From 2d5a5b95859708beb0b67497d20b958cf9747251 Mon Sep 17 00:00:00 2001 From: research-bot Date: Thu, 6 Jun 2024 17:50:44 +0000 Subject: [PATCH 1/3] Auto-update dist/* files for ESCU,BA,API via release job for tag v4.33.0 [skip ci] --- dist/DA-ESS-ContentUpdate/default/analyticstories.conf | 2 +- dist/DA-ESS-ContentUpdate/default/app.conf | 4 ++-- dist/DA-ESS-ContentUpdate/default/collections.conf | 2 +- dist/DA-ESS-ContentUpdate/default/content-version.conf | 2 +- ...rkbench_panel_all_backup_logs_for_host___response_task.xml | 2 +- ...azon_eks_kubernetes_activity_by_src_ip___response_task.xml | 2 +- ...nvestigate_security_hub_alerts_by_dest___response_task.xml | 2 +- ...stigate_user_activities_by_accesskeyid___response_task.xml | 2 +- ...aws_investigate_user_activities_by_arn___response_task.xml | 2 +- ..._panel_aws_network_acl_details_from_id___response_task.xml | 2 +- ...twork_interface_details_via_resourceid___response_task.xml | 2 +- ...l_aws_s3_bucket_details_via_bucketname___response_task.xml | 2 +- ...anel_gcp_kubernetes_activity_by_src_ip___response_task.xml | 2 +- ...h_panel_get_all_aws_activity_from_city___response_task.xml | 2 +- ...anel_get_all_aws_activity_from_country___response_task.xml | 2 +- ...l_get_all_aws_activity_from_ip_address___response_task.xml | 2 +- ...panel_get_all_aws_activity_from_region___response_task.xml | 2 +- ...nch_panel_get_backup_logs_for_endpoint___response_task.xml | 2 +- ...anel_get_certificate_logs_for_a_domain___response_task.xml | 2 +- ...anel_get_dns_server_history_for_a_host___response_task.xml | 2 +- .../workbench_panel_get_dns_traffic_ratio___response_task.xml | 2 +- ...get_ec2_instance_details_by_instanceid___response_task.xml | 2 +- ...workbench_panel_get_ec2_launch_details___response_task.xml | 2 +- .../panels/workbench_panel_get_email_info___response_task.xml | 2 +- ..._panel_get_emails_from_specific_sender___response_task.xml | 2 +- ...e_and_last_occurrence_of_a_mac_address___response_task.xml | 2 +- ...nch_panel_get_history_of_email_sources___response_task.xml | 2 +- ...ogon_rights_modifications_for_endpoint___response_task.xml | 2 +- ...et_logon_rights_modifications_for_user___response_task.xml | 2 +- .../workbench_panel_get_notable_history___response_task.xml | 2 +- ...orkbench_panel_get_parent_process_info___response_task.xml | 2 +- ...kbench_panel_get_process_file_activity___response_task.xml | 2 +- .../workbench_panel_get_process_info___response_task.xml | 2 +- ..._process_information_for_port_activity___response_task.xml | 2 +- ...rocess_responsible_for_the_dns_traffic___response_task.xml | 2 +- ...panel_get_sysmon_wmi_activity_for_host___response_task.xml | 2 +- ...web_session_information_via_session_id___response_task.xml | 2 +- ...stigate_aws_activities_via_region_name___response_task.xml | 2 +- ...gate_aws_user_activities_by_user_field___response_task.xml | 2 +- ...ailed_logins_for_multiple_destinations___response_task.xml | 2 +- ...nvestigate_network_traffic_from_src_ip___response_task.xml | 2 +- ...panel_investigate_okta_activity_by_app___response_task.xml | 2 +- ...nel_investigate_pass_the_hash_attempts___response_task.xml | 2 +- ...l_investigate_pass_the_ticket_attempts___response_task.xml | 2 +- ...panel_investigate_previous_unseen_user___response_task.xml | 2 +- ...cessful_remote_desktop_authentications___response_task.xml | 2 +- ...gate_suspicious_strings_in_http_header___response_task.xml | 2 +- ...el_investigate_user_activities_in_okta___response_task.xml | 2 +- ...h_panel_investigate_web_posts_from_src___response_task.xml | 2 +- dist/DA-ESS-ContentUpdate/default/es_investigations.conf | 2 +- dist/DA-ESS-ContentUpdate/default/macros.conf | 2 +- dist/DA-ESS-ContentUpdate/default/savedsearches.conf | 2 +- dist/DA-ESS-ContentUpdate/default/transforms.conf | 2 +- dist/DA-ESS-ContentUpdate/default/workflow_actions.conf | 2 +- dist/api/stories.json | 2 +- dist/api/version.json | 2 +- 56 files changed, 57 insertions(+), 57 deletions(-) diff --git a/dist/DA-ESS-ContentUpdate/default/analyticstories.conf b/dist/DA-ESS-ContentUpdate/default/analyticstories.conf index 0dc324c65c..4ef8cd6913 100644 --- a/dist/DA-ESS-ContentUpdate/default/analyticstories.conf +++ b/dist/DA-ESS-ContentUpdate/default/analyticstories.conf @@ -1,7 +1,7 @@ ############# # Automatically generated by 'contentctl build' from # https://github.com/splunk/contentctl -# On Date: 2024-06-06T16:44:23 UTC +# On Date: 2024-06-06T17:49:54 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# diff --git a/dist/DA-ESS-ContentUpdate/default/app.conf b/dist/DA-ESS-ContentUpdate/default/app.conf index d29954ef4c..b0a76d6bf7 100644 --- a/dist/DA-ESS-ContentUpdate/default/app.conf +++ b/dist/DA-ESS-ContentUpdate/default/app.conf @@ -1,7 +1,7 @@ ############# # Automatically generated by 'contentctl build' from # https://github.com/splunk/contentctl -# On Date: 2024-06-06T16:44:23 UTC +# On Date: 2024-06-06T17:49:54 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# @@ -11,7 +11,7 @@ is_configured = false state = enabled state_change_requires_restart = false -build = 20240606164354 +build = 20240606174906 [triggers] reload.analytic_stories = simple diff --git a/dist/DA-ESS-ContentUpdate/default/collections.conf b/dist/DA-ESS-ContentUpdate/default/collections.conf index f99f8d2bda..14d957293e 100644 --- a/dist/DA-ESS-ContentUpdate/default/collections.conf +++ b/dist/DA-ESS-ContentUpdate/default/collections.conf @@ -1,7 +1,7 @@ ############# # Automatically generated by 'contentctl build' from # https://github.com/splunk/contentctl -# On Date: 2024-06-06T16:44:23 UTC +# On Date: 2024-06-06T17:49:54 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# diff --git a/dist/DA-ESS-ContentUpdate/default/content-version.conf b/dist/DA-ESS-ContentUpdate/default/content-version.conf index aa3abdbf4a..8c20be2511 100644 --- a/dist/DA-ESS-ContentUpdate/default/content-version.conf +++ b/dist/DA-ESS-ContentUpdate/default/content-version.conf @@ -1,7 +1,7 @@ ############# # Automatically generated by 'contentctl build' from # https://github.com/splunk/contentctl -# On Date: 2024-06-06T16:44:23 UTC +# On Date: 2024-06-06T17:49:54 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_all_backup_logs_for_host___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_all_backup_logs_for_host___response_task.xml index cbbb73e531..8f5321afa0 100644 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_all_backup_logs_for_host___response_task.xml +++ b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_all_backup_logs_for_host___response_task.xml @@ -2,7 +2,7 @@ ############# # Automatically generated by 'contentctl build' from # https://github.com/splunk/contentctl -# On Date: 2024-06-06T16:44:23 UTC +# On Date: 2024-06-06T17:49:54 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_amazon_eks_kubernetes_activity_by_src_ip___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_amazon_eks_kubernetes_activity_by_src_ip___response_task.xml index 989584123f..17c1a7c422 100644 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_amazon_eks_kubernetes_activity_by_src_ip___response_task.xml +++ b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_amazon_eks_kubernetes_activity_by_src_ip___response_task.xml @@ -2,7 +2,7 @@ ############# # Automatically generated by 'contentctl build' from # https://github.com/splunk/contentctl -# On Date: 2024-06-06T16:44:23 UTC +# On Date: 2024-06-06T17:49:54 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_investigate_security_hub_alerts_by_dest___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_investigate_security_hub_alerts_by_dest___response_task.xml index 98301ecd42..ce3f69c61e 100644 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_investigate_security_hub_alerts_by_dest___response_task.xml +++ b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_investigate_security_hub_alerts_by_dest___response_task.xml @@ -2,7 +2,7 @@ ############# # Automatically generated by 'contentctl build' from # https://github.com/splunk/contentctl -# On Date: 2024-06-06T16:44:23 UTC +# On Date: 2024-06-06T17:49:54 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_investigate_user_activities_by_accesskeyid___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_investigate_user_activities_by_accesskeyid___response_task.xml index 2edb9011b0..435b2ee9aa 100644 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_investigate_user_activities_by_accesskeyid___response_task.xml +++ b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_investigate_user_activities_by_accesskeyid___response_task.xml @@ -2,7 +2,7 @@ ############# # Automatically generated by 'contentctl build' from # https://github.com/splunk/contentctl -# On Date: 2024-06-06T16:44:23 UTC +# On Date: 2024-06-06T17:49:54 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_investigate_user_activities_by_arn___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_investigate_user_activities_by_arn___response_task.xml index 2bb1dfdcb4..2cd709a332 100644 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_investigate_user_activities_by_arn___response_task.xml +++ b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_investigate_user_activities_by_arn___response_task.xml @@ -2,7 +2,7 @@ ############# # Automatically generated by 'contentctl build' from # https://github.com/splunk/contentctl -# On Date: 2024-06-06T16:44:23 UTC +# On Date: 2024-06-06T17:49:54 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_network_acl_details_from_id___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_network_acl_details_from_id___response_task.xml index daf16a5769..b0ad30b6d0 100644 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_network_acl_details_from_id___response_task.xml +++ b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_network_acl_details_from_id___response_task.xml @@ -2,7 +2,7 @@ ############# # Automatically generated by 'contentctl build' from # https://github.com/splunk/contentctl -# On Date: 2024-06-06T16:44:23 UTC +# On Date: 2024-06-06T17:49:54 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_network_interface_details_via_resourceid___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_network_interface_details_via_resourceid___response_task.xml index 147ac9a6ae..b5e7efe838 100644 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_network_interface_details_via_resourceid___response_task.xml +++ b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_network_interface_details_via_resourceid___response_task.xml @@ -2,7 +2,7 @@ ############# # Automatically generated by 'contentctl build' from # https://github.com/splunk/contentctl -# On Date: 2024-06-06T16:44:23 UTC +# On Date: 2024-06-06T17:49:54 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_s3_bucket_details_via_bucketname___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_s3_bucket_details_via_bucketname___response_task.xml index f2d9d2091f..0efc4760f0 100644 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_s3_bucket_details_via_bucketname___response_task.xml +++ b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_s3_bucket_details_via_bucketname___response_task.xml @@ -2,7 +2,7 @@ ############# # Automatically generated by 'contentctl build' from # https://github.com/splunk/contentctl -# On Date: 2024-06-06T16:44:23 UTC +# On Date: 2024-06-06T17:49:54 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_gcp_kubernetes_activity_by_src_ip___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_gcp_kubernetes_activity_by_src_ip___response_task.xml index ff19d32164..67f04d8173 100644 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_gcp_kubernetes_activity_by_src_ip___response_task.xml +++ b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_gcp_kubernetes_activity_by_src_ip___response_task.xml @@ -2,7 +2,7 @@ ############# # Automatically generated by 'contentctl build' from # https://github.com/splunk/contentctl -# On Date: 2024-06-06T16:44:23 UTC +# On Date: 2024-06-06T17:49:54 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_all_aws_activity_from_city___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_all_aws_activity_from_city___response_task.xml index 7b7da2a74d..2d0d2ae63f 100644 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_all_aws_activity_from_city___response_task.xml +++ b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_all_aws_activity_from_city___response_task.xml @@ -2,7 +2,7 @@ ############# # Automatically generated by 'contentctl build' from # https://github.com/splunk/contentctl -# On Date: 2024-06-06T16:44:23 UTC +# On Date: 2024-06-06T17:49:54 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_all_aws_activity_from_country___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_all_aws_activity_from_country___response_task.xml index 4eec6acd14..979f85ef28 100644 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_all_aws_activity_from_country___response_task.xml +++ b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_all_aws_activity_from_country___response_task.xml @@ -2,7 +2,7 @@ ############# # Automatically generated by 'contentctl build' from # https://github.com/splunk/contentctl -# On Date: 2024-06-06T16:44:23 UTC +# On Date: 2024-06-06T17:49:54 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_all_aws_activity_from_ip_address___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_all_aws_activity_from_ip_address___response_task.xml index d037cfdcdb..ba151247d8 100644 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_all_aws_activity_from_ip_address___response_task.xml +++ b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_all_aws_activity_from_ip_address___response_task.xml @@ -2,7 +2,7 @@ ############# # Automatically generated by 'contentctl build' from # https://github.com/splunk/contentctl -# On Date: 2024-06-06T16:44:23 UTC +# On Date: 2024-06-06T17:49:54 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_all_aws_activity_from_region___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_all_aws_activity_from_region___response_task.xml index 49c0f4e792..bf3e63afa8 100644 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_all_aws_activity_from_region___response_task.xml +++ b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_all_aws_activity_from_region___response_task.xml @@ -2,7 +2,7 @@ ############# # Automatically generated by 'contentctl build' from # https://github.com/splunk/contentctl -# On Date: 2024-06-06T16:44:23 UTC +# On Date: 2024-06-06T17:49:54 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_backup_logs_for_endpoint___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_backup_logs_for_endpoint___response_task.xml index b552d069ab..27cc657318 100644 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_backup_logs_for_endpoint___response_task.xml +++ b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_backup_logs_for_endpoint___response_task.xml @@ -2,7 +2,7 @@ ############# # Automatically generated by 'contentctl build' from # https://github.com/splunk/contentctl -# On Date: 2024-06-06T16:44:23 UTC +# On Date: 2024-06-06T17:49:54 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_certificate_logs_for_a_domain___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_certificate_logs_for_a_domain___response_task.xml index 4f8d6ec08e..e25fb11cf6 100644 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_certificate_logs_for_a_domain___response_task.xml +++ b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_certificate_logs_for_a_domain___response_task.xml @@ -2,7 +2,7 @@ ############# # Automatically generated by 'contentctl build' from # https://github.com/splunk/contentctl -# On Date: 2024-06-06T16:44:23 UTC +# On Date: 2024-06-06T17:49:54 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_dns_server_history_for_a_host___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_dns_server_history_for_a_host___response_task.xml index f2c9b145a8..bf17947eb8 100644 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_dns_server_history_for_a_host___response_task.xml +++ b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_dns_server_history_for_a_host___response_task.xml @@ -2,7 +2,7 @@ ############# # Automatically generated by 'contentctl build' from # https://github.com/splunk/contentctl -# On Date: 2024-06-06T16:44:23 UTC +# On Date: 2024-06-06T17:49:54 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_dns_traffic_ratio___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_dns_traffic_ratio___response_task.xml index 77540a5ece..a0084d54b0 100644 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_dns_traffic_ratio___response_task.xml +++ b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_dns_traffic_ratio___response_task.xml @@ -2,7 +2,7 @@ ############# # Automatically generated by 'contentctl build' from # https://github.com/splunk/contentctl -# On Date: 2024-06-06T16:44:23 UTC +# On Date: 2024-06-06T17:49:54 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_ec2_instance_details_by_instanceid___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_ec2_instance_details_by_instanceid___response_task.xml index 46e8f0f399..786db5b7e6 100644 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_ec2_instance_details_by_instanceid___response_task.xml +++ b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_ec2_instance_details_by_instanceid___response_task.xml @@ -2,7 +2,7 @@ ############# # Automatically generated by 'contentctl build' from # https://github.com/splunk/contentctl -# On Date: 2024-06-06T16:44:23 UTC +# On Date: 2024-06-06T17:49:54 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_ec2_launch_details___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_ec2_launch_details___response_task.xml index cb4dde5880..08a8822cec 100644 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_ec2_launch_details___response_task.xml +++ b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_ec2_launch_details___response_task.xml @@ -2,7 +2,7 @@ ############# # Automatically generated by 'contentctl build' from # https://github.com/splunk/contentctl -# On Date: 2024-06-06T16:44:23 UTC +# On Date: 2024-06-06T17:49:54 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_email_info___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_email_info___response_task.xml index c1e9db2d62..5f5e662c21 100644 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_email_info___response_task.xml +++ b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_email_info___response_task.xml @@ -2,7 +2,7 @@ ############# # Automatically generated by 'contentctl build' from # https://github.com/splunk/contentctl -# On Date: 2024-06-06T16:44:23 UTC +# On Date: 2024-06-06T17:49:54 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_emails_from_specific_sender___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_emails_from_specific_sender___response_task.xml index 03e9c05eeb..ebc1ac13d5 100644 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_emails_from_specific_sender___response_task.xml +++ b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_emails_from_specific_sender___response_task.xml @@ -2,7 +2,7 @@ ############# # Automatically generated by 'contentctl build' from # https://github.com/splunk/contentctl -# On Date: 2024-06-06T16:44:23 UTC +# On Date: 2024-06-06T17:49:54 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_first_occurrence_and_last_occurrence_of_a_mac_address___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_first_occurrence_and_last_occurrence_of_a_mac_address___response_task.xml index b96e56934e..db5fe065c3 100644 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_first_occurrence_and_last_occurrence_of_a_mac_address___response_task.xml +++ b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_first_occurrence_and_last_occurrence_of_a_mac_address___response_task.xml @@ -2,7 +2,7 @@ ############# # Automatically generated by 'contentctl build' from # https://github.com/splunk/contentctl -# On Date: 2024-06-06T16:44:23 UTC +# On Date: 2024-06-06T17:49:54 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_history_of_email_sources___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_history_of_email_sources___response_task.xml index 83fc383947..e1d0b4e5b5 100644 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_history_of_email_sources___response_task.xml +++ b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_history_of_email_sources___response_task.xml @@ -2,7 +2,7 @@ ############# # Automatically generated by 'contentctl build' from # https://github.com/splunk/contentctl -# On Date: 2024-06-06T16:44:23 UTC +# On Date: 2024-06-06T17:49:54 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_logon_rights_modifications_for_endpoint___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_logon_rights_modifications_for_endpoint___response_task.xml index 8fb9c40232..6950951424 100644 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_logon_rights_modifications_for_endpoint___response_task.xml +++ b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_logon_rights_modifications_for_endpoint___response_task.xml @@ -2,7 +2,7 @@ ############# # Automatically generated by 'contentctl build' from # https://github.com/splunk/contentctl -# On Date: 2024-06-06T16:44:23 UTC +# On Date: 2024-06-06T17:49:54 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_logon_rights_modifications_for_user___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_logon_rights_modifications_for_user___response_task.xml index 1f0e4996cc..bff35cb071 100644 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_logon_rights_modifications_for_user___response_task.xml +++ b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_logon_rights_modifications_for_user___response_task.xml @@ -2,7 +2,7 @@ ############# # Automatically generated by 'contentctl build' from # https://github.com/splunk/contentctl -# On Date: 2024-06-06T16:44:23 UTC +# On Date: 2024-06-06T17:49:54 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_notable_history___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_notable_history___response_task.xml index 90c65d66c3..92e09e3e75 100644 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_notable_history___response_task.xml +++ b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_notable_history___response_task.xml @@ -2,7 +2,7 @@ ############# # Automatically generated by 'contentctl build' from # https://github.com/splunk/contentctl -# On Date: 2024-06-06T16:44:23 UTC +# On Date: 2024-06-06T17:49:54 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_parent_process_info___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_parent_process_info___response_task.xml index eb98a93e88..def3c91e63 100644 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_parent_process_info___response_task.xml +++ b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_parent_process_info___response_task.xml @@ -2,7 +2,7 @@ ############# # Automatically generated by 'contentctl build' from # https://github.com/splunk/contentctl -# On Date: 2024-06-06T16:44:23 UTC +# On Date: 2024-06-06T17:49:54 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_process_file_activity___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_process_file_activity___response_task.xml index 6535ebaf40..fdcf1d29dc 100644 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_process_file_activity___response_task.xml +++ b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_process_file_activity___response_task.xml @@ -2,7 +2,7 @@ ############# # Automatically generated by 'contentctl build' from # https://github.com/splunk/contentctl -# On Date: 2024-06-06T16:44:23 UTC +# On Date: 2024-06-06T17:49:54 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_process_info___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_process_info___response_task.xml index e9c790e7e0..6c17c7ecb5 100644 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_process_info___response_task.xml +++ b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_process_info___response_task.xml @@ -2,7 +2,7 @@ ############# # Automatically generated by 'contentctl build' from # https://github.com/splunk/contentctl -# On Date: 2024-06-06T16:44:23 UTC +# On Date: 2024-06-06T17:49:54 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_process_information_for_port_activity___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_process_information_for_port_activity___response_task.xml index 4b0377c4c1..fd17bad0c1 100644 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_process_information_for_port_activity___response_task.xml +++ b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_process_information_for_port_activity___response_task.xml @@ -2,7 +2,7 @@ ############# # Automatically generated by 'contentctl build' from # https://github.com/splunk/contentctl -# On Date: 2024-06-06T16:44:23 UTC +# On Date: 2024-06-06T17:49:54 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_process_responsible_for_the_dns_traffic___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_process_responsible_for_the_dns_traffic___response_task.xml index ce2becd597..6a30fbf35b 100644 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_process_responsible_for_the_dns_traffic___response_task.xml +++ b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_process_responsible_for_the_dns_traffic___response_task.xml @@ -2,7 +2,7 @@ ############# # Automatically generated by 'contentctl build' from # https://github.com/splunk/contentctl -# On Date: 2024-06-06T16:44:23 UTC +# On Date: 2024-06-06T17:49:54 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_sysmon_wmi_activity_for_host___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_sysmon_wmi_activity_for_host___response_task.xml index 12d0fb7e01..d40580becd 100644 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_sysmon_wmi_activity_for_host___response_task.xml +++ b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_sysmon_wmi_activity_for_host___response_task.xml @@ -2,7 +2,7 @@ ############# # Automatically generated by 'contentctl build' from # https://github.com/splunk/contentctl -# On Date: 2024-06-06T16:44:23 UTC +# On Date: 2024-06-06T17:49:54 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_web_session_information_via_session_id___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_web_session_information_via_session_id___response_task.xml index 126d35dfef..8aedde2479 100644 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_web_session_information_via_session_id___response_task.xml +++ b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_web_session_information_via_session_id___response_task.xml @@ -2,7 +2,7 @@ ############# # Automatically generated by 'contentctl build' from # https://github.com/splunk/contentctl -# On Date: 2024-06-06T16:44:23 UTC +# On Date: 2024-06-06T17:49:54 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_aws_activities_via_region_name___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_aws_activities_via_region_name___response_task.xml index 12e0adcd40..b00e3581a1 100644 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_aws_activities_via_region_name___response_task.xml +++ b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_aws_activities_via_region_name___response_task.xml @@ -2,7 +2,7 @@ ############# # Automatically generated by 'contentctl build' from # https://github.com/splunk/contentctl -# On Date: 2024-06-06T16:44:23 UTC +# On Date: 2024-06-06T17:49:54 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_aws_user_activities_by_user_field___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_aws_user_activities_by_user_field___response_task.xml index e0268d712d..566b4bbe61 100644 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_aws_user_activities_by_user_field___response_task.xml +++ b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_aws_user_activities_by_user_field___response_task.xml @@ -2,7 +2,7 @@ ############# # Automatically generated by 'contentctl build' from # https://github.com/splunk/contentctl -# On Date: 2024-06-06T16:44:23 UTC +# On Date: 2024-06-06T17:49:54 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_failed_logins_for_multiple_destinations___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_failed_logins_for_multiple_destinations___response_task.xml index f3b464804c..e4eee35e85 100644 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_failed_logins_for_multiple_destinations___response_task.xml +++ b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_failed_logins_for_multiple_destinations___response_task.xml @@ -2,7 +2,7 @@ ############# # Automatically generated by 'contentctl build' from # https://github.com/splunk/contentctl -# On Date: 2024-06-06T16:44:23 UTC +# On Date: 2024-06-06T17:49:54 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_network_traffic_from_src_ip___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_network_traffic_from_src_ip___response_task.xml index dbf85785a2..1b0d6cce04 100644 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_network_traffic_from_src_ip___response_task.xml +++ b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_network_traffic_from_src_ip___response_task.xml @@ -2,7 +2,7 @@ ############# # Automatically generated by 'contentctl build' from # https://github.com/splunk/contentctl -# On Date: 2024-06-06T16:44:23 UTC +# On Date: 2024-06-06T17:49:54 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_okta_activity_by_app___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_okta_activity_by_app___response_task.xml index 9c8d44c4d5..33ea370730 100644 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_okta_activity_by_app___response_task.xml +++ b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_okta_activity_by_app___response_task.xml @@ -2,7 +2,7 @@ ############# # Automatically generated by 'contentctl build' from # https://github.com/splunk/contentctl -# On Date: 2024-06-06T16:44:23 UTC +# On Date: 2024-06-06T17:49:54 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_pass_the_hash_attempts___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_pass_the_hash_attempts___response_task.xml index b1f3913ef7..1dd530c6fb 100644 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_pass_the_hash_attempts___response_task.xml +++ b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_pass_the_hash_attempts___response_task.xml @@ -2,7 +2,7 @@ ############# # Automatically generated by 'contentctl build' from # https://github.com/splunk/contentctl -# On Date: 2024-06-06T16:44:23 UTC +# On Date: 2024-06-06T17:49:54 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_pass_the_ticket_attempts___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_pass_the_ticket_attempts___response_task.xml index 25e8b3d5e9..19770aba61 100644 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_pass_the_ticket_attempts___response_task.xml +++ b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_pass_the_ticket_attempts___response_task.xml @@ -2,7 +2,7 @@ ############# # Automatically generated by 'contentctl build' from # https://github.com/splunk/contentctl -# On Date: 2024-06-06T16:44:23 UTC +# On Date: 2024-06-06T17:49:54 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_previous_unseen_user___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_previous_unseen_user___response_task.xml index a8ca04ac6d..4a79a8e862 100644 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_previous_unseen_user___response_task.xml +++ b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_previous_unseen_user___response_task.xml @@ -2,7 +2,7 @@ ############# # Automatically generated by 'contentctl build' from # https://github.com/splunk/contentctl -# On Date: 2024-06-06T16:44:23 UTC +# On Date: 2024-06-06T17:49:54 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_successful_remote_desktop_authentications___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_successful_remote_desktop_authentications___response_task.xml index 5490e3c468..3f207afbcc 100644 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_successful_remote_desktop_authentications___response_task.xml +++ b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_successful_remote_desktop_authentications___response_task.xml @@ -2,7 +2,7 @@ ############# # Automatically generated by 'contentctl build' from # https://github.com/splunk/contentctl -# On Date: 2024-06-06T16:44:23 UTC +# On Date: 2024-06-06T17:49:54 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_suspicious_strings_in_http_header___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_suspicious_strings_in_http_header___response_task.xml index 3e8d300abd..7fa85b4d07 100644 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_suspicious_strings_in_http_header___response_task.xml +++ b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_suspicious_strings_in_http_header___response_task.xml @@ -2,7 +2,7 @@ ############# # Automatically generated by 'contentctl build' from # https://github.com/splunk/contentctl -# On Date: 2024-06-06T16:44:23 UTC +# On Date: 2024-06-06T17:49:54 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_user_activities_in_okta___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_user_activities_in_okta___response_task.xml index 6663d9e876..b005793cc2 100644 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_user_activities_in_okta___response_task.xml +++ b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_user_activities_in_okta___response_task.xml @@ -2,7 +2,7 @@ ############# # Automatically generated by 'contentctl build' from # https://github.com/splunk/contentctl -# On Date: 2024-06-06T16:44:23 UTC +# On Date: 2024-06-06T17:49:54 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_web_posts_from_src___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_web_posts_from_src___response_task.xml index ea6c348a76..e0a798dbae 100644 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_web_posts_from_src___response_task.xml +++ b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_web_posts_from_src___response_task.xml @@ -2,7 +2,7 @@ ############# # Automatically generated by 'contentctl build' from # https://github.com/splunk/contentctl -# On Date: 2024-06-06T16:44:23 UTC +# On Date: 2024-06-06T17:49:54 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# diff --git a/dist/DA-ESS-ContentUpdate/default/es_investigations.conf b/dist/DA-ESS-ContentUpdate/default/es_investigations.conf index 66bc106848..7309ce7102 100644 --- a/dist/DA-ESS-ContentUpdate/default/es_investigations.conf +++ b/dist/DA-ESS-ContentUpdate/default/es_investigations.conf @@ -1,7 +1,7 @@ ############# # Automatically generated by 'contentctl build' from # https://github.com/splunk/contentctl -# On Date: 2024-06-06T16:44:23 UTC +# On Date: 2024-06-06T17:49:54 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# diff --git a/dist/DA-ESS-ContentUpdate/default/macros.conf b/dist/DA-ESS-ContentUpdate/default/macros.conf index 3054377eb1..99d2658d7f 100644 --- a/dist/DA-ESS-ContentUpdate/default/macros.conf +++ b/dist/DA-ESS-ContentUpdate/default/macros.conf @@ -1,7 +1,7 @@ ############# # Automatically generated by 'contentctl build' from # https://github.com/splunk/contentctl -# On Date: 2024-06-06T16:44:23 UTC +# On Date: 2024-06-06T17:49:54 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# diff --git a/dist/DA-ESS-ContentUpdate/default/savedsearches.conf b/dist/DA-ESS-ContentUpdate/default/savedsearches.conf index ef189295df..30f8584973 100644 --- a/dist/DA-ESS-ContentUpdate/default/savedsearches.conf +++ b/dist/DA-ESS-ContentUpdate/default/savedsearches.conf @@ -1,7 +1,7 @@ ############# # Automatically generated by 'contentctl build' from # https://github.com/splunk/contentctl -# On Date: 2024-06-06T16:44:23 UTC +# On Date: 2024-06-06T17:49:54 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# diff --git a/dist/DA-ESS-ContentUpdate/default/transforms.conf b/dist/DA-ESS-ContentUpdate/default/transforms.conf index 0c94b98a8e..218c47f902 100644 --- a/dist/DA-ESS-ContentUpdate/default/transforms.conf +++ b/dist/DA-ESS-ContentUpdate/default/transforms.conf @@ -1,7 +1,7 @@ ############# # Automatically generated by 'contentctl build' from # https://github.com/splunk/contentctl -# On Date: 2024-06-06T16:44:23 UTC +# On Date: 2024-06-06T17:49:54 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# diff --git a/dist/DA-ESS-ContentUpdate/default/workflow_actions.conf b/dist/DA-ESS-ContentUpdate/default/workflow_actions.conf index e84db9009d..88ea112a2e 100644 --- a/dist/DA-ESS-ContentUpdate/default/workflow_actions.conf +++ b/dist/DA-ESS-ContentUpdate/default/workflow_actions.conf @@ -1,7 +1,7 @@ ############# # Automatically generated by 'contentctl build' from # https://github.com/splunk/contentctl -# On Date: 2024-06-06T16:44:23 UTC +# On Date: 2024-06-06T17:49:54 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# diff --git a/dist/api/stories.json b/dist/api/stories.json index 5ca80b2a12..9f55070b84 100644 --- a/dist/api/stories.json +++ b/dist/api/stories.json @@ -1 +1 @@ -{"stories": [{"name": "3CX Supply Chain Attack", "author": "Michael Haag, Splunk", "date": "2023-03-30", "version": 1, "id": "c4d7618c-73a7-4f7c-8071-060c36850785", "description": "On March 29, 2023, CrowdStrike Falcon OverWatch observed unexpected malicious activity emanating from a legitimate, signed binary, 3CXDesktopApp, a softphone application from 3CX. The malicious activity includes beaconing to actor controlled infrastructure, deployment of second stage payloads, and, in a small number of cases, hands on keyboard activity. (CrowdStrike)", "references": ["https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/", "https://www.cisa.gov/news-events/alerts/2023/03/30/supply-chain-attack-against-3cxdesktopapp", "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/", "https://www.3cx.com/community/threads/crowdstrike-endpoint-security-detection-re-3cx-desktop-app.119934/page-2#post-558898", "https://www.3cx.com/community/threads/3cx-desktopapp-security-alert.119951/", "https://www.elastic.co/security-labs/elastic-users-protected-from-suddenicon-supply-chain-attack", "https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/"], "narrative": "On March 22, 2023, cybersecurity firm SentinelOne observed a surge in behavioral detections of trojanized 3CXDesktopApp installers, a popular PABX voice and video conferencing software. The multi-stage attack chain, which automatically quarantines trojanized installers, involves downloading ICO files with base64 data from GitHub and eventually leads to a 3rd stage infostealer DLL that is still under analysis. While the Mac installer remains unconfirmed as trojanized, ongoing investigations are also examining other potentially compromised applications, such as Chrome extensions. The threat actor behind the supply chain compromise, which started in February 2022, has used a code signing certificate to sign the trojanized binaries, but connections to existing threat clusters remain unclear. SentinelOne updated their IOCs on March 30th, 2023, with contributions from the research community and continues to monitor the situation for further developments. 3CX identified the vulnerability in the recent versions 18.12.407 and 18.12.416 for the desktop app. A new certificate for the app will also be produced.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1195.002", "mitre_attack_technique": "Compromise Software Supply Chain", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT41", "Cobalt Group", "Dragonfly", "FIN7", "GOLD SOUTHFIELD", "Sandworm Team", "Threat Group-3390"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "APT41", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Malteiro", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "Malteiro", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}], "mitre_attack_tactics": ["Credential Access", "Initial Access"], "datamodels": ["Network_Resolution", "Endpoint"], "kill_chain_phases": ["Delivery", "Exploitation"]}, "detection_names": ["ESCU - 3CX Supply Chain Attack Network Indicators - Rule", "ESCU - Hunting 3CXDesktopApp Software - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Windows Vulnerable 3CX Software - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "3CX Supply Chain Attack Network Indicators", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Software Supply Chain"}]}, {"name": "Hunting 3CXDesktopApp Software", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Compromise Software Supply Chain"}]}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "Windows Vulnerable 3CX Software", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Software Supply Chain"}]}]}, {"name": "Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring", "author": "Matthew Moore, Patrick Bareiss, Splunk", "date": "2024-01-08", "version": 1, "id": "7589023b-3d98-42b3-ab1c-bb498e68fc2d", "description": "Kubernetes, a complex container orchestration system, is susceptible to a variety of security threats. This story delves into the different strategies and methods adversaries employ to exploit Kubernetes environments. These include attacks on the control plane, exploitation of misconfigurations, and breaches of containerized applications. Observability data, such as metrics, play a crucial role in identifying abnormal and potentially malicious behavior within these environments.", "references": ["https://kubernetes.io/docs/concepts/security/", "https://splunkbase.splunk.com/app/5247"], "narrative": "Kubernetes, a complex container orchestration system, is a prime target for adversaries due to its widespread use and inherent complexity. This story focuses on the abnormal behavior within Kubernetes environments that can be indicative of security threats. Key areas of concern include the control plane, worker nodes, and network communication, all of which can be exploited by attackers. Observability data, such as metrics, play a crucial role in identifying these abnormal behaviors. These behaviors could be a result of attacks on the control plane, exploitation of misconfigurations, or breaches of containerized applications. For instance, attackers may attempt to exploit vulnerabilities in the Kubernetes API, misconfigured containers, or insecure network policies. The control plane, which manages cluster operations, is a prime target and its compromise can give attackers control over the entire cluster. Worker nodes, which run the containerized applications, can also be targeted to disrupt services or to gain access to sensitive data.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}], "mitre_attack_tactics": ["Execution"], "datamodels": [], "kill_chain_phases": ["Installation"]}, "detection_names": ["ESCU - Kubernetes Anomalous Inbound Network Activity from Process - Rule", "ESCU - Kubernetes Anomalous Inbound Outbound Network IO - Rule", "ESCU - Kubernetes Anomalous Inbound to Outbound Network IO Ratio - Rule", "ESCU - Kubernetes Anomalous Outbound Network Activity from Process - Rule", "ESCU - Kubernetes Anomalous Traffic on Network Edge - Rule", "ESCU - Kubernetes newly seen TCP edge - Rule", "ESCU - Kubernetes newly seen UDP edge - Rule", "ESCU - Kubernetes Previously Unseen Container Image Name - Rule", "ESCU - Kubernetes Previously Unseen Process - Rule", "ESCU - Kubernetes Process Running From New Path - Rule", "ESCU - Kubernetes Process with Anomalous Resource Utilisation - Rule", "ESCU - Kubernetes Process with Resource Ratio Anomalies - Rule", "ESCU - Kubernetes Shell Running on Worker Node - Rule", "ESCU - Kubernetes Shell Running on Worker Node with CPU Activity - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Patrick Bareiss, Splunk", "author_name": "Matthew Moore", "detections": [{"name": "Kubernetes Anomalous Inbound Network Activity from Process", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Kubernetes Anomalous Inbound Outbound Network IO", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Kubernetes Anomalous Inbound to Outbound Network IO Ratio", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Kubernetes Anomalous Outbound Network Activity from Process", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Kubernetes Anomalous Traffic on Network Edge", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Kubernetes newly seen TCP edge", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Kubernetes newly seen UDP edge", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Kubernetes Previously Unseen Container Image Name", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Kubernetes Previously Unseen Process", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Kubernetes Process Running From New Path", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Kubernetes Process with Anomalous Resource Utilisation", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Kubernetes Process with Resource Ratio Anomalies", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Kubernetes Shell Running on Worker Node", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Kubernetes Shell Running on Worker Node with CPU Activity", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}]}, {"name": "AcidRain", "author": "Teoderick Contreras, Splunk", "date": "2022-04-12", "version": 1, "id": "c68717c6-4938-434b-987c-e1ce9d516124", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the acidrain malware including deleting of files and etc. AcidRain is an ELF MIPS malware specifically designed to wipe modems and routers. The complete list of targeted devices is unknown at this time, but WatchGuard FireBox has specifically been listed as a target. This malware is capable of wiping and deleting non-standard linux files and overwriting storage device files that might related to router, ssd card and many more.", "references": ["https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/"], "narrative": "Adversaries may use this technique to maximize the impact on the target organization in operations where network wide availability interruption is the goal.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Impact", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Linux Account Manipulation Of SSH Config and Keys - Rule", "ESCU - Linux Deletion Of Cron Jobs - Rule", "ESCU - Linux Deletion Of Init Daemon Script - Rule", "ESCU - Linux Deletion Of Services - Rule", "ESCU - Linux Deletion of SSL Certificate - Rule", "ESCU - Linux High Frequency Of File Deletion In Etc Folder - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Linux Account Manipulation Of SSH Config and Keys", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Linux Deletion Of Cron Jobs", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Linux Deletion Of Init Daemon Script", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Linux Deletion Of Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Linux Deletion of SSL Certificate", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Linux High Frequency Of File Deletion In Etc Folder", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}]}, {"name": "Active Directory Discovery", "author": "Mauricio Velazco, Splunk", "date": "2021-08-20", "version": 1, "id": "8460679c-2b21-463e-b381-b813417c32f2", "description": "Monitor for activities and techniques associated with Discovery and Reconnaissance within with Active Directory environments.", "references": ["https://attack.mitre.org/tactics/TA0007/", "https://adsecurity.org/?p=2535", "https://attack.mitre.org/techniques/T1087/001/", "https://attack.mitre.org/techniques/T1087/002/", "https://attack.mitre.org/techniques/T1087/003/", "https://attack.mitre.org/techniques/T1482/", "https://attack.mitre.org/techniques/T1201/", "https://attack.mitre.org/techniques/T1069/001/", "https://attack.mitre.org/techniques/T1069/002/", "https://attack.mitre.org/techniques/T1018/", "https://attack.mitre.org/techniques/T1049/", "https://attack.mitre.org/techniques/T1033/"], "narrative": "Discovery consists of techniques an adversay uses to gain knowledge about an internal environment or network. These techniques provide adversaries with situational awareness and allows them to have the necessary information before deciding how to act or who/what to target next.\nOnce an attacker obtains an initial foothold in an Active Directory environment, she is forced to engage in Discovery techniques in the initial phases of a breach to better understand and navigate the target network. Some examples include but are not limited to enumerating domain users, domain admins, computers, domain controllers, network shares, group policy objects, domain trusts, etc.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1570", "mitre_attack_technique": "Lateral Tool Transfer", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT32", "APT41", "Aoqin Dragon", "Chimera", "FIN10", "GALLIUM", "Magic Hound", "Sandworm Team", "Turla", "Volt Typhoon", "Wizard Spider"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Akira", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Scattered Spider", "Silence", "Threat Group-3390", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT41", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}, {"mitre_attack_id": "T1016.001", "mitre_attack_technique": "Internet Connection Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT29", "FIN13", "FIN8", "Gamaredon Group", "HAFNIUM", "HEXANE", "Magic Hound", "TA2541", "Turla"]}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "FIN7", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "ToddyCat", "Turla", "Volt Typhoon"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Akira", "Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "APT5", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1135", "mitre_attack_technique": "Network Share Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT32", "APT38", "APT39", "APT41", "Chimera", "DarkVishnya", "Dragonfly", "FIN13", "Sowbug", "Tonto Team", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1078.002", "mitre_attack_technique": "Domain Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT5", "Chimera", "Cinnamon Tempest", "Indrik Spider", "Magic Hound", "Naikon", "Sandworm Team", "TA505", "Threat Group-1314", "ToddyCat", "Volt Typhoon", "Wizard Spider"]}, {"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT41", "BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Scattered Spider", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1201", "mitre_attack_technique": "Password Policy Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "OilRig", "Turla"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}], "mitre_attack_tactics": ["Credential Access", "Lateral Movement", "Initial Access", "Defense Evasion", "Persistence", "Execution", "Discovery", "Privilege Escalation"], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation"]}, "detection_names": ["ESCU - AdsiSearcher Account Discovery - Rule", "ESCU - Domain Account Discovery with Dsquery - Rule", "ESCU - Domain Account Discovery With Net App - Rule", "ESCU - Domain Account Discovery with Wmic - Rule", "ESCU - Domain Controller Discovery with Nltest - Rule", "ESCU - Domain Controller Discovery with Wmic - Rule", "ESCU - Domain Group Discovery with Adsisearcher - Rule", "ESCU - Domain Group Discovery With Dsquery - Rule", "ESCU - Domain Group Discovery With Net - Rule", "ESCU - Domain Group Discovery With Wmic - Rule", "ESCU - DSQuery Domain Discovery - Rule", "ESCU - Elevated Group Discovery With Net - Rule", "ESCU - Elevated Group Discovery with PowerView - Rule", "ESCU - Elevated Group Discovery With Wmic - Rule", "ESCU - Get ADDefaultDomainPasswordPolicy with Powershell - Rule", "ESCU - Get ADDefaultDomainPasswordPolicy with Powershell Script Block - Rule", "ESCU - Get ADUser with PowerShell - Rule", "ESCU - Get ADUser with PowerShell Script Block - Rule", "ESCU - Get ADUserResultantPasswordPolicy with Powershell - Rule", "ESCU - Get ADUserResultantPasswordPolicy with Powershell Script Block - Rule", "ESCU - Get DomainPolicy with Powershell - Rule", "ESCU - Get DomainPolicy with Powershell Script Block - Rule", "ESCU - Get-DomainTrust with PowerShell - Rule", "ESCU - Get-DomainTrust with PowerShell Script Block - Rule", "ESCU - Get DomainUser with PowerShell - Rule", "ESCU - Get DomainUser with PowerShell Script Block - Rule", "ESCU - Get-ForestTrust with PowerShell - Rule", "ESCU - Get-ForestTrust with PowerShell Script Block - Rule", "ESCU - Get WMIObject Group Discovery - Rule", "ESCU - Get WMIObject Group Discovery with Script Block Logging - Rule", "ESCU - GetAdComputer with PowerShell - Rule", "ESCU - GetAdComputer with PowerShell Script Block - Rule", "ESCU - GetAdGroup with PowerShell - Rule", "ESCU - GetAdGroup with PowerShell Script Block - Rule", "ESCU - GetCurrent User with PowerShell - Rule", "ESCU - GetCurrent User with PowerShell Script Block - Rule", "ESCU - GetDomainComputer with PowerShell - Rule", "ESCU - GetDomainComputer with PowerShell Script Block - Rule", "ESCU - GetDomainController with PowerShell - Rule", "ESCU - GetDomainController with PowerShell Script Block - Rule", "ESCU - GetDomainGroup with PowerShell - Rule", "ESCU - GetDomainGroup with PowerShell Script Block - Rule", "ESCU - GetLocalUser with PowerShell - Rule", "ESCU - GetLocalUser with PowerShell Script Block - Rule", "ESCU - GetNetTcpconnection with PowerShell - Rule", "ESCU - GetNetTcpconnection with PowerShell Script Block - Rule", "ESCU - GetWmiObject Ds Computer with PowerShell - Rule", "ESCU - GetWmiObject Ds Computer with PowerShell Script Block - Rule", "ESCU - GetWmiObject Ds Group with PowerShell - Rule", "ESCU - GetWmiObject Ds Group with PowerShell Script Block - Rule", "ESCU - GetWmiObject DS User with PowerShell - Rule", "ESCU - GetWmiObject DS User with PowerShell Script Block - Rule", "ESCU - GetWmiObject User Account with PowerShell - Rule", "ESCU - GetWmiObject User Account with PowerShell Script Block - Rule", "ESCU - Local Account Discovery with Net - Rule", "ESCU - Local Account Discovery With Wmic - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Connection Discovery With Net - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Network Discovery Using Route Windows App - Rule", "ESCU - NLTest Domain Trust Discovery - Rule", "ESCU - Password Policy Discovery with Net - Rule", "ESCU - PowerShell Get LocalGroup Discovery - Rule", "ESCU - Powershell Get LocalGroup Discovery with Script Block Logging - Rule", "ESCU - Remote System Discovery with Adsisearcher - Rule", "ESCU - Remote System Discovery with Dsquery - Rule", "ESCU - Remote System Discovery with Net - Rule", "ESCU - Remote System Discovery with Wmic - Rule", "ESCU - ServicePrincipalNames Discovery with PowerShell - Rule", "ESCU - ServicePrincipalNames Discovery with SetSPN - Rule", "ESCU - System User Discovery With Query - Rule", "ESCU - System User Discovery With Whoami - Rule", "ESCU - User Discovery With Env Vars PowerShell - Rule", "ESCU - User Discovery With Env Vars PowerShell Script Block - Rule", "ESCU - Windows AD Abnormal Object Access Activity - Rule", "ESCU - Windows AD Privileged Object Access Activity - Rule", "ESCU - Windows File Share Discovery With Powerview - Rule", "ESCU - Windows Find Domain Organizational Units with GetDomainOU - Rule", "ESCU - Windows Find Interesting ACL with FindInterestingDomainAcl - Rule", "ESCU - Windows Forest Discovery with GetForestDomain - Rule", "ESCU - Windows Get Local Admin with FindLocalAdminAccess - Rule", "ESCU - Windows Hidden Schedule Task Settings - Rule", "ESCU - Windows Lateral Tool Transfer RemCom - Rule", "ESCU - Windows Linked Policies In ADSI Discovery - Rule", "ESCU - Windows PowerView AD Access Control List Enumeration - Rule", "ESCU - Windows Root Domain linked policies Discovery - Rule", "ESCU - Windows Service Create RemComSvc - Rule", "ESCU - Windows Suspect Process With Authentication Traffic - Rule", "ESCU - Wmic Group Discovery - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "AdsiSearcher Account Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Domain Account Discovery with Dsquery", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Domain Account Discovery With Net App", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Domain Account Discovery with Wmic", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Domain Controller Discovery with Nltest", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "Domain Controller Discovery with Wmic", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "Domain Group Discovery with Adsisearcher", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}, {"name": "Domain Group Discovery With Dsquery", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}, {"name": "Domain Group Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}, {"name": "Domain Group Discovery With Wmic", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}, {"name": "DSQuery Domain Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Trust Discovery"}]}, {"name": "Elevated Group Discovery With Net", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}, {"name": "Elevated Group Discovery with PowerView", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}, {"name": "Elevated Group Discovery With Wmic", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}, {"name": "Get ADDefaultDomainPasswordPolicy with Powershell", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Password Policy Discovery"}]}, {"name": "Get ADDefaultDomainPasswordPolicy with Powershell Script Block", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Password Policy Discovery"}]}, {"name": "Get ADUser with PowerShell", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Get ADUser with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Get ADUserResultantPasswordPolicy with Powershell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Policy Discovery"}]}, {"name": "Get ADUserResultantPasswordPolicy with Powershell Script Block", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Policy Discovery"}]}, {"name": "Get DomainPolicy with Powershell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Policy Discovery"}]}, {"name": "Get DomainPolicy with Powershell Script Block", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Policy Discovery"}]}, {"name": "Get-DomainTrust with PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Trust Discovery"}]}, {"name": "Get-DomainTrust with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Trust Discovery"}]}, {"name": "Get DomainUser with PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Get DomainUser with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Get-ForestTrust with PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Trust Discovery"}]}, {"name": "Get-ForestTrust with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Trust Discovery"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Get WMIObject Group Discovery", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}, {"name": "Get WMIObject Group Discovery with Script Block Logging", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}, {"name": "GetAdComputer with PowerShell", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "GetAdComputer with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "GetAdGroup with PowerShell", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}, {"name": "GetAdGroup with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}, {"name": "GetCurrent User with PowerShell", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Owner/User Discovery"}]}, {"name": "GetCurrent User with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Owner/User Discovery"}]}, {"name": "GetDomainComputer with PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "GetDomainComputer with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "GetDomainController with PowerShell", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "GetDomainController with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "GetDomainGroup with PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}, {"name": "GetDomainGroup with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}, {"name": "GetLocalUser with PowerShell", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}]}, {"name": "GetLocalUser with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "GetNetTcpconnection with PowerShell", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "GetNetTcpconnection with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "GetWmiObject Ds Computer with PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "GetWmiObject Ds Computer with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "GetWmiObject Ds Group with PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}, {"name": "GetWmiObject Ds Group with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}, {"name": "GetWmiObject DS User with PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "GetWmiObject DS User with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "GetWmiObject User Account with PowerShell", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}]}, {"name": "GetWmiObject User Account with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Local Account Discovery with Net", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}]}, {"name": "Local Account Discovery With Wmic", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}]}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}, {"name": "Network Connection Discovery With Arp", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "Network Connection Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "Network Discovery Using Route Windows App", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Internet Connection Discovery"}]}, {"name": "NLTest Domain Trust Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Trust Discovery"}]}, {"name": "Password Policy Discovery with Net", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Password Policy Discovery"}]}, {"name": "PowerShell Get LocalGroup Discovery", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}, {"name": "Powershell Get LocalGroup Discovery with Script Block Logging", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}, {"name": "Remote System Discovery with Adsisearcher", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "Remote System Discovery with Dsquery", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "Remote System Discovery with Net", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "Remote System Discovery with Wmic", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "ServicePrincipalNames Discovery with PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Kerberoasting"}]}, {"name": "ServicePrincipalNames Discovery with SetSPN", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Kerberoasting"}]}, {"name": "System User Discovery With Query", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Owner/User Discovery"}]}, {"name": "System User Discovery With Whoami", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Owner/User Discovery"}]}, {"name": "User Discovery With Env Vars PowerShell", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Owner/User Discovery"}]}, {"name": "User Discovery With Env Vars PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Owner/User Discovery"}]}, {"name": "Windows AD Abnormal Object Access Activity", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Account"}]}, {"name": "Windows AD Privileged Object Access Activity", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Account"}]}, {"name": "Windows File Share Discovery With Powerview", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Network Share Discovery"}]}, {"name": "Windows Find Domain Organizational Units with GetDomainOU", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Account"}]}, {"name": "Windows Find Interesting ACL with FindInterestingDomainAcl", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Account"}]}, {"name": "Windows Forest Discovery with GetForestDomain", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Account"}]}, {"name": "Windows Get Local Admin with FindLocalAdminAccess", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Account"}]}, {"name": "Windows Hidden Schedule Task Settings", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Windows Lateral Tool Transfer RemCom", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Lateral Tool Transfer"}]}, {"name": "Windows Linked Policies In ADSI Discovery", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Windows PowerView AD Access Control List Enumeration", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Accounts"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}, {"name": "Windows Root Domain linked policies Discovery", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Windows Service Create RemComSvc", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Windows Suspect Process With Authentication Traffic", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "User Execution"}, {"mitre_attack_technique": "Malicious File"}]}, {"name": "Wmic Group Discovery", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}]}, {"name": "Active Directory Kerberos Attacks", "author": "Mauricio Velazco, Splunk", "date": "2022-02-02", "version": 1, "id": "38b8cf16-8461-11ec-ade1-acde48001122", "description": "Monitor for activities and techniques associated with Kerberos based attacks within with Active Directory environments.", "references": ["https://en.wikipedia.org/wiki/Kerberos_(protocol)", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/2a32282e-dd48-4ad9-a542-609804b02cc9", "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", "https://stealthbits.com/blog/cracking-active-directory-passwords-with-as-rep-roasting/", "https://attack.mitre.org/techniques/T1558/003/", "https://attack.mitre.org/techniques/T1550/003/", "https://attack.mitre.org/techniques/T1558/004/"], "narrative": "Kerberos, initially named after Cerberus, the three-headed dog in Greek mythology, is a network authentication protocol that allows computers and users to prove their identity through a trusted third-party. This trusted third-party issues Kerberos tickets using symmetric encryption to allow users access to services and network resources based on their privilege level. Kerberos is the default authentication protocol used on Windows Active Directory networks since the introduction of Windows Server 2003. With Kerberos being the backbone of Windows authentication, it is commonly abused by adversaries across the different phases of a breach including initial access, privilege escalation, defense evasion, credential access, lateral movement, etc.\nThis Analytic Story groups detection use cases in which the Kerberos protocol is abused. Defenders can leverage these analytics to detect and hunt for adversaries engaging in Kerberos based attacks.", "tags": {"category": ["Adversary Tactics", "Account Compromise", "Lateral Movement", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1589", "mitre_attack_technique": "Gather Victim Identity Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["APT32", "FIN13", "HEXANE", "LAPSUS$", "Magic Hound"]}, {"mitre_attack_id": "T1589.002", "mitre_attack_technique": "Email Addresses", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["APT32", "EXOTIC LILY", "HAFNIUM", "HEXANE", "Kimsuky", "LAPSUS$", "Lazarus Group", "Magic Hound", "Sandworm Team", "Silent Librarian", "TA551"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}, {"mitre_attack_id": "T1558.001", "mitre_attack_technique": "Golden Ticket", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Ke3chang"]}, {"mitre_attack_id": "T1558.004", "mitre_attack_technique": "AS-REP Roasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1550.003", "mitre_attack_technique": "Pass the Ticket", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["APT29", "APT32", "BRONZE BUTLER"]}, {"mitre_attack_id": "T1078.002", "mitre_attack_technique": "Domain Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT5", "Chimera", "Cinnamon Tempest", "Indrik Spider", "Magic Hound", "Naikon", "Sandworm Team", "TA505", "Threat Group-1314", "ToddyCat", "Volt Typhoon", "Wizard Spider"]}, {"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Akira", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Scattered Spider", "Silence", "Threat Group-3390", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}], "mitre_attack_tactics": ["Credential Access", "Initial Access", "Reconnaissance", "Lateral Movement", "Persistence", "Privilege Escalation", "Discovery", "Defense Evasion"], "datamodels": ["Endpoint", "Authentication", "Network_Traffic", "Change"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation", "Reconnaissance"]}, "detection_names": ["ESCU - Disabled Kerberos Pre-Authentication Discovery With Get-ADUser - Rule", "ESCU - Disabled Kerberos Pre-Authentication Discovery With PowerView - Rule", "ESCU - Kerberoasting spn request with RC4 encryption - Rule", "ESCU - Kerberos Pre-Authentication Flag Disabled in UserAccountControl - Rule", "ESCU - Kerberos Pre-Authentication Flag Disabled with PowerShell - Rule", "ESCU - Kerberos Service Ticket Request Using RC4 Encryption - Rule", "ESCU - Kerberos TGT Request Using RC4 Encryption - Rule", "ESCU - Kerberos User Enumeration - Rule", "ESCU - Mimikatz PassTheTicket CommandLine Parameters - Rule", "ESCU - PetitPotam Suspicious Kerberos TGT Request - Rule", "ESCU - Rubeus Command Line Parameters - Rule", "ESCU - Rubeus Kerberos Ticket Exports Through Winlogon Access - Rule", "ESCU - ServicePrincipalNames Discovery with PowerShell - Rule", "ESCU - ServicePrincipalNames Discovery with SetSPN - Rule", "ESCU - Suspicious Kerberos Service Ticket Request - Rule", "ESCU - Suspicious Ticket Granting Ticket Request - Rule", "ESCU - Unknown Process Using The Kerberos Protocol - Rule", "ESCU - Unusual Number of Computer Service Tickets Requested - Rule", "ESCU - Unusual Number of Kerberos Service Tickets Requested - Rule", "ESCU - Windows Computer Account Created by Computer Account - Rule", "ESCU - Windows Computer Account Requesting Kerberos Ticket - Rule", "ESCU - Windows Computer Account With SPN - Rule", "ESCU - Windows Domain Admin Impersonation Indicator - Rule", "ESCU - Windows Get-AdComputer Unconstrained Delegation Discovery - Rule", "ESCU - Windows Kerberos Local Successful Logon - Rule", "ESCU - Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos - Rule", "ESCU - Windows Multiple Invalid Users Fail To Authenticate Using Kerberos - Rule", "ESCU - Windows Multiple Users Failed To Authenticate Using Kerberos - Rule", "ESCU - Windows PowerView Constrained Delegation Discovery - Rule", "ESCU - Windows PowerView Kerberos Service Ticket Request - Rule", "ESCU - Windows PowerView SPN Discovery - Rule", "ESCU - Windows PowerView Unconstrained Delegation Discovery - Rule", "ESCU - Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Users Failed To Auth Using Kerberos - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Disabled Kerberos Pre-Authentication Discovery With Get-ADUser", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "AS-REP Roasting"}]}, {"name": "Disabled Kerberos Pre-Authentication Discovery With PowerView", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "AS-REP Roasting"}]}, {"name": "Kerberoasting spn request with RC4 encryption", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}]}, {"name": "Kerberos Pre-Authentication Flag Disabled in UserAccountControl", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "AS-REP Roasting"}]}, {"name": "Kerberos Pre-Authentication Flag Disabled with PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "AS-REP Roasting"}]}, {"name": "Kerberos Service Ticket Request Using RC4 Encryption", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Golden Ticket"}]}, {"name": "Kerberos TGT Request Using RC4 Encryption", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Use Alternate Authentication Material"}]}, {"name": "Kerberos User Enumeration", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Gather Victim Identity Information"}, {"mitre_attack_technique": "Email Addresses"}]}, {"name": "Mimikatz PassTheTicket CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Use Alternate Authentication Material"}, {"mitre_attack_technique": "Pass the Ticket"}]}, {"name": "PetitPotam Suspicious Kerberos TGT Request", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Rubeus Command Line Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Use Alternate Authentication Material"}, {"mitre_attack_technique": "Pass the Ticket"}, {"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}, {"mitre_attack_technique": "AS-REP Roasting"}]}, {"name": "Rubeus Kerberos Ticket Exports Through Winlogon Access", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Use Alternate Authentication Material"}, {"mitre_attack_technique": "Pass the Ticket"}]}, {"name": "ServicePrincipalNames Discovery with PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Kerberoasting"}]}, {"name": "ServicePrincipalNames Discovery with SetSPN", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Kerberoasting"}]}, {"name": "Suspicious Kerberos Service Ticket Request", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Domain Accounts"}]}, {"name": "Suspicious Ticket Granting Ticket Request", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Domain Accounts"}]}, {"name": "Unknown Process Using The Kerberos Protocol", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Use Alternate Authentication Material"}]}, {"name": "Unusual Number of Computer Service Tickets Requested", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "Unusual Number of Kerberos Service Tickets Requested", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}]}, {"name": "Windows Computer Account Created by Computer Account", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}, {"name": "Windows Computer Account Requesting Kerberos Ticket", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}, {"name": "Windows Computer Account With SPN", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}, {"name": "Windows Domain Admin Impersonation Indicator", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}, {"name": "Windows Get-AdComputer Unconstrained Delegation Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "Windows Kerberos Local Successful Logon", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}, {"name": "Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Multiple Invalid Users Fail To Authenticate Using Kerberos", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Multiple Users Failed To Authenticate Using Kerberos", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows PowerView Constrained Delegation Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "Windows PowerView Kerberos Service Ticket Request", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}]}, {"name": "Windows PowerView SPN Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}]}, {"name": "Windows PowerView Unconstrained Delegation Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Unusual Count Of Users Failed To Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}]}, {"name": "Active Directory Lateral Movement", "author": "David Dorsey, Mauricio Velazco Splunk", "date": "2021-12-09", "version": 3, "id": "399d65dc-1f08-499b-a259-aad9051f38ad", "description": "Detect and investigate tactics, techniques, and procedures around how attackers move laterally within an Active Directory environment. Since lateral movement is often a necessary step in a breach, it is important for cyber defenders to deploy detection coverage.", "references": ["https://www.fireeye.com/blog/executive-perspective/2015/08/malware_lateral_move.html", "http://www.irongeek.com/i.php?page=videos/derbycon7/t405-hunting-lateral-movement-for-fun-and-profit-mauricio-velazco"], "narrative": "Once attackers gain a foothold within an enterprise, they will seek to expand their accesses and leverage techniques that facilitate lateral movement. Attackers will often spend quite a bit of time and effort moving laterally. Because lateral movement renders an attacker the most vulnerable to detection, it's an excellent focus for detection and investigation.\nIndications of lateral movement in an Active Directory network can include the abuse of system utilities (such as `psexec.exe`), unauthorized use of remote desktop services, `file/admin$` shares, WMI, PowerShell, Service Control Manager, the DCOM protocol, WinRM or the abuse of scheduled tasks. Organizations must be extra vigilant in detecting lateral movement techniques and look for suspicious activity in and around high-value strategic network assets, such as Active Directory, which are often considered the primary target or \"crown jewels\" to a persistent threat actor.\nAn adversary can use lateral movement for multiple purposes, including remote execution of tools, pivoting to additional systems, obtaining access to specific information or files, access to additional credentials, exfiltrating data, or delivering a secondary effect. Adversaries may use legitimate credentials alongside inherent network and operating-system functionality to remotely connect to other systems and remain under the radar of network defenders.\nIf there is evidence of lateral movement, it is imperative for analysts to collect evidence of the associated offending hosts. For example, an attacker might leverage host A to gain access to host B. From there, the attacker may try to move laterally to host C. In this example, the analyst should gather as much information as possible from all three hosts.\nIt is also important to collect authentication logs for each host, to ensure that the offending accounts are well-documented. Analysts should account for all processes to ensure that the attackers did not install unauthorized software.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "APT5", "Dragonfly", "FIN13", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT", "Wizard Spider"]}, {"mitre_attack_id": "T1563", "mitre_attack_technique": "Remote Service Session Hijacking", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1210", "mitre_attack_technique": "Exploitation of Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "Dragonfly", "Earth Lusca", "FIN7", "Fox Kitten", "MuddyWater", "Threat Group-3390", "Tonto Team", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1053.002", "mitre_attack_technique": "At", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "BRONZE BUTLER", "Threat Group-3390"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider", "Scattered Spider"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1550.002", "mitre_attack_technique": "Pass the Hash", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["APT1", "APT28", "APT32", "APT41", "Chimera", "FIN13", "GALLIUM", "Kimsuky", "Wizard Spider"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1563.002", "mitre_attack_technique": "RDP Hijacking", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Axiom"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218.014", "mitre_attack_technique": "MMC", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "APT5", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1135", "mitre_attack_technique": "Network Share Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT32", "APT38", "APT39", "APT41", "Chimera", "DarkVishnya", "Dragonfly", "FIN13", "Sowbug", "Tonto Team", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1021.006", "mitre_attack_technique": "Windows Remote Management", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Chimera", "FIN13", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1574.011", "mitre_attack_technique": "Services Registry Permissions Weakness", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Discovery", "Credential Access", "Lateral Movement", "Initial Access", "Defense Evasion", "Persistence", "Execution", "Privilege Escalation"], "datamodels": ["Endpoint", "Risk", "Change"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation"]}, "detection_names": ["ESCU - Detect Activity Related to Pass the Hash Attacks - Rule", "ESCU - Active Directory Lateral Movement Identified - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Interactive Session on Remote Endpoint with PowerShell - Rule", "ESCU - Mmc LOLBAS Execution Process Spawn - Rule", "ESCU - Possible Lateral Movement PowerShell Spawn - Rule", "ESCU - PowerShell Invoke CIMMethod CIMSession - Rule", "ESCU - PowerShell Start or Stop Service - Rule", "ESCU - Randomly Generated Scheduled Task Name - Rule", "ESCU - Randomly Generated Windows Service Name - Rule", "ESCU - Remote Desktop Process Running On System - Rule", "ESCU - Remote Process Instantiation via DCOM and PowerShell - Rule", "ESCU - Remote Process Instantiation via DCOM and PowerShell Script Block - Rule", "ESCU - Remote Process Instantiation via WinRM and PowerShell - Rule", "ESCU - Remote Process Instantiation via WinRM and PowerShell Script Block - Rule", "ESCU - Remote Process Instantiation via WinRM and Winrs - Rule", "ESCU - Remote Process Instantiation via WMI - Rule", "ESCU - Remote Process Instantiation via WMI and PowerShell - Rule", "ESCU - Remote Process Instantiation via WMI and PowerShell Script Block - Rule", "ESCU - Scheduled Task Creation on Remote Endpoint using At - Rule", "ESCU - Scheduled Task Initiation on Remote Endpoint - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Services LOLBAS Execution Process Spawn - Rule", "ESCU - Short Lived Scheduled Task - Rule", "ESCU - Short Lived Windows Accounts - Rule", "ESCU - Svchost LOLBAS Execution Process Spawn - Rule", "ESCU - Unusual Number of Computer Service Tickets Requested - Rule", "ESCU - Unusual Number of Remote Endpoint Authentication Events - Rule", "ESCU - Windows Administrative Shares Accessed On Multiple Hosts - Rule", "ESCU - Windows Enable Win32 ScheduledJob via Registry - Rule", "ESCU - Windows Large Number of Computer Service Tickets Requested - Rule", "ESCU - Windows Local Administrator Credential Stuffing - Rule", "ESCU - Windows PowerShell Get CIMInstance Remote Computer - Rule", "ESCU - Windows PowerShell WMI Win32 ScheduledJob - Rule", "ESCU - Windows Rapid Authentication On Multiple Hosts - Rule", "ESCU - Windows RDP Connection Successful - Rule", "ESCU - Windows Remote Create Service - Rule", "ESCU - Windows Service Create with Tscon - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows Service Created Within Public Path - Rule", "ESCU - Windows Service Creation on Remote Endpoint - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule", "ESCU - Windows Service Initiation on Remote Endpoint - Rule", "ESCU - Windows Special Privileged Logon On Multiple Hosts - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - Wmiprsve LOLBAS Execution Process Spawn - Rule", "ESCU - Wsmprovhost LOLBAS Execution Process Spawn - Rule", "ESCU - Remote Desktop Network Traffic - Rule"], "investigation_names": ["Investigate Successful Remote Desktop Authentications"], "baseline_names": [], "author_company": "Mauricio Velazco Splunk", "author_name": "David Dorsey", "detections": [{"name": "Detect Activity Related to Pass the Hash Attacks", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "Use Alternate Authentication Material"}, {"mitre_attack_technique": "Pass the Hash"}]}, {"name": "Active Directory Lateral Movement Identified", "source": "endpoint", "type": "Correlation", "tags": [{"mitre_attack_technique": "Exploitation of Remote Services"}]}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Interactive Session on Remote Endpoint with PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Windows Remote Management"}]}, {"name": "Mmc LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "MMC"}]}, {"name": "Possible Lateral Movement PowerShell Spawn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Remote Management"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "MMC"}]}, {"name": "PowerShell Invoke CIMMethod CIMSession", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "PowerShell Start or Stop Service", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "PowerShell"}]}, {"name": "Randomly Generated Scheduled Task Name", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}, {"name": "Randomly Generated Windows Service Name", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Remote Desktop Process Running On System", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "Remote Process Instantiation via DCOM and PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Distributed Component Object Model"}]}, {"name": "Remote Process Instantiation via DCOM and PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Distributed Component Object Model"}]}, {"name": "Remote Process Instantiation via WinRM and PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Windows Remote Management"}]}, {"name": "Remote Process Instantiation via WinRM and PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Windows Remote Management"}]}, {"name": "Remote Process Instantiation via WinRM and Winrs", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Windows Remote Management"}]}, {"name": "Remote Process Instantiation via WMI", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "Remote Process Instantiation via WMI and PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "Remote Process Instantiation via WMI and PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "Scheduled Task Creation on Remote Endpoint using At", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "At"}]}, {"name": "Scheduled Task Initiation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}, {"name": "Schtasks scheduling job on remote system", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Services LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Short Lived Scheduled Task", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}]}, {"name": "Short Lived Windows Accounts", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}, {"name": "Svchost LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}, {"name": "Unusual Number of Computer Service Tickets Requested", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "Unusual Number of Remote Endpoint Authentication Events", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "Windows Administrative Shares Accessed On Multiple Hosts", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Network Share Discovery"}]}, {"name": "Windows Enable Win32 ScheduledJob via Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Scheduled Task"}]}, {"name": "Windows Large Number of Computer Service Tickets Requested", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Network Share Discovery"}, {"mitre_attack_technique": "Valid Accounts"}]}, {"name": "Windows Local Administrator Credential Stuffing", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Credential Stuffing"}]}, {"name": "Windows PowerShell Get CIMInstance Remote Computer", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "PowerShell"}]}, {"name": "Windows PowerShell WMI Win32 ScheduledJob", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows Rapid Authentication On Multiple Hosts", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Security Account Manager"}]}, {"name": "Windows RDP Connection Successful", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "RDP Hijacking"}]}, {"name": "Windows Remote Create Service", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Windows Service Create with Tscon", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "RDP Hijacking"}, {"mitre_attack_technique": "Remote Service Session Hijacking"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Windows Service Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Windows Service Creation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Services Registry Permissions Weakness"}]}, {"name": "Windows Service Initiation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Windows Special Privileged Logon On Multiple Hosts", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Network Share Discovery"}]}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Wmiprsve LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "Wsmprovhost LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Windows Remote Management"}]}, {"name": "Remote Desktop Network Traffic", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}]}, {"name": "Active Directory Password Spraying", "author": "Mauricio Velazco, Splunk", "date": "2021-04-07", "version": 2, "id": "3de109da-97d2-11eb-8b6a-acde48001122", "description": "Monitor for activities and techniques associated with Password Spraying attacks within Active Directory environments.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://www.microsoft.com/security/blog/2020/04/23/protecting-organization-password-spray-attacks/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn452415(v=ws.11)"], "narrative": "In a password spraying attack, adversaries leverage one or a small list of commonly used / popular passwords against a large volume of usernames to acquire valid account credentials. Unlike a Brute Force attack that targets a specific user or small group of users with a large number of passwords, password spraying follows the opposite aproach and increases the chances of obtaining valid credentials while avoiding account lockouts. This allows adversaries to remain undetected if the target organization does not have the proper monitoring and detection controls in place.\nPassword Spraying can be leveraged by adversaries across different stages in an attack. It can be used to obtain an iniial access to an environment but can also be used to escalate privileges when access has been already achieved. In some scenarios, this technique capitalizes on a security policy most organizations implement, password rotation. As enterprise users change their passwords, it is possible some pick predictable, seasonal passwords such as `$CompanyNameWinter`, `Summer2021`, etc.\nSpecifically, this Analytic Story is focused on detecting possible Password Spraying attacks against Active Directory environments leveraging Windows Event Logs in the `Account Logon` and `Logon/Logoff` Advanced Audit Policy categories. It presents 16 detection analytics which can aid defenders in identifying instances where one source user, source host or source process attempts to authenticate against a target or targets using a high or statiscally unsual, number of unique users. A user, host or process attempting to authenticate with multiple users is not common behavior for legitimate systems and should be monitored by security teams. Possible false positive scenarios include but are not limited to vulnerability scanners, remote administration tools, multi-user systems and missconfigured systems. These should be easily spotted when first implementing the detection and addded to an allow list or lookup table. The presented detections can also be used in Threat Hunting exercises.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "APT5", "Dragonfly", "FIN13", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT", "Wizard Spider"]}, {"mitre_attack_id": "T1078.003", "mitre_attack_technique": "Local Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT32", "FIN10", "FIN7", "HAFNIUM", "Kimsuky", "PROMETHIUM", "Tropic Trooper", "Turla"]}, {"mitre_attack_id": "T1078.002", "mitre_attack_technique": "Domain Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT5", "Chimera", "Cinnamon Tempest", "Indrik Spider", "Magic Hound", "Naikon", "Sandworm Team", "TA505", "Threat Group-1314", "ToddyCat", "Volt Typhoon", "Wizard Spider"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider", "Scattered Spider"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}], "mitre_attack_tactics": ["Credential Access", "Initial Access", "Defense Evasion", "Persistence", "Privilege Escalation"], "datamodels": ["Change"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation"]}, "detection_names": ["ESCU - Detect Excessive Account Lockouts From Endpoint - Rule", "ESCU - Detect Excessive User Account Lockouts - Rule", "ESCU - Windows Create Local Account - Rule", "ESCU - Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos - Rule", "ESCU - Windows Multiple Invalid Users Fail To Authenticate Using Kerberos - Rule", "ESCU - Windows Multiple Invalid Users Failed To Authenticate Using NTLM - Rule", "ESCU - Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials - Rule", "ESCU - Windows Multiple Users Failed To Authenticate From Host Using NTLM - Rule", "ESCU - Windows Multiple Users Failed To Authenticate From Process - Rule", "ESCU - Windows Multiple Users Failed To Authenticate Using Kerberos - Rule", "ESCU - Windows Multiple Users Remotely Failed To Authenticate From Host - Rule", "ESCU - Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM - Rule", "ESCU - Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials - Rule", "ESCU - Windows Unusual Count Of Users Failed To Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Users Failed To Authenticate From Process - Rule", "ESCU - Windows Unusual Count Of Users Failed To Authenticate Using NTLM - Rule", "ESCU - Windows Unusual Count Of Users Remotely Failed To Auth From Host - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Detect Excessive Account Lockouts From Endpoint", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Domain Accounts"}]}, {"name": "Detect Excessive User Account Lockouts", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Local Accounts"}]}, {"name": "Windows Create Local Account", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}, {"name": "Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Multiple Invalid Users Fail To Authenticate Using Kerberos", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Multiple Invalid Users Failed To Authenticate Using NTLM", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Multiple Users Failed To Authenticate From Host Using NTLM", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Multiple Users Failed To Authenticate From Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Multiple Users Failed To Authenticate Using Kerberos", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Multiple Users Remotely Failed To Authenticate From Host", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Unusual Count Of Users Failed To Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Unusual Count Of Users Failed To Authenticate From Process", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Unusual Count Of Users Failed To Authenticate Using NTLM", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Unusual Count Of Users Remotely Failed To Auth From Host", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}]}, {"name": "Active Directory Privilege Escalation", "author": "Mauricio Velazco, Splunk", "date": "2023-03-20", "version": 1, "id": "fa34a5d8-df0a-404c-8237-11f99cba1d5f", "description": "Monitor for activities and techniques associated with Privilege Escalation attacks within Active Directory environments.", "references": ["https://attack.mitre.org/tactics/TA0004/", "https://adsecurity.org/?p=3658", "https://adsecurity.org/?p=2362"], "narrative": "Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities.\nActive Directory is a central component of most enterprise networks, providing authentication and authorization services for users, computers, and other resources. It stores sensitive information such as passwords, user accounts, and security policies, and is therefore a high-value target for attackers. Privilege escalation attacks in Active Directory typically involve exploiting vulnerabilities or misconfigurations across the network to gain elevated privileges, such as Domain Administrator access. Once an attacker has escalated their privileges and taken full control of a domain, they can easily move laterally throughout the network, access sensitive data, and carry out further attacks. Security teams should monitor for privilege escalation attacks in Active Directory to identify a breach before attackers achieve operational success.\nThe following analytic story groups detection opportunities that seek to identify an adversary attempting to escalate privileges in an Active Directory network.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1484", "mitre_attack_technique": "Domain or Tenant Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1135", "mitre_attack_technique": "Network Share Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT32", "APT38", "APT39", "APT41", "Chimera", "DarkVishnya", "Dragonfly", "FIN13", "Sowbug", "Tonto Team", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1484.001", "mitre_attack_technique": "Group Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Cinnamon Tempest", "Indrik Spider"]}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1550.003", "mitre_attack_technique": "Pass the Ticket", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["APT29", "APT32", "BRONZE BUTLER"]}, {"mitre_attack_id": "T1558.001", "mitre_attack_technique": "Golden Ticket", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Ke3chang"]}, {"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}, {"mitre_attack_id": "T1558.004", "mitre_attack_technique": "AS-REP Roasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1078.002", "mitre_attack_technique": "Domain Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT5", "Chimera", "Cinnamon Tempest", "Indrik Spider", "Magic Hound", "Naikon", "Sandworm Team", "TA505", "Threat Group-1314", "ToddyCat", "Volt Typhoon", "Wizard Spider"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1552.006", "mitre_attack_technique": "Group Policy Preferences", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "Wizard Spider"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}], "mitre_attack_tactics": ["Credential Access", "Initial Access", "Lateral Movement", "Defense Evasion", "Persistence", "Discovery", "Privilege Escalation"], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation"]}, "detection_names": ["ESCU - Active Directory Privilege Escalation Identified - Rule", "ESCU - Kerberos Service Ticket Request Using RC4 Encryption - Rule", "ESCU - Rubeus Command Line Parameters - Rule", "ESCU - ServicePrincipalNames Discovery with PowerShell - Rule", "ESCU - ServicePrincipalNames Discovery with SetSPN - Rule", "ESCU - Suspicious Computer Account Name Change - Rule", "ESCU - Suspicious Kerberos Service Ticket Request - Rule", "ESCU - Suspicious Ticket Granting Ticket Request - Rule", "ESCU - Unusual Number of Computer Service Tickets Requested - Rule", "ESCU - Unusual Number of Remote Endpoint Authentication Events - Rule", "ESCU - Windows Administrative Shares Accessed On Multiple Hosts - Rule", "ESCU - Windows Admon Default Group Policy Object Modified - Rule", "ESCU - Windows Admon Group Policy Object Created - Rule", "ESCU - Windows Default Group Policy Object Modified - Rule", "ESCU - Windows Default Group Policy Object Modified with GPME - Rule", "ESCU - Windows DnsAdmins New Member Added - Rule", "ESCU - Windows Domain Admin Impersonation Indicator - Rule", "ESCU - Windows File Share Discovery With Powerview - Rule", "ESCU - Windows Findstr GPP Discovery - Rule", "ESCU - Windows Group Policy Object Created - Rule", "ESCU - Windows Large Number of Computer Service Tickets Requested - Rule", "ESCU - Windows Local Administrator Credential Stuffing - Rule", "ESCU - Windows PowerSploit GPP Discovery - Rule", "ESCU - Windows PowerView AD Access Control List Enumeration - Rule", "ESCU - Windows Rapid Authentication On Multiple Hosts - Rule", "ESCU - Windows Special Privileged Logon On Multiple Hosts - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Active Directory Privilege Escalation Identified", "source": "endpoint", "type": "Correlation", "tags": [{"mitre_attack_technique": "Domain or Tenant Policy Modification"}]}, {"name": "Kerberos Service Ticket Request Using RC4 Encryption", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Golden Ticket"}]}, {"name": "Rubeus Command Line Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Use Alternate Authentication Material"}, {"mitre_attack_technique": "Pass the Ticket"}, {"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}, {"mitre_attack_technique": "AS-REP Roasting"}]}, {"name": "ServicePrincipalNames Discovery with PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Kerberoasting"}]}, {"name": "ServicePrincipalNames Discovery with SetSPN", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Kerberoasting"}]}, {"name": "Suspicious Computer Account Name Change", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Domain Accounts"}]}, {"name": "Suspicious Kerberos Service Ticket Request", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Domain Accounts"}]}, {"name": "Suspicious Ticket Granting Ticket Request", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Domain Accounts"}]}, {"name": "Unusual Number of Computer Service Tickets Requested", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "Unusual Number of Remote Endpoint Authentication Events", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "Windows Administrative Shares Accessed On Multiple Hosts", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Network Share Discovery"}]}, {"name": "Windows Admon Default Group Policy Object Modified", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain or Tenant Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}]}, {"name": "Windows Admon Group Policy Object Created", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain or Tenant Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}]}, {"name": "Windows Default Group Policy Object Modified", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain or Tenant Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}]}, {"name": "Windows Default Group Policy Object Modified with GPME", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain or Tenant Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}]}, {"name": "Windows DnsAdmins New Member Added", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}]}, {"name": "Windows Domain Admin Impersonation Indicator", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}, {"name": "Windows File Share Discovery With Powerview", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Network Share Discovery"}]}, {"name": "Windows Findstr GPP Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Unsecured Credentials"}, {"mitre_attack_technique": "Group Policy Preferences"}]}, {"name": "Windows Group Policy Object Created", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain or Tenant Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}, {"mitre_attack_technique": "Domain Accounts"}]}, {"name": "Windows Large Number of Computer Service Tickets Requested", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Network Share Discovery"}, {"mitre_attack_technique": "Valid Accounts"}]}, {"name": "Windows Local Administrator Credential Stuffing", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Credential Stuffing"}]}, {"name": "Windows PowerSploit GPP Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Unsecured Credentials"}, {"mitre_attack_technique": "Group Policy Preferences"}]}, {"name": "Windows PowerView AD Access Control List Enumeration", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Accounts"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}, {"name": "Windows Rapid Authentication On Multiple Hosts", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Security Account Manager"}]}, {"name": "Windows Special Privileged Logon On Multiple Hosts", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Network Share Discovery"}]}]}, {"name": "Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360", "author": "Michael Haag, Splunk", "date": "2023-08-23", "version": 1, "id": "e33e2e38-f9c2-432d-8be6-bc67b92aa82e", "description": "In July 2023, a significant vulnerability, CVE-2023-29298, affecting Adobe ColdFusion was uncovered by Rapid7, shedding light on an access control bypass mechanism. This vulnerability allows attackers to access sensitive ColdFusion Administrator endpoints by exploiting a flaw in the URL path validation. Disturbingly, this flaw can be chained with another critical vulnerability, CVE-2023-26360, which has been actively exploited. The latter enables unauthorized arbitrary code execution and file reading. Adobe has promptly addressed these vulnerabilities, but the intricacies and potential ramifications of their combination underscore the importance of immediate action by organizations. With active exploitation in the wild and the ability to bypass established security measures, the situation is alarming. Organizations are urged to apply the updates provided by Adobe immediately, considering the active threat landscape and the severe implications of these chained vulnerabilities.", "references": ["https://helpx.adobe.com/security/products/coldfusion/apsb23-25.html", "https://twitter.com/stephenfewer/status/1678881017526886400?s=20", "https://www.rapid7.com/blog/post/2023/07/11/cve-2023-29298-adobe-coldfusion-access-control-bypass", "https://www.bleepingcomputer.com/news/security/cisa-warns-of-adobe-coldfusion-bug-exploited-as-a-zero-day/"], "narrative": "Adobe ColdFusion, a prominent application server, has been thrust into the cybersecurity spotlight due to two intertwined vulnerabilities. The first, CVE-2023-29298, identified by Rapid7 in July 2023, pertains to an access control bypass in ColdFusion's security mechanisms. This flaw allows attackers to access protected ColdFusion Administrator endpoints simply by manipulating the URL path, specifically by inserting an additional forward slash. Compounding the threat is the revelation that CVE-2023-29298 can be chained with CVE-2023-26360, another severe ColdFusion vulnerability. This latter vulnerability, which has seen active exploitation, permits unauthorized attackers to execute arbitrary code or read arbitrary files on the affected system. In practice, an attacker could exploit the access control bypass to access sensitive ColdFusion endpoints and subsequently exploit the arbitrary code execution vulnerability, broadening their control and access over the targeted system. The consequences of these vulnerabilities are manifold. Attackers can potentially login to the ColdFusion Administrator with known credentials, bruteforce their way in, leak sensitive information, or exploit other vulnerabilities in the exposed CFM and CFC files. This combination of vulnerabilities significantly heightens the risk profile for organizations using the affected versions of Adobe ColdFusion. Addressing the urgency, Adobe released fixes for these vulnerabilities in July 2023, urging organizations to update to ColdFusion 2023 GA build, ColdFusion 2021 Update 7, and ColdFusion 2018 Update 17. However, Rapid7's disclosure highlights a potential incomplete fix, suggesting that organizations should remain vigilant and proactive in their security measures.\nIn conclusion, the discovery of these vulnerabilities and their potential to be exploited in tandem presents a significant security challenge. Organizations using Adobe ColdFusion must prioritize the application of security updates, monitor their systems closely for signs of intrusion, and remain updated on any further developments related to these vulnerabilities.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Web"], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - Adobe ColdFusion Access Control Bypass - Rule", "ESCU - Adobe ColdFusion Unauthenticated Arbitrary File Read - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Adobe ColdFusion Access Control Bypass", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}, {"name": "Adobe ColdFusion Unauthenticated Arbitrary File Read", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}]}, {"name": "AgentTesla", "author": "Teoderick Contreras, Splunk", "date": "2022-04-12", "version": 1, "id": "9bb6077a-843e-418b-b134-c57ef997103c", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the AgentTesla malware including .chm application child process, ftp/smtp connection, persistence and many more. AgentTesla is one of the advanced remote access trojans (RAT) that are capable of stealing sensitive information from the infected or targeted host machine. It can collect various types of data, including browser profile information, keystrokes, capture screenshots and vpn credentials. AgentTesla has been active malware since 2014 and often delivered as a malicious attachment in phishing emails.It is also the top malware in 2021 based on the CISA report.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla", "https://cert.gov.ua/article/861292", "https://www.cisa.gov/uscert/ncas/alerts/aa22-216a", "https://www.joesandbox.com/analysis/702680/0/html"], "narrative": "Adversaries or threat actor may use this malware to maximize the impact of infection on the target organization in operations where network wide availability interruption is the goal.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "Malteiro", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1204.001", "mitre_attack_technique": "Malicious Link", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1218.001", "mitre_attack_technique": "Compiled HTML File", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "APT41", "Dark Caracal", "OilRig", "Silence"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1071.003", "mitre_attack_technique": "Mail Protocols", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT28", "APT32", "Kimsuky", "SilverTerrier", "Turla"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "APT41", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Malteiro", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1014", "mitre_attack_technique": "Rootkit", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT41", "Rocke", "TeamTNT", "Winnti Group"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Magic Hound", "Rocke", "TeamTNT"]}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Initial Access", "Defense Evasion", "Persistence", "Execution", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation", "Command and Control"]}, "detection_names": ["ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - Detect HTML Help Spawn Child Process - Rule", "ESCU - Disabling Remote User Account Control - Rule", "ESCU - Excessive Usage Of Taskkill - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Office Application Drop Executable - Rule", "ESCU - Office Application Spawn rundll32 process - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Office Product Spawning CertUtil - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Driver Loaded Path - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Driver Load Non-Standard Path - Rule", "ESCU - Windows Drivers Loaded by Signature - Rule", "ESCU - Windows File Transfer Protocol In Non-Common Process Path - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Mail Protocol In Non-Common Process Path - Rule", "ESCU - Windows Multi hop Proxy TOR Website Query - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Add or Set Windows Defender Exclusion", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Detect HTML Help Spawn Child Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Compiled HTML File"}]}, {"name": "Disabling Remote User Account Control", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Excessive Usage Of Taskkill", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "Office Application Drop Executable", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Application Spawn rundll32 process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawning CertUtil", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "PowerShell Loading DotNET into Memory via Reflection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Suspicious Driver Loaded Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Windows Driver Load Non-Standard Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Rootkit"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}, {"name": "Windows Drivers Loaded by Signature", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Rootkit"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}, {"name": "Windows File Transfer Protocol In Non-Common Process Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Mail Protocols"}, {"mitre_attack_technique": "Application Layer Protocol"}]}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Malicious Link"}, {"mitre_attack_technique": "User Execution"}]}, {"name": "Windows Mail Protocol In Non-Common Process Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Mail Protocols"}, {"mitre_attack_technique": "Application Layer Protocol"}]}, {"name": "Windows Multi hop Proxy TOR Website Query", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Mail Protocols"}, {"mitre_attack_technique": "Application Layer Protocol"}]}, {"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}]}, {"name": "Amadey", "author": "Teoderick Contreras, Splunk", "date": "2023-06-16", "version": 1, "id": "a919a01b-3ea5-4ed4-9cbe-11cd8b64c36c", "description": "This analytic story contains searches that aims to detect activities related to Amadey, a type of malware that primarily operates as a banking Trojan. It is designed to steal sensitive information such as login credentials, credit card details, and other financial data from infected systems. The malware typically targets Windows-based computers.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey", "https://darktrace.com/blog/amadey-info-stealer-exploiting-n-day-vulnerabilities"], "narrative": "Amadey is one of the active trojans that are capable of stealing sensitive information via its from the infected or targeted host machine. It can collect various types of data, including browser profile information, clipboard data, capture screenshots and system information. Adversaries or threat actors may use this malware to maximize the impact of infection on the target organization in operations where data collection and exfiltration is the goal. The primary function is to steal information and further distribute malware. It aims to extract a variety of information from infected devices and attempts to evade the detection of security measures by reducing the volume of data exfiltration compared to that seen in other malicious instances.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1036.008", "mitre_attack_technique": "Masquerade File Type", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Volt Typhoon"]}, {"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "APT41", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "Volt Typhoon", "ZIRCONIUM"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.002", "mitre_attack_technique": "Spearphishing Link", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1222.001", "mitre_attack_technique": "Windows File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1204.001", "mitre_attack_technique": "Malicious Link", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}], "mitre_attack_tactics": ["Discovery", "Initial Access", "Persistence", "Privilege Escalation", "Execution", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation"]}, "detection_names": ["ESCU - Detect Outlook exe writing a zip file - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Process Creating LNK file in Suspicious Location - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Process Executed From Container File - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Credentials from Password Stores Chrome Extension Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule", "ESCU - Windows Files and Dirs Access Rights Modification Via Icacls - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Powershell RemoteSigned File - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Detect Outlook exe writing a zip file", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Process Creating LNK file in Suspicious Location", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Link"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Suspicious Process Executed From Container File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Malicious File"}, {"mitre_attack_technique": "Masquerade File Type"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Windows Credentials from Password Stores Chrome Extension Access", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Credentials from Password Stores Chrome LocalState Access", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Credentials from Password Stores Chrome Login Data Access", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Files and Dirs Access Rights Modification Via Icacls", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows File and Directory Permissions Modification"}, {"mitre_attack_technique": "File and Directory Permissions Modification"}]}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Malicious Link"}, {"mitre_attack_technique": "User Execution"}]}, {"name": "Windows Powershell RemoteSigned File", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Scheduled Task"}]}]}, {"name": "Apache Struts Vulnerability", "author": "Rico Valdez, Splunk", "date": "2018-12-06", "version": 1, "id": "2dcfd6a2-e7d2-4873-b6ba-adaf819d2a1e", "description": "Detect and investigate activities--such as unusually long `Content-Type` length, suspicious java classes and web servers executing suspicious processes--consistent with attempts to exploit Apache Struts vulnerabilities.", "references": ["https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.2/dev/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf"], "narrative": "In March of 2017, a remote code-execution vulnerability in the Jakarta Multipart parser in Apache Struts, a widely used open-source framework for creating Java web applications, was disclosed and assigned to CVE-2017-5638. About two months later, hackers exploited the flaw to carry out the world's 5th largest data breach. The target, credit giant Equifax, told investigators that it had become aware of the vulnerability two months before the attack.\nThe exploit involved manipulating the `Content-Type HTTP` header to execute commands embedded in the header.\nThis Analytic Story contains two different searches that help to identify activity that may be related to this issue. The first search looks for characteristics of the `Content-Type` header consistent with attempts to exploit the vulnerability. This should be a relatively pertinent indicator, as the `Content-Type` header is generally consistent and does not have a large degree of variation.\nThe second search looks for the execution of various commands typically entered on the command shell when an attacker first lands on a system. These commands are not generally executed on web servers during the course of day-to-day operation, but they may be used when the system is undergoing maintenance or troubleshooting.\nFirst, it is helpful is to understand how often the notable event is generated, as well as the commonalities in some of these events. This may help determine whether this is a common occurrence that is of a lesser concern or a rare event that may require more extensive investigation. It can also help to understand whether the issue is restricted to a single user or system or is broader in scope.\nWhen looking at the target of the behavior illustrated by the event, you should note the sensitivity of the user and or/system to help determine the potential impact. It is also helpful to see what other events involving the target have occurred in the recent past. This can help tie different events together and give further situational awareness regarding the target.\nVarious types of information for external systems should be reviewed and (potentially) collected if the incident is, indeed, judged to be malicious. Information like this can be useful in generating your own threat intelligence to create alerts in the future.\nLooking at the country, responsible party, and fully qualified domain names associated with the external IP address--as well as the registration information associated with those domain names, if they are frequently visited by others--can help you answer the question of \"who,\" in regard to the external system. Answering that can help qualify the event and may serve useful for tracking. In addition, there are various sources that can provide some reputation information on the IP address or domain name, which can assist in determining if the event is malicious in nature. Finally, determining whether or not there are other events associated with the IP address may help connect some dots or show other events that should be brought into scope.\nGathering various data elements on the system of interest can sometimes help quickly determine that something suspicious may be happening. Some of these items include determining who else may have recently logged into the system, whether any unusual scheduled tasks exist, whether the system is communicating on suspicious ports, whether there are modifications to sensitive registry keys, and whether there are any known vulnerabilities on the system. This information can often highlight other activity commonly seen in attack scenarios or give more information about how the system may have been targeted.\nhen a specific service or application is targeted, it is often helpful to know the associated version to help determine whether or not it is vulnerable to a specific exploit.\nhen it is suspected there is an attack targeting a web server, it is helpful to look at some of the behavior of the web service to see if there is evidence that the service has been compromised. Some indications of this might be network connections to external resources, the web service spawning child processes that are not associated with typical behavior, and whether the service wrote any files that might be malicious in nature.\nIn the event that a suspicious file is found, we can review more information about it to help determine if it is, in fact, malicious. Identifying the file type, any processes that have the file open, what processes created and/or modified the file, and the number of systems that may have this file can help to determine if the file is malicious. Also, determining the file hash and checking it against reputation sources, such as VirusTotal, can sometimes quickly help determine whether it is malicious in nature.\nOften, a simple inspection of a suspect process name and path can tell you if the system has been compromised. For example, if `svchost.exe` is found running from a location other than `C:\\Windows\\System32`, it is likely something malicious designed to hide in plain sight when simply reviewing process names. Similarly, if the process itself seems legitimate, but the parent process is running from the temporary browser cache, there may be activity initiated via a compromised website the user visited.\nIt can also be very helpful to examine various behaviors of the process of interest or the parent of the process that is of interest. For example, if it turns out that the process of interest is malicious, it would be good to see if the parent to that process spawned other processes that might also be worth further scrutiny. If a process is suspect, reviewing the network connections made around the time of the event and/or if the process spawned any child processes could be helpful in determining whether it is malicious or executing a malicious script.", "tags": {"category": ["Vulnerability"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1082", "mitre_attack_technique": "System Information Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT19", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "Blue Mockingbird", "Chimera", "Confucius", "Darkhotel", "FIN13", "FIN8", "Gamaredon Group", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Malteiro", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Sowbug", "Stealth Falcon", "TA2541", "TeamTNT", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Windigo", "Windshift", "Wizard Spider", "ZIRCONIUM", "admin@338"]}], "mitre_attack_tactics": ["Discovery"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Suspicious Java Classes - Rule", "ESCU - Web Servers Executing Suspicious Processes - Rule", "ESCU - Unusually Long Content-Type Length - Rule"], "investigation_names": ["Get Notable History", "Investigate Suspicious Strings in HTTP Header", "Investigate Web POSTs From src"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Suspicious Java Classes", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Web Servers Executing Suspicious Processes", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "System Information Discovery"}]}, {"name": "Unusually Long Content-Type Length", "source": "network", "type": "Anomaly", "tags": []}]}, {"name": "APT29 Diplomatic Deceptions with WINELOADER", "author": "Michael Haag, splunk", "date": "2024-03-26", "version": 1, "id": "7cb5fdb5-4c36-4721-8b0a-4cc5e78afadd", "description": "APT29, a sophisticated threat actor linked to the Russian SVR, has expanded its cyber espionage activities to target European diplomats and German political parties. Utilizing a novel backdoor variant, WINELOADER, these campaigns leverage diplomatic-themed lures to initiate infection chains, demonstrating APT29's evolving tactics and interest in geopolitical intelligence. The operations, marked by their low volume and high precision, underscore the broad threat APT29 poses to Western political and diplomatic entities.", "references": ["https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties", "https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader"], "narrative": "APT29, also known as Cozy Bear, has historically focused on espionage activities aligned with Russian intelligence interests. In recent campaigns, APT29 has notably shifted its operational focus, targeting not only its traditional diplomatic missions but also expanding into the political domain, specifically German political parties. These campaigns have been characterized by the deployment of WINELOADER, a sophisticated backdoor that facilitates the exfiltration of sensitive information. The use of themed lures, such as invitations from the Ambassador of India and CDU-themed documents, highlights APT29's strategic use of social engineering to compromise targets. The operations against European diplomats and German political entities reveal APT29's adaptive tactics and its persistent effort to gather intelligence that could influence Russia's geopolitical strategy. The precision of these attacks, coupled with the use of compromised websites for command and control, underscores the evolving threat landscape and the need for heightened cybersecurity vigilance among potential targets.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1140", "mitre_attack_technique": "Deobfuscate/Decode Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT39", "BRONZE BUTLER", "Cinnamon Tempest", "Darkhotel", "Earth Lusca", "FIN13", "Gamaredon Group", "Gorgon Group", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Malteiro", "Molerats", "MuddyWater", "OilRig", "Rocke", "Sandworm Team", "TA505", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "WIRTE", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA2541", "TA551"]}, {"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Cinnamon Tempest", "Earth Lusca", "FIN13", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}], "mitre_attack_tactics": ["Privilege Escalation", "Persistence", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - CertUtil With Decode Argument - Rule", "ESCU - Windows MSHTA Writing to World Writable Path - Rule", "ESCU - Windows Process Writing File to World Writable Path - Rule", "ESCU - Windows SqlWriter SQLDumper DLL Sideload - Rule", "ESCU - Windows Unsigned MS DLL Side-Loading - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "splunk", "author_name": "Michael Haag", "detections": [{"name": "CertUtil With Decode Argument", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Deobfuscate/Decode Files or Information"}]}, {"name": "Windows MSHTA Writing to World Writable Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Mshta"}]}, {"name": "Windows Process Writing File to World Writable Path", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Mshta"}]}, {"name": "Windows SqlWriter SQLDumper DLL Sideload", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "DLL Side-Loading"}]}, {"name": "Windows Unsigned MS DLL Side-Loading", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}]}, {"name": "Asset Tracking", "author": "Bhavin Patel, Splunk", "date": "2017-09-13", "version": 1, "id": "91c676cf-0b23-438d-abee-f6335e1fce77", "description": "Keep a careful inventory of every asset on your network to make it easier to detect rogue devices. Unauthorized/unmanaged devices could be an indication of malicious behavior that should be investigated further.", "references": ["https://www.cisecurity.org/controls/inventory-of-authorized-and-unauthorized-devices/"], "narrative": "This Analytic Story is designed to help you develop a better understanding of what authorized and unauthorized devices are part of your enterprise. This story can help you better categorize and classify assets, providing critical business context and awareness of their assets during an incident. Information derived from this Analytic Story can be used to better inform and support other analytic stories. For successful detection, you will need to leverage the Assets and Identity Framework from Enterprise Security to populate your known assets.", "tags": {"category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Unauthorized Assets by MAC address - Rule"], "investigation_names": ["Get First Occurrence and Last Occurrence of a MAC Address", "Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect Unauthorized Assets by MAC address", "source": "network", "type": "TTP", "tags": []}]}, {"name": "AsyncRAT", "author": "Teoderick Contreras, Splunk", "date": "2023-01-24", "version": 1, "id": "d7053072-7dd2-4874-8314-bfcbc99978a4", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the AsyncRAT malware including mshta application child process, bat loader execution, persistence and many more. AsyncRAT is an open source remote administration tool released last 2019. It's designed to remotely control computers via an encrypted connection, with view screen, keylogger, chat communication, persistence, defense evasion (e.g. Windows defender), DOS attack and many more.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat", "https://www.netskope.com/blog/asyncrat-using-fully-undetected-downloader"], "narrative": "although this project contains legal disclaimer, Adversaries or threat actors are popularly used in some attacks. This malware recently came across a Fully undetected batch script loader that downloads and loads the AsyncRAT from its C2 server. The batch script is obfuscated and will load a powershell loader that will decode and decrypt (AES256) the actual AsyncRAT malware.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1055.001", "mitre_attack_technique": "Dynamic-link Library Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["BackdoorDiplomacy", "Lazarus Group", "Leviathan", "Malteiro", "Putter Panda", "TA505", "Tropic Trooper", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1134.002", "mitre_attack_technique": "Create Process with Token", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Lazarus Group", "Turla"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1059.005", "mitre_attack_technique": "Visual Basic", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT33", "APT37", "APT38", "APT39", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Earth Lusca", "FIN13", "FIN4", "FIN7", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "Transparent Tribe", "Turla", "WIRTE", "Windshift"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}], "mitre_attack_tactics": ["Initial Access", "Reconnaissance", "Defense Evasion", "Persistence", "Execution", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation", "Reconnaissance"]}, "detection_names": ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Execution of File with Multiple Extensions - Rule", "ESCU - Loading Of Dynwrapx Module - Rule", "ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Powershell Processing Stream Of Data - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Vbscript Execution Using Wscript App - Rule", "ESCU - Windows Access Token Manipulation SeDebugPrivilege - Rule", "ESCU - Windows Powershell Cryptography Namespace - Rule", "ESCU - Windows Scheduled Task with Highest Privileges - Rule", "ESCU - Windows Spearphishing Attachment Connect To None MS Office Domain - Rule", "ESCU - Windows Spearphishing Attachment Onenote Spawn Mshta - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Execution of File with Multiple Extensions", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}, {"name": "Loading Of Dynwrapx Module", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Dynamic-link Library Injection"}]}, {"name": "Malicious PowerShell Process - Execution Policy Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "PowerShell Loading DotNET into Memory via Reflection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Powershell Processing Stream Of Data", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Gather Victim Host Information"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Regsvr32 Silent and Install Param Dll Loading", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Suspicious Copy on System32", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "Masquerading"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Vbscript Execution Using Wscript App", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Visual Basic"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows Access Token Manipulation SeDebugPrivilege", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Create Process with Token"}, {"mitre_attack_technique": "Access Token Manipulation"}]}, {"name": "Windows Powershell Cryptography Namespace", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows Scheduled Task with Highest Privileges", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}, {"name": "Windows Spearphishing Attachment Connect To None MS Office Domain", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}, {"name": "Windows Spearphishing Attachment Onenote Spawn Mshta", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Scheduled Task"}]}]}, {"name": "Atlassian Confluence Server and Data Center CVE-2022-26134", "author": "Michael Haag, Splunk", "date": "2022-06-03", "version": 1, "id": "91623a50-41fa-4c4e-8637-c239b80ff439", "description": "On June 2, security researchers at Volexity published a blog outlining the discovery of an unauthenticated remote code execution zero day vulnerability (CVE-2022-26134) being actively exploited in Atlassian Confluence Server and Data Center instances in the wild. Atlassian released a fix within 24 hours of the blog''s release.", "references": ["https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html", "https://www.splunk.com/en_us/blog/security/atlassian-confluence-vulnerability-cve-2022-26134.html", "https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/", "https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/"], "narrative": "Atlassian describes the vulnerability as an Object-Graph Navigation Language (OGNL) injection allowing an unauthenticated user to execute arbitrary code on a Confluence Server or Data Server instance. Volexity did not release proof-of-concept (POC) exploit code, but researchers there have observed coordinated, widespread exploitation. Volexity first discovered the vulnerability over the weekend on two Internet-facing web servers running Confluence Server software. The investigation was due to suspicious activity on the hosts, including JSP webshells that were written to disk.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Application Security", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}], "mitre_attack_tactics": ["Persistence", "Initial Access"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Installation"]}, "detection_names": ["ESCU - Java Writing JSP File - Rule", "ESCU - Confluence Unauthenticated Remote Code Execution CVE-2022-26134 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Java Writing JSP File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Confluence Unauthenticated Remote Code Execution CVE-2022-26134", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}]}, {"name": "AwfulShred", "author": "Teoderick Contreras, Splunk", "date": "2023-01-24", "version": 1, "id": "e36935ce-f48c-4fb2-8109-7e80c1cdc9e2", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the AwfulShred malware including wiping files, process kill, system reboot via system request, shred, and service stops.", "references": ["https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/", "https://cert.gov.ua/article/3718487"], "narrative": "AwfulShred is a malicious linux shell script designed to corrupt or wipe the linux targeted system. It uses shred command to overwrite files and to increase data damage. This obfuscated malicious script can also disable and corrupts apache, HTTP and SSH services, deactivate swap files, clear bash history and finally reboot the system.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}, {"mitre_attack_id": "T1200", "mitre_attack_technique": "Hardware Additions", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["DarkVishnya"]}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1053.006", "mitre_attack_technique": "Systemd Timers", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}], "mitre_attack_tactics": ["Initial Access", "Persistence", "Privilege Escalation", "Impact", "Execution", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Linux Data Destruction Command - Rule", "ESCU - Linux Deleting Critical Directory Using RM Command - Rule", "ESCU - Linux Deletion Of Services - Rule", "ESCU - Linux Disable Services - Rule", "ESCU - Linux Hardware Addition SwapOff - Rule", "ESCU - Linux Impair Defenses Process Kill - Rule", "ESCU - Linux Indicator Removal Clear Cache - Rule", "ESCU - Linux Indicator Removal Service File Deletion - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Shred Overwrite Command - Rule", "ESCU - Linux Stop Services - Rule", "ESCU - Linux System Reboot Via System Request Key - Rule", "ESCU - Linux Unix Shell Enable All SysRq Functions - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Linux Data Destruction Command", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Linux Deleting Critical Directory Using RM Command", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Linux Deletion Of Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Linux Disable Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Service Stop"}]}, {"name": "Linux Hardware Addition SwapOff", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Hardware Additions"}]}, {"name": "Linux Impair Defenses Process Kill", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Linux Indicator Removal Clear Cache", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Linux Indicator Removal Service File Deletion", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Linux Service Restarted", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Shred Overwrite Command", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Linux Stop Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Service Stop"}]}, {"name": "Linux System Reboot Via System Request Key", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Shutdown/Reboot"}]}, {"name": "Linux Unix Shell Enable All SysRq Functions", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Unix Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}]}, {"name": "AWS Cross Account Activity", "author": "David Dorsey, Splunk", "date": "2018-06-04", "version": 1, "id": "2f2f610a-d64d-48c2-b57c-967a2b49ab5a", "description": "Track when a user assumes an IAM role in another AWS account to obtain cross-account access to services and resources in that account. Accessing new roles could be an indication of malicious activity.", "references": ["https://aws.amazon.com/blogs/security/aws-cloudtrail-now-tracks-cross-account-activity-to-its-origin/"], "narrative": "Amazon Web Services (AWS) admins manage access to AWS resources and services across the enterprise using AWS's Identity and Access Management (IAM) functionality. IAM provides the ability to create and manage AWS users, groups, and roles-each with their own unique set of privileges and defined access to specific resources (such as EC2 instances, the AWS Management Console, API, or the command-line interface). Unlike conventional (human) users, IAM roles are assumable by anyone in the organization. They provide users with dynamically created temporary security credentials that expire within a set time period.\nHerein lies the rub. In between the time between when the temporary credentials are issued and when they expire is a period of opportunity, where a user could leverage the temporary credentials to wreak havoc-spin up or remove instances, create new users, elevate privileges, and other malicious activities-throughout the environment.\nThis Analytic Story includes searches that will help you monitor your AWS CloudTrail logs for evidence of suspicious cross-account activity. For example, while accessing multiple AWS accounts and roles may be perfectly valid behavior, it may be suspicious when an account requests privileges of an account it has not accessed in the past. After identifying suspicious activities, you can use the provided investigative searches to help you probe more deeply.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Privilege Escalation", "Persistence", "Defense Evasion", "Initial Access"], "datamodels": [], "kill_chain_phases": ["Delivery", "Installation", "Exploitation"]}, "detection_names": ["ESCU - aws detect attach to role policy - Rule", "ESCU - aws detect permanent key creation - Rule", "ESCU - aws detect role creation - Rule", "ESCU - aws detect sts assume role abuse - Rule", "ESCU - aws detect sts get session token abuse - Rule"], "investigation_names": ["AWS Investigate User Activities By AccessKeyId", "Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "aws detect attach to role policy", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "aws detect permanent key creation", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "aws detect role creation", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "aws detect sts assume role abuse", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "aws detect sts get session token abuse", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Use Alternate Authentication Material"}]}]}, {"name": "AWS Defense Evasion", "author": "Gowthamaraj Rajendran, Splunk", "date": "2022-07-15", "version": 1, "id": "4e00b690-293f-434d-a9d8-bcfb2ea5fff9", "description": "Identify activity and techniques associated with the Evasion of Defenses within AWS, such as Disabling CloudTrail, Deleting CloudTrail and many others.", "references": ["https://attack.mitre.org/tactics/TA0005/"], "narrative": "Adversaries employ a variety of techniques in order to avoid detection and operate without barriers. This often involves modifying the configuration of security monitoring tools to get around them or explicitly disabling them to prevent them from running. This Analytic Story includes analytics that identify activity consistent with adversaries attempting to disable various security mechanisms on AWS. Such activity may involve deleting the CloudTrail logs , as this is where all the AWS logs get stored or explicitly changing the retention policy of S3 buckets. Other times, adversaries attempt deletion of a specified AWS CloudWatch log group.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.008", "mitre_attack_technique": "Disable or Modify Cloud Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Web"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - ASL AWS Defense Evasion Delete Cloudtrail - Rule", "ESCU - ASL AWS Defense Evasion Delete CloudWatch Log Group - Rule", "ESCU - ASL AWS Defense Evasion Impair Security Services - Rule", "ESCU - ASL AWS Defense Evasion Stop Logging Cloudtrail - Rule", "ESCU - ASL AWS Defense Evasion Update Cloudtrail - Rule", "ESCU - AWS Defense Evasion Delete Cloudtrail - Rule", "ESCU - AWS Defense Evasion Delete CloudWatch Log Group - Rule", "ESCU - AWS Defense Evasion Impair Security Services - Rule", "ESCU - AWS Defense Evasion PutBucketLifecycle - Rule", "ESCU - AWS Defense Evasion Stop Logging Cloudtrail - Rule", "ESCU - AWS Defense Evasion Update Cloudtrail - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Gowthamaraj Rajendran", "detections": [{"name": "ASL AWS Defense Evasion Delete Cloudtrail", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Cloud Logs"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "ASL AWS Defense Evasion Delete CloudWatch Log Group", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Disable or Modify Cloud Logs"}]}, {"name": "ASL AWS Defense Evasion Impair Security Services", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Disable or Modify Cloud Logs"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "ASL AWS Defense Evasion Stop Logging Cloudtrail", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Cloud Logs"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "ASL AWS Defense Evasion Update Cloudtrail", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Disable or Modify Cloud Logs"}]}, {"name": "AWS Defense Evasion Delete Cloudtrail", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Cloud Logs"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "AWS Defense Evasion Delete CloudWatch Log Group", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Disable or Modify Cloud Logs"}]}, {"name": "AWS Defense Evasion Impair Security Services", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Disable or Modify Cloud Logs"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "AWS Defense Evasion PutBucketLifecycle", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Disable or Modify Cloud Logs"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "AWS Defense Evasion Stop Logging Cloudtrail", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Cloud Logs"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "AWS Defense Evasion Update Cloudtrail", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Disable or Modify Cloud Logs"}]}]}, {"name": "AWS IAM Privilege Escalation", "author": "Bhavin Patel, Splunk", "date": "2021-03-08", "version": 1, "id": "ced74200-8465-4bc3-bd2c-22782eec6750", "description": "This analytic story contains detections that query your AWS Cloudtrail for activities related to privilege escalation.", "references": ["https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/", "https://www.cyberark.com/resources/threat-research-blog/the-cloud-shadow-admin-threat-10-permissions-to-protect", "https://labs.bishopfox.com/tech-blog/privilege-escalation-in-aws"], "narrative": "Amazon Web Services provides a neat feature called Identity and Access Management (IAM) that enables organizations to manage various AWS services and resources in a secure way. All IAM users have roles, groups and policies associated with them which governs and sets permissions to allow a user to access specific restrictions.\nHowever, if these IAM policies are misconfigured and have specific combinations of weak permissions; it can allow attackers to escalate their privileges and further compromise the organization. Rhino Security Labs have published comprehensive blogs detailing various AWS Escalation methods. By using this as an inspiration, Splunks research team wants to highlight how these attack vectors look in AWS Cloudtrail logs and provide you with detection queries to uncover these potentially malicious events via this Analytic Story. ", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1069.003", "mitre_attack_technique": "Cloud Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider", "Scattered Spider"]}, {"mitre_attack_id": "T1580", "mitre_attack_technique": "Cloud Infrastructure Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Scattered Spider"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1201", "mitre_attack_technique": "Password Policy Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "OilRig", "Turla"]}], "mitre_attack_tactics": ["Credential Access", "Initial Access", "Persistence", "Privilege Escalation", "Discovery", "Defense Evasion"], "datamodels": [], "kill_chain_phases": ["Delivery", "Installation", "Exploitation"]}, "detection_names": ["ESCU - ASL AWS IAM Delete Policy - Rule", "ESCU - ASL AWS IAM Failure Group Deletion - Rule", "ESCU - ASL AWS IAM Successful Group Deletion - Rule", "ESCU - AWS Create Policy Version to allow all resources - Rule", "ESCU - AWS CreateAccessKey - Rule", "ESCU - AWS CreateLoginProfile - Rule", "ESCU - AWS IAM Assume Role Policy Brute Force - Rule", "ESCU - AWS IAM Delete Policy - Rule", "ESCU - AWS IAM Failure Group Deletion - Rule", "ESCU - AWS IAM Successful Group Deletion - Rule", "ESCU - AWS Password Policy Changes - Rule", "ESCU - AWS SetDefaultPolicyVersion - Rule", "ESCU - AWS UpdateLoginProfile - Rule", "ESCU - ASL AWS CreateAccessKey - Rule", "ESCU - ASL AWS Password Policy Changes - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "ASL AWS IAM Delete Policy", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Account Manipulation"}]}, {"name": "ASL AWS IAM Failure Group Deletion", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Account Manipulation"}]}, {"name": "ASL AWS IAM Successful Group Deletion", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cloud Groups"}, {"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}, {"name": "AWS Create Policy Version to allow all resources", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}, {"name": "AWS CreateAccessKey", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}, {"name": "AWS CreateLoginProfile", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}, {"name": "AWS IAM Assume Role Policy Brute Force", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Cloud Infrastructure Discovery"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "AWS IAM Delete Policy", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Account Manipulation"}]}, {"name": "AWS IAM Failure Group Deletion", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Account Manipulation"}]}, {"name": "AWS IAM Successful Group Deletion", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cloud Groups"}, {"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}, {"name": "AWS Password Policy Changes", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Password Policy Discovery"}]}, {"name": "AWS SetDefaultPolicyVersion", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}, {"name": "AWS UpdateLoginProfile", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}, {"name": "ASL AWS CreateAccessKey", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "ASL AWS Password Policy Changes", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "Password Policy Discovery"}]}]}, {"name": "AWS Identity and Access Management Account Takeover", "author": "Gowthamaraj Rajendran, Bhavin Patel, Splunk", "date": "2022-08-19", "version": 2, "id": "4210b690-293f-411d-a9d8-bcfb2ea5fff9", "description": "Identify activity and techniques associated with accessing credential files from AWS resources, monitor unusual authentication related activities to the AWS Console and other services such as RDS.", "references": ["https://attack.mitre.org/tactics/TA0006/"], "narrative": "Amazon Web Services provides a web service known as Identity and Access Management(IAM) for controlling and securly managing various AWS resources. This is basically the foundation of how users in AWS interact with various resources/services in cloud and vice versa. Account Takeover (ATO) is an attack whereby cybercriminals gain unauthorized access to online accounts by using different techniques like brute force, social engineering, phishing & spear phishing, credential stuffing, etc. Adversaries employ a variety of techniques to steal AWS Cloud credentials like account names, passwords and keys and takeover legitmate user accounts. Usage of legitimate keys will assist the attackers to gain access to other sensitive system and they can also mimic legitimate behaviour making them harder to be detected. Such activity may involve multiple failed login to the console, new console logins and password reset activities.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1185", "mitre_attack_technique": "Browser Session Hijacking", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1556.006", "mitre_attack_technique": "Multi-Factor Authentication", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["Scattered Spider"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.001", "mitre_attack_technique": "Password Guessing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29"]}, {"mitre_attack_id": "T1201", "mitre_attack_technique": "Password Policy Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Resource Development", "Credential Access", "Initial Access", "Collection", "Defense Evasion", "Persistence", "Discovery", "Privilege Escalation"], "datamodels": ["Authentication"], "kill_chain_phases": ["Delivery", "Weaponization", "Installation", "Exploitation"]}, "detection_names": ["ESCU - ASL AWS Concurrent Sessions From Different Ips - Rule", "ESCU - ASL AWS Multi-Factor Authentication Disabled - Rule", "ESCU - ASL AWS New MFA Method Registered For User - Rule", "ESCU - AWS Concurrent Sessions From Different Ips - Rule", "ESCU - AWS Console Login Failed During MFA Challenge - Rule", "ESCU - AWS Credential Access Failed Login - Rule", "ESCU - AWS Credential Access GetPasswordData - Rule", "ESCU - AWS Credential Access RDS Password reset - Rule", "ESCU - AWS High Number Of Failed Authentications For User - Rule", "ESCU - AWS High Number Of Failed Authentications From Ip - Rule", "ESCU - AWS Multi-Factor Authentication Disabled - Rule", "ESCU - AWS Multiple Failed MFA Requests For User - Rule", "ESCU - AWS Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - AWS New MFA Method Registered For User - Rule", "ESCU - AWS Successful Single-Factor Authentication - Rule", "ESCU - AWS Unusual Number of Failed Authentications From Ip - Rule", "ESCU - Detect AWS Console Login by New User - Rule", "ESCU - Detect AWS Console Login by User from New City - Rule", "ESCU - Detect AWS Console Login by User from New Country - Rule", "ESCU - Detect AWS Console Login by User from New Region - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Bhavin Patel, Splunk", "author_name": "Gowthamaraj Rajendran", "detections": [{"name": "ASL AWS Concurrent Sessions From Different Ips", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Browser Session Hijacking"}]}, {"name": "ASL AWS Multi-Factor Authentication Disabled", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}, {"mitre_attack_technique": "Modify Authentication Process"}, {"mitre_attack_technique": "Multi-Factor Authentication"}]}, {"name": "ASL AWS New MFA Method Registered For User", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Authentication Process"}, {"mitre_attack_technique": "Multi-Factor Authentication"}]}, {"name": "AWS Concurrent Sessions From Different Ips", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Browser Session Hijacking"}]}, {"name": "AWS Console Login Failed During MFA Challenge", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}, {"name": "AWS Credential Access Failed Login", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Guessing"}]}, {"name": "AWS Credential Access GetPasswordData", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Guessing"}]}, {"name": "AWS Credential Access RDS Password reset", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "AWS High Number Of Failed Authentications For User", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Policy Discovery"}]}, {"name": "AWS High Number Of Failed Authentications From Ip", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}, {"name": "AWS Multi-Factor Authentication Disabled", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}, {"mitre_attack_technique": "Modify Authentication Process"}, {"mitre_attack_technique": "Multi-Factor Authentication"}]}, {"name": "AWS Multiple Failed MFA Requests For User", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}, {"name": "AWS Multiple Users Failing To Authenticate From Ip", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}, {"name": "AWS New MFA Method Registered For User", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Authentication Process"}, {"mitre_attack_technique": "Multi-Factor Authentication"}]}, {"name": "AWS Successful Single-Factor Authentication", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}]}, {"name": "AWS Unusual Number of Failed Authentications From Ip", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}, {"name": "Detect AWS Console Login by New User", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unsecured Credentials"}]}, {"name": "Detect AWS Console Login by User from New City", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}, {"name": "Detect AWS Console Login by User from New Country", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}, {"name": "Detect AWS Console Login by User from New Region", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}]}, {"name": "AWS Network ACL Activity", "author": "Bhavin Patel, Splunk", "date": "2018-05-21", "version": 2, "id": "2e8948a5-5239-406b-b56b-6c50ff268af4", "description": "Monitor your AWS network infrastructure for bad configurations and malicious activity. Investigative searches help you probe deeper, when the facts warrant it.", "references": ["https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Appendix_NACLs.html", "https://aws.amazon.com/blogs/security/how-to-help-prepare-for-ddos-attacks-by-reducing-your-attack-surface/"], "narrative": "AWS CloudTrail is an AWS service that helps you enable governance, compliance, and operational/risk auditing of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. It is crucial for a company to monitor events and actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs to ensure that your servers are not vulnerable to attacks. This analytic story contains detection searches that leverage CloudTrail logs from AWS to check for bad configurations and malicious activity in your AWS network access controls.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.007", "mitre_attack_technique": "Disable or Modify Cloud Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": [], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - AWS Network Access Control List Created with All Open Ports - Rule", "ESCU - AWS Network Access Control List Deleted - Rule", "ESCU - Detect Spike in blocked Outbound Traffic from your AWS - Rule", "ESCU - Cloud Network Access Control List Deleted - Rule", "ESCU - Detect Spike in Network ACL Activity - Rule"], "investigation_names": ["AWS Investigate User Activities By ARN", "AWS Network ACL Details from ID", "AWS Network Interface details via resourceId", "Get All AWS Activity From IP Address", "Get DNS Server History for a host", "Get DNS traffic ratio", "Get Notable History", "Get Process Info", "Get Process Information For Port Activity", "Get Process Responsible For The DNS Traffic"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "AWS Network Access Control List Created with All Open Ports", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Cloud Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "AWS Network Access Control List Deleted", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify Cloud Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Detect Spike in blocked Outbound Traffic from your AWS", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Cloud Network Access Control List Deleted", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "Detect Spike in Network ACL Activity", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify Cloud Firewall"}]}]}, {"name": "AWS Security Hub Alerts", "author": "Bhavin Patel, Splunk", "date": "2020-08-04", "version": 1, "id": "2f2f610a-d64d-48c2-b57c-96722b49ab5a", "description": "This story is focused around detecting Security Hub alerts generated from AWS", "references": ["https://aws.amazon.com/security-hub/features/"], "narrative": "AWS Security Hub collects and consolidates findings from AWS security services enabled in your environment, such as intrusion detection findings from Amazon GuardDuty, vulnerability scans from Amazon Inspector, S3 bucket policy findings from Amazon Macie, publicly accessible and cross-account resources from IAM Access Analyzer, and resources lacking WAF coverage from AWS Firewall Manager.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Spike in AWS Security Hub Alerts for EC2 Instance - Rule", "ESCU - Detect Spike in AWS Security Hub Alerts for User - Rule"], "investigation_names": ["AWS Investigate User Activities By ARN", "Get EC2 Instance Details by instanceId", "Get EC2 Launch Details"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect Spike in AWS Security Hub Alerts for EC2 Instance", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Detect Spike in AWS Security Hub Alerts for User", "source": "cloud", "type": "Anomaly", "tags": []}]}, {"name": "AWS User Monitoring", "author": "Bhavin Patel, Splunk", "date": "2018-03-12", "version": 1, "id": "2e8948a5-5239-406b-b56b-6c50f1269af3", "description": "Detect and investigate dormant user accounts for your AWS environment that have become active again. Because inactive and ad-hoc accounts are common attack targets, it's critical to enable governance within your environment.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf", "https://redlock.io/blog/cryptojacking-tesla"], "narrative": "It seems obvious that it is critical to monitor and control the users who have access to your cloud infrastructure. Nevertheless, it's all too common for enterprises to lose track of ad-hoc accounts, leaving their servers vulnerable to attack. In fact, this was the very oversight that led to Tesla's cryptojacking attack in February, 2018.\nIn addition to compromising the security of your data, when bad actors leverage your compute resources, it can incur monumental costs, since you will be billed for any new EC2 instances and increased bandwidth usage.\nFortunately, you can leverage Amazon Web Services (AWS) CloudTrail--a tool that helps you enable governance, compliance, and risk auditing of your AWS account--to give you increased visibility into your user and resource activity by recording AWS Management Console actions and API calls. You can identify which users and accounts called AWS, the source IP address from which the calls were made, and when the calls occurred.\nThe detection searches in this Analytic Story are designed to help you uncover AWS API activities from users not listed in the identity table, as well as similar activities from disabled accounts.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1526", "mitre_attack_technique": "Cloud Service Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}], "mitre_attack_tactics": ["Initial Access", "Defense Evasion", "Persistence", "Discovery", "Privilege Escalation"], "datamodels": [], "kill_chain_phases": ["Delivery", "Installation", "Exploitation"]}, "detection_names": ["ESCU - AWS Excessive Security Scanning - Rule", "ESCU - ASL AWS Excessive Security Scanning - Rule", "ESCU - Detect API activity from users without MFA - Rule", "ESCU - Detect AWS API Activities From Unapproved Accounts - Rule", "ESCU - Detect new API calls from user roles - Rule", "ESCU - Detect Spike in AWS API Activity - Rule", "ESCU - Detect Spike in Security Group Activity - Rule"], "investigation_names": ["Get Notable History", "Investigate AWS User Activities by user field"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "AWS Excessive Security Scanning", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Cloud Service Discovery"}]}, {"name": "ASL AWS Excessive Security Scanning", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Service Discovery"}]}, {"name": "Detect API activity from users without MFA", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Detect AWS API Activities From Unapproved Accounts", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cloud Accounts"}]}, {"name": "Detect new API calls from user roles", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Accounts"}]}, {"name": "Detect Spike in AWS API Activity", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Accounts"}]}, {"name": "Detect Spike in Security Group Activity", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Accounts"}]}]}, {"name": "Azorult", "author": "Teoderick Contreras, Splunk", "date": "2022-06-09", "version": 1, "id": "efed5343-4ac2-42b1-a16d-da2428d0ce94", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Azorult malware including firewall modification, icacl execution, spawning more process, botnet c2 communication, defense evasion and etc. The AZORULT malware was first discovered in 2016 to be an information stealer that steals browsing history, cookies, ID/passwords, cryptocurrency information and more. It can also be a downloader of other malware. A variant of this malware was able to create a new, hidden administrator account on the machine to set a registry key to establish a Remote Desktop Protocol (RDP) connection. Exploit kits such as Fallout Exploit Kit (EK) and phishing mails with social engineering technique are one of the major infection vectors of the AZORult malware. The current malspam and phishing emails use fake product order requests, invoice documents and payment information requests. This Trojan-Spyware connects to Command And Control (C&C) servers of attacker to send and receive information.", "references": ["https://success.trendmicro.com/dcx/s/solution/000146108-azorult-malware-information?language=en_US&sfdcIFrameOrigin=null", "https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "narrative": "Adversaries may use this technique to maximize the impact on the target organization in operations where network wide availability interruption is the goal.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "APT5", "Dragonfly", "FIN13", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT", "Wizard Spider"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1590", "mitre_attack_technique": "Gather Victim Network Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["HAFNIUM"]}, {"mitre_attack_id": "T1219", "mitre_attack_technique": "Remote Access Software", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Akira", "Carbanak", "Cobalt Group", "DarkVishnya", "Evilnum", "FIN7", "GOLD SOUTHFIELD", "Kimsuky", "MuddyWater", "Mustang Panda", "RTM", "Sandworm Team", "Scattered Spider", "TeamTNT", "Thrip"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider", "Scattered Spider"]}, {"mitre_attack_id": "T1564.001", "mitre_attack_technique": "Hidden Files and Directories", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "FIN13", "HAFNIUM", "Lazarus Group", "LuminousMoth", "Mustang Panda", "Rocke", "Transparent Tribe", "Tropic Trooper"]}, {"mitre_attack_id": "T1564", "mitre_attack_technique": "Hide Artifacts", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1222.001", "mitre_attack_technique": "Windows File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "APT5", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "Malteiro", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1590.005", "mitre_attack_technique": "IP Addresses", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["Andariel", "HAFNIUM", "Magic Hound"]}, {"mitre_attack_id": "T1204.001", "mitre_attack_technique": "Malicious Link", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "APT5", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1531", "mitre_attack_technique": "Account Access Removal", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Akira", "LAPSUS$"]}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT", "ToddyCat"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "APT41", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Malteiro", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Magic Hound", "Rocke", "TeamTNT"]}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Reconnaissance", "Initial Access", "Lateral Movement", "Persistence", "Execution", "Privilege Escalation", "Impact", "Discovery", "Defense Evasion"], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": ["Command and Control", "Reconnaissance", "Delivery", "Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Allow Inbound Traffic By Firewall Rule Registry - Rule", "ESCU - Allow Operation with Consent Admin - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - CHCP Command Execution - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Create local admin accounts using net exe - Rule", "ESCU - Detect Use of cmd exe to Launch Script Interpreters - Rule", "ESCU - Disable Defender BlockAtFirstSeen Feature - Rule", "ESCU - Disable Defender Enhanced Notification - Rule", "ESCU - Disable Defender Spynet Reporting - Rule", "ESCU - Disable Defender Submit Samples Consent Feature - Rule", "ESCU - Disable Show Hidden Files - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Disabling Remote User Account Control - Rule", "ESCU - Excessive Attempt To Disable Services - Rule", "ESCU - Excessive Usage Of Cacls App - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Excessive Usage Of SC Service Utility - Rule", "ESCU - Excessive Usage Of Taskkill - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Firewall Allowed Program Enable - Rule", "ESCU - Hide User Account From Sign-In Screen - Rule", "ESCU - Hiding Files And Directories With Attrib exe - Rule", "ESCU - Icacls Deny Command - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Net - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Office Product Spawning MSHTA - Rule", "ESCU - Processes launching netsh - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Windows Application Layer Protocol RMS Radmin Tool Namedpipe - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows Defender Exclusion Registry Entry - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows Gather Victim Network Info Through Ip Check Web Services - Rule", "ESCU - Windows Impair Defense Add Xml Applocker Rules - Rule", "ESCU - Windows Impair Defense Deny Security Software With Applocker - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Modify Registry Disable Toast Notifications - Rule", "ESCU - Windows Modify Registry Disable Win Defender Raw Write Notif - Rule", "ESCU - Windows Modify Registry Disable Windows Security Center Notif - Rule", "ESCU - Windows Modify Registry Disabling WER Settings - Rule", "ESCU - Windows Modify Registry DisAllow Windows App - Rule", "ESCU - Windows Modify Registry Regedit Silent Reg Import - Rule", "ESCU - Windows Modify Registry Suppress Win Defender Notif - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule", "ESCU - Windows Powershell Import Applocker Policy - Rule", "ESCU - Windows Remote Access Software RMS Registry - Rule", "ESCU - Windows Remote Service Rdpwinst Tool Execution - Rule", "ESCU - Windows Remote Services Allow Rdp In Firewall - Rule", "ESCU - Windows Remote Services Allow Remote Assistance - Rule", "ESCU - Windows Remote Services Rdp Enable - Rule", "ESCU - Windows Service Stop By Deletion - Rule", "ESCU - Windows Valid Account With Never Expires Password - Rule", "ESCU - Wmic NonInteractive App Uninstallation - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Allow Inbound Traffic By Firewall Rule Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "Allow Operation with Consent Admin", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Attempt To Stop Security Service", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "CHCP Command Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Create local admin accounts using net exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}, {"name": "Detect Use of cmd exe to Launch Script Interpreters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}]}, {"name": "Disable Defender BlockAtFirstSeen Feature", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Defender Enhanced Notification", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Defender Spynet Reporting", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Defender Submit Samples Consent Feature", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Show Hidden Files", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Hidden Files and Directories"}, {"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Hide Artifacts"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disabling Remote User Account Control", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Excessive Attempt To Disable Services", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Service Stop"}]}, {"name": "Excessive Usage Of Cacls App", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Account Access Removal"}]}, {"name": "Excessive Usage Of SC Service Utility", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Excessive Usage Of Taskkill", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Firewall Allowed Program Enable", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Hide User Account From Sign-In Screen", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Hiding Files And Directories With Attrib exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "Windows File and Directory Permissions Modification"}]}, {"name": "Icacls Deny Command", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}, {"name": "Network Connection Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawning MSHTA", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Processes launching netsh", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Windows Application Layer Protocol RMS Radmin Tool Namedpipe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Application Layer Protocol"}]}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "System Network Connections Discovery"}, {"mitre_attack_technique": "System Owner/User Discovery"}, {"mitre_attack_technique": "System Shutdown/Reboot"}, {"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows Defender Exclusion Registry Entry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Gather Victim Network Info Through Ip Check Web Services", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "IP Addresses"}, {"mitre_attack_technique": "Gather Victim Network Information"}]}, {"name": "Windows Impair Defense Add Xml Applocker Rules", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Deny Security Software With Applocker", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Malicious Link"}, {"mitre_attack_technique": "User Execution"}]}, {"name": "Windows Modify Registry Disable Toast Notifications", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry Disable Win Defender Raw Write Notif", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry Disable Windows Security Center Notif", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry Disabling WER Settings", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry DisAllow Windows App", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry Regedit Silent Reg Import", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry Suppress Win Defender Notif", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}, {"name": "Windows Powershell Import Applocker Policy", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Remote Access Software RMS Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}, {"name": "Windows Remote Service Rdpwinst Tool Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "Windows Remote Services Allow Rdp In Firewall", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "Windows Remote Services Allow Remote Assistance", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "Windows Remote Services Rdp Enable", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "Windows Service Stop By Deletion", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Service Stop"}]}, {"name": "Windows Valid Account With Never Expires Password", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Service Stop"}]}, {"name": "Wmic NonInteractive App Uninstallation", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}]}, {"name": "Azure Active Directory Account Takeover", "author": "Mauricio Velazco, Splunk", "date": "2022-07-14", "version": 2, "id": "41514c46-7118-4eab-a9bb-f3bfa4e3bea9", "description": "Monitor for activities and techniques associated with Account Takeover attacks against Azure Active Directory tenants.", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis", "https://azure.microsoft.com/en-us/services/active-directory/#overview", "https://attack.mitre.org/techniques/T1586/", "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-compare-azure-ad-to-ad", "https://www.imperva.com/learn/application-security/account-takeover-ato/", "https://www.varonis.com/blog/azure-active-directory", "https://www.barracuda.com/glossary/account-takeover"], "narrative": "Azure Active Directory (Azure AD) is Microsofts enterprise cloud-based identity and access management (IAM) service. Azure AD is the backbone of most of Azure services like Office 365. It can sync with on-premise Active Directory environments and provide authentication to other cloud-based systems via the OAuth protocol. According to Microsoft, Azure AD manages more than 1.2 billion identities and processes over 8 billion authentications per day. Account Takeover (ATO) is an attack whereby cybercriminals gain unauthorized access to online accounts by using different techniques like brute force, social engineering, phishing & spear phishing, credential stuffing, etc. By posing as the real user, cyber-criminals can change account details, send out phishing emails, steal financial information or sensitive data, or use any stolen information to access further accounts within the organization. This analytic storic groups detections that can help security operations teams identify the potential compromise of Azure Active Directory accounts.", "tags": {"category": ["Adversary Tactics", "Account Compromise", "Cloud Security", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1528", "mitre_attack_technique": "Steal Application Access Token", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1185", "mitre_attack_technique": "Browser Session Hijacking", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.002", "mitre_attack_technique": "Spearphishing Link", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1110.001", "mitre_attack_technique": "Password Guessing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29"]}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1556.006", "mitre_attack_technique": "Multi-Factor Authentication", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["Scattered Spider"]}], "mitre_attack_tactics": ["Resource Development", "Credential Access", "Initial Access", "Collection", "Defense Evasion", "Persistence", "Privilege Escalation"], "datamodels": ["Authentication", "Risk"], "kill_chain_phases": ["Delivery", "Weaponization", "Installation", "Exploitation"]}, "detection_names": ["ESCU - Azure Active Directory High Risk Sign-in - Rule", "ESCU - Azure AD Authentication Failed During MFA Challenge - Rule", "ESCU - Azure AD Block User Consent For Risky Apps Disabled - Rule", "ESCU - Azure AD Concurrent Sessions From Different Ips - Rule", "ESCU - Azure AD Device Code Authentication - Rule", "ESCU - Azure AD High Number Of Failed Authentications For User - Rule", "ESCU - Azure AD High Number Of Failed Authentications From Ip - Rule", "ESCU - Azure AD Multi-Factor Authentication Disabled - Rule", "ESCU - Azure AD Multi-Source Failed Authentications Spike - Rule", "ESCU - Azure AD Multiple AppIDs and UserAgents Authentication Spike - Rule", "ESCU - Azure AD Multiple Denied MFA Requests For User - Rule", "ESCU - Azure AD Multiple Failed MFA Requests For User - Rule", "ESCU - Azure AD Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - Azure AD New MFA Method Registered For User - Rule", "ESCU - Azure AD OAuth Application Consent Granted By User - Rule", "ESCU - Azure AD Service Principal Authentication - Rule", "ESCU - Azure AD Successful Authentication From Different Ips - Rule", "ESCU - Azure AD Successful PowerShell Authentication - Rule", "ESCU - Azure AD Successful Single-Factor Authentication - Rule", "ESCU - Azure AD Unusual Number of Failed Authentications From Ip - Rule", "ESCU - Azure AD User Consent Blocked for Risky Application - Rule", "ESCU - Azure AD User Consent Denied for OAuth Application - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Azure Active Directory High Risk Sign-in", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}]}, {"name": "Azure AD Authentication Failed During MFA Challenge", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}, {"name": "Azure AD Block User Consent For Risky Apps Disabled", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Azure AD Concurrent Sessions From Different Ips", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Browser Session Hijacking"}]}, {"name": "Azure AD Device Code Authentication", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal Application Access Token"}, {"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Link"}]}, {"name": "Azure AD High Number Of Failed Authentications For User", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Guessing"}]}, {"name": "Azure AD High Number Of Failed Authentications From Ip", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Guessing"}, {"mitre_attack_technique": "Password Spraying"}]}, {"name": "Azure AD Multi-Factor Authentication Disabled", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Modify Authentication Process"}, {"mitre_attack_technique": "Multi-Factor Authentication"}]}, {"name": "Azure AD Multi-Source Failed Authentications Spike", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}, {"name": "Azure AD Multiple AppIDs and UserAgents Authentication Spike", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "Azure AD Multiple Denied MFA Requests For User", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}, {"name": "Azure AD Multiple Failed MFA Requests For User", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}]}, {"name": "Azure AD Multiple Users Failing To Authenticate From Ip", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}, {"name": "Azure AD New MFA Method Registered For User", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Authentication Process"}, {"mitre_attack_technique": "Multi-Factor Authentication"}]}, {"name": "Azure AD OAuth Application Consent Granted By User", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal Application Access Token"}]}, {"name": "Azure AD Service Principal Authentication", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Cloud Accounts"}]}, {"name": "Azure AD Successful Authentication From Different Ips", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Guessing"}, {"mitre_attack_technique": "Password Spraying"}]}, {"name": "Azure AD Successful PowerShell Authentication", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}]}, {"name": "Azure AD Successful Single-Factor Authentication", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}]}, {"name": "Azure AD Unusual Number of Failed Authentications From Ip", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}, {"name": "Azure AD User Consent Blocked for Risky Application", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal Application Access Token"}]}, {"name": "Azure AD User Consent Denied for OAuth Application", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal Application Access Token"}]}]}, {"name": "Azure Active Directory Persistence", "author": "Mauricio Velazco, Splunk", "date": "2022-08-17", "version": 1, "id": "dca983db-6334-4a0d-be32-80611ca1396c", "description": "Monitor for activities and techniques associated with the execution of Persistence techniques against Azure Active Directory tenants.", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis", "https://azure.microsoft.com/en-us/services/active-directory/#overview", "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-compare-azure-ad-to-ad", "https://attack.mitre.org/tactics/TA0003/", "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/Persistence/"], "narrative": "Azure Active Directory (Azure AD) is Microsofts enterprise cloud-based identity and access management (IAM) service. Azure AD is the backbone of most of Azure services like Office 365. It can sync with on-premise Active Directory environments and provide authentication to other cloud-based systems via the OAuth protocol. According to Microsoft, Azure AD manages more than 1.2 billion identities and processes over 8 billion authentications per day. Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. This analytic storic groups detections that can help security operations teams identify the potential execution of Persistence techniques targeting Azure Active Directory tenants. ", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1484.002", "mitre_attack_technique": "Trust Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Scattered Spider"]}, {"mitre_attack_id": "T1098.002", "mitre_attack_technique": "Additional Email Delegate Permissions", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "Magic Hound"]}, {"mitre_attack_id": "T1098.003", "mitre_attack_technique": "Additional Cloud Roles", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1484", "mitre_attack_technique": "Domain or Tenant Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1098.005", "mitre_attack_technique": "Device Registration", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1098.001", "mitre_attack_technique": "Additional Cloud Credentials", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider", "Scattered Spider"]}], "mitre_attack_tactics": ["Credential Access", "Initial Access", "Defense Evasion", "Persistence", "Privilege Escalation"], "datamodels": ["Authentication"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation"]}, "detection_names": ["ESCU - Azure AD External Guest User Invited - Rule", "ESCU - Azure AD FullAccessAsApp Permission Assigned - Rule", "ESCU - Azure AD Global Administrator Role Assigned - Rule", "ESCU - Azure AD Multiple Service Principals Created by SP - Rule", "ESCU - Azure AD Multiple Service Principals Created by User - Rule", "ESCU - Azure AD New Custom Domain Added - Rule", "ESCU - Azure AD New Federated Domain Added - Rule", "ESCU - Azure AD New MFA Method Registered - Rule", "ESCU - Azure AD PIM Role Assigned - Rule", "ESCU - Azure AD PIM Role Assignment Activated - Rule", "ESCU - Azure AD Privileged Graph API Permission Assigned - Rule", "ESCU - Azure AD Privileged Role Assigned - Rule", "ESCU - Azure AD Service Principal Created - Rule", "ESCU - Azure AD Service Principal New Client Credentials - Rule", "ESCU - Azure AD Service Principal Owner Added - Rule", "ESCU - Azure AD Tenant Wide Admin Consent Granted - Rule", "ESCU - Azure AD User Enabled And Password Reset - Rule", "ESCU - Azure AD User ImmutableId Attribute Updated - Rule", "ESCU - Azure Automation Account Created - Rule", "ESCU - Azure Automation Runbook Created - Rule", "ESCU - Azure Runbook Webhook Created - Rule", "ESCU - Windows Multiple Account Passwords Changed - Rule", "ESCU - Windows Multiple Accounts Deleted - Rule", "ESCU - Windows Multiple Accounts Disabled - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Azure AD External Guest User Invited", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Cloud Account"}]}, {"name": "Azure AD FullAccessAsApp Permission Assigned", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Additional Email Delegate Permissions"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "Azure AD Global Administrator Role Assigned", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "Azure AD Multiple Service Principals Created by SP", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Account"}]}, {"name": "Azure AD Multiple Service Principals Created by User", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Account"}]}, {"name": "Azure AD New Custom Domain Added", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain or Tenant Policy Modification"}, {"mitre_attack_technique": "Trust Modification"}]}, {"name": "Azure AD New Federated Domain Added", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain or Tenant Policy Modification"}, {"mitre_attack_technique": "Trust Modification"}]}, {"name": "Azure AD New MFA Method Registered", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Device Registration"}]}, {"name": "Azure AD PIM Role Assigned", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "Azure AD PIM Role Assignment Activated", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "Azure AD Privileged Graph API Permission Assigned", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Security Account Manager"}]}, {"name": "Azure AD Privileged Role Assigned", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "Azure AD Service Principal Created", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Cloud Account"}]}, {"name": "Azure AD Service Principal New Client Credentials", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Credentials"}]}, {"name": "Azure AD Service Principal Owner Added", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}]}, {"name": "Azure AD Tenant Wide Admin Consent Granted", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "Azure AD User Enabled And Password Reset", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}]}, {"name": "Azure AD User ImmutableId Attribute Updated", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}]}, {"name": "Azure Automation Account Created", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Create Account"}, {"mitre_attack_technique": "Cloud Account"}]}, {"name": "Azure Automation Runbook Created", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Create Account"}, {"mitre_attack_technique": "Cloud Account"}]}, {"name": "Azure Runbook Webhook Created", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}]}, {"name": "Windows Multiple Account Passwords Changed", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Valid Accounts"}]}, {"name": "Windows Multiple Accounts Deleted", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Valid Accounts"}]}, {"name": "Windows Multiple Accounts Disabled", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Valid Accounts"}]}]}, {"name": "Azure Active Directory Privilege Escalation", "author": "Mauricio Velazco, Splunk", "date": "2023-04-24", "version": 1, "id": "ec78e872-b79c-417d-b256-8fde902522fb", "description": "Monitor for activities and techniques associated with Privilege Escalation attacks within Azure Active Directory tenants.", "references": ["https://attack.mitre.org/tactics/TA0003/", "https://cloudbrothers.info/en/azure-attack-paths/", "https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/PrivEsc/", "https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5"], "narrative": "Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations or vulnerabilities.\nAzure Active Directory (Azure AD) is Microsofts enterprise cloud-based identity and access management (IAM) service. Azure AD is the backbone of most of Azure services like Office 365 and Microsoft Teams. It can sync with on-premise Active Directory environments and provide authentication to other cloud-based systems via the OAuth protocol. According to Microsoft, Azure AD manages more than 1.2 billion identities and processes over 8 billion authentications per day.\nPrivilege escalation attacks in Azure AD typically involve abusing misconfigurations to gain elevated privileges, such as Global Administrator access. Once an attacker has escalated their privileges and taken full control of a tenant, they may abuse every service that leverages Azure AD including moving laterally to Azure virtual machines to access sensitive data and carry out further attacks. Security teams should monitor for privilege escalation attacks in Azure Active Directory to identify breaches before attackers achieve operational success.\nThe following analytic story groups detection opportunities that seek to identify an adversary attempting to escalate privileges in Azure AD tenants.", "tags": {"category": ["Adversary Tactics", "Account Compromise", "Cloud Security", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098.003", "mitre_attack_technique": "Additional Cloud Roles", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1098.001", "mitre_attack_technique": "Additional Cloud Credentials", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}], "mitre_attack_tactics": ["Persistence", "Credential Access", "Privilege Escalation"], "datamodels": ["Authentication"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - Azure AD Admin Consent Bypassed by Service Principal - Rule", "ESCU - Azure AD Application Administrator Role Assigned - Rule", "ESCU - Azure AD Global Administrator Role Assigned - Rule", "ESCU - Azure AD PIM Role Assigned - Rule", "ESCU - Azure AD PIM Role Assignment Activated - Rule", "ESCU - Azure AD Privileged Authentication Administrator Role Assigned - Rule", "ESCU - Azure AD Privileged Role Assigned to Service Principal - Rule", "ESCU - Azure AD Service Principal New Client Credentials - Rule", "ESCU - Azure AD Service Principal Owner Added - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Azure AD Admin Consent Bypassed by Service Principal", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "Azure AD Application Administrator Role Assigned", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "Azure AD Global Administrator Role Assigned", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "Azure AD PIM Role Assigned", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "Azure AD PIM Role Assignment Activated", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "Azure AD Privileged Authentication Administrator Role Assigned", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Security Account Manager"}]}, {"name": "Azure AD Privileged Role Assigned to Service Principal", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "Azure AD Service Principal New Client Credentials", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Credentials"}]}, {"name": "Azure AD Service Principal Owner Added", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}]}]}, {"name": "Baron Samedit CVE-2021-3156", "author": "Shannon Davis, Splunk", "date": "2021-01-27", "version": 1, "id": "817b0dfc-23ba-4bcc-96cc-2cb77e428fbe", "description": "Uncover activity consistent with CVE-2021-3156. Discovered by the Qualys Research Team, this vulnerability has been found to affect sudo across multiple Linux distributions (Ubuntu 20.04 and prior, Debian 10 and prior, Fedora 33 and prior). As this vulnerability was committed to code in July 2011, there will be many distributions affected. Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host.", "references": ["https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit"], "narrative": "A non-privledged user is able to execute the sudoedit command to trigger a buffer overflow. After the successful buffer overflow, they are then able to gain root privileges on the affected host. The conditions needed to be run are a trailing \"\\\" along with shell and edit flags. Monitoring the /var/log directory on Linux hosts using the Splunk Universal Forwarder will allow you to pick up this behavior when using the provided detection.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Privilege Escalation"], "datamodels": [], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Detect Baron Samedit CVE-2021-3156 - Rule", "ESCU - Detect Baron Samedit CVE-2021-3156 Segfault - Rule", "ESCU - Detect Baron Samedit CVE-2021-3156 via OSQuery - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Shannon Davis", "detections": [{"name": "Detect Baron Samedit CVE-2021-3156", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}, {"name": "Detect Baron Samedit CVE-2021-3156 Segfault", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}, {"name": "Detect Baron Samedit CVE-2021-3156 via OSQuery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}]}, {"name": "BishopFox Sliver Adversary Emulation Framework", "author": "Michael Haag, Splunk", "date": "2023-01-24", "version": 1, "id": "8c2e2cba-3fd8-424f-a890-5080bdaf3f31", "description": "The following analytic story providers visibility into the latest adversary TTPs in regard to the use of Sliver. Sliver has gained more traction with adversaries as it is often seen as an alternative to Cobalt Strike. It is designed to be scalable and can be used by organizations of all sizes to perform security testing. Sliver is highly modular and contains an Extension package manager (armory) allowing easy install (automatic compilation) of various 3rd party tools such as BOFs and .NET tooling like Ghostpack (Rubeus, Seatbelt, SharpUp, Certify, and so forth) (CyberReason,2023).", "references": ["https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors", "https://www.ncsc.gov.uk/files/Advisory%20Further%20TTPs%20associated%20with%20SVR%20cyber%20actors.pdf", "https://www.proofpoint.com/uk/blog/security-briefs/ta551-uses-sliver-red-team-tool-new-activity", "https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control", "https://github.com/sliverarmory/armory", "https://github.com/BishopFox/sliver"], "narrative": "Sliver is an open source cross-platform adversary emulation/red team framework produced by BishopFox.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1055.002", "mitre_attack_technique": "Portable Executable Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Gorgon Group", "Rocke"]}], "mitre_attack_tactics": ["Privilege Escalation", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Notepad with no Command Line Arguments - Rule", "ESCU - Windows Process Injection into Notepad - Rule", "ESCU - Windows Service Create SliverC2 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Notepad with no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Windows Process Injection into Notepad", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Portable Executable Injection"}]}, {"name": "Windows Service Create SliverC2", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}]}, {"name": "BITS Jobs", "author": "Michael Haag, Splunk", "date": "2021-03-26", "version": 1, "id": "dbc7edce-8e4c-11eb-9f31-acde48001122", "description": "Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.", "references": ["https://attack.mitre.org/techniques/T1197/", "https://docs.microsoft.com/en-us/windows/win32/bits/bitsadmin-tool"], "narrative": "Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM). BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations. The interface to create and manage BITS jobs is accessible through PowerShell and the BITSAdmin tool. Adversaries may abuse BITS to download, execute, and even clean up after running malicious code. BITS tasks are self-contained in the BITS job database, without new files or registry modifications, and often permitted by host firewalls. BITS enabled execution may also enable persistence by creating long-standing jobs (the default maximum lifetime is 90 days and extendable) or invoking an arbitrary program when a job completes or errors (including after system reboots).", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1197", "mitre_attack_technique": "BITS Jobs", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": ["APT39", "APT41", "Leviathan", "Patchwork", "Wizard Spider"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}], "mitre_attack_tactics": ["Command And Control", "Persistence", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Command and Control", "Installation", "Exploitation"]}, "detection_names": ["ESCU - BITS Job Persistence - Rule", "ESCU - BITSAdmin Download File - Rule", "ESCU - PowerShell Start-BitsTransfer - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "BITS Job Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "BITS Jobs"}]}, {"name": "BITSAdmin Download File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "BITS Jobs"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "PowerShell Start-BitsTransfer", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "BITS Jobs"}]}]}, {"name": "BlackByte Ransomware", "author": "Teoderick Contreras, Splunk", "date": "2023-07-10", "version": 1, "id": "b18259ac-0746-45d7-bd1f-81d65274a80b", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the BlackByte ransomware, including looking for file writes associated with BlackByte, persistence, initial access, account registry modification and more.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/"], "narrative": "BlackByte ransomware campaigns targeting business operations, involve the use of ransomware payloads, infection chain to collect and exfiltrate data and drop payload on the targeted system. BlackByte Ransomware operates by infiltrating a system through various methods, such as malicious email attachments, exploit kits, or compromised websites. Once inside a system, it begins encrypting files using strong encryption algorithms, rendering them unusable. After completing the encryption process, BlackByte Ransomware typically leaves a ransom note that explains the situation to the victim and provides instructions on how to pay the ransom to obtain the decryption key.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1561.002", "mitre_attack_technique": "Disk Structure Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1497", "mitre_attack_technique": "Virtualization/Sandbox Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": ["Darkhotel"]}, {"mitre_attack_id": "T1497.003", "mitre_attack_technique": "Time Based Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562.007", "mitre_attack_technique": "Disable or Modify Cloud Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "APT5", "Akira", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN13", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1563.002", "mitre_attack_technique": "RDP Hijacking", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Axiom"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1561", "mitre_attack_technique": "Disk Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "APT5", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "Akira", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "Scattered Spider", "TA505"]}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1127.001", "mitre_attack_technique": "MSBuild", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT", "ToddyCat"]}, {"mitre_attack_id": "T1014", "mitre_attack_technique": "Rootkit", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT41", "Rocke", "TeamTNT", "Winnti Group"]}], "mitre_attack_tactics": ["Discovery", "Initial Access", "Lateral Movement", "Collection", "Defense Evasion", "Persistence", "Impact", "Execution", "Privilege Escalation"], "datamodels": ["Endpoint", "Network_Traffic", "Risk"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Allow File And Printing Sharing In Firewall - Rule", "ESCU - Allow Network Discovery In Firewall - Rule", "ESCU - Anomalous usage of 7zip - Rule", "ESCU - CMD Echo Pipe - Escalation - Rule", "ESCU - Cobalt Strike Named Pipes - Rule", "ESCU - Detect Exchange Web Shell - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Regsvr32 Application Control Bypass - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Disabling Firewall with Netsh - Rule", "ESCU - DLLHost with no Command Line Arguments with Network - Rule", "ESCU - Excessive File Deletion In WinDefender Folder - Rule", "ESCU - Excessive Service Stop Attempt - Rule", "ESCU - Exchange PowerShell Abuse via SSRF - Rule", "ESCU - Exchange PowerShell Module Usage - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Firewall Allowed Program Enable - Rule", "ESCU - GPUpdate with no Command Line Arguments with Network - Rule", "ESCU - High Process Termination Frequency - Rule", "ESCU - MS Exchange Mailbox Replication service writing Active Server Pages - Rule", "ESCU - Ping Sleep Batch Command - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Resize ShadowStorage volume - Rule", "ESCU - Rundll32 with no Command Line Arguments with Network - Rule", "ESCU - SearchProtocolHost with no Command Line with Network - Rule", "ESCU - Services Escalate Exe - Rule", "ESCU - Suspicious DLLHost no Command Line Arguments - Rule", "ESCU - Suspicious Driver Loaded Path - Rule", "ESCU - Suspicious GPUpdate no Command Line Arguments - Rule", "ESCU - Suspicious microsoft workflow compiler rename - Rule", "ESCU - Suspicious msbuild path - Rule", "ESCU - Suspicious MSBuild Rename - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", "ESCU - Suspicious Rundll32 StartW - Rule", "ESCU - Suspicious SearchProtocolHost no Command Line Arguments - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows Driver Load Non-Standard Path - Rule", "ESCU - Windows Drivers Loaded by Signature - Rule", "ESCU - Windows Modify Registry EnableLinkedConnections - Rule", "ESCU - Windows Modify Registry LongPathsEnabled - Rule", "ESCU - Windows MSExchange Management Mailbox Cmdlet Usage - Rule", "ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - Windows RDP Connection Successful - Rule", "ESCU - Windows Vulnerable Driver Loaded - Rule", "ESCU - ProxyShell ProxyNotShell Behavior Detected - Rule", "ESCU - Windows Exchange Autodiscover SSRF Abuse - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Allow File And Printing Sharing In Firewall", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Cloud Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Allow Network Discovery In Firewall", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Cloud Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Anomalous usage of 7zip", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}, {"name": "CMD Echo Pipe - Escalation", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Cobalt Strike Named Pipes", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Detect Exchange Web Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}, {"name": "Detect Regsvr32 Application Control Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}, {"name": "Disabling Firewall with Netsh", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "DLLHost with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Excessive File Deletion In WinDefender Folder", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Excessive Service Stop Attempt", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Service Stop"}]}, {"name": "Exchange PowerShell Abuse via SSRF", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Exchange PowerShell Module Usage", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Firewall Allowed Program Enable", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "GPUpdate with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "High Process Termination Frequency", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}, {"name": "MS Exchange Mailbox Replication service writing Active Server Pages", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Ping Sleep Batch Command", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Virtualization/Sandbox Evasion"}, {"mitre_attack_technique": "Time Based Evasion"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Resize ShadowStorage volume", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Rundll32 with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "SearchProtocolHost with no Command Line with Network", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Services Escalate Exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Suspicious DLLHost no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Suspicious Driver Loaded Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Suspicious GPUpdate no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Suspicious microsoft workflow compiler rename", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}]}, {"name": "Suspicious msbuild path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}, {"name": "Suspicious MSBuild Rename", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Suspicious Rundll32 no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Suspicious Rundll32 StartW", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Suspicious SearchProtocolHost no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}, {"name": "Windows Driver Load Non-Standard Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Rootkit"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}, {"name": "Windows Drivers Loaded by Signature", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Rootkit"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}, {"name": "Windows Modify Registry EnableLinkedConnections", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry LongPathsEnabled", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows MSExchange Management Mailbox Cmdlet Usage", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}, {"name": "Windows RDP Connection Successful", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "RDP Hijacking"}]}, {"name": "Windows Vulnerable Driver Loaded", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Service"}]}, {"name": "ProxyShell ProxyNotShell Behavior Detected", "source": "web", "type": "Correlation", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Windows Exchange Autodiscover SSRF Abuse", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}]}, {"name": "BlackLotus Campaign", "author": "Michael Haag, Splunk", "date": "2023-04-14", "version": 1, "id": "8eb0e418-a2b6-4327-a387-85c976662c8f", "description": "The first in-the-wild UEFI bootkit bypassing UEFI Secure Boot on fully updated UEFI systems is now a reality", "references": ["https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/", "https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/"], "narrative": "The number of UEFI vulnerabilities discovered in recent years and the failures in patching them or revoking vulnerable binaries within a reasonable time window hasn't gone unnoticed by threat actors. As a result, the first publicly known UEFI bootkit bypassing the essential platform security feature UEFI Secure Boot is now a reality. present the first public analysis of this UEFI bootkit, which is capable of running on even fully-up-to-date Windows 11 systems with UEFI Secure Boot enabled. Functionality of the bootkit and its individual features leads us to believe that we are dealing with a bootkit known as BlackLotus, the UEFI bootkit being sold on hacking forums for $5,000 since at least October 2022. (ESET, 2023) The following content aims to aid defenders in detecting suspicious bootloaders and understanding the diverse techniques employed in this campaign.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1542.001", "mitre_attack_technique": "System Firmware", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1542", "mitre_attack_technique": "Pre-OS Boot", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}], "mitre_attack_tactics": ["Persistence", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - Windows BootLoader Inventory - Rule", "ESCU - Windows Impair Defenses Disable HVCI - Rule", "ESCU - Windows WinLogon with Public Network Connection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows BootLoader Inventory", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Firmware"}, {"mitre_attack_technique": "Pre-OS Boot"}]}, {"name": "Windows Impair Defenses Disable HVCI", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows WinLogon with Public Network Connection", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Bootkit"}]}]}, {"name": "BlackMatter Ransomware", "author": "Teoderick Contreras, Splunk", "date": "2021-09-06", "version": 1, "id": "0da348a3-78a0-412e-ab27-2de9dd7f9fee", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the BlackMatter ransomware, including looking for file writes associated with BlackMatter, force safe mode boot, autadminlogon account registry modification and more.", "references": ["https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/", "https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-gang-rises-from-the-ashes-of-darkside-revil/", "https://blog.malwarebytes.com/ransomware/2021/07/blackmatter-a-new-ransomware-group-claims-link-to-darkside-revil/"], "narrative": "BlackMatter ransomware campaigns targeting healthcare and other vertical sectors, involve the use of ransomware payloads along with exfiltration of data per HHS bulletin. Malicious actors demand payment for ransome of data and threaten deletion and exposure of exfiltrated data.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1552.002", "mitre_attack_technique": "Credentials in Registry", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT32"]}, {"mitre_attack_id": "T1491", "mitre_attack_technique": "Defacement", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "Akira", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "Scattered Spider", "TA505"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}], "mitre_attack_tactics": ["Impact", "Credential Access"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Add DefaultUser And Password In Registry - Rule", "ESCU - Auto Admin Logon Registry Entry - Rule", "ESCU - Bcdedit Command Back To Normal Mode Boot - Rule", "ESCU - Change To Safe Mode With Network Config - Rule", "ESCU - Known Services Killed by Ransomware - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - Ransomware Notes bulk creation - Rule", "ESCU - SchCache Change By App Connect And Create ADSI Object - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Add DefaultUser And Password In Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials in Registry"}, {"mitre_attack_technique": "Unsecured Credentials"}]}, {"name": "Auto Admin Logon Registry Entry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Credentials in Registry"}, {"mitre_attack_technique": "Unsecured Credentials"}]}, {"name": "Bcdedit Command Back To Normal Mode Boot", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Change To Safe Mode With Network Config", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Known Services Killed by Ransomware", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Defacement"}]}, {"name": "Ransomware Notes bulk creation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}, {"name": "SchCache Change By App Connect And Create ADSI Object", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}]}, {"name": "Brand Monitoring", "author": "David Dorsey, Splunk", "date": "2017-12-19", "version": 1, "id": "91c676cf-0b23-438d-abee-f6335e1fce78", "description": "Detect and investigate activity that may indicate that an adversary is using faux domains to mislead users into interacting with malicious infrastructure. Monitor DNS, email, and web traffic for permutations of your brand name.", "references": ["https://www.zerofox.com/blog/what-is-digital-risk-monitoring/", "https://securingtomorrow.mcafee.com/consumer/family-safety/what-is-typosquatting/", "https://blog.malwarebytes.com/cybercrime/2016/06/explained-typosquatting/"], "narrative": "While you can educate your users and customers about the risks and threats posed by typosquatting, phishing, and corporate espionage, human error is a persistent fact of life. Of course, your adversaries are all too aware of this reality and will happily leverage it for nefarious purposes whenever possible3phishing with lookalike addresses, embedding faux command-and-control domains in malware, and hosting malicious content on domains that closely mimic your corporate servers. This is where brand monitoring comes in.\nYou can use our adaptation of `DNSTwist`, together with the support searches in this Analytic Story, to generate permutations of specified brands and external domains. Splunk can monitor email, DNS requests, and web traffic for these permutations and provide you with early warnings and situational awareness--powerful elements of an effective defense.\nNotable events will include IP addresses, URLs, and user data. Drilling down can provide you with even more actionable intelligence, including likely geographic information, contextual searches to help you scope the problem, and investigative searches.", "tags": {"category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Network_Resolution", "Email"], "kill_chain_phases": []}, "detection_names": ["ESCU - Monitor Email For Brand Abuse - Rule", "ESCU - Monitor DNS For Brand Abuse - Rule", "ESCU - Monitor Web Traffic For Brand Abuse - Rule"], "investigation_names": ["Get Email Info", "Get Emails From Specific Sender", "Get Notable History", "Get Process Responsible For The DNS Traffic"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Monitor Email For Brand Abuse", "source": "application", "type": "TTP", "tags": []}, {"name": "Monitor DNS For Brand Abuse", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Monitor Web Traffic For Brand Abuse", "source": "web", "type": "TTP", "tags": []}]}, {"name": "Brute Ratel C4", "author": "Teoderick Contreras, Splunk", "date": "2022-08-23", "version": 1, "id": "0ec9dbfe-f64e-46bb-8eb8-04e92326f513", "description": "Leverage searches that allow you to detect and investigate unusual activities that may be related to Brute Ratel Red Teaming tool. This includes creation, modification and deletion of services, collection or data, ping IP, DNS cache, process injection, debug privileges adjustment, winlogon process duplicate token, lock workstation, get clipboard or screenshot and much more.", "references": ["https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/", "https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/"], "narrative": "Brute RATEL BRC4 is the latest red-teaming tool that simulate several TTP's. It uses several techniques like syscall, patching ETW/AMSI and written in native C to minimize noise in process command-line. This tool was seen in the wild being abused by some ransomware (blackcat) and adversaries in their campaigns to install the BRC4 agent that can serve as remote admin tool to compromise the target host or network.", "tags": {"category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1491", "mitre_attack_technique": "Defacement", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1219", "mitre_attack_technique": "Remote Access Software", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Akira", "Carbanak", "Cobalt Group", "DarkVishnya", "Evilnum", "FIN7", "GOLD SOUTHFIELD", "Kimsuky", "MuddyWater", "Mustang Panda", "RTM", "Sandworm Team", "Scattered Spider", "TeamTNT", "Thrip"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1589.001", "mitre_attack_technique": "Credentials", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["APT28", "APT41", "Chimera", "LAPSUS$", "Leviathan", "Magic Hound"]}, {"mitre_attack_id": "T1574.001", "mitre_attack_technique": "DLL Search Order Hijacking", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT41", "Aquatic Panda", "BackdoorDiplomacy", "Cinnamon Tempest", "Evilnum", "RTM", "Threat Group-3390", "Tonto Team", "Whitefly", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1055.002", "mitre_attack_technique": "Portable Executable Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Gorgon Group", "Rocke"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1589", "mitre_attack_technique": "Gather Victim Identity Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["APT32", "FIN13", "HEXANE", "LAPSUS$", "Magic Hound"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1056.002", "mitre_attack_technique": "GUI Input Capture", "mitre_attack_tactics": ["Collection", "Credential Access"], "mitre_attack_groups": ["FIN4"]}, {"mitre_attack_id": "T1056", "mitre_attack_technique": "Input Capture", "mitre_attack_tactics": ["Collection", "Credential Access"], "mitre_attack_groups": ["APT39"]}, {"mitre_attack_id": "T1134.001", "mitre_attack_technique": "Token Impersonation/Theft", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "FIN8"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1204.001", "mitre_attack_technique": "Malicious Link", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1134.002", "mitre_attack_technique": "Create Process with Token", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Lazarus Group", "Turla"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1574.011", "mitre_attack_technique": "Services Registry Permissions Weakness", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Reconnaissance", "Initial Access", "Collection", "Persistence", "Privilege Escalation", "Impact", "Execution", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Command and Control", "Reconnaissance", "Delivery", "Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Access Token Manipulation SeDebugPrivilege - Rule", "ESCU - Windows Access Token Manipulation Winlogon Duplicate Token Handle - Rule", "ESCU - Windows Access Token Winlogon Duplicate Handle In Uncommon Path - Rule", "ESCU - Windows Defacement Modify Transcodedwallpaper File - Rule", "ESCU - Windows Gather Victim Identity SAM Info - Rule", "ESCU - Windows Hijack Execution Flow Version Dll Side Load - Rule", "ESCU - Windows Input Capture Using Credential UI Dll - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule", "ESCU - Windows Process Injection With Public Source Path - Rule", "ESCU - Windows Remote Access Software BRC4 Loaded Dll - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule", "ESCU - Windows Service Deletion In Registry - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Defacement"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Windows Access Token Manipulation SeDebugPrivilege", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Create Process with Token"}, {"mitre_attack_technique": "Access Token Manipulation"}]}, {"name": "Windows Access Token Manipulation Winlogon Duplicate Token Handle", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Token Impersonation/Theft"}, {"mitre_attack_technique": "Access Token Manipulation"}]}, {"name": "Windows Access Token Winlogon Duplicate Handle In Uncommon Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Token Impersonation/Theft"}, {"mitre_attack_technique": "Access Token Manipulation"}]}, {"name": "Windows Defacement Modify Transcodedwallpaper File", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Defacement"}]}, {"name": "Windows Gather Victim Identity SAM Info", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Credentials"}, {"mitre_attack_technique": "Gather Victim Identity Information"}]}, {"name": "Windows Hijack Execution Flow Version Dll Side Load", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "DLL Search Order Hijacking"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "Windows Input Capture Using Credential UI Dll", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "GUI Input Capture"}, {"mitre_attack_technique": "Input Capture"}]}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Malicious Link"}, {"mitre_attack_technique": "User Execution"}]}, {"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}, {"name": "Windows Process Injection With Public Source Path", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Portable Executable Injection"}]}, {"name": "Windows Remote Access Software BRC4 Loaded Dll", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Access Software"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Services Registry Permissions Weakness"}]}, {"name": "Windows Service Deletion In Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Service Stop"}]}]}, {"name": "Caddy Wiper", "author": "Teoderick Contreras, Rod Soto, Splunk", "date": "2022-03-25", "version": 1, "id": "435a156a-8ef1-4184-bd52-22328fb65d3a", "description": "Caddy Wiper is a destructive payload that detects if its running on a Domain Controller and executes killswitch if detected. If not in a DC it destroys Users and subsequent mapped drives. This wiper also destroys drive partitions inculding boot partitions.", "references": ["https://twitter.com/ESETresearch/status/1503436420886712321", "https://www.welivesecurity.com/2022/03/15/caddywiper-new-wiper-malware-discovered-ukraine/"], "narrative": "Caddy Wiper is destructive malware operation found by ESET multiple organizations in Ukraine. This malicious payload destroys user files, avoids executing on Dnomain Controllers and destroys boot and drive partitions.", "tags": {"category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1561.002", "mitre_attack_technique": "Disk Structure Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1561", "mitre_attack_technique": "Disk Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Impact"], "datamodels": [], "kill_chain_phases": ["Actions on Objectives"]}, "detection_names": ["ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Rod Soto, Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}]}, {"name": "Chaos Ransomware", "author": "Teoderick Contreras, Splunk", "date": "2023-01-11", "version": 1, "id": "153d7b8f-27f2-4e4d-bae8-dfafd93a22a8", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Chaos ransomware, including looking for file writes (file encryption and ransomware notes), deleting shadow volume storage, registry key modification, dropping of files in startup folder, and more.", "references": ["https://blog.qualys.com/vulnerabilities-threat-research/2022/01/17/the-chaos-ransomware-can-be-ravaging", "https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-in-fake-minecraft-alt-list-brings-destruction", "https://marcoramilli.com/2021/06/14/the-allegedly-ryuk-ransomware-builder-ryukjoke/", "https://www.trendmicro.com/en_us/research/21/h/chaos-ransomware-a-dangerous-proof-of-concept.html"], "narrative": "CHAOS ransomware has been seen and monitored since 2021. This ransomware is purportedly a .NET version of Ryuk ransomware but upon closer look to its code and behavior, this malware sample reveals that it doesn't share much relation to the notorious RYUK ransomware. This ransomware is one of the known ransomware that was used in the ongoing geo-political war. This ransomware is capable to check that only one copy of itself is running on the targeted host, delay of execution as part of its defense evasion technique, persistence through registry and startup folder, drop a copy of itself in each root drive of the targeted host and also in %appdata% folder and many more. As of writing this ransomware is still active and keeps on infecting Windows Operating machines and Windows networks.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "Akira", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "Scattered Spider", "TA505"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1091", "mitre_attack_technique": "Replication Through Removable Media", "mitre_attack_tactics": ["Initial Access", "Lateral Movement"], "mitre_attack_groups": ["APT28", "Aoqin Dragon", "Darkhotel", "FIN7", "LuminousMoth", "Mustang Panda", "Tropic Trooper"]}], "mitre_attack_tactics": ["Initial Access", "Lateral Movement", "Defense Evasion", "Persistence", "Impact", "Execution", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Prevent Automatic Repair Mode using Bcdedit - Rule", "ESCU - Ransomware Notes bulk creation - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - WBAdmin Delete System Backups - Rule", "ESCU - Windows Boot or Logon Autostart Execution In Startup Folder - Rule", "ESCU - Windows Replication Through Removable Media - Rule", "ESCU - Windows User Execution Malicious URL Shortcut File - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Prevent Automatic Repair Mode using Bcdedit", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Ransomware Notes bulk creation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "WBAdmin Delete System Backups", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Windows Boot or Logon Autostart Execution In Startup Folder", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Windows Replication Through Removable Media", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Replication Through Removable Media"}]}, {"name": "Windows User Execution Malicious URL Shortcut File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Malicious File"}, {"mitre_attack_technique": "User Execution"}]}]}, {"name": "CISA AA22-257A", "author": "Michael Haag, Splunk", "date": "2022-09-15", "version": 1, "id": "e1aec96e-bc7d-4edf-8ff7-3da9b7b29147", "description": "The Iranian government-sponsored APT actors are actively targeting a broad range of victims across multiple U.S. critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian organizations.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa21-321a", "https://www.cisa.gov/uscert/ncas/alerts/aa22-257a", "https://www.ic3.gov/Media/News/2021/210527.pdf", "https://www.us-cert.gov/sites/default/files/AA22-257A.stix.xml", "https://www.us-cert.cisa.gov/iran"], "narrative": "This advisory updates joint CSA Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities, which provides information on these Iranian government-sponsored APT actors exploiting known Fortinet and Microsoft Exchange vulnerabilities to gain initial access to a broad range of targeted entities in furtherance of malicious activities, including ransom operations. The authoring agencies now judge these actors are an APT group affiliated with the IRGC. Since the initial reporting of this activity in the FBI Liaison Alert System (FLASH) report APT Actors Exploiting Fortinet Vulnerabilities to Gain Access for Malicious Activity from May 2021, the authoring agencies have continued to observe these IRGC-affiliated actors exploiting known vulnerabilities for initial access. In addition to exploiting Fortinet and Microsoft Exchange vulnerabilities, the authoring agencies have observed these APT actors exploiting VMware Horizon Log4j vulnerabilities for initial access. The IRGC-affiliated actors have used this access for follow-on activity, including disk encryption and data extortion, to support ransom operations. The IRGC-affiliated actors are actively targeting a broad range of entities, including entities across multiple U.S. critical infrastructure sectors as well as Australian, Canadian, and United Kingdom organizations. These actors often operate under the auspices of Najee Technology Hooshmand Fater LLC, based in Karaj, Iran, and Afkar System Yazd Company, based in Yazd, Iran. The authoring agencies assess the actors are exploiting known vulnerabilities on unprotected networks rather than targeting specific targeted entities or sectors. This advisory provides observed tactics, techniques, and indicators of compromise (IOCs) that the authoring agencies assess are likely associated with this IRGC-affiliated APT. The authoring agencies urge organizations, especially critical infrastructure organizations, to apply the recommendations listed in the Mitigations section of this advisory to mitigate risk of compromise from these IRGC-affiliated cyber actors.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "APT5", "Dragonfly", "FIN13", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT", "Wizard Spider"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1572", "mitre_attack_technique": "Protocol Tunneling", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Chimera", "Cinnamon Tempest", "Cobalt Group", "FIN13", "FIN6", "Fox Kitten", "Leviathan", "Magic Hound", "OilRig"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider", "Scattered Spider"]}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "APT5", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1021.004", "mitre_attack_technique": "SSH", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT39", "APT5", "BlackTech", "FIN13", "FIN7", "Fox Kitten", "GCMAN", "Lazarus Group", "Leviathan", "OilRig", "Rocke", "TeamTNT", "menuPass"]}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Initial Access", "Lateral Movement", "Persistence", "Execution", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation", "Command and Control"]}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Dump LSASS via procdump Rename - Rule", "ESCU - Create local admin accounts using net exe - Rule", "ESCU - Creation of lsass Dump with Taskmgr - Rule", "ESCU - Detect Exchange Web Shell - Rule", "ESCU - Detect New Local Admin account - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Dump LSASS via procdump - Rule", "ESCU - Extraction of Registry Hives - Rule", "ESCU - Randomly Generated Scheduled Task Name - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Short Lived Scheduled Task - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows Hidden Schedule Task Settings - Rule", "ESCU - Windows Possible Credential Dumping - Rule", "ESCU - Windows Protocol Tunneling with Plink - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule", "ESCU - Log4Shell JNDI Payload Injection Attempt - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Dump LSASS via procdump Rename", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "LSASS Memory"}]}, {"name": "Create local admin accounts using net exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}, {"name": "Creation of lsass Dump with Taskmgr", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Detect Exchange Web Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Detect New Local Admin account", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Dump LSASS via procdump", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Extraction of Registry Hives", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Randomly Generated Scheduled Task Name", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Schtasks Run Task On Demand", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Short Lived Scheduled Task", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}]}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}, {"name": "Windows Hidden Schedule Task Settings", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Windows Possible Credential Dumping", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Windows Protocol Tunneling with Plink", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Protocol Tunneling"}, {"mitre_attack_technique": "SSH"}]}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Scheduled Task"}]}, {"name": "Log4Shell JNDI Payload Injection Attempt", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}]}, {"name": "CISA AA22-264A", "author": "Michael Haag, Splunk", "date": "2022-09-22", "version": 1, "id": "bc7056a5-c3b0-4b83-93ce-5f31739305c8", "description": "Iranian State Actors Conduct Cyber Operations Against the Government of Albania.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa22-264a", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-264a-iranian-cyber-actors-conduct-cyber-operations-against-the-government-of-albania.pdf", "https://www.mandiant.com/resources/blog/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against", "https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/"], "narrative": "The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory to provide information on recent cyber operations against the Government of Albania in July and September. This advisory provides a timeline of activity observed, from initial access to execution of encryption and wiper attacks. Additional information concerning files used by the actors during their exploitation of and cyber attack against the victim organization is provided in Appendices A and B. In September 2022, Iranian cyber actors launched another wave of cyber attacks against the Government of Albania, using similar TTPs and malware as the cyber attacks in July. These were likely done in retaliation for public attribution of the cyber attacks in July and severed diplomatic ties between Albania and Iran.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1070.001", "mitre_attack_technique": "Clear Windows Event Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "APT38", "APT41", "Chimera", "Dragonfly", "FIN5", "FIN8", "Indrik Spider"]}, {"mitre_attack_id": "T1561.002", "mitre_attack_technique": "Disk Structure Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1036.005", "mitre_attack_technique": "Match Legitimate Name or Location", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT32", "APT39", "APT41", "APT5", "Aoqin Dragon", "BRONZE BUTLER", "BackdoorDiplomacy", "Blue Mockingbird", "Carbanak", "Chimera", "Darkhotel", "Earth Lusca", "FIN13", "FIN7", "Ferocious Kitten", "Fox Kitten", "Gamaredon Group", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Naikon", "PROMETHIUM", "Patchwork", "Poseidon Group", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "Sowbug", "TA2541", "TeamTNT", "ToddyCat", "Transparent Tribe", "Tropic Trooper", "Volt Typhoon", "WIRTE", "Whitefly", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1595", "mitre_attack_technique": "Active Scanning", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "APT5", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}, {"mitre_attack_id": "T1561", "mitre_attack_technique": "Disk Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Credential Access", "Reconnaissance", "Persistence", "Impact", "Execution", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation", "Actions on Objectives", "Reconnaissance"]}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Attacker Tools On Endpoint - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Excessive Usage Of Taskkill - Rule", "ESCU - Exchange PowerShell Module Usage - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows Event Log Cleared - Rule", "ESCU - Windows Possible Credential Dumping - Rule", "ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - Windows System File on Disk - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Attacker Tools On Endpoint", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Match Legitimate Name or Location"}, {"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "Active Scanning"}]}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Excessive Usage Of Taskkill", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Exchange PowerShell Module Usage", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Event Log Cleared", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear Windows Event Logs"}]}, {"name": "Windows Possible Credential Dumping", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}, {"name": "Windows System File on Disk", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}]}, {"name": "CISA AA22-277A", "author": "Michael Haag, Splunk", "date": "2022-10-05", "version": 1, "id": "db408f93-e915-4215-9962-5fada348bdd7", "description": "From November 2021 through January 2022, the Cybersecurity and Infrastructure Security Agency (CISA) responded to advanced persistent threat (APT) activity on a Defense Industrial Base (DIB) Sector organization's enterprise network. During incident response activities, multiple utilities were utilized.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa22-277a", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-277a-impacket-and-exfiltration-tool-used-to-steal-sensitive-information-from-defense-industrial-base-organization.pdf"], "narrative": "CISA uncovered that likely multiple APT groups compromised the organization's network, and some APT actors had long-term access to the environment. APT actors used an open-source toolkit called Impacket to gain their foothold within the environment and further compromise the network, and also used a custom data exfiltration tool, CovalentStealer, to steal the victim's sensitive data.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.007", "mitre_attack_technique": "JavaScript", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "Cobalt Group", "Earth Lusca", "Ember Bear", "Evilnum", "FIN6", "FIN7", "Higaisa", "Indrik Spider", "Kimsuky", "LazyScripter", "Leafminer", "Molerats", "MoustachedBouncer", "MuddyWater", "Sidewinder", "Silence", "TA505", "Turla"]}, {"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "APT5", "Akira", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN13", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "APT5", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1070.005", "mitre_attack_technique": "Network Share Connection Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Threat Group-3390"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}], "mitre_attack_tactics": ["Command And Control", "Lateral Movement", "Collection", "Persistence", "Execution", "Privilege Escalation", "Discovery", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Command and Control", "Installation", "Exploitation"]}, "detection_names": ["ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Create or delete windows shares using net exe - Rule", "ESCU - Detect Renamed WinRAR - Rule", "ESCU - Excessive Usage Of Taskkill - Rule", "ESCU - Exchange PowerShell Module Usage - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Network Discovery Using Route Windows App - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}, {"name": "Create or delete windows shares using net exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Network Share Connection Removal"}]}, {"name": "Detect Renamed WinRAR", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}, {"name": "Excessive Usage Of Taskkill", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Exchange PowerShell Module Usage", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "Network Discovery Using Route Windows App", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Internet Connection Discovery"}]}]}, {"name": "CISA AA22-320A", "author": "Michael Haag, Splunk", "date": "2022-11-16", "version": 1, "id": "c1fca73d-3a8d-49a6-b9c0-1d5d155f7dd4", "description": "CISA and the FBI have identified an APT activity where the adversary gained initial access via Log4Shell via a unpatched VMware Horizon server. From there the adversary moved laterally and continued to its objective.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa22-320a", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf"], "narrative": "From mid-June through mid-July 2022, CISA conducted an incident response engagement at a Federal Civilian Executive Branch (FCEB) organization where CISA observed suspected advanced persistent threat (APT) activity. In the course of incident response activities, CISA determined that cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto mining software, moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence. CISA and the Federal Bureau of Investigation (FBI) assess that the FCEB network was compromised by Iranian government-sponsored APT actors.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Akira", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Scattered Spider", "Silence", "Threat Group-3390", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1102", "mitre_attack_technique": "Web Service", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT32", "EXOTIC LILY", "Ember Bear", "FIN6", "FIN8", "Fox Kitten", "Gamaredon Group", "Inception", "LazyScripter", "Mustang Panda", "Rocke", "TeamTNT", "Turla"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1550.003", "mitre_attack_technique": "Pass the Ticket", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["APT29", "APT32", "BRONZE BUTLER"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "Cinnamon Tempest", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "MoustachedBouncer", "POLONIUM", "Sandworm Team", "Turla", "Volt Typhoon", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1572", "mitre_attack_technique": "Protocol Tunneling", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Chimera", "Cinnamon Tempest", "Cobalt Group", "FIN13", "FIN6", "Fox Kitten", "Leviathan", "Magic Hound", "OilRig"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1014", "mitre_attack_technique": "Rootkit", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT41", "Rocke", "TeamTNT", "Winnti Group"]}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Initial Access", "Lateral Movement", "Persistence", "Execution", "Privilege Escalation", "Discovery", "Defense Evasion"], "datamodels": ["Network_Resolution", "Endpoint", "Risk", "Web"], "kill_chain_phases": ["Delivery", "Command and Control", "Installation", "Exploitation"]}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Suspicious Powershell Command-Line Arguments - Rule", "ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Enable WDigest UseLogonCredential Registry - Rule", "ESCU - GetAdComputer with PowerShell Script Block - Rule", "ESCU - Log4Shell CVE-2021-44228 Exploitation - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Mimikatz PassTheTicket CommandLine Parameters - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Suspicious Driver Loaded Path - Rule", "ESCU - Windows Driver Load Non-Standard Path - Rule", "ESCU - Windows Drivers Loaded by Signature - Rule", "ESCU - Windows Mimikatz Binary Execution - Rule", "ESCU - Windows Ngrok Reverse Proxy Usage - Rule", "ESCU - Windows Service Create Kernel Mode Driver - Rule", "ESCU - XMRIG Driver Loaded - Rule", "ESCU - Ngrok Reverse Proxy on Network - Rule", "ESCU - Hunting for Log4Shell - Rule", "ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", "ESCU - Log4Shell JNDI Payload Injection with Outbound Connection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Suspicious Powershell Command-Line Arguments", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "PowerShell"}]}, {"name": "Add or Set Windows Defender Exclusion", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Enable WDigest UseLogonCredential Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "GetAdComputer with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "Log4Shell CVE-2021-44228 Exploitation", "source": "endpoint", "type": "Correlation", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}, {"name": "Mimikatz PassTheTicket CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Use Alternate Authentication Material"}, {"mitre_attack_technique": "Pass the Ticket"}]}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Suspicious Driver Loaded Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Windows Driver Load Non-Standard Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Rootkit"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}, {"name": "Windows Drivers Loaded by Signature", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Rootkit"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}, {"name": "Windows Mimikatz Binary Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Windows Ngrok Reverse Proxy Usage", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Protocol Tunneling"}, {"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Web Service"}]}, {"name": "Windows Service Create Kernel Mode Driver", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}, {"name": "XMRIG Driver Loaded", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Ngrok Reverse Proxy on Network", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Protocol Tunneling"}, {"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Web Service"}]}, {"name": "Hunting for Log4Shell", "source": "web", "type": "Hunting", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Log4Shell JNDI Payload Injection Attempt", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Log4Shell JNDI Payload Injection with Outbound Connection", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}]}, {"name": "CISA AA23-347A", "author": "Teoderick Contreras, Rod Soto, Splunk", "date": "2023-12-14", "version": 1, "id": "6219b623-9850-45b3-98a0-e398090bb352", "description": "Leverage searches that allow you to detect and investigate unusual activities that might be related to the SVR cyber activity tactics and techniques. While SVR followed a similar playbook in each compromise, they also adjusted to each operating environment and not all presented steps or actions below were executed on every host.", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a"], "narrative": "SVR cyber operations pose a persistent threat to public and private organizations' networks globally. Since 2013, cybersecurity companies and governments have reported on SVR operations targeting victim networks to steal confidential and proprietary information. A decade later, the authoring agencies can infer a long-term targeting pattern aimed at collecting, and enabling the collection of, foreign intelligence, a broad concept that for Russia encompasses information on the politics, economics, and military of foreign states; science and technology; and foreign counterintelligence. The SVR also conducts cyber operations targeting technology companies that enable future cyber operations. The SVR's recent operation has targeted networks hosting TeamCity servers, further underscoring its persistent focus on technology companies. By leveraging CVE-2023-42793, a vulnerability within a software development program, the SVR seeks to gain access to victims, potentially compromising numerous software developers' networks. JetBrains responded to this threat by issuing a patch in mid-September 2023, limting the SVR's ability to exploit Internet-accessible TeamCity servers lacking the necessary updates. Despite this mitigation, the SVR has yet to utilize its acquired access to software developers' networks for breaching customer systems. It appears that the SVR is still in the preparatory stages of its operation.", "tags": {"category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1558.004", "mitre_attack_technique": "AS-REP Roasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Akira", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Scattered Spider", "Silence", "Threat Group-3390", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT41", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}, {"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Cinnamon Tempest", "Earth Lusca", "FIN13", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1505.004", "mitre_attack_technique": "IIS Components", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1550.003", "mitre_attack_technique": "Pass the Ticket", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["APT29", "APT32", "BRONZE BUTLER"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070.001", "mitre_attack_technique": "Clear Windows Event Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "APT38", "APT41", "Chimera", "Dragonfly", "FIN5", "FIN8", "Indrik Spider"]}, {"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562.006", "mitre_attack_technique": "Indicator Blocking", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT41", "APT5"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "APT5", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "Malteiro", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1562.002", "mitre_attack_technique": "Disable Windows Event Logging", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound", "Threat Group-3390"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1059.007", "mitre_attack_technique": "JavaScript", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "Cobalt Group", "Earth Lusca", "Ember Bear", "Evilnum", "FIN6", "FIN7", "Higaisa", "Indrik Spider", "Kimsuky", "LazyScripter", "Leafminer", "Molerats", "MoustachedBouncer", "MuddyWater", "Sidewinder", "Silence", "TA505", "Turla"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1134.002", "mitre_attack_technique": "Create Process with Token", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Lazarus Group", "Turla"]}, {"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "APT41", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "Volt Typhoon", "ZIRCONIUM"]}, {"mitre_attack_id": "T1057", "mitre_attack_technique": "Process Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT37", "APT38", "APT5", "Andariel", "Chimera", "Darkhotel", "Deep Panda", "Earth Lusca", "Gamaredon Group", "HAFNIUM", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Rocke", "Sidewinder", "Stealth Falcon", "TeamTNT", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Windshift", "Winnti Group"]}, {"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT41", "BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Scattered Spider", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1201", "mitre_attack_technique": "Password Policy Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "OilRig", "Turla"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "APT41", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Malteiro", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1003.004", "mitre_attack_technique": "LSA Secrets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT33", "Dragonfly", "Ke3chang", "Leafminer", "MuddyWater", "OilRig", "Threat Group-3390", "menuPass"]}, {"mitre_attack_id": "T1574.011", "mitre_attack_technique": "Services Registry Permissions Weakness", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Credential Access", "Initial Access", "Lateral Movement", "Collection", "Persistence", "Execution", "Privilege Escalation", "Impact", "Discovery", "Defense Evasion"], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Access LSASS Memory for Dump Creation - Rule", "ESCU - AdsiSearcher Account Discovery - Rule", "ESCU - Attempted Credential Dump From Registry via Reg exe - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Detect Credential Dumping through LSASS access - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - Disable AMSI Through Registry - Rule", "ESCU - Disable Defender BlockAtFirstSeen Feature - Rule", "ESCU - Disable Defender Enhanced Notification - Rule", "ESCU - Disable Defender Spynet Reporting - Rule", "ESCU - Disable Defender Submit Samples Consent Feature - Rule", "ESCU - Disable ETW Through Registry - Rule", "ESCU - Disable Logs Using WevtUtil - Rule", "ESCU - Disable Security Logs Using MiniNt Registry - Rule", "ESCU - Disable UAC Remote Restriction - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Disable Windows SmartScreen Protection - Rule", "ESCU - Disabled Kerberos Pre-Authentication Discovery With Get-ADUser - Rule", "ESCU - Disabling FolderOptions Windows Feature - Rule", "ESCU - Domain Controller Discovery with Nltest - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Extraction of Registry Hives - Rule", "ESCU - Get ADUser with PowerShell - Rule", "ESCU - Get ADUser with PowerShell Script Block - Rule", "ESCU - Get ADUserResultantPasswordPolicy with Powershell - Rule", "ESCU - Get ADUserResultantPasswordPolicy with Powershell Script Block - Rule", "ESCU - Get DomainUser with PowerShell - Rule", "ESCU - Get DomainUser with PowerShell Script Block - Rule", "ESCU - Mimikatz PassTheTicket CommandLine Parameters - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - PowerShell Domain Enumeration - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Remote Process Instantiation via WMI - Rule", "ESCU - Remote WMI Command Attempt - Rule", "ESCU - Rubeus Command Line Parameters - Rule", "ESCU - Rubeus Kerberos Ticket Exports Through Winlogon Access - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Services Escalate Exe - Rule", "ESCU - Services LOLBAS Execution Process Spawn - Rule", "ESCU - Short Lived Scheduled Task - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Suspicious wevtutil Usage - Rule", "ESCU - System User Discovery With Whoami - Rule", "ESCU - Unload Sysmon Filter Driver - Rule", "ESCU - Windows Access Token Manipulation SeDebugPrivilege - Rule", "ESCU - Windows Account Discovery for None Disable User Account - Rule", "ESCU - Windows Account Discovery for Sam Account Name - Rule", "ESCU - Windows Account Discovery With NetUser PreauthNotRequire - Rule", "ESCU - Windows Archive Collected Data via Powershell - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows Credentials from Password Stores Chrome Extension Access - Rule", "ESCU - Windows Disable Notification Center - Rule", "ESCU - Windows Disable Windows Event Logging Disable HTTP Logging - Rule", "ESCU - Windows Disable Windows Group Policy Features Through Registry - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows DISM Remove Defender - Rule", "ESCU - Windows Domain Account Discovery Via Get-NetComputer - Rule", "ESCU - Windows Excessive Disabled Services Event - Rule", "ESCU - Windows Hunting System Account Targeting Lsass - Rule", "ESCU - Windows Impair Defenses Disable Win Defender Auto Logging - Rule", "ESCU - Windows Known GraphicalProton Loaded Modules - Rule", "ESCU - Windows LSA Secrets NoLMhash Registry - Rule", "ESCU - Windows Mimikatz Binary Execution - Rule", "ESCU - Windows Mimikatz Crypto Export File Extensions - Rule", "ESCU - Windows Modify Registry Disable Restricted Admin - Rule", "ESCU - Windows Modify Registry Disable Win Defender Raw Write Notif - Rule", "ESCU - Windows Modify Registry Disable WinDefender Notifications - Rule", "ESCU - Windows Modify Registry Disable Windows Security Center Notif - Rule", "ESCU - Windows Modify Registry DisableSecuritySettings - Rule", "ESCU - Windows Modify Registry Disabling WER Settings - Rule", "ESCU - Windows Modify Registry No Auto Update - Rule", "ESCU - Windows Modify Registry Suppress Win Defender Notif - Rule", "ESCU - Windows Non-System Account Targeting Lsass - Rule", "ESCU - Windows Possible Credential Dumping - Rule", "ESCU - Windows PowerView Constrained Delegation Discovery - Rule", "ESCU - Windows PowerView SPN Discovery - Rule", "ESCU - Windows PowerView Unconstrained Delegation Discovery - Rule", "ESCU - Windows Process Commandline Discovery - Rule", "ESCU - Windows Query Registry Reg Save - Rule", "ESCU - Windows Remote Create Service - Rule", "ESCU - Windows Scheduled Task Created Via XML - Rule", "ESCU - Windows Scheduled Task with Highest Privileges - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows Service Creation on Remote Endpoint - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule", "ESCU - Windows Service Initiation on Remote Endpoint - Rule", "ESCU - Windows Service Stop Win Updates - Rule", "ESCU - Windows System User Privilege Discovery - Rule", "ESCU - Windows WMI Process Call Create - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinRM Spawning a Process - Rule", "ESCU - JetBrains TeamCity RCE Attempt - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Rod Soto, Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Access LSASS Memory for Dump Creation", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "AdsiSearcher Account Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Attempted Credential Dump From Registry via Reg exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}, {"name": "Detect Credential Dumping through LSASS access", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Disable AMSI Through Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Defender BlockAtFirstSeen Feature", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Defender Enhanced Notification", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Defender Spynet Reporting", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Defender Submit Samples Consent Feature", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable ETW Through Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Logs Using WevtUtil", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear Windows Event Logs"}]}, {"name": "Disable Security Logs Using MiniNt Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Disable UAC Remote Restriction", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Windows SmartScreen Protection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disabled Kerberos Pre-Authentication Discovery With Get-ADUser", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "AS-REP Roasting"}]}, {"name": "Disabling FolderOptions Windows Feature", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Domain Controller Discovery with Nltest", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "ETW Registry Disabled", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Blocking"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Extraction of Registry Hives", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Get ADUser with PowerShell", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Get ADUser with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Get ADUserResultantPasswordPolicy with Powershell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Policy Discovery"}]}, {"name": "Get ADUserResultantPasswordPolicy with Powershell Script Block", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Policy Discovery"}]}, {"name": "Get DomainUser with PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Get DomainUser with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Mimikatz PassTheTicket CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Use Alternate Authentication Material"}, {"mitre_attack_technique": "Pass the Ticket"}]}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "PowerShell 4104 Hunting", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "PowerShell Domain Enumeration", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Remote Process Instantiation via WMI", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "Remote WMI Command Attempt", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "Rubeus Command Line Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Use Alternate Authentication Material"}, {"mitre_attack_technique": "Pass the Ticket"}, {"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}, {"mitre_attack_technique": "AS-REP Roasting"}]}, {"name": "Rubeus Kerberos Ticket Exports Through Winlogon Access", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Use Alternate Authentication Material"}, {"mitre_attack_technique": "Pass the Ticket"}]}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Services Escalate Exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Services LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Short Lived Scheduled Task", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Suspicious wevtutil Usage", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Clear Windows Event Logs"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "System User Discovery With Whoami", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Owner/User Discovery"}]}, {"name": "Unload Sysmon Filter Driver", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Access Token Manipulation SeDebugPrivilege", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Create Process with Token"}, {"mitre_attack_technique": "Access Token Manipulation"}]}, {"name": "Windows Account Discovery for None Disable User Account", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}]}, {"name": "Windows Account Discovery for Sam Account Name", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Account Discovery"}]}, {"name": "Windows Account Discovery With NetUser PreauthNotRequire", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Account Discovery"}]}, {"name": "Windows Archive Collected Data via Powershell", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Archive Collected Data"}]}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "System Network Connections Discovery"}, {"mitre_attack_technique": "System Owner/User Discovery"}, {"mitre_attack_technique": "System Shutdown/Reboot"}, {"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows Credentials from Password Stores Chrome Extension Access", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Disable Notification Center", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Disable Windows Event Logging Disable HTTP Logging", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable Windows Event Logging"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}, {"name": "Windows Disable Windows Group Policy Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows DISM Remove Defender", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Domain Account Discovery Via Get-NetComputer", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Account"}]}, {"name": "Windows Excessive Disabled Services Event", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Hunting System Account Targeting Lsass", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Windows Impair Defenses Disable Win Defender Auto Logging", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Known GraphicalProton Loaded Modules", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "Windows LSA Secrets NoLMhash Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSA Secrets"}]}, {"name": "Windows Mimikatz Binary Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Windows Mimikatz Crypto Export File Extensions", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}, {"name": "Windows Modify Registry Disable Restricted Admin", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry Disable Win Defender Raw Write Notif", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry Disable WinDefender Notifications", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry Disable Windows Security Center Notif", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry DisableSecuritySettings", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry Disabling WER Settings", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry No Auto Update", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry Suppress Win Defender Notif", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Non-System Account Targeting Lsass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Windows Possible Credential Dumping", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Windows PowerView Constrained Delegation Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "Windows PowerView SPN Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}]}, {"name": "Windows PowerView Unconstrained Delegation Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "Windows Process Commandline Discovery", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Process Discovery"}]}, {"name": "Windows Query Registry Reg Save", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Remote Create Service", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Windows Scheduled Task Created Via XML", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Windows Scheduled Task with Highest Privileges", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}, {"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Windows Service Creation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Services Registry Permissions Weakness"}]}, {"name": "Windows Service Initiation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Windows Service Stop Win Updates", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Service Stop"}]}, {"name": "Windows System User Privilege Discovery", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Owner/User Discovery"}]}, {"name": "Windows WMI Process Call Create", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "WinRM Spawning a Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}, {"name": "JetBrains TeamCity RCE Attempt", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}]}, {"name": "Cisco IOS XE Software Web Management User Interface vulnerability", "author": "Michael Haag, Splunk", "date": "2023-10-17", "version": 1, "id": "b5394b6a-b774-4bb6-a2bc-98f98cf7be88", "description": "Cisco has identified active exploitation of a previously unknown vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software (CVE-2023-20198) when exposed to the internet or untrusted networks. Successful exploitation of this vulnerability allows an attacker to create an account on the affected device with privilege level 15 access, effectively granting them full control of the compromised device and allowing possible subsequent unauthorized activity.", "references": ["https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/"], "narrative": "Cisco discovered early evidence of potentially malicious activity on September 28, 2023, when a case was opened with Cisco's Technical Assistance Center (TAC) that identified unusual behavior on a customer device. Upon further investigation, they observed what they have determined to be related activity as early as September 18. The activity included an authorized user creating a local user account under the username cisco_tac_admin from a suspicious IP address. On October 12, Cisco Talos Incident Response (Talos IR) and TAC detected what they later determined to be an additional cluster of related activity that began on that same day. In this cluster, an unauthorized user was observed creating a local user account under the name cisco_support from a second suspicious IP address. Unlike the September case, this October activity included several subsequent actions, including the deployment of an implant consisting of a configuration file (cisco_service.conf). The configuration file defines the new web server endpoint (URI path) used to interact with the implant. That endpoint receives certain parameters, described in more detail below, that allows the actor to execute arbitrary commands at the system level or IOS level. For the implant to become active, the web server must be restarted; in at least one observed case the server was not restarted so the implant never became active despite being installed.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Cisco IOS XE Implant Access - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Cisco IOS XE Implant Access", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}]}, {"name": "Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966", "author": "Michael Haag, Splunk", "date": "2023-10-24", "version": 1, "id": "b194d644-4095-431a-bee0-a8e6ec067414", "description": "A critical security update, CVE-2023-4966, has been released for NetScaler ADC and NetScaler Gateway. This vulnerability, discovered by our internal team, can result in unauthorized data disclosure if exploited. Reports of incidents consistent with session hijacking have been received. The Cybersecurity and Infrastructure Security Agency (CISA) has added an entry for CVE-2023-4966 to its Known Exploited and Vulnerabilities Catalog. No workarounds are available for this vulnerability, and immediate installation of the recommended builds is strongly advised.", "references": ["https://www.netscaler.com/blog/news/cve-2023-4966-critical-security-update-now-available-for-netscaler-adc-and-netscaler-gateway/", "https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967", "https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966", "https://github.com/assetnote/exploits/tree/main/citrix/CVE-2023-4966", "https://github.com/projectdiscovery/nuclei-templates/blob/b815d23b908de52996060163091395d1c89fbeea/http/cves/2023/CVE-2023-4966.yaml"], "narrative": "On October 10, 2023, Cloud Software Group released builds to fix CVE-2023-4966, a vulnerability affecting NetScaler ADC and NetScaler Gateway. This vulnerability, if exploited, can lead to unauthorized data disclosure and possibly session hijacking. Although there were no known exploits at the time of disclosure, we have since received credible reports of targeted attacks exploiting this vulnerability. The Cybersecurity and Infrastructure Security Agency (CISA) has added an entry for CVE-2023-4966 to its Known Exploited and Vulnerabilities Catalog, which contains detection and mitigation guidance for observed exploitations of CVE-2023-4966 by threat actors against NetScaler ADC and NetScaler Gateway. We strongly recommend that users of affected builds immediately install the recommended builds, as this vulnerability has been identified as critical. No workarounds are available for this vulnerability.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Citrix ADC and Gateway Unauthorized Data Disclosure - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Citrix ADC and Gateway Unauthorized Data Disclosure", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}]}, {"name": "Citrix Netscaler ADC CVE-2023-3519", "author": "Michael Haag, Splunk", "date": "2023-07-20", "version": 1, "id": "094df1fe-4345-4c01-8a0f-c65cf7b758bd", "description": "The CVE-2023-3519 vulnerability in NetScaler (formerly Citrix) Application Delivery Controller (ADC) and NetScaler Gateway has been exploited by threat actors, as detailed in a recent advisory. The unauthenticated remote code execution vulnerability was utilized as a zero-day to establish a webshell on a non-production environment NetScaler ADC appliance within a critical infrastructure organization. This facilitated the execution of discovery on the victim's active directory and the collection and exfiltration of data. The advisory offers a comprehensive examination of the threat actors' tactics, techniques, and procedures (TTPs), alongside recommended detection methods and incident response guidelines. Immediate patch application from Citrix and the use of the detection guidance in the advisory is strongly recommended for critical infrastructure organizations to mitigate system compromises.", "references": ["https://attackerkb.com/topics/si09VNJhHh/cve-2023-3519", "https://www.cisa.gov/sites/default/files/2023-07/aa23-201a_csa_threat_actors_exploiting_citrix-cve-2023-3519_to_implant_webshells.pdf", "https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467"], "narrative": "Recent advisories have highlighted the exploitation of CVE-2023-3519, a critical vulnerability in Citrix's NetScaler Application Delivery Controller (ADC) and NetScaler Gateway. In June 2023, threat actors utilized this vulnerability to implant a webshell on a NetScaler ADC appliance within a critical infrastructure organization's non-production environment. This action granted them the ability to perform active directory discovery, data collection, and exfiltration. Notably, attempts for lateral movement to a domain controller were obstructed by network-segmentation controls.\nThe compromised organization reported the breach, leading Citrix to issue a patch on July 18, 2023. Multiple advisories have since outlined the threat actors' tactics, techniques, and procedures (TTPs), including their initial access, persistence, privilege escalation, defense evasion, credential access, discovery, collection, command and control, and impact. These advisories also provide detection methods and recommend incident response measures.\nThe threat actors executed several activities during their attack, such as uploading a TGZ file with a generic webshell, discovery script, and setuid binary on the ADC appliance; conducting SMB scanning on the subnet; using the webshell for active directory enumeration and data exfiltration; and accessing NetScaler configuration files and decryption keys. They also decrypted an active directory credential, queried the active directory for various information, encrypted collected data, exfiltrated it as an image file, and attempted to erase their artifacts. Despite these actions, further discovery and lateral movement were impeded due to the organization's network-segmentation controls. \\\nAdvisories suggest conducting specific checks on the ADC shell interface to detect signs of compromise. If a compromise is detected, organizations should isolate potentially affected hosts, reimage compromised hosts, provide new account credentials, collect and review artifacts, and report the compromise. To mitigate the threat, organizations are advised to promptly install the relevant updates for NetScaler ADC and NetScaler Gateway, adhere to cybersecurity best practices, and apply robust network-segmentation controls on NetScaler appliances and other internet-facing devices.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Citrix ADC Exploitation CVE-2023-3519 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Citrix ADC Exploitation CVE-2023-3519", "source": "web", "type": "Hunting", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}]}, {"name": "Citrix ShareFile RCE CVE-2023-24489", "author": "Michael Haag, Splunk", "date": "2023-07-26", "version": 1, "id": "10c7e01a-5743-4995-99df-a66f6b5db653", "description": "A critical vulnerability has been discovered in ShareFile's Storage Zones Controller software (CVE-2023-24489), used by numerous organizations for file sharing and storage. The vulnerability allows unauthenticated arbitrary file upload and remote code execution due to a cryptographic bug in the software's encryption but lack of authentication system. The risk comes from a failing encryption check, allowing potential cybercriminals to upload malicious files to the server. The bug was found in the Documentum Connector's .aspx files. The security risk has a potentially large impact due to the software's wide use and the sensitivity of the stored data. Citrix has released a security update to address this issue.", "references": ["https://www.greynoise.io/blog/introducing-cve-2023-24489-a-critical-citrix-sharefile-rce-vulnerability", "https://blog.assetnote.io/2023/07/04/citrix-sharefile-rce/"], "narrative": "The ShareFile Storage Zones Controller is a .NET web application running under IIS, which manages the storage of files in ShareFile's system. It was discovered that this software has a critical vulnerability (CVE-2023-24489) in the file upload functionality provided by the Documentum Connector's .aspx files. Specifically, the security flaw lies in the encryption check in the file upload process which could be bypassed, allowing for unauthenticated arbitrary file uploads and remote code execution.\nThe application sets the current principal from a session cookie, but if this is missing, the application continues without authentication. The application uses AES encryption, with CBC mode and PKCS#7 padding. A decryption check is in place which returns an error if the decryption fails, but this can be bypassed by supplying a ciphertext that results in valid padding after decryption, thereby not causing an exception.\nThe Documentum Connector's upload.aspx file, when uploading a file, calls the ProcessRawPostedFile function, which allows a path traversal due to improper sanitization of the 'uploadId' parameter. It allows the 'filename' and 'uploadId' parameters to be concatenated, and while the 'filename' parameter is sanitized, the 'uploadId' is not. The 'parentid' parameter is passed in but is also not used.\nThe vulnerability enables an attacker to upload a webshell or any other malicious file, by providing a properly padded encrypted string for the 'parentid' parameter, and specifying the path for the 'uploadId' and the name for the 'filename'. An attacker can achieve remote code execution by requesting the uploaded file. The issue was addressed by Citrix in a recent security update.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "APT5", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}], "mitre_attack_tactics": ["Persistence"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation"]}, "detection_names": ["ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Citrix ShareFile Exploitation CVE-2023-24489 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}, {"name": "Citrix ShareFile Exploitation CVE-2023-24489", "source": "web", "type": "Hunting", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}]}, {"name": "Clop Ransomware", "author": "Rod Soto, Teoderick Contreras, Splunk", "date": "2021-03-17", "version": 1, "id": "5a6f6849-1a26-4fae-aa05-fa730556eeb6", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Clop ransomware, including looking for file writes associated with Clope, encrypting network shares, deleting and resizing shadow volume storage, registry key modification, deleting of security logs, and more.", "references": ["https://www.hhs.gov/sites/default/files/analyst-note-cl0p-tlp-white.pdf", "https://securityaffairs.co/wordpress/115250/data-breach/qualys-clop-ransomware.html", "https://www.darkreading.com/attacks-breaches/qualys-is-the-latest-victim-of-accellion-data-breach/d/d-id/1340323"], "narrative": "Clop ransomware campaigns targeting healthcare and other vertical sectors, involve the use of ransomware payloads along with exfiltration of data per HHS bulletin. Malicious actors demand payment for ransome of data and threaten deletion and exposure of exfiltrated data.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1070.001", "mitre_attack_technique": "Clear Windows Event Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "APT38", "APT41", "Chimera", "Dragonfly", "FIN5", "FIN8", "Indrik Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "Akira", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "Scattered Spider", "TA505"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}], "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Impact", "Execution", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Clop Common Exec Parameter - Rule", "ESCU - Clop Ransomware Known Service Name - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - High Process Termination Frequency - Rule", "ESCU - Process Deleting Its Process File Path - Rule", "ESCU - Ransomware Notes bulk creation - Rule", "ESCU - Resize ShadowStorage volume - Rule", "ESCU - Suspicious Event Log Service Behavior - Rule", "ESCU - Suspicious wevtutil Usage - Rule", "ESCU - Windows Event Log Cleared - Rule", "ESCU - Windows High File Deletion Frequency - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Teoderick Contreras, Splunk", "author_name": "Rod Soto", "detections": [{"name": "Clop Common Exec Parameter", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Clop Ransomware Known Service Name", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "High Process Termination Frequency", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}, {"name": "Process Deleting Its Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Ransomware Notes bulk creation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}, {"name": "Resize ShadowStorage volume", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Suspicious Event Log Service Behavior", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear Windows Event Logs"}]}, {"name": "Suspicious wevtutil Usage", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Clear Windows Event Logs"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Windows Event Log Cleared", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear Windows Event Logs"}]}, {"name": "Windows High File Deletion Frequency", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}]}, {"name": "Cloud Cryptomining", "author": "David Dorsey, Splunk", "date": "2019-10-02", "version": 1, "id": "3b96d13c-fdc7-45dd-b3ad-c132b31cdd2a", "description": "Monitor your cloud compute instances for activities related to cryptojacking/cryptomining. New instances that originate from previously unseen regions, users who launch abnormally high numbers of instances, or compute instances started by previously unseen users are just a few examples of potentially malicious behavior.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "narrative": "Cryptomining is an intentionally difficult, resource-intensive business. Its complexity was designed into the process to ensure that the number of blocks mined each day would remain steady. So, it's par for the course that ambitious, but unscrupulous, miners make amassing the computing power of large enterprises--a practice known as cryptojacking--a top priority.\nCryptojacking has attracted an increasing amount of media attention since its explosion in popularity in the fall of 2017. The attacks have moved from in-browser exploits and mobile phones to enterprise cloud services, such as Amazon Web Services (AWS), Google Cloud Platform (GCP), and Azure. It's difficult to determine exactly how widespread the practice has become, since bad actors continually evolve their ability to escape detection, including employing unlisted endpoints, moderating their CPU usage, and hiding the mining pool's IP address behind a free CDN.\nWhen malicious miners appropriate a cloud instance, often spinning up hundreds of new instances, the costs can become astronomical for the account holder. So it is critically important to monitor your systems for suspicious activities that could indicate that your network has been infiltrated.\nThis Analytic Story is focused on detecting suspicious new instances in your cloud environment to help prevent cryptominers from gaining a foothold. It contains detection searches that will detect when a previously unused instance type or AMI is used. It also contains support searches to build lookup files to ensure proper execution of the detection searches.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Privilege Escalation", "Persistence", "Defense Evasion", "Initial Access"], "datamodels": ["Change"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation"]}, "detection_names": ["ESCU - Abnormally High Number Of Cloud Instances Launched - Rule", "ESCU - Cloud Compute Instance Created By Previously Unseen User - Rule", "ESCU - Cloud Compute Instance Created In Previously Unused Region - Rule", "ESCU - Cloud Compute Instance Created With Previously Unseen Image - Rule", "ESCU - Cloud Compute Instance Created With Previously Unseen Instance Type - Rule"], "investigation_names": ["AWS Investigate Security Hub alerts by dest", "AWS Investigate User Activities By ARN", "Get EC2 Instance Details by instanceId", "Get EC2 Launch Details", "Get Notable History", "Investigate AWS activities via region name"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Abnormally High Number Of Cloud Instances Launched", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}, {"name": "Cloud Compute Instance Created By Previously Unseen User", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}, {"name": "Cloud Compute Instance Created In Previously Unused Region", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}, {"name": "Cloud Compute Instance Created With Previously Unseen Image", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Cloud Compute Instance Created With Previously Unseen Instance Type", "source": "cloud", "type": "Anomaly", "tags": []}]}, {"name": "Cloud Federated Credential Abuse", "author": "Rod Soto, Splunk", "date": "2021-01-26", "version": 1, "id": "cecdc1e7-0af2-4a55-8967-b9ea62c0317d", "description": "This analytical story addresses events that indicate abuse of cloud federated credentials. These credentials are usually extracted from endpoint desktop or servers specially those servers that provide federation services such as Windows Active Directory Federation Services. Identity Federation relies on objects such as Oauth2 tokens, cookies or SAML assertions in order to provide seamless access between cloud and perimeter environments. If these objects are either hijacked or forged then attackers will be able to pivot into victim's cloud environements.", "references": ["https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps", "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", "https://us-cert.cisa.gov/ncas/alerts/aa21-008a"], "narrative": "This story is composed of detection searches based on endpoint that addresses the use of Mimikatz, Escalation of Privileges and Abnormal processes that may indicate the extraction of Federated directory objects such as passwords, Oauth2 tokens, certificates and keys. Cloud environment (AWS, Azure) related events are also addressed in specific cloud environment detection searches.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider", "Scattered Spider"]}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["FIN13"]}], "mitre_attack_tactics": ["Credential Access", "Initial Access", "Defense Evasion", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation"]}, "detection_names": ["ESCU - AWS SAML Access by Provider User and Principal - Rule", "ESCU - AWS SAML Update identity provider - Rule", "ESCU - O365 Add App Role Assignment Grant User - Rule", "ESCU - O365 Added Service Principal - Rule", "ESCU - O365 Excessive SSO logon errors - Rule", "ESCU - O365 New Federated Domain Added - Rule", "ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Detect Mimikatz Via PowerShell And EventCode 4703 - Rule", "ESCU - Certutil exe certificate extraction - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Rod Soto", "detections": [{"name": "AWS SAML Access by Provider User and Principal", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "AWS SAML Update identity provider", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "O365 Add App Role Assignment Grant User", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}, {"name": "O365 Added Service Principal", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}, {"name": "O365 Excessive SSO logon errors", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Authentication Process"}]}, {"name": "O365 New Federated Domain Added", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}, {"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Detect Mimikatz Via PowerShell And EventCode 4703", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}]}, {"name": "Certutil exe certificate extraction", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Registry Keys Used For Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Image File Execution Options Injection"}, {"mitre_attack_technique": "Event Triggered Execution"}]}]}, {"name": "Cobalt Strike", "author": "Michael Haag, Splunk", "date": "2021-02-16", "version": 1, "id": "bcfd17e8-5461-400a-80a2-3b7d1459220c", "description": "Cobalt Strike is threat emulation software. Red teams and penetration testers use Cobalt Strike to demonstrate the risk of a breach and evaluate mature security programs. Most recently, Cobalt Strike has become the choice tool by threat groups due to its ease of use and extensibility.", "references": ["https://www.cobaltstrike.com/", "https://www.infocyte.com/blog/2020/09/02/cobalt-strike-the-new-favorite-among-thieves/", "https://bluescreenofjeff.com/2017-01-24-how-to-write-malleable-c2-profiles-for-cobalt-strike/", "https://blog.talosintelligence.com/2020/09/coverage-strikes-back-cobalt-strike-paper.html", "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html", "https://github.com/MichaelKoczwara/Awesome-CobaltStrike-Defence", "https://github.com/zer0yu/Awesome-CobaltStrike"], "narrative": "This Analytic Story supports you to detect Tactics, Techniques and Procedures (TTPs) from Cobalt Strike. Cobalt Strike has many ways to be enhanced by using aggressor scripts, malleable C2 profiles, default attack packages, and much more. For endpoint behavior, Cobalt Strike is most commonly identified via named pipes, spawn to processes, and DLL function names. Many additional variables are provided for in memory operation of the beacon implant. On the network, depending on the malleable C2 profile used, it is near infinite in the amount of ways to conceal the C2 traffic with Cobalt Strike. Not every query may be specific to Cobalt Strike the tool, but the methodologies and techniques used by it.\nSplunk Threat Research reviewed all publicly available instances of Malleabe C2 Profiles and generated a list of the most commonly used spawnto and pipenames.\n`Spawnto_x86` and `spawnto_x64` is the process that Cobalt Strike will spawn and injects shellcode into.\nPipename sets the named pipe name used in Cobalt Strikes Beacon SMB C2 traffic.\nWith that, new detections were generated focused on these spawnto processes spawning without command line arguments. Similar, the named pipes most commonly used by Cobalt Strike added as a detection. In generating content for Cobalt Strike, the following is considered:\n- Is it normal for spawnto_ value to have no command line arguments? No command line arguments and a network connection?\n- What is the default, or normal, process lineage for spawnto_ value?\n- Does the spawnto_ value make network connections?\n- Is it normal for spawnto_ value to load jscript, vbscript, Amsi.dll, and clr.dll?\nWhile investigating a detection related to this Analytic Story, keep in mind the parent process, process path, and any file modifications that may occur. Tuning may need to occur to remove any false positives.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "APT5", "Akira", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN13", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1127.001", "mitre_attack_technique": "MSBuild", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}], "mitre_attack_tactics": ["Collection", "Defense Evasion", "Persistence", "Execution", "Privilege Escalation"], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - Anomalous usage of 7zip - Rule", "ESCU - CMD Echo Pipe - Escalation - Rule", "ESCU - Cobalt Strike Named Pipes - Rule", "ESCU - Detect Regsvr32 Application Control Bypass - Rule", "ESCU - DLLHost with no Command Line Arguments with Network - Rule", "ESCU - GPUpdate with no Command Line Arguments with Network - Rule", "ESCU - Rundll32 with no Command Line Arguments with Network - Rule", "ESCU - SearchProtocolHost with no Command Line with Network - Rule", "ESCU - Services Escalate Exe - Rule", "ESCU - Suspicious DLLHost no Command Line Arguments - Rule", "ESCU - Suspicious GPUpdate no Command Line Arguments - Rule", "ESCU - Suspicious microsoft workflow compiler rename - Rule", "ESCU - Suspicious msbuild path - Rule", "ESCU - Suspicious MSBuild Rename - Rule", "ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", "ESCU - Suspicious Rundll32 StartW - Rule", "ESCU - Suspicious SearchProtocolHost no Command Line Arguments - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Anomalous usage of 7zip", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}, {"name": "CMD Echo Pipe - Escalation", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Cobalt Strike Named Pipes", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Detect Regsvr32 Application Control Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}, {"name": "DLLHost with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "GPUpdate with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Rundll32 with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "SearchProtocolHost with no Command Line with Network", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Services Escalate Exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Suspicious DLLHost no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Suspicious GPUpdate no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Suspicious microsoft workflow compiler rename", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}]}, {"name": "Suspicious msbuild path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}, {"name": "Suspicious MSBuild Rename", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}, {"name": "Suspicious Rundll32 no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Suspicious Rundll32 StartW", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Suspicious SearchProtocolHost no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}]}, {"name": "ColdRoot MacOS RAT", "author": "Jose Hernandez, Splunk", "date": "2019-01-09", "version": 1, "id": "bd91a2bc-d20b-4f44-a982-1bea98e86390", "description": "Leverage searches that allow you to detect and investigate unusual activities that relate to the ColdRoot Remote Access Trojan that affects MacOS. An example of some of these activities are changing sensative binaries in the MacOS sub-system, detecting process names and executables associated with the RAT, detecting when a keyboard tab is installed on a MacOS machine and more.", "references": ["https://www.intego.com/mac-security-blog/osxcoldroot-and-the-rat-invasion/", "https://objective-see.com/blog/blog_0x2A.html", "https://www.bleepingcomputer.com/news/security/coldroot-rat-still-undetectable-despite-being-uploaded-on-github-two-years-ago/"], "narrative": "Conventional wisdom holds that Apple's MacOS operating system is significantly less vulnerable to attack than Windows machines. While that point is debatable, it is true that attacks against MacOS systems are much less common. However, this fact does not mean that Macs are impervious to breaches. To the contrary, research has shown that that Mac malware is increasing at an alarming rate. According to AV-test, in 2018, there were 86,865 new MacOS malware variants, up from 27,338 the year before—a 31% increase. In contrast, the independent research firm found that new Windows malware had increased from 65.17M to 76.86M during that same period, less than half the rate of growth. The bottom line is that while the numbers look a lot smaller than Windows, it's definitely time to take Mac security more seriously.\nThis Analytic Story addresses the ColdRoot remote access trojan (RAT), which was uploaded to Github in 2016, but was still escaping detection by the first quarter of 2018, when a new, more feature-rich variant was discovered masquerading as an Apple audio driver. Among other capabilities, the Pascal-based ColdRoot can heist passwords from users' keychains and remotely control infected machines without detection. In the initial report of his findings, Patrick Wardle, Chief Research Officer for Digita Security, explained that the new ColdRoot RAT could start and kill processes on the breached system, spawn new remote-desktop sessions, take screen captures and assemble them into a live stream of the victim's desktop, and more.\nSearches in this Analytic Story leverage the capabilities of OSquery to address ColdRoot detection from several different angles, such as looking for the existence of associated files and processes, and monitoring for signs of an installed keylogger.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Osquery pack - ColdRoot detection - Rule", "ESCU - MacOS - Re-opened Applications - Rule", "ESCU - Processes Tapping Keyboard Events - Rule"], "investigation_names": ["Get Notable History", "Investigate Network Traffic From src ip"], "baseline_names": [], "author_company": "Splunk", "author_name": "Jose Hernandez", "detections": [{"name": "Osquery pack - ColdRoot detection", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "MacOS - Re-opened Applications", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Processes Tapping Keyboard Events", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Collection and Staging", "author": "Rico Valdez, Splunk", "date": "2020-02-03", "version": 1, "id": "8e03c61e-13c4-4dcd-bfbe-5ce5a8dc031a", "description": "Monitor for and investigate activities--such as suspicious writes to the Windows Recycling Bin or email servers sending high amounts of traffic to specific hosts, for example--that may indicate that an adversary is harvesting and exfiltrating sensitive data. ", "references": ["https://attack.mitre.org/wiki/Collection", "https://attack.mitre.org/wiki/Technique/T1074"], "narrative": "A common adversary goal is to identify and exfiltrate data of value from a target organization. This data may include email conversations and addresses, confidential company information, links to network design/infrastructure, important dates, and so on.\nAttacks are composed of three activities: identification, collection, and staging data for exfiltration. Identification typically involves scanning systems and observing user activity. Collection can involve the transfer of large amounts of data from various repositories. Staging/preparation includes moving data to a central location and compressing (and optionally encoding and/or encrypting) it. All of these activities provide opportunities for defenders to identify their presence.\nUse the searches to detect and monitor suspicious behavior related to these activities.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1114", "mitre_attack_technique": "Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Magic Hound", "Silent Librarian"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "APT5", "Akira", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN13", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1114.002", "mitre_attack_technique": "Remote Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "Chimera", "Dragonfly", "FIN4", "HAFNIUM", "Ke3chang", "Kimsuky", "Leafminer", "Magic Hound"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1114.001", "mitre_attack_technique": "Local Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "Chimera", "Magic Hound"]}], "mitre_attack_tactics": ["Collection", "Defense Evasion"], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Email files written outside of the Outlook directory - Rule", "ESCU - Email servers sending high volume traffic to hosts - Rule", "ESCU - Suspicious writes to System Volume Information - Rule", "ESCU - Detect Renamed 7-Zip - Rule", "ESCU - Detect Renamed WinRAR - Rule", "ESCU - Suspicious writes to windows Recycle Bin - Rule", "ESCU - Hosts receiving high volume of network traffic from email server - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Email files written outside of the Outlook directory", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Email Collection"}, {"mitre_attack_technique": "Local Email Collection"}]}, {"name": "Email servers sending high volume traffic to hosts", "source": "application", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Email Collection"}, {"mitre_attack_technique": "Remote Email Collection"}]}, {"name": "Suspicious writes to System Volume Information", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Detect Renamed 7-Zip", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}, {"name": "Detect Renamed WinRAR", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}, {"name": "Suspicious writes to windows Recycle Bin", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Hosts receiving high volume of network traffic from email server", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Email Collection"}, {"mitre_attack_technique": "Email Collection"}]}]}, {"name": "Command And Control", "author": "Rico Valdez, Splunk", "date": "2018-06-01", "version": 1, "id": "943773c6-c4de-4f38-89a8-0b92f98804d8", "description": "Detect and investigate tactics, techniques, and procedures leveraged by attackers to establish and operate Command And Control channels. Implants installed by attackers on compromised endpoints use these channels to receive instructions and send data back to the malicious operators.", "references": ["https://attack.mitre.org/wiki/Command_and_Control", "https://searchsecurity.techtarget.com/feature/Command-and-control-servers-The-puppet-masters-that-govern-malware"], "narrative": "Threat actors typically architect and implement an infrastructure to use in various ways during the course of their attack campaigns. In some cases, they leverage this infrastructure for scanning and performing reconnaissance activities. In others, they may use this infrastructure to launch actual attacks. One of the most important functions of this infrastructure is to establish servers that will communicate with implants on compromised endpoints. These servers establish a command and control channel that is used to proxy data between the compromised endpoint and the attacker. These channels relay commands from the attacker to the compromised endpoint and the output of those commands back to the attacker.\nBecause this communication is so critical for an adversary, they often use techniques designed to hide the true nature of the communications. There are many different techniques used to establish and communicate over these channels. This Analytic Story provides searches that look for a variety of the techniques used for these channels, as well as indications that these channels are active, by examining logs associated with border control devices and network-access control lists.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1568.002", "mitre_attack_technique": "Domain Generation Algorithms", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "TA551"]}, {"mitre_attack_id": "T1071.004", "mitre_attack_technique": "DNS", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT39", "APT41", "Chimera", "Cobalt Group", "FIN7", "Ke3chang", "LazyScripter", "OilRig", "Tropic Trooper"]}, {"mitre_attack_id": "T1219", "mitre_attack_technique": "Remote Access Software", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Akira", "Carbanak", "Cobalt Group", "DarkVishnya", "Evilnum", "FIN7", "GOLD SOUTHFIELD", "Kimsuky", "MuddyWater", "Mustang Panda", "RTM", "Sandworm Team", "Scattered Spider", "TeamTNT", "Thrip"]}, {"mitre_attack_id": "T1090.003", "mitre_attack_technique": "Multi-hop Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT28", "APT29", "FIN4", "Inception", "Leviathan"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "Mustard Tempest", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}, {"mitre_attack_id": "T1095", "mitre_attack_technique": "Non-Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT3", "BITTER", "BackdoorDiplomacy", "FIN6", "HAFNIUM", "Metador", "PLATINUM", "ToddyCat"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Magic Hound", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "Cinnamon Tempest", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "MoustachedBouncer", "POLONIUM", "Sandworm Team", "Turla", "Volt Typhoon", "Windigo"]}], "mitre_attack_tactics": ["Exfiltration", "Command And Control", "Initial Access"], "datamodels": ["Network_Resolution", "Endpoint", "Network_Traffic"], "kill_chain_phases": ["Delivery", "Command and Control", "Actions on Objectives"]}, "detection_names": ["ESCU - Detect Spike in blocked Outbound Traffic from your AWS - Rule", "ESCU - Clients Connecting to Multiple DNS Servers - Rule", "ESCU - Detect Long DNS TXT Record Response - Rule", "ESCU - Detection of DNS Tunnels - Rule", "ESCU - DNS Query Requests Resolved by Unauthorized DNS Servers - Rule", "ESCU - Detect Remote Access Software Usage File - Rule", "ESCU - Detect Remote Access Software Usage FileInfo - Rule", "ESCU - Detect Remote Access Software Usage Process - Rule", "ESCU - DNS Exfiltration Using Nslookup App - Rule", "ESCU - Excessive Usage of NSLOOKUP App - Rule", "ESCU - Windows Remote Access Software Hunt - Rule", "ESCU - Detect DGA domains using pretrained model in DSDL - Rule", "ESCU - Detect DNS Data Exfiltration using pretrained model in DSDL - Rule", "ESCU - Detect hosts connecting to dynamic domain providers - Rule", "ESCU - Detect Large Outbound ICMP Packets - Rule", "ESCU - Detect Remote Access Software Usage DNS - Rule", "ESCU - Detect Remote Access Software Usage Traffic - Rule", "ESCU - Detect suspicious DNS TXT records using pretrained model in DSDL - Rule", "ESCU - DNS Query Length Outliers - MLTK - Rule", "ESCU - DNS Query Length With High Standard Deviation - Rule", "ESCU - Excessive DNS Failures - Rule", "ESCU - Multiple Archive Files Http Post Traffic - Rule", "ESCU - Plain HTTP POST Exfiltrated Data - Rule", "ESCU - Prohibited Network Traffic Allowed - Rule", "ESCU - Protocol or Port Mismatch - Rule", "ESCU - TOR Traffic - Rule", "ESCU - Detect Remote Access Software Usage URL - Rule"], "investigation_names": ["AWS Investigate User Activities By ARN", "AWS Network ACL Details from ID", "AWS Network Interface details via resourceId", "Get All AWS Activity From IP Address", "Get DNS Server History for a host", "Get DNS traffic ratio", "Get Notable History", "Get Parent Process Info", "Get Process Info", "Get Process Information For Port Activity", "Get Process Responsible For The DNS Traffic"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Detect Spike in blocked Outbound Traffic from your AWS", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Clients Connecting to Multiple DNS Servers", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}, {"name": "Detect Long DNS TXT Record Response", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}, {"name": "Detection of DNS Tunnels", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}, {"name": "DNS Query Requests Resolved by Unauthorized DNS Servers", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "DNS"}]}, {"name": "Detect Remote Access Software Usage File", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}, {"name": "Detect Remote Access Software Usage FileInfo", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}, {"name": "Detect Remote Access Software Usage Process", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}, {"name": "DNS Exfiltration Using Nslookup App", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}, {"name": "Excessive Usage of NSLOOKUP App", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}, {"name": "Windows Remote Access Software Hunt", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}, {"name": "Detect DGA domains using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Domain Generation Algorithms"}]}, {"name": "Detect DNS Data Exfiltration using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}, {"name": "Detect hosts connecting to dynamic domain providers", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Drive-by Compromise"}]}, {"name": "Detect Large Outbound ICMP Packets", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Non-Application Layer Protocol"}]}, {"name": "Detect Remote Access Software Usage DNS", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}, {"name": "Detect Remote Access Software Usage Traffic", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}, {"name": "Detect suspicious DNS TXT records using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Domain Generation Algorithms"}]}, {"name": "DNS Query Length Outliers - MLTK", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "DNS"}, {"mitre_attack_technique": "Application Layer Protocol"}]}, {"name": "DNS Query Length With High Standard Deviation", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}, {"name": "Excessive DNS Failures", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "DNS"}, {"mitre_attack_technique": "Application Layer Protocol"}]}, {"name": "Multiple Archive Files Http Post Traffic", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}, {"name": "Plain HTTP POST Exfiltrated Data", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}, {"name": "Prohibited Network Traffic Allowed", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}, {"name": "Protocol or Port Mismatch", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}, {"name": "TOR Traffic", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Multi-hop Proxy"}]}, {"name": "Detect Remote Access Software Usage URL", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}]}, {"name": "Compromised User Account", "author": "Mauricio Velazco, Bhavin Patel, Splunk", "date": "2023-01-19", "version": 1, "id": "19669154-e9d1-4a01-b144-e6592a078092", "description": "Monitor for activities and techniques associated with Compromised User Account attacks.", "references": ["https://www.proofpoint.com/us/threat-reference/compromised-account"], "narrative": "Compromised User Account occurs when cybercriminals gain unauthorized access to accounts by using different techniques like brute force, social engineering, phishing & spear phishing, credential stuffing, etc. By posing as the real user, cyber-criminals can change account details, send out phishing emails, steal financial information or sensitive data, or use any stolen information to access further accounts within the organization. This analytic story groups detections that can help security operations teams identify the potential signs of Compromised User Accounts.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098.005", "mitre_attack_technique": "Device Registration", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1556.006", "mitre_attack_technique": "Multi-Factor Authentication", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["Scattered Spider"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1185", "mitre_attack_technique": "Browser Session Hijacking", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1201", "mitre_attack_technique": "Password Policy Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}, {"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1110.001", "mitre_attack_technique": "Password Guessing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29"]}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["FIN13"]}], "mitre_attack_tactics": ["Resource Development", "Credential Access", "Initial Access", "Collection", "Persistence", "Privilege Escalation", "Discovery", "Defense Evasion"], "datamodels": ["Authentication", "Change"], "kill_chain_phases": ["Delivery", "Weaponization", "Installation", "Exploitation"]}, "detection_names": ["ESCU - PingID Mismatch Auth Source and Verification Response - Rule", "ESCU - PingID Multiple Failed MFA Requests For User - Rule", "ESCU - PingID New MFA Method After Credential Reset - Rule", "ESCU - PingID New MFA Method Registered For User - Rule", "ESCU - Abnormally High Number Of Cloud Infrastructure API Calls - Rule", "ESCU - ASL AWS Concurrent Sessions From Different Ips - Rule", "ESCU - AWS Concurrent Sessions From Different Ips - Rule", "ESCU - AWS Console Login Failed During MFA Challenge - Rule", "ESCU - AWS High Number Of Failed Authentications For User - Rule", "ESCU - AWS High Number Of Failed Authentications From Ip - Rule", "ESCU - AWS Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - AWS Password Policy Changes - Rule", "ESCU - AWS Successful Console Authentication From Multiple IPs - Rule", "ESCU - Azure AD Concurrent Sessions From Different Ips - Rule", "ESCU - Azure AD High Number Of Failed Authentications For User - Rule", "ESCU - Azure AD High Number Of Failed Authentications From Ip - Rule", "ESCU - Azure AD New MFA Method Registered For User - Rule", "ESCU - Azure AD Successful Authentication From Different Ips - Rule", "ESCU - Detect AWS Console Login by User from New City - Rule", "ESCU - Detect AWS Console Login by User from New Country - Rule", "ESCU - Detect AWS Console Login by User from New Region - Rule", "ESCU - ASL AWS Password Policy Changes - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Bhavin Patel, Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "PingID Mismatch Auth Source and Verification Response", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}, {"mitre_attack_technique": "Multi-Factor Authentication"}, {"mitre_attack_technique": "Device Registration"}]}, {"name": "PingID Multiple Failed MFA Requests For User", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "PingID New MFA Method After Credential Reset", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}, {"mitre_attack_technique": "Multi-Factor Authentication"}, {"mitre_attack_technique": "Device Registration"}]}, {"name": "PingID New MFA Method Registered For User", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}, {"mitre_attack_technique": "Multi-Factor Authentication"}, {"mitre_attack_technique": "Device Registration"}]}, {"name": "Abnormally High Number Of Cloud Infrastructure API Calls", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}, {"name": "ASL AWS Concurrent Sessions From Different Ips", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Browser Session Hijacking"}]}, {"name": "AWS Concurrent Sessions From Different Ips", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Browser Session Hijacking"}]}, {"name": "AWS Console Login Failed During MFA Challenge", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}, {"name": "AWS High Number Of Failed Authentications For User", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Policy Discovery"}]}, {"name": "AWS High Number Of Failed Authentications From Ip", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}, {"name": "AWS Multiple Users Failing To Authenticate From Ip", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}, {"name": "AWS Password Policy Changes", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Password Policy Discovery"}]}, {"name": "AWS Successful Console Authentication From Multiple IPs", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}, {"name": "Azure AD Concurrent Sessions From Different Ips", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Browser Session Hijacking"}]}, {"name": "Azure AD High Number Of Failed Authentications For User", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Guessing"}]}, {"name": "Azure AD High Number Of Failed Authentications From Ip", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Guessing"}, {"mitre_attack_technique": "Password Spraying"}]}, {"name": "Azure AD New MFA Method Registered For User", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Authentication Process"}, {"mitre_attack_technique": "Multi-Factor Authentication"}]}, {"name": "Azure AD Successful Authentication From Different Ips", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Guessing"}, {"mitre_attack_technique": "Password Spraying"}]}, {"name": "Detect AWS Console Login by User from New City", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}, {"name": "Detect AWS Console Login by User from New Country", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}, {"name": "Detect AWS Console Login by User from New Region", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}, {"name": "ASL AWS Password Policy Changes", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "Password Policy Discovery"}]}]}, {"name": "Confluence Data Center and Confluence Server Vulnerabilities", "author": "Michael Haag, Splunk", "date": "2024-01-22", "version": 1, "id": "509387a5-ab53-4656-8bb5-4bc8c2c074d9", "description": "The following analytic story covers use cases for detecting and investigating potential attacks against Confluence Data Center and Confluence Server.", "references": ["https://confluence.atlassian.com/security/cve-2023-22527-rce-remote-code-execution-vulnerability-in-confluence-data-center-and-confluence-server-1333990257.html"], "narrative": "The analytic story of Confluence Data Center and Confluence Server encompasses a comprehensive approach to safeguarding these platforms from a variety of threats. By leveraging the analytics created in the project, security teams are equipped to detect, investigate, and respond to potential attacks that target Confluence environments.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Web"], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - Confluence Data Center and Server Privilege Escalation - Rule", "ESCU - Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527 - Rule", "ESCU - Confluence Unauthenticated Remote Code Execution CVE-2022-26134 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Confluence Data Center and Server Privilege Escalation", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}, {"name": "Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}, {"name": "Confluence Unauthenticated Remote Code Execution CVE-2022-26134", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}]}, {"name": "ConnectWise ScreenConnect Vulnerabilities", "author": "Michael Haag, Splunk", "date": "2024-02-21", "version": 1, "id": "fbee3185-748c-40d8-a60c-c2e2c9eb738b", "description": "This analytic story provides a comprehensive overview of the ConnectWise ScreenConnect vulnerabilities.", "references": ["https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass", "https://www.huntress.com/blog/detection-guidance-for-connectwise-cwe-288-2", "https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8"], "narrative": "The following analytic story includes content for recently disclosed CWE-288 Authentication Bypass and CWE-22 Path Traversal. The vulnerabilities, identified as critical with CVSS scores of 10 and 9.8, respectively, enable unauthorized users to bypass authentication and perform path traversal attacks on affected ScreenConnect instances. The analytic story includes detection analytics for both vulnerabilities, which are crucial for identifying and responding to active exploitation in environments running affected versions of ScreenConnect (23.9.7 and prior). It is recommended to update to version 23.9.8 or above immediately to remediate the issues, as detailed in the ConnectWise security advisory and further analyzed by Huntress researchers. The analytic story also includes guidance on how to implement the detection analytics, known false positives, and references to additional resources for further analysis and remediation.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Endpoint", "Web"], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - ConnectWise ScreenConnect Path Traversal - Rule", "ESCU - ConnectWise ScreenConnect Path Traversal Windows SACL - Rule", "ESCU - ConnectWise ScreenConnect Authentication Bypass - Rule", "ESCU - Nginx ConnectWise ScreenConnect Authentication Bypass - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "ConnectWise ScreenConnect Path Traversal", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}, {"name": "ConnectWise ScreenConnect Path Traversal Windows SACL", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}, {"name": "ConnectWise ScreenConnect Authentication Bypass", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}, {"name": "Nginx ConnectWise ScreenConnect Authentication Bypass", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}]}, {"name": "Credential Dumping", "author": "Rico Valdez, Splunk", "date": "2020-02-04", "version": 3, "id": "854d78bf-d0e2-4f4e-b05c-640905f86d7a", "description": "Uncover activity consistent with credential dumping, a technique wherein attackers compromise systems and attempt to obtain and exfiltrate passwords. The threat actors use these pilfered credentials to further escalate privileges and spread throughout a target environment. The included searches in this Analytic Story are designed to identify attempts to credential dumping.", "references": ["https://attack.mitre.org/wiki/Technique/T1003", "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html"], "narrative": "Credential dumping—gathering credentials from a target system, often hashed or encrypted—is a common attack technique. Even though the credentials may not be in plain text, an attacker can still exfiltrate the data and set to cracking it offline, on their own systems. The threat actors target a variety of sources to extract them, including the Security Accounts Manager (SAM), Local Security Authority (LSA), NTDS from Domain Controllers, or the Group Policy Preference (GPP) files.\nOnce attackers obtain valid credentials, they use them to move throughout a target network with ease, discovering new systems and identifying assets of interest. Credentials obtained in this manner typically include those of privileged users, which may provide access to more sensitive information and system operations.\nThe detection searches in this Analytic Story monitor access to the Local Security Authority Subsystem Service (LSASS) process, the usage of shadowcopies for credential dumping and some other techniques for credential dumping.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1078.003", "mitre_attack_technique": "Local Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT32", "FIN10", "FIN7", "HAFNIUM", "Kimsuky", "PROMETHIUM", "Tropic Trooper", "Turla"]}, {"mitre_attack_id": "T1552.001", "mitre_attack_technique": "Credentials In Files", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "FIN13", "Fox Kitten", "Kimsuky", "Leafminer", "MuddyWater", "OilRig", "Scattered Spider", "TA505", "TeamTNT"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1003.003", "mitre_attack_technique": "NTDS", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "HAFNIUM", "Ke3chang", "LAPSUS$", "Mustang Panda", "Sandworm Team", "Scattered Spider", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1003.006", "mitre_attack_technique": "DCSync", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Earth Lusca", "LAPSUS$"]}], "mitre_attack_tactics": ["Credential Access", "Initial Access", "Defense Evasion", "Persistence", "Execution", "Privilege Escalation"], "datamodels": ["Endpoint", "Authentication", "Change"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation"]}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Dump LSASS via procdump Rename - Rule", "ESCU - Unsigned Image Loaded by LSASS - Rule", "ESCU - Access LSASS Memory for Dump Creation - Rule", "ESCU - Attempted Credential Dump From Registry via Reg exe - Rule", "ESCU - Create Remote Thread into LSASS - Rule", "ESCU - Creation of lsass Dump with Taskmgr - Rule", "ESCU - Creation of Shadow Copy - Rule", "ESCU - Creation of Shadow Copy with wmic and powershell - Rule", "ESCU - Credential Dumping via Copy Command from Shadow Copy - Rule", "ESCU - Credential Dumping via Symlink to Shadow Copy - Rule", "ESCU - Detect Copy of ShadowCopy with Script Block Logging - Rule", "ESCU - Detect Credential Dumping through LSASS access - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Dump LSASS via procdump - Rule", "ESCU - Enable WDigest UseLogonCredential Registry - Rule", "ESCU - Esentutl SAM Copy - Rule", "ESCU - Extraction of Registry Hives - Rule", "ESCU - Ntdsutil Export NTDS - Rule", "ESCU - Potential password in username - Rule", "ESCU - SAM Database File Access Attempt - Rule", "ESCU - SecretDumps Offline NTDS Dumping Tool - Rule", "ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule", "ESCU - Windows AD Replication Request Initiated by User Account - Rule", "ESCU - Windows AD Replication Request Initiated from Unsanctioned Location - Rule", "ESCU - Windows Credential Dumping LSASS Memory Createdump - Rule", "ESCU - Windows Hunting System Account Targeting Lsass - Rule", "ESCU - Windows Mimikatz Binary Execution - Rule", "ESCU - Windows Non-System Account Targeting Lsass - Rule", "ESCU - Windows Possible Credential Dumping - Rule"], "investigation_names": ["Investigate Failed Logins for Multiple Destinations", "Investigate Pass the Hash Attempts", "Investigate Pass the Ticket Attempts", "Investigate Previous Unseen User"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Dump LSASS via procdump Rename", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "LSASS Memory"}]}, {"name": "Unsigned Image Loaded by LSASS", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}]}, {"name": "Access LSASS Memory for Dump Creation", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Attempted Credential Dump From Registry via Reg exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Create Remote Thread into LSASS", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Creation of lsass Dump with Taskmgr", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Creation of Shadow Copy", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Creation of Shadow Copy with wmic and powershell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Credential Dumping via Copy Command from Shadow Copy", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Credential Dumping via Symlink to Shadow Copy", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Detect Copy of ShadowCopy with Script Block Logging", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Detect Credential Dumping through LSASS access", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Dump LSASS via procdump", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Enable WDigest UseLogonCredential Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Esentutl SAM Copy", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Extraction of Registry Hives", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Ntdsutil Export NTDS", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Potential password in username", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Local Accounts"}, {"mitre_attack_technique": "Credentials In Files"}]}, {"name": "SAM Database File Access Attempt", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "SecretDumps Offline NTDS Dumping Tool", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Windows AD Replication Request Initiated by User Account", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "DCSync"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Windows AD Replication Request Initiated from Unsanctioned Location", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "DCSync"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Windows Credential Dumping LSASS Memory Createdump", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}]}, {"name": "Windows Hunting System Account Targeting Lsass", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Windows Mimikatz Binary Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Windows Non-System Account Targeting Lsass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Windows Possible Credential Dumping", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}]}, {"name": "CrushFTP Vulnerabilities", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 1, "id": "933df821-3b75-4669-a58a-e85d2cd7b9b0", "description": "CVE-2024-4040 identifies a critical server-side template injection vulnerability in all versions of CrushFTP prior to 10.7.1 and 11.1.0, allowing unauthenticated remote attackers to execute arbitrary code, bypass authentication, and access files outside of the VFS Sandbox.", "references": ["https://github.com/airbus-cert/CVE-2024-4040", "https://www.bleepingcomputer.com/news/security/crushftp-warns-users-to-patch-exploited-zero-day-immediately/"], "narrative": "CVE-2024-4040 exposes a severe server-side template injection vulnerability in all versions of CrushFTP prior to 10.7.1 and 11.1.0. This critical flaw allows unauthenticated remote attackers to execute arbitrary code, bypass authentication mechanisms, and access files outside of the VFS Sandbox. The vulnerability was urgently addressed by CrushFTP with a patch after it was actively exploited in the wild, highlighting the necessity for immediate updates to secure server environments. Users operating behind a DMZ are reported to have an additional layer of protection against this exploit. The discovery and subsequent reporting of this vulnerability by Simon Garrelou of Airbus CERT prompted a swift response from CrushFTP, underscoring the critical nature of the flaw and the potential risks associated with delayed patching. This incident serves as a stark reminder of the importance of maintaining up-to-date software to defend against evolving cybersecurity threats.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - CrushFTP Server Side Template Injection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "CrushFTP Server Side Template Injection", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}]}, {"name": "CVE-2022-40684 Fortinet Appliance Auth bypass", "author": "Michael Haag, Splunk", "date": "2022-10-14", "version": 1, "id": "55721831-577e-41be-beef-bdc03c81486a", "description": "Fortinet recently patched a critical authentication bypass vulnerability in their FortiOS, FortiProxy, and FortiSwitchManager projects CVE-2022-40684.", "references": ["https://www.wordfence.com/blog/2022/10/threat-advisory-cve-2022-40684-fortinet-appliance-auth-bypass/", "https://www.horizon3.ai/fortios-fortiproxy-and-fortiswitchmanager-authentication-bypass-technical-deep-dive-cve-2022-40684/", "https://github.com/horizon3ai/CVE-2022-40684", "https://attackerkb.com/topics/QWOxGIKkGx/cve-2022-40684/rapid7-analysis", "https://www.greynoise.io/blog/fortios-authentication-bypass"], "narrative": "FortiOS exposes a management web portal that allows a user configure the system. Additionally, a user can SSH into the system which exposes a locked down CLI interface. Any HTTP requests to the management interface of the system that match the conditions above should be cause for concern. An attacker can use this vulnerability to do just about anything they want to the vulnerable system. This includes changing network configurations, adding new users, and initiating packet captures. Note that this is not the only way to exploit this vulnerability and there may be other sets of conditions that work. For instance, a modified version of this exploit uses the User-Agent Node.js. This exploit seems to follow a trend among recently discovered enterprise software vulnerabilities where HTTP headers are improperly validated or overly trusted. (ref Horizon3.ai)", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Fortinet Appliance Auth bypass - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Fortinet Appliance Auth bypass", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}]}, {"name": "CVE-2023-21716 Word RTF Heap Corruption", "author": "Michael Haag, Splunk", "date": "2023-03-10", "version": 1, "id": "b1aeaf2c-8496-42e7-b2f7-15c328bc75d9", "description": "A proof-of-concept for CVE-2023-21716, a critical vulnerability in Microsoft Word that allows remote code execution utilizing a heap corruption in rich text files.", "references": ["https://www.bleepingcomputer.com/news/security/proof-of-concept-released-for-critical-microsoft-word-rce-bug/"], "narrative": "This analytic story covers content that will assist organizations in identifying potential RTF RCE abuse on endpoints. The vulnerability was assigned a 9.8 out of 10 severity score, with Microsoft addressing it in the February Patch Tuesday security updates along with a couple of workarounds. Security researcher Joshua Drake last year discovered the vulnerability in Microsoft Office''s \"wwlib.dll\" and sent Microsoft a technical advisory containing proof-of-concept (PoC) code showing the issue is exploitable. A remote attacker could potentially take advantage of the issue to execute code with the same privileges as the victim that opens a malicious .RTF document. Delivering the malicious file to a victim can be as easy as an attachment to an email, although plenty of other methods exist. Microsoft warns that users don''t have to open a malicious RTF document and simply loading the file in the Preview Pane is enough for the compromise to start. (BleepingComputer, 2023)", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - Office Application Drop Executable - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Winword Spawning Cmd - Rule", "ESCU - Winword Spawning PowerShell - Rule", "ESCU - Winword Spawning Windows Script Host - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Office Application Drop Executable", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Winword Spawning Cmd", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Winword Spawning PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Winword Spawning Windows Script Host", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}]}, {"name": "CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server", "author": "Michael Haag, Splunk", "date": "2023-10-04", "version": 1, "id": "ead8eb10-9e7c-4a07-a44c-c6e73997a1a3", "description": "On October 4, 2023, Atlassian disclosed a critical privilege escalation vulnerability, CVE-2023-22515, affecting on-premises instances of Confluence Server and Confluence Data Center. This flaw might allow external attackers to exploit accessible Confluence instances, creating unauthorized Confluence administrator accounts. Indicators suggest the vulnerability is remotely exploitable. The affected versions range from 8.0.0 to 8.5.1, but versions prior to 8.0.0 and Atlassian Cloud sites are unaffected. Atlassian advises customers to update to a fixed version or implement mitigation strategies. Indicators of compromise (IoCs) and mitigation steps, such as blocking access to /setup/* endpoints, are provided.", "references": ["https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html", "https://www.rapid7.com/blog/post/2023/10/04/etr-cve-2023-22515-zero-day-privilege-escalation-in-confluence-server-and-data-center/"], "narrative": "Upon Atlassian's disclosure of CVE-2023-22515, there's an immediate need to assess the threat landscape of on-premises Confluence installations. As the vulnerability affects privilege escalation and may be exploited remotely, SIEM solutions should be poised to detect potential threats.\nBy monitoring for specific indicators of compromise, security teams can get ahead of any potential breaches. Key indicators include unexpected members in the 'confluence-administrator' group, newly created user accounts, and specific HTTP requests to /setup/*.action endpoints. Any unusual spikes or patterns associated with these indicators might signify an ongoing or attempted exploitation.\nFurthermore, an audit trail of past logs is essential. Analyzing older logs might uncover any unnoticed exploitation, allowing for a post-incident analysis and ensuring affected systems are patched or isolated. An alert mechanism should be established for any access or changes related to /setup/* endpoints.\nIn parallel, updating the affected Confluence Server and Data Center versions to the fixed releases is paramount. If immediate updates aren't feasible, interim mitigation measures, such as blocking external network access to /setup/*, should be implemented, and logs around this activity should be monitored.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Web"], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - Confluence CVE-2023-22515 Trigger Vulnerability - Rule", "ESCU - Confluence Data Center and Server Privilege Escalation - Rule", "ESCU - Web Remote ShellServlet Access - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Confluence CVE-2023-22515 Trigger Vulnerability", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}, {"name": "Confluence Data Center and Server Privilege Escalation", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}, {"name": "Web Remote ShellServlet Access", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}]}, {"name": "CVE-2023-23397 Outlook Elevation of Privilege", "author": "Michael Haag, Splunk", "date": "2023-03-15", "version": 1, "id": "b459911b-551f-480f-a402-18cf89ca1e9c", "description": "Microsoft has released CVE-2023-23397 to address the critical elevation of privilege (EoP) vulnerability affecting Microsoft Outlook for Windows.", "references": ["https://twitter.com/ACEResponder/status/1636116096506818562?s=20", "https://twitter.com/domchell/status/1635999068282408962?s=20", "https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/", "https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/"], "narrative": "Microsoft Threat Intelligence discovered limited, targeted abuse of a vulnerability in Microsoft Outlook for Windows that allows for new technology LAN manager (NTLM) credential theft. Microsoft has released CVE-2023-23397 to address the critical elevation of privilege (EoP) vulnerability affecting Microsoft Outlook for Windows. We strongly recommend all customers update Microsoft Outlook for Windows to remain secure. CVE-2023-23397 is a critical EoP vulnerability in Microsoft Outlook that is triggered when an attacker sends a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server. No user interaction is required. The connection to the remote SMB server sends the user''s NTLM negotiation message, which the attacker can then relay for authentication against other systems that support NTLM authentication. Online services such as Microsoft 365 do not support NTLM authentication and are not vulnerable to being attacked by these messages. (2023, Microsoft)", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}], "mitre_attack_tactics": ["Exfiltration"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives"]}, "detection_names": ["ESCU - Windows Rundll32 WebDAV Request - Rule", "ESCU - Windows Rundll32 WebDav With Network Connection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Rundll32 WebDAV Request", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}, {"name": "Windows Rundll32 WebDav With Network Connection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}]}, {"name": "CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "author": "Michael Haag, Splunk", "date": "2023-07-11", "version": 1, "id": "dd7fb691-63d6-47ad-9a7f-1b9005cefad2", "description": "CVE-2023-36884 is an unpatched zero-day vulnerability affecting Windows and Microsoft Office products. The vulnerability allows for remote code execution through specially crafted Microsoft Office documents, enabling an attacker to operate in the context of the victim. As of now, there are no security updates available. However, users of Microsoft Defender for Office and the \"Block all Office applications from creating child processes\" Attack Surface Reduction Rule are safeguarded against this exploit. For other users, temporary mitigation can be achieved by adding specific application names to a designated registry key.", "references": ["https://gist.github.com/MHaggis/22ad19081300493e70ce0b873e98b2d0", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884", "https://www.bleepingcomputer.com/news/microsoft/microsoft-july-2023-patch-tuesday-warns-of-6-zero-days-132-flaws/", "https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/"], "narrative": "CVE-2023-36884 is a serious security vulnerability that affects a range of Microsoft Office products and Windows systems. It is a zero-day flaw, meaning it was already being exploited before Microsoft became aware of it or had a chance to develop a patch.\nAn attacker exploiting this vulnerability would create a Microsoft Office document containing malicious code. This document, when opened by the victim, allows for remote code execution, giving the attacker the ability to run their own code on the victim's machine. This poses a significant risk as the attacker could perform actions like data theft, system damage, or creating backdoors for future access.\nCurrently, there is no security patch available from Microsoft, which makes the issue more critical. Microsoft is working on investigating these vulnerabilities and will likely provide a security update either through their monthly release cycle or an out-of-cycle update, based on the urgency.\nIn the meantime, users of Microsoft Defender for Office and those utilizing the \"Block all Office applications from creating child processes\" Attack Surface Reduction Rule are protected from attempts to exploit this vulnerability. This is because these protections add an extra layer of security, blocking the malicious code from executing.\nFor users who are not using these protections, Microsoft recommends a workaround by adding specific application names to a particular Windows registry key (HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION) with data set as \"1\". This action aims to mitigate the risk until a permanent fix is available.\nThe disclosure of this flaw involved multiple entities including Microsoft Threat Intelligence, Vlad Stolyarov, Clement Lecigne and Bahare Sabouri from Google's Threat Analysis Group (TAG), Paul Rascagneres and Tom Lancaster from Volexity, and the Microsoft Office Product Group Security Team. This collective effort indicates the severity and importance of addressing this issue.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - MSHTML Module Load in Office Product - Rule", "ESCU - Office Document Spawned Child Process To Download - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Office Product Spawning BITSAdmin - Rule", "ESCU - Office Product Spawning CertUtil - Rule", "ESCU - Office Product Spawning MSHTA - Rule", "ESCU - Office Product Spawning Rundll32 with no DLL - Rule", "ESCU - Office Product Spawning Windows Script Host - Rule", "ESCU - Office Product Spawning Wmic - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "MSHTML Module Load in Office Product", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Document Spawned Child Process To Download", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawning BITSAdmin", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawning CertUtil", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawning MSHTA", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawning Rundll32 with no DLL", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawning Windows Script Host", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawning Wmic", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}]}, {"name": "Cyclops Blink", "author": "Teoderick Contreras, Splunk", "date": "2024-03-14", "version": 2, "id": "7c75b1c8-dfff-46f1-8250-e58df91b6fd9", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the cyclopsblink malware including firewall modification, spawning more process, botnet c2 communication, defense evasion and etc. Cyclops Blink is a Linux ELF executable compiled for 32-bit x86 and PowerPC architecture that has targeted several network devices. The complete list of targeted devices is unknown at this time, but WatchGuard FireBox has specifically been listed as a target. The modular malware consists of core components and modules that are deployed as child processes using the Linux API fork. At this point, four modules have been identified that download and upload files, gather system information and contain updating mechanisms for the malware itself. Additional modules can be downloaded and executed from the Command And Control (C2) server.", "references": ["https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf", "https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html"], "narrative": "Adversaries may use this technique to maximize the impact on the target organization in operations where network wide availability interruption is the goal.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT", "ToddyCat"]}, {"mitre_attack_id": "T1036.004", "mitre_attack_technique": "Masquerade Task or Service", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT41", "BITTER", "BackdoorDiplomacy", "Carbanak", "FIN13", "FIN6", "FIN7", "Fox Kitten", "Higaisa", "Kimsuky", "Lazarus Group", "Magic Hound", "Naikon", "PROMETHIUM", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Linux Iptables Firewall Modification - Rule", "ESCU - Linux Kworker Process In Writable Process Path - Rule", "ESCU - Linux Stdout Redirection To Dev Null File - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Linux Iptables Firewall Modification", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Linux Kworker Process In Writable Process Path", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Masquerade Task or Service"}, {"mitre_attack_technique": "Masquerading"}]}, {"name": "Linux Stdout Redirection To Dev Null File", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}]}, {"name": "DarkCrystal RAT", "author": "Teoderick Contreras, Splunk", "date": "2022-07-26", "version": 1, "id": "639e6006-0885-4847-9394-ddc2902629bf", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the DcRat malware including ddos, spawning more process, botnet c2 communication, defense evasion and etc. The DcRat malware is known commercial backdoor that was first released in 2018. This tool was sold in underground forum and known to be one of the cheapest commercial RATs. DcRat is modular and bespoke plugin framework make it a very flexible option, helpful for a range of nefearious uses.", "references": ["https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor", "https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat"], "narrative": "Adversaries may use this technique to maximize the impact on the target organization in operations where network wide availability interruption is the goal.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1590", "mitre_attack_technique": "Gather Victim Network Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["HAFNIUM"]}, {"mitre_attack_id": "T1124", "mitre_attack_technique": "System Time Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Darkhotel", "Higaisa", "Lazarus Group", "Sidewinder", "The White Company", "Turla", "ZIRCONIUM"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1592.001", "mitre_attack_technique": "Hardware", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "APT5", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1590.005", "mitre_attack_technique": "IP Addresses", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["Andariel", "HAFNIUM", "Magic Hound"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}], "mitre_attack_tactics": ["Command And Control", "Initial Access", "Reconnaissance", "Persistence", "Privilege Escalation", "Execution", "Impact", "Discovery", "Defense Evasion"], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": ["Command and Control", "Reconnaissance", "Delivery", "Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Any Powershell DownloadFile - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Windows Command Shell DCRat ForkBomb Payload - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows Gather Victim Host Information Camera - Rule", "ESCU - Windows Gather Victim Network Info Through Ip Check Web Services - Rule", "ESCU - Windows High File Deletion Frequency - Rule", "ESCU - Windows Ingress Tool Transfer Using Explorer - Rule", "ESCU - Windows System LogOff Commandline - Rule", "ESCU - Windows System Reboot CommandLine - Rule", "ESCU - Windows System Shutdown CommandLine - Rule", "ESCU - Windows System Time Discovery W32tm Delay - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule", "ESCU - Winword Spawning Cmd - Rule", "ESCU - Winword Spawning PowerShell - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}, {"name": "Malicious PowerShell Process - Execution Policy Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Windows Command Shell DCRat ForkBomb Payload", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "System Network Connections Discovery"}, {"mitre_attack_technique": "System Owner/User Discovery"}, {"mitre_attack_technique": "System Shutdown/Reboot"}, {"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows Gather Victim Host Information Camera", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Hardware"}, {"mitre_attack_technique": "Gather Victim Host Information"}]}, {"name": "Windows Gather Victim Network Info Through Ip Check Web Services", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "IP Addresses"}, {"mitre_attack_technique": "Gather Victim Network Information"}]}, {"name": "Windows High File Deletion Frequency", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Windows Ingress Tool Transfer Using Explorer", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Windows System LogOff Commandline", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Shutdown/Reboot"}]}, {"name": "Windows System Reboot CommandLine", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Shutdown/Reboot"}]}, {"name": "Windows System Shutdown CommandLine", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Shutdown/Reboot"}]}, {"name": "Windows System Time Discovery W32tm Delay", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Time Discovery"}]}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Scheduled Task"}]}, {"name": "Winword Spawning Cmd", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Winword Spawning PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}]}, {"name": "DarkGate Malware", "author": "Michael Haag, Splunk", "date": "2023-10-31", "version": 1, "id": "a4727b27-9e68-48f0-94a2-253cfb30c15d", "description": "Telekom Security CTI has uncovered a new phishing-driven malware campaign distributing DarkGate malware. This campaign utilizes stolen email threads to trick users into downloading malicious payloads via hyperlinks. An initial false link to Emotet stirred the security community, but deeper analysis confirmed its true identity as DarkGate, with characteristics like AutoIt scripts and a known command-and-control protocol. This report by Fabian Marquardt details the intricate infection mechanisms, including MSI and VBS file deliveries, sophisticated evasion techniques, and a robust configuration extraction method surpassing current standards. The single developer behind DarkGate, active on cybercrime forums, has shifted the malware's use from private to a rent-out model, implying an expected rise in its deployment. Researchers have also developed a decryption technique for the DarkGate malware, which aids in static analysis and detection, though it requires careful validation to avoid false positives.", "references": ["https://github.security.telekom.com/2023/08/darkgate-loader.html", "https://redcanary.com/blog/intelligence-insights-october-2023"], "narrative": "Telekom Security CTi has recently put a spotlight on the proliferation of DarkGate malware via a sophisticated malspam campaign, initially mistaken for the notorious Emotet malware. The campaign smartly manipulates stolen email conversations, embedding hyperlinks that, once clicked, activate a malware download. Fabian Marquardt's analysis traces the infection's footprint, revealing a dual delivery mechanism through MSI and VBS files. These files, cloaked in legitimate wrappers or obscured with junk code, ultimately download the malware via embedded scripts.\nMarquardt delves into the AutoIt script-based infection, uncovering the calculated use of compiled scripts and base64-encoded data to disguise the execution of malicious shellcode. The subsequent stages of infection exhibit the malware's capability to evade detection, leveraging memory allocation techniques to bypass security measures. Marquardt also explores the loader's function, which decrypts further malicious payloads by interacting with the script's encoded components.\nThe analytical narrative captures a cross-section of the cybersecurity landscape, reflecting the shift in DarkGate's operational strategy from exclusive use by the developer to a broader dissemination through a Malware-as-a-Service (MaaS) model. This transition suggests an anticipated escalation in DarkGate-related attacks.\nSignificantly, the report contributes to cybersecurity defenses by outlining a more effective method for extracting malware configurations, providing the community with the means to anticipate and mitigate the evolving threats posed by this pernicious malware. With the insights gained, researchers and security professionals are better equipped to adapt their strategies, constructing more robust defenses against the sophisticated tactics employed by DarkGate and similar malware strains.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "APT5", "Dragonfly", "FIN13", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT", "Wizard Spider"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider", "Scattered Spider"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}, {"mitre_attack_id": "T1218.009", "mitre_attack_technique": "Regsvcs/Regasm", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "APT5", "Akira", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN13", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "Malteiro", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1218.007", "mitre_attack_technique": "Msiexec", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Machete", "Molerats", "Rancor", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1070.005", "mitre_attack_technique": "Network Share Connection Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Threat Group-3390"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1059.007", "mitre_attack_technique": "JavaScript", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "Cobalt Group", "Earth Lusca", "Ember Bear", "Evilnum", "FIN6", "FIN7", "Higaisa", "Indrik Spider", "Kimsuky", "LazyScripter", "Leafminer", "Molerats", "MoustachedBouncer", "MuddyWater", "Sidewinder", "Silence", "TA505", "Turla"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1134.002", "mitre_attack_technique": "Create Process with Token", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Lazarus Group", "Turla"]}, {"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "APT41", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "Volt Typhoon", "ZIRCONIUM"]}, {"mitre_attack_id": "T1531", "mitre_attack_technique": "Account Access Removal", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Akira", "LAPSUS$"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "APT41", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Malteiro", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1021.006", "mitre_attack_technique": "Windows Remote Management", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Chimera", "FIN13", "Threat Group-3390", "Wizard Spider"]}], "mitre_attack_tactics": ["Discovery", "Credential Access", "Lateral Movement", "Initial Access", "Collection", "Persistence", "Privilege Escalation", "Impact", "Execution", "Defense Evasion"], "datamodels": ["Endpoint", "Authentication"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Create local admin accounts using net exe - Rule", "ESCU - Create or delete windows shares using net exe - Rule", "ESCU - Delete ShadowCopy With PowerShell - Rule", "ESCU - Deleting Of Net Users - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Regasm Spawning a Process - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Execution of File with Multiple Extensions - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - Powershell Remote Services Add TrustedHost - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - Windows Access Token Manipulation SeDebugPrivilege - Rule", "ESCU - Windows Archive Collected Data via Rar - Rule", "ESCU - Windows AutoIt3 Execution - Rule", "ESCU - Windows CAB File on Disk - Rule", "ESCU - Windows Credentials from Password Stores Chrome Extension Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule", "ESCU - Windows Credentials from Password Stores Creation - Rule", "ESCU - Windows Credentials from Password Stores Deletion - Rule", "ESCU - Windows Credentials from Password Stores Query - Rule", "ESCU - Windows Indicator Removal Via Rmdir - Rule", "ESCU - Windows Modify Registry AuthenticationLevelOverride - Rule", "ESCU - Windows Modify Registry DisableRemoteDesktopAntiAlias - Rule", "ESCU - Windows Modify Registry DisableSecuritySettings - Rule", "ESCU - Windows Modify Registry DontShowUI - Rule", "ESCU - Windows Modify Registry ProxyEnable - Rule", "ESCU - Windows Modify Registry ProxyServer - Rule", "ESCU - Windows MSIExec Spawn WinDBG - Rule", "ESCU - Windows System Reboot CommandLine - Rule", "ESCU - Windows System Shutdown CommandLine - Rule", "ESCU - Windows WinDBG Spawning AutoIt3 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}, {"name": "Create local admin accounts using net exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}, {"name": "Create or delete windows shares using net exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Network Share Connection Removal"}]}, {"name": "Delete ShadowCopy With PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Deleting Of Net Users", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Access Removal"}]}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}, {"name": "Detect Regasm Spawning a Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Execution of File with Multiple Extensions", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "PowerShell 4104 Hunting", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Powershell Remote Services Add TrustedHost", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Remote Management"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "System Processes Run From Unexpected Locations", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}, {"name": "Windows Access Token Manipulation SeDebugPrivilege", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Create Process with Token"}, {"mitre_attack_technique": "Access Token Manipulation"}]}, {"name": "Windows Archive Collected Data via Rar", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}, {"name": "Windows AutoIt3 Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows CAB File on Disk", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Windows Credentials from Password Stores Chrome Extension Access", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Credentials from Password Stores Chrome LocalState Access", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Credentials from Password Stores Chrome Login Data Access", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Credentials from Password Stores Creation", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}]}, {"name": "Windows Credentials from Password Stores Deletion", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}]}, {"name": "Windows Credentials from Password Stores Query", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}]}, {"name": "Windows Indicator Removal Via Rmdir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Windows Modify Registry AuthenticationLevelOverride", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry DisableRemoteDesktopAntiAlias", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry DisableSecuritySettings", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry DontShowUI", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry ProxyEnable", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry ProxyServer", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows MSIExec Spawn WinDBG", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Msiexec"}]}, {"name": "Windows System Reboot CommandLine", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Shutdown/Reboot"}]}, {"name": "Windows System Shutdown CommandLine", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Shutdown/Reboot"}]}, {"name": "Windows WinDBG Spawning AutoIt3", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}]}, {"name": "DarkSide Ransomware", "author": "Bhavin Patel, Splunk", "date": "2021-05-12", "version": 1, "id": "507edc74-13d5-4339-878e-b9114ded1f35", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the DarkSide Ransomware", "references": ["https://www.splunk.com/en_us/blog/security/the-darkside-of-the-ransomware-pipeline.htmlbig-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/", "https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations"], "narrative": "This story addresses Darkside ransomware. This ransomware payload has many similarities to common ransomware however there are certain items particular to it. The creation of a .TXT log that shows every item being encrypted as well as the creation of ransomware notes and files adding a machine ID created based on CRC32 checksum algorithm. This ransomware payload leaves machines in minimal operation level,enough to browse the attackers websites. A customized URI with leaked information is presented to each victim.This is the ransomware payload that shut down the Colonial pipeline. The story is composed of several detection searches covering similar items to other ransomware payloads and those particular to Darkside payload.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1020", "mitre_attack_technique": "Automated Exfiltration", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["Gamaredon Group", "Ke3chang", "Sidewinder", "Tropic Trooper"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1197", "mitre_attack_technique": "BITS Jobs", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": ["APT39", "APT41", "Leviathan", "Patchwork", "Wizard Spider"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1218.003", "mitre_attack_technique": "CMSTP", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group", "MuddyWater"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "Akira", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "Scattered Spider", "TA505"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Lateral Movement", "Exfiltration", "Persistence", "Privilege Escalation", "Impact", "Execution", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Command and Control", "Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Attempted Credential Dump From Registry via Reg exe - Rule", "ESCU - BITSAdmin Download File - Rule", "ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - CertUtil Download With VerifyCtl and Split Arguments - Rule", "ESCU - CMLUA Or CMSTPLUA UAC Bypass - Rule", "ESCU - Cobalt Strike Named Pipes - Rule", "ESCU - Delete ShadowCopy With PowerShell - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect RClone Command-Line Usage - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Detect Renamed RClone - Rule", "ESCU - Extraction of Registry Hives - Rule", "ESCU - Ransomware Notes bulk creation - Rule", "ESCU - SLUI RunAs Elevated - Rule", "ESCU - SLUI Spawning a Process - Rule", "ESCU - Windows Possible Credential Dumping - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Attempted Credential Dump From Registry via Reg exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "BITSAdmin Download File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "BITS Jobs"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "CertUtil Download With VerifyCtl and Split Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "CMLUA Or CMSTPLUA UAC Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "CMSTP"}]}, {"name": "Cobalt Strike Named Pipes", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Delete ShadowCopy With PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}, {"name": "Detect RClone Command-Line Usage", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Automated Exfiltration"}]}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Detect Renamed RClone", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Automated Exfiltration"}]}, {"name": "Extraction of Registry Hives", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Ransomware Notes bulk creation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}, {"name": "SLUI RunAs Elevated", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "SLUI Spawning a Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Windows Possible Credential Dumping", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}]}, {"name": "Data Destruction", "author": "Teoderick Contreras, Splunk", "date": "2023-04-06", "version": 1, "id": "4ae5c0d1-cebd-47d1-bfce-71bf096e38aa", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the data destruction, including deleting files, overwriting files, wiping disk and unrecoverable file encryption. This analytic story may cover several known activities related to malware implants used in geo-political war to wipe disks or files to interrupt the network-wide operation of a targeted organization. Analytics can detect the behavior of \"DoubleZero Destructor\", \"CaddyWiper\", \"AcidRain\", \"AwfulShred\", \"Hermetic Wiper\", \"Swift Slicer\", \"Whisper Gate\" and many more.", "references": ["https://attack.mitre.org/techniques/T1485/", "https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/", "https://www.picussecurity.com/blog/a-brief-history-and-further-technical-analysis-of-sodinokibi-ransomware", "https://www.splunk.com/en_us/blog/security/threat-advisory-strt-ta02-destructive-software.html", "https://www.splunk.com/en_us/blog/security/detecting-hermeticwiper.html", "https://www.splunk.com/en_us/blog/security/threat-update-doublezero-destructor.html", "https://www.splunk.com/en_us/blog/security/threat-update-caddywiper.html", "https://www.splunk.com/en_us/blog/security/strt-ta03-cpe-destructive-software.html", "https://www.splunk.com/en_us/blog/security/threat-update-cyclopsblink.html", "https://www.splunk.com/en_us/blog/security/threat-update-acidrain-wiper.html", "https://www.splunk.com/en_us/blog/security/threat-update-industroyer2.html", "https://www.splunk.com/en_us/blog/security/threat-advisory-swiftslicer-wiper-strt-ta03.html"], "narrative": "Adversaries may partially or completely overwrite the contents of a storage device rendering the data irrecoverable through the storage interface or using 3rd party drivers to directly access disk content like Master Boot Record to wipe it. Some of these attacks were seen in geo-political war to impair the operation of targeted organizations or to interrupt network-wide services.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1037", "mitre_attack_technique": "Boot or Logon Initialization Scripts", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "Rocke"]}, {"mitre_attack_id": "T1546.008", "mitre_attack_technique": "Accessibility Features", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT3", "APT41", "Axiom", "Deep Panda", "Fox Kitten"]}, {"mitre_attack_id": "T1546.012", "mitre_attack_technique": "Image File Execution Options Injection", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1561.002", "mitre_attack_technique": "Disk Structure Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Cinnamon Tempest", "Earth Lusca", "FIN13", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1497.003", "mitre_attack_technique": "Time Based Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1037.001", "mitre_attack_technique": "Logon Script (Windows)", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "Cobalt Group"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546.002", "mitre_attack_technique": "Screensaver", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.003", "mitre_attack_technique": "Time Providers", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}, {"mitre_attack_id": "T1134.001", "mitre_attack_technique": "Token Impersonation/Theft", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "FIN8"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1053.003", "mitre_attack_technique": "Cron", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT38", "APT5", "Rocke"]}, {"mitre_attack_id": "T1200", "mitre_attack_technique": "Hardware Additions", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["DarkVishnya"]}, {"mitre_attack_id": "T1497", "mitre_attack_technique": "Virtualization/Sandbox Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": ["Darkhotel"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1588.002", "mitre_attack_technique": "Tool", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT19", "APT28", "APT29", "APT32", "APT33", "APT38", "APT39", "APT41", "Aoqin Dragon", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Carbanak", "Chimera", "Cinnamon Tempest", "Cleaver", "Cobalt Group", "CopyKittens", "DarkHydrus", "DarkVishnya", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN5", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "GALLIUM", "Gorgon Group", "HEXANE", "Inception", "IndigoZebra", "Ke3chang", "Kimsuky", "LAPSUS$", "Lazarus Group", "Leafminer", "LuminousMoth", "Magic Hound", "Metador", "Moses Staff", "MuddyWater", "POLONIUM", "Patchwork", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "TA2541", "TA505", "Threat Group-3390", "Thrip", "Turla", "Volt Typhoon", "WIRTE", "Whitefly", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1561", "mitre_attack_technique": "Disk Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.014", "mitre_attack_technique": "Active Setup", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1562.006", "mitre_attack_technique": "Indicator Blocking", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT41", "APT5"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1027.005", "mitre_attack_technique": "Indicator Removal from Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT3", "Deep Panda", "GALLIUM", "OilRig", "Patchwork", "Turla"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1218.014", "mitre_attack_technique": "MMC", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "APT5", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1547.012", "mitre_attack_technique": "Print Processors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059.004", "mitre_attack_technique": "Unix Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT41", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT41", "BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Scattered Spider", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1053.006", "mitre_attack_technique": "Systemd Timers", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT", "ToddyCat"]}, {"mitre_attack_id": "T1021.006", "mitre_attack_technique": "Windows Remote Management", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Chimera", "FIN13", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1546.015", "mitre_attack_technique": "Component Object Model Hijacking", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1059.005", "mitre_attack_technique": "Visual Basic", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT33", "APT37", "APT38", "APT39", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Earth Lusca", "FIN13", "FIN4", "FIN7", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "Transparent Tribe", "Turla", "WIRTE", "Windshift"]}], "mitre_attack_tactics": ["Resource Development", "Command And Control", "Credential Access", "Initial Access", "Lateral Movement", "Reconnaissance", "Persistence", "Execution", "Privilege Escalation", "Impact", "Discovery", "Defense Evasion"], "datamodels": ["Email", "Endpoint"], "kill_chain_phases": ["Command and Control", "Reconnaissance", "Delivery", "Weaponization", "Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Email Attachments With Lots Of Spaces - Rule", "ESCU - Suspicious Email Attachment Extensions - Rule", "ESCU - Active Setup Registry Autostart - Rule", "ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - AdsiSearcher Account Discovery - Rule", "ESCU - Any Powershell DownloadFile - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - Attempted Credential Dump From Registry via Reg exe - Rule", "ESCU - Change Default File Association - Rule", "ESCU - Child Processes of Spoolsv exe - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Detect Empire with PowerShell Script Block Logging - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Excessive File Deletion In WinDefender Folder - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Kerberoasting spn request with RC4 encryption - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux Data Destruction Command - Rule", "ESCU - Linux DD File Overwrite - Rule", "ESCU - Linux Deleting Critical Directory Using RM Command - Rule", "ESCU - Linux Deletion Of Cron Jobs - Rule", "ESCU - Linux Deletion Of Init Daemon Script - Rule", "ESCU - Linux Deletion Of Services - Rule", "ESCU - Linux Disable Services - Rule", "ESCU - Linux Hardware Addition SwapOff - Rule", "ESCU - Linux High Frequency Of File Deletion In Boot Folder - Rule", "ESCU - Linux High Frequency Of File Deletion In Etc Folder - Rule", "ESCU - Linux Impair Defenses Process Kill - Rule", "ESCU - Linux Indicator Removal Clear Cache - Rule", "ESCU - Linux Indicator Removal Service File Deletion - Rule", "ESCU - Linux Java Spawning Shell - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Shred Overwrite Command - Rule", "ESCU - Linux Stdout Redirection To Dev Null File - Rule", "ESCU - Linux Stop Services - Rule", "ESCU - Linux System Network Discovery - Rule", "ESCU - Linux System Reboot Via System Request Key - Rule", "ESCU - Linux Unix Shell Enable All SysRq Functions - Rule", "ESCU - Logon Script Event Trigger Execution - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Malicious PowerShell Process With Obfuscation Techniques - Rule", "ESCU - MSI Module Loaded by Non-System Binary - Rule", "ESCU - Overwriting Accessibility Binaries - Rule", "ESCU - Ping Sleep Batch Command - Rule", "ESCU - Possible Lateral Movement PowerShell Spawn - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - PowerShell Domain Enumeration - Rule", "ESCU - Powershell Enable SMB1Protocol Feature - Rule", "ESCU - Powershell Execute COM Object - Rule", "ESCU - Powershell Fileless Process Injection via GetProcAddress - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Powershell Processing Stream Of Data - Rule", "ESCU - Powershell Remove Windows Defender Directory - Rule", "ESCU - Powershell Using memory As Backing Store - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Print Processor Registry Autostart - Rule", "ESCU - Process Deleting Its Process File Path - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Runas Execution in CommandLine - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Screensaver Event Trigger Execution - Rule", "ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule", "ESCU - Suspicious Process DNS Query Known Abuse Web Services - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Process With Discord DNS Query - Rule", "ESCU - Time Provider Persistence Registry - Rule", "ESCU - Unloading AMSI via Reflection - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows Data Destruction Recursive Exec Files Deletion - Rule", "ESCU - Windows Deleted Registry By A Non Critical Process File Path - Rule", "ESCU - Windows Disable Memory Crash Dump - Rule", "ESCU - Windows DotNet Binary in Non Standard Path - Rule", "ESCU - Windows File Without Extension In Critical Folder - Rule", "ESCU - Windows Hidden Schedule Task Settings - Rule", "ESCU - Windows High File Deletion Frequency - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows Linked Policies In ADSI Discovery - Rule", "ESCU - Windows Modify Show Compress Color And Info Tip Registry - Rule", "ESCU - Windows NirSoft AdvancedRun - Rule", "ESCU - Windows NirSoft Utilities - Rule", "ESCU - Windows Processes Killed By Industroyer2 Malware - Rule", "ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - Windows Root Domain linked policies Discovery - Rule", "ESCU - Windows Terminating Lsass Process - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule", "ESCU - WMI Recon Running Process Or Services - Rule", "ESCU - Wscript Or Cscript Suspicious Child Process - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Email Attachments With Lots Of Spaces", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Suspicious Email Attachment Extensions", "source": "application", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}, {"name": "Active Setup Registry Autostart", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Active Setup"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Add or Set Windows Defender Exclusion", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "AdsiSearcher Account Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Attempt To Stop Security Service", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Attempted Credential Dump From Registry via Reg exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Change Default File Association", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Change Default File Association"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Child Processes of Spoolsv exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Detect Empire with PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "ETW Registry Disabled", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Blocking"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Excessive File Deletion In WinDefender Folder", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Kerberoasting spn request with RC4 encryption", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}]}, {"name": "Linux Adding Crontab Using List Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Data Destruction Command", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Linux DD File Overwrite", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Linux Deleting Critical Directory Using RM Command", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Linux Deletion Of Cron Jobs", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Linux Deletion Of Init Daemon Script", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Linux Deletion Of Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Linux Disable Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Service Stop"}]}, {"name": "Linux Hardware Addition SwapOff", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Hardware Additions"}]}, {"name": "Linux High Frequency Of File Deletion In Boot Folder", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Linux High Frequency Of File Deletion In Etc Folder", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Linux Impair Defenses Process Kill", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Linux Indicator Removal Clear Cache", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Linux Indicator Removal Service File Deletion", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Linux Java Spawning Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Linux Service Restarted", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Shred Overwrite Command", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Linux Stdout Redirection To Dev Null File", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Linux Stop Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Service Stop"}]}, {"name": "Linux System Network Discovery", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Network Configuration Discovery"}]}, {"name": "Linux System Reboot Via System Request Key", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Shutdown/Reboot"}]}, {"name": "Linux Unix Shell Enable All SysRq Functions", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Unix Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Logon Script Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Boot or Logon Initialization Scripts"}, {"mitre_attack_technique": "Logon Script (Windows)"}]}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}, {"name": "Malicious PowerShell Process With Obfuscation Techniques", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "MSI Module Loaded by Non-System Binary", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "Overwriting Accessibility Binaries", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "Accessibility Features"}]}, {"name": "Ping Sleep Batch Command", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Virtualization/Sandbox Evasion"}, {"mitre_attack_technique": "Time Based Evasion"}]}, {"name": "Possible Lateral Movement PowerShell Spawn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Remote Management"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "MMC"}]}, {"name": "PowerShell 4104 Hunting", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "PowerShell Domain Enumeration", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Powershell Enable SMB1Protocol Feature", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "Indicator Removal from Tools"}]}, {"name": "Powershell Execute COM Object", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Component Object Model Hijacking"}, {"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Powershell Fileless Process Injection via GetProcAddress", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "PowerShell Loading DotNET into Memory via Reflection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Powershell Processing Stream Of Data", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Powershell Remove Windows Defender Directory", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Powershell Using memory As Backing Store", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Print Processor Registry Autostart", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Process Deleting Its Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Gather Victim Host Information"}]}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Gather Victim Host Information"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Registry Keys Used For Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Image File Execution Options Injection"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Regsvr32 Silent and Install Param Dll Loading", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}, {"name": "Runas Execution in CommandLine", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Access Token Manipulation"}, {"mitre_attack_technique": "Token Impersonation/Theft"}]}, {"name": "Schtasks Run Task On Demand", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Screensaver Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "Screensaver"}]}, {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Suspicious Process DNS Query Known Abuse Web Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Visual Basic"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Suspicious Process With Discord DNS Query", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Visual Basic"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Time Provider Persistence Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Time Providers"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Unloading AMSI via Reflection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}, {"name": "Windows Data Destruction Recursive Exec Files Deletion", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Windows Deleted Registry By A Non Critical Process File Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Disable Memory Crash Dump", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Windows DotNet Binary in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}, {"name": "Windows File Without Extension In Critical Folder", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Windows Hidden Schedule Task Settings", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Windows High File Deletion Frequency", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}, {"name": "Windows Linked Policies In ADSI Discovery", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Windows Modify Show Compress Color And Info Tip Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows NirSoft AdvancedRun", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Tool"}]}, {"name": "Windows NirSoft Utilities", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Tool"}]}, {"name": "Windows Processes Killed By Industroyer2 Malware", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Service Stop"}]}, {"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}, {"name": "Windows Root Domain linked policies Discovery", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Windows Terminating Lsass Process", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Scheduled Task"}]}, {"name": "WMI Recon Running Process Or Services", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Gather Victim Host Information"}]}, {"name": "Wscript Or Cscript Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Parent PID Spoofing"}, {"mitre_attack_technique": "Access Token Manipulation"}]}]}, {"name": "Data Exfiltration", "author": "Bhavin Patel, Shannon Davis, Splunk", "date": "2023-05-17", "version": 2, "id": "66b0fe0c-1351-11eb-adc1-0242ac120002", "description": "Data exfiltration refers to the unauthorized transfer or extraction of sensitive or valuable data from a compromised system or network during a cyber attack. It is a critical phase in many targeted attacks, where adversaries aim to steal confidential information, such as intellectual property, financial records, personal data, or trade secrets.", "references": ["https://attack.mitre.org/tactics/TA0010/", "https://bleemb.medium.com/data-exfiltration-with-native-aws-s3-features-c94ae4d13436", "https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-277a"], "narrative": "This Analytic Story supports you to detect Tactics, Techniques and Procedures (TTPs) leveraged by adversaries to exfiltrate data from your environments. Exfiltration comes in many flavors and its done differently on every environment. Adversaries can collect data over encrypted or non-encrypted channels. They can utilise Command And Control channels that are already in place to exfiltrate data. They can use both standard data transfer protocols such as FTP, SCP, etc to exfiltrate data. Or they can use non-standard protocols such as DNS, ICMP, etc with specially crafted fields to try and circumvent security technologies in place.\nTechniques for getting data out of a target network typically include transferring it over their command and control channel or an alternate channel and may also include putting size limits on the transmission. In context of the cloud, this refers to the unauthorized transfer or extraction of sensitive data from cloud-based systems or services. It involves the compromise of cloud infrastructure or accounts to gain access to valuable information stored in the cloud environment. Attackers may employ various techniques, such as exploiting vulnerabilities, stealing login credentials, or using malicious code to exfiltrate data from cloud repositories or services without detection.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1119", "mitre_attack_technique": "Automated Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "Chimera", "Confucius", "FIN5", "FIN6", "Gamaredon Group", "Ke3chang", "Mustang Panda", "OilRig", "Patchwork", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1114", "mitre_attack_technique": "Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Magic Hound", "Silent Librarian"]}, {"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1568.002", "mitre_attack_technique": "Domain Generation Algorithms", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "TA551"]}, {"mitre_attack_id": "T1041", "mitre_attack_technique": "Exfiltration Over C2 Channel", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Chimera", "Confucius", "GALLIUM", "Gamaredon Group", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "LuminousMoth", "MuddyWater", "Sandworm Team", "Stealth Falcon", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1567", "mitre_attack_technique": "Exfiltration Over Web Service", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT28", "Magic Hound"]}, {"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1537", "mitre_attack_technique": "Transfer Data to Cloud Account", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1114.003", "mitre_attack_technique": "Email Forwarding Rule", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Kimsuky", "LAPSUS$", "Silent Librarian"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1114.001", "mitre_attack_technique": "Local Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "Chimera", "Magic Hound"]}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Initial Access", "Collection", "Exfiltration", "Impact"], "datamodels": ["Network_Resolution", "Endpoint", "Risk", "Web"], "kill_chain_phases": ["Delivery", "Exploitation", "Actions on Objectives", "Command and Control"]}, "detection_names": ["ESCU - AWS AMI Attribute Modification for Exfiltration - Rule", "ESCU - AWS Disable Bucket Versioning - Rule", "ESCU - AWS EC2 Snapshot Shared Externally - Rule", "ESCU - AWS Exfiltration via Anomalous GetObject API Activity - Rule", "ESCU - AWS Exfiltration via Batch Service - Rule", "ESCU - AWS Exfiltration via Bucket Replication - Rule", "ESCU - AWS Exfiltration via DataSync Task - Rule", "ESCU - AWS Exfiltration via EC2 Snapshot - Rule", "ESCU - AWS S3 Exfiltration Behavior Identified - Rule", "ESCU - Gdrive suspicious file sharing - Rule", "ESCU - O365 PST export alert - Rule", "ESCU - O365 Suspicious Admin Email Forwarding - Rule", "ESCU - O365 Suspicious User Email Forwarding - Rule", "ESCU - Detect Certipy File Modifications - Rule", "ESCU - DNS Exfiltration Using Nslookup App - Rule", "ESCU - Excessive Usage of NSLOOKUP App - Rule", "ESCU - Linux Curl Upload File - Rule", "ESCU - Mailsniper Invoke functions - Rule", "ESCU - Detect DGA domains using pretrained model in DSDL - Rule", "ESCU - Detect SNICat SNI Exfiltration - Rule", "ESCU - High Volume of Bytes Out to Url - Rule", "ESCU - Multiple Archive Files Http Post Traffic - Rule", "ESCU - Plain HTTP POST Exfiltrated Data - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Shannon Davis, Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "AWS AMI Attribute Modification for Exfiltration", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}, {"name": "AWS Disable Bucket Versioning", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "AWS EC2 Snapshot Shared Externally", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}, {"name": "AWS Exfiltration via Anomalous GetObject API Activity", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Automated Collection"}]}, {"name": "AWS Exfiltration via Batch Service", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Automated Collection"}]}, {"name": "AWS Exfiltration via Bucket Replication", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}, {"name": "AWS Exfiltration via DataSync Task", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Automated Collection"}]}, {"name": "AWS Exfiltration via EC2 Snapshot", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}, {"name": "AWS S3 Exfiltration Behavior Identified", "source": "cloud", "type": "Correlation", "tags": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}, {"name": "Gdrive suspicious file sharing", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Phishing"}]}, {"name": "O365 PST export alert", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Email Collection"}]}, {"name": "O365 Suspicious Admin Email Forwarding", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Email Forwarding Rule"}, {"mitre_attack_technique": "Email Collection"}]}, {"name": "O365 Suspicious User Email Forwarding", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Email Forwarding Rule"}, {"mitre_attack_technique": "Email Collection"}]}, {"name": "Detect Certipy File Modifications", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}, {"mitre_attack_technique": "Archive Collected Data"}]}, {"name": "DNS Exfiltration Using Nslookup App", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}, {"name": "Excessive Usage of NSLOOKUP App", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}, {"name": "Linux Curl Upload File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Mailsniper Invoke functions", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Email Collection"}, {"mitre_attack_technique": "Local Email Collection"}]}, {"name": "Detect DGA domains using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Domain Generation Algorithms"}]}, {"name": "Detect SNICat SNI Exfiltration", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over C2 Channel"}]}, {"name": "High Volume of Bytes Out to Url", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exfiltration Over Web Service"}]}, {"name": "Multiple Archive Files Http Post Traffic", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}, {"name": "Plain HTTP POST Exfiltrated Data", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}]}, {"name": "Data Protection", "author": "Bhavin Patel, Splunk", "date": "2017-09-14", "version": 1, "id": "91c676cf-0b23-438d-abee-f6335e1fce33", "description": "Fortify your data-protection arsenal--while continuing to ensure data confidentiality and integrity--with searches that monitor for and help you investigate possible signs of data exfiltration.", "references": ["https://www.cisecurity.org/controls/data-protection/", "https://www.sans.org/reading-room/whitepapers/dns/splunk-detect-dns-tunneling-37022", "https://umbrella.cisco.com/blog/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/"], "narrative": "Attackers can leverage a variety of resources to compromise or exfiltrate enterprise data. Common exfiltration techniques include remote-access channels via low-risk, high-payoff active-collections operations and close-access operations using insiders and removable media. While this Analytic Story is not a comprehensive listing of all the methods by which attackers can exfiltrate data, it provides a useful starting point.", "tags": {"category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}], "mitre_attack_tactics": ["Exfiltration"], "datamodels": ["Change_Analysis", "Change", "Network_Resolution"], "kill_chain_phases": ["Actions on Objectives"]}, "detection_names": ["ESCU - Detect USB device insertion - Rule", "ESCU - Detection of DNS Tunnels - Rule", "ESCU - Detect hosts connecting to dynamic domain providers - Rule"], "investigation_names": ["Get DNS Server History for a host", "Get DNS traffic ratio", "Get Notable History", "Get Process Info", "Get Process Responsible For The DNS Traffic"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect USB device insertion", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Detection of DNS Tunnels", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}, {"name": "Detect hosts connecting to dynamic domain providers", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Drive-by Compromise"}]}]}, {"name": "Deobfuscate-Decode Files or Information", "author": "Michael Haag, Splunk", "date": "2021-03-24", "version": 1, "id": "0bd01a54-8cbe-11eb-abcd-acde48001122", "description": "Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis.", "references": ["https://attack.mitre.org/techniques/T1140/"], "narrative": "An example of obfuscated files is `Certutil.exe` usage to encode a portable executable to a certificate file, which is base64 encoded, to hide the originating file. There are many utilities cross-platform to encode using XOR, using compressed .cab files to hide contents and scripting languages that may perform similar native Windows tasks. Triaging an event related will require the capability to review related process events and file modifications. Using a tool such as CyberChef will assist with identifying the encoding that was used, and potentially assist with decoding the contents.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - CertUtil With Decode Argument - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "CertUtil With Decode Argument", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Deobfuscate/Decode Files or Information"}]}]}, {"name": "AWS Cryptomining", "author": "David Dorsey, Splunk", "date": "2018-03-08", "version": 1, "id": "ced74200-8465-4bc3-bd2c-9a782eec6750", "description": "Monitor your AWS EC2 instances for activities related to cryptojacking/cryptomining. New instances that originate from previously unseen regions, users who launch abnormally high numbers of instances, or EC2 instances started by previously unseen users are just a few examples of potentially malicious behavior.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "narrative": "Cryptomining is an intentionally difficult, resource-intensive business. Its complexity was designed into the process to ensure that the number of blocks mined each day would remain steady. So, it's par for the course that ambitious, but unscrupulous, miners make amassing the computing power of large enterprises--a practice known as cryptojacking--a top priority.\nCryptojacking has attracted an increasing amount of media attention since its explosion in popularity in the fall of 2017. The attacks have moved from in-browser exploits and mobile phones to enterprise cloud services, such as Amazon Web Services (AWS). It's difficult to determine exactly how widespread the practice has become, since bad actors continually evolve their ability to escape detection, including employing unlisted endpoints, moderating their CPU usage, and hiding the mining pool's IP address behind a free CDN.\nWhen malicious miners appropriate a cloud instance, often spinning up hundreds of new instances, the costs can become astronomical for the account holder. So, it is critically important to monitor your systems for suspicious activities that could indicate that your network has been infiltrated.\nThis Analytic Story is focused on detecting suspicious new instances in your EC2 environment to help prevent such a disaster. It contains detection searches that will detect when a previously unused instance type or AMI is used. It also contains support searches to build lookup files to ensure proper execution of the detection searches.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Privilege Escalation", "Persistence", "Defense Evasion", "Initial Access"], "datamodels": [], "kill_chain_phases": ["Delivery", "Installation", "Exploitation"]}, "detection_names": ["ESCU - Abnormally High AWS Instances Launched by User - Rule", "ESCU - Abnormally High AWS Instances Launched by User - MLTK - Rule", "ESCU - EC2 Instance Started In Previously Unseen Region - Rule", "ESCU - EC2 Instance Started With Previously Unseen AMI - Rule", "ESCU - EC2 Instance Started With Previously Unseen Instance Type - Rule", "ESCU - EC2 Instance Started With Previously Unseen User - Rule"], "investigation_names": ["AWS Investigate User Activities By ARN", "Get EC2 Instance Details by instanceId", "Get EC2 Launch Details", "Get Logon Rights Modifications For Endpoint", "Get Logon Rights Modifications For User", "Get Notable History", "Investigate AWS activities via region name"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Abnormally High AWS Instances Launched by User", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Accounts"}]}, {"name": "Abnormally High AWS Instances Launched by User - MLTK", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Accounts"}]}, {"name": "EC2 Instance Started In Previously Unseen Region", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}, {"name": "EC2 Instance Started With Previously Unseen AMI", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "EC2 Instance Started With Previously Unseen Instance Type", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "EC2 Instance Started With Previously Unseen User", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Accounts"}]}]}, {"name": "AWS Suspicious Provisioning Activities", "author": "David Dorsey, Splunk", "date": "2018-03-16", "version": 1, "id": "3338b567-3804-4261-9889-cf0ca4753c7f", "description": "Monitor your AWS provisioning activities for behaviors originating from unfamiliar or unusual locations. These behaviors may indicate that malicious activities are occurring somewhere within your network.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "narrative": "Because most enterprise AWS activities originate from familiar geographic locations, monitoring for activity from unknown or unusual regions is an important security measure. This indicator can be especially useful in environments where it is impossible to add specific IPs to an allow list because they vary.\nThis Analytic Story was designed to provide you with flexibility in the precision you employ in specifying legitimate geographic regions. It can be as specific as an IP address or a city, or as broad as a region (think state) or an entire country. By determining how precise you want your geographical locations to be and monitoring for new locations that haven't previously accessed your environment, you can detect adversaries as they begin to probe your environment. Since there are legitimate reasons for activities from unfamiliar locations, this is not a standalone indicator. Nevertheless, location can be a relevant piece of information that you may wish to investigate further.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": [], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - AWS Cloud Provisioning From Previously Unseen City - Rule", "ESCU - AWS Cloud Provisioning From Previously Unseen Country - Rule", "ESCU - AWS Cloud Provisioning From Previously Unseen IP Address - Rule", "ESCU - AWS Cloud Provisioning From Previously Unseen Region - Rule"], "investigation_names": ["AWS Investigate Security Hub alerts by dest", "AWS Investigate User Activities By ARN", "Get All AWS Activity From City", "Get All AWS Activity From Country", "Get All AWS Activity From IP Address", "Get All AWS Activity From Region"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "AWS Cloud Provisioning From Previously Unseen City", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}, {"name": "AWS Cloud Provisioning From Previously Unseen Country", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}, {"name": "AWS Cloud Provisioning From Previously Unseen IP Address", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "AWS Cloud Provisioning From Previously Unseen Region", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}]}, {"name": "Common Phishing Frameworks", "author": "Splunk Research Team, Splunk", "date": "2019-04-29", "version": 1, "id": "9a64ab44-9214-4639-8163-7eaa2621bd61", "description": "Detect DNS and web requests to fake websites generated by the EvilGinx2 toolkit. These websites are designed to fool unwitting users who have clicked on a malicious link in a phishing email. ", "references": ["https://github.com/kgretzky/evilginx2", "https://attack.mitre.org/techniques/T1192/", "https://breakdev.org/evilginx-advanced-phishing-with-two-factor-authentication-bypass/"], "narrative": "As most people know, these emails use fraudulent domains, [email scraping](https://www.cyberscoop.com/emotet-trojan-phishing-scraping-templates-cofense-geodo/), familiar contact names inserted as senders, and other tactics to lure targets into clicking a malicious link, opening an attachment with a [nefarious payload](https://www.cyberscoop.com/emotet-trojan-phishing-scraping-templates-cofense-geodo/), or entering sensitive personal information that perpetrators may intercept. This attack technique requires a relatively low level of skill and allows adversaries to easily cast a wide net. Because phishing is a technique that relies on human psychology, you will never be able to eliminate this vulnerability 100%. But you can use automated detection to significantly reduce the risks.\nThis Analytic Story focuses on detecting signs of MiTM attacks enabled by [EvilGinx2](https://github.com/kgretzky/evilginx2), a toolkit that sets up a transparent proxy between the targeted site and the user. In this way, the attacker is able to intercept credentials and two-factor identification tokens. It employs a proxy template to allow a registered domain to impersonate targeted sites, such as Linkedin, Amazon, Okta, Github, Twitter, Instagram, Reddit, Office 365, and others. It can even register SSL certificates and camouflage them via a URL shortener, making them difficult to detect. Searches in this story look for signs of MiTM attacks enabled by EvilGinx2.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect DNS requests to Phishing Sites leveraging EvilGinx2 - Rule"], "investigation_names": ["Get Certificate logs for a domain"], "baseline_names": [], "author_company": "Splunk", "author_name": "Splunk Research Team", "detections": [{"name": "Detect DNS requests to Phishing Sites leveraging EvilGinx2", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Spearphishing via Service"}]}]}, {"name": "Container Implantation Monitoring and Investigation", "author": "Rod Soto, Rico Valdez, Splunk", "date": "2020-02-20", "version": 1, "id": "aa0e28b1-0521-4b6f-9d2a-7b87e34af246", "description": "Use the searches in this story to monitor your Kubernetes registry repositories for upload, and deployment of potentially vulnerable, backdoor, or implanted containers. These searches provide information on source users, destination path, container names and repository names. The searches provide context to address Mitre T1525 which refers to container implantation upload to a company's repository either in Amazon Elastic Container Registry, Google Container Registry and Azure Container Registry.", "references": ["https://github.com/splunk/cloud-datamodel-security-research"], "narrative": "Container Registrys provide a way for organizations to keep customized images of their development and infrastructure environment in private. However if these repositories are misconfigured or priviledge users credentials are compromise, attackers can potentially upload implanted containers which can be deployed across the organization. These searches allow operator to monitor who, when and what was uploaded to container registry.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": [], "investigation_names": [], "baseline_names": [], "author_company": "Rico Valdez, Splunk", "author_name": "Rod Soto", "detections": []}, {"name": "Host Redirection", "author": "Rico Valdez, Splunk", "date": "2017-09-14", "version": 1, "id": "2e8948a5-5239-406b-b56b-6c50fe268af4", "description": "Detect evidence of tactics used to redirect traffic from a host to a destination other than the one intended--potentially one that is part of an adversary's attack infrastructure. An example is redirecting communications regarding patches and updates or misleading users into visiting a malicious website.", "references": ["https://blog.malwarebytes.com/cybercrime/2016/09/hosts-file-hijacks/"], "narrative": "Attackers will often attempt to manipulate client communications for nefarious purposes. In some cases, an attacker may endeavor to modify a local host file to redirect communications with resources (such as antivirus or system-update services) to prevent clients from receiving patches or updates. In other cases, an attacker might use this tactic to have the client connect to a site that looks like the intended site, but instead installs malware or collects information from the victim. Additionally, an attacker may redirect a victim in order to execute a MITM attack and observe communications.", "tags": {"category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1071.004", "mitre_attack_technique": "DNS", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT39", "APT41", "Chimera", "Cobalt Group", "FIN7", "Ke3chang", "LazyScripter", "OilRig", "Tropic Trooper"]}], "mitre_attack_tactics": ["Exfiltration", "Command And Control"], "datamodels": ["Network_Resolution"], "kill_chain_phases": ["Command and Control", "Actions on Objectives"]}, "detection_names": ["ESCU - Clients Connecting to Multiple DNS Servers - Rule", "ESCU - DNS Query Requests Resolved by Unauthorized DNS Servers - Rule", "ESCU - Windows hosts file modification - Rule"], "investigation_names": ["Get DNS Server History for a host", "Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Clients Connecting to Multiple DNS Servers", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}, {"name": "DNS Query Requests Resolved by Unauthorized DNS Servers", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "DNS"}]}, {"name": "Windows hosts file modification", "source": "deprecated", "type": "TTP", "tags": []}]}, {"name": "Kubernetes Sensitive Role Activity", "author": "Rod Soto, Splunk", "date": "2020-05-20", "version": 1, "id": "8b3984d2-17b6-47e9-ba43-a3376e70fdcc", "description": "This story addresses detection and response around Sensitive Role usage within a Kubernetes clusters against cluster resources and namespaces.", "references": ["https://www.splunk.com/en_us/blog/security/approaching-kubernetes-security-detecting-kubernetes-scan-with-splunk.html"], "narrative": "Kubernetes is the most used container orchestration platform, this orchestration platform contains sensitive roles within its architecture, specifically configmaps and secrets, if accessed by an attacker can lead to further compromise. These searches allow operator to detect suspicious requests against Kubernetes role activities", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Kubernetes AWS detect most active service accounts by pod - Rule", "ESCU - Kubernetes AWS detect RBAC authorization by account - Rule", "ESCU - Kubernetes AWS detect sensitive role access - Rule", "ESCU - Kubernetes Azure active service accounts by pod namespace - Rule", "ESCU - Kubernetes Azure detect RBAC authorization by account - Rule", "ESCU - Kubernetes Azure detect sensitive role access - Rule", "ESCU - Kubernetes GCP detect most active service accounts by pod - Rule", "ESCU - Kubernetes GCP detect RBAC authorizations by account - Rule", "ESCU - Kubernetes GCP detect sensitive role access - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rod Soto", "detections": [{"name": "Kubernetes AWS detect most active service accounts by pod", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes AWS detect RBAC authorization by account", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes AWS detect sensitive role access", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes Azure active service accounts by pod namespace", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes Azure detect RBAC authorization by account", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes Azure detect sensitive role access", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes GCP detect most active service accounts by pod", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes GCP detect RBAC authorizations by account", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes GCP detect sensitive role access", "source": "deprecated", "type": "Hunting", "tags": []}]}, {"name": "Lateral Movement", "author": "David Dorsey, Splunk", "date": "2020-02-04", "version": 2, "id": "399d65dc-1f08-499b-a259-abd9051f38ad", "description": " DEPRECATED IN FAVOR OF ACTIVE DIRECTORY LATERAL MOVEMENT. Detect and investigate tactics, techniques, and procedures around how attackers move laterally within the enterprise. Because lateral movement can expose the adversary to detection, it should be an important focus for security analysts.", "references": ["https://www.fireeye.com/blog/executive-perspective/2015/08/malware_lateral_move.html"], "narrative": "Once attackers gain a foothold within an enterprise, they will seek to expand their accesses and leverage techniques that facilitate lateral movement. Attackers will often spend quite a bit of time and effort moving laterally. Because lateral movement renders an attacker the most vulnerable to detection, it's an excellent focus for detection and investigation. Indications of lateral movement can include the abuse of system utilities (such as `psexec.exe`), unauthorized use of remote desktop services, `file/admin$` shares, WMI, PowerShell, pass-the-hash, or the abuse of scheduled tasks. Organizations must be extra vigilant in detecting lateral movement techniques and look for suspicious activity in and around high-value strategic network assets, such as Active Directory, which are often considered the primary target or \"crown jewels\" to a persistent threat actor. An adversary can use lateral movement for multiple purposes, including remote execution of tools, pivoting to additional systems, obtaining access to specific information or files, access to additional credentials, exfiltrating data, or delivering a secondary effect. Adversaries may use legitimate credentials alongside inherent network and operating-system functionality to remotely connect to other systems and remain under the radar of network defenders. If there is evidence of lateral movement, it is imperative for analysts to collect evidence of the associated offending hosts. For example, an attacker might leverage host A to gain access to host B. From there, the attacker may try to move laterally to host C. In this example, the analyst should gather as much information as possible from all three hosts. It is also important to collect authentication logs for each host, to ensure that the offending accounts are well-documented. Analysts should account for all processes to ensure that the attackers did not install unauthorized software.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": [], "investigation_names": ["Get History Of Email Sources", "Get Notable History", "Get Parent Process Info", "Get Process Info", "Get Process Information For Port Activity"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": []}, {"name": "Monitor Backup Solution", "author": "David Dorsey, Splunk", "date": "2017-09-12", "version": 1, "id": "abe807c7-1eb6-4304-ac32-6e7aacdb891d", "description": "Address common concerns when monitoring your backup processes. These searches can help you reduce risks from ransomware, device theft, or denial of physical access to a host by backing up data on endpoints.", "references": ["https://www.carbonblack.com/2016/03/04/tracking-locky-ransomware-using-carbon-black/"], "narrative": "Having backups is a standard best practice that helps ensure continuity of business operations. Having mature backup processes can also help you reduce the risks of many security-related incidents and streamline your response processes. The detection searches in this Analytic Story will help you identify systems that have backup failures, as well as systems that have not been backed up for an extended period of time. The story will also return the notable event history and all of the backup logs for an endpoint.", "tags": {"category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Compliance", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Extended Period Without Successful Netbackup Backups - Rule", "ESCU - Unsuccessful Netbackup backups - Rule"], "investigation_names": ["All backup logs for host", "Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Extended Period Without Successful Netbackup Backups", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Unsuccessful Netbackup backups", "source": "deprecated", "type": "Hunting", "tags": []}]}, {"name": "Monitor for Unauthorized Software", "author": "David Dorsey, Splunk", "date": "2017-09-15", "version": 1, "id": "8892a655-6205-43f7-abba-06460e38c8ae", "description": "Identify and investigate prohibited/unauthorized software or processes that may be concealing malicious behavior within your environment. ", "references": ["https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"], "narrative": "It is critical to identify unauthorized software and processes running on enterprise endpoints and determine whether they are likely to be malicious. This Analytic Story requires the user to populate the Interesting Processes table within Enterprise Security with prohibited processes. An included support search will augment this data, adding information on processes thought to be malicious. This search requires data from endpoint detection-and-response solutions, endpoint data sources (such as Sysmon), or Windows Event Logs--assuming that the Active Directory administrator has enabled process tracking within the System Event Audit Logs.\nIt is important to investigate any software identified as suspicious, in order to understand how it was installed or executed. Analyzing authentication logs or any historic notable events might elicit additional investigative leads of interest. For best results, schedule the search to run every two weeks. ", "tags": {"category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Compliance", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Prohibited Software On Endpoint - Rule", "ESCU - Attacker Tools On Endpoint - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Prohibited Software On Endpoint", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Attacker Tools On Endpoint", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Match Legitimate Name or Location"}, {"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "Active Scanning"}]}]}, {"name": "Office 365 Detections", "author": "Patrick Bareiss, Mauricio Velazco, Splunk", "date": "2020-12-16", "version": 2, "id": "1a51dd71-effc-48b2-abc4-3e9cdb61e5b9", "description": "Monitor for activities and anomalies indicative of potential threats within Office 365 environments.", "references": ["https://i.blackhat.com/USA-20/Thursday/us-20-Bienstock-My-Cloud-Is-APTs-Cloud-Investigating-And-Defending-Office-365.pdf", "https://attack.mitre.org/matrices/enterprise/cloud/office365/", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-120a"], "narrative": "Office 365 (O365) is Microsoft's cloud-based suite of productivity tools, encompassing email, collaboration platforms, and office applications, all integrated with Azure Active Directory for identity and access management. Given the centralized storage of sensitive organizational data within O365 and its widespread adoption, it has become a focal point for cybersecurity efforts. The platform's complexity, combined with its ubiquity, makes it both a valuable asset and a prime target for potential threats. As O365's importance grows, it increasingly becomes a target for attackers seeking to exploit organizational data and systems. Security teams should prioritize monitoring O365 not just because of the sensitive data it often holds, but also due to the myriad ways the platform can be exploited. Understanding and monitoring O365's security landscape is crucial for organizations to detect, respond to, and mitigate potential threats in a timely manner.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": [], "investigation_names": [], "baseline_names": [], "author_company": "Mauricio Velazco, Splunk", "author_name": "Patrick Bareiss", "detections": []}, {"name": "Spectre And Meltdown Vulnerabilities", "author": "David Dorsey, Splunk", "date": "2018-01-08", "version": 1, "id": "6d3306f6-bb2b-4219-8609-8efad64032f2", "description": "Assess and mitigate your systems' vulnerability to Spectre and Meltdown exploitation with the searches in this Analytic Story.", "references": ["https://meltdownattack.com/"], "narrative": "Meltdown and Spectre exploit critical vulnerabilities in modern CPUs that allow unintended access to data in memory. This Analytic Story will help you identify the systems can be patched for these vulnerabilities, as well as those that still need to be patched.", "tags": {"category": ["Vulnerability"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Spectre and Meltdown Vulnerable Systems - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Spectre and Meltdown Vulnerable Systems", "source": "deprecated", "type": "TTP", "tags": []}]}, {"name": "Suspicious AWS EC2 Activities", "author": "Bhavin Patel, Splunk", "date": "2018-02-09", "version": 1, "id": "2e8948a5-5239-406b-b56b-6c50f1268af3", "description": "Use the searches in this Analytic Story to monitor your AWS EC2 instances for evidence of anomalous activity and suspicious behaviors, such as EC2 instances that originate from unusual locations or those launched by previously unseen users (among others). Included investigative searches will help you probe more deeply, when the information warrants it.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "narrative": "AWS CloudTrail is an AWS service that helps you enable governance, compliance, and risk auditing within your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. It is crucial for a company to monitor events and actions taken in the AWS Console, AWS command-line interface, and AWS SDKs and APIs to ensure that your EC2 instances are not vulnerable to attacks. This Analytic Story identifies suspicious activities in your AWS EC2 instances and helps you respond and investigate those activities.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Privilege Escalation", "Persistence", "Defense Evasion", "Initial Access"], "datamodels": [], "kill_chain_phases": ["Delivery", "Installation", "Exploitation"]}, "detection_names": ["ESCU - Abnormally High AWS Instances Launched by User - Rule", "ESCU - Abnormally High AWS Instances Launched by User - MLTK - Rule", "ESCU - Abnormally High AWS Instances Terminated by User - Rule", "ESCU - Abnormally High AWS Instances Terminated by User - MLTK - Rule", "ESCU - EC2 Instance Started In Previously Unseen Region - Rule", "ESCU - EC2 Instance Started With Previously Unseen User - Rule"], "investigation_names": ["AWS Investigate Security Hub alerts by dest", "AWS Investigate User Activities By ARN", "Get EC2 Instance Details by instanceId", "Get EC2 Launch Details", "Get Notable History", "Investigate AWS activities via region name"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Abnormally High AWS Instances Launched by User", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Accounts"}]}, {"name": "Abnormally High AWS Instances Launched by User - MLTK", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Accounts"}]}, {"name": "Abnormally High AWS Instances Terminated by User", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Accounts"}]}, {"name": "Abnormally High AWS Instances Terminated by User - MLTK", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Accounts"}]}, {"name": "EC2 Instance Started In Previously Unseen Region", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}, {"name": "EC2 Instance Started With Previously Unseen User", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Accounts"}]}]}, {"name": "Unusual AWS EC2 Modifications", "author": "David Dorsey, Splunk", "date": "2018-04-09", "version": 1, "id": "73de57ef-0dfc-411f-b1e7-fa24428aeae0", "description": "Identify unusual changes to your AWS EC2 instances that may indicate malicious activity. Modifications to your EC2 instances by previously unseen users is an example of an activity that may warrant further investigation.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "narrative": "A common attack technique is to infiltrate a cloud instance and make modifications. The adversary can then secure access to your infrastructure or hide their activities. So it's important to stay alert to changes that may indicate that your environment has been compromised.\nSearches within this Analytic Story can help you detect the presence of a threat by monitoring for EC2 instances that have been created or changed--either by users that have never previously performed these activities or by known users who modify or create instances in a way that have not been done before. This story also provides investigative searches that help you go deeper once you detect suspicious behavior.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - EC2 Instance Modified With Previously Unseen User - Rule"], "investigation_names": ["AWS Investigate User Activities By ARN", "Get EC2 Instance Details by instanceId", "Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "EC2 Instance Modified With Previously Unseen User", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Accounts"}]}]}, {"name": "Web Fraud Detection", "author": "Jim Apger, Splunk", "date": "2018-10-08", "version": 1, "id": "18bb45b9-7684-45c6-9e97-1fdd0d98c0a7", "description": "Monitor your environment for activity consistent with common attack techniques bad actors use when attempting to compromise web servers or other web-related assets.", "references": ["https://www.fbi.gov/scams-and-safety/common-fraud-schemes/internet-fraud", "https://www.fbi.gov/news/stories/2017-internet-crime-report-released-050718"], "narrative": "The Federal Bureau of Investigations (FBI) defines Internet fraud as the use of Internet services or software with Internet access to defraud victims or to otherwise take advantage of them. According to the Bureau, Internet crime schemes are used to steal millions of dollars each year from victims and continue to plague the Internet through various methods. The agency includes phishing scams, data breaches, Denial of Service (DOS) attacks, email account compromise, malware, spoofing, and ransomware in this category.\nThese crimes are not the fraud itself, but rather the attack techniques commonly employed by fraudsters in their pursuit of data that enables them to commit malicious actssuch as obtaining and using stolen credit cards. They represent a serious problem that is steadily increasing and not likely to go away anytime soon.\nWhen developing a strategy for preventing fraud in your environment, its important to look across all of your web services for evidence that attackers are abusing enterprise resources to enumerate systems, harvest data for secondary fraudulent activity, or abuse terms of service.This Analytic Story looks for evidence of common Internet attack techniques that could be indicative of web fraud in your environmentincluding account harvesting, anomalous user clickspeed, and password sharing across accounts, to name just a few.\nThe account-harvesting search focuses on web pages used for user-account registration. It detects the creation of a large number of user accounts using the same email domain name, a type of activity frequently seen in advance of a fraud campaign.\nThe anomalous clickspeed search looks for users who are moving through your website at a faster-than-normal speed or with a perfect click cadence (high periodicity or low standard deviation), which could indicate that the user is a script, not an actual human.\nAnother search detects incidents wherein a single password is used across multiple accounts, which may indicate that a fraudster has infiltrated your environment and embedded a common password within a script.", "tags": {"category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Fraud Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider", "Scattered Spider"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Privilege Escalation", "Persistence", "Defense Evasion", "Initial Access"], "datamodels": [], "kill_chain_phases": ["Delivery", "Installation", "Exploitation"]}, "detection_names": ["ESCU - Web Fraud - Account Harvesting - Rule", "ESCU - Web Fraud - Anomalous User Clickspeed - Rule", "ESCU - Web Fraud - Password Sharing Across Accounts - Rule"], "investigation_names": ["Get Emails From Specific Sender", "Get Notable History", "Get Web Session Information via session id"], "baseline_names": [], "author_company": "Splunk", "author_name": "Jim Apger", "detections": [{"name": "Web Fraud - Account Harvesting", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Create Account"}]}, {"name": "Web Fraud - Anomalous User Clickspeed", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "Web Fraud - Password Sharing Across Accounts", "source": "deprecated", "type": "Anomaly", "tags": []}]}, {"name": "Detect Zerologon Attack", "author": "Rod Soto, Jose Hernandez, Stan Miskowicz, David Dorsey, Shannon Davis Splunk", "date": "2020-09-18", "version": 1, "id": "5d14a962-569e-4578-939f-f386feb63ce4", "description": "Uncover activity related to the execution of Zerologon CVE-2020-11472, a technique wherein attackers target a Microsoft Windows Domain Controller to reset its computer account password. The result from this attack is attackers can now provide themselves high privileges and take over Domain Controller. The included searches in this Analytic Story are designed to identify attempts to reset Domain Controller Computer Account via exploit code remotely or via the use of tool Mimikatz as payload carrier.", "references": ["https://attack.mitre.org/wiki/Technique/T1003", "https://github.com/SecuraBV/CVE-2020-1472", "https://www.secura.com/blog/zero-logon", "https://nvd.nist.gov/vuln/detail/CVE-2020-1472"], "narrative": "This attack is a privilege escalation technique, where attacker targets a Netlogon secure channel connection to a domain controller, using Netlogon Remote Protocol (MS-NRPC). This vulnerability exposes vulnerable Windows Domain Controllers to be targeted via unaunthenticated RPC calls which eventually reset Domain Contoller computer account ($) providing the attacker the opportunity to exfil domain controller credential secrets and assign themselve high privileges that can lead to domain controller and potentially complete network takeover. The detection searches in this Analytic Story use Windows Event viewer events and Sysmon events to detect attack execution, these searches monitor access to the Local Security Authority Subsystem Service (LSASS) process which is an indicator of the use of Mimikatz tool which has bee updated to carry this attack payload.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1210", "mitre_attack_technique": "Exploitation of Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "Dragonfly", "Earth Lusca", "FIN7", "Fox Kitten", "MuddyWater", "Threat Group-3390", "Tonto Team", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}], "mitre_attack_tactics": ["Credential Access", "Lateral Movement"], "datamodels": [], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Detect Computer Changed with Anonymous Account - Rule", "ESCU - Detect Credential Dumping through LSASS access - Rule", "ESCU - Windows Possible Credential Dumping - Rule", "ESCU - Detect Zerologon via Zeek - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Jose Hernandez, Stan Miskowicz, David Dorsey, Shannon Davis Splunk", "author_name": "Rod Soto", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Detect Computer Changed with Anonymous Account", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Exploitation of Remote Services"}]}, {"name": "Detect Credential Dumping through LSASS access", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Windows Possible Credential Dumping", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Detect Zerologon via Zeek", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}]}, {"name": "Dev Sec Ops", "author": "Patrick Bareiss, Splunk", "date": "2021-08-18", "version": 1, "id": "0ca8c38e-631e-4b81-940c-f9c5450ce41e", "description": "This story is focused around detecting attacks on a DevSecOps lifeccycle which consists of the phases plan, code, build, test, release, deploy, operate and monitor.", "references": ["https://www.redhat.com/en/topics/devops/what-is-devsecops"], "narrative": "DevSecOps is a collaborative framework, which thinks about application and infrastructure security from the start. This means that security tools are part of the continuous integration and continuous deployment pipeline. In this analytics story, we focused on detections around the tools used in this framework such as GitHub as a version control system, GDrive for the documentation, CircleCI as the CI/CD pipeline, Kubernetes as the container execution engine and multiple security tools such as Semgrep and Kube-Hunter.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1554", "mitre_attack_technique": "Compromise Host Software Binary", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT5"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1195.001", "mitre_attack_technique": "Compromise Software Dependencies and Development Tools", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1567.002", "mitre_attack_technique": "Exfiltration to Cloud Storage", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["Akira", "Chimera", "Cinnamon Tempest", "Confucius", "Earth Lusca", "FIN7", "HAFNIUM", "HEXANE", "Kimsuky", "Leviathan", "LuminousMoth", "POLONIUM", "Scattered Spider", "Threat Group-3390", "ToddyCat", "Turla", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1567", "mitre_attack_technique": "Exfiltration Over Web Service", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT28", "Magic Hound"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1212", "mitre_attack_technique": "Exploitation for Credential Access", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1526", "mitre_attack_technique": "Cloud Service Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1204.003", "mitre_attack_technique": "Malicious Image", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1195", "mitre_attack_technique": "Supply Chain Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1195.002", "mitre_attack_technique": "Compromise Software Supply Chain", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT41", "Cobalt Group", "Dragonfly", "FIN7", "GOLD SOUTHFIELD", "Sandworm Team", "Threat Group-3390"]}, {"mitre_attack_id": "T1199", "mitre_attack_technique": "Trusted Relationship", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "GOLD SOUTHFIELD", "LAPSUS$", "POLONIUM", "Sandworm Team", "Threat Group-3390", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}], "mitre_attack_tactics": ["Discovery", "Credential Access", "Initial Access", "Exfiltration", "Persistence", "Execution"], "datamodels": ["Risk"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - ASL AWS ECR Container Upload Outside Business Hours - Rule", "ESCU - ASL AWS ECR Container Upload Unknown User - Rule", "ESCU - AWS ECR Container Scanning Findings High - Rule", "ESCU - AWS ECR Container Scanning Findings Low Informational Unknown - Rule", "ESCU - AWS ECR Container Scanning Findings Medium - Rule", "ESCU - AWS ECR Container Upload Outside Business Hours - Rule", "ESCU - AWS ECR Container Upload Unknown User - Rule", "ESCU - Circle CI Disable Security Job - Rule", "ESCU - Circle CI Disable Security Step - Rule", "ESCU - GitHub Actions Disable Security Workflow - Rule", "ESCU - Github Commit Changes In Master - Rule", "ESCU - Github Commit In Develop - Rule", "ESCU - GitHub Dependabot Alert - Rule", "ESCU - GitHub Pull Request from Unknown User - Rule", "ESCU - Gsuite Drive Share In External Email - Rule", "ESCU - GSuite Email Suspicious Attachment - Rule", "ESCU - Gsuite Email Suspicious Subject With Attachment - Rule", "ESCU - Gsuite Email With Known Abuse Web Service Link - Rule", "ESCU - Gsuite Outbound Email With Attachment To External Domain - Rule", "ESCU - Gsuite Suspicious Shared File Name - Rule", "ESCU - Kubernetes Nginx Ingress LFI - Rule", "ESCU - Kubernetes Nginx Ingress RFI - Rule", "ESCU - Kubernetes Scanner Image Pulling - Rule", "ESCU - Risk Rule for Dev Sec Ops by Repository - Rule", "ESCU - Correlation by Repository and Risk - Rule", "ESCU - Correlation by User and Risk - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Patrick Bareiss", "detections": [{"name": "ASL AWS ECR Container Upload Outside Business Hours", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Malicious Image"}, {"mitre_attack_technique": "User Execution"}]}, {"name": "ASL AWS ECR Container Upload Unknown User", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Malicious Image"}, {"mitre_attack_technique": "User Execution"}]}, {"name": "AWS ECR Container Scanning Findings High", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Malicious Image"}, {"mitre_attack_technique": "User Execution"}]}, {"name": "AWS ECR Container Scanning Findings Low Informational Unknown", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Malicious Image"}, {"mitre_attack_technique": "User Execution"}]}, {"name": "AWS ECR Container Scanning Findings Medium", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Malicious Image"}, {"mitre_attack_technique": "User Execution"}]}, {"name": "AWS ECR Container Upload Outside Business Hours", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Malicious Image"}, {"mitre_attack_technique": "User Execution"}]}, {"name": "AWS ECR Container Upload Unknown User", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Malicious Image"}, {"mitre_attack_technique": "User Execution"}]}, {"name": "Circle CI Disable Security Job", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Compromise Host Software Binary"}]}, {"name": "Circle CI Disable Security Step", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Compromise Host Software Binary"}]}, {"name": "GitHub Actions Disable Security Workflow", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Compromise Software Supply Chain"}, {"mitre_attack_technique": "Supply Chain Compromise"}]}, {"name": "Github Commit Changes In Master", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Trusted Relationship"}]}, {"name": "Github Commit In Develop", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Trusted Relationship"}]}, {"name": "GitHub Dependabot Alert", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Compromise Software Dependencies and Development Tools"}, {"mitre_attack_technique": "Supply Chain Compromise"}]}, {"name": "GitHub Pull Request from Unknown User", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Compromise Software Dependencies and Development Tools"}, {"mitre_attack_technique": "Supply Chain Compromise"}]}, {"name": "Gsuite Drive Share In External Email", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exfiltration to Cloud Storage"}, {"mitre_attack_technique": "Exfiltration Over Web Service"}]}, {"name": "GSuite Email Suspicious Attachment", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}, {"name": "Gsuite Email Suspicious Subject With Attachment", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}, {"name": "Gsuite Email With Known Abuse Web Service Link", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}, {"name": "Gsuite Outbound Email With Attachment To External Domain", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}, {"name": "Gsuite Suspicious Shared File Name", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}, {"name": "Kubernetes Nginx Ingress LFI", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploitation for Credential Access"}]}, {"name": "Kubernetes Nginx Ingress RFI", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploitation for Credential Access"}]}, {"name": "Kubernetes Scanner Image Pulling", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Cloud Service Discovery"}]}, {"name": "Risk Rule for Dev Sec Ops by Repository", "source": "cloud", "type": "Correlation", "tags": [{"mitre_attack_technique": "Malicious Image"}, {"mitre_attack_technique": "User Execution"}]}, {"name": "Correlation by Repository and Risk", "source": "deprecated", "type": "Correlation", "tags": [{"mitre_attack_technique": "Malicious Image"}, {"mitre_attack_technique": "User Execution"}]}, {"name": "Correlation by User and Risk", "source": "deprecated", "type": "Correlation", "tags": [{"mitre_attack_technique": "Malicious Image"}, {"mitre_attack_technique": "User Execution"}]}]}, {"name": "DHS Report TA18-074A", "author": "Rico Valdez, Splunk", "date": "2020-01-22", "version": 2, "id": "0c016e5c-88be-4e2c-8c6c-c2b55b4fb4ef", "description": "Monitor for suspicious activities associated with DHS Technical Alert US-CERT TA18-074A. Some of the activities that adversaries used in these compromises included spearfishing attacks, malware, watering-hole domains, many and more.", "references": ["https://www.us-cert.gov/ncas/alerts/TA18-074A"], "narrative": "The frequency of nation-state cyber attacks has increased significantly over the last decade. Employing numerous tactics and techniques, these attacks continue to escalate in complexity.\nThere is a wide range of motivations for these state-sponsored hacks, including stealing valuable corporate, military, or diplomatic dataѿall of which could confer advantages in various arenas. They may also target critical infrastructure.\nOne joint Technical Alert (TA) issued by the Department of Homeland and the FBI in mid-March of 2018 attributed some cyber activity targeting utility infrastructure to operatives sponsored by the Russian government. The hackers executed spearfishing attacks, installed malware, employed watering-hole domains, and more. While they caused no physical damage, the attacks provoked fears that a nation-state could turn off water, redirect power, or compromise a nuclear power plant.\nSuspicious activities--spikes in SMB traffic, processes that launch netsh (to modify the network configuration), suspicious registry modifications, and many more--may all be events you may wish to investigate further. While the use of these technique may be an indication that a nation-state actor is attempting to compromise your environment, it is important to note that these techniques are often employed by other groups, as well.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "APT5", "Dragonfly", "FIN13", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT", "Wizard Spider"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider", "Scattered Spider"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1071.002", "mitre_attack_technique": "File Transfer Protocols", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Dragonfly", "Kimsuky", "SilverTerrier"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT", "ToddyCat"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Magic Hound", "Rocke", "TeamTNT"]}], "mitre_attack_tactics": ["Command And Control", "Lateral Movement", "Persistence", "Privilege Escalation", "Execution", "Defense Evasion"], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": ["Command and Control", "Installation", "Exploitation"]}, "detection_names": ["ESCU - First time seen command line argument - Rule", "ESCU - Create local admin accounts using net exe - Rule", "ESCU - Detect New Local Admin account - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule", "ESCU - Processes launching netsh - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Single Letter Process On Endpoint - Rule", "ESCU - Suspicious Reg exe Process - Rule", "ESCU - Detect Outbound SMB Traffic - Rule", "ESCU - SMB Traffic Spike - Rule", "ESCU - SMB Traffic Spike - MLTK - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process File Activity", "Get Process Info", "Get Process Information For Port Activity"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "First time seen command line argument", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Windows Command Shell"}]}, {"name": "Create local admin accounts using net exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}, {"name": "Detect New Local Admin account", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Malicious PowerShell Process - Execution Policy Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Processes launching netsh", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Single Letter Process On Endpoint", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "User Execution"}, {"mitre_attack_technique": "Malicious File"}]}, {"name": "Suspicious Reg exe Process", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Detect Outbound SMB Traffic", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "File Transfer Protocols"}, {"mitre_attack_technique": "Application Layer Protocol"}]}, {"name": "SMB Traffic Spike", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "SMB Traffic Spike - MLTK", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Remote Services"}]}]}, {"name": "Disabling Security Tools", "author": "Rico Valdez, Splunk", "date": "2020-02-04", "version": 2, "id": "fcc27099-46a0-46b0-a271-5c7dab56b6f1", "description": "Looks for activities and techniques associated with the disabling of security tools on a Windows system, such as suspicious `reg.exe` processes, processes launching netsh, and many others.", "references": ["https://attack.mitre.org/wiki/Technique/T1089", "https://blog.malwarebytes.com/cybercrime/2015/11/vonteera-adware-uses-certificates-to-disable-anti-malware/", "https://web.archive.org/web/20220425194457/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Tools-Report.pdf"], "narrative": "Attackers employ a variety of tactics in order to avoid detection and operate without barriers. This often involves modifying the configuration of security tools to get around them or explicitly disabling them to prevent them from running. This Analytic Story includes searches that look for activity consistent with attackers attempting to disable various security mechanisms. Such activity may involve monitoring for suspicious registry activity, as this is where much of the configuration for Windows and various other programs reside, or explicitly attempting to shut down security-related services. Other times, attackers attempt various tricks to prevent specific programs from running, such as adding the certificates with which the security tools are signed to a block list (which would prevent them from running).", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1553.004", "mitre_attack_technique": "Install Root Certificate", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1553", "mitre_attack_technique": "Subvert Trust Controls", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Axiom"]}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT", "ToddyCat"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Privilege Escalation", "Persistence", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - Attempt To Add Certificate To Untrusted Store - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - Processes launching netsh - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Suspicious Reg exe Process - Rule", "ESCU - Unload Sysmon Filter Driver - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Attempt To Add Certificate To Untrusted Store", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Install Root Certificate"}, {"mitre_attack_technique": "Subvert Trust Controls"}]}, {"name": "Attempt To Stop Security Service", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Processes launching netsh", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Suspicious Reg exe Process", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Unload Sysmon Filter Driver", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "System Network Connections Discovery"}, {"mitre_attack_technique": "System Owner/User Discovery"}, {"mitre_attack_technique": "System Shutdown/Reboot"}, {"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}]}, {"name": "DNS Amplification Attacks", "author": "Bhavin Patel, Splunk", "date": "2016-09-13", "version": 1, "id": "a563972b-d2e2-4978-b6ca-6e83e24af4d3", "description": "DNS poses a serious threat as a Denial of Service (DOS) amplifier, if it responds to `ANY` queries. This Analytic Story can help you detect attackers who may be abusing your company's DNS infrastructure to launch amplification attacks, causing Denial of Service to other victims.", "references": ["https://www.us-cert.gov/ncas/alerts/TA13-088A", "https://www.imperva.com/learn/application-security/dns-amplification/"], "narrative": "The Domain Name System (DNS) is the protocol used to map domain names to IP addresses. It has been proven to work very well for its intended function. However if DNS is misconfigured, servers can be abused by attackers to levy amplification or redirection attacks against victims. Because DNS responses to `ANY` queries are so much larger than the queries themselves--and can be made with a UDP packet, which does not require a handshake--attackers can spoof the source address of the packet and cause much more data to be sent to the victim than if they sent the traffic themselves. The `ANY` requests are will be larger than normal DNS server requests, due to the fact that the server provides significant details, such as MX records and associated IP addresses. A large volume of this traffic can result in a DOS on the victim's machine. This misconfiguration leads to two possible victims, the first being the DNS servers participating in an attack and the other being the hosts that are the targets of the DOS attack.\nThe search in this story can help you to detect if attackers are abusing your company's DNS infrastructure to launch DNS amplification attacks causing Denial of Service to other victims.", "tags": {"category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Large Volume of DNS ANY Queries - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Large Volume of DNS ANY Queries", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Network Denial of Service"}, {"mitre_attack_technique": "Reflection Amplification"}]}]}, {"name": "DNS Hijacking", "author": "Bhavin Patel, Splunk", "date": "2020-02-04", "version": 1, "id": "8169f17b-ef68-4b59-aa28-586907301221", "description": "Secure your environment against DNS hijacks with searches that help you detect and investigate unauthorized changes to DNS records.", "references": ["https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", "https://umbrella.cisco.com/blog/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/", "http://www.noip.com/blog/2014/07/11/dynamic-dns-can-use-2/", "https://www.splunk.com/blog/2015/08/04/detecting-dynamic-dns-domains-in-splunk.html"], "narrative": "Dubbed the Achilles heel of the Internet (see https://www.f5.com/labs/articles/threat-intelligence/dns-is-still-the-achilles-heel-of-the-internet-25613), DNS plays a critical role in routing web traffic but is notoriously vulnerable to attack. One reason is its distributed nature. It relies on unstructured connections between millions of clients and servers over inherently insecure protocols.\nThe gravity and extent of the importance of securing DNS from attacks is undeniable. The fallout of compromised DNS can be disastrous. Not only can hackers bring down an entire business, they can intercept confidential information, emails, and login credentials, as well.\nOn January 22, 2019, the US Department of Homeland Security 2019's Cybersecurity and Infrastructure Security Agency (CISA) raised awareness of some high-profile DNS hijacking attacks against infrastructure, both in the United States and abroad. It issued Emergency Directive 19-01 (see https://cyber.dhs.gov/ed/19-01/), which summarized the activity and required government agencies to take the following four actions, all within 10 days:\n1. For all .gov or other agency-managed domains, audit public DNS records on all authoritative and secondary DNS servers, verify that they resolve to the intended location or report them to CISA.\n1. Update the passwords for all accounts on systems that can make changes to each agency 2019's DNS records.\n1. Implement multi-factor authentication (MFA) for all accounts on systems that can make changes to each agency's 2019 DNS records or, if impossible, provide CISA with the names of systems, the reasons why MFA cannot be enabled within the required timeline, and an ETA for when it can be enabled.\n1. CISA will begin regular delivery of newly added certificates to Certificate Transparency (CT) logs for agency domains via the Cyber Hygiene service. Upon receipt, agencies must immediately begin monitoring CT log data for certificates issued that they did not request. If an agency confirms that a certificate was unauthorized, it must report the certificate to the issuing certificate authority and to CISA. Of course, it makes sense to put equivalent actions in place within your environment, as well.\nIn DNS hijacking, the attacker assumes control over an account or makes use of a DNS service exploit to make changes to DNS records. Once they gain access, attackers can substitute their own MX records, name-server records, and addresses, redirecting emails and traffic through their infrastructure, where they can read, copy, or modify information seen. They can also generate valid encryption certificates to help them avoid browser-certificate checks. In one notable attack on the Internet service provider, GoDaddy, the hackers altered Sender Policy Framework (SPF) records a relatively minor change that did not inflict excessive damage but allowed for more effective spam campaigns.\nThe searches in this Analytic Story help you detect and investigate activities that may indicate that DNS hijacking has taken place within your environment.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1568.002", "mitre_attack_technique": "Domain Generation Algorithms", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "TA551"]}, {"mitre_attack_id": "T1071.004", "mitre_attack_technique": "DNS", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT39", "APT41", "Chimera", "Cobalt Group", "FIN7", "Ke3chang", "LazyScripter", "OilRig", "Tropic Trooper"]}, {"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "Mustard Tempest", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}], "mitre_attack_tactics": ["Exfiltration", "Command And Control", "Initial Access"], "datamodels": ["Network_Resolution"], "kill_chain_phases": ["Delivery", "Command and Control", "Actions on Objectives"]}, "detection_names": ["ESCU - Clients Connecting to Multiple DNS Servers - Rule", "ESCU - DNS Query Requests Resolved by Unauthorized DNS Servers - Rule", "ESCU - DNS record changed - Rule", "ESCU - Detect DGA domains using pretrained model in DSDL - Rule", "ESCU - Detect DNS Data Exfiltration using pretrained model in DSDL - Rule", "ESCU - Detect hosts connecting to dynamic domain providers - Rule", "ESCU - Detect suspicious DNS TXT records using pretrained model in DSDL - Rule"], "investigation_names": ["Get DNS Server History for a host"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Clients Connecting to Multiple DNS Servers", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}, {"name": "DNS Query Requests Resolved by Unauthorized DNS Servers", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "DNS"}]}, {"name": "DNS record changed", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "DNS"}]}, {"name": "Detect DGA domains using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Domain Generation Algorithms"}]}, {"name": "Detect DNS Data Exfiltration using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}, {"name": "Detect hosts connecting to dynamic domain providers", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Drive-by Compromise"}]}, {"name": "Detect suspicious DNS TXT records using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Domain Generation Algorithms"}]}]}, {"name": "Domain Trust Discovery", "author": "Michael Haag, Splunk", "date": "2021-03-25", "version": 1, "id": "e6f30f14-8daf-11eb-a017-acde48001122", "description": "Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments.", "references": ["https://attack.mitre.org/techniques/T1482/"], "narrative": "Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain. Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct SID-History Injection, Pass the Ticket, and Kerberoasting. Domain trusts can be enumerated using the DSEnumerateDomainTrusts() Win32 API call, .NET methods, and LDAP. The Windows utility Nltest is known to be used by adversaries to enumerate domain trusts.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Akira", "Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}], "mitre_attack_tactics": ["Discovery"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - DSQuery Domain Discovery - Rule", "ESCU - NLTest Domain Trust Discovery - Rule", "ESCU - Windows AdFind Exe - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "DSQuery Domain Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Trust Discovery"}]}, {"name": "NLTest Domain Trust Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Trust Discovery"}]}, {"name": "Windows AdFind Exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}]}, {"name": "Double Zero Destructor", "author": "Teoderick Contreras, Rod Soto, Splunk", "date": "2022-03-25", "version": 1, "id": "f56e8c00-3224-4955-9a6e-924ec7da1df7", "description": "Double Zero Destructor is a destructive payload that enumerates Domain Controllers and executes killswitch if detected. Overwrites files with Zero blocks or using MS Windows API calls such as NtFileOpen, NtFSControlFile. This payload also deletes registry hives HKCU,HKLM, HKU, HKLM BCD.", "references": ["https://cert.gov.ua/article/38088", "https://blog.talosintelligence.com/2022/03/threat-advisory-doublezero.html"], "narrative": "Double zero destructor enumerates domain controllers, delete registry hives and overwrites files using zero blocks and API calls.", "tags": {"category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}], "mitre_attack_tactics": ["Privilege Escalation", "Persistence", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Deleted Registry By A Non Critical Process File Path - Rule", "ESCU - Windows Terminating Lsass Process - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Rod Soto, Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Windows Deleted Registry By A Non Critical Process File Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Terminating Lsass Process", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}]}, {"name": "Dynamic DNS", "author": "Bhavin Patel, Splunk", "date": "2018-09-06", "version": 2, "id": "8169f17b-ef68-4b59-aae8-586907301221", "description": "Detect and investigate hosts in your environment that may be communicating with dynamic domain providers. Attackers may leverage these services to help them avoid firewall blocks and deny lists.", "references": ["https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", "https://umbrella.cisco.com/blog/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/", "http://www.noip.com/blog/2014/07/11/dynamic-dns-can-use-2/", "https://www.splunk.com/blog/2015/08/04/detecting-dynamic-dns-domains-in-splunk.html"], "narrative": "Dynamic DNS services (DDNS) are legitimate low-cost or free services that allow users to rapidly update domain resolutions to IP infrastructure. While their usage can be benign, malicious actors can abuse DDNS to host harmful payloads or interactive-command-and-control infrastructure. These attackers will manually update or automate domain resolution changes by routing dynamic domains to IP addresses that circumvent firewall blocks and deny lists and frustrate a network defender's analytic and investigative processes. These searches will look for DNS queries made from within your infrastructure to suspicious dynamic domains and then investigate more deeply, when appropriate. While this list of top-level dynamic domains is not exhaustive, it can be dynamically updated as new suspicious dynamic domains are identified.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1071.001", "mitre_attack_technique": "Web Protocols", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Confucius", "Dark Caracal", "FIN13", "FIN4", "FIN8", "Gamaredon Group", "HAFNIUM", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LuminousMoth", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "OilRig", "Orangeworm", "Rancor", "Rocke", "Sandworm Team", "Sidewinder", "SilverTerrier", "Stealth Falcon", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "WIRTE", "Windshift", "Wizard Spider"]}, {"mitre_attack_id": "T1568.002", "mitre_attack_technique": "Domain Generation Algorithms", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "TA551"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}], "mitre_attack_tactics": ["Exfiltration", "Command And Control"], "datamodels": ["Network_Resolution", "Endpoint", "Web"], "kill_chain_phases": ["Command and Control", "Actions on Objectives"]}, "detection_names": ["ESCU - Detect web traffic to dynamic domain providers - Rule", "ESCU - DNS Exfiltration Using Nslookup App - Rule", "ESCU - Excessive Usage of NSLOOKUP App - Rule", "ESCU - Detect DGA domains using pretrained model in DSDL - Rule", "ESCU - Detect hosts connecting to dynamic domain providers - Rule"], "investigation_names": ["Get DNS Server History for a host", "Get DNS traffic ratio", "Get Notable History", "Get Process Responsible For The DNS Traffic"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect web traffic to dynamic domain providers", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Web Protocols"}]}, {"name": "DNS Exfiltration Using Nslookup App", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}, {"name": "Excessive Usage of NSLOOKUP App", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}, {"name": "Detect DGA domains using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Domain Generation Algorithms"}]}, {"name": "Detect hosts connecting to dynamic domain providers", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Drive-by Compromise"}]}]}, {"name": "Emotet Malware DHS Report TA18-201A", "author": "Bhavin Patel, Splunk", "date": "2020-01-27", "version": 1, "id": "bb9f5ed2-916e-4364-bb6d-91c310efcf52", "description": "Detect rarely used executables, specific registry paths that may confer malware survivability and persistence, instances where cmd.exe is used to launch script interpreters, and other indicators that the Emotet financial malware has compromised your environment.", "references": ["https://www.us-cert.gov/ncas/alerts/TA18-201A", "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf", "https://www.vkremez.com/2017/05/emotet-banking-trojan-malware-analysis.html"], "narrative": "The trojan downloader known as Emotet first surfaced in 2014, when it was discovered targeting the banking industry to steal credentials. However, according to a joint technical alert (TA) issued by three government agencies (https://www.us-cert.gov/ncas/alerts/TA18-201A), Emotet has evolved far beyond those beginnings to become what a ThreatPost article called a threat-delivery service(see https://threatpost.com/emotet-malware-evolves-beyond-banking-to-threat-delivery-service/134342/). For example, in early 2018, Emotet was found to be using its loader function to spread the Quakbot and Ransomware variants.\nAccording to the TA, the the malware continues to be among the most costly and destructive malware affecting the private and public sectors. Researchers have linked it to the threat group Mealybug, which has also been on the security communitys radar since 2014.\nThe searches in this Analytic Story will help you find executables that are rarely used in your environment, specific registry paths that malware often uses to ensure survivability and persistence, instances where cmd.exe is used to launch script interpreters, and other indicators that Emotet or other malware has compromised your environment. ", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1072", "mitre_attack_technique": "Software Deployment Tools", "mitre_attack_tactics": ["Execution", "Lateral Movement"], "mitre_attack_groups": ["APT32", "Sandworm Team", "Silence", "Threat Group-1314"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Lateral Movement", "Initial Access", "Persistence", "Execution", "Privilege Escalation"], "datamodels": ["Email", "Endpoint", "Network_Traffic"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation"]}, "detection_names": ["ESCU - Email Attachments With Lots Of Spaces - Rule", "ESCU - Suspicious Email Attachment Extensions - Rule", "ESCU - Prohibited Software On Endpoint - Rule", "ESCU - Detect Use of cmd exe to Launch Script Interpreters - Rule", "ESCU - Detection of tools built by NirSoft - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - SMB Traffic Spike - Rule", "ESCU - SMB Traffic Spike - MLTK - Rule"], "investigation_names": ["Get History Of Email Sources", "Get Notable History", "Get Parent Process Info", "Get Process Info", "Get Process Information For Port Activity"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Email Attachments With Lots Of Spaces", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Suspicious Email Attachment Extensions", "source": "application", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}, {"name": "Prohibited Software On Endpoint", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Detect Use of cmd exe to Launch Script Interpreters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}]}, {"name": "Detection of tools built by NirSoft", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Software Deployment Tools"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "SMB Traffic Spike", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "SMB Traffic Spike - MLTK", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Remote Services"}]}]}, {"name": "F5 Authentication Bypass with TMUI", "author": "Michael Haag, Splunk", "date": "2023-10-30", "version": 1, "id": "e4acbea6-75bb-4873-8c22-bc2da9525e89", "description": "Research into leading software revealed vulnerabilities in both Apache Tomcat and the F5 BIG-IP suite. Apache's AJP protocol vulnerability, designated CVE-2022-26377, relates to AJP request smuggling. Successful exploitation enables unauthorized system activities. F5 BIG-IP Virtual Edition exhibited a distinct vulnerability, an authentication bypass in the Traffic Management User Interface (TMUI), resulting in system compromise. Assigned CVE-2023-46747, this vulnerability also arose from request smuggling, bearing similarity to CVE-2022-26377. Given the wide adoption of both Apache Tomcat and F5 products, these vulnerabilities present grave risks to organizations. Remediation and vulnerability detection mechanisms are essential to address these threats effectively.", "references": ["https://www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/", "https://github.com/projectdiscovery/nuclei-templates/blob/3b0bb71bd627c6c3139e1d06c866f8402aa228ae/http/cves/2023/CVE-2023-46747.yaml"], "narrative": "Both Apache Tomcat's AJP protocol and F5's BIG-IP Virtual Edition have been exposed to critical vulnerabilities. Apache's CVE-2022-26377 pertains to request smuggling by manipulating the \"Transfer-Encoding\" header. If successfully exploited, this allows attackers to bypass security controls and undertake unauthorized actions.\nSimilarly, F5 BIG-IP unveiled an authentication bypass vulnerability, CVE-2023-46747. Originating from the TMUI, this vulnerability leads to full system compromise. While distinct, it shares characteristics with Apache's vulnerability, primarily rooted in request smuggling. This vulnerability drew from past F5 CVEs, particularly CVE-2020-5902 and CVE-2022-1388, both previously exploited in real-world scenarios. These highlighted vulnerabilities in Apache HTTP and Apache Tomcat services, as well as authentication flaws in the F5 BIG-IP API.\nNuclei detection templates offer a proactive solution for identifying and mitigating these vulnerabilities. Integrated into vulnerability management frameworks, these templates notify organizations of potential risks, forming a base for further detection strategies. For detection engineers, understanding these vulnerabilities is crucial. Recognizing the mechanisms and effects of request smuggling, especially in Apache's and F5's context, provides a roadmap to effective detection and response. Prompt detection is a linchpin, potentially stymieing further, more destructive attacks.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - F5 TMUI Authentication Bypass - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "F5 TMUI Authentication Bypass", "source": "web", "type": "TTP", "tags": []}]}, {"name": "F5 BIG-IP Vulnerability CVE-2022-1388", "author": "Michael Haag, Splunk", "date": "2022-05-10", "version": 1, "id": "0367b177-f8d6-4c4b-a62d-86f52a590bff", "description": "CVE-2022-1388 is a unauthenticated remote code execution vulnerablity against BIG-IP iControl REST API.", "references": ["https://github.com/dk4trin/templates-nuclei/blob/main/CVE-2022-1388.yaml", "https://www.randori.com/blog/vulnerability-analysis-cve-2022-1388/", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1388", "https://twitter.com/da_667/status/1523770267327250438?s=20&t=-JnB_aNWuJFsmcOmxGUWLQ", "https://github.com/horizon3ai/CVE-2022-1388/blob/main/CVE-2022-1388.py"], "narrative": "CVE-2022-1388 is a critical vulnerability (CVSS 9.8) in the management interface of F5 Networks'' BIG-IP solution that enables an unauthenticated attacker to gain remote code execution on the system through bypassing F5''s iControl REST authentication. The vulnerability was first discovered by F5''s internal product security team and disclosed publicly on May 4, 2022, per Randori. This vulnerability,CVE-2022-1388, may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. There is no data plane exposure; this is a control plane issue only per F5 article K23605346. Is CVE-2022-1388 Exploitable? Yes. There are now multiple POC scripts available and reports of threat actors scanning and potentially exploiting the vulnerablity. Per Randori the specific interface needed to exploit this vulnerability is rarely publicly exposed, and the risk to most organizations of exploitation by an unauthenticated external actor is low.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - F5 BIG-IP iControl REST Vulnerability CVE-2022-1388 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "F5 BIG-IP iControl REST Vulnerability CVE-2022-1388", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}]}, {"name": "F5 TMUI RCE CVE-2020-5902", "author": "Shannon Davis, Splunk", "date": "2020-08-02", "version": 1, "id": "7678c968-d46e-11ea-87d0-0242ac130003", "description": "Uncover activity consistent with CVE-2020-5902. Discovered by Positive Technologies researchers, this vulnerability affects F5 BIG-IP, BIG-IQ. and Traffix SDC devices (vulnerable versions in F5 support link below). This vulnerability allows unauthenticated users, along with authenticated users, who have access to the configuration utility to execute system commands, create/delete files, disable services, and/or execute Java code. This vulnerability can result in full system compromise.", "references": ["https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/", "https://support.f5.com/csp/article/K52145254", "https://blog.cloudflare.com/cve-2020-5902-helping-to-protect-against-the-f5-tmui-rce-vulnerability/"], "narrative": "A client is able to perform a remote code execution on an exposed and vulnerable system. The detection search in this Analytic Story uses syslog to detect the malicious behavior. Syslog is going to be the best detection method, as any systems using SSL to protect their management console will make detection via wire data difficult. The searches included used Splunk Connect For Syslog (https://splunkbase.splunk.com/app/4740/), and used a custom destination port to help define the data as F5 data (covered in https://splunk-connect-for-syslog.readthedocs.io/en/master/sources/F5/)", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect F5 TMUI RCE CVE-2020-5902 - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Shannon Davis", "detections": [{"name": "Detect F5 TMUI RCE CVE-2020-5902", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}]}, {"name": "FIN7", "author": "Teoderick Contreras, Splunk", "date": "2021-09-14", "version": 1, "id": "df2b00d3-06ba-49f1-b253-b19cef19b569", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the FIN7 JS Implant and JSSLoader, including looking for Image Loading of ldap and wmi modules, associated with its payload, data collection and script execution.", "references": ["https://en.wikipedia.org/wiki/FIN7", "https://threatpost.com/fin7-windows-11-release/169206/", "https://www.proofpoint.com/us/blog/threat-insight/jssloader-recoded-and-reloaded"], "narrative": "FIN7 is a Russian criminal advanced persistent threat group that has primarily targeted the U.S. retail, restaurant, and hospitality sectors since mid-2015. A portion of FIN7 is run out of the front company Combi Security. It has been called one of the most successful criminal hacking groups in the world. this passed few day FIN7 tools and implant are seen in the wild where its code is updated. the FIN& is known to use the spear phishing attack as a entry to targetted network or host that will drop its staging payload like the JS and JSSloader. Now this artifacts and implants seen downloading other malware like cobaltstrike and event ransomware to encrypt host.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.007", "mitre_attack_technique": "JavaScript", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "Cobalt Group", "Earth Lusca", "Ember Bear", "Evilnum", "FIN6", "FIN7", "Higaisa", "Indrik Spider", "Kimsuky", "LazyScripter", "Leafminer", "Molerats", "MoustachedBouncer", "MuddyWater", "Sidewinder", "Silence", "TA505", "Turla"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "Malteiro", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "APT5", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1134.004", "mitre_attack_technique": "Parent PID Spoofing", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "APT41", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Malteiro", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1059.005", "mitre_attack_technique": "Visual Basic", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT33", "APT37", "APT38", "APT39", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Earth Lusca", "FIN13", "FIN4", "FIN7", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "Transparent Tribe", "Turla", "WIRTE", "Windshift"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}], "mitre_attack_tactics": ["Credential Access", "Initial Access", "Persistence", "Execution", "Privilege Escalation", "Impact", "Discovery", "Defense Evasion"], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Check Elevated CMD using whoami - Rule", "ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Jscript Execution Using Cscript App - Rule", "ESCU - MS Scripting Process Loading Ldap Module - Rule", "ESCU - MS Scripting Process Loading WMI Module - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Office Application Drop Executable - Rule", "ESCU - Office Product Spawning Wmic - Rule", "ESCU - Vbscript Execution Using Wscript App - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Wscript Or Cscript Suspicious Child Process - Rule", "ESCU - XSL Script Execution With WMIC - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Check Elevated CMD using whoami", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Owner/User Discovery"}]}, {"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}, {"name": "Jscript Execution Using Cscript App", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}, {"name": "MS Scripting Process Loading Ldap Module", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}, {"name": "MS Scripting Process Loading WMI Module", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "Office Application Drop Executable", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawning Wmic", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Vbscript Execution Using Wscript App", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Visual Basic"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "System Network Connections Discovery"}, {"mitre_attack_technique": "System Owner/User Discovery"}, {"mitre_attack_technique": "System Shutdown/Reboot"}, {"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Wscript Or Cscript Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Parent PID Spoofing"}, {"mitre_attack_technique": "Access Token Manipulation"}]}, {"name": "XSL Script Execution With WMIC", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "XSL Script Processing"}]}]}, {"name": "Flax Typhoon", "author": "Michael Haag, Splunk", "date": "2023-08-25", "version": 1, "id": "78fadce9-a07f-4508-8d14-9b20052a62cc", "description": "Microsoft has identified a nation-state activity group, Flax Typhoon, based in China, targeting Taiwanese organizations for espionage. The group maintains long-term access to networks with minimal use of malware, relying on built-in OS tools and benign software. The group's activities are primarily focused on Taiwan, but the techniques used could be easily reused in other operations outside the region. Microsoft has not observed Flax Typhoon using this access to conduct additional actions.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/"], "narrative": "Flax Typhoon has been active since mid-2021, targeting government agencies, education, critical manufacturing, and IT organizations in Taiwan. The group uses the China Chopper web shell, Metasploit, Juicy Potato privilege escalation tool, Mimikatz, and SoftEther VPN client. However, they primarily rely on living-off-the-land techniques and hands-on-keyboard activity. Initial access is achieved by exploiting known vulnerabilities in public-facing servers and deploying web shells. Following initial access, Flax Typhoon uses command-line tools to establish persistent access over the remote desktop protocol, deploy a VPN connection to actor-controlled network infrastructure, and collect credentials from compromised systems. The group also uses this VPN access to scan for vulnerabilities on targeted systems and organizations from the compromised systems.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1546.008", "mitre_attack_technique": "Accessibility Features", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT3", "APT41", "Axiom", "Deep Panda", "Fox Kitten"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1197", "mitre_attack_technique": "BITS Jobs", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": ["APT39", "APT41", "Leviathan", "Patchwork", "Wizard Spider"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "APT5", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Persistence", "Privilege Escalation", "Execution", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Command and Control", "Installation", "Exploitation"]}, "detection_names": ["ESCU - BITSAdmin Download File - Rule", "ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Overwriting Accessibility Binaries - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows Mimikatz Binary Execution - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows SQL Spawning CertUtil - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "BITSAdmin Download File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "BITS Jobs"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Overwriting Accessibility Binaries", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "Accessibility Features"}]}, {"name": "PowerShell 4104 Hunting", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}, {"name": "Windows Mimikatz Binary Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Windows SQL Spawning CertUtil", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}]}, {"name": "Forest Blizzard", "author": "Michael Haag, Splunk", "date": "2023-09-11", "version": 1, "id": "2c1aceda-f0a5-4c83-8543-e23ec1466958", "description": "CERT-UA has unveiled a cyberattack on Ukraine's energy infrastructure, orchestrated via deceptive emails. These emails, once accessed, lead to a multi-stage cyber operation downloading and executing malicious payloads. Concurrently, Zscaler's \"Steal-It\" campaign detection revealed striking similarities, hinting at a shared origin - APT28 or Fancy Bear. This notorious group, linked to Russia's GRU, utilizes legitimate platforms like Mockbin, making detection challenging. Their operations underline the evolving cyber threat landscape and stress the importance of advanced defenses.", "references": ["https://cert.gov.ua/article/5702579", "https://www.zscaler.com/blogs/security-research/steal-it-campaign", "https://attack.mitre.org/groups/G0007/"], "narrative": "APT28, also known as Fancy Bear, blends stealth and expertise in its cyber operations. Affiliated with Russia's GRU, their signature move involves spear-phishing emails, leading to multi-tiered cyberattacks. In Ukraine's recent breach, a ZIP archive's execution triggered a series of actions, culminating in information flow redirection via the TOR network. Simultaneously, Zscaler's \"Steal-It\" campaign pinpointed similar tactics, specifically targeting NTLMv2 hashes. This campaign used ZIP archives containing LNK files to exfiltrate data via Mockbin. APT28's hallmark is their \"Living Off The Land\" strategy, manipulating legitimate tools and services to blend in, evading detection. Their innovative tactics, coupled with a geofencing focus on specific regions, make them a formidable cyber threat, highlighting the urgent need for advanced defense strategies.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1564.003", "mitre_attack_technique": "Hidden Window", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "CopyKittens", "DarkHydrus", "Deep Panda", "Gamaredon Group", "Gorgon Group", "Higaisa", "Kimsuky", "Magic Hound", "Nomadic Octopus", "ToddyCat"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1140", "mitre_attack_technique": "Deobfuscate/Decode Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT39", "BRONZE BUTLER", "Cinnamon Tempest", "Darkhotel", "Earth Lusca", "FIN13", "Gamaredon Group", "Gorgon Group", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Malteiro", "Molerats", "MuddyWater", "OilRig", "Rocke", "Sandworm Team", "TA505", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "WIRTE", "ZIRCONIUM", "menuPass"]}], "mitre_attack_tactics": ["Defense Evasion", "Execution", "Command And Control"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Command and Control", "Installation", "Exploitation"]}, "detection_names": ["ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - CertUtil With Decode Argument - Rule", "ESCU - CHCP Command Execution - Rule", "ESCU - Headless Browser Mockbin or Mocky Request - Rule", "ESCU - Headless Browser Usage - Rule", "ESCU - Windows Curl Download to Suspicious Path - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "CertUtil With Decode Argument", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Deobfuscate/Decode Files or Information"}]}, {"name": "CHCP Command Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Headless Browser Mockbin or Mocky Request", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Hidden Window"}]}, {"name": "Headless Browser Usage", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Hidden Window"}]}, {"name": "Windows Curl Download to Suspicious Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}]}, {"name": "Fortinet FortiNAC CVE-2022-39952", "author": "Michael Haag, Splunk", "date": "2023-02-21", "version": 1, "id": "2833a527-3b7f-41af-a950-39f7bbaff819", "description": "On Thursday, 16 February 2023, Fortinet released a PSIRT that details CVE-2022-39952, a critical vulnerability affecting its FortiNAC product (Horizon3.ai).", "references": ["https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs/", "https://viz.greynoise.io/tag/fortinac-rce-attempt?days=30", "https://www.bleepingcomputer.com/news/security/fortinet-fixes-critical-rce-flaws-in-fortinac-and-fortiweb/"], "narrative": "This vulnerability, discovered by Gwendal Guegniaud of Fortinet, allows an unauthenticated attacker to write arbitrary files on the system and as a result obtain remote code execution in the context of the root user (Horizon3.ai). Impacting FortiNAC, is tracked as CVE-2022-39952 and has a CVSS v3 score of 9.8 (critical). FortiNAC is a network access control solution that helps organizations gain real time network visibility, enforce security policies, and detect and mitigate threats. An external control of file name or path vulnerability CWE-73 in FortiNAC webserver may allow an unauthenticated attacker to perform arbitrary write on the system, reads the security advisory.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}]}, {"name": "GCP Account Takeover", "author": "Mauricio Velazco, Bhavin Patel, Splunk", "date": "2022-10-12", "version": 1, "id": "8601caff-414f-4c6d-9a04-75b66778869d", "description": "Monitor for activities and techniques associated with Account Takeover attacks against Google Cloud Platform tenants.", "references": ["https://cloud.google.com/gcp", "https://cloud.google.com/architecture/identity/overview-google-authentication", "https://attack.mitre.org/techniques/T1586/", "https://www.imperva.com/learn/application-security/account-takeover-ato/", "https://www.barracuda.com/glossary/account-takeover"], "narrative": "Account Takeover (ATO) is an attack whereby cybercriminals gain unauthorized access to online accounts by using different techniques like brute force, social engineering, phishing & spear phishing, credential stuffing, etc. By posing as the real user, cyber-criminals can change account details, send out phishing emails, steal financial information or sensitive data, or use any stolen information to access further accounts within the organization. This analytic story groups detections that can help security operations teams identify the potential compromise of Google cloud accounts.", "tags": {"category": ["Account Compromise"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1556.006", "mitre_attack_technique": "Multi-Factor Authentication", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["Scattered Spider"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}], "mitre_attack_tactics": ["Resource Development", "Credential Access", "Initial Access", "Defense Evasion", "Persistence", "Privilege Escalation"], "datamodels": [], "kill_chain_phases": ["Delivery", "Weaponization", "Installation", "Exploitation"]}, "detection_names": ["ESCU - GCP Authentication Failed During MFA Challenge - Rule", "ESCU - GCP Multi-Factor Authentication Disabled - Rule", "ESCU - GCP Multiple Failed MFA Requests For User - Rule", "ESCU - GCP Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - GCP Successful Single-Factor Authentication - Rule", "ESCU - GCP Unusual Number of Failed Authentications From Ip - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Bhavin Patel, Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "GCP Authentication Failed During MFA Challenge", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}, {"name": "GCP Multi-Factor Authentication Disabled", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Modify Authentication Process"}, {"mitre_attack_technique": "Multi-Factor Authentication"}]}, {"name": "GCP Multiple Failed MFA Requests For User", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}]}, {"name": "GCP Multiple Users Failing To Authenticate From Ip", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}, {"name": "GCP Successful Single-Factor Authentication", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}]}, {"name": "GCP Unusual Number of Failed Authentications From Ip", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}]}, {"name": "GCP Cross Account Activity", "author": "Rod Soto, Splunk", "date": "2020-09-01", "version": 1, "id": "0432039c-ef41-4b03-b157-450c25dad1e6", "description": "Track when a user assumes an IAM role in another GCP account to obtain cross-account access to services and resources in that account. Accessing new roles could be an indication of malicious activity.", "references": ["https://cloud.google.com/iam/docs/understanding-service-accounts"], "narrative": "Google Cloud Platform (GCP) admins manage access to GCP resources and services across the enterprise using GCP Identity and Access Management (IAM) functionality. IAM provides the ability to create and manage GCP users, groups, and roles-each with their own unique set of privileges and defined access to specific resources (such as Compute instances, the GCP Management Console, API, or the command-line interface). Unlike conventional (human) users, IAM roles are potentially assumable by anyone in the organization. They provide users with dynamically created temporary security credentials that expire within a set time period.\nIn between the time between when the temporary credentials are issued and when they expire is a period of opportunity, where a user could leverage the temporary credentials to wreak havoc-spin up or remove instances, create new users, elevate privileges, and other malicious activities-throughout the environment.\nThis Analytic Story includes searches that will help you monitor your GCP Audit logs logs for evidence of suspicious cross-account activity. For example, while accessing multiple GCP accounts and roles may be perfectly valid behavior, it may be suspicious when an account requests privileges of an account it has not accessed in the past. After identifying suspicious activities, you can use the provided investigative searches to help you probe more deeply.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Privilege Escalation", "Persistence", "Defense Evasion", "Initial Access"], "datamodels": ["Email"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation"]}, "detection_names": ["ESCU - GCP Detect gcploit framework - Rule", "ESCU - GCP Detect accounts with high risk roles by project - Rule", "ESCU - GCP Detect high risk permissions by resource and account - Rule", "ESCU - gcp detect oauth token abuse - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rod Soto", "detections": [{"name": "GCP Detect gcploit framework", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "GCP Detect accounts with high risk roles by project", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "GCP Detect high risk permissions by resource and account", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "gcp detect oauth token abuse", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}]}, {"name": "Graceful Wipe Out Attack", "author": "Teoderick Contreras, Splunk", "date": "2023-06-15", "version": 1, "id": "83b15b3c-6bda-45aa-a3b6-b05c52443f44", "description": "This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the destructive attack or campaign found by \"THE DFIR Report\" that uses Truebot, FlawedGrace and MBR killer malware. This analytic story looks for suspicious dropped files, cobalt strike execution, im-packet execution, registry modification, scripts, persistence, lateral movement, impact, exfiltration and recon.", "references": ["https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/"], "narrative": "Graceful Wipe Out Attack is a destructive malware campaign found by \"The DFIR Report\" targeting multiple organizations to collect, exfiltrate and wipe the data of targeted networks. This malicious payload corrupts or wipes Master Boot Records by using an NSIS script after the exfiltration of sensitive information from the targeted host or system.", "tags": {"category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1561.002", "mitre_attack_technique": "Disk Structure Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Akira", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Scattered Spider", "Silence", "Threat Group-3390", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1055.002", "mitre_attack_technique": "Portable Executable Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Gorgon Group", "Rocke"]}, {"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "APT5", "Akira", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN13", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "FIN7", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "ToddyCat", "Turla", "Volt Typhoon"]}, {"mitre_attack_id": "T1003.003", "mitre_attack_technique": "NTDS", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "HAFNIUM", "Ke3chang", "LAPSUS$", "Mustang Panda", "Sandworm Team", "Scattered Spider", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1561", "mitre_attack_technique": "Disk Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1127.001", "mitre_attack_technique": "MSBuild", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1531", "mitre_attack_technique": "Account Access Removal", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Akira", "LAPSUS$"]}, {"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT41", "BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Scattered Spider", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Credential Access", "Lateral Movement", "Collection", "Persistence", "Execution", "Privilege Escalation", "Impact", "Discovery", "Defense Evasion"], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": ["Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Anomalous usage of 7zip - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - CMD Echo Pipe - Escalation - Rule", "ESCU - Cobalt Strike Named Pipes - Rule", "ESCU - Deleting Of Net Users - Rule", "ESCU - Detect Regsvr32 Application Control Bypass - Rule", "ESCU - DLLHost with no Command Line Arguments with Network - Rule", "ESCU - Domain Account Discovery With Net App - Rule", "ESCU - Domain Group Discovery With Net - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - GPUpdate with no Command Line Arguments with Network - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Remote WMI Command Attempt - Rule", "ESCU - Rundll32 with no Command Line Arguments with Network - Rule", "ESCU - SAM Database File Access Attempt - Rule", "ESCU - SearchProtocolHost with no Command Line with Network - Rule", "ESCU - SecretDumps Offline NTDS Dumping Tool - Rule", "ESCU - Services Escalate Exe - Rule", "ESCU - Suspicious DLLHost no Command Line Arguments - Rule", "ESCU - Suspicious GPUpdate no Command Line Arguments - Rule", "ESCU - Suspicious microsoft workflow compiler rename - Rule", "ESCU - Suspicious msbuild path - Rule", "ESCU - Suspicious MSBuild Rename - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", "ESCU - Suspicious Rundll32 StartW - Rule", "ESCU - Suspicious SearchProtocolHost no Command Line Arguments - Rule", "ESCU - Windows AdFind Exe - Rule", "ESCU - Windows Process Injection Remote Thread - Rule", "ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - Windows Service Stop By Deletion - Rule", "ESCU - Windows Service Stop Via Net and SC Application - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Anomalous usage of 7zip", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}, {"name": "Attempt To Stop Security Service", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "CMD Echo Pipe - Escalation", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Cobalt Strike Named Pipes", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Deleting Of Net Users", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Access Removal"}]}, {"name": "Detect Regsvr32 Application Control Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}, {"name": "DLLHost with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Domain Account Discovery With Net App", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Domain Group Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Account Access Removal"}]}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "GPUpdate with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}, {"name": "Remote WMI Command Attempt", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "Rundll32 with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "SAM Database File Access Attempt", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "SearchProtocolHost with no Command Line with Network", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "SecretDumps Offline NTDS Dumping Tool", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Services Escalate Exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Suspicious DLLHost no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Suspicious GPUpdate no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Suspicious microsoft workflow compiler rename", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}]}, {"name": "Suspicious msbuild path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}, {"name": "Suspicious MSBuild Rename", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Suspicious Rundll32 no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Suspicious Rundll32 StartW", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Suspicious SearchProtocolHost no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Windows AdFind Exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "Windows Process Injection Remote Thread", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Portable Executable Injection"}]}, {"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}, {"name": "Windows Service Stop By Deletion", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Service Stop"}]}, {"name": "Windows Service Stop Via Net and SC Application", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Service Stop"}]}]}, {"name": "HAFNIUM Group", "author": "Michael Haag, Splunk", "date": "2021-03-03", "version": 1, "id": "beae2ab0-7c3f-11eb-8b63-acde48001122", "description": "HAFNIUM group was identified by Microsoft as exploiting 4 Microsoft Exchange CVEs in the wild - CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.", "references": ["https://www.splunk.com/en_us/blog/security/detecting-hafnium-exchange-server-zero-day-activity-in-splunk.html", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day/"], "narrative": "On Tuesday, March 2, 2021, Microsoft released a set of security patches for its mail server, Microsoft Exchange. These patches respond to a group of vulnerabilities known to impact Exchange 2013, 2016, and 2019. It is important to note that an Exchange 2010 security update has also been issued, though the CVEs do not reference that version as being vulnerable.\nWhile the CVEs do not shed much light on the specifics of the vulnerabilities or exploits, the first vulnerability (CVE-2021-26855) has a remote network attack vector that allows the attacker, a group Microsoft named HAFNIUM, to authenticate as the Exchange server. Three additional vulnerabilities (CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) were also identified as part of this activity. When chained together along with CVE-2021-26855 for initial access, the attacker would have complete control over the Exchange server. This includes the ability to run code as SYSTEM and write to any path on the server.\nThe following Splunk detections assist with identifying the HAFNIUM groups tradecraft and methodology.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1114", "mitre_attack_technique": "Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Magic Hound", "Silent Librarian"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1114.002", "mitre_attack_technique": "Remote Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "Chimera", "Dragonfly", "FIN4", "HAFNIUM", "Ke3chang", "Kimsuky", "Leafminer", "Magic Hound"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "APT5", "Dragonfly", "FIN13", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT", "Wizard Spider"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "APT5", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider", "Scattered Spider"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1003.003", "mitre_attack_technique": "NTDS", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "HAFNIUM", "Ke3chang", "LAPSUS$", "Mustang Panda", "Sandworm Team", "Scattered Spider", "Volt Typhoon", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Lateral Movement", "Initial Access", "Collection", "Persistence", "Execution"], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": ["Delivery", "Command and Control", "Installation", "Exploitation"]}, "detection_names": ["ESCU - Email servers sending high volume traffic to hosts - Rule", "ESCU - Dump LSASS via procdump Rename - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - Detect Exchange Web Shell - Rule", "ESCU - Detect New Local Admin account - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Dump LSASS via procdump - Rule", "ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule", "ESCU - Nishang PowershellTCPOneLine - Rule", "ESCU - Ntdsutil Export NTDS - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule", "ESCU - W3WP Spawning Shell - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Email servers sending high volume traffic to hosts", "source": "application", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Email Collection"}, {"mitre_attack_technique": "Remote Email Collection"}]}, {"name": "Dump LSASS via procdump Rename", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "LSASS Memory"}]}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Detect Exchange Web Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Detect New Local Admin account", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Dump LSASS via procdump", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Malicious PowerShell Process - Execution Policy Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Nishang PowershellTCPOneLine", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Ntdsutil Export NTDS", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}]}, {"name": "Hermetic Wiper", "author": "Teoderick Contreras, Rod Soto, Michael Haag, Splunk", "date": "2022-03-02", "version": 1, "id": "b7511c2e-9a10-11ec-99e3-acde48001122", "description": "This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the destructive malware targeting Ukrainian organizations also known as \"Hermetic Wiper\". This analytic story looks for abuse of Regsvr32, executables written in administrative SMB Share, suspicious processes, disabling of memory crash dump and more.", "references": ["https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/", "https://www.cisa.gov/uscert/ncas/alerts/aa22-057a"], "narrative": "Hermetic Wiper is destructive malware operation found by Sentinel One targeting multiple organizations in Ukraine. This malicious payload corrupts Master Boot Records, uses signed drivers and manipulates NTFS attributes for file destruction.", "tags": {"category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1037", "mitre_attack_technique": "Boot or Logon Initialization Scripts", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "Rocke"]}, {"mitre_attack_id": "T1546.008", "mitre_attack_technique": "Accessibility Features", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT3", "APT41", "Axiom", "Deep Panda", "Fox Kitten"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1546.012", "mitre_attack_technique": "Image File Execution Options Injection", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1561.002", "mitre_attack_technique": "Disk Structure Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Cinnamon Tempest", "Earth Lusca", "FIN13", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1547.012", "mitre_attack_technique": "Print Processors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1037.001", "mitre_attack_technique": "Logon Script (Windows)", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "Cobalt Group"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546.002", "mitre_attack_technique": "Screensaver", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.003", "mitre_attack_technique": "Time Providers", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134.001", "mitre_attack_technique": "Token Impersonation/Theft", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "FIN8"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1561", "mitre_attack_technique": "Disk Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1547.014", "mitre_attack_technique": "Active Setup", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1562.006", "mitre_attack_technique": "Indicator Blocking", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT41", "APT5"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1027.005", "mitre_attack_technique": "Indicator Removal from Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT3", "Deep Panda", "GALLIUM", "OilRig", "Patchwork", "Turla"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1218.014", "mitre_attack_technique": "MMC", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "APT5", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1021.006", "mitre_attack_technique": "Windows Remote Management", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Chimera", "FIN13", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1546.015", "mitre_attack_technique": "Component Object Model Hijacking", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Initial Access", "Lateral Movement", "Reconnaissance", "Persistence", "Privilege Escalation", "Impact", "Execution", "Defense Evasion"], "datamodels": ["Email", "Endpoint"], "kill_chain_phases": ["Command and Control", "Reconnaissance", "Delivery", "Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Email Attachments With Lots Of Spaces - Rule", "ESCU - Suspicious Email Attachment Extensions - Rule", "ESCU - Suspicious Powershell Command-Line Arguments - Rule", "ESCU - Uncommon Processes On Endpoint - Rule", "ESCU - Active Setup Registry Autostart - Rule", "ESCU - Any Powershell DownloadFile - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - Change Default File Association - Rule", "ESCU - Child Processes of Spoolsv exe - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Detect Empire with PowerShell Script Block Logging - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Kerberoasting spn request with RC4 encryption - Rule", "ESCU - Linux Java Spawning Shell - Rule", "ESCU - Logon Script Event Trigger Execution - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Malicious PowerShell Process With Obfuscation Techniques - Rule", "ESCU - MSI Module Loaded by Non-System Binary - Rule", "ESCU - Overwriting Accessibility Binaries - Rule", "ESCU - Possible Lateral Movement PowerShell Spawn - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - PowerShell Domain Enumeration - Rule", "ESCU - Powershell Enable SMB1Protocol Feature - Rule", "ESCU - Powershell Execute COM Object - Rule", "ESCU - Powershell Fileless Process Injection via GetProcAddress - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Powershell Processing Stream Of Data - Rule", "ESCU - Powershell Using memory As Backing Store - Rule", "ESCU - Print Processor Registry Autostart - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Runas Execution in CommandLine - Rule", "ESCU - Screensaver Event Trigger Execution - Rule", "ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Time Provider Persistence Registry - Rule", "ESCU - Unloading AMSI via Reflection - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows Disable Memory Crash Dump - Rule", "ESCU - Windows File Without Extension In Critical Folder - Rule", "ESCU - Windows Modify Show Compress Color And Info Tip Registry - Rule", "ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - WMI Recon Running Process Or Services - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Rod Soto, Michael Haag, Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Email Attachments With Lots Of Spaces", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Suspicious Email Attachment Extensions", "source": "application", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}, {"name": "Suspicious Powershell Command-Line Arguments", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "PowerShell"}]}, {"name": "Uncommon Processes On Endpoint", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "Malicious File"}]}, {"name": "Active Setup Registry Autostart", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Active Setup"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Change Default File Association", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Change Default File Association"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Child Processes of Spoolsv exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Detect Empire with PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "ETW Registry Disabled", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Blocking"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Kerberoasting spn request with RC4 encryption", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}]}, {"name": "Linux Java Spawning Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Logon Script Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Boot or Logon Initialization Scripts"}, {"mitre_attack_technique": "Logon Script (Windows)"}]}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}, {"name": "Malicious PowerShell Process With Obfuscation Techniques", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "MSI Module Loaded by Non-System Binary", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "Overwriting Accessibility Binaries", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "Accessibility Features"}]}, {"name": "Possible Lateral Movement PowerShell Spawn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Remote Management"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "MMC"}]}, {"name": "PowerShell 4104 Hunting", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "PowerShell Domain Enumeration", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Powershell Enable SMB1Protocol Feature", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "Indicator Removal from Tools"}]}, {"name": "Powershell Execute COM Object", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Component Object Model Hijacking"}, {"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Powershell Fileless Process Injection via GetProcAddress", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "PowerShell Loading DotNET into Memory via Reflection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Powershell Processing Stream Of Data", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Powershell Using memory As Backing Store", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Print Processor Registry Autostart", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Gather Victim Host Information"}]}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Gather Victim Host Information"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Registry Keys Used For Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Image File Execution Options Injection"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Regsvr32 Silent and Install Param Dll Loading", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}, {"name": "Runas Execution in CommandLine", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Access Token Manipulation"}, {"mitre_attack_technique": "Token Impersonation/Theft"}]}, {"name": "Screensaver Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "Screensaver"}]}, {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Time Provider Persistence Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Time Providers"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Unloading AMSI via Reflection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}, {"name": "Windows Disable Memory Crash Dump", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Windows File Without Extension In Critical Folder", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Windows Modify Show Compress Color And Info Tip Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}, {"name": "WMI Recon Running Process Or Services", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Gather Victim Host Information"}]}]}, {"name": "Hidden Cobra Malware", "author": "Rico Valdez, Splunk", "date": "2020-01-22", "version": 2, "id": "baf7580b-d4b4-4774-8173-7d198e9da335", "description": "Monitor for and investigate activities, including the creation or deletion of hidden shares and file writes, that may be evidence of infiltration by North Korean government-sponsored cybercriminals. Details of this activity were reported in DHS Report TA-18-149A.", "references": ["https://web.archive.org/web/20191220004307/https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity", "https://web.archive.org/web/20220421112536/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf"], "narrative": "North Korea's government-sponsored \"cyber army\" has been slowly building momentum and gaining sophistication over the last 15 years or so. As a result, the group's activity, which the US government refers to as \"Hidden Cobra,\" has surreptitiously crept onto the collective radar as a preeminent global threat.\nThese state-sponsored actors are thought to be responsible for everything from a hack on a South Korean nuclear plant to an attack on Sony in anticipation of its release of the movie \"The Interview\" at the end of 2014. They're also notorious for cyberespionage. In recent years, the group seems to be focused on financial crimes, such as cryptojacking.\nIn June of 2018, The Department of Homeland Security, together with the FBI and other U.S. government partners, issued Technical Alert (TA-18-149A) to advise the public about two variants of North Korean malware. One variant, dubbed \"Joanap,\" is a multi-stage peer-to-peer botnet that allows North Korean state actors to exfiltrate data, download and execute secondary payloads, and initialize proxy communications. The other variant, \"Brambul,\" is a Windows32 SMB worm that is dropped into a victim network. When executed, the malware attempts to spread laterally within a victim's local subnet, connecting via the SMB protocol and initiating brute-force password attacks. It reports details to the Hidden Cobra actors via email, so they can use the information for secondary remote operations.\nAmong other searches in this Analytic Story is a detection search that looks for the creation or deletion of hidden shares, such as, \"adnim$,\" which the Hidden Cobra malware creates on the target system. Another looks for the creation of three malicious files associated with the malware. You can also use a search in this story to investigate activity that indicates that malware is sending email back to the attackers.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "APT5", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1071.004", "mitre_attack_technique": "DNS", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT39", "APT41", "Chimera", "Cobalt Group", "FIN7", "Ke3chang", "LazyScripter", "OilRig", "Tropic Trooper"]}, {"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}, {"mitre_attack_id": "T1070.005", "mitre_attack_technique": "Network Share Connection Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Threat Group-3390"]}, {"mitre_attack_id": "T1071.002", "mitre_attack_technique": "File Transfer Protocols", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Dragonfly", "Kimsuky", "SilverTerrier"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Magic Hound", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}], "mitre_attack_tactics": ["Command And Control", "Lateral Movement", "Exfiltration", "Execution", "Defense Evasion"], "datamodels": ["Network_Resolution", "Endpoint", "Network_Traffic"], "kill_chain_phases": ["Command and Control", "Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - First time seen command line argument - Rule", "ESCU - Suspicious File Write - Rule", "ESCU - Create or delete windows shares using net exe - Rule", "ESCU - Remote Desktop Process Running On System - Rule", "ESCU - Detect Outbound SMB Traffic - Rule", "ESCU - DNS Query Length Outliers - MLTK - Rule", "ESCU - DNS Query Length With High Standard Deviation - Rule", "ESCU - Remote Desktop Network Traffic - Rule", "ESCU - SMB Traffic Spike - Rule", "ESCU - SMB Traffic Spike - MLTK - Rule"], "investigation_names": ["Get DNS Server History for a host", "Get DNS traffic ratio", "Get History Of Email Sources", "Get Notable History", "Get Outbound Emails to Hidden Cobra Threat Actors", "Get Parent Process Info", "Get Process Info", "Get Process Information For Port Activity", "Get Process Responsible For The DNS Traffic", "Investigate Successful Remote Desktop Authentications"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "First time seen command line argument", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Windows Command Shell"}]}, {"name": "Suspicious File Write", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Create or delete windows shares using net exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Network Share Connection Removal"}]}, {"name": "Remote Desktop Process Running On System", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "Detect Outbound SMB Traffic", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "File Transfer Protocols"}, {"mitre_attack_technique": "Application Layer Protocol"}]}, {"name": "DNS Query Length Outliers - MLTK", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "DNS"}, {"mitre_attack_technique": "Application Layer Protocol"}]}, {"name": "DNS Query Length With High Standard Deviation", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}, {"name": "Remote Desktop Network Traffic", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "SMB Traffic Spike", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "SMB Traffic Spike - MLTK", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Remote Services"}]}]}, {"name": "IcedID", "author": "Teoderick Contreras, Splunk", "date": "2021-07-29", "version": 1, "id": "1d2cc747-63d7-49a9-abb8-93aa36305603", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the IcedID banking trojan, including looking for file writes associated with its payload, process injection, shellcode execution and data collection.", "references": ["https://threatpost.com/icedid-banking-trojan-surges-emotet/165314/", "https://app.any.run/tasks/48414a33-3d66-4a46-afe5-c2003bb55ccf/"], "narrative": "IcedId banking trojan campaigns targeting banks and other vertical sectors.This malware is known in Microsoft Windows OS targetting browser such as firefox and chrom to steal banking information. It is also known to its unique payload downloaded in C2 where it can be a .png file that hides the core shellcode bot using steganography technique or gzip dat file that contains \"license.dat\" which is the actual core icedid bot.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA2541", "TA551"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Akira", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Scattered Spider", "Silence", "Threat Group-3390", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "APT5", "Akira", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN13", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1005", "mitre_attack_technique": "Data from Local System", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT3", "APT37", "APT38", "APT39", "APT41", "Andariel", "Axiom", "BRONZE BUTLER", "CURIUM", "Dark Caracal", "Dragonfly", "FIN13", "FIN6", "FIN7", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HAFNIUM", "Inception", "Ke3chang", "Kimsuky", "LAPSUS$", "Lazarus Group", "LuminousMoth", "Magic Hound", "Patchwork", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "ToddyCat", "Turla", "Volt Typhoon", "Windigo", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "APT5", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Akira", "Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1204.001", "mitre_attack_technique": "Malicious Link", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1135", "mitre_attack_technique": "Network Share Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT32", "APT38", "APT39", "APT41", "Chimera", "DarkVishnya", "Dragonfly", "FIN13", "Sowbug", "Tonto Team", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT41", "BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Scattered Spider", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.002", "mitre_attack_technique": "Spearphishing Link", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}], "mitre_attack_tactics": ["Command And Control", "Discovery", "Lateral Movement", "Initial Access", "Collection", "Persistence", "Privilege Escalation", "Execution", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Command and Control", "Installation", "Exploitation"]}, "detection_names": ["ESCU - Account Discovery With Net App - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - CHCP Command Execution - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Create Remote Thread In Shell Application - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Disable Defender AntiVirus Registry - Rule", "ESCU - Disable Defender BlockAtFirstSeen Feature - Rule", "ESCU - Disable Defender Enhanced Notification - Rule", "ESCU - Disable Defender MpEngine Registry - Rule", "ESCU - Disable Defender Spynet Reporting - Rule", "ESCU - Disable Defender Submit Samples Consent Feature - Rule", "ESCU - Disable Schedule Task - Rule", "ESCU - Disabling Defender Services - Rule", "ESCU - Drop IcedID License dat - Rule", "ESCU - Eventvwr UAC Bypass - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - FodHelper UAC Bypass - Rule", "ESCU - IcedID Exfiltrated Archived File Creation - Rule", "ESCU - Mshta spawning Rundll32 OR Regsvr32 Process - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Share Discovery Via Dir Command - Rule", "ESCU - NLTest Domain Trust Discovery - Rule", "ESCU - Office Application Spawn Regsvr32 process - Rule", "ESCU - Office Application Spawn rundll32 process - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawning MSHTA - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - Powershell Processing Stream Of Data - Rule", "ESCU - Powershell Using memory As Backing Store - Rule", "ESCU - Process Creating LNK file in Suspicious Location - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Remote System Discovery with Net - Rule", "ESCU - Remote WMI Command Attempt - Rule", "ESCU - Rundll32 Create Remote Thread To A Process - Rule", "ESCU - Rundll32 CreateRemoteThread In Browser - Rule", "ESCU - Rundll32 DNSQuery - Rule", "ESCU - Rundll32 Process Creating Exe Dll Files - Rule", "ESCU - RunDLL Loading DLL By Ordinal - Rule", "ESCU - Schedule Task with Rundll32 Command Trigger - Rule", "ESCU - Sqlite Module In Temp Folder - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Suspicious IcedID Rundll32 Cmdline - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Regsvr32 Register Suspicious Path - Rule", "ESCU - Suspicious Rundll32 dllregisterserver - Rule", "ESCU - Suspicious Rundll32 PluginInit - Rule", "ESCU - Windows AdFind Exe - Rule", "ESCU - Windows Curl Download to Suspicious Path - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule", "ESCU - Windows WMI Process Call Create - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule", "ESCU - Wmic NonInteractive App Uninstallation - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Account Discovery With Net App", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "CHCP Command Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Create Remote Thread In Shell Application", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}, {"name": "Disable Defender AntiVirus Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Defender BlockAtFirstSeen Feature", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Defender Enhanced Notification", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Defender MpEngine Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Defender Spynet Reporting", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Defender Submit Samples Consent Feature", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Schedule Task", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disabling Defender Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Drop IcedID License dat", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "User Execution"}, {"mitre_attack_technique": "Malicious File"}]}, {"name": "Eventvwr UAC Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "FodHelper UAC Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}, {"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "IcedID Exfiltrated Archived File Creation", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}, {"name": "Mshta spawning Rundll32 OR Regsvr32 Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}, {"name": "Network Connection Discovery With Arp", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "Network Share Discovery Via Dir Command", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Network Share Discovery"}]}, {"name": "NLTest Domain Trust Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Trust Discovery"}]}, {"name": "Office Application Spawn Regsvr32 process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Application Spawn rundll32 process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawning MSHTA", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Powershell Processing Stream Of Data", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Powershell Using memory As Backing Store", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Process Creating LNK file in Suspicious Location", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Link"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}, {"name": "Remote System Discovery with Net", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "Remote WMI Command Attempt", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "Rundll32 Create Remote Thread To A Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Rundll32 CreateRemoteThread In Browser", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Rundll32 DNSQuery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Rundll32 Process Creating Exe Dll Files", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "RunDLL Loading DLL By Ordinal", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Schedule Task with Rundll32 Command Trigger", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Sqlite Module In Temp Folder", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data from Local System"}]}, {"name": "Suspicious Copy on System32", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "Masquerading"}]}, {"name": "Suspicious IcedID Rundll32 Cmdline", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Suspicious Regsvr32 Register Suspicious Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}, {"name": "Suspicious Rundll32 dllregisterserver", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Suspicious Rundll32 PluginInit", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Windows AdFind Exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "Windows Curl Download to Suspicious Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Malicious Link"}, {"mitre_attack_technique": "User Execution"}]}, {"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}, {"name": "Windows WMI Process Call Create", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Scheduled Task"}]}, {"name": "Wmic NonInteractive App Uninstallation", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}]}, {"name": "IIS Components", "author": "Michael Haag, Splunk", "date": "2022-12-19", "version": 1, "id": "0fbde550-8252-43ab-a26a-03976f55b58b", "description": "Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence.", "references": ["https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", "https://attack.mitre.org/techniques/T1505/004/", "https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework-1.pdf", "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", "https://www.secureworks.com/research/bronze-union", "https://strontic.github.io/xcyclopedia/library/appcmd.exe-055B2B09409F980BF9B5A3969D01E5B2.html"], "narrative": "IIS provides several mechanisms to extend the functionality of the web servers. For example, Internet Server Application Programming Interface (ISAPI) extensions and filters can be installed to examine and/or modify incoming and outgoing IIS web requests. Extensions and filters are deployed as DLL files that export three functions - Get{Extension/Filter}Version, Http{Extension/Filter}Proc, and (optionally) Terminate{Extension/Filter}. IIS modules may also be installed to extend IIS web servers.\nAdversaries may install malicious ISAPI extensions and filters to observe and/or modify traffic, execute commands on compromised machines, or proxy command and control traffic. ISAPI extensions and filters may have access to all IIS web requests and responses. For example, an adversary may abuse these mechanisms to modify HTTP responses in order to distribute malicious commands/content to previously comprised hosts.\nAdversaries may also install malicious IIS modules to observe and/or modify traffic. IIS 7.0 introduced modules that provide the same unrestricted access to HTTP requests and responses as ISAPI extensions and filters. IIS modules can be written as a DLL that exports RegisterModule, or as a .NET application that interfaces with ASP.NET APIs to access IIS HTTP requests. (reference MITRE)", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.002", "mitre_attack_technique": "Disable Windows Event Logging", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound", "Threat Group-3390"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1505.004", "mitre_attack_technique": "IIS Components", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Persistence", "Defense Evasion"], "datamodels": ["Endpoint", "Web"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - Windows Disable Windows Event Logging Disable HTTP Logging - Rule", "ESCU - Windows IIS Components Add New Module - Rule", "ESCU - Windows IIS Components Get-WebGlobalModule Module Query - Rule", "ESCU - Windows IIS Components Module Failed to Load - Rule", "ESCU - Windows IIS Components New Module Added - Rule", "ESCU - Windows PowerShell Add Module to Global Assembly Cache - Rule", "ESCU - Windows PowerShell Disable HTTP Logging - Rule", "ESCU - Windows PowerShell IIS Components WebGlobalModule Usage - Rule", "ESCU - Windows Server Software Component GACUtil Install to GAC - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Disable Windows Event Logging Disable HTTP Logging", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable Windows Event Logging"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}, {"name": "Windows IIS Components Add New Module", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}, {"name": "Windows IIS Components Get-WebGlobalModule Module Query", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "IIS Components"}, {"mitre_attack_technique": "Server Software Component"}]}, {"name": "Windows IIS Components Module Failed to Load", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}, {"name": "Windows IIS Components New Module Added", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}, {"name": "Windows PowerShell Add Module to Global Assembly Cache", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}, {"name": "Windows PowerShell Disable HTTP Logging", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Disable Windows Event Logging"}, {"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}, {"name": "Windows PowerShell IIS Components WebGlobalModule Usage", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}, {"name": "Windows Server Software Component GACUtil Install to GAC", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}]}, {"name": "Industroyer2", "author": "Teoderick Contreras, Splunk", "date": "2022-04-21", "version": 1, "id": "7ff7db2b-b001-498e-8fe8-caf2dbc3428a", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Industroyer2 attack, including file writes associated with its payload, lateral movement, persistence, privilege escalation and data destruction.", "references": ["https://cert.gov.ua/article/39518", "https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/"], "narrative": "Industroyer2 is part of continuous attack to ukraine targeting energy facilities. This malware is a windows binary that implement IEC-104 protocol to communicate with industrial equipments. This attack consist of several destructive linux script component to wipe or delete several linux critical files, powershell for domain enumeration and caddywiper to wipe boot sector of the targeted host.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1053.003", "mitre_attack_technique": "Cron", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT38", "APT5", "Rocke"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT", "ToddyCat"]}, {"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT41", "BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Scattered Spider", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}], "mitre_attack_tactics": ["Discovery", "Credential Access", "Lateral Movement", "Reconnaissance", "Persistence", "Privilege Escalation", "Impact", "Execution", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation", "Actions on Objectives", "Reconnaissance"]}, "detection_names": ["ESCU - AdsiSearcher Account Discovery - Rule", "ESCU - Attempted Credential Dump From Registry via Reg exe - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux DD File Overwrite - Rule", "ESCU - Linux Deleting Critical Directory Using RM Command - Rule", "ESCU - Linux Disable Services - Rule", "ESCU - Linux High Frequency Of File Deletion In Boot Folder - Rule", "ESCU - Linux Shred Overwrite Command - Rule", "ESCU - Linux Stdout Redirection To Dev Null File - Rule", "ESCU - Linux Stop Services - Rule", "ESCU - Linux System Network Discovery - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Hidden Schedule Task Settings - Rule", "ESCU - Windows Linked Policies In ADSI Discovery - Rule", "ESCU - Windows Processes Killed By Industroyer2 Malware - Rule", "ESCU - Windows Root Domain linked policies Discovery - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "AdsiSearcher Account Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Attempted Credential Dump From Registry via Reg exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Linux Adding Crontab Using List Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux DD File Overwrite", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Linux Deleting Critical Directory Using RM Command", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Linux Disable Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Service Stop"}]}, {"name": "Linux High Frequency Of File Deletion In Boot Folder", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Linux Shred Overwrite Command", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Linux Stdout Redirection To Dev Null File", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Linux Stop Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Service Stop"}]}, {"name": "Linux System Network Discovery", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Network Configuration Discovery"}]}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Gather Victim Host Information"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Schtasks Run Task On Demand", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Windows Hidden Schedule Task Settings", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Windows Linked Policies In ADSI Discovery", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Windows Processes Killed By Industroyer2 Malware", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Service Stop"}]}, {"name": "Windows Root Domain linked policies Discovery", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Scheduled Task"}]}]}, {"name": "Information Sabotage", "author": "Teoderick Contreras, Splunk", "date": "2021-11-17", "version": 1, "id": "b71ba595-ef80-4e39-8b66-887578a7a71b", "description": "Leverage searches that allow you to detect and investigate unusual activities that might correlate to insider threat specially in terms of information sabotage.", "references": ["https://insights.sei.cmu.edu/blog/insider-threat-deep-dive-it-sabotage/"], "narrative": "Information sabotage is the type of crime many people associate with insider threat. Where the current or former employees, contractors, or business partners intentionally exceeded or misused an authorized level of access to networks, systems, or data with the intention of harming a specific individual, the organization, or the organization's data, systems, and/or daily business operations.", "tags": {"category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud", "Splunk Behavioral Analytics"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - High Frequency Copy Of Files In Network Share - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "High Frequency Copy Of Files In Network Share", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}]}, {"name": "Ingress Tool Transfer", "author": "Michael Haag, Splunk", "date": "2021-03-24", "version": 1, "id": "b3782036-8cbd-11eb-9d8e-acde48001122", "description": "Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the Command And Control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP.", "references": ["https://attack.mitre.org/techniques/T1105/"], "narrative": "Ingress tool transfer is a Technique under tactic Command And Control. Behaviors will include the use of living off the land binaries to download implants or binaries over alternate communication ports. It is imperative to baseline applications on endpoints to understand what generates network activity, to where, and what is its native behavior. These utilities, when abused, will write files to disk in world writeable paths.\\ During triage, review the reputation of the remote public destination IP or domain. Capture any files written to disk and perform analysis. Review other parrallel processes for additional behaviors.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1197", "mitre_attack_technique": "BITS Jobs", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": ["APT39", "APT41", "Leviathan", "Patchwork", "Wizard Spider"]}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "Cinnamon Tempest", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "MoustachedBouncer", "POLONIUM", "Sandworm Team", "Turla", "Volt Typhoon", "Windigo"]}, {"mitre_attack_id": "T1095", "mitre_attack_technique": "Non-Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT3", "BITTER", "BackdoorDiplomacy", "FIN6", "HAFNIUM", "Metador", "PLATINUM", "ToddyCat"]}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Collection", "Persistence", "Execution", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Command and Control", "Installation", "Exploitation"]}, "detection_names": ["ESCU - Any Powershell DownloadFile - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - BITSAdmin Download File - Rule", "ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - CertUtil Download With VerifyCtl and Split Arguments - Rule", "ESCU - Curl Download and Bash Execution - Rule", "ESCU - Detect Certify Command Line Arguments - Rule", "ESCU - Detect Certipy File Modifications - Rule", "ESCU - Linux Curl Upload File - Rule", "ESCU - Linux Ingress Tool Transfer Hunting - Rule", "ESCU - Linux Ingress Tool Transfer with Curl - Rule", "ESCU - Linux Proxy Socks Curl - Rule", "ESCU - Suspicious Curl Network Connection - Rule", "ESCU - Wget Download and Bash Execution - Rule", "ESCU - Windows Curl Download to Suspicious Path - Rule", "ESCU - Windows Curl Upload to Remote Destination - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "BITSAdmin Download File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "BITS Jobs"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "CertUtil Download With VerifyCtl and Split Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Curl Download and Bash Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Detect Certify Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Detect Certipy File Modifications", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}, {"mitre_attack_technique": "Archive Collected Data"}]}, {"name": "Linux Curl Upload File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Linux Ingress Tool Transfer Hunting", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Linux Ingress Tool Transfer with Curl", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Linux Proxy Socks Curl", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Non-Application Layer Protocol"}]}, {"name": "Suspicious Curl Network Connection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Wget Download and Bash Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Windows Curl Download to Suspicious Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Windows Curl Upload to Remote Destination", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}]}, {"name": "Insider Threat", "author": "Jose Hernandez, Splunk", "date": "2022-05-19", "version": 1, "id": "c633df29-a950-4c4c-a0f8-02be6730797c", "description": "Monitor for activities and techniques associated with insider threats and specifically focusing on malicious insiders operating with in a corporate environment.", "references": ["https://www.imperva.com/learn/application-security/insider-threats/", "https://www.cisa.gov/defining-insider-threats", "https://www.code42.com/glossary/types-of-insider-threats/", "https://github.com/Insider-Threat/Insider-Threat", "https://ctid.mitre-engenuity.org/our-work/insider-ttp-kb/"], "narrative": "Insider Threats are best defined by CISA: \"Insider threat incidents are possible in any sector or organization. An insider threat is typically a current or former employee, third-party contractor, or business partner. In their present or former role, the person has or had access to an organization's network systems, data, or premises, and uses their access (sometimes unwittingly). To combat the insider threat, organizations can implement a proactive, prevention-focused mitigation program to detect and identify threats, assess risk, and manage that risk - before an incident occurs.\" An insider is any person who has or had authorized access to or knowledge of an organization's resources, including personnel, facilities, information, equipment, networks, and systems. These are the common insiders that create insider threats: Departing Employees, Security Evaders, Malicious Insiders, and Negligent Employees. This story aims at detecting the malicious insider.", "tags": {"category": ["Adversary Tactics", "Account Compromise", "Lateral Movement", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud", "Splunk Behavioral Analytics"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1567.002", "mitre_attack_technique": "Exfiltration to Cloud Storage", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["Akira", "Chimera", "Cinnamon Tempest", "Confucius", "Earth Lusca", "FIN7", "HAFNIUM", "HEXANE", "Kimsuky", "Leviathan", "LuminousMoth", "POLONIUM", "Scattered Spider", "Threat Group-3390", "ToddyCat", "Turla", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1567", "mitre_attack_technique": "Exfiltration Over Web Service", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT28", "Magic Hound"]}, {"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1219", "mitre_attack_technique": "Remote Access Software", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Akira", "Carbanak", "Cobalt Group", "DarkVishnya", "Evilnum", "FIN7", "GOLD SOUTHFIELD", "Kimsuky", "MuddyWater", "Mustang Panda", "RTM", "Sandworm Team", "Scattered Spider", "TeamTNT", "Thrip"]}, {"mitre_attack_id": "T1078.003", "mitre_attack_technique": "Local Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT32", "FIN10", "FIN7", "HAFNIUM", "Kimsuky", "PROMETHIUM", "Tropic Trooper", "Turla"]}, {"mitre_attack_id": "T1552.001", "mitre_attack_technique": "Credentials In Files", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "FIN13", "Fox Kitten", "Kimsuky", "Leafminer", "MuddyWater", "OilRig", "Scattered Spider", "TA505", "TeamTNT"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1537", "mitre_attack_technique": "Transfer Data to Cloud Account", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Initial Access", "Exfiltration", "Persistence", "Privilege Escalation", "Defense Evasion"], "datamodels": ["Network_Resolution", "Endpoint", "Authentication", "Network_Traffic"], "kill_chain_phases": ["Command and Control", "Delivery", "Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Gsuite Drive Share In External Email - Rule", "ESCU - Gsuite Outbound Email With Attachment To External Domain - Rule", "ESCU - Detect Remote Access Software Usage File - Rule", "ESCU - Detect Remote Access Software Usage FileInfo - Rule", "ESCU - Detect Remote Access Software Usage Process - Rule", "ESCU - High Frequency Copy Of Files In Network Share - Rule", "ESCU - Potential password in username - Rule", "ESCU - Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials - Rule", "ESCU - Windows Multiple Users Failed To Authenticate From Process - Rule", "ESCU - Windows Remote Access Software Hunt - Rule", "ESCU - Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials - Rule", "ESCU - Windows Unusual Count Of Users Failed To Authenticate From Process - Rule", "ESCU - Detect Remote Access Software Usage DNS - Rule", "ESCU - Detect Remote Access Software Usage Traffic - Rule", "ESCU - Detect Remote Access Software Usage URL - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Jose Hernandez", "detections": [{"name": "Gsuite Drive Share In External Email", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exfiltration to Cloud Storage"}, {"mitre_attack_technique": "Exfiltration Over Web Service"}]}, {"name": "Gsuite Outbound Email With Attachment To External Domain", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}, {"name": "Detect Remote Access Software Usage File", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}, {"name": "Detect Remote Access Software Usage FileInfo", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}, {"name": "Detect Remote Access Software Usage Process", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}, {"name": "High Frequency Copy Of Files In Network Share", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}, {"name": "Potential password in username", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Local Accounts"}, {"mitre_attack_technique": "Credentials In Files"}]}, {"name": "Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Multiple Users Failed To Authenticate From Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Remote Access Software Hunt", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}, {"name": "Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Unusual Count Of Users Failed To Authenticate From Process", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Detect Remote Access Software Usage DNS", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}, {"name": "Detect Remote Access Software Usage Traffic", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}, {"name": "Detect Remote Access Software Usage URL", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}]}, {"name": "Ivanti Connect Secure VPN Vulnerabilities", "author": "Michael Haag, Splunk", "date": "2024-01-16", "version": 1, "id": "e3b5c3b8-082b-4b4e-b2c9-47ed79e2a5ab", "description": "The following analytic story addresses critical vulnerabilities CVE-2023-46805 and CVE-2024-21887 in Ivanti Connect Secure and Ivanti Policy Secure Gateways. CVE-2023-46805 is an authentication bypass vulnerability, while CVE-2024-21887 is a command injection flaw, both presenting significant risks in versions 9.x and 22.x. Combined, these vulnerabilities enable unauthenticated threat actors to execute arbitrary commands, compromising system integrity. Immediate mitigation is imperative, with patches scheduled for staggered release. Ivanti has provided interim mitigation steps, and it's crucial for customers to apply these measures to protect their systems against potential exploits.", "references": ["https://github.com/RootUp/PersonalStuff/blob/master/http-vuln-cve2023-46805_2024_21887.nse", "https://github.com/projectdiscovery/nuclei-templates/blob/c6b351e71b0fb0e40e222e97038f1fe09ac58194/http/misconfiguration/ivanti/CVE-2023-46085-CVE-2024-21887-mitigation-not-applied.yaml", "https://github.com/rapid7/metasploit-framework/pull/18708/files", "https://attackerkb.com/topics/AdUh6by52K/cve-2023-46805/rapid7-analysis", "https://labs.watchtowr.com/welcome-to-2024-the-sslvpn-chaos-continues-ivanti-cve-2023-46805-cve-2024-21887/", "https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/", "https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day", "https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US"], "narrative": "Ivanti Connect Secure and Ivanti Policy Secure gateways face a severe security challenge with the discovery of CVE-2023-46805 and CVE-2024-21887. CVE-2023-46805 allows attackers to bypass authentication in critical web components of versions 9.x and 22.x. More alarmingly, when paired with CVE-2024-21887, a command injection vulnerability, it enables remote attackers to execute arbitrary commands without authentication. This combination poses a heightened threat, undermining the security of enterprise networks. Ivanti has mobilized resources to address these vulnerabilities, offering immediate mitigation advice and scheduling patch releases. Customers are urged to apply these mitigations without delay to safeguard their networks.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Web"], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint - Rule", "ESCU - Ivanti Connect Secure Command Injection Attempts - Rule", "ESCU - Ivanti Connect Secure SSRF in SAML Component - Rule", "ESCU - Ivanti Connect Secure System Information Access via Auth Bypass - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}, {"name": "Ivanti Connect Secure Command Injection Attempts", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}, {"name": "Ivanti Connect Secure SSRF in SAML Component", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}, {"name": "Ivanti Connect Secure System Information Access via Auth Bypass", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}]}, {"name": "Ivanti EPMM Remote Unauthenticated Access", "author": "Michael Haag, Splunk", "date": "2023-08-08", "version": 2, "id": "7e36ca54-c096-4a39-b724-6fc935164f0c", "description": "Ivanti, a leading technology company, has disclosed two critical zero-day vulnerabilities in its Endpoint Manager Mobile (EPMM) product, CVE-2023-35078 and CVE-2023-35081. A recent update concerning CVE-2023-35082, closely related to CVE-2023-35078, reveals its impact on more versions of Ivanti's software than initially believed. The former allows unauthenticated attackers to obtain sensitive data, modify servers, and access the API, potentially leading to data breaches or malicious system modifications. Meanwhile, CVE-2023-35081 lets authenticated administrators remotely write arbitrary files to the server. Both vulnerabilities have been exploited in targeted attacks against government ministries and could be used in conjunction. With the presence of PoC code for CVE-2023-35078, the risk of broader exploitation has increased. While initially leveraged in limited attacks, the exploitation is expected to rise, possibly involving state-sponsored actors. Organizations are urged to apply immediate patches and conduct regular system assessments to ensure security.", "references": ["https://www.securityweek.com/second-ivanti-epmm-zero-day-vulnerability-exploited-in-targeted-attacks/", "https://www.cisa.gov/news-events/alerts/2023/07/28/ivanti-releases-security-updates-epmm-address-cve-2023-35081", "https://nvd.nist.gov/vuln/detail/CVE-2023-35078", "https://forums.ivanti.com/s/article/CVE-2023-35078-Remote-unauthenticated-API-access-vulnerability?language=en_US"], "narrative": "Ivantis Endpoint Manager Mobile (EPMM) product, formerly known as MobileIron Core and extensively utilized by IT teams to manage mobile devices, applications, and content, has been found to harbor several critical vulnerabilities. Specifically, CVE-2023-35078 allows remote unauthenticated attackers to access sensitive data and make changes to servers. This flaw has been leveraged in targeted attacks against Norwegian government ministries. In addition, CVE-2023-35081 permits an authenticated attacker with administrative privileges to remotely write arbitrary files to the server.\nRecently, attention has shifted to CVE-2023-35082, which was initially believed to affect only MobileIron Core 11.2 and below. Subsequent investigations revealed its wider influence, affecting EPMM versions 11.10, 11.9, 11.8, and MobileIron Core 11.7 and earlier. This vulnerability facilitates unauthorized access to the API via the URI path /mifs/asfV3/api/v2/.\nWhen combined, these vulnerabilities can be exploited to bypass administrative authentication and access control list (ACL) restrictions, leading to malicious file writing and potential OS command execution. Both have been actively exploited, possibly by state-sponsored actors, prompting urgent advisories from Ivanti and Rapid7, alongside CISA. Given the thousands of potentially vulnerable internet-exposed systems and the presence of PoC code for CVE-2023-35078, the risk of extensive exploitation escalates. The situation is further muddled by Ivanti's 2020 acquisition of MobileIron, which had its known issues. Collectively, these vulnerabilities present a significant risk to organizations utilizing Ivanti's EPMM, emphasizing the need for swift patching, vigilant monitoring, and timely application of fixes to counteract potential threats.", "tags": {"category": ["Vulnerability", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}], "mitre_attack_tactics": ["Persistence", "Initial Access"], "datamodels": ["Web"], "kill_chain_phases": ["Delivery", "Installation"]}, "detection_names": ["ESCU - Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078 - Rule", "ESCU - Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}]}, {"name": "Ivanti Sentry Authentication Bypass CVE-2023-38035", "author": "Michael Haag, Splunk", "date": "2023-08-24", "version": 1, "id": "da229be2-4637-47a5-b551-1d4b64f411c6", "description": "A critical vulnerability, designated as CVE-2023-38035, has been identified in Ivanti Sentry (formerly MobileIron Sentry). It affects all supported versions, including 9.18, 9.17, and 9.16, as well as older versions. The vulnerability allows an unauthenticated attacker to access the System Manager Portal (typically hosted on port 8443) and make configuration changes, potentially executing OS commands as root. However, the risk is low for users who haven't exposed port 8443 online. This flaw is distinct from other Ivanti products. It's imperative for organizations to check for unrecognized HTTP requests to /services/* as a potential indicator of compromise.", "references": ["https://github.com/horizon3ai/CVE-2023-38035/blob/main/CVE-2023-38035.py", "https://www.horizon3.ai/ivanti-sentry-authentication-bypass-cve-2023-38035-deep-dive/", "https://forums.ivanti.com/s/article/KB-API-Authentication-Bypass-on-Sentry-Administrator-Interface-CVE-2023-38035?language=en_US"], "narrative": "CVE-2023-38035 presents a significant security risk in the Ivanti Sentry administration interface. The vulnerability was identified shortly after another notable vulnerability in Ivanti EPMM (CVE-2023-35078) was discovered being exploited in the wild. The current vulnerability allows a malicious actor, without requiring authentication, to access the System Manager Portal, typically hosted on port 8443. Upon successful exploitation, the attacker can make configuration alterations to both the Sentry system and its underlying OS. The potential damage is significant, enabling the attacker to execute commands on the system with root privileges.\nWhile this vulnerability scored high on the CVSS scale, its risk is relatively mitigated for clients who have not exposed port 8443 to the internet. The primary exploitation vector is the System Manager Portal, an administrative interface for Sentry.\nAs of now, definitive indicators of compromise (IoCs) are elusive. However, any unexpected HTTP requests to the endpoint /services/* could be a red flag. It's worth noting that the exploited endpoint might not be the sole vulnerable point, suggesting other potential gateways for attackers. Ivanti Sentry's system doesn't provide a typical Unix shell, but in the event of a known system breach, the /var/log/tomcat2/ directory contains access logs that may reveal accessed endpoints. Additionally, web interface logs may provide insights into suspicious activities and should be monitored closely.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Ivanti Sentry Authentication Bypass - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Ivanti Sentry Authentication Bypass", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}]}, {"name": "JBoss Vulnerability", "author": "Bhavin Patel, Splunk", "date": "2017-09-14", "version": 1, "id": "1f5294cb-b85f-4c2d-9c58-ffcf248f52bd", "description": "In March of 2016, adversaries were seen using JexBoss--an open-source utility used for testing and exploiting JBoss application servers. These searches help detect evidence of these attacks, such as network connections to external resources or web services spawning atypical child processes, among others.", "references": ["http://www.deependresearch.org/2016/04/jboss-exploits-view-from-victim.html"], "narrative": "This Analytic Story looks for probing and exploitation attempts targeting JBoss application servers. While the vulnerabilities associated with this story are rather dated, they were leveraged in a spring 2016 campaign in connection with the Samsam ransomware variant. Incidents involving this ransomware are unique, in that they begin with attacks against vulnerable services, rather than the phishing or drive-by attacks more common with ransomware. In this case, vulnerable JBoss applications appear to be the target of choice.\nIt is helpful to understand how often a notable event generated by this story occurs, as well as the commonalities between some of these events, both of which may provide clues about whether this is a common occurrence of minimal concern or a rare event that may require more extensive investigation. It may also help to understand whether the issue is restricted to a single user/system or whether it is broader in scope.\nWhen looking at the target of the behavior uncovered by the event, you should note the sensitivity of the user and or/system to help determine the potential impact. It is also helpful to identify other recent events involving the target. This can help tie different events together and give further situational awareness regarding the target host.\nVarious types of information for external systems should be reviewed and, potentially, collected if the incident is, indeed, judged to be malicious. This data may be useful for generating your own threat intelligence, so you can create future alerts.\nThe following factors may assist you in determining whether the event is malicious:\n1. Country of origin\n1. Responsible party\n1. Fully qualified domain names associated with the external IP address\n1. Registration of fully qualified domain names associated with external IP address Determining whether it is a dynamic domain frequently visited by others and/or how third parties categorize it can also help you qualify and understand the event and possible motivation for the attack. In addition, there are various sources that may provide reputation information on the IP address or domain name, which can assist you in determining whether the event is malicious in nature. Finally, determining whether there are other events associated with the IP address may help connect data points or expose other historic events that might be brought back into scope.\nGathering various data on the system of interest can sometimes help quickly determine whether something suspicious is happening. Some of these items include determining who else may have logged into the system recently, whether any unusual scheduled tasks exist, whether the system is communicating on suspicious ports, whether there are modifications to sensitive registry keys, and/or whether there are any known vulnerabilities on the system. This information can often highlight other activity commonly seen in attack scenarios or give more information about how the system may have been targeted.\nhen a specific service or application is targeted, it is often helpful to know the associated version, to help determine whether it is vulnerable to a specific exploit.\nIf you suspect an attack targeting a web server, it is helpful to look at some of the behavior of the web service to see if there is evidence that the service has been compromised. Some indications of this might be network connections to external resources, the web service spawning child processes that are not associated with typical behavior, and whether the service wrote any files that might be malicious in nature.\nIf a suspicious file is found, we can review more information about it to help determine if it is, in fact, malicious. Identifying the file type, any processes that opened the file, the processes that may have created and/or modified the file, and how many other systems potentially have this file can you determine whether the file is malicious. Also, determining the file hash and checking it against reputation sources, such as VirusTotal, can sometimes help you quickly determine if it is malicious in nature.\nOften, a simple inspection of a suspect process name and path can tell you if the system has been compromised. For example, if svchost.exe is found running from a location other than `C:\\Windows\\System32`, it is likely something malicious designed to hide in plain sight when simply reviewing process names.\nIt can also be helpful to examine various behaviors of and the parent of the process of interest. For example, if it turns out the process of interest is malicious, it would be good to see whether the parent process spawned other processes that might also warrant further scrutiny. If a process is suspect, a review of the network connections made around the time of the event and noting whether the process has spawned any child processes could be helpful in determining whether it is malicious or executing a malicious script.", "tags": {"category": ["Vulnerability"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1082", "mitre_attack_technique": "System Information Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT19", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "Blue Mockingbird", "Chimera", "Confucius", "Darkhotel", "FIN13", "FIN8", "Gamaredon Group", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Malteiro", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Sowbug", "Stealth Falcon", "TA2541", "TeamTNT", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Windigo", "Windshift", "Wizard Spider", "ZIRCONIUM", "admin@338"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}], "mitre_attack_tactics": ["Persistence", "Discovery", "Initial Access"], "datamodels": ["Web"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation"]}, "detection_names": ["ESCU - Detect attackers scanning for vulnerable JBoss servers - Rule", "ESCU - Detect malicious requests to exploit JBoss servers - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect attackers scanning for vulnerable JBoss servers", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "System Information Discovery"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Detect malicious requests to exploit JBoss servers", "source": "web", "type": "TTP", "tags": []}]}, {"name": "Jenkins Server Vulnerabilities", "author": "Michael Haag, Splunk", "date": "2024-01-29", "version": 1, "id": "789e76e6-4b5e-4af3-ab8c-46578d84ccff", "description": "This analytic story provides a comprehensive view of Jenkins server vulnerabilities and associated detection analytics.", "references": ["https://www.jenkins.io/security/advisory/2024-01-24/"], "narrative": "The following analytic story provides a comprehensive view of Jenkins server vulnerabilities and associated detection analytics. Jenkins is a popular open-source automation server that is used to automate tasks associated with building, testing, and deploying software. Jenkins is often used in DevOps environments and is a critical component of the software development lifecycle. As a result, Jenkins servers are often targeted by adversaries to gain access to sensitive information, credentials, and other critical assets. This analytic story provides a comprehensive view of Jenkins server vulnerabilities and associated detection analytics.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Jenkins Arbitrary File Read CVE-2024-23897 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Jenkins Arbitrary File Read CVE-2024-23897", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}]}, {"name": "JetBrains TeamCity Unauthenticated RCE", "author": "Michael Haag, Splunk", "date": "2023-10-01", "version": 1, "id": "7ef2d230-9dbb-4d13-9263-a7d8c3aad9bf", "description": "A critical security vulnerability, CVE-2023-42793, has been discovered affecting all versions of TeamCity On-Premises up to 2023.05.3. This vulnerability allows unauthenticated attackers to execute remote code and gain administrative control of the TeamCity server, posing a significant risk for supply chain attacks. Although the issue has been fixed in version 2023.05.4, servers running older versions remain at risk. A security patch plugin has been released for immediate mitigation, applicable to TeamCity versions 8.0 and above. Organizations are strongly advised to update to the fixed version or apply the security patch, especially if their TeamCity server is publicly accessible. No impact has been reported on TeamCity Cloud as it has been upgraded to the secure version.", "references": ["https://blog.jetbrains.com/teamcity/2023/09/critical-security-issue-affecting-teamcity-on-premises-update-to-2023-05-4-now/", "https://www.sonarsource.com/blog/teamcity-vulnerability/", "https://github.com/rapid7/metasploit-framework/pull/18408", "https://attackerkb.com/topics/1XEEEkGHzt/cve-2023-42793/rapid7-analysis"], "narrative": "The CVE-2023-42793 vulnerability in TeamCity On-Premises allows an unauthenticated attacker to bypass authentication and gain administrative access through Remote Code Execution (RCE). Specifically, the attacker can send a malicious POST request to /app/rest/users/id:1/tokens/RPC2 to create an administrative token. Once the token is obtained, the attacker has the ability to perform various unauthorized activities, including creating new admin users and executing arbitrary shell commands on the server. For Splunk Security Content, the focus should be on identifying suspicious POST requests to /app/rest/users/id:1/tokens/RPC2 and other affected API endpoints, as this is the initial point of exploitation. Monitoring logs for changes to the internal.properties file or the creation of new admin users could also provide crucial indicators of compromise. Furthermore, Splunk can be configured to alert on multiple failed login attempts followed by a successful login from the same IP, which could indicate exploitation attempts.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - JetBrains TeamCity RCE Attempt - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "JetBrains TeamCity RCE Attempt", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}]}, {"name": "JetBrains TeamCity Vulnerabilities", "author": "Michael Haag, Splunk", "date": "2024-03-04", "version": 1, "id": "3cd841e8-2f64-45e8-b148-7767255db111", "description": "This story provides a high-level overview of JetBrains TeamCity vulnerabilities and how to detect and respond to them using Splunk.", "references": ["https://www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/", "https://blog.jetbrains.com/teamcity/2024/03/teamcity-2023-11-4-is-out/", "https://blog.jetbrains.com/teamcity/2024/03/additional-critical-security-issues-affecting-teamcity-on-premises-cve-2024-27198-and-cve-2024-27199-update-to-2023-11-4-now/"], "narrative": "JetBrains TeamCity is a continuous integration and deployment server that allows developers to automate the process of building, testing, and deploying code. It is a popular tool used by many organizations to streamline their development and deployment processes. However, like any software, JetBrains TeamCity is not immune to vulnerabilities.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Web"], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - JetBrains TeamCity Authentication Bypass CVE-2024-27198 - Rule", "ESCU - JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198 - Rule", "ESCU - JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199 - Rule", "ESCU - JetBrains TeamCity RCE Attempt - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "JetBrains TeamCity Authentication Bypass CVE-2024-27198", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}, {"name": "JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}, {"name": "JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}, {"name": "JetBrains TeamCity RCE Attempt", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}]}, {"name": "Juniper JunOS Remote Code Execution", "author": "Michael Haag, Splunk", "date": "2023-08-29", "version": 1, "id": "3fcef843-c97e-4cf3-a72f-749be480cee3", "description": "Juniper Networks has resolved multiple critical vulnerabilities in the J-Web component of Junos OS on SRX and EX Series devices. These vulnerabilities, when chained together, could allow an unauthenticated, network-based attacker to remotely execute code on the devices. The vulnerabilities affect all versions of Junos OS on SRX and EX Series, but specific fixes have been released to address each vulnerability. Juniper Networks recommends applying the necessary fixes to mitigate potential remote code execution threats. As a workaround, users can disable J-Web or limit access to only trusted hosts. Proof-of-concept (PoC) exploit code has been released, demonstrating the severity of these flaws and the urgency to apply the fixes.", "references": ["https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution?language=en_US", "https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-36844.yaml", "https://thehackernews.com/2023/08/new-juniper-junos-os-flaws-expose.html", "https://github.com/watchtowrlabs/juniper-rce_cve-2023-36844", "https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/"], "narrative": "Juniper Networks, a networking hardware company, has released an \"out-of-cycle\" security update to address multiple flaws in the J-Web component of Junos OS that could be combined to achieve remote code execution on susceptible installations. The flaws have a cumulative CVSS rating of 9.8, making them critical in severity. They affect all versions of Junos OS on SRX and EX Series. The J-Web interface allows users to configure, manage, and monitor Junos OS devices. The vulnerabilities include two PHP external variable modification vulnerabilities (CVE-2023-36844 and CVE-2023-36845) and two missing authentications for critical function vulnerabilities (CVE-2023-36846 and CVE-2023-36847). These vulnerabilities could allow an unauthenticated, network-based attacker to control certain important environment variables, cause limited impact to the file system integrity, or upload arbitrary files via J-Web without any authentication.\nThe vulnerabilities have been addressed in specific Junos OS versions for EX Series and SRX Series devices. Users are recommended to apply the necessary fixes to mitigate potential remote code execution threats. As a workaround, Juniper Networks suggests disabling J-Web or limiting access to only trusted hosts.\nAdditionally, a PoC exploit has been released by watchTowr, combining CVE-2023-36846 and CVE-2023-36845 to upload a PHP file containing malicious shellcode and achieve code execution by injecting the PHPRC environment variable to point to a configuration file to load the booby-trapped PHP script. WatchTowr noted that this is an interesting bug chain, utilizing two bugs that would be near-useless in isolation and combining them for a \"world-ending\" unauthenticated remote code execution.\nIn conclusion, these vulnerabilities pose a significant threat to Juniper SRX and EX Series devices, and it is imperative for users to apply the necessary fixes or implement the recommended workaround to mitigate the potential impact.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Juniper Networks Remote Code Execution Exploit Detection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Juniper Networks Remote Code Execution Exploit Detection", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "Ingress Tool Transfer"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}]}, {"name": "Kubernetes Scanning Activity", "author": "Rod Soto, Splunk", "date": "2020-04-15", "version": 1, "id": "a9ef59cf-e981-4e66-9eef-bb049f695c09", "description": "This story addresses detection against Kubernetes cluster fingerprint scan and attack by providing information on items such as source ip, user agent, cluster names.", "references": ["https://github.com/splunk/cloud-datamodel-security-research"], "narrative": "Kubernetes is the most used container orchestration platform, this orchestration platform contains sensitve information and management priviledges of production workloads, microservices and applications. These searches allow operator to detect suspicious unauthenticated requests from the internet to kubernetes cluster.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1526", "mitre_attack_technique": "Cloud Service Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Discovery"], "datamodels": ["Email"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Amazon EKS Kubernetes cluster scan detection - Rule", "ESCU - Amazon EKS Kubernetes Pod scan detection - Rule", "ESCU - GCP Kubernetes cluster pod scan detection - Rule", "ESCU - GCP Kubernetes cluster scan detection - Rule", "ESCU - Kubernetes Azure pod scan fingerprint - Rule", "ESCU - Kubernetes Azure scan fingerprint - Rule"], "investigation_names": ["Amazon EKS Kubernetes activity by src ip", "GCP Kubernetes activity by src ip", "Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rod Soto", "detections": [{"name": "Amazon EKS Kubernetes cluster scan detection", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cloud Service Discovery"}]}, {"name": "Amazon EKS Kubernetes Pod scan detection", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cloud Service Discovery"}]}, {"name": "GCP Kubernetes cluster pod scan detection", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cloud Service Discovery"}]}, {"name": "GCP Kubernetes cluster scan detection", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Cloud Service Discovery"}]}, {"name": "Kubernetes Azure pod scan fingerprint", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes Azure scan fingerprint", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cloud Service Discovery"}]}]}, {"name": "Kubernetes Security", "author": "Patrick Bareiss", "date": "2023-12-06", "version": 1, "id": "77006b3a-306c-4e32-afd5-30b6e40c1c41", "description": "Kubernetes, as a container orchestration platform, faces unique security challenges. This story explores various tactics and techniques adversaries use to exploit Kubernetes environments, including attacking the control plane, exploiting misconfigurations, and compromising containerized applications.", "references": ["https://kubernetes.io/docs/concepts/security/"], "narrative": "Kubernetes, a widely used container orchestration system, presents a complex environment that can be targeted by adversaries. Key areas of concern include the control plane, worker nodes, and network communication. Attackers may attempt to exploit vulnerabilities in the Kubernetes API, misconfigured containers, or insecure network policies. The control plane, responsible for managing cluster operations, is a prime target. Compromising this can give attackers control over the entire cluster. Worker nodes, running the containerized applications, can be targeted to disrupt services or to gain access to sensitive data. Common attack vectors include exploiting vulnerabilities in container images, misconfigured role-based access controls (RBAC), exposed Kubernetes dashboards, and insecure network configurations. Attackers can also target the supply chain, injecting malicious code into container images or Helm charts. To mitigate these threats, it is essential to enforce robust security practices such as regular vulnerability scanning, implementing least privilege access, securing the control plane, network segmentation, and continuous monitoring for suspicious activities. Tools like Kubernetes Network Policies, Pod Security Policies, and third-party security solutions can provide additional layers of defense.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1526", "mitre_attack_technique": "Cloud Service Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053.007", "mitre_attack_technique": "Container Orchestration Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1552.007", "mitre_attack_technique": "Container API", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1046", "mitre_attack_technique": "Network Service Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "APT41", "BackdoorDiplomacy", "BlackTech", "Chimera", "Cobalt Group", "DarkVishnya", "FIN13", "FIN6", "Fox Kitten", "Lazarus Group", "Leafminer", "Magic Hound", "Naikon", "OilRig", "Rocke", "Suckfly", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "menuPass"]}], "mitre_attack_tactics": ["Credential Access", "Persistence", "Execution", "Discovery", "Privilege Escalation"], "datamodels": [], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - Kubernetes Abuse of Secret by Unusual Location - Rule", "ESCU - Kubernetes Abuse of Secret by Unusual User Agent - Rule", "ESCU - Kubernetes Abuse of Secret by Unusual User Group - Rule", "ESCU - Kubernetes Abuse of Secret by Unusual User Name - Rule", "ESCU - Kubernetes Access Scanning - Rule", "ESCU - Kubernetes AWS detect suspicious kubectl calls - Rule", "ESCU - Kubernetes Create or Update Privileged Pod - Rule", "ESCU - Kubernetes Cron Job Creation - Rule", "ESCU - Kubernetes DaemonSet Deployed - Rule", "ESCU - Kubernetes Falco Shell Spawned - Rule", "ESCU - Kubernetes Node Port Creation - Rule", "ESCU - Kubernetes Pod Created in Default Namespace - Rule", "ESCU - Kubernetes Pod With Host Network Attachment - Rule", "ESCU - Kubernetes Scanning by Unauthenticated IP Address - Rule", "ESCU - Kubernetes Suspicious Image Pulling - Rule", "ESCU - Kubernetes Unauthorized Access - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "no", "author_name": "Patrick Bareiss", "detections": [{"name": "Kubernetes Abuse of Secret by Unusual Location", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Container API"}]}, {"name": "Kubernetes Abuse of Secret by Unusual User Agent", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Container API"}]}, {"name": "Kubernetes Abuse of Secret by Unusual User Group", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Container API"}]}, {"name": "Kubernetes Abuse of Secret by Unusual User Name", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Container API"}]}, {"name": "Kubernetes Access Scanning", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Network Service Discovery"}]}, {"name": "Kubernetes AWS detect suspicious kubectl calls", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Create or Update Privileged Pod", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Kubernetes Cron Job Creation", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Container Orchestration Job"}]}, {"name": "Kubernetes DaemonSet Deployed", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Kubernetes Falco Shell Spawned", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Kubernetes Node Port Creation", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Kubernetes Pod Created in Default Namespace", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Kubernetes Pod With Host Network Attachment", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Kubernetes Scanning by Unauthenticated IP Address", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Network Service Discovery"}]}, {"name": "Kubernetes Suspicious Image Pulling", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Service Discovery"}]}, {"name": "Kubernetes Unauthorized Access", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}]}, {"name": "Kubernetes Sensitive Object Access Activity", "author": "Rod Soto, Splunk", "date": "2020-05-20", "version": 1, "id": "c7d4dbf0-a171-4eaf-8444-4f40392e4f92", "description": "This story addresses detection and response of accounts acccesing Kubernetes cluster sensitive objects such as configmaps or secrets providing information on items such as user user, group. object, namespace and authorization reason.", "references": ["https://www.splunk.com/en_us/blog/security/approaching-kubernetes-security-detecting-kubernetes-scan-with-splunk.html"], "narrative": "Kubernetes is the most used container orchestration platform, this orchestration platform contains sensitive objects within its architecture, specifically configmaps and secrets, if accessed by an attacker can lead to further compromise. These searches allow operator to detect suspicious requests against Kubernetes sensitive objects.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - AWS EKS Kubernetes cluster sensitive object access - Rule", "ESCU - Kubernetes AWS detect service accounts forbidden failure access - Rule", "ESCU - Kubernetes Azure detect sensitive object access - Rule", "ESCU - Kubernetes Azure detect service accounts forbidden failure access - Rule", "ESCU - Kubernetes Azure detect suspicious kubectl calls - Rule", "ESCU - Kubernetes GCP detect sensitive object access - Rule", "ESCU - Kubernetes GCP detect service accounts forbidden failure access - Rule", "ESCU - Kubernetes GCP detect suspicious kubectl calls - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rod Soto", "detections": [{"name": "AWS EKS Kubernetes cluster sensitive object access", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes AWS detect service accounts forbidden failure access", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes Azure detect sensitive object access", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes Azure detect service accounts forbidden failure access", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes Azure detect suspicious kubectl calls", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes GCP detect sensitive object access", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes GCP detect service accounts forbidden failure access", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes GCP detect suspicious kubectl calls", "source": "deprecated", "type": "Hunting", "tags": []}]}, {"name": "Linux Living Off The Land", "author": "Michael Haag, Splunk", "date": "2022-07-27", "version": 1, "id": "e405a2d7-dc8e-4227-8e9d-f60267b8c0cd", "description": "Linux Living Off The Land consists of binaries that may be used to bypass local security restrictions within misconfigured systems.", "references": ["https://gtfobins.github.io/"], "narrative": "Similar to Windows LOLBAS project, the GTFOBins project focuses solely on Unix binaries that may be abused in multiple categories including Reverse Shell, File Upload, File Download and much more. These binaries are native to the operating system and the functionality is typically native. The behaviors are typically not malicious by default or vulnerable, but these are built in functionality of the applications. When reviewing any notables or hunting through mountains of events of interest, it's important to identify the binary, review command-line arguments, path of file, and capture any network and file modifications. Linux analysis may be a bit cumbersome due to volume and how process behavior is seen in EDR products. Piecing it together will require some effort.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1095", "mitre_attack_technique": "Non-Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT3", "BITTER", "BackdoorDiplomacy", "FIN6", "HAFNIUM", "Metador", "PLATINUM", "ToddyCat"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053.002", "mitre_attack_technique": "At", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "BRONZE BUTLER", "Threat Group-3390"]}, {"mitre_attack_id": "T1115", "mitre_attack_technique": "Clipboard Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT38", "APT39"]}, {"mitre_attack_id": "T1053.003", "mitre_attack_technique": "Cron", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT38", "APT5", "Rocke"]}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "Cinnamon Tempest", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "MoustachedBouncer", "POLONIUM", "Sandworm Team", "Turla", "Volt Typhoon", "Windigo"]}, {"mitre_attack_id": "T1098.004", "mitre_attack_technique": "SSH Authorized Keys", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca", "TeamTNT"]}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1021.004", "mitre_attack_technique": "SSH", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT39", "APT5", "BlackTech", "FIN13", "FIN7", "Fox Kitten", "GCMAN", "Lazarus Group", "Leviathan", "OilRig", "Rocke", "TeamTNT", "menuPass"]}, {"mitre_attack_id": "T1222.002", "mitre_attack_technique": "Linux and Mac File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1548.001", "mitre_attack_technique": "Setuid and Setgid", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1059.004", "mitre_attack_technique": "Unix Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT41", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1053.006", "mitre_attack_technique": "Systemd Timers", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Command And Control", "Lateral Movement", "Collection", "Defense Evasion", "Persistence", "Execution", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Command and Control", "Installation", "Exploitation"]}, "detection_names": ["ESCU - Curl Download and Bash Execution - Rule", "ESCU - Linux Add Files In Known Crontab Directories - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux apt-get Privilege Escalation - Rule", "ESCU - Linux APT Privilege Escalation - Rule", "ESCU - Linux At Allow Config File Creation - Rule", "ESCU - Linux At Application Execution - Rule", "ESCU - Linux AWK Privilege Escalation - Rule", "ESCU - Linux Busybox Privilege Escalation - Rule", "ESCU - Linux c89 Privilege Escalation - Rule", "ESCU - Linux c99 Privilege Escalation - Rule", "ESCU - Linux Change File Owner To Root - Rule", "ESCU - Linux Clipboard Data Copy - Rule", "ESCU - Linux Common Process For Elevation Control - Rule", "ESCU - Linux Composer Privilege Escalation - Rule", "ESCU - Linux Cpulimit Privilege Escalation - Rule", "ESCU - Linux Csvtool Privilege Escalation - Rule", "ESCU - Linux Curl Upload File - Rule", "ESCU - Linux Decode Base64 to Shell - Rule", "ESCU - Linux Docker Privilege Escalation - Rule", "ESCU - Linux Edit Cron Table Parameter - Rule", "ESCU - Linux Emacs Privilege Escalation - Rule", "ESCU - Linux Find Privilege Escalation - Rule", "ESCU - Linux GDB Privilege Escalation - Rule", "ESCU - Linux Gem Privilege Escalation - Rule", "ESCU - Linux GNU Awk Privilege Escalation - Rule", "ESCU - Linux Ingress Tool Transfer Hunting - Rule", "ESCU - Linux Ingress Tool Transfer with Curl - Rule", "ESCU - Linux Make Privilege Escalation - Rule", "ESCU - Linux MySQL Privilege Escalation - Rule", "ESCU - Linux Node Privilege Escalation - Rule", "ESCU - Linux Obfuscated Files or Information Base64 Decode - Rule", "ESCU - Linux Octave Privilege Escalation - Rule", "ESCU - Linux OpenVPN Privilege Escalation - Rule", "ESCU - Linux PHP Privilege Escalation - Rule", "ESCU - Linux pkexec Privilege Escalation - Rule", "ESCU - Linux Possible Access Or Modification Of sshd Config File - Rule", "ESCU - Linux Possible Append Cronjob Entry on Existing Cronjob File - Rule", "ESCU - Linux Possible Cronjob Modification With Editor - Rule", "ESCU - Linux Possible Ssh Key File Creation - Rule", "ESCU - Linux Proxy Socks Curl - Rule", "ESCU - Linux Puppet Privilege Escalation - Rule", "ESCU - Linux RPM Privilege Escalation - Rule", "ESCU - Linux Ruby Privilege Escalation - Rule", "ESCU - Linux Service File Created In Systemd Directory - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Service Started Or Enabled - Rule", "ESCU - Linux Setuid Using Chmod Utility - Rule", "ESCU - Linux Sqlite3 Privilege Escalation - Rule", "ESCU - Linux SSH Authorized Keys Modification - Rule", "ESCU - Linux SSH Remote Services Script Execute - Rule", "ESCU - Suspicious Curl Network Connection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Curl Download and Bash Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Linux Add Files In Known Crontab Directories", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Adding Crontab Using List Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux apt-get Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux APT Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux At Allow Config File Creation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux At Application Execution", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "At"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux AWK Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Busybox Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux c89 Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux c99 Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Change File Owner To Root", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Linux and Mac File and Directory Permissions Modification"}, {"mitre_attack_technique": "File and Directory Permissions Modification"}]}, {"name": "Linux Clipboard Data Copy", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Clipboard Data"}]}, {"name": "Linux Common Process For Elevation Control", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Setuid and Setgid"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Composer Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Cpulimit Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Csvtool Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Curl Upload File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Linux Decode Base64 to Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "Unix Shell"}]}, {"name": "Linux Docker Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Edit Cron Table Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Emacs Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Find Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux GDB Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Gem Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux GNU Awk Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Ingress Tool Transfer Hunting", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Linux Ingress Tool Transfer with Curl", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Linux Make Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux MySQL Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Node Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Obfuscated Files or Information Base64 Decode", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}, {"name": "Linux Octave Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux OpenVPN Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux PHP Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux pkexec Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}, {"name": "Linux Possible Access Or Modification Of sshd Config File", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "SSH Authorized Keys"}, {"mitre_attack_technique": "Account Manipulation"}]}, {"name": "Linux Possible Append Cronjob Entry on Existing Cronjob File", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Possible Cronjob Modification With Editor", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Possible Ssh Key File Creation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "SSH Authorized Keys"}, {"mitre_attack_technique": "Account Manipulation"}]}, {"name": "Linux Proxy Socks Curl", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Non-Application Layer Protocol"}]}, {"name": "Linux Puppet Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux RPM Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Ruby Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Service File Created In Systemd Directory", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Service Restarted", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Service Started Or Enabled", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Setuid Using Chmod Utility", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Setuid and Setgid"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Sqlite3 Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux SSH Authorized Keys Modification", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "SSH Authorized Keys"}]}, {"name": "Linux SSH Remote Services Script Execute", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "SSH"}]}, {"name": "Suspicious Curl Network Connection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}]}, {"name": "Linux Persistence Techniques", "author": "Teoderick Contreras, Splunk", "date": "2021-12-17", "version": 1, "id": "e40d13e5-d38b-457e-af2a-e8e6a2f2b516", "description": "Monitor for activities and techniques associated with maintaining persistence on a Linux system--a sign that an adversary may have compromised your environment.", "references": ["https://attack.mitre.org/techniques/T1053/", "https://kifarunix.com/scheduling-tasks-using-at-command-in-linux/", "https://gtfobins.github.io/gtfobins/at/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf"], "narrative": "Maintaining persistence is one of the first steps taken by attackers after the initial compromise. Attackers leverage various custom and built-in tools to ensure survivability and persistent access within a compromised enterprise. This Analytic Story provides searches to help you identify various behaviors used by attackers to maintain persistent access to a Linux environment.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "APT5", "Dragonfly", "FIN13", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT", "Wizard Spider"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1037", "mitre_attack_technique": "Boot or Logon Initialization Scripts", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "Rocke"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider", "Scattered Spider"]}, {"mitre_attack_id": "T1053.002", "mitre_attack_technique": "At", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "BRONZE BUTLER", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546.004", "mitre_attack_technique": "Unix Shell Configuration Modification", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1037.004", "mitre_attack_technique": "RC Scripts", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1574.006", "mitre_attack_technique": "Dynamic Linker Hijacking", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT41", "Rocke"]}, {"mitre_attack_id": "T1053.003", "mitre_attack_technique": "Cron", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT38", "APT5", "Rocke"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1098.004", "mitre_attack_technique": "SSH Authorized Keys", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca", "TeamTNT"]}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1003.008", "mitre_attack_technique": "/etc/passwd and /etc/shadow", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1222.002", "mitre_attack_technique": "Linux and Mac File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1548.001", "mitre_attack_technique": "Setuid and Setgid", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1547.006", "mitre_attack_technique": "Kernel Modules and Extensions", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053.006", "mitre_attack_technique": "Systemd Timers", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence", "Impact", "Execution", "Privilege Escalation"], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": ["Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Linux Add Files In Known Crontab Directories - Rule", "ESCU - Linux Add User Account - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux At Allow Config File Creation - Rule", "ESCU - Linux At Application Execution - Rule", "ESCU - Linux Change File Owner To Root - Rule", "ESCU - Linux Common Process For Elevation Control - Rule", "ESCU - Linux Doas Conf File Creation - Rule", "ESCU - Linux Doas Tool Execution - Rule", "ESCU - Linux Edit Cron Table Parameter - Rule", "ESCU - Linux File Created In Kernel Driver Directory - Rule", "ESCU - Linux File Creation In Init Boot Directory - Rule", "ESCU - Linux File Creation In Profile Directory - Rule", "ESCU - Linux Insert Kernel Module Using Insmod Utility - Rule", "ESCU - Linux Install Kernel Module Using Modprobe Utility - Rule", "ESCU - Linux NOPASSWD Entry In Sudoers File - Rule", "ESCU - Linux Persistence and Privilege Escalation Risk Behavior - Rule", "ESCU - Linux Possible Access Or Modification Of sshd Config File - Rule", "ESCU - Linux Possible Access To Credential Files - Rule", "ESCU - Linux Possible Access To Sudoers File - Rule", "ESCU - Linux Possible Append Command To At Allow Config File - Rule", "ESCU - Linux Possible Append Command To Profile Config File - Rule", "ESCU - Linux Possible Append Cronjob Entry on Existing Cronjob File - Rule", "ESCU - Linux Possible Cronjob Modification With Editor - Rule", "ESCU - Linux Possible Ssh Key File Creation - Rule", "ESCU - Linux Preload Hijack Library Calls - Rule", "ESCU - Linux Service File Created In Systemd Directory - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Service Started Or Enabled - Rule", "ESCU - Linux Setuid Using Chmod Utility - Rule", "ESCU - Linux Setuid Using Setcap Utility - Rule", "ESCU - Linux Shred Overwrite Command - Rule", "ESCU - Linux Sudo OR Su Execution - Rule", "ESCU - Linux Sudoers Tmp File Creation - Rule", "ESCU - Linux Visudo Utility Execution - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Linux Add Files In Known Crontab Directories", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Add User Account", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}, {"name": "Linux Adding Crontab Using List Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux At Allow Config File Creation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux At Application Execution", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "At"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Change File Owner To Root", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Linux and Mac File and Directory Permissions Modification"}, {"mitre_attack_technique": "File and Directory Permissions Modification"}]}, {"name": "Linux Common Process For Elevation Control", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Setuid and Setgid"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Doas Conf File Creation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Doas Tool Execution", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Edit Cron Table Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux File Created In Kernel Driver Directory", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Linux File Creation In Init Boot Directory", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "RC Scripts"}, {"mitre_attack_technique": "Boot or Logon Initialization Scripts"}]}, {"name": "Linux File Creation In Profile Directory", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Unix Shell Configuration Modification"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Linux Insert Kernel Module Using Insmod Utility", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Linux Install Kernel Module Using Modprobe Utility", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Linux NOPASSWD Entry In Sudoers File", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Persistence and Privilege Escalation Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Possible Access Or Modification Of sshd Config File", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "SSH Authorized Keys"}, {"mitre_attack_technique": "Account Manipulation"}]}, {"name": "Linux Possible Access To Credential Files", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "/etc/passwd and /etc/shadow"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Linux Possible Access To Sudoers File", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Possible Append Command To At Allow Config File", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "At"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Possible Append Command To Profile Config File", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Unix Shell Configuration Modification"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Linux Possible Append Cronjob Entry on Existing Cronjob File", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Possible Cronjob Modification With Editor", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Possible Ssh Key File Creation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "SSH Authorized Keys"}, {"mitre_attack_technique": "Account Manipulation"}]}, {"name": "Linux Preload Hijack Library Calls", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Dynamic Linker Hijacking"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "Linux Service File Created In Systemd Directory", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Service Restarted", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Service Started Or Enabled", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Setuid Using Chmod Utility", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Setuid and Setgid"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Setuid Using Setcap Utility", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Setuid and Setgid"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Shred Overwrite Command", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Linux Sudo OR Su Execution", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Sudoers Tmp File Creation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Visudo Utility Execution", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}]}, {"name": "Linux Post-Exploitation", "author": "Rod Soto", "date": "2021-12-03", "version": 1, "id": "d310ccfe-5477-11ec-ad05-acde48001122", "description": "This analytic story identifies popular Linux post exploitation tools such as autoSUID, LinEnum, LinPEAS, Linux Exploit Suggesters, MimiPenguin.", "references": ["https://attack.mitre.org/matrices/enterprise/linux/"], "narrative": "These tools allow operators find possible exploits or paths for privilege escalation based on SUID binaries, user permissions, kernel version and distro version.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Suspicious Linux Discovery Commands - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "no", "author_name": "Rod Soto", "detections": [{"name": "Suspicious Linux Discovery Commands", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Unix Shell"}]}]}, {"name": "Linux Privilege Escalation", "author": "Teoderick Contreras, Splunk", "date": "2021-12-17", "version": 1, "id": "b9879c24-670a-44c0-895e-98cdb7d0e848", "description": "Monitor for and investigate activities that may be associated with a Linux privilege-escalation attack, including unusual processes running on endpoints, schedule task, services, setuid, root execution and more.", "references": ["https://attack.mitre.org/tactics/TA0004/"], "narrative": "Privilege escalation is a \"land-and-expand\" technique, wherein an adversary gains an initial foothold on a host and then exploits its weaknesses to increase his privileges. The motivation is simple: certain actions on a Linux machine--such as installing software--may require higher-level privileges than those the attacker initially acquired. By increasing his privilege level, the attacker can gain the control required to carry out his malicious ends. This Analytic Story provides searches to detect and investigate behaviors that attackers may use to elevate their privileges in your environment.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "APT5", "Dragonfly", "FIN13", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT", "Wizard Spider"]}, {"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1037", "mitre_attack_technique": "Boot or Logon Initialization Scripts", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "Rocke"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider", "Scattered Spider"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053.002", "mitre_attack_technique": "At", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "BRONZE BUTLER", "Threat Group-3390"]}, {"mitre_attack_id": "T1546.004", "mitre_attack_technique": "Unix Shell Configuration Modification", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1037.004", "mitre_attack_technique": "RC Scripts", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1574.006", "mitre_attack_technique": "Dynamic Linker Hijacking", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT41", "Rocke"]}, {"mitre_attack_id": "T1053.003", "mitre_attack_technique": "Cron", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT38", "APT5", "Rocke"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1098.004", "mitre_attack_technique": "SSH Authorized Keys", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca", "TeamTNT"]}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1222.002", "mitre_attack_technique": "Linux and Mac File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1548.001", "mitre_attack_technique": "Setuid and Setgid", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1003.008", "mitre_attack_technique": "/etc/passwd and /etc/shadow", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1547.006", "mitre_attack_technique": "Kernel Modules and Extensions", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053.006", "mitre_attack_technique": "Systemd Timers", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence", "Impact", "Execution", "Privilege Escalation"], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": ["Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Linux Add Files In Known Crontab Directories - Rule", "ESCU - Linux Add User Account - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux apt-get Privilege Escalation - Rule", "ESCU - Linux APT Privilege Escalation - Rule", "ESCU - Linux At Allow Config File Creation - Rule", "ESCU - Linux At Application Execution - Rule", "ESCU - Linux AWK Privilege Escalation - Rule", "ESCU - Linux Busybox Privilege Escalation - Rule", "ESCU - Linux c89 Privilege Escalation - Rule", "ESCU - Linux c99 Privilege Escalation - Rule", "ESCU - Linux Change File Owner To Root - Rule", "ESCU - Linux Common Process For Elevation Control - Rule", "ESCU - Linux Composer Privilege Escalation - Rule", "ESCU - Linux Cpulimit Privilege Escalation - Rule", "ESCU - Linux Csvtool Privilege Escalation - Rule", "ESCU - Linux Doas Conf File Creation - Rule", "ESCU - Linux Doas Tool Execution - Rule", "ESCU - Linux Docker Privilege Escalation - Rule", "ESCU - Linux Edit Cron Table Parameter - Rule", "ESCU - Linux Emacs Privilege Escalation - Rule", "ESCU - Linux File Created In Kernel Driver Directory - Rule", "ESCU - Linux File Creation In Init Boot Directory - Rule", "ESCU - Linux File Creation In Profile Directory - Rule", "ESCU - Linux Find Privilege Escalation - Rule", "ESCU - Linux GDB Privilege Escalation - Rule", "ESCU - Linux Gem Privilege Escalation - Rule", "ESCU - Linux GNU Awk Privilege Escalation - Rule", "ESCU - Linux Insert Kernel Module Using Insmod Utility - Rule", "ESCU - Linux Install Kernel Module Using Modprobe Utility - Rule", "ESCU - Linux Make Privilege Escalation - Rule", "ESCU - Linux MySQL Privilege Escalation - Rule", "ESCU - Linux Node Privilege Escalation - Rule", "ESCU - Linux NOPASSWD Entry In Sudoers File - Rule", "ESCU - Linux Octave Privilege Escalation - Rule", "ESCU - Linux OpenVPN Privilege Escalation - Rule", "ESCU - Linux Persistence and Privilege Escalation Risk Behavior - Rule", "ESCU - Linux PHP Privilege Escalation - Rule", "ESCU - Linux pkexec Privilege Escalation - Rule", "ESCU - Linux Possible Access Or Modification Of sshd Config File - Rule", "ESCU - Linux Possible Access To Credential Files - Rule", "ESCU - Linux Possible Access To Sudoers File - Rule", "ESCU - Linux Possible Append Command To At Allow Config File - Rule", "ESCU - Linux Possible Append Command To Profile Config File - Rule", "ESCU - Linux Possible Append Cronjob Entry on Existing Cronjob File - Rule", "ESCU - Linux Possible Cronjob Modification With Editor - Rule", "ESCU - Linux Possible Ssh Key File Creation - Rule", "ESCU - Linux Preload Hijack Library Calls - Rule", "ESCU - Linux Puppet Privilege Escalation - Rule", "ESCU - Linux RPM Privilege Escalation - Rule", "ESCU - Linux Ruby Privilege Escalation - Rule", "ESCU - Linux Service File Created In Systemd Directory - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Service Started Or Enabled - Rule", "ESCU - Linux Setuid Using Chmod Utility - Rule", "ESCU - Linux Setuid Using Setcap Utility - Rule", "ESCU - Linux Shred Overwrite Command - Rule", "ESCU - Linux Sqlite3 Privilege Escalation - Rule", "ESCU - Linux Sudo OR Su Execution - Rule", "ESCU - Linux Sudoers Tmp File Creation - Rule", "ESCU - Linux Visudo Utility Execution - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Linux Add Files In Known Crontab Directories", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Add User Account", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}, {"name": "Linux Adding Crontab Using List Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux apt-get Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux APT Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux At Allow Config File Creation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux At Application Execution", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "At"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux AWK Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Busybox Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux c89 Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux c99 Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Change File Owner To Root", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Linux and Mac File and Directory Permissions Modification"}, {"mitre_attack_technique": "File and Directory Permissions Modification"}]}, {"name": "Linux Common Process For Elevation Control", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Setuid and Setgid"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Composer Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Cpulimit Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Csvtool Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Doas Conf File Creation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Doas Tool Execution", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Docker Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Edit Cron Table Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Emacs Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux File Created In Kernel Driver Directory", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Linux File Creation In Init Boot Directory", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "RC Scripts"}, {"mitre_attack_technique": "Boot or Logon Initialization Scripts"}]}, {"name": "Linux File Creation In Profile Directory", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Unix Shell Configuration Modification"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Linux Find Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux GDB Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Gem Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux GNU Awk Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Insert Kernel Module Using Insmod Utility", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Linux Install Kernel Module Using Modprobe Utility", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Linux Make Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux MySQL Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Node Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux NOPASSWD Entry In Sudoers File", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Octave Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux OpenVPN Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Persistence and Privilege Escalation Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux PHP Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux pkexec Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}, {"name": "Linux Possible Access Or Modification Of sshd Config File", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "SSH Authorized Keys"}, {"mitre_attack_technique": "Account Manipulation"}]}, {"name": "Linux Possible Access To Credential Files", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "/etc/passwd and /etc/shadow"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Linux Possible Access To Sudoers File", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Possible Append Command To At Allow Config File", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "At"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Possible Append Command To Profile Config File", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Unix Shell Configuration Modification"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Linux Possible Append Cronjob Entry on Existing Cronjob File", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Possible Cronjob Modification With Editor", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Possible Ssh Key File Creation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "SSH Authorized Keys"}, {"mitre_attack_technique": "Account Manipulation"}]}, {"name": "Linux Preload Hijack Library Calls", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Dynamic Linker Hijacking"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "Linux Puppet Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux RPM Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Ruby Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Service File Created In Systemd Directory", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Service Restarted", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Service Started Or Enabled", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Setuid Using Chmod Utility", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Setuid and Setgid"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Setuid Using Setcap Utility", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Setuid and Setgid"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Shred Overwrite Command", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Linux Sqlite3 Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Sudo OR Su Execution", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Sudoers Tmp File Creation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Visudo Utility Execution", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}]}, {"name": "Linux Rootkit", "author": "Michael Haag, Splunk", "date": "2022-07-27", "version": 1, "id": "e30f4054-ac08-4999-b8bc-5cc46886c18d", "description": "Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.", "references": ["https://attack.mitre.org/techniques/T1014/", "https://content.fireeye.com/apt-41/rpt-apt41", "https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a"], "narrative": "Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor, Master Boot Record, or System Firmware. Rootkits have been seen for Windows, Linux, and Mac OS X systems. Linux rootkits may not standout as much as a Windows rootkit, therefore understanding what kernel modules are installed today and monitoring for new is important. As with any rootkit, it may blend in using a common kernel name or variation of legitimate names.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.006", "mitre_attack_technique": "Kernel Modules and Extensions", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - Linux File Created In Kernel Driver Directory - Rule", "ESCU - Linux Insert Kernel Module Using Insmod Utility - Rule", "ESCU - Linux Install Kernel Module Using Modprobe Utility - Rule", "ESCU - Linux Kernel Module Enumeration - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Linux File Created In Kernel Driver Directory", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Linux Insert Kernel Module Using Insmod Utility", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Linux Install Kernel Module Using Modprobe Utility", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Linux Kernel Module Enumeration", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Information Discovery"}, {"mitre_attack_technique": "Rootkit"}]}]}, {"name": "Living Off The Land", "author": "Lou Stella, Splunk", "date": "2022-03-16", "version": 2, "id": "6f7982e2-900b-11ec-a54a-acde48001122", "description": "Leverage analytics that allow you to identify the presence of an adversary leveraging native applications within your environment.", "references": ["https://lolbas-project.github.io/"], "narrative": "Living Off The Land refers to an adversary methodology of using native applications already installed on the target operating system to achieve their objective. Native utilities provide the adversary with reduced chances of detection by antivirus software or EDR tools. This allows the adversary to blend in with native process behavior.", "tags": {"category": ["Adversary Tactics", "Unauthorized Software", "Lateral Movement", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1140", "mitre_attack_technique": "Deobfuscate/Decode Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT39", "BRONZE BUTLER", "Cinnamon Tempest", "Darkhotel", "Earth Lusca", "FIN13", "Gamaredon Group", "Gorgon Group", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Malteiro", "Molerats", "MuddyWater", "OilRig", "Rocke", "Sandworm Team", "TA505", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "WIRTE", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA2541", "TA551"]}, {"mitre_attack_id": "T1567", "mitre_attack_technique": "Exfiltration Over Web Service", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT28", "Magic Hound"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1216", "mitre_attack_technique": "System Script Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1574.001", "mitre_attack_technique": "DLL Search Order Hijacking", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT41", "Aquatic Panda", "BackdoorDiplomacy", "Cinnamon Tempest", "Evilnum", "RTM", "Threat Group-3390", "Tonto Team", "Whitefly", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1197", "mitre_attack_technique": "BITS Jobs", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": ["APT39", "APT41", "Leviathan", "Patchwork", "Wizard Spider"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1218.009", "mitre_attack_technique": "Regsvcs/Regasm", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1053.002", "mitre_attack_technique": "At", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "BRONZE BUTLER", "Threat Group-3390"]}, {"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Cinnamon Tempest", "Earth Lusca", "FIN13", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1003.003", "mitre_attack_technique": "NTDS", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "HAFNIUM", "Ke3chang", "LAPSUS$", "Mustang Panda", "Sandworm Team", "Scattered Spider", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.002", "mitre_attack_technique": "Control Panel", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Ember Bear"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218.013", "mitre_attack_technique": "Mavinject", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546.015", "mitre_attack_technique": "Component Object Model Hijacking", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1218.014", "mitre_attack_technique": "MMC", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1202", "mitre_attack_technique": "Indirect Command Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1546.003", "mitre_attack_technique": "Windows Management Instrumentation Event Subscription", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT33", "Blue Mockingbird", "FIN8", "HEXANE", "Leviathan", "Metador", "Mustang Panda", "Rancor", "Turla"]}, {"mitre_attack_id": "T1218.001", "mitre_attack_technique": "Compiled HTML File", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "APT41", "Dark Caracal", "OilRig", "Silence"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1059.004", "mitre_attack_technique": "Unix Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT41", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1647", "mitre_attack_technique": "Plist File Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1127.001", "mitre_attack_technique": "MSBuild", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1574.011", "mitre_attack_technique": "Services Registry Permissions Weakness", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}, {"mitre_attack_id": "T1218.008", "mitre_attack_technique": "Odbcconf", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Initial Access", "Lateral Movement", "Defense Evasion", "Exfiltration", "Persistence", "Execution", "Privilege Escalation"], "datamodels": ["Endpoint", "Network_Traffic", "Risk"], "kill_chain_phases": ["Command and Control", "Delivery", "Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Windows DLL Search Order Hijacking Hunt - Rule", "ESCU - BITS Job Persistence - Rule", "ESCU - BITSAdmin Download File - Rule", "ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - CertUtil Download With VerifyCtl and Split Arguments - Rule", "ESCU - Certutil exe certificate extraction - Rule", "ESCU - CertUtil With Decode Argument - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Control Loading from World Writable Directory - Rule", "ESCU - Creation of Shadow Copy with wmic and powershell - Rule", "ESCU - Detect HTML Help Renamed - Rule", "ESCU - Detect HTML Help Spawn Child Process - Rule", "ESCU - Detect HTML Help URL in Command Line - Rule", "ESCU - Detect HTML Help Using InfoTech Storage Handlers - Rule", "ESCU - Detect mshta inline hta execution - Rule", "ESCU - Detect mshta renamed - Rule", "ESCU - Detect MSHTA Url in Command Line - Rule", "ESCU - Detect Regasm Spawning a Process - Rule", "ESCU - Detect Regasm with Network Connection - Rule", "ESCU - Detect Regasm with no Command Line Arguments - Rule", "ESCU - Detect Regsvcs Spawning a Process - Rule", "ESCU - Detect Regsvcs with Network Connection - Rule", "ESCU - Detect Regsvcs with No Command Line Arguments - Rule", "ESCU - Detect Regsvr32 Application Control Bypass - Rule", "ESCU - Detect Rundll32 Application Control Bypass - advpack - Rule", "ESCU - Detect Rundll32 Application Control Bypass - setupapi - Rule", "ESCU - Detect Rundll32 Application Control Bypass - syssetup - Rule", "ESCU - Detect Rundll32 Inline HTA Execution - Rule", "ESCU - Disable Schedule Task - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Esentutl SAM Copy - Rule", "ESCU - Eventvwr UAC Bypass - Rule", "ESCU - Living Off The Land Detection - Rule", "ESCU - LOLBAS With Network Traffic - Rule", "ESCU - MacOS LOLbin - Rule", "ESCU - MacOS plutil - Rule", "ESCU - Mmc LOLBAS Execution Process Spawn - Rule", "ESCU - Mshta spawning Rundll32 OR Regsvr32 Process - Rule", "ESCU - Ntdsutil Export NTDS - Rule", "ESCU - Reg exe Manipulating Windows Services Registry Keys - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Remote WMI Command Attempt - Rule", "ESCU - Rundll32 Control RunDLL Hunt - Rule", "ESCU - Rundll32 Control RunDLL World Writable Directory - Rule", "ESCU - Rundll32 Create Remote Thread To A Process - Rule", "ESCU - Rundll32 CreateRemoteThread In Browser - Rule", "ESCU - Rundll32 DNSQuery - Rule", "ESCU - Rundll32 Process Creating Exe Dll Files - Rule", "ESCU - Rundll32 Shimcache Flush - Rule", "ESCU - RunDLL Loading DLL By Ordinal - Rule", "ESCU - Schedule Task with HTTP Command Arguments - Rule", "ESCU - Schedule Task with Rundll32 Command Trigger - Rule", "ESCU - Scheduled Task Creation on Remote Endpoint using At - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Scheduled Task Initiation on Remote Endpoint - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Services LOLBAS Execution Process Spawn - Rule", "ESCU - Suspicious IcedID Rundll32 Cmdline - Rule", "ESCU - Suspicious microsoft workflow compiler rename - Rule", "ESCU - Suspicious microsoft workflow compiler usage - Rule", "ESCU - Suspicious msbuild path - Rule", "ESCU - Suspicious MSBuild Rename - Rule", "ESCU - Suspicious MSBuild Spawn - Rule", "ESCU - Suspicious mshta child process - Rule", "ESCU - Suspicious mshta spawn - Rule", "ESCU - Suspicious Regsvr32 Register Suspicious Path - Rule", "ESCU - Suspicious Rundll32 dllregisterserver - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Svchost LOLBAS Execution Process Spawn - Rule", "ESCU - Windows Binary Proxy Execution Mavinject DLL Injection - Rule", "ESCU - Windows COM Hijacking InprocServer32 Modification - Rule", "ESCU - Windows Diskshadow Proxy Execution - Rule", "ESCU - Windows DLL Search Order Hijacking Hunt with Sysmon - Rule", "ESCU - Windows DLL Search Order Hijacking with iscsicpl - Rule", "ESCU - Windows Identify Protocol Handlers - Rule", "ESCU - Windows Indirect Command Execution Via forfiles - Rule", "ESCU - Windows Indirect Command Execution Via pcalua - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows InstallUtil Remote Network Connection - Rule", "ESCU - Windows InstallUtil Uninstall Option - Rule", "ESCU - Windows InstallUtil Uninstall Option with Network - Rule", "ESCU - Windows InstallUtil URL in Command Line - Rule", "ESCU - Windows Known Abused DLL Created - Rule", "ESCU - Windows MOF Event Triggered Execution via WMI - Rule", "ESCU - Windows Odbcconf Hunting - Rule", "ESCU - Windows Odbcconf Load DLL - Rule", "ESCU - Windows Odbcconf Load Response File - Rule", "ESCU - Windows System Binary Proxy Execution Compiled HTML File Decompile - Rule", "ESCU - Windows System Script Proxy Execution Syncappvpublishingserver - Rule", "ESCU - Windows UAC Bypass Suspicious Child Process - Rule", "ESCU - Windows UAC Bypass Suspicious Escalation Behavior - Rule", "ESCU - WSReset UAC Bypass - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Lou Stella", "detections": [{"name": "Windows DLL Search Order Hijacking Hunt", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "DLL Search Order Hijacking"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "BITS Job Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "BITS Jobs"}]}, {"name": "BITSAdmin Download File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "BITS Jobs"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "CertUtil Download With VerifyCtl and Split Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Certutil exe certificate extraction", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CertUtil With Decode Argument", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Deobfuscate/Decode Files or Information"}]}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Control Loading from World Writable Directory", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Control Panel"}]}, {"name": "Creation of Shadow Copy with wmic and powershell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Detect HTML Help Renamed", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Compiled HTML File"}]}, {"name": "Detect HTML Help Spawn Child Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Compiled HTML File"}]}, {"name": "Detect HTML Help URL in Command Line", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Compiled HTML File"}]}, {"name": "Detect HTML Help Using InfoTech Storage Handlers", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Compiled HTML File"}]}, {"name": "Detect mshta inline hta execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}, {"name": "Detect mshta renamed", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}, {"name": "Detect MSHTA Url in Command Line", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}, {"name": "Detect Regasm Spawning a Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}, {"name": "Detect Regasm with Network Connection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}, {"name": "Detect Regasm with no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}, {"name": "Detect Regsvcs Spawning a Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}, {"name": "Detect Regsvcs with Network Connection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}, {"name": "Detect Regsvcs with No Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}, {"name": "Detect Regsvr32 Application Control Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}, {"name": "Detect Rundll32 Application Control Bypass - advpack", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Detect Rundll32 Application Control Bypass - setupapi", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Detect Rundll32 Application Control Bypass - syssetup", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Detect Rundll32 Inline HTA Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}, {"name": "Disable Schedule Task", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Esentutl SAM Copy", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Eventvwr UAC Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Living Off The Land Detection", "source": "endpoint", "type": "Correlation", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "LOLBAS With Network Traffic", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}, {"mitre_attack_technique": "Exfiltration Over Web Service"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}, {"name": "MacOS LOLbin", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Unix Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "MacOS plutil", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Plist File Modification"}]}, {"name": "Mmc LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "MMC"}]}, {"name": "Mshta spawning Rundll32 OR Regsvr32 Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}, {"name": "Ntdsutil Export NTDS", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Reg exe Manipulating Windows Services Registry Keys", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Services Registry Permissions Weakness"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "Regsvr32 Silent and Install Param Dll Loading", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}, {"name": "Remote WMI Command Attempt", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "Rundll32 Control RunDLL Hunt", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Rundll32 Control RunDLL World Writable Directory", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Rundll32 Create Remote Thread To A Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Rundll32 CreateRemoteThread In Browser", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Rundll32 DNSQuery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Rundll32 Process Creating Exe Dll Files", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Rundll32 Shimcache Flush", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "RunDLL Loading DLL By Ordinal", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Schedule Task with HTTP Command Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Schedule Task with Rundll32 Command Trigger", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Scheduled Task Creation on Remote Endpoint using At", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "At"}]}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Scheduled Task Initiation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}, {"name": "Schtasks scheduling job on remote system", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Services LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Suspicious IcedID Rundll32 Cmdline", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Suspicious microsoft workflow compiler rename", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}]}, {"name": "Suspicious microsoft workflow compiler usage", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}]}, {"name": "Suspicious msbuild path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}, {"name": "Suspicious MSBuild Rename", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}, {"name": "Suspicious MSBuild Spawn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "MSBuild"}]}, {"name": "Suspicious mshta child process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}, {"name": "Suspicious mshta spawn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}, {"name": "Suspicious Regsvr32 Register Suspicious Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}, {"name": "Suspicious Rundll32 dllregisterserver", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Svchost LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}, {"name": "Windows Binary Proxy Execution Mavinject DLL Injection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Mavinject"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}, {"name": "Windows COM Hijacking InprocServer32 Modification", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Component Object Model Hijacking"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Windows Diskshadow Proxy Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}]}, {"name": "Windows DLL Search Order Hijacking Hunt with Sysmon", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "DLL Search Order Hijacking"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "Windows DLL Search Order Hijacking with iscsicpl", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "DLL Search Order Hijacking"}]}, {"name": "Windows Identify Protocol Handlers", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows Indirect Command Execution Via forfiles", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indirect Command Execution"}]}, {"name": "Windows Indirect Command Execution Via pcalua", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indirect Command Execution"}]}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}, {"name": "Windows InstallUtil Remote Network Connection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "InstallUtil"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}, {"name": "Windows InstallUtil Uninstall Option", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "InstallUtil"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}, {"name": "Windows InstallUtil Uninstall Option with Network", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "InstallUtil"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}, {"name": "Windows InstallUtil URL in Command Line", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "InstallUtil"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}, {"name": "Windows Known Abused DLL Created", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "DLL Search Order Hijacking"}, {"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "Windows MOF Event Triggered Execution via WMI", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation Event Subscription"}]}, {"name": "Windows Odbcconf Hunting", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Odbcconf"}]}, {"name": "Windows Odbcconf Load DLL", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Odbcconf"}]}, {"name": "Windows Odbcconf Load Response File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Odbcconf"}]}, {"name": "Windows System Binary Proxy Execution Compiled HTML File Decompile", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Compiled HTML File"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}, {"name": "Windows System Script Proxy Execution Syncappvpublishingserver", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Script Proxy Execution"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}, {"name": "Windows UAC Bypass Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}, {"mitre_attack_technique": "Bypass User Account Control"}]}, {"name": "Windows UAC Bypass Suspicious Escalation Behavior", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}, {"mitre_attack_technique": "Bypass User Account Control"}]}, {"name": "WSReset UAC Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}]}, {"name": "Local Privilege Escalation With KrbRelayUp", "author": "Michael Haag, Mauricio Velazco, Splunk", "date": "2022-04-28", "version": 1, "id": "765790f0-2f8f-4048-8321-fd1928ec2546", "description": "KrbRelayUp is a tool that allows local privilege escalation from low-priviliged domain user to local system on domain-joined computers.", "references": ["https://github.com/Dec0ne/KrbRelayUp", "https://gist.github.com/tothi/bf6c59d6de5d0c9710f23dae5750c4b9", "https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html", "https://dirkjanm.io/relaying-kerberos-over-dns-with-krbrelayx-and-mitm6/", "https://github.com/cube0x0/KrbRelay"], "narrative": "In October 2021, James Forshaw from Googles Project Zero released a research blog post titled `Using Kerberos for Authentication Relay Attacks`. This research introduced, for the first time, ways to make Windows authenticate to a different Service Principal Name (SPN) than what would normally be derived from the hostname the client is connecting to. This effectively proved that relaying Kerberos authentication is possible\\\\. In April 2022, security researcher Mor Davidovich released a tool named KrbRelayUp which implements Kerberos relaying as well as other known Kerberos techniques with the goal of escalating privileges from a low-privileged domain user on a domain-joined device and obtain a SYSTEM shell.", "tags": {"category": ["Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Credential Access"], "datamodels": ["Authentication"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Windows Computer Account Created by Computer Account - Rule", "ESCU - Windows Computer Account Requesting Kerberos Ticket - Rule", "ESCU - Windows Computer Account With SPN - Rule", "ESCU - Windows Kerberos Local Successful Logon - Rule", "ESCU - Windows KrbRelayUp Service Creation - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Mauricio Velazco, Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Computer Account Created by Computer Account", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}, {"name": "Windows Computer Account Requesting Kerberos Ticket", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}, {"name": "Windows Computer Account With SPN", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}, {"name": "Windows Kerberos Local Successful Logon", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}, {"name": "Windows KrbRelayUp Service Creation", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Service"}]}]}, {"name": "LockBit Ransomware", "author": "Teoderick Contreras, Splunk", "date": "2023-01-16", "version": 1, "id": "67e5b98d-16d6-46a6-8d00-070a3d1a5cfc", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the LockBit ransomware, including looking for file writes (file encryption and ransomware notes), deleting services, terminating processes, registry key modification and more.", "references": ["https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html", "https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/", "https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom", "https://www.trendmicro.com/en_us/research/22/g/lockbit-ransomware-group-augments-its-latest-variant--lockbit-3-.html"], "narrative": "LockBit ransomware was first seen in 2019. This ransomware was used by cybercriminal in targeting multiple sectors and organizations. Lockbit is one of the ransomware being offered as a Ransomware-as-a-Service(RaaS) and also known to affiliates to implement the 'double extortion' techniques by uploading the stolen and sensitive victim information to their dark website and then threatening to sell/release it in public if their demands are not met. LockBit Ransomware advertised opportunities for threat actors that could provide credential access via RDP and VPN. Aside from this it is also uses threat emulation like Cobalt Strike and Metasploit to gain foot hold to the targeted host and persist if needed.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1491", "mitre_attack_technique": "Defacement", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1218.003", "mitre_attack_technique": "CMSTP", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group", "MuddyWater"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "Akira", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "Scattered Spider", "TA505"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Reconnaissance", "Defense Evasion", "Persistence", "Impact", "Execution", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation", "Actions on Objectives", "Reconnaissance"]}, "detection_names": ["ESCU - CMLUA Or CMSTPLUA UAC Bypass - Rule", "ESCU - Cobalt Strike Named Pipes - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Fsutil Zeroing File - Rule", "ESCU - High Process Termination Frequency - Rule", "ESCU - Known Services Killed by Ransomware - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - Ransomware Notes bulk creation - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - UAC Bypass With Colorui COM Object - Rule", "ESCU - Wbemprox COM Object Execution - Rule", "ESCU - Windows Modify Registry Default Icon Setting - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "CMLUA Or CMSTPLUA UAC Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "CMSTP"}]}, {"name": "Cobalt Strike Named Pipes", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Fsutil Zeroing File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}]}, {"name": "High Process Termination Frequency", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}, {"name": "Known Services Killed by Ransomware", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Defacement"}]}, {"name": "Ransomware Notes bulk creation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Gather Victim Host Information"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "UAC Bypass With Colorui COM Object", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "CMSTP"}]}, {"name": "Wbemprox COM Object Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "CMSTP"}]}, {"name": "Windows Modify Registry Default Icon Setting", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}]}, {"name": "Log4Shell CVE-2021-44228", "author": "Jose Hernandez", "date": "2021-12-11", "version": 1, "id": "b4453928-5a98-11ec-afcd-8de10b48fc52", "description": "Log4Shell or CVE-2021-44228 is a Remote Code Execution (RCE) vulnerability in the Apache Log4j library, a widely used and ubiquitous logging framework for Java. The vulnerability allows an attacker who can control log messages to execute arbitrary code loaded from attacker-controlled servers and we anticipate that most apps using the Log4j library will meet this condition.", "references": ["https://mbechler.github.io/2021/12/10/PSA_Log4Shell_JNDI_Injection/", "https://www.fastly.com/blog/digging-deeper-into-log4shell-0day-rce-exploit-found-in-log4j", "https://www.crowdstrike.com/blog/log4j2-vulnerability-analysis-and-mitigation-recommendations/", "https://www.lunasec.io/docs/blog/log4j-zero-day/", "https://www.splunk.com/en_us/blog/security/log-jammin-log4j-2-rce.html"], "narrative": "In late November 2021, Chen Zhaojun of Alibaba identified a remote code execution vulnerability. Previous work was seen in a 2016 Blackhat talk by Alvaro Munoz and Oleksandr Mirosh called [\"A Journey from JNDI/LDAP Manipulation to Remote Code Execution Dream Land\"](https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf). Reported under the CVE ID : CVE-2021-44228, released to the public on December 10, 2021. The vulnerability is exploited through improper deserialization of user input passed into the framework. It permits remote code execution and it can allow an attacker to leak sensitive data, such as environment variables, or execute malicious software on the target system.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Application Security", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}], "mitre_attack_tactics": ["Persistence", "Execution", "Command And Control", "Initial Access"], "datamodels": ["Endpoint", "Network_Traffic", "Risk", "Web"], "kill_chain_phases": ["Delivery", "Command and Control", "Installation"]}, "detection_names": ["ESCU - Any Powershell DownloadFile - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Curl Download and Bash Execution - Rule", "ESCU - Java Class File download by Java User Agent - Rule", "ESCU - Linux Java Spawning Shell - Rule", "ESCU - Log4Shell CVE-2021-44228 Exploitation - Rule", "ESCU - Outbound Network Connection from Java Using Default Ports - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - Wget Download and Bash Execution - Rule", "ESCU - Windows Java Spawning Shells - Rule", "ESCU - Detect Outbound LDAP Traffic - Rule", "ESCU - Hunting for Log4Shell - Rule", "ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", "ESCU - Log4Shell JNDI Payload Injection with Outbound Connection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "no", "author_name": "Jose Hernandez", "detections": [{"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Curl Download and Bash Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Java Class File download by Java User Agent", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}, {"name": "Linux Java Spawning Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Log4Shell CVE-2021-44228 Exploitation", "source": "endpoint", "type": "Correlation", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Outbound Network Connection from Java Using Default Ports", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Wget Download and Bash Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Windows Java Spawning Shells", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Detect Outbound LDAP Traffic", "source": "network", "type": "Hunting", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Hunting for Log4Shell", "source": "web", "type": "Hunting", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Log4Shell JNDI Payload Injection Attempt", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Log4Shell JNDI Payload Injection with Outbound Connection", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}]}, {"name": "Malicious PowerShell", "author": "David Dorsey, Splunk", "date": "2017-08-23", "version": 5, "id": "2c8ff66e-0b57-42af-8ad7-912438a403fc", "description": "Attackers are finding stealthy ways \"live off the land,\" leveraging utilities and tools that come standard on the endpoint--such as PowerShell--to achieve their goals without downloading binary files. These searches can help you detect and investigate PowerShell command-line options that may be indicative of malicious intent.", "references": ["https://blogs.mcafee.com/mcafee-labs/malware-employs-powershell-to-infect-systems/", "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"], "narrative": "The searches in this Analytic Story monitor for parameters often used for malicious purposes. It is helpful to understand how often the notable events generated by this story occur, as well as the commonalities between some of these events. These factors may provide clues about whether this is a common occurrence of minimal concern or a rare event that may require more extensive investigation. Likewise, it is important to determine whether the issue is restricted to a single user/system or is broader in scope.\nThe following factors may assist you in determining whether the event is malicious:\n1. Country of origin\n1. Responsible party\n1. Fully qualified domain names associated with the external IP address\n1. Registration of fully qualified domain names associated with external IP address\nDetermining whether it is a dynamic domain frequently visited by others and/or how third parties categorize it can also help you answer some questions surrounding the attacker and details related to the external system. In addition, there are various sources--such as VirusTotal— that can provide some reputation information on the IP address or domain name, which can assist in determining whether the event is malicious. Finally, determining whether there are other events associated with the IP address may help connect data points or show other events that should be brought into scope.\nGathering data on the system of interest can sometimes help you quickly determine whether something suspicious is happening. Some of these items include finding out who else may have recently logged into the system, whether any unusual scheduled tasks exist, whether the system is communicating on suspicious ports, whether there are modifications to sensitive registry keys, and whether there are any known vulnerabilities on the system. This information can often highlight other activity commonly seen in attack scenarios or give more information about how the system may have been targeted.\nOften, a simple inspection of the process name and path can tell you if the system has been compromised. For example, if `svchost.exe` is found running from a location other than `C:\\Windows\\System32`, it is likely something malicious designed to hide in plain sight when cursorily reviewing process names. Similarly, if the process itself seems legitimate, but the parent process is running from the temporary browser cache, that could be indicative of activity initiated via a compromised website a user visited.\nIt can also be very helpful to examine various behaviors of the process of interest or the parent of the process of interest. For example, if it turns out the process of interest is malicious, it would be good to see if the parent to that process spawned other processes that might be worth further scrutiny. If a process is suspect, a review of the network connections made in and around the time of the event and/or whether the process spawned any child processes could be helpful, as well.\nIn the event a system is suspected of having been compromised via a malicious website, we suggest reviewing the browsing activity from that system around the time of the event. If categories are given for the URLs visited, that can help you zero in on possible malicious sites.\nMost recently we have added new content related to PowerShell Script Block logging, Windows EventCode 4104. Script block logging presents the deobfuscated and raw script executed on an endpoint. The analytics produced were tested against commonly used attack frameworks - PowerShell-Empire, Cobalt Strike and Covenant. In addition, we sampled publicly available samples that utilize PowerShell and validated coverage. The analytics are here to identify suspicious usage, cmdlets, or script values. 4104 events are enabled via the Windows registry and may generate a large volume of data if enabled globally. Enabling on critical systems or a limited set may be best. During triage of 4104 events, review parallel processes for other processes and command executed. Identify any file modifications and network communication and review accordingly. Fortunately, we get the full script to determine the level of threat identified.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT41", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1027.011", "mitre_attack_technique": "Fileless Storage", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "Turla"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1546.015", "mitre_attack_technique": "Component Object Model Hijacking", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1027.005", "mitre_attack_technique": "Indicator Removal from Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT3", "Deep Panda", "GALLIUM", "OilRig", "Patchwork", "Turla"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1218.014", "mitre_attack_technique": "MMC", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1021.006", "mitre_attack_technique": "Windows Remote Management", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Chimera", "FIN13", "Threat Group-3390", "Wizard Spider"]}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Reconnaissance", "Lateral Movement", "Defense Evasion", "Persistence", "Execution", "Discovery", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Command and Control", "Installation", "Exploitation", "Reconnaissance"]}, "detection_names": ["ESCU - Suspicious Powershell Command-Line Arguments - Rule", "ESCU - Any Powershell DownloadFile - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - Detect Certify With PowerShell Script Block Logging - Rule", "ESCU - Detect Empire with PowerShell Script Block Logging - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - GetLocalUser with PowerShell Script Block - Rule", "ESCU - GetWmiObject User Account with PowerShell Script Block - Rule", "ESCU - Malicious Powershell Executed As A Service - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Malicious PowerShell Process With Obfuscation Techniques - Rule", "ESCU - Possible Lateral Movement PowerShell Spawn - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - Powershell COM Hijacking InprocServer32 Modification - Rule", "ESCU - Powershell Creating Thread Mutex - Rule", "ESCU - PowerShell Domain Enumeration - Rule", "ESCU - PowerShell Enable PowerShell Remoting - Rule", "ESCU - Powershell Enable SMB1Protocol Feature - Rule", "ESCU - Powershell Execute COM Object - Rule", "ESCU - Powershell Fileless Process Injection via GetProcAddress - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - PowerShell Invoke CIMMethod CIMSession - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Powershell Processing Stream Of Data - Rule", "ESCU - PowerShell Script Block With URL Chain - Rule", "ESCU - Powershell Using memory As Backing Store - Rule", "ESCU - PowerShell WebRequest Using Memory Stream - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - ServicePrincipalNames Discovery with PowerShell - Rule", "ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule", "ESCU - Unloading AMSI via Reflection - Rule", "ESCU - WMI Recon Running Process Or Services - Rule"], "investigation_names": ["Get History Of Email Sources", "Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Suspicious Powershell Command-Line Arguments", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "PowerShell"}]}, {"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Detect Certify With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Detect Empire with PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "GetLocalUser with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "GetWmiObject User Account with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Malicious Powershell Executed As A Service", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}, {"name": "Malicious PowerShell Process With Obfuscation Techniques", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Possible Lateral Movement PowerShell Spawn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Remote Management"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "MMC"}]}, {"name": "PowerShell 4104 Hunting", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Powershell COM Hijacking InprocServer32 Modification", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Component Object Model Hijacking"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Powershell Creating Thread Mutex", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "Indicator Removal from Tools"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "PowerShell Domain Enumeration", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "PowerShell Enable PowerShell Remoting", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Powershell Enable SMB1Protocol Feature", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "Indicator Removal from Tools"}]}, {"name": "Powershell Execute COM Object", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Component Object Model Hijacking"}, {"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Powershell Fileless Process Injection via GetProcAddress", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "PowerShell Invoke CIMMethod CIMSession", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "PowerShell Loading DotNET into Memory via Reflection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Powershell Processing Stream Of Data", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "PowerShell Script Block With URL Chain", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Powershell Using memory As Backing Store", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "PowerShell WebRequest Using Memory Stream", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}, {"mitre_attack_technique": "Fileless Storage"}]}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Gather Victim Host Information"}]}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Gather Victim Host Information"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "ServicePrincipalNames Discovery with PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Kerberoasting"}]}, {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Unloading AMSI via Reflection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "WMI Recon Running Process Or Services", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Gather Victim Host Information"}]}]}, {"name": "Masquerading - Rename System Utilities", "author": "Michael Haag, Splunk", "date": "2021-04-26", "version": 1, "id": "f0258af4-a6ae-11eb-b3c2-acde48001122", "description": "Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities.", "references": ["https://attack.mitre.org/techniques/T1036/003/"], "narrative": "Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing. It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename rundll32.exe). An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on system utilities executing from non-standard paths.\nThe following content is here to assist with binaries within `system32` or `syswow64` being moved to a new location or an adversary bringing a the binary in to execute.\nThere will be false positives as some native Windows processes are moved or ran by third party applications from different paths. If file names are mismatched between the file name on disk and that of the binarys PE metadata, this is a likely indicator that a binary was renamed after it was compiled. Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity. Do not focus on the possible names a file could have, but instead on the command-line arguments that are known to be used and are distinct because it will have a better rate of detection.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1127.001", "mitre_attack_technique": "MSBuild", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}, {"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}], "mitre_attack_tactics": ["Impact", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Execution of File With Spaces Before Extension - Rule", "ESCU - Suspicious Rundll32 Rename - Rule", "ESCU - Execution of File with Multiple Extensions - Rule", "ESCU - Sdelete Application Execution - Rule", "ESCU - Suspicious microsoft workflow compiler rename - Rule", "ESCU - Suspicious msbuild path - Rule", "ESCU - Suspicious MSBuild Rename - Rule", "ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - Windows DotNet Binary in Non Standard Path - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Execution of File With Spaces Before Extension", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Rename System Utilities"}]}, {"name": "Suspicious Rundll32 Rename", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rundll32"}, {"mitre_attack_technique": "Rename System Utilities"}]}, {"name": "Execution of File with Multiple Extensions", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}, {"name": "Sdelete Application Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Suspicious microsoft workflow compiler rename", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}]}, {"name": "Suspicious msbuild path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}, {"name": "Suspicious MSBuild Rename", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}, {"name": "System Processes Run From Unexpected Locations", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}, {"name": "Windows DotNet Binary in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}]}, {"name": "MetaSploit", "author": "Michael Haag, Splunk", "date": "2022-11-21", "version": 1, "id": "c149b694-bd08-4535-88d3-1f288a66313f", "description": "The following analytic story highlights content related directly to MetaSploit, which may be default configurations attributed to MetaSploit or behaviors of known knowns that are related.", "references": ["https://github.com/rapid7/metasploit-framework", "https://www.varonis.com/blog/what-is-metasploit"], "narrative": "The Metasploit framework is a very powerful tool which can be used by cybercriminals as well as ethical hackers to probe systematic vulnerabilities on networks and servers. Because it is an open-source framework, it can be easily customized and used with most operating systems.\nThe Metasploit Project was undertaken in 2003 by H.D. Moore for use as a Perl-based portable network tool, with assistance from core developer Matt Miller. It was fully converted to Ruby by 2007, and the license was acquired by Rapid7 in 2009, where it remains as part of the Boston-based company repertoire of IDS signature development and targeted remote exploit, fuzzing, anti-forensic, and evasion tools.\\\nPortions of these other tools reside within the Metasploit framework, which is built into the Kali Linux OS. Rapid7 has also developed two proprietary OpenCore tools, Metasploit Pro, Metasploit Express.\\\nThis framework has become the go-to exploit development and mitigation tool. Prior to Metasploit, pen testers had to perform all probes manually by using a variety of tools that may or may not have supported the platform they were testing, writing their own code by hand, and introducing it onto networks manually. Remote testing was virtually unheard of, and that limited a security specialist reach to the local area and companies spending a fortune on in-house IT or security consultants. (ref. Varonis)", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Execution"], "datamodels": [], "kill_chain_phases": ["Installation"]}, "detection_names": ["ESCU - Powershell Load Module in Meterpreter - Rule", "ESCU - Windows Apache Benchmark Binary - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Powershell Load Module in Meterpreter", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Windows Apache Benchmark Binary", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}]}, {"name": "Meterpreter", "author": "Michael Hart", "date": "2021-06-08", "version": 1, "id": "d5f8e298-c85a-11eb-9fea-acde48001122", "description": "Meterpreter provides red teams, pen testers and threat actors interactive access to a compromised host to run commands, upload payloads, download files, and other actions.", "references": ["https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/", "https://doubleoctopus.com/security-wiki/threats-and-tools/meterpreter/", "https://www.rapid7.com/products/metasploit/"], "narrative": "This Analytic Story supports you to detect Tactics, Techniques and Procedures (TTPs) from Meterpreter. Meterpreter is a Metasploit payload for remote execution that leverages DLL injection to make it extremely difficult to detect. Since the software runs in memory, no new processes are created upon injection. It also leverages encrypted communication channels.\nMeterpreter enables the operator to remotely run commands on the target machine, upload payloads, download files, dump password hashes, and much more. It is difficult to determine from the forensic evidence what actions the operator performed. Splunk Research, however, has observed anomalous behaviors on the compromised hosts that seem to only appear when Meterpreter is executing various commands. With that, we have written new detections targeted to these detections.\nWhile investigating a detection related to this analytic story, please bear in mind that the detections look for anomalies in system behavior. It will be imperative to look for other signs in the endpoint and network logs for lateral movement, discovery and other actions to confirm that the host was compromised and a remote actor used it to progress on their objectives.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}], "mitre_attack_tactics": ["Execution"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation"]}, "detection_names": ["ESCU - Excessive distinct processes from Windows Temp - Rule", "ESCU - Excessive number of taskhost processes - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "no", "author_name": "Michael Hart", "detections": [{"name": "Excessive distinct processes from Windows Temp", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Excessive number of taskhost processes", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}]}, {"name": "Microsoft MSHTML Remote Code Execution CVE-2021-40444", "author": "Michael Haag, Splunk", "date": "2021-09-08", "version": 1, "id": "4ad4253e-10ca-11ec-8235-acde48001122", "description": "CVE-2021-40444 is a remote code execution vulnerability in MSHTML, recently used to delivery targeted spearphishing documents.", "references": ["https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/windows-mshtml-zero-day-actively-exploited-mitigations-required/", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444", "https://www.echotrail.io/insights/search/control.exe"], "narrative": "Microsoft is aware of targeted attacks that attempt to exploit this vulnerability, CVE-2021-40444 by using specially-crafted Microsoft Office documents. MSHTML is a software component used to render web pages on Windows. Although it is 2019s most commonly associated with Internet Explorer, it is also used in other software. CVE-2021-40444 received a CVSS score of 8.8 out of 10. MSHTML is the beating heart of Internet Explorer, the vulnerability also exists in that browser. Although given its limited use, there is little risk of infection by that vector. Microsoft Office applications use the MSHTML component to display web content in Office documents. The attack depends on MSHTML loading a specially crafted ActiveX control when the target opens a malicious Office document. The loaded ActiveX control can then run arbitrary code to infect the system with more malware. At the moment all supported Windows versions are vulnerable. Since there is no patch available yet, Microsoft proposes a few methods to block these attacks.\n1. Disable the installation of all ActiveX controls in Internet Explorer via the registry. Previously-installed ActiveX controls will still run, but no new ones will be added, including malicious ones. Open documents from the Internet in Protected View or Application Guard for Office, both of which prevent the current attack. This is a default setting but it may have been changed.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1218.002", "mitre_attack_technique": "Control Panel", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Ember Bear"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}], "mitre_attack_tactics": ["Defense Evasion", "Initial Access"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Exploitation"]}, "detection_names": ["ESCU - Control Loading from World Writable Directory - Rule", "ESCU - MSHTML Module Load in Office Product - Rule", "ESCU - Office Product Writing cab or inf - Rule", "ESCU - Office Spawning Control - Rule", "ESCU - Rundll32 Control RunDLL Hunt - Rule", "ESCU - Rundll32 Control RunDLL World Writable Directory - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Control Loading from World Writable Directory", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Control Panel"}]}, {"name": "MSHTML Module Load in Office Product", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Writing cab or inf", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Spawning Control", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Rundll32 Control RunDLL Hunt", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Rundll32 Control RunDLL World Writable Directory", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}]}, {"name": "Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357", "author": "Michael Haag, Gowthamaraj Rajendran, Splunk", "date": "2023-09-27", "version": 1, "id": "95ae800d-485e-47f7-866e-8be281aa497d", "description": "This analytic story focuses on the Microsoft SharePoint Server vulnerability CVE-2023-29357, which allows for an elevation of privilege due to improper handling of authentication tokens. Exploitation of this vulnerability could lead to a serious security breach where an attacker might gain privileged access to the SharePoint environment, potentially leading to data theft or other malicious activities. This story is associated with the detection `Microsoft SharePoint Server Elevation of Privilege` which identifies attempts to exploit this vulnerability.", "references": ["https://socradar.io/microsoft-sharepoint-server-elevation-of-privilege-vulnerability-exploit-cve-2023-29357/", "https://github.com/Chocapikk/CVE-2023-29357"], "narrative": "Microsoft SharePoint Server is a widely used web-based collaborative platform. The vulnerability CVE-2023-29357 exposes a flaw in the handling of authentication tokens, allowing an attacker to escalate privileges and gain unauthorized access to the SharePoint environment. This could potentially lead to data theft, unauthorized system modifications, or other malicious activities. Organizations are urged to apply immediate patches and conduct regular system assessments to ensure security.", "tags": {"category": ["Vulnerability", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Microsoft SharePoint Server Elevation of Privilege - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Gowthamaraj Rajendran, Splunk", "author_name": "Michael Haag", "detections": [{"name": "Microsoft SharePoint Server Elevation of Privilege", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}]}, {"name": "Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190", "author": "Michael Haag, Teoderick Contreras, Splunk", "date": "2022-05-31", "version": 1, "id": "2a60a99e-c93a-4036-af70-768fac838019", "description": "On Monday May 30, 2022, Microsoft issued CVE-2022-30190 regarding the Microsoft Support Diagnostic Tool (MSDT) in Windows vulnerability.", "references": ["https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/", "https://isc.sans.edu/diary/rss/28694", "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e", "https://twitter.com/nao_sec/status/1530196847679401984?s=20&t=ZiXYI4dQuA-0_dzQzSUb3A", "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", "https://www.virustotal.com/gui/file/4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784/detection", "https://strontic.github.io/xcyclopedia/library/msdt.exe-152D4C9F63EFB332CCB134C6953C0104.html"], "narrative": "A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user''s rights.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}], "mitre_attack_tactics": ["Execution", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - Windows Command and Scripting Interpreter Hunting Path Traversal - Rule", "ESCU - Windows Command and Scripting Interpreter Path Traversal Exec - Rule", "ESCU - Windows Execute Arbitrary Commands with MSDT - Rule", "ESCU - Windows Office Product Spawning MSDT - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Teoderick Contreras, Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Command and Scripting Interpreter Hunting Path Traversal", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows Command and Scripting Interpreter Path Traversal Exec", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows Execute Arbitrary Commands with MSDT", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}]}, {"name": "Windows Office Product Spawning MSDT", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}]}, {"name": "Monitor for Updates", "author": "Rico Valdez, Splunk", "date": "2017-09-15", "version": 1, "id": "9ef8d677-7b52-4213-a038-99cfc7acc2d8", "description": "Monitor your enterprise to ensure that your endpoints are being patched and updated. Adversaries notoriously exploit known vulnerabilities that could be mitigated by applying routine security patches.", "references": ["https://learn.cisecurity.org/20-controls-download"], "narrative": "It is a common best practice to ensure that endpoints are being patched and updated in a timely manner, in order to reduce the risk of compromise via a publicly disclosed vulnerability. Timely application of updates/patches is important to eliminate known vulnerabilities that may be exploited by various threat actors.\nSearches in this analytic story are designed to help analysts monitor endpoints for system patches and/or updates. This helps analysts identify any systems that are not successfully updated in a timely matter.\nMicrosoft releases updates for Windows systems on a monthly cadence. They should be installed as soon as possible after following internal testing and validation procedures. Patches and updates for other systems or applications are typically released as needed.", "tags": {"category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Compliance", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - No Windows Updates in a time frame - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "No Windows Updates in a time frame", "source": "application", "type": "Hunting", "tags": []}]}, {"name": "MOVEit Transfer Critical Vulnerability", "author": "Michael Haag, Splunk", "date": "2023-06-01", "version": 1, "id": "e8c05f9b-6ad4-45ac-8f5d-ff044da417c9", "description": "A critical zero-day vulnerability has been discovered in the MOVEit Transfer file transfer software, widely used by businesses and developers worldwide. The vulnerability has been exploited by unknown threat actors to perform mass data theft from organizations. Progress Software Corporation, the developer of MOVEit, has issued a security advisory urging customers to take immediate action to protect their environments. They recommend blocking external traffic to ports 80 and 445 on the MOVEit server, and to check the c:\\MOVEitTransfer\\wwwroot\\ folder for unusual files. A patch is currently released.", "references": ["https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023", "https://www.reddit.com/r/sysadmin/comments/13wxuej/critical_vulnerability_moveit_file_transfer/", "https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/", "https://www.reddit.com/r/sysadmin/comments/13wxuej/critical_vulnerability_moveit_file_transfer/", "https://gist.github.com/MHaggis/faa672b1929a23fc48fc0ee47585cc48"], "narrative": "Hackers have been actively exploiting a zero-day vulnerability found in the MOVEit Transfer software. This software, developed by Progress Software Corporation, a US-based company and its subsidiary Ipswitch, is a managed file transfer solution. It is used by thousands of organizations worldwide, including Chase, Disney, GEICO, and MLB, and by 3.5 million developers. The software allows for secure file transfers between business partners and customers using SFTP, SCP, and HTTP-based uploads.\nThe zero-day vulnerability has been exploited to steal data on a large scale from various organizations. The identity of the threat actors and the exact timeline of the exploitation remains unclear. However, it has been confirmed that multiple organizations have experienced breaches and data theft.\nIn response to this critical situation, Progress released a security advisory warning customers of the vulnerability and providing mitigation strategies while a patch has been released. They urged customers to take immediate action to protect their MOVEit environments. They suggested blocking external traffic to ports 80 and 445 on the MOVEit server and checking the c:\\MOVEitTransfer\\wwwroot\\ folder for unexpected files, including backups or large file downloads.\nBlocking these ports will prevent external access to the web UI, prevent some MOVEit Automation tasks from working, block APIs, and prevent the Outlook MOVEit plugin from working. However, SFTP and FTP/s protocols can continue to be used for file transfers.\nThere is currently no detailed information about the zero-day vulnerability. But based on the ports blocked and the specific location to check for unusual files, the flaw is likely a web-facing vulnerability.\nWhile Progress has officially confirmed that the vulnerability is being actively exploited, it is clear from several reports that multiple organizations have already had data stolen using this zero-day vulnerability. The exploitation appears very similar to the mass exploitation of a GoAnywhere MFT zero-day in January 2023 and the December 2020 zero-day exploitation of Accellion FTA servers. These were both managed file transfer platforms heavily exploited by the Clop ransomware gang to steal data and extort organizations.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Windows MOVEit Transfer Writing ASPX - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows MOVEit Transfer Writing ASPX", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}]}, {"name": "Netsh Abuse", "author": "Bhavin Patel, Splunk", "date": "2017-01-05", "version": 1, "id": "2b1800dd-92f9-47ec-a981-fdf1351e5f65", "description": "Detect activities and various techniques associated with the abuse of `netsh.exe`, which can disable local firewall settings or set up a remote connection to a host from an infected system.", "references": ["https://docs.microsoft.com/en-us/previous-versions/tn-archive/bb490939(v=technet.10)", "https://htmlpreview.github.io/?https://github.com/MatthewDemaske/blogbackup/blob/master/netshell.html", "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html"], "narrative": "It is a common practice for attackers of all types to leverage native Windows tools and functionality to execute commands for malicious reasons. One such tool on Windows OS is `netsh.exe`,a command-line scripting utility that allows you to--either locally or remotely--display or modify the network configuration of a computer that is currently running. `Netsh.exe` can be used to discover and disable local firewall settings. It can also be used to set up a remote connection to a host from an infected system.\nTo get started, run the detection search to identify parent processes of `netsh.exe`.", "tags": {"category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT", "ToddyCat"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Processes created by netsh - Rule", "ESCU - Processes launching netsh - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Processes created by netsh", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify System Firewall"}]}, {"name": "Processes launching netsh", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "System Network Connections Discovery"}, {"mitre_attack_technique": "System Owner/User Discovery"}, {"mitre_attack_technique": "System Shutdown/Reboot"}, {"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}]}, {"name": "Network Discovery", "author": "Teoderick Contreras, Splunk", "date": "2022-02-14", "version": 1, "id": "af228995-f182-49d7-90b3-2a732944f00f", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the network discovery, including looking for network configuration, settings such as IP, MAC address, firewall settings and many more.", "references": ["https://attack.mitre.org/techniques/T1016/", "https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf", "https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/"], "narrative": "Adversaries may use the information from System Network Configuration Discovery during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Linux System Network Discovery - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Linux System Network Discovery", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Network Configuration Discovery"}]}]}, {"name": "NjRAT", "author": "Teoderick Contreras, Splunk", "date": "2023-09-07", "version": 2, "id": "f6d52454-6cf3-4759-9627-5868a3e2b2b1", "description": "NjRat is a notorious remote access trojan (RAT) predominantly wielded by malicious operators to infiltrate and wield remote control over compromised systems. This analytical story harnesses targeted search methodologies to uncover and investigate activities that could be indicative of NjRAT's presence. These activities include tracking file write operations for dropped files, scrutinizing registry modifications aimed at establishing persistence mechanisms, monitoring suspicious processes, self-deletion behaviors, browser credential parsing, firewall configuration alterations, spread itself via removable drive and an array of other potentially malicious actions.", "references": ["https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-malware/what-is-njrat-malware/#:~:text=NJRat%20%E2%80%94%20also%20known%20as%20Bladabindi,malware%20variant%20in%20March%202023.", "https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat"], "narrative": "NjRat is also known as Bladabindi malware that was first discovered in the wild in 2012. Since then this malware remain active and uses different campaign to spred its malware. While its primary infection vectors are phishing attacks and drive-by downloads, it also has \"worm\" capability to spread itself via infected removable drives. This RAT has various of capabilities including keylogging, webcam access, browser credential parsing, file upload and downloads, file and process list, service list, shell command execution, registry modification, screen capture, view the desktop of the infected computer and many more. NjRat does not target any industry in particular, but attacking a wide variety of individuals and organizations to gather sensitive information.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1561.002", "mitre_attack_technique": "Disk Structure Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1102", "mitre_attack_technique": "Web Service", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT32", "EXOTIC LILY", "Ember Bear", "FIN6", "FIN8", "Fox Kitten", "Gamaredon Group", "Inception", "LazyScripter", "Mustang Panda", "Rocke", "TeamTNT", "Turla"]}, {"mitre_attack_id": "T1129", "mitre_attack_technique": "Shared Modules", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1497", "mitre_attack_technique": "Virtualization/Sandbox Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": ["Darkhotel"]}, {"mitre_attack_id": "T1497.003", "mitre_attack_technique": "Time Based Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Cinnamon Tempest", "Earth Lusca", "FIN13", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1562.007", "mitre_attack_technique": "Disable or Modify Cloud Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1027.011", "mitre_attack_technique": "Fileless Storage", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "Turla"]}, {"mitre_attack_id": "T1561", "mitre_attack_technique": "Disk Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "Malteiro", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1091", "mitre_attack_technique": "Replication Through Removable Media", "mitre_attack_tactics": ["Initial Access", "Lateral Movement"], "mitre_attack_groups": ["APT28", "Aoqin Dragon", "Darkhotel", "FIN7", "LuminousMoth", "Mustang Panda", "Tropic Trooper"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "APT5", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "APT41", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "Volt Typhoon", "ZIRCONIUM"]}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT", "ToddyCat"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "APT41", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Malteiro", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Initial Access", "Lateral Movement", "Persistence", "Execution", "Privilege Escalation", "Impact", "Discovery", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Command and Control", "Delivery", "Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Allow Inbound Traffic By Firewall Rule Registry - Rule", "ESCU - Allow Network Discovery In Firewall - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Disable Registry Tool - Rule", "ESCU - Disabling CMD Application - Rule", "ESCU - Disabling SystemRestore In Registry - Rule", "ESCU - Disabling Task Manager - Rule", "ESCU - Excessive Usage Of Taskkill - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Firewall Allowed Program Enable - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Office Application Spawn rundll32 process - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Document Spawned Child Process To Download - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Office Product Spawning MSHTA - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Windows Abused Web Services - Rule", "ESCU - Windows Admin Permission Discovery - Rule", "ESCU - Windows Boot or Logon Autostart Execution In Startup Folder - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule", "ESCU - Windows Delete or Modify System Firewall - Rule", "ESCU - Windows Disable or Modify Tools Via Taskkill - Rule", "ESCU - Windows Executable in Loaded Modules - Rule", "ESCU - Windows Modify Registry With MD5 Reg Key Name - Rule", "ESCU - Windows Modify System Firewall with Notable Process Path - Rule", "ESCU - Windows Njrat Fileless Storage via Registry - Rule", "ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - Windows Replication Through Removable Media - Rule", "ESCU - Windows System LogOff Commandline - Rule", "ESCU - Windows System Reboot CommandLine - Rule", "ESCU - Windows System Shutdown CommandLine - Rule", "ESCU - Windows Time Based Evasion - Rule", "ESCU - Windows Unsigned DLL Side-Loading - Rule", "ESCU - Windows User Execution Malicious URL Shortcut File - Rule", "ESCU - Wscript Or Cscript Suspicious Child Process - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Allow Inbound Traffic By Firewall Rule Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "Allow Network Discovery In Firewall", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Cloud Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Disable Registry Tool", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}, {"name": "Disabling CMD Application", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}, {"name": "Disabling SystemRestore In Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Disabling Task Manager", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Excessive Usage Of Taskkill", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Firewall Allowed Program Enable", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "Office Application Spawn rundll32 process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Document Spawned Child Process To Download", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawning MSHTA", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Windows Abused Web Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Web Service"}]}, {"name": "Windows Admin Permission Discovery", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Local Groups"}]}, {"name": "Windows Boot or Logon Autostart Execution In Startup Folder", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Windows Credentials from Password Stores Chrome LocalState Access", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Credentials from Password Stores Chrome Login Data Access", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Delete or Modify System Firewall", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Disable or Modify System Firewall"}]}, {"name": "Windows Disable or Modify Tools Via Taskkill", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Disable or Modify Tools"}]}, {"name": "Windows Executable in Loaded Modules", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Shared Modules"}]}, {"name": "Windows Modify Registry With MD5 Reg Key Name", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify System Firewall with Notable Process Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Njrat Fileless Storage via Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Fileless Storage"}, {"mitre_attack_technique": "Obfuscated Files or Information"}]}, {"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}, {"name": "Windows Replication Through Removable Media", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Replication Through Removable Media"}]}, {"name": "Windows System LogOff Commandline", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Shutdown/Reboot"}]}, {"name": "Windows System Reboot CommandLine", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Shutdown/Reboot"}]}, {"name": "Windows System Shutdown CommandLine", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Shutdown/Reboot"}]}, {"name": "Windows Time Based Evasion", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Virtualization/Sandbox Evasion"}, {"mitre_attack_technique": "Time Based Evasion"}]}, {"name": "Windows Unsigned DLL Side-Loading", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "DLL Side-Loading"}]}, {"name": "Windows User Execution Malicious URL Shortcut File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Malicious File"}, {"mitre_attack_technique": "User Execution"}]}, {"name": "Wscript Or Cscript Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Parent PID Spoofing"}, {"mitre_attack_technique": "Access Token Manipulation"}]}]}, {"name": "NOBELIUM Group", "author": "Patrick Bareiss, Michael Haag, Mauricio Velazco, Splunk", "date": "2020-12-14", "version": 3, "id": "758196b5-2e21-424f-a50c-6e421ce926c2", "description": "NOBELIUM, also known as APT29, The Dukes, Cozy Bear, CozyDuke, Blue Kitsune, and Midnight Blizzard, is a sophisticated nation-state threat actor, reportedly associated with Russian intelligence. Active since at least 2008, this group primarily targets government networks in Europe and NATO member countries, along with research institutes and think tanks. Their operations typically involve advanced persistent threats (APT), leveraging techniques like spear-phishing, malware deployment, and long-term network compromise to achieve information theft and espionage. Notably, APT29 has been implicated in significant cyber espionage incidents, including the 2015 breach of the Pentagon's Joint Staff email system and attacks on the Democratic National Committee in 2016. Their advanced tactics and persistent approach underscore the serious nature of threats posed by this group to global cybersecurity.", "references": ["https://attack.mitre.org/groups/G0016/", "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/", "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/", "https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/"], "narrative": "This Analytic Story groups detections designed to trigger on a comprehensive range of Tactics, Techniques, and Procedures (TTPs) leveraged by the NOBELIUM Group, with a focus on their methods as observed in well-known public breaches.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1098.001", "mitre_attack_technique": "Additional Cloud Credentials", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA2541", "TA551"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1090.003", "mitre_attack_technique": "Multi-hop Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT28", "APT29", "FIN4", "Inception", "Leviathan"]}, {"mitre_attack_id": "T1110.001", "mitre_attack_technique": "Password Guessing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider", "Scattered Spider"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Akira", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Scattered Spider", "Silence", "Threat Group-3390", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1071.002", "mitre_attack_technique": "File Transfer Protocols", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Dragonfly", "Kimsuky", "SilverTerrier"]}, {"mitre_attack_id": "T1098.002", "mitre_attack_technique": "Additional Email Delegate Permissions", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "Magic Hound"]}, {"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "APT5", "Akira", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN13", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}, {"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "Cinnamon Tempest", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "MoustachedBouncer", "POLONIUM", "Sandworm Team", "Turla", "Volt Typhoon", "Windigo"]}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1114.002", "mitre_attack_technique": "Remote Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "Chimera", "Dragonfly", "FIN4", "HAFNIUM", "Ke3chang", "Kimsuky", "Leafminer", "Magic Hound"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1098.003", "mitre_attack_technique": "Additional Cloud Roles", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1203", "mitre_attack_technique": "Exploitation for Client Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT12", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT41", "Andariel", "Aoqin Dragon", "Axiom", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "Higaisa", "Inception", "Lazarus Group", "Leviathan", "MuddyWater", "Mustang Panda", "Patchwork", "Sandworm Team", "Sidewinder", "TA459", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "admin@338"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Magic Hound", "Rocke", "TeamTNT"]}], "mitre_attack_tactics": ["Resource Development", "Command And Control", "Discovery", "Credential Access", "Initial Access", "Collection", "Persistence", "Privilege Escalation", "Execution", "Defense Evasion"], "datamodels": ["Endpoint", "Network_Traffic", "Web"], "kill_chain_phases": ["Command and Control", "Delivery", "Weaponization", "Installation", "Exploitation"]}, "detection_names": ["ESCU - Azure AD Admin Consent Bypassed by Service Principal - Rule", "ESCU - Azure AD FullAccessAsApp Permission Assigned - Rule", "ESCU - Azure AD High Number Of Failed Authentications From Ip - Rule", "ESCU - Azure AD Multi-Source Failed Authentications Spike - Rule", "ESCU - Azure AD Multiple Service Principals Created by SP - Rule", "ESCU - Azure AD Multiple Service Principals Created by User - Rule", "ESCU - Azure AD Privileged Graph API Permission Assigned - Rule", "ESCU - Azure AD Privileged Role Assigned - Rule", "ESCU - Azure AD Privileged Role Assigned to Service Principal - Rule", "ESCU - Azure AD Service Principal Authentication - Rule", "ESCU - Azure AD Service Principal Created - Rule", "ESCU - Azure AD Service Principal New Client Credentials - Rule", "ESCU - Azure AD Service Principal Owner Added - Rule", "ESCU - Azure AD Tenant Wide Admin Consent Granted - Rule", "ESCU - O365 Added Service Principal - Rule", "ESCU - O365 Application Registration Owner Added - Rule", "ESCU - O365 ApplicationImpersonation Role Assigned - Rule", "ESCU - O365 FullAccessAsApp Permission Assigned - Rule", "ESCU - O365 Multi-Source Failed Authentications Spike - Rule", "ESCU - O365 Multiple Mailboxes Accessed via API - Rule", "ESCU - O365 Multiple Service Principals Created by SP - Rule", "ESCU - O365 Multiple Service Principals Created by User - Rule", "ESCU - O365 Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - O365 OAuth App Mailbox Access via EWS - Rule", "ESCU - O365 OAuth App Mailbox Access via Graph API - Rule", "ESCU - O365 Privileged Graph API Permission Assigned - Rule", "ESCU - O365 Service Principal New Client Credentials - Rule", "ESCU - O365 Tenant Wide Admin Consent Granted - Rule", "ESCU - Anomalous usage of 7zip - Rule", "ESCU - Detect Prohibited Applications Spawning cmd exe - Rule", "ESCU - Detect Rundll32 Inline HTA Execution - Rule", "ESCU - First Time Seen Running Windows Service - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Sunburst Correlation DLL and Network Event - Rule", "ESCU - Windows AdFind Exe - Rule", "ESCU - Detect Outbound SMB Traffic - Rule", "ESCU - TOR Traffic - Rule", "ESCU - Supernova Webshell - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Michael Haag, Mauricio Velazco, Splunk", "author_name": "Patrick Bareiss", "detections": [{"name": "Azure AD Admin Consent Bypassed by Service Principal", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "Azure AD FullAccessAsApp Permission Assigned", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Additional Email Delegate Permissions"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "Azure AD High Number Of Failed Authentications From Ip", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Guessing"}, {"mitre_attack_technique": "Password Spraying"}]}, {"name": "Azure AD Multi-Source Failed Authentications Spike", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}, {"name": "Azure AD Multiple Service Principals Created by SP", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Account"}]}, {"name": "Azure AD Multiple Service Principals Created by User", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Account"}]}, {"name": "Azure AD Privileged Graph API Permission Assigned", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Security Account Manager"}]}, {"name": "Azure AD Privileged Role Assigned", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "Azure AD Privileged Role Assigned to Service Principal", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "Azure AD Service Principal Authentication", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Cloud Accounts"}]}, {"name": "Azure AD Service Principal Created", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Cloud Account"}]}, {"name": "Azure AD Service Principal New Client Credentials", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Credentials"}]}, {"name": "Azure AD Service Principal Owner Added", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}]}, {"name": "Azure AD Tenant Wide Admin Consent Granted", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "O365 Added Service Principal", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}, {"name": "O365 Application Registration Owner Added", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}]}, {"name": "O365 ApplicationImpersonation Role Assigned", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Email Delegate Permissions"}]}, {"name": "O365 FullAccessAsApp Permission Assigned", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Additional Email Delegate Permissions"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "O365 Multi-Source Failed Authentications Spike", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}, {"name": "O365 Multiple Mailboxes Accessed via API", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Email Collection"}]}, {"name": "O365 Multiple Service Principals Created by SP", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Account"}]}, {"name": "O365 Multiple Service Principals Created by User", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Account"}]}, {"name": "O365 Multiple Users Failing To Authenticate From Ip", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}, {"name": "O365 OAuth App Mailbox Access via EWS", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Email Collection"}]}, {"name": "O365 OAuth App Mailbox Access via Graph API", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Email Collection"}]}, {"name": "O365 Privileged Graph API Permission Assigned", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Security Account Manager"}]}, {"name": "O365 Service Principal New Client Credentials", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Credentials"}]}, {"name": "O365 Tenant Wide Admin Consent Granted", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "Anomalous usage of 7zip", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}, {"name": "Detect Prohibited Applications Spawning cmd exe", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}]}, {"name": "Detect Rundll32 Inline HTA Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}, {"name": "First Time Seen Running Windows Service", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Schtasks scheduling job on remote system", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Sunburst Correlation DLL and Network Event", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploitation for Client Execution"}]}, {"name": "Windows AdFind Exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "Detect Outbound SMB Traffic", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "File Transfer Protocols"}, {"mitre_attack_technique": "Application Layer Protocol"}]}, {"name": "TOR Traffic", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Multi-hop Proxy"}]}, {"name": "Supernova Webshell", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "External Remote Services"}]}]}, {"name": "Office 365 Account Takeover", "author": "Mauricio Velazco, Patrick Bareiss, Splunk", "date": "2023-10-17", "version": 1, "id": "7dcea963-af44-4db7-a5b9-fd2b543d9bc9", "description": "Monitor for activities and anomalies indicative of initial access techniques within Office 365 environments.", "references": ["https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes", "https://attack.mitre.org/tactics/TA0001/", "https://stealthbits.com/blog/bypassing-mfa-with-pass-the-cookie/", "https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth", "https://www.alteredsecurity.com/post/introduction-to-365-stealer", "https://github.com/AlteredSecurity/365-Stealer"], "narrative": "Office 365 (O365) is Microsoft's cloud-based suite of productivity tools, encompassing email, collaboration platforms, and office applications, all integrated with Azure Active Directory for identity and access management. O365's centralized storage of sensitive data and widespread adoption make it a key asset, yet also a prime target for security threats. The \"Office 365 Account Takeover\" analytic story focuses on the initial techniques attackers employ to breach or compromise these identities. Initial access, in this context, consists of techniques that use various entry vectors to gain their initial foothold . Identifying these early indicators is crucial for establishing the first line of defense against unauthorized access and potential security incidents within O365 environments.", "tags": {"category": ["Adversary Tactics", "Account Compromise", "Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1528", "mitre_attack_technique": "Steal Application Access Token", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29"]}, {"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1110.001", "mitre_attack_technique": "Password Guessing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1185", "mitre_attack_technique": "Browser Session Hijacking", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$", "Scattered Spider"]}], "mitre_attack_tactics": ["Resource Development", "Credential Access", "Initial Access", "Collection", "Persistence", "Privilege Escalation", "Defense Evasion"], "datamodels": ["Authentication", "Risk"], "kill_chain_phases": ["Delivery", "Weaponization", "Installation", "Exploitation"]}, "detection_names": ["ESCU - High Number of Login Failures from a single source - Rule", "ESCU - O365 Block User Consent For Risky Apps Disabled - Rule", "ESCU - O365 Concurrent Sessions From Different Ips - Rule", "ESCU - O365 Excessive Authentication Failures Alert - Rule", "ESCU - O365 Excessive SSO logon errors - Rule", "ESCU - O365 File Permissioned Application Consent Granted by User - Rule", "ESCU - O365 High Number Of Failed Authentications for User - Rule", "ESCU - O365 Mail Permissioned Application Consent Granted by User - Rule", "ESCU - O365 Multi-Source Failed Authentications Spike - Rule", "ESCU - O365 Multiple AppIDs and UserAgents Authentication Spike - Rule", "ESCU - O365 Multiple Failed MFA Requests For User - Rule", "ESCU - O365 Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - O365 Security And Compliance Alert Triggered - Rule", "ESCU - O365 User Consent Blocked for Risky Application - Rule", "ESCU - O365 User Consent Denied for OAuth Application - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Patrick Bareiss, Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "High Number of Login Failures from a single source", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Guessing"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "O365 Block User Consent For Risky Apps Disabled", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Impair Defenses"}]}, {"name": "O365 Concurrent Sessions From Different Ips", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Browser Session Hijacking"}]}, {"name": "O365 Excessive Authentication Failures Alert", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Brute Force"}]}, {"name": "O365 Excessive SSO logon errors", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Authentication Process"}]}, {"name": "O365 File Permissioned Application Consent Granted by User", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal Application Access Token"}]}, {"name": "O365 High Number Of Failed Authentications for User", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Guessing"}]}, {"name": "O365 Mail Permissioned Application Consent Granted by User", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal Application Access Token"}]}, {"name": "O365 Multi-Source Failed Authentications Spike", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}, {"name": "O365 Multiple AppIDs and UserAgents Authentication Spike", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "O365 Multiple Failed MFA Requests For User", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}, {"name": "O365 Multiple Users Failing To Authenticate From Ip", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}, {"name": "O365 Security And Compliance Alert Triggered", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}]}, {"name": "O365 User Consent Blocked for Risky Application", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal Application Access Token"}]}, {"name": "O365 User Consent Denied for OAuth Application", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal Application Access Token"}]}]}, {"name": "Office 365 Collection Techniques", "author": "Mauricio Velazco, Splunk", "date": "2024-02-12", "version": 1, "id": "d90f2b80-f675-4717-90af-12fc8c438ae8", "description": "Monitor for activities and anomalies indicative of potential collection techniques within Office 365 environments.", "references": [], "narrative": "Office 365 (O365) is Microsoft's cloud-based suite of productivity tools, encompassing email, collaboration platforms, and office applications, all integrated with Azure Active Directory for identity and access management. O365's centralized storage of sensitive data and widespread adoption make it a key asset, yet also a prime target for security threats. The 'Office 365 Collection Techniques' analytic story focuses on the strategies and methodologies that attackers might use to gather critical information within the O365 ecosystem. 'Collection' in this context refers to the various techniques adversaries deploy to accumulate data that are essential for advancing their malicious objectives. This could include tactics such as intercepting communications, accessing sensitive documents, or extracting data from collaboration tools and email platforms. By identifying and monitoring these collection activities, organizations can more effectively spot and counteract attempts to illicitly gather information", "tags": {"category": ["Adversary Tactics", "Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1098.002", "mitre_attack_technique": "Additional Email Delegate Permissions", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "Magic Hound"]}, {"mitre_attack_id": "T1114", "mitre_attack_technique": "Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Magic Hound", "Silent Librarian"]}, {"mitre_attack_id": "T1114.002", "mitre_attack_technique": "Remote Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "Chimera", "Dragonfly", "FIN4", "HAFNIUM", "Ke3chang", "Kimsuky", "Leafminer", "Magic Hound"]}, {"mitre_attack_id": "T1114.003", "mitre_attack_technique": "Email Forwarding Rule", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Kimsuky", "LAPSUS$", "Silent Librarian"]}], "mitre_attack_tactics": ["Collection", "Persistence", "Privilege Escalation"], "datamodels": ["Change", "Web"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - O365 ApplicationImpersonation Role Assigned - Rule", "ESCU - O365 Compliance Content Search Exported - Rule", "ESCU - O365 Compliance Content Search Started - Rule", "ESCU - O365 Elevated Mailbox Permission Assigned - Rule", "ESCU - O365 Mailbox Email Forwarding Enabled - Rule", "ESCU - O365 Mailbox Folder Read Permission Assigned - Rule", "ESCU - O365 Mailbox Folder Read Permission Granted - Rule", "ESCU - O365 Multiple Mailboxes Accessed via API - Rule", "ESCU - O365 New Email Forwarding Rule Created - Rule", "ESCU - O365 New Email Forwarding Rule Enabled - Rule", "ESCU - O365 New Forwarding Mailflow Rule Created - Rule", "ESCU - O365 OAuth App Mailbox Access via EWS - Rule", "ESCU - O365 OAuth App Mailbox Access via Graph API - Rule", "ESCU - O365 PST export alert - Rule", "ESCU - O365 Suspicious Admin Email Forwarding - Rule", "ESCU - O365 Suspicious Rights Delegation - Rule", "ESCU - O365 Suspicious User Email Forwarding - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "O365 ApplicationImpersonation Role Assigned", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Email Delegate Permissions"}]}, {"name": "O365 Compliance Content Search Exported", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Email Collection"}, {"mitre_attack_technique": "Remote Email Collection"}]}, {"name": "O365 Compliance Content Search Started", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Email Collection"}, {"mitre_attack_technique": "Remote Email Collection"}]}, {"name": "O365 Elevated Mailbox Permission Assigned", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Email Delegate Permissions"}]}, {"name": "O365 Mailbox Email Forwarding Enabled", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Email Collection"}, {"mitre_attack_technique": "Email Forwarding Rule"}]}, {"name": "O365 Mailbox Folder Read Permission Assigned", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Email Delegate Permissions"}]}, {"name": "O365 Mailbox Folder Read Permission Granted", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Email Delegate Permissions"}]}, {"name": "O365 Multiple Mailboxes Accessed via API", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Email Collection"}]}, {"name": "O365 New Email Forwarding Rule Created", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Email Collection"}, {"mitre_attack_technique": "Email Forwarding Rule"}]}, {"name": "O365 New Email Forwarding Rule Enabled", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Email Collection"}, {"mitre_attack_technique": "Email Forwarding Rule"}]}, {"name": "O365 New Forwarding Mailflow Rule Created", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Email Collection"}]}, {"name": "O365 OAuth App Mailbox Access via EWS", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Email Collection"}]}, {"name": "O365 OAuth App Mailbox Access via Graph API", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Email Collection"}]}, {"name": "O365 PST export alert", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Email Collection"}]}, {"name": "O365 Suspicious Admin Email Forwarding", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Email Forwarding Rule"}, {"mitre_attack_technique": "Email Collection"}]}, {"name": "O365 Suspicious Rights Delegation", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Email Collection"}, {"mitre_attack_technique": "Email Collection"}, {"mitre_attack_technique": "Additional Email Delegate Permissions"}, {"mitre_attack_technique": "Account Manipulation"}]}, {"name": "O365 Suspicious User Email Forwarding", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Email Forwarding Rule"}, {"mitre_attack_technique": "Email Collection"}]}]}, {"name": "Office 365 Persistence Mechanisms", "author": "Mauricio Velazco, Patrick Bareiss, Splunk", "date": "2023-10-17", "version": 1, "id": "d230a106-0475-4605-a8d8-abaf4c31ced7", "description": "Monitor for activities and anomalies indicative of potential persistence techniques within Office 365 environments.", "references": ["https://attack.mitre.org/tactics/TA0003/", "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", "https://blog.sygnia.co/detection-and-hunting-of-golden-saml-attack?hsLang=en", "https://www.mandiant.com/sites/default/files/2022-08/remediation-hardening-strategies-for-m365-defend-against-apt29-white-paper.pdf", "https://www.csoonline.com/article/570381/microsoft-365-advanced-audit-what-you-need-to-know.html", "https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/overview-assign-app-owners", "https://i.blackhat.com/USA-20/Thursday/us-20-Bienstock-My-Cloud-Is-APTs-Cloud-Investigating-And-Defending-Office-365.pdf"], "narrative": "Office 365 (O365) is Microsoft's cloud-based suite of productivity tools, encompassing email, collaboration platforms, and office applications, all integrated with Azure Active Directory for identity and access management. O365's centralized storage of sensitive data and widespread adoption make it a key asset, yet also a prime target for security threats. The \"Office 365 Persistence Mechanisms\" analytic story delves into the tactics and techniques attackers employ to maintain prolonged unauthorized access within the O365 environment. Persistence in this context refers to methods used by adversaries to keep their foothold after an initial compromise. This can involve actions like modifying mailbox rules, establishing covert forwarding rules, manipulating application permissions. By monitoring signs of persistence, organizations can effectively detect and respond to stealthy threats, thereby protecting their O365 assets and data.", "tags": {"category": ["Adversary Tactics", "Account Compromise", "Cloud Security", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.008", "mitre_attack_technique": "Disable or Modify Cloud Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1098.003", "mitre_attack_technique": "Additional Cloud Roles", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1098.002", "mitre_attack_technique": "Additional Email Delegate Permissions", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "Magic Hound"]}, {"mitre_attack_id": "T1562.007", "mitre_attack_technique": "Disable or Modify Cloud Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1114", "mitre_attack_technique": "Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Magic Hound", "Silent Librarian"]}, {"mitre_attack_id": "T1114.002", "mitre_attack_technique": "Remote Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "Chimera", "Dragonfly", "FIN4", "HAFNIUM", "Ke3chang", "Kimsuky", "Leafminer", "Magic Hound"]}, {"mitre_attack_id": "T1098.005", "mitre_attack_technique": "Device Registration", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1098.001", "mitre_attack_technique": "Additional Cloud Credentials", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider", "Scattered Spider"]}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Credential Access", "Collection", "Defense Evasion", "Persistence", "Privilege Escalation"], "datamodels": ["Authentication", "Change"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - O365 Add App Role Assignment Grant User - Rule", "ESCU - O365 Added Service Principal - Rule", "ESCU - O365 Admin Consent Bypassed by Service Principal - Rule", "ESCU - O365 Advanced Audit Disabled - Rule", "ESCU - O365 Application Registration Owner Added - Rule", "ESCU - O365 ApplicationImpersonation Role Assigned - Rule", "ESCU - O365 Bypass MFA via Trusted IP - Rule", "ESCU - O365 Disable MFA - Rule", "ESCU - O365 FullAccessAsApp Permission Assigned - Rule", "ESCU - O365 High Privilege Role Granted - Rule", "ESCU - O365 Mailbox Inbox Folder Shared with All Users - Rule", "ESCU - O365 Mailbox Read Access Granted to Application - Rule", "ESCU - O365 Multiple Service Principals Created by SP - Rule", "ESCU - O365 Multiple Service Principals Created by User - Rule", "ESCU - O365 New Federated Domain Added - Rule", "ESCU - O365 New MFA Method Registered - Rule", "ESCU - O365 Privileged Graph API Permission Assigned - Rule", "ESCU - O365 Service Principal New Client Credentials - Rule", "ESCU - O365 Tenant Wide Admin Consent Granted - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Patrick Bareiss, Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "O365 Add App Role Assignment Grant User", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}, {"name": "O365 Added Service Principal", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}, {"name": "O365 Admin Consent Bypassed by Service Principal", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "O365 Advanced Audit Disabled", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Disable or Modify Cloud Logs"}]}, {"name": "O365 Application Registration Owner Added", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}]}, {"name": "O365 ApplicationImpersonation Role Assigned", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Email Delegate Permissions"}]}, {"name": "O365 Bypass MFA via Trusted IP", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Cloud Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "O365 Disable MFA", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Authentication Process"}]}, {"name": "O365 FullAccessAsApp Permission Assigned", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Additional Email Delegate Permissions"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "O365 High Privilege Role Granted", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "O365 Mailbox Inbox Folder Shared with All Users", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Email Collection"}, {"mitre_attack_technique": "Remote Email Collection"}]}, {"name": "O365 Mailbox Read Access Granted to Application", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Email Collection"}, {"mitre_attack_technique": "Email Collection"}, {"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "O365 Multiple Service Principals Created by SP", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Account"}]}, {"name": "O365 Multiple Service Principals Created by User", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Account"}]}, {"name": "O365 New Federated Domain Added", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}, {"name": "O365 New MFA Method Registered", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Device Registration"}]}, {"name": "O365 Privileged Graph API Permission Assigned", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Security Account Manager"}]}, {"name": "O365 Service Principal New Client Credentials", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Credentials"}]}, {"name": "O365 Tenant Wide Admin Consent Granted", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}]}, {"name": "Okta Account Takeover", "author": "Michael Haag, Mauricio Velazco, Bhavin Patel, Splunk", "date": "2024-03-06", "version": 1, "id": "83a48657-8153-4580-adba-eb0b3a83244e", "description": "The Okta Account Takeover analytic story encompasses a comprehensive suite of detections aimed at identifying unauthorized access and potential takeover attempts of Okta accounts. This collection leverages diverse data points and behavioral analytics to safeguard user identities and access within cloud environments. Monitor for activities and techniques associated with Account Takeover attacks against Okta tenants.", "references": ["https://attack.mitre.org/techniques/T1586/", "https://www.imperva.com/learn/application-security/account-takeover-ato/", "https://www.barracuda.com/glossary/account-takeover", "https://www.okta.com/customer-identity/"], "narrative": "Okta is a cloud-based identity management service that provides organizations with a secure way to manage user access to various applications and services. It enables single sign-on (SSO), multi-factor authentication (MFA), lifecycle management, and more, helping organizations streamline the user authentication process. Account Takeover (ATO) is an attack whereby cybercriminals gain unauthorized access to online accounts by using different techniques like brute force, social engineering, phishing & spear phishing, credential stuffing, etc. By posing as the real user, cyber-criminals can change account details, send out phishing emails, access sensitive applications, or use any stolen information to access further accounts within the organization. This analytic story groups detections that can help security operations teams identify the potential compromise of Okta accounts.", "tags": {"category": ["Adversary Tactics", "Account Compromise", "Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1098.005", "mitre_attack_technique": "Device Registration", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1539", "mitre_attack_technique": "Steal Web Session Cookie", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Evilnum", "LuminousMoth", "Sandworm Team", "Scattered Spider"]}, {"mitre_attack_id": "T1087.004", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1556.006", "mitre_attack_technique": "Multi-Factor Authentication", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["Scattered Spider"]}, {"mitre_attack_id": "T1550.004", "mitre_attack_technique": "Web Session Cookie", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1538", "mitre_attack_technique": "Cloud Service Dashboard", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Scattered Spider"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1078.001", "mitre_attack_technique": "Default Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["FIN13", "Magic Hound"]}], "mitre_attack_tactics": ["Resource Development", "Credential Access", "Initial Access", "Lateral Movement", "Defense Evasion", "Persistence", "Discovery", "Privilege Escalation"], "datamodels": ["Authentication", "Risk", "Change"], "kill_chain_phases": ["Delivery", "Weaponization", "Installation", "Exploitation"]}, "detection_names": ["ESCU - Okta Authentication Failed During MFA Challenge - Rule", "ESCU - Okta MFA Exhaustion Hunt - Rule", "ESCU - Okta Mismatch Between Source and Response for Verify Push Request - Rule", "ESCU - Okta Multi-Factor Authentication Disabled - Rule", "ESCU - Okta Multiple Accounts Locked Out - Rule", "ESCU - Okta Multiple Failed MFA Requests For User - Rule", "ESCU - Okta Multiple Failed Requests to Access Applications - Rule", "ESCU - Okta Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - Okta New API Token Created - Rule", "ESCU - Okta New Device Enrolled on Account - Rule", "ESCU - Okta Phishing Detection with FastPass Origin Check - Rule", "ESCU - Okta Risk Threshold Exceeded - Rule", "ESCU - Okta Successful Single Factor Authentication - Rule", "ESCU - Okta Suspicious Activity Reported - Rule", "ESCU - Okta Suspicious Use of a Session Cookie - Rule", "ESCU - Okta ThreatInsight Threat Detected - Rule", "ESCU - Okta Unauthorized Access to Application - Rule", "ESCU - Okta User Logins from Multiple Cities - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Mauricio Velazco, Bhavin Patel, Splunk", "author_name": "Michael Haag", "detections": [{"name": "Okta Authentication Failed During MFA Challenge", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}, {"name": "Okta MFA Exhaustion Hunt", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Brute Force"}]}, {"name": "Okta Mismatch Between Source and Response for Verify Push Request", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}, {"name": "Okta Multi-Factor Authentication Disabled", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Authentication Process"}, {"mitre_attack_technique": "Multi-Factor Authentication"}]}, {"name": "Okta Multiple Accounts Locked Out", "source": "application", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Brute Force"}]}, {"name": "Okta Multiple Failed MFA Requests For User", "source": "application", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}, {"name": "Okta Multiple Failed Requests to Access Applications", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Web Session Cookie"}, {"mitre_attack_technique": "Cloud Service Dashboard"}]}, {"name": "Okta Multiple Users Failing To Authenticate From Ip", "source": "application", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}]}, {"name": "Okta New API Token Created", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}]}, {"name": "Okta New Device Enrolled on Account", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Device Registration"}]}, {"name": "Okta Phishing Detection with FastPass Origin Check", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}, {"mitre_attack_technique": "Modify Authentication Process"}]}, {"name": "Okta Risk Threshold Exceeded", "source": "application", "type": "Correlation", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Okta Successful Single Factor Authentication", "source": "application", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}, {"name": "Okta Suspicious Activity Reported", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}]}, {"name": "Okta Suspicious Use of a Session Cookie", "source": "application", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Steal Web Session Cookie"}]}, {"name": "Okta ThreatInsight Threat Detected", "source": "application", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}]}, {"name": "Okta Unauthorized Access to Application", "source": "application", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Account"}]}, {"name": "Okta User Logins from Multiple Cities", "source": "application", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Accounts"}]}]}, {"name": "Okta MFA Exhaustion", "author": "Michael Haag, Splunk", "date": "2022-09-27", "version": 1, "id": "7c6e508d-4b4d-42c8-82de-5ff4ea3b0cb3", "description": "A social engineering technique called 'MFA Fatigue', aka 'MFA push spam' or 'MFA Exhaustion', is growing more popular with threat actors as it does not require malware or phishing infrastructure and has proven to be successful in attacks.", "references": ["https://www.bleepingcomputer.com/news/security/mfa-fatigue-hackers-new-favorite-tactic-in-high-profile-breaches/", "https://www.csoonline.com/article/3674156/multi-factor-authentication-fatigue-attacks-are-on-the-rise-how-to-defend-against-them.html"], "narrative": "An MFA Fatigue attack is when a threat actor runs a script that attempts to log in with stolen credentials over and over, causing what feels like an endless stream of MFA push requests to be sent to the account's owner's mobile device. The goal is to keep this up, day and night, to break down the target's cybersecurity posture and inflict a sense of \"fatigue\" regarding these MFA prompts.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Credential Access", "Initial Access", "Defense Evasion", "Persistence", "Privilege Escalation"], "datamodels": ["Authentication", "Risk"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation"]}, "detection_names": ["ESCU - Okta MFA Exhaustion Hunt - Rule", "ESCU - Okta Mismatch Between Source and Response for Verify Push Request - Rule", "ESCU - Okta Risk Threshold Exceeded - Rule", "ESCU - Okta Account Locked Out - Rule", "ESCU - Okta Two or More Rejected Okta Pushes - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Okta MFA Exhaustion Hunt", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Brute Force"}]}, {"name": "Okta Mismatch Between Source and Response for Verify Push Request", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}, {"name": "Okta Risk Threshold Exceeded", "source": "application", "type": "Correlation", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Okta Account Locked Out", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Brute Force"}]}, {"name": "Okta Two or More Rejected Okta Pushes", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Brute Force"}]}]}, {"name": "OpenSSL CVE-2022-3602", "author": "Michael Haag, splunk", "date": "2022-11-02", "version": 1, "id": "491e00c9-998b-4c64-91bb-d8f9c79c1f4c", "description": "OpenSSL recently disclosed two vulnerabilities CVE-2022-3602 and CVE-2022-3786. CVE-2022-3602 is a X.509 Email Address 4-byte Buffer Overflow where puny code is utilized. This only affects OpenSSL 3.0.0 - 3.0.6.", "references": ["https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/", "https://github.com/advisories/GHSA-h8jm-2x53-xhp5", "https://community.emergingthreats.net/t/out-of-band-ruleset-update-summary-2022-11-01/117", "https://github.com/corelight/CVE-2022-3602/tree/master/scripts"], "narrative": "A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the . character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service). In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. Users of OpenSSL 3.0.0 - 3.0.6 are encouraged to upgrade to 3.0.7 as soon as possible. If you obtain your copy of OpenSSL from your Operating System vendor or other third party then you should seek to obtain an updated version from them as soon as possible. SSL Certificates with Punycode will identify SSL certificates with Punycode. Note that it does not mean it will capture malicious payloads. If using Zeek, modify the Zeek x509 certificate with punycode to match your environment. We found during this exercise that the FULL x509 with SAN must be captured and stored, decoded, in order to query against it.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1573", "mitre_attack_technique": "Encrypted Channel", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT29", "BITTER", "Magic Hound", "Tropic Trooper"]}], "mitre_attack_tactics": ["Command And Control"], "datamodels": [], "kill_chain_phases": ["Command and Control"]}, "detection_names": ["ESCU - SSL Certificates with Punycode - Rule", "ESCU - Zeek x509 Certificate with Punycode - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "splunk", "author_name": "Michael Haag", "detections": [{"name": "SSL Certificates with Punycode", "source": "network", "type": "Hunting", "tags": [{"mitre_attack_technique": "Encrypted Channel"}]}, {"name": "Zeek x509 Certificate with Punycode", "source": "network", "type": "Hunting", "tags": [{"mitre_attack_technique": "Encrypted Channel"}]}]}, {"name": "Orangeworm Attack Group", "author": "David Dorsey, Splunk", "date": "2020-01-22", "version": 2, "id": "bb9f5ed2-916e-4364-bb6d-97c370efcf52", "description": "Detect activities and various techniques associated with the Orangeworm Attack Group, a group that frequently targets the healthcare industry.", "references": ["https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia", "https://www.infosecurity-magazine.com/news/healthcare-targeted-by-hacker/"], "narrative": "In May of 2018, the attack group Orangeworm was implicated for installing a custom backdoor called Trojan.Kwampirs within large international healthcare corporations in the United States, Europe, and Asia. This malware provides the attackers with remote access to the target system, decrypting and extracting a copy of its main DLL payload from its resource section. Before writing the payload to disk, it inserts a randomly generated string into the middle of the decrypted payload in an attempt to evade hash-based detections.\nAwareness of the Orangeworm group first surfaced in January, 2015. It has conducted targeted attacks against related industries, as well, such as pharmaceuticals and healthcare IT solution providers.\nHealthcare may be a promising target, because it is notoriously behind in technology, often using older operating systems and neglecting to patch computers. Even so, the group was able to evade detection for a full three years. Sources say that the malware spread quickly within the target networks, infecting computers used to control medical devices, such as MRI and X-ray machines.\nThis Analytic Story is designed to help you detect and investigate suspicious activities that may be indicative of an Orangeworm attack. One detection search looks for command-line arguments. Another monitors for uses of sc.exe, a non-essential Windows file that can manipulate Windows services. One of the investigative searches helps you get more information on web hosts that you suspect have been compromised.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}], "mitre_attack_tactics": ["Execution"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation"]}, "detection_names": ["ESCU - First time seen command line argument - Rule", "ESCU - First Time Seen Running Windows Service - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule"], "investigation_names": ["Get History Of Email Sources", "Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "First time seen command line argument", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Windows Command Shell"}]}, {"name": "First Time Seen Running Windows Service", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}]}, {"name": "Outlook RCE CVE-2024-21378", "author": "Michael Haag, Teoderick Contreras, Splunk", "date": "2024-03-20", "version": 1, "id": "d889fcf2-0265-4b44-b29f-4ec063c21880", "description": "CVE-2024-21378 exposes a critical vulnerability in Microsoft Outlook, allowing for authenticated remote code execution (RCE) through the manipulation of synced form objects. Discovered by NetSPI in 2023, this vulnerability capitalizes on the unchanged syncing capability of form objects, despite previous patches aimed at securing script code in custom forms. This technical blog delves into the discovery and weaponization of CVE-2024-21378, enhancing the Outlook penetration testing tool, Ruler, to exploit this flaw. A forthcoming pull request will provide a proof-of-concept code, aiding organizations in mitigating this security risk.", "references": ["https://www.netspi.com/blog/technical/red-team-operations/microsoft-outlook-remote-code-execution-cve-2024-21378/"], "narrative": "CVE-2024-21378 is a weakness in Microsoft Outlook that lets hackers execute code remotely if they can authenticate themselves. Researchers at NetSPI found this issue in 2023. The problem started with a technique from 2017 by Etienne Stalmans at SensePost, who found a way to run code using VBScript in Outlook forms. Microsoft tried to fix it by only allowing approved script code in custom forms, but they didn't fix the main issue, which is how these forms sync. To exploit this vulnerability, you need to know how Outlook forms sync, using something called MAPI, and how they use certain properties and attachments when they're set up for the first time. Hackers can mess with these properties and attachments to run their own code. They do this by tricking the form's setup process, changing registry keys and files to get past Outlook's security. To show how this could be done, researchers modified Ruler, a tool for testing Outlook's security. They changed it so it could sync a harmful form with the right properties to run a specific type of file, a COM compliant native DLL. This not only showed that CVE-2024-21378 could be exploited but also that it could affect a lot of companies since so many use Microsoft Outlook. The discovery and the way it was exploited remind us that we always need to be on the lookout for security risks and work hard to protect against them. The cybersecurity world is always watching for the next big threat that could put our digital world at risk. As companies rush to fix this issue, it's a reminder of how important it is to stay ahead of these threats.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}], "mitre_attack_tactics": ["Defense Evasion", "Initial Access"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Exploitation"]}, "detection_names": ["ESCU - Windows InProcServer32 New Outlook Form - Rule", "ESCU - Windows New InProcServer32 Added - Rule", "ESCU - Windows Phishing Outlook Drop Dll In FORM Dir - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Teoderick Contreras, Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows InProcServer32 New Outlook Form", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows New InProcServer32 Added", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Phishing Outlook Drop Dll In FORM Dir", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}]}]}, {"name": "PaperCut MF NG Vulnerability", "author": "Michael Haag, Splunk", "date": "2023-05-15", "version": 1, "id": "2493d270-5665-4fb4-99c7-8f886f260676", "description": "The FBI has issued a joint advisory concerning the exploitation of a PaperCut MF/NG vulnerability (CVE-2023-27350) by malicious actors, which began in mid-April 2023 and has been ongoing. In early May 2023, a group identifying themselves as the Bl00dy Ransomware Gang targeted vulnerable PaperCut servers within the Education Facilities Subsector. The advisory provides information on detecting exploitation attempts and shares known indicators of compromise (IOCs) associated with the group's activities.", "references": ["https://www.cisa.gov/news-events/alerts/2023/05/11/cisa-and-fbi-release-joint-advisory-response-active-exploitation-papercut-vulnerability", "https://www.papercut.com/kb/Main/PO-1216-and-PO-1219", "https://www.horizon3.ai/papercut-cve-2023-27350-deep-dive-and-indicators-of-compromise/", "https://www.bleepingcomputer.com/news/security/hackers-actively-exploit-critical-rce-bug-in-papercut-servers/", "https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software"], "narrative": "PaperCut MF/NG versions 19 and older have reached their end-of-life, as documented on the End of Life Policy page. Customers using these older versions are advised to purchase an updated license online for PaperCut NG or through their PaperCut Partner for PaperCut MF. For users with a currently supported version (version 20 or later), they can upgrade to any maintenance release version they are licensed for. If upgrading to a security patch is not possible, there are alternative options to enhance security. Users can lock down network access to their server(s) by blocking all inbound traffic from external IPs to the web management port (port 9191 and 9192 by default) and blocking all inbound traffic to the web management portal on the firewall to the server. Additionally, users can apply \"Allow list\" restrictions under Options > Advanced > Security > Allowed site server IP addresses, setting this to only allow the IP addresses of verified Site Servers on their network.\nThe vulnerabilities CVE-2023-27350 and CVE-2023-27351 have CVSS scores of 9.8 (Critical) and 8.2 (High), respectively. PaperCut and its partner network have activated response teams to assist PaperCut MF and NG customers, with service desks available 24/7 via their support page. The security response team at PaperCut has been working with external security advisors to compile a list of unpatched PaperCut MF/NG servers that have ports open on the public internet. They have been proactively reaching out to potentially exposed customers since Wednesday afternoon (AEST) and are working around the clock through the weekend.\nThe exploit was first detected in the wild on April 18th, 2023, at 03:30 AEST / April 17th, 2023, at 17:30 UTC. The earliest signature of suspicious activity on a customer server potentially linked to this vulnerability dates back to April 14th, 2023, at 01:29 AEST / April 13th, 2023, at 15:29 UTC.\nApplying the security fixes should not have any negative impact. Users can follow their usual upgrade procedure to obtain the upgrade. Additional links on the -Check for updates- page (accessed through the Admin interface > About > Version info > Check for updates) allow customers to download fixes for previous major versions that are still supported (e.g., 20.1.7 and 21.2.11) as well as the current version available. PaperCut MF users are advised to follow their regular upgrade process and consult their PaperCut partner or reseller for assistance.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}], "mitre_attack_tactics": ["Persistence", "Execution", "Initial Access"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Installation"]}, "detection_names": ["ESCU - PaperCut NG Suspicious Behavior Debug Log - Rule", "ESCU - Windows PaperCut NG Spawn Shell - Rule", "ESCU - PaperCut NG Remote Web Access Attempt - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "PaperCut NG Suspicious Behavior Debug Log", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Windows PaperCut NG Spawn Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "PaperCut NG Remote Web Access Attempt", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}]}, {"name": "PetitPotam NTLM Relay on Active Directory Certificate Services", "author": "Michael Haag, Mauricio Velazco, Splunk", "date": "2021-08-31", "version": 1, "id": "97aecafc-0a68-11ec-962f-acde48001122", "description": "PetitPotam (CVE-2021-36942,) is a vulnerablity identified in Microsofts EFSRPC Protocol that can allow an unauthenticated account to escalate privileges to domain administrator given the right circumstances.", "references": ["https://us-cert.cisa.gov/ncas/current-activity/2021/07/27/microsoft-releases-guidance-mitigating-petitpotam-ntlm-relay", "https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429", "https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf", "https://github.com/topotam/PetitPotam/", "https://github.com/gentilkiwi/mimikatz/releases/tag/2.2.0-20210723", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942", "https://attack.mitre.org/techniques/T1187/"], "narrative": "In June 2021, security researchers at SpecterOps released a blog post and white paper detailing several potential attack vectors against Active Directory Certificated Services (ADCS). ADCS is a Microsoft product that implements Public Key Infrastrucutre (PKI) functionality and can be used by organizations to provide and manage digital certiticates within Active Directory.\\ In July 2021, a security researcher released PetitPotam, a tool that allows attackers to coerce Windows systems into authenticating to arbitrary endpoints.\\ Combining PetitPotam with the identified ADCS attack vectors allows attackers to escalate privileges from an unauthenticated anonymous user to full domain admin privileges.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1187", "mitre_attack_technique": "Forced Authentication", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["DarkHydrus", "Dragonfly"]}], "mitre_attack_tactics": ["Credential Access"], "datamodels": [], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - PetitPotam Network Share Access Request - Rule", "ESCU - PetitPotam Suspicious Kerberos TGT Request - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Mauricio Velazco, Splunk", "author_name": "Michael Haag", "detections": [{"name": "PetitPotam Network Share Access Request", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Forced Authentication"}]}, {"name": "PetitPotam Suspicious Kerberos TGT Request", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "OS Credential Dumping"}]}]}, {"name": "Phemedrone Stealer", "author": "Teoderick Contreras, Splunk", "date": "2024-01-24", "version": 2, "id": "386f64dd-657b-4dcf-8eb3-5e297d30924c", "description": "Phemedrone Stealer is a potent data-stealing malware designed to infiltrate systems discreetly, primarily targeting sensitive user information. Operating with a stealthy modus operandi, it covertly collects and exfiltrates critical data such as login credentials, personal details, and financial information. Notably evasive, Phemedrone employs sophisticated techniques to bypass security measures and remain undetected. Its capabilities extend to exploiting vulnerabilities, leveraging command and control infrastructure, and facilitating remote access. As a formidable threat, Phemedrone Stealer poses a significant risk to user privacy and system integrity, demanding vigilant cybersecurity measures to counteract its malicious activities.", "references": ["https://www.trendmicro.com/en_vn/research/23/b/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows.html"], "narrative": "Phemedrone Stealer, spotlighted in a recent Trend Micro blog, unveils a concerning chapter in cyber threats. Leveraging the CVE-2023-36025 vulnerability for defense evasion, this malware exhibits a relentless pursuit of sensitive data. Originating from the shadows of the dark web, it capitalizes on forums where cybercriminals refine its evasive maneuvers. The blog sheds light on Phemedrone's exploitation of intricate tactics, illustrating its agility in sidestepping security protocols. As cybersecurity experts delve into the intricacies of CVE-2023-36025, the narrative surrounding Phemedrone Stealer underscores the urgency for heightened vigilance and proactive defense measures against this persistent and evolving digital adversary.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "Malteiro", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "APT41", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "Volt Typhoon", "ZIRCONIUM"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "APT41", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Malteiro", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1059.005", "mitre_attack_technique": "Visual Basic", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT33", "APT37", "APT38", "APT39", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Earth Lusca", "FIN13", "FIN4", "FIN7", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "Transparent Tribe", "Turla", "WIRTE", "Windshift"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Persistence", "Execution", "Discovery", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Command and Control", "Installation", "Exploitation"]}, "detection_names": ["ESCU - Any Powershell DownloadFile - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - Download Files Using Telegram - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Suspicious Process DNS Query Known Abuse Web Services - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Credentials from Password Stores Chrome Extension Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule", "ESCU - Windows Gather Victim Network Info Through Ip Check Web Services - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Download Files Using Telegram", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Schtasks scheduling job on remote system", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Suspicious Process DNS Query Known Abuse Web Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Visual Basic"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Windows Credentials from Password Stores Chrome Extension Access", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Credentials from Password Stores Chrome LocalState Access", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Credentials from Password Stores Chrome Login Data Access", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Gather Victim Network Info Through Ip Check Web Services", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "IP Addresses"}, {"mitre_attack_technique": "Gather Victim Network Information"}]}]}, {"name": "PlugX", "author": "Teoderick Contreras, Splunk", "date": "2023-10-12", "version": 2, "id": "a2c94c99-b93b-4bc7-a749-e2198743d0d6", "description": "PlugX, also referred to as \"PlugX RAT\" or \"Kaba,\" is a highly sophisticated remote access Trojan (RAT) discovered in 2012. This malware is notorious for its involvement in targeted cyberattacks, primarily driven by cyber espionage objectives. PlugX provides attackers with comprehensive remote control capabilities over compromised systems, granting them the ability to execute commands, collect sensitive data, and manipulate the infected host.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.plugx", "https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/carderbee-software-supply-chain-certificate-abuse", "https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf", "https://www.mandiant.com/resources/blog/infected-usb-steal-secrets", "https://attack.mitre.org/software/S0013/"], "narrative": "PlugX, known as the \"silent infiltrator of the digital realm, is a shadowy figure in the world of cyber threats. This remote access Trojan (RAT), first unveiled in 2012, is not your run-of-the-mill malware. It's the go-to tool for sophisticated hackers with one goal in mind, espionage. PlugX's repertoire of capabilities reads like a spy thriller. It doesn't just breach your defenses; it goes a step further, slipping quietly into your systems, much like a ghost. Once inside, it opens the door to a world of possibilities for cybercriminals. With a few keystrokes, they can access your data, capture your screen, and silently watch your every move. In the hands of skilled hackers, it's a versatile instrument for cyber espionage. This malware thrives on persistence. It's not a one-time hit; it's in it for the long haul. Even if you reboot your system, PlugX remains, ensuring that its grip on your infrastructure doesn't waver.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "APT5", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "APT5", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1134.002", "mitre_attack_technique": "Create Process with Token", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Lazarus Group", "Turla"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT", "ToddyCat"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1091", "mitre_attack_technique": "Replication Through Removable Media", "mitre_attack_tactics": ["Initial Access", "Lateral Movement"], "mitre_attack_groups": ["APT28", "Aoqin Dragon", "Darkhotel", "FIN7", "LuminousMoth", "Mustang Panda", "Tropic Trooper"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1574.011", "mitre_attack_technique": "Services Registry Permissions Weakness", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Initial Access", "Lateral Movement", "Persistence", "Execution", "Privilege Escalation", "Discovery", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation"]}, "detection_names": ["ESCU - Allow Inbound Traffic By Firewall Rule Registry - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Firewall Allowed Program Enable - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Office Application Drop Executable - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Document Spawned Child Process To Download - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious writes to windows Recycle Bin - Rule", "ESCU - Windows Access Token Manipulation SeDebugPrivilege - Rule", "ESCU - Windows Masquerading Msdtc Process - Rule", "ESCU - Windows Replication Through Removable Media - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule", "ESCU - Windows Service Deletion In Registry - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Allow Inbound Traffic By Firewall Rule Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Firewall Allowed Program Enable", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "Office Application Drop Executable", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Document Spawned Child Process To Download", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Suspicious writes to windows Recycle Bin", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Windows Access Token Manipulation SeDebugPrivilege", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Create Process with Token"}, {"mitre_attack_technique": "Access Token Manipulation"}]}, {"name": "Windows Masquerading Msdtc Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Windows Replication Through Removable Media", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Replication Through Removable Media"}]}, {"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Services Registry Permissions Weakness"}]}, {"name": "Windows Service Deletion In Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Service Stop"}]}]}, {"name": "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "author": "iDefense Cyber Espionage Team, iDefense", "date": "2020-01-22", "version": 1, "id": "988c59c5-0a1c-45b6-a555-0c62276e327e", "description": "Monitor your environment for suspicious behaviors that resemble the techniques employed by the MUDCARP threat group.", "references": ["https://www.infosecurity-magazine.com/news/scope-of-mudcarp-attacks-highlight-1/", "http://blog.amossys.fr/badflick-is-not-so-bad.html"], "narrative": "This story was created as a joint effort between iDefense and Splunk.\niDefense analysts have recently discovered a Windows executable file that, upon execution, spoofs a decryption tool and then drops a file that appears to be the custom-built javascript backdoor, \"Orz,\" which is associated with the threat actors known as MUDCARP (as well as \"temp.Periscope\" and \"Leviathan\"). The file is executed using Wscript.\nThe MUDCARP techniques include the use of the compressed-folders module from Microsoft, zipfldr.dll, with RouteTheCall export to run the malicious process or command. After a successful reboot, the malware is made persistent by a manipulating `[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]'help'='c:\\\\windows\\\\system32\\\\rundll32.exe c:\\\\windows\\\\system32\\\\zipfldr.dll,RouteTheCall c:\\\\programdata\\\\winapp.exe'`. Though this technique is not exclusive to MUDCARP, it has been spotted in the group's arsenal of advanced techniques seen in the wild.\nThis Analytic Story searches for evidence of tactics, techniques, and procedures (TTPs) that allow for the use of a endpoint detection-and-response (EDR) bypass technique to mask the true parent of a malicious process. It can also be set as a registry key for further sandbox evasion and to allow the malware to launch only after reboot.\nIf behavioral searches included in this story yield positive hits, iDefense recommends conducting IOC searches for the following:\n1. www.chemscalere[.]com\n1. chemscalere[.]com\n1. about.chemscalere[.]com\n1. autoconfig.chemscalere[.]com\n1. autodiscover.chemscalere[.]com\n1. catalog.chemscalere[.]com\n1. cpanel.chemscalere[.]com\n1. db.chemscalere[.]com\n1. ftp.chemscalere[.]com\n1. mail.chemscalere[.]com\n1. news.chemscalere[.]com\n1. update.chemscalere[.]com\n1. webmail.chemscalere[.]com\n1. www.candlelightparty[.]org\n1. candlelightparty[.]org\n1. newapp.freshasianews[.]com\nIn addition, iDefense also recommends that organizations review their environments for activity related to the following hashes:\n1. cd195ee448a3657b5c2c2d13e9c7a2e2\n1. b43ad826fe6928245d3c02b648296b43\n1. 889a9b52566448231f112a5ce9b5dfaf\n1. b8ec65dab97cdef3cd256cc4753f0c54\n1. 04d83cd3813698de28cfbba326d7647c", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Persistence", "Execution", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - First time seen command line argument - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Unusually Long Command Line - Rule", "ESCU - Unusually Long Command Line - MLTK - Rule"], "investigation_names": ["Get History Of Email Sources", "Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "iDefense", "author_name": "iDefense Cyber Espionage Team", "detections": [{"name": "First time seen command line argument", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Windows Command Shell"}]}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Unusually Long Command Line", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Unusually Long Command Line - MLTK", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Prestige Ransomware", "author": "Teoderick Contreras, Splunk", "date": "2022-11-30", "version": 1, "id": "8b8d8506-b931-450c-b794-f24184ca1deb", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Prestige Ransomware", "references": ["https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "narrative": "This story addresses Prestige ransomware. This ransomware payload seen by Microsoft Threat Intelligence Center(MSTIC) as a ransomware campaign targeting organization in the transportation and logistic industries in some countries. This ransomware campaign highlight the destructive attack to its target organization that directly supplies or transporting military and humanitarian services or assistance. MSTIC observed this ransomware has similarities in terms of its deployment techniques with CaddyWiper and HermeticWiper which is also known malware campaign impacted multiple targeted critical infrastructure organizations. This analytic story will provide techniques and analytics that may help SOC or security researchers to monitor this threat.", "tags": {"category": ["Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1016.001", "mitre_attack_technique": "Internet Connection Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT29", "FIN13", "FIN8", "Gamaredon Group", "HAFNIUM", "HEXANE", "Magic Hound", "TA2541", "Turla"]}, {"mitre_attack_id": "T1115", "mitre_attack_technique": "Clipboard Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT38", "APT39"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1552.002", "mitre_attack_technique": "Credentials in Registry", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT32"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "FIN7", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "ToddyCat", "Turla", "Volt Typhoon"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1003.003", "mitre_attack_technique": "NTDS", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "HAFNIUM", "Ke3chang", "LAPSUS$", "Mustang Panda", "Sandworm Team", "Scattered Spider", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.005", "mitre_attack_technique": "Security Support Provider", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "APT5", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "Malteiro", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1070.005", "mitre_attack_technique": "Network Share Connection Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Threat Group-3390"]}, {"mitre_attack_id": "T1003.005", "mitre_attack_technique": "Cached Domain Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "Leafminer", "MuddyWater", "OilRig"]}, {"mitre_attack_id": "T1202", "mitre_attack_technique": "Indirect Command Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1555.005", "mitre_attack_technique": "Password Managers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Fox Kitten", "LAPSUS$", "Threat Group-3390"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "APT41", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "Volt Typhoon", "ZIRCONIUM"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1531", "mitre_attack_technique": "Account Access Removal", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Akira", "LAPSUS$"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1082", "mitre_attack_technique": "System Information Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT19", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "Blue Mockingbird", "Chimera", "Confucius", "Darkhotel", "FIN13", "FIN8", "Gamaredon Group", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Malteiro", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Sowbug", "Stealth Falcon", "TA2541", "TeamTNT", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Windigo", "Windshift", "Wizard Spider", "ZIRCONIUM", "admin@338"]}, {"mitre_attack_id": "T1552.004", "mitre_attack_technique": "Private Keys", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Rocke", "Scattered Spider", "TeamTNT"]}], "mitre_attack_tactics": ["Discovery", "Credential Access", "Lateral Movement", "Reconnaissance", "Collection", "Persistence", "Privilege Escalation", "Impact", "Execution", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation", "Actions on Objectives", "Reconnaissance"]}, "detection_names": ["ESCU - Change Default File Association - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Create or delete windows shares using net exe - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Domain Group Discovery With Net - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Excessive Usage Of Cacls App - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Connection Discovery With Net - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Network Discovery Using Route Windows App - Rule", "ESCU - Ntdsutil Export NTDS - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - WBAdmin Delete System Backups - Rule", "ESCU - Windows Cached Domain Credentials Reg Query - Rule", "ESCU - Windows Change Default File Association For No File Ext - Rule", "ESCU - Windows ClipBoard Data via Get-ClipBoard - Rule", "ESCU - Windows Credentials from Password Stores Query - Rule", "ESCU - Windows Credentials in Registry Reg Query - Rule", "ESCU - Windows Indirect Command Execution Via Series Of Forfiles - Rule", "ESCU - Windows Information Discovery Fsutil - Rule", "ESCU - Windows Modify Registry Reg Restore - Rule", "ESCU - Windows Password Managers Discovery - Rule", "ESCU - Windows Private Keys Discovery - Rule", "ESCU - Windows Query Registry Reg Save - Rule", "ESCU - Windows Security Support Provider Reg Query - Rule", "ESCU - Windows Service Stop Via Net and SC Application - Rule", "ESCU - Windows Steal or Forge Kerberos Tickets Klist - Rule", "ESCU - Windows System Network Config Discovery Display DNS - Rule", "ESCU - Windows System Network Connections Discovery Netsh - Rule", "ESCU - Windows System User Discovery Via Quser - Rule", "ESCU - Windows WMI Process And Service List - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Change Default File Association", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Change Default File Association"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Create or delete windows shares using net exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Network Share Connection Removal"}]}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Domain Group Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Excessive Usage Of Cacls App", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Account Access Removal"}]}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}, {"name": "Network Connection Discovery With Arp", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "Network Connection Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "Network Discovery Using Route Windows App", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Internet Connection Discovery"}]}, {"name": "Ntdsutil Export NTDS", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Gather Victim Host Information"}]}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Schtasks scheduling job on remote system", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "WBAdmin Delete System Backups", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Windows Cached Domain Credentials Reg Query", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cached Domain Credentials"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Windows Change Default File Association For No File Ext", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Change Default File Association"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Windows ClipBoard Data via Get-ClipBoard", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Clipboard Data"}]}, {"name": "Windows Credentials from Password Stores Query", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}]}, {"name": "Windows Credentials in Registry Reg Query", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials in Registry"}, {"mitre_attack_technique": "Unsecured Credentials"}]}, {"name": "Windows Indirect Command Execution Via Series Of Forfiles", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Indirect Command Execution"}]}, {"name": "Windows Information Discovery Fsutil", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Information Discovery"}]}, {"name": "Windows Modify Registry Reg Restore", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Password Managers Discovery", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Managers"}]}, {"name": "Windows Private Keys Discovery", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Private Keys"}, {"mitre_attack_technique": "Unsecured Credentials"}]}, {"name": "Windows Query Registry Reg Save", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Security Support Provider Reg Query", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Security Support Provider"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Windows Service Stop Via Net and SC Application", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Service Stop"}]}, {"name": "Windows Steal or Forge Kerberos Tickets Klist", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}, {"name": "Windows System Network Config Discovery Display DNS", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Network Configuration Discovery"}]}, {"name": "Windows System Network Connections Discovery Netsh", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "Windows System User Discovery Via Quser", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Owner/User Discovery"}]}, {"name": "Windows WMI Process And Service List", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Scheduled Task"}]}]}, {"name": "PrintNightmare CVE-2021-34527", "author": "Splunk Threat Research Team", "date": "2021-07-01", "version": 1, "id": "fd79470a-da88-11eb-b803-acde48001122", "description": "The following analytic story identifies behaviors related PrintNightmare, or CVE-2021-34527 previously known as (CVE-2021-1675), to gain privilege escalation on the vulnerable machine.", "references": ["https://github.com/cube0x0/CVE-2021-1675/", "https://blog.truesec.com/2021/06/30/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available/", "https://blog.truesec.com/2021/06/30/exploitable-critical-rce-vulnerability-allows-regular-users-to-fully-compromise-active-directory-printnightmare-cve-2021-1675/", "https://www.reddit.com/r/msp/comments/ob6y02/critical_vulnerability_printnightmare_exposes"], "narrative": "This vulnerability affects the Print Spooler service, enabled by default on Windows systems, and allows adversaries to trick this service into installing a remotely hosted print driver using a low privileged user account. Successful exploitation effectively allows adversaries to execute code in the target system (Remote Code Execution) in the context of the Print Spooler service which runs with the highest privileges (Privilege Escalation).\nThe prerequisites for successful exploitation consist of:\n1. Print Spooler service enabled on the target system\n1. Network connectivity to the target system (initial access has been obtained)\n1. Hash or password for a low privileged user ( or computer ) account.\nIn the most impactful scenario, an attacker would be able to leverage this vulnerability to obtain a SYSTEM shell on a domain controller and so escalate their privileges from a low privileged domain account to full domain access in the target environment as shown below.", "tags": {"category": ["Vulnerability"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}, {"mitre_attack_id": "T1547.012", "mitre_attack_technique": "Print Processors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Privilege Escalation", "Persistence", "Defense Evasion"], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - Print Spooler Adding A Printer Driver - Rule", "ESCU - Print Spooler Failed to Load a Plug-in - Rule", "ESCU - Rundll32 with no Command Line Arguments with Network - Rule", "ESCU - Spoolsv Spawning Rundll32 - Rule", "ESCU - Spoolsv Suspicious Loaded Modules - Rule", "ESCU - Spoolsv Suspicious Process Access - Rule", "ESCU - Spoolsv Writing a DLL - Rule", "ESCU - Spoolsv Writing a DLL - Sysmon - Rule", "ESCU - Suspicious Rundll32 no Command Line Arguments - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "no", "author_name": "Splunk Threat Research Team", "detections": [{"name": "Print Spooler Adding A Printer Driver", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Print Spooler Failed to Load a Plug-in", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Rundll32 with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Spoolsv Spawning Rundll32", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Spoolsv Suspicious Loaded Modules", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Spoolsv Suspicious Process Access", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}, {"name": "Spoolsv Writing a DLL", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Spoolsv Writing a DLL - Sysmon", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Suspicious Rundll32 no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}]}, {"name": "Prohibited Traffic Allowed or Protocol Mismatch", "author": "Rico Valdez, Splunk", "date": "2017-09-11", "version": 1, "id": "6d13121c-90f3-446d-8ac3-27efbbc65218", "description": "Detect instances of prohibited network traffic allowed in the environment, as well as protocols running on non-standard ports. Both of these types of behaviors typically violate policy and can be leveraged by attackers.", "references": ["http://www.novetta.com/2015/02/advanced-methods-to-detect-advanced-cyber-attacks-protocol-abuse/"], "narrative": "A traditional security best practice is to control the ports, protocols, and services allowed within your environment. By limiting the services and protocols to those explicitly approved by policy, administrators can minimize the attack surface. The combined effect allows both network defenders and security controls to focus and not be mired in superfluous traffic or data types. Looking for deviations to policy can identify attacker activity that abuses services and protocols to run on alternate or non-standard ports in the attempt to avoid detection or frustrate forensic analysts.", "tags": {"category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "APT5", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "Mustard Tempest", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}], "mitre_attack_tactics": ["Exfiltration", "Initial Access", "Lateral Movement"], "datamodels": ["Network_Resolution", "Endpoint", "Network_Traffic"], "kill_chain_phases": ["Delivery", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Allow Inbound Traffic By Firewall Rule Registry - Rule", "ESCU - Allow Inbound Traffic In Firewall Rule - Rule", "ESCU - Enable RDP In Other Port Number - Rule", "ESCU - Detect hosts connecting to dynamic domain providers - Rule", "ESCU - Prohibited Network Traffic Allowed - Rule", "ESCU - Protocol or Port Mismatch - Rule", "ESCU - TOR Traffic - Rule"], "investigation_names": ["Get DNS Server History for a host", "Get Notable History", "Get Parent Process Info", "Get Process Info", "Get Process Information For Port Activity"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Allow Inbound Traffic By Firewall Rule Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "Allow Inbound Traffic In Firewall Rule", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "Enable RDP In Other Port Number", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}]}, {"name": "Detect hosts connecting to dynamic domain providers", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Drive-by Compromise"}]}, {"name": "Prohibited Network Traffic Allowed", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}, {"name": "Protocol or Port Mismatch", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}, {"name": "TOR Traffic", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Multi-hop Proxy"}]}]}, {"name": "ProxyNotShell", "author": "Michael Haag, Splunk", "date": "2022-09-30", "version": 1, "id": "4e3f17e7-9ed7-425d-a05e-b65464945836", "description": "Two new zero day Microsoft Exchange vulnerabilities have been identified actively exploited in the wild - CVE-2022-41040 and CVE-2022-41082.", "references": ["https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/", "https://twitter.com/GossiTheDog/status/1575762721353916417?s=20&t=67gq9xCWuyPm1VEm8ydfyA", "https://twitter.com/cglyer/status/1575793769814728705?s=20&t=67gq9xCWuyPm1VEm8ydfyA", "https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html", "https://research.splunk.com/stories/proxyshell/", "https://www.inversecos.com/2022/07/hunting-for-apt-abuse-of-exchange.html"], "narrative": "Microsoft is investigating two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, 2016, and 2019. The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker. Originally identified by GTSC monitoring Exchange, some adversary post-exploitation activity was identified and is tagged to this story.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "APT5", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}], "mitre_attack_tactics": ["Persistence", "Execution", "Command And Control", "Initial Access"], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": ["Delivery", "Command and Control", "Installation"]}, "detection_names": ["ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Detect Exchange Web Shell - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Exchange PowerShell Abuse via SSRF - Rule", "ESCU - Exchange PowerShell Module Usage - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows MSExchange Management Mailbox Cmdlet Usage - Rule", "ESCU - ProxyShell ProxyNotShell Behavior Detected - Rule", "ESCU - Windows Exchange Autodiscover SSRF Abuse - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Detect Exchange Web Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}, {"name": "Exchange PowerShell Abuse via SSRF", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Exchange PowerShell Module Usage", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}, {"name": "Windows MSExchange Management Mailbox Cmdlet Usage", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "ProxyShell ProxyNotShell Behavior Detected", "source": "web", "type": "Correlation", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Windows Exchange Autodiscover SSRF Abuse", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}]}, {"name": "ProxyShell", "author": "Michael Haag, Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2021-08-24", "version": 1, "id": "413bb68e-04e2-11ec-a835-acde48001122", "description": "ProxyShell is a chain of exploits targeting on-premise Microsoft Exchange Server - CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.", "references": ["https://y4y.space/2021/08/12/my-steps-of-reproducing-proxyshell/", "https://www.zerodayinitiative.com/blog/2021/8/17/from-pwn2own-2021-a-new-attack-surface-on-microsoft-exchange-proxyshell", "https://www.youtube.com/watch?v=FC6iHw258RI", "https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit#what-should-you-do", "https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-ProxyLogon-Is-Just-The-Tip-Of-The-Iceberg-A-New-Attack-Surface-On-Microsoft-Exchange-Server.pdf", "https://www.inversecos.com/2022/07/hunting-for-apt-abuse-of-exchange.html"], "narrative": "During Pwn2Own April 2021, a security researcher demonstrated an attack chain targeting on-premise Microsoft Exchange Server. August 5th, the same researcher publicly released further details and demonstrated the attack chain. CVE-2021-34473 Pre-auth path confusion leads to ACL Bypass (Patched in April by KB5001779) CVE-2021-34523 - Elevation of privilege on Exchange PowerShell backend (Patched in April by KB5001779) . CVE-2021-31207 - Post-auth Arbitrary-File-Write leads to RCE (Patched in May by KB5003435) Upon successful exploitation, the remote attacker will have SYSTEM privileges on the Exchange Server. In addition to remote access/execution, the adversary may be able to run Exchange PowerShell Cmdlets to perform further actions.", "tags": {"category": ["Adversary Tactics", "Ransomware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "APT5", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}], "mitre_attack_tactics": ["Persistence", "Execution", "Initial Access"], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": ["Delivery", "Installation"]}, "detection_names": ["ESCU - Detect Exchange Web Shell - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Exchange PowerShell Abuse via SSRF - Rule", "ESCU - Exchange PowerShell Module Usage - Rule", "ESCU - MS Exchange Mailbox Replication service writing Active Server Pages - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows MSExchange Management Mailbox Cmdlet Usage - Rule", "ESCU - ProxyShell ProxyNotShell Behavior Detected - Rule", "ESCU - Windows Exchange Autodiscover SSRF Abuse - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Teoderick Contreras, Mauricio Velazco, Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Exchange Web Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}, {"name": "Exchange PowerShell Abuse via SSRF", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Exchange PowerShell Module Usage", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "MS Exchange Mailbox Replication service writing Active Server Pages", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}, {"name": "Windows MSExchange Management Mailbox Cmdlet Usage", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "ProxyShell ProxyNotShell Behavior Detected", "source": "web", "type": "Correlation", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Windows Exchange Autodiscover SSRF Abuse", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}]}, {"name": "Qakbot", "author": "Teoderick Contreras, Splunk", "date": "2022-11-14", "version": 2, "id": "0c6169b1-f126-4d86-8e4f-f7891007ebc6", "description": "QakBot is a modular banking trojan that has been used primarily by financially-motivated actors since at least 2007. QakBot is continuously maintained and developed and has evolved from an information stealer into a delivery agent for ransomware (ref. MITRE ATT&CK).", "references": ["https://www.cisa.gov/sites/default/files/publications/202010221030_QakBot%20TLPWHITE.pdf", "https://malpedia.caad.fkie.fraunhofer.de/details/win.QakBot", "https://securelist.com/QakBot-technical-analysis/103931/", "https://www.fortinet.com/blog/threat-research/new-variant-of-QakBot-spread-by-phishing-emails", "https://attack.mitre.org/software/S0650/", "https://cybersecurity.att.com/blogs/labs-research/the-rise-of-qakbot"], "narrative": "QakBot notably has made its way on the CISA top malware list for 2021. QakBot for years has been under continious improvement when it comes to initial access, injection and post-exploitation. Multiple adversaries use QakBot to gain initial access and persist, most notably TA551. The actor(s) behind QakBot possess a modular framework consisting of maldoc builders, signed loaders, and DLLs that produce initially low detection rates at the beginning of the attack, which creates opportunities to deliver additional malware such as Egregor and Cobalt Strike. (ref. Cybersecurity ATT) The more recent campaigns utilize HTML smuggling to deliver a ISO container that has a LNK and QakBot payload. QakBot will either load via regsvr32.exe directly, it will attempt to perform DLL sideloading.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1016.001", "mitre_attack_technique": "Internet Connection Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT29", "FIN13", "FIN8", "Gamaredon Group", "HAFNIUM", "HEXANE", "Magic Hound", "TA2541", "Turla"]}, {"mitre_attack_id": "T1574.001", "mitre_attack_technique": "DLL Search Order Hijacking", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT41", "Aquatic Panda", "BackdoorDiplomacy", "Cinnamon Tempest", "Evilnum", "RTM", "Threat Group-3390", "Tonto Team", "Whitefly", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Cinnamon Tempest", "Earth Lusca", "FIN13", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1055.002", "mitre_attack_technique": "Portable Executable Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Gorgon Group", "Rocke"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1055.001", "mitre_attack_technique": "Dynamic-link Library Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["BackdoorDiplomacy", "Lazarus Group", "Leviathan", "Malteiro", "Putter Panda", "TA505", "Tropic Trooper", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "APT5", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Akira", "Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1218.007", "mitre_attack_technique": "Msiexec", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Machete", "Molerats", "Rancor", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1204.001", "mitre_attack_technique": "Malicious Link", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1059.007", "mitre_attack_technique": "JavaScript", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "Cobalt Group", "Earth Lusca", "Ember Bear", "Evilnum", "FIN6", "FIN7", "Higaisa", "Indrik Spider", "Kimsuky", "LazyScripter", "Leafminer", "Molerats", "MoustachedBouncer", "MuddyWater", "Sidewinder", "Silence", "TA505", "Turla"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.002", "mitre_attack_technique": "Spearphishing Link", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Magic Hound", "Rocke", "TeamTNT"]}], "mitre_attack_tactics": ["Discovery", "Command And Control", "Initial Access", "Reconnaissance", "Defense Evasion", "Persistence", "Impact", "Execution", "Privilege Escalation"], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": ["Command and Control", "Reconnaissance", "Delivery", "Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Create Remote Thread In Shell Application - Rule", "ESCU - Disable Defender Spynet Reporting - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Network Discovery Using Route Windows App - Rule", "ESCU - NLTest Domain Trust Discovery - Rule", "ESCU - Office Application Spawn Regsvr32 process - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Process Creating LNK file in Suspicious Location - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Services LOLBAS Execution Process Spawn - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Regsvr32 Register Suspicious Path - Rule", "ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - System User Discovery With Whoami - Rule", "ESCU - Wermgr Process Spawned CMD Or Powershell Process - Rule", "ESCU - Windows App Layer Protocol Qakbot NamedPipe - Rule", "ESCU - Windows App Layer Protocol Wermgr Connect To NamedPipe - Rule", "ESCU - Windows Command Shell Fetch Env Variables - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows Defender Exclusion Registry Entry - Rule", "ESCU - Windows DLL Search Order Hijacking Hunt with Sysmon - Rule", "ESCU - Windows DLL Side-Loading In Calc - Rule", "ESCU - Windows DLL Side-Loading Process Child Of Calc - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Masquerading Explorer As Child Process - Rule", "ESCU - Windows Modify Registry Qakbot Binary Data Registry - Rule", "ESCU - Windows MsiExec HideWindow Rundll32 Execution - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule", "ESCU - Windows Process Injection In Non-Service SearchIndexer - Rule", "ESCU - Windows Process Injection Of Wermgr to Known Browser - Rule", "ESCU - Windows Process Injection Remote Thread - Rule", "ESCU - Windows Process Injection Wermgr Child Process - Rule", "ESCU - Windows Regsvr32 Renamed Binary - Rule", "ESCU - Windows Schtasks Create Run As System - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows System Discovery Using ldap Nslookup - Rule", "ESCU - Windows System Discovery Using Qwinsta - Rule", "ESCU - Windows WMI Impersonate Token - Rule", "ESCU - Windows WMI Process Call Create - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}, {"name": "Create Remote Thread In Shell Application", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Disable Defender Spynet Reporting", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}, {"name": "Network Connection Discovery With Arp", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "Network Discovery Using Route Windows App", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Internet Connection Discovery"}]}, {"name": "NLTest Domain Trust Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Trust Discovery"}]}, {"name": "Office Application Spawn Regsvr32 process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Process Creating LNK file in Suspicious Location", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Link"}]}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Gather Victim Host Information"}]}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Gather Victim Host Information"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Schtasks Run Task On Demand", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Services LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Suspicious Copy on System32", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "Masquerading"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Suspicious Regsvr32 Register Suspicious Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}, {"name": "System Processes Run From Unexpected Locations", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}, {"name": "System User Discovery With Whoami", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Owner/User Discovery"}]}, {"name": "Wermgr Process Spawned CMD Or Powershell Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows App Layer Protocol Qakbot NamedPipe", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Application Layer Protocol"}]}, {"name": "Windows App Layer Protocol Wermgr Connect To NamedPipe", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Application Layer Protocol"}]}, {"name": "Windows Command Shell Fetch Env Variables", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "System Network Connections Discovery"}, {"mitre_attack_technique": "System Owner/User Discovery"}, {"mitre_attack_technique": "System Shutdown/Reboot"}, {"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows Defender Exclusion Registry Entry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows DLL Search Order Hijacking Hunt with Sysmon", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "DLL Search Order Hijacking"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "Windows DLL Side-Loading In Calc", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "Windows DLL Side-Loading Process Child Of Calc", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Malicious Link"}, {"mitre_attack_technique": "User Execution"}]}, {"name": "Windows Masquerading Explorer As Child Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "Windows Modify Registry Qakbot Binary Data Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows MsiExec HideWindow Rundll32 Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Msiexec"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}, {"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}, {"name": "Windows Process Injection In Non-Service SearchIndexer", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Windows Process Injection Of Wermgr to Known Browser", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Dynamic-link Library Injection"}, {"mitre_attack_technique": "Process Injection"}]}, {"name": "Windows Process Injection Remote Thread", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Portable Executable Injection"}]}, {"name": "Windows Process Injection Wermgr Child Process", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Windows Regsvr32 Renamed Binary", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Regsvr32"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}, {"name": "Windows Schtasks Create Run As System", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Windows System Discovery Using ldap Nslookup", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Owner/User Discovery"}]}, {"name": "Windows System Discovery Using Qwinsta", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Owner/User Discovery"}]}, {"name": "Windows WMI Impersonate Token", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "Windows WMI Process Call Create", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Scheduled Task"}]}]}, {"name": "Ransomware", "author": "David Dorsey, Splunk", "date": "2020-02-04", "version": 1, "id": "cf309d0d-d4aa-4fbb-963d-1e79febd3756", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to ransomware--spikes in SMB traffic, suspicious wevtutil usage, the presence of common ransomware extensions, and system processes run from unexpected locations, and many others.", "references": ["https://web.archive.org/web/20190826231258/https://www.carbonblack.com/2017/06/28/carbon-black-threat-research-technical-analysis-petya-notpetya-ransomware/", "https://www.splunk.com/blog/2017/06/27/closing-the-detection-to-mitigation-gap-or-to-petya-or-notpetya-whocares-.html"], "narrative": "Ransomware is an ever-present risk to the enterprise, wherein an infected host encrypts business-critical data, holding it hostage until the victim pays the attacker a ransom. There are many types and varieties of ransomware that can affect an enterprise. Attackers can deploy ransomware to enterprises through spearphishing campaigns and driveby downloads, as well as through traditional remote service-based exploitation. In the case of the WannaCry campaign, there was self-propagating wormable functionality that was used to maximize infection. Fortunately, organizations can apply several techniques--such as those in this Analytic Story--to detect and or mitigate the effects of ransomware.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1219", "mitre_attack_technique": "Remote Access Software", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Akira", "Carbanak", "Cobalt Group", "DarkVishnya", "Evilnum", "FIN7", "GOLD SOUTHFIELD", "Kimsuky", "MuddyWater", "Mustang Panda", "RTM", "Sandworm Team", "Scattered Spider", "TeamTNT", "Thrip"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1491", "mitre_attack_technique": "Defacement", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1090.003", "mitre_attack_technique": "Multi-hop Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT28", "APT29", "FIN4", "Inception", "Leviathan"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT41", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Cinnamon Tempest", "Earth Lusca", "FIN13", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562.007", "mitre_attack_technique": "Disable or Modify Cloud Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "APT5", "Akira", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN13", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1020", "mitre_attack_technique": "Automated Exfiltration", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["Gamaredon Group", "Ke3chang", "Sidewinder", "Tropic Trooper"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "FIN7", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "ToddyCat", "Turla", "Volt Typhoon"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1588.002", "mitre_attack_technique": "Tool", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT19", "APT28", "APT29", "APT32", "APT33", "APT38", "APT39", "APT41", "Aoqin Dragon", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Carbanak", "Chimera", "Cinnamon Tempest", "Cleaver", "Cobalt Group", "CopyKittens", "DarkHydrus", "DarkVishnya", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN5", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "GALLIUM", "Gorgon Group", "HEXANE", "Inception", "IndigoZebra", "Ke3chang", "Kimsuky", "LAPSUS$", "Lazarus Group", "Leafminer", "LuminousMoth", "Magic Hound", "Metador", "Moses Staff", "MuddyWater", "POLONIUM", "Patchwork", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "TA2541", "TA505", "Threat Group-3390", "Thrip", "Turla", "Volt Typhoon", "WIRTE", "Whitefly", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "Cinnamon Tempest", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "MoustachedBouncer", "POLONIUM", "Sandworm Team", "Turla", "Volt Typhoon", "Windigo"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Akira", "Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1070.001", "mitre_attack_technique": "Clear Windows Event Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "APT38", "APT41", "Chimera", "Dragonfly", "FIN5", "FIN8", "Indrik Spider"]}, {"mitre_attack_id": "T1027.005", "mitre_attack_technique": "Indicator Removal from Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT3", "Deep Panda", "GALLIUM", "OilRig", "Patchwork", "Turla"]}, {"mitre_attack_id": "T1546.015", "mitre_attack_technique": "Component Object Model Hijacking", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}, {"mitre_attack_id": "T1218.007", "mitre_attack_technique": "Msiexec", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Machete", "Molerats", "Rancor", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1218.003", "mitre_attack_technique": "CMSTP", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group", "MuddyWater"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "APT5", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "Akira", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "Scattered Spider", "TA505"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT41", "BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Scattered Spider", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1531", "mitre_attack_technique": "Account Access Removal", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Akira", "LAPSUS$"]}, {"mitre_attack_id": "T1059.005", "mitre_attack_technique": "Visual Basic", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT33", "APT37", "APT38", "APT39", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Earth Lusca", "FIN13", "FIN4", "FIN7", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "Transparent Tribe", "Turla", "WIRTE", "Windshift"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}], "mitre_attack_tactics": ["Resource Development", "Discovery", "Command And Control", "Initial Access", "Reconnaissance", "Collection", "Lateral Movement", "Exfiltration", "Persistence", "Privilege Escalation", "Impact", "Execution", "Defense Evasion"], "datamodels": ["Network_Resolution", "Endpoint", "Network_Traffic", "Change"], "kill_chain_phases": ["Command and Control", "Reconnaissance", "Delivery", "Weaponization", "Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Scheduled tasks used in BadRabbit ransomware - Rule", "ESCU - 7zip CommandLine To SMB Share Path - Rule", "ESCU - Allow File And Printing Sharing In Firewall - Rule", "ESCU - Allow Network Discovery In Firewall - Rule", "ESCU - Allow Operation with Consent Admin - Rule", "ESCU - BCDEdit Failure Recovery Modification - Rule", "ESCU - Clear Unallocated Sector Using Cipher App - Rule", "ESCU - CMLUA Or CMSTPLUA UAC Bypass - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Conti Common Exec parameter - Rule", "ESCU - Delete ShadowCopy With PowerShell - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Detect RClone Command-Line Usage - Rule", "ESCU - Detect Remote Access Software Usage File - Rule", "ESCU - Detect Remote Access Software Usage FileInfo - Rule", "ESCU - Detect Remote Access Software Usage Process - Rule", "ESCU - Detect Renamed RClone - Rule", "ESCU - Detect SharpHound Command-Line Arguments - Rule", "ESCU - Detect SharpHound File Modifications - Rule", "ESCU - Detect SharpHound Usage - Rule", "ESCU - Disable AMSI Through Registry - Rule", "ESCU - Disable ETW Through Registry - Rule", "ESCU - Disable Logs Using WevtUtil - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Excessive Service Stop Attempt - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Excessive Usage Of SC Service Utility - Rule", "ESCU - Execute Javascript With Jscript COM CLSID - Rule", "ESCU - Fsutil Zeroing File - Rule", "ESCU - ICACLS Grant Command - Rule", "ESCU - Known Services Killed by Ransomware - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - MS Exchange Mailbox Replication service writing Active Server Pages - Rule", "ESCU - Msmpeng Application DLL Side Loading - Rule", "ESCU - Permission Modification using Takeown App - Rule", "ESCU - Powershell Disable Security Monitoring - Rule", "ESCU - Powershell Enable SMB1Protocol Feature - Rule", "ESCU - Powershell Execute COM Object - Rule", "ESCU - Prevent Automatic Repair Mode using Bcdedit - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Recursive Delete of Directory In Batch CMD - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Remote Process Instantiation via WMI - Rule", "ESCU - Revil Common Exec Parameter - Rule", "ESCU - Revil Registry Entry - Rule", "ESCU - Rundll32 LockWorkStation - Rule", "ESCU - Schtasks used for forcing a reboot - Rule", "ESCU - Spike in File Writes - Rule", "ESCU - Suspicious Event Log Service Behavior - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Suspicious wevtutil Usage - Rule", "ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - UAC Bypass With Colorui COM Object - Rule", "ESCU - Uninstall App Using MsiExec - Rule", "ESCU - Unusually Long Command Line - Rule", "ESCU - Unusually Long Command Line - MLTK - Rule", "ESCU - USN Journal Deletion - Rule", "ESCU - WBAdmin Delete System Backups - Rule", "ESCU - Wbemprox COM Object Execution - Rule", "ESCU - Windows Disable Change Password Through Registry - Rule", "ESCU - Windows Disable Lock Workstation Feature Through Registry - Rule", "ESCU - Windows Disable LogOff Button Through Registry - Rule", "ESCU - Windows Disable Memory Crash Dump - Rule", "ESCU - Windows Disable Shutdown Button Through Registry - Rule", "ESCU - Windows Disable Windows Group Policy Features Through Registry - Rule", "ESCU - Windows DiskCryptor Usage - Rule", "ESCU - Windows DotNet Binary in Non Standard Path - Rule", "ESCU - Windows Event Log Cleared - Rule", "ESCU - Windows Hide Notification Features Through Registry - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows NirSoft AdvancedRun - Rule", "ESCU - Windows Raccine Scheduled Task Deletion - Rule", "ESCU - Windows Registry Modification for Safe Mode Persistence - Rule", "ESCU - Windows Remote Access Software Hunt - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - Detect Remote Access Software Usage DNS - Rule", "ESCU - Detect Remote Access Software Usage Traffic - Rule", "ESCU - Prohibited Network Traffic Allowed - Rule", "ESCU - SMB Traffic Spike - Rule", "ESCU - SMB Traffic Spike - MLTK - Rule", "ESCU - TOR Traffic - Rule", "ESCU - Detect Remote Access Software Usage URL - Rule"], "investigation_names": ["Get Backup Logs For Endpoint", "Get History Of Email Sources", "Get Notable History", "Get Parent Process Info", "Get Process Info", "Get Process Information For Port Activity", "Get Sysmon WMI Activity for Host"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Scheduled tasks used in BadRabbit ransomware", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}]}, {"name": "7zip CommandLine To SMB Share Path", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}, {"name": "Allow File And Printing Sharing In Firewall", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Cloud Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Allow Network Discovery In Firewall", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Cloud Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Allow Operation with Consent Admin", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "BCDEdit Failure Recovery Modification", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Clear Unallocated Sector Using Cipher App", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "CMLUA Or CMSTPLUA UAC Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "CMSTP"}]}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Conti Common Exec parameter", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Delete ShadowCopy With PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Detect RClone Command-Line Usage", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Automated Exfiltration"}]}, {"name": "Detect Remote Access Software Usage File", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}, {"name": "Detect Remote Access Software Usage FileInfo", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}, {"name": "Detect Remote Access Software Usage Process", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}, {"name": "Detect Renamed RClone", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Automated Exfiltration"}]}, {"name": "Detect SharpHound Command-Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Local Groups"}, {"mitre_attack_technique": "Domain Trust Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Groups"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}, {"name": "Detect SharpHound File Modifications", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Local Groups"}, {"mitre_attack_technique": "Domain Trust Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Groups"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}, {"name": "Detect SharpHound Usage", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Local Groups"}, {"mitre_attack_technique": "Domain Trust Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Groups"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}, {"name": "Disable AMSI Through Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable ETW Through Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Logs Using WevtUtil", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear Windows Event Logs"}]}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Excessive Service Stop Attempt", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Service Stop"}]}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Account Access Removal"}]}, {"name": "Excessive Usage Of SC Service Utility", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Execute Javascript With Jscript COM CLSID", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Visual Basic"}]}, {"name": "Fsutil Zeroing File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}]}, {"name": "ICACLS Grant Command", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}, {"name": "Known Services Killed by Ransomware", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Defacement"}]}, {"name": "MS Exchange Mailbox Replication service writing Active Server Pages", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Msmpeng Application DLL Side Loading", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "Permission Modification using Takeown App", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}, {"name": "Powershell Disable Security Monitoring", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Powershell Enable SMB1Protocol Feature", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "Indicator Removal from Tools"}]}, {"name": "Powershell Execute COM Object", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Component Object Model Hijacking"}, {"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Prevent Automatic Repair Mode using Bcdedit", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Gather Victim Host Information"}]}, {"name": "Recursive Delete of Directory In Batch CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Remote Process Instantiation via WMI", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "Revil Common Exec Parameter", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Revil Registry Entry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Rundll32 LockWorkStation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Schtasks used for forcing a reboot", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Spike in File Writes", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Suspicious Event Log Service Behavior", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear Windows Event Logs"}]}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Suspicious wevtutil Usage", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Clear Windows Event Logs"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "System Processes Run From Unexpected Locations", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}, {"name": "UAC Bypass With Colorui COM Object", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "CMSTP"}]}, {"name": "Uninstall App Using MsiExec", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Msiexec"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}, {"name": "Unusually Long Command Line", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Unusually Long Command Line - MLTK", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "USN Journal Deletion", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}]}, {"name": "WBAdmin Delete System Backups", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Wbemprox COM Object Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "CMSTP"}]}, {"name": "Windows Disable Change Password Through Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Disable Lock Workstation Feature Through Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Disable LogOff Button Through Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Disable Memory Crash Dump", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Windows Disable Shutdown Button Through Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Disable Windows Group Policy Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows DiskCryptor Usage", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}, {"name": "Windows DotNet Binary in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}, {"name": "Windows Event Log Cleared", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear Windows Event Logs"}]}, {"name": "Windows Hide Notification Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}, {"name": "Windows NirSoft AdvancedRun", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Tool"}]}, {"name": "Windows Raccine Scheduled Task Deletion", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}]}, {"name": "Windows Registry Modification for Safe Mode Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Windows Remote Access Software Hunt", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Detect Remote Access Software Usage DNS", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}, {"name": "Detect Remote Access Software Usage Traffic", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}, {"name": "Prohibited Network Traffic Allowed", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}, {"name": "SMB Traffic Spike", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "SMB Traffic Spike - MLTK", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "TOR Traffic", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Multi-hop Proxy"}]}, {"name": "Detect Remote Access Software Usage URL", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}]}, {"name": "Ransomware Cloud", "author": "Rod Soto, David Dorsey, Splunk", "date": "2020-10-27", "version": 1, "id": "f52f6c43-05f8-4b19-a9d3-5b8c56da91c2", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to ransomware. These searches include cloud related objects that may be targeted by malicious actors via cloud providers own encryption features.", "references": ["https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/", "https://github.com/d1vious/git-wild-hunt", "https://www.youtube.com/watch?v=PgzNib37g0M"], "narrative": "Ransomware is an ever-present risk to the enterprise, wherein an infected host encrypts business-critical data, holding it hostage until the victim pays the attacker a ransom. There are many types and varieties of ransomware that can affect an enterprise.Cloud ransomware can be deployed by obtaining high privilege credentials from targeted users or resources.", "tags": {"category": ["Malware"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "Akira", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "Scattered Spider", "TA505"]}], "mitre_attack_tactics": ["Impact"], "datamodels": [], "kill_chain_phases": ["Actions on Objectives"]}, "detection_names": ["ESCU - AWS Detect Users creating keys with encrypt policy without MFA - Rule", "ESCU - AWS Detect Users with KMS keys performing encryption S3 - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "David Dorsey, Splunk", "author_name": "Rod Soto", "detections": [{"name": "AWS Detect Users creating keys with encrypt policy without MFA", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}, {"name": "AWS Detect Users with KMS keys performing encryption S3", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}]}, {"name": "RedLine Stealer", "author": "Teoderick Contreras, Splunk", "date": "2023-04-24", "version": 1, "id": "12e31e8b-671b-4d6e-b362-a682812a71eb", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Redline Stealer trojan, including looking for file writes associated with its payload, screencapture, registry modification, persistence and data collection..", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer", "https://blogs.blackberry.com/en/2021/10/threat-thursday-redline-infostealer-update"], "narrative": "RedLine Stealer is a malware available on underground forum and subscription basis that are compiled or written in C#. This malware is capable of harvesting sensitive information from browsers such as saved credentials, auto file data, browser cookies and credit card information. It also gathers system information of the targeted or compromised host like username, location IP, RAM size available, hardware configuration and software installed. The current version of this malware contains features to steal wallet and crypto currency information.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "Malteiro", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "APT41", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "Volt Typhoon", "ZIRCONIUM"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "APT41", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Malteiro", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Discovery", "Credential Access", "Defense Evasion", "Persistence", "Execution", "Privilege Escalation"], "datamodels": ["Endpoint", "Updates"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Disabling Defender Services - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Boot or Logon Autostart Execution In Startup Folder - Rule", "ESCU - Windows Credentials from Password Stores Chrome Extension Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows Event For Service Disabled - Rule", "ESCU - Windows Modify Registry Auto Minor Updates - Rule", "ESCU - Windows Modify Registry Auto Update Notif - Rule", "ESCU - Windows Modify Registry Disable WinDefender Notifications - Rule", "ESCU - Windows Modify Registry Do Not Connect To Win Update - Rule", "ESCU - Windows Modify Registry No Auto Reboot With Logon User - Rule", "ESCU - Windows Modify Registry No Auto Update - Rule", "ESCU - Windows Modify Registry Tamper Protection - Rule", "ESCU - Windows Modify Registry UpdateServiceUrlAlternate - Rule", "ESCU - Windows Modify Registry USeWuServer - Rule", "ESCU - Windows Modify Registry WuServer - Rule", "ESCU - Windows Modify Registry wuStatusServer - Rule", "ESCU - Windows Query Registry Browser List Application - Rule", "ESCU - Windows Query Registry UnInstall Program List - Rule", "ESCU - Windows Scheduled Task with Highest Privileges - Rule", "ESCU - Windows Service Stop Win Updates - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disabling Defender Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Schtasks scheduling job on remote system", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Windows Boot or Logon Autostart Execution In Startup Folder", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Windows Credentials from Password Stores Chrome Extension Access", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Credentials from Password Stores Chrome LocalState Access", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Credentials from Password Stores Chrome Login Data Access", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Event For Service Disabled", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Modify Registry Auto Minor Updates", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry Auto Update Notif", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry Disable WinDefender Notifications", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry Do Not Connect To Win Update", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry No Auto Reboot With Logon User", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry No Auto Update", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry Tamper Protection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry UpdateServiceUrlAlternate", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry USeWuServer", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry WuServer", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry wuStatusServer", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Query Registry Browser List Application", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Query Registry UnInstall Program List", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Scheduled Task with Highest Privileges", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}, {"name": "Windows Service Stop Win Updates", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Service Stop"}]}]}, {"name": "Remcos", "author": "Teoderick Contreras, Splunk", "date": "2021-09-23", "version": 1, "id": "2bd4aa08-b9a5-40cf-bfe5-7d43f13d496c", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Remcos RAT trojan, including looking for file writes associated with its payload, screencapture, registry modification, UAC bypassed, persistence and data collection..", "references": ["https://success.trendmicro.com/solution/1123281-remcos-malware-information", "https://attack.mitre.org/software/S0332/", "https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos#:~:text=Remcos%20(acronym%20of%20Remote%20Control,used%20to%20remotely%20control%20computers.&text=Remcos%20can%20be%20used%20for,been%20used%20in%20hacking%20campaigns."], "narrative": "Remcos or Remote Control and Surveillance, marketed as a legitimate software for remotely managing Windows systems is now widely used in multiple malicious campaigns both APT and commodity malware by threat actors.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1055.001", "mitre_attack_technique": "Dynamic-link Library Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["BackdoorDiplomacy", "Lazarus Group", "Leviathan", "Malteiro", "Putter Panda", "TA505", "Tropic Trooper", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "Malteiro", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1036.008", "mitre_attack_technique": "Masquerade File Type", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Volt Typhoon"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1113", "mitre_attack_technique": "Screen Capture", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT39", "BRONZE BUTLER", "Dark Caracal", "Dragonfly", "FIN7", "GOLD SOUTHFIELD", "Gamaredon Group", "Group5", "Magic Hound", "MoustachedBouncer", "MuddyWater", "OilRig", "Silence"]}, {"mitre_attack_id": "T1204.001", "mitre_attack_technique": "Malicious Link", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059.007", "mitre_attack_technique": "JavaScript", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "Cobalt Group", "Earth Lusca", "Ember Bear", "Evilnum", "FIN6", "FIN7", "Higaisa", "Indrik Spider", "Kimsuky", "LazyScripter", "Leafminer", "Molerats", "MoustachedBouncer", "MuddyWater", "Sidewinder", "Silence", "TA505", "Turla"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "APT41", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Malteiro", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1559.001", "mitre_attack_technique": "Component Object Model", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["Gamaredon Group", "MuddyWater"]}, {"mitre_attack_id": "T1059.005", "mitre_attack_technique": "Visual Basic", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT33", "APT37", "APT38", "APT39", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Earth Lusca", "FIN13", "FIN4", "FIN7", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "Transparent Tribe", "Turla", "WIRTE", "Windshift"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}], "mitre_attack_tactics": ["Credential Access", "Reconnaissance", "Initial Access", "Collection", "Defense Evasion", "Persistence", "Execution", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation", "Reconnaissance"]}, "detection_names": ["ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - Detect Outlook exe writing a zip file - Rule", "ESCU - Disabling Remote User Account Control - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Jscript Execution Using Cscript App - Rule", "ESCU - Loading Of Dynwrapx Module - Rule", "ESCU - Malicious InProcServer32 Modification - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Office Product Spawning Windows Script Host - Rule", "ESCU - Possible Browser Pass View Parameter - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Process Deleting Its Process File Path - Rule", "ESCU - Process Writing DynamicWrapperX - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Remcos client registry install entry - Rule", "ESCU - Remcos RAT File Creation in Remcos Folder - Rule", "ESCU - Suspicious Image Creation In Appdata Folder - Rule", "ESCU - Suspicious Process DNS Query Known Abuse Web Services - Rule", "ESCU - Suspicious Process Executed From Container File - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious WAV file in Appdata Folder - Rule", "ESCU - System Info Gathering Using Dxdiag Application - Rule", "ESCU - Vbscript Execution Using Wscript App - Rule", "ESCU - Windows Defender Exclusion Registry Entry - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule", "ESCU - Winhlp32 Spawning a Process - Rule", "ESCU - Wscript Or Cscript Suspicious Child Process - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Add or Set Windows Defender Exclusion", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Detect Outlook exe writing a zip file", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Disabling Remote User Account Control", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Jscript Execution Using Cscript App", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}, {"name": "Loading Of Dynwrapx Module", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Dynamic-link Library Injection"}]}, {"name": "Malicious InProcServer32 Modification", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Regsvr32"}, {"mitre_attack_technique": "Modify Registry"}]}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawning Windows Script Host", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Possible Browser Pass View Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Credentials from Web Browsers"}, {"mitre_attack_technique": "Credentials from Password Stores"}]}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Process Deleting Its Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Process Writing DynamicWrapperX", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Component Object Model"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Regsvr32 Silent and Install Param Dll Loading", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}, {"name": "Remcos client registry install entry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Remcos RAT File Creation in Remcos Folder", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Screen Capture"}]}, {"name": "Suspicious Image Creation In Appdata Folder", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Screen Capture"}]}, {"name": "Suspicious Process DNS Query Known Abuse Web Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Visual Basic"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Suspicious Process Executed From Container File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Malicious File"}, {"mitre_attack_technique": "Masquerade File Type"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Suspicious WAV file in Appdata Folder", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Screen Capture"}]}, {"name": "System Info Gathering Using Dxdiag Application", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Gather Victim Host Information"}]}, {"name": "Vbscript Execution Using Wscript App", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Visual Basic"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows Defender Exclusion Registry Entry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Malicious Link"}, {"mitre_attack_technique": "User Execution"}]}, {"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}, {"name": "Winhlp32 Spawning a Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Wscript Or Cscript Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Parent PID Spoofing"}, {"mitre_attack_technique": "Access Token Manipulation"}]}]}, {"name": "Reverse Network Proxy", "author": "Michael Haag, Splunk", "date": "2022-11-16", "version": 1, "id": "265e4127-21fd-43e4-adac-ec5d12274111", "description": "The following analytic story describes applications that may be abused to reverse proxy back into an organization, either for persistence or remote access.", "references": ["https://attack.mitre.org/software/S0508/", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf"], "narrative": "This analytic story covers tools like Ngrok which is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. Ngrok in particular has been leveraged by threat actors in several campaigns including use for lateral movement and data exfiltration. There are many open source and closed/paid that fall into this reverse proxy category. The analytic story and complemented analytics will be released as more are identified.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1572", "mitre_attack_technique": "Protocol Tunneling", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Chimera", "Cinnamon Tempest", "Cobalt Group", "FIN13", "FIN6", "Fox Kitten", "Leviathan", "Magic Hound", "OilRig"]}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "Cinnamon Tempest", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "MoustachedBouncer", "POLONIUM", "Sandworm Team", "Turla", "Volt Typhoon", "Windigo"]}, {"mitre_attack_id": "T1102", "mitre_attack_technique": "Web Service", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT32", "EXOTIC LILY", "Ember Bear", "FIN6", "FIN8", "Fox Kitten", "Gamaredon Group", "Inception", "LazyScripter", "Mustang Panda", "Rocke", "TeamTNT", "Turla"]}], "mitre_attack_tactics": ["Command And Control"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Command and Control"]}, "detection_names": ["ESCU - Linux Ngrok Reverse Proxy Usage - Rule", "ESCU - Windows Ngrok Reverse Proxy Usage - Rule", "ESCU - Ngrok Reverse Proxy on Network - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Linux Ngrok Reverse Proxy Usage", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Protocol Tunneling"}, {"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Web Service"}]}, {"name": "Windows Ngrok Reverse Proxy Usage", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Protocol Tunneling"}, {"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Web Service"}]}, {"name": "Ngrok Reverse Proxy on Network", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Protocol Tunneling"}, {"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Web Service"}]}]}, {"name": "Revil Ransomware", "author": "Teoderick Contreras, Splunk", "date": "2021-06-04", "version": 1, "id": "817cae42-f54b-457a-8a36-fbf45521e29e", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Revil ransomware, including looking for file writes associated with Revil, encrypting network shares, deleting shadow volume storage, registry key modification, deleting of security logs, and more.", "references": ["https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/"], "narrative": "Revil ransomware is a RaaS,that a single group may operates and manges the development of this ransomware. It involve the use of ransomware payloads along with exfiltration of data. Malicious actors demand payment for ransome of data and threaten deletion and exposure of exfiltrated data.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.007", "mitre_attack_technique": "Disable or Modify Cloud Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1491", "mitre_attack_technique": "Defacement", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Cinnamon Tempest", "Earth Lusca", "FIN13", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Impact", "Execution", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Allow Network Discovery In Firewall - Rule", "ESCU - Delete ShadowCopy With PowerShell - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - Msmpeng Application DLL Side Loading - Rule", "ESCU - Powershell Disable Security Monitoring - Rule", "ESCU - Revil Common Exec Parameter - Rule", "ESCU - Revil Registry Entry - Rule", "ESCU - Wbemprox COM Object Execution - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Allow Network Discovery In Firewall", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Cloud Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Delete ShadowCopy With PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Defacement"}]}, {"name": "Msmpeng Application DLL Side Loading", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "Powershell Disable Security Monitoring", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Revil Common Exec Parameter", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Revil Registry Entry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Wbemprox COM Object Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "CMSTP"}]}]}, {"name": "Rhysida Ransomware", "author": "Teoderick Contreras, Splunk", "date": "2023-12-12", "version": 1, "id": "0925ee49-1185-4484-94ac-7867764a9183", "description": "Utilize analytics designed to identify and delve into atypical behaviors, potentially associated with the Rhysida Ransomware. Employing these searches enables the detection of irregular patterns or actions within systems or networks, serving as proactive measures to spot potential indicators of compromise or ongoing threats. By implementing these search strategies, security analysts can effectively pinpoint anomalous activities, such as unusual file modifications, deviations in system behavior, that could potentially signify the presence or attempt of Rhysida Ransomware infiltration. These searches serve as pivotal tools in the arsenal against such threats, aiding in swift detection, investigation, and mitigation efforts to counter the impact of the Rhysida Ransomware or similar malicious entities.", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-319a"], "narrative": "This story addresses Rhysida ransomware. Rhysida Ransomware emerges as a silent predator, infiltrating systems stealthily and unleashing havoc upon its victims. Employing sophisticated encryption tactics, it swiftly locks critical files and databases, holding them hostage behind an impenetrable digital veil. The haunting demand for ransom sends shockwaves through affected organizations, rendering operations inert and plunging them into a tumultuous struggle between compliance and resilience. Threat actors leveraging Rhysida ransomware are known to impact \"targets of opportunity,\" including victims in the education, healthcare, manufacturing, information technology, and government sectors. Open source reporting details similarities between Vice Society activity and the actors observed deploying Rhysida ransomware. Additionally, open source reporting has confirmed observed instances of Rhysida actors operating in a ransomware-as-a-service (RaaS) capacity, where ransomware tools and infrastructure are leased out in a profit-sharing model. Any ransoms paid are then split between the group and the affiliates.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}, {"mitre_attack_id": "T1491", "mitre_attack_technique": "Defacement", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Akira", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Scattered Spider", "Silence", "Threat Group-3390", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "FIN7", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "ToddyCat", "Turla", "Volt Typhoon"]}, {"mitre_attack_id": "T1003.003", "mitre_attack_technique": "NTDS", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "HAFNIUM", "Ke3chang", "LAPSUS$", "Mustang Panda", "Sandworm Team", "Scattered Spider", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1070.001", "mitre_attack_technique": "Clear Windows Event Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "APT38", "APT41", "Chimera", "Dragonfly", "FIN5", "FIN8", "Indrik Spider"]}, {"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Akira", "Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "Akira", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "Scattered Spider", "TA505"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1059.007", "mitre_attack_technique": "JavaScript", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "Cobalt Group", "Earth Lusca", "Ember Bear", "Evilnum", "FIN6", "FIN7", "Higaisa", "Indrik Spider", "Kimsuky", "LazyScripter", "Leafminer", "Molerats", "MoustachedBouncer", "MuddyWater", "Sidewinder", "Silence", "TA505", "Turla"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT41", "BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Scattered Spider", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1531", "mitre_attack_technique": "Account Access Removal", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Akira", "LAPSUS$"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1078.002", "mitre_attack_technique": "Domain Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT5", "Chimera", "Cinnamon Tempest", "Indrik Spider", "Magic Hound", "Naikon", "Sandworm Team", "TA505", "Threat Group-1314", "ToddyCat", "Volt Typhoon", "Wizard Spider"]}], "mitre_attack_tactics": ["Discovery", "Credential Access", "Lateral Movement", "Initial Access", "Persistence", "Privilege Escalation", "Impact", "Execution", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Rare Executables - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Disable Logs Using WevtUtil - Rule", "ESCU - Domain Account Discovery With Net App - Rule", "ESCU - Domain Controller Discovery with Nltest - Rule", "ESCU - Domain Group Discovery With Net - Rule", "ESCU - Elevated Group Discovery With Net - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - High Process Termination Frequency - Rule", "ESCU - Malicious Powershell Executed As A Service - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - NLTest Domain Trust Discovery - Rule", "ESCU - Ntdsutil Export NTDS - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - Ransomware Notes bulk creation - Rule", "ESCU - SAM Database File Access Attempt - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - SecretDumps Offline NTDS Dumping Tool - Rule", "ESCU - Spike in File Writes - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious wevtutil Usage - Rule", "ESCU - System User Discovery With Whoami - Rule", "ESCU - Windows Modify Registry NoChangingWallPaper - Rule", "ESCU - Windows PowerView AD Access Control List Enumeration - Rule", "ESCU - Windows PowerView Constrained Delegation Discovery - Rule", "ESCU - Windows PowerView Kerberos Service Ticket Request - Rule", "ESCU - Windows PowerView SPN Discovery - Rule", "ESCU - Windows PowerView Unconstrained Delegation Discovery - Rule", "ESCU - Windows Rundll32 Apply User Settings Changes - Rule", "ESCU - WinRM Spawning a Process - Rule", "ESCU - Detect Zerologon via Zeek - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}, {"name": "Detect Rare Executables", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Disable Logs Using WevtUtil", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear Windows Event Logs"}]}, {"name": "Domain Account Discovery With Net App", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Domain Controller Discovery with Nltest", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "Domain Group Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}, {"name": "Elevated Group Discovery With Net", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Account Access Removal"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "High Process Termination Frequency", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}, {"name": "Malicious Powershell Executed As A Service", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Defacement"}]}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}, {"name": "NLTest Domain Trust Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Trust Discovery"}]}, {"name": "Ntdsutil Export NTDS", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "PowerShell 4104 Hunting", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Ransomware Notes bulk creation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}, {"name": "SAM Database File Access Attempt", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "SecretDumps Offline NTDS Dumping Tool", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Spike in File Writes", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Suspicious wevtutil Usage", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Clear Windows Event Logs"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "System User Discovery With Whoami", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Owner/User Discovery"}]}, {"name": "Windows Modify Registry NoChangingWallPaper", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows PowerView AD Access Control List Enumeration", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Accounts"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}, {"name": "Windows PowerView Constrained Delegation Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "Windows PowerView Kerberos Service Ticket Request", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}]}, {"name": "Windows PowerView SPN Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}]}, {"name": "Windows PowerView Unconstrained Delegation Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "Windows Rundll32 Apply User Settings Changes", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "WinRM Spawning a Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}, {"name": "Detect Zerologon via Zeek", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}]}, {"name": "Router and Infrastructure Security", "author": "Bhavin Patel, Splunk", "date": "2017-09-12", "version": 1, "id": "91c676cf-0b23-438d-abee-f6335e177e77", "description": "Validate the security configuration of network infrastructure and verify that only authorized users and systems are accessing critical assets. Core routing and switching infrastructure are common strategic targets for attackers.", "references": ["https://web.archive.org/web/20210420020040/https://www.fireeye.com/blog/executive-perspective/2015/09/the_new_route_toper.html", "https://www.cisco.com/c/en/us/about/security-center/event-response/synful-knock.html"], "narrative": "Networking devices, such as routers and switches, are often overlooked as resources that attackers will leverage to subvert an enterprise. Advanced threats actors have shown a proclivity to target these critical assets as a means to siphon and redirect network traffic, flash backdoored operating systems, and implement cryptographic weakened algorithms to more easily decrypt network traffic.\nThis Analytic Story helps you gain a better understanding of how your network devices are interacting with your hosts. By compromising your network devices, attackers can obtain direct access to the company's internal infrastructure— effectively increasing the attack surface and accessing private services/data.", "tags": {"category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1542.005", "mitre_attack_technique": "TFTP Boot", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1498", "mitre_attack_technique": "Network Denial of Service", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1542", "mitre_attack_technique": "Pre-OS Boot", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1200", "mitre_attack_technique": "Hardware Additions", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["DarkVishnya"]}, {"mitre_attack_id": "T1557", "mitre_attack_technique": "Adversary-in-the-Middle", "mitre_attack_tactics": ["Collection", "Credential Access"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1557.002", "mitre_attack_technique": "ARP Cache Poisoning", "mitre_attack_tactics": ["Collection", "Credential Access"], "mitre_attack_groups": ["Cleaver", "LuminousMoth"]}], "mitre_attack_tactics": ["Credential Access", "Initial Access", "Collection", "Persistence", "Impact", "Defense Evasion"], "datamodels": ["Authentication", "Network_Traffic"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Detect New Login Attempts to Routers - Rule", "ESCU - Detect ARP Poisoning - Rule", "ESCU - Detect IPv6 Network Infrastructure Threats - Rule", "ESCU - Detect Port Security Violation - Rule", "ESCU - Detect Rogue DHCP Server - Rule", "ESCU - Detect Software Download To Network Device - Rule", "ESCU - Detect Traffic Mirroring - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect New Login Attempts to Routers", "source": "application", "type": "TTP", "tags": []}, {"name": "Detect ARP Poisoning", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Hardware Additions"}, {"mitre_attack_technique": "Network Denial of Service"}, {"mitre_attack_technique": "Adversary-in-the-Middle"}, {"mitre_attack_technique": "ARP Cache Poisoning"}]}, {"name": "Detect IPv6 Network Infrastructure Threats", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Hardware Additions"}, {"mitre_attack_technique": "Network Denial of Service"}, {"mitre_attack_technique": "Adversary-in-the-Middle"}, {"mitre_attack_technique": "ARP Cache Poisoning"}]}, {"name": "Detect Port Security Violation", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Hardware Additions"}, {"mitre_attack_technique": "Network Denial of Service"}, {"mitre_attack_technique": "Adversary-in-the-Middle"}, {"mitre_attack_technique": "ARP Cache Poisoning"}]}, {"name": "Detect Rogue DHCP Server", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Hardware Additions"}, {"mitre_attack_technique": "Network Denial of Service"}, {"mitre_attack_technique": "Adversary-in-the-Middle"}]}, {"name": "Detect Software Download To Network Device", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "TFTP Boot"}, {"mitre_attack_technique": "Pre-OS Boot"}]}, {"name": "Detect Traffic Mirroring", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Hardware Additions"}, {"mitre_attack_technique": "Automated Exfiltration"}, {"mitre_attack_technique": "Network Denial of Service"}, {"mitre_attack_technique": "Traffic Duplication"}]}]}, {"name": "Ryuk Ransomware", "author": "Jose Hernandez, Splunk", "date": "2020-11-06", "version": 1, "id": "507edc74-13d5-4339-878e-b9744ded1f35", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Ryuk ransomware, including looking for file writes associated with Ryuk, Stopping Security Access Manager, DisableAntiSpyware registry key modification, suspicious psexec use, and more.", "references": ["https://www.splunk.com/en_us/blog/security/detecting-ryuk-using-splunk-attack-range.html", "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/", "https://us-cert.cisa.gov/ncas/alerts/aa20-302a"], "narrative": "Cybersecurity Infrastructure Security Agency (CISA) released Alert (AA20-302A) on October 28th called Ransomware Activity Targeting the Healthcare and Public Health Sector. This alert details TTPs associated with ongoing and possible imminent attacks against the Healthcare sector, and is a joint advisory in coordination with other U.S. Government agencies. The objective of these malicious campaigns is to infiltrate targets in named sectors and to drop ransomware payloads, which will likely cause disruption of service and increase risk of actual harm to the health and safety of patients at hospitals, even with the aggravant of an ongoing COVID-19 pandemic. This document specifically refers to several crimeware exploitation frameworks, emphasizing the use of Ryuk ransomware as payload. The Ryuk ransomware payload is not new. It has been well documented and identified in multiple variants. Payloads need a carrier, and for Ryuk it has often been exploitation frameworks such as Cobalt Strike, or popular crimeware frameworks such as Emotet or Trickbot.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Akira", "Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "APT5", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "Akira", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "Scattered Spider", "TA505"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}], "mitre_attack_tactics": ["Discovery", "Lateral Movement", "Defense Evasion", "Persistence", "Impact", "Execution", "Privilege Escalation"], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": ["Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Windows connhost exe started forcefully - Rule", "ESCU - BCDEdit Failure Recovery Modification - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - NLTest Domain Trust Discovery - Rule", "ESCU - Ryuk Test Files Detected - Rule", "ESCU - Ryuk Wake on LAN Command - Rule", "ESCU - Spike in File Writes - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - WBAdmin Delete System Backups - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows Security Account Manager Stopped - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - Remote Desktop Network Bruteforce - Rule", "ESCU - Remote Desktop Network Traffic - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Jose Hernandez", "detections": [{"name": "Windows connhost exe started forcefully", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Command Shell"}]}, {"name": "BCDEdit Failure Recovery Modification", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "NLTest Domain Trust Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Trust Discovery"}]}, {"name": "Ryuk Test Files Detected", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}, {"name": "Ryuk Wake on LAN Command", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}]}, {"name": "Spike in File Writes", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "WBAdmin Delete System Backups", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Security Account Manager Stopped", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Service Stop"}]}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Remote Desktop Network Bruteforce", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "Remote Desktop Network Traffic", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}]}, {"name": "sAMAccountName Spoofing and Domain Controller Impersonation", "author": "Mauricio Velazco, Splunk", "date": "2021-12-20", "version": 1, "id": "0244fdee-61be-11ec-900e-acde48001122", "description": "Monitor for activities and techniques associated with the exploitation of the sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287) vulnerabilities.", "references": ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42278", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42287", "https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html"], "narrative": "On November 9, 2021, Microsoft released patches to address two vulnerabilities that affect Windows Active Directory networks, sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287). On December 10, 2021, security researchers Charlie Clark and Andrew Schwartz released a blog post where they shared how to weaponise these vulnerabilities in a target network an the initial detection opportunities. When successfully exploited, CVE-2021-42278 and CVE-2021-42287 allow an adversary, who has stolen the credentials of a low priviled domain user, to obtain a Kerberos Service ticket for a Domain Controller computer account. The only requirement is to have network connectivity to a domain controller. This attack vector effectivelly allows attackers to escalate their privileges in an Active Directory from a regular domain user account and take control of a domain controller. While patches have been released to address these vulnerabilities, deploying detection controls for this attack may help help defenders identify attackers attempting exploitation.", "tags": {"category": ["Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.002", "mitre_attack_technique": "Domain Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT5", "Chimera", "Cinnamon Tempest", "Indrik Spider", "Magic Hound", "Naikon", "Sandworm Team", "TA505", "Threat Group-1314", "ToddyCat", "Volt Typhoon", "Wizard Spider"]}], "mitre_attack_tactics": ["Privilege Escalation", "Persistence", "Defense Evasion", "Initial Access"], "datamodels": [], "kill_chain_phases": ["Delivery", "Installation", "Exploitation"]}, "detection_names": ["ESCU - Suspicious Computer Account Name Change - Rule", "ESCU - Suspicious Kerberos Service Ticket Request - Rule", "ESCU - Suspicious Ticket Granting Ticket Request - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Suspicious Computer Account Name Change", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Domain Accounts"}]}, {"name": "Suspicious Kerberos Service Ticket Request", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Domain Accounts"}]}, {"name": "Suspicious Ticket Granting Ticket Request", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Domain Accounts"}]}]}, {"name": "SamSam Ransomware", "author": "Rico Valdez, Splunk", "date": "2018-12-13", "version": 1, "id": "c4b89506-fbcf-4cb7-bfd6-527e54789604", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the SamSam ransomware, including looking for file writes associated with SamSam, RDP brute force attacks, the presence of files with SamSam ransomware extensions, suspicious psexec use, and more.", "references": ["https://www.crowdstrike.com/blog/an-in-depth-analysis-of-samsam-ransomware-and-boss-spider/", "https://nakedsecurity.sophos.com/2018/07/31/samsam-the-almost-6-million-ransomware/", "https://thehackernews.com/2018/07/samsam-ransomware-attacks.html"], "narrative": "The first version of the SamSam ransomware (a.k.a. Samas or SamsamCrypt) was launched in 2015 by a group of Iranian threat actors. The malicious software has affected and continues to affect thousands of victims and has raised almost $6M in ransom.\nAlthough categorized under the heading of ransomware, SamSam campaigns have some importance distinguishing characteristics. Most notable is the fact that conventional ransomware is a numbers game. Perpetrators use a \"spray-and-pray\" approach with phishing campaigns or other mechanisms, charging a small ransom (typically under $1,000). The goal is to find a large number of victims willing to pay these mini-ransoms, adding up to a lucrative payday. They use relatively simple methods for infecting systems.\nSamSam attacks are different beasts. They have become progressively more targeted and skillful than typical ransomware attacks. First, malicious actors break into a victim's network, surveil it, then run the malware manually. The attacks are tailored to cause maximum damage and the threat actors usually demand amounts in the tens of thousands of dollars.\nIn a typical attack on one large healthcare organization in 2018, the company ended up paying a ransom of four Bitcoins, then worth $56,707. Reports showed that access to the company's files was restored within two hours of paying the sum.\nAccording to Sophos, SamSam previously leveraged RDP to gain access to targeted networks via brute force. SamSam is not spread automatically, like other malware. It requires skill because it forces the attacker to adapt their tactics to the individual environment. Next, the actors escalate their privileges to admin level. They scan the networks for worthy targets, using conventional tools, such as PsExec or PaExec, to deploy/execute, quickly encrypting files.\nThis Analytic Story includes searches designed to help detect and investigate signs of the SamSam ransomware, such as the creation of fileswrites to system32, writes with tell-tale extensions, batch files written to system32, and evidence of brute-force attacks via RDP.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "APT5", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1036.005", "mitre_attack_technique": "Match Legitimate Name or Location", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT32", "APT39", "APT41", "APT5", "Aoqin Dragon", "BRONZE BUTLER", "BackdoorDiplomacy", "Blue Mockingbird", "Carbanak", "Chimera", "Darkhotel", "Earth Lusca", "FIN13", "FIN7", "Ferocious Kitten", "Fox Kitten", "Gamaredon Group", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Naikon", "PROMETHIUM", "Patchwork", "Poseidon Group", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "Sowbug", "TA2541", "TeamTNT", "ToddyCat", "Transparent Tribe", "Tropic Trooper", "Volt Typhoon", "WIRTE", "Whitefly", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1595", "mitre_attack_technique": "Active Scanning", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "Akira", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "Scattered Spider", "TA505"]}, {"mitre_attack_id": "T1082", "mitre_attack_technique": "System Information Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT19", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "Blue Mockingbird", "Chimera", "Confucius", "Darkhotel", "FIN13", "FIN8", "Gamaredon Group", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Malteiro", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Sowbug", "Stealth Falcon", "TA2541", "TeamTNT", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Windigo", "Windshift", "Wizard Spider", "ZIRCONIUM", "admin@338"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}], "mitre_attack_tactics": ["Discovery", "Credential Access", "Reconnaissance", "Lateral Movement", "Initial Access", "Persistence", "Impact", "Execution", "Defense Evasion"], "datamodels": ["Endpoint", "Network_Traffic", "Web"], "kill_chain_phases": ["Reconnaissance", "Delivery", "Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Prohibited Software On Endpoint - Rule", "ESCU - Attacker Tools On Endpoint - Rule", "ESCU - Batch File Write to System32 - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - File with Samsam Extension - Rule", "ESCU - Samsam Test File Write - Rule", "ESCU - Spike in File Writes - Rule", "ESCU - Remote Desktop Network Bruteforce - Rule", "ESCU - Remote Desktop Network Traffic - Rule", "ESCU - Detect attackers scanning for vulnerable JBoss servers - Rule", "ESCU - Detect malicious requests to exploit JBoss servers - Rule"], "investigation_names": ["Get Backup Logs For Endpoint", "Get History Of Email Sources", "Get Notable History", "Get Parent Process Info", "Get Process Info", "Get Process Information For Port Activity", "Investigate Successful Remote Desktop Authentications"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Prohibited Software On Endpoint", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Attacker Tools On Endpoint", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Match Legitimate Name or Location"}, {"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "Active Scanning"}]}, {"name": "Batch File Write to System32", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "User Execution"}, {"mitre_attack_technique": "Malicious File"}]}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "File with Samsam Extension", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Samsam Test File Write", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}, {"name": "Spike in File Writes", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Remote Desktop Network Bruteforce", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "Remote Desktop Network Traffic", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "Detect attackers scanning for vulnerable JBoss servers", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "System Information Discovery"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Detect malicious requests to exploit JBoss servers", "source": "web", "type": "TTP", "tags": []}]}, {"name": "Sandworm Tools", "author": "Teoderick Contreras, Splunk", "date": "2022-04-05", "version": 1, "id": "54146850-9d26-4877-a611-2db33231e63e", "description": "This analytic story features detections that enable security analysts to identify and investigate unusual activities potentially related to the destructive malware and tools employed by the \"Sandworm\" group. This analytic story focuses on monitoring suspicious process executions, command-line activities, Master Boot Record (MBR) wiping, data destruction, and other related indicators.", "references": ["https://cert.gov.ua/article/3718487", "https://attack.mitre.org/groups/G0034/"], "narrative": "The Sandworm group's tools are part of destructive malware operations designed to disrupt or attack Ukraine's National Information Agencies. This operation campaign consists of several malware components, including scripts, native Windows executables (LOLBINs), data wiper malware that overwrites or destroys the Master Boot Record (MBR), and file wiping using sdelete.exe on targeted hosts.", "tags": {"category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1036.004", "mitre_attack_technique": "Masquerade Task or Service", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT41", "BITTER", "BackdoorDiplomacy", "Carbanak", "FIN13", "FIN6", "FIN7", "Fox Kitten", "Higaisa", "Kimsuky", "Lazarus Group", "Magic Hound", "Naikon", "PROMETHIUM", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT41", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1550.003", "mitre_attack_technique": "Pass the Ticket", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["APT29", "APT32", "BRONZE BUTLER"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "APT5", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1590.002", "mitre_attack_technique": "DNS", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT", "ToddyCat"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}], "mitre_attack_tactics": ["Credential Access", "Lateral Movement", "Reconnaissance", "Persistence", "Execution", "Privilege Escalation", "Impact", "Discovery", "Defense Evasion"], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": ["Installation", "Exploitation", "Actions on Objectives", "Reconnaissance"]}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Icacls Deny Command - Rule", "ESCU - Linux Iptables Firewall Modification - Rule", "ESCU - Linux Kworker Process In Writable Process Path - Rule", "ESCU - Local Account Discovery with Net - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Mimikatz PassTheTicket CommandLine Parameters - Rule", "ESCU - Permission Modification using Takeown App - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows DNS Gather Network Info - Rule", "ESCU - Windows High File Deletion Frequency - Rule", "ESCU - Windows Mimikatz Binary Execution - Rule", "ESCU - Windows Mimikatz Crypto Export File Extensions - Rule", "ESCU - Windows System Shutdown CommandLine - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Icacls Deny Command", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}, {"name": "Linux Iptables Firewall Modification", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Linux Kworker Process In Writable Process Path", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Masquerade Task or Service"}, {"mitre_attack_technique": "Masquerading"}]}, {"name": "Local Account Discovery with Net", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}]}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}, {"name": "Mimikatz PassTheTicket CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Use Alternate Authentication Material"}, {"mitre_attack_technique": "Pass the Ticket"}]}, {"name": "Permission Modification using Takeown App", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Suspicious Copy on System32", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "Masquerading"}]}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "System Network Connections Discovery"}, {"mitre_attack_technique": "System Owner/User Discovery"}, {"mitre_attack_technique": "System Shutdown/Reboot"}, {"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows DNS Gather Network Info", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "DNS"}]}, {"name": "Windows High File Deletion Frequency", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Windows Mimikatz Binary Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Windows Mimikatz Crypto Export File Extensions", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}, {"name": "Windows System Shutdown CommandLine", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Shutdown/Reboot"}]}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Scheduled Task"}]}]}, {"name": "Scheduled Tasks", "author": "Michael Haag, Splunk", "date": "2023-06-12", "version": 1, "id": "94cff925-d05c-40cf-b925-d6c5702a2399", "description": "The MITRE ATT&CK technique T1053 refers to Scheduled Task/Job. Adversaries might use task scheduling utilities to execute programs or scripts at a predefined date and time. This method is often used for persistence but can also be used for privilege escalation or to execute tasks under certain conditions. Scheduling tasks can be beneficial for an attacker as it can allow them to execute actions at times when the system is less likely to be monitored actively. Different operating systems have different utilities for task scheduling, for example, Unix-like systems have Cron, while Windows has Scheduled Tasks and At Jobs.", "references": ["https://attack.mitre.org/techniques/T1053/"], "narrative": "MITRE ATT&CK technique T1053, labeled \"Scheduled Task/Job\", is a categorization of methods that adversaries use to execute malicious code by scheduling tasks or jobs on a system. This technique is widely utilized for persistence, privilege escalation, and the remote execution of tasks. The technique is applicable across various environments and platforms, including Windows, Linux, and macOS.\nThe technique consists of multiple sub-techniques, each highlighting a distinct mechanism for scheduling tasks or jobs. These sub-techniques include T1053.001 (Scheduled Task), T1053.002 (At for Windows), T1053.003 (Cron), T1053.004 (Launchd), T1053.005 (At for Linux), and T1053.006 (Systemd Timers).\nScheduled Task (T1053.001) focuses on adversaries' methods for scheduling tasks on a Windows system to maintain persistence or escalate privileges. These tasks can be set to execute at specified times, in response to particular events, or after a defined time interval.\nThe At command for Windows (T1053.002) enables administrators to schedule tasks on a Windows system. Adversaries may exploit this command to execute programs at system startup or at a predetermined schedule for persistence.\nCron (T1053.003) is a built-in job scheduler found in Unix-like operating systems. Adversaries can use cron jobs to execute programs at system startup or on a scheduled basis for persistence.\nLaunchd (T1053.004) is a service management framework present in macOS. Adversaries may utilize launchd to maintain persistence on macOS systems by setting up daemons or agents to execute at specific times or in response to defined events.\nThe At command for Linux (T1053.005) enables administrators to schedule tasks on a Linux system. Adversaries can use this command to execute programs at system startup or on a scheduled basis for persistence.\nSystemd Timers (T1053.006) offer a means of scheduling tasks on Linux systems using systemd. Adversaries can use systemd timers to execute programs at system startup or on a scheduled basis for persistence.\nDetection and mitigation strategies vary for each sub-technique. For instance, monitoring the creation of scheduled tasks or looking for uncorrelated changes to tasks that do not align with known software or patch cycles can be effective for detecting malicious activity related to this technique. Mitigation strategies may involve restricting permissions and applying application control solutions to prevent adversaries from scheduling tasks.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053.003", "mitre_attack_technique": "Cron", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT38", "APT5", "Rocke"]}, {"mitre_attack_id": "T1053.002", "mitre_attack_technique": "At", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "BRONZE BUTLER", "Threat Group-3390"]}, {"mitre_attack_id": "T1053.006", "mitre_attack_technique": "Systemd Timers", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1021.006", "mitre_attack_technique": "Windows Remote Management", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Chimera", "FIN13", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1218.014", "mitre_attack_technique": "MMC", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}], "mitre_attack_tactics": ["Lateral Movement", "Persistence", "Privilege Escalation", "Execution", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - Linux Add Files In Known Crontab Directories - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux At Allow Config File Creation - Rule", "ESCU - Linux At Application Execution - Rule", "ESCU - Linux Edit Cron Table Parameter - Rule", "ESCU - Linux Possible Append Command To At Allow Config File - Rule", "ESCU - Linux Possible Append Cronjob Entry on Existing Cronjob File - Rule", "ESCU - Linux Possible Cronjob Modification With Editor - Rule", "ESCU - Linux Service File Created In Systemd Directory - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Service Started Or Enabled - Rule", "ESCU - Possible Lateral Movement PowerShell Spawn - Rule", "ESCU - Randomly Generated Scheduled Task Name - Rule", "ESCU - Schedule Task with HTTP Command Arguments - Rule", "ESCU - Schedule Task with Rundll32 Command Trigger - Rule", "ESCU - Scheduled Task Creation on Remote Endpoint using At - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Scheduled Task Initiation on Remote Endpoint - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Schtasks used for forcing a reboot - Rule", "ESCU - Short Lived Scheduled Task - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Svchost LOLBAS Execution Process Spawn - Rule", "ESCU - Windows Enable Win32 ScheduledJob via Registry - Rule", "ESCU - Windows Hidden Schedule Task Settings - Rule", "ESCU - Windows PowerShell ScheduleTask - Rule", "ESCU - Windows Registry Delete Task SD - Rule", "ESCU - Windows Scheduled Task Created Via XML - Rule", "ESCU - Windows Scheduled Task with Highest Privileges - Rule", "ESCU - Windows Schtasks Create Run As System - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Linux Add Files In Known Crontab Directories", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Adding Crontab Using List Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux At Allow Config File Creation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux At Application Execution", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "At"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Edit Cron Table Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Possible Append Command To At Allow Config File", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "At"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Possible Append Cronjob Entry on Existing Cronjob File", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Possible Cronjob Modification With Editor", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Service File Created In Systemd Directory", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Service Restarted", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Service Started Or Enabled", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Possible Lateral Movement PowerShell Spawn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Remote Management"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "MMC"}]}, {"name": "Randomly Generated Scheduled Task Name", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}, {"name": "Schedule Task with HTTP Command Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Schedule Task with Rundll32 Command Trigger", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Scheduled Task Creation on Remote Endpoint using At", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "At"}]}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Scheduled Task Initiation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}, {"name": "Schtasks Run Task On Demand", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Schtasks scheduling job on remote system", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Schtasks used for forcing a reboot", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Short Lived Scheduled Task", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}]}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Svchost LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}, {"name": "Windows Enable Win32 ScheduledJob via Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Scheduled Task"}]}, {"name": "Windows Hidden Schedule Task Settings", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Windows PowerShell ScheduleTask", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows Registry Delete Task SD", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Scheduled Task Created Via XML", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Windows Scheduled Task with Highest Privileges", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}, {"name": "Windows Schtasks Create Run As System", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Scheduled Task"}]}]}, {"name": "Signed Binary Proxy Execution InstallUtil", "author": "Michael Haag, Splunk", "date": "2021-11-12", "version": 1, "id": "9482a314-43dc-11ec-a3c9-acde48001122", "description": "Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility.", "references": ["https://attack.mitre.org/techniques/T1218/004/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"], "narrative": "InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. InstallUtil is digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\\Windows\\Microsoft.NET\\Framework\\v\\InstallUtil.exe and C:\\Windows\\Microsoft.NET\\Framework64\\v\\InstallUtil.exe.\nThere are multiple ways to instantiate InstallUtil and they are all outlined within Atomic Red Team - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md. Two specific ways may be used and that includes invoking via installer assembly class constructor through .NET and via InstallUtil.exe.\nTypically, adversaries will utilize the most commonly found way to invoke via InstallUtil Uninstall method.\nNote that parallel processes, and parent process, play a role in how InstallUtil is being used. In particular, a developer using InstallUtil will spawn from VisualStudio. Adversaries, will spawn from non-standard processes like Explorer.exe, cmd.exe or PowerShell.exe. It's important to review the command-line to identify the DLL being loaded.\nParallel processes may also include csc.exe being used to compile a local `.cs` file. This file will be the input to the output. Developers usually do not build direct on the command shell, therefore this should raise suspicion.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Windows DotNet Binary in Non Standard Path - Rule", "ESCU - Windows InstallUtil Credential Theft - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows InstallUtil Remote Network Connection - Rule", "ESCU - Windows InstallUtil Uninstall Option - Rule", "ESCU - Windows InstallUtil Uninstall Option with Network - Rule", "ESCU - Windows InstallUtil URL in Command Line - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows DotNet Binary in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}, {"name": "Windows InstallUtil Credential Theft", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "InstallUtil"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}, {"name": "Windows InstallUtil Remote Network Connection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "InstallUtil"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}, {"name": "Windows InstallUtil Uninstall Option", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "InstallUtil"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}, {"name": "Windows InstallUtil Uninstall Option with Network", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "InstallUtil"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}, {"name": "Windows InstallUtil URL in Command Line", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "InstallUtil"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}]}, {"name": "Silver Sparrow", "author": "Michael Haag, Splunk", "date": "2021-02-24", "version": 1, "id": "cb4f48fe-7699-11eb-af77-acde48001122", "description": "Silver Sparrow, identified by Red Canary Intelligence, is a new forward looking MacOS (Intel and M1) malicious software downloader utilizing JavaScript for execution and a launchAgent to establish persistence.", "references": ["https://redcanary.com/blog/clipping-silver-sparrows-wings/", "https://www.sentinelone.com/blog/5-things-you-need-to-know-about-silver-sparrow/"], "narrative": "Silver Sparrow works is a dropper and uses typical persistence mechanisms on a Mac. It is cross platform, covering both Intel and Apple M1 architecture. To this date, no implant has been downloaded for malicious purposes. During installation of the update.pkg or updater.pkg file, the malicious software utilizes JavaScript to generate files and scripts on disk for persistence.These files later download a implant from an S3 bucket every hour. This analytic assists with identifying different types of macOS malware families establishing LaunchAgent persistence. Per SentinelOne source, it is predicted that Silver Sparrow is likely selling itself as a mechanism to 3rd party affiliates or pay-per-install (PPI) partners, typically seen as commodity adware/malware. Additional indicators and behaviors may be found within the references.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543.001", "mitre_attack_technique": "Launch Agent", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Privilege Escalation", "Persistence", "Command And Control"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Command and Control", "Installation", "Exploitation"]}, "detection_names": ["ESCU - Suspicious Curl Network Connection - Rule", "ESCU - Suspicious PlistBuddy Usage - Rule", "ESCU - Suspicious PlistBuddy Usage via OSquery - Rule", "ESCU - Suspicious SQLite3 LSQuarantine Behavior - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Suspicious Curl Network Connection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Suspicious PlistBuddy Usage", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Launch Agent"}, {"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Suspicious PlistBuddy Usage via OSquery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Launch Agent"}, {"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Suspicious SQLite3 LSQuarantine Behavior", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Staged"}]}]}, {"name": "Snake Keylogger", "author": "Teoderick Contreras, Splunk", "date": "2024-02-12", "version": 1, "id": "0374f962-c66a-4a67-9a30-24b0708ef802", "description": "SnakeKeylogger is a stealthy malware designed to secretly record keystrokes on infected devices. It operates covertly in the background, capturing sensitive information such as passwords and credit card details. This keylogging threat poses a significant risk to user privacy and security.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger", "https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-malware/snake-keylogger-malware/"], "narrative": "SnakeKeylogger, a notorious malware, first emerged in the early 2010s, gaining infamy for its clandestine ability to capture keystrokes on compromised systems. As a stealthy threat, it infiltrates computers silently, recording every keystroke entered by users, including sensitive information like passwords and financial details. Over time, it has evolved to evade detection mechanisms, posing a persistent threat to cybersecurity. Its widespread use in various cybercrime activities underscores its significance as a tool for espionage and data theft. Despite efforts to combat it, SnakeKeylogger continues to lurk in the shadows, perpetuating its malicious activities with devastating consequences.", "tags": {"category": ["Adversary Tactics", "Account Compromise", "Lateral Movement", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1590", "mitre_attack_technique": "Gather Victim Network Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["HAFNIUM"]}, {"mitre_attack_id": "T1218.009", "mitre_attack_technique": "Regsvcs/Regasm", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1497.003", "mitre_attack_technique": "Time Based Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1497", "mitre_attack_technique": "Virtualization/Sandbox Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": ["Darkhotel"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "Malteiro", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1036.008", "mitre_attack_technique": "Masquerade File Type", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Volt Typhoon"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "APT5", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "Akira", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "Scattered Spider", "TA505"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1590.005", "mitre_attack_technique": "IP Addresses", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["Andariel", "HAFNIUM", "Magic Hound"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "APT41", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "Volt Typhoon", "ZIRCONIUM"]}, {"mitre_attack_id": "T1071.003", "mitre_attack_technique": "Mail Protocols", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT28", "APT32", "Kimsuky", "SilverTerrier", "Turla"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "APT41", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Malteiro", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT", "ToddyCat"]}, {"mitre_attack_id": "T1059.005", "mitre_attack_technique": "Visual Basic", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT33", "APT37", "APT38", "APT39", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Earth Lusca", "FIN13", "FIN4", "FIN7", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "Transparent Tribe", "Turla", "WIRTE", "Windshift"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Magic Hound", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Reconnaissance", "Initial Access", "Persistence", "Privilege Escalation", "Execution", "Impact", "Discovery", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Command and Control", "Reconnaissance", "Delivery", "Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Detect Regasm Spawning a Process - Rule", "ESCU - Download Files Using Telegram - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - High Process Termination Frequency - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Processes launching netsh - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Suspicious Driver Loaded Path - Rule", "ESCU - Suspicious Process DNS Query Known Abuse Web Services - Rule", "ESCU - Suspicious Process Executed From Container File - Rule", "ESCU - Windows Credential Access From Browser Password Store - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule", "ESCU - Windows File Transfer Protocol In Non-Common Process Path - Rule", "ESCU - Windows Gather Victim Network Info Through Ip Check Web Services - Rule", "ESCU - Windows Non Discord App Access Discord LevelDB - Rule", "ESCU - Windows Phishing PDF File Executes URL Link - Rule", "ESCU - Windows System Network Connections Discovery Netsh - Rule", "ESCU - Windows Time Based Evasion via Choice Exec - Rule", "ESCU - Windows Unsecured Outlook Credentials Access In Registry - Rule", "ESCU - Windows User Execution Malicious URL Shortcut File - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Detect Regasm Spawning a Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}, {"name": "Download Files Using Telegram", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "High Process Termination Frequency", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "Processes launching netsh", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Suspicious Driver Loaded Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Suspicious Process DNS Query Known Abuse Web Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Visual Basic"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Suspicious Process Executed From Container File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Malicious File"}, {"mitre_attack_technique": "Masquerade File Type"}]}, {"name": "Windows Credential Access From Browser Password Store", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Credentials from Password Stores Chrome LocalState Access", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Credentials from Password Stores Chrome Login Data Access", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows File Transfer Protocol In Non-Common Process Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Mail Protocols"}, {"mitre_attack_technique": "Application Layer Protocol"}]}, {"name": "Windows Gather Victim Network Info Through Ip Check Web Services", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "IP Addresses"}, {"mitre_attack_technique": "Gather Victim Network Information"}]}, {"name": "Windows Non Discord App Access Discord LevelDB", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Phishing PDF File Executes URL Link", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}, {"name": "Windows System Network Connections Discovery Netsh", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "Windows Time Based Evasion via Choice Exec", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Time Based Evasion"}, {"mitre_attack_technique": "Virtualization/Sandbox Evasion"}]}, {"name": "Windows Unsecured Outlook Credentials Access In Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Unsecured Credentials"}]}, {"name": "Windows User Execution Malicious URL Shortcut File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Malicious File"}, {"mitre_attack_technique": "User Execution"}]}]}, {"name": "Snake Malware", "author": "Michael Haag, Splunk", "date": "2023-05-10", "version": 1, "id": "032bacbb-f90d-43aa-bbcc-d87f169a29c8", "description": "The Snake implant is considered the most sophisticated cyber espionage tool designed and used by Center 16 of Russia's Federal Security Service (FSB) for long-term intelligence collection on sensitive targets.", "references": ["https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF"], "narrative": "The Snake implant is considered the most sophisticated cyber espionage tool designed and used by Center 16 of Russia's Federal Security Service (FSB) for long-term intelligence collection on sensitive targets. To conduct operations using this tool, the FSB created a covert peer-to-peer (P2P) network of numerous Snake-infected computers worldwide. Many systems in this P2P network serve as relay nodes which route disguised operational traffic to and from Snake implants on the FSB's ultimate targets. Snake's custom communications protocols employ encryption and fragmentation for confidentiality and are designed to hamper detection and collection efforts. We consider Snake to be the most sophisticated cyber espionage tool in the FSB's arsenal. The sophistication of Snake stems from three principal areas. First, Snake employs means to achieve a rare level of stealth in its host components and network communications. Second, Snake's internal technical architecture allows for easy incorporation of new or replacement components. This design also facilitates the development and interoperability of Snake instances running on different host operating systems. We have observed interoperable Snake implants for Windows, MacOS, and Linux operating systems. Lastly, Snake demonstrates careful software engineering design and implementation, with the implant containing surprisingly few bugs given its complexity. (CISA, 2023)", "tags": {"category": ["Adversary Tactics", "Account Compromise", "Lateral Movement", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1547.006", "mitre_attack_technique": "Kernel Modules and Extensions", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Privilege Escalation", "Persistence", "Execution", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows Service Created Within Public Path - Rule", "ESCU - Windows Snake Malware File Modification Crmlog - Rule", "ESCU - Windows Snake Malware Kernel Driver Comadmin - Rule", "ESCU - Windows Snake Malware Registry Modification wav OpenWithProgIds - Rule", "ESCU - Windows Snake Malware Service Create - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Windows Service Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Windows Snake Malware File Modification Crmlog", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}, {"name": "Windows Snake Malware Kernel Driver Comadmin", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Kernel Modules and Extensions"}]}, {"name": "Windows Snake Malware Registry Modification wav OpenWithProgIds", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Snake Malware Service Create", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Service Execution"}]}]}, {"name": "Sneaky Active Directory Persistence Tricks", "author": "Dean Luxton, Mauricio Velazco, Splunk", "date": "2024-03-14", "version": 2, "id": "f676c4c1-c769-4ecb-9611-5fd85b497c56", "description": "Monitor for activities and techniques associated with Windows Active Directory persistence techniques.", "references": ["https://adsecurity.org/?p=1929", "https://www.youtube.com/watch?v=Lz6haohGAMc&feature=youtu.be", "https://adsecurity.org/wp-content/uploads/2015/09/DEFCON23-2015-Metcalf-RedvsBlue-ADAttackAndDefense-Final.pdf", "https://attack.mitre.org/tactics/TA0003/", "https://www.dcshadow.com/", "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", "https://www.linkedin.com/pulse/mimikatz-dcsync-event-log-detections-john-dwyer"], "narrative": "Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Active Directory is a centralized and hierarchical database that stores information about users, computers, and other resources on a network. It provides secure and efficient management of these resources and enables administrators to enforce security policies and delegate administrative tasks.\nIn 2015 Active Directory security researcher Sean Metcalf published a blog post titled `Sneaky Active Directory Persistence Tricks`. In this blog post, Sean described several methods through which an attacker could persist administrative access on an Active Directory network after having Domain Admin level rights for a short period of time. At the time of writing, 8 years after the initial blog post, most of these techniques are still possible since they abuse legitimate administrative functionality and not software vulnerabilities. Security engineers defending Active Directory networks should be aware of these technique available to adversaries post exploitation and deploy both preventive and detective security controls for them.\nThis analytic story groups detection opportunities for most of the techniques described on Seans blog post as well as other high impact attacks against Active Directory networks and Domain Controllers like DCSync and DCShadow. For some of these detection opportunities, it is necessary to enable the necessary GPOs and SACLs required, otherwise the event codes will not trigger. Each detection includes a list of requirements for enabling logging.", "tags": {"category": ["Adversary Tactics", "Account Compromise", "Lateral Movement", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1207", "mitre_attack_technique": "Rogue Domain Controller", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1484", "mitre_attack_technique": "Domain or Tenant Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1484.001", "mitre_attack_technique": "Group Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Cinnamon Tempest", "Indrik Spider"]}, {"mitre_attack_id": "T1134.005", "mitre_attack_technique": "SID-History Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1003.006", "mitre_attack_technique": "DCSync", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Earth Lusca", "LAPSUS$"]}, {"mitre_attack_id": "T1078.002", "mitre_attack_technique": "Domain Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT5", "Chimera", "Cinnamon Tempest", "Indrik Spider", "Magic Hound", "Naikon", "Sandworm Team", "TA505", "Threat Group-1314", "ToddyCat", "Volt Typhoon", "Wizard Spider"]}, {"mitre_attack_id": "T1547.005", "mitre_attack_technique": "Security Support Provider", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Credential Access", "Initial Access", "Persistence", "Privilege Escalation", "Defense Evasion"], "datamodels": ["Endpoint", "Authentication", "Network_Traffic", "Change"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation"]}, "detection_names": ["ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Windows AD AdminSDHolder ACL Modified - Rule", "ESCU - Windows AD Cross Domain SID History Addition - Rule", "ESCU - Windows AD Domain Controller Audit Policy Disabled - Rule", "ESCU - Windows AD Domain Controller Promotion - Rule", "ESCU - Windows AD Domain Replication ACL Addition - Rule", "ESCU - Windows AD DSRM Account Changes - Rule", "ESCU - Windows AD DSRM Password Reset - Rule", "ESCU - Windows AD Privileged Account SID History Addition - Rule", "ESCU - Windows AD Replication Request Initiated by User Account - Rule", "ESCU - Windows AD Replication Request Initiated from Unsanctioned Location - Rule", "ESCU - Windows AD Same Domain SID History Addition - Rule", "ESCU - Windows AD ServicePrincipalName Added To Domain Account - Rule", "ESCU - Windows AD Short Lived Domain Account ServicePrincipalName - Rule", "ESCU - Windows AD Short Lived Domain Controller SPN Attribute - Rule", "ESCU - Windows AD Short Lived Server Object - Rule", "ESCU - Windows AD SID History Attribute Modified - Rule", "ESCU - Windows Admon Default Group Policy Object Modified - Rule", "ESCU - Windows Admon Group Policy Object Created - Rule", "ESCU - Windows Default Group Policy Object Modified - Rule", "ESCU - Windows Default Group Policy Object Modified with GPME - Rule", "ESCU - Windows Group Policy Object Created - Rule", "ESCU - Windows Security Support Provider Reg Query - Rule", "ESCU - Windows AD Replication Service Traffic - Rule", "ESCU - Windows AD Rogue Domain Controller Network Activity - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Mauricio Velazco, Splunk", "author_name": "Dean Luxton", "detections": [{"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Windows AD AdminSDHolder ACL Modified", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Windows AD Cross Domain SID History Addition", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "SID-History Injection"}, {"mitre_attack_technique": "Access Token Manipulation"}]}, {"name": "Windows AD Domain Controller Audit Policy Disabled", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}]}, {"name": "Windows AD Domain Controller Promotion", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Rogue Domain Controller"}]}, {"name": "Windows AD Domain Replication ACL Addition", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain or Tenant Policy Modification"}]}, {"name": "Windows AD DSRM Account Changes", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}]}, {"name": "Windows AD DSRM Password Reset", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}]}, {"name": "Windows AD Privileged Account SID History Addition", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "SID-History Injection"}, {"mitre_attack_technique": "Access Token Manipulation"}]}, {"name": "Windows AD Replication Request Initiated by User Account", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "DCSync"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Windows AD Replication Request Initiated from Unsanctioned Location", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "DCSync"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Windows AD Same Domain SID History Addition", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "SID-History Injection"}, {"mitre_attack_technique": "Access Token Manipulation"}]}, {"name": "Windows AD ServicePrincipalName Added To Domain Account", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}]}, {"name": "Windows AD Short Lived Domain Account ServicePrincipalName", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}]}, {"name": "Windows AD Short Lived Domain Controller SPN Attribute", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Rogue Domain Controller"}]}, {"name": "Windows AD Short Lived Server Object", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Rogue Domain Controller"}]}, {"name": "Windows AD SID History Attribute Modified", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Access Token Manipulation"}, {"mitre_attack_technique": "SID-History Injection"}]}, {"name": "Windows Admon Default Group Policy Object Modified", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain or Tenant Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}]}, {"name": "Windows Admon Group Policy Object Created", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain or Tenant Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}]}, {"name": "Windows Default Group Policy Object Modified", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain or Tenant Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}]}, {"name": "Windows Default Group Policy Object Modified with GPME", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain or Tenant Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}]}, {"name": "Windows Group Policy Object Created", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain or Tenant Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}, {"mitre_attack_technique": "Domain Accounts"}]}, {"name": "Windows Security Support Provider Reg Query", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Security Support Provider"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Windows AD Replication Service Traffic", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "DCSync"}, {"mitre_attack_technique": "Rogue Domain Controller"}]}, {"name": "Windows AD Rogue Domain Controller Network Activity", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Rogue Domain Controller"}]}]}, {"name": "Spearphishing Attachments", "author": "Splunk Research Team, Splunk", "date": "2019-04-29", "version": 1, "id": "57226b40-94f3-4ce5-b101-a75f67759c27", "description": "Detect signs of malicious payloads that may indicate that your environment has been breached via a phishing attack.", "references": ["https://www.fireeye.com/blog/threat-research/2019/04/spear-phishing-campaign-targets-ukraine-government.html"], "narrative": "Despite its simplicity, phishing remains the most pervasive and dangerous cyberthreat. In fact, research shows that as many as [91% of all successful attacks](https://digitalguardian.com/blog/91-percent-cyber-attacks-start-phishing-email-heres-how-protect-against-phishing) are initiated via a phishing email.\nAs most people know, these emails use fraudulent domains, [email scraping](https://www.cyberscoop.com/emotet-trojan-phishing-scraping-templates-cofense-geodo/), familiar contact names inserted as senders, and other tactics to lure targets into clicking a malicious link, opening an attachment with a [nefarious payload](https://www.cyberscoop.com/emotet-trojan-phishing-scraping-templates-cofense-geodo/), or entering sensitive personal information that perpetrators may intercept. This attack technique requires a relatively low level of skill and allows adversaries to easily cast a wide net. Worse, because its success relies on the gullibility of humans, it's impossible to completely \"automate\" it out of your environment. However, you can use ES and ESCU to detect and investigate potentially malicious payloads injected into your environment subsequent to a phishing attack.\nWhile any kind of file may contain a malicious payload, some are more likely to be perceived as benign (and thus more often escape notice) by the average victim—especially when the attacker sends an email that seems to be from one of their contacts. An example is Microsoft Office files. Most corporate users are familiar with documents with the following suffixes: .doc/.docx (MS Word), .xls/.xlsx (MS Excel), and .ppt/.pptx (MS PowerPoint), so they may click without a second thought, slashing a hole in their organizations' security.\nFollowing is a typical series of events, according to an [article by Trend Micro](https://blog.trendmicro.com/trendlabs-security-intelligence/rising-trend-attackers-using-lnk-files-download-malware/):\n1. Attacker sends a phishing email. Recipient downloads the attached file, which is typically a .docx or .zip file with an embedded .lnk file\n1. The .lnk file executes a PowerShell script\n1. Powershell executes a reverse shell, rendering the exploit successful As a side note, adversaries are likely to use a tool like Empire to craft and obfuscate payloads and their post-injection activities, such as [exfiltration, lateral movement, and persistence](https://github.com/EmpireProject/Empire).\nThis Analytic Story focuses on detecting signs that a malicious payload has been injected into your environment. For example, one search detects outlook.exe writing a .zip file. Another looks for suspicious .lnk files launching processes.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1036.002", "mitre_attack_technique": "Right-to-Left Override", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["BRONZE BUTLER", "BlackTech", "Ferocious Kitten", "Ke3chang", "Scarlet Mimic"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1564.006", "mitre_attack_technique": "Run Virtual Instance", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1566.002", "mitre_attack_technique": "Spearphishing Link", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1564.003", "mitre_attack_technique": "Hidden Window", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "CopyKittens", "DarkHydrus", "Deep Panda", "Gamaredon Group", "Gorgon Group", "Higaisa", "Kimsuky", "Magic Hound", "Nomadic Octopus", "ToddyCat"]}, {"mitre_attack_id": "T1204.001", "mitre_attack_technique": "Malicious Link", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Execution", "Credential Access", "Defense Evasion", "Initial Access"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation"]}, "detection_names": ["ESCU - Gdrive suspicious file sharing - Rule", "ESCU - Gsuite suspicious calendar invite - Rule", "ESCU - Detect Outlook exe writing a zip file - Rule", "ESCU - Detect RTLO In File Name - Rule", "ESCU - Detect RTLO In Process - Rule", "ESCU - Excel Spawning PowerShell - Rule", "ESCU - Excel Spawning Windows Script Host - Rule", "ESCU - MSHTML Module Load in Office Product - Rule", "ESCU - Office Application Spawn rundll32 process - Rule", "ESCU - Office Document Creating Schedule Task - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Document Spawned Child Process To Download - Rule", "ESCU - Office Product Spawning BITSAdmin - Rule", "ESCU - Office Product Spawning CertUtil - Rule", "ESCU - Office Product Spawning MSHTA - Rule", "ESCU - Office Product Spawning Rundll32 with no DLL - Rule", "ESCU - Office Product Spawning Windows Script Host - Rule", "ESCU - Office Product Spawning Wmic - Rule", "ESCU - Office Product Writing cab or inf - Rule", "ESCU - Office Spawning Control - Rule", "ESCU - Process Creating LNK file in Suspicious Location - Rule", "ESCU - Windows ConHost with Headless Argument - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Office Product Spawning MSDT - Rule", "ESCU - Windows Phishing PDF File Executes URL Link - Rule", "ESCU - Windows Spearphishing Attachment Connect To None MS Office Domain - Rule", "ESCU - Windows Spearphishing Attachment Onenote Spawn Mshta - Rule", "ESCU - Winword Spawning Cmd - Rule", "ESCU - Winword Spawning PowerShell - Rule", "ESCU - Winword Spawning Windows Script Host - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Splunk Research Team", "detections": [{"name": "Gdrive suspicious file sharing", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Phishing"}]}, {"name": "Gsuite suspicious calendar invite", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Phishing"}]}, {"name": "Detect Outlook exe writing a zip file", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Detect RTLO In File Name", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Right-to-Left Override"}, {"mitre_attack_technique": "Masquerading"}]}, {"name": "Detect RTLO In Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Right-to-Left Override"}, {"mitre_attack_technique": "Masquerading"}]}, {"name": "Excel Spawning PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Excel Spawning Windows Script Host", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "MSHTML Module Load in Office Product", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Application Spawn rundll32 process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Document Creating Schedule Task", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Document Spawned Child Process To Download", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawning BITSAdmin", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawning CertUtil", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawning MSHTA", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawning Rundll32 with no DLL", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawning Windows Script Host", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawning Wmic", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Writing cab or inf", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Spawning Control", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Process Creating LNK file in Suspicious Location", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Link"}]}, {"name": "Windows ConHost with Headless Argument", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Hidden Window"}, {"mitre_attack_technique": "Run Virtual Instance"}]}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Malicious Link"}, {"mitre_attack_technique": "User Execution"}]}, {"name": "Windows Office Product Spawning MSDT", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Windows Phishing PDF File Executes URL Link", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}, {"name": "Windows Spearphishing Attachment Connect To None MS Office Domain", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}, {"name": "Windows Spearphishing Attachment Onenote Spawn Mshta", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}, {"name": "Winword Spawning Cmd", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Winword Spawning PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Winword Spawning Windows Script Host", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}]}, {"name": "Splunk Vulnerabilities", "author": "Lou Stella,Rod Soto, Eric McGinnis, Splunk", "date": "2024-01-22", "version": 1, "id": "5354df00-dce2-48ac-9a64-8adb48006828", "description": "Keeping your Splunk Enterprise deployment up to date is critical and will help you reduce the risk associated with vulnerabilities in the product.", "references": ["https://www.splunk.com/en_us/product-security/announcements.html"], "narrative": "This analytic story includes detections that focus on attacker behavior targeted at your Splunk environment directly.", "tags": {"category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Application Security", "mitre_attack_enrichments": [{"mitre_attack_id": "T1083", "mitre_attack_technique": "File and Directory Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT28", "APT3", "APT32", "APT38", "APT39", "APT41", "APT5", "Aoqin Dragon", "BRONZE BUTLER", "Chimera", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN13", "Fox Kitten", "Gamaredon Group", "HAFNIUM", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leafminer", "LuminousMoth", "Magic Hound", "MuddyWater", "Mustang Panda", "Patchwork", "Sandworm Team", "Scattered Spider", "Sidewinder", "Sowbug", "TeamTNT", "ToddyCat", "Tropic Trooper", "Turla", "Windigo", "Winnti Group", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1654", "mitre_attack_technique": "Log Enumeration", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT5", "Volt Typhoon"]}, {"mitre_attack_id": "T1567", "mitre_attack_technique": "Exfiltration Over Web Service", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT28", "Magic Hound"]}, {"mitre_attack_id": "T1499", "mitre_attack_technique": "Endpoint Denial of Service", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Sandworm Team"]}, {"mitre_attack_id": "T1027.006", "mitre_attack_technique": "HTML Smuggling", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1210", "mitre_attack_technique": "Exploitation of Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "Dragonfly", "Earth Lusca", "FIN7", "Fox Kitten", "MuddyWater", "Threat Group-3390", "Tonto Team", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1001.003", "mitre_attack_technique": "Protocol Impersonation", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Higaisa", "Lazarus Group"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1212", "mitre_attack_technique": "Exploitation for Credential Access", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "Mustard Tempest", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}, {"mitre_attack_id": "T1498", "mitre_attack_technique": "Network Denial of Service", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1499.004", "mitre_attack_technique": "Application or System Exploitation", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1588.004", "mitre_attack_technique": "Digital Certificates", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["BlackTech", "Lazarus Group", "LuminousMoth", "Silent Librarian"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1202", "mitre_attack_technique": "Indirect Command Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1587.003", "mitre_attack_technique": "Digital Certificates", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29", "PROMETHIUM"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1082", "mitre_attack_technique": "System Information Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT19", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "Blue Mockingbird", "Chimera", "Confucius", "Darkhotel", "FIN13", "FIN8", "Gamaredon Group", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Malteiro", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Sowbug", "Stealth Falcon", "TA2541", "TeamTNT", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Windigo", "Windshift", "Wizard Spider", "ZIRCONIUM", "admin@338"]}], "mitre_attack_tactics": ["Resource Development", "Command And Control", "Credential Access", "Lateral Movement", "Initial Access", "Exfiltration", "Persistence", "Privilege Escalation", "Execution", "Impact", "Discovery", "Defense Evasion"], "datamodels": ["Splunk_Audit", "Web"], "kill_chain_phases": ["Command and Control", "Delivery", "Weaponization", "Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Detect Risky SPL using Pretrained ML Model - Rule", "ESCU - Path traversal SPL injection - Rule", "ESCU - Persistent XSS in RapidDiag through User Interface Views - Rule", "ESCU - Splunk Absolute Path Traversal Using runshellscript - Rule", "ESCU - Splunk Account Discovery Drilldown Dashboard Disclosure - Rule", "ESCU - Splunk App for Lookup File Editing RCE via User XSLT - Rule", "ESCU - Splunk Authentication Token Exposure in Debug Log - Rule", "ESCU - Splunk Code Injection via custom dashboard leading to RCE - Rule", "ESCU - Splunk Command and Scripting Interpreter Delete Usage - Rule", "ESCU - Splunk Command and Scripting Interpreter Risky Commands - Rule", "ESCU - Splunk Command and Scripting Interpreter Risky SPL MLTK - Rule", "ESCU - Splunk csrf in the ssg kvstore client endpoint - Rule", "ESCU - Splunk Data exfiltration from Analytics Workspace using sid query - Rule", "ESCU - Splunk Digital Certificates Infrastructure Version - Rule", "ESCU - Splunk Digital Certificates Lack of Encryption - Rule", "ESCU - Splunk DoS Using Malformed SAML Request - Rule", "ESCU - Splunk DOS Via Dump SPL Command - Rule", "ESCU - Splunk DoS via Malformed S2S Request - Rule", "ESCU - Splunk DOS via printf search function - Rule", "ESCU - Splunk Edit User Privilege Escalation - Rule", "ESCU - Splunk Endpoint Denial of Service DoS Zip Bomb - Rule", "ESCU - Splunk Enterprise KV Store Incorrect Authorization - Rule", "ESCU - Splunk Enterprise Windows Deserialization File Partition - Rule", "ESCU - Splunk ES DoS Investigations Manager via Investigation Creation - Rule", "ESCU - Splunk ES DoS Through Investigation Attachments - Rule", "ESCU - Splunk HTTP Response Splitting Via Rest SPL Command - Rule", "ESCU - Splunk Improperly Formatted Parameter Crashes splunkd - Rule", "ESCU - Splunk Information Disclosure in Splunk Add-on Builder - Rule", "ESCU - Splunk list all nonstandard admin accounts - Rule", "ESCU - Splunk Low Privilege User Can View Hashed Splunk Password - Rule", "ESCU - Splunk Path Traversal In Splunk App For Lookup File Edit - Rule", "ESCU - Splunk Persistent XSS Via URL Validation Bypass W Dashboard - Rule", "ESCU - Splunk Process Injection Forwarder Bundle Downloads - Rule", "ESCU - Splunk Protocol Impersonation Weak Encryption Configuration - Rule", "ESCU - Splunk protocol impersonation weak encryption selfsigned - Rule", "ESCU - Splunk protocol impersonation weak encryption simplerequest - Rule", "ESCU - Splunk RBAC Bypass On Indexing Preview REST Endpoint - Rule", "ESCU - Splunk RCE via Serialized Session Payload - Rule", "ESCU - Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature - Rule", "ESCU - Splunk RCE via User XSLT - Rule", "ESCU - Splunk Reflected XSS in the templates lists radio - Rule", "ESCU - Splunk Reflected XSS on App Search Table Endpoint - Rule", "ESCU - Splunk risky Command Abuse disclosed february 2023 - Rule", "ESCU - Splunk Stored XSS via Data Model objectName field - Rule", "ESCU - Splunk Unauthenticated Log Injection Web Service Log - Rule", "ESCU - Splunk unnecessary file extensions allowed by lookup table uploads - Rule", "ESCU - Splunk User Enumeration Attempt - Rule", "ESCU - Splunk XSS in Highlighted JSON Events - Rule", "ESCU - Splunk XSS in Monitoring Console - Rule", "ESCU - Splunk XSS in Save table dialog header in search page - Rule", "ESCU - Splunk XSS via View - Rule", "ESCU - Open Redirect in Splunk Web - Rule", "ESCU - Splunk Enterprise Information Disclosure - Rule", "ESCU - Splunk Identified SSL TLS Certificates - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Rod Soto, Eric McGinnis, Splunk", "author_name": "Lou Stella", "detections": [{"name": "Detect Risky SPL using Pretrained ML Model", "source": "application", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Path traversal SPL injection", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "File and Directory Discovery"}]}, {"name": "Persistent XSS in RapidDiag through User Interface Views", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Drive-by Compromise"}]}, {"name": "Splunk Absolute Path Traversal Using runshellscript", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "File and Directory Discovery"}]}, {"name": "Splunk Account Discovery Drilldown Dashboard Disclosure", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Discovery"}]}, {"name": "Splunk App for Lookup File Editing RCE via User XSLT", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Exploitation of Remote Services"}]}, {"name": "Splunk Authentication Token Exposure in Debug Log", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Log Enumeration"}]}, {"name": "Splunk Code Injection via custom dashboard leading to RCE", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Exploitation of Remote Services"}]}, {"name": "Splunk Command and Scripting Interpreter Delete Usage", "source": "application", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Splunk Command and Scripting Interpreter Risky Commands", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Splunk Command and Scripting Interpreter Risky SPL MLTK", "source": "application", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Splunk csrf in the ssg kvstore client endpoint", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Drive-by Compromise"}]}, {"name": "Splunk Data exfiltration from Analytics Workspace using sid query", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Exfiltration Over Web Service"}]}, {"name": "Splunk Digital Certificates Infrastructure Version", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Digital Certificates"}]}, {"name": "Splunk Digital Certificates Lack of Encryption", "source": "application", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Digital Certificates"}]}, {"name": "Splunk DoS Using Malformed SAML Request", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Network Denial of Service"}]}, {"name": "Splunk DOS Via Dump SPL Command", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Application or System Exploitation"}]}, {"name": "Splunk DoS via Malformed S2S Request", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Network Denial of Service"}]}, {"name": "Splunk DOS via printf search function", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Application or System Exploitation"}]}, {"name": "Splunk Edit User Privilege Escalation", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Splunk Endpoint Denial of Service DoS Zip Bomb", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Endpoint Denial of Service"}]}, {"name": "Splunk Enterprise KV Store Incorrect Authorization", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Splunk Enterprise Windows Deserialization File Partition", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}, {"name": "Splunk ES DoS Investigations Manager via Investigation Creation", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Endpoint Denial of Service"}]}, {"name": "Splunk ES DoS Through Investigation Attachments", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Endpoint Denial of Service"}]}, {"name": "Splunk HTTP Response Splitting Via Rest SPL Command", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "HTML Smuggling"}]}, {"name": "Splunk Improperly Formatted Parameter Crashes splunkd", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Endpoint Denial of Service"}]}, {"name": "Splunk Information Disclosure in Splunk Add-on Builder", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Information Discovery"}]}, {"name": "Splunk list all nonstandard admin accounts", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Drive-by Compromise"}]}, {"name": "Splunk Low Privilege User Can View Hashed Splunk Password", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Exploitation for Credential Access"}]}, {"name": "Splunk Path Traversal In Splunk App For Lookup File Edit", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "File and Directory Discovery"}]}, {"name": "Splunk Persistent XSS Via URL Validation Bypass W Dashboard", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Drive-by Compromise"}]}, {"name": "Splunk Process Injection Forwarder Bundle Downloads", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Splunk Protocol Impersonation Weak Encryption Configuration", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Protocol Impersonation"}]}, {"name": "Splunk protocol impersonation weak encryption selfsigned", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Digital Certificates"}]}, {"name": "Splunk protocol impersonation weak encryption simplerequest", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Digital Certificates"}]}, {"name": "Splunk RBAC Bypass On Indexing Preview REST Endpoint", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Access Token Manipulation"}]}, {"name": "Splunk RCE via Serialized Session Payload", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}, {"name": "Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Exploitation of Remote Services"}]}, {"name": "Splunk RCE via User XSLT", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Exploitation of Remote Services"}]}, {"name": "Splunk Reflected XSS in the templates lists radio", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Drive-by Compromise"}]}, {"name": "Splunk Reflected XSS on App Search Table Endpoint", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Drive-by Compromise"}]}, {"name": "Splunk risky Command Abuse disclosed february 2023", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}, {"mitre_attack_technique": "Indirect Command Execution"}]}, {"name": "Splunk Stored XSS via Data Model objectName field", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Drive-by Compromise"}]}, {"name": "Splunk Unauthenticated Log Injection Web Service Log", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}, {"name": "Splunk unnecessary file extensions allowed by lookup table uploads", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Drive-by Compromise"}]}, {"name": "Splunk User Enumeration Attempt", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "Splunk XSS in Highlighted JSON Events", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Drive-by Compromise"}]}, {"name": "Splunk XSS in Monitoring Console", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Drive-by Compromise"}]}, {"name": "Splunk XSS in Save table dialog header in search page", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Drive-by Compromise"}]}, {"name": "Splunk XSS via View", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Drive-by Compromise"}]}, {"name": "Open Redirect in Splunk Web", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Splunk Enterprise Information Disclosure", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Splunk Identified SSL TLS Certificates", "source": "network", "type": "Hunting", "tags": [{"mitre_attack_technique": "Network Sniffing"}]}]}, {"name": "Spring4Shell CVE-2022-22965", "author": "Michael Haag, Splunk", "date": "2022-04-05", "version": 1, "id": "dcc19913-6918-4ed2-bbba-a6b484c10ef4", "description": "Spring4Shell is the nickname given to a zero-day vulnerability in the Spring Core Framework, a programming and configuration model for Java-based enterprise applications.", "references": ["https://www.tenable.com/blog/spring4shell-faq-spring-framework-remote-code-execution-vulnerability"], "narrative": "An attacker could exploit Spring4Shell by sending a specially crafted request to a vulnerable server. However, exploitation of Spring4Shell requires certain prerequisites, whereas the original Log4Shell vulnerability affected all versions of Log4j 2 using the default configuration.\nAccording to Spring, the following requirements were included in the vulnerability report, however the post cautions that there may be other ways in which this can be exploited so this may not be a complete list of requirements at this time:\n- Java Development Kit (JDK) 9 or greater\n- Apache Tomcat as the Servlet container\n- Packaged as a WAR\n- spring-webmvc or spring-webflux dependency\n", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Application Security", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "APT5", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}], "mitre_attack_tactics": ["Persistence", "Initial Access"], "datamodels": ["Endpoint", "Web"], "kill_chain_phases": ["Delivery", "Installation"]}, "detection_names": ["ESCU - Java Writing JSP File - Rule", "ESCU - Linux Java Spawning Shell - Rule", "ESCU - Spring4Shell Payload URL Request - Rule", "ESCU - Web JSP Request via URL - Rule", "ESCU - Web Spring4Shell HTTP Request Class Module - Rule", "ESCU - Web Spring Cloud Function FunctionRouter - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Java Writing JSP File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Linux Java Spawning Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Spring4Shell Payload URL Request", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Web JSP Request via URL", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Web Spring4Shell HTTP Request Class Module", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Web Spring Cloud Function FunctionRouter", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}]}, {"name": "SQL Injection", "author": "Bhavin Patel, Splunk", "date": "2017-09-19", "version": 1, "id": "4f6632f5-449c-4686-80df-57625f59bab3", "description": "Use the searches in this Analytic Story to help you detect structured query language (SQL) injection attempts characterized by long URLs that contain malicious parameters.", "references": ["https://capec.mitre.org/data/definitions/66.html", "https://www.incapsula.com/web-application-security/sql-injection.html"], "narrative": "It is very common for attackers to inject SQL parameters into vulnerable web applications, which then interpret the malicious SQL statements.\nThis Analytic Story contains a search designed to identify attempts by attackers to leverage this technique to compromise a host and gain a foothold in the target environment.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - SQL Injection with Long URLs - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "SQL Injection with Long URLs", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}]}, {"name": "Subvert Trust Controls SIP and Trust Provider Hijacking", "author": "Michael Haag, Splunk", "date": "2023-10-10", "version": 1, "id": "7faf91b6-532a-4f18-807c-b2761e90b6dc", "description": "Adversaries may tamper with SIP and trust provider components to mislead the operating system and application control tools when conducting signature validation checks. This technique involves modifying the Dll and FuncName Registry values that point to the dynamic link library (DLL) providing a SIP's function, which retrieves an encoded digital certificate from a signed file. By pointing to a maliciously-crafted DLL with an exported function that always returns a known good signature value, an adversary can apply an acceptable signature value to all files using that SIP. This can also enable persistent code execution, since these malicious components may be invoked by any application that performs code signing or signature validation.", "references": ["https://attack.mitre.org/techniques/T1553/003/", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_sip_persistence.yml", "https://specterops.io/wp-content/uploads/sites/3/2022/06/SpecterOps_Subverting_Trust_in_Windows.pdf", "https://github.com/gtworek/PSBits/tree/master/SIP", "https://github.com/mattifestation/PoCSubjectInterfacePackage", "https://pentestlab.blog/2017/11/06/hijacking-digital-signatures/"], "narrative": "In user mode, Windows Authenticode digital signatures are used to verify a file's origin and integrity, variables that may be used to establish trust in signed code. The signature validation process is handled via the WinVerifyTrust application programming interface (API) function, which accepts an inquiry and coordinates with the appropriate trust provider, which is responsible for validating parameters of a signature. Because of the varying executable file types and corresponding signature formats, Microsoft created software components called Subject Interface Packages (SIPs) to provide a layer of abstraction between API functions and files. SIPs are responsible for enabling API functions to create, retrieve, calculate, and verify signatures. Unique SIPs exist for most file formats and are identified by globally unique identifiers (GUIDs). Adversaries may hijack SIP and trust provider components to mislead operating system and application control tools to classify malicious (or any) code as signed.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1553.003", "mitre_attack_technique": "SIP and Trust Provider Hijacking", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Windows Registry SIP Provider Modification - Rule", "ESCU - Windows SIP Provider Inventory - Rule", "ESCU - Windows SIP WinVerifyTrust Failed Trust Validation - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Registry SIP Provider Modification", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "SIP and Trust Provider Hijacking"}]}, {"name": "Windows SIP Provider Inventory", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "SIP and Trust Provider Hijacking"}]}, {"name": "Windows SIP WinVerifyTrust Failed Trust Validation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "SIP and Trust Provider Hijacking"}]}]}, {"name": "Suspicious AWS Login Activities", "author": "Bhavin Patel, Splunk", "date": "2019-05-01", "version": 1, "id": "2e8948a5-5239-406b-b56b-6c59f1268af3", "description": "Monitor your AWS authentication events using your CloudTrail logs. Searches within this Analytic Story will help you stay aware of and investigate suspicious logins. ", "references": ["https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html"], "narrative": "It is important to monitor and control who has access to your AWS infrastructure. Detecting suspicious logins to your AWS infrastructure will provide good starting points for investigations. Abusive behaviors caused by compromised credentials can lead to direct monetary costs, as you will be billed for any EC2 instances created by the attacker.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}], "mitre_attack_tactics": ["Resource Development", "Defense Evasion"], "datamodels": ["Authentication"], "kill_chain_phases": ["Weaponization", "Exploitation"]}, "detection_names": ["ESCU - AWS Successful Console Authentication From Multiple IPs - Rule", "ESCU - Detect AWS Console Login by User from New City - Rule", "ESCU - Detect AWS Console Login by User from New Country - Rule", "ESCU - Detect AWS Console Login by User from New Region - Rule", "ESCU - Detect new user AWS Console Login - Rule"], "investigation_names": ["AWS Investigate User Activities By ARN"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "AWS Successful Console Authentication From Multiple IPs", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}, {"name": "Detect AWS Console Login by User from New City", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}, {"name": "Detect AWS Console Login by User from New Country", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}, {"name": "Detect AWS Console Login by User from New Region", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}, {"name": "Detect new user AWS Console Login", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cloud Accounts"}]}]}, {"name": "Suspicious AWS S3 Activities", "author": "Bhavin Patel, Splunk", "date": "2023-04-24", "version": 3, "id": "66732346-8fb0-407b-9633-da16756567d6", "description": "Use the searches in this Analytic Story using Cloudtrail logs to to monitor your AWS S3 buckets for evidence of anomalous activity and suspicious behaviors, such as detecting open S3 buckets and buckets being accessed from a new IP, permission and policy updates to the bucket, potential misuse of other services leading to data being leaked.", "references": ["https://github.com/nagwww/s3-leaks", "https://www.tripwire.com/state-of-security/security-data-protection/cloud/public-aws-s3-buckets-writable/"], "narrative": "One of the most common ways that attackers attempt to steal data from S3 is by gaining unauthorized access to S3 buckets and copying or exfiltrating data to external locations.\nHowever, suspicious S3 activities can refer to any unusual behavior detected within an Amazon Web Services (AWS) Simple Storage Service (S3) bucket, including unauthorized access, unusual data transfer patterns, and access attempts from unknown IP addresses.\nIt is important for organizations to regularly monitor S3 activities for suspicious behavior and implement security best practices, such as using access controls, encryption, and strong authentication mechanisms, to protect sensitive data stored within S3 buckets. By staying vigilant and taking proactive measures, organizations can help prevent potential security breaches and minimize the impact of attacks if they do occur.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1537", "mitre_attack_technique": "Transfer Data to Cloud Account", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1119", "mitre_attack_technique": "Automated Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "Chimera", "Confucius", "FIN5", "FIN6", "Gamaredon Group", "Ke3chang", "Mustang Panda", "OilRig", "Patchwork", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1530", "mitre_attack_technique": "Data from Cloud Storage", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Fox Kitten", "Scattered Spider"]}], "mitre_attack_tactics": ["Impact", "Exfiltration", "Collection"], "datamodels": [], "kill_chain_phases": ["Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - AWS Disable Bucket Versioning - Rule", "ESCU - AWS Exfiltration via Bucket Replication - Rule", "ESCU - AWS Exfiltration via DataSync Task - Rule", "ESCU - Detect New Open S3 buckets - Rule", "ESCU - Detect New Open S3 Buckets over AWS CLI - Rule", "ESCU - Detect S3 access from a new IP - Rule", "ESCU - Detect Spike in S3 Bucket deletion - Rule"], "investigation_names": ["AWS Investigate User Activities By ARN", "AWS S3 Bucket details via bucketName", "Get All AWS Activity From IP Address", "Get Notable History", "Investigate AWS activities via region name"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "AWS Disable Bucket Versioning", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "AWS Exfiltration via Bucket Replication", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}, {"name": "AWS Exfiltration via DataSync Task", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Automated Collection"}]}, {"name": "Detect New Open S3 buckets", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Data from Cloud Storage"}]}, {"name": "Detect New Open S3 Buckets over AWS CLI", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Data from Cloud Storage"}]}, {"name": "Detect S3 access from a new IP", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data from Cloud Storage"}]}, {"name": "Detect Spike in S3 Bucket deletion", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data from Cloud Storage"}]}]}, {"name": "Suspicious AWS Traffic", "author": "Bhavin Patel, Splunk", "date": "2018-05-07", "version": 1, "id": "2e8948a5-5239-406b-b56b-6c50f2168af3", "description": "Leverage these searches to monitor your AWS network traffic for evidence of anomalous activity and suspicious behaviors, such as a spike in blocked outbound traffic in your virtual private cloud (VPC).", "references": ["https://rhinosecuritylabs.com/aws/hiding-cloudcobalt-strike-beacon-c2-using-amazon-apis/"], "narrative": "A virtual private cloud (VPC) is an on-demand managed cloud-computing service that isolates computing resources for each client. Inside the VPC container, the environment resembles a physical network.\nAmazon's VPC service enables you to launch EC2 instances and leverage other Amazon resources. The traffic that flows in and out of this VPC can be controlled via network access-control rules and security groups. Amazon also has a feature called VPC Flow Logs that enables you to log IP traffic going to and from the network interfaces in your VPC. This data is stored using Amazon CloudWatch Logs.\nAttackers may abuse the AWS infrastructure with insecure VPCs so they can co-opt AWS resources for command-and-control nodes, data exfiltration, and more. Once an EC2 instance is compromised, an attacker may initiate outbound network connections for malicious reasons. Monitoring these network traffic behaviors is crucial for understanding the type of traffic flowing in and out of your network and to alert you to suspicious activities.\nThe searches in this Analytic Story will monitor your AWS network traffic for evidence of anomalous activity and suspicious behaviors.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Spike in blocked Outbound Traffic from your AWS - Rule"], "investigation_names": ["AWS Investigate User Activities By ARN", "AWS Network ACL Details from ID", "AWS Network Interface details via resourceId", "Get All AWS Activity From IP Address", "Get DNS Server History for a host", "Get DNS traffic ratio", "Get Notable History", "Get Process Info", "Get Process Information For Port Activity", "Get Process Responsible For The DNS Traffic"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect Spike in blocked Outbound Traffic from your AWS", "source": "cloud", "type": "Anomaly", "tags": []}]}, {"name": "Suspicious Cloud Authentication Activities", "author": "Rico Valdez, Splunk", "date": "2020-06-04", "version": 1, "id": "6380ebbb-55c5-4fce-b754-01fd565fb73c", "description": "Monitor your cloud authentication events. Searches within this Analytic Story leverage the recent cloud updates to the Authentication data model to help you stay aware of and investigate suspicious login activity. ", "references": ["https://aws.amazon.com/blogs/security/aws-cloudtrail-now-tracks-cross-account-activity-to-its-origin/", "https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html"], "narrative": "It is important to monitor and control who has access to your cloud infrastructure. Detecting suspicious logins will provide good starting points for investigations. Abusive behaviors caused by compromised credentials can lead to direct monetary costs, as you will be billed for any compute activity whether legitimate or otherwise.\nThis Analytic Story has data model versions of cloud searches leveraging Authentication data, including those looking for suspicious login activity, and cross-account activity for AWS.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Resource Development", "Credential Access", "Defense Evasion"], "datamodels": ["Authentication"], "kill_chain_phases": ["Weaponization", "Exploitation"]}, "detection_names": ["ESCU - AWS Cross Account Activity From Previously Unseen Account - Rule", "ESCU - Detect AWS Console Login by New User - Rule", "ESCU - Detect AWS Console Login by User from New City - Rule", "ESCU - Detect AWS Console Login by User from New Country - Rule", "ESCU - Detect AWS Console Login by User from New Region - Rule"], "investigation_names": ["Get Notable History", "Investigate AWS User Activities by user field"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "AWS Cross Account Activity From Previously Unseen Account", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Detect AWS Console Login by New User", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unsecured Credentials"}]}, {"name": "Detect AWS Console Login by User from New City", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}, {"name": "Detect AWS Console Login by User from New Country", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}, {"name": "Detect AWS Console Login by User from New Region", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}]}, {"name": "Suspicious Cloud Instance Activities", "author": "David Dorsey, Splunk", "date": "2020-08-25", "version": 1, "id": "8168ca88-392e-42f4-85a2-767579c660ce", "description": "Monitor your cloud infrastructure provisioning activities for behaviors originating from unfamiliar or unusual locations. These behaviors may indicate that malicious activities are occurring somewhere within your cloud environment.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "narrative": "Monitoring your cloud infrastructure logs allows you enable governance, compliance, and risk auditing. It is crucial for a company to monitor events and actions taken in the their cloud environments to ensure that your instances are not vulnerable to attacks. This Analytic Story identifies suspicious activities in your cloud compute instances and helps you respond and investigate those activities.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1537", "mitre_attack_technique": "Transfer Data to Cloud Account", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Initial Access", "Defense Evasion", "Exfiltration", "Persistence", "Privilege Escalation"], "datamodels": ["Risk", "Change"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Abnormally High Number Of Cloud Instances Destroyed - Rule", "ESCU - Abnormally High Number Of Cloud Instances Launched - Rule", "ESCU - AWS AMI Attribute Modification for Exfiltration - Rule", "ESCU - AWS EC2 Snapshot Shared Externally - Rule", "ESCU - AWS Exfiltration via EC2 Snapshot - Rule", "ESCU - AWS S3 Exfiltration Behavior Identified - Rule", "ESCU - Cloud Instance Modified By Previously Unseen User - Rule"], "investigation_names": ["AWS Investigate User Activities By ARN", "Get All AWS Activity From IP Address"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Abnormally High Number Of Cloud Instances Destroyed", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}, {"name": "Abnormally High Number Of Cloud Instances Launched", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}, {"name": "AWS AMI Attribute Modification for Exfiltration", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}, {"name": "AWS EC2 Snapshot Shared Externally", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}, {"name": "AWS Exfiltration via EC2 Snapshot", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}, {"name": "AWS S3 Exfiltration Behavior Identified", "source": "cloud", "type": "Correlation", "tags": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}, {"name": "Cloud Instance Modified By Previously Unseen User", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}]}, {"name": "Suspicious Cloud Provisioning Activities", "author": "David Dorsey, Splunk", "date": "2018-08-20", "version": 1, "id": "51045ded-1575-4ba6-aef7-af6c73cffd86", "description": "Monitor your cloud infrastructure provisioning activities for behaviors originating from unfamiliar or unusual locations. These behaviors may indicate that malicious activities are occurring somewhere within your cloud environment.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "narrative": "Because most enterprise cloud infrastructure activities originate from familiar geographic locations, monitoring for activity from unknown or unusual regions is an important security measure. This indicator can be especially useful in environments where it is impossible to add specific IPs to an allow list because they vary.\nThis Analytic Story was designed to provide you with flexibility in the precision you employ in specifying legitimate geographic regions. It can be as specific as an IP address or a city, or as broad as a region (think state) or an entire country. By determining how precise you want your geographical locations to be and monitoring for new locations that haven't previously accessed your environment, you can detect adversaries as they begin to probe your environment. Since there are legitimate reasons for activities from unfamiliar locations, this is not a standalone indicator. Nevertheless, location can be a relevant piece of information that you may wish to investigate further.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Privilege Escalation", "Persistence", "Defense Evasion", "Initial Access"], "datamodels": ["Change"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation"]}, "detection_names": ["ESCU - Cloud Provisioning Activity From Previously Unseen City - Rule", "ESCU - Cloud Provisioning Activity From Previously Unseen Country - Rule", "ESCU - Cloud Provisioning Activity From Previously Unseen IP Address - Rule", "ESCU - Cloud Provisioning Activity From Previously Unseen Region - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Cloud Provisioning Activity From Previously Unseen City", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "Cloud Provisioning Activity From Previously Unseen Country", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "Cloud Provisioning Activity From Previously Unseen IP Address", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "Cloud Provisioning Activity From Previously Unseen Region", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}]}, {"name": "Suspicious Cloud User Activities", "author": "David Dorsey, Splunk", "date": "2020-09-04", "version": 1, "id": "1ed5ce7d-5469-4232-92af-89d1a3595b39", "description": "Detect and investigate suspicious activities by users and roles in your cloud environments.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf", "https://redlock.io/blog/cryptojacking-tesla"], "narrative": "It seems obvious that it is critical to monitor and control the users who have access to your cloud infrastructure. Nevertheless, it's all too common for enterprises to lose track of ad-hoc accounts, leaving their servers vulnerable to attack. In fact, this was the very oversight that led to Tesla's cryptojacking attack in February, 2018.\nIn addition to compromising the security of your data, when bad actors leverage your compute resources, it can incur monumental costs, since you will be billed for any new instances and increased bandwidth usage.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1580", "mitre_attack_technique": "Cloud Infrastructure Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Scattered Spider"]}], "mitre_attack_tactics": ["Discovery", "Initial Access", "Defense Evasion", "Persistence", "Execution", "Privilege Escalation"], "datamodels": ["Change"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation"]}, "detection_names": ["ESCU - Abnormally High Number Of Cloud Infrastructure API Calls - Rule", "ESCU - Abnormally High Number Of Cloud Security Group API Calls - Rule", "ESCU - AWS IAM AccessDenied Discovery Events - Rule", "ESCU - AWS Lambda UpdateFunctionCode - Rule", "ESCU - Cloud API Calls From Previously Unseen User Roles - Rule", "ESCU - Cloud Security Groups Modifications by User - Rule"], "investigation_names": ["AWS Investigate User Activities By ARN"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Abnormally High Number Of Cloud Infrastructure API Calls", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}, {"name": "Abnormally High Number Of Cloud Security Group API Calls", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}, {"name": "AWS IAM AccessDenied Discovery Events", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Infrastructure Discovery"}]}, {"name": "AWS Lambda UpdateFunctionCode", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Cloud API Calls From Previously Unseen User Roles", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "Cloud Security Groups Modifications by User", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Cloud Compute Configurations"}]}]}, {"name": "Suspicious Command-Line Executions", "author": "Bhavin Patel, Splunk", "date": "2020-02-03", "version": 2, "id": "f4368ddf-d59f-4192-84f6-778ac5a3ffc7", "description": "Leveraging the Windows command-line interface (CLI) is one of the most common attack techniques--one that is also detailed in the MITRE ATT&CK framework. Use this Analytic Story to help you identify unusual or suspicious use of the CLI on Windows systems.", "references": ["https://attack.mitre.org/wiki/Technique/T1059", "https://www.microsoft.com/en-us/wdsi/threats/macro-malware", "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"], "narrative": "The ability to execute arbitrary commands via the Windows CLI is a primary goal for the adversary. With access to the shell, an attacker can easily run scripts and interact with the target system. Often, attackers may only have limited access to the shell or may obtain access in unusual ways. In addition, malware may execute and interact with the CLI in ways that would be considered unusual and inconsistent with typical user activity. This provides defenders with opportunities to identify suspicious use and investigate, as appropriate. This Analytic Story contains various searches to help identify this suspicious activity, as well as others to aid you in deeper investigation.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}], "mitre_attack_tactics": ["Execution", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - First time seen command line argument - Rule", "ESCU - Detect Prohibited Applications Spawning cmd exe - Rule", "ESCU - Detect suspicious processnames using pretrained model in DSDL - Rule", "ESCU - Detect Use of cmd exe to Launch Script Interpreters - Rule", "ESCU - Potentially malicious code on commandline - Rule", "ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - Unusually Long Command Line - Rule", "ESCU - Unusually Long Command Line - MLTK - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "First time seen command line argument", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Windows Command Shell"}]}, {"name": "Detect Prohibited Applications Spawning cmd exe", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}]}, {"name": "Detect suspicious processnames using pretrained model in DSDL", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Detect Use of cmd exe to Launch Script Interpreters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}]}, {"name": "Potentially malicious code on commandline", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Windows Command Shell"}]}, {"name": "System Processes Run From Unexpected Locations", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}, {"name": "Unusually Long Command Line", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Unusually Long Command Line - MLTK", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Suspicious Compiled HTML Activity", "author": "Michael Haag, Splunk", "date": "2021-02-11", "version": 1, "id": "a09db4d1-3827-4833-87b8-3a397e532119", "description": "Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code.", "references": ["https://redcanary.com/blog/introducing-atomictestharnesses/", "https://attack.mitre.org/techniques/T1218/001/", "https://docs.microsoft.com/en-us/windows/win32/api/htmlhelp/nf-htmlhelp-htmlhelpa"], "narrative": "Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such VBA, JScript, Java, and ActiveX. CHM content is displayed using underlying components of the Internet Explorer browser loaded by the HTML Help executable program (hh.exe).\nHH.exe relies upon hhctrl.ocx to load CHM topics.This will load upon execution of a chm file.\nDuring investigation, review all parallel processes and child processes. It is possible for file modification events to occur and it is best to capture the CHM file and decompile it for further analysis.\nUpon usage of InfoTech Storage Handlers, ms-its, its, mk, itss.dll will load.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.001", "mitre_attack_technique": "Compiled HTML File", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "APT41", "Dark Caracal", "OilRig", "Silence"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Detect HTML Help Renamed - Rule", "ESCU - Detect HTML Help Spawn Child Process - Rule", "ESCU - Detect HTML Help URL in Command Line - Rule", "ESCU - Detect HTML Help Using InfoTech Storage Handlers - Rule", "ESCU - Windows System Binary Proxy Execution Compiled HTML File Decompile - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect HTML Help Renamed", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Compiled HTML File"}]}, {"name": "Detect HTML Help Spawn Child Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Compiled HTML File"}]}, {"name": "Detect HTML Help URL in Command Line", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Compiled HTML File"}]}, {"name": "Detect HTML Help Using InfoTech Storage Handlers", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Compiled HTML File"}]}, {"name": "Windows System Binary Proxy Execution Compiled HTML File Decompile", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Compiled HTML File"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}]}, {"name": "Suspicious DNS Traffic", "author": "Rico Valdez, Splunk", "date": "2017-09-18", "version": 1, "id": "3c3835c0-255d-4f9e-ab84-e29ec9ec9b56", "description": "Attackers often attempt to hide within or otherwise abuse the domain name system (DNS). You can thwart attempts to manipulate this omnipresent protocol by monitoring for these types of abuses.", "references": ["http://blogs.splunk.com/2015/10/01/random-words-on-entropy-and-dns/", "http://www.darkreading.com/analytics/security-monitoring/got-malware-three-signs-revealed-in-dns-traffic/d/d-id/1139680", "https://live.paloaltonetworks.com/t5/Threat-Vulnerability-Articles/What-are-suspicious-DNS-queries/ta-p/71454"], "narrative": "Although DNS is one of the fundamental underlying protocols that make the Internet work, it is often ignored (perhaps because of its complexity and effectiveness). However, attackers have discovered ways to abuse the protocol to meet their objectives. One potential abuse involves manipulating DNS to hijack traffic and redirect it to an IP address under the attacker's control. This could inadvertently send users intending to visit google.com, for example, to an unrelated malicious website. Another technique involves using the DNS protocol for command-and-control activities with the attacker's malicious code or to covertly exfiltrate data. The searches within this Analytic Story look for these types of abuses.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1568.002", "mitre_attack_technique": "Domain Generation Algorithms", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "TA551"]}, {"mitre_attack_id": "T1071.004", "mitre_attack_technique": "DNS", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT39", "APT41", "Chimera", "Cobalt Group", "FIN7", "Ke3chang", "LazyScripter", "OilRig", "Tropic Trooper"]}, {"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "Mustard Tempest", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Magic Hound", "Rocke", "TeamTNT"]}], "mitre_attack_tactics": ["Exfiltration", "Command And Control", "Initial Access"], "datamodels": ["Network_Resolution", "Endpoint"], "kill_chain_phases": ["Delivery", "Command and Control", "Actions on Objectives"]}, "detection_names": ["ESCU - Clients Connecting to Multiple DNS Servers - Rule", "ESCU - Detect Long DNS TXT Record Response - Rule", "ESCU - Detection of DNS Tunnels - Rule", "ESCU - DNS Query Requests Resolved by Unauthorized DNS Servers - Rule", "ESCU - DNS Exfiltration Using Nslookup App - Rule", "ESCU - Excessive Usage of NSLOOKUP App - Rule", "ESCU - Detect DGA domains using pretrained model in DSDL - Rule", "ESCU - Detect DNS Data Exfiltration using pretrained model in DSDL - Rule", "ESCU - Detect hosts connecting to dynamic domain providers - Rule", "ESCU - Detect suspicious DNS TXT records using pretrained model in DSDL - Rule", "ESCU - DNS Query Length Outliers - MLTK - Rule", "ESCU - DNS Query Length With High Standard Deviation - Rule", "ESCU - Excessive DNS Failures - Rule"], "investigation_names": ["Get DNS Server History for a host", "Get DNS traffic ratio", "Get Notable History", "Get Parent Process Info", "Get Process Info", "Get Process Responsible For The DNS Traffic"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Clients Connecting to Multiple DNS Servers", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}, {"name": "Detect Long DNS TXT Record Response", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}, {"name": "Detection of DNS Tunnels", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}, {"name": "DNS Query Requests Resolved by Unauthorized DNS Servers", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "DNS"}]}, {"name": "DNS Exfiltration Using Nslookup App", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}, {"name": "Excessive Usage of NSLOOKUP App", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}, {"name": "Detect DGA domains using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Domain Generation Algorithms"}]}, {"name": "Detect DNS Data Exfiltration using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}, {"name": "Detect hosts connecting to dynamic domain providers", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Drive-by Compromise"}]}, {"name": "Detect suspicious DNS TXT records using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Domain Generation Algorithms"}]}, {"name": "DNS Query Length Outliers - MLTK", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "DNS"}, {"mitre_attack_technique": "Application Layer Protocol"}]}, {"name": "DNS Query Length With High Standard Deviation", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}, {"name": "Excessive DNS Failures", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "DNS"}, {"mitre_attack_technique": "Application Layer Protocol"}]}]}, {"name": "Suspicious Emails", "author": "Bhavin Patel, Splunk", "date": "2020-01-27", "version": 1, "id": "2b1800dd-92f9-47ec-a981-fdf1351e5d55", "description": "Email remains one of the primary means for attackers to gain an initial foothold within the modern enterprise. Detect and investigate suspicious emails in your environment with the help of the searches in this Analytic Story.", "references": ["https://www.splunk.com/blog/2015/06/26/phishing-hits-a-new-level-of-quality/"], "narrative": "It is a common practice for attackers of all types to leverage targeted spearphishing campaigns and mass mailers to deliver weaponized email messages and attachments. Fortunately, there are a number of ways to monitor email data in Splunk to detect suspicious content.\nOnce a phishing message has been detected, the next steps are to answer the following questions:\n1. Which users have received this or a similar message in the past?\n1. When did the targeted campaign begin?\n1. Have any users interacted with the content of the messages (by downloading an attachment or clicking on a malicious URL)?This Analytic Story provides detection searches to identify suspicious emails, as well as contextual and investigative searches to help answer some of these questions.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Email"], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - Email Attachments With Lots Of Spaces - Rule", "ESCU - Monitor Email For Brand Abuse - Rule", "ESCU - Suspicious Email Attachment Extensions - Rule", "ESCU - Suspicious Email - UBA Anomaly - Rule"], "investigation_names": ["Get Email Info", "Get Emails From Specific Sender", "Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Email Attachments With Lots Of Spaces", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Monitor Email For Brand Abuse", "source": "application", "type": "TTP", "tags": []}, {"name": "Suspicious Email Attachment Extensions", "source": "application", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}, {"name": "Suspicious Email - UBA Anomaly", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Phishing"}]}]}, {"name": "Suspicious GCP Storage Activities", "author": "Shannon Davis, Splunk", "date": "2020-08-05", "version": 1, "id": "4d656b2e-d6be-11ea-87d0-0242ac130003", "description": "Use the searches in this Analytic Story to monitor your GCP Storage buckets for evidence of anomalous activity and suspicious behaviors, such as detecting open storage buckets and buckets being accessed from a new IP. The contextual and investigative searches will give you more information, when required.", "references": ["https://cloud.google.com/blog/products/gcp/4-steps-for-hardening-your-cloud-storage-buckets-taking-charge-of-your-security", "https://rhinosecuritylabs.com/gcp/google-cloud-platform-gcp-bucket-enumeration/"], "narrative": "Similar to other cloud providers, GCP operates on a shared responsibility model. This means the end user, you, are responsible for setting appropriate access control lists and permissions on your GCP resources.\\ This Analytics Story concentrates on detecting things like open storage buckets (both read and write) along with storage bucket access from unfamiliar users and IP addresses.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1530", "mitre_attack_technique": "Data from Cloud Storage", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Fox Kitten", "Scattered Spider"]}], "mitre_attack_tactics": ["Collection"], "datamodels": [], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Detect GCP Storage access from a new IP - Rule", "ESCU - Detect New Open GCP Storage Buckets - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Shannon Davis", "detections": [{"name": "Detect GCP Storage access from a new IP", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data from Cloud Storage"}]}, {"name": "Detect New Open GCP Storage Buckets", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Data from Cloud Storage"}]}]}, {"name": "Suspicious MSHTA Activity", "author": "Bhavin Patel, Michael Haag, Splunk", "date": "2021-01-20", "version": 2, "id": "1e5a5a53-540b-462a-8fb7-f44a4292f5dc", "description": "Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code.", "references": ["https://redcanary.com/blog/introducing-atomictestharnesses/", "https://redcanary.com/blog/windows-registry-attacks-threat-detection/", "https://attack.mitre.org/techniques/T1218/005/", "https://medium.com/@mbromileyDFIR/malware-monday-aebb456356c5"], "narrative": "One common adversary tactic is to bypass application control solutions via the mshta.exe process, which loads Microsoft HTML applications (mshtml.dll) with the .hta suffix. In these cases, attackers use the trusted Windows utility to proxy execution of malicious files, whether an .hta application, javascript, or VBScript.\nThe searches in this story help you detect and investigate suspicious activity that may indicate that an attacker is leveraging mshta.exe to execute malicious code.\nTriage\nValidate execution\n1. Determine if MSHTA.exe executed. Validate the OriginalFileName of MSHTA.exe and further PE metadata. If executed outside of c:\\windows\\system32 or c:\\windows\\syswow64, it should be highly suspect.\n1. Determine if script code was executed with MSHTA.\nSituational Awareness\nThe objective of this step is meant to identify suspicious behavioral indicators related to executed of Script code by MSHTA.exe.\n1. Parent process. Is the parent process a known LOLBin? Is the parent process an Office Application?\n1. Module loads. Are the known MSHTA.exe modules being loaded by a non-standard application? Is MSHTA loading any suspicious .DLLs?\n1. Network connections. Any network connections? Review the reputation of the remote IP or domain.\nRetrieval of script code\nThe objective of this step is to confirm the executed script code is benign or malicious.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA2541", "TA551"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Privilege Escalation", "Persistence", "Execution", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - Detect mshta inline hta execution - Rule", "ESCU - Detect mshta renamed - Rule", "ESCU - Detect MSHTA Url in Command Line - Rule", "ESCU - Detect Prohibited Applications Spawning cmd exe - Rule", "ESCU - Detect Rundll32 Inline HTA Execution - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Suspicious mshta child process - Rule", "ESCU - Suspicious mshta spawn - Rule", "ESCU - Windows MSHTA Writing to World Writable Path - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Michael Haag, Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect mshta inline hta execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}, {"name": "Detect mshta renamed", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}, {"name": "Detect MSHTA Url in Command Line", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}, {"name": "Detect Prohibited Applications Spawning cmd exe", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}]}, {"name": "Detect Rundll32 Inline HTA Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Suspicious mshta child process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}, {"name": "Suspicious mshta spawn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}, {"name": "Windows MSHTA Writing to World Writable Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Mshta"}]}]}, {"name": "Suspicious Okta Activity", "author": "Rico Valdez, Splunk", "date": "2020-04-02", "version": 1, "id": "9cbd34af-8f39-4476-a423-bacd126c750b", "description": "Monitor your Okta environment for suspicious activities. Due to the Covid outbreak, many users are migrating over to leverage cloud services more and more. Okta is a popular tool to manage multiple users and the web-based applications they need to stay productive. The searches in this story will help monitor your Okta environment for suspicious activities and associated user behaviors.", "references": ["https://attack.mitre.org/wiki/Technique/T1078", "https://owasp.org/www-community/attacks/Credential_stuffing", "https://searchsecurity.techtarget.com/answer/What-is-a-password-spraying-attack-and-how-does-it-work"], "narrative": "Okta is the leading single sign on (SSO) provider, allowing users to authenticate once to Okta, and from there access a variety of web-based applications. These applications are assigned to users and allow administrators to centrally manage which users are allowed to access which applications. It also provides centralized logging to help understand how the applications are used and by whom.\nWhile SSO is a major convenience for users, it also provides attackers with an opportunity. If the attacker can gain access to Okta, they can access a variety of applications. As such monitoring the environment is important.\nWith people moving quickly to adopt web-based applications and ways to manage them, many are still struggling to understand how best to monitor these environments. This analytic story provides searches to help monitor this environment, and identify events and activity that warrant further investigation such as credential stuffing or password spraying attacks, and users logging in from multiple locations when travel is disallowed.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.004", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1539", "mitre_attack_technique": "Steal Web Session Cookie", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Evilnum", "LuminousMoth", "Sandworm Team", "Scattered Spider"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1078.001", "mitre_attack_technique": "Default Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["FIN13", "Magic Hound"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}], "mitre_attack_tactics": ["Credential Access", "Initial Access", "Defense Evasion", "Persistence", "Discovery", "Privilege Escalation"], "datamodels": ["Risk"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation"]}, "detection_names": ["ESCU - Okta IDP Lifecycle Modifications - Rule", "ESCU - Okta Risk Threshold Exceeded - Rule", "ESCU - Okta Suspicious Use of a Session Cookie - Rule", "ESCU - Multiple Okta Users With Invalid Credentials From The Same IP - Rule", "ESCU - Okta Account Locked Out - Rule", "ESCU - Okta Account Lockout Events - Rule", "ESCU - Okta Failed SSO Attempts - Rule", "ESCU - Okta ThreatInsight Login Failure with High Unknown users - Rule", "ESCU - Okta ThreatInsight Suspected PasswordSpray Attack - Rule", "ESCU - Okta Two or More Rejected Okta Pushes - Rule"], "investigation_names": ["Investigate Okta Activity by app", "Investigate Okta Activity by IP Address", "Investigate User Activities In Okta"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Okta IDP Lifecycle Modifications", "source": "application", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Account"}]}, {"name": "Okta Risk Threshold Exceeded", "source": "application", "type": "Correlation", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Okta Suspicious Use of a Session Cookie", "source": "application", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Steal Web Session Cookie"}]}, {"name": "Multiple Okta Users With Invalid Credentials From The Same IP", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}]}, {"name": "Okta Account Locked Out", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Brute Force"}]}, {"name": "Okta Account Lockout Events", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}]}, {"name": "Okta Failed SSO Attempts", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}]}, {"name": "Okta ThreatInsight Login Failure with High Unknown users", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}, {"mitre_attack_technique": "Credential Stuffing"}]}, {"name": "Okta ThreatInsight Suspected PasswordSpray Attack", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}, {"mitre_attack_technique": "Password Spraying"}]}, {"name": "Okta Two or More Rejected Okta Pushes", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Brute Force"}]}]}, {"name": "Suspicious Regsvcs Regasm Activity", "author": "Michael Haag, Splunk", "date": "2021-02-11", "version": 1, "id": "2cdf33a0-4805-4b61-b025-59c20f418fbe", "description": "Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code.", "references": ["https://attack.mitre.org/techniques/T1218/009/", "https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/evasion/windows/applocker_evasion_regasm_regsvcs.md", "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/"], "narrative": " Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies. Both are digitally signed by Microsoft. The following queries assist with detecting suspicious and malicious usage of Regasm.exe and Regsvcs.exe. Upon reviewing usage of Regasm.exe Regsvcs.exe, review file modification events for possible script code written. Review parallel process events for csc.exe being utilized to compile script code.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.009", "mitre_attack_technique": "Regsvcs/Regasm", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Detect Regasm Spawning a Process - Rule", "ESCU - Detect Regasm with Network Connection - Rule", "ESCU - Detect Regasm with no Command Line Arguments - Rule", "ESCU - Detect Regsvcs Spawning a Process - Rule", "ESCU - Detect Regsvcs with Network Connection - Rule", "ESCU - Detect Regsvcs with No Command Line Arguments - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Regasm Spawning a Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}, {"name": "Detect Regasm with Network Connection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}, {"name": "Detect Regasm with no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}, {"name": "Detect Regsvcs Spawning a Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}, {"name": "Detect Regsvcs with Network Connection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}, {"name": "Detect Regsvcs with No Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}]}, {"name": "Suspicious Regsvr32 Activity", "author": "Michael Haag, Splunk", "date": "2021-01-29", "version": 1, "id": "b8bee41e-624f-11eb-ae93-0242ac130002", "description": "Monitor and detect techniques used by attackers who leverage the regsvr32.exe process to execute malicious code.", "references": ["https://attack.mitre.org/techniques/T1218/010/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md", "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/"], "narrative": "One common adversary tactic is to bypass application control solutions via the regsvr32.exe process. This particular bypass was popularized with \"SquiblyDoo\" using the \"scrobj.dll\" dll to load .sct scriptlets. This technique is still widely used by adversaries to bypass detection and prevention controls. The file extension of the DLL is irrelevant (it may load a .txt file extension for example). The searches in this story help you detect and investigate suspicious activity that may indicate that an adversary is leveraging regsvr32.exe to execute malicious code. Validate execution Determine if regsvr32.exe executed. Validate the OriginalFileName of regsvr32.exe and further PE metadata. If executed outside of c:\\windows\\system32 or c:\\windows\\syswow64, it should be highly suspect. Determine if script code was executed with regsvr32. Situational Awareness - The objective of this step is meant to identify suspicious behavioral indicators related to executed of Script code by regsvr32.exe. Parent process. Is the parent process a known LOLBin? Is the parent process an Office Application? Module loads. Is regsvr32 loading any suspicious .DLLs? Unsigned or signed from non-standard paths. Network connections. Any network connections? Review the reputation of the remote IP or domain. Retrieval of Script Code - confirm the executed script code is benign or malicious.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Detect Regsvr32 Application Control Bypass - Rule", "ESCU - Malicious InProcServer32 Modification - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Suspicious Regsvr32 Register Suspicious Path - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Regsvr32 Application Control Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}, {"name": "Malicious InProcServer32 Modification", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Regsvr32"}, {"mitre_attack_technique": "Modify Registry"}]}, {"name": "Regsvr32 Silent and Install Param Dll Loading", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}, {"name": "Suspicious Regsvr32 Register Suspicious Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}]}, {"name": "Suspicious Rundll32 Activity", "author": "Michael Haag, Splunk", "date": "2021-02-03", "version": 1, "id": "80a65487-854b-42f1-80a1-935e4c170694", "description": "Monitor and detect techniques used by attackers who leverage rundll32.exe to execute arbitrary malicious code.", "references": ["https://attack.mitre.org/techniques/T1218/011/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md", "https://lolbas-project.github.io/lolbas/Binaries/Rundll32"], "narrative": "One common adversary tactic is to bypass application control solutions via the rundll32.exe process. Natively, rundll32.exe will load DLLs and is a great example of a Living off the Land Binary. Rundll32.exe may load malicious DLLs by ordinals, function names or directly. The queries in this story focus on loading default DLLs, syssetup.dll, ieadvpack.dll, advpack.dll and setupapi.dll from disk that may be abused by adversaries. Additionally, two analytics developed to assist with identifying DLLRegisterServer, Start and StartW functions being called. The searches in this story help you detect and investigate suspicious activity that may indicate that an adversary is leveraging rundll32.exe to execute malicious code.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion"], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Suspicious Rundll32 Rename - Rule", "ESCU - Detect Rundll32 Application Control Bypass - advpack - Rule", "ESCU - Detect Rundll32 Application Control Bypass - setupapi - Rule", "ESCU - Detect Rundll32 Application Control Bypass - syssetup - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Rundll32 Control RunDLL Hunt - Rule", "ESCU - Rundll32 Control RunDLL World Writable Directory - Rule", "ESCU - Rundll32 with no Command Line Arguments with Network - Rule", "ESCU - RunDLL Loading DLL By Ordinal - Rule", "ESCU - Suspicious Rundll32 dllregisterserver - Rule", "ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", "ESCU - Suspicious Rundll32 StartW - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Suspicious Rundll32 Rename", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rundll32"}, {"mitre_attack_technique": "Rename System Utilities"}]}, {"name": "Detect Rundll32 Application Control Bypass - advpack", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Detect Rundll32 Application Control Bypass - setupapi", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Detect Rundll32 Application Control Bypass - syssetup", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Rundll32 Control RunDLL Hunt", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Rundll32 Control RunDLL World Writable Directory", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Rundll32 with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "RunDLL Loading DLL By Ordinal", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Suspicious Rundll32 dllregisterserver", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Suspicious Rundll32 no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Suspicious Rundll32 StartW", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}]}, {"name": "Suspicious Windows Registry Activities", "author": "Bhavin Patel, Splunk", "date": "2018-05-31", "version": 1, "id": "2b1800dd-92f9-47dd-a981-fdf1351e5d55", "description": "Monitor and detect registry changes initiated from remote locations, which can be a sign that an attacker has infiltrated your system.", "references": ["https://redcanary.com/blog/windows-registry-attacks-threat-detection/", "https://attack.mitre.org/wiki/Technique/T1112"], "narrative": "Attackers are developing increasingly sophisticated techniques for hijacking target servers, while evading detection. One such technique that has become progressively more common is registry modification.\nThe registry is a key component of the Windows operating system. It has a hierarchical database called \"registry\" that contains settings, options, and values for executables. Once the threat actor gains access to a machine, they can use reg.exe to modify their account to obtain administrator-level privileges, maintain persistence, and move laterally within the environment.\nThe searches in this story are designed to help you detect behaviors associated with manipulation of the Windows registry.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1546.011", "mitre_attack_technique": "Application Shimming", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["FIN7"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1546.012", "mitre_attack_technique": "Image File Execution Options Injection", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA2541", "TA551"]}, {"mitre_attack_id": "T1564.001", "mitre_attack_technique": "Hidden Files and Directories", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "FIN13", "HAFNIUM", "Lazarus Group", "LuminousMoth", "Mustang Panda", "Rocke", "Transparent Tribe", "Tropic Trooper"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.010", "mitre_attack_technique": "Port Monitors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - Reg exe used to hide files directories via registry keys - Rule", "ESCU - Remote Registry Key modifications - Rule", "ESCU - Suspicious Changes to File Associations - Rule", "ESCU - Disable UAC Remote Restriction - Rule", "ESCU - Disabling Remote User Account Control - Rule", "ESCU - Monitor Registry Keys for Print Monitors - Rule", "ESCU - Registry Keys for Creating SHIM Databases - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule", "ESCU - Windows Mshta Execution In Registry - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Reg exe used to hide files directories via registry keys", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Hidden Files and Directories"}]}, {"name": "Remote Registry Key modifications", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Suspicious Changes to File Associations", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Change Default File Association"}]}, {"name": "Disable UAC Remote Restriction", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Disabling Remote User Account Control", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Monitor Registry Keys for Print Monitors", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Port Monitors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Registry Keys for Creating SHIM Databases", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Application Shimming"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Registry Keys Used For Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Image File Execution Options Injection"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Windows Mshta Execution In Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Mshta"}]}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Services Registry Permissions Weakness"}]}]}, {"name": "Suspicious WMI Use", "author": "Rico Valdez, Splunk", "date": "2018-10-23", "version": 2, "id": "c8ddc5be-69bc-4202-b3ab-4010b27d7ad5", "description": "Attackers are increasingly abusing Windows Management Instrumentation (WMI), a framework and associated utilities available on all modern Windows operating systems. Because WMI can be leveraged to manage both local and remote systems, it is important to identify the processes executed and the user context within which the activity occurred.", "references": ["https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf", "https://web.archive.org/web/20210921091529/https://www.fireeye.com/blog/threat-research/2017/03/wmimplant_a_wmi_ba.html"], "narrative": "WMI is a Microsoft infrastructure for management data and operations on Windows operating systems. It includes of a set of utilities that can be leveraged to manage both local and remote Windows systems. Attackers are increasingly turning to WMI abuse in their efforts to conduct nefarious tasks, such as reconnaissance, detection of antivirus and virtual machines, code execution, lateral movement, persistence, and data exfiltration. The detection searches included in this Analytic Story are used to look for suspicious use of WMI commands that attackers may leverage to interact with remote systems. The searches specifically look for the use of WMI to run processes on remote systems. In the event that unauthorized WMI execution occurs, it will be important for analysts and investigators to determine the context of the event. These details may provide insights related to how WMI was used and to what end.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.003", "mitre_attack_technique": "Windows Management Instrumentation Event Subscription", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT33", "Blue Mockingbird", "FIN8", "HEXANE", "Leviathan", "Metador", "Mustang Panda", "Rancor", "Turla"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1220", "mitre_attack_technique": "XSL Script Processing", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group", "Higaisa"]}], "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Execution", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - Detect WMI Event Subscription Persistence - Rule", "ESCU - PowerShell Invoke WmiExec Usage - Rule", "ESCU - Process Execution via WMI - Rule", "ESCU - Remote Process Instantiation via WMI - Rule", "ESCU - Remote WMI Command Attempt - Rule", "ESCU - Script Execution via WMI - Rule", "ESCU - Windows WMI Process Call Create - Rule", "ESCU - WMI Permanent Event Subscription - Rule", "ESCU - WMI Permanent Event Subscription - Sysmon - Rule", "ESCU - WMI Temporary Event Subscription - Rule", "ESCU - WMIC XSL Execution via URL - Rule", "ESCU - XSL Script Execution With WMIC - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info", "Get Sysmon WMI Activity for Host"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Detect WMI Event Subscription Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation Event Subscription"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "PowerShell Invoke WmiExec Usage", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "Process Execution via WMI", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "Remote Process Instantiation via WMI", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "Remote WMI Command Attempt", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "Script Execution via WMI", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "Windows WMI Process Call Create", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "WMI Permanent Event Subscription", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "WMI Permanent Event Subscription - Sysmon", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation Event Subscription"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "WMI Temporary Event Subscription", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "WMIC XSL Execution via URL", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "XSL Script Processing"}]}, {"name": "XSL Script Execution With WMIC", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "XSL Script Processing"}]}]}, {"name": "Suspicious Zoom Child Processes", "author": "David Dorsey, Splunk", "date": "2020-04-13", "version": 1, "id": "aa3749a6-49c7-491e-a03f-4eaee5fe0258", "description": "Attackers are using Zoom as an vector to increase privileges on a sytems. This story detects new child processes of zoom and provides investigative actions for this detection.", "references": ["https://blog.rapid7.com/2020/04/02/dispelling-zoom-bugbears-what-you-need-to-know-about-the-latest-zoom-vulnerabilities/", "https://threatpost.com/two-zoom-zero-day-flaws-uncovered/154337/"], "narrative": "Zoom is a leader in modern enterprise video communications and its usage has increased dramatically with a large amount of the population under stay-at-home orders due to the COVID-19 pandemic. With increased usage has come increased scrutiny and several security flaws have been found with this application on both Windows and macOS systems.\nCurrent detections focus on finding new child processes of this application on a per host basis. Investigative searches are included to gather information needed during an investigation.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}], "mitre_attack_tactics": ["Execution"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation"]}, "detection_names": ["ESCU - Detect Prohibited Applications Spawning cmd exe - Rule", "ESCU - First Time Seen Child Process of Zoom - Rule"], "investigation_names": ["Get Process File Activity"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Detect Prohibited Applications Spawning cmd exe", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}]}, {"name": "First Time Seen Child Process of Zoom", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}]}, {"name": "Swift Slicer", "author": "Teoderick Contreras, Rod Soto, Splunk", "date": "2023-02-01", "version": 1, "id": "234c9dd7-52fb-4d6f-aec9-075ef88a2cea", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the swift slicer malware including overwriting of files and etc.", "references": ["https://twitter.com/ESETresearch/status/1618960022150729728", "https://www.welivesecurity.com/2023/01/27/swiftslicer-new-destructive-wiper-malware-ukraine/"], "narrative": "Swift Slicer is one of Windows destructive malware found by ESET that was used in a targeted organizarion to wipe critical files like windows drivers and other files to destroy and left the machine inoperable. This malware like Caddy Wiper was deliver through GPO which suggests that the attacker had taken control of the victims active directory environment.", "tags": {"category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}], "mitre_attack_tactics": ["Privilege Escalation", "Impact", "Persistence", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Data Destruction Recursive Exec Files Deletion - Rule", "ESCU - Windows High File Deletion Frequency - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Rod Soto, Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Windows Data Destruction Recursive Exec Files Deletion", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Windows High File Deletion Frequency", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Destruction"}]}]}, {"name": "SysAid On-Prem Software CVE-2023-47246 Vulnerability", "author": "Michael Haag, Splunk", "date": "2023-11-09", "version": 1, "id": "228f22cb-3436-4c31-8af4-370d40af7b49", "description": "A zero-day vulnerability was discovered in SysAid's on-premise software, exploited by the group DEV-0950 (Lace Tempest). The attackers uploaded a WebShell and other payloads, gaining unauthorized access and control. SysAid has released a patch (version 23.3.36) to remediate the vulnerability and urges customers to conduct a comprehensive compromise assessment.", "references": ["https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification"], "narrative": "The analytics tagged to this analytic story will aid in capturing initial access and some post-exploitation activities. In addition to the application spawning a shell, consider reviewing STRT's Cobalt Strike and PowerShell script block logging analytic stories. On November 2nd, SysAid's security team identified a potential vulnerability in their on-premise software. The investigation revealed a zero-day vulnerability exploited by the group known as DEV-0950 (Lace Tempest). The attackers uploaded a WebShell and other payloads into the webroot of the SysAid Tomcat web service, thereby gaining unauthorized access and control over the affected system. SysAid promptly initiated their incident response protocol and began proactive communication with their on-premise customers to implement a mitigation solution. SysAid has released a patch (version 23.3.36) to remediate the vulnerability and strongly recommends all customers to conduct a comprehensive compromise assessment of their network.", "tags": {"category": ["Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "APT5", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}], "mitre_attack_tactics": ["Persistence", "Execution", "Command And Control", "Initial Access"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Command and Control", "Installation"]}, "detection_names": ["ESCU - Any Powershell DownloadString - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Java Writing JSP File - Rule", "ESCU - Windows Java Spawning Shells - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}, {"name": "Java Writing JSP File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Windows Java Spawning Shells", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}]}, {"name": "Text4Shell CVE-2022-42889", "author": "Michael Haag, Splunk", "date": "2022-10-26", "version": 1, "id": "95ae800d-485e-47f7-866e-8be281aa497b", "description": "A new critical vulnerability CVE-2022-42889 a.k.a. Text4shell, similar to the old Spring4Shell and Log4Shell, was originally reported by Alvaro Munoz on the very popular Apache Commons Text library.", "references": ["https://sysdig.com/blog/cve-2022-42889-text4shell/"], "narrative": "Apache Commons Text is a Java library described as \"a library focused on algorithms working on strings.\" We can see it as a general-purpose text manipulation toolkit. This vulnerability affects the StringSubstitutor interpolator class, which is included in the Commons Text library. A default interpolator allows for string lookups that can lead to Remote Code Execution. This is due to a logic flaw that makes the \"script,\" \"dns,\" and \"url\" lookup keys interpolated by default, as opposed to what it should be, according to the documentation of the StringLookupFactory class. Those keys allow an attacker to execute arbitrary code via lookups. In order to exploit the vulnerabilities, the following requirements must be met - Run a version of Apache Commons Text from version 1.5 to 1.9 and use the StringSubstitutor interpolator. It is important to specify that the StringSubstitutor interpolator is not as widely used as the string substitution in Log4j, which led to Log4Shell. According to the CVSSv3 system, it scores 9.8 as CRITICAL severity. The severity is Critical due to the easy exploitability and huge potential impact in terms of confidentiality, integrity, and availability. As we showed in the previous section, you can take full control over the vulnerable system with a crafted request. However, it is not likely the vulnerabilities will have the same impacts as the previous Log4Shell and Spring4Shell.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Application Security", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Exploit Public Facing Application via Apache Commons Text - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Exploit Public Facing Application via Apache Commons Text", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}]}, {"name": "Trickbot", "author": "Rod Soto, Teoderick Contreras, Splunk", "date": "2021-04-20", "version": 1, "id": "16f93769-8342-44c0-9b1d-f131937cce8e", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the trickbot banking trojan, including looking for file writes associated with its payload, process injection, shellcode execution and data collection even in LDAP environment.", "references": ["https://en.wikipedia.org/wiki/Trickbot", "https://blog.checkpoint.com/2021/03/11/february-2021s-most-wanted-malware-trickbot-takes-over-following-emotet-shutdown/"], "narrative": "trickbot banking trojan campaigns targeting banks and other vertical sectors.This malware is known in Microsoft Windows OS where target security Microsoft Defender to prevent its detection and removal. steal Verizon credentials and targeting banks using its multi component modules that collect and exfiltrate data.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA2541", "TA551"]}, {"mitre_attack_id": "T1590", "mitre_attack_technique": "Gather Victim Network Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["HAFNIUM"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}, {"mitre_attack_id": "T1590.005", "mitre_attack_technique": "IP Addresses", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["Andariel", "HAFNIUM", "Magic Hound"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT41", "BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Scattered Spider", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}], "mitre_attack_tactics": ["Lateral Movement", "Reconnaissance", "Initial Access", "Defense Evasion", "Persistence", "Execution", "Discovery", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation", "Reconnaissance"]}, "detection_names": ["ESCU - Account Discovery With Net App - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - Cobalt Strike Named Pipes - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Mshta spawning Rundll32 OR Regsvr32 Process - Rule", "ESCU - Office Application Spawn rundll32 process - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Office Product Spawning CertUtil - Rule", "ESCU - Powershell Remote Thread To Known Windows Process - Rule", "ESCU - Schedule Task with Rundll32 Command Trigger - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Rundll32 StartW - Rule", "ESCU - Trickbot Named Pipe - Rule", "ESCU - Wermgr Process Connecting To IP Check Web Services - Rule", "ESCU - Wermgr Process Create Executable File - Rule", "ESCU - Wermgr Process Spawned CMD Or Powershell Process - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Teoderick Contreras, Splunk", "author_name": "Rod Soto", "detections": [{"name": "Account Discovery With Net App", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Attempt To Stop Security Service", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Cobalt Strike Named Pipes", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Mshta spawning Rundll32 OR Regsvr32 Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}, {"name": "Office Application Spawn rundll32 process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawning CertUtil", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Powershell Remote Thread To Known Windows Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Schedule Task with Rundll32 Command Trigger", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Suspicious Rundll32 StartW", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Trickbot Named Pipe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Wermgr Process Connecting To IP Check Web Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Gather Victim Network Information"}, {"mitre_attack_technique": "IP Addresses"}]}, {"name": "Wermgr Process Create Executable File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}, {"name": "Wermgr Process Spawned CMD Or Powershell Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}]}, {"name": "Trusted Developer Utilities Proxy Execution", "author": "Michael Haag, Splunk", "date": "2021-01-12", "version": 1, "id": "270a67a6-55d8-11eb-ae93-0242ac130002", "description": "Monitor and detect behaviors used by attackers who leverage trusted developer utilities to execute malicious code.", "references": ["https://attack.mitre.org/techniques/T1127/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md", "https://lolbas-project.github.io/lolbas/Binaries/Microsoft.Workflow.Compiler/"], "narrative": "Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering. These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions.\nThe searches in this story help you detect and investigate suspicious activity that may indicate that an adversary is leveraging microsoft.workflow.compiler.exe to execute malicious code.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Suspicious microsoft workflow compiler rename - Rule", "ESCU - Suspicious microsoft workflow compiler usage - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Suspicious microsoft workflow compiler rename", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}]}, {"name": "Suspicious microsoft workflow compiler usage", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}]}]}, {"name": "Trusted Developer Utilities Proxy Execution MSBuild", "author": "Michael Haag, Splunk", "date": "2021-01-21", "version": 1, "id": "be3418e2-551b-11eb-ae93-0242ac130002", "description": "Monitor and detect techniques used by attackers who leverage the msbuild.exe process to execute malicious code.", "references": ["https://attack.mitre.org/techniques/T1127/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md", "https://github.com/infosecn1nja/MaliciousMacroMSBuild", "https://github.com/xorrior/RandomPS-Scripts/blob/master/Invoke-ExecuteMSBuild.ps1", "https://lolbas-project.github.io/lolbas/Binaries/Msbuild/", "https://github.com/MHaggis/CBR-Queries/blob/master/msbuild.md"], "narrative": "Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio and is native to Windows. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.\nThe inline task capability of MSBuild that was introduced in .NET version 4 allows for C# code to be inserted into an XML project file. MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application control defenses that are configured to allow MSBuild.exe execution.\nThe searches in this story help you detect and investigate suspicious activity that may indicate that an adversary is leveraging msbuild.exe to execute malicious code.\nTriage\nValidate execution\n1. Determine if MSBuild.exe executed. Validate the OriginalFileName of MSBuild.exe and further PE metadata.\n1. Determine if script code was executed with MSBuild.\nSituational Awareness\nThe objective of this step is meant to identify suspicious behavioral indicators related to executed of Script code by MSBuild.exe.\n1. Parent process. Is the parent process a known LOLBin? Is the parent process an Office Application?\n1. Module loads. Are the known MSBuild.exe modules being loaded by a non-standard application? Is MSbuild loading any suspicious .DLLs?\n1. Network connections. Any network connections? Review the reputation of the remote IP or domain.\nRetrieval of script code\nThe objective of this step is to confirm the executed script code is benign or malicious.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1127.001", "mitre_attack_technique": "MSBuild", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - MSBuild Suspicious Spawned By Script Process - Rule", "ESCU - Suspicious msbuild path - Rule", "ESCU - Suspicious MSBuild Rename - Rule", "ESCU - Suspicious MSBuild Spawn - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "MSBuild Suspicious Spawned By Script Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "MSBuild"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}]}, {"name": "Suspicious msbuild path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}, {"name": "Suspicious MSBuild Rename", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}, {"name": "Suspicious MSBuild Spawn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "MSBuild"}]}]}, {"name": "Unusual Processes", "author": "Bhavin Patel, Splunk", "date": "2020-02-04", "version": 2, "id": "f4368e3f-d59f-4192-84f6-748ac5a3ddb6", "description": "Quickly identify systems running new or unusual processes in your environment that could be indicators of suspicious activity. Processes run from unusual locations, those with conspicuously long command lines, and rare executables are all examples of activities that may warrant deeper investigation.", "references": ["https://web.archive.org/web/20210921093439/https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-two.html", "https://www.splunk.com/pdfs/technical-briefs/advanced-threat-detection-and-response-tech-brief.pdf", "https://www.sans.org/reading-room/whitepapers/logging/detecting-security-incidents-windows-workstation-event-logs-34262"], "narrative": "Being able to profile a host's processes within your environment can help you more quickly identify processes that seem out of place when compared to the rest of the population of hosts or asset types.\nThis Analytic Story lets you identify processes that are either a) not typically seen running or b) have some sort of suspicious command-line arguments associated with them. This Analytic Story will also help you identify the user running these processes and the associated process activity on the host.\nIn the event an unusual process is identified, it is imperative to better understand how that process was able to execute on the host, when it first executed, and whether other hosts are affected. This extra information may provide clues that can help the analyst further investigate any suspicious activity.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1588.002", "mitre_attack_technique": "Tool", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT19", "APT28", "APT29", "APT32", "APT33", "APT38", "APT39", "APT41", "Aoqin Dragon", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Carbanak", "Chimera", "Cinnamon Tempest", "Cleaver", "Cobalt Group", "CopyKittens", "DarkHydrus", "DarkVishnya", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN5", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "GALLIUM", "Gorgon Group", "HEXANE", "Inception", "IndigoZebra", "Ke3chang", "Kimsuky", "LAPSUS$", "Lazarus Group", "Leafminer", "LuminousMoth", "Magic Hound", "Metador", "Moses Staff", "MuddyWater", "POLONIUM", "Patchwork", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "TA2541", "TA505", "Threat Group-3390", "Thrip", "Turla", "Volt Typhoon", "WIRTE", "Whitefly", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1027.011", "mitre_attack_technique": "Fileless Storage", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "Turla"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}, {"mitre_attack_id": "T1036.008", "mitre_attack_technique": "Masquerade File Type", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Volt Typhoon"]}, {"mitre_attack_id": "T1595", "mitre_attack_technique": "Active Scanning", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1036.005", "mitre_attack_technique": "Match Legitimate Name or Location", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT32", "APT39", "APT41", "APT5", "Aoqin Dragon", "BRONZE BUTLER", "BackdoorDiplomacy", "Blue Mockingbird", "Carbanak", "Chimera", "Darkhotel", "Earth Lusca", "FIN13", "FIN7", "Ferocious Kitten", "Fox Kitten", "Gamaredon Group", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Naikon", "PROMETHIUM", "Patchwork", "Poseidon Group", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "Sowbug", "TA2541", "TeamTNT", "ToddyCat", "Transparent Tribe", "Tropic Trooper", "Volt Typhoon", "WIRTE", "Whitefly", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1218.012", "mitre_attack_technique": "Verclsid", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}], "mitre_attack_tactics": ["Resource Development", "Discovery", "Credential Access", "Initial Access", "Reconnaissance", "Defense Evasion", "Execution", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Reconnaissance", "Delivery", "Weaponization", "Installation", "Exploitation"]}, "detection_names": ["ESCU - Uncommon Processes On Endpoint - Rule", "ESCU - Attacker Tools On Endpoint - Rule", "ESCU - Detect processes used for System Network Configuration Discovery - Rule", "ESCU - Detect Rare Executables - Rule", "ESCU - Rundll32 Shimcache Flush - Rule", "ESCU - RunDLL Loading DLL By Ordinal - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Suspicious Process Executed From Container File - Rule", "ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - Unusually Long Command Line - Rule", "ESCU - Unusually Long Command Line - MLTK - Rule", "ESCU - Verclsid CLSID Execution - Rule", "ESCU - Windows DotNet Binary in Non Standard Path - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows NirSoft AdvancedRun - Rule", "ESCU - Windows Registry Payload Injection - Rule", "ESCU - Windows Remote Assistance Spawning Process - Rule", "ESCU - WinRM Spawning a Process - Rule", "ESCU - Wscript Or Cscript Suspicious Child Process - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Uncommon Processes On Endpoint", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "Malicious File"}]}, {"name": "Attacker Tools On Endpoint", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Match Legitimate Name or Location"}, {"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "Active Scanning"}]}, {"name": "Detect processes used for System Network Configuration Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Network Configuration Discovery"}]}, {"name": "Detect Rare Executables", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Rundll32 Shimcache Flush", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "RunDLL Loading DLL By Ordinal", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Suspicious Copy on System32", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "Masquerading"}]}, {"name": "Suspicious Process Executed From Container File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Malicious File"}, {"mitre_attack_technique": "Masquerade File Type"}]}, {"name": "System Processes Run From Unexpected Locations", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}, {"name": "Unusually Long Command Line", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Unusually Long Command Line - MLTK", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Verclsid CLSID Execution", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Verclsid"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}, {"name": "Windows DotNet Binary in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}, {"name": "Windows NirSoft AdvancedRun", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Tool"}]}, {"name": "Windows Registry Payload Injection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "Fileless Storage"}]}, {"name": "Windows Remote Assistance Spawning Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "WinRM Spawning a Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}, {"name": "Wscript Or Cscript Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Parent PID Spoofing"}, {"mitre_attack_technique": "Access Token Manipulation"}]}]}, {"name": "Use of Cleartext Protocols", "author": "Bhavin Patel, Splunk", "date": "2017-09-15", "version": 1, "id": "826e6431-aeef-41b4-9fc0-6d0985d65a21", "description": "Leverage searches that detect cleartext network protocols that may leak credentials or should otherwise be encrypted.", "references": ["https://www.monkey.org/~dugsong/dsniff/"], "narrative": "Various legacy protocols operate by default in the clear, without the protections of encryption. This potentially leaks sensitive information that can be exploited by passively sniffing network traffic. Depending on the protocol, this information could be highly sensitive, or could allow for session hijacking. In addition, these protocols send authentication information, which would allow for the harvesting of usernames and passwords that could potentially be used to authenticate and compromise secondary systems.", "tags": {"category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Protocols passing authentication in cleartext - Rule"], "investigation_names": ["Get Notable History", "Get Process Information For Port Activity"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Protocols passing authentication in cleartext", "source": "network", "type": "TTP", "tags": []}]}, {"name": "VMware Aria Operations vRealize CVE-2023-20887", "author": "Michael Haag, Splunk", "date": "2023-06-21", "version": 1, "id": "99171cdd-57a1-4b8a-873c-f8bee12e2025", "description": "CVE-2023-20887 is a critical vulnerability affecting VMware's vRealize Network Insight (also known as VMware Aria Operations for Networks). It allows a remote, unauthenticated attacker to execute arbitrary commands with root privileges via the Apache Thrift RPC interface. The exploit, which has a severity score of 9.8, targets an endpoint (\"/saas./resttosaasservlet\") in the application and delivers a malicious payload designed to create a reverse shell, granting the attacker control over the system. VMware has released an advisory recommending users to update to the latest version to mitigate this threat.", "references": ["https://nvd.nist.gov/vuln/detail/CVE-2023-20887", "https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/", "https://viz.greynoise.io/tag/VMware-aria-operations-for-networks-rce-attempt?days=30", "https://github.com/sinsinology/CVE-2023-20887"], "narrative": "CVE-2023-20887 is a highly critical vulnerability found in VMware's vRealize Network Insight. This software is widely used for intelligent operations management across physical, virtual, and cloud environments, so a vulnerability in it poses a significant risk to many organizations.\nThis particular vulnerability lies in the application's Apache Thrift RPC interface. The exploit allows an attacker to inject commands that are executed with root privileges, leading to a potential total compromise of the system. The attacker does not need to be authenticated, which further increases the risk posed by this vulnerability.\nThe exploit operates by sending a specially crafted payload to the \"/saas./resttosaasservlet\" endpoint. This payload contains a reverse shell command, which, when executed, allows the attacker to remotely control the victim's system. This control is obtained at the root level, providing the attacker with the ability to perform any action on the system.\nWhat makes this vulnerability particularly dangerous is its high severity score of 9.8, indicating it is a critical threat. It's also noteworthy that the exploitation of this vulnerability leaves specific indicators such as abnormal traffic to the \"/saas./resttosaasservlet\" endpoint and suspicious ncat commands in network traffic, which can help in its detection.\nVMware has acknowledged the vulnerability and has published a security advisory recommending that users update to the latest version of the software. This update effectively patches the vulnerability and protects systems from this exploit. It's crucial that all users of the affected versions of VMware's vRealize Network Insight promptly apply the update to mitigate the risk posed by CVE-2023-20887.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - VMWare Aria Operations Exploit Attempt - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "VMWare Aria Operations Exploit Attempt", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "External Remote Services"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "Exploitation of Remote Services"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}]}, {"name": "VMware Server Side Injection and Privilege Escalation", "author": "Michael Haag, Splunk", "date": "2022-05-19", "version": 1, "id": "d6d51cc2-a092-43b7-9f61-1159943afe39", "description": "Recently disclosed CVE-2022-22954 and CVE-2022-22960 have been identified in the wild abusing VMware products to compromise internet faced devices and escalate privileges.", "references": ["https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954/rapid7-analysis", "https://www.cisa.gov/uscert/ncas/alerts/aa22-138b"], "narrative": "On April 6, 2022, VMware published VMSA-2022-0011, which discloses multiple vulnerabilities discovered by Steven Seeley (mr_me) of Qihoo 360 Vulnerability Research Institute. The most critical of the CVEs published in VMSA-2022-0011 is CVE-2022-22954, which is a server-side template injection issue with a CVSSv3 base score of 9.8. The vulnerability allows an unauthenticated user with network access to the web interface to execute an arbitrary shell command as the VMware user. To further exacerbate this issue, VMware also disclosed a local privilege escalation issue, CVE-2022-22960, which permits the attacker to gain root after exploiting CVE-2022-22954. Products affected include - VMware Workspace ONE Access (Access) 20.10.0.0 - 20.10.0.1, 21.08.0.0 - 21.08.0.1 and VMware Identity Manager (vIDM) 3.3.3 - 3.3.6.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}], "mitre_attack_tactics": ["Persistence", "Initial Access"], "datamodels": ["Web"], "kill_chain_phases": ["Delivery", "Installation"]}, "detection_names": ["ESCU - VMware Server Side Template Injection Hunt - Rule", "ESCU - VMware Workspace ONE Freemarker Server-side Template Injection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "VMware Server Side Template Injection Hunt", "source": "web", "type": "Hunting", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "VMware Workspace ONE Freemarker Server-side Template Injection", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}]}, {"name": "Volt Typhoon", "author": "Teoderick Contreras, Splunk", "date": "2023-05-25", "version": 1, "id": "f73010e4-49eb-44ef-9f3f-2c25a1ae5415", "description": "This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the \"Volt Typhoon\" group targeting critical infrastructure organizations in United States and Guam. The affected organizations include the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors. This Analytic story looks for suspicious process execution, lolbin execution, command-line activity, lsass dump and many more.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "narrative": "Volt Typhoon is a state sponsored group typically focuses on espionage and information gathering. Based on Microsoft Threat Intelligence, This threat actor group puts strong emphasis on stealth in this campaign by relying almost exclusively on living-off-the-land techniques and hands-on-keyboard activity.\nThey issue commands via the command line to: 1. collect data, including credentials from local and network systems,\n2. put the data into an archive file to stage it for exfiltration, and then\n3. use the stolen valid credentials to maintain persistence.\nIn addition, Volt Typhoon tries to blend into normal network activity by routing traffic through compromised small office and home office (SOHO) network equipment, including routers, firewalls, and VPN hardware. They have also been observed using custom versions of open-source tools to establish a command and control (C2) channel over proxy to further stay under the radar.", "tags": {"category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}, {"mitre_attack_id": "T1003.003", "mitre_attack_technique": "NTDS", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "HAFNIUM", "Ke3chang", "LAPSUS$", "Mustang Panda", "Sandworm Team", "Scattered Spider", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "FIN7", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "ToddyCat", "Turla", "Volt Typhoon"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "Cinnamon Tempest", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "MoustachedBouncer", "POLONIUM", "Sandworm Team", "Turla", "Volt Typhoon", "Windigo"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "APT5", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1590.002", "mitre_attack_technique": "DNS", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1090.001", "mitre_attack_technique": "Internal Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT39", "FIN13", "Higaisa", "Lazarus Group", "Strider", "Turla", "Volt Typhoon"]}, {"mitre_attack_id": "T1059.007", "mitre_attack_technique": "JavaScript", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "Cobalt Group", "Earth Lusca", "Ember Bear", "Evilnum", "FIN6", "FIN7", "Higaisa", "Indrik Spider", "Kimsuky", "LazyScripter", "Leafminer", "Molerats", "MoustachedBouncer", "MuddyWater", "Sidewinder", "Silence", "TA505", "Turla"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT", "ToddyCat"]}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Lateral Movement", "Reconnaissance", "Persistence", "Execution", "Privilege Escalation", "Impact", "Discovery", "Defense Evasion"], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": ["Command and Control", "Reconnaissance", "Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Creation of Shadow Copy - Rule", "ESCU - Creation of Shadow Copy with wmic and powershell - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Elevated Group Discovery With Net - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Extraction of Registry Hives - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Ntdsutil Export NTDS - Rule", "ESCU - Processes launching netsh - Rule", "ESCU - Remote WMI Command Attempt - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows DNS Gather Network Info - Rule", "ESCU - Windows Ldifde Directory Object Behavior - Rule", "ESCU - Windows Mimikatz Binary Execution - Rule", "ESCU - Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos - Rule", "ESCU - Windows Multiple Invalid Users Fail To Authenticate Using Kerberos - Rule", "ESCU - Windows Multiple Invalid Users Failed To Authenticate Using NTLM - Rule", "ESCU - Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials - Rule", "ESCU - Windows Multiple Users Failed To Authenticate From Host Using NTLM - Rule", "ESCU - Windows Multiple Users Failed To Authenticate From Process - Rule", "ESCU - Windows Multiple Users Failed To Authenticate Using Kerberos - Rule", "ESCU - Windows Multiple Users Remotely Failed To Authenticate From Host - Rule", "ESCU - Windows Proxy Via Netsh - Rule", "ESCU - Windows Proxy Via Registry - Rule", "ESCU - Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM - Rule", "ESCU - Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials - Rule", "ESCU - Windows Unusual Count Of Users Failed To Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Users Failed To Authenticate From Process - Rule", "ESCU - Windows Unusual Count Of Users Failed To Authenticate Using NTLM - Rule", "ESCU - Windows Unusual Count Of Users Remotely Failed To Auth From Host - Rule", "ESCU - Windows WMI Process Call Create - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}, {"name": "Creation of Shadow Copy", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Creation of Shadow Copy with wmic and powershell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Elevated Group Discovery With Net", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Extraction of Registry Hives", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}, {"name": "Malicious PowerShell Process - Execution Policy Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}, {"name": "Network Connection Discovery With Arp", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "Ntdsutil Export NTDS", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Processes launching netsh", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Remote WMI Command Attempt", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "Suspicious Copy on System32", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "Masquerading"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "System Network Connections Discovery"}, {"mitre_attack_technique": "System Owner/User Discovery"}, {"mitre_attack_technique": "System Shutdown/Reboot"}, {"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows DNS Gather Network Info", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "DNS"}]}, {"name": "Windows Ldifde Directory Object Behavior", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}, {"mitre_attack_technique": "Domain Groups"}]}, {"name": "Windows Mimikatz Binary Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Multiple Invalid Users Fail To Authenticate Using Kerberos", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Multiple Invalid Users Failed To Authenticate Using NTLM", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Multiple Users Failed To Authenticate From Host Using NTLM", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Multiple Users Failed To Authenticate From Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Multiple Users Failed To Authenticate Using Kerberos", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Multiple Users Remotely Failed To Authenticate From Host", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Proxy Via Netsh", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Internal Proxy"}, {"mitre_attack_technique": "Proxy"}]}, {"name": "Windows Proxy Via Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Internal Proxy"}, {"mitre_attack_technique": "Proxy"}]}, {"name": "Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Unusual Count Of Users Failed To Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Unusual Count Of Users Failed To Authenticate From Process", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Unusual Count Of Users Failed To Authenticate Using NTLM", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Unusual Count Of Users Remotely Failed To Auth From Host", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows WMI Process Call Create", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}]}, {"name": "Warzone RAT", "author": "Teoderick Contreras, Splunk", "date": "2023-07-26", "version": 1, "id": "8dc84752-f4da-4285-931c-bddd5c4d440b", "description": "This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might related to warzone (Ave maria) RAT. This analytic story looks for suspicious process execution, command-line activity, downloads, persistence, defense evasion and more.", "references": ["https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/warzone#:~:text=Warzone%20RAT%20(AKA%20Ave%20Maria)%20is%20a%20remote%20access%20trojan,is%20as%20an%20information%20stealer.", "https://tccontre.blogspot.com/2020/02/2-birds-in-one-stone-ave-maria-wshrat.html"], "narrative": "Warzone RAT, also known as Ave Maria, is a sophisticated remote access trojan (RAT) that surfaced in January 2019. Originally offered as malware-as-a-service (MaaS), it rapidly gained notoriety and became one of the most prominent malware strains by 2020. Its exceptional capabilities in stealth and anti-analysis techniques make it a formidable threat in various campaigns, including those targeting sensitive geopolitical entities. The malware's impact is particularly concerning as it has been associated with attacks aimed at compromising government employees and military personnel, notably within India's National Informatics Centre (NIC). Its deployment by several advanced persistent threat (APT) groups further underlines its potency and adaptability in the hands of skilled threat actors. Warzone RAT's capabilities enable attackers to gain unauthorized access to targeted systems, facilitating data theft, surveillance, and the potential to wreak havoc on critical infrastructures. As the threat landscape continues to evolve, vigilance and robust cybersecurity measures are crucial in defending against such malicious tools.\" This version provides more context and elaborates on the malware's capabilities and potential impact. Additionally, it emphasizes the importance of cybersecurity measures to combat such threats effectively.", "tags": {"category": ["Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1497", "mitre_attack_technique": "Virtualization/Sandbox Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": ["Darkhotel"]}, {"mitre_attack_id": "T1497.003", "mitre_attack_technique": "Time Based Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1055.002", "mitre_attack_technique": "Portable Executable Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Gorgon Group", "Rocke"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1553.005", "mitre_attack_technique": "Mark-of-the-Web Bypass", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "TA505"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "Malteiro", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1204.001", "mitre_attack_technique": "Malicious Link", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "APT41", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "Volt Typhoon", "ZIRCONIUM"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "APT41", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Malteiro", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}], "mitre_attack_tactics": ["Discovery", "Credential Access", "Initial Access", "Defense Evasion", "Persistence", "Execution", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation"]}, "detection_names": ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Create Remote Thread In Shell Application - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Hide User Account From Sign-In Screen - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Office Application Drop Executable - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Ping Sleep Batch Command - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Bypass UAC via Pkgmgr Tool - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule", "ESCU - Windows Defender Exclusion Registry Entry - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Mark Of The Web Bypass - Rule", "ESCU - Windows Modify Registry MaxConnectionPerServer - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule", "ESCU - Windows Process Injection Remote Thread - Rule", "ESCU - Windows Unsigned DLL Side-Loading - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Create Remote Thread In Shell Application", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Hide User Account From Sign-In Screen", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "Office Application Drop Executable", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Ping Sleep Batch Command", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Virtualization/Sandbox Evasion"}, {"mitre_attack_technique": "Time Based Evasion"}]}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Windows Bypass UAC via Pkgmgr Tool", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}]}, {"name": "Windows Credentials from Password Stores Chrome LocalState Access", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Credentials from Password Stores Chrome Login Data Access", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Defender Exclusion Registry Entry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Malicious Link"}, {"mitre_attack_technique": "User Execution"}]}, {"name": "Windows Mark Of The Web Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Mark-of-the-Web Bypass"}]}, {"name": "Windows Modify Registry MaxConnectionPerServer", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}, {"name": "Windows Process Injection Remote Thread", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Portable Executable Injection"}]}, {"name": "Windows Unsigned DLL Side-Loading", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "DLL Side-Loading"}]}]}, {"name": "WhisperGate", "author": "Teoderick Contreras, Splunk", "date": "2022-01-19", "version": 1, "id": "0150e6e5-3171-442e-83f8-1ccd8599569b", "description": "This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the destructive malware targeting Ukrainian organizations also known as \"WhisperGate\". This analytic story looks for suspicious process execution, command-line activity, downloads, DNS queries and more.", "references": ["https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3"], "narrative": "WhisperGate/DEV-0586 is destructive malware operation found by MSTIC (Microsoft Threat Inteligence Center) targeting multiple organizations in Ukraine. This operation campaign consist of several malware component like the downloader that abuses discord platform, overwrite or destroy master boot record (MBR) of the targeted host, wiper and also windows defender evasion techniques.", "tags": {"category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1561.002", "mitre_attack_technique": "Disk Structure Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1497", "mitre_attack_technique": "Virtualization/Sandbox Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": ["Darkhotel"]}, {"mitre_attack_id": "T1497.003", "mitre_attack_technique": "Time Based Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1588.002", "mitre_attack_technique": "Tool", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT19", "APT28", "APT29", "APT32", "APT33", "APT38", "APT39", "APT41", "Aoqin Dragon", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Carbanak", "Chimera", "Cinnamon Tempest", "Cleaver", "Cobalt Group", "CopyKittens", "DarkHydrus", "DarkVishnya", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN5", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "GALLIUM", "Gorgon Group", "HEXANE", "Inception", "IndigoZebra", "Ke3chang", "Kimsuky", "LAPSUS$", "Lazarus Group", "Leafminer", "LuminousMoth", "Magic Hound", "Metador", "Moses Staff", "MuddyWater", "POLONIUM", "Patchwork", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "TA2541", "TA505", "Threat Group-3390", "Thrip", "Turla", "Volt Typhoon", "WIRTE", "Whitefly", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1561", "mitre_attack_technique": "Disk Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1059.005", "mitre_attack_technique": "Visual Basic", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT33", "APT37", "APT38", "APT39", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Earth Lusca", "FIN13", "FIN4", "FIN7", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "Transparent Tribe", "Turla", "WIRTE", "Windshift"]}, {"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}], "mitre_attack_tactics": ["Resource Development", "Lateral Movement", "Persistence", "Execution", "Privilege Escalation", "Impact", "Discovery", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Weaponization", "Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Excessive File Deletion In WinDefender Folder - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Ping Sleep Batch Command - Rule", "ESCU - Powershell Remove Windows Defender Directory - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Process Deleting Its Process File Path - Rule", "ESCU - Suspicious Process DNS Query Known Abuse Web Services - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Process With Discord DNS Query - Rule", "ESCU - Windows DotNet Binary in Non Standard Path - Rule", "ESCU - Windows High File Deletion Frequency - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows NirSoft AdvancedRun - Rule", "ESCU - Windows NirSoft Utilities - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - Wscript Or Cscript Suspicious Child Process - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Add or Set Windows Defender Exclusion", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Attempt To Stop Security Service", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Excessive File Deletion In WinDefender Folder", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}, {"name": "Ping Sleep Batch Command", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Virtualization/Sandbox Evasion"}, {"mitre_attack_technique": "Time Based Evasion"}]}, {"name": "Powershell Remove Windows Defender Directory", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Process Deleting Its Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Suspicious Process DNS Query Known Abuse Web Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Visual Basic"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Suspicious Process With Discord DNS Query", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Visual Basic"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows DotNet Binary in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}, {"name": "Windows High File Deletion Frequency", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}, {"name": "Windows NirSoft AdvancedRun", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Tool"}]}, {"name": "Windows NirSoft Utilities", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Tool"}]}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}, {"name": "Wscript Or Cscript Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Parent PID Spoofing"}, {"mitre_attack_technique": "Access Token Manipulation"}]}]}, {"name": "Windows AppLocker", "author": "Michael Haag, Splunk", "date": "2024-03-21", "version": 1, "id": "7911b245-e74d-48db-b1cf-69f3eb02ca55", "description": "Windows AppLocker is a feature that enhances security by allowing administrators to specify which users or groups can run particular applications in their organization based on unique identities of files. This story covers various aspects of monitoring and managing AppLocker policies, including detecting unauthorized software installations, enforcing best practices for software usage, and identifying potential security breaches through advanced threat detection techniques. Through the use of Splunk Enterprise, Splunk Enterprise Security, and Splunk Cloud, organizations can gain insights into AppLocker events, ensuring compliance with corporate security policies and mitigating risks associated with unauthorized applications.", "references": [], "narrative": "AppLocker, a built-in Windows security feature, provides organizations with the ability to control application usage across their networks. It enables administrators to define rules based on file names, publishers, and file hashes to allow or deny the execution of applications. This level of control helps in preventing malware and unlicensed software from running, thereby enhancing the security posture of an organization. \\\nOrganizations should leverage AppLocker for several reasons. Firstly, it aids in the enforcement of software compliance policies by ensuring that only licensed and approved applications are run on the network. Secondly, by restricting the execution of unauthorized applications, AppLocker significantly reduces the attack surface, making it harder for attackers to exploit vulnerabilities in unapproved software. Thirdly, AppLocker's ability to log attempts to run unauthorized applications provides valuable insights for security monitoring and incident response activities. This logging capability enables organizations to detect and respond to potential security threats in real time. \\\nIn summary, AppLocker is a critical security tool that helps organizations manage application usage, enforce compliance policies, and mitigate security risks. By implementing AppLocker policies, organizations can achieve a robust security posture, protecting their assets from unauthorized software and potential cyber threats.", "tags": {"category": ["Unauthorized Software", "Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": [], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Windows AppLocker Block Events - Rule", "ESCU - Windows AppLocker Execution from Uncommon Locations - Rule", "ESCU - Windows AppLocker Privilege Escalation via Unauthorized Bypass - Rule", "ESCU - Windows AppLocker Rare Application Launch Detection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows AppLocker Block Events", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}]}, {"name": "Windows AppLocker Execution from Uncommon Locations", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}]}, {"name": "Windows AppLocker Privilege Escalation via Unauthorized Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}]}, {"name": "Windows AppLocker Rare Application Launch Detection", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}]}]}, {"name": "Windows Attack Surface Reduction", "author": "Michael Haag, Splunk", "date": "2023-11-27", "version": 1, "id": "1d61c474-3cd6-4c23-8c68-f128ac4b209b", "description": "This story contains detections for Windows Attack Surface Reduction (ASR) events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This story contains detections for ASR events that are generated when a process or application attempts to perform an action that is blocked by an ASR rule.", "references": ["https://asrgen.streamlit.app/", "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction?view=o365-worldwide"], "narrative": "This story contains detections for Windows Attack Surface Reduction (ASR) events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This story contains detections for ASR events that are generated when a process or application attempts to perform an action that is blocked by an ASR rule. It includes detections for both block and audit event IDs. Block event IDs are generated when an action is blocked by an ASR rule, while audit event IDs are generated when an action that would be blocked by an ASR rule is allowed to proceed for auditing purposes.", "tags": {"category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1566.002", "mitre_attack_technique": "Spearphishing Link", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Execution", "Defense Evasion", "Initial Access"], "datamodels": [], "kill_chain_phases": ["Delivery", "Installation", "Exploitation"]}, "detection_names": ["ESCU - Windows Defender ASR Audit Events - Rule", "ESCU - Windows Defender ASR Block Events - Rule", "ESCU - Windows Defender ASR Registry Modification - Rule", "ESCU - Windows Defender ASR Rule Disabled - Rule", "ESCU - Windows Defender ASR Rules Stacking - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Defender ASR Audit Events", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Spearphishing Link"}]}, {"name": "Windows Defender ASR Block Events", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Spearphishing Link"}]}, {"name": "Windows Defender ASR Registry Modification", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Defender ASR Rule Disabled", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Defender ASR Rules Stacking", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Spearphishing Link"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}]}, {"name": "Windows BootKits", "author": "Michael Haag, Splunk", "date": "2023-05-03", "version": 1, "id": "1bef004d-23b2-4c49-8ceb-b59af0745317", "description": "Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/", "https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/"], "narrative": "A bootkit is a sophisticated type of malware that targets the boot sectors of a hard drive, specifically the Master Boot Record (MBR) and Volume Boot Record (VBR). The MBR is the initial section of the disk that is loaded following the hardware initialization process executed by the Basic Input/Output System (BIOS). It houses the boot loader, which is responsible for loading the operating system. In contrast, the VBR is located at the beginning of each partition and contains the boot code for that specific partition. When an adversary gains raw access to the boot drive, they can overwrite the MBR or VBR, effectively diverting the execution during startup from the standard boot loader to the malicious code injected by the attacker. This tampering allows the malware to load before the operating system, enabling it to execute malicious activities stealthily and maintain persistence on the compromised system. Bootkits are particularly dangerous because they can bypass security measures implemented by the operating system and antivirus software. Since they load before the operating system, they can easily evade detection and manipulate the system's behavior from the earliest stages of the boot process. This capability makes bootkits a potent tool in an attacker's arsenal for gaining unauthorized access, stealing sensitive information, or launching further attacks on other systems. To defend against bootkit attacks, organizations should implement multiple layers of security, including strong endpoint protection, regular software updates, user awareness training, and monitoring for unusual system behavior. Additionally, hardware-based security features, such as Unified Extensible Firmware Interface (UEFI) Secure Boot and Trusted Platform Module (TPM), can help protect the integrity of the boot process and reduce the risk of bootkit infections.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1542.001", "mitre_attack_technique": "System Firmware", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1542", "mitre_attack_technique": "Pre-OS Boot", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Persistence", "Defense Evasion"], "datamodels": [], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - Windows BootLoader Inventory - Rule", "ESCU - Windows Registry BootExecute Modification - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows BootLoader Inventory", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Firmware"}, {"mitre_attack_technique": "Pre-OS Boot"}]}, {"name": "Windows Registry BootExecute Modification", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Pre-OS Boot"}, {"mitre_attack_technique": "Registry Run Keys / Startup Folder"}]}]}, {"name": "Windows Certificate Services", "author": "Michael Haag, Splunk", "date": "2023-02-01", "version": 1, "id": "b92b4ac7-0026-4408-a6b5-c1d20658e124", "description": "Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material.", "references": ["https://attack.mitre.org/techniques/T1649/"], "narrative": "The following analytic story focuses on remote and local endpoint certificate theft and abuse. Authentication certificates can be both stolen and forged. For example, AD CS certificates can be stolen from encrypted storage (in the Registry or files), misplaced certificate files (i.e. Unsecured Credentials), or directly from the Windows certificate store via various crypto APIs.With appropriate enrollment rights, users and/or machines within a domain can also request and/or manually renew certificates from enterprise certificate authorities (CA). This enrollment process defines various settings and permissions associated with the certificate. Abusing certificates for authentication credentials may enable other behaviors such as Lateral Movement. Certificate-related misconfigurations may also enable opportunities for Privilege Escalation, by way of allowing users to impersonate or assume privileged accounts or permissions via the identities (SANs) associated with a certificate. These abuses may also enable Persistence via stealing or forging certificates that can be used as Valid Accounts for the duration of the certificate's validity, despite user password resets. Authentication certificates can also be stolen and forged for machine accounts. (MITRE ATT&CK)", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1552.004", "mitre_attack_technique": "Private Keys", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Rocke", "Scattered Spider", "TeamTNT"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Lateral Movement", "Collection", "Execution", "Defense Evasion"], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": ["Command and Control", "Installation", "Exploitation"]}, "detection_names": ["ESCU - Certutil exe certificate extraction - Rule", "ESCU - Detect Certify Command Line Arguments - Rule", "ESCU - Detect Certify With PowerShell Script Block Logging - Rule", "ESCU - Detect Certipy File Modifications - Rule", "ESCU - Steal or Forge Authentication Certificates Behavior Identified - Rule", "ESCU - Windows Export Certificate - Rule", "ESCU - Windows Mimikatz Crypto Export File Extensions - Rule", "ESCU - Windows PowerShell Export Certificate - Rule", "ESCU - Windows PowerShell Export PfxCertificate - Rule", "ESCU - Windows Steal Authentication Certificates - ESC1 Abuse - Rule", "ESCU - Windows Steal Authentication Certificates - ESC1 Authentication - Rule", "ESCU - Windows Steal Authentication Certificates Certificate Issued - Rule", "ESCU - Windows Steal Authentication Certificates Certificate Request - Rule", "ESCU - Windows Steal Authentication Certificates CertUtil Backup - Rule", "ESCU - Windows Steal Authentication Certificates CryptoAPI - Rule", "ESCU - Windows Steal Authentication Certificates CS Backup - Rule", "ESCU - Windows Steal Authentication Certificates Export Certificate - Rule", "ESCU - Windows Steal Authentication Certificates Export PfxCertificate - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Certutil exe certificate extraction", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Certify Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Detect Certify With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Detect Certipy File Modifications", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}, {"mitre_attack_technique": "Archive Collected Data"}]}, {"name": "Steal or Forge Authentication Certificates Behavior Identified", "source": "endpoint", "type": "Correlation", "tags": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}, {"name": "Windows Export Certificate", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Private Keys"}, {"mitre_attack_technique": "Unsecured Credentials"}, {"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}, {"name": "Windows Mimikatz Crypto Export File Extensions", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}, {"name": "Windows PowerShell Export Certificate", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Private Keys"}, {"mitre_attack_technique": "Unsecured Credentials"}, {"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}, {"name": "Windows PowerShell Export PfxCertificate", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Private Keys"}, {"mitre_attack_technique": "Unsecured Credentials"}, {"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}, {"name": "Windows Steal Authentication Certificates - ESC1 Abuse", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}, {"name": "Windows Steal Authentication Certificates - ESC1 Authentication", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}, {"mitre_attack_technique": "Use Alternate Authentication Material"}]}, {"name": "Windows Steal Authentication Certificates Certificate Issued", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}, {"name": "Windows Steal Authentication Certificates Certificate Request", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}, {"name": "Windows Steal Authentication Certificates CertUtil Backup", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}, {"name": "Windows Steal Authentication Certificates CryptoAPI", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}, {"name": "Windows Steal Authentication Certificates CS Backup", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}, {"name": "Windows Steal Authentication Certificates Export Certificate", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}, {"name": "Windows Steal Authentication Certificates Export PfxCertificate", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}]}, {"name": "Windows Defense Evasion Tactics", "author": "David Dorsey, Splunk", "date": "2018-05-31", "version": 1, "id": "56e24a28-5003-4047-b2db-e8f3c4618064", "description": "Detect tactics used by malware to evade defenses on Windows endpoints. A few of these include suspicious `reg.exe` processes, files hidden with `attrib.exe` and disabling user-account control, among many others ", "references": ["https://attack.mitre.org/wiki/Defense_Evasion"], "narrative": "Defense evasion is a tactic--identified in the MITRE ATT&CK framework--that adversaries employ in a variety of ways to bypass or defeat defensive security measures. There are many techniques enumerated by the MITRE ATT&CK framework that are applicable in this context. This Analytic Story includes searches designed to identify the use of such techniques on Windows platforms.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1564.001", "mitre_attack_technique": "Hidden Files and Directories", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "FIN13", "HAFNIUM", "Lazarus Group", "LuminousMoth", "Mustang Panda", "Rocke", "Transparent Tribe", "Tropic Trooper"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1574.001", "mitre_attack_technique": "DLL Search Order Hijacking", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT41", "Aquatic Panda", "BackdoorDiplomacy", "Cinnamon Tempest", "Evilnum", "RTM", "Threat Group-3390", "Tonto Team", "Whitefly", "menuPass"]}, {"mitre_attack_id": "T1564", "mitre_attack_technique": "Hide Artifacts", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1222.001", "mitre_attack_technique": "Windows File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Cinnamon Tempest", "Earth Lusca", "FIN13", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1027.004", "mitre_attack_technique": "Compile After Delivery", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Gamaredon Group", "MuddyWater", "Rocke"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134.004", "mitre_attack_technique": "Parent PID Spoofing", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1055.001", "mitre_attack_technique": "Dynamic-link Library Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["BackdoorDiplomacy", "Lazarus Group", "Leviathan", "Malteiro", "Putter Panda", "TA505", "Tropic Trooper", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1564.004", "mitre_attack_technique": "NTFS File Attributes", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "APT5", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1562.002", "mitre_attack_technique": "Disable Windows Event Logging", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound", "Threat Group-3390"]}, {"mitre_attack_id": "T1505.004", "mitre_attack_technique": "IIS Components", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.014", "mitre_attack_technique": "MMC", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT", "ToddyCat"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence", "Execution", "Impact", "Discovery", "Privilege Escalation"], "datamodels": ["Risk", "Change", "Endpoint", "Updates", "Web"], "kill_chain_phases": ["Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Reg exe used to hide files directories via registry keys - Rule", "ESCU - Remote Registry Key modifications - Rule", "ESCU - Windows DLL Search Order Hijacking Hunt - Rule", "ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - CSC Net On The Fly Compilation - Rule", "ESCU - Disable Registry Tool - Rule", "ESCU - Disable Security Logs Using MiniNt Registry - Rule", "ESCU - Disable Show Hidden Files - Rule", "ESCU - Disable UAC Remote Restriction - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Disable Windows SmartScreen Protection - Rule", "ESCU - Disabling CMD Application - Rule", "ESCU - Disabling ControlPanel - Rule", "ESCU - Disabling Firewall with Netsh - Rule", "ESCU - Disabling FolderOptions Windows Feature - Rule", "ESCU - Disabling NoRun Windows App - Rule", "ESCU - Disabling Remote User Account Control - Rule", "ESCU - Disabling SystemRestore In Registry - Rule", "ESCU - Disabling Task Manager - Rule", "ESCU - Disabling Windows Local Security Authority Defences via Registry - Rule", "ESCU - Eventvwr UAC Bypass - Rule", "ESCU - Excessive number of service control start as disabled - Rule", "ESCU - Firewall Allowed Program Enable - Rule", "ESCU - FodHelper UAC Bypass - Rule", "ESCU - Hiding Files And Directories With Attrib exe - Rule", "ESCU - NET Profiler UAC bypass - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Sdclt UAC Bypass - Rule", "ESCU - SilentCleanup UAC Bypass - Rule", "ESCU - SLUI RunAs Elevated - Rule", "ESCU - SLUI Spawning a Process - Rule", "ESCU - Suspicious Reg exe Process - Rule", "ESCU - UAC Bypass MMC Load Unsigned Dll - Rule", "ESCU - Windows Alternate DataStream - Base64 Content - Rule", "ESCU - Windows Alternate DataStream - Executable Content - Rule", "ESCU - Windows Alternate DataStream - Process Execution - Rule", "ESCU - Windows Command and Scripting Interpreter Hunting Path Traversal - Rule", "ESCU - Windows Command and Scripting Interpreter Path Traversal Exec - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows Defender Exclusion Registry Entry - Rule", "ESCU - Windows Disable Change Password Through Registry - Rule", "ESCU - Windows Disable Lock Workstation Feature Through Registry - Rule", "ESCU - Windows Disable Notification Center - Rule", "ESCU - Windows Disable Windows Event Logging Disable HTTP Logging - Rule", "ESCU - Windows Disable Windows Group Policy Features Through Registry - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows DISM Remove Defender - Rule", "ESCU - Windows DLL Search Order Hijacking Hunt with Sysmon - Rule", "ESCU - Windows DLL Search Order Hijacking with iscsicpl - Rule", "ESCU - Windows Event For Service Disabled - Rule", "ESCU - Windows Excessive Disabled Services Event - Rule", "ESCU - Windows Hide Notification Features Through Registry - Rule", "ESCU - Windows Impair Defense Change Win Defender Health Check Intervals - Rule", "ESCU - Windows Impair Defense Change Win Defender Quick Scan Interval - Rule", "ESCU - Windows Impair Defense Change Win Defender Throttle Rate - Rule", "ESCU - Windows Impair Defense Change Win Defender Tracing Level - Rule", "ESCU - Windows Impair Defense Configure App Install Control - Rule", "ESCU - Windows Impair Defense Define Win Defender Threat Action - Rule", "ESCU - Windows Impair Defense Delete Win Defender Context Menu - Rule", "ESCU - Windows Impair Defense Delete Win Defender Profile Registry - Rule", "ESCU - Windows Impair Defense Disable Controlled Folder Access - Rule", "ESCU - Windows Impair Defense Disable Defender Firewall And Network - Rule", "ESCU - Windows Impair Defense Disable Defender Protocol Recognition - Rule", "ESCU - Windows Impair Defense Disable PUA Protection - Rule", "ESCU - Windows Impair Defense Disable Realtime Signature Delivery - Rule", "ESCU - Windows Impair Defense Disable Web Evaluation - Rule", "ESCU - Windows Impair Defense Disable Win Defender App Guard - Rule", "ESCU - Windows Impair Defense Disable Win Defender Compute File Hashes - Rule", "ESCU - Windows Impair Defense Disable Win Defender Gen reports - Rule", "ESCU - Windows Impair Defense Disable Win Defender Network Protection - Rule", "ESCU - Windows Impair Defense Disable Win Defender Report Infection - Rule", "ESCU - Windows Impair Defense Disable Win Defender Scan On Update - Rule", "ESCU - Windows Impair Defense Disable Win Defender Signature Retirement - Rule", "ESCU - Windows Impair Defense Overide Win Defender Phishing Filter - Rule", "ESCU - Windows Impair Defense Override SmartScreen Prompt - Rule", "ESCU - Windows Impair Defense Set Win Defender Smart Screen Level To Warn - Rule", "ESCU - Windows Impair Defenses Disable HVCI - Rule", "ESCU - Windows Impair Defenses Disable Win Defender Auto Logging - Rule", "ESCU - Windows Known Abused DLL Created - Rule", "ESCU - Windows Modify Show Compress Color And Info Tip Registry - Rule", "ESCU - Windows Parent PID Spoofing with Explorer - Rule", "ESCU - Windows PowerShell Disable HTTP Logging - Rule", "ESCU - Windows Process With NamedPipe CommandLine - Rule", "ESCU - Windows Rasautou DLL Execution - Rule", "ESCU - Windows UAC Bypass Suspicious Child Process - Rule", "ESCU - Windows UAC Bypass Suspicious Escalation Behavior - Rule", "ESCU - WSReset UAC Bypass - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Reg exe used to hide files directories via registry keys", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Hidden Files and Directories"}]}, {"name": "Remote Registry Key modifications", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Windows DLL Search Order Hijacking Hunt", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "DLL Search Order Hijacking"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "Add or Set Windows Defender Exclusion", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "CSC Net On The Fly Compilation", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Compile After Delivery"}, {"mitre_attack_technique": "Obfuscated Files or Information"}]}, {"name": "Disable Registry Tool", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}, {"name": "Disable Security Logs Using MiniNt Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Disable Show Hidden Files", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Hidden Files and Directories"}, {"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Hide Artifacts"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}, {"name": "Disable UAC Remote Restriction", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Windows SmartScreen Protection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disabling CMD Application", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}, {"name": "Disabling ControlPanel", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}, {"name": "Disabling Firewall with Netsh", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disabling FolderOptions Windows Feature", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disabling NoRun Windows App", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}, {"name": "Disabling Remote User Account Control", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Disabling SystemRestore In Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Disabling Task Manager", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disabling Windows Local Security Authority Defences via Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Authentication Process"}]}, {"name": "Eventvwr UAC Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Excessive number of service control start as disabled", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Firewall Allowed Program Enable", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "FodHelper UAC Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}, {"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Hiding Files And Directories With Attrib exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "Windows File and Directory Permissions Modification"}]}, {"name": "NET Profiler UAC bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Sdclt UAC Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "SilentCleanup UAC Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "SLUI RunAs Elevated", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "SLUI Spawning a Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Suspicious Reg exe Process", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "UAC Bypass MMC Load Unsigned Dll", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}, {"mitre_attack_technique": "MMC"}]}, {"name": "Windows Alternate DataStream - Base64 Content", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Hide Artifacts"}, {"mitre_attack_technique": "NTFS File Attributes"}]}, {"name": "Windows Alternate DataStream - Executable Content", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Hide Artifacts"}, {"mitre_attack_technique": "NTFS File Attributes"}]}, {"name": "Windows Alternate DataStream - Process Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Hide Artifacts"}, {"mitre_attack_technique": "NTFS File Attributes"}]}, {"name": "Windows Command and Scripting Interpreter Hunting Path Traversal", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows Command and Scripting Interpreter Path Traversal Exec", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "System Network Connections Discovery"}, {"mitre_attack_technique": "System Owner/User Discovery"}, {"mitre_attack_technique": "System Shutdown/Reboot"}, {"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows Defender Exclusion Registry Entry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Disable Change Password Through Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Disable Lock Workstation Feature Through Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Disable Notification Center", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Disable Windows Event Logging Disable HTTP Logging", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable Windows Event Logging"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}, {"name": "Windows Disable Windows Group Policy Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows DISM Remove Defender", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows DLL Search Order Hijacking Hunt with Sysmon", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "DLL Search Order Hijacking"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "Windows DLL Search Order Hijacking with iscsicpl", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "DLL Search Order Hijacking"}]}, {"name": "Windows Event For Service Disabled", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Excessive Disabled Services Event", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Hide Notification Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Impair Defense Change Win Defender Health Check Intervals", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Change Win Defender Quick Scan Interval", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Change Win Defender Throttle Rate", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Change Win Defender Tracing Level", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Configure App Install Control", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Define Win Defender Threat Action", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Delete Win Defender Context Menu", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Delete Win Defender Profile Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Controlled Folder Access", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Defender Firewall And Network", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Defender Protocol Recognition", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable PUA Protection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Realtime Signature Delivery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Web Evaluation", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Win Defender App Guard", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Win Defender Compute File Hashes", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Win Defender Gen reports", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Win Defender Network Protection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Win Defender Report Infection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Win Defender Scan On Update", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Win Defender Signature Retirement", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Overide Win Defender Phishing Filter", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Override SmartScreen Prompt", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Set Win Defender Smart Screen Level To Warn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defenses Disable HVCI", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defenses Disable Win Defender Auto Logging", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Known Abused DLL Created", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "DLL Search Order Hijacking"}, {"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "Windows Modify Show Compress Color And Info Tip Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Parent PID Spoofing with Explorer", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Parent PID Spoofing"}, {"mitre_attack_technique": "Access Token Manipulation"}]}, {"name": "Windows PowerShell Disable HTTP Logging", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Disable Windows Event Logging"}, {"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}, {"name": "Windows Process With NamedPipe CommandLine", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Windows Rasautou DLL Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Dynamic-link Library Injection"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Process Injection"}]}, {"name": "Windows UAC Bypass Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}, {"mitre_attack_technique": "Bypass User Account Control"}]}, {"name": "Windows UAC Bypass Suspicious Escalation Behavior", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}, {"mitre_attack_technique": "Bypass User Account Control"}]}, {"name": "WSReset UAC Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}]}, {"name": "Windows Discovery Techniques", "author": "Michael Hart, Splunk", "date": "2021-03-04", "version": 1, "id": "f7aba570-7d59-11eb-825e-acde48001122", "description": "Monitors for behaviors associated with adversaries discovering objects in the environment that can be leveraged in the progression of the attack.", "references": ["https://attack.mitre.org/tactics/TA0007/", "https://cyberd.us/penetration-testing", "https://attack.mitre.org/software/S0521/"], "narrative": "Attackers may not have much if any insight into their target's environment before the initial compromise. Once a foothold has been established, attackers will start enumerating objects in the environment (accounts, services, network shares, etc.) that can be used to achieve their objectives. This Analytic Story provides searches to help identify activities consistent with adversaries gaining knowledge of compromised Windows environments.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Behavioral Analytics", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Akira", "Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}, {"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT41", "BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Scattered Spider", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT41", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "FIN7", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "ToddyCat", "Turla", "Volt Typhoon"]}, {"mitre_attack_id": "T1082", "mitre_attack_technique": "System Information Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT19", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "Blue Mockingbird", "Chimera", "Confucius", "Darkhotel", "FIN13", "FIN8", "Gamaredon Group", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Malteiro", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Sowbug", "Stealth Falcon", "TA2541", "TeamTNT", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Windigo", "Windshift", "Wizard Spider", "ZIRCONIUM", "admin@338"]}], "mitre_attack_tactics": ["Discovery"], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Detect AzureHound Command-Line Arguments - Rule", "ESCU - Detect AzureHound File Modifications - Rule", "ESCU - Detect SharpHound Command-Line Arguments - Rule", "ESCU - Detect SharpHound File Modifications - Rule", "ESCU - Detect SharpHound Usage - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Traffic to Active Directory Web Services Protocol - Rule", "ESCU - System Information Discovery Detection - Rule", "ESCU - Windows SOAPHound Binary Execution - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Hart", "detections": [{"name": "Detect AzureHound Command-Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Local Groups"}, {"mitre_attack_technique": "Domain Trust Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Groups"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}, {"name": "Detect AzureHound File Modifications", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Local Groups"}, {"mitre_attack_technique": "Domain Trust Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Groups"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}, {"name": "Detect SharpHound Command-Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Local Groups"}, {"mitre_attack_technique": "Domain Trust Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Groups"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}, {"name": "Detect SharpHound File Modifications", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Local Groups"}, {"mitre_attack_technique": "Domain Trust Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Groups"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}, {"name": "Detect SharpHound Usage", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Local Groups"}, {"mitre_attack_technique": "Domain Trust Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Groups"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}, {"name": "Network Traffic to Active Directory Web Services Protocol", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Local Groups"}, {"mitre_attack_technique": "Domain Trust Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Groups"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}, {"name": "System Information Discovery Detection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Information Discovery"}]}, {"name": "Windows SOAPHound Binary Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Local Groups"}, {"mitre_attack_technique": "Domain Trust Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Groups"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}]}, {"name": "Windows DNS SIGRed CVE-2020-1350", "author": "Shannon Davis, Splunk", "date": "2020-07-28", "version": 1, "id": "36dbb206-d073-11ea-87d0-0242ac130003", "description": "Uncover activity consistent with CVE-2020-1350, or SIGRed. Discovered by Checkpoint researchers, this vulnerability affects Windows 2003 to 2019, and is triggered by a malicious DNS response (only affects DNS over TCP). An attacker can use the malicious payload to cause a buffer overflow on the vulnerable system, leading to compromise. The included searches in this Analytic Story are designed to identify the large response payload for SIG and KEY DNS records which can be used for the exploit.", "references": ["https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", "https://support.microsoft.com/en-au/help/4569509/windows-dns-server-remote-code-execution-vulnerability"], "narrative": "When a client requests a DNS record for a particular domain, that request gets routed first through the client's locally configured DNS server, then to any DNS server(s) configured as forwarders, and then onto the target domain's own DNS server(s). If a attacker wanted to, they could host a malicious DNS server that responds to the initial request with a specially crafted large response (~65KB). This response would flow through to the client's local DNS server, which if not patched for CVE-2020-1350, would cause the buffer overflow. The detection searches in this Analytic Story use wire data to detect the malicious behavior. Searches for Splunk Stream and Zeek are included. The Splunk Stream search correlates across stream:dns and stream:tcp, while the Zeek search correlates across bro:dns:json and bro:conn:json. These correlations are required to pick up both the DNS record types (SIG and KEY) along with the payload size (>65KB).", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1203", "mitre_attack_technique": "Exploitation for Client Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT12", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT41", "Andariel", "Aoqin Dragon", "Axiom", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "Higaisa", "Inception", "Lazarus Group", "Leviathan", "MuddyWater", "Mustang Panda", "Patchwork", "Sandworm Team", "Sidewinder", "TA459", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "admin@338"]}], "mitre_attack_tactics": ["Execution"], "datamodels": [], "kill_chain_phases": ["Installation"]}, "detection_names": ["ESCU - Detect Windows DNS SIGRed via Splunk Stream - Rule", "ESCU - Detect Windows DNS SIGRed via Zeek - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Shannon Davis", "detections": [{"name": "Detect Windows DNS SIGRed via Splunk Stream", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploitation for Client Execution"}]}, {"name": "Detect Windows DNS SIGRed via Zeek", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploitation for Client Execution"}]}]}, {"name": "Windows Drivers", "author": "Michael Haag, Splunk", "date": "2022-03-30", "version": 1, "id": "d0a9323f-9411-4da6-86b2-18c184d750c0", "description": "Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components.", "references": ["https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/", "https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf", "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/"], "narrative": "A rootkit on Windows may sometimes be in the form of a Windows Driver. A driver typically has a file extension of .sys, however the internals of a sys file is similar to a Windows DLL. For Microsoft Windows to load a driver, a few requirements are needed. First, it must have a valid signature. Second, typically it should load from the windows\\system32\\drivers path. There are a few methods to investigate drivers in the environment. Drivers are noisy. An inventory of all drivers is important to understand prevalence. A driver location (Path) is also important when attempting to baseline. Looking at a driver name and path is not enough, we must also explore the signing information. Product, description, company name, signer and signing result are all items to take into account when reviewing drivers. What makes a driver malicious? Depending if a driver was dropped during a campaign or you are baselining drivers after, triaging a driver to determine maliciousness may be tough. We break this into two categories - 1. vulnerable drivers 2. driver rootkits. Attempt to identify prevelance of the driver. Is it on one or many? Review the signing information if it is present. Is it common? A lot of driver hunting will lead down rabbit holes, but we hope to help lead the way.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1553.004", "mitre_attack_technique": "Install Root Certificate", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1014", "mitre_attack_technique": "Rootkit", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT41", "Rocke", "TeamTNT", "Winnti Group"]}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1553", "mitre_attack_technique": "Subvert Trust Controls", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Axiom"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Privilege Escalation", "Persistence", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Windows Driver Inventory - Rule", "ESCU - Windows Driver Load Non-Standard Path - Rule", "ESCU - Windows Drivers Loaded by Signature - Rule", "ESCU - Windows Registry Certificate Added - Rule", "ESCU - Windows Registry Modification for Safe Mode Persistence - Rule", "ESCU - Windows Service Create Kernel Mode Driver - Rule", "ESCU - Windows System File on Disk - Rule", "ESCU - Windows Vulnerable Driver Loaded - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Windows Driver Inventory", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}, {"name": "Windows Driver Load Non-Standard Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Rootkit"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}, {"name": "Windows Drivers Loaded by Signature", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Rootkit"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}, {"name": "Windows Registry Certificate Added", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Install Root Certificate"}, {"mitre_attack_technique": "Subvert Trust Controls"}]}, {"name": "Windows Registry Modification for Safe Mode Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Windows Service Create Kernel Mode Driver", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}, {"name": "Windows System File on Disk", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}, {"name": "Windows Vulnerable Driver Loaded", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Service"}]}]}, {"name": "Windows Error Reporting Service Elevation of Privilege Vulnerability", "author": "Michael Haag, Splunk", "date": "2023-08-24", "version": 1, "id": "64dea1e5-2c60-461f-b886-05580ed89b5c", "description": "In July 2023, CrowdStrike's Falcon Complete managed detection and response (MDR) team uncovered an exploit kit using an unknown vulnerability in the Windows Error Reporting (WER) component. The vulnerability, now identified as CVE-2023-36874, was also independently discovered by Google's Threat Analysis Group. The exploit came to light when suspicious binaries were observed on a European technology system. CrowdStrike's Counter Adversary Operations' analysis revealed a zero-day exploit targeting the WER service, allowing attackers to execute unauthorized code with elevated privileges. The exploit kit seen aimed to spawn a privileged interpreter, displaying the versatility and adaptability of the threat. CrowdStrike has listed some potential indicators of compromise, but these are of low fidelity due to their mutable nature.", "references": ["https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/"], "narrative": "In June 2023, CrowdStrike's Falcon Complete team observed suspicious activities on a European technology entity's system. Multiple binaries were dropped onto the system via Remote Desktop Protocol (RDP), some of which were flagged as potential exploits for a known vulnerability. However, a string containing the Russian term for \"0day\" suggested an unknown vulnerability was at play. Subsequent investigations identified this as a zero-day vulnerability affecting the Windows Error Reporting (WER) component, now known as CVE-2023-36874.\nThe WER service's function is to report software issues on Windows hosts. The exploit centered around manipulating the WER service by redirecting file systems to execute attacker-controlled code with elevated privileges. This was achieved by creating a symbolic link redirection from the C:\\ drive to an attacker-controlled directory, and then triggering certain WER functions. Consequently, an unauthorized executable was run instead of the legitimate one, giving the attacker high-level access.\nThe observed exploit kit's primary objective was to initiate a privileged interpreter, such as cmd.exe or powershell_ise.exe. If this couldn't be achieved, a privileged scheduled task was created as an alternative. The exploit kit showcased a range of binaries, some packed and others not, some in C++ and others in pure C. This diversity suggests the knowledge of the vulnerability was likely shared among different developers.\nCrowdStrike's Counter Adversary Operations, as of now, hasn't linked this activity to any specific threat actor. They've provided potential indicators of compromise, but caution that these are easily changed, indicating the advanced capabilities of the adversaries.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}], "mitre_attack_tactics": ["Privilege Escalation", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - Windows Process Injection Wermgr Child Process - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "System Processes Run From Unexpected Locations", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}, {"name": "Windows Process Injection Wermgr Child Process", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}]}, {"name": "Windows File Extension and Association Abuse", "author": "Rico Valdez, Splunk", "date": "2018-01-26", "version": 1, "id": "30552a76-ac78-48e4-b3c0-de4e34e9563d", "description": "Detect and investigate suspected abuse of file extensions and Windows file associations. Some of the malicious behaviors involved may include inserting spaces before file extensions or prepending the file extension with a different one, among other techniques.", "references": ["https://blog.malwarebytes.com/cybercrime/2013/12/file-extensions-2/", "https://attack.mitre.org/wiki/Technique/T1042"], "narrative": "Attackers use a variety of techniques to entice users to run malicious code or to persist on an endpoint. One way to accomplish these goals is to leverage file extensions and the mechanism Windows uses to associate files with specific applications.\nSince its earliest days, Windows has used extensions to identify file types. Users have become familiar with these extensions and their application associations. For example, if users see that a file ends in `.doc` or `.docx`, they will assume that it is a Microsoft Word document and expect that double-clicking will open it using `winword.exe`. The user will typically also presume that the `.docx` file is safe.\nAttackers take advantage of this expectation by obfuscating the true file extension. They can accomplish this in a couple of ways. One technique involves inserting multiple spaces in the file name before the extension to hide the extension from the GUI, obscuring the true nature of the file. Another approach involves prepending the real extension with a different one. This is especially effective when Windows is configured to \"hide extensions for known file types.\" In this case, the real extension is not displayed, but the prepended one is, leading end users to believe the file is a different type than it actually is.\nChanging the association between a file extension and an application can allow an attacker to execute arbitrary code. The technique typically involves changing the association for an often-launched file type to associate instead with a malicious program the attacker has dropped on the endpoint. When the end user launches a file that has been manipulated in this way, it will execute the attacker's malware. It will also execute the application the end user expected to run, cleverly obscuring the fact that something suspicious has occurred.\nRun the searches in this story to detect and investigate suspicious behavior that may indicate abuse or manipulation of Windows file extensions and/or associations.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}], "mitre_attack_tactics": ["Privilege Escalation", "Persistence", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - Execution of File With Spaces Before Extension - Rule", "ESCU - Suspicious Changes to File Associations - Rule", "ESCU - Execution of File with Multiple Extensions - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Execution of File With Spaces Before Extension", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Rename System Utilities"}]}, {"name": "Suspicious Changes to File Associations", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Change Default File Association"}]}, {"name": "Execution of File with Multiple Extensions", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}]}, {"name": "Windows Log Manipulation", "author": "Rico Valdez, Splunk", "date": "2017-09-12", "version": 2, "id": "b6db2c60-a281-48b4-95f1-2cd99ed56835", "description": "Adversaries often try to cover their tracks by manipulating Windows logs. Use these searches to help you monitor for suspicious activity surrounding log files--an essential component of an effective defense.", "references": ["https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", "https://zeltser.com/security-incident-log-review-checklist/", "http://journeyintoir.blogspot.com/2013/01/re-introducing-usnjrnl.html"], "narrative": "Because attackers often modify system logs to cover their tracks and/or to thwart the investigative process, log monitoring is an industry-recognized best practice. While there are legitimate reasons to manipulate system logs, it is still worthwhile to keep track of who manipulated the logs, when they manipulated them, and in what way they manipulated them (determining which accesses, tools, or utilities were employed). Even if no malicious activity is detected, the knowledge of an attempt to manipulate system logs may be indicative of a broader security risk that should be thoroughly investigated.\nThe Analytic Story gives users two different ways to detect manipulation of Windows Event Logs and one way to detect deletion of the Update Sequence Number (USN) Change Journal. The story helps determine the history of the host and the users who have accessed it. Finally, the story aides in investigation by retrieving all the information on the process that caused these events (if the process has been identified).", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}, {"mitre_attack_id": "T1070.001", "mitre_attack_technique": "Clear Windows Event Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "APT38", "APT41", "Chimera", "Dragonfly", "FIN5", "FIN8", "Indrik Spider"]}], "mitre_attack_tactics": ["Impact", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Deleting Shadow Copies - Rule", "ESCU - Suspicious Event Log Service Behavior - Rule", "ESCU - Suspicious wevtutil Usage - Rule", "ESCU - USN Journal Deletion - Rule", "ESCU - Windows Event Log Cleared - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Suspicious Event Log Service Behavior", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear Windows Event Logs"}]}, {"name": "Suspicious wevtutil Usage", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Clear Windows Event Logs"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "USN Journal Deletion", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Windows Event Log Cleared", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear Windows Event Logs"}]}]}, {"name": "Windows Persistence Techniques", "author": "Bhavin Patel, Splunk", "date": "2018-05-31", "version": 2, "id": "30874d4f-20a1-488f-85ec-5d52ef74e3f9", "description": "Monitor for activities and techniques associated with maintaining persistence on a Windows system--a sign that an adversary may have compromised your environment.", "references": ["http://www.fuzzysecurity.com/tutorials/19.html", "https://www.fireeye.com/blog/threat-research/2010/07/malware-persistence-windows-registry.html", "http://resources.infosecinstitute.com/common-malware-persistence-mechanisms/", "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html", "https://www.youtube.com/watch?v=dq2Hv7J9fvk"], "narrative": "Maintaining persistence is one of the first steps taken by attackers after the initial compromise. Attackers leverage various custom and built-in tools to ensure survivability and persistent access within a compromised enterprise. This Analytic Story provides searches to help you identify various behaviors used by attackers to maintain persistent access to a Windows environment.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1037", "mitre_attack_technique": "Boot or Logon Initialization Scripts", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "Rocke"]}, {"mitre_attack_id": "T1546.012", "mitre_attack_technique": "Image File Execution Options Injection", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA2541", "TA551"]}, {"mitre_attack_id": "T1564.001", "mitre_attack_technique": "Hidden Files and Directories", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "FIN13", "HAFNIUM", "Lazarus Group", "LuminousMoth", "Mustang Panda", "Rocke", "Transparent Tribe", "Tropic Trooper"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1222.001", "mitre_attack_technique": "Windows File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1547.010", "mitre_attack_technique": "Port Monitors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.012", "mitre_attack_technique": "Print Processors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1134.005", "mitre_attack_technique": "SID-History Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1574.009", "mitre_attack_technique": "Path Interception by Unquoted Path", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1037.001", "mitre_attack_technique": "Logon Script (Windows)", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "Cobalt Group"]}, {"mitre_attack_id": "T1546.002", "mitre_attack_technique": "Screensaver", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.003", "mitre_attack_technique": "Time Providers", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.014", "mitre_attack_technique": "Active Setup", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562.006", "mitre_attack_technique": "Indicator Blocking", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT41", "APT5"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546.011", "mitre_attack_technique": "Application Shimming", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["FIN7"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1574.011", "mitre_attack_technique": "Services Registry Permissions Weakness", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}], "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Execution", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - Reg exe used to hide files directories via registry keys - Rule", "ESCU - Remote Registry Key modifications - Rule", "ESCU - Active Setup Registry Autostart - Rule", "ESCU - Certutil exe certificate extraction - Rule", "ESCU - Change Default File Association - Rule", "ESCU - Detect Path Interception By Creation Of program exe - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Hiding Files And Directories With Attrib exe - Rule", "ESCU - Logon Script Event Trigger Execution - Rule", "ESCU - Monitor Registry Keys for Print Monitors - Rule", "ESCU - Print Processor Registry Autostart - Rule", "ESCU - Reg exe Manipulating Windows Services Registry Keys - Rule", "ESCU - Registry Keys for Creating SHIM Databases - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Schedule Task with HTTP Command Arguments - Rule", "ESCU - Schedule Task with Rundll32 Command Trigger - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks used for forcing a reboot - Rule", "ESCU - Screensaver Event Trigger Execution - Rule", "ESCU - Shim Database File Creation - Rule", "ESCU - Shim Database Installation With Suspicious Parameters - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Time Provider Persistence Registry - Rule", "ESCU - Windows AD DSRM Account Changes - Rule", "ESCU - Windows AD Same Domain SID History Addition - Rule", "ESCU - Windows Event Triggered Image File Execution Options Injection - Rule", "ESCU - Windows Mshta Execution In Registry - Rule", "ESCU - Windows Registry Delete Task SD - Rule", "ESCU - Windows Scheduled Task Service Spawned Shell - Rule", "ESCU - Windows Schtasks Create Run As System - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Reg exe used to hide files directories via registry keys", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Hidden Files and Directories"}]}, {"name": "Remote Registry Key modifications", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Active Setup Registry Autostart", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Active Setup"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Certutil exe certificate extraction", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Change Default File Association", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Change Default File Association"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Detect Path Interception By Creation Of program exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Path Interception by Unquoted Path"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "ETW Registry Disabled", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Blocking"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Hiding Files And Directories With Attrib exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "Windows File and Directory Permissions Modification"}]}, {"name": "Logon Script Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Boot or Logon Initialization Scripts"}, {"mitre_attack_technique": "Logon Script (Windows)"}]}, {"name": "Monitor Registry Keys for Print Monitors", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Port Monitors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Print Processor Registry Autostart", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Reg exe Manipulating Windows Services Registry Keys", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Services Registry Permissions Weakness"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "Registry Keys for Creating SHIM Databases", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Application Shimming"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Schedule Task with HTTP Command Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Schedule Task with Rundll32 Command Trigger", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Schtasks used for forcing a reboot", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Screensaver Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "Screensaver"}]}, {"name": "Shim Database File Creation", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Application Shimming"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Shim Database Installation With Suspicious Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Application Shimming"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Time Provider Persistence Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Time Providers"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Windows AD DSRM Account Changes", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}]}, {"name": "Windows AD Same Domain SID History Addition", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "SID-History Injection"}, {"mitre_attack_technique": "Access Token Manipulation"}]}, {"name": "Windows Event Triggered Image File Execution Options Injection", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Image File Execution Options Injection"}]}, {"name": "Windows Mshta Execution In Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Mshta"}]}, {"name": "Windows Registry Delete Task SD", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Scheduled Task Service Spawned Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows Schtasks Create Run As System", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Services Registry Permissions Weakness"}]}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Scheduled Task"}]}]}, {"name": "Windows Post-Exploitation", "author": "Teoderick Contreras, Splunk", "date": "2022-11-30", "version": 1, "id": "992899b7-a5cf-4bcd-bb0d-cf81762188ba", "description": "This analytic story identifies popular Windows post exploitation tools for example winpeas.bat, winpeas.exe, WinPrivCheck.bat and many more.", "references": ["https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "narrative": "These tools allow operators to find possible exploits or paths for privilege escalation and persistence on a targeted host. Ransomware operator like the \"Prestige ransomware\" also used or abuses these post exploitation tools such as winPEAS to scan for possible avenue to gain privileges and persistence to a targeted Windows Operating System.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}, {"mitre_attack_id": "T1016.001", "mitre_attack_technique": "Internet Connection Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT29", "FIN13", "FIN8", "Gamaredon Group", "HAFNIUM", "HEXANE", "Magic Hound", "TA2541", "Turla"]}, {"mitre_attack_id": "T1115", "mitre_attack_technique": "Clipboard Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT38", "APT39"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1552.002", "mitre_attack_technique": "Credentials in Registry", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT32"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "FIN7", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "ToddyCat", "Turla", "Volt Typhoon"]}, {"mitre_attack_id": "T1547.005", "mitre_attack_technique": "Security Support Provider", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "APT5", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "Malteiro", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1070.005", "mitre_attack_technique": "Network Share Connection Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Threat Group-3390"]}, {"mitre_attack_id": "T1003.005", "mitre_attack_technique": "Cached Domain Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "Leafminer", "MuddyWater", "OilRig"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1202", "mitre_attack_technique": "Indirect Command Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1555.005", "mitre_attack_technique": "Password Managers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Fox Kitten", "LAPSUS$", "Threat Group-3390"]}, {"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "APT41", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "Volt Typhoon", "ZIRCONIUM"]}, {"mitre_attack_id": "T1531", "mitre_attack_technique": "Account Access Removal", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Akira", "LAPSUS$"]}, {"mitre_attack_id": "T1082", "mitre_attack_technique": "System Information Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT19", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "Blue Mockingbird", "Chimera", "Confucius", "Darkhotel", "FIN13", "FIN8", "Gamaredon Group", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Malteiro", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Sowbug", "Stealth Falcon", "TA2541", "TeamTNT", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Windigo", "Windshift", "Wizard Spider", "ZIRCONIUM", "admin@338"]}, {"mitre_attack_id": "T1552.004", "mitre_attack_technique": "Private Keys", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Rocke", "Scattered Spider", "TeamTNT"]}], "mitre_attack_tactics": ["Credential Access", "Reconnaissance", "Collection", "Persistence", "Privilege Escalation", "Execution", "Impact", "Discovery", "Defense Evasion"], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": ["Installation", "Exploitation", "Actions on Objectives", "Reconnaissance"]}, "detection_names": ["ESCU - Create or delete windows shares using net exe - Rule", "ESCU - Domain Group Discovery With Net - Rule", "ESCU - Excessive Usage Of Cacls App - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Connection Discovery With Net - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Network Discovery Using Route Windows App - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Windows Cached Domain Credentials Reg Query - Rule", "ESCU - Windows ClipBoard Data via Get-ClipBoard - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows Credentials from Password Stores Query - Rule", "ESCU - Windows Credentials in Registry Reg Query - Rule", "ESCU - Windows Indirect Command Execution Via forfiles - Rule", "ESCU - Windows Indirect Command Execution Via Series Of Forfiles - Rule", "ESCU - Windows Information Discovery Fsutil - Rule", "ESCU - Windows Modify Registry Reg Restore - Rule", "ESCU - Windows Password Managers Discovery - Rule", "ESCU - Windows Post Exploitation Risk Behavior - Rule", "ESCU - Windows Private Keys Discovery - Rule", "ESCU - Windows Query Registry Reg Save - Rule", "ESCU - Windows Security Support Provider Reg Query - Rule", "ESCU - Windows Steal or Forge Kerberos Tickets Klist - Rule", "ESCU - Windows System Network Config Discovery Display DNS - Rule", "ESCU - Windows System Network Connections Discovery Netsh - Rule", "ESCU - Windows System User Discovery Via Quser - Rule", "ESCU - Windows WMI Process And Service List - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Create or delete windows shares using net exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Network Share Connection Removal"}]}, {"name": "Domain Group Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}, {"name": "Excessive Usage Of Cacls App", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Account Access Removal"}]}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}, {"name": "Network Connection Discovery With Arp", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "Network Connection Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "Network Discovery Using Route Windows App", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Internet Connection Discovery"}]}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Gather Victim Host Information"}]}, {"name": "Windows Cached Domain Credentials Reg Query", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cached Domain Credentials"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Windows ClipBoard Data via Get-ClipBoard", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Clipboard Data"}]}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "System Network Connections Discovery"}, {"mitre_attack_technique": "System Owner/User Discovery"}, {"mitre_attack_technique": "System Shutdown/Reboot"}, {"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows Credentials from Password Stores Query", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}]}, {"name": "Windows Credentials in Registry Reg Query", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials in Registry"}, {"mitre_attack_technique": "Unsecured Credentials"}]}, {"name": "Windows Indirect Command Execution Via forfiles", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indirect Command Execution"}]}, {"name": "Windows Indirect Command Execution Via Series Of Forfiles", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Indirect Command Execution"}]}, {"name": "Windows Information Discovery Fsutil", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Information Discovery"}]}, {"name": "Windows Modify Registry Reg Restore", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Password Managers Discovery", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Managers"}]}, {"name": "Windows Post Exploitation Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": [{"mitre_attack_technique": "Query Registry"}, {"mitre_attack_technique": "System Network Connections Discovery"}, {"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "System Information Discovery"}, {"mitre_attack_technique": "Clipboard Data"}, {"mitre_attack_technique": "Unsecured Credentials"}]}, {"name": "Windows Private Keys Discovery", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Private Keys"}, {"mitre_attack_technique": "Unsecured Credentials"}]}, {"name": "Windows Query Registry Reg Save", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Security Support Provider Reg Query", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Security Support Provider"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Windows Steal or Forge Kerberos Tickets Klist", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}, {"name": "Windows System Network Config Discovery Display DNS", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Network Configuration Discovery"}]}, {"name": "Windows System Network Connections Discovery Netsh", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "Windows System User Discovery Via Quser", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Owner/User Discovery"}]}, {"name": "Windows WMI Process And Service List", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}]}, {"name": "Windows Privilege Escalation", "author": "David Dorsey, Splunk", "date": "2020-02-04", "version": 2, "id": "644e22d3-598a-429c-a007-16fdb802cae5", "description": "Monitor for and investigate activities that may be associated with a Windows privilege-escalation attack, including unusual processes running on endpoints, modified registry keys, and more.", "references": ["https://attack.mitre.org/tactics/TA0004/"], "narrative": "Privilege escalation is a \"land-and-expand\" technique, wherein an adversary gains an initial foothold on a host and then exploits its weaknesses to increase his privileges. The motivation is simple: certain actions on a Windows machine--such as installing software--may require higher-level privileges than those the attacker initially acquired. By increasing his privilege level, the attacker can gain the control required to carry out his malicious ends. This Analytic Story provides searches to detect and investigate behaviors that attackers may use to elevate their privileges in your environment.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1037", "mitre_attack_technique": "Boot or Logon Initialization Scripts", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "Rocke"]}, {"mitre_attack_id": "T1546.008", "mitre_attack_technique": "Accessibility Features", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT3", "APT41", "Axiom", "Deep Panda", "Fox Kitten"]}, {"mitre_attack_id": "T1546.012", "mitre_attack_technique": "Image File Execution Options Injection", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}, {"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Cinnamon Tempest", "Earth Lusca", "FIN13", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.012", "mitre_attack_technique": "Print Processors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1037.001", "mitre_attack_technique": "Logon Script (Windows)", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "Cobalt Group"]}, {"mitre_attack_id": "T1546.002", "mitre_attack_technique": "Screensaver", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.003", "mitre_attack_technique": "Time Providers", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.014", "mitre_attack_technique": "Active Setup", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562.006", "mitre_attack_technique": "Indicator Blocking", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT41", "APT5"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134.001", "mitre_attack_technique": "Token Impersonation/Theft", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "FIN8"]}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}], "mitre_attack_tactics": ["Credential Access", "Persistence", "Privilege Escalation", "Execution", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - Uncommon Processes On Endpoint - Rule", "ESCU - Active Setup Registry Autostart - Rule", "ESCU - Change Default File Association - Rule", "ESCU - Child Processes of Spoolsv exe - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Kerberoasting spn request with RC4 encryption - Rule", "ESCU - Logon Script Event Trigger Execution - Rule", "ESCU - MSI Module Loaded by Non-System Binary - Rule", "ESCU - Overwriting Accessibility Binaries - Rule", "ESCU - Print Processor Registry Autostart - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule", "ESCU - Runas Execution in CommandLine - Rule", "ESCU - Screensaver Event Trigger Execution - Rule", "ESCU - Time Provider Persistence Registry - Rule", "ESCU - Windows Privilege Escalation Suspicious Process Elevation - Rule", "ESCU - Windows Privilege Escalation System Process Without System Parent - Rule", "ESCU - Windows Privilege Escalation User Process Spawn System Process - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Uncommon Processes On Endpoint", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "Malicious File"}]}, {"name": "Active Setup Registry Autostart", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Active Setup"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Change Default File Association", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Change Default File Association"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Child Processes of Spoolsv exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}, {"name": "ETW Registry Disabled", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Blocking"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Kerberoasting spn request with RC4 encryption", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}]}, {"name": "Logon Script Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Boot or Logon Initialization Scripts"}, {"mitre_attack_technique": "Logon Script (Windows)"}]}, {"name": "MSI Module Loaded by Non-System Binary", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "Overwriting Accessibility Binaries", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "Accessibility Features"}]}, {"name": "Print Processor Registry Autostart", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Registry Keys Used For Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Image File Execution Options Injection"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Runas Execution in CommandLine", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Access Token Manipulation"}, {"mitre_attack_technique": "Token Impersonation/Theft"}]}, {"name": "Screensaver Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "Screensaver"}]}, {"name": "Time Provider Persistence Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Time Providers"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Windows Privilege Escalation Suspicious Process Elevation", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}, {"mitre_attack_technique": "Access Token Manipulation"}]}, {"name": "Windows Privilege Escalation System Process Without System Parent", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}, {"mitre_attack_technique": "Access Token Manipulation"}]}, {"name": "Windows Privilege Escalation User Process Spawn System Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}, {"mitre_attack_technique": "Access Token Manipulation"}]}]}, {"name": "Windows Registry Abuse", "author": "Teoderick Contreras, Splunk", "date": "2022-03-17", "version": 1, "id": "78df1df1-25f1-4387-90f9-c4ea31ce6b75", "description": "Windows services are often used by attackers for persistence, privilege escalation, lateral movement, defense evasion, collection of data, a tool for recon, credential dumping and payload impact. This Analytic Story helps you monitor your environment for indications that Windows registry are being modified or created in a suspicious manner.", "references": ["https://attack.mitre.org/techniques/T1112/", "https://redcanary.com/blog/windows-registry-attacks-threat-detection/"], "narrative": "Windows Registry is one of the powerful and yet still mysterious Windows features that can tweak or manipulate Windows policies and low-level configuration settings. Because of this capability, most malware, adversaries or threat actors abuse this hierarchical database to do their malicious intent on a targeted host or network environment. In these cases, attackers often use tools to create or modify registry in ways that are not typical for most environments, providing opportunities for detection.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1491", "mitre_attack_technique": "Defacement", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546.012", "mitre_attack_technique": "Image File Execution Options Injection", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1553.004", "mitre_attack_technique": "Install Root Certificate", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1564.001", "mitre_attack_technique": "Hidden Files and Directories", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "FIN13", "HAFNIUM", "Lazarus Group", "LuminousMoth", "Mustang Panda", "Rocke", "Transparent Tribe", "Tropic Trooper"]}, {"mitre_attack_id": "T1564", "mitre_attack_technique": "Hide Artifacts", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.010", "mitre_attack_technique": "Port Monitors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1552.002", "mitre_attack_technique": "Credentials in Registry", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT32"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1546.002", "mitre_attack_technique": "Screensaver", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.003", "mitre_attack_technique": "Time Providers", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1562.006", "mitre_attack_technique": "Indicator Blocking", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT41", "APT5"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546.011", "mitre_attack_technique": "Application Shimming", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["FIN7"]}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1547.008", "mitre_attack_technique": "LSASS Driver", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1553", "mitre_attack_technique": "Subvert Trust Controls", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Axiom"]}, {"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "APT5", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1574.011", "mitre_attack_technique": "Services Registry Permissions Weakness", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Credential Access", "Lateral Movement", "Persistence", "Privilege Escalation", "Impact", "Execution", "Defense Evasion"], "datamodels": ["Endpoint", "Updates", "Risk", "Web"], "kill_chain_phases": ["Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Allow Inbound Traffic By Firewall Rule Registry - Rule", "ESCU - Allow Operation with Consent Admin - Rule", "ESCU - Attempted Credential Dump From Registry via Reg exe - Rule", "ESCU - Auto Admin Logon Registry Entry - Rule", "ESCU - Change Default File Association - Rule", "ESCU - Disable AMSI Through Registry - Rule", "ESCU - Disable Defender AntiVirus Registry - Rule", "ESCU - Disable Defender BlockAtFirstSeen Feature - Rule", "ESCU - Disable Defender Enhanced Notification - Rule", "ESCU - Disable Defender MpEngine Registry - Rule", "ESCU - Disable Defender Spynet Reporting - Rule", "ESCU - Disable Defender Submit Samples Consent Feature - Rule", "ESCU - Disable ETW Through Registry - Rule", "ESCU - Disable Registry Tool - Rule", "ESCU - Disable Security Logs Using MiniNt Registry - Rule", "ESCU - Disable Show Hidden Files - Rule", "ESCU - Disable UAC Remote Restriction - Rule", "ESCU - Disable Windows App Hotkeys - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Disable Windows SmartScreen Protection - Rule", "ESCU - Disabling CMD Application - Rule", "ESCU - Disabling ControlPanel - Rule", "ESCU - Disabling Defender Services - Rule", "ESCU - Disabling FolderOptions Windows Feature - Rule", "ESCU - Disabling NoRun Windows App - Rule", "ESCU - Disabling Remote User Account Control - Rule", "ESCU - Disabling SystemRestore In Registry - Rule", "ESCU - Disabling Task Manager - Rule", "ESCU - Disabling Windows Local Security Authority Defences via Registry - Rule", "ESCU - Enable RDP In Other Port Number - Rule", "ESCU - Enable WDigest UseLogonCredential Registry - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Eventvwr UAC Bypass - Rule", "ESCU - Hide User Account From Sign-In Screen - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - Monitor Registry Keys for Print Monitors - Rule", "ESCU - Registry Keys for Creating SHIM Databases - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule", "ESCU - Remcos client registry install entry - Rule", "ESCU - Revil Registry Entry - Rule", "ESCU - Screensaver Event Trigger Execution - Rule", "ESCU - Sdclt UAC Bypass - Rule", "ESCU - SilentCleanup UAC Bypass - Rule", "ESCU - Time Provider Persistence Registry - Rule", "ESCU - Windows AD DSRM Account Changes - Rule", "ESCU - Windows Autostart Execution LSASS Driver Registry Modification - Rule", "ESCU - Windows Disable Lock Workstation Feature Through Registry - Rule", "ESCU - Windows Disable LogOff Button Through Registry - Rule", "ESCU - Windows Disable Memory Crash Dump - Rule", "ESCU - Windows Disable Notification Center - Rule", "ESCU - Windows Disable Shutdown Button Through Registry - Rule", "ESCU - Windows Disable Windows Group Policy Features Through Registry - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows Hide Notification Features Through Registry - Rule", "ESCU - Windows Impair Defense Change Win Defender Health Check Intervals - Rule", "ESCU - Windows Impair Defense Change Win Defender Quick Scan Interval - Rule", "ESCU - Windows Impair Defense Change Win Defender Throttle Rate - Rule", "ESCU - Windows Impair Defense Change Win Defender Tracing Level - Rule", "ESCU - Windows Impair Defense Configure App Install Control - Rule", "ESCU - Windows Impair Defense Define Win Defender Threat Action - Rule", "ESCU - Windows Impair Defense Delete Win Defender Context Menu - Rule", "ESCU - Windows Impair Defense Delete Win Defender Profile Registry - Rule", "ESCU - Windows Impair Defense Disable Controlled Folder Access - Rule", "ESCU - Windows Impair Defense Disable Defender Firewall And Network - Rule", "ESCU - Windows Impair Defense Disable Defender Protocol Recognition - Rule", "ESCU - Windows Impair Defense Disable PUA Protection - Rule", "ESCU - Windows Impair Defense Disable Realtime Signature Delivery - Rule", "ESCU - Windows Impair Defense Disable Web Evaluation - Rule", "ESCU - Windows Impair Defense Disable Win Defender App Guard - Rule", "ESCU - Windows Impair Defense Disable Win Defender Compute File Hashes - Rule", "ESCU - Windows Impair Defense Disable Win Defender Gen reports - Rule", "ESCU - Windows Impair Defense Disable Win Defender Network Protection - Rule", "ESCU - Windows Impair Defense Disable Win Defender Report Infection - Rule", "ESCU - Windows Impair Defense Disable Win Defender Scan On Update - Rule", "ESCU - Windows Impair Defense Disable Win Defender Signature Retirement - Rule", "ESCU - Windows Impair Defense Overide Win Defender Phishing Filter - Rule", "ESCU - Windows Impair Defense Override SmartScreen Prompt - Rule", "ESCU - Windows Impair Defense Set Win Defender Smart Screen Level To Warn - Rule", "ESCU - Windows Impair Defenses Disable HVCI - Rule", "ESCU - Windows Impair Defenses Disable Win Defender Auto Logging - Rule", "ESCU - Windows Modify Registry Risk Behavior - Rule", "ESCU - Windows Modify Show Compress Color And Info Tip Registry - Rule", "ESCU - Windows Registry Certificate Added - Rule", "ESCU - Windows Registry Delete Task SD - Rule", "ESCU - Windows Registry Modification for Safe Mode Persistence - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule", "ESCU - WSReset UAC Bypass - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Allow Inbound Traffic By Firewall Rule Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "Allow Operation with Consent Admin", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Attempted Credential Dump From Registry via Reg exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Auto Admin Logon Registry Entry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Credentials in Registry"}, {"mitre_attack_technique": "Unsecured Credentials"}]}, {"name": "Change Default File Association", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Change Default File Association"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Disable AMSI Through Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Defender AntiVirus Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Defender BlockAtFirstSeen Feature", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Defender Enhanced Notification", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Defender MpEngine Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Defender Spynet Reporting", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Defender Submit Samples Consent Feature", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable ETW Through Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Registry Tool", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}, {"name": "Disable Security Logs Using MiniNt Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Disable Show Hidden Files", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Hidden Files and Directories"}, {"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Hide Artifacts"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}, {"name": "Disable UAC Remote Restriction", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Disable Windows App Hotkeys", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Windows SmartScreen Protection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disabling CMD Application", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}, {"name": "Disabling ControlPanel", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}, {"name": "Disabling Defender Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disabling FolderOptions Windows Feature", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disabling NoRun Windows App", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}, {"name": "Disabling Remote User Account Control", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Disabling SystemRestore In Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Disabling Task Manager", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disabling Windows Local Security Authority Defences via Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Authentication Process"}]}, {"name": "Enable RDP In Other Port Number", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}]}, {"name": "Enable WDigest UseLogonCredential Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "ETW Registry Disabled", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Blocking"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Eventvwr UAC Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Hide User Account From Sign-In Screen", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Defacement"}]}, {"name": "Monitor Registry Keys for Print Monitors", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Port Monitors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Registry Keys for Creating SHIM Databases", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Application Shimming"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Registry Keys Used For Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Image File Execution Options Injection"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Remcos client registry install entry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Revil Registry Entry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Screensaver Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "Screensaver"}]}, {"name": "Sdclt UAC Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "SilentCleanup UAC Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Time Provider Persistence Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Time Providers"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Windows AD DSRM Account Changes", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}]}, {"name": "Windows Autostart Execution LSASS Driver Registry Modification", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Driver"}]}, {"name": "Windows Disable Lock Workstation Feature Through Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Disable LogOff Button Through Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Disable Memory Crash Dump", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Windows Disable Notification Center", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Disable Shutdown Button Through Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Disable Windows Group Policy Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Hide Notification Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Impair Defense Change Win Defender Health Check Intervals", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Change Win Defender Quick Scan Interval", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Change Win Defender Throttle Rate", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Change Win Defender Tracing Level", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Configure App Install Control", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Define Win Defender Threat Action", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Delete Win Defender Context Menu", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Delete Win Defender Profile Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Controlled Folder Access", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Defender Firewall And Network", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Defender Protocol Recognition", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable PUA Protection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Realtime Signature Delivery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Web Evaluation", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Win Defender App Guard", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Win Defender Compute File Hashes", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Win Defender Gen reports", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Win Defender Network Protection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Win Defender Report Infection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Win Defender Scan On Update", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Win Defender Signature Retirement", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Overide Win Defender Phishing Filter", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Override SmartScreen Prompt", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Set Win Defender Smart Screen Level To Warn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defenses Disable HVCI", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defenses Disable Win Defender Auto Logging", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Modify Registry Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Show Compress Color And Info Tip Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Registry Certificate Added", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Install Root Certificate"}, {"mitre_attack_technique": "Subvert Trust Controls"}]}, {"name": "Windows Registry Delete Task SD", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Registry Modification for Safe Mode Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Services Registry Permissions Weakness"}]}, {"name": "WSReset UAC Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}]}, {"name": "Windows Service Abuse", "author": "Rico Valdez, Splunk", "date": "2017-11-02", "version": 3, "id": "6dbd810e-f66d-414b-8dfc-e46de55cbfe2", "description": "Windows services are often used by attackers for persistence and the ability to load drivers or otherwise interact with the Windows kernel. This Analytic Story helps you monitor your environment for indications that Windows services are being modified or created in a suspicious manner.", "references": ["https://attack.mitre.org/wiki/Technique/T1050", "https://attack.mitre.org/wiki/Technique/T1031"], "narrative": "The Windows operating system uses a services architecture to allow for running code in the background, similar to a UNIX daemon. Attackers will often leverage Windows services for persistence, hiding in plain sight, seeking the ability to run privileged code that can interact with the kernel. In many cases, attackers will create a new service to host their malicious code. Attackers have also been observed modifying unnecessary or unused services to point to their own code, as opposed to what was intended. In these cases, attackers often use tools to create or modify services in ways that are not typical for most environments, providing opportunities for detection.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1574.011", "mitre_attack_technique": "Services Registry Permissions Weakness", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Privilege Escalation", "Persistence", "Execution", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - First Time Seen Running Windows Service - Rule", "ESCU - Reg exe Manipulating Windows Services Registry Keys - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "First Time Seen Running Windows Service", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Reg exe Manipulating Windows Services Registry Keys", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Services Registry Permissions Weakness"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}]}, {"name": "Windows System Binary Proxy Execution MSIExec", "author": "Michael Haag, Splunk", "date": "2022-06-16", "version": 1, "id": "bea2e16b-4599-46ad-a95b-116078726c68", "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).", "references": ["https://attack.mitre.org/techniques/T1218/007/"], "narrative": "Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs. Since it may be signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. Msiexec.exe execution may also be elevated to SYSTEM privileges if the AlwaysInstallElevated policy is enabled.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.007", "mitre_attack_technique": "Msiexec", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Machete", "Molerats", "Rancor", "TA505", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Windows MSIExec DLLRegisterServer - Rule", "ESCU - Windows MSIExec Remote Download - Rule", "ESCU - Windows MSIExec Spawn Discovery Command - Rule", "ESCU - Windows MSIExec Unregister DLLRegisterServer - Rule", "ESCU - Windows MSIExec With Network Connections - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows MSIExec DLLRegisterServer", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Msiexec"}]}, {"name": "Windows MSIExec Remote Download", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Msiexec"}]}, {"name": "Windows MSIExec Spawn Discovery Command", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Msiexec"}]}, {"name": "Windows MSIExec Unregister DLLRegisterServer", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Msiexec"}]}, {"name": "Windows MSIExec With Network Connections", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Msiexec"}]}]}, {"name": "WinRAR Spoofing Attack CVE-2023-38831", "author": "Michael Haag, Splunk", "date": "2023-08-29", "version": 1, "id": "9ba776f3-b8c5-4390-a312-6dab6c5561b9", "description": "Group-IB Threat Intelligence unit discovered a zero-day vulnerability, CVE-2023-38831, in WinRAR, a popular compression tool. Cybercriminals exploited this vulnerability to deliver various malware families, including DarkMe and GuLoader, by crafting ZIP archives with spoofed extensions, which were then distributed on trading forums. Once the malware was executed, it allowed cybercriminals to withdraw funds from brokers' accounts. RARLAB was immediately notified about the vulnerability and released a patch. Group-IB recommends users update WinRAR to the latest version, stay informed about cyber threats, be cautious with unknown attachments, enable 2FA, backup data, and follow the principle of least privilege.", "references": ["https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/", "https://nvd.nist.gov/vuln/detail/CVE-2023-38831"], "narrative": "Group-IB Threat Intelligence unit identified a critical zero-day vulnerability, CVE-2023-38831, in WinRAR, a widely used compression tool. This vulnerability was exploited by cybercriminals to craft ZIP archives containing malicious and non-malicious files, distributed on specialized trading forums. The exploit allowed them to spoof file extensions, hiding the launch of malicious scripts within an archive masquerading as a '.jpg', '.txt', or any other file format. When victims opened the specially crafted archive, it executed the malware, leading to unauthorized access to their broker accounts and enabling the cybercriminals to perform illicit financial transactions and withdraw funds.\nThe vulnerability was discovered while researching the spread of DarkMe malware, a VisualBasic spy Trojan attributed to the financially motivated group, Evilnum. The malware was distributed alongside other malware families, such as GuLoader and Remcos RAT, via malicious ZIP archives posted on popular trading forums or distributed via file-sharing services. Despite efforts by forum administrators to warn users and disable threat actors' accounts, the cybercriminals continued to spread the malicious files, compromising devices, and leading to financial losses.\nGroup-IB immediately notified RARLAB about the vulnerability, and they promptly responded by issuing a patch. The beta version of the patch was released on July 20, 2023, and the final updated version, WinRAR 6.23, was released on August 2, 2023. Group-IB recommends all users install the latest version of WinRAR to mitigate the risk of exploitation.\nIn conclusion, the exploitation of the CVE-2023-38831 vulnerability highlights the constant risks associated with software vulnerabilities and the importance of remaining vigilant, keeping systems updated, and following security guidelines to avoid falling victim to such attacks. Collaboration between security researchers and software developers is essential to quickly identify and fix vulnerabilities, making it harder for cybercriminals to exploit them.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - WinRAR Spawning Shell Application - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "WinRAR Spawning Shell Application", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}]}, {"name": "Winter Vivern", "author": "Teoderick Contreras, Splunk", "date": "2023-02-16", "version": 1, "id": "5ce5f311-b311-4568-90ca-0c36781d07a4", "description": "Utilize searches that enable you to detect and investigate unusual activities potentially related to the Winter Vivern malicious software. This includes examining multiple timeout executions, scheduled task creations, screenshots, and downloading files through PowerShell, among other indicators.", "references": ["https://cert.gov.ua/article/3761023"], "narrative": "The Winter Vivern malware, identified by CERT UA, is designed to download and run multiple PowerShell scripts on targeted hosts. These scripts aim to gather a variety of files with specific extensions, including (.edb, .ems, .eme, .emz, .key, .pem, .ovpn, .bat, .cer, .p12, .cfg, .log, .txt, .pdf, .doc, .docx, .xls, .xlsx, and .rdg), primarily from desktop directories. In addition to this, the malware captures desktop screenshots and performs data exfiltration using HTTP. To maintain its presence on the targeted host, Winter Vivern also establishes a persistence mechanism, such as creating a scheduled task.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1041", "mitre_attack_technique": "Exfiltration Over C2 Channel", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Chimera", "Confucius", "GALLIUM", "Gamaredon Group", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "LuminousMoth", "MuddyWater", "Sandworm Team", "Stealth Falcon", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT41", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1113", "mitre_attack_technique": "Screen Capture", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT39", "BRONZE BUTLER", "Dark Caracal", "Dragonfly", "FIN7", "GOLD SOUTHFIELD", "Gamaredon Group", "Group5", "Magic Hound", "MoustachedBouncer", "MuddyWater", "OilRig", "Silence"]}], "mitre_attack_tactics": ["Command And Control", "Discovery", "Collection", "Defense Evasion", "Exfiltration", "Persistence", "Execution", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Command and Control", "Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Any Powershell DownloadString - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - GetWmiObject User Account with PowerShell - Rule", "ESCU - GetWmiObject User Account with PowerShell Script Block - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Schedule Task with HTTP Command Arguments - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - System User Discovery With Whoami - Rule", "ESCU - Windows Exfiltration Over C2 Via Invoke RestMethod - Rule", "ESCU - Windows Exfiltration Over C2 Via Powershell UploadString - Rule", "ESCU - Windows Scheduled Task Created Via XML - Rule", "ESCU - Windows Screen Capture Via Powershell - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "GetWmiObject User Account with PowerShell", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}]}, {"name": "GetWmiObject User Account with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "PowerShell Loading DotNET into Memory via Reflection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Schedule Task with HTTP Command Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "System User Discovery With Whoami", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Owner/User Discovery"}]}, {"name": "Windows Exfiltration Over C2 Via Invoke RestMethod", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over C2 Channel"}]}, {"name": "Windows Exfiltration Over C2 Via Powershell UploadString", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over C2 Channel"}]}, {"name": "Windows Scheduled Task Created Via XML", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Windows Screen Capture Via Powershell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Screen Capture"}]}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Scheduled Task"}]}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Scheduled Task"}]}]}, {"name": "WordPress Vulnerabilities", "author": "Michael Haag, Splunk", "date": "2024-02-22", "version": 1, "id": "baeaee14-e439-4c95-91e8-aaedd8265c1c", "description": "This analytic story provides a collection of analytics that detect potential exploitation of WordPress vulnerabilities. The analytics are focused on the detection of known vulnerabilities in WordPress plugins and themes.", "references": ["https://attack.mitre.org/techniques/T1190", "https://github.com/Tornad0007/CVE-2024-25600-Bricks-Builder-plugin-for-WordPress/blob/main/exploit.py", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25600", "https://op-c.net/blog/cve-2024-25600-wordpresss-bricks-builder-rce-flaw-under-active-exploitation/", "https://thehackernews.com/2024/02/wordpress-bricks-theme-under-active.html"], "narrative": "The following collection of analytics are focused on the detection of known vulnerabilities in WordPress plugins and themes. The analytics are focused on the detection of known vulnerabilities in WordPress plugins and themes.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - WordPress Bricks Builder plugin RCE - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "WordPress Bricks Builder plugin RCE", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}]}, {"name": "WS FTP Server Critical Vulnerabilities", "author": "Michael Haag, Splunk", "date": "2023-10-01", "version": 1, "id": "60466291-3ab4-452b-9c11-456aa2dc7293", "description": "A critical security advisory was released by Progress Software on September 27, 2023, concerning multiple vulnerabilities in WS_FTP Server, a widely-used secure file transfer solution. The two critical vulnerabilities are CVE-2023-40044, a .NET deserialization flaw, and CVE-2023-42657, a directory traversal vulnerability. Rapid7 has observed active exploitation of these vulnerabilities. Affected versions are prior to 8.7.4 and 8.8.2. Immediate action is advised - upgrade to WS_FTP Server version 8.8.2. For those unable to update, disabling the Ad Hoc Transfer module is suggested as a temporary measure. This comes in the wake of increased scrutiny following the Cl0p ransomware attack on MOVEit Transfer in May 2023.", "references": ["https://www.assetnote.io/resources/research/rce-in-progress-ws-ftp-ad-hoc-via-iis-http-modules-cve-2023-40044", "https://community.progress.com/s/article/WS-FTP-Server-Critical-Vulnerability-September-2023", "https://www.cve.org/CVERecord?id=CVE-2023-40044", "https://www.rapid7.com/blog/post/2023/09/29/etr-critical-vulnerabilities-in-ws_ftp-server/", "https://www.splunk.com/en_us/blog/security/fantastic-iis-modules-and-how-to-find-them.html"], "narrative": "Two critical vulnerabilities have been identified in WS_FTP Server, a widely-used secure file transfer solution. The first, CVE-2023-40044, is a .NET deserialization flaw that targets the Ad Hoc Transfer module of WS_FTP Server versions earlier than 8.7.4 and 8.8.2. This flaw allows an attacker to execute arbitrary commands on the server's operating system without needing authentication. The second vulnerability, CVE-2023-42657, is a directory traversal flaw that allows attackers to perform unauthorized file operations outside of their authorized WS_FTP folder. In severe cases, the attacker could escape the WS_FTP Server file structure and perform operations on the underlying operating system. Both vulnerabilities have been observed being exploited in the wild and immediate action for mitigation is strongly advised. Updating to WS_FTP Server version 8.8.2 is recommended. For those unable to update, disabling the Ad Hoc Transfer module is suggested as a temporary measure.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.004", "mitre_attack_technique": "IIS Components", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "APT5", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}], "mitre_attack_tactics": ["Persistence"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation"]}, "detection_names": ["ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows IIS Components Get-WebGlobalModule Module Query - Rule", "ESCU - WS FTP Remote Code Execution - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}, {"name": "Windows IIS Components Get-WebGlobalModule Module Query", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "IIS Components"}, {"mitre_attack_technique": "Server Software Component"}]}, {"name": "WS FTP Remote Code Execution", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}]}, {"name": "XMRig", "author": "Teoderick Contreras, Rod Soto Splunk", "date": "2021-05-07", "version": 1, "id": "06723e6a-6bd8-4817-ace2-5fb8a7b06628", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the xmrig monero, including looking for file writes associated with its payload, process command-line, defense evasion (killing services, deleting users, modifying files or folder permission, killing other malware or other coin miner) and hacking tools including Telegram as mean of Command And Control (C2) to download other files. Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems which may impact system and/or hosted service availability. One common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive. (1) Servers and cloud-based (2) systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.", "references": ["https://github.com/xmrig/xmrig", "https://www.getmonero.org/resources/user-guides/mine-to-pool.html", "https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/", "https://blog.checkpoint.com/2021/03/11/february-2021s-most-wanted-malware-trickbot-takes-over-following-emotet-shutdown/"], "narrative": "XMRig is a high performance, open source, cross platform RandomX, KawPow, CryptoNight and AstroBWT unified CPU/GPU miner. This monero is seen in the wild on May 2017.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1036.005", "mitre_attack_technique": "Match Legitimate Name or Location", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT32", "APT39", "APT41", "APT5", "Aoqin Dragon", "BRONZE BUTLER", "BackdoorDiplomacy", "Blue Mockingbird", "Carbanak", "Chimera", "Darkhotel", "Earth Lusca", "FIN13", "FIN7", "Ferocious Kitten", "Fox Kitten", "Gamaredon Group", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Naikon", "PROMETHIUM", "Patchwork", "Poseidon Group", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "Sowbug", "TA2541", "TeamTNT", "ToddyCat", "Transparent Tribe", "Tropic Trooper", "Volt Typhoon", "WIRTE", "Whitefly", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1595", "mitre_attack_technique": "Active Scanning", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1531", "mitre_attack_technique": "Account Access Removal", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Akira", "LAPSUS$"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Reconnaissance", "Persistence", "Execution", "Privilege Escalation", "Impact", "Discovery", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Command and Control", "Reconnaissance", "Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Attacker Tools On Endpoint - Rule", "ESCU - Deleting Of Net Users - Rule", "ESCU - Disable Windows App Hotkeys - Rule", "ESCU - Disabling Net User Account - Rule", "ESCU - Download Files Using Telegram - Rule", "ESCU - Enumerate Users Local Group Using Telegram - Rule", "ESCU - Excessive Attempt To Disable Services - Rule", "ESCU - Excessive Service Stop Attempt - Rule", "ESCU - Excessive Usage Of Cacls App - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Excessive Usage Of Taskkill - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Hide User Account From Sign-In Screen - Rule", "ESCU - Icacls Deny Command - Rule", "ESCU - ICACLS Grant Command - Rule", "ESCU - Modify ACL permission To Files Or Folder - Rule", "ESCU - Process Kill Base On File Path - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Suspicious Driver Loaded Path - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - XMRIG Driver Loaded - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Rod Soto Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Attacker Tools On Endpoint", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Match Legitimate Name or Location"}, {"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "Active Scanning"}]}, {"name": "Deleting Of Net Users", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Access Removal"}]}, {"name": "Disable Windows App Hotkeys", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}, {"name": "Disabling Net User Account", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Access Removal"}]}, {"name": "Download Files Using Telegram", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Enumerate Users Local Group Using Telegram", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Discovery"}]}, {"name": "Excessive Attempt To Disable Services", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Service Stop"}]}, {"name": "Excessive Service Stop Attempt", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Service Stop"}]}, {"name": "Excessive Usage Of Cacls App", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Account Access Removal"}]}, {"name": "Excessive Usage Of Taskkill", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Hide User Account From Sign-In Screen", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Icacls Deny Command", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}, {"name": "ICACLS Grant Command", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}, {"name": "Modify ACL permission To Files Or Folder", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}, {"name": "Process Kill Base On File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Schtasks Run Task On Demand", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Suspicious Driver Loaded Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "XMRIG Driver Loaded", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}]}, {"name": "Zscaler Browser Proxy Threats", "author": "Rod Soto, Gowthamaraj Rajendran", "date": "2023-10-25", "version": 1, "id": "5d4ba315-39df-4309-982f-a7052efccffd", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to malicious activity from Zscaler. This also encompasses monitoring for events such as users downloading harmful files or accessing websites that pose a risk to system and network security. Additionally, the narrative extends to the detection of insider threats, ensuring comprehensive protection from both external and internal vulnerabilities. By leveraging Zscaler with Splunk, organizations can fortify their defenses, safeguarding against a wide spectrum of cyber threats and maintaining a secure operational environment.", "references": ["https://threatlibrary.zscaler.com/", "https://help.zscaler.com/zia/about-threat-categories"], "narrative": "Zscaler Client Connector is an application installed on your device to ensure that your internet traffic and access to your organization's internal apps are secure and in compliance with your organization's policies, even when you're off your corporate network.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Risk"], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - Zscaler Adware Activities Threat Blocked - Rule", "ESCU - Zscaler Behavior Analysis Threat Blocked - Rule", "ESCU - Zscaler CryptoMiner Downloaded Threat Blocked - Rule", "ESCU - Zscaler Employment Search Web Activity - Rule", "ESCU - Zscaler Exploit Threat Blocked - Rule", "ESCU - Zscaler Legal Liability Threat Blocked - Rule", "ESCU - Zscaler Malware Activity Threat Blocked - Rule", "ESCU - Zscaler Phishing Activity Threat Blocked - Rule", "ESCU - Zscaler Potentially Abused File Download - Rule", "ESCU - Zscaler Privacy Risk Destinations Threat Blocked - Rule", "ESCU - Zscaler Scam Destinations Threat Blocked - Rule", "ESCU - Zscaler Virus Download threat blocked - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Gowthamaraj Rajendran", "author_name": "Rod Soto", "detections": [{"name": "Zscaler Adware Activities Threat Blocked", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Phishing"}]}, {"name": "Zscaler Behavior Analysis Threat Blocked", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Phishing"}]}, {"name": "Zscaler CryptoMiner Downloaded Threat Blocked", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Phishing"}]}, {"name": "Zscaler Employment Search Web Activity", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Phishing"}]}, {"name": "Zscaler Exploit Threat Blocked", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}]}, {"name": "Zscaler Legal Liability Threat Blocked", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Phishing"}]}, {"name": "Zscaler Malware Activity Threat Blocked", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Phishing"}]}, {"name": "Zscaler Phishing Activity Threat Blocked", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Phishing"}]}, {"name": "Zscaler Potentially Abused File Download", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Phishing"}]}, {"name": "Zscaler Privacy Risk Destinations Threat Blocked", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Phishing"}]}, {"name": "Zscaler Scam Destinations Threat Blocked", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Phishing"}]}, {"name": "Zscaler Virus Download threat blocked", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Phishing"}]}]}]} \ No newline at end of file +{"stories": [{"name": "3CX Supply Chain Attack", "author": "Michael Haag, Splunk", "date": "2023-03-30", "version": 1, "id": "c4d7618c-73a7-4f7c-8071-060c36850785", "description": "On March 29, 2023, CrowdStrike Falcon OverWatch observed unexpected malicious activity emanating from a legitimate, signed binary, 3CXDesktopApp, a softphone application from 3CX. The malicious activity includes beaconing to actor controlled infrastructure, deployment of second stage payloads, and, in a small number of cases, hands on keyboard activity. (CrowdStrike)", "references": ["https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/", "https://www.cisa.gov/news-events/alerts/2023/03/30/supply-chain-attack-against-3cxdesktopapp", "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/", "https://www.3cx.com/community/threads/crowdstrike-endpoint-security-detection-re-3cx-desktop-app.119934/page-2#post-558898", "https://www.3cx.com/community/threads/3cx-desktopapp-security-alert.119951/", "https://www.elastic.co/security-labs/elastic-users-protected-from-suddenicon-supply-chain-attack", "https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/"], "narrative": "On March 22, 2023, cybersecurity firm SentinelOne observed a surge in behavioral detections of trojanized 3CXDesktopApp installers, a popular PABX voice and video conferencing software. The multi-stage attack chain, which automatically quarantines trojanized installers, involves downloading ICO files with base64 data from GitHub and eventually leads to a 3rd stage infostealer DLL that is still under analysis. While the Mac installer remains unconfirmed as trojanized, ongoing investigations are also examining other potentially compromised applications, such as Chrome extensions. The threat actor behind the supply chain compromise, which started in February 2022, has used a code signing certificate to sign the trojanized binaries, but connections to existing threat clusters remain unclear. SentinelOne updated their IOCs on March 30th, 2023, with contributions from the research community and continues to monitor the situation for further developments. 3CX identified the vulnerability in the recent versions 18.12.407 and 18.12.416 for the desktop app. A new certificate for the app will also be produced.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1195.002", "mitre_attack_technique": "Compromise Software Supply Chain", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT41", "Cobalt Group", "Dragonfly", "FIN7", "GOLD SOUTHFIELD", "Sandworm Team", "Threat Group-3390"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "Malteiro", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "APT41", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Malteiro", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Initial Access", "Credential Access"], "datamodels": ["Endpoint", "Network_Resolution"], "kill_chain_phases": ["Delivery", "Exploitation"]}, "detection_names": ["ESCU - 3CX Supply Chain Attack Network Indicators - Rule", "ESCU - Hunting 3CXDesktopApp Software - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Windows Vulnerable 3CX Software - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "3CX Supply Chain Attack Network Indicators", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Software Supply Chain"}]}, {"name": "Hunting 3CXDesktopApp Software", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Compromise Software Supply Chain"}]}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "Windows Vulnerable 3CX Software", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Software Supply Chain"}]}]}, {"name": "Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring", "author": "Matthew Moore, Patrick Bareiss, Splunk", "date": "2024-01-08", "version": 1, "id": "7589023b-3d98-42b3-ab1c-bb498e68fc2d", "description": "Kubernetes, a complex container orchestration system, is susceptible to a variety of security threats. This story delves into the different strategies and methods adversaries employ to exploit Kubernetes environments. These include attacks on the control plane, exploitation of misconfigurations, and breaches of containerized applications. Observability data, such as metrics, play a crucial role in identifying abnormal and potentially malicious behavior within these environments.", "references": ["https://kubernetes.io/docs/concepts/security/", "https://splunkbase.splunk.com/app/5247"], "narrative": "Kubernetes, a complex container orchestration system, is a prime target for adversaries due to its widespread use and inherent complexity. This story focuses on the abnormal behavior within Kubernetes environments that can be indicative of security threats. Key areas of concern include the control plane, worker nodes, and network communication, all of which can be exploited by attackers. Observability data, such as metrics, play a crucial role in identifying these abnormal behaviors. These behaviors could be a result of attacks on the control plane, exploitation of misconfigurations, or breaches of containerized applications. For instance, attackers may attempt to exploit vulnerabilities in the Kubernetes API, misconfigured containers, or insecure network policies. The control plane, which manages cluster operations, is a prime target and its compromise can give attackers control over the entire cluster. Worker nodes, which run the containerized applications, can also be targeted to disrupt services or to gain access to sensitive data.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}], "mitre_attack_tactics": ["Execution"], "datamodels": [], "kill_chain_phases": ["Installation"]}, "detection_names": ["ESCU - Kubernetes Anomalous Inbound Network Activity from Process - Rule", "ESCU - Kubernetes Anomalous Inbound Outbound Network IO - Rule", "ESCU - Kubernetes Anomalous Inbound to Outbound Network IO Ratio - Rule", "ESCU - Kubernetes Anomalous Outbound Network Activity from Process - Rule", "ESCU - Kubernetes Anomalous Traffic on Network Edge - Rule", "ESCU - Kubernetes newly seen TCP edge - Rule", "ESCU - Kubernetes newly seen UDP edge - Rule", "ESCU - Kubernetes Previously Unseen Container Image Name - Rule", "ESCU - Kubernetes Previously Unseen Process - Rule", "ESCU - Kubernetes Process Running From New Path - Rule", "ESCU - Kubernetes Process with Anomalous Resource Utilisation - Rule", "ESCU - Kubernetes Process with Resource Ratio Anomalies - Rule", "ESCU - Kubernetes Shell Running on Worker Node - Rule", "ESCU - Kubernetes Shell Running on Worker Node with CPU Activity - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Patrick Bareiss, Splunk", "author_name": "Matthew Moore", "detections": [{"name": "Kubernetes Anomalous Inbound Network Activity from Process", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Kubernetes Anomalous Inbound Outbound Network IO", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Kubernetes Anomalous Inbound to Outbound Network IO Ratio", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Kubernetes Anomalous Outbound Network Activity from Process", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Kubernetes Anomalous Traffic on Network Edge", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Kubernetes newly seen TCP edge", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Kubernetes newly seen UDP edge", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Kubernetes Previously Unseen Container Image Name", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Kubernetes Previously Unseen Process", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Kubernetes Process Running From New Path", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Kubernetes Process with Anomalous Resource Utilisation", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Kubernetes Process with Resource Ratio Anomalies", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Kubernetes Shell Running on Worker Node", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Kubernetes Shell Running on Worker Node with CPU Activity", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}]}, {"name": "AcidRain", "author": "Teoderick Contreras, Splunk", "date": "2022-04-12", "version": 1, "id": "c68717c6-4938-434b-987c-e1ce9d516124", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the acidrain malware including deleting of files and etc. AcidRain is an ELF MIPS malware specifically designed to wipe modems and routers. The complete list of targeted devices is unknown at this time, but WatchGuard FireBox has specifically been listed as a target. This malware is capable of wiping and deleting non-standard linux files and overwriting storage device files that might related to router, ssd card and many more.", "references": ["https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/"], "narrative": "Adversaries may use this technique to maximize the impact on the target organization in operations where network wide availability interruption is the goal.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}], "mitre_attack_tactics": ["Impact", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Linux Account Manipulation Of SSH Config and Keys - Rule", "ESCU - Linux Deletion Of Cron Jobs - Rule", "ESCU - Linux Deletion Of Init Daemon Script - Rule", "ESCU - Linux Deletion Of Services - Rule", "ESCU - Linux Deletion of SSL Certificate - Rule", "ESCU - Linux High Frequency Of File Deletion In Etc Folder - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Linux Account Manipulation Of SSH Config and Keys", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Linux Deletion Of Cron Jobs", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Linux Deletion Of Init Daemon Script", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Linux Deletion Of Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Linux Deletion of SSL Certificate", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Linux High Frequency Of File Deletion In Etc Folder", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}]}, {"name": "Active Directory Discovery", "author": "Mauricio Velazco, Splunk", "date": "2021-08-20", "version": 1, "id": "8460679c-2b21-463e-b381-b813417c32f2", "description": "Monitor for activities and techniques associated with Discovery and Reconnaissance within with Active Directory environments.", "references": ["https://attack.mitre.org/tactics/TA0007/", "https://adsecurity.org/?p=2535", "https://attack.mitre.org/techniques/T1087/001/", "https://attack.mitre.org/techniques/T1087/002/", "https://attack.mitre.org/techniques/T1087/003/", "https://attack.mitre.org/techniques/T1482/", "https://attack.mitre.org/techniques/T1201/", "https://attack.mitre.org/techniques/T1069/001/", "https://attack.mitre.org/techniques/T1069/002/", "https://attack.mitre.org/techniques/T1018/", "https://attack.mitre.org/techniques/T1049/", "https://attack.mitre.org/techniques/T1033/"], "narrative": "Discovery consists of techniques an adversay uses to gain knowledge about an internal environment or network. These techniques provide adversaries with situational awareness and allows them to have the necessary information before deciding how to act or who/what to target next.\nOnce an attacker obtains an initial foothold in an Active Directory environment, she is forced to engage in Discovery techniques in the initial phases of a breach to better understand and navigate the target network. Some examples include but are not limited to enumerating domain users, domain admins, computers, domain controllers, network shares, group policy objects, domain trusts, etc.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}, {"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Akira", "Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "APT5", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1016.001", "mitre_attack_technique": "Internet Connection Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT29", "FIN13", "FIN8", "Gamaredon Group", "HAFNIUM", "HEXANE", "Magic Hound", "TA2541", "Turla"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "FIN7", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "ToddyCat", "Turla", "Volt Typhoon"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT41", "BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Scattered Spider", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1201", "mitre_attack_technique": "Password Policy Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "OilRig", "Turla"]}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT41", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1135", "mitre_attack_technique": "Network Share Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT32", "APT38", "APT39", "APT41", "Chimera", "DarkVishnya", "Dragonfly", "FIN13", "Sowbug", "Tonto Team", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1570", "mitre_attack_technique": "Lateral Tool Transfer", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT32", "APT41", "Aoqin Dragon", "Chimera", "FIN10", "GALLIUM", "Magic Hound", "Sandworm Team", "Turla", "Volt Typhoon", "Wizard Spider"]}, {"mitre_attack_id": "T1078.002", "mitre_attack_technique": "Domain Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT5", "Chimera", "Cinnamon Tempest", "Indrik Spider", "Magic Hound", "Naikon", "Sandworm Team", "TA505", "Threat Group-1314", "ToddyCat", "Volt Typhoon", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Akira", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Scattered Spider", "Silence", "Threat Group-3390", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}], "mitre_attack_tactics": ["Initial Access", "Discovery", "Privilege Escalation", "Credential Access", "Persistence", "Execution", "Defense Evasion", "Lateral Movement"], "datamodels": ["Network_Traffic", "Endpoint"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation"]}, "detection_names": ["ESCU - AdsiSearcher Account Discovery - Rule", "ESCU - Domain Account Discovery with Dsquery - Rule", "ESCU - Domain Account Discovery With Net App - Rule", "ESCU - Domain Account Discovery with Wmic - Rule", "ESCU - Domain Controller Discovery with Nltest - Rule", "ESCU - Domain Controller Discovery with Wmic - Rule", "ESCU - Domain Group Discovery with Adsisearcher - Rule", "ESCU - Domain Group Discovery With Dsquery - Rule", "ESCU - Domain Group Discovery With Net - Rule", "ESCU - Domain Group Discovery With Wmic - Rule", "ESCU - DSQuery Domain Discovery - Rule", "ESCU - Elevated Group Discovery With Net - Rule", "ESCU - Elevated Group Discovery with PowerView - Rule", "ESCU - Elevated Group Discovery With Wmic - Rule", "ESCU - Get ADDefaultDomainPasswordPolicy with Powershell - Rule", "ESCU - Get ADDefaultDomainPasswordPolicy with Powershell Script Block - Rule", "ESCU - Get ADUser with PowerShell - Rule", "ESCU - Get ADUser with PowerShell Script Block - Rule", "ESCU - Get ADUserResultantPasswordPolicy with Powershell - Rule", "ESCU - Get ADUserResultantPasswordPolicy with Powershell Script Block - Rule", "ESCU - Get DomainPolicy with Powershell - Rule", "ESCU - Get DomainPolicy with Powershell Script Block - Rule", "ESCU - Get-DomainTrust with PowerShell - Rule", "ESCU - Get-DomainTrust with PowerShell Script Block - Rule", "ESCU - Get DomainUser with PowerShell - Rule", "ESCU - Get DomainUser with PowerShell Script Block - Rule", "ESCU - Get-ForestTrust with PowerShell - Rule", "ESCU - Get-ForestTrust with PowerShell Script Block - Rule", "ESCU - Get WMIObject Group Discovery - Rule", "ESCU - Get WMIObject Group Discovery with Script Block Logging - Rule", "ESCU - GetAdComputer with PowerShell - Rule", "ESCU - GetAdComputer with PowerShell Script Block - Rule", "ESCU - GetAdGroup with PowerShell - Rule", "ESCU - GetAdGroup with PowerShell Script Block - Rule", "ESCU - GetCurrent User with PowerShell - Rule", "ESCU - GetCurrent User with PowerShell Script Block - Rule", "ESCU - GetDomainComputer with PowerShell - Rule", "ESCU - GetDomainComputer with PowerShell Script Block - Rule", "ESCU - GetDomainController with PowerShell - Rule", "ESCU - GetDomainController with PowerShell Script Block - Rule", "ESCU - GetDomainGroup with PowerShell - Rule", "ESCU - GetDomainGroup with PowerShell Script Block - Rule", "ESCU - GetLocalUser with PowerShell - Rule", "ESCU - GetLocalUser with PowerShell Script Block - Rule", "ESCU - GetNetTcpconnection with PowerShell - Rule", "ESCU - GetNetTcpconnection with PowerShell Script Block - Rule", "ESCU - GetWmiObject Ds Computer with PowerShell - Rule", "ESCU - GetWmiObject Ds Computer with PowerShell Script Block - Rule", "ESCU - GetWmiObject Ds Group with PowerShell - Rule", "ESCU - GetWmiObject Ds Group with PowerShell Script Block - Rule", "ESCU - GetWmiObject DS User with PowerShell - Rule", "ESCU - GetWmiObject DS User with PowerShell Script Block - Rule", "ESCU - GetWmiObject User Account with PowerShell - Rule", "ESCU - GetWmiObject User Account with PowerShell Script Block - Rule", "ESCU - Local Account Discovery with Net - Rule", "ESCU - Local Account Discovery With Wmic - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Connection Discovery With Net - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Network Discovery Using Route Windows App - Rule", "ESCU - NLTest Domain Trust Discovery - Rule", "ESCU - Password Policy Discovery with Net - Rule", "ESCU - PowerShell Get LocalGroup Discovery - Rule", "ESCU - Powershell Get LocalGroup Discovery with Script Block Logging - Rule", "ESCU - Remote System Discovery with Adsisearcher - Rule", "ESCU - Remote System Discovery with Dsquery - Rule", "ESCU - Remote System Discovery with Net - Rule", "ESCU - Remote System Discovery with Wmic - Rule", "ESCU - ServicePrincipalNames Discovery with PowerShell - Rule", "ESCU - ServicePrincipalNames Discovery with SetSPN - Rule", "ESCU - System User Discovery With Query - Rule", "ESCU - System User Discovery With Whoami - Rule", "ESCU - User Discovery With Env Vars PowerShell - Rule", "ESCU - User Discovery With Env Vars PowerShell Script Block - Rule", "ESCU - Windows AD Abnormal Object Access Activity - Rule", "ESCU - Windows AD Privileged Object Access Activity - Rule", "ESCU - Windows File Share Discovery With Powerview - Rule", "ESCU - Windows Find Domain Organizational Units with GetDomainOU - Rule", "ESCU - Windows Find Interesting ACL with FindInterestingDomainAcl - Rule", "ESCU - Windows Forest Discovery with GetForestDomain - Rule", "ESCU - Windows Get Local Admin with FindLocalAdminAccess - Rule", "ESCU - Windows Hidden Schedule Task Settings - Rule", "ESCU - Windows Lateral Tool Transfer RemCom - Rule", "ESCU - Windows Linked Policies In ADSI Discovery - Rule", "ESCU - Windows PowerView AD Access Control List Enumeration - Rule", "ESCU - Windows Root Domain linked policies Discovery - Rule", "ESCU - Windows Service Create RemComSvc - Rule", "ESCU - Windows Suspect Process With Authentication Traffic - Rule", "ESCU - Wmic Group Discovery - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "AdsiSearcher Account Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Domain Account Discovery with Dsquery", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Domain Account Discovery With Net App", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Domain Account Discovery with Wmic", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Domain Controller Discovery with Nltest", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "Domain Controller Discovery with Wmic", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "Domain Group Discovery with Adsisearcher", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}, {"name": "Domain Group Discovery With Dsquery", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}, {"name": "Domain Group Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}, {"name": "Domain Group Discovery With Wmic", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}, {"name": "DSQuery Domain Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Trust Discovery"}]}, {"name": "Elevated Group Discovery With Net", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}, {"name": "Elevated Group Discovery with PowerView", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}, {"name": "Elevated Group Discovery With Wmic", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}, {"name": "Get ADDefaultDomainPasswordPolicy with Powershell", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Password Policy Discovery"}]}, {"name": "Get ADDefaultDomainPasswordPolicy with Powershell Script Block", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Password Policy Discovery"}]}, {"name": "Get ADUser with PowerShell", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Get ADUser with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Get ADUserResultantPasswordPolicy with Powershell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Policy Discovery"}]}, {"name": "Get ADUserResultantPasswordPolicy with Powershell Script Block", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Policy Discovery"}]}, {"name": "Get DomainPolicy with Powershell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Policy Discovery"}]}, {"name": "Get DomainPolicy with Powershell Script Block", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Policy Discovery"}]}, {"name": "Get-DomainTrust with PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Trust Discovery"}]}, {"name": "Get-DomainTrust with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Trust Discovery"}]}, {"name": "Get DomainUser with PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Get DomainUser with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Get-ForestTrust with PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Trust Discovery"}]}, {"name": "Get-ForestTrust with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Trust Discovery"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Get WMIObject Group Discovery", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}, {"name": "Get WMIObject Group Discovery with Script Block Logging", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}, {"name": "GetAdComputer with PowerShell", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "GetAdComputer with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "GetAdGroup with PowerShell", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}, {"name": "GetAdGroup with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}, {"name": "GetCurrent User with PowerShell", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Owner/User Discovery"}]}, {"name": "GetCurrent User with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Owner/User Discovery"}]}, {"name": "GetDomainComputer with PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "GetDomainComputer with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "GetDomainController with PowerShell", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "GetDomainController with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "GetDomainGroup with PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}, {"name": "GetDomainGroup with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}, {"name": "GetLocalUser with PowerShell", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}]}, {"name": "GetLocalUser with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "GetNetTcpconnection with PowerShell", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "GetNetTcpconnection with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "GetWmiObject Ds Computer with PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "GetWmiObject Ds Computer with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "GetWmiObject Ds Group with PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}, {"name": "GetWmiObject Ds Group with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}, {"name": "GetWmiObject DS User with PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "GetWmiObject DS User with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "GetWmiObject User Account with PowerShell", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}]}, {"name": "GetWmiObject User Account with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Local Account Discovery with Net", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}]}, {"name": "Local Account Discovery With Wmic", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}]}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}, {"name": "Network Connection Discovery With Arp", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "Network Connection Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "Network Discovery Using Route Windows App", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Internet Connection Discovery"}]}, {"name": "NLTest Domain Trust Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Trust Discovery"}]}, {"name": "Password Policy Discovery with Net", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Password Policy Discovery"}]}, {"name": "PowerShell Get LocalGroup Discovery", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}, {"name": "Powershell Get LocalGroup Discovery with Script Block Logging", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}, {"name": "Remote System Discovery with Adsisearcher", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "Remote System Discovery with Dsquery", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "Remote System Discovery with Net", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "Remote System Discovery with Wmic", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "ServicePrincipalNames Discovery with PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Kerberoasting"}]}, {"name": "ServicePrincipalNames Discovery with SetSPN", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Kerberoasting"}]}, {"name": "System User Discovery With Query", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Owner/User Discovery"}]}, {"name": "System User Discovery With Whoami", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Owner/User Discovery"}]}, {"name": "User Discovery With Env Vars PowerShell", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Owner/User Discovery"}]}, {"name": "User Discovery With Env Vars PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Owner/User Discovery"}]}, {"name": "Windows AD Abnormal Object Access Activity", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Account"}]}, {"name": "Windows AD Privileged Object Access Activity", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Account"}]}, {"name": "Windows File Share Discovery With Powerview", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Network Share Discovery"}]}, {"name": "Windows Find Domain Organizational Units with GetDomainOU", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Account"}]}, {"name": "Windows Find Interesting ACL with FindInterestingDomainAcl", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Account"}]}, {"name": "Windows Forest Discovery with GetForestDomain", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Account"}]}, {"name": "Windows Get Local Admin with FindLocalAdminAccess", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Account"}]}, {"name": "Windows Hidden Schedule Task Settings", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Windows Lateral Tool Transfer RemCom", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Lateral Tool Transfer"}]}, {"name": "Windows Linked Policies In ADSI Discovery", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Windows PowerView AD Access Control List Enumeration", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Accounts"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}, {"name": "Windows Root Domain linked policies Discovery", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Windows Service Create RemComSvc", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Windows Suspect Process With Authentication Traffic", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "User Execution"}, {"mitre_attack_technique": "Malicious File"}]}, {"name": "Wmic Group Discovery", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}]}, {"name": "Active Directory Kerberos Attacks", "author": "Mauricio Velazco, Splunk", "date": "2022-02-02", "version": 1, "id": "38b8cf16-8461-11ec-ade1-acde48001122", "description": "Monitor for activities and techniques associated with Kerberos based attacks within with Active Directory environments.", "references": ["https://en.wikipedia.org/wiki/Kerberos_(protocol)", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/2a32282e-dd48-4ad9-a542-609804b02cc9", "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", "https://stealthbits.com/blog/cracking-active-directory-passwords-with-as-rep-roasting/", "https://attack.mitre.org/techniques/T1558/003/", "https://attack.mitre.org/techniques/T1550/003/", "https://attack.mitre.org/techniques/T1558/004/"], "narrative": "Kerberos, initially named after Cerberus, the three-headed dog in Greek mythology, is a network authentication protocol that allows computers and users to prove their identity through a trusted third-party. This trusted third-party issues Kerberos tickets using symmetric encryption to allow users access to services and network resources based on their privilege level. Kerberos is the default authentication protocol used on Windows Active Directory networks since the introduction of Windows Server 2003. With Kerberos being the backbone of Windows authentication, it is commonly abused by adversaries across the different phases of a breach including initial access, privilege escalation, defense evasion, credential access, lateral movement, etc.\nThis Analytic Story groups detection use cases in which the Kerberos protocol is abused. Defenders can leverage these analytics to detect and hunt for adversaries engaging in Kerberos based attacks.", "tags": {"category": ["Adversary Tactics", "Account Compromise", "Lateral Movement", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1589", "mitre_attack_technique": "Gather Victim Identity Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["APT32", "FIN13", "HEXANE", "LAPSUS$", "Magic Hound"]}, {"mitre_attack_id": "T1589.002", "mitre_attack_technique": "Email Addresses", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["APT32", "EXOTIC LILY", "HAFNIUM", "HEXANE", "Kimsuky", "LAPSUS$", "Lazarus Group", "Magic Hound", "Sandworm Team", "Silent Librarian", "TA551"]}, {"mitre_attack_id": "T1550.003", "mitre_attack_technique": "Pass the Ticket", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["APT29", "APT32", "BRONZE BUTLER"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.002", "mitre_attack_technique": "Domain Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT5", "Chimera", "Cinnamon Tempest", "Indrik Spider", "Magic Hound", "Naikon", "Sandworm Team", "TA505", "Threat Group-1314", "ToddyCat", "Volt Typhoon", "Wizard Spider"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1558.001", "mitre_attack_technique": "Golden Ticket", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Ke3chang"]}, {"mitre_attack_id": "T1558.004", "mitre_attack_technique": "AS-REP Roasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}, {"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Akira", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Scattered Spider", "Silence", "Threat Group-3390", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}], "mitre_attack_tactics": ["Reconnaissance", "Initial Access", "Discovery", "Credential Access", "Privilege Escalation", "Persistence", "Defense Evasion", "Lateral Movement"], "datamodels": ["Network_Traffic", "Endpoint", "Authentication", "Change"], "kill_chain_phases": ["Delivery", "Reconnaissance", "Installation", "Exploitation"]}, "detection_names": ["ESCU - Disabled Kerberos Pre-Authentication Discovery With Get-ADUser - Rule", "ESCU - Disabled Kerberos Pre-Authentication Discovery With PowerView - Rule", "ESCU - Kerberoasting spn request with RC4 encryption - Rule", "ESCU - Kerberos Pre-Authentication Flag Disabled in UserAccountControl - Rule", "ESCU - Kerberos Pre-Authentication Flag Disabled with PowerShell - Rule", "ESCU - Kerberos Service Ticket Request Using RC4 Encryption - Rule", "ESCU - Kerberos TGT Request Using RC4 Encryption - Rule", "ESCU - Kerberos User Enumeration - Rule", "ESCU - Mimikatz PassTheTicket CommandLine Parameters - Rule", "ESCU - PetitPotam Suspicious Kerberos TGT Request - Rule", "ESCU - Rubeus Command Line Parameters - Rule", "ESCU - Rubeus Kerberos Ticket Exports Through Winlogon Access - Rule", "ESCU - ServicePrincipalNames Discovery with PowerShell - Rule", "ESCU - ServicePrincipalNames Discovery with SetSPN - Rule", "ESCU - Suspicious Kerberos Service Ticket Request - Rule", "ESCU - Suspicious Ticket Granting Ticket Request - Rule", "ESCU - Unknown Process Using The Kerberos Protocol - Rule", "ESCU - Unusual Number of Computer Service Tickets Requested - Rule", "ESCU - Unusual Number of Kerberos Service Tickets Requested - Rule", "ESCU - Windows Computer Account Created by Computer Account - Rule", "ESCU - Windows Computer Account Requesting Kerberos Ticket - Rule", "ESCU - Windows Computer Account With SPN - Rule", "ESCU - Windows Domain Admin Impersonation Indicator - Rule", "ESCU - Windows Get-AdComputer Unconstrained Delegation Discovery - Rule", "ESCU - Windows Kerberos Local Successful Logon - Rule", "ESCU - Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos - Rule", "ESCU - Windows Multiple Invalid Users Fail To Authenticate Using Kerberos - Rule", "ESCU - Windows Multiple Users Failed To Authenticate Using Kerberos - Rule", "ESCU - Windows PowerView Constrained Delegation Discovery - Rule", "ESCU - Windows PowerView Kerberos Service Ticket Request - Rule", "ESCU - Windows PowerView SPN Discovery - Rule", "ESCU - Windows PowerView Unconstrained Delegation Discovery - Rule", "ESCU - Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Users Failed To Auth Using Kerberos - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Disabled Kerberos Pre-Authentication Discovery With Get-ADUser", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "AS-REP Roasting"}]}, {"name": "Disabled Kerberos Pre-Authentication Discovery With PowerView", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "AS-REP Roasting"}]}, {"name": "Kerberoasting spn request with RC4 encryption", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}]}, {"name": "Kerberos Pre-Authentication Flag Disabled in UserAccountControl", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "AS-REP Roasting"}]}, {"name": "Kerberos Pre-Authentication Flag Disabled with PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "AS-REP Roasting"}]}, {"name": "Kerberos Service Ticket Request Using RC4 Encryption", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Golden Ticket"}]}, {"name": "Kerberos TGT Request Using RC4 Encryption", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Use Alternate Authentication Material"}]}, {"name": "Kerberos User Enumeration", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Gather Victim Identity Information"}, {"mitre_attack_technique": "Email Addresses"}]}, {"name": "Mimikatz PassTheTicket CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Use Alternate Authentication Material"}, {"mitre_attack_technique": "Pass the Ticket"}]}, {"name": "PetitPotam Suspicious Kerberos TGT Request", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Rubeus Command Line Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Use Alternate Authentication Material"}, {"mitre_attack_technique": "Pass the Ticket"}, {"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}, {"mitre_attack_technique": "AS-REP Roasting"}]}, {"name": "Rubeus Kerberos Ticket Exports Through Winlogon Access", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Use Alternate Authentication Material"}, {"mitre_attack_technique": "Pass the Ticket"}]}, {"name": "ServicePrincipalNames Discovery with PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Kerberoasting"}]}, {"name": "ServicePrincipalNames Discovery with SetSPN", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Kerberoasting"}]}, {"name": "Suspicious Kerberos Service Ticket Request", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Domain Accounts"}]}, {"name": "Suspicious Ticket Granting Ticket Request", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Domain Accounts"}]}, {"name": "Unknown Process Using The Kerberos Protocol", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Use Alternate Authentication Material"}]}, {"name": "Unusual Number of Computer Service Tickets Requested", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "Unusual Number of Kerberos Service Tickets Requested", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}]}, {"name": "Windows Computer Account Created by Computer Account", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}, {"name": "Windows Computer Account Requesting Kerberos Ticket", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}, {"name": "Windows Computer Account With SPN", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}, {"name": "Windows Domain Admin Impersonation Indicator", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}, {"name": "Windows Get-AdComputer Unconstrained Delegation Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "Windows Kerberos Local Successful Logon", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}, {"name": "Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Multiple Invalid Users Fail To Authenticate Using Kerberos", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Multiple Users Failed To Authenticate Using Kerberos", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows PowerView Constrained Delegation Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "Windows PowerView Kerberos Service Ticket Request", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}]}, {"name": "Windows PowerView SPN Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}]}, {"name": "Windows PowerView Unconstrained Delegation Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Unusual Count Of Users Failed To Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}]}, {"name": "Active Directory Lateral Movement", "author": "David Dorsey, Mauricio Velazco Splunk", "date": "2021-12-09", "version": 3, "id": "399d65dc-1f08-499b-a259-aad9051f38ad", "description": "Detect and investigate tactics, techniques, and procedures around how attackers move laterally within an Active Directory environment. Since lateral movement is often a necessary step in a breach, it is important for cyber defenders to deploy detection coverage.", "references": ["https://www.fireeye.com/blog/executive-perspective/2015/08/malware_lateral_move.html", "http://www.irongeek.com/i.php?page=videos/derbycon7/t405-hunting-lateral-movement-for-fun-and-profit-mauricio-velazco"], "narrative": "Once attackers gain a foothold within an enterprise, they will seek to expand their accesses and leverage techniques that facilitate lateral movement. Attackers will often spend quite a bit of time and effort moving laterally. Because lateral movement renders an attacker the most vulnerable to detection, it's an excellent focus for detection and investigation.\nIndications of lateral movement in an Active Directory network can include the abuse of system utilities (such as `psexec.exe`), unauthorized use of remote desktop services, `file/admin$` shares, WMI, PowerShell, Service Control Manager, the DCOM protocol, WinRM or the abuse of scheduled tasks. Organizations must be extra vigilant in detecting lateral movement techniques and look for suspicious activity in and around high-value strategic network assets, such as Active Directory, which are often considered the primary target or \"crown jewels\" to a persistent threat actor.\nAn adversary can use lateral movement for multiple purposes, including remote execution of tools, pivoting to additional systems, obtaining access to specific information or files, access to additional credentials, exfiltrating data, or delivering a secondary effect. Adversaries may use legitimate credentials alongside inherent network and operating-system functionality to remotely connect to other systems and remain under the radar of network defenders.\nIf there is evidence of lateral movement, it is imperative for analysts to collect evidence of the associated offending hosts. For example, an attacker might leverage host A to gain access to host B. From there, the attacker may try to move laterally to host C. In this example, the analyst should gather as much information as possible from all three hosts.\nIt is also important to collect authentication logs for each host, to ensure that the offending accounts are well-documented. Analysts should account for all processes to ensure that the attackers did not install unauthorized software.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}, {"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "APT5", "Dragonfly", "FIN13", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT", "Wizard Spider"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider", "Scattered Spider"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1210", "mitre_attack_technique": "Exploitation of Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "Dragonfly", "Earth Lusca", "FIN7", "Fox Kitten", "MuddyWater", "Threat Group-3390", "Tonto Team", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1563", "mitre_attack_technique": "Remote Service Session Hijacking", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218.014", "mitre_attack_technique": "MMC", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053.002", "mitre_attack_technique": "At", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "BRONZE BUTLER", "Threat Group-3390"]}, {"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "APT5", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1563.002", "mitre_attack_technique": "RDP Hijacking", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Axiom"]}, {"mitre_attack_id": "T1550.002", "mitre_attack_technique": "Pass the Hash", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["APT1", "APT28", "APT32", "APT41", "Chimera", "FIN13", "GALLIUM", "Kimsuky", "Wizard Spider"]}, {"mitre_attack_id": "T1021.006", "mitre_attack_technique": "Windows Remote Management", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Chimera", "FIN13", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1574.011", "mitre_attack_technique": "Services Registry Permissions Weakness", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1135", "mitre_attack_technique": "Network Share Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT32", "APT38", "APT39", "APT41", "Chimera", "DarkVishnya", "Dragonfly", "FIN13", "Sowbug", "Tonto Team", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}], "mitre_attack_tactics": ["Initial Access", "Discovery", "Credential Access", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Lateral Movement"], "datamodels": ["Risk", "Endpoint", "Change"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation"]}, "detection_names": ["ESCU - Detect Activity Related to Pass the Hash Attacks - Rule", "ESCU - Active Directory Lateral Movement Identified - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Interactive Session on Remote Endpoint with PowerShell - Rule", "ESCU - Mmc LOLBAS Execution Process Spawn - Rule", "ESCU - Possible Lateral Movement PowerShell Spawn - Rule", "ESCU - PowerShell Invoke CIMMethod CIMSession - Rule", "ESCU - PowerShell Start or Stop Service - Rule", "ESCU - Randomly Generated Scheduled Task Name - Rule", "ESCU - Randomly Generated Windows Service Name - Rule", "ESCU - Remote Desktop Process Running On System - Rule", "ESCU - Remote Process Instantiation via DCOM and PowerShell - Rule", "ESCU - Remote Process Instantiation via DCOM and PowerShell Script Block - Rule", "ESCU - Remote Process Instantiation via WinRM and PowerShell - Rule", "ESCU - Remote Process Instantiation via WinRM and PowerShell Script Block - Rule", "ESCU - Remote Process Instantiation via WinRM and Winrs - Rule", "ESCU - Remote Process Instantiation via WMI - Rule", "ESCU - Remote Process Instantiation via WMI and PowerShell - Rule", "ESCU - Remote Process Instantiation via WMI and PowerShell Script Block - Rule", "ESCU - Scheduled Task Creation on Remote Endpoint using At - Rule", "ESCU - Scheduled Task Initiation on Remote Endpoint - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Services LOLBAS Execution Process Spawn - Rule", "ESCU - Short Lived Scheduled Task - Rule", "ESCU - Short Lived Windows Accounts - Rule", "ESCU - Svchost LOLBAS Execution Process Spawn - Rule", "ESCU - Unusual Number of Computer Service Tickets Requested - Rule", "ESCU - Unusual Number of Remote Endpoint Authentication Events - Rule", "ESCU - Windows Administrative Shares Accessed On Multiple Hosts - Rule", "ESCU - Windows Enable Win32 ScheduledJob via Registry - Rule", "ESCU - Windows Large Number of Computer Service Tickets Requested - Rule", "ESCU - Windows Local Administrator Credential Stuffing - Rule", "ESCU - Windows PowerShell Get CIMInstance Remote Computer - Rule", "ESCU - Windows PowerShell WMI Win32 ScheduledJob - Rule", "ESCU - Windows Rapid Authentication On Multiple Hosts - Rule", "ESCU - Windows RDP Connection Successful - Rule", "ESCU - Windows Remote Create Service - Rule", "ESCU - Windows Service Create with Tscon - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows Service Created Within Public Path - Rule", "ESCU - Windows Service Creation on Remote Endpoint - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule", "ESCU - Windows Service Initiation on Remote Endpoint - Rule", "ESCU - Windows Special Privileged Logon On Multiple Hosts - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - Wmiprsve LOLBAS Execution Process Spawn - Rule", "ESCU - Wsmprovhost LOLBAS Execution Process Spawn - Rule", "ESCU - Remote Desktop Network Traffic - Rule"], "investigation_names": ["Investigate Successful Remote Desktop Authentications"], "baseline_names": [], "author_company": "Mauricio Velazco Splunk", "author_name": "David Dorsey", "detections": [{"name": "Detect Activity Related to Pass the Hash Attacks", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "Use Alternate Authentication Material"}, {"mitre_attack_technique": "Pass the Hash"}]}, {"name": "Active Directory Lateral Movement Identified", "source": "endpoint", "type": "Correlation", "tags": [{"mitre_attack_technique": "Exploitation of Remote Services"}]}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Interactive Session on Remote Endpoint with PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Windows Remote Management"}]}, {"name": "Mmc LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "MMC"}]}, {"name": "Possible Lateral Movement PowerShell Spawn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Remote Management"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "MMC"}]}, {"name": "PowerShell Invoke CIMMethod CIMSession", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "PowerShell Start or Stop Service", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "PowerShell"}]}, {"name": "Randomly Generated Scheduled Task Name", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}, {"name": "Randomly Generated Windows Service Name", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Remote Desktop Process Running On System", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "Remote Process Instantiation via DCOM and PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Distributed Component Object Model"}]}, {"name": "Remote Process Instantiation via DCOM and PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Distributed Component Object Model"}]}, {"name": "Remote Process Instantiation via WinRM and PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Windows Remote Management"}]}, {"name": "Remote Process Instantiation via WinRM and PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Windows Remote Management"}]}, {"name": "Remote Process Instantiation via WinRM and Winrs", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Windows Remote Management"}]}, {"name": "Remote Process Instantiation via WMI", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "Remote Process Instantiation via WMI and PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "Remote Process Instantiation via WMI and PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "Scheduled Task Creation on Remote Endpoint using At", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "At"}]}, {"name": "Scheduled Task Initiation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}, {"name": "Schtasks scheduling job on remote system", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Services LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Short Lived Scheduled Task", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}]}, {"name": "Short Lived Windows Accounts", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}, {"name": "Svchost LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}, {"name": "Unusual Number of Computer Service Tickets Requested", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "Unusual Number of Remote Endpoint Authentication Events", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "Windows Administrative Shares Accessed On Multiple Hosts", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Network Share Discovery"}]}, {"name": "Windows Enable Win32 ScheduledJob via Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Scheduled Task"}]}, {"name": "Windows Large Number of Computer Service Tickets Requested", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Network Share Discovery"}, {"mitre_attack_technique": "Valid Accounts"}]}, {"name": "Windows Local Administrator Credential Stuffing", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Credential Stuffing"}]}, {"name": "Windows PowerShell Get CIMInstance Remote Computer", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "PowerShell"}]}, {"name": "Windows PowerShell WMI Win32 ScheduledJob", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows Rapid Authentication On Multiple Hosts", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Security Account Manager"}]}, {"name": "Windows RDP Connection Successful", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "RDP Hijacking"}]}, {"name": "Windows Remote Create Service", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Windows Service Create with Tscon", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "RDP Hijacking"}, {"mitre_attack_technique": "Remote Service Session Hijacking"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Windows Service Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Windows Service Creation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Services Registry Permissions Weakness"}]}, {"name": "Windows Service Initiation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Windows Special Privileged Logon On Multiple Hosts", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Network Share Discovery"}]}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Wmiprsve LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "Wsmprovhost LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Windows Remote Management"}]}, {"name": "Remote Desktop Network Traffic", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}]}, {"name": "Active Directory Password Spraying", "author": "Mauricio Velazco, Splunk", "date": "2021-04-07", "version": 2, "id": "3de109da-97d2-11eb-8b6a-acde48001122", "description": "Monitor for activities and techniques associated with Password Spraying attacks within Active Directory environments.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://www.microsoft.com/security/blog/2020/04/23/protecting-organization-password-spray-attacks/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn452415(v=ws.11)"], "narrative": "In a password spraying attack, adversaries leverage one or a small list of commonly used / popular passwords against a large volume of usernames to acquire valid account credentials. Unlike a Brute Force attack that targets a specific user or small group of users with a large number of passwords, password spraying follows the opposite aproach and increases the chances of obtaining valid credentials while avoiding account lockouts. This allows adversaries to remain undetected if the target organization does not have the proper monitoring and detection controls in place.\nPassword Spraying can be leveraged by adversaries across different stages in an attack. It can be used to obtain an iniial access to an environment but can also be used to escalate privileges when access has been already achieved. In some scenarios, this technique capitalizes on a security policy most organizations implement, password rotation. As enterprise users change their passwords, it is possible some pick predictable, seasonal passwords such as `$CompanyNameWinter`, `Summer2021`, etc.\nSpecifically, this Analytic Story is focused on detecting possible Password Spraying attacks against Active Directory environments leveraging Windows Event Logs in the `Account Logon` and `Logon/Logoff` Advanced Audit Policy categories. It presents 16 detection analytics which can aid defenders in identifying instances where one source user, source host or source process attempts to authenticate against a target or targets using a high or statiscally unsual, number of unique users. A user, host or process attempting to authenticate with multiple users is not common behavior for legitimate systems and should be monitored by security teams. Possible false positive scenarios include but are not limited to vulnerability scanners, remote administration tools, multi-user systems and missconfigured systems. These should be easily spotted when first implementing the detection and addded to an allow list or lookup table. The presented detections can also be used in Threat Hunting exercises.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.002", "mitre_attack_technique": "Domain Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT5", "Chimera", "Cinnamon Tempest", "Indrik Spider", "Magic Hound", "Naikon", "Sandworm Team", "TA505", "Threat Group-1314", "ToddyCat", "Volt Typhoon", "Wizard Spider"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1078.003", "mitre_attack_technique": "Local Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT32", "FIN10", "FIN7", "HAFNIUM", "Kimsuky", "PROMETHIUM", "Tropic Trooper", "Turla"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider", "Scattered Spider"]}, {"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "APT5", "Dragonfly", "FIN13", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT", "Wizard Spider"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}], "mitre_attack_tactics": ["Initial Access", "Privilege Escalation", "Credential Access", "Persistence", "Defense Evasion"], "datamodels": ["Change"], "kill_chain_phases": ["Installation", "Delivery", "Exploitation"]}, "detection_names": ["ESCU - Detect Excessive Account Lockouts From Endpoint - Rule", "ESCU - Detect Excessive User Account Lockouts - Rule", "ESCU - Windows Create Local Account - Rule", "ESCU - Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos - Rule", "ESCU - Windows Multiple Invalid Users Fail To Authenticate Using Kerberos - Rule", "ESCU - Windows Multiple Invalid Users Failed To Authenticate Using NTLM - Rule", "ESCU - Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials - Rule", "ESCU - Windows Multiple Users Failed To Authenticate From Host Using NTLM - Rule", "ESCU - Windows Multiple Users Failed To Authenticate From Process - Rule", "ESCU - Windows Multiple Users Failed To Authenticate Using Kerberos - Rule", "ESCU - Windows Multiple Users Remotely Failed To Authenticate From Host - Rule", "ESCU - Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM - Rule", "ESCU - Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials - Rule", "ESCU - Windows Unusual Count Of Users Failed To Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Users Failed To Authenticate From Process - Rule", "ESCU - Windows Unusual Count Of Users Failed To Authenticate Using NTLM - Rule", "ESCU - Windows Unusual Count Of Users Remotely Failed To Auth From Host - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Detect Excessive Account Lockouts From Endpoint", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Domain Accounts"}]}, {"name": "Detect Excessive User Account Lockouts", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Local Accounts"}]}, {"name": "Windows Create Local Account", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}, {"name": "Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Multiple Invalid Users Fail To Authenticate Using Kerberos", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Multiple Invalid Users Failed To Authenticate Using NTLM", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Multiple Users Failed To Authenticate From Host Using NTLM", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Multiple Users Failed To Authenticate From Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Multiple Users Failed To Authenticate Using Kerberos", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Multiple Users Remotely Failed To Authenticate From Host", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Unusual Count Of Users Failed To Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Unusual Count Of Users Failed To Authenticate From Process", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Unusual Count Of Users Failed To Authenticate Using NTLM", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Unusual Count Of Users Remotely Failed To Auth From Host", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}]}, {"name": "Active Directory Privilege Escalation", "author": "Mauricio Velazco, Splunk", "date": "2023-03-20", "version": 1, "id": "fa34a5d8-df0a-404c-8237-11f99cba1d5f", "description": "Monitor for activities and techniques associated with Privilege Escalation attacks within Active Directory environments.", "references": ["https://attack.mitre.org/tactics/TA0004/", "https://adsecurity.org/?p=3658", "https://adsecurity.org/?p=2362"], "narrative": "Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities.\nActive Directory is a central component of most enterprise networks, providing authentication and authorization services for users, computers, and other resources. It stores sensitive information such as passwords, user accounts, and security policies, and is therefore a high-value target for attackers. Privilege escalation attacks in Active Directory typically involve exploiting vulnerabilities or misconfigurations across the network to gain elevated privileges, such as Domain Administrator access. Once an attacker has escalated their privileges and taken full control of a domain, they can easily move laterally throughout the network, access sensitive data, and carry out further attacks. Security teams should monitor for privilege escalation attacks in Active Directory to identify a breach before attackers achieve operational success.\nThe following analytic story groups detection opportunities that seek to identify an adversary attempting to escalate privileges in an Active Directory network.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1484", "mitre_attack_technique": "Domain or Tenant Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1550.003", "mitre_attack_technique": "Pass the Ticket", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["APT29", "APT32", "BRONZE BUTLER"]}, {"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.002", "mitre_attack_technique": "Domain Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT5", "Chimera", "Cinnamon Tempest", "Indrik Spider", "Magic Hound", "Naikon", "Sandworm Team", "TA505", "Threat Group-1314", "ToddyCat", "Volt Typhoon", "Wizard Spider"]}, {"mitre_attack_id": "T1135", "mitre_attack_technique": "Network Share Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT32", "APT38", "APT39", "APT41", "Chimera", "DarkVishnya", "Dragonfly", "FIN13", "Sowbug", "Tonto Team", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1484.001", "mitre_attack_technique": "Group Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Cinnamon Tempest", "Indrik Spider"]}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}, {"mitre_attack_id": "T1558.001", "mitre_attack_technique": "Golden Ticket", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Ke3chang"]}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}, {"mitre_attack_id": "T1558.004", "mitre_attack_technique": "AS-REP Roasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1552.006", "mitre_attack_technique": "Group Policy Preferences", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "Wizard Spider"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Initial Access", "Discovery", "Privilege Escalation", "Credential Access", "Persistence", "Defense Evasion", "Lateral Movement"], "datamodels": ["Risk", "Endpoint"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation"]}, "detection_names": ["ESCU - Active Directory Privilege Escalation Identified - Rule", "ESCU - Kerberos Service Ticket Request Using RC4 Encryption - Rule", "ESCU - Rubeus Command Line Parameters - Rule", "ESCU - ServicePrincipalNames Discovery with PowerShell - Rule", "ESCU - ServicePrincipalNames Discovery with SetSPN - Rule", "ESCU - Suspicious Computer Account Name Change - Rule", "ESCU - Suspicious Kerberos Service Ticket Request - Rule", "ESCU - Suspicious Ticket Granting Ticket Request - Rule", "ESCU - Unusual Number of Computer Service Tickets Requested - Rule", "ESCU - Unusual Number of Remote Endpoint Authentication Events - Rule", "ESCU - Windows Administrative Shares Accessed On Multiple Hosts - Rule", "ESCU - Windows Admon Default Group Policy Object Modified - Rule", "ESCU - Windows Admon Group Policy Object Created - Rule", "ESCU - Windows Default Group Policy Object Modified - Rule", "ESCU - Windows Default Group Policy Object Modified with GPME - Rule", "ESCU - Windows DnsAdmins New Member Added - Rule", "ESCU - Windows Domain Admin Impersonation Indicator - Rule", "ESCU - Windows File Share Discovery With Powerview - Rule", "ESCU - Windows Findstr GPP Discovery - Rule", "ESCU - Windows Group Policy Object Created - Rule", "ESCU - Windows Large Number of Computer Service Tickets Requested - Rule", "ESCU - Windows Local Administrator Credential Stuffing - Rule", "ESCU - Windows PowerSploit GPP Discovery - Rule", "ESCU - Windows PowerView AD Access Control List Enumeration - Rule", "ESCU - Windows Rapid Authentication On Multiple Hosts - Rule", "ESCU - Windows Special Privileged Logon On Multiple Hosts - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Active Directory Privilege Escalation Identified", "source": "endpoint", "type": "Correlation", "tags": [{"mitre_attack_technique": "Domain or Tenant Policy Modification"}]}, {"name": "Kerberos Service Ticket Request Using RC4 Encryption", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Golden Ticket"}]}, {"name": "Rubeus Command Line Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Use Alternate Authentication Material"}, {"mitre_attack_technique": "Pass the Ticket"}, {"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}, {"mitre_attack_technique": "AS-REP Roasting"}]}, {"name": "ServicePrincipalNames Discovery with PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Kerberoasting"}]}, {"name": "ServicePrincipalNames Discovery with SetSPN", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Kerberoasting"}]}, {"name": "Suspicious Computer Account Name Change", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Domain Accounts"}]}, {"name": "Suspicious Kerberos Service Ticket Request", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Domain Accounts"}]}, {"name": "Suspicious Ticket Granting Ticket Request", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Domain Accounts"}]}, {"name": "Unusual Number of Computer Service Tickets Requested", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "Unusual Number of Remote Endpoint Authentication Events", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "Windows Administrative Shares Accessed On Multiple Hosts", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Network Share Discovery"}]}, {"name": "Windows Admon Default Group Policy Object Modified", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain or Tenant Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}]}, {"name": "Windows Admon Group Policy Object Created", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain or Tenant Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}]}, {"name": "Windows Default Group Policy Object Modified", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain or Tenant Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}]}, {"name": "Windows Default Group Policy Object Modified with GPME", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain or Tenant Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}]}, {"name": "Windows DnsAdmins New Member Added", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}]}, {"name": "Windows Domain Admin Impersonation Indicator", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}, {"name": "Windows File Share Discovery With Powerview", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Network Share Discovery"}]}, {"name": "Windows Findstr GPP Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Unsecured Credentials"}, {"mitre_attack_technique": "Group Policy Preferences"}]}, {"name": "Windows Group Policy Object Created", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain or Tenant Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}, {"mitre_attack_technique": "Domain Accounts"}]}, {"name": "Windows Large Number of Computer Service Tickets Requested", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Network Share Discovery"}, {"mitre_attack_technique": "Valid Accounts"}]}, {"name": "Windows Local Administrator Credential Stuffing", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Credential Stuffing"}]}, {"name": "Windows PowerSploit GPP Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Unsecured Credentials"}, {"mitre_attack_technique": "Group Policy Preferences"}]}, {"name": "Windows PowerView AD Access Control List Enumeration", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Accounts"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}, {"name": "Windows Rapid Authentication On Multiple Hosts", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Security Account Manager"}]}, {"name": "Windows Special Privileged Logon On Multiple Hosts", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Network Share Discovery"}]}]}, {"name": "Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360", "author": "Michael Haag, Splunk", "date": "2023-08-23", "version": 1, "id": "e33e2e38-f9c2-432d-8be6-bc67b92aa82e", "description": "In July 2023, a significant vulnerability, CVE-2023-29298, affecting Adobe ColdFusion was uncovered by Rapid7, shedding light on an access control bypass mechanism. This vulnerability allows attackers to access sensitive ColdFusion Administrator endpoints by exploiting a flaw in the URL path validation. Disturbingly, this flaw can be chained with another critical vulnerability, CVE-2023-26360, which has been actively exploited. The latter enables unauthorized arbitrary code execution and file reading. Adobe has promptly addressed these vulnerabilities, but the intricacies and potential ramifications of their combination underscore the importance of immediate action by organizations. With active exploitation in the wild and the ability to bypass established security measures, the situation is alarming. Organizations are urged to apply the updates provided by Adobe immediately, considering the active threat landscape and the severe implications of these chained vulnerabilities.", "references": ["https://helpx.adobe.com/security/products/coldfusion/apsb23-25.html", "https://twitter.com/stephenfewer/status/1678881017526886400?s=20", "https://www.rapid7.com/blog/post/2023/07/11/cve-2023-29298-adobe-coldfusion-access-control-bypass", "https://www.bleepingcomputer.com/news/security/cisa-warns-of-adobe-coldfusion-bug-exploited-as-a-zero-day/"], "narrative": "Adobe ColdFusion, a prominent application server, has been thrust into the cybersecurity spotlight due to two intertwined vulnerabilities. The first, CVE-2023-29298, identified by Rapid7 in July 2023, pertains to an access control bypass in ColdFusion's security mechanisms. This flaw allows attackers to access protected ColdFusion Administrator endpoints simply by manipulating the URL path, specifically by inserting an additional forward slash. Compounding the threat is the revelation that CVE-2023-29298 can be chained with CVE-2023-26360, another severe ColdFusion vulnerability. This latter vulnerability, which has seen active exploitation, permits unauthorized attackers to execute arbitrary code or read arbitrary files on the affected system. In practice, an attacker could exploit the access control bypass to access sensitive ColdFusion endpoints and subsequently exploit the arbitrary code execution vulnerability, broadening their control and access over the targeted system. The consequences of these vulnerabilities are manifold. Attackers can potentially login to the ColdFusion Administrator with known credentials, bruteforce their way in, leak sensitive information, or exploit other vulnerabilities in the exposed CFM and CFC files. This combination of vulnerabilities significantly heightens the risk profile for organizations using the affected versions of Adobe ColdFusion. Addressing the urgency, Adobe released fixes for these vulnerabilities in July 2023, urging organizations to update to ColdFusion 2023 GA build, ColdFusion 2021 Update 7, and ColdFusion 2018 Update 17. However, Rapid7's disclosure highlights a potential incomplete fix, suggesting that organizations should remain vigilant and proactive in their security measures.\nIn conclusion, the discovery of these vulnerabilities and their potential to be exploited in tandem presents a significant security challenge. Organizations using Adobe ColdFusion must prioritize the application of security updates, monitor their systems closely for signs of intrusion, and remain updated on any further developments related to these vulnerabilities.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Web"], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - Adobe ColdFusion Access Control Bypass - Rule", "ESCU - Adobe ColdFusion Unauthenticated Arbitrary File Read - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Adobe ColdFusion Access Control Bypass", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}, {"name": "Adobe ColdFusion Unauthenticated Arbitrary File Read", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}]}, {"name": "AgentTesla", "author": "Teoderick Contreras, Splunk", "date": "2022-04-12", "version": 1, "id": "9bb6077a-843e-418b-b134-c57ef997103c", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the AgentTesla malware including .chm application child process, ftp/smtp connection, persistence and many more. AgentTesla is one of the advanced remote access trojans (RAT) that are capable of stealing sensitive information from the infected or targeted host machine. It can collect various types of data, including browser profile information, keystrokes, capture screenshots and vpn credentials. AgentTesla has been active malware since 2014 and often delivered as a malicious attachment in phishing emails.It is also the top malware in 2021 based on the CISA report.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla", "https://cert.gov.ua/article/861292", "https://www.cisa.gov/uscert/ncas/alerts/aa22-216a", "https://www.joesandbox.com/analysis/702680/0/html"], "narrative": "Adversaries or threat actor may use this malware to maximize the impact of infection on the target organization in operations where network wide availability interruption is the goal.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1218.001", "mitre_attack_technique": "Compiled HTML File", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "APT41", "Dark Caracal", "OilRig", "Silence"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1071.003", "mitre_attack_technique": "Mail Protocols", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT28", "APT32", "Kimsuky", "SilverTerrier", "Turla"]}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "APT41", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Malteiro", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1014", "mitre_attack_technique": "Rootkit", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT41", "Rocke", "TeamTNT", "Winnti Group"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Magic Hound", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "Malteiro", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1204.001", "mitre_attack_technique": "Malicious Link", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Command And Control", "Initial Access", "Privilege Escalation", "Credential Access", "Persistence", "Execution", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation", "Command and Control"]}, "detection_names": ["ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - Detect HTML Help Spawn Child Process - Rule", "ESCU - Disabling Remote User Account Control - Rule", "ESCU - Excessive Usage Of Taskkill - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Office Application Drop Executable - Rule", "ESCU - Office Application Spawn rundll32 process - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Office Product Spawning CertUtil - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Driver Loaded Path - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Driver Load Non-Standard Path - Rule", "ESCU - Windows Drivers Loaded by Signature - Rule", "ESCU - Windows File Transfer Protocol In Non-Common Process Path - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Mail Protocol In Non-Common Process Path - Rule", "ESCU - Windows Multi hop Proxy TOR Website Query - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Add or Set Windows Defender Exclusion", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Detect HTML Help Spawn Child Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Compiled HTML File"}]}, {"name": "Disabling Remote User Account Control", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Excessive Usage Of Taskkill", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "Office Application Drop Executable", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Application Spawn rundll32 process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawning CertUtil", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "PowerShell Loading DotNET into Memory via Reflection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Suspicious Driver Loaded Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Windows Driver Load Non-Standard Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Rootkit"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}, {"name": "Windows Drivers Loaded by Signature", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Rootkit"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}, {"name": "Windows File Transfer Protocol In Non-Common Process Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Mail Protocols"}, {"mitre_attack_technique": "Application Layer Protocol"}]}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Malicious Link"}, {"mitre_attack_technique": "User Execution"}]}, {"name": "Windows Mail Protocol In Non-Common Process Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Mail Protocols"}, {"mitre_attack_technique": "Application Layer Protocol"}]}, {"name": "Windows Multi hop Proxy TOR Website Query", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Mail Protocols"}, {"mitre_attack_technique": "Application Layer Protocol"}]}, {"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}]}, {"name": "Amadey", "author": "Teoderick Contreras, Splunk", "date": "2023-06-16", "version": 1, "id": "a919a01b-3ea5-4ed4-9cbe-11cd8b64c36c", "description": "This analytic story contains searches that aims to detect activities related to Amadey, a type of malware that primarily operates as a banking Trojan. It is designed to steal sensitive information such as login credentials, credit card details, and other financial data from infected systems. The malware typically targets Windows-based computers.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey", "https://darktrace.com/blog/amadey-info-stealer-exploiting-n-day-vulnerabilities"], "narrative": "Amadey is one of the active trojans that are capable of stealing sensitive information via its from the infected or targeted host machine. It can collect various types of data, including browser profile information, clipboard data, capture screenshots and system information. Adversaries or threat actors may use this malware to maximize the impact of infection on the target organization in operations where data collection and exfiltration is the goal. The primary function is to steal information and further distribute malware. It aims to extract a variety of information from infected devices and attempts to evade the detection of security measures by reducing the volume of data exfiltration compared to that seen in other malicious instances.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1036.008", "mitre_attack_technique": "Masquerade File Type", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Volt Typhoon"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "APT41", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "Volt Typhoon", "ZIRCONIUM"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1566.002", "mitre_attack_technique": "Spearphishing Link", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1222.001", "mitre_attack_technique": "Windows File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1204.001", "mitre_attack_technique": "Malicious Link", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}], "mitre_attack_tactics": ["Initial Access", "Discovery", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Delivery", "Exploitation"]}, "detection_names": ["ESCU - Detect Outlook exe writing a zip file - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Process Creating LNK file in Suspicious Location - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Process Executed From Container File - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Credentials from Password Stores Chrome Extension Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule", "ESCU - Windows Files and Dirs Access Rights Modification Via Icacls - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Powershell RemoteSigned File - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Detect Outlook exe writing a zip file", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Process Creating LNK file in Suspicious Location", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Link"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Suspicious Process Executed From Container File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Malicious File"}, {"mitre_attack_technique": "Masquerade File Type"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Windows Credentials from Password Stores Chrome Extension Access", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Credentials from Password Stores Chrome LocalState Access", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Credentials from Password Stores Chrome Login Data Access", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Files and Dirs Access Rights Modification Via Icacls", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows File and Directory Permissions Modification"}, {"mitre_attack_technique": "File and Directory Permissions Modification"}]}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Malicious Link"}, {"mitre_attack_technique": "User Execution"}]}, {"name": "Windows Powershell RemoteSigned File", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Scheduled Task"}]}]}, {"name": "Apache Struts Vulnerability", "author": "Rico Valdez, Splunk", "date": "2018-12-06", "version": 1, "id": "2dcfd6a2-e7d2-4873-b6ba-adaf819d2a1e", "description": "Detect and investigate activities--such as unusually long `Content-Type` length, suspicious java classes and web servers executing suspicious processes--consistent with attempts to exploit Apache Struts vulnerabilities.", "references": ["https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.2/dev/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf"], "narrative": "In March of 2017, a remote code-execution vulnerability in the Jakarta Multipart parser in Apache Struts, a widely used open-source framework for creating Java web applications, was disclosed and assigned to CVE-2017-5638. About two months later, hackers exploited the flaw to carry out the world's 5th largest data breach. The target, credit giant Equifax, told investigators that it had become aware of the vulnerability two months before the attack.\nThe exploit involved manipulating the `Content-Type HTTP` header to execute commands embedded in the header.\nThis Analytic Story contains two different searches that help to identify activity that may be related to this issue. The first search looks for characteristics of the `Content-Type` header consistent with attempts to exploit the vulnerability. This should be a relatively pertinent indicator, as the `Content-Type` header is generally consistent and does not have a large degree of variation.\nThe second search looks for the execution of various commands typically entered on the command shell when an attacker first lands on a system. These commands are not generally executed on web servers during the course of day-to-day operation, but they may be used when the system is undergoing maintenance or troubleshooting.\nFirst, it is helpful is to understand how often the notable event is generated, as well as the commonalities in some of these events. This may help determine whether this is a common occurrence that is of a lesser concern or a rare event that may require more extensive investigation. It can also help to understand whether the issue is restricted to a single user or system or is broader in scope.\nWhen looking at the target of the behavior illustrated by the event, you should note the sensitivity of the user and or/system to help determine the potential impact. It is also helpful to see what other events involving the target have occurred in the recent past. This can help tie different events together and give further situational awareness regarding the target.\nVarious types of information for external systems should be reviewed and (potentially) collected if the incident is, indeed, judged to be malicious. Information like this can be useful in generating your own threat intelligence to create alerts in the future.\nLooking at the country, responsible party, and fully qualified domain names associated with the external IP address--as well as the registration information associated with those domain names, if they are frequently visited by others--can help you answer the question of \"who,\" in regard to the external system. Answering that can help qualify the event and may serve useful for tracking. In addition, there are various sources that can provide some reputation information on the IP address or domain name, which can assist in determining if the event is malicious in nature. Finally, determining whether or not there are other events associated with the IP address may help connect some dots or show other events that should be brought into scope.\nGathering various data elements on the system of interest can sometimes help quickly determine that something suspicious may be happening. Some of these items include determining who else may have recently logged into the system, whether any unusual scheduled tasks exist, whether the system is communicating on suspicious ports, whether there are modifications to sensitive registry keys, and whether there are any known vulnerabilities on the system. This information can often highlight other activity commonly seen in attack scenarios or give more information about how the system may have been targeted.\nhen a specific service or application is targeted, it is often helpful to know the associated version to help determine whether or not it is vulnerable to a specific exploit.\nhen it is suspected there is an attack targeting a web server, it is helpful to look at some of the behavior of the web service to see if there is evidence that the service has been compromised. Some indications of this might be network connections to external resources, the web service spawning child processes that are not associated with typical behavior, and whether the service wrote any files that might be malicious in nature.\nIn the event that a suspicious file is found, we can review more information about it to help determine if it is, in fact, malicious. Identifying the file type, any processes that have the file open, what processes created and/or modified the file, and the number of systems that may have this file can help to determine if the file is malicious. Also, determining the file hash and checking it against reputation sources, such as VirusTotal, can sometimes quickly help determine whether it is malicious in nature.\nOften, a simple inspection of a suspect process name and path can tell you if the system has been compromised. For example, if `svchost.exe` is found running from a location other than `C:\\Windows\\System32`, it is likely something malicious designed to hide in plain sight when simply reviewing process names. Similarly, if the process itself seems legitimate, but the parent process is running from the temporary browser cache, there may be activity initiated via a compromised website the user visited.\nIt can also be very helpful to examine various behaviors of the process of interest or the parent of the process that is of interest. For example, if it turns out that the process of interest is malicious, it would be good to see if the parent to that process spawned other processes that might also be worth further scrutiny. If a process is suspect, reviewing the network connections made around the time of the event and/or if the process spawned any child processes could be helpful in determining whether it is malicious or executing a malicious script.", "tags": {"category": ["Vulnerability"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1082", "mitre_attack_technique": "System Information Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT19", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "Blue Mockingbird", "Chimera", "Confucius", "Darkhotel", "FIN13", "FIN8", "Gamaredon Group", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Malteiro", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Sowbug", "Stealth Falcon", "TA2541", "TeamTNT", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Windigo", "Windshift", "Wizard Spider", "ZIRCONIUM", "admin@338"]}], "mitre_attack_tactics": ["Discovery"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Suspicious Java Classes - Rule", "ESCU - Web Servers Executing Suspicious Processes - Rule", "ESCU - Unusually Long Content-Type Length - Rule"], "investigation_names": ["Get Notable History", "Investigate Suspicious Strings in HTTP Header", "Investigate Web POSTs From src"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Suspicious Java Classes", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Web Servers Executing Suspicious Processes", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "System Information Discovery"}]}, {"name": "Unusually Long Content-Type Length", "source": "network", "type": "Anomaly", "tags": []}]}, {"name": "APT29 Diplomatic Deceptions with WINELOADER", "author": "Michael Haag, splunk", "date": "2024-03-26", "version": 1, "id": "7cb5fdb5-4c36-4721-8b0a-4cc5e78afadd", "description": "APT29, a sophisticated threat actor linked to the Russian SVR, has expanded its cyber espionage activities to target European diplomats and German political parties. Utilizing a novel backdoor variant, WINELOADER, these campaigns leverage diplomatic-themed lures to initiate infection chains, demonstrating APT29's evolving tactics and interest in geopolitical intelligence. The operations, marked by their low volume and high precision, underscore the broad threat APT29 poses to Western political and diplomatic entities.", "references": ["https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties", "https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader"], "narrative": "APT29, also known as Cozy Bear, has historically focused on espionage activities aligned with Russian intelligence interests. In recent campaigns, APT29 has notably shifted its operational focus, targeting not only its traditional diplomatic missions but also expanding into the political domain, specifically German political parties. These campaigns have been characterized by the deployment of WINELOADER, a sophisticated backdoor that facilitates the exfiltration of sensitive information. The use of themed lures, such as invitations from the Ambassador of India and CDU-themed documents, highlights APT29's strategic use of social engineering to compromise targets. The operations against European diplomats and German political entities reveal APT29's adaptive tactics and its persistent effort to gather intelligence that could influence Russia's geopolitical strategy. The precision of these attacks, coupled with the use of compromised websites for command and control, underscores the evolving threat landscape and the need for heightened cybersecurity vigilance among potential targets.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1140", "mitre_attack_technique": "Deobfuscate/Decode Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT39", "BRONZE BUTLER", "Cinnamon Tempest", "Darkhotel", "Earth Lusca", "FIN13", "Gamaredon Group", "Gorgon Group", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Malteiro", "Molerats", "MuddyWater", "OilRig", "Rocke", "Sandworm Team", "TA505", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "WIRTE", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Cinnamon Tempest", "Earth Lusca", "FIN13", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA2541", "TA551"]}], "mitre_attack_tactics": ["Persistence", "Privilege Escalation", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - CertUtil With Decode Argument - Rule", "ESCU - Windows MSHTA Writing to World Writable Path - Rule", "ESCU - Windows Process Writing File to World Writable Path - Rule", "ESCU - Windows SqlWriter SQLDumper DLL Sideload - Rule", "ESCU - Windows Unsigned MS DLL Side-Loading - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "splunk", "author_name": "Michael Haag", "detections": [{"name": "CertUtil With Decode Argument", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Deobfuscate/Decode Files or Information"}]}, {"name": "Windows MSHTA Writing to World Writable Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Mshta"}]}, {"name": "Windows Process Writing File to World Writable Path", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Mshta"}]}, {"name": "Windows SqlWriter SQLDumper DLL Sideload", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "DLL Side-Loading"}]}, {"name": "Windows Unsigned MS DLL Side-Loading", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}]}, {"name": "Asset Tracking", "author": "Bhavin Patel, Splunk", "date": "2017-09-13", "version": 1, "id": "91c676cf-0b23-438d-abee-f6335e1fce77", "description": "Keep a careful inventory of every asset on your network to make it easier to detect rogue devices. Unauthorized/unmanaged devices could be an indication of malicious behavior that should be investigated further.", "references": ["https://www.cisecurity.org/controls/inventory-of-authorized-and-unauthorized-devices/"], "narrative": "This Analytic Story is designed to help you develop a better understanding of what authorized and unauthorized devices are part of your enterprise. This story can help you better categorize and classify assets, providing critical business context and awareness of their assets during an incident. Information derived from this Analytic Story can be used to better inform and support other analytic stories. For successful detection, you will need to leverage the Assets and Identity Framework from Enterprise Security to populate your known assets.", "tags": {"category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Unauthorized Assets by MAC address - Rule"], "investigation_names": ["Get First Occurrence and Last Occurrence of a MAC Address", "Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect Unauthorized Assets by MAC address", "source": "network", "type": "TTP", "tags": []}]}, {"name": "AsyncRAT", "author": "Teoderick Contreras, Splunk", "date": "2023-01-24", "version": 1, "id": "d7053072-7dd2-4874-8314-bfcbc99978a4", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the AsyncRAT malware including mshta application child process, bat loader execution, persistence and many more. AsyncRAT is an open source remote administration tool released last 2019. It's designed to remotely control computers via an encrypted connection, with view screen, keylogger, chat communication, persistence, defense evasion (e.g. Windows defender), DOS attack and many more.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat", "https://www.netskope.com/blog/asyncrat-using-fully-undetected-downloader"], "narrative": "although this project contains legal disclaimer, Adversaries or threat actors are popularly used in some attacks. This malware recently came across a Fully undetected batch script loader that downloads and loads the AsyncRAT from its C2 server. The batch script is obfuscated and will load a powershell loader that will decode and decrypt (AES256) the actual AsyncRAT malware.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.005", "mitre_attack_technique": "Visual Basic", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT33", "APT37", "APT38", "APT39", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Earth Lusca", "FIN13", "FIN4", "FIN7", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "Transparent Tribe", "Turla", "WIRTE", "Windshift"]}, {"mitre_attack_id": "T1055.001", "mitre_attack_technique": "Dynamic-link Library Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["BackdoorDiplomacy", "Lazarus Group", "Leviathan", "Malteiro", "Putter Panda", "TA505", "Tropic Trooper", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1134.002", "mitre_attack_technique": "Create Process with Token", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Lazarus Group", "Turla"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Reconnaissance", "Initial Access", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Reconnaissance", "Installation", "Exploitation"]}, "detection_names": ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Execution of File with Multiple Extensions - Rule", "ESCU - Loading Of Dynwrapx Module - Rule", "ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Powershell Processing Stream Of Data - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Vbscript Execution Using Wscript App - Rule", "ESCU - Windows Access Token Manipulation SeDebugPrivilege - Rule", "ESCU - Windows Powershell Cryptography Namespace - Rule", "ESCU - Windows Scheduled Task with Highest Privileges - Rule", "ESCU - Windows Spearphishing Attachment Connect To None MS Office Domain - Rule", "ESCU - Windows Spearphishing Attachment Onenote Spawn Mshta - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Execution of File with Multiple Extensions", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}, {"name": "Loading Of Dynwrapx Module", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Dynamic-link Library Injection"}]}, {"name": "Malicious PowerShell Process - Execution Policy Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "PowerShell Loading DotNET into Memory via Reflection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Powershell Processing Stream Of Data", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Gather Victim Host Information"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Regsvr32 Silent and Install Param Dll Loading", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Suspicious Copy on System32", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "Masquerading"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Vbscript Execution Using Wscript App", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Visual Basic"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows Access Token Manipulation SeDebugPrivilege", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Create Process with Token"}, {"mitre_attack_technique": "Access Token Manipulation"}]}, {"name": "Windows Powershell Cryptography Namespace", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows Scheduled Task with Highest Privileges", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}, {"name": "Windows Spearphishing Attachment Connect To None MS Office Domain", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}, {"name": "Windows Spearphishing Attachment Onenote Spawn Mshta", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Scheduled Task"}]}]}, {"name": "Atlassian Confluence Server and Data Center CVE-2022-26134", "author": "Michael Haag, Splunk", "date": "2022-06-03", "version": 1, "id": "91623a50-41fa-4c4e-8637-c239b80ff439", "description": "On June 2, security researchers at Volexity published a blog outlining the discovery of an unauthenticated remote code execution zero day vulnerability (CVE-2022-26134) being actively exploited in Atlassian Confluence Server and Data Center instances in the wild. Atlassian released a fix within 24 hours of the blog''s release.", "references": ["https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html", "https://www.splunk.com/en_us/blog/security/atlassian-confluence-vulnerability-cve-2022-26134.html", "https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/", "https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/"], "narrative": "Atlassian describes the vulnerability as an Object-Graph Navigation Language (OGNL) injection allowing an unauthenticated user to execute arbitrary code on a Confluence Server or Data Server instance. Volexity did not release proof-of-concept (POC) exploit code, but researchers there have observed coordinated, widespread exploitation. Volexity first discovered the vulnerability over the weekend on two Internet-facing web servers running Confluence Server software. The investigation was due to suspicious activity on the hosts, including JSP webshells that were written to disk.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Application Security", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}], "mitre_attack_tactics": ["Persistence", "Initial Access"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Delivery"]}, "detection_names": ["ESCU - Java Writing JSP File - Rule", "ESCU - Confluence Unauthenticated Remote Code Execution CVE-2022-26134 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Java Writing JSP File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Confluence Unauthenticated Remote Code Execution CVE-2022-26134", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}]}, {"name": "AwfulShred", "author": "Teoderick Contreras, Splunk", "date": "2023-01-24", "version": 1, "id": "e36935ce-f48c-4fb2-8109-7e80c1cdc9e2", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the AwfulShred malware including wiping files, process kill, system reboot via system request, shred, and service stops.", "references": ["https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/", "https://cert.gov.ua/article/3718487"], "narrative": "AwfulShred is a malicious linux shell script designed to corrupt or wipe the linux targeted system. It uses shred command to overwrite files and to increase data damage. This obfuscated malicious script can also disable and corrupts apache, HTTP and SSH services, deactivate swap files, clear bash history and finally reboot the system.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1200", "mitre_attack_technique": "Hardware Additions", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["DarkVishnya"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1053.006", "mitre_attack_technique": "Systemd Timers", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}], "mitre_attack_tactics": ["Initial Access", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Impact"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Linux Data Destruction Command - Rule", "ESCU - Linux Deleting Critical Directory Using RM Command - Rule", "ESCU - Linux Deletion Of Services - Rule", "ESCU - Linux Disable Services - Rule", "ESCU - Linux Hardware Addition SwapOff - Rule", "ESCU - Linux Impair Defenses Process Kill - Rule", "ESCU - Linux Indicator Removal Clear Cache - Rule", "ESCU - Linux Indicator Removal Service File Deletion - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Shred Overwrite Command - Rule", "ESCU - Linux Stop Services - Rule", "ESCU - Linux System Reboot Via System Request Key - Rule", "ESCU - Linux Unix Shell Enable All SysRq Functions - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Linux Data Destruction Command", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Linux Deleting Critical Directory Using RM Command", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Linux Deletion Of Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Linux Disable Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Service Stop"}]}, {"name": "Linux Hardware Addition SwapOff", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Hardware Additions"}]}, {"name": "Linux Impair Defenses Process Kill", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Linux Indicator Removal Clear Cache", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Linux Indicator Removal Service File Deletion", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Linux Service Restarted", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Shred Overwrite Command", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Linux Stop Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Service Stop"}]}, {"name": "Linux System Reboot Via System Request Key", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Shutdown/Reboot"}]}, {"name": "Linux Unix Shell Enable All SysRq Functions", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Unix Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}]}, {"name": "AWS Cross Account Activity", "author": "David Dorsey, Splunk", "date": "2018-06-04", "version": 1, "id": "2f2f610a-d64d-48c2-b57c-967a2b49ab5a", "description": "Track when a user assumes an IAM role in another AWS account to obtain cross-account access to services and resources in that account. Accessing new roles could be an indication of malicious activity.", "references": ["https://aws.amazon.com/blogs/security/aws-cloudtrail-now-tracks-cross-account-activity-to-its-origin/"], "narrative": "Amazon Web Services (AWS) admins manage access to AWS resources and services across the enterprise using AWS's Identity and Access Management (IAM) functionality. IAM provides the ability to create and manage AWS users, groups, and roles-each with their own unique set of privileges and defined access to specific resources (such as EC2 instances, the AWS Management Console, API, or the command-line interface). Unlike conventional (human) users, IAM roles are assumable by anyone in the organization. They provide users with dynamically created temporary security credentials that expire within a set time period.\nHerein lies the rub. In between the time between when the temporary credentials are issued and when they expire is a period of opportunity, where a user could leverage the temporary credentials to wreak havoc-spin up or remove instances, create new users, elevate privileges, and other malicious activities-throughout the environment.\nThis Analytic Story includes searches that will help you monitor your AWS CloudTrail logs for evidence of suspicious cross-account activity. For example, while accessing multiple AWS accounts and roles may be perfectly valid behavior, it may be suspicious when an account requests privileges of an account it has not accessed in the past. After identifying suspicious activities, you can use the provided investigative searches to help you probe more deeply.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Persistence", "Privilege Escalation", "Initial Access", "Defense Evasion"], "datamodels": [], "kill_chain_phases": ["Installation", "Delivery", "Exploitation"]}, "detection_names": ["ESCU - aws detect attach to role policy - Rule", "ESCU - aws detect permanent key creation - Rule", "ESCU - aws detect role creation - Rule", "ESCU - aws detect sts assume role abuse - Rule", "ESCU - aws detect sts get session token abuse - Rule"], "investigation_names": ["AWS Investigate User Activities By AccessKeyId", "Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "aws detect attach to role policy", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "aws detect permanent key creation", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "aws detect role creation", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "aws detect sts assume role abuse", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "aws detect sts get session token abuse", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Use Alternate Authentication Material"}]}]}, {"name": "AWS Defense Evasion", "author": "Gowthamaraj Rajendran, Splunk", "date": "2022-07-15", "version": 1, "id": "4e00b690-293f-434d-a9d8-bcfb2ea5fff9", "description": "Identify activity and techniques associated with the Evasion of Defenses within AWS, such as Disabling CloudTrail, Deleting CloudTrail and many others.", "references": ["https://attack.mitre.org/tactics/TA0005/"], "narrative": "Adversaries employ a variety of techniques in order to avoid detection and operate without barriers. This often involves modifying the configuration of security monitoring tools to get around them or explicitly disabling them to prevent them from running. This Analytic Story includes analytics that identify activity consistent with adversaries attempting to disable various security mechanisms on AWS. Such activity may involve deleting the CloudTrail logs , as this is where all the AWS logs get stored or explicitly changing the retention policy of S3 buckets. Other times, adversaries attempt deletion of a specified AWS CloudWatch log group.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.008", "mitre_attack_technique": "Disable or Modify Cloud Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Web"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - ASL AWS Defense Evasion Delete Cloudtrail - Rule", "ESCU - ASL AWS Defense Evasion Delete CloudWatch Log Group - Rule", "ESCU - ASL AWS Defense Evasion Impair Security Services - Rule", "ESCU - ASL AWS Defense Evasion Stop Logging Cloudtrail - Rule", "ESCU - ASL AWS Defense Evasion Update Cloudtrail - Rule", "ESCU - AWS Defense Evasion Delete Cloudtrail - Rule", "ESCU - AWS Defense Evasion Delete CloudWatch Log Group - Rule", "ESCU - AWS Defense Evasion Impair Security Services - Rule", "ESCU - AWS Defense Evasion PutBucketLifecycle - Rule", "ESCU - AWS Defense Evasion Stop Logging Cloudtrail - Rule", "ESCU - AWS Defense Evasion Update Cloudtrail - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Gowthamaraj Rajendran", "detections": [{"name": "ASL AWS Defense Evasion Delete Cloudtrail", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Cloud Logs"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "ASL AWS Defense Evasion Delete CloudWatch Log Group", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Disable or Modify Cloud Logs"}]}, {"name": "ASL AWS Defense Evasion Impair Security Services", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Disable or Modify Cloud Logs"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "ASL AWS Defense Evasion Stop Logging Cloudtrail", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Cloud Logs"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "ASL AWS Defense Evasion Update Cloudtrail", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Disable or Modify Cloud Logs"}]}, {"name": "AWS Defense Evasion Delete Cloudtrail", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Cloud Logs"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "AWS Defense Evasion Delete CloudWatch Log Group", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Disable or Modify Cloud Logs"}]}, {"name": "AWS Defense Evasion Impair Security Services", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Disable or Modify Cloud Logs"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "AWS Defense Evasion PutBucketLifecycle", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Disable or Modify Cloud Logs"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "AWS Defense Evasion Stop Logging Cloudtrail", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Cloud Logs"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "AWS Defense Evasion Update Cloudtrail", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Disable or Modify Cloud Logs"}]}]}, {"name": "AWS IAM Privilege Escalation", "author": "Bhavin Patel, Splunk", "date": "2021-03-08", "version": 1, "id": "ced74200-8465-4bc3-bd2c-22782eec6750", "description": "This analytic story contains detections that query your AWS Cloudtrail for activities related to privilege escalation.", "references": ["https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/", "https://www.cyberark.com/resources/threat-research-blog/the-cloud-shadow-admin-threat-10-permissions-to-protect", "https://labs.bishopfox.com/tech-blog/privilege-escalation-in-aws"], "narrative": "Amazon Web Services provides a neat feature called Identity and Access Management (IAM) that enables organizations to manage various AWS services and resources in a secure way. All IAM users have roles, groups and policies associated with them which governs and sets permissions to allow a user to access specific restrictions.\nHowever, if these IAM policies are misconfigured and have specific combinations of weak permissions; it can allow attackers to escalate their privileges and further compromise the organization. Rhino Security Labs have published comprehensive blogs detailing various AWS Escalation methods. By using this as an inspiration, Splunks research team wants to highlight how these attack vectors look in AWS Cloudtrail logs and provide you with detection queries to uncover these potentially malicious events via this Analytic Story. ", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1201", "mitre_attack_technique": "Password Policy Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "OilRig", "Turla"]}, {"mitre_attack_id": "T1069.003", "mitre_attack_technique": "Cloud Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider", "Scattered Spider"]}, {"mitre_attack_id": "T1580", "mitre_attack_technique": "Cloud Infrastructure Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Scattered Spider"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}], "mitre_attack_tactics": ["Initial Access", "Discovery", "Privilege Escalation", "Credential Access", "Persistence", "Defense Evasion"], "datamodels": [], "kill_chain_phases": ["Delivery", "Installation", "Exploitation"]}, "detection_names": ["ESCU - ASL AWS IAM Delete Policy - Rule", "ESCU - ASL AWS IAM Failure Group Deletion - Rule", "ESCU - ASL AWS IAM Successful Group Deletion - Rule", "ESCU - AWS Create Policy Version to allow all resources - Rule", "ESCU - AWS CreateAccessKey - Rule", "ESCU - AWS CreateLoginProfile - Rule", "ESCU - AWS IAM Assume Role Policy Brute Force - Rule", "ESCU - AWS IAM Delete Policy - Rule", "ESCU - AWS IAM Failure Group Deletion - Rule", "ESCU - AWS IAM Successful Group Deletion - Rule", "ESCU - AWS Password Policy Changes - Rule", "ESCU - AWS SetDefaultPolicyVersion - Rule", "ESCU - AWS UpdateLoginProfile - Rule", "ESCU - ASL AWS CreateAccessKey - Rule", "ESCU - ASL AWS Password Policy Changes - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "ASL AWS IAM Delete Policy", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Account Manipulation"}]}, {"name": "ASL AWS IAM Failure Group Deletion", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Account Manipulation"}]}, {"name": "ASL AWS IAM Successful Group Deletion", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cloud Groups"}, {"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}, {"name": "AWS Create Policy Version to allow all resources", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}, {"name": "AWS CreateAccessKey", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}, {"name": "AWS CreateLoginProfile", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}, {"name": "AWS IAM Assume Role Policy Brute Force", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Cloud Infrastructure Discovery"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "AWS IAM Delete Policy", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Account Manipulation"}]}, {"name": "AWS IAM Failure Group Deletion", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Account Manipulation"}]}, {"name": "AWS IAM Successful Group Deletion", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cloud Groups"}, {"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}, {"name": "AWS Password Policy Changes", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Password Policy Discovery"}]}, {"name": "AWS SetDefaultPolicyVersion", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}, {"name": "AWS UpdateLoginProfile", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}, {"name": "ASL AWS CreateAccessKey", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "ASL AWS Password Policy Changes", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "Password Policy Discovery"}]}]}, {"name": "AWS Identity and Access Management Account Takeover", "author": "Gowthamaraj Rajendran, Bhavin Patel, Splunk", "date": "2022-08-19", "version": 2, "id": "4210b690-293f-411d-a9d8-bcfb2ea5fff9", "description": "Identify activity and techniques associated with accessing credential files from AWS resources, monitor unusual authentication related activities to the AWS Console and other services such as RDS.", "references": ["https://attack.mitre.org/tactics/TA0006/"], "narrative": "Amazon Web Services provides a web service known as Identity and Access Management(IAM) for controlling and securly managing various AWS resources. This is basically the foundation of how users in AWS interact with various resources/services in cloud and vice versa. Account Takeover (ATO) is an attack whereby cybercriminals gain unauthorized access to online accounts by using different techniques like brute force, social engineering, phishing & spear phishing, credential stuffing, etc. Adversaries employ a variety of techniques to steal AWS Cloud credentials like account names, passwords and keys and takeover legitmate user accounts. Usage of legitimate keys will assist the attackers to gain access to other sensitive system and they can also mimic legitimate behaviour making them harder to be detected. Such activity may involve multiple failed login to the console, new console logins and password reset activities.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1556.006", "mitre_attack_technique": "Multi-Factor Authentication", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["Scattered Spider"]}, {"mitre_attack_id": "T1201", "mitre_attack_technique": "Password Policy Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1185", "mitre_attack_technique": "Browser Session Hijacking", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.001", "mitre_attack_technique": "Password Guessing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Initial Access", "Collection", "Resource Development", "Discovery", "Credential Access", "Privilege Escalation", "Persistence", "Defense Evasion"], "datamodels": ["Authentication"], "kill_chain_phases": ["Delivery", "Installation", "Weaponization", "Exploitation"]}, "detection_names": ["ESCU - ASL AWS Concurrent Sessions From Different Ips - Rule", "ESCU - ASL AWS Multi-Factor Authentication Disabled - Rule", "ESCU - ASL AWS New MFA Method Registered For User - Rule", "ESCU - AWS Concurrent Sessions From Different Ips - Rule", "ESCU - AWS Console Login Failed During MFA Challenge - Rule", "ESCU - AWS Credential Access Failed Login - Rule", "ESCU - AWS Credential Access GetPasswordData - Rule", "ESCU - AWS Credential Access RDS Password reset - Rule", "ESCU - AWS High Number Of Failed Authentications For User - Rule", "ESCU - AWS High Number Of Failed Authentications From Ip - Rule", "ESCU - AWS Multi-Factor Authentication Disabled - Rule", "ESCU - AWS Multiple Failed MFA Requests For User - Rule", "ESCU - AWS Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - AWS New MFA Method Registered For User - Rule", "ESCU - AWS Successful Single-Factor Authentication - Rule", "ESCU - AWS Unusual Number of Failed Authentications From Ip - Rule", "ESCU - Detect AWS Console Login by New User - Rule", "ESCU - Detect AWS Console Login by User from New City - Rule", "ESCU - Detect AWS Console Login by User from New Country - Rule", "ESCU - Detect AWS Console Login by User from New Region - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Bhavin Patel, Splunk", "author_name": "Gowthamaraj Rajendran", "detections": [{"name": "ASL AWS Concurrent Sessions From Different Ips", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Browser Session Hijacking"}]}, {"name": "ASL AWS Multi-Factor Authentication Disabled", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}, {"mitre_attack_technique": "Modify Authentication Process"}, {"mitre_attack_technique": "Multi-Factor Authentication"}]}, {"name": "ASL AWS New MFA Method Registered For User", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Authentication Process"}, {"mitre_attack_technique": "Multi-Factor Authentication"}]}, {"name": "AWS Concurrent Sessions From Different Ips", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Browser Session Hijacking"}]}, {"name": "AWS Console Login Failed During MFA Challenge", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}, {"name": "AWS Credential Access Failed Login", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Guessing"}]}, {"name": "AWS Credential Access GetPasswordData", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Guessing"}]}, {"name": "AWS Credential Access RDS Password reset", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "AWS High Number Of Failed Authentications For User", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Policy Discovery"}]}, {"name": "AWS High Number Of Failed Authentications From Ip", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}, {"name": "AWS Multi-Factor Authentication Disabled", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}, {"mitre_attack_technique": "Modify Authentication Process"}, {"mitre_attack_technique": "Multi-Factor Authentication"}]}, {"name": "AWS Multiple Failed MFA Requests For User", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}, {"name": "AWS Multiple Users Failing To Authenticate From Ip", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}, {"name": "AWS New MFA Method Registered For User", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Authentication Process"}, {"mitre_attack_technique": "Multi-Factor Authentication"}]}, {"name": "AWS Successful Single-Factor Authentication", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}]}, {"name": "AWS Unusual Number of Failed Authentications From Ip", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}, {"name": "Detect AWS Console Login by New User", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unsecured Credentials"}]}, {"name": "Detect AWS Console Login by User from New City", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}, {"name": "Detect AWS Console Login by User from New Country", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}, {"name": "Detect AWS Console Login by User from New Region", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}]}, {"name": "AWS Network ACL Activity", "author": "Bhavin Patel, Splunk", "date": "2018-05-21", "version": 2, "id": "2e8948a5-5239-406b-b56b-6c50ff268af4", "description": "Monitor your AWS network infrastructure for bad configurations and malicious activity. Investigative searches help you probe deeper, when the facts warrant it.", "references": ["https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Appendix_NACLs.html", "https://aws.amazon.com/blogs/security/how-to-help-prepare-for-ddos-attacks-by-reducing-your-attack-surface/"], "narrative": "AWS CloudTrail is an AWS service that helps you enable governance, compliance, and operational/risk auditing of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. It is crucial for a company to monitor events and actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs to ensure that your servers are not vulnerable to attacks. This analytic story contains detection searches that leverage CloudTrail logs from AWS to check for bad configurations and malicious activity in your AWS network access controls.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.007", "mitre_attack_technique": "Disable or Modify Cloud Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": [], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - AWS Network Access Control List Created with All Open Ports - Rule", "ESCU - AWS Network Access Control List Deleted - Rule", "ESCU - Detect Spike in blocked Outbound Traffic from your AWS - Rule", "ESCU - Cloud Network Access Control List Deleted - Rule", "ESCU - Detect Spike in Network ACL Activity - Rule"], "investigation_names": ["AWS Investigate User Activities By ARN", "AWS Network ACL Details from ID", "AWS Network Interface details via resourceId", "Get All AWS Activity From IP Address", "Get DNS Server History for a host", "Get DNS traffic ratio", "Get Notable History", "Get Process Info", "Get Process Information For Port Activity", "Get Process Responsible For The DNS Traffic"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "AWS Network Access Control List Created with All Open Ports", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Cloud Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "AWS Network Access Control List Deleted", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify Cloud Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Detect Spike in blocked Outbound Traffic from your AWS", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Cloud Network Access Control List Deleted", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "Detect Spike in Network ACL Activity", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify Cloud Firewall"}]}]}, {"name": "AWS Security Hub Alerts", "author": "Bhavin Patel, Splunk", "date": "2020-08-04", "version": 1, "id": "2f2f610a-d64d-48c2-b57c-96722b49ab5a", "description": "This story is focused around detecting Security Hub alerts generated from AWS", "references": ["https://aws.amazon.com/security-hub/features/"], "narrative": "AWS Security Hub collects and consolidates findings from AWS security services enabled in your environment, such as intrusion detection findings from Amazon GuardDuty, vulnerability scans from Amazon Inspector, S3 bucket policy findings from Amazon Macie, publicly accessible and cross-account resources from IAM Access Analyzer, and resources lacking WAF coverage from AWS Firewall Manager.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Spike in AWS Security Hub Alerts for EC2 Instance - Rule", "ESCU - Detect Spike in AWS Security Hub Alerts for User - Rule"], "investigation_names": ["AWS Investigate User Activities By ARN", "Get EC2 Instance Details by instanceId", "Get EC2 Launch Details"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect Spike in AWS Security Hub Alerts for EC2 Instance", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Detect Spike in AWS Security Hub Alerts for User", "source": "cloud", "type": "Anomaly", "tags": []}]}, {"name": "AWS User Monitoring", "author": "Bhavin Patel, Splunk", "date": "2018-03-12", "version": 1, "id": "2e8948a5-5239-406b-b56b-6c50f1269af3", "description": "Detect and investigate dormant user accounts for your AWS environment that have become active again. Because inactive and ad-hoc accounts are common attack targets, it's critical to enable governance within your environment.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf", "https://redlock.io/blog/cryptojacking-tesla"], "narrative": "It seems obvious that it is critical to monitor and control the users who have access to your cloud infrastructure. Nevertheless, it's all too common for enterprises to lose track of ad-hoc accounts, leaving their servers vulnerable to attack. In fact, this was the very oversight that led to Tesla's cryptojacking attack in February, 2018.\nIn addition to compromising the security of your data, when bad actors leverage your compute resources, it can incur monumental costs, since you will be billed for any new EC2 instances and increased bandwidth usage.\nFortunately, you can leverage Amazon Web Services (AWS) CloudTrail--a tool that helps you enable governance, compliance, and risk auditing of your AWS account--to give you increased visibility into your user and resource activity by recording AWS Management Console actions and API calls. You can identify which users and accounts called AWS, the source IP address from which the calls were made, and when the calls occurred.\nThe detection searches in this Analytic Story are designed to help you uncover AWS API activities from users not listed in the identity table, as well as similar activities from disabled accounts.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1526", "mitre_attack_technique": "Cloud Service Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}], "mitre_attack_tactics": ["Initial Access", "Discovery", "Privilege Escalation", "Persistence", "Defense Evasion"], "datamodels": [], "kill_chain_phases": ["Delivery", "Installation", "Exploitation"]}, "detection_names": ["ESCU - AWS Excessive Security Scanning - Rule", "ESCU - ASL AWS Excessive Security Scanning - Rule", "ESCU - Detect API activity from users without MFA - Rule", "ESCU - Detect AWS API Activities From Unapproved Accounts - Rule", "ESCU - Detect new API calls from user roles - Rule", "ESCU - Detect Spike in AWS API Activity - Rule", "ESCU - Detect Spike in Security Group Activity - Rule"], "investigation_names": ["Get Notable History", "Investigate AWS User Activities by user field"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "AWS Excessive Security Scanning", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Cloud Service Discovery"}]}, {"name": "ASL AWS Excessive Security Scanning", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Service Discovery"}]}, {"name": "Detect API activity from users without MFA", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Detect AWS API Activities From Unapproved Accounts", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cloud Accounts"}]}, {"name": "Detect new API calls from user roles", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Accounts"}]}, {"name": "Detect Spike in AWS API Activity", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Accounts"}]}, {"name": "Detect Spike in Security Group Activity", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Accounts"}]}]}, {"name": "Azorult", "author": "Teoderick Contreras, Splunk", "date": "2022-06-09", "version": 1, "id": "efed5343-4ac2-42b1-a16d-da2428d0ce94", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Azorult malware including firewall modification, icacl execution, spawning more process, botnet c2 communication, defense evasion and etc. The AZORULT malware was first discovered in 2016 to be an information stealer that steals browsing history, cookies, ID/passwords, cryptocurrency information and more. It can also be a downloader of other malware. A variant of this malware was able to create a new, hidden administrator account on the machine to set a registry key to establish a Remote Desktop Protocol (RDP) connection. Exploit kits such as Fallout Exploit Kit (EK) and phishing mails with social engineering technique are one of the major infection vectors of the AZORult malware. The current malspam and phishing emails use fake product order requests, invoice documents and payment information requests. This Trojan-Spyware connects to Command And Control (C&C) servers of attacker to send and receive information.", "references": ["https://success.trendmicro.com/dcx/s/solution/000146108-azorult-malware-information?language=en_US&sfdcIFrameOrigin=null", "https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "narrative": "Adversaries may use this technique to maximize the impact on the target organization in operations where network wide availability interruption is the goal.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1219", "mitre_attack_technique": "Remote Access Software", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Akira", "Carbanak", "Cobalt Group", "DarkVishnya", "Evilnum", "FIN7", "GOLD SOUTHFIELD", "Kimsuky", "MuddyWater", "Mustang Panda", "RTM", "Sandworm Team", "Scattered Spider", "TeamTNT", "Thrip"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "APT5", "Dragonfly", "FIN13", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT", "Wizard Spider"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider", "Scattered Spider"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "APT5", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1590", "mitre_attack_technique": "Gather Victim Network Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["HAFNIUM"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1222.001", "mitre_attack_technique": "Windows File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1590.005", "mitre_attack_technique": "IP Addresses", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["Andariel", "HAFNIUM", "Magic Hound"]}, {"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "APT5", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1531", "mitre_attack_technique": "Account Access Removal", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Akira", "LAPSUS$"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1564.001", "mitre_attack_technique": "Hidden Files and Directories", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "FIN13", "HAFNIUM", "Lazarus Group", "LuminousMoth", "Mustang Panda", "Rocke", "Transparent Tribe", "Tropic Trooper"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "APT41", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Malteiro", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Magic Hound", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "Malteiro", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1564", "mitre_attack_technique": "Hide Artifacts", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT", "ToddyCat"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1204.001", "mitre_attack_technique": "Malicious Link", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Reconnaissance", "Command And Control", "Initial Access", "Discovery", "Privilege Escalation", "Credential Access", "Persistence", "Execution", "Defense Evasion", "Impact", "Lateral Movement"], "datamodels": ["Risk", "Endpoint"], "kill_chain_phases": ["Reconnaissance", "Delivery", "Exploitation", "Actions on Objectives", "Installation", "Command and Control"]}, "detection_names": ["ESCU - Allow Inbound Traffic By Firewall Rule Registry - Rule", "ESCU - Allow Operation with Consent Admin - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - CHCP Command Execution - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Create local admin accounts using net exe - Rule", "ESCU - Detect Use of cmd exe to Launch Script Interpreters - Rule", "ESCU - Disable Defender BlockAtFirstSeen Feature - Rule", "ESCU - Disable Defender Enhanced Notification - Rule", "ESCU - Disable Defender Spynet Reporting - Rule", "ESCU - Disable Defender Submit Samples Consent Feature - Rule", "ESCU - Disable Show Hidden Files - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Disabling Remote User Account Control - Rule", "ESCU - Excessive Attempt To Disable Services - Rule", "ESCU - Excessive Usage Of Cacls App - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Excessive Usage Of SC Service Utility - Rule", "ESCU - Excessive Usage Of Taskkill - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Firewall Allowed Program Enable - Rule", "ESCU - Hide User Account From Sign-In Screen - Rule", "ESCU - Hiding Files And Directories With Attrib exe - Rule", "ESCU - Icacls Deny Command - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Net - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Office Product Spawning MSHTA - Rule", "ESCU - Processes launching netsh - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Windows Application Layer Protocol RMS Radmin Tool Namedpipe - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows Defender Exclusion Registry Entry - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows Gather Victim Network Info Through Ip Check Web Services - Rule", "ESCU - Windows Impair Defense Add Xml Applocker Rules - Rule", "ESCU - Windows Impair Defense Deny Security Software With Applocker - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Modify Registry Disable Toast Notifications - Rule", "ESCU - Windows Modify Registry Disable Win Defender Raw Write Notif - Rule", "ESCU - Windows Modify Registry Disable Windows Security Center Notif - Rule", "ESCU - Windows Modify Registry Disabling WER Settings - Rule", "ESCU - Windows Modify Registry DisAllow Windows App - Rule", "ESCU - Windows Modify Registry Regedit Silent Reg Import - Rule", "ESCU - Windows Modify Registry Suppress Win Defender Notif - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule", "ESCU - Windows Powershell Import Applocker Policy - Rule", "ESCU - Windows Remote Access Software RMS Registry - Rule", "ESCU - Windows Remote Service Rdpwinst Tool Execution - Rule", "ESCU - Windows Remote Services Allow Rdp In Firewall - Rule", "ESCU - Windows Remote Services Allow Remote Assistance - Rule", "ESCU - Windows Remote Services Rdp Enable - Rule", "ESCU - Windows Service Stop By Deletion - Rule", "ESCU - Windows Valid Account With Never Expires Password - Rule", "ESCU - Wmic NonInteractive App Uninstallation - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Allow Inbound Traffic By Firewall Rule Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "Allow Operation with Consent Admin", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Attempt To Stop Security Service", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "CHCP Command Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Create local admin accounts using net exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}, {"name": "Detect Use of cmd exe to Launch Script Interpreters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}]}, {"name": "Disable Defender BlockAtFirstSeen Feature", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Defender Enhanced Notification", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Defender Spynet Reporting", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Defender Submit Samples Consent Feature", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Show Hidden Files", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Hidden Files and Directories"}, {"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Hide Artifacts"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disabling Remote User Account Control", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Excessive Attempt To Disable Services", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Service Stop"}]}, {"name": "Excessive Usage Of Cacls App", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Account Access Removal"}]}, {"name": "Excessive Usage Of SC Service Utility", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Excessive Usage Of Taskkill", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Firewall Allowed Program Enable", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Hide User Account From Sign-In Screen", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Hiding Files And Directories With Attrib exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "Windows File and Directory Permissions Modification"}]}, {"name": "Icacls Deny Command", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}, {"name": "Network Connection Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawning MSHTA", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Processes launching netsh", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Windows Application Layer Protocol RMS Radmin Tool Namedpipe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Application Layer Protocol"}]}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "System Network Connections Discovery"}, {"mitre_attack_technique": "System Owner/User Discovery"}, {"mitre_attack_technique": "System Shutdown/Reboot"}, {"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows Defender Exclusion Registry Entry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Gather Victim Network Info Through Ip Check Web Services", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "IP Addresses"}, {"mitre_attack_technique": "Gather Victim Network Information"}]}, {"name": "Windows Impair Defense Add Xml Applocker Rules", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Deny Security Software With Applocker", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Malicious Link"}, {"mitre_attack_technique": "User Execution"}]}, {"name": "Windows Modify Registry Disable Toast Notifications", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry Disable Win Defender Raw Write Notif", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry Disable Windows Security Center Notif", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry Disabling WER Settings", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry DisAllow Windows App", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry Regedit Silent Reg Import", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry Suppress Win Defender Notif", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}, {"name": "Windows Powershell Import Applocker Policy", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Remote Access Software RMS Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}, {"name": "Windows Remote Service Rdpwinst Tool Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "Windows Remote Services Allow Rdp In Firewall", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "Windows Remote Services Allow Remote Assistance", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "Windows Remote Services Rdp Enable", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "Windows Service Stop By Deletion", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Service Stop"}]}, {"name": "Windows Valid Account With Never Expires Password", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Service Stop"}]}, {"name": "Wmic NonInteractive App Uninstallation", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}]}, {"name": "Azure Active Directory Account Takeover", "author": "Mauricio Velazco, Splunk", "date": "2022-07-14", "version": 2, "id": "41514c46-7118-4eab-a9bb-f3bfa4e3bea9", "description": "Monitor for activities and techniques associated with Account Takeover attacks against Azure Active Directory tenants.", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis", "https://azure.microsoft.com/en-us/services/active-directory/#overview", "https://attack.mitre.org/techniques/T1586/", "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-compare-azure-ad-to-ad", "https://www.imperva.com/learn/application-security/account-takeover-ato/", "https://www.varonis.com/blog/azure-active-directory", "https://www.barracuda.com/glossary/account-takeover"], "narrative": "Azure Active Directory (Azure AD) is Microsofts enterprise cloud-based identity and access management (IAM) service. Azure AD is the backbone of most of Azure services like Office 365. It can sync with on-premise Active Directory environments and provide authentication to other cloud-based systems via the OAuth protocol. According to Microsoft, Azure AD manages more than 1.2 billion identities and processes over 8 billion authentications per day. Account Takeover (ATO) is an attack whereby cybercriminals gain unauthorized access to online accounts by using different techniques like brute force, social engineering, phishing & spear phishing, credential stuffing, etc. By posing as the real user, cyber-criminals can change account details, send out phishing emails, steal financial information or sensitive data, or use any stolen information to access further accounts within the organization. This analytic storic groups detections that can help security operations teams identify the potential compromise of Azure Active Directory accounts.", "tags": {"category": ["Adversary Tactics", "Account Compromise", "Cloud Security", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1556.006", "mitre_attack_technique": "Multi-Factor Authentication", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["Scattered Spider"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1185", "mitre_attack_technique": "Browser Session Hijacking", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1528", "mitre_attack_technique": "Steal Application Access Token", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29"]}, {"mitre_attack_id": "T1566.002", "mitre_attack_technique": "Spearphishing Link", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1110.001", "mitre_attack_technique": "Password Guessing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29"]}], "mitre_attack_tactics": ["Initial Access", "Collection", "Resource Development", "Credential Access", "Privilege Escalation", "Persistence", "Defense Evasion"], "datamodels": ["Authentication", "Risk"], "kill_chain_phases": ["Delivery", "Installation", "Weaponization", "Exploitation"]}, "detection_names": ["ESCU - Azure Active Directory High Risk Sign-in - Rule", "ESCU - Azure AD Authentication Failed During MFA Challenge - Rule", "ESCU - Azure AD Block User Consent For Risky Apps Disabled - Rule", "ESCU - Azure AD Concurrent Sessions From Different Ips - Rule", "ESCU - Azure AD Device Code Authentication - Rule", "ESCU - Azure AD High Number Of Failed Authentications For User - Rule", "ESCU - Azure AD High Number Of Failed Authentications From Ip - Rule", "ESCU - Azure AD Multi-Factor Authentication Disabled - Rule", "ESCU - Azure AD Multi-Source Failed Authentications Spike - Rule", "ESCU - Azure AD Multiple AppIDs and UserAgents Authentication Spike - Rule", "ESCU - Azure AD Multiple Denied MFA Requests For User - Rule", "ESCU - Azure AD Multiple Failed MFA Requests For User - Rule", "ESCU - Azure AD Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - Azure AD New MFA Method Registered For User - Rule", "ESCU - Azure AD OAuth Application Consent Granted By User - Rule", "ESCU - Azure AD Service Principal Authentication - Rule", "ESCU - Azure AD Successful Authentication From Different Ips - Rule", "ESCU - Azure AD Successful PowerShell Authentication - Rule", "ESCU - Azure AD Successful Single-Factor Authentication - Rule", "ESCU - Azure AD Unusual Number of Failed Authentications From Ip - Rule", "ESCU - Azure AD User Consent Blocked for Risky Application - Rule", "ESCU - Azure AD User Consent Denied for OAuth Application - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Azure Active Directory High Risk Sign-in", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}]}, {"name": "Azure AD Authentication Failed During MFA Challenge", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}, {"name": "Azure AD Block User Consent For Risky Apps Disabled", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Azure AD Concurrent Sessions From Different Ips", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Browser Session Hijacking"}]}, {"name": "Azure AD Device Code Authentication", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal Application Access Token"}, {"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Link"}]}, {"name": "Azure AD High Number Of Failed Authentications For User", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Guessing"}]}, {"name": "Azure AD High Number Of Failed Authentications From Ip", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Guessing"}, {"mitre_attack_technique": "Password Spraying"}]}, {"name": "Azure AD Multi-Factor Authentication Disabled", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Modify Authentication Process"}, {"mitre_attack_technique": "Multi-Factor Authentication"}]}, {"name": "Azure AD Multi-Source Failed Authentications Spike", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}, {"name": "Azure AD Multiple AppIDs and UserAgents Authentication Spike", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "Azure AD Multiple Denied MFA Requests For User", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}, {"name": "Azure AD Multiple Failed MFA Requests For User", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}]}, {"name": "Azure AD Multiple Users Failing To Authenticate From Ip", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}, {"name": "Azure AD New MFA Method Registered For User", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Authentication Process"}, {"mitre_attack_technique": "Multi-Factor Authentication"}]}, {"name": "Azure AD OAuth Application Consent Granted By User", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal Application Access Token"}]}, {"name": "Azure AD Service Principal Authentication", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Cloud Accounts"}]}, {"name": "Azure AD Successful Authentication From Different Ips", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Guessing"}, {"mitre_attack_technique": "Password Spraying"}]}, {"name": "Azure AD Successful PowerShell Authentication", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}]}, {"name": "Azure AD Successful Single-Factor Authentication", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}]}, {"name": "Azure AD Unusual Number of Failed Authentications From Ip", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}, {"name": "Azure AD User Consent Blocked for Risky Application", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal Application Access Token"}]}, {"name": "Azure AD User Consent Denied for OAuth Application", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal Application Access Token"}]}]}, {"name": "Azure Active Directory Persistence", "author": "Mauricio Velazco, Splunk", "date": "2022-08-17", "version": 1, "id": "dca983db-6334-4a0d-be32-80611ca1396c", "description": "Monitor for activities and techniques associated with the execution of Persistence techniques against Azure Active Directory tenants.", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis", "https://azure.microsoft.com/en-us/services/active-directory/#overview", "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-compare-azure-ad-to-ad", "https://attack.mitre.org/tactics/TA0003/", "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/Persistence/"], "narrative": "Azure Active Directory (Azure AD) is Microsofts enterprise cloud-based identity and access management (IAM) service. Azure AD is the backbone of most of Azure services like Office 365. It can sync with on-premise Active Directory environments and provide authentication to other cloud-based systems via the OAuth protocol. According to Microsoft, Azure AD manages more than 1.2 billion identities and processes over 8 billion authentications per day. Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. This analytic storic groups detections that can help security operations teams identify the potential execution of Persistence techniques targeting Azure Active Directory tenants. ", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098.002", "mitre_attack_technique": "Additional Email Delegate Permissions", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "Magic Hound"]}, {"mitre_attack_id": "T1484.002", "mitre_attack_technique": "Trust Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Scattered Spider"]}, {"mitre_attack_id": "T1484", "mitre_attack_technique": "Domain or Tenant Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1098.003", "mitre_attack_technique": "Additional Cloud Roles", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1098.005", "mitre_attack_technique": "Device Registration", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1098.001", "mitre_attack_technique": "Additional Cloud Credentials", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider", "Scattered Spider"]}], "mitre_attack_tactics": ["Initial Access", "Credential Access", "Privilege Escalation", "Persistence", "Defense Evasion"], "datamodels": ["Authentication"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation"]}, "detection_names": ["ESCU - Azure AD External Guest User Invited - Rule", "ESCU - Azure AD FullAccessAsApp Permission Assigned - Rule", "ESCU - Azure AD Global Administrator Role Assigned - Rule", "ESCU - Azure AD Multiple Service Principals Created by SP - Rule", "ESCU - Azure AD Multiple Service Principals Created by User - Rule", "ESCU - Azure AD New Custom Domain Added - Rule", "ESCU - Azure AD New Federated Domain Added - Rule", "ESCU - Azure AD New MFA Method Registered - Rule", "ESCU - Azure AD PIM Role Assigned - Rule", "ESCU - Azure AD PIM Role Assignment Activated - Rule", "ESCU - Azure AD Privileged Graph API Permission Assigned - Rule", "ESCU - Azure AD Privileged Role Assigned - Rule", "ESCU - Azure AD Service Principal Created - Rule", "ESCU - Azure AD Service Principal New Client Credentials - Rule", "ESCU - Azure AD Service Principal Owner Added - Rule", "ESCU - Azure AD Tenant Wide Admin Consent Granted - Rule", "ESCU - Azure AD User Enabled And Password Reset - Rule", "ESCU - Azure AD User ImmutableId Attribute Updated - Rule", "ESCU - Azure Automation Account Created - Rule", "ESCU - Azure Automation Runbook Created - Rule", "ESCU - Azure Runbook Webhook Created - Rule", "ESCU - Windows Multiple Account Passwords Changed - Rule", "ESCU - Windows Multiple Accounts Deleted - Rule", "ESCU - Windows Multiple Accounts Disabled - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Azure AD External Guest User Invited", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Cloud Account"}]}, {"name": "Azure AD FullAccessAsApp Permission Assigned", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Additional Email Delegate Permissions"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "Azure AD Global Administrator Role Assigned", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "Azure AD Multiple Service Principals Created by SP", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Account"}]}, {"name": "Azure AD Multiple Service Principals Created by User", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Account"}]}, {"name": "Azure AD New Custom Domain Added", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain or Tenant Policy Modification"}, {"mitre_attack_technique": "Trust Modification"}]}, {"name": "Azure AD New Federated Domain Added", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain or Tenant Policy Modification"}, {"mitre_attack_technique": "Trust Modification"}]}, {"name": "Azure AD New MFA Method Registered", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Device Registration"}]}, {"name": "Azure AD PIM Role Assigned", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "Azure AD PIM Role Assignment Activated", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "Azure AD Privileged Graph API Permission Assigned", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Security Account Manager"}]}, {"name": "Azure AD Privileged Role Assigned", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "Azure AD Service Principal Created", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Cloud Account"}]}, {"name": "Azure AD Service Principal New Client Credentials", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Credentials"}]}, {"name": "Azure AD Service Principal Owner Added", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}]}, {"name": "Azure AD Tenant Wide Admin Consent Granted", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "Azure AD User Enabled And Password Reset", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}]}, {"name": "Azure AD User ImmutableId Attribute Updated", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}]}, {"name": "Azure Automation Account Created", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Create Account"}, {"mitre_attack_technique": "Cloud Account"}]}, {"name": "Azure Automation Runbook Created", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Create Account"}, {"mitre_attack_technique": "Cloud Account"}]}, {"name": "Azure Runbook Webhook Created", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}]}, {"name": "Windows Multiple Account Passwords Changed", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Valid Accounts"}]}, {"name": "Windows Multiple Accounts Deleted", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Valid Accounts"}]}, {"name": "Windows Multiple Accounts Disabled", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Valid Accounts"}]}]}, {"name": "Azure Active Directory Privilege Escalation", "author": "Mauricio Velazco, Splunk", "date": "2023-04-24", "version": 1, "id": "ec78e872-b79c-417d-b256-8fde902522fb", "description": "Monitor for activities and techniques associated with Privilege Escalation attacks within Azure Active Directory tenants.", "references": ["https://attack.mitre.org/tactics/TA0003/", "https://cloudbrothers.info/en/azure-attack-paths/", "https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/PrivEsc/", "https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5"], "narrative": "Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations or vulnerabilities.\nAzure Active Directory (Azure AD) is Microsofts enterprise cloud-based identity and access management (IAM) service. Azure AD is the backbone of most of Azure services like Office 365 and Microsoft Teams. It can sync with on-premise Active Directory environments and provide authentication to other cloud-based systems via the OAuth protocol. According to Microsoft, Azure AD manages more than 1.2 billion identities and processes over 8 billion authentications per day.\nPrivilege escalation attacks in Azure AD typically involve abusing misconfigurations to gain elevated privileges, such as Global Administrator access. Once an attacker has escalated their privileges and taken full control of a tenant, they may abuse every service that leverages Azure AD including moving laterally to Azure virtual machines to access sensitive data and carry out further attacks. Security teams should monitor for privilege escalation attacks in Azure Active Directory to identify breaches before attackers achieve operational success.\nThe following analytic story groups detection opportunities that seek to identify an adversary attempting to escalate privileges in Azure AD tenants.", "tags": {"category": ["Adversary Tactics", "Account Compromise", "Cloud Security", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098.003", "mitre_attack_technique": "Additional Cloud Roles", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1098.001", "mitre_attack_technique": "Additional Cloud Credentials", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}], "mitre_attack_tactics": ["Persistence", "Credential Access", "Privilege Escalation"], "datamodels": ["Authentication"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - Azure AD Admin Consent Bypassed by Service Principal - Rule", "ESCU - Azure AD Application Administrator Role Assigned - Rule", "ESCU - Azure AD Global Administrator Role Assigned - Rule", "ESCU - Azure AD PIM Role Assigned - Rule", "ESCU - Azure AD PIM Role Assignment Activated - Rule", "ESCU - Azure AD Privileged Authentication Administrator Role Assigned - Rule", "ESCU - Azure AD Privileged Role Assigned to Service Principal - Rule", "ESCU - Azure AD Service Principal New Client Credentials - Rule", "ESCU - Azure AD Service Principal Owner Added - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Azure AD Admin Consent Bypassed by Service Principal", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "Azure AD Application Administrator Role Assigned", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "Azure AD Global Administrator Role Assigned", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "Azure AD PIM Role Assigned", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "Azure AD PIM Role Assignment Activated", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "Azure AD Privileged Authentication Administrator Role Assigned", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Security Account Manager"}]}, {"name": "Azure AD Privileged Role Assigned to Service Principal", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "Azure AD Service Principal New Client Credentials", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Credentials"}]}, {"name": "Azure AD Service Principal Owner Added", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}]}]}, {"name": "Baron Samedit CVE-2021-3156", "author": "Shannon Davis, Splunk", "date": "2021-01-27", "version": 1, "id": "817b0dfc-23ba-4bcc-96cc-2cb77e428fbe", "description": "Uncover activity consistent with CVE-2021-3156. Discovered by the Qualys Research Team, this vulnerability has been found to affect sudo across multiple Linux distributions (Ubuntu 20.04 and prior, Debian 10 and prior, Fedora 33 and prior). As this vulnerability was committed to code in July 2011, there will be many distributions affected. Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host.", "references": ["https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit"], "narrative": "A non-privledged user is able to execute the sudoedit command to trigger a buffer overflow. After the successful buffer overflow, they are then able to gain root privileges on the affected host. The conditions needed to be run are a trailing \"\\\" along with shell and edit flags. Monitoring the /var/log directory on Linux hosts using the Splunk Universal Forwarder will allow you to pick up this behavior when using the provided detection.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Privilege Escalation"], "datamodels": [], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Detect Baron Samedit CVE-2021-3156 - Rule", "ESCU - Detect Baron Samedit CVE-2021-3156 Segfault - Rule", "ESCU - Detect Baron Samedit CVE-2021-3156 via OSQuery - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Shannon Davis", "detections": [{"name": "Detect Baron Samedit CVE-2021-3156", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}, {"name": "Detect Baron Samedit CVE-2021-3156 Segfault", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}, {"name": "Detect Baron Samedit CVE-2021-3156 via OSQuery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}]}, {"name": "BishopFox Sliver Adversary Emulation Framework", "author": "Michael Haag, Splunk", "date": "2023-01-24", "version": 1, "id": "8c2e2cba-3fd8-424f-a890-5080bdaf3f31", "description": "The following analytic story providers visibility into the latest adversary TTPs in regard to the use of Sliver. Sliver has gained more traction with adversaries as it is often seen as an alternative to Cobalt Strike. It is designed to be scalable and can be used by organizations of all sizes to perform security testing. Sliver is highly modular and contains an Extension package manager (armory) allowing easy install (automatic compilation) of various 3rd party tools such as BOFs and .NET tooling like Ghostpack (Rubeus, Seatbelt, SharpUp, Certify, and so forth) (CyberReason,2023).", "references": ["https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors", "https://www.ncsc.gov.uk/files/Advisory%20Further%20TTPs%20associated%20with%20SVR%20cyber%20actors.pdf", "https://www.proofpoint.com/uk/blog/security-briefs/ta551-uses-sliver-red-team-tool-new-activity", "https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control", "https://github.com/sliverarmory/armory", "https://github.com/BishopFox/sliver"], "narrative": "Sliver is an open source cross-platform adversary emulation/red team framework produced by BishopFox.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1055.002", "mitre_attack_technique": "Portable Executable Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Gorgon Group", "Rocke"]}], "mitre_attack_tactics": ["Privilege Escalation", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Notepad with no Command Line Arguments - Rule", "ESCU - Windows Process Injection into Notepad - Rule", "ESCU - Windows Service Create SliverC2 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Notepad with no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Windows Process Injection into Notepad", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Portable Executable Injection"}]}, {"name": "Windows Service Create SliverC2", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}]}, {"name": "BITS Jobs", "author": "Michael Haag, Splunk", "date": "2021-03-26", "version": 1, "id": "dbc7edce-8e4c-11eb-9f31-acde48001122", "description": "Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.", "references": ["https://attack.mitre.org/techniques/T1197/", "https://docs.microsoft.com/en-us/windows/win32/bits/bitsadmin-tool"], "narrative": "Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM). BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations. The interface to create and manage BITS jobs is accessible through PowerShell and the BITSAdmin tool. Adversaries may abuse BITS to download, execute, and even clean up after running malicious code. BITS tasks are self-contained in the BITS job database, without new files or registry modifications, and often permitted by host firewalls. BITS enabled execution may also enable persistence by creating long-standing jobs (the default maximum lifetime is 90 days and extendable) or invoking an arbitrary program when a job completes or errors (including after system reboots).", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1197", "mitre_attack_technique": "BITS Jobs", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": ["APT39", "APT41", "Leviathan", "Patchwork", "Wizard Spider"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}], "mitre_attack_tactics": ["Persistence", "Command And Control", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation", "Command and Control"]}, "detection_names": ["ESCU - BITS Job Persistence - Rule", "ESCU - BITSAdmin Download File - Rule", "ESCU - PowerShell Start-BitsTransfer - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "BITS Job Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "BITS Jobs"}]}, {"name": "BITSAdmin Download File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "BITS Jobs"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "PowerShell Start-BitsTransfer", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "BITS Jobs"}]}]}, {"name": "BlackByte Ransomware", "author": "Teoderick Contreras, Splunk", "date": "2023-07-10", "version": 1, "id": "b18259ac-0746-45d7-bd1f-81d65274a80b", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the BlackByte ransomware, including looking for file writes associated with BlackByte, persistence, initial access, account registry modification and more.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/"], "narrative": "BlackByte ransomware campaigns targeting business operations, involve the use of ransomware payloads, infection chain to collect and exfiltrate data and drop payload on the targeted system. BlackByte Ransomware operates by infiltrating a system through various methods, such as malicious email attachments, exploit kits, or compromised websites. Once inside a system, it begins encrypting files using strong encryption algorithms, rendering them unusable. After completing the encryption process, BlackByte Ransomware typically leaves a ransom note that explains the situation to the victim and provides instructions on how to pay the ransom to obtain the decryption key.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.007", "mitre_attack_technique": "Disable or Modify Cloud Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "APT5", "Akira", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN13", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "APT5", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1561.002", "mitre_attack_technique": "Disk Structure Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1497.003", "mitre_attack_technique": "Time Based Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1127.001", "mitre_attack_technique": "MSBuild", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1561", "mitre_attack_technique": "Disk Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1563.002", "mitre_attack_technique": "RDP Hijacking", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Axiom"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1014", "mitre_attack_technique": "Rootkit", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT41", "Rocke", "TeamTNT", "Winnti Group"]}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1497", "mitre_attack_technique": "Virtualization/Sandbox Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": ["Darkhotel"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT", "ToddyCat"]}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "Akira", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "Scattered Spider", "TA505"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Collection", "Initial Access", "Discovery", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Impact", "Lateral Movement"], "datamodels": ["Network_Traffic", "Risk", "Endpoint"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Allow File And Printing Sharing In Firewall - Rule", "ESCU - Allow Network Discovery In Firewall - Rule", "ESCU - Anomalous usage of 7zip - Rule", "ESCU - CMD Echo Pipe - Escalation - Rule", "ESCU - Cobalt Strike Named Pipes - Rule", "ESCU - Detect Exchange Web Shell - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Regsvr32 Application Control Bypass - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Disabling Firewall with Netsh - Rule", "ESCU - DLLHost with no Command Line Arguments with Network - Rule", "ESCU - Excessive File Deletion In WinDefender Folder - Rule", "ESCU - Excessive Service Stop Attempt - Rule", "ESCU - Exchange PowerShell Abuse via SSRF - Rule", "ESCU - Exchange PowerShell Module Usage - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Firewall Allowed Program Enable - Rule", "ESCU - GPUpdate with no Command Line Arguments with Network - Rule", "ESCU - High Process Termination Frequency - Rule", "ESCU - MS Exchange Mailbox Replication service writing Active Server Pages - Rule", "ESCU - Ping Sleep Batch Command - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Resize ShadowStorage volume - Rule", "ESCU - Rundll32 with no Command Line Arguments with Network - Rule", "ESCU - SearchProtocolHost with no Command Line with Network - Rule", "ESCU - Services Escalate Exe - Rule", "ESCU - Suspicious DLLHost no Command Line Arguments - Rule", "ESCU - Suspicious Driver Loaded Path - Rule", "ESCU - Suspicious GPUpdate no Command Line Arguments - Rule", "ESCU - Suspicious microsoft workflow compiler rename - Rule", "ESCU - Suspicious msbuild path - Rule", "ESCU - Suspicious MSBuild Rename - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", "ESCU - Suspicious Rundll32 StartW - Rule", "ESCU - Suspicious SearchProtocolHost no Command Line Arguments - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows Driver Load Non-Standard Path - Rule", "ESCU - Windows Drivers Loaded by Signature - Rule", "ESCU - Windows Modify Registry EnableLinkedConnections - Rule", "ESCU - Windows Modify Registry LongPathsEnabled - Rule", "ESCU - Windows MSExchange Management Mailbox Cmdlet Usage - Rule", "ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - Windows RDP Connection Successful - Rule", "ESCU - Windows Vulnerable Driver Loaded - Rule", "ESCU - ProxyShell ProxyNotShell Behavior Detected - Rule", "ESCU - Windows Exchange Autodiscover SSRF Abuse - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Allow File And Printing Sharing In Firewall", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Cloud Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Allow Network Discovery In Firewall", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Cloud Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Anomalous usage of 7zip", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}, {"name": "CMD Echo Pipe - Escalation", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Cobalt Strike Named Pipes", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Detect Exchange Web Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}, {"name": "Detect Regsvr32 Application Control Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}, {"name": "Disabling Firewall with Netsh", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "DLLHost with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Excessive File Deletion In WinDefender Folder", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Excessive Service Stop Attempt", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Service Stop"}]}, {"name": "Exchange PowerShell Abuse via SSRF", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Exchange PowerShell Module Usage", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Firewall Allowed Program Enable", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "GPUpdate with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "High Process Termination Frequency", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}, {"name": "MS Exchange Mailbox Replication service writing Active Server Pages", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Ping Sleep Batch Command", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Virtualization/Sandbox Evasion"}, {"mitre_attack_technique": "Time Based Evasion"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Resize ShadowStorage volume", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Rundll32 with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "SearchProtocolHost with no Command Line with Network", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Services Escalate Exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Suspicious DLLHost no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Suspicious Driver Loaded Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Suspicious GPUpdate no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Suspicious microsoft workflow compiler rename", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}]}, {"name": "Suspicious msbuild path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}, {"name": "Suspicious MSBuild Rename", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Suspicious Rundll32 no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Suspicious Rundll32 StartW", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Suspicious SearchProtocolHost no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}, {"name": "Windows Driver Load Non-Standard Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Rootkit"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}, {"name": "Windows Drivers Loaded by Signature", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Rootkit"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}, {"name": "Windows Modify Registry EnableLinkedConnections", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry LongPathsEnabled", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows MSExchange Management Mailbox Cmdlet Usage", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}, {"name": "Windows RDP Connection Successful", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "RDP Hijacking"}]}, {"name": "Windows Vulnerable Driver Loaded", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Service"}]}, {"name": "ProxyShell ProxyNotShell Behavior Detected", "source": "web", "type": "Correlation", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Windows Exchange Autodiscover SSRF Abuse", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}]}, {"name": "BlackLotus Campaign", "author": "Michael Haag, Splunk", "date": "2023-04-14", "version": 1, "id": "8eb0e418-a2b6-4327-a387-85c976662c8f", "description": "The first in-the-wild UEFI bootkit bypassing UEFI Secure Boot on fully updated UEFI systems is now a reality", "references": ["https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/", "https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/"], "narrative": "The number of UEFI vulnerabilities discovered in recent years and the failures in patching them or revoking vulnerable binaries within a reasonable time window hasn't gone unnoticed by threat actors. As a result, the first publicly known UEFI bootkit bypassing the essential platform security feature UEFI Secure Boot is now a reality. present the first public analysis of this UEFI bootkit, which is capable of running on even fully-up-to-date Windows 11 systems with UEFI Secure Boot enabled. Functionality of the bootkit and its individual features leads us to believe that we are dealing with a bootkit known as BlackLotus, the UEFI bootkit being sold on hacking forums for $5,000 since at least October 2022. (ESET, 2023) The following content aims to aid defenders in detecting suspicious bootloaders and understanding the diverse techniques employed in this campaign.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1542.001", "mitre_attack_technique": "System Firmware", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1542", "mitre_attack_technique": "Pre-OS Boot", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Persistence", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - Windows BootLoader Inventory - Rule", "ESCU - Windows Impair Defenses Disable HVCI - Rule", "ESCU - Windows WinLogon with Public Network Connection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows BootLoader Inventory", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Firmware"}, {"mitre_attack_technique": "Pre-OS Boot"}]}, {"name": "Windows Impair Defenses Disable HVCI", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows WinLogon with Public Network Connection", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Bootkit"}]}]}, {"name": "BlackMatter Ransomware", "author": "Teoderick Contreras, Splunk", "date": "2021-09-06", "version": 1, "id": "0da348a3-78a0-412e-ab27-2de9dd7f9fee", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the BlackMatter ransomware, including looking for file writes associated with BlackMatter, force safe mode boot, autadminlogon account registry modification and more.", "references": ["https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/", "https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-gang-rises-from-the-ashes-of-darkside-revil/", "https://blog.malwarebytes.com/ransomware/2021/07/blackmatter-a-new-ransomware-group-claims-link-to-darkside-revil/"], "narrative": "BlackMatter ransomware campaigns targeting healthcare and other vertical sectors, involve the use of ransomware payloads along with exfiltration of data per HHS bulletin. Malicious actors demand payment for ransome of data and threaten deletion and exposure of exfiltrated data.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1552.002", "mitre_attack_technique": "Credentials in Registry", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT32"]}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "Akira", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "Scattered Spider", "TA505"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1491", "mitre_attack_technique": "Defacement", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Impact", "Credential Access"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Add DefaultUser And Password In Registry - Rule", "ESCU - Auto Admin Logon Registry Entry - Rule", "ESCU - Bcdedit Command Back To Normal Mode Boot - Rule", "ESCU - Change To Safe Mode With Network Config - Rule", "ESCU - Known Services Killed by Ransomware - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - Ransomware Notes bulk creation - Rule", "ESCU - SchCache Change By App Connect And Create ADSI Object - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Add DefaultUser And Password In Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials in Registry"}, {"mitre_attack_technique": "Unsecured Credentials"}]}, {"name": "Auto Admin Logon Registry Entry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Credentials in Registry"}, {"mitre_attack_technique": "Unsecured Credentials"}]}, {"name": "Bcdedit Command Back To Normal Mode Boot", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Change To Safe Mode With Network Config", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Known Services Killed by Ransomware", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Defacement"}]}, {"name": "Ransomware Notes bulk creation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}, {"name": "SchCache Change By App Connect And Create ADSI Object", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}]}, {"name": "Brand Monitoring", "author": "David Dorsey, Splunk", "date": "2017-12-19", "version": 1, "id": "91c676cf-0b23-438d-abee-f6335e1fce78", "description": "Detect and investigate activity that may indicate that an adversary is using faux domains to mislead users into interacting with malicious infrastructure. Monitor DNS, email, and web traffic for permutations of your brand name.", "references": ["https://www.zerofox.com/blog/what-is-digital-risk-monitoring/", "https://securingtomorrow.mcafee.com/consumer/family-safety/what-is-typosquatting/", "https://blog.malwarebytes.com/cybercrime/2016/06/explained-typosquatting/"], "narrative": "While you can educate your users and customers about the risks and threats posed by typosquatting, phishing, and corporate espionage, human error is a persistent fact of life. Of course, your adversaries are all too aware of this reality and will happily leverage it for nefarious purposes whenever possible3phishing with lookalike addresses, embedding faux command-and-control domains in malware, and hosting malicious content on domains that closely mimic your corporate servers. This is where brand monitoring comes in.\nYou can use our adaptation of `DNSTwist`, together with the support searches in this Analytic Story, to generate permutations of specified brands and external domains. Splunk can monitor email, DNS requests, and web traffic for these permutations and provide you with early warnings and situational awareness--powerful elements of an effective defense.\nNotable events will include IP addresses, URLs, and user data. Drilling down can provide you with even more actionable intelligence, including likely geographic information, contextual searches to help you scope the problem, and investigative searches.", "tags": {"category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Email", "Network_Resolution"], "kill_chain_phases": []}, "detection_names": ["ESCU - Monitor Email For Brand Abuse - Rule", "ESCU - Monitor DNS For Brand Abuse - Rule", "ESCU - Monitor Web Traffic For Brand Abuse - Rule"], "investigation_names": ["Get Email Info", "Get Emails From Specific Sender", "Get Notable History", "Get Process Responsible For The DNS Traffic"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Monitor Email For Brand Abuse", "source": "application", "type": "TTP", "tags": []}, {"name": "Monitor DNS For Brand Abuse", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Monitor Web Traffic For Brand Abuse", "source": "web", "type": "TTP", "tags": []}]}, {"name": "Brute Ratel C4", "author": "Teoderick Contreras, Splunk", "date": "2022-08-23", "version": 1, "id": "0ec9dbfe-f64e-46bb-8eb8-04e92326f513", "description": "Leverage searches that allow you to detect and investigate unusual activities that may be related to Brute Ratel Red Teaming tool. This includes creation, modification and deletion of services, collection or data, ping IP, DNS cache, process injection, debug privileges adjustment, winlogon process duplicate token, lock workstation, get clipboard or screenshot and much more.", "references": ["https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/", "https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/"], "narrative": "Brute RATEL BRC4 is the latest red-teaming tool that simulate several TTP's. It uses several techniques like syscall, patching ETW/AMSI and written in native C to minimize noise in process command-line. This tool was seen in the wild being abused by some ransomware (blackcat) and adversaries in their campaigns to install the BRC4 agent that can serve as remote admin tool to compromise the target host or network.", "tags": {"category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1219", "mitre_attack_technique": "Remote Access Software", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Akira", "Carbanak", "Cobalt Group", "DarkVishnya", "Evilnum", "FIN7", "GOLD SOUTHFIELD", "Kimsuky", "MuddyWater", "Mustang Panda", "RTM", "Sandworm Team", "Scattered Spider", "TeamTNT", "Thrip"]}, {"mitre_attack_id": "T1056", "mitre_attack_technique": "Input Capture", "mitre_attack_tactics": ["Collection", "Credential Access"], "mitre_attack_groups": ["APT39"]}, {"mitre_attack_id": "T1589", "mitre_attack_technique": "Gather Victim Identity Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["APT32", "FIN13", "HEXANE", "LAPSUS$", "Magic Hound"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1055.002", "mitre_attack_technique": "Portable Executable Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Gorgon Group", "Rocke"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1134.001", "mitre_attack_technique": "Token Impersonation/Theft", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "FIN8"]}, {"mitre_attack_id": "T1589.001", "mitre_attack_technique": "Credentials", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["APT28", "APT41", "Chimera", "LAPSUS$", "Leviathan", "Magic Hound"]}, {"mitre_attack_id": "T1134.002", "mitre_attack_technique": "Create Process with Token", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Lazarus Group", "Turla"]}, {"mitre_attack_id": "T1491", "mitre_attack_technique": "Defacement", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1574.011", "mitre_attack_technique": "Services Registry Permissions Weakness", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1056.002", "mitre_attack_technique": "GUI Input Capture", "mitre_attack_tactics": ["Collection", "Credential Access"], "mitre_attack_groups": ["FIN4"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1574.001", "mitre_attack_technique": "DLL Search Order Hijacking", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT41", "Aquatic Panda", "BackdoorDiplomacy", "Cinnamon Tempest", "Evilnum", "RTM", "Threat Group-3390", "Tonto Team", "Whitefly", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1204.001", "mitre_attack_technique": "Malicious Link", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}], "mitre_attack_tactics": ["Reconnaissance", "Command And Control", "Collection", "Initial Access", "Credential Access", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Impact"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Reconnaissance", "Delivery", "Exploitation", "Actions on Objectives", "Installation", "Command and Control"]}, "detection_names": ["ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Access Token Manipulation SeDebugPrivilege - Rule", "ESCU - Windows Access Token Manipulation Winlogon Duplicate Token Handle - Rule", "ESCU - Windows Access Token Winlogon Duplicate Handle In Uncommon Path - Rule", "ESCU - Windows Defacement Modify Transcodedwallpaper File - Rule", "ESCU - Windows Gather Victim Identity SAM Info - Rule", "ESCU - Windows Hijack Execution Flow Version Dll Side Load - Rule", "ESCU - Windows Input Capture Using Credential UI Dll - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule", "ESCU - Windows Process Injection With Public Source Path - Rule", "ESCU - Windows Remote Access Software BRC4 Loaded Dll - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule", "ESCU - Windows Service Deletion In Registry - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Defacement"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Windows Access Token Manipulation SeDebugPrivilege", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Create Process with Token"}, {"mitre_attack_technique": "Access Token Manipulation"}]}, {"name": "Windows Access Token Manipulation Winlogon Duplicate Token Handle", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Token Impersonation/Theft"}, {"mitre_attack_technique": "Access Token Manipulation"}]}, {"name": "Windows Access Token Winlogon Duplicate Handle In Uncommon Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Token Impersonation/Theft"}, {"mitre_attack_technique": "Access Token Manipulation"}]}, {"name": "Windows Defacement Modify Transcodedwallpaper File", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Defacement"}]}, {"name": "Windows Gather Victim Identity SAM Info", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Credentials"}, {"mitre_attack_technique": "Gather Victim Identity Information"}]}, {"name": "Windows Hijack Execution Flow Version Dll Side Load", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "DLL Search Order Hijacking"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "Windows Input Capture Using Credential UI Dll", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "GUI Input Capture"}, {"mitre_attack_technique": "Input Capture"}]}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Malicious Link"}, {"mitre_attack_technique": "User Execution"}]}, {"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}, {"name": "Windows Process Injection With Public Source Path", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Portable Executable Injection"}]}, {"name": "Windows Remote Access Software BRC4 Loaded Dll", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Access Software"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Services Registry Permissions Weakness"}]}, {"name": "Windows Service Deletion In Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Service Stop"}]}]}, {"name": "Caddy Wiper", "author": "Teoderick Contreras, Rod Soto, Splunk", "date": "2022-03-25", "version": 1, "id": "435a156a-8ef1-4184-bd52-22328fb65d3a", "description": "Caddy Wiper is a destructive payload that detects if its running on a Domain Controller and executes killswitch if detected. If not in a DC it destroys Users and subsequent mapped drives. This wiper also destroys drive partitions inculding boot partitions.", "references": ["https://twitter.com/ESETresearch/status/1503436420886712321", "https://www.welivesecurity.com/2022/03/15/caddywiper-new-wiper-malware-discovered-ukraine/"], "narrative": "Caddy Wiper is destructive malware operation found by ESET multiple organizations in Ukraine. This malicious payload destroys user files, avoids executing on Dnomain Controllers and destroys boot and drive partitions.", "tags": {"category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1561.002", "mitre_attack_technique": "Disk Structure Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1561", "mitre_attack_technique": "Disk Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Impact"], "datamodels": [], "kill_chain_phases": ["Actions on Objectives"]}, "detection_names": ["ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Rod Soto, Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}]}, {"name": "Chaos Ransomware", "author": "Teoderick Contreras, Splunk", "date": "2023-01-11", "version": 1, "id": "153d7b8f-27f2-4e4d-bae8-dfafd93a22a8", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Chaos ransomware, including looking for file writes (file encryption and ransomware notes), deleting shadow volume storage, registry key modification, dropping of files in startup folder, and more.", "references": ["https://blog.qualys.com/vulnerabilities-threat-research/2022/01/17/the-chaos-ransomware-can-be-ravaging", "https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-in-fake-minecraft-alt-list-brings-destruction", "https://marcoramilli.com/2021/06/14/the-allegedly-ryuk-ransomware-builder-ryukjoke/", "https://www.trendmicro.com/en_us/research/21/h/chaos-ransomware-a-dangerous-proof-of-concept.html"], "narrative": "CHAOS ransomware has been seen and monitored since 2021. This ransomware is purportedly a .NET version of Ryuk ransomware but upon closer look to its code and behavior, this malware sample reveals that it doesn't share much relation to the notorious RYUK ransomware. This ransomware is one of the known ransomware that was used in the ongoing geo-political war. This ransomware is capable to check that only one copy of itself is running on the targeted host, delay of execution as part of its defense evasion technique, persistence through registry and startup folder, drop a copy of itself in each root drive of the targeted host and also in %appdata% folder and many more. As of writing this ransomware is still active and keeps on infecting Windows Operating machines and Windows networks.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "Akira", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "Scattered Spider", "TA505"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1091", "mitre_attack_technique": "Replication Through Removable Media", "mitre_attack_tactics": ["Initial Access", "Lateral Movement"], "mitre_attack_groups": ["APT28", "Aoqin Dragon", "Darkhotel", "FIN7", "LuminousMoth", "Mustang Panda", "Tropic Trooper"]}], "mitre_attack_tactics": ["Initial Access", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Impact", "Lateral Movement"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Prevent Automatic Repair Mode using Bcdedit - Rule", "ESCU - Ransomware Notes bulk creation - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - WBAdmin Delete System Backups - Rule", "ESCU - Windows Boot or Logon Autostart Execution In Startup Folder - Rule", "ESCU - Windows Replication Through Removable Media - Rule", "ESCU - Windows User Execution Malicious URL Shortcut File - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Prevent Automatic Repair Mode using Bcdedit", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Ransomware Notes bulk creation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "WBAdmin Delete System Backups", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Windows Boot or Logon Autostart Execution In Startup Folder", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Windows Replication Through Removable Media", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Replication Through Removable Media"}]}, {"name": "Windows User Execution Malicious URL Shortcut File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Malicious File"}, {"mitre_attack_technique": "User Execution"}]}]}, {"name": "CISA AA22-257A", "author": "Michael Haag, Splunk", "date": "2022-09-15", "version": 1, "id": "e1aec96e-bc7d-4edf-8ff7-3da9b7b29147", "description": "The Iranian government-sponsored APT actors are actively targeting a broad range of victims across multiple U.S. critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian organizations.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa21-321a", "https://www.cisa.gov/uscert/ncas/alerts/aa22-257a", "https://www.ic3.gov/Media/News/2021/210527.pdf", "https://www.us-cert.gov/sites/default/files/AA22-257A.stix.xml", "https://www.us-cert.cisa.gov/iran"], "narrative": "This advisory updates joint CSA Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities, which provides information on these Iranian government-sponsored APT actors exploiting known Fortinet and Microsoft Exchange vulnerabilities to gain initial access to a broad range of targeted entities in furtherance of malicious activities, including ransom operations. The authoring agencies now judge these actors are an APT group affiliated with the IRGC. Since the initial reporting of this activity in the FBI Liaison Alert System (FLASH) report APT Actors Exploiting Fortinet Vulnerabilities to Gain Access for Malicious Activity from May 2021, the authoring agencies have continued to observe these IRGC-affiliated actors exploiting known vulnerabilities for initial access. In addition to exploiting Fortinet and Microsoft Exchange vulnerabilities, the authoring agencies have observed these APT actors exploiting VMware Horizon Log4j vulnerabilities for initial access. The IRGC-affiliated actors have used this access for follow-on activity, including disk encryption and data extortion, to support ransom operations. The IRGC-affiliated actors are actively targeting a broad range of entities, including entities across multiple U.S. critical infrastructure sectors as well as Australian, Canadian, and United Kingdom organizations. These actors often operate under the auspices of Najee Technology Hooshmand Fater LLC, based in Karaj, Iran, and Afkar System Yazd Company, based in Yazd, Iran. The authoring agencies assess the actors are exploiting known vulnerabilities on unprotected networks rather than targeting specific targeted entities or sectors. This advisory provides observed tactics, techniques, and indicators of compromise (IOCs) that the authoring agencies assess are likely associated with this IRGC-affiliated APT. The authoring agencies urge organizations, especially critical infrastructure organizations, to apply the recommendations listed in the Mitigations section of this advisory to mitigate risk of compromise from these IRGC-affiliated cyber actors.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1572", "mitre_attack_technique": "Protocol Tunneling", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Chimera", "Cinnamon Tempest", "Cobalt Group", "FIN13", "FIN6", "Fox Kitten", "Leviathan", "Magic Hound", "OilRig"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider", "Scattered Spider"]}, {"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "APT5", "Dragonfly", "FIN13", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT", "Wizard Spider"]}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "APT5", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021.004", "mitre_attack_technique": "SSH", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT39", "APT5", "BlackTech", "FIN13", "FIN7", "Fox Kitten", "GCMAN", "Lazarus Group", "Leviathan", "OilRig", "Rocke", "TeamTNT", "menuPass"]}], "mitre_attack_tactics": ["Command And Control", "Initial Access", "Credential Access", "Privilege Escalation", "Persistence", "Execution", "Lateral Movement"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation", "Command and Control"]}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Dump LSASS via procdump Rename - Rule", "ESCU - Create local admin accounts using net exe - Rule", "ESCU - Creation of lsass Dump with Taskmgr - Rule", "ESCU - Detect Exchange Web Shell - Rule", "ESCU - Detect New Local Admin account - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Dump LSASS via procdump - Rule", "ESCU - Extraction of Registry Hives - Rule", "ESCU - Randomly Generated Scheduled Task Name - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Short Lived Scheduled Task - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows Hidden Schedule Task Settings - Rule", "ESCU - Windows Possible Credential Dumping - Rule", "ESCU - Windows Protocol Tunneling with Plink - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule", "ESCU - Log4Shell JNDI Payload Injection Attempt - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Dump LSASS via procdump Rename", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "LSASS Memory"}]}, {"name": "Create local admin accounts using net exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}, {"name": "Creation of lsass Dump with Taskmgr", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Detect Exchange Web Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Detect New Local Admin account", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Dump LSASS via procdump", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Extraction of Registry Hives", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Randomly Generated Scheduled Task Name", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Schtasks Run Task On Demand", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Short Lived Scheduled Task", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}]}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}, {"name": "Windows Hidden Schedule Task Settings", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Windows Possible Credential Dumping", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Windows Protocol Tunneling with Plink", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Protocol Tunneling"}, {"mitre_attack_technique": "SSH"}]}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Scheduled Task"}]}, {"name": "Log4Shell JNDI Payload Injection Attempt", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}]}, {"name": "CISA AA22-264A", "author": "Michael Haag, Splunk", "date": "2022-09-22", "version": 1, "id": "bc7056a5-c3b0-4b83-93ce-5f31739305c8", "description": "Iranian State Actors Conduct Cyber Operations Against the Government of Albania.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa22-264a", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-264a-iranian-cyber-actors-conduct-cyber-operations-against-the-government-of-albania.pdf", "https://www.mandiant.com/resources/blog/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against", "https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/"], "narrative": "The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory to provide information on recent cyber operations against the Government of Albania in July and September. This advisory provides a timeline of activity observed, from initial access to execution of encryption and wiper attacks. Additional information concerning files used by the actors during their exploitation of and cyber attack against the victim organization is provided in Appendices A and B. In September 2022, Iranian cyber actors launched another wave of cyber attacks against the Government of Albania, using similar TTPs and malware as the cyber attacks in July. These were likely done in retaliation for public attribution of the cyber attacks in July and severed diplomatic ties between Albania and Iran.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1561.002", "mitre_attack_technique": "Disk Structure Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1561", "mitre_attack_technique": "Disk Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1036.005", "mitre_attack_technique": "Match Legitimate Name or Location", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT32", "APT39", "APT41", "APT5", "Aoqin Dragon", "BRONZE BUTLER", "BackdoorDiplomacy", "Blue Mockingbird", "Carbanak", "Chimera", "Darkhotel", "Earth Lusca", "FIN13", "FIN7", "Ferocious Kitten", "Fox Kitten", "Gamaredon Group", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Naikon", "PROMETHIUM", "Patchwork", "Poseidon Group", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "Sowbug", "TA2541", "TeamTNT", "ToddyCat", "Transparent Tribe", "Tropic Trooper", "Volt Typhoon", "WIRTE", "Whitefly", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1595", "mitre_attack_technique": "Active Scanning", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "APT5", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}, {"mitre_attack_id": "T1070.001", "mitre_attack_technique": "Clear Windows Event Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "APT38", "APT41", "Chimera", "Dragonfly", "FIN5", "FIN8", "Indrik Spider"]}], "mitre_attack_tactics": ["Reconnaissance", "Credential Access", "Persistence", "Execution", "Defense Evasion", "Impact"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Reconnaissance", "Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Attacker Tools On Endpoint - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Excessive Usage Of Taskkill - Rule", "ESCU - Exchange PowerShell Module Usage - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows Event Log Cleared - Rule", "ESCU - Windows Possible Credential Dumping - Rule", "ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - Windows System File on Disk - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Attacker Tools On Endpoint", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Match Legitimate Name or Location"}, {"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "Active Scanning"}]}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Excessive Usage Of Taskkill", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Exchange PowerShell Module Usage", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Event Log Cleared", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear Windows Event Logs"}]}, {"name": "Windows Possible Credential Dumping", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}, {"name": "Windows System File on Disk", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}]}, {"name": "CISA AA22-277A", "author": "Michael Haag, Splunk", "date": "2022-10-05", "version": 1, "id": "db408f93-e915-4215-9962-5fada348bdd7", "description": "From November 2021 through January 2022, the Cybersecurity and Infrastructure Security Agency (CISA) responded to advanced persistent threat (APT) activity on a Defense Industrial Base (DIB) Sector organization's enterprise network. During incident response activities, multiple utilities were utilized.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa22-277a", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-277a-impacket-and-exfiltration-tool-used-to-steal-sensitive-information-from-defense-industrial-base-organization.pdf"], "narrative": "CISA uncovered that likely multiple APT groups compromised the organization's network, and some APT actors had long-term access to the environment. APT actors used an open-source toolkit called Impacket to gain their foothold within the environment and further compromise the network, and also used a custom data exfiltration tool, CovalentStealer, to steal the victim's sensitive data.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.007", "mitre_attack_technique": "JavaScript", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "Cobalt Group", "Earth Lusca", "Ember Bear", "Evilnum", "FIN6", "FIN7", "Higaisa", "Indrik Spider", "Kimsuky", "LazyScripter", "Leafminer", "Molerats", "MoustachedBouncer", "MuddyWater", "Sidewinder", "Silence", "TA505", "Turla"]}, {"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "APT5", "Akira", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN13", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "APT5", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1070.005", "mitre_attack_technique": "Network Share Connection Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Threat Group-3390"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}], "mitre_attack_tactics": ["Command And Control", "Collection", "Discovery", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Lateral Movement"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation", "Command and Control"]}, "detection_names": ["ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Create or delete windows shares using net exe - Rule", "ESCU - Detect Renamed WinRAR - Rule", "ESCU - Excessive Usage Of Taskkill - Rule", "ESCU - Exchange PowerShell Module Usage - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Network Discovery Using Route Windows App - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}, {"name": "Create or delete windows shares using net exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Network Share Connection Removal"}]}, {"name": "Detect Renamed WinRAR", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}, {"name": "Excessive Usage Of Taskkill", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Exchange PowerShell Module Usage", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "Network Discovery Using Route Windows App", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Internet Connection Discovery"}]}]}, {"name": "CISA AA22-320A", "author": "Michael Haag, Splunk", "date": "2022-11-16", "version": 1, "id": "c1fca73d-3a8d-49a6-b9c0-1d5d155f7dd4", "description": "CISA and the FBI have identified an APT activity where the adversary gained initial access via Log4Shell via a unpatched VMware Horizon server. From there the adversary moved laterally and continued to its objective.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa22-320a", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf"], "narrative": "From mid-June through mid-July 2022, CISA conducted an incident response engagement at a Federal Civilian Executive Branch (FCEB) organization where CISA observed suspected advanced persistent threat (APT) activity. In the course of incident response activities, CISA determined that cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto mining software, moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence. CISA and the Federal Bureau of Investigation (FBI) assess that the FCEB network was compromised by Iranian government-sponsored APT actors.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "Cinnamon Tempest", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "MoustachedBouncer", "POLONIUM", "Sandworm Team", "Turla", "Volt Typhoon", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1572", "mitre_attack_technique": "Protocol Tunneling", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Chimera", "Cinnamon Tempest", "Cobalt Group", "FIN13", "FIN6", "Fox Kitten", "Leviathan", "Magic Hound", "OilRig"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1014", "mitre_attack_technique": "Rootkit", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT41", "Rocke", "TeamTNT", "Winnti Group"]}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1102", "mitre_attack_technique": "Web Service", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT32", "EXOTIC LILY", "Ember Bear", "FIN6", "FIN8", "Fox Kitten", "Gamaredon Group", "Inception", "LazyScripter", "Mustang Panda", "Rocke", "TeamTNT", "Turla"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1550.003", "mitre_attack_technique": "Pass the Ticket", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["APT29", "APT32", "BRONZE BUTLER"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Akira", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Scattered Spider", "Silence", "Threat Group-3390", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}], "mitre_attack_tactics": ["Command And Control", "Initial Access", "Discovery", "Credential Access", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Lateral Movement"], "datamodels": ["Web", "Risk", "Endpoint", "Network_Resolution"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation", "Command and Control"]}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Suspicious Powershell Command-Line Arguments - Rule", "ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Enable WDigest UseLogonCredential Registry - Rule", "ESCU - GetAdComputer with PowerShell Script Block - Rule", "ESCU - Log4Shell CVE-2021-44228 Exploitation - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Mimikatz PassTheTicket CommandLine Parameters - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Suspicious Driver Loaded Path - Rule", "ESCU - Windows Driver Load Non-Standard Path - Rule", "ESCU - Windows Drivers Loaded by Signature - Rule", "ESCU - Windows Mimikatz Binary Execution - Rule", "ESCU - Windows Ngrok Reverse Proxy Usage - Rule", "ESCU - Windows Service Create Kernel Mode Driver - Rule", "ESCU - XMRIG Driver Loaded - Rule", "ESCU - Ngrok Reverse Proxy on Network - Rule", "ESCU - Hunting for Log4Shell - Rule", "ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", "ESCU - Log4Shell JNDI Payload Injection with Outbound Connection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Suspicious Powershell Command-Line Arguments", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "PowerShell"}]}, {"name": "Add or Set Windows Defender Exclusion", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Enable WDigest UseLogonCredential Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "GetAdComputer with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "Log4Shell CVE-2021-44228 Exploitation", "source": "endpoint", "type": "Correlation", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}, {"name": "Mimikatz PassTheTicket CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Use Alternate Authentication Material"}, {"mitre_attack_technique": "Pass the Ticket"}]}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Suspicious Driver Loaded Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Windows Driver Load Non-Standard Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Rootkit"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}, {"name": "Windows Drivers Loaded by Signature", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Rootkit"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}, {"name": "Windows Mimikatz Binary Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Windows Ngrok Reverse Proxy Usage", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Protocol Tunneling"}, {"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Web Service"}]}, {"name": "Windows Service Create Kernel Mode Driver", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}, {"name": "XMRIG Driver Loaded", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Ngrok Reverse Proxy on Network", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Protocol Tunneling"}, {"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Web Service"}]}, {"name": "Hunting for Log4Shell", "source": "web", "type": "Hunting", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Log4Shell JNDI Payload Injection Attempt", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Log4Shell JNDI Payload Injection with Outbound Connection", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}]}, {"name": "CISA AA23-347A", "author": "Teoderick Contreras, Rod Soto, Splunk", "date": "2023-12-14", "version": 1, "id": "bb4367ed-a816-4eb8-8da4-7c7086d06c40", "description": "Leverage searches that allow you to detect and investigate unusual activities that might be related to the SVR cyber activity tactics and techniques. While SVR followed a similar playbook in each compromise, they also adjusted to each operating environment and not all presented steps or actions below were executed on every host.", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a"], "narrative": "SVR cyber operations pose a persistent threat to public and private organizations' networks globally. Since 2013, cybersecurity companies and governments have reported on SVR operations targeting victim networks to steal confidential and proprietary information. A decade later, the authoring agencies can infer a long-term targeting pattern aimed at collecting, and enabling the collection of, foreign intelligence, a broad concept that for Russia encompasses information on the politics, economics, and military of foreign states; science and technology; and foreign counterintelligence. The SVR also conducts cyber operations targeting technology companies that enable future cyber operations. The SVR's recent operation has targeted networks hosting TeamCity servers, further underscoring its persistent focus on technology companies. By leveraging CVE-2023-42793, a vulnerability within a software development program, the SVR seeks to gain access to victims, potentially compromising numerous software developers' networks. JetBrains responded to this threat by issuing a patch in mid-September 2023, limting the SVR's ability to exploit Internet-accessible TeamCity servers lacking the necessary updates. Despite this mitigation, the SVR has yet to utilize its acquired access to software developers' networks for breaching customer systems. It appears that the SVR is still in the preparatory stages of its operation.", "tags": {"category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Cinnamon Tempest", "Earth Lusca", "FIN13", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1057", "mitre_attack_technique": "Process Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT37", "APT38", "APT5", "Andariel", "Chimera", "Darkhotel", "Deep Panda", "Earth Lusca", "Gamaredon Group", "HAFNIUM", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Rocke", "Sidewinder", "Stealth Falcon", "TeamTNT", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Windshift", "Winnti Group"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}, {"mitre_attack_id": "T1003.004", "mitre_attack_technique": "LSA Secrets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT33", "Dragonfly", "Ke3chang", "Leafminer", "MuddyWater", "OilRig", "Threat Group-3390", "menuPass"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1562.006", "mitre_attack_technique": "Indicator Blocking", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT41", "APT5"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "APT5", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1505.004", "mitre_attack_technique": "IIS Components", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1562.002", "mitre_attack_technique": "Disable Windows Event Logging", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound", "Threat Group-3390"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1059.007", "mitre_attack_technique": "JavaScript", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "Cobalt Group", "Earth Lusca", "Ember Bear", "Evilnum", "FIN6", "FIN7", "Higaisa", "Indrik Spider", "Kimsuky", "LazyScripter", "Leafminer", "Molerats", "MoustachedBouncer", "MuddyWater", "Sidewinder", "Silence", "TA505", "Turla"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "APT41", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "Volt Typhoon", "ZIRCONIUM"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "APT41", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Malteiro", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1134.002", "mitre_attack_technique": "Create Process with Token", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Lazarus Group", "Turla"]}, {"mitre_attack_id": "T1574.011", "mitre_attack_technique": "Services Registry Permissions Weakness", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT41", "BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Scattered Spider", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1201", "mitre_attack_technique": "Password Policy Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "OilRig", "Turla"]}, {"mitre_attack_id": "T1550.003", "mitre_attack_technique": "Pass the Ticket", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["APT29", "APT32", "BRONZE BUTLER"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "Malteiro", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT41", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Akira", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Scattered Spider", "Silence", "Threat Group-3390", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070.001", "mitre_attack_technique": "Clear Windows Event Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "APT38", "APT41", "Chimera", "Dragonfly", "FIN5", "FIN8", "Indrik Spider"]}, {"mitre_attack_id": "T1558.004", "mitre_attack_technique": "AS-REP Roasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Initial Access", "Collection", "Discovery", "Credential Access", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Impact", "Lateral Movement"], "datamodels": ["Risk", "Endpoint"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Access LSASS Memory for Dump Creation - Rule", "ESCU - AdsiSearcher Account Discovery - Rule", "ESCU - Attempted Credential Dump From Registry via Reg exe - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Detect Credential Dumping through LSASS access - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - Disable AMSI Through Registry - Rule", "ESCU - Disable Defender BlockAtFirstSeen Feature - Rule", "ESCU - Disable Defender Enhanced Notification - Rule", "ESCU - Disable Defender Spynet Reporting - Rule", "ESCU - Disable Defender Submit Samples Consent Feature - Rule", "ESCU - Disable ETW Through Registry - Rule", "ESCU - Disable Logs Using WevtUtil - Rule", "ESCU - Disable Security Logs Using MiniNt Registry - Rule", "ESCU - Disable UAC Remote Restriction - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Disable Windows SmartScreen Protection - Rule", "ESCU - Disabled Kerberos Pre-Authentication Discovery With Get-ADUser - Rule", "ESCU - Disabling FolderOptions Windows Feature - Rule", "ESCU - Domain Controller Discovery with Nltest - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Extraction of Registry Hives - Rule", "ESCU - Get ADUser with PowerShell - Rule", "ESCU - Get ADUser with PowerShell Script Block - Rule", "ESCU - Get ADUserResultantPasswordPolicy with Powershell - Rule", "ESCU - Get ADUserResultantPasswordPolicy with Powershell Script Block - Rule", "ESCU - Get DomainUser with PowerShell - Rule", "ESCU - Get DomainUser with PowerShell Script Block - Rule", "ESCU - Mimikatz PassTheTicket CommandLine Parameters - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - PowerShell Domain Enumeration - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Remote Process Instantiation via WMI - Rule", "ESCU - Remote WMI Command Attempt - Rule", "ESCU - Rubeus Command Line Parameters - Rule", "ESCU - Rubeus Kerberos Ticket Exports Through Winlogon Access - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Services Escalate Exe - Rule", "ESCU - Services LOLBAS Execution Process Spawn - Rule", "ESCU - Short Lived Scheduled Task - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Suspicious wevtutil Usage - Rule", "ESCU - System User Discovery With Whoami - Rule", "ESCU - Unload Sysmon Filter Driver - Rule", "ESCU - Windows Access Token Manipulation SeDebugPrivilege - Rule", "ESCU - Windows Account Discovery for None Disable User Account - Rule", "ESCU - Windows Account Discovery for Sam Account Name - Rule", "ESCU - Windows Account Discovery With NetUser PreauthNotRequire - Rule", "ESCU - Windows Archive Collected Data via Powershell - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows Credentials from Password Stores Chrome Extension Access - Rule", "ESCU - Windows Disable Notification Center - Rule", "ESCU - Windows Disable Windows Event Logging Disable HTTP Logging - Rule", "ESCU - Windows Disable Windows Group Policy Features Through Registry - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows DISM Remove Defender - Rule", "ESCU - Windows Domain Account Discovery Via Get-NetComputer - Rule", "ESCU - Windows Excessive Disabled Services Event - Rule", "ESCU - Windows Hunting System Account Targeting Lsass - Rule", "ESCU - Windows Impair Defenses Disable Win Defender Auto Logging - Rule", "ESCU - Windows Known GraphicalProton Loaded Modules - Rule", "ESCU - Windows LSA Secrets NoLMhash Registry - Rule", "ESCU - Windows Mimikatz Binary Execution - Rule", "ESCU - Windows Mimikatz Crypto Export File Extensions - Rule", "ESCU - Windows Modify Registry Disable Restricted Admin - Rule", "ESCU - Windows Modify Registry Disable Win Defender Raw Write Notif - Rule", "ESCU - Windows Modify Registry Disable WinDefender Notifications - Rule", "ESCU - Windows Modify Registry Disable Windows Security Center Notif - Rule", "ESCU - Windows Modify Registry DisableSecuritySettings - Rule", "ESCU - Windows Modify Registry Disabling WER Settings - Rule", "ESCU - Windows Modify Registry No Auto Update - Rule", "ESCU - Windows Modify Registry Suppress Win Defender Notif - Rule", "ESCU - Windows Non-System Account Targeting Lsass - Rule", "ESCU - Windows Possible Credential Dumping - Rule", "ESCU - Windows PowerView Constrained Delegation Discovery - Rule", "ESCU - Windows PowerView SPN Discovery - Rule", "ESCU - Windows PowerView Unconstrained Delegation Discovery - Rule", "ESCU - Windows Process Commandline Discovery - Rule", "ESCU - Windows Query Registry Reg Save - Rule", "ESCU - Windows Remote Create Service - Rule", "ESCU - Windows Scheduled Task Created Via XML - Rule", "ESCU - Windows Scheduled Task with Highest Privileges - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows Service Creation on Remote Endpoint - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule", "ESCU - Windows Service Initiation on Remote Endpoint - Rule", "ESCU - Windows Service Stop Win Updates - Rule", "ESCU - Windows System User Privilege Discovery - Rule", "ESCU - Windows WMI Process Call Create - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinRM Spawning a Process - Rule", "ESCU - JetBrains TeamCity RCE Attempt - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Rod Soto, Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Access LSASS Memory for Dump Creation", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "AdsiSearcher Account Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Attempted Credential Dump From Registry via Reg exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}, {"name": "Detect Credential Dumping through LSASS access", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Disable AMSI Through Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Defender BlockAtFirstSeen Feature", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Defender Enhanced Notification", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Defender Spynet Reporting", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Defender Submit Samples Consent Feature", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable ETW Through Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Logs Using WevtUtil", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear Windows Event Logs"}]}, {"name": "Disable Security Logs Using MiniNt Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Disable UAC Remote Restriction", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Windows SmartScreen Protection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disabled Kerberos Pre-Authentication Discovery With Get-ADUser", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "AS-REP Roasting"}]}, {"name": "Disabling FolderOptions Windows Feature", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Domain Controller Discovery with Nltest", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "ETW Registry Disabled", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Blocking"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Extraction of Registry Hives", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Get ADUser with PowerShell", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Get ADUser with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Get ADUserResultantPasswordPolicy with Powershell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Policy Discovery"}]}, {"name": "Get ADUserResultantPasswordPolicy with Powershell Script Block", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Policy Discovery"}]}, {"name": "Get DomainUser with PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Get DomainUser with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Mimikatz PassTheTicket CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Use Alternate Authentication Material"}, {"mitre_attack_technique": "Pass the Ticket"}]}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "PowerShell 4104 Hunting", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "PowerShell Domain Enumeration", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Remote Process Instantiation via WMI", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "Remote WMI Command Attempt", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "Rubeus Command Line Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Use Alternate Authentication Material"}, {"mitre_attack_technique": "Pass the Ticket"}, {"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}, {"mitre_attack_technique": "AS-REP Roasting"}]}, {"name": "Rubeus Kerberos Ticket Exports Through Winlogon Access", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Use Alternate Authentication Material"}, {"mitre_attack_technique": "Pass the Ticket"}]}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Services Escalate Exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Services LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Short Lived Scheduled Task", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Suspicious wevtutil Usage", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Clear Windows Event Logs"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "System User Discovery With Whoami", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Owner/User Discovery"}]}, {"name": "Unload Sysmon Filter Driver", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Access Token Manipulation SeDebugPrivilege", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Create Process with Token"}, {"mitre_attack_technique": "Access Token Manipulation"}]}, {"name": "Windows Account Discovery for None Disable User Account", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}]}, {"name": "Windows Account Discovery for Sam Account Name", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Account Discovery"}]}, {"name": "Windows Account Discovery With NetUser PreauthNotRequire", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Account Discovery"}]}, {"name": "Windows Archive Collected Data via Powershell", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Archive Collected Data"}]}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "System Network Connections Discovery"}, {"mitre_attack_technique": "System Owner/User Discovery"}, {"mitre_attack_technique": "System Shutdown/Reboot"}, {"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows Credentials from Password Stores Chrome Extension Access", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Disable Notification Center", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Disable Windows Event Logging Disable HTTP Logging", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable Windows Event Logging"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}, {"name": "Windows Disable Windows Group Policy Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows DISM Remove Defender", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Domain Account Discovery Via Get-NetComputer", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Account"}]}, {"name": "Windows Excessive Disabled Services Event", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Hunting System Account Targeting Lsass", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Windows Impair Defenses Disable Win Defender Auto Logging", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Known GraphicalProton Loaded Modules", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "Windows LSA Secrets NoLMhash Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSA Secrets"}]}, {"name": "Windows Mimikatz Binary Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Windows Mimikatz Crypto Export File Extensions", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}, {"name": "Windows Modify Registry Disable Restricted Admin", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry Disable Win Defender Raw Write Notif", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry Disable WinDefender Notifications", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry Disable Windows Security Center Notif", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry DisableSecuritySettings", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry Disabling WER Settings", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry No Auto Update", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry Suppress Win Defender Notif", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Non-System Account Targeting Lsass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Windows Possible Credential Dumping", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Windows PowerView Constrained Delegation Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "Windows PowerView SPN Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}]}, {"name": "Windows PowerView Unconstrained Delegation Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "Windows Process Commandline Discovery", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Process Discovery"}]}, {"name": "Windows Query Registry Reg Save", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Remote Create Service", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Windows Scheduled Task Created Via XML", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Windows Scheduled Task with Highest Privileges", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}, {"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Windows Service Creation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Services Registry Permissions Weakness"}]}, {"name": "Windows Service Initiation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Windows Service Stop Win Updates", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Service Stop"}]}, {"name": "Windows System User Privilege Discovery", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Owner/User Discovery"}]}, {"name": "Windows WMI Process Call Create", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "WinRM Spawning a Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}, {"name": "JetBrains TeamCity RCE Attempt", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}]}, {"name": "Cisco IOS XE Software Web Management User Interface vulnerability", "author": "Michael Haag, Splunk", "date": "2023-10-17", "version": 1, "id": "b5394b6a-b774-4bb6-a2bc-98f98cf7be88", "description": "Cisco has identified active exploitation of a previously unknown vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software (CVE-2023-20198) when exposed to the internet or untrusted networks. Successful exploitation of this vulnerability allows an attacker to create an account on the affected device with privilege level 15 access, effectively granting them full control of the compromised device and allowing possible subsequent unauthorized activity.", "references": ["https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/"], "narrative": "Cisco discovered early evidence of potentially malicious activity on September 28, 2023, when a case was opened with Cisco's Technical Assistance Center (TAC) that identified unusual behavior on a customer device. Upon further investigation, they observed what they have determined to be related activity as early as September 18. The activity included an authorized user creating a local user account under the username cisco_tac_admin from a suspicious IP address. On October 12, Cisco Talos Incident Response (Talos IR) and TAC detected what they later determined to be an additional cluster of related activity that began on that same day. In this cluster, an unauthorized user was observed creating a local user account under the name cisco_support from a second suspicious IP address. Unlike the September case, this October activity included several subsequent actions, including the deployment of an implant consisting of a configuration file (cisco_service.conf). The configuration file defines the new web server endpoint (URI path) used to interact with the implant. That endpoint receives certain parameters, described in more detail below, that allows the actor to execute arbitrary commands at the system level or IOS level. For the implant to become active, the web server must be restarted; in at least one observed case the server was not restarted so the implant never became active despite being installed.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Cisco IOS XE Implant Access - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Cisco IOS XE Implant Access", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}]}, {"name": "Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966", "author": "Michael Haag, Splunk", "date": "2023-10-24", "version": 1, "id": "b194d644-4095-431a-bee0-a8e6ec067414", "description": "A critical security update, CVE-2023-4966, has been released for NetScaler ADC and NetScaler Gateway. This vulnerability, discovered by our internal team, can result in unauthorized data disclosure if exploited. Reports of incidents consistent with session hijacking have been received. The Cybersecurity and Infrastructure Security Agency (CISA) has added an entry for CVE-2023-4966 to its Known Exploited and Vulnerabilities Catalog. No workarounds are available for this vulnerability, and immediate installation of the recommended builds is strongly advised.", "references": ["https://www.netscaler.com/blog/news/cve-2023-4966-critical-security-update-now-available-for-netscaler-adc-and-netscaler-gateway/", "https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967", "https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966", "https://github.com/assetnote/exploits/tree/main/citrix/CVE-2023-4966", "https://github.com/projectdiscovery/nuclei-templates/blob/b815d23b908de52996060163091395d1c89fbeea/http/cves/2023/CVE-2023-4966.yaml"], "narrative": "On October 10, 2023, Cloud Software Group released builds to fix CVE-2023-4966, a vulnerability affecting NetScaler ADC and NetScaler Gateway. This vulnerability, if exploited, can lead to unauthorized data disclosure and possibly session hijacking. Although there were no known exploits at the time of disclosure, we have since received credible reports of targeted attacks exploiting this vulnerability. The Cybersecurity and Infrastructure Security Agency (CISA) has added an entry for CVE-2023-4966 to its Known Exploited and Vulnerabilities Catalog, which contains detection and mitigation guidance for observed exploitations of CVE-2023-4966 by threat actors against NetScaler ADC and NetScaler Gateway. We strongly recommend that users of affected builds immediately install the recommended builds, as this vulnerability has been identified as critical. No workarounds are available for this vulnerability.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Citrix ADC and Gateway Unauthorized Data Disclosure - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Citrix ADC and Gateway Unauthorized Data Disclosure", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}]}, {"name": "Citrix Netscaler ADC CVE-2023-3519", "author": "Michael Haag, Splunk", "date": "2023-07-20", "version": 1, "id": "094df1fe-4345-4c01-8a0f-c65cf7b758bd", "description": "The CVE-2023-3519 vulnerability in NetScaler (formerly Citrix) Application Delivery Controller (ADC) and NetScaler Gateway has been exploited by threat actors, as detailed in a recent advisory. The unauthenticated remote code execution vulnerability was utilized as a zero-day to establish a webshell on a non-production environment NetScaler ADC appliance within a critical infrastructure organization. This facilitated the execution of discovery on the victim's active directory and the collection and exfiltration of data. The advisory offers a comprehensive examination of the threat actors' tactics, techniques, and procedures (TTPs), alongside recommended detection methods and incident response guidelines. Immediate patch application from Citrix and the use of the detection guidance in the advisory is strongly recommended for critical infrastructure organizations to mitigate system compromises.", "references": ["https://attackerkb.com/topics/si09VNJhHh/cve-2023-3519", "https://www.cisa.gov/sites/default/files/2023-07/aa23-201a_csa_threat_actors_exploiting_citrix-cve-2023-3519_to_implant_webshells.pdf", "https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467"], "narrative": "Recent advisories have highlighted the exploitation of CVE-2023-3519, a critical vulnerability in Citrix's NetScaler Application Delivery Controller (ADC) and NetScaler Gateway. In June 2023, threat actors utilized this vulnerability to implant a webshell on a NetScaler ADC appliance within a critical infrastructure organization's non-production environment. This action granted them the ability to perform active directory discovery, data collection, and exfiltration. Notably, attempts for lateral movement to a domain controller were obstructed by network-segmentation controls.\nThe compromised organization reported the breach, leading Citrix to issue a patch on July 18, 2023. Multiple advisories have since outlined the threat actors' tactics, techniques, and procedures (TTPs), including their initial access, persistence, privilege escalation, defense evasion, credential access, discovery, collection, command and control, and impact. These advisories also provide detection methods and recommend incident response measures.\nThe threat actors executed several activities during their attack, such as uploading a TGZ file with a generic webshell, discovery script, and setuid binary on the ADC appliance; conducting SMB scanning on the subnet; using the webshell for active directory enumeration and data exfiltration; and accessing NetScaler configuration files and decryption keys. They also decrypted an active directory credential, queried the active directory for various information, encrypted collected data, exfiltrated it as an image file, and attempted to erase their artifacts. Despite these actions, further discovery and lateral movement were impeded due to the organization's network-segmentation controls. \\\nAdvisories suggest conducting specific checks on the ADC shell interface to detect signs of compromise. If a compromise is detected, organizations should isolate potentially affected hosts, reimage compromised hosts, provide new account credentials, collect and review artifacts, and report the compromise. To mitigate the threat, organizations are advised to promptly install the relevant updates for NetScaler ADC and NetScaler Gateway, adhere to cybersecurity best practices, and apply robust network-segmentation controls on NetScaler appliances and other internet-facing devices.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Citrix ADC Exploitation CVE-2023-3519 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Citrix ADC Exploitation CVE-2023-3519", "source": "web", "type": "Hunting", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}]}, {"name": "Citrix ShareFile RCE CVE-2023-24489", "author": "Michael Haag, Splunk", "date": "2023-07-26", "version": 1, "id": "10c7e01a-5743-4995-99df-a66f6b5db653", "description": "A critical vulnerability has been discovered in ShareFile's Storage Zones Controller software (CVE-2023-24489), used by numerous organizations for file sharing and storage. The vulnerability allows unauthenticated arbitrary file upload and remote code execution due to a cryptographic bug in the software's encryption but lack of authentication system. The risk comes from a failing encryption check, allowing potential cybercriminals to upload malicious files to the server. The bug was found in the Documentum Connector's .aspx files. The security risk has a potentially large impact due to the software's wide use and the sensitivity of the stored data. Citrix has released a security update to address this issue.", "references": ["https://www.greynoise.io/blog/introducing-cve-2023-24489-a-critical-citrix-sharefile-rce-vulnerability", "https://blog.assetnote.io/2023/07/04/citrix-sharefile-rce/"], "narrative": "The ShareFile Storage Zones Controller is a .NET web application running under IIS, which manages the storage of files in ShareFile's system. It was discovered that this software has a critical vulnerability (CVE-2023-24489) in the file upload functionality provided by the Documentum Connector's .aspx files. Specifically, the security flaw lies in the encryption check in the file upload process which could be bypassed, allowing for unauthenticated arbitrary file uploads and remote code execution.\nThe application sets the current principal from a session cookie, but if this is missing, the application continues without authentication. The application uses AES encryption, with CBC mode and PKCS#7 padding. A decryption check is in place which returns an error if the decryption fails, but this can be bypassed by supplying a ciphertext that results in valid padding after decryption, thereby not causing an exception.\nThe Documentum Connector's upload.aspx file, when uploading a file, calls the ProcessRawPostedFile function, which allows a path traversal due to improper sanitization of the 'uploadId' parameter. It allows the 'filename' and 'uploadId' parameters to be concatenated, and while the 'filename' parameter is sanitized, the 'uploadId' is not. The 'parentid' parameter is passed in but is also not used.\nThe vulnerability enables an attacker to upload a webshell or any other malicious file, by providing a properly padded encrypted string for the 'parentid' parameter, and specifying the path for the 'uploadId' and the name for the 'filename'. An attacker can achieve remote code execution by requesting the uploaded file. The issue was addressed by Citrix in a recent security update.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "APT5", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}], "mitre_attack_tactics": ["Persistence"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation"]}, "detection_names": ["ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Citrix ShareFile Exploitation CVE-2023-24489 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}, {"name": "Citrix ShareFile Exploitation CVE-2023-24489", "source": "web", "type": "Hunting", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}]}, {"name": "Clop Ransomware", "author": "Rod Soto, Teoderick Contreras, Splunk", "date": "2021-03-17", "version": 1, "id": "5a6f6849-1a26-4fae-aa05-fa730556eeb6", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Clop ransomware, including looking for file writes associated with Clope, encrypting network shares, deleting and resizing shadow volume storage, registry key modification, deleting of security logs, and more.", "references": ["https://www.hhs.gov/sites/default/files/analyst-note-cl0p-tlp-white.pdf", "https://securityaffairs.co/wordpress/115250/data-breach/qualys-clop-ransomware.html", "https://www.darkreading.com/attacks-breaches/qualys-is-the-latest-victim-of-accellion-data-breach/d/d-id/1340323"], "narrative": "Clop ransomware campaigns targeting healthcare and other vertical sectors, involve the use of ransomware payloads along with exfiltration of data per HHS bulletin. Malicious actors demand payment for ransome of data and threaten deletion and exposure of exfiltrated data.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "Akira", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "Scattered Spider", "TA505"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}, {"mitre_attack_id": "T1070.001", "mitre_attack_technique": "Clear Windows Event Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "APT38", "APT41", "Chimera", "Dragonfly", "FIN5", "FIN8", "Indrik Spider"]}], "mitre_attack_tactics": ["Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Impact"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Clop Common Exec Parameter - Rule", "ESCU - Clop Ransomware Known Service Name - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - High Process Termination Frequency - Rule", "ESCU - Process Deleting Its Process File Path - Rule", "ESCU - Ransomware Notes bulk creation - Rule", "ESCU - Resize ShadowStorage volume - Rule", "ESCU - Suspicious Event Log Service Behavior - Rule", "ESCU - Suspicious wevtutil Usage - Rule", "ESCU - Windows Event Log Cleared - Rule", "ESCU - Windows High File Deletion Frequency - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Teoderick Contreras, Splunk", "author_name": "Rod Soto", "detections": [{"name": "Clop Common Exec Parameter", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Clop Ransomware Known Service Name", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "High Process Termination Frequency", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}, {"name": "Process Deleting Its Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Ransomware Notes bulk creation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}, {"name": "Resize ShadowStorage volume", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Suspicious Event Log Service Behavior", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear Windows Event Logs"}]}, {"name": "Suspicious wevtutil Usage", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Clear Windows Event Logs"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Windows Event Log Cleared", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear Windows Event Logs"}]}, {"name": "Windows High File Deletion Frequency", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}]}, {"name": "Cloud Cryptomining", "author": "David Dorsey, Splunk", "date": "2019-10-02", "version": 1, "id": "3b96d13c-fdc7-45dd-b3ad-c132b31cdd2a", "description": "Monitor your cloud compute instances for activities related to cryptojacking/cryptomining. New instances that originate from previously unseen regions, users who launch abnormally high numbers of instances, or compute instances started by previously unseen users are just a few examples of potentially malicious behavior.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "narrative": "Cryptomining is an intentionally difficult, resource-intensive business. Its complexity was designed into the process to ensure that the number of blocks mined each day would remain steady. So, it's par for the course that ambitious, but unscrupulous, miners make amassing the computing power of large enterprises--a practice known as cryptojacking--a top priority.\nCryptojacking has attracted an increasing amount of media attention since its explosion in popularity in the fall of 2017. The attacks have moved from in-browser exploits and mobile phones to enterprise cloud services, such as Amazon Web Services (AWS), Google Cloud Platform (GCP), and Azure. It's difficult to determine exactly how widespread the practice has become, since bad actors continually evolve their ability to escape detection, including employing unlisted endpoints, moderating their CPU usage, and hiding the mining pool's IP address behind a free CDN.\nWhen malicious miners appropriate a cloud instance, often spinning up hundreds of new instances, the costs can become astronomical for the account holder. So it is critically important to monitor your systems for suspicious activities that could indicate that your network has been infiltrated.\nThis Analytic Story is focused on detecting suspicious new instances in your cloud environment to help prevent cryptominers from gaining a foothold. It contains detection searches that will detect when a previously unused instance type or AMI is used. It also contains support searches to build lookup files to ensure proper execution of the detection searches.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Persistence", "Privilege Escalation", "Initial Access", "Defense Evasion"], "datamodels": ["Change"], "kill_chain_phases": ["Installation", "Delivery", "Exploitation"]}, "detection_names": ["ESCU - Abnormally High Number Of Cloud Instances Launched - Rule", "ESCU - Cloud Compute Instance Created By Previously Unseen User - Rule", "ESCU - Cloud Compute Instance Created In Previously Unused Region - Rule", "ESCU - Cloud Compute Instance Created With Previously Unseen Image - Rule", "ESCU - Cloud Compute Instance Created With Previously Unseen Instance Type - Rule"], "investigation_names": ["AWS Investigate Security Hub alerts by dest", "AWS Investigate User Activities By ARN", "Get EC2 Instance Details by instanceId", "Get EC2 Launch Details", "Get Notable History", "Investigate AWS activities via region name"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Abnormally High Number Of Cloud Instances Launched", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}, {"name": "Cloud Compute Instance Created By Previously Unseen User", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}, {"name": "Cloud Compute Instance Created In Previously Unused Region", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}, {"name": "Cloud Compute Instance Created With Previously Unseen Image", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Cloud Compute Instance Created With Previously Unseen Instance Type", "source": "cloud", "type": "Anomaly", "tags": []}]}, {"name": "Cloud Federated Credential Abuse", "author": "Rod Soto, Splunk", "date": "2021-01-26", "version": 1, "id": "cecdc1e7-0af2-4a55-8967-b9ea62c0317d", "description": "This analytical story addresses events that indicate abuse of cloud federated credentials. These credentials are usually extracted from endpoint desktop or servers specially those servers that provide federation services such as Windows Active Directory Federation Services. Identity Federation relies on objects such as Oauth2 tokens, cookies or SAML assertions in order to provide seamless access between cloud and perimeter environments. If these objects are either hijacked or forged then attackers will be able to pivot into victim's cloud environements.", "references": ["https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps", "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", "https://us-cert.cisa.gov/ncas/alerts/aa21-008a"], "narrative": "This story is composed of detection searches based on endpoint that addresses the use of Mimikatz, Escalation of Privileges and Abnormal processes that may indicate the extraction of Federated directory objects such as passwords, Oauth2 tokens, certificates and keys. Cloud environment (AWS, Azure) related events are also addressed in specific cloud environment detection searches.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider", "Scattered Spider"]}, {"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}], "mitre_attack_tactics": ["Initial Access", "Privilege Escalation", "Credential Access", "Persistence", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Delivery", "Exploitation"]}, "detection_names": ["ESCU - AWS SAML Access by Provider User and Principal - Rule", "ESCU - AWS SAML Update identity provider - Rule", "ESCU - O365 Add App Role Assignment Grant User - Rule", "ESCU - O365 Added Service Principal - Rule", "ESCU - O365 Excessive SSO logon errors - Rule", "ESCU - O365 New Federated Domain Added - Rule", "ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Detect Mimikatz Via PowerShell And EventCode 4703 - Rule", "ESCU - Certutil exe certificate extraction - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Rod Soto", "detections": [{"name": "AWS SAML Access by Provider User and Principal", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "AWS SAML Update identity provider", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "O365 Add App Role Assignment Grant User", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}, {"name": "O365 Added Service Principal", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}, {"name": "O365 Excessive SSO logon errors", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Authentication Process"}]}, {"name": "O365 New Federated Domain Added", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}, {"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Detect Mimikatz Via PowerShell And EventCode 4703", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}]}, {"name": "Certutil exe certificate extraction", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Registry Keys Used For Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Image File Execution Options Injection"}, {"mitre_attack_technique": "Event Triggered Execution"}]}]}, {"name": "Cobalt Strike", "author": "Michael Haag, Splunk", "date": "2021-02-16", "version": 1, "id": "bcfd17e8-5461-400a-80a2-3b7d1459220c", "description": "Cobalt Strike is threat emulation software. Red teams and penetration testers use Cobalt Strike to demonstrate the risk of a breach and evaluate mature security programs. Most recently, Cobalt Strike has become the choice tool by threat groups due to its ease of use and extensibility.", "references": ["https://www.cobaltstrike.com/", "https://www.infocyte.com/blog/2020/09/02/cobalt-strike-the-new-favorite-among-thieves/", "https://bluescreenofjeff.com/2017-01-24-how-to-write-malleable-c2-profiles-for-cobalt-strike/", "https://blog.talosintelligence.com/2020/09/coverage-strikes-back-cobalt-strike-paper.html", "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html", "https://github.com/MichaelKoczwara/Awesome-CobaltStrike-Defence", "https://github.com/zer0yu/Awesome-CobaltStrike"], "narrative": "This Analytic Story supports you to detect Tactics, Techniques and Procedures (TTPs) from Cobalt Strike. Cobalt Strike has many ways to be enhanced by using aggressor scripts, malleable C2 profiles, default attack packages, and much more. For endpoint behavior, Cobalt Strike is most commonly identified via named pipes, spawn to processes, and DLL function names. Many additional variables are provided for in memory operation of the beacon implant. On the network, depending on the malleable C2 profile used, it is near infinite in the amount of ways to conceal the C2 traffic with Cobalt Strike. Not every query may be specific to Cobalt Strike the tool, but the methodologies and techniques used by it.\nSplunk Threat Research reviewed all publicly available instances of Malleabe C2 Profiles and generated a list of the most commonly used spawnto and pipenames.\n`Spawnto_x86` and `spawnto_x64` is the process that Cobalt Strike will spawn and injects shellcode into.\nPipename sets the named pipe name used in Cobalt Strikes Beacon SMB C2 traffic.\nWith that, new detections were generated focused on these spawnto processes spawning without command line arguments. Similar, the named pipes most commonly used by Cobalt Strike added as a detection. In generating content for Cobalt Strike, the following is considered:\n- Is it normal for spawnto_ value to have no command line arguments? No command line arguments and a network connection?\n- What is the default, or normal, process lineage for spawnto_ value?\n- Does the spawnto_ value make network connections?\n- Is it normal for spawnto_ value to load jscript, vbscript, Amsi.dll, and clr.dll?\nWhile investigating a detection related to this Analytic Story, keep in mind the parent process, process path, and any file modifications that may occur. Tuning may need to occur to remove any false positives.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "APT5", "Akira", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN13", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1127.001", "mitre_attack_technique": "MSBuild", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}], "mitre_attack_tactics": ["Collection", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion"], "datamodels": ["Network_Traffic", "Endpoint"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - Anomalous usage of 7zip - Rule", "ESCU - CMD Echo Pipe - Escalation - Rule", "ESCU - Cobalt Strike Named Pipes - Rule", "ESCU - Detect Regsvr32 Application Control Bypass - Rule", "ESCU - DLLHost with no Command Line Arguments with Network - Rule", "ESCU - GPUpdate with no Command Line Arguments with Network - Rule", "ESCU - Rundll32 with no Command Line Arguments with Network - Rule", "ESCU - SearchProtocolHost with no Command Line with Network - Rule", "ESCU - Services Escalate Exe - Rule", "ESCU - Suspicious DLLHost no Command Line Arguments - Rule", "ESCU - Suspicious GPUpdate no Command Line Arguments - Rule", "ESCU - Suspicious microsoft workflow compiler rename - Rule", "ESCU - Suspicious msbuild path - Rule", "ESCU - Suspicious MSBuild Rename - Rule", "ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", "ESCU - Suspicious Rundll32 StartW - Rule", "ESCU - Suspicious SearchProtocolHost no Command Line Arguments - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Anomalous usage of 7zip", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}, {"name": "CMD Echo Pipe - Escalation", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Cobalt Strike Named Pipes", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Detect Regsvr32 Application Control Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}, {"name": "DLLHost with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "GPUpdate with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Rundll32 with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "SearchProtocolHost with no Command Line with Network", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Services Escalate Exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Suspicious DLLHost no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Suspicious GPUpdate no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Suspicious microsoft workflow compiler rename", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}]}, {"name": "Suspicious msbuild path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}, {"name": "Suspicious MSBuild Rename", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}, {"name": "Suspicious Rundll32 no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Suspicious Rundll32 StartW", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Suspicious SearchProtocolHost no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}]}, {"name": "ColdRoot MacOS RAT", "author": "Jose Hernandez, Splunk", "date": "2019-01-09", "version": 1, "id": "bd91a2bc-d20b-4f44-a982-1bea98e86390", "description": "Leverage searches that allow you to detect and investigate unusual activities that relate to the ColdRoot Remote Access Trojan that affects MacOS. An example of some of these activities are changing sensative binaries in the MacOS sub-system, detecting process names and executables associated with the RAT, detecting when a keyboard tab is installed on a MacOS machine and more.", "references": ["https://www.intego.com/mac-security-blog/osxcoldroot-and-the-rat-invasion/", "https://objective-see.com/blog/blog_0x2A.html", "https://www.bleepingcomputer.com/news/security/coldroot-rat-still-undetectable-despite-being-uploaded-on-github-two-years-ago/"], "narrative": "Conventional wisdom holds that Apple's MacOS operating system is significantly less vulnerable to attack than Windows machines. While that point is debatable, it is true that attacks against MacOS systems are much less common. However, this fact does not mean that Macs are impervious to breaches. To the contrary, research has shown that that Mac malware is increasing at an alarming rate. According to AV-test, in 2018, there were 86,865 new MacOS malware variants, up from 27,338 the year before—a 31% increase. In contrast, the independent research firm found that new Windows malware had increased from 65.17M to 76.86M during that same period, less than half the rate of growth. The bottom line is that while the numbers look a lot smaller than Windows, it's definitely time to take Mac security more seriously.\nThis Analytic Story addresses the ColdRoot remote access trojan (RAT), which was uploaded to Github in 2016, but was still escaping detection by the first quarter of 2018, when a new, more feature-rich variant was discovered masquerading as an Apple audio driver. Among other capabilities, the Pascal-based ColdRoot can heist passwords from users' keychains and remotely control infected machines without detection. In the initial report of his findings, Patrick Wardle, Chief Research Officer for Digita Security, explained that the new ColdRoot RAT could start and kill processes on the breached system, spawn new remote-desktop sessions, take screen captures and assemble them into a live stream of the victim's desktop, and more.\nSearches in this Analytic Story leverage the capabilities of OSquery to address ColdRoot detection from several different angles, such as looking for the existence of associated files and processes, and monitoring for signs of an installed keylogger.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Osquery pack - ColdRoot detection - Rule", "ESCU - MacOS - Re-opened Applications - Rule", "ESCU - Processes Tapping Keyboard Events - Rule"], "investigation_names": ["Get Notable History", "Investigate Network Traffic From src ip"], "baseline_names": [], "author_company": "Splunk", "author_name": "Jose Hernandez", "detections": [{"name": "Osquery pack - ColdRoot detection", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "MacOS - Re-opened Applications", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Processes Tapping Keyboard Events", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Collection and Staging", "author": "Rico Valdez, Splunk", "date": "2020-02-03", "version": 1, "id": "8e03c61e-13c4-4dcd-bfbe-5ce5a8dc031a", "description": "Monitor for and investigate activities--such as suspicious writes to the Windows Recycling Bin or email servers sending high amounts of traffic to specific hosts, for example--that may indicate that an adversary is harvesting and exfiltrating sensitive data. ", "references": ["https://attack.mitre.org/wiki/Collection", "https://attack.mitre.org/wiki/Technique/T1074"], "narrative": "A common adversary goal is to identify and exfiltrate data of value from a target organization. This data may include email conversations and addresses, confidential company information, links to network design/infrastructure, important dates, and so on.\nAttacks are composed of three activities: identification, collection, and staging data for exfiltration. Identification typically involves scanning systems and observing user activity. Collection can involve the transfer of large amounts of data from various repositories. Staging/preparation includes moving data to a central location and compressing (and optionally encoding and/or encrypting) it. All of these activities provide opportunities for defenders to identify their presence.\nUse the searches to detect and monitor suspicious behavior related to these activities.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1114", "mitre_attack_technique": "Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Magic Hound", "Silent Librarian"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "APT5", "Akira", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN13", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1114.002", "mitre_attack_technique": "Remote Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "Chimera", "Dragonfly", "FIN4", "HAFNIUM", "Ke3chang", "Kimsuky", "Leafminer", "Magic Hound"]}, {"mitre_attack_id": "T1114.001", "mitre_attack_technique": "Local Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "Chimera", "Magic Hound"]}], "mitre_attack_tactics": ["Collection", "Defense Evasion"], "datamodels": ["Network_Traffic", "Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Email files written outside of the Outlook directory - Rule", "ESCU - Email servers sending high volume traffic to hosts - Rule", "ESCU - Suspicious writes to System Volume Information - Rule", "ESCU - Detect Renamed 7-Zip - Rule", "ESCU - Detect Renamed WinRAR - Rule", "ESCU - Suspicious writes to windows Recycle Bin - Rule", "ESCU - Hosts receiving high volume of network traffic from email server - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Email files written outside of the Outlook directory", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Email Collection"}, {"mitre_attack_technique": "Local Email Collection"}]}, {"name": "Email servers sending high volume traffic to hosts", "source": "application", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Email Collection"}, {"mitre_attack_technique": "Remote Email Collection"}]}, {"name": "Suspicious writes to System Volume Information", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Detect Renamed 7-Zip", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}, {"name": "Detect Renamed WinRAR", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}, {"name": "Suspicious writes to windows Recycle Bin", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Hosts receiving high volume of network traffic from email server", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Email Collection"}, {"mitre_attack_technique": "Email Collection"}]}]}, {"name": "Command And Control", "author": "Rico Valdez, Splunk", "date": "2018-06-01", "version": 1, "id": "943773c6-c4de-4f38-89a8-0b92f98804d8", "description": "Detect and investigate tactics, techniques, and procedures leveraged by attackers to establish and operate Command And Control channels. Implants installed by attackers on compromised endpoints use these channels to receive instructions and send data back to the malicious operators.", "references": ["https://attack.mitre.org/wiki/Command_and_Control", "https://searchsecurity.techtarget.com/feature/Command-and-control-servers-The-puppet-masters-that-govern-malware"], "narrative": "Threat actors typically architect and implement an infrastructure to use in various ways during the course of their attack campaigns. In some cases, they leverage this infrastructure for scanning and performing reconnaissance activities. In others, they may use this infrastructure to launch actual attacks. One of the most important functions of this infrastructure is to establish servers that will communicate with implants on compromised endpoints. These servers establish a command and control channel that is used to proxy data between the compromised endpoint and the attacker. These channels relay commands from the attacker to the compromised endpoint and the output of those commands back to the attacker.\nBecause this communication is so critical for an adversary, they often use techniques designed to hide the true nature of the communications. There are many different techniques used to establish and communicate over these channels. This Analytic Story provides searches that look for a variety of the techniques used for these channels, as well as indications that these channels are active, by examining logs associated with border control devices and network-access control lists.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1219", "mitre_attack_technique": "Remote Access Software", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Akira", "Carbanak", "Cobalt Group", "DarkVishnya", "Evilnum", "FIN7", "GOLD SOUTHFIELD", "Kimsuky", "MuddyWater", "Mustang Panda", "RTM", "Sandworm Team", "Scattered Spider", "TeamTNT", "Thrip"]}, {"mitre_attack_id": "T1071.004", "mitre_attack_technique": "DNS", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT39", "APT41", "Chimera", "Cobalt Group", "FIN7", "Ke3chang", "LazyScripter", "OilRig", "Tropic Trooper"]}, {"mitre_attack_id": "T1090.003", "mitre_attack_technique": "Multi-hop Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT28", "APT29", "FIN4", "Inception", "Leviathan"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1568.002", "mitre_attack_technique": "Domain Generation Algorithms", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "TA551"]}, {"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "Mustard Tempest", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}, {"mitre_attack_id": "T1095", "mitre_attack_technique": "Non-Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT3", "BITTER", "BackdoorDiplomacy", "FIN6", "HAFNIUM", "Metador", "PLATINUM", "ToddyCat"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Magic Hound", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "Cinnamon Tempest", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "MoustachedBouncer", "POLONIUM", "Sandworm Team", "Turla", "Volt Typhoon", "Windigo"]}], "mitre_attack_tactics": ["Initial Access", "Command And Control", "Exfiltration"], "datamodels": ["Network_Traffic", "Endpoint", "Network_Resolution"], "kill_chain_phases": ["Delivery", "Actions on Objectives", "Command and Control"]}, "detection_names": ["ESCU - Detect Spike in blocked Outbound Traffic from your AWS - Rule", "ESCU - Clients Connecting to Multiple DNS Servers - Rule", "ESCU - Detect Long DNS TXT Record Response - Rule", "ESCU - Detection of DNS Tunnels - Rule", "ESCU - DNS Query Requests Resolved by Unauthorized DNS Servers - Rule", "ESCU - Detect Remote Access Software Usage File - Rule", "ESCU - Detect Remote Access Software Usage FileInfo - Rule", "ESCU - Detect Remote Access Software Usage Process - Rule", "ESCU - DNS Exfiltration Using Nslookup App - Rule", "ESCU - Excessive Usage of NSLOOKUP App - Rule", "ESCU - Windows Remote Access Software Hunt - Rule", "ESCU - Detect DGA domains using pretrained model in DSDL - Rule", "ESCU - Detect DNS Data Exfiltration using pretrained model in DSDL - Rule", "ESCU - Detect hosts connecting to dynamic domain providers - Rule", "ESCU - Detect Large Outbound ICMP Packets - Rule", "ESCU - Detect Remote Access Software Usage DNS - Rule", "ESCU - Detect Remote Access Software Usage Traffic - Rule", "ESCU - Detect suspicious DNS TXT records using pretrained model in DSDL - Rule", "ESCU - DNS Query Length Outliers - MLTK - Rule", "ESCU - DNS Query Length With High Standard Deviation - Rule", "ESCU - Excessive DNS Failures - Rule", "ESCU - Multiple Archive Files Http Post Traffic - Rule", "ESCU - Plain HTTP POST Exfiltrated Data - Rule", "ESCU - Prohibited Network Traffic Allowed - Rule", "ESCU - Protocol or Port Mismatch - Rule", "ESCU - TOR Traffic - Rule", "ESCU - Detect Remote Access Software Usage URL - Rule"], "investigation_names": ["AWS Investigate User Activities By ARN", "AWS Network ACL Details from ID", "AWS Network Interface details via resourceId", "Get All AWS Activity From IP Address", "Get DNS Server History for a host", "Get DNS traffic ratio", "Get Notable History", "Get Parent Process Info", "Get Process Info", "Get Process Information For Port Activity", "Get Process Responsible For The DNS Traffic"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Detect Spike in blocked Outbound Traffic from your AWS", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Clients Connecting to Multiple DNS Servers", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}, {"name": "Detect Long DNS TXT Record Response", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}, {"name": "Detection of DNS Tunnels", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}, {"name": "DNS Query Requests Resolved by Unauthorized DNS Servers", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "DNS"}]}, {"name": "Detect Remote Access Software Usage File", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}, {"name": "Detect Remote Access Software Usage FileInfo", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}, {"name": "Detect Remote Access Software Usage Process", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}, {"name": "DNS Exfiltration Using Nslookup App", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}, {"name": "Excessive Usage of NSLOOKUP App", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}, {"name": "Windows Remote Access Software Hunt", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}, {"name": "Detect DGA domains using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Domain Generation Algorithms"}]}, {"name": "Detect DNS Data Exfiltration using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}, {"name": "Detect hosts connecting to dynamic domain providers", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Drive-by Compromise"}]}, {"name": "Detect Large Outbound ICMP Packets", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Non-Application Layer Protocol"}]}, {"name": "Detect Remote Access Software Usage DNS", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}, {"name": "Detect Remote Access Software Usage Traffic", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}, {"name": "Detect suspicious DNS TXT records using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Domain Generation Algorithms"}]}, {"name": "DNS Query Length Outliers - MLTK", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "DNS"}, {"mitre_attack_technique": "Application Layer Protocol"}]}, {"name": "DNS Query Length With High Standard Deviation", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}, {"name": "Excessive DNS Failures", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "DNS"}, {"mitre_attack_technique": "Application Layer Protocol"}]}, {"name": "Multiple Archive Files Http Post Traffic", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}, {"name": "Plain HTTP POST Exfiltrated Data", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}, {"name": "Prohibited Network Traffic Allowed", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}, {"name": "Protocol or Port Mismatch", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}, {"name": "TOR Traffic", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Multi-hop Proxy"}]}, {"name": "Detect Remote Access Software Usage URL", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}]}, {"name": "Compromised User Account", "author": "Mauricio Velazco, Bhavin Patel, Splunk", "date": "2023-01-19", "version": 1, "id": "19669154-e9d1-4a01-b144-e6592a078092", "description": "Monitor for activities and techniques associated with Compromised User Account attacks.", "references": ["https://www.proofpoint.com/us/threat-reference/compromised-account"], "narrative": "Compromised User Account occurs when cybercriminals gain unauthorized access to accounts by using different techniques like brute force, social engineering, phishing & spear phishing, credential stuffing, etc. By posing as the real user, cyber-criminals can change account details, send out phishing emails, steal financial information or sensitive data, or use any stolen information to access further accounts within the organization. This analytic story groups detections that can help security operations teams identify the potential signs of Compromised User Accounts.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1098.005", "mitre_attack_technique": "Device Registration", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1556.006", "mitre_attack_technique": "Multi-Factor Authentication", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["Scattered Spider"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1201", "mitre_attack_technique": "Password Policy Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}, {"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1185", "mitre_attack_technique": "Browser Session Hijacking", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1110.001", "mitre_attack_technique": "Password Guessing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29"]}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["FIN13"]}], "mitre_attack_tactics": ["Initial Access", "Collection", "Resource Development", "Discovery", "Privilege Escalation", "Credential Access", "Persistence", "Defense Evasion"], "datamodels": ["Authentication", "Change"], "kill_chain_phases": ["Delivery", "Installation", "Weaponization", "Exploitation"]}, "detection_names": ["ESCU - PingID Mismatch Auth Source and Verification Response - Rule", "ESCU - PingID Multiple Failed MFA Requests For User - Rule", "ESCU - PingID New MFA Method After Credential Reset - Rule", "ESCU - PingID New MFA Method Registered For User - Rule", "ESCU - Abnormally High Number Of Cloud Infrastructure API Calls - Rule", "ESCU - ASL AWS Concurrent Sessions From Different Ips - Rule", "ESCU - AWS Concurrent Sessions From Different Ips - Rule", "ESCU - AWS Console Login Failed During MFA Challenge - Rule", "ESCU - AWS High Number Of Failed Authentications For User - Rule", "ESCU - AWS High Number Of Failed Authentications From Ip - Rule", "ESCU - AWS Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - AWS Password Policy Changes - Rule", "ESCU - AWS Successful Console Authentication From Multiple IPs - Rule", "ESCU - Azure AD Concurrent Sessions From Different Ips - Rule", "ESCU - Azure AD High Number Of Failed Authentications For User - Rule", "ESCU - Azure AD High Number Of Failed Authentications From Ip - Rule", "ESCU - Azure AD New MFA Method Registered For User - Rule", "ESCU - Azure AD Successful Authentication From Different Ips - Rule", "ESCU - Detect AWS Console Login by User from New City - Rule", "ESCU - Detect AWS Console Login by User from New Country - Rule", "ESCU - Detect AWS Console Login by User from New Region - Rule", "ESCU - ASL AWS Password Policy Changes - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Bhavin Patel, Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "PingID Mismatch Auth Source and Verification Response", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}, {"mitre_attack_technique": "Multi-Factor Authentication"}, {"mitre_attack_technique": "Device Registration"}]}, {"name": "PingID Multiple Failed MFA Requests For User", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "PingID New MFA Method After Credential Reset", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}, {"mitre_attack_technique": "Multi-Factor Authentication"}, {"mitre_attack_technique": "Device Registration"}]}, {"name": "PingID New MFA Method Registered For User", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}, {"mitre_attack_technique": "Multi-Factor Authentication"}, {"mitre_attack_technique": "Device Registration"}]}, {"name": "Abnormally High Number Of Cloud Infrastructure API Calls", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}, {"name": "ASL AWS Concurrent Sessions From Different Ips", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Browser Session Hijacking"}]}, {"name": "AWS Concurrent Sessions From Different Ips", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Browser Session Hijacking"}]}, {"name": "AWS Console Login Failed During MFA Challenge", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}, {"name": "AWS High Number Of Failed Authentications For User", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Policy Discovery"}]}, {"name": "AWS High Number Of Failed Authentications From Ip", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}, {"name": "AWS Multiple Users Failing To Authenticate From Ip", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}, {"name": "AWS Password Policy Changes", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Password Policy Discovery"}]}, {"name": "AWS Successful Console Authentication From Multiple IPs", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}, {"name": "Azure AD Concurrent Sessions From Different Ips", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Browser Session Hijacking"}]}, {"name": "Azure AD High Number Of Failed Authentications For User", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Guessing"}]}, {"name": "Azure AD High Number Of Failed Authentications From Ip", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Guessing"}, {"mitre_attack_technique": "Password Spraying"}]}, {"name": "Azure AD New MFA Method Registered For User", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Authentication Process"}, {"mitre_attack_technique": "Multi-Factor Authentication"}]}, {"name": "Azure AD Successful Authentication From Different Ips", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Guessing"}, {"mitre_attack_technique": "Password Spraying"}]}, {"name": "Detect AWS Console Login by User from New City", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}, {"name": "Detect AWS Console Login by User from New Country", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}, {"name": "Detect AWS Console Login by User from New Region", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}, {"name": "ASL AWS Password Policy Changes", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "Password Policy Discovery"}]}]}, {"name": "Confluence Data Center and Confluence Server Vulnerabilities", "author": "Michael Haag, Splunk", "date": "2024-01-22", "version": 1, "id": "509387a5-ab53-4656-8bb5-4bc8c2c074d9", "description": "The following analytic story covers use cases for detecting and investigating potential attacks against Confluence Data Center and Confluence Server.", "references": ["https://confluence.atlassian.com/security/cve-2023-22527-rce-remote-code-execution-vulnerability-in-confluence-data-center-and-confluence-server-1333990257.html"], "narrative": "The analytic story of Confluence Data Center and Confluence Server encompasses a comprehensive approach to safeguarding these platforms from a variety of threats. By leveraging the analytics created in the project, security teams are equipped to detect, investigate, and respond to potential attacks that target Confluence environments.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Web"], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - Confluence Data Center and Server Privilege Escalation - Rule", "ESCU - Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527 - Rule", "ESCU - Confluence Unauthenticated Remote Code Execution CVE-2022-26134 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Confluence Data Center and Server Privilege Escalation", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}, {"name": "Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}, {"name": "Confluence Unauthenticated Remote Code Execution CVE-2022-26134", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}]}, {"name": "ConnectWise ScreenConnect Vulnerabilities", "author": "Michael Haag, Splunk", "date": "2024-02-21", "version": 1, "id": "fbee3185-748c-40d8-a60c-c2e2c9eb738b", "description": "This analytic story provides a comprehensive overview of the ConnectWise ScreenConnect vulnerabilities.", "references": ["https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass", "https://www.huntress.com/blog/detection-guidance-for-connectwise-cwe-288-2", "https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8"], "narrative": "The following analytic story includes content for recently disclosed CWE-288 Authentication Bypass and CWE-22 Path Traversal. The vulnerabilities, identified as critical with CVSS scores of 10 and 9.8, respectively, enable unauthorized users to bypass authentication and perform path traversal attacks on affected ScreenConnect instances. The analytic story includes detection analytics for both vulnerabilities, which are crucial for identifying and responding to active exploitation in environments running affected versions of ScreenConnect (23.9.7 and prior). It is recommended to update to version 23.9.8 or above immediately to remediate the issues, as detailed in the ConnectWise security advisory and further analyzed by Huntress researchers. The analytic story also includes guidance on how to implement the detection analytics, known false positives, and references to additional resources for further analysis and remediation.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Web", "Endpoint"], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - ConnectWise ScreenConnect Path Traversal - Rule", "ESCU - ConnectWise ScreenConnect Path Traversal Windows SACL - Rule", "ESCU - ConnectWise ScreenConnect Authentication Bypass - Rule", "ESCU - Nginx ConnectWise ScreenConnect Authentication Bypass - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "ConnectWise ScreenConnect Path Traversal", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}, {"name": "ConnectWise ScreenConnect Path Traversal Windows SACL", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}, {"name": "ConnectWise ScreenConnect Authentication Bypass", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}, {"name": "Nginx ConnectWise ScreenConnect Authentication Bypass", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}]}, {"name": "Credential Dumping", "author": "Rico Valdez, Splunk", "date": "2020-02-04", "version": 3, "id": "854d78bf-d0e2-4f4e-b05c-640905f86d7a", "description": "Uncover activity consistent with credential dumping, a technique wherein attackers compromise systems and attempt to obtain and exfiltrate passwords. The threat actors use these pilfered credentials to further escalate privileges and spread throughout a target environment. The included searches in this Analytic Story are designed to identify attempts to credential dumping.", "references": ["https://attack.mitre.org/wiki/Technique/T1003", "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html"], "narrative": "Credential dumping—gathering credentials from a target system, often hashed or encrypted—is a common attack technique. Even though the credentials may not be in plain text, an attacker can still exfiltrate the data and set to cracking it offline, on their own systems. The threat actors target a variety of sources to extract them, including the Security Accounts Manager (SAM), Local Security Authority (LSA), NTDS from Domain Controllers, or the Group Policy Preference (GPP) files.\nOnce attackers obtain valid credentials, they use them to move throughout a target network with ease, discovering new systems and identifying assets of interest. Credentials obtained in this manner typically include those of privileged users, which may provide access to more sensitive information and system operations.\nThe detection searches in this Analytic Story monitor access to the Local Security Authority Subsystem Service (LSASS) process, the usage of shadowcopies for credential dumping and some other techniques for credential dumping.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003.006", "mitre_attack_technique": "DCSync", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Earth Lusca", "LAPSUS$"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003.003", "mitre_attack_technique": "NTDS", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "HAFNIUM", "Ke3chang", "LAPSUS$", "Mustang Panda", "Sandworm Team", "Scattered Spider", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.003", "mitre_attack_technique": "Local Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT32", "FIN10", "FIN7", "HAFNIUM", "Kimsuky", "PROMETHIUM", "Tropic Trooper", "Turla"]}, {"mitre_attack_id": "T1552.001", "mitre_attack_technique": "Credentials In Files", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "FIN13", "Fox Kitten", "Kimsuky", "Leafminer", "MuddyWater", "OilRig", "Scattered Spider", "TA505", "TeamTNT"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}], "mitre_attack_tactics": ["Initial Access", "Credential Access", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion"], "datamodels": ["Authentication", "Endpoint", "Change"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation"]}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Dump LSASS via procdump Rename - Rule", "ESCU - Unsigned Image Loaded by LSASS - Rule", "ESCU - Access LSASS Memory for Dump Creation - Rule", "ESCU - Attempted Credential Dump From Registry via Reg exe - Rule", "ESCU - Create Remote Thread into LSASS - Rule", "ESCU - Creation of lsass Dump with Taskmgr - Rule", "ESCU - Creation of Shadow Copy - Rule", "ESCU - Creation of Shadow Copy with wmic and powershell - Rule", "ESCU - Credential Dumping via Copy Command from Shadow Copy - Rule", "ESCU - Credential Dumping via Symlink to Shadow Copy - Rule", "ESCU - Detect Copy of ShadowCopy with Script Block Logging - Rule", "ESCU - Detect Credential Dumping through LSASS access - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Dump LSASS via procdump - Rule", "ESCU - Enable WDigest UseLogonCredential Registry - Rule", "ESCU - Esentutl SAM Copy - Rule", "ESCU - Extraction of Registry Hives - Rule", "ESCU - Ntdsutil Export NTDS - Rule", "ESCU - Potential password in username - Rule", "ESCU - SAM Database File Access Attempt - Rule", "ESCU - SecretDumps Offline NTDS Dumping Tool - Rule", "ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule", "ESCU - Windows AD Replication Request Initiated by User Account - Rule", "ESCU - Windows AD Replication Request Initiated from Unsanctioned Location - Rule", "ESCU - Windows Credential Dumping LSASS Memory Createdump - Rule", "ESCU - Windows Hunting System Account Targeting Lsass - Rule", "ESCU - Windows Mimikatz Binary Execution - Rule", "ESCU - Windows Non-System Account Targeting Lsass - Rule", "ESCU - Windows Possible Credential Dumping - Rule"], "investigation_names": ["Investigate Failed Logins for Multiple Destinations", "Investigate Pass the Hash Attempts", "Investigate Pass the Ticket Attempts", "Investigate Previous Unseen User"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Dump LSASS via procdump Rename", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "LSASS Memory"}]}, {"name": "Unsigned Image Loaded by LSASS", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}]}, {"name": "Access LSASS Memory for Dump Creation", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Attempted Credential Dump From Registry via Reg exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Create Remote Thread into LSASS", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Creation of lsass Dump with Taskmgr", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Creation of Shadow Copy", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Creation of Shadow Copy with wmic and powershell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Credential Dumping via Copy Command from Shadow Copy", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Credential Dumping via Symlink to Shadow Copy", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Detect Copy of ShadowCopy with Script Block Logging", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Detect Credential Dumping through LSASS access", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Dump LSASS via procdump", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Enable WDigest UseLogonCredential Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Esentutl SAM Copy", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Extraction of Registry Hives", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Ntdsutil Export NTDS", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Potential password in username", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Local Accounts"}, {"mitre_attack_technique": "Credentials In Files"}]}, {"name": "SAM Database File Access Attempt", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "SecretDumps Offline NTDS Dumping Tool", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Windows AD Replication Request Initiated by User Account", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "DCSync"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Windows AD Replication Request Initiated from Unsanctioned Location", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "DCSync"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Windows Credential Dumping LSASS Memory Createdump", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}]}, {"name": "Windows Hunting System Account Targeting Lsass", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Windows Mimikatz Binary Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Windows Non-System Account Targeting Lsass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Windows Possible Credential Dumping", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}]}, {"name": "CrushFTP Vulnerabilities", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 1, "id": "933df821-3b75-4669-a58a-e85d2cd7b9b0", "description": "CVE-2024-4040 identifies a critical server-side template injection vulnerability in all versions of CrushFTP prior to 10.7.1 and 11.1.0, allowing unauthenticated remote attackers to execute arbitrary code, bypass authentication, and access files outside of the VFS Sandbox.", "references": ["https://github.com/airbus-cert/CVE-2024-4040", "https://www.bleepingcomputer.com/news/security/crushftp-warns-users-to-patch-exploited-zero-day-immediately/"], "narrative": "CVE-2024-4040 exposes a severe server-side template injection vulnerability in all versions of CrushFTP prior to 10.7.1 and 11.1.0. This critical flaw allows unauthenticated remote attackers to execute arbitrary code, bypass authentication mechanisms, and access files outside of the VFS Sandbox. The vulnerability was urgently addressed by CrushFTP with a patch after it was actively exploited in the wild, highlighting the necessity for immediate updates to secure server environments. Users operating behind a DMZ are reported to have an additional layer of protection against this exploit. The discovery and subsequent reporting of this vulnerability by Simon Garrelou of Airbus CERT prompted a swift response from CrushFTP, underscoring the critical nature of the flaw and the potential risks associated with delayed patching. This incident serves as a stark reminder of the importance of maintaining up-to-date software to defend against evolving cybersecurity threats.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - CrushFTP Server Side Template Injection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "CrushFTP Server Side Template Injection", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}]}, {"name": "CVE-2022-40684 Fortinet Appliance Auth bypass", "author": "Michael Haag, Splunk", "date": "2022-10-14", "version": 1, "id": "55721831-577e-41be-beef-bdc03c81486a", "description": "Fortinet recently patched a critical authentication bypass vulnerability in their FortiOS, FortiProxy, and FortiSwitchManager projects CVE-2022-40684.", "references": ["https://www.wordfence.com/blog/2022/10/threat-advisory-cve-2022-40684-fortinet-appliance-auth-bypass/", "https://www.horizon3.ai/fortios-fortiproxy-and-fortiswitchmanager-authentication-bypass-technical-deep-dive-cve-2022-40684/", "https://github.com/horizon3ai/CVE-2022-40684", "https://attackerkb.com/topics/QWOxGIKkGx/cve-2022-40684/rapid7-analysis", "https://www.greynoise.io/blog/fortios-authentication-bypass"], "narrative": "FortiOS exposes a management web portal that allows a user configure the system. Additionally, a user can SSH into the system which exposes a locked down CLI interface. Any HTTP requests to the management interface of the system that match the conditions above should be cause for concern. An attacker can use this vulnerability to do just about anything they want to the vulnerable system. This includes changing network configurations, adding new users, and initiating packet captures. Note that this is not the only way to exploit this vulnerability and there may be other sets of conditions that work. For instance, a modified version of this exploit uses the User-Agent Node.js. This exploit seems to follow a trend among recently discovered enterprise software vulnerabilities where HTTP headers are improperly validated or overly trusted. (ref Horizon3.ai)", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Fortinet Appliance Auth bypass - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Fortinet Appliance Auth bypass", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}]}, {"name": "CVE-2023-21716 Word RTF Heap Corruption", "author": "Michael Haag, Splunk", "date": "2023-03-10", "version": 1, "id": "b1aeaf2c-8496-42e7-b2f7-15c328bc75d9", "description": "A proof-of-concept for CVE-2023-21716, a critical vulnerability in Microsoft Word that allows remote code execution utilizing a heap corruption in rich text files.", "references": ["https://www.bleepingcomputer.com/news/security/proof-of-concept-released-for-critical-microsoft-word-rce-bug/"], "narrative": "This analytic story covers content that will assist organizations in identifying potential RTF RCE abuse on endpoints. The vulnerability was assigned a 9.8 out of 10 severity score, with Microsoft addressing it in the February Patch Tuesday security updates along with a couple of workarounds. Security researcher Joshua Drake last year discovered the vulnerability in Microsoft Office''s \"wwlib.dll\" and sent Microsoft a technical advisory containing proof-of-concept (PoC) code showing the issue is exploitable. A remote attacker could potentially take advantage of the issue to execute code with the same privileges as the victim that opens a malicious .RTF document. Delivering the malicious file to a victim can be as easy as an attachment to an email, although plenty of other methods exist. Microsoft warns that users don''t have to open a malicious RTF document and simply loading the file in the Preview Pane is enough for the compromise to start. (BleepingComputer, 2023)", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - Office Application Drop Executable - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Winword Spawning Cmd - Rule", "ESCU - Winword Spawning PowerShell - Rule", "ESCU - Winword Spawning Windows Script Host - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Office Application Drop Executable", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Winword Spawning Cmd", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Winword Spawning PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Winword Spawning Windows Script Host", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}]}, {"name": "CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server", "author": "Michael Haag, Splunk", "date": "2023-10-04", "version": 1, "id": "ead8eb10-9e7c-4a07-a44c-c6e73997a1a3", "description": "On October 4, 2023, Atlassian disclosed a critical privilege escalation vulnerability, CVE-2023-22515, affecting on-premises instances of Confluence Server and Confluence Data Center. This flaw might allow external attackers to exploit accessible Confluence instances, creating unauthorized Confluence administrator accounts. Indicators suggest the vulnerability is remotely exploitable. The affected versions range from 8.0.0 to 8.5.1, but versions prior to 8.0.0 and Atlassian Cloud sites are unaffected. Atlassian advises customers to update to a fixed version or implement mitigation strategies. Indicators of compromise (IoCs) and mitigation steps, such as blocking access to /setup/* endpoints, are provided.", "references": ["https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html", "https://www.rapid7.com/blog/post/2023/10/04/etr-cve-2023-22515-zero-day-privilege-escalation-in-confluence-server-and-data-center/"], "narrative": "Upon Atlassian's disclosure of CVE-2023-22515, there's an immediate need to assess the threat landscape of on-premises Confluence installations. As the vulnerability affects privilege escalation and may be exploited remotely, SIEM solutions should be poised to detect potential threats.\nBy monitoring for specific indicators of compromise, security teams can get ahead of any potential breaches. Key indicators include unexpected members in the 'confluence-administrator' group, newly created user accounts, and specific HTTP requests to /setup/*.action endpoints. Any unusual spikes or patterns associated with these indicators might signify an ongoing or attempted exploitation.\nFurthermore, an audit trail of past logs is essential. Analyzing older logs might uncover any unnoticed exploitation, allowing for a post-incident analysis and ensuring affected systems are patched or isolated. An alert mechanism should be established for any access or changes related to /setup/* endpoints.\nIn parallel, updating the affected Confluence Server and Data Center versions to the fixed releases is paramount. If immediate updates aren't feasible, interim mitigation measures, such as blocking external network access to /setup/*, should be implemented, and logs around this activity should be monitored.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Web"], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - Confluence CVE-2023-22515 Trigger Vulnerability - Rule", "ESCU - Confluence Data Center and Server Privilege Escalation - Rule", "ESCU - Web Remote ShellServlet Access - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Confluence CVE-2023-22515 Trigger Vulnerability", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}, {"name": "Confluence Data Center and Server Privilege Escalation", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}, {"name": "Web Remote ShellServlet Access", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}]}, {"name": "CVE-2023-23397 Outlook Elevation of Privilege", "author": "Michael Haag, Splunk", "date": "2023-03-15", "version": 1, "id": "b459911b-551f-480f-a402-18cf89ca1e9c", "description": "Microsoft has released CVE-2023-23397 to address the critical elevation of privilege (EoP) vulnerability affecting Microsoft Outlook for Windows.", "references": ["https://twitter.com/ACEResponder/status/1636116096506818562?s=20", "https://twitter.com/domchell/status/1635999068282408962?s=20", "https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/", "https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/"], "narrative": "Microsoft Threat Intelligence discovered limited, targeted abuse of a vulnerability in Microsoft Outlook for Windows that allows for new technology LAN manager (NTLM) credential theft. Microsoft has released CVE-2023-23397 to address the critical elevation of privilege (EoP) vulnerability affecting Microsoft Outlook for Windows. We strongly recommend all customers update Microsoft Outlook for Windows to remain secure. CVE-2023-23397 is a critical EoP vulnerability in Microsoft Outlook that is triggered when an attacker sends a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server. No user interaction is required. The connection to the remote SMB server sends the user''s NTLM negotiation message, which the attacker can then relay for authentication against other systems that support NTLM authentication. Online services such as Microsoft 365 do not support NTLM authentication and are not vulnerable to being attacked by these messages. (2023, Microsoft)", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}], "mitre_attack_tactics": ["Exfiltration"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives"]}, "detection_names": ["ESCU - Windows Rundll32 WebDAV Request - Rule", "ESCU - Windows Rundll32 WebDav With Network Connection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Rundll32 WebDAV Request", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}, {"name": "Windows Rundll32 WebDav With Network Connection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}]}, {"name": "CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "author": "Michael Haag, Splunk", "date": "2023-07-11", "version": 1, "id": "dd7fb691-63d6-47ad-9a7f-1b9005cefad2", "description": "CVE-2023-36884 is an unpatched zero-day vulnerability affecting Windows and Microsoft Office products. The vulnerability allows for remote code execution through specially crafted Microsoft Office documents, enabling an attacker to operate in the context of the victim. As of now, there are no security updates available. However, users of Microsoft Defender for Office and the \"Block all Office applications from creating child processes\" Attack Surface Reduction Rule are safeguarded against this exploit. For other users, temporary mitigation can be achieved by adding specific application names to a designated registry key.", "references": ["https://gist.github.com/MHaggis/22ad19081300493e70ce0b873e98b2d0", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884", "https://www.bleepingcomputer.com/news/microsoft/microsoft-july-2023-patch-tuesday-warns-of-6-zero-days-132-flaws/", "https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/"], "narrative": "CVE-2023-36884 is a serious security vulnerability that affects a range of Microsoft Office products and Windows systems. It is a zero-day flaw, meaning it was already being exploited before Microsoft became aware of it or had a chance to develop a patch.\nAn attacker exploiting this vulnerability would create a Microsoft Office document containing malicious code. This document, when opened by the victim, allows for remote code execution, giving the attacker the ability to run their own code on the victim's machine. This poses a significant risk as the attacker could perform actions like data theft, system damage, or creating backdoors for future access.\nCurrently, there is no security patch available from Microsoft, which makes the issue more critical. Microsoft is working on investigating these vulnerabilities and will likely provide a security update either through their monthly release cycle or an out-of-cycle update, based on the urgency.\nIn the meantime, users of Microsoft Defender for Office and those utilizing the \"Block all Office applications from creating child processes\" Attack Surface Reduction Rule are protected from attempts to exploit this vulnerability. This is because these protections add an extra layer of security, blocking the malicious code from executing.\nFor users who are not using these protections, Microsoft recommends a workaround by adding specific application names to a particular Windows registry key (HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION) with data set as \"1\". This action aims to mitigate the risk until a permanent fix is available.\nThe disclosure of this flaw involved multiple entities including Microsoft Threat Intelligence, Vlad Stolyarov, Clement Lecigne and Bahare Sabouri from Google's Threat Analysis Group (TAG), Paul Rascagneres and Tom Lancaster from Volexity, and the Microsoft Office Product Group Security Team. This collective effort indicates the severity and importance of addressing this issue.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - MSHTML Module Load in Office Product - Rule", "ESCU - Office Document Spawned Child Process To Download - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Office Product Spawning BITSAdmin - Rule", "ESCU - Office Product Spawning CertUtil - Rule", "ESCU - Office Product Spawning MSHTA - Rule", "ESCU - Office Product Spawning Rundll32 with no DLL - Rule", "ESCU - Office Product Spawning Windows Script Host - Rule", "ESCU - Office Product Spawning Wmic - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "MSHTML Module Load in Office Product", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Document Spawned Child Process To Download", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawning BITSAdmin", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawning CertUtil", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawning MSHTA", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawning Rundll32 with no DLL", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawning Windows Script Host", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawning Wmic", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}]}, {"name": "Cyclops Blink", "author": "Teoderick Contreras, Splunk", "date": "2024-03-14", "version": 2, "id": "7c75b1c8-dfff-46f1-8250-e58df91b6fd9", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the cyclopsblink malware including firewall modification, spawning more process, botnet c2 communication, defense evasion and etc. Cyclops Blink is a Linux ELF executable compiled for 32-bit x86 and PowerPC architecture that has targeted several network devices. The complete list of targeted devices is unknown at this time, but WatchGuard FireBox has specifically been listed as a target. The modular malware consists of core components and modules that are deployed as child processes using the Linux API fork. At this point, four modules have been identified that download and upload files, gather system information and contain updating mechanisms for the malware itself. Additional modules can be downloaded and executed from the Command And Control (C2) server.", "references": ["https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf", "https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html"], "narrative": "Adversaries may use this technique to maximize the impact on the target organization in operations where network wide availability interruption is the goal.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT", "ToddyCat"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1036.004", "mitre_attack_technique": "Masquerade Task or Service", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT41", "BITTER", "BackdoorDiplomacy", "Carbanak", "FIN13", "FIN6", "FIN7", "Fox Kitten", "Higaisa", "Kimsuky", "Lazarus Group", "Magic Hound", "Naikon", "PROMETHIUM", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Linux Iptables Firewall Modification - Rule", "ESCU - Linux Kworker Process In Writable Process Path - Rule", "ESCU - Linux Stdout Redirection To Dev Null File - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Linux Iptables Firewall Modification", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Linux Kworker Process In Writable Process Path", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Masquerade Task or Service"}, {"mitre_attack_technique": "Masquerading"}]}, {"name": "Linux Stdout Redirection To Dev Null File", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}]}, {"name": "DarkCrystal RAT", "author": "Teoderick Contreras, Splunk", "date": "2022-07-26", "version": 1, "id": "639e6006-0885-4847-9394-ddc2902629bf", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the DcRat malware including ddos, spawning more process, botnet c2 communication, defense evasion and etc. The DcRat malware is known commercial backdoor that was first released in 2018. This tool was sold in underground forum and known to be one of the cheapest commercial RATs. DcRat is modular and bespoke plugin framework make it a very flexible option, helpful for a range of nefearious uses.", "references": ["https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor", "https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat"], "narrative": "Adversaries may use this technique to maximize the impact on the target organization in operations where network wide availability interruption is the goal.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1124", "mitre_attack_technique": "System Time Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Darkhotel", "Higaisa", "Lazarus Group", "Sidewinder", "The White Company", "Turla", "ZIRCONIUM"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "APT5", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1592.001", "mitre_attack_technique": "Hardware", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1590", "mitre_attack_technique": "Gather Victim Network Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["HAFNIUM"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1590.005", "mitre_attack_technique": "IP Addresses", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["Andariel", "HAFNIUM", "Magic Hound"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Reconnaissance", "Command And Control", "Initial Access", "Discovery", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Impact"], "datamodels": ["Risk", "Endpoint"], "kill_chain_phases": ["Reconnaissance", "Delivery", "Exploitation", "Actions on Objectives", "Installation", "Command and Control"]}, "detection_names": ["ESCU - Any Powershell DownloadFile - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Windows Command Shell DCRat ForkBomb Payload - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows Gather Victim Host Information Camera - Rule", "ESCU - Windows Gather Victim Network Info Through Ip Check Web Services - Rule", "ESCU - Windows High File Deletion Frequency - Rule", "ESCU - Windows Ingress Tool Transfer Using Explorer - Rule", "ESCU - Windows System LogOff Commandline - Rule", "ESCU - Windows System Reboot CommandLine - Rule", "ESCU - Windows System Shutdown CommandLine - Rule", "ESCU - Windows System Time Discovery W32tm Delay - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule", "ESCU - Winword Spawning Cmd - Rule", "ESCU - Winword Spawning PowerShell - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}, {"name": "Malicious PowerShell Process - Execution Policy Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Windows Command Shell DCRat ForkBomb Payload", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "System Network Connections Discovery"}, {"mitre_attack_technique": "System Owner/User Discovery"}, {"mitre_attack_technique": "System Shutdown/Reboot"}, {"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows Gather Victim Host Information Camera", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Hardware"}, {"mitre_attack_technique": "Gather Victim Host Information"}]}, {"name": "Windows Gather Victim Network Info Through Ip Check Web Services", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "IP Addresses"}, {"mitre_attack_technique": "Gather Victim Network Information"}]}, {"name": "Windows High File Deletion Frequency", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Windows Ingress Tool Transfer Using Explorer", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Windows System LogOff Commandline", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Shutdown/Reboot"}]}, {"name": "Windows System Reboot CommandLine", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Shutdown/Reboot"}]}, {"name": "Windows System Shutdown CommandLine", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Shutdown/Reboot"}]}, {"name": "Windows System Time Discovery W32tm Delay", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Time Discovery"}]}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Scheduled Task"}]}, {"name": "Winword Spawning Cmd", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Winword Spawning PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}]}, {"name": "DarkGate Malware", "author": "Michael Haag, Splunk", "date": "2023-10-31", "version": 1, "id": "a4727b27-9e68-48f0-94a2-253cfb30c15d", "description": "Telekom Security CTI has uncovered a new phishing-driven malware campaign distributing DarkGate malware. This campaign utilizes stolen email threads to trick users into downloading malicious payloads via hyperlinks. An initial false link to Emotet stirred the security community, but deeper analysis confirmed its true identity as DarkGate, with characteristics like AutoIt scripts and a known command-and-control protocol. This report by Fabian Marquardt details the intricate infection mechanisms, including MSI and VBS file deliveries, sophisticated evasion techniques, and a robust configuration extraction method surpassing current standards. The single developer behind DarkGate, active on cybercrime forums, has shifted the malware's use from private to a rent-out model, implying an expected rise in its deployment. Researchers have also developed a decryption technique for the DarkGate malware, which aids in static analysis and detection, though it requires careful validation to avoid false positives.", "references": ["https://github.security.telekom.com/2023/08/darkgate-loader.html", "https://redcanary.com/blog/intelligence-insights-october-2023"], "narrative": "Telekom Security CTi has recently put a spotlight on the proliferation of DarkGate malware via a sophisticated malspam campaign, initially mistaken for the notorious Emotet malware. The campaign smartly manipulates stolen email conversations, embedding hyperlinks that, once clicked, activate a malware download. Fabian Marquardt's analysis traces the infection's footprint, revealing a dual delivery mechanism through MSI and VBS files. These files, cloaked in legitimate wrappers or obscured with junk code, ultimately download the malware via embedded scripts.\nMarquardt delves into the AutoIt script-based infection, uncovering the calculated use of compiled scripts and base64-encoded data to disguise the execution of malicious shellcode. The subsequent stages of infection exhibit the malware's capability to evade detection, leveraging memory allocation techniques to bypass security measures. Marquardt also explores the loader's function, which decrypts further malicious payloads by interacting with the script's encoded components.\nThe analytical narrative captures a cross-section of the cybersecurity landscape, reflecting the shift in DarkGate's operational strategy from exclusive use by the developer to a broader dissemination through a Malware-as-a-Service (MaaS) model. This transition suggests an anticipated escalation in DarkGate-related attacks.\nSignificantly, the report contributes to cybersecurity defenses by outlining a more effective method for extracting malware configurations, providing the community with the means to anticipate and mitigate the evolving threats posed by this pernicious malware. With the insights gained, researchers and security professionals are better equipped to adapt their strategies, constructing more robust defenses against the sophisticated tactics employed by DarkGate and similar malware strains.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "APT5", "Akira", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN13", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1218.007", "mitre_attack_technique": "Msiexec", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Machete", "Molerats", "Rancor", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "APT5", "Dragonfly", "FIN13", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT", "Wizard Spider"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider", "Scattered Spider"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1070.005", "mitre_attack_technique": "Network Share Connection Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Threat Group-3390"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}, {"mitre_attack_id": "T1059.007", "mitre_attack_technique": "JavaScript", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "Cobalt Group", "Earth Lusca", "Ember Bear", "Evilnum", "FIN6", "FIN7", "Higaisa", "Indrik Spider", "Kimsuky", "LazyScripter", "Leafminer", "Molerats", "MoustachedBouncer", "MuddyWater", "Sidewinder", "Silence", "TA505", "Turla"]}, {"mitre_attack_id": "T1531", "mitre_attack_technique": "Account Access Removal", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Akira", "LAPSUS$"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "APT41", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "Volt Typhoon", "ZIRCONIUM"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1218.009", "mitre_attack_technique": "Regsvcs/Regasm", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "APT41", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Malteiro", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1021.006", "mitre_attack_technique": "Windows Remote Management", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Chimera", "FIN13", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1134.002", "mitre_attack_technique": "Create Process with Token", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Lazarus Group", "Turla"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "Malteiro", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Initial Access", "Collection", "Discovery", "Privilege Escalation", "Credential Access", "Persistence", "Execution", "Defense Evasion", "Impact", "Lateral Movement"], "datamodels": ["Authentication", "Endpoint"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Create local admin accounts using net exe - Rule", "ESCU - Create or delete windows shares using net exe - Rule", "ESCU - Delete ShadowCopy With PowerShell - Rule", "ESCU - Deleting Of Net Users - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Regasm Spawning a Process - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Execution of File with Multiple Extensions - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - Powershell Remote Services Add TrustedHost - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - Windows Access Token Manipulation SeDebugPrivilege - Rule", "ESCU - Windows Archive Collected Data via Rar - Rule", "ESCU - Windows AutoIt3 Execution - Rule", "ESCU - Windows CAB File on Disk - Rule", "ESCU - Windows Credentials from Password Stores Chrome Extension Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule", "ESCU - Windows Credentials from Password Stores Creation - Rule", "ESCU - Windows Credentials from Password Stores Deletion - Rule", "ESCU - Windows Credentials from Password Stores Query - Rule", "ESCU - Windows Indicator Removal Via Rmdir - Rule", "ESCU - Windows Modify Registry AuthenticationLevelOverride - Rule", "ESCU - Windows Modify Registry DisableRemoteDesktopAntiAlias - Rule", "ESCU - Windows Modify Registry DisableSecuritySettings - Rule", "ESCU - Windows Modify Registry DontShowUI - Rule", "ESCU - Windows Modify Registry ProxyEnable - Rule", "ESCU - Windows Modify Registry ProxyServer - Rule", "ESCU - Windows MSIExec Spawn WinDBG - Rule", "ESCU - Windows System Reboot CommandLine - Rule", "ESCU - Windows System Shutdown CommandLine - Rule", "ESCU - Windows WinDBG Spawning AutoIt3 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}, {"name": "Create local admin accounts using net exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}, {"name": "Create or delete windows shares using net exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Network Share Connection Removal"}]}, {"name": "Delete ShadowCopy With PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Deleting Of Net Users", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Access Removal"}]}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}, {"name": "Detect Regasm Spawning a Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Execution of File with Multiple Extensions", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "PowerShell 4104 Hunting", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Powershell Remote Services Add TrustedHost", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Remote Management"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "System Processes Run From Unexpected Locations", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}, {"name": "Windows Access Token Manipulation SeDebugPrivilege", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Create Process with Token"}, {"mitre_attack_technique": "Access Token Manipulation"}]}, {"name": "Windows Archive Collected Data via Rar", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}, {"name": "Windows AutoIt3 Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows CAB File on Disk", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Windows Credentials from Password Stores Chrome Extension Access", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Credentials from Password Stores Chrome LocalState Access", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Credentials from Password Stores Chrome Login Data Access", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Credentials from Password Stores Creation", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}]}, {"name": "Windows Credentials from Password Stores Deletion", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}]}, {"name": "Windows Credentials from Password Stores Query", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}]}, {"name": "Windows Indicator Removal Via Rmdir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Windows Modify Registry AuthenticationLevelOverride", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry DisableRemoteDesktopAntiAlias", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry DisableSecuritySettings", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry DontShowUI", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry ProxyEnable", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry ProxyServer", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows MSIExec Spawn WinDBG", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Msiexec"}]}, {"name": "Windows System Reboot CommandLine", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Shutdown/Reboot"}]}, {"name": "Windows System Shutdown CommandLine", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Shutdown/Reboot"}]}, {"name": "Windows WinDBG Spawning AutoIt3", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}]}, {"name": "DarkSide Ransomware", "author": "Bhavin Patel, Splunk", "date": "2021-05-12", "version": 1, "id": "507edc74-13d5-4339-878e-b9114ded1f35", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the DarkSide Ransomware", "references": ["https://www.splunk.com/en_us/blog/security/the-darkside-of-the-ransomware-pipeline.htmlbig-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/", "https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations"], "narrative": "This story addresses Darkside ransomware. This ransomware payload has many similarities to common ransomware however there are certain items particular to it. The creation of a .TXT log that shows every item being encrypted as well as the creation of ransomware notes and files adding a machine ID created based on CRC32 checksum algorithm. This ransomware payload leaves machines in minimal operation level,enough to browse the attackers websites. A customized URI with leaked information is presented to each victim.This is the ransomware payload that shut down the Colonial pipeline. The story is composed of several detection searches covering similar items to other ransomware payloads and those particular to Darkside payload.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1020", "mitre_attack_technique": "Automated Exfiltration", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["Gamaredon Group", "Ke3chang", "Sidewinder", "Tropic Trooper"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1197", "mitre_attack_technique": "BITS Jobs", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": ["APT39", "APT41", "Leviathan", "Patchwork", "Wizard Spider"]}, {"mitre_attack_id": "T1218.003", "mitre_attack_technique": "CMSTP", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group", "MuddyWater"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "Akira", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "Scattered Spider", "TA505"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Command And Control", "Exfiltration", "Credential Access", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Impact", "Lateral Movement"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation", "Actions on Objectives", "Command and Control"]}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Attempted Credential Dump From Registry via Reg exe - Rule", "ESCU - BITSAdmin Download File - Rule", "ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - CertUtil Download With VerifyCtl and Split Arguments - Rule", "ESCU - CMLUA Or CMSTPLUA UAC Bypass - Rule", "ESCU - Cobalt Strike Named Pipes - Rule", "ESCU - Delete ShadowCopy With PowerShell - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect RClone Command-Line Usage - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Detect Renamed RClone - Rule", "ESCU - Extraction of Registry Hives - Rule", "ESCU - Ransomware Notes bulk creation - Rule", "ESCU - SLUI RunAs Elevated - Rule", "ESCU - SLUI Spawning a Process - Rule", "ESCU - Windows Possible Credential Dumping - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Attempted Credential Dump From Registry via Reg exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "BITSAdmin Download File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "BITS Jobs"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "CertUtil Download With VerifyCtl and Split Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "CMLUA Or CMSTPLUA UAC Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "CMSTP"}]}, {"name": "Cobalt Strike Named Pipes", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Delete ShadowCopy With PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}, {"name": "Detect RClone Command-Line Usage", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Automated Exfiltration"}]}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Detect Renamed RClone", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Automated Exfiltration"}]}, {"name": "Extraction of Registry Hives", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Ransomware Notes bulk creation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}, {"name": "SLUI RunAs Elevated", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "SLUI Spawning a Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Windows Possible Credential Dumping", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}]}, {"name": "Data Destruction", "author": "Teoderick Contreras, Splunk", "date": "2023-04-06", "version": 1, "id": "4ae5c0d1-cebd-47d1-bfce-71bf096e38aa", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the data destruction, including deleting files, overwriting files, wiping disk and unrecoverable file encryption. This analytic story may cover several known activities related to malware implants used in geo-political war to wipe disks or files to interrupt the network-wide operation of a targeted organization. Analytics can detect the behavior of \"DoubleZero Destructor\", \"CaddyWiper\", \"AcidRain\", \"AwfulShred\", \"Hermetic Wiper\", \"Swift Slicer\", \"Whisper Gate\" and many more.", "references": ["https://attack.mitre.org/techniques/T1485/", "https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/", "https://www.picussecurity.com/blog/a-brief-history-and-further-technical-analysis-of-sodinokibi-ransomware", "https://www.splunk.com/en_us/blog/security/threat-advisory-strt-ta02-destructive-software.html", "https://www.splunk.com/en_us/blog/security/detecting-hermeticwiper.html", "https://www.splunk.com/en_us/blog/security/threat-update-doublezero-destructor.html", "https://www.splunk.com/en_us/blog/security/threat-update-caddywiper.html", "https://www.splunk.com/en_us/blog/security/strt-ta03-cpe-destructive-software.html", "https://www.splunk.com/en_us/blog/security/threat-update-cyclopsblink.html", "https://www.splunk.com/en_us/blog/security/threat-update-acidrain-wiper.html", "https://www.splunk.com/en_us/blog/security/threat-update-industroyer2.html", "https://www.splunk.com/en_us/blog/security/threat-advisory-swiftslicer-wiper-strt-ta03.html"], "narrative": "Adversaries may partially or completely overwrite the contents of a storage device rendering the data irrecoverable through the storage interface or using 3rd party drivers to directly access disk content like Master Boot Record to wipe it. Some of these attacks were seen in geo-political war to impair the operation of targeted organizations or to interrupt network-wide services.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1059.004", "mitre_attack_technique": "Unix Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT41", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Cinnamon Tempest", "Earth Lusca", "FIN13", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}, {"mitre_attack_id": "T1200", "mitre_attack_technique": "Hardware Additions", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["DarkVishnya"]}, {"mitre_attack_id": "T1059.005", "mitre_attack_technique": "Visual Basic", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT33", "APT37", "APT38", "APT39", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Earth Lusca", "FIN13", "FIN4", "FIN7", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "Transparent Tribe", "Turla", "WIRTE", "Windshift"]}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "APT5", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1588.002", "mitre_attack_technique": "Tool", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT19", "APT28", "APT29", "APT32", "APT33", "APT38", "APT39", "APT41", "Aoqin Dragon", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Carbanak", "Chimera", "Cinnamon Tempest", "Cleaver", "Cobalt Group", "CopyKittens", "DarkHydrus", "DarkVishnya", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN5", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "GALLIUM", "Gorgon Group", "HEXANE", "Inception", "IndigoZebra", "Ke3chang", "Kimsuky", "LAPSUS$", "Lazarus Group", "Leafminer", "LuminousMoth", "Magic Hound", "Metador", "Moses Staff", "MuddyWater", "POLONIUM", "Patchwork", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "TA2541", "TA505", "Threat Group-3390", "Thrip", "Turla", "Volt Typhoon", "WIRTE", "Whitefly", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1547.014", "mitre_attack_technique": "Active Setup", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1562.006", "mitre_attack_technique": "Indicator Blocking", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT41", "APT5"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1027.005", "mitre_attack_technique": "Indicator Removal from Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT3", "Deep Panda", "GALLIUM", "OilRig", "Patchwork", "Turla"]}, {"mitre_attack_id": "T1547.003", "mitre_attack_technique": "Time Providers", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1561.002", "mitre_attack_technique": "Disk Structure Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1561", "mitre_attack_technique": "Disk Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}, {"mitre_attack_id": "T1218.014", "mitre_attack_technique": "MMC", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.012", "mitre_attack_technique": "Print Processors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}, {"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1037.001", "mitre_attack_technique": "Logon Script (Windows)", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "Cobalt Group"]}, {"mitre_attack_id": "T1546.008", "mitre_attack_technique": "Accessibility Features", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT3", "APT41", "Axiom", "Deep Panda", "Fox Kitten"]}, {"mitre_attack_id": "T1497.003", "mitre_attack_technique": "Time Based Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546.012", "mitre_attack_technique": "Image File Execution Options Injection", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1134.001", "mitre_attack_technique": "Token Impersonation/Theft", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "FIN8"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1053.006", "mitre_attack_technique": "Systemd Timers", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.006", "mitre_attack_technique": "Windows Remote Management", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Chimera", "FIN13", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546.002", "mitre_attack_technique": "Screensaver", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT41", "BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Scattered Spider", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1053.003", "mitre_attack_technique": "Cron", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT38", "APT5", "Rocke"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1037", "mitre_attack_technique": "Boot or Logon Initialization Scripts", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "Rocke"]}, {"mitre_attack_id": "T1497", "mitre_attack_technique": "Virtualization/Sandbox Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": ["Darkhotel"]}, {"mitre_attack_id": "T1546.015", "mitre_attack_technique": "Component Object Model Hijacking", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT", "ToddyCat"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}], "mitre_attack_tactics": ["Reconnaissance", "Command And Control", "Initial Access", "Resource Development", "Discovery", "Credential Access", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Impact", "Lateral Movement"], "datamodels": ["Email", "Endpoint"], "kill_chain_phases": ["Reconnaissance", "Delivery", "Actions on Objectives", "Exploitation", "Installation", "Weaponization", "Command and Control"]}, "detection_names": ["ESCU - Email Attachments With Lots Of Spaces - Rule", "ESCU - Suspicious Email Attachment Extensions - Rule", "ESCU - Active Setup Registry Autostart - Rule", "ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - AdsiSearcher Account Discovery - Rule", "ESCU - Any Powershell DownloadFile - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - Attempted Credential Dump From Registry via Reg exe - Rule", "ESCU - Change Default File Association - Rule", "ESCU - Child Processes of Spoolsv exe - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Detect Empire with PowerShell Script Block Logging - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Excessive File Deletion In WinDefender Folder - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Kerberoasting spn request with RC4 encryption - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux Data Destruction Command - Rule", "ESCU - Linux DD File Overwrite - Rule", "ESCU - Linux Deleting Critical Directory Using RM Command - Rule", "ESCU - Linux Deletion Of Cron Jobs - Rule", "ESCU - Linux Deletion Of Init Daemon Script - Rule", "ESCU - Linux Deletion Of Services - Rule", "ESCU - Linux Disable Services - Rule", "ESCU - Linux Hardware Addition SwapOff - Rule", "ESCU - Linux High Frequency Of File Deletion In Boot Folder - Rule", "ESCU - Linux High Frequency Of File Deletion In Etc Folder - Rule", "ESCU - Linux Impair Defenses Process Kill - Rule", "ESCU - Linux Indicator Removal Clear Cache - Rule", "ESCU - Linux Indicator Removal Service File Deletion - Rule", "ESCU - Linux Java Spawning Shell - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Shred Overwrite Command - Rule", "ESCU - Linux Stdout Redirection To Dev Null File - Rule", "ESCU - Linux Stop Services - Rule", "ESCU - Linux System Network Discovery - Rule", "ESCU - Linux System Reboot Via System Request Key - Rule", "ESCU - Linux Unix Shell Enable All SysRq Functions - Rule", "ESCU - Logon Script Event Trigger Execution - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Malicious PowerShell Process With Obfuscation Techniques - Rule", "ESCU - MSI Module Loaded by Non-System Binary - Rule", "ESCU - Overwriting Accessibility Binaries - Rule", "ESCU - Ping Sleep Batch Command - Rule", "ESCU - Possible Lateral Movement PowerShell Spawn - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - PowerShell Domain Enumeration - Rule", "ESCU - Powershell Enable SMB1Protocol Feature - Rule", "ESCU - Powershell Execute COM Object - Rule", "ESCU - Powershell Fileless Process Injection via GetProcAddress - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Powershell Processing Stream Of Data - Rule", "ESCU - Powershell Remove Windows Defender Directory - Rule", "ESCU - Powershell Using memory As Backing Store - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Print Processor Registry Autostart - Rule", "ESCU - Process Deleting Its Process File Path - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Runas Execution in CommandLine - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Screensaver Event Trigger Execution - Rule", "ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule", "ESCU - Suspicious Process DNS Query Known Abuse Web Services - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Process With Discord DNS Query - Rule", "ESCU - Time Provider Persistence Registry - Rule", "ESCU - Unloading AMSI via Reflection - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows Data Destruction Recursive Exec Files Deletion - Rule", "ESCU - Windows Deleted Registry By A Non Critical Process File Path - Rule", "ESCU - Windows Disable Memory Crash Dump - Rule", "ESCU - Windows DotNet Binary in Non Standard Path - Rule", "ESCU - Windows File Without Extension In Critical Folder - Rule", "ESCU - Windows Hidden Schedule Task Settings - Rule", "ESCU - Windows High File Deletion Frequency - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows Linked Policies In ADSI Discovery - Rule", "ESCU - Windows Modify Show Compress Color And Info Tip Registry - Rule", "ESCU - Windows NirSoft AdvancedRun - Rule", "ESCU - Windows NirSoft Utilities - Rule", "ESCU - Windows Processes Killed By Industroyer2 Malware - Rule", "ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - Windows Root Domain linked policies Discovery - Rule", "ESCU - Windows Terminating Lsass Process - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule", "ESCU - WMI Recon Running Process Or Services - Rule", "ESCU - Wscript Or Cscript Suspicious Child Process - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Email Attachments With Lots Of Spaces", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Suspicious Email Attachment Extensions", "source": "application", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}, {"name": "Active Setup Registry Autostart", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Active Setup"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Add or Set Windows Defender Exclusion", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "AdsiSearcher Account Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Attempt To Stop Security Service", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Attempted Credential Dump From Registry via Reg exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Change Default File Association", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Change Default File Association"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Child Processes of Spoolsv exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Detect Empire with PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "ETW Registry Disabled", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Blocking"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Excessive File Deletion In WinDefender Folder", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Kerberoasting spn request with RC4 encryption", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}]}, {"name": "Linux Adding Crontab Using List Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Data Destruction Command", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Linux DD File Overwrite", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Linux Deleting Critical Directory Using RM Command", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Linux Deletion Of Cron Jobs", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Linux Deletion Of Init Daemon Script", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Linux Deletion Of Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Linux Disable Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Service Stop"}]}, {"name": "Linux Hardware Addition SwapOff", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Hardware Additions"}]}, {"name": "Linux High Frequency Of File Deletion In Boot Folder", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Linux High Frequency Of File Deletion In Etc Folder", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Linux Impair Defenses Process Kill", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Linux Indicator Removal Clear Cache", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Linux Indicator Removal Service File Deletion", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Linux Java Spawning Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Linux Service Restarted", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Shred Overwrite Command", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Linux Stdout Redirection To Dev Null File", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Linux Stop Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Service Stop"}]}, {"name": "Linux System Network Discovery", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Network Configuration Discovery"}]}, {"name": "Linux System Reboot Via System Request Key", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Shutdown/Reboot"}]}, {"name": "Linux Unix Shell Enable All SysRq Functions", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Unix Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Logon Script Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Boot or Logon Initialization Scripts"}, {"mitre_attack_technique": "Logon Script (Windows)"}]}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}, {"name": "Malicious PowerShell Process With Obfuscation Techniques", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "MSI Module Loaded by Non-System Binary", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "Overwriting Accessibility Binaries", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "Accessibility Features"}]}, {"name": "Ping Sleep Batch Command", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Virtualization/Sandbox Evasion"}, {"mitre_attack_technique": "Time Based Evasion"}]}, {"name": "Possible Lateral Movement PowerShell Spawn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Remote Management"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "MMC"}]}, {"name": "PowerShell 4104 Hunting", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "PowerShell Domain Enumeration", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Powershell Enable SMB1Protocol Feature", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "Indicator Removal from Tools"}]}, {"name": "Powershell Execute COM Object", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Component Object Model Hijacking"}, {"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Powershell Fileless Process Injection via GetProcAddress", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "PowerShell Loading DotNET into Memory via Reflection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Powershell Processing Stream Of Data", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Powershell Remove Windows Defender Directory", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Powershell Using memory As Backing Store", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Print Processor Registry Autostart", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Process Deleting Its Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Gather Victim Host Information"}]}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Gather Victim Host Information"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Registry Keys Used For Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Image File Execution Options Injection"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Regsvr32 Silent and Install Param Dll Loading", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}, {"name": "Runas Execution in CommandLine", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Access Token Manipulation"}, {"mitre_attack_technique": "Token Impersonation/Theft"}]}, {"name": "Schtasks Run Task On Demand", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Screensaver Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "Screensaver"}]}, {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Suspicious Process DNS Query Known Abuse Web Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Visual Basic"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Suspicious Process With Discord DNS Query", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Visual Basic"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Time Provider Persistence Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Time Providers"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Unloading AMSI via Reflection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}, {"name": "Windows Data Destruction Recursive Exec Files Deletion", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Windows Deleted Registry By A Non Critical Process File Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Disable Memory Crash Dump", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Windows DotNet Binary in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}, {"name": "Windows File Without Extension In Critical Folder", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Windows Hidden Schedule Task Settings", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Windows High File Deletion Frequency", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}, {"name": "Windows Linked Policies In ADSI Discovery", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Windows Modify Show Compress Color And Info Tip Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows NirSoft AdvancedRun", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Tool"}]}, {"name": "Windows NirSoft Utilities", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Tool"}]}, {"name": "Windows Processes Killed By Industroyer2 Malware", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Service Stop"}]}, {"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}, {"name": "Windows Root Domain linked policies Discovery", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Windows Terminating Lsass Process", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Scheduled Task"}]}, {"name": "WMI Recon Running Process Or Services", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Gather Victim Host Information"}]}, {"name": "Wscript Or Cscript Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Parent PID Spoofing"}, {"mitre_attack_technique": "Access Token Manipulation"}]}]}, {"name": "Data Exfiltration", "author": "Bhavin Patel, Shannon Davis, Splunk", "date": "2023-05-17", "version": 2, "id": "66b0fe0c-1351-11eb-adc1-0242ac120002", "description": "Data exfiltration refers to the unauthorized transfer or extraction of sensitive or valuable data from a compromised system or network during a cyber attack. It is a critical phase in many targeted attacks, where adversaries aim to steal confidential information, such as intellectual property, financial records, personal data, or trade secrets.", "references": ["https://attack.mitre.org/tactics/TA0010/", "https://bleemb.medium.com/data-exfiltration-with-native-aws-s3-features-c94ae4d13436", "https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-277a"], "narrative": "This Analytic Story supports you to detect Tactics, Techniques and Procedures (TTPs) leveraged by adversaries to exfiltrate data from your environments. Exfiltration comes in many flavors and its done differently on every environment. Adversaries can collect data over encrypted or non-encrypted channels. They can utilise Command And Control channels that are already in place to exfiltrate data. They can use both standard data transfer protocols such as FTP, SCP, etc to exfiltrate data. Or they can use non-standard protocols such as DNS, ICMP, etc with specially crafted fields to try and circumvent security technologies in place.\nTechniques for getting data out of a target network typically include transferring it over their command and control channel or an alternate channel and may also include putting size limits on the transmission. In context of the cloud, this refers to the unauthorized transfer or extraction of sensitive data from cloud-based systems or services. It involves the compromise of cloud infrastructure or accounts to gain access to valuable information stored in the cloud environment. Attackers may employ various techniques, such as exploiting vulnerabilities, stealing login credentials, or using malicious code to exfiltrate data from cloud repositories or services without detection.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1537", "mitre_attack_technique": "Transfer Data to Cloud Account", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1119", "mitre_attack_technique": "Automated Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "Chimera", "Confucius", "FIN5", "FIN6", "Gamaredon Group", "Ke3chang", "Mustang Panda", "OilRig", "Patchwork", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1114", "mitre_attack_technique": "Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Magic Hound", "Silent Librarian"]}, {"mitre_attack_id": "T1114.003", "mitre_attack_technique": "Email Forwarding Rule", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Kimsuky", "LAPSUS$", "Silent Librarian"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1041", "mitre_attack_technique": "Exfiltration Over C2 Channel", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Chimera", "Confucius", "GALLIUM", "Gamaredon Group", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "LuminousMoth", "MuddyWater", "Sandworm Team", "Stealth Falcon", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1114.001", "mitre_attack_technique": "Local Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "Chimera", "Magic Hound"]}, {"mitre_attack_id": "T1568.002", "mitre_attack_technique": "Domain Generation Algorithms", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "TA551"]}, {"mitre_attack_id": "T1567", "mitre_attack_technique": "Exfiltration Over Web Service", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT28", "Magic Hound"]}], "mitre_attack_tactics": ["Command And Control", "Initial Access", "Collection", "Exfiltration", "Credential Access", "Impact"], "datamodels": ["Web", "Risk", "Endpoint", "Network_Resolution"], "kill_chain_phases": ["Delivery", "Exploitation", "Actions on Objectives", "Command and Control"]}, "detection_names": ["ESCU - AWS AMI Attribute Modification for Exfiltration - Rule", "ESCU - AWS Disable Bucket Versioning - Rule", "ESCU - AWS EC2 Snapshot Shared Externally - Rule", "ESCU - AWS Exfiltration via Anomalous GetObject API Activity - Rule", "ESCU - AWS Exfiltration via Batch Service - Rule", "ESCU - AWS Exfiltration via Bucket Replication - Rule", "ESCU - AWS Exfiltration via DataSync Task - Rule", "ESCU - AWS Exfiltration via EC2 Snapshot - Rule", "ESCU - AWS S3 Exfiltration Behavior Identified - Rule", "ESCU - Gdrive suspicious file sharing - Rule", "ESCU - O365 PST export alert - Rule", "ESCU - O365 Suspicious Admin Email Forwarding - Rule", "ESCU - O365 Suspicious User Email Forwarding - Rule", "ESCU - Detect Certipy File Modifications - Rule", "ESCU - DNS Exfiltration Using Nslookup App - Rule", "ESCU - Excessive Usage of NSLOOKUP App - Rule", "ESCU - Linux Curl Upload File - Rule", "ESCU - Mailsniper Invoke functions - Rule", "ESCU - Detect DGA domains using pretrained model in DSDL - Rule", "ESCU - Detect SNICat SNI Exfiltration - Rule", "ESCU - High Volume of Bytes Out to Url - Rule", "ESCU - Multiple Archive Files Http Post Traffic - Rule", "ESCU - Plain HTTP POST Exfiltrated Data - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Shannon Davis, Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "AWS AMI Attribute Modification for Exfiltration", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}, {"name": "AWS Disable Bucket Versioning", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "AWS EC2 Snapshot Shared Externally", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}, {"name": "AWS Exfiltration via Anomalous GetObject API Activity", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Automated Collection"}]}, {"name": "AWS Exfiltration via Batch Service", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Automated Collection"}]}, {"name": "AWS Exfiltration via Bucket Replication", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}, {"name": "AWS Exfiltration via DataSync Task", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Automated Collection"}]}, {"name": "AWS Exfiltration via EC2 Snapshot", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}, {"name": "AWS S3 Exfiltration Behavior Identified", "source": "cloud", "type": "Correlation", "tags": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}, {"name": "Gdrive suspicious file sharing", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Phishing"}]}, {"name": "O365 PST export alert", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Email Collection"}]}, {"name": "O365 Suspicious Admin Email Forwarding", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Email Forwarding Rule"}, {"mitre_attack_technique": "Email Collection"}]}, {"name": "O365 Suspicious User Email Forwarding", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Email Forwarding Rule"}, {"mitre_attack_technique": "Email Collection"}]}, {"name": "Detect Certipy File Modifications", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}, {"mitre_attack_technique": "Archive Collected Data"}]}, {"name": "DNS Exfiltration Using Nslookup App", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}, {"name": "Excessive Usage of NSLOOKUP App", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}, {"name": "Linux Curl Upload File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Mailsniper Invoke functions", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Email Collection"}, {"mitre_attack_technique": "Local Email Collection"}]}, {"name": "Detect DGA domains using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Domain Generation Algorithms"}]}, {"name": "Detect SNICat SNI Exfiltration", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over C2 Channel"}]}, {"name": "High Volume of Bytes Out to Url", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exfiltration Over Web Service"}]}, {"name": "Multiple Archive Files Http Post Traffic", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}, {"name": "Plain HTTP POST Exfiltrated Data", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}]}, {"name": "Data Protection", "author": "Bhavin Patel, Splunk", "date": "2017-09-14", "version": 1, "id": "91c676cf-0b23-438d-abee-f6335e1fce33", "description": "Fortify your data-protection arsenal--while continuing to ensure data confidentiality and integrity--with searches that monitor for and help you investigate possible signs of data exfiltration.", "references": ["https://www.cisecurity.org/controls/data-protection/", "https://www.sans.org/reading-room/whitepapers/dns/splunk-detect-dns-tunneling-37022", "https://umbrella.cisco.com/blog/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/"], "narrative": "Attackers can leverage a variety of resources to compromise or exfiltrate enterprise data. Common exfiltration techniques include remote-access channels via low-risk, high-payoff active-collections operations and close-access operations using insiders and removable media. While this Analytic Story is not a comprehensive listing of all the methods by which attackers can exfiltrate data, it provides a useful starting point.", "tags": {"category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}], "mitre_attack_tactics": ["Exfiltration"], "datamodels": ["Change_Analysis", "Change", "Network_Resolution"], "kill_chain_phases": ["Actions on Objectives"]}, "detection_names": ["ESCU - Detect USB device insertion - Rule", "ESCU - Detection of DNS Tunnels - Rule", "ESCU - Detect hosts connecting to dynamic domain providers - Rule"], "investigation_names": ["Get DNS Server History for a host", "Get DNS traffic ratio", "Get Notable History", "Get Process Info", "Get Process Responsible For The DNS Traffic"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect USB device insertion", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Detection of DNS Tunnels", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}, {"name": "Detect hosts connecting to dynamic domain providers", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Drive-by Compromise"}]}]}, {"name": "Deobfuscate-Decode Files or Information", "author": "Michael Haag, Splunk", "date": "2021-03-24", "version": 1, "id": "0bd01a54-8cbe-11eb-abcd-acde48001122", "description": "Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis.", "references": ["https://attack.mitre.org/techniques/T1140/"], "narrative": "An example of obfuscated files is `Certutil.exe` usage to encode a portable executable to a certificate file, which is base64 encoded, to hide the originating file. There are many utilities cross-platform to encode using XOR, using compressed .cab files to hide contents and scripting languages that may perform similar native Windows tasks. Triaging an event related will require the capability to review related process events and file modifications. Using a tool such as CyberChef will assist with identifying the encoding that was used, and potentially assist with decoding the contents.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - CertUtil With Decode Argument - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "CertUtil With Decode Argument", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Deobfuscate/Decode Files or Information"}]}]}, {"name": "AWS Cryptomining", "author": "David Dorsey, Splunk", "date": "2018-03-08", "version": 1, "id": "ced74200-8465-4bc3-bd2c-9a782eec6750", "description": "Monitor your AWS EC2 instances for activities related to cryptojacking/cryptomining. New instances that originate from previously unseen regions, users who launch abnormally high numbers of instances, or EC2 instances started by previously unseen users are just a few examples of potentially malicious behavior.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "narrative": "Cryptomining is an intentionally difficult, resource-intensive business. Its complexity was designed into the process to ensure that the number of blocks mined each day would remain steady. So, it's par for the course that ambitious, but unscrupulous, miners make amassing the computing power of large enterprises--a practice known as cryptojacking--a top priority.\nCryptojacking has attracted an increasing amount of media attention since its explosion in popularity in the fall of 2017. The attacks have moved from in-browser exploits and mobile phones to enterprise cloud services, such as Amazon Web Services (AWS). It's difficult to determine exactly how widespread the practice has become, since bad actors continually evolve their ability to escape detection, including employing unlisted endpoints, moderating their CPU usage, and hiding the mining pool's IP address behind a free CDN.\nWhen malicious miners appropriate a cloud instance, often spinning up hundreds of new instances, the costs can become astronomical for the account holder. So, it is critically important to monitor your systems for suspicious activities that could indicate that your network has been infiltrated.\nThis Analytic Story is focused on detecting suspicious new instances in your EC2 environment to help prevent such a disaster. It contains detection searches that will detect when a previously unused instance type or AMI is used. It also contains support searches to build lookup files to ensure proper execution of the detection searches.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Persistence", "Privilege Escalation", "Initial Access", "Defense Evasion"], "datamodels": [], "kill_chain_phases": ["Installation", "Delivery", "Exploitation"]}, "detection_names": ["ESCU - Abnormally High AWS Instances Launched by User - Rule", "ESCU - Abnormally High AWS Instances Launched by User - MLTK - Rule", "ESCU - EC2 Instance Started In Previously Unseen Region - Rule", "ESCU - EC2 Instance Started With Previously Unseen AMI - Rule", "ESCU - EC2 Instance Started With Previously Unseen Instance Type - Rule", "ESCU - EC2 Instance Started With Previously Unseen User - Rule"], "investigation_names": ["AWS Investigate User Activities By ARN", "Get EC2 Instance Details by instanceId", "Get EC2 Launch Details", "Get Logon Rights Modifications For Endpoint", "Get Logon Rights Modifications For User", "Get Notable History", "Investigate AWS activities via region name"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Abnormally High AWS Instances Launched by User", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Accounts"}]}, {"name": "Abnormally High AWS Instances Launched by User - MLTK", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Accounts"}]}, {"name": "EC2 Instance Started In Previously Unseen Region", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}, {"name": "EC2 Instance Started With Previously Unseen AMI", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "EC2 Instance Started With Previously Unseen Instance Type", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "EC2 Instance Started With Previously Unseen User", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Accounts"}]}]}, {"name": "AWS Suspicious Provisioning Activities", "author": "David Dorsey, Splunk", "date": "2018-03-16", "version": 1, "id": "3338b567-3804-4261-9889-cf0ca4753c7f", "description": "Monitor your AWS provisioning activities for behaviors originating from unfamiliar or unusual locations. These behaviors may indicate that malicious activities are occurring somewhere within your network.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "narrative": "Because most enterprise AWS activities originate from familiar geographic locations, monitoring for activity from unknown or unusual regions is an important security measure. This indicator can be especially useful in environments where it is impossible to add specific IPs to an allow list because they vary.\nThis Analytic Story was designed to provide you with flexibility in the precision you employ in specifying legitimate geographic regions. It can be as specific as an IP address or a city, or as broad as a region (think state) or an entire country. By determining how precise you want your geographical locations to be and monitoring for new locations that haven't previously accessed your environment, you can detect adversaries as they begin to probe your environment. Since there are legitimate reasons for activities from unfamiliar locations, this is not a standalone indicator. Nevertheless, location can be a relevant piece of information that you may wish to investigate further.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": [], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - AWS Cloud Provisioning From Previously Unseen City - Rule", "ESCU - AWS Cloud Provisioning From Previously Unseen Country - Rule", "ESCU - AWS Cloud Provisioning From Previously Unseen IP Address - Rule", "ESCU - AWS Cloud Provisioning From Previously Unseen Region - Rule"], "investigation_names": ["AWS Investigate Security Hub alerts by dest", "AWS Investigate User Activities By ARN", "Get All AWS Activity From City", "Get All AWS Activity From Country", "Get All AWS Activity From IP Address", "Get All AWS Activity From Region"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "AWS Cloud Provisioning From Previously Unseen City", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}, {"name": "AWS Cloud Provisioning From Previously Unseen Country", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}, {"name": "AWS Cloud Provisioning From Previously Unseen IP Address", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "AWS Cloud Provisioning From Previously Unseen Region", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}]}, {"name": "Common Phishing Frameworks", "author": "Splunk Research Team, Splunk", "date": "2019-04-29", "version": 1, "id": "9a64ab44-9214-4639-8163-7eaa2621bd61", "description": "Detect DNS and web requests to fake websites generated by the EvilGinx2 toolkit. These websites are designed to fool unwitting users who have clicked on a malicious link in a phishing email. ", "references": ["https://github.com/kgretzky/evilginx2", "https://attack.mitre.org/techniques/T1192/", "https://breakdev.org/evilginx-advanced-phishing-with-two-factor-authentication-bypass/"], "narrative": "As most people know, these emails use fraudulent domains, [email scraping](https://www.cyberscoop.com/emotet-trojan-phishing-scraping-templates-cofense-geodo/), familiar contact names inserted as senders, and other tactics to lure targets into clicking a malicious link, opening an attachment with a [nefarious payload](https://www.cyberscoop.com/emotet-trojan-phishing-scraping-templates-cofense-geodo/), or entering sensitive personal information that perpetrators may intercept. This attack technique requires a relatively low level of skill and allows adversaries to easily cast a wide net. Because phishing is a technique that relies on human psychology, you will never be able to eliminate this vulnerability 100%. But you can use automated detection to significantly reduce the risks.\nThis Analytic Story focuses on detecting signs of MiTM attacks enabled by [EvilGinx2](https://github.com/kgretzky/evilginx2), a toolkit that sets up a transparent proxy between the targeted site and the user. In this way, the attacker is able to intercept credentials and two-factor identification tokens. It employs a proxy template to allow a registered domain to impersonate targeted sites, such as Linkedin, Amazon, Okta, Github, Twitter, Instagram, Reddit, Office 365, and others. It can even register SSL certificates and camouflage them via a URL shortener, making them difficult to detect. Searches in this story look for signs of MiTM attacks enabled by EvilGinx2.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect DNS requests to Phishing Sites leveraging EvilGinx2 - Rule"], "investigation_names": ["Get Certificate logs for a domain"], "baseline_names": [], "author_company": "Splunk", "author_name": "Splunk Research Team", "detections": [{"name": "Detect DNS requests to Phishing Sites leveraging EvilGinx2", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Spearphishing via Service"}]}]}, {"name": "Container Implantation Monitoring and Investigation", "author": "Rod Soto, Rico Valdez, Splunk", "date": "2020-02-20", "version": 1, "id": "aa0e28b1-0521-4b6f-9d2a-7b87e34af246", "description": "Use the searches in this story to monitor your Kubernetes registry repositories for upload, and deployment of potentially vulnerable, backdoor, or implanted containers. These searches provide information on source users, destination path, container names and repository names. The searches provide context to address Mitre T1525 which refers to container implantation upload to a company's repository either in Amazon Elastic Container Registry, Google Container Registry and Azure Container Registry.", "references": ["https://github.com/splunk/cloud-datamodel-security-research"], "narrative": "Container Registrys provide a way for organizations to keep customized images of their development and infrastructure environment in private. However if these repositories are misconfigured or priviledge users credentials are compromise, attackers can potentially upload implanted containers which can be deployed across the organization. These searches allow operator to monitor who, when and what was uploaded to container registry.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": [], "investigation_names": [], "baseline_names": [], "author_company": "Rico Valdez, Splunk", "author_name": "Rod Soto", "detections": []}, {"name": "Host Redirection", "author": "Rico Valdez, Splunk", "date": "2017-09-14", "version": 1, "id": "2e8948a5-5239-406b-b56b-6c50fe268af4", "description": "Detect evidence of tactics used to redirect traffic from a host to a destination other than the one intended--potentially one that is part of an adversary's attack infrastructure. An example is redirecting communications regarding patches and updates or misleading users into visiting a malicious website.", "references": ["https://blog.malwarebytes.com/cybercrime/2016/09/hosts-file-hijacks/"], "narrative": "Attackers will often attempt to manipulate client communications for nefarious purposes. In some cases, an attacker may endeavor to modify a local host file to redirect communications with resources (such as antivirus or system-update services) to prevent clients from receiving patches or updates. In other cases, an attacker might use this tactic to have the client connect to a site that looks like the intended site, but instead installs malware or collects information from the victim. Additionally, an attacker may redirect a victim in order to execute a MITM attack and observe communications.", "tags": {"category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1071.004", "mitre_attack_technique": "DNS", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT39", "APT41", "Chimera", "Cobalt Group", "FIN7", "Ke3chang", "LazyScripter", "OilRig", "Tropic Trooper"]}], "mitre_attack_tactics": ["Command And Control", "Exfiltration"], "datamodels": ["Network_Resolution"], "kill_chain_phases": ["Actions on Objectives", "Command and Control"]}, "detection_names": ["ESCU - Clients Connecting to Multiple DNS Servers - Rule", "ESCU - DNS Query Requests Resolved by Unauthorized DNS Servers - Rule", "ESCU - Windows hosts file modification - Rule"], "investigation_names": ["Get DNS Server History for a host", "Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Clients Connecting to Multiple DNS Servers", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}, {"name": "DNS Query Requests Resolved by Unauthorized DNS Servers", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "DNS"}]}, {"name": "Windows hosts file modification", "source": "deprecated", "type": "TTP", "tags": []}]}, {"name": "Kubernetes Sensitive Role Activity", "author": "Rod Soto, Splunk", "date": "2020-05-20", "version": 1, "id": "8b3984d2-17b6-47e9-ba43-a3376e70fdcc", "description": "This story addresses detection and response around Sensitive Role usage within a Kubernetes clusters against cluster resources and namespaces.", "references": ["https://www.splunk.com/en_us/blog/security/approaching-kubernetes-security-detecting-kubernetes-scan-with-splunk.html"], "narrative": "Kubernetes is the most used container orchestration platform, this orchestration platform contains sensitive roles within its architecture, specifically configmaps and secrets, if accessed by an attacker can lead to further compromise. These searches allow operator to detect suspicious requests against Kubernetes role activities", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Kubernetes AWS detect most active service accounts by pod - Rule", "ESCU - Kubernetes AWS detect RBAC authorization by account - Rule", "ESCU - Kubernetes AWS detect sensitive role access - Rule", "ESCU - Kubernetes Azure active service accounts by pod namespace - Rule", "ESCU - Kubernetes Azure detect RBAC authorization by account - Rule", "ESCU - Kubernetes Azure detect sensitive role access - Rule", "ESCU - Kubernetes GCP detect most active service accounts by pod - Rule", "ESCU - Kubernetes GCP detect RBAC authorizations by account - Rule", "ESCU - Kubernetes GCP detect sensitive role access - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rod Soto", "detections": [{"name": "Kubernetes AWS detect most active service accounts by pod", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes AWS detect RBAC authorization by account", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes AWS detect sensitive role access", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes Azure active service accounts by pod namespace", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes Azure detect RBAC authorization by account", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes Azure detect sensitive role access", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes GCP detect most active service accounts by pod", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes GCP detect RBAC authorizations by account", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes GCP detect sensitive role access", "source": "deprecated", "type": "Hunting", "tags": []}]}, {"name": "Lateral Movement", "author": "David Dorsey, Splunk", "date": "2020-02-04", "version": 2, "id": "399d65dc-1f08-499b-a259-abd9051f38ad", "description": " DEPRECATED IN FAVOR OF ACTIVE DIRECTORY LATERAL MOVEMENT. Detect and investigate tactics, techniques, and procedures around how attackers move laterally within the enterprise. Because lateral movement can expose the adversary to detection, it should be an important focus for security analysts.", "references": ["https://www.fireeye.com/blog/executive-perspective/2015/08/malware_lateral_move.html"], "narrative": "Once attackers gain a foothold within an enterprise, they will seek to expand their accesses and leverage techniques that facilitate lateral movement. Attackers will often spend quite a bit of time and effort moving laterally. Because lateral movement renders an attacker the most vulnerable to detection, it's an excellent focus for detection and investigation. Indications of lateral movement can include the abuse of system utilities (such as `psexec.exe`), unauthorized use of remote desktop services, `file/admin$` shares, WMI, PowerShell, pass-the-hash, or the abuse of scheduled tasks. Organizations must be extra vigilant in detecting lateral movement techniques and look for suspicious activity in and around high-value strategic network assets, such as Active Directory, which are often considered the primary target or \"crown jewels\" to a persistent threat actor. An adversary can use lateral movement for multiple purposes, including remote execution of tools, pivoting to additional systems, obtaining access to specific information or files, access to additional credentials, exfiltrating data, or delivering a secondary effect. Adversaries may use legitimate credentials alongside inherent network and operating-system functionality to remotely connect to other systems and remain under the radar of network defenders. If there is evidence of lateral movement, it is imperative for analysts to collect evidence of the associated offending hosts. For example, an attacker might leverage host A to gain access to host B. From there, the attacker may try to move laterally to host C. In this example, the analyst should gather as much information as possible from all three hosts. It is also important to collect authentication logs for each host, to ensure that the offending accounts are well-documented. Analysts should account for all processes to ensure that the attackers did not install unauthorized software.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": [], "investigation_names": ["Get History Of Email Sources", "Get Notable History", "Get Parent Process Info", "Get Process Info", "Get Process Information For Port Activity"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": []}, {"name": "Monitor Backup Solution", "author": "David Dorsey, Splunk", "date": "2017-09-12", "version": 1, "id": "abe807c7-1eb6-4304-ac32-6e7aacdb891d", "description": "Address common concerns when monitoring your backup processes. These searches can help you reduce risks from ransomware, device theft, or denial of physical access to a host by backing up data on endpoints.", "references": ["https://www.carbonblack.com/2016/03/04/tracking-locky-ransomware-using-carbon-black/"], "narrative": "Having backups is a standard best practice that helps ensure continuity of business operations. Having mature backup processes can also help you reduce the risks of many security-related incidents and streamline your response processes. The detection searches in this Analytic Story will help you identify systems that have backup failures, as well as systems that have not been backed up for an extended period of time. The story will also return the notable event history and all of the backup logs for an endpoint.", "tags": {"category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Compliance", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Extended Period Without Successful Netbackup Backups - Rule", "ESCU - Unsuccessful Netbackup backups - Rule"], "investigation_names": ["All backup logs for host", "Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Extended Period Without Successful Netbackup Backups", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Unsuccessful Netbackup backups", "source": "deprecated", "type": "Hunting", "tags": []}]}, {"name": "Monitor for Unauthorized Software", "author": "David Dorsey, Splunk", "date": "2017-09-15", "version": 1, "id": "8892a655-6205-43f7-abba-06460e38c8ae", "description": "Identify and investigate prohibited/unauthorized software or processes that may be concealing malicious behavior within your environment. ", "references": ["https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"], "narrative": "It is critical to identify unauthorized software and processes running on enterprise endpoints and determine whether they are likely to be malicious. This Analytic Story requires the user to populate the Interesting Processes table within Enterprise Security with prohibited processes. An included support search will augment this data, adding information on processes thought to be malicious. This search requires data from endpoint detection-and-response solutions, endpoint data sources (such as Sysmon), or Windows Event Logs--assuming that the Active Directory administrator has enabled process tracking within the System Event Audit Logs.\nIt is important to investigate any software identified as suspicious, in order to understand how it was installed or executed. Analyzing authentication logs or any historic notable events might elicit additional investigative leads of interest. For best results, schedule the search to run every two weeks. ", "tags": {"category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Compliance", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Prohibited Software On Endpoint - Rule", "ESCU - Attacker Tools On Endpoint - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Prohibited Software On Endpoint", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Attacker Tools On Endpoint", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Match Legitimate Name or Location"}, {"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "Active Scanning"}]}]}, {"name": "Office 365 Detections", "author": "Patrick Bareiss, Mauricio Velazco, Splunk", "date": "2020-12-16", "version": 2, "id": "1a51dd71-effc-48b2-abc4-3e9cdb61e5b9", "description": "Monitor for activities and anomalies indicative of potential threats within Office 365 environments.", "references": ["https://i.blackhat.com/USA-20/Thursday/us-20-Bienstock-My-Cloud-Is-APTs-Cloud-Investigating-And-Defending-Office-365.pdf", "https://attack.mitre.org/matrices/enterprise/cloud/office365/", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-120a"], "narrative": "Office 365 (O365) is Microsoft's cloud-based suite of productivity tools, encompassing email, collaboration platforms, and office applications, all integrated with Azure Active Directory for identity and access management. Given the centralized storage of sensitive organizational data within O365 and its widespread adoption, it has become a focal point for cybersecurity efforts. The platform's complexity, combined with its ubiquity, makes it both a valuable asset and a prime target for potential threats. As O365's importance grows, it increasingly becomes a target for attackers seeking to exploit organizational data and systems. Security teams should prioritize monitoring O365 not just because of the sensitive data it often holds, but also due to the myriad ways the platform can be exploited. Understanding and monitoring O365's security landscape is crucial for organizations to detect, respond to, and mitigate potential threats in a timely manner.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": [], "investigation_names": [], "baseline_names": [], "author_company": "Mauricio Velazco, Splunk", "author_name": "Patrick Bareiss", "detections": []}, {"name": "Spectre And Meltdown Vulnerabilities", "author": "David Dorsey, Splunk", "date": "2018-01-08", "version": 1, "id": "6d3306f6-bb2b-4219-8609-8efad64032f2", "description": "Assess and mitigate your systems' vulnerability to Spectre and Meltdown exploitation with the searches in this Analytic Story.", "references": ["https://meltdownattack.com/"], "narrative": "Meltdown and Spectre exploit critical vulnerabilities in modern CPUs that allow unintended access to data in memory. This Analytic Story will help you identify the systems can be patched for these vulnerabilities, as well as those that still need to be patched.", "tags": {"category": ["Vulnerability"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Spectre and Meltdown Vulnerable Systems - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Spectre and Meltdown Vulnerable Systems", "source": "deprecated", "type": "TTP", "tags": []}]}, {"name": "Suspicious AWS EC2 Activities", "author": "Bhavin Patel, Splunk", "date": "2018-02-09", "version": 1, "id": "2e8948a5-5239-406b-b56b-6c50f1268af3", "description": "Use the searches in this Analytic Story to monitor your AWS EC2 instances for evidence of anomalous activity and suspicious behaviors, such as EC2 instances that originate from unusual locations or those launched by previously unseen users (among others). Included investigative searches will help you probe more deeply, when the information warrants it.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "narrative": "AWS CloudTrail is an AWS service that helps you enable governance, compliance, and risk auditing within your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. It is crucial for a company to monitor events and actions taken in the AWS Console, AWS command-line interface, and AWS SDKs and APIs to ensure that your EC2 instances are not vulnerable to attacks. This Analytic Story identifies suspicious activities in your AWS EC2 instances and helps you respond and investigate those activities.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Persistence", "Privilege Escalation", "Initial Access", "Defense Evasion"], "datamodels": [], "kill_chain_phases": ["Installation", "Delivery", "Exploitation"]}, "detection_names": ["ESCU - Abnormally High AWS Instances Launched by User - Rule", "ESCU - Abnormally High AWS Instances Launched by User - MLTK - Rule", "ESCU - Abnormally High AWS Instances Terminated by User - Rule", "ESCU - Abnormally High AWS Instances Terminated by User - MLTK - Rule", "ESCU - EC2 Instance Started In Previously Unseen Region - Rule", "ESCU - EC2 Instance Started With Previously Unseen User - Rule"], "investigation_names": ["AWS Investigate Security Hub alerts by dest", "AWS Investigate User Activities By ARN", "Get EC2 Instance Details by instanceId", "Get EC2 Launch Details", "Get Notable History", "Investigate AWS activities via region name"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Abnormally High AWS Instances Launched by User", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Accounts"}]}, {"name": "Abnormally High AWS Instances Launched by User - MLTK", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Accounts"}]}, {"name": "Abnormally High AWS Instances Terminated by User", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Accounts"}]}, {"name": "Abnormally High AWS Instances Terminated by User - MLTK", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Accounts"}]}, {"name": "EC2 Instance Started In Previously Unseen Region", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}, {"name": "EC2 Instance Started With Previously Unseen User", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Accounts"}]}]}, {"name": "Unusual AWS EC2 Modifications", "author": "David Dorsey, Splunk", "date": "2018-04-09", "version": 1, "id": "73de57ef-0dfc-411f-b1e7-fa24428aeae0", "description": "Identify unusual changes to your AWS EC2 instances that may indicate malicious activity. Modifications to your EC2 instances by previously unseen users is an example of an activity that may warrant further investigation.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "narrative": "A common attack technique is to infiltrate a cloud instance and make modifications. The adversary can then secure access to your infrastructure or hide their activities. So it's important to stay alert to changes that may indicate that your environment has been compromised.\nSearches within this Analytic Story can help you detect the presence of a threat by monitoring for EC2 instances that have been created or changed--either by users that have never previously performed these activities or by known users who modify or create instances in a way that have not been done before. This story also provides investigative searches that help you go deeper once you detect suspicious behavior.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - EC2 Instance Modified With Previously Unseen User - Rule"], "investigation_names": ["AWS Investigate User Activities By ARN", "Get EC2 Instance Details by instanceId", "Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "EC2 Instance Modified With Previously Unseen User", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Accounts"}]}]}, {"name": "Web Fraud Detection", "author": "Jim Apger, Splunk", "date": "2018-10-08", "version": 1, "id": "18bb45b9-7684-45c6-9e97-1fdd0d98c0a7", "description": "Monitor your environment for activity consistent with common attack techniques bad actors use when attempting to compromise web servers or other web-related assets.", "references": ["https://www.fbi.gov/scams-and-safety/common-fraud-schemes/internet-fraud", "https://www.fbi.gov/news/stories/2017-internet-crime-report-released-050718"], "narrative": "The Federal Bureau of Investigations (FBI) defines Internet fraud as the use of Internet services or software with Internet access to defraud victims or to otherwise take advantage of them. According to the Bureau, Internet crime schemes are used to steal millions of dollars each year from victims and continue to plague the Internet through various methods. The agency includes phishing scams, data breaches, Denial of Service (DOS) attacks, email account compromise, malware, spoofing, and ransomware in this category.\nThese crimes are not the fraud itself, but rather the attack techniques commonly employed by fraudsters in their pursuit of data that enables them to commit malicious actssuch as obtaining and using stolen credit cards. They represent a serious problem that is steadily increasing and not likely to go away anytime soon.\nWhen developing a strategy for preventing fraud in your environment, its important to look across all of your web services for evidence that attackers are abusing enterprise resources to enumerate systems, harvest data for secondary fraudulent activity, or abuse terms of service.This Analytic Story looks for evidence of common Internet attack techniques that could be indicative of web fraud in your environmentincluding account harvesting, anomalous user clickspeed, and password sharing across accounts, to name just a few.\nThe account-harvesting search focuses on web pages used for user-account registration. It detects the creation of a large number of user accounts using the same email domain name, a type of activity frequently seen in advance of a fraud campaign.\nThe anomalous clickspeed search looks for users who are moving through your website at a faster-than-normal speed or with a perfect click cadence (high periodicity or low standard deviation), which could indicate that the user is a script, not an actual human.\nAnother search detects incidents wherein a single password is used across multiple accounts, which may indicate that a fraudster has infiltrated your environment and embedded a common password within a script.", "tags": {"category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Fraud Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider", "Scattered Spider"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Persistence", "Privilege Escalation", "Initial Access", "Defense Evasion"], "datamodels": [], "kill_chain_phases": ["Installation", "Delivery", "Exploitation"]}, "detection_names": ["ESCU - Web Fraud - Account Harvesting - Rule", "ESCU - Web Fraud - Anomalous User Clickspeed - Rule", "ESCU - Web Fraud - Password Sharing Across Accounts - Rule"], "investigation_names": ["Get Emails From Specific Sender", "Get Notable History", "Get Web Session Information via session id"], "baseline_names": [], "author_company": "Splunk", "author_name": "Jim Apger", "detections": [{"name": "Web Fraud - Account Harvesting", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Create Account"}]}, {"name": "Web Fraud - Anomalous User Clickspeed", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "Web Fraud - Password Sharing Across Accounts", "source": "deprecated", "type": "Anomaly", "tags": []}]}, {"name": "Detect Zerologon Attack", "author": "Rod Soto, Jose Hernandez, Stan Miskowicz, David Dorsey, Shannon Davis Splunk", "date": "2020-09-18", "version": 1, "id": "5d14a962-569e-4578-939f-f386feb63ce4", "description": "Uncover activity related to the execution of Zerologon CVE-2020-11472, a technique wherein attackers target a Microsoft Windows Domain Controller to reset its computer account password. The result from this attack is attackers can now provide themselves high privileges and take over Domain Controller. The included searches in this Analytic Story are designed to identify attempts to reset Domain Controller Computer Account via exploit code remotely or via the use of tool Mimikatz as payload carrier.", "references": ["https://attack.mitre.org/wiki/Technique/T1003", "https://github.com/SecuraBV/CVE-2020-1472", "https://www.secura.com/blog/zero-logon", "https://nvd.nist.gov/vuln/detail/CVE-2020-1472"], "narrative": "This attack is a privilege escalation technique, where attacker targets a Netlogon secure channel connection to a domain controller, using Netlogon Remote Protocol (MS-NRPC). This vulnerability exposes vulnerable Windows Domain Controllers to be targeted via unaunthenticated RPC calls which eventually reset Domain Contoller computer account ($) providing the attacker the opportunity to exfil domain controller credential secrets and assign themselve high privileges that can lead to domain controller and potentially complete network takeover. The detection searches in this Analytic Story use Windows Event viewer events and Sysmon events to detect attack execution, these searches monitor access to the Local Security Authority Subsystem Service (LSASS) process which is an indicator of the use of Mimikatz tool which has bee updated to carry this attack payload.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1210", "mitre_attack_technique": "Exploitation of Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "Dragonfly", "Earth Lusca", "FIN7", "Fox Kitten", "MuddyWater", "Threat Group-3390", "Tonto Team", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Lateral Movement", "Credential Access"], "datamodels": [], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Detect Computer Changed with Anonymous Account - Rule", "ESCU - Detect Credential Dumping through LSASS access - Rule", "ESCU - Windows Possible Credential Dumping - Rule", "ESCU - Detect Zerologon via Zeek - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Jose Hernandez, Stan Miskowicz, David Dorsey, Shannon Davis Splunk", "author_name": "Rod Soto", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Detect Computer Changed with Anonymous Account", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Exploitation of Remote Services"}]}, {"name": "Detect Credential Dumping through LSASS access", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Windows Possible Credential Dumping", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Detect Zerologon via Zeek", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}]}, {"name": "Dev Sec Ops", "author": "Patrick Bareiss, Splunk", "date": "2021-08-18", "version": 1, "id": "0ca8c38e-631e-4b81-940c-f9c5450ce41e", "description": "This story is focused around detecting attacks on a DevSecOps lifeccycle which consists of the phases plan, code, build, test, release, deploy, operate and monitor.", "references": ["https://www.redhat.com/en/topics/devops/what-is-devsecops"], "narrative": "DevSecOps is a collaborative framework, which thinks about application and infrastructure security from the start. This means that security tools are part of the continuous integration and continuous deployment pipeline. In this analytics story, we focused on detections around the tools used in this framework such as GitHub as a version control system, GDrive for the documentation, CircleCI as the CI/CD pipeline, Kubernetes as the container execution engine and multiple security tools such as Semgrep and Kube-Hunter.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204.003", "mitre_attack_technique": "Malicious Image", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1554", "mitre_attack_technique": "Compromise Host Software Binary", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT5"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1195.002", "mitre_attack_technique": "Compromise Software Supply Chain", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT41", "Cobalt Group", "Dragonfly", "FIN7", "GOLD SOUTHFIELD", "Sandworm Team", "Threat Group-3390"]}, {"mitre_attack_id": "T1567.002", "mitre_attack_technique": "Exfiltration to Cloud Storage", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["Akira", "Chimera", "Cinnamon Tempest", "Confucius", "Earth Lusca", "FIN7", "HAFNIUM", "HEXANE", "Kimsuky", "Leviathan", "LuminousMoth", "POLONIUM", "Scattered Spider", "Threat Group-3390", "ToddyCat", "Turla", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1526", "mitre_attack_technique": "Cloud Service Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1195", "mitre_attack_technique": "Supply Chain Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1199", "mitre_attack_technique": "Trusted Relationship", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "GOLD SOUTHFIELD", "LAPSUS$", "POLONIUM", "Sandworm Team", "Threat Group-3390", "menuPass"]}, {"mitre_attack_id": "T1195.001", "mitre_attack_technique": "Compromise Software Dependencies and Development Tools", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1567", "mitre_attack_technique": "Exfiltration Over Web Service", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT28", "Magic Hound"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1212", "mitre_attack_technique": "Exploitation for Credential Access", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Exfiltration", "Initial Access", "Discovery", "Credential Access", "Persistence", "Execution"], "datamodels": ["Risk"], "kill_chain_phases": ["Installation", "Delivery", "Actions on Objectives", "Exploitation"]}, "detection_names": ["ESCU - ASL AWS ECR Container Upload Outside Business Hours - Rule", "ESCU - ASL AWS ECR Container Upload Unknown User - Rule", "ESCU - AWS ECR Container Scanning Findings High - Rule", "ESCU - AWS ECR Container Scanning Findings Low Informational Unknown - Rule", "ESCU - AWS ECR Container Scanning Findings Medium - Rule", "ESCU - AWS ECR Container Upload Outside Business Hours - Rule", "ESCU - AWS ECR Container Upload Unknown User - Rule", "ESCU - Circle CI Disable Security Job - Rule", "ESCU - Circle CI Disable Security Step - Rule", "ESCU - GitHub Actions Disable Security Workflow - Rule", "ESCU - Github Commit Changes In Master - Rule", "ESCU - Github Commit In Develop - Rule", "ESCU - GitHub Dependabot Alert - Rule", "ESCU - GitHub Pull Request from Unknown User - Rule", "ESCU - Gsuite Drive Share In External Email - Rule", "ESCU - GSuite Email Suspicious Attachment - Rule", "ESCU - Gsuite Email Suspicious Subject With Attachment - Rule", "ESCU - Gsuite Email With Known Abuse Web Service Link - Rule", "ESCU - Gsuite Outbound Email With Attachment To External Domain - Rule", "ESCU - Gsuite Suspicious Shared File Name - Rule", "ESCU - Kubernetes Nginx Ingress LFI - Rule", "ESCU - Kubernetes Nginx Ingress RFI - Rule", "ESCU - Kubernetes Scanner Image Pulling - Rule", "ESCU - Risk Rule for Dev Sec Ops by Repository - Rule", "ESCU - Correlation by Repository and Risk - Rule", "ESCU - Correlation by User and Risk - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Patrick Bareiss", "detections": [{"name": "ASL AWS ECR Container Upload Outside Business Hours", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Malicious Image"}, {"mitre_attack_technique": "User Execution"}]}, {"name": "ASL AWS ECR Container Upload Unknown User", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Malicious Image"}, {"mitre_attack_technique": "User Execution"}]}, {"name": "AWS ECR Container Scanning Findings High", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Malicious Image"}, {"mitre_attack_technique": "User Execution"}]}, {"name": "AWS ECR Container Scanning Findings Low Informational Unknown", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Malicious Image"}, {"mitre_attack_technique": "User Execution"}]}, {"name": "AWS ECR Container Scanning Findings Medium", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Malicious Image"}, {"mitre_attack_technique": "User Execution"}]}, {"name": "AWS ECR Container Upload Outside Business Hours", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Malicious Image"}, {"mitre_attack_technique": "User Execution"}]}, {"name": "AWS ECR Container Upload Unknown User", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Malicious Image"}, {"mitre_attack_technique": "User Execution"}]}, {"name": "Circle CI Disable Security Job", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Compromise Host Software Binary"}]}, {"name": "Circle CI Disable Security Step", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Compromise Host Software Binary"}]}, {"name": "GitHub Actions Disable Security Workflow", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Compromise Software Supply Chain"}, {"mitre_attack_technique": "Supply Chain Compromise"}]}, {"name": "Github Commit Changes In Master", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Trusted Relationship"}]}, {"name": "Github Commit In Develop", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Trusted Relationship"}]}, {"name": "GitHub Dependabot Alert", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Compromise Software Dependencies and Development Tools"}, {"mitre_attack_technique": "Supply Chain Compromise"}]}, {"name": "GitHub Pull Request from Unknown User", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Compromise Software Dependencies and Development Tools"}, {"mitre_attack_technique": "Supply Chain Compromise"}]}, {"name": "Gsuite Drive Share In External Email", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exfiltration to Cloud Storage"}, {"mitre_attack_technique": "Exfiltration Over Web Service"}]}, {"name": "GSuite Email Suspicious Attachment", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}, {"name": "Gsuite Email Suspicious Subject With Attachment", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}, {"name": "Gsuite Email With Known Abuse Web Service Link", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}, {"name": "Gsuite Outbound Email With Attachment To External Domain", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}, {"name": "Gsuite Suspicious Shared File Name", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}, {"name": "Kubernetes Nginx Ingress LFI", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploitation for Credential Access"}]}, {"name": "Kubernetes Nginx Ingress RFI", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploitation for Credential Access"}]}, {"name": "Kubernetes Scanner Image Pulling", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Cloud Service Discovery"}]}, {"name": "Risk Rule for Dev Sec Ops by Repository", "source": "cloud", "type": "Correlation", "tags": [{"mitre_attack_technique": "Malicious Image"}, {"mitre_attack_technique": "User Execution"}]}, {"name": "Correlation by Repository and Risk", "source": "deprecated", "type": "Correlation", "tags": [{"mitre_attack_technique": "Malicious Image"}, {"mitre_attack_technique": "User Execution"}]}, {"name": "Correlation by User and Risk", "source": "deprecated", "type": "Correlation", "tags": [{"mitre_attack_technique": "Malicious Image"}, {"mitre_attack_technique": "User Execution"}]}]}, {"name": "DHS Report TA18-074A", "author": "Rico Valdez, Splunk", "date": "2020-01-22", "version": 2, "id": "0c016e5c-88be-4e2c-8c6c-c2b55b4fb4ef", "description": "Monitor for suspicious activities associated with DHS Technical Alert US-CERT TA18-074A. Some of the activities that adversaries used in these compromises included spearfishing attacks, malware, watering-hole domains, many and more.", "references": ["https://www.us-cert.gov/ncas/alerts/TA18-074A"], "narrative": "The frequency of nation-state cyber attacks has increased significantly over the last decade. Employing numerous tactics and techniques, these attacks continue to escalate in complexity.\nThere is a wide range of motivations for these state-sponsored hacks, including stealing valuable corporate, military, or diplomatic dataѿall of which could confer advantages in various arenas. They may also target critical infrastructure.\nOne joint Technical Alert (TA) issued by the Department of Homeland and the FBI in mid-March of 2018 attributed some cyber activity targeting utility infrastructure to operatives sponsored by the Russian government. The hackers executed spearfishing attacks, installed malware, employed watering-hole domains, and more. While they caused no physical damage, the attacks provoked fears that a nation-state could turn off water, redirect power, or compromise a nuclear power plant.\nSuspicious activities--spikes in SMB traffic, processes that launch netsh (to modify the network configuration), suspicious registry modifications, and many more--may all be events you may wish to investigate further. While the use of these technique may be an indication that a nation-state actor is attempting to compromise your environment, it is important to note that these techniques are often employed by other groups, as well.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1071.002", "mitre_attack_technique": "File Transfer Protocols", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Dragonfly", "Kimsuky", "SilverTerrier"]}, {"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "APT5", "Dragonfly", "FIN13", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT", "Wizard Spider"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider", "Scattered Spider"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Magic Hound", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT", "ToddyCat"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Command And Control", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Lateral Movement"], "datamodels": ["Network_Traffic", "Endpoint"], "kill_chain_phases": ["Installation", "Exploitation", "Command and Control"]}, "detection_names": ["ESCU - First time seen command line argument - Rule", "ESCU - Create local admin accounts using net exe - Rule", "ESCU - Detect New Local Admin account - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule", "ESCU - Processes launching netsh - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Single Letter Process On Endpoint - Rule", "ESCU - Suspicious Reg exe Process - Rule", "ESCU - Detect Outbound SMB Traffic - Rule", "ESCU - SMB Traffic Spike - Rule", "ESCU - SMB Traffic Spike - MLTK - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process File Activity", "Get Process Info", "Get Process Information For Port Activity"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "First time seen command line argument", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Windows Command Shell"}]}, {"name": "Create local admin accounts using net exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}, {"name": "Detect New Local Admin account", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Malicious PowerShell Process - Execution Policy Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Processes launching netsh", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Single Letter Process On Endpoint", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "User Execution"}, {"mitre_attack_technique": "Malicious File"}]}, {"name": "Suspicious Reg exe Process", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Detect Outbound SMB Traffic", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "File Transfer Protocols"}, {"mitre_attack_technique": "Application Layer Protocol"}]}, {"name": "SMB Traffic Spike", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "SMB Traffic Spike - MLTK", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Remote Services"}]}]}, {"name": "Disabling Security Tools", "author": "Rico Valdez, Splunk", "date": "2020-02-04", "version": 2, "id": "fcc27099-46a0-46b0-a271-5c7dab56b6f1", "description": "Looks for activities and techniques associated with the disabling of security tools on a Windows system, such as suspicious `reg.exe` processes, processes launching netsh, and many others.", "references": ["https://attack.mitre.org/wiki/Technique/T1089", "https://blog.malwarebytes.com/cybercrime/2015/11/vonteera-adware-uses-certificates-to-disable-anti-malware/", "https://web.archive.org/web/20220425194457/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Tools-Report.pdf"], "narrative": "Attackers employ a variety of tactics in order to avoid detection and operate without barriers. This often involves modifying the configuration of security tools to get around them or explicitly disabling them to prevent them from running. This Analytic Story includes searches that look for activity consistent with attackers attempting to disable various security mechanisms. Such activity may involve monitoring for suspicious registry activity, as this is where much of the configuration for Windows and various other programs reside, or explicitly attempting to shut down security-related services. Other times, attackers attempt various tricks to prevent specific programs from running, such as adding the certificates with which the security tools are signed to a block list (which would prevent them from running).", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1553.004", "mitre_attack_technique": "Install Root Certificate", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT", "ToddyCat"]}, {"mitre_attack_id": "T1553", "mitre_attack_technique": "Subvert Trust Controls", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Axiom"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}], "mitre_attack_tactics": ["Persistence", "Defense Evasion", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - Attempt To Add Certificate To Untrusted Store - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - Processes launching netsh - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Suspicious Reg exe Process - Rule", "ESCU - Unload Sysmon Filter Driver - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Attempt To Add Certificate To Untrusted Store", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Install Root Certificate"}, {"mitre_attack_technique": "Subvert Trust Controls"}]}, {"name": "Attempt To Stop Security Service", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Processes launching netsh", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Suspicious Reg exe Process", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Unload Sysmon Filter Driver", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "System Network Connections Discovery"}, {"mitre_attack_technique": "System Owner/User Discovery"}, {"mitre_attack_technique": "System Shutdown/Reboot"}, {"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}]}, {"name": "DNS Amplification Attacks", "author": "Bhavin Patel, Splunk", "date": "2016-09-13", "version": 1, "id": "a563972b-d2e2-4978-b6ca-6e83e24af4d3", "description": "DNS poses a serious threat as a Denial of Service (DOS) amplifier, if it responds to `ANY` queries. This Analytic Story can help you detect attackers who may be abusing your company's DNS infrastructure to launch amplification attacks, causing Denial of Service to other victims.", "references": ["https://www.us-cert.gov/ncas/alerts/TA13-088A", "https://www.imperva.com/learn/application-security/dns-amplification/"], "narrative": "The Domain Name System (DNS) is the protocol used to map domain names to IP addresses. It has been proven to work very well for its intended function. However if DNS is misconfigured, servers can be abused by attackers to levy amplification or redirection attacks against victims. Because DNS responses to `ANY` queries are so much larger than the queries themselves--and can be made with a UDP packet, which does not require a handshake--attackers can spoof the source address of the packet and cause much more data to be sent to the victim than if they sent the traffic themselves. The `ANY` requests are will be larger than normal DNS server requests, due to the fact that the server provides significant details, such as MX records and associated IP addresses. A large volume of this traffic can result in a DOS on the victim's machine. This misconfiguration leads to two possible victims, the first being the DNS servers participating in an attack and the other being the hosts that are the targets of the DOS attack.\nThe search in this story can help you to detect if attackers are abusing your company's DNS infrastructure to launch DNS amplification attacks causing Denial of Service to other victims.", "tags": {"category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Large Volume of DNS ANY Queries - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Large Volume of DNS ANY Queries", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Network Denial of Service"}, {"mitre_attack_technique": "Reflection Amplification"}]}]}, {"name": "DNS Hijacking", "author": "Bhavin Patel, Splunk", "date": "2020-02-04", "version": 1, "id": "8169f17b-ef68-4b59-aa28-586907301221", "description": "Secure your environment against DNS hijacks with searches that help you detect and investigate unauthorized changes to DNS records.", "references": ["https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", "https://umbrella.cisco.com/blog/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/", "http://www.noip.com/blog/2014/07/11/dynamic-dns-can-use-2/", "https://www.splunk.com/blog/2015/08/04/detecting-dynamic-dns-domains-in-splunk.html"], "narrative": "Dubbed the Achilles heel of the Internet (see https://www.f5.com/labs/articles/threat-intelligence/dns-is-still-the-achilles-heel-of-the-internet-25613), DNS plays a critical role in routing web traffic but is notoriously vulnerable to attack. One reason is its distributed nature. It relies on unstructured connections between millions of clients and servers over inherently insecure protocols.\nThe gravity and extent of the importance of securing DNS from attacks is undeniable. The fallout of compromised DNS can be disastrous. Not only can hackers bring down an entire business, they can intercept confidential information, emails, and login credentials, as well.\nOn January 22, 2019, the US Department of Homeland Security 2019's Cybersecurity and Infrastructure Security Agency (CISA) raised awareness of some high-profile DNS hijacking attacks against infrastructure, both in the United States and abroad. It issued Emergency Directive 19-01 (see https://cyber.dhs.gov/ed/19-01/), which summarized the activity and required government agencies to take the following four actions, all within 10 days:\n1. For all .gov or other agency-managed domains, audit public DNS records on all authoritative and secondary DNS servers, verify that they resolve to the intended location or report them to CISA.\n1. Update the passwords for all accounts on systems that can make changes to each agency 2019's DNS records.\n1. Implement multi-factor authentication (MFA) for all accounts on systems that can make changes to each agency's 2019 DNS records or, if impossible, provide CISA with the names of systems, the reasons why MFA cannot be enabled within the required timeline, and an ETA for when it can be enabled.\n1. CISA will begin regular delivery of newly added certificates to Certificate Transparency (CT) logs for agency domains via the Cyber Hygiene service. Upon receipt, agencies must immediately begin monitoring CT log data for certificates issued that they did not request. If an agency confirms that a certificate was unauthorized, it must report the certificate to the issuing certificate authority and to CISA. Of course, it makes sense to put equivalent actions in place within your environment, as well.\nIn DNS hijacking, the attacker assumes control over an account or makes use of a DNS service exploit to make changes to DNS records. Once they gain access, attackers can substitute their own MX records, name-server records, and addresses, redirecting emails and traffic through their infrastructure, where they can read, copy, or modify information seen. They can also generate valid encryption certificates to help them avoid browser-certificate checks. In one notable attack on the Internet service provider, GoDaddy, the hackers altered Sender Policy Framework (SPF) records a relatively minor change that did not inflict excessive damage but allowed for more effective spam campaigns.\nThe searches in this Analytic Story help you detect and investigate activities that may indicate that DNS hijacking has taken place within your environment.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "Mustard Tempest", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}, {"mitre_attack_id": "T1568.002", "mitre_attack_technique": "Domain Generation Algorithms", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "TA551"]}, {"mitre_attack_id": "T1071.004", "mitre_attack_technique": "DNS", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT39", "APT41", "Chimera", "Cobalt Group", "FIN7", "Ke3chang", "LazyScripter", "OilRig", "Tropic Trooper"]}], "mitre_attack_tactics": ["Initial Access", "Command And Control", "Exfiltration"], "datamodels": ["Network_Resolution"], "kill_chain_phases": ["Delivery", "Actions on Objectives", "Command and Control"]}, "detection_names": ["ESCU - Clients Connecting to Multiple DNS Servers - Rule", "ESCU - DNS Query Requests Resolved by Unauthorized DNS Servers - Rule", "ESCU - DNS record changed - Rule", "ESCU - Detect DGA domains using pretrained model in DSDL - Rule", "ESCU - Detect DNS Data Exfiltration using pretrained model in DSDL - Rule", "ESCU - Detect hosts connecting to dynamic domain providers - Rule", "ESCU - Detect suspicious DNS TXT records using pretrained model in DSDL - Rule"], "investigation_names": ["Get DNS Server History for a host"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Clients Connecting to Multiple DNS Servers", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}, {"name": "DNS Query Requests Resolved by Unauthorized DNS Servers", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "DNS"}]}, {"name": "DNS record changed", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "DNS"}]}, {"name": "Detect DGA domains using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Domain Generation Algorithms"}]}, {"name": "Detect DNS Data Exfiltration using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}, {"name": "Detect hosts connecting to dynamic domain providers", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Drive-by Compromise"}]}, {"name": "Detect suspicious DNS TXT records using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Domain Generation Algorithms"}]}]}, {"name": "Domain Trust Discovery", "author": "Michael Haag, Splunk", "date": "2021-03-25", "version": 1, "id": "e6f30f14-8daf-11eb-a017-acde48001122", "description": "Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments.", "references": ["https://attack.mitre.org/techniques/T1482/"], "narrative": "Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain. Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct SID-History Injection, Pass the Ticket, and Kerberoasting. Domain trusts can be enumerated using the DSEnumerateDomainTrusts() Win32 API call, .NET methods, and LDAP. The Windows utility Nltest is known to be used by adversaries to enumerate domain trusts.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Akira", "Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}], "mitre_attack_tactics": ["Discovery"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - DSQuery Domain Discovery - Rule", "ESCU - NLTest Domain Trust Discovery - Rule", "ESCU - Windows AdFind Exe - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "DSQuery Domain Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Trust Discovery"}]}, {"name": "NLTest Domain Trust Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Trust Discovery"}]}, {"name": "Windows AdFind Exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}]}, {"name": "Double Zero Destructor", "author": "Teoderick Contreras, Rod Soto, Splunk", "date": "2022-03-25", "version": 1, "id": "f56e8c00-3224-4955-9a6e-924ec7da1df7", "description": "Double Zero Destructor is a destructive payload that enumerates Domain Controllers and executes killswitch if detected. Overwrites files with Zero blocks or using MS Windows API calls such as NtFileOpen, NtFSControlFile. This payload also deletes registry hives HKCU,HKLM, HKU, HKLM BCD.", "references": ["https://cert.gov.ua/article/38088", "https://blog.talosintelligence.com/2022/03/threat-advisory-doublezero.html"], "narrative": "Double zero destructor enumerates domain controllers, delete registry hives and overwrites files using zero blocks and API calls.", "tags": {"category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Persistence", "Privilege Escalation", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Deleted Registry By A Non Critical Process File Path - Rule", "ESCU - Windows Terminating Lsass Process - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Rod Soto, Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Windows Deleted Registry By A Non Critical Process File Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Terminating Lsass Process", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}]}, {"name": "Dynamic DNS", "author": "Bhavin Patel, Splunk", "date": "2018-09-06", "version": 2, "id": "8169f17b-ef68-4b59-aae8-586907301221", "description": "Detect and investigate hosts in your environment that may be communicating with dynamic domain providers. Attackers may leverage these services to help them avoid firewall blocks and deny lists.", "references": ["https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", "https://umbrella.cisco.com/blog/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/", "http://www.noip.com/blog/2014/07/11/dynamic-dns-can-use-2/", "https://www.splunk.com/blog/2015/08/04/detecting-dynamic-dns-domains-in-splunk.html"], "narrative": "Dynamic DNS services (DDNS) are legitimate low-cost or free services that allow users to rapidly update domain resolutions to IP infrastructure. While their usage can be benign, malicious actors can abuse DDNS to host harmful payloads or interactive-command-and-control infrastructure. These attackers will manually update or automate domain resolution changes by routing dynamic domains to IP addresses that circumvent firewall blocks and deny lists and frustrate a network defender's analytic and investigative processes. These searches will look for DNS queries made from within your infrastructure to suspicious dynamic domains and then investigate more deeply, when appropriate. While this list of top-level dynamic domains is not exhaustive, it can be dynamically updated as new suspicious dynamic domains are identified.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1071.001", "mitre_attack_technique": "Web Protocols", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Confucius", "Dark Caracal", "FIN13", "FIN4", "FIN8", "Gamaredon Group", "HAFNIUM", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LuminousMoth", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "OilRig", "Orangeworm", "Rancor", "Rocke", "Sandworm Team", "Sidewinder", "SilverTerrier", "Stealth Falcon", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "WIRTE", "Windshift", "Wizard Spider"]}, {"mitre_attack_id": "T1568.002", "mitre_attack_technique": "Domain Generation Algorithms", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "TA551"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}], "mitre_attack_tactics": ["Command And Control", "Exfiltration"], "datamodels": ["Web", "Endpoint", "Network_Resolution"], "kill_chain_phases": ["Actions on Objectives", "Command and Control"]}, "detection_names": ["ESCU - Detect web traffic to dynamic domain providers - Rule", "ESCU - DNS Exfiltration Using Nslookup App - Rule", "ESCU - Excessive Usage of NSLOOKUP App - Rule", "ESCU - Detect DGA domains using pretrained model in DSDL - Rule", "ESCU - Detect hosts connecting to dynamic domain providers - Rule"], "investigation_names": ["Get DNS Server History for a host", "Get DNS traffic ratio", "Get Notable History", "Get Process Responsible For The DNS Traffic"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect web traffic to dynamic domain providers", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Web Protocols"}]}, {"name": "DNS Exfiltration Using Nslookup App", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}, {"name": "Excessive Usage of NSLOOKUP App", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}, {"name": "Detect DGA domains using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Domain Generation Algorithms"}]}, {"name": "Detect hosts connecting to dynamic domain providers", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Drive-by Compromise"}]}]}, {"name": "Emotet Malware DHS Report TA18-201A", "author": "Bhavin Patel, Splunk", "date": "2020-01-27", "version": 1, "id": "bb9f5ed2-916e-4364-bb6d-91c310efcf52", "description": "Detect rarely used executables, specific registry paths that may confer malware survivability and persistence, instances where cmd.exe is used to launch script interpreters, and other indicators that the Emotet financial malware has compromised your environment.", "references": ["https://www.us-cert.gov/ncas/alerts/TA18-201A", "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf", "https://www.vkremez.com/2017/05/emotet-banking-trojan-malware-analysis.html"], "narrative": "The trojan downloader known as Emotet first surfaced in 2014, when it was discovered targeting the banking industry to steal credentials. However, according to a joint technical alert (TA) issued by three government agencies (https://www.us-cert.gov/ncas/alerts/TA18-201A), Emotet has evolved far beyond those beginnings to become what a ThreatPost article called a threat-delivery service(see https://threatpost.com/emotet-malware-evolves-beyond-banking-to-threat-delivery-service/134342/). For example, in early 2018, Emotet was found to be using its loader function to spread the Quakbot and Ransomware variants.\nAccording to the TA, the the malware continues to be among the most costly and destructive malware affecting the private and public sectors. Researchers have linked it to the threat group Mealybug, which has also been on the security communitys radar since 2014.\nThe searches in this Analytic Story will help you find executables that are rarely used in your environment, specific registry paths that malware often uses to ensure survivability and persistence, instances where cmd.exe is used to launch script interpreters, and other indicators that Emotet or other malware has compromised your environment. ", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1072", "mitre_attack_technique": "Software Deployment Tools", "mitre_attack_tactics": ["Execution", "Lateral Movement"], "mitre_attack_groups": ["APT32", "Sandworm Team", "Silence", "Threat Group-1314"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Initial Access", "Privilege Escalation", "Persistence", "Execution", "Lateral Movement"], "datamodels": ["Email", "Network_Traffic", "Endpoint"], "kill_chain_phases": ["Installation", "Delivery", "Exploitation"]}, "detection_names": ["ESCU - Email Attachments With Lots Of Spaces - Rule", "ESCU - Suspicious Email Attachment Extensions - Rule", "ESCU - Prohibited Software On Endpoint - Rule", "ESCU - Detect Use of cmd exe to Launch Script Interpreters - Rule", "ESCU - Detection of tools built by NirSoft - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - SMB Traffic Spike - Rule", "ESCU - SMB Traffic Spike - MLTK - Rule"], "investigation_names": ["Get History Of Email Sources", "Get Notable History", "Get Parent Process Info", "Get Process Info", "Get Process Information For Port Activity"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Email Attachments With Lots Of Spaces", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Suspicious Email Attachment Extensions", "source": "application", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}, {"name": "Prohibited Software On Endpoint", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Detect Use of cmd exe to Launch Script Interpreters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}]}, {"name": "Detection of tools built by NirSoft", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Software Deployment Tools"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "SMB Traffic Spike", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "SMB Traffic Spike - MLTK", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Remote Services"}]}]}, {"name": "F5 Authentication Bypass with TMUI", "author": "Michael Haag, Splunk", "date": "2023-10-30", "version": 1, "id": "e4acbea6-75bb-4873-8c22-bc2da9525e89", "description": "Research into leading software revealed vulnerabilities in both Apache Tomcat and the F5 BIG-IP suite. Apache's AJP protocol vulnerability, designated CVE-2022-26377, relates to AJP request smuggling. Successful exploitation enables unauthorized system activities. F5 BIG-IP Virtual Edition exhibited a distinct vulnerability, an authentication bypass in the Traffic Management User Interface (TMUI), resulting in system compromise. Assigned CVE-2023-46747, this vulnerability also arose from request smuggling, bearing similarity to CVE-2022-26377. Given the wide adoption of both Apache Tomcat and F5 products, these vulnerabilities present grave risks to organizations. Remediation and vulnerability detection mechanisms are essential to address these threats effectively.", "references": ["https://www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/", "https://github.com/projectdiscovery/nuclei-templates/blob/3b0bb71bd627c6c3139e1d06c866f8402aa228ae/http/cves/2023/CVE-2023-46747.yaml"], "narrative": "Both Apache Tomcat's AJP protocol and F5's BIG-IP Virtual Edition have been exposed to critical vulnerabilities. Apache's CVE-2022-26377 pertains to request smuggling by manipulating the \"Transfer-Encoding\" header. If successfully exploited, this allows attackers to bypass security controls and undertake unauthorized actions.\nSimilarly, F5 BIG-IP unveiled an authentication bypass vulnerability, CVE-2023-46747. Originating from the TMUI, this vulnerability leads to full system compromise. While distinct, it shares characteristics with Apache's vulnerability, primarily rooted in request smuggling. This vulnerability drew from past F5 CVEs, particularly CVE-2020-5902 and CVE-2022-1388, both previously exploited in real-world scenarios. These highlighted vulnerabilities in Apache HTTP and Apache Tomcat services, as well as authentication flaws in the F5 BIG-IP API.\nNuclei detection templates offer a proactive solution for identifying and mitigating these vulnerabilities. Integrated into vulnerability management frameworks, these templates notify organizations of potential risks, forming a base for further detection strategies. For detection engineers, understanding these vulnerabilities is crucial. Recognizing the mechanisms and effects of request smuggling, especially in Apache's and F5's context, provides a roadmap to effective detection and response. Prompt detection is a linchpin, potentially stymieing further, more destructive attacks.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - F5 TMUI Authentication Bypass - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "F5 TMUI Authentication Bypass", "source": "web", "type": "TTP", "tags": []}]}, {"name": "F5 BIG-IP Vulnerability CVE-2022-1388", "author": "Michael Haag, Splunk", "date": "2022-05-10", "version": 1, "id": "0367b177-f8d6-4c4b-a62d-86f52a590bff", "description": "CVE-2022-1388 is a unauthenticated remote code execution vulnerablity against BIG-IP iControl REST API.", "references": ["https://github.com/dk4trin/templates-nuclei/blob/main/CVE-2022-1388.yaml", "https://www.randori.com/blog/vulnerability-analysis-cve-2022-1388/", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1388", "https://twitter.com/da_667/status/1523770267327250438?s=20&t=-JnB_aNWuJFsmcOmxGUWLQ", "https://github.com/horizon3ai/CVE-2022-1388/blob/main/CVE-2022-1388.py"], "narrative": "CVE-2022-1388 is a critical vulnerability (CVSS 9.8) in the management interface of F5 Networks'' BIG-IP solution that enables an unauthenticated attacker to gain remote code execution on the system through bypassing F5''s iControl REST authentication. The vulnerability was first discovered by F5''s internal product security team and disclosed publicly on May 4, 2022, per Randori. This vulnerability,CVE-2022-1388, may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. There is no data plane exposure; this is a control plane issue only per F5 article K23605346. Is CVE-2022-1388 Exploitable? Yes. There are now multiple POC scripts available and reports of threat actors scanning and potentially exploiting the vulnerablity. Per Randori the specific interface needed to exploit this vulnerability is rarely publicly exposed, and the risk to most organizations of exploitation by an unauthenticated external actor is low.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - F5 BIG-IP iControl REST Vulnerability CVE-2022-1388 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "F5 BIG-IP iControl REST Vulnerability CVE-2022-1388", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}]}, {"name": "F5 TMUI RCE CVE-2020-5902", "author": "Shannon Davis, Splunk", "date": "2020-08-02", "version": 1, "id": "7678c968-d46e-11ea-87d0-0242ac130003", "description": "Uncover activity consistent with CVE-2020-5902. Discovered by Positive Technologies researchers, this vulnerability affects F5 BIG-IP, BIG-IQ. and Traffix SDC devices (vulnerable versions in F5 support link below). This vulnerability allows unauthenticated users, along with authenticated users, who have access to the configuration utility to execute system commands, create/delete files, disable services, and/or execute Java code. This vulnerability can result in full system compromise.", "references": ["https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/", "https://support.f5.com/csp/article/K52145254", "https://blog.cloudflare.com/cve-2020-5902-helping-to-protect-against-the-f5-tmui-rce-vulnerability/"], "narrative": "A client is able to perform a remote code execution on an exposed and vulnerable system. The detection search in this Analytic Story uses syslog to detect the malicious behavior. Syslog is going to be the best detection method, as any systems using SSL to protect their management console will make detection via wire data difficult. The searches included used Splunk Connect For Syslog (https://splunkbase.splunk.com/app/4740/), and used a custom destination port to help define the data as F5 data (covered in https://splunk-connect-for-syslog.readthedocs.io/en/master/sources/F5/)", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect F5 TMUI RCE CVE-2020-5902 - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Shannon Davis", "detections": [{"name": "Detect F5 TMUI RCE CVE-2020-5902", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}]}, {"name": "FIN7", "author": "Teoderick Contreras, Splunk", "date": "2021-09-14", "version": 1, "id": "df2b00d3-06ba-49f1-b253-b19cef19b569", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the FIN7 JS Implant and JSSLoader, including looking for Image Loading of ldap and wmi modules, associated with its payload, data collection and script execution.", "references": ["https://en.wikipedia.org/wiki/FIN7", "https://threatpost.com/fin7-windows-11-release/169206/", "https://www.proofpoint.com/us/blog/threat-insight/jssloader-recoded-and-reloaded"], "narrative": "FIN7 is a Russian criminal advanced persistent threat group that has primarily targeted the U.S. retail, restaurant, and hospitality sectors since mid-2015. A portion of FIN7 is run out of the front company Combi Security. It has been called one of the most successful criminal hacking groups in the world. this passed few day FIN7 tools and implant are seen in the wild where its code is updated. the FIN& is known to use the spear phishing attack as a entry to targetted network or host that will drop its staging payload like the JS and JSSloader. Now this artifacts and implants seen downloading other malware like cobaltstrike and event ransomware to encrypt host.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "Malteiro", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1059.007", "mitre_attack_technique": "JavaScript", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "Cobalt Group", "Earth Lusca", "Ember Bear", "Evilnum", "FIN6", "FIN7", "Higaisa", "Indrik Spider", "Kimsuky", "LazyScripter", "Leafminer", "Molerats", "MoustachedBouncer", "MuddyWater", "Sidewinder", "Silence", "TA505", "Turla"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "APT5", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "APT41", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Malteiro", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.005", "mitre_attack_technique": "Visual Basic", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT33", "APT37", "APT38", "APT39", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Earth Lusca", "FIN13", "FIN4", "FIN7", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "Transparent Tribe", "Turla", "WIRTE", "Windshift"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1134.004", "mitre_attack_technique": "Parent PID Spoofing", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Initial Access", "Discovery", "Credential Access", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Impact"], "datamodels": ["Risk", "Endpoint"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Check Elevated CMD using whoami - Rule", "ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Jscript Execution Using Cscript App - Rule", "ESCU - MS Scripting Process Loading Ldap Module - Rule", "ESCU - MS Scripting Process Loading WMI Module - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Office Application Drop Executable - Rule", "ESCU - Office Product Spawning Wmic - Rule", "ESCU - Vbscript Execution Using Wscript App - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Wscript Or Cscript Suspicious Child Process - Rule", "ESCU - XSL Script Execution With WMIC - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Check Elevated CMD using whoami", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Owner/User Discovery"}]}, {"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}, {"name": "Jscript Execution Using Cscript App", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}, {"name": "MS Scripting Process Loading Ldap Module", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}, {"name": "MS Scripting Process Loading WMI Module", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "Office Application Drop Executable", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawning Wmic", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Vbscript Execution Using Wscript App", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Visual Basic"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "System Network Connections Discovery"}, {"mitre_attack_technique": "System Owner/User Discovery"}, {"mitre_attack_technique": "System Shutdown/Reboot"}, {"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Wscript Or Cscript Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Parent PID Spoofing"}, {"mitre_attack_technique": "Access Token Manipulation"}]}, {"name": "XSL Script Execution With WMIC", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "XSL Script Processing"}]}]}, {"name": "Flax Typhoon", "author": "Michael Haag, Splunk", "date": "2023-08-25", "version": 1, "id": "78fadce9-a07f-4508-8d14-9b20052a62cc", "description": "Microsoft has identified a nation-state activity group, Flax Typhoon, based in China, targeting Taiwanese organizations for espionage. The group maintains long-term access to networks with minimal use of malware, relying on built-in OS tools and benign software. The group's activities are primarily focused on Taiwan, but the techniques used could be easily reused in other operations outside the region. Microsoft has not observed Flax Typhoon using this access to conduct additional actions.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/"], "narrative": "Flax Typhoon has been active since mid-2021, targeting government agencies, education, critical manufacturing, and IT organizations in Taiwan. The group uses the China Chopper web shell, Metasploit, Juicy Potato privilege escalation tool, Mimikatz, and SoftEther VPN client. However, they primarily rely on living-off-the-land techniques and hands-on-keyboard activity. Initial access is achieved by exploiting known vulnerabilities in public-facing servers and deploying web shells. Following initial access, Flax Typhoon uses command-line tools to establish persistent access over the remote desktop protocol, deploy a VPN connection to actor-controlled network infrastructure, and collect credentials from compromised systems. The group also uses this VPN access to scan for vulnerabilities on targeted systems and organizations from the compromised systems.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1546.008", "mitre_attack_technique": "Accessibility Features", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT3", "APT41", "Axiom", "Deep Panda", "Fox Kitten"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1197", "mitre_attack_technique": "BITS Jobs", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": ["APT39", "APT41", "Leviathan", "Patchwork", "Wizard Spider"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "APT5", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}], "mitre_attack_tactics": ["Command And Control", "Privilege Escalation", "Credential Access", "Persistence", "Execution", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation", "Command and Control"]}, "detection_names": ["ESCU - BITSAdmin Download File - Rule", "ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Overwriting Accessibility Binaries - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows Mimikatz Binary Execution - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows SQL Spawning CertUtil - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "BITSAdmin Download File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "BITS Jobs"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Overwriting Accessibility Binaries", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "Accessibility Features"}]}, {"name": "PowerShell 4104 Hunting", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}, {"name": "Windows Mimikatz Binary Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Windows SQL Spawning CertUtil", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}]}, {"name": "Forest Blizzard", "author": "Michael Haag, Splunk", "date": "2023-09-11", "version": 1, "id": "2c1aceda-f0a5-4c83-8543-e23ec1466958", "description": "CERT-UA has unveiled a cyberattack on Ukraine's energy infrastructure, orchestrated via deceptive emails. These emails, once accessed, lead to a multi-stage cyber operation downloading and executing malicious payloads. Concurrently, Zscaler's \"Steal-It\" campaign detection revealed striking similarities, hinting at a shared origin - APT28 or Fancy Bear. This notorious group, linked to Russia's GRU, utilizes legitimate platforms like Mockbin, making detection challenging. Their operations underline the evolving cyber threat landscape and stress the importance of advanced defenses.", "references": ["https://cert.gov.ua/article/5702579", "https://www.zscaler.com/blogs/security-research/steal-it-campaign", "https://attack.mitre.org/groups/G0007/"], "narrative": "APT28, also known as Fancy Bear, blends stealth and expertise in its cyber operations. Affiliated with Russia's GRU, their signature move involves spear-phishing emails, leading to multi-tiered cyberattacks. In Ukraine's recent breach, a ZIP archive's execution triggered a series of actions, culminating in information flow redirection via the TOR network. Simultaneously, Zscaler's \"Steal-It\" campaign pinpointed similar tactics, specifically targeting NTLMv2 hashes. This campaign used ZIP archives containing LNK files to exfiltrate data via Mockbin. APT28's hallmark is their \"Living Off The Land\" strategy, manipulating legitimate tools and services to blend in, evading detection. Their innovative tactics, coupled with a geofencing focus on specific regions, make them a formidable cyber threat, highlighting the urgent need for advanced defense strategies.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1564.003", "mitre_attack_technique": "Hidden Window", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "CopyKittens", "DarkHydrus", "Deep Panda", "Gamaredon Group", "Gorgon Group", "Higaisa", "Kimsuky", "Magic Hound", "Nomadic Octopus", "ToddyCat"]}, {"mitre_attack_id": "T1140", "mitre_attack_technique": "Deobfuscate/Decode Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT39", "BRONZE BUTLER", "Cinnamon Tempest", "Darkhotel", "Earth Lusca", "FIN13", "Gamaredon Group", "Gorgon Group", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Malteiro", "Molerats", "MuddyWater", "OilRig", "Rocke", "Sandworm Team", "TA505", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "WIRTE", "ZIRCONIUM", "menuPass"]}], "mitre_attack_tactics": ["Execution", "Command And Control", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation", "Command and Control"]}, "detection_names": ["ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - CertUtil With Decode Argument - Rule", "ESCU - CHCP Command Execution - Rule", "ESCU - Headless Browser Mockbin or Mocky Request - Rule", "ESCU - Headless Browser Usage - Rule", "ESCU - Windows Curl Download to Suspicious Path - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "CertUtil With Decode Argument", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Deobfuscate/Decode Files or Information"}]}, {"name": "CHCP Command Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Headless Browser Mockbin or Mocky Request", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Hidden Window"}]}, {"name": "Headless Browser Usage", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Hidden Window"}]}, {"name": "Windows Curl Download to Suspicious Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}]}, {"name": "Fortinet FortiNAC CVE-2022-39952", "author": "Michael Haag, Splunk", "date": "2023-02-21", "version": 1, "id": "2833a527-3b7f-41af-a950-39f7bbaff819", "description": "On Thursday, 16 February 2023, Fortinet released a PSIRT that details CVE-2022-39952, a critical vulnerability affecting its FortiNAC product (Horizon3.ai).", "references": ["https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs/", "https://viz.greynoise.io/tag/fortinac-rce-attempt?days=30", "https://www.bleepingcomputer.com/news/security/fortinet-fixes-critical-rce-flaws-in-fortinac-and-fortiweb/"], "narrative": "This vulnerability, discovered by Gwendal Guegniaud of Fortinet, allows an unauthenticated attacker to write arbitrary files on the system and as a result obtain remote code execution in the context of the root user (Horizon3.ai). Impacting FortiNAC, is tracked as CVE-2022-39952 and has a CVSS v3 score of 9.8 (critical). FortiNAC is a network access control solution that helps organizations gain real time network visibility, enforce security policies, and detect and mitigate threats. An external control of file name or path vulnerability CWE-73 in FortiNAC webserver may allow an unauthenticated attacker to perform arbitrary write on the system, reads the security advisory.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}]}, {"name": "GCP Account Takeover", "author": "Mauricio Velazco, Bhavin Patel, Splunk", "date": "2022-10-12", "version": 1, "id": "8601caff-414f-4c6d-9a04-75b66778869d", "description": "Monitor for activities and techniques associated with Account Takeover attacks against Google Cloud Platform tenants.", "references": ["https://cloud.google.com/gcp", "https://cloud.google.com/architecture/identity/overview-google-authentication", "https://attack.mitre.org/techniques/T1586/", "https://www.imperva.com/learn/application-security/account-takeover-ato/", "https://www.barracuda.com/glossary/account-takeover"], "narrative": "Account Takeover (ATO) is an attack whereby cybercriminals gain unauthorized access to online accounts by using different techniques like brute force, social engineering, phishing & spear phishing, credential stuffing, etc. By posing as the real user, cyber-criminals can change account details, send out phishing emails, steal financial information or sensitive data, or use any stolen information to access further accounts within the organization. This analytic story groups detections that can help security operations teams identify the potential compromise of Google cloud accounts.", "tags": {"category": ["Account Compromise"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1556.006", "mitre_attack_technique": "Multi-Factor Authentication", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["Scattered Spider"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}], "mitre_attack_tactics": ["Initial Access", "Resource Development", "Privilege Escalation", "Credential Access", "Persistence", "Defense Evasion"], "datamodels": [], "kill_chain_phases": ["Installation", "Weaponization", "Delivery", "Exploitation"]}, "detection_names": ["ESCU - GCP Authentication Failed During MFA Challenge - Rule", "ESCU - GCP Multi-Factor Authentication Disabled - Rule", "ESCU - GCP Multiple Failed MFA Requests For User - Rule", "ESCU - GCP Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - GCP Successful Single-Factor Authentication - Rule", "ESCU - GCP Unusual Number of Failed Authentications From Ip - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Bhavin Patel, Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "GCP Authentication Failed During MFA Challenge", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}, {"name": "GCP Multi-Factor Authentication Disabled", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Modify Authentication Process"}, {"mitre_attack_technique": "Multi-Factor Authentication"}]}, {"name": "GCP Multiple Failed MFA Requests For User", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}]}, {"name": "GCP Multiple Users Failing To Authenticate From Ip", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}, {"name": "GCP Successful Single-Factor Authentication", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}]}, {"name": "GCP Unusual Number of Failed Authentications From Ip", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}]}, {"name": "GCP Cross Account Activity", "author": "Rod Soto, Splunk", "date": "2020-09-01", "version": 1, "id": "0432039c-ef41-4b03-b157-450c25dad1e6", "description": "Track when a user assumes an IAM role in another GCP account to obtain cross-account access to services and resources in that account. Accessing new roles could be an indication of malicious activity.", "references": ["https://cloud.google.com/iam/docs/understanding-service-accounts"], "narrative": "Google Cloud Platform (GCP) admins manage access to GCP resources and services across the enterprise using GCP Identity and Access Management (IAM) functionality. IAM provides the ability to create and manage GCP users, groups, and roles-each with their own unique set of privileges and defined access to specific resources (such as Compute instances, the GCP Management Console, API, or the command-line interface). Unlike conventional (human) users, IAM roles are potentially assumable by anyone in the organization. They provide users with dynamically created temporary security credentials that expire within a set time period.\nIn between the time between when the temporary credentials are issued and when they expire is a period of opportunity, where a user could leverage the temporary credentials to wreak havoc-spin up or remove instances, create new users, elevate privileges, and other malicious activities-throughout the environment.\nThis Analytic Story includes searches that will help you monitor your GCP Audit logs logs for evidence of suspicious cross-account activity. For example, while accessing multiple GCP accounts and roles may be perfectly valid behavior, it may be suspicious when an account requests privileges of an account it has not accessed in the past. After identifying suspicious activities, you can use the provided investigative searches to help you probe more deeply.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Persistence", "Privilege Escalation", "Initial Access", "Defense Evasion"], "datamodels": ["Email"], "kill_chain_phases": ["Installation", "Delivery", "Exploitation"]}, "detection_names": ["ESCU - GCP Detect gcploit framework - Rule", "ESCU - GCP Detect accounts with high risk roles by project - Rule", "ESCU - GCP Detect high risk permissions by resource and account - Rule", "ESCU - gcp detect oauth token abuse - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rod Soto", "detections": [{"name": "GCP Detect gcploit framework", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "GCP Detect accounts with high risk roles by project", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "GCP Detect high risk permissions by resource and account", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "gcp detect oauth token abuse", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}]}, {"name": "Graceful Wipe Out Attack", "author": "Teoderick Contreras, Splunk", "date": "2023-06-15", "version": 1, "id": "83b15b3c-6bda-45aa-a3b6-b05c52443f44", "description": "This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the destructive attack or campaign found by \"THE DFIR Report\" that uses Truebot, FlawedGrace and MBR killer malware. This analytic story looks for suspicious dropped files, cobalt strike execution, im-packet execution, registry modification, scripts, persistence, lateral movement, impact, exfiltration and recon.", "references": ["https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/"], "narrative": "Graceful Wipe Out Attack is a destructive malware campaign found by \"The DFIR Report\" targeting multiple organizations to collect, exfiltrate and wipe the data of targeted networks. This malicious payload corrupts or wipes Master Boot Records by using an NSIS script after the exfiltration of sensitive information from the targeted host or system.", "tags": {"category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "APT5", "Akira", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN13", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1003.003", "mitre_attack_technique": "NTDS", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "HAFNIUM", "Ke3chang", "LAPSUS$", "Mustang Panda", "Sandworm Team", "Scattered Spider", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1561.002", "mitre_attack_technique": "Disk Structure Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1055.002", "mitre_attack_technique": "Portable Executable Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Gorgon Group", "Rocke"]}, {"mitre_attack_id": "T1531", "mitre_attack_technique": "Account Access Removal", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Akira", "LAPSUS$"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1127.001", "mitre_attack_technique": "MSBuild", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1561", "mitre_attack_technique": "Disk Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "FIN7", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "ToddyCat", "Turla", "Volt Typhoon"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT41", "BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Scattered Spider", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Akira", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Scattered Spider", "Silence", "Threat Group-3390", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Collection", "Discovery", "Credential Access", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Impact", "Lateral Movement"], "datamodels": ["Network_Traffic", "Endpoint"], "kill_chain_phases": ["Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Anomalous usage of 7zip - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - CMD Echo Pipe - Escalation - Rule", "ESCU - Cobalt Strike Named Pipes - Rule", "ESCU - Deleting Of Net Users - Rule", "ESCU - Detect Regsvr32 Application Control Bypass - Rule", "ESCU - DLLHost with no Command Line Arguments with Network - Rule", "ESCU - Domain Account Discovery With Net App - Rule", "ESCU - Domain Group Discovery With Net - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - GPUpdate with no Command Line Arguments with Network - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Remote WMI Command Attempt - Rule", "ESCU - Rundll32 with no Command Line Arguments with Network - Rule", "ESCU - SAM Database File Access Attempt - Rule", "ESCU - SearchProtocolHost with no Command Line with Network - Rule", "ESCU - SecretDumps Offline NTDS Dumping Tool - Rule", "ESCU - Services Escalate Exe - Rule", "ESCU - Suspicious DLLHost no Command Line Arguments - Rule", "ESCU - Suspicious GPUpdate no Command Line Arguments - Rule", "ESCU - Suspicious microsoft workflow compiler rename - Rule", "ESCU - Suspicious msbuild path - Rule", "ESCU - Suspicious MSBuild Rename - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", "ESCU - Suspicious Rundll32 StartW - Rule", "ESCU - Suspicious SearchProtocolHost no Command Line Arguments - Rule", "ESCU - Windows AdFind Exe - Rule", "ESCU - Windows Process Injection Remote Thread - Rule", "ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - Windows Service Stop By Deletion - Rule", "ESCU - Windows Service Stop Via Net and SC Application - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Anomalous usage of 7zip", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}, {"name": "Attempt To Stop Security Service", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "CMD Echo Pipe - Escalation", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Cobalt Strike Named Pipes", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Deleting Of Net Users", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Access Removal"}]}, {"name": "Detect Regsvr32 Application Control Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}, {"name": "DLLHost with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Domain Account Discovery With Net App", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Domain Group Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Account Access Removal"}]}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "GPUpdate with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}, {"name": "Remote WMI Command Attempt", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "Rundll32 with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "SAM Database File Access Attempt", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "SearchProtocolHost with no Command Line with Network", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "SecretDumps Offline NTDS Dumping Tool", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Services Escalate Exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Suspicious DLLHost no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Suspicious GPUpdate no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Suspicious microsoft workflow compiler rename", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}]}, {"name": "Suspicious msbuild path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}, {"name": "Suspicious MSBuild Rename", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Suspicious Rundll32 no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Suspicious Rundll32 StartW", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Suspicious SearchProtocolHost no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Windows AdFind Exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "Windows Process Injection Remote Thread", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Portable Executable Injection"}]}, {"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}, {"name": "Windows Service Stop By Deletion", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Service Stop"}]}, {"name": "Windows Service Stop Via Net and SC Application", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Service Stop"}]}]}, {"name": "HAFNIUM Group", "author": "Michael Haag, Splunk", "date": "2021-03-03", "version": 1, "id": "beae2ab0-7c3f-11eb-8b63-acde48001122", "description": "HAFNIUM group was identified by Microsoft as exploiting 4 Microsoft Exchange CVEs in the wild - CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.", "references": ["https://www.splunk.com/en_us/blog/security/detecting-hafnium-exchange-server-zero-day-activity-in-splunk.html", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day/"], "narrative": "On Tuesday, March 2, 2021, Microsoft released a set of security patches for its mail server, Microsoft Exchange. These patches respond to a group of vulnerabilities known to impact Exchange 2013, 2016, and 2019. It is important to note that an Exchange 2010 security update has also been issued, though the CVEs do not reference that version as being vulnerable.\nWhile the CVEs do not shed much light on the specifics of the vulnerabilities or exploits, the first vulnerability (CVE-2021-26855) has a remote network attack vector that allows the attacker, a group Microsoft named HAFNIUM, to authenticate as the Exchange server. Three additional vulnerabilities (CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) were also identified as part of this activity. When chained together along with CVE-2021-26855 for initial access, the attacker would have complete control over the Exchange server. This includes the ability to run code as SYSTEM and write to any path on the server.\nThe following Splunk detections assist with identifying the HAFNIUM groups tradecraft and methodology.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1114", "mitre_attack_technique": "Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Magic Hound", "Silent Librarian"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1114.002", "mitre_attack_technique": "Remote Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "Chimera", "Dragonfly", "FIN4", "HAFNIUM", "Ke3chang", "Kimsuky", "Leafminer", "Magic Hound"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "APT5", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "APT5", "Dragonfly", "FIN13", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT", "Wizard Spider"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider", "Scattered Spider"]}, {"mitre_attack_id": "T1003.003", "mitre_attack_technique": "NTDS", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "HAFNIUM", "Ke3chang", "LAPSUS$", "Mustang Panda", "Sandworm Team", "Scattered Spider", "Volt Typhoon", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Command And Control", "Initial Access", "Collection", "Credential Access", "Persistence", "Execution", "Lateral Movement"], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation", "Command and Control"]}, "detection_names": ["ESCU - Email servers sending high volume traffic to hosts - Rule", "ESCU - Dump LSASS via procdump Rename - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - Detect Exchange Web Shell - Rule", "ESCU - Detect New Local Admin account - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Dump LSASS via procdump - Rule", "ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule", "ESCU - Nishang PowershellTCPOneLine - Rule", "ESCU - Ntdsutil Export NTDS - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule", "ESCU - W3WP Spawning Shell - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Email servers sending high volume traffic to hosts", "source": "application", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Email Collection"}, {"mitre_attack_technique": "Remote Email Collection"}]}, {"name": "Dump LSASS via procdump Rename", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "LSASS Memory"}]}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Detect Exchange Web Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Detect New Local Admin account", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Dump LSASS via procdump", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Malicious PowerShell Process - Execution Policy Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Nishang PowershellTCPOneLine", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Ntdsutil Export NTDS", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}]}, {"name": "Hermetic Wiper", "author": "Teoderick Contreras, Rod Soto, Michael Haag, Splunk", "date": "2022-03-02", "version": 1, "id": "b7511c2e-9a10-11ec-99e3-acde48001122", "description": "This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the destructive malware targeting Ukrainian organizations also known as \"Hermetic Wiper\". This analytic story looks for abuse of Regsvr32, executables written in administrative SMB Share, suspicious processes, disabling of memory crash dump and more.", "references": ["https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/", "https://www.cisa.gov/uscert/ncas/alerts/aa22-057a"], "narrative": "Hermetic Wiper is destructive malware operation found by Sentinel One targeting multiple organizations in Ukraine. This malicious payload corrupts Master Boot Records, uses signed drivers and manipulates NTFS attributes for file destruction.", "tags": {"category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Cinnamon Tempest", "Earth Lusca", "FIN13", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "APT5", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1547.014", "mitre_attack_technique": "Active Setup", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1562.006", "mitre_attack_technique": "Indicator Blocking", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT41", "APT5"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1027.005", "mitre_attack_technique": "Indicator Removal from Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT3", "Deep Panda", "GALLIUM", "OilRig", "Patchwork", "Turla"]}, {"mitre_attack_id": "T1561.002", "mitre_attack_technique": "Disk Structure Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1218.014", "mitre_attack_technique": "MMC", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.012", "mitre_attack_technique": "Print Processors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1037.001", "mitre_attack_technique": "Logon Script (Windows)", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "Cobalt Group"]}, {"mitre_attack_id": "T1546.008", "mitre_attack_technique": "Accessibility Features", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT3", "APT41", "Axiom", "Deep Panda", "Fox Kitten"]}, {"mitre_attack_id": "T1546.012", "mitre_attack_technique": "Image File Execution Options Injection", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1134.001", "mitre_attack_technique": "Token Impersonation/Theft", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "FIN8"]}, {"mitre_attack_id": "T1561", "mitre_attack_technique": "Disk Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1021.006", "mitre_attack_technique": "Windows Remote Management", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Chimera", "FIN13", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1037", "mitre_attack_technique": "Boot or Logon Initialization Scripts", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "Rocke"]}, {"mitre_attack_id": "T1546.015", "mitre_attack_technique": "Component Object Model Hijacking", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1546.002", "mitre_attack_technique": "Screensaver", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.003", "mitre_attack_technique": "Time Providers", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}], "mitre_attack_tactics": ["Reconnaissance", "Command And Control", "Initial Access", "Credential Access", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Impact", "Lateral Movement"], "datamodels": ["Email", "Endpoint"], "kill_chain_phases": ["Reconnaissance", "Delivery", "Exploitation", "Actions on Objectives", "Installation", "Command and Control"]}, "detection_names": ["ESCU - Email Attachments With Lots Of Spaces - Rule", "ESCU - Suspicious Email Attachment Extensions - Rule", "ESCU - Suspicious Powershell Command-Line Arguments - Rule", "ESCU - Uncommon Processes On Endpoint - Rule", "ESCU - Active Setup Registry Autostart - Rule", "ESCU - Any Powershell DownloadFile - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - Change Default File Association - Rule", "ESCU - Child Processes of Spoolsv exe - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Detect Empire with PowerShell Script Block Logging - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Kerberoasting spn request with RC4 encryption - Rule", "ESCU - Linux Java Spawning Shell - Rule", "ESCU - Logon Script Event Trigger Execution - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Malicious PowerShell Process With Obfuscation Techniques - Rule", "ESCU - MSI Module Loaded by Non-System Binary - Rule", "ESCU - Overwriting Accessibility Binaries - Rule", "ESCU - Possible Lateral Movement PowerShell Spawn - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - PowerShell Domain Enumeration - Rule", "ESCU - Powershell Enable SMB1Protocol Feature - Rule", "ESCU - Powershell Execute COM Object - Rule", "ESCU - Powershell Fileless Process Injection via GetProcAddress - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Powershell Processing Stream Of Data - Rule", "ESCU - Powershell Using memory As Backing Store - Rule", "ESCU - Print Processor Registry Autostart - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Runas Execution in CommandLine - Rule", "ESCU - Screensaver Event Trigger Execution - Rule", "ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Time Provider Persistence Registry - Rule", "ESCU - Unloading AMSI via Reflection - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows Disable Memory Crash Dump - Rule", "ESCU - Windows File Without Extension In Critical Folder - Rule", "ESCU - Windows Modify Show Compress Color And Info Tip Registry - Rule", "ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - WMI Recon Running Process Or Services - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Rod Soto, Michael Haag, Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Email Attachments With Lots Of Spaces", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Suspicious Email Attachment Extensions", "source": "application", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}, {"name": "Suspicious Powershell Command-Line Arguments", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "PowerShell"}]}, {"name": "Uncommon Processes On Endpoint", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "Malicious File"}]}, {"name": "Active Setup Registry Autostart", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Active Setup"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Change Default File Association", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Change Default File Association"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Child Processes of Spoolsv exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Detect Empire with PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "ETW Registry Disabled", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Blocking"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Kerberoasting spn request with RC4 encryption", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}]}, {"name": "Linux Java Spawning Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Logon Script Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Boot or Logon Initialization Scripts"}, {"mitre_attack_technique": "Logon Script (Windows)"}]}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}, {"name": "Malicious PowerShell Process With Obfuscation Techniques", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "MSI Module Loaded by Non-System Binary", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "Overwriting Accessibility Binaries", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "Accessibility Features"}]}, {"name": "Possible Lateral Movement PowerShell Spawn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Remote Management"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "MMC"}]}, {"name": "PowerShell 4104 Hunting", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "PowerShell Domain Enumeration", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Powershell Enable SMB1Protocol Feature", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "Indicator Removal from Tools"}]}, {"name": "Powershell Execute COM Object", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Component Object Model Hijacking"}, {"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Powershell Fileless Process Injection via GetProcAddress", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "PowerShell Loading DotNET into Memory via Reflection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Powershell Processing Stream Of Data", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Powershell Using memory As Backing Store", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Print Processor Registry Autostart", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Gather Victim Host Information"}]}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Gather Victim Host Information"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Registry Keys Used For Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Image File Execution Options Injection"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Regsvr32 Silent and Install Param Dll Loading", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}, {"name": "Runas Execution in CommandLine", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Access Token Manipulation"}, {"mitre_attack_technique": "Token Impersonation/Theft"}]}, {"name": "Screensaver Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "Screensaver"}]}, {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Time Provider Persistence Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Time Providers"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Unloading AMSI via Reflection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}, {"name": "Windows Disable Memory Crash Dump", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Windows File Without Extension In Critical Folder", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Windows Modify Show Compress Color And Info Tip Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}, {"name": "WMI Recon Running Process Or Services", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Gather Victim Host Information"}]}]}, {"name": "Hidden Cobra Malware", "author": "Rico Valdez, Splunk", "date": "2020-01-22", "version": 2, "id": "baf7580b-d4b4-4774-8173-7d198e9da335", "description": "Monitor for and investigate activities, including the creation or deletion of hidden shares and file writes, that may be evidence of infiltration by North Korean government-sponsored cybercriminals. Details of this activity were reported in DHS Report TA-18-149A.", "references": ["https://web.archive.org/web/20191220004307/https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity", "https://web.archive.org/web/20220421112536/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf"], "narrative": "North Korea's government-sponsored \"cyber army\" has been slowly building momentum and gaining sophistication over the last 15 years or so. As a result, the group's activity, which the US government refers to as \"Hidden Cobra,\" has surreptitiously crept onto the collective radar as a preeminent global threat.\nThese state-sponsored actors are thought to be responsible for everything from a hack on a South Korean nuclear plant to an attack on Sony in anticipation of its release of the movie \"The Interview\" at the end of 2014. They're also notorious for cyberespionage. In recent years, the group seems to be focused on financial crimes, such as cryptojacking.\nIn June of 2018, The Department of Homeland Security, together with the FBI and other U.S. government partners, issued Technical Alert (TA-18-149A) to advise the public about two variants of North Korean malware. One variant, dubbed \"Joanap,\" is a multi-stage peer-to-peer botnet that allows North Korean state actors to exfiltrate data, download and execute secondary payloads, and initialize proxy communications. The other variant, \"Brambul,\" is a Windows32 SMB worm that is dropped into a victim network. When executed, the malware attempts to spread laterally within a victim's local subnet, connecting via the SMB protocol and initiating brute-force password attacks. It reports details to the Hidden Cobra actors via email, so they can use the information for secondary remote operations.\nAmong other searches in this Analytic Story is a detection search that looks for the creation or deletion of hidden shares, such as, \"adnim$,\" which the Hidden Cobra malware creates on the target system. Another looks for the creation of three malicious files associated with the malware. You can also use a search in this story to investigate activity that indicates that malware is sending email back to the attackers.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "APT5", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1071.002", "mitre_attack_technique": "File Transfer Protocols", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Dragonfly", "Kimsuky", "SilverTerrier"]}, {"mitre_attack_id": "T1071.004", "mitre_attack_technique": "DNS", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT39", "APT41", "Chimera", "Cobalt Group", "FIN7", "Ke3chang", "LazyScripter", "OilRig", "Tropic Trooper"]}, {"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1070.005", "mitre_attack_technique": "Network Share Connection Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Threat Group-3390"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Magic Hound", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}], "mitre_attack_tactics": ["Command And Control", "Exfiltration", "Execution", "Defense Evasion", "Lateral Movement"], "datamodels": ["Network_Traffic", "Endpoint", "Network_Resolution"], "kill_chain_phases": ["Installation", "Exploitation", "Actions on Objectives", "Command and Control"]}, "detection_names": ["ESCU - First time seen command line argument - Rule", "ESCU - Suspicious File Write - Rule", "ESCU - Create or delete windows shares using net exe - Rule", "ESCU - Remote Desktop Process Running On System - Rule", "ESCU - Detect Outbound SMB Traffic - Rule", "ESCU - DNS Query Length Outliers - MLTK - Rule", "ESCU - DNS Query Length With High Standard Deviation - Rule", "ESCU - Remote Desktop Network Traffic - Rule", "ESCU - SMB Traffic Spike - Rule", "ESCU - SMB Traffic Spike - MLTK - Rule"], "investigation_names": ["Get DNS Server History for a host", "Get DNS traffic ratio", "Get History Of Email Sources", "Get Notable History", "Get Outbound Emails to Hidden Cobra Threat Actors", "Get Parent Process Info", "Get Process Info", "Get Process Information For Port Activity", "Get Process Responsible For The DNS Traffic", "Investigate Successful Remote Desktop Authentications"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "First time seen command line argument", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Windows Command Shell"}]}, {"name": "Suspicious File Write", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Create or delete windows shares using net exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Network Share Connection Removal"}]}, {"name": "Remote Desktop Process Running On System", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "Detect Outbound SMB Traffic", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "File Transfer Protocols"}, {"mitre_attack_technique": "Application Layer Protocol"}]}, {"name": "DNS Query Length Outliers - MLTK", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "DNS"}, {"mitre_attack_technique": "Application Layer Protocol"}]}, {"name": "DNS Query Length With High Standard Deviation", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}, {"name": "Remote Desktop Network Traffic", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "SMB Traffic Spike", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "SMB Traffic Spike - MLTK", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Remote Services"}]}]}, {"name": "IcedID", "author": "Teoderick Contreras, Splunk", "date": "2021-07-29", "version": 1, "id": "1d2cc747-63d7-49a9-abb8-93aa36305603", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the IcedID banking trojan, including looking for file writes associated with its payload, process injection, shellcode execution and data collection.", "references": ["https://threatpost.com/icedid-banking-trojan-surges-emotet/165314/", "https://app.any.run/tasks/48414a33-3d66-4a46-afe5-c2003bb55ccf/"], "narrative": "IcedId banking trojan campaigns targeting banks and other vertical sectors.This malware is known in Microsoft Windows OS targetting browser such as firefox and chrom to steal banking information. It is also known to its unique payload downloaded in C2 where it can be a .png file that hides the core shellcode bot using steganography technique or gzip dat file that contains \"license.dat\" which is the actual core icedid bot.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "APT5", "Akira", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN13", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "APT5", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Akira", "Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA2541", "TA551"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566.002", "mitre_attack_technique": "Spearphishing Link", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT41", "BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Scattered Spider", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1135", "mitre_attack_technique": "Network Share Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT32", "APT38", "APT39", "APT41", "Chimera", "DarkVishnya", "Dragonfly", "FIN13", "Sowbug", "Tonto Team", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Akira", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Scattered Spider", "Silence", "Threat Group-3390", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1005", "mitre_attack_technique": "Data from Local System", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT3", "APT37", "APT38", "APT39", "APT41", "Andariel", "Axiom", "BRONZE BUTLER", "CURIUM", "Dark Caracal", "Dragonfly", "FIN13", "FIN6", "FIN7", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HAFNIUM", "Inception", "Ke3chang", "Kimsuky", "LAPSUS$", "Lazarus Group", "LuminousMoth", "Magic Hound", "Patchwork", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "ToddyCat", "Turla", "Volt Typhoon", "Windigo", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1204.001", "mitre_attack_technique": "Malicious Link", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Command And Control", "Initial Access", "Collection", "Discovery", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Lateral Movement"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation", "Command and Control"]}, "detection_names": ["ESCU - Account Discovery With Net App - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - CHCP Command Execution - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Create Remote Thread In Shell Application - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Disable Defender AntiVirus Registry - Rule", "ESCU - Disable Defender BlockAtFirstSeen Feature - Rule", "ESCU - Disable Defender Enhanced Notification - Rule", "ESCU - Disable Defender MpEngine Registry - Rule", "ESCU - Disable Defender Spynet Reporting - Rule", "ESCU - Disable Defender Submit Samples Consent Feature - Rule", "ESCU - Disable Schedule Task - Rule", "ESCU - Disabling Defender Services - Rule", "ESCU - Drop IcedID License dat - Rule", "ESCU - Eventvwr UAC Bypass - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - FodHelper UAC Bypass - Rule", "ESCU - IcedID Exfiltrated Archived File Creation - Rule", "ESCU - Mshta spawning Rundll32 OR Regsvr32 Process - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Share Discovery Via Dir Command - Rule", "ESCU - NLTest Domain Trust Discovery - Rule", "ESCU - Office Application Spawn Regsvr32 process - Rule", "ESCU - Office Application Spawn rundll32 process - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawning MSHTA - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - Powershell Processing Stream Of Data - Rule", "ESCU - Powershell Using memory As Backing Store - Rule", "ESCU - Process Creating LNK file in Suspicious Location - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Remote System Discovery with Net - Rule", "ESCU - Remote WMI Command Attempt - Rule", "ESCU - Rundll32 Create Remote Thread To A Process - Rule", "ESCU - Rundll32 CreateRemoteThread In Browser - Rule", "ESCU - Rundll32 DNSQuery - Rule", "ESCU - Rundll32 Process Creating Exe Dll Files - Rule", "ESCU - RunDLL Loading DLL By Ordinal - Rule", "ESCU - Schedule Task with Rundll32 Command Trigger - Rule", "ESCU - Sqlite Module In Temp Folder - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Suspicious IcedID Rundll32 Cmdline - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Regsvr32 Register Suspicious Path - Rule", "ESCU - Suspicious Rundll32 dllregisterserver - Rule", "ESCU - Suspicious Rundll32 PluginInit - Rule", "ESCU - Windows AdFind Exe - Rule", "ESCU - Windows Curl Download to Suspicious Path - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule", "ESCU - Windows WMI Process Call Create - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule", "ESCU - Wmic NonInteractive App Uninstallation - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Account Discovery With Net App", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "CHCP Command Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Create Remote Thread In Shell Application", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}, {"name": "Disable Defender AntiVirus Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Defender BlockAtFirstSeen Feature", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Defender Enhanced Notification", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Defender MpEngine Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Defender Spynet Reporting", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Defender Submit Samples Consent Feature", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Schedule Task", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disabling Defender Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Drop IcedID License dat", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "User Execution"}, {"mitre_attack_technique": "Malicious File"}]}, {"name": "Eventvwr UAC Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "FodHelper UAC Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}, {"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "IcedID Exfiltrated Archived File Creation", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}, {"name": "Mshta spawning Rundll32 OR Regsvr32 Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}, {"name": "Network Connection Discovery With Arp", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "Network Share Discovery Via Dir Command", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Network Share Discovery"}]}, {"name": "NLTest Domain Trust Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Trust Discovery"}]}, {"name": "Office Application Spawn Regsvr32 process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Application Spawn rundll32 process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawning MSHTA", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Powershell Processing Stream Of Data", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Powershell Using memory As Backing Store", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Process Creating LNK file in Suspicious Location", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Link"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}, {"name": "Remote System Discovery with Net", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "Remote WMI Command Attempt", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "Rundll32 Create Remote Thread To A Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Rundll32 CreateRemoteThread In Browser", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Rundll32 DNSQuery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Rundll32 Process Creating Exe Dll Files", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "RunDLL Loading DLL By Ordinal", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Schedule Task with Rundll32 Command Trigger", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Sqlite Module In Temp Folder", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data from Local System"}]}, {"name": "Suspicious Copy on System32", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "Masquerading"}]}, {"name": "Suspicious IcedID Rundll32 Cmdline", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Suspicious Regsvr32 Register Suspicious Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}, {"name": "Suspicious Rundll32 dllregisterserver", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Suspicious Rundll32 PluginInit", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Windows AdFind Exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "Windows Curl Download to Suspicious Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Malicious Link"}, {"mitre_attack_technique": "User Execution"}]}, {"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}, {"name": "Windows WMI Process Call Create", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Scheduled Task"}]}, {"name": "Wmic NonInteractive App Uninstallation", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}]}, {"name": "IIS Components", "author": "Michael Haag, Splunk", "date": "2022-12-19", "version": 1, "id": "0fbde550-8252-43ab-a26a-03976f55b58b", "description": "Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence.", "references": ["https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", "https://attack.mitre.org/techniques/T1505/004/", "https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework-1.pdf", "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", "https://www.secureworks.com/research/bronze-union", "https://strontic.github.io/xcyclopedia/library/appcmd.exe-055B2B09409F980BF9B5A3969D01E5B2.html"], "narrative": "IIS provides several mechanisms to extend the functionality of the web servers. For example, Internet Server Application Programming Interface (ISAPI) extensions and filters can be installed to examine and/or modify incoming and outgoing IIS web requests. Extensions and filters are deployed as DLL files that export three functions - Get{Extension/Filter}Version, Http{Extension/Filter}Proc, and (optionally) Terminate{Extension/Filter}. IIS modules may also be installed to extend IIS web servers.\nAdversaries may install malicious ISAPI extensions and filters to observe and/or modify traffic, execute commands on compromised machines, or proxy command and control traffic. ISAPI extensions and filters may have access to all IIS web requests and responses. For example, an adversary may abuse these mechanisms to modify HTTP responses in order to distribute malicious commands/content to previously comprised hosts.\nAdversaries may also install malicious IIS modules to observe and/or modify traffic. IIS 7.0 introduced modules that provide the same unrestricted access to HTTP requests and responses as ISAPI extensions and filters. IIS modules can be written as a DLL that exports RegisterModule, or as a .NET application that interfaces with ASP.NET APIs to access IIS HTTP requests. (reference MITRE)", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.002", "mitre_attack_technique": "Disable Windows Event Logging", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound", "Threat Group-3390"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1505.004", "mitre_attack_technique": "IIS Components", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Persistence", "Defense Evasion"], "datamodels": ["Web", "Endpoint"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - Windows Disable Windows Event Logging Disable HTTP Logging - Rule", "ESCU - Windows IIS Components Add New Module - Rule", "ESCU - Windows IIS Components Get-WebGlobalModule Module Query - Rule", "ESCU - Windows IIS Components Module Failed to Load - Rule", "ESCU - Windows IIS Components New Module Added - Rule", "ESCU - Windows PowerShell Add Module to Global Assembly Cache - Rule", "ESCU - Windows PowerShell Disable HTTP Logging - Rule", "ESCU - Windows PowerShell IIS Components WebGlobalModule Usage - Rule", "ESCU - Windows Server Software Component GACUtil Install to GAC - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Disable Windows Event Logging Disable HTTP Logging", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable Windows Event Logging"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}, {"name": "Windows IIS Components Add New Module", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}, {"name": "Windows IIS Components Get-WebGlobalModule Module Query", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "IIS Components"}, {"mitre_attack_technique": "Server Software Component"}]}, {"name": "Windows IIS Components Module Failed to Load", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}, {"name": "Windows IIS Components New Module Added", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}, {"name": "Windows PowerShell Add Module to Global Assembly Cache", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}, {"name": "Windows PowerShell Disable HTTP Logging", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Disable Windows Event Logging"}, {"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}, {"name": "Windows PowerShell IIS Components WebGlobalModule Usage", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}, {"name": "Windows Server Software Component GACUtil Install to GAC", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}]}, {"name": "Industroyer2", "author": "Teoderick Contreras, Splunk", "date": "2022-04-21", "version": 1, "id": "7ff7db2b-b001-498e-8fe8-caf2dbc3428a", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Industroyer2 attack, including file writes associated with its payload, lateral movement, persistence, privilege escalation and data destruction.", "references": ["https://cert.gov.ua/article/39518", "https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/"], "narrative": "Industroyer2 is part of continuous attack to ukraine targeting energy facilities. This malware is a windows binary that implement IEC-104 protocol to communicate with industrial equipments. This attack consist of several destructive linux script component to wipe or delete several linux critical files, powershell for domain enumeration and caddywiper to wipe boot sector of the targeted host.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT41", "BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Scattered Spider", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1053.003", "mitre_attack_technique": "Cron", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT38", "APT5", "Rocke"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT", "ToddyCat"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Reconnaissance", "Discovery", "Credential Access", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Impact", "Lateral Movement"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Reconnaissance", "Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - AdsiSearcher Account Discovery - Rule", "ESCU - Attempted Credential Dump From Registry via Reg exe - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux DD File Overwrite - Rule", "ESCU - Linux Deleting Critical Directory Using RM Command - Rule", "ESCU - Linux Disable Services - Rule", "ESCU - Linux High Frequency Of File Deletion In Boot Folder - Rule", "ESCU - Linux Shred Overwrite Command - Rule", "ESCU - Linux Stdout Redirection To Dev Null File - Rule", "ESCU - Linux Stop Services - Rule", "ESCU - Linux System Network Discovery - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Hidden Schedule Task Settings - Rule", "ESCU - Windows Linked Policies In ADSI Discovery - Rule", "ESCU - Windows Processes Killed By Industroyer2 Malware - Rule", "ESCU - Windows Root Domain linked policies Discovery - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "AdsiSearcher Account Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Attempted Credential Dump From Registry via Reg exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Linux Adding Crontab Using List Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux DD File Overwrite", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Linux Deleting Critical Directory Using RM Command", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Linux Disable Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Service Stop"}]}, {"name": "Linux High Frequency Of File Deletion In Boot Folder", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Linux Shred Overwrite Command", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Linux Stdout Redirection To Dev Null File", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Linux Stop Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Service Stop"}]}, {"name": "Linux System Network Discovery", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Network Configuration Discovery"}]}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Gather Victim Host Information"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Schtasks Run Task On Demand", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Windows Hidden Schedule Task Settings", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Windows Linked Policies In ADSI Discovery", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Windows Processes Killed By Industroyer2 Malware", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Service Stop"}]}, {"name": "Windows Root Domain linked policies Discovery", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Scheduled Task"}]}]}, {"name": "Information Sabotage", "author": "Teoderick Contreras, Splunk", "date": "2021-11-17", "version": 1, "id": "b71ba595-ef80-4e39-8b66-887578a7a71b", "description": "Leverage searches that allow you to detect and investigate unusual activities that might correlate to insider threat specially in terms of information sabotage.", "references": ["https://insights.sei.cmu.edu/blog/insider-threat-deep-dive-it-sabotage/"], "narrative": "Information sabotage is the type of crime many people associate with insider threat. Where the current or former employees, contractors, or business partners intentionally exceeded or misused an authorized level of access to networks, systems, or data with the intention of harming a specific individual, the organization, or the organization's data, systems, and/or daily business operations.", "tags": {"category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud", "Splunk Behavioral Analytics"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - High Frequency Copy Of Files In Network Share - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "High Frequency Copy Of Files In Network Share", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}]}, {"name": "Ingress Tool Transfer", "author": "Michael Haag, Splunk", "date": "2021-03-24", "version": 1, "id": "b3782036-8cbd-11eb-9d8e-acde48001122", "description": "Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the Command And Control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP.", "references": ["https://attack.mitre.org/techniques/T1105/"], "narrative": "Ingress tool transfer is a Technique under tactic Command And Control. Behaviors will include the use of living off the land binaries to download implants or binaries over alternate communication ports. It is imperative to baseline applications on endpoints to understand what generates network activity, to where, and what is its native behavior. These utilities, when abused, will write files to disk in world writeable paths.\\ During triage, review the reputation of the remote public destination IP or domain. Capture any files written to disk and perform analysis. Review other parrallel processes for additional behaviors.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1197", "mitre_attack_technique": "BITS Jobs", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": ["APT39", "APT41", "Leviathan", "Patchwork", "Wizard Spider"]}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "Cinnamon Tempest", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "MoustachedBouncer", "POLONIUM", "Sandworm Team", "Turla", "Volt Typhoon", "Windigo"]}, {"mitre_attack_id": "T1095", "mitre_attack_technique": "Non-Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT3", "BITTER", "BackdoorDiplomacy", "FIN6", "HAFNIUM", "Metador", "PLATINUM", "ToddyCat"]}], "mitre_attack_tactics": ["Command And Control", "Collection", "Credential Access", "Persistence", "Execution", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation", "Command and Control"]}, "detection_names": ["ESCU - Any Powershell DownloadFile - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - BITSAdmin Download File - Rule", "ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - CertUtil Download With VerifyCtl and Split Arguments - Rule", "ESCU - Curl Download and Bash Execution - Rule", "ESCU - Detect Certify Command Line Arguments - Rule", "ESCU - Detect Certipy File Modifications - Rule", "ESCU - Linux Curl Upload File - Rule", "ESCU - Linux Ingress Tool Transfer Hunting - Rule", "ESCU - Linux Ingress Tool Transfer with Curl - Rule", "ESCU - Linux Proxy Socks Curl - Rule", "ESCU - Suspicious Curl Network Connection - Rule", "ESCU - Wget Download and Bash Execution - Rule", "ESCU - Windows Curl Download to Suspicious Path - Rule", "ESCU - Windows Curl Upload to Remote Destination - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "BITSAdmin Download File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "BITS Jobs"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "CertUtil Download With VerifyCtl and Split Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Curl Download and Bash Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Detect Certify Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Detect Certipy File Modifications", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}, {"mitre_attack_technique": "Archive Collected Data"}]}, {"name": "Linux Curl Upload File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Linux Ingress Tool Transfer Hunting", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Linux Ingress Tool Transfer with Curl", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Linux Proxy Socks Curl", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Non-Application Layer Protocol"}]}, {"name": "Suspicious Curl Network Connection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Wget Download and Bash Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Windows Curl Download to Suspicious Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Windows Curl Upload to Remote Destination", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}]}, {"name": "Insider Threat", "author": "Jose Hernandez, Splunk", "date": "2022-05-19", "version": 1, "id": "c633df29-a950-4c4c-a0f8-02be6730797c", "description": "Monitor for activities and techniques associated with insider threats and specifically focusing on malicious insiders operating with in a corporate environment.", "references": ["https://www.imperva.com/learn/application-security/insider-threats/", "https://www.cisa.gov/defining-insider-threats", "https://www.code42.com/glossary/types-of-insider-threats/", "https://github.com/Insider-Threat/Insider-Threat", "https://ctid.mitre-engenuity.org/our-work/insider-ttp-kb/"], "narrative": "Insider Threats are best defined by CISA: \"Insider threat incidents are possible in any sector or organization. An insider threat is typically a current or former employee, third-party contractor, or business partner. In their present or former role, the person has or had access to an organization's network systems, data, or premises, and uses their access (sometimes unwittingly). To combat the insider threat, organizations can implement a proactive, prevention-focused mitigation program to detect and identify threats, assess risk, and manage that risk - before an incident occurs.\" An insider is any person who has or had authorized access to or knowledge of an organization's resources, including personnel, facilities, information, equipment, networks, and systems. These are the common insiders that create insider threats: Departing Employees, Security Evaders, Malicious Insiders, and Negligent Employees. This story aims at detecting the malicious insider.", "tags": {"category": ["Adversary Tactics", "Account Compromise", "Lateral Movement", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud", "Splunk Behavioral Analytics"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1567.002", "mitre_attack_technique": "Exfiltration to Cloud Storage", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["Akira", "Chimera", "Cinnamon Tempest", "Confucius", "Earth Lusca", "FIN7", "HAFNIUM", "HEXANE", "Kimsuky", "Leviathan", "LuminousMoth", "POLONIUM", "Scattered Spider", "Threat Group-3390", "ToddyCat", "Turla", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1219", "mitre_attack_technique": "Remote Access Software", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Akira", "Carbanak", "Cobalt Group", "DarkVishnya", "Evilnum", "FIN7", "GOLD SOUTHFIELD", "Kimsuky", "MuddyWater", "Mustang Panda", "RTM", "Sandworm Team", "Scattered Spider", "TeamTNT", "Thrip"]}, {"mitre_attack_id": "T1537", "mitre_attack_technique": "Transfer Data to Cloud Account", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1567", "mitre_attack_technique": "Exfiltration Over Web Service", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT28", "Magic Hound"]}, {"mitre_attack_id": "T1078.003", "mitre_attack_technique": "Local Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT32", "FIN10", "FIN7", "HAFNIUM", "Kimsuky", "PROMETHIUM", "Tropic Trooper", "Turla"]}, {"mitre_attack_id": "T1552.001", "mitre_attack_technique": "Credentials In Files", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "FIN13", "Fox Kitten", "Kimsuky", "Leafminer", "MuddyWater", "OilRig", "Scattered Spider", "TA505", "TeamTNT"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}], "mitre_attack_tactics": ["Command And Control", "Initial Access", "Exfiltration", "Credential Access", "Privilege Escalation", "Persistence", "Defense Evasion"], "datamodels": ["Network_Traffic", "Authentication", "Endpoint", "Network_Resolution"], "kill_chain_phases": ["Exploitation", "Delivery", "Actions on Objectives", "Installation", "Command and Control"]}, "detection_names": ["ESCU - Gsuite Drive Share In External Email - Rule", "ESCU - Gsuite Outbound Email With Attachment To External Domain - Rule", "ESCU - Detect Remote Access Software Usage File - Rule", "ESCU - Detect Remote Access Software Usage FileInfo - Rule", "ESCU - Detect Remote Access Software Usage Process - Rule", "ESCU - High Frequency Copy Of Files In Network Share - Rule", "ESCU - Potential password in username - Rule", "ESCU - Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials - Rule", "ESCU - Windows Multiple Users Failed To Authenticate From Process - Rule", "ESCU - Windows Remote Access Software Hunt - Rule", "ESCU - Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials - Rule", "ESCU - Windows Unusual Count Of Users Failed To Authenticate From Process - Rule", "ESCU - Detect Remote Access Software Usage DNS - Rule", "ESCU - Detect Remote Access Software Usage Traffic - Rule", "ESCU - Detect Remote Access Software Usage URL - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Jose Hernandez", "detections": [{"name": "Gsuite Drive Share In External Email", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exfiltration to Cloud Storage"}, {"mitre_attack_technique": "Exfiltration Over Web Service"}]}, {"name": "Gsuite Outbound Email With Attachment To External Domain", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}, {"name": "Detect Remote Access Software Usage File", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}, {"name": "Detect Remote Access Software Usage FileInfo", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}, {"name": "Detect Remote Access Software Usage Process", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}, {"name": "High Frequency Copy Of Files In Network Share", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}, {"name": "Potential password in username", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Local Accounts"}, {"mitre_attack_technique": "Credentials In Files"}]}, {"name": "Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Multiple Users Failed To Authenticate From Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Remote Access Software Hunt", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}, {"name": "Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Unusual Count Of Users Failed To Authenticate From Process", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Detect Remote Access Software Usage DNS", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}, {"name": "Detect Remote Access Software Usage Traffic", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}, {"name": "Detect Remote Access Software Usage URL", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}]}, {"name": "Ivanti Connect Secure VPN Vulnerabilities", "author": "Michael Haag, Splunk", "date": "2024-01-16", "version": 1, "id": "e3b5c3b8-082b-4b4e-b2c9-47ed79e2a5ab", "description": "The following analytic story addresses critical vulnerabilities CVE-2023-46805 and CVE-2024-21887 in Ivanti Connect Secure and Ivanti Policy Secure Gateways. CVE-2023-46805 is an authentication bypass vulnerability, while CVE-2024-21887 is a command injection flaw, both presenting significant risks in versions 9.x and 22.x. Combined, these vulnerabilities enable unauthenticated threat actors to execute arbitrary commands, compromising system integrity. Immediate mitigation is imperative, with patches scheduled for staggered release. Ivanti has provided interim mitigation steps, and it's crucial for customers to apply these measures to protect their systems against potential exploits.", "references": ["https://github.com/RootUp/PersonalStuff/blob/master/http-vuln-cve2023-46805_2024_21887.nse", "https://github.com/projectdiscovery/nuclei-templates/blob/c6b351e71b0fb0e40e222e97038f1fe09ac58194/http/misconfiguration/ivanti/CVE-2023-46085-CVE-2024-21887-mitigation-not-applied.yaml", "https://github.com/rapid7/metasploit-framework/pull/18708/files", "https://attackerkb.com/topics/AdUh6by52K/cve-2023-46805/rapid7-analysis", "https://labs.watchtowr.com/welcome-to-2024-the-sslvpn-chaos-continues-ivanti-cve-2023-46805-cve-2024-21887/", "https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/", "https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day", "https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US"], "narrative": "Ivanti Connect Secure and Ivanti Policy Secure gateways face a severe security challenge with the discovery of CVE-2023-46805 and CVE-2024-21887. CVE-2023-46805 allows attackers to bypass authentication in critical web components of versions 9.x and 22.x. More alarmingly, when paired with CVE-2024-21887, a command injection vulnerability, it enables remote attackers to execute arbitrary commands without authentication. This combination poses a heightened threat, undermining the security of enterprise networks. Ivanti has mobilized resources to address these vulnerabilities, offering immediate mitigation advice and scheduling patch releases. Customers are urged to apply these mitigations without delay to safeguard their networks.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Web"], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint - Rule", "ESCU - Ivanti Connect Secure Command Injection Attempts - Rule", "ESCU - Ivanti Connect Secure SSRF in SAML Component - Rule", "ESCU - Ivanti Connect Secure System Information Access via Auth Bypass - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}, {"name": "Ivanti Connect Secure Command Injection Attempts", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}, {"name": "Ivanti Connect Secure SSRF in SAML Component", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}, {"name": "Ivanti Connect Secure System Information Access via Auth Bypass", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}]}, {"name": "Ivanti EPMM Remote Unauthenticated Access", "author": "Michael Haag, Splunk", "date": "2023-08-08", "version": 2, "id": "7e36ca54-c096-4a39-b724-6fc935164f0c", "description": "Ivanti, a leading technology company, has disclosed two critical zero-day vulnerabilities in its Endpoint Manager Mobile (EPMM) product, CVE-2023-35078 and CVE-2023-35081. A recent update concerning CVE-2023-35082, closely related to CVE-2023-35078, reveals its impact on more versions of Ivanti's software than initially believed. The former allows unauthenticated attackers to obtain sensitive data, modify servers, and access the API, potentially leading to data breaches or malicious system modifications. Meanwhile, CVE-2023-35081 lets authenticated administrators remotely write arbitrary files to the server. Both vulnerabilities have been exploited in targeted attacks against government ministries and could be used in conjunction. With the presence of PoC code for CVE-2023-35078, the risk of broader exploitation has increased. While initially leveraged in limited attacks, the exploitation is expected to rise, possibly involving state-sponsored actors. Organizations are urged to apply immediate patches and conduct regular system assessments to ensure security.", "references": ["https://www.securityweek.com/second-ivanti-epmm-zero-day-vulnerability-exploited-in-targeted-attacks/", "https://www.cisa.gov/news-events/alerts/2023/07/28/ivanti-releases-security-updates-epmm-address-cve-2023-35081", "https://nvd.nist.gov/vuln/detail/CVE-2023-35078", "https://forums.ivanti.com/s/article/CVE-2023-35078-Remote-unauthenticated-API-access-vulnerability?language=en_US"], "narrative": "Ivantis Endpoint Manager Mobile (EPMM) product, formerly known as MobileIron Core and extensively utilized by IT teams to manage mobile devices, applications, and content, has been found to harbor several critical vulnerabilities. Specifically, CVE-2023-35078 allows remote unauthenticated attackers to access sensitive data and make changes to servers. This flaw has been leveraged in targeted attacks against Norwegian government ministries. In addition, CVE-2023-35081 permits an authenticated attacker with administrative privileges to remotely write arbitrary files to the server.\nRecently, attention has shifted to CVE-2023-35082, which was initially believed to affect only MobileIron Core 11.2 and below. Subsequent investigations revealed its wider influence, affecting EPMM versions 11.10, 11.9, 11.8, and MobileIron Core 11.7 and earlier. This vulnerability facilitates unauthorized access to the API via the URI path /mifs/asfV3/api/v2/.\nWhen combined, these vulnerabilities can be exploited to bypass administrative authentication and access control list (ACL) restrictions, leading to malicious file writing and potential OS command execution. Both have been actively exploited, possibly by state-sponsored actors, prompting urgent advisories from Ivanti and Rapid7, alongside CISA. Given the thousands of potentially vulnerable internet-exposed systems and the presence of PoC code for CVE-2023-35078, the risk of extensive exploitation escalates. The situation is further muddled by Ivanti's 2020 acquisition of MobileIron, which had its known issues. Collectively, these vulnerabilities present a significant risk to organizations utilizing Ivanti's EPMM, emphasizing the need for swift patching, vigilant monitoring, and timely application of fixes to counteract potential threats.", "tags": {"category": ["Vulnerability", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}], "mitre_attack_tactics": ["Persistence", "Initial Access"], "datamodels": ["Web"], "kill_chain_phases": ["Installation", "Delivery"]}, "detection_names": ["ESCU - Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078 - Rule", "ESCU - Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}]}, {"name": "Ivanti Sentry Authentication Bypass CVE-2023-38035", "author": "Michael Haag, Splunk", "date": "2023-08-24", "version": 1, "id": "da229be2-4637-47a5-b551-1d4b64f411c6", "description": "A critical vulnerability, designated as CVE-2023-38035, has been identified in Ivanti Sentry (formerly MobileIron Sentry). It affects all supported versions, including 9.18, 9.17, and 9.16, as well as older versions. The vulnerability allows an unauthenticated attacker to access the System Manager Portal (typically hosted on port 8443) and make configuration changes, potentially executing OS commands as root. However, the risk is low for users who haven't exposed port 8443 online. This flaw is distinct from other Ivanti products. It's imperative for organizations to check for unrecognized HTTP requests to /services/* as a potential indicator of compromise.", "references": ["https://github.com/horizon3ai/CVE-2023-38035/blob/main/CVE-2023-38035.py", "https://www.horizon3.ai/ivanti-sentry-authentication-bypass-cve-2023-38035-deep-dive/", "https://forums.ivanti.com/s/article/KB-API-Authentication-Bypass-on-Sentry-Administrator-Interface-CVE-2023-38035?language=en_US"], "narrative": "CVE-2023-38035 presents a significant security risk in the Ivanti Sentry administration interface. The vulnerability was identified shortly after another notable vulnerability in Ivanti EPMM (CVE-2023-35078) was discovered being exploited in the wild. The current vulnerability allows a malicious actor, without requiring authentication, to access the System Manager Portal, typically hosted on port 8443. Upon successful exploitation, the attacker can make configuration alterations to both the Sentry system and its underlying OS. The potential damage is significant, enabling the attacker to execute commands on the system with root privileges.\nWhile this vulnerability scored high on the CVSS scale, its risk is relatively mitigated for clients who have not exposed port 8443 to the internet. The primary exploitation vector is the System Manager Portal, an administrative interface for Sentry.\nAs of now, definitive indicators of compromise (IoCs) are elusive. However, any unexpected HTTP requests to the endpoint /services/* could be a red flag. It's worth noting that the exploited endpoint might not be the sole vulnerable point, suggesting other potential gateways for attackers. Ivanti Sentry's system doesn't provide a typical Unix shell, but in the event of a known system breach, the /var/log/tomcat2/ directory contains access logs that may reveal accessed endpoints. Additionally, web interface logs may provide insights into suspicious activities and should be monitored closely.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Ivanti Sentry Authentication Bypass - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Ivanti Sentry Authentication Bypass", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}]}, {"name": "JBoss Vulnerability", "author": "Bhavin Patel, Splunk", "date": "2017-09-14", "version": 1, "id": "1f5294cb-b85f-4c2d-9c58-ffcf248f52bd", "description": "In March of 2016, adversaries were seen using JexBoss--an open-source utility used for testing and exploiting JBoss application servers. These searches help detect evidence of these attacks, such as network connections to external resources or web services spawning atypical child processes, among others.", "references": ["http://www.deependresearch.org/2016/04/jboss-exploits-view-from-victim.html"], "narrative": "This Analytic Story looks for probing and exploitation attempts targeting JBoss application servers. While the vulnerabilities associated with this story are rather dated, they were leveraged in a spring 2016 campaign in connection with the Samsam ransomware variant. Incidents involving this ransomware are unique, in that they begin with attacks against vulnerable services, rather than the phishing or drive-by attacks more common with ransomware. In this case, vulnerable JBoss applications appear to be the target of choice.\nIt is helpful to understand how often a notable event generated by this story occurs, as well as the commonalities between some of these events, both of which may provide clues about whether this is a common occurrence of minimal concern or a rare event that may require more extensive investigation. It may also help to understand whether the issue is restricted to a single user/system or whether it is broader in scope.\nWhen looking at the target of the behavior uncovered by the event, you should note the sensitivity of the user and or/system to help determine the potential impact. It is also helpful to identify other recent events involving the target. This can help tie different events together and give further situational awareness regarding the target host.\nVarious types of information for external systems should be reviewed and, potentially, collected if the incident is, indeed, judged to be malicious. This data may be useful for generating your own threat intelligence, so you can create future alerts.\nThe following factors may assist you in determining whether the event is malicious:\n1. Country of origin\n1. Responsible party\n1. Fully qualified domain names associated with the external IP address\n1. Registration of fully qualified domain names associated with external IP address Determining whether it is a dynamic domain frequently visited by others and/or how third parties categorize it can also help you qualify and understand the event and possible motivation for the attack. In addition, there are various sources that may provide reputation information on the IP address or domain name, which can assist you in determining whether the event is malicious in nature. Finally, determining whether there are other events associated with the IP address may help connect data points or expose other historic events that might be brought back into scope.\nGathering various data on the system of interest can sometimes help quickly determine whether something suspicious is happening. Some of these items include determining who else may have logged into the system recently, whether any unusual scheduled tasks exist, whether the system is communicating on suspicious ports, whether there are modifications to sensitive registry keys, and/or whether there are any known vulnerabilities on the system. This information can often highlight other activity commonly seen in attack scenarios or give more information about how the system may have been targeted.\nhen a specific service or application is targeted, it is often helpful to know the associated version, to help determine whether it is vulnerable to a specific exploit.\nIf you suspect an attack targeting a web server, it is helpful to look at some of the behavior of the web service to see if there is evidence that the service has been compromised. Some indications of this might be network connections to external resources, the web service spawning child processes that are not associated with typical behavior, and whether the service wrote any files that might be malicious in nature.\nIf a suspicious file is found, we can review more information about it to help determine if it is, in fact, malicious. Identifying the file type, any processes that opened the file, the processes that may have created and/or modified the file, and how many other systems potentially have this file can you determine whether the file is malicious. Also, determining the file hash and checking it against reputation sources, such as VirusTotal, can sometimes help you quickly determine if it is malicious in nature.\nOften, a simple inspection of a suspect process name and path can tell you if the system has been compromised. For example, if svchost.exe is found running from a location other than `C:\\Windows\\System32`, it is likely something malicious designed to hide in plain sight when simply reviewing process names.\nIt can also be helpful to examine various behaviors of and the parent of the process of interest. For example, if it turns out the process of interest is malicious, it would be good to see whether the parent process spawned other processes that might also warrant further scrutiny. If a process is suspect, a review of the network connections made around the time of the event and noting whether the process has spawned any child processes could be helpful in determining whether it is malicious or executing a malicious script.", "tags": {"category": ["Vulnerability"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1082", "mitre_attack_technique": "System Information Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT19", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "Blue Mockingbird", "Chimera", "Confucius", "Darkhotel", "FIN13", "FIN8", "Gamaredon Group", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Malteiro", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Sowbug", "Stealth Falcon", "TA2541", "TeamTNT", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Windigo", "Windshift", "Wizard Spider", "ZIRCONIUM", "admin@338"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}], "mitre_attack_tactics": ["Persistence", "Discovery", "Initial Access"], "datamodels": ["Web"], "kill_chain_phases": ["Installation", "Delivery", "Exploitation"]}, "detection_names": ["ESCU - Detect attackers scanning for vulnerable JBoss servers - Rule", "ESCU - Detect malicious requests to exploit JBoss servers - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect attackers scanning for vulnerable JBoss servers", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "System Information Discovery"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Detect malicious requests to exploit JBoss servers", "source": "web", "type": "TTP", "tags": []}]}, {"name": "Jenkins Server Vulnerabilities", "author": "Michael Haag, Splunk", "date": "2024-01-29", "version": 1, "id": "789e76e6-4b5e-4af3-ab8c-46578d84ccff", "description": "This analytic story provides a comprehensive view of Jenkins server vulnerabilities and associated detection analytics.", "references": ["https://www.jenkins.io/security/advisory/2024-01-24/"], "narrative": "The following analytic story provides a comprehensive view of Jenkins server vulnerabilities and associated detection analytics. Jenkins is a popular open-source automation server that is used to automate tasks associated with building, testing, and deploying software. Jenkins is often used in DevOps environments and is a critical component of the software development lifecycle. As a result, Jenkins servers are often targeted by adversaries to gain access to sensitive information, credentials, and other critical assets. This analytic story provides a comprehensive view of Jenkins server vulnerabilities and associated detection analytics.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Jenkins Arbitrary File Read CVE-2024-23897 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Jenkins Arbitrary File Read CVE-2024-23897", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}]}, {"name": "JetBrains TeamCity Unauthenticated RCE", "author": "Michael Haag, Splunk", "date": "2023-10-01", "version": 1, "id": "7ef2d230-9dbb-4d13-9263-a7d8c3aad9bf", "description": "A critical security vulnerability, CVE-2023-42793, has been discovered affecting all versions of TeamCity On-Premises up to 2023.05.3. This vulnerability allows unauthenticated attackers to execute remote code and gain administrative control of the TeamCity server, posing a significant risk for supply chain attacks. Although the issue has been fixed in version 2023.05.4, servers running older versions remain at risk. A security patch plugin has been released for immediate mitigation, applicable to TeamCity versions 8.0 and above. Organizations are strongly advised to update to the fixed version or apply the security patch, especially if their TeamCity server is publicly accessible. No impact has been reported on TeamCity Cloud as it has been upgraded to the secure version.", "references": ["https://blog.jetbrains.com/teamcity/2023/09/critical-security-issue-affecting-teamcity-on-premises-update-to-2023-05-4-now/", "https://www.sonarsource.com/blog/teamcity-vulnerability/", "https://github.com/rapid7/metasploit-framework/pull/18408", "https://attackerkb.com/topics/1XEEEkGHzt/cve-2023-42793/rapid7-analysis"], "narrative": "The CVE-2023-42793 vulnerability in TeamCity On-Premises allows an unauthenticated attacker to bypass authentication and gain administrative access through Remote Code Execution (RCE). Specifically, the attacker can send a malicious POST request to /app/rest/users/id:1/tokens/RPC2 to create an administrative token. Once the token is obtained, the attacker has the ability to perform various unauthorized activities, including creating new admin users and executing arbitrary shell commands on the server. For Splunk Security Content, the focus should be on identifying suspicious POST requests to /app/rest/users/id:1/tokens/RPC2 and other affected API endpoints, as this is the initial point of exploitation. Monitoring logs for changes to the internal.properties file or the creation of new admin users could also provide crucial indicators of compromise. Furthermore, Splunk can be configured to alert on multiple failed login attempts followed by a successful login from the same IP, which could indicate exploitation attempts.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - JetBrains TeamCity RCE Attempt - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "JetBrains TeamCity RCE Attempt", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}]}, {"name": "JetBrains TeamCity Vulnerabilities", "author": "Michael Haag, Splunk", "date": "2024-03-04", "version": 1, "id": "3cd841e8-2f64-45e8-b148-7767255db111", "description": "This story provides a high-level overview of JetBrains TeamCity vulnerabilities and how to detect and respond to them using Splunk.", "references": ["https://www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/", "https://blog.jetbrains.com/teamcity/2024/03/teamcity-2023-11-4-is-out/", "https://blog.jetbrains.com/teamcity/2024/03/additional-critical-security-issues-affecting-teamcity-on-premises-cve-2024-27198-and-cve-2024-27199-update-to-2023-11-4-now/"], "narrative": "JetBrains TeamCity is a continuous integration and deployment server that allows developers to automate the process of building, testing, and deploying code. It is a popular tool used by many organizations to streamline their development and deployment processes. However, like any software, JetBrains TeamCity is not immune to vulnerabilities.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Web"], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - JetBrains TeamCity Authentication Bypass CVE-2024-27198 - Rule", "ESCU - JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198 - Rule", "ESCU - JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199 - Rule", "ESCU - JetBrains TeamCity RCE Attempt - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "JetBrains TeamCity Authentication Bypass CVE-2024-27198", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}, {"name": "JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}, {"name": "JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}, {"name": "JetBrains TeamCity RCE Attempt", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}]}, {"name": "Juniper JunOS Remote Code Execution", "author": "Michael Haag, Splunk", "date": "2023-08-29", "version": 1, "id": "3fcef843-c97e-4cf3-a72f-749be480cee3", "description": "Juniper Networks has resolved multiple critical vulnerabilities in the J-Web component of Junos OS on SRX and EX Series devices. These vulnerabilities, when chained together, could allow an unauthenticated, network-based attacker to remotely execute code on the devices. The vulnerabilities affect all versions of Junos OS on SRX and EX Series, but specific fixes have been released to address each vulnerability. Juniper Networks recommends applying the necessary fixes to mitigate potential remote code execution threats. As a workaround, users can disable J-Web or limit access to only trusted hosts. Proof-of-concept (PoC) exploit code has been released, demonstrating the severity of these flaws and the urgency to apply the fixes.", "references": ["https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution?language=en_US", "https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-36844.yaml", "https://thehackernews.com/2023/08/new-juniper-junos-os-flaws-expose.html", "https://github.com/watchtowrlabs/juniper-rce_cve-2023-36844", "https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/"], "narrative": "Juniper Networks, a networking hardware company, has released an \"out-of-cycle\" security update to address multiple flaws in the J-Web component of Junos OS that could be combined to achieve remote code execution on susceptible installations. The flaws have a cumulative CVSS rating of 9.8, making them critical in severity. They affect all versions of Junos OS on SRX and EX Series. The J-Web interface allows users to configure, manage, and monitor Junos OS devices. The vulnerabilities include two PHP external variable modification vulnerabilities (CVE-2023-36844 and CVE-2023-36845) and two missing authentications for critical function vulnerabilities (CVE-2023-36846 and CVE-2023-36847). These vulnerabilities could allow an unauthenticated, network-based attacker to control certain important environment variables, cause limited impact to the file system integrity, or upload arbitrary files via J-Web without any authentication.\nThe vulnerabilities have been addressed in specific Junos OS versions for EX Series and SRX Series devices. Users are recommended to apply the necessary fixes to mitigate potential remote code execution threats. As a workaround, Juniper Networks suggests disabling J-Web or limiting access to only trusted hosts.\nAdditionally, a PoC exploit has been released by watchTowr, combining CVE-2023-36846 and CVE-2023-36845 to upload a PHP file containing malicious shellcode and achieve code execution by injecting the PHPRC environment variable to point to a configuration file to load the booby-trapped PHP script. WatchTowr noted that this is an interesting bug chain, utilizing two bugs that would be near-useless in isolation and combining them for a \"world-ending\" unauthenticated remote code execution.\nIn conclusion, these vulnerabilities pose a significant threat to Juniper SRX and EX Series devices, and it is imperative for users to apply the necessary fixes or implement the recommended workaround to mitigate the potential impact.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Juniper Networks Remote Code Execution Exploit Detection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Juniper Networks Remote Code Execution Exploit Detection", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "Ingress Tool Transfer"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}]}, {"name": "Kubernetes Scanning Activity", "author": "Rod Soto, Splunk", "date": "2020-04-15", "version": 1, "id": "a9ef59cf-e981-4e66-9eef-bb049f695c09", "description": "This story addresses detection against Kubernetes cluster fingerprint scan and attack by providing information on items such as source ip, user agent, cluster names.", "references": ["https://github.com/splunk/cloud-datamodel-security-research"], "narrative": "Kubernetes is the most used container orchestration platform, this orchestration platform contains sensitve information and management priviledges of production workloads, microservices and applications. These searches allow operator to detect suspicious unauthenticated requests from the internet to kubernetes cluster.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1526", "mitre_attack_technique": "Cloud Service Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Discovery"], "datamodels": ["Email"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Amazon EKS Kubernetes cluster scan detection - Rule", "ESCU - Amazon EKS Kubernetes Pod scan detection - Rule", "ESCU - GCP Kubernetes cluster pod scan detection - Rule", "ESCU - GCP Kubernetes cluster scan detection - Rule", "ESCU - Kubernetes Azure pod scan fingerprint - Rule", "ESCU - Kubernetes Azure scan fingerprint - Rule"], "investigation_names": ["Amazon EKS Kubernetes activity by src ip", "GCP Kubernetes activity by src ip", "Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rod Soto", "detections": [{"name": "Amazon EKS Kubernetes cluster scan detection", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cloud Service Discovery"}]}, {"name": "Amazon EKS Kubernetes Pod scan detection", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cloud Service Discovery"}]}, {"name": "GCP Kubernetes cluster pod scan detection", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cloud Service Discovery"}]}, {"name": "GCP Kubernetes cluster scan detection", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Cloud Service Discovery"}]}, {"name": "Kubernetes Azure pod scan fingerprint", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes Azure scan fingerprint", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cloud Service Discovery"}]}]}, {"name": "Kubernetes Security", "author": "Patrick Bareiss", "date": "2023-12-06", "version": 1, "id": "77006b3a-306c-4e32-afd5-30b6e40c1c41", "description": "Kubernetes, as a container orchestration platform, faces unique security challenges. This story explores various tactics and techniques adversaries use to exploit Kubernetes environments, including attacking the control plane, exploiting misconfigurations, and compromising containerized applications.", "references": ["https://kubernetes.io/docs/concepts/security/"], "narrative": "Kubernetes, a widely used container orchestration system, presents a complex environment that can be targeted by adversaries. Key areas of concern include the control plane, worker nodes, and network communication. Attackers may attempt to exploit vulnerabilities in the Kubernetes API, misconfigured containers, or insecure network policies. The control plane, responsible for managing cluster operations, is a prime target. Compromising this can give attackers control over the entire cluster. Worker nodes, running the containerized applications, can be targeted to disrupt services or to gain access to sensitive data. Common attack vectors include exploiting vulnerabilities in container images, misconfigured role-based access controls (RBAC), exposed Kubernetes dashboards, and insecure network configurations. Attackers can also target the supply chain, injecting malicious code into container images or Helm charts. To mitigate these threats, it is essential to enforce robust security practices such as regular vulnerability scanning, implementing least privilege access, securing the control plane, network segmentation, and continuous monitoring for suspicious activities. Tools like Kubernetes Network Policies, Pod Security Policies, and third-party security solutions can provide additional layers of defense.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1526", "mitre_attack_technique": "Cloud Service Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1552.007", "mitre_attack_technique": "Container API", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1046", "mitre_attack_technique": "Network Service Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "APT41", "BackdoorDiplomacy", "BlackTech", "Chimera", "Cobalt Group", "DarkVishnya", "FIN13", "FIN6", "Fox Kitten", "Lazarus Group", "Leafminer", "Magic Hound", "Naikon", "OilRig", "Rocke", "Suckfly", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1053.007", "mitre_attack_technique": "Container Orchestration Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Discovery", "Privilege Escalation", "Credential Access", "Persistence", "Execution"], "datamodels": [], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - Kubernetes Abuse of Secret by Unusual Location - Rule", "ESCU - Kubernetes Abuse of Secret by Unusual User Agent - Rule", "ESCU - Kubernetes Abuse of Secret by Unusual User Group - Rule", "ESCU - Kubernetes Abuse of Secret by Unusual User Name - Rule", "ESCU - Kubernetes Access Scanning - Rule", "ESCU - Kubernetes AWS detect suspicious kubectl calls - Rule", "ESCU - Kubernetes Create or Update Privileged Pod - Rule", "ESCU - Kubernetes Cron Job Creation - Rule", "ESCU - Kubernetes DaemonSet Deployed - Rule", "ESCU - Kubernetes Falco Shell Spawned - Rule", "ESCU - Kubernetes Node Port Creation - Rule", "ESCU - Kubernetes Pod Created in Default Namespace - Rule", "ESCU - Kubernetes Pod With Host Network Attachment - Rule", "ESCU - Kubernetes Scanning by Unauthenticated IP Address - Rule", "ESCU - Kubernetes Suspicious Image Pulling - Rule", "ESCU - Kubernetes Unauthorized Access - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "no", "author_name": "Patrick Bareiss", "detections": [{"name": "Kubernetes Abuse of Secret by Unusual Location", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Container API"}]}, {"name": "Kubernetes Abuse of Secret by Unusual User Agent", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Container API"}]}, {"name": "Kubernetes Abuse of Secret by Unusual User Group", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Container API"}]}, {"name": "Kubernetes Abuse of Secret by Unusual User Name", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Container API"}]}, {"name": "Kubernetes Access Scanning", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Network Service Discovery"}]}, {"name": "Kubernetes AWS detect suspicious kubectl calls", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Create or Update Privileged Pod", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Kubernetes Cron Job Creation", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Container Orchestration Job"}]}, {"name": "Kubernetes DaemonSet Deployed", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Kubernetes Falco Shell Spawned", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Kubernetes Node Port Creation", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Kubernetes Pod Created in Default Namespace", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Kubernetes Pod With Host Network Attachment", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Kubernetes Scanning by Unauthenticated IP Address", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Network Service Discovery"}]}, {"name": "Kubernetes Suspicious Image Pulling", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Service Discovery"}]}, {"name": "Kubernetes Unauthorized Access", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}]}, {"name": "Kubernetes Sensitive Object Access Activity", "author": "Rod Soto, Splunk", "date": "2020-05-20", "version": 1, "id": "c7d4dbf0-a171-4eaf-8444-4f40392e4f92", "description": "This story addresses detection and response of accounts acccesing Kubernetes cluster sensitive objects such as configmaps or secrets providing information on items such as user user, group. object, namespace and authorization reason.", "references": ["https://www.splunk.com/en_us/blog/security/approaching-kubernetes-security-detecting-kubernetes-scan-with-splunk.html"], "narrative": "Kubernetes is the most used container orchestration platform, this orchestration platform contains sensitive objects within its architecture, specifically configmaps and secrets, if accessed by an attacker can lead to further compromise. These searches allow operator to detect suspicious requests against Kubernetes sensitive objects.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - AWS EKS Kubernetes cluster sensitive object access - Rule", "ESCU - Kubernetes AWS detect service accounts forbidden failure access - Rule", "ESCU - Kubernetes Azure detect sensitive object access - Rule", "ESCU - Kubernetes Azure detect service accounts forbidden failure access - Rule", "ESCU - Kubernetes Azure detect suspicious kubectl calls - Rule", "ESCU - Kubernetes GCP detect sensitive object access - Rule", "ESCU - Kubernetes GCP detect service accounts forbidden failure access - Rule", "ESCU - Kubernetes GCP detect suspicious kubectl calls - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rod Soto", "detections": [{"name": "AWS EKS Kubernetes cluster sensitive object access", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes AWS detect service accounts forbidden failure access", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes Azure detect sensitive object access", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes Azure detect service accounts forbidden failure access", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes Azure detect suspicious kubectl calls", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes GCP detect sensitive object access", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes GCP detect service accounts forbidden failure access", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes GCP detect suspicious kubectl calls", "source": "deprecated", "type": "Hunting", "tags": []}]}, {"name": "Linux Living Off The Land", "author": "Michael Haag, Splunk", "date": "2022-07-27", "version": 1, "id": "e405a2d7-dc8e-4227-8e9d-f60267b8c0cd", "description": "Linux Living Off The Land consists of binaries that may be used to bypass local security restrictions within misconfigured systems.", "references": ["https://gtfobins.github.io/"], "narrative": "Similar to Windows LOLBAS project, the GTFOBins project focuses solely on Unix binaries that may be abused in multiple categories including Reverse Shell, File Upload, File Download and much more. These binaries are native to the operating system and the functionality is typically native. The behaviors are typically not malicious by default or vulnerable, but these are built in functionality of the applications. When reviewing any notables or hunting through mountains of events of interest, it's important to identify the binary, review command-line arguments, path of file, and capture any network and file modifications. Linux analysis may be a bit cumbersome due to volume and how process behavior is seen in EDR products. Piecing it together will require some effort.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1059.004", "mitre_attack_technique": "Unix Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT41", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1115", "mitre_attack_technique": "Clipboard Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT38", "APT39"]}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "Cinnamon Tempest", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "MoustachedBouncer", "POLONIUM", "Sandworm Team", "Turla", "Volt Typhoon", "Windigo"]}, {"mitre_attack_id": "T1548.001", "mitre_attack_technique": "Setuid and Setgid", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1098.004", "mitre_attack_technique": "SSH Authorized Keys", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca", "TeamTNT"]}, {"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.004", "mitre_attack_technique": "SSH", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT39", "APT5", "BlackTech", "FIN13", "FIN7", "Fox Kitten", "GCMAN", "Lazarus Group", "Leviathan", "OilRig", "Rocke", "TeamTNT", "menuPass"]}, {"mitre_attack_id": "T1053.002", "mitre_attack_technique": "At", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "BRONZE BUTLER", "Threat Group-3390"]}, {"mitre_attack_id": "T1222.002", "mitre_attack_technique": "Linux and Mac File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1053.006", "mitre_attack_technique": "Systemd Timers", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053.003", "mitre_attack_technique": "Cron", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT38", "APT5", "Rocke"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1095", "mitre_attack_technique": "Non-Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT3", "BITTER", "BackdoorDiplomacy", "FIN6", "HAFNIUM", "Metador", "PLATINUM", "ToddyCat"]}], "mitre_attack_tactics": ["Command And Control", "Collection", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Lateral Movement"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation", "Command and Control"]}, "detection_names": ["ESCU - Curl Download and Bash Execution - Rule", "ESCU - Linux Add Files In Known Crontab Directories - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux apt-get Privilege Escalation - Rule", "ESCU - Linux APT Privilege Escalation - Rule", "ESCU - Linux At Allow Config File Creation - Rule", "ESCU - Linux At Application Execution - Rule", "ESCU - Linux AWK Privilege Escalation - Rule", "ESCU - Linux Busybox Privilege Escalation - Rule", "ESCU - Linux c89 Privilege Escalation - Rule", "ESCU - Linux c99 Privilege Escalation - Rule", "ESCU - Linux Change File Owner To Root - Rule", "ESCU - Linux Clipboard Data Copy - Rule", "ESCU - Linux Common Process For Elevation Control - Rule", "ESCU - Linux Composer Privilege Escalation - Rule", "ESCU - Linux Cpulimit Privilege Escalation - Rule", "ESCU - Linux Csvtool Privilege Escalation - Rule", "ESCU - Linux Curl Upload File - Rule", "ESCU - Linux Decode Base64 to Shell - Rule", "ESCU - Linux Docker Privilege Escalation - Rule", "ESCU - Linux Edit Cron Table Parameter - Rule", "ESCU - Linux Emacs Privilege Escalation - Rule", "ESCU - Linux Find Privilege Escalation - Rule", "ESCU - Linux GDB Privilege Escalation - Rule", "ESCU - Linux Gem Privilege Escalation - Rule", "ESCU - Linux GNU Awk Privilege Escalation - Rule", "ESCU - Linux Ingress Tool Transfer Hunting - Rule", "ESCU - Linux Ingress Tool Transfer with Curl - Rule", "ESCU - Linux Make Privilege Escalation - Rule", "ESCU - Linux MySQL Privilege Escalation - Rule", "ESCU - Linux Node Privilege Escalation - Rule", "ESCU - Linux Obfuscated Files or Information Base64 Decode - Rule", "ESCU - Linux Octave Privilege Escalation - Rule", "ESCU - Linux OpenVPN Privilege Escalation - Rule", "ESCU - Linux PHP Privilege Escalation - Rule", "ESCU - Linux pkexec Privilege Escalation - Rule", "ESCU - Linux Possible Access Or Modification Of sshd Config File - Rule", "ESCU - Linux Possible Append Cronjob Entry on Existing Cronjob File - Rule", "ESCU - Linux Possible Cronjob Modification With Editor - Rule", "ESCU - Linux Possible Ssh Key File Creation - Rule", "ESCU - Linux Proxy Socks Curl - Rule", "ESCU - Linux Puppet Privilege Escalation - Rule", "ESCU - Linux RPM Privilege Escalation - Rule", "ESCU - Linux Ruby Privilege Escalation - Rule", "ESCU - Linux Service File Created In Systemd Directory - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Service Started Or Enabled - Rule", "ESCU - Linux Setuid Using Chmod Utility - Rule", "ESCU - Linux Sqlite3 Privilege Escalation - Rule", "ESCU - Linux SSH Authorized Keys Modification - Rule", "ESCU - Linux SSH Remote Services Script Execute - Rule", "ESCU - Suspicious Curl Network Connection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Curl Download and Bash Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Linux Add Files In Known Crontab Directories", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Adding Crontab Using List Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux apt-get Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux APT Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux At Allow Config File Creation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux At Application Execution", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "At"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux AWK Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Busybox Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux c89 Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux c99 Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Change File Owner To Root", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Linux and Mac File and Directory Permissions Modification"}, {"mitre_attack_technique": "File and Directory Permissions Modification"}]}, {"name": "Linux Clipboard Data Copy", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Clipboard Data"}]}, {"name": "Linux Common Process For Elevation Control", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Setuid and Setgid"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Composer Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Cpulimit Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Csvtool Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Curl Upload File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Linux Decode Base64 to Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "Unix Shell"}]}, {"name": "Linux Docker Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Edit Cron Table Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Emacs Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Find Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux GDB Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Gem Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux GNU Awk Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Ingress Tool Transfer Hunting", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Linux Ingress Tool Transfer with Curl", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Linux Make Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux MySQL Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Node Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Obfuscated Files or Information Base64 Decode", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}, {"name": "Linux Octave Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux OpenVPN Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux PHP Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux pkexec Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}, {"name": "Linux Possible Access Or Modification Of sshd Config File", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "SSH Authorized Keys"}, {"mitre_attack_technique": "Account Manipulation"}]}, {"name": "Linux Possible Append Cronjob Entry on Existing Cronjob File", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Possible Cronjob Modification With Editor", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Possible Ssh Key File Creation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "SSH Authorized Keys"}, {"mitre_attack_technique": "Account Manipulation"}]}, {"name": "Linux Proxy Socks Curl", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Non-Application Layer Protocol"}]}, {"name": "Linux Puppet Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux RPM Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Ruby Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Service File Created In Systemd Directory", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Service Restarted", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Service Started Or Enabled", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Setuid Using Chmod Utility", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Setuid and Setgid"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Sqlite3 Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux SSH Authorized Keys Modification", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "SSH Authorized Keys"}]}, {"name": "Linux SSH Remote Services Script Execute", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "SSH"}]}, {"name": "Suspicious Curl Network Connection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}]}, {"name": "Linux Persistence Techniques", "author": "Teoderick Contreras, Splunk", "date": "2021-12-17", "version": 1, "id": "e40d13e5-d38b-457e-af2a-e8e6a2f2b516", "description": "Monitor for activities and techniques associated with maintaining persistence on a Linux system--a sign that an adversary may have compromised your environment.", "references": ["https://attack.mitre.org/techniques/T1053/", "https://kifarunix.com/scheduling-tasks-using-at-command-in-linux/", "https://gtfobins.github.io/gtfobins/at/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf"], "narrative": "Maintaining persistence is one of the first steps taken by attackers after the initial compromise. Attackers leverage various custom and built-in tools to ensure survivability and persistent access within a compromised enterprise. This Analytic Story provides searches to help you identify various behaviors used by attackers to maintain persistent access to a Linux environment.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1574.006", "mitre_attack_technique": "Dynamic Linker Hijacking", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT41", "Rocke"]}, {"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "APT5", "Dragonfly", "FIN13", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT", "Wizard Spider"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider", "Scattered Spider"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1548.001", "mitre_attack_technique": "Setuid and Setgid", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1098.004", "mitre_attack_technique": "SSH Authorized Keys", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca", "TeamTNT"]}, {"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1003.008", "mitre_attack_technique": "/etc/passwd and /etc/shadow", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053.002", "mitre_attack_technique": "At", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "BRONZE BUTLER", "Threat Group-3390"]}, {"mitre_attack_id": "T1222.002", "mitre_attack_technique": "Linux and Mac File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1546.004", "mitre_attack_technique": "Unix Shell Configuration Modification", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053.006", "mitre_attack_technique": "Systemd Timers", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053.003", "mitre_attack_technique": "Cron", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT38", "APT5", "Rocke"]}, {"mitre_attack_id": "T1037.004", "mitre_attack_technique": "RC Scripts", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1037", "mitre_attack_technique": "Boot or Logon Initialization Scripts", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "Rocke"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.006", "mitre_attack_technique": "Kernel Modules and Extensions", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Privilege Escalation", "Credential Access", "Persistence", "Execution", "Defense Evasion", "Impact"], "datamodels": ["Risk", "Endpoint"], "kill_chain_phases": ["Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Linux Add Files In Known Crontab Directories - Rule", "ESCU - Linux Add User Account - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux At Allow Config File Creation - Rule", "ESCU - Linux At Application Execution - Rule", "ESCU - Linux Change File Owner To Root - Rule", "ESCU - Linux Common Process For Elevation Control - Rule", "ESCU - Linux Doas Conf File Creation - Rule", "ESCU - Linux Doas Tool Execution - Rule", "ESCU - Linux Edit Cron Table Parameter - Rule", "ESCU - Linux File Created In Kernel Driver Directory - Rule", "ESCU - Linux File Creation In Init Boot Directory - Rule", "ESCU - Linux File Creation In Profile Directory - Rule", "ESCU - Linux Insert Kernel Module Using Insmod Utility - Rule", "ESCU - Linux Install Kernel Module Using Modprobe Utility - Rule", "ESCU - Linux NOPASSWD Entry In Sudoers File - Rule", "ESCU - Linux Persistence and Privilege Escalation Risk Behavior - Rule", "ESCU - Linux Possible Access Or Modification Of sshd Config File - Rule", "ESCU - Linux Possible Access To Credential Files - Rule", "ESCU - Linux Possible Access To Sudoers File - Rule", "ESCU - Linux Possible Append Command To At Allow Config File - Rule", "ESCU - Linux Possible Append Command To Profile Config File - Rule", "ESCU - Linux Possible Append Cronjob Entry on Existing Cronjob File - Rule", "ESCU - Linux Possible Cronjob Modification With Editor - Rule", "ESCU - Linux Possible Ssh Key File Creation - Rule", "ESCU - Linux Preload Hijack Library Calls - Rule", "ESCU - Linux Service File Created In Systemd Directory - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Service Started Or Enabled - Rule", "ESCU - Linux Setuid Using Chmod Utility - Rule", "ESCU - Linux Setuid Using Setcap Utility - Rule", "ESCU - Linux Shred Overwrite Command - Rule", "ESCU - Linux Sudo OR Su Execution - Rule", "ESCU - Linux Sudoers Tmp File Creation - Rule", "ESCU - Linux Visudo Utility Execution - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Linux Add Files In Known Crontab Directories", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Add User Account", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}, {"name": "Linux Adding Crontab Using List Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux At Allow Config File Creation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux At Application Execution", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "At"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Change File Owner To Root", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Linux and Mac File and Directory Permissions Modification"}, {"mitre_attack_technique": "File and Directory Permissions Modification"}]}, {"name": "Linux Common Process For Elevation Control", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Setuid and Setgid"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Doas Conf File Creation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Doas Tool Execution", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Edit Cron Table Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux File Created In Kernel Driver Directory", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Linux File Creation In Init Boot Directory", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "RC Scripts"}, {"mitre_attack_technique": "Boot or Logon Initialization Scripts"}]}, {"name": "Linux File Creation In Profile Directory", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Unix Shell Configuration Modification"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Linux Insert Kernel Module Using Insmod Utility", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Linux Install Kernel Module Using Modprobe Utility", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Linux NOPASSWD Entry In Sudoers File", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Persistence and Privilege Escalation Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Possible Access Or Modification Of sshd Config File", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "SSH Authorized Keys"}, {"mitre_attack_technique": "Account Manipulation"}]}, {"name": "Linux Possible Access To Credential Files", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "/etc/passwd and /etc/shadow"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Linux Possible Access To Sudoers File", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Possible Append Command To At Allow Config File", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "At"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Possible Append Command To Profile Config File", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Unix Shell Configuration Modification"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Linux Possible Append Cronjob Entry on Existing Cronjob File", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Possible Cronjob Modification With Editor", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Possible Ssh Key File Creation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "SSH Authorized Keys"}, {"mitre_attack_technique": "Account Manipulation"}]}, {"name": "Linux Preload Hijack Library Calls", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Dynamic Linker Hijacking"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "Linux Service File Created In Systemd Directory", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Service Restarted", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Service Started Or Enabled", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Setuid Using Chmod Utility", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Setuid and Setgid"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Setuid Using Setcap Utility", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Setuid and Setgid"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Shred Overwrite Command", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Linux Sudo OR Su Execution", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Sudoers Tmp File Creation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Visudo Utility Execution", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}]}, {"name": "Linux Post-Exploitation", "author": "Rod Soto", "date": "2021-12-03", "version": 1, "id": "d310ccfe-5477-11ec-ad05-acde48001122", "description": "This analytic story identifies popular Linux post exploitation tools such as autoSUID, LinEnum, LinPEAS, Linux Exploit Suggesters, MimiPenguin.", "references": ["https://attack.mitre.org/matrices/enterprise/linux/"], "narrative": "These tools allow operators find possible exploits or paths for privilege escalation based on SUID binaries, user permissions, kernel version and distro version.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Suspicious Linux Discovery Commands - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "no", "author_name": "Rod Soto", "detections": [{"name": "Suspicious Linux Discovery Commands", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Unix Shell"}]}]}, {"name": "Linux Privilege Escalation", "author": "Teoderick Contreras, Splunk", "date": "2021-12-17", "version": 1, "id": "b9879c24-670a-44c0-895e-98cdb7d0e848", "description": "Monitor for and investigate activities that may be associated with a Linux privilege-escalation attack, including unusual processes running on endpoints, schedule task, services, setuid, root execution and more.", "references": ["https://attack.mitre.org/tactics/TA0004/"], "narrative": "Privilege escalation is a \"land-and-expand\" technique, wherein an adversary gains an initial foothold on a host and then exploits its weaknesses to increase his privileges. The motivation is simple: certain actions on a Linux machine--such as installing software--may require higher-level privileges than those the attacker initially acquired. By increasing his privilege level, the attacker can gain the control required to carry out his malicious ends. This Analytic Story provides searches to detect and investigate behaviors that attackers may use to elevate their privileges in your environment.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1574.006", "mitre_attack_technique": "Dynamic Linker Hijacking", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT41", "Rocke"]}, {"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "APT5", "Dragonfly", "FIN13", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT", "Wizard Spider"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider", "Scattered Spider"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1548.001", "mitre_attack_technique": "Setuid and Setgid", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1098.004", "mitre_attack_technique": "SSH Authorized Keys", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca", "TeamTNT"]}, {"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1003.008", "mitre_attack_technique": "/etc/passwd and /etc/shadow", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053.002", "mitre_attack_technique": "At", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "BRONZE BUTLER", "Threat Group-3390"]}, {"mitre_attack_id": "T1222.002", "mitre_attack_technique": "Linux and Mac File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1546.004", "mitre_attack_technique": "Unix Shell Configuration Modification", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1053.006", "mitre_attack_technique": "Systemd Timers", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053.003", "mitre_attack_technique": "Cron", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT38", "APT5", "Rocke"]}, {"mitre_attack_id": "T1037.004", "mitre_attack_technique": "RC Scripts", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1037", "mitre_attack_technique": "Boot or Logon Initialization Scripts", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "Rocke"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.006", "mitre_attack_technique": "Kernel Modules and Extensions", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Privilege Escalation", "Credential Access", "Persistence", "Execution", "Defense Evasion", "Impact"], "datamodels": ["Risk", "Endpoint"], "kill_chain_phases": ["Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Linux Add Files In Known Crontab Directories - Rule", "ESCU - Linux Add User Account - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux apt-get Privilege Escalation - Rule", "ESCU - Linux APT Privilege Escalation - Rule", "ESCU - Linux At Allow Config File Creation - Rule", "ESCU - Linux At Application Execution - Rule", "ESCU - Linux AWK Privilege Escalation - Rule", "ESCU - Linux Busybox Privilege Escalation - Rule", "ESCU - Linux c89 Privilege Escalation - Rule", "ESCU - Linux c99 Privilege Escalation - Rule", "ESCU - Linux Change File Owner To Root - Rule", "ESCU - Linux Common Process For Elevation Control - Rule", "ESCU - Linux Composer Privilege Escalation - Rule", "ESCU - Linux Cpulimit Privilege Escalation - Rule", "ESCU - Linux Csvtool Privilege Escalation - Rule", "ESCU - Linux Doas Conf File Creation - Rule", "ESCU - Linux Doas Tool Execution - Rule", "ESCU - Linux Docker Privilege Escalation - Rule", "ESCU - Linux Edit Cron Table Parameter - Rule", "ESCU - Linux Emacs Privilege Escalation - Rule", "ESCU - Linux File Created In Kernel Driver Directory - Rule", "ESCU - Linux File Creation In Init Boot Directory - Rule", "ESCU - Linux File Creation In Profile Directory - Rule", "ESCU - Linux Find Privilege Escalation - Rule", "ESCU - Linux GDB Privilege Escalation - Rule", "ESCU - Linux Gem Privilege Escalation - Rule", "ESCU - Linux GNU Awk Privilege Escalation - Rule", "ESCU - Linux Insert Kernel Module Using Insmod Utility - Rule", "ESCU - Linux Install Kernel Module Using Modprobe Utility - Rule", "ESCU - Linux Make Privilege Escalation - Rule", "ESCU - Linux MySQL Privilege Escalation - Rule", "ESCU - Linux Node Privilege Escalation - Rule", "ESCU - Linux NOPASSWD Entry In Sudoers File - Rule", "ESCU - Linux Octave Privilege Escalation - Rule", "ESCU - Linux OpenVPN Privilege Escalation - Rule", "ESCU - Linux Persistence and Privilege Escalation Risk Behavior - Rule", "ESCU - Linux PHP Privilege Escalation - Rule", "ESCU - Linux pkexec Privilege Escalation - Rule", "ESCU - Linux Possible Access Or Modification Of sshd Config File - Rule", "ESCU - Linux Possible Access To Credential Files - Rule", "ESCU - Linux Possible Access To Sudoers File - Rule", "ESCU - Linux Possible Append Command To At Allow Config File - Rule", "ESCU - Linux Possible Append Command To Profile Config File - Rule", "ESCU - Linux Possible Append Cronjob Entry on Existing Cronjob File - Rule", "ESCU - Linux Possible Cronjob Modification With Editor - Rule", "ESCU - Linux Possible Ssh Key File Creation - Rule", "ESCU - Linux Preload Hijack Library Calls - Rule", "ESCU - Linux Puppet Privilege Escalation - Rule", "ESCU - Linux RPM Privilege Escalation - Rule", "ESCU - Linux Ruby Privilege Escalation - Rule", "ESCU - Linux Service File Created In Systemd Directory - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Service Started Or Enabled - Rule", "ESCU - Linux Setuid Using Chmod Utility - Rule", "ESCU - Linux Setuid Using Setcap Utility - Rule", "ESCU - Linux Shred Overwrite Command - Rule", "ESCU - Linux Sqlite3 Privilege Escalation - Rule", "ESCU - Linux Sudo OR Su Execution - Rule", "ESCU - Linux Sudoers Tmp File Creation - Rule", "ESCU - Linux Visudo Utility Execution - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Linux Add Files In Known Crontab Directories", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Add User Account", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}, {"name": "Linux Adding Crontab Using List Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux apt-get Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux APT Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux At Allow Config File Creation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux At Application Execution", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "At"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux AWK Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Busybox Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux c89 Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux c99 Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Change File Owner To Root", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Linux and Mac File and Directory Permissions Modification"}, {"mitre_attack_technique": "File and Directory Permissions Modification"}]}, {"name": "Linux Common Process For Elevation Control", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Setuid and Setgid"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Composer Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Cpulimit Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Csvtool Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Doas Conf File Creation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Doas Tool Execution", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Docker Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Edit Cron Table Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Emacs Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux File Created In Kernel Driver Directory", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Linux File Creation In Init Boot Directory", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "RC Scripts"}, {"mitre_attack_technique": "Boot or Logon Initialization Scripts"}]}, {"name": "Linux File Creation In Profile Directory", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Unix Shell Configuration Modification"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Linux Find Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux GDB Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Gem Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux GNU Awk Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Insert Kernel Module Using Insmod Utility", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Linux Install Kernel Module Using Modprobe Utility", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Linux Make Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux MySQL Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Node Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux NOPASSWD Entry In Sudoers File", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Octave Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux OpenVPN Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Persistence and Privilege Escalation Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux PHP Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux pkexec Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}, {"name": "Linux Possible Access Or Modification Of sshd Config File", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "SSH Authorized Keys"}, {"mitre_attack_technique": "Account Manipulation"}]}, {"name": "Linux Possible Access To Credential Files", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "/etc/passwd and /etc/shadow"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Linux Possible Access To Sudoers File", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Possible Append Command To At Allow Config File", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "At"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Possible Append Command To Profile Config File", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Unix Shell Configuration Modification"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Linux Possible Append Cronjob Entry on Existing Cronjob File", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Possible Cronjob Modification With Editor", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Possible Ssh Key File Creation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "SSH Authorized Keys"}, {"mitre_attack_technique": "Account Manipulation"}]}, {"name": "Linux Preload Hijack Library Calls", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Dynamic Linker Hijacking"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "Linux Puppet Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux RPM Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Ruby Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Service File Created In Systemd Directory", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Service Restarted", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Service Started Or Enabled", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Setuid Using Chmod Utility", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Setuid and Setgid"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Setuid Using Setcap Utility", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Setuid and Setgid"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Shred Overwrite Command", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Linux Sqlite3 Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Sudo OR Su Execution", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Sudoers Tmp File Creation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Visudo Utility Execution", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}]}, {"name": "Linux Rootkit", "author": "Michael Haag, Splunk", "date": "2022-07-27", "version": 1, "id": "e30f4054-ac08-4999-b8bc-5cc46886c18d", "description": "Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.", "references": ["https://attack.mitre.org/techniques/T1014/", "https://content.fireeye.com/apt-41/rpt-apt41", "https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a"], "narrative": "Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor, Master Boot Record, or System Firmware. Rootkits have been seen for Windows, Linux, and Mac OS X systems. Linux rootkits may not standout as much as a Windows rootkit, therefore understanding what kernel modules are installed today and monitoring for new is important. As with any rootkit, it may blend in using a common kernel name or variation of legitimate names.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.006", "mitre_attack_technique": "Kernel Modules and Extensions", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - Linux File Created In Kernel Driver Directory - Rule", "ESCU - Linux Insert Kernel Module Using Insmod Utility - Rule", "ESCU - Linux Install Kernel Module Using Modprobe Utility - Rule", "ESCU - Linux Kernel Module Enumeration - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Linux File Created In Kernel Driver Directory", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Linux Insert Kernel Module Using Insmod Utility", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Linux Install Kernel Module Using Modprobe Utility", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Linux Kernel Module Enumeration", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Information Discovery"}, {"mitre_attack_technique": "Rootkit"}]}]}, {"name": "Living Off The Land", "author": "Lou Stella, Splunk", "date": "2022-03-16", "version": 2, "id": "6f7982e2-900b-11ec-a54a-acde48001122", "description": "Leverage analytics that allow you to identify the presence of an adversary leveraging native applications within your environment.", "references": ["https://lolbas-project.github.io/"], "narrative": "Living Off The Land refers to an adversary methodology of using native applications already installed on the target operating system to achieve their objective. Native utilities provide the adversary with reduced chances of detection by antivirus software or EDR tools. This allows the adversary to blend in with native process behavior.", "tags": {"category": ["Adversary Tactics", "Unauthorized Software", "Lateral Movement", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.002", "mitre_attack_technique": "Control Panel", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Ember Bear"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}, {"mitre_attack_id": "T1059.004", "mitre_attack_technique": "Unix Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT41", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Cinnamon Tempest", "Earth Lusca", "FIN13", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1003.003", "mitre_attack_technique": "NTDS", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "HAFNIUM", "Ke3chang", "LAPSUS$", "Mustang Panda", "Sandworm Team", "Scattered Spider", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1546.003", "mitre_attack_technique": "Windows Management Instrumentation Event Subscription", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT33", "Blue Mockingbird", "FIN8", "HEXANE", "Leviathan", "Metador", "Mustang Panda", "Rancor", "Turla"]}, {"mitre_attack_id": "T1218.001", "mitre_attack_technique": "Compiled HTML File", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "APT41", "Dark Caracal", "OilRig", "Silence"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218.013", "mitre_attack_technique": "Mavinject", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1197", "mitre_attack_technique": "BITS Jobs", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": ["APT39", "APT41", "Leviathan", "Patchwork", "Wizard Spider"]}, {"mitre_attack_id": "T1567", "mitre_attack_technique": "Exfiltration Over Web Service", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT28", "Magic Hound"]}, {"mitre_attack_id": "T1218.014", "mitre_attack_technique": "MMC", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}, {"mitre_attack_id": "T1218.008", "mitre_attack_technique": "Odbcconf", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group"]}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA2541", "TA551"]}, {"mitre_attack_id": "T1053.002", "mitre_attack_technique": "At", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "BRONZE BUTLER", "Threat Group-3390"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1127.001", "mitre_attack_technique": "MSBuild", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1202", "mitre_attack_technique": "Indirect Command Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1140", "mitre_attack_technique": "Deobfuscate/Decode Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT39", "BRONZE BUTLER", "Cinnamon Tempest", "Darkhotel", "Earth Lusca", "FIN13", "Gamaredon Group", "Gorgon Group", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Malteiro", "Molerats", "MuddyWater", "OilRig", "Rocke", "Sandworm Team", "TA505", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "WIRTE", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1218.009", "mitre_attack_technique": "Regsvcs/Regasm", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1574.011", "mitre_attack_technique": "Services Registry Permissions Weakness", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546.015", "mitre_attack_technique": "Component Object Model Hijacking", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1216", "mitre_attack_technique": "System Script Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1574.001", "mitre_attack_technique": "DLL Search Order Hijacking", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT41", "Aquatic Panda", "BackdoorDiplomacy", "Cinnamon Tempest", "Evilnum", "RTM", "Threat Group-3390", "Tonto Team", "Whitefly", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1647", "mitre_attack_technique": "Plist File Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}], "mitre_attack_tactics": ["Command And Control", "Initial Access", "Exfiltration", "Privilege Escalation", "Credential Access", "Persistence", "Execution", "Defense Evasion", "Lateral Movement"], "datamodels": ["Network_Traffic", "Risk", "Endpoint"], "kill_chain_phases": ["Delivery", "Exploitation", "Actions on Objectives", "Installation", "Command and Control"]}, "detection_names": ["ESCU - Windows DLL Search Order Hijacking Hunt - Rule", "ESCU - BITS Job Persistence - Rule", "ESCU - BITSAdmin Download File - Rule", "ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - CertUtil Download With VerifyCtl and Split Arguments - Rule", "ESCU - Certutil exe certificate extraction - Rule", "ESCU - CertUtil With Decode Argument - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Control Loading from World Writable Directory - Rule", "ESCU - Creation of Shadow Copy with wmic and powershell - Rule", "ESCU - Detect HTML Help Renamed - Rule", "ESCU - Detect HTML Help Spawn Child Process - Rule", "ESCU - Detect HTML Help URL in Command Line - Rule", "ESCU - Detect HTML Help Using InfoTech Storage Handlers - Rule", "ESCU - Detect mshta inline hta execution - Rule", "ESCU - Detect mshta renamed - Rule", "ESCU - Detect MSHTA Url in Command Line - Rule", "ESCU - Detect Regasm Spawning a Process - Rule", "ESCU - Detect Regasm with Network Connection - Rule", "ESCU - Detect Regasm with no Command Line Arguments - Rule", "ESCU - Detect Regsvcs Spawning a Process - Rule", "ESCU - Detect Regsvcs with Network Connection - Rule", "ESCU - Detect Regsvcs with No Command Line Arguments - Rule", "ESCU - Detect Regsvr32 Application Control Bypass - Rule", "ESCU - Detect Rundll32 Application Control Bypass - advpack - Rule", "ESCU - Detect Rundll32 Application Control Bypass - setupapi - Rule", "ESCU - Detect Rundll32 Application Control Bypass - syssetup - Rule", "ESCU - Detect Rundll32 Inline HTA Execution - Rule", "ESCU - Disable Schedule Task - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Esentutl SAM Copy - Rule", "ESCU - Eventvwr UAC Bypass - Rule", "ESCU - Living Off The Land Detection - Rule", "ESCU - LOLBAS With Network Traffic - Rule", "ESCU - MacOS LOLbin - Rule", "ESCU - MacOS plutil - Rule", "ESCU - Mmc LOLBAS Execution Process Spawn - Rule", "ESCU - Mshta spawning Rundll32 OR Regsvr32 Process - Rule", "ESCU - Ntdsutil Export NTDS - Rule", "ESCU - Reg exe Manipulating Windows Services Registry Keys - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Remote WMI Command Attempt - Rule", "ESCU - Rundll32 Control RunDLL Hunt - Rule", "ESCU - Rundll32 Control RunDLL World Writable Directory - Rule", "ESCU - Rundll32 Create Remote Thread To A Process - Rule", "ESCU - Rundll32 CreateRemoteThread In Browser - Rule", "ESCU - Rundll32 DNSQuery - Rule", "ESCU - Rundll32 Process Creating Exe Dll Files - Rule", "ESCU - Rundll32 Shimcache Flush - Rule", "ESCU - RunDLL Loading DLL By Ordinal - Rule", "ESCU - Schedule Task with HTTP Command Arguments - Rule", "ESCU - Schedule Task with Rundll32 Command Trigger - Rule", "ESCU - Scheduled Task Creation on Remote Endpoint using At - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Scheduled Task Initiation on Remote Endpoint - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Services LOLBAS Execution Process Spawn - Rule", "ESCU - Suspicious IcedID Rundll32 Cmdline - Rule", "ESCU - Suspicious microsoft workflow compiler rename - Rule", "ESCU - Suspicious microsoft workflow compiler usage - Rule", "ESCU - Suspicious msbuild path - Rule", "ESCU - Suspicious MSBuild Rename - Rule", "ESCU - Suspicious MSBuild Spawn - Rule", "ESCU - Suspicious mshta child process - Rule", "ESCU - Suspicious mshta spawn - Rule", "ESCU - Suspicious Regsvr32 Register Suspicious Path - Rule", "ESCU - Suspicious Rundll32 dllregisterserver - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Svchost LOLBAS Execution Process Spawn - Rule", "ESCU - Windows Binary Proxy Execution Mavinject DLL Injection - Rule", "ESCU - Windows COM Hijacking InprocServer32 Modification - Rule", "ESCU - Windows Diskshadow Proxy Execution - Rule", "ESCU - Windows DLL Search Order Hijacking Hunt with Sysmon - Rule", "ESCU - Windows DLL Search Order Hijacking with iscsicpl - Rule", "ESCU - Windows Identify Protocol Handlers - Rule", "ESCU - Windows Indirect Command Execution Via forfiles - Rule", "ESCU - Windows Indirect Command Execution Via pcalua - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows InstallUtil Remote Network Connection - Rule", "ESCU - Windows InstallUtil Uninstall Option - Rule", "ESCU - Windows InstallUtil Uninstall Option with Network - Rule", "ESCU - Windows InstallUtil URL in Command Line - Rule", "ESCU - Windows Known Abused DLL Created - Rule", "ESCU - Windows MOF Event Triggered Execution via WMI - Rule", "ESCU - Windows Odbcconf Hunting - Rule", "ESCU - Windows Odbcconf Load DLL - Rule", "ESCU - Windows Odbcconf Load Response File - Rule", "ESCU - Windows System Binary Proxy Execution Compiled HTML File Decompile - Rule", "ESCU - Windows System Script Proxy Execution Syncappvpublishingserver - Rule", "ESCU - Windows UAC Bypass Suspicious Child Process - Rule", "ESCU - Windows UAC Bypass Suspicious Escalation Behavior - Rule", "ESCU - WSReset UAC Bypass - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Lou Stella", "detections": [{"name": "Windows DLL Search Order Hijacking Hunt", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "DLL Search Order Hijacking"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "BITS Job Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "BITS Jobs"}]}, {"name": "BITSAdmin Download File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "BITS Jobs"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "CertUtil Download With VerifyCtl and Split Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Certutil exe certificate extraction", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CertUtil With Decode Argument", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Deobfuscate/Decode Files or Information"}]}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Control Loading from World Writable Directory", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Control Panel"}]}, {"name": "Creation of Shadow Copy with wmic and powershell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Detect HTML Help Renamed", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Compiled HTML File"}]}, {"name": "Detect HTML Help Spawn Child Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Compiled HTML File"}]}, {"name": "Detect HTML Help URL in Command Line", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Compiled HTML File"}]}, {"name": "Detect HTML Help Using InfoTech Storage Handlers", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Compiled HTML File"}]}, {"name": "Detect mshta inline hta execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}, {"name": "Detect mshta renamed", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}, {"name": "Detect MSHTA Url in Command Line", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}, {"name": "Detect Regasm Spawning a Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}, {"name": "Detect Regasm with Network Connection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}, {"name": "Detect Regasm with no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}, {"name": "Detect Regsvcs Spawning a Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}, {"name": "Detect Regsvcs with Network Connection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}, {"name": "Detect Regsvcs with No Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}, {"name": "Detect Regsvr32 Application Control Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}, {"name": "Detect Rundll32 Application Control Bypass - advpack", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Detect Rundll32 Application Control Bypass - setupapi", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Detect Rundll32 Application Control Bypass - syssetup", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Detect Rundll32 Inline HTA Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}, {"name": "Disable Schedule Task", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Esentutl SAM Copy", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Eventvwr UAC Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Living Off The Land Detection", "source": "endpoint", "type": "Correlation", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "LOLBAS With Network Traffic", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}, {"mitre_attack_technique": "Exfiltration Over Web Service"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}, {"name": "MacOS LOLbin", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Unix Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "MacOS plutil", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Plist File Modification"}]}, {"name": "Mmc LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "MMC"}]}, {"name": "Mshta spawning Rundll32 OR Regsvr32 Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}, {"name": "Ntdsutil Export NTDS", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Reg exe Manipulating Windows Services Registry Keys", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Services Registry Permissions Weakness"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "Regsvr32 Silent and Install Param Dll Loading", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}, {"name": "Remote WMI Command Attempt", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "Rundll32 Control RunDLL Hunt", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Rundll32 Control RunDLL World Writable Directory", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Rundll32 Create Remote Thread To A Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Rundll32 CreateRemoteThread In Browser", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Rundll32 DNSQuery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Rundll32 Process Creating Exe Dll Files", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Rundll32 Shimcache Flush", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "RunDLL Loading DLL By Ordinal", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Schedule Task with HTTP Command Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Schedule Task with Rundll32 Command Trigger", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Scheduled Task Creation on Remote Endpoint using At", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "At"}]}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Scheduled Task Initiation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}, {"name": "Schtasks scheduling job on remote system", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Services LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Suspicious IcedID Rundll32 Cmdline", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Suspicious microsoft workflow compiler rename", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}]}, {"name": "Suspicious microsoft workflow compiler usage", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}]}, {"name": "Suspicious msbuild path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}, {"name": "Suspicious MSBuild Rename", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}, {"name": "Suspicious MSBuild Spawn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "MSBuild"}]}, {"name": "Suspicious mshta child process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}, {"name": "Suspicious mshta spawn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}, {"name": "Suspicious Regsvr32 Register Suspicious Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}, {"name": "Suspicious Rundll32 dllregisterserver", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Svchost LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}, {"name": "Windows Binary Proxy Execution Mavinject DLL Injection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Mavinject"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}, {"name": "Windows COM Hijacking InprocServer32 Modification", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Component Object Model Hijacking"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Windows Diskshadow Proxy Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}]}, {"name": "Windows DLL Search Order Hijacking Hunt with Sysmon", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "DLL Search Order Hijacking"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "Windows DLL Search Order Hijacking with iscsicpl", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "DLL Search Order Hijacking"}]}, {"name": "Windows Identify Protocol Handlers", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows Indirect Command Execution Via forfiles", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indirect Command Execution"}]}, {"name": "Windows Indirect Command Execution Via pcalua", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indirect Command Execution"}]}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}, {"name": "Windows InstallUtil Remote Network Connection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "InstallUtil"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}, {"name": "Windows InstallUtil Uninstall Option", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "InstallUtil"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}, {"name": "Windows InstallUtil Uninstall Option with Network", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "InstallUtil"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}, {"name": "Windows InstallUtil URL in Command Line", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "InstallUtil"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}, {"name": "Windows Known Abused DLL Created", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "DLL Search Order Hijacking"}, {"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "Windows MOF Event Triggered Execution via WMI", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation Event Subscription"}]}, {"name": "Windows Odbcconf Hunting", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Odbcconf"}]}, {"name": "Windows Odbcconf Load DLL", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Odbcconf"}]}, {"name": "Windows Odbcconf Load Response File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Odbcconf"}]}, {"name": "Windows System Binary Proxy Execution Compiled HTML File Decompile", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Compiled HTML File"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}, {"name": "Windows System Script Proxy Execution Syncappvpublishingserver", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Script Proxy Execution"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}, {"name": "Windows UAC Bypass Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}, {"mitre_attack_technique": "Bypass User Account Control"}]}, {"name": "Windows UAC Bypass Suspicious Escalation Behavior", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}, {"mitre_attack_technique": "Bypass User Account Control"}]}, {"name": "WSReset UAC Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}]}, {"name": "Local Privilege Escalation With KrbRelayUp", "author": "Michael Haag, Mauricio Velazco, Splunk", "date": "2022-04-28", "version": 1, "id": "765790f0-2f8f-4048-8321-fd1928ec2546", "description": "KrbRelayUp is a tool that allows local privilege escalation from low-priviliged domain user to local system on domain-joined computers.", "references": ["https://github.com/Dec0ne/KrbRelayUp", "https://gist.github.com/tothi/bf6c59d6de5d0c9710f23dae5750c4b9", "https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html", "https://dirkjanm.io/relaying-kerberos-over-dns-with-krbrelayx-and-mitm6/", "https://github.com/cube0x0/KrbRelay"], "narrative": "In October 2021, James Forshaw from Googles Project Zero released a research blog post titled `Using Kerberos for Authentication Relay Attacks`. This research introduced, for the first time, ways to make Windows authenticate to a different Service Principal Name (SPN) than what would normally be derived from the hostname the client is connecting to. This effectively proved that relaying Kerberos authentication is possible\\\\. In April 2022, security researcher Mor Davidovich released a tool named KrbRelayUp which implements Kerberos relaying as well as other known Kerberos techniques with the goal of escalating privileges from a low-privileged domain user on a domain-joined device and obtain a SYSTEM shell.", "tags": {"category": ["Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Credential Access"], "datamodels": ["Authentication"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Windows Computer Account Created by Computer Account - Rule", "ESCU - Windows Computer Account Requesting Kerberos Ticket - Rule", "ESCU - Windows Computer Account With SPN - Rule", "ESCU - Windows Kerberos Local Successful Logon - Rule", "ESCU - Windows KrbRelayUp Service Creation - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Mauricio Velazco, Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Computer Account Created by Computer Account", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}, {"name": "Windows Computer Account Requesting Kerberos Ticket", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}, {"name": "Windows Computer Account With SPN", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}, {"name": "Windows Kerberos Local Successful Logon", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}, {"name": "Windows KrbRelayUp Service Creation", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Service"}]}]}, {"name": "LockBit Ransomware", "author": "Teoderick Contreras, Splunk", "date": "2023-01-16", "version": 1, "id": "67e5b98d-16d6-46a6-8d00-070a3d1a5cfc", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the LockBit ransomware, including looking for file writes (file encryption and ransomware notes), deleting services, terminating processes, registry key modification and more.", "references": ["https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html", "https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/", "https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom", "https://www.trendmicro.com/en_us/research/22/g/lockbit-ransomware-group-augments-its-latest-variant--lockbit-3-.html"], "narrative": "LockBit ransomware was first seen in 2019. This ransomware was used by cybercriminal in targeting multiple sectors and organizations. Lockbit is one of the ransomware being offered as a Ransomware-as-a-Service(RaaS) and also known to affiliates to implement the 'double extortion' techniques by uploading the stolen and sensitive victim information to their dark website and then threatening to sell/release it in public if their demands are not met. LockBit Ransomware advertised opportunities for threat actors that could provide credential access via RDP and VPN. Aside from this it is also uses threat emulation like Cobalt Strike and Metasploit to gain foot hold to the targeted host and persist if needed.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1218.003", "mitre_attack_technique": "CMSTP", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group", "MuddyWater"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "Akira", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "Scattered Spider", "TA505"]}, {"mitre_attack_id": "T1491", "mitre_attack_technique": "Defacement", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Reconnaissance", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Impact"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Reconnaissance", "Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - CMLUA Or CMSTPLUA UAC Bypass - Rule", "ESCU - Cobalt Strike Named Pipes - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Fsutil Zeroing File - Rule", "ESCU - High Process Termination Frequency - Rule", "ESCU - Known Services Killed by Ransomware - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - Ransomware Notes bulk creation - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - UAC Bypass With Colorui COM Object - Rule", "ESCU - Wbemprox COM Object Execution - Rule", "ESCU - Windows Modify Registry Default Icon Setting - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "CMLUA Or CMSTPLUA UAC Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "CMSTP"}]}, {"name": "Cobalt Strike Named Pipes", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Fsutil Zeroing File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}]}, {"name": "High Process Termination Frequency", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}, {"name": "Known Services Killed by Ransomware", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Defacement"}]}, {"name": "Ransomware Notes bulk creation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Gather Victim Host Information"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "UAC Bypass With Colorui COM Object", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "CMSTP"}]}, {"name": "Wbemprox COM Object Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "CMSTP"}]}, {"name": "Windows Modify Registry Default Icon Setting", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}]}, {"name": "Log4Shell CVE-2021-44228", "author": "Jose Hernandez", "date": "2021-12-11", "version": 1, "id": "b4453928-5a98-11ec-afcd-8de10b48fc52", "description": "Log4Shell or CVE-2021-44228 is a Remote Code Execution (RCE) vulnerability in the Apache Log4j library, a widely used and ubiquitous logging framework for Java. The vulnerability allows an attacker who can control log messages to execute arbitrary code loaded from attacker-controlled servers and we anticipate that most apps using the Log4j library will meet this condition.", "references": ["https://mbechler.github.io/2021/12/10/PSA_Log4Shell_JNDI_Injection/", "https://www.fastly.com/blog/digging-deeper-into-log4shell-0day-rce-exploit-found-in-log4j", "https://www.crowdstrike.com/blog/log4j2-vulnerability-analysis-and-mitigation-recommendations/", "https://www.lunasec.io/docs/blog/log4j-zero-day/", "https://www.splunk.com/en_us/blog/security/log-jammin-log4j-2-rce.html"], "narrative": "In late November 2021, Chen Zhaojun of Alibaba identified a remote code execution vulnerability. Previous work was seen in a 2016 Blackhat talk by Alvaro Munoz and Oleksandr Mirosh called [\"A Journey from JNDI/LDAP Manipulation to Remote Code Execution Dream Land\"](https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf). Reported under the CVE ID : CVE-2021-44228, released to the public on December 10, 2021. The vulnerability is exploited through improper deserialization of user input passed into the framework. It permits remote code execution and it can allow an attacker to leak sensitive data, such as environment variables, or execute malicious software on the target system.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Application Security", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}], "mitre_attack_tactics": ["Persistence", "Execution", "Command And Control", "Initial Access"], "datamodels": ["Network_Traffic", "Web", "Risk", "Endpoint"], "kill_chain_phases": ["Installation", "Delivery", "Command and Control"]}, "detection_names": ["ESCU - Any Powershell DownloadFile - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Curl Download and Bash Execution - Rule", "ESCU - Java Class File download by Java User Agent - Rule", "ESCU - Linux Java Spawning Shell - Rule", "ESCU - Log4Shell CVE-2021-44228 Exploitation - Rule", "ESCU - Outbound Network Connection from Java Using Default Ports - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - Wget Download and Bash Execution - Rule", "ESCU - Windows Java Spawning Shells - Rule", "ESCU - Detect Outbound LDAP Traffic - Rule", "ESCU - Hunting for Log4Shell - Rule", "ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", "ESCU - Log4Shell JNDI Payload Injection with Outbound Connection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "no", "author_name": "Jose Hernandez", "detections": [{"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Curl Download and Bash Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Java Class File download by Java User Agent", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}, {"name": "Linux Java Spawning Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Log4Shell CVE-2021-44228 Exploitation", "source": "endpoint", "type": "Correlation", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Outbound Network Connection from Java Using Default Ports", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Wget Download and Bash Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Windows Java Spawning Shells", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Detect Outbound LDAP Traffic", "source": "network", "type": "Hunting", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Hunting for Log4Shell", "source": "web", "type": "Hunting", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Log4Shell JNDI Payload Injection Attempt", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Log4Shell JNDI Payload Injection with Outbound Connection", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}]}, {"name": "Malicious PowerShell", "author": "David Dorsey, Splunk", "date": "2017-08-23", "version": 5, "id": "2c8ff66e-0b57-42af-8ad7-912438a403fc", "description": "Attackers are finding stealthy ways \"live off the land,\" leveraging utilities and tools that come standard on the endpoint--such as PowerShell--to achieve their goals without downloading binary files. These searches can help you detect and investigate PowerShell command-line options that may be indicative of malicious intent.", "references": ["https://blogs.mcafee.com/mcafee-labs/malware-employs-powershell-to-infect-systems/", "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"], "narrative": "The searches in this Analytic Story monitor for parameters often used for malicious purposes. It is helpful to understand how often the notable events generated by this story occur, as well as the commonalities between some of these events. These factors may provide clues about whether this is a common occurrence of minimal concern or a rare event that may require more extensive investigation. Likewise, it is important to determine whether the issue is restricted to a single user/system or is broader in scope.\nThe following factors may assist you in determining whether the event is malicious:\n1. Country of origin\n1. Responsible party\n1. Fully qualified domain names associated with the external IP address\n1. Registration of fully qualified domain names associated with external IP address\nDetermining whether it is a dynamic domain frequently visited by others and/or how third parties categorize it can also help you answer some questions surrounding the attacker and details related to the external system. In addition, there are various sources--such as VirusTotal— that can provide some reputation information on the IP address or domain name, which can assist in determining whether the event is malicious. Finally, determining whether there are other events associated with the IP address may help connect data points or show other events that should be brought into scope.\nGathering data on the system of interest can sometimes help you quickly determine whether something suspicious is happening. Some of these items include finding out who else may have recently logged into the system, whether any unusual scheduled tasks exist, whether the system is communicating on suspicious ports, whether there are modifications to sensitive registry keys, and whether there are any known vulnerabilities on the system. This information can often highlight other activity commonly seen in attack scenarios or give more information about how the system may have been targeted.\nOften, a simple inspection of the process name and path can tell you if the system has been compromised. For example, if `svchost.exe` is found running from a location other than `C:\\Windows\\System32`, it is likely something malicious designed to hide in plain sight when cursorily reviewing process names. Similarly, if the process itself seems legitimate, but the parent process is running from the temporary browser cache, that could be indicative of activity initiated via a compromised website a user visited.\nIt can also be very helpful to examine various behaviors of the process of interest or the parent of the process of interest. For example, if it turns out the process of interest is malicious, it would be good to see if the parent to that process spawned other processes that might be worth further scrutiny. If a process is suspect, a review of the network connections made in and around the time of the event and/or whether the process spawned any child processes could be helpful, as well.\nIn the event a system is suspected of having been compromised via a malicious website, we suggest reviewing the browsing activity from that system around the time of the event. If categories are given for the URLs visited, that can help you zero in on possible malicious sites.\nMost recently we have added new content related to PowerShell Script Block logging, Windows EventCode 4104. Script block logging presents the deobfuscated and raw script executed on an endpoint. The analytics produced were tested against commonly used attack frameworks - PowerShell-Empire, Cobalt Strike and Covenant. In addition, we sampled publicly available samples that utilize PowerShell and validated coverage. The analytics are here to identify suspicious usage, cmdlets, or script values. 4104 events are enabled via the Windows registry and may generate a large volume of data if enabled globally. Enabling on critical systems or a limited set may be best. During triage of 4104 events, review parallel processes for other processes and command executed. Identify any file modifications and network communication and review accordingly. Fortunately, we get the full script to determine the level of threat identified.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1027.005", "mitre_attack_technique": "Indicator Removal from Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT3", "Deep Panda", "GALLIUM", "OilRig", "Patchwork", "Turla"]}, {"mitre_attack_id": "T1027.011", "mitre_attack_technique": "Fileless Storage", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "Turla"]}, {"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1218.014", "mitre_attack_technique": "MMC", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1021.006", "mitre_attack_technique": "Windows Remote Management", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Chimera", "FIN13", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT41", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1546.015", "mitre_attack_technique": "Component Object Model Hijacking", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}], "mitre_attack_tactics": ["Reconnaissance", "Command And Control", "Discovery", "Credential Access", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Lateral Movement"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Reconnaissance", "Installation", "Exploitation", "Command and Control"]}, "detection_names": ["ESCU - Suspicious Powershell Command-Line Arguments - Rule", "ESCU - Any Powershell DownloadFile - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - Detect Certify With PowerShell Script Block Logging - Rule", "ESCU - Detect Empire with PowerShell Script Block Logging - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - GetLocalUser with PowerShell Script Block - Rule", "ESCU - GetWmiObject User Account with PowerShell Script Block - Rule", "ESCU - Malicious Powershell Executed As A Service - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Malicious PowerShell Process With Obfuscation Techniques - Rule", "ESCU - Possible Lateral Movement PowerShell Spawn - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - Powershell COM Hijacking InprocServer32 Modification - Rule", "ESCU - Powershell Creating Thread Mutex - Rule", "ESCU - PowerShell Domain Enumeration - Rule", "ESCU - PowerShell Enable PowerShell Remoting - Rule", "ESCU - Powershell Enable SMB1Protocol Feature - Rule", "ESCU - Powershell Execute COM Object - Rule", "ESCU - Powershell Fileless Process Injection via GetProcAddress - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - PowerShell Invoke CIMMethod CIMSession - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Powershell Processing Stream Of Data - Rule", "ESCU - PowerShell Script Block With URL Chain - Rule", "ESCU - Powershell Using memory As Backing Store - Rule", "ESCU - PowerShell WebRequest Using Memory Stream - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - ServicePrincipalNames Discovery with PowerShell - Rule", "ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule", "ESCU - Unloading AMSI via Reflection - Rule", "ESCU - WMI Recon Running Process Or Services - Rule"], "investigation_names": ["Get History Of Email Sources", "Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Suspicious Powershell Command-Line Arguments", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "PowerShell"}]}, {"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Detect Certify With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Detect Empire with PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "GetLocalUser with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "GetWmiObject User Account with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Malicious Powershell Executed As A Service", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}, {"name": "Malicious PowerShell Process With Obfuscation Techniques", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Possible Lateral Movement PowerShell Spawn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Remote Management"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "MMC"}]}, {"name": "PowerShell 4104 Hunting", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Powershell COM Hijacking InprocServer32 Modification", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Component Object Model Hijacking"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Powershell Creating Thread Mutex", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "Indicator Removal from Tools"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "PowerShell Domain Enumeration", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "PowerShell Enable PowerShell Remoting", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Powershell Enable SMB1Protocol Feature", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "Indicator Removal from Tools"}]}, {"name": "Powershell Execute COM Object", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Component Object Model Hijacking"}, {"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Powershell Fileless Process Injection via GetProcAddress", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "PowerShell Invoke CIMMethod CIMSession", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "PowerShell Loading DotNET into Memory via Reflection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Powershell Processing Stream Of Data", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "PowerShell Script Block With URL Chain", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Powershell Using memory As Backing Store", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "PowerShell WebRequest Using Memory Stream", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}, {"mitre_attack_technique": "Fileless Storage"}]}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Gather Victim Host Information"}]}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Gather Victim Host Information"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "ServicePrincipalNames Discovery with PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Kerberoasting"}]}, {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Unloading AMSI via Reflection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "WMI Recon Running Process Or Services", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Gather Victim Host Information"}]}]}, {"name": "Masquerading - Rename System Utilities", "author": "Michael Haag, Splunk", "date": "2021-04-26", "version": 1, "id": "f0258af4-a6ae-11eb-b3c2-acde48001122", "description": "Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities.", "references": ["https://attack.mitre.org/techniques/T1036/003/"], "narrative": "Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing. It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename rundll32.exe). An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on system utilities executing from non-standard paths.\nThe following content is here to assist with binaries within `system32` or `syswow64` being moved to a new location or an adversary bringing a the binary in to execute.\nThere will be false positives as some native Windows processes are moved or ran by third party applications from different paths. If file names are mismatched between the file name on disk and that of the binarys PE metadata, this is a likely indicator that a binary was renamed after it was compiled. Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity. Do not focus on the possible names a file could have, but instead on the command-line arguments that are known to be used and are distinct because it will have a better rate of detection.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1127.001", "mitre_attack_technique": "MSBuild", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}, {"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}], "mitre_attack_tactics": ["Impact", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Execution of File With Spaces Before Extension - Rule", "ESCU - Suspicious Rundll32 Rename - Rule", "ESCU - Execution of File with Multiple Extensions - Rule", "ESCU - Sdelete Application Execution - Rule", "ESCU - Suspicious microsoft workflow compiler rename - Rule", "ESCU - Suspicious msbuild path - Rule", "ESCU - Suspicious MSBuild Rename - Rule", "ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - Windows DotNet Binary in Non Standard Path - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Execution of File With Spaces Before Extension", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Rename System Utilities"}]}, {"name": "Suspicious Rundll32 Rename", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rundll32"}, {"mitre_attack_technique": "Rename System Utilities"}]}, {"name": "Execution of File with Multiple Extensions", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}, {"name": "Sdelete Application Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Suspicious microsoft workflow compiler rename", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}]}, {"name": "Suspicious msbuild path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}, {"name": "Suspicious MSBuild Rename", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}, {"name": "System Processes Run From Unexpected Locations", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}, {"name": "Windows DotNet Binary in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}]}, {"name": "MetaSploit", "author": "Michael Haag, Splunk", "date": "2022-11-21", "version": 1, "id": "c149b694-bd08-4535-88d3-1f288a66313f", "description": "The following analytic story highlights content related directly to MetaSploit, which may be default configurations attributed to MetaSploit or behaviors of known knowns that are related.", "references": ["https://github.com/rapid7/metasploit-framework", "https://www.varonis.com/blog/what-is-metasploit"], "narrative": "The Metasploit framework is a very powerful tool which can be used by cybercriminals as well as ethical hackers to probe systematic vulnerabilities on networks and servers. Because it is an open-source framework, it can be easily customized and used with most operating systems.\nThe Metasploit Project was undertaken in 2003 by H.D. Moore for use as a Perl-based portable network tool, with assistance from core developer Matt Miller. It was fully converted to Ruby by 2007, and the license was acquired by Rapid7 in 2009, where it remains as part of the Boston-based company repertoire of IDS signature development and targeted remote exploit, fuzzing, anti-forensic, and evasion tools.\\\nPortions of these other tools reside within the Metasploit framework, which is built into the Kali Linux OS. Rapid7 has also developed two proprietary OpenCore tools, Metasploit Pro, Metasploit Express.\\\nThis framework has become the go-to exploit development and mitigation tool. Prior to Metasploit, pen testers had to perform all probes manually by using a variety of tools that may or may not have supported the platform they were testing, writing their own code by hand, and introducing it onto networks manually. Remote testing was virtually unheard of, and that limited a security specialist reach to the local area and companies spending a fortune on in-house IT or security consultants. (ref. Varonis)", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Execution"], "datamodels": [], "kill_chain_phases": ["Installation"]}, "detection_names": ["ESCU - Powershell Load Module in Meterpreter - Rule", "ESCU - Windows Apache Benchmark Binary - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Powershell Load Module in Meterpreter", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Windows Apache Benchmark Binary", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}]}, {"name": "Meterpreter", "author": "Michael Hart", "date": "2021-06-08", "version": 1, "id": "d5f8e298-c85a-11eb-9fea-acde48001122", "description": "Meterpreter provides red teams, pen testers and threat actors interactive access to a compromised host to run commands, upload payloads, download files, and other actions.", "references": ["https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/", "https://doubleoctopus.com/security-wiki/threats-and-tools/meterpreter/", "https://www.rapid7.com/products/metasploit/"], "narrative": "This Analytic Story supports you to detect Tactics, Techniques and Procedures (TTPs) from Meterpreter. Meterpreter is a Metasploit payload for remote execution that leverages DLL injection to make it extremely difficult to detect. Since the software runs in memory, no new processes are created upon injection. It also leverages encrypted communication channels.\nMeterpreter enables the operator to remotely run commands on the target machine, upload payloads, download files, dump password hashes, and much more. It is difficult to determine from the forensic evidence what actions the operator performed. Splunk Research, however, has observed anomalous behaviors on the compromised hosts that seem to only appear when Meterpreter is executing various commands. With that, we have written new detections targeted to these detections.\nWhile investigating a detection related to this analytic story, please bear in mind that the detections look for anomalies in system behavior. It will be imperative to look for other signs in the endpoint and network logs for lateral movement, discovery and other actions to confirm that the host was compromised and a remote actor used it to progress on their objectives.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}], "mitre_attack_tactics": ["Execution"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation"]}, "detection_names": ["ESCU - Excessive distinct processes from Windows Temp - Rule", "ESCU - Excessive number of taskhost processes - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "no", "author_name": "Michael Hart", "detections": [{"name": "Excessive distinct processes from Windows Temp", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Excessive number of taskhost processes", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}]}, {"name": "Microsoft MSHTML Remote Code Execution CVE-2021-40444", "author": "Michael Haag, Splunk", "date": "2021-09-08", "version": 1, "id": "4ad4253e-10ca-11ec-8235-acde48001122", "description": "CVE-2021-40444 is a remote code execution vulnerability in MSHTML, recently used to delivery targeted spearphishing documents.", "references": ["https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/windows-mshtml-zero-day-actively-exploited-mitigations-required/", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444", "https://www.echotrail.io/insights/search/control.exe"], "narrative": "Microsoft is aware of targeted attacks that attempt to exploit this vulnerability, CVE-2021-40444 by using specially-crafted Microsoft Office documents. MSHTML is a software component used to render web pages on Windows. Although it is 2019s most commonly associated with Internet Explorer, it is also used in other software. CVE-2021-40444 received a CVSS score of 8.8 out of 10. MSHTML is the beating heart of Internet Explorer, the vulnerability also exists in that browser. Although given its limited use, there is little risk of infection by that vector. Microsoft Office applications use the MSHTML component to display web content in Office documents. The attack depends on MSHTML loading a specially crafted ActiveX control when the target opens a malicious Office document. The loaded ActiveX control can then run arbitrary code to infect the system with more malware. At the moment all supported Windows versions are vulnerable. Since there is no patch available yet, Microsoft proposes a few methods to block these attacks.\n1. Disable the installation of all ActiveX controls in Internet Explorer via the registry. Previously-installed ActiveX controls will still run, but no new ones will be added, including malicious ones. Open documents from the Internet in Protected View or Application Guard for Office, both of which prevent the current attack. This is a default setting but it may have been changed.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.002", "mitre_attack_technique": "Control Panel", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Ember Bear"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}], "mitre_attack_tactics": ["Initial Access", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Exploitation"]}, "detection_names": ["ESCU - Control Loading from World Writable Directory - Rule", "ESCU - MSHTML Module Load in Office Product - Rule", "ESCU - Office Product Writing cab or inf - Rule", "ESCU - Office Spawning Control - Rule", "ESCU - Rundll32 Control RunDLL Hunt - Rule", "ESCU - Rundll32 Control RunDLL World Writable Directory - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Control Loading from World Writable Directory", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Control Panel"}]}, {"name": "MSHTML Module Load in Office Product", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Writing cab or inf", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Spawning Control", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Rundll32 Control RunDLL Hunt", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Rundll32 Control RunDLL World Writable Directory", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}]}, {"name": "Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357", "author": "Michael Haag, Gowthamaraj Rajendran, Splunk", "date": "2023-09-27", "version": 1, "id": "95ae800d-485e-47f7-866e-8be281aa497d", "description": "This analytic story focuses on the Microsoft SharePoint Server vulnerability CVE-2023-29357, which allows for an elevation of privilege due to improper handling of authentication tokens. Exploitation of this vulnerability could lead to a serious security breach where an attacker might gain privileged access to the SharePoint environment, potentially leading to data theft or other malicious activities. This story is associated with the detection `Microsoft SharePoint Server Elevation of Privilege` which identifies attempts to exploit this vulnerability.", "references": ["https://socradar.io/microsoft-sharepoint-server-elevation-of-privilege-vulnerability-exploit-cve-2023-29357/", "https://github.com/Chocapikk/CVE-2023-29357"], "narrative": "Microsoft SharePoint Server is a widely used web-based collaborative platform. The vulnerability CVE-2023-29357 exposes a flaw in the handling of authentication tokens, allowing an attacker to escalate privileges and gain unauthorized access to the SharePoint environment. This could potentially lead to data theft, unauthorized system modifications, or other malicious activities. Organizations are urged to apply immediate patches and conduct regular system assessments to ensure security.", "tags": {"category": ["Vulnerability", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Microsoft SharePoint Server Elevation of Privilege - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Gowthamaraj Rajendran, Splunk", "author_name": "Michael Haag", "detections": [{"name": "Microsoft SharePoint Server Elevation of Privilege", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}]}, {"name": "Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190", "author": "Michael Haag, Teoderick Contreras, Splunk", "date": "2022-05-31", "version": 1, "id": "2a60a99e-c93a-4036-af70-768fac838019", "description": "On Monday May 30, 2022, Microsoft issued CVE-2022-30190 regarding the Microsoft Support Diagnostic Tool (MSDT) in Windows vulnerability.", "references": ["https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/", "https://isc.sans.edu/diary/rss/28694", "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e", "https://twitter.com/nao_sec/status/1530196847679401984?s=20&t=ZiXYI4dQuA-0_dzQzSUb3A", "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", "https://www.virustotal.com/gui/file/4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784/detection", "https://strontic.github.io/xcyclopedia/library/msdt.exe-152D4C9F63EFB332CCB134C6953C0104.html"], "narrative": "A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user''s rights.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}], "mitre_attack_tactics": ["Execution", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - Windows Command and Scripting Interpreter Hunting Path Traversal - Rule", "ESCU - Windows Command and Scripting Interpreter Path Traversal Exec - Rule", "ESCU - Windows Execute Arbitrary Commands with MSDT - Rule", "ESCU - Windows Office Product Spawning MSDT - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Teoderick Contreras, Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Command and Scripting Interpreter Hunting Path Traversal", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows Command and Scripting Interpreter Path Traversal Exec", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows Execute Arbitrary Commands with MSDT", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}]}, {"name": "Windows Office Product Spawning MSDT", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}]}, {"name": "Monitor for Updates", "author": "Rico Valdez, Splunk", "date": "2017-09-15", "version": 1, "id": "9ef8d677-7b52-4213-a038-99cfc7acc2d8", "description": "Monitor your enterprise to ensure that your endpoints are being patched and updated. Adversaries notoriously exploit known vulnerabilities that could be mitigated by applying routine security patches.", "references": ["https://learn.cisecurity.org/20-controls-download"], "narrative": "It is a common best practice to ensure that endpoints are being patched and updated in a timely manner, in order to reduce the risk of compromise via a publicly disclosed vulnerability. Timely application of updates/patches is important to eliminate known vulnerabilities that may be exploited by various threat actors.\nSearches in this analytic story are designed to help analysts monitor endpoints for system patches and/or updates. This helps analysts identify any systems that are not successfully updated in a timely matter.\nMicrosoft releases updates for Windows systems on a monthly cadence. They should be installed as soon as possible after following internal testing and validation procedures. Patches and updates for other systems or applications are typically released as needed.", "tags": {"category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Compliance", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - No Windows Updates in a time frame - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "No Windows Updates in a time frame", "source": "application", "type": "Hunting", "tags": []}]}, {"name": "MOVEit Transfer Critical Vulnerability", "author": "Michael Haag, Splunk", "date": "2023-06-01", "version": 1, "id": "e8c05f9b-6ad4-45ac-8f5d-ff044da417c9", "description": "A critical zero-day vulnerability has been discovered in the MOVEit Transfer file transfer software, widely used by businesses and developers worldwide. The vulnerability has been exploited by unknown threat actors to perform mass data theft from organizations. Progress Software Corporation, the developer of MOVEit, has issued a security advisory urging customers to take immediate action to protect their environments. They recommend blocking external traffic to ports 80 and 445 on the MOVEit server, and to check the c:\\MOVEitTransfer\\wwwroot\\ folder for unusual files. A patch is currently released.", "references": ["https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023", "https://www.reddit.com/r/sysadmin/comments/13wxuej/critical_vulnerability_moveit_file_transfer/", "https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/", "https://www.reddit.com/r/sysadmin/comments/13wxuej/critical_vulnerability_moveit_file_transfer/", "https://gist.github.com/MHaggis/faa672b1929a23fc48fc0ee47585cc48"], "narrative": "Hackers have been actively exploiting a zero-day vulnerability found in the MOVEit Transfer software. This software, developed by Progress Software Corporation, a US-based company and its subsidiary Ipswitch, is a managed file transfer solution. It is used by thousands of organizations worldwide, including Chase, Disney, GEICO, and MLB, and by 3.5 million developers. The software allows for secure file transfers between business partners and customers using SFTP, SCP, and HTTP-based uploads.\nThe zero-day vulnerability has been exploited to steal data on a large scale from various organizations. The identity of the threat actors and the exact timeline of the exploitation remains unclear. However, it has been confirmed that multiple organizations have experienced breaches and data theft.\nIn response to this critical situation, Progress released a security advisory warning customers of the vulnerability and providing mitigation strategies while a patch has been released. They urged customers to take immediate action to protect their MOVEit environments. They suggested blocking external traffic to ports 80 and 445 on the MOVEit server and checking the c:\\MOVEitTransfer\\wwwroot\\ folder for unexpected files, including backups or large file downloads.\nBlocking these ports will prevent external access to the web UI, prevent some MOVEit Automation tasks from working, block APIs, and prevent the Outlook MOVEit plugin from working. However, SFTP and FTP/s protocols can continue to be used for file transfers.\nThere is currently no detailed information about the zero-day vulnerability. But based on the ports blocked and the specific location to check for unusual files, the flaw is likely a web-facing vulnerability.\nWhile Progress has officially confirmed that the vulnerability is being actively exploited, it is clear from several reports that multiple organizations have already had data stolen using this zero-day vulnerability. The exploitation appears very similar to the mass exploitation of a GoAnywhere MFT zero-day in January 2023 and the December 2020 zero-day exploitation of Accellion FTA servers. These were both managed file transfer platforms heavily exploited by the Clop ransomware gang to steal data and extort organizations.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Windows MOVEit Transfer Writing ASPX - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows MOVEit Transfer Writing ASPX", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}]}, {"name": "Netsh Abuse", "author": "Bhavin Patel, Splunk", "date": "2017-01-05", "version": 1, "id": "2b1800dd-92f9-47ec-a981-fdf1351e5f65", "description": "Detect activities and various techniques associated with the abuse of `netsh.exe`, which can disable local firewall settings or set up a remote connection to a host from an infected system.", "references": ["https://docs.microsoft.com/en-us/previous-versions/tn-archive/bb490939(v=technet.10)", "https://htmlpreview.github.io/?https://github.com/MatthewDemaske/blogbackup/blob/master/netshell.html", "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html"], "narrative": "It is a common practice for attackers of all types to leverage native Windows tools and functionality to execute commands for malicious reasons. One such tool on Windows OS is `netsh.exe`,a command-line scripting utility that allows you to--either locally or remotely--display or modify the network configuration of a computer that is currently running. `Netsh.exe` can be used to discover and disable local firewall settings. It can also be used to set up a remote connection to a host from an infected system.\nTo get started, run the detection search to identify parent processes of `netsh.exe`.", "tags": {"category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT", "ToddyCat"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Processes created by netsh - Rule", "ESCU - Processes launching netsh - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Processes created by netsh", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify System Firewall"}]}, {"name": "Processes launching netsh", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "System Network Connections Discovery"}, {"mitre_attack_technique": "System Owner/User Discovery"}, {"mitre_attack_technique": "System Shutdown/Reboot"}, {"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}]}, {"name": "Network Discovery", "author": "Teoderick Contreras, Splunk", "date": "2022-02-14", "version": 1, "id": "af228995-f182-49d7-90b3-2a732944f00f", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the network discovery, including looking for network configuration, settings such as IP, MAC address, firewall settings and many more.", "references": ["https://attack.mitre.org/techniques/T1016/", "https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf", "https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/"], "narrative": "Adversaries may use the information from System Network Configuration Discovery during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Linux System Network Discovery - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Linux System Network Discovery", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Network Configuration Discovery"}]}]}, {"name": "NjRAT", "author": "Teoderick Contreras, Splunk", "date": "2023-09-07", "version": 2, "id": "f6d52454-6cf3-4759-9627-5868a3e2b2b1", "description": "NjRat is a notorious remote access trojan (RAT) predominantly wielded by malicious operators to infiltrate and wield remote control over compromised systems. This analytical story harnesses targeted search methodologies to uncover and investigate activities that could be indicative of NjRAT's presence. These activities include tracking file write operations for dropped files, scrutinizing registry modifications aimed at establishing persistence mechanisms, monitoring suspicious processes, self-deletion behaviors, browser credential parsing, firewall configuration alterations, spread itself via removable drive and an array of other potentially malicious actions.", "references": ["https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-malware/what-is-njrat-malware/#:~:text=NJRat%20%E2%80%94%20also%20known%20as%20Bladabindi,malware%20variant%20in%20March%202023.", "https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat"], "narrative": "NjRat is also known as Bladabindi malware that was first discovered in the wild in 2012. Since then this malware remain active and uses different campaign to spred its malware. While its primary infection vectors are phishing attacks and drive-by downloads, it also has \"worm\" capability to spread itself via infected removable drives. This RAT has various of capabilities including keylogging, webcam access, browser credential parsing, file upload and downloads, file and process list, service list, shell command execution, registry modification, screen capture, view the desktop of the infected computer and many more. NjRat does not target any industry in particular, but attacking a wide variety of individuals and organizations to gather sensitive information.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.007", "mitre_attack_technique": "Disable or Modify Cloud Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Cinnamon Tempest", "Earth Lusca", "FIN13", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1129", "mitre_attack_technique": "Shared Modules", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1027.011", "mitre_attack_technique": "Fileless Storage", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "Turla"]}, {"mitre_attack_id": "T1561.002", "mitre_attack_technique": "Disk Structure Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1091", "mitre_attack_technique": "Replication Through Removable Media", "mitre_attack_tactics": ["Initial Access", "Lateral Movement"], "mitre_attack_groups": ["APT28", "Aoqin Dragon", "Darkhotel", "FIN7", "LuminousMoth", "Mustang Panda", "Tropic Trooper"]}, {"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "APT5", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "APT41", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "Volt Typhoon", "ZIRCONIUM"]}, {"mitre_attack_id": "T1561", "mitre_attack_technique": "Disk Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1497.003", "mitre_attack_technique": "Time Based Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "APT41", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Malteiro", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1102", "mitre_attack_technique": "Web Service", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT32", "EXOTIC LILY", "Ember Bear", "FIN6", "FIN8", "Fox Kitten", "Gamaredon Group", "Inception", "LazyScripter", "Mustang Panda", "Rocke", "TeamTNT", "Turla"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "Malteiro", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1497", "mitre_attack_technique": "Virtualization/Sandbox Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": ["Darkhotel"]}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT", "ToddyCat"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Command And Control", "Initial Access", "Discovery", "Privilege Escalation", "Credential Access", "Persistence", "Execution", "Defense Evasion", "Impact", "Lateral Movement"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Exploitation", "Actions on Objectives", "Installation", "Command and Control"]}, "detection_names": ["ESCU - Allow Inbound Traffic By Firewall Rule Registry - Rule", "ESCU - Allow Network Discovery In Firewall - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Disable Registry Tool - Rule", "ESCU - Disabling CMD Application - Rule", "ESCU - Disabling SystemRestore In Registry - Rule", "ESCU - Disabling Task Manager - Rule", "ESCU - Excessive Usage Of Taskkill - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Firewall Allowed Program Enable - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Office Application Spawn rundll32 process - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Document Spawned Child Process To Download - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Office Product Spawning MSHTA - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Windows Abused Web Services - Rule", "ESCU - Windows Admin Permission Discovery - Rule", "ESCU - Windows Boot or Logon Autostart Execution In Startup Folder - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule", "ESCU - Windows Delete or Modify System Firewall - Rule", "ESCU - Windows Disable or Modify Tools Via Taskkill - Rule", "ESCU - Windows Executable in Loaded Modules - Rule", "ESCU - Windows Modify Registry With MD5 Reg Key Name - Rule", "ESCU - Windows Modify System Firewall with Notable Process Path - Rule", "ESCU - Windows Njrat Fileless Storage via Registry - Rule", "ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - Windows Replication Through Removable Media - Rule", "ESCU - Windows System LogOff Commandline - Rule", "ESCU - Windows System Reboot CommandLine - Rule", "ESCU - Windows System Shutdown CommandLine - Rule", "ESCU - Windows Time Based Evasion - Rule", "ESCU - Windows Unsigned DLL Side-Loading - Rule", "ESCU - Windows User Execution Malicious URL Shortcut File - Rule", "ESCU - Wscript Or Cscript Suspicious Child Process - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Allow Inbound Traffic By Firewall Rule Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "Allow Network Discovery In Firewall", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Cloud Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Disable Registry Tool", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}, {"name": "Disabling CMD Application", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}, {"name": "Disabling SystemRestore In Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Disabling Task Manager", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Excessive Usage Of Taskkill", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Firewall Allowed Program Enable", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "Office Application Spawn rundll32 process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Document Spawned Child Process To Download", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawning MSHTA", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Windows Abused Web Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Web Service"}]}, {"name": "Windows Admin Permission Discovery", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Local Groups"}]}, {"name": "Windows Boot or Logon Autostart Execution In Startup Folder", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Windows Credentials from Password Stores Chrome LocalState Access", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Credentials from Password Stores Chrome Login Data Access", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Delete or Modify System Firewall", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Disable or Modify System Firewall"}]}, {"name": "Windows Disable or Modify Tools Via Taskkill", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Disable or Modify Tools"}]}, {"name": "Windows Executable in Loaded Modules", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Shared Modules"}]}, {"name": "Windows Modify Registry With MD5 Reg Key Name", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify System Firewall with Notable Process Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Njrat Fileless Storage via Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Fileless Storage"}, {"mitre_attack_technique": "Obfuscated Files or Information"}]}, {"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}, {"name": "Windows Replication Through Removable Media", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Replication Through Removable Media"}]}, {"name": "Windows System LogOff Commandline", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Shutdown/Reboot"}]}, {"name": "Windows System Reboot CommandLine", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Shutdown/Reboot"}]}, {"name": "Windows System Shutdown CommandLine", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Shutdown/Reboot"}]}, {"name": "Windows Time Based Evasion", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Virtualization/Sandbox Evasion"}, {"mitre_attack_technique": "Time Based Evasion"}]}, {"name": "Windows Unsigned DLL Side-Loading", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "DLL Side-Loading"}]}, {"name": "Windows User Execution Malicious URL Shortcut File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Malicious File"}, {"mitre_attack_technique": "User Execution"}]}, {"name": "Wscript Or Cscript Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Parent PID Spoofing"}, {"mitre_attack_technique": "Access Token Manipulation"}]}]}, {"name": "NOBELIUM Group", "author": "Patrick Bareiss, Michael Haag, Mauricio Velazco, Splunk", "date": "2020-12-14", "version": 3, "id": "758196b5-2e21-424f-a50c-6e421ce926c2", "description": "NOBELIUM, also known as APT29, The Dukes, Cozy Bear, CozyDuke, Blue Kitsune, and Midnight Blizzard, is a sophisticated nation-state threat actor, reportedly associated with Russian intelligence. Active since at least 2008, this group primarily targets government networks in Europe and NATO member countries, along with research institutes and think tanks. Their operations typically involve advanced persistent threats (APT), leveraging techniques like spear-phishing, malware deployment, and long-term network compromise to achieve information theft and espionage. Notably, APT29 has been implicated in significant cyber espionage incidents, including the 2015 breach of the Pentagon's Joint Staff email system and attacks on the Democratic National Committee in 2016. Their advanced tactics and persistent approach underscore the serious nature of threats posed by this group to global cybersecurity.", "references": ["https://attack.mitre.org/groups/G0016/", "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/", "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/", "https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/"], "narrative": "This Analytic Story groups detections designed to trigger on a comprehensive range of Tactics, Techniques, and Procedures (TTPs) leveraged by the NOBELIUM Group, with a focus on their methods as observed in well-known public breaches.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}, {"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "APT5", "Akira", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN13", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1071.002", "mitre_attack_technique": "File Transfer Protocols", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Dragonfly", "Kimsuky", "SilverTerrier"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider", "Scattered Spider"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "Cinnamon Tempest", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "MoustachedBouncer", "POLONIUM", "Sandworm Team", "Turla", "Volt Typhoon", "Windigo"]}, {"mitre_attack_id": "T1098.003", "mitre_attack_technique": "Additional Cloud Roles", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1203", "mitre_attack_technique": "Exploitation for Client Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT12", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT41", "Andariel", "Aoqin Dragon", "Axiom", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "Higaisa", "Inception", "Lazarus Group", "Leviathan", "MuddyWater", "Mustang Panda", "Patchwork", "Sandworm Team", "Sidewinder", "TA459", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "admin@338"]}, {"mitre_attack_id": "T1114.002", "mitre_attack_technique": "Remote Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "Chimera", "Dragonfly", "FIN4", "HAFNIUM", "Ke3chang", "Kimsuky", "Leafminer", "Magic Hound"]}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1098.001", "mitre_attack_technique": "Additional Cloud Credentials", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA2541", "TA551"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Magic Hound", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1098.002", "mitre_attack_technique": "Additional Email Delegate Permissions", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "Magic Hound"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1090.003", "mitre_attack_technique": "Multi-hop Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT28", "APT29", "FIN4", "Inception", "Leviathan"]}, {"mitre_attack_id": "T1110.001", "mitre_attack_technique": "Password Guessing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Akira", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Scattered Spider", "Silence", "Threat Group-3390", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Command And Control", "Collection", "Initial Access", "Resource Development", "Discovery", "Credential Access", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion"], "datamodels": ["Network_Traffic", "Web", "Endpoint"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Weaponization", "Command and Control"]}, "detection_names": ["ESCU - Azure AD Admin Consent Bypassed by Service Principal - Rule", "ESCU - Azure AD FullAccessAsApp Permission Assigned - Rule", "ESCU - Azure AD High Number Of Failed Authentications From Ip - Rule", "ESCU - Azure AD Multi-Source Failed Authentications Spike - Rule", "ESCU - Azure AD Multiple Service Principals Created by SP - Rule", "ESCU - Azure AD Multiple Service Principals Created by User - Rule", "ESCU - Azure AD Privileged Graph API Permission Assigned - Rule", "ESCU - Azure AD Privileged Role Assigned - Rule", "ESCU - Azure AD Privileged Role Assigned to Service Principal - Rule", "ESCU - Azure AD Service Principal Authentication - Rule", "ESCU - Azure AD Service Principal Created - Rule", "ESCU - Azure AD Service Principal New Client Credentials - Rule", "ESCU - Azure AD Service Principal Owner Added - Rule", "ESCU - Azure AD Tenant Wide Admin Consent Granted - Rule", "ESCU - O365 Added Service Principal - Rule", "ESCU - O365 Application Registration Owner Added - Rule", "ESCU - O365 ApplicationImpersonation Role Assigned - Rule", "ESCU - O365 FullAccessAsApp Permission Assigned - Rule", "ESCU - O365 Multi-Source Failed Authentications Spike - Rule", "ESCU - O365 Multiple Mailboxes Accessed via API - Rule", "ESCU - O365 Multiple Service Principals Created by SP - Rule", "ESCU - O365 Multiple Service Principals Created by User - Rule", "ESCU - O365 Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - O365 OAuth App Mailbox Access via EWS - Rule", "ESCU - O365 OAuth App Mailbox Access via Graph API - Rule", "ESCU - O365 Privileged Graph API Permission Assigned - Rule", "ESCU - O365 Service Principal New Client Credentials - Rule", "ESCU - O365 Tenant Wide Admin Consent Granted - Rule", "ESCU - Anomalous usage of 7zip - Rule", "ESCU - Detect Prohibited Applications Spawning cmd exe - Rule", "ESCU - Detect Rundll32 Inline HTA Execution - Rule", "ESCU - First Time Seen Running Windows Service - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Sunburst Correlation DLL and Network Event - Rule", "ESCU - Windows AdFind Exe - Rule", "ESCU - Detect Outbound SMB Traffic - Rule", "ESCU - TOR Traffic - Rule", "ESCU - Supernova Webshell - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Michael Haag, Mauricio Velazco, Splunk", "author_name": "Patrick Bareiss", "detections": [{"name": "Azure AD Admin Consent Bypassed by Service Principal", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "Azure AD FullAccessAsApp Permission Assigned", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Additional Email Delegate Permissions"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "Azure AD High Number Of Failed Authentications From Ip", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Guessing"}, {"mitre_attack_technique": "Password Spraying"}]}, {"name": "Azure AD Multi-Source Failed Authentications Spike", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}, {"name": "Azure AD Multiple Service Principals Created by SP", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Account"}]}, {"name": "Azure AD Multiple Service Principals Created by User", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Account"}]}, {"name": "Azure AD Privileged Graph API Permission Assigned", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Security Account Manager"}]}, {"name": "Azure AD Privileged Role Assigned", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "Azure AD Privileged Role Assigned to Service Principal", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "Azure AD Service Principal Authentication", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Cloud Accounts"}]}, {"name": "Azure AD Service Principal Created", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Cloud Account"}]}, {"name": "Azure AD Service Principal New Client Credentials", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Credentials"}]}, {"name": "Azure AD Service Principal Owner Added", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}]}, {"name": "Azure AD Tenant Wide Admin Consent Granted", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "O365 Added Service Principal", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}, {"name": "O365 Application Registration Owner Added", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}]}, {"name": "O365 ApplicationImpersonation Role Assigned", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Email Delegate Permissions"}]}, {"name": "O365 FullAccessAsApp Permission Assigned", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Additional Email Delegate Permissions"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "O365 Multi-Source Failed Authentications Spike", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}, {"name": "O365 Multiple Mailboxes Accessed via API", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Email Collection"}]}, {"name": "O365 Multiple Service Principals Created by SP", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Account"}]}, {"name": "O365 Multiple Service Principals Created by User", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Account"}]}, {"name": "O365 Multiple Users Failing To Authenticate From Ip", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}, {"name": "O365 OAuth App Mailbox Access via EWS", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Email Collection"}]}, {"name": "O365 OAuth App Mailbox Access via Graph API", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Email Collection"}]}, {"name": "O365 Privileged Graph API Permission Assigned", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Security Account Manager"}]}, {"name": "O365 Service Principal New Client Credentials", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Credentials"}]}, {"name": "O365 Tenant Wide Admin Consent Granted", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "Anomalous usage of 7zip", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}, {"name": "Detect Prohibited Applications Spawning cmd exe", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}]}, {"name": "Detect Rundll32 Inline HTA Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}, {"name": "First Time Seen Running Windows Service", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Schtasks scheduling job on remote system", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Sunburst Correlation DLL and Network Event", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploitation for Client Execution"}]}, {"name": "Windows AdFind Exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "Detect Outbound SMB Traffic", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "File Transfer Protocols"}, {"mitre_attack_technique": "Application Layer Protocol"}]}, {"name": "TOR Traffic", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Multi-hop Proxy"}]}, {"name": "Supernova Webshell", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "External Remote Services"}]}]}, {"name": "Office 365 Account Takeover", "author": "Mauricio Velazco, Patrick Bareiss, Splunk", "date": "2023-10-17", "version": 1, "id": "7dcea963-af44-4db7-a5b9-fd2b543d9bc9", "description": "Monitor for activities and anomalies indicative of initial access techniques within Office 365 environments.", "references": ["https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes", "https://attack.mitre.org/tactics/TA0001/", "https://stealthbits.com/blog/bypassing-mfa-with-pass-the-cookie/", "https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth", "https://www.alteredsecurity.com/post/introduction-to-365-stealer", "https://github.com/AlteredSecurity/365-Stealer"], "narrative": "Office 365 (O365) is Microsoft's cloud-based suite of productivity tools, encompassing email, collaboration platforms, and office applications, all integrated with Azure Active Directory for identity and access management. O365's centralized storage of sensitive data and widespread adoption make it a key asset, yet also a prime target for security threats. The \"Office 365 Account Takeover\" analytic story focuses on the initial techniques attackers employ to breach or compromise these identities. Initial access, in this context, consists of techniques that use various entry vectors to gain their initial foothold . Identifying these early indicators is crucial for establishing the first line of defense against unauthorized access and potential security incidents within O365 environments.", "tags": {"category": ["Adversary Tactics", "Account Compromise", "Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1110.001", "mitre_attack_technique": "Password Guessing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1185", "mitre_attack_technique": "Browser Session Hijacking", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1528", "mitre_attack_technique": "Steal Application Access Token", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$", "Scattered Spider"]}], "mitre_attack_tactics": ["Initial Access", "Collection", "Resource Development", "Credential Access", "Privilege Escalation", "Persistence", "Defense Evasion"], "datamodels": ["Authentication", "Risk"], "kill_chain_phases": ["Delivery", "Installation", "Weaponization", "Exploitation"]}, "detection_names": ["ESCU - High Number of Login Failures from a single source - Rule", "ESCU - O365 Block User Consent For Risky Apps Disabled - Rule", "ESCU - O365 Concurrent Sessions From Different Ips - Rule", "ESCU - O365 Excessive Authentication Failures Alert - Rule", "ESCU - O365 Excessive SSO logon errors - Rule", "ESCU - O365 File Permissioned Application Consent Granted by User - Rule", "ESCU - O365 High Number Of Failed Authentications for User - Rule", "ESCU - O365 Mail Permissioned Application Consent Granted by User - Rule", "ESCU - O365 Multi-Source Failed Authentications Spike - Rule", "ESCU - O365 Multiple AppIDs and UserAgents Authentication Spike - Rule", "ESCU - O365 Multiple Failed MFA Requests For User - Rule", "ESCU - O365 Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - O365 Security And Compliance Alert Triggered - Rule", "ESCU - O365 User Consent Blocked for Risky Application - Rule", "ESCU - O365 User Consent Denied for OAuth Application - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Patrick Bareiss, Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "High Number of Login Failures from a single source", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Guessing"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "O365 Block User Consent For Risky Apps Disabled", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Impair Defenses"}]}, {"name": "O365 Concurrent Sessions From Different Ips", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Browser Session Hijacking"}]}, {"name": "O365 Excessive Authentication Failures Alert", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Brute Force"}]}, {"name": "O365 Excessive SSO logon errors", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Authentication Process"}]}, {"name": "O365 File Permissioned Application Consent Granted by User", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal Application Access Token"}]}, {"name": "O365 High Number Of Failed Authentications for User", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Guessing"}]}, {"name": "O365 Mail Permissioned Application Consent Granted by User", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal Application Access Token"}]}, {"name": "O365 Multi-Source Failed Authentications Spike", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}, {"name": "O365 Multiple AppIDs and UserAgents Authentication Spike", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "O365 Multiple Failed MFA Requests For User", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}, {"name": "O365 Multiple Users Failing To Authenticate From Ip", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}, {"name": "O365 Security And Compliance Alert Triggered", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}]}, {"name": "O365 User Consent Blocked for Risky Application", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal Application Access Token"}]}, {"name": "O365 User Consent Denied for OAuth Application", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal Application Access Token"}]}]}, {"name": "Office 365 Collection Techniques", "author": "Mauricio Velazco, Splunk", "date": "2024-02-12", "version": 1, "id": "d90f2b80-f675-4717-90af-12fc8c438ae8", "description": "Monitor for activities and anomalies indicative of potential collection techniques within Office 365 environments.", "references": [], "narrative": "Office 365 (O365) is Microsoft's cloud-based suite of productivity tools, encompassing email, collaboration platforms, and office applications, all integrated with Azure Active Directory for identity and access management. O365's centralized storage of sensitive data and widespread adoption make it a key asset, yet also a prime target for security threats. The 'Office 365 Collection Techniques' analytic story focuses on the strategies and methodologies that attackers might use to gather critical information within the O365 ecosystem. 'Collection' in this context refers to the various techniques adversaries deploy to accumulate data that are essential for advancing their malicious objectives. This could include tactics such as intercepting communications, accessing sensitive documents, or extracting data from collaboration tools and email platforms. By identifying and monitoring these collection activities, organizations can more effectively spot and counteract attempts to illicitly gather information", "tags": {"category": ["Adversary Tactics", "Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1098.002", "mitre_attack_technique": "Additional Email Delegate Permissions", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "Magic Hound"]}, {"mitre_attack_id": "T1114.003", "mitre_attack_technique": "Email Forwarding Rule", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Kimsuky", "LAPSUS$", "Silent Librarian"]}, {"mitre_attack_id": "T1114", "mitre_attack_technique": "Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Magic Hound", "Silent Librarian"]}, {"mitre_attack_id": "T1114.002", "mitre_attack_technique": "Remote Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "Chimera", "Dragonfly", "FIN4", "HAFNIUM", "Ke3chang", "Kimsuky", "Leafminer", "Magic Hound"]}], "mitre_attack_tactics": ["Persistence", "Collection", "Privilege Escalation"], "datamodels": ["Web", "Change"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - O365 ApplicationImpersonation Role Assigned - Rule", "ESCU - O365 Compliance Content Search Exported - Rule", "ESCU - O365 Compliance Content Search Started - Rule", "ESCU - O365 Elevated Mailbox Permission Assigned - Rule", "ESCU - O365 Mailbox Email Forwarding Enabled - Rule", "ESCU - O365 Mailbox Folder Read Permission Assigned - Rule", "ESCU - O365 Mailbox Folder Read Permission Granted - Rule", "ESCU - O365 Multiple Mailboxes Accessed via API - Rule", "ESCU - O365 New Email Forwarding Rule Created - Rule", "ESCU - O365 New Email Forwarding Rule Enabled - Rule", "ESCU - O365 New Forwarding Mailflow Rule Created - Rule", "ESCU - O365 OAuth App Mailbox Access via EWS - Rule", "ESCU - O365 OAuth App Mailbox Access via Graph API - Rule", "ESCU - O365 PST export alert - Rule", "ESCU - O365 Suspicious Admin Email Forwarding - Rule", "ESCU - O365 Suspicious Rights Delegation - Rule", "ESCU - O365 Suspicious User Email Forwarding - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "O365 ApplicationImpersonation Role Assigned", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Email Delegate Permissions"}]}, {"name": "O365 Compliance Content Search Exported", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Email Collection"}, {"mitre_attack_technique": "Remote Email Collection"}]}, {"name": "O365 Compliance Content Search Started", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Email Collection"}, {"mitre_attack_technique": "Remote Email Collection"}]}, {"name": "O365 Elevated Mailbox Permission Assigned", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Email Delegate Permissions"}]}, {"name": "O365 Mailbox Email Forwarding Enabled", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Email Collection"}, {"mitre_attack_technique": "Email Forwarding Rule"}]}, {"name": "O365 Mailbox Folder Read Permission Assigned", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Email Delegate Permissions"}]}, {"name": "O365 Mailbox Folder Read Permission Granted", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Email Delegate Permissions"}]}, {"name": "O365 Multiple Mailboxes Accessed via API", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Email Collection"}]}, {"name": "O365 New Email Forwarding Rule Created", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Email Collection"}, {"mitre_attack_technique": "Email Forwarding Rule"}]}, {"name": "O365 New Email Forwarding Rule Enabled", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Email Collection"}, {"mitre_attack_technique": "Email Forwarding Rule"}]}, {"name": "O365 New Forwarding Mailflow Rule Created", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Email Collection"}]}, {"name": "O365 OAuth App Mailbox Access via EWS", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Email Collection"}]}, {"name": "O365 OAuth App Mailbox Access via Graph API", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Email Collection"}]}, {"name": "O365 PST export alert", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Email Collection"}]}, {"name": "O365 Suspicious Admin Email Forwarding", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Email Forwarding Rule"}, {"mitre_attack_technique": "Email Collection"}]}, {"name": "O365 Suspicious Rights Delegation", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Email Collection"}, {"mitre_attack_technique": "Email Collection"}, {"mitre_attack_technique": "Additional Email Delegate Permissions"}, {"mitre_attack_technique": "Account Manipulation"}]}, {"name": "O365 Suspicious User Email Forwarding", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Email Forwarding Rule"}, {"mitre_attack_technique": "Email Collection"}]}]}, {"name": "Office 365 Persistence Mechanisms", "author": "Mauricio Velazco, Patrick Bareiss, Splunk", "date": "2023-10-17", "version": 1, "id": "d230a106-0475-4605-a8d8-abaf4c31ced7", "description": "Monitor for activities and anomalies indicative of potential persistence techniques within Office 365 environments.", "references": ["https://attack.mitre.org/tactics/TA0003/", "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", "https://blog.sygnia.co/detection-and-hunting-of-golden-saml-attack?hsLang=en", "https://www.mandiant.com/sites/default/files/2022-08/remediation-hardening-strategies-for-m365-defend-against-apt29-white-paper.pdf", "https://www.csoonline.com/article/570381/microsoft-365-advanced-audit-what-you-need-to-know.html", "https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/overview-assign-app-owners", "https://i.blackhat.com/USA-20/Thursday/us-20-Bienstock-My-Cloud-Is-APTs-Cloud-Investigating-And-Defending-Office-365.pdf"], "narrative": "Office 365 (O365) is Microsoft's cloud-based suite of productivity tools, encompassing email, collaboration platforms, and office applications, all integrated with Azure Active Directory for identity and access management. O365's centralized storage of sensitive data and widespread adoption make it a key asset, yet also a prime target for security threats. The \"Office 365 Persistence Mechanisms\" analytic story delves into the tactics and techniques attackers employ to maintain prolonged unauthorized access within the O365 environment. Persistence in this context refers to methods used by adversaries to keep their foothold after an initial compromise. This can involve actions like modifying mailbox rules, establishing covert forwarding rules, manipulating application permissions. By monitoring signs of persistence, organizations can effectively detect and respond to stealthy threats, thereby protecting their O365 assets and data.", "tags": {"category": ["Adversary Tactics", "Account Compromise", "Cloud Security", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098.003", "mitre_attack_technique": "Additional Cloud Roles", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1098.002", "mitre_attack_technique": "Additional Email Delegate Permissions", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "Magic Hound"]}, {"mitre_attack_id": "T1562.007", "mitre_attack_technique": "Disable or Modify Cloud Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1114", "mitre_attack_technique": "Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Magic Hound", "Silent Librarian"]}, {"mitre_attack_id": "T1098.005", "mitre_attack_technique": "Device Registration", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1098.001", "mitre_attack_technique": "Additional Cloud Credentials", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider", "Scattered Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1562.008", "mitre_attack_technique": "Disable or Modify Cloud Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1114.002", "mitre_attack_technique": "Remote Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "Chimera", "Dragonfly", "FIN4", "HAFNIUM", "Ke3chang", "Kimsuky", "Leafminer", "Magic Hound"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Collection", "Credential Access", "Privilege Escalation", "Persistence", "Defense Evasion"], "datamodels": ["Authentication", "Change"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - O365 Add App Role Assignment Grant User - Rule", "ESCU - O365 Added Service Principal - Rule", "ESCU - O365 Admin Consent Bypassed by Service Principal - Rule", "ESCU - O365 Advanced Audit Disabled - Rule", "ESCU - O365 Application Registration Owner Added - Rule", "ESCU - O365 ApplicationImpersonation Role Assigned - Rule", "ESCU - O365 Bypass MFA via Trusted IP - Rule", "ESCU - O365 Disable MFA - Rule", "ESCU - O365 FullAccessAsApp Permission Assigned - Rule", "ESCU - O365 High Privilege Role Granted - Rule", "ESCU - O365 Mailbox Inbox Folder Shared with All Users - Rule", "ESCU - O365 Mailbox Read Access Granted to Application - Rule", "ESCU - O365 Multiple Service Principals Created by SP - Rule", "ESCU - O365 Multiple Service Principals Created by User - Rule", "ESCU - O365 New Federated Domain Added - Rule", "ESCU - O365 New MFA Method Registered - Rule", "ESCU - O365 Privileged Graph API Permission Assigned - Rule", "ESCU - O365 Service Principal New Client Credentials - Rule", "ESCU - O365 Tenant Wide Admin Consent Granted - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Patrick Bareiss, Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "O365 Add App Role Assignment Grant User", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}, {"name": "O365 Added Service Principal", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}, {"name": "O365 Admin Consent Bypassed by Service Principal", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "O365 Advanced Audit Disabled", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Disable or Modify Cloud Logs"}]}, {"name": "O365 Application Registration Owner Added", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}]}, {"name": "O365 ApplicationImpersonation Role Assigned", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Email Delegate Permissions"}]}, {"name": "O365 Bypass MFA via Trusted IP", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Cloud Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "O365 Disable MFA", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Authentication Process"}]}, {"name": "O365 FullAccessAsApp Permission Assigned", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Additional Email Delegate Permissions"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "O365 High Privilege Role Granted", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "O365 Mailbox Inbox Folder Shared with All Users", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Email Collection"}, {"mitre_attack_technique": "Remote Email Collection"}]}, {"name": "O365 Mailbox Read Access Granted to Application", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Email Collection"}, {"mitre_attack_technique": "Email Collection"}, {"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "O365 Multiple Service Principals Created by SP", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Account"}]}, {"name": "O365 Multiple Service Principals Created by User", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Account"}]}, {"name": "O365 New Federated Domain Added", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}, {"name": "O365 New MFA Method Registered", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Device Registration"}]}, {"name": "O365 Privileged Graph API Permission Assigned", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Security Account Manager"}]}, {"name": "O365 Service Principal New Client Credentials", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Credentials"}]}, {"name": "O365 Tenant Wide Admin Consent Granted", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}]}, {"name": "Okta Account Takeover", "author": "Michael Haag, Mauricio Velazco, Bhavin Patel, Splunk", "date": "2024-03-06", "version": 1, "id": "83a48657-8153-4580-adba-eb0b3a83244e", "description": "The Okta Account Takeover analytic story encompasses a comprehensive suite of detections aimed at identifying unauthorized access and potential takeover attempts of Okta accounts. This collection leverages diverse data points and behavioral analytics to safeguard user identities and access within cloud environments. Monitor for activities and techniques associated with Account Takeover attacks against Okta tenants.", "references": ["https://attack.mitre.org/techniques/T1586/", "https://www.imperva.com/learn/application-security/account-takeover-ato/", "https://www.barracuda.com/glossary/account-takeover", "https://www.okta.com/customer-identity/"], "narrative": "Okta is a cloud-based identity management service that provides organizations with a secure way to manage user access to various applications and services. It enables single sign-on (SSO), multi-factor authentication (MFA), lifecycle management, and more, helping organizations streamline the user authentication process. Account Takeover (ATO) is an attack whereby cybercriminals gain unauthorized access to online accounts by using different techniques like brute force, social engineering, phishing & spear phishing, credential stuffing, etc. By posing as the real user, cyber-criminals can change account details, send out phishing emails, access sensitive applications, or use any stolen information to access further accounts within the organization. This analytic story groups detections that can help security operations teams identify the potential compromise of Okta accounts.", "tags": {"category": ["Adversary Tactics", "Account Compromise", "Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1556.006", "mitre_attack_technique": "Multi-Factor Authentication", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["Scattered Spider"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1078.001", "mitre_attack_technique": "Default Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["FIN13", "Magic Hound"]}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1098.005", "mitre_attack_technique": "Device Registration", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1550.004", "mitre_attack_technique": "Web Session Cookie", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1538", "mitre_attack_technique": "Cloud Service Dashboard", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Scattered Spider"]}, {"mitre_attack_id": "T1539", "mitre_attack_technique": "Steal Web Session Cookie", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Evilnum", "LuminousMoth", "Sandworm Team", "Scattered Spider"]}, {"mitre_attack_id": "T1087.004", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT29"]}], "mitre_attack_tactics": ["Initial Access", "Resource Development", "Discovery", "Privilege Escalation", "Credential Access", "Persistence", "Defense Evasion", "Lateral Movement"], "datamodels": ["Authentication", "Change", "Risk"], "kill_chain_phases": ["Installation", "Weaponization", "Delivery", "Exploitation"]}, "detection_names": ["ESCU - Okta Authentication Failed During MFA Challenge - Rule", "ESCU - Okta MFA Exhaustion Hunt - Rule", "ESCU - Okta Mismatch Between Source and Response for Verify Push Request - Rule", "ESCU - Okta Multi-Factor Authentication Disabled - Rule", "ESCU - Okta Multiple Accounts Locked Out - Rule", "ESCU - Okta Multiple Failed MFA Requests For User - Rule", "ESCU - Okta Multiple Failed Requests to Access Applications - Rule", "ESCU - Okta Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - Okta New API Token Created - Rule", "ESCU - Okta New Device Enrolled on Account - Rule", "ESCU - Okta Phishing Detection with FastPass Origin Check - Rule", "ESCU - Okta Risk Threshold Exceeded - Rule", "ESCU - Okta Successful Single Factor Authentication - Rule", "ESCU - Okta Suspicious Activity Reported - Rule", "ESCU - Okta Suspicious Use of a Session Cookie - Rule", "ESCU - Okta ThreatInsight Threat Detected - Rule", "ESCU - Okta Unauthorized Access to Application - Rule", "ESCU - Okta User Logins from Multiple Cities - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Mauricio Velazco, Bhavin Patel, Splunk", "author_name": "Michael Haag", "detections": [{"name": "Okta Authentication Failed During MFA Challenge", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}, {"name": "Okta MFA Exhaustion Hunt", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Brute Force"}]}, {"name": "Okta Mismatch Between Source and Response for Verify Push Request", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}, {"name": "Okta Multi-Factor Authentication Disabled", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Authentication Process"}, {"mitre_attack_technique": "Multi-Factor Authentication"}]}, {"name": "Okta Multiple Accounts Locked Out", "source": "application", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Brute Force"}]}, {"name": "Okta Multiple Failed MFA Requests For User", "source": "application", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}, {"name": "Okta Multiple Failed Requests to Access Applications", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Web Session Cookie"}, {"mitre_attack_technique": "Cloud Service Dashboard"}]}, {"name": "Okta Multiple Users Failing To Authenticate From Ip", "source": "application", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}]}, {"name": "Okta New API Token Created", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}]}, {"name": "Okta New Device Enrolled on Account", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Device Registration"}]}, {"name": "Okta Phishing Detection with FastPass Origin Check", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}, {"mitre_attack_technique": "Modify Authentication Process"}]}, {"name": "Okta Risk Threshold Exceeded", "source": "application", "type": "Correlation", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Okta Successful Single Factor Authentication", "source": "application", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}, {"name": "Okta Suspicious Activity Reported", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}]}, {"name": "Okta Suspicious Use of a Session Cookie", "source": "application", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Steal Web Session Cookie"}]}, {"name": "Okta ThreatInsight Threat Detected", "source": "application", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}]}, {"name": "Okta Unauthorized Access to Application", "source": "application", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Account"}]}, {"name": "Okta User Logins from Multiple Cities", "source": "application", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Accounts"}]}]}, {"name": "Okta MFA Exhaustion", "author": "Michael Haag, Splunk", "date": "2022-09-27", "version": 1, "id": "7c6e508d-4b4d-42c8-82de-5ff4ea3b0cb3", "description": "A social engineering technique called 'MFA Fatigue', aka 'MFA push spam' or 'MFA Exhaustion', is growing more popular with threat actors as it does not require malware or phishing infrastructure and has proven to be successful in attacks.", "references": ["https://www.bleepingcomputer.com/news/security/mfa-fatigue-hackers-new-favorite-tactic-in-high-profile-breaches/", "https://www.csoonline.com/article/3674156/multi-factor-authentication-fatigue-attacks-are-on-the-rise-how-to-defend-against-them.html"], "narrative": "An MFA Fatigue attack is when a threat actor runs a script that attempts to log in with stolen credentials over and over, causing what feels like an endless stream of MFA push requests to be sent to the account's owner's mobile device. The goal is to keep this up, day and night, to break down the target's cybersecurity posture and inflict a sense of \"fatigue\" regarding these MFA prompts.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Initial Access", "Privilege Escalation", "Credential Access", "Persistence", "Defense Evasion"], "datamodels": ["Authentication", "Risk"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation"]}, "detection_names": ["ESCU - Okta MFA Exhaustion Hunt - Rule", "ESCU - Okta Mismatch Between Source and Response for Verify Push Request - Rule", "ESCU - Okta Risk Threshold Exceeded - Rule", "ESCU - Okta Account Locked Out - Rule", "ESCU - Okta Two or More Rejected Okta Pushes - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Okta MFA Exhaustion Hunt", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Brute Force"}]}, {"name": "Okta Mismatch Between Source and Response for Verify Push Request", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}, {"name": "Okta Risk Threshold Exceeded", "source": "application", "type": "Correlation", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Okta Account Locked Out", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Brute Force"}]}, {"name": "Okta Two or More Rejected Okta Pushes", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Brute Force"}]}]}, {"name": "OpenSSL CVE-2022-3602", "author": "Michael Haag, splunk", "date": "2022-11-02", "version": 1, "id": "491e00c9-998b-4c64-91bb-d8f9c79c1f4c", "description": "OpenSSL recently disclosed two vulnerabilities CVE-2022-3602 and CVE-2022-3786. CVE-2022-3602 is a X.509 Email Address 4-byte Buffer Overflow where puny code is utilized. This only affects OpenSSL 3.0.0 - 3.0.6.", "references": ["https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/", "https://github.com/advisories/GHSA-h8jm-2x53-xhp5", "https://community.emergingthreats.net/t/out-of-band-ruleset-update-summary-2022-11-01/117", "https://github.com/corelight/CVE-2022-3602/tree/master/scripts"], "narrative": "A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the . character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service). In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. Users of OpenSSL 3.0.0 - 3.0.6 are encouraged to upgrade to 3.0.7 as soon as possible. If you obtain your copy of OpenSSL from your Operating System vendor or other third party then you should seek to obtain an updated version from them as soon as possible. SSL Certificates with Punycode will identify SSL certificates with Punycode. Note that it does not mean it will capture malicious payloads. If using Zeek, modify the Zeek x509 certificate with punycode to match your environment. We found during this exercise that the FULL x509 with SAN must be captured and stored, decoded, in order to query against it.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1573", "mitre_attack_technique": "Encrypted Channel", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT29", "BITTER", "Magic Hound", "Tropic Trooper"]}], "mitre_attack_tactics": ["Command And Control"], "datamodels": [], "kill_chain_phases": ["Command and Control"]}, "detection_names": ["ESCU - SSL Certificates with Punycode - Rule", "ESCU - Zeek x509 Certificate with Punycode - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "splunk", "author_name": "Michael Haag", "detections": [{"name": "SSL Certificates with Punycode", "source": "network", "type": "Hunting", "tags": [{"mitre_attack_technique": "Encrypted Channel"}]}, {"name": "Zeek x509 Certificate with Punycode", "source": "network", "type": "Hunting", "tags": [{"mitre_attack_technique": "Encrypted Channel"}]}]}, {"name": "Orangeworm Attack Group", "author": "David Dorsey, Splunk", "date": "2020-01-22", "version": 2, "id": "bb9f5ed2-916e-4364-bb6d-97c370efcf52", "description": "Detect activities and various techniques associated with the Orangeworm Attack Group, a group that frequently targets the healthcare industry.", "references": ["https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia", "https://www.infosecurity-magazine.com/news/healthcare-targeted-by-hacker/"], "narrative": "In May of 2018, the attack group Orangeworm was implicated for installing a custom backdoor called Trojan.Kwampirs within large international healthcare corporations in the United States, Europe, and Asia. This malware provides the attackers with remote access to the target system, decrypting and extracting a copy of its main DLL payload from its resource section. Before writing the payload to disk, it inserts a randomly generated string into the middle of the decrypted payload in an attempt to evade hash-based detections.\nAwareness of the Orangeworm group first surfaced in January, 2015. It has conducted targeted attacks against related industries, as well, such as pharmaceuticals and healthcare IT solution providers.\nHealthcare may be a promising target, because it is notoriously behind in technology, often using older operating systems and neglecting to patch computers. Even so, the group was able to evade detection for a full three years. Sources say that the malware spread quickly within the target networks, infecting computers used to control medical devices, such as MRI and X-ray machines.\nThis Analytic Story is designed to help you detect and investigate suspicious activities that may be indicative of an Orangeworm attack. One detection search looks for command-line arguments. Another monitors for uses of sc.exe, a non-essential Windows file that can manipulate Windows services. One of the investigative searches helps you get more information on web hosts that you suspect have been compromised.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}], "mitre_attack_tactics": ["Execution"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation"]}, "detection_names": ["ESCU - First time seen command line argument - Rule", "ESCU - First Time Seen Running Windows Service - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule"], "investigation_names": ["Get History Of Email Sources", "Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "First time seen command line argument", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Windows Command Shell"}]}, {"name": "First Time Seen Running Windows Service", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}]}, {"name": "Outlook RCE CVE-2024-21378", "author": "Michael Haag, Teoderick Contreras, Splunk", "date": "2024-03-20", "version": 1, "id": "d889fcf2-0265-4b44-b29f-4ec063c21880", "description": "CVE-2024-21378 exposes a critical vulnerability in Microsoft Outlook, allowing for authenticated remote code execution (RCE) through the manipulation of synced form objects. Discovered by NetSPI in 2023, this vulnerability capitalizes on the unchanged syncing capability of form objects, despite previous patches aimed at securing script code in custom forms. This technical blog delves into the discovery and weaponization of CVE-2024-21378, enhancing the Outlook penetration testing tool, Ruler, to exploit this flaw. A forthcoming pull request will provide a proof-of-concept code, aiding organizations in mitigating this security risk.", "references": ["https://www.netspi.com/blog/technical/red-team-operations/microsoft-outlook-remote-code-execution-cve-2024-21378/"], "narrative": "CVE-2024-21378 is a weakness in Microsoft Outlook that lets hackers execute code remotely if they can authenticate themselves. Researchers at NetSPI found this issue in 2023. The problem started with a technique from 2017 by Etienne Stalmans at SensePost, who found a way to run code using VBScript in Outlook forms. Microsoft tried to fix it by only allowing approved script code in custom forms, but they didn't fix the main issue, which is how these forms sync. To exploit this vulnerability, you need to know how Outlook forms sync, using something called MAPI, and how they use certain properties and attachments when they're set up for the first time. Hackers can mess with these properties and attachments to run their own code. They do this by tricking the form's setup process, changing registry keys and files to get past Outlook's security. To show how this could be done, researchers modified Ruler, a tool for testing Outlook's security. They changed it so it could sync a harmful form with the right properties to run a specific type of file, a COM compliant native DLL. This not only showed that CVE-2024-21378 could be exploited but also that it could affect a lot of companies since so many use Microsoft Outlook. The discovery and the way it was exploited remind us that we always need to be on the lookout for security risks and work hard to protect against them. The cybersecurity world is always watching for the next big threat that could put our digital world at risk. As companies rush to fix this issue, it's a reminder of how important it is to stay ahead of these threats.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}], "mitre_attack_tactics": ["Initial Access", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Exploitation"]}, "detection_names": ["ESCU - Windows InProcServer32 New Outlook Form - Rule", "ESCU - Windows New InProcServer32 Added - Rule", "ESCU - Windows Phishing Outlook Drop Dll In FORM Dir - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Teoderick Contreras, Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows InProcServer32 New Outlook Form", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows New InProcServer32 Added", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Phishing Outlook Drop Dll In FORM Dir", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}]}]}, {"name": "PaperCut MF NG Vulnerability", "author": "Michael Haag, Splunk", "date": "2023-05-15", "version": 1, "id": "2493d270-5665-4fb4-99c7-8f886f260676", "description": "The FBI has issued a joint advisory concerning the exploitation of a PaperCut MF/NG vulnerability (CVE-2023-27350) by malicious actors, which began in mid-April 2023 and has been ongoing. In early May 2023, a group identifying themselves as the Bl00dy Ransomware Gang targeted vulnerable PaperCut servers within the Education Facilities Subsector. The advisory provides information on detecting exploitation attempts and shares known indicators of compromise (IOCs) associated with the group's activities.", "references": ["https://www.cisa.gov/news-events/alerts/2023/05/11/cisa-and-fbi-release-joint-advisory-response-active-exploitation-papercut-vulnerability", "https://www.papercut.com/kb/Main/PO-1216-and-PO-1219", "https://www.horizon3.ai/papercut-cve-2023-27350-deep-dive-and-indicators-of-compromise/", "https://www.bleepingcomputer.com/news/security/hackers-actively-exploit-critical-rce-bug-in-papercut-servers/", "https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software"], "narrative": "PaperCut MF/NG versions 19 and older have reached their end-of-life, as documented on the End of Life Policy page. Customers using these older versions are advised to purchase an updated license online for PaperCut NG or through their PaperCut Partner for PaperCut MF. For users with a currently supported version (version 20 or later), they can upgrade to any maintenance release version they are licensed for. If upgrading to a security patch is not possible, there are alternative options to enhance security. Users can lock down network access to their server(s) by blocking all inbound traffic from external IPs to the web management port (port 9191 and 9192 by default) and blocking all inbound traffic to the web management portal on the firewall to the server. Additionally, users can apply \"Allow list\" restrictions under Options > Advanced > Security > Allowed site server IP addresses, setting this to only allow the IP addresses of verified Site Servers on their network.\nThe vulnerabilities CVE-2023-27350 and CVE-2023-27351 have CVSS scores of 9.8 (Critical) and 8.2 (High), respectively. PaperCut and its partner network have activated response teams to assist PaperCut MF and NG customers, with service desks available 24/7 via their support page. The security response team at PaperCut has been working with external security advisors to compile a list of unpatched PaperCut MF/NG servers that have ports open on the public internet. They have been proactively reaching out to potentially exposed customers since Wednesday afternoon (AEST) and are working around the clock through the weekend.\nThe exploit was first detected in the wild on April 18th, 2023, at 03:30 AEST / April 17th, 2023, at 17:30 UTC. The earliest signature of suspicious activity on a customer server potentially linked to this vulnerability dates back to April 14th, 2023, at 01:29 AEST / April 13th, 2023, at 15:29 UTC.\nApplying the security fixes should not have any negative impact. Users can follow their usual upgrade procedure to obtain the upgrade. Additional links on the -Check for updates- page (accessed through the Admin interface > About > Version info > Check for updates) allow customers to download fixes for previous major versions that are still supported (e.g., 20.1.7 and 21.2.11) as well as the current version available. PaperCut MF users are advised to follow their regular upgrade process and consult their PaperCut partner or reseller for assistance.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}], "mitre_attack_tactics": ["Persistence", "Execution", "Initial Access"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Delivery"]}, "detection_names": ["ESCU - PaperCut NG Suspicious Behavior Debug Log - Rule", "ESCU - Windows PaperCut NG Spawn Shell - Rule", "ESCU - PaperCut NG Remote Web Access Attempt - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "PaperCut NG Suspicious Behavior Debug Log", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Windows PaperCut NG Spawn Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "PaperCut NG Remote Web Access Attempt", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}]}, {"name": "PetitPotam NTLM Relay on Active Directory Certificate Services", "author": "Michael Haag, Mauricio Velazco, Splunk", "date": "2021-08-31", "version": 1, "id": "97aecafc-0a68-11ec-962f-acde48001122", "description": "PetitPotam (CVE-2021-36942,) is a vulnerablity identified in Microsofts EFSRPC Protocol that can allow an unauthenticated account to escalate privileges to domain administrator given the right circumstances.", "references": ["https://us-cert.cisa.gov/ncas/current-activity/2021/07/27/microsoft-releases-guidance-mitigating-petitpotam-ntlm-relay", "https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429", "https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf", "https://github.com/topotam/PetitPotam/", "https://github.com/gentilkiwi/mimikatz/releases/tag/2.2.0-20210723", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942", "https://attack.mitre.org/techniques/T1187/"], "narrative": "In June 2021, security researchers at SpecterOps released a blog post and white paper detailing several potential attack vectors against Active Directory Certificated Services (ADCS). ADCS is a Microsoft product that implements Public Key Infrastrucutre (PKI) functionality and can be used by organizations to provide and manage digital certiticates within Active Directory.\\ In July 2021, a security researcher released PetitPotam, a tool that allows attackers to coerce Windows systems into authenticating to arbitrary endpoints.\\ Combining PetitPotam with the identified ADCS attack vectors allows attackers to escalate privileges from an unauthenticated anonymous user to full domain admin privileges.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1187", "mitre_attack_technique": "Forced Authentication", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["DarkHydrus", "Dragonfly"]}], "mitre_attack_tactics": ["Credential Access"], "datamodels": [], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - PetitPotam Network Share Access Request - Rule", "ESCU - PetitPotam Suspicious Kerberos TGT Request - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Mauricio Velazco, Splunk", "author_name": "Michael Haag", "detections": [{"name": "PetitPotam Network Share Access Request", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Forced Authentication"}]}, {"name": "PetitPotam Suspicious Kerberos TGT Request", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "OS Credential Dumping"}]}]}, {"name": "Phemedrone Stealer", "author": "Teoderick Contreras, Splunk", "date": "2024-01-24", "version": 2, "id": "386f64dd-657b-4dcf-8eb3-5e297d30924c", "description": "Phemedrone Stealer is a potent data-stealing malware designed to infiltrate systems discreetly, primarily targeting sensitive user information. Operating with a stealthy modus operandi, it covertly collects and exfiltrates critical data such as login credentials, personal details, and financial information. Notably evasive, Phemedrone employs sophisticated techniques to bypass security measures and remain undetected. Its capabilities extend to exploiting vulnerabilities, leveraging command and control infrastructure, and facilitating remote access. As a formidable threat, Phemedrone Stealer poses a significant risk to user privacy and system integrity, demanding vigilant cybersecurity measures to counteract its malicious activities.", "references": ["https://www.trendmicro.com/en_vn/research/23/b/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows.html"], "narrative": "Phemedrone Stealer, spotlighted in a recent Trend Micro blog, unveils a concerning chapter in cyber threats. Leveraging the CVE-2023-36025 vulnerability for defense evasion, this malware exhibits a relentless pursuit of sensitive data. Originating from the shadows of the dark web, it capitalizes on forums where cybercriminals refine its evasive maneuvers. The blog sheds light on Phemedrone's exploitation of intricate tactics, illustrating its agility in sidestepping security protocols. As cybersecurity experts delve into the intricacies of CVE-2023-36025, the narrative surrounding Phemedrone Stealer underscores the urgency for heightened vigilance and proactive defense measures against this persistent and evolving digital adversary.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "Malteiro", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "APT41", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "Volt Typhoon", "ZIRCONIUM"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "APT41", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Malteiro", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1059.005", "mitre_attack_technique": "Visual Basic", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT33", "APT37", "APT38", "APT39", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Earth Lusca", "FIN13", "FIN4", "FIN7", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "Transparent Tribe", "Turla", "WIRTE", "Windshift"]}], "mitre_attack_tactics": ["Command And Control", "Discovery", "Privilege Escalation", "Credential Access", "Persistence", "Execution"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation", "Command and Control"]}, "detection_names": ["ESCU - Any Powershell DownloadFile - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - Download Files Using Telegram - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Suspicious Process DNS Query Known Abuse Web Services - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Credentials from Password Stores Chrome Extension Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule", "ESCU - Windows Gather Victim Network Info Through Ip Check Web Services - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Download Files Using Telegram", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Schtasks scheduling job on remote system", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Suspicious Process DNS Query Known Abuse Web Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Visual Basic"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Windows Credentials from Password Stores Chrome Extension Access", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Credentials from Password Stores Chrome LocalState Access", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Credentials from Password Stores Chrome Login Data Access", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Gather Victim Network Info Through Ip Check Web Services", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "IP Addresses"}, {"mitre_attack_technique": "Gather Victim Network Information"}]}]}, {"name": "PlugX", "author": "Teoderick Contreras, Splunk", "date": "2023-10-12", "version": 2, "id": "a2c94c99-b93b-4bc7-a749-e2198743d0d6", "description": "PlugX, also referred to as \"PlugX RAT\" or \"Kaba,\" is a highly sophisticated remote access Trojan (RAT) discovered in 2012. This malware is notorious for its involvement in targeted cyberattacks, primarily driven by cyber espionage objectives. PlugX provides attackers with comprehensive remote control capabilities over compromised systems, granting them the ability to execute commands, collect sensitive data, and manipulate the infected host.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.plugx", "https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/carderbee-software-supply-chain-certificate-abuse", "https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf", "https://www.mandiant.com/resources/blog/infected-usb-steal-secrets", "https://attack.mitre.org/software/S0013/"], "narrative": "PlugX, known as the \"silent infiltrator of the digital realm, is a shadowy figure in the world of cyber threats. This remote access Trojan (RAT), first unveiled in 2012, is not your run-of-the-mill malware. It's the go-to tool for sophisticated hackers with one goal in mind, espionage. PlugX's repertoire of capabilities reads like a spy thriller. It doesn't just breach your defenses; it goes a step further, slipping quietly into your systems, much like a ghost. Once inside, it opens the door to a world of possibilities for cybercriminals. With a few keystrokes, they can access your data, capture your screen, and silently watch your every move. In the hands of skilled hackers, it's a versatile instrument for cyber espionage. This malware thrives on persistence. It's not a one-time hit; it's in it for the long haul. Even if you reboot your system, PlugX remains, ensuring that its grip on your infrastructure doesn't waver.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "APT5", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "APT5", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT", "ToddyCat"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1134.002", "mitre_attack_technique": "Create Process with Token", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Lazarus Group", "Turla"]}, {"mitre_attack_id": "T1091", "mitre_attack_technique": "Replication Through Removable Media", "mitre_attack_tactics": ["Initial Access", "Lateral Movement"], "mitre_attack_groups": ["APT28", "Aoqin Dragon", "Darkhotel", "FIN7", "LuminousMoth", "Mustang Panda", "Tropic Trooper"]}, {"mitre_attack_id": "T1574.011", "mitre_attack_technique": "Services Registry Permissions Weakness", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Initial Access", "Discovery", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Lateral Movement"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation"]}, "detection_names": ["ESCU - Allow Inbound Traffic By Firewall Rule Registry - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Firewall Allowed Program Enable - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Office Application Drop Executable - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Document Spawned Child Process To Download - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious writes to windows Recycle Bin - Rule", "ESCU - Windows Access Token Manipulation SeDebugPrivilege - Rule", "ESCU - Windows Masquerading Msdtc Process - Rule", "ESCU - Windows Replication Through Removable Media - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule", "ESCU - Windows Service Deletion In Registry - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Allow Inbound Traffic By Firewall Rule Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Firewall Allowed Program Enable", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "Office Application Drop Executable", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Document Spawned Child Process To Download", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Suspicious writes to windows Recycle Bin", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Windows Access Token Manipulation SeDebugPrivilege", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Create Process with Token"}, {"mitre_attack_technique": "Access Token Manipulation"}]}, {"name": "Windows Masquerading Msdtc Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Windows Replication Through Removable Media", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Replication Through Removable Media"}]}, {"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Services Registry Permissions Weakness"}]}, {"name": "Windows Service Deletion In Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Service Stop"}]}]}, {"name": "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "author": "iDefense Cyber Espionage Team, iDefense", "date": "2020-01-22", "version": 1, "id": "988c59c5-0a1c-45b6-a555-0c62276e327e", "description": "Monitor your environment for suspicious behaviors that resemble the techniques employed by the MUDCARP threat group.", "references": ["https://www.infosecurity-magazine.com/news/scope-of-mudcarp-attacks-highlight-1/", "http://blog.amossys.fr/badflick-is-not-so-bad.html"], "narrative": "This story was created as a joint effort between iDefense and Splunk.\niDefense analysts have recently discovered a Windows executable file that, upon execution, spoofs a decryption tool and then drops a file that appears to be the custom-built javascript backdoor, \"Orz,\" which is associated with the threat actors known as MUDCARP (as well as \"temp.Periscope\" and \"Leviathan\"). The file is executed using Wscript.\nThe MUDCARP techniques include the use of the compressed-folders module from Microsoft, zipfldr.dll, with RouteTheCall export to run the malicious process or command. After a successful reboot, the malware is made persistent by a manipulating `[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]'help'='c:\\\\windows\\\\system32\\\\rundll32.exe c:\\\\windows\\\\system32\\\\zipfldr.dll,RouteTheCall c:\\\\programdata\\\\winapp.exe'`. Though this technique is not exclusive to MUDCARP, it has been spotted in the group's arsenal of advanced techniques seen in the wild.\nThis Analytic Story searches for evidence of tactics, techniques, and procedures (TTPs) that allow for the use of a endpoint detection-and-response (EDR) bypass technique to mask the true parent of a malicious process. It can also be set as a registry key for further sandbox evasion and to allow the malware to launch only after reboot.\nIf behavioral searches included in this story yield positive hits, iDefense recommends conducting IOC searches for the following:\n1. www.chemscalere[.]com\n1. chemscalere[.]com\n1. about.chemscalere[.]com\n1. autoconfig.chemscalere[.]com\n1. autodiscover.chemscalere[.]com\n1. catalog.chemscalere[.]com\n1. cpanel.chemscalere[.]com\n1. db.chemscalere[.]com\n1. ftp.chemscalere[.]com\n1. mail.chemscalere[.]com\n1. news.chemscalere[.]com\n1. update.chemscalere[.]com\n1. webmail.chemscalere[.]com\n1. www.candlelightparty[.]org\n1. candlelightparty[.]org\n1. newapp.freshasianews[.]com\nIn addition, iDefense also recommends that organizations review their environments for activity related to the following hashes:\n1. cd195ee448a3657b5c2c2d13e9c7a2e2\n1. b43ad826fe6928245d3c02b648296b43\n1. 889a9b52566448231f112a5ce9b5dfaf\n1. b8ec65dab97cdef3cd256cc4753f0c54\n1. 04d83cd3813698de28cfbba326d7647c", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}], "mitre_attack_tactics": ["Persistence", "Execution", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - First time seen command line argument - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Unusually Long Command Line - Rule", "ESCU - Unusually Long Command Line - MLTK - Rule"], "investigation_names": ["Get History Of Email Sources", "Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "iDefense", "author_name": "iDefense Cyber Espionage Team", "detections": [{"name": "First time seen command line argument", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Windows Command Shell"}]}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Unusually Long Command Line", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Unusually Long Command Line - MLTK", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Prestige Ransomware", "author": "Teoderick Contreras, Splunk", "date": "2022-11-30", "version": 1, "id": "8b8d8506-b931-450c-b794-f24184ca1deb", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Prestige Ransomware", "references": ["https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "narrative": "This story addresses Prestige ransomware. This ransomware payload seen by Microsoft Threat Intelligence Center(MSTIC) as a ransomware campaign targeting organization in the transportation and logistic industries in some countries. This ransomware campaign highlight the destructive attack to its target organization that directly supplies or transporting military and humanitarian services or assistance. MSTIC observed this ransomware has similarities in terms of its deployment techniques with CaddyWiper and HermeticWiper which is also known malware campaign impacted multiple targeted critical infrastructure organizations. This analytic story will provide techniques and analytics that may help SOC or security researchers to monitor this threat.", "tags": {"category": ["Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}, {"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1070.005", "mitre_attack_technique": "Network Share Connection Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Threat Group-3390"]}, {"mitre_attack_id": "T1003.003", "mitre_attack_technique": "NTDS", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "HAFNIUM", "Ke3chang", "LAPSUS$", "Mustang Panda", "Sandworm Team", "Scattered Spider", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1115", "mitre_attack_technique": "Clipboard Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT38", "APT39"]}, {"mitre_attack_id": "T1552.002", "mitre_attack_technique": "Credentials in Registry", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT32"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "APT5", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}, {"mitre_attack_id": "T1016.001", "mitre_attack_technique": "Internet Connection Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT29", "FIN13", "FIN8", "Gamaredon Group", "HAFNIUM", "HEXANE", "Magic Hound", "TA2541", "Turla"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1531", "mitre_attack_technique": "Account Access Removal", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Akira", "LAPSUS$"]}, {"mitre_attack_id": "T1202", "mitre_attack_technique": "Indirect Command Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "APT41", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "Volt Typhoon", "ZIRCONIUM"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "FIN7", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "ToddyCat", "Turla", "Volt Typhoon"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1082", "mitre_attack_technique": "System Information Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT19", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "Blue Mockingbird", "Chimera", "Confucius", "Darkhotel", "FIN13", "FIN8", "Gamaredon Group", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Malteiro", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Sowbug", "Stealth Falcon", "TA2541", "TeamTNT", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Windigo", "Windshift", "Wizard Spider", "ZIRCONIUM", "admin@338"]}, {"mitre_attack_id": "T1547.005", "mitre_attack_technique": "Security Support Provider", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "Malteiro", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1552.004", "mitre_attack_technique": "Private Keys", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Rocke", "Scattered Spider", "TeamTNT"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003.005", "mitre_attack_technique": "Cached Domain Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "Leafminer", "MuddyWater", "OilRig"]}, {"mitre_attack_id": "T1555.005", "mitre_attack_technique": "Password Managers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Fox Kitten", "LAPSUS$", "Threat Group-3390"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Reconnaissance", "Collection", "Discovery", "Credential Access", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Impact", "Lateral Movement"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Reconnaissance", "Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Change Default File Association - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Create or delete windows shares using net exe - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Domain Group Discovery With Net - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Excessive Usage Of Cacls App - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Connection Discovery With Net - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Network Discovery Using Route Windows App - Rule", "ESCU - Ntdsutil Export NTDS - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - WBAdmin Delete System Backups - Rule", "ESCU - Windows Cached Domain Credentials Reg Query - Rule", "ESCU - Windows Change Default File Association For No File Ext - Rule", "ESCU - Windows ClipBoard Data via Get-ClipBoard - Rule", "ESCU - Windows Credentials from Password Stores Query - Rule", "ESCU - Windows Credentials in Registry Reg Query - Rule", "ESCU - Windows Indirect Command Execution Via Series Of Forfiles - Rule", "ESCU - Windows Information Discovery Fsutil - Rule", "ESCU - Windows Modify Registry Reg Restore - Rule", "ESCU - Windows Password Managers Discovery - Rule", "ESCU - Windows Private Keys Discovery - Rule", "ESCU - Windows Query Registry Reg Save - Rule", "ESCU - Windows Security Support Provider Reg Query - Rule", "ESCU - Windows Service Stop Via Net and SC Application - Rule", "ESCU - Windows Steal or Forge Kerberos Tickets Klist - Rule", "ESCU - Windows System Network Config Discovery Display DNS - Rule", "ESCU - Windows System Network Connections Discovery Netsh - Rule", "ESCU - Windows System User Discovery Via Quser - Rule", "ESCU - Windows WMI Process And Service List - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Change Default File Association", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Change Default File Association"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Create or delete windows shares using net exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Network Share Connection Removal"}]}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Domain Group Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Excessive Usage Of Cacls App", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Account Access Removal"}]}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}, {"name": "Network Connection Discovery With Arp", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "Network Connection Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "Network Discovery Using Route Windows App", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Internet Connection Discovery"}]}, {"name": "Ntdsutil Export NTDS", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Gather Victim Host Information"}]}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Schtasks scheduling job on remote system", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "WBAdmin Delete System Backups", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Windows Cached Domain Credentials Reg Query", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cached Domain Credentials"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Windows Change Default File Association For No File Ext", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Change Default File Association"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Windows ClipBoard Data via Get-ClipBoard", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Clipboard Data"}]}, {"name": "Windows Credentials from Password Stores Query", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}]}, {"name": "Windows Credentials in Registry Reg Query", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials in Registry"}, {"mitre_attack_technique": "Unsecured Credentials"}]}, {"name": "Windows Indirect Command Execution Via Series Of Forfiles", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Indirect Command Execution"}]}, {"name": "Windows Information Discovery Fsutil", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Information Discovery"}]}, {"name": "Windows Modify Registry Reg Restore", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Password Managers Discovery", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Managers"}]}, {"name": "Windows Private Keys Discovery", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Private Keys"}, {"mitre_attack_technique": "Unsecured Credentials"}]}, {"name": "Windows Query Registry Reg Save", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Security Support Provider Reg Query", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Security Support Provider"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Windows Service Stop Via Net and SC Application", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Service Stop"}]}, {"name": "Windows Steal or Forge Kerberos Tickets Klist", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}, {"name": "Windows System Network Config Discovery Display DNS", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Network Configuration Discovery"}]}, {"name": "Windows System Network Connections Discovery Netsh", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "Windows System User Discovery Via Quser", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Owner/User Discovery"}]}, {"name": "Windows WMI Process And Service List", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Scheduled Task"}]}]}, {"name": "PrintNightmare CVE-2021-34527", "author": "Splunk Threat Research Team", "date": "2021-07-01", "version": 1, "id": "fd79470a-da88-11eb-b803-acde48001122", "description": "The following analytic story identifies behaviors related PrintNightmare, or CVE-2021-34527 previously known as (CVE-2021-1675), to gain privilege escalation on the vulnerable machine.", "references": ["https://github.com/cube0x0/CVE-2021-1675/", "https://blog.truesec.com/2021/06/30/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available/", "https://blog.truesec.com/2021/06/30/exploitable-critical-rce-vulnerability-allows-regular-users-to-fully-compromise-active-directory-printnightmare-cve-2021-1675/", "https://www.reddit.com/r/msp/comments/ob6y02/critical_vulnerability_printnightmare_exposes"], "narrative": "This vulnerability affects the Print Spooler service, enabled by default on Windows systems, and allows adversaries to trick this service into installing a remotely hosted print driver using a low privileged user account. Successful exploitation effectively allows adversaries to execute code in the target system (Remote Code Execution) in the context of the Print Spooler service which runs with the highest privileges (Privilege Escalation).\nThe prerequisites for successful exploitation consist of:\n1. Print Spooler service enabled on the target system\n1. Network connectivity to the target system (initial access has been obtained)\n1. Hash or password for a low privileged user ( or computer ) account.\nIn the most impactful scenario, an attacker would be able to leverage this vulnerability to obtain a SYSTEM shell on a domain controller and so escalate their privileges from a low privileged domain account to full domain access in the target environment as shown below.", "tags": {"category": ["Vulnerability"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1547.012", "mitre_attack_technique": "Print Processors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Persistence", "Privilege Escalation", "Defense Evasion"], "datamodels": ["Network_Traffic", "Endpoint"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - Print Spooler Adding A Printer Driver - Rule", "ESCU - Print Spooler Failed to Load a Plug-in - Rule", "ESCU - Rundll32 with no Command Line Arguments with Network - Rule", "ESCU - Spoolsv Spawning Rundll32 - Rule", "ESCU - Spoolsv Suspicious Loaded Modules - Rule", "ESCU - Spoolsv Suspicious Process Access - Rule", "ESCU - Spoolsv Writing a DLL - Rule", "ESCU - Spoolsv Writing a DLL - Sysmon - Rule", "ESCU - Suspicious Rundll32 no Command Line Arguments - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "no", "author_name": "Splunk Threat Research Team", "detections": [{"name": "Print Spooler Adding A Printer Driver", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Print Spooler Failed to Load a Plug-in", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Rundll32 with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Spoolsv Spawning Rundll32", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Spoolsv Suspicious Loaded Modules", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Spoolsv Suspicious Process Access", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}, {"name": "Spoolsv Writing a DLL", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Spoolsv Writing a DLL - Sysmon", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Suspicious Rundll32 no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}]}, {"name": "Prohibited Traffic Allowed or Protocol Mismatch", "author": "Rico Valdez, Splunk", "date": "2017-09-11", "version": 1, "id": "6d13121c-90f3-446d-8ac3-27efbbc65218", "description": "Detect instances of prohibited network traffic allowed in the environment, as well as protocols running on non-standard ports. Both of these types of behaviors typically violate policy and can be leveraged by attackers.", "references": ["http://www.novetta.com/2015/02/advanced-methods-to-detect-advanced-cyber-attacks-protocol-abuse/"], "narrative": "A traditional security best practice is to control the ports, protocols, and services allowed within your environment. By limiting the services and protocols to those explicitly approved by policy, administrators can minimize the attack surface. The combined effect allows both network defenders and security controls to focus and not be mired in superfluous traffic or data types. Looking for deviations to policy can identify attacker activity that abuses services and protocols to run on alternate or non-standard ports in the attempt to avoid detection or frustrate forensic analysts.", "tags": {"category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "APT5", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "Mustard Tempest", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}], "mitre_attack_tactics": ["Initial Access", "Exfiltration", "Lateral Movement"], "datamodels": ["Network_Traffic", "Endpoint", "Network_Resolution"], "kill_chain_phases": ["Delivery", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Allow Inbound Traffic By Firewall Rule Registry - Rule", "ESCU - Allow Inbound Traffic In Firewall Rule - Rule", "ESCU - Enable RDP In Other Port Number - Rule", "ESCU - Detect hosts connecting to dynamic domain providers - Rule", "ESCU - Prohibited Network Traffic Allowed - Rule", "ESCU - Protocol or Port Mismatch - Rule", "ESCU - TOR Traffic - Rule"], "investigation_names": ["Get DNS Server History for a host", "Get Notable History", "Get Parent Process Info", "Get Process Info", "Get Process Information For Port Activity"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Allow Inbound Traffic By Firewall Rule Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "Allow Inbound Traffic In Firewall Rule", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "Enable RDP In Other Port Number", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}]}, {"name": "Detect hosts connecting to dynamic domain providers", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Drive-by Compromise"}]}, {"name": "Prohibited Network Traffic Allowed", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}, {"name": "Protocol or Port Mismatch", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}, {"name": "TOR Traffic", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Multi-hop Proxy"}]}]}, {"name": "ProxyNotShell", "author": "Michael Haag, Splunk", "date": "2022-09-30", "version": 1, "id": "4e3f17e7-9ed7-425d-a05e-b65464945836", "description": "Two new zero day Microsoft Exchange vulnerabilities have been identified actively exploited in the wild - CVE-2022-41040 and CVE-2022-41082.", "references": ["https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/", "https://twitter.com/GossiTheDog/status/1575762721353916417?s=20&t=67gq9xCWuyPm1VEm8ydfyA", "https://twitter.com/cglyer/status/1575793769814728705?s=20&t=67gq9xCWuyPm1VEm8ydfyA", "https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html", "https://research.splunk.com/stories/proxyshell/", "https://www.inversecos.com/2022/07/hunting-for-apt-abuse-of-exchange.html"], "narrative": "Microsoft is investigating two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, 2016, and 2019. The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker. Originally identified by GTSC monitoring Exchange, some adversary post-exploitation activity was identified and is tagged to this story.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "APT5", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}], "mitre_attack_tactics": ["Persistence", "Execution", "Command And Control", "Initial Access"], "datamodels": ["Risk", "Endpoint"], "kill_chain_phases": ["Installation", "Delivery", "Command and Control"]}, "detection_names": ["ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Detect Exchange Web Shell - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Exchange PowerShell Abuse via SSRF - Rule", "ESCU - Exchange PowerShell Module Usage - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows MSExchange Management Mailbox Cmdlet Usage - Rule", "ESCU - ProxyShell ProxyNotShell Behavior Detected - Rule", "ESCU - Windows Exchange Autodiscover SSRF Abuse - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Detect Exchange Web Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}, {"name": "Exchange PowerShell Abuse via SSRF", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Exchange PowerShell Module Usage", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}, {"name": "Windows MSExchange Management Mailbox Cmdlet Usage", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "ProxyShell ProxyNotShell Behavior Detected", "source": "web", "type": "Correlation", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Windows Exchange Autodiscover SSRF Abuse", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}]}, {"name": "ProxyShell", "author": "Michael Haag, Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2021-08-24", "version": 1, "id": "413bb68e-04e2-11ec-a835-acde48001122", "description": "ProxyShell is a chain of exploits targeting on-premise Microsoft Exchange Server - CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.", "references": ["https://y4y.space/2021/08/12/my-steps-of-reproducing-proxyshell/", "https://www.zerodayinitiative.com/blog/2021/8/17/from-pwn2own-2021-a-new-attack-surface-on-microsoft-exchange-proxyshell", "https://www.youtube.com/watch?v=FC6iHw258RI", "https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit#what-should-you-do", "https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-ProxyLogon-Is-Just-The-Tip-Of-The-Iceberg-A-New-Attack-Surface-On-Microsoft-Exchange-Server.pdf", "https://www.inversecos.com/2022/07/hunting-for-apt-abuse-of-exchange.html"], "narrative": "During Pwn2Own April 2021, a security researcher demonstrated an attack chain targeting on-premise Microsoft Exchange Server. August 5th, the same researcher publicly released further details and demonstrated the attack chain. CVE-2021-34473 Pre-auth path confusion leads to ACL Bypass (Patched in April by KB5001779) CVE-2021-34523 - Elevation of privilege on Exchange PowerShell backend (Patched in April by KB5001779) . CVE-2021-31207 - Post-auth Arbitrary-File-Write leads to RCE (Patched in May by KB5003435) Upon successful exploitation, the remote attacker will have SYSTEM privileges on the Exchange Server. In addition to remote access/execution, the adversary may be able to run Exchange PowerShell Cmdlets to perform further actions.", "tags": {"category": ["Adversary Tactics", "Ransomware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "APT5", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}], "mitre_attack_tactics": ["Persistence", "Execution", "Initial Access"], "datamodels": ["Risk", "Endpoint"], "kill_chain_phases": ["Installation", "Delivery"]}, "detection_names": ["ESCU - Detect Exchange Web Shell - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Exchange PowerShell Abuse via SSRF - Rule", "ESCU - Exchange PowerShell Module Usage - Rule", "ESCU - MS Exchange Mailbox Replication service writing Active Server Pages - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows MSExchange Management Mailbox Cmdlet Usage - Rule", "ESCU - ProxyShell ProxyNotShell Behavior Detected - Rule", "ESCU - Windows Exchange Autodiscover SSRF Abuse - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Teoderick Contreras, Mauricio Velazco, Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Exchange Web Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}, {"name": "Exchange PowerShell Abuse via SSRF", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Exchange PowerShell Module Usage", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "MS Exchange Mailbox Replication service writing Active Server Pages", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}, {"name": "Windows MSExchange Management Mailbox Cmdlet Usage", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "ProxyShell ProxyNotShell Behavior Detected", "source": "web", "type": "Correlation", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Windows Exchange Autodiscover SSRF Abuse", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}]}, {"name": "Qakbot", "author": "Teoderick Contreras, Splunk", "date": "2022-11-14", "version": 2, "id": "0c6169b1-f126-4d86-8e4f-f7891007ebc6", "description": "QakBot is a modular banking trojan that has been used primarily by financially-motivated actors since at least 2007. QakBot is continuously maintained and developed and has evolved from an information stealer into a delivery agent for ransomware (ref. MITRE ATT&CK).", "references": ["https://www.cisa.gov/sites/default/files/publications/202010221030_QakBot%20TLPWHITE.pdf", "https://malpedia.caad.fkie.fraunhofer.de/details/win.QakBot", "https://securelist.com/QakBot-technical-analysis/103931/", "https://www.fortinet.com/blog/threat-research/new-variant-of-QakBot-spread-by-phishing-emails", "https://attack.mitre.org/software/S0650/", "https://cybersecurity.att.com/blogs/labs-research/the-rise-of-qakbot"], "narrative": "QakBot notably has made its way on the CISA top malware list for 2021. QakBot for years has been under continious improvement when it comes to initial access, injection and post-exploitation. Multiple adversaries use QakBot to gain initial access and persist, most notably TA551. The actor(s) behind QakBot possess a modular framework consisting of maldoc builders, signed loaders, and DLLs that produce initially low detection rates at the beginning of the attack, which creates opportunities to deliver additional malware such as Egregor and Cobalt Strike. (ref. Cybersecurity ATT) The more recent campaigns utilize HTML smuggling to deliver a ISO container that has a LNK and QakBot payload. QakBot will either load via regsvr32.exe directly, it will attempt to perform DLL sideloading.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Cinnamon Tempest", "Earth Lusca", "FIN13", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1218.007", "mitre_attack_technique": "Msiexec", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Machete", "Molerats", "Rancor", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "APT5", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Akira", "Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1055.001", "mitre_attack_technique": "Dynamic-link Library Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["BackdoorDiplomacy", "Lazarus Group", "Leviathan", "Malteiro", "Putter Panda", "TA505", "Tropic Trooper", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1016.001", "mitre_attack_technique": "Internet Connection Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT29", "FIN13", "FIN8", "Gamaredon Group", "HAFNIUM", "HEXANE", "Magic Hound", "TA2541", "Turla"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1055.002", "mitre_attack_technique": "Portable Executable Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Gorgon Group", "Rocke"]}, {"mitre_attack_id": "T1059.007", "mitre_attack_technique": "JavaScript", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "Cobalt Group", "Earth Lusca", "Ember Bear", "Evilnum", "FIN6", "FIN7", "Higaisa", "Indrik Spider", "Kimsuky", "LazyScripter", "Leafminer", "Molerats", "MoustachedBouncer", "MuddyWater", "Sidewinder", "Silence", "TA505", "Turla"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566.002", "mitre_attack_technique": "Spearphishing Link", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Magic Hound", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1574.001", "mitre_attack_technique": "DLL Search Order Hijacking", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT41", "Aquatic Panda", "BackdoorDiplomacy", "Cinnamon Tempest", "Evilnum", "RTM", "Threat Group-3390", "Tonto Team", "Whitefly", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1204.001", "mitre_attack_technique": "Malicious Link", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Reconnaissance", "Command And Control", "Initial Access", "Discovery", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Impact"], "datamodels": ["Risk", "Endpoint"], "kill_chain_phases": ["Reconnaissance", "Delivery", "Exploitation", "Actions on Objectives", "Installation", "Command and Control"]}, "detection_names": ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Create Remote Thread In Shell Application - Rule", "ESCU - Disable Defender Spynet Reporting - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Network Discovery Using Route Windows App - Rule", "ESCU - NLTest Domain Trust Discovery - Rule", "ESCU - Office Application Spawn Regsvr32 process - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Process Creating LNK file in Suspicious Location - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Services LOLBAS Execution Process Spawn - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Regsvr32 Register Suspicious Path - Rule", "ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - System User Discovery With Whoami - Rule", "ESCU - Wermgr Process Spawned CMD Or Powershell Process - Rule", "ESCU - Windows App Layer Protocol Qakbot NamedPipe - Rule", "ESCU - Windows App Layer Protocol Wermgr Connect To NamedPipe - Rule", "ESCU - Windows Command Shell Fetch Env Variables - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows Defender Exclusion Registry Entry - Rule", "ESCU - Windows DLL Search Order Hijacking Hunt with Sysmon - Rule", "ESCU - Windows DLL Side-Loading In Calc - Rule", "ESCU - Windows DLL Side-Loading Process Child Of Calc - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Masquerading Explorer As Child Process - Rule", "ESCU - Windows Modify Registry Qakbot Binary Data Registry - Rule", "ESCU - Windows MsiExec HideWindow Rundll32 Execution - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule", "ESCU - Windows Process Injection In Non-Service SearchIndexer - Rule", "ESCU - Windows Process Injection Of Wermgr to Known Browser - Rule", "ESCU - Windows Process Injection Remote Thread - Rule", "ESCU - Windows Process Injection Wermgr Child Process - Rule", "ESCU - Windows Regsvr32 Renamed Binary - Rule", "ESCU - Windows Schtasks Create Run As System - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows System Discovery Using ldap Nslookup - Rule", "ESCU - Windows System Discovery Using Qwinsta - Rule", "ESCU - Windows WMI Impersonate Token - Rule", "ESCU - Windows WMI Process Call Create - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}, {"name": "Create Remote Thread In Shell Application", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Disable Defender Spynet Reporting", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}, {"name": "Network Connection Discovery With Arp", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "Network Discovery Using Route Windows App", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Internet Connection Discovery"}]}, {"name": "NLTest Domain Trust Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Trust Discovery"}]}, {"name": "Office Application Spawn Regsvr32 process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Process Creating LNK file in Suspicious Location", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Link"}]}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Gather Victim Host Information"}]}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Gather Victim Host Information"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Schtasks Run Task On Demand", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Services LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Suspicious Copy on System32", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "Masquerading"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Suspicious Regsvr32 Register Suspicious Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}, {"name": "System Processes Run From Unexpected Locations", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}, {"name": "System User Discovery With Whoami", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Owner/User Discovery"}]}, {"name": "Wermgr Process Spawned CMD Or Powershell Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows App Layer Protocol Qakbot NamedPipe", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Application Layer Protocol"}]}, {"name": "Windows App Layer Protocol Wermgr Connect To NamedPipe", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Application Layer Protocol"}]}, {"name": "Windows Command Shell Fetch Env Variables", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "System Network Connections Discovery"}, {"mitre_attack_technique": "System Owner/User Discovery"}, {"mitre_attack_technique": "System Shutdown/Reboot"}, {"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows Defender Exclusion Registry Entry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows DLL Search Order Hijacking Hunt with Sysmon", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "DLL Search Order Hijacking"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "Windows DLL Side-Loading In Calc", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "Windows DLL Side-Loading Process Child Of Calc", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Malicious Link"}, {"mitre_attack_technique": "User Execution"}]}, {"name": "Windows Masquerading Explorer As Child Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "Windows Modify Registry Qakbot Binary Data Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows MsiExec HideWindow Rundll32 Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Msiexec"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}, {"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}, {"name": "Windows Process Injection In Non-Service SearchIndexer", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Windows Process Injection Of Wermgr to Known Browser", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Dynamic-link Library Injection"}, {"mitre_attack_technique": "Process Injection"}]}, {"name": "Windows Process Injection Remote Thread", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Portable Executable Injection"}]}, {"name": "Windows Process Injection Wermgr Child Process", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Windows Regsvr32 Renamed Binary", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Regsvr32"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}, {"name": "Windows Schtasks Create Run As System", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Windows System Discovery Using ldap Nslookup", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Owner/User Discovery"}]}, {"name": "Windows System Discovery Using Qwinsta", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Owner/User Discovery"}]}, {"name": "Windows WMI Impersonate Token", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "Windows WMI Process Call Create", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Scheduled Task"}]}]}, {"name": "Ransomware", "author": "David Dorsey, Splunk", "date": "2020-02-04", "version": 1, "id": "cf309d0d-d4aa-4fbb-963d-1e79febd3756", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to ransomware--spikes in SMB traffic, suspicious wevtutil usage, the presence of common ransomware extensions, and system processes run from unexpected locations, and many others.", "references": ["https://web.archive.org/web/20190826231258/https://www.carbonblack.com/2017/06/28/carbon-black-threat-research-technical-analysis-petya-notpetya-ransomware/", "https://www.splunk.com/blog/2017/06/27/closing-the-detection-to-mitigation-gap-or-to-petya-or-notpetya-whocares-.html"], "narrative": "Ransomware is an ever-present risk to the enterprise, wherein an infected host encrypts business-critical data, holding it hostage until the victim pays the attacker a ransom. There are many types and varieties of ransomware that can affect an enterprise. Attackers can deploy ransomware to enterprises through spearphishing campaigns and driveby downloads, as well as through traditional remote service-based exploitation. In the case of the WannaCry campaign, there was self-propagating wormable functionality that was used to maximize infection. Fortunately, organizations can apply several techniques--such as those in this Analytic Story--to detect and or mitigate the effects of ransomware.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.007", "mitre_attack_technique": "Disable or Modify Cloud Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "APT5", "Akira", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN13", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1020", "mitre_attack_technique": "Automated Exfiltration", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["Gamaredon Group", "Ke3chang", "Sidewinder", "Tropic Trooper"]}, {"mitre_attack_id": "T1219", "mitre_attack_technique": "Remote Access Software", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Akira", "Carbanak", "Cobalt Group", "DarkVishnya", "Evilnum", "FIN7", "GOLD SOUTHFIELD", "Kimsuky", "MuddyWater", "Mustang Panda", "RTM", "Sandworm Team", "Scattered Spider", "TeamTNT", "Thrip"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}, {"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Cinnamon Tempest", "Earth Lusca", "FIN13", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1218.003", "mitre_attack_technique": "CMSTP", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group", "MuddyWater"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.005", "mitre_attack_technique": "Visual Basic", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT33", "APT37", "APT38", "APT39", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Earth Lusca", "FIN13", "FIN4", "FIN7", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "Transparent Tribe", "Turla", "WIRTE", "Windshift"]}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "APT5", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1588.002", "mitre_attack_technique": "Tool", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT19", "APT28", "APT29", "APT32", "APT33", "APT38", "APT39", "APT41", "Aoqin Dragon", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Carbanak", "Chimera", "Cinnamon Tempest", "Cleaver", "Cobalt Group", "CopyKittens", "DarkHydrus", "DarkVishnya", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN5", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "GALLIUM", "Gorgon Group", "HEXANE", "Inception", "IndigoZebra", "Ke3chang", "Kimsuky", "LAPSUS$", "Lazarus Group", "Leafminer", "LuminousMoth", "Magic Hound", "Metador", "Moses Staff", "MuddyWater", "POLONIUM", "Patchwork", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "TA2541", "TA505", "Threat Group-3390", "Thrip", "Turla", "Volt Typhoon", "WIRTE", "Whitefly", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "Cinnamon Tempest", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "MoustachedBouncer", "POLONIUM", "Sandworm Team", "Turla", "Volt Typhoon", "Windigo"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Akira", "Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1027.005", "mitre_attack_technique": "Indicator Removal from Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT3", "Deep Panda", "GALLIUM", "OilRig", "Patchwork", "Turla"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1531", "mitre_attack_technique": "Account Access Removal", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Akira", "LAPSUS$"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "FIN7", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "ToddyCat", "Turla", "Volt Typhoon"]}, {"mitre_attack_id": "T1491", "mitre_attack_technique": "Defacement", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT41", "BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Scattered Spider", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT41", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1546.015", "mitre_attack_technique": "Component Object Model Hijacking", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1090.003", "mitre_attack_technique": "Multi-hop Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT28", "APT29", "FIN4", "Inception", "Leviathan"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1070.001", "mitre_attack_technique": "Clear Windows Event Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "APT38", "APT41", "Chimera", "Dragonfly", "FIN5", "FIN8", "Indrik Spider"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218.007", "mitre_attack_technique": "Msiexec", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Machete", "Molerats", "Rancor", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "Akira", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "Scattered Spider", "TA505"]}], "mitre_attack_tactics": ["Reconnaissance", "Command And Control", "Exfiltration", "Collection", "Initial Access", "Discovery", "Resource Development", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Impact", "Lateral Movement"], "datamodels": ["Network_Traffic", "Network_Resolution", "Endpoint", "Change"], "kill_chain_phases": ["Reconnaissance", "Delivery", "Exploitation", "Actions on Objectives", "Installation", "Weaponization", "Command and Control"]}, "detection_names": ["ESCU - Scheduled tasks used in BadRabbit ransomware - Rule", "ESCU - 7zip CommandLine To SMB Share Path - Rule", "ESCU - Allow File And Printing Sharing In Firewall - Rule", "ESCU - Allow Network Discovery In Firewall - Rule", "ESCU - Allow Operation with Consent Admin - Rule", "ESCU - BCDEdit Failure Recovery Modification - Rule", "ESCU - Clear Unallocated Sector Using Cipher App - Rule", "ESCU - CMLUA Or CMSTPLUA UAC Bypass - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Conti Common Exec parameter - Rule", "ESCU - Delete ShadowCopy With PowerShell - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Detect RClone Command-Line Usage - Rule", "ESCU - Detect Remote Access Software Usage File - Rule", "ESCU - Detect Remote Access Software Usage FileInfo - Rule", "ESCU - Detect Remote Access Software Usage Process - Rule", "ESCU - Detect Renamed RClone - Rule", "ESCU - Detect SharpHound Command-Line Arguments - Rule", "ESCU - Detect SharpHound File Modifications - Rule", "ESCU - Detect SharpHound Usage - Rule", "ESCU - Disable AMSI Through Registry - Rule", "ESCU - Disable ETW Through Registry - Rule", "ESCU - Disable Logs Using WevtUtil - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Excessive Service Stop Attempt - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Excessive Usage Of SC Service Utility - Rule", "ESCU - Execute Javascript With Jscript COM CLSID - Rule", "ESCU - Fsutil Zeroing File - Rule", "ESCU - ICACLS Grant Command - Rule", "ESCU - Known Services Killed by Ransomware - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - MS Exchange Mailbox Replication service writing Active Server Pages - Rule", "ESCU - Msmpeng Application DLL Side Loading - Rule", "ESCU - Permission Modification using Takeown App - Rule", "ESCU - Powershell Disable Security Monitoring - Rule", "ESCU - Powershell Enable SMB1Protocol Feature - Rule", "ESCU - Powershell Execute COM Object - Rule", "ESCU - Prevent Automatic Repair Mode using Bcdedit - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Recursive Delete of Directory In Batch CMD - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Remote Process Instantiation via WMI - Rule", "ESCU - Revil Common Exec Parameter - Rule", "ESCU - Revil Registry Entry - Rule", "ESCU - Rundll32 LockWorkStation - Rule", "ESCU - Schtasks used for forcing a reboot - Rule", "ESCU - Spike in File Writes - Rule", "ESCU - Suspicious Event Log Service Behavior - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Suspicious wevtutil Usage - Rule", "ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - UAC Bypass With Colorui COM Object - Rule", "ESCU - Uninstall App Using MsiExec - Rule", "ESCU - Unusually Long Command Line - Rule", "ESCU - Unusually Long Command Line - MLTK - Rule", "ESCU - USN Journal Deletion - Rule", "ESCU - WBAdmin Delete System Backups - Rule", "ESCU - Wbemprox COM Object Execution - Rule", "ESCU - Windows Disable Change Password Through Registry - Rule", "ESCU - Windows Disable Lock Workstation Feature Through Registry - Rule", "ESCU - Windows Disable LogOff Button Through Registry - Rule", "ESCU - Windows Disable Memory Crash Dump - Rule", "ESCU - Windows Disable Shutdown Button Through Registry - Rule", "ESCU - Windows Disable Windows Group Policy Features Through Registry - Rule", "ESCU - Windows DiskCryptor Usage - Rule", "ESCU - Windows DotNet Binary in Non Standard Path - Rule", "ESCU - Windows Event Log Cleared - Rule", "ESCU - Windows Hide Notification Features Through Registry - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows NirSoft AdvancedRun - Rule", "ESCU - Windows Raccine Scheduled Task Deletion - Rule", "ESCU - Windows Registry Modification for Safe Mode Persistence - Rule", "ESCU - Windows Remote Access Software Hunt - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - Detect Remote Access Software Usage DNS - Rule", "ESCU - Detect Remote Access Software Usage Traffic - Rule", "ESCU - Prohibited Network Traffic Allowed - Rule", "ESCU - SMB Traffic Spike - Rule", "ESCU - SMB Traffic Spike - MLTK - Rule", "ESCU - TOR Traffic - Rule", "ESCU - Detect Remote Access Software Usage URL - Rule"], "investigation_names": ["Get Backup Logs For Endpoint", "Get History Of Email Sources", "Get Notable History", "Get Parent Process Info", "Get Process Info", "Get Process Information For Port Activity", "Get Sysmon WMI Activity for Host"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Scheduled tasks used in BadRabbit ransomware", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}]}, {"name": "7zip CommandLine To SMB Share Path", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}, {"name": "Allow File And Printing Sharing In Firewall", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Cloud Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Allow Network Discovery In Firewall", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Cloud Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Allow Operation with Consent Admin", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "BCDEdit Failure Recovery Modification", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Clear Unallocated Sector Using Cipher App", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "CMLUA Or CMSTPLUA UAC Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "CMSTP"}]}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Conti Common Exec parameter", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Delete ShadowCopy With PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Detect RClone Command-Line Usage", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Automated Exfiltration"}]}, {"name": "Detect Remote Access Software Usage File", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}, {"name": "Detect Remote Access Software Usage FileInfo", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}, {"name": "Detect Remote Access Software Usage Process", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}, {"name": "Detect Renamed RClone", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Automated Exfiltration"}]}, {"name": "Detect SharpHound Command-Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Local Groups"}, {"mitre_attack_technique": "Domain Trust Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Groups"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}, {"name": "Detect SharpHound File Modifications", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Local Groups"}, {"mitre_attack_technique": "Domain Trust Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Groups"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}, {"name": "Detect SharpHound Usage", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Local Groups"}, {"mitre_attack_technique": "Domain Trust Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Groups"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}, {"name": "Disable AMSI Through Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable ETW Through Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Logs Using WevtUtil", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear Windows Event Logs"}]}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Excessive Service Stop Attempt", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Service Stop"}]}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Account Access Removal"}]}, {"name": "Excessive Usage Of SC Service Utility", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Execute Javascript With Jscript COM CLSID", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Visual Basic"}]}, {"name": "Fsutil Zeroing File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}]}, {"name": "ICACLS Grant Command", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}, {"name": "Known Services Killed by Ransomware", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Defacement"}]}, {"name": "MS Exchange Mailbox Replication service writing Active Server Pages", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Msmpeng Application DLL Side Loading", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "Permission Modification using Takeown App", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}, {"name": "Powershell Disable Security Monitoring", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Powershell Enable SMB1Protocol Feature", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "Indicator Removal from Tools"}]}, {"name": "Powershell Execute COM Object", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Component Object Model Hijacking"}, {"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Prevent Automatic Repair Mode using Bcdedit", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Gather Victim Host Information"}]}, {"name": "Recursive Delete of Directory In Batch CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Remote Process Instantiation via WMI", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "Revil Common Exec Parameter", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Revil Registry Entry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Rundll32 LockWorkStation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Schtasks used for forcing a reboot", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Spike in File Writes", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Suspicious Event Log Service Behavior", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear Windows Event Logs"}]}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Suspicious wevtutil Usage", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Clear Windows Event Logs"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "System Processes Run From Unexpected Locations", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}, {"name": "UAC Bypass With Colorui COM Object", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "CMSTP"}]}, {"name": "Uninstall App Using MsiExec", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Msiexec"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}, {"name": "Unusually Long Command Line", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Unusually Long Command Line - MLTK", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "USN Journal Deletion", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}]}, {"name": "WBAdmin Delete System Backups", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Wbemprox COM Object Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "CMSTP"}]}, {"name": "Windows Disable Change Password Through Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Disable Lock Workstation Feature Through Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Disable LogOff Button Through Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Disable Memory Crash Dump", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Windows Disable Shutdown Button Through Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Disable Windows Group Policy Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows DiskCryptor Usage", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}, {"name": "Windows DotNet Binary in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}, {"name": "Windows Event Log Cleared", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear Windows Event Logs"}]}, {"name": "Windows Hide Notification Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}, {"name": "Windows NirSoft AdvancedRun", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Tool"}]}, {"name": "Windows Raccine Scheduled Task Deletion", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}]}, {"name": "Windows Registry Modification for Safe Mode Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Windows Remote Access Software Hunt", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Detect Remote Access Software Usage DNS", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}, {"name": "Detect Remote Access Software Usage Traffic", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}, {"name": "Prohibited Network Traffic Allowed", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}, {"name": "SMB Traffic Spike", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "SMB Traffic Spike - MLTK", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "TOR Traffic", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Multi-hop Proxy"}]}, {"name": "Detect Remote Access Software Usage URL", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}]}, {"name": "Ransomware Cloud", "author": "Rod Soto, David Dorsey, Splunk", "date": "2020-10-27", "version": 1, "id": "f52f6c43-05f8-4b19-a9d3-5b8c56da91c2", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to ransomware. These searches include cloud related objects that may be targeted by malicious actors via cloud providers own encryption features.", "references": ["https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/", "https://github.com/d1vious/git-wild-hunt", "https://www.youtube.com/watch?v=PgzNib37g0M"], "narrative": "Ransomware is an ever-present risk to the enterprise, wherein an infected host encrypts business-critical data, holding it hostage until the victim pays the attacker a ransom. There are many types and varieties of ransomware that can affect an enterprise.Cloud ransomware can be deployed by obtaining high privilege credentials from targeted users or resources.", "tags": {"category": ["Malware"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "Akira", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "Scattered Spider", "TA505"]}], "mitre_attack_tactics": ["Impact"], "datamodels": [], "kill_chain_phases": ["Actions on Objectives"]}, "detection_names": ["ESCU - AWS Detect Users creating keys with encrypt policy without MFA - Rule", "ESCU - AWS Detect Users with KMS keys performing encryption S3 - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "David Dorsey, Splunk", "author_name": "Rod Soto", "detections": [{"name": "AWS Detect Users creating keys with encrypt policy without MFA", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}, {"name": "AWS Detect Users with KMS keys performing encryption S3", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}]}, {"name": "RedLine Stealer", "author": "Teoderick Contreras, Splunk", "date": "2023-04-24", "version": 1, "id": "12e31e8b-671b-4d6e-b362-a682812a71eb", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Redline Stealer trojan, including looking for file writes associated with its payload, screencapture, registry modification, persistence and data collection..", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer", "https://blogs.blackberry.com/en/2021/10/threat-thursday-redline-infostealer-update"], "narrative": "RedLine Stealer is a malware available on underground forum and subscription basis that are compiled or written in C#. This malware is capable of harvesting sensitive information from browsers such as saved credentials, auto file data, browser cookies and credit card information. It also gathers system information of the targeted or compromised host like username, location IP, RAM size available, hardware configuration and software installed. The current version of this malware contains features to steal wallet and crypto currency information.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "Malteiro", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "APT41", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "Volt Typhoon", "ZIRCONIUM"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "APT41", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Malteiro", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}], "mitre_attack_tactics": ["Discovery", "Privilege Escalation", "Credential Access", "Persistence", "Execution", "Defense Evasion"], "datamodels": ["Updates", "Endpoint"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Disabling Defender Services - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Boot or Logon Autostart Execution In Startup Folder - Rule", "ESCU - Windows Credentials from Password Stores Chrome Extension Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows Event For Service Disabled - Rule", "ESCU - Windows Modify Registry Auto Minor Updates - Rule", "ESCU - Windows Modify Registry Auto Update Notif - Rule", "ESCU - Windows Modify Registry Disable WinDefender Notifications - Rule", "ESCU - Windows Modify Registry Do Not Connect To Win Update - Rule", "ESCU - Windows Modify Registry No Auto Reboot With Logon User - Rule", "ESCU - Windows Modify Registry No Auto Update - Rule", "ESCU - Windows Modify Registry Tamper Protection - Rule", "ESCU - Windows Modify Registry UpdateServiceUrlAlternate - Rule", "ESCU - Windows Modify Registry USeWuServer - Rule", "ESCU - Windows Modify Registry WuServer - Rule", "ESCU - Windows Modify Registry wuStatusServer - Rule", "ESCU - Windows Query Registry Browser List Application - Rule", "ESCU - Windows Query Registry UnInstall Program List - Rule", "ESCU - Windows Scheduled Task with Highest Privileges - Rule", "ESCU - Windows Service Stop Win Updates - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disabling Defender Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Schtasks scheduling job on remote system", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Windows Boot or Logon Autostart Execution In Startup Folder", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Windows Credentials from Password Stores Chrome Extension Access", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Credentials from Password Stores Chrome LocalState Access", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Credentials from Password Stores Chrome Login Data Access", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Event For Service Disabled", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Modify Registry Auto Minor Updates", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry Auto Update Notif", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry Disable WinDefender Notifications", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry Do Not Connect To Win Update", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry No Auto Reboot With Logon User", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry No Auto Update", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry Tamper Protection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry UpdateServiceUrlAlternate", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry USeWuServer", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry WuServer", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry wuStatusServer", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Query Registry Browser List Application", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Query Registry UnInstall Program List", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Scheduled Task with Highest Privileges", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}, {"name": "Windows Service Stop Win Updates", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Service Stop"}]}]}, {"name": "Remcos", "author": "Teoderick Contreras, Splunk", "date": "2021-09-23", "version": 1, "id": "2bd4aa08-b9a5-40cf-bfe5-7d43f13d496c", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Remcos RAT trojan, including looking for file writes associated with its payload, screencapture, registry modification, UAC bypassed, persistence and data collection..", "references": ["https://success.trendmicro.com/solution/1123281-remcos-malware-information", "https://attack.mitre.org/software/S0332/", "https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos#:~:text=Remcos%20(acronym%20of%20Remote%20Control,used%20to%20remotely%20control%20computers.&text=Remcos%20can%20be%20used%20for,been%20used%20in%20hacking%20campaigns."], "narrative": "Remcos or Remote Control and Surveillance, marketed as a legitimate software for remotely managing Windows systems is now widely used in multiple malicious campaigns both APT and commodity malware by threat actors.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.005", "mitre_attack_technique": "Visual Basic", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT33", "APT37", "APT38", "APT39", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Earth Lusca", "FIN13", "FIN4", "FIN7", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "Transparent Tribe", "Turla", "WIRTE", "Windshift"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1055.001", "mitre_attack_technique": "Dynamic-link Library Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["BackdoorDiplomacy", "Lazarus Group", "Leviathan", "Malteiro", "Putter Panda", "TA505", "Tropic Trooper", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1036.008", "mitre_attack_technique": "Masquerade File Type", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Volt Typhoon"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059.007", "mitre_attack_technique": "JavaScript", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "Cobalt Group", "Earth Lusca", "Ember Bear", "Evilnum", "FIN6", "FIN7", "Higaisa", "Indrik Spider", "Kimsuky", "LazyScripter", "Leafminer", "Molerats", "MoustachedBouncer", "MuddyWater", "Sidewinder", "Silence", "TA505", "Turla"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "APT41", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Malteiro", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1113", "mitre_attack_technique": "Screen Capture", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT39", "BRONZE BUTLER", "Dark Caracal", "Dragonfly", "FIN7", "GOLD SOUTHFIELD", "Gamaredon Group", "Group5", "Magic Hound", "MoustachedBouncer", "MuddyWater", "OilRig", "Silence"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "Malteiro", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1559.001", "mitre_attack_technique": "Component Object Model", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["Gamaredon Group", "MuddyWater"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1204.001", "mitre_attack_technique": "Malicious Link", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Reconnaissance", "Initial Access", "Collection", "Privilege Escalation", "Credential Access", "Persistence", "Execution", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Installation", "Reconnaissance", "Exploitation"]}, "detection_names": ["ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - Detect Outlook exe writing a zip file - Rule", "ESCU - Disabling Remote User Account Control - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Jscript Execution Using Cscript App - Rule", "ESCU - Loading Of Dynwrapx Module - Rule", "ESCU - Malicious InProcServer32 Modification - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Office Product Spawning Windows Script Host - Rule", "ESCU - Possible Browser Pass View Parameter - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Process Deleting Its Process File Path - Rule", "ESCU - Process Writing DynamicWrapperX - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Remcos client registry install entry - Rule", "ESCU - Remcos RAT File Creation in Remcos Folder - Rule", "ESCU - Suspicious Image Creation In Appdata Folder - Rule", "ESCU - Suspicious Process DNS Query Known Abuse Web Services - Rule", "ESCU - Suspicious Process Executed From Container File - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious WAV file in Appdata Folder - Rule", "ESCU - System Info Gathering Using Dxdiag Application - Rule", "ESCU - Vbscript Execution Using Wscript App - Rule", "ESCU - Windows Defender Exclusion Registry Entry - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule", "ESCU - Winhlp32 Spawning a Process - Rule", "ESCU - Wscript Or Cscript Suspicious Child Process - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Add or Set Windows Defender Exclusion", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Detect Outlook exe writing a zip file", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Disabling Remote User Account Control", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Jscript Execution Using Cscript App", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}, {"name": "Loading Of Dynwrapx Module", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Dynamic-link Library Injection"}]}, {"name": "Malicious InProcServer32 Modification", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Regsvr32"}, {"mitre_attack_technique": "Modify Registry"}]}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawning Windows Script Host", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Possible Browser Pass View Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Credentials from Web Browsers"}, {"mitre_attack_technique": "Credentials from Password Stores"}]}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Process Deleting Its Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Process Writing DynamicWrapperX", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Component Object Model"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Regsvr32 Silent and Install Param Dll Loading", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}, {"name": "Remcos client registry install entry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Remcos RAT File Creation in Remcos Folder", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Screen Capture"}]}, {"name": "Suspicious Image Creation In Appdata Folder", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Screen Capture"}]}, {"name": "Suspicious Process DNS Query Known Abuse Web Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Visual Basic"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Suspicious Process Executed From Container File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Malicious File"}, {"mitre_attack_technique": "Masquerade File Type"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Suspicious WAV file in Appdata Folder", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Screen Capture"}]}, {"name": "System Info Gathering Using Dxdiag Application", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Gather Victim Host Information"}]}, {"name": "Vbscript Execution Using Wscript App", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Visual Basic"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows Defender Exclusion Registry Entry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Malicious Link"}, {"mitre_attack_technique": "User Execution"}]}, {"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}, {"name": "Winhlp32 Spawning a Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Wscript Or Cscript Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Parent PID Spoofing"}, {"mitre_attack_technique": "Access Token Manipulation"}]}]}, {"name": "Reverse Network Proxy", "author": "Michael Haag, Splunk", "date": "2022-11-16", "version": 1, "id": "265e4127-21fd-43e4-adac-ec5d12274111", "description": "The following analytic story describes applications that may be abused to reverse proxy back into an organization, either for persistence or remote access.", "references": ["https://attack.mitre.org/software/S0508/", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf"], "narrative": "This analytic story covers tools like Ngrok which is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. Ngrok in particular has been leveraged by threat actors in several campaigns including use for lateral movement and data exfiltration. There are many open source and closed/paid that fall into this reverse proxy category. The analytic story and complemented analytics will be released as more are identified.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1572", "mitre_attack_technique": "Protocol Tunneling", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Chimera", "Cinnamon Tempest", "Cobalt Group", "FIN13", "FIN6", "Fox Kitten", "Leviathan", "Magic Hound", "OilRig"]}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "Cinnamon Tempest", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "MoustachedBouncer", "POLONIUM", "Sandworm Team", "Turla", "Volt Typhoon", "Windigo"]}, {"mitre_attack_id": "T1102", "mitre_attack_technique": "Web Service", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT32", "EXOTIC LILY", "Ember Bear", "FIN6", "FIN8", "Fox Kitten", "Gamaredon Group", "Inception", "LazyScripter", "Mustang Panda", "Rocke", "TeamTNT", "Turla"]}], "mitre_attack_tactics": ["Command And Control"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Command and Control"]}, "detection_names": ["ESCU - Linux Ngrok Reverse Proxy Usage - Rule", "ESCU - Windows Ngrok Reverse Proxy Usage - Rule", "ESCU - Ngrok Reverse Proxy on Network - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Linux Ngrok Reverse Proxy Usage", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Protocol Tunneling"}, {"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Web Service"}]}, {"name": "Windows Ngrok Reverse Proxy Usage", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Protocol Tunneling"}, {"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Web Service"}]}, {"name": "Ngrok Reverse Proxy on Network", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Protocol Tunneling"}, {"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Web Service"}]}]}, {"name": "Revil Ransomware", "author": "Teoderick Contreras, Splunk", "date": "2021-06-04", "version": 1, "id": "817cae42-f54b-457a-8a36-fbf45521e29e", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Revil ransomware, including looking for file writes associated with Revil, encrypting network shares, deleting shadow volume storage, registry key modification, deleting of security logs, and more.", "references": ["https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/"], "narrative": "Revil ransomware is a RaaS,that a single group may operates and manges the development of this ransomware. It involve the use of ransomware payloads along with exfiltration of data. Malicious actors demand payment for ransome of data and threaten deletion and exposure of exfiltrated data.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.007", "mitre_attack_technique": "Disable or Modify Cloud Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Cinnamon Tempest", "Earth Lusca", "FIN13", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1491", "mitre_attack_technique": "Defacement", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Impact"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Allow Network Discovery In Firewall - Rule", "ESCU - Delete ShadowCopy With PowerShell - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - Msmpeng Application DLL Side Loading - Rule", "ESCU - Powershell Disable Security Monitoring - Rule", "ESCU - Revil Common Exec Parameter - Rule", "ESCU - Revil Registry Entry - Rule", "ESCU - Wbemprox COM Object Execution - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Allow Network Discovery In Firewall", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Cloud Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Delete ShadowCopy With PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Defacement"}]}, {"name": "Msmpeng Application DLL Side Loading", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "Powershell Disable Security Monitoring", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Revil Common Exec Parameter", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Revil Registry Entry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Wbemprox COM Object Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "CMSTP"}]}]}, {"name": "Rhysida Ransomware", "author": "Teoderick Contreras, Splunk", "date": "2023-12-12", "version": 1, "id": "0925ee49-1185-4484-94ac-7867764a9183", "description": "Utilize analytics designed to identify and delve into atypical behaviors, potentially associated with the Rhysida Ransomware. Employing these searches enables the detection of irregular patterns or actions within systems or networks, serving as proactive measures to spot potential indicators of compromise or ongoing threats. By implementing these search strategies, security analysts can effectively pinpoint anomalous activities, such as unusual file modifications, deviations in system behavior, that could potentially signify the presence or attempt of Rhysida Ransomware infiltration. These searches serve as pivotal tools in the arsenal against such threats, aiding in swift detection, investigation, and mitigation efforts to counter the impact of the Rhysida Ransomware or similar malicious entities.", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-319a"], "narrative": "This story addresses Rhysida ransomware. Rhysida Ransomware emerges as a silent predator, infiltrating systems stealthily and unleashing havoc upon its victims. Employing sophisticated encryption tactics, it swiftly locks critical files and databases, holding them hostage behind an impenetrable digital veil. The haunting demand for ransom sends shockwaves through affected organizations, rendering operations inert and plunging them into a tumultuous struggle between compliance and resilience. Threat actors leveraging Rhysida ransomware are known to impact \"targets of opportunity,\" including victims in the education, healthcare, manufacturing, information technology, and government sectors. Open source reporting details similarities between Vice Society activity and the actors observed deploying Rhysida ransomware. Additionally, open source reporting has confirmed observed instances of Rhysida actors operating in a ransomware-as-a-service (RaaS) capacity, where ransomware tools and infrastructure are leased out in a profit-sharing model. Any ransoms paid are then split between the group and the affiliates.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1003.003", "mitre_attack_technique": "NTDS", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "HAFNIUM", "Ke3chang", "LAPSUS$", "Mustang Panda", "Sandworm Team", "Scattered Spider", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}, {"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Akira", "Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1059.007", "mitre_attack_technique": "JavaScript", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "Cobalt Group", "Earth Lusca", "Ember Bear", "Evilnum", "FIN6", "FIN7", "Higaisa", "Indrik Spider", "Kimsuky", "LazyScripter", "Leafminer", "Molerats", "MoustachedBouncer", "MuddyWater", "Sidewinder", "Silence", "TA505", "Turla"]}, {"mitre_attack_id": "T1531", "mitre_attack_technique": "Account Access Removal", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Akira", "LAPSUS$"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "FIN7", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "ToddyCat", "Turla", "Volt Typhoon"]}, {"mitre_attack_id": "T1491", "mitre_attack_technique": "Defacement", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT41", "BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Scattered Spider", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1078.002", "mitre_attack_technique": "Domain Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT5", "Chimera", "Cinnamon Tempest", "Indrik Spider", "Magic Hound", "Naikon", "Sandworm Team", "TA505", "Threat Group-1314", "ToddyCat", "Volt Typhoon", "Wizard Spider"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1070.001", "mitre_attack_technique": "Clear Windows Event Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "APT38", "APT41", "Chimera", "Dragonfly", "FIN5", "FIN8", "Indrik Spider"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Akira", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Scattered Spider", "Silence", "Threat Group-3390", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "Akira", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "Scattered Spider", "TA505"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Initial Access", "Discovery", "Credential Access", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Impact", "Lateral Movement"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Rare Executables - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Disable Logs Using WevtUtil - Rule", "ESCU - Domain Account Discovery With Net App - Rule", "ESCU - Domain Controller Discovery with Nltest - Rule", "ESCU - Domain Group Discovery With Net - Rule", "ESCU - Elevated Group Discovery With Net - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - High Process Termination Frequency - Rule", "ESCU - Malicious Powershell Executed As A Service - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - NLTest Domain Trust Discovery - Rule", "ESCU - Ntdsutil Export NTDS - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - Ransomware Notes bulk creation - Rule", "ESCU - SAM Database File Access Attempt - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - SecretDumps Offline NTDS Dumping Tool - Rule", "ESCU - Spike in File Writes - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious wevtutil Usage - Rule", "ESCU - System User Discovery With Whoami - Rule", "ESCU - Windows Modify Registry NoChangingWallPaper - Rule", "ESCU - Windows PowerView AD Access Control List Enumeration - Rule", "ESCU - Windows PowerView Constrained Delegation Discovery - Rule", "ESCU - Windows PowerView Kerberos Service Ticket Request - Rule", "ESCU - Windows PowerView SPN Discovery - Rule", "ESCU - Windows PowerView Unconstrained Delegation Discovery - Rule", "ESCU - Windows Rundll32 Apply User Settings Changes - Rule", "ESCU - WinRM Spawning a Process - Rule", "ESCU - Detect Zerologon via Zeek - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}, {"name": "Detect Rare Executables", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Disable Logs Using WevtUtil", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear Windows Event Logs"}]}, {"name": "Domain Account Discovery With Net App", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Domain Controller Discovery with Nltest", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "Domain Group Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}, {"name": "Elevated Group Discovery With Net", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Account Access Removal"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "High Process Termination Frequency", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}, {"name": "Malicious Powershell Executed As A Service", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Defacement"}]}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}, {"name": "NLTest Domain Trust Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Trust Discovery"}]}, {"name": "Ntdsutil Export NTDS", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "PowerShell 4104 Hunting", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Ransomware Notes bulk creation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}, {"name": "SAM Database File Access Attempt", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "SecretDumps Offline NTDS Dumping Tool", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Spike in File Writes", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Suspicious wevtutil Usage", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Clear Windows Event Logs"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "System User Discovery With Whoami", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Owner/User Discovery"}]}, {"name": "Windows Modify Registry NoChangingWallPaper", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows PowerView AD Access Control List Enumeration", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Accounts"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}, {"name": "Windows PowerView Constrained Delegation Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "Windows PowerView Kerberos Service Ticket Request", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}]}, {"name": "Windows PowerView SPN Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}]}, {"name": "Windows PowerView Unconstrained Delegation Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "Windows Rundll32 Apply User Settings Changes", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "WinRM Spawning a Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}, {"name": "Detect Zerologon via Zeek", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}]}, {"name": "Router and Infrastructure Security", "author": "Bhavin Patel, Splunk", "date": "2017-09-12", "version": 1, "id": "91c676cf-0b23-438d-abee-f6335e177e77", "description": "Validate the security configuration of network infrastructure and verify that only authorized users and systems are accessing critical assets. Core routing and switching infrastructure are common strategic targets for attackers.", "references": ["https://web.archive.org/web/20210420020040/https://www.fireeye.com/blog/executive-perspective/2015/09/the_new_route_toper.html", "https://www.cisco.com/c/en/us/about/security-center/event-response/synful-knock.html"], "narrative": "Networking devices, such as routers and switches, are often overlooked as resources that attackers will leverage to subvert an enterprise. Advanced threats actors have shown a proclivity to target these critical assets as a means to siphon and redirect network traffic, flash backdoored operating systems, and implement cryptographic weakened algorithms to more easily decrypt network traffic.\nThis Analytic Story helps you gain a better understanding of how your network devices are interacting with your hosts. By compromising your network devices, attackers can obtain direct access to the company's internal infrastructure— effectively increasing the attack surface and accessing private services/data.", "tags": {"category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1542.005", "mitre_attack_technique": "TFTP Boot", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1498", "mitre_attack_technique": "Network Denial of Service", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1200", "mitre_attack_technique": "Hardware Additions", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["DarkVishnya"]}, {"mitre_attack_id": "T1557.002", "mitre_attack_technique": "ARP Cache Poisoning", "mitre_attack_tactics": ["Collection", "Credential Access"], "mitre_attack_groups": ["Cleaver", "LuminousMoth"]}, {"mitre_attack_id": "T1557", "mitre_attack_technique": "Adversary-in-the-Middle", "mitre_attack_tactics": ["Collection", "Credential Access"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1542", "mitre_attack_technique": "Pre-OS Boot", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Collection", "Initial Access", "Credential Access", "Persistence", "Defense Evasion", "Impact"], "datamodels": ["Authentication", "Network_Traffic"], "kill_chain_phases": ["Installation", "Delivery", "Actions on Objectives", "Exploitation"]}, "detection_names": ["ESCU - Detect New Login Attempts to Routers - Rule", "ESCU - Detect ARP Poisoning - Rule", "ESCU - Detect IPv6 Network Infrastructure Threats - Rule", "ESCU - Detect Port Security Violation - Rule", "ESCU - Detect Rogue DHCP Server - Rule", "ESCU - Detect Software Download To Network Device - Rule", "ESCU - Detect Traffic Mirroring - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect New Login Attempts to Routers", "source": "application", "type": "TTP", "tags": []}, {"name": "Detect ARP Poisoning", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Hardware Additions"}, {"mitre_attack_technique": "Network Denial of Service"}, {"mitre_attack_technique": "Adversary-in-the-Middle"}, {"mitre_attack_technique": "ARP Cache Poisoning"}]}, {"name": "Detect IPv6 Network Infrastructure Threats", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Hardware Additions"}, {"mitre_attack_technique": "Network Denial of Service"}, {"mitre_attack_technique": "Adversary-in-the-Middle"}, {"mitre_attack_technique": "ARP Cache Poisoning"}]}, {"name": "Detect Port Security Violation", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Hardware Additions"}, {"mitre_attack_technique": "Network Denial of Service"}, {"mitre_attack_technique": "Adversary-in-the-Middle"}, {"mitre_attack_technique": "ARP Cache Poisoning"}]}, {"name": "Detect Rogue DHCP Server", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Hardware Additions"}, {"mitre_attack_technique": "Network Denial of Service"}, {"mitre_attack_technique": "Adversary-in-the-Middle"}]}, {"name": "Detect Software Download To Network Device", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "TFTP Boot"}, {"mitre_attack_technique": "Pre-OS Boot"}]}, {"name": "Detect Traffic Mirroring", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Hardware Additions"}, {"mitre_attack_technique": "Automated Exfiltration"}, {"mitre_attack_technique": "Network Denial of Service"}, {"mitre_attack_technique": "Traffic Duplication"}]}]}, {"name": "Ryuk Ransomware", "author": "Jose Hernandez, Splunk", "date": "2020-11-06", "version": 1, "id": "507edc74-13d5-4339-878e-b9744ded1f35", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Ryuk ransomware, including looking for file writes associated with Ryuk, Stopping Security Access Manager, DisableAntiSpyware registry key modification, suspicious psexec use, and more.", "references": ["https://www.splunk.com/en_us/blog/security/detecting-ryuk-using-splunk-attack-range.html", "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/", "https://us-cert.cisa.gov/ncas/alerts/aa20-302a"], "narrative": "Cybersecurity Infrastructure Security Agency (CISA) released Alert (AA20-302A) on October 28th called Ransomware Activity Targeting the Healthcare and Public Health Sector. This alert details TTPs associated with ongoing and possible imminent attacks against the Healthcare sector, and is a joint advisory in coordination with other U.S. Government agencies. The objective of these malicious campaigns is to infiltrate targets in named sectors and to drop ransomware payloads, which will likely cause disruption of service and increase risk of actual harm to the health and safety of patients at hospitals, even with the aggravant of an ongoing COVID-19 pandemic. This document specifically refers to several crimeware exploitation frameworks, emphasizing the use of Ryuk ransomware as payload. The Ryuk ransomware payload is not new. It has been well documented and identified in multiple variants. Payloads need a carrier, and for Ryuk it has often been exploitation frameworks such as Cobalt Strike, or popular crimeware frameworks such as Emotet or Trickbot.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Akira", "Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "APT5", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "Akira", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "Scattered Spider", "TA505"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}], "mitre_attack_tactics": ["Discovery", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Impact", "Lateral Movement"], "datamodels": ["Network_Traffic", "Endpoint"], "kill_chain_phases": ["Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Windows connhost exe started forcefully - Rule", "ESCU - BCDEdit Failure Recovery Modification - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - NLTest Domain Trust Discovery - Rule", "ESCU - Ryuk Test Files Detected - Rule", "ESCU - Ryuk Wake on LAN Command - Rule", "ESCU - Spike in File Writes - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - WBAdmin Delete System Backups - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows Security Account Manager Stopped - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - Remote Desktop Network Bruteforce - Rule", "ESCU - Remote Desktop Network Traffic - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Jose Hernandez", "detections": [{"name": "Windows connhost exe started forcefully", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Command Shell"}]}, {"name": "BCDEdit Failure Recovery Modification", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "NLTest Domain Trust Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Trust Discovery"}]}, {"name": "Ryuk Test Files Detected", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}, {"name": "Ryuk Wake on LAN Command", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}]}, {"name": "Spike in File Writes", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "WBAdmin Delete System Backups", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Security Account Manager Stopped", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Service Stop"}]}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Remote Desktop Network Bruteforce", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "Remote Desktop Network Traffic", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}]}, {"name": "sAMAccountName Spoofing and Domain Controller Impersonation", "author": "Mauricio Velazco, Splunk", "date": "2021-12-20", "version": 1, "id": "0244fdee-61be-11ec-900e-acde48001122", "description": "Monitor for activities and techniques associated with the exploitation of the sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287) vulnerabilities.", "references": ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42278", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42287", "https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html"], "narrative": "On November 9, 2021, Microsoft released patches to address two vulnerabilities that affect Windows Active Directory networks, sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287). On December 10, 2021, security researchers Charlie Clark and Andrew Schwartz released a blog post where they shared how to weaponise these vulnerabilities in a target network an the initial detection opportunities. When successfully exploited, CVE-2021-42278 and CVE-2021-42287 allow an adversary, who has stolen the credentials of a low priviled domain user, to obtain a Kerberos Service ticket for a Domain Controller computer account. The only requirement is to have network connectivity to a domain controller. This attack vector effectivelly allows attackers to escalate their privileges in an Active Directory from a regular domain user account and take control of a domain controller. While patches have been released to address these vulnerabilities, deploying detection controls for this attack may help help defenders identify attackers attempting exploitation.", "tags": {"category": ["Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.002", "mitre_attack_technique": "Domain Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT5", "Chimera", "Cinnamon Tempest", "Indrik Spider", "Magic Hound", "Naikon", "Sandworm Team", "TA505", "Threat Group-1314", "ToddyCat", "Volt Typhoon", "Wizard Spider"]}], "mitre_attack_tactics": ["Persistence", "Privilege Escalation", "Initial Access", "Defense Evasion"], "datamodels": [], "kill_chain_phases": ["Installation", "Delivery", "Exploitation"]}, "detection_names": ["ESCU - Suspicious Computer Account Name Change - Rule", "ESCU - Suspicious Kerberos Service Ticket Request - Rule", "ESCU - Suspicious Ticket Granting Ticket Request - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Suspicious Computer Account Name Change", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Domain Accounts"}]}, {"name": "Suspicious Kerberos Service Ticket Request", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Domain Accounts"}]}, {"name": "Suspicious Ticket Granting Ticket Request", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Domain Accounts"}]}]}, {"name": "SamSam Ransomware", "author": "Rico Valdez, Splunk", "date": "2018-12-13", "version": 1, "id": "c4b89506-fbcf-4cb7-bfd6-527e54789604", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the SamSam ransomware, including looking for file writes associated with SamSam, RDP brute force attacks, the presence of files with SamSam ransomware extensions, suspicious psexec use, and more.", "references": ["https://www.crowdstrike.com/blog/an-in-depth-analysis-of-samsam-ransomware-and-boss-spider/", "https://nakedsecurity.sophos.com/2018/07/31/samsam-the-almost-6-million-ransomware/", "https://thehackernews.com/2018/07/samsam-ransomware-attacks.html"], "narrative": "The first version of the SamSam ransomware (a.k.a. Samas or SamsamCrypt) was launched in 2015 by a group of Iranian threat actors. The malicious software has affected and continues to affect thousands of victims and has raised almost $6M in ransom.\nAlthough categorized under the heading of ransomware, SamSam campaigns have some importance distinguishing characteristics. Most notable is the fact that conventional ransomware is a numbers game. Perpetrators use a \"spray-and-pray\" approach with phishing campaigns or other mechanisms, charging a small ransom (typically under $1,000). The goal is to find a large number of victims willing to pay these mini-ransoms, adding up to a lucrative payday. They use relatively simple methods for infecting systems.\nSamSam attacks are different beasts. They have become progressively more targeted and skillful than typical ransomware attacks. First, malicious actors break into a victim's network, surveil it, then run the malware manually. The attacks are tailored to cause maximum damage and the threat actors usually demand amounts in the tens of thousands of dollars.\nIn a typical attack on one large healthcare organization in 2018, the company ended up paying a ransom of four Bitcoins, then worth $56,707. Reports showed that access to the company's files was restored within two hours of paying the sum.\nAccording to Sophos, SamSam previously leveraged RDP to gain access to targeted networks via brute force. SamSam is not spread automatically, like other malware. It requires skill because it forces the attacker to adapt their tactics to the individual environment. Next, the actors escalate their privileges to admin level. They scan the networks for worthy targets, using conventional tools, such as PsExec or PaExec, to deploy/execute, quickly encrypting files.\nThis Analytic Story includes searches designed to help detect and investigate signs of the SamSam ransomware, such as the creation of fileswrites to system32, writes with tell-tale extensions, batch files written to system32, and evidence of brute-force attacks via RDP.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "APT5", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1036.005", "mitre_attack_technique": "Match Legitimate Name or Location", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT32", "APT39", "APT41", "APT5", "Aoqin Dragon", "BRONZE BUTLER", "BackdoorDiplomacy", "Blue Mockingbird", "Carbanak", "Chimera", "Darkhotel", "Earth Lusca", "FIN13", "FIN7", "Ferocious Kitten", "Fox Kitten", "Gamaredon Group", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Naikon", "PROMETHIUM", "Patchwork", "Poseidon Group", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "Sowbug", "TA2541", "TeamTNT", "ToddyCat", "Transparent Tribe", "Tropic Trooper", "Volt Typhoon", "WIRTE", "Whitefly", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1595", "mitre_attack_technique": "Active Scanning", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "Akira", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "Scattered Spider", "TA505"]}, {"mitre_attack_id": "T1082", "mitre_attack_technique": "System Information Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT19", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "Blue Mockingbird", "Chimera", "Confucius", "Darkhotel", "FIN13", "FIN8", "Gamaredon Group", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Malteiro", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Sowbug", "Stealth Falcon", "TA2541", "TeamTNT", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Windigo", "Windshift", "Wizard Spider", "ZIRCONIUM", "admin@338"]}], "mitre_attack_tactics": ["Reconnaissance", "Initial Access", "Discovery", "Credential Access", "Persistence", "Execution", "Defense Evasion", "Impact", "Lateral Movement"], "datamodels": ["Network_Traffic", "Web", "Endpoint"], "kill_chain_phases": ["Reconnaissance", "Delivery", "Exploitation", "Actions on Objectives", "Installation"]}, "detection_names": ["ESCU - Prohibited Software On Endpoint - Rule", "ESCU - Attacker Tools On Endpoint - Rule", "ESCU - Batch File Write to System32 - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - File with Samsam Extension - Rule", "ESCU - Samsam Test File Write - Rule", "ESCU - Spike in File Writes - Rule", "ESCU - Remote Desktop Network Bruteforce - Rule", "ESCU - Remote Desktop Network Traffic - Rule", "ESCU - Detect attackers scanning for vulnerable JBoss servers - Rule", "ESCU - Detect malicious requests to exploit JBoss servers - Rule"], "investigation_names": ["Get Backup Logs For Endpoint", "Get History Of Email Sources", "Get Notable History", "Get Parent Process Info", "Get Process Info", "Get Process Information For Port Activity", "Investigate Successful Remote Desktop Authentications"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Prohibited Software On Endpoint", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Attacker Tools On Endpoint", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Match Legitimate Name or Location"}, {"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "Active Scanning"}]}, {"name": "Batch File Write to System32", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "User Execution"}, {"mitre_attack_technique": "Malicious File"}]}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "File with Samsam Extension", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Samsam Test File Write", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}, {"name": "Spike in File Writes", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Remote Desktop Network Bruteforce", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "Remote Desktop Network Traffic", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "Detect attackers scanning for vulnerable JBoss servers", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "System Information Discovery"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Detect malicious requests to exploit JBoss servers", "source": "web", "type": "TTP", "tags": []}]}, {"name": "Sandworm Tools", "author": "Teoderick Contreras, Splunk", "date": "2022-04-05", "version": 1, "id": "54146850-9d26-4877-a611-2db33231e63e", "description": "This analytic story features detections that enable security analysts to identify and investigate unusual activities potentially related to the destructive malware and tools employed by the \"Sandworm\" group. This analytic story focuses on monitoring suspicious process executions, command-line activities, Master Boot Record (MBR) wiping, data destruction, and other related indicators.", "references": ["https://cert.gov.ua/article/3718487", "https://attack.mitre.org/groups/G0034/"], "narrative": "The Sandworm group's tools are part of destructive malware operations designed to disrupt or attack Ukraine's National Information Agencies. This operation campaign consists of several malware components, including scripts, native Windows executables (LOLBINs), data wiper malware that overwrites or destroys the Master Boot Record (MBR), and file wiping using sdelete.exe on targeted hosts.", "tags": {"category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "APT5", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1590.002", "mitre_attack_technique": "DNS", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT41", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}, {"mitre_attack_id": "T1550.003", "mitre_attack_technique": "Pass the Ticket", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["APT29", "APT32", "BRONZE BUTLER"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT", "ToddyCat"]}, {"mitre_attack_id": "T1036.004", "mitre_attack_technique": "Masquerade Task or Service", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT41", "BITTER", "BackdoorDiplomacy", "Carbanak", "FIN13", "FIN6", "FIN7", "Fox Kitten", "Higaisa", "Kimsuky", "Lazarus Group", "Magic Hound", "Naikon", "PROMETHIUM", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Reconnaissance", "Discovery", "Credential Access", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Impact", "Lateral Movement"], "datamodels": ["Risk", "Endpoint"], "kill_chain_phases": ["Reconnaissance", "Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Icacls Deny Command - Rule", "ESCU - Linux Iptables Firewall Modification - Rule", "ESCU - Linux Kworker Process In Writable Process Path - Rule", "ESCU - Local Account Discovery with Net - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Mimikatz PassTheTicket CommandLine Parameters - Rule", "ESCU - Permission Modification using Takeown App - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows DNS Gather Network Info - Rule", "ESCU - Windows High File Deletion Frequency - Rule", "ESCU - Windows Mimikatz Binary Execution - Rule", "ESCU - Windows Mimikatz Crypto Export File Extensions - Rule", "ESCU - Windows System Shutdown CommandLine - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Icacls Deny Command", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}, {"name": "Linux Iptables Firewall Modification", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Linux Kworker Process In Writable Process Path", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Masquerade Task or Service"}, {"mitre_attack_technique": "Masquerading"}]}, {"name": "Local Account Discovery with Net", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}]}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}, {"name": "Mimikatz PassTheTicket CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Use Alternate Authentication Material"}, {"mitre_attack_technique": "Pass the Ticket"}]}, {"name": "Permission Modification using Takeown App", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Suspicious Copy on System32", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "Masquerading"}]}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "System Network Connections Discovery"}, {"mitre_attack_technique": "System Owner/User Discovery"}, {"mitre_attack_technique": "System Shutdown/Reboot"}, {"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows DNS Gather Network Info", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "DNS"}]}, {"name": "Windows High File Deletion Frequency", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Windows Mimikatz Binary Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Windows Mimikatz Crypto Export File Extensions", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}, {"name": "Windows System Shutdown CommandLine", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Shutdown/Reboot"}]}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Scheduled Task"}]}]}, {"name": "Scheduled Tasks", "author": "Michael Haag, Splunk", "date": "2023-06-12", "version": 1, "id": "94cff925-d05c-40cf-b925-d6c5702a2399", "description": "The MITRE ATT&CK technique T1053 refers to Scheduled Task/Job. Adversaries might use task scheduling utilities to execute programs or scripts at a predefined date and time. This method is often used for persistence but can also be used for privilege escalation or to execute tasks under certain conditions. Scheduling tasks can be beneficial for an attacker as it can allow them to execute actions at times when the system is less likely to be monitored actively. Different operating systems have different utilities for task scheduling, for example, Unix-like systems have Cron, while Windows has Scheduled Tasks and At Jobs.", "references": ["https://attack.mitre.org/techniques/T1053/"], "narrative": "MITRE ATT&CK technique T1053, labeled \"Scheduled Task/Job\", is a categorization of methods that adversaries use to execute malicious code by scheduling tasks or jobs on a system. This technique is widely utilized for persistence, privilege escalation, and the remote execution of tasks. The technique is applicable across various environments and platforms, including Windows, Linux, and macOS.\nThe technique consists of multiple sub-techniques, each highlighting a distinct mechanism for scheduling tasks or jobs. These sub-techniques include T1053.001 (Scheduled Task), T1053.002 (At for Windows), T1053.003 (Cron), T1053.004 (Launchd), T1053.005 (At for Linux), and T1053.006 (Systemd Timers).\nScheduled Task (T1053.001) focuses on adversaries' methods for scheduling tasks on a Windows system to maintain persistence or escalate privileges. These tasks can be set to execute at specified times, in response to particular events, or after a defined time interval.\nThe At command for Windows (T1053.002) enables administrators to schedule tasks on a Windows system. Adversaries may exploit this command to execute programs at system startup or at a predetermined schedule for persistence.\nCron (T1053.003) is a built-in job scheduler found in Unix-like operating systems. Adversaries can use cron jobs to execute programs at system startup or on a scheduled basis for persistence.\nLaunchd (T1053.004) is a service management framework present in macOS. Adversaries may utilize launchd to maintain persistence on macOS systems by setting up daemons or agents to execute at specific times or in response to defined events.\nThe At command for Linux (T1053.005) enables administrators to schedule tasks on a Linux system. Adversaries can use this command to execute programs at system startup or on a scheduled basis for persistence.\nSystemd Timers (T1053.006) offer a means of scheduling tasks on Linux systems using systemd. Adversaries can use systemd timers to execute programs at system startup or on a scheduled basis for persistence.\nDetection and mitigation strategies vary for each sub-technique. For instance, monitoring the creation of scheduled tasks or looking for uncorrelated changes to tasks that do not align with known software or patch cycles can be effective for detecting malicious activity related to this technique. Mitigation strategies may involve restricting permissions and applying application control solutions to prevent adversaries from scheduling tasks.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.003", "mitre_attack_technique": "Cron", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT38", "APT5", "Rocke"]}, {"mitre_attack_id": "T1053.002", "mitre_attack_technique": "At", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "BRONZE BUTLER", "Threat Group-3390"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053.006", "mitre_attack_technique": "Systemd Timers", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1021.006", "mitre_attack_technique": "Windows Remote Management", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Chimera", "FIN13", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1218.014", "mitre_attack_technique": "MMC", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}], "mitre_attack_tactics": ["Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Lateral Movement"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - Linux Add Files In Known Crontab Directories - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux At Allow Config File Creation - Rule", "ESCU - Linux At Application Execution - Rule", "ESCU - Linux Edit Cron Table Parameter - Rule", "ESCU - Linux Possible Append Command To At Allow Config File - Rule", "ESCU - Linux Possible Append Cronjob Entry on Existing Cronjob File - Rule", "ESCU - Linux Possible Cronjob Modification With Editor - Rule", "ESCU - Linux Service File Created In Systemd Directory - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Service Started Or Enabled - Rule", "ESCU - Possible Lateral Movement PowerShell Spawn - Rule", "ESCU - Randomly Generated Scheduled Task Name - Rule", "ESCU - Schedule Task with HTTP Command Arguments - Rule", "ESCU - Schedule Task with Rundll32 Command Trigger - Rule", "ESCU - Scheduled Task Creation on Remote Endpoint using At - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Scheduled Task Initiation on Remote Endpoint - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Schtasks used for forcing a reboot - Rule", "ESCU - Short Lived Scheduled Task - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Svchost LOLBAS Execution Process Spawn - Rule", "ESCU - Windows Enable Win32 ScheduledJob via Registry - Rule", "ESCU - Windows Hidden Schedule Task Settings - Rule", "ESCU - Windows PowerShell ScheduleTask - Rule", "ESCU - Windows Registry Delete Task SD - Rule", "ESCU - Windows Scheduled Task Created Via XML - Rule", "ESCU - Windows Scheduled Task with Highest Privileges - Rule", "ESCU - Windows Schtasks Create Run As System - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Linux Add Files In Known Crontab Directories", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Adding Crontab Using List Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux At Allow Config File Creation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux At Application Execution", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "At"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Edit Cron Table Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Possible Append Command To At Allow Config File", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "At"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Possible Append Cronjob Entry on Existing Cronjob File", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Possible Cronjob Modification With Editor", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Service File Created In Systemd Directory", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Service Restarted", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Service Started Or Enabled", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Possible Lateral Movement PowerShell Spawn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Remote Management"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "MMC"}]}, {"name": "Randomly Generated Scheduled Task Name", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}, {"name": "Schedule Task with HTTP Command Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Schedule Task with Rundll32 Command Trigger", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Scheduled Task Creation on Remote Endpoint using At", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "At"}]}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Scheduled Task Initiation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}, {"name": "Schtasks Run Task On Demand", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Schtasks scheduling job on remote system", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Schtasks used for forcing a reboot", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Short Lived Scheduled Task", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}]}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Svchost LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}, {"name": "Windows Enable Win32 ScheduledJob via Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Scheduled Task"}]}, {"name": "Windows Hidden Schedule Task Settings", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Windows PowerShell ScheduleTask", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows Registry Delete Task SD", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Scheduled Task Created Via XML", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Windows Scheduled Task with Highest Privileges", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}, {"name": "Windows Schtasks Create Run As System", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Scheduled Task"}]}]}, {"name": "Signed Binary Proxy Execution InstallUtil", "author": "Michael Haag, Splunk", "date": "2021-11-12", "version": 1, "id": "9482a314-43dc-11ec-a3c9-acde48001122", "description": "Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility.", "references": ["https://attack.mitre.org/techniques/T1218/004/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"], "narrative": "InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. InstallUtil is digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\\Windows\\Microsoft.NET\\Framework\\v\\InstallUtil.exe and C:\\Windows\\Microsoft.NET\\Framework64\\v\\InstallUtil.exe.\nThere are multiple ways to instantiate InstallUtil and they are all outlined within Atomic Red Team - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md. Two specific ways may be used and that includes invoking via installer assembly class constructor through .NET and via InstallUtil.exe.\nTypically, adversaries will utilize the most commonly found way to invoke via InstallUtil Uninstall method.\nNote that parallel processes, and parent process, play a role in how InstallUtil is being used. In particular, a developer using InstallUtil will spawn from VisualStudio. Adversaries, will spawn from non-standard processes like Explorer.exe, cmd.exe or PowerShell.exe. It's important to review the command-line to identify the DLL being loaded.\nParallel processes may also include csc.exe being used to compile a local `.cs` file. This file will be the input to the output. Developers usually do not build direct on the command shell, therefore this should raise suspicion.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Network_Traffic", "Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Windows DotNet Binary in Non Standard Path - Rule", "ESCU - Windows InstallUtil Credential Theft - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows InstallUtil Remote Network Connection - Rule", "ESCU - Windows InstallUtil Uninstall Option - Rule", "ESCU - Windows InstallUtil Uninstall Option with Network - Rule", "ESCU - Windows InstallUtil URL in Command Line - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows DotNet Binary in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}, {"name": "Windows InstallUtil Credential Theft", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "InstallUtil"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}, {"name": "Windows InstallUtil Remote Network Connection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "InstallUtil"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}, {"name": "Windows InstallUtil Uninstall Option", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "InstallUtil"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}, {"name": "Windows InstallUtil Uninstall Option with Network", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "InstallUtil"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}, {"name": "Windows InstallUtil URL in Command Line", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "InstallUtil"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}]}, {"name": "Silver Sparrow", "author": "Michael Haag, Splunk", "date": "2021-02-24", "version": 1, "id": "cb4f48fe-7699-11eb-af77-acde48001122", "description": "Silver Sparrow, identified by Red Canary Intelligence, is a new forward looking MacOS (Intel and M1) malicious software downloader utilizing JavaScript for execution and a launchAgent to establish persistence.", "references": ["https://redcanary.com/blog/clipping-silver-sparrows-wings/", "https://www.sentinelone.com/blog/5-things-you-need-to-know-about-silver-sparrow/"], "narrative": "Silver Sparrow works is a dropper and uses typical persistence mechanisms on a Mac. It is cross platform, covering both Intel and Apple M1 architecture. To this date, no implant has been downloaded for malicious purposes. During installation of the update.pkg or updater.pkg file, the malicious software utilizes JavaScript to generate files and scripts on disk for persistence.These files later download a implant from an S3 bucket every hour. This analytic assists with identifying different types of macOS malware families establishing LaunchAgent persistence. Per SentinelOne source, it is predicted that Silver Sparrow is likely selling itself as a mechanism to 3rd party affiliates or pay-per-install (PPI) partners, typically seen as commodity adware/malware. Additional indicators and behaviors may be found within the references.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543.001", "mitre_attack_technique": "Launch Agent", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Persistence", "Command And Control", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation", "Command and Control"]}, "detection_names": ["ESCU - Suspicious Curl Network Connection - Rule", "ESCU - Suspicious PlistBuddy Usage - Rule", "ESCU - Suspicious PlistBuddy Usage via OSquery - Rule", "ESCU - Suspicious SQLite3 LSQuarantine Behavior - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Suspicious Curl Network Connection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Suspicious PlistBuddy Usage", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Launch Agent"}, {"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Suspicious PlistBuddy Usage via OSquery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Launch Agent"}, {"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Suspicious SQLite3 LSQuarantine Behavior", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Staged"}]}]}, {"name": "Snake Keylogger", "author": "Teoderick Contreras, Splunk", "date": "2024-02-12", "version": 1, "id": "0374f962-c66a-4a67-9a30-24b0708ef802", "description": "SnakeKeylogger is a stealthy malware designed to secretly record keystrokes on infected devices. It operates covertly in the background, capturing sensitive information such as passwords and credit card details. This keylogging threat poses a significant risk to user privacy and security.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger", "https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-malware/snake-keylogger-malware/"], "narrative": "SnakeKeylogger, a notorious malware, first emerged in the early 2010s, gaining infamy for its clandestine ability to capture keystrokes on compromised systems. As a stealthy threat, it infiltrates computers silently, recording every keystroke entered by users, including sensitive information like passwords and financial details. Over time, it has evolved to evade detection mechanisms, posing a persistent threat to cybersecurity. Its widespread use in various cybercrime activities underscores its significance as a tool for espionage and data theft. Despite efforts to combat it, SnakeKeylogger continues to lurk in the shadows, perpetuating its malicious activities with devastating consequences.", "tags": {"category": ["Adversary Tactics", "Account Compromise", "Lateral Movement", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1059.005", "mitre_attack_technique": "Visual Basic", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT33", "APT37", "APT38", "APT39", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Earth Lusca", "FIN13", "FIN4", "FIN7", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "Transparent Tribe", "Turla", "WIRTE", "Windshift"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1036.008", "mitre_attack_technique": "Masquerade File Type", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Volt Typhoon"]}, {"mitre_attack_id": "T1590", "mitre_attack_technique": "Gather Victim Network Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["HAFNIUM"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "APT5", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1590.005", "mitre_attack_technique": "IP Addresses", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["Andariel", "HAFNIUM", "Magic Hound"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "APT41", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "Volt Typhoon", "ZIRCONIUM"]}, {"mitre_attack_id": "T1071.003", "mitre_attack_technique": "Mail Protocols", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT28", "APT32", "Kimsuky", "SilverTerrier", "Turla"]}, {"mitre_attack_id": "T1497.003", "mitre_attack_technique": "Time Based Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1218.009", "mitre_attack_technique": "Regsvcs/Regasm", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "APT41", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Malteiro", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Magic Hound", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "Malteiro", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1497", "mitre_attack_technique": "Virtualization/Sandbox Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": ["Darkhotel"]}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "Akira", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "Scattered Spider", "TA505"]}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT", "ToddyCat"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}], "mitre_attack_tactics": ["Reconnaissance", "Command And Control", "Initial Access", "Discovery", "Credential Access", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Impact"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Reconnaissance", "Exploitation", "Actions on Objectives", "Delivery", "Installation", "Command and Control"]}, "detection_names": ["ESCU - Detect Regasm Spawning a Process - Rule", "ESCU - Download Files Using Telegram - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - High Process Termination Frequency - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Processes launching netsh - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Suspicious Driver Loaded Path - Rule", "ESCU - Suspicious Process DNS Query Known Abuse Web Services - Rule", "ESCU - Suspicious Process Executed From Container File - Rule", "ESCU - Windows Credential Access From Browser Password Store - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule", "ESCU - Windows File Transfer Protocol In Non-Common Process Path - Rule", "ESCU - Windows Gather Victim Network Info Through Ip Check Web Services - Rule", "ESCU - Windows Non Discord App Access Discord LevelDB - Rule", "ESCU - Windows Phishing PDF File Executes URL Link - Rule", "ESCU - Windows System Network Connections Discovery Netsh - Rule", "ESCU - Windows Time Based Evasion via Choice Exec - Rule", "ESCU - Windows Unsecured Outlook Credentials Access In Registry - Rule", "ESCU - Windows User Execution Malicious URL Shortcut File - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Detect Regasm Spawning a Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}, {"name": "Download Files Using Telegram", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "High Process Termination Frequency", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "Processes launching netsh", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Suspicious Driver Loaded Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Suspicious Process DNS Query Known Abuse Web Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Visual Basic"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Suspicious Process Executed From Container File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Malicious File"}, {"mitre_attack_technique": "Masquerade File Type"}]}, {"name": "Windows Credential Access From Browser Password Store", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Credentials from Password Stores Chrome LocalState Access", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Credentials from Password Stores Chrome Login Data Access", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows File Transfer Protocol In Non-Common Process Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Mail Protocols"}, {"mitre_attack_technique": "Application Layer Protocol"}]}, {"name": "Windows Gather Victim Network Info Through Ip Check Web Services", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "IP Addresses"}, {"mitre_attack_technique": "Gather Victim Network Information"}]}, {"name": "Windows Non Discord App Access Discord LevelDB", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Phishing PDF File Executes URL Link", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}, {"name": "Windows System Network Connections Discovery Netsh", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "Windows Time Based Evasion via Choice Exec", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Time Based Evasion"}, {"mitre_attack_technique": "Virtualization/Sandbox Evasion"}]}, {"name": "Windows Unsecured Outlook Credentials Access In Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Unsecured Credentials"}]}, {"name": "Windows User Execution Malicious URL Shortcut File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Malicious File"}, {"mitre_attack_technique": "User Execution"}]}]}, {"name": "Snake Malware", "author": "Michael Haag, Splunk", "date": "2023-05-10", "version": 1, "id": "032bacbb-f90d-43aa-bbcc-d87f169a29c8", "description": "The Snake implant is considered the most sophisticated cyber espionage tool designed and used by Center 16 of Russia's Federal Security Service (FSB) for long-term intelligence collection on sensitive targets.", "references": ["https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF"], "narrative": "The Snake implant is considered the most sophisticated cyber espionage tool designed and used by Center 16 of Russia's Federal Security Service (FSB) for long-term intelligence collection on sensitive targets. To conduct operations using this tool, the FSB created a covert peer-to-peer (P2P) network of numerous Snake-infected computers worldwide. Many systems in this P2P network serve as relay nodes which route disguised operational traffic to and from Snake implants on the FSB's ultimate targets. Snake's custom communications protocols employ encryption and fragmentation for confidentiality and are designed to hamper detection and collection efforts. We consider Snake to be the most sophisticated cyber espionage tool in the FSB's arsenal. The sophistication of Snake stems from three principal areas. First, Snake employs means to achieve a rare level of stealth in its host components and network communications. Second, Snake's internal technical architecture allows for easy incorporation of new or replacement components. This design also facilitates the development and interoperability of Snake instances running on different host operating systems. We have observed interoperable Snake implants for Windows, MacOS, and Linux operating systems. Lastly, Snake demonstrates careful software engineering design and implementation, with the implant containing surprisingly few bugs given its complexity. (CISA, 2023)", "tags": {"category": ["Adversary Tactics", "Account Compromise", "Lateral Movement", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1547.006", "mitre_attack_technique": "Kernel Modules and Extensions", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Persistence", "Execution", "Privilege Escalation", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows Service Created Within Public Path - Rule", "ESCU - Windows Snake Malware File Modification Crmlog - Rule", "ESCU - Windows Snake Malware Kernel Driver Comadmin - Rule", "ESCU - Windows Snake Malware Registry Modification wav OpenWithProgIds - Rule", "ESCU - Windows Snake Malware Service Create - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Windows Service Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Windows Snake Malware File Modification Crmlog", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}, {"name": "Windows Snake Malware Kernel Driver Comadmin", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Kernel Modules and Extensions"}]}, {"name": "Windows Snake Malware Registry Modification wav OpenWithProgIds", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Snake Malware Service Create", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Service Execution"}]}]}, {"name": "Sneaky Active Directory Persistence Tricks", "author": "Dean Luxton, Mauricio Velazco, Splunk", "date": "2024-03-14", "version": 2, "id": "f676c4c1-c769-4ecb-9611-5fd85b497c56", "description": "Monitor for activities and techniques associated with Windows Active Directory persistence techniques.", "references": ["https://adsecurity.org/?p=1929", "https://www.youtube.com/watch?v=Lz6haohGAMc&feature=youtu.be", "https://adsecurity.org/wp-content/uploads/2015/09/DEFCON23-2015-Metcalf-RedvsBlue-ADAttackAndDefense-Final.pdf", "https://attack.mitre.org/tactics/TA0003/", "https://www.dcshadow.com/", "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", "https://www.linkedin.com/pulse/mimikatz-dcsync-event-log-detections-john-dwyer"], "narrative": "Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Active Directory is a centralized and hierarchical database that stores information about users, computers, and other resources on a network. It provides secure and efficient management of these resources and enables administrators to enforce security policies and delegate administrative tasks.\nIn 2015 Active Directory security researcher Sean Metcalf published a blog post titled `Sneaky Active Directory Persistence Tricks`. In this blog post, Sean described several methods through which an attacker could persist administrative access on an Active Directory network after having Domain Admin level rights for a short period of time. At the time of writing, 8 years after the initial blog post, most of these techniques are still possible since they abuse legitimate administrative functionality and not software vulnerabilities. Security engineers defending Active Directory networks should be aware of these technique available to adversaries post exploitation and deploy both preventive and detective security controls for them.\nThis analytic story groups detection opportunities for most of the techniques described on Seans blog post as well as other high impact attacks against Active Directory networks and Domain Controllers like DCSync and DCShadow. For some of these detection opportunities, it is necessary to enable the necessary GPOs and SACLs required, otherwise the event codes will not trigger. Each detection includes a list of requirements for enabling logging.", "tags": {"category": ["Adversary Tactics", "Account Compromise", "Lateral Movement", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1134.005", "mitre_attack_technique": "SID-History Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1207", "mitre_attack_technique": "Rogue Domain Controller", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1484", "mitre_attack_technique": "Domain or Tenant Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1003.006", "mitre_attack_technique": "DCSync", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Earth Lusca", "LAPSUS$"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1484.001", "mitre_attack_technique": "Group Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Cinnamon Tempest", "Indrik Spider"]}, {"mitre_attack_id": "T1078.002", "mitre_attack_technique": "Domain Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT5", "Chimera", "Cinnamon Tempest", "Indrik Spider", "Magic Hound", "Naikon", "Sandworm Team", "TA505", "Threat Group-1314", "ToddyCat", "Volt Typhoon", "Wizard Spider"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1547.005", "mitre_attack_technique": "Security Support Provider", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Initial Access", "Credential Access", "Privilege Escalation", "Persistence", "Defense Evasion"], "datamodels": ["Network_Traffic", "Authentication", "Endpoint", "Change"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation"]}, "detection_names": ["ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Windows AD AdminSDHolder ACL Modified - Rule", "ESCU - Windows AD Cross Domain SID History Addition - Rule", "ESCU - Windows AD Domain Controller Audit Policy Disabled - Rule", "ESCU - Windows AD Domain Controller Promotion - Rule", "ESCU - Windows AD Domain Replication ACL Addition - Rule", "ESCU - Windows AD DSRM Account Changes - Rule", "ESCU - Windows AD DSRM Password Reset - Rule", "ESCU - Windows AD Privileged Account SID History Addition - Rule", "ESCU - Windows AD Replication Request Initiated by User Account - Rule", "ESCU - Windows AD Replication Request Initiated from Unsanctioned Location - Rule", "ESCU - Windows AD Same Domain SID History Addition - Rule", "ESCU - Windows AD ServicePrincipalName Added To Domain Account - Rule", "ESCU - Windows AD Short Lived Domain Account ServicePrincipalName - Rule", "ESCU - Windows AD Short Lived Domain Controller SPN Attribute - Rule", "ESCU - Windows AD Short Lived Server Object - Rule", "ESCU - Windows AD SID History Attribute Modified - Rule", "ESCU - Windows Admon Default Group Policy Object Modified - Rule", "ESCU - Windows Admon Group Policy Object Created - Rule", "ESCU - Windows Default Group Policy Object Modified - Rule", "ESCU - Windows Default Group Policy Object Modified with GPME - Rule", "ESCU - Windows Group Policy Object Created - Rule", "ESCU - Windows Security Support Provider Reg Query - Rule", "ESCU - Windows AD Replication Service Traffic - Rule", "ESCU - Windows AD Rogue Domain Controller Network Activity - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Mauricio Velazco, Splunk", "author_name": "Dean Luxton", "detections": [{"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Windows AD AdminSDHolder ACL Modified", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Windows AD Cross Domain SID History Addition", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "SID-History Injection"}, {"mitre_attack_technique": "Access Token Manipulation"}]}, {"name": "Windows AD Domain Controller Audit Policy Disabled", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}]}, {"name": "Windows AD Domain Controller Promotion", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Rogue Domain Controller"}]}, {"name": "Windows AD Domain Replication ACL Addition", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain or Tenant Policy Modification"}]}, {"name": "Windows AD DSRM Account Changes", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}]}, {"name": "Windows AD DSRM Password Reset", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}]}, {"name": "Windows AD Privileged Account SID History Addition", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "SID-History Injection"}, {"mitre_attack_technique": "Access Token Manipulation"}]}, {"name": "Windows AD Replication Request Initiated by User Account", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "DCSync"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Windows AD Replication Request Initiated from Unsanctioned Location", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "DCSync"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Windows AD Same Domain SID History Addition", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "SID-History Injection"}, {"mitre_attack_technique": "Access Token Manipulation"}]}, {"name": "Windows AD ServicePrincipalName Added To Domain Account", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}]}, {"name": "Windows AD Short Lived Domain Account ServicePrincipalName", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}]}, {"name": "Windows AD Short Lived Domain Controller SPN Attribute", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Rogue Domain Controller"}]}, {"name": "Windows AD Short Lived Server Object", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Rogue Domain Controller"}]}, {"name": "Windows AD SID History Attribute Modified", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Access Token Manipulation"}, {"mitre_attack_technique": "SID-History Injection"}]}, {"name": "Windows Admon Default Group Policy Object Modified", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain or Tenant Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}]}, {"name": "Windows Admon Group Policy Object Created", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain or Tenant Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}]}, {"name": "Windows Default Group Policy Object Modified", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain or Tenant Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}]}, {"name": "Windows Default Group Policy Object Modified with GPME", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain or Tenant Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}]}, {"name": "Windows Group Policy Object Created", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain or Tenant Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}, {"mitre_attack_technique": "Domain Accounts"}]}, {"name": "Windows Security Support Provider Reg Query", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Security Support Provider"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Windows AD Replication Service Traffic", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "DCSync"}, {"mitre_attack_technique": "Rogue Domain Controller"}]}, {"name": "Windows AD Rogue Domain Controller Network Activity", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Rogue Domain Controller"}]}]}, {"name": "Spearphishing Attachments", "author": "Splunk Research Team, Splunk", "date": "2019-04-29", "version": 1, "id": "57226b40-94f3-4ce5-b101-a75f67759c27", "description": "Detect signs of malicious payloads that may indicate that your environment has been breached via a phishing attack.", "references": ["https://www.fireeye.com/blog/threat-research/2019/04/spear-phishing-campaign-targets-ukraine-government.html"], "narrative": "Despite its simplicity, phishing remains the most pervasive and dangerous cyberthreat. In fact, research shows that as many as [91% of all successful attacks](https://digitalguardian.com/blog/91-percent-cyber-attacks-start-phishing-email-heres-how-protect-against-phishing) are initiated via a phishing email.\nAs most people know, these emails use fraudulent domains, [email scraping](https://www.cyberscoop.com/emotet-trojan-phishing-scraping-templates-cofense-geodo/), familiar contact names inserted as senders, and other tactics to lure targets into clicking a malicious link, opening an attachment with a [nefarious payload](https://www.cyberscoop.com/emotet-trojan-phishing-scraping-templates-cofense-geodo/), or entering sensitive personal information that perpetrators may intercept. This attack technique requires a relatively low level of skill and allows adversaries to easily cast a wide net. Worse, because its success relies on the gullibility of humans, it's impossible to completely \"automate\" it out of your environment. However, you can use ES and ESCU to detect and investigate potentially malicious payloads injected into your environment subsequent to a phishing attack.\nWhile any kind of file may contain a malicious payload, some are more likely to be perceived as benign (and thus more often escape notice) by the average victim—especially when the attacker sends an email that seems to be from one of their contacts. An example is Microsoft Office files. Most corporate users are familiar with documents with the following suffixes: .doc/.docx (MS Word), .xls/.xlsx (MS Excel), and .ppt/.pptx (MS PowerPoint), so they may click without a second thought, slashing a hole in their organizations' security.\nFollowing is a typical series of events, according to an [article by Trend Micro](https://blog.trendmicro.com/trendlabs-security-intelligence/rising-trend-attackers-using-lnk-files-download-malware/):\n1. Attacker sends a phishing email. Recipient downloads the attached file, which is typically a .docx or .zip file with an embedded .lnk file\n1. The .lnk file executes a PowerShell script\n1. Powershell executes a reverse shell, rendering the exploit successful As a side note, adversaries are likely to use a tool like Empire to craft and obfuscate payloads and their post-injection activities, such as [exfiltration, lateral movement, and persistence](https://github.com/EmpireProject/Empire).\nThis Analytic Story focuses on detecting signs that a malicious payload has been injected into your environment. For example, one search detects outlook.exe writing a .zip file. Another looks for suspicious .lnk files launching processes.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1036.002", "mitre_attack_technique": "Right-to-Left Override", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["BRONZE BUTLER", "BlackTech", "Ferocious Kitten", "Ke3chang", "Scarlet Mimic"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1564.006", "mitre_attack_technique": "Run Virtual Instance", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1566.002", "mitre_attack_technique": "Spearphishing Link", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1564.003", "mitre_attack_technique": "Hidden Window", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "CopyKittens", "DarkHydrus", "Deep Panda", "Gamaredon Group", "Gorgon Group", "Higaisa", "Kimsuky", "Magic Hound", "Nomadic Octopus", "ToddyCat"]}, {"mitre_attack_id": "T1204.001", "mitre_attack_technique": "Malicious Link", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Execution", "Credential Access", "Initial Access", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Delivery", "Exploitation"]}, "detection_names": ["ESCU - Gdrive suspicious file sharing - Rule", "ESCU - Gsuite suspicious calendar invite - Rule", "ESCU - Detect Outlook exe writing a zip file - Rule", "ESCU - Detect RTLO In File Name - Rule", "ESCU - Detect RTLO In Process - Rule", "ESCU - Excel Spawning PowerShell - Rule", "ESCU - Excel Spawning Windows Script Host - Rule", "ESCU - MSHTML Module Load in Office Product - Rule", "ESCU - Office Application Spawn rundll32 process - Rule", "ESCU - Office Document Creating Schedule Task - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Document Spawned Child Process To Download - Rule", "ESCU - Office Product Spawning BITSAdmin - Rule", "ESCU - Office Product Spawning CertUtil - Rule", "ESCU - Office Product Spawning MSHTA - Rule", "ESCU - Office Product Spawning Rundll32 with no DLL - Rule", "ESCU - Office Product Spawning Windows Script Host - Rule", "ESCU - Office Product Spawning Wmic - Rule", "ESCU - Office Product Writing cab or inf - Rule", "ESCU - Office Spawning Control - Rule", "ESCU - Process Creating LNK file in Suspicious Location - Rule", "ESCU - Windows ConHost with Headless Argument - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Office Product Spawning MSDT - Rule", "ESCU - Windows Phishing PDF File Executes URL Link - Rule", "ESCU - Windows Spearphishing Attachment Connect To None MS Office Domain - Rule", "ESCU - Windows Spearphishing Attachment Onenote Spawn Mshta - Rule", "ESCU - Winword Spawning Cmd - Rule", "ESCU - Winword Spawning PowerShell - Rule", "ESCU - Winword Spawning Windows Script Host - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Splunk Research Team", "detections": [{"name": "Gdrive suspicious file sharing", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Phishing"}]}, {"name": "Gsuite suspicious calendar invite", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Phishing"}]}, {"name": "Detect Outlook exe writing a zip file", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Detect RTLO In File Name", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Right-to-Left Override"}, {"mitre_attack_technique": "Masquerading"}]}, {"name": "Detect RTLO In Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Right-to-Left Override"}, {"mitre_attack_technique": "Masquerading"}]}, {"name": "Excel Spawning PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Excel Spawning Windows Script Host", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "MSHTML Module Load in Office Product", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Application Spawn rundll32 process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Document Creating Schedule Task", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Document Spawned Child Process To Download", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawning BITSAdmin", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawning CertUtil", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawning MSHTA", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawning Rundll32 with no DLL", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawning Windows Script Host", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawning Wmic", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Writing cab or inf", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Spawning Control", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Process Creating LNK file in Suspicious Location", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Link"}]}, {"name": "Windows ConHost with Headless Argument", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Hidden Window"}, {"mitre_attack_technique": "Run Virtual Instance"}]}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Malicious Link"}, {"mitre_attack_technique": "User Execution"}]}, {"name": "Windows Office Product Spawning MSDT", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Windows Phishing PDF File Executes URL Link", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}, {"name": "Windows Spearphishing Attachment Connect To None MS Office Domain", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}, {"name": "Windows Spearphishing Attachment Onenote Spawn Mshta", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}, {"name": "Winword Spawning Cmd", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Winword Spawning PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Winword Spawning Windows Script Host", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}]}, {"name": "Splunk Vulnerabilities", "author": "Lou Stella,Rod Soto, Eric McGinnis, Splunk", "date": "2024-01-22", "version": 1, "id": "5354df00-dce2-48ac-9a64-8adb48006828", "description": "Keeping your Splunk Enterprise deployment up to date is critical and will help you reduce the risk associated with vulnerabilities in the product.", "references": ["https://www.splunk.com/en_us/product-security/announcements.html"], "narrative": "This analytic story includes detections that focus on attacker behavior targeted at your Splunk environment directly.", "tags": {"category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Application Security", "mitre_attack_enrichments": [{"mitre_attack_id": "T1499", "mitre_attack_technique": "Endpoint Denial of Service", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Sandworm Team"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1212", "mitre_attack_technique": "Exploitation for Credential Access", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1210", "mitre_attack_technique": "Exploitation of Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "Dragonfly", "Earth Lusca", "FIN7", "Fox Kitten", "MuddyWater", "Threat Group-3390", "Tonto Team", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1499.004", "mitre_attack_technique": "Application or System Exploitation", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "Mustard Tempest", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}, {"mitre_attack_id": "T1567", "mitre_attack_technique": "Exfiltration Over Web Service", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT28", "Magic Hound"]}, {"mitre_attack_id": "T1587.003", "mitre_attack_technique": "Digital Certificates", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29", "PROMETHIUM"]}, {"mitre_attack_id": "T1498", "mitre_attack_technique": "Network Denial of Service", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1202", "mitre_attack_technique": "Indirect Command Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1082", "mitre_attack_technique": "System Information Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT19", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "Blue Mockingbird", "Chimera", "Confucius", "Darkhotel", "FIN13", "FIN8", "Gamaredon Group", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Malteiro", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Sowbug", "Stealth Falcon", "TA2541", "TeamTNT", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Windigo", "Windshift", "Wizard Spider", "ZIRCONIUM", "admin@338"]}, {"mitre_attack_id": "T1083", "mitre_attack_technique": "File and Directory Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT28", "APT3", "APT32", "APT38", "APT39", "APT41", "APT5", "Aoqin Dragon", "BRONZE BUTLER", "Chimera", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN13", "Fox Kitten", "Gamaredon Group", "HAFNIUM", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leafminer", "LuminousMoth", "Magic Hound", "MuddyWater", "Mustang Panda", "Patchwork", "Sandworm Team", "Scattered Spider", "Sidewinder", "Sowbug", "TeamTNT", "ToddyCat", "Tropic Trooper", "Turla", "Windigo", "Winnti Group", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1654", "mitre_attack_technique": "Log Enumeration", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT5", "Volt Typhoon"]}, {"mitre_attack_id": "T1027.006", "mitre_attack_technique": "HTML Smuggling", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1588.004", "mitre_attack_technique": "Digital Certificates", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["BlackTech", "Lazarus Group", "LuminousMoth", "Silent Librarian"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1001.003", "mitre_attack_technique": "Protocol Impersonation", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Higaisa", "Lazarus Group"]}], "mitre_attack_tactics": ["Command And Control", "Initial Access", "Exfiltration", "Resource Development", "Discovery", "Credential Access", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Impact", "Lateral Movement"], "datamodels": ["Splunk_Audit", "Web"], "kill_chain_phases": ["Delivery", "Exploitation", "Actions on Objectives", "Installation", "Weaponization", "Command and Control"]}, "detection_names": ["ESCU - Detect Risky SPL using Pretrained ML Model - Rule", "ESCU - Path traversal SPL injection - Rule", "ESCU - Persistent XSS in RapidDiag through User Interface Views - Rule", "ESCU - Splunk Absolute Path Traversal Using runshellscript - Rule", "ESCU - Splunk Account Discovery Drilldown Dashboard Disclosure - Rule", "ESCU - Splunk App for Lookup File Editing RCE via User XSLT - Rule", "ESCU - Splunk Authentication Token Exposure in Debug Log - Rule", "ESCU - Splunk Code Injection via custom dashboard leading to RCE - Rule", "ESCU - Splunk Command and Scripting Interpreter Delete Usage - Rule", "ESCU - Splunk Command and Scripting Interpreter Risky Commands - Rule", "ESCU - Splunk Command and Scripting Interpreter Risky SPL MLTK - Rule", "ESCU - Splunk csrf in the ssg kvstore client endpoint - Rule", "ESCU - Splunk Data exfiltration from Analytics Workspace using sid query - Rule", "ESCU - Splunk Digital Certificates Infrastructure Version - Rule", "ESCU - Splunk Digital Certificates Lack of Encryption - Rule", "ESCU - Splunk DoS Using Malformed SAML Request - Rule", "ESCU - Splunk DOS Via Dump SPL Command - Rule", "ESCU - Splunk DoS via Malformed S2S Request - Rule", "ESCU - Splunk DOS via printf search function - Rule", "ESCU - Splunk Edit User Privilege Escalation - Rule", "ESCU - Splunk Endpoint Denial of Service DoS Zip Bomb - Rule", "ESCU - Splunk Enterprise KV Store Incorrect Authorization - Rule", "ESCU - Splunk Enterprise Windows Deserialization File Partition - Rule", "ESCU - Splunk ES DoS Investigations Manager via Investigation Creation - Rule", "ESCU - Splunk ES DoS Through Investigation Attachments - Rule", "ESCU - Splunk HTTP Response Splitting Via Rest SPL Command - Rule", "ESCU - Splunk Improperly Formatted Parameter Crashes splunkd - Rule", "ESCU - Splunk Information Disclosure in Splunk Add-on Builder - Rule", "ESCU - Splunk list all nonstandard admin accounts - Rule", "ESCU - Splunk Low Privilege User Can View Hashed Splunk Password - Rule", "ESCU - Splunk Path Traversal In Splunk App For Lookup File Edit - Rule", "ESCU - Splunk Persistent XSS Via URL Validation Bypass W Dashboard - Rule", "ESCU - Splunk Process Injection Forwarder Bundle Downloads - Rule", "ESCU - Splunk Protocol Impersonation Weak Encryption Configuration - Rule", "ESCU - Splunk protocol impersonation weak encryption selfsigned - Rule", "ESCU - Splunk protocol impersonation weak encryption simplerequest - Rule", "ESCU - Splunk RBAC Bypass On Indexing Preview REST Endpoint - Rule", "ESCU - Splunk RCE via Serialized Session Payload - Rule", "ESCU - Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature - Rule", "ESCU - Splunk RCE via User XSLT - Rule", "ESCU - Splunk Reflected XSS in the templates lists radio - Rule", "ESCU - Splunk Reflected XSS on App Search Table Endpoint - Rule", "ESCU - Splunk risky Command Abuse disclosed february 2023 - Rule", "ESCU - Splunk Stored XSS via Data Model objectName field - Rule", "ESCU - Splunk Unauthenticated Log Injection Web Service Log - Rule", "ESCU - Splunk unnecessary file extensions allowed by lookup table uploads - Rule", "ESCU - Splunk User Enumeration Attempt - Rule", "ESCU - Splunk XSS in Highlighted JSON Events - Rule", "ESCU - Splunk XSS in Monitoring Console - Rule", "ESCU - Splunk XSS in Save table dialog header in search page - Rule", "ESCU - Splunk XSS via View - Rule", "ESCU - Open Redirect in Splunk Web - Rule", "ESCU - Splunk Enterprise Information Disclosure - Rule", "ESCU - Splunk Identified SSL TLS Certificates - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Rod Soto, Eric McGinnis, Splunk", "author_name": "Lou Stella", "detections": [{"name": "Detect Risky SPL using Pretrained ML Model", "source": "application", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Path traversal SPL injection", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "File and Directory Discovery"}]}, {"name": "Persistent XSS in RapidDiag through User Interface Views", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Drive-by Compromise"}]}, {"name": "Splunk Absolute Path Traversal Using runshellscript", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "File and Directory Discovery"}]}, {"name": "Splunk Account Discovery Drilldown Dashboard Disclosure", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Discovery"}]}, {"name": "Splunk App for Lookup File Editing RCE via User XSLT", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Exploitation of Remote Services"}]}, {"name": "Splunk Authentication Token Exposure in Debug Log", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Log Enumeration"}]}, {"name": "Splunk Code Injection via custom dashboard leading to RCE", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Exploitation of Remote Services"}]}, {"name": "Splunk Command and Scripting Interpreter Delete Usage", "source": "application", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Splunk Command and Scripting Interpreter Risky Commands", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Splunk Command and Scripting Interpreter Risky SPL MLTK", "source": "application", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Splunk csrf in the ssg kvstore client endpoint", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Drive-by Compromise"}]}, {"name": "Splunk Data exfiltration from Analytics Workspace using sid query", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Exfiltration Over Web Service"}]}, {"name": "Splunk Digital Certificates Infrastructure Version", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Digital Certificates"}]}, {"name": "Splunk Digital Certificates Lack of Encryption", "source": "application", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Digital Certificates"}]}, {"name": "Splunk DoS Using Malformed SAML Request", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Network Denial of Service"}]}, {"name": "Splunk DOS Via Dump SPL Command", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Application or System Exploitation"}]}, {"name": "Splunk DoS via Malformed S2S Request", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Network Denial of Service"}]}, {"name": "Splunk DOS via printf search function", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Application or System Exploitation"}]}, {"name": "Splunk Edit User Privilege Escalation", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Splunk Endpoint Denial of Service DoS Zip Bomb", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Endpoint Denial of Service"}]}, {"name": "Splunk Enterprise KV Store Incorrect Authorization", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Splunk Enterprise Windows Deserialization File Partition", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}, {"name": "Splunk ES DoS Investigations Manager via Investigation Creation", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Endpoint Denial of Service"}]}, {"name": "Splunk ES DoS Through Investigation Attachments", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Endpoint Denial of Service"}]}, {"name": "Splunk HTTP Response Splitting Via Rest SPL Command", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "HTML Smuggling"}]}, {"name": "Splunk Improperly Formatted Parameter Crashes splunkd", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Endpoint Denial of Service"}]}, {"name": "Splunk Information Disclosure in Splunk Add-on Builder", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Information Discovery"}]}, {"name": "Splunk list all nonstandard admin accounts", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Drive-by Compromise"}]}, {"name": "Splunk Low Privilege User Can View Hashed Splunk Password", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Exploitation for Credential Access"}]}, {"name": "Splunk Path Traversal In Splunk App For Lookup File Edit", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "File and Directory Discovery"}]}, {"name": "Splunk Persistent XSS Via URL Validation Bypass W Dashboard", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Drive-by Compromise"}]}, {"name": "Splunk Process Injection Forwarder Bundle Downloads", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Splunk Protocol Impersonation Weak Encryption Configuration", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Protocol Impersonation"}]}, {"name": "Splunk protocol impersonation weak encryption selfsigned", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Digital Certificates"}]}, {"name": "Splunk protocol impersonation weak encryption simplerequest", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Digital Certificates"}]}, {"name": "Splunk RBAC Bypass On Indexing Preview REST Endpoint", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Access Token Manipulation"}]}, {"name": "Splunk RCE via Serialized Session Payload", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}, {"name": "Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Exploitation of Remote Services"}]}, {"name": "Splunk RCE via User XSLT", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Exploitation of Remote Services"}]}, {"name": "Splunk Reflected XSS in the templates lists radio", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Drive-by Compromise"}]}, {"name": "Splunk Reflected XSS on App Search Table Endpoint", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Drive-by Compromise"}]}, {"name": "Splunk risky Command Abuse disclosed february 2023", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}, {"mitre_attack_technique": "Indirect Command Execution"}]}, {"name": "Splunk Stored XSS via Data Model objectName field", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Drive-by Compromise"}]}, {"name": "Splunk Unauthenticated Log Injection Web Service Log", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}, {"name": "Splunk unnecessary file extensions allowed by lookup table uploads", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Drive-by Compromise"}]}, {"name": "Splunk User Enumeration Attempt", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "Splunk XSS in Highlighted JSON Events", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Drive-by Compromise"}]}, {"name": "Splunk XSS in Monitoring Console", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Drive-by Compromise"}]}, {"name": "Splunk XSS in Save table dialog header in search page", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Drive-by Compromise"}]}, {"name": "Splunk XSS via View", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Drive-by Compromise"}]}, {"name": "Open Redirect in Splunk Web", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Splunk Enterprise Information Disclosure", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Splunk Identified SSL TLS Certificates", "source": "network", "type": "Hunting", "tags": [{"mitre_attack_technique": "Network Sniffing"}]}]}, {"name": "Spring4Shell CVE-2022-22965", "author": "Michael Haag, Splunk", "date": "2022-04-05", "version": 1, "id": "dcc19913-6918-4ed2-bbba-a6b484c10ef4", "description": "Spring4Shell is the nickname given to a zero-day vulnerability in the Spring Core Framework, a programming and configuration model for Java-based enterprise applications.", "references": ["https://www.tenable.com/blog/spring4shell-faq-spring-framework-remote-code-execution-vulnerability"], "narrative": "An attacker could exploit Spring4Shell by sending a specially crafted request to a vulnerable server. However, exploitation of Spring4Shell requires certain prerequisites, whereas the original Log4Shell vulnerability affected all versions of Log4j 2 using the default configuration.\nAccording to Spring, the following requirements were included in the vulnerability report, however the post cautions that there may be other ways in which this can be exploited so this may not be a complete list of requirements at this time:\n- Java Development Kit (JDK) 9 or greater\n- Apache Tomcat as the Servlet container\n- Packaged as a WAR\n- spring-webmvc or spring-webflux dependency\n", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Application Security", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "APT5", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Persistence", "Initial Access"], "datamodels": ["Web", "Endpoint"], "kill_chain_phases": ["Installation", "Delivery"]}, "detection_names": ["ESCU - Java Writing JSP File - Rule", "ESCU - Linux Java Spawning Shell - Rule", "ESCU - Spring4Shell Payload URL Request - Rule", "ESCU - Web JSP Request via URL - Rule", "ESCU - Web Spring4Shell HTTP Request Class Module - Rule", "ESCU - Web Spring Cloud Function FunctionRouter - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Java Writing JSP File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Linux Java Spawning Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Spring4Shell Payload URL Request", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Web JSP Request via URL", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Web Spring4Shell HTTP Request Class Module", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Web Spring Cloud Function FunctionRouter", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}]}, {"name": "SQL Injection", "author": "Bhavin Patel, Splunk", "date": "2017-09-19", "version": 1, "id": "4f6632f5-449c-4686-80df-57625f59bab3", "description": "Use the searches in this Analytic Story to help you detect structured query language (SQL) injection attempts characterized by long URLs that contain malicious parameters.", "references": ["https://capec.mitre.org/data/definitions/66.html", "https://www.incapsula.com/web-application-security/sql-injection.html"], "narrative": "It is very common for attackers to inject SQL parameters into vulnerable web applications, which then interpret the malicious SQL statements.\nThis Analytic Story contains a search designed to identify attempts by attackers to leverage this technique to compromise a host and gain a foothold in the target environment.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - SQL Injection with Long URLs - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "SQL Injection with Long URLs", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}]}, {"name": "Subvert Trust Controls SIP and Trust Provider Hijacking", "author": "Michael Haag, Splunk", "date": "2023-10-10", "version": 1, "id": "7faf91b6-532a-4f18-807c-b2761e90b6dc", "description": "Adversaries may tamper with SIP and trust provider components to mislead the operating system and application control tools when conducting signature validation checks. This technique involves modifying the Dll and FuncName Registry values that point to the dynamic link library (DLL) providing a SIP's function, which retrieves an encoded digital certificate from a signed file. By pointing to a maliciously-crafted DLL with an exported function that always returns a known good signature value, an adversary can apply an acceptable signature value to all files using that SIP. This can also enable persistent code execution, since these malicious components may be invoked by any application that performs code signing or signature validation.", "references": ["https://attack.mitre.org/techniques/T1553/003/", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_sip_persistence.yml", "https://specterops.io/wp-content/uploads/sites/3/2022/06/SpecterOps_Subverting_Trust_in_Windows.pdf", "https://github.com/gtworek/PSBits/tree/master/SIP", "https://github.com/mattifestation/PoCSubjectInterfacePackage", "https://pentestlab.blog/2017/11/06/hijacking-digital-signatures/"], "narrative": "In user mode, Windows Authenticode digital signatures are used to verify a file's origin and integrity, variables that may be used to establish trust in signed code. The signature validation process is handled via the WinVerifyTrust application programming interface (API) function, which accepts an inquiry and coordinates with the appropriate trust provider, which is responsible for validating parameters of a signature. Because of the varying executable file types and corresponding signature formats, Microsoft created software components called Subject Interface Packages (SIPs) to provide a layer of abstraction between API functions and files. SIPs are responsible for enabling API functions to create, retrieve, calculate, and verify signatures. Unique SIPs exist for most file formats and are identified by globally unique identifiers (GUIDs). Adversaries may hijack SIP and trust provider components to mislead operating system and application control tools to classify malicious (or any) code as signed.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1553.003", "mitre_attack_technique": "SIP and Trust Provider Hijacking", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Windows Registry SIP Provider Modification - Rule", "ESCU - Windows SIP Provider Inventory - Rule", "ESCU - Windows SIP WinVerifyTrust Failed Trust Validation - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Registry SIP Provider Modification", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "SIP and Trust Provider Hijacking"}]}, {"name": "Windows SIP Provider Inventory", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "SIP and Trust Provider Hijacking"}]}, {"name": "Windows SIP WinVerifyTrust Failed Trust Validation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "SIP and Trust Provider Hijacking"}]}]}, {"name": "Suspicious AWS Login Activities", "author": "Bhavin Patel, Splunk", "date": "2019-05-01", "version": 1, "id": "2e8948a5-5239-406b-b56b-6c59f1268af3", "description": "Monitor your AWS authentication events using your CloudTrail logs. Searches within this Analytic Story will help you stay aware of and investigate suspicious logins. ", "references": ["https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html"], "narrative": "It is important to monitor and control who has access to your AWS infrastructure. Detecting suspicious logins to your AWS infrastructure will provide good starting points for investigations. Abusive behaviors caused by compromised credentials can lead to direct monetary costs, as you will be billed for any EC2 instances created by the attacker.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Resource Development", "Defense Evasion"], "datamodels": ["Authentication"], "kill_chain_phases": ["Weaponization", "Exploitation"]}, "detection_names": ["ESCU - AWS Successful Console Authentication From Multiple IPs - Rule", "ESCU - Detect AWS Console Login by User from New City - Rule", "ESCU - Detect AWS Console Login by User from New Country - Rule", "ESCU - Detect AWS Console Login by User from New Region - Rule", "ESCU - Detect new user AWS Console Login - Rule"], "investigation_names": ["AWS Investigate User Activities By ARN"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "AWS Successful Console Authentication From Multiple IPs", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}, {"name": "Detect AWS Console Login by User from New City", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}, {"name": "Detect AWS Console Login by User from New Country", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}, {"name": "Detect AWS Console Login by User from New Region", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}, {"name": "Detect new user AWS Console Login", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cloud Accounts"}]}]}, {"name": "Suspicious AWS S3 Activities", "author": "Bhavin Patel, Splunk", "date": "2023-04-24", "version": 3, "id": "66732346-8fb0-407b-9633-da16756567d6", "description": "Use the searches in this Analytic Story using Cloudtrail logs to to monitor your AWS S3 buckets for evidence of anomalous activity and suspicious behaviors, such as detecting open S3 buckets and buckets being accessed from a new IP, permission and policy updates to the bucket, potential misuse of other services leading to data being leaked.", "references": ["https://github.com/nagwww/s3-leaks", "https://www.tripwire.com/state-of-security/security-data-protection/cloud/public-aws-s3-buckets-writable/"], "narrative": "One of the most common ways that attackers attempt to steal data from S3 is by gaining unauthorized access to S3 buckets and copying or exfiltrating data to external locations.\nHowever, suspicious S3 activities can refer to any unusual behavior detected within an Amazon Web Services (AWS) Simple Storage Service (S3) bucket, including unauthorized access, unusual data transfer patterns, and access attempts from unknown IP addresses.\nIt is important for organizations to regularly monitor S3 activities for suspicious behavior and implement security best practices, such as using access controls, encryption, and strong authentication mechanisms, to protect sensitive data stored within S3 buckets. By staying vigilant and taking proactive measures, organizations can help prevent potential security breaches and minimize the impact of attacks if they do occur.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1530", "mitre_attack_technique": "Data from Cloud Storage", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Fox Kitten", "Scattered Spider"]}, {"mitre_attack_id": "T1119", "mitre_attack_technique": "Automated Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "Chimera", "Confucius", "FIN5", "FIN6", "Gamaredon Group", "Ke3chang", "Mustang Panda", "OilRig", "Patchwork", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1537", "mitre_attack_technique": "Transfer Data to Cloud Account", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Impact", "Exfiltration", "Collection"], "datamodels": [], "kill_chain_phases": ["Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - AWS Disable Bucket Versioning - Rule", "ESCU - AWS Exfiltration via Bucket Replication - Rule", "ESCU - AWS Exfiltration via DataSync Task - Rule", "ESCU - Detect New Open S3 buckets - Rule", "ESCU - Detect New Open S3 Buckets over AWS CLI - Rule", "ESCU - Detect S3 access from a new IP - Rule", "ESCU - Detect Spike in S3 Bucket deletion - Rule"], "investigation_names": ["AWS Investigate User Activities By ARN", "AWS S3 Bucket details via bucketName", "Get All AWS Activity From IP Address", "Get Notable History", "Investigate AWS activities via region name"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "AWS Disable Bucket Versioning", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "AWS Exfiltration via Bucket Replication", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}, {"name": "AWS Exfiltration via DataSync Task", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Automated Collection"}]}, {"name": "Detect New Open S3 buckets", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Data from Cloud Storage"}]}, {"name": "Detect New Open S3 Buckets over AWS CLI", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Data from Cloud Storage"}]}, {"name": "Detect S3 access from a new IP", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data from Cloud Storage"}]}, {"name": "Detect Spike in S3 Bucket deletion", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data from Cloud Storage"}]}]}, {"name": "Suspicious AWS Traffic", "author": "Bhavin Patel, Splunk", "date": "2018-05-07", "version": 1, "id": "2e8948a5-5239-406b-b56b-6c50f2168af3", "description": "Leverage these searches to monitor your AWS network traffic for evidence of anomalous activity and suspicious behaviors, such as a spike in blocked outbound traffic in your virtual private cloud (VPC).", "references": ["https://rhinosecuritylabs.com/aws/hiding-cloudcobalt-strike-beacon-c2-using-amazon-apis/"], "narrative": "A virtual private cloud (VPC) is an on-demand managed cloud-computing service that isolates computing resources for each client. Inside the VPC container, the environment resembles a physical network.\nAmazon's VPC service enables you to launch EC2 instances and leverage other Amazon resources. The traffic that flows in and out of this VPC can be controlled via network access-control rules and security groups. Amazon also has a feature called VPC Flow Logs that enables you to log IP traffic going to and from the network interfaces in your VPC. This data is stored using Amazon CloudWatch Logs.\nAttackers may abuse the AWS infrastructure with insecure VPCs so they can co-opt AWS resources for command-and-control nodes, data exfiltration, and more. Once an EC2 instance is compromised, an attacker may initiate outbound network connections for malicious reasons. Monitoring these network traffic behaviors is crucial for understanding the type of traffic flowing in and out of your network and to alert you to suspicious activities.\nThe searches in this Analytic Story will monitor your AWS network traffic for evidence of anomalous activity and suspicious behaviors.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Spike in blocked Outbound Traffic from your AWS - Rule"], "investigation_names": ["AWS Investigate User Activities By ARN", "AWS Network ACL Details from ID", "AWS Network Interface details via resourceId", "Get All AWS Activity From IP Address", "Get DNS Server History for a host", "Get DNS traffic ratio", "Get Notable History", "Get Process Info", "Get Process Information For Port Activity", "Get Process Responsible For The DNS Traffic"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect Spike in blocked Outbound Traffic from your AWS", "source": "cloud", "type": "Anomaly", "tags": []}]}, {"name": "Suspicious Cloud Authentication Activities", "author": "Rico Valdez, Splunk", "date": "2020-06-04", "version": 1, "id": "6380ebbb-55c5-4fce-b754-01fd565fb73c", "description": "Monitor your cloud authentication events. Searches within this Analytic Story leverage the recent cloud updates to the Authentication data model to help you stay aware of and investigate suspicious login activity. ", "references": ["https://aws.amazon.com/blogs/security/aws-cloudtrail-now-tracks-cross-account-activity-to-its-origin/", "https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html"], "narrative": "It is important to monitor and control who has access to your cloud infrastructure. Detecting suspicious logins will provide good starting points for investigations. Abusive behaviors caused by compromised credentials can lead to direct monetary costs, as you will be billed for any compute activity whether legitimate or otherwise.\nThis Analytic Story has data model versions of cloud searches leveraging Authentication data, including those looking for suspicious login activity, and cross-account activity for AWS.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Resource Development", "Credential Access", "Defense Evasion"], "datamodels": ["Authentication"], "kill_chain_phases": ["Weaponization", "Exploitation"]}, "detection_names": ["ESCU - AWS Cross Account Activity From Previously Unseen Account - Rule", "ESCU - Detect AWS Console Login by New User - Rule", "ESCU - Detect AWS Console Login by User from New City - Rule", "ESCU - Detect AWS Console Login by User from New Country - Rule", "ESCU - Detect AWS Console Login by User from New Region - Rule"], "investigation_names": ["Get Notable History", "Investigate AWS User Activities by user field"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "AWS Cross Account Activity From Previously Unseen Account", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Detect AWS Console Login by New User", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unsecured Credentials"}]}, {"name": "Detect AWS Console Login by User from New City", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}, {"name": "Detect AWS Console Login by User from New Country", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}, {"name": "Detect AWS Console Login by User from New Region", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}]}, {"name": "Suspicious Cloud Instance Activities", "author": "David Dorsey, Splunk", "date": "2020-08-25", "version": 1, "id": "8168ca88-392e-42f4-85a2-767579c660ce", "description": "Monitor your cloud infrastructure provisioning activities for behaviors originating from unfamiliar or unusual locations. These behaviors may indicate that malicious activities are occurring somewhere within your cloud environment.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "narrative": "Monitoring your cloud infrastructure logs allows you enable governance, compliance, and risk auditing. It is crucial for a company to monitor events and actions taken in the their cloud environments to ensure that your instances are not vulnerable to attacks. This Analytic Story identifies suspicious activities in your cloud compute instances and helps you respond and investigate those activities.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1537", "mitre_attack_technique": "Transfer Data to Cloud Account", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Exfiltration", "Initial Access", "Privilege Escalation", "Persistence", "Defense Evasion"], "datamodels": ["Risk", "Change"], "kill_chain_phases": ["Installation", "Delivery", "Actions on Objectives", "Exploitation"]}, "detection_names": ["ESCU - Abnormally High Number Of Cloud Instances Destroyed - Rule", "ESCU - Abnormally High Number Of Cloud Instances Launched - Rule", "ESCU - AWS AMI Attribute Modification for Exfiltration - Rule", "ESCU - AWS EC2 Snapshot Shared Externally - Rule", "ESCU - AWS Exfiltration via EC2 Snapshot - Rule", "ESCU - AWS S3 Exfiltration Behavior Identified - Rule", "ESCU - Cloud Instance Modified By Previously Unseen User - Rule"], "investigation_names": ["AWS Investigate User Activities By ARN", "Get All AWS Activity From IP Address"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Abnormally High Number Of Cloud Instances Destroyed", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}, {"name": "Abnormally High Number Of Cloud Instances Launched", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}, {"name": "AWS AMI Attribute Modification for Exfiltration", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}, {"name": "AWS EC2 Snapshot Shared Externally", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}, {"name": "AWS Exfiltration via EC2 Snapshot", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}, {"name": "AWS S3 Exfiltration Behavior Identified", "source": "cloud", "type": "Correlation", "tags": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}, {"name": "Cloud Instance Modified By Previously Unseen User", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}]}, {"name": "Suspicious Cloud Provisioning Activities", "author": "David Dorsey, Splunk", "date": "2018-08-20", "version": 1, "id": "51045ded-1575-4ba6-aef7-af6c73cffd86", "description": "Monitor your cloud infrastructure provisioning activities for behaviors originating from unfamiliar or unusual locations. These behaviors may indicate that malicious activities are occurring somewhere within your cloud environment.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "narrative": "Because most enterprise cloud infrastructure activities originate from familiar geographic locations, monitoring for activity from unknown or unusual regions is an important security measure. This indicator can be especially useful in environments where it is impossible to add specific IPs to an allow list because they vary.\nThis Analytic Story was designed to provide you with flexibility in the precision you employ in specifying legitimate geographic regions. It can be as specific as an IP address or a city, or as broad as a region (think state) or an entire country. By determining how precise you want your geographical locations to be and monitoring for new locations that haven't previously accessed your environment, you can detect adversaries as they begin to probe your environment. Since there are legitimate reasons for activities from unfamiliar locations, this is not a standalone indicator. Nevertheless, location can be a relevant piece of information that you may wish to investigate further.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Persistence", "Privilege Escalation", "Initial Access", "Defense Evasion"], "datamodels": ["Change"], "kill_chain_phases": ["Installation", "Delivery", "Exploitation"]}, "detection_names": ["ESCU - Cloud Provisioning Activity From Previously Unseen City - Rule", "ESCU - Cloud Provisioning Activity From Previously Unseen Country - Rule", "ESCU - Cloud Provisioning Activity From Previously Unseen IP Address - Rule", "ESCU - Cloud Provisioning Activity From Previously Unseen Region - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Cloud Provisioning Activity From Previously Unseen City", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "Cloud Provisioning Activity From Previously Unseen Country", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "Cloud Provisioning Activity From Previously Unseen IP Address", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "Cloud Provisioning Activity From Previously Unseen Region", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}]}, {"name": "Suspicious Cloud User Activities", "author": "David Dorsey, Splunk", "date": "2020-09-04", "version": 1, "id": "1ed5ce7d-5469-4232-92af-89d1a3595b39", "description": "Detect and investigate suspicious activities by users and roles in your cloud environments.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf", "https://redlock.io/blog/cryptojacking-tesla"], "narrative": "It seems obvious that it is critical to monitor and control the users who have access to your cloud infrastructure. Nevertheless, it's all too common for enterprises to lose track of ad-hoc accounts, leaving their servers vulnerable to attack. In fact, this was the very oversight that led to Tesla's cryptojacking attack in February, 2018.\nIn addition to compromising the security of your data, when bad actors leverage your compute resources, it can incur monumental costs, since you will be billed for any new instances and increased bandwidth usage.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1580", "mitre_attack_technique": "Cloud Infrastructure Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Scattered Spider"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Initial Access", "Discovery", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion"], "datamodels": ["Change"], "kill_chain_phases": ["Installation", "Delivery", "Exploitation"]}, "detection_names": ["ESCU - Abnormally High Number Of Cloud Infrastructure API Calls - Rule", "ESCU - Abnormally High Number Of Cloud Security Group API Calls - Rule", "ESCU - AWS IAM AccessDenied Discovery Events - Rule", "ESCU - AWS Lambda UpdateFunctionCode - Rule", "ESCU - Cloud API Calls From Previously Unseen User Roles - Rule", "ESCU - Cloud Security Groups Modifications by User - Rule"], "investigation_names": ["AWS Investigate User Activities By ARN"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Abnormally High Number Of Cloud Infrastructure API Calls", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}, {"name": "Abnormally High Number Of Cloud Security Group API Calls", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}, {"name": "AWS IAM AccessDenied Discovery Events", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Infrastructure Discovery"}]}, {"name": "AWS Lambda UpdateFunctionCode", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Cloud API Calls From Previously Unseen User Roles", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "Cloud Security Groups Modifications by User", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Cloud Compute Configurations"}]}]}, {"name": "Suspicious Command-Line Executions", "author": "Bhavin Patel, Splunk", "date": "2020-02-03", "version": 2, "id": "f4368ddf-d59f-4192-84f6-778ac5a3ffc7", "description": "Leveraging the Windows command-line interface (CLI) is one of the most common attack techniques--one that is also detailed in the MITRE ATT&CK framework. Use this Analytic Story to help you identify unusual or suspicious use of the CLI on Windows systems.", "references": ["https://attack.mitre.org/wiki/Technique/T1059", "https://www.microsoft.com/en-us/wdsi/threats/macro-malware", "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"], "narrative": "The ability to execute arbitrary commands via the Windows CLI is a primary goal for the adversary. With access to the shell, an attacker can easily run scripts and interact with the target system. Often, attackers may only have limited access to the shell or may obtain access in unusual ways. In addition, malware may execute and interact with the CLI in ways that would be considered unusual and inconsistent with typical user activity. This provides defenders with opportunities to identify suspicious use and investigate, as appropriate. This Analytic Story contains various searches to help identify this suspicious activity, as well as others to aid you in deeper investigation.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}], "mitre_attack_tactics": ["Execution", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - First time seen command line argument - Rule", "ESCU - Detect Prohibited Applications Spawning cmd exe - Rule", "ESCU - Detect suspicious processnames using pretrained model in DSDL - Rule", "ESCU - Detect Use of cmd exe to Launch Script Interpreters - Rule", "ESCU - Potentially malicious code on commandline - Rule", "ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - Unusually Long Command Line - Rule", "ESCU - Unusually Long Command Line - MLTK - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "First time seen command line argument", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Windows Command Shell"}]}, {"name": "Detect Prohibited Applications Spawning cmd exe", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}]}, {"name": "Detect suspicious processnames using pretrained model in DSDL", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Detect Use of cmd exe to Launch Script Interpreters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}]}, {"name": "Potentially malicious code on commandline", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Windows Command Shell"}]}, {"name": "System Processes Run From Unexpected Locations", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}, {"name": "Unusually Long Command Line", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Unusually Long Command Line - MLTK", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Suspicious Compiled HTML Activity", "author": "Michael Haag, Splunk", "date": "2021-02-11", "version": 1, "id": "a09db4d1-3827-4833-87b8-3a397e532119", "description": "Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code.", "references": ["https://redcanary.com/blog/introducing-atomictestharnesses/", "https://attack.mitre.org/techniques/T1218/001/", "https://docs.microsoft.com/en-us/windows/win32/api/htmlhelp/nf-htmlhelp-htmlhelpa"], "narrative": "Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such VBA, JScript, Java, and ActiveX. CHM content is displayed using underlying components of the Internet Explorer browser loaded by the HTML Help executable program (hh.exe).\nHH.exe relies upon hhctrl.ocx to load CHM topics.This will load upon execution of a chm file.\nDuring investigation, review all parallel processes and child processes. It is possible for file modification events to occur and it is best to capture the CHM file and decompile it for further analysis.\nUpon usage of InfoTech Storage Handlers, ms-its, its, mk, itss.dll will load.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.001", "mitre_attack_technique": "Compiled HTML File", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "APT41", "Dark Caracal", "OilRig", "Silence"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Detect HTML Help Renamed - Rule", "ESCU - Detect HTML Help Spawn Child Process - Rule", "ESCU - Detect HTML Help URL in Command Line - Rule", "ESCU - Detect HTML Help Using InfoTech Storage Handlers - Rule", "ESCU - Windows System Binary Proxy Execution Compiled HTML File Decompile - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect HTML Help Renamed", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Compiled HTML File"}]}, {"name": "Detect HTML Help Spawn Child Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Compiled HTML File"}]}, {"name": "Detect HTML Help URL in Command Line", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Compiled HTML File"}]}, {"name": "Detect HTML Help Using InfoTech Storage Handlers", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Compiled HTML File"}]}, {"name": "Windows System Binary Proxy Execution Compiled HTML File Decompile", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Compiled HTML File"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}]}, {"name": "Suspicious DNS Traffic", "author": "Rico Valdez, Splunk", "date": "2017-09-18", "version": 1, "id": "3c3835c0-255d-4f9e-ab84-e29ec9ec9b56", "description": "Attackers often attempt to hide within or otherwise abuse the domain name system (DNS). You can thwart attempts to manipulate this omnipresent protocol by monitoring for these types of abuses.", "references": ["http://blogs.splunk.com/2015/10/01/random-words-on-entropy-and-dns/", "http://www.darkreading.com/analytics/security-monitoring/got-malware-three-signs-revealed-in-dns-traffic/d/d-id/1139680", "https://live.paloaltonetworks.com/t5/Threat-Vulnerability-Articles/What-are-suspicious-DNS-queries/ta-p/71454"], "narrative": "Although DNS is one of the fundamental underlying protocols that make the Internet work, it is often ignored (perhaps because of its complexity and effectiveness). However, attackers have discovered ways to abuse the protocol to meet their objectives. One potential abuse involves manipulating DNS to hijack traffic and redirect it to an IP address under the attacker's control. This could inadvertently send users intending to visit google.com, for example, to an unrelated malicious website. Another technique involves using the DNS protocol for command-and-control activities with the attacker's malicious code or to covertly exfiltrate data. The searches within this Analytic Story look for these types of abuses.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1071.004", "mitre_attack_technique": "DNS", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT39", "APT41", "Chimera", "Cobalt Group", "FIN7", "Ke3chang", "LazyScripter", "OilRig", "Tropic Trooper"]}, {"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "Mustard Tempest", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}, {"mitre_attack_id": "T1568.002", "mitre_attack_technique": "Domain Generation Algorithms", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "TA551"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Magic Hound", "Rocke", "TeamTNT"]}], "mitre_attack_tactics": ["Initial Access", "Command And Control", "Exfiltration"], "datamodels": ["Endpoint", "Network_Resolution"], "kill_chain_phases": ["Delivery", "Actions on Objectives", "Command and Control"]}, "detection_names": ["ESCU - Clients Connecting to Multiple DNS Servers - Rule", "ESCU - Detect Long DNS TXT Record Response - Rule", "ESCU - Detection of DNS Tunnels - Rule", "ESCU - DNS Query Requests Resolved by Unauthorized DNS Servers - Rule", "ESCU - DNS Exfiltration Using Nslookup App - Rule", "ESCU - Excessive Usage of NSLOOKUP App - Rule", "ESCU - Detect DGA domains using pretrained model in DSDL - Rule", "ESCU - Detect DNS Data Exfiltration using pretrained model in DSDL - Rule", "ESCU - Detect hosts connecting to dynamic domain providers - Rule", "ESCU - Detect suspicious DNS TXT records using pretrained model in DSDL - Rule", "ESCU - DNS Query Length Outliers - MLTK - Rule", "ESCU - DNS Query Length With High Standard Deviation - Rule", "ESCU - Excessive DNS Failures - Rule"], "investigation_names": ["Get DNS Server History for a host", "Get DNS traffic ratio", "Get Notable History", "Get Parent Process Info", "Get Process Info", "Get Process Responsible For The DNS Traffic"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Clients Connecting to Multiple DNS Servers", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}, {"name": "Detect Long DNS TXT Record Response", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}, {"name": "Detection of DNS Tunnels", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}, {"name": "DNS Query Requests Resolved by Unauthorized DNS Servers", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "DNS"}]}, {"name": "DNS Exfiltration Using Nslookup App", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}, {"name": "Excessive Usage of NSLOOKUP App", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}, {"name": "Detect DGA domains using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Domain Generation Algorithms"}]}, {"name": "Detect DNS Data Exfiltration using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}, {"name": "Detect hosts connecting to dynamic domain providers", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Drive-by Compromise"}]}, {"name": "Detect suspicious DNS TXT records using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Domain Generation Algorithms"}]}, {"name": "DNS Query Length Outliers - MLTK", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "DNS"}, {"mitre_attack_technique": "Application Layer Protocol"}]}, {"name": "DNS Query Length With High Standard Deviation", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}, {"name": "Excessive DNS Failures", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "DNS"}, {"mitre_attack_technique": "Application Layer Protocol"}]}]}, {"name": "Suspicious Emails", "author": "Bhavin Patel, Splunk", "date": "2020-01-27", "version": 1, "id": "2b1800dd-92f9-47ec-a981-fdf1351e5d55", "description": "Email remains one of the primary means for attackers to gain an initial foothold within the modern enterprise. Detect and investigate suspicious emails in your environment with the help of the searches in this Analytic Story.", "references": ["https://www.splunk.com/blog/2015/06/26/phishing-hits-a-new-level-of-quality/"], "narrative": "It is a common practice for attackers of all types to leverage targeted spearphishing campaigns and mass mailers to deliver weaponized email messages and attachments. Fortunately, there are a number of ways to monitor email data in Splunk to detect suspicious content.\nOnce a phishing message has been detected, the next steps are to answer the following questions:\n1. Which users have received this or a similar message in the past?\n1. When did the targeted campaign begin?\n1. Have any users interacted with the content of the messages (by downloading an attachment or clicking on a malicious URL)?This Analytic Story provides detection searches to identify suspicious emails, as well as contextual and investigative searches to help answer some of these questions.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Email"], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - Email Attachments With Lots Of Spaces - Rule", "ESCU - Monitor Email For Brand Abuse - Rule", "ESCU - Suspicious Email Attachment Extensions - Rule", "ESCU - Suspicious Email - UBA Anomaly - Rule"], "investigation_names": ["Get Email Info", "Get Emails From Specific Sender", "Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Email Attachments With Lots Of Spaces", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Monitor Email For Brand Abuse", "source": "application", "type": "TTP", "tags": []}, {"name": "Suspicious Email Attachment Extensions", "source": "application", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}, {"name": "Suspicious Email - UBA Anomaly", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Phishing"}]}]}, {"name": "Suspicious GCP Storage Activities", "author": "Shannon Davis, Splunk", "date": "2020-08-05", "version": 1, "id": "4d656b2e-d6be-11ea-87d0-0242ac130003", "description": "Use the searches in this Analytic Story to monitor your GCP Storage buckets for evidence of anomalous activity and suspicious behaviors, such as detecting open storage buckets and buckets being accessed from a new IP. The contextual and investigative searches will give you more information, when required.", "references": ["https://cloud.google.com/blog/products/gcp/4-steps-for-hardening-your-cloud-storage-buckets-taking-charge-of-your-security", "https://rhinosecuritylabs.com/gcp/google-cloud-platform-gcp-bucket-enumeration/"], "narrative": "Similar to other cloud providers, GCP operates on a shared responsibility model. This means the end user, you, are responsible for setting appropriate access control lists and permissions on your GCP resources.\\ This Analytics Story concentrates on detecting things like open storage buckets (both read and write) along with storage bucket access from unfamiliar users and IP addresses.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1530", "mitre_attack_technique": "Data from Cloud Storage", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Fox Kitten", "Scattered Spider"]}], "mitre_attack_tactics": ["Collection"], "datamodels": [], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Detect GCP Storage access from a new IP - Rule", "ESCU - Detect New Open GCP Storage Buckets - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Shannon Davis", "detections": [{"name": "Detect GCP Storage access from a new IP", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data from Cloud Storage"}]}, {"name": "Detect New Open GCP Storage Buckets", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Data from Cloud Storage"}]}]}, {"name": "Suspicious MSHTA Activity", "author": "Bhavin Patel, Michael Haag, Splunk", "date": "2021-01-20", "version": 2, "id": "1e5a5a53-540b-462a-8fb7-f44a4292f5dc", "description": "Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code.", "references": ["https://redcanary.com/blog/introducing-atomictestharnesses/", "https://redcanary.com/blog/windows-registry-attacks-threat-detection/", "https://attack.mitre.org/techniques/T1218/005/", "https://medium.com/@mbromileyDFIR/malware-monday-aebb456356c5"], "narrative": "One common adversary tactic is to bypass application control solutions via the mshta.exe process, which loads Microsoft HTML applications (mshtml.dll) with the .hta suffix. In these cases, attackers use the trusted Windows utility to proxy execution of malicious files, whether an .hta application, javascript, or VBScript.\nThe searches in this story help you detect and investigate suspicious activity that may indicate that an attacker is leveraging mshta.exe to execute malicious code.\nTriage\nValidate execution\n1. Determine if MSHTA.exe executed. Validate the OriginalFileName of MSHTA.exe and further PE metadata. If executed outside of c:\\windows\\system32 or c:\\windows\\syswow64, it should be highly suspect.\n1. Determine if script code was executed with MSHTA.\nSituational Awareness\nThe objective of this step is meant to identify suspicious behavioral indicators related to executed of Script code by MSHTA.exe.\n1. Parent process. Is the parent process a known LOLBin? Is the parent process an Office Application?\n1. Module loads. Are the known MSHTA.exe modules being loaded by a non-standard application? Is MSHTA loading any suspicious .DLLs?\n1. Network connections. Any network connections? Review the reputation of the remote IP or domain.\nRetrieval of script code\nThe objective of this step is to confirm the executed script code is benign or malicious.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA2541", "TA551"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Persistence", "Execution", "Privilege Escalation", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - Detect mshta inline hta execution - Rule", "ESCU - Detect mshta renamed - Rule", "ESCU - Detect MSHTA Url in Command Line - Rule", "ESCU - Detect Prohibited Applications Spawning cmd exe - Rule", "ESCU - Detect Rundll32 Inline HTA Execution - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Suspicious mshta child process - Rule", "ESCU - Suspicious mshta spawn - Rule", "ESCU - Windows MSHTA Writing to World Writable Path - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Michael Haag, Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect mshta inline hta execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}, {"name": "Detect mshta renamed", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}, {"name": "Detect MSHTA Url in Command Line", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}, {"name": "Detect Prohibited Applications Spawning cmd exe", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}]}, {"name": "Detect Rundll32 Inline HTA Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Suspicious mshta child process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}, {"name": "Suspicious mshta spawn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}, {"name": "Windows MSHTA Writing to World Writable Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Mshta"}]}]}, {"name": "Suspicious Okta Activity", "author": "Rico Valdez, Splunk", "date": "2020-04-02", "version": 1, "id": "9cbd34af-8f39-4476-a423-bacd126c750b", "description": "Monitor your Okta environment for suspicious activities. Due to the Covid outbreak, many users are migrating over to leverage cloud services more and more. Okta is a popular tool to manage multiple users and the web-based applications they need to stay productive. The searches in this story will help monitor your Okta environment for suspicious activities and associated user behaviors.", "references": ["https://attack.mitre.org/wiki/Technique/T1078", "https://owasp.org/www-community/attacks/Credential_stuffing", "https://searchsecurity.techtarget.com/answer/What-is-a-password-spraying-attack-and-how-does-it-work"], "narrative": "Okta is the leading single sign on (SSO) provider, allowing users to authenticate once to Okta, and from there access a variety of web-based applications. These applications are assigned to users and allow administrators to centrally manage which users are allowed to access which applications. It also provides centralized logging to help understand how the applications are used and by whom.\nWhile SSO is a major convenience for users, it also provides attackers with an opportunity. If the attacker can gain access to Okta, they can access a variety of applications. As such monitoring the environment is important.\nWith people moving quickly to adopt web-based applications and ways to manage them, many are still struggling to understand how best to monitor these environments. This analytic story provides searches to help monitor this environment, and identify events and activity that warrant further investigation such as credential stuffing or password spraying attacks, and users logging in from multiple locations when travel is disallowed.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.004", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1539", "mitre_attack_technique": "Steal Web Session Cookie", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Evilnum", "LuminousMoth", "Sandworm Team", "Scattered Spider"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.001", "mitre_attack_technique": "Default Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["FIN13", "Magic Hound"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}], "mitre_attack_tactics": ["Initial Access", "Discovery", "Credential Access", "Privilege Escalation", "Persistence", "Defense Evasion"], "datamodels": ["Risk"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation"]}, "detection_names": ["ESCU - Okta IDP Lifecycle Modifications - Rule", "ESCU - Okta Risk Threshold Exceeded - Rule", "ESCU - Okta Suspicious Use of a Session Cookie - Rule", "ESCU - Multiple Okta Users With Invalid Credentials From The Same IP - Rule", "ESCU - Okta Account Locked Out - Rule", "ESCU - Okta Account Lockout Events - Rule", "ESCU - Okta Failed SSO Attempts - Rule", "ESCU - Okta ThreatInsight Login Failure with High Unknown users - Rule", "ESCU - Okta ThreatInsight Suspected PasswordSpray Attack - Rule", "ESCU - Okta Two or More Rejected Okta Pushes - Rule"], "investigation_names": ["Investigate Okta Activity by app", "Investigate Okta Activity by IP Address", "Investigate User Activities In Okta"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Okta IDP Lifecycle Modifications", "source": "application", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Account"}]}, {"name": "Okta Risk Threshold Exceeded", "source": "application", "type": "Correlation", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Okta Suspicious Use of a Session Cookie", "source": "application", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Steal Web Session Cookie"}]}, {"name": "Multiple Okta Users With Invalid Credentials From The Same IP", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}]}, {"name": "Okta Account Locked Out", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Brute Force"}]}, {"name": "Okta Account Lockout Events", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}]}, {"name": "Okta Failed SSO Attempts", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}]}, {"name": "Okta ThreatInsight Login Failure with High Unknown users", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}, {"mitre_attack_technique": "Credential Stuffing"}]}, {"name": "Okta ThreatInsight Suspected PasswordSpray Attack", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}, {"mitre_attack_technique": "Password Spraying"}]}, {"name": "Okta Two or More Rejected Okta Pushes", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Brute Force"}]}]}, {"name": "Suspicious Regsvcs Regasm Activity", "author": "Michael Haag, Splunk", "date": "2021-02-11", "version": 1, "id": "2cdf33a0-4805-4b61-b025-59c20f418fbe", "description": "Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code.", "references": ["https://attack.mitre.org/techniques/T1218/009/", "https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/evasion/windows/applocker_evasion_regasm_regsvcs.md", "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/"], "narrative": " Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies. Both are digitally signed by Microsoft. The following queries assist with detecting suspicious and malicious usage of Regasm.exe and Regsvcs.exe. Upon reviewing usage of Regasm.exe Regsvcs.exe, review file modification events for possible script code written. Review parallel process events for csc.exe being utilized to compile script code.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.009", "mitre_attack_technique": "Regsvcs/Regasm", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Detect Regasm Spawning a Process - Rule", "ESCU - Detect Regasm with Network Connection - Rule", "ESCU - Detect Regasm with no Command Line Arguments - Rule", "ESCU - Detect Regsvcs Spawning a Process - Rule", "ESCU - Detect Regsvcs with Network Connection - Rule", "ESCU - Detect Regsvcs with No Command Line Arguments - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Regasm Spawning a Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}, {"name": "Detect Regasm with Network Connection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}, {"name": "Detect Regasm with no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}, {"name": "Detect Regsvcs Spawning a Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}, {"name": "Detect Regsvcs with Network Connection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}, {"name": "Detect Regsvcs with No Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}]}, {"name": "Suspicious Regsvr32 Activity", "author": "Michael Haag, Splunk", "date": "2021-01-29", "version": 1, "id": "b8bee41e-624f-11eb-ae93-0242ac130002", "description": "Monitor and detect techniques used by attackers who leverage the regsvr32.exe process to execute malicious code.", "references": ["https://attack.mitre.org/techniques/T1218/010/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md", "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/"], "narrative": "One common adversary tactic is to bypass application control solutions via the regsvr32.exe process. This particular bypass was popularized with \"SquiblyDoo\" using the \"scrobj.dll\" dll to load .sct scriptlets. This technique is still widely used by adversaries to bypass detection and prevention controls. The file extension of the DLL is irrelevant (it may load a .txt file extension for example). The searches in this story help you detect and investigate suspicious activity that may indicate that an adversary is leveraging regsvr32.exe to execute malicious code. Validate execution Determine if regsvr32.exe executed. Validate the OriginalFileName of regsvr32.exe and further PE metadata. If executed outside of c:\\windows\\system32 or c:\\windows\\syswow64, it should be highly suspect. Determine if script code was executed with regsvr32. Situational Awareness - The objective of this step is meant to identify suspicious behavioral indicators related to executed of Script code by regsvr32.exe. Parent process. Is the parent process a known LOLBin? Is the parent process an Office Application? Module loads. Is regsvr32 loading any suspicious .DLLs? Unsigned or signed from non-standard paths. Network connections. Any network connections? Review the reputation of the remote IP or domain. Retrieval of Script Code - confirm the executed script code is benign or malicious.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Detect Regsvr32 Application Control Bypass - Rule", "ESCU - Malicious InProcServer32 Modification - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Suspicious Regsvr32 Register Suspicious Path - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Regsvr32 Application Control Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}, {"name": "Malicious InProcServer32 Modification", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Regsvr32"}, {"mitre_attack_technique": "Modify Registry"}]}, {"name": "Regsvr32 Silent and Install Param Dll Loading", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}, {"name": "Suspicious Regsvr32 Register Suspicious Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}]}, {"name": "Suspicious Rundll32 Activity", "author": "Michael Haag, Splunk", "date": "2021-02-03", "version": 1, "id": "80a65487-854b-42f1-80a1-935e4c170694", "description": "Monitor and detect techniques used by attackers who leverage rundll32.exe to execute arbitrary malicious code.", "references": ["https://attack.mitre.org/techniques/T1218/011/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md", "https://lolbas-project.github.io/lolbas/Binaries/Rundll32"], "narrative": "One common adversary tactic is to bypass application control solutions via the rundll32.exe process. Natively, rundll32.exe will load DLLs and is a great example of a Living off the Land Binary. Rundll32.exe may load malicious DLLs by ordinals, function names or directly. The queries in this story focus on loading default DLLs, syssetup.dll, ieadvpack.dll, advpack.dll and setupapi.dll from disk that may be abused by adversaries. Additionally, two analytics developed to assist with identifying DLLRegisterServer, Start and StartW functions being called. The searches in this story help you detect and investigate suspicious activity that may indicate that an adversary is leveraging rundll32.exe to execute malicious code.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion"], "datamodels": ["Network_Traffic", "Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Suspicious Rundll32 Rename - Rule", "ESCU - Detect Rundll32 Application Control Bypass - advpack - Rule", "ESCU - Detect Rundll32 Application Control Bypass - setupapi - Rule", "ESCU - Detect Rundll32 Application Control Bypass - syssetup - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Rundll32 Control RunDLL Hunt - Rule", "ESCU - Rundll32 Control RunDLL World Writable Directory - Rule", "ESCU - Rundll32 with no Command Line Arguments with Network - Rule", "ESCU - RunDLL Loading DLL By Ordinal - Rule", "ESCU - Suspicious Rundll32 dllregisterserver - Rule", "ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", "ESCU - Suspicious Rundll32 StartW - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Suspicious Rundll32 Rename", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rundll32"}, {"mitre_attack_technique": "Rename System Utilities"}]}, {"name": "Detect Rundll32 Application Control Bypass - advpack", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Detect Rundll32 Application Control Bypass - setupapi", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Detect Rundll32 Application Control Bypass - syssetup", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Rundll32 Control RunDLL Hunt", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Rundll32 Control RunDLL World Writable Directory", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Rundll32 with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "RunDLL Loading DLL By Ordinal", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Suspicious Rundll32 dllregisterserver", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Suspicious Rundll32 no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Suspicious Rundll32 StartW", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}]}, {"name": "Suspicious Windows Registry Activities", "author": "Bhavin Patel, Splunk", "date": "2018-05-31", "version": 1, "id": "2b1800dd-92f9-47dd-a981-fdf1351e5d55", "description": "Monitor and detect registry changes initiated from remote locations, which can be a sign that an attacker has infiltrated your system.", "references": ["https://redcanary.com/blog/windows-registry-attacks-threat-detection/", "https://attack.mitre.org/wiki/Technique/T1112"], "narrative": "Attackers are developing increasingly sophisticated techniques for hijacking target servers, while evading detection. One such technique that has become progressively more common is registry modification.\nThe registry is a key component of the Windows operating system. It has a hierarchical database called \"registry\" that contains settings, options, and values for executables. Once the threat actor gains access to a machine, they can use reg.exe to modify their account to obtain administrator-level privileges, maintain persistence, and move laterally within the environment.\nThe searches in this story are designed to help you detect behaviors associated with manipulation of the Windows registry.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1547.010", "mitre_attack_technique": "Port Monitors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546.011", "mitre_attack_technique": "Application Shimming", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["FIN7"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1546.012", "mitre_attack_technique": "Image File Execution Options Injection", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA2541", "TA551"]}, {"mitre_attack_id": "T1564.001", "mitre_attack_technique": "Hidden Files and Directories", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "FIN13", "HAFNIUM", "Lazarus Group", "LuminousMoth", "Mustang Panda", "Rocke", "Transparent Tribe", "Tropic Trooper"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Persistence", "Defense Evasion", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - Reg exe used to hide files directories via registry keys - Rule", "ESCU - Remote Registry Key modifications - Rule", "ESCU - Suspicious Changes to File Associations - Rule", "ESCU - Disable UAC Remote Restriction - Rule", "ESCU - Disabling Remote User Account Control - Rule", "ESCU - Monitor Registry Keys for Print Monitors - Rule", "ESCU - Registry Keys for Creating SHIM Databases - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule", "ESCU - Windows Mshta Execution In Registry - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Reg exe used to hide files directories via registry keys", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Hidden Files and Directories"}]}, {"name": "Remote Registry Key modifications", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Suspicious Changes to File Associations", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Change Default File Association"}]}, {"name": "Disable UAC Remote Restriction", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Disabling Remote User Account Control", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Monitor Registry Keys for Print Monitors", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Port Monitors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Registry Keys for Creating SHIM Databases", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Application Shimming"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Registry Keys Used For Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Image File Execution Options Injection"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Windows Mshta Execution In Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Mshta"}]}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Services Registry Permissions Weakness"}]}]}, {"name": "Suspicious WMI Use", "author": "Rico Valdez, Splunk", "date": "2018-10-23", "version": 2, "id": "c8ddc5be-69bc-4202-b3ab-4010b27d7ad5", "description": "Attackers are increasingly abusing Windows Management Instrumentation (WMI), a framework and associated utilities available on all modern Windows operating systems. Because WMI can be leveraged to manage both local and remote systems, it is important to identify the processes executed and the user context within which the activity occurred.", "references": ["https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf", "https://web.archive.org/web/20210921091529/https://www.fireeye.com/blog/threat-research/2017/03/wmimplant_a_wmi_ba.html"], "narrative": "WMI is a Microsoft infrastructure for management data and operations on Windows operating systems. It includes of a set of utilities that can be leveraged to manage both local and remote Windows systems. Attackers are increasingly turning to WMI abuse in their efforts to conduct nefarious tasks, such as reconnaissance, detection of antivirus and virtual machines, code execution, lateral movement, persistence, and data exfiltration. The detection searches included in this Analytic Story are used to look for suspicious use of WMI commands that attackers may leverage to interact with remote systems. The searches specifically look for the use of WMI to run processes on remote systems. In the event that unauthorized WMI execution occurs, it will be important for analysts and investigators to determine the context of the event. These details may provide insights related to how WMI was used and to what end.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.003", "mitre_attack_technique": "Windows Management Instrumentation Event Subscription", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT33", "Blue Mockingbird", "FIN8", "HEXANE", "Leviathan", "Metador", "Mustang Panda", "Rancor", "Turla"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1220", "mitre_attack_technique": "XSL Script Processing", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group", "Higaisa"]}], "mitre_attack_tactics": ["Persistence", "Execution", "Defense Evasion", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - Detect WMI Event Subscription Persistence - Rule", "ESCU - PowerShell Invoke WmiExec Usage - Rule", "ESCU - Process Execution via WMI - Rule", "ESCU - Remote Process Instantiation via WMI - Rule", "ESCU - Remote WMI Command Attempt - Rule", "ESCU - Script Execution via WMI - Rule", "ESCU - Windows WMI Process Call Create - Rule", "ESCU - WMI Permanent Event Subscription - Rule", "ESCU - WMI Permanent Event Subscription - Sysmon - Rule", "ESCU - WMI Temporary Event Subscription - Rule", "ESCU - WMIC XSL Execution via URL - Rule", "ESCU - XSL Script Execution With WMIC - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info", "Get Sysmon WMI Activity for Host"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Detect WMI Event Subscription Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation Event Subscription"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "PowerShell Invoke WmiExec Usage", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "Process Execution via WMI", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "Remote Process Instantiation via WMI", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "Remote WMI Command Attempt", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "Script Execution via WMI", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "Windows WMI Process Call Create", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "WMI Permanent Event Subscription", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "WMI Permanent Event Subscription - Sysmon", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation Event Subscription"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "WMI Temporary Event Subscription", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "WMIC XSL Execution via URL", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "XSL Script Processing"}]}, {"name": "XSL Script Execution With WMIC", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "XSL Script Processing"}]}]}, {"name": "Suspicious Zoom Child Processes", "author": "David Dorsey, Splunk", "date": "2020-04-13", "version": 1, "id": "aa3749a6-49c7-491e-a03f-4eaee5fe0258", "description": "Attackers are using Zoom as an vector to increase privileges on a sytems. This story detects new child processes of zoom and provides investigative actions for this detection.", "references": ["https://blog.rapid7.com/2020/04/02/dispelling-zoom-bugbears-what-you-need-to-know-about-the-latest-zoom-vulnerabilities/", "https://threatpost.com/two-zoom-zero-day-flaws-uncovered/154337/"], "narrative": "Zoom is a leader in modern enterprise video communications and its usage has increased dramatically with a large amount of the population under stay-at-home orders due to the COVID-19 pandemic. With increased usage has come increased scrutiny and several security flaws have been found with this application on both Windows and macOS systems.\nCurrent detections focus on finding new child processes of this application on a per host basis. Investigative searches are included to gather information needed during an investigation.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}], "mitre_attack_tactics": ["Execution"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation"]}, "detection_names": ["ESCU - Detect Prohibited Applications Spawning cmd exe - Rule", "ESCU - First Time Seen Child Process of Zoom - Rule"], "investigation_names": ["Get Process File Activity"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Detect Prohibited Applications Spawning cmd exe", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}]}, {"name": "First Time Seen Child Process of Zoom", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}]}, {"name": "Swift Slicer", "author": "Teoderick Contreras, Rod Soto, Splunk", "date": "2023-02-01", "version": 1, "id": "234c9dd7-52fb-4d6f-aec9-075ef88a2cea", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the swift slicer malware including overwriting of files and etc.", "references": ["https://twitter.com/ESETresearch/status/1618960022150729728", "https://www.welivesecurity.com/2023/01/27/swiftslicer-new-destructive-wiper-malware-ukraine/"], "narrative": "Swift Slicer is one of Windows destructive malware found by ESET that was used in a targeted organizarion to wipe critical files like windows drivers and other files to destroy and left the machine inoperable. This malware like Caddy Wiper was deliver through GPO which suggests that the attacker had taken control of the victims active directory environment.", "tags": {"category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Persistence", "Impact", "Privilege Escalation", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Data Destruction Recursive Exec Files Deletion - Rule", "ESCU - Windows High File Deletion Frequency - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Rod Soto, Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Windows Data Destruction Recursive Exec Files Deletion", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Windows High File Deletion Frequency", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Destruction"}]}]}, {"name": "SysAid On-Prem Software CVE-2023-47246 Vulnerability", "author": "Michael Haag, Splunk", "date": "2023-11-09", "version": 1, "id": "228f22cb-3436-4c31-8af4-370d40af7b49", "description": "A zero-day vulnerability was discovered in SysAid's on-premise software, exploited by the group DEV-0950 (Lace Tempest). The attackers uploaded a WebShell and other payloads, gaining unauthorized access and control. SysAid has released a patch (version 23.3.36) to remediate the vulnerability and urges customers to conduct a comprehensive compromise assessment.", "references": ["https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification"], "narrative": "The analytics tagged to this analytic story will aid in capturing initial access and some post-exploitation activities. In addition to the application spawning a shell, consider reviewing STRT's Cobalt Strike and PowerShell script block logging analytic stories. On November 2nd, SysAid's security team identified a potential vulnerability in their on-premise software. The investigation revealed a zero-day vulnerability exploited by the group known as DEV-0950 (Lace Tempest). The attackers uploaded a WebShell and other payloads into the webroot of the SysAid Tomcat web service, thereby gaining unauthorized access and control over the affected system. SysAid promptly initiated their incident response protocol and began proactive communication with their on-premise customers to implement a mitigation solution. SysAid has released a patch (version 23.3.36) to remediate the vulnerability and strongly recommends all customers to conduct a comprehensive compromise assessment of their network.", "tags": {"category": ["Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "APT5", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}], "mitre_attack_tactics": ["Persistence", "Execution", "Command And Control", "Initial Access"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Delivery", "Command and Control"]}, "detection_names": ["ESCU - Any Powershell DownloadString - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Java Writing JSP File - Rule", "ESCU - Windows Java Spawning Shells - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}, {"name": "Java Writing JSP File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Windows Java Spawning Shells", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}]}, {"name": "Text4Shell CVE-2022-42889", "author": "Michael Haag, Splunk", "date": "2022-10-26", "version": 1, "id": "95ae800d-485e-47f7-866e-8be281aa497b", "description": "A new critical vulnerability CVE-2022-42889 a.k.a. Text4shell, similar to the old Spring4Shell and Log4Shell, was originally reported by Alvaro Munoz on the very popular Apache Commons Text library.", "references": ["https://sysdig.com/blog/cve-2022-42889-text4shell/"], "narrative": "Apache Commons Text is a Java library described as \"a library focused on algorithms working on strings.\" We can see it as a general-purpose text manipulation toolkit. This vulnerability affects the StringSubstitutor interpolator class, which is included in the Commons Text library. A default interpolator allows for string lookups that can lead to Remote Code Execution. This is due to a logic flaw that makes the \"script,\" \"dns,\" and \"url\" lookup keys interpolated by default, as opposed to what it should be, according to the documentation of the StringLookupFactory class. Those keys allow an attacker to execute arbitrary code via lookups. In order to exploit the vulnerabilities, the following requirements must be met - Run a version of Apache Commons Text from version 1.5 to 1.9 and use the StringSubstitutor interpolator. It is important to specify that the StringSubstitutor interpolator is not as widely used as the string substitution in Log4j, which led to Log4Shell. According to the CVSSv3 system, it scores 9.8 as CRITICAL severity. The severity is Critical due to the easy exploitability and huge potential impact in terms of confidentiality, integrity, and availability. As we showed in the previous section, you can take full control over the vulnerable system with a crafted request. However, it is not likely the vulnerabilities will have the same impacts as the previous Log4Shell and Spring4Shell.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Application Security", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Exploit Public Facing Application via Apache Commons Text - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Exploit Public Facing Application via Apache Commons Text", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}]}, {"name": "Trickbot", "author": "Rod Soto, Teoderick Contreras, Splunk", "date": "2021-04-20", "version": 1, "id": "16f93769-8342-44c0-9b1d-f131937cce8e", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the trickbot banking trojan, including looking for file writes associated with its payload, process injection, shellcode execution and data collection even in LDAP environment.", "references": ["https://en.wikipedia.org/wiki/Trickbot", "https://blog.checkpoint.com/2021/03/11/february-2021s-most-wanted-malware-trickbot-takes-over-following-emotet-shutdown/"], "narrative": "trickbot banking trojan campaigns targeting banks and other vertical sectors.This malware is known in Microsoft Windows OS where target security Microsoft Defender to prevent its detection and removal. steal Verizon credentials and targeting banks using its multi component modules that collect and exfiltrate data.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1590", "mitre_attack_technique": "Gather Victim Network Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["HAFNIUM"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1590.005", "mitre_attack_technique": "IP Addresses", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["Andariel", "HAFNIUM", "Magic Hound"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA2541", "TA551"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT41", "BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Scattered Spider", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Reconnaissance", "Initial Access", "Discovery", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Lateral Movement"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Installation", "Reconnaissance", "Exploitation"]}, "detection_names": ["ESCU - Account Discovery With Net App - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - Cobalt Strike Named Pipes - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Mshta spawning Rundll32 OR Regsvr32 Process - Rule", "ESCU - Office Application Spawn rundll32 process - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Office Product Spawning CertUtil - Rule", "ESCU - Powershell Remote Thread To Known Windows Process - Rule", "ESCU - Schedule Task with Rundll32 Command Trigger - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Rundll32 StartW - Rule", "ESCU - Trickbot Named Pipe - Rule", "ESCU - Wermgr Process Connecting To IP Check Web Services - Rule", "ESCU - Wermgr Process Create Executable File - Rule", "ESCU - Wermgr Process Spawned CMD Or Powershell Process - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Teoderick Contreras, Splunk", "author_name": "Rod Soto", "detections": [{"name": "Account Discovery With Net App", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Attempt To Stop Security Service", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Cobalt Strike Named Pipes", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Mshta spawning Rundll32 OR Regsvr32 Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}, {"name": "Office Application Spawn rundll32 process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawning CertUtil", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Powershell Remote Thread To Known Windows Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Schedule Task with Rundll32 Command Trigger", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Suspicious Rundll32 StartW", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Trickbot Named Pipe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Wermgr Process Connecting To IP Check Web Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Gather Victim Network Information"}, {"mitre_attack_technique": "IP Addresses"}]}, {"name": "Wermgr Process Create Executable File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}, {"name": "Wermgr Process Spawned CMD Or Powershell Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}]}, {"name": "Trusted Developer Utilities Proxy Execution", "author": "Michael Haag, Splunk", "date": "2021-01-12", "version": 1, "id": "270a67a6-55d8-11eb-ae93-0242ac130002", "description": "Monitor and detect behaviors used by attackers who leverage trusted developer utilities to execute malicious code.", "references": ["https://attack.mitre.org/techniques/T1127/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md", "https://lolbas-project.github.io/lolbas/Binaries/Microsoft.Workflow.Compiler/"], "narrative": "Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering. These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions.\nThe searches in this story help you detect and investigate suspicious activity that may indicate that an adversary is leveraging microsoft.workflow.compiler.exe to execute malicious code.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Suspicious microsoft workflow compiler rename - Rule", "ESCU - Suspicious microsoft workflow compiler usage - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Suspicious microsoft workflow compiler rename", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}]}, {"name": "Suspicious microsoft workflow compiler usage", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}]}]}, {"name": "Trusted Developer Utilities Proxy Execution MSBuild", "author": "Michael Haag, Splunk", "date": "2021-01-21", "version": 1, "id": "be3418e2-551b-11eb-ae93-0242ac130002", "description": "Monitor and detect techniques used by attackers who leverage the msbuild.exe process to execute malicious code.", "references": ["https://attack.mitre.org/techniques/T1127/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md", "https://github.com/infosecn1nja/MaliciousMacroMSBuild", "https://github.com/xorrior/RandomPS-Scripts/blob/master/Invoke-ExecuteMSBuild.ps1", "https://lolbas-project.github.io/lolbas/Binaries/Msbuild/", "https://github.com/MHaggis/CBR-Queries/blob/master/msbuild.md"], "narrative": "Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio and is native to Windows. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.\nThe inline task capability of MSBuild that was introduced in .NET version 4 allows for C# code to be inserted into an XML project file. MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application control defenses that are configured to allow MSBuild.exe execution.\nThe searches in this story help you detect and investigate suspicious activity that may indicate that an adversary is leveraging msbuild.exe to execute malicious code.\nTriage\nValidate execution\n1. Determine if MSBuild.exe executed. Validate the OriginalFileName of MSBuild.exe and further PE metadata.\n1. Determine if script code was executed with MSBuild.\nSituational Awareness\nThe objective of this step is meant to identify suspicious behavioral indicators related to executed of Script code by MSBuild.exe.\n1. Parent process. Is the parent process a known LOLBin? Is the parent process an Office Application?\n1. Module loads. Are the known MSBuild.exe modules being loaded by a non-standard application? Is MSbuild loading any suspicious .DLLs?\n1. Network connections. Any network connections? Review the reputation of the remote IP or domain.\nRetrieval of script code\nThe objective of this step is to confirm the executed script code is benign or malicious.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1127.001", "mitre_attack_technique": "MSBuild", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - MSBuild Suspicious Spawned By Script Process - Rule", "ESCU - Suspicious msbuild path - Rule", "ESCU - Suspicious MSBuild Rename - Rule", "ESCU - Suspicious MSBuild Spawn - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "MSBuild Suspicious Spawned By Script Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "MSBuild"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}]}, {"name": "Suspicious msbuild path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}, {"name": "Suspicious MSBuild Rename", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}, {"name": "Suspicious MSBuild Spawn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "MSBuild"}]}]}, {"name": "Unusual Processes", "author": "Bhavin Patel, Splunk", "date": "2020-02-04", "version": 2, "id": "f4368e3f-d59f-4192-84f6-748ac5a3ddb6", "description": "Quickly identify systems running new or unusual processes in your environment that could be indicators of suspicious activity. Processes run from unusual locations, those with conspicuously long command lines, and rare executables are all examples of activities that may warrant deeper investigation.", "references": ["https://web.archive.org/web/20210921093439/https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-two.html", "https://www.splunk.com/pdfs/technical-briefs/advanced-threat-detection-and-response-tech-brief.pdf", "https://www.sans.org/reading-room/whitepapers/logging/detecting-security-incidents-windows-workstation-event-logs-34262"], "narrative": "Being able to profile a host's processes within your environment can help you more quickly identify processes that seem out of place when compared to the rest of the population of hosts or asset types.\nThis Analytic Story lets you identify processes that are either a) not typically seen running or b) have some sort of suspicious command-line arguments associated with them. This Analytic Story will also help you identify the user running these processes and the associated process activity on the host.\nIn the event an unusual process is identified, it is imperative to better understand how that process was able to execute on the host, when it first executed, and whether other hosts are affected. This extra information may provide clues that can help the analyst further investigate any suspicious activity.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1588.002", "mitre_attack_technique": "Tool", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT19", "APT28", "APT29", "APT32", "APT33", "APT38", "APT39", "APT41", "Aoqin Dragon", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Carbanak", "Chimera", "Cinnamon Tempest", "Cleaver", "Cobalt Group", "CopyKittens", "DarkHydrus", "DarkVishnya", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN5", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "GALLIUM", "Gorgon Group", "HEXANE", "Inception", "IndigoZebra", "Ke3chang", "Kimsuky", "LAPSUS$", "Lazarus Group", "Leafminer", "LuminousMoth", "Magic Hound", "Metador", "Moses Staff", "MuddyWater", "POLONIUM", "Patchwork", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "TA2541", "TA505", "Threat Group-3390", "Thrip", "Turla", "Volt Typhoon", "WIRTE", "Whitefly", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1036.008", "mitre_attack_technique": "Masquerade File Type", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Volt Typhoon"]}, {"mitre_attack_id": "T1027.011", "mitre_attack_technique": "Fileless Storage", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "Turla"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1036.005", "mitre_attack_technique": "Match Legitimate Name or Location", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT32", "APT39", "APT41", "APT5", "Aoqin Dragon", "BRONZE BUTLER", "BackdoorDiplomacy", "Blue Mockingbird", "Carbanak", "Chimera", "Darkhotel", "Earth Lusca", "FIN13", "FIN7", "Ferocious Kitten", "Fox Kitten", "Gamaredon Group", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Naikon", "PROMETHIUM", "Patchwork", "Poseidon Group", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "Sowbug", "TA2541", "TeamTNT", "ToddyCat", "Transparent Tribe", "Tropic Trooper", "Volt Typhoon", "WIRTE", "Whitefly", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1595", "mitre_attack_technique": "Active Scanning", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1218.012", "mitre_attack_technique": "Verclsid", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}], "mitre_attack_tactics": ["Reconnaissance", "Initial Access", "Resource Development", "Discovery", "Credential Access", "Privilege Escalation", "Execution", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Reconnaissance", "Delivery", "Exploitation", "Installation", "Weaponization"]}, "detection_names": ["ESCU - Uncommon Processes On Endpoint - Rule", "ESCU - Attacker Tools On Endpoint - Rule", "ESCU - Detect processes used for System Network Configuration Discovery - Rule", "ESCU - Detect Rare Executables - Rule", "ESCU - Rundll32 Shimcache Flush - Rule", "ESCU - RunDLL Loading DLL By Ordinal - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Suspicious Process Executed From Container File - Rule", "ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - Unusually Long Command Line - Rule", "ESCU - Unusually Long Command Line - MLTK - Rule", "ESCU - Verclsid CLSID Execution - Rule", "ESCU - Windows DotNet Binary in Non Standard Path - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows NirSoft AdvancedRun - Rule", "ESCU - Windows Registry Payload Injection - Rule", "ESCU - Windows Remote Assistance Spawning Process - Rule", "ESCU - WinRM Spawning a Process - Rule", "ESCU - Wscript Or Cscript Suspicious Child Process - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Uncommon Processes On Endpoint", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "Malicious File"}]}, {"name": "Attacker Tools On Endpoint", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Match Legitimate Name or Location"}, {"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "Active Scanning"}]}, {"name": "Detect processes used for System Network Configuration Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Network Configuration Discovery"}]}, {"name": "Detect Rare Executables", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Rundll32 Shimcache Flush", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "RunDLL Loading DLL By Ordinal", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Suspicious Copy on System32", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "Masquerading"}]}, {"name": "Suspicious Process Executed From Container File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Malicious File"}, {"mitre_attack_technique": "Masquerade File Type"}]}, {"name": "System Processes Run From Unexpected Locations", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}, {"name": "Unusually Long Command Line", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Unusually Long Command Line - MLTK", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Verclsid CLSID Execution", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Verclsid"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}, {"name": "Windows DotNet Binary in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}, {"name": "Windows NirSoft AdvancedRun", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Tool"}]}, {"name": "Windows Registry Payload Injection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "Fileless Storage"}]}, {"name": "Windows Remote Assistance Spawning Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "WinRM Spawning a Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}, {"name": "Wscript Or Cscript Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Parent PID Spoofing"}, {"mitre_attack_technique": "Access Token Manipulation"}]}]}, {"name": "Use of Cleartext Protocols", "author": "Bhavin Patel, Splunk", "date": "2017-09-15", "version": 1, "id": "826e6431-aeef-41b4-9fc0-6d0985d65a21", "description": "Leverage searches that detect cleartext network protocols that may leak credentials or should otherwise be encrypted.", "references": ["https://www.monkey.org/~dugsong/dsniff/"], "narrative": "Various legacy protocols operate by default in the clear, without the protections of encryption. This potentially leaks sensitive information that can be exploited by passively sniffing network traffic. Depending on the protocol, this information could be highly sensitive, or could allow for session hijacking. In addition, these protocols send authentication information, which would allow for the harvesting of usernames and passwords that could potentially be used to authenticate and compromise secondary systems.", "tags": {"category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Protocols passing authentication in cleartext - Rule"], "investigation_names": ["Get Notable History", "Get Process Information For Port Activity"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Protocols passing authentication in cleartext", "source": "network", "type": "TTP", "tags": []}]}, {"name": "VMware Aria Operations vRealize CVE-2023-20887", "author": "Michael Haag, Splunk", "date": "2023-06-21", "version": 1, "id": "99171cdd-57a1-4b8a-873c-f8bee12e2025", "description": "CVE-2023-20887 is a critical vulnerability affecting VMware's vRealize Network Insight (also known as VMware Aria Operations for Networks). It allows a remote, unauthenticated attacker to execute arbitrary commands with root privileges via the Apache Thrift RPC interface. The exploit, which has a severity score of 9.8, targets an endpoint (\"/saas./resttosaasservlet\") in the application and delivers a malicious payload designed to create a reverse shell, granting the attacker control over the system. VMware has released an advisory recommending users to update to the latest version to mitigate this threat.", "references": ["https://nvd.nist.gov/vuln/detail/CVE-2023-20887", "https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/", "https://viz.greynoise.io/tag/VMware-aria-operations-for-networks-rce-attempt?days=30", "https://github.com/sinsinology/CVE-2023-20887"], "narrative": "CVE-2023-20887 is a highly critical vulnerability found in VMware's vRealize Network Insight. This software is widely used for intelligent operations management across physical, virtual, and cloud environments, so a vulnerability in it poses a significant risk to many organizations.\nThis particular vulnerability lies in the application's Apache Thrift RPC interface. The exploit allows an attacker to inject commands that are executed with root privileges, leading to a potential total compromise of the system. The attacker does not need to be authenticated, which further increases the risk posed by this vulnerability.\nThe exploit operates by sending a specially crafted payload to the \"/saas./resttosaasservlet\" endpoint. This payload contains a reverse shell command, which, when executed, allows the attacker to remotely control the victim's system. This control is obtained at the root level, providing the attacker with the ability to perform any action on the system.\nWhat makes this vulnerability particularly dangerous is its high severity score of 9.8, indicating it is a critical threat. It's also noteworthy that the exploitation of this vulnerability leaves specific indicators such as abnormal traffic to the \"/saas./resttosaasservlet\" endpoint and suspicious ncat commands in network traffic, which can help in its detection.\nVMware has acknowledged the vulnerability and has published a security advisory recommending that users update to the latest version of the software. This update effectively patches the vulnerability and protects systems from this exploit. It's crucial that all users of the affected versions of VMware's vRealize Network Insight promptly apply the update to mitigate the risk posed by CVE-2023-20887.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - VMWare Aria Operations Exploit Attempt - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "VMWare Aria Operations Exploit Attempt", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "External Remote Services"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "Exploitation of Remote Services"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}]}, {"name": "VMware Server Side Injection and Privilege Escalation", "author": "Michael Haag, Splunk", "date": "2022-05-19", "version": 1, "id": "d6d51cc2-a092-43b7-9f61-1159943afe39", "description": "Recently disclosed CVE-2022-22954 and CVE-2022-22960 have been identified in the wild abusing VMware products to compromise internet faced devices and escalate privileges.", "references": ["https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954/rapid7-analysis", "https://www.cisa.gov/uscert/ncas/alerts/aa22-138b"], "narrative": "On April 6, 2022, VMware published VMSA-2022-0011, which discloses multiple vulnerabilities discovered by Steven Seeley (mr_me) of Qihoo 360 Vulnerability Research Institute. The most critical of the CVEs published in VMSA-2022-0011 is CVE-2022-22954, which is a server-side template injection issue with a CVSSv3 base score of 9.8. The vulnerability allows an unauthenticated user with network access to the web interface to execute an arbitrary shell command as the VMware user. To further exacerbate this issue, VMware also disclosed a local privilege escalation issue, CVE-2022-22960, which permits the attacker to gain root after exploiting CVE-2022-22954. Products affected include - VMware Workspace ONE Access (Access) 20.10.0.0 - 20.10.0.1, 21.08.0.0 - 21.08.0.1 and VMware Identity Manager (vIDM) 3.3.3 - 3.3.6.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}], "mitre_attack_tactics": ["Persistence", "Initial Access"], "datamodels": ["Web"], "kill_chain_phases": ["Installation", "Delivery"]}, "detection_names": ["ESCU - VMware Server Side Template Injection Hunt - Rule", "ESCU - VMware Workspace ONE Freemarker Server-side Template Injection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "VMware Server Side Template Injection Hunt", "source": "web", "type": "Hunting", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "VMware Workspace ONE Freemarker Server-side Template Injection", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}]}, {"name": "Volt Typhoon", "author": "Teoderick Contreras, Splunk", "date": "2023-05-25", "version": 1, "id": "f73010e4-49eb-44ef-9f3f-2c25a1ae5415", "description": "This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the \"Volt Typhoon\" group targeting critical infrastructure organizations in United States and Guam. The affected organizations include the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors. This Analytic story looks for suspicious process execution, lolbin execution, command-line activity, lsass dump and many more.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "narrative": "Volt Typhoon is a state sponsored group typically focuses on espionage and information gathering. Based on Microsoft Threat Intelligence, This threat actor group puts strong emphasis on stealth in this campaign by relying almost exclusively on living-off-the-land techniques and hands-on-keyboard activity.\nThey issue commands via the command line to: 1. collect data, including credentials from local and network systems,\n2. put the data into an archive file to stage it for exfiltration, and then\n3. use the stolen valid credentials to maintain persistence.\nIn addition, Volt Typhoon tries to blend into normal network activity by routing traffic through compromised small office and home office (SOHO) network equipment, including routers, firewalls, and VPN hardware. They have also been observed using custom versions of open-source tools to establish a command and control (C2) channel over proxy to further stay under the radar.", "tags": {"category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1003.003", "mitre_attack_technique": "NTDS", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "HAFNIUM", "Ke3chang", "LAPSUS$", "Mustang Panda", "Sandworm Team", "Scattered Spider", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "Cinnamon Tempest", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "MoustachedBouncer", "POLONIUM", "Sandworm Team", "Turla", "Volt Typhoon", "Windigo"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "APT5", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1590.002", "mitre_attack_technique": "DNS", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1059.007", "mitre_attack_technique": "JavaScript", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "Cobalt Group", "Earth Lusca", "Ember Bear", "Evilnum", "FIN6", "FIN7", "Higaisa", "Indrik Spider", "Kimsuky", "LazyScripter", "Leafminer", "Molerats", "MoustachedBouncer", "MuddyWater", "Sidewinder", "Silence", "TA505", "Turla"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1090.001", "mitre_attack_technique": "Internal Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT39", "FIN13", "Higaisa", "Lazarus Group", "Strider", "Turla", "Volt Typhoon"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "FIN7", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "ToddyCat", "Turla", "Volt Typhoon"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT", "ToddyCat"]}], "mitre_attack_tactics": ["Reconnaissance", "Command And Control", "Discovery", "Credential Access", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Impact", "Lateral Movement"], "datamodels": ["Risk", "Endpoint"], "kill_chain_phases": ["Reconnaissance", "Exploitation", "Actions on Objectives", "Installation", "Command and Control"]}, "detection_names": ["ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Creation of Shadow Copy - Rule", "ESCU - Creation of Shadow Copy with wmic and powershell - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Elevated Group Discovery With Net - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Extraction of Registry Hives - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Ntdsutil Export NTDS - Rule", "ESCU - Processes launching netsh - Rule", "ESCU - Remote WMI Command Attempt - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows DNS Gather Network Info - Rule", "ESCU - Windows Ldifde Directory Object Behavior - Rule", "ESCU - Windows Mimikatz Binary Execution - Rule", "ESCU - Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos - Rule", "ESCU - Windows Multiple Invalid Users Fail To Authenticate Using Kerberos - Rule", "ESCU - Windows Multiple Invalid Users Failed To Authenticate Using NTLM - Rule", "ESCU - Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials - Rule", "ESCU - Windows Multiple Users Failed To Authenticate From Host Using NTLM - Rule", "ESCU - Windows Multiple Users Failed To Authenticate From Process - Rule", "ESCU - Windows Multiple Users Failed To Authenticate Using Kerberos - Rule", "ESCU - Windows Multiple Users Remotely Failed To Authenticate From Host - Rule", "ESCU - Windows Proxy Via Netsh - Rule", "ESCU - Windows Proxy Via Registry - Rule", "ESCU - Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM - Rule", "ESCU - Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials - Rule", "ESCU - Windows Unusual Count Of Users Failed To Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Users Failed To Authenticate From Process - Rule", "ESCU - Windows Unusual Count Of Users Failed To Authenticate Using NTLM - Rule", "ESCU - Windows Unusual Count Of Users Remotely Failed To Auth From Host - Rule", "ESCU - Windows WMI Process Call Create - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}, {"name": "Creation of Shadow Copy", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Creation of Shadow Copy with wmic and powershell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Elevated Group Discovery With Net", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Extraction of Registry Hives", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}, {"name": "Malicious PowerShell Process - Execution Policy Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}, {"name": "Network Connection Discovery With Arp", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "Ntdsutil Export NTDS", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Processes launching netsh", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Remote WMI Command Attempt", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "Suspicious Copy on System32", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "Masquerading"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "System Network Connections Discovery"}, {"mitre_attack_technique": "System Owner/User Discovery"}, {"mitre_attack_technique": "System Shutdown/Reboot"}, {"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows DNS Gather Network Info", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "DNS"}]}, {"name": "Windows Ldifde Directory Object Behavior", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}, {"mitre_attack_technique": "Domain Groups"}]}, {"name": "Windows Mimikatz Binary Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Multiple Invalid Users Fail To Authenticate Using Kerberos", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Multiple Invalid Users Failed To Authenticate Using NTLM", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Multiple Users Failed To Authenticate From Host Using NTLM", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Multiple Users Failed To Authenticate From Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Multiple Users Failed To Authenticate Using Kerberos", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Multiple Users Remotely Failed To Authenticate From Host", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Proxy Via Netsh", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Internal Proxy"}, {"mitre_attack_technique": "Proxy"}]}, {"name": "Windows Proxy Via Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Internal Proxy"}, {"mitre_attack_technique": "Proxy"}]}, {"name": "Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Unusual Count Of Users Failed To Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Unusual Count Of Users Failed To Authenticate From Process", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Unusual Count Of Users Failed To Authenticate Using NTLM", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Unusual Count Of Users Remotely Failed To Auth From Host", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows WMI Process Call Create", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}]}, {"name": "Warzone RAT", "author": "Teoderick Contreras, Splunk", "date": "2023-07-26", "version": 1, "id": "8dc84752-f4da-4285-931c-bddd5c4d440b", "description": "This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might related to warzone (Ave maria) RAT. This analytic story looks for suspicious process execution, command-line activity, downloads, persistence, defense evasion and more.", "references": ["https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/warzone#:~:text=Warzone%20RAT%20(AKA%20Ave%20Maria)%20is%20a%20remote%20access%20trojan,is%20as%20an%20information%20stealer.", "https://tccontre.blogspot.com/2020/02/2-birds-in-one-stone-ave-maria-wshrat.html"], "narrative": "Warzone RAT, also known as Ave Maria, is a sophisticated remote access trojan (RAT) that surfaced in January 2019. Originally offered as malware-as-a-service (MaaS), it rapidly gained notoriety and became one of the most prominent malware strains by 2020. Its exceptional capabilities in stealth and anti-analysis techniques make it a formidable threat in various campaigns, including those targeting sensitive geopolitical entities. The malware's impact is particularly concerning as it has been associated with attacks aimed at compromising government employees and military personnel, notably within India's National Informatics Centre (NIC). Its deployment by several advanced persistent threat (APT) groups further underlines its potency and adaptability in the hands of skilled threat actors. Warzone RAT's capabilities enable attackers to gain unauthorized access to targeted systems, facilitating data theft, surveillance, and the potential to wreak havoc on critical infrastructures. As the threat landscape continues to evolve, vigilance and robust cybersecurity measures are crucial in defending against such malicious tools.\" This version provides more context and elaborates on the malware's capabilities and potential impact. Additionally, it emphasizes the importance of cybersecurity measures to combat such threats effectively.", "tags": {"category": ["Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1055.002", "mitre_attack_technique": "Portable Executable Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Gorgon Group", "Rocke"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1497.003", "mitre_attack_technique": "Time Based Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "APT41", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "Volt Typhoon", "ZIRCONIUM"]}, {"mitre_attack_id": "T1553.005", "mitre_attack_technique": "Mark-of-the-Web Bypass", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "TA505"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "APT41", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Malteiro", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "Malteiro", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1497", "mitre_attack_technique": "Virtualization/Sandbox Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": ["Darkhotel"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1204.001", "mitre_attack_technique": "Malicious Link", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Initial Access", "Discovery", "Privilege Escalation", "Credential Access", "Persistence", "Execution", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation"]}, "detection_names": ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Create Remote Thread In Shell Application - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Hide User Account From Sign-In Screen - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Office Application Drop Executable - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Ping Sleep Batch Command - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Bypass UAC via Pkgmgr Tool - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule", "ESCU - Windows Defender Exclusion Registry Entry - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Mark Of The Web Bypass - Rule", "ESCU - Windows Modify Registry MaxConnectionPerServer - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule", "ESCU - Windows Process Injection Remote Thread - Rule", "ESCU - Windows Unsigned DLL Side-Loading - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Create Remote Thread In Shell Application", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Hide User Account From Sign-In Screen", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "Office Application Drop Executable", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Ping Sleep Batch Command", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Virtualization/Sandbox Evasion"}, {"mitre_attack_technique": "Time Based Evasion"}]}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Windows Bypass UAC via Pkgmgr Tool", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}]}, {"name": "Windows Credentials from Password Stores Chrome LocalState Access", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Credentials from Password Stores Chrome Login Data Access", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Defender Exclusion Registry Entry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Malicious Link"}, {"mitre_attack_technique": "User Execution"}]}, {"name": "Windows Mark Of The Web Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Mark-of-the-Web Bypass"}]}, {"name": "Windows Modify Registry MaxConnectionPerServer", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}, {"name": "Windows Process Injection Remote Thread", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Portable Executable Injection"}]}, {"name": "Windows Unsigned DLL Side-Loading", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "DLL Side-Loading"}]}]}, {"name": "WhisperGate", "author": "Teoderick Contreras, Splunk", "date": "2022-01-19", "version": 1, "id": "0150e6e5-3171-442e-83f8-1ccd8599569b", "description": "This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the destructive malware targeting Ukrainian organizations also known as \"WhisperGate\". This analytic story looks for suspicious process execution, command-line activity, downloads, DNS queries and more.", "references": ["https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3"], "narrative": "WhisperGate/DEV-0586 is destructive malware operation found by MSTIC (Microsoft Threat Inteligence Center) targeting multiple organizations in Ukraine. This operation campaign consist of several malware component like the downloader that abuses discord platform, overwrite or destroy master boot record (MBR) of the targeted host, wiper and also windows defender evasion techniques.", "tags": {"category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.005", "mitre_attack_technique": "Visual Basic", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT33", "APT37", "APT38", "APT39", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Earth Lusca", "FIN13", "FIN4", "FIN7", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "Transparent Tribe", "Turla", "WIRTE", "Windshift"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1588.002", "mitre_attack_technique": "Tool", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT19", "APT28", "APT29", "APT32", "APT33", "APT38", "APT39", "APT41", "Aoqin Dragon", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Carbanak", "Chimera", "Cinnamon Tempest", "Cleaver", "Cobalt Group", "CopyKittens", "DarkHydrus", "DarkVishnya", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN5", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "GALLIUM", "Gorgon Group", "HEXANE", "Inception", "IndigoZebra", "Ke3chang", "Kimsuky", "LAPSUS$", "Lazarus Group", "Leafminer", "LuminousMoth", "Magic Hound", "Metador", "Moses Staff", "MuddyWater", "POLONIUM", "Patchwork", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "TA2541", "TA505", "Threat Group-3390", "Thrip", "Turla", "Volt Typhoon", "WIRTE", "Whitefly", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1561.002", "mitre_attack_technique": "Disk Structure Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}, {"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1497.003", "mitre_attack_technique": "Time Based Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1561", "mitre_attack_technique": "Disk Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1497", "mitre_attack_technique": "Virtualization/Sandbox Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": ["Darkhotel"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}], "mitre_attack_tactics": ["Resource Development", "Discovery", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Impact", "Lateral Movement"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Weaponization", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Excessive File Deletion In WinDefender Folder - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Ping Sleep Batch Command - Rule", "ESCU - Powershell Remove Windows Defender Directory - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Process Deleting Its Process File Path - Rule", "ESCU - Suspicious Process DNS Query Known Abuse Web Services - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Process With Discord DNS Query - Rule", "ESCU - Windows DotNet Binary in Non Standard Path - Rule", "ESCU - Windows High File Deletion Frequency - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows NirSoft AdvancedRun - Rule", "ESCU - Windows NirSoft Utilities - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - Wscript Or Cscript Suspicious Child Process - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Add or Set Windows Defender Exclusion", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Attempt To Stop Security Service", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Excessive File Deletion In WinDefender Folder", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}, {"name": "Ping Sleep Batch Command", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Virtualization/Sandbox Evasion"}, {"mitre_attack_technique": "Time Based Evasion"}]}, {"name": "Powershell Remove Windows Defender Directory", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Process Deleting Its Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Suspicious Process DNS Query Known Abuse Web Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Visual Basic"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Suspicious Process With Discord DNS Query", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Visual Basic"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows DotNet Binary in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}, {"name": "Windows High File Deletion Frequency", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}, {"name": "Windows NirSoft AdvancedRun", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Tool"}]}, {"name": "Windows NirSoft Utilities", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Tool"}]}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}, {"name": "Wscript Or Cscript Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Parent PID Spoofing"}, {"mitre_attack_technique": "Access Token Manipulation"}]}]}, {"name": "Windows AppLocker", "author": "Michael Haag, Splunk", "date": "2024-03-21", "version": 1, "id": "7911b245-e74d-48db-b1cf-69f3eb02ca55", "description": "Windows AppLocker is a feature that enhances security by allowing administrators to specify which users or groups can run particular applications in their organization based on unique identities of files. This story covers various aspects of monitoring and managing AppLocker policies, including detecting unauthorized software installations, enforcing best practices for software usage, and identifying potential security breaches through advanced threat detection techniques. Through the use of Splunk Enterprise, Splunk Enterprise Security, and Splunk Cloud, organizations can gain insights into AppLocker events, ensuring compliance with corporate security policies and mitigating risks associated with unauthorized applications.", "references": [], "narrative": "AppLocker, a built-in Windows security feature, provides organizations with the ability to control application usage across their networks. It enables administrators to define rules based on file names, publishers, and file hashes to allow or deny the execution of applications. This level of control helps in preventing malware and unlicensed software from running, thereby enhancing the security posture of an organization. \\\nOrganizations should leverage AppLocker for several reasons. Firstly, it aids in the enforcement of software compliance policies by ensuring that only licensed and approved applications are run on the network. Secondly, by restricting the execution of unauthorized applications, AppLocker significantly reduces the attack surface, making it harder for attackers to exploit vulnerabilities in unapproved software. Thirdly, AppLocker's ability to log attempts to run unauthorized applications provides valuable insights for security monitoring and incident response activities. This logging capability enables organizations to detect and respond to potential security threats in real time. \\\nIn summary, AppLocker is a critical security tool that helps organizations manage application usage, enforce compliance policies, and mitigate security risks. By implementing AppLocker policies, organizations can achieve a robust security posture, protecting their assets from unauthorized software and potential cyber threats.", "tags": {"category": ["Unauthorized Software", "Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": [], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Windows AppLocker Block Events - Rule", "ESCU - Windows AppLocker Execution from Uncommon Locations - Rule", "ESCU - Windows AppLocker Privilege Escalation via Unauthorized Bypass - Rule", "ESCU - Windows AppLocker Rare Application Launch Detection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows AppLocker Block Events", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}]}, {"name": "Windows AppLocker Execution from Uncommon Locations", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}]}, {"name": "Windows AppLocker Privilege Escalation via Unauthorized Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}]}, {"name": "Windows AppLocker Rare Application Launch Detection", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}]}]}, {"name": "Windows Attack Surface Reduction", "author": "Michael Haag, Splunk", "date": "2023-11-27", "version": 1, "id": "1d61c474-3cd6-4c23-8c68-f128ac4b209b", "description": "This story contains detections for Windows Attack Surface Reduction (ASR) events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This story contains detections for ASR events that are generated when a process or application attempts to perform an action that is blocked by an ASR rule.", "references": ["https://asrgen.streamlit.app/", "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction?view=o365-worldwide"], "narrative": "This story contains detections for Windows Attack Surface Reduction (ASR) events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This story contains detections for ASR events that are generated when a process or application attempts to perform an action that is blocked by an ASR rule. It includes detections for both block and audit event IDs. Block event IDs are generated when an action is blocked by an ASR rule, while audit event IDs are generated when an action that would be blocked by an ASR rule is allowed to proceed for auditing purposes.", "tags": {"category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1566.002", "mitre_attack_technique": "Spearphishing Link", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Execution", "Initial Access", "Defense Evasion"], "datamodels": [], "kill_chain_phases": ["Installation", "Delivery", "Exploitation"]}, "detection_names": ["ESCU - Windows Defender ASR Audit Events - Rule", "ESCU - Windows Defender ASR Block Events - Rule", "ESCU - Windows Defender ASR Registry Modification - Rule", "ESCU - Windows Defender ASR Rule Disabled - Rule", "ESCU - Windows Defender ASR Rules Stacking - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Defender ASR Audit Events", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Spearphishing Link"}]}, {"name": "Windows Defender ASR Block Events", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Spearphishing Link"}]}, {"name": "Windows Defender ASR Registry Modification", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Defender ASR Rule Disabled", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Defender ASR Rules Stacking", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Spearphishing Link"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}]}, {"name": "Windows BootKits", "author": "Michael Haag, Splunk", "date": "2023-05-03", "version": 1, "id": "1bef004d-23b2-4c49-8ceb-b59af0745317", "description": "Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/", "https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/"], "narrative": "A bootkit is a sophisticated type of malware that targets the boot sectors of a hard drive, specifically the Master Boot Record (MBR) and Volume Boot Record (VBR). The MBR is the initial section of the disk that is loaded following the hardware initialization process executed by the Basic Input/Output System (BIOS). It houses the boot loader, which is responsible for loading the operating system. In contrast, the VBR is located at the beginning of each partition and contains the boot code for that specific partition. When an adversary gains raw access to the boot drive, they can overwrite the MBR or VBR, effectively diverting the execution during startup from the standard boot loader to the malicious code injected by the attacker. This tampering allows the malware to load before the operating system, enabling it to execute malicious activities stealthily and maintain persistence on the compromised system. Bootkits are particularly dangerous because they can bypass security measures implemented by the operating system and antivirus software. Since they load before the operating system, they can easily evade detection and manipulate the system's behavior from the earliest stages of the boot process. This capability makes bootkits a potent tool in an attacker's arsenal for gaining unauthorized access, stealing sensitive information, or launching further attacks on other systems. To defend against bootkit attacks, organizations should implement multiple layers of security, including strong endpoint protection, regular software updates, user awareness training, and monitoring for unusual system behavior. Additionally, hardware-based security features, such as Unified Extensible Firmware Interface (UEFI) Secure Boot and Trusted Platform Module (TPM), can help protect the integrity of the boot process and reduce the risk of bootkit infections.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1542.001", "mitre_attack_technique": "System Firmware", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1542", "mitre_attack_technique": "Pre-OS Boot", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Persistence", "Defense Evasion"], "datamodels": [], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - Windows BootLoader Inventory - Rule", "ESCU - Windows Registry BootExecute Modification - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows BootLoader Inventory", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Firmware"}, {"mitre_attack_technique": "Pre-OS Boot"}]}, {"name": "Windows Registry BootExecute Modification", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Pre-OS Boot"}, {"mitre_attack_technique": "Registry Run Keys / Startup Folder"}]}]}, {"name": "Windows Certificate Services", "author": "Michael Haag, Splunk", "date": "2023-02-01", "version": 1, "id": "b92b4ac7-0026-4408-a6b5-c1d20658e124", "description": "Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material.", "references": ["https://attack.mitre.org/techniques/T1649/"], "narrative": "The following analytic story focuses on remote and local endpoint certificate theft and abuse. Authentication certificates can be both stolen and forged. For example, AD CS certificates can be stolen from encrypted storage (in the Registry or files), misplaced certificate files (i.e. Unsecured Credentials), or directly from the Windows certificate store via various crypto APIs.With appropriate enrollment rights, users and/or machines within a domain can also request and/or manually renew certificates from enterprise certificate authorities (CA). This enrollment process defines various settings and permissions associated with the certificate. Abusing certificates for authentication credentials may enable other behaviors such as Lateral Movement. Certificate-related misconfigurations may also enable opportunities for Privilege Escalation, by way of allowing users to impersonate or assume privileged accounts or permissions via the identities (SANs) associated with a certificate. These abuses may also enable Persistence via stealing or forging certificates that can be used as Valid Accounts for the duration of the certificate's validity, despite user password resets. Authentication certificates can also be stolen and forged for machine accounts. (MITRE ATT&CK)", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1552.004", "mitre_attack_technique": "Private Keys", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Rocke", "Scattered Spider", "TeamTNT"]}, {"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Command And Control", "Collection", "Credential Access", "Execution", "Defense Evasion", "Lateral Movement"], "datamodels": ["Risk", "Endpoint"], "kill_chain_phases": ["Installation", "Exploitation", "Command and Control"]}, "detection_names": ["ESCU - Certutil exe certificate extraction - Rule", "ESCU - Detect Certify Command Line Arguments - Rule", "ESCU - Detect Certify With PowerShell Script Block Logging - Rule", "ESCU - Detect Certipy File Modifications - Rule", "ESCU - Steal or Forge Authentication Certificates Behavior Identified - Rule", "ESCU - Windows Export Certificate - Rule", "ESCU - Windows Mimikatz Crypto Export File Extensions - Rule", "ESCU - Windows PowerShell Export Certificate - Rule", "ESCU - Windows PowerShell Export PfxCertificate - Rule", "ESCU - Windows Steal Authentication Certificates - ESC1 Abuse - Rule", "ESCU - Windows Steal Authentication Certificates - ESC1 Authentication - Rule", "ESCU - Windows Steal Authentication Certificates Certificate Issued - Rule", "ESCU - Windows Steal Authentication Certificates Certificate Request - Rule", "ESCU - Windows Steal Authentication Certificates CertUtil Backup - Rule", "ESCU - Windows Steal Authentication Certificates CryptoAPI - Rule", "ESCU - Windows Steal Authentication Certificates CS Backup - Rule", "ESCU - Windows Steal Authentication Certificates Export Certificate - Rule", "ESCU - Windows Steal Authentication Certificates Export PfxCertificate - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Certutil exe certificate extraction", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Certify Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Detect Certify With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Detect Certipy File Modifications", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}, {"mitre_attack_technique": "Archive Collected Data"}]}, {"name": "Steal or Forge Authentication Certificates Behavior Identified", "source": "endpoint", "type": "Correlation", "tags": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}, {"name": "Windows Export Certificate", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Private Keys"}, {"mitre_attack_technique": "Unsecured Credentials"}, {"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}, {"name": "Windows Mimikatz Crypto Export File Extensions", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}, {"name": "Windows PowerShell Export Certificate", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Private Keys"}, {"mitre_attack_technique": "Unsecured Credentials"}, {"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}, {"name": "Windows PowerShell Export PfxCertificate", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Private Keys"}, {"mitre_attack_technique": "Unsecured Credentials"}, {"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}, {"name": "Windows Steal Authentication Certificates - ESC1 Abuse", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}, {"name": "Windows Steal Authentication Certificates - ESC1 Authentication", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}, {"mitre_attack_technique": "Use Alternate Authentication Material"}]}, {"name": "Windows Steal Authentication Certificates Certificate Issued", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}, {"name": "Windows Steal Authentication Certificates Certificate Request", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}, {"name": "Windows Steal Authentication Certificates CertUtil Backup", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}, {"name": "Windows Steal Authentication Certificates CryptoAPI", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}, {"name": "Windows Steal Authentication Certificates CS Backup", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}, {"name": "Windows Steal Authentication Certificates Export Certificate", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}, {"name": "Windows Steal Authentication Certificates Export PfxCertificate", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}]}, {"name": "Windows Defense Evasion Tactics", "author": "David Dorsey, Splunk", "date": "2018-05-31", "version": 1, "id": "56e24a28-5003-4047-b2db-e8f3c4618064", "description": "Detect tactics used by malware to evade defenses on Windows endpoints. A few of these include suspicious `reg.exe` processes, files hidden with `attrib.exe` and disabling user-account control, among many others ", "references": ["https://attack.mitre.org/wiki/Defense_Evasion"], "narrative": "Defense evasion is a tactic--identified in the MITRE ATT&CK framework--that adversaries employ in a variety of ways to bypass or defeat defensive security measures. There are many techniques enumerated by the MITRE ATT&CK framework that are applicable in this context. This Analytic Story includes searches designed to identify the use of such techniques on Windows platforms.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Cinnamon Tempest", "Earth Lusca", "FIN13", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1134.004", "mitre_attack_technique": "Parent PID Spoofing", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1564.004", "mitre_attack_technique": "NTFS File Attributes", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "APT5", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1505.004", "mitre_attack_technique": "IIS Components", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1055.001", "mitre_attack_technique": "Dynamic-link Library Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["BackdoorDiplomacy", "Lazarus Group", "Leviathan", "Malteiro", "Putter Panda", "TA505", "Tropic Trooper", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1222.001", "mitre_attack_technique": "Windows File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1218.014", "mitre_attack_technique": "MMC", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1562.002", "mitre_attack_technique": "Disable Windows Event Logging", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound", "Threat Group-3390"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1027.004", "mitre_attack_technique": "Compile After Delivery", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Gamaredon Group", "MuddyWater", "Rocke"]}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1564.001", "mitre_attack_technique": "Hidden Files and Directories", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "FIN13", "HAFNIUM", "Lazarus Group", "LuminousMoth", "Mustang Panda", "Rocke", "Transparent Tribe", "Tropic Trooper"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1574.001", "mitre_attack_technique": "DLL Search Order Hijacking", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT41", "Aquatic Panda", "BackdoorDiplomacy", "Cinnamon Tempest", "Evilnum", "RTM", "Threat Group-3390", "Tonto Team", "Whitefly", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1564", "mitre_attack_technique": "Hide Artifacts", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT", "ToddyCat"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}], "mitre_attack_tactics": ["Discovery", "Privilege Escalation", "Credential Access", "Persistence", "Execution", "Defense Evasion", "Impact"], "datamodels": ["Endpoint", "Updates", "Web", "Risk", "Change"], "kill_chain_phases": ["Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Reg exe used to hide files directories via registry keys - Rule", "ESCU - Remote Registry Key modifications - Rule", "ESCU - Windows DLL Search Order Hijacking Hunt - Rule", "ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - CSC Net On The Fly Compilation - Rule", "ESCU - Disable Registry Tool - Rule", "ESCU - Disable Security Logs Using MiniNt Registry - Rule", "ESCU - Disable Show Hidden Files - Rule", "ESCU - Disable UAC Remote Restriction - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Disable Windows SmartScreen Protection - Rule", "ESCU - Disabling CMD Application - Rule", "ESCU - Disabling ControlPanel - Rule", "ESCU - Disabling Firewall with Netsh - Rule", "ESCU - Disabling FolderOptions Windows Feature - Rule", "ESCU - Disabling NoRun Windows App - Rule", "ESCU - Disabling Remote User Account Control - Rule", "ESCU - Disabling SystemRestore In Registry - Rule", "ESCU - Disabling Task Manager - Rule", "ESCU - Disabling Windows Local Security Authority Defences via Registry - Rule", "ESCU - Eventvwr UAC Bypass - Rule", "ESCU - Excessive number of service control start as disabled - Rule", "ESCU - Firewall Allowed Program Enable - Rule", "ESCU - FodHelper UAC Bypass - Rule", "ESCU - Hiding Files And Directories With Attrib exe - Rule", "ESCU - NET Profiler UAC bypass - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Sdclt UAC Bypass - Rule", "ESCU - SilentCleanup UAC Bypass - Rule", "ESCU - SLUI RunAs Elevated - Rule", "ESCU - SLUI Spawning a Process - Rule", "ESCU - Suspicious Reg exe Process - Rule", "ESCU - UAC Bypass MMC Load Unsigned Dll - Rule", "ESCU - Windows Alternate DataStream - Base64 Content - Rule", "ESCU - Windows Alternate DataStream - Executable Content - Rule", "ESCU - Windows Alternate DataStream - Process Execution - Rule", "ESCU - Windows Command and Scripting Interpreter Hunting Path Traversal - Rule", "ESCU - Windows Command and Scripting Interpreter Path Traversal Exec - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows Defender Exclusion Registry Entry - Rule", "ESCU - Windows Disable Change Password Through Registry - Rule", "ESCU - Windows Disable Lock Workstation Feature Through Registry - Rule", "ESCU - Windows Disable Notification Center - Rule", "ESCU - Windows Disable Windows Event Logging Disable HTTP Logging - Rule", "ESCU - Windows Disable Windows Group Policy Features Through Registry - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows DISM Remove Defender - Rule", "ESCU - Windows DLL Search Order Hijacking Hunt with Sysmon - Rule", "ESCU - Windows DLL Search Order Hijacking with iscsicpl - Rule", "ESCU - Windows Event For Service Disabled - Rule", "ESCU - Windows Excessive Disabled Services Event - Rule", "ESCU - Windows Hide Notification Features Through Registry - Rule", "ESCU - Windows Impair Defense Change Win Defender Health Check Intervals - Rule", "ESCU - Windows Impair Defense Change Win Defender Quick Scan Interval - Rule", "ESCU - Windows Impair Defense Change Win Defender Throttle Rate - Rule", "ESCU - Windows Impair Defense Change Win Defender Tracing Level - Rule", "ESCU - Windows Impair Defense Configure App Install Control - Rule", "ESCU - Windows Impair Defense Define Win Defender Threat Action - Rule", "ESCU - Windows Impair Defense Delete Win Defender Context Menu - Rule", "ESCU - Windows Impair Defense Delete Win Defender Profile Registry - Rule", "ESCU - Windows Impair Defense Disable Controlled Folder Access - Rule", "ESCU - Windows Impair Defense Disable Defender Firewall And Network - Rule", "ESCU - Windows Impair Defense Disable Defender Protocol Recognition - Rule", "ESCU - Windows Impair Defense Disable PUA Protection - Rule", "ESCU - Windows Impair Defense Disable Realtime Signature Delivery - Rule", "ESCU - Windows Impair Defense Disable Web Evaluation - Rule", "ESCU - Windows Impair Defense Disable Win Defender App Guard - Rule", "ESCU - Windows Impair Defense Disable Win Defender Compute File Hashes - Rule", "ESCU - Windows Impair Defense Disable Win Defender Gen reports - Rule", "ESCU - Windows Impair Defense Disable Win Defender Network Protection - Rule", "ESCU - Windows Impair Defense Disable Win Defender Report Infection - Rule", "ESCU - Windows Impair Defense Disable Win Defender Scan On Update - Rule", "ESCU - Windows Impair Defense Disable Win Defender Signature Retirement - Rule", "ESCU - Windows Impair Defense Overide Win Defender Phishing Filter - Rule", "ESCU - Windows Impair Defense Override SmartScreen Prompt - Rule", "ESCU - Windows Impair Defense Set Win Defender Smart Screen Level To Warn - Rule", "ESCU - Windows Impair Defenses Disable HVCI - Rule", "ESCU - Windows Impair Defenses Disable Win Defender Auto Logging - Rule", "ESCU - Windows Known Abused DLL Created - Rule", "ESCU - Windows Modify Show Compress Color And Info Tip Registry - Rule", "ESCU - Windows Parent PID Spoofing with Explorer - Rule", "ESCU - Windows PowerShell Disable HTTP Logging - Rule", "ESCU - Windows Process With NamedPipe CommandLine - Rule", "ESCU - Windows Rasautou DLL Execution - Rule", "ESCU - Windows UAC Bypass Suspicious Child Process - Rule", "ESCU - Windows UAC Bypass Suspicious Escalation Behavior - Rule", "ESCU - WSReset UAC Bypass - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Reg exe used to hide files directories via registry keys", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Hidden Files and Directories"}]}, {"name": "Remote Registry Key modifications", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Windows DLL Search Order Hijacking Hunt", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "DLL Search Order Hijacking"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "Add or Set Windows Defender Exclusion", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "CSC Net On The Fly Compilation", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Compile After Delivery"}, {"mitre_attack_technique": "Obfuscated Files or Information"}]}, {"name": "Disable Registry Tool", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}, {"name": "Disable Security Logs Using MiniNt Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Disable Show Hidden Files", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Hidden Files and Directories"}, {"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Hide Artifacts"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}, {"name": "Disable UAC Remote Restriction", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Windows SmartScreen Protection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disabling CMD Application", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}, {"name": "Disabling ControlPanel", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}, {"name": "Disabling Firewall with Netsh", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disabling FolderOptions Windows Feature", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disabling NoRun Windows App", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}, {"name": "Disabling Remote User Account Control", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Disabling SystemRestore In Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Disabling Task Manager", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disabling Windows Local Security Authority Defences via Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Authentication Process"}]}, {"name": "Eventvwr UAC Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Excessive number of service control start as disabled", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Firewall Allowed Program Enable", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "FodHelper UAC Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}, {"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Hiding Files And Directories With Attrib exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "Windows File and Directory Permissions Modification"}]}, {"name": "NET Profiler UAC bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Sdclt UAC Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "SilentCleanup UAC Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "SLUI RunAs Elevated", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "SLUI Spawning a Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Suspicious Reg exe Process", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "UAC Bypass MMC Load Unsigned Dll", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}, {"mitre_attack_technique": "MMC"}]}, {"name": "Windows Alternate DataStream - Base64 Content", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Hide Artifacts"}, {"mitre_attack_technique": "NTFS File Attributes"}]}, {"name": "Windows Alternate DataStream - Executable Content", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Hide Artifacts"}, {"mitre_attack_technique": "NTFS File Attributes"}]}, {"name": "Windows Alternate DataStream - Process Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Hide Artifacts"}, {"mitre_attack_technique": "NTFS File Attributes"}]}, {"name": "Windows Command and Scripting Interpreter Hunting Path Traversal", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows Command and Scripting Interpreter Path Traversal Exec", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "System Network Connections Discovery"}, {"mitre_attack_technique": "System Owner/User Discovery"}, {"mitre_attack_technique": "System Shutdown/Reboot"}, {"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows Defender Exclusion Registry Entry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Disable Change Password Through Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Disable Lock Workstation Feature Through Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Disable Notification Center", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Disable Windows Event Logging Disable HTTP Logging", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable Windows Event Logging"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}, {"name": "Windows Disable Windows Group Policy Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows DISM Remove Defender", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows DLL Search Order Hijacking Hunt with Sysmon", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "DLL Search Order Hijacking"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "Windows DLL Search Order Hijacking with iscsicpl", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "DLL Search Order Hijacking"}]}, {"name": "Windows Event For Service Disabled", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Excessive Disabled Services Event", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Hide Notification Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Impair Defense Change Win Defender Health Check Intervals", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Change Win Defender Quick Scan Interval", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Change Win Defender Throttle Rate", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Change Win Defender Tracing Level", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Configure App Install Control", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Define Win Defender Threat Action", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Delete Win Defender Context Menu", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Delete Win Defender Profile Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Controlled Folder Access", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Defender Firewall And Network", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Defender Protocol Recognition", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable PUA Protection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Realtime Signature Delivery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Web Evaluation", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Win Defender App Guard", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Win Defender Compute File Hashes", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Win Defender Gen reports", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Win Defender Network Protection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Win Defender Report Infection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Win Defender Scan On Update", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Win Defender Signature Retirement", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Overide Win Defender Phishing Filter", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Override SmartScreen Prompt", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Set Win Defender Smart Screen Level To Warn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defenses Disable HVCI", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defenses Disable Win Defender Auto Logging", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Known Abused DLL Created", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "DLL Search Order Hijacking"}, {"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "Windows Modify Show Compress Color And Info Tip Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Parent PID Spoofing with Explorer", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Parent PID Spoofing"}, {"mitre_attack_technique": "Access Token Manipulation"}]}, {"name": "Windows PowerShell Disable HTTP Logging", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Disable Windows Event Logging"}, {"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}, {"name": "Windows Process With NamedPipe CommandLine", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Windows Rasautou DLL Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Dynamic-link Library Injection"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Process Injection"}]}, {"name": "Windows UAC Bypass Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}, {"mitre_attack_technique": "Bypass User Account Control"}]}, {"name": "Windows UAC Bypass Suspicious Escalation Behavior", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}, {"mitre_attack_technique": "Bypass User Account Control"}]}, {"name": "WSReset UAC Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}]}, {"name": "Windows Discovery Techniques", "author": "Michael Hart, Splunk", "date": "2021-03-04", "version": 1, "id": "f7aba570-7d59-11eb-825e-acde48001122", "description": "Monitors for behaviors associated with adversaries discovering objects in the environment that can be leveraged in the progression of the attack.", "references": ["https://attack.mitre.org/tactics/TA0007/", "https://cyberd.us/penetration-testing", "https://attack.mitre.org/software/S0521/"], "narrative": "Attackers may not have much if any insight into their target's environment before the initial compromise. Once a foothold has been established, attackers will start enumerating objects in the environment (accounts, services, network shares, etc.) that can be used to achieve their objectives. This Analytic Story provides searches to help identify activities consistent with adversaries gaining knowledge of compromised Windows environments.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Behavioral Analytics", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT41", "BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Scattered Spider", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Akira", "Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT41", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "FIN7", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "ToddyCat", "Turla", "Volt Typhoon"]}, {"mitre_attack_id": "T1082", "mitre_attack_technique": "System Information Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT19", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "Blue Mockingbird", "Chimera", "Confucius", "Darkhotel", "FIN13", "FIN8", "Gamaredon Group", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Malteiro", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Sowbug", "Stealth Falcon", "TA2541", "TeamTNT", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Windigo", "Windshift", "Wizard Spider", "ZIRCONIUM", "admin@338"]}], "mitre_attack_tactics": ["Discovery"], "datamodels": ["Network_Traffic", "Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Detect AzureHound Command-Line Arguments - Rule", "ESCU - Detect AzureHound File Modifications - Rule", "ESCU - Detect SharpHound Command-Line Arguments - Rule", "ESCU - Detect SharpHound File Modifications - Rule", "ESCU - Detect SharpHound Usage - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Traffic to Active Directory Web Services Protocol - Rule", "ESCU - System Information Discovery Detection - Rule", "ESCU - Windows SOAPHound Binary Execution - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Hart", "detections": [{"name": "Detect AzureHound Command-Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Local Groups"}, {"mitre_attack_technique": "Domain Trust Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Groups"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}, {"name": "Detect AzureHound File Modifications", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Local Groups"}, {"mitre_attack_technique": "Domain Trust Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Groups"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}, {"name": "Detect SharpHound Command-Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Local Groups"}, {"mitre_attack_technique": "Domain Trust Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Groups"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}, {"name": "Detect SharpHound File Modifications", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Local Groups"}, {"mitre_attack_technique": "Domain Trust Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Groups"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}, {"name": "Detect SharpHound Usage", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Local Groups"}, {"mitre_attack_technique": "Domain Trust Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Groups"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}, {"name": "Network Traffic to Active Directory Web Services Protocol", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Local Groups"}, {"mitre_attack_technique": "Domain Trust Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Groups"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}, {"name": "System Information Discovery Detection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Information Discovery"}]}, {"name": "Windows SOAPHound Binary Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Local Groups"}, {"mitre_attack_technique": "Domain Trust Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Groups"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}]}, {"name": "Windows DNS SIGRed CVE-2020-1350", "author": "Shannon Davis, Splunk", "date": "2020-07-28", "version": 1, "id": "36dbb206-d073-11ea-87d0-0242ac130003", "description": "Uncover activity consistent with CVE-2020-1350, or SIGRed. Discovered by Checkpoint researchers, this vulnerability affects Windows 2003 to 2019, and is triggered by a malicious DNS response (only affects DNS over TCP). An attacker can use the malicious payload to cause a buffer overflow on the vulnerable system, leading to compromise. The included searches in this Analytic Story are designed to identify the large response payload for SIG and KEY DNS records which can be used for the exploit.", "references": ["https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", "https://support.microsoft.com/en-au/help/4569509/windows-dns-server-remote-code-execution-vulnerability"], "narrative": "When a client requests a DNS record for a particular domain, that request gets routed first through the client's locally configured DNS server, then to any DNS server(s) configured as forwarders, and then onto the target domain's own DNS server(s). If a attacker wanted to, they could host a malicious DNS server that responds to the initial request with a specially crafted large response (~65KB). This response would flow through to the client's local DNS server, which if not patched for CVE-2020-1350, would cause the buffer overflow. The detection searches in this Analytic Story use wire data to detect the malicious behavior. Searches for Splunk Stream and Zeek are included. The Splunk Stream search correlates across stream:dns and stream:tcp, while the Zeek search correlates across bro:dns:json and bro:conn:json. These correlations are required to pick up both the DNS record types (SIG and KEY) along with the payload size (>65KB).", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1203", "mitre_attack_technique": "Exploitation for Client Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT12", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT41", "Andariel", "Aoqin Dragon", "Axiom", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "Higaisa", "Inception", "Lazarus Group", "Leviathan", "MuddyWater", "Mustang Panda", "Patchwork", "Sandworm Team", "Sidewinder", "TA459", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "admin@338"]}], "mitre_attack_tactics": ["Execution"], "datamodels": [], "kill_chain_phases": ["Installation"]}, "detection_names": ["ESCU - Detect Windows DNS SIGRed via Splunk Stream - Rule", "ESCU - Detect Windows DNS SIGRed via Zeek - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Shannon Davis", "detections": [{"name": "Detect Windows DNS SIGRed via Splunk Stream", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploitation for Client Execution"}]}, {"name": "Detect Windows DNS SIGRed via Zeek", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploitation for Client Execution"}]}]}, {"name": "Windows Drivers", "author": "Michael Haag, Splunk", "date": "2022-03-30", "version": 1, "id": "d0a9323f-9411-4da6-86b2-18c184d750c0", "description": "Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components.", "references": ["https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/", "https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf", "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/"], "narrative": "A rootkit on Windows may sometimes be in the form of a Windows Driver. A driver typically has a file extension of .sys, however the internals of a sys file is similar to a Windows DLL. For Microsoft Windows to load a driver, a few requirements are needed. First, it must have a valid signature. Second, typically it should load from the windows\\system32\\drivers path. There are a few methods to investigate drivers in the environment. Drivers are noisy. An inventory of all drivers is important to understand prevalence. A driver location (Path) is also important when attempting to baseline. Looking at a driver name and path is not enough, we must also explore the signing information. Product, description, company name, signer and signing result are all items to take into account when reviewing drivers. What makes a driver malicious? Depending if a driver was dropped during a campaign or you are baselining drivers after, triaging a driver to determine maliciousness may be tough. We break this into two categories - 1. vulnerable drivers 2. driver rootkits. Attempt to identify prevelance of the driver. Is it on one or many? Review the signing information if it is present. Is it common? A lot of driver hunting will lead down rabbit holes, but we hope to help lead the way.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1014", "mitre_attack_technique": "Rootkit", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT41", "Rocke", "TeamTNT", "Winnti Group"]}, {"mitre_attack_id": "T1553.004", "mitre_attack_technique": "Install Root Certificate", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1553", "mitre_attack_technique": "Subvert Trust Controls", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Axiom"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Persistence", "Defense Evasion", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Windows Driver Inventory - Rule", "ESCU - Windows Driver Load Non-Standard Path - Rule", "ESCU - Windows Drivers Loaded by Signature - Rule", "ESCU - Windows Registry Certificate Added - Rule", "ESCU - Windows Registry Modification for Safe Mode Persistence - Rule", "ESCU - Windows Service Create Kernel Mode Driver - Rule", "ESCU - Windows System File on Disk - Rule", "ESCU - Windows Vulnerable Driver Loaded - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Windows Driver Inventory", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}, {"name": "Windows Driver Load Non-Standard Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Rootkit"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}, {"name": "Windows Drivers Loaded by Signature", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Rootkit"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}, {"name": "Windows Registry Certificate Added", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Install Root Certificate"}, {"mitre_attack_technique": "Subvert Trust Controls"}]}, {"name": "Windows Registry Modification for Safe Mode Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Windows Service Create Kernel Mode Driver", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}, {"name": "Windows System File on Disk", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}, {"name": "Windows Vulnerable Driver Loaded", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Service"}]}]}, {"name": "Windows Error Reporting Service Elevation of Privilege Vulnerability", "author": "Michael Haag, Splunk", "date": "2023-08-24", "version": 1, "id": "64dea1e5-2c60-461f-b886-05580ed89b5c", "description": "In July 2023, CrowdStrike's Falcon Complete managed detection and response (MDR) team uncovered an exploit kit using an unknown vulnerability in the Windows Error Reporting (WER) component. The vulnerability, now identified as CVE-2023-36874, was also independently discovered by Google's Threat Analysis Group. The exploit came to light when suspicious binaries were observed on a European technology system. CrowdStrike's Counter Adversary Operations' analysis revealed a zero-day exploit targeting the WER service, allowing attackers to execute unauthorized code with elevated privileges. The exploit kit seen aimed to spawn a privileged interpreter, displaying the versatility and adaptability of the threat. CrowdStrike has listed some potential indicators of compromise, but these are of low fidelity due to their mutable nature.", "references": ["https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/"], "narrative": "In June 2023, CrowdStrike's Falcon Complete team observed suspicious activities on a European technology entity's system. Multiple binaries were dropped onto the system via Remote Desktop Protocol (RDP), some of which were flagged as potential exploits for a known vulnerability. However, a string containing the Russian term for \"0day\" suggested an unknown vulnerability was at play. Subsequent investigations identified this as a zero-day vulnerability affecting the Windows Error Reporting (WER) component, now known as CVE-2023-36874.\nThe WER service's function is to report software issues on Windows hosts. The exploit centered around manipulating the WER service by redirecting file systems to execute attacker-controlled code with elevated privileges. This was achieved by creating a symbolic link redirection from the C:\\ drive to an attacker-controlled directory, and then triggering certain WER functions. Consequently, an unauthorized executable was run instead of the legitimate one, giving the attacker high-level access.\nThe observed exploit kit's primary objective was to initiate a privileged interpreter, such as cmd.exe or powershell_ise.exe. If this couldn't be achieved, a privileged scheduled task was created as an alternative. The exploit kit showcased a range of binaries, some packed and others not, some in C++ and others in pure C. This diversity suggests the knowledge of the vulnerability was likely shared among different developers.\nCrowdStrike's Counter Adversary Operations, as of now, hasn't linked this activity to any specific threat actor. They've provided potential indicators of compromise, but caution that these are easily changed, indicating the advanced capabilities of the adversaries.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}], "mitre_attack_tactics": ["Privilege Escalation", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - Windows Process Injection Wermgr Child Process - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "System Processes Run From Unexpected Locations", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}, {"name": "Windows Process Injection Wermgr Child Process", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}]}, {"name": "Windows File Extension and Association Abuse", "author": "Rico Valdez, Splunk", "date": "2018-01-26", "version": 1, "id": "30552a76-ac78-48e4-b3c0-de4e34e9563d", "description": "Detect and investigate suspected abuse of file extensions and Windows file associations. Some of the malicious behaviors involved may include inserting spaces before file extensions or prepending the file extension with a different one, among other techniques.", "references": ["https://blog.malwarebytes.com/cybercrime/2013/12/file-extensions-2/", "https://attack.mitre.org/wiki/Technique/T1042"], "narrative": "Attackers use a variety of techniques to entice users to run malicious code or to persist on an endpoint. One way to accomplish these goals is to leverage file extensions and the mechanism Windows uses to associate files with specific applications.\nSince its earliest days, Windows has used extensions to identify file types. Users have become familiar with these extensions and their application associations. For example, if users see that a file ends in `.doc` or `.docx`, they will assume that it is a Microsoft Word document and expect that double-clicking will open it using `winword.exe`. The user will typically also presume that the `.docx` file is safe.\nAttackers take advantage of this expectation by obfuscating the true file extension. They can accomplish this in a couple of ways. One technique involves inserting multiple spaces in the file name before the extension to hide the extension from the GUI, obscuring the true nature of the file. Another approach involves prepending the real extension with a different one. This is especially effective when Windows is configured to \"hide extensions for known file types.\" In this case, the real extension is not displayed, but the prepended one is, leading end users to believe the file is a different type than it actually is.\nChanging the association between a file extension and an application can allow an attacker to execute arbitrary code. The technique typically involves changing the association for an often-launched file type to associate instead with a malicious program the attacker has dropped on the endpoint. When the end user launches a file that has been manipulated in this way, it will execute the attacker's malware. It will also execute the application the end user expected to run, cleverly obscuring the fact that something suspicious has occurred.\nRun the searches in this story to detect and investigate suspicious behavior that may indicate abuse or manipulation of Windows file extensions and/or associations.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}], "mitre_attack_tactics": ["Persistence", "Privilege Escalation", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - Execution of File With Spaces Before Extension - Rule", "ESCU - Suspicious Changes to File Associations - Rule", "ESCU - Execution of File with Multiple Extensions - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Execution of File With Spaces Before Extension", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Rename System Utilities"}]}, {"name": "Suspicious Changes to File Associations", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Change Default File Association"}]}, {"name": "Execution of File with Multiple Extensions", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}]}, {"name": "Windows Log Manipulation", "author": "Rico Valdez, Splunk", "date": "2017-09-12", "version": 2, "id": "b6db2c60-a281-48b4-95f1-2cd99ed56835", "description": "Adversaries often try to cover their tracks by manipulating Windows logs. Use these searches to help you monitor for suspicious activity surrounding log files--an essential component of an effective defense.", "references": ["https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", "https://zeltser.com/security-incident-log-review-checklist/", "http://journeyintoir.blogspot.com/2013/01/re-introducing-usnjrnl.html"], "narrative": "Because attackers often modify system logs to cover their tracks and/or to thwart the investigative process, log monitoring is an industry-recognized best practice. While there are legitimate reasons to manipulate system logs, it is still worthwhile to keep track of who manipulated the logs, when they manipulated them, and in what way they manipulated them (determining which accesses, tools, or utilities were employed). Even if no malicious activity is detected, the knowledge of an attempt to manipulate system logs may be indicative of a broader security risk that should be thoroughly investigated.\nThe Analytic Story gives users two different ways to detect manipulation of Windows Event Logs and one way to detect deletion of the Update Sequence Number (USN) Change Journal. The story helps determine the history of the host and the users who have accessed it. Finally, the story aides in investigation by retrieving all the information on the process that caused these events (if the process has been identified).", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1070.001", "mitre_attack_technique": "Clear Windows Event Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "APT38", "APT41", "Chimera", "Dragonfly", "FIN5", "FIN8", "Indrik Spider"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}], "mitre_attack_tactics": ["Impact", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Deleting Shadow Copies - Rule", "ESCU - Suspicious Event Log Service Behavior - Rule", "ESCU - Suspicious wevtutil Usage - Rule", "ESCU - USN Journal Deletion - Rule", "ESCU - Windows Event Log Cleared - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Suspicious Event Log Service Behavior", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear Windows Event Logs"}]}, {"name": "Suspicious wevtutil Usage", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Clear Windows Event Logs"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "USN Journal Deletion", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Windows Event Log Cleared", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear Windows Event Logs"}]}]}, {"name": "Windows Persistence Techniques", "author": "Bhavin Patel, Splunk", "date": "2018-05-31", "version": 2, "id": "30874d4f-20a1-488f-85ec-5d52ef74e3f9", "description": "Monitor for activities and techniques associated with maintaining persistence on a Windows system--a sign that an adversary may have compromised your environment.", "references": ["http://www.fuzzysecurity.com/tutorials/19.html", "https://www.fireeye.com/blog/threat-research/2010/07/malware-persistence-windows-registry.html", "http://resources.infosecinstitute.com/common-malware-persistence-mechanisms/", "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html", "https://www.youtube.com/watch?v=dq2Hv7J9fvk"], "narrative": "Maintaining persistence is one of the first steps taken by attackers after the initial compromise. Attackers leverage various custom and built-in tools to ensure survivability and persistent access within a compromised enterprise. This Analytic Story provides searches to help you identify various behaviors used by attackers to maintain persistent access to a Windows environment.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.010", "mitre_attack_technique": "Port Monitors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546.011", "mitre_attack_technique": "Application Shimming", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["FIN7"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1547.014", "mitre_attack_technique": "Active Setup", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562.006", "mitre_attack_technique": "Indicator Blocking", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT41", "APT5"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1222.001", "mitre_attack_technique": "Windows File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1547.012", "mitre_attack_technique": "Print Processors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1037.001", "mitre_attack_technique": "Logon Script (Windows)", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "Cobalt Group"]}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1134.005", "mitre_attack_technique": "SID-History Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1546.012", "mitre_attack_technique": "Image File Execution Options Injection", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA2541", "TA551"]}, {"mitre_attack_id": "T1564.001", "mitre_attack_technique": "Hidden Files and Directories", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "FIN13", "HAFNIUM", "Lazarus Group", "LuminousMoth", "Mustang Panda", "Rocke", "Transparent Tribe", "Tropic Trooper"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1574.011", "mitre_attack_technique": "Services Registry Permissions Weakness", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1037", "mitre_attack_technique": "Boot or Logon Initialization Scripts", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "Rocke"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546.002", "mitre_attack_technique": "Screensaver", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.003", "mitre_attack_technique": "Time Providers", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1574.009", "mitre_attack_technique": "Path Interception by Unquoted Path", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Persistence", "Execution", "Defense Evasion", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - Reg exe used to hide files directories via registry keys - Rule", "ESCU - Remote Registry Key modifications - Rule", "ESCU - Active Setup Registry Autostart - Rule", "ESCU - Certutil exe certificate extraction - Rule", "ESCU - Change Default File Association - Rule", "ESCU - Detect Path Interception By Creation Of program exe - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Hiding Files And Directories With Attrib exe - Rule", "ESCU - Logon Script Event Trigger Execution - Rule", "ESCU - Monitor Registry Keys for Print Monitors - Rule", "ESCU - Print Processor Registry Autostart - Rule", "ESCU - Reg exe Manipulating Windows Services Registry Keys - Rule", "ESCU - Registry Keys for Creating SHIM Databases - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Schedule Task with HTTP Command Arguments - Rule", "ESCU - Schedule Task with Rundll32 Command Trigger - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks used for forcing a reboot - Rule", "ESCU - Screensaver Event Trigger Execution - Rule", "ESCU - Shim Database File Creation - Rule", "ESCU - Shim Database Installation With Suspicious Parameters - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Time Provider Persistence Registry - Rule", "ESCU - Windows AD DSRM Account Changes - Rule", "ESCU - Windows AD Same Domain SID History Addition - Rule", "ESCU - Windows Event Triggered Image File Execution Options Injection - Rule", "ESCU - Windows Mshta Execution In Registry - Rule", "ESCU - Windows Registry Delete Task SD - Rule", "ESCU - Windows Scheduled Task Service Spawned Shell - Rule", "ESCU - Windows Schtasks Create Run As System - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Reg exe used to hide files directories via registry keys", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Hidden Files and Directories"}]}, {"name": "Remote Registry Key modifications", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Active Setup Registry Autostart", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Active Setup"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Certutil exe certificate extraction", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Change Default File Association", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Change Default File Association"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Detect Path Interception By Creation Of program exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Path Interception by Unquoted Path"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "ETW Registry Disabled", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Blocking"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Hiding Files And Directories With Attrib exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "Windows File and Directory Permissions Modification"}]}, {"name": "Logon Script Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Boot or Logon Initialization Scripts"}, {"mitre_attack_technique": "Logon Script (Windows)"}]}, {"name": "Monitor Registry Keys for Print Monitors", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Port Monitors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Print Processor Registry Autostart", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Reg exe Manipulating Windows Services Registry Keys", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Services Registry Permissions Weakness"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "Registry Keys for Creating SHIM Databases", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Application Shimming"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Schedule Task with HTTP Command Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Schedule Task with Rundll32 Command Trigger", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Schtasks used for forcing a reboot", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Screensaver Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "Screensaver"}]}, {"name": "Shim Database File Creation", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Application Shimming"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Shim Database Installation With Suspicious Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Application Shimming"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Time Provider Persistence Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Time Providers"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Windows AD DSRM Account Changes", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}]}, {"name": "Windows AD Same Domain SID History Addition", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "SID-History Injection"}, {"mitre_attack_technique": "Access Token Manipulation"}]}, {"name": "Windows Event Triggered Image File Execution Options Injection", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Image File Execution Options Injection"}]}, {"name": "Windows Mshta Execution In Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Mshta"}]}, {"name": "Windows Registry Delete Task SD", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Scheduled Task Service Spawned Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows Schtasks Create Run As System", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Services Registry Permissions Weakness"}]}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Scheduled Task"}]}]}, {"name": "Windows Post-Exploitation", "author": "Teoderick Contreras, Splunk", "date": "2022-11-30", "version": 1, "id": "992899b7-a5cf-4bcd-bb0d-cf81762188ba", "description": "This analytic story identifies popular Windows post exploitation tools for example winpeas.bat, winpeas.exe, WinPrivCheck.bat and many more.", "references": ["https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "narrative": "These tools allow operators to find possible exploits or paths for privilege escalation and persistence on a targeted host. Ransomware operator like the \"Prestige ransomware\" also used or abuses these post exploitation tools such as winPEAS to scan for possible avenue to gain privileges and persistence to a targeted Windows Operating System.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1070.005", "mitre_attack_technique": "Network Share Connection Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Threat Group-3390"]}, {"mitre_attack_id": "T1115", "mitre_attack_technique": "Clipboard Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT38", "APT39"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1552.002", "mitre_attack_technique": "Credentials in Registry", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT32"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "APT5", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}, {"mitre_attack_id": "T1016.001", "mitre_attack_technique": "Internet Connection Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT29", "FIN13", "FIN8", "Gamaredon Group", "HAFNIUM", "HEXANE", "Magic Hound", "TA2541", "Turla"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1531", "mitre_attack_technique": "Account Access Removal", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Akira", "LAPSUS$"]}, {"mitre_attack_id": "T1202", "mitre_attack_technique": "Indirect Command Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "APT41", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "Volt Typhoon", "ZIRCONIUM"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "FIN7", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "ToddyCat", "Turla", "Volt Typhoon"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1082", "mitre_attack_technique": "System Information Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT19", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "Blue Mockingbird", "Chimera", "Confucius", "Darkhotel", "FIN13", "FIN8", "Gamaredon Group", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Malteiro", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Sowbug", "Stealth Falcon", "TA2541", "TeamTNT", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Windigo", "Windshift", "Wizard Spider", "ZIRCONIUM", "admin@338"]}, {"mitre_attack_id": "T1547.005", "mitre_attack_technique": "Security Support Provider", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "Malteiro", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1552.004", "mitre_attack_technique": "Private Keys", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Rocke", "Scattered Spider", "TeamTNT"]}, {"mitre_attack_id": "T1003.005", "mitre_attack_technique": "Cached Domain Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "Leafminer", "MuddyWater", "OilRig"]}, {"mitre_attack_id": "T1555.005", "mitre_attack_technique": "Password Managers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Fox Kitten", "LAPSUS$", "Threat Group-3390"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Reconnaissance", "Collection", "Discovery", "Credential Access", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Impact"], "datamodels": ["Risk", "Endpoint"], "kill_chain_phases": ["Reconnaissance", "Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Create or delete windows shares using net exe - Rule", "ESCU - Domain Group Discovery With Net - Rule", "ESCU - Excessive Usage Of Cacls App - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Connection Discovery With Net - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Network Discovery Using Route Windows App - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Windows Cached Domain Credentials Reg Query - Rule", "ESCU - Windows ClipBoard Data via Get-ClipBoard - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows Credentials from Password Stores Query - Rule", "ESCU - Windows Credentials in Registry Reg Query - Rule", "ESCU - Windows Indirect Command Execution Via forfiles - Rule", "ESCU - Windows Indirect Command Execution Via Series Of Forfiles - Rule", "ESCU - Windows Information Discovery Fsutil - Rule", "ESCU - Windows Modify Registry Reg Restore - Rule", "ESCU - Windows Password Managers Discovery - Rule", "ESCU - Windows Post Exploitation Risk Behavior - Rule", "ESCU - Windows Private Keys Discovery - Rule", "ESCU - Windows Query Registry Reg Save - Rule", "ESCU - Windows Security Support Provider Reg Query - Rule", "ESCU - Windows Steal or Forge Kerberos Tickets Klist - Rule", "ESCU - Windows System Network Config Discovery Display DNS - Rule", "ESCU - Windows System Network Connections Discovery Netsh - Rule", "ESCU - Windows System User Discovery Via Quser - Rule", "ESCU - Windows WMI Process And Service List - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Create or delete windows shares using net exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Network Share Connection Removal"}]}, {"name": "Domain Group Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}, {"name": "Excessive Usage Of Cacls App", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Account Access Removal"}]}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}, {"name": "Network Connection Discovery With Arp", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "Network Connection Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "Network Discovery Using Route Windows App", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Internet Connection Discovery"}]}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Gather Victim Host Information"}]}, {"name": "Windows Cached Domain Credentials Reg Query", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cached Domain Credentials"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Windows ClipBoard Data via Get-ClipBoard", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Clipboard Data"}]}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "System Network Connections Discovery"}, {"mitre_attack_technique": "System Owner/User Discovery"}, {"mitre_attack_technique": "System Shutdown/Reboot"}, {"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows Credentials from Password Stores Query", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}]}, {"name": "Windows Credentials in Registry Reg Query", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials in Registry"}, {"mitre_attack_technique": "Unsecured Credentials"}]}, {"name": "Windows Indirect Command Execution Via forfiles", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indirect Command Execution"}]}, {"name": "Windows Indirect Command Execution Via Series Of Forfiles", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Indirect Command Execution"}]}, {"name": "Windows Information Discovery Fsutil", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Information Discovery"}]}, {"name": "Windows Modify Registry Reg Restore", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Password Managers Discovery", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Managers"}]}, {"name": "Windows Post Exploitation Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": [{"mitre_attack_technique": "Query Registry"}, {"mitre_attack_technique": "System Network Connections Discovery"}, {"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "System Information Discovery"}, {"mitre_attack_technique": "Clipboard Data"}, {"mitre_attack_technique": "Unsecured Credentials"}]}, {"name": "Windows Private Keys Discovery", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Private Keys"}, {"mitre_attack_technique": "Unsecured Credentials"}]}, {"name": "Windows Query Registry Reg Save", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Security Support Provider Reg Query", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Security Support Provider"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Windows Steal or Forge Kerberos Tickets Klist", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}, {"name": "Windows System Network Config Discovery Display DNS", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Network Configuration Discovery"}]}, {"name": "Windows System Network Connections Discovery Netsh", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "Windows System User Discovery Via Quser", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Owner/User Discovery"}]}, {"name": "Windows WMI Process And Service List", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}]}, {"name": "Windows Privilege Escalation", "author": "David Dorsey, Splunk", "date": "2020-02-04", "version": 2, "id": "644e22d3-598a-429c-a007-16fdb802cae5", "description": "Monitor for and investigate activities that may be associated with a Windows privilege-escalation attack, including unusual processes running on endpoints, modified registry keys, and more.", "references": ["https://attack.mitre.org/tactics/TA0004/"], "narrative": "Privilege escalation is a \"land-and-expand\" technique, wherein an adversary gains an initial foothold on a host and then exploits its weaknesses to increase his privileges. The motivation is simple: certain actions on a Windows machine--such as installing software--may require higher-level privileges than those the attacker initially acquired. By increasing his privilege level, the attacker can gain the control required to carry out his malicious ends. This Analytic Story provides searches to detect and investigate behaviors that attackers may use to elevate their privileges in your environment.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Cinnamon Tempest", "Earth Lusca", "FIN13", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}, {"mitre_attack_id": "T1547.014", "mitre_attack_technique": "Active Setup", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562.006", "mitre_attack_technique": "Indicator Blocking", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT41", "APT5"]}, {"mitre_attack_id": "T1547.012", "mitre_attack_technique": "Print Processors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1037.001", "mitre_attack_technique": "Logon Script (Windows)", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "Cobalt Group"]}, {"mitre_attack_id": "T1546.008", "mitre_attack_technique": "Accessibility Features", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT3", "APT41", "Axiom", "Deep Panda", "Fox Kitten"]}, {"mitre_attack_id": "T1546.012", "mitre_attack_technique": "Image File Execution Options Injection", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1134.001", "mitre_attack_technique": "Token Impersonation/Theft", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "FIN8"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1037", "mitre_attack_technique": "Boot or Logon Initialization Scripts", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "Rocke"]}, {"mitre_attack_id": "T1546.002", "mitre_attack_technique": "Screensaver", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.003", "mitre_attack_technique": "Time Providers", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Privilege Escalation", "Credential Access", "Persistence", "Execution", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - Uncommon Processes On Endpoint - Rule", "ESCU - Active Setup Registry Autostart - Rule", "ESCU - Change Default File Association - Rule", "ESCU - Child Processes of Spoolsv exe - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Kerberoasting spn request with RC4 encryption - Rule", "ESCU - Logon Script Event Trigger Execution - Rule", "ESCU - MSI Module Loaded by Non-System Binary - Rule", "ESCU - Overwriting Accessibility Binaries - Rule", "ESCU - Print Processor Registry Autostart - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule", "ESCU - Runas Execution in CommandLine - Rule", "ESCU - Screensaver Event Trigger Execution - Rule", "ESCU - Time Provider Persistence Registry - Rule", "ESCU - Windows Privilege Escalation Suspicious Process Elevation - Rule", "ESCU - Windows Privilege Escalation System Process Without System Parent - Rule", "ESCU - Windows Privilege Escalation User Process Spawn System Process - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Uncommon Processes On Endpoint", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "Malicious File"}]}, {"name": "Active Setup Registry Autostart", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Active Setup"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Change Default File Association", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Change Default File Association"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Child Processes of Spoolsv exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}, {"name": "ETW Registry Disabled", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Blocking"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Kerberoasting spn request with RC4 encryption", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}]}, {"name": "Logon Script Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Boot or Logon Initialization Scripts"}, {"mitre_attack_technique": "Logon Script (Windows)"}]}, {"name": "MSI Module Loaded by Non-System Binary", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "Overwriting Accessibility Binaries", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "Accessibility Features"}]}, {"name": "Print Processor Registry Autostart", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Registry Keys Used For Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Image File Execution Options Injection"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Runas Execution in CommandLine", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Access Token Manipulation"}, {"mitre_attack_technique": "Token Impersonation/Theft"}]}, {"name": "Screensaver Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "Screensaver"}]}, {"name": "Time Provider Persistence Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Time Providers"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Windows Privilege Escalation Suspicious Process Elevation", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}, {"mitre_attack_technique": "Access Token Manipulation"}]}, {"name": "Windows Privilege Escalation System Process Without System Parent", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}, {"mitre_attack_technique": "Access Token Manipulation"}]}, {"name": "Windows Privilege Escalation User Process Spawn System Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}, {"mitre_attack_technique": "Access Token Manipulation"}]}]}, {"name": "Windows Registry Abuse", "author": "Teoderick Contreras, Splunk", "date": "2022-03-17", "version": 1, "id": "78df1df1-25f1-4387-90f9-c4ea31ce6b75", "description": "Windows services are often used by attackers for persistence, privilege escalation, lateral movement, defense evasion, collection of data, a tool for recon, credential dumping and payload impact. This Analytic Story helps you monitor your environment for indications that Windows registry are being modified or created in a suspicious manner.", "references": ["https://attack.mitre.org/techniques/T1112/", "https://redcanary.com/blog/windows-registry-attacks-threat-detection/"], "narrative": "Windows Registry is one of the powerful and yet still mysterious Windows features that can tweak or manipulate Windows policies and low-level configuration settings. Because of this capability, most malware, adversaries or threat actors abuse this hierarchical database to do their malicious intent on a targeted host or network environment. In these cases, attackers often use tools to create or modify registry in ways that are not typical for most environments, providing opportunities for detection.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1547.010", "mitre_attack_technique": "Port Monitors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546.011", "mitre_attack_technique": "Application Shimming", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["FIN7"]}, {"mitre_attack_id": "T1552.002", "mitre_attack_technique": "Credentials in Registry", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT32"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1547.008", "mitre_attack_technique": "LSASS Driver", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1562.006", "mitre_attack_technique": "Indicator Blocking", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT41", "APT5"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "APT5", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546.012", "mitre_attack_technique": "Image File Execution Options Injection", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1564.001", "mitre_attack_technique": "Hidden Files and Directories", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "FIN13", "HAFNIUM", "Lazarus Group", "LuminousMoth", "Mustang Panda", "Rocke", "Transparent Tribe", "Tropic Trooper"]}, {"mitre_attack_id": "T1491", "mitre_attack_technique": "Defacement", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1553.004", "mitre_attack_technique": "Install Root Certificate", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1553", "mitre_attack_technique": "Subvert Trust Controls", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Axiom"]}, {"mitre_attack_id": "T1574.011", "mitre_attack_technique": "Services Registry Permissions Weakness", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1546.002", "mitre_attack_technique": "Screensaver", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.003", "mitre_attack_technique": "Time Providers", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1564", "mitre_attack_technique": "Hide Artifacts", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Privilege Escalation", "Credential Access", "Persistence", "Execution", "Defense Evasion", "Impact", "Lateral Movement"], "datamodels": ["Web", "Updates", "Endpoint", "Risk"], "kill_chain_phases": ["Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Allow Inbound Traffic By Firewall Rule Registry - Rule", "ESCU - Allow Operation with Consent Admin - Rule", "ESCU - Attempted Credential Dump From Registry via Reg exe - Rule", "ESCU - Auto Admin Logon Registry Entry - Rule", "ESCU - Change Default File Association - Rule", "ESCU - Disable AMSI Through Registry - Rule", "ESCU - Disable Defender AntiVirus Registry - Rule", "ESCU - Disable Defender BlockAtFirstSeen Feature - Rule", "ESCU - Disable Defender Enhanced Notification - Rule", "ESCU - Disable Defender MpEngine Registry - Rule", "ESCU - Disable Defender Spynet Reporting - Rule", "ESCU - Disable Defender Submit Samples Consent Feature - Rule", "ESCU - Disable ETW Through Registry - Rule", "ESCU - Disable Registry Tool - Rule", "ESCU - Disable Security Logs Using MiniNt Registry - Rule", "ESCU - Disable Show Hidden Files - Rule", "ESCU - Disable UAC Remote Restriction - Rule", "ESCU - Disable Windows App Hotkeys - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Disable Windows SmartScreen Protection - Rule", "ESCU - Disabling CMD Application - Rule", "ESCU - Disabling ControlPanel - Rule", "ESCU - Disabling Defender Services - Rule", "ESCU - Disabling FolderOptions Windows Feature - Rule", "ESCU - Disabling NoRun Windows App - Rule", "ESCU - Disabling Remote User Account Control - Rule", "ESCU - Disabling SystemRestore In Registry - Rule", "ESCU - Disabling Task Manager - Rule", "ESCU - Disabling Windows Local Security Authority Defences via Registry - Rule", "ESCU - Enable RDP In Other Port Number - Rule", "ESCU - Enable WDigest UseLogonCredential Registry - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Eventvwr UAC Bypass - Rule", "ESCU - Hide User Account From Sign-In Screen - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - Monitor Registry Keys for Print Monitors - Rule", "ESCU - Registry Keys for Creating SHIM Databases - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule", "ESCU - Remcos client registry install entry - Rule", "ESCU - Revil Registry Entry - Rule", "ESCU - Screensaver Event Trigger Execution - Rule", "ESCU - Sdclt UAC Bypass - Rule", "ESCU - SilentCleanup UAC Bypass - Rule", "ESCU - Time Provider Persistence Registry - Rule", "ESCU - Windows AD DSRM Account Changes - Rule", "ESCU - Windows Autostart Execution LSASS Driver Registry Modification - Rule", "ESCU - Windows Disable Lock Workstation Feature Through Registry - Rule", "ESCU - Windows Disable LogOff Button Through Registry - Rule", "ESCU - Windows Disable Memory Crash Dump - Rule", "ESCU - Windows Disable Notification Center - Rule", "ESCU - Windows Disable Shutdown Button Through Registry - Rule", "ESCU - Windows Disable Windows Group Policy Features Through Registry - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows Hide Notification Features Through Registry - Rule", "ESCU - Windows Impair Defense Change Win Defender Health Check Intervals - Rule", "ESCU - Windows Impair Defense Change Win Defender Quick Scan Interval - Rule", "ESCU - Windows Impair Defense Change Win Defender Throttle Rate - Rule", "ESCU - Windows Impair Defense Change Win Defender Tracing Level - Rule", "ESCU - Windows Impair Defense Configure App Install Control - Rule", "ESCU - Windows Impair Defense Define Win Defender Threat Action - Rule", "ESCU - Windows Impair Defense Delete Win Defender Context Menu - Rule", "ESCU - Windows Impair Defense Delete Win Defender Profile Registry - Rule", "ESCU - Windows Impair Defense Disable Controlled Folder Access - Rule", "ESCU - Windows Impair Defense Disable Defender Firewall And Network - Rule", "ESCU - Windows Impair Defense Disable Defender Protocol Recognition - Rule", "ESCU - Windows Impair Defense Disable PUA Protection - Rule", "ESCU - Windows Impair Defense Disable Realtime Signature Delivery - Rule", "ESCU - Windows Impair Defense Disable Web Evaluation - Rule", "ESCU - Windows Impair Defense Disable Win Defender App Guard - Rule", "ESCU - Windows Impair Defense Disable Win Defender Compute File Hashes - Rule", "ESCU - Windows Impair Defense Disable Win Defender Gen reports - Rule", "ESCU - Windows Impair Defense Disable Win Defender Network Protection - Rule", "ESCU - Windows Impair Defense Disable Win Defender Report Infection - Rule", "ESCU - Windows Impair Defense Disable Win Defender Scan On Update - Rule", "ESCU - Windows Impair Defense Disable Win Defender Signature Retirement - Rule", "ESCU - Windows Impair Defense Overide Win Defender Phishing Filter - Rule", "ESCU - Windows Impair Defense Override SmartScreen Prompt - Rule", "ESCU - Windows Impair Defense Set Win Defender Smart Screen Level To Warn - Rule", "ESCU - Windows Impair Defenses Disable HVCI - Rule", "ESCU - Windows Impair Defenses Disable Win Defender Auto Logging - Rule", "ESCU - Windows Modify Registry Risk Behavior - Rule", "ESCU - Windows Modify Show Compress Color And Info Tip Registry - Rule", "ESCU - Windows Registry Certificate Added - Rule", "ESCU - Windows Registry Delete Task SD - Rule", "ESCU - Windows Registry Modification for Safe Mode Persistence - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule", "ESCU - WSReset UAC Bypass - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Allow Inbound Traffic By Firewall Rule Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "Allow Operation with Consent Admin", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Attempted Credential Dump From Registry via Reg exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Auto Admin Logon Registry Entry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Credentials in Registry"}, {"mitre_attack_technique": "Unsecured Credentials"}]}, {"name": "Change Default File Association", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Change Default File Association"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Disable AMSI Through Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Defender AntiVirus Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Defender BlockAtFirstSeen Feature", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Defender Enhanced Notification", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Defender MpEngine Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Defender Spynet Reporting", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Defender Submit Samples Consent Feature", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable ETW Through Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Registry Tool", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}, {"name": "Disable Security Logs Using MiniNt Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Disable Show Hidden Files", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Hidden Files and Directories"}, {"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Hide Artifacts"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}, {"name": "Disable UAC Remote Restriction", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Disable Windows App Hotkeys", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Windows SmartScreen Protection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disabling CMD Application", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}, {"name": "Disabling ControlPanel", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}, {"name": "Disabling Defender Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disabling FolderOptions Windows Feature", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disabling NoRun Windows App", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}, {"name": "Disabling Remote User Account Control", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Disabling SystemRestore In Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Disabling Task Manager", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disabling Windows Local Security Authority Defences via Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Authentication Process"}]}, {"name": "Enable RDP In Other Port Number", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}]}, {"name": "Enable WDigest UseLogonCredential Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "ETW Registry Disabled", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Blocking"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Eventvwr UAC Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Hide User Account From Sign-In Screen", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Defacement"}]}, {"name": "Monitor Registry Keys for Print Monitors", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Port Monitors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Registry Keys for Creating SHIM Databases", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Application Shimming"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Registry Keys Used For Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Image File Execution Options Injection"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Remcos client registry install entry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Revil Registry Entry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Screensaver Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "Screensaver"}]}, {"name": "Sdclt UAC Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "SilentCleanup UAC Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Time Provider Persistence Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Time Providers"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Windows AD DSRM Account Changes", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}]}, {"name": "Windows Autostart Execution LSASS Driver Registry Modification", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Driver"}]}, {"name": "Windows Disable Lock Workstation Feature Through Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Disable LogOff Button Through Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Disable Memory Crash Dump", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Windows Disable Notification Center", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Disable Shutdown Button Through Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Disable Windows Group Policy Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Hide Notification Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Impair Defense Change Win Defender Health Check Intervals", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Change Win Defender Quick Scan Interval", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Change Win Defender Throttle Rate", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Change Win Defender Tracing Level", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Configure App Install Control", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Define Win Defender Threat Action", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Delete Win Defender Context Menu", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Delete Win Defender Profile Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Controlled Folder Access", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Defender Firewall And Network", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Defender Protocol Recognition", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable PUA Protection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Realtime Signature Delivery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Web Evaluation", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Win Defender App Guard", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Win Defender Compute File Hashes", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Win Defender Gen reports", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Win Defender Network Protection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Win Defender Report Infection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Win Defender Scan On Update", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Win Defender Signature Retirement", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Overide Win Defender Phishing Filter", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Override SmartScreen Prompt", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Set Win Defender Smart Screen Level To Warn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defenses Disable HVCI", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defenses Disable Win Defender Auto Logging", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Modify Registry Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Show Compress Color And Info Tip Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Registry Certificate Added", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Install Root Certificate"}, {"mitre_attack_technique": "Subvert Trust Controls"}]}, {"name": "Windows Registry Delete Task SD", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Registry Modification for Safe Mode Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Services Registry Permissions Weakness"}]}, {"name": "WSReset UAC Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}]}, {"name": "Windows Service Abuse", "author": "Rico Valdez, Splunk", "date": "2017-11-02", "version": 3, "id": "6dbd810e-f66d-414b-8dfc-e46de55cbfe2", "description": "Windows services are often used by attackers for persistence and the ability to load drivers or otherwise interact with the Windows kernel. This Analytic Story helps you monitor your environment for indications that Windows services are being modified or created in a suspicious manner.", "references": ["https://attack.mitre.org/wiki/Technique/T1050", "https://attack.mitre.org/wiki/Technique/T1031"], "narrative": "The Windows operating system uses a services architecture to allow for running code in the background, similar to a UNIX daemon. Attackers will often leverage Windows services for persistence, hiding in plain sight, seeking the ability to run privileged code that can interact with the kernel. In many cases, attackers will create a new service to host their malicious code. Attackers have also been observed modifying unnecessary or unused services to point to their own code, as opposed to what was intended. In these cases, attackers often use tools to create or modify services in ways that are not typical for most environments, providing opportunities for detection.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1574.011", "mitre_attack_technique": "Services Registry Permissions Weakness", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}], "mitre_attack_tactics": ["Persistence", "Execution", "Privilege Escalation", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - First Time Seen Running Windows Service - Rule", "ESCU - Reg exe Manipulating Windows Services Registry Keys - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "First Time Seen Running Windows Service", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Reg exe Manipulating Windows Services Registry Keys", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Services Registry Permissions Weakness"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}]}, {"name": "Windows System Binary Proxy Execution MSIExec", "author": "Michael Haag, Splunk", "date": "2022-06-16", "version": 1, "id": "bea2e16b-4599-46ad-a95b-116078726c68", "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).", "references": ["https://attack.mitre.org/techniques/T1218/007/"], "narrative": "Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs. Since it may be signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. Msiexec.exe execution may also be elevated to SYSTEM privileges if the AlwaysInstallElevated policy is enabled.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.007", "mitre_attack_technique": "Msiexec", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Machete", "Molerats", "Rancor", "TA505", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Windows MSIExec DLLRegisterServer - Rule", "ESCU - Windows MSIExec Remote Download - Rule", "ESCU - Windows MSIExec Spawn Discovery Command - Rule", "ESCU - Windows MSIExec Unregister DLLRegisterServer - Rule", "ESCU - Windows MSIExec With Network Connections - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows MSIExec DLLRegisterServer", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Msiexec"}]}, {"name": "Windows MSIExec Remote Download", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Msiexec"}]}, {"name": "Windows MSIExec Spawn Discovery Command", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Msiexec"}]}, {"name": "Windows MSIExec Unregister DLLRegisterServer", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Msiexec"}]}, {"name": "Windows MSIExec With Network Connections", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Msiexec"}]}]}, {"name": "WinRAR Spoofing Attack CVE-2023-38831", "author": "Michael Haag, Splunk", "date": "2023-08-29", "version": 1, "id": "9ba776f3-b8c5-4390-a312-6dab6c5561b9", "description": "Group-IB Threat Intelligence unit discovered a zero-day vulnerability, CVE-2023-38831, in WinRAR, a popular compression tool. Cybercriminals exploited this vulnerability to deliver various malware families, including DarkMe and GuLoader, by crafting ZIP archives with spoofed extensions, which were then distributed on trading forums. Once the malware was executed, it allowed cybercriminals to withdraw funds from brokers' accounts. RARLAB was immediately notified about the vulnerability and released a patch. Group-IB recommends users update WinRAR to the latest version, stay informed about cyber threats, be cautious with unknown attachments, enable 2FA, backup data, and follow the principle of least privilege.", "references": ["https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/", "https://nvd.nist.gov/vuln/detail/CVE-2023-38831"], "narrative": "Group-IB Threat Intelligence unit identified a critical zero-day vulnerability, CVE-2023-38831, in WinRAR, a widely used compression tool. This vulnerability was exploited by cybercriminals to craft ZIP archives containing malicious and non-malicious files, distributed on specialized trading forums. The exploit allowed them to spoof file extensions, hiding the launch of malicious scripts within an archive masquerading as a '.jpg', '.txt', or any other file format. When victims opened the specially crafted archive, it executed the malware, leading to unauthorized access to their broker accounts and enabling the cybercriminals to perform illicit financial transactions and withdraw funds.\nThe vulnerability was discovered while researching the spread of DarkMe malware, a VisualBasic spy Trojan attributed to the financially motivated group, Evilnum. The malware was distributed alongside other malware families, such as GuLoader and Remcos RAT, via malicious ZIP archives posted on popular trading forums or distributed via file-sharing services. Despite efforts by forum administrators to warn users and disable threat actors' accounts, the cybercriminals continued to spread the malicious files, compromising devices, and leading to financial losses.\nGroup-IB immediately notified RARLAB about the vulnerability, and they promptly responded by issuing a patch. The beta version of the patch was released on July 20, 2023, and the final updated version, WinRAR 6.23, was released on August 2, 2023. Group-IB recommends all users install the latest version of WinRAR to mitigate the risk of exploitation.\nIn conclusion, the exploitation of the CVE-2023-38831 vulnerability highlights the constant risks associated with software vulnerabilities and the importance of remaining vigilant, keeping systems updated, and following security guidelines to avoid falling victim to such attacks. Collaboration between security researchers and software developers is essential to quickly identify and fix vulnerabilities, making it harder for cybercriminals to exploit them.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - WinRAR Spawning Shell Application - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "WinRAR Spawning Shell Application", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}]}, {"name": "Winter Vivern", "author": "Teoderick Contreras, Splunk", "date": "2023-02-16", "version": 1, "id": "5ce5f311-b311-4568-90ca-0c36781d07a4", "description": "Utilize searches that enable you to detect and investigate unusual activities potentially related to the Winter Vivern malicious software. This includes examining multiple timeout executions, scheduled task creations, screenshots, and downloading files through PowerShell, among other indicators.", "references": ["https://cert.gov.ua/article/3761023"], "narrative": "The Winter Vivern malware, identified by CERT UA, is designed to download and run multiple PowerShell scripts on targeted hosts. These scripts aim to gather a variety of files with specific extensions, including (.edb, .ems, .eme, .emz, .key, .pem, .ovpn, .bat, .cer, .p12, .cfg, .log, .txt, .pdf, .doc, .docx, .xls, .xlsx, and .rdg), primarily from desktop directories. In addition to this, the malware captures desktop screenshots and performs data exfiltration using HTTP. To maintain its presence on the targeted host, Winter Vivern also establishes a persistence mechanism, such as creating a scheduled task.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT41", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1041", "mitre_attack_technique": "Exfiltration Over C2 Channel", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Chimera", "Confucius", "GALLIUM", "Gamaredon Group", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "LuminousMoth", "MuddyWater", "Sandworm Team", "Stealth Falcon", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1113", "mitre_attack_technique": "Screen Capture", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT39", "BRONZE BUTLER", "Dark Caracal", "Dragonfly", "FIN7", "GOLD SOUTHFIELD", "Gamaredon Group", "Group5", "Magic Hound", "MoustachedBouncer", "MuddyWater", "OilRig", "Silence"]}], "mitre_attack_tactics": ["Command And Control", "Exfiltration", "Collection", "Discovery", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation", "Actions on Objectives", "Command and Control"]}, "detection_names": ["ESCU - Any Powershell DownloadString - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - GetWmiObject User Account with PowerShell - Rule", "ESCU - GetWmiObject User Account with PowerShell Script Block - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Schedule Task with HTTP Command Arguments - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - System User Discovery With Whoami - Rule", "ESCU - Windows Exfiltration Over C2 Via Invoke RestMethod - Rule", "ESCU - Windows Exfiltration Over C2 Via Powershell UploadString - Rule", "ESCU - Windows Scheduled Task Created Via XML - Rule", "ESCU - Windows Screen Capture Via Powershell - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "GetWmiObject User Account with PowerShell", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}]}, {"name": "GetWmiObject User Account with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "PowerShell Loading DotNET into Memory via Reflection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Schedule Task with HTTP Command Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "System User Discovery With Whoami", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Owner/User Discovery"}]}, {"name": "Windows Exfiltration Over C2 Via Invoke RestMethod", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over C2 Channel"}]}, {"name": "Windows Exfiltration Over C2 Via Powershell UploadString", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over C2 Channel"}]}, {"name": "Windows Scheduled Task Created Via XML", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Windows Screen Capture Via Powershell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Screen Capture"}]}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Scheduled Task"}]}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Scheduled Task"}]}]}, {"name": "WordPress Vulnerabilities", "author": "Michael Haag, Splunk", "date": "2024-02-22", "version": 1, "id": "baeaee14-e439-4c95-91e8-aaedd8265c1c", "description": "This analytic story provides a collection of analytics that detect potential exploitation of WordPress vulnerabilities. The analytics are focused on the detection of known vulnerabilities in WordPress plugins and themes.", "references": ["https://attack.mitre.org/techniques/T1190", "https://github.com/Tornad0007/CVE-2024-25600-Bricks-Builder-plugin-for-WordPress/blob/main/exploit.py", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25600", "https://op-c.net/blog/cve-2024-25600-wordpresss-bricks-builder-rce-flaw-under-active-exploitation/", "https://thehackernews.com/2024/02/wordpress-bricks-theme-under-active.html"], "narrative": "The following collection of analytics are focused on the detection of known vulnerabilities in WordPress plugins and themes. The analytics are focused on the detection of known vulnerabilities in WordPress plugins and themes.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - WordPress Bricks Builder plugin RCE - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "WordPress Bricks Builder plugin RCE", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}]}, {"name": "WS FTP Server Critical Vulnerabilities", "author": "Michael Haag, Splunk", "date": "2023-10-01", "version": 1, "id": "60466291-3ab4-452b-9c11-456aa2dc7293", "description": "A critical security advisory was released by Progress Software on September 27, 2023, concerning multiple vulnerabilities in WS_FTP Server, a widely-used secure file transfer solution. The two critical vulnerabilities are CVE-2023-40044, a .NET deserialization flaw, and CVE-2023-42657, a directory traversal vulnerability. Rapid7 has observed active exploitation of these vulnerabilities. Affected versions are prior to 8.7.4 and 8.8.2. Immediate action is advised - upgrade to WS_FTP Server version 8.8.2. For those unable to update, disabling the Ad Hoc Transfer module is suggested as a temporary measure. This comes in the wake of increased scrutiny following the Cl0p ransomware attack on MOVEit Transfer in May 2023.", "references": ["https://www.assetnote.io/resources/research/rce-in-progress-ws-ftp-ad-hoc-via-iis-http-modules-cve-2023-40044", "https://community.progress.com/s/article/WS-FTP-Server-Critical-Vulnerability-September-2023", "https://www.cve.org/CVERecord?id=CVE-2023-40044", "https://www.rapid7.com/blog/post/2023/09/29/etr-critical-vulnerabilities-in-ws_ftp-server/", "https://www.splunk.com/en_us/blog/security/fantastic-iis-modules-and-how-to-find-them.html"], "narrative": "Two critical vulnerabilities have been identified in WS_FTP Server, a widely-used secure file transfer solution. The first, CVE-2023-40044, is a .NET deserialization flaw that targets the Ad Hoc Transfer module of WS_FTP Server versions earlier than 8.7.4 and 8.8.2. This flaw allows an attacker to execute arbitrary commands on the server's operating system without needing authentication. The second vulnerability, CVE-2023-42657, is a directory traversal flaw that allows attackers to perform unauthorized file operations outside of their authorized WS_FTP folder. In severe cases, the attacker could escape the WS_FTP Server file structure and perform operations on the underlying operating system. Both vulnerabilities have been observed being exploited in the wild and immediate action for mitigation is strongly advised. Updating to WS_FTP Server version 8.8.2 is recommended. For those unable to update, disabling the Ad Hoc Transfer module is suggested as a temporary measure.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "APT5", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1505.004", "mitre_attack_technique": "IIS Components", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Persistence"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation"]}, "detection_names": ["ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows IIS Components Get-WebGlobalModule Module Query - Rule", "ESCU - WS FTP Remote Code Execution - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}, {"name": "Windows IIS Components Get-WebGlobalModule Module Query", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "IIS Components"}, {"mitre_attack_technique": "Server Software Component"}]}, {"name": "WS FTP Remote Code Execution", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}]}, {"name": "XMRig", "author": "Teoderick Contreras, Rod Soto Splunk", "date": "2021-05-07", "version": 1, "id": "06723e6a-6bd8-4817-ace2-5fb8a7b06628", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the xmrig monero, including looking for file writes associated with its payload, process command-line, defense evasion (killing services, deleting users, modifying files or folder permission, killing other malware or other coin miner) and hacking tools including Telegram as mean of Command And Control (C2) to download other files. Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems which may impact system and/or hosted service availability. One common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive. (1) Servers and cloud-based (2) systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.", "references": ["https://github.com/xmrig/xmrig", "https://www.getmonero.org/resources/user-guides/mine-to-pool.html", "https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/", "https://blog.checkpoint.com/2021/03/11/february-2021s-most-wanted-malware-trickbot-takes-over-following-emotet-shutdown/"], "narrative": "XMRig is a high performance, open source, cross platform RandomX, KawPow, CryptoNight and AstroBWT unified CPU/GPU miner. This monero is seen in the wild on May 2017.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1531", "mitre_attack_technique": "Account Access Removal", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Akira", "LAPSUS$"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1036.005", "mitre_attack_technique": "Match Legitimate Name or Location", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT32", "APT39", "APT41", "APT5", "Aoqin Dragon", "BRONZE BUTLER", "BackdoorDiplomacy", "Blue Mockingbird", "Carbanak", "Chimera", "Darkhotel", "Earth Lusca", "FIN13", "FIN7", "Ferocious Kitten", "Fox Kitten", "Gamaredon Group", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Naikon", "PROMETHIUM", "Patchwork", "Poseidon Group", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "Sowbug", "TA2541", "TeamTNT", "ToddyCat", "Transparent Tribe", "Tropic Trooper", "Volt Typhoon", "WIRTE", "Whitefly", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1595", "mitre_attack_technique": "Active Scanning", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}], "mitre_attack_tactics": ["Reconnaissance", "Command And Control", "Discovery", "Privilege Escalation", "Credential Access", "Persistence", "Execution", "Defense Evasion", "Impact"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Reconnaissance", "Exploitation", "Actions on Objectives", "Installation", "Command and Control"]}, "detection_names": ["ESCU - Attacker Tools On Endpoint - Rule", "ESCU - Deleting Of Net Users - Rule", "ESCU - Disable Windows App Hotkeys - Rule", "ESCU - Disabling Net User Account - Rule", "ESCU - Download Files Using Telegram - Rule", "ESCU - Enumerate Users Local Group Using Telegram - Rule", "ESCU - Excessive Attempt To Disable Services - Rule", "ESCU - Excessive Service Stop Attempt - Rule", "ESCU - Excessive Usage Of Cacls App - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Excessive Usage Of Taskkill - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Hide User Account From Sign-In Screen - Rule", "ESCU - Icacls Deny Command - Rule", "ESCU - ICACLS Grant Command - Rule", "ESCU - Modify ACL permission To Files Or Folder - Rule", "ESCU - Process Kill Base On File Path - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Suspicious Driver Loaded Path - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - XMRIG Driver Loaded - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Rod Soto Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Attacker Tools On Endpoint", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Match Legitimate Name or Location"}, {"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "Active Scanning"}]}, {"name": "Deleting Of Net Users", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Access Removal"}]}, {"name": "Disable Windows App Hotkeys", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}, {"name": "Disabling Net User Account", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Access Removal"}]}, {"name": "Download Files Using Telegram", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Enumerate Users Local Group Using Telegram", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Discovery"}]}, {"name": "Excessive Attempt To Disable Services", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Service Stop"}]}, {"name": "Excessive Service Stop Attempt", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Service Stop"}]}, {"name": "Excessive Usage Of Cacls App", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Account Access Removal"}]}, {"name": "Excessive Usage Of Taskkill", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Hide User Account From Sign-In Screen", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Icacls Deny Command", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}, {"name": "ICACLS Grant Command", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}, {"name": "Modify ACL permission To Files Or Folder", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}, {"name": "Process Kill Base On File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Schtasks Run Task On Demand", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Suspicious Driver Loaded Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "XMRIG Driver Loaded", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}]}, {"name": "Zscaler Browser Proxy Threats", "author": "Rod Soto, Gowthamaraj Rajendran", "date": "2023-10-25", "version": 1, "id": "5d4ba315-39df-4309-982f-a7052efccffd", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to malicious activity from Zscaler. This also encompasses monitoring for events such as users downloading harmful files or accessing websites that pose a risk to system and network security. Additionally, the narrative extends to the detection of insider threats, ensuring comprehensive protection from both external and internal vulnerabilities. By leveraging Zscaler with Splunk, organizations can fortify their defenses, safeguarding against a wide spectrum of cyber threats and maintaining a secure operational environment.", "references": ["https://threatlibrary.zscaler.com/", "https://help.zscaler.com/zia/about-threat-categories"], "narrative": "Zscaler Client Connector is an application installed on your device to ensure that your internet traffic and access to your organization's internal apps are secure and in compliance with your organization's policies, even when you're off your corporate network.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Risk"], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - Zscaler Adware Activities Threat Blocked - Rule", "ESCU - Zscaler Behavior Analysis Threat Blocked - Rule", "ESCU - Zscaler CryptoMiner Downloaded Threat Blocked - Rule", "ESCU - Zscaler Employment Search Web Activity - Rule", "ESCU - Zscaler Exploit Threat Blocked - Rule", "ESCU - Zscaler Legal Liability Threat Blocked - Rule", "ESCU - Zscaler Malware Activity Threat Blocked - Rule", "ESCU - Zscaler Phishing Activity Threat Blocked - Rule", "ESCU - Zscaler Potentially Abused File Download - Rule", "ESCU - Zscaler Privacy Risk Destinations Threat Blocked - Rule", "ESCU - Zscaler Scam Destinations Threat Blocked - Rule", "ESCU - Zscaler Virus Download threat blocked - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Gowthamaraj Rajendran", "author_name": "Rod Soto", "detections": [{"name": "Zscaler Adware Activities Threat Blocked", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Phishing"}]}, {"name": "Zscaler Behavior Analysis Threat Blocked", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Phishing"}]}, {"name": "Zscaler CryptoMiner Downloaded Threat Blocked", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Phishing"}]}, {"name": "Zscaler Employment Search Web Activity", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Phishing"}]}, {"name": "Zscaler Exploit Threat Blocked", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}]}, {"name": "Zscaler Legal Liability Threat Blocked", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Phishing"}]}, {"name": "Zscaler Malware Activity Threat Blocked", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Phishing"}]}, {"name": "Zscaler Phishing Activity Threat Blocked", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Phishing"}]}, {"name": "Zscaler Potentially Abused File Download", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Phishing"}]}, {"name": "Zscaler Privacy Risk Destinations Threat Blocked", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Phishing"}]}, {"name": "Zscaler Scam Destinations Threat Blocked", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Phishing"}]}, {"name": "Zscaler Virus Download threat blocked", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Phishing"}]}]}]} \ No newline at end of file diff --git a/dist/api/version.json b/dist/api/version.json index be3d3a8a49..6ec3e5a834 100644 --- a/dist/api/version.json +++ b/dist/api/version.json @@ -1 +1 @@ -{"version": {"name": "v4.33.0", "published_at": "2024-06-06T16:44:25Z"}} \ No newline at end of file +{"version": {"name": "v4.33.0", "published_at": "2024-06-06T17:49:55Z"}} \ No newline at end of file From 22e5ea3f83dc833e64643fefd7001d691ba6d960 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Wed, 26 Jun 2024 14:41:53 +0000 Subject: [PATCH 2/3] Release Branch - ESCU v4.34.0 --- app_template/default/distsearch.conf | 2 +- ..._aws_instances_launched_by_user___mltk.yml | 2 +- ...ws_instances_terminated_by_user___mltk.yml | 2 +- contentctl.yml | 10 +- .../endpoint/Sysmon_for_Linux_EventID.yml | 2 +- .../endpoint/Windows_Event_Log_Security.yml | 2 +- .../Windows_Event_Log_Security_5145.yml | 6 +- ...ct_risky_spl_using_pretrained_ml_model.yml | 22 +- ...itten_outside_of_the_outlook_directory.yml | 2 +- .../no_windows_updates_in_a_time_frame.yml | 17 +- ...entication_failed_during_mfa_challenge.yml | 35 +- .../okta_idp_lifecycle_modifications.yml | 37 +- .../application/okta_mfa_exhaustion_hunt.yml | 47 +- ...e_and_response_for_verify_push_request.yml | 108 +- ...a_multi_factor_authentication_disabled.yml | 35 +- .../okta_multiple_accounts_locked_out.yml | 39 +- ..._multiple_failed_mfa_requests_for_user.yml | 36 +- ...failed_requests_to_access_applications.yml | 81 +- ..._users_failing_to_authenticate_from_ip.yml | 41 +- .../okta_new_api_token_created.yml | 34 +- .../okta_new_device_enrolled_on_account.yml | 38 +- ...g_detection_with_fastpass_origin_check.yml | 36 +- .../okta_risk_threshold_exceeded.yml | 91 +- ...uccessful_single_factor_authentication.yml | 36 +- ...kta_suspicious_use_of_a_session_cookie.yml | 51 +- .../okta_threatinsight_threat_detected.yml | 37 +- ...kta_unauthorized_access_to_application.yml | 39 +- .../okta_user_logins_from_multiple_cities.yml | 45 +- .../path_traversal_spl_injection.yml | 21 +- ...rapiddiag_through_user_interface_views.yml | 69 +- ..._auth_source_and_verification_response.yml | 45 +- ..._multiple_failed_mfa_requests_for_user.yml | 39 +- ..._new_mfa_method_after_credential_reset.yml | 47 +- ...scovery_drilldown_dashboard_disclosure.yml | 15 +- ...entication_token_exposure_in_debug_log.yml | 34 +- ...on_via_custom_dashboard_leading_to_rce.yml | 19 +- ...and_scripting_interpreter_delete_usage.yml | 21 +- ...d_scripting_interpreter_risky_commands.yml | 36 +- ...d_scripting_interpreter_risky_spl_mltk.yml | 24 +- ...srf_in_the_ssg_kvstore_client_endpoint.yml | 24 +- ...om_analytics_workspace_using_sid_query.yml | 22 +- ...al_certificates_infrastructure_version.yml | 21 +- ...igital_certificates_lack_of_encryption.yml | 24 +- ...plunk_dos_using_malformed_saml_request.yml | 37 +- .../splunk_dos_via_malformed_s2s_request.yml | 21 +- .../splunk_dos_via_printf_search_function.yml | 35 +- ...ndpoint_denial_of_service_dos_zip_bomb.yml | 24 +- ...prise_kv_store_incorrect_authorization.yml | 47 +- ...ons_manager_via_investigation_creation.yml | 42 +- ..._dos_through_investigation_attachments.yml | 48 +- ...esponse_splitting_via_rest_spl_command.yml | 34 +- ...nk_list_all_nonstandard_admin_accounts.yml | 20 +- ...e_user_can_view_hashed_splunk_password.yml | 45 +- ...sal_in_splunk_app_for_lookup_file_edit.yml | 43 +- ..._via_url_validation_bypass_w_dashboard.yml | 40 +- ...s_injection_forwarder_bundle_downloads.yml | 25 +- ...sonation_weak_encryption_configuration.yml | 25 +- ...unk_rce_via_serialized_session_payload.yml | 35 +- ..._gateway__splunk_mobile_alerts_feature.yml | 24 +- .../application/splunk_rce_via_user_xslt.yml | 4 +- ...ected_xss_on_app_search_table_endpoint.yml | 44 +- ...ed_xss_via_data_model_objectname_field.yml | 21 +- ...nticated_log_injection_web_service_log.yml | 44 +- ...nsions_allowed_by_lookup_table_uploads.yml | 71 +- .../splunk_user_enumeration_attempt.yml | 24 +- .../splunk_xss_in_highlighted_json_events.yml | 69 +- .../splunk_xss_in_monitoring_console.yml | 19 +- ...ave_table_dialog_header_in_search_page.yml | 21 +- .../application/splunk_xss_via_view.yml | 23 +- ...suspicious_email_attachment_extensions.yml | 8 +- ...servers_executing_suspicious_processes.yml | 6 +- ...gh_number_of_cloud_instances_destroyed.yml | 15 +- ...igh_number_of_cloud_instances_launched.yml | 14 +- ..._eks_kubernetes_cluster_scan_detection.yml | 2 +- ...azon_eks_kubernetes_pod_scan_detection.yml | 8 +- ...concurrent_sessions_from_different_ips.yml | 34 +- ..._aws_defense_evasion_delete_cloudtrail.yml | 43 +- ...se_evasion_delete_cloudwatch_log_group.yml | 44 +- ...fense_evasion_impair_security_services.yml | 47 +- .../cloud/asl_aws_iam_delete_policy.yml | 40 +- ...s_multi_factor_authentication_disabled.yml | 46 +- ...aws_new_mfa_method_registered_for_user.yml | 46 +- ...ttribute_modification_for_exfiltration.yml | 36 +- ...concurrent_sessions_from_different_ips.yml | 26 +- ...sole_login_failed_during_mfa_challenge.yml | 23 +- ..._policy_version_to_allow_all_resources.yml | 18 +- detections/cloud/aws_createaccesskey.yml | 26 +- detections/cloud/aws_createloginprofile.yml | 20 +- .../aws_credential_access_failed_login.yml | 21 +- ...s_credential_access_rds_password_reset.yml | 22 +- .../aws_defense_evasion_delete_cloudtrail.yml | 22 +- ...se_evasion_delete_cloudwatch_log_group.yml | 22 +- ...fense_evasion_impair_security_services.yml | 23 +- ...aws_defense_evasion_putbucketlifecycle.yml | 21 +- ...efense_evasion_stop_logging_cloudtrail.yml | 22 +- .../aws_defense_evasion_update_cloudtrail.yml | 23 +- detections/cloud/aws_detect_role_creation.yml | 14 +- ...g_keys_with_encrypt_policy_without_mfa.yml | 25 +- .../cloud/aws_disable_bucket_versioning.yml | 32 +- .../aws_ec2_snapshot_shared_externally.yml | 2 +- ...ontainer_upload_outside_business_hours.yml | 27 +- .../aws_ecr_container_upload_unknown_user.yml | 20 +- ...n_via_anomalous_getobject_api_activity.yml | 32 +- .../aws_exfiltration_via_batch_service.yml | 29 +- ...ws_exfiltration_via_bucket_replication.yml | 30 +- .../aws_exfiltration_via_datasync_task.yml | 32 +- .../aws_exfiltration_via_ec2_snapshot.yml | 38 +- ...ber_of_failed_authentications_for_user.yml | 20 +- ...mber_of_failed_authentications_from_ip.yml | 24 +- .../aws_iam_accessdenied_discovery_events.yml | 20 +- ...aws_iam_assume_role_policy_brute_force.yml | 23 +- detections/cloud/aws_iam_delete_policy.yml | 22 +- .../cloud/aws_iam_failure_group_deletion.yml | 25 +- .../aws_iam_successful_group_deletion.yml | 21 +- .../cloud/aws_lambda_updatefunctioncode.yml | 21 +- ...s_multi_factor_authentication_disabled.yml | 19 +- ..._multiple_failed_mfa_requests_for_user.yml | 26 +- ..._users_failing_to_authenticate_from_ip.yml | 31 +- ...ws_network_access_control_list_deleted.yml | 21 +- .../cloud/aws_password_policy_changes.yml | 21 +- ...ws_s3_exfiltration_behavior_identified.yml | 43 +- ..._access_by_provider_user_and_principal.yml | 21 +- .../aws_saml_update_identity_provider.yml | 21 +- .../cloud/aws_setdefaultpolicyversion.yml | 24 +- ...nsole_authentication_from_multiple_ips.yml | 28 +- ...uccessful_single_factor_authentication.yml | 18 +- ...mber_of_failed_authentications_from_ip.yml | 35 +- detections/cloud/aws_updateloginprofile.yml | 27 +- ...ure_active_directory_high_risk_sign_in.yml | 37 +- ..._consent_bypassed_by_service_principal.yml | 46 +- ...pplication_administrator_role_assigned.yml | 42 +- ...entication_failed_during_mfa_challenge.yml | 34 +- ...k_user_consent_for_risky_apps_disabled.yml | 49 +- ...concurrent_sessions_from_different_ips.yml | 43 +- .../azure_ad_device_code_authentication.yml | 46 +- .../azure_ad_external_guest_user_invited.yml | 38 +- ...ad_fullaccessasapp_permission_assigned.yml | 50 +- ..._ad_global_administrator_role_assigned.yml | 45 +- ...ber_of_failed_authentications_for_user.yml | 43 +- ...mber_of_failed_authentications_from_ip.yml | 39 +- ...d_multi_factor_authentication_disabled.yml | 37 +- ...ti_source_failed_authentications_spike.yml | 56 +- ...ds_and_useragents_authentication_spike.yml | 48 +- ..._multiple_denied_mfa_requests_for_user.yml | 40 +- ..._multiple_failed_mfa_requests_for_user.yml | 51 +- ...tiple_service_principals_created_by_sp.yml | 44 +- ...ple_service_principals_created_by_user.yml | 41 +- ..._users_failing_to_authenticate_from_ip.yml | 45 +- .../azure_ad_new_custom_domain_added.yml | 41 +- .../azure_ad_new_federated_domain_added.yml | 40 +- .../azure_ad_new_mfa_method_registered.yml | 56 +- ..._ad_new_mfa_method_registered_for_user.yml | 34 +- ...th_application_consent_granted_by_user.yml | 37 +- .../cloud/azure_ad_pim_role_assigned.yml | 41 +- ...azure_ad_pim_role_assignment_activated.yml | 41 +- ...entication_administrator_role_assigned.yml | 46 +- ...ivileged_graph_api_permission_assigned.yml | 45 +- .../azure_ad_privileged_role_assigned.yml | 24 +- ...ged_role_assigned_to_service_principal.yml | 19 +- ...re_ad_service_principal_authentication.yml | 42 +- .../azure_ad_service_principal_created.yml | 41 +- ...rvice_principal_new_client_credentials.yml | 42 +- ...azure_ad_service_principal_owner_added.yml | 49 +- ...sful_authentication_from_different_ips.yml | 42 +- ...d_successful_powershell_authentication.yml | 39 +- ...uccessful_single_factor_authentication.yml | 36 +- ...e_ad_tenant_wide_admin_consent_granted.yml | 52 +- ...mber_of_failed_authentications_from_ip.yml | 51 +- ..._consent_blocked_for_risky_application.yml | 45 +- ...r_consent_denied_for_oauth_application.yml | 36 +- ...ure_ad_user_enabled_and_password_reset.yml | 42 +- ..._ad_user_immutableid_attribute_updated.yml | 43 +- .../azure_automation_account_created.yml | 42 +- .../azure_automation_runbook_created.yml | 39 +- .../cloud/azure_runbook_webhook_created.yml | 40 +- .../cloud/circle_ci_disable_security_job.yml | 14 +- .../cloud/circle_ci_disable_security_step.yml | 11 +- ...alls_from_previously_unseen_user_roles.yml | 9 +- ...e_created_with_previously_unseen_image.yml | 9 +- ...d_with_previously_unseen_instance_type.yml | 16 +- ...g_activity_from_previously_unseen_city.yml | 7 +- ...ctivity_from_previously_unseen_country.yml | 7 +- ...vity_from_previously_unseen_ip_address.yml | 5 +- ...activity_from_previously_unseen_region.yml | 5 +- ..._security_groups_modifications_by_user.yml | 58 +- .../detect_aws_console_login_by_new_user.yml | 19 +- ...ws_console_login_by_user_from_new_city.yml | 23 +- ...console_login_by_user_from_new_country.yml | 22 +- ..._console_login_by_user_from_new_region.yml | 23 +- .../cloud/detect_new_open_s3_buckets.yml | 2 +- ...etect_new_open_s3_buckets_over_aws_cli.yml | 2 +- ...entication_failed_during_mfa_challenge.yml | 24 +- ...p_multi_factor_authentication_disabled.yml | 27 +- ..._multiple_failed_mfa_requests_for_user.yml | 32 +- ..._users_failing_to_authenticate_from_ip.yml | 25 +- ...uccessful_single_factor_authentication.yml | 26 +- ...mber_of_failed_authentications_from_ip.yml | 32 +- .../cloud/github_commit_changes_in_master.yml | 21 +- detections/cloud/github_commit_in_develop.yml | 20 +- detections/cloud/github_dependabot_alert.yml | 18 +- .../github_pull_request_from_unknown_user.yml | 18 +- .../gsuite_drive_share_in_external_email.yml | 17 +- .../gsuite_email_suspicious_attachment.yml | 21 +- ...ail_suspicious_subject_with_attachment.yml | 25 +- ...mail_with_known_abuse_web_service_link.yml | 20 +- ...ail_with_attachment_to_external_domain.yml | 24 +- .../gsuite_suspicious_shared_file_name.yml | 22 +- ...of_login_failures_from_a_single_source.yml | 38 +- ...es_abuse_of_secret_by_unusual_location.yml | 28 +- ..._abuse_of_secret_by_unusual_user_agent.yml | 28 +- ..._abuse_of_secret_by_unusual_user_group.yml | 27 +- ...s_abuse_of_secret_by_unusual_user_name.yml | 27 +- .../cloud/kubernetes_access_scanning.yml | 26 +- ..._inbound_network_activity_from_process.yml | 37 +- ..._anomalous_inbound_outbound_network_io.yml | 64 +- ...s_inbound_to_outbound_network_io_ratio.yml | 64 +- ...outbound_network_activity_from_process.yml | 38 +- ...etes_anomalous_traffic_on_network_edge.yml | 30 +- ...es_aws_detect_suspicious_kubectl_calls.yml | 28 +- ...rnetes_create_or_update_privileged_pod.yml | 43 +- .../cloud/kubernetes_cron_job_creation.yml | 46 +- .../cloud/kubernetes_daemonset_deployed.yml | 43 +- .../cloud/kubernetes_falco_shell_spawned.yml | 35 +- .../cloud/kubernetes_newly_seen_tcp_edge.yml | 34 +- .../cloud/kubernetes_newly_seen_udp_edge.yml | 34 +- .../cloud/kubernetes_node_port_creation.yml | 44 +- ...netes_pod_created_in_default_namespace.yml | 23 +- ...netes_pod_with_host_network_attachment.yml | 43 +- ...previously_unseen_container_image_name.yml | 67 +- .../kubernetes_previously_unseen_process.yml | 66 +- ...bernetes_process_running_from_new_path.yml | 66 +- ...ss_with_anomalous_resource_utilisation.yml | 60 +- ..._process_with_resource_ratio_anomalies.yml | 102 +- ...scanning_by_unauthenticated_ip_address.yml | 25 +- ...ubernetes_shell_running_on_worker_node.yml | 57 +- ...nning_on_worker_node_with_cpu_activity.yml | 60 +- .../kubernetes_suspicious_image_pulling.yml | 25 +- .../cloud/kubernetes_unauthorized_access.yml | 21 +- ...365_add_app_role_assignment_grant_user.yml | 33 +- .../cloud/o365_added_service_principal.yml | 36 +- ..._consent_bypassed_by_service_principal.yml | 36 +- .../cloud/o365_advanced_audit_disabled.yml | 40 +- ...5_application_registration_owner_added.yml | 31 +- ...applicationimpersonation_role_assigned.yml | 30 +- ...k_user_consent_for_risky_apps_disabled.yml | 39 +- .../cloud/o365_bypass_mfa_via_trusted_ip.yml | 19 +- ...365_compliance_content_search_exported.yml | 29 +- ...o365_compliance_content_search_started.yml | 31 +- ...concurrent_sessions_from_different_ips.yml | 29 +- detections/cloud/o365_disable_mfa.yml | 19 +- ...5_elevated_mailbox_permission_assigned.yml | 32 +- ...ed_application_consent_granted_by_user.yml | 30 +- ...65_fullaccessasapp_permission_assigned.yml | 45 +- ...ber_of_failed_authentications_for_user.yml | 35 +- .../o365_high_privilege_role_granted.yml | 29 +- ...ed_application_consent_granted_by_user.yml | 31 +- .../o365_mailbox_email_forwarding_enabled.yml | 35 +- ...ailbox_folder_read_permission_assigned.yml | 32 +- ...mailbox_folder_read_permission_granted.yml | 36 +- ...box_inbox_folder_shared_with_all_users.yml | 36 +- ...box_read_access_granted_to_application.yml | 33 +- ...ti_source_failed_authentications_spike.yml | 45 +- ...ds_and_useragents_authentication_spike.yml | 39 +- ..._multiple_failed_mfa_requests_for_user.yml | 31 +- ...65_multiple_mailboxes_accessed_via_api.yml | 41 +- ...tiple_service_principals_created_by_sp.yml | 50 +- ...ple_service_principals_created_by_user.yml | 34 +- ..._users_failing_to_authenticate_from_ip.yml | 34 +- ...o365_new_email_forwarding_rule_created.yml | 27 +- ...o365_new_email_forwarding_rule_enabled.yml | 33 +- .../cloud/o365_new_federated_domain_added.yml | 18 +- ...5_new_forwarding_mailflow_rule_created.yml | 31 +- .../cloud/o365_new_mfa_method_registered.yml | 30 +- .../o365_oauth_app_mailbox_access_via_ews.yml | 38 +- ...oauth_app_mailbox_access_via_graph_api.yml | 34 +- ...ivileged_graph_api_permission_assigned.yml | 44 +- detections/cloud/o365_pst_export_alert.yml | 19 +- ...ecurity_and_compliance_alert_triggered.yml | 42 +- ...rvice_principal_new_client_credentials.yml | 39 +- ...o365_tenant_wide_admin_consent_granted.yml | 39 +- ..._consent_blocked_for_risky_application.yml | 31 +- ...r_consent_denied_for_oauth_application.yml | 34 +- ...isk_rule_for_dev_sec_ops_by_repository.yml | 22 +- ...nts_connecting_to_multiple_dns_servers.yml | 2 +- ...s_resolved_by_unauthorized_dns_servers.yml | 2 +- .../first_time_seen_command_line_argument.yml | 2 +- .../gcp_kubernetes_cluster_scan_detection.yml | 2 +- ...h_invalid_credentials_from_the_same_ip.yml | 2 +- .../deprecated/okta_failed_sso_attempts.yml | 2 +- .../prohibited_software_on_endpoint.yml | 2 +- ...uspicious_changes_to_file_associations.yml | 2 +- .../uncommon_processes_on_endpoint.yml | 2 +- .../unsigned_image_loaded_by_lsass.yml | 2 +- .../7zip_commandline_to_smb_share_path.yml | 19 +- .../access_lsass_memory_for_dump_creation.yml | 25 +- .../account_discovery_with_net_app.yml | 22 +- ..._directory_lateral_movement_identified.yml | 53 +- ...ectory_privilege_escalation_identified.yml | 53 +- .../active_setup_registry_autostart.yml | 30 +- ...d_defaultuser_and_password_in_registry.yml | 32 +- .../add_or_set_windows_defender_exclusion.yml | 21 +- .../adsisearcher_account_discovery.yml | 19 +- ..._file_and_printing_sharing_in_firewall.yml | 21 +- ...ound_traffic_by_firewall_rule_registry.yml | 31 +- ...allow_inbound_traffic_in_firewall_rule.yml | 34 +- .../allow_network_discovery_in_firewall.yml | 22 +- .../allow_operation_with_consent_admin.yml | 33 +- .../endpoint/anomalous_usage_of_7zip.yml | 25 +- .../endpoint/any_powershell_downloadfile.yml | 20 +- .../any_powershell_downloadstring.yml | 20 +- .../endpoint/attacker_tools_on_endpoint.yml | 9 +- ..._to_add_certificate_to_untrusted_store.yml | 9 +- .../attempt_to_stop_security_service.yml | 9 +- .../auto_admin_logon_registry_entry.yml | 33 +- ...dedit_command_back_to_normal_mode_boot.yml | 21 +- detections/endpoint/bits_job_persistence.yml | 25 +- .../endpoint/bitsadmin_download_file.yml | 31 +- ...load_with_urlcache_and_split_arguments.yml | 22 +- ...oad_with_verifyctl_and_split_arguments.yml | 22 +- .../certutil_with_decode_argument.yml | 23 +- .../change_default_file_association.yml | 20 +- ...hange_to_safe_mode_with_network_config.yml | 21 +- .../endpoint/chcp_command_execution.yml | 18 +- .../check_elevated_cmd_using_whoami.yml | 21 +- .../child_processes_of_spoolsv_exe.yml | 2 +- .../endpoint/clop_common_exec_parameter.yml | 22 +- .../clop_ransomware_known_service_name.yml | 25 +- ...cmd_carry_out_string_command_parameter.yml | 20 +- .../endpoint/cmd_echo_pipe___escalation.yml | 19 +- ...cmdline_tool_not_executed_in_cmd_shell.yml | 23 +- .../endpoint/cobalt_strike_named_pipes.yml | 34 +- .../endpoint/common_ransomware_extensions.yml | 16 +- ...nnectwise_screenconnect_path_traversal.yml | 39 +- ...eenconnect_path_traversal_windows_sacl.yml | 38 +- ..._loading_from_world_writable_directory.yml | 19 +- ...ate_local_admin_accounts_using_net_exe.yml | 15 +- ...or_delete_windows_shares_using_net_exe.yml | 11 +- ...ate_remote_thread_in_shell_application.yml | 24 +- .../create_remote_thread_into_lsass.yml | 20 +- .../creation_of_lsass_dump_with_taskmgr.yml | 23 +- ...f_shadow_copy_with_wmic_and_powershell.yml | 9 +- ...ping_via_copy_command_from_shadow_copy.yml | 18 +- ...ial_dumping_via_symlink_to_shadow_copy.yml | 9 +- .../csc_net_on_the_fly_compilation.yml | 23 +- .../curl_download_and_bash_execution.yml | 20 +- .../delete_shadowcopy_with_powershell.yml | 24 +- detections/endpoint/deleting_of_net_users.yml | 20 +- ...tect_azurehound_command_line_arguments.yml | 26 +- .../detect_azurehound_file_modifications.yml | 26 +- .../detect_baron_samedit_cve_2021_3156.yml | 6 +- ...t_baron_samedit_cve_2021_3156_segfault.yml | 6 +- ...aron_samedit_cve_2021_3156_via_osquery.yml | 13 +- .../detect_certify_command_line_arguments.yml | 19 +- ...y_with_powershell_script_block_logging.yml | 42 +- .../detect_certipy_file_modifications.yml | 74 +- ...f_shadowcopy_with_script_block_logging.yml | 39 +- ...redential_dumping_through_lsass_access.yml | 29 +- ...e_with_powershell_script_block_logging.yml | 29 +- .../endpoint/detect_exchange_web_shell.yml | 43 +- .../endpoint/detect_html_help_renamed.yml | 29 +- .../detect_html_help_spawn_child_process.yml | 33 +- .../detect_html_help_url_in_command_line.yml | 33 +- ...l_help_using_infotech_storage_handlers.yml | 28 +- ...z_with_powershell_script_block_logging.yml | 28 +- .../detect_mshta_inline_hta_execution.yml | 20 +- detections/endpoint/detect_mshta_renamed.yml | 22 +- .../detect_mshta_url_in_command_line.yml | 21 +- .../detect_new_local_admin_account.yml | 23 +- .../detect_outlook_exe_writing_a_zip_file.yml | 2 +- .../detect_psexec_with_accepteula_flag.yml | 23 +- .../endpoint/detect_rare_executables.yml | 35 +- .../detect_rclone_command_line_usage.yml | 29 +- .../detect_regasm_spawning_a_process.yml | 31 +- .../detect_regasm_with_network_connection.yml | 28 +- ..._regasm_with_no_command_line_arguments.yml | 27 +- .../detect_regsvcs_spawning_a_process.yml | 31 +- ...detect_regsvcs_with_network_connection.yml | 29 +- ...regsvcs_with_no_command_line_arguments.yml | 21 +- ...ct_regsvr32_application_control_bypass.yml | 33 +- ...tect_remote_access_software_usage_file.yml | 48 +- ..._remote_access_software_usage_fileinfo.yml | 39 +- ...t_remote_access_software_usage_process.yml | 39 +- detections/endpoint/detect_renamed_7_zip.yml | 22 +- detections/endpoint/detect_renamed_psexec.yml | 19 +- detections/endpoint/detect_renamed_rclone.yml | 20 +- detections/endpoint/detect_renamed_winrar.yml | 19 +- .../endpoint/detect_rtlo_in_file_name.yml | 57 +- .../endpoint/detect_rtlo_in_process.yml | 19 +- ...2_application_control_bypass___advpack.yml | 24 +- ..._application_control_bypass___setupapi.yml | 24 +- ..._application_control_bypass___syssetup.yml | 24 +- .../detect_rundll32_inline_hta_execution.yml | 21 +- ...tect_sharphound_command_line_arguments.yml | 21 +- .../detect_sharphound_file_modifications.yml | 33 +- .../endpoint/detect_sharphound_usage.yml | 23 +- ...ssnames_using_pretrained_model_in_dsdl.yml | 26 +- ..._cmd_exe_to_launch_script_interpreters.yml | 38 +- .../detect_webshell_exploit_behavior.yml | 21 +- ...ect_wmi_event_subscription_persistence.yml | 39 +- .../disable_amsi_through_registry.yml | 20 +- .../disable_defender_antivirus_registry.yml | 34 +- ...able_defender_blockatfirstseen_feature.yml | 19 +- ...disable_defender_enhanced_notification.yml | 22 +- .../disable_defender_mpengine_registry.yml | 33 +- ...efender_submit_samples_consent_feature.yml | 19 +- .../endpoint/disable_etw_through_registry.yml | 19 +- detections/endpoint/disable_registry_tool.yml | 25 +- detections/endpoint/disable_schedule_task.yml | 21 +- ...le_security_logs_using_minint_registry.yml | 19 +- .../endpoint/disable_show_hidden_files.yml | 39 +- .../disable_uac_remote_restriction.yml | 20 +- .../endpoint/disable_windows_app_hotkeys.yml | 25 +- ...disable_windows_smartscreen_protection.yml | 36 +- ...thentication_discovery_with_get_aduser.yml | 23 +- ...uthentication_discovery_with_powerview.yml | 27 +- .../endpoint/disabling_cmd_application.yml | 23 +- .../endpoint/disabling_defender_services.yml | 26 +- ...isabling_folderoptions_windows_feature.yml | 21 +- .../endpoint/disabling_norun_windows_app.yml | 23 +- .../disabling_systemrestore_in_registry.yml | 32 +- .../endpoint/disabling_task_manager.yml | 23 +- ...no_command_line_arguments_with_network.yml | 21 +- .../dns_exfiltration_using_nslookup_app.yml | 27 +- .../domain_account_discovery_with_dsquery.yml | 19 +- .../domain_account_discovery_with_net_app.yml | 18 +- ...omain_controller_discovery_with_nltest.yml | 19 +- .../domain_controller_discovery_with_wmic.yml | 20 +- ...main_group_discovery_with_adsisearcher.yml | 32 +- .../domain_group_discovery_with_dsquery.yml | 19 +- .../domain_group_discovery_with_net.yml | 19 +- .../domain_group_discovery_with_wmic.yml | 19 +- .../download_files_using_telegram.yml | 23 +- .../endpoint/drop_icedid_license_dat.yml | 20 +- .../endpoint/dsquery_domain_discovery.yml | 44 +- .../endpoint/dump_lsass_via_comsvcs_dll.yml | 9 +- .../endpoint/dump_lsass_via_procdump.yml | 35 +- .../elevated_group_discovery_with_net.yml | 20 +- ...levated_group_discovery_with_powerview.yml | 37 +- .../elevated_group_discovery_with_wmic.yml | 19 +- .../enable_rdp_in_other_port_number.yml | 24 +- ...le_wdigest_uselogoncredential_registry.yml | 27 +- ...erate_users_local_group_using_telegram.yml | 30 +- detections/endpoint/esentutl_sam_copy.yml | 19 +- detections/endpoint/eventvwr_uac_bypass.yml | 21 +- .../endpoint/excel_spawning_powershell.yml | 28 +- .../excel_spawning_windows_script_host.yml | 29 +- ...e_distinct_processes_from_windows_temp.yml | 20 +- ...ve_file_deletion_in_windefender_folder.yml | 43 +- ...r_of_service_control_start_as_disabled.yml | 21 +- ...excessive_number_of_taskhost_processes.yml | 24 +- .../excessive_service_stop_attempt.yml | 19 +- .../endpoint/excessive_usage_of_cacls_app.yml | 18 +- .../endpoint/excessive_usage_of_net_app.yml | 19 +- .../excessive_usage_of_nslookup_app.yml | 31 +- .../excessive_usage_of_sc_service_utility.yml | 19 +- .../exchange_powershell_abuse_via_ssrf.yml | 28 +- .../exchange_powershell_module_usage.yml | 42 +- ...le_written_in_administrative_smb_share.yml | 36 +- ..._or_script_creation_in_suspicious_path.yml | 22 +- ...cute_javascript_with_jscript_com_clsid.yml | 19 +- ...ution_of_file_with_multiple_extensions.yml | 24 +- .../endpoint/extraction_of_registry_hives.yml | 25 +- .../endpoint/file_with_samsam_extension.yml | 9 +- .../firewall_allowed_program_enable.yml | 20 +- detections/endpoint/fodhelper_uac_bypass.yml | 41 +- detections/endpoint/fsutil_zeroing_file.yml | 18 +- ...ltdomainpasswordpolicy_with_powershell.yml | 19 +- ...ordpolicy_with_powershell_script_block.yml | 27 +- .../endpoint/get_aduser_with_powershell.yml | 19 +- ...et_aduser_with_powershell_script_block.yml | 20 +- ...esultantpasswordpolicy_with_powershell.yml | 19 +- ...ordpolicy_with_powershell_script_block.yml | 20 +- .../get_domainpolicy_with_powershell.yml | 19 +- ...ainpolicy_with_powershell_script_block.yml | 19 +- .../get_domaintrust_with_powershell.yml | 22 +- ...maintrust_with_powershell_script_block.yml | 31 +- .../get_domainuser_with_powershell.yml | 21 +- ...omainuser_with_powershell_script_block.yml | 20 +- .../get_foresttrust_with_powershell.yml | 21 +- ...resttrust_with_powershell_script_block.yml | 31 +- .../get_wmiobject_group_discovery.yml | 19 +- ...up_discovery_with_script_block_logging.yml | 31 +- .../getadcomputer_with_powershell.yml | 19 +- ...dcomputer_with_powershell_script_block.yml | 20 +- .../endpoint/getadgroup_with_powershell.yml | 20 +- ...etadgroup_with_powershell_script_block.yml | 24 +- .../getcurrent_user_with_powershell.yml | 20 +- ...rent_user_with_powershell_script_block.yml | 25 +- .../getdomaincomputer_with_powershell.yml | 20 +- ...ncomputer_with_powershell_script_block.yml | 23 +- .../getdomaincontroller_with_powershell.yml | 20 +- ...ontroller_with_powershell_script_block.yml | 20 +- .../getdomaingroup_with_powershell.yml | 21 +- ...maingroup_with_powershell_script_block.yml | 21 +- .../endpoint/getlocaluser_with_powershell.yml | 19 +- ...localuser_with_powershell_script_block.yml | 20 +- .../getnettcpconnection_with_powershell.yml | 19 +- ...onnection_with_powershell_script_block.yml | 20 +- ...twmiobject_ds_computer_with_powershell.yml | 21 +- ..._computer_with_powershell_script_block.yml | 19 +- .../getwmiobject_ds_group_with_powershell.yml | 21 +- ..._ds_group_with_powershell_script_block.yml | 24 +- .../getwmiobject_ds_user_with_powershell.yml | 21 +- ...t_ds_user_with_powershell_script_block.yml | 27 +- ...wmiobject_user_account_with_powershell.yml | 20 +- ...r_account_with_powershell_script_block.yml | 19 +- ...no_command_line_arguments_with_network.yml | 42 +- ...dless_browser_mockbin_or_mocky_request.yml | 36 +- .../endpoint/headless_browser_usage.yml | 33 +- .../hide_user_account_from_sign_in_screen.yml | 29 +- ..._files_and_directories_with_attrib_exe.yml | 25 +- ...equency_copy_of_files_in_network_share.yml | 40 +- .../high_process_termination_frequency.yml | 23 +- .../hunting_3cxdesktopapp_software.yml | 20 +- detections/endpoint/icacls_deny_command.yml | 22 +- detections/endpoint/icacls_grant_command.yml | 23 +- ...ateral_movement_commandline_parameters.yml | 24 +- ...ovement_smbexec_commandline_parameters.yml | 25 +- ...ovement_wmiexec_commandline_parameters.yml | 23 +- ...ion_on_remote_endpoint_with_powershell.yml | 27 +- ...class_file_download_by_java_user_agent.yml | 16 +- detections/endpoint/java_writing_jsp_file.yml | 20 +- .../jscript_execution_using_cscript_app.yml | 19 +- ...asting_spn_request_with_rc4_encryption.yml | 32 +- ...on_flag_disabled_in_useraccountcontrol.yml | 26 +- ...tication_flag_disabled_with_powershell.yml | 30 +- ...ce_ticket_request_using_rc4_encryption.yml | 39 +- ...beros_tgt_request_using_rc4_encryption.yml | 33 +- .../endpoint/kerberos_user_enumeration.yml | 36 +- .../known_services_killed_by_ransomware.yml | 25 +- ...nt_manipulation_of_ssh_config_and_keys.yml | 29 +- ...add_files_in_known_crontab_directories.yml | 17 +- .../endpoint/linux_add_user_account.yml | 21 +- ...ux_adding_crontab_using_list_parameter.yml | 32 +- .../linux_apt_get_privilege_escalation.yml | 23 +- .../linux_apt_privilege_escalation.yml | 22 +- .../linux_at_allow_config_file_creation.yml | 20 +- .../linux_at_application_execution.yml | 37 +- .../linux_awk_privilege_escalation.yml | 21 +- .../linux_busybox_privilege_escalation.yml | 22 +- .../linux_c89_privilege_escalation.yml | 22 +- .../linux_c99_privilege_escalation.yml | 22 +- .../linux_change_file_owner_to_root.yml | 22 +- .../endpoint/linux_clipboard_data_copy.yml | 2 +- ...x_common_process_for_elevation_control.yml | 23 +- .../linux_composer_privilege_escalation.yml | 22 +- .../linux_cpulimit_privilege_escalation.yml | 21 +- .../linux_csvtool_privilege_escalation.yml | 20 +- .../endpoint/linux_curl_upload_file.yml | 26 +- .../linux_data_destruction_command.yml | 23 +- .../endpoint/linux_dd_file_overwrite.yml | 21 +- .../endpoint/linux_decode_base64_to_shell.yml | 11 +- ...ng_critical_directory_using_rm_command.yml | 23 +- .../endpoint/linux_deletion_of_cron_jobs.yml | 30 +- .../linux_deletion_of_init_daemon_script.yml | 28 +- .../endpoint/linux_deletion_of_services.yml | 29 +- .../linux_deletion_of_ssl_certificate.yml | 28 +- .../endpoint/linux_disable_services.yml | 22 +- .../linux_doas_conf_file_creation.yml | 23 +- .../endpoint/linux_doas_tool_execution.yml | 23 +- .../linux_docker_privilege_escalation.yml | 24 +- .../linux_edit_cron_table_parameter.yml | 33 +- .../linux_emacs_privilege_escalation.yml | 22 +- ...ile_created_in_kernel_driver_directory.yml | 23 +- ...x_file_creation_in_init_boot_directory.yml | 22 +- ...nux_file_creation_in_profile_directory.yml | 22 +- .../linux_find_privilege_escalation.yml | 22 +- .../linux_gdb_privilege_escalation.yml | 20 +- .../linux_gem_privilege_escalation.yml | 22 +- .../linux_gnu_awk_privilege_escalation.yml | 24 +- .../linux_hardware_addition_swapoff.yml | 22 +- ...quency_of_file_deletion_in_boot_folder.yml | 26 +- ...equency_of_file_deletion_in_etc_folder.yml | 26 +- .../linux_impair_defenses_process_kill.yml | 23 +- .../linux_indicator_removal_clear_cache.yml | 21 +- ...ndicator_removal_service_file_deletion.yml | 23 +- .../linux_ingress_tool_transfer_hunting.yml | 2 +- .../linux_ingress_tool_transfer_with_curl.yml | 21 +- ...ert_kernel_module_using_insmod_utility.yml | 22 +- ...l_kernel_module_using_modprobe_utility.yml | 22 +- .../linux_iptables_firewall_modification.yml | 43 +- .../endpoint/linux_java_spawning_shell.yml | 23 +- .../linux_kernel_module_enumeration.yml | 2 +- ...orker_process_in_writable_process_path.yml | 24 +- .../linux_make_privilege_escalation.yml | 21 +- .../linux_mysql_privilege_escalation.yml | 22 +- .../linux_ngrok_reverse_proxy_usage.yml | 21 +- .../linux_node_privilege_escalation.yml | 22 +- .../linux_nopasswd_entry_in_sudoers_file.yml | 24 +- ...ted_files_or_information_base64_decode.yml | 2 +- .../linux_octave_privilege_escalation.yml | 23 +- .../linux_openvpn_privilege_escalation.yml | 22 +- ...and_privilege_escalation_risk_behavior.yml | 20 +- .../linux_php_privilege_escalation.yml | 22 +- .../linux_pkexec_privilege_escalation.yml | 21 +- ...ss_or_modification_of_sshd_config_file.yml | 23 +- ...ux_possible_access_to_credential_files.yml | 23 +- .../linux_possible_access_to_sudoers_file.yml | 21 +- ...append_command_to_at_allow_config_file.yml | 27 +- ..._append_command_to_profile_config_file.yml | 24 +- ...cronjob_entry_on_existing_cronjob_file.yml | 33 +- ...sible_cronjob_modification_with_editor.yml | 35 +- .../linux_possible_ssh_key_file_creation.yml | 20 +- .../linux_preload_hijack_library_calls.yml | 22 +- .../endpoint/linux_proxy_socks_curl.yml | 27 +- .../linux_puppet_privilege_escalation.yml | 22 +- .../linux_rpm_privilege_escalation.yml | 23 +- .../linux_ruby_privilege_escalation.yml | 20 +- ...vice_file_created_in_systemd_directory.yml | 26 +- .../endpoint/linux_service_restarted.yml | 35 +- .../linux_service_started_or_enabled.yml | 38 +- .../linux_setuid_using_chmod_utility.yml | 26 +- .../linux_setuid_using_setcap_utility.yml | 26 +- .../linux_shred_overwrite_command.yml | 24 +- .../linux_sqlite3_privilege_escalation.yml | 22 +- ...linux_ssh_authorized_keys_modification.yml | 2 +- ...nux_ssh_remote_services_script_execute.yml | 2 +- ...ux_stdout_redirection_to_dev_null_file.yml | 23 +- detections/endpoint/linux_stop_services.yml | 22 +- .../endpoint/linux_sudo_or_su_execution.yml | 25 +- .../linux_sudoers_tmp_file_creation.yml | 24 +- .../linux_system_network_discovery.yml | 22 +- ...x_system_reboot_via_system_request_key.yml | 23 +- ..._unix_shell_enable_all_sysrq_functions.yml | 24 +- .../linux_visudo_utility_execution.yml | 24 +- .../endpoint/loading_of_dynwrapx_module.yml | 23 +- .../local_account_discovery_with_net.yml | 19 +- .../local_account_discovery_with_wmic.yml | 19 +- .../log4shell_cve_2021_44228_exploitation.yml | 29 +- .../logon_script_event_trigger_execution.yml | 19 +- .../endpoint/lolbas_with_network_traffic.yml | 20 +- .../malicious_inprocserver32_modification.yml | 26 +- ...s_powershell_process___encoded_command.yml | 34 +- ...z_passtheticket_commandline_parameters.yml | 21 +- .../mmc_lolbas_execution_process_spawn.yml | 20 +- .../endpoint/modification_of_wallpaper.yml | 34 +- ...dify_acl_permission_to_files_or_folder.yml | 20 +- ...nitor_registry_keys_for_print_monitors.yml | 26 +- ...on_service_writing_active_server_pages.yml | 33 +- ..._scripting_process_loading_ldap_module.yml | 25 +- ...s_scripting_process_loading_wmi_module.yml | 22 +- ...d_suspicious_spawned_by_script_process.yml | 22 +- ..._spawning_rundll32_or_regsvr32_process.yml | 26 +- .../mshtml_module_load_in_office_product.yml | 36 +- ...msi_module_loaded_by_non_system_binary.yml | 32 +- .../msmpeng_application_dll_side_loading.yml | 31 +- .../endpoint/net_profiler_uac_bypass.yml | 21 +- .../network_connection_discovery_with_net.yml | 19 +- ...work_connection_discovery_with_netstat.yml | 18 +- ...work_discovery_using_route_windows_app.yml | 21 +- ...etwork_share_discovery_via_dir_command.yml | 38 +- ...active_directory_web_services_protocol.yml | 31 +- .../endpoint/nishang_powershelltcponeline.yml | 20 +- .../nltest_domain_trust_discovery.yml | 20 +- ...e_process_accessing_chrome_default_dir.yml | 27 +- ...fox_process_access_firefox_profile_dir.yml | 26 +- ...notepad_with_no_command_line_arguments.yml | 22 +- detections/endpoint/ntdsutil_export_ntds.yml | 25 +- .../office_application_drop_executable.yml | 21 +- ...ice_application_spawn_regsvr32_process.yml | 19 +- ...ice_application_spawn_rundll32_process.yml | 18 +- ...office_document_creating_schedule_task.yml | 41 +- .../office_document_executing_macro_code.yml | 32 +- ...ment_spawned_child_process_to_download.yml | 19 +- .../office_product_spawn_cmd_process.yml | 29 +- .../office_product_spawning_bitsadmin.yml | 33 +- .../office_product_spawning_certutil.yml | 33 +- .../office_product_spawning_mshta.yml | 31 +- ..._product_spawning_rundll32_with_no_dll.yml | 32 +- .../endpoint/office_product_spawning_wmic.yml | 33 +- .../office_product_writing_cab_or_inf.yml | 18 +- .../endpoint/office_spawning_control.yml | 30 +- ...nnection_from_java_using_default_ports.yml | 21 +- .../overwriting_accessibility_binaries.yml | 19 +- ...ercut_ng_suspicious_behavior_debug_log.yml | 52 +- ...etitpotam_network_share_access_request.yml | 33 +- ...tpotam_suspicious_kerberos_tgt_request.yml | 30 +- .../endpoint/ping_sleep_batch_command.yml | 21 +- .../possible_browser_pass_view_parameter.yml | 23 +- ...ible_lateral_movement_powershell_spawn.yml | 34 +- .../potential_password_in_username.yml | 20 +- ...entially_malicious_code_on_commandline.yml | 29 +- .../endpoint/powershell_4104_hunting.yml | 20 +- ...connect_to_internet_with_hidden_window.yml | 29 +- .../powershell_creating_thread_mutex.yml | 25 +- .../powershell_domain_enumeration.yml | 27 +- .../powershell_enable_powershell_remoting.yml | 30 +- ...powershell_enable_smb1protocol_feature.yml | 18 +- .../powershell_execute_com_object.yml | 23 +- ...s_process_injection_via_getprocaddress.yml | 35 +- ...script_contains_base64_encoded_content.yml | 34 +- ...up_discovery_with_script_block_logging.yml | 34 +- ...powershell_invoke_cimmethod_cimsession.yml | 28 +- .../powershell_load_module_in_meterpreter.yml | 28 +- ...ding_dotnet_into_memory_via_reflection.yml | 29 +- .../powershell_processing_stream_of_data.yml | 20 +- ...rshell_remote_services_add_trustedhost.yml | 33 +- ...remote_thread_to_known_windows_process.yml | 20 +- ...hell_remove_windows_defender_directory.yml | 21 +- ...powershell_script_block_with_url_chain.yml | 46 +- .../powershell_start_bitstransfer.yml | 22 +- .../powershell_start_or_stop_service.yml | 35 +- ...wershell_using_memory_as_backing_store.yml | 25 +- ...ll_windows_defender_exclusion_commands.yml | 33 +- .../print_processor_registry_autostart.yml | 19 +- .../print_spooler_adding_a_printer_driver.yml | 27 +- ...print_spooler_failed_to_load_a_plug_in.yml | 27 +- ...process_deleting_its_process_file_path.yml | 20 +- .../endpoint/process_execution_via_wmi.yml | 34 +- .../process_writing_dynamicwrapperx.yml | 23 +- .../endpoint/processes_launching_netsh.yml | 21 +- .../processes_tapping_keyboard_events.yml | 19 +- ...randomly_generated_scheduled_task_name.yml | 23 +- ...andomly_generated_windows_service_name.yml | 25 +- .../ransomware_notes_bulk_creation.yml | 23 +- .../recon_avproduct_through_pwh_or_wmi.yml | 25 +- detections/endpoint/recon_using_wmi_class.yml | 28 +- ...rsive_delete_of_directory_in_batch_cmd.yml | 19 +- .../registry_keys_used_for_persistence.yml | 23 +- ...try_keys_used_for_privilege_escalation.yml | 24 +- ...2_silent_and_install_param_dll_loading.yml | 20 +- ...svr32_with_known_silent_switch_cmdline.yml | 23 +- .../remcos_client_registry_install_entry.yml | 9 +- ...cos_rat_file_creation_in_remcos_folder.yml | 18 +- ...mote_desktop_process_running_on_system.yml | 18 +- ..._instantiation_via_dcom_and_powershell.yml | 21 +- ...n_via_dcom_and_powershell_script_block.yml | 26 +- ...instantiation_via_winrm_and_powershell.yml | 20 +- ..._via_winrm_and_powershell_script_block.yml | 22 +- ...cess_instantiation_via_winrm_and_winrs.yml | 19 +- ...s_instantiation_via_wmi_and_powershell.yml | 18 +- ...on_via_wmi_and_powershell_script_block.yml | 28 +- ...ote_system_discovery_with_adsisearcher.yml | 22 +- .../remote_system_discovery_with_dsquery.yml | 20 +- .../remote_system_discovery_with_net.yml | 20 +- .../remote_system_discovery_with_wmic.yml | 20 +- .../endpoint/remote_wmi_command_attempt.yml | 19 +- .../endpoint/resize_shadowstorage_volume.yml | 21 +- detections/endpoint/revil_registry_entry.yml | 21 +- .../rubeus_command_line_parameters.yml | 24 +- ...ticket_exports_through_winlogon_access.yml | 25 +- .../runas_execution_in_commandline.yml | 21 +- .../endpoint/rundll32_control_rundll_hunt.yml | 22 +- ...ontrol_rundll_world_writable_directory.yml | 23 +- ...ll32_create_remote_thread_to_a_process.yml | 18 +- ...rundll32_createremotethread_in_browser.yml | 19 +- detections/endpoint/rundll32_dnsquery.yml | 29 +- .../endpoint/rundll32_lockworkstation.yml | 18 +- ...undll32_process_creating_exe_dll_files.yml | 28 +- .../endpoint/rundll32_shimcache_flush.yml | 19 +- ...no_command_line_arguments_with_network.yml | 22 +- .../rundll_loading_dll_by_ordinal.yml | 20 +- .../endpoint/ryuk_wake_on_lan_command.yml | 24 +- .../sam_database_file_access_attempt.yml | 27 +- ..._by_app_connect_and_create_adsi_object.yml | 24 +- ...edule_task_with_http_command_arguments.yml | 22 +- ...ule_task_with_rundll32_command_trigger.yml | 22 +- ...k_creation_on_remote_endpoint_using_at.yml | 31 +- ...eduled_task_deleted_or_created_via_cmd.yml | 26 +- ...led_task_initiation_on_remote_endpoint.yml | 22 +- .../endpoint/schtasks_run_task_on_demand.yml | 20 +- ...htasks_scheduling_job_on_remote_system.yml | 23 +- .../schtasks_used_for_forcing_a_reboot.yml | 24 +- .../screensaver_event_trigger_execution.yml | 21 +- .../endpoint/script_execution_via_wmi.yml | 11 +- detections/endpoint/sdclt_uac_bypass.yml | 19 +- .../sdelete_application_execution.yml | 21 +- ...host_with_no_command_line_with_network.yml | 22 +- .../secretdumps_offline_ntds_dumping_tool.yml | 19 +- ...incipalnames_discovery_with_powershell.yml | 35 +- ...ceprincipalnames_discovery_with_setspn.yml | 37 +- detections/endpoint/services_escalate_exe.yml | 27 +- ...ervices_lolbas_execution_process_spawn.yml | 22 +- .../endpoint/shim_database_file_creation.yml | 19 +- ...nstallation_with_suspicious_parameters.yml | 20 +- .../endpoint/short_lived_scheduled_task.yml | 39 +- .../endpoint/short_lived_windows_accounts.yml | 15 +- .../endpoint/silentcleanup_uac_bypass.yml | 19 +- .../single_letter_process_on_endpoint.yml | 9 +- detections/endpoint/slui_runas_elevated.yml | 21 +- .../endpoint/slui_spawning_a_process.yml | 29 +- detections/endpoint/spike_in_file_writes.yml | 2 +- .../endpoint/spoolsv_spawning_rundll32.yml | 34 +- .../spoolsv_suspicious_process_access.yml | 20 +- detections/endpoint/spoolsv_writing_a_dll.yml | 27 +- .../spoolsv_writing_a_dll___sysmon.yml | 21 +- .../endpoint/sqlite_module_in_temp_folder.yml | 24 +- ...ation_certificates_behavior_identified.yml | 40 +- ...urst_correlation_dll_and_network_event.yml | 2 +- ...uspicious_computer_account_name_change.yml | 26 +- .../endpoint/suspicious_copy_on_system32.yml | 20 +- .../suspicious_curl_network_connection.yml | 16 +- ...ious_dllhost_no_command_line_arguments.yml | 21 +- .../suspicious_driver_loaded_path.yml | 27 +- .../suspicious_event_log_service_behavior.yml | 25 +- ...ous_gpupdate_no_command_line_arguments.yml | 21 +- .../suspicious_icedid_rundll32_cmdline.yml | 17 +- ...cious_image_creation_in_appdata_folder.yml | 21 +- ...icious_kerberos_service_ticket_request.yml | 33 +- .../suspicious_linux_discovery_commands.yml | 24 +- ...ous_microsoft_workflow_compiler_rename.yml | 20 +- .../endpoint/suspicious_msbuild_path.yml | 19 +- .../endpoint/suspicious_msbuild_spawn.yml | 22 +- .../suspicious_mshta_child_process.yml | 19 +- .../endpoint/suspicious_plistbuddy_usage.yml | 30 +- ...uspicious_plistbuddy_usage_via_osquery.yml | 30 +- ...ess_dns_query_known_abuse_web_services.yml | 33 +- ...s_process_executed_from_container_file.yml | 19 +- .../endpoint/suspicious_process_file_path.yml | 23 +- ...picious_process_with_discord_dns_query.yml | 23 +- .../endpoint/suspicious_reg_exe_process.yml | 2 +- ...ious_regsvr32_register_suspicious_path.yml | 27 +- .../suspicious_rundll32_dllregisterserver.yml | 29 +- ...ous_rundll32_no_command_line_arguments.yml | 21 +- .../endpoint/suspicious_rundll32_startw.yml | 24 +- ...s_scheduled_task_from_public_directory.yml | 26 +- ...protocolhost_no_command_line_arguments.yml | 29 +- ...spicious_sqlite3_lsquarantine_behavior.yml | 16 +- ...picious_ticket_granting_ticket_request.yml | 27 +- .../suspicious_wav_file_in_appdata_folder.yml | 21 +- ...spicious_writes_to_windows_recycle_bin.yml | 25 +- ...svchost_lolbas_execution_process_spawn.yml | 26 +- ...nfo_gathering_using_dxdiag_application.yml | 23 +- ...rocesses_run_from_unexpected_locations.yml | 28 +- .../system_user_discovery_with_query.yml | 18 +- .../system_user_discovery_with_whoami.yml | 19 +- .../time_provider_persistence_registry.yml | 27 +- .../uac_bypass_mmc_load_unsigned_dll.yml | 20 +- .../uac_bypass_with_colorui_com_object.yml | 23 +- .../endpoint/uninstall_app_using_msiexec.yml | 19 +- ...wn_process_using_the_kerberos_protocol.yml | 36 +- .../endpoint/unload_sysmon_filter_driver.yml | 4 +- .../unloading_amsi_via_reflection.yml | 29 +- ..._of_computer_service_tickets_requested.yml | 18 +- ..._of_kerberos_service_tickets_requested.yml | 31 +- ..._remote_endpoint_authentication_events.yml | 18 +- .../endpoint/unusually_long_command_line.yml | 6 +- .../unusually_long_command_line___mltk.yml | 14 +- ...ser_discovery_with_env_vars_powershell.yml | 20 +- ..._with_env_vars_powershell_script_block.yml | 26 +- detections/endpoint/usn_journal_deletion.yml | 19 +- .../vbscript_execution_using_wscript_app.yml | 20 +- .../endpoint/verclsid_clsid_execution.yml | 20 +- detections/endpoint/w3wp_spawning_shell.yml | 23 +- .../wbemprox_com_object_execution.yml | 22 +- ...ss_connecting_to_ip_check_web_services.yml | 26 +- .../wermgr_process_create_executable_file.yml | 20 +- ...cess_spawned_cmd_or_powershell_process.yml | 19 +- .../wget_download_and_bash_execution.yml | 19 +- .../endpoint/windows_abused_web_services.yml | 30 +- ...ss_token_manipulation_sedebugprivilege.yml | 21 +- ...lation_winlogon_duplicate_token_handle.yml | 23 +- ...ogon_duplicate_handle_in_uncommon_path.yml | 31 +- ...iscovery_for_none_disable_user_account.yml | 36 +- ...account_discovery_for_sam_account_name.yml | 33 +- ...scovery_with_netuser_preauthnotrequire.yml | 33 +- .../windows_ad_adminsdholder_acl_modified.yml | 43 +- ...s_ad_cross_domain_sid_history_addition.yml | 43 +- ...omain_controller_audit_policy_disabled.yml | 16 +- ...windows_ad_domain_controller_promotion.yml | 42 +- ...ows_ad_domain_replication_acl_addition.yml | 114 +- .../windows_ad_dsrm_account_changes.yml | 34 +- .../windows_ad_dsrm_password_reset.yml | 35 +- ...rivileged_account_sid_history_addition.yml | 96 +- ...s_ad_privileged_object_access_activity.yml | 67 +- ...tion_request_initiated_by_user_account.yml | 54 +- ...t_initiated_from_unsanctioned_location.yml | 67 +- ...ws_ad_same_domain_sid_history_addition.yml | 40 +- ...eprincipalname_added_to_domain_account.yml | 35 +- ...ed_domain_account_serviceprincipalname.yml | 40 +- ..._lived_domain_controller_spn_attribute.yml | 45 +- .../windows_ad_short_lived_server_object.yml | 43 +- ...dows_ad_sid_history_attribute_modified.yml | 41 +- detections/endpoint/windows_adfind_exe.yml | 23 +- .../windows_admin_permission_discovery.yml | 50 +- ...tive_shares_accessed_on_multiple_hosts.yml | 23 +- ...n_default_group_policy_object_modified.yml | 37 +- ...dows_admon_group_policy_object_created.yml | 35 +- ..._alternate_datastream___base64_content.yml | 45 +- ...ernate_datastream___executable_content.yml | 42 +- ...ternate_datastream___process_execution.yml | 42 +- .../windows_apache_benchmark_binary.yml | 20 +- ...ws_app_layer_protocol_qakbot_namedpipe.yml | 21 +- ...r_protocol_wermgr_connect_to_namedpipe.yml | 21 +- ...yer_protocol_rms_radmin_tool_namedpipe.yml | 30 +- ...cker_execution_from_uncommon_locations.yml | 46 +- ...ege_escalation_via_unauthorized_bypass.yml | 3 +- ...cker_rare_application_launch_detection.yml | 43 +- ..._archive_collected_data_via_powershell.yml | 29 +- ...windows_archive_collected_data_via_rar.yml | 39 +- .../endpoint/windows_autoit3_execution.yml | 42 +- ...ion_lsass_driver_registry_modification.yml | 21 +- ...roxy_execution_mavinject_dll_injection.yml | 23 +- ..._autostart_execution_in_startup_folder.yml | 32 +- .../endpoint/windows_bootloader_inventory.yml | 33 +- .../windows_bypass_uac_via_pkgmgr_tool.yml | 27 +- .../endpoint/windows_cab_file_on_disk.yml | 35 +- ...ws_cached_domain_credentials_reg_query.yml | 22 +- ...fault_file_association_for_no_file_ext.yml | 19 +- ...ndows_clipboard_data_via_get_clipboard.yml | 26 +- ..._hijacking_inprocserver32_modification.yml | 23 +- ...ing_interpreter_hunting_path_traversal.yml | 22 +- ...ipting_interpreter_path_traversal_exec.yml | 21 +- ...s_command_shell_dcrat_forkbomb_payload.yml | 21 +- ...dows_command_shell_fetch_env_variables.yml | 20 +- ..._common_abused_cmd_shell_risk_behavior.yml | 25 +- ...er_account_created_by_computer_account.yml | 31 +- ...windows_conhost_with_headless_argument.yml | 33 +- ...ial_access_from_browser_password_store.yml | 21 +- ...ential_dumping_lsass_memory_createdump.yml | 18 +- ...assword_stores_chrome_extension_access.yml | 23 +- ...ssword_stores_chrome_localstate_access.yml | 38 +- ...ssword_stores_chrome_login_data_access.yml | 39 +- ...dentials_from_password_stores_creation.yml | 35 +- ...dentials_from_password_stores_deletion.yml | 34 +- ...credentials_from_password_stores_query.yml | 21 +- ...dows_credentials_in_registry_reg_query.yml | 22 +- ...ndows_curl_download_to_suspicious_path.yml | 23 +- ...dows_curl_upload_to_remote_destination.yml | 32 +- ...truction_recursive_exec_files_deletion.yml | 49 +- .../windows_debugger_tool_execution.yml | 74 + ...cement_modify_transcodedwallpaper_file.yml | 21 +- ...s_default_group_policy_object_modified.yml | 26 +- ...group_policy_object_modified_with_gpme.yml | 25 +- .../windows_defender_asr_audit_events.yml | 13 +- .../windows_defender_asr_block_events.yml | 11 +- ...ows_defender_asr_registry_modification.yml | 27 +- .../windows_defender_asr_rule_disabled.yml | 7 +- .../windows_defender_asr_rules_stacking.yml | 36 +- ...dows_defender_exclusion_registry_entry.yml | 28 +- ...ndows_delete_or_modify_system_firewall.yml | 31 +- ...ry_by_a_non_critical_process_file_path.yml | 24 +- ...sable_change_password_through_registry.yml | 25 +- ...k_workstation_feature_through_registry.yml | 25 +- ...disable_logoff_button_through_registry.yml | 30 +- .../windows_disable_memory_crash_dump.yml | 25 +- .../windows_disable_notification_center.yml | 19 +- ...s_disable_or_modify_tools_via_taskkill.yml | 34 +- ...sable_shutdown_button_through_registry.yml | 26 +- ...group_policy_features_through_registry.yml | 22 +- .../windows_disableantispyware_registry.yml | 22 +- .../endpoint/windows_diskcryptor_usage.yml | 20 +- .../windows_diskshadow_proxy_execution.yml | 20 +- ...earch_order_hijacking_hunt_with_sysmon.yml | 37 +- ...l_search_order_hijacking_with_iscsicpl.yml | 22 +- .../windows_dll_side_loading_in_calc.yml | 21 +- ...dll_side_loading_process_child_of_calc.yml | 22 +- .../windows_dns_gather_network_info.yml | 23 +- .../windows_dnsadmins_new_member_added.yml | 32 +- ..._account_discovery_via_get_netcomputer.yml | 33 +- ...s_domain_admin_impersonation_indicator.yml | 8 +- ...ows_dotnet_binary_in_non_standard_path.yml | 32 +- .../endpoint/windows_driver_inventory.yml | 18 +- .../windows_driver_load_non_standard_path.yml | 95 +- .../windows_drivers_loaded_by_signature.yml | 24 +- ...enable_win32_scheduledjob_via_registry.yml | 41 +- .../windows_event_for_service_disabled.yml | 23 +- .../endpoint/windows_event_log_cleared.yml | 20 +- ...image_file_execution_options_injection.yml | 25 +- ...dows_excessive_disabled_services_event.yml | 33 +- .../windows_executable_in_loaded_modules.yml | 60 +- ...s_execute_arbitrary_commands_with_msdt.yml | 20 +- ...ltration_over_c2_via_invoke_restmethod.yml | 31 +- ...on_over_c2_via_powershell_uploadstring.yml | 30 +- .../endpoint/windows_export_certificate.yml | 23 +- ...ws_file_share_discovery_with_powerview.yml | 30 +- ...er_protocol_in_non_common_process_path.yml | 25 +- ...e_without_extension_in_critical_folder.yml | 20 +- ..._access_rights_modification_via_icacls.yml | 24 +- ..._organizational_units_with_getdomainou.yml | 35 +- ...ting_acl_with_findinterestingdomainacl.yml | 33 +- .../windows_findstr_gpp_discovery.yml | 23 +- ..._forest_discovery_with_getforestdomain.yml | 33 +- ..._gather_victim_host_information_camera.yml | 27 +- ...indows_gather_victim_identity_sam_info.yml | 23 +- ...ork_info_through_ip_check_web_services.yml | 32 +- ...ter_unconstrained_delegation_discovery.yml | 29 +- ..._local_admin_with_findlocaladminaccess.yml | 32 +- .../windows_group_policy_object_created.yml | 22 +- .../windows_hidden_schedule_task_settings.yml | 16 +- ...notification_features_through_registry.yml | 27 +- .../windows_high_file_deletion_frequency.yml | 47 +- ...k_execution_flow_version_dll_side_load.yml | 22 +- ...hunting_system_account_targeting_lsass.yml | 19 +- .../windows_identify_protocol_handlers.yml | 30 +- .../windows_iis_components_add_new_module.yml | 21 +- ...s_iis_components_module_failed_to_load.yml | 20 +- ...indows_iis_components_new_module_added.yml | 23 +- ...impair_defense_add_xml_applocker_rules.yml | 18 +- ...ge_win_defender_health_check_intervals.yml | 36 +- ...hange_win_defender_quick_scan_interval.yml | 33 +- ...ense_change_win_defender_throttle_rate.yml | 35 +- ...ense_change_win_defender_tracing_level.yml | 36 +- ..._defense_configure_app_install_control.yml | 39 +- ...ense_define_win_defender_threat_action.yml | 34 +- ...fense_delete_win_defender_context_menu.yml | 21 +- ...e_delete_win_defender_profile_registry.yml | 21 +- ..._deny_security_software_with_applocker.yml | 20 +- ...fense_disable_controlled_folder_access.yml | 35 +- ..._disable_defender_firewall_and_network.yml | 36 +- ..._disable_defender_protocol_recognition.yml | 33 +- ..._impair_defense_disable_pua_protection.yml | 35 +- ...se_disable_realtime_signature_delivery.yml | 33 +- ..._impair_defense_disable_web_evaluation.yml | 37 +- ...defense_disable_win_defender_app_guard.yml | 32 +- ...sable_win_defender_compute_file_hashes.yml | 32 +- ...fense_disable_win_defender_gen_reports.yml | 35 +- ...isable_win_defender_network_protection.yml | 32 +- ..._disable_win_defender_report_infection.yml | 32 +- ...se_disable_win_defender_scan_on_update.yml | 34 +- ...able_win_defender_signature_retirement.yml | 39 +- ...e_overide_win_defender_phishing_filter.yml | 35 +- ...ir_defense_override_smartscreen_prompt.yml | 36 +- ...in_defender_smart_screen_level_to_warn.yml | 32 +- .../windows_impair_defenses_disable_hvci.yml | 33 +- ...nses_disable_win_defender_auto_logging.yml | 21 +- .../windows_indicator_removal_via_rmdir.yml | 35 +- ...ndirect_command_execution_via_forfiles.yml | 21 +- ..._indirect_command_execution_via_pcalua.yml | 19 +- ...mmand_execution_via_series_of_forfiles.yml | 20 +- .../windows_information_discovery_fsutil.yml | 21 +- ...s_ingress_tool_transfer_using_explorer.yml | 23 +- ...indows_inprocserver32_new_outlook_form.yml | 34 +- ..._input_capture_using_credential_ui_dll.yml | 21 +- .../windows_installutil_credential_theft.yml | 45 +- ..._installutil_remote_network_connection.yml | 30 +- .../windows_installutil_uninstall_option.yml | 43 +- ...tallutil_uninstall_option_with_network.yml | 42 +- ...indows_installutil_url_in_command_line.yml | 29 +- .../windows_iso_lnk_file_creation.yml | 19 +- .../endpoint/windows_java_spawning_shells.yml | 16 +- ...indows_kerberos_local_successful_logon.yml | 25 +- .../windows_known_abused_dll_created.yml | 61 +- ...s_known_graphicalproton_loaded_modules.yml | 30 +- ..._of_computer_service_tickets_requested.yml | 45 +- ...ndows_ldifde_directory_object_behavior.yml | 35 +- ...dows_linked_policies_in_adsi_discovery.yml | 25 +- ...ocal_administrator_credential_stuffing.yml | 31 +- .../windows_lsa_secrets_nolmhash_registry.yml | 39 +- ...il_protocol_in_non_common_process_path.yml | 21 +- .../windows_mark_of_the_web_bypass.yml | 30 +- ...masquerading_explorer_as_child_process.yml | 31 +- .../windows_masquerading_msdtc_process.yml | 36 +- .../windows_mimikatz_binary_execution.yml | 23 +- ...y_registry_authenticationleveloverride.yml | 31 +- ...ows_modify_registry_auto_minor_updates.yml | 33 +- ...dows_modify_registry_auto_update_notif.yml | 35 +- ...s_modify_registry_default_icon_setting.yml | 22 +- ...dify_registry_disable_restricted_admin.yml | 38 +- ...y_registry_disable_toast_notifications.yml | 22 +- ...y_disable_win_defender_raw_write_notif.yml | 21 +- ...stry_disable_windefender_notifications.yml | 20 +- ..._disable_windows_security_center_notif.yml | 22 +- ...registry_disableremotedesktopantialias.yml | 34 +- ...odify_registry_disablesecuritysettings.yml | 22 +- ...modify_registry_disabling_wer_settings.yml | 19 +- ...s_modify_registry_disallow_windows_app.yml | 20 +- ..._registry_do_not_connect_to_win_update.yml | 37 +- .../windows_modify_registry_dontshowui.yml | 33 +- ...odify_registry_enablelinkedconnections.yml | 36 +- ...ndows_modify_registry_longpathsenabled.yml | 32 +- ...modify_registry_maxconnectionperserver.yml | 32 +- ...egistry_no_auto_reboot_with_logon_user.yml | 35 +- ...windows_modify_registry_no_auto_update.yml | 21 +- ...ws_modify_registry_nochangingwallpaper.yml | 34 +- .../windows_modify_registry_proxyenable.yml | 34 +- .../windows_modify_registry_proxyserver.yml | 34 +- ...y_registry_qakbot_binary_data_registry.yml | 53 +- .../windows_modify_registry_reg_restore.yml | 20 +- ...ify_registry_regedit_silent_reg_import.yml | 22 +- .../windows_modify_registry_risk_behavior.yml | 53 +- ...y_registry_suppress_win_defender_notif.yml | 20 +- ...dows_modify_registry_tamper_protection.yml | 34 +- ...ify_registry_updateserviceurlalternate.yml | 32 +- .../windows_modify_registry_usewuserver.yml | 33 +- ..._modify_registry_with_md5_reg_key_name.yml | 45 +- .../windows_modify_registry_wuserver.yml | 33 +- ...windows_modify_registry_wustatusserver.yml | 33 +- ...w_compress_color_and_info_tip_registry.yml | 31 +- ...tem_firewall_with_notable_process_path.yml | 38 +- ..._mof_event_triggered_execution_via_wmi.yml | 27 +- .../windows_moveit_transfer_writing_aspx.yml | 33 +- .../windows_mshta_execution_in_registry.yml | 22 +- ...s_mshta_writing_to_world_writable_path.yml | 52 +- ..._msiexec_hidewindow_rundll32_execution.yml | 37 +- .../endpoint/windows_msiexec_spawn_windbg.yml | 39 +- ...dows_multi_hop_proxy_tor_website_query.yml | 24 +- ...ows_multiple_account_passwords_changed.yml | 36 +- .../windows_multiple_accounts_deleted.yml | 34 +- .../windows_multiple_accounts_disabled.yml | 35 +- ...rs_failed_to_authenticate_wth_kerberos.yml | 33 +- ...rs_fail_to_authenticate_using_kerberos.yml | 37 +- ...sers_failed_to_authenticate_using_ntlm.yml | 34 +- ...o_authenticate_wth_explicitcredentials.yml | 32 +- ...d_to_authenticate_from_host_using_ntlm.yml | 31 +- ...rs_failed_to_authenticate_from_process.yml | 35 +- ..._failed_to_authenticate_using_kerberos.yml | 31 +- ...otely_failed_to_authenticate_from_host.yml | 32 +- .../windows_new_inprocserver32_added.yml | 29 +- .../windows_ngrok_reverse_proxy_usage.yml | 19 +- .../endpoint/windows_nirsoft_advancedrun.yml | 20 +- ...ws_njrat_fileless_storage_via_registry.yml | 34 +- ...non_discord_app_access_discord_leveldb.yml | 34 +- ...ows_non_system_account_targeting_lsass.yml | 20 +- .../endpoint/windows_odbcconf_load_dll.yml | 19 +- .../windows_odbcconf_load_response_file.yml | 20 +- .../windows_office_product_spawning_msdt.yml | 29 +- .../windows_papercut_ng_spawn_shell.yml | 19 +- ...dows_parent_pid_spoofing_with_explorer.yml | 35 +- .../windows_password_managers_discovery.yml | 25 +- ..._phishing_outlook_drop_dll_in_form_dir.yml | 35 +- ...ws_phishing_pdf_file_executes_url_link.yml | 22 +- ...dows_phishing_recent_iso_exec_registry.yml | 21 +- .../windows_possible_credential_dumping.yml | 32 +- ...indows_post_exploitation_risk_behavior.yml | 56 +- ...ll_add_module_to_global_assembly_cache.yml | 24 +- ...dows_powershell_cryptography_namespace.yml | 31 +- ...rshell_get_ciminstance_remote_computer.yml | 31 +- ...l_iis_components_webglobalmodule_usage.yml | 20 +- ...ows_powershell_import_applocker_policy.yml | 24 +- .../windows_powershell_remotesigned_file.yml | 19 +- .../windows_powershell_scheduletask.yml | 36 +- ...dows_powershell_wmi_win32_scheduledjob.yml | 33 +- .../windows_powersploit_gpp_discovery.yml | 25 +- ...iew_ad_access_control_list_enumeration.yml | 32 +- ...rview_constrained_delegation_discovery.yml | 31 +- ...erview_kerberos_service_ticket_request.yml | 28 +- .../windows_powerview_spn_discovery.yml | 24 +- ...iew_unconstrained_delegation_discovery.yml | 31 +- .../windows_private_keys_discovery.yml | 24 +- ...scalation_suspicious_process_elevation.yml | 144 +- ...n_system_process_without_system_parent.yml | 101 +- ...tion_user_process_spawn_system_process.yml | 118 +- .../windows_process_commandline_discovery.yml | 38 +- ...injection_in_non_service_searchindexer.yml | 33 +- ...windows_process_injection_into_notepad.yml | 43 +- ...s_injection_of_wermgr_to_known_browser.yml | 23 +- ...indows_process_injection_remote_thread.yml | 29 +- ...process_injection_wermgr_child_process.yml | 22 +- ...cess_injection_with_public_source_path.yml | 19 +- ...ows_process_with_namedpipe_commandline.yml | 23 +- ...ss_writing_file_to_world_writable_path.yml | 55 +- ...ocesses_killed_by_industroyer2_malware.yml | 20 +- .../windows_protocol_tunneling_with_plink.yml | 20 +- .../endpoint/windows_proxy_via_netsh.yml | 22 +- .../endpoint/windows_proxy_via_registry.yml | 32 +- ...uery_registry_browser_list_application.yml | 37 +- .../windows_query_registry_reg_save.yml | 21 +- ..._query_registry_uninstall_program_list.yml | 32 +- ...indows_raccine_scheduled_task_deletion.yml | 19 +- ...rapid_authentication_on_multiple_hosts.yml | 35 +- .../windows_rasautou_dll_execution.yml | 19 +- ...ws_raw_access_to_disk_volume_partition.yml | 27 +- ...raw_access_to_master_boot_record_drive.yml | 23 +- .../windows_rdp_connection_successful.yml | 35 +- ...dows_registry_bootexecute_modification.yml | 42 +- .../windows_registry_certificate_added.yml | 28 +- .../windows_registry_delete_task_sd.yml | 23 +- ...modification_for_safe_mode_persistence.yml | 25 +- .../windows_registry_payload_injection.yml | 20 +- ...ows_registry_sip_provider_modification.yml | 46 +- .../windows_regsvr32_renamed_binary.yml | 20 +- ...remote_access_software_brc4_loaded_dll.yml | 29 +- .../windows_remote_access_software_hunt.yml | 22 +- ...ws_remote_access_software_rms_registry.yml | 20 +- ...ows_remote_assistance_spawning_process.yml | 21 +- .../windows_remote_create_service.yml | 18 +- ...remote_service_rdpwinst_tool_execution.yml | 20 +- ..._remote_services_allow_rdp_in_firewall.yml | 22 +- ...emote_services_allow_remote_assistance.yml | 23 +- .../windows_remote_services_rdp_enable.yml | 22 +- ...ws_replication_through_removable_media.yml | 33 +- ..._root_domain_linked_policies_discovery.yml | 27 +- ...s_rundll32_apply_user_settings_changes.yml | 34 +- ...undll32_webdav_with_network_connection.yml | 18 +- ...windows_scheduled_task_created_via_xml.yml | 33 +- ...s_scheduled_task_service_spawned_shell.yml | 21 +- ...scheduled_task_with_highest_privileges.yml | 27 +- .../windows_schtasks_create_run_as_system.yml | 24 +- .../windows_screen_capture_via_powershell.yml | 29 +- ...ws_security_support_provider_reg_query.yml | 25 +- ...tware_component_gacutil_install_to_gac.yml | 24 +- .../windows_service_create_sliverc2.yml | 38 +- .../windows_service_create_with_tscon.yml | 24 +- ...e_created_with_suspicious_service_path.yml | 28 +- ...ows_service_created_within_public_path.yml | 27 +- ...ws_service_creation_on_remote_endpoint.yml | 19 +- ..._service_creation_using_registry_entry.yml | 27 +- ..._service_initiation_on_remote_endpoint.yml | 18 +- .../windows_service_stop_by_deletion.yml | 20 +- ...rvice_stop_via_net__and_sc_application.yml | 19 +- .../windows_service_stop_win_updates.yml | 21 +- .../windows_sip_provider_inventory.yml | 29 +- ...winverifytrust_failed_trust_validation.yml | 33 +- ...s_snake_malware_kernel_driver_comadmin.yml | 35 +- ...istry_modification_wav_openwithprogids.yml | 40 +- .../windows_snake_malware_service_create.yml | 24 +- .../windows_soaphound_binary_execution.yml | 34 +- ...hment_connect_to_none_ms_office_domain.yml | 20 +- ...hishing_attachment_onenote_spawn_mshta.yml | 31 +- ...ial_privileged_logon_on_multiple_hosts.yml | 36 +- .../windows_sql_spawning_certutil.yml | 27 +- ...ndows_sqlwriter_sqldumper_dll_sideload.yml | 45 +- ...thentication_certificates___esc1_abuse.yml | 72 +- ...ion_certificates___esc1_authentication.yml | 140 +- ...cation_certificates_certificate_issued.yml | 24 +- ...ation_certificates_certificate_request.yml | 20 +- ..._authentication_certificates_cryptoapi.yml | 21 +- ..._steal_or_forge_kerberos_tickets_klist.yml | 21 +- ...ct_process_with_authentication_traffic.yml | 124 +- ...execution_compiled_html_file_decompile.yml | 21 +- ...s_system_discovery_using_ldap_nslookup.yml | 20 +- ...windows_system_discovery_using_qwinsta.yml | 21 +- .../endpoint/windows_system_file_on_disk.yml | 19 +- .../windows_system_logoff_commandline.yml | 31 +- ...m_network_config_discovery_display_dns.yml | 23 +- ...em_network_connections_discovery_netsh.yml | 23 +- .../windows_system_reboot_commandline.yml | 32 +- .../windows_system_shutdown_commandline.yml | 37 +- ...dows_system_time_discovery_w32tm_delay.yml | 20 +- ...indows_system_user_discovery_via_quser.yml | 25 +- ...indows_system_user_privilege_discovery.yml | 33 +- .../windows_terminating_lsass_process.yml | 29 +- .../endpoint/windows_time_based_evasion.yml | 32 +- ...ows_time_based_evasion_via_choice_exec.yml | 36 +- ...ws_uac_bypass_suspicious_child_process.yml | 41 +- ..._bypass_suspicious_escalation_behavior.yml | 65 +- ...outlook_credentials_access_in_registry.yml | 34 +- .../windows_unsigned_dll_side_loading.yml | 64 +- ..._dll_side_loading_in_same_process_path.yml | 69 + .../windows_unsigned_ms_dll_side_loading.yml | 59 +- ...abled_users_failed_auth_using_kerberos.yml | 38 +- ...alid_users_fail_to_auth_using_kerberos.yml | 38 +- ...nvalid_users_failed_to_auth_using_ntlm.yml | 47 +- ...s_fail_to_auth_wth_explicitcredentials.yml | 34 +- ...of_users_failed_to_auth_using_kerberos.yml | 41 +- ...rs_failed_to_authenticate_from_process.yml | 37 +- ...sers_failed_to_authenticate_using_ntlm.yml | 35 +- ...sers_remotely_failed_to_auth_from_host.yml | 33 +- ..._execution_malicious_url_shortcut_file.yml | 21 +- ...id_account_with_never_expires_password.yml | 29 +- .../windows_vulnerable_3cx_software.yml | 38 +- .../windows_vulnerable_driver_loaded.yml | 91 +- .../windows_windbg_spawning_autoit3.yml | 43 +- ...inlogon_with_public_network_connection.yml | 35 +- .../windows_wmi_impersonate_token.yml | 19 +- .../windows_wmi_process_and_service_list.yml | 21 +- .../windows_wmi_process_call_create.yml | 20 +- ..._scheduled_task_created_to_spawn_shell.yml | 31 +- ...eduled_task_created_within_public_path.yml | 39 +- ...ws_task_scheduler_event_action_started.yml | 32 +- .../endpoint/winhlp32_spawning_a_process.yml | 25 +- .../winrar_spawning_shell_application.yml | 29 +- .../endpoint/winrm_spawning_a_process.yml | 17 +- detections/endpoint/winword_spawning_cmd.yml | 31 +- .../endpoint/winword_spawning_powershell.yml | 30 +- .../winword_spawning_windows_script_host.yml | 25 +- .../wmi_permanent_event_subscription.yml | 6 +- ..._permanent_event_subscription___sysmon.yml | 36 +- .../wmi_recon_running_process_or_services.yml | 24 +- .../wmi_temporary_event_subscription.yml | 13 +- detections/endpoint/wmic_group_discovery.yml | 22 +- ...wmic_noninteractive_app_uninstallation.yml | 21 +- .../endpoint/wmic_xsl_execution_via_url.yml | 23 +- ...miprsve_lolbas_execution_process_spawn.yml | 22 +- ...pt_or_cscript_suspicious_child_process.yml | 20 +- ...rovhost_lolbas_execution_process_spawn.yml | 20 +- detections/endpoint/wsreset_uac_bypass.yml | 19 +- .../xsl_script_execution_with_wmic.yml | 20 +- ...domains_using_pretrained_model_in_dsdl.yml | 27 +- ...tration_using_pretrained_model_in_dsdl.yml | 138 +- ...connecting_to_dynamic_domain_providers.yml | 25 +- .../detect_large_outbound_icmp_packets.yml | 16 +- .../network/detect_outbound_ldap_traffic.yml | 14 +- .../network/detect_outbound_smb_traffic.yml | 56 +- .../detect_port_security_violation.yml | 24 +- ...etect_remote_access_software_usage_dns.yml | 41 +- ...t_remote_access_software_usage_traffic.yml | 47 +- .../network/detect_rogue_dhcp_server.yml | 14 +- ...ct_software_download_to_network_device.yml | 17 +- ...records_using_pretrained_model_in_dsdl.yml | 24 +- .../network/detect_traffic_mirroring.yml | 17 +- ...ect_unauthorized_assets_by_mac_address.yml | 18 +- ...t_windows_dns_sigred_via_splunk_stream.yml | 13 +- .../detect_windows_dns_sigred_via_zeek.yml | 6 +- .../network/detect_zerologon_via_zeek.yml | 6 +- .../dns_query_length_outliers___mltk.yml | 2 +- ...ry_length_with_high_standard_deviation.yml | 20 +- detections/network/excessive_dns_failures.yml | 2 +- ...ntrol_rest_vulnerability_cve_2022_1388.yml | 22 +- .../high_volume_of_bytes_out_to_url.yml | 36 +- ...ltiple_archive_files_http_post_traffic.yml | 32 +- .../ngrok_reverse_proxy_on_network.yml | 22 +- .../plain_http_post_exfiltrated_data.yml | 28 +- .../prohibited_network_traffic_allowed.yml | 22 +- .../network/protocol_or_port_mismatch.yml | 18 +- ...ls_passing_authentication_in_cleartext.yml | 17 +- .../remote_desktop_network_traffic.yml | 24 +- detections/network/smb_traffic_spike.yml | 8 +- .../network/smb_traffic_spike___mltk.yml | 2 +- ...splunk_identified_ssl_tls_certificates.yml | 21 +- .../ssl_certificates_with_punycode.yml | 17 +- detections/network/tor_traffic.yml | 33 +- ...windows_ad_replication_service_traffic.yml | 75 +- ...gue_domain_controller_network_activity.yml | 60 +- .../zeek_x509_certificate_with_punycode.yml | 19 +- ...vanti_connect_secure_bookmark_endpoint.yml | 34 +- ...adobe_coldfusion_access_control_bypass.yml | 39 +- ...on_unauthenticated_arbitrary_file_read.yml | 42 +- .../web/cisco_ios_xe_implant_access.yml | 32 +- ...d_gateway_unauthorized_data_disclosure.yml | 46 +- .../citrix_adc_exploitation_cve_2023_3519.yml | 37 +- ..._sharefile_exploitation_cve_2023_24489.yml | 52 +- ...e_cve_2023_22515_trigger_vulnerability.yml | 34 +- ...center_and_server_privilege_escalation.yml | 39 +- ..._rce_via_ognl_injection_cve_2023_22527.yml | 30 +- ...d_remote_code_execution_cve_2022_26134.yml | 25 +- ...se_screenconnect_authentication_bypass.yml | 48 +- ...etect_remote_access_software_usage_url.yml | 50 +- ...ng_application_via_apache_commons_text.yml | 26 +- .../web/f5_tmui_authentication_bypass.yml | 32 +- .../web/fortinet_appliance_auth_bypass.yml | 37 +- detections/web/hunting_for_log4shell.yml | 57 +- ...nect_secure_command_injection_attempts.yml | 37 +- ..._connect_secure_ssrf_in_saml_component.yml | 43 +- ...tem_information_access_via_auth_bypass.yml | 35 +- ...uthenticated_api_access_cve_2023_35078.yml | 39 +- ...uthenticated_api_access_cve_2023_35082.yml | 42 +- .../ivanti_sentry_authentication_bypass.yml | 39 +- ...ins_arbitrary_file_read_cve_2024_23897.yml | 33 +- ...y_authentication_bypass_cve_2024_27198.yml | 42 +- ...ication_bypass_suricata_cve_2024_27198.yml | 40 +- ...ed_auth_bypass_suricata_cve_2024_27199.yml | 44 +- .../web/jetbrains_teamcity_rce_attempt.yml | 36 +- ...emote_code_execution_exploit_detection.yml | 44 +- ...g4shell_jndi_payload_injection_attempt.yml | 34 +- ...oad_injection_with_outbound_connection.yml | 30 +- ...arepoint_server_elevation_of_privilege.yml | 41 +- ...se_screenconnect_authentication_bypass.yml | 41 +- .../papercut_ng_remote_web_access_attempt.yml | 37 +- ...yshell_proxynotshell_behavior_detected.yml | 26 +- .../web/spring4shell_payload_url_request.yml | 22 +- .../web/sql_injection_with_long_urls.yml | 13 +- detections/web/supernova_webshell.yml | 6 +- ...vmware_aria_operations_exploit_attempt.yml | 39 +- ...emarker_server_side_template_injection.yml | 23 +- detections/web/web_jsp_request_via_url.yml | 22 +- .../web/web_remote_shellservlet_access.yml | 37 +- ...spring4shell_http_request_class_module.yml | 21 +- ...b_spring_cloud_function_functionrouter.yml | 24 +- ...ndows_exchange_autodiscover_ssrf_abuse.yml | 25 +- .../wordpress_bricks_builder_plugin_rce.yml | 49 +- .../web/ws_ftp_remote_code_execution.yml | 41 +- ...caler_adware_activities_threat_blocked.yml | 36 +- ...caler_behavior_analysis_threat_blocked.yml | 40 +- ..._cryptominer_downloaded_threat_blocked.yml | 39 +- ...zscaler_employment_search_web_activity.yml | 41 +- .../web/zscaler_exploit_threat_blocked.yml | 38 +- ...zscaler_legal_liability_threat_blocked.yml | 41 +- ...scaler_malware_activity_threat_blocked.yml | 38 +- ...caler_phishing_activity_threat_blocked.yml | 38 +- ...caler_potentially_abused_file_download.yml | 37 +- ...ivacy_risk_destinations_threat_blocked.yml | 39 +- ...caler_scam_destinations_threat_blocked.yml | 36 +- .../zscaler_virus_download_threat_blocked.yml | 38 +- .../curl_download_and_bash_execution.yml | 2 +- dev/endpoint/java_writing_jsp_file.yml | 2 +- ...nt_manipulation_of_ssh_config_and_keys.yml | 2 +- ...add_files_in_known_crontab_directories.yml | 2 +- dev/endpoint/linux_add_user_account.yml | 2 +- ...ux_adding_crontab_using_list_parameter.yml | 2 +- .../linux_apt_get_privilege_escalation.yml | 2 +- .../linux_apt_privilege_escalation.yml | 2 +- .../linux_at_allow_config_file_creation.yml | 2 +- .../linux_at_application_execution.yml | 2 +- .../linux_awk_privilege_escalation.yml | 2 +- .../linux_busybox_privilege_escalation.yml | 2 +- .../linux_c89_privilege_escalation.yml | 2 +- .../linux_c99_privilege_escalation.yml | 2 +- .../linux_change_file_owner_to_root.yml | 2 +- dev/endpoint/linux_clipboard_data_copy.yml | 2 +- ...x_common_process_for_elevation_control.yml | 2 +- .../linux_composer_privilege_escalation.yml | 2 +- .../linux_cpulimit_privilege_escalation.yml | 2 +- .../linux_csvtool_privilege_escalation.yml | 2 +- dev/endpoint/linux_curl_upload_file.yml | 2 +- dev/endpoint/linux_dd_file_overwrite.yml | 2 +- dev/endpoint/linux_decode_base64_to_shell.yml | 2 +- ...ng_critical_directory_using_rm_command.yml | 2 +- dev/endpoint/linux_deletion_of_cron_jobs.yml | 2 +- .../linux_deletion_of_init_daemon_script.yml | 2 +- dev/endpoint/linux_deletion_of_services.yml | 2 +- .../linux_deletion_of_ssl_certificate.yml | 2 +- dev/endpoint/linux_disable_services.yml | 2 +- .../linux_doas_conf_file_creation.yml | 2 +- dev/endpoint/linux_doas_tool_execution.yml | 2 +- .../linux_docker_privilege_escalation.yml | 2 +- .../linux_edit_cron_table_parameter.yml | 2 +- .../linux_emacs_privilege_escalation.yml | 2 +- ...ile_created_in_kernel_driver_directory.yml | 2 +- ...x_file_creation_in_init_boot_directory.yml | 2 +- ...nux_file_creation_in_profile_directory.yml | 2 +- .../linux_find_privilege_escalation.yml | 2 +- .../linux_gdb_privilege_escalation.yml | 2 +- .../linux_gem_privilege_escalation.yml | 2 +- .../linux_gnu_awk_privilege_escalation.yml | 2 +- .../linux_ingress_tool_transfer_hunting.yml | 2 +- .../linux_ingress_tool_transfer_with_curl.yml | 2 +- ...ert_kernel_module_using_insmod_utility.yml | 2 +- ...l_kernel_module_using_modprobe_utility.yml | 2 +- .../linux_iptables_firewall_modification.yml | 2 +- dev/endpoint/linux_java_spawning_shell.yml | 2 +- .../linux_kernel_module_enumeration.yml | 2 +- ...orker_process_in_writable_process_path.yml | 2 +- .../linux_make_privilege_escalation.yml | 2 +- .../linux_mysql_privilege_escalation.yml | 2 +- .../linux_node_privilege_escalation.yml | 2 +- .../linux_nopasswd_entry_in_sudoers_file.yml | 2 +- ...ted_files_or_information_base64_decode.yml | 2 +- .../linux_octave_privilege_escalation.yml | 2 +- .../linux_openvpn_privilege_escalation.yml | 2 +- .../linux_php_privilege_escalation.yml | 2 +- .../linux_pkexec_privilege_escalation.yml | 2 +- ...ss_or_modification_of_sshd_config_file.yml | 2 +- ...ux_possible_access_to_credential_files.yml | 2 +- .../linux_possible_access_to_sudoers_file.yml | 2 +- ...append_command_to_at_allow_config_file.yml | 2 +- ..._append_command_to_profile_config_file.yml | 2 +- ...cronjob_entry_on_existing_cronjob_file.yml | 2 +- ...sible_cronjob_modification_with_editor.yml | 2 +- .../linux_possible_ssh_key_file_creation.yml | 2 +- .../linux_preload_hijack_library_calls.yml | 2 +- dev/endpoint/linux_proxy_socks_curl.yml | 2 +- .../linux_puppet_privilege_escalation.yml | 2 +- .../linux_rpm_privilege_escalation.yml | 2 +- .../linux_ruby_privilege_escalation.yml | 2 +- ...vice_file_created_in_systemd_directory.yml | 2 +- dev/endpoint/linux_service_restarted.yml | 2 +- .../linux_service_started_or_enabled.yml | 2 +- .../linux_setuid_using_setcap_utility.yml | 2 +- .../linux_shred_overwrite_command.yml | 2 +- .../linux_sqlite3_privilege_escalation.yml | 2 +- ...linux_ssh_authorized_keys_modification.yml | 2 +- ...nux_ssh_remote_services_script_execute.yml | 2 +- ...ux_stdout_redirection_to_dev_null_file.yml | 2 +- dev/endpoint/linux_stop_services.yml | 2 +- dev/endpoint/linux_sudo_or_su_execution.yml | 2 +- .../linux_sudoers_tmp_file_creation.yml | 2 +- .../linux_system_network_discovery.yml | 2 +- .../linux_visudo_utility_execution.yml | 2 +- .../wget_download_and_bash_execution.yml | 2 +- ...le_written_in_administrative_smb_share.yml | 74 + dist/DA-ESS-ContentUpdate/README.md | 7 - .../README/essoc_story_detail.txt | 15 - .../README/essoc_summary.txt | 24 - .../README/essoc_usage_dashboard.txt | 51 - dist/DA-ESS-ContentUpdate/app.manifest | 46 - .../default/analytic_stories.conf | 2 - .../default/analyticstories.conf | 20154 ---- dist/DA-ESS-ContentUpdate/default/app.conf | 41 - .../default/collections.conf | 100 - .../default/commands.conf | 11 - .../default/content-version.conf | 9 - .../default/data/ui/nav/default.xml | 7 - ...l_backup_logs_for_host___response_task.xml | 18 - ...tes_activity_by_src_ip___response_task.xml | 18 - ...ity_hub_alerts_by_dest___response_task.xml | 18 - ...ivities_by_accesskeyid___response_task.xml | 18 - ...user_activities_by_arn___response_task.xml | 18 - ...rk_acl_details_from_id___response_task.xml | 18 - ...details_via_resourceid___response_task.xml | 18 - ...details_via_bucketname___response_task.xml | 18 - ...tes_activity_by_src_ip___response_task.xml | 18 - ...aws_activity_from_city___response_task.xml | 18 - ..._activity_from_country___response_task.xml | 18 - ...tivity_from_ip_address___response_task.xml | 18 - ...s_activity_from_region___response_task.xml | 18 - ...ckup_logs_for_endpoint___response_task.xml | 18 - ...cate_logs_for_a_domain___response_task.xml | 18 - ...ver_history_for_a_host___response_task.xml | 18 - ..._get_dns_traffic_ratio___response_task.xml | 18 - ..._details_by_instanceid___response_task.xml | 18 - ...get_ec2_launch_details___response_task.xml | 18 - ...h_panel_get_email_info___response_task.xml | 18 - ...s_from_specific_sender___response_task.xml | 18 - ...rence_of_a_mac_address___response_task.xml | 18 - ...story_of_email_sources___response_task.xml | 18 - ...fications_for_endpoint___response_task.xml | 18 - ...modifications_for_user___response_task.xml | 18 - ...el_get_notable_history___response_task.xml | 18 - ...et_parent_process_info___response_task.xml | 18 - ..._process_file_activity___response_task.xml | 18 - ...panel_get_process_info___response_task.xml | 18 - ...tion_for_port_activity___response_task.xml | 18 - ...le_for_the_dns_traffic___response_task.xml | 18 - ..._wmi_activity_for_host___response_task.xml | 18 - ...rmation_via_session_id___response_task.xml | 18 - ...vities_via_region_name___response_task.xml | 18 - ...tivities_by_user_field___response_task.xml | 18 - ..._multiple_destinations___response_task.xml | 18 - ...rk_traffic_from_src_ip___response_task.xml | 18 - ...e_okta_activity_by_app___response_task.xml | 18 - ...pass_the_hash_attempts___response_task.xml | 18 - ...ss_the_ticket_attempts___response_task.xml | 18 - ...e_previous_unseen_user___response_task.xml | 18 - ...esktop_authentications___response_task.xml | 18 - ...strings_in_http_header___response_task.xml | 18 - ...ser_activities_in_okta___response_task.xml | 18 - ...ate_web_posts_from_src___response_task.xml | 18 - .../default/data/ui/views/escu_applocker.xml | 401 - .../default/data/ui/views/escu_summary.xml | 193 - .../default/data/ui/views/feedback.xml | 13 - .../default/distsearch.conf | 5 - .../default/es_investigations.conf | 768 - dist/DA-ESS-ContentUpdate/default/macros.conf | 7270 -- .../default/savedsearches.conf | 74399 ------------- .../default/transforms.conf | 486 - .../default/usage_searches.conf | 73 - .../default/use_case_library.conf | 2 - .../default/workflow_actions.conf | 373 - .../lookups/3cx_ioc_domains.csv | 39 - ...ion_using_pretrained_model_in_dsdl.mlmodel | 2 - ...rds_using_pretrained_model_in_dsdl.mlmodel | 2 - ...mes_using_pretrained_model_in_dsdl.mlmodel | 2 - .../__mlspl_pretrained_dga_model_dsdl.mlmodel | 2 - ..._mlspl_risky_spl_pre_trained_model.mlmodel | 2 - ...lspl_unusual_commandline_detection.mlmodel | 2 - .../lookups/advanced_audit_policy_guids.csv | 69 - .../lookups/applockereventcodes.csv | 30 - .../lookups/asr_rules.csv | 18 - .../lookups/attacker_tools.csv | 31 - .../lookups/aws_service_accounts.csv | 1 - .../baseline_blocked_outbound_connections.csv | 1 - .../lookups/brand_monitoring.csv | 1 - .../lookups/browser_app_list.csv | 47 - .../lookups/char_conversion_matrix.csv | 259 - .../lookups/discovered_dns_records.csv | 1 - .../lookups/domain_admins.csv | 2 - dist/DA-ESS-ContentUpdate/lookups/domains.csv | 1 - .../lookups/dynamic_dns_providers_default.csv | 91976 ---------------- .../lookups/dynamic_dns_providers_local.csv | 1 - .../lookups/hijacklibs.csv | 403 - .../lookups/hijacklibs_loaded.csv | 886 - .../lookups/images_to_repository.csv | 3 - .../lookups/is_net_windows_file20231221.csv | 47 - .../lookups/is_nirsoft_software20231221.csv | 15 - .../is_suspicious_file_extension_lookup.csv | 52 - .../is_windows_system_file20231221.csv | 753 - .../lookups/legit_domains.csv | 20 - .../lookups/linux_tool_discovery_process.csv | 61 - .../lookups/local_file_inclusion_paths.csv | 1009 - .../lookups/lolbas_file_path.csv | 480 - .../lookups/loldrivers.csv | 251 - .../lookups/mandatory_job_for_workflow.csv | 2 - .../lookups/mandatory_step_for_job.csv | 2 - .../lookups/mitre_enrichment.csv | 638 - .../lookups/network_acl_activity_baseline.csv | 1 - .../previously_seen_cmd_line_arguments.csv | 1 - ...viously_seen_ec2_modifications_by_user.csv | 1 - .../lookups/privileged_azure_ad_roles.csv | 26 - .../prohibited_apps_launching_cmd20231221.csv | 18 - .../lookups/prohibited_processes.csv | 20 - .../lookups/ransomware_extensions.csv | 303 - .../ransomware_extensions_20231219.csv | 303 - .../lookups/ransomware_notes.csv | 75 - .../lookups/ransomware_notes_20231219.csv | 75 - .../rare_process_allow_list_default.csv | 7 - .../lookups/rare_process_allow_list_local.csv | 1 - .../lookups/remote_access_software.csv | 569 - .../lookups/security_services.csv | 5 - .../lookups/splunk_risky_command_20240122.csv | 15 - .../lookups/suspicious_files.csv | 4 - .../lookups/uncommon_processes_default.csv | 9 - .../lookups/uncommon_processes_local.csv | 1 - .../lookups/windows_protocol_handlers.csv | 205 - .../metadata/default.meta | 23 - dist/DA-ESS-ContentUpdate/static/appIcon.png | Bin 3658 -> 0 bytes .../static/appIconAlt.png | Bin 2656 -> 0 bytes .../static/appIconAlt_2x.png | Bin 7442 -> 0 bytes .../static/appIcon_2x.png | Bin 3657 -> 0 bytes dist/api/baselines.json | 1 - dist/api/deployments.json | 1 - dist/api/detections.json | 1 - dist/api/lookups.json | 1 - dist/api/macros.json | 1 - dist/api/response_tasks.json | 1 - dist/api/stories.json | 1 - dist/api/version.json | 1 - ...ssa___anomalous_usage_of_archive_tools.yml | 112 - .../srs/ssa___attacker_tools_on_endpoint.yml | 148 - .../srs/ssa___attempt_to_delete_services.yml | 118 - .../srs/ssa___attempt_to_disable_services.yml | 115 - ...dential_dump_from_registry_via_reg_exe.yml | 115 - ..._bcdedit_failure_recovery_modification.yml | 111 - ...ar_unallocated_sector_using_cipher_app.yml | 111 - ...ate_local_admin_accounts_using_net_exe.yml | 130 - ...eate_local_user_accounts_using_net_exe.yml | 126 - dist/ssa/srs/ssa___delete_a_net_user.yml | 118 - dist/ssa/srs/ssa___deleting_shadow_copies.yml | 116 - ...___deny_permission_using_cacls_utility.yml | 112 - ...wershell_applications_spawning_cmd_exe.yml | 110 - ...t_prohibited_browsers_spawning_cmd_exe.yml | 111 - ...d_office_applications_spawning_cmd_exe.yml | 112 - ...ssa___detect_rclone_command_line_usage.yml | 123 - .../srs/ssa___disable_net_user_account.yml | 118 - ...___dns_exfiltration_using_nslookup_app.yml | 119 - dist/ssa/srs/ssa___fsutil_zeroing_file.yml | 113 - ...__grant_permission_using_cacls_utility.yml | 112 - ..._files_and_directories_with_attrib_exe.yml | 116 - ...ovement_smbexec_commandline_parameters.yml | 145 - ...ovement_wmiexec_commandline_parameters.yml | 142 - ...fy_acls_permission_of_files_or_folders.yml | 114 - ...e_product_spawning_windows_script_host.yml | 114 - ...ible_lateral_movement_powershell_spawn.yml | 140 - .../srs/ssa___resize_shadowstorage_volume.yml | 114 - .../ssa___sdelete_application_execution.yml | 128 - ...incipalnames_discovery_with_powershell.yml | 122 - ...ervices_lolbas_execution_process_spawn.yml | 133 - ...ocess_running_from_unexpected_location.yml | 219 - .../ssa___wbadmin_delete_system_backups.yml | 113 - .../ssa___wevtutil_usage_to_clear_logs.yml | 119 - .../ssa___wevtutil_usage_to_disable_logs.yml | 115 - .../ssa___windows_bits_job_persistence.yml | 124 - .../ssa___windows_bitsadmin_download_file.yml | 129 - .../ssa___windows_certutil_decode_file.yml | 122 - ...a___windows_certutil_urlcache_download.yml | 120 - ...___windows_certutil_verifyctl_download.yml | 119 - ..._hijacking_inprocserver32_modification.yml | 118 - ...dows_curl_upload_to_remote_destination.yml | 126 - ...group_policy_object_modified_with_gpme.yml | 123 - ...ws_defender_tools_in_non_standard_path.yml | 108 - ...a___windows_diskshadow_proxy_execution.yml | 112 - ...ows_dotnet_binary_in_non_standard_path.yml | 151 - ...ndows_exchange_powershell_module_usage.yml | 124 - ...s_execute_arbitrary_commands_with_msdt.yml | 121 - ...ws_file_share_discovery_with_powerview.yml | 99 - .../ssa___windows_findstr_gpp_discovery.yml | 120 - ...s_ingress_tool_transfer_using_explorer.yml | 114 - ...ows_lolbin_binary_in_non_standard_path.yml | 136 - .../srs/ssa___windows_mshta_child_process.yml | 116 - .../ssa___windows_mshta_command_line_url.yml | 119 - ...a___windows_mshta_inline_hta_execution.yml | 118 - ...___windows_odbcconf_load_response_file.yml | 115 - ...tial_dumping_with_ntdsutil_export_ntds.yml | 126 - ...ws_os_credential_dumping_with_procdump.yml | 122 - ...connect_to_internet_with_hidden_window.yml | 125 - ...re_authentication_discovery_get_aduser.yml | 103 - ...uthentication_discovery_with_powerview.yml | 103 - .../ssa___windows_powershell_downloadfile.yml | 119 - ...sa___windows_powershell_downloadstring.yml | 132 - ...ows_powershell_execution_policy_bypass.yml | 128 - ..._windows_powershell_start_bitstransfer.yml | 120 - ...sa___windows_powersploit_gpp_discovery.yml | 104 - .../ssa___windows_rasautou_dll_execution.yml | 119 - ...onsole_exe_lolbas_in_non_standard_path.yml | 119 - ...adplus_exe_lolbas_in_non_standard_path.yml | 118 - ...dvpack_dll_lolbas_in_non_standard_path.yml | 118 - ...ecutor_exe_lolbas_in_non_standard_path.yml | 120 - ...taller_exe_lolbas_in_non_standard_path.yml | 119 - ...appvlp_exe_lolbas_in_non_standard_path.yml | 118 - ...mpiler_exe_lolbas_in_non_standard_path.yml | 119 - ...ies_at_exe_lolbas_in_non_standard_path.yml | 116 - ...broker_exe_lolbas_in_non_standard_path.yml | 118 - ...__windows_rundll32_comsvcs_memory_dump.yml | 113 - ..._windows_rundll32_inline_hta_execution.yml | 121 - ..._windows_screen_capture_via_powershell.yml | 97 - ...sa___windows_script_host_spawn_msbuild.yml | 118 - ...execution_compiled_html_file_decompile.yml | 117 - ...compiled_html_file_url_in_command_line.yml | 127 - ...l_file_using_infotech_storage_handlers.yml | 130 - ...xy_execution_msiexec_dllregisterserver.yml | 111 - ...roxy_execution_msiexec_remote_download.yml | 111 - ...proxy_execution_msiexec_unregister_dll.yml | 111 - .../ssa___windows_wmiprvse_spawn_msbuild.yml | 118 - macros/fillnull_config.yml | 3 + macros/oldsummaries_config.yml | 3 + macros/prohibited_softwares.yml | 6 +- macros/security_content_summariesonly.yml | 2 +- macros/summariesonly_config.yml | 3 + pipeline/.build.yml | 10 +- pipeline/.ephemeral-credentials.yml | 3 + pipeline/.install-contentctl.yml | 4 +- pipeline/.post.yml | 2 + pipeline/.release.yml | 3 + ...le_written_in_administrative_smb_share.yml | 112 + stories/gomir.yml | 26 + 1686 files changed, 22300 insertions(+), 231384 deletions(-) create mode 100644 detections/endpoint/windows_debugger_tool_execution.yml create mode 100644 detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml create mode 100644 dev_ssa/endpoint/ssa___executable_file_written_in_administrative_smb_share.yml delete mode 100644 dist/DA-ESS-ContentUpdate/README.md delete mode 100644 dist/DA-ESS-ContentUpdate/README/essoc_story_detail.txt delete mode 100644 dist/DA-ESS-ContentUpdate/README/essoc_summary.txt delete mode 100644 dist/DA-ESS-ContentUpdate/README/essoc_usage_dashboard.txt delete mode 100644 dist/DA-ESS-ContentUpdate/app.manifest delete mode 100644 dist/DA-ESS-ContentUpdate/default/analytic_stories.conf delete mode 100644 dist/DA-ESS-ContentUpdate/default/analyticstories.conf delete mode 100644 dist/DA-ESS-ContentUpdate/default/app.conf delete mode 100644 dist/DA-ESS-ContentUpdate/default/collections.conf delete mode 100644 dist/DA-ESS-ContentUpdate/default/commands.conf delete mode 100644 dist/DA-ESS-ContentUpdate/default/content-version.conf delete mode 100644 dist/DA-ESS-ContentUpdate/default/data/ui/nav/default.xml delete mode 100644 dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_all_backup_logs_for_host___response_task.xml delete mode 100644 dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_amazon_eks_kubernetes_activity_by_src_ip___response_task.xml delete mode 100644 dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_investigate_security_hub_alerts_by_dest___response_task.xml delete mode 100644 dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_investigate_user_activities_by_accesskeyid___response_task.xml delete mode 100644 dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_investigate_user_activities_by_arn___response_task.xml delete mode 100644 dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_network_acl_details_from_id___response_task.xml delete mode 100644 dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_network_interface_details_via_resourceid___response_task.xml delete mode 100644 dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_s3_bucket_details_via_bucketname___response_task.xml delete mode 100644 dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_gcp_kubernetes_activity_by_src_ip___response_task.xml delete mode 100644 dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_all_aws_activity_from_city___response_task.xml delete mode 100644 dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_all_aws_activity_from_country___response_task.xml delete mode 100644 dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_all_aws_activity_from_ip_address___response_task.xml delete mode 100644 dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_all_aws_activity_from_region___response_task.xml delete mode 100644 dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_backup_logs_for_endpoint___response_task.xml delete mode 100644 dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_certificate_logs_for_a_domain___response_task.xml delete mode 100644 dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_dns_server_history_for_a_host___response_task.xml delete mode 100644 dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_dns_traffic_ratio___response_task.xml delete mode 100644 dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_ec2_instance_details_by_instanceid___response_task.xml delete mode 100644 dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_ec2_launch_details___response_task.xml delete mode 100644 dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_email_info___response_task.xml delete mode 100644 dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_emails_from_specific_sender___response_task.xml delete mode 100644 dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_first_occurrence_and_last_occurrence_of_a_mac_address___response_task.xml delete mode 100644 dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_history_of_email_sources___response_task.xml delete mode 100644 dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_logon_rights_modifications_for_endpoint___response_task.xml delete mode 100644 dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_logon_rights_modifications_for_user___response_task.xml delete mode 100644 dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_notable_history___response_task.xml delete mode 100644 dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_parent_process_info___response_task.xml delete mode 100644 dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_process_file_activity___response_task.xml delete mode 100644 dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_process_info___response_task.xml delete mode 100644 dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_process_information_for_port_activity___response_task.xml delete mode 100644 dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_process_responsible_for_the_dns_traffic___response_task.xml delete mode 100644 dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_sysmon_wmi_activity_for_host___response_task.xml delete mode 100644 dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_web_session_information_via_session_id___response_task.xml delete mode 100644 dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_aws_activities_via_region_name___response_task.xml delete mode 100644 dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_aws_user_activities_by_user_field___response_task.xml delete mode 100644 dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_failed_logins_for_multiple_destinations___response_task.xml delete mode 100644 dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_network_traffic_from_src_ip___response_task.xml delete mode 100644 dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_okta_activity_by_app___response_task.xml delete mode 100644 dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_pass_the_hash_attempts___response_task.xml delete mode 100644 dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_pass_the_ticket_attempts___response_task.xml delete mode 100644 dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_previous_unseen_user___response_task.xml delete mode 100644 dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_successful_remote_desktop_authentications___response_task.xml delete mode 100644 dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_suspicious_strings_in_http_header___response_task.xml delete mode 100644 dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_user_activities_in_okta___response_task.xml delete mode 100644 dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_web_posts_from_src___response_task.xml delete mode 100644 dist/DA-ESS-ContentUpdate/default/data/ui/views/escu_applocker.xml delete mode 100644 dist/DA-ESS-ContentUpdate/default/data/ui/views/escu_summary.xml delete mode 100644 dist/DA-ESS-ContentUpdate/default/data/ui/views/feedback.xml delete mode 100644 dist/DA-ESS-ContentUpdate/default/distsearch.conf delete mode 100644 dist/DA-ESS-ContentUpdate/default/es_investigations.conf delete mode 100644 dist/DA-ESS-ContentUpdate/default/macros.conf delete mode 100644 dist/DA-ESS-ContentUpdate/default/savedsearches.conf delete mode 100644 dist/DA-ESS-ContentUpdate/default/transforms.conf delete mode 100644 dist/DA-ESS-ContentUpdate/default/usage_searches.conf delete mode 100644 dist/DA-ESS-ContentUpdate/default/use_case_library.conf delete mode 100644 dist/DA-ESS-ContentUpdate/default/workflow_actions.conf delete mode 100644 dist/DA-ESS-ContentUpdate/lookups/3cx_ioc_domains.csv delete mode 100644 dist/DA-ESS-ContentUpdate/lookups/__mlspl_detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.mlmodel delete mode 100644 dist/DA-ESS-ContentUpdate/lookups/__mlspl_detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.mlmodel delete mode 100644 dist/DA-ESS-ContentUpdate/lookups/__mlspl_detect_suspicious_processnames_using_pretrained_model_in_dsdl.mlmodel delete mode 100644 dist/DA-ESS-ContentUpdate/lookups/__mlspl_pretrained_dga_model_dsdl.mlmodel delete mode 100644 dist/DA-ESS-ContentUpdate/lookups/__mlspl_risky_spl_pre_trained_model.mlmodel delete mode 100644 dist/DA-ESS-ContentUpdate/lookups/__mlspl_unusual_commandline_detection.mlmodel delete mode 100644 dist/DA-ESS-ContentUpdate/lookups/advanced_audit_policy_guids.csv delete mode 100644 dist/DA-ESS-ContentUpdate/lookups/applockereventcodes.csv delete mode 100644 dist/DA-ESS-ContentUpdate/lookups/asr_rules.csv delete mode 100644 dist/DA-ESS-ContentUpdate/lookups/attacker_tools.csv delete mode 100644 dist/DA-ESS-ContentUpdate/lookups/aws_service_accounts.csv delete mode 100644 dist/DA-ESS-ContentUpdate/lookups/baseline_blocked_outbound_connections.csv delete mode 100644 dist/DA-ESS-ContentUpdate/lookups/brand_monitoring.csv delete mode 100644 dist/DA-ESS-ContentUpdate/lookups/browser_app_list.csv delete mode 100644 dist/DA-ESS-ContentUpdate/lookups/char_conversion_matrix.csv delete mode 100644 dist/DA-ESS-ContentUpdate/lookups/discovered_dns_records.csv delete mode 100644 dist/DA-ESS-ContentUpdate/lookups/domain_admins.csv delete mode 100644 dist/DA-ESS-ContentUpdate/lookups/domains.csv delete mode 100644 dist/DA-ESS-ContentUpdate/lookups/dynamic_dns_providers_default.csv delete mode 100644 dist/DA-ESS-ContentUpdate/lookups/dynamic_dns_providers_local.csv delete mode 100644 dist/DA-ESS-ContentUpdate/lookups/hijacklibs.csv delete mode 100644 dist/DA-ESS-ContentUpdate/lookups/hijacklibs_loaded.csv delete mode 100644 dist/DA-ESS-ContentUpdate/lookups/images_to_repository.csv delete mode 100644 dist/DA-ESS-ContentUpdate/lookups/is_net_windows_file20231221.csv delete mode 100644 dist/DA-ESS-ContentUpdate/lookups/is_nirsoft_software20231221.csv delete mode 100644 dist/DA-ESS-ContentUpdate/lookups/is_suspicious_file_extension_lookup.csv delete mode 100644 dist/DA-ESS-ContentUpdate/lookups/is_windows_system_file20231221.csv delete mode 100644 dist/DA-ESS-ContentUpdate/lookups/legit_domains.csv delete mode 100644 dist/DA-ESS-ContentUpdate/lookups/linux_tool_discovery_process.csv delete mode 100644 dist/DA-ESS-ContentUpdate/lookups/local_file_inclusion_paths.csv delete mode 100644 dist/DA-ESS-ContentUpdate/lookups/lolbas_file_path.csv delete mode 100644 dist/DA-ESS-ContentUpdate/lookups/loldrivers.csv delete mode 100644 dist/DA-ESS-ContentUpdate/lookups/mandatory_job_for_workflow.csv delete mode 100644 dist/DA-ESS-ContentUpdate/lookups/mandatory_step_for_job.csv delete mode 100644 dist/DA-ESS-ContentUpdate/lookups/mitre_enrichment.csv delete mode 100644 dist/DA-ESS-ContentUpdate/lookups/network_acl_activity_baseline.csv delete mode 100644 dist/DA-ESS-ContentUpdate/lookups/previously_seen_cmd_line_arguments.csv delete mode 100644 dist/DA-ESS-ContentUpdate/lookups/previously_seen_ec2_modifications_by_user.csv delete mode 100644 dist/DA-ESS-ContentUpdate/lookups/privileged_azure_ad_roles.csv delete mode 100644 dist/DA-ESS-ContentUpdate/lookups/prohibited_apps_launching_cmd20231221.csv delete mode 100644 dist/DA-ESS-ContentUpdate/lookups/prohibited_processes.csv delete mode 100644 dist/DA-ESS-ContentUpdate/lookups/ransomware_extensions.csv delete mode 100644 dist/DA-ESS-ContentUpdate/lookups/ransomware_extensions_20231219.csv delete mode 100644 dist/DA-ESS-ContentUpdate/lookups/ransomware_notes.csv delete mode 100644 dist/DA-ESS-ContentUpdate/lookups/ransomware_notes_20231219.csv delete mode 100644 dist/DA-ESS-ContentUpdate/lookups/rare_process_allow_list_default.csv delete mode 100644 dist/DA-ESS-ContentUpdate/lookups/rare_process_allow_list_local.csv delete mode 100644 dist/DA-ESS-ContentUpdate/lookups/remote_access_software.csv delete mode 100644 dist/DA-ESS-ContentUpdate/lookups/security_services.csv delete mode 100644 dist/DA-ESS-ContentUpdate/lookups/splunk_risky_command_20240122.csv delete mode 100644 dist/DA-ESS-ContentUpdate/lookups/suspicious_files.csv delete mode 100644 dist/DA-ESS-ContentUpdate/lookups/uncommon_processes_default.csv delete mode 100644 dist/DA-ESS-ContentUpdate/lookups/uncommon_processes_local.csv delete mode 100644 dist/DA-ESS-ContentUpdate/lookups/windows_protocol_handlers.csv delete mode 100644 dist/DA-ESS-ContentUpdate/metadata/default.meta delete mode 100644 dist/DA-ESS-ContentUpdate/static/appIcon.png delete mode 100644 dist/DA-ESS-ContentUpdate/static/appIconAlt.png delete mode 100644 dist/DA-ESS-ContentUpdate/static/appIconAlt_2x.png delete mode 100644 dist/DA-ESS-ContentUpdate/static/appIcon_2x.png delete mode 100644 dist/api/baselines.json delete mode 100644 dist/api/deployments.json delete mode 100644 dist/api/detections.json delete mode 100644 dist/api/lookups.json delete mode 100644 dist/api/macros.json delete mode 100644 dist/api/response_tasks.json delete mode 100644 dist/api/stories.json delete mode 100644 dist/api/version.json delete mode 100644 dist/ssa/srs/ssa___anomalous_usage_of_archive_tools.yml delete mode 100644 dist/ssa/srs/ssa___attacker_tools_on_endpoint.yml delete mode 100644 dist/ssa/srs/ssa___attempt_to_delete_services.yml delete mode 100644 dist/ssa/srs/ssa___attempt_to_disable_services.yml delete mode 100644 dist/ssa/srs/ssa___attempted_credential_dump_from_registry_via_reg_exe.yml delete mode 100644 dist/ssa/srs/ssa___bcdedit_failure_recovery_modification.yml delete mode 100644 dist/ssa/srs/ssa___clear_unallocated_sector_using_cipher_app.yml delete mode 100644 dist/ssa/srs/ssa___create_local_admin_accounts_using_net_exe.yml delete mode 100644 dist/ssa/srs/ssa___create_local_user_accounts_using_net_exe.yml delete mode 100644 dist/ssa/srs/ssa___delete_a_net_user.yml delete mode 100644 dist/ssa/srs/ssa___deleting_shadow_copies.yml delete mode 100644 dist/ssa/srs/ssa___deny_permission_using_cacls_utility.yml delete mode 100644 dist/ssa/srs/ssa___detect_powershell_applications_spawning_cmd_exe.yml delete mode 100644 dist/ssa/srs/ssa___detect_prohibited_browsers_spawning_cmd_exe.yml delete mode 100644 dist/ssa/srs/ssa___detect_prohibited_office_applications_spawning_cmd_exe.yml delete mode 100644 dist/ssa/srs/ssa___detect_rclone_command_line_usage.yml delete mode 100644 dist/ssa/srs/ssa___disable_net_user_account.yml delete mode 100644 dist/ssa/srs/ssa___dns_exfiltration_using_nslookup_app.yml delete mode 100644 dist/ssa/srs/ssa___fsutil_zeroing_file.yml delete mode 100644 dist/ssa/srs/ssa___grant_permission_using_cacls_utility.yml delete mode 100644 dist/ssa/srs/ssa___hiding_files_and_directories_with_attrib_exe.yml delete mode 100644 dist/ssa/srs/ssa___impacket_lateral_movement_smbexec_commandline_parameters.yml delete mode 100644 dist/ssa/srs/ssa___impacket_lateral_movement_wmiexec_commandline_parameters.yml delete mode 100644 dist/ssa/srs/ssa___modify_acls_permission_of_files_or_folders.yml delete mode 100644 dist/ssa/srs/ssa___office_product_spawning_windows_script_host.yml delete mode 100644 dist/ssa/srs/ssa___possible_lateral_movement_powershell_spawn.yml delete mode 100644 dist/ssa/srs/ssa___resize_shadowstorage_volume.yml delete mode 100644 dist/ssa/srs/ssa___sdelete_application_execution.yml delete mode 100644 dist/ssa/srs/ssa___serviceprincipalnames_discovery_with_powershell.yml delete mode 100644 dist/ssa/srs/ssa___services_lolbas_execution_process_spawn.yml delete mode 100644 dist/ssa/srs/ssa___system_process_running_from_unexpected_location.yml delete mode 100644 dist/ssa/srs/ssa___wbadmin_delete_system_backups.yml delete mode 100644 dist/ssa/srs/ssa___wevtutil_usage_to_clear_logs.yml delete mode 100644 dist/ssa/srs/ssa___wevtutil_usage_to_disable_logs.yml delete mode 100644 dist/ssa/srs/ssa___windows_bits_job_persistence.yml delete mode 100644 dist/ssa/srs/ssa___windows_bitsadmin_download_file.yml delete mode 100644 dist/ssa/srs/ssa___windows_certutil_decode_file.yml delete mode 100644 dist/ssa/srs/ssa___windows_certutil_urlcache_download.yml delete mode 100644 dist/ssa/srs/ssa___windows_certutil_verifyctl_download.yml delete mode 100644 dist/ssa/srs/ssa___windows_com_hijacking_inprocserver32_modification.yml delete mode 100644 dist/ssa/srs/ssa___windows_curl_upload_to_remote_destination.yml delete mode 100644 dist/ssa/srs/ssa___windows_default_group_policy_object_modified_with_gpme.yml delete mode 100644 dist/ssa/srs/ssa___windows_defender_tools_in_non_standard_path.yml delete mode 100644 dist/ssa/srs/ssa___windows_diskshadow_proxy_execution.yml delete mode 100644 dist/ssa/srs/ssa___windows_dotnet_binary_in_non_standard_path.yml delete mode 100644 dist/ssa/srs/ssa___windows_exchange_powershell_module_usage.yml delete mode 100644 dist/ssa/srs/ssa___windows_execute_arbitrary_commands_with_msdt.yml delete mode 100644 dist/ssa/srs/ssa___windows_file_share_discovery_with_powerview.yml delete mode 100644 dist/ssa/srs/ssa___windows_findstr_gpp_discovery.yml delete mode 100644 dist/ssa/srs/ssa___windows_ingress_tool_transfer_using_explorer.yml delete mode 100644 dist/ssa/srs/ssa___windows_lolbin_binary_in_non_standard_path.yml delete mode 100644 dist/ssa/srs/ssa___windows_mshta_child_process.yml delete mode 100644 dist/ssa/srs/ssa___windows_mshta_command_line_url.yml delete mode 100644 dist/ssa/srs/ssa___windows_mshta_inline_hta_execution.yml delete mode 100644 dist/ssa/srs/ssa___windows_odbcconf_load_response_file.yml delete mode 100644 dist/ssa/srs/ssa___windows_os_credential_dumping_with_ntdsutil_export_ntds.yml delete mode 100644 dist/ssa/srs/ssa___windows_os_credential_dumping_with_procdump.yml delete mode 100644 dist/ssa/srs/ssa___windows_powershell_connect_to_internet_with_hidden_window.yml delete mode 100644 dist/ssa/srs/ssa___windows_powershell_disabled_kerberos_pre_authentication_discovery_get_aduser.yml delete mode 100644 dist/ssa/srs/ssa___windows_powershell_disabled_kerberos_pre_authentication_discovery_with_powerview.yml delete mode 100644 dist/ssa/srs/ssa___windows_powershell_downloadfile.yml delete mode 100644 dist/ssa/srs/ssa___windows_powershell_downloadstring.yml delete mode 100644 dist/ssa/srs/ssa___windows_powershell_execution_policy_bypass.yml delete mode 100644 dist/ssa/srs/ssa___windows_powershell_start_bitstransfer.yml delete mode 100644 dist/ssa/srs/ssa___windows_powersploit_gpp_discovery.yml delete mode 100644 dist/ssa/srs/ssa___windows_rasautou_dll_execution.yml delete mode 100644 dist/ssa/srs/ssa___windows_rename_system_utilities_acccheckconsole_exe_lolbas_in_non_standard_path.yml delete mode 100644 dist/ssa/srs/ssa___windows_rename_system_utilities_adplus_exe_lolbas_in_non_standard_path.yml delete mode 100644 dist/ssa/srs/ssa___windows_rename_system_utilities_advpack_dll_lolbas_in_non_standard_path.yml delete mode 100644 dist/ssa/srs/ssa___windows_rename_system_utilities_agentexecutor_exe_lolbas_in_non_standard_path.yml delete mode 100644 dist/ssa/srs/ssa___windows_rename_system_utilities_appinstaller_exe_lolbas_in_non_standard_path.yml delete mode 100644 dist/ssa/srs/ssa___windows_rename_system_utilities_appvlp_exe_lolbas_in_non_standard_path.yml delete mode 100644 dist/ssa/srs/ssa___windows_rename_system_utilities_aspnet_compiler_exe_lolbas_in_non_standard_path.yml delete mode 100644 dist/ssa/srs/ssa___windows_rename_system_utilities_at_exe_lolbas_in_non_standard_path.yml delete mode 100644 dist/ssa/srs/ssa___windows_rename_system_utilities_atbroker_exe_lolbas_in_non_standard_path.yml delete mode 100644 dist/ssa/srs/ssa___windows_rundll32_comsvcs_memory_dump.yml delete mode 100644 dist/ssa/srs/ssa___windows_rundll32_inline_hta_execution.yml delete mode 100644 dist/ssa/srs/ssa___windows_screen_capture_via_powershell.yml delete mode 100644 dist/ssa/srs/ssa___windows_script_host_spawn_msbuild.yml delete mode 100644 dist/ssa/srs/ssa___windows_system_binary_proxy_execution_compiled_html_file_decompile.yml delete mode 100644 dist/ssa/srs/ssa___windows_system_binary_proxy_execution_compiled_html_file_url_in_command_line.yml delete mode 100644 dist/ssa/srs/ssa___windows_system_binary_proxy_execution_compiled_html_file_using_infotech_storage_handlers.yml delete mode 100644 dist/ssa/srs/ssa___windows_system_binary_proxy_execution_msiexec_dllregisterserver.yml delete mode 100644 dist/ssa/srs/ssa___windows_system_binary_proxy_execution_msiexec_remote_download.yml delete mode 100644 dist/ssa/srs/ssa___windows_system_binary_proxy_execution_msiexec_unregister_dll.yml delete mode 100644 dist/ssa/srs/ssa___windows_wmiprvse_spawn_msbuild.yml create mode 100644 macros/fillnull_config.yml create mode 100644 macros/oldsummaries_config.yml create mode 100644 macros/summariesonly_config.yml create mode 100644 ssa_detections/endpoint/ssa___executable_file_written_in_administrative_smb_share.yml create mode 100644 stories/gomir.yml diff --git a/app_template/default/distsearch.conf b/app_template/default/distsearch.conf index 23129734b3..0883f658cd 100644 --- a/app_template/default/distsearch.conf +++ b/app_template/default/distsearch.conf @@ -1,5 +1,5 @@ [replicationSettings:refineConf] replicate.analytic_stories = false -[replicationBlacklist] +[replicationDenylist] excludeESCU = apps[/\\]DA-ESS-ContentUpdate[/\\]lookups[/\\]... diff --git a/baselines/deprecated/baseline_of_excessive_aws_instances_launched_by_user___mltk.yml b/baselines/deprecated/baseline_of_excessive_aws_instances_launched_by_user___mltk.yml index 6982d4af4b..d1dcf15f47 100644 --- a/baselines/deprecated/baseline_of_excessive_aws_instances_launched_by_user___mltk.yml +++ b/baselines/deprecated/baseline_of_excessive_aws_instances_launched_by_user___mltk.yml @@ -10,7 +10,7 @@ description: This search is used to build a Machine Learning Toolkit (MLTK) mode the last 90 days of data to build the model. The model created by this search is then used in the corresponding detection search, which identifies subsequent outliers in the number of RunInstances performed by a user in a small time window. -search: '`cloudtrail` eventName=RunInstances errorCode=success `ec2_excessive_runinstances_mltk_input_filter` +search: '`cloudtrail` eventName=RunInstances errorCode=success | bucket span=10m _time | stats count as instances_launched by _time src_user | fit DensityFunction instances_launched threshold=0.0005 into ec2_excessive_runinstances_v1' how_to_implement: 'You must install the AWS App for Splunk (version 5.1.0 or later) diff --git a/baselines/deprecated/baseline_of_excessive_aws_instances_terminated_by_user___mltk.yml b/baselines/deprecated/baseline_of_excessive_aws_instances_terminated_by_user___mltk.yml index b240865159..1643566a67 100644 --- a/baselines/deprecated/baseline_of_excessive_aws_instances_terminated_by_user___mltk.yml +++ b/baselines/deprecated/baseline_of_excessive_aws_instances_terminated_by_user___mltk.yml @@ -11,7 +11,7 @@ description: This search is used to build a Machine Learning Toolkit (MLTK) mode is then used in the corresponding detection search, which identifies subsequent outliers in the number of TerminateInstances performed by a user in a small time window. -search: '`cloudtrail` eventName=TerminateInstances errorCode=success `ec2_excessive_terminateinstances_mltk_input_filter` +search: '`cloudtrail` eventName=TerminateInstances errorCode=success | bucket span=10m _time | stats count as instances_terminated by _time src_user | fit DensityFunction instances_terminated threshold=0.0005 into ec2_excessive_terminateinstances_v1' how_to_implement: 'You must install the AWS App for Splunk (version 5.1.0 or later) diff --git a/contentctl.yml b/contentctl.yml index efdce3b488..a93d091d78 100644 --- a/contentctl.yml +++ b/contentctl.yml @@ -47,12 +47,12 @@ apps: version: 2.2.0 description: description of app hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-add-on-for-okta-identity-cloud_220.tgz -- uid: 6176 +- uid: 6652 title: Add-on for Linux Sysmon appid: Splunk_TA_linux_sysmon - version: 1.0.4 + version: 1.0.0 description: description of app - hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/add-on-for-linux-sysmon_104.tgz + hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-sysmon-for-linux_100.tgz - uid: null title: Splunk Fix XmlWinEventLog HEC Parsing appid: Splunk_FIX_XMLWINEVENTLOG_HEC_PARSING @@ -71,9 +71,9 @@ apps: - uid: 5709 title: Splunk Add-on for Sysmon appid: Splunk_TA_microsoft_sysmon - version: 4.0.0 + version: 4.0.1 description: description of app - hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-add-on-for-sysmon_400.tgz + hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-add-on-for-sysmon_401.tgz - uid: 833 title: Splunk Add-on for Unix and Linux appid: Splunk_TA_nix diff --git a/data_sources/endpoint/Sysmon_for_Linux_EventID.yml b/data_sources/endpoint/Sysmon_for_Linux_EventID.yml index 0c8155880e..096a4002b5 100644 --- a/data_sources/endpoint/Sysmon_for_Linux_EventID.yml +++ b/data_sources/endpoint/Sysmon_for_Linux_EventID.yml @@ -2,7 +2,7 @@ name: Sysmon for Linux EventID id: da9fc0c9-4b15-4537-aa91-19ca0cb1eba5 author: Patrick Bareiss, Splunk source: Syslog:Linux-Sysmon/Operational -sourcetype: sysmon_linux +sourcetype: sysmon:linux separator: EventID supported_TA: name: Splunk Add-on for Sysmon for Linux diff --git a/data_sources/endpoint/Windows_Event_Log_Security.yml b/data_sources/endpoint/Windows_Event_Log_Security.yml index 713e887a6d..46e786a697 100644 --- a/data_sources/endpoint/Windows_Event_Log_Security.yml +++ b/data_sources/endpoint/Windows_Event_Log_Security.yml @@ -1,7 +1,7 @@ name: Windows Event Log Security id: e3e44de1-57b1-462d-b57c-c7657af7ae6e author: Patrick Bareiss, Splunk -source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +source: XmlWinEventLog:Security sourcetype: xmlwineventlog separator: EventCode supported_TA: diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_5145.yml b/data_sources/endpoint/event_sources/Windows_Event_Log_Security_5145.yml index 1250a6fee1..56e69ac05f 100644 --- a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_5145.yml +++ b/data_sources/endpoint/event_sources/Windows_Event_Log_Security_5145.yml @@ -91,18 +91,20 @@ field_mappings: AccessList: access_list AccessMask: access_mask AccessReason: access_result - ShareLocalPath: share_local_path RelativeTargetName: relative_target_name + ObjectType: object_type IpAddress: src_ip IpPort: src_port + SubjectDomainName: user_domain SubjectUserName: user + SubjectLogonId: user_logon_id + SubjectUserSid: user_sid ShareName: share - data_model: ocsf mapping: AccessList: access_list AccessMask: access_mask AccessReason: access_result - ShareLocalPath: file.path RelativeTargetName: file.path ObjectType: file.type IpAddress: src_endpoint.ip diff --git a/detections/application/detect_risky_spl_using_pretrained_ml_model.yml b/detections/application/detect_risky_spl_using_pretrained_ml_model.yml index 57c99e5bbe..3f2c32c442 100644 --- a/detections/application/detect_risky_spl_using_pretrained_ml_model.yml +++ b/detections/application/detect_risky_spl_using_pretrained_ml_model.yml @@ -1,18 +1,17 @@ name: Detect Risky SPL using Pretrained ML Model id: b4aefb5f-1037-410d-a149-1e091288ba33 -version: 1 -date: '2022-06-16' +version: 2 +date: '2024-05-26' author: Abhinav Mishra, Kumar Sharad, Namratha Sreekanta and Xiao Lin, Splunk status: experimental type: Anomaly -description: The following analytic uses a pretrained machine learning text classifier - to detect potentially risky commands. The model is trained independently and then - the model file is packaged within ESCU for usage. A command is deemed risky based - on the presence of certain trigger keywords, along with the context and the role - of the user (please see references). The model uses custom features to predict whether - a SPL is risky using text classification. The model takes as input the command text, - user and search type and outputs a risk score between [0,1]. A high score indicates - higher likelihood of a command being risky. This model is on-prem only. +description: The following analytic identifies potentially risky SPL commands executed + by users. It leverages a pretrained machine learning text classifier that analyzes + command text, user, and search type to assign a risk score between 0 and 1. This + detection is significant as it helps identify suspicious or unauthorized search + activities that could indicate malicious intent or misuse of the Splunk environment. + If confirmed malicious, such activity could lead to unauthorized data access, data + exfiltration, or further exploitation of the system. data_source: [] search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Splunk_Audit.Search_Activity where Search_Activity.search_type=adhoc @@ -62,7 +61,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://github.com/splunk/attack_data/raw/master/datasets/attack_techniques/T1203/search_activity.txt + - data: + https://github.com/splunk/attack_data/raw/master/datasets/attack_techniques/T1203/search_activity.txt source: audittrail sourcetype: audittrail update_timestamp: true diff --git a/detections/application/email_files_written_outside_of_the_outlook_directory.yml b/detections/application/email_files_written_outside_of_the_outlook_directory.yml index c6115c3034..7360aadcfb 100644 --- a/detections/application/email_files_written_outside_of_the_outlook_directory.yml +++ b/detections/application/email_files_written_outside_of_the_outlook_directory.yml @@ -21,7 +21,7 @@ search: '| tstats `security_content_summariesonly` count values(Filesystem.file_ != "C:\\Users\\*\\My Documents\\Outlook Files\\*" Filesystem.file_path!="C:\\Users\\*\\AppData\\Local\\Microsoft\\Outlook*" by Filesystem.action Filesystem.process_id Filesystem.file_name Filesystem.dest | `drop_dm_object_name("Filesystem")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| - `email_files_written_outside_of_the_outlook_directory_filter` ' + `email_files_written_outside_of_the_outlook_directory_filter`' how_to_implement: To successfully implement this search, you must be ingesting data that records the file-system activity from your hosts to populate the Endpoint.Filesystem data model node. This is typically populated via endpoint detection-and-response diff --git a/detections/application/no_windows_updates_in_a_time_frame.yml b/detections/application/no_windows_updates_in_a_time_frame.yml index 313edec294..5eeafa902c 100644 --- a/detections/application/no_windows_updates_in_a_time_frame.yml +++ b/detections/application/no_windows_updates_in_a_time_frame.yml @@ -1,15 +1,18 @@ name: No Windows Updates in a time frame id: 1a77c08c-2f56-409c-a2d3-7d64617edd4f -version: 1 -date: '2017-09-15' +version: 2 +date: '2024-05-15' author: Bhavin Patel, Splunk status: experimental type: Hunting -description: This search looks for Windows endpoints that have not generated an event - indicating a successful Windows update in the last 60 days. Windows updates are - typically released monthly and applied shortly thereafter. An endpoint that has - not successfully applied an update in this time frame indicates the endpoint is - not regularly being patched for some reason. +description: The following analytic identifies Windows endpoints that have not generated + an event indicating a successful Windows update in the last 60 days. It leverages + the 'Update' data model in Splunk, specifically looking for the latest 'Installed' + status events from Microsoft Windows. This activity is significant for a SOC because + endpoints that are not regularly patched are vulnerable to known exploits and security + vulnerabilities. If confirmed malicious, this could indicate a compromised endpoint + that is intentionally being kept unpatched, potentially allowing attackers to exploit + unpatched vulnerabilities and gain unauthorized access or control. data_source: [] search: '| tstats `security_content_summariesonly` max(_time) as lastTime from datamodel=Updates where Updates.status=Installed Updates.vendor_product="Microsoft Windows" by Updates.dest diff --git a/detections/application/okta_authentication_failed_during_mfa_challenge.yml b/detections/application/okta_authentication_failed_during_mfa_challenge.yml index e472b275fa..6ed2871746 100644 --- a/detections/application/okta_authentication_failed_during_mfa_challenge.yml +++ b/detections/application/okta_authentication_failed_during_mfa_challenge.yml @@ -1,16 +1,32 @@ name: Okta Authentication Failed During MFA Challenge id: e2b99e7d-d956-411a-a120-2b14adfdde93 -version: 1 -date: '2024-03-11' +version: 2 +date: '2024-05-29' author: Bhavin Patel, Splunk data_source: [] type: TTP status: production -description: The following analytic identifies an authentication attempt event against - an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Authentication.app) as app values(Authentication.reason) as reason values(Authentication.signature) as signature values(Authentication.method) as method from datamodel=Authentication where Authentication.signature=user.authentication.auth_via_mfa Authentication.action = failure by _time Authentication.src Authentication.user Authentication.dest Authentication.action | `drop_dm_object_name("Authentication")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| iplocation src | `okta_authentication_failed_during_mfa_challenge_filter`' -how_to_implement: The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). -known_false_positives: A user may have accidentally entered the wrong credentials during the MFA challenge. If the user is new to MFA, they may have trouble authenticating. Ensure that the user is aware of the MFA process and has the correct credentials. +description: The following analytic identifies failed authentication attempts during + the Multi-Factor Authentication (MFA) challenge in an Okta tenant. It uses the Authentication + datamodel to detect specific failed events where the authentication signature is + `user.authentication.auth_via_mfa`. This activity is significant as it may indicate + an adversary attempting to authenticate with compromised credentials on an account + with MFA enabled. If confirmed malicious, this could suggest an ongoing attempt + to bypass MFA protections, potentially leading to unauthorized access and further + compromise of the affected account. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime values(Authentication.app) as app values(Authentication.reason) as + reason values(Authentication.signature) as signature values(Authentication.method) + as method from datamodel=Authentication where Authentication.signature=user.authentication.auth_via_mfa + Authentication.action = failure by _time Authentication.src Authentication.user + Authentication.dest Authentication.action | `drop_dm_object_name("Authentication")` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| iplocation + src | `okta_authentication_failed_during_mfa_challenge_filter`' +how_to_implement: The analytic leverages Okta OktaIm2 logs to be ingested using the + Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). +known_false_positives: A user may have accidentally entered the wrong credentials + during the MFA challenge. If the user is new to MFA, they may have trouble authenticating. + Ensure that the user is aware of the MFA process and has the correct credentials. references: - https://sec.okta.com/everythingisyes - https://splunkbase.splunk.com/app/6553 @@ -55,6 +71,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/okta_mfa_login_failed/okta_mfa_login_failed.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/okta_mfa_login_failed/okta_mfa_login_failed.log source: okta_log - sourcetype: OktaIM2:log \ No newline at end of file + sourcetype: OktaIM2:log diff --git a/detections/application/okta_idp_lifecycle_modifications.yml b/detections/application/okta_idp_lifecycle_modifications.yml index c14716e1b8..c59a210bbb 100644 --- a/detections/application/okta_idp_lifecycle_modifications.yml +++ b/detections/application/okta_idp_lifecycle_modifications.yml @@ -1,16 +1,31 @@ name: Okta IDP Lifecycle Modifications id: e0be2c83-5526-4219-a14f-c3db2e763d15 -version: 1 -date: '2024-03-14' +version: 2 +date: '2024-05-28' author: Bhavin Patel, Splunk data_source: [] type: Anomaly status: production -description: This detection identifies modifications to Okta Identity Provider (IDP) lifecycle events, such as creation, activation, deactivation, and deletion of IDP configurations. Monitoring these events is crucial for maintaining the integrity and security of authentication mechanisms within an organization. By detecting unauthorized or anomalous changes, organizations can quickly respond to potential security breaches or misconfigurations, ensuring that their identity management systems remain secure and operational. -search: '`okta` eventType IN ("system.idp.lifecycle.activate","system.idp.lifecycle.create","system.idp.lifecycle.delete","system.idp.lifecycle.deactivate") - | stats count min(_time) as firstTime max(_time) as lastTime values(target{}.id) as target_id values(target{}.type) as target_modified by src dest src_user_id user user_agent command description | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_idp_lifecycle_modifications_filter`' -how_to_implement: The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). -known_false_positives: It's possible for legitimate administrative actions or automated processes to trigger this detection, especially if there are bulk modifications to Okta IDP lifecycle events. Review the context of the modification, such as the user making the change and the specific lifecycle event modified, to determine if it aligns with expected behavior. +description: The following analytic identifies modifications to Okta Identity Provider + (IDP) lifecycle events, including creation, activation, deactivation, and deletion + of IDP configurations. It uses OktaIm2 logs ingested via the Splunk Add-on for Okta + Identity Cloud. Monitoring these events is crucial for maintaining the integrity + and security of authentication mechanisms. Unauthorized or anomalous changes could + indicate potential security breaches or misconfigurations. If confirmed malicious, + attackers could manipulate authentication processes, potentially gaining unauthorized + access or disrupting identity management systems. +search: '`okta` eventType IN ("system.idp.lifecycle.activate","system.idp.lifecycle.create","system.idp.lifecycle.delete","system.idp.lifecycle.deactivate") + | stats count min(_time) as firstTime max(_time) as lastTime values(target{}.id) + as target_id values(target{}.type) as target_modified by src dest src_user_id user + user_agent command description | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `okta_idp_lifecycle_modifications_filter`' +how_to_implement: The analytic leverages Okta OktaIm2 logs to be ingested using the + Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). +known_false_positives: It's possible for legitimate administrative actions or automated + processes to trigger this detection, especially if there are bulk modifications + to Okta IDP lifecycle events. Review the context of the modification, such as the + user making the change and the specific lifecycle event modified, to determine if + it aligns with expected behavior. references: - https://www.obsidiansecurity.com/blog/behind-the-breach-cross-tenant-impersonation-in-okta/ - https://splunkbase.splunk.com/app/6553 @@ -20,7 +35,8 @@ tags: asset_type: Okta Tenant confidence: 90 impact: 90 - message: A user [$user$] is attempting IDP lifecycle modification - [$description$] from IP Address - [$src$]" + message: A user [$user$] is attempting IDP lifecycle modification - [$description$] + from IP Address - [$src$]" mitre_attack_id: - T1087.004 observable: @@ -52,6 +68,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/okta_idp/okta.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/okta_idp/okta.log source: Okta - sourcetype: OktaIM2:log \ No newline at end of file + sourcetype: OktaIM2:log diff --git a/detections/application/okta_mfa_exhaustion_hunt.yml b/detections/application/okta_mfa_exhaustion_hunt.yml index d933d963dc..591a9b5231 100644 --- a/detections/application/okta_mfa_exhaustion_hunt.yml +++ b/detections/application/okta_mfa_exhaustion_hunt.yml @@ -1,27 +1,33 @@ name: Okta MFA Exhaustion Hunt id: 97e2fe57-3740-402c-988a-76b64ce04b8d -version: 2 -date: '2022-09-27' +version: 3 +date: '2024-05-18' author: Michael Haag, Marissa Bower, Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic identifies patterns within Okta data to determine - the amount of successful and failed pushes. Based on that, eval statements determine - a finding of whether this is suspicious or not. The events are within a window of - time and may be tuned as needed. +description: The following analytic detects patterns of successful and failed Okta + MFA push attempts to identify potential MFA exhaustion attacks. It leverages Okta + event logs, specifically focusing on push verification events, and uses statistical + evaluations to determine suspicious activity. This activity is significant as it + may indicate an attacker attempting to bypass MFA by overwhelming the user with + push notifications. If confirmed malicious, this could lead to unauthorized access, + compromising the security of the affected accounts and potentially the entire environment. data_source: [] -search: '`okta` eventType=system.push.send_factor_verify_push OR ((legacyEventType=core.user.factor.attempt_success) AND (debugContext.debugData.factor=OKTA_VERIFY_PUSH)) OR ((legacyEventType=core.user.factor.attempt_fail) AND (debugContext.debugData.factor=OKTA_VERIFY_PUSH)) - | stats count(eval(legacyEventType="core.user.factor.attempt_success")) as successes count(eval(legacyEventType="core.user.factor.attempt_fail")) as failures count(eval(eventType="system.push.send_factor_verify_push")) as pushes by user,_time - | stats latest(_time) as lasttime earliest(_time) as firsttime sum(successes) as successes sum(failures) as failures sum(pushes) as pushes by user - | eval seconds=lasttime-firsttime | eval lasttime=strftime(lasttime, "%c") - | search (pushes>1) - | eval totalattempts=successes+failures - | eval finding="Normal authentication pattern" - | eval finding=if(failures==pushes AND pushes>1,"Authentication attempts not successful because multiple pushes denied",finding) - | eval finding=if(totalattempts==0,"Multiple pushes sent and ignored",finding) - | eval finding=if(successes>0 AND pushes>3,"Probably should investigate. Multiple pushes sent, eventual successful authentication!",finding) - | `okta_mfa_exhaustion_hunt_filter`' -how_to_implement: The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). +search: '`okta` eventType=system.push.send_factor_verify_push OR ((legacyEventType=core.user.factor.attempt_success) + AND (debugContext.debugData.factor=OKTA_VERIFY_PUSH)) OR ((legacyEventType=core.user.factor.attempt_fail) + AND (debugContext.debugData.factor=OKTA_VERIFY_PUSH)) | stats count(eval(legacyEventType="core.user.factor.attempt_success")) as + successes count(eval(legacyEventType="core.user.factor.attempt_fail")) as failures + count(eval(eventType="system.push.send_factor_verify_push")) as pushes by user,_time + | stats latest(_time) as lasttime earliest(_time) as firsttime sum(successes) as + successes sum(failures) as failures sum(pushes) as pushes by user | eval seconds=lasttime-firsttime + | eval lasttime=strftime(lasttime, "%c") | search (pushes>1) | eval totalattempts=successes+failures + | eval finding="Normal authentication pattern" | eval finding=if(failures==pushes + AND pushes>1,"Authentication attempts not successful because multiple pushes denied",finding) + | eval finding=if(totalattempts==0,"Multiple pushes sent and ignored",finding) | + eval finding=if(successes>0 AND pushes>3,"Probably should investigate. Multiple + pushes sent, eventual successful authentication!",finding) | `okta_mfa_exhaustion_hunt_filter`' +how_to_implement: The analytic leverages Okta OktaIm2 logs to be ingested using the + Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). known_false_positives: False positives may be present. Tune Okta and tune the analytic to ensure proper fidelity. Modify risk score as needed. Drop to anomaly until tuning is complete. @@ -59,6 +65,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/okta_multiple_failed_mfa_pushes/okta_multiple_failed_mfa_pushes.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/okta_multiple_failed_mfa_pushes/okta_multiple_failed_mfa_pushes.log source: Okta - sourcetype: OktaIM2:log \ No newline at end of file + sourcetype: OktaIM2:log diff --git a/detections/application/okta_mismatch_between_source_and_response_for_verify_push_request.yml b/detections/application/okta_mismatch_between_source_and_response_for_verify_push_request.yml index 33e9d58c05..41b874c8bc 100644 --- a/detections/application/okta_mismatch_between_source_and_response_for_verify_push_request.yml +++ b/detections/application/okta_mismatch_between_source_and_response_for_verify_push_request.yml @@ -1,65 +1,46 @@ name: Okta Mismatch Between Source and Response for Verify Push Request id: 8085b79b-9b85-4e67-ad63-351c9e9a5e9a -version: 1 -date: '2023-03-17' +version: 2 +date: '2024-05-19' author: John Murphy and Jordan Ruocco, Okta, Michael Haag, Splunk type: TTP status: experimental data_source: [] -description: 'The following analytic identifies variations in client-based values for source and response events to identify suspicious request behavior. The detection is enhanced if the org is evaluating behavior conditions in sign-on policies using Okta Behavior Detection. NOTE: This detection requires the use of Okta Identity Engine (OIE) and will not function on Okta Classic. - - For each Okta Verify Push challenge, the following two events are recorded in Okta System Log - - Source of Push (Sign-In) - - eventType eq \"system.push.send_factor_verify_push\" - - User Push Response (Okta Verify client) - - eventType eq "user.authentication.auth_via_mfa" AND debugContext.debugData.factor eq "OKTA_VERIFY_PUSH" - - In sequence, the logic for the analytic - - - * Groups by SessionID and retrieves any system.push.send_factor_verify_push events (the source of the push) and user.authentication.auth_via_mfa events where the factor is OKTA_VERIFY_PUSH - (the user response to the push) - - * Counts the total number of push events, successful authentication events, and any push sources where the client is a new device. - * Creates a ratio of successful sign-ins to pushes. - - * If the ratio (currently tuned aggressively) indicates push spam, or if a user has rejected a push, the detection proceeds to evaluate whether there is more than one IP address used during the session (session roaming) and the presence of both a new IP and new device during the session.' -search: '`okta` eventType IN (system.push.send_factor_verify_push) OR - (eventType IN (user.authentication.auth_via_mfa) - debugContext.debugData.factor="OKTA_VERIFY_PUSH") - | eval groupby="authenticationContext.externalSessionId" - | eval group_push_time=_time - | bin span=2s group_push_time - | fillnull value=NULL - | stats min(_time) as _time by authenticationContext.externalSessionId eventType - debugContext.debugData.factor outcome.result actor.alternateId client.device client.ipAddress - client.userAgent.rawUserAgent debugContext.debugData.behaviors group_push_time groupby - | iplocation client.ipAddress - | fields - lat, lon, group_push_time - | stats min(_time) as _time dc(client.ipAddress) as dc_ip - sum(eval(if(eventType="system.push.send_factor_verify_push" AND - "outcome.result"="SUCCESS",1,0))) as total_pushes - sum(eval(if(eventType="user.authentication.auth_via_mfa" AND - "outcome.result"="SUCCESS",1,0))) as total_successes - sum(eval(if(eventType="user.authentication.auth_via_mfa" AND - "outcome.result"="FAILURE",1,0))) as total_rejected - sum(eval(if(eventType="system.push.send_factor_verify_push" AND - "debugContext.debugData.behaviors" LIKE "%New Device=POSITIVE%",1,0))) as suspect_device_from_source - sum(eval(if(eventType="system.push.send_factor_verify_push" AND - "debugContext.debugData.behaviors" LIKE "%New IP=POSITIVE%",0,0))) as suspect_ip_from_source - values(eval(if(eventType="system.push.send_factor_verify_push","client.ipAddress",""))) as src - values(eval(if(eventType="user.authentication.auth_via_mfa","client.ipAddress",""))) as dest - values(*) as * by groupby - | eval ratio = round(total_successes/total_pushes,2) - | search ((ratio < 0.5 AND total_pushes > 1) OR (total_rejected > 0)) AND dc_ip > 1 AND - suspect_device_from_source > 0 AND suspect_ip_from_source > 0 | `okta_mismatch_between_source_and_response_for_verify_push_request_filter`' -how_to_implement: The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). -known_false_positives: False positives may be present based on organization size and configuration of Okta. Monitor, tune and filter as needed. +description: 'The following analytic identifies discrepancies between the source and + response events for Okta Verify Push requests, indicating potential suspicious behavior. + It leverages Okta System Log events, specifically `system.push.send_factor_verify_push` + and `user.authentication.auth_via_mfa` with the factor "OKTA_VERIFY_PUSH." The detection + groups events by SessionID, calculates the ratio of successful sign-ins to push + requests, and checks for session roaming and new device/IP usage. This activity + is significant as it may indicate push spam or unauthorized access attempts. If + confirmed malicious, attackers could bypass MFA, leading to unauthorized access + to sensitive systems.' +search: '`okta` eventType IN (system.push.send_factor_verify_push) OR (eventType IN + (user.authentication.auth_via_mfa) debugContext.debugData.factor="OKTA_VERIFY_PUSH") + | eval groupby="authenticationContext.externalSessionId" | eval group_push_time=_time + | bin span=2s group_push_time | fillnull value=NULL | stats min(_time) as _time + by authenticationContext.externalSessionId eventType debugContext.debugData.factor + outcome.result actor.alternateId client.device client.ipAddress client.userAgent.rawUserAgent + debugContext.debugData.behaviors group_push_time groupby | iplocation client.ipAddress + | fields - lat, lon, group_push_time | stats min(_time) as _time dc(client.ipAddress) + as dc_ip sum(eval(if(eventType="system.push.send_factor_verify_push" AND "outcome.result"="SUCCESS",1,0))) + as total_pushes sum(eval(if(eventType="user.authentication.auth_via_mfa" AND "outcome.result"="SUCCESS",1,0))) + as total_successes sum(eval(if(eventType="user.authentication.auth_via_mfa" AND + "outcome.result"="FAILURE",1,0))) as total_rejected sum(eval(if(eventType="system.push.send_factor_verify_push" + AND "debugContext.debugData.behaviors" LIKE "%New Device=POSITIVE%",1,0))) as suspect_device_from_source + sum(eval(if(eventType="system.push.send_factor_verify_push" AND "debugContext.debugData.behaviors" + LIKE "%New IP=POSITIVE%",0,0))) as suspect_ip_from_source values(eval(if(eventType="system.push.send_factor_verify_push","client.ipAddress",""))) + as src values(eval(if(eventType="user.authentication.auth_via_mfa","client.ipAddress",""))) + as dest values(*) as * by groupby | eval ratio = round(total_successes/total_pushes,2) + | search ((ratio < 0.5 AND total_pushes > 1) OR (total_rejected > 0)) AND dc_ip + > 1 AND suspect_device_from_source > 0 AND suspect_ip_from_source > 0 | `okta_mismatch_between_source_and_response_for_verify_push_request_filter`' +how_to_implement: The analytic leverages Okta OktaIm2 logs to be ingested using the + Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). +known_false_positives: False positives may be present based on organization size and + configuration of Okta. Monitor, tune and filter as needed. references: - - https://attack.mitre.org/techniques/T1621 - - https://splunkbase.splunk.com/app/6553 +- https://attack.mitre.org/techniques/T1621 +- https://splunkbase.splunk.com/app/6553 tags: analytic_story: - Okta Account Takeover @@ -67,7 +48,8 @@ tags: asset_type: Okta Tenant confidence: 80 impact: 80 - message: A mismatch between source and response for verifying a push request has occurred for $actor.alternateId$ + message: A mismatch between source and response for verifying a push request has + occurred for $actor.alternateId$ mitre_attack_id: - T1621 observable: @@ -81,15 +63,15 @@ tags: - Splunk Cloud required_fields: - _time - - authenticationContext.externalSessionId + - authenticationContext.externalSessionId - eventType - - debugContext.debugData.factor - - outcome.result - - actor.alternateId - - client.device + - debugContext.debugData.factor + - outcome.result + - actor.alternateId + - client.device - client.ipAddress - - client.userAgent.rawUserAgent - - debugContext.debugData.behaviors + - client.userAgent.rawUserAgent + - debugContext.debugData.behaviors - group_push_time risk_score: 64 security_domain: access diff --git a/detections/application/okta_multi_factor_authentication_disabled.yml b/detections/application/okta_multi_factor_authentication_disabled.yml index c8ba66e58e..4f3d2badc0 100644 --- a/detections/application/okta_multi_factor_authentication_disabled.yml +++ b/detections/application/okta_multi_factor_authentication_disabled.yml @@ -1,20 +1,29 @@ name: Okta Multi-Factor Authentication Disabled id: 7c0348ce-bdf9-45f6-8a57-c18b5976f00a -version: 1 -date: '2024-03-11' +version: 2 +date: '2024-05-13' author: Mauricio Velazco, Splunk data_source: [] type: TTP status: production -description: The following analytic identifies an attempt to disable multi-factor authentication for an Okta user. An adversary who has obtained access to an Okta tenant may disable multi-factor authentication as a way to plant a backdoor and maintain persistence using a valid account. This way the attackers can keep persistance in the environment without adding new users. -search: ' | tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime - from datamodel=Change where sourcetype="OktaIM2:log" All_Changes.object_category=User AND All_Changes.action=modified All_Changes.command=user.mfa.factor.deactivate by All_Changes.user All_Changes.result All_Changes.command sourcetype All_Changes.src - | `drop_dm_object_name("All_Changes")` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +description: The following analytic identifies an attempt to disable multi-factor + authentication (MFA) for an Okta user. It leverages OktaIM2 logs to detect when + the 'user.mfa.factor.deactivate' command is executed. This activity is significant + because disabling MFA can allow an adversary to maintain persistence within the + environment using a compromised valid account. If confirmed malicious, this action + could enable attackers to bypass additional security layers, potentially leading + to unauthorized access to sensitive information and prolonged undetected presence + in the network. +search: ' | tstats `security_content_summariesonly` count max(_time) as lastTime, + min(_time) as firstTime from datamodel=Change where sourcetype="OktaIM2:log" All_Changes.object_category=User + AND All_Changes.action=modified All_Changes.command=user.mfa.factor.deactivate by + All_Changes.user All_Changes.result All_Changes.command sourcetype All_Changes.src + | `drop_dm_object_name("All_Changes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_multi_factor_authentication_disabled_filter`' -how_to_implement: The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). -known_false_positives: Legitimate use case may require for users to disable MFA. Filter lightly and monitor for any unusual activity. +how_to_implement: The analytic leverages Okta OktaIm2 logs to be ingested using the + Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). +known_false_positives: Legitimate use case may require for users to disable MFA. Filter + lightly and monitor for any unusual activity. references: - https://attack.mitre.org/techniques/T1556/ - https://splunkbase.splunk.com/app/6553 @@ -24,7 +33,8 @@ tags: asset_type: Okta Tenant confidence: 60 impact: 50 - message: MFA was disabled for User [$user$] initiated by [$src$]. Investigate further to determine if this was authorized. + message: MFA was disabled for User [$user$] initiated by [$src$]. Investigate further + to determine if this was authorized. mitre_attack_id: - T1556 - T1556.006 @@ -55,6 +65,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556.006/okta_mfa_method_disabled/okta_mfa_method_disabled.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556.006/okta_mfa_method_disabled/okta_mfa_method_disabled.log source: Okta sourcetype: OktaIM2:log diff --git a/detections/application/okta_multiple_accounts_locked_out.yml b/detections/application/okta_multiple_accounts_locked_out.yml index e062706a86..7771f9cfa8 100644 --- a/detections/application/okta_multiple_accounts_locked_out.yml +++ b/detections/application/okta_multiple_accounts_locked_out.yml @@ -1,21 +1,28 @@ name: Okta Multiple Accounts Locked Out id: a511426e-184f-4de6-8711-cfd2af29d1e1 -version: 1 -date: '2024-03-06' +version: 2 +date: '2024-05-11' author: Michael Haag, Mauricio Velazco, Splunk data_source: [] type: Anomaly status: production -description: The following analytic utilizes the user.acount.lock event to identify multiple Okta accounts locking out in a short period of time. An adversary attempting to brute force or password spray account names may lock accounts out depending on the threshold set by the organization. Monitoring for multiple account lockouts can help detect potential account takeover attempts or unauthorized access to Okta accounts. -search: '| tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime values(All_Changes.user) as user - from datamodel=Change where All_Changes.change_type=AAA All_Changes.object_category=User AND All_Changes.action=lockout AND All_Changes.command=user.account.lock by _time span=5m All_Changes.result All_Changes.command sourcetype All_Changes.src - | where count > 5 - | `drop_dm_object_name("All_Changes")` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `okta_multiple_accounts_locked_out_filter`' -how_to_implement: The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). -known_false_positives: Multiple account lockouts may be also triggered by an application malfunction. Filter as needed, and monitor for any unusual activity. +description: The following analytic detects multiple Okta accounts being locked out + within a short period. It uses the user.account.lock event from Okta logs, aggregated + over a 5-minute window, to identify this behavior. This activity is significant + as it may indicate a brute force or password spraying attack, where an adversary + attempts to guess passwords, leading to account lockouts. If confirmed malicious, + this could result in potential account takeovers or unauthorized access to sensitive + Okta accounts, posing a significant security risk. +search: '| tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) + as firstTime values(All_Changes.user) as user from datamodel=Change where All_Changes.change_type=AAA + All_Changes.object_category=User AND All_Changes.action=lockout AND All_Changes.command=user.account.lock + by _time span=5m All_Changes.result All_Changes.command sourcetype All_Changes.src + | where count > 5 | `drop_dm_object_name("All_Changes")` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `okta_multiple_accounts_locked_out_filter`' +how_to_implement: The analytic leverages Okta OktaIm2 logs to be ingested using the + Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). +known_false_positives: Multiple account lockouts may be also triggered by an application + malfunction. Filter as needed, and monitor for any unusual activity. references: - https://attack.mitre.org/techniques/T1110/ - https://splunkbase.splunk.com/app/6553 @@ -25,7 +32,8 @@ tags: asset_type: Okta Tenant confidence: 70 impact: 70 - message: Multiple accounts locked out in Okta from [$src$]. Investigate further to determine if this was authorized. + message: Multiple accounts locked out in Okta from [$src$]. Investigate further + to determine if this was authorized. mitre_attack_id: - T1110 observable: @@ -55,6 +63,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110/okta_multiple_accounts_lockout/okta_multiple_accounts_lockout.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110/okta_multiple_accounts_lockout/okta_multiple_accounts_lockout.log source: Okta - sourcetype: OktaIM2:log \ No newline at end of file + sourcetype: OktaIM2:log diff --git a/detections/application/okta_multiple_failed_mfa_requests_for_user.yml b/detections/application/okta_multiple_failed_mfa_requests_for_user.yml index c42377fbf6..d0a539de30 100644 --- a/detections/application/okta_multiple_failed_mfa_requests_for_user.yml +++ b/detections/application/okta_multiple_failed_mfa_requests_for_user.yml @@ -1,21 +1,28 @@ name: Okta Multiple Failed MFA Requests For User id: 826dbaae-a1e6-4c8c-b384-d16898956e73 -version: 1 -date: '2024-03-05' +version: 2 +date: '2024-05-20' author: Mauricio Velazco, Splunk data_source: [] type: Anomaly status: production -description: The following analytic identifies multiple failed multi-factor authentication requests for a single user within an Okta tenant. Specifically, the analytic triggers when more than 10 MFA user prompts fail within 10 minutes. The reasons for these failure could be several, like the user not responding in time or receiving multiple duplicate MFA requests. Okta tenants can be very different depending on the organization, Security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls as reported by Mandiant and others. -search: ' `okta` eventType=user.authentication.auth_via_mfa outcome.result=FAILURE debugContext.debugData.factor!=PASSWORD_AS_FACTOR - | bucket _time span=5m - | stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) values(src_ip) as src_ip values(debugContext.debugData.factor) by _time src_user - | where count >= 5 - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +description: The following analytic identifies multiple failed multi-factor authentication + (MFA) requests for a single user within an Okta tenant. It triggers when more than + 10 MFA attempts fail within 5 minutes, using Okta event logs to detect this pattern. + This activity is significant as it may indicate an adversary attempting to bypass + MFA by bombarding the user with repeated authentication requests, a technique used + by threat actors like Lapsus and APT29. If confirmed malicious, this could lead + to unauthorized access, potentially compromising sensitive information and systems. +search: ' `okta` eventType=user.authentication.auth_via_mfa outcome.result=FAILURE + debugContext.debugData.factor!=PASSWORD_AS_FACTOR | bucket _time span=5m | stats + count min(_time) as firstTime max(_time) as lastTime values(displayMessage) values(src_ip) + as src_ip values(debugContext.debugData.factor) by _time src_user | where count + >= 10 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_multiple_failed_mfa_requests_for_user_filter`' -how_to_implement: The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). -known_false_positives: Multiple Failed MFA requests may also be a sign of authentication or application issues. Filter as needed and monitor for any unusual activity. +how_to_implement: The analytic leverages Okta OktaIm2 logs to be ingested using the + Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). +known_false_positives: Multiple Failed MFA requests may also be a sign of authentication + or application issues. Filter as needed and monitor for any unusual activity. references: - https://attack.mitre.org/techniques/T1621/ tags: @@ -24,7 +31,7 @@ tags: asset_type: Okta Tenant confidence: 70 impact: 60 - message: Multiple failed MFA requests for user [$src_user$] from IP Address - [$src_ip$]. Investigate further to determine if this was authorized. + message: Multiple failed MFA requests for user $src_user$ from IP Address - $src_ip$ mitre_attack_id: - T1621 observable: @@ -53,6 +60,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/okta_multiple_failed_mfa_requests/okta_multiple_failed_mfa_requests.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/okta_multiple_failed_mfa_requests/okta_multiple_failed_mfa_requests.log source: Okta - sourcetype: OktaIM2:log \ No newline at end of file + sourcetype: OktaIM2:log diff --git a/detections/application/okta_multiple_failed_requests_to_access_applications.yml b/detections/application/okta_multiple_failed_requests_to_access_applications.yml index c8b3738e1e..56a07ee4db 100644 --- a/detections/application/okta_multiple_failed_requests_to_access_applications.yml +++ b/detections/application/okta_multiple_failed_requests_to_access_applications.yml @@ -1,53 +1,66 @@ name: Okta Multiple Failed Requests to Access Applications id: 1c21fed1-7000-4a2e-9105-5aaafa437247 -version: 1 -date: "2023-03-17" +version: 2 +date: "2024-05-30" author: John Murphy, Okta, Michael Haag, Splunk type: Hunting status: experimental data_source: [] -description: - 'The following analytic identifies multiple failed app requests in an attempt to identify the reuse a stolen web session cookie. The logic of the analytic is as follows: - * Retrieves policy evaluation and SSO details in events that contain the Application requested - - * Formats target fields so we can aggregate specifically on Applications (AppInstances) - - * Groups by User, Session and IP - - * Creates a ratio of successful SSO events to total MFA challenges related to Application Sign On Policies - - * Alerts when more than half of app sign on events are unsuccessful, and challenges were unsatisfied for more than three apps.' -search: '`okta` target{}.type=AppInstance (eventType=policy.evaluate_sign_on outcome.result=CHALLENGE) OR (eventType=user.authentication.sso outcome.result=SUCCESS) | eval targets=mvzip(''target{}.type'', ''target{}.displayName'', ": ") | eval targets=mvfilter(targets LIKE "AppInstance%") | stats count min(_time) as _time values(outcome.result) as outcome.result dc(eval(if(eventType="policy.evaluate_sign_on",targets,NULL))) as total_challenges sum(eval(if(eventType="user.authentication.sso",1,0))) as total_successes by authenticationContext.externalSessionId targets actor.alternateId client.ipAddress | search total_challenges > 0 | stats min(_time) as _time values(*) as * sum(total_challenges) as total_challenges sum(total_successes) as total_successes values(eval(if("outcome.result"="SUCCESS",targets,NULL))) as success_apps values(eval(if(":outcome.result"!="SUCCESS",targets,NULL))) as no_success_apps by authenticationContext.externalSessionId actor.alternateId client.ipAddress | fillnull | eval ratio=round(total_successes/total_challenges,2), severity="HIGH", mitre_technique_id="T1538", description="actor.alternateId". " from " . "client.ipAddress" . " seen opening " . total_challenges . " chiclets/apps with " . total_successes . " challenges successfully passed" | fields - count, targets | search ratio < 0.5 total_challenges > 2 | `okta_multiple_failed_requests_to_access_applications_filter`' -how_to_implement: This analytic is specific to Okta and requires Okta:im2 logs to be ingested. -known_false_positives: False positives may be present based on organization size and configuration of Okta. +description: 'The following analytic detects multiple failed attempts to access applications + in Okta, potentially indicating the reuse of a stolen web session cookie. It leverages + Okta logs to evaluate policy and SSO events, aggregating data by user, session, + and IP. The detection triggers when more than half of the app sign-on attempts are + unsuccessful across multiple applications. This activity is significant as it may + indicate an attempt to bypass authentication mechanisms. If confirmed malicious, + it could lead to unauthorized access to sensitive applications and data, posing + a significant security risk.' +search: '`okta` target{}.type=AppInstance (eventType=policy.evaluate_sign_on outcome.result=CHALLENGE) + OR (eventType=user.authentication.sso outcome.result=SUCCESS) | eval targets=mvzip(''target{}.type'', + ''target{}.displayName'', ": ") | eval targets=mvfilter(targets LIKE "AppInstance%") + | stats count min(_time) as _time values(outcome.result) as outcome.result dc(eval(if(eventType="policy.evaluate_sign_on",targets,NULL))) + as total_challenges sum(eval(if(eventType="user.authentication.sso",1,0))) as total_successes + by authenticationContext.externalSessionId targets actor.alternateId client.ipAddress + | search total_challenges > 0 | stats min(_time) as _time values(*) as * sum(total_challenges) + as total_challenges sum(total_successes) as total_successes values(eval(if("outcome.result"="SUCCESS",targets,NULL))) + as success_apps values(eval(if(":outcome.result"!="SUCCESS",targets,NULL))) as no_success_apps + by authenticationContext.externalSessionId actor.alternateId client.ipAddress | + fillnull | eval ratio=round(total_successes/total_challenges,2), severity="HIGH", + mitre_technique_id="T1538", description="actor.alternateId". " from " . "client.ipAddress" + . " seen opening " . total_challenges . " chiclets/apps with " . total_successes + . " challenges successfully passed" | fields - count, targets | search ratio < 0.5 + total_challenges > 2 | `okta_multiple_failed_requests_to_access_applications_filter`' +how_to_implement: This analytic is specific to Okta and requires Okta:im2 logs to + be ingested. +known_false_positives: False positives may be present based on organization size and + configuration of Okta. references: - - https://attack.mitre.org/techniques/T1538 - - https://attack.mitre.org/techniques/T1550/004 +- https://attack.mitre.org/techniques/T1538 +- https://attack.mitre.org/techniques/T1550/004 tags: analytic_story: - - Okta Account Takeover + - Okta Account Takeover asset_type: Okta Tenant confidence: 70 impact: 80 message: Multiple Failed Requests to Access Applications via Okta for $actor.alternateId$. mitre_attack_id: - - T1550.004 - - T1538 + - T1550.004 + - T1538 observable: - - name: actor.alternateId - type: User - role: - - Victim + - name: actor.alternateId + type: User + role: + - Victim product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud required_fields: - - _time - - authenticationContext.externalSessionId - - targets - - actor.alternateId - - client.ipAddress - - eventType + - _time + - authenticationContext.externalSessionId + - targets + - actor.alternateId + - client.ipAddress + - eventType risk_score: 56 security_domain: access diff --git a/detections/application/okta_multiple_users_failing_to_authenticate_from_ip.yml b/detections/application/okta_multiple_users_failing_to_authenticate_from_ip.yml index 838e1aa5c1..6c457c5bd9 100644 --- a/detections/application/okta_multiple_users_failing_to_authenticate_from_ip.yml +++ b/detections/application/okta_multiple_users_failing_to_authenticate_from_ip.yml @@ -1,21 +1,30 @@ name: Okta Multiple Users Failing To Authenticate From Ip id: de365ffa-42f5-46b5-b43f-fa72290b8218 -version: 1 -date: '2024-03-06' +version: 2 +date: '2024-05-28' author: Michael Haag, Mauricio Velazco, Splunk data_source: [] type: Anomaly status: production -description: This analytic identifies instances where multiple users (more than 10 unique accounts) have failed to authenticate from a single IP address within a short time span (5 minutes) within an Okta tenant. Such a pattern can be indicative of malicious activities, such as brute-force attacks or password spraying attempts. Identifying and responding to such patterns promptly is crucial to prevent potential account compromises and unauthorized access to organizational resources. If the detection is a true positive, it suggests that an external entity is actively trying to breach security by targeting multiple user accounts. -search: ' | tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime dc(Authentication.user) as unique_accounts values(Authentication.signature) as signature values(Authentication.user) as user values(Authentication.app) as app values(Authentication.authentication_method) as authentication_method - from datamodel=Authentication where Authentication.action="failure" AND Authentication.signature=user.session.start by _time span=5m Authentication.src sourcetype - | where unique_accounts > 9 - | `drop_dm_object_name("Authentication")` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `okta_multiple_users_failing_to_authenticate_from_ip_filter`' -how_to_implement: The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). -known_false_positives: A source Ip failing to authenticate with multiple users in a short period of time is not common legitimate behavior. +description: The following analytic identifies instances where more than 10 unique + user accounts have failed to authenticate from a single IP address within a 5-minute + window in an Okta tenant. This detection uses OktaIm2 logs ingested via the Splunk + Add-on for Okta Identity Cloud. Such activity is significant as it may indicate + brute-force attacks or password spraying attempts. If confirmed malicious, this + behavior suggests an external entity is attempting to compromise multiple user accounts, + potentially leading to unauthorized access to organizational resources and data + breaches. +search: ' | tstats `security_content_summariesonly` count max(_time) as lastTime, + min(_time) as firstTime dc(Authentication.user) as unique_accounts values(Authentication.signature) + as signature values(Authentication.user) as user values(Authentication.app) as app + values(Authentication.authentication_method) as authentication_method from datamodel=Authentication + where Authentication.action="failure" AND Authentication.signature=user.session.start + by _time span=5m Authentication.src sourcetype | where unique_accounts > 9 | `drop_dm_object_name("Authentication")` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_multiple_users_failing_to_authenticate_from_ip_filter`' +how_to_implement: The analytic leverages Okta OktaIm2 logs to be ingested using the + Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). +known_false_positives: A source Ip failing to authenticate with multiple users in + a short period of time is not common legitimate behavior. references: - https://attack.mitre.org/techniques/T1110/003/ - https://splunkbase.splunk.com/app/6553 @@ -25,7 +34,8 @@ tags: asset_type: Okta Tenant confidence: 90 impact: 60 - message: Multiple users failing to authenticate from a single source IP Address - [$src$]. Investigate further to determine if this was authorized. + message: Multiple users failing to authenticate from a single source IP Address + - [$src$]. Investigate further to determine if this was authorized. mitre_attack_id: - T1110.003 observable: @@ -55,6 +65,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/okta_multiple_users_from_ip/okta_multiple_users_from_ip.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/okta_multiple_users_from_ip/okta_multiple_users_from_ip.log source: Okta - sourcetype: OktaIM2:log \ No newline at end of file + sourcetype: OktaIM2:log diff --git a/detections/application/okta_new_api_token_created.yml b/detections/application/okta_new_api_token_created.yml index 4d99a43f7e..9d6a299dd2 100644 --- a/detections/application/okta_new_api_token_created.yml +++ b/detections/application/okta_new_api_token_created.yml @@ -1,19 +1,27 @@ name: Okta New API Token Created id: c3d22720-35d3-4da4-bd0a-740d37192bd4 -version: 2 -date: '2022-09-21' +version: 3 +date: '2024-05-11' author: Michael Haag, Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic identifies when a new API token is created within an Okta tenant. An adversary may create a new API token to maintain persistence within the environment. Monitoring for new API tokens can help detect potential account takeover attempts or unauthorized access to Okta accounts. +description: The following analytic detects the creation of a new API token within + an Okta tenant. It uses OktaIm2 logs ingested via the Splunk Add-on for Okta Identity + Cloud to identify events where the `system.api_token.create` command is executed. + This activity is significant because creating a new API token can indicate potential + account takeover attempts or unauthorized access, allowing an adversary to maintain + persistence. If confirmed malicious, this could enable attackers to execute API + calls, access sensitive data, and perform administrative actions within the Okta + environment. data_source: [] -search: ' | tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime - from datamodel=Change where All_Changes.action=created AND All_Changes.command=system.api_token.create by _time span=5m All_Changes.user All_Changes.result All_Changes.command sourcetype All_Changes.src All_Changes.action All_Changes.object_category - | `drop_dm_object_name("All_Changes")` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +search: ' | tstats `security_content_summariesonly` count max(_time) as lastTime, + min(_time) as firstTime from datamodel=Change where All_Changes.action=created AND + All_Changes.command=system.api_token.create by _time span=5m All_Changes.user All_Changes.result + All_Changes.command sourcetype All_Changes.src All_Changes.action All_Changes.object_category + | `drop_dm_object_name("All_Changes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_new_api_token_created_filter`' -how_to_implement: The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). +how_to_implement: The analytic leverages Okta OktaIm2 logs to be ingested using the + Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). known_false_positives: False positives may be present. Tune Okta and tune the analytic to ensure proper fidelity. Modify risk score as needed. references: @@ -25,7 +33,8 @@ tags: asset_type: Okta Tenant confidence: 80 impact: 80 - message: A new API token was created in Okta by [$user$]. Investigate further to determine if this was authorized. + message: A new API token was created in Okta by [$user$]. Investigate further to + determine if this was authorized. mitre_attack_id: - T1078 - T1078.001 @@ -56,6 +65,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.001/okta_new_api_token_created/okta_new_api_token_created.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.001/okta_new_api_token_created/okta_new_api_token_created.log source: Okta - sourcetype: OktaIM2:log \ No newline at end of file + sourcetype: OktaIM2:log diff --git a/detections/application/okta_new_device_enrolled_on_account.yml b/detections/application/okta_new_device_enrolled_on_account.yml index cfe8636792..8d19286783 100644 --- a/detections/application/okta_new_device_enrolled_on_account.yml +++ b/detections/application/okta_new_device_enrolled_on_account.yml @@ -1,20 +1,28 @@ name: Okta New Device Enrolled on Account id: bb27cbce-d4de-432c-932f-2e206e9130fb -version: 2 -date: '2024-03-08' +version: 3 +date: '2024-05-24' author: Michael Haag, Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic identifies when a new device is enrolled on an Okta account. This behavior is indicative of a user adding a new device to their account. This activity is common when a user is setting up a new device or when a user has lost access to their previous device. However, this activity can also be indicative of an adversary adding a new device to an account to maintain access to an account. Monitoring for this activity can help detect potential account takeover attempts or unauthorized access to Okta accounts. +description: The following analytic identifies when a new device is enrolled on an + Okta account. It uses OktaIm2 logs ingested via the Splunk Add-on for Okta Identity + Cloud to detect the creation of new device enrollments. This activity is significant + as it may indicate a legitimate user setting up a new device or an adversary adding + a device to maintain unauthorized access. If confirmed malicious, this could lead + to potential account takeover, unauthorized access, and persistent control over + the compromised Okta account. Monitoring this behavior is crucial for detecting + and mitigating unauthorized access attempts. data_source: [] -search: ' | tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime - from datamodel=Change where All_Changes.action=created All_Changes.command=device.enrollment.create by _time span=5m All_Changes.user All_Changes.result All_Changes.command sourcetype All_Changes.src All_Changes.action All_Changes.object_category - | `drop_dm_object_name("All_Changes")` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `okta_new_device_enrolled_on_account_filter`' -how_to_implement: The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). -known_false_positives: It is possible that the user has legitimately added a new device to their account. Please verify this activity. +search: ' | tstats `security_content_summariesonly` count max(_time) as lastTime, + min(_time) as firstTime from datamodel=Change where All_Changes.action=created All_Changes.command=device.enrollment.create + by _time span=5m All_Changes.user All_Changes.result All_Changes.command sourcetype + All_Changes.src All_Changes.action All_Changes.object_category | `drop_dm_object_name("All_Changes")` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_new_device_enrolled_on_account_filter`' +how_to_implement: The analytic leverages Okta OktaIm2 logs to be ingested using the + Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). +known_false_positives: It is possible that the user has legitimately added a new device + to their account. Please verify this activity. references: - https://attack.mitre.org/techniques/T1098/005/ - https://developer.okta.com/docs/reference/api/event-types/?q=device.enrollment.create @@ -24,7 +32,8 @@ tags: asset_type: Okta Tenant confidence: 60 impact: 40 - message: A new device was enrolled on an Okta account for user [$user$]. Investigate further to determine if this was authorized. + message: A new device was enrolled on an Okta account for user [$user$]. Investigate + further to determine if this was authorized. mitre_attack_id: - T1098 - T1098.005 @@ -51,6 +60,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.005/okta_new_device_enrolled/okta_new_device_enrolled.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.005/okta_new_device_enrolled/okta_new_device_enrolled.log source: Okta - sourcetype: OktaIM2:log \ No newline at end of file + sourcetype: OktaIM2:log diff --git a/detections/application/okta_phishing_detection_with_fastpass_origin_check.yml b/detections/application/okta_phishing_detection_with_fastpass_origin_check.yml index dcbdfc9493..ee78e21364 100644 --- a/detections/application/okta_phishing_detection_with_fastpass_origin_check.yml +++ b/detections/application/okta_phishing_detection_with_fastpass_origin_check.yml @@ -1,20 +1,28 @@ name: Okta Phishing Detection with FastPass Origin Check id: f4ca0057-cbf3-44f8-82ea-4e330ee901d3 -version: 1 -date: '2023-03-09' +version: 2 +date: '2024-05-15' author: Okta, Inc, Michael Haag, Splunk type: TTP status: experimental data_source: [] -description: The following analytic identifies when Okta''s FastPass prevents known phishing sites. When your users are enrolled in FastPass, Okta can provide defenders a high-fidelity signal for when user applications are being targeted by attackers wielding real-time (AiTM) proxies. - Okta''s Defensive Cyber Operations team routinely identifies phishing infrastructure configured to imitate an Okta sign-in page and proactively notify Okta customers when suspicious infrastructure we detect appears to be targeting their users. Since March 2020, we have delivered over 1000 notifications to customers. -search: '`okta` eventType="user.authentication.auth_via_mfa" AND result="FAILURE" AND outcome.reason="FastPass declined phishing attempt" -| stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) by user eventType client.userAgent.rawUserAgent client.userAgent.browser outcome.reason -| `security_content_ctime(firstTime)` -| `security_content_ctime(lastTime)` | `okta_phishing_detection_with_fastpass_origin_check_filter`' -how_to_implement: This search is specific to Okta and requires Okta logs to be - ingested in your Splunk deployment. -known_false_positives: Fidelity of this is high as Okta is specifying malicious infrastructure. Filter and modify as needed. +description: The following analytic identifies failed user authentication attempts + in Okta due to FastPass declining a phishing attempt. It leverages Okta logs, specifically + looking for events where multi-factor authentication (MFA) fails with the reason + "FastPass declined phishing attempt." This activity is significant as it indicates + that attackers are targeting users with real-time phishing proxies, attempting to + capture credentials. If confirmed malicious, this could lead to unauthorized access + to user accounts, potentially compromising sensitive information and furthering + lateral movement within the organization. +search: '`okta` eventType="user.authentication.auth_via_mfa" AND result="FAILURE" + AND outcome.reason="FastPass declined phishing attempt" | stats count min(_time) + as firstTime max(_time) as lastTime values(displayMessage) by user eventType client.userAgent.rawUserAgent + client.userAgent.browser outcome.reason | `security_content_ctime(firstTime)` | + `security_content_ctime(lastTime)` | `okta_phishing_detection_with_fastpass_origin_check_filter`' +how_to_implement: This search is specific to Okta and requires Okta logs to be ingested + in your Splunk deployment. +known_false_positives: Fidelity of this is high as Okta is specifying malicious infrastructure. + Filter and modify as needed. references: - https://sec.okta.com/fastpassphishingdetection tags: @@ -39,9 +47,9 @@ tags: - Splunk Cloud required_fields: - _time - - eventType - - client.userAgent.rawUserAgent - - client.userAgent.browser + - eventType + - client.userAgent.rawUserAgent + - client.userAgent.browser - outcome.reason - displayMessage risk_score: 100 diff --git a/detections/application/okta_risk_threshold_exceeded.yml b/detections/application/okta_risk_threshold_exceeded.yml index bbb9eebef3..314de0f5d4 100644 --- a/detections/application/okta_risk_threshold_exceeded.yml +++ b/detections/application/okta_risk_threshold_exceeded.yml @@ -1,57 +1,78 @@ name: Okta Risk Threshold Exceeded id: d8b967dd-657f-4d88-93b5-c588bcd7218c -version: 2 -date: "2024-04-02" +version: 3 +date: "2024-05-28" author: Michael Haag, Bhavin Patel, Splunk status: production type: Correlation -description: - This correlation computes the risk events associated with the detection analytics from "Suspicious Okta Activity", "Okta Account Takeover", and "Okta MFA Exhaustion" analytic stories. This analytic will trigger a notable event in your incident review when there are 5 or more distinct TTPs related to these analytic stories in the last 24 hours. This incident highlights potentially suspicious activity by a compromised user. +description: The following correlation identifies when a user exceeds a risk threshold + based on multiple suspicious Okta activities. It leverages the Risk Framework from + Enterprise Security, aggregating risk events from "Suspicious Okta Activity," "Okta + Account Takeover," and "Okta MFA Exhaustion" analytic stories. This detection is + significant as it highlights potentially compromised user accounts exhibiting multiple + tactics, techniques, and procedures (TTPs) within a 24-hour period. If confirmed + malicious, this activity could indicate a serious security breach, allowing attackers + to gain unauthorized access, escalate privileges, or persist within the environment. data_source: [] -search: - '| tstats `security_content_summariesonly` values(All_Risk.analyticstories) as analyticstories sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count,values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.risk_object_type = user All_Risk.analyticstories IN ("Okta Account Takeover", "Suspicious Okta Activity","Okta MFA Exhaustion") by All_Risk.risk_object,All_Risk.risk_object_type | `drop_dm_object_name("All_Risk")` | search mitre_technique_id_count > 5 | `okta_risk_threshold_exceeded_filter`' -how_to_implement: - This search leverages the Risk Framework from Enterprise Security. Ensure that "Suspicious Okta Activity", "Okta Account Takeover", and "Okta MFA Exhaustion" analytic stories are enabled. TTPs may be set to Notables for point detections; anomalies should not be notables but rather risk generators. The correlation relies on risk before generating a notable. Modify the value as needed. -known_false_positives: - False positives will be limited to the number of events generated by the analytics tied to the stories. Analytics will need to be tested and tuned, and the risk score reduced as needed based on the organization. +search: '| tstats `security_content_summariesonly` values(All_Risk.analyticstories) + as analyticstories sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) + as risk_event_count,values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as + annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) + as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) + as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) + as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, + dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.risk_object_type + = user All_Risk.analyticstories IN ("Okta Account Takeover", "Suspicious Okta Activity","Okta + MFA Exhaustion") by All_Risk.risk_object,All_Risk.risk_object_type | `drop_dm_object_name("All_Risk")` + | search mitre_technique_id_count > 5 | `okta_risk_threshold_exceeded_filter`' +how_to_implement: This search leverages the Risk Framework from Enterprise Security. + Ensure that "Suspicious Okta Activity", "Okta Account Takeover", and "Okta MFA Exhaustion" + analytic stories are enabled. TTPs may be set to Notables for point detections; + anomalies should not be notables but rather risk generators. The correlation relies + on risk before generating a notable. Modify the value as needed. +known_false_positives: False positives will be limited to the number of events generated + by the analytics tied to the stories. Analytics will need to be tested and tuned, + and the risk score reduced as needed based on the organization. references: - - https://developer.okta.com/docs/reference/api/event-types - - https://sec.okta.com/everythingisyes +- https://developer.okta.com/docs/reference/api/event-types +- https://sec.okta.com/everythingisyes tags: analytic_story: - - Okta Account Takeover - - Okta MFA Exhaustion - - Suspicious Okta Activity + - Okta Account Takeover + - Okta MFA Exhaustion + - Suspicious Okta Activity asset_type: Okta Tenant confidence: 80 impact: 70 - message: Okta Risk threshold exceeded for user [$risk_object$]. Investigate further to determine if this was authorized. + message: Okta Risk threshold exceeded for user [$risk_object$]. Investigate further + to determine if this was authorized. mitre_attack_id: - - T1078 - - T1110 + - T1078 + - T1110 observable: - - name: risk_object - type: User - role: - - Victim + - name: risk_object + type: User + role: + - Victim product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud required_fields: - - All_Risk.risk_object - - All_Risk.risk_object_type - - All_Risk.analyticstories - - All_Risk.calculated_risk_score - - All_Risk.annotations.mitre_attack.mitre_tactic_id - - All_Risk.annotations.mitre_attack.mitre_technique_id - - All_Risk.tag - - _time + - All_Risk.risk_object + - All_Risk.risk_object_type + - All_Risk.analyticstories + - All_Risk.calculated_risk_score + - All_Risk.annotations.mitre_attack.mitre_tactic_id + - All_Risk.annotations.mitre_attack.mitre_technique_id + - All_Risk.tag + - _time risk_score: 56 security_domain: access tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/okta_account_takeover_risk_events/okta_risk.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/okta_account_takeover_risk_events/okta_risk.log source: risk_data - sourcetype: stash \ No newline at end of file + sourcetype: stash diff --git a/detections/application/okta_successful_single_factor_authentication.yml b/detections/application/okta_successful_single_factor_authentication.yml index b830aedc19..02d48dae21 100644 --- a/detections/application/okta_successful_single_factor_authentication.yml +++ b/detections/application/okta_successful_single_factor_authentication.yml @@ -1,17 +1,29 @@ name: Okta Successful Single Factor Authentication id: 98f6ad4f-4325-4096-9d69-45dc8e638e82 -version: 1 -date: '2024-04-08' +version: 2 +date: '2024-05-26' author: Bhavin Patel, Splunk data_source: [] type: Anomaly status: production -description: This analytic identifies successful authentication events against the Okta Dashboard for accounts without Multi-Factor Authentication enabled. It specifically searches for events where "Okta Verify" is not detected during authentication. This could indicate a misconfiguration, a policy violation, or an account takeover attempt that warrants investigation. If your organization has other authenticators configured in the environment, consider excluding those from the "targets" in the detection search. -search: '`okta` action=success src_user_type = User eventType = user.authentication.verify OR eventType = user.authentication.auth_via_mfa| stats dc(eventType) values(eventType) as eventType values(target{}.displayName) as targets values(debugContext.debugData.url) min(_time) as firstTime max(_time) as lastTime values(authentication_method) by src_ip user action - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | search targets !="Okta Verify" | `okta_successful_single_factor_authentication_filter`' -how_to_implement: This detection utilizes logs from Okta environments and requires the ingestion of OktaIm2 logs through the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). -known_false_positives: Although not recommended, certain users may be exempt from multi-factor authentication. Adjust the filter as necessary. +description: The following analytic identifies successful single-factor authentication + events against the Okta Dashboard for accounts without Multi-Factor Authentication + (MFA) enabled. It detects this activity by analyzing Okta logs for successful authentication + events where "Okta Verify" is not used. This behavior is significant as it may indicate + a misconfiguration, policy violation, or potential account takeover. If confirmed + malicious, an attacker could gain unauthorized access to the account, potentially + leading to data breaches or further exploitation within the environment. +search: '`okta` action=success src_user_type = User eventType = user.authentication.verify + OR eventType = user.authentication.auth_via_mfa| stats dc(eventType) values(eventType) + as eventType values(target{}.displayName) as targets values(debugContext.debugData.url) + min(_time) as firstTime max(_time) as lastTime values(authentication_method) by + src_ip user action | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | search targets !="Okta Verify" | `okta_successful_single_factor_authentication_filter`' +how_to_implement: This detection utilizes logs from Okta environments and requires + the ingestion of OktaIm2 logs through the Splunk Add-on for Okta Identity Cloud + (https://splunkbase.splunk.com/app/6553). +known_false_positives: Although not recommended, certain users may be exempt from + multi-factor authentication. Adjust the filter as necessary. references: - https://sec.okta.com/everythingisyes - https://attack.mitre.org/techniques/T1078/004/ @@ -21,7 +33,8 @@ tags: asset_type: Okta Tenant confidence: 60 impact: 80 - message: A user [$user$] has successfully logged in to Okta Dashboard with single factor authentication from IP Address - [$src_ip$]. + message: A user [$user$] has successfully logged in to Okta Dashboard with single + factor authentication from IP Address - [$src_ip$]. mitre_attack_id: - T1586 - T1586.003 @@ -53,6 +66,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/okta_single_factor_auth/okta_single_factor_auth.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/okta_single_factor_auth/okta_single_factor_auth.log source: okta_log - sourcetype: OktaIM2:log \ No newline at end of file + sourcetype: OktaIM2:log diff --git a/detections/application/okta_suspicious_use_of_a_session_cookie.yml b/detections/application/okta_suspicious_use_of_a_session_cookie.yml index 005ca8297d..9e144bfc6e 100644 --- a/detections/application/okta_suspicious_use_of_a_session_cookie.yml +++ b/detections/application/okta_suspicious_use_of_a_session_cookie.yml @@ -1,31 +1,34 @@ name: Okta Suspicious Use of a Session Cookie id: 71ad47d1-d6bd-4e0a-b35c-020ad9a6959e -version: 2 -date: '2024-03-17' +version: 3 +date: '2024-05-29' author: Scott Dermott, Felicity Robson, Okta, Michael Haag, Bhavin Patel, Splunk type: Anomaly status: production data_source: [] -description: 'The following analytic looks for one or more policy evaluation events in which multiple client values (IP, User Agent, etc.) change associated to the same Device Token for a specific user. A detection opportunity arises when an adversary attempts to reuse a stolen web session cookie. - - * Retrieves policy evaluation events from successful authentication events. - - * Aggregates/Groups by Device Token and User, providing the first policy evaluation event in the search window. - - * It checks for the presence of more than one IP and whether there are multiple OS or browsers for each User/Device Token combination.' -search: '`okta` eventType IN (policy.evaluate_sign_on) outcome.result IN - (ALLOW, SUCCESS) | stats earliest(_time) as _time, values(client.ipAddress) as src_ip, - values(client.userAgent.rawUserAgent) as user_agent, values(client.userAgent.os) as - userAgentOS_list, values(client.geographicalContext.city) as city, values(client.userAgent.browser) as userAgentBrowser_list, - values(device.os_platform) as okta_device_os, dc(client.userAgent.browser) as dc_userAgentBrowser, - dc(client.userAgent.os) as dc_userAgentOS, dc(client.ipAddress) as dc_src_ip, - values(outcome.reason) as reason by debugContext.debugData.dtHash, user - | where dc_src_ip>1 AND (dc_userAgentOS>1 OR dc_userAgentBrowser>1) - | `okta_suspicious_use_of_a_session_cookie_filter`' -how_to_implement: This detection utilizes logs from Okta Identity Management (IM) environments. It requires the ingestion of OktaIm2 logs through the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). -known_false_positives: False positives may occur, depending on the organization's size and the configuration of Okta. +description: 'The following analytic identifies suspicious use of a session cookie + by detecting multiple client values (IP, User Agent, etc.) changing for the same + Device Token associated with a specific user. It leverages policy evaluation events + from successful authentication logs in Okta. This activity is significant as it + may indicate an adversary attempting to reuse a stolen web session cookie, potentially + bypassing authentication mechanisms. If confirmed malicious, this could allow unauthorized + access to user accounts, leading to data breaches or further exploitation within + the environment.' +search: '`okta` eventType IN (policy.evaluate_sign_on) outcome.result IN (ALLOW, SUCCESS) + | stats earliest(_time) as _time, values(client.ipAddress) as src_ip, values(client.userAgent.rawUserAgent) + as user_agent, values(client.userAgent.os) as userAgentOS_list, values(client.geographicalContext.city) + as city, values(client.userAgent.browser) as userAgentBrowser_list, values(device.os_platform) + as okta_device_os, dc(client.userAgent.browser) as dc_userAgentBrowser, dc(client.userAgent.os) + as dc_userAgentOS, dc(client.ipAddress) as dc_src_ip, values(outcome.reason) as + reason by debugContext.debugData.dtHash, user | where dc_src_ip>1 AND (dc_userAgentOS>1 + OR dc_userAgentBrowser>1) | `okta_suspicious_use_of_a_session_cookie_filter`' +how_to_implement: This detection utilizes logs from Okta Identity Management (IM) + environments. It requires the ingestion of OktaIm2 logs through the Splunk Add-on + for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). +known_false_positives: False positives may occur, depending on the organization's + size and the configuration of Okta. references: - - https://attack.mitre.org/techniques/T1539/ +- https://attack.mitre.org/techniques/T1539/ tags: analytic_story: - Suspicious Okta Activity @@ -33,7 +36,8 @@ tags: asset_type: Okta Tenant confidence: 70 impact: 80 - message: A user [$user$] is attempting to use a session cookie from multiple IP addresses or devices. Investigate further to determine if this was authorized. + message: A user [$user$] is attempting to use a session cookie from multiple IP + addresses or devices. Investigate further to determine if this was authorized. mitre_attack_id: - T1539 observable: @@ -60,6 +64,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1539/okta_web_session_multiple_ip/okta_web_session_multiple_ip.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1539/okta_web_session_multiple_ip/okta_web_session_multiple_ip.log source: Okta sourcetype: OktaIM2:log diff --git a/detections/application/okta_threatinsight_threat_detected.yml b/detections/application/okta_threatinsight_threat_detected.yml index 9a1e594d06..77a959649f 100644 --- a/detections/application/okta_threatinsight_threat_detected.yml +++ b/detections/application/okta_threatinsight_threat_detected.yml @@ -1,20 +1,29 @@ name: Okta ThreatInsight Threat Detected id: 140504ae-5fe2-4d65-b2bc-a211813fbca6 -version: 2 -date: '2022-09-21' +version: 3 +date: '2024-05-21' author: Michael Haag, Mauricio Velazco, Splunk status: production type: Anomaly -description: This anomaly is based on the identification of threats by Okta ThreatInsight. It allows for the escalation of risk based on src_ip or the addition of fields for further tracking. Possible identifications include password spraying, login failures, and login failures with a high count of unknown users. +description: The following analytic identifies threats detected by Okta ThreatInsight, + such as password spraying, login failures, and high counts of unknown user login + attempts. It leverages Okta Identity Management logs, specifically focusing on security.threat.detected + events. This activity is significant for a SOC as it highlights potential unauthorized + access attempts and credential-based attacks. If confirmed malicious, these activities + could lead to unauthorized access, data breaches, and further exploitation of compromised + accounts, posing a significant risk to the organization's security posture. data_source: [] -search: '`okta` eventType = security.threat.detected - | rename client.geographicalContext.country as country, client.geographicalContext.state as state, client.geographicalContext.city as city - | stats count min(_time) as firstTime max(_time) as lastTime by app src_ip signature eventType displayMessage client.device city state country user_agent outcome.reason outcome.result severity - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +search: '`okta` eventType = security.threat.detected | rename client.geographicalContext.country + as country, client.geographicalContext.state as state, client.geographicalContext.city + as city | stats count min(_time) as firstTime max(_time) as lastTime by app src_ip + signature eventType displayMessage client.device city state country user_agent outcome.reason + outcome.result severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_threatinsight_threat_detected_filter`' -how_to_implement: This detection utilizes logs from Okta Identity Management (IM) environments. It requires the ingestion of OktaIm2 logs through the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). -known_false_positives: False positives may occur. It is recommended to fine-tune Okta settings and the analytic to ensure high fidelity. Adjust the risk score as necessary. +how_to_implement: This detection utilizes logs from Okta Identity Management (IM) + environments. It requires the ingestion of OktaIm2 logs through the Splunk Add-on + for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). +known_false_positives: False positives may occur. It is recommended to fine-tune Okta + settings and the analytic to ensure high fidelity. Adjust the risk score as necessary. references: - https://developer.okta.com/docs/reference/api/event-types/?q=security.threat.detected tags: @@ -23,7 +32,8 @@ tags: asset_type: Infrastructure confidence: 50 impact: 50 - message: The following $src_ip$ has been identified as a threat by Okta ThreatInsight. Investigate further to determine if this was authorized. + message: The following $src_ip$ has been identified as a threat by Okta ThreatInsight. + Investigate further to determine if this was authorized. mitre_attack_id: - T1078 - T1078.004 @@ -58,6 +68,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/okta_threatinsight_threat_detected/okta_threatinsight_threat_detected.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/okta_threatinsight_threat_detected/okta_threatinsight_threat_detected.log source: Okta - sourcetype: OktaIM2:log \ No newline at end of file + sourcetype: OktaIM2:log diff --git a/detections/application/okta_unauthorized_access_to_application.yml b/detections/application/okta_unauthorized_access_to_application.yml index 2293135bb0..9f94ca1140 100644 --- a/detections/application/okta_unauthorized_access_to_application.yml +++ b/detections/application/okta_unauthorized_access_to_application.yml @@ -1,19 +1,30 @@ name: Okta Unauthorized Access to Application id: 5f661629-9750-4cb9-897c-1f05d6db8727 -version: 1 -date: '2024-03-07' +version: 2 +date: '2024-05-12' author: 'Bhavin Patel, Splunk' data_source: [] type: Anomaly status: production -description: This search detects instances where a user attempts to access an Okta application that has not been assigned to them. Such unauthorized access to applications poses a significant security risk, potentially leading to the exposure of sensitive information, disruption of services, and breaches of data protection laws. Ensuring that only authorized users have access to applications is crucial for maintaining a secure and compliant IT environment. -search: '| tstats values(Authentication.app) as app values(Authentication.action) as action values(Authentication.user) as user values(Authentication.reason) as reason from datamodel=Authentication where Authentication.signature=app.generic.unauth_app_access_attempt Authentication.action="failure" by _time Authentication.src Authentication.user - | `drop_dm_object_name("Authentication")` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | iplocation src | `okta_unauthorized_access_to_application_filter`' -how_to_implement: This detection utilizes logs from Okta Identity Management (IM) environments and requires the ingestion of OktaIm2 logs through the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). -known_false_positives: There is a possibility that a user may accidentally click on the wrong application, which could trigger this event. It is advisable to verify the location from which this activity originates. +description: The following analytic identifies attempts by users to access Okta applications + that have not been assigned to them. It leverages Okta Identity Management logs, + specifically focusing on failed access attempts to unassigned applications. This + activity is significant for a SOC as it may indicate potential unauthorized access + attempts, which could lead to exposure of sensitive information or disruption of + services. If confirmed malicious, such activity could result in data breaches, non-compliance + with data protection laws, and overall compromise of the IT environment. +search: '| tstats values(Authentication.app) as app values(Authentication.action) + as action values(Authentication.user) as user values(Authentication.reason) as reason + from datamodel=Authentication where Authentication.signature=app.generic.unauth_app_access_attempt + Authentication.action="failure" by _time Authentication.src Authentication.user + | `drop_dm_object_name("Authentication")` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | iplocation src | `okta_unauthorized_access_to_application_filter`' +how_to_implement: This detection utilizes logs from Okta Identity Management (IM) + environments and requires the ingestion of OktaIm2 logs through the Splunk Add-on + for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). +known_false_positives: There is a possibility that a user may accidentally click on + the wrong application, which could trigger this event. It is advisable to verify + the location from which this activity originates. references: - https://attack.mitre.org/techniques/T1110/003/ tags: @@ -22,7 +33,8 @@ tags: asset_type: Okta Tenant confidence: 90 impact: 90 - message: A user [$user$] is attempting to access an unauthorized application from IP Address - [$src$] + message: A user [$user$] is attempting to access an unauthorized application from + IP Address - [$src$] mitre_attack_id: - T1087.004 observable: @@ -53,6 +65,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.004/okta_unauth_access/okta_unauth_access.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.004/okta_unauth_access/okta_unauth_access.log source: Okta - sourcetype: OktaIM2:log \ No newline at end of file + sourcetype: OktaIM2:log diff --git a/detections/application/okta_user_logins_from_multiple_cities.yml b/detections/application/okta_user_logins_from_multiple_cities.yml index 68549fb6a6..adefdd2cae 100644 --- a/detections/application/okta_user_logins_from_multiple_cities.yml +++ b/detections/application/okta_user_logins_from_multiple_cities.yml @@ -1,21 +1,34 @@ name: Okta User Logins from Multiple Cities id: a3d1df37-c2a9-41d0-aa8f-59f82d6192a8 -version: 1 -date: '2024-03-07' +version: 2 +date: '2024-05-09' author: 'Bhavin Patel, Splunk' data_source: [] type: Anomaly status: production -description: This search identifies instances where the same user logs in from different cities within a 24-hour period, potentially indicating a compromised account. Such behavior may be indicative of an attacker attempting to gain unauthorized access to an Okta account from multiple locations. Investigating and responding to such incidents promptly is crucial to prevent account takeovers and data breaches. -search: '| tstats `security_content_summariesonly` values(Authentication.app) as app values(Authentication.action) as action values(Authentication.user) as user values(Authentication.reason) as reason values(Authentication.dest) as dest values(Authentication.signature) as signature values(Authentication.method) as method from datamodel=Authentication where Authentication.signature=user.session.start by _time Authentication.src - | `drop_dm_object_name("Authentication")` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | iplocation src - | stats count min(_time) as firstTime max(_time) as lastTime dc(src) as distinct_src dc(City) as distinct_city values(src) as src values(City) as City values(Country) as Country values(action) as action by user - | where distinct_city > 1 | `okta_user_logins_from_multiple_cities_filter`' -how_to_implement: This detection utilizes logs from Okta Identity Management (IM) environments. It requires the ingestion of OktaIm2 logs through the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). -known_false_positives: It is uncommon for a user to log in from multiple cities simultaneously, which may indicate a false positive. +description: The following analytic identifies instances where the same Okta user + logs in from different cities within a 24-hour period. This detection leverages + Okta Identity Management logs, analyzing login events and their geographic locations. + Such behavior is significant as it may indicate a compromised account, with an attacker + attempting unauthorized access from multiple locations. If confirmed malicious, + this activity could lead to account takeovers and data breaches, allowing attackers + to access sensitive information and potentially escalate their privileges within + the environment. +search: '| tstats `security_content_summariesonly` values(Authentication.app) as + app values(Authentication.action) as action values(Authentication.user) as user + values(Authentication.reason) as reason values(Authentication.dest) as dest values(Authentication.signature) + as signature values(Authentication.method) as method from datamodel=Authentication + where Authentication.signature=user.session.start by _time Authentication.src | + `drop_dm_object_name("Authentication")` | `security_content_ctime(firstTime)` | + `security_content_ctime(lastTime)` | iplocation src | stats count min(_time) as + firstTime max(_time) as lastTime dc(src) as distinct_src dc(City) as distinct_city + values(src) as src values(City) as City values(Country) as Country values(action) + as action by user | where distinct_city > 1 | `okta_user_logins_from_multiple_cities_filter`' +how_to_implement: This detection utilizes logs from Okta Identity Management (IM) + environments. It requires the ingestion of OktaIm2 logs through the Splunk Add-on + for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). +known_false_positives: It is uncommon for a user to log in from multiple cities simultaneously, + which may indicate a false positive. references: - https://attack.mitre.org/techniques/T1110/003/ tags: @@ -24,7 +37,8 @@ tags: asset_type: Okta Tenant confidence: 90 impact: 90 - message: A user [$user$] has logged in from multiple cities [$City$] from IP Address - [$src$]. Investigate further to determine if this was authorized. + message: A user [$user$] has logged in from multiple cities [$City$] from IP Address + - [$src$]. Investigate further to determine if this was authorized. mitre_attack_id: - T1586.003 observable: @@ -55,6 +69,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1586.003/okta_multiple_city/okta_multiple_city_im2.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1586.003/okta_multiple_city/okta_multiple_city_im2.log source: Okta - sourcetype: OktaIM2:log \ No newline at end of file + sourcetype: OktaIM2:log diff --git a/detections/application/path_traversal_spl_injection.yml b/detections/application/path_traversal_spl_injection.yml index e0baa0efff..7f112a5d53 100644 --- a/detections/application/path_traversal_spl_injection.yml +++ b/detections/application/path_traversal_spl_injection.yml @@ -1,15 +1,19 @@ name: Path traversal SPL injection id: dfe55688-82ed-4d24-a21b-ed8f0e0fda99 -version: 2 -date: '2024-03-19' +version: 3 +date: '2024-05-26' author: Rod Soto, Splunk status: production type: TTP -description: On May 3rd, 2022, Splunk published a security advisory for a Path traversal - in search parameter that can potentiall allow SPL injection. An attacker can cause - the application to load data from incorrect endpoints, urls leading to outcomes - such as running arbitrary SPL queries. -data_source: +description: The following analytic identifies attempts at path traversal in search + parameters, which can lead to SPL injection. It detects this activity by searching + for specific patterns in the `_internal` index that indicate path traversal attempts + (e.g., "../../../../"). This activity is significant for a SOC because it can allow + an attacker to manipulate the application to load data from incorrect endpoints, + potentially running arbitrary SPL queries. If confirmed malicious, this could lead + to unauthorized data access, code execution, or further exploitation of the Splunk + environment. +data_source: - Splunk search: ' `path_traversal_spl_injection` | search "\/..\/..\/..\/..\/..\/..\/..\/..\/..\/" | stats count by host status clientip method uri_path uri_query | `path_traversal_spl_injection_filter`' @@ -57,7 +61,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1083/splunk/path_traversal_spl_injection.txt + - data: + https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1083/splunk/path_traversal_spl_injection.txt source: splunkd_ui_access.log sourcetype: splunkd_ui_access custom_index: _internal diff --git a/detections/application/persistent_xss_in_rapiddiag_through_user_interface_views.yml b/detections/application/persistent_xss_in_rapiddiag_through_user_interface_views.yml index 7de1a67049..8b68f351f7 100644 --- a/detections/application/persistent_xss_in_rapiddiag_through_user_interface_views.yml +++ b/detections/application/persistent_xss_in_rapiddiag_through_user_interface_views.yml @@ -1,57 +1,68 @@ name: Persistent XSS in RapidDiag through User Interface Views id: ce6e1268-e01c-4df2-a617-0f034ed49a43 -version: 1 -date: "2023-02-14" +version: 2 +date: "2024-05-24" author: Rod Soto, Splunk type: TTP status: production -data_source: +data_source: - Splunk -description: In Splunk Enterprise 9.0 versions before 9.0.4, a View allows for Cross-Site Scripting through the error message in a Base64-encoded image. The vulnerability affects instances with Splunk Web enabled. It does not affect Splunk Enterprise versions below 9.0. This search provides information on what user may have potentially added a malicious payload and what users were exposed to it. -search: - "`audit_searches` path=/opt/splunk/etc/users/*/search/local/data/ui/views/* +description: The following analytic identifies potential persistent Cross-Site Scripting + (XSS) attacks in Splunk Enterprise 9.0 versions before 9.0.4 through user interface + views. It leverages audit logs from the `audit_searches` data source to detect actions + involving Base64-encoded images in error messages. This activity is significant + because it can allow attackers to inject malicious scripts that execute in the context + of other users, leading to unauthorized actions or data exposure. If confirmed malicious, + this could result in persistent control over the affected Splunk instance, compromising + its integrity and confidentiality. +search: "`audit_searches` path=/opt/splunk/etc/users/*/search/local/data/ui/views/* action=* |table user action roles info roles path | dedup user action | `persistent_xss_in_rapiddiag_through_user_interface_views_filter`" -how_to_implement: This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index -known_false_positives: This is a hunting search, it will not deobfuscate base64 payload, it provides however it will provide what user added the view artifact and what user opened it. It will require further investigation based on the information presented by this hunting search. +how_to_implement: This detection does not require you to ingest any new data. The + detection does require the ability to search the _internal index +known_false_positives: This is a hunting search, it will not deobfuscate base64 payload, + it provides however it will provide what user added the view artifact and what user + opened it. It will require further investigation based on the information presented + by this hunting search. references: - - https://www.splunk.com/en_us/product-security.html +- https://www.splunk.com/en_us/product-security.html tags: analytic_story: - - Splunk Vulnerabilities + - Splunk Vulnerabilities asset_type: Endpoint cve: - - CVE-2023-22932 + - CVE-2023-22932 confidence: 50 context: - - Source:Endpoint + - Source:Endpoint dataset: - - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1189/splunk/splunk_persistent_xss_in_rapiddiag_through_user_interface_views_data.log + - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1189/splunk/splunk_persistent_xss_in_rapiddiag_through_user_interface_views_data.log impact: 50 message: A potential XSS attempt has been detected from $user$ mitre_attack_id: - - T1189 + - T1189 observable: - - name: user - type: User - role: - - Victim + - name: user + type: User + role: + - Victim product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud required_fields: - - user - - action - - roles - - info - - roles - - path + - user + - action + - roles + - info + - roles + - path risk_score: 25 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1189/splunk/splunk_persistent_xss_in_rapiddiag_through_user_interface_views_data.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1189/splunk/splunk_persistent_xss_in_rapiddiag_through_user_interface_views_data.log source: audittrail sourcetype: audittrail - custom_index: _audit \ No newline at end of file + custom_index: _audit diff --git a/detections/application/pingid_mismatch_auth_source_and_verification_response.yml b/detections/application/pingid_mismatch_auth_source_and_verification_response.yml index 9488771f5f..19b718cce0 100644 --- a/detections/application/pingid_mismatch_auth_source_and_verification_response.yml +++ b/detections/application/pingid_mismatch_auth_source_and_verification_response.yml @@ -1,17 +1,42 @@ name: PingID Mismatch Auth Source and Verification Response id: 15b0694e-caa2-4009-8d83-a1f98b86d086 -version: 1 -date: '2023-09-26' +version: 2 +date: '2024-05-22' author: Steven Dick status: production type: TTP -description: The following analytic identifies variations in the authentication event IP address versus the verification response event IP address to identify suspicious sign-in behavior. Currently this detection is configured to identify when the originating country of an authentication request is different than the verification country. +description: The following analytic identifies discrepancies between the IP address + of an authentication event and the IP address of the verification response event, + focusing on differences in the originating countries. It leverages JSON logs from + PingID, comparing the 'auth_Country' and 'verify_Country' fields. This activity + is significant as it may indicate suspicious sign-in behavior, such as account compromise + or unauthorized access attempts. If confirmed malicious, this could allow attackers + to bypass authentication mechanisms, potentially leading to unauthorized access + to sensitive systems and data. data_source: - PingID search: >- - `pingid` ("result.status" IN ("SUCCESS*","FAIL*","UNSUCCESSFUL*") NOT "result.message" IN ("*pair*","*create*","*delete*")) | eval user = upper('actors{}.name'), session_id = 'resources{}.websession', dest = 'resources{}.ipaddress', reason = 'result.message', object = 'resources{}.devicemodel', status = 'result.status' | join user session_id [ search `pingid` ("result.status" IN ("POLICY") AND "resources{}.ipaddress"=*) AND "result.message" IN("*Action: Authenticate*","*Action: Approve*","*Action: Allowed*") | rex field=result.message "IP Address: (?:N\/A)?(?.+)?\n" | rex field=result.message "Action: (?:N\/A)?(?.+)?\n" | rex field=result.message "Requested Application Name: (?:N\/A)?(?.+)?\n" | rex field=result.message "Requested Application ID: (?:N\/A)?(?.+)?\n" | eval user = upper('actors{}.name'), session_id = 'resources{}.websession', src = coalesce('resources{}.ipaddress',policy_ipaddress), app = coalesce(Requested_Application_ID,Requested_Application_Name) | fields app, user, session_id, src, signature ] | iplocation prefix=auth_ dest | iplocation prefix=verify_ src | stats count min(_time) as firstTime max(_time) as lastTime values(app) as app values(session_id) as session_id by user, dest, auth_Country, src, verify_Country, object, signature, status, reason | where auth_Country != verify_Country | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `pingid_mismatch_auth_source_and_verification_response_filter` -how_to_implement: Target environment must ingest JSON logging from a PingID(PingOne) enterprise environment, either via Webhook or Push Subscription. -known_false_positives: False positives may be generated by users working out the geographic region where the organizations services or technology is hosted. + `pingid` ("result.status" IN ("SUCCESS*","FAIL*","UNSUCCESSFUL*") NOT "result.message" + IN ("*pair*","*create*","*delete*")) | eval user = upper('actors{}.name'), session_id + = 'resources{}.websession', dest = 'resources{}.ipaddress', reason = 'result.message', + object = 'resources{}.devicemodel', status = 'result.status' | join user session_id + [ search `pingid` ("result.status" IN ("POLICY") AND "resources{}.ipaddress"=*) + AND "result.message" IN("*Action: Authenticate*","*Action: Approve*","*Action: Allowed*") + | rex field=result.message "IP Address: (?:N\/A)?(?.+)?\n" | rex + field=result.message "Action: (?:N\/A)?(?.+)?\n" | rex field=result.message + "Requested Application Name: (?:N\/A)?(?.+)?\n" | rex + field=result.message "Requested Application ID: (?:N\/A)?(?.+)?\n" + | eval user = upper('actors{}.name'), session_id = 'resources{}.websession', src + = coalesce('resources{}.ipaddress',policy_ipaddress), app = coalesce(Requested_Application_ID,Requested_Application_Name) + | fields app, user, session_id, src, signature ] | iplocation prefix=auth_ dest + | iplocation prefix=verify_ src | stats count min(_time) as firstTime max(_time) + as lastTime values(app) as app values(session_id) as session_id by user, dest, auth_Country, + src, verify_Country, object, signature, status, reason | where auth_Country != verify_Country + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `pingid_mismatch_auth_source_and_verification_response_filter` +how_to_implement: Target environment must ingest JSON logging from a PingID(PingOne) + enterprise environment, either via Webhook or Push Subscription. +known_false_positives: False positives may be generated by users working out the geographic + region where the organizations services or technology is hosted. references: - https://twitter.com/jhencinski/status/1618660062352007174 - https://attack.mitre.org/techniques/T1098/005/ @@ -23,7 +48,8 @@ tags: asset_type: Identity confidence: 50 impact: 50 - message: An authentication by [$user$] was detected from [$dest$ - $auth_Country$] and the verification was received from [$src$ - $verify_Country$]. + message: An authentication by [$user$] was detected from [$dest$ - $auth_Country$] + and the verification was received from [$src$ - $verify_Country$]. mitre_attack_id: - T1621 - T1556.006 @@ -58,7 +84,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/pingid/pingid.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/pingid/pingid.log source: PINGID sourcetype: _json - update_timestamp: true \ No newline at end of file + update_timestamp: true diff --git a/detections/application/pingid_multiple_failed_mfa_requests_for_user.yml b/detections/application/pingid_multiple_failed_mfa_requests_for_user.yml index 972f5f09c0..495f695cde 100644 --- a/detections/application/pingid_multiple_failed_mfa_requests_for_user.yml +++ b/detections/application/pingid_multiple_failed_mfa_requests_for_user.yml @@ -1,17 +1,30 @@ name: PingID Multiple Failed MFA Requests For User id: c1bc706a-0025-4814-ad30-288f38865036 -version: 1 -date: '2023-09-26' +version: 2 +date: '2024-05-29' author: Steven Dick status: production type: TTP -description: The following analytic identifies multiple failed multi-factor authentication requests for a single user within a PingID (PingOne) environment. Specifically, the analytic triggers when 10 or more MFA user prompts fail within 10 minutes. PingID environments can be very different depending on the organization, Security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls as reported by Mandiant and others. +description: The following analytic identifies multiple failed multi-factor authentication + (MFA) requests for a single user within a PingID environment. It triggers when 10 + or more MFA prompts fail within 10 minutes, using JSON logs from PingID. This activity + is significant as it may indicate an adversary attempting to bypass MFA by bombarding + the user with repeated authentication requests. If confirmed malicious, this could + lead to unauthorized access, as the user might eventually accept the fraudulent + request, compromising the security of the account and potentially the entire network. data_source: - PingID search: >- - `pingid` "result.status" IN ("FAILURE,authFail","UNSUCCESSFUL_ATTEMPT") | eval time = _time, src = coalesce('resources{}.ipaddress','resources{}.devicemodel'), user = upper('actors{}.name'), object = 'resources{}.devicemodel', reason = 'result.message'| bucket span=10m _time | stats dc(_raw) AS mfa_prompts min(time) as firstTime, max(time) as lastTime values(src) as src by user, reason, _time | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | where mfa_prompts >= 10 | `pingid_multiple_failed_mfa_requests_for_user_filter` -how_to_implement: Target environment must ingest JSON logging from a PingID(PingOne) enterprise environment, either via Webhook or Push Subscription. -known_false_positives: False positives may be generated by normal provisioning workflows for user device registration. + `pingid` "result.status" IN ("FAILURE,authFail","UNSUCCESSFUL_ATTEMPT") | eval time + = _time, src = coalesce('resources{}.ipaddress','resources{}.devicemodel'), user + = upper('actors{}.name'), object = 'resources{}.devicemodel', reason = 'result.message'| + bucket span=10m _time | stats dc(_raw) AS mfa_prompts min(time) as firstTime, max(time) + as lastTime values(src) as src by user, reason, _time | `security_content_ctime(firstTime)`| + `security_content_ctime(lastTime)` | where mfa_prompts >= 10 | `pingid_multiple_failed_mfa_requests_for_user_filter` +how_to_implement: Target environment must ingest JSON logging from a PingID(PingOne) + enterprise environment, either via Webhook or Push Subscription. +known_false_positives: False positives may be generated by normal provisioning workflows + for user device registration. references: - https://therecord.media/russian-hackers-bypass-2fa-by-annoying-victims-with-repeated-push-notifications/ - https://attack.mitre.org/techniques/T1621/ @@ -24,7 +37,8 @@ tags: asset_type: Identity confidence: 50 impact: 100 - message: Multiple Failed MFA requests $mfa_prompts$ for user $user$ between $firstTime$ and $lastTime$. + message: Multiple Failed MFA requests $mfa_prompts$ for user $user$ between $firstTime$ + and $lastTime$. mitre_attack_id: - T1621 - T1078 @@ -48,8 +62,9 @@ tags: risk_score: 50 security_domain: access tests: - - name: True Positive Test - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/pingid/pingid.log - source: PINGID - sourcetype: _json \ No newline at end of file +- name: True Positive Test + attack_data: + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/pingid/pingid.log + source: PINGID + sourcetype: _json diff --git a/detections/application/pingid_new_mfa_method_after_credential_reset.yml b/detections/application/pingid_new_mfa_method_after_credential_reset.yml index 5a13b6e9f1..58957a5efe 100644 --- a/detections/application/pingid_new_mfa_method_after_credential_reset.yml +++ b/detections/application/pingid_new_mfa_method_after_credential_reset.yml @@ -1,17 +1,39 @@ name: PingID New MFA Method After Credential Reset id: 2fcbce12-cffa-4c84-b70c-192604d201d0 -version: 1 -date: '2023-09-26' +version: 2 +date: '2024-05-21' author: Steven Dick status: production type: TTP -description: A common social engineering technique used by threat actors is the impersonation of a valid user to organizational support staff for a password reset. During the same support call or quickly afterwards the threat actor will request provisioning of a new MFA device. This does not require malware or phishing infrastructure and has proven to be successful in numerous historical attacks. This detection looks for the pattern of password reset, followed by MFA device provisioning. +description: The following analytic identifies the provisioning of a new MFA device + shortly after a password reset. It detects this activity by correlating Windows + Event Log events for password changes (EventID 4723, 4724) with PingID logs indicating + device pairing. This behavior is significant as it may indicate a social engineering + attack where a threat actor impersonates a valid user to reset credentials and add + a new MFA device. If confirmed malicious, this activity could allow an attacker + to gain persistent access to the compromised account, bypassing traditional security + measures. data_source: - PingID search: >- - `pingid` "result.message" = "*Device Paired*" | rex field=result.message "Device (Unp)?(P)?aired (?.+)" | eval src = coalesce('resources{}.ipaddress','resources{}.devicemodel'), user = upper('actors{}.name'), reason = 'result.message' | eval object=CASE(ISNOTNULL('resources{}.devicemodel'),'resources{}.devicemodel',true(),device_extract) | eval action=CASE(match('result.message',"Device Paired*"),"created",match('result.message', "Device Unpaired*"),"deleted") | stats count min(_time) as firstTime, max(_time) as lastTime, values(reason) as reason by src,user,action,object | join type=outer user [| search `wineventlog_security` EventID IN(4723,4724) | eval PW_Change_Time = _time, user = upper(user) | fields user,src_user,EventID,PW_Change_Time] | eval timeDiffRaw = round(lastTime - PW_Change_Time) | eval timeDiff = replace(tostring(abs(timeDiffRaw) ,"duration"),"(\d*)\+*(\d+):(\d+):(\d+)","\2 hours \3 minutes") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `security_content_ctime(PW_Change_Time)` | where timeDiffRaw > 0 AND timeDiffRaw < 3600 | `pingid_new_mfa_method_after_credential_reset_filter` -how_to_implement: Target environment must ingest Windows Event Log and PingID(PingOne) data sources. Specifically from logs from Active Directory Domain Controllers and JSON logging from a PingID(PingOne) enterprise environment, either via Webhook or Push Subscription. -known_false_positives: False positives may be generated by normal provisioning workflows that generate a password reset followed by a device registration. + `pingid` "result.message" = "*Device Paired*" | rex field=result.message "Device + (Unp)?(P)?aired (?.+)" | eval src = coalesce('resources{}.ipaddress','resources{}.devicemodel'), + user = upper('actors{}.name'), reason = 'result.message' | eval object=CASE(ISNOTNULL('resources{}.devicemodel'),'resources{}.devicemodel',true(),device_extract) + | eval action=CASE(match('result.message',"Device Paired*"),"created",match('result.message', + "Device Unpaired*"),"deleted") | stats count min(_time) as firstTime, max(_time) + as lastTime, values(reason) as reason by src,user,action,object | join type=outer + user [| search `wineventlog_security` EventID IN(4723,4724) | eval PW_Change_Time + = _time, user = upper(user) | fields user,src_user,EventID,PW_Change_Time] | eval + timeDiffRaw = round(lastTime - PW_Change_Time) | eval timeDiff = replace(tostring(abs(timeDiffRaw) + ,"duration"),"(\d*)\+*(\d+):(\d+):(\d+)","\2 hours \3 minutes") | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `security_content_ctime(PW_Change_Time)` + | where timeDiffRaw > 0 AND timeDiffRaw < 3600 | `pingid_new_mfa_method_after_credential_reset_filter` +how_to_implement: Target environment must ingest Windows Event Log and PingID(PingOne) + data sources. Specifically from logs from Active Directory Domain Controllers and + JSON logging from a PingID(PingOne) enterprise environment, either via Webhook or + Push Subscription. +known_false_positives: False positives may be generated by normal provisioning workflows + that generate a password reset followed by a device registration. references: - https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/defend-your-users-from-mfa-fatigue-attacks/ba-p/2365677 - https://www.bleepingcomputer.com/news/security/mfa-fatigue-hackers-new-favorite-tactic-in-high-profile-breaches/ @@ -24,11 +46,12 @@ tags: asset_type: Identity confidence: 50 impact: 100 - message: An MFA configuration change was detected for [$user$] within [$timeDiff$] of a password reset. The device [$object$] was $action$. + message: An MFA configuration change was detected for [$user$] within [$timeDiff$] + of a password reset. The device [$object$] was $action$. mitre_attack_id: - T1621 - T1556.006 - - T1098.005 + - T1098.005 observable: - name: user type: User @@ -57,9 +80,11 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/pingid/windows_pw_reset.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/pingid/windows_pw_reset.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/pingid/pingid.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/pingid/pingid.log source: PINGID - sourcetype: _json \ No newline at end of file + sourcetype: _json diff --git a/detections/application/splunk_account_discovery_drilldown_dashboard_disclosure.yml b/detections/application/splunk_account_discovery_drilldown_dashboard_disclosure.yml index 621904fb05..6ccf92f332 100644 --- a/detections/application/splunk_account_discovery_drilldown_dashboard_disclosure.yml +++ b/detections/application/splunk_account_discovery_drilldown_dashboard_disclosure.yml @@ -1,14 +1,17 @@ name: Splunk Account Discovery Drilldown Dashboard Disclosure id: f844c3f6-fd99-43a2-ba24-93e35fe84be6 -version: 1 -date: '2022-08-02' +version: 2 +date: '2024-05-15' author: Marissa Bower, Rod Soto, Splunk status: experimental type: TTP -description: Splunk drilldown vulnerability disclosure in Dashboard application that - can potentially allow exposure of tokens from privilege users. An attacker can create - dashboard and share it to privileged user (admin) and detokenize variables using - external urls within dashboards drilldown function. +description: The following analytic identifies the presence of environment variables + in Splunk dashboard drilldown URLs. It uses the REST API to query dashboards for + specific patterns in the XML data. This activity is significant because it can expose + sensitive tokens from privileged users if an attacker shares a malicious dashboard. + If confirmed malicious, this could allow an attacker to detokenize variables and + potentially gain unauthorized access to sensitive information or escalate privileges + within the Splunk environment. data_source: [] search: '| rest splunk_server=local /servicesNS/-/-/data/ui/views | search eai:data="*$env:*" eai:data="*url*" eai:data="*options*" | rename author AS Author eai:acl.sharing diff --git a/detections/application/splunk_authentication_token_exposure_in_debug_log.yml b/detections/application/splunk_authentication_token_exposure_in_debug_log.yml index 04954050ca..fa004a85b2 100644 --- a/detections/application/splunk_authentication_token_exposure_in_debug_log.yml +++ b/detections/application/splunk_authentication_token_exposure_in_debug_log.yml @@ -1,21 +1,28 @@ name: Splunk Authentication Token Exposure in Debug Log id: 9a67e749-d291-40dd-8376-d422e7ecf8b5 -version: 1 -date: '2024-03-18' +version: 2 +date: '2024-05-25' author: Rod Soto, Chase Franklin type: TTP status: production data_source: [] -description: This detection search finds exposed authentication tokens in debug logs. This issue occurs in Splunk Enterprise versions below 9.2.1, 9.1.4, and 9.0.9, which may be affected by a vulnerability where JsonWebTokens can be exposed if the log level is set to DEBUG. -search: '`splunkd` component=JsonWebToken log_level=DEBUG eventtype="splunkd-log" event_message="Validating token:*" - | rex "Validating token: (?.*)\.$" - | search token!=None - | stats count min(_time) as firstTime max(_time) as lastTime values(log_level) as log_level values(event_message) as event_message by index, sourcetype, host, token - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +description: The following analytic identifies exposed authentication tokens in debug + logs within Splunk Enterprise. It leverages logs from the `splunkd` component with + a DEBUG log level, specifically searching for event messages that validate tokens. + This activity is significant because exposed tokens can be exploited by attackers + to gain unauthorized access to the Splunk environment. If confirmed malicious, this + exposure could lead to unauthorized data access, privilege escalation, and potential + compromise of the entire Splunk infrastructure. Monitoring and addressing this vulnerability + is crucial for maintaining the security and integrity of the Splunk deployment. +search: '`splunkd` component=JsonWebToken log_level=DEBUG eventtype="splunkd-log" + event_message="Validating token:*" | rex "Validating token: (?.*)\.$" | search + token!=None | stats count min(_time) as firstTime max(_time) as lastTime values(log_level) + as log_level values(event_message) as event_message by index, sourcetype, host, + token | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_authentication_token_exposure_in_debug_log_filter`' -how_to_implement: Requires access to internal Splunk indexes. -known_false_positives: Only applies to affected versions of Splunk Enterprise below 9.2.1, 9.1.4, and 9.0.9 +how_to_implement: Requires access to internal Splunk indexes. +known_false_positives: Only applies to affected versions of Splunk Enterprise below + 9.2.1, 9.1.4, and 9.0.9 references: - https://advisory.splunk.com/advisories/SVD-2024-0301 tags: @@ -41,14 +48,15 @@ tags: - component - log_level - eventtype - - event_message + - event_message - host risk_score: 50 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1654/splunk/jsonwebtokenplaintokensvd_splunkd.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1654/splunk/jsonwebtokenplaintokensvd_splunkd.log source: /opt/splunk/var/log/splunk/splunkd.log sourcetype: splunkd custom_index: _internal diff --git a/detections/application/splunk_code_injection_via_custom_dashboard_leading_to_rce.yml b/detections/application/splunk_code_injection_via_custom_dashboard_leading_to_rce.yml index d65a5a89e0..5911352019 100644 --- a/detections/application/splunk_code_injection_via_custom_dashboard_leading_to_rce.yml +++ b/detections/application/splunk_code_injection_via_custom_dashboard_leading_to_rce.yml @@ -1,14 +1,18 @@ name: Splunk Code Injection via custom dashboard leading to RCE id: b06b41d7-9570-4985-8137-0784f582a1b3 -version: 1 -date: '2022-10-11' +version: 2 +date: '2024-05-24' author: Rod Soto status: experimental type: Hunting -description: This hunting search provides information about a vulnerability in Splunk - Enterprise versions below 8.2.9, 8.1.12, 9.0.2, where an authenticated user can - execute arbitrary code via the dashboard pdf generation component. Please review - events with file=export in the _internal index for the potential targets of exploitation. +description: The following analytic identifies attempts to exploit a vulnerability + in Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, where an authenticated + user can execute arbitrary code via the dashboard PDF generation component. It detects + this activity by analyzing events in the _internal index with the file=export parameter. + This behavior is significant because it indicates a potential code injection attack, + which could lead to remote code execution (RCE). If confirmed malicious, an attacker + could gain unauthorized access, execute arbitrary commands, and potentially compromise + the entire Splunk environment. data_source: [] search: '`splunkd_ui` uri_path=*/data/ui/views/* OR uri_path=*saved/searches/* | dedup uri_path | eval URL=urldecode("uri_path")| rex field=URL "\/saved\/searches\/(?[^\/]*)" @@ -56,7 +60,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1210/splunk/splunk_code_injection_via_custom_dashboard_leading_to_rce.txt + - data: + https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1210/splunk/splunk_code_injection_via_custom_dashboard_leading_to_rce.txt source: /opt/splunk/var/log/splunk/splunkd_ui_access.log sourcetype: splunkd_ui_access custom_index: _internal diff --git a/detections/application/splunk_command_and_scripting_interpreter_delete_usage.yml b/detections/application/splunk_command_and_scripting_interpreter_delete_usage.yml index c840f4d69c..4398016fff 100644 --- a/detections/application/splunk_command_and_scripting_interpreter_delete_usage.yml +++ b/detections/application/splunk_command_and_scripting_interpreter_delete_usage.yml @@ -1,15 +1,19 @@ name: Splunk Command and Scripting Interpreter Delete Usage id: 8d3d5d5e-ca43-42be-aa1f-bc64375f6b04 -version: 1 -date: '2022-05-27' +version: 2 +date: '2024-05-21' author: Michael Haag, Splunk status: production type: Anomaly -description: The following analytic identifies the use of the risky command - Delete - - that may be utilized in Splunk to delete some or all data queried for. In order - to use Delete in Splunk, one must be assigned the role. This is typically not used - and should generate an anomaly if it is used. -data_source: +description: The following analytic detects the use of the 'delete' command in Splunk, + which can be used to remove queried data. This detection leverages the Splunk Audit + data model, specifically monitoring ad-hoc searches containing the 'delete' command + by non-system users. This activity is significant because the 'delete' command is + rarely used and can indicate potential data tampering or unauthorized data removal. + If confirmed malicious, this activity could lead to the loss of critical log data, + hindering incident investigations and compromising the integrity of the monitoring + environment. +data_source: - Splunk search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Splunk_Audit.Search_Activity where Search_Activity.search @@ -59,7 +63,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1213/audittrail/audittrail.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1213/audittrail/audittrail.log source: audittrail sourcetype: audittrail update_timestamp: true diff --git a/detections/application/splunk_command_and_scripting_interpreter_risky_commands.yml b/detections/application/splunk_command_and_scripting_interpreter_risky_commands.yml index 142c4bf3d0..07ce527149 100644 --- a/detections/application/splunk_command_and_scripting_interpreter_risky_commands.yml +++ b/detections/application/splunk_command_and_scripting_interpreter_risky_commands.yml @@ -1,30 +1,19 @@ name: Splunk Command and Scripting Interpreter Risky Commands id: 1cf58ae1-9177-40b8-a26c-8966040f11ae -version: 1 -date: '2022-05-23' +version: 2 +date: '2024-05-19' author: Michael Haag, Splunk status: production type: Hunting -description: The Splunk platform contains built-in search processing language (SPL) - safeguards to warn you when you are about to unknowingly run a search that contains - commands that might be a security risk. This warning appears when you click a link - or type a URL that loads a search that contains risky commands. The warning does - not appear when you create ad hoc searches. This warning alerts you to the possibility - of unauthorized actions by a malicious user. Unauthorized actions include - Copying - or transferring data (data exfiltration), Deleting data and Overwriting data. All - risky commands may be found here https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards#Commands_that_trigger_the_warninga. - A possible scenario when this might occur is when a malicious actor creates a search - that includes commands that exfiltrate or damage data. The malicious actor then - sends an unsuspecting user a link to the search. The URL contains a query string - (q) and a search identifier (sid), but the sid is not valid. The malicious actor - hopes the user will use the link and the search will run. During analysis, pivot - based on user name and filter any user or queries not needed. Queries ran from a - dashboard are seen as adhoc queries. When a query runs from a dashboard it will - not show in audittrail logs the source dashboard name. The query defaults to adhoc - and no Splunk system user activity. In addition, modify this query by removing key - commands that generate too much noise, or too little, and create separate queries - with higher confidence to alert on. -data_source: +description: The following analytic identifies the execution of risky commands within + the Splunk platform, such as `runshellscript`, `delete`, and `sendemail`. It leverages + the Search_Activity data model to detect ad hoc searches containing these commands, + excluding those run by the splunk-system-user. This activity is significant because + it may indicate attempts at data exfiltration, deletion, or other unauthorized actions + by a malicious user. If confirmed malicious, this could lead to data loss, unauthorized + data transfer, or system compromise, severely impacting the organization's security + posture. +data_source: - Splunk search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Splunk_Audit.Search_Activity where Search_Activity.search @@ -84,7 +73,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1213/audittrail/audittrail.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1213/audittrail/audittrail.log source: audittrail sourcetype: audittrail update_timestamp: true diff --git a/detections/application/splunk_command_and_scripting_interpreter_risky_spl_mltk.yml b/detections/application/splunk_command_and_scripting_interpreter_risky_spl_mltk.yml index 2451dbadf5..cfaee91656 100644 --- a/detections/application/splunk_command_and_scripting_interpreter_risky_spl_mltk.yml +++ b/detections/application/splunk_command_and_scripting_interpreter_risky_spl_mltk.yml @@ -1,18 +1,19 @@ name: Splunk Command and Scripting Interpreter Risky SPL MLTK id: 19d0146c-2eae-4e53-8d39-1198a78fa9ca -version: 1 -date: '2022-05-27' +version: 2 +date: '2024-05-15' author: Abhinav Mishra, Kumar Sharad and Xiao Lin, Splunk status: production type: Anomaly -description: This detection utilizes machine learning model named "risky_command_abuse" - trained from "Splunk Command and Scripting Interpreter Risky SPL MLTK Baseline". - It should be scheduled to run hourly to detect whether a user has run searches containing - risky SPL from this list https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards#Commands_that_trigger_the_warninga - with abnormally long running time in the past one hour, comparing with his/her past - seven days history. This search uses the trained baseline to infer whether a search - is an outlier (isOutlier ~= 1.0) or not (isOutlier~= 0.0) -data_source: +description: The following analytic identifies the execution of risky SPL commands + with abnormally long run times by leveraging a machine learning model named "risky_command_abuse." + It uses the Splunk Audit data model to compare current search activities against + a baseline of the past seven days. This activity is significant for a SOC as it + can indicate potential misuse or abuse of powerful SPL commands, which could lead + to unauthorized data access or system manipulation. If confirmed malicious, this + activity could allow an attacker to execute arbitrary scripts, delete data, or exfiltrate + sensitive information. +data_source: - Splunk search: '| tstats sum(Search_Activity.total_run_time) AS run_time, values(Search_Activity.search) as searches, count FROM datamodel=Splunk_Audit.Search_Activity WHERE (Search_Activity.user!="") @@ -65,7 +66,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://github.com/splunk/attack_data/raw/master/datasets/attack_techniques/T1203/search_activity.txt + - data: + https://github.com/splunk/attack_data/raw/master/datasets/attack_techniques/T1203/search_activity.txt source: audittrail sourcetype: audittrail update_timestamp: true diff --git a/detections/application/splunk_csrf_in_the_ssg_kvstore_client_endpoint.yml b/detections/application/splunk_csrf_in_the_ssg_kvstore_client_endpoint.yml index f449501b18..c4a186e320 100644 --- a/detections/application/splunk_csrf_in_the_ssg_kvstore_client_endpoint.yml +++ b/detections/application/splunk_csrf_in_the_ssg_kvstore_client_endpoint.yml @@ -1,18 +1,19 @@ name: Splunk csrf in the ssg kvstore client endpoint id: 4742d5f7-ce00-45ce-9c79-5e98b43b4410 -version: 1 -date: '2023-02-14' +version: 2 +date: '2024-05-11' author: Rod Soto status: production type: TTP -description: In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, a cross-site - request forgery in the Splunk Secure Gateway (SSG) app in the kvstore_client endpoint - allows for updating SSG KV store collections via a GET request. SSG is a Splunk - Built app included by default with Splunk Enterprise. The vulnerability affects - instances with SSG and Splunk Web enabled. This hunting search provides information - on affected server specific method and post data that may reveal exploitation of - this vulnerability. -data_source: +description: The following analytic identifies attempts to exploit a cross-site request + forgery (CSRF) vulnerability in the Splunk Secure Gateway (SSG) app's kvstore_client + endpoint. It detects GET requests to the vulnerable endpoint using internal index + data, focusing on specific URI paths and HTTP methods. This activity is significant + because it can allow unauthorized updates to SSG KV store collections, potentially + leading to data manipulation or unauthorized access. If confirmed malicious, this + could enable attackers to alter critical configurations or exfiltrate sensitive + information, compromising the integrity and security of the Splunk environment. +data_source: - Splunk search: '`splunkda` uri_path="/en-US/splunkd/__raw/services/ssg/kvstore_client" method="GET" delete_field_value="spacebridge_server" status="200" | table splunk_server status @@ -56,7 +57,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1189/splunk/splunk_csrf_in_the_ssg_kvstore_client_endpoint_data.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1189/splunk/splunk_csrf_in_the_ssg_kvstore_client_endpoint_data.log source: splunkd_access.log sourcetype: splunkd_access custom_index: _internal diff --git a/detections/application/splunk_data_exfiltration_from_analytics_workspace_using_sid_query.yml b/detections/application/splunk_data_exfiltration_from_analytics_workspace_using_sid_query.yml index edde6b1e80..2e53d18f26 100644 --- a/detections/application/splunk_data_exfiltration_from_analytics_workspace_using_sid_query.yml +++ b/detections/application/splunk_data_exfiltration_from_analytics_workspace_using_sid_query.yml @@ -1,16 +1,19 @@ name: Splunk Data exfiltration from Analytics Workspace using sid query id: b6d77c6c-f011-4b03-8650-8f10edb7c4a8 -version: 1 -date: '2022-11-01' +version: 2 +date: '2024-05-25' author: Rod Soto, Eric McGinnis status: production type: Hunting -description: This hunting search allows operator to discover attempts to exfiltrate - data by executing a prepositioned malicious search ID in Analytic Workspace in Splunk - Enterprise versions 8.2.9,8.1.12,9.0.2. The attack is browser-based. It requires - the attacker to compel a victim to initiate a request within their browser (phishing). - The attacker cannot exploit the vulnerability at will. -data_source: +description: The following analytic identifies attempts to exfiltrate data by executing + a prepositioned malicious search ID in Splunk's Analytic Workspace. It leverages + the `audit_searches` data source to detect suspicious `mstats` commands indicative + of injection attempts. This activity is significant as it may indicate a phishing-based + attack where an attacker compels a victim to initiate a malicious request, potentially + leading to unauthorized data access. If confirmed malicious, this could result in + significant data exfiltration, compromising sensitive information and impacting + the organization's security posture. +data_source: - Splunk search: '`audit_searches` info=granted search NOT ("audit_searches") search NOT ("security_content_summariesonly") AND ((search="*mstats*[*]*" AND provenance="N/A") OR (search="*mstats*\\\"*[*]*\\\"*"))| @@ -59,7 +62,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1567/splunk/splunk_data_exfiltration_from_analytics_workspace_using_sid_query.txt + - data: + https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1567/splunk/splunk_data_exfiltration_from_analytics_workspace_using_sid_query.txt source: audittrail sourcetype: audittrail custom_index: _audit diff --git a/detections/application/splunk_digital_certificates_infrastructure_version.yml b/detections/application/splunk_digital_certificates_infrastructure_version.yml index 00aec63786..15c43c0e3b 100644 --- a/detections/application/splunk_digital_certificates_infrastructure_version.yml +++ b/detections/application/splunk_digital_certificates_infrastructure_version.yml @@ -1,15 +1,19 @@ name: Splunk Digital Certificates Infrastructure Version id: 3c162281-7edb-4ebc-b9a4-5087aaf28fa7 -version: 1 -date: '2022-05-26' +version: 2 +date: '2024-05-27' author: Lou Stella, Splunk status: production type: Hunting -description: This search will check the TLS validation is properly configured on the - search head it is run from as well as its search peers after Splunk version 9. Other - components such as additional search heads or anything this rest command cannot - be distributed to will need to be manually checked. -data_source: +description: The following analytic identifies improper TLS validation configuration + on Splunk search heads and peers post version 9. It leverages REST API calls to + retrieve server information and SSL configuration settings, checking fields like + `sslVerifyServerCert` and `sslVerifyServerName`. This activity is significant for + a SOC as improper TLS settings can expose the infrastructure to man-in-the-middle + attacks and data breaches. If confirmed malicious, attackers could intercept or + manipulate data, compromising the integrity and confidentiality of communications + within the Splunk environment. +data_source: - Splunk search: '| rest /services/server/info | table splunk_server version server_roles | join splunk_server [| rest /servicesNS/nobody/search/configs/conf-server/ search="sslConfig"| @@ -58,7 +62,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1213/audittrail/audittrail.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1213/audittrail/audittrail.log source: audittrail sourcetype: audittrail update_timestamp: true diff --git a/detections/application/splunk_digital_certificates_lack_of_encryption.yml b/detections/application/splunk_digital_certificates_lack_of_encryption.yml index feccdd2a72..edaab43ed3 100644 --- a/detections/application/splunk_digital_certificates_lack_of_encryption.yml +++ b/detections/application/splunk_digital_certificates_lack_of_encryption.yml @@ -1,19 +1,18 @@ name: Splunk Digital Certificates Lack of Encryption id: 386a7ebc-737b-48cf-9ca8-5405459ed508 -version: 1 -date: '2022-05-26' +version: 2 +date: '2024-05-18' author: Lou Stella, Splunk status: production type: Anomaly -description: On June 14th, 2022, Splunk released a security advisory relating to the - authentication that happens between Universal Forwarders and Deployment Servers. - In some circumstances, an unauthenticated client can download forwarder bundles - from the Deployment Server. In other circumstances, a client may be allowed to publish - a forwarder bundle to other clients, which may allow for arbitrary code execution. - The fixes for these require upgrading to at least Splunk 9.0 on the forwarder as - well. This is a great opportunity to configure TLS across the environment. This - search looks for forwarders that are not using TLS and adds risk to those entities. -data_source: +description: The following analytic identifies Splunk forwarder connections that are + not using TLS encryption. It leverages data from the `splunkd` logs, specifically + looking for connections where the `ssl` field is set to "false". This activity is + significant because unencrypted connections can expose sensitive data and allow + unauthorized access, posing a security risk. If confirmed malicious, an attacker + could exploit this vulnerability to download or publish forwarder bundles, potentially + leading to arbitrary code execution and further compromise of the environment. +data_source: - Splunk search: '`splunkd` group="tcpin_connections" ssl="false" | stats values(sourceIp) latest(fwdType) latest(version) by hostname | `splunk_digital_certificates_lack_of_encryption_filter`' @@ -65,7 +64,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1587.003/splunk_fwder/splunkd.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1587.003/splunk_fwder/splunkd.log source: /opt/splunk/var/log/splunk/metrics.log sourcetype: splunkd update_timestamp: false diff --git a/detections/application/splunk_dos_using_malformed_saml_request.yml b/detections/application/splunk_dos_using_malformed_saml_request.yml index 94b4a37f9e..669a282909 100644 --- a/detections/application/splunk_dos_using_malformed_saml_request.yml +++ b/detections/application/splunk_dos_using_malformed_saml_request.yml @@ -1,21 +1,31 @@ name: Splunk DoS Using Malformed SAML Request id: 8e8a86d5-f323-4567-95be-8e817e2baee6 -version: 1 -date: '2023-09-05' +version: 2 +date: '2024-05-29' author: Rod Soto status: production type: Hunting -data_source: +data_source: - Splunk -description: In Splunk Enterprise versions lower than 9.0.6, and 8.2.12, an attacker can send a malformed security assertion markup language SAML request to the /saml/acs REST endpoint which can cause a denial of service through a crash or hang of the Splunk daemon.The SAML extensible markup language (XML) parser does not fail SAML signature validation when the attacker modifies the URI in the SAML request. Instead it attempts to access the modified URI, which causes the Splunk daemon to crash or hang. -search: '`splunkd` event_message=*error* expr=*xpointer* | stats count min(_time) as firstTime max(_time) as lastTime by component expr splunk_server event_message | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `splunk_dos_using_malformed_saml_request_filter`' -how_to_implement: To run this search, you must have access to the _internal index. -known_false_positives: This search will show false positives. The analyst must look for errors and a pointer indicating a malicious file. +description: The following analytic detects a denial of service (DoS) attempt using + a malformed SAML request targeting the /saml/acs REST endpoint in Splunk Enterprise + versions lower than 9.0.6 and 8.2.12. It leverages `splunkd` logs, specifically + looking for error messages containing "xpointer" in the `expr` field. This activity + is significant because it can cause the Splunk daemon to crash or hang, disrupting + service availability. If confirmed malicious, this attack could lead to prolonged + downtime, impacting the organization's ability to monitor and respond to security + events. +search: '`splunkd` event_message=*error* expr=*xpointer* | stats count min(_time) + as firstTime max(_time) as lastTime by component expr splunk_server event_message + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `splunk_dos_using_malformed_saml_request_filter`' +how_to_implement: To run this search, you must have access to the _internal index. +known_false_positives: This search will show false positives. The analyst must look + for errors and a pointer indicating a malicious file. references: - https://advisory.splunk.com/advisories/SVD-2023-0802 tags: analytic_story: - - Splunk Vulnerabilities + - Splunk Vulnerabilities asset_type: Endpoint confidence: 30 impact: 50 @@ -34,14 +44,15 @@ tags: risk_score: 15 required_fields: - component - - expr - - host - - event_message + - expr + - host + - event_message security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1498/splunk/splunk_dos_using_malformed_saml_request_splunkd.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1498/splunk/splunk_dos_using_malformed_saml_request_splunkd.log source: splunkd.log sourcetype: splunkd - custom_index: _internal \ No newline at end of file + custom_index: _internal diff --git a/detections/application/splunk_dos_via_malformed_s2s_request.yml b/detections/application/splunk_dos_via_malformed_s2s_request.yml index 75b3515bc7..a195ee0823 100644 --- a/detections/application/splunk_dos_via_malformed_s2s_request.yml +++ b/detections/application/splunk_dos_via_malformed_s2s_request.yml @@ -1,15 +1,19 @@ name: Splunk DoS via Malformed S2S Request id: fc246e56-953b-40c1-8634-868f9e474cbd -version: 2 -date: '2022-03-24' +version: 3 +date: '2024-05-27' author: Lou Stella, Splunk status: production type: TTP -description: On March 24th, 2022, Splunk published a security advisory for a possible - Denial of Service stemming from the lack of validation in a specific key-value field - in the Splunk-to-Splunk (S2S) protocol. This detection will alert on attempted exploitation - in patched versions of Splunk. -data_source: +description: The following analytic identifies attempts to exploit a Denial of Service + (DoS) vulnerability in the Splunk-to-Splunk (S2S) protocol by detecting malformed + S2S requests. It leverages `splunkd` logs, specifically looking for "ERROR" level + logs from the "TcpInputProc" component with the thread name "FwdDataReceiverThread" + and the message "Invalid _meta atom." This activity is significant as it targets + a known vulnerability that could disrupt Splunk services. If confirmed malicious, + this could lead to service outages, impacting the availability and reliability of + Splunk for monitoring and analysis. +data_source: - Splunk search: '`splunkd` log_level="ERROR" component="TcpInputProc" thread_name="FwdDataReceiverThread" "Invalid _meta atom" | table host, src | `splunk_dos_via_malformed_s2s_request_filter`' @@ -55,7 +59,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1498/splunk_indexer_dos/splunkd.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1498/splunk_indexer_dos/splunkd.log source: /opt/splunk/var/log/splunk/splunkd.log sourcetype: splunkd update_timestamp: true diff --git a/detections/application/splunk_dos_via_printf_search_function.yml b/detections/application/splunk_dos_via_printf_search_function.yml index bc058bd7b1..2b7d790800 100644 --- a/detections/application/splunk_dos_via_printf_search_function.yml +++ b/detections/application/splunk_dos_via_printf_search_function.yml @@ -1,18 +1,28 @@ name: Splunk DOS via printf search function id: 78b48d08-075c-4eac-bd07-e364c3780867 -version: 1 -date: '2023-08-30' +version: 2 +date: '2024-05-25' author: Rod Soto, Eric McGinnis, Splunk status: production type: Hunting -data_source: +data_source: - Splunk -description: This hunting search provides information on detecting a vulnerability In Splunk Enterprise versions lower than 8.1.14, 8.2.12, 9.0.6, and 9.1.1, an attacker can use the printf SPL function to perform a denial of service against the Splunk Enterprise instance. -search: '`audit_searches` "*makeresults * eval * fieldformat *printf*" user!="splunk_system_user" search!="*audit_searches*" - | stats count by user splunk_server host search - | convert ctime(*time) |`splunk_dos_via_printf_search_function_filter`' -how_to_implement: This search requires the ability to search internal indexes. -known_false_positives: This search may produces false positives, analyst most focuse in the use of printf conversion function of eval to craft an expression that splunkd cannot interpret correctly causing it to crash. +description: The following analytic identifies the use of the `printf` SPL function + in Splunk searches, which can be exploited for a denial of service (DoS) attack. + It detects this activity by querying the `audit_searches` data source for specific + patterns involving `makeresults`, `eval`, `fieldformat`, and `printf` functions, + excluding searches by the `splunk_system_user`. This activity is significant because + it targets a known vulnerability in Splunk Enterprise versions lower than 8.1.14, + 8.2.12, 9.0.6, and 9.1.1, potentially disrupting the availability of the Splunk + instance. If confirmed malicious, this could lead to service outages and impact + the monitoring and logging capabilities of the organization. +search: '`audit_searches` "*makeresults * eval * fieldformat *printf*" user!="splunk_system_user" + search!="*audit_searches*" | stats count by user splunk_server host search | convert + ctime(*time) |`splunk_dos_via_printf_search_function_filter`' +how_to_implement: This search requires the ability to search internal indexes. +known_false_positives: This search may produces false positives, analyst most focuse + in the use of printf conversion function of eval to craft an expression that splunkd + cannot interpret correctly causing it to crash. references: - https://advisory.splunk.com/ tags: @@ -37,15 +47,16 @@ tags: - Splunk Cloud risk_score: 100 required_fields: - - user + - user - splunk_server - host - - search + - search security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1499.004/splunk/splunk_printf_abuse.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1499.004/splunk/splunk_printf_abuse.log source: audittrail sourcetype: audittrail custom_index: _audit diff --git a/detections/application/splunk_endpoint_denial_of_service_dos_zip_bomb.yml b/detections/application/splunk_endpoint_denial_of_service_dos_zip_bomb.yml index 58e274e716..f3e483dc5d 100644 --- a/detections/application/splunk_endpoint_denial_of_service_dos_zip_bomb.yml +++ b/detections/application/splunk_endpoint_denial_of_service_dos_zip_bomb.yml @@ -1,18 +1,19 @@ name: Splunk Endpoint Denial of Service DoS Zip Bomb id: b237d393-2f57-4531-aad7-ad3c17c8b041 -version: 1 -date: '2022-08-02' +version: 2 +date: '2024-05-27' author: Marissa Bower, Rod Soto, Splunk status: production type: TTP -description: This search allows operator to identify Splunk search app crashes resulting - from specially crafted ZIP file using file monitoring that affects UF versions 8.1.11 - and 8.2 versions below 8.2.7.1. It is not possible to detect Zip Bomb attack before - crash. This search will provide Universal Forwarder errors from uploaded binary - files (zip compression) which are used for this attack. If an analyst sees results - from this search we suggest you investigate and triage what zip file was uploaded, - zip compressed files may have different extensions. -data_source: +description: The following analytic identifies crashes in the Splunk search app caused + by specially crafted ZIP files, affecting Universal Forwarder versions 8.1.11 and + 8.2 versions below 8.2.7.1. It detects this activity by monitoring Universal Forwarder + error logs for specific messages indicating invalid or binary file issues. This + activity is significant because it can disrupt Splunk operations, leading to potential + data loss or monitoring gaps. If confirmed malicious, this attack could result in + a denial of service, hindering the organization's ability to monitor and respond + to other security incidents effectively. +data_source: - Splunk search: '`splunkd` component=FileClassifierManager event_message=*invalid* event_message=*binary* |stats count by host component event_message | `splunk_endpoint_denial_of_service_dos_zip_bomb_filter`' @@ -52,7 +53,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1499/splunk/splunk_zip_bomb_vulnerability.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1499/splunk/splunk_zip_bomb_vulnerability.log source: /opt/splunkforwarder/var/log/splunk/splunkd.log sourcetype: splunkd custom_index: _internal diff --git a/detections/application/splunk_enterprise_kv_store_incorrect_authorization.yml b/detections/application/splunk_enterprise_kv_store_incorrect_authorization.yml index 85b6d110a8..d9a3f8b1ab 100644 --- a/detections/application/splunk_enterprise_kv_store_incorrect_authorization.yml +++ b/detections/application/splunk_enterprise_kv_store_incorrect_authorization.yml @@ -1,20 +1,28 @@ name: Splunk Enterprise KV Store Incorrect Authorization id: 8f0e8380-a835-4f2b-b749-9ce119364df0 -version: 1 -date: '2024-01-18' +version: 2 +date: '2024-05-10' author: Rod Soto, Eric McGinnis, Chase Franklin status: production type: Hunting -data_source: +data_source: - Splunk -description: In Splunk Enterprise versions below 9.0.8 and 9.1.3, Splunk app key value store KV Store improperly handles permissions for users using the REST application programming interface (API). This can potentially result in the deletion of KV Store collections. -search: '`splunkda` uri=/servicesNS/nobody/search/admin/collections-conf/_reload status=2* method="POST" user=* file=_reload - | stats count min(_time) as firstTime max(_time) as lastTime values(status) as status by host clientip file method - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `splunk_enterprise_kv_store_incorrect_authorization_filter`' -how_to_implement: Requires access to internal indexes and REST API enabled instances. -known_false_positives: This is a hunting search and will produce false positives. Operator must follow results into instances where curl requests coming from actual users may indicate intent of exploitation. +description: The following analytic detects unauthorized attempts to reload Splunk + KV Store collections via the REST API. It leverages internal index logs to identify + POST requests to the `/servicesNS/nobody/search/admin/collections-conf/_reload` + endpoint, focusing on status codes starting with '2'. This activity is significant + as it may indicate improper permission handling, potentially leading to unauthorized + deletion of KV Store collections. If confirmed malicious, this could result in data + loss or unauthorized data manipulation, impacting the integrity and availability + of critical Splunk data. +search: '`splunkda` uri=/servicesNS/nobody/search/admin/collections-conf/_reload status=2* + method="POST" user=* file=_reload | stats count min(_time) as firstTime max(_time) + as lastTime values(status) as status by host clientip file method | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `splunk_enterprise_kv_store_incorrect_authorization_filter`' +how_to_implement: Requires access to internal indexes and REST API enabled instances. +known_false_positives: This is a hunting search and will produce false positives. + Operator must follow results into instances where curl requests coming from actual + users may indicate intent of exploitation. references: - https://advisory.splunk.com/advisories/SVD-2024-0105 tags: @@ -39,16 +47,17 @@ tags: risk_score: 25 required_fields: - uri - - status - - method - - file - - clientip - - host + - status + - method + - file + - clientip + - host security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/splunk/splunk_enterprise_kv_store_incorrect_authorization_splunkd_access.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/splunk/splunk_enterprise_kv_store_incorrect_authorization_splunkd_access.log source: /opt/splunk/var/log/splunk/splunkd_access.log - sourcetype: splunkd_access - custom_index: _internal + sourcetype: splunkd_access + custom_index: _internal diff --git a/detections/application/splunk_es_dos_investigations_manager_via_investigation_creation.yml b/detections/application/splunk_es_dos_investigations_manager_via_investigation_creation.yml index ef84370bb5..b4fd15ff4f 100644 --- a/detections/application/splunk_es_dos_investigations_manager_via_investigation_creation.yml +++ b/detections/application/splunk_es_dos_investigations_manager_via_investigation_creation.yml @@ -1,19 +1,30 @@ name: Splunk ES DoS Investigations Manager via Investigation Creation id: 7f6a07bd-82ef-46b8-8eba-802278abd00e -version: 1 -date: '2024-01-04' +version: 2 +date: '2024-05-25' author: Rod Soto, Eric McGinnis, Chase Franklin status: production type: TTP -data_source: +data_source: - Splunk -description: In Splunk Enterprise Security (ES) versions lower than 7.1.2, an attacker can create a malformed Investigation to perform a denial of service (DoS). The malformed investigation prevents the generation and rendering of the Investigations manager until it is deleted. -search: '`splunkd_investigation_rest_handler` method=put msg=*investigation* status=error | stats count min(_time) as firstTime max(_time) as lastTime by user host method msg - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `splunk_es_dos_investigations_manager_via_investigation_creation_filter`' -how_to_implement: This search requires access to internal indexes. Only affects Splunk Enterprise Security versions lower than 7.1.2. -known_false_positives: The vulnerability requires an authenticated session and access to create an Investigation. It only affects the availability of the Investigations manager, but without the manager, the Investigations functionality becomes unusable for most users. This search gives the exact offending event. +description: The following analytic detects the creation of malformed Investigations + in Splunk Enterprise Security (ES) versions lower than 7.1.2, which can lead to + a denial of service (DoS). It leverages internal Splunk logs, specifically monitoring + the `splunkd_investigation_rest_handler` with error statuses during investigation + creation. This activity is significant as it can disrupt the functionality of the + Investigations manager, hindering incident response efforts. If confirmed malicious, + this could prevent security teams from accessing critical investigation data, severely + impacting their ability to manage and respond to security incidents effectively. +search: '`splunkd_investigation_rest_handler` method=put msg=*investigation* status=error + | stats count min(_time) as firstTime max(_time) as lastTime by user host method + msg | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | + `splunk_es_dos_investigations_manager_via_investigation_creation_filter`' +how_to_implement: This search requires access to internal indexes. Only affects Splunk + Enterprise Security versions lower than 7.1.2. +known_false_positives: The vulnerability requires an authenticated session and access + to create an Investigation. It only affects the availability of the Investigations + manager, but without the manager, the Investigations functionality becomes unusable + for most users. This search gives the exact offending event. references: - https://advisory.splunk.com/advisories/SVD-2024-0102 tags: @@ -29,7 +40,7 @@ tags: - T1499 observable: - name: user - type: User + type: User role: - Victim - name: host @@ -41,14 +52,15 @@ tags: risk_score: 100 required_fields: - method - - msg - - status - - user + - msg + - status + - user security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1499/splunk/splunk_cve_2024_22165_investigation_rest_handler.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1499/splunk/splunk_cve_2024_22165_investigation_rest_handler.log source: /opt/splunk/var/log/splunk/investigation_handler.log sourcetype: investigation_rest_handler custom_index: _internal diff --git a/detections/application/splunk_es_dos_through_investigation_attachments.yml b/detections/application/splunk_es_dos_through_investigation_attachments.yml index e80d24e9aa..4cb6dfc441 100644 --- a/detections/application/splunk_es_dos_through_investigation_attachments.yml +++ b/detections/application/splunk_es_dos_through_investigation_attachments.yml @@ -1,20 +1,31 @@ name: Splunk ES DoS Through Investigation Attachments id: bb85b25e-2d6b-4e39-bd27-50db42edcb8f -version: 1 -date: '2024-01-04' +version: 2 +date: '2024-05-29' author: Rod Soto, Eric McGinnis, Chase Franklin status: production type: TTP -data_source: +data_source: - Splunk -description: In Splunk Enterprise Security (ES) versions below 7.1.2, an attacker can use investigation attachments to perform a denial of service (DoS) to the Investigation. The attachment endpoint does not properly limit the size of the request which lets an attacker cause the Investigation to become inaccessible. -search: '`splunkd_investigation_rest_handler` status=error object=investigation - | stats min(_time) as firstTime max(_time) as lastTime values(status) as status values(msg) as msg values(id) as investigation_id by user - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `splunk_es_dos_through_investigation_attachments_filter`' -how_to_implement: This search requires access to internal indexes, only affects Enterprise Security versions below 7.1.2. -known_false_positives: This search will show the exact DoS event via error message and investigation id. The error however does not point exactly at the uploader as any users associated with the investigation will be affected. Operator must investigate using investigation id the possible origin of the malicious upload. Attack only affects specific investigation not the investigation manager. +description: The following analytic detects attempts to perform a denial of service + (DoS) attack through investigation attachments in Splunk Enterprise Security (ES) + versions below 7.1.2. It leverages internal Splunk logs, specifically monitoring + the `splunkd_investigation_rest_handler` for error statuses related to investigation + objects. This activity is significant because it can render the Investigation feature + inaccessible, disrupting incident response and forensic analysis. If confirmed malicious, + this attack could prevent security teams from effectively managing and investigating + security incidents, leading to prolonged exposure and potential data breaches. +search: '`splunkd_investigation_rest_handler` status=error object=investigation | + stats min(_time) as firstTime max(_time) as lastTime values(status) as status values(msg) + as msg values(id) as investigation_id by user | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `splunk_es_dos_through_investigation_attachments_filter`' +how_to_implement: This search requires access to internal indexes, only affects Enterprise + Security versions below 7.1.2. +known_false_positives: This search will show the exact DoS event via error message + and investigation id. The error however does not point exactly at the uploader as + any users associated with the investigation will be affected. Operator must investigate + using investigation id the possible origin of the malicious upload. Attack only + affects specific investigation not the investigation manager. references: - https://advisory.splunk.com/advisories/SVD-2024-0101 tags: @@ -30,23 +41,24 @@ tags: - T1499 observable: - name: user - type: User + type: User role: - Victim product: - Splunk Enterprise Security risk_score: 100 required_fields: - - user - - status - - msg - - id - - object + - user + - status + - msg + - id + - object security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1499/splunk/splunk_cve_2024_22164_investigation_rest_handler.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1499/splunk/splunk_cve_2024_22164_investigation_rest_handler.log source: /opt/splunk/var/log/splunk/investigation_handler.log sourcetype: investigation_rest_handler custom_index: _internal diff --git a/detections/application/splunk_http_response_splitting_via_rest_spl_command.yml b/detections/application/splunk_http_response_splitting_via_rest_spl_command.yml index c189b55d1f..283e7c0c90 100644 --- a/detections/application/splunk_http_response_splitting_via_rest_spl_command.yml +++ b/detections/application/splunk_http_response_splitting_via_rest_spl_command.yml @@ -1,21 +1,34 @@ name: Splunk HTTP Response Splitting Via Rest SPL Command id: e615a0e1-a1b2-4196-9865-8aa646e1708c -version: 1 -date: '2023-05-23' +version: 2 +date: '2024-05-27' author: Rod Soto, Chase Franklin status: production type: Hunting data_source: - Splunk -description: A low-privileged user, using a specially crafted search command, can trigger an HTTP response splitting vulnerability with the rest SPL command that lets them potentially access other REST endpoints in the system arbitrarily, including accessing restricted content such as password files. This is because the user is able to inject the rest SPL command into the q parameter of an HTTP GET web request. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The attacker cannot exploit the vulnerability at will. -search: '`audit_searches` AND search IN ("*|*rest*POST*","*|*rest*PUT*","*|*rest*PATCH*","*|*rest*DELETE*") AND NOT search="*audit_searches*" | table user info has_error_msg search _time | `splunk_http_response_splitting_via_rest_spl_command_filter`' -how_to_implement: This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. This search may assist in detecting possible http response splitting exploitation attemptss. -known_false_positives: This search may have produce false positives as malformed or erroneous requests made to this endpoint may be executed willingly or erroneously by operators. +description: The following analytic identifies attempts to exploit an HTTP response + splitting vulnerability via the rest SPL command in Splunk. It detects this activity + by analyzing audit logs for specific search commands that include REST methods like + POST, PUT, PATCH, or DELETE. This behavior is significant because it indicates a + potential attempt to access restricted REST endpoints, which could lead to unauthorized + access to sensitive information. If confirmed malicious, this activity could allow + an attacker to access restricted content, such as password files, by injecting commands + into HTTP requests. +search: '`audit_searches` AND search IN ("*|*rest*POST*","*|*rest*PUT*","*|*rest*PATCH*","*|*rest*DELETE*") + AND NOT search="*audit_searches*" | table user info has_error_msg search _time | + `splunk_http_response_splitting_via_rest_spl_command_filter`' +how_to_implement: This detection does not require you to ingest any new data. The + detection does require the ability to search the _audit index. This search may assist + in detecting possible http response splitting exploitation attemptss. +known_false_positives: This search may have produce false positives as malformed or + erroneous requests made to this endpoint may be executed willingly or erroneously + by operators. references: - https://advisory.splunk.com/ tags: analytic_story: - - Splunk Vulnerabilities + - Splunk Vulnerabilities asset_type: Endpoint atomic_guid: [] confidence: 50 @@ -33,14 +46,15 @@ tags: risk_score: 25 required_fields: - search - - testing_endpoint - - info + - testing_endpoint + - info - has_error_msg security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027.006/splunk/splunk_http_response_splitting_via_rest_spl_command.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027.006/splunk/splunk_http_response_splitting_via_rest_spl_command.log source: audittrail sourcetype: audittrail custom_index: _audit diff --git a/detections/application/splunk_list_all_nonstandard_admin_accounts.yml b/detections/application/splunk_list_all_nonstandard_admin_accounts.yml index ceeea9fa1a..ef97675e46 100644 --- a/detections/application/splunk_list_all_nonstandard_admin_accounts.yml +++ b/detections/application/splunk_list_all_nonstandard_admin_accounts.yml @@ -1,18 +1,18 @@ name: Splunk list all nonstandard admin accounts id: 401d689c-8596-4c6b-a710-7b6fdca296d3 -version: 1 -date: '2023-02-07' +version: 2 +date: '2024-05-21' author: Rod Soto status: experimental type: Hunting -description: 'This search will enumerate all Splunk Accounts with administrative rights - on this instance. It deliberately ignores the default admin account since this - is assumed to be present. This search may help in a detection the Cross-Site Scripting - Attack listed: In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, a - View allows for Cross-Site Scripting in an XML View through the ''layoutPanel'' - attribute in the ''module'' tag. The vulnerability affects instances with Splunk - Web enabled.' -data_source: +description: 'The following analytic identifies nonstandard Splunk accounts with administrative + rights on the instance, excluding the default admin account. It uses REST API calls + to retrieve user data and filters for accounts with admin capabilities. This activity + is significant as unauthorized admin accounts can indicate potential security breaches + or misconfigurations. If confirmed malicious, attackers could leverage these accounts + to execute commands, escalate privileges, or persist within the environment, posing + a significant risk to the integrity and security of the Splunk instance.' +data_source: - Splunk search: '| rest splunk_server=local /services/authentication/users |search capabilities=admin* OR imported_capabilities=admin* title!=admin | table title roles capabilities splunk_server diff --git a/detections/application/splunk_low_privilege_user_can_view_hashed_splunk_password.yml b/detections/application/splunk_low_privilege_user_can_view_hashed_splunk_password.yml index 019a5a4b51..e58f7adafe 100644 --- a/detections/application/splunk_low_privilege_user_can_view_hashed_splunk_password.yml +++ b/detections/application/splunk_low_privilege_user_can_view_hashed_splunk_password.yml @@ -1,17 +1,29 @@ name: Splunk Low Privilege User Can View Hashed Splunk Password id: a1be424d-e59c-4583-b6f9-2dcc23be4875 -version: 1 -date: '2023-05-09' +version: 2 +date: '2024-05-29' author: Rod Soto, Eric McGinnis, Chase Franklin status: production type: Hunting data_source: - Splunk -description: In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, a low-privilege user who holds the user role can see the hashed version of the initial user name and password for the Splunk instance by using the rest SPL command against the conf-user-seed REST endpoint. This can lead to a privilege escalation that lets the user take over the admin account on the instance. -search: '`splunkd_web` uri="*/servicesNS/nobody/system/configs/conf-user-seed*" | stats earliest(_time) as event_time values(method) as method values(status) as - status values(clientip) as clientip values(useragent) as useragent values(file) as file by user | convert ctime(*time) | `splunk_low_privilege_user_can_view_hashed_splunk_password_filter`' -how_to_implement: This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. This detection may assist in efforts to discover attempts to access con-user-seed file content. -known_false_positives: This search may produce false positives as accounts with high privileges may access this file. Operator will need to investigate these actions in order to discern exploitation attempts. +description: The following analytic identifies low-privilege users attempting to view + hashed Splunk passwords by querying the conf-user-seed REST endpoint. It leverages + data from the `splunkd_web` logs, specifically monitoring access to the conf-user-seed + endpoint. This activity is significant because it can indicate an attempt to escalate + privileges by obtaining hashed credentials, potentially leading to admin account + takeover. If confirmed malicious, this could allow an attacker to gain administrative + control over the Splunk instance, compromising the entire environment's security. +search: '`splunkd_web` uri="*/servicesNS/nobody/system/configs/conf-user-seed*" | + stats earliest(_time) as event_time values(method) as method values(status) as status + values(clientip) as clientip values(useragent) as useragent values(file) as file + by user | convert ctime(*time) | `splunk_low_privilege_user_can_view_hashed_splunk_password_filter`' +how_to_implement: This detection does not require you to ingest any new data. The + detection does require the ability to search the _audit index. This detection may + assist in efforts to discover attempts to access con-user-seed file content. +known_false_positives: This search may produce false positives as accounts with high + privileges may access this file. Operator will need to investigate these actions + in order to discern exploitation attempts. references: - https://advisory.splunk.com/ tags: @@ -28,23 +40,24 @@ tags: - name: clientip type: IP Address role: - - Attacker + - Attacker product: - Splunk Enterprise risk_score: 81 required_fields: - - _time - - clientip - - useragent - - file - - user - - method - - status + - _time + - clientip + - useragent + - file + - user + - method + - status security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1212/splunk/splunk_low_privilege_user_can_view_hashed_splunk_password.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1212/splunk/splunk_low_privilege_user_can_view_hashed_splunk_password.log source: /opt/splunk/var/log/splunk/web_access.log sourcetype: splunk_web_access custom_index: _internal diff --git a/detections/application/splunk_path_traversal_in_splunk_app_for_lookup_file_edit.yml b/detections/application/splunk_path_traversal_in_splunk_app_for_lookup_file_edit.yml index a9d1e37322..5ca71945e7 100644 --- a/detections/application/splunk_path_traversal_in_splunk_app_for_lookup_file_edit.yml +++ b/detections/application/splunk_path_traversal_in_splunk_app_for_lookup_file_edit.yml @@ -1,23 +1,35 @@ name: Splunk Path Traversal In Splunk App For Lookup File Edit id: 8ed58987-738d-4917-9e44-b8ef6ab948a6 -version: 1 -date: '2023-05-11' +version: 2 +date: '2024-05-22' author: Rod Soto, Eric McGinnis status: production type: Hunting data_source: - Splunk -description: In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, a low-privilege user with access to the Splunk App for Lookup File Editing can, with a specially crafted web request, trigger a path traversal exploit that can then be used to read and write to restricted areas of the Splunk installation directory, including but not limited to the password hash file for the instance. -search: '`splunkda` uri_query=*lookup_file* | table clientip uri_query lookup_file owner namespace version | stats count by clientip namespace lookup_file uri_query | `splunk_path_traversal_in_splunk_app_for_lookup_file_edit_filter`' -how_to_implement: This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. This detection is meant for on premise environments, - and if executed on internet facing servers without a WAF may produce a lot of results. This detection will not work against obfuscated path traversal requests. -known_false_positives: This search may find additional path traversal exploitation attempts or malformed requests. +description: The following analytic identifies path traversal attempts in the Splunk + App for Lookup File Editing. It detects specially crafted web requests targeting + lookup files by analyzing the `uri_query` field in the `_internal` index. This activity + is significant because it allows low-privilege users to read and write to restricted + areas of the Splunk installation directory, potentially accessing sensitive files + like password hashes. If confirmed malicious, this could lead to unauthorized access, + data breaches, and further exploitation of the Splunk environment. +search: '`splunkda` uri_query=*lookup_file* | table clientip uri_query lookup_file + owner namespace version | stats count by clientip namespace lookup_file uri_query + | `splunk_path_traversal_in_splunk_app_for_lookup_file_edit_filter`' +how_to_implement: This detection does not require you to ingest any new data. The + detection does require the ability to search the _internal index. This detection + is meant for on premise environments, and if executed on internet facing servers + without a WAF may produce a lot of results. This detection will not work against + obfuscated path traversal requests. +known_false_positives: This search may find additional path traversal exploitation + attempts or malformed requests. references: - https://advisory.splunk.com/ tags: analytic_story: - Splunk Vulnerabilities - asset_type: Endpoint + asset_type: Endpoint atomic_guid: [] confidence: 80 impact: 50 @@ -34,17 +46,18 @@ tags: risk_score: 40 required_fields: - clientip - - uri_query - - event_message - - lookup_file - - owner - - method + - uri_query + - event_message + - lookup_file + - owner + - method - user security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1083/splunk/splunk_path_traversal_in_splunk_app_for_lookup_file_edit.log - source: splunkd_access + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1083/splunk/splunk_path_traversal_in_splunk_app_for_lookup_file_edit.log + source: splunkd_access sourcetype: splunkd_access custom_index: _internal diff --git a/detections/application/splunk_persistent_xss_via_url_validation_bypass_w_dashboard.yml b/detections/application/splunk_persistent_xss_via_url_validation_bypass_w_dashboard.yml index 1c76eb13d8..70038513f5 100644 --- a/detections/application/splunk_persistent_xss_via_url_validation_bypass_w_dashboard.yml +++ b/detections/application/splunk_persistent_xss_via_url_validation_bypass_w_dashboard.yml @@ -1,16 +1,29 @@ name: Splunk Persistent XSS Via URL Validation Bypass W Dashboard id: 8a43558f-a53c-4ee4-86c1-30b1e8ef3606 -version: 1 -date: '2023-05-09' +version: 2 +date: '2024-05-20' author: Rod Soto status: production type: Hunting data_source: - Splunk -description: In Splunk Enterprise versions below 9.0.4, 8.2.10, and 8.1.13, a low-privileged user can bypass URL validation to perform a path traversal and access restricted and confidential information by targeting other users on the instance, including the admin user. The only affected version of bootstrap which shipped with Splunk was version 2.3.1, so the search is targeted at that version alone. -search: '`splunkd_web` method=GET uri_path="*bootstrap-2.3.1*" file="*.js" | table _time clientip uri_path file status | `splunk_persistent_xss_via_url_validation_bypass_w_dashboard_filter`' -how_to_implement: This search does not require additional data to be ingested. This search requires ability to search _internal index. This search helps discover access to vulnerable bootstrap versions. -known_false_positives: This search will produce numerous false positives as it shows ANY accesses to vulnerable bootstrap Javascript files. Accesses to these files occur during normal Splunk usage. To reduce or eliminate false positives, update the a version of Splunk which has addressed the vulnerability. +description: The following analytic detects attempts to bypass URL validation in Splunk + Enterprise versions below 9.0.4, 8.2.10, and 8.1.13 by targeting the vulnerable + bootstrap version 2.3.1. It leverages `splunkd_web` logs, specifically monitoring + GET requests to JavaScript files within the vulnerable bootstrap path. This activity + is significant as it can allow a low-privileged user to perform path traversal, + potentially accessing restricted and confidential information. If confirmed malicious, + this could lead to unauthorized data access and compromise of sensitive information, + including targeting admin users. +search: '`splunkd_web` method=GET uri_path="*bootstrap-2.3.1*" file="*.js" | table + _time clientip uri_path file status | `splunk_persistent_xss_via_url_validation_bypass_w_dashboard_filter`' +how_to_implement: This search does not require additional data to be ingested. This + search requires ability to search _internal index. This search helps discover access + to vulnerable bootstrap versions. +known_false_positives: This search will produce numerous false positives as it shows + ANY accesses to vulnerable bootstrap Javascript files. Accesses to these files + occur during normal Splunk usage. To reduce or eliminate false positives, update + the a version of Splunk which has addressed the vulnerability. references: - https://advisory.splunk.com/ tags: @@ -20,9 +33,9 @@ tags: atomic_guid: [] confidence: 20 impact: 80 - cve: + cve: - CVE-2019-8331 - message: Attempted access to vulnerable bootstrap file by $clientip$ + message: Attempted access to vulnerable bootstrap file by $clientip$ mitre_attack_id: - T1189 observable: @@ -34,15 +47,16 @@ tags: - Splunk Enterprise risk_score: 16 required_fields: - - file - - uri - - clientip - - user + - file + - uri + - clientip + - user security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1189/splunk/splunk_persistent_xss_via_url_validation_bypass_w_dashboard.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1189/splunk/splunk_persistent_xss_via_url_validation_bypass_w_dashboard.log source: /opt/splunk/var/log/splunk/web_access.log sourcetype: splunk_web_access custom_index: _internal diff --git a/detections/application/splunk_process_injection_forwarder_bundle_downloads.yml b/detections/application/splunk_process_injection_forwarder_bundle_downloads.yml index e57945fd6b..522879fb7d 100644 --- a/detections/application/splunk_process_injection_forwarder_bundle_downloads.yml +++ b/detections/application/splunk_process_injection_forwarder_bundle_downloads.yml @@ -1,19 +1,19 @@ name: Splunk Process Injection Forwarder Bundle Downloads id: 8ea57d78-1aac-45d2-a913-0cd603fb6e9e -version: 1 -date: '2022-05-26' +version: 2 +date: '2024-05-23' author: Lou Stella, Splunk status: production type: Hunting -description: On June 14th, 2022, Splunk released a security advisory relating to the - authentication that happens between Universal Forwarders and Deployment Servers. - In some circumstances, an unauthenticated client can download forwarder bundles - from the Deployment Server. This hunting search pulls a full list of forwarder bundle - downloads where the peer column is the forwarder, the host column is the Deployment - Server, and then you have a list of the apps downloaded and the serverclasses in - which the peer is a member of. You should look for apps or clients that you do not - recognize as being part of your environment. -data_source: +description: The following analytic identifies unauthorized forwarder bundle downloads + from Splunk Deployment Servers. It leverages native Splunk logs, specifically the + `splunkd` component "PackageDownloadRestHandler," to detect instances where an unauthenticated + client may have downloaded forwarder bundles. This activity is significant because + it could indicate a potential security breach, allowing unauthorized access to sensitive + configurations and applications. If confirmed malicious, an attacker could gain + insights into the deployment server's environment, potentially leading to further + exploitation or lateral movement within the network. +data_source: - Splunk search: '`splunkd` component="PackageDownloadRestHandler" | stats values(app) values(serverclass) by peer, host | `splunk_process_injection_forwarder_bundle_downloads_filter`' @@ -60,7 +60,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/splunk_ds/splunkd.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/splunk_ds/splunkd.log source: /opt/splunk/var/log/splunk/splunkd.log sourcetype: splunkd update_timestamp: false diff --git a/detections/application/splunk_protocol_impersonation_weak_encryption_configuration.yml b/detections/application/splunk_protocol_impersonation_weak_encryption_configuration.yml index 4b58fc9be3..0af3c5f19f 100644 --- a/detections/application/splunk_protocol_impersonation_weak_encryption_configuration.yml +++ b/detections/application/splunk_protocol_impersonation_weak_encryption_configuration.yml @@ -1,19 +1,19 @@ name: Splunk Protocol Impersonation Weak Encryption Configuration id: 900892bf-70a9-4787-8c99-546dd98ce461 -version: 1 -date: '2022-05-25' +version: 2 +date: '2024-05-28' author: Lou Stella, Splunk status: production type: Hunting -description: On June 14th, 2022, Splunk released a security advisory relating to TLS - validation occuring within the httplib and urllib python libraries shipped with - Splunk. In addition to upgrading to Splunk Enterprise 9.0 or later, several configuration - settings need to be set. This search will check those configurations on the search - head it is run from as well as its search peers. In addition to these settings, - the PYTHONHTTPSVERIFY setting in $SPLUNK_HOME/etc/splunk-launch.conf needs to be - enabled as well. Other components such as additional search heads or anything this - rest command cannot be distributed to will need to be manually checked. -data_source: +description: The following analytic identifies weak encryption configurations in Splunk + related to TLS validation within the httplib and urllib Python libraries. It uses + REST API calls to check specific configuration settings on the search head and its + peers, ensuring compliance with security advisories. This activity is significant + for a SOC as weak encryption can be exploited for protocol impersonation attacks, + leading to unauthorized access. If confirmed malicious, attackers could intercept + and manipulate data, compromising the integrity and confidentiality of the Splunk + environment. +data_source: - Splunk search: '| rest /services/server/info | table splunk_server version server_roles | join splunk_server [| rest /servicesNS/nobody/search/configs/conf-server/ search="PythonSslClientConfig" @@ -66,7 +66,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1213/audittrail/audittrail.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1213/audittrail/audittrail.log source: audittrail sourcetype: audittrail update_timestamp: true diff --git a/detections/application/splunk_rce_via_serialized_session_payload.yml b/detections/application/splunk_rce_via_serialized_session_payload.yml index 94ac2224a4..e7e417f810 100644 --- a/detections/application/splunk_rce_via_serialized_session_payload.yml +++ b/detections/application/splunk_rce_via_serialized_session_payload.yml @@ -1,25 +1,26 @@ name: Splunk RCE via Serialized Session Payload id: d1d8fda6-874a-400f-82cf-dcbb59d8e4db -version: 1 -date: '2023-10-02' +version: 2 +date: '2024-05-26' author: Chase Franklin, Rod Soto, Eric McGinnis, Splunk status: production type: Hunting -description: In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an attacker can execute a specially crafted query that - they can then use to serialize untrusted data. The attacker can use the query to execute arbitrary code. The exploit requires the use - of the 'collect' SPL command which writes a file within the Splunk Enterprise installation. The attacker can then use this file to - submit a serialized payload that can result in execution of code within the payload. Please refer to the - following URL for additional information on these disclosures - https://advisory.splunk.com -data_source: +description: The following analytic detects the execution of a specially crafted query + using the 'collect' SPL command in Splunk Enterprise versions lower than 8.2.12, + 9.0.6, and 9.1.1. It leverages audit logs to identify searches containing both 'makeresults' + and 'collect' commands. This activity is significant because it can indicate an + attempt to serialize untrusted data, potentially leading to arbitrary code execution. + If confirmed malicious, this could allow an attacker to execute code within the + Splunk environment, leading to unauthorized access and control over the system. +data_source: - Splunk -search: '`audit_searches` file=* (search="*makeresults*" AND search="*collect*") - | stats count min(_time) as firstTime max(_time) as lastTime by action file user splunk_server search - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +search: '`audit_searches` file=* (search="*makeresults*" AND search="*collect*") | + stats count min(_time) as firstTime max(_time) as lastTime by action file user splunk_server + search | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_rce_via_serialized_session_payload_filter`' how_to_implement: Requires access to the _audit index. -known_false_positives: There are numerous many uses of the 'makeresults' and 'collect' SPL commands. - Please evaluate the results of this search for potential abuse. +known_false_positives: There are numerous many uses of the 'makeresults' and 'collect' + SPL commands. Please evaluate the results of this search for potential abuse. references: - https://www.splunk.com/en_us/product-security.html tags: @@ -30,7 +31,8 @@ tags: cve: - CVE-2023-40595 impact: 50 - message: Potential abuse of the 'collect' SPL command against $splunk_server$ by detected by $user$ + message: Potential abuse of the 'collect' SPL command against $splunk_server$ by + detected by $user$ mitre_attack_id: - T1190 observable: @@ -57,7 +59,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/splunk/splunk_rce_via_serialized_session_payload_audittrail.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/splunk/splunk_rce_via_serialized_session_payload_audittrail.log source: audittrail sourcetype: audittrail custom_index: _audit diff --git a/detections/application/splunk_rce_via_splunk_secure_gateway__splunk_mobile_alerts_feature.yml b/detections/application/splunk_rce_via_splunk_secure_gateway__splunk_mobile_alerts_feature.yml index 6c9e582108..0786aaca54 100644 --- a/detections/application/splunk_rce_via_splunk_secure_gateway__splunk_mobile_alerts_feature.yml +++ b/detections/application/splunk_rce_via_splunk_secure_gateway__splunk_mobile_alerts_feature.yml @@ -1,16 +1,18 @@ name: Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature id: baa41f09-df48-4375-8991-520beea161be -version: 1 -date: '2022-10-11' +version: 2 +date: '2024-05-16' author: Rod Soto status: production type: Hunting -description: This hunting search provides information on possible exploitation attempts - against Splunk Secure Gateway App Mobile Alerts feature in Splunk versions 9.0, - 8.2.x, 8.1.x. An authenticated user can run arbitrary operating system commands - remotely through the use of specially crafted requests to the mobile alerts feature - in the Splunk Secure Gateway app. -data_source: +description: The following analytic identifies potential exploitation attempts against + the Splunk Secure Gateway App's Mobile Alerts feature in Splunk versions 9.0, 8.2.x, + and 8.1.x. It detects suspicious activity by monitoring requests to the mobile alerts + endpoint using specific URI paths and query parameters. This activity is significant + because an authenticated user could exploit this vulnerability to execute arbitrary + operating system commands remotely. If confirmed malicious, this could lead to unauthorized + code execution, compromising the integrity and security of the Splunk environment. +data_source: - Splunk search: '`splunkda` uri_path="/servicesNS/nobody/splunk_secure_gateway/storage/collections/data/mobile_alerts*" sort="notification.created_at:-1" | table clientip file host method uri_query sort @@ -19,7 +21,8 @@ how_to_implement: This search only applies if Splunk Mobile Gateway is deployed the vulnerable Splunk versions. known_false_positives: This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. Focus of this - search is "uri_path=/servicesNS/nobody/splunk_secure_gateway/storage/collections/data/mobile_alerts*" + search is + "uri_path=/servicesNS/nobody/splunk_secure_gateway/storage/collections/data/mobile_alerts*" which is the injection point. references: - https://www.splunk.com/en_us/product-security.html @@ -55,7 +58,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1210/splunk/splunk_rce_via_secure_gateway_splunk_mobile_alerts_feature.txt + - data: + https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1210/splunk/splunk_rce_via_secure_gateway_splunk_mobile_alerts_feature.txt source: /opt/splunk/var/log/splunk/splunkd_access.log sourcetype: splunkd_access custom_index: _internal diff --git a/detections/application/splunk_rce_via_user_xslt.yml b/detections/application/splunk_rce_via_user_xslt.yml index ba34faf90f..f6bd1063f7 100644 --- a/detections/application/splunk_rce_via_user_xslt.yml +++ b/detections/application/splunk_rce_via_user_xslt.yml @@ -20,8 +20,8 @@ search: '`splunkd_ui` ((uri="*NO_BINARY_CHECK=1*" AND "*input.path=*.xsl*") OR u | stats count min(_time) as firstTime max(_time) as lastTime by clientip useragent uri decoded_field action host | rename clientip as src, uri as dest_uri | iplocation src | fillnull value="N/A" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | table firstTime, lastTime src, useragent, action, count, Country, Region, City, - dest_uri, decoded_field' + | table firstTime, lastTime src, useragent, action, count, Country, Region, City, dest_uri, decoded_field + | `splunk_rce_via_user_xslt_filter`' how_to_implement: This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. known_false_positives: This search will provide information for investigation and diff --git a/detections/application/splunk_reflected_xss_on_app_search_table_endpoint.yml b/detections/application/splunk_reflected_xss_on_app_search_table_endpoint.yml index a0d0db7a0b..012f3aa620 100644 --- a/detections/application/splunk_reflected_xss_on_app_search_table_endpoint.yml +++ b/detections/application/splunk_reflected_xss_on_app_search_table_endpoint.yml @@ -1,16 +1,29 @@ name: Splunk Reflected XSS on App Search Table Endpoint id: 182f9080-4137-4629-94ac-cb1083ac981a -version: 1 -date: '2023-09-05' +version: 2 +date: '2024-05-23' author: Rod Soto status: production type: Hunting -data_source: +data_source: - Splunk -description: In Splunk Enterprise versions below 9.1.1, 9.0.6, and 8.2.12, an attacker can craft a special web request that can result in reflected cross-site scripting XSS on the app search table web endpoint, which presents as the Create Table View page in Splunk Web. Exploitation of this vulnerability can lead to the execution of arbitrary commands on the Splunk platform instance. A JavaScript file within this web endpoint does not properly validate input which lets an attacker insert a payload into a function. -search: '`splunkd_web` (dataset_commands="*makeresults*" AND dataset_commands="*count*" AND dataset_commands="*eval*" AND dataset_commands="*baseSPL*") | stats count min(_time) as firstTime max(_time) as lastTime by clientip status user view root uri_path | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `splunk_reflected_xss_on_app_search_table_endpoint_filter`' -how_to_implement: Need access to the internal indexes. -known_false_positives: This search will produce false positives. It is necessary to also look at uri_query parameter to determine the possible malicious intention of inserting makeresults within the uri string. +description: The following analytic identifies attempts to exploit a reflected cross-site + scripting (XSS) vulnerability on the app search table endpoint in Splunk Enterprise + versions below 9.1.1, 9.0.6, and 8.2.12. It detects this activity by analyzing web + request logs for specific dataset commands (`makeresults`, `count`, `eval`, `baseSPL`) + within the `splunkd_web` index. This activity is significant because successful + exploitation can lead to the execution of arbitrary commands on the Splunk platform, + potentially compromising the entire instance. If confirmed malicious, attackers + could gain unauthorized access, execute arbitrary code, and manipulate data within + the Splunk environment. +search: '`splunkd_web` (dataset_commands="*makeresults*" AND dataset_commands="*count*" + AND dataset_commands="*eval*" AND dataset_commands="*baseSPL*") | stats count min(_time) + as firstTime max(_time) as lastTime by clientip status user view root uri_path | + `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `splunk_reflected_xss_on_app_search_table_endpoint_filter`' +how_to_implement: Need access to the internal indexes. +known_false_positives: This search will produce false positives. It is necessary to + also look at uri_query parameter to determine the possible malicious intention of + inserting makeresults within the uri string. references: - https://advisory.splunk.com/advisories/SVD-2023-0801 tags: @@ -34,17 +47,18 @@ tags: risk_score: 12 required_fields: - dataset_commands - - clientip - - status - - user - - view - - root - - uri_path + - clientip + - status + - user + - view + - root + - uri_path security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1189/splunk/splunk_reflected_xss_on_app_search_table_endpoint_splunk_web_access.log - source: web_access.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1189/splunk/splunk_reflected_xss_on_app_search_table_endpoint_splunk_web_access.log + source: web_access.log sourcetype: splunk_web_access custom_index: _internal diff --git a/detections/application/splunk_stored_xss_via_data_model_objectname_field.yml b/detections/application/splunk_stored_xss_via_data_model_objectname_field.yml index f7930178b9..ce012d31e8 100644 --- a/detections/application/splunk_stored_xss_via_data_model_objectname_field.yml +++ b/detections/application/splunk_stored_xss_via_data_model_objectname_field.yml @@ -1,15 +1,19 @@ name: Splunk Stored XSS via Data Model objectName field id: 062bff76-5f9c-496e-a386-cb1adcf69871 -version: 1 -date: '2022-10-11' +version: 2 +date: '2024-05-17' author: Rod Soto status: production type: Hunting -description: Splunk Enterprise versions 8.1.12, 8.2.9, 9.0.2 are vulnerable to persistent - cross site scripting via Data Model object name. An authenticated user can inject - and store arbitrary scripts that can lead to persistent cross-site scripting (XSS) - in the object name Data Model. -data_source: +description: The following analytic identifies attempts to exploit a stored cross-site + scripting (XSS) vulnerability in Splunk Enterprise via the Data Model object name + field. It detects this activity by analyzing web access logs (`splunkd_webx`) for + specific URI patterns and non-null query parameters. This activity is significant + because it allows authenticated users to inject and store malicious scripts, leading + to persistent XSS attacks. If confirmed malicious, this could enable attackers to + execute arbitrary scripts in the context of other users, potentially leading to + data theft, session hijacking, or further compromise of the Splunk environment. +data_source: - Splunk search: '`splunkd_webx` uri=/en-US/splunkd/__raw/servicesNS/*/launcher/datamodel/model* uri_query!=null | stats count by _time host status clientip user uri | `splunk_stored_xss_via_data_model_objectname_field_filter`' @@ -56,7 +60,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1189/splunk/splunk_stored_xss_via_data_model_objectname_field.txt + - data: + https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1189/splunk/splunk_stored_xss_via_data_model_objectname_field.txt source: /opt/splunk/var/log/splunk/web_access.log sourcetype: splunk_web_access custom_index: _internal diff --git a/detections/application/splunk_unauthenticated_log_injection_web_service_log.yml b/detections/application/splunk_unauthenticated_log_injection_web_service_log.yml index 1d91b02d5b..b69f9adcfb 100644 --- a/detections/application/splunk_unauthenticated_log_injection_web_service_log.yml +++ b/detections/application/splunk_unauthenticated_log_injection_web_service_log.yml @@ -1,26 +1,37 @@ name: Splunk Unauthenticated Log Injection Web Service Log id: de3908dc-1298-446d-84b9-fa81d37e959b -version: 1 -date: '2023-07-13' +version: 2 +date: '2024-05-19' author: Rod Soto status: production type: Hunting -data_source: +data_source: - Splunk -description: An attacker can use a specially crafted web URL in their browser to cause log file injection, in which the attack inserts American National Standards Institute (ANSI) escape codes into specific files using a terminal program that supports those escape codes. The attack requires a terminal program that supports the translation of ANSI escape codes and requires additional user interaction to successfully execute. This following analytic detects potential log injection attempts into the Splunk server. -search: '`splunkd_webx` uri_path IN ("*\x1B*", "*\u001b*", "*\033*", "*\0x9*", "*\0x8*") | stats count by uri_path method host status clientip | `splunk_unauthenticated_log_injection_web_service_log_filter`' -how_to_implement: This only affects web enabled Splunk instances. The detection does require the ability to search the _internal index. -known_false_positives: This hunting search will produce false positives if ANSI escape characters are included in URLs either voluntarily or by accident. This search will not detect obfuscated ANSI characters. +description: The following analytic identifies potential log injection attempts into + the Splunk server via specially crafted web URLs. It detects ANSI escape codes within + the `uri_path` field of `splunkd_webx` logs. This activity is significant as it + can lead to log file manipulation, potentially obfuscating malicious actions or + misleading analysts. If confirmed malicious, an attacker could manipulate log files + to hide their tracks or execute further attacks, compromising the integrity of the + logging system and making incident response more challenging. +search: '`splunkd_webx` uri_path IN ("*\x1B*", "*\u001b*", "*\033*", "*\0x9*", "*\0x8*") + | stats count by uri_path method host status clientip | `splunk_unauthenticated_log_injection_web_service_log_filter`' +how_to_implement: This only affects web enabled Splunk instances. The detection does + require the ability to search the _internal index. +known_false_positives: This hunting search will produce false positives if ANSI escape + characters are included in URLs either voluntarily or by accident. This search will + not detect obfuscated ANSI characters. references: -- https://advisory.splunk.com/advisories/SVD-2023-0606 +- https://advisory.splunk.com/advisories/SVD-2023-0606 tags: analytic_story: - Splunk Vulnerabilities asset_type: Endpoint confidence: 30 impact: 30 - message: Possible Splunk unauthenticated log injection web service log exploitation attempt against $host$ from $clientip$ - cve: + message: Possible Splunk unauthenticated log injection web service log exploitation + attempt against $host$ from $clientip$ + cve: - CVE-2023-32712 mitre_attack_id: - T1190 @@ -41,15 +52,16 @@ tags: required_fields: - method - uri_path - - host - - status - - clientip + - host + - status + - clientip security_domain: endpoint tests: - name: True Positive Test - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/splunk/web_access.log + attack_data: + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/splunk/web_access.log source: /opt/splunk/var/log/splunk/web_access.log custom_index: _internal sourcetype: splunk_web_access - + diff --git a/detections/application/splunk_unnecessary_file_extensions_allowed_by_lookup_table_uploads.yml b/detections/application/splunk_unnecessary_file_extensions_allowed_by_lookup_table_uploads.yml index e21ddae906..e54983f982 100644 --- a/detections/application/splunk_unnecessary_file_extensions_allowed_by_lookup_table_uploads.yml +++ b/detections/application/splunk_unnecessary_file_extensions_allowed_by_lookup_table_uploads.yml @@ -1,56 +1,67 @@ name: Splunk unnecessary file extensions allowed by lookup table uploads id: b7d1293f-e78f-415e-b5f6-443df3480082 -version: 1 -date: "2023-02-14" +version: 2 +date: "2024-05-28" author: Rod Soto, Splunk type: TTP status: production -data_source: +data_source: - Splunk -description: In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the lookup table uploads let a user upload lookup tables with unnecessary filename extensions. Lookup table file extensions may now only be one of .csv, .csv.gz, .kmz, .kml, .mmdb, or .mmdb.gz. This search provides user activity focus on uploads which aims to help hunt for malicious file uploads. -search: - '`splunkda` method IN ("POST", "DELETE") uri_path=/servicesNS/*/ui/views/* - | eval activity = case( method=="POST" AND like( uri_path , "%/acl" ) , "Permissions Update", method=="POST" AND NOT like( uri_path , "%/acl" ) , "Edited" , method=="DELETE" , "Deleted" ) - | rex field=uri_path "(?.*?)\/ui\/views/(?.*)" - | eval dashboard = urldecode( dashboard_encoded ) - | table _time, uri_path, user, dashboard, activity, uri_path - | `splunk_unnecessary_file_extensions_allowed_by_lookup_table_uploads_filter`' +description: The following analytic identifies user activity related to uploading + lookup tables with unnecessary filename extensions in Splunk Enterprise versions + below 8.1.13, 8.2.10, and 9.0.4. It detects this activity by monitoring HTTP methods + (POST, DELETE) and specific URI paths in the internal `splunkd_access` logs. This + behavior is significant because it can indicate attempts to upload potentially malicious + files disguised as lookup tables. If confirmed malicious, this activity could allow + an attacker to execute unauthorized code or manipulate data within the Splunk environment, + leading to potential data breaches or system compromise. +search: '`splunkda` method IN ("POST", "DELETE") uri_path=/servicesNS/*/ui/views/* + | eval activity = case( method=="POST" AND like( uri_path , "%/acl" ) , "Permissions + Update", method=="POST" AND NOT like( uri_path , "%/acl" ) , "Edited" , method=="DELETE" + , "Deleted" ) | rex field=uri_path "(?.*?)\/ui\/views/(?.*)" + | eval dashboard = urldecode( dashboard_encoded ) | table _time, uri_path, user, + dashboard, activity, uri_path | `splunk_unnecessary_file_extensions_allowed_by_lookup_table_uploads_filter`' how_to_implement: Requires access to internal splunkd_access. -known_false_positives: This is a hunting search, the search provides information on upload, edit, and delete activity on Lookup Tables. Manual investigation is necessary after executing search. This search will produce false positives as payload cannot be directly discerned. +known_false_positives: This is a hunting search, the search provides information on + upload, edit, and delete activity on Lookup Tables. Manual investigation is necessary + after executing search. This search will produce false positives as payload cannot + be directly discerned. references: - - https://www.splunk.com/en_us/product-security.html +- https://www.splunk.com/en_us/product-security.html tags: analytic_story: - - Splunk Vulnerabilities + - Splunk Vulnerabilities asset_type: Endpoint cve: - - CVE-2023-22937 + - CVE-2023-22937 confidence: 50 dataset: - - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1189/splunk/splunk_unnecesary_file_extensions_allowed_by_lookup_table_uploads.log + - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1189/splunk/splunk_unnecesary_file_extensions_allowed_by_lookup_table_uploads.log impact: 50 - message: Potential lookup template injection attempt from $user$ on lookup table at path $uri_path$ + message: Potential lookup template injection attempt from $user$ on lookup table + at path $uri_path$ mitre_attack_id: - - T1189 + - T1189 observable: - - name: user - type: User - role: - - Victim + - name: user + type: User + role: + - Victim product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud required_fields: - - user - - method - - uri_path + - user + - method + - uri_path risk_score: 25 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1189/splunk/splunk_unnecesary_file_extensions_allowed_by_lookup_table_uploads.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1189/splunk/splunk_unnecesary_file_extensions_allowed_by_lookup_table_uploads.log source: /opt/splunk/var/log/splunk/splunkd_access.log sourcetype: splunkd_access - custom_index: _internal \ No newline at end of file + custom_index: _internal diff --git a/detections/application/splunk_user_enumeration_attempt.yml b/detections/application/splunk_user_enumeration_attempt.yml index fab150417e..d4fcbacb3a 100644 --- a/detections/application/splunk_user_enumeration_attempt.yml +++ b/detections/application/splunk_user_enumeration_attempt.yml @@ -1,19 +1,22 @@ name: Splunk User Enumeration Attempt id: 25625cb4-1c4d-4463-b0f9-7cb462699cde -version: 2 -date: '2024-03-19' +version: 3 +date: '2024-05-21' author: Lou Stella, Splunk status: production type: TTP -description: On May 3rd, 2022, Splunk published a security advisory for username - enumeration stemming from verbose login failure messages present on some REST endpoints. - This detection will alert on attempted exploitation in patched versions of Splunk - as well as actual exploitation in unpatched version of Splunk. -data_source: +description: The following analytic identifies attempts to enumerate usernames in + Splunk by detecting multiple failed authentication attempts from the same source. + It leverages data from the `_audit` index, specifically focusing on failed authentication + events. This activity is significant for a SOC because it can indicate an attacker + trying to discover valid usernames, which is a precursor to more targeted attacks + like password spraying or brute force attempts. If confirmed malicious, this activity + could lead to unauthorized access, compromising the security of the Splunk environment + and potentially exposing sensitive data. +data_source: - Splunk search: ' `splunkd_failed_auths` | stats count(user) as auths by user, src | where - auths>5 | stats values(user) as user, sum(auths) as TotalFailedAuths by src | - `splunk_user_enumeration_attempt_filter`' + auths>5 | stats values(user) as user, sum(auths) as TotalFailedAuths by src | `splunk_user_enumeration_attempt_filter`' how_to_implement: This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. This detection may assist in efforts to find password spraying or brute force authorization attempts @@ -56,7 +59,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/splunkd_auth/audittrail.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/splunkd_auth/audittrail.log source: audittrail sourcetype: audittrail custom_index: _audit diff --git a/detections/application/splunk_xss_in_highlighted_json_events.yml b/detections/application/splunk_xss_in_highlighted_json_events.yml index 739b61e97b..b9dafdd9f8 100644 --- a/detections/application/splunk_xss_in_highlighted_json_events.yml +++ b/detections/application/splunk_xss_in_highlighted_json_events.yml @@ -1,28 +1,34 @@ name: Splunk XSS in Highlighted JSON Events id: 1030bc63-0b37-4ac9-9ae0-9361c955a3cc -version: 1 -date: '2023-11-16' +version: 2 +date: '2024-05-28' author: Rod Soto, Splunk status: production type: Hunting -data_source: +data_source: - Splunk -description: This detection provides information about possible exploitation against affected versions of Splunk Enterprise 9.1.2. - The ability to view JSON logs in the web GUI may be abused by crafting a specific request, causing the execution of javascript - in script tags. This vulnerability can be used to execute javascript to access the API at the permission level of the - logged-in user. If user is admin it can be used to create an admin user, giving an attacker broad access to the Splunk Environment. -search: '`splunkd_ui` "/en-US/splunkd/__raw/servicesNS/nobody/search/authentication/users" status=201 - | stats count min(_time) as firstTime max(_time) as lastTime by clientip, uri_path, method - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +description: The following analytic identifies potential exploitation of a Cross-Site + Scripting (XSS) vulnerability in Splunk Enterprise 9.1.2. It detects suspicious + requests to the Splunk web GUI that may execute JavaScript within script tags. This + detection leverages logs from the `splunkd_ui` data source, focusing on specific + URI paths and HTTP methods. This activity is significant as it can allow attackers + to execute arbitrary JavaScript, potentially accessing the API with the logged-in + user's permissions. If the user is an admin, the attacker could create an admin + account, leading to full control over the Splunk environment. +search: '`splunkd_ui` "/en-US/splunkd/__raw/servicesNS/nobody/search/authentication/users" + status=201 | stats count min(_time) as firstTime max(_time) as lastTime by clientip, + uri_path, method | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_xss_in_highlighted_json_events_filter`' -how_to_implement: This search only applies to web-GUI-enabled Splunk instances and operator must have access to internal indexes. -known_false_positives: This is a hunting search and will produce false positives as it is not possible to view contents of a request - payload. It shows the artifact resulting from a potential exploitation payload (the creation of a user with admin privileges). +how_to_implement: This search only applies to web-GUI-enabled Splunk instances and + operator must have access to internal indexes. +known_false_positives: This is a hunting search and will produce false positives as + it is not possible to view contents of a request payload. It shows the artifact + resulting from a potential exploitation payload (the creation of a user with admin + privileges). references: -- https://advisory.splunk.com/advisories +- https://advisory.splunk.com/advisories cve: - - CVE-2023-46213 +- CVE-2023-46213 tags: analytic_story: - Splunk Vulnerabilities @@ -31,27 +37,28 @@ tags: impact: 30 message: Possible XSS exploitation from $clientip$ mitre_attack_id: - - T1189 + - T1189 observable: - - name: clientip - type: IP Address - role: - - Attacker + - name: clientip + type: IP Address + role: + - Attacker product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud risk_score: 15 required_fields: - - clientip - - uri_path - - method - - status + - clientip + - uri_path + - method + - status security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1189/splunk/splunk_xss_in_highlighted_json_events_splunkd_ui_access.log - source: splunkd_ui_access.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1189/splunk/splunk_xss_in_highlighted_json_events_splunkd_ui_access.log + source: splunkd_ui_access.log sourcetype: splunkd_ui_access - custom_index: _internal \ No newline at end of file + custom_index: _internal diff --git a/detections/application/splunk_xss_in_monitoring_console.yml b/detections/application/splunk_xss_in_monitoring_console.yml index fe1b93e156..33c0828bd7 100644 --- a/detections/application/splunk_xss_in_monitoring_console.yml +++ b/detections/application/splunk_xss_in_monitoring_console.yml @@ -1,15 +1,17 @@ name: Splunk XSS in Monitoring Console id: b11accac-6fa3-4103-8a1a-7210f1a67087 -version: 1 -date: '2022-04-27' +version: 2 +date: '2024-05-17' author: Lou Stella, Splunk status: experimental type: TTP -description: On May 3rd, 2022, Splunk published a security advisory for a reflective - Cross-Site Scripting (XSS) vulnerability stemming from the lack of input validation - in the Distributed Monitoring Console app. This detection will alert on attempted - exploitation in patched versions of Splunk as well as actual exploitation in unpatched - version of Splunk. +description: The following analytic identifies attempts to exploit a reflective Cross-Site + Scripting (XSS) vulnerability in the Splunk Distributed Monitoring Console app. + It detects GET requests with suspicious query parameters by analyzing `splunkd_web` + logs in the _internal index. This activity is significant because it targets a known + vulnerability (CVE-2022-27183) that could allow attackers to execute arbitrary scripts + in the context of the user's browser. If confirmed malicious, this could lead to + unauthorized actions, data theft, or further compromise of the Splunk environment. data_source: [] search: ' `splunkd_web` method="GET" uri_query="description=%3C*" | table _time host status clientip user uri | `splunk_xss_in_monitoring_console_filter`' @@ -52,6 +54,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1189/xss/splunk_web_access.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1189/xss/splunk_web_access.log source: /opt/splunk/var/log/splunk/web_access.log sourcetype: splunk_web_access diff --git a/detections/application/splunk_xss_in_save_table_dialog_header_in_search_page.yml b/detections/application/splunk_xss_in_save_table_dialog_header_in_search_page.yml index 5402027fba..0170ae5774 100644 --- a/detections/application/splunk_xss_in_save_table_dialog_header_in_search_page.yml +++ b/detections/application/splunk_xss_in_save_table_dialog_header_in_search_page.yml @@ -1,15 +1,19 @@ name: Splunk XSS in Save table dialog header in search page id: a974d1ee-ddca-4837-b6ad-d55a8a239c20 -version: 1 -date: '2022-10-11' +version: 2 +date: '2024-05-27' author: Rod Soto status: production type: Hunting -description: This is a hunting search to find persistent cross-site scripting XSS - code that was included while inputing data in 'Save Table' dialog in Splunk Enterprise - (8.1.12,8.2.9,9.0.2). A remote user with "power" Splunk role can store this code - that can lead to persistent cross site scripting. -data_source: +description: The following analytic identifies persistent cross-site scripting (XSS) + attempts in the 'Save Table' dialog on the Splunk search page. It detects POST requests + to the endpoint `/en-US/splunkd/__raw/servicesNS/nobody/search/datamodel/model` + containing potential XSS payloads. This activity is significant because it can allow + a remote user with the "power" role to inject malicious scripts, leading to persistent + XSS vulnerabilities. If confirmed malicious, this could enable attackers to execute + arbitrary scripts in the context of the affected user, potentially leading to data + theft, session hijacking, or further exploitation within the Splunk environment. +data_source: - Splunk search: '`splunkd_webx` method=POST uri=/en-US/splunkd/__raw/servicesNS/nobody/search/datamodel/model | table _time host status clientip user uri | `splunk_xss_in_save_table_dialog_header_in_search_page_filter`' @@ -55,7 +59,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1189/splunk/splunk_xss_in_save_table_dialog_in_search_page.txt + - data: + https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1189/splunk/splunk_xss_in_save_table_dialog_in_search_page.txt source: /opt/splunk/var/log/splunk/web_access.log sourcetype: splunk_web_access custom_index: _internal diff --git a/detections/application/splunk_xss_via_view.yml b/detections/application/splunk_xss_via_view.yml index 183f530cef..c4271c50a6 100644 --- a/detections/application/splunk_xss_via_view.yml +++ b/detections/application/splunk_xss_via_view.yml @@ -1,16 +1,20 @@ name: Splunk XSS via View id: 9ac2bfea-a234-4a18-9d37-6d747e85c2e4 -version: 1 -date: '2023-02-07' +version: 2 +date: '2024-05-13' author: Rod Soto, Eric McGinnis, Splunk status: production type: Hunting -description: In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, a View - allows for Cross-Site Scripting in an XML View through the 'layoutPanel' attribute - in the 'module' tag. The vulnerability affects instances with Splunk Web enabled. - This hunting search shows users action, application and role used for creating views - related to this vulnerability. -data_source: +description: The following analytic identifies potential Cross-Site Scripting (XSS) + attempts via the 'layoutPanel' attribute in the 'module' tag within XML Views in + Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4. It leverages internal + logs from "splunk_web_service" and "splunk_python" sourcetypes, focusing on messages + containing "loadParams." This activity is significant as it can lead to unauthorized + script execution within the Splunk Web interface, potentially compromising the security + of the instance. If confirmed malicious, attackers could execute arbitrary scripts, + leading to data theft, session hijacking, or further exploitation of the Splunk + environment. +data_source: - Splunk search: 'index = _internal sourcetype IN ("splunk_web_service", "splunk_python") message="*loadParams*" | `security_content_ctime(_time)` | table _time message fileName | `splunk_xss_via_view_filter`' @@ -52,7 +56,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1189/splunk/splunk_xss_via_view.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1189/splunk/splunk_xss_via_view.log source: /opt/splunk/var/log/splunk/web_service.log sourcetype: splunk_web_service custom_index: _internal diff --git a/detections/application/suspicious_email_attachment_extensions.yml b/detections/application/suspicious_email_attachment_extensions.yml index deda2074fd..964deb407c 100644 --- a/detections/application/suspicious_email_attachment_extensions.yml +++ b/detections/application/suspicious_email_attachment_extensions.yml @@ -1,18 +1,18 @@ name: Suspicious Email Attachment Extensions id: 473bd65f-06ca-4dfe-a2b8-ba04ab4a0084 -version: 3 -date: '2023-04-14' +version: 4 +date: '2024-05-29' author: David Dorsey, Splunk status: experimental type: Anomaly description: |- - The following analytic detects emails that contain attachments with suspicious file extensions. Detecting and responding to emails with suspicious attachments can mitigate the risks associated with phishing and malware attacks, thereby protecting the organization's data and systems from potential harm. The detection is made by using a Splunk query that searches for emails in the datamodel=Email where the filename of the attachment is not empty. The analytic uses the tstats command to summarize the count, first time, and last time of the emails that meet the criteria. It groups the results by the source user, file name, and message ID of the email. The detection is important because it indicates potential phishing or malware delivery attempts in which an attacker attempts to deliver malicious content through email attachments, which can lead to data breaches, malware infections, or unauthorized access to sensitive information. Next steps include reviewing the identified emails and attachments and analyzing the source user, file name, and message ID to determine if they are legitimate or malicious. Additionally, you must inspect any relevant on-disk artifacts associated with the attachments and investigate any concurrent processes to identify the source of the attack. + The following analytic detects emails containing attachments with suspicious file extensions. It leverages the Email data model in Splunk, using the tstats command to identify emails where the attachment filename is not empty. This detection is significant for SOC analysts as it highlights potential phishing or malware delivery attempts, which are common vectors for data breaches and malware infections. If confirmed malicious, this activity could lead to unauthorized access to sensitive information, system compromise, or data exfiltration. Immediate review and analysis of the identified emails and attachments are crucial to mitigate these risks. data_source: [] search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Email where All_Email.file_name="*" by All_Email.src_user, All_Email.file_name All_Email.message_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name("All_Email")` | `suspicious_email_attachments` - | `suspicious_email_attachment_extensions_filter` ' + | `suspicious_email_attachment_extensions_filter`' how_to_implement: You need to ingest data from emails. Specifically, the sender's address and the file names of any attachments must be mapped to the Email data model. diff --git a/detections/application/web_servers_executing_suspicious_processes.yml b/detections/application/web_servers_executing_suspicious_processes.yml index f3541da280..f9cd51422a 100644 --- a/detections/application/web_servers_executing_suspicious_processes.yml +++ b/detections/application/web_servers_executing_suspicious_processes.yml @@ -1,12 +1,12 @@ name: Web Servers Executing Suspicious Processes id: ec3b7601-689a-4463-94e0-c9f45638efb9 -version: 1 -date: '2019-04-01' +version: 2 +date: '2024-05-11' author: David Dorsey, Splunk status: experimental type: TTP description: |- - The following analytic detects suspicious processes on systems labeled as web servers. This detection is made by a Splunk query that searches for specific process names that might indicate malicious activity. These suspicious processes include "whoami", "ping", "iptables", "wget", "service", and "curl". Uses the Splunk data model "Endpoint.Processes" and filters the results to only include systems categorized as web servers. This detection is important because it indicates unauthorized or malicious activity on web servers since these processes are commonly used by attackers to perform reconnaissance, establish persistence, or exfiltrate data from compromised systems. The impact of such an attack can be significant, ranging from data theft to the deployment of additional malicious payloads, potentially leading to ransomware or other damaging outcomes. False positives might occur since the legitimate use of these processes on web servers can trigger the analytic. Next steps include triaging and investigating to determine the legitimacy of the activity. Also, review the source and command of the suspicious process. You must also examine any relevant on-disk artifacts and look for concurrent processes to identify the source of the attack. + The following analytic detects the execution of suspicious processes on systems identified as web servers. It leverages the Splunk data model "Endpoint.Processes" to search for specific process names such as "whoami", "ping", "iptables", "wget", "service", and "curl". This activity is significant because these processes are often used by attackers for reconnaissance, persistence, or data exfiltration. If confirmed malicious, this could lead to data theft, deployment of additional malware, or even ransomware attacks. Immediate investigation is required to determine the legitimacy of the activity and mitigate potential threats. data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) diff --git a/detections/cloud/abnormally_high_number_of_cloud_instances_destroyed.yml b/detections/cloud/abnormally_high_number_of_cloud_instances_destroyed.yml index 725b0e7dcd..aea878fa80 100644 --- a/detections/cloud/abnormally_high_number_of_cloud_instances_destroyed.yml +++ b/detections/cloud/abnormally_high_number_of_cloud_instances_destroyed.yml @@ -1,13 +1,18 @@ name: Abnormally High Number Of Cloud Instances Destroyed id: ef629fc9-1583-4590-b62a-f2247fbf7bbf -version: 1 -date: '2020-08-21' +version: 2 +date: '2024-05-27' author: David Dorsey, Splunk status: experimental type: Anomaly -description: This search finds for the number successfully destroyed cloud instances - for every 4 hour block. This is split up between weekdays and the weekend. It then - applies the probability densitiy model previously created and alerts on any outliers. +description: The following analytic identifies an abnormally high number of cloud + instances being destroyed within a 4-hour period. It leverages cloud infrastructure + logs and applies a probability density model to detect outliers. This activity is + significant for a SOC because a sudden spike in destroyed instances could indicate + malicious activity, such as an insider threat or a compromised account attempting + to disrupt services. If confirmed malicious, this could lead to significant operational + disruptions, data loss, and potential financial impact due to the destruction of + critical cloud resources. data_source: [] search: '| tstats count as instances_destroyed values(All_Changes.object_id) as object_id from datamodel=Change where All_Changes.action=deleted AND All_Changes.status=success diff --git a/detections/cloud/abnormally_high_number_of_cloud_instances_launched.yml b/detections/cloud/abnormally_high_number_of_cloud_instances_launched.yml index 3562a72081..21ab397c4f 100644 --- a/detections/cloud/abnormally_high_number_of_cloud_instances_launched.yml +++ b/detections/cloud/abnormally_high_number_of_cloud_instances_launched.yml @@ -1,13 +1,17 @@ name: Abnormally High Number Of Cloud Instances Launched id: f2361e9f-3928-496c-a556-120cd4223a65 -version: 2 -date: '2020-08-21' +version: 3 +date: '2024-05-16' author: David Dorsey, Splunk status: experimental type: Anomaly -description: This search finds for the number successfully created cloud instances - for every 4 hour block. This is split up between weekdays and the weekend. It then - applies the probability densitiy model previously created and alerts on any outliers. +description: The following analytic detects an abnormally high number of cloud instances + launched within a 4-hour period. It leverages cloud infrastructure logs and applies + a probability density model to identify outliers based on historical data. This + activity is significant for a SOC because a sudden spike in instance creation could + indicate unauthorized access or misuse of cloud resources. If confirmed malicious, + this behavior could lead to resource exhaustion, increased costs, or provide attackers + with additional compute resources to further their objectives. data_source: [] search: '| tstats count as instances_launched values(All_Changes.object_id) as object_id from datamodel=Change where (All_Changes.action=created) AND All_Changes.status=success diff --git a/detections/cloud/amazon_eks_kubernetes_cluster_scan_detection.yml b/detections/cloud/amazon_eks_kubernetes_cluster_scan_detection.yml index cdf7ea4299..f9ea6826ae 100644 --- a/detections/cloud/amazon_eks_kubernetes_cluster_scan_detection.yml +++ b/detections/cloud/amazon_eks_kubernetes_cluster_scan_detection.yml @@ -18,7 +18,7 @@ search: '`aws_cloudwatchlogs_eks` "user.username"="system:anonymous" userAgent!= max(_time) as lastTime values(responseStatus.reason) values(source) as cluster_name values(responseStatus.code) values(userAgent) as http_user_agent values(verb) values(requestURI) by src_ip user.username user.groups{} | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` - |`amazon_eks_kubernetes_cluster_scan_detection_filter` ' + |`amazon_eks_kubernetes_cluster_scan_detection_filter`' how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudWatch EKS Logs inputs. diff --git a/detections/cloud/amazon_eks_kubernetes_pod_scan_detection.yml b/detections/cloud/amazon_eks_kubernetes_pod_scan_detection.yml index 02d44cdb96..fade7ab0fe 100644 --- a/detections/cloud/amazon_eks_kubernetes_pod_scan_detection.yml +++ b/detections/cloud/amazon_eks_kubernetes_pod_scan_detection.yml @@ -1,19 +1,19 @@ name: Amazon EKS Kubernetes Pod scan detection id: dbfca1dd-b8e5-4ba4-be0e-e565e5d62002 -version: 1 -date: '2020-04-15' +version: 2 +date: '2024-05-29' author: Rod Soto, Splunk status: experimental type: Hunting description: |- - The following analytic detects unauthenticated requests made against the Kubernetes' Pods API through proactive monitoring to protect the Kubernetes environment from unauthorized access and potential security breaches. The detection is made by using the Splunk query `aws_cloudwatchlogs_eks` with specific filters to identify these requests. Identifies events where the `user.username` is set to "system:anonymous", the `verb` is set to "list", and the `objectRef.resource` is set to "pods". Additionally, the search checks if the `requestURI` is equal to "/api/v1/pods". Analyzing these events helps you to identify any unauthorized access attempts to the Kubernetes' Pods API. Unauthenticated requests can indicate potential security breaches or unauthorized access to sensitive resources within the Kubernetes environment. The detection is important because unauthorized access to Kubernetes' Pods API can lead to the compromise of sensitive data, unauthorized execution of commands, or even the potential for lateral movement within the Kubernetes cluster. False positives might occur since there might be legitimate use cases for unauthenticated requests in certain scenarios. Therefore, you must review and validate any detected events before taking any action. Next steps include investigating the incident to mitigate any ongoing threats, and strengthening the security measures to prevent future unauthorized access attempts. + The following analytic detects unauthenticated requests made against the Kubernetes Pods API, indicating potential unauthorized access attempts. It leverages the `aws_cloudwatchlogs_eks` data source, filtering for events where `user.username` is "system:anonymous", `verb` is "list", and `objectRef.resource` is "pods", with `requestURI` set to "/api/v1/pods". This activity is significant as it may signal attempts to access sensitive resources or execute unauthorized commands within the Kubernetes environment. If confirmed malicious, such access could lead to data compromise, unauthorized command execution, or lateral movement within the cluster. data_source: [] search: '`aws_cloudwatchlogs_eks` "user.username"="system:anonymous" verb=list objectRef.resource=pods requestURI="/api/v1/pods" | rename source as cluster_name sourceIPs{} as src_ip | stats count min(_time) as firstTime max(_time) as lastTime values(responseStatus.reason) values(responseStatus.code) values(userAgent) values(verb) values(requestURI) by src_ip cluster_name user.username user.groups{} | `security_content_ctime(lastTime)` - | `security_content_ctime(firstTime)` | `amazon_eks_kubernetes_pod_scan_detection_filter` ' + | `security_content_ctime(firstTime)` | `amazon_eks_kubernetes_pod_scan_detection_filter`' how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on forAWS (version 4.4.0 or later), then configure your AWS CloudWatch EKS Logs.Please also customize the `kubernetes_pods_aws_scan_fingerprint_detection` diff --git a/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml b/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml index b3e2636cd3..2edc3ae569 100644 --- a/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml +++ b/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml @@ -1,21 +1,19 @@ name: ASL AWS Concurrent Sessions From Different Ips id: b3424bbe-3204-4469-887b-ec144483a336 -version: 2 -date: '2024-02-13' +version: 3 +date: '2024-05-24' author: Patrick Bareiss, Splunk status: production type: Anomaly description: The following analytic identifies an AWS IAM account with concurrent - sessions coming from more than one unique IP address within the span of 5 minutes. - This behavior could represent a session hijacking attack whereby an adversary has - extracted cookies from a victims browser and is using them from a different location - to access corporate online resources. When a user navigates the AWS Console after - authentication, the API call with the event name `DescribeEventAggregates` is registered - in the AWS CloudTrail logs. The Splunk Threat Research team leveraged this event - name to identify 2 concurrent sessions. The presence of this event occurring from - two different IP addresses is highly unlikely. As users may behave differently across - organizations, security teams should test and customize this detection to fit their - environments. + sessions originating from more than one unique IP address within a 5-minute span. + This detection leverages AWS CloudTrail logs, specifically the `DescribeEventAggregates` + API call, to identify multiple IP addresses associated with the same user session. + This behavior is significant as it may indicate a session hijacking attack, where + an adversary uses stolen session cookies to access AWS resources from a different + location. If confirmed malicious, this activity could allow unauthorized access + to sensitive corporate resources, leading to potential data breaches or further + exploitation. data_source: [] search: ' `amazon_security_lake` api.operation=DescribeEventAggregates "http_request.user_agent"!="AWS Internal" "src_endpoint.domain"!="health.amazonaws.com" | eval time = time/pow(10,3) @@ -24,7 +22,7 @@ search: ' `amazon_security_lake` api.operation=DescribeEventAggregates "http_req | stats values(src_endpoint.ip) as src_ip dc(src_endpoint.ip) as distinct_ip_count values(cloud.region) as cloud.region by time api.operation actor.user.account_uid actor.user.uid | where distinct_ip_count > 1 | rename cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id, actor.user.uid as user -| `aws_concurrent_sessions_from_different_ips_filter`' +| `asl_aws_concurrent_sessions_from_different_ips_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or @@ -43,7 +41,8 @@ tags: asset_type: AWS Account confidence: 60 impact: 70 - message: User $user$ has concurrent sessions from more than one unique IP address in the span of 5 minutes. + message: User $user$ has concurrent sessions from more than one unique IP address + in the span of 5 minutes. mitre_attack_id: - T1185 observable: @@ -61,8 +60,8 @@ tags: - Splunk Cloud required_fields: - api.operation - - actor.user.account_uid - - actor.user.name + - actor.user.account_uid + - actor.user.name - actor.user.uid - http_request.user_agent - src_endpoint.ip @@ -73,6 +72,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1185/aws_concurrent_sessions_from_different_ips/asl_ocsf_cloudtrail.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1185/aws_concurrent_sessions_from_different_ips/asl_ocsf_cloudtrail.json sourcetype: aws:cloudtrail:lake source: aws_asl diff --git a/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml b/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml index 34ed4b08e8..4b958baf05 100644 --- a/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml +++ b/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml @@ -1,26 +1,30 @@ name: ASL AWS Defense Evasion Delete Cloudtrail id: 1f0b47e5-0134-43eb-851c-e3258638945e -version: 3 -date: '2024-02-12' +version: 4 +date: '2024-05-29' author: Patrick Bareiss, Splunk status: production type: TTP -description: The following analytic detects the deletion of AWS CloudTrail logs, a critical event that could indicate - an adversary's attempt to evade detection. By identifying `DeleteTrail` events within CloudTrail logs, this analytic helps - in uncovering efforts to impair defense mechanisms by preventing the logging of malicious activities. Such actions allow adversaries - to operate undetected within a compromised AWS environment. Recognizing these deletion events is crucial for a - Security Operations Center (SOC) as it signals a potential compromise and the attacker's intent to hide their tracks, - making it a significant threat to the integrity and security of cloud environments. The impact of this attack is substantial, - as it can lead to a complete loss of visibility into the activities within the environment, hindering incident response and forensics efforts. +description: The following analytic detects AWS `DeleteTrail` events within CloudTrail + logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema + Framework (OCSF) format to identify when a CloudTrail is deleted. This activity + is significant because adversaries may delete CloudTrail logs to evade detection + and operate with stealth. If confirmed malicious, this action could allow attackers + to cover their tracks, making it difficult to trace their activities and investigate + other potential compromises within the AWS environment. data_source: [] -search: '`amazon_security_lake` api.operation=DeleteTrail | fillnull - | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region - | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)`| +search: '`amazon_security_lake` api.operation=DeleteTrail | fillnull | stats count + min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid + actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid + as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent + as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `asl_aws_defense_evasion_delete_cloudtrail_filter`' -how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides - security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, - ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or - the Federated Analytics App. +how_to_implement: The detection is based on Amazon Security Lake events from Amazon + Web Services (AWS), which is a centralized data lake that provides security-related + data from AWS services. To use this detection, you must ingest CloudTrail logs from + Amazon Security Lake into Splunk. To run this search, ensure that you ingest events + using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) + or the Federated Analytics App. known_false_positives: While this search has no known false positives, it is possible that an AWS admin has stopped cloudTrail logging. Please investigate this activity. references: @@ -50,8 +54,8 @@ tags: - Splunk Cloud required_fields: - api.operation - - actor.user.account_uid - - actor.user.name + - actor.user.account_uid + - actor.user.name - actor.user.uid - http_request.user_agent - src_endpoint.ip @@ -61,6 +65,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/stop_delete_cloudtrail/asl_ocsf_cloudtrail.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/stop_delete_cloudtrail/asl_ocsf_cloudtrail.json sourcetype: aws:cloudtrail:lake source: aws_asl diff --git a/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml b/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml index 30ccae16b4..c9b279013a 100644 --- a/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml +++ b/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml @@ -1,26 +1,31 @@ name: ASL AWS Defense Evasion Delete CloudWatch Log Group id: 0f701b38-a0fb-43fd-a83d-d12265f71f33 -version: 2 -date: '2024-02-12' +version: 3 +date: '2024-05-25' author: Patrick Bareiss, Splunk status: production type: TTP -description: The following analytic detects the deletion of CloudWatch Log Groups within AWS CloudTrail logs. - This action is indicative of an attacker's attempt to evade detection by disrupting the logging and monitoring capabilities of CloudWatch. - By identifying and analyzing `DeleteLogGroup` events, this analytic helps in uncovering efforts to obscure malicious activities within a - compromised AWS environment. Such evasion tactics are critical for a Security Operations Center (SOC) to identify as they signal an - attacker's intent to operate undetected, posing a significant threat to the integrity and security of cloud environments. - The impact of this attack is substantial, as it can lead to a loss of visibility into potentially malicious activities, - hindering incident response and forensics efforts. +description: The following analytic detects the deletion of CloudWatch log groups + in AWS, identified through `DeleteLogGroup` events in CloudTrail logs. This method + leverages Amazon Security Lake logs parsed in the OCSF format. The activity is significant + because attackers may delete log groups to evade detection and disrupt logging capabilities, + hindering incident response efforts. If confirmed malicious, this action could allow + attackers to cover their tracks, making it difficult to trace their activities and + potentially leading to undetected data breaches or further malicious actions within + the compromised AWS environment. data_source: [] -search: '`amazon_security_lake` api.operation=DeleteLogGroup | fillnull - | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region - | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)`| +search: '`amazon_security_lake` api.operation=DeleteLogGroup | fillnull | stats count + min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid + actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid + as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent + as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`' -how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides - security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, - ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or - the Federated Analytics App. +how_to_implement: The detection is based on Amazon Security Lake events from Amazon + Web Services (AWS), which is a centralized data lake that provides security-related + data from AWS services. To use this detection, you must ingest CloudTrail logs from + Amazon Security Lake into Splunk. To run this search, ensure that you ingest events + using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) + or the Federated Analytics App. known_false_positives: While this search has no known false positives, it is possible that an AWS admin has deleted CloudWatch logging. Please investigate this activity. references: @@ -50,8 +55,8 @@ tags: - Splunk Cloud required_fields: - api.operation - - actor.user.account_uid - - actor.user.name + - actor.user.account_uid + - actor.user.name - actor.user.uid - http_request.user_agent - src_endpoint.ip @@ -61,6 +66,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/delete_cloudwatch_log_group/asl_ocsf_cloudtrail.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/delete_cloudwatch_log_group/asl_ocsf_cloudtrail.json source: aws_asl sourcetype: aws:cloudtrail:lake diff --git a/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml b/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml index ea859b18fa..5dd6005f28 100644 --- a/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml +++ b/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml @@ -1,27 +1,31 @@ name: ASL AWS Defense Evasion Impair Security Services id: 5029b681-0462-47b7-82e7-f7e3d37f5a2d -version: 2 -date: '2024-02-12' +version: 3 +date: '2024-05-13' author: Patrick Bareiss, Bhavin Patel, Gowthamaraj Rajendran, Splunk status: production type: Hunting -description: The following analytic detects the deletion of critical AWS Security Services configurations through specific API calls - to services like CloudWatch, GuardDuty, and Web Application Firewalls. By monitoring for these deletion actions, the analytic aims - to identify attempts by adversaries to undermine security defenses, such as erasing logging configurations or removing detection mechanisms. - This behavior is crucial for a Security Operations Center (SOC) to identify as it can indicate an attacker's intent to operate - undetected by eliminating evidence of their presence and activities. The impact of such attacks is significant, potentially leaving - the environment vulnerable to further exploitation without any traceable logs or alerts. +description: The following analytic detects the deletion of critical AWS Security + Services configurations, such as CloudWatch alarms, GuardDuty detectors, and Web + Application Firewall rules. It leverages Amazon Security Lake logs to identify specific + API calls like "DeleteLogStream" and "DeleteDetector." This activity is significant + because adversaries often use these actions to disable security monitoring and evade + detection. If confirmed malicious, this could allow attackers to operate undetected, + leading to potential data breaches, unauthorized access, and prolonged persistence + within the AWS environment. data_source: [] -search: '`amazon_security_lake` api.operation IN ("DeleteLogStream","DeleteDetector","DeleteIPSet","DeleteWebACL","DeleteRule","DeleteRuleGroup","DeleteLoggingConfiguration","DeleteAlarms") | fillnull - | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region - | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `asl_aws_defense_evasion_impair_security_services_filter`' -how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides - security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, - ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or - the Federated Analytics App. +search: '`amazon_security_lake` api.operation IN ("DeleteLogStream","DeleteDetector","DeleteIPSet","DeleteWebACL","DeleteRule","DeleteRuleGroup","DeleteLoggingConfiguration","DeleteAlarms") + | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation + actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region + | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, + http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_impair_security_services_filter`' +how_to_implement: The detection is based on Amazon Security Lake events from Amazon + Web Services (AWS), which is a centralized data lake that provides security-related + data from AWS services. To use this detection, you must ingest CloudTrail logs from + Amazon Security Lake into Splunk. To run this search, ensure that you ingest events + using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) + or the Federated Analytics App. known_false_positives: While this search has no known false positives, it is possible that it is a legitimate admin activity. Please consider filtering out these noisy events using userAgent, user_arn field names. @@ -55,8 +59,8 @@ tags: - Splunk Cloud required_fields: - api.operation - - actor.user.account_uid - - actor.user.name + - actor.user.account_uid + - actor.user.name - actor.user.uid - http_request.user_agent - src_endpoint.ip @@ -66,6 +70,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/aws_delete_security_services/asl_ocsf_cloudtrail.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/aws_delete_security_services/asl_ocsf_cloudtrail.json sourcetype: aws:cloudtrail:lake source: aws_asl diff --git a/detections/cloud/asl_aws_iam_delete_policy.yml b/detections/cloud/asl_aws_iam_delete_policy.yml index 411e5c45f1..102a00c7cf 100644 --- a/detections/cloud/asl_aws_iam_delete_policy.yml +++ b/detections/cloud/asl_aws_iam_delete_policy.yml @@ -1,24 +1,29 @@ name: ASL AWS IAM Delete Policy id: 609ced68-d420-4ff7-8164-ae98b4b4018c -version: 2 -date: '2024-02-13' +version: 3 +date: '2024-05-22' author: Patrick Bareiss, Splunk status: production type: Hunting -description: The following analytic detects the deletion of an AWS policy, a critical action that could indicate an attempt to alter permissions - or reduce security controls. By monitoring AWS logs for `DeletePolicy` events, this analytic identifies both successful and attempted deletions, - providing insights into potentially malicious activities. Identifying such behavior is crucial for a Security Operations Center (SOC) as it may - signal an adversary's effort to escalate privileges or evade detection. The impact of unauthorized policy deletion is significant, - potentially leading to compromised accounts or data exposure. +description: The following analytic identifies when a policy is deleted in AWS. It + leverages Amazon Security Lake logs to detect the DeletePolicy API operation. Monitoring + policy deletions is crucial as it can indicate unauthorized attempts to weaken security + controls. If confirmed malicious, this activity could allow an attacker to remove + critical security policies, potentially leading to privilege escalation or unauthorized + access to sensitive resources. data_source: [] -search: '`amazon_security_lake` api.operation=DeletePolicy | fillnull - | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.name actor.user.uid http_request.user_agent src_endpoint.ip cloud.region - | rename actor.user.name as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id +search: '`amazon_security_lake` api.operation=DeletePolicy | fillnull | stats count + min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid + actor.user.name actor.user.uid http_request.user_agent src_endpoint.ip cloud.region + | rename actor.user.name as user, src_endpoint.ip as src_ip, cloud.region as region, + http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_delete_policy_filter`' -how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides - security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, - ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or - the Federated Analytics App. +how_to_implement: The detection is based on Amazon Security Lake events from Amazon + Web Services (AWS), which is a centralized data lake that provides security-related + data from AWS services. To use this detection, you must ingest CloudTrail logs from + Amazon Security Lake into Splunk. To run this search, ensure that you ingest events + using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) + or the Federated Analytics App. known_false_positives: This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to @@ -51,8 +56,8 @@ tags: - Splunk Cloud required_fields: - api.operation - - actor.user.account_uid - - actor.user.name + - actor.user.account_uid + - actor.user.name - actor.user.uid - http_request.user_agent - src_endpoint.ip @@ -62,6 +67,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/aws_iam_delete_policy/asl_ocsf_cloudtrail.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/aws_iam_delete_policy/asl_ocsf_cloudtrail.json sourcetype: aws:cloudtrail:lake source: aws_asl diff --git a/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml b/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml index 687dad9523..eb58b23a3a 100644 --- a/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml +++ b/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml @@ -1,26 +1,31 @@ name: ASL AWS Multi-Factor Authentication Disabled id: 4d2df5e0-1092-4817-88a8-79c7fa054668 -version: 2 -date: '2024-02-13' +version: 3 +date: '2024-05-22' author: Patrick Bareiss, Splunk status: production type: TTP -description: The following analytic detects when multi-factor authentication (MFA) is disabled for an AWS IAM user. It operates by monitoring for - specific API calls that deactivate MFA, signaling a potential unauthorized attempt to weaken account security. This behavior is critical for a - Security Operations Center (SOC) to identify, as disabling MFA removes a significant barrier against unauthorized access, making accounts more - vulnerable to compromise. The impact of such an attack is substantial, as it allows adversaries to maintain access within the environment with - less risk of detection, facilitating further malicious activities. +description: The following analytic detects attempts to disable multi-factor authentication + (MFA) for an AWS IAM user. It leverages Amazon Security Lake logs, specifically + monitoring for `DeleteVirtualMFADevice` or `DeactivateMFADevice` API operations. + This activity is significant as disabling MFA can indicate an adversary attempting + to weaken account security to maintain persistence using a compromised account. + If confirmed malicious, this action could allow attackers to retain access to the + AWS environment without detection, potentially leading to unauthorized access to + sensitive resources and prolonged compromise. data_source: [] -search: '`amazon_security_lake` (api.operation=DeleteVirtualMFADevice OR api.operation=DeactivateMFADevice) | fillnull - | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region - | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `asl_aws_multi_factor_authentication_disabled_filter`' -how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides - security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, - ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or - the Federated Analytics App. +search: '`amazon_security_lake` (api.operation=DeleteVirtualMFADevice OR api.operation=DeactivateMFADevice) + | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation + actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region + | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, + http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_multi_factor_authentication_disabled_filter`' +how_to_implement: The detection is based on Amazon Security Lake events from Amazon + Web Services (AWS), which is a centralized data lake that provides security-related + data from AWS services. To use this detection, you must ingest CloudTrail logs from + Amazon Security Lake into Splunk. To run this search, ensure that you ingest events + using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) + or the Federated Analytics App. known_false_positives: AWS Administrators may disable MFA but it is highly unlikely for this event to occur without prior notice to the company references: @@ -54,8 +59,8 @@ tags: - Splunk Cloud required_fields: - api.operation - - actor.user.account_uid - - actor.user.name + - actor.user.account_uid + - actor.user.name - actor.user.uid - http_request.user_agent - src_endpoint.ip @@ -65,6 +70,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/aws_mfa_disabled/asl_ocsf_cloudtrail.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/aws_mfa_disabled/asl_ocsf_cloudtrail.json sourcetype: aws:cloudtrail:lake source: aws_asl diff --git a/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml b/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml index 065fbc79b7..526f66fd1c 100644 --- a/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml +++ b/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml @@ -1,26 +1,31 @@ name: ASL AWS New MFA Method Registered For User id: 33ae0931-2a03-456b-b1d7-b016c5557fbd -version: 2 -date: '2024-02-13' +version: 3 +date: '2024-05-18' author: Patrick Bareiss, Splunk status: experimental type: TTP -description: The following analytic detects when a new Multi-Factor Authentication (MFA) method is registered for an AWS account, as logged - through Amazon Security Lake (ASL). This behavior is detected by monitoring ASL logs for specific API calls associated with MFA registration. - Identifying this activity is crucial for a Security Operations Center (SOC) because unauthorized registration of a new MFA method can indicate - an adversary's attempt to establish or maintain access to a compromised account. The impact of such an attack is significant as it can enable - persistent access for the attacker, potentially leading to further compromise and exploitation of cloud resources. +description: The following analytic identifies the registration of a new Multi-Factor + Authentication (MFA) method for an AWS account, as logged through Amazon Security + Lake (ASL). It detects this activity by monitoring the `CreateVirtualMFADevice` + API operation within ASL logs. This behavior is significant because adversaries + who gain unauthorized access to an AWS account may register a new MFA method to + maintain persistence. If confirmed malicious, this activity could allow attackers + to secure their access, making it harder to detect and remove their presence from + the compromised environment. data_source: [] -search: ' `amazon_security_lake` api.operation=CreateVirtualMFADevice | fillnull - | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.name actor.user.uid http_request.user_agent src_endpoint.ip cloud.region - | rename actor.user.name as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `asl_aws_new_mfa_method_registered_for_user_filter`' -how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides - security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, - ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or - the Federated Analytics App. +search: ' `amazon_security_lake` api.operation=CreateVirtualMFADevice | fillnull | + stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid + actor.user.name actor.user.uid http_request.user_agent src_endpoint.ip cloud.region + | rename actor.user.name as user, src_endpoint.ip as src_ip, cloud.region as region, + http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_new_mfa_method_registered_for_user_filter`' +how_to_implement: The detection is based on Amazon Security Lake events from Amazon + Web Services (AWS), which is a centralized data lake that provides security-related + data from AWS services. To use this detection, you must ingest CloudTrail logs from + Amazon Security Lake into Splunk. To run this search, ensure that you ingest events + using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) + or the Federated Analytics App. known_false_positives: Newly onboarded users who are registering an MFA method for the first time will also trigger this detection. references: @@ -53,8 +58,8 @@ tags: - Splunk Cloud required_fields: - api.operation - - actor.user.account_uid - - actor.user.name + - actor.user.account_uid + - actor.user.name - actor.user.uid - http_request.user_agent - src_endpoint.ip @@ -64,6 +69,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556.006/aws_new_mfa_method_registered_for_user/asl_ocsf_cloudtrail.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556.006/aws_new_mfa_method_registered_for_user/asl_ocsf_cloudtrail.json sourcetype: aws:cloudtrail:lake source: aws_asl diff --git a/detections/cloud/aws_ami_attribute_modification_for_exfiltration.yml b/detections/cloud/aws_ami_attribute_modification_for_exfiltration.yml index aa56819462..6737f239da 100644 --- a/detections/cloud/aws_ami_attribute_modification_for_exfiltration.yml +++ b/detections/cloud/aws_ami_attribute_modification_for_exfiltration.yml @@ -1,19 +1,27 @@ name: AWS AMI Attribute Modification for Exfiltration id: f2132d74-cf81-4c5e-8799-ab069e67dc9f -version: 2 -date: '2023-03-31' +version: 3 +date: '2024-05-09' author: Bhavin Patel, Splunk status: production type: TTP -data_source: +data_source: - AWS CloudTrail ModifyImageAttribute -description: This search looks for suspicious AWS AMI attribute modifications, such as sharing it with another AWS account or making the full AMI image public. Adversaries are known to abuse these APIs to exfiltrate sensitive organization information stored in the AWS Resources, there by its very important to monitor these seemingly benign API activity in Cloudtrail logs. -search: '`cloudtrail` eventName=ModifyImageAttribute (requestParameters.launchPermission.add.items{}.userId = * OR requestParameters.launchPermission.add.items{}.group = all) - | rename requestParameters.launchPermission.add.items{}.group as group_added - | rename requestParameters.launchPermission.add.items{}.userId as accounts_added - | eval ami_status=if(match(group_added,"all") ,"Public AMI", "Not Public") | stats - count min(_time) as firstTime max(_time) as lastTime values(group_added) values(accounts_added) as accounts_added values(ami_status) by src_ip region eventName userAgent user_arn aws_account_id userIdentity.principalId - | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `aws_ami_attribute_modification_for_exfiltration_filter`' +description: The following analytic detects suspicious modifications to AWS AMI attributes, + such as sharing an AMI with another AWS account or making it publicly accessible. + It leverages AWS CloudTrail logs to identify these changes by monitoring specific + API calls. This activity is significant because adversaries can exploit these modifications + to exfiltrate sensitive data stored in AWS resources. If confirmed malicious, this + could lead to unauthorized access and potential data breaches, compromising the + confidentiality and integrity of organizational information. +search: '`cloudtrail` eventName=ModifyImageAttribute (requestParameters.launchPermission.add.items{}.userId + = * OR requestParameters.launchPermission.add.items{}.group = all) | rename requestParameters.launchPermission.add.items{}.group + as group_added | rename requestParameters.launchPermission.add.items{}.userId as + accounts_added | eval ami_status=if(match(group_added,"all") ,"Public AMI", "Not + Public") | stats count min(_time) as firstTime max(_time) as lastTime values(group_added) + values(accounts_added) as accounts_added values(ami_status) by src_ip region eventName + userAgent user_arn aws_account_id userIdentity.principalId | `security_content_ctime(firstTime)`| + `security_content_ctime(lastTime)` | `aws_ami_attribute_modification_for_exfiltration_filter`' how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. known_false_positives: It is possible that an AWS admin has legitimately shared a @@ -29,7 +37,8 @@ tags: asset_type: EC2 Snapshot confidence: 80 impact: 100 - message: AWS AMI from account $aws_account_id$ is shared externally with $accounts_added$ from $src_ip$ or AMI made is made Public. + message: AWS AMI from account $aws_account_id$ is shared externally with $accounts_added$ + from $src_ip$ or AMI made is made Public. mitre_attack_id: - T1537 observable: @@ -64,7 +73,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1537/aws_ami_shared_public/aws_cloudtrail_events.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1537/aws_ami_shared_public/aws_cloudtrail_events.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true \ No newline at end of file + update_timestamp: true diff --git a/detections/cloud/aws_concurrent_sessions_from_different_ips.yml b/detections/cloud/aws_concurrent_sessions_from_different_ips.yml index 275fdb61de..7ba859e18e 100644 --- a/detections/cloud/aws_concurrent_sessions_from_different_ips.yml +++ b/detections/cloud/aws_concurrent_sessions_from_different_ips.yml @@ -1,22 +1,19 @@ name: AWS Concurrent Sessions From Different Ips id: 51c04fdb-2746-465a-b86e-b413a09c9085 -version: 1 -date: '2023-02-01' +version: 2 +date: '2024-05-15' author: Bhavin Patel, Splunk status: production type: TTP description: The following analytic identifies an AWS IAM account with concurrent - sessions coming from more than one unique IP address within the span of 5 minutes. - This behavior could represent a session hijacking attack whereby an adversary has - extracted cookies from a victims browser and is using them from a different location - to access corporate online resources. When a user navigates the AWS Console after - authentication, the API call with the event name `DescribeEventAggregates` is registered - in the AWS CloudTrail logs. The Splunk Threat Research team leveraged this event - name to identify 2 concurrent sessions. The presence of this event occurring from - two different IP addresses is highly unlikely. As users may behave differently across - organizations, security teams should test and customize this detection to fit their - environments. -data_source: + sessions originating from more than one unique IP address within a 5-minute window. + It leverages AWS CloudTrail logs, specifically the `DescribeEventAggregates` event, + to detect this behavior. This activity is significant as it may indicate a session + hijacking attack, where an adversary uses stolen session cookies to access AWS resources + from a different location. If confirmed malicious, this could allow unauthorized + access to sensitive corporate resources, leading to potential data breaches or further + exploitation within the AWS environment. +data_source: - AWS CloudTrail DescribeEventAggregates search: ' `cloudtrail` eventName = DescribeEventAggregates src_ip!="AWS Internal" | bin span=5m _time | stats values(userAgent) values(eventName) values(src_ip) as @@ -68,7 +65,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1185/aws_concurrent_sessions_from_different_ips/cloudtrail.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1185/aws_concurrent_sessions_from_different_ips/cloudtrail.json sourcetype: aws:cloudtrail source: aws_cloudtrail update_timestamp: true diff --git a/detections/cloud/aws_console_login_failed_during_mfa_challenge.yml b/detections/cloud/aws_console_login_failed_during_mfa_challenge.yml index f392e64283..49099d57ac 100644 --- a/detections/cloud/aws_console_login_failed_during_mfa_challenge.yml +++ b/detections/cloud/aws_console_login_failed_during_mfa_challenge.yml @@ -1,17 +1,19 @@ name: AWS Console Login Failed During MFA Challenge id: 55349868-5583-466f-98ab-d3beb321961e -version: 1 -date: '2022-10-03' +version: 2 +date: '2024-05-29' author: Bhavin Patel, Splunk status: production type: TTP -description: The following analytic identifies an authentication attempt event against - an AWS Console that fails during the Multi Factor Authentication challenge. AWS - Cloudtrail logs provide a a very useful field called `additionalEventData` that - logs information regarding usage of MFA. This behavior may represent an adversary - trying to authenticate with compromised credentials for an account that has multi-factor - authentication enabled. -data_source: +description: The following analytic identifies failed authentication attempts to the + AWS Console during the Multi-Factor Authentication (MFA) challenge. It leverages + AWS CloudTrail logs, specifically the `additionalEventData` field, to detect when + MFA was used but the login attempt still failed. This activity is significant as + it may indicate an adversary attempting to access an account with compromised credentials + but being thwarted by MFA. If confirmed malicious, this could suggest an ongoing + attempt to breach the account, potentially leading to unauthorized access and further + attacks if MFA is bypassed. +data_source: - AWS CloudTrail ConsoleLogin search: '`cloudtrail` eventName= ConsoleLogin errorMessage="Failed authentication" additionalEventData.MFAUsed = "Yes" | stats count min(_time) as firstTime max(_time) @@ -68,7 +70,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/aws_failed_mfa/cloudtrail.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/aws_failed_mfa/cloudtrail.json sourcetype: aws:cloudtrail source: aws_cloudtrail update_timestamp: true diff --git a/detections/cloud/aws_create_policy_version_to_allow_all_resources.yml b/detections/cloud/aws_create_policy_version_to_allow_all_resources.yml index 570543068f..e769fabfc5 100644 --- a/detections/cloud/aws_create_policy_version_to_allow_all_resources.yml +++ b/detections/cloud/aws_create_policy_version_to_allow_all_resources.yml @@ -1,13 +1,18 @@ name: AWS Create Policy Version to allow all resources id: 2a9b80d3-6340-4345-b5ad-212bf3d0dac4 -version: 4 -date: '2024-04-16' +version: 5 +date: '2024-05-10' author: Bhavin Patel, Splunk status: production type: TTP -description: This search looks for AWS CloudTrail events where a user created a policy - version that allows them to access any resource in their account. -data_source: +description: The following analytic identifies the creation of a new AWS IAM policy + version that allows access to all resources. It detects this activity by analyzing + AWS CloudTrail logs for the CreatePolicyVersion event with a policy document that + grants broad permissions. This behavior is significant because it violates the principle + of least privilege, potentially exposing the environment to misuse or abuse. If + confirmed malicious, an attacker could gain extensive access to AWS resources, leading + to unauthorized actions, data exfiltration, or further compromise of the AWS environment. +data_source: - AWS CloudTrail CreatePolicyVersion search: '`cloudtrail` eventName=CreatePolicyVersion eventSource = iam.amazonaws.com errorCode = success | spath input=requestParameters.policyDocument output=key_policy_statements @@ -61,7 +66,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_create_policy_version/aws_cloudtrail_events.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_create_policy_version/aws_cloudtrail_events.json sourcetype: aws:cloudtrail source: aws_cloudtrail update_timestamp: true diff --git a/detections/cloud/aws_createaccesskey.yml b/detections/cloud/aws_createaccesskey.yml index 52a140e0b3..f9bc4065ea 100644 --- a/detections/cloud/aws_createaccesskey.yml +++ b/detections/cloud/aws_createaccesskey.yml @@ -1,21 +1,18 @@ name: AWS CreateAccessKey id: 2a9b80d3-6340-4345-11ad-212bf3d0d111 -version: 3 -date: '2022-03-03' +version: 4 +date: '2024-05-12' author: Bhavin Patel, Splunk status: production type: Hunting -description: This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. - An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. - While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative - of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to - establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS - services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. - Consequently, it's important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with - unusual activity or are created by users who don't typically perform these actions. This hunting query identifies when a potentially compromised user - creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed - manual during threat hunting. -data_source: +description: The following analytic identifies the creation of AWS IAM access keys + by a user for another user, which can indicate privilege escalation. It leverages + AWS CloudTrail logs to detect instances where the user creating the access key is + different from the user for whom the key is created. This activity is significant + because unauthorized access key creation can allow attackers to establish persistence + or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized + access to AWS services, data exfiltration, and long-term persistence in the environment. +data_source: - AWS CloudTrail CreateAccessKey search: '`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success | eval match=if(match(userIdentity.userName,requestParameters.userName),1,0) @@ -65,7 +62,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_createaccesskey/aws_cloudtrail_events.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_createaccesskey/aws_cloudtrail_events.json sourcetype: aws:cloudtrail source: aws_cloudtrail update_timestamp: true diff --git a/detections/cloud/aws_createloginprofile.yml b/detections/cloud/aws_createloginprofile.yml index d63d30cc18..ab82917ec6 100644 --- a/detections/cloud/aws_createloginprofile.yml +++ b/detections/cloud/aws_createloginprofile.yml @@ -1,15 +1,18 @@ name: AWS CreateLoginProfile id: 2a9b80d3-6340-4345-11ad-212bf444d111 -version: 2 -date: '2021-07-19' +version: 3 +date: '2024-05-16' author: Bhavin Patel, Splunk status: production type: TTP -description: This search looks for AWS CloudTrail events where a user A(victim A) - creates a login profile for user B, followed by a AWS Console login event from user - B from the same src_ip as user B. This correlated event can be indicative of privilege - escalation since both events happened from the same src_ip -data_source: +description: The following analytic identifies the creation of a login profile for + one AWS user by another, followed by a console login from the same source IP. It + uses AWS CloudTrail logs to correlate the `CreateLoginProfile` and `ConsoleLogin` + events based on the source IP and user identity. This activity is significant as + it may indicate privilege escalation, where an attacker creates a new login profile + to gain unauthorized access. If confirmed malicious, this could allow the attacker + to escalate privileges and maintain persistent access to the AWS environment. +data_source: - AWS CloudTrail CreateLoginProfile - AWS CloudTrail ConsoleLogin search: '`cloudtrail` eventName = CreateLoginProfile | rename requestParameters.userName @@ -62,7 +65,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_createloginprofile/aws_cloudtrail_events.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_createloginprofile/aws_cloudtrail_events.json sourcetype: aws:cloudtrail source: aws_cloudtrail update_timestamp: true diff --git a/detections/cloud/aws_credential_access_failed_login.yml b/detections/cloud/aws_credential_access_failed_login.yml index 2236880be6..502061bce0 100644 --- a/detections/cloud/aws_credential_access_failed_login.yml +++ b/detections/cloud/aws_credential_access_failed_login.yml @@ -1,15 +1,19 @@ name: AWS Credential Access Failed Login id: a19b354d-0d7f-47f3-8ea6-1a7c36434968 -version: 1 -date: '2022-08-07' +version: 2 +date: '2024-05-16' author: Gowthamaraj Rajendran, Bhavin Patel, Splunk status: production type: TTP -description: It shows that there have been an unsuccessful attempt to log in using - the user identity to the AWS management console. Since the user identity has access - to AWS account services and resources, an attacker might try to brute force the - password for that identity. -data_source: +description: The following analytic identifies unsuccessful login attempts to the + AWS Management Console using a specific user identity. It leverages AWS CloudTrail + logs to detect failed authentication events associated with the AWS ConsoleLogin + action. This activity is significant for a SOC because repeated failed login attempts + may indicate a brute force attack or unauthorized access attempts. If confirmed + malicious, an attacker could potentially gain access to AWS account services and + resources, leading to data breaches, resource manipulation, or further exploitation + within the AWS environment. +data_source: - AWS CloudTrail search: '| tstats count earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Authentication where Authentication.action = failure Authentication.app=AwsConsoleSignIn @@ -61,7 +65,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/aws_login_failure/aws_cloudtrail_events.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/aws_login_failure/aws_cloudtrail_events.json source: aws_cloudtrail sourcetype: aws:cloudtrail update_timestamp: true diff --git a/detections/cloud/aws_credential_access_rds_password_reset.yml b/detections/cloud/aws_credential_access_rds_password_reset.yml index ca998bd4e8..542a8622a7 100644 --- a/detections/cloud/aws_credential_access_rds_password_reset.yml +++ b/detections/cloud/aws_credential_access_rds_password_reset.yml @@ -1,16 +1,19 @@ name: AWS Credential Access RDS Password reset id: 6153c5ea-ed30-4878-81e6-21ecdb198189 -version: 2 -date: '2024-03-19' +version: 3 +date: '2024-05-09' author: Gowthamaraj Rajendran, Splunk status: production type: TTP -description: The master user password for Amazon RDS DB instance can be reset using - the Amazon RDS console. Using this technique, the attacker can get access to the - sensitive data from the DB. Usually, the production databases may have sensitive - data like Credit card information, PII, Health care Data. This event should be investigated - further. -data_source: +description: The following analytic detects the resetting of the master user password + for an Amazon RDS DB instance. It leverages AWS CloudTrail logs to identify events + where the `ModifyDBInstance` API call includes a new `masterUserPassword` parameter. + This activity is significant because unauthorized password resets can grant attackers + access to sensitive data stored in production databases, such as credit card information, + PII, and healthcare data. If confirmed malicious, this could lead to data breaches, + regulatory non-compliance, and significant reputational damage. Immediate investigation + is required to determine the legitimacy of the password reset. +data_source: - AWS CloudTrail ModifyDBInstance search: '`cloudtrail` eventSource="rds.amazonaws.com" eventName=ModifyDBInstance "requestParameters.masterUserPassword"=* | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.dBInstanceIdentifier) @@ -58,7 +61,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.002/aws_rds_password_reset/aws_cloudtrail_events.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.002/aws_rds_password_reset/aws_cloudtrail_events.json source: aws_cloudtrail sourcetype: aws:cloudtrail update_timestamp: true diff --git a/detections/cloud/aws_defense_evasion_delete_cloudtrail.yml b/detections/cloud/aws_defense_evasion_delete_cloudtrail.yml index b00004005a..e06a095bef 100644 --- a/detections/cloud/aws_defense_evasion_delete_cloudtrail.yml +++ b/detections/cloud/aws_defense_evasion_delete_cloudtrail.yml @@ -1,16 +1,19 @@ name: AWS Defense Evasion Delete Cloudtrail id: 82092925-9ca1-4e06-98b8-85a2d3889552 -version: 1 -date: '2022-07-13' +version: 2 +date: '2024-05-14' author: Bhavin Patel, Splunk status: production type: TTP -description: This analytic identifies AWS `DeleteTrail` events within CloudTrail logs. - Adversaries often try to impair their target's defenses by stopping their malicious - activity from being logged, so that they may operate with stealth and avoid detection. - When the adversary has the right type of permissions in the compromised AWS environment, - they may delete the the entire cloudtrail that is logging activities in the environment. -data_source: +description: The following analytic detects the deletion of AWS CloudTrail logs by + identifying `DeleteTrail` events within CloudTrail logs. This detection leverages + CloudTrail data to monitor for successful `DeleteTrail` actions, excluding those + initiated from the AWS console. This activity is significant because adversaries + may delete CloudTrail logs to evade detection and operate stealthily within the + compromised environment. If confirmed malicious, this action could allow attackers + to cover their tracks, making it difficult to trace their activities and potentially + leading to prolonged unauthorized access and further exploitation. +data_source: - AWS CloudTrail DeleteTrail search: '`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success| stats count min(_time) as @@ -61,6 +64,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/stop_delete_cloudtrail/aws_cloudtrail_events.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/stop_delete_cloudtrail/aws_cloudtrail_events.json sourcetype: aws:cloudtrail source: aws_cloudtrail diff --git a/detections/cloud/aws_defense_evasion_delete_cloudwatch_log_group.yml b/detections/cloud/aws_defense_evasion_delete_cloudwatch_log_group.yml index 5e30979e6a..3867484e20 100644 --- a/detections/cloud/aws_defense_evasion_delete_cloudwatch_log_group.yml +++ b/detections/cloud/aws_defense_evasion_delete_cloudwatch_log_group.yml @@ -1,16 +1,19 @@ name: AWS Defense Evasion Delete CloudWatch Log Group id: d308b0f1-edb7-4a62-a614-af321160710f -version: 1 -date: '2022-07-17' +version: 2 +date: '2024-05-26' author: Gowthamaraj Rajendran, Splunk status: production type: TTP -description: This analytic identifies AWS `DeleteLogGroup` events in CloudTrail logs. - Attackers may evade the logging capability by deleting the log group in CloudWatch. - This will stop sending the logs and metrics to CloudWatch. When the adversary has - the right type of permissions within the compromised AWS environment, they may delete - the CloudWatch log group that is logging activities in the environment. -data_source: +description: The following analytic detects the deletion of CloudWatch log groups + in AWS, identified through `DeleteLogGroup` events in CloudTrail logs. This detection + leverages CloudTrail data to monitor for successful log group deletions, excluding + console-based actions. This activity is significant as it indicates potential attempts + to evade logging and monitoring, which is crucial for maintaining visibility into + AWS activities. If confirmed malicious, this could allow attackers to hide their + tracks, making it difficult to detect further malicious actions or investigate incidents + within the compromised AWS environment. +data_source: - AWS CloudTrail DeleteLogGroup search: '`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success| stats count min(_time) as @@ -61,7 +64,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/delete_cloudwatch_log_group/aws_cloudtrail_events.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/delete_cloudwatch_log_group/aws_cloudtrail_events.json source: aws_cloudtrail sourcetype: aws:cloudtrail update_timestamp: true diff --git a/detections/cloud/aws_defense_evasion_impair_security_services.yml b/detections/cloud/aws_defense_evasion_impair_security_services.yml index c4b768bf04..a9a0b4337e 100644 --- a/detections/cloud/aws_defense_evasion_impair_security_services.yml +++ b/detections/cloud/aws_defense_evasion_impair_security_services.yml @@ -1,17 +1,19 @@ name: AWS Defense Evasion Impair Security Services id: b28c4957-96a6-47e0-a965-6c767aac1458 -version: 1 -date: '2022-07-26' +version: 2 +date: '2024-05-26' author: Bhavin Patel, Gowthamaraj Rajendran, Splunk status: production type: Hunting -description: This analytic looks for several delete specific API calls made to AWS - Security Services like CloudWatch, GuardDuty and Web Application Firewalls. These - API calls are often leveraged by adversaries to weaken existing security defenses - by deleting logging configurations in the CloudWatch alarm, delete a set of detectors - from your Guardduty environment or simply delete a bunch of CloudWatch alarms to - remain stealthy and avoid detection. -data_source: +description: The following analytic detects attempts to delete critical AWS security + service configurations, such as CloudWatch alarms, GuardDuty detectors, and Web + Application Firewall rules. It leverages CloudTrail logs to identify specific API + calls like "DeleteLogStream" and "DeleteDetector." This activity is significant + because it indicates potential efforts to disable security monitoring and evade + detection. If confirmed malicious, this could allow attackers to operate undetected, + escalate privileges, or exfiltrate data without triggering security alerts, severely + compromising the security posture of the AWS environment. +data_source: - AWS CloudTrail DeleteLogStream - AWS CloudTrail DeleteDetector - AWS CloudTrail DeleteIPSet @@ -73,7 +75,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/aws_delete_security_services/aws_cloudtrail_events.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/aws_delete_security_services/aws_cloudtrail_events.json sourcetype: aws:cloudtrail source: aws_cloudtrail update_timestamp: true diff --git a/detections/cloud/aws_defense_evasion_putbucketlifecycle.yml b/detections/cloud/aws_defense_evasion_putbucketlifecycle.yml index 85a7f532ca..acb04a8e34 100644 --- a/detections/cloud/aws_defense_evasion_putbucketlifecycle.yml +++ b/detections/cloud/aws_defense_evasion_putbucketlifecycle.yml @@ -1,16 +1,18 @@ name: AWS Defense Evasion PutBucketLifecycle id: ce1c0e2b-9303-4903-818b-0d9002fc6ea4 -version: 1 -date: '2022-07-25' +version: 2 +date: '2024-05-28' author: Bhavin Patel status: production type: Hunting -description: This analytic identifies `PutBucketLifecycle` events in CloudTrail logs - where a user has created a new lifecycle rule for an S3 bucket with a short expiration - period. Attackers may use this API call to impair the CloudTrail logging by removing - logs from the S3 bucket by changing the object expiration day to 1 day, in which - case the CloudTrail logs will be deleted. -data_source: +description: The following analytic detects `PutBucketLifecycle` events in AWS CloudTrail + logs where a user sets a lifecycle rule for an S3 bucket with an expiration period + of fewer than three days. This detection leverages CloudTrail logs to identify suspicious + lifecycle configurations. This activity is significant because attackers may use + it to delete CloudTrail logs quickly, thereby evading detection and impairing forensic + investigations. If confirmed malicious, this could allow attackers to cover their + tracks, making it difficult to trace their actions and respond to the breach effectively. +data_source: - AWS CloudTrail PutBucketLifecycle search: '`cloudtrail` eventName=PutBucketLifecycle user_type=IAMUser errorCode=success | spath path=requestParameters{}.LifecycleConfiguration{}.Rule{}.Expiration{}.Days @@ -66,7 +68,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/put_bucketlifecycle/aws_cloudtrail_events.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/put_bucketlifecycle/aws_cloudtrail_events.json sourcetype: aws:cloudtrail source: aws_cloudtrail update_timestamp: true diff --git a/detections/cloud/aws_defense_evasion_stop_logging_cloudtrail.yml b/detections/cloud/aws_defense_evasion_stop_logging_cloudtrail.yml index ffccb9af65..67ff658ff1 100644 --- a/detections/cloud/aws_defense_evasion_stop_logging_cloudtrail.yml +++ b/detections/cloud/aws_defense_evasion_stop_logging_cloudtrail.yml @@ -1,16 +1,19 @@ name: AWS Defense Evasion Stop Logging Cloudtrail id: 8a2f3ca2-4eb5-4389-a549-14063882e537 -version: 1 -date: '2022-07-12' +version: 2 +date: '2024-05-15' author: Bhavin Patel, Splunk status: production type: TTP -description: This analytic identifies `StopLogging` events in CloudTrail logs. Adversaries - often try to impair their target's defenses by stopping their macliious activity - from being logged, so that they may operate with stealth and avoid detection. When - the adversary has the right type of permissions in the compromised AWS environment, - they may easily stop logging. -data_source: +description: The following analytic detects `StopLogging` events in AWS CloudTrail + logs. It leverages CloudTrail event data to identify when logging is intentionally + stopped, excluding console-based actions and focusing on successful attempts. This + activity is significant because adversaries may stop logging to evade detection + and operate stealthily within the compromised environment. If confirmed malicious, + this action could allow attackers to perform further activities without being logged, + hindering incident response and forensic investigations, and potentially leading + to unauthorized access or data exfiltration. +data_source: - AWS CloudTrail StopLogging search: '`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success| stats count min(_time) as @@ -61,6 +64,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/stop_delete_cloudtrail/aws_cloudtrail_events.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/stop_delete_cloudtrail/aws_cloudtrail_events.json sourcetype: aws:cloudtrail source: aws_cloudtrail diff --git a/detections/cloud/aws_defense_evasion_update_cloudtrail.yml b/detections/cloud/aws_defense_evasion_update_cloudtrail.yml index 249b246495..98568672ed 100644 --- a/detections/cloud/aws_defense_evasion_update_cloudtrail.yml +++ b/detections/cloud/aws_defense_evasion_update_cloudtrail.yml @@ -1,17 +1,19 @@ name: AWS Defense Evasion Update Cloudtrail id: 7c921d28-ef48-4f1b-85b3-0af8af7697db -version: 1 -date: '2022-07-17' +version: 2 +date: '2024-05-17' author: Gowthamaraj Rajendran, Splunk status: production type: TTP -description: This analytic identifies `UpdateTrail` events in CloudTrail logs. Attackers - may evade the logging capability by updating the settings and impairing them with - wrong parameters. For example, Attackers may change the multi-regional log into - a single region logs, which evades the logging for other regions. When the adversary - has the right type of permissions in the compromised AWS environment, they may update - the CloudTrail settings that is logging activities in your environment. -data_source: +description: The following analytic detects `UpdateTrail` events in AWS CloudTrail + logs. It identifies attempts to modify CloudTrail settings, potentially to evade + logging. The detection leverages CloudTrail logs, focusing on `UpdateTrail` events + where the user agent is not the AWS console and the operation is successful. This + activity is significant because altering CloudTrail settings can disable or limit + logging, hindering visibility into AWS account activities. If confirmed malicious, + this could allow attackers to operate undetected, compromising the integrity and + security of the AWS environment. +data_source: - AWS CloudTrail UpdateTrail search: '`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success| stats count min(_time) as @@ -62,7 +64,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/update_cloudtrail/aws_cloudtrail_events.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/update_cloudtrail/aws_cloudtrail_events.json source: aws_cloudtrail sourcetype: aws:cloudtrail update_timestamp: true diff --git a/detections/cloud/aws_detect_role_creation.yml b/detections/cloud/aws_detect_role_creation.yml index e7290d0ec9..7e70f272a7 100644 --- a/detections/cloud/aws_detect_role_creation.yml +++ b/detections/cloud/aws_detect_role_creation.yml @@ -1,14 +1,16 @@ name: aws detect role creation id: 5f04081e-ddee-4353-afe4-504f288de9ad -version: 1 -date: '2020-07-27' +version: 2 +date: '2024-05-15' author: Rod Soto, Splunk status: experimental type: Hunting -description: This search provides detection of role creation by IAM users. Role creation - is an event by itself if user is creating a new role with trust policies different - than the available in AWS and it can be used for lateral movement and escalation - of privileges. +description: The following analytic identifies the creation of new IAM roles by users + in AWS. It leverages CloudWatch logs to detect events where the `CreateRole` action + is performed, focusing on roles with specific trust policies. This activity is significant + as unauthorized role creation can facilitate lateral movement and privilege escalation + within the AWS environment. If confirmed malicious, attackers could gain elevated + permissions, potentially compromising sensitive resources and data. data_source: [] search: '`aws_cloudwatchlogs_eks` event_name=CreateRole action=created userIdentity.type=AssumedRole requestParameters.description=Allows* | table sourceIPAddress userIdentity.principalId diff --git a/detections/cloud/aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml b/detections/cloud/aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml index 63a8838e4e..3546a2c397 100644 --- a/detections/cloud/aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml +++ b/detections/cloud/aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml @@ -1,15 +1,19 @@ name: AWS Detect Users creating keys with encrypt policy without MFA id: c79c164f-4b21-4847-98f9-cf6a9f49179e -version: 1 -date: '2021-01-11' +version: 2 +date: '2024-05-28' author: Rod Soto, Patrick Bareiss Splunk status: production type: TTP -description: This search provides detection of KMS keys where action kms:Encrypt is - accessible for everyone (also outside of your organization). This is an indicator - that your account is compromised and the attacker uses the encryption key to compromise - another company. -data_source: +description: The following analytic detects the creation of AWS KMS keys with an encryption + policy accessible to everyone, including external entities. It leverages AWS CloudTrail + logs to identify `CreateKey` or `PutKeyPolicy` events where the `kms:Encrypt` action + is granted to all principals. This activity is significant as it may indicate a + compromised account, allowing an attacker to misuse the encryption key to target + other organizations. If confirmed malicious, this could lead to unauthorized data + encryption, potentially disrupting operations and compromising sensitive information + across multiple entities. +data_source: - AWS CloudTrail CreateKey - AWS CloudTrail PutKeyPolicy search: '`cloudtrail` eventName=CreateKey OR eventName=PutKeyPolicy | spath input=requestParameters.policy @@ -34,8 +38,8 @@ tags: asset_type: AWS Account confidence: 50 impact: 50 - message: AWS account is potentially compromised and user $user$ - is trying to compromise other accounts. + message: AWS account is potentially compromised and user $user$ is trying to compromise + other accounts. mitre_attack_id: - T1486 observable: @@ -60,7 +64,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1486/aws_kms_key/aws_cloudtrail_events.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1486/aws_kms_key/aws_cloudtrail_events.json sourcetype: aws:cloudtrail source: aws_cloudtrail update_timestamp: true diff --git a/detections/cloud/aws_disable_bucket_versioning.yml b/detections/cloud/aws_disable_bucket_versioning.yml index febfa08d41..a130e3a2ab 100644 --- a/detections/cloud/aws_disable_bucket_versioning.yml +++ b/detections/cloud/aws_disable_bucket_versioning.yml @@ -1,18 +1,28 @@ name: AWS Disable Bucket Versioning id: 657902a9-987d-4879-a1b2-e7a65512824b -version: 1 -date: '2023-05-01' +version: 2 +date: '2024-05-24' author: Bhavin Patel, Splunk status: production type: Anomaly -data_source: +data_source: - AWS CloudTrail PutBucketVersioning -description: The following analytic detects AWS CloudTrail events where bucket versioning is suspended by a user. Versioning allows the AWS Administrators to maintain different version of the S3 bucket which can be used to recover deleted data. Adversaries have leveraged this technique in the wild during a ransomware incident to disable versioning so the client cannot recover the data. -search: '`cloudtrail` eventName= PutBucketVersioning "requestParameters.VersioningConfiguration.Status"=Suspended - | stats count values(requestParameters.bucketName) as bucket_name values(resources{}.ARN) as resource_arn by src_ip aws_account_id awsRegion eventName userAgent user_arn userIdentity.principalId errorCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `aws_disable_bucket_versioning_filter`' +description: The following analytic detects when AWS S3 bucket versioning is suspended + by a user. It leverages AWS CloudTrail logs to identify `PutBucketVersioning` events + with the `VersioningConfiguration.Status` set to `Suspended`. This activity is significant + because disabling versioning can prevent recovery of deleted or modified data, which + is a common tactic in ransomware attacks. If confirmed malicious, this action could + lead to data loss and hinder recovery efforts, severely impacting data integrity + and availability. +search: '`cloudtrail` eventName= PutBucketVersioning "requestParameters.VersioningConfiguration.Status"=Suspended + | stats count values(requestParameters.bucketName) as bucket_name values(resources{}.ARN) + as resource_arn by src_ip aws_account_id awsRegion eventName userAgent user_arn + userIdentity.principalId errorCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| + `aws_disable_bucket_versioning_filter`' how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -known_false_positives: It is possible that an AWS Administrator has legitimately disabled versioning on certain buckets to avoid costs. +known_false_positives: It is possible that an AWS Administrator has legitimately disabled + versioning on certain buckets to avoid costs. references: - https://invictus-ir.medium.com/ransomware-in-the-cloud-7f14805bbe82 - https://bleemb.medium.com/data-exfiltration-with-native-aws-s3-features-c94ae4d13436 @@ -23,7 +33,8 @@ tags: asset_type: AWS Account confidence: 80 impact: 80 - message: Bucket Versioning is suspended for S3 buckets- $bucket_name$ by user $user_arn$ from IP address $src_ip$ + message: Bucket Versioning is suspended for S3 buckets- $bucket_name$ by user $user_arn$ + from IP address $src_ip$ mitre_attack_id: - T1490 observable: @@ -58,7 +69,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/aws_bucket_version/cloudtrail.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/aws_bucket_version/cloudtrail.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true \ No newline at end of file + update_timestamp: true diff --git a/detections/cloud/aws_ec2_snapshot_shared_externally.yml b/detections/cloud/aws_ec2_snapshot_shared_externally.yml index 1b534a82b2..e87c9dcd55 100644 --- a/detections/cloud/aws_ec2_snapshot_shared_externally.yml +++ b/detections/cloud/aws_ec2_snapshot_shared_externally.yml @@ -19,7 +19,7 @@ search: '`cloudtrail` eventName=ModifySnapshotAttribute | rename requestParamete as requested_account_id | search requested_account_id != NULL | eval match=if(requested_account_id==aws_account_id,"Match","No Match") | table _time user_arn src_ip requestParameters.attributeType requested_account_id aws_account_id match vendor_region user_agent userIdentity.principalId | where match - = "No Match" | `aws_ec2_snapshot_shared_externally_filter` ' + = "No Match" | `aws_ec2_snapshot_shared_externally_filter`' how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. known_false_positives: It is possible that an AWS admin has legitimately shared a diff --git a/detections/cloud/aws_ecr_container_upload_outside_business_hours.yml b/detections/cloud/aws_ecr_container_upload_outside_business_hours.yml index bd42472c8a..a716f748f7 100644 --- a/detections/cloud/aws_ecr_container_upload_outside_business_hours.yml +++ b/detections/cloud/aws_ecr_container_upload_outside_business_hours.yml @@ -1,16 +1,26 @@ name: AWS ECR Container Upload Outside Business Hours id: d4c4d4eb-3994-41ca-a25e-a82d64e125bb -version: 2 -date: '2023-11-09' +version: 3 +date: '2024-05-25' author: Patrick Bareiss, Splunk status: production type: Anomaly -description: This search looks for AWS CloudTrail events from AWS Elastic Container - Service (ECR). A upload of a new container is normally done during business hours. - When done outside business hours, we want to take a look into it. -data_source: +description: The following analytic detects the upload of a new container image to + AWS Elastic Container Registry (ECR) outside of standard business hours. It leverages + AWS CloudTrail logs to identify `PutImage` events occurring between 8 PM and 8 AM + or on weekends. This activity is significant because container uploads outside business + hours can indicate unauthorized or suspicious activity, potentially pointing to + a compromised account or insider threat. If confirmed malicious, this could allow + an attacker to deploy unauthorized or malicious containers, leading to potential + data breaches or service disruptions. +data_source: - AWS CloudTrail PutImage -search: '`cloudtrail` eventSource=ecr.amazonaws.com eventName=PutImage date_hour>=20 OR date_hour<8 OR date_wday=saturday OR date_wday=sunday | rename requestParameters.* as * | rename repositoryName AS repository | eval phase="release" | eval severity="medium" | stats min(_time) as firstTime max(_time) as lastTime by awsRegion, eventName, eventSource, user, userName, src_ip, imageTag, registryId, repository, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_ecr_container_upload_outside_business_hours_filter`' +search: '`cloudtrail` eventSource=ecr.amazonaws.com eventName=PutImage date_hour>=20 + OR date_hour<8 OR date_wday=saturday OR date_wday=sunday | rename requestParameters.* + as * | rename repositoryName AS repository | eval phase="release" | eval severity="medium" + | stats min(_time) as firstTime max(_time) as lastTime by awsRegion, eventName, + eventSource, user, userName, src_ip, imageTag, registryId, repository, phase, severity + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_ecr_container_upload_outside_business_hours_filter`' how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. known_false_positives: When your development is spreaded in different time zones, @@ -55,6 +65,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.003/aws_ecr_container_upload/aws_ecr_container_upload.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.003/aws_ecr_container_upload/aws_ecr_container_upload.json sourcetype: aws:cloudtrail source: aws_cloudtrail diff --git a/detections/cloud/aws_ecr_container_upload_unknown_user.yml b/detections/cloud/aws_ecr_container_upload_unknown_user.yml index a8ad8290d9..3f9a5c86ae 100644 --- a/detections/cloud/aws_ecr_container_upload_unknown_user.yml +++ b/detections/cloud/aws_ecr_container_upload_unknown_user.yml @@ -1,15 +1,18 @@ name: AWS ECR Container Upload Unknown User id: 300688e4-365c-4486-a065-7c884462b31d -version: 1 -date: '2021-08-19' +version: 2 +date: '2024-05-28' author: Patrick Bareiss, Splunk status: production type: Anomaly -description: This search looks for AWS CloudTrail events from AWS Elastic Container - Service (ECR). A upload of a new container is normally done from only a few known - users. When the user was never seen before, we should have a closer look into the - event. -data_source: +description: The following analytic detects the upload of a new container image to + AWS Elastic Container Registry (ECR) by an unknown user. It leverages AWS CloudTrail + logs to identify `PutImage` events from the ECR service, filtering out known users. + This activity is significant because container uploads should typically be performed + by a limited set of authorized users. If confirmed malicious, this could indicate + unauthorized access, potentially leading to the deployment of malicious containers, + data exfiltration, or further compromise of the AWS environment. +data_source: - AWS CloudTrail PutImage search: '`cloudtrail` eventSource=ecr.amazonaws.com eventName=PutImage NOT `aws_ecr_users` | rename requestParameters.* as * | rename repositoryName AS image | eval phase="release" @@ -60,6 +63,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.003/aws_ecr_container_upload/aws_ecr_container_upload.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.003/aws_ecr_container_upload/aws_ecr_container_upload.json sourcetype: aws:cloudtrail source: aws_cloudtrail diff --git a/detections/cloud/aws_exfiltration_via_anomalous_getobject_api_activity.yml b/detections/cloud/aws_exfiltration_via_anomalous_getobject_api_activity.yml index 34fc41b58c..3124872c30 100644 --- a/detections/cloud/aws_exfiltration_via_anomalous_getobject_api_activity.yml +++ b/detections/cloud/aws_exfiltration_via_anomalous_getobject_api_activity.yml @@ -1,17 +1,28 @@ name: AWS Exfiltration via Anomalous GetObject API Activity id: e4384bbf-5835-4831-8d85-694de6ad2cc6 -version: 1 -date: '2023-04-10' +version: 2 +date: '2024-05-15' author: Bhavin Patel, Splunk status: production type: Anomaly -data_source: +data_source: - AWS CloudTrail GetObject -description: This search uses built in Splunk command `| anomalydetection` to detect anomalies with respect to users making high number of GetObject API calls to download objects from S3 in a 10 minute time window. The field `probable_cause` is the name of the field that best explains why the event is anomalous. This command identifies anomalous events by computing a probability for each GetObject event by "count" "user_type" "user_arn" and detects anomaly based on the frequencies. -search: '`cloudtrail` eventName=GetObject | bin _time span=10m | stats count values(requestParameters.bucketName) as bucketName by _time src_ip aws_account_id user_type user_arn userIdentity.principalId - | anomalydetection "count" "user_type" "user_arn" action=annotate | search probable_cause=* |`aws_exfiltration_via_anomalous_getobject_api_activity_filter`' -how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -known_false_positives: It is possible that a user downloaded these files to use them locally and there are AWS services in configured that perform these activities for a legitimate reason. Filter is needed. +description: The following analytic identifies anomalous GetObject API activity in + AWS, indicating potential data exfiltration attempts. It leverages AWS CloudTrail + logs and uses the `anomalydetection` command to detect unusual patterns in the frequency + of GetObject API calls by analyzing fields such as "count," "user_type," and "user_arn" + within a 10-minute window. This activity is significant as it may indicate unauthorized + data access or exfiltration from S3 buckets. If confirmed malicious, attackers could + exfiltrate sensitive data, leading to data breaches and compliance violations. +search: '`cloudtrail` eventName=GetObject | bin _time span=10m | stats count values(requestParameters.bucketName) + as bucketName by _time src_ip aws_account_id user_type user_arn userIdentity.principalId + | anomalydetection "count" "user_type" "user_arn" action=annotate | search probable_cause=* + |`aws_exfiltration_via_anomalous_getobject_api_activity_filter`' +how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This + search works with AWS CloudTrail logs. +known_false_positives: It is possible that a user downloaded these files to use them + locally and there are AWS services in configured that perform these activities for + a legitimate reason. Filter is needed. references: - https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/ - https://docs.splunk.com/Documentation/Splunk/9.0.4/SearchReference/Anomalydetection @@ -55,7 +66,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1530/aws_exfil_high_no_getobject/cloudtrail.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1530/aws_exfil_high_no_getobject/cloudtrail.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true \ No newline at end of file + update_timestamp: true diff --git a/detections/cloud/aws_exfiltration_via_batch_service.yml b/detections/cloud/aws_exfiltration_via_batch_service.yml index 00c7bb19bc..5bbdcec9a0 100644 --- a/detections/cloud/aws_exfiltration_via_batch_service.yml +++ b/detections/cloud/aws_exfiltration_via_batch_service.yml @@ -1,17 +1,29 @@ name: AWS Exfiltration via Batch Service id: 04455dd3-ced7-480f-b8e6-5469b99e98e2 -version: 1 -date: '2023-04-24' +version: 2 +date: '2024-05-23' author: Bhavin Patel, Splunk status: production type: TTP -data_source: +data_source: - AWS CloudTrail JobCreated -description: This search looks for events where AWS Batch Service is used for creating a job that could potentially abuse the AWS Bucket Replication feature on S3 buckets. This AWS service can used to transfer data between different AWS S3 buckets and an attacker can leverage this to exfiltrate data by creating a malicious batch job. -search: '`cloudtrail` eventName = JobCreated | stats count min(_time) as firstTime max(_time) as lastTime values(serviceEventDetails.jobArn) as job_arn values(serviceEventDetails.status) as status by src_ip aws_account_id eventName errorCode userAgent| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_exfiltration_via_datasync_task_filter`' +description: The following analytic identifies the creation of AWS Batch jobs that + could potentially abuse the AWS Bucket Replication feature on S3 buckets. It leverages + AWS CloudTrail logs to detect the `JobCreated` event, analyzing job details and + their status. This activity is significant because attackers can exploit this feature + to exfiltrate data by creating malicious batch jobs. If confirmed malicious, this + could lead to unauthorized data transfer between S3 buckets, resulting in data breaches + and loss of sensitive information. +search: '`cloudtrail` eventName = JobCreated | stats count min(_time) as firstTime + max(_time) as lastTime values(serviceEventDetails.jobArn) as job_arn values(serviceEventDetails.status) + as status by src_ip aws_account_id eventName errorCode userAgent + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `aws_exfiltration_via_batch_service_filter`' how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -known_false_positives: It is possible that an AWS Administrator or a user has legitimately created this job for some tasks. +known_false_positives: It is possible that an AWS Administrator or a user has legitimately + created this job for some tasks. references: - https://hackingthe.cloud/aws/exploitation/s3-bucket-replication-exfiltration/ - https://bleemb.medium.com/data-exfiltration-with-native-aws-s3-features-c94ae4d13436 @@ -49,7 +61,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1119/aws_exfil_datasync/cloudtrail.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1119/aws_exfil_datasync/cloudtrail.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true \ No newline at end of file + update_timestamp: true diff --git a/detections/cloud/aws_exfiltration_via_bucket_replication.yml b/detections/cloud/aws_exfiltration_via_bucket_replication.yml index 538c04408c..aa548db71f 100644 --- a/detections/cloud/aws_exfiltration_via_bucket_replication.yml +++ b/detections/cloud/aws_exfiltration_via_bucket_replication.yml @@ -1,21 +1,27 @@ name: AWS Exfiltration via Bucket Replication id: eeb432d6-2212-43b6-9e89-fcd753f7da4c -version: 1 -date: '2023-04-28' +version: 2 +date: '2024-05-11' author: Bhavin Patel, Splunk status: production type: TTP -data_source: +data_source: - AWS CloudTrail PutBucketReplication -description: The following analytic detects API calls made to an S3 bucket when bucket replication services are enabled. S3 bucket replication is a feature offered by Amazon Web Services (AWS) that allows you to automatically and asynchronously copy data from one S3 bucket to another in the same or different region. - - S3 bucket replication can also be used for cross-account replication, where data is replicated from a source bucket owned by one AWS account to a destination bucket owned by a different AWS account. +description: The following analytic detects API calls to enable S3 bucket replication + services. It leverages AWS CloudTrail logs to identify `PutBucketReplication` events, + focusing on fields like `bucketName`, `ReplicationConfiguration.Rule.Destination.Bucket`, + and user details. This activity is significant as it can indicate unauthorized data + replication, potentially leading to data exfiltration. If confirmed malicious, attackers + could replicate sensitive data to external accounts, leading to data breaches and + compliance violations. search: '`cloudtrail` eventName = PutBucketReplication eventSource = s3.amazonaws.com | rename requestParameters.* as * - | stats count values(bucketName) as source_bucket values(ReplicationConfiguration.Rule.ID) as rule_id values(ReplicationConfiguration.Rule.Destination.Bucket) as destination_bucket by _time user_arn userName user_type src_ip aws_account_id userIdentity.principalId user_agent | `aws_exfiltration_via_ec2_snapshot_filter`' + | stats count values(bucketName) as source_bucket values(ReplicationConfiguration.Rule.ID) as rule_id values(ReplicationConfiguration.Rule.Destination.Bucket) as destination_bucket by _time user_arn userName user_type src_ip aws_account_id userIdentity.principalId user_agent | `aws_exfiltration_via_bucket_replication_filter`' how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -known_false_positives: It is possible that an AWS admin has legitimately implemented data replication to ensure data availability and improve data protection/backup strategies. +known_false_positives: It is possible that an AWS admin has legitimately implemented + data replication to ensure data availability and improve data protection/backup + strategies. references: - https://hackingthe.cloud/aws/exploitation/s3-bucket-replication-exfiltration/ tags: @@ -25,7 +31,8 @@ tags: asset_type: EC2 Snapshot confidence: 80 impact: 80 - message: AWS Bucket Replication rule $rule_id$ added on $source_bucket$ to $destination_bucket$ by user $user_arn$ from IP Address - $src_ip$ + message: AWS Bucket Replication rule $rule_id$ added on $source_bucket$ to $destination_bucket$ + by user $user_arn$ from IP Address - $src_ip$ mitre_attack_id: - T1537 observable: @@ -61,7 +68,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1119/aws_exfil_datasync/cloudtrail.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1119/aws_exfil_datasync/cloudtrail.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true \ No newline at end of file + update_timestamp: true diff --git a/detections/cloud/aws_exfiltration_via_datasync_task.yml b/detections/cloud/aws_exfiltration_via_datasync_task.yml index 87f691c6ac..1de0cebcc1 100644 --- a/detections/cloud/aws_exfiltration_via_datasync_task.yml +++ b/detections/cloud/aws_exfiltration_via_datasync_task.yml @@ -1,17 +1,29 @@ name: AWS Exfiltration via DataSync Task id: 05c4b09f-ea28-4c7c-a7aa-a246f665c8a2 -version: 1 -date: '2023-04-10' +version: 2 +date: '2024-05-28' author: Bhavin Patel, Splunk status: production type: TTP -data_source: +data_source: - AWS CloudTrail CreateTask -description: This search looks for potential misuse of an AWS service known as DataSync. This AWS service is used to transfer data between different AWS cloud storage services, such as Amazon S3, Amazon EFS, and Amazon FSx for Windows File Server. Attackers can create a task in AWS to periodically copy data from a private AWS location to a public location resulting in the compromise of the data. -search: '`cloudtrail` eventName = CreateTask eventSource="datasync.amazonaws.com" | rename requestParameters.* as * | stats count min(_time) as firstTime max(_time) as lastTime by src_ip aws_account_id awsRegion eventName destinationLocationArn sourceLocationArn userAgent user_arn userIdentity.principalId errorCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_exfiltration_via_datasync_task_filter`' +description: The following analytic detects the creation of an AWS DataSync task, + which could indicate potential data exfiltration. It leverages AWS CloudTrail logs + to identify the `CreateTask` event from the DataSync service. This activity is significant + because attackers can misuse DataSync to transfer sensitive data from a private + AWS location to a public one, leading to data compromise. If confirmed malicious, + this could result in unauthorized access to sensitive information, causing severe + data breaches and compliance violations. +search: '`cloudtrail` eventName = CreateTask eventSource="datasync.amazonaws.com" + | rename requestParameters.* as * | stats count min(_time) as firstTime max(_time) + as lastTime by src_ip aws_account_id awsRegion eventName destinationLocationArn + sourceLocationArn userAgent user_arn userIdentity.principalId errorCode | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `aws_exfiltration_via_datasync_task_filter`' how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -known_false_positives: It is possible that an AWS Administrator has legitimately created this task for creating backup. Please check the `sourceLocationArn` and `destinationLocationArn` of this task +known_false_positives: It is possible that an AWS Administrator has legitimately created + this task for creating backup. Please check the `sourceLocationArn` and `destinationLocationArn` + of this task references: - https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/ - https://www.shehackske.com/how-to/data-exfiltration-on-cloud-1606/ @@ -22,7 +34,8 @@ tags: asset_type: AWS Account confidence: 80 impact: 80 - message: DataSync task created on account id - $aws_account_id$ by user $user_arn$ from src_ip $src_ip$ + message: DataSync task created on account id - $aws_account_id$ by user $user_arn$ + from src_ip $src_ip$ mitre_attack_id: - T1119 observable: @@ -57,7 +70,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1119/aws_exfil_datasync/cloudtrail.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1119/aws_exfil_datasync/cloudtrail.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true \ No newline at end of file + update_timestamp: true diff --git a/detections/cloud/aws_exfiltration_via_ec2_snapshot.yml b/detections/cloud/aws_exfiltration_via_ec2_snapshot.yml index 9e4d67edf4..11f1b6109f 100644 --- a/detections/cloud/aws_exfiltration_via_ec2_snapshot.yml +++ b/detections/cloud/aws_exfiltration_via_ec2_snapshot.yml @@ -1,20 +1,36 @@ name: AWS Exfiltration via EC2 Snapshot id: ac90b339-13fc-4f29-a18c-4abbba1f2171 -version: 1 -date: '2023-03-22' +version: 2 +date: '2024-05-10' author: Bhavin Patel, Splunk status: production type: TTP -data_source: +data_source: - AWS CloudTrail CreateSnapshot - AWS CloudTrail DescribeSnapshotAttribute - AWS CloudTrail ModifySnapshotAttribute - AWS CloudTrail DeleteSnapshot -description: This search detects a series of AWS API calls, made in a short time window, related to EC2 snapshots that can detect a potential exfiltration via EC2 Snapshot modifications. In this attack, the attacker typically proceeds by listing and creating EC2 snapshots of the available EC2 instances followed by modifying snapshot attributes such that it can be shared externally. Once this is done, the attacker can then load that EC2 snapshot and access all the sensitive information. -search: '`cloudtrail` eventName IN ("CreateSnapshot", "DescribeSnapshotAttribute", "ModifySnapshotAttribute", "DeleteSnapshot") src_ip !="guardduty.amazonaws.com" | bin _time span=5m | stats count dc(eventName) as distinct_api_calls values(eventName) values(requestParameters.attributeType) as attributeType values(requestParameters.createVolumePermission.add.items{}.userId) as aws_account_id_added values(userAgent) as userAgent by _time userName src_ip aws_account_id | where distinct_api_calls >= 2 | `aws_exfiltration_via_ec2_snapshot_filter`' +description: The following analytic detects a series of AWS API calls related to EC2 + snapshots within a short time window, indicating potential exfiltration via EC2 + Snapshot modifications. It leverages AWS CloudTrail logs to identify actions such + as creating, describing, and modifying snapshot attributes. This activity is significant + as it may indicate an attacker attempting to exfiltrate data by sharing EC2 snapshots + externally. If confirmed malicious, the attacker could gain access to sensitive + information stored in the snapshots, leading to data breaches and potential compliance + violations. +search: '`cloudtrail` eventName IN ("CreateSnapshot", "DescribeSnapshotAttribute", + "ModifySnapshotAttribute", "DeleteSnapshot") src_ip !="guardduty.amazonaws.com" + | bin _time span=5m | stats count dc(eventName) as distinct_api_calls values(eventName) values(requestParameters.attributeType) + as attributeType values(requestParameters.createVolumePermission.add.items{}.userId) + as aws_account_id_added values(userAgent) as userAgent by _time userName src_ip + aws_account_id | where distinct_api_calls >= 2 | `aws_exfiltration_via_ec2_snapshot_filter`' how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This - search works with AWS CloudTrail logs. We have intentionally removed `guardduty.amazonaws.com` from src_ip to remove false positives caused by guard duty. We recommend you adjust the time window as per your environment. -known_false_positives: It is possible that an AWS admin has legitimately shared a snapshot with an other account for a specific purpose. Please check any recent change requests filed in your organization. + search works with AWS CloudTrail logs. We have intentionally removed `guardduty.amazonaws.com` + from src_ip to remove false positives caused by guard duty. We recommend you adjust + the time window as per your environment. +known_false_positives: It is possible that an AWS admin has legitimately shared a + snapshot with an other account for a specific purpose. Please check any recent change + requests filed in your organization. references: - https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/ - https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html @@ -27,7 +43,8 @@ tags: asset_type: EC2 Snapshot confidence: 80 impact: 80 - message: Potential AWS EC2 Exfiltration detected on account id - $aws_account_id$ by user $userName$ from src_ip $src_ip$ + message: Potential AWS EC2 Exfiltration detected on account id - $aws_account_id$ + by user $userName$ from src_ip $src_ip$ mitre_attack_id: - T1537 observable: @@ -63,7 +80,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1537/aws_snapshot_exfil/aws_cloudtrail_events.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1537/aws_snapshot_exfil/aws_cloudtrail_events.json sourcetype: aws:cloudtrail source: aws_cloudtrail - update_timestamp: true \ No newline at end of file + update_timestamp: true diff --git a/detections/cloud/aws_high_number_of_failed_authentications_for_user.yml b/detections/cloud/aws_high_number_of_failed_authentications_for_user.yml index 2f7a9d4d25..5069058793 100644 --- a/detections/cloud/aws_high_number_of_failed_authentications_for_user.yml +++ b/detections/cloud/aws_high_number_of_failed_authentications_for_user.yml @@ -1,15 +1,18 @@ name: AWS High Number Of Failed Authentications For User id: e3236f49-daf3-4b70-b808-9290912ac64d -version: 1 -date: '2023-01-27' +version: 2 +date: '2024-05-25' author: Bhavin Patel, Splunk status: production type: Anomaly -description: The following analytic identifies an AWS account with more than 20 failed - authentication events in the span of 5 minutes. This behavior could represent a - brute force attack against the account. As environments differ across organizations, - security teams should customize the threshold of this detection. -data_source: +description: The following analytic detects an AWS account experiencing more than + 20 failed authentication attempts within a 5-minute window. It leverages AWS CloudTrail + logs to identify multiple failed ConsoleLogin events. This behavior is significant + as it may indicate a brute force attack targeting the account. If confirmed malicious, + the attacker could potentially gain unauthorized access, leading to data breaches + or further exploitation of the AWS environment. Security teams should consider adjusting + the threshold based on their specific environment to reduce false positives. +data_source: - AWS CloudTrail ConsoleLogin search: '`cloudtrail` eventName=ConsoleLogin action=failure | bucket span=10m _time | stats dc(_raw) AS failed_attempts values(src_ip) as src_ip values(user_agent) @@ -56,7 +59,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/aws_multiple_login_fail_per_user/cloudtrail.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/aws_multiple_login_fail_per_user/cloudtrail.json sourcetype: aws:cloudtrail source: aws_cloudtrail update_timestamp: true diff --git a/detections/cloud/aws_high_number_of_failed_authentications_from_ip.yml b/detections/cloud/aws_high_number_of_failed_authentications_from_ip.yml index 3f57313282..91eb702c21 100644 --- a/detections/cloud/aws_high_number_of_failed_authentications_from_ip.yml +++ b/detections/cloud/aws_high_number_of_failed_authentications_from_ip.yml @@ -1,16 +1,18 @@ name: AWS High Number Of Failed Authentications From Ip id: f75b7f1a-b8eb-4975-a214-ff3e0a944757 -version: 1 -date: '2023-01-30' +version: 2 +date: '2024-05-23' author: Bhavin Patel, Splunk status: production type: Anomaly -description: The following analytic identifies an IP address failing to authenticate - 20 or more times to the AWS Web Console in the span of 5 minutes. This behavior - could represent a brute force attack against an AWS tenant to obtain initial access - or elevate privileges. As environments differ across organizations, security teams - should customize the threshold of this detection. -data_source: +description: The following analytic detects an IP address with 20 or more failed authentication + attempts to the AWS Web Console within a 5-minute window. This detection leverages + CloudTrail logs, aggregating failed login events by IP address and time span. This + activity is significant as it may indicate a brute force attack aimed at gaining + unauthorized access or escalating privileges within an AWS environment. If confirmed + malicious, this could lead to unauthorized access, data breaches, or further exploitation + of AWS resources. +data_source: - AWS CloudTrail ConsoleLogin search: '`cloudtrail` eventName=ConsoleLogin action=failure | bucket span=5m _time | stats dc(_raw) AS failed_attempts values(user_name) as tried_accounts values(user_agent) @@ -32,7 +34,8 @@ tags: asset_type: AWS Account confidence: 90 impact: 60 - message: 'Multiple failed console login attempts (Count: $failed_attempts$) against users from IP Address - $src_ip$' + message: 'Multiple failed console login attempts (Count: $failed_attempts$) against + users from IP Address - $src_ip$' mitre_attack_id: - T1110 - T1110.003 @@ -57,7 +60,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/aws_mulitple_failed_console_login/aws_cloudtrail.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/aws_mulitple_failed_console_login/aws_cloudtrail.json source: aws_cloudtrail sourcetype: aws:cloudtrail update_timestamp: true diff --git a/detections/cloud/aws_iam_accessdenied_discovery_events.yml b/detections/cloud/aws_iam_accessdenied_discovery_events.yml index d3eba284d3..774352e523 100644 --- a/detections/cloud/aws_iam_accessdenied_discovery_events.yml +++ b/detections/cloud/aws_iam_accessdenied_discovery_events.yml @@ -1,15 +1,18 @@ name: AWS IAM AccessDenied Discovery Events id: 3e1f1568-9633-11eb-a69c-acde48001122 -version: 2 -date: '2021-11-12' +version: 3 +date: '2024-05-20' author: Michael Haag, Splunk status: production type: Anomaly -description: The following detection identifies excessive AccessDenied events within - an hour timeframe. It is possible that an access key to AWS may have been stolen - and is being misused to perform discovery events. In these instances, the access - is not available with the key stolen therefore these events will be generated. -data_source: +description: The following analytic identifies excessive AccessDenied events within + an hour timeframe for IAM users in AWS. It leverages AWS CloudTrail logs to detect + multiple failed access attempts from the same source IP and user identity. This + activity is significant as it may indicate that an access key has been compromised + and is being misused for unauthorized discovery actions. If confirmed malicious, + this could allow attackers to gather information about the AWS environment, potentially + leading to further exploitation or privilege escalation. +data_source: - AWS CloudTrail search: '`cloudtrail` (errorCode = "AccessDenied") user_type=IAMUser (userAgent!=*.amazonaws.com) | bucket _time span=1h | stats count as failures min(_time) as firstTime max(_time) @@ -58,7 +61,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1580/aws_iam_accessdenied_discovery_events/aws_iam_accessdenied_discovery_events.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1580/aws_iam_accessdenied_discovery_events/aws_iam_accessdenied_discovery_events.json sourcetype: aws:cloudtrail source: aws_cloudtrail update_timestamp: true diff --git a/detections/cloud/aws_iam_assume_role_policy_brute_force.yml b/detections/cloud/aws_iam_assume_role_policy_brute_force.yml index d7ed5fb0f9..63ae1f0062 100644 --- a/detections/cloud/aws_iam_assume_role_policy_brute_force.yml +++ b/detections/cloud/aws_iam_assume_role_policy_brute_force.yml @@ -1,17 +1,19 @@ name: AWS IAM Assume Role Policy Brute Force id: f19e09b0-9308-11eb-b7ec-acde48001122 -version: 1 -date: '2021-04-01' +version: 2 +date: '2024-05-23' author: Michael Haag, Splunk status: production type: TTP -description: The following detection identifies any malformed policy document exceptions - with a status of `failure`. A malformed policy document exception occurs in instances - where roles are attempted to be assumed, or brute forced. In a brute force attempt, - using a tool like CloudSploit or Pacu, an attempt will look like `arn:aws:iam::111111111111:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS`. Meaning, - when an adversary is attempting to identify a role name, multiple failures will - occur. This detection focuses on the errors of a remote attempt that is failing. -data_source: +description: The following analytic detects multiple failed attempts to assume an + AWS IAM role, indicating a potential brute force attack. It leverages AWS CloudTrail + logs to identify `MalformedPolicyDocumentException` errors with a status of `failure` + and filters out legitimate AWS services. This activity is significant as repeated + failures to assume roles can indicate an adversary attempting to guess role names, + which is a precursor to unauthorized access. If confirmed malicious, this could + lead to unauthorized access to AWS resources, potentially compromising sensitive + data and services. +data_source: - AWS CloudTrail search: '`cloudtrail` (errorCode=MalformedPolicyDocumentException) status=failure (userAgent!=*.amazonaws.com) | stats count min(_time) as firstTime max(_time) as @@ -64,7 +66,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1580/aws_iam_assume_role_policy_brute_force/aws_iam_assume_role_policy_brute_force.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1580/aws_iam_assume_role_policy_brute_force/aws_iam_assume_role_policy_brute_force.json sourcetype: aws:cloudtrail source: aws_cloudtrail update_timestamp: true diff --git a/detections/cloud/aws_iam_delete_policy.yml b/detections/cloud/aws_iam_delete_policy.yml index ad82abbf9f..c65260764b 100644 --- a/detections/cloud/aws_iam_delete_policy.yml +++ b/detections/cloud/aws_iam_delete_policy.yml @@ -1,16 +1,19 @@ name: AWS IAM Delete Policy id: ec3a9362-92fe-11eb-99d0-acde48001122 -version: 1 -date: '2021-04-01' +version: 2 +date: '2024-05-27' author: Michael Haag, Splunk status: production type: Hunting -description: The following detection identifies when a policy is deleted on AWS. This - does not identify whether successful or failed, but the error messages tell a story - of suspicious attempts. There is a specific process to follow when deleting a policy. - First, detach the policy from all users, groups, and roles that the policy is attached - to, using DetachUserPolicy , DetachGroupPolicy , or DetachRolePolicy. -data_source: +description: The following analytic detects the deletion of an IAM policy in AWS. + It leverages AWS CloudTrail logs to identify `DeletePolicy` events, excluding those + from AWS internal services. This activity is significant as unauthorized policy + deletions can disrupt access controls and weaken security postures. If confirmed + malicious, an attacker could remove critical security policies, potentially leading + to privilege escalation, unauthorized access, or data exfiltration. Monitoring this + behavior helps ensure that only authorized changes are made to IAM policies, maintaining + the integrity and security of the AWS environment. +data_source: - AWS CloudTrail DeletePolicy search: '`cloudtrail` eventName=DeletePolicy (userAgent!=*.amazonaws.com) | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.policyArn) @@ -61,7 +64,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/aws_iam_delete_policy/aws_iam_delete_policy.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/aws_iam_delete_policy/aws_iam_delete_policy.json sourcetype: aws:cloudtrail source: aws_cloudtrail update_timestamp: true diff --git a/detections/cloud/aws_iam_failure_group_deletion.yml b/detections/cloud/aws_iam_failure_group_deletion.yml index 755e336f8d..1897919347 100644 --- a/detections/cloud/aws_iam_failure_group_deletion.yml +++ b/detections/cloud/aws_iam_failure_group_deletion.yml @@ -1,16 +1,19 @@ name: AWS IAM Failure Group Deletion id: 723b861a-92eb-11eb-93b8-acde48001122 -version: 2 -date: '2023-11-07' +version: 3 +date: '2024-05-11' author: Michael Haag, Splunk status: production type: Anomaly -description: This detection identifies failure attempts to delete groups. We want - to identify when a group is attempting to be deleted, but either access is denied, - there is a conflict or there is no group. This is indicative of administrators performing - an action, but also could be suspicious behavior occurring. Review parallel IAM - events - recently added users, new groups and so forth. -data_source: +description: The following analytic identifies failed attempts to delete AWS IAM groups. + It leverages AWS CloudTrail logs to detect events where the DeleteGroup action fails + due to errors like NoSuchEntityException, DeleteConflictException, or AccessDenied. + This activity is significant as it may indicate unauthorized attempts to modify + IAM group configurations, which could be a precursor to privilege escalation or + other malicious actions. If confirmed malicious, this could allow an attacker to + disrupt IAM policies, potentially leading to unauthorized access or denial of service + within the AWS environment. +data_source: - AWS CloudTrail DeleteGroup search: '`cloudtrail` eventSource=iam.amazonaws.com eventName=DeleteGroup errorCode IN (NoSuchEntityException,DeleteConflictException, AccessDenied) (userAgent!=*.amazonaws.com) @@ -33,7 +36,8 @@ tags: asset_type: AWS Account confidence: 50 impact: 10 - message: User $user_arn$ has had mulitple failures while attempting to delete groups from $src$ + message: User $user_arn$ has had mulitple failures while attempting to delete groups + from $src$ mitre_attack_id: - T1098 observable: @@ -60,7 +64,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/aws_iam_failure_group_deletion/aws_iam_failure_group_deletion.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/aws_iam_failure_group_deletion/aws_iam_failure_group_deletion.json sourcetype: aws:cloudtrail source: aws_cloudtrail update_timestamp: true diff --git a/detections/cloud/aws_iam_successful_group_deletion.yml b/detections/cloud/aws_iam_successful_group_deletion.yml index aed09fb9bf..4f2f102188 100644 --- a/detections/cloud/aws_iam_successful_group_deletion.yml +++ b/detections/cloud/aws_iam_successful_group_deletion.yml @@ -1,15 +1,19 @@ name: AWS IAM Successful Group Deletion id: e776d06c-9267-11eb-819b-acde48001122 -version: 1 -date: '2021-03-31' +version: 2 +date: '2024-05-29' author: Michael Haag, Splunk status: production type: Hunting -description: The following query uses IAM events to track the success of a group being - deleted on AWS. This is typically not indicative of malicious behavior, but a precurser - to additional events thay may unfold. Review parallel IAM events - recently added - users, new groups and so forth. Inversely, review failed attempts in a similar manner. -data_source: +description: The following analytic identifies the successful deletion of an IAM group + in AWS. It leverages CloudTrail logs to detect `DeleteGroup` events with a success + status. This activity is significant as it could indicate potential changes in user + permissions or access controls, which may be a precursor to further unauthorized + actions. If confirmed malicious, an attacker could disrupt access management, potentially + leading to privilege escalation or unauthorized access to sensitive resources. Analysts + should review related IAM events, such as recent user additions or new group creations, + to assess the broader context. +data_source: - AWS CloudTrail DeleteGroup search: '`cloudtrail` eventSource=iam.amazonaws.com eventName=DeleteGroup errorCode=success (userAgent!=*.amazonaws.com) | stats count min(_time) as firstTime max(_time) as @@ -65,7 +69,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/aws_iam_successful_group_deletion/aws_iam_successful_group_deletion.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/aws_iam_successful_group_deletion/aws_iam_successful_group_deletion.json sourcetype: aws:cloudtrail source: aws_cloudtrail update_timestamp: true diff --git a/detections/cloud/aws_lambda_updatefunctioncode.yml b/detections/cloud/aws_lambda_updatefunctioncode.yml index 785e603020..978dc2da1c 100644 --- a/detections/cloud/aws_lambda_updatefunctioncode.yml +++ b/detections/cloud/aws_lambda_updatefunctioncode.yml @@ -1,16 +1,18 @@ name: AWS Lambda UpdateFunctionCode id: 211b80d3-6340-4345-11ad-212bf3d0d111 -version: 1 -date: '2022-02-24' +version: 2 +date: '2024-05-13' author: Bhavin Patel, Splunk status: production type: Hunting -description: This analytic is designed to detect IAM users attempting to update/modify - AWS lambda code via the AWS CLI to gain persistence, futher access into your AWS - environment and to facilitate planting backdoors. In this instance, an attacker - may upload malicious code/binary to a lambda function which will be executed automatically - when the funnction is triggered. -data_source: +description: The following analytic identifies IAM users attempting to update or modify + AWS Lambda code via the AWS CLI. It leverages CloudTrail logs to detect successful + `UpdateFunctionCode` events initiated by IAM users. This activity is significant + as it may indicate an attempt to gain persistence, further access, or plant backdoors + within your AWS environment. If confirmed malicious, an attacker could upload and + execute malicious code automatically when the Lambda function is triggered, potentially + compromising the integrity and security of your AWS infrastructure. +data_source: - AWS CloudTrail search: '`cloudtrail` eventSource=lambda.amazonaws.com eventName=UpdateFunctionCode* errorCode = success user_type=IAMUser | stats count min(_time) as firstTime max(_time) as @@ -56,7 +58,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/aws_updatelambdafunctioncode/aws_cloudtrail_events.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/aws_updatelambdafunctioncode/aws_cloudtrail_events.json sourcetype: aws:cloudtrail source: aws_cloudtrail update_timestamp: true diff --git a/detections/cloud/aws_multi_factor_authentication_disabled.yml b/detections/cloud/aws_multi_factor_authentication_disabled.yml index d28f7d9144..fdd8ede3df 100644 --- a/detections/cloud/aws_multi_factor_authentication_disabled.yml +++ b/detections/cloud/aws_multi_factor_authentication_disabled.yml @@ -1,15 +1,17 @@ name: AWS Multi-Factor Authentication Disabled id: 374832b1-3603-420c-b456-b373e24d34c0 -version: 1 -date: '2022-10-04' +version: 2 +date: '2024-05-15' author: Bhavin Patel, Splunk status: production type: TTP -description: The following analytic identifies an attempt to disable multi-factor - authentication for an AWS IAM user. An adversary who has obtained access to an AWS - tenant may disable multi-factor authentication as a way to plant a backdoor and - maintain persistence using a valid account. This way the attackers can keep persistance - in the environment without adding new users. +description: The following analytic detects attempts to disable multi-factor authentication + (MFA) for an AWS IAM user. It leverages AWS CloudTrail logs to identify events where + MFA devices are deleted or deactivated. This activity is significant because disabling + MFA can indicate an adversary attempting to weaken account security, potentially + to maintain persistence using a compromised account. If confirmed malicious, this + action could allow attackers to retain access to the AWS environment without detection, + posing a significant risk to the security and integrity of the cloud infrastructure. data_source: - AWS CloudTrail DeleteVirtualMFADevice - AWS CloudTrail DeactivateMFADevice @@ -72,7 +74,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/aws_mfa_disabled/cloudtrail.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/aws_mfa_disabled/cloudtrail.json sourcetype: aws:cloudtrail source: aws_cloudtrail update_timestamp: true diff --git a/detections/cloud/aws_multiple_failed_mfa_requests_for_user.yml b/detections/cloud/aws_multiple_failed_mfa_requests_for_user.yml index 6f2d7972eb..9252883794 100644 --- a/detections/cloud/aws_multiple_failed_mfa_requests_for_user.yml +++ b/detections/cloud/aws_multiple_failed_mfa_requests_for_user.yml @@ -1,23 +1,18 @@ name: AWS Multiple Failed MFA Requests For User id: 1fece617-e614-4329-9e61-3ba228c0f353 -version: 1 -date: '2022-10-03' +version: 2 +date: '2024-05-31' author: Bhavin Patel status: production type: Anomaly description: The following analytic identifies multiple failed multi-factor authentication - requests to an AWS Console for a single user. AWS CloudTrail logs provide a a very - useful field called `additionalEventData` that logs information regarding usage - of MFA. Specifically, the analytic triggers when more than 10 MFA user prompts fail - within 10 minutes. AWS Environments can be very different depending on the organization, - Security teams should test this detection and customize these arbitrary thresholds. - The detected behavior may represent an adversary who has obtained legitimate credentials - for a user and continuously repeats login attempts in order to bombard users with - MFA push notifications, SMS messages, and phone calls potentially resulting in the - user finally accepting the authentication request. Threat actors like the Lapsus - team and APT29 have leveraged this technique to bypass multi-factor authentication - controls as reported by Mandiant and others. -data_source: + (MFA) requests to an AWS Console for a single user. It leverages AWS CloudTrail + logs, specifically the `additionalEventData` field, to detect more than 10 failed + MFA prompts within 5 minutes. This activity is significant as it may indicate an + adversary attempting to bypass MFA by bombarding the user with repeated authentication + requests. If confirmed malicious, this could lead to unauthorized access to the + AWS environment, potentially compromising sensitive data and resources. +data_source: - AWS CloudTrail ConsoleLogin search: '`cloudtrail` eventName= ConsoleLogin "additionalEventData.MFAUsed"=Yes errorMessage="Failed authentication" | bucket span=5m _time | stats dc(_raw) as mfa_prompts values(userAgent) @@ -72,7 +67,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/aws_failed_mfa/cloudtrail.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/aws_failed_mfa/cloudtrail.json sourcetype: aws:cloudtrail source: aws_cloudtrail update_timestamp: true diff --git a/detections/cloud/aws_multiple_users_failing_to_authenticate_from_ip.yml b/detections/cloud/aws_multiple_users_failing_to_authenticate_from_ip.yml index 0a54ea860a..4073132f6f 100644 --- a/detections/cloud/aws_multiple_users_failing_to_authenticate_from_ip.yml +++ b/detections/cloud/aws_multiple_users_failing_to_authenticate_from_ip.yml @@ -1,19 +1,23 @@ name: AWS Multiple Users Failing To Authenticate From Ip id: 71e1fb89-dd5f-4691-8523-575420de4630 -version: 1 -date: '2022-09-27' +version: 2 +date: '2024-05-10' author: Bhavin Patel status: production type: Anomaly -description: The following analytic identifies one source Ip failing to authenticate - into the AWS Console with 30 unique valid users within 10 minutes. This behavior - could represent an adversary performing a Password Spraying attack against an AWS - environment tenant to obtain initial access or elevate privileges. -data_source: +description: The following analytic identifies a single source IP failing to authenticate + into the AWS Console with 30 unique valid users within 10 minutes. It leverages + CloudTrail logs to detect multiple failed login attempts from the same IP address. + This behavior is significant as it may indicate a Password Spraying attack, where + an adversary attempts to gain unauthorized access or elevate privileges by trying + common passwords across many accounts. If confirmed malicious, this activity could + lead to unauthorized access, data breaches, or further exploitation within the AWS + environment. +data_source: - AWS CloudTrail ConsoleLogin search: '`cloudtrail` eventName=ConsoleLogin action=failure | bucket span=10m _time - | stats dc(user_name) AS unique_accounts values(user_name) as tried_accounts by _time, - src_ip |`aws_unusual_number_of_failed_authentications_from_ip_filter`' + | stats dc(user_name) AS unique_accounts values(user_name) as tried_accounts by _time, src_ip + | `aws_multiple_users_failing_to_authenticate_from_ip_filter`' how_to_implement: You must install Splunk Add-on for AWS in order to ingest Cloudtrail. We recommend the users to try different combinations of the bucket span time and the tried account threshold to tune this search according to their environment. @@ -30,7 +34,8 @@ tags: asset_type: AWS Account confidence: 90 impact: 60 - message: 'Multiple failed console login attempts (Count: $unique_accounts$) against users from IP Address - $src_ip$' + message: 'Multiple failed console login attempts (Count: $unique_accounts$) against + users from IP Address - $src_ip$' mitre_attack_id: - T1110 - T1110.003 @@ -56,10 +61,12 @@ tags: - src_ip risk_score: 54 security_domain: threat - manual_test: This search needs a specific number of events in a time window for the alert to trigger and events split up in CI testing while updating timestamp. + manual_test: This search needs a specific number of events in a time window for + the alert to trigger and events split up in CI testing while updating timestamp. tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/aws_mulitple_failed_console_login/aws_cloudtrail.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/aws_mulitple_failed_console_login/aws_cloudtrail.json source: aws_cloudtrail sourcetype: aws:cloudtrail diff --git a/detections/cloud/aws_network_access_control_list_deleted.yml b/detections/cloud/aws_network_access_control_list_deleted.yml index 6d5ab5319c..f0c511b5a3 100644 --- a/detections/cloud/aws_network_access_control_list_deleted.yml +++ b/detections/cloud/aws_network_access_control_list_deleted.yml @@ -1,16 +1,18 @@ name: AWS Network Access Control List Deleted id: ada0f478-84a8-4641-a3f1-d82362d6fd75 -version: 2 -date: '2021-01-12' +version: 3 +date: '2024-05-15' author: Bhavin Patel, Patrick Bareiss, Splunk status: production type: Anomaly -description: Enforcing network-access controls is one of the defensive mechanisms - used by cloud administrators to restrict access to a cloud instance. After the attacker - has gained control of the AWS console by compromising an admin account, they can - delete a network ACL and gain access to the instance from anywhere. This search - will query the AWS CloudTrail logs to detect users deleting network ACLs. -data_source: +description: The following analytic detects the deletion of AWS Network Access Control + Lists (ACLs). It leverages AWS CloudTrail logs to identify events where a user deletes + a network ACL entry. This activity is significant because deleting a network ACL + can remove critical access restrictions, potentially allowing unauthorized access + to cloud instances. If confirmed malicious, this action could enable attackers to + bypass network security controls, leading to unauthorized access, data exfiltration, + or further compromise of the cloud environment. +data_source: - AWS CloudTrail DeleteNetworkAclEntry search: '`cloudtrail` eventName=DeleteNetworkAclEntry requestParameters.egress=false | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by user_arn @@ -59,7 +61,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.007/aws_delete_acl/aws_cloudtrail_events.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.007/aws_delete_acl/aws_cloudtrail_events.json sourcetype: aws:cloudtrail source: aws_cloudtrail update_timestamp: true diff --git a/detections/cloud/aws_password_policy_changes.yml b/detections/cloud/aws_password_policy_changes.yml index b44c1d4b65..af1c3de763 100644 --- a/detections/cloud/aws_password_policy_changes.yml +++ b/detections/cloud/aws_password_policy_changes.yml @@ -1,16 +1,18 @@ name: AWS Password Policy Changes id: aee4a575-7064-4e60-b511-246f9baf9895 -version: 1 -date: '2023-01-26' +version: 2 +date: '2024-05-10' author: Bhavin Patel, Splunk status: production type: Hunting -description: This search looks for AWS CloudTrail events where a user is making successful - API calls to view/update/delete the existing password policy in an AWS organization. - It is unlikely for a regular user to conduct this operation. These events may potentially - be malicious, adversaries often use this information to gain more understanding - of the password defenses in place and exploit them to increase their attack surface - when a user account is compromised. +description: The following analytic detects successful API calls to view, update, + or delete the password policy in an AWS organization. It leverages AWS CloudTrail + logs to identify events such as "UpdateAccountPasswordPolicy," "GetAccountPasswordPolicy," + and "DeleteAccountPasswordPolicy." This activity is significant because it is uncommon + for regular users to perform these actions, and such changes can indicate an adversary + attempting to understand or weaken password defenses. If confirmed malicious, this + could lead to compromised accounts and increased attack surface, potentially allowing + unauthorized access and control over AWS resources. data_source: - AWS CloudTrail UpdateAccountPasswordPolicy - AWS CloudTrail GetAccountPasswordPolicy @@ -66,7 +68,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1201/aws_password_policy/cloudtrail.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1201/aws_password_policy/cloudtrail.json sourcetype: aws:cloudtrail source: aws_cloudtrail update_timestamp: true diff --git a/detections/cloud/aws_s3_exfiltration_behavior_identified.yml b/detections/cloud/aws_s3_exfiltration_behavior_identified.yml index b00f8b1097..9c7d68f30e 100644 --- a/detections/cloud/aws_s3_exfiltration_behavior_identified.yml +++ b/detections/cloud/aws_s3_exfiltration_behavior_identified.yml @@ -1,18 +1,35 @@ name: AWS S3 Exfiltration Behavior Identified id: 85096389-a443-42df-b89d-200efbb1b560 -version: 2 -date: '2023-11-07' +version: 3 +date: '2024-05-13' author: Bhavin Patel, Splunk status: production type: Correlation -data_source: [] -description: This correlation search looks at the risk events created by the detection analytics related Collection and Exfiltration techniques used by adversaries. The rule is designed to identify instances where 2 or more analytics unique AWS analytics and 2 or more distinct mitre IDs has triggered for a particular risk object. This alert when triggered may indicate a potential exfiltration in progress. By aggregating these analytics, security teams can swiftly respond to and investigate any suspicious activities, enhancing their ability to protect critical assets and prevent unauthorized access to sensitive information. -search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count values(All_Risk.risk_message) as risk_message from datamodel=Risk.All_Risk where All_Risk.annotations.mitre_attack.mitre_tactic = "collection" OR All_Risk.annotations.mitre_attack.mitre_tactic = "exfiltration" source = *AWS* by All_Risk.risk_object - | `drop_dm_object_name(All_Risk)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | where source_count >= 2 and mitre_tactic_id_count>=2 | `aws_s3_exfiltration_behavior_identified_filter`' -how_to_implement: You must enable all the detection searches in the Data Exfiltration Analytic story to create risk events in Enterprise Security. -known_false_positives: alse positives may be present based on automated tooling or system administrators. Filter as needed. +data_source: [] +description: The following analytic identifies potential AWS S3 exfiltration behavior + by correlating multiple risk events related to Collection and Exfiltration techniques. + It leverages risk events from AWS sources, focusing on instances where two or more + unique analytics and distinct MITRE ATT&CK IDs are triggered for a specific risk + object. This activity is significant as it may indicate an ongoing data exfiltration + attempt, which is critical for security teams to monitor. If confirmed malicious, + this could lead to unauthorized access and theft of sensitive information, compromising + the organization's data integrity and confidentiality. +search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) + as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) + as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as + annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) + as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) + as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) + as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, + dc(source) as source_count values(All_Risk.risk_message) as risk_message from datamodel=Risk.All_Risk + where All_Risk.annotations.mitre_attack.mitre_tactic = "collection" OR All_Risk.annotations.mitre_attack.mitre_tactic + = "exfiltration" source = *AWS* by All_Risk.risk_object | `drop_dm_object_name(All_Risk)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where + source_count >= 2 and mitre_tactic_id_count>=2 | `aws_s3_exfiltration_behavior_identified_filter`' +how_to_implement: You must enable all the detection searches in the Data Exfiltration + Analytic story to create risk events in Enterprise Security. +known_false_positives: alse positives may be present based on automated tooling or + system administrators. Filter as needed. references: - https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/ - https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot/ @@ -24,7 +41,8 @@ tags: asset_type: AWS Account confidence: 90 impact: 90 - message: Multiple AWS Exfiltration detections $source$ and techniques $annotations.mitre_attack.mitre_tactic_id$ trigged for risk object $risk_object$ + message: Multiple AWS Exfiltration detections $source$ and techniques $annotations.mitre_attack.mitre_tactic_id$ + trigged for risk object $risk_object$ mitre_attack_id: - T1537 observable: @@ -48,7 +66,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1537/aws_exfil_risk_events/aws_risk.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1537/aws_exfil_risk_events/aws_risk.log sourcetype: stash source: aws_exfil update_timestamp: true diff --git a/detections/cloud/aws_saml_access_by_provider_user_and_principal.yml b/detections/cloud/aws_saml_access_by_provider_user_and_principal.yml index de2a15b82c..949c17ac09 100644 --- a/detections/cloud/aws_saml_access_by_provider_user_and_principal.yml +++ b/detections/cloud/aws_saml_access_by_provider_user_and_principal.yml @@ -1,15 +1,19 @@ name: AWS SAML Access by Provider User and Principal id: bbe23980-6019-11eb-ae93-0242ac130002 -version: 1 -date: '2021-01-26' +version: 2 +date: '2024-05-23' author: Rod Soto, Splunk status: production type: Anomaly -description: This search provides specific SAML access from specific Service Provider, - user and targeted principal at AWS. This search provides specific information to - detect abnormal access or potential credential hijack or forgery, specially in federated - environments using SAML protocol inside the perimeter or cloud provider. -data_source: +description: The following analytic identifies specific SAML access events by a service + provider, user, and targeted principal within AWS. It leverages AWS CloudTrail logs + to detect the `AssumeRoleWithSAML` event, analyzing fields such as `principalArn`, + `roleArn`, and `roleSessionName`. This activity is significant as it can indicate + abnormal access patterns or potential credential hijacking, especially in federated + environments using the SAML protocol. If confirmed malicious, this could allow attackers + to assume roles and gain unauthorized access to sensitive AWS resources, leading + to data breaches or further exploitation. +data_source: - AWS CloudTrail AssumeRoleWithSAML search: '`cloudtrail` eventName=Assumerolewithsaml | stats count min(_time) as firstTime max(_time) as lastTime by eventName requestParameters.principalArn requestParameters.roleArn @@ -67,7 +71,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/assume_role_with_saml/assume_role_with_saml.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/assume_role_with_saml/assume_role_with_saml.json sourcetype: aws:cloudtrail source: aws_cloudtrail update_timestamp: true diff --git a/detections/cloud/aws_saml_update_identity_provider.yml b/detections/cloud/aws_saml_update_identity_provider.yml index b4f08fcbd3..d1da02fe30 100644 --- a/detections/cloud/aws_saml_update_identity_provider.yml +++ b/detections/cloud/aws_saml_update_identity_provider.yml @@ -1,15 +1,19 @@ name: AWS SAML Update identity provider id: 2f0604c6-6030-11eb-ae93-0242ac130002 -version: 1 -date: '2021-01-26' +version: 2 +date: '2024-05-19' author: Rod Soto, Splunk status: production type: TTP -description: This search provides detection of updates to SAML provider in AWS. Updates - to SAML provider need to be monitored closely as they may indicate possible perimeter - compromise of federated credentials, or backdoor access from another cloud provider - set by attacker. -data_source: +description: The following analytic detects updates to the SAML provider in AWS. It + leverages AWS CloudTrail logs to identify the `UpdateSAMLProvider` event, analyzing + fields such as `sAMLProviderArn`, `sourceIPAddress`, and `userIdentity` details. + Monitoring updates to the SAML provider is crucial as it may indicate a perimeter + compromise of federated credentials or unauthorized backdoor access set by an attacker. + If confirmed malicious, this activity could allow attackers to manipulate identity + federation, potentially leading to unauthorized access to cloud resources and sensitive + data. +data_source: - AWS CloudTrail UpdateSAMLProvider search: '`cloudtrail` eventName=UpdateSAMLProvider | stats count min(_time) as firstTime max(_time) as lastTime by eventType eventName requestParameters.sAMLProviderArn @@ -63,7 +67,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/update_saml_provider/update_saml_provider.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/update_saml_provider/update_saml_provider.json sourcetype: aws:cloudtrail source: aws_cloudtrail update_timestamp: true diff --git a/detections/cloud/aws_setdefaultpolicyversion.yml b/detections/cloud/aws_setdefaultpolicyversion.yml index 890ed9b643..fd4ef5cde3 100644 --- a/detections/cloud/aws_setdefaultpolicyversion.yml +++ b/detections/cloud/aws_setdefaultpolicyversion.yml @@ -1,15 +1,18 @@ name: AWS SetDefaultPolicyVersion id: 2a9b80d3-6340-4345-11ad-212bf3d0dac4 -version: 1 -date: '2021-03-02' +version: 2 +date: '2024-05-16' author: Bhavin Patel, Splunk status: production type: TTP -description: This search looks for AWS CloudTrail events where a user has set a default - policy versions. Attackers have been know to use this technique for Privilege Escalation - in case the previous versions of the policy had permissions to access more resources - than the current version of the policy -data_source: +description: The following analytic detects when a user sets a default policy version + in AWS. It leverages AWS CloudTrail logs to identify the `SetDefaultPolicyVersion` + event from the IAM service. This activity is significant because attackers may exploit + this technique for privilege escalation, especially if previous policy versions + grant more extensive permissions than the current one. If confirmed malicious, this + could allow an attacker to gain elevated access to AWS resources, potentially leading + to unauthorized actions and data breaches. +data_source: - AWS CloudTrail SetDefaultPolicyVersion search: '`cloudtrail` eventName=SetDefaultPolicyVersion eventSource = iam.amazonaws.com | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.policyArn) @@ -31,8 +34,8 @@ tags: asset_type: AWS Account confidence: 60 impact: 50 - message: From IP address $src$, user $user_arn$ has trigged an - event $eventName$ for updating the the default policy version + message: From IP address $src$, user $user_arn$ has trigged an event $eventName$ + for updating the the default policy version mitre_attack_id: - T1078.004 - T1078 @@ -61,7 +64,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_setdefaultpolicyversion/aws_cloudtrail_events.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_setdefaultpolicyversion/aws_cloudtrail_events.json sourcetype: aws:cloudtrail source: aws_cloudtrail update_timestamp: true diff --git a/detections/cloud/aws_successful_console_authentication_from_multiple_ips.yml b/detections/cloud/aws_successful_console_authentication_from_multiple_ips.yml index 8539506325..7e324252e3 100644 --- a/detections/cloud/aws_successful_console_authentication_from_multiple_ips.yml +++ b/detections/cloud/aws_successful_console_authentication_from_multiple_ips.yml @@ -1,21 +1,22 @@ name: AWS Successful Console Authentication From Multiple IPs id: 395e50e1-2b87-4fa3-8632-0dfbdcbcd2cb -version: 2 -date: '2023-11-07' +version: 3 +date: '2024-05-26' author: Bhavin Patel, Splunk status: production type: Anomaly -description: The following analytic identifies an AWS account successfully authenticating - from more than one unique Ip address in the span of 5 minutes. This behavior could - represent an adversary who has stolen credentials via a phishing attack or some - other method and using them to access corporate online resources around the same - time as a legitimate user. As users may behave differently across organizations, - security teams should test and customize this detection to fit their environments. -data_source: +description: The following analytic detects an AWS account successfully authenticating + from multiple unique IP addresses within a 5-minute window. It leverages AWS CloudTrail + logs, specifically monitoring `ConsoleLogin` events and counting distinct source + IPs. This behavior is significant as it may indicate compromised credentials, potentially + from a phishing attack, being used concurrently by an adversary and a legitimate + user. If confirmed malicious, this activity could allow unauthorized access to corporate + resources, leading to data breaches or further exploitation within the AWS environment. +data_source: - AWS CloudTrail ConsoleLogin -search: ' `cloudtrail` eventName = ConsoleLogin | bin span=5m _time | stats values(userAgent) as userAgent - values(eventName) as eventName values(src_ip) as src_ip dc(src_ip) as distinct_ip_count by _time user_arn - | where distinct_ip_count>1 | `aws_successful_console_authentication_from_multiple_ips_filter`' +search: ' `cloudtrail` eventName = ConsoleLogin | bin span=5m _time | stats values(userAgent) + as userAgent values(eventName) as eventName values(src_ip) as src_ip dc(src_ip) + as distinct_ip_count by _time user_arn | where distinct_ip_count>1 | `aws_successful_console_authentication_from_multiple_ips_filter`' how_to_implement: You must install Splunk AWS add on and Splunk App for AWS. This search works when AWS CloudTrail events are normalized use the Authentication datamodel. known_false_positives: A user with successful authentication events from different @@ -59,7 +60,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1586.003/aws_console_login_multiple_ips/cloudtrail.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1586.003/aws_console_login_multiple_ips/cloudtrail.json sourcetype: aws:cloudtrail source: aws_cloudtrail update_timestamp: true diff --git a/detections/cloud/aws_successful_single_factor_authentication.yml b/detections/cloud/aws_successful_single_factor_authentication.yml index a9aaf07302..762f71e260 100644 --- a/detections/cloud/aws_successful_single_factor_authentication.yml +++ b/detections/cloud/aws_successful_single_factor_authentication.yml @@ -1,15 +1,18 @@ name: AWS Successful Single-Factor Authentication id: a520b1fe-cc9e-4f56-b762-18354594c52f -version: 1 -date: '2022-10-04' +version: 2 +date: '2024-05-12' author: Bhavin Patel, Splunk status: production type: TTP description: The following analytic identifies a successful Console Login authentication - event against an AWS IAM user for an account without Multi-Factor Authentication - enabled. This could be evidence of a misconfiguration, a policy violation or an - account take over attempt that should be investigated -data_source: + event for an AWS IAM user account without Multi-Factor Authentication (MFA) enabled. + It leverages AWS CloudTrail logs to detect instances where MFA was not used during + login. This activity is significant as it may indicate a misconfiguration, policy + violation, or potential account takeover attempt. If confirmed malicious, an attacker + could gain unauthorized access to the AWS environment, potentially leading to data + exfiltration, resource manipulation, or further privilege escalation. +data_source: - AWS CloudTrail ConsoleLogin search: '`cloudtrail` eventName= ConsoleLogin errorCode=success "additionalEventData.MFAUsed"=No | stats count min(_time) as firstTime max(_time) as lastTime by src eventName eventSource @@ -67,7 +70,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/aws_login_sfa/cloudtrail.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/aws_login_sfa/cloudtrail.json sourcetype: aws:cloudtrail source: aws_cloudtrail update_timestamp: true diff --git a/detections/cloud/aws_unusual_number_of_failed_authentications_from_ip.yml b/detections/cloud/aws_unusual_number_of_failed_authentications_from_ip.yml index 17b0be2de1..f7fb8db8f0 100644 --- a/detections/cloud/aws_unusual_number_of_failed_authentications_from_ip.yml +++ b/detections/cloud/aws_unusual_number_of_failed_authentications_from_ip.yml @@ -1,28 +1,23 @@ name: AWS Unusual Number of Failed Authentications From Ip id: 0b5c9c2b-e2cb-4831-b4f1-af125ceb1386 -version: 2 -date: '2023-11-07' +version: 3 +date: '2024-05-24' author: Bhavin Patel, Splunk status: production type: Anomaly -description: The following analytic identifies one source IP failing to authenticate - into the AWS Console with multiple valid users. This behavior could represent an - adversary performing a Password Spraying attack against an AWS environment to obtain - initial access or elevate privileges. The detection calculates the standard deviation - for source IP and leverages the 3-sigma statistical rule to identify an unusual - number of failed authentication attempts. To customize this analytic, users can - try different combinations of the bucket span time and the calculation of the upperBound - field. This logic can be used for real time security monitoring as well as threat - hunting exercises. While looking for anomalies using statistical methods like the - standard deviation can have benefits, we also recommend using threshold-based detections - to complement coverage. A similar analytic following the threshold model is `AWS - Multiple Users Failing To Authenticate From Ip`. -data_source: +description: The following analytic identifies a single source IP failing to authenticate + into the AWS Console with multiple valid users. It uses CloudTrail logs and calculates + the standard deviation for source IP, leveraging the 3-sigma rule to detect unusual + numbers of failed authentication attempts. This behavior is significant as it may + indicate a Password Spraying attack, where an adversary attempts to gain initial + access or elevate privileges. If confirmed malicious, this activity could lead to + unauthorized access, data breaches, or further exploitation within the AWS environment. +data_source: - AWS CloudTrail ConsoleLogin search: '`cloudtrail` eventName=ConsoleLogin action=failure | bucket span=10m _time | stats dc(_raw) AS distinct_attempts values(user_name) as tried_accounts by _time, - src_ip | eventstats avg(distinct_attempts) as avg_attempts , stdev(distinct_attempts) as - ip_std by _time | eval upperBound=(avg_attempts+ip_std*3) | eval isOutlier=if(distinct_attempts + src_ip | eventstats avg(distinct_attempts) as avg_attempts , stdev(distinct_attempts) + as ip_std by _time | eval upperBound=(avg_attempts+ip_std*3) | eval isOutlier=if(distinct_attempts > 10 and distinct_attempts >= upperBound, 1, 0) | where isOutlier = 1 |`aws_unusual_number_of_failed_authentications_from_ip_filter`' how_to_implement: You must install Splunk Add-on for AWS in order to ingest Cloudtrail. We recommend the users to try different combinations of the bucket span time and @@ -39,7 +34,8 @@ tags: asset_type: AWS Account confidence: 90 impact: 60 - message: 'Unusual number of failed console login attempts (Count: $distinct_attempts$) against users from IP Address - $src_ip$' + message: 'Unusual number of failed console login attempts (Count: $distinct_attempts$) + against users from IP Address - $src_ip$' mitre_attack_id: - T1586 - T1586.003 @@ -70,7 +66,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/aws_mulitple_failed_console_login/aws_cloudtrail.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/aws_mulitple_failed_console_login/aws_cloudtrail.json source: aws_cloudtrail sourcetype: aws:cloudtrail update_timestamp: true diff --git a/detections/cloud/aws_updateloginprofile.yml b/detections/cloud/aws_updateloginprofile.yml index 40da71dba3..1ff20b3915 100644 --- a/detections/cloud/aws_updateloginprofile.yml +++ b/detections/cloud/aws_updateloginprofile.yml @@ -1,15 +1,19 @@ name: AWS UpdateLoginProfile id: 2a9b80d3-6a40-4115-11ad-212bf3d0d111 -version: 3 -date: '2022-03-03' +version: 4 +date: '2024-05-17' author: Bhavin Patel, Splunk status: production type: TTP -description: This search looks for AWS CloudTrail events where a user A who has already - permission to update login profile, makes an API call to update login profile for - another user B . Attackers have been know to use this technique for Privilege Escalation - in case new victim(user B) has more permissions than old victim(user B) -data_source: +description: The following analytic detects an AWS CloudTrail event where a user with + permissions updates the login profile of another user. It leverages CloudTrail logs + to identify instances where the user making the change is different from the user + whose profile is being updated. This activity is significant because it can indicate + privilege escalation attempts, where an attacker uses a compromised account to gain + higher privileges. If confirmed malicious, this could allow the attacker to escalate + their privileges, potentially leading to unauthorized access and control over sensitive + resources within the AWS environment. +data_source: - AWS CloudTrail UpdateLoginProfile search: ' `cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success | eval match=if(match(userIdentity.userName,requestParameters.userName), @@ -30,9 +34,9 @@ tags: asset_type: AWS Account confidence: 60 impact: 50 - message: From IP address $src$, user agent $userAgent$ has trigged an - event $eventName$ for updating the existing login profile, potentially giving - user $user_arn$ more access privilleges + message: From IP address $src$, user agent $userAgent$ has trigged an event $eventName$ + for updating the existing login profile, potentially giving user $user_arn$ more + access privilleges mitre_attack_id: - T1136.003 - T1136 @@ -60,7 +64,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_updateloginprofile/aws_cloudtrail_events.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_updateloginprofile/aws_cloudtrail_events.json sourcetype: aws:cloudtrail source: aws_cloudtrail update_timestamp: true diff --git a/detections/cloud/azure_active_directory_high_risk_sign_in.yml b/detections/cloud/azure_active_directory_high_risk_sign_in.yml index 1ecb867cf1..7f07462ef4 100644 --- a/detections/cloud/azure_active_directory_high_risk_sign_in.yml +++ b/detections/cloud/azure_active_directory_high_risk_sign_in.yml @@ -1,26 +1,28 @@ name: Azure Active Directory High Risk Sign-in id: 1ecff169-26d7-4161-9a7b-2ac4c8e61bea -version: 2 -date: '2023-12-20' +version: 3 +date: '2024-05-22' author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk status: production type: TTP -description: The following analytic triggers on a high risk sign-in against Azure - Active Directory identified by Azure Identity Protection. Identity Protection monitors - sign-in events using heuristics and machine learning to identify potentially malicious - events and categorizes them in three categories high, medium and low. -data_source: -- Azure Active Directory -search: ' `azure_monitor_aad` category=UserRiskEvents properties.riskLevel=high - | rename properties.* as * - | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip, activity, riskLevel, riskEventType, additionalInfo - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `azure_active_directory_high_risk_sign_in_filter`' +description: The following analytic detects high-risk sign-in attempts against Azure + Active Directory, identified by Azure Identity Protection. It leverages the RiskyUsers + and UserRiskEvents log categories from Azure AD events ingested via EventHub. This + activity is significant as it indicates potentially compromised accounts, flagged + by heuristics and machine learning. If confirmed malicious, attackers could gain + unauthorized access to sensitive resources, leading to data breaches or further + exploitation within the environment. +data_source: +- Azure Active Directory +search: ' `azure_monitor_aad` category=UserRiskEvents properties.riskLevel=high | + rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime + values(user) as user by src_ip, activity, riskLevel, riskEventType, additionalInfo + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_active_directory_high_risk_sign_in_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). - You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. - Specifically, this analytic leverages the RiskyUsers and UserRiskEvents log category in the azure:monitor:aad sourcetype. + You must be ingesting Azure Active Directory events into your Splunk environment + through an EventHub. Specifically, this analytic leverages the RiskyUsers and UserRiskEvents + log category in the azure:monitor:aad sourcetype. known_false_positives: Details for the risk calculation algorithm used by Identity Protection are unknown and may be prone to false positives. references: @@ -67,7 +69,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/azuread_highrisk/azure-audit.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/azuread_highrisk/azure-audit.log source: Azure AD sourcetype: azure:monitor:aad update_timestamp: true diff --git a/detections/cloud/azure_ad_admin_consent_bypassed_by_service_principal.yml b/detections/cloud/azure_ad_admin_consent_bypassed_by_service_principal.yml index 46a75df4f1..33c9cab5e2 100644 --- a/detections/cloud/azure_ad_admin_consent_bypassed_by_service_principal.yml +++ b/detections/cloud/azure_ad_admin_consent_bypassed_by_service_principal.yml @@ -1,30 +1,42 @@ name: Azure AD Admin Consent Bypassed by Service Principal id: 9d4fea43-9182-4c5a-ada8-13701fd5615d -version: 1 -date: '2024-02-09' +version: 2 +date: '2024-05-29' author: Mauricio Velazco, Splunk -data_source: +data_source: - Azure Active Directory Add app role assignment to service principal type: TTP status: production -description: This detection focuses on identifying instances in Azure Active Directory where a service principal assigns app roles without standard admin consent, using Entra ID logs. It operates on the azure_monitor_aad data source, scrutinizing the "Add app role assignment to service principal" operation, specifically from service principals. The query dissects details such as role ID, value, and description, important for understanding the nature of the roles being assigned. Monitoring this in a SOC is critical as it flags potential bypasses of vital administrative consent processes in Azure AD, which could result in unauthorized privileges being granted. A true positive detection suggests that a service principal may be exploiting automation to assign sensitive permissions without proper oversight. -search: >- - `azure_monitor_aad` operationName="Add app role assignment to service principal" src_user_type=servicePrincipal - | rename properties.* as * - | eval roleId = mvindex('targetResources{}.modifiedProperties{}.newValue', 0) +description: The following analytic identifies instances where a service principal + in Azure Active Directory assigns app roles without standard admin consent. It uses + Entra ID logs from the `azure_monitor_aad` data source, focusing on the "Add app + role assignment to service principal" operation. This detection is significant as + it highlights potential bypasses of critical administrative consent processes, which + could lead to unauthorized privileges being granted. If confirmed malicious, this + activity could allow attackers to exploit automation to assign sensitive permissions + without proper oversight, potentially compromising the security of the Azure AD + environment. +search: >- + `azure_monitor_aad` operationName="Add app role assignment to service principal" + src_user_type=servicePrincipal + | rename properties.* as * | eval roleId = mvindex('targetResources{}.modifiedProperties{}.newValue', + 0) | eval roleValue = mvindex('targetResources{}.modifiedProperties{}.newValue', 1) - | eval roleDescription = mvindex('targetResources{}.modifiedProperties{}.newValue', 2) + | eval roleDescription = mvindex('targetResources{}.modifiedProperties{}.newValue', + 2) | eval dest_user = mvindex('targetResources{}.id', 0) | rename initiatedBy.app.displayName as src_user - | stats count earliest(_time) as firstTime latest(_time) as lastTime by src_user dest_user roleId roleValue roleDescription + | stats count earliest(_time) as firstTime latest(_time) as lastTime by src_user + dest_user roleId roleValue roleDescription | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `azure_ad_admin_consent_bypassed_by_service_principal_filter` + | `security_content_ctime(lastTime)` | `azure_ad_admin_consent_bypassed_by_service_principal_filter` how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. - This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Auditlog log category -known_false_positives: Service Principals are sometimes configured to legitimately bypass the consent process for purposes of automation. Filter as needed. + This analytic was written to be used with the azure:monitor:aad sourcetype leveraging + the Auditlog log category +known_false_positives: Service Principals are sometimes configured to legitimately + bypass the consent process for purposes of automation. Filter as needed. references: - https://attack.mitre.org/techniques/T1098/003/ tags: @@ -34,7 +46,8 @@ tags: asset_type: Azure Active Directory confidence: 60 impact: 90 - message: Service principal $src_user$ bypassed the admin consent process and granted permissions to $dest_user$ + message: Service principal $src_user$ bypassed the admin consent process and granted + permissions to $dest_user$ mitre_attack_id: - T1098.003 observable: @@ -56,7 +69,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_bypass_admin_consent/azure_ad_bypass_admin_consent.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_bypass_admin_consent/azure_ad_bypass_admin_consent.log source: Azure AD sourcetype: azure:monitor:aad update_timestamp: true diff --git a/detections/cloud/azure_ad_application_administrator_role_assigned.yml b/detections/cloud/azure_ad_application_administrator_role_assigned.yml index 53a7344a0b..f527f11123 100644 --- a/detections/cloud/azure_ad_application_administrator_role_assigned.yml +++ b/detections/cloud/azure_ad_application_administrator_role_assigned.yml @@ -1,29 +1,30 @@ name: Azure AD Application Administrator Role Assigned id: eac4de87-7a56-4538-a21b-277897af6d8d -version: 2 -date: '2023-12-20' +version: 3 +date: '2024-05-15' author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk status: production type: TTP -data_source: +data_source: - Azure Active Directory Add member to role -description: The following analytic identifies the assignment of the Application Administrator role to an Azure AD user. Users in this role can create and manage all - aspects of enterprise applications, application registrations, and application proxy settings. This role also grants the ability to manage application credentials. - Users assigned this role can add credentials to an application, and use those credentials to impersonate the applications identity. If the applications identity has - been granted access to a resource, such as the ability to create or update User or other objects, then a user assigned to this role could perform those actions while - impersonating the application. This ability to impersonate the applications identity may be an elevation of privilege over what the user can do via their role assignments. - Red teams and adversaries alike may abuse this role to escalate their privileges in an Azure AD tenant. -search: ' `azure_monitor_aad` "operationName"="Add member to role" "properties.targetResources{}.modifiedProperties{}.newValue"="\"Application Administrator\"" - | rename properties.* as * - | rename initiatedBy.user.userPrincipalName as initiatedBy - | stats count min(_time) as firstTime max(_time) as lastTime by user initiatedBy, result, operationName - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +description: The following analytic identifies the assignment of the Application Administrator + role to an Azure AD user. It leverages Azure Active Directory events, specifically + monitoring the "Add member to role" operation. This activity is significant because + users in this role can manage all aspects of enterprise applications, including + credentials, which can be used to impersonate application identities. If confirmed + malicious, an attacker could escalate privileges, manage application settings, and + potentially access sensitive resources by impersonating application identities, + posing a significant security risk to the Azure AD tenant. +search: ' `azure_monitor_aad` "operationName"="Add member to role" "properties.targetResources{}.modifiedProperties{}.newValue"="\"Application + Administrator\"" | rename properties.* as * | rename initiatedBy.user.userPrincipalName + as initiatedBy | stats count min(_time) as firstTime max(_time) as lastTime by user + initiatedBy, result, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_application_administrator_role_assigned_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. - This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Auditlog log category + This analytic was written to be used with the azure:monitor:aad sourcetype leveraging + the Auditlog log category known_false_positives: Administrators may legitimately assign the Application Administrator role to a user. Filter as needed. references: @@ -39,8 +40,8 @@ tags: atomic_guid: [] confidence: 50 impact: 70 - message: The privileged Azure AD role Application Administrator was assigned for User $user$ initiated - by $initiatedBy$ + message: The privileged Azure AD role Application Administrator was assigned for + User $user$ initiated by $initiatedBy$ mitre_attack_id: - T1098 - T1098.003 @@ -68,7 +69,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_assign_privileged_role/azure-audit.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_assign_privileged_role/azure-audit.log source: Azure AD sourcetype: azure:monitor:aad - update_timestamp: true \ No newline at end of file + update_timestamp: true diff --git a/detections/cloud/azure_ad_authentication_failed_during_mfa_challenge.yml b/detections/cloud/azure_ad_authentication_failed_during_mfa_challenge.yml index ebe0877c31..86627df216 100644 --- a/detections/cloud/azure_ad_authentication_failed_during_mfa_challenge.yml +++ b/detections/cloud/azure_ad_authentication_failed_during_mfa_challenge.yml @@ -1,27 +1,28 @@ name: Azure AD Authentication Failed During MFA Challenge id: e62c9c2e-bf51-4719-906c-3074618fcc1c -version: 2 -date: '2023-12-20' +version: 3 +date: '2024-05-18' author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk status: production type: TTP -description: 'The following analytic identifies an authentication attempt event against - an Azure AD tenant that fails during the Multi Factor Authentication challenge. - Error Code 500121 represents a failed attempt to authenticate using a second factor. - This behavior may represent an adversary trying to authenticate with compromised - credentials for an account that has multi-factor authentication enabled. ' -data_source: +description: 'The following analytic identifies failed authentication attempts against + an Azure AD tenant during the Multi-Factor Authentication (MFA) challenge, specifically + flagged by error code 500121. It leverages Azure AD SignInLogs to detect these events. + This activity is significant as it may indicate an adversary attempting to authenticate + using compromised credentials on an account with MFA enabled. If confirmed malicious, + this could suggest an ongoing effort to bypass MFA protections, potentially leading + to unauthorized access and further compromise of the affected account.' +data_source: - Azure Active Directory search: ' `azure_monitor_aad` category=SignInLogs properties.status.errorCode=500121 - | rename properties.* as * - | stats count min(_time) as firstTime max(_time) as lastTime by user, src_ip, status.additionalDetails, appDisplayName, user_agent - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `azure_ad_authentication_failed_during_mfa_challenge_filter`' + | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime + by user, src_ip, status.additionalDetails, appDisplayName, user_agent | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `azure_ad_authentication_failed_during_mfa_challenge_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). - You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. - This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category. + You must be ingesting Azure Active Directory events into your Splunk environment + through an EventHub. This analytic was written to be used with the azure:monitor:aad + sourcetype leveraging the SignInLogs log category. known_false_positives: Legitimate users may miss to reply the MFA challenge within the time window or deny it by mistake. references: @@ -68,7 +69,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/azuread/azure-audit.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/azuread/azure-audit.log source: Azure AD sourcetype: azure:monitor:aad update_timestamp: true diff --git a/detections/cloud/azure_ad_block_user_consent_for_risky_apps_disabled.yml b/detections/cloud/azure_ad_block_user_consent_for_risky_apps_disabled.yml index bb2c8209ba..75171daea3 100644 --- a/detections/cloud/azure_ad_block_user_consent_for_risky_apps_disabled.yml +++ b/detections/cloud/azure_ad_block_user_consent_for_risky_apps_disabled.yml @@ -1,28 +1,40 @@ name: Azure AD Block User Consent For Risky Apps Disabled id: 875de3d7-09bc-4916-8c0a-0929f4ced3d8 -version: 2 -date: '2023-12-20' +version: 3 +date: '2024-05-23' author: Mauricio Velazco, Splunk status: production type: TTP -data_source: +data_source: - Azure Active Directory Update authorization policy -description: This analytic detects when the risk-based step-up consent security setting in Azure AD is disabled. This setting, when enabled, prevents regular users from granting consent to potentially malicious OAuth applications, requiring an administrative step-up for consent instead. Disabling this feature could expose the organization to OAuth phishing threats.The detection operates by monitoring Azure Active Directory logs for events where the "Update authorization policy" operation is performed. It specifically looks for changes to the "AllowUserConsentForRiskyApps" setting, identifying instances where this setting is switched to "true," effectively disabling the risk-based step-up consent. Monitoring for changes to critical security settings like the "risk-based step-up consent" is vital for maintaining the integrity of an organization's security posture. Disabling this feature can make the environment more susceptible to OAuth phishing attacks, where attackers trick users into granting permissions to malicious applications. Identifying when this setting is disabled can help blue teams to quickly respond, investigate, and potentially uncover targeted phishing campaigns against their users. If an attacker successfully disables the "risk-based step-up consent" and subsequently launches an OAuth phishing campaign, they could gain unauthorized access to user data and other sensitive information within the M365 environment. This could lead to data breaches, unauthorized access to emails, and potentially further compromise within the organization +description: The following analytic detects when the risk-based step-up consent security + setting in Azure AD is disabled. It monitors Azure Active Directory logs for the + "Update authorization policy" operation, specifically changes to the "AllowUserConsentForRiskyApps" + setting. This activity is significant because disabling this feature can expose + the organization to OAuth phishing threats by allowing users to grant consent to + potentially malicious applications. If confirmed malicious, attackers could gain + unauthorized access to user data and sensitive information, leading to data breaches + and further compromise within the organization. search: >- - `azure_monitor_aad` operationName="Update authorization policy" - | rename properties.* as * - | eval index_number = if(mvfind('targetResources{}.modifiedProperties{}.displayName', "AllowUserConsentForRiskyApps") >= 0, mvfind('targetResources{}.modifiedProperties{}.displayName', "AllowUserConsentForRiskyApps"), -1) - | search index_number >= 0 - | eval AllowUserConsentForRiskyApps = mvindex('targetResources{}.modifiedProperties{}.newValue',index_number) - | search AllowUserConsentForRiskyApps = "[true]" - | stats count min(_time) as firstTime max(_time) as lastTime by user, src_ip, operationName, AllowUserConsentForRiskyApps - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `azure_ad_block_user_consent_for_risky_apps_disabled_filter` + `azure_monitor_aad` operationName="Update authorization policy" + | rename properties.* as * | eval index_number = if(mvfind('targetResources{}.modifiedProperties{}.displayName', + "AllowUserConsentForRiskyApps") >= 0, mvfind('targetResources{}.modifiedProperties{}.displayName', + "AllowUserConsentForRiskyApps"), -1) + | search index_number >= 0 | eval AllowUserConsentForRiskyApps = mvindex('targetResources{}.modifiedProperties{}.newValue',index_number) + | search AllowUserConsentForRiskyApps = "[true]" + | stats count min(_time) as firstTime max(_time) as lastTime by user, src_ip, operationName, + AllowUserConsentForRiskyApps + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `azure_ad_block_user_consent_for_risky_apps_disabled_filter` how_to_implement: You must install the latest version of Splunk Add-on for Microsoft - Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. - This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. -known_false_positives: Legitimate changes to the 'risk-based step-up consent' setting by administrators, perhaps as part of a policy update or security assessment, may trigger this alert, necessitating verification of the change's intent and authorization + Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). + You must be ingesting Azure Active Directory events into your Splunk environment + through an EventHub. This analytic was written to be used with the azure:monitor:aad + sourcetype leveraging the AuditLog log category. +known_false_positives: Legitimate changes to the 'risk-based step-up consent' setting + by administrators, perhaps as part of a policy update or security assessment, may + trigger this alert, necessitating verification of the change's intent and authorization references: - https://attack.mitre.org/techniques/T1562/ - https://goodworkaround.com/2020/10/19/a-look-behind-the-azure-ad-permission-classifications-preview/ @@ -58,6 +70,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562/azuread_disable_blockconsent_for_riskapps/azuread_disable_blockconsent_for_riskapps.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562/azuread_disable_blockconsent_for_riskapps/azuread_disable_blockconsent_for_riskapps.log source: Azure Ad sourcetype: azure:monitor:aad diff --git a/detections/cloud/azure_ad_concurrent_sessions_from_different_ips.yml b/detections/cloud/azure_ad_concurrent_sessions_from_different_ips.yml index 399133dfe9..dc0b061ef5 100644 --- a/detections/cloud/azure_ad_concurrent_sessions_from_different_ips.yml +++ b/detections/cloud/azure_ad_concurrent_sessions_from_different_ips.yml @@ -1,30 +1,30 @@ name: Azure AD Concurrent Sessions From Different Ips id: a9126f73-9a9b-493d-96ec-0dd06695490d -version: 2 -date: '2023-12-20' +version: 3 +date: '2024-05-23' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic identifies an Azure AD account with concurrent - sessions coming from more than one unique Ip address within the span of 5 minutes. - This behavior could represent a session hijacking attack whereby an adversary has - extracted cookies from a victims browser and is using them from a different location - to access corporate online resources. As users may behave differently across organizations, - security teams should test and customize this detection to fit their environments. -data_source: +description: The following analytic detects an Azure AD account with concurrent sessions + originating from multiple unique IP addresses within a 5-minute window. It leverages + Azure Active Directory NonInteractiveUserSignInLogs to identify this behavior by + analyzing successful authentication events and counting distinct source IPs per + user. This activity is significant as it may indicate session hijacking, where an + attacker uses stolen session cookies to access corporate resources from a different + location. If confirmed malicious, this could lead to unauthorized access to sensitive + information and potential data breaches. +data_source: - Azure Active Directory search: ' `azure_monitor_aad` properties.authenticationDetails{}.succeeded=true category=NonInteractiveUserSignInLogs - | rename properties.* as * - | bucket span=30m _time - | stats count min(_time) as firstTime max(_time) as lastTime dc(src_ip) AS unique_ips values(src_ip) as src_ip values(appDisplayName) as appDisplayName by user - | where unique_ips > 1 - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `azure_ad_concurrent_sessions_from_different_ips_filter`' + | rename properties.* as * | bucket span=30m _time | stats count min(_time) as firstTime + max(_time) as lastTime dc(src_ip) AS unique_ips values(src_ip) as src_ip values(appDisplayName) + as appDisplayName by user | where unique_ips > 1 | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `azure_ad_concurrent_sessions_from_different_ips_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). - You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. - This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category. + You must be ingesting Azure Active Directory events into your Splunk environment + through an EventHub. This analytic was written to be used with the azure:monitor:aad + sourcetype leveraging the SignInLogs log category. known_false_positives: A user with concurrent sessions from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment. @@ -39,8 +39,8 @@ tags: asset_type: Azure Tenant confidence: 60 impact: 70 - message: User $user$ has concurrent sessions from more than one unique - IP address in the span of 5 minutes. + message: User $user$ has concurrent sessions from more than one unique IP address + in the span of 5 minutes. mitre_attack_id: - T1185 observable: @@ -68,7 +68,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1185/azure_ad_concurrent_sessions_from_different_ips/azuread.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1185/azure_ad_concurrent_sessions_from_different_ips/azuread.log source: Azure AD sourcetype: azure:monitor:aad update_timestamp: true diff --git a/detections/cloud/azure_ad_device_code_authentication.yml b/detections/cloud/azure_ad_device_code_authentication.yml index 1a7f6003a6..9bf37ac615 100644 --- a/detections/cloud/azure_ad_device_code_authentication.yml +++ b/detections/cloud/azure_ad_device_code_authentication.yml @@ -1,31 +1,32 @@ name: Azure AD Device Code Authentication id: d68d8732-6f7e-4ee5-a6eb-737f2b990b91 -version: 2 -date: '2023-12-20' +version: 3 +date: '2024-05-28' author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk status: production type: TTP -data_source: +data_source: - Azure Active Directory -description: The following analytic identifies the execution of the Azure Device Code Phishing attack, - which can lead to Azure Account Take-Over (ATO). The detection leverages Azure AD logs specifically - focusing on authentication requests to identify the attack. This technique involves creating malicious - infrastructure, bypassing Multi-Factor Authentication (MFA), and bypassing Conditional Access Policies (CAPs). - The attack aims to compromise users by sending them phishing emails from attacker-controlled domains and trick - the victims into performing OAuth 2.0 device authentication. A successful execution of this attack can result - in adversaries gaining unauthorized access to Azure AD, Exchange mailboxes, and the target's Outlook Web Application (OWA). - This attack technique was detailed by security researchers including Bobby Cooke, Stephan Borosh, and others. - It's crucial for organizations to be aware of this threat, as it can lead to unauthorized access and potential data breaches. -search: '`azure_monitor_aad` category=SignInLogs "properties.authenticationProtocol"=deviceCode - | rename properties.* as * - | stats count min(_time) as firstTime max(_time) as lastTime by user src_ip, appDisplayName, userAgent - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `azure_ad_device_code_authentication_filter`' +description: The following analytic identifies Azure Device Code Phishing attacks, + which can lead to Azure Account Take-Over (ATO). It leverages Azure AD SignInLogs + to detect suspicious authentication requests using the device code authentication + protocol. This activity is significant as it indicates potential bypassing of Multi-Factor + Authentication (MFA) and Conditional Access Policies (CAPs) through phishing emails. + If confirmed malicious, attackers could gain unauthorized access to Azure AD, Exchange + mailboxes, and Outlook Web Application (OWA), leading to potential data breaches + and unauthorized data access. +search: '`azure_monitor_aad` category=SignInLogs "properties.authenticationProtocol"=deviceCode + | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime + by user src_ip, appDisplayName, userAgent | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `azure_ad_device_code_authentication_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft - Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. - This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category. -known_false_positives: In most organizations, device code authentication will be used to access common Microsoft service but it may be legitimate for others. Filter as needed. + Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). + You must be ingesting Azure Active Directory events into your Splunk environment + through an EventHub. This analytic was written to be used with the azure:monitor:aad + sourcetype leveraging the SignInLogs log category. +known_false_positives: In most organizations, device code authentication will be used + to access common Microsoft service but it may be legitimate for others. Filter as + needed. references: - https://attack.mitre.org/techniques/T1528 - https://github.com/rvrsh3ll/TokenTactics @@ -70,6 +71,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1528/device_code_authentication/azure-audit.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1528/device_code_authentication/azure-audit.log source: Azure AD sourcetype: azure:monitor:aad diff --git a/detections/cloud/azure_ad_external_guest_user_invited.yml b/detections/cloud/azure_ad_external_guest_user_invited.yml index a24b98701b..ccd54623f8 100644 --- a/detections/cloud/azure_ad_external_guest_user_invited.yml +++ b/detections/cloud/azure_ad_external_guest_user_invited.yml @@ -1,31 +1,28 @@ name: Azure AD External Guest User Invited id: c1fb4edb-cab1-4359-9b40-925ffd797fb5 -version: 2 -date: '2023-12-20' +version: 3 +date: '2024-05-11' author: Gowthamaraj Rajendran, Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic identifies the invitation of an external guest - user within Azure AD. With Azure AD B2B collaboration, users and administrators - can invite external users to collaborate with internal users. External guest account - invitations should be monitored by security teams as they could potentially lead - to unauthorized access. An example of this attack vector was described at BlackHat - 2022 by security researcher Dirk-Jan during his tall `Backdooring and Hijacking - Azure AD Accounts by Abusing External Identities` -data_source: +description: The following analytic detects the invitation of an external guest user + within Azure AD. It leverages Azure AD AuditLogs to identify events where an external + user is invited, using fields such as operationName and initiatedBy. Monitoring + these invitations is crucial as they can lead to unauthorized access if abused. + If confirmed malicious, this activity could allow attackers to gain access to internal + resources, potentially leading to data breaches or further exploitation of the environment. +data_source: - Azure Active Directory Invite external user -search: '`azure_monitor_aad` operationName="Invite external user" - | rename properties.* as * - | rename initiatedBy.user.userPrincipalName as initiatedBy - | rename targetResources{}.type as type - | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by type, initiatedBy, result, operationName - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `azure_ad_external_guest_user_invited_filter`' +search: '`azure_monitor_aad` operationName="Invite external user" | rename properties.* as + * | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.type + as type | stats count min(_time) as firstTime max(_time) as lastTime values(user) + as user by type, initiatedBy, result, operationName | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `azure_ad_external_guest_user_invited_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. - This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category. + This analytic was written to be used with the azure:monitor:aad sourcetype leveraging + the AuditLogs log category. known_false_positives: Administrator may legitimately invite external guest users. Filter as needed. references: @@ -66,7 +63,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/azure_ad_external_guest_user_invited/azure-audit.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/azure_ad_external_guest_user_invited/azure-audit.log source: Azure AD sourcetype: azure:monitor:aad update_timestamp: true diff --git a/detections/cloud/azure_ad_fullaccessasapp_permission_assigned.yml b/detections/cloud/azure_ad_fullaccessasapp_permission_assigned.yml index d12be6c356..74b8cac346 100644 --- a/detections/cloud/azure_ad_fullaccessasapp_permission_assigned.yml +++ b/detections/cloud/azure_ad_fullaccessasapp_permission_assigned.yml @@ -1,28 +1,37 @@ name: Azure AD FullAccessAsApp Permission Assigned id: ae286126-f2ad-421c-b240-4ea83bd1c43a -version: 1 -date: '2024-01-29' +version: 2 +date: '2024-05-12' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic identifies when the 'full_access_as_app' permission, marked by the GUID 'dc890d15-9560-4a4c-9b7f-a736ec74ec40', is assigned to an application within Office 365 Exchange Online, identified by ResourceAppId '00000002-0000-0ff1-ce00-000000000000'. This permission grants broad control over Office 365 operations, including full access to all mailboxes and the capability to send emails as any user. The query utilizes the azure_monitor_aad data source, focusing on AuditLogs with the operation name 'Update application'. This monitoring is crucial for early detection of potential unauthorized access or data exfiltration, as the 'full_access_as_app' permission could lead to significant security incidents if exploited. -data_source: +description: The following analytic detects the assignment of the 'full_access_as_app' + permission to an application within Office 365 Exchange Online. This is identified + by the GUID 'dc890d15-9560-4a4c-9b7f-a736ec74ec40' and the ResourceAppId '00000002-0000-0ff1-ce00-000000000000'. + The detection leverages the azure_monitor_aad data source, focusing on AuditLogs + with the operation name 'Update application'. This activity is significant as it + grants broad control over Office 365 operations, including full access to all mailboxes + and the ability to send emails as any user. If malicious, this could lead to unauthorized + access and data exfiltration. +data_source: - Azure Active Directory Update application search: >- - `azure_monitor_aad` category=AuditLogs operationName="Update application" - | eval newvalue = mvindex('properties.targetResources{}.modifiedProperties{}.newValue',0) - | spath input=newvalue - | search "{}.ResourceAppId"="00000002-0000-0ff1-ce00-000000000000" "{}.RequiredAppPermissions{}.EntitlementId"="dc890d15-9560-4a4c-9b7f-a736ec74ec40" - | eval Permissions = '{}.RequiredAppPermissions{}.EntitlementId' - | stats count earliest(_time) as firstTime latest(_time) as lastTime values(Permissions) by user, object, user_agent, operationName - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `azure_ad_fullaccessasapp_permission_assigned_filter` + `azure_monitor_aad` category=AuditLogs operationName="Update application" | eval + newvalue = mvindex('properties.targetResources{}.modifiedProperties{}.newValue',0) + | spath input=newvalue | search "{}.ResourceAppId"="00000002-0000-0ff1-ce00-000000000000" "{}.RequiredAppPermissions{}.EntitlementId"="dc890d15-9560-4a4c-9b7f-a736ec74ec40" + | eval Permissions = '{}.RequiredAppPermissions{}.EntitlementId' + | stats count earliest(_time) as firstTime latest(_time) as lastTime values(Permissions) + by user, object, user_agent, operationName + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `azure_ad_fullaccessasapp_permission_assigned_filter` how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). - You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. - This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category. -known_false_positives: The full_access_as_app API permission may be assigned to legitimate applications. Filter as needed. + You must be ingesting Azure Active Directory events into your Splunk environment + through an EventHub. This analytic was written to be used with the azure:monitor:aad + sourcetype leveraging the AuditLogs log category. +known_false_positives: The full_access_as_app API permission may be assigned to legitimate + applications. Filter as needed. references: - https://msrc.microsoft.com/blog/2024/01/microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/ - https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/ @@ -34,7 +43,8 @@ tags: asset_type: Azure Active Directory confidence: 60 impact: 80 - message: User $user$ assigned the full_access_as_app permission to the app registration $object$ + message: User $user$ assigned the full_access_as_app permission to the app registration + $object$ mitre_attack_id: - T1098.002 - T1098.003 @@ -54,8 +64,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.002/full_access_as_app_permission_assigned/full_access_as_app_permission_assigned.log - source: Azure AD - sourcetype: azure:monitor:aad + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.002/full_access_as_app_permission_assigned/full_access_as_app_permission_assigned.log source: Azure AD + sourcetype: azure:monitor:aad update_timestamp: true diff --git a/detections/cloud/azure_ad_global_administrator_role_assigned.yml b/detections/cloud/azure_ad_global_administrator_role_assigned.yml index 82d0f500bb..b4acf713d2 100644 --- a/detections/cloud/azure_ad_global_administrator_role_assigned.yml +++ b/detections/cloud/azure_ad_global_administrator_role_assigned.yml @@ -1,31 +1,30 @@ name: Azure AD Global Administrator Role Assigned id: 825fed20-309d-4fd1-8aaf-cd49c1bb093c -version: 4 -date: '2023-12-20' +version: 5 +date: '2024-05-29' author: Gowthamaraj Rajendran, Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic identifies the assignment of the Azure AD Global - Administrator role to an Azure AD user. The Global Administrator role is the most - powerful administrator role in Azure AD and provides almost unlimited access to - data, resources and settings. It is equivalent to the Domain Administrator group - in an Active Directory environment. While Azure AD roles do not grant access to - Azure services and resources, it is possible for a Global Administrator account - to gain control of Azure resources. Adversaries and red teams alike may assign this - role to a compromised account to establish Persistence or escalate their privileges in an Azure AD environment. -data_source: +description: The following analytic detects the assignment of the Azure AD Global + Administrator role to a user. It leverages Azure Active Directory AuditLogs to identify + when the "Add member to role" operation includes the "Global Administrator" role. + This activity is significant because the Global Administrator role grants extensive + access to data, resources, and settings, similar to a Domain Administrator in traditional + AD environments. If confirmed malicious, this could allow an attacker to establish + persistence, escalate privileges, and potentially gain control over Azure resources, + posing a severe security risk. +data_source: - Azure Active Directory Add member to role -search: '`azure_monitor_aad` operationName="Add member to role" properties.targetResources{}.modifiedProperties{}.newValue="\"Global Administrator\"" - | rename properties.* as * - | rename initiatedBy.user.userPrincipalName as initiatedBy - | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by initiatedBy, result, operationName - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `azure_ad_global_administrator_role_assigned_filter`' +search: '`azure_monitor_aad` operationName="Add member to role" properties.targetResources{}.modifiedProperties{}.newValue="\"Global + Administrator\"" | rename properties.* as * | rename initiatedBy.user.userPrincipalName + as initiatedBy | stats count min(_time) as firstTime max(_time) as lastTime values(user) + as user by initiatedBy, result, operationName | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `azure_ad_global_administrator_role_assigned_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). - You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. - This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category. + You must be ingesting Azure Active Directory events into your Splunk environment + through an EventHub. This analytic was written to be used with the azure:monitor:aad + sourcetype leveraging the AuditLogs log category. known_false_positives: Administrators may legitimately assign the Global Administrator role to a user. Filter as needed. references: @@ -42,8 +41,7 @@ tags: asset_type: Azure Active Directory confidence: 90 impact: 80 - message: Global Administrator Role assigned for User $user$ initiated - by $initiatedBy$ + message: Global Administrator Role assigned for User $user$ initiated by $initiatedBy$ mitre_attack_id: - T1098.003 observable: @@ -70,7 +68,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_assign_global_administrator/azure-audit.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_assign_global_administrator/azure-audit.log source: Azure AD sourcetype: azure:monitor:aad update_timestamp: true diff --git a/detections/cloud/azure_ad_high_number_of_failed_authentications_for_user.yml b/detections/cloud/azure_ad_high_number_of_failed_authentications_for_user.yml index 90a48c271f..98b05d1f52 100644 --- a/detections/cloud/azure_ad_high_number_of_failed_authentications_for_user.yml +++ b/detections/cloud/azure_ad_high_number_of_failed_authentications_for_user.yml @@ -1,28 +1,30 @@ name: Azure AD High Number Of Failed Authentications For User id: 630b1694-210a-48ee-a450-6f79e7679f2c -version: 2 -date: '2023-12-20' +version: 3 +date: '2024-05-29' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic identifies an Azure AD account with more than - 20 failed authentication events in the span of 10 minutes. This behavior could represent - a brute force attack against the account. As environments differ across organizations, - security teams should customize the threshold of this detection. -data_source: +description: The following analytic identifies an Azure AD account experiencing more + than 20 failed authentication attempts within a 10-minute window. This detection + leverages Azure SignInLogs data, specifically monitoring for error code 50126 and + unsuccessful authentication attempts. This behavior is significant as it may indicate + a brute force attack targeting the account. If confirmed malicious, an attacker + could potentially gain unauthorized access, leading to data breaches or further + exploitation within the environment. Security teams should adjust the threshold + based on their specific environment to reduce false positives. +data_source: - Azure Active Directory -search: ' `azure_monitor_aad` category= SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false - | rename properties.* as * - | bucket span=10m _time - | stats count min(_time) as firstTime max(_time) as lastTime values(src_ip) as src_ip by user - | where count > 20 - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `azure_ad_high_number_of_failed_authentications_for_user_filter`' +search: ' `azure_monitor_aad` category= SignInLogs properties.status.errorCode=50126 + properties.authenticationDetails{}.succeeded=false | rename properties.* as * | + bucket span=10m _time | stats count min(_time) as firstTime max(_time) as lastTime + values(src_ip) as src_ip by user | where count > 20 | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `azure_ad_high_number_of_failed_authentications_for_user_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). - You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. - This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category. + You must be ingesting Azure Active Directory events into your Splunk environment + through an EventHub. This analytic was written to be used with the azure:monitor:aad + sourcetype leveraging the SignInLogs log category. known_false_positives: A user with more than 20 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application. references: @@ -35,8 +37,8 @@ tags: asset_type: Azure Tenant confidence: 70 impact: 50 - message: User $user$ failed to authenticate more than 20 times in the - span of 5 minutes. + message: User $user$ failed to authenticate more than 20 times in the span of 5 + minutes. mitre_attack_id: - T1110 - T1110.001 @@ -61,7 +63,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/azure_ad_high_number_of_failed_authentications_for_user/azuread.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/azure_ad_high_number_of_failed_authentications_for_user/azuread.log source: Azure AD sourcetype: azure:monitor:aad update_timestamp: true diff --git a/detections/cloud/azure_ad_high_number_of_failed_authentications_from_ip.yml b/detections/cloud/azure_ad_high_number_of_failed_authentications_from_ip.yml index beb9947699..3e5a6654a5 100644 --- a/detections/cloud/azure_ad_high_number_of_failed_authentications_from_ip.yml +++ b/detections/cloud/azure_ad_high_number_of_failed_authentications_from_ip.yml @@ -1,29 +1,29 @@ name: Azure AD High Number Of Failed Authentications From Ip id: e5ab41bf-745d-4f72-a393-2611151afd8e -version: 2 -date: '2023-12-20' +version: 3 +date: '2024-05-25' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic identifies an Ip address failing to authenticate - 20 or more times to an Azure AD tenant in the span of 10 minutes. This behavior could - represent a brute force attack againstan Azure AD to obtain initial access or elevate - privileges. As environments differ across organizations, security teams should customize - the threshold of this detection. -data_source: +description: The following analytic detects an IP address with 20 or more failed authentication + attempts to an Azure AD tenant within 10 minutes. It leverages Azure AD SignInLogs + to identify repeated failed logins from the same IP. This behavior is significant + as it may indicate a brute force attack aimed at gaining unauthorized access or + escalating privileges. If confirmed malicious, the attacker could potentially compromise + user accounts, leading to unauthorized access to sensitive information and resources + within the Azure environment. +data_source: - Azure Active Directory -search: ' `azure_monitor_aad` category= SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false - | rename properties.* as * - | bucket span=10m _time - | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip - | where count > 20 - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `azure_ad_high_number_of_failed_authentications_from_ip_filter`' +search: ' `azure_monitor_aad` category= SignInLogs properties.status.errorCode=50126 + properties.authenticationDetails{}.succeeded=false | rename properties.* as * | + bucket span=10m _time | stats count min(_time) as firstTime max(_time) as lastTime + values(user) as user by src_ip | where count > 20 | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `azure_ad_high_number_of_failed_authentications_from_ip_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). - You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. - This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category. + You must be ingesting Azure Active Directory events into your Splunk environment + through an EventHub. This analytic was written to be used with the azure:monitor:aad + sourcetype leveraging the SignInLogs log category. known_false_positives: An Ip address with more than 20 failed authentication attempts in the span of 10 minutes may also be triggered by a broken application. references: @@ -69,7 +69,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/azure_ad_high_number_of_failed_authentications_for_user/azuread.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/azure_ad_high_number_of_failed_authentications_for_user/azuread.log source: Azure AD sourcetype: azure:monitor:aad update_timestamp: true diff --git a/detections/cloud/azure_ad_multi_factor_authentication_disabled.yml b/detections/cloud/azure_ad_multi_factor_authentication_disabled.yml index 2622799870..d02e86cbd9 100644 --- a/detections/cloud/azure_ad_multi_factor_authentication_disabled.yml +++ b/detections/cloud/azure_ad_multi_factor_authentication_disabled.yml @@ -1,29 +1,29 @@ name: Azure AD Multi-Factor Authentication Disabled id: 482dd42a-acfa-486b-a0bb-d6fcda27318e -version: 2 -date: '2023-12-20' +version: 3 +date: '2024-05-23' author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk status: production type: TTP -description: The following analytic identifies an attempt to disable multi-factor - authentication for an Azure AD user. An adversary who has obtained access to an - Azure AD tenant may disable multi-factor authentication as a way to plant a backdoor - and maintain persistence using a valid account. This way the attackers can keep - persistance in the environment without adding new users. -data_source: +description: The following analytic detects attempts to disable multi-factor authentication + (MFA) for an Azure AD user. It leverages Azure Active Directory AuditLogs to identify + the "Disable Strong Authentication" operation. This activity is significant because + disabling MFA can allow adversaries to maintain persistence using compromised accounts + without raising suspicion. If confirmed malicious, this action could enable attackers + to bypass an essential security control, potentially leading to unauthorized access + and prolonged undetected presence in the environment. +data_source: - Azure Active Directory Disable Strong Authentication search: '`azure_monitor_aad` category=AuditLogs operationName="Disable Strong Authentication" - | rename properties.* as * - | rename targetResources{}.type as type - | rename initiatedBy.user.userPrincipalName as initiatedBy - | stats count min(_time) as firstTime max(_time) as lastTime by user, type, operationName, initiatedBy, result - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `azure_ad_multi_factor_authentication_disabled_filter`' + | rename properties.* as * | rename targetResources{}.type as type | rename initiatedBy.user.userPrincipalName + as initiatedBy | stats count min(_time) as firstTime max(_time) as lastTime by user, + type, operationName, initiatedBy, result | `security_content_ctime(firstTime)` | + `security_content_ctime(lastTime)` | `azure_ad_multi_factor_authentication_disabled_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). - You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. - This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category. + You must be ingesting Azure Active Directory events into your Splunk environment + through an EventHub. This analytic was written to be used with the azure:monitor:aad + sourcetype leveraging the AuditLogs log category. known_false_positives: Legitimate use case may require for users to disable MFA. Filter as needed. references: @@ -67,7 +67,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/azuread/azure-audit.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/azuread/azure-audit.log source: Azure AD sourcetype: azure:monitor:aad update_timestamp: true diff --git a/detections/cloud/azure_ad_multi_source_failed_authentications_spike.yml b/detections/cloud/azure_ad_multi_source_failed_authentications_spike.yml index 5572bfa4d1..e96759611d 100644 --- a/detections/cloud/azure_ad_multi_source_failed_authentications_spike.yml +++ b/detections/cloud/azure_ad_multi_source_failed_authentications_spike.yml @@ -1,27 +1,46 @@ name: Azure AD Multi-Source Failed Authentications Spike id: 116e11a9-63ea-41eb-a66a-6a13bdc7d2c7 -version: 2 -date: '2023-12-20' +version: 3 +date: '2024-05-14' author: Mauricio Velazco, Splunk status: production type: Hunting -data_source: +data_source: - Azure Active Directory -description: This analytic detects potential distributed password spraying attacks within an Azure AD environment. It identifies a notable increase in failed authentication attempts across a variety of unique user-and-IP address combinations, originating from multiple source IP addresses and countries, and employing different user agents. Such patterns suggest an adversary's attempt to bypass security controls by using a range of IP addresses to test commonly used passwords against numerous user accounts. The detection scrutinizes SignInLogs from Azure AD logs, particularly focusing on events with error code 50126, which signals a failed authentication due to incorrect credentials. By collating data over a five-minute interval, the analytic computes the distinct counts of user-and-IP combinations, unique users, source IPs, and countries. It then applies a set of thresholds to these metrics to pinpoint unusual activities that could indicate a coordinated attack effort. The thresholds set within the analytic (such as unique IPs, unique users, etc.) are initial guidelines and should be customized based on the organization's user behavior and risk profile. Recognizing this behavior is vital for security operations centers (SOCs) as distributed password spraying represents a more complex form of traditional password spraying. Attackers distribute the source of their attempts to evade detection mechanisms that typically monitor for single-source IP anomalies. Prompt detection of such distributed activities is essential to thwart unauthorized access attempts, prevent account compromises, and mitigate the risk of further malicious activities within the organization's network. A true positive alert from this analytic suggests an active distributed password spraying attack against the organization's Azure AD tenant. A successful attack could result in unauthorized access, particularly to accounts with elevated privileges, leading to data breaches, privilege escalation, persistent threats, and lateral movement within the organization's infrastructure. -search: ' `azure_monitor_aad` category=SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false - | rename properties.* as * - | bucket span=5m _time - | eval uniqueIPUserCombo = src_ip . "-" . user - | stats count min(_time) as firstTime max(_time) as lastTime dc(uniqueIPUserCombo) as uniqueIpUserCombinations, dc(user) as uniqueUsers, dc(src_ip) as uniqueIPs, dc(user_agent) as uniqueUserAgents, dc(location.countryOrRegion) as uniqueCountries values(user) as user, values(src_ip) as ips, values(user_agent) as user_agents, values(location.countryOrRegion) as countries - | where uniqueIpUserCombinations > 20 AND uniqueUsers > 20 AND uniqueIPs > 20 AND uniqueUserAgents = 1 - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `azure_ad_multi_source_failed_authentications_spike_filter`' +description: The following analytic detects potential distributed password spraying + attacks in an Azure AD environment. It identifies a spike in failed authentication + attempts across various user-and-IP combinations from multiple source IPs and countries, + using different user agents. This detection leverages Azure AD SignInLogs, focusing + on error code 50126 for failed authentications. This activity is significant as + it indicates an adversary's attempt to bypass security controls by distributing + login attempts. If confirmed malicious, this could lead to unauthorized access, + data breaches, privilege escalation, and lateral movement within the organization's + infrastructure. +search: ' `azure_monitor_aad` category=SignInLogs properties.status.errorCode=50126 + properties.authenticationDetails{}.succeeded=false | rename properties.* as * | + bucket span=5m _time | eval uniqueIPUserCombo = src_ip . "-" . user | stats count + min(_time) as firstTime max(_time) as lastTime dc(uniqueIPUserCombo) as uniqueIpUserCombinations, + dc(user) as uniqueUsers, dc(src_ip) as uniqueIPs, dc(user_agent) as uniqueUserAgents, + dc(location.countryOrRegion) as uniqueCountries values(user) as user, values(src_ip) + as ips, values(user_agent) as user_agents, values(location.countryOrRegion) as countries + | where uniqueIpUserCombinations > 20 AND uniqueUsers > 20 AND uniqueIPs > 20 AND + uniqueUserAgents = 1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `azure_ad_multi_source_failed_authentications_spike_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft - Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. - This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category. - The thresholds set within the analytic (such as unique IPs, unique users, etc.) are initial guidelines and should be customized based on the organization's user behavior and risk profile. Security teams are encouraged to adjust these thresholds to optimize the balance between detecting genuine threats and minimizing false positives, ensuring the detection is tailored to their specific environment. -known_false_positives: This detection may yield false positives in scenarios where legitimate bulk sign-in activities occur, such as during company-wide system updates or when users are accessing resources from varying locations in a short time frame, such as in the case of VPNs or cloud services that rotate IP addresses. Filter as needed. + Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). + You must be ingesting Azure Active Directory events into your Splunk environment + through an EventHub. This analytic was written to be used with the azure:monitor:aad + sourcetype leveraging the SignInLogs log category. The thresholds set within the + analytic (such as unique IPs, unique users, etc.) are initial guidelines and should + be customized based on the organization's user behavior and risk profile. Security + teams are encouraged to adjust these thresholds to optimize the balance between + detecting genuine threats and minimizing false positives, ensuring the detection + is tailored to their specific environment. +known_false_positives: This detection may yield false positives in scenarios where + legitimate bulk sign-in activities occur, such as during company-wide system updates + or when users are accessing resources from varying locations in a short time frame, + such as in the case of VPNs or cloud services that rotate IP addresses. Filter as + needed. references: - https://attack.mitre.org/techniques/T1110/003/ - https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray @@ -64,6 +83,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/azure_ad_distributed_spray/azure_ad_distributed_spray.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/azure_ad_distributed_spray/azure_ad_distributed_spray.log source: Azure AD sourcetype: azure:monitor:aad diff --git a/detections/cloud/azure_ad_multiple_appids_and_useragents_authentication_spike.yml b/detections/cloud/azure_ad_multiple_appids_and_useragents_authentication_spike.yml index 246f61382e..4c973afffd 100644 --- a/detections/cloud/azure_ad_multiple_appids_and_useragents_authentication_spike.yml +++ b/detections/cloud/azure_ad_multiple_appids_and_useragents_authentication_spike.yml @@ -1,25 +1,37 @@ name: Azure AD Multiple AppIDs and UserAgents Authentication Spike id: 5d8bb1f0-f65a-4b4e-af2e-fcdb88276314 -version: 2 -date: '2023-12-20' +version: 3 +date: '2024-05-26' author: Mauricio Velazco, Splunk status: production type: Anomaly -data_source: +data_source: - Azure Active Directory Sign-in activity -description: This analytic is crafted to identify unusual and potentially malicious authentication activity within an Azure AD environment. It triggers when a single user account is involved in more than 8 authentication attempts, using 3 or more unique application IDs and more than 5 unique user agents within a short timeframe. This pattern is atypical for regular user behavior and may indicate an adversary's attempt to probe the environment, testing for multi-factor authentication requirements across different applications and platforms. The detection is based on analysis of Azure AD audit logs, specifically focusing on authentication events. It employs statistical thresholds to highlight instances where the volume of authentication attempts and the diversity of application IDs and user agents associated with a single user account exceed normal parameters. Identifying this behavior is crucial as it provides an early indication of potential account compromise. Adversaries, once in possession of user credentials, often conduct reconnaissance to understand the security controls in place, including multi-factor authentication configurations. Tools like Invoke-MFASweep are commonly used for this purpose, automating the process of testing different user agents and application IDs to bypass MFA. By detecting these initial probing attempts, security teams can swiftly respond, potentially stopping an attack in its early stages and preventing further unauthorized access. This proactive stance is vital for maintaining the integrity of the organization's security posture. If validated as a true positive, this detection points to a compromised account, signaling that an attacker is actively attempting to navigate security controls to maintain access and potentially escalate privileges. This could lead to further exploitation, lateral movement within the network, and eventual data exfiltration. Recognizing and responding to this early stage of an attack is vital for preventing substantial harm and safeguarding sensitive organizational data and systems. -search: ' `azure_monitor_aad` category=SignInLogs operationName="Sign-in activity" (properties.authenticationRequirement="multiFactorAuthentication" AND properties.status.additionalDetails="MFA required in Azure AD") OR (properties.authenticationRequirement=singleFactorAuthentication AND "properties.authenticationDetails{}.succeeded"=true) - | bucket span=5m _time - | rename properties.* as * - | stats count min(_time) as firstTime max(_time) as lastTime dc(appId) as unique_app_ids dc(userAgent) as unique_user_agents values(appDisplayName) values(deviceDetail.operatingSystem) by user, src_ip - | where count > 5 and unique_app_ids > 2 and unique_user_agents > 5 - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `azure_ad_multiple_appids_and_useragents_authentication_spike_filter`' +description: The following analytic detects unusual authentication activity in Azure + AD, specifically when a single user account has over 8 authentication attempts using + 3+ unique application IDs and 5+ unique user agents within a short period. It leverages + Azure AD audit logs, focusing on authentication events and using statistical thresholds. + This behavior is significant as it may indicate an adversary probing for MFA requirements. + If confirmed malicious, it suggests a compromised account, potentially leading to + further exploitation, lateral movement, and data exfiltration. Early detection is + crucial to prevent substantial harm. +search: ' `azure_monitor_aad` category=SignInLogs operationName="Sign-in activity" + (properties.authenticationRequirement="multiFactorAuthentication" AND properties.status.additionalDetails="MFA + required in Azure AD") OR (properties.authenticationRequirement=singleFactorAuthentication + AND "properties.authenticationDetails{}.succeeded"=true) | bucket span=5m _time + | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime + dc(appId) as unique_app_ids dc(userAgent) as unique_user_agents values(appDisplayName) + values(deviceDetail.operatingSystem) by user, src_ip | where count > 5 and unique_app_ids + > 2 and unique_user_agents > 5 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `azure_ad_multiple_appids_and_useragents_authentication_spike_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft - Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. - This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category. -known_false_positives: Rapid authentication from the same user using more than 5 different user agents and 3 application IDs is highly unlikely under normal circumstances. However, there are potential scenarios that could lead to false positives. + Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). + You must be ingesting Azure Active Directory events into your Splunk environment + through an EventHub. This analytic was written to be used with the azure:monitor:aad + sourcetype leveraging the SignInLogs log category. +known_false_positives: Rapid authentication from the same user using more than 5 different + user agents and 3 application IDs is highly unlikely under normal circumstances. + However, there are potential scenarios that could lead to false positives. references: - https://attack.mitre.org/techniques/T1078/ - https://www.blackhillsinfosec.com/exploiting-mfa-inconsistencies-on-microsoft-services/ @@ -31,7 +43,8 @@ tags: asset_type: Azure Tenant confidence: 80 impact: 60 - message: $user$ authenticated in a short periof of time with more than 5 different user agents across 3 or more unique application ids. + message: $user$ authenticated in a short periof of time with more than 5 different + user agents across 3 or more unique application ids. mitre_attack_id: - T1078 observable: @@ -59,6 +72,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/azure_ad_multiple_appids_and_useragents_auth/azure_ad_multiple_appids_and_useragents_auth.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/azure_ad_multiple_appids_and_useragents_auth/azure_ad_multiple_appids_and_useragents_auth.log source: Azure AD sourcetype: azure:monitor:aad diff --git a/detections/cloud/azure_ad_multiple_denied_mfa_requests_for_user.yml b/detections/cloud/azure_ad_multiple_denied_mfa_requests_for_user.yml index b96f198f6b..6889ecefd9 100644 --- a/detections/cloud/azure_ad_multiple_denied_mfa_requests_for_user.yml +++ b/detections/cloud/azure_ad_multiple_denied_mfa_requests_for_user.yml @@ -1,26 +1,33 @@ name: Azure AD Multiple Denied MFA Requests For User id: d0895c20-de71-4fd2-b56c-3fcdb888eba1 -version: 2 -date: '2023-12-20' +version: 3 +date: '2024-05-18' author: Mauricio Velazco, Splunk status: production type: TTP -data_source: +data_source: - Azure Active Directory Sign-in activity -description: This analytic targets the detection of an unusually high number of denied Multi-Factor Authentication (MFA) requests for a single user within a 10-minute window, specifically identifying instances where more than nine MFA prompts were declined by the user. Utilizing Azure Active Directory (Azure AD) sign-in logs, particularly focusing on "Sign-in activity" events, it filters for scenarios where the MFA request was denied due to the user declining the authentication, as indicated by error code 500121 and additional details stating "MFA denied; user declined the authentication." The data is then aggregated into 10-minute intervals, counting distinct raw events and capturing the earliest and latest times of occurrence for each user. This behavior is significant for a Security Operations Center (SOC) as it could be an early indicator of a targeted attack or an account compromise attempt, with an attacker having obtained the user's credentials and the user actively declining the MFA prompts, preventing unauthorized access. A true positive detection would imply that an attacker is on the verge of gaining full access to the user's account, posing a threat that could lead to data exfiltration, lateral movement, or further malicious activities within the organization, necessitating immediate investigation and response to safeguard the organization's assets. +description: The following analytic detects an unusually high number of denied Multi-Factor + Authentication (MFA) requests for a single user within a 10-minute window, specifically + when more than nine MFA prompts are declined. It leverages Azure Active Directory + (Azure AD) sign-in logs, focusing on "Sign-in activity" events with error code 500121 + and additional details indicating "MFA denied; user declined the authentication." + This behavior is significant as it may indicate a targeted attack or account compromise + attempt, with the user actively declining unauthorized access. If confirmed malicious, + it could lead to data exfiltration, lateral movement, or further malicious activities. search: '`azure_monitor_aad` category=SignInLogs operationName="Sign-in activity" - | rename properties.* as * - | search status.errorCode=500121 status.additionalDetails="MFA denied; user declined the authentication" - | bucket span=10m _time - | stats count min(_time) as firstTime max(_time) as lastTime by user, status.additionalDetails, appDisplayName, user_agent - | where count > 9 - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `azure_ad_multiple_denied_mfa_requests_for_user_filter`' + | rename properties.* as * | search status.errorCode=500121 status.additionalDetails="MFA + denied; user declined the authentication" | bucket span=10m _time | stats count + min(_time) as firstTime max(_time) as lastTime by user, status.additionalDetails, + appDisplayName, user_agent | where count > 9 | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `azure_ad_multiple_denied_mfa_requests_for_user_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft - Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. - This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category. -known_false_positives: Multiple denifed MFA requests in a short period of span may also be a sign of authentication errors. Investigate and filter as needed. + Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). + You must be ingesting Azure Active Directory events into your Splunk environment + through an EventHub. This analytic was written to be used with the azure:monitor:aad + sourcetype leveraging the Signin log category. +known_false_positives: Multiple denifed MFA requests in a short period of span may + also be a sign of authentication errors. Investigate and filter as needed. references: - https://www.mandiant.com/resources/blog/russian-targeting-gov-business - https://arstechnica.com/information-technology/2022/03/lapsus-and-solar-winds-hackers-both-use-the-same-old-trick-to-bypass-mfa/ @@ -60,6 +67,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/azure_ad_multiple_denied_mfa_requests/azure_ad_multiple_denied_mfa_requests.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/azure_ad_multiple_denied_mfa_requests/azure_ad_multiple_denied_mfa_requests.log source: Azure AD sourcetype: azure:monitor:aad diff --git a/detections/cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml b/detections/cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml index 9261b1bf88..e56b196c40 100644 --- a/detections/cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml +++ b/detections/cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml @@ -1,36 +1,31 @@ name: Azure AD Multiple Failed MFA Requests For User id: 264ea131-ab1f-41b8-90e0-33ad1a1888ea -version: 3 -date: '2023-12-20' +version: 4 +date: '2024-05-20' author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk status: production type: TTP description: The following analytic identifies multiple failed multi-factor authentication - requests for a single user within an Azure AD tenant. Error Code 500121 represents - a failed attempt to authenticate using a second factor. Specifically, the analytic - triggers when more than 10 MFA user prompts fail within 10 minutes. The reasons for these failure could be several, - like the user not responding in time or receiving multiple duplicate MFA requests. - Azure AD tenants can be very different depending on the organization, Security teams should test - this detection and customize these arbitrary thresholds. The detected behavior may - represent an adversary who has obtained legitimate credentials for a user and continuously - repeats login attempts in order to bombard users with MFA push notifications, SMS - messages, and phone calls potentially resulting in the user finally accepting the - authentication request. Threat actors like the Lapsus team and APT29 have leveraged - this technique to bypass multi-factor authentication controls as reported by Mandiant - and others. -data_source: + (MFA) requests for a single user within an Azure AD tenant. It leverages Azure AD + Sign-in Logs, specifically error code 500121, to detect more than 10 failed MFA + attempts within 10 minutes. This behavior is significant as it may indicate an adversary + attempting to bypass MFA by bombarding the user with repeated authentication prompts. + If confirmed malicious, this activity could lead to unauthorized access, allowing + attackers to compromise user accounts and potentially escalate their privileges + within the environment. +data_source: - Azure Active Directory Sign-in activity -search: ' `azure_monitor_aad` category=SignInLogs operationName="Sign-in activity" properties.status.errorCode=500121 properties.status.additionalDetails!="MFA denied; user declined the authentication" - | rename properties.* as * - | bucket span=10m _time - | stats count min(_time) as firstTime max(_time) as lastTime by user, status.additionalDetails, appDisplayName, user_agent - | where count > 9 - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `azure_ad_multiple_failed_mfa_requests_for_user_filter`' +search: ' `azure_monitor_aad` category=SignInLogs operationName="Sign-in activity" + properties.status.errorCode=500121 properties.status.additionalDetails!="MFA denied; + user declined the authentication" | rename properties.* as * | bucket span=10m _time + | stats count min(_time) as firstTime max(_time) as lastTime by user, status.additionalDetails, + appDisplayName, user_agent | where count > 10 | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `azure_ad_multiple_failed_mfa_requests_for_user_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft - Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. - This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category. + Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). + You must be ingesting Azure Active Directory events into your Splunk environment + through an EventHub. This analytic was written to be used with the azure:monitor:aad + sourcetype leveraging the Signin log category. known_false_positives: Multiple Failed MFA requests may also be a sign of authentication or application issues. Filter as needed. references: @@ -46,7 +41,8 @@ tags: asset_type: Azure Active Directory confidence: 90 impact: 60 - message: User $user$ failed to complete MFA authentication more than 9 times in a timespan of 10 minutes. + message: User $user$ failed to complete MFA authentication more than 9 times in + a timespan of 10 minutes. mitre_attack_id: - T1586 - T1586.003 @@ -75,7 +71,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/multiple_failed_mfa_requests/azure-audit.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/multiple_failed_mfa_requests/azure-audit.log source: Azure AD sourcetype: azure:monitor:aad update_timestamp: true diff --git a/detections/cloud/azure_ad_multiple_service_principals_created_by_sp.yml b/detections/cloud/azure_ad_multiple_service_principals_created_by_sp.yml index cdf3d76e41..407709ae8c 100644 --- a/detections/cloud/azure_ad_multiple_service_principals_created_by_sp.yml +++ b/detections/cloud/azure_ad_multiple_service_principals_created_by_sp.yml @@ -1,29 +1,33 @@ name: Azure AD Multiple Service Principals Created by SP id: 66cb378f-234d-4fe1-bb4c-e7878ff6b017 -version: 1 -date: '2024-02-07' +version: 2 +date: '2024-05-13' author: Mauricio Velazco, Splunk -data_source: +data_source: - Azure Active Directory Add service principal type: Anomaly status: production -description: This detection identifies when a single service principal in Azure AD creates more than three unique OAuth applications within a 10-minute span, potentially signaling malicious activity. It monitors the 'Add service principal' operation, focusing on the activity of service principals rather than individual users. By aggregating the creation events over a 10-minute period, the analytic tracks how many distinct OAuth applications are created by each service principal. This is key for SOC teams to pinpoint potential attack staging, where an attacker might use a compromised or malicious service principal to rapidly establish multiple service principals, facilitating network infiltration or expansion. While the default threshold is set to trigger on more than three applications, security teams should adjust this to fit their specific environment's norm +description: The following analytic detects when a single service principal in Azure + AD creates more than three unique OAuth applications within a 10-minute span. It + leverages Azure AD audit logs, specifically monitoring the 'Add service principal' + operation initiated by service principals. This behavior is significant as it may + indicate an attacker using a compromised or malicious service principal to rapidly + establish multiple service principals, potentially staging an attack. If confirmed + malicious, this activity could facilitate network infiltration or expansion, allowing + the attacker to gain unauthorized access and persist within the environment. search: ' `azure_monitor_aad` operationName="Add service principal" properties.initiatedBy.app.appId=* - | rename properties.* as * - | bucket span=10m _time - | rename targetResources{}.displayName as displayName - | rename targetResources{}.type as type - | rename initiatedBy.app.displayName as src_user - | stats min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName dc(displayName) as unique_apps by src_user - | where unique_apps > 3 - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `azure_ad_multiple_service_principals_created_by_sp_filter`' + | rename properties.* as * | bucket span=10m _time | rename targetResources{}.displayName + as displayName | rename targetResources{}.type as type | rename initiatedBy.app.displayName + as src_user | stats min(_time) as firstTime max(_time) as lastTime values(displayName) + as displayName dc(displayName) as unique_apps by src_user | where unique_apps > + 3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multiple_service_principals_created_by_sp_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). - You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. - This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category. -known_false_positives: Certain users or applications may create multiple service principals in a short period of time for legitimate purposes. Filter as needed. + You must be ingesting Azure Active Directory events into your Splunk environment + through an EventHub. This analytic was written to be used with the azure:monitor:aad + sourcetype leveraging the AuditLogs log category. +known_false_positives: Certain users or applications may create multiple service principals + in a short period of time for legitimate purposes. Filter as needed. references: - https://attack.mitre.org/techniques/T1136/003/ - https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/ @@ -34,7 +38,8 @@ tags: asset_type: Azure Active Directory confidence: 60 impact: 70 - message: Multiple OAuth applications were created by $src_user$ in a short period of time + message: Multiple OAuth applications were created by $src_user$ in a short period + of time mitre_attack_id: - T1136.003 observable: @@ -53,7 +58,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/azure_ad_multiple_service_principals_created/azure_ad_multiple_service_principals_created.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/azure_ad_multiple_service_principals_created/azure_ad_multiple_service_principals_created.log source: Azure AD sourcetype: azure:monitor:aad update_timestamp: true diff --git a/detections/cloud/azure_ad_multiple_service_principals_created_by_user.yml b/detections/cloud/azure_ad_multiple_service_principals_created_by_user.yml index 9e942685cf..bb71615da5 100644 --- a/detections/cloud/azure_ad_multiple_service_principals_created_by_user.yml +++ b/detections/cloud/azure_ad_multiple_service_principals_created_by_user.yml @@ -1,27 +1,32 @@ name: Azure AD Multiple Service Principals Created by User id: 32880707-f512-414e-bd7f-204c0c85b758 -version: 1 -date: '2024-02-07' +version: 2 +date: '2024-05-13' author: Mauricio Velazco, Splunk -data_source: +data_source: - Azure Active Directory Add service principal type: Anomaly status: production -description: This detection focuses on identifying instances where a single user creates more than three unique OAuth applications within a 10-minute timeframe in Azure AD, a potential indicator of malicious activity. By monitoring the 'Add service principal' operation and aggregating the data with a 10-minute bucket span, it tracks the number of distinct OAuth applications created by each user. This analytic is crucial for SOC teams to detect possible staging of attacks, where an adversary might rapidly create multiple service principals as part of their infiltration or expansion strategy within the network. The threshold of three applications is set to flag unusual behavior, but security teams are advised to adjust this value to suit the normal operational patterns of their environment +description: The following analytic identifies instances where a single user creates + more than three unique OAuth applications within a 10-minute timeframe in Azure + AD. It detects this activity by monitoring the 'Add service principal' operation + and aggregating data in 10-minute intervals. This behavior is significant as it + may indicate an adversary rapidly creating multiple service principals to stage + an attack or expand their foothold within the network. If confirmed malicious, this + activity could allow attackers to establish persistence, escalate privileges, or + access sensitive information within the Azure environment. search: ' `azure_monitor_aad` operationName="Add service principal" properties.initiatedBy.user.id=* - | rename properties.* as * - | bucket span=10m _time - | rename targetResources{}.displayName as displayName - | stats min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName dc(displayName) as unique_apps by src_user - | where unique_apps > 3 - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `azure_ad_multiple_service_principals_created_by_user_filter`' + | rename properties.* as * | bucket span=10m _time | rename targetResources{}.displayName + as displayName | stats min(_time) as firstTime max(_time) as lastTime values(displayName) + as displayName dc(displayName) as unique_apps by src_user | where unique_apps > + 3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multiple_service_principals_created_by_user_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). - You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. - This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category. -known_false_positives: Certain users or applications may create multiple service principals in a short period of time for legitimate purposes. Filter as needed. + You must be ingesting Azure Active Directory events into your Splunk environment + through an EventHub. This analytic was written to be used with the azure:monitor:aad + sourcetype leveraging the AuditLogs log category. +known_false_positives: Certain users or applications may create multiple service principals + in a short period of time for legitimate purposes. Filter as needed. references: - https://attack.mitre.org/techniques/T1136/003/ - https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/ @@ -32,7 +37,8 @@ tags: asset_type: Azure Active Directory confidence: 60 impact: 70 - message: Multiple OAuth applications were created by $src_user$ in a short period of time + message: Multiple OAuth applications were created by $src_user$ in a short period + of time mitre_attack_id: - T1136.003 observable: @@ -55,7 +61,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/azure_ad_multiple_service_principals_created/azure_ad_multiple_service_principals_created.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/azure_ad_multiple_service_principals_created/azure_ad_multiple_service_principals_created.log source: Azure AD sourcetype: azure:monitor:aad update_timestamp: true diff --git a/detections/cloud/azure_ad_multiple_users_failing_to_authenticate_from_ip.yml b/detections/cloud/azure_ad_multiple_users_failing_to_authenticate_from_ip.yml index 73fa6e51e5..3b4582fc2e 100644 --- a/detections/cloud/azure_ad_multiple_users_failing_to_authenticate_from_ip.yml +++ b/detections/cloud/azure_ad_multiple_users_failing_to_authenticate_from_ip.yml @@ -1,33 +1,30 @@ name: Azure AD Multiple Users Failing To Authenticate From Ip id: 94481a6a-8f59-4c86-957f-55a71e3612a6 -version: 2 -date: '2023-12-20' +version: 3 +date: '2024-05-13' author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk status: production type: Anomaly -description: 'The following analytic identifies one source Ip failing to authenticate - with 30 unique valid users within 5 minutes. This behavior could represent an adversary - performing a Password Spraying attack against an Azure Active Directory tenant to - obtain initial access or elevate privileges. Error Code 50126 represents an invalid - password. This logic can be used for real time security monitoring as well as threat - hunting exercises. - - Azure AD tenants can be very different depending on the organization. Users should - test this detection and customize the arbitrary threshold if needed.' -data_source: +description: 'The following analytic detects a single source IP failing to authenticate + with 30 unique valid users within 5 minutes in Azure Active Directory. It leverages + Azure AD SignInLogs with error code 50126, indicating invalid passwords. This behavior + is significant as it may indicate a Password Spraying attack, where an adversary + attempts to gain initial access or elevate privileges by trying common passwords + across many accounts. If confirmed malicious, this activity could lead to unauthorized + access, data breaches, or privilege escalation within the Azure AD environment.' +data_source: - Azure Active Directory -search: ' `azure_monitor_aad` category=SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false - | rename properties.* as * - | bucket span=5m _time - | stats count min(_time) as firstTime max(_time) as lastTime dc(user) AS unique_accounts values(user) as user by src_ip - | where unique_accounts > 30 - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +search: ' `azure_monitor_aad` category=SignInLogs properties.status.errorCode=50126 + properties.authenticationDetails{}.succeeded=false | rename properties.* as * | + bucket span=5m _time | stats count min(_time) as firstTime max(_time) as lastTime + dc(user) AS unique_accounts values(user) as user by src_ip | where unique_accounts + > 30 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multiple_users_failing_to_authenticate_from_ip_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). - You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. - This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category. + You must be ingesting Azure Active Directory events into your Splunk environment + through an EventHub. This analytic was written to be used with the azure:monitor:aad + sourcetype leveraging the Signin log category. known_false_positives: A source Ip failing to authenticate with multiple users is not a common for legitimate behavior. references: @@ -41,8 +38,7 @@ tags: asset_type: Azure Active Directory confidence: 90 impact: 70 - message: Source Ip $src_ip$ failed to authenticate with 30 users - within 5 minutes. + message: Source Ip $src_ip$ failed to authenticate with 30 users within 5 minutes. mitre_attack_id: - T1586 - T1586.003 @@ -74,7 +70,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/password_spraying_azuread/azuread_signin.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/password_spraying_azuread/azuread_signin.log source: Azure AD sourcetype: azure:monitor:aad update_timestamp: true diff --git a/detections/cloud/azure_ad_new_custom_domain_added.yml b/detections/cloud/azure_ad_new_custom_domain_added.yml index 6469ec3e21..9699b2bed5 100644 --- a/detections/cloud/azure_ad_new_custom_domain_added.yml +++ b/detections/cloud/azure_ad_new_custom_domain_added.yml @@ -1,36 +1,30 @@ name: Azure AD New Custom Domain Added id: 30c47f45-dd6a-4720-9963-0bca6c8686ef -version: 2 -date: '2023-12-20' +version: 3 +date: '2024-05-14' author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk status: production type: TTP -description: The following analytic identifies the addition of a new custom domain - within an Azure Active Directory tenant. Adding a custom domain is a step required - to set up the Azure Active Directory identity federation backdoor technique discovered - by security researcher Nestori Syynimaa. Similar to Active Directory, Azure AD uses - the concept of domains to manage directories of identities. A new Azure AD tenant - will initially contain a single domain that is commonly called the `cloud-only` - onmicrosoft.com domain. Organizations can also add their registered custom domains - to Azure AD for email addresses to match the organizations domain name. If the organization - intends to use a third-party identity provider such as ADFS for authentication, - the added custom domains can be configured as federated. An adversary who has obtained - privileged access to an Azure AD tenant may leverage this technique to establish - persistence and be able to authenticate to Azure AD impersonating any user and bypassing - the requirement to have a valid password and/or perform MFA. -data_source: +description: The following analytic detects the addition of a new custom domain within + an Azure Active Directory (AD) tenant. It leverages Azure AD AuditLogs to identify + successful "Add unverified domain" operations. This activity is significant as it + may indicate an adversary attempting to establish persistence by setting up identity + federation backdoors, allowing them to impersonate users and bypass authentication + mechanisms. If confirmed malicious, this could enable attackers to gain unauthorized + access, escalate privileges, and maintain long-term access to the Azure AD environment, + posing a severe security risk. +data_source: - Azure Active Directory Add unverified domain search: ' `azure_monitor_aad` operationName="Add unverified domain" properties.result=success - | rename properties.* as * - | rename targetResources{}.displayName as domain - | stats count min(_time) as firstTime max(_time) as lastTime by user, domain, result, operationName, src_ip - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` + | rename properties.* as * | rename targetResources{}.displayName as domain | stats + count min(_time) as firstTime max(_time) as lastTime by user, domain, result, operationName, + src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_new_custom_domain_added_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. - This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category. + This analytic was written to be used with the azure:monitor:aad sourcetype leveraging + the AuditLogs log category. known_false_positives: In most organizations, new customm domains will be updated infrequently. Filter as needed. references: @@ -71,7 +65,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.002/new_federated_domain/azure-audit.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.002/new_federated_domain/azure-audit.log source: Azure AD sourcetype: azure:monitor:aad update_timestamp: true diff --git a/detections/cloud/azure_ad_new_federated_domain_added.yml b/detections/cloud/azure_ad_new_federated_domain_added.yml index 7251122626..a0b3cad525 100644 --- a/detections/cloud/azure_ad_new_federated_domain_added.yml +++ b/detections/cloud/azure_ad_new_federated_domain_added.yml @@ -1,36 +1,29 @@ name: Azure AD New Federated Domain Added id: a87cd633-076d-4ab2-9047-977751a3c1a0 -version: 2 -date: '2023-12-20' +version: 3 +date: '2024-05-28' author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk status: production type: TTP -description: The following analytic identifies the addition of a new federated domain - within an Azure Active Directory tenant. This event could represent the execution - of the Azure Active Directory identity federation backdoor technique discovered - by security researcher Nestori Syynimaa. Similar to Active Directory, Azure AD uses - the concept of domains to manage directories of identities. A new Azure AD tenant - will initially contain a single domain that is commonly called the `cloud-only` - onmicrosoft.com domain. Organizations can also add their registered custom domains - to Azure AD for email addresses to match the organizations domain name. If the organization - intends to use a third-party identity provider such as ADFS for authentication, - the added custom domains can be configured as federated. An adversary who has obtained - privileged access to an Azure AD tenant may leverage this technique to establish - persistence and be able to authenticate to Azure AD impersonating any user and bypassing - the requirement to have a valid password and/or perform MFA. -data_source: +description: The following analytic detects the addition of a new federated domain + within an Azure Active Directory tenant. It leverages Azure AD AuditLogs to identify + successful "Set domain authentication" operations. This activity is significant + as it may indicate the use of the Azure AD identity federation backdoor technique, + allowing an adversary to establish persistence. If confirmed malicious, the attacker + could impersonate any user, bypassing password and MFA requirements, potentially + leading to unauthorized access and control over the Azure AD environment. +data_source: - Azure Active Directory Set domain authentication search: ' `azure_monitor_aad` operationName="Set domain authentication" "properties.result"=success - | rename properties.* as * - | rename targetResources{}.displayName as domain - | stats count min(_time) as firstTime max(_time) as lastTime by user, domain, result, operationName, src_ip - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` + | rename properties.* as * | rename targetResources{}.displayName as domain | stats + count min(_time) as firstTime max(_time) as lastTime by user, domain, result, operationName, + src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_new_federated_domain_added_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. - This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category. + This analytic was written to be used with the azure:monitor:aad sourcetype leveraging + the AuditLogs log category. known_false_positives: In most organizations, domain federation settings will be updated infrequently. Filter as needed. references: @@ -70,7 +63,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.002/new_federated_domain/azure-audit.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.002/new_federated_domain/azure-audit.log source: Azure AD sourcetype: azure:monitor:aad update_timestamp: true diff --git a/detections/cloud/azure_ad_new_mfa_method_registered.yml b/detections/cloud/azure_ad_new_mfa_method_registered.yml index bce3a74fdf..601fed445a 100644 --- a/detections/cloud/azure_ad_new_mfa_method_registered.yml +++ b/detections/cloud/azure_ad_new_mfa_method_registered.yml @@ -1,32 +1,43 @@ name: Azure AD New MFA Method Registered id: 0488e814-eb81-42c3-9f1f-b2244973e3a3 -version: 2 -date: '2023-12-20' +version: 3 +date: '2024-05-16' author: Mauricio Velazco, Splunk status: production type: TTP -data_source: +data_source: - Azure Active Directory Update user -description: This analytic detects the registration of a new Multi-Factor Authentication (MFA) method associated with a user account within Azure Active Directory by monitoring Azure AD audit logs and configurations. While adding a new MFA method can be a routine and legitimate action, it can also be indicative of an attacker's attempt to maintain persistence on a compromised account. By registering a new MFA method, attackers can potentially bypass existing security measures, allowing them to authenticate using stolen credentials without raising alarms. Monitoring for such changes is crucial, especially if the addition is not preceded by a user request or if it deviates from typical user behavior. If an attacker successfully registers a new MFA method on a compromised account, they can solidify their access, making it harder for legitimate users to regain control. The attacker can then operate with the privileges of the compromised account, potentially accessing sensitive data, making unauthorized changes, or even escalating their privileges further. Immediate action would be required to verify the legitimacy of the MFA change and, if malicious, to remediate and secure the affected account. +description: The following analytic detects the registration of a new Multi-Factor + Authentication (MFA) method for a user account in Azure Active Directory. It leverages + Azure AD audit logs to identify changes in MFA configurations. This activity is + significant because adding a new MFA method can indicate an attacker's attempt to + maintain persistence on a compromised account. If confirmed malicious, the attacker + could bypass existing security measures, solidify their access, and potentially + escalate privileges, access sensitive data, or make unauthorized changes. Immediate + verification and remediation are required to secure the affected account. search: >- - `azure_monitor_aad` operationName="Update user" - | rename properties.* as * - | eval propertyName = mvindex('targetResources{}.modifiedProperties{}.displayName', 0) - | search propertyName = StrongAuthenticationMethod - | eval oldvalue = mvindex('targetResources{}.modifiedProperties{}.oldValue',0) - | eval newvalue = mvindex('targetResources{}.modifiedProperties{}.newValue',0) - | rex field=newvalue max_match=0 "(?i)(?\"MethodType\")" - | rex field=oldvalue max_match=0 "(?i)(?\"MethodType\")" - | eval count_new_method_type = coalesce(mvcount(new_method_type), 0) - | eval count_old_method_type = coalesce(mvcount(old_method_type), 0) - | stats earliest(_time) as firstTime latest(_time) as lastTime values(propertyName) by user newvalue oldvalue - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `azure_ad_new_mfa_method_registered_filter` + `azure_monitor_aad` operationName="Update user" + | rename properties.* as * | eval propertyName = mvindex('targetResources{}.modifiedProperties{}.displayName', + 0) + | search propertyName = StrongAuthenticationMethod + | eval oldvalue = mvindex('targetResources{}.modifiedProperties{}.oldValue',0) + | eval newvalue = mvindex('targetResources{}.modifiedProperties{}.newValue',0) + | rex field=newvalue max_match=0 "(?i)(?\"MethodType\")" + | rex field=oldvalue max_match=0 "(?i)(?\"MethodType\")" + | eval count_new_method_type = coalesce(mvcount(new_method_type), 0) + | eval count_old_method_type = coalesce(mvcount(old_method_type), 0) + | stats earliest(_time) as firstTime latest(_time) as lastTime values(propertyName) + by user newvalue oldvalue + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `azure_ad_new_mfa_method_registered_filter` how_to_implement: You must install the latest version of Splunk Add-on for Microsoft - Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. - This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. -known_false_positives: Users may register MFA methods legitimally, investigate and filter as needed. + Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). + You must be ingesting Azure Active Directory events into your Splunk environment + through an EventHub. This analytic was written to be used with the azure:monitor:aad + sourcetype leveraging the AuditLog log category. +known_false_positives: Users may register MFA methods legitimally, investigate and + filter as needed. references: - https://attack.mitre.org/techniques/T1098/005/ - https://www.microsoft.com/en-us/security/blog/2023/06/08/detecting-and-mitigating-a-multi-stage-aitm-phishing-and-bec-campaign/ @@ -62,7 +73,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.005/azure_ad_register_new_mfa_method/azure_ad_register_new_mfa_method.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.005/azure_ad_register_new_mfa_method/azure_ad_register_new_mfa_method.log source: Azure AD sourcetype: azure:monitor:aad diff --git a/detections/cloud/azure_ad_new_mfa_method_registered_for_user.yml b/detections/cloud/azure_ad_new_mfa_method_registered_for_user.yml index de7c9384d6..e0e0bd3bc5 100644 --- a/detections/cloud/azure_ad_new_mfa_method_registered_for_user.yml +++ b/detections/cloud/azure_ad_new_mfa_method_registered_for_user.yml @@ -1,26 +1,29 @@ name: Azure AD New MFA Method Registered For User id: 2628b087-4189-403f-9044-87403f777a1b -version: 2 -date: '2023-12-20' +version: 3 +date: '2024-05-29' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic identifies the registration of a new Multi Factor - authentication method for an Azure AD account. Adversaries who have obtained unauthorized - access to an Azure AD account may register a new MFA method to maintain persistence. -data_source: +description: The following analytic detects the registration of a new Multi-Factor + Authentication (MFA) method for an Azure AD account. It leverages Azure AD AuditLogs + to identify when a user registers new security information. This activity is significant + because adversaries who gain unauthorized access to an account may add their own + MFA method to maintain persistence. If confirmed malicious, this could allow attackers + to bypass existing security controls, maintain long-term access, and potentially + escalate their privileges within the environment. +data_source: - Azure Active Directory User registered security info -search: ' `azure_monitor_aad` category=AuditLogs operationName="User registered security info" properties.operationType=Add - | rename properties.* as * - | rename targetResources{}.* as * - | stats count min(_time) as firstTime max(_time) as lastTime by user, resultDescription, result, src_ip - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +search: ' `azure_monitor_aad` category=AuditLogs operationName="User registered security + info" properties.operationType=Add | rename properties.* as * | rename targetResources{}.* + as * | stats count min(_time) as firstTime max(_time) as lastTime by user, resultDescription, + result, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_new_mfa_method_registered_for_user_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). - You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. - This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category. + You must be ingesting Azure Active Directory events into your Splunk environment + through an EventHub. This analytic was written to be used with the azure:monitor:aad + sourcetype leveraging the AuditLogs log category. known_false_positives: Newly onboarded users who are registering an MFA method for the first time will also trigger this detection. references: @@ -66,7 +69,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556.006/azure_ad_new_mfa_method_registered_for_user/azuread.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556.006/azure_ad_new_mfa_method_registered_for_user/azuread.log source: Azure AD sourcetype: azure:monitor:aad update_timestamp: true diff --git a/detections/cloud/azure_ad_oauth_application_consent_granted_by_user.yml b/detections/cloud/azure_ad_oauth_application_consent_granted_by_user.yml index 410e8c8825..3e4b3baed2 100644 --- a/detections/cloud/azure_ad_oauth_application_consent_granted_by_user.yml +++ b/detections/cloud/azure_ad_oauth_application_consent_granted_by_user.yml @@ -1,27 +1,41 @@ name: Azure AD OAuth Application Consent Granted By User id: 10ec9031-015b-4617-b453-c0c1ab729007 -version: 2 -date: '2023-12-20' +version: 3 +date: '2024-05-24' author: Mauricio Velazco, Splunk status: production type: TTP -data_source: +data_source: - Azure Active Directory Consent to application -description: This analytic detects when a user in an Azure AD environment grants consent to an OAuth application, capturing any consent granted regardless of the specific permissions requested. Utilizing Azure AD audit logs, it focuses on events related to OAuth application consents, alerting security teams to instances where users actively grant consent to applications. This monitoring is crucial as it highlights potential risks associated with third-party applications gaining access to organizational data, a tactic often exploited by malicious actors to gain unauthorized access. A true positive from this analytic necessitates immediate investigation to validate the application's legitimacy, review the granted permissions, and assess potential risks, helping to prevent unauthorized access and protect sensitive data and resources. While false positives may occur with legitimate application integrations, ensuring alignment with organizational policies and security best practices is paramount. +description: The following analytic detects when a user in an Azure AD environment + grants consent to an OAuth application. It leverages Azure AD audit logs to identify + events where users approve application consents. This activity is significant as + it can expose organizational data to third-party applications, a common tactic used + by malicious actors to gain unauthorized access. If confirmed malicious, this could + lead to unauthorized access to sensitive information and resources. Immediate investigation + is required to validate the application's legitimacy, review permissions, and mitigate + potential risks. search: >- `azure_monitor_aad` operationName="Consent to application" properties.result=success - | rename properties.* as * - | eval permissions_index = if(mvfind('targetResources{}.modifiedProperties{}.displayName', "ConsentAction.Permissions") >= 0, mvfind('targetResources{}.modifiedProperties{}.displayName', "ConsentAction.Permissions"), -1) + | rename properties.* as * | eval permissions_index = if(mvfind('targetResources{}.modifiedProperties{}.displayName', + "ConsentAction.Permissions") >= 0, mvfind('targetResources{}.modifiedProperties{}.displayName', + "ConsentAction.Permissions"), -1) | eval permissions = mvindex('targetResources{}.modifiedProperties{}.newValue',permissions_index) | rex field=permissions "Scope: (?[^,]+)" - | stats count min(_time) as firstTime max(_time) as lastTime by operationName, user, Scope + | stats count min(_time) as firstTime max(_time) as lastTime by operationName, user, + Scope | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_oauth_application_consent_granted_by_user_filter` how_to_implement: You must install the latest version of Splunk Add-on for Microsoft - Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. - This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. -known_false_positives: False positives may occur if users are granting consents as part of legitimate application integrations or setups. It is crucial to review the application and the permissions it requests to ensure they align with organizational policies and security best practices. + Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). + You must be ingesting Azure Active Directory events into your Splunk environment + through an EventHub. This analytic was written to be used with the azure:monitor:aad + sourcetype leveraging the AuditLog log category. +known_false_positives: False positives may occur if users are granting consents as + part of legitimate application integrations or setups. It is crucial to review the + application and the permissions it requests to ensure they align with organizational + policies and security best practices. references: - https://attack.mitre.org/techniques/T1528/ - https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/ @@ -58,7 +72,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1528/azure_ad_user_consent_granted/azure_ad_user_consent_granted.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1528/azure_ad_user_consent_granted/azure_ad_user_consent_granted.log source: Azure AD sourcetype: azure:monitor:aad diff --git a/detections/cloud/azure_ad_pim_role_assigned.yml b/detections/cloud/azure_ad_pim_role_assigned.yml index 69c8c94e84..6d4ea20cdb 100644 --- a/detections/cloud/azure_ad_pim_role_assigned.yml +++ b/detections/cloud/azure_ad_pim_role_assigned.yml @@ -1,29 +1,31 @@ name: Azure AD PIM Role Assigned id: fcd6dfeb-191c-46a0-a29c-c306382145ab -version: 2 -date: '2023-12-20' +version: 3 +date: '2024-05-14' author: Mauricio Velazco, Splunk status: production type: TTP -data_source: +data_source: - Azure Active Directory -description: The following analytic identifies the assignment of the Azure AD PIM role. Privileged Identity Management (PIM) is a service within Azure Azure AD - that enables administrators to manage, control, and monitor access to sensitive resources. PIM provides time-based and approval-based role activation to mitigate the - risks of excessive, unnecessary, or misused access permissions on resources. Once a user has been made eligible for an administrative role, she must activate this role - assignment to perform the privileged actions. When a role is activated, Azure AD PIM temporarily adds active assignment for the role. While PIM can be leveraged as a powerful - security control, it may also abused by adversaries to obtain privileged access. Security teams should monitor for the assignment and activation of PIM roles and validate their - legitimacy. +description: The following analytic detects the assignment of an Azure AD Privileged + Identity Management (PIM) role. It leverages Azure Active Directory events to identify + when a user is added as an eligible member to a PIM role. This activity is significant + because PIM roles grant elevated privileges, and their assignment should be closely + monitored to prevent unauthorized access. If confirmed malicious, an attacker could + exploit this to gain privileged access, potentially leading to unauthorized actions, + data breaches, or further compromise of the environment. search: ' `azure_monitor_aad` operationName="Add eligible member to role in PIM completed*" - | rename properties.* as * - | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user values(targetResources{}.displayName) as displayName by result, operationName, initiatedBy.user.displayName - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `azure_ad_pim_role_assigned_filter`' + | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime + values(user) as user values(targetResources{}.displayName) as displayName by result, + operationName, initiatedBy.user.displayName | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `azure_ad_pim_role_assigned_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. - This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. -known_false_positives: As part of legitimate administrative behavior, users may be assigned PIM roles. Filter as needed + This analytic was written to be used with the azure:monitor:aad sourcetype leveraging + the AuditLog log category. +known_false_positives: As part of legitimate administrative behavior, users may be + assigned PIM roles. Filter as needed references: - https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure - https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-activate-role @@ -54,12 +56,13 @@ tags: - properties - operationName - user - - initiatedBy.user.userPrincipalName + - initiatedBy.user.userPrincipalName - result security_domain: identity tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_pim_role_activated/azure-audit.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_pim_role_activated/azure-audit.log source: Azure AD - sourcetype: azure:monitor:aad \ No newline at end of file + sourcetype: azure:monitor:aad diff --git a/detections/cloud/azure_ad_pim_role_assignment_activated.yml b/detections/cloud/azure_ad_pim_role_assignment_activated.yml index 19c5909a23..e87d24a8b2 100644 --- a/detections/cloud/azure_ad_pim_role_assignment_activated.yml +++ b/detections/cloud/azure_ad_pim_role_assignment_activated.yml @@ -1,30 +1,32 @@ name: Azure AD PIM Role Assignment Activated id: 952e80d0-e343-439b-83f4-808c3e6fbf2e -version: 3 -date: '2023-12-20' +version: 4 +date: '2024-05-25' author: Mauricio Velazco, Splunk status: production type: TTP -data_source: +data_source: - Azure Active Directory -description: The following analytic identifies the assignment of the Azure AD PIM role. Privileged Identity Management (PIM) is a service within Azure Azure AD - that enables administrators to manage, control, and monitor access to sensitive resources. PIM provides time-based and approval-based role activation to mitigate the - risks of excessive, unnecessary, or misused access permissions on resources. Once a user has been made eligible for an administrative role, she must activate this role - assignment to perform the privileged actions. When a role is activated, Azure AD PIM temporarily adds active assignment for the role. While PIM can be leveraged as a powerful - security control, it may also abused by adversaries to obtain privileged access. Security teams should monitor for the assignment and activation of PIM roles and validate their - legitimacy. +description: The following analytic detects the activation of an Azure AD Privileged + Identity Management (PIM) role. It leverages Azure Active Directory events to identify + when a user activates a PIM role assignment, indicated by the "Add member to role + completed (PIM activation)" operation. Monitoring this activity is crucial as PIM + roles grant elevated privileges, and unauthorized activation could indicate an adversary + attempting to gain privileged access. If confirmed malicious, this could lead to + unauthorized administrative actions, data breaches, or further compromise of the + Azure environment. search: ' `azure_monitor_aad` operationName="Add member to role completed (PIM activation)" - | rename properties.* as * - | rename initiatedBy.user.userPrincipalName as initiatedBy - | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user values(targetResources{}.displayName) as displayName by initiatedBy, result, operationName - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `azure_ad_pim_role_assignment_activated_filter`' + | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy + | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user + values(targetResources{}.displayName) as displayName by initiatedBy, result, operationName + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_pim_role_assignment_activated_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. - This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. -known_false_positives: As part of legitimate administrative behavior, users may activate PIM roles. Filter as needed + This analytic was written to be used with the azure:monitor:aad sourcetype leveraging + the AuditLog log category. +known_false_positives: As part of legitimate administrative behavior, users may activate + PIM roles. Filter as needed references: - https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure - https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-activate-role @@ -54,13 +56,14 @@ tags: - properties - operationName - user - - initiatedBy.user.userPrincipalName + - initiatedBy.user.userPrincipalName - result risk_score: 35 security_domain: identity tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_pim_role_activated/azure-audit.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_pim_role_activated/azure-audit.log source: eventhub://researchhub1.servicebus.windows.net/azureadhub; sourcetype: azure:monitor:aad diff --git a/detections/cloud/azure_ad_privileged_authentication_administrator_role_assigned.yml b/detections/cloud/azure_ad_privileged_authentication_administrator_role_assigned.yml index 909458ef70..f0c6deb71a 100644 --- a/detections/cloud/azure_ad_privileged_authentication_administrator_role_assigned.yml +++ b/detections/cloud/azure_ad_privileged_authentication_administrator_role_assigned.yml @@ -1,29 +1,32 @@ name: Azure AD Privileged Authentication Administrator Role Assigned id: a7da845d-6fae-41cf-b823-6c0b8c55814a -version: 2 -date: '2023-12-20' +version: 3 +date: '2024-05-20' author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk status: production type: TTP -data_source: +data_source: - Azure Active Directory Add member to role -description: The following analytic identifies the assignment of the Privileged Authentication Administrato role to an Azure AD user. Users in this role can set or reset authentication - methods for any user in Azure Active Directory, including privileged roles like Global Administrators. Users with this role can change credentials for people who may have access to sensitive - or private information or critical configuration inside and outside of Azure Active Directory. Changing the credentials of a user may mean the ability to assume that users identity and permissions. - Red teams and adversaries alike may abuse this role to escalate their privileges. -search: ' `azure_monitor_aad` "operationName"="Add member to role" "properties.targetResources{}.modifiedProperties{}.newValue"="\"Privileged Authentication Administrator\"" - | rename properties.* as * - | rename initiatedBy.user.userPrincipalName as initiatedBy - | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by initiatedBy, result, operationName - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `azure_ad_privileged_authentication_administrator_role_assigned_filter`' +description: The following analytic detects the assignment of the Privileged Authentication + Administrator role to an Azure AD user. It leverages Azure Active Directory audit + logs to identify when this specific role is assigned. This activity is significant + because users in this role can set or reset authentication methods for any user, + including those in privileged roles like Global Administrators. If confirmed malicious, + an attacker could change credentials and assume the identity and permissions of + high-privilege users, potentially leading to unauthorized access to sensitive information + and critical configurations. +search: ' `azure_monitor_aad` "operationName"="Add member to role" "properties.targetResources{}.modifiedProperties{}.newValue"="\"Privileged + Authentication Administrator\"" | rename properties.* as * | rename initiatedBy.user.userPrincipalName + as initiatedBy | stats count min(_time) as firstTime max(_time) as lastTime values(user) + as user by initiatedBy, result, operationName | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `azure_ad_privileged_authentication_administrator_role_assigned_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. - This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. -known_false_positives: Administrators may legitimately assign the Privileged Authentication Administrator role - as part of administrative tasks. Filter as needed. + This analytic was written to be used with the azure:monitor:aad sourcetype leveraging + the AuditLog log category. +known_false_positives: Administrators may legitimately assign the Privileged Authentication + Administrator role as part of administrative tasks. Filter as needed. references: - https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#privileged-authentication-administrator - https://posts.specterops.io/azure-privilege-escalation-via-azure-api-permissions-abuse-74aee1006f48 @@ -34,8 +37,8 @@ tags: asset_type: Azure Active Directory confidence: 50 impact: 100 - message: The privileged Azure AD role Privileged Authentication Administrator was assigned for User $user$ initiated - by $initiatedBy$ + message: The privileged Azure AD role Privileged Authentication Administrator was + assigned for User $user$ initiated by $initiatedBy$ mitre_attack_id: - T1003.002 observable: @@ -62,7 +65,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_assign_privileged_role/azure-audit.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_assign_privileged_role/azure-audit.log source: Azure AD sourcetype: azure:monitor:aad - update_timestamp: true \ No newline at end of file + update_timestamp: true diff --git a/detections/cloud/azure_ad_privileged_graph_api_permission_assigned.yml b/detections/cloud/azure_ad_privileged_graph_api_permission_assigned.yml index 0e5a21d608..36832caf61 100644 --- a/detections/cloud/azure_ad_privileged_graph_api_permission_assigned.yml +++ b/detections/cloud/azure_ad_privileged_graph_api_permission_assigned.yml @@ -1,28 +1,38 @@ name: Azure AD Privileged Graph API Permission Assigned id: 5521f8c5-1aa3-473c-9eb7-853701924a06 -version: 1 -date: '2024-01-30' +version: 2 +date: '2024-05-11' author: Mauricio Velazco, Splunk status: production type: TTP -data_source: +data_source: - Azure Active Directory Update application -description: This Splunk analytic flags the assignment of three high-risk Graph API permissions in Azure AD, Application.ReadWrite.All (1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9), AppRoleAssignment.ReadWrite.All (06b708a9-e830-4db3-a914-8e69da51d44f), and RoleManagement.ReadWrite.Directory (9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8). These permissions enable broad control over Azure AD, including application and directory settings. Utilizing azure_monitor_aad data, the query scans AuditLogs for 'Update application' operations, identifying when these permissions are assigned. It collects data on user, object, and user agent. Immediate attention is needed upon detection, as misuse of these permissions can lead to unauthorized Azure AD modifications and potential security breaches. +description: The following analytic detects the assignment of high-risk Graph API + permissions in Azure AD, specifically Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All, + and RoleManagement.ReadWrite.Directory. It uses azure_monitor_aad data to scan AuditLogs + for 'Update application' operations, identifying when these permissions are assigned. + This activity is significant as it grants broad control over Azure AD, including + application and directory settings. If confirmed malicious, it could lead to unauthorized + modifications and potential security breaches, compromising the integrity and security + of the Azure AD environment. Immediate investigation is required. search: >- - `azure_monitor_aad` category=AuditLogs operationName="Update application" - | eval newvalue = mvindex('properties.targetResources{}.modifiedProperties{}.newValue',0) - | spath input=newvalue - | search "{}.RequiredAppPermissions{}.EntitlementId"="1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9" OR "{}.RequiredAppPermissions{}.EntitlementId"="06b708a9-e830-4db3-a914-8e69da51d44f" OR "{}.RequiredAppPermissions{}.EntitlementId"="9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8" - | eval Permissions = '{}.RequiredAppPermissions{}.EntitlementId' - | stats count earliest(_time) as firstTime latest(_time) as lastTime values(Permissions) by user, object, user_agent, operationName - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `azure_ad_privileged_graph_api_permission_assigned_filter` + `azure_monitor_aad` category=AuditLogs operationName="Update application" | eval + newvalue = mvindex('properties.targetResources{}.modifiedProperties{}.newValue',0) + | spath input=newvalue | search "{}.RequiredAppPermissions{}.EntitlementId"="1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9" + OR "{}.RequiredAppPermissions{}.EntitlementId"="06b708a9-e830-4db3-a914-8e69da51d44f" + OR "{}.RequiredAppPermissions{}.EntitlementId"="9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8" | + eval Permissions = '{}.RequiredAppPermissions{}.EntitlementId' + | stats count earliest(_time) as firstTime latest(_time) as lastTime values(Permissions) + by user, object, user_agent, operationName + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `azure_ad_privileged_graph_api_permission_assigned_filter` how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. - This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. -known_false_positives: Privileged Graph API permissions may be assigned for legitimate purposes. Filter as needed. + This analytic was written to be used with the azure:monitor:aad sourcetype leveraging + the AuditLog log category. +known_false_positives: Privileged Graph API permissions may be assigned for legitimate + purposes. Filter as needed. references: - https://cloudbrothers.info/en/azure-attack-paths/ - https://github.com/mandiant/Mandiant-Azure-AD-Investigator/blob/master/MandiantAzureADInvestigator.json @@ -61,7 +71,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_privileged_graph_perm_assigned/azure_ad_privileged_graph_perm_assigned.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_privileged_graph_perm_assigned/azure_ad_privileged_graph_perm_assigned.log source: Azure AD sourcetype: azure:monitor:aad - update_timestamp: true \ No newline at end of file + update_timestamp: true diff --git a/detections/cloud/azure_ad_privileged_role_assigned.yml b/detections/cloud/azure_ad_privileged_role_assigned.yml index 4547aa93a9..841b4c60f5 100644 --- a/detections/cloud/azure_ad_privileged_role_assigned.yml +++ b/detections/cloud/azure_ad_privileged_role_assigned.yml @@ -1,15 +1,18 @@ name: Azure AD Privileged Role Assigned id: a28f0bc3-3400-4a6e-a2da-89b9e95f0d2a version: 3 -date: '2023-12-20' +date: '2024-05-29' author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk status: production type: TTP -description: The following analytic identifies the assignment of sensitive and privileged - Azure Active Directory roles to an Azure AD user. Adversaries and red teams alike - may assign these roles to a compromised account to establish Persistence in an Azure - AD environment. -data_source: +description: The following analytic detects the assignment of privileged Azure Active + Directory roles to a user. It leverages Azure AD audit logs, specifically monitoring + the "Add member to role" operation. This activity is significant as adversaries + may assign privileged roles to compromised accounts to maintain persistence within + the Azure AD environment. If confirmed malicious, this could allow attackers to + escalate privileges, access sensitive information, and maintain long-term control + over the Azure AD infrastructure. +data_source: - Azure Active Directory Add member to role search: ' `azure_monitor_aad` "operationName"="Add member to role" | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy @@ -24,7 +27,8 @@ search: ' `azure_monitor_aad` "operationName"="Add member to role" | rename pro how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. - This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. + This analytic was written to be used with the azure:monitor:aad sourcetype leveraging + the AuditLog log category. known_false_positives: Administrators will legitimately assign the privileged roles users as part of administrative tasks. Filter as needed. references: @@ -41,8 +45,7 @@ tags: asset_type: Azure Active Directory confidence: 90 impact: 70 - message: A privileged Azure AD role was assigned for User $user$ initiated - by $initiatedBy$ + message: A privileged Azure AD role was assigned for User $user$ initiated by $initiatedBy$ mitre_attack_id: - T1098 - T1098.003 @@ -70,7 +73,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_assign_privileged_role/azure-audit.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_assign_privileged_role/azure-audit.log source: Azure AD sourcetype: azure:monitor:aad update_timestamp: true diff --git a/detections/cloud/azure_ad_privileged_role_assigned_to_service_principal.yml b/detections/cloud/azure_ad_privileged_role_assigned_to_service_principal.yml index 7cc67019f4..3022a4b9fd 100644 --- a/detections/cloud/azure_ad_privileged_role_assigned_to_service_principal.yml +++ b/detections/cloud/azure_ad_privileged_role_assigned_to_service_principal.yml @@ -1,12 +1,19 @@ name: Azure AD Privileged Role Assigned to Service Principal id: 5dfaa3d3-e2e4-4053-8252-16d9ee528c41 version: 3 -date: '2023-12-20' +date: '2024-05-31' author: Mauricio Velazco, Splunk status: production type: TTP -description: "The following analytic detects potential privilege escalation threats in Azure Active Directory (AD). The detection is made by running a specific search within the ingested Azure Active Directory events to leverage the AuditLogs log category. This detection is important because it identifies instances where privileged roles that hold elevated permissions are assigned to service principals. This prevents unauthorized access or malicious activities, which occur when these non-human entities access Azure resources to exploit them. False positives might occur since administrators can legitimately assign privileged roles to service principals." -data_source: +description: "The following analytic detects the assignment of privileged roles to + service principals in Azure Active Directory (AD). It leverages the AuditLogs log + category from ingested Azure AD events. This activity is significant because assigning + elevated permissions to non-human entities can lead to unauthorized access or malicious + activities. If confirmed malicious, attackers could exploit these service principals + to gain elevated access to Azure resources, potentially compromising sensitive data + and critical infrastructure. Monitoring this behavior helps prevent privilege escalation + and ensures the security of Azure environments." +data_source: - Azure Active Directory Add member to role search: ' `azure_monitor_aad` operationName="Add member to role" | rename properties.* as * @@ -25,7 +32,8 @@ search: ' `azure_monitor_aad` operationName="Add member to role" how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. - This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. + This analytic was written to be used with the azure:monitor:aad sourcetype leveraging + the AuditLog log category. known_false_positives: Administrators may legitimately assign the privileged roles to Service Principals as part of administrative tasks. Filter as needed. references: @@ -61,7 +69,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_privileged_role_serviceprincipal/azure-audit.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_privileged_role_serviceprincipal/azure-audit.log source: Azure AD sourcetype: azure:monitor:aad update_timestamp: true diff --git a/detections/cloud/azure_ad_service_principal_authentication.yml b/detections/cloud/azure_ad_service_principal_authentication.yml index e1e85883de..e357d5d3cb 100644 --- a/detections/cloud/azure_ad_service_principal_authentication.yml +++ b/detections/cloud/azure_ad_service_principal_authentication.yml @@ -1,23 +1,34 @@ name: Azure AD Service Principal Authentication id: 5a2ec401-60bb-474e-b936-1e66e7aa4060 -version: 1 -date: '2024-02-12' +version: 2 +date: '2024-05-21' author: Mauricio Velazco, Splunk -data_source: +data_source: - Azure Active Directory Sign-in activity type: TTP status: production -description: Monitoring service principal authentication events in Azure Active Directory is crucial, but to effectively leverage this detection, teams should first conduct a thorough inventory of all service principals and their source IPs to establish a baseline of normal behavior. The detection, using azure_monitor_aad, specifically targets "Sign-in activity" within ServicePrincipalSignInLogs, gathering key details like sign-in frequency, timing, source IPs, and accessed resources. This baseline is essential for SOC teams to distinguish between regular application authentication and anomalous patterns that might suggest compromised credentials or malicious activities. +description: The following analytic identifies authentication events of service principals + in Azure Active Directory. It leverages the `azure_monitor_aad` data source, specifically + targeting "Sign-in activity" within ServicePrincipalSignInLogs. This detection gathers + details such as sign-in frequency, timing, source IPs, and accessed resources. Monitoring + these events is significant for SOC teams to distinguish between normal application + authentication and potential anomalies, which could indicate compromised credentials + or malicious activities. If confirmed malicious, attackers could gain unauthorized + access to resources, leading to data breaches or further exploitation within the + environment. search: ' `azure_monitor_aad` operationName="Sign-in activity" category=ServicePrincipalSignInLogs - | rename properties.* as * - | stats count earliest(_time) as firstTime latest(_time) as lastTime by user, user_id, src_ip, resourceDisplayName, resourceId - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `azure_ad_service_principal_authentication_filter`' -how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. - This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category. -known_false_positives: Service Principals will legitimally authenticate remotely to your tenant. Implementing this detection after establishing a baseline enables a more accurate identification of security threats, ensuring proactive and informed responses to safeguard the Azure AD environment. - source ips. + | rename properties.* as * | stats count earliest(_time) as firstTime latest(_time) + as lastTime by user, user_id, src_ip, resourceDisplayName, resourceId | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `azure_ad_service_principal_authentication_filter`' +how_to_implement: You must install the latest version of Splunk Add-on for Microsoft + Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). + You must be ingesting Azure Active Directory events into your Splunk environment + through an EventHub. This analytic was written to be used with the azure:monitor:aad + sourcetype leveraging the SignInLogs log category. +known_false_positives: Service Principals will legitimally authenticate remotely to + your tenant. Implementing this detection after establishing a baseline enables a + more accurate identification of security threats, ensuring proactive and informed + responses to safeguard the Azure AD environment. source ips. references: - https://attack.mitre.org/techniques/T1078/004/ - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-sign-ins#service-principal-sign-ins @@ -25,7 +36,7 @@ tags: analytic_story: - Azure Active Directory Account Takeover - NOBELIUM Group - asset_type: Azure Active Directory + asset_type: Azure Active Directory confidence: 50 impact: 50 message: Service Principal $user$ authenticated from $src_ip$ @@ -58,7 +69,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/azure_ad_service_principal_authentication/azure_ad_service_principal_authentication.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/azure_ad_service_principal_authentication/azure_ad_service_principal_authentication.log source: Azure AD sourcetype: azure:monitor:aad update_timestamp: true diff --git a/detections/cloud/azure_ad_service_principal_created.yml b/detections/cloud/azure_ad_service_principal_created.yml index 890da5086a..174a84df04 100644 --- a/detections/cloud/azure_ad_service_principal_created.yml +++ b/detections/cloud/azure_ad_service_principal_created.yml @@ -1,32 +1,30 @@ name: Azure AD Service Principal Created id: f8ba49e7-ffd3-4b53-8f61-e73974583c5d -version: 1 -date: '2022-08-17' +version: 2 +date: '2024-05-30' author: Gowthamaraj Rajendran, Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic identifies the creation of a Service Principal - in an Azure AD environment. An Azure Service Principal is an identity designed to - be used with applications, services, and automated tools to access resources. It - is similar to a service account within an Active Directory environment. Service - Principal authentication does not support multi-factor authentication nor conditional - access policies. Adversaries and red teams alike who have obtained administrative - access may create a Service Principal to establish Persistence and obtain single-factor - access to an Azure AD environment. -data_source: +description: The following analytic detects the creation of a Service Principal in + an Azure AD environment. It leverages Azure Active Directory events ingested through + EventHub, specifically monitoring the "Add service principal" operation. This activity + is significant because Service Principals can be used by adversaries to establish + persistence and bypass multi-factor authentication and conditional access policies. + If confirmed malicious, this could allow attackers to maintain single-factor access + to the Azure AD environment, potentially leading to unauthorized access to resources + and prolonged undetected activity. +data_source: - Azure Active Directory Add service principal search: '`azure_monitor_aad` operationName="Add service principal" properties.initiatedBy.user.id=* - | rename properties.* as * - | rename targetResources{}.displayName as displayName - | rename targetResources{}.type as type - | stats count min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName by type, user, result, operationName - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `azure_ad_service_principal_created_filter`' + | rename properties.* as * | rename targetResources{}.displayName as displayName + | rename targetResources{}.type as type | stats count min(_time) as firstTime max(_time) + as lastTime values(displayName) as displayName by type, user, result, operationName + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_service_principal_created_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). - You must be ingesting Azure Active Directory events into your Splunk environment thorough an EventHub. - This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. + You must be ingesting Azure Active Directory events into your Splunk environment + thorough an EventHub. This analytic was written to be used with the azure:monitor:aad + sourcetype leveraging the AuditLog log category. known_false_positives: Administrator may legitimately create Service Principal. Filter as needed. references: @@ -65,7 +63,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/azure_ad_add_service_principal/azure-audit.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/azure_ad_add_service_principal/azure-audit.log source: Azure AD sourcetype: azure:monitor:aad update_timestamp: true diff --git a/detections/cloud/azure_ad_service_principal_new_client_credentials.yml b/detections/cloud/azure_ad_service_principal_new_client_credentials.yml index a95272ce69..99e48bd36c 100644 --- a/detections/cloud/azure_ad_service_principal_new_client_credentials.yml +++ b/detections/cloud/azure_ad_service_principal_new_client_credentials.yml @@ -1,33 +1,30 @@ name: Azure AD Service Principal New Client Credentials id: e3adc0d3-9e4b-4b5d-b662-12cec1adff2a -version: 2 -date: '2023-12-20' +version: 3 +date: '2024-05-11' author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk status: production type: TTP -description: The following analytic identifies the addition of new credentials for Service - Principals and Applications in addition to existing legitimate credentials in Azure - AD. These credentials include both x509 certificates and passwords. With sufficient - permissions, there are a variety of ways to add credentials including the Azure - Portal, Azure command line interface, and Azure or Az PowerShell modules. Adversaries - and red teams alike who have obtained privileged access to Azure AD may add credentials - to Service Principals to maintain persistent access to victim accounts and other - instances within the Azure environment. By compromising an account who is an Owner of an application - with privileged access, attackers may also escalate their privileges in an Azure AD environment by adding new credentials and - logging in as the service principal. -data_source: +description: The following analytic detects the addition of new credentials to Service + Principals and Applications in Azure AD. It leverages Azure AD AuditLogs, specifically + monitoring the "Update application*Certificates and secrets management" operation. + This activity is significant as it may indicate an adversary attempting to maintain + persistent access or escalate privileges within the Azure environment. If confirmed + malicious, attackers could use these new credentials to log in as the service principal, + potentially compromising sensitive accounts and resources, leading to unauthorized + access and control over the Azure environment. +data_source: - Azure Active Directory -search: ' `azure_monitor_aad` category=AuditLogs operationName="Update application*Certificates and secrets management " - | rename properties.* as * - | rename targetResources{}.* as * - | stats count min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName by user, modifiedProperties{}.newValue, src_ip - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `azure_ad_service_principal_new_client_credentials_filter`' +search: ' `azure_monitor_aad` category=AuditLogs operationName="Update application*Certificates + and secrets management " | rename properties.* as * | rename targetResources{}.* + as * | stats count min(_time) as firstTime max(_time) as lastTime values(displayName) + as displayName by user, modifiedProperties{}.newValue, src_ip | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `azure_ad_service_principal_new_client_credentials_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. - This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category. + This analytic was written to be used with the azure:monitor:aad sourcetype leveraging + the Signin log category. known_false_positives: Service Principal client credential modifications may be part of legitimate administrative operations. Filter as needed. references: @@ -71,7 +68,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.001/azure_ad_service_principal_credentials/azure-audit.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.001/azure_ad_service_principal_credentials/azure-audit.log source: Azure AD sourcetype: azure:monitor:aad update_timestamp: true diff --git a/detections/cloud/azure_ad_service_principal_owner_added.yml b/detections/cloud/azure_ad_service_principal_owner_added.yml index 53612a16f5..104b919d26 100644 --- a/detections/cloud/azure_ad_service_principal_owner_added.yml +++ b/detections/cloud/azure_ad_service_principal_owner_added.yml @@ -1,36 +1,32 @@ name: Azure AD Service Principal Owner Added id: 7ddf2084-6cf3-4a44-be83-474f7b73c701 -version: 3 -date: '2023-12-20' +version: 4 +date: '2024-05-28' author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk status: production type: TTP -description: The following analytic identifies the addition of a new owner for a Service - Principal within an Azure AD tenant. An Azure Service Principal is an identity designed - to be used with applications, services, and automated tools to access resources. - It is similar to a service account within an Active Directory environment. Service - Principal authentication does not support multi-factor authentication nor conditional - access policies. Adversaries and red teams alike who have obtained administrative - access may add a new owner for an existing Service Principal to establish Persistence - and obtain single-factor access to an Azure AD environment. Attackers who are looking to - escalate their privileges by leveraging a Service Principals permissions may also add a new owner. -data_source: +description: The following analytic detects the addition of a new owner to a Service + Principal within an Azure AD tenant. It leverages Azure Active Directory events + from the AuditLog log category to identify this activity. This behavior is significant + because Service Principals do not support multi-factor authentication or conditional + access policies, making them a target for adversaries seeking persistence or privilege + escalation. If confirmed malicious, this activity could allow attackers to maintain + access to the Azure AD environment with single-factor authentication, potentially + leading to unauthorized access and control over critical resources. +data_source: - Azure Active Directory Add owner to application -search: ' `azure_monitor_aad` operationName="Add owner to application" - | rename properties.* as * - | rename initiatedBy.user.userPrincipalName as initiatedBy - | rename targetResources{}.userPrincipalName as newOwner - | rename targetResources{}.modifiedProperties{}.newValue as displayName - | eval displayName = mvindex(displayName,1) - | where initiatedBy!=newOwner - | stats count min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName by initiatedBy, result, operationName, newOwner - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `azure_ad_service_principal_owner_added_filter`' +search: ' `azure_monitor_aad` operationName="Add owner to application" | rename properties.* + as * | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.userPrincipalName + as newOwner | rename targetResources{}.modifiedProperties{}.newValue as displayName + | eval displayName = mvindex(displayName,1) | where initiatedBy!=newOwner | stats + count min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName + by initiatedBy, result, operationName, newOwner | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `azure_ad_service_principal_owner_added_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). - You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. - This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. + You must be ingesting Azure Active Directory events into your Splunk environment + through an EventHub. This analytic was written to be used with the azure:monitor:aad + sourcetype leveraging the AuditLog log category. known_false_positives: Administrator may legitimately add new owners for Service Principals. Filter as needed. references: @@ -71,7 +67,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/azure_ad_add_serviceprincipal_owner/azure-audit.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/azure_ad_add_serviceprincipal_owner/azure-audit.log source: Azure AD sourcetype: azure:monitor:aad update_timestamp: true diff --git a/detections/cloud/azure_ad_successful_authentication_from_different_ips.yml b/detections/cloud/azure_ad_successful_authentication_from_different_ips.yml index fcf2ec56c7..01ce2310b9 100644 --- a/detections/cloud/azure_ad_successful_authentication_from_different_ips.yml +++ b/detections/cloud/azure_ad_successful_authentication_from_different_ips.yml @@ -1,30 +1,29 @@ name: Azure AD Successful Authentication From Different Ips id: be6d868d-33b6-4aaa-912e-724fb555b11a -version: 3 -date: '2023-12-20' +version: 4 +date: '2024-05-26' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic identifies an Azure AD account successfully authenticating - from more than one unique Ip address in the span of 30 minutes. This behavior could - represent an adversary who has stolen credentials via a phishing attack or some - other method and using them to access corporate online resources around the same - time as a legitimate user. As users may behave differently across organizations, - security teams should test and customize this detection to fit their environments. -data_source: +description: The following analytic detects an Azure AD account successfully authenticating + from multiple unique IP addresses within a 30-minute window. It leverages Azure + AD SignInLogs to identify instances where the same user logs in from different IPs + in a short time frame. This behavior is significant as it may indicate compromised + credentials being used by an adversary, potentially following a phishing attack. + If confirmed malicious, this activity could allow unauthorized access to corporate + resources, leading to data breaches or further exploitation within the network. +data_source: - Azure Active Directory search: ' `azure_monitor_aad` properties.authenticationDetails{}.succeeded=true category=SignInLogs - | rename properties.* as * - | bucket span=30m _time - | stats count min(_time) as firstTime max(_time) as lastTime dc(src_ip) AS unique_ips values(src_ip) as src_ip values(appDisplayName) as appDisplayName by user - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | where unique_ips > 1 - | `azure_ad_successful_authentication_from_different_ips_filter`' + | rename properties.* as * | bucket span=30m _time | stats count min(_time) as firstTime + max(_time) as lastTime dc(src_ip) AS unique_ips values(src_ip) as src_ip values(appDisplayName) + as appDisplayName by user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | where unique_ips > 1 | `azure_ad_successful_authentication_from_different_ips_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). - You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. - This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category. + You must be ingesting Azure Active Directory events into your Splunk environment + through an EventHub. This analytic was written to be used with the azure:monitor:aad + sourcetype leveraging the Signin log category. known_false_positives: A user with successful authentication events from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment. @@ -39,8 +38,8 @@ tags: asset_type: Azure Tenant confidence: 80 impact: 70 - message: User $user$ has had successful authentication events from - more than one unique IP address in the span of 30 minutes. + message: User $user$ has had successful authentication events from more than one + unique IP address in the span of 30 minutes. mitre_attack_id: - T1110 - T1110.001 @@ -71,7 +70,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/azure_ad_successful_authentication_from_different_ips/azuread.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/azure_ad_successful_authentication_from_different_ips/azuread.log source: Azure AD sourcetype: azure:monitor:aad update_timestamp: true diff --git a/detections/cloud/azure_ad_successful_powershell_authentication.yml b/detections/cloud/azure_ad_successful_powershell_authentication.yml index a75a4a2547..eeb37fcfc7 100644 --- a/detections/cloud/azure_ad_successful_powershell_authentication.yml +++ b/detections/cloud/azure_ad_successful_powershell_authentication.yml @@ -1,27 +1,30 @@ name: Azure AD Successful PowerShell Authentication id: 62f10052-d7b3-4e48-b57b-56f8e3ac7ceb -version: 2 -date: '2023-12-20' +version: 3 +date: '2024-05-24' author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk status: production type: TTP description: The following analytic identifies a successful authentication event against - an Azure AD tenant using PowerShell commandlets. This behavior is not common for - regular, non administrative users. After compromising an account in Azure AD, attackers - and red teams alike will perform enumeration and discovery techniques. One method - of executing these techniques is leveraging the native PowerShell modules. -data_source: + an Azure AD tenant using PowerShell cmdlets. This detection leverages Azure AD SignInLogs + to identify successful logins where the appDisplayName is "Microsoft Azure PowerShell." + This activity is significant because it is uncommon for regular, non-administrative + users to authenticate using PowerShell, and it may indicate enumeration and discovery + techniques by an attacker. If confirmed malicious, this activity could allow attackers + to perform extensive reconnaissance, potentially leading to privilege escalation + or further exploitation within the Azure environment. +data_source: - Azure Active Directory -search: ' `azure_monitor_aad` category=SignInLogs properties.authenticationDetails{}.succeeded=true properties.appDisplayName="Microsoft Azure PowerShell" - | rename properties.* as * - | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip, appDisplayName, user_agent - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `azure_ad_successful_powershell_authentication_filter`' +search: ' `azure_monitor_aad` category=SignInLogs properties.authenticationDetails{}.succeeded=true + properties.appDisplayName="Microsoft Azure PowerShell" | rename properties.* as + * | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user + by src_ip, appDisplayName, user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `azure_ad_successful_powershell_authentication_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). - You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. - This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category. + You must be ingesting Azure Active Directory events into your Splunk environment + through an EventHub. This analytic was written to be used with the azure:monitor:aad + sourcetype leveraging the Signin log category. known_false_positives: Administrative users will likely use PowerShell commandlets to troubleshoot and maintain the environment. Filter as needed. references: @@ -35,8 +38,7 @@ tags: asset_type: Azure Active Directory confidence: 90 impact: 60 - message: Successful authentication for user $user$ - using PowerShell. + message: Successful authentication for user $user$ using PowerShell. mitre_attack_id: - T1586 - T1586.003 @@ -68,7 +70,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/azuread_pws/azure-audit.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/azuread_pws/azure-audit.log source: Azure AD sourcetype: azure:monitor:aad update_timestamp: true diff --git a/detections/cloud/azure_ad_successful_single_factor_authentication.yml b/detections/cloud/azure_ad_successful_single_factor_authentication.yml index 6d1503c136..dd84988f4c 100644 --- a/detections/cloud/azure_ad_successful_single_factor_authentication.yml +++ b/detections/cloud/azure_ad_successful_single_factor_authentication.yml @@ -1,24 +1,28 @@ name: Azure AD Successful Single-Factor Authentication id: a560e7f6-1711-4353-885b-40be53101fcd -version: 2 -date: '2023-12-20' +version: 3 +date: '2024-05-23' author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk status: production type: TTP -description: The following analytic identifies a successful authentication event against - Azure Active Directory for an account without Multi-Factor Authentication enabled. - This could be evidence of a missconfiguration, a policy violation or an account - take over attempt that should be investigated -data_source: +description: The following analytic identifies a successful single-factor authentication + event against Azure Active Directory. It leverages Azure SignInLogs data, specifically + focusing on events where single-factor authentication succeeded. This activity is + significant as it may indicate a misconfiguration, policy violation, or potential + account takeover attempt. If confirmed malicious, an attacker could gain unauthorized + access to the account, potentially leading to data breaches, privilege escalation, + or further exploitation within the environment. +data_source: - Azure Active Directory -search: ' `azure_monitor_aad` category=SignInLogs properties.authenticationRequirement=singleFactorAuthentication properties.authenticationDetails{}.succeeded=true - | rename properties.* as * - | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip, appDisplayName, authenticationRequirement - | `azure_ad_successful_single_factor_authentication_filter`' +search: ' `azure_monitor_aad` category=SignInLogs properties.authenticationRequirement=singleFactorAuthentication + properties.authenticationDetails{}.succeeded=true | rename properties.* as * | stats + count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip, + appDisplayName, authenticationRequirement | `azure_ad_successful_single_factor_authentication_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). - You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. - This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category. + You must be ingesting Azure Active Directory events into your Splunk environment + through an EventHub. This analytic was written to be used with the azure:monitor:aad + sourcetype leveraging the Signin log category. known_false_positives: Although not recommended, certain users may be required without multi-factor authentication. Filter as needed references: @@ -31,8 +35,7 @@ tags: asset_type: Azure Active Directory confidence: 90 impact: 50 - message: Successful authentication for user $user$ - without MFA + message: Successful authentication for user $user$ without MFA mitre_attack_id: - T1586 - T1586.003 @@ -64,7 +67,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/azuread/azure-audit.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/azuread/azure-audit.log source: Azure AD sourcetype: azure:monitor:aad update_timestamp: true diff --git a/detections/cloud/azure_ad_tenant_wide_admin_consent_granted.yml b/detections/cloud/azure_ad_tenant_wide_admin_consent_granted.yml index 6d6cf40cf0..e84950d54b 100644 --- a/detections/cloud/azure_ad_tenant_wide_admin_consent_granted.yml +++ b/detections/cloud/azure_ad_tenant_wide_admin_consent_granted.yml @@ -1,34 +1,43 @@ name: Azure AD Tenant Wide Admin Consent Granted id: dc02c0ee-6ac0-4c7f-87ba-8ce43a4e4418 -version: 2 -date: '2023-09-14' +version: 3 +date: '2024-05-23' author: Mauricio Velazco, Splunk status: production type: TTP -data_source: +data_source: - Azure Active Directory Consent to application -description: The following analytic identifies instances where admin consent is granted to an application within an Azure AD tenant. It leverages Azure AD audit logs, specifically events related to the admin consent action within the ApplicationManagement category. The admin consent action allows applications to access data across the entire tenant, potentially encompassing a vast amount of organizational data. Given its broad scope and the sensitivity of some permissions that can only be granted via admin consent, it's crucial to monitor this action. Unauthorized or inadvertent granting of admin consent can lead to significant security risks, including data breaches, unauthorized data access, and potential compliance violations. If an attacker successfully tricks an administrator into granting admin consent to a malicious or compromised application, they can gain extensive and persistent access to organizational data. This can lead to data exfiltration, espionage, further malicious activities within the tenant, and potential breaches of compliance regulations -search: >- - `azure_monitor_aad` operationName="Consent to application" - | eval new_field=mvindex('properties.targetResources{}.modifiedProperties{}.newValue', 4) - | rename properties.* as * - | rex field=new_field "ConsentType: (?[^\,]+)" - | rex field=new_field "Scope: (?[^\,]+)" - | search ConsentType = "AllPrincipals" - | stats count min(_time) as firstTime max(_time) as lastTime by operationName, user, targetResources{}.displayName, targetResources{}.id, ConsentType, Scope - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `azure_ad_tenant_wide_admin_consent_granted_filter` +description: The following analytic identifies instances where admin consent is granted + to an application within an Azure AD tenant. It leverages Azure AD audit logs, specifically + events related to the admin consent action within the ApplicationManagement category. + This activity is significant because admin consent allows applications to access + data across the entire tenant, potentially exposing vast amounts of organizational + data. If confirmed malicious, an attacker could gain extensive and persistent access + to sensitive data, leading to data exfiltration, espionage, further malicious activities, + and potential compliance violations. +search: >- + `azure_monitor_aad` operationName="Consent to application" + | eval new_field=mvindex('properties.targetResources{}.modifiedProperties{}.newValue', + 4) + | rename properties.* as * | rex field=new_field "ConsentType: (?[^\,]+)" + | rex field=new_field "Scope: (?[^\,]+)" | search ConsentType = "AllPrincipals" | + stats count min(_time) as firstTime max(_time) as lastTime by operationName, user, + targetResources{}.displayName, targetResources{}.id, ConsentType, Scope + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `azure_ad_tenant_wide_admin_consent_granted_filter` how_to_implement: You must install the latest version of Splunk Add-on for Microsoft - Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. - This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Auditlogs log category. -known_false_positives: Legitimate applications may be granted tenant wide consent, filter as needed. + Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). + You must be ingesting Azure Active Directory events into your Splunk environment + through an EventHub. This analytic was written to be used with the azure:monitor:aad + sourcetype leveraging the Auditlogs log category. +known_false_positives: Legitimate applications may be granted tenant wide consent, + filter as needed. references: - https://attack.mitre.org/techniques/T1098/003/ - https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452 - https://learn.microsoft.com/en-us/security/operations/incident-response-playbook-app-consent - https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent?pivots=portal -- https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501-2/ +- https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501-2/ tags: analytic_story: - Azure Active Directory Persistence @@ -61,6 +70,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_admin_consent/azure_ad_admin_consent.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_admin_consent/azure_ad_admin_consent.log source: Azure AD - sourcetype: azure:monitor:aad \ No newline at end of file + sourcetype: azure:monitor:aad diff --git a/detections/cloud/azure_ad_unusual_number_of_failed_authentications_from_ip.yml b/detections/cloud/azure_ad_unusual_number_of_failed_authentications_from_ip.yml index a77d3c7e5d..c6061000f6 100644 --- a/detections/cloud/azure_ad_unusual_number_of_failed_authentications_from_ip.yml +++ b/detections/cloud/azure_ad_unusual_number_of_failed_authentications_from_ip.yml @@ -1,40 +1,32 @@ name: Azure AD Unusual Number of Failed Authentications From Ip id: 3d8d3a36-93b8-42d7-8d91-c5f24cec223d -version: 2 -date: '2022-07-11' +version: 3 +date: '2024-05-15' author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk status: production type: Anomaly -description: 'The following analytic identifies one source Ip failing to authenticate - with multiple valid users. This behavior could represent an adversary performing - a Password Spraying attack against an Azure Active Directory tenant to obtain initial - access or elevate privileges. Error Code 50126 represents an invalid password. - - The detection calculates the standard deviation for source Ip and leverages the - 3-sigma statistical rule to identify an unusual number of failed authentication - attempts. To customize this analytic, users can try different combinations of the - `bucket` span time and the calculation of the `upperBound` field. This logic can - be used for real time security monitoring as well as threat hunting exercises. - - While looking for anomalies using statistical methods like the standard deviation - can have benefits, we also recommend using threshold-based detections to complement - coverage. A similar analytic following the threshold model is `Azure AD Multiple - Users Failing To Authenticate From Ip`.' -data_source: +description: 'The following analytic identifies a single source IP failing to authenticate + with multiple valid users, potentially indicating a Password Spraying attack against + an Azure Active Directory tenant. It uses Azure SignInLogs data and calculates the + standard deviation for source IPs, applying the 3-sigma rule to detect unusual numbers + of failed authentication attempts. This activity is significant as it may signal + an adversary attempting to gain initial access or elevate privileges. If confirmed + malicious, this could lead to unauthorized access, privilege escalation, and potential + compromise of sensitive information.' +data_source: - Azure Active Directory -search: ' `azure_monitor_aad` category=SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false - | rename properties.* as * - | bucket span=5m _time - | stats dc(userPrincipalName) AS unique_accounts values(userPrincipalName) as userPrincipalName by _time, ipAddress - | eventstats avg(unique_accounts) as ip_avg, stdev(unique_accounts) as ip_std by ipAddress - | eval upperBound=(ip_avg+ip_std*3) +search: ' `azure_monitor_aad` category=SignInLogs properties.status.errorCode=50126 + properties.authenticationDetails{}.succeeded=false | rename properties.* as * | + bucket span=5m _time | stats dc(userPrincipalName) AS unique_accounts values(userPrincipalName) + as userPrincipalName by _time, ipAddress | eventstats avg(unique_accounts) as ip_avg, + stdev(unique_accounts) as ip_std by ipAddress | eval upperBound=(ip_avg+ip_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1,0) - | where isOutlier = 1 - | `azure_ad_unusual_number_of_failed_authentications_from_ip_filter`' + | where isOutlier = 1 | `azure_ad_unusual_number_of_failed_authentications_from_ip_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). - You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. - This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category. + You must be ingesting Azure Active Directory events into your Splunk environment + through an EventHub. This analytic was written to be used with the azure:monitor:aad + sourcetype leveraging the Signin log category. known_false_positives: A source Ip failing to authenticate with multiple users is not a common for legitimate behavior. references: @@ -80,7 +72,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/password_spraying_azuread/azuread_signin.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/password_spraying_azuread/azuread_signin.log source: Azure AD sourcetype: azure:monitor:aad update_timestamp: true diff --git a/detections/cloud/azure_ad_user_consent_blocked_for_risky_application.yml b/detections/cloud/azure_ad_user_consent_blocked_for_risky_application.yml index f46f25c060..188c0831f2 100644 --- a/detections/cloud/azure_ad_user_consent_blocked_for_risky_application.yml +++ b/detections/cloud/azure_ad_user_consent_blocked_for_risky_application.yml @@ -1,30 +1,43 @@ name: Azure AD User Consent Blocked for Risky Application id: 06b8ec9a-d3b5-4882-8f16-04b4d10f5eab -version: 1 -date: '2023-10-27' +version: 2 +date: '2024-05-30' author: Mauricio Velazco, Splunk status: production type: TTP -data_source: +data_source: - Azure Active Directory Consent to application -description: The following analytic identifies instances where Azure AD has blocked a user's attempt to grant consent to an application deemed risky or potentially malicious. This suggests that the application has exhibited behaviors or characteristics that are commonly associated with malicious intent or poses a security risk. This detection leverages the Azure AD audit logs, specifically focusing on events related to user consent actions and system-driven blocks. By filtering for blocked consent actions associated with applications, the analytic highlights instances where Azure's built-in security measures have intervened. Applications that are flagged and blocked by Azure typically exhibit suspicious characteristics or behaviors. Monitoring for these blocked consent attempts helps security teams identify potential threats early on and can provide insights into users who might be targeted or susceptible to such risky applications. It's an essential layer of defense in ensuring that malicious or risky applications don't gain access to organizational data. If the detection is a true positive, it indicates that the built-in security measures of O365 successfully prevented a potentially harmful application from gaining access. However, the attempt itself suggests that either a user might be targeted or that there's a presence of malicious applications trying to infiltrate the organization. Immediate investigation is required to understand the context of the block and to take further preventive measures. +description: The following analytic detects instances where Azure AD has blocked a + user's attempt to grant consent to a risky or potentially malicious application. + This detection leverages Azure AD audit logs, focusing on user consent actions and + system-driven blocks. Monitoring these blocked consent attempts is crucial as it + highlights potential threats early on, indicating that a user might be targeted + or that malicious applications are attempting to infiltrate the organization. If + confirmed malicious, this activity suggests that Azure's security measures successfully + prevented a harmful application from accessing organizational data, warranting immediate + investigation to understand the context and take preventive measures. search: >- `azure_monitor_aad` operationName="Consent to application" properties.result=failure - | rename properties.* as * - | eval reason_index = if(mvfind('targetResources{}.modifiedProperties{}.displayName', "ConsentAction.Reason") >= 0, mvfind('targetResources{}.modifiedProperties{}.displayName', "ConsentAction.Reason"), -1) - | eval permissions_index = if(mvfind('targetResources{}.modifiedProperties{}.displayName', "ConsentAction.Permissions") >= 0, mvfind('targetResources{}.modifiedProperties{}.displayName', "ConsentAction.Permissions"), -1) - | search reason_index >= 0 - | eval reason = mvindex('targetResources{}.modifiedProperties{}.newValue',reason_index) + | rename properties.* as * | eval reason_index = if(mvfind('targetResources{}.modifiedProperties{}.displayName', + "ConsentAction.Reason") >= 0, mvfind('targetResources{}.modifiedProperties{}.displayName', + "ConsentAction.Reason"), -1) + | eval permissions_index = if(mvfind('targetResources{}.modifiedProperties{}.displayName', + "ConsentAction.Permissions") >= 0, mvfind('targetResources{}.modifiedProperties{}.displayName', + "ConsentAction.Permissions"), -1) + | search reason_index >= 0 | eval reason = mvindex('targetResources{}.modifiedProperties{}.newValue',reason_index) | eval permissions = mvindex('targetResources{}.modifiedProperties{}.newValue',permissions_index) | search reason = "\"Risky application detected\"" | rex field=permissions "Scope: (?[^,]+)" - | stats count min(_time) as firstTime max(_time) as lastTime by operationName, user, reason, Scope + | stats count min(_time) as firstTime max(_time) as lastTime by operationName, user, + reason, Scope | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_user_consent_blocked_for_risky_application_filter` how_to_implement: You must install the latest version of Splunk Add-on for Microsoft - Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. - This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. + Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). + You must be ingesting Azure Active Directory events into your Splunk environment + through an EventHub. This analytic was written to be used with the azure:monitor:aad + sourcetype leveraging the AuditLog log category. known_false_positives: UPDATE_KNOWN_FALSE_POSITIVES references: - https://attack.mitre.org/techniques/T1528/ @@ -39,7 +52,8 @@ tags: asset_type: Azure Tenant confidence: 100 impact: 30 - message: Azure AD has blocked $user$ attempt to grant to consent to an application deemed risky. + message: Azure AD has blocked $user$ attempt to grant to consent to an application + deemed risky. mitre_attack_id: - T1528 observable: @@ -62,6 +76,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1528/azure_ad_user_consent_blocked/azure_ad_user_consent_blocked.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1528/azure_ad_user_consent_blocked/azure_ad_user_consent_blocked.log source: Azure AD - sourcetype: azure:monitor:aad \ No newline at end of file + sourcetype: azure:monitor:aad diff --git a/detections/cloud/azure_ad_user_consent_denied_for_oauth_application.yml b/detections/cloud/azure_ad_user_consent_denied_for_oauth_application.yml index b44f1eabcd..3d0fd1b1a6 100644 --- a/detections/cloud/azure_ad_user_consent_denied_for_oauth_application.yml +++ b/detections/cloud/azure_ad_user_consent_denied_for_oauth_application.yml @@ -1,23 +1,32 @@ name: Azure AD User Consent Denied for OAuth Application id: bb093c30-d860-4858-a56e-cd0895d5b49c -version: 2 -date: '2023-12-20' +version: 3 +date: '2024-05-18' author: Mauricio Velazco, Splunk status: production type: TTP -data_source: +data_source: - Azure Active Directory Sign-in activity -description: The following analytic identifies instances where a user has actively denied consent to an OAuth application seeking permissions within the Azure AD environment. This suggests that the user either recognized something suspicious about the application or chose not to grant it the requested permissions for other reasons. This detection leverages the Azure AD's audit logs, specifically focusing on events related to user consent actions. By filtering for denied consent actions associated with OAuth applications, the analytic captures instances where users have actively rejected permission requests. While user-denied consents can be routine, they can also be indicative of users spotting potentially suspicious or unfamiliar applications. By monitoring these denied consent attempts, security teams can gain insights into applications that might be perceived as risky or untrusted by users. It can also serve as a feedback loop for security awareness training, indicating that users are being cautious about granting permissions. If the detection is a true positive, it indicates that a user has actively prevented an OAuth application from gaining the permissions it requested. While this is a proactive security measure on the user's part, it's essential for security teams to review the context of the denial. Understanding why certain applications are being denied can help in refining application whitelisting policies and ensuring that no malicious applications are attempting to gain access. +description: The following analytic identifies instances where a user has denied consent + to an OAuth application seeking permissions within the Azure AD environment. This + detection leverages Azure AD's audit logs, specifically focusing on user consent + actions with error code 65004. Monitoring denied consent actions is significant + as it can indicate users recognizing potentially suspicious or untrusted applications. + If confirmed malicious, this activity could suggest attempts by unauthorized applications + to gain access, potentially leading to data breaches or unauthorized actions within + the environment. Understanding these denials helps refine security policies and + enhance user awareness. search: ' `azure_monitor_aad` operationName="Sign-in activity" properties.status.errorCode=65004 - | rename properties.* as * - | stats count min(_time) as firstTime max(_time) as lastTime by operationName, user, appDisplayName, status.failureReason - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `azure_ad_user_consent_denied_for_oauth_application_filter`' + | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime + by operationName, user, appDisplayName, status.failureReason | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `azure_ad_user_consent_denied_for_oauth_application_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft - Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. - This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category. -known_false_positives: Users may deny consent for legitimate applications by mistake, filter as needed. + Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). + You must be ingesting Azure Active Directory events into your Splunk environment + through an EventHub. This analytic was written to be used with the azure:monitor:aad + sourcetype leveraging the SignInLogs log category. +known_false_positives: Users may deny consent for legitimate applications by mistake, + filter as needed. references: - https://attack.mitre.org/techniques/T1528/ - https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/ @@ -55,6 +64,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1528/azure_ad_user_consent_declined/azure_ad_user_consent_declined.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1528/azure_ad_user_consent_declined/azure_ad_user_consent_declined.log source: Azure AD sourcetype: azure:monitor:aad diff --git a/detections/cloud/azure_ad_user_enabled_and_password_reset.yml b/detections/cloud/azure_ad_user_enabled_and_password_reset.yml index f65d4d1ba1..d5914a8161 100644 --- a/detections/cloud/azure_ad_user_enabled_and_password_reset.yml +++ b/detections/cloud/azure_ad_user_enabled_and_password_reset.yml @@ -1,30 +1,33 @@ name: Azure AD User Enabled And Password Reset id: 1347b9e8-2daa-4a6f-be73-b421d3d9e268 -version: 2 -date: '2023-12-20' +version: 3 +date: '2024-05-26' author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk status: production type: TTP -description: The following analytic identifies an Azure AD user enabling a previously - disabled account and resetting its password within 2 minutes. This behavior could - represent an adversary who has obtained administrative access and is trying to establish - a backdoor identity within an Azure AD tenant. -data_source: +description: The following analytic detects an Azure AD user enabling a previously + disabled account and resetting its password within 2 minutes. It uses Azure Active + Directory events to identify this sequence of actions. This activity is significant + because it may indicate an adversary with administrative access attempting to establish + a backdoor identity within the Azure AD tenant. If confirmed malicious, this could + allow the attacker to maintain persistent access, escalate privileges, and potentially + exfiltrate sensitive information from the environment. +data_source: - Azure Active Directory Enable account - Azure Active Directory Reset password (by admin) - Azure Active Directory Update user -search: ' `azure_monitor_aad` (operationName="Enable account" OR operationName="Reset password (by admin)" OR operationName="Update user") - | transaction user startsWith=(operationName="Enable account") endsWith=(operationName="Reset password (by admin)") maxspan=2m - | rename properties.* as * - | rename initiatedBy.user.userPrincipalName as initiatedBy - | stats count min(_time) as firstTime max(_time) as lastTime values(operationName) as operationName values(initiatedBy) as initiatedBy by user, result - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `azure_ad_user_enabled_and_password_reset_filter`' +search: ' `azure_monitor_aad` (operationName="Enable account" OR operationName="Reset + password (by admin)" OR operationName="Update user") | transaction user startsWith=(operationName="Enable + account") endsWith=(operationName="Reset password (by admin)") maxspan=2m | rename + properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | stats + count min(_time) as firstTime max(_time) as lastTime values(operationName) as operationName + values(initiatedBy) as initiatedBy by user, result | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `azure_ad_user_enabled_and_password_reset_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. - This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. + This analytic was written to be used with the azure:monitor:aad sourcetype leveraging + the AuditLog log category. known_false_positives: While not common, Administrators may enable accounts and reset their passwords for legitimate reasons. Filter as needed. references: @@ -35,8 +38,8 @@ tags: asset_type: Azure Active Directory confidence: 90 impact: 50 - message: A user account, $user$, was enabled and its password reset within - 2 minutes by $initiatedBy$ + message: A user account, $user$, was enabled and its password reset within 2 minutes + by $initiatedBy$ mitre_attack_id: - T1098 observable: @@ -63,7 +66,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/azure_ad_enable_and_reset/azure-audit.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/azure_ad_enable_and_reset/azure-audit.log source: Azure AD sourcetype: azure:monitor:aad update_timestamp: true diff --git a/detections/cloud/azure_ad_user_immutableid_attribute_updated.yml b/detections/cloud/azure_ad_user_immutableid_attribute_updated.yml index 8360d6ebf9..4d389d1b08 100644 --- a/detections/cloud/azure_ad_user_immutableid_attribute_updated.yml +++ b/detections/cloud/azure_ad_user_immutableid_attribute_updated.yml @@ -1,38 +1,32 @@ name: Azure AD User ImmutableId Attribute Updated id: 0c0badad-4536-4a84-a561-5ff760f3c00e -version: 1 -date: '2022-09-02' +version: 2 +date: '2024-05-24' author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk status: production type: TTP description: The following analytic identifies the modification of the SourceAnchor - (also called ImmutableId) attribute for an Azure Active Directory user. Updating - this attribute is a step required to set up the Azure Active Directory identity - federation backdoor technique discovered by security researcher Nestori Syynimaa. - Similar to Active Directory, Azure AD uses the concept of domains to manage directories - of identities. A new Azure AD tenant will initially contain a single domain that - is commonly called the `cloud-only` onmicrosoft.com domain. Organizations can also - add their registered custom domains to Azure AD for email addresses to match the - organizations domain name. If the organization intends to use a third-party identity - provider such as ADFS for authentication, the added custom domains can be configured - as federated. An adversary who has obtained privileged access to an Azure AD tenant - may leverage this technique to establish persistence and be able to authenticate - to Azure AD impersonating any user and bypassing the requirement to have a valid - password and/or perform MFA. -data_source: + (ImmutableId) attribute for an Azure Active Directory user. This detection leverages + Azure AD audit logs, specifically monitoring the "Update user" operation and changes + to the SourceAnchor attribute. This activity is significant as it is a step in setting + up an Azure AD identity federation backdoor, allowing an adversary to establish + persistence. If confirmed malicious, the attacker could impersonate any user, bypassing + password and MFA requirements, leading to unauthorized access and potential data + breaches. +data_source: - Azure Active Directory Update user search: ' `azure_monitor_aad` operationName="Update user" properties.targetResources{}.modifiedProperties{}.displayName=SourceAnchor - | rename properties.* as * - | rename initiatedBy.user.userPrincipalName as initiatedBy - | rename targetResources{}.modifiedProperties{}.newValue as modifiedProperties - | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user values(modifiedProperties) as modifiedProperties by initiatedBy, src_ip, result, operationName - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` + | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy + | rename targetResources{}.modifiedProperties{}.newValue as modifiedProperties | + stats count min(_time) as firstTime max(_time) as lastTime values(user) as user + values(modifiedProperties) as modifiedProperties by initiatedBy, src_ip, result, + operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_user_immutableid_attribute_updated_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. - This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. + This analytic was written to be used with the azure:monitor:aad sourcetype leveraging + the AuditLog log category. known_false_positives: The SourceAnchor (also called ImmutableId) Azure AD attribute has legitimate uses for directory synchronization. Investigate and filter as needed. references: @@ -72,7 +66,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/azure_ad_set_immutableid/azure-audit.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/azure_ad_set_immutableid/azure-audit.log source: Azure AD sourcetype: azure:monitor:aad update_timestamp: true diff --git a/detections/cloud/azure_automation_account_created.yml b/detections/cloud/azure_automation_account_created.yml index 432c15f41c..af5fb1430f 100644 --- a/detections/cloud/azure_automation_account_created.yml +++ b/detections/cloud/azure_automation_account_created.yml @@ -1,32 +1,25 @@ name: Azure Automation Account Created id: 860902fd-2e76-46b3-b050-ba548dab576c -version: 2 -date: '2023-12-20' +version: 3 +date: '2024-05-24' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic identifies the creation of a new Azure Automation - account within an Azure tenant. Azure Automation is a cloud-based automation platform - that allows administrators to automate Azure management tasks and orchestrate actions - across external systems within Azure using PowerShell and Python. Azure Automation - can also be configured to automate tasks on on premise infrastructure using a component - called a Hybrid Runbook Worker. Automation accounts serve as a container to isolate - Automation resources, runbooks, assets, and configurations from the resources of - other accounts. They allow administrators to separate resources into logical environments - or delegated responsibilities. Adversaries or red teams who have obtained privileged - access to an Azure tenant may create an Azure Automation account with elevated privileges - to maintain persistence in the Azure tenant. A malicious Automation Runbook can - be created to create Global Administrators in Azure AD, execute code on VMs, etc. -data_source: +description: The following analytic detects the creation of a new Azure Automation + account within an Azure tenant. It leverages Azure Audit events, specifically the + Azure Activity log category, to identify when an account is created or updated. + This activity is significant because Azure Automation accounts can be used to automate + tasks and orchestrate actions across Azure and on-premise environments. If an attacker + creates an Automation account with elevated privileges, they could maintain persistence, + execute malicious runbooks, and potentially escalate privileges or execute code + on virtual machines, posing a significant security risk. +data_source: - Azure Audit Create or Update an Azure Automation account -search: ' `azure_audit` operationName.localizedValue="Create or Update an Azure Automation account" status.value=Succeeded - | dedup object - | rename claims.ipaddr as src_ip - | rename caller as user - | stats count min(_time) as firstTime max(_time) as lastTime values(object) as object by user, src_ip, resourceGroupName, object_path - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `azure_automation_account_created_filter`' +search: ' `azure_audit` operationName.localizedValue="Create or Update an Azure Automation + account" status.value=Succeeded | dedup object | rename claims.ipaddr as src_ip + | rename caller as user | stats count min(_time) as firstTime max(_time) as lastTime + values(object) as object by user, src_ip, resourceGroupName, object_path | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `azure_automation_account_created_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Audit events into your Splunk environment. Specifically, @@ -74,7 +67,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/azure_automation_account/azure-activity.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/azure_automation_account/azure-activity.log source: mscs:azure:audit sourcetype: mscs:azure:audit update_timestamp: true diff --git a/detections/cloud/azure_automation_runbook_created.yml b/detections/cloud/azure_automation_runbook_created.yml index 6a6c3e6666..3c1cfeb265 100644 --- a/detections/cloud/azure_automation_runbook_created.yml +++ b/detections/cloud/azure_automation_runbook_created.yml @@ -1,29 +1,25 @@ name: Azure Automation Runbook Created id: 178d696d-6dc6-4ee8-9d25-93fee34eaf5b -version: 2 -date: '2023-11-07' +version: 3 +date: '2024-05-11' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic identifies the creation of a new Azure Automation - Runbook within an Azure tenant. Azure Automation is a cloud-based automation platform - that allows administrators to automate Azure management tasks and orchestrate actions - across external systems within Azure. Azure Automation script files called Runbooks - that can be written in PowerShell or Python. Adversaries or red teams who have obtained - privileged access to an Azure tenant may create an Azure Automation Runbook that - runs with elevated privileges to maintain persistence in the Azure tenant. A malicious - Automation Runbook can be created to create Global Administrators in Azure AD, execute - code on VMs, etc. -data_source: +description: The following analytic detects the creation of a new Azure Automation + Runbook within an Azure tenant. It leverages Azure Audit events, specifically the + Azure Activity log category, to identify when a new Runbook is created or updated. + This activity is significant because adversaries with privileged access can use + Runbooks to maintain persistence, escalate privileges, or execute malicious code. + If confirmed malicious, this could lead to unauthorized actions such as creating + Global Administrators, executing code on VMs, and compromising the entire Azure + environment. +data_source: - Azure Audit Create or Update an Azure Automation Runbook -search: ' `azure_audit` operationName.localizedValue="Create or Update an Azure Automation Runbook" object!=AzureAutomationTutorial* status.value=Succeeded - | dedup object - | rename claims.ipaddr as src_ip - | rename caller as user - | stats count min(_time) as firstTime max(_time) as lastTime by object user, src_ip, resourceGroupName, object_path - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `azure_automation_runbook_created_filter`' +search: ' `azure_audit` operationName.localizedValue="Create or Update an Azure Automation + Runbook" object!=AzureAutomationTutorial* status.value=Succeeded | dedup object + | rename claims.ipaddr as src_ip | rename caller as user | stats count min(_time) + as firstTime max(_time) as lastTime by object user, src_ip, resourceGroupName, object_path + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_automation_runbook_created_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Audit events into your Splunk environment. Specifically, @@ -71,7 +67,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/azure_automation_runbook/azure-activity.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/azure_automation_runbook/azure-activity.log source: mscs:azure:audit sourcetype: mscs:azure:audit update_timestamp: true diff --git a/detections/cloud/azure_runbook_webhook_created.yml b/detections/cloud/azure_runbook_webhook_created.yml index 20a73cbeae..28fc9c5694 100644 --- a/detections/cloud/azure_runbook_webhook_created.yml +++ b/detections/cloud/azure_runbook_webhook_created.yml @@ -1,30 +1,25 @@ name: Azure Runbook Webhook Created id: e98944a9-92e4-443c-81b8-a322e33ce75a -version: 3 -date: '2023-12-20' +version: 4 +date: '2024-05-23' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic identifies the creation of a new Automation Runbook - Webhook within an Azure tenant. Azure Automation is a cloud-based automation platform - that allows administrators to automate Azure management tasks and orchestrate actions - across external systems within Azure. Azure Automation script files called Runbooks - that can be written in PowerShell or Python. One of the ways administrators can - configure a Runbook to be executed is through HTTP Webhooks. Webhooks leverage custom - unauthenticated URLs that are exposed to the Internet. An adversary who has obtained - privileged access to an Azure tenant may create a Webhook to trigger the execution - of an Automation Runbook with malicious code that can create users or execute code - on a VM. This provides a persistent foothold on the environment. -data_source: +description: The following analytic detects the creation of a new Automation Runbook + Webhook within an Azure tenant. It leverages Azure Audit events, specifically the + "Create or Update an Azure Automation webhook" operation, to identify this activity. + This behavior is significant because Webhooks can trigger Automation Runbooks via + unauthenticated URLs exposed to the Internet, posing a security risk. If confirmed + malicious, an attacker could use this to execute code, create users, or maintain + persistence within the environment, potentially leading to unauthorized access and + control over Azure resources. +data_source: - Azure Audit Create or Update an Azure Automation webhook -search: ' `azure_audit` operationName.localizedValue="Create or Update an Azure Automation webhook" status.value=Succeeded - | dedup object - | rename claims.ipaddr as src_ip - | rename caller as user - | stats count min(_time) as firstTime max(_time) as lastTime by object user, src_ip, resourceGroupName, object_path - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `azure_runbook_webhook_created_filter`' +search: ' `azure_audit` operationName.localizedValue="Create or Update an Azure Automation + webhook" status.value=Succeeded | dedup object | rename claims.ipaddr as src_ip + | rename caller as user | stats count min(_time) as firstTime max(_time) as lastTime + by object user, src_ip, resourceGroupName, object_path | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `azure_runbook_webhook_created_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Audit events into your Splunk environment. Specifically, @@ -72,7 +67,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/azure_runbook_webhook/azure-activity.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/azure_runbook_webhook/azure-activity.log source: mscs:azure:audit sourcetype: mscs:azure:audit update_timestamp: true diff --git a/detections/cloud/circle_ci_disable_security_job.yml b/detections/cloud/circle_ci_disable_security_job.yml index 9b36b3f296..455ff6f326 100644 --- a/detections/cloud/circle_ci_disable_security_job.yml +++ b/detections/cloud/circle_ci_disable_security_job.yml @@ -1,13 +1,13 @@ name: Circle CI Disable Security Job id: 4a2fdd41-c578-4cd4-9ef7-980e352517f2 -version: 1 -date: '2021-09-02' +version: 2 +date: '2024-05-20' author: Patrick Bareiss, Splunk status: production type: Anomaly description: |- - This analytic searches for a specific behavior in CircleCI pipelines such as the disabling of security jobs. The detection is made by using a Splunk query that renames certain fields and retrieves values for specified job names, workflow IDs and names, user information, commit messages, URLs, and branches. Then, the query identifies mandatory jobs for each workflow and searches for instances where they were run. The search also identifies the phase of the pipeline as "build" and extracts the repository name from the URL using regular expressions. The detection is important because it detects attempts to bypass security measures in CircleCI pipelines, which can potentially lead to malicious code being introduced into the pipeline, data breaches, system downtime, and reputational damage. False positives might occur since legitimate use cases can require the disabling of security jobs. However, you can proactively monitor and identify any suspicious activity in the pipeline using this analytic and mitigate potential threats through early detection. -data_source: + The following analytic detects the disabling of security jobs in CircleCI pipelines. It leverages CircleCI log data, renaming and extracting fields such as job names, workflow IDs, user information, commit messages, URLs, and branches. The detection identifies mandatory jobs for each workflow and checks if they were executed. This activity is significant because disabling security jobs can allow malicious code to bypass security checks, leading to potential data breaches, system downtime, and reputational damage. If confirmed malicious, this could result in unauthorized code execution and compromised pipeline integrity. +data_source: - CircleCI search: '`circleci` | rename vcs.committer_name as user vcs.subject as commit_message vcs.url as url workflows.* as * | stats values(job_name) as job_names by workflow_id @@ -25,7 +25,8 @@ tags: asset_type: CircleCI confidence: 90 impact: 80 - message: Disable security job $mandatory_job$ in workflow $workflow_name$ from user $user$ + message: Disable security job $mandatory_job$ in workflow $workflow_name$ from user + $user$ mitre_attack_id: - T1554 observable: @@ -44,6 +45,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1554/circle_ci_disable_security_job/circle_ci_disable_security_job.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1554/circle_ci_disable_security_job/circle_ci_disable_security_job.json sourcetype: circleci source: circleci diff --git a/detections/cloud/circle_ci_disable_security_step.yml b/detections/cloud/circle_ci_disable_security_step.yml index 672ab05dac..4c7c333edd 100644 --- a/detections/cloud/circle_ci_disable_security_step.yml +++ b/detections/cloud/circle_ci_disable_security_step.yml @@ -1,13 +1,13 @@ name: Circle CI Disable Security Step id: 72cb9de9-e98b-4ac9-80b2-5331bba6ea97 -version: 1 -date: '2021-09-01' +version: 2 +date: '2024-05-25' author: Patrick Bareiss, Splunk status: experimental type: Anomaly description: |- - The following analytic detects the disablement of security steps in a CircleCI pipeline. Addressing instances of security step disablement in CircleCI pipelines can mitigate the risks associated with potential security vulnerabilities and unauthorized changes. A proactive approach helps protect the organization's infrastructure, data, and overall security posture. The detection is made by a Splunk query that searches for specific criteria within CircleCI logs through a combination of field renaming, joining, and statistical analysis to identify instances where security steps are disabled. It retrieves information such as job IDs, job names, commit details, and user information from the CircleCI logs. The detection is important because it indicates potential security vulnerabilities or unauthorized changes to the pipeline caused by someone within the organization intentionally or unintentionally disabling security steps in the CircleCI pipeline.Disabling security steps can leave the pipeline and the associated infrastructure exposed to potential attacks, data breaches, or the introduction of malicious code into the pipeline. Investigate by reviewing the job name, commit details, and user information associated with the disablement of security steps. You must also examine any relevant on-disk artifacts and identify concurrent processes that might indicate the source of the attack or unauthorized change. -data_source: + The following analytic detects the disablement of security steps in a CircleCI pipeline. It leverages CircleCI logs, using field renaming, joining, and statistical analysis to identify instances where mandatory security steps are not executed. This activity is significant because disabling security steps can introduce vulnerabilities, unauthorized changes, or malicious code into the pipeline. If confirmed malicious, this could lead to potential attacks, data breaches, or compromised infrastructure. Investigate by reviewing job names, commit details, and user information associated with the disablement, and examine any relevant artifacts and concurrent processes. +data_source: - CircleCI search: '`circleci` | rename workflows.job_id AS job_id | join job_id [ | search `circleci` | stats values(name) as step_names count by job_id job_name ] | stats count by step_names @@ -45,6 +45,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1554/circle_ci_disable_security_step/circle_ci_disable_security_step.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1554/circle_ci_disable_security_step/circle_ci_disable_security_step.json sourcetype: circleci source: circleci diff --git a/detections/cloud/cloud_api_calls_from_previously_unseen_user_roles.yml b/detections/cloud/cloud_api_calls_from_previously_unseen_user_roles.yml index 00f674b7f7..ca2e5983db 100644 --- a/detections/cloud/cloud_api_calls_from_previously_unseen_user_roles.yml +++ b/detections/cloud/cloud_api_calls_from_previously_unseen_user_roles.yml @@ -1,12 +1,12 @@ name: Cloud API Calls From Previously Unseen User Roles id: 2181ad1f-1e73-4d0c-9780-e8880482a08f -version: 1 -date: '2020-09-04' +version: 2 +date: '2024-05-15' author: David Dorsey, Splunk status: experimental type: Anomaly description: |- - The following analytic detects when a new command is run by a user, who typically does not run those commands. The detection is made by a Splunk query to search for these commands in the Change data model. Identifies commands run by users with the user_type of AssumedRole and a status of success. The query retrieves the earliest and latest timestamps of each command run and groups the results by the user and command. Then, it drops the unnecessary data model object name and creates a lookup to verify if the command was seen before. The lookup table contains information about previously seen cloud API calls for each user role, including the first time the command was seen and whether enough data is available for analysis. If the firstTimeSeenUserApiCall field is null or greater than the relative time of 24 hours ago, it indicates that the command is new and was not seen before. The final result table includes the firstTime, user, object, and command fields of the new commands. It also applies the security_content_ctime function to format the timestamps and applies a filter to remove any cloud API calls from previously unseen user roles. The detection is important because it helps to identify new commands run by different user roles. New commands can indicate potential malicious activity or unauthorized actions within the environment. Detecting and investigating these new commands can help identify and mitigate potential security threats earlier, preventing data breaches, unauthorized access, or other damaging outcomes. + The following analytic detects cloud API calls executed by user roles that have not previously run these commands. It leverages the Change data model in Splunk to identify commands executed by users with the user_type of AssumedRole and a status of success. This activity is significant because new commands from different user roles can indicate potential malicious activity or unauthorized actions. If confirmed malicious, this behavior could lead to unauthorized access, data breaches, or other damaging outcomes by exploiting new or unmonitored commands within the cloud environment. data_source: [] search: '| tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Change where All_Changes.user_type=AssumedRole AND All_Changes.status=success by All_Changes.user, @@ -58,7 +58,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json sourcetype: aws:cloudtrail source: aws_cloudtrail update_timestamp: true diff --git a/detections/cloud/cloud_compute_instance_created_with_previously_unseen_image.yml b/detections/cloud/cloud_compute_instance_created_with_previously_unseen_image.yml index a3fdda8ed8..7114193294 100644 --- a/detections/cloud/cloud_compute_instance_created_with_previously_unseen_image.yml +++ b/detections/cloud/cloud_compute_instance_created_with_previously_unseen_image.yml @@ -1,12 +1,12 @@ name: Cloud Compute Instance Created With Previously Unseen Image id: bc24922d-987c-4645-b288-f8c73ec194c4 -version: 1 -date: '2018-10-12' +version: 2 +date: '2024-05-30' author: David Dorsey, Splunk status: experimental type: Anomaly description: |- - The following analytic detects potential instances that are created in a cloud computing environment using new or unknown image IDs that have not been seen before. This detection is important because it helps to investigate and take appropriate action to prevent further damage or unauthorized access to the Cloud environment, which can include data breaches, unauthorized access to sensitive information, or the deployment of malicious payloads within the cloud environment. False positives might occur since legitimate instances can also have previously unseen image IDs. Next steps include conducting an extensive triage and investigation to determine the nature of the activity. During triage, review the details of the created instances, including the user responsible for the creation, the image ID used, and any associated metadata. Additionally, consider inspecting any relevant on-disk artifacts and analyzing concurrent processes to identify the source of the attack. + The following analytic detects the creation of cloud compute instances using previously unseen image IDs. It leverages cloud infrastructure logs to identify new image IDs that have not been observed before. This activity is significant because it may indicate unauthorized or suspicious activity, such as the deployment of malicious payloads or unauthorized access to sensitive information. If confirmed malicious, this could lead to data breaches, unauthorized access, or further compromise of the cloud environment. Immediate investigation is required to determine the legitimacy of the instance creation and to mitigate potential threats. data_source: [] search: '| tstats count earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object_id) as dest from datamodel=Change where All_Changes.action=created by All_Changes.Instance_Changes.image_id, @@ -59,7 +59,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json sourcetype: aws:cloudtrail source: aws_cloudtrail update_timestamp: true diff --git a/detections/cloud/cloud_compute_instance_created_with_previously_unseen_instance_type.yml b/detections/cloud/cloud_compute_instance_created_with_previously_unseen_instance_type.yml index a5c9bd52f7..51ba95c9c5 100644 --- a/detections/cloud/cloud_compute_instance_created_with_previously_unseen_instance_type.yml +++ b/detections/cloud/cloud_compute_instance_created_with_previously_unseen_instance_type.yml @@ -1,11 +1,18 @@ name: Cloud Compute Instance Created With Previously Unseen Instance Type id: c6ddbf53-9715-49f3-bb4c-fb2e8a309cda -version: 1 -date: '2020-09-12' +version: 2 +date: '2024-05-14' author: David Dorsey, Splunk status: experimental type: Anomaly -description: The following analytic detects the creation of EC2 instances with previously unseen instance types. The detection is made by using a Splunk query to identify the EC2 instances. First, the query searches for changes in the EC2 instance creation action and filters for instances with instance types that are not recognized or previously seen. Next, the query uses the Splunk tstats command to gather the necessary information from the Change data model. Then, it filters the instances with unknown instance types and reviews previously seen instance types to determine if they are new or not. The detection is important because it identifies attackers attempting to create instances with unknown or potentially compromised instance types, which can be an attempt to gain unauthorized access to sensitive data, compromise of systems, exfiltrate data, potential disruption of services, or launch other malicious activities within the environment. False positives might occur since there might be legitimate reasons for creating instances with previously unseen instance types. Therefore, you must carefully review and triage all alerts. +description: The following analytic detects the creation of EC2 instances with previously + unseen instance types. It leverages Splunk's tstats command to analyze data from + the Change data model, identifying instance types that have not been previously + recorded. This activity is significant for a SOC because it may indicate unauthorized + or suspicious activity, such as an attacker attempting to create instances for malicious + purposes. If confirmed malicious, this could lead to unauthorized access, data exfiltration, + system compromise, or service disruption. Immediate investigation is required to + determine the legitimacy of the instance creation. data_source: [] search: '| tstats earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object_id) as dest, count from datamodel=Change where All_Changes.action=created by All_Changes.Instance_Changes.instance_type, @@ -59,7 +66,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json sourcetype: aws:cloudtrail source: aws_cloudtrail update_timestamp: true diff --git a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_city.yml b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_city.yml index d993474fef..b9d62ef08b 100644 --- a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_city.yml +++ b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_city.yml @@ -21,9 +21,10 @@ search: '| tstats earliest(_time) as firstTime, latest(_time) as lastTime from d lookup previously_seen_cloud_provisioning_activity_sources City as City OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenCity=min(firstTimeSeen) | where isnull(firstTimeSeenCity) OR firstTimeSeenCity - > relative_time(now(), `previously_unseen_cloud_provisioning_activity_window`) | - table firstTime, src, City, user, object, command | `cloud_provisioning_activity_from_previously_unseen_city_filter` - | `security_content_ctime(firstTime)`' + > relative_time(now(), `previously_unseen_cloud_provisioning_activity_window`) + | `security_content_ctime(firstTime)` + | table firstTime, src, City, user, object, command + | `cloud_provisioning_activity_from_previously_unseen_city_filter`' how_to_implement: You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Provisioning Activity Sources - Initial` to build the initial table of source IP address, geographic diff --git a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_country.yml b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_country.yml index 9fc5036c7f..15ebf020a3 100644 --- a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_country.yml +++ b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_country.yml @@ -21,9 +21,10 @@ search: '| tstats earliest(_time) as firstTime, latest(_time) as lastTime from d | lookup previously_seen_cloud_provisioning_activity_sources Country as Country OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenCountry=min(firstTimeSeen) | where isnull(firstTimeSeenCountry) - OR firstTimeSeenCountry > relative_time(now(), "-24h@h") | table firstTime, src, - Country, user, object, command | `cloud_provisioning_activity_from_previously_unseen_country_filter` - | `security_content_ctime(firstTime)`' + OR firstTimeSeenCountry > relative_time(now(), "-24h@h") + | `security_content_ctime(firstTime)` + | table firstTime, src, Country, user, object, command + | `cloud_provisioning_activity_from_previously_unseen_country_filter`' how_to_implement: You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Provisioning Activity Sources - Initial` to build the initial table of source IP address, geographic diff --git a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_ip_address.yml b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_ip_address.yml index 8cca4a3983..7698432f62 100644 --- a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_ip_address.yml +++ b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_ip_address.yml @@ -21,8 +21,9 @@ search: '| tstats earliest(_time) as firstTime, latest(_time) as lastTime, value src as src OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenSrc=min(firstTimeSeen) | where isnull(firstTimeSeenSrc) OR firstTimeSeenSrc > relative_time(now(), `previously_unseen_cloud_provisioning_activity_window`) - | table firstTime, src, user, object_id, command | `cloud_provisioning_activity_from_previously_unseen_ip_address_filter` - | `security_content_ctime(firstTime)`' + | `security_content_ctime(firstTime)` + | table firstTime, src, user, object_id, command + | `cloud_provisioning_activity_from_previously_unseen_ip_address_filter`' how_to_implement: You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Provisioning Activity Sources - Initial` to build the initial table of source IP address, geographic diff --git a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_region.yml b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_region.yml index 4f9f552f0e..779605e1eb 100644 --- a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_region.yml +++ b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_region.yml @@ -22,8 +22,9 @@ search: '| tstats earliest(_time) as firstTime, latest(_time) as lastTime from d firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenRegion=min(firstTimeSeen) | where isnull(firstTimeSeenRegion) OR firstTimeSeenRegion > relative_time(now(), `previously_unseen_cloud_provisioning_activity_window`) - | table firstTime, src, Region, user, object, command | `cloud_provisioning_activity_from_previously_unseen_region_filter` - | `security_content_ctime(firstTime)`' + | `security_content_ctime(firstTime)` + | table firstTime, src, Region, user, object, command + | `cloud_provisioning_activity_from_previously_unseen_region_filter`' how_to_implement: You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Provisioning Activity Sources - Initial` to build the initial table of source IP address, geographic diff --git a/detections/cloud/cloud_security_groups_modifications_by_user.yml b/detections/cloud/cloud_security_groups_modifications_by_user.yml index c2e5fd3a65..1ce26bf6ec 100644 --- a/detections/cloud/cloud_security_groups_modifications_by_user.yml +++ b/detections/cloud/cloud_security_groups_modifications_by_user.yml @@ -1,34 +1,35 @@ name: Cloud Security Groups Modifications by User id: cfe7cca7-2746-4bdf-b712-b01ed819b9de -version: 1 -date: '2024-02-21' -author: Bhavin Patel, Splunk -data_source: +version: 2 +date: '2024-05-18' +author: Bhavin Patel, Splunk +data_source: - AWS CloudTrail type: Anomaly status: production -description: The following analytic identifies users who are unsually modifying security group in your cloud enriovnment,focusing on actions such as modifications, deletions, or creations performed by users over 30-minute intervals. Analyzing patterns of modifications to security groups can help in identifying anomalous behavior that may indicate a compromised account or an insider threat. - - The detection calculates the standard deviation for each host and leverages the - 3-sigma statistical rule to identify an unusual number of users. To customize this - analytic, users can try different combinations of the `bucket` span time and the - calculation of the `upperBound` field. This logic can be used for real time security - monitoring as well as threat hunting exercises. - - This detection will only trigger on all user and service accounts that have created/modified/deleted a security group . - - The analytics returned fields allow analysts to investigate the event further by - providing fields like source ip and values of the security objects affected. -search: '| tstats dc(All_Changes.object) as unique_security_groups values(All_Changes.src) as src values(All_Changes.user_type) as user_type values(All_Changes.object_category) as object_category values(All_Changes.object) as objects - values(All_Changes.action) as action values(All_Changes.user_agent) as user_agent values(All_Changes.command) as command from datamodel=Change WHERE All_Changes.object_category = "security_group" (All_Changes.action = modified OR All_Changes.action = deleted OR All_Changes.action = created) by All_Changes.user _time span=30m - | `drop_dm_object_name("All_Changes")` - | eventstats avg(unique_security_groups) as avg_changes - , stdev(unique_security_groups) as std_changes by user - | eval upperBound=(avg_changes+std_changes*3) - | eval isOutlier=if(unique_security_groups > 2 and unique_security_groups >= upperBound, 1, 0) - | where isOutlier=1| `cloud_security_groups_modifications_by_user_filter`' -how_to_implement: This search requries the Cloud infrastructure logs such as AWS Cloudtrail, GCP Pubsub Message logs, Azure Audit logs to be ingested into an accelerated Change datamodel. It is also recommended that users can try different combinations of the `bucket` span time and outlier conditions to better suit with their environment. -known_false_positives: It is possible that legitimate user/admin may modify a number of security groups +description: The following analytic identifies unusual modifications to security groups + in your cloud environment by users, focusing on actions such as modifications, deletions, + or creations over 30-minute intervals. It leverages cloud infrastructure logs and + calculates the standard deviation for each user, using the 3-sigma rule to detect + anomalies. This activity is significant as it may indicate a compromised account + or insider threat. If confirmed malicious, attackers could alter security group + configurations, potentially exposing sensitive resources or disrupting services. +search: '| tstats dc(All_Changes.object) as unique_security_groups values(All_Changes.src) + as src values(All_Changes.user_type) as user_type values(All_Changes.object_category) + as object_category values(All_Changes.object) as objects values(All_Changes.action) + as action values(All_Changes.user_agent) as user_agent values(All_Changes.command) + as command from datamodel=Change WHERE All_Changes.object_category = "security_group" + (All_Changes.action = modified OR All_Changes.action = deleted OR All_Changes.action + = created) by All_Changes.user _time span=30m | `drop_dm_object_name("All_Changes")` + | eventstats avg(unique_security_groups) as avg_changes , stdev(unique_security_groups) + as std_changes by user | eval upperBound=(avg_changes+std_changes*3) | eval isOutlier=if(unique_security_groups + > 2 and unique_security_groups >= upperBound, 1, 0) | where isOutlier=1| `cloud_security_groups_modifications_by_user_filter`' +how_to_implement: This search requries the Cloud infrastructure logs such as AWS Cloudtrail, + GCP Pubsub Message logs, Azure Audit logs to be ingested into an accelerated Change + datamodel. It is also recommended that users can try different combinations of the + `bucket` span time and outlier conditions to better suit with their environment. +known_false_positives: It is possible that legitimate user/admin may modify a number + of security groups references: - https://attack.mitre.org/techniques/T1578/005/ tags: @@ -37,7 +38,7 @@ tags: asset_type: Cloud Instance confidence: 50 impact: 70 - message: Unsual number cloud security group modifications detected by user - $user$ + message: Unsual number cloud security group modifications detected by user - $user$ mitre_attack_id: - T1578.005 observable: @@ -61,6 +62,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1578.005/aws_authorize_security_group/aws_authorize_security_group.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1578.005/aws_authorize_security_group/aws_authorize_security_group.json sourcetype: aws:cloudtrail source: aws_cloudtrail diff --git a/detections/cloud/detect_aws_console_login_by_new_user.yml b/detections/cloud/detect_aws_console_login_by_new_user.yml index 2541da0e47..a5f08b2e0c 100644 --- a/detections/cloud/detect_aws_console_login_by_new_user.yml +++ b/detections/cloud/detect_aws_console_login_by_new_user.yml @@ -1,15 +1,17 @@ name: Detect AWS Console Login by New User id: bc91a8cd-35e7-4bb2-6140-e756cc46fd71 -version: 3 -date: '2022-05-10' +version: 4 +date: '2024-05-28' author: Rico Valdez, Splunk status: experimental type: Hunting -description: This search looks for AWS CloudTrail events wherein a console login event - by a user was recorded within the last hour, then compares the event to a lookup - file of previously seen users (by ARN values) who have logged into the console. - The alert is fired if the user has logged into the console for the first time within - the last hour +description: The following analytic detects AWS console login events by new users. + It leverages AWS CloudTrail events and compares them against a lookup file of previously + seen users based on ARN values. This detection is significant because a new user + logging into the AWS console could indicate the creation of new accounts or potential + unauthorized access. If confirmed malicious, this activity could lead to unauthorized + access to AWS resources, data exfiltration, or further exploitation within the cloud + environment. data_source: [] search: '| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user | `drop_dm_object_name(Authentication)` @@ -59,7 +61,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json sourcetype: aws:cloudtrail source: aws_cloudtrail update_timestamp: true diff --git a/detections/cloud/detect_aws_console_login_by_user_from_new_city.yml b/detections/cloud/detect_aws_console_login_by_user_from_new_city.yml index 2428ed1042..9488c17d39 100644 --- a/detections/cloud/detect_aws_console_login_by_user_from_new_city.yml +++ b/detections/cloud/detect_aws_console_login_by_user_from_new_city.yml @@ -1,16 +1,18 @@ name: Detect AWS Console Login by User from New City id: 121b0b11-f8ac-4ed6-a132-3800ca4fc07a -version: 2 -date: '2022-08-25' +version: 3 +date: '2024-05-25' author: Bhavin Patel, Eric McGinnis Splunk status: production type: Hunting -description: This search looks for AWS CloudTrail events wherein a console login event - by a user was recorded within the last hour, then compares the event to a lookup - file of previously seen users (by ARN values) who have logged into the console. - The alert is fired if the user has logged into the console for the first time within - the last hour -data_source: +description: The following analytic identifies AWS console login events by users from + a new city within the last hour. It leverages AWS CloudTrail events and compares + them against a lookup file of previously seen user locations. This activity is significant + for a SOC as it may indicate unauthorized access or credential compromise, especially + if the login originates from an unusual location. If confirmed malicious, this could + lead to unauthorized access to AWS resources, data exfiltration, or further exploitation + within the cloud environment. +data_source: - AWS CloudTrail search: '| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src @@ -66,12 +68,13 @@ tags: - Authentication.src risk_score: 18 security_domain: threat - manual_test: This search needs the baseline to be run first to create a lookup. + manual_test: This search needs the baseline to be run first to create a lookup. It also requires that the timestamps in the dataset be updated. tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json sourcetype: aws:cloudtrail source: aws_cloudtrail update_timestamp: true diff --git a/detections/cloud/detect_aws_console_login_by_user_from_new_country.yml b/detections/cloud/detect_aws_console_login_by_user_from_new_country.yml index 49f63ccf37..7cd18c04e7 100644 --- a/detections/cloud/detect_aws_console_login_by_user_from_new_country.yml +++ b/detections/cloud/detect_aws_console_login_by_user_from_new_country.yml @@ -1,16 +1,17 @@ name: Detect AWS Console Login by User from New Country id: 67bd3def-c41c-4bf6-837b-ae196b4257c6 -version: 2 -date: '2022-08-25' +version: 3 +date: '2024-05-16' author: Bhavin Patel, Eric McGinnis Splunk status: production type: Hunting -description: This search looks for AWS CloudTrail events wherein a console login event - by a user was recorded within the last hour, then compares the event to a lookup - file of previously seen users (by ARN values) who have logged into the console. - The alert is fired if the user has logged into the console for the first time within - the last hour -data_source: +description: The following analytic identifies AWS console login events by users from + a new country. It leverages AWS CloudTrail events and compares them against a lookup + file of previously seen users and their login locations. This activity is significant + because logins from new countries can indicate potential unauthorized access or + compromised accounts. If confirmed malicious, this could lead to unauthorized access + to AWS resources, data exfiltration, or further exploitation within the AWS environment. +data_source: - AWS CloudTrail search: '| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src @@ -67,12 +68,13 @@ tags: - Authentication.src risk_score: 42 security_domain: threat - manual_test: This search needs the baseline to be run first to create a lookup. + manual_test: This search needs the baseline to be run first to create a lookup. It also requires that the timestamps in the dataset be updated. tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json sourcetype: aws:cloudtrail source: aws_cloudtrail update_timestamp: true diff --git a/detections/cloud/detect_aws_console_login_by_user_from_new_region.yml b/detections/cloud/detect_aws_console_login_by_user_from_new_region.yml index 471db53e87..69cda1c583 100644 --- a/detections/cloud/detect_aws_console_login_by_user_from_new_region.yml +++ b/detections/cloud/detect_aws_console_login_by_user_from_new_region.yml @@ -1,16 +1,18 @@ name: Detect AWS Console Login by User from New Region id: 9f31aa8e-e37c-46bc-bce1-8b3be646d026 -version: 2 -date: '2022-08-25' +version: 3 +date: '2024-05-18' author: Bhavin Patel, Eric McGinnis Splunk status: production type: Hunting -description: This search looks for AWS CloudTrail events wherein a console login event - by a user was recorded within the last hour, then compares the event to a lookup - file of previously seen users (by ARN values) who have logged into the console. - The alert is fired if the user has logged into the console for the first time within - the last hour -data_source: +description: The following analytic identifies AWS console login attempts by users + from a new region. It leverages AWS CloudTrail events and compares current login + regions against a baseline of previously seen regions for each user. This activity + is significant as it may indicate unauthorized access attempts or compromised credentials. + If confirmed malicious, an attacker could gain unauthorized access to AWS resources, + potentially leading to data breaches, resource manipulation, or further lateral + movement within the cloud environment. +data_source: - AWS CloudTrail search: '| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src @@ -67,12 +69,13 @@ tags: - Authentication.src risk_score: 36 security_domain: threat - manual_test: This search needs the baseline to be run first to create a lookup. + manual_test: This search needs the baseline to be run first to create a lookup. It also requires that the timestamps in the dataset be updated. tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json sourcetype: aws:cloudtrail source: aws_cloudtrail update_timestamp: true diff --git a/detections/cloud/detect_new_open_s3_buckets.yml b/detections/cloud/detect_new_open_s3_buckets.yml index d6d8f01373..64a68a65f9 100644 --- a/detections/cloud/detect_new_open_s3_buckets.yml +++ b/detections/cloud/detect_new_open_s3_buckets.yml @@ -21,7 +21,7 @@ search: '`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl | rex rename requestParameters.bucketName AS bucketName | stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` - | `detect_new_open_s3_buckets_filter` ' + | `detect_new_open_s3_buckets_filter`' how_to_implement: You must install the AWS App for Splunk. known_false_positives: While this search has no known false positives, it is possible that an AWS admin has legitimately created a public bucket for a specific purpose. diff --git a/detections/cloud/detect_new_open_s3_buckets_over_aws_cli.yml b/detections/cloud/detect_new_open_s3_buckets_over_aws_cli.yml index 4cfc41d780..c81623d904 100644 --- a/detections/cloud/detect_new_open_s3_buckets_over_aws_cli.yml +++ b/detections/cloud/detect_new_open_s3_buckets_over_aws_cli.yml @@ -23,7 +23,7 @@ search: '`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR u by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control - | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_new_open_s3_buckets_over_aws_cli_filter` ' + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_new_open_s3_buckets_over_aws_cli_filter`' how_to_implement: The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS Cloudtrail logs. known_false_positives: While this search has no known false positives, it is possible diff --git a/detections/cloud/gcp_authentication_failed_during_mfa_challenge.yml b/detections/cloud/gcp_authentication_failed_during_mfa_challenge.yml index 71890a9d28..2b04cfc1b8 100644 --- a/detections/cloud/gcp_authentication_failed_during_mfa_challenge.yml +++ b/detections/cloud/gcp_authentication_failed_during_mfa_challenge.yml @@ -1,18 +1,23 @@ name: GCP Authentication Failed During MFA Challenge id: 345f7e1d-a3fe-4158-abd8-e630f9878323 -version: 2 -date: '2024-01-04' +version: 3 +date: '2024-05-11' author: Bhavin Patel, Mauricio Velazco, Splunk status: production type: TTP -description: 'The following analytic identifies an authentication attempt event against - a Google Cloud Platform tenant that fails during the Multi Factor Authentication - challenge. This behavior may represent an adversary trying to authenticate with - compromised credentials for an account that has multi-factor authentication enabled. ' -data_source: +description: 'The following analytic detects failed authentication attempts during + the Multi-Factor Authentication (MFA) challenge on a Google Cloud Platform (GCP) + tenant. It uses Google Workspace login failure events to identify instances where + MFA methods were challenged but not successfully completed. This activity is significant + as it may indicate an adversary attempting to access an account with compromised + credentials despite MFA protection. If confirmed malicious, this could lead to unauthorized + access attempts, potentially compromising sensitive data and resources within the + GCP environment.' +data_source: - Google Workspace login_failure search: ' `gws_reports_login` event.name=login_failure `gws_login_mfa_methods` | stats - count min(_time) as firstTime max(_time) as lastTime by user, src_ip, login_challenge_method | `gcp_authentication_failed_during_mfa_challenge_filter`' + count min(_time) as firstTime max(_time) as lastTime by user, src_ip, login_challenge_method + | `gcp_authentication_failed_during_mfa_challenge_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google @@ -59,7 +64,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/gcp_failed_mfa/gws_login.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/gcp_failed_mfa/gws_login.log source: gws:reports:login sourcetype: gws:reports:login update_timestamp: true diff --git a/detections/cloud/gcp_multi_factor_authentication_disabled.yml b/detections/cloud/gcp_multi_factor_authentication_disabled.yml index 69f6cc1bcb..8acdae5d35 100644 --- a/detections/cloud/gcp_multi_factor_authentication_disabled.yml +++ b/detections/cloud/gcp_multi_factor_authentication_disabled.yml @@ -1,18 +1,24 @@ name: GCP Multi-Factor Authentication Disabled id: b9bc5513-6fc1-4821-85a3-e1d81e451c83 -version: 2 -date: '2024-01-04' +version: 3 +date: '2024-05-25' author: Bhavin Patel, Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic identifies an attempt to disable multi-factor - authentication for a GCP user. An adversary who has obtained access to an GCP tenant - may disable multi-factor authentication as a way to plant a backdoor and maintain - persistence using a valid account. This way the attackers can keep persistance in - the environment without adding new users. -data_source: +description: The following analytic detects an attempt to disable multi-factor authentication + (MFA) for a Google Cloud Platform (GCP) user. It leverages Google Workspace Admin + log events, specifically the `UNENROLL_USER_FROM_STRONG_AUTH` command. This activity + is significant because disabling MFA can allow an adversary to maintain persistence + within the environment using a compromised account without raising suspicion. If + confirmed malicious, this action could enable attackers to bypass additional security + layers, potentially leading to unauthorized access, data exfiltration, or further + exploitation of the compromised account. +data_source: - Google Workspace -search: '`gws_reports_admin` command=UNENROLL_USER_FROM_STRONG_AUTH | stats count min(_time) as firstTime max(_time) as lastTime by user, command, actor.email, status, id.applicationName, event.name, vendor_account, action | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `gcp_multi_factor_authentication_disabled_filter`' +search: '`gws_reports_admin` command=UNENROLL_USER_FROM_STRONG_AUTH | stats count + min(_time) as firstTime max(_time) as lastTime by user, command, actor.email, status, + id.applicationName, event.name, vendor_account, action | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`| `gcp_multi_factor_authentication_disabled_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google @@ -59,7 +65,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/gcp_disable_mfa/gws_admin.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/gcp_disable_mfa/gws_admin.log source: gws:reports:admin sourcetype: gws:reports:admin update_timestamp: true diff --git a/detections/cloud/gcp_multiple_failed_mfa_requests_for_user.yml b/detections/cloud/gcp_multiple_failed_mfa_requests_for_user.yml index b12e297409..501ca6414b 100644 --- a/detections/cloud/gcp_multiple_failed_mfa_requests_for_user.yml +++ b/detections/cloud/gcp_multiple_failed_mfa_requests_for_user.yml @@ -1,24 +1,23 @@ name: GCP Multiple Failed MFA Requests For User id: cbb3cb84-c06f-4393-adcc-5cb6195621f1 -version: 1 -date: '2022-10-14' +version: 2 +date: '2024-05-23' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic identifies multiple failed multi-factor authentication - requests for a single user within a Google Cloud Platform tenant. Specifically, - the analytic triggers when 10 or more MFA user prompts fail within 5 minutes. Google - CLoud tenants can be very different depending on the organization, Security teams - should test this detection and customize these arbitrary thresholds. The detected - behavior may represent an adversary who has obtained legitimate credentials for - a user and continuously repeats login attempts in order to bombard users with MFA - push notifications, SMS messages, and phone calls potentially resulting in the user - finally accepting the authentication request. Threat actors like the Lapsus team - and APT29 have leveraged this technique to bypass multi-factor authentication controls - as reported by Mandiant and others. -data_source: +description: The following analytic detects multiple failed multi-factor authentication + (MFA) requests for a single user within a Google Cloud Platform (GCP) tenant. It + triggers when 10 or more MFA prompts fail within a 5-minute window, using Google + Workspace login failure events. This behavior is significant as it may indicate + an adversary attempting to bypass MFA by bombarding the user with repeated authentication + requests. If confirmed malicious, this activity could lead to unauthorized access, + allowing attackers to compromise accounts and potentially escalate privileges within + the GCP environment. +data_source: - Google Workspace login_failure -search: "`gws_reports_login` event.name=login_failure `gws_login_mfa_methods` | bucket span=5m _time | stats dc(_raw) AS mfa_prompts values(user) AS user by src_ip, login_challenge_method, _time | where mfa_prompts >= 10 | `gcp_multiple_failed_mfa_requests_for_user_filter`" +search: "`gws_reports_login` event.name=login_failure `gws_login_mfa_methods` | bucket + span=5m _time | stats dc(_raw) AS mfa_prompts values(user) AS user by src_ip, login_challenge_method,\ + \ _time | where mfa_prompts >= 10 | `gcp_multiple_failed_mfa_requests_for_user_filter`" how_to_implement: You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google @@ -66,7 +65,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/multiple_failed_mfa_gws/gws_login.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/multiple_failed_mfa_gws/gws_login.log source: gws:reports:login sourcetype: gws:reports:login update_timestamp: true diff --git a/detections/cloud/gcp_multiple_users_failing_to_authenticate_from_ip.yml b/detections/cloud/gcp_multiple_users_failing_to_authenticate_from_ip.yml index f1a9dd7197..f4f9aceee7 100644 --- a/detections/cloud/gcp_multiple_users_failing_to_authenticate_from_ip.yml +++ b/detections/cloud/gcp_multiple_users_failing_to_authenticate_from_ip.yml @@ -1,17 +1,18 @@ name: GCP Multiple Users Failing To Authenticate From Ip id: da20828e-d6fb-4ee5-afb7-d0ac200923d5 -version: 1 -date: '2022-10-12' +version: 2 +date: '2024-05-22' author: Bhavin Patel, Splunk status: production type: Anomaly -description: The following analytic identifies one source Ip failing to authenticate - into the Google Workspace user accounts with more than 20 unique valid users within - 5 minutes. These user accounts may have other privileges with respect to access - to other sensitive resources in the Google Cloud Platform. This behavior could represent - an adversary performing a Password Spraying attack against an Google Workspace environment - to obtain initial access or elevate privileges. -data_source: +description: The following analytic detects a single source IP address failing to + authenticate into more than 20 unique Google Workspace user accounts within a 5-minute + window. It leverages Google Workspace login failure events to identify potential + password spraying attacks. This activity is significant as it may indicate an adversary + attempting to gain unauthorized access or elevate privileges within the Google Cloud + Platform. If confirmed malicious, this behavior could lead to unauthorized access + to sensitive resources, data breaches, or further exploitation within the environment. +data_source: - Google Workspace login_failure search: '`gws_reports_login` event.type = login event.name = login_failure | bucket span=5m _time | stats count dc(user) AS unique_accounts values(user) as tried_accounts @@ -37,7 +38,8 @@ tags: asset_type: Google Cloud Platform tenant confidence: 90 impact: 60 - message: 'Multiple failed login attempts (Count: $unique_accounts$) against users seen from $src$' + message: 'Multiple failed login attempts (Count: $unique_accounts$) against users + seen from $src$' mitre_attack_id: - T1586 - T1586.003 @@ -70,7 +72,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/gcp_gws_multiple_login_failure/gws_login.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/gcp_gws_multiple_login_failure/gws_login.json source: gws_login sourcetype: gws:reports:login update_timestamp: true diff --git a/detections/cloud/gcp_successful_single_factor_authentication.yml b/detections/cloud/gcp_successful_single_factor_authentication.yml index 5ee9e0bccf..7edda663ec 100644 --- a/detections/cloud/gcp_successful_single_factor_authentication.yml +++ b/detections/cloud/gcp_successful_single_factor_authentication.yml @@ -1,19 +1,24 @@ name: GCP Successful Single-Factor Authentication id: 40e17d88-87da-414e-b253-8dc1e4f9555b -version: 2 -date: '2024-01-04' +version: 3 +date: '2024-05-25' author: Bhavin Patel, Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic identifies a successful authentication event against - Google Cloud Platform for an account without Multi-Factor Authentication enabled. - This could be evidence of a missconfiguration, a policy violation or an account - take over attempt that should be investigated -data_source: +description: The following analytic identifies a successful single-factor authentication + event against Google Cloud Platform (GCP) for an account without Multi-Factor Authentication + (MFA) enabled. It uses Google Workspace login event data to detect instances where + MFA is not utilized. This activity is significant as it may indicate a misconfiguration, + policy violation, or potential account takeover attempt. If confirmed malicious, + an attacker could gain unauthorized access to GCP resources, potentially leading + to data breaches, service disruptions, or further exploitation within the cloud + environment. +data_source: - Google Workspace login_success search: '`gws_reports_login` event.name=login_success NOT `gws_login_mfa_methods` - | stats count min(_time) as firstTime max(_time) as lastTime by user, src_ip, login_challenge_method, app, event.name, vendor_account, action - |`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `gcp_successful_single_factor_authentication_filter`' + | stats count min(_time) as firstTime max(_time) as lastTime by user, src_ip, login_challenge_method, + app, event.name, vendor_account, action |`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| + `gcp_successful_single_factor_authentication_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google @@ -61,7 +66,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/gcp_single_factor_auth/gws_login.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/gcp_single_factor_auth/gws_login.log source: gws:reports:login sourcetype: gws:reports:login update_timestamp: true diff --git a/detections/cloud/gcp_unusual_number_of_failed_authentications_from_ip.yml b/detections/cloud/gcp_unusual_number_of_failed_authentications_from_ip.yml index 962884c414..007e7b649a 100644 --- a/detections/cloud/gcp_unusual_number_of_failed_authentications_from_ip.yml +++ b/detections/cloud/gcp_unusual_number_of_failed_authentications_from_ip.yml @@ -1,23 +1,19 @@ name: GCP Unusual Number of Failed Authentications From Ip id: bd8097ed-958a-4873-87d9-44f2b4d85705 -version: 1 -date: '2022-10-13' +version: 2 +date: '2024-05-24' author: Bhavin Patel, Splunk status: production type: Anomaly -description: The following analytic identifies one source IP failing to authenticate - into the Google Workspace with multiple valid users. This behavior could represent - an adversary performing a Password Spraying attack against a Google Workspace enviroment - to obtain initial access or elevate privileges. The detection calculates the standard - deviation for source IP and leverages the 3-sigma statistical rule to identify an - unusual number of failed authentication attempts. To customize this analytic, users - can try different combinations of the bucket span time and the calculation of the - upperBound field. This logic can be used for real time security monitoring as well - as threat hunting exercises. While looking for anomalies using statistical methods - like the standard deviation can have benefits, we also recommend using threshold-based - detections to complement coverage. A similar analytic following the threshold model - is `GCP Multiple Users Failing To Authenticate From Ip` -data_source: +description: The following analytic identifies a single source IP failing to authenticate + into Google Workspace with multiple valid users, potentially indicating a Password + Spraying attack. It uses Google Workspace login failure events and calculates the + standard deviation for source IPs, applying the 3-sigma rule to detect unusual failed + authentication attempts. This activity is significant as it may signal an adversary + attempting to gain initial access or elevate privileges. If confirmed malicious, + this could lead to unauthorized access, data breaches, or further exploitation within + the environment. +data_source: - Google Workspace login_failure search: '`gws_reports_login` event.type = login event.name = login_failure| bucket span=5m _time | stats dc(user_name) AS unique_accounts values(user_name) as tried_accounts @@ -44,7 +40,8 @@ tags: asset_type: Google Cloud Platform tenant confidence: 90 impact: 60 - message: 'Unusual number of failed console login attempts (Count: $unique_accounts$) against users from IP Address - $src$' + message: 'Unusual number of failed console login attempts (Count: $unique_accounts$) + against users from IP Address - $src$' mitre_attack_id: - T1586 - T1586.003 @@ -75,7 +72,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/gcp_gws_multiple_login_failure/gws_login.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/gcp_gws_multiple_login_failure/gws_login.json source: gws_login sourcetype: gws:reports:login update_timestamp: true diff --git a/detections/cloud/github_commit_changes_in_master.yml b/detections/cloud/github_commit_changes_in_master.yml index e4bdf94cc8..0a4052114b 100644 --- a/detections/cloud/github_commit_changes_in_master.yml +++ b/detections/cloud/github_commit_changes_in_master.yml @@ -1,16 +1,18 @@ name: Github Commit Changes In Master id: c9d2bfe2-019f-11ec-a8eb-acde48001122 -version: 1 -date: '2021-08-20' +version: 2 +date: '2024-05-22' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This search is to detect a pushed or commit to master or main branch. - This is to avoid unwanted modification to master without a review to the changes. - Ideally in terms of devsecops the changes made in a branch and do a PR for review. - of course in some cases admin of the project may did a changes directly to master - branch -data_source: +description: The following analytic detects direct commits or pushes to the master + or main branch in a GitHub repository. It leverages GitHub logs to identify events + where changes are made directly to these critical branches. This activity is significant + because direct modifications to the master or main branch bypass the standard review + process, potentially introducing unreviewed and harmful changes. If confirmed malicious, + this could lead to unauthorized code execution, security vulnerabilities, or compromised + project integrity. +data_source: - GitHub search: '`github` branches{}.name = main OR branches{}.name = master | stats count min(_time) as firstTime max(_time) as lastTime by commit.commit.author.email commit.author.login @@ -48,6 +50,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1199/github_push_master/github_push_master.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1199/github_push_master/github_push_master.log source: github sourcetype: aws:firehose:json diff --git a/detections/cloud/github_commit_in_develop.yml b/detections/cloud/github_commit_in_develop.yml index 93dd9436e6..1346e0f952 100644 --- a/detections/cloud/github_commit_in_develop.yml +++ b/detections/cloud/github_commit_in_develop.yml @@ -1,15 +1,18 @@ name: Github Commit In Develop id: f3030cb6-0b02-11ec-8f22-acde48001122 -version: 1 -date: '2021-09-01' +version: 2 +date: '2024-05-24' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This search is to detect a pushed or commit to develop branch. This is - to avoid unwanted modification to develop without a review to the changes. Ideally - in terms of devsecops the changes made in a branch and do a PR for review. of course - in some cases admin of the project may did a changes directly to master branch -data_source: +description: The following analytic detects commits pushed directly to the 'develop' + or 'main' branches in a GitHub repository. It leverages GitHub logs, focusing on + commit metadata such as author details, commit messages, and timestamps. This activity + is significant as direct commits to these branches can bypass the review process, + potentially introducing unvetted changes. If confirmed malicious, this could lead + to unauthorized code modifications, introducing vulnerabilities or backdoors into + the codebase, and compromising the integrity of the development lifecycle. +data_source: - GitHub search: '`github` branches{}.name = main OR branches{}.name = develop | stats count min(_time) as firstTime max(_time) as lastTime by commit.author.html_url commit.commit.author.email @@ -47,6 +50,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1199/github_push_master/github_push_develop.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1199/github_push_master/github_push_develop.json source: github sourcetype: aws:firehose:json diff --git a/detections/cloud/github_dependabot_alert.yml b/detections/cloud/github_dependabot_alert.yml index bb3b9bdcc8..da4f09cdc9 100644 --- a/detections/cloud/github_dependabot_alert.yml +++ b/detections/cloud/github_dependabot_alert.yml @@ -1,12 +1,19 @@ name: GitHub Dependabot Alert id: 05032b04-4469-4034-9df7-05f607d75cba -version: 1 -date: '2021-09-01' +version: 2 +date: '2024-05-27' author: Patrick Bareiss, Splunk status: production type: Anomaly -description: "The following analytic is made by first searching for logs that contain the action \"create\" and renames certain fields for easier analysis. Then, this analytic uses the \"stats\" command to calculate the first and last occurrence of the alert based on the timestamp. The fields included in the output are the action, affected package name, affected range, created date, external identifier, external reference, fixed version, severity, repository, repository URL, and user. The \"phase\" field is set to \"code\" to indicate that the alert pertains to code-related issues. The detection is important because dependabot Alerts can indicate vulnerabilities in the codebase that can be exploited by attackers. Detecting and investigating these alerts can help a SOC to proactively address security risks and prevent potential breaches or unauthorized access to sensitive information. False positives might occur since there are legitimate actions that trigger the \"create\" action or if other factors exist that can generate similar log entries. Next steps include reviewing the details of the alert, such as the affected package, severity, and fixed version to determine the appropriate response and mitigation steps." -data_source: +description: "The following analytic identifies the creation of GitHub Dependabot + alerts, which indicate potential vulnerabilities in the codebase. It detects this + activity by searching for logs with the \"create\" action and analyzing fields such + as affected package, severity, and fixed version. This detection is significant + for a SOC because it helps identify and address security risks in the codebase proactively. + If confirmed malicious, these vulnerabilities could be exploited by attackers to + gain unauthorized access or cause breaches, leading to potential data loss or system + compromise." +data_source: - GitHub search: '`github` alert.id=* action=create | rename repository.full_name as repository, repository.html_url as repository_url sender.login as user | stats min(_time) as @@ -56,6 +63,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1195.001/github_security_advisor_alert/github_security_advisor_alert.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1195.001/github_security_advisor_alert/github_security_advisor_alert.json sourcetype: aws:firehose:json source: github diff --git a/detections/cloud/github_pull_request_from_unknown_user.yml b/detections/cloud/github_pull_request_from_unknown_user.yml index b54e3440cf..7ab0f9565a 100644 --- a/detections/cloud/github_pull_request_from_unknown_user.yml +++ b/detections/cloud/github_pull_request_from_unknown_user.yml @@ -1,12 +1,19 @@ name: GitHub Pull Request from Unknown User id: 9d7b9100-8878-4404-914e-ca5e551a641e -version: 1 -date: '2021-09-01' +version: 2 +date: '2024-05-13' author: Patrick Bareiss, Splunk status: production type: Anomaly -description: The following analytic detects pull requests from unknown users on GitHub. The detection is made by using a Splunk query to search for pull requests in the `check_suite.pull_requests` field where the `id` is not specified. Next, the analytic retrieves information such as the author's name, the repository's full name, the head reference of the pull request, and the commit message from the `check_suite.head_commit` field. The analytic also includes a step to exclude known users by using the `github_known_users` lookup table, which helps to filter out pull requests from known users and focus on the pull requests from unknown users. The detection is important because it locates potential malicious activity or unauthorized access since unknown users can introduce malicious code or gain unauthorized access to repositories leading to unauthorized code changes, data breaches, or other security incidents. Next steps include reviewing the author's name, the repository involved, the head reference of the pull request, and the commit message upon triage of a potential pull request from an unknown user. You must also analyze any relevant on-disk artifacts and investigate any concurrent processes to determine the source and intent of the pull request." -data_source: +description: The following analytic detects pull requests from unknown users on GitHub. + It uses a Splunk query to identify pull requests where the user ID is not specified + and cross-references these with a known users lookup table. This activity is significant + because pull requests from unknown users can introduce malicious code or unauthorized + changes to repositories. If confirmed malicious, this could lead to unauthorized + code changes, data breaches, or other security incidents. Immediate steps include + reviewing the author's name, repository, head reference, and commit message, and + investigating any related artifacts and processes. +data_source: - GitHub search: '`github` check_suite.pull_requests{}.id=* | stats count by check_suite.head_commit.author.name repository.full_name check_suite.pull_requests{}.head.ref check_suite.head_commit.message @@ -56,6 +63,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1195.001/github_pull_request/github_pull_request.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1195.001/github_pull_request/github_pull_request.json sourcetype: aws:firehose:json source: github diff --git a/detections/cloud/gsuite_drive_share_in_external_email.yml b/detections/cloud/gsuite_drive_share_in_external_email.yml index 61816b1325..1415347b8c 100644 --- a/detections/cloud/gsuite_drive_share_in_external_email.yml +++ b/detections/cloud/gsuite_drive_share_in_external_email.yml @@ -1,13 +1,17 @@ name: Gsuite Drive Share In External Email id: f6ee02d6-fea0-11eb-b2c2-acde48001122 -version: 1 -date: '2021-08-16' +version: 2 +date: '2024-05-21' author: Teoderick Contreras, Splunk status: experimental type: Anomaly -description: This search is to detect suspicious google drive or google docs files - shared outside or externally. This behavior might be a good hunting query to monitor - exfitration of data made by an attacker or insider to a targetted machine. +description: The following analytic detects Google Drive or Google Docs files shared + externally from an internal domain. It leverages GSuite Drive logs, extracting and + comparing the source and destination email domains to identify external sharing. + This activity is significant as it may indicate potential data exfiltration by an + attacker or insider. If confirmed malicious, this could lead to unauthorized access + to sensitive information, data leakage, and potential compliance violations. Monitoring + this behavior helps in early detection and mitigation of data breaches. data_source: [] search: '`gsuite_drive` NOT (email IN("", "null")) | rex field=parameters.owner "[^@]+@(?[^@]+)" | rex field=email "[^@]+@(?[^@]+)" | where src_domain = "internal_test_email.com" @@ -65,6 +69,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1567.002/gsuite_share_drive/gdrive_share_external.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1567.002/gsuite_share_drive/gdrive_share_external.log source: http:gsuite sourcetype: gsuite:drive:json diff --git a/detections/cloud/gsuite_email_suspicious_attachment.yml b/detections/cloud/gsuite_email_suspicious_attachment.yml index d78ce9524a..5c9abfa33c 100644 --- a/detections/cloud/gsuite_email_suspicious_attachment.yml +++ b/detections/cloud/gsuite_email_suspicious_attachment.yml @@ -1,16 +1,18 @@ name: GSuite Email Suspicious Attachment id: 6d663014-fe92-11eb-ab07-acde48001122 -version: 1 -date: '2021-08-16' +version: 2 +date: '2024-05-16' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This search is to detect a suspicious attachment file extension in Gsuite - email that may related to spear phishing attack. This file type is commonly used - by malware to lure user to click on it to execute malicious code to compromised - targetted machine. But this search can also catch some normal files related to this - file type that maybe send by employee or network admin. -data_source: +description: The following analytic detects suspicious attachment file extensions + in GSuite emails, potentially indicating a spear-phishing attack. It leverages GSuite + Gmail logs to identify emails with attachments having file extensions commonly associated + with malware, such as .exe, .bat, and .js. This activity is significant as these + file types are often used to deliver malicious payloads, posing a risk of compromising + targeted machines. If confirmed malicious, this could lead to unauthorized code + execution, data breaches, or further network infiltration. +data_source: - G Suite Gmail search: '`gsuite_gmail` "attachment{}.file_extension_type" IN ("pl", "py", "rb", "sh", "bat", "exe", "dll", "cpl", "com", "js", "vbs", "ps1", "reg","swf", "cmd", "go") @@ -66,6 +68,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/gsuite_susp_attachment_ext/gsuite_gmail_file_ext.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/gsuite_susp_attachment_ext/gsuite_gmail_file_ext.log source: http:gsuite sourcetype: gsuite:gmail:bigquery diff --git a/detections/cloud/gsuite_email_suspicious_subject_with_attachment.yml b/detections/cloud/gsuite_email_suspicious_subject_with_attachment.yml index ed60a9f68f..ff370ee6bb 100644 --- a/detections/cloud/gsuite_email_suspicious_subject_with_attachment.yml +++ b/detections/cloud/gsuite_email_suspicious_subject_with_attachment.yml @@ -1,19 +1,19 @@ name: Gsuite Email Suspicious Subject With Attachment id: 8ef3971e-00f2-11ec-b54f-acde48001122 -version: 1 -date: '2021-08-19' +version: 2 +date: '2024-05-15' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This search is to detect a gsuite email contains suspicious subject having - known file type used in spear phishing. This technique is a common and effective - entry vector of attacker to compromise a network by luring the user to click or - execute the suspicious attachment send from external email account because of the - effective social engineering of subject related to delivery, bank and so on. On - the other hand this detection may catch a normal email traffic related to legitimate - transaction so better to check the email sender, spelling and etc. avoid click link - or opening the attachment if you are not expecting this type of e-mail. -data_source: +description: The following analytic identifies Gsuite emails with suspicious subjects + and attachments commonly used in spear phishing attacks. It leverages Gsuite email + logs, focusing on specific keywords in the subject line and known malicious file + types in attachments. This activity is significant for a SOC as spear phishing is + a prevalent method for initial compromise, often leading to further malicious actions. + If confirmed malicious, this activity could result in unauthorized access, data + exfiltration, or further malware deployment, posing a significant risk to the organization's + security. +data_source: - G Suite Gmail search: '`gsuite_gmail` num_message_attachments > 0 subject IN ("*dhl*", "* ups *", "*delivery*", "*parcel*", "*label*", "*invoice*", "*postal*", "* fedex *", "* usps @@ -65,6 +65,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/gsuite_susp_subj/gsuite_susp_subj_attach.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/gsuite_susp_subj/gsuite_susp_subj_attach.log source: http:gsuite sourcetype: gsuite:gmail:bigquery diff --git a/detections/cloud/gsuite_email_with_known_abuse_web_service_link.yml b/detections/cloud/gsuite_email_with_known_abuse_web_service_link.yml index e8b8f07159..f3b12b02de 100644 --- a/detections/cloud/gsuite_email_with_known_abuse_web_service_link.yml +++ b/detections/cloud/gsuite_email_with_known_abuse_web_service_link.yml @@ -1,15 +1,18 @@ name: Gsuite Email With Known Abuse Web Service Link id: 8630aa22-042b-11ec-af39-acde48001122 -version: 1 -date: '2021-08-23' +version: 2 +date: '2024-05-11' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This analytics is to detect a gmail containing a link that are known - to be abused by malware or attacker like pastebin, telegram and discord to deliver - malicious payload. This event can encounter some normal email traffic within organization - and external email that normally using this application and services. -data_source: +description: The following analytic detects emails in Gsuite containing links to known + abuse web services such as Pastebin, Telegram, and Discord. It leverages Gsuite + Gmail logs to identify emails with these specific domains in their links. This activity + is significant because these services are commonly used by attackers to deliver + malicious payloads. If confirmed malicious, this could lead to the delivery of malware, + phishing attacks, or other harmful activities, potentially compromising sensitive + information or systems within the organization. +data_source: - G Suite Gmail search: '`gsuite_gmail` "link_domain{}" IN ("*pastebin.com*", "*discord*", "*telegram*","t.me") | rex field=source.from_header_address "[^@]+@(?[^@]+)" | rex field=destination{}.address @@ -56,6 +59,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/gsuite_susp_url/gsuite_susp_url.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/gsuite_susp_url/gsuite_susp_url.log source: http:gsuite sourcetype: gsuite:gmail:bigquery diff --git a/detections/cloud/gsuite_outbound_email_with_attachment_to_external_domain.yml b/detections/cloud/gsuite_outbound_email_with_attachment_to_external_domain.yml index 9cc122c01e..8a4a5f238e 100644 --- a/detections/cloud/gsuite_outbound_email_with_attachment_to_external_domain.yml +++ b/detections/cloud/gsuite_outbound_email_with_attachment_to_external_domain.yml @@ -1,15 +1,18 @@ name: Gsuite Outbound Email With Attachment To External Domain id: dc4dc3a8-ff54-11eb-8bf7-acde48001122 -version: 2 -date: '2024-03-25' +version: 3 +date: '2024-05-10' author: Teoderick Contreras, Stanislav Miskovic, Splunk status: production type: Hunting -description: This search is to detect a suspicious outbound e-mail from internal email - to external email domain. This can be a good hunting query to monitor insider or - outbound email traffic for not common domain e-mail. The idea is to parse the domain - of destination email check if there is a minimum outbound traffic < 20 with attachment. -data_source: +description: The following analytic detects outbound emails with attachments sent + from an internal email domain to an external domain. It leverages Gsuite Gmail logs, + parsing the source and destination email domains, and flags emails with fewer than + 20 outbound instances. This activity is significant as it may indicate potential + data exfiltration or insider threats. If confirmed malicious, an attacker could + use this method to exfiltrate sensitive information, leading to data breaches and + compliance violations. +data_source: - G Suite Gmail search: '`gsuite_gmail` num_message_attachments > 0 | rex field=source.from_header_address "[^@]+@(?[^@]+)" | rex field=destination{}.address "[^@]+@(?[^@]+)" @@ -56,14 +59,15 @@ tags: - source.from_header_address - destination.address - num_message_attachments - - dest_domain - - phase + - dest_domain + - phase - severity risk_score: 9 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/gsuite_outbound_email_to_external/gsuite_external_domain.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/gsuite_outbound_email_to_external/gsuite_external_domain.log source: http:gsuite sourcetype: gsuite:gmail:bigquery diff --git a/detections/cloud/gsuite_suspicious_shared_file_name.yml b/detections/cloud/gsuite_suspicious_shared_file_name.yml index abf04000d8..00d9aecf1a 100644 --- a/detections/cloud/gsuite_suspicious_shared_file_name.yml +++ b/detections/cloud/gsuite_suspicious_shared_file_name.yml @@ -1,17 +1,18 @@ name: Gsuite Suspicious Shared File Name id: 07eed200-03f5-11ec-98fb-acde48001122 -version: 1 -date: '2021-08-23' +version: 2 +date: '2024-05-14' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This search is to detect a shared file in google drive with suspicious - file name that are commonly used by spear phishing campaign. This technique is very - popular to lure the user by running a malicious document or click a malicious link - within the shared file that will redirected to malicious website. This detection - can also catch some normal email communication between organization and its external - customer. -data_source: +description: The following analytic detects shared files in Google Drive with suspicious + filenames commonly used in spear phishing campaigns. It leverages GSuite Drive logs + to identify documents with titles that include keywords like "dhl," "ups," "invoice," + and "shipment." This activity is significant because such filenames are often used + to lure users into opening malicious documents or clicking harmful links. If confirmed + malicious, this activity could lead to unauthorized access, data theft, or further + compromise of the user's system. +data_source: - G Suite Drive search: '`gsuite_drive` parameters.owner_is_team_drive=false "parameters.doc_title" IN ("*dhl*", "* ups *", "*delivery*", "*parcel*", "*label*", "*invoice*", "*postal*", @@ -71,6 +72,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/gdrive_susp_file_share/gdrive_susp_attach.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/gdrive_susp_file_share/gdrive_susp_attach.log source: http:gsuite sourcetype: gsuite:drive:json diff --git a/detections/cloud/high_number_of_login_failures_from_a_single_source.yml b/detections/cloud/high_number_of_login_failures_from_a_single_source.yml index deb1ad386c..ed4ccbb777 100644 --- a/detections/cloud/high_number_of_login_failures_from_a_single_source.yml +++ b/detections/cloud/high_number_of_login_failures_from_a_single_source.yml @@ -1,20 +1,31 @@ name: High Number of Login Failures from a single source id: 7f398cfb-918d-41f4-8db8-2e2474e02222 -version: 2 -date: '2020-12-16' +version: 3 +date: '2024-05-25' author: Bhavin Patel, Mauricio Velazco, Splunk status: production type: Anomaly -description: This analytic detects multiple failed login attempts in Office365 Azure Active Directory from a single source IP address. Specifically, it identifies scenarios where there are more than 10 unsuccessful login attempts within a short time frame. The detection leverages Office365 management activity logs, specifically the AzureActiveDirectoryStsLogon records from the AzureActiveDirectory workload. It aggregates these logs in 5-minute intervals to count the number of failed login attempts and associates them with the originating source IP address. Multiple failed login attempts from a single source can be indicative of brute-force attacks, password spraying, or other malicious authentication attempts. Identifying and responding to these patterns promptly can prevent unauthorized access and potential breaches. If this detection represents a true positive, an attacker might be attempting to gain unauthorized access to an Office365 account. Successful compromise could lead to unauthorized access to sensitive data, potential lateral movement within the organization, or further malicious activities using the compromised account. -data_source: +description: The following analytic detects multiple failed login attempts in Office365 + Azure Active Directory from a single source IP address. It leverages Office365 management + activity logs, specifically AzureActiveDirectoryStsLogon records, aggregating these + logs in 5-minute intervals to count failed login attempts. This activity is significant + as it may indicate brute-force attacks or password spraying, which are critical + to monitor. If confirmed malicious, an attacker could gain unauthorized access to + Office365 accounts, leading to potential data breaches, lateral movement within + the organization, or further malicious activities using the compromised account. +data_source: - O365 UserLoginFailed -search: '`o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoginFailed record_type=AzureActiveDirectoryStsLogon - | bucket span=5m _time - | stats dc(_raw) AS failed_attempts values(user) as user values(LogonError) as LogonError values(signature) as signature values(UserAgent) as UserAgent by _time, src_ip - | where failed_attempts > 10 - | `high_number_of_login_failures_from_a_single_source_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. Adjust the threshold value to suit the specific environment, as environments with naturally higher login failures might generate false positives at a lower threshold. -known_false_positives: An Ip address with more than 10 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application. +search: '`o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoginFailed + record_type=AzureActiveDirectoryStsLogon | bucket span=5m _time | stats dc(_raw) + AS failed_attempts values(user) as user values(LogonError) as LogonError values(signature) + as signature values(UserAgent) as UserAgent by _time, src_ip | where failed_attempts + > 10 | `high_number_of_login_failures_from_a_single_source_filter`' +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. Adjust the threshold value to suit the specific + environment, as environments with naturally higher login failures might generate + false positives at a lower threshold. +known_false_positives: An Ip address with more than 10 failed authentication attempts + in the span of 5 minutes may also be triggered by a broken application. references: - https://attack.mitre.org/techniques/T1110/001/ - https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray @@ -60,6 +71,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/o365_high_number_authentications_for_user/o365_high_number_authentications_for_user.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/o365_high_number_authentications_for_user/o365_high_number_authentications_for_user.log source: o365 - sourcetype: o365:management:activity \ No newline at end of file + sourcetype: o365:management:activity diff --git a/detections/cloud/kubernetes_abuse_of_secret_by_unusual_location.yml b/detections/cloud/kubernetes_abuse_of_secret_by_unusual_location.yml index 0a0747decb..d012c1e6ef 100644 --- a/detections/cloud/kubernetes_abuse_of_secret_by_unusual_location.yml +++ b/detections/cloud/kubernetes_abuse_of_secret_by_unusual_location.yml @@ -1,17 +1,19 @@ name: Kubernetes Abuse of Secret by Unusual Location id: 40a064c1-4ec1-4381-9e35-61192ba8ef82 -version: 1 -date: '2023-12-06' +version: 2 +date: '2024-05-11' author: Patrick Bareiss, Splunk status: production type: Anomaly -description: 'The following analytic detects unauthorized access or misuse of Kubernetes Secrets from unusual locations. - It identifies anomalies in access patterns by segmenting and analyzing the source of requests by country. - Kubernetes Secrets, which store sensitive information like passwords, OAuth tokens, and SSH keys, are critical assets, - and their misuse can lead to significant security breaches. This behavior is worth identifying for a SOC as it could indicate - an attacker attempting to exfiltrate or misuse these secrets. The impact of such an attack could be severe, - potentially leading to unauthorized access to sensitive systems or data.' -data_source: +description: 'The following analytic detects unauthorized access or misuse of Kubernetes + Secrets from unusual locations. It leverages Kubernetes Audit logs to identify anomalies + in access patterns by analyzing the source of requests by country. This activity + is significant for a SOC as Kubernetes Secrets store sensitive information like + passwords, OAuth tokens, and SSH keys, making them critical assets. If confirmed + malicious, this behavior could indicate an attacker attempting to exfiltrate or + misuse these secrets, potentially leading to unauthorized access to sensitive systems + or data.' +data_source: - Kubernetes Audit search: '`kube_audit` objectRef.resource=secrets verb=get | iplocation sourceIPs{} @@ -19,7 +21,7 @@ search: '`kube_audit` objectRef.resource=secrets verb=get | search NOT `kube_allowed_locations` | stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} user.uid user.username userAgent verb City Country | rename sourceIPs{} as src_ip, user.username as user - | `kubernetes_abuse_of_secret_by_unusual_location_filter` ' + | `kubernetes_abuse_of_secret_by_unusual_location_filter`' how_to_implement: The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. @@ -33,7 +35,8 @@ tags: asset_type: Kubernetes confidence: 70 impact: 70 - message: Access of Kubernetes secret $objectRef.name$ from unusual location $Country$ by $user$ + message: Access of Kubernetes secret $objectRef.name$ from unusual location $Country$ + by $user$ mitre_attack_id: - T1552.007 observable: @@ -69,6 +72,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.007/kube_audit_get_secret/kube_audit_get_secret.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.007/kube_audit_get_secret/kube_audit_get_secret.json sourcetype: _json source: kubernetes diff --git a/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_agent.yml b/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_agent.yml index ba5bee52b3..e26121f0c5 100644 --- a/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_agent.yml +++ b/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_agent.yml @@ -1,24 +1,26 @@ name: Kubernetes Abuse of Secret by Unusual User Agent id: 096ab390-05ca-462c-884e-343acd5b9240 -version: 1 -date: '2023-12-06' +version: 2 +date: '2024-05-22' author: Patrick Bareiss, Splunk status: production type: Anomaly -description: 'The following analytic detects unauthorized access or misuse of Kubernetes Secrets by unusual user agents. - It identifies anomalies in access patterns by segmenting and analyzing the source of requests by user agent. - Kubernetes Secrets, which store sensitive information like passwords, OAuth tokens, and SSH keys, are critical assets, - and their misuse can lead to significant security breaches. This behavior is worth identifying for a SOC as it could indicate - an attacker attempting to exfiltrate or misuse these secrets. The impact of such an attack could be severe, - potentially leading to unauthorized access to sensitive systems or data.' -data_source: +description: 'The following analytic detects unauthorized access or misuse of Kubernetes + Secrets by unusual user agents. It leverages Kubernetes Audit logs to identify anomalies + in access patterns by analyzing the source of requests based on user agents. This + activity is significant for a SOC because Kubernetes Secrets store sensitive information + like passwords, OAuth tokens, and SSH keys, making them critical assets. If confirmed + malicious, this activity could lead to unauthorized access to sensitive systems + or data, potentially resulting in significant security breaches and exfiltration + of critical information.' +data_source: - Kubernetes Audit search: '`kube_audit` objectRef.resource=secrets verb=get | search NOT `kube_allowed_user_agents` | fillnull | stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} user.uid user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user - | `kubernetes_abuse_of_secret_by_unusual_user_agent_filter` ' + | `kubernetes_abuse_of_secret_by_unusual_user_agent_filter`' how_to_implement: The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. @@ -32,7 +34,8 @@ tags: asset_type: Kubernetes confidence: 70 impact: 70 - message: Access of Kubernetes secret $objectRef.name$ from unusual user agent $userAgent$ by $user$ + message: Access of Kubernetes secret $objectRef.name$ from unusual user agent $userAgent$ + by $user$ mitre_attack_id: - T1552.007 observable: @@ -68,6 +71,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.007/kube_audit_get_secret/kube_audit_get_secret.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.007/kube_audit_get_secret/kube_audit_get_secret.json sourcetype: _json source: kubernetes diff --git a/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_group.yml b/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_group.yml index b4626fffee..6d81b53ba3 100644 --- a/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_group.yml +++ b/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_group.yml @@ -1,24 +1,25 @@ name: Kubernetes Abuse of Secret by Unusual User Group id: b6f45bbc-4ea9-4068-b3bc-0477f6997ae2 -version: 1 -date: '2023-12-06' +version: 2 +date: '2024-05-25' author: Patrick Bareiss, Splunk status: production type: Anomaly -description: 'The following analytic detects unauthorized access or misuse of Kubernetes Secrets by unusual user groups. - It identifies anomalies in access patterns by segmenting and analyzing the source of requests by user group. - Kubernetes Secrets, which store sensitive information like passwords, OAuth tokens, and SSH keys, are critical assets, - and their misuse can lead to significant security breaches. This behavior is worth identifying for a SOC as it could indicate - an attacker attempting to exfiltrate or misuse these secrets. The impact of such an attack could be severe, - potentially leading to unauthorized access to sensitive systems or data.' -data_source: +description: 'The following analytic detects unauthorized access or misuse of Kubernetes + Secrets by unusual user groups. It leverages Kubernetes Audit logs to identify anomalies + in access patterns by analyzing the source of requests and user groups. This activity + is significant for a SOC as Kubernetes Secrets store sensitive information like + passwords, OAuth tokens, and SSH keys. If confirmed malicious, this behavior could + indicate an attacker attempting to exfiltrate or misuse these secrets, potentially + leading to unauthorized access to sensitive systems or data.' +data_source: - Kubernetes Audit search: '`kube_audit` objectRef.resource=secrets verb=get | search NOT `kube_allowed_user_groups` | fillnull | stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} user.uid user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user - | `kubernetes_abuse_of_secret_by_unusual_user_group_filter` ' + | `kubernetes_abuse_of_secret_by_unusual_user_group_filter`' how_to_implement: The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. @@ -32,7 +33,8 @@ tags: asset_type: Kubernetes confidence: 70 impact: 70 - message: Access of Kubernetes secret $objectRef.name$ from unusual user group $user.groups{}$ by user name $user$ + message: Access of Kubernetes secret $objectRef.name$ from unusual user group $user.groups{}$ + by user name $user$ mitre_attack_id: - T1552.007 observable: @@ -68,6 +70,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.007/kube_audit_get_secret/kube_audit_get_secret.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.007/kube_audit_get_secret/kube_audit_get_secret.json sourcetype: _json source: kubernetes diff --git a/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_name.yml b/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_name.yml index 393dc802d0..5b44d1e7f8 100644 --- a/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_name.yml +++ b/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_name.yml @@ -1,24 +1,26 @@ name: Kubernetes Abuse of Secret by Unusual User Name id: df6e9cae-5257-4a34-8f3a-df49fa0f5c46 -version: 1 -date: '2023-12-06' +version: 2 +date: '2024-05-27' author: Patrick Bareiss, Splunk status: production type: Anomaly -description: 'The following analytic detects unauthorized access or misuse of Kubernetes Secrets by unusual user names. - It identifies anomalies in access patterns by segmenting and analyzing the source of requests by user name. - Kubernetes Secrets, which store sensitive information like passwords, OAuth tokens, and SSH keys, are critical assets, - and their misuse can lead to significant security breaches. This behavior is worth identifying for a SOC as it could indicate - an attacker attempting to exfiltrate or misuse these secrets. The impact of such an attack could be severe, - potentially leading to unauthorized access to sensitive systems or data.' -data_source: +description: 'The following analytic detects unauthorized access or misuse of Kubernetes + Secrets by unusual user names. It leverages Kubernetes Audit logs to identify anomalies + in access patterns by analyzing the source of requests based on user names. This + activity is significant for a SOC as Kubernetes Secrets store sensitive information + like passwords, OAuth tokens, and SSH keys, making them critical assets. If confirmed + malicious, this activity could lead to unauthorized access to sensitive systems + or data, potentially resulting in significant security breaches and exfiltration + of sensitive information.' +data_source: - Kubernetes Audit search: '`kube_audit` objectRef.resource=secrets verb=get | search NOT `kube_allowed_user_names` | fillnull | stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} user.uid user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user - | `kubernetes_abuse_of_secret_by_unusual_user_name_filter` ' + | `kubernetes_abuse_of_secret_by_unusual_user_name_filter`' how_to_implement: The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. @@ -32,7 +34,7 @@ tags: asset_type: Kubernetes confidence: 70 impact: 70 - message: Access of Kubernetes secret $objectRef.name$ from unusual user name $user$ + message: Access of Kubernetes secret $objectRef.name$ from unusual user name $user$ mitre_attack_id: - T1552.007 observable: @@ -68,6 +70,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.007/kube_audit_get_secret/kube_audit_get_secret.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.007/kube_audit_get_secret/kube_audit_get_secret.json sourcetype: _json source: kubernetes diff --git a/detections/cloud/kubernetes_access_scanning.yml b/detections/cloud/kubernetes_access_scanning.yml index 8cdcc54d8b..55e2362f32 100644 --- a/detections/cloud/kubernetes_access_scanning.yml +++ b/detections/cloud/kubernetes_access_scanning.yml @@ -1,16 +1,19 @@ name: Kubernetes Access Scanning id: 2f4abe6d-5991-464d-8216-f90f42999764 -version: 1 -date: '2023-12-07' +version: 2 +date: '2024-05-12' author: Patrick Bareiss, Splunk status: production type: Anomaly -description: 'The following analytic detects potential scanning activities within a Kubernetes environment. - It identifies unauthorized access attempts, probing of public APIs, or attempts to exploit known vulnerabilities. - The analytic detects this behavior by monitoring Kubernetes audit logs for patterns indicative of scanning, such as repeated failed access attempts or unusual API requests. - This behavior is worth identifying for a SOC as it could indicate an attackers preliminary step in an attack, aiming to gather information about the system to find potential vulnerabilities. - The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data.' -data_source: +description: 'The following analytic detects potential scanning activities within + a Kubernetes environment. It identifies unauthorized access attempts, probing of + public APIs, or attempts to exploit known vulnerabilities by monitoring Kubernetes + audit logs for repeated failed access attempts or unusual API requests. This activity + is significant for a SOC as it may indicate an attacker''s preliminary reconnaissance + to gather information about the system. If confirmed malicious, this activity could + lead to unauthorized access to sensitive systems or data, posing a severe security + risk.' +data_source: - Kubernetes Audit search: '`kube_audit` "user.groups{}"="system:unauthenticated" "responseStatus.code"=403 | iplocation sourceIPs{} @@ -18,7 +21,7 @@ search: '`kube_audit` "user.groups{}"="system:unauthenticated" "responseStatus.c by sourceIPs{} Country City | where count > 5 | rename sourceIPs{} as src_ip, user.username as user - | `kubernetes_access_scanning_filter` ' + | `kubernetes_access_scanning_filter`' how_to_implement: The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. @@ -32,7 +35,7 @@ tags: asset_type: Kubernetes confidence: 70 impact: 70 - message: Kubernetes scanning from ip $src_ip$ + message: Kubernetes scanning from ip $src_ip$ mitre_attack_id: - T1046 observable: @@ -65,6 +68,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1046/kubernetes_scanning/kubernetes_scanning.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1046/kubernetes_scanning/kubernetes_scanning.json sourcetype: _json source: kubernetes diff --git a/detections/cloud/kubernetes_anomalous_inbound_network_activity_from_process.yml b/detections/cloud/kubernetes_anomalous_inbound_network_activity_from_process.yml index 700b3cbecd..678f392e81 100644 --- a/detections/cloud/kubernetes_anomalous_inbound_network_activity_from_process.yml +++ b/detections/cloud/kubernetes_anomalous_inbound_network_activity_from_process.yml @@ -1,21 +1,19 @@ name: Kubernetes Anomalous Inbound Network Activity from Process id: 10442d8b-0701-4c25-911d-d67b906e713c -version: 1 -date: '2024-01-10' +version: 2 +date: '2024-05-17' author: Matthew Moore, Splunk status: experimental type: Anomaly -description: 'This detection detects inbound network traffic volume anomalies from processes running within containerised workloads. - Anomalies are provided with context identifying the Kubernetes cluster, the workload name, and the type of anomaly.This detection - leverages Network performance Monitoring metrics harvested using an OTEL collector, and is pulled from Splunk Observability cloud - using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247). This detection compares the tcp.bytes, - tcp.new_sockets, tcp.packets, udp.bytes, udp.packets metrics for destination (receiving) workload process pairs over the last 1 hour, - with the average of those metrics for those pairs over the last 30 days in order to detect any anonymously high inbound network activity. - Anomalies in inbound network traffic may suggest that the container is receiving unexpected or unauthorized data, potentially indicative of a breach, - a vulnerability exploitation attempt, an attempt to overload the service, or propagation of malware. Successful compromise of a containerised - application resulting in the ability to upload data, can result in installation of command and control software or other malware, - data integrity damage, container escape, and further compromise of the environment. Additionally this kind of activity may result in - resource contention, performance degradation and disruption to the normal operation of the environment.' +description: 'The following analytic identifies anomalous inbound network traffic + volumes from processes within containerized workloads. It leverages Network Performance + Monitoring metrics collected via an OTEL collector and pulled from Splunk Observability + Cloud. The detection compares recent metrics (tcp.bytes, tcp.new_sockets, tcp.packets, + udp.bytes, udp.packets) over the last hour with the average over the past 30 days. + This activity is significant as it may indicate unauthorized data reception, potential + breaches, vulnerability exploitation, or malware propagation. If confirmed malicious, + it could lead to command and control installation, data integrity damage, container + escape, and further environment compromise.' data_source: [] search: '| mstats avg(tcp.*) as tcp.* avg(udp.*) as udp.* where `kubernetes_metrics` AND earliest=-1h by k8s.cluster.name dest.workload.name dest.process.name span=10s | eval key=''dest.workload.name'' + ":" + ''dest.process.name'' @@ -36,7 +34,7 @@ search: '| mstats avg(tcp.*) as tcp.* avg(udp.*) as udp.* where `kubernetes_metr | stats count(anomalies) as count values(anomalies) as anomalies by k8s.cluster.name dest.workload.name dest.process.name | where count > 5 | rename k8s.cluster.name as host - | `kubernetes_anomalous_inbound_network_activity_from_process_filter` ' + | `kubernetes_anomalous_inbound_network_activity_from_process_filter`' how_to_implement: 'To gather NPM metrics the Open Telemetry to the Kubernetes Cluster and enable Network Performance Monitoring according to instructions found in Splunk Docs https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup @@ -46,10 +44,6 @@ how_to_implement: 'To gather NPM metrics the Open Telemetry to the Kubernetes Cl * Name sim_npm_metrics_to_metrics_index - * Org ID - - * Signal Flow Program data(''tcp.packets'').publish(label=''A''); data(''tcp.bytes'').publish(label=''B''); data(''tcp.new_sockets'').publish(label=''C''); data(''udp.packets'').publish(label=''D''); data(''udp.bytes'').publish(label=''E'') - * Metric Resolution 10000' known_false_positives: unknown references: @@ -60,7 +54,8 @@ tags: asset_type: Kubernetes confidence: 50 impact: 50 - message: Kubernetes Anomalous Inbound Network Activity from Process in kubernetes cluster $host$ + message: Kubernetes Anomalous Inbound Network Activity from Process in kubernetes + cluster $host$ mitre_attack_id: - T1204 observable: @@ -75,8 +70,8 @@ tags: required_fields: - tcp.* - udp.* - - k8s.cluster.name + - k8s.cluster.name - dest.process.name - - dest.workload.name + - dest.workload.name risk_score: 25 security_domain: network diff --git a/detections/cloud/kubernetes_anomalous_inbound_outbound_network_io.yml b/detections/cloud/kubernetes_anomalous_inbound_outbound_network_io.yml index 4a4e95fc43..36e40b25e4 100644 --- a/detections/cloud/kubernetes_anomalous_inbound_outbound_network_io.yml +++ b/detections/cloud/kubernetes_anomalous_inbound_outbound_network_io.yml @@ -1,17 +1,18 @@ name: Kubernetes Anomalous Inbound Outbound Network IO id: 4f3b0c97-657e-4547-a89a-9a50c656e3cd -version: 1 -date: '2023-12-19' +version: 2 +date: '2024-05-13' author: Matthew Moore, Splunk status: experimental type: Anomaly -description: This analytic identifies high Inbound or Outbound Network IO anomalies in a Kubernetes container. - It uses process metrics from an OTEL collector and Kubelet Stats Receiver, and data from Splunk Observability cloud via the Splunk Infrastructure Monitoring Add-on. - A lookup table containing average and standard deviation for network IO is used to evaluate anomalies for each container. - An event is generated if the anomaly persists over a 1 hour period. These anomalies may indicate security threats such as data exfiltration, - command and control communication, service disruptions, or unauthorized data transfers. They can compromise the confidentiality, availability, - and integrity of applications and data, necessitating rapid detection and response. Anomalous network utilization may suggest a compromised container, - potentially leading to data breaches, service outages, financial losses, and reputational damage. +description: The following analytic identifies high inbound or outbound network I/O + anomalies in Kubernetes containers. It leverages process metrics from an OTEL collector + and Kubelet Stats Receiver, along with data from Splunk Observability Cloud. A lookup + table with average and standard deviation values for network I/O is used to detect + anomalies persisting over a 1-hour period. This activity is significant as it may + indicate data exfiltration, command and control communication, or unauthorized data + transfers. If confirmed malicious, it could lead to data breaches, service outages, + financial losses, and reputational damage. data_source: [] search: '| mstats avg(k8s.pod.network.io) as io where `kubernetes_metrics` by k8s.cluster.name k8s.pod.name k8s.node.name direction span=10s | eval service = replace(''k8s.pod.name'', "-\w{5}$$|-[abcdef0-9]{8,10}-\w{5}$$", "") @@ -31,29 +32,37 @@ search: '| mstats avg(k8s.pod.network.io) as io where `kubernetes_metrics` by k8 | rename service as k8s.service | where count > 5 | rename k8s.node.name as host - | `kubernetes_anomalous_inbound_outbound_network_traffic_io_filter` ' + | `kubernetes_anomalous_inbound_outbound_network_io_filter`' how_to_implement: 'To implement this detection, follow these steps: * Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster. - + * Enable the hostmetrics/process receiver in the OTEL configuration. - - * Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled. - + + * Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, + are enabled. + * Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247) - - * Configure the SIM add-on with your Observability Cloud Organization ID and Access Token. - + + * Configure the SIM add-on with your Observability Cloud Organization ID and Access + Token. + * Set up the SIM modular input to ingest Process Metrics. Name this input "sim_process_metrics_to_metrics_index". - - * In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID. - - * Set the Signal Flow Program to the following: data(''process.threads'').publish(label=''A''); data(''process.cpu.utilization'').publish(label=''B''); data(''process.cpu.time'').publish(label=''C''); data(''process.disk.io'').publish(label=''D''); data(''process.memory.usage'').publish(label=''E''); data(''process.memory.virtual'').publish(label=''F''); data(''process.memory.utilization'').publish(label=''G''); data(''process.cpu.utilization'').publish(label=''H''); data(''process.disk.operations'').publish(label=''I''); data(''process.handles'').publish(label=''J''); data(''process.threads'').publish(label=''K'') - + + * In the SIM configuration, set the Organization ID to your Observability Cloud + Organization ID. + + * Set the Signal Flow Program to the following: data(''process.threads'').publish(label=''A''); + data(''process.cpu.utilization'').publish(label=''B''); data(''process.cpu.time'').publish(label=''C''); + data(''process.disk.io'').publish(label=''D''); data(''process.memory.usage'').publish(label=''E''); + data(''process.memory.virtual'').publish(label=''F''); data(''process.memory.utilization'').publish(label=''G''); + data(''process.cpu.utilization'').publish(label=''H''); data(''process.disk.operations'').publish(label=''I''); + data(''process.handles'').publish(label=''J''); data(''process.threads'').publish(label=''K'') + * Set the Metric Resolution to 10000. - + * Leave all other settings at their default values. - + * Run the Search Baseline Of Kubernetes Container Network IO Ratio ' known_false_positives: unknown references: @@ -64,7 +73,8 @@ tags: asset_type: Kubernetes confidence: 50 impact: 50 - message: Kubernetes Anomalous Inbound Outbound Network IO from container on host $host$ + message: Kubernetes Anomalous Inbound Outbound Network IO from container on host + $host$ mitre_attack_id: - T1204 observable: @@ -79,8 +89,8 @@ tags: required_fields: - k8s.pod.network.io - direction - - k8s.cluster.name - - k8s.node.name + - k8s.cluster.name + - k8s.node.name - k8s.pod.name risk_score: 25 security_domain: network diff --git a/detections/cloud/kubernetes_anomalous_inbound_to_outbound_network_io_ratio.yml b/detections/cloud/kubernetes_anomalous_inbound_to_outbound_network_io_ratio.yml index 66d5bb3f25..a115c50b9f 100644 --- a/detections/cloud/kubernetes_anomalous_inbound_to_outbound_network_io_ratio.yml +++ b/detections/cloud/kubernetes_anomalous_inbound_to_outbound_network_io_ratio.yml @@ -1,16 +1,19 @@ name: Kubernetes Anomalous Inbound to Outbound Network IO Ratio id: 9d8f6e3f-39df-46d8-a9d4-96173edc501f -version: 1 -date: '2023-12-19' +version: 2 +date: '2024-05-26' author: Matthew Moore, Splunk status: experimental type: Anomaly -description: This analytic identifies changes in network communication behavior in a Kubernetes container by examining inbound to outbound network IO ratios. - It uses process metrics from an OTEL collector and Kubelet Stats Receiver, and data from Splunk Observability cloud via the Splunk Infrastructure Monitoring Add-on. - A lookup table containing average and standard deviation for network IO is used to evaluate anomalies for each container. - An event is generated if the anomaly persists over a 1 hour period. These anomalies may indicate security threats such as data exfiltration, command and control communication, - or compromised container behavior. They can compromise the confidentiality, availability, and integrity of applications and data, necessitating rapid detection and response. - Anomalous network utilization may suggest a compromised container, potentially leading to data breaches, service outages, and unauthorized access within the Kubernetes cluster. +description: The following analytic identifies significant changes in network communication + behavior within Kubernetes containers by examining the inbound to outbound network + IO ratios. It leverages process metrics from an OTEL collector and Kubelet Stats + Receiver, along with data from Splunk Observability Cloud. Anomalies are detected + using a lookup table containing average and standard deviation values for network + IO, triggering an event if the anomaly persists for over an hour. This activity + is significant as it may indicate data exfiltration, command and control communication, + or compromised container behavior. If confirmed malicious, it could lead to data + breaches, service outages, and unauthorized access within the Kubernetes cluster. data_source: [] search: '| mstats avg(k8s.pod.network.io) as io where `kubernetes_metrics` by k8s.cluster.name k8s.pod.name k8s.node.name direction span=10s | eval service = replace(''k8s.pod.name'', "-\w{5}$|-[abcdef0-9]{8,10}-\w{5}$", "") @@ -33,29 +36,37 @@ search: '| mstats avg(k8s.pod.network.io) as io where `kubernetes_metrics` by k8 | rename service as k8s.service | where count > 5 | rename k8s.node.name as host - | `kubernetes_anomalous_inbound_to_outbound_network_io_ratio_filter` ' + | `kubernetes_anomalous_inbound_to_outbound_network_io_ratio_filter`' how_to_implement: 'To implement this detection, follow these steps: * Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster. - + * Enable the hostmetrics/process receiver in the OTEL configuration. - - * Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled. - + + * Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, + are enabled. + * Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247) - - * Configure the SIM add-on with your Observability Cloud Organization ID and Access Token. - + + * Configure the SIM add-on with your Observability Cloud Organization ID and Access + Token. + * Set up the SIM modular input to ingest Process Metrics. Name this input "sim_process_metrics_to_metrics_index". - - * In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID. - - * Set the Signal Flow Program to the following: data(''process.threads'').publish(label=''A''); data(''process.cpu.utilization'').publish(label=''B''); data(''process.cpu.time'').publish(label=''C''); data(''process.disk.io'').publish(label=''D''); data(''process.memory.usage'').publish(label=''E''); data(''process.memory.virtual'').publish(label=''F''); data(''process.memory.utilization'').publish(label=''G''); data(''process.cpu.utilization'').publish(label=''H''); data(''process.disk.operations'').publish(label=''I''); data(''process.handles'').publish(label=''J''); data(''process.threads'').publish(label=''K'') - + + * In the SIM configuration, set the Organization ID to your Observability Cloud + Organization ID. + + * Set the Signal Flow Program to the following: data(''process.threads'').publish(label=''A''); + data(''process.cpu.utilization'').publish(label=''B''); data(''process.cpu.time'').publish(label=''C''); + data(''process.disk.io'').publish(label=''D''); data(''process.memory.usage'').publish(label=''E''); + data(''process.memory.virtual'').publish(label=''F''); data(''process.memory.utilization'').publish(label=''G''); + data(''process.cpu.utilization'').publish(label=''H''); data(''process.disk.operations'').publish(label=''I''); + data(''process.handles'').publish(label=''J''); data(''process.threads'').publish(label=''K'') + * Set the Metric Resolution to 10000. - + * Leave all other settings at their default values. - + * Run the Search Baseline Of Kubernetes Container Network IO Ratio ' known_false_positives: unknown references: @@ -66,7 +77,8 @@ tags: asset_type: Kubernetes confidence: 50 impact: 50 - message: Kubernetes Anomalous Inbound to Outbound Network IO Ratio from Container on host $host$ + message: Kubernetes Anomalous Inbound to Outbound Network IO Ratio from Container + on host $host$ mitre_attack_id: - T1204 observable: @@ -81,8 +93,8 @@ tags: required_fields: - k8s.pod.network.io - direction - - k8s.cluster.name - - k8s.node.name + - k8s.cluster.name + - k8s.node.name - k8s.pod.name risk_score: 25 security_domain: network diff --git a/detections/cloud/kubernetes_anomalous_outbound_network_activity_from_process.yml b/detections/cloud/kubernetes_anomalous_outbound_network_activity_from_process.yml index f71a6800fc..bfc7974b65 100644 --- a/detections/cloud/kubernetes_anomalous_outbound_network_activity_from_process.yml +++ b/detections/cloud/kubernetes_anomalous_outbound_network_activity_from_process.yml @@ -1,20 +1,19 @@ name: Kubernetes Anomalous Outbound Network Activity from Process id: dd6afee6-e0a3-4028-a089-f47dd2842c22 -version: 1 -date: '2024-01-10' +version: 2 +date: '2024-05-25' author: Matthew Moore, Splunk status: experimental type: Anomaly -description: 'This detection detects outbound network traffic volume anomalies from processes running within containerised workloads. - Anomalies are provided with context identifying the Kubernetes cluster, the workload name, and the type of anomaly. This detection - leverages Network performance Monitoring metrics harvested using an OTEL collector, and is pulled from Splunk Observability cloud - using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247). This detection compares the tcp.bytes, - tcp.new_sockets, tcp.packets, udp.bytes, udp.packets metrics for source (transmitting) workload process pairs over the last 1 hout, - with the average of those metrics for those pairs over the last 30 days in order to detect any anonymously high outbound network activity. - Anonymously high outbound network traffic from a process running in a container is a potential indication of data exfiltration, or an indication that the process has been modified. - Anomalously high outbound network activity from a process running within a container suggests the potential compromise, which may lead to unauthorized data exfiltration, - communication with malicious entities, or the propagation of malware to external systems. The compromised container could also serve as a pivot point - for further attacks within the containerized environment.' +description: 'The following analytic identifies anomalously high outbound network + activity from processes running within containerized workloads in a Kubernetes environment. + It leverages Network Performance Monitoring metrics collected via an OTEL collector + and pulled from Splunk Observability Cloud. The detection compares recent network + metrics (tcp.bytes, tcp.new_sockets, tcp.packets, udp.bytes, udp.packets) over the + last hour with the average metrics over the past 30 days. This activity is significant + as it may indicate data exfiltration, process modification, or container compromise. + If confirmed malicious, it could lead to unauthorized data exfiltration, communication + with malicious entities, or further attacks within the containerized environment.' data_source: [] search: '| mstats avg(tcp.*) as tcp.* avg(udp.*) as udp.* where `kubernetes_metrics` AND earliest=-1h by k8s.cluster.name source.workload.name source.process.name span=10s | eval key=''source.workload.name'' + ":" + ''source.process.name'' @@ -35,7 +34,7 @@ search: '| mstats avg(tcp.*) as tcp.* avg(udp.*) as udp.* where `kubernetes_metr | stats count(anomalies) as count values(anomalies) as anomalies by k8s.cluster.name source.workload.name source.process.name | where count > 5 | rename k8s.cluster.name as host - | `kubernetes_anomalous_outbound_network_activity_from_process_filter` ' + | `kubernetes_anomalous_outbound_network_activity_from_process_filter`' how_to_implement: 'To gather NPM metrics the Open Telemetry to the Kubernetes Cluster and enable Network Performance Monitoring according to instructions found in Splunk Docs https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup @@ -45,10 +44,6 @@ how_to_implement: 'To gather NPM metrics the Open Telemetry to the Kubernetes Cl * Name sim_npm_metrics_to_metrics_index - * Org ID - - * Signal Flow Program data(''tcp.packets'').publish(label=''A''); data(''tcp.bytes'').publish(label=''B''); data(''tcp.new_sockets'').publish(label=''C''); data(''udp.packets'').publish(label=''D''); data(''udp.bytes'').publish(label=''E'') - * Metric Resolution 10000' known_false_positives: unknown references: @@ -59,7 +54,8 @@ tags: asset_type: Kubernetes confidence: 50 impact: 50 - message: Kubernetes Anomalous Outbound Network Activity from Process in kubernetes cluster $host$ + message: Kubernetes Anomalous Outbound Network Activity from Process in kubernetes + cluster $host$ mitre_attack_id: - T1204 observable: @@ -74,9 +70,9 @@ tags: required_fields: - tcp.* - udp.* - - k8s.cluster.name - - source.workload.name - - dest.workload.name + - k8s.cluster.name + - source.workload.name + - dest.workload.name - udp.packets risk_score: 25 security_domain: network diff --git a/detections/cloud/kubernetes_anomalous_traffic_on_network_edge.yml b/detections/cloud/kubernetes_anomalous_traffic_on_network_edge.yml index 23aaaf673b..8d7a99c3bd 100644 --- a/detections/cloud/kubernetes_anomalous_traffic_on_network_edge.yml +++ b/detections/cloud/kubernetes_anomalous_traffic_on_network_edge.yml @@ -1,15 +1,19 @@ name: Kubernetes Anomalous Traffic on Network Edge id: 886c7e51-2ea1-425d-8705-faaca5a64cc6 -version: 1 -date: '2024-01-10' +version: 2 +date: '2024-05-24' author: Matthew Moore, Splunk status: experimental type: Anomaly -description: 'This detection detects network traffic volume anomalies between workloads in a microservices hosted application, or between a workload and the outside world if the workload is shown as (unknown). - This detection leverages Network performance Monitoring metrics harvested using an OTEL collector, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on (https://splunkbase.splunk.com/app/5247). - This detection compares the tcp.bytes, tcp.new_sockets, tcp.packets, udp.bytes, udp.packets metrics between workloads over the last 1 hour, with the average of those metrics over the last 30 days in order - to detect any anonymously high inbound or outbound network activity. Unexpected spikes in network traffic may signify unauthorized data transfers, or abnormal behavior within the microservices ecosystem. - Such activity might signify data exfiltration, unauthorized lateral movement, within the microservices environment. If a bad actor is responsible for this traffic they could compromise additional services or extract sensitive data, potentially leading to data breaches.' +description: 'The following analytic identifies anomalous network traffic volumes + between Kubernetes workloads or between a workload and external sources. It leverages + Network Performance Monitoring metrics collected via an OTEL collector and pulled + from Splunk Observability Cloud. The detection compares recent network metrics (tcp.bytes, + tcp.new_sockets, tcp.packets, udp.bytes, udp.packets) over the last hour with the + average over the past 30 days to identify significant deviations. This activity + is significant as unexpected spikes may indicate unauthorized data transfers or + lateral movement. If confirmed malicious, it could lead to data exfiltration or + compromise of additional services, potentially resulting in data breaches.' data_source: [] search: '| mstats avg(tcp.*) as tcp.* avg(udp.*) as udp.* where `kubernetes_metrics` AND earliest=-1h by k8s.cluster.name source.workload.name dest.workload.name span=10s | eval key=''source.workload.name'' + ":" + ''dest.workload.name'' @@ -31,7 +35,7 @@ search: '| mstats avg(tcp.*) as tcp.* avg(udp.*) as udp.* where `kubernetes_metr | rename service as k8s.service | where count > 5 | rename k8s.cluster.name as host - | `kubernetes_anomalous_traffic_on_network_edge_filter` ' + | `kubernetes_anomalous_traffic_on_network_edge_filter`' how_to_implement: 'To gather NPM metrics the Open Telemetry to the Kubernetes Cluster and enable Network Performance Monitoring according to instructions found in Splunk Docs https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup @@ -41,10 +45,6 @@ how_to_implement: 'To gather NPM metrics the Open Telemetry to the Kubernetes Cl * Name sim_npm_metrics_to_metrics_index - * Org ID - - * Signal Flow Program data(''tcp.packets'').publish(label=''A''); data(''tcp.bytes'').publish(label=''B''); data(''tcp.new_sockets'').publish(label=''C''); data(''udp.packets'').publish(label=''D''); data(''udp.bytes'').publish(label=''E'') - * Metric Resolution 10000' known_false_positives: unknown references: @@ -70,9 +70,9 @@ tags: required_fields: - tcp.* - udp.* - - k8s.cluster.name - - source.workload.name - - dest.workload.name + - k8s.cluster.name + - source.workload.name + - dest.workload.name - udp.packets risk_score: 25 security_domain: network diff --git a/detections/cloud/kubernetes_aws_detect_suspicious_kubectl_calls.yml b/detections/cloud/kubernetes_aws_detect_suspicious_kubectl_calls.yml index 1cdaa0841a..2c4d27b19c 100644 --- a/detections/cloud/kubernetes_aws_detect_suspicious_kubectl_calls.yml +++ b/detections/cloud/kubernetes_aws_detect_suspicious_kubectl_calls.yml @@ -1,24 +1,24 @@ name: Kubernetes AWS detect suspicious kubectl calls id: 042a3d32-8318-4763-9679-09db2644a8f2 -version: 2 -date: '2023-12-19' +version: 3 +date: '2024-05-18' author: Rod Soto, Patrick Bareiss, Splunk status: experimental type: Anomaly -description: 'The following analytic detects anonymous and unauthenticated requests to a Kubernetes cluster. - It identifies this behavior by monitoring for API calls from users who have not provided any token or password in their request. - This is a significant behavior to identify for a SOC as it indicates a severe misconfiguration that allows unfettered access to a cluster - with no traceability to a user or service. The impact of such an attack could be substantial, - potentially granting an attacker access to sensitive data or control over the cluster. - This detection rule is crucial for maintaining the security and integrity of your Kubernetes infrastructure.' -data_source: +description: 'The following analytic detects anonymous and unauthenticated requests + to a Kubernetes cluster. It identifies this behavior by monitoring API calls from + users who have not provided any token or password in their request, using data from + `kube_audit` logs. This activity is significant for a SOC as it indicates a severe + misconfiguration, allowing unfettered access to the cluster with no traceability. + If confirmed malicious, an attacker could gain access to sensitive data or control + over the cluster, posing a substantial security risk.' +data_source: - Kubernetes Audit search: '`kube_audit` user.username="system:anonymous" user.groups{} IN ("system:unauthenticated") - | fillnull - | stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI - responseStatus.code sourceIPs{} stage user.groups{} user.uid user.username userAgent verb - | rename sourceIPs{} as src_ip, user.username as user - |`kubernetes_aws_detect_suspicious_kubectl_calls_filter`' + | fillnull | stats count by objectRef.name objectRef.namespace objectRef.resource + requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} + user.uid user.username userAgent verb | rename sourceIPs{} as src_ip, user.username + as user |`kubernetes_aws_detect_suspicious_kubectl_calls_filter`' how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs. known_false_positives: Kubectl calls are not malicious by nature. However source IP, diff --git a/detections/cloud/kubernetes_create_or_update_privileged_pod.yml b/detections/cloud/kubernetes_create_or_update_privileged_pod.yml index 46084ca99c..b9f1be1cba 100644 --- a/detections/cloud/kubernetes_create_or_update_privileged_pod.yml +++ b/detections/cloud/kubernetes_create_or_update_privileged_pod.yml @@ -1,21 +1,25 @@ name: Kubernetes Create or Update Privileged Pod id: 3c6bd734-334d-4818-ae7c-5234313fc5da -version: 1 -date: '2023-12-14' +version: 2 +date: '2024-05-28' author: Patrick Bareiss, Splunk status: production type: Anomaly -description: The following analytic detects the creation of privileged pods in Kubernetes. It identifies this behavior by monitoring Kubernetes Audit logs for the creation of pods with root privileges. - This behavior is worth identifying for a SOC as it could potentially allow an attacker to escalate privileges, exploit the kernel, and gain full access to the host's namespace and devices. - The impact of such an attack could be severe, leading to unauthorized access to sensitive information, data breaches, and service disruptions. -data_source: +description: The following analytic detects the creation or update of privileged pods + in Kubernetes. It identifies this activity by monitoring Kubernetes Audit logs for + pod configurations that include root privileges. This behavior is significant for + a SOC as it could indicate an attempt to escalate privileges, exploit the kernel, + and gain full access to the host's namespace and devices. If confirmed malicious, + this activity could lead to unauthorized access to sensitive information, data breaches, + and service disruptions, posing a severe threat to the environment. +data_source: - Kubernetes Audit search: '`kube_audit` objectRef.resource=pods verb=create OR verb=update requestObject.metadata.annotations.kubectl.kubernetes.io/last-applied-configuration=*\"privileged\":true* | fillnull | stats count values(user.groups{}) as user_groups by kind objectRef.name objectRef.namespace objectRef.resource requestObject.kind responseStatus.code sourceIPs{} stage user.username userAgent verb requestObject.metadata.annotations.kubectl.kubernetes.io/last-applied-configuration | rename sourceIPs{} as src_ip, user.username as user - | `kubernetes_create_or_update_privileged_pod_filter` ' + | `kubernetes_create_or_update_privileged_pod_filter`' how_to_implement: The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. @@ -47,17 +51,17 @@ tags: - Splunk Cloud required_fields: - user.groups{} - - kind - - objectRef.name - - objectRef.namespace - - objectRef.resource - - requestObject.kind - - requestObject.spec.type - - responseStatus.code - - sourceIPs{} - - stage - - user.username - - userAgent + - kind + - objectRef.name + - objectRef.namespace + - objectRef.resource + - requestObject.kind + - requestObject.spec.type + - responseStatus.code + - sourceIPs{} + - stage + - user.username + - userAgent - verb - requestObject.metadata.annotations.kubectl.kubernetes.io/last-applied-configuration risk_score: 49 @@ -65,6 +69,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/kubernetes_privileged_pod/kubernetes_privileged_pod.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/kubernetes_privileged_pod/kubernetes_privileged_pod.json sourcetype: _json source: kubernetes diff --git a/detections/cloud/kubernetes_cron_job_creation.yml b/detections/cloud/kubernetes_cron_job_creation.yml index 533a2e69cf..fd414326bb 100644 --- a/detections/cloud/kubernetes_cron_job_creation.yml +++ b/detections/cloud/kubernetes_cron_job_creation.yml @@ -1,22 +1,25 @@ name: Kubernetes Cron Job Creation id: 5984dbe8-572f-47d7-9251-3dff6c3f0c0d -version: 1 -date: '2023-12-14' +version: 2 +date: '2024-05-28' author: Patrick Bareiss, Splunk status: production type: Anomaly -description: The following analytic detects the creation of a Kubernetes cron job, a task scheduled to run automatically at specified intervals. - It identifies this behavior by monitoring Kubernetes Audit logs for creation of a cron job. - This behavior is worth identifying for a SOC as it could potentially allow an attacker to execute malicious tasks repeatedly and automatically, posing a significant threat to the integrity and security of the Kubernetes infrastructure. - The impact of such an attack could be severe, leading to persistent attacks, service disruptions, or unauthorized access to sensitive information. -data_source: +description: The following analytic detects the creation of a Kubernetes cron job, + which is a task scheduled to run automatically at specified intervals. It identifies + this activity by monitoring Kubernetes Audit logs for the creation events of cron + jobs. This behavior is significant for a SOC as it could allow an attacker to execute + malicious tasks repeatedly and automatically, posing a threat to the Kubernetes + infrastructure. If confirmed malicious, this activity could lead to persistent attacks, + service disruptions, or unauthorized access to sensitive information. +data_source: - Kubernetes Audit search: '`kube_audit` verb=create "objectRef.resource"=cronjobs | fillnull | stats count values(user.groups{}) as user_groups by kind objectRef.name objectRef.namespace objectRef.resource requestObject.kind requestObject.spec.schedule requestObject.spec.jobTemplate.spec.template.spec.containers{}.image responseStatus.code sourceIPs{} stage user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user - | `kubernetes_cron_job_creation_filter` ' + | `kubernetes_cron_job_creation_filter`' how_to_implement: The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. @@ -48,24 +51,25 @@ tags: - Splunk Cloud required_fields: - user.groups{} - - kind - - objectRef.name - - objectRef.namespace - - objectRef.resource - - requestObject.kind - - requestObject.spec.schedule - - requestObject.spec.jobTemplate.spec.template.spec.containers{}.image - - responseStatus.code - - sourceIPs{} - - stage - - user.username - - userAgent + - kind + - objectRef.name + - objectRef.namespace + - objectRef.resource + - requestObject.kind + - requestObject.spec.schedule + - requestObject.spec.jobTemplate.spec.template.spec.containers{}.image + - responseStatus.code + - sourceIPs{} + - stage + - user.username + - userAgent - verb risk_score: 49 security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.007/kubernetes_audit_cron_job_creation/kubernetes_audit_cron_job_creation.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.007/kubernetes_audit_cron_job_creation/kubernetes_audit_cron_job_creation.json sourcetype: _json source: kubernetes diff --git a/detections/cloud/kubernetes_daemonset_deployed.yml b/detections/cloud/kubernetes_daemonset_deployed.yml index d2799724c9..059055675a 100644 --- a/detections/cloud/kubernetes_daemonset_deployed.yml +++ b/detections/cloud/kubernetes_daemonset_deployed.yml @@ -1,23 +1,25 @@ name: Kubernetes DaemonSet Deployed id: bf39c3a3-b191-4d42-8738-9d9797bd0c3a -version: 1 -date: '2023-12-14' +version: 2 +date: '2024-05-16' author: Patrick Bareiss, Splunk status: production type: Anomaly -description: The following analytic detects the creation of a DaemonSet in a Kubernetes cluster. - A DaemonSet ensures the presence of a specific pod on every node in the cluster, making it an ideal avenue for persistent access. - This behavior is identified by monitoring Kubernetes Audit logs for the creation of a DaemonSet. - The identified behavior is worth noting for a SOC as it could potentially allow an attacker to maintain persistent access to the Kubernetes infrastructure. - The impact of such an attack could be severe, leading to persistent attacks, service disruptions, or unauthorized access to sensitive information. -data_source: +description: The following analytic detects the creation of a DaemonSet in a Kubernetes + cluster. This behavior is identified by monitoring Kubernetes Audit logs for the + creation event of a DaemonSet. DaemonSets ensure a specific pod runs on every node, + making them a potential vector for persistent access. This activity is significant + for a SOC as it could indicate an attempt to maintain persistent access to the Kubernetes + infrastructure. If confirmed malicious, it could lead to persistent attacks, service + disruptions, or unauthorized access to sensitive information. +data_source: - Kubernetes Audit search: '`kube_audit` "objectRef.resource"=daemonsets verb=create | fillnull | stats count values(user.groups{}) as user_groups by kind objectRef.name objectRef.namespace objectRef.resource requestObject.kind responseStatus.code sourceIPs{} stage user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user - | `kubernetes_daemonset_deployed_filter` ' + | `kubernetes_daemonset_deployed_filter`' how_to_implement: The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. @@ -49,22 +51,23 @@ tags: - Splunk Cloud required_fields: - user.groups{} - - kind - - objectRef.name - - objectRef.namespace - - objectRef.resource - - requestObject.kind - - responseStatus.code - - sourceIPs{} - - stage - - user.username - - userAgent + - kind + - objectRef.name + - objectRef.namespace + - objectRef.resource + - requestObject.kind + - responseStatus.code + - sourceIPs{} + - stage + - user.username + - userAgent - verb risk_score: 49 security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/kubernetes_audit_daemonset_created/kubernetes_audit_daemonset_created.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/kubernetes_audit_daemonset_created/kubernetes_audit_daemonset_created.json sourcetype: _json source: kubernetes diff --git a/detections/cloud/kubernetes_falco_shell_spawned.yml b/detections/cloud/kubernetes_falco_shell_spawned.yml index 2bbb940e1b..71c85b1554 100644 --- a/detections/cloud/kubernetes_falco_shell_spawned.yml +++ b/detections/cloud/kubernetes_falco_shell_spawned.yml @@ -1,20 +1,24 @@ name: Kubernetes Falco Shell Spawned id: d2feef92-d54a-4a19-8306-b47c6ceba5b2 -version: 1 -date: '2023-12-13' +version: 2 +date: '2024-05-25' author: Patrick Bareiss, Splunk status: production type: Anomaly -description: The following analytic detects instances where a shell is spawned within a Kubernetes container, a behavior often indicative of an attacker gaining unauthorized access. - Leveraging Falco, a cloud-native runtime security tool, this analytic monitors system calls within the Kubernetes environment, flagging when a shell is spawned in a container. - This behavior is worth identifying for a SOC as it could potentially allow an attacker to execute arbitrary commands, manipulate container processes, or escalate privileges, posing a significant threat to the integrity and security of the Kubernetes infrastructure. - The impact of such an attack could be severe, leading to data breaches, service disruptions, or unauthorized access to sensitive information. -data_source: +description: The following analytic detects instances where a shell is spawned within + a Kubernetes container. Leveraging Falco, a cloud-native runtime security tool, + this analytic monitors system calls within the Kubernetes environment and flags + when a shell is spawned. This activity is significant for a SOC as it may indicate + unauthorized access, allowing an attacker to execute arbitrary commands, manipulate + container processes, or escalate privileges. If confirmed malicious, this could + lead to data breaches, service disruptions, or unauthorized access to sensitive + information, severely impacting the Kubernetes infrastructure's integrity and security. +data_source: - Kubernetes Falco search: '`kube_container_falco` "A shell was spawned in a container" | fillnull | stats count by container_image container_image_tag container_name parent proc_exepath process user - | `kubernetes_falco_shell_spawned_filter` ' + | `kubernetes_falco_shell_spawned_filter`' how_to_implement: The detection is based on data that originates from Falco, a cloud native runtime security tool. Falco is designed to detect anomalous activity in your applications and is a crucial component of this detection rule. To implement this detection rule, you need to install and configure Falco in your Kubernetes environment. @@ -42,18 +46,19 @@ tags: - Splunk Enterprise Security - Splunk Cloud required_fields: - - container_image - - container_image_tag - - container_name - - parent - - proc_exepath - - process + - container_image + - container_image_tag + - container_name + - parent + - proc_exepath + - process - user risk_score: 49 security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/kubernetes_falco_shell_spawned/kubernetes_falco_shell_spawned.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/kubernetes_falco_shell_spawned/kubernetes_falco_shell_spawned.log sourcetype: kube:container:falco source: kubernetes diff --git a/detections/cloud/kubernetes_newly_seen_tcp_edge.yml b/detections/cloud/kubernetes_newly_seen_tcp_edge.yml index d047b3d339..2425eaa829 100644 --- a/detections/cloud/kubernetes_newly_seen_tcp_edge.yml +++ b/detections/cloud/kubernetes_newly_seen_tcp_edge.yml @@ -1,19 +1,19 @@ name: Kubernetes newly seen TCP edge id: 13f081d6-7052-428a-bbb0-892c79ca7c65 -version: 1 -date: '2024-01-10' +version: 2 +date: '2024-05-15' author: Matthew Moore, Splunk status: experimental type: Anomaly -description: 'This analytic detects TCP communication between a newly seen source and destination workload pair. - This is done to identify changes in network behavior between workloads in a kubernetes cluster. This detection leverages Network performance Monitoring - metrics harvested using an OTEL collector, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247). - This detection compares network activity between workloads over the last 1 hour, with those over the last 30 days in order to detect newly seen inter workload communication. - Newly seen network connections in a microservices based app indicate a change in behavior which could indicate potential security threats or anomalies. - Distributed applications typically have common established network connection topologies, and new connections are often either an indication of a change in the application or an active threat. - Unauthorized connections may enable the attacker to infiltrate the applications ecosystem, potentially leading to data breaches, manipulation of sensitive information, - or disruption of critical services. Bad actors may exploit these connections to gain access, escalate privileges, move laterally within the microservices, or introduce malicious code or payloads, - putting the applications integrity, availability, and confidentiality at risk.' +description: 'The following analytic identifies newly seen TCP communication between + source and destination workload pairs within a Kubernetes cluster. It leverages + Network Performance Monitoring metrics collected via an OTEL collector and pulled + from Splunk Observability Cloud. The detection compares network activity over the + last hour with the past 30 days to spot new inter-workload communications. This + is significant as new connections can indicate changes in application behavior or + potential security threats. If malicious, unauthorized connections could lead to + data breaches, privilege escalation, lateral movement, or disruption of critical + services, compromising the application''s integrity, availability, and confidentiality.' data_source: [] search: '| mstats count(tcp.packets) as tcp.packets_count where `kubernetes_metrics` AND earliest=-1h by k8s.cluster.name source.workload.name dest.workload.name | eval current="True" @@ -24,7 +24,7 @@ search: '| mstats count(tcp.packets) as tcp.packets_count where `kubernetes_metr | eventstats values(current) as current by source.workload.name dest.workload.name | search current="true" current!="false" | rename k8s.cluster.name as host - | `kubernetes_newly_seen_tcp_edge_filter` ' + | `kubernetes_newly_seen_tcp_edge_filter`' how_to_implement: 'To gather NPM metrics the Open Telemetry to the Kubernetes Cluster and enable Network Performance Monitoring according to instructions found in Splunk Docs https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup @@ -34,10 +34,6 @@ how_to_implement: 'To gather NPM metrics the Open Telemetry to the Kubernetes Cl * Name sim_npm_metrics_to_metrics_index - * Org ID - - * Signal Flow Program data(''tcp.packets'').publish(label=''A''); data(''tcp.bytes'').publish(label=''B''); data(''tcp.new_sockets'').publish(label=''C''); data(''udp.packets'').publish(label=''D''); data(''udp.bytes'').publish(label=''E'') - * Metric Resolution 10000' known_false_positives: unknown references: @@ -61,9 +57,9 @@ tags: - Splunk Enterprise Security - Splunk Cloud required_fields: - - k8s.cluster.name - - source.workload.name - - dest.workload.name + - k8s.cluster.name + - source.workload.name + - dest.workload.name - tcp.packets risk_score: 25 security_domain: network diff --git a/detections/cloud/kubernetes_newly_seen_udp_edge.yml b/detections/cloud/kubernetes_newly_seen_udp_edge.yml index e6803b5f4b..a264bff40e 100644 --- a/detections/cloud/kubernetes_newly_seen_udp_edge.yml +++ b/detections/cloud/kubernetes_newly_seen_udp_edge.yml @@ -1,19 +1,19 @@ name: Kubernetes newly seen UDP edge id: 49b7daca-4e3c-4899-ba15-9a175e056fa9 -version: 1 -date: '2024-01-10' +version: 2 +date: '2024-05-27' author: Matthew Moore, Splunk status: experimental type: Anomaly -description: 'This analytic detects UDP communication between a newly seen source and destination workload pair. - This is done to identify changes in network behavior between workloads in a kubernetes cluster. This detection leverages Network performance Monitoring - metrics harvested using an OTEL collector, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247). - This detection compares network activity between workloads over the last 1 hour, with those over the last 30 days in order to detect newly seen inter workload communication. - Newly seen network connections in a microservices based app indicate a change in behavior which could indicate potential security threats or anomalies. - Distributed applications typically have common established network connection topologies, and new connections are often either an indication of a change in the application or an active threat. - Unauthorized connections may enable the attacker to infiltrate the applications ecosystem, potentially leading to data breaches, manipulation of sensitive information, - or disruption of critical services. Bad actors may exploit these connections to gain access, escalate privileges, move laterally within the microservices, or introduce malicious code or payloads, - putting the applications integrity, availability, and confidentiality at risk.' +description: 'The following analytic detects UDP communication between a newly seen + source and destination workload pair within a Kubernetes cluster. It leverages Network + Performance Monitoring metrics collected via an OTEL collector and pulled from Splunk + Observability Cloud. This detection compares network activity over the last hour + with the past 30 days to identify new inter-workload communication. Such changes + in network behavior can indicate potential security threats or anomalies. If confirmed + malicious, unauthorized connections may enable attackers to infiltrate the application + ecosystem, leading to data breaches, privilege escalation, lateral movement, or + disruption of critical services.' data_source: [] search: '| mstats count(udp.packets) as udp.packets_count where `kubernetes_metrics` AND earliest=-1h by k8s.cluster.name source.workload.name dest.workload.name | eval current="True" @@ -24,7 +24,7 @@ search: '| mstats count(udp.packets) as udp.packets_count where `kubernetes_metr | eventstats values(current) as current by source.workload.name dest.workload.name | search current="true" current!="false" | rename k8s.cluster.name as host - | `kubernetes_newly_seen_udp_edge_filter` ' + | `kubernetes_newly_seen_udp_edge_filter`' how_to_implement: 'To gather NPM metrics the Open Telemetry to the Kubernetes Cluster and enable Network Performance Monitoring according to instructions found in Splunk Docs https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup @@ -34,10 +34,6 @@ how_to_implement: 'To gather NPM metrics the Open Telemetry to the Kubernetes Cl * Name sim_npm_metrics_to_metrics_index - * Org ID - - * Signal Flow Program data(''tcp.packets'').publish(label=''A''); data(''tcp.bytes'').publish(label=''B''); data(''tcp.new_sockets'').publish(label=''C''); data(''udp.packets'').publish(label=''D''); data(''udp.bytes'').publish(label=''E'') - * Metric Resolution 10000' known_false_positives: unknown references: @@ -61,9 +57,9 @@ tags: - Splunk Enterprise Security - Splunk Cloud required_fields: - - k8s.cluster.name - - source.workload.name - - dest.workload.name + - k8s.cluster.name + - source.workload.name + - dest.workload.name - udp.packets risk_score: 25 security_domain: network diff --git a/detections/cloud/kubernetes_node_port_creation.yml b/detections/cloud/kubernetes_node_port_creation.yml index 46689f2eda..513e043486 100644 --- a/detections/cloud/kubernetes_node_port_creation.yml +++ b/detections/cloud/kubernetes_node_port_creation.yml @@ -1,22 +1,25 @@ name: Kubernetes Node Port Creation id: d7fc865e-b8a1-4029-a960-cf4403b821b6 -version: 1 -date: '2023-12-13' +version: 2 +date: '2024-05-12' author: Patrick Bareiss, Splunk status: production type: Anomaly -description: The following analytic detects the creation of a Kubernetes node port service, an action that exposes a service to the external network. - It identifies this behavior by monitoring Kubernetes Audit logs for creation of a Node Port service. - This behavior is worth identifying for a SOC as it could potentially allow an attacker to access internal services, posing a significant threat to the integrity and security of the Kubernetes infrastructure. - The impact of such an attack could be severe, leading to data breaches, service disruptions, or unauthorized access to sensitive information. -data_source: +description: The following analytic detects the creation of a Kubernetes NodePort + service, which exposes a service to the external network. It identifies this activity + by monitoring Kubernetes Audit logs for the creation of NodePort services. This + behavior is significant for a SOC as it could allow an attacker to access internal + services, posing a threat to the Kubernetes infrastructure's integrity and security. + If confirmed malicious, this activity could lead to data breaches, service disruptions, + or unauthorized access to sensitive information. +data_source: - Kubernetes Audit search: '`kube_audit` "objectRef.resource"=services verb=create requestObject.spec.type=NodePort | fillnull | stats count values(user.groups{}) as user_groups by kind objectRef.name objectRef.namespace objectRef.resource requestObject.kind requestObject.spec.type responseStatus.code sourceIPs{} stage user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user - | `kubernetes_node_port_creation_filter` ' + | `kubernetes_node_port_creation_filter`' how_to_implement: The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. @@ -48,23 +51,24 @@ tags: - Splunk Cloud required_fields: - user.groups{} - - kind - - objectRef.name - - objectRef.namespace - - objectRef.resource - - requestObject.kind - - requestObject.spec.type - - responseStatus.code - - sourceIPs{} - - stage - - user.username - - userAgent + - kind + - objectRef.name + - objectRef.namespace + - objectRef.resource + - requestObject.kind + - requestObject.spec.type + - responseStatus.code + - sourceIPs{} + - stage + - user.username + - userAgent - verb risk_score: 49 security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/kube_audit_create_node_port_service/kube_audit_create_node_port_service.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/kube_audit_create_node_port_service/kube_audit_create_node_port_service.json sourcetype: _json source: kubernetes diff --git a/detections/cloud/kubernetes_pod_created_in_default_namespace.yml b/detections/cloud/kubernetes_pod_created_in_default_namespace.yml index 563b602178..c5b94b6782 100644 --- a/detections/cloud/kubernetes_pod_created_in_default_namespace.yml +++ b/detections/cloud/kubernetes_pod_created_in_default_namespace.yml @@ -1,22 +1,24 @@ name: Kubernetes Pod Created in Default Namespace id: 3d6b1a81-367b-42d5-a925-6ef90b6b9f1e -version: 1 -date: '2023-12-19' +version: 2 +date: '2024-05-12' author: Patrick Bareiss, Splunk status: production type: Anomaly -description: The following analytic detects the creation of pods in the default, kube-system, or kube-public namespaces. - It identifies this behavior by monitoring Kubernetes audit logs for pod creation events in these namespaces. - This behavior is worth identifying for a SOC as it may indicate an attacker attempting to hide their presence or evade defenses. - Only administrators should typically create pods in the kube-system namespace, and the default and kube-public namespaces should not be used in production. - The impact of the attack could be significant, as it may indicate a successful cluster breach and ongoing malicious activity. -data_source: +description: The following analytic detects the creation of Kubernetes pods in the + default, kube-system, or kube-public namespaces. It leverages Kubernetes audit logs + to identify pod creation events within these specific namespaces. This activity + is significant for a SOC as it may indicate an attacker attempting to hide their + presence or evade defenses. Unauthorized pod creation in these namespaces can suggest + a successful cluster breach, potentially leading to privilege escalation, persistent + access, or further malicious activities within the cluster. +data_source: - Kubernetes Audit search: '`kube_audit` objectRef.resource=pods verb=create objectRef.namespace IN ("default", "kube-system", "kube-public") | fillnull | stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} user.uid user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user - | `kubernetes_pod_created_in_default_namespace_filter` ' + | `kubernetes_pod_created_in_default_namespace_filter`' how_to_implement: The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. @@ -66,6 +68,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/kubernetes_privileged_pod/kubernetes_privileged_pod.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/kubernetes_privileged_pod/kubernetes_privileged_pod.json sourcetype: _json source: kubernetes diff --git a/detections/cloud/kubernetes_pod_with_host_network_attachment.yml b/detections/cloud/kubernetes_pod_with_host_network_attachment.yml index ba69d98485..763299bf0c 100644 --- a/detections/cloud/kubernetes_pod_with_host_network_attachment.yml +++ b/detections/cloud/kubernetes_pod_with_host_network_attachment.yml @@ -1,21 +1,25 @@ name: Kubernetes Pod With Host Network Attachment id: cce357cf-43a4-494a-814b-67cea90fe990 -version: 1 -date: '2023-12-14' +version: 2 +date: '2024-05-19' author: Patrick Bareiss, Splunk status: production type: Anomaly -description: The following analytic detects the creation of a pod with host network attachment in Kubernetes. It identifies this behavior by monitoring Kubernetes Audit logs for the creation or update of pods with host network configuration. - This behavior is worth identifying for a SOC as it could potentially allow an attacker to listen to all network traffic on the node and other compute on the network namespace, capturing secrets passed in arguments or connections to escalate their privileges. - The impact of such an attack could be severe, leading to unauthorized access to sensitive information, data breaches, and service disruptions. -data_source: +description: The following analytic detects the creation or update of a Kubernetes + pod with host network attachment. It leverages Kubernetes Audit logs to identify + pods configured with host network settings. This activity is significant for a SOC + as it could allow an attacker to monitor all network traffic on the node, potentially + capturing sensitive information and escalating privileges. If confirmed malicious, + this could lead to unauthorized access, data breaches, and service disruptions, + severely impacting the security and integrity of the Kubernetes environment. +data_source: - Kubernetes Audit search: '`kube_audit` objectRef.resource=pods verb=create OR verb=update requestObject.metadata.annotations.kubectl.kubernetes.io/last-applied-configuration=*\"hostNetwork\":true* | fillnull | stats count values(user.groups{}) as user_groups by kind objectRef.name objectRef.namespace objectRef.resource requestObject.kind responseStatus.code sourceIPs{} stage user.username userAgent verb requestObject.metadata.annotations.kubectl.kubernetes.io/last-applied-configuration | rename sourceIPs{} as src_ip, user.username as user - | `kubernetes_pod_with_host_network_attachment_filter` ' + | `kubernetes_pod_with_host_network_attachment_filter`' how_to_implement: The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. @@ -47,17 +51,17 @@ tags: - Splunk Cloud required_fields: - user.groups{} - - kind - - objectRef.name - - objectRef.namespace - - objectRef.resource - - requestObject.kind - - requestObject.spec.type - - responseStatus.code - - sourceIPs{} - - stage - - user.username - - userAgent + - kind + - objectRef.name + - objectRef.namespace + - objectRef.resource + - requestObject.kind + - requestObject.spec.type + - responseStatus.code + - sourceIPs{} + - stage + - user.username + - userAgent - verb - requestObject.metadata.annotations.kubectl.kubernetes.io/last-applied-configuration risk_score: 49 @@ -65,6 +69,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/kubernetes_privileged_pod/kubernetes_privileged_pod.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/kubernetes_privileged_pod/kubernetes_privileged_pod.json sourcetype: _json source: kubernetes diff --git a/detections/cloud/kubernetes_previously_unseen_container_image_name.yml b/detections/cloud/kubernetes_previously_unseen_container_image_name.yml index 32e877c37e..893fa07fce 100644 --- a/detections/cloud/kubernetes_previously_unseen_container_image_name.yml +++ b/detections/cloud/kubernetes_previously_unseen_container_image_name.yml @@ -1,20 +1,19 @@ name: Kubernetes Previously Unseen Container Image Name id: fea515a4-b1d8-4cd6-80d6-e0d71397b891 -version: 1 -date: '2023-12-18' +version: 2 +date: '2024-05-27' author: Matthew Moore, Splunk status: experimental type: Anomaly -description: The following analytic identifies containerised workloads that have been created using a previously unseen image. - This detection leverages process metrics harvested using an OTEL collector and kubernetes cluster receiver, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247). - This detection uses the k8s.container.ready metric to compare the container image names seen in the last 1 hour with those seen in the 30 days prior to those 1 hour, and alerts if a new container image is detected. - When a container in a Kubernetes cluster created using a previously unseen image it raises potential security risks and unknown variables. - Unfamiliar container images could contain vulnerabilities, malware, or misconfigurations that pose threats to the cluster's integrity and the applications it hosts. - The absence of prior knowledge about the image makes it difficult to assess its trustworthiness, track its lineage, or verify its compliance with security policies. - The potential security impact of a container created using a compromised image is significant. Compromised containers can potentially introduce malware, backdoors, - or other malicious code into the containerized application, leading to data breaches, service disruptions, and unauthorized access within the Kubernetes cluster. - A compromised image can serve as a foothold for lateral movement and privilege escalation, potentially compromising other containers, pods, or nodes in the cluster. - Additionally, it may enable the actor to exfiltrate sensitive data, manipulate configurations, or execute arbitrary code, posing risks to the confidentiality, availability, and integrity of applications and data hosted within the cluster +description: The following analytic identifies the creation of containerized workloads + using previously unseen images in a Kubernetes cluster. It leverages process metrics + from an OTEL collector and Kubernetes cluster receiver, pulled from Splunk Observability + Cloud. The detection compares container image names seen in the last hour with those + from the previous 30 days. This activity is significant as unfamiliar container + images may introduce vulnerabilities, malware, or misconfigurations, posing threats + to the cluster's integrity. If confirmed malicious, compromised images can lead + to data breaches, service disruptions, unauthorized access, and potential lateral + movement within the cluster. data_source: [] search: '| mstats count(k8s.container.ready) as k8s.container.ready_count where `kubernetes_metrics` AND earliest=-24h by host.name k8s.cluster.name k8s.node.name container.image.name | eval current="True" @@ -24,29 +23,37 @@ search: '| mstats count(k8s.container.ready) as k8s.container.ready_count where | stats values(current) as current by host.name k8s.cluster.name k8s.node.name container.image.name | search current="true" AND current!="false" | rename host.name as host - | `kubernetes_previously_unseen_container_image_name_filter` ' + | `kubernetes_previously_unseen_container_image_name_filter`' how_to_implement: 'To implement this detection, follow these steps: * Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster. - + * Enable the hostmetrics/process receiver in the OTEL configuration. - - * Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled. - + + * Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, + are enabled. + * Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247) - - * Configure the SIM add-on with your Observability Cloud Organization ID and Access Token. - + + * Configure the SIM add-on with your Observability Cloud Organization ID and Access + Token. + * Set up the SIM modular input to ingest Process Metrics. Name this input "sim_process_metrics_to_metrics_index". - - * In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID. - - * Set the Signal Flow Program to the following: data(''process.threads'').publish(label=''A''); data(''process.cpu.utilization'').publish(label=''B''); data(''process.cpu.time'').publish(label=''C''); data(''process.disk.io'').publish(label=''D''); data(''process.memory.usage'').publish(label=''E''); data(''process.memory.virtual'').publish(label=''F''); data(''process.memory.utilization'').publish(label=''G''); data(''process.cpu.utilization'').publish(label=''H''); data(''process.disk.operations'').publish(label=''I''); data(''process.handles'').publish(label=''J''); data(''process.threads'').publish(label=''K'') - + + * In the SIM configuration, set the Organization ID to your Observability Cloud + Organization ID. + + * Set the Signal Flow Program to the following: data(''process.threads'').publish(label=''A''); + data(''process.cpu.utilization'').publish(label=''B''); data(''process.cpu.time'').publish(label=''C''); + data(''process.disk.io'').publish(label=''D''); data(''process.memory.usage'').publish(label=''E''); + data(''process.memory.virtual'').publish(label=''F''); data(''process.memory.utilization'').publish(label=''G''); + data(''process.cpu.utilization'').publish(label=''H''); data(''process.disk.operations'').publish(label=''I''); + data(''process.handles'').publish(label=''J''); data(''process.threads'').publish(label=''K'') + * Set the Metric Resolution to 10000. - + * Leave all other settings at their default values. - + * Run the Search Baseline Of Kubernetes Container Network IO Ratio ' known_false_positives: unknown references: @@ -71,8 +78,8 @@ tags: - Splunk Cloud required_fields: - k8s.container.ready_count - - host.name - - k8s.cluster.name - - k8s.node.name + - host.name + - k8s.cluster.name + - k8s.node.name risk_score: 25 security_domain: network diff --git a/detections/cloud/kubernetes_previously_unseen_process.yml b/detections/cloud/kubernetes_previously_unseen_process.yml index 54054fa546..605ca069bb 100644 --- a/detections/cloud/kubernetes_previously_unseen_process.yml +++ b/detections/cloud/kubernetes_previously_unseen_process.yml @@ -1,19 +1,19 @@ name: Kubernetes Previously Unseen Process id: c8119b2f-d7f7-40be-940a-1c582870e8e2 -version: 1 -date: '2023-12-18' +version: 2 +date: '2024-05-13' author: Matthew Moore, Splunk status: experimental type: Anomaly -description: This analytic detects newly seen process within the Kubernetes scope on a master or worker node. This detection leverages process metrics harvested using an - OTEL collector and hostmetrics receiever, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247). - This detection compares the processes seen for each node over the previous 1 hour with those over the previous 30 days up until the previous 1 hour. - The specific metric used by this detection is process.memory.utilization. Newly seen processes on a Kubernetes worker node are concerning as they may represent security risks and - anomalies that could be related to unauthorized activity. New processes may be introduced in an attempt to compromise the node or gain control of the Kubernetes cluster. - By detecting these processes, they can be investigated, and correlated with other anomalous activity for that host. Newly seen processes may be part of an attacker's strategy to compromise the node, - gain unauthorized access, and subsequently extend their control to the entire Kubernetes cluster. These processes could facilitate activities such as data exfiltration, privilege escalation, - denial-of-service attacks, or the introduction of malware and backdoors, putting sensitive data, applications, and the entire infrastructure at risk. - The consequences may include data breaches, service disruptions, financial losses, and reputational damage, underscoring the need to identify anomalous process and associate them with any concurrent risk activity. +description: The following analytic detects previously unseen processes within the + Kubernetes environment on master or worker nodes. It leverages process metrics collected + via an OTEL collector and hostmetrics receiver, and data is pulled from Splunk Observability + Cloud. This detection compares processes observed in the last hour against those + seen in the previous 30 days. Identifying new processes is crucial as they may indicate + unauthorized activity or attempts to compromise the node. If confirmed malicious, + these processes could lead to data exfiltration, privilege escalation, denial-of-service + attacks, or the introduction of malware, posing significant risks to the Kubernetes + cluster. data_source: [] search: '| mstats count(process.memory.utilization) as process.memory.utilization_count where `kubernetes_metrics` AND earliest=-1h by host.name k8s.cluster.name k8s.node.name process.executable.name | eval current="True" @@ -22,29 +22,37 @@ search: '| mstats count(process.memory.utilization) as process.memory.utilizati | stats count values(current) as current by host.name k8s.cluster.name k8s.node.name process.executable.name | where count=1 and current="True" | rename host.name as host - | `kubernetes_previously_unseen_process_filter` ' + | `kubernetes_previously_unseen_process_filter`' how_to_implement: 'To implement this detection, follow these steps: * Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster. - + * Enable the hostmetrics/process receiver in the OTEL configuration. - - * Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled. - + + * Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, + are enabled. + * Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247) - - * Configure the SIM add-on with your Observability Cloud Organization ID and Access Token. - + + * Configure the SIM add-on with your Observability Cloud Organization ID and Access + Token. + * Set up the SIM modular input to ingest Process Metrics. Name this input "sim_process_metrics_to_metrics_index". - - * In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID. - - * Set the Signal Flow Program to the following: data(''process.threads'').publish(label=''A''); data(''process.cpu.utilization'').publish(label=''B''); data(''process.cpu.time'').publish(label=''C''); data(''process.disk.io'').publish(label=''D''); data(''process.memory.usage'').publish(label=''E''); data(''process.memory.virtual'').publish(label=''F''); data(''process.memory.utilization'').publish(label=''G''); data(''process.cpu.utilization'').publish(label=''H''); data(''process.disk.operations'').publish(label=''I''); data(''process.handles'').publish(label=''J''); data(''process.threads'').publish(label=''K'') - + + * In the SIM configuration, set the Organization ID to your Observability Cloud + Organization ID. + + * Set the Signal Flow Program to the following: data(''process.threads'').publish(label=''A''); + data(''process.cpu.utilization'').publish(label=''B''); data(''process.cpu.time'').publish(label=''C''); + data(''process.disk.io'').publish(label=''D''); data(''process.memory.usage'').publish(label=''E''); + data(''process.memory.virtual'').publish(label=''F''); data(''process.memory.utilization'').publish(label=''G''); + data(''process.cpu.utilization'').publish(label=''H''); data(''process.disk.operations'').publish(label=''I''); + data(''process.handles'').publish(label=''J''); data(''process.threads'').publish(label=''K'') + * Set the Metric Resolution to 10000. - + * Leave all other settings at their default values. - + * Run the Search Baseline Of Kubernetes Container Network IO Ratio ' known_false_positives: unknown references: @@ -69,9 +77,9 @@ tags: - Splunk Cloud required_fields: - process.memory.utilization - - host.name - - k8s.cluster.name - - k8s.node.name + - host.name + - k8s.cluster.name + - k8s.node.name - process.executable.name risk_score: 25 security_domain: network diff --git a/detections/cloud/kubernetes_process_running_from_new_path.yml b/detections/cloud/kubernetes_process_running_from_new_path.yml index 2c93736f1d..41b969d36b 100644 --- a/detections/cloud/kubernetes_process_running_from_new_path.yml +++ b/detections/cloud/kubernetes_process_running_from_new_path.yml @@ -1,19 +1,19 @@ name: Kubernetes Process Running From New Path id: 454076fb-0e9e-4adf-b93a-da132621c5e6 -version: 1 -date: '2023-12-18' +version: 2 +date: '2024-05-27' author: Matthew Moore, Splunk status: experimental type: Anomaly -description: This analytic detects processes running within the same scope as Kubernetes that have been run from a newly seen path. - This detection leverages process metrics harvested using an OTEL collector and hostmetrics receiever, and is pulled from Splunk Observability cloud - using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247). This detection compares the processes seen for - each node over the previous 1 hour with those over the previous 30 days up until the previous 1 hour, and alerts if the path for that process was not seen over the previous 30 days. - The specific metric used by this detection is process.memory.utilization. Processes running from a newly seen path can signify potential security risks and anomalies. - A process executing from an unfamiliar file path may indicate unauthorized changes to the file system, a compromised node, or the introduction of malicious software. - If the presence of a process running from a newly seen file path on a Kubernetes node indicates malicious activity, the security implications could be severe. - It suggests that an attacker has potentially compromised the node, allowing them to execute unauthorized processes and potentially gain control over critical resources. - This could lead to further exploitation, data exfiltration, privilege escalation, or the introduction of malware and backdoors within the Kubernetes cluster. +description: The following analytic identifies processes running from newly seen paths + within a Kubernetes environment. It leverages process metrics collected via an OTEL + collector and hostmetrics receiver, and data is pulled from Splunk Observability + Cloud using the Splunk Infrastructure Monitoring Add-on. This detection compares + processes observed in the last hour with those seen over the previous 30 days. This + activity is significant as it may indicate unauthorized changes, compromised nodes, + or the introduction of malicious software. If confirmed malicious, it could lead + to unauthorized process execution, control over critical resources, data exfiltration, + privilege escalation, or malware introduction within the Kubernetes cluster. data_source: [] search: '| mstats count(process.memory.utilization) as process.memory.utilization_count where `kubernetes_metrics` AND earliest=-1h by host.name k8s.cluster.name k8s.node.name process.pid process.executable.path process.executable.name | eval current="True" @@ -23,29 +23,37 @@ search: '| mstats count(process.memory.utilization) as process.memory.utilizatio | stats count values(current) as current by host.name k8s.cluster.name k8s.node.name process.pid process.executable.name process.executable.path | where count=1 and current="True" | rename host.name as host - | `kubernetes_process_running_from_new_path_filter` ' + | `kubernetes_process_running_from_new_path_filter`' how_to_implement: 'To implement this detection, follow these steps: * Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster. - + * Enable the hostmetrics/process receiver in the OTEL configuration. - - * Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled. - + + * Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, + are enabled. + * Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247) - - * Configure the SIM add-on with your Observability Cloud Organization ID and Access Token. - + + * Configure the SIM add-on with your Observability Cloud Organization ID and Access + Token. + * Set up the SIM modular input to ingest Process Metrics. Name this input "sim_process_metrics_to_metrics_index". - - * In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID. - - * Set the Signal Flow Program to the following: data(''process.threads'').publish(label=''A''); data(''process.cpu.utilization'').publish(label=''B''); data(''process.cpu.time'').publish(label=''C''); data(''process.disk.io'').publish(label=''D''); data(''process.memory.usage'').publish(label=''E''); data(''process.memory.virtual'').publish(label=''F''); data(''process.memory.utilization'').publish(label=''G''); data(''process.cpu.utilization'').publish(label=''H''); data(''process.disk.operations'').publish(label=''I''); data(''process.handles'').publish(label=''J''); data(''process.threads'').publish(label=''K'') - + + * In the SIM configuration, set the Organization ID to your Observability Cloud + Organization ID. + + * Set the Signal Flow Program to the following: data(''process.threads'').publish(label=''A''); + data(''process.cpu.utilization'').publish(label=''B''); data(''process.cpu.time'').publish(label=''C''); + data(''process.disk.io'').publish(label=''D''); data(''process.memory.usage'').publish(label=''E''); + data(''process.memory.virtual'').publish(label=''F''); data(''process.memory.utilization'').publish(label=''G''); + data(''process.cpu.utilization'').publish(label=''H''); data(''process.disk.operations'').publish(label=''I''); + data(''process.handles'').publish(label=''J''); data(''process.threads'').publish(label=''K'') + * Set the Metric Resolution to 10000. - + * Leave all other settings at their default values. - + * Run the Search Baseline Of Kubernetes Container Network IO Ratio ' known_false_positives: unknown references: @@ -70,9 +78,9 @@ tags: - Splunk Cloud required_fields: - process.memory.utilization - - host.name - - k8s.cluster.name - - k8s.node.name + - host.name + - k8s.cluster.name + - k8s.node.name - process.executable.name risk_score: 25 security_domain: network diff --git a/detections/cloud/kubernetes_process_with_anomalous_resource_utilisation.yml b/detections/cloud/kubernetes_process_with_anomalous_resource_utilisation.yml index f0ecb0c57e..44d9d3dce9 100644 --- a/detections/cloud/kubernetes_process_with_anomalous_resource_utilisation.yml +++ b/detections/cloud/kubernetes_process_with_anomalous_resource_utilisation.yml @@ -1,14 +1,18 @@ name: Kubernetes Process with Anomalous Resource Utilisation id: 25ca9594-7a0d-4a95-a5e5-3228d7398ec8 -version: 1 -date: '2023-12-18' +version: 2 +date: '2024-05-27' author: Matthew Moore, Splunk status: experimental type: Anomaly -description: This analytic identifies high resource utilization anomalies in Kubernetes processes. It uses process metrics from an OTEL collector and hostmetrics receiver, - fetched from Splunk Observability cloud via the Splunk Infrastructure Monitoring Add-on. The detection uses a lookup table with average and standard deviation values - for various process metrics to identify anomalies. High resource utilization can indicate security threats or operational issues, such as cryptojacking, unauthorized data exfiltration, - or compromised containers. These anomalies can disrupt services, exhaust resources, increase costs, and allow attackers to evade detection or maintain access. +description: The following analytic identifies high resource utilization anomalies + in Kubernetes processes. It leverages process metrics from an OTEL collector and + hostmetrics receiver, fetched via the Splunk Infrastructure Monitoring Add-on. The + detection uses a lookup table with average and standard deviation values to spot + anomalies. This activity is significant as high resource utilization can indicate + security threats like cryptojacking, unauthorized data exfiltration, or compromised + containers. If confirmed malicious, such anomalies can disrupt services, exhaust + resources, increase costs, and allow attackers to evade detection or maintain access. data_source: [] search: '| mstats avg(process.*) as process.* where `kubernetes_metrics` by host.name k8s.cluster.name k8s.node.name process.executable.name span=10s | eval key = ''k8s.cluster.name'' + ":" + ''host.name'' + ":" + ''process.executable.name'' @@ -27,29 +31,37 @@ search: '| mstats avg(process.*) as process.* where `kubernetes_metrics` by host | sort - count | where count > 5 | rename host.name as host - | `kubernetes_process_with_anomalous_resource_utilisation_filter` ' + | `kubernetes_process_with_anomalous_resource_utilisation_filter`' how_to_implement: 'To implement this detection, follow these steps: * Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster. - + * Enable the hostmetrics/process receiver in the OTEL configuration. - - * Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled. - + + * Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, + are enabled. + * Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247) - - * Configure the SIM add-on with your Observability Cloud Organization ID and Access Token. - + + * Configure the SIM add-on with your Observability Cloud Organization ID and Access + Token. + * Set up the SIM modular input to ingest Process Metrics. Name this input "sim_process_metrics_to_metrics_index". - - * In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID. - - * Set the Signal Flow Program to the following: data(''process.threads'').publish(label=''A''); data(''process.cpu.utilization'').publish(label=''B''); data(''process.cpu.time'').publish(label=''C''); data(''process.disk.io'').publish(label=''D''); data(''process.memory.usage'').publish(label=''E''); data(''process.memory.virtual'').publish(label=''F''); data(''process.memory.utilization'').publish(label=''G''); data(''process.cpu.utilization'').publish(label=''H''); data(''process.disk.operations'').publish(label=''I''); data(''process.handles'').publish(label=''J''); data(''process.threads'').publish(label=''K'') - + + * In the SIM configuration, set the Organization ID to your Observability Cloud + Organization ID. + + * Set the Signal Flow Program to the following: data(''process.threads'').publish(label=''A''); + data(''process.cpu.utilization'').publish(label=''B''); data(''process.cpu.time'').publish(label=''C''); + data(''process.disk.io'').publish(label=''D''); data(''process.memory.usage'').publish(label=''E''); + data(''process.memory.virtual'').publish(label=''F''); data(''process.memory.utilization'').publish(label=''G''); + data(''process.cpu.utilization'').publish(label=''H''); data(''process.disk.operations'').publish(label=''I''); + data(''process.handles'').publish(label=''J''); data(''process.threads'').publish(label=''K'') + * Set the Metric Resolution to 10000. - + * Leave all other settings at their default values. - + * Run the Search Baseline Of Kubernetes Container Network IO Ratio ' known_false_positives: unknown references: @@ -74,9 +86,9 @@ tags: - Splunk Cloud required_fields: - process.* - - host.name - - k8s.cluster.name - - k8s.node.name + - host.name + - k8s.cluster.name + - k8s.node.name - process.executable.name risk_score: 25 security_domain: network diff --git a/detections/cloud/kubernetes_process_with_resource_ratio_anomalies.yml b/detections/cloud/kubernetes_process_with_resource_ratio_anomalies.yml index fb50b5b397..870ba66146 100644 --- a/detections/cloud/kubernetes_process_with_resource_ratio_anomalies.yml +++ b/detections/cloud/kubernetes_process_with_resource_ratio_anomalies.yml @@ -1,62 +1,66 @@ name: Kubernetes Process with Resource Ratio Anomalies id: 0d42b295-0f1f-4183-b75e-377975f47c65 -version: 1 -date: '2023-12-18' +version: 2 +date: '2024-05-30' author: Matthew Moore, Splunk status: experimental type: Anomaly -description: This analytic detects anomalously changes in the ratio between specific process resources on a Kubernetes node, based on the past behavior for each process running in the Kubernetes scope on that node. - This detection leverages process metrics harvested using an OTEL collector and hostmetrics receiver, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247). - This detection also leverages a lookup table that contains average and standard deviation for the cpu:disk operations, cpu:mem, cpu:thread count, disk operations:thread count, and mem:disk operations ratios. - This is used to indicate an anomalous change in resource ratios that indicate the workload has changed behavior irrespective of load. - Changes in the relationship between utilization of different resources can indicate a change in behavior of the monitored process, which can indicate a potentially compromised application. - Deviations in resource ratios, such as memory-to-CPU or CPU-to-disk utilization, may signify compromised processes, malicious activity, or misconfigurations that could pose risks. - A change in process behavior could signify a potential security breach within the Kubernetes environment, where an attacker may have compromised a process either on the node or running within a container. +description: The following analytic detects anomalous changes in resource utilization + ratios for processes running on a Kubernetes node. It leverages process metrics + collected via an OTEL collector and hostmetrics receiver, analyzed through Splunk + Observability Cloud. The detection uses a lookup table containing average and standard + deviation values for various resource ratios (e.g., CPU:memory, CPU:disk operations). + Significant deviations from these baselines may indicate compromised processes, + malicious activity, or misconfigurations. If confirmed malicious, this could signify + a security breach, allowing attackers to manipulate workloads, potentially leading + to data exfiltration or service disruption. data_source: [] -search: '| mstats avg(process.*) as process.* where `kubernetes_metrics` by host.name k8s.cluster.name k8s.node.name process.executable.name span=10s - | eval cpu:mem = ''process.cpu.utilization''/''process.memory.utilization'' - | eval cpu:disk = ''process.cpu.utilization''/''process.disk.operations'' - | eval mem:disk = ''process.memory.utilization''/''process.disk.operations'' - | eval cpu:threads = ''process.cpu.utilization''/''process.threads'' - | eval disk:threads = ''process.disk.operations''/''process.threads'' - | eval key = ''k8s.cluster.name'' + ":" + ''host.name'' + ":" + ''process.executable.name'' - | lookup k8s_process_resource_ratio_baseline key - | fillnull - | eval anomalies = "" - | foreach stdev_* - [ eval anomalies =if( ''<>'' > (''avg_<>'' + 4 * ''stdev_<>''), anomalies + "<> ratio higher than average by " + - tostring(round((''<>'' - ''avg_<>'')/''stdev_<>'' ,2)) + " Standard Deviations. <>=" + tostring(''<>'') + " avg_<>=" - + tostring(''avg_<>'') + " ''stdev_<>''=" + tostring(''stdev_<>'') + ", " - , anomalies) - ] - | eval anomalies = replace(anomalies, ",\s$", "") - | where anomalies!="" - | stats count values(anomalies) as anomalies by host.name k8s.cluster.name k8s.node.name process.executable.name - | where count > 5 - | rename host.name as host +search: '| mstats avg(process.*) as process.* where `kubernetes_metrics` by host.name + k8s.cluster.name k8s.node.name process.executable.name span=10s | eval cpu:mem = + ''process.cpu.utilization''/''process.memory.utilization'' | eval cpu:disk = ''process.cpu.utilization''/''process.disk.operations'' + | eval mem:disk = ''process.memory.utilization''/''process.disk.operations'' | eval + cpu:threads = ''process.cpu.utilization''/''process.threads'' | eval disk:threads + = ''process.disk.operations''/''process.threads'' | eval key = ''k8s.cluster.name'' + + ":" + ''host.name'' + ":" + ''process.executable.name'' | lookup k8s_process_resource_ratio_baseline + key | fillnull | eval anomalies = "" | foreach stdev_* [ eval anomalies =if( ''<>'' + > (''avg_<>'' + 4 * ''stdev_<>''), anomalies + "<> + ratio higher than average by " + tostring(round((''<>'' - ''avg_<>'')/''stdev_<>'' + ,2)) + " Standard Deviations. <>=" + tostring(''<>'') + " avg_<>=" + + tostring(''avg_<>'') + " ''stdev_<>''=" + tostring(''stdev_<>'') + + ", " , anomalies) ] | eval anomalies = replace(anomalies, ",\s$", "") | where + anomalies!="" | stats count values(anomalies) as anomalies by host.name k8s.cluster.name + k8s.node.name process.executable.name | where count > 5 | rename host.name as host | `kubernetes_process_with_resource_ratio_anomalies_filter`' -how_to_implement: 'To implement this detection, follow these steps: - +how_to_implement: 'To implement this detection, follow these steps: + * Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster. - + * Enable the hostmetrics/process receiver in the OTEL configuration. - - * Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled. - + + * Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, + are enabled. + * Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247) - - * Configure the SIM add-on with your Observability Cloud Organization ID and Access Token. - + + * Configure the SIM add-on with your Observability Cloud Organization ID and Access + Token. + * Set up the SIM modular input to ingest Process Metrics. Name this input "sim_process_metrics_to_metrics_index". - - * In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID. - - * Set the Signal Flow Program to the following: data(''process.threads'').publish(label=''A''); data(''process.cpu.utilization'').publish(label=''B''); data(''process.cpu.time'').publish(label=''C''); data(''process.disk.io'').publish(label=''D''); data(''process.memory.usage'').publish(label=''E''); data(''process.memory.virtual'').publish(label=''F''); data(''process.memory.utilization'').publish(label=''G''); data(''process.cpu.utilization'').publish(label=''H''); data(''process.disk.operations'').publish(label=''I''); data(''process.handles'').publish(label=''J''); data(''process.threads'').publish(label=''K'') - + + * In the SIM configuration, set the Organization ID to your Observability Cloud + Organization ID. + + * Set the Signal Flow Program to the following: data(''process.threads'').publish(label=''A''); + data(''process.cpu.utilization'').publish(label=''B''); data(''process.cpu.time'').publish(label=''C''); + data(''process.disk.io'').publish(label=''D''); data(''process.memory.usage'').publish(label=''E''); + data(''process.memory.virtual'').publish(label=''F''); data(''process.memory.utilization'').publish(label=''G''); + data(''process.cpu.utilization'').publish(label=''H''); data(''process.disk.operations'').publish(label=''I''); + data(''process.handles'').publish(label=''J''); data(''process.threads'').publish(label=''K'') + * Set the Metric Resolution to 10000. - + * Leave all other settings at their default values. - + * Run the Search Baseline Of Kubernetes Container Network IO Ratio ' known_false_positives: unknown references: @@ -81,9 +85,9 @@ tags: - Splunk Cloud required_fields: - process.* - - host.name - - k8s.cluster.name - - k8s.node.name + - host.name + - k8s.cluster.name + - k8s.node.name - process.executable.name risk_score: 25 security_domain: network diff --git a/detections/cloud/kubernetes_scanning_by_unauthenticated_ip_address.yml b/detections/cloud/kubernetes_scanning_by_unauthenticated_ip_address.yml index 47e8d49802..a94b5cf3fe 100644 --- a/detections/cloud/kubernetes_scanning_by_unauthenticated_ip_address.yml +++ b/detections/cloud/kubernetes_scanning_by_unauthenticated_ip_address.yml @@ -1,15 +1,19 @@ name: Kubernetes Scanning by Unauthenticated IP Address id: f9cadf4e-df22-4f4e-a08f-9d3344c2165d -version: 1 -date: '2023-12-07' +version: 2 +date: '2024-05-10' author: Patrick Bareiss, Splunk status: production type: Anomaly -description: This detection rule is designed to identify potential scanning activities within a Kubernetes environment. - Scanning is a common preliminary step in an attack, where the attacker tries to gather information about the system to find potential vulnerabilities. - In the context of Kubernetes, scanning could involve activities like unauthorized access attempts, probing public APIs, or trying to exploit known vulnerabilities. - This rule triggers an alert when such suspicious activities are detected, helping to ensure the security of your Kubernetes infrastructure. -data_source: +description: The following analytic identifies potential scanning activities within + a Kubernetes environment by unauthenticated IP addresses. It leverages Kubernetes + audit logs to detect multiple unauthorized access attempts (HTTP 403 responses) + from the same source IP. This activity is significant as it may indicate an attacker + probing for vulnerabilities or attempting to exploit known issues. If confirmed + malicious, such scanning could lead to unauthorized access, data breaches, or further + exploitation of the Kubernetes infrastructure, compromising the security and integrity + of the environment. +data_source: - Kubernetes Audit search: '`kube_audit` "user.groups{}"="system:unauthenticated" "responseStatus.code"=403 | iplocation sourceIPs{} @@ -17,7 +21,7 @@ search: '`kube_audit` "user.groups{}"="system:unauthenticated" "responseStatus.c by sourceIPs{} Country City | where count > 5 | rename sourceIPs{} as src_ip, user.username as user - | `kubernetes_scanning_by_unauthenticated_ip_address_filter` ' + | `kubernetes_scanning_by_unauthenticated_ip_address_filter`' how_to_implement: You must ingest Kubernetes audit logs. known_false_positives: unknown references: @@ -28,7 +32,7 @@ tags: asset_type: Kubernetes confidence: 70 impact: 70 - message: Kubernetes scanning from ip $src_ip$ + message: Kubernetes scanning from ip $src_ip$ mitre_attack_id: - T1046 observable: @@ -61,6 +65,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1046/kubernetes_scanning/kubernetes_scanning.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1046/kubernetes_scanning/kubernetes_scanning.json sourcetype: _json source: kubernetes diff --git a/detections/cloud/kubernetes_shell_running_on_worker_node.yml b/detections/cloud/kubernetes_shell_running_on_worker_node.yml index fbf7b3d8f6..53ba59cfd2 100644 --- a/detections/cloud/kubernetes_shell_running_on_worker_node.yml +++ b/detections/cloud/kubernetes_shell_running_on_worker_node.yml @@ -1,45 +1,56 @@ name: Kubernetes Shell Running on Worker Node id: efebf0c4-dcf4-496f-85a2-5ab7ad8fa876 -version: 1 -date: '2023-12-18' +version: 2 +date: '2024-05-25' author: Matthew Moore, Splunk status: experimental type: Anomaly -description: This analytic identifies shell activity within the Kubernetes privilege scope on a worker node, returning a list of shell processes regardless of CPU resource consumption. - It uses process metrics from an OTEL collector hostmetrics receiver, pulled from Splunk Observability cloud via the Splunk Infrastructure Monitoring Add-on. - Metrics used are process.cpu.utilization and process.memory.utilization. Shell processes can indicate unauthorized or suspicious activity, posing a security threat. - Shell access to worker nodes can provide attackers an entry point to compromise the node and the entire Kubernetes cluster. Monitoring and detecting shell processes is crucial for anomaly identification, security policy enforcement, and breach mitigation. - Unauthorized shell processes on a Kubernetes worker node can severely compromise the cluster's security and integrity. Such access can lead to data theft, service disruption, privilege escalation, lateral movement, and further attacks within the cluster. - It may also enable attackers to manipulate configurations, deploy malicious containers, and execute arbitrary code, posing a severe risk to the confidentiality, availability, and integrity of applications and sensitive data. +description: The following analytic identifies shell activity within the Kubernetes + privilege scope on a worker node. It leverages process metrics from an OTEL collector + hostmetrics receiver, specifically process.cpu.utilization and process.memory.utilization, + pulled from Splunk Observability Cloud. This activity is significant as unauthorized + shell processes can indicate potential security threats, providing attackers an + entry point to compromise the node and the entire Kubernetes cluster. If confirmed + malicious, this activity could lead to data theft, service disruption, privilege + escalation, lateral movement, and further attacks, severely compromising the cluster's + security and integrity. data_source: [] search: '| mstats avg(process.cpu.utilization) as process.cpu.utilization avg(process.memory.utilization) as process.memory.utilization where `kubernetes_metrics` AND process.executable.name IN ("sh","bash","csh", "tcsh") by host.name k8s.cluster.name k8s.node.name process.pid process.executable.name span=10s | search process.cpu.utilization>0 OR process.memory.utilization>0 | stats avg(process.cpu.utilization) as process.cpu.utilization avg(process.memory.utilization) as process.memory.utilization by host.name k8s.cluster.name k8s.node.name process.pid process.executable.name | rename host.name as host - | `kubernetes_shell_running_on_worker_node_filter` ' + | `kubernetes_shell_running_on_worker_node_filter`' how_to_implement: 'To implement this detection, follow these steps: * Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster. - + * Enable the hostmetrics/process receiver in the OTEL configuration. - - * Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled. - + + * Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, + are enabled. + * Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247) - - * Configure the SIM add-on with your Observability Cloud Organization ID and Access Token. - + + * Configure the SIM add-on with your Observability Cloud Organization ID and Access + Token. + * Set up the SIM modular input to ingest Process Metrics. Name this input "sim_process_metrics_to_metrics_index". - - * In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID. - - * Set the Signal Flow Program to the following: data(''process.threads'').publish(label=''A''); data(''process.cpu.utilization'').publish(label=''B''); data(''process.cpu.time'').publish(label=''C''); data(''process.disk.io'').publish(label=''D''); data(''process.memory.usage'').publish(label=''E''); data(''process.memory.virtual'').publish(label=''F''); data(''process.memory.utilization'').publish(label=''G''); data(''process.cpu.utilization'').publish(label=''H''); data(''process.disk.operations'').publish(label=''I''); data(''process.handles'').publish(label=''J''); data(''process.threads'').publish(label=''K'') - + + * In the SIM configuration, set the Organization ID to your Observability Cloud + Organization ID. + + * Set the Signal Flow Program to the following: data(''process.threads'').publish(label=''A''); + data(''process.cpu.utilization'').publish(label=''B''); data(''process.cpu.time'').publish(label=''C''); + data(''process.disk.io'').publish(label=''D''); data(''process.memory.usage'').publish(label=''E''); + data(''process.memory.virtual'').publish(label=''F''); data(''process.memory.utilization'').publish(label=''G''); + data(''process.cpu.utilization'').publish(label=''H''); data(''process.disk.operations'').publish(label=''I''); + data(''process.handles'').publish(label=''J''); data(''process.threads'').publish(label=''K'') + * Set the Metric Resolution to 10000. - + * Leave all other settings at their default values. - + * Run the Search Baseline Of Kubernetes Container Network IO Ratio ' known_false_positives: unknown references: diff --git a/detections/cloud/kubernetes_shell_running_on_worker_node_with_cpu_activity.yml b/detections/cloud/kubernetes_shell_running_on_worker_node_with_cpu_activity.yml index c9711414db..7440e985c8 100644 --- a/detections/cloud/kubernetes_shell_running_on_worker_node_with_cpu_activity.yml +++ b/detections/cloud/kubernetes_shell_running_on_worker_node_with_cpu_activity.yml @@ -1,47 +1,57 @@ name: Kubernetes Shell Running on Worker Node with CPU Activity id: cc1448e3-cc7a-4518-bc9f-2fa48f61a22b -version: 1 -date: '2023-12-18' +version: 2 +date: '2024-05-11' author: Matthew Moore, Splunk status: experimental type: Anomaly -description: This analytic identifies shell activity within the Kubernetes privilege scope on a worker node. It returns shell processes only if they're consuming CPU resources. - The detection uses process metrics from an OTEL collector hostmetrics receiver, pulled from Splunk Observability cloud via the Splunk Infrastructure Monitoring Add-on. - The metrics used are process.cpu.utilization and process.memory.utilization. Shell processes can indicate unauthorized activity, posing a security threat. - Attackers could compromise the node and the entire Kubernetes cluster via shell access to worker nodes. Monitoring shell processes is crucial for anomaly detection, - policy enforcement, and breach mitigation. Unauthorized shell processes on a Kubernetes worker node could severely impact the cluster's security and integrity. - Attackers could gain full control over the host's resources and file system, compromising all hosted workloads and data. This access could lead to data theft, service disruption, - privilege escalation, lateral movement, and further attacks within the cluster. Attackers could also manipulate configurations, deploy malicious containers, and execute arbitrary code, - severely risking the confidentiality, availability, and integrity of applications and sensitive data. A rapid and comprehensive incident response is required to mitigate and recover from such a breach. +description: The following analytic identifies shell activity within the Kubernetes + privilege scope on a worker node, specifically when shell processes are consuming + CPU resources. It leverages process metrics from an OTEL collector hostmetrics receiver, + pulled from Splunk Observability Cloud via the Splunk Infrastructure Monitoring + Add-on, focusing on process.cpu.utilization and process.memory.utilization. This + activity is significant as unauthorized shell processes can indicate a security + threat, potentially compromising the node and the entire Kubernetes cluster. If + confirmed malicious, attackers could gain full control over the host's resources, + leading to data theft, service disruption, privilege escalation, and further attacks + within the cluster. data_source: [] search: '| mstats avg(process.cpu.utilization) as process.cpu.utilization avg(process.memory.utilization) as process.memory.utilization where `kubernetes_metrics` AND process.executable.name IN ("sh","bash","csh", "tcsh") by host.name k8s.cluster.name k8s.node.name process.pid process.executable.name span=10s | search process.cpu.utilization>0 | stats avg(process.cpu.utilization) as process.cpu.utilization avg(process.memory.utilization) as process.memory.utilization by host.name k8s.cluster.name k8s.node.name process.pid process.executable.name | rename host.name as host - | `kubernetes_shell_running_on_worker_node_with_cpu_activity_filter` ' + | `kubernetes_shell_running_on_worker_node_with_cpu_activity_filter`' how_to_implement: 'To implement this detection, follow these steps: * Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster. - + * Enable the hostmetrics/process receiver in the OTEL configuration. - - * Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled. - + + * Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, + are enabled. + * Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247) - - * Configure the SIM add-on with your Observability Cloud Organization ID and Access Token. - + + * Configure the SIM add-on with your Observability Cloud Organization ID and Access + Token. + * Set up the SIM modular input to ingest Process Metrics. Name this input "sim_process_metrics_to_metrics_index". - - * In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID. - - * Set the Signal Flow Program to the following: data(''process.threads'').publish(label=''A''); data(''process.cpu.utilization'').publish(label=''B''); data(''process.cpu.time'').publish(label=''C''); data(''process.disk.io'').publish(label=''D''); data(''process.memory.usage'').publish(label=''E''); data(''process.memory.virtual'').publish(label=''F''); data(''process.memory.utilization'').publish(label=''G''); data(''process.cpu.utilization'').publish(label=''H''); data(''process.disk.operations'').publish(label=''I''); data(''process.handles'').publish(label=''J''); data(''process.threads'').publish(label=''K'') - + + * In the SIM configuration, set the Organization ID to your Observability Cloud + Organization ID. + + * Set the Signal Flow Program to the following: data(''process.threads'').publish(label=''A''); + data(''process.cpu.utilization'').publish(label=''B''); data(''process.cpu.time'').publish(label=''C''); + data(''process.disk.io'').publish(label=''D''); data(''process.memory.usage'').publish(label=''E''); + data(''process.memory.virtual'').publish(label=''F''); data(''process.memory.utilization'').publish(label=''G''); + data(''process.cpu.utilization'').publish(label=''H''); data(''process.disk.operations'').publish(label=''I''); + data(''process.handles'').publish(label=''J''); data(''process.threads'').publish(label=''K'') + * Set the Metric Resolution to 10000. - + * Leave all other settings at their default values. - + * Run the Search Baseline Of Kubernetes Container Network IO Ratio ' known_false_positives: unknown references: diff --git a/detections/cloud/kubernetes_suspicious_image_pulling.yml b/detections/cloud/kubernetes_suspicious_image_pulling.yml index 0a00025f0f..4eeaa70812 100644 --- a/detections/cloud/kubernetes_suspicious_image_pulling.yml +++ b/detections/cloud/kubernetes_suspicious_image_pulling.yml @@ -1,15 +1,18 @@ name: Kubernetes Suspicious Image Pulling id: 4d3a17b3-0a6d-4ae0-9421-46623a69c122 -version: 1 -date: '2023-12-07' +version: 2 +date: '2024-05-13' author: Patrick Bareiss, Splunk status: production type: Anomaly -description: 'The following analytic detects instances of suspicious image pulling in Kubernetes. - It identifies this behavior by monitoring Kubernetes audit logs for image pull requests that do not match a predefined list of allowed images. - This behavior is worth identifying for a SOC as it could indicate an attacker attempting to deploy malicious software or infiltrate the system. - The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data.' -data_source: +description: 'The following analytic detects suspicious image pulling in Kubernetes + environments. It identifies this activity by monitoring Kubernetes audit logs for + image pull requests that do not match a predefined list of allowed images. This + behavior is significant for a SOC as it may indicate an attacker attempting to deploy + malicious software or infiltrate the system. If confirmed malicious, the impact + could be severe, potentially leading to unauthorized access to sensitive systems + or data, and enabling further malicious activities within the cluster.' +data_source: - Kubernetes Audit search: '`kube_audit` requestObject.message="Pulling image*" | search NOT `kube_allowed_images` @@ -17,7 +20,7 @@ search: '`kube_audit` requestObject.message="Pulling image*" | stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} user.uid user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user - | `kubernetes_suspicious_image_pulling_filter` ' + | `kubernetes_suspicious_image_pulling_filter`' how_to_implement: The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. @@ -31,7 +34,8 @@ tags: asset_type: Kubernetes confidence: 70 impact: 70 - message: Suspicious image $objectRef.name$ pulled in Kubernetes from ip $src_ip$ by user $user$ + message: Suspicious image $objectRef.name$ pulled in Kubernetes from ip $src_ip$ + by user $user$ mitre_attack_id: - T1526 observable: @@ -64,6 +68,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1526/kubernetes_audit_pull_image/kubernetes_audit_pull_image.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1526/kubernetes_audit_pull_image/kubernetes_audit_pull_image.json sourcetype: _json source: kubernetes diff --git a/detections/cloud/kubernetes_unauthorized_access.yml b/detections/cloud/kubernetes_unauthorized_access.yml index 019e41d47c..893a445494 100644 --- a/detections/cloud/kubernetes_unauthorized_access.yml +++ b/detections/cloud/kubernetes_unauthorized_access.yml @@ -1,21 +1,25 @@ name: Kubernetes Unauthorized Access id: 9b5f1832-e8b9-453f-93df-07a3d6a72a45 -version: 1 -date: '2023-12-07' +version: 2 +date: '2024-05-21' author: Patrick Bareiss, Splunk status: production type: Anomaly -description: 'The following analytic detects unauthorized access to Kubernetes by monitoring Kubernetes audit logs. - It identifies anomalies in access patterns by segmenting and analyzing the source of requests. Unauthorized access is worth identifying for a SOC as it could indicate - an attacker attempting to infiltrate the system. The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data.' -data_source: +description: 'The following analytic detects unauthorized access attempts to Kubernetes + by analyzing Kubernetes audit logs. It identifies anomalies in access patterns by + examining the source of requests and their response statuses. This activity is significant + for a SOC as it may indicate an attacker attempting to infiltrate the Kubernetes + environment. If confirmed malicious, such access could lead to unauthorized control + over Kubernetes resources, potentially compromising sensitive systems or data within + the cluster.' +data_source: - Kubernetes Audit search: '`kube_audit` verb=create responseStatus.reason=Forbidden | fillnull | stats count by objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code responseStatus.message sourceIPs{} stage user.groups{} user.uid user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user - | `kubernetes_unauthorized_access_filter` ' + | `kubernetes_unauthorized_access_filter`' how_to_implement: The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. @@ -62,6 +66,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/kubernetes_unauthorized_access/kubernetes_unauthorized_access.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/kubernetes_unauthorized_access/kubernetes_unauthorized_access.json sourcetype: _json source: kubernetes diff --git a/detections/cloud/o365_add_app_role_assignment_grant_user.yml b/detections/cloud/o365_add_app_role_assignment_grant_user.yml index dc90c09b86..bfa016ef7e 100644 --- a/detections/cloud/o365_add_app_role_assignment_grant_user.yml +++ b/detections/cloud/o365_add_app_role_assignment_grant_user.yml @@ -1,21 +1,24 @@ name: O365 Add App Role Assignment Grant User id: b2c81cc6-6040-11eb-ae93-0242ac130002 -version: 2 -date: '2023-07-11' +version: 3 +date: '2024-05-19' author: Rod Soto, Splunk status: production type: TTP -description: This search is designed to detect the creation of a new Federation setting by alerting on a specific event associated with its creation. - By monitoring for this event, the search can identify any instances where a Federation setting is being created within the system. - This can help in detecting and monitoring any unauthorized or suspicious changes to the Federation settings, - providing an additional layer of security for your environment. -data_source: +description: The following analytic detects the addition of an application role assignment + grant to a user in Office 365. It leverages data from the `o365_management_activity` + dataset, specifically monitoring the "Add app role assignment grant to user" operation. + This activity is significant as it can indicate unauthorized privilege escalation + or the assignment of sensitive roles to users. If confirmed malicious, this could + allow an attacker to gain elevated permissions, potentially leading to unauthorized + access to critical resources and data within the Office 365 environment. +data_source: - O365 Add app role assignment grant to user. -search: '`o365_management_activity` Workload=AzureActiveDirectory Operation="Add app role assignment grant to user." - | stats count min(_time) as firstTime max(_time) as lastTime values(Actor{}.ID) as Actor.ID values(Actor{}.Type) as Actor.Type values(ModifiedProperties{}.Name) as modified_properties_name by user dest ResultStatus Operation - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `o365_add_app_role_assignment_grant_user_filter`' +search: '`o365_management_activity` Workload=AzureActiveDirectory Operation="Add app + role assignment grant to user." | stats count min(_time) as firstTime max(_time) + as lastTime values(Actor{}.ID) as Actor.ID values(Actor{}.Type) as Actor.Type values(ModifiedProperties{}.Name) + as modified_properties_name by user dest ResultStatus Operation | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `o365_add_app_role_assignment_grant_user_filter`' how_to_implement: You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity known_false_positives: The creation of a new Federation is not necessarily malicious, @@ -31,7 +34,8 @@ tags: asset_type: O365 Tenant confidence: 60 impact: 30 - message: User $user$ has created a new federation setting $modified_properties_name$ on $dest$ + message: User $user$ has created a new federation setting $modified_properties_name$ + on $dest$ mitre_attack_id: - T1136.003 - T1136 @@ -62,6 +66,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/o365_new_federation/o365_new_federation.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/o365_new_federation/o365_new_federation.json sourcetype: o365:management:activity source: o365 diff --git a/detections/cloud/o365_added_service_principal.yml b/detections/cloud/o365_added_service_principal.yml index a7cd2c3de4..751bf096e0 100644 --- a/detections/cloud/o365_added_service_principal.yml +++ b/detections/cloud/o365_added_service_principal.yml @@ -1,16 +1,25 @@ name: O365 Added Service Principal id: 1668812a-6047-11eb-ae93-0242ac130002 -version: 3 -date: '2023-08-02' +version: 4 +date: '2024-05-27' author: Rod Soto, Splunk status: production type: TTP -description: The following analytic detects addition of new service principal accounts added to O365 tenants. Attackers can abuse service principals in Office 365 (now known as Microsoft 365) to gain unauthorized access and perform malicious actions within an organization's environment. Service principals are essentially non-human accounts used by applications, services, or scripts to access resources and interact with APIs on behalf of the organization. -data_source: -- O365 -search: '`o365_management_activity` Workload=AzureActiveDirectory Operation="*Add service principal*" OR (Operation = "*principal*" AND action = "created") - | stats count values(ModifiedProperties{}.NewValue) as new_value by src_user src_user_type action Operation authentication_service Workload - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_added_service_principal_filter`' +description: The following analytic detects the addition of new service principal + accounts in O365 tenants. It leverages data from the `o365_management_activity` + dataset, specifically monitoring for operations related to adding or creating service + principals. This activity is significant because attackers can exploit service principals + to gain unauthorized access and perform malicious actions within an organization's + environment. If confirmed malicious, this could allow attackers to interact with + APIs, access resources, and execute operations on behalf of the organization, potentially + leading to data breaches or further compromise. +data_source: +- O365 +search: '`o365_management_activity` Workload=AzureActiveDirectory Operation="*Add + service principal*" OR (Operation = "*principal*" AND action = "created") | stats + count values(ModifiedProperties{}.NewValue) as new_value by src_user src_user_type + action Operation authentication_service Workload | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `o365_added_service_principal_filter`' how_to_implement: You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity known_false_positives: The creation of a new Federation is not necessarily malicious, @@ -46,16 +55,17 @@ tags: - _time - Workload - signature - - src_user - - src_user_type - - action - - Operation + - src_user + - src_user_type + - action + - Operation - authentication_service risk_score: 42 security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/o365_added_service_principal/o365_add_service_principal.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/o365_added_service_principal/o365_add_service_principal.log sourcetype: o365:management:activity source: o365 diff --git a/detections/cloud/o365_admin_consent_bypassed_by_service_principal.yml b/detections/cloud/o365_admin_consent_bypassed_by_service_principal.yml index a2ac104a0b..01cee46fbe 100644 --- a/detections/cloud/o365_admin_consent_bypassed_by_service_principal.yml +++ b/detections/cloud/o365_admin_consent_bypassed_by_service_principal.yml @@ -1,15 +1,23 @@ name: O365 Admin Consent Bypassed by Service Principal id: 8a1b22eb-50ce-4e26-a691-97ff52349569 -version: 1 -date: '2024-02-09' +version: 2 +date: '2024-05-18' author: Mauricio Velazco, Splunk -data_source: +data_source: - O365 Add app role assignment to service principal. type: TTP status: production -description: This detection targets situations where a service principal in Office 365 Azure Active Directory assigns app roles without the standard admin consent, a potential security breach. Using o365_management_activity logs, it examines the 'Add app role assignment to service principal' operation, focusing on service principals and extracting details like role ID and description. This is critical for SOCs to detect potential bypassing of crucial administrative controls, which could lead to unauthorized access or privilege escalation. A true positive implies a service principal might be misusing automated processes to assign sensitive permissions. +description: The following analytic identifies instances where a service principal + in Office 365 Azure Active Directory assigns app roles without standard admin consent. + It leverages `o365_management_activity` logs, specifically focusing on the 'Add + app role assignment to service principal' operation. This activity is significant + for SOCs as it may indicate a bypass of critical administrative controls, potentially + leading to unauthorized access or privilege escalation. If confirmed malicious, + this could allow an attacker to misuse automated processes to assign sensitive permissions, + compromising the security of the environment. search: >- - `o365_management_activity` Workload=AzureActiveDirectory Operation="Add app role assignment to service principal." + `o365_management_activity` Workload=AzureActiveDirectory Operation="Add app role + assignment to service principal." | eval len=mvcount('Actor{}.ID') | eval userType = mvindex('Actor{}.ID',len-1) | eval roleId = mvindex('ModifiedProperties{}.NewValue', 0) @@ -18,12 +26,14 @@ search: >- | eval dest_user = mvindex('Target{}.ID', 0) | search userType = "ServicePrincipal" | eval src_user = user - | stats count earliest(_time) as firstTime latest(_time) as lastTime by src_user dest_user roleId roleValue roleDescription + | stats count earliest(_time) as firstTime latest(_time) as lastTime by src_user + dest_user roleId roleValue roleDescription | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `o365_admin_consent_bypassed_by_service_principal_filter` -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: Service Principals are sometimes configured to legitimately bypass the consent process for purposes of automation. Filter as needed. + | `security_content_ctime(lastTime)` | `o365_admin_consent_bypassed_by_service_principal_filter` +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: Service Principals are sometimes configured to legitimately + bypass the consent process for purposes of automation. Filter as needed. references: - https://attack.mitre.org/techniques/T1098/003/ - https://msrc.microsoft.com/blog/2024/01/microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/ @@ -37,7 +47,8 @@ tags: asset_type: O365 Tenant confidence: 60 impact: 90 - message: Service principal $src_user$ bypassed the admin consent process and granted permissions to $dest_user$ + message: Service principal $src_user$ bypassed the admin consent process and granted + permissions to $dest_user$ mitre_attack_id: - T1098.003 observable: @@ -62,6 +73,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/o365_bypass_admin_consent/o365_bypass_admin_consent.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/o365_bypass_admin_consent/o365_bypass_admin_consent.log source: o365 sourcetype: o365:management:activity diff --git a/detections/cloud/o365_advanced_audit_disabled.yml b/detections/cloud/o365_advanced_audit_disabled.yml index 9e27b9325e..196993ba67 100644 --- a/detections/cloud/o365_advanced_audit_disabled.yml +++ b/detections/cloud/o365_advanced_audit_disabled.yml @@ -1,28 +1,37 @@ name: O365 Advanced Audit Disabled id: 49862dd4-9cb2-4c48-a542-8c8a588d9361 -version: 1 -date: '2023-09-19' +version: 2 +date: '2024-05-17' author: Mauricio Velazco, Michael Haag, Splunk status: production type: TTP -data_source: +data_source: - O365 Change user license. -description: The following analytic identifies instances where the O365 advanced audit is disabled for a specific user within the Office 365 tenant. It leverages O365 audit logs, specifically events related to audit license changes or modifications within the AzureActiveDirectory workloads. The O365 advanced audit provides granular logging and insights into user and administrator activities, making it a crucial tool for security monitoring and incident response. Disabling this audit for a user can blind security teams to potential malicious or unauthorized activities related to that user's mailbox or account. Attackers may disable these audits to obscure their actions and reduce the chances of detection. If an attacker successfully disables the O365 advanced audit for a user, they can operate within that user's mailbox or account with reduced risk of detection. This can lead to unauthorized data access, data exfiltration, account compromise, or other malicious activities without leaving a detailed audit trail. +description: The following analytic detects instances where the O365 advanced audit + is disabled for a specific user within the Office 365 tenant. It uses O365 audit + logs, focusing on events related to audit license changes in AzureActiveDirectory + workloads. This activity is significant because the O365 advanced audit provides + critical logging and insights into user and administrator activities. Disabling + it can blind security teams to potential malicious actions. If confirmed malicious, + attackers could operate within the user's mailbox or account with reduced risk of + detection, leading to unauthorized data access, data exfiltration, or account compromise. search: >- - `o365_management_activity` Operation="Change user license." - | eval property_name = mvindex ('ExtendedProperties{}.Name', 1) + `o365_management_activity` Operation="Change user license." | eval property_name + = mvindex ('ExtendedProperties{}.Name', 1) | search property_name = "extendedAuditEventCategory" | eval additionalDetails = mvindex('ExtendedProperties{}.Value',0) | eval split_value=split(additionalDetails, "NewValue") - | eval possible_plan=mvindex(split_value, 1) - | rex field="possible_plan" "DisabledPlans=\[(?P[^\]]+)\]" + | eval possible_plan=mvindex(split_value, 1) | rex field="possible_plan" "DisabledPlans=\[(?P[^\]]+)\]" | search DisabledPlans IN ("*M365_ADVANCED_AUDITING*") - | stats min(_time) as firstTime max(_time) as lastTime by Operation user object DisabledPlans - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` + | stats min(_time) as firstTime max(_time) as lastTime by Operation user object + DisabledPlans + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_advanced_audit_disabled_filter` -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: Administrators might temporarily disable the advanced audit for troubleshooting, performance reasons, or other administrative tasks. Filter as needed. +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: Administrators might temporarily disable the advanced audit + for troubleshooting, performance reasons, or other administrative tasks. Filter + as needed. references: - https://attack.mitre.org/techniques/T1562/008/ - https://www.mandiant.com/sites/default/files/2022-08/remediation-hardening-strategies-for-m365-defend-against-apt29-white-paper.pdf @@ -58,6 +67,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/o365_advanced_audit_disabled/o365_advanced_audit_disabled.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/o365_advanced_audit_disabled/o365_advanced_audit_disabled.log source: o365 - sourcetype: o365:management:activity \ No newline at end of file + sourcetype: o365:management:activity diff --git a/detections/cloud/o365_application_registration_owner_added.yml b/detections/cloud/o365_application_registration_owner_added.yml index 866e283742..732e63150c 100644 --- a/detections/cloud/o365_application_registration_owner_added.yml +++ b/detections/cloud/o365_application_registration_owner_added.yml @@ -1,22 +1,34 @@ name: O365 Application Registration Owner Added id: c068d53f-6aaa-4558-8011-3734df878266 -version: 1 -date: '2023-09-07' +version: 2 +date: '2024-05-11' author: Mauricio Velazco, Splunk status: production type: TTP -data_source: +data_source: - O365 Add owner to application. -description: The following analytic identifies instances where a new owner is assigned to an application registration within an Azure AD and Office 365 tenant. It leverages O365 audit logs, specifically events related to changes in owner assignments within the AzureActiveDirectory workload for application registrations. Assigning a new owner to an application registration can grant significant control over the application's configuration, permissions, and behavior. An unauthorized or inadvertent change in ownership can lead to misuse of the application, potentially affecting data access, user permissions, or the application's interactions within the tenant. Monitoring for such changes ensures that only legitimate and authorized personnel have control over application registrations. If an attacker successfully assigns themselves or a compromised account as an owner to an application registration, they can modify the application's settings, permissions, and behavior. This can lead to unauthorized data access, escalation of privileges, or the introduction of malicious behavior within the application's operations +description: The following analytic identifies instances where a new owner is assigned + to an application registration within an Azure AD and Office 365 tenant. It leverages + O365 audit logs, specifically events related to changes in owner assignments within + the AzureActiveDirectory workload. This activity is significant because assigning + a new owner to an application registration can grant significant control over the + application's configuration, permissions, and behavior. If confirmed malicious, + an attacker could modify the application's settings, permissions, and behavior, + leading to unauthorized data access, privilege escalation, or the introduction of + malicious behavior within the application's operations. search: >- - `o365_management_activity` Workload=AzureActiveDirectory Operation="Add owner to application." + `o365_management_activity` Workload=AzureActiveDirectory Operation="Add owner to + application." | eval app_id=mvindex('ModifiedProperties{}.NewValue', 0) | eval app_displayName=mvindex('ModifiedProperties{}.NewValue', 1) - | stats max(_time) as lastTime values(ModifiedProperties{}.NewValue) by Operation, user, app_displayName, object + | stats max(_time) as lastTime values(ModifiedProperties{}.NewValue) by Operation, + user, app_displayName, object | `security_content_ctime(lastTime)` | `o365_application_registration_owner_added_filter` -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: Application owners may be added for legitimate reasons, filter as needed. +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: Application owners may be added for legitimate reasons, filter + as needed. references: - https://attack.mitre.org/techniques/T1098/ - https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/overview-assign-app-owners @@ -51,6 +63,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/o365_add_app_registration_owner/o365_add_app_registration_owner.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/o365_add_app_registration_owner/o365_add_app_registration_owner.log source: o365 sourcetype: o365:management:activity diff --git a/detections/cloud/o365_applicationimpersonation_role_assigned.yml b/detections/cloud/o365_applicationimpersonation_role_assigned.yml index bafd096007..4fdc9c751e 100644 --- a/detections/cloud/o365_applicationimpersonation_role_assigned.yml +++ b/detections/cloud/o365_applicationimpersonation_role_assigned.yml @@ -1,20 +1,27 @@ name: O365 ApplicationImpersonation Role Assigned id: 49cdce75-f814-4d56-a7a4-c64ec3a481f2 -version: 1 -date: '2023-10-17' +version: 2 +date: '2024-05-23' author: Mauricio Velazco, Splunk status: production type: TTP -data_source: +data_source: - O365 -description: The following analytic identifies the assignment of the ApplicationImpersonation role in Office 365, either to a user or an application. This analytic leverages the Office 365 Management Activity API, specifically monitoring for events related to role assignments and changes within the Azure Active Directory audit logs. The ApplicationImpersonation role allows a security principal to impersonate any user within the organization and perform actions on their behalf, such as accessing or modifying their mailbox. This role, if misused or granted inappropriately, can pose a significant security risk. Monitoring the assignment of this role is crucial as it can be an indicator of potential malicious activity or misconfigurations. If an attacker successfully assigns the ApplicationImpersonation role to a malicious user or application, they can gain the ability to impersonate any user within the organization. This can lead to unauthorized access to sensitive information, manipulation of mailbox data, and other malicious actions. The attacker can effectively masquerade as a legitimate user, making their actions harder to detect and potentially causing significant harm to the organization. +description: The following analytic detects the assignment of the ApplicationImpersonation + role in Office 365 to a user or application. It uses the Office 365 Management Activity + API to monitor Azure Active Directory audit logs for role assignment events. This + activity is significant because the ApplicationImpersonation role allows impersonation + of any user, enabling access to and modification of their mailbox. If confirmed + malicious, an attacker could gain unauthorized access to sensitive information, + manipulate mailbox data, and perform actions as a legitimate user, posing a severe + security risk to the organization. search: '`o365_management_activity` Workload=Exchange Operation="New-ManagementRoleAssignment" Role=ApplicationImpersonation - | rename User as target_user - | stats max(_time) as lastTime by Operation, user, object, ObjectId, Role, target_user - | `security_content_ctime(lastTime)` - | `o365_applicationimpersonation_role_assigned_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: While infrequent, the ApplicationImpersonation role may be granted for leigimate reasons, filter as needed. + | rename User as target_user | stats max(_time) as lastTime by Operation, user, + object, ObjectId, Role, target_user | `security_content_ctime(lastTime)` | `o365_applicationimpersonation_role_assigned_filter`' +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: While infrequent, the ApplicationImpersonation role may be + granted for leigimate reasons, filter as needed. references: - https://attack.mitre.org/techniques/T1098/002/ - https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452 @@ -58,6 +65,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.002/application_impersonation_role_assigned/application_impersonation_role_assigned.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.002/application_impersonation_role_assigned/application_impersonation_role_assigned.log source: O365 sourcetype: o365:management:activity diff --git a/detections/cloud/o365_block_user_consent_for_risky_apps_disabled.yml b/detections/cloud/o365_block_user_consent_for_risky_apps_disabled.yml index e0928565ad..447f87e2d5 100644 --- a/detections/cloud/o365_block_user_consent_for_risky_apps_disabled.yml +++ b/detections/cloud/o365_block_user_consent_for_risky_apps_disabled.yml @@ -1,25 +1,37 @@ name: O365 Block User Consent For Risky Apps Disabled id: 12a23592-e3da-4344-8545-205d3290647c -version: 1 -date: '2023-10-26' +version: 2 +date: '2024-05-26' author: Mauricio Velazco, Splunk status: production type: TTP -data_source: +data_source: - O365 Update authorization policy. -description: This analytic detects when the "risk-based step-up consent" security setting in Microsoft 365 is disabled. This setting, when enabled, prevents regular users from granting consent to potentially malicious OAuth applications, requiring an administrative "step-up" for consent instead. Disabling this feature could expose the organization to OAuth phishing threats.The detection operates by monitoring Azure Active Directory logs for events where the "Update authorization policy" operation is performed. It specifically looks for changes to the "AllowUserConsentForRiskyApps" setting, identifying instances where this setting is switched to "true," effectively disabling the risk-based step-up consent. Monitoring for changes to critical security settings like the "risk-based step-up consent" is vital for maintaining the integrity of an organization's security posture. Disabling this feature can make the environment more susceptible to OAuth phishing attacks, where attackers trick users into granting permissions to malicious applications. Identifying when this setting is disabled can help blue teams to quickly respond, investigate, and potentially uncover targeted phishing campaigns against their users. If an attacker successfully disables the "risk-based step-up consent" and subsequently launches an OAuth phishing campaign, they could gain unauthorized access to user data and other sensitive information within the M365 environment. This could lead to data breaches, unauthorized access to emails, and potentially further compromise within the organization. +description: The following analytic detects when the "risk-based step-up consent" + security setting in Microsoft 365 is disabled. It monitors Azure Active Directory + logs for the "Update authorization policy" operation, specifically changes to the + "AllowUserConsentForRiskyApps" setting. This activity is significant because disabling + this feature can expose the organization to OAuth phishing threats, allowing users + to grant consent to malicious applications. If confirmed malicious, attackers could + gain unauthorized access to user data and sensitive information, leading to data + breaches and further compromise within the organization. search: >- - `o365_management_activity` Workload=AzureActiveDirectory Operation="Update authorization policy." - | eval index_number = if(mvfind('ModifiedProperties{}.Name', "AllowUserConsentForRiskyApps") >= 0, mvfind('ModifiedProperties{}.Name', "AllowUserConsentForRiskyApps"), -1) - | search index_number >= 0 - | eval AllowUserConsentForRiskyApps = mvindex('ModifiedProperties{}.NewValue',index_number) + `o365_management_activity` Workload=AzureActiveDirectory Operation="Update authorization + policy." + | eval index_number = if(mvfind('ModifiedProperties{}.Name', "AllowUserConsentForRiskyApps") + >= 0, mvfind('ModifiedProperties{}.Name', "AllowUserConsentForRiskyApps"), -1) + | search index_number >= 0 | eval AllowUserConsentForRiskyApps = mvindex('ModifiedProperties{}.NewValue',index_number) | where AllowUserConsentForRiskyApps like "%true%" - | stats count min(_time) as firstTime max(_time) as lastTime by user, Operation, AllowUserConsentForRiskyApps, user_agent + | stats count min(_time) as firstTime max(_time) as lastTime by user, Operation, + AllowUserConsentForRiskyApps, user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_block_user_consent_for_risky_apps_disabled_filter` -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: Legitimate changes to the 'risk-based step-up consent' setting by administrators, perhaps as part of a policy update or security assessment, may trigger this alert, necessitating verification of the change's intent and authorization. +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: Legitimate changes to the 'risk-based step-up consent' setting + by administrators, perhaps as part of a policy update or security assessment, may + trigger this alert, necessitating verification of the change's intent and authorization. references: - https://attack.mitre.org/techniques/T1562/ - https://goodworkaround.com/2020/10/19/a-look-behind-the-azure-ad-permission-classifications-preview/ @@ -57,6 +69,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562/o365_disable_blockconsent_for_riskapps/o365_disable_blockconsent_for_riskapps.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562/o365_disable_blockconsent_for_riskapps/o365_disable_blockconsent_for_riskapps.log source: O365 - sourcetype: o365:management:activity \ No newline at end of file + sourcetype: o365:management:activity diff --git a/detections/cloud/o365_bypass_mfa_via_trusted_ip.yml b/detections/cloud/o365_bypass_mfa_via_trusted_ip.yml index 5119d0f1d8..a33d96cb85 100644 --- a/detections/cloud/o365_bypass_mfa_via_trusted_ip.yml +++ b/detections/cloud/o365_bypass_mfa_via_trusted_ip.yml @@ -1,12 +1,20 @@ name: O365 Bypass MFA via Trusted IP id: c783dd98-c703-4252-9e8a-f19d9f66949e -version: 3 -date: '2022-02-03' +version: 4 +date: '2024-05-15' author: Bhavin Patel, Mauricio Velazco, Splunk status: production type: TTP -description: This analytic identifies instances where new IP addresses are added to the trusted IPs list in Office 365, potentially allowing users from these IPs to bypass Multi-Factor Authentication (MFA) during login. The detection leverages O365 audit logs, specifically focusing on events related to the modification of trusted IP settings. By monitoring these logs, the analytic captures and alerts on any addition of new trusted IPs. Adding trusted IPs to bypass MFA is a significant security concern. While there might be legitimate reasons to add trusted IPs, such as for a new office location, there's also a risk of attackers or malicious insiders using this to facilitate unauthorized access. Monitoring for changes to the trusted IP list helps ensure that any attempt to bypass MFA is legitimate and authorized. If the detection is a true positive, it suggests that users logging in from the newly added trusted IP can bypass MFA, potentially weakening the security posture of the organization. This could lead to unauthorized access, especially if the IP was added maliciously. Immediate investigation is required to validate the legitimacy of the IP addition and to assess potential security implications. -data_source: +description: The following analytic identifies instances where new IP addresses are + added to the trusted IPs list in Office 365, potentially allowing users from these + IPs to bypass Multi-Factor Authentication (MFA) during login. It leverages O365 + audit logs, specifically focusing on events related to the modification of trusted + IP settings. This activity is significant because adding trusted IPs can weaken + the security posture by bypassing MFA, which is a critical security control. If + confirmed malicious, this could lead to unauthorized access, compromising sensitive + information and systems. Immediate investigation is required to validate the legitimacy + of the IP addition. +data_source: - O365 Set Company Information. search: '`o365_management_activity` Operation="Set Company Information." ModifiedProperties{}.Name=StrongAuthenticationPolicy | rex max_match=100 field=ModifiedProperties{}.NewValue "(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/\d{1,2})" @@ -65,6 +73,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.007/o365_bypass_mfa_via_trusted_ip/o365_bypass_mfa_via_trusted_ip.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.007/o365_bypass_mfa_via_trusted_ip/o365_bypass_mfa_via_trusted_ip.json sourcetype: o365:management:activity source: o365 diff --git a/detections/cloud/o365_compliance_content_search_exported.yml b/detections/cloud/o365_compliance_content_search_exported.yml index 94da773222..2103c7707a 100644 --- a/detections/cloud/o365_compliance_content_search_exported.yml +++ b/detections/cloud/o365_compliance_content_search_exported.yml @@ -1,19 +1,27 @@ name: O365 Compliance Content Search Exported id: 2ce9f31d-ab4f-4179-b2b7-c77a9652e1d8 -version: 1 -date: '2024-04-01' +version: 2 +date: '2024-05-24' author: Mauricio Velazco, Splunk data_source: [] type: TTP status: production -description: This detection targets activities where the results of a content search within the Office 365 Security and Compliance Center are exported, a crucial phase in the compliance and investigative workflows. By focusing on the SearchExported operation logged under the SecurityComplianceCenter workload in the o365_management_activity, this analytic flags instances that potentially move sensitive or critical organizational data outside its original storage locations. +description: The following analytic identifies when the results of a content search + within the Office 365 Security and Compliance Center are exported. It uses the SearchExported + operation from the SecurityComplianceCenter workload in the o365_management_activity + data source. This activity is significant because exporting search results can involve + sensitive or critical organizational data, potentially leading to data exfiltration. + If confirmed malicious, an attacker could gain access to and exfiltrate sensitive + information, posing a severe risk to the organization's data security and compliance + posture. search: ' `o365_management_activity` Workload=SecurityComplianceCenter Operation="SearchExported" - | rename user_id as user - | stats count earliest(_time) as firstTime latest(_time) as lastTime by Operation, ObjectId, ExchangeLocations, user, Query |`security_content_ctime(firstTime)` - |`security_content_ctime(lastTime)` - | `o365_compliance_content_search_exported_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: Compliance content searche exports may be executed for legitimate purposes, filter as needed. + | rename user_id as user | stats count earliest(_time) as firstTime latest(_time) + as lastTime by Operation, ObjectId, ExchangeLocations, user, Query |`security_content_ctime(firstTime)` + |`security_content_ctime(lastTime)` | `o365_compliance_content_search_exported_filter`' +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: Compliance content searche exports may be executed for legitimate + purposes, filter as needed. references: - https://attack.mitre.org/techniques/T1114/002/ - https://learn.microsoft.com/en-us/purview/ediscovery-content-search-overview @@ -51,6 +59,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.002/o365_compliance_content_search_exported/o365_compliance_content_search_exported.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.002/o365_compliance_content_search_exported/o365_compliance_content_search_exported.log sourcetype: o365:management:activity source: o365 diff --git a/detections/cloud/o365_compliance_content_search_started.yml b/detections/cloud/o365_compliance_content_search_started.yml index 0de0995ca2..28eeaca71b 100644 --- a/detections/cloud/o365_compliance_content_search_started.yml +++ b/detections/cloud/o365_compliance_content_search_started.yml @@ -1,19 +1,27 @@ name: O365 Compliance Content Search Started id: f4cabbc7-c19a-4e41-8be5-98daeaccbb50 -version: 1 -date: '2024-04-01' +version: 2 +date: '2024-05-15' author: Mauricio Velazco, Splunk data_source: [] type: TTP status: production -description: This detection will trigger when a content search is initiated within the Office 365 Security and Compliance Center, a critical component in the suite's governance, risk management, and compliance (GRC) capabilities. By monitoring the SearchCreated operation within the o365_management_activity logs, specifically under the SecurityComplianceCenter workload, this analytic flags the commencement of searches across the organization's data, including emails, documents, and more, that reside in ExchangeLocations. +description: The following analytic detects when a content search is initiated within + the Office 365 Security and Compliance Center. It leverages the SearchCreated operation + from the o365_management_activity logs under the SecurityComplianceCenter workload. + This activity is significant as it may indicate an attempt to access sensitive organizational + data, including emails and documents. If confirmed malicious, this could lead to + unauthorized data access, potential data exfiltration, and compliance violations. + Monitoring this behavior helps ensure the integrity and security of organizational + data. search: ' `o365_management_activity` Workload=SecurityComplianceCenter Operation=SearchCreated - | rename user_id as user - | stats count earliest(_time) as firstTime latest(_time) as lastTime by Operation, ObjectId, ExchangeLocations, user, Query |`security_content_ctime(firstTime)` - |`security_content_ctime(lastTime)` - | `o365_compliance_content_search_started_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: Compliance content searches may be executed for legitimate purposes, filter as needed. + | rename user_id as user | stats count earliest(_time) as firstTime latest(_time) + as lastTime by Operation, ObjectId, ExchangeLocations, user, Query |`security_content_ctime(firstTime)` + |`security_content_ctime(lastTime)` | `o365_compliance_content_search_started_filter`' +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: Compliance content searches may be executed for legitimate + purposes, filter as needed. references: - https://attack.mitre.org/techniques/T1114/002/ - https://learn.microsoft.com/en-us/purview/ediscovery-content-search-overview @@ -51,6 +59,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.002/o365_compliance_content_search_started/o365_compliance_content_search_started.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.002/o365_compliance_content_search_started/o365_compliance_content_search_started.log sourcetype: o365:management:activity - source: o365 \ No newline at end of file + source: o365 diff --git a/detections/cloud/o365_concurrent_sessions_from_different_ips.yml b/detections/cloud/o365_concurrent_sessions_from_different_ips.yml index 8e4b402825..94efdef9cd 100644 --- a/detections/cloud/o365_concurrent_sessions_from_different_ips.yml +++ b/detections/cloud/o365_concurrent_sessions_from_different_ips.yml @@ -1,19 +1,24 @@ name: O365 Concurrent Sessions From Different Ips id: 58e034de-1f87-4812-9dc3-a4f68c7db930 -version: 1 -date: '2023-12-04' +version: 2 +date: '2024-05-27' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic identies scenarios where the same user session is accessed from multiple IP addresses. This situation typically arises in an adversary-in-the-middle (AiTM) phishing attack, where attackers compromise user sessions. The detection method involves analyzing Azure Active Directory logs for 'UserLoggedIn' operations. It focuses on identifying sessions where the number of associated IP addresses exceeds one for the same SessionId. This pattern suggests potential unauthorized concurrent access, which is atypical under normal usage scenarios. If a true positive is identified, it implies that an adversary has gained unauthorized access to a user's Office 365 account. The ramifications of this can be significant, including data theft, account takeover, and launching of internal phishing campaigns. -data_source: +description: The following analytic identifies user sessions in Office 365 accessed + from multiple IP addresses, indicating potential adversary-in-the-middle (AiTM) + phishing attacks. It detects this activity by analyzing Azure Active Directory logs + for 'UserLoggedIn' operations and flags sessions with more than one associated IP + address. This behavior is significant as it suggests unauthorized concurrent access, + which is uncommon in normal usage. If confirmed malicious, the impact could include + data theft, account takeover, and the launching of internal phishing campaigns, + posing severe risks to organizational security. +data_source: - O365 UserLoggedIn search: ' `o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoggedIn - | stats min(_time) as firstTime max(_time) as lastTime values(src_ip) as ips values(user_agent) as user_agents by Operation, user, SessionId - | where mvcount(ips) > 1 - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `o365_concurrent_sessions_from_different_ips_filter`' + | stats min(_time) as firstTime max(_time) as lastTime values(src_ip) as ips values(user_agent) + as user_agents by Operation, user, SessionId | where mvcount(ips) > 1 | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `o365_concurrent_sessions_from_different_ips_filter`' how_to_implement: You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity known_false_positives: Unknown @@ -27,7 +32,8 @@ tags: asset_type: O365 Tenant confidence: 60 impact: 70 - message: User $user$ has logged in with the same session id from more than one unique IP address + message: User $user$ has logged in with the same session id from more than one unique + IP address mitre_attack_id: - T1185 observable: @@ -55,7 +61,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1185/o365_concurrent_sessions_from_different_ips/o365_concurrent_sessions_from_different_ips.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1185/o365_concurrent_sessions_from_different_ips/o365_concurrent_sessions_from_different_ips.log sourcetype: o365:management:activity source: o365 update_timestamp: true diff --git a/detections/cloud/o365_disable_mfa.yml b/detections/cloud/o365_disable_mfa.yml index 49a20fede9..9b85e10668 100644 --- a/detections/cloud/o365_disable_mfa.yml +++ b/detections/cloud/o365_disable_mfa.yml @@ -1,12 +1,20 @@ name: O365 Disable MFA id: c783dd98-c703-4252-9e8a-f19d9f5c949e -version: 2 -date: '2022-02-03' +version: 3 +date: '2024-05-11' author: Rod Soto, Splunk status: production type: TTP -description: This analytic identifies instances where Multi-Factor Authentication (MFA) is disabled for a user within the Office 365 environment. Disabling MFA removes a critical security layer, making accounts more vulnerable to unauthorized access. The detection leverages O365 audit logs, specifically focusing on events related to MFA settings. By monitoring these logs, the analytic captures and alerts on any actions that result in the deactivation or disabling of MFA for a user. MFA is a cornerstone of modern security practices, providing an additional layer of protection beyond just a password. Disabling MFA, especially without a valid reason, poses a significant security risk. Attackers, after gaining initial access to an account, might disable MFA to ensure easier re-entry and persistence. Monitoring for such changes is crucial to detect potential security breaches and to ensure that security best practices are consistently applied. If the detection is a true positive, it indicates that a user's account is now at increased risk of unauthorized access, as the added security layer of MFA has been removed. This could be a sign of an attacker trying to maintain persistence or an insider threat. Immediate investigation is required to validate the reason for disabling MFA, potentially re-enable it, and assess any other suspicious activities related to the affected account. -data_source: +description: The following analytic identifies instances where Multi-Factor Authentication + (MFA) is disabled for a user within the Office 365 environment. It leverages O365 + audit logs, specifically focusing on events related to MFA settings. Disabling MFA + removes a critical security layer, making accounts more vulnerable to unauthorized + access. If confirmed malicious, this activity could indicate an attacker attempting + to maintain persistence or an insider threat, significantly increasing the risk + of unauthorized access. Immediate investigation is required to validate the reason + for disabling MFA, potentially re-enable it, and assess any other suspicious activities + related to the affected account. +data_source: - O365 Disable Strong Authentication. search: '`o365_management_activity` Operation="Disable Strong Authentication." | stats count earliest(_time) as firstTime latest(_time) as lastTime by UserType Operation @@ -51,6 +59,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/o365_disable_mfa/o365_disable_mfa.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/o365_disable_mfa/o365_disable_mfa.json sourcetype: o365:management:activity source: o365 diff --git a/detections/cloud/o365_elevated_mailbox_permission_assigned.yml b/detections/cloud/o365_elevated_mailbox_permission_assigned.yml index 6e63a5203e..b2c1c243e6 100644 --- a/detections/cloud/o365_elevated_mailbox_permission_assigned.yml +++ b/detections/cloud/o365_elevated_mailbox_permission_assigned.yml @@ -1,21 +1,28 @@ name: O365 Elevated Mailbox Permission Assigned id: 2246c142-a678-45f8-8546-aaed7e0efd30 -version: 1 -date: '2024-03-31' +version: 2 +date: '2024-05-15' author: Patrick Bareiss, Mauricio Velazco, Splunk data_source: [] type: TTP status: production -description: This detection triggers on the assignment of elevated mailbox permissions within an Office 365 environment, specifically through the Add-MailboxPermission operation, as logged under the Exchange workload in the o365_management_activity. It is meticulously designed to spotlight instances where critical permissions such as FullAccess, ChangePermission, or ChangeOwner are granted, marking significant alterations in mailbox access controls. -search: ' `o365_management_activity` Workload=Exchange Operation=Add-MailboxPermission +description: The following analytic identifies the assignment of elevated mailbox + permissions in an Office 365 environment via the Add-MailboxPermission operation. + It leverages logs from the Exchange workload in the o365_management_activity data + source, focusing on permissions such as FullAccess, ChangePermission, or ChangeOwner. + This activity is significant as it indicates potential unauthorized access or control + over mailboxes, which could lead to data exfiltration or privilege escalation. If + confirmed malicious, attackers could gain extensive access to sensitive email data + and potentially manipulate mailbox settings, posing a severe security risk. +search: ' `o365_management_activity` Workload=Exchange Operation=Add-MailboxPermission | search (AccessRights=FullAccess OR AccessRights=ChangePermission OR AccessRights=ChangeOwner) - | rename Identity AS dest_user - | stats count earliest(_time) as firstTime latest(_time) as lastTime by user dest_user Operation AccessRights - |`security_content_ctime(firstTime)` - |`security_content_ctime(lastTime)` - | `o365_elevated_mailbox_permission_assigned_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: FullAccess mailbox delegation may be assigned for legitimate purposes, filter as needed. + | rename Identity AS dest_user | stats count earliest(_time) as firstTime latest(_time) + as lastTime by user dest_user Operation AccessRights |`security_content_ctime(firstTime)` + |`security_content_ctime(lastTime)` | `o365_elevated_mailbox_permission_assigned_filter`' +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: FullAccess mailbox delegation may be assigned for legitimate + purposes, filter as needed. references: - https://attack.mitre.org/techniques/T1098/002/ - https://learn.microsoft.com/en-us/powershell/module/exchange/add-mailboxpermission @@ -52,7 +59,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.002/suspicious_rights_delegation/suspicious_rights_delegation.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.002/suspicious_rights_delegation/suspicious_rights_delegation.json source: o365:management:activity sourcetype: o365:management:activity diff --git a/detections/cloud/o365_file_permissioned_application_consent_granted_by_user.yml b/detections/cloud/o365_file_permissioned_application_consent_granted_by_user.yml index fa4b941926..f0fbd80d5d 100644 --- a/detections/cloud/o365_file_permissioned_application_consent_granted_by_user.yml +++ b/detections/cloud/o365_file_permissioned_application_consent_granted_by_user.yml @@ -1,26 +1,37 @@ name: O365 File Permissioned Application Consent Granted by User id: 6c382336-22b8-4023-9b80-1689e799f21f -version: 1 -date: '2023-10-18' +version: 2 +date: '2024-05-27' author: Mauricio Velazco, Splunk status: production type: TTP -data_source: +data_source: - O365 Consent to application. -description: This analytic identifies instances where a user in the Office 365 environment grants consent to an application that requests file permissions, specifically targeting OneDrive or SharePoint. Such permissions mean the application could potentially access, modify, or delete files stored within these services. The detection process leverages O365 audit logs, particularly focusing on events related to OAuth application consents. By examining these logs, the analytic is designed to capture and alert on any actions where users grant consent to applications requesting file-related permissions for OneDrive or SharePoint. The sensitivity of file permissions, especially in platforms as widely utilized as OneDrive and SharePoint, cannot be overstated. While many legitimate applications might require such permissions to operate, there's an inherent risk with malicious or overly permissive applications. Attackers could craft or exploit applications to gain file permissions, aiming to access, exfiltrate, or manipulate sensitive data housed in OneDrive or SharePoint. It's crucial for security operations centers to monitor these consents to ensure that only trustworthy applications gain access and that users aren't inadvertently granting permissions to potentially harmful applications. If this detection flags a true positive, it indicates that an application has been granted permissions that could allow it to interact with OneDrive or SharePoint files in potentially malicious ways. Such actions could lead to data breaches, data loss, or unauthorized data manipulation. Immediate investigation would be required to validate the application's legitimacy, understand the nature of its requested permissions, and assess the potential risks associated with the access it's been granted. +description: The following analytic identifies instances where a user in the Office + 365 environment grants consent to an application requesting file permissions for + OneDrive or SharePoint. It leverages O365 audit logs, focusing on OAuth application + consent events. This activity is significant because granting such permissions can + allow applications to access, modify, or delete files, posing a risk if the application + is malicious or overly permissive. If confirmed malicious, this could lead to data + breaches, data loss, or unauthorized data manipulation, necessitating immediate + investigation to validate the application's legitimacy and assess potential risks. search: >- - `o365_management_activity` Workload=AzureActiveDirectory Operation="Consent to application." ResultStatus=Success + `o365_management_activity` Workload=AzureActiveDirectory Operation="Consent to application." + ResultStatus=Success | eval admin_consent =mvindex('ModifiedProperties{}.NewValue', 0) | search admin_consent=False | eval permissions =mvindex('ModifiedProperties{}.NewValue', 4) | rex field=permissions "Scope: (?[^,]+)" | makemv delim=" " Scope - | search Scope IN ("Files.Read", "Files.Read.All", "Files.ReadWrite", "Files.ReadWrite.All", "Files.ReadWrite.AppFolder") + | search Scope IN ("Files.Read", "Files.Read.All", "Files.ReadWrite", "Files.ReadWrite.All", + "Files.ReadWrite.AppFolder") | stats max(_time) as lastTime values(Scope) by Operation, user, object, ObjectId | `security_content_ctime(lastTime)` | `o365_file_permissioned_application_consent_granted_by_user_filter` -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: OAuth applications that require file permissions may be legitimate, investigate and filter as needed. +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: OAuth applications that require file permissions may be legitimate, + investigate and filter as needed. references: - https://attack.mitre.org/techniques/T1528/ - https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/ @@ -58,6 +69,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1528/o365_user_consent_file_permissions/o365_user_consent_file_permissions.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1528/o365_user_consent_file_permissions/o365_user_consent_file_permissions.log source: o365 sourcetype: o365:management:activity diff --git a/detections/cloud/o365_fullaccessasapp_permission_assigned.yml b/detections/cloud/o365_fullaccessasapp_permission_assigned.yml index 93b792ad1f..c6f2706e01 100644 --- a/detections/cloud/o365_fullaccessasapp_permission_assigned.yml +++ b/detections/cloud/o365_fullaccessasapp_permission_assigned.yml @@ -1,25 +1,34 @@ name: O365 FullAccessAsApp Permission Assigned id: 01a510b3-a6ac-4d50-8812-7e8a3cde3d79 -version: 1 -date: '2024-01-29' +version: 2 +date: '2024-05-11' author: Mauricio Velazco, Splunk status: production type: TTP -data_source: +data_source: - O365 Update application. -description: The following analytic triggers on the assignment of the 'full_access_as_app' permission to an application registration in Office 365, specifically within Exchange Online. The 'full_access_as_app' permission, identified by its GUID 'dc890d15-9560-4a4c-9b7f-a736ec74ec40', allows an application extensive control over Office 365 operations, including access to all mailboxes and the ability to send mail as any user. The analytic focuses on the ResourceAppId '00000002-0000-0ff1-ce00-000000000000', pinpointing permissions granted to the Office 365 Exchange Online resource. By analyzing Office 365 management activity logs and filtering Azure Active Directory workload events, the query detects when this specific permission is assigned. Monitoring this assignment is vital due to the broad access it provides, which can lead to unauthorized data access or exfiltration if misused. A true positive detection requires immediate attention to prevent potential security risks like account compromise or data loss. +description: The following analytic detects the assignment of the 'full_access_as_app' + permission to an application registration in Office 365 Exchange Online. This detection + leverages Office 365 management activity logs and filters Azure Active Directory + workload events to identify when the specific permission, identified by GUID 'dc890d15-9560-4a4c-9b7f-a736ec74ec40', + is granted. This activity is significant because it provides extensive control over + Office 365 operations, including access to all mailboxes and the ability to send + mail as any user. If confirmed malicious, this could lead to unauthorized data access, + exfiltration, or account compromise. Immediate investigation is required. search: >- - `o365_management_activity` Workload=AzureActiveDirectory Operation="Update application." - | eval newvalue = mvindex('ModifiedProperties{}.NewValue',0) - | spath input=newvalue - | search "{}.ResourceAppId"="00000002-0000-0ff1-ce00-000000000000" "{}.RequiredAppPermissions{}.EntitlementId"="dc890d15-9560-4a4c-9b7f-a736ec74ec40" - | eval Permissions = '{}.RequiredAppPermissions{}.EntitlementId' - | stats count earliest(_time) as firstTime latest(_time) as lastTime values(Permissions) by user, object, user_agent, Operation - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `o365_fullaccessasapp_permission_assigned_filter` -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: The full_access_as_app API permission may be assigned to legitimate applications. Filter as needed. + `o365_management_activity` Workload=AzureActiveDirectory Operation="Update application." + | eval newvalue = mvindex('ModifiedProperties{}.NewValue',0) + | spath input=newvalue | search "{}.ResourceAppId"="00000002-0000-0ff1-ce00-000000000000" "{}.RequiredAppPermissions{}.EntitlementId"="dc890d15-9560-4a4c-9b7f-a736ec74ec40" + | eval Permissions = '{}.RequiredAppPermissions{}.EntitlementId' + | stats count earliest(_time) as firstTime latest(_time) as lastTime values(Permissions) + by user, object, user_agent, Operation + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `o365_fullaccessasapp_permission_assigned_filter` +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: The full_access_as_app API permission may be assigned to legitimate + applications. Filter as needed. references: - https://msrc.microsoft.com/blog/2024/01/microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/ - https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/ @@ -31,7 +40,8 @@ tags: asset_type: O365 Tenant confidence: 60 impact: 80 - message: User $user$ assigned the full_access_as_app permission to the app registration $object$ + message: User $user$ assigned the full_access_as_app permission to the app registration + $object$ mitre_attack_id: - T1098.002 - T1098.003 @@ -57,6 +67,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.002/o365_full_access_as_app_permission_assigned/o365_full_access_as_app_permission_assigned.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.002/o365_full_access_as_app_permission_assigned/o365_full_access_as_app_permission_assigned.log source: o365:management:activity sourcetype: o365:management:activity diff --git a/detections/cloud/o365_high_number_of_failed_authentications_for_user.yml b/detections/cloud/o365_high_number_of_failed_authentications_for_user.yml index 312dae8668..e684d23e4c 100644 --- a/detections/cloud/o365_high_number_of_failed_authentications_for_user.yml +++ b/detections/cloud/o365_high_number_of_failed_authentications_for_user.yml @@ -1,20 +1,27 @@ name: O365 High Number Of Failed Authentications for User id: 31641378-2fa9-42b1-948e-25e281cb98f7 -version: 1 -date: '2023-10-10' +version: 2 +date: '2024-05-16' author: Mauricio Velazco, Splunk status: production type: TTP -data_source: +data_source: - O365 UserLoginFailed -description: The following analytic identifies an O365 account that has experienced more than 20 failed authentication events within a span of 5 minutes. This could be indicative of an attacker attempting to brute force or guess the password for that particular user account. It leverages the O365 Unified Audit Logs, specifically the "UserLoginFailed" events. By monitoring the frequency and volume of these events for individual users, the analytic can flag accounts that exceed the set threshold of failed attempts within the defined timeframe. Multiple failed login attempts in a short period can be a strong indicator of malicious activity. While there could be benign reasons, such as a user forgetting their password, the rapid succession of failed attempts is often a sign of an attacker trying to gain unauthorized access. By detecting and alerting on this behavior, the SOC can quickly investigate and take appropriate action, potentially stopping an attack in its early stages. Given that environments differ across organizations, security teams should consider customizing the threshold of this detection to better suit their specific needs and risk profile. If an attacker successfully guesses or brute-forces a user's password after numerous attempts, they can gain unauthorized access to the O365 environment. This unauthorized access could allow them to view sensitive emails, documents, and other data. -search: ' `o365_management_activity` Operation=UserLoginFailed record_type=AzureActiveDirectoryStsLogon Workload=AzureActiveDirectory - | bucket span=5m _time - | stats dc(_raw) AS failed_attempts values(src_ip) as src_ip by user, _time - | where failed_attempts > 10 - | `o365_high_number_of_failed_authentications_for_user_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: Although unusual, users who have lost their passwords may trigger this detection. Filter as needed. +description: The following analytic identifies an O365 account experiencing more than + 20 failed authentication attempts within 5 minutes. It uses O365 Unified Audit Logs, + specifically "UserLoginFailed" events, to monitor and flag accounts exceeding this + threshold. This activity is significant as it may indicate a brute force attack + or password guessing attempt. If confirmed malicious, an attacker could gain unauthorized + access to the O365 environment, potentially compromising sensitive emails, documents, + and other data. Prompt investigation and action are crucial to prevent unauthorized + access and data breaches. +search: ' `o365_management_activity` Operation=UserLoginFailed record_type=AzureActiveDirectoryStsLogon + Workload=AzureActiveDirectory | bucket span=5m _time | stats dc(_raw) AS failed_attempts values(src_ip) + as src_ip by user, _time | where failed_attempts > 10 | `o365_high_number_of_failed_authentications_for_user_filter`' +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: Although unusual, users who have lost their passwords may trigger + this detection. Filter as needed. references: - https://attack.mitre.org/techniques/T1110/ - https://attack.mitre.org/techniques/T1110/001/ @@ -24,7 +31,8 @@ tags: asset_type: O365 Tenant confidence: 70 impact: 50 - message: User $user$ failed to authenticate more than 10 times in the span of 5 minutes. + message: User $user$ failed to authenticate more than 10 times in the span of 5 + minutes. mitre_attack_id: - T1110 - T1110.001 @@ -53,6 +61,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/o365_high_number_authentications_for_user/o365_high_number_authentications_for_user.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/o365_high_number_authentications_for_user/o365_high_number_authentications_for_user.log source: o365:management:activity sourcetype: o365:management:activity diff --git a/detections/cloud/o365_high_privilege_role_granted.yml b/detections/cloud/o365_high_privilege_role_granted.yml index d7d1adadee..da3e718fb0 100644 --- a/detections/cloud/o365_high_privilege_role_granted.yml +++ b/detections/cloud/o365_high_privilege_role_granted.yml @@ -1,24 +1,34 @@ name: O365 High Privilege Role Granted id: e78a1037-4548-4072-bb1b-ad99ae416426 -version: 1 -date: '2023-10-20' +version: 2 +date: '2024-05-12' author: Mauricio Velazco, Splunk status: production type: TTP -data_source: +data_source: - O365 Add member to role. -description: This analytic detects when high-privilege roles, specifically "Exchange Administrator", "SharePoint Administrator", or "Global Administrator", are granted within Office 365. By monitoring O365 audit logs for events where these administrative roles are assigned to any user or service account, the analytic provides insight into critical role changes. The assignment of these roles is of paramount importance to Security Operations Centers (SOCs) as they grant extensive permissions, allowing for broad access and control over critical organizational resources and data. An unexpected or unauthorized role assignment could indicate potential malicious activity, insider threats, or misconfigurations. If an attacker or unauthorized individual is granted one of these roles, the potential impact includes gaining significant control over O365 resources, accessing, modifying, or deleting critical data, making configuration changes, and potentially compromising the overall security and functionality of the O365 environment. +description: The following analytic detects when high-privilege roles such as "Exchange + Administrator," "SharePoint Administrator," or "Global Administrator" are granted + within Office 365. It leverages O365 audit logs to identify events where these roles + are assigned to any user or service account. This activity is significant for SOCs + as these roles provide extensive permissions, allowing broad access and control + over critical resources and data. If confirmed malicious, this could enable attackers + to gain significant control over O365 resources, access, modify, or delete critical + data, and compromise the overall security and functionality of the O365 environment. search: >- `o365_management_activity` Operation="Add member to role." Workload=AzureActiveDirectory | eval role_id = mvindex('ModifiedProperties{}.NewValue',2) | eval role_name = mvindex('ModifiedProperties{}.NewValue',1) - | where role_id IN ("29232cdf-9323-42fd-ade2-1d097af3e4de", "f28a1f50-f6e7-4571-818b-6a12f2af6b6c", "62e90394-69f5-4237-9190-012177145e10") - | stats earliest(_time) as firstTime latest(_time) as lastTime by user Operation ObjectId role_name + | where role_id IN ("29232cdf-9323-42fd-ade2-1d097af3e4de", "f28a1f50-f6e7-4571-818b-6a12f2af6b6c", + "62e90394-69f5-4237-9190-012177145e10") | stats earliest(_time) as firstTime latest(_time) + as lastTime by user Operation ObjectId role_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_high_privilege_role_granted_filter` -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: Privilege roles may be assigned for legitimate purposes, filter as needed. +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: Privilege roles may be assigned for legitimate purposes, filter + as needed. references: - https://attack.mitre.org/techniques/T1098/003/ - https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference @@ -55,6 +65,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/o365_high_priv_role_assigned/o365_high_priv_role_assigned.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/o365_high_priv_role_assigned/o365_high_priv_role_assigned.log source: o365 sourcetype: o365:management:activity diff --git a/detections/cloud/o365_mail_permissioned_application_consent_granted_by_user.yml b/detections/cloud/o365_mail_permissioned_application_consent_granted_by_user.yml index 38509dc825..41b81db2a0 100644 --- a/detections/cloud/o365_mail_permissioned_application_consent_granted_by_user.yml +++ b/detections/cloud/o365_mail_permissioned_application_consent_granted_by_user.yml @@ -1,26 +1,38 @@ name: O365 Mail Permissioned Application Consent Granted by User id: fddad083-cdf5-419d-83c6-baa85e329595 -version: 1 -date: '2023-10-12' +version: 2 +date: '2024-05-14' author: Mauricio Velazco, Splunk status: production type: TTP -data_source: +data_source: - O365 Consent to application. -description: The following analytic identifies instances where a user grants consent to an application that requests mail related permissions within the Office 365 environment. This could involve permissions to read, send, or manage mail settings. It leverages the O365 audit logs, specifically events related to application permissions and user consent actions. By filtering for mail-related permissions and user-granted consents, the analytic pinpoints potential security concerns. While many legitimate applications request mail permissions for valid reasons, malicious actors can exploit these permissions for data exfiltration, spear phishing, or other malicious activities. By monitoring for user-granted mail permissions, security teams can identify and review potentially risky consents, ensuring that only trusted applications have access to sensitive email data. If the detection is a true positive, it indicates that an application now has access to the users mail data as permitted. In the hands of a malicious actor, this could lead to unauthorized data access, email forwarding, or even the sending of malicious emails from the compromised account. Its crucial to validate the legitimacy of the application and the context of the consent to prevent potential data breaches or further malicious activities. +description: The following analytic identifies instances where a user grants consent + to an application requesting mail-related permissions within the Office 365 environment. + It leverages O365 audit logs, specifically focusing on events related to application + permissions and user consent actions. This activity is significant as it can indicate + potential security risks, such as data exfiltration or spear phishing, if malicious + applications gain access. If confirmed malicious, this could lead to unauthorized + data access, email forwarding, or sending malicious emails from the compromised + account. Validating the legitimacy of the application and consent context is crucial + to prevent data breaches. search: >- - `o365_management_activity` Workload=AzureActiveDirectory Operation="Consent to application." ResultStatus=Success + `o365_management_activity` Workload=AzureActiveDirectory Operation="Consent to application." + ResultStatus=Success | eval admin_consent =mvindex('ModifiedProperties{}.NewValue', 0) | search admin_consent=False | eval permissions =mvindex('ModifiedProperties{}.NewValue', 4) | rex field=permissions "Scope: (?[^,]+)" | makemv delim=" " Scope - | search Scope IN ("Mail.Read", "Mail.ReadBasic", "Mail.ReadWrite", "Mail.Read.Shared", "Mail.ReadWrite.Shared", "Mail.Send", "Mail.Send.Shared") + | search Scope IN ("Mail.Read", "Mail.ReadBasic", "Mail.ReadWrite", "Mail.Read.Shared", + "Mail.ReadWrite.Shared", "Mail.Send", "Mail.Send.Shared") | stats max(_time) as lastTime values(Scope) by Operation, user, object, ObjectId | `security_content_ctime(lastTime)` | `o365_mail_permissioned_application_consent_granted_by_user_filter` -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: OAuth applications that require mail permissions may be legitimate, investigate and filter as needed. +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: OAuth applications that require mail permissions may be legitimate, + investigate and filter as needed. references: - https://attack.mitre.org/techniques/T1528/ - https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/ @@ -59,7 +71,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1528/o365_user_consent_mail_permissions/o365_user_consent_mail_permissions.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1528/o365_user_consent_mail_permissions/o365_user_consent_mail_permissions.log source: o365 sourcetype: o365:management:activity diff --git a/detections/cloud/o365_mailbox_email_forwarding_enabled.yml b/detections/cloud/o365_mailbox_email_forwarding_enabled.yml index 01acd539a9..feb85ab074 100644 --- a/detections/cloud/o365_mailbox_email_forwarding_enabled.yml +++ b/detections/cloud/o365_mailbox_email_forwarding_enabled.yml @@ -1,26 +1,34 @@ name: O365 Mailbox Email Forwarding Enabled id: 0b6bc75c-05d1-4101-9fc3-97e706168f24 -version: 1 -date: '2024-03-26' +version: 2 +date: '2024-05-24' author: Patrick Bareiss, Mauricio Velazco, Splunk data_source: [] type: TTP status: production -description: This detection is designed to identify instances where email forwarding has been enabled on mailboxes within an Office 365 environment. By monitoring for the specific operation Set-Mailbox within the o365_management_activity logs, this analytic hones in on changes made to mailbox configurations that initiate the forwarding of emails. It specifically looks for the activation of ForwardingAddress or ForwardingSmtpAddress parameters, indicating that emails are being automatically sent to another email address from the user's mailbox. +description: The following analytic identifies instances where email forwarding has + been enabled on mailboxes within an Office 365 environment. It detects this activity + by monitoring the Set-Mailbox operation within the o365_management_activity logs, + specifically looking for changes to the ForwardingAddress or ForwardingSmtpAddress + parameters. This activity is significant as unauthorized email forwarding can lead + to data exfiltration and unauthorized access to sensitive information. If confirmed + malicious, attackers could intercept and redirect emails, potentially compromising + confidential communications and leading to data breaches. search: >- - `o365_management_activity` Operation=Set-Mailbox - | eval match1=mvfind('Parameters{}.Name', "ForwardingAddress") + `o365_management_activity` Operation=Set-Mailbox | eval match1=mvfind('Parameters{}.Name', + "ForwardingAddress") | eval match2=mvfind('Parameters{}.Name', "ForwardingSmtpAddress") | where match1>= 0 OR match2>= 0 | eval ForwardTo=coalesce(ForwardingAddress, ForwardingSmtpAddress) - | search ForwardTo!="" - | rename user_id as user - | stats count earliest(_time) as firstTime latest(_time) as lastTime values(ForwardTo) as ForwardTo by user ObjectId - |`security_content_ctime(firstTime)` - |`security_content_ctime(lastTime)` + | search ForwardTo!="" | rename user_id as user + | stats count earliest(_time) as firstTime latest(_time) as lastTime values(ForwardTo) + as ForwardTo by user ObjectId + |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `o365_mailbox_email_forwarding_enabled_filter` -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: Email forwarding may be configured for legitimate purposes, filter as needed. +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: Email forwarding may be configured for legitimate purposes, + filter as needed. references: - https://attack.mitre.org/techniques/T1114/003/ - https://learn.microsoft.com/en-us/exchange/recipients/user-mailboxes/email-forwarding?view=exchserver-2019 @@ -55,6 +63,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.003/o365_mailbox_forwarding_enabled/o365_mailbox_forwarding_enabled.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.003/o365_mailbox_forwarding_enabled/o365_mailbox_forwarding_enabled.json sourcetype: o365:management:activity source: o365 diff --git a/detections/cloud/o365_mailbox_folder_read_permission_assigned.yml b/detections/cloud/o365_mailbox_folder_read_permission_assigned.yml index 955e6a71b0..49bbeb8296 100644 --- a/detections/cloud/o365_mailbox_folder_read_permission_assigned.yml +++ b/detections/cloud/o365_mailbox_folder_read_permission_assigned.yml @@ -1,22 +1,33 @@ name: O365 Mailbox Folder Read Permission Assigned id: 1435475e-2128-4417-a34f-59770733b0d5 -version: 1 -date: '2024-03-29' +version: 2 +date: '2024-05-14' author: Mauricio Velazco, Splunk data_source: [] type: TTP status: production -description: This detection is tailored to capture instances where read permissions are assigned to mailbox folders within an Office 365 environment, utilizing the operations ModifyFolderPermissions and AddFolderPermissions as captured in the o365_management_activity. Unlike other permission modifications, this detection excludes actions related to the Calendar, Contacts, and PersonMetadata objects, focusing on core mailbox folders. +description: The following analytic identifies instances where read permissions are + assigned to mailbox folders within an Office 365 environment. It leverages the `o365_management_activity` + data source, specifically monitoring the `ModifyFolderPermissions` and `AddFolderPermissions` + operations, while excluding Calendar, Contacts, and PersonMetadata objects. This + activity is significant as unauthorized read permissions can lead to data exposure + and potential information leakage. If confirmed malicious, an attacker could gain + unauthorized access to sensitive emails, leading to data breaches and compromising + the confidentiality of organizational communications. search: >- - `o365_management_activity` Workload=Exchange (Operation=ModifyFolderPermissions OR Operation=AddFolderPermissions) Workload=Exchange object!=Calendar object!=Contacts object!=PersonMetadata - | eval isReadRole=if(match('Item.ParentFolder.MemberRights', "(ReadAny)"), "true", "false") - | rename UserId as user - | stats count earliest(_time) as firstTime latest(_time) as lastTime by Operation, user, object, Item.ParentFolder.MemberUpn, Item.ParentFolder.MemberRights + `o365_management_activity` Workload=Exchange (Operation=ModifyFolderPermissions + OR Operation=AddFolderPermissions) Workload=Exchange object!=Calendar object!=Contacts + object!=PersonMetadata + | eval isReadRole=if(match('Item.ParentFolder.MemberRights', "(ReadAny)"), "true", + "false") | rename UserId as user | stats count earliest(_time) as firstTime latest(_time) + as lastTime by Operation, user, object, Item.ParentFolder.MemberUpn, Item.ParentFolder.MemberRights | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_mailbox_folder_read_permission_assigned_filter` -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: Mailbox folder permissions may be configured for legitimate purposes, filter as needed. +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: Mailbox folder permissions may be configured for legitimate + purposes, filter as needed. references: - https://attack.mitre.org/techniques/T1098/002/ - https://learn.microsoft.com/en-us/openspecs/exchange_server_protocols/ms-oxodlgt/5610c6e6-3268-44e3-adff-8804f5315946 @@ -52,6 +63,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.002/o365_mailbox_folder_read_granted/o365_mailbox_folder_read_granted.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.002/o365_mailbox_folder_read_granted/o365_mailbox_folder_read_granted.log source: o365 sourcetype: o365:management:activity diff --git a/detections/cloud/o365_mailbox_folder_read_permission_granted.yml b/detections/cloud/o365_mailbox_folder_read_permission_granted.yml index 0fb03e72d8..7d13aaa76c 100644 --- a/detections/cloud/o365_mailbox_folder_read_permission_granted.yml +++ b/detections/cloud/o365_mailbox_folder_read_permission_granted.yml @@ -1,22 +1,29 @@ name: O365 Mailbox Folder Read Permission Granted id: cd15c0a8-470e-4b12-9517-046e4927db30 -version: 1 -date: '2024-03-28' +version: 2 +date: '2024-05-25' author: Mauricio Velazco, Splunk data_source: [] type: TTP status: production -description: This detection focuses on identifying changes in mailbox folder permissions within an Office 365 environment, specifically pinpointing instances where read permissions are granted. It monitors for two key operations Set-MailboxFolderPermission and Add-MailboxFolderPermission, as logged in the o365_management_activity. These operations are indicative of modifications or additions to the permissions of mailbox folders, potentially altering who can view or interact with the folder contents. -search: ' `o365_management_activity` Workload=Exchange (Operation="Set-MailboxFolderPermission" OR Operation="Add-MailboxFolderPermission" ) - | eval isReadRole=if(match(AccessRights, "^(ReadItems|Author|NonEditingAuthor|Owner|PublishingAuthor|Reviewer)$"), "true", "false") - | search isReadRole="true" - | rename UserId as user - | stats count earliest(_time) as firstTime latest(_time) as lastTime by Operation, user, Identity, AccessRights - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `o365_mailbox_folder_read_permission_granted_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: Mailbox folder permissions may be configured for legitimate purposes, filter as needed. +description: The following analytic identifies instances where read permissions are + granted to mailbox folders within an Office 365 environment. It detects this activity + by monitoring the `o365_management_activity` data source for the `Set-MailboxFolderPermission` + and `Add-MailboxFolderPermission` operations. This behavior is significant as it + may indicate unauthorized access or changes to mailbox folder permissions, potentially + exposing sensitive email content. If confirmed malicious, an attacker could gain + unauthorized access to read email communications, leading to data breaches or information + leakage. +search: ' `o365_management_activity` Workload=Exchange (Operation="Set-MailboxFolderPermission" + OR Operation="Add-MailboxFolderPermission" ) | eval isReadRole=if(match(AccessRights, + "^(ReadItems|Author|NonEditingAuthor|Owner|PublishingAuthor|Reviewer)$"), "true", + "false") | search isReadRole="true" | rename UserId as user | stats count earliest(_time) + as firstTime latest(_time) as lastTime by Operation, user, Identity, AccessRights + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_mailbox_folder_read_permission_granted_filter`' +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: Mailbox folder permissions may be configured for legitimate + purposes, filter as needed. references: - https://attack.mitre.org/techniques/T1098/002/ - https://learn.microsoft.com/en-us/powershell/module/exchange/add-mailboxfolderpermission?view=exchange-ps @@ -52,7 +59,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.002/o365_mailbox_folder_read_granted/o365_mailbox_folder_read_granted.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.002/o365_mailbox_folder_read_granted/o365_mailbox_folder_read_granted.log source: o365 sourcetype: o365:management:activity diff --git a/detections/cloud/o365_mailbox_inbox_folder_shared_with_all_users.yml b/detections/cloud/o365_mailbox_inbox_folder_shared_with_all_users.yml index bb295bdbe0..a47d64ad76 100644 --- a/detections/cloud/o365_mailbox_inbox_folder_shared_with_all_users.yml +++ b/detections/cloud/o365_mailbox_inbox_folder_shared_with_all_users.yml @@ -1,23 +1,36 @@ name: O365 Mailbox Inbox Folder Shared with All Users id: 21421896-a692-4594-9888-5faeb8a53106 -version: 1 -date: '2023-09-07' +version: 2 +date: '2024-05-18' author: Mauricio Velazco, Splunk status: production type: TTP -data_source: +data_source: - O365 ModifyFolderPermissions -description: The following analytic identifies instances where the inbox folder of a mailbox in Office 365 is shared with all users within the tenant. Sharing the inbox folder with all users is an unusual and risky configuration. Attackers have been known to exploit this setting to surreptitiously read a target user's emails from another account. Such unauthorized access can lead to data breaches, leakage of confidential information, or further compromise based on the information gathered from the emails. Monitoring for this configuration change ensures that inadvertent or malicious sharing is promptly identified and addressed. If an attacker successfully configures the inbox to be shared with all users, they can access and read all emails in the affected mailbox from any account within the tenant. This can lead to data exfiltration, spear-phishing attacks based on the information in the emails, or further malicious activities using sensitive information gathered from the mailbox. +description: The following analytic detects instances where the inbox folder of an + Office 365 mailbox is shared with all users within the tenant. It leverages Office + 365 management activity events to identify when the 'Inbox' folder permissions are + modified to include 'Everyone' with read rights. This activity is significant as + it represents a potential security risk, allowing unauthorized access to sensitive + emails. If confirmed malicious, this could lead to data breaches, exfiltration of + confidential information, and further compromise through spear-phishing or other + malicious activities based on the accessed email content. search: >- - `o365_management_activity` Operation=ModifyFolderPermissions Workload=Exchange object=Inbox Item.ParentFolder.MemberUpn=Everyone - | eval isReadRole=if(match('Item.ParentFolder.MemberRights', "(ReadAny)"), "true", "false") - | search isReadRole = "true" - | stats count earliest(_time) as firstTime latest(_time) as lastTime by Operation, UserId, object, MailboxOwnerUPN, Item.ParentFolder.MemberUpn, Item.ParentFolder.MemberRights + `o365_management_activity` Operation=ModifyFolderPermissions Workload=Exchange object=Inbox + Item.ParentFolder.MemberUpn=Everyone + | eval isReadRole=if(match('Item.ParentFolder.MemberRights', "(ReadAny)"), "true", + "false") | search isReadRole = "true" + | stats count earliest(_time) as firstTime latest(_time) as lastTime by Operation, + UserId, object, MailboxOwnerUPN, Item.ParentFolder.MemberUpn, Item.ParentFolder.MemberRights | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_mailbox_inbox_folder_shared_with_all_users_filter` -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: Administrators might temporarily share a mailbox with all users for legitimate reasons, such as troubleshooting, migrations, or other administrative tasks. Some organizations use shared mailboxes for teams or departments where multiple users need access to the same mailbox. Filter as needed. +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: Administrators might temporarily share a mailbox with all users + for legitimate reasons, such as troubleshooting, migrations, or other administrative + tasks. Some organizations use shared mailboxes for teams or departments where multiple + users need access to the same mailbox. Filter as needed. references: - https://attack.mitre.org/techniques/T1114/002/ - https://www.mandiant.com/sites/default/files/2022-08/remediation-hardening-strategies-for-m365-defend-against-apt29-white-paper.pdf @@ -57,6 +70,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.002/o365_inbox_shared_with_all_users/o365_inbox_shared_with_all_users.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.002/o365_inbox_shared_with_all_users/o365_inbox_shared_with_all_users.log source: o365 sourcetype: o365:management:activity diff --git a/detections/cloud/o365_mailbox_read_access_granted_to_application.yml b/detections/cloud/o365_mailbox_read_access_granted_to_application.yml index be3de57bf8..d8a3f346dc 100644 --- a/detections/cloud/o365_mailbox_read_access_granted_to_application.yml +++ b/detections/cloud/o365_mailbox_read_access_granted_to_application.yml @@ -1,19 +1,20 @@ name: O365 Mailbox Read Access Granted to Application id: 27ab61c5-f08a-438a-b4d3-325e666490b3 -version: 1 -date: '2023-09-01' +version: 2 +date: '2024-05-14' author: Mauricio Velazco, Splunk status: production type: TTP -data_source: +data_source: - O365 Update application. -description: The following analytic identifies instances where the Mail.Read Graph API permissions are granted to an application registration within an Office 365 - tenant. It leverages O365 audit logs, specifically events related to changes in application permissions within the AzureActiveDirectory workload. - The Mail.Read permission allows applications to access and read all emails within a user's mailbox. Emails often contain sensitive or confidential information, - and unauthorized access can lead to data breaches or leakage. Monitoring the assignment of this permission ensures that only legitimate applications have such - access and that any inadvertent or malicious assignments are promptly identified. - If an attacker successfully grants this permission to a malicious or compromised application, they can read all emails in the affected mailboxes. This can lead to - data exfiltration, spear-phishing attacks, or further compromise based on the information gathered from the emails. +description: The following analytic identifies instances where the Mail.Read Graph + API permissions are granted to an application registration within an Office 365 + tenant. It leverages O365 audit logs, specifically events related to changes in + application permissions within the AzureActiveDirectory workload. This activity + is significant because the Mail.Read permission allows applications to access and + read all emails within a user's mailbox, which often contain sensitive or confidential + information. If confirmed malicious, this could lead to data exfiltration, spear-phishing + attacks, or further compromise based on the information gathered from the emails. search: >- `o365_management_activity` Operation="Update application." | eval json_data=mvindex('ModifiedProperties{}.NewValue', 0) @@ -22,11 +23,14 @@ search: >- | spath input=json_data path=RequiredAppPermissions{}.EntitlementId output=EntitlementIds | eval match_found=mvfind(EntitlementIds, "810c84a8-4a9e-49e6-bf7d-12d183f40d01") | where isnotnull(match_found) - | stats max(_time) as lastTime values(EntitlementIds) as EntitlementIds by Operation, user, object + | stats max(_time) as lastTime values(EntitlementIds) as EntitlementIds by Operation, + user, object | `security_content_ctime(lastTime)` | `o365_mailbox_read_access_granted_to_application_filter` -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: There are legitimate scenarios in wich an Application registrations requires Mailbox read access. Filter as needed. +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: There are legitimate scenarios in wich an Application registrations + requires Mailbox read access. Filter as needed. references: - https://attack.mitre.org/techniques/T1098/003/ - https://attack.mitre.org/techniques/T1114/002/ @@ -64,6 +68,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/o365_grant_mail_read/o365_grant_mail_read.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/o365_grant_mail_read/o365_grant_mail_read.log source: o365 sourcetype: o365:management:activity diff --git a/detections/cloud/o365_multi_source_failed_authentications_spike.yml b/detections/cloud/o365_multi_source_failed_authentications_spike.yml index 340816b5f0..2972dea980 100644 --- a/detections/cloud/o365_multi_source_failed_authentications_spike.yml +++ b/detections/cloud/o365_multi_source_failed_authentications_spike.yml @@ -1,22 +1,38 @@ name: O365 Multi-Source Failed Authentications Spike id: ea4e2c41-dbfb-4f5f-a7b6-9ac1b7f104aa -version: 1 -date: '2023-11-09' +version: 2 +date: '2024-05-31' author: Mauricio Velazco, Splunk status: production type: Hunting -data_source: +data_source: - O365 UserLoginFailed -description: This analytic detects potential distributed password spraying attacks within an Office 365 environment. It identifies a significant increase in failed authentication attempts characterized by diverse user-and-IP address combinations, originating from multiple source IP addresses, and utilizing various user agents. These patterns may indicate an adversary's attempt to circumvent security controls by employing a spectrum of IP addresses to test commonly used passwords against a wide range of user accounts. The detection examines UserLoginFailed events from O365 Management Activity logs, with a particular focus on events with ErrorNumber 50126, which indicates a failed authentication due to incorrect credentials. By aggregating data over a five-minute interval, the analytic calculates the distinct counts of user-and-IP combinations and unique users and source IPs. It then applies a set of thresholds to these metrics to identify abnormal activities that could suggest a coordinated attack. The predefined thresholds within the analytic (such as unique IPs, unique users, etc.) serve as initial benchmarks and should be tailored to align with the organization's typical user behavior and risk tolerance. Early detection of such distributed activities is crucial for security operations centers (SOCs) to intercept unauthorized access attempts, avert account takeovers, and reduce the risk of subsequent malevolent actions within the organization's systems. A true positive alert from this analytic would indicate an ongoing distributed password spraying campaign targeting the organization's Office 365 tenant. If such an attack is successful, it could lead to unauthorized access, especially to accounts with administrative privileges, resulting in data breaches, privilege escalation, persistent threats, and lateral movement within the organization's digital environment. -search: ' `o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoginFailed ErrorNumber=50126 - | bucket span=5m _time - | eval uniqueIPUserCombo = src_ip . "-" . user - | stats dc(uniqueIPUserCombo) as uniqueIpUserCombinations, dc(user) as uniqueUsers, dc(src_ip) as uniqueIPs, values(user) as user, values(src_ip) as ips, values(user_agent) as user_agents by _time - | where uniqueIpUserCombinations > 20 AND uniqueUsers > 20 AND uniqueIPs > 20 - | `o365_multi_source_failed_authentications_spike_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. - The thresholds set within the analytic (such as unique IPs, unique users, etc.) are initial guidelines and should be customized based on the organization's user behavior and risk profile. Security teams are encouraged to adjust these thresholds to optimize the balance between detecting genuine threats and minimizing false positives, ensuring the detection is tailored to their specific environment. -known_false_positives: This detection may yield false positives in scenarios where legitimate bulk sign-in activities occur, such as during company-wide system updates or when users are accessing resources from varying locations in a short time frame, such as in the case of VPNs or cloud services that rotate IP addresses. Filter as needed. +description: The following analytic identifies a spike in failed authentication attempts + within an Office 365 environment, indicative of a potential distributed password + spraying attack. It leverages UserLoginFailed events from O365 Management Activity + logs, focusing on ErrorNumber 50126. This detection is significant as it highlights + attempts to bypass security controls using multiple IP addresses and user agents. + If confirmed malicious, this activity could lead to unauthorized access, data breaches, + privilege escalation, and lateral movement within the organization. Early detection + is crucial to prevent account takeovers and mitigate subsequent threats. +search: ' `o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoginFailed + ErrorNumber=50126 | bucket span=5m _time | eval uniqueIPUserCombo = src_ip . "-" + . user | stats dc(uniqueIPUserCombo) as uniqueIpUserCombinations, dc(user) as uniqueUsers, + dc(src_ip) as uniqueIPs, values(user) as user, values(src_ip) as ips, values(user_agent) + as user_agents by _time | where uniqueIpUserCombinations > 20 AND uniqueUsers > + 20 AND uniqueIPs > 20 | `o365_multi_source_failed_authentications_spike_filter`' +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. The thresholds set within the analytic (such + as unique IPs, unique users, etc.) are initial guidelines and should be customized + based on the organization's user behavior and risk profile. Security teams are encouraged + to adjust these thresholds to optimize the balance between detecting genuine threats + and minimizing false positives, ensuring the detection is tailored to their specific + environment. +known_false_positives: This detection may yield false positives in scenarios where + legitimate bulk sign-in activities occur, such as during company-wide system updates + or when users are accessing resources from varying locations in a short time frame, + such as in the case of VPNs or cloud services that rotate IP addresses. Filter as + needed. references: - https://attack.mitre.org/techniques/T1110/003/ - https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray @@ -59,6 +75,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/o365_distributed_spray/o365_distributed_spray.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/o365_distributed_spray/o365_distributed_spray.log source: o365 sourcetype: o365:management:activity diff --git a/detections/cloud/o365_multiple_appids_and_useragents_authentication_spike.yml b/detections/cloud/o365_multiple_appids_and_useragents_authentication_spike.yml index 93aef5578d..bd9b79e5ff 100644 --- a/detections/cloud/o365_multiple_appids_and_useragents_authentication_spike.yml +++ b/detections/cloud/o365_multiple_appids_and_useragents_authentication_spike.yml @@ -1,21 +1,32 @@ name: O365 Multiple AppIDs and UserAgents Authentication Spike id: 66adc486-224d-45c1-8e4d-9e7eeaba988f -version: 1 -date: '2023-10-24' +version: 2 +date: '2024-05-12' author: Mauricio Velazco, Splunk status: production type: Anomaly -data_source: +data_source: - O365 UserLoggedIn - O365 UserLoginFailed -description: This analytic is crafted to identify unusual and potentially malicious authentication activity within an O365 environment. It triggers when a single user account is involved in more than 8 authentication attempts, using 3 or more unique application IDs and more than 5 unique user agents within a short timeframe. This pattern is atypical for regular user behavior and may indicate an adversary's attempt to probe the environment, testing for multi-factor authentication requirements across different applications and platforms. The detection is based on analysis of O365 audit logs, specifically focusing on authentication events. It employs statistical thresholds to highlight instances where the volume of authentication attempts and the diversity of application IDs and user agents associated with a single user account exceed normal parameters. Identifying this behavior is crucial as it provides an early indication of potential account compromise. Adversaries, once in possession of user credentials, often conduct reconnaissance to understand the security controls in place, including multi-factor authentication configurations. Tools like Invoke-MFASweep are commonly used for this purpose, automating the process of testing different user agents and application IDs to bypass MFA. By detecting these initial probing attempts, security teams can swiftly respond, potentially stopping an attack in its early stages and preventing further unauthorized access. This proactive stance is vital for maintaining the integrity of the organization's security posture. If validated as a true positive, this detection points to a compromised account, signaling that an attacker is actively attempting to navigate security controls to maintain access and potentially escalate privileges. This could lead to further exploitation, lateral movement within the network, and eventual data exfiltration. Recognizing and responding to this early stage of an attack is vital for preventing substantial harm and safeguarding sensitive organizational data and systems. -search: ' `o365_management_activity` Workload=AzureActiveDirectory (Operation=UserLoggedIn OR Operation=UserLoginFailed) - | bucket span=5m _time - | stats dc(_raw) as failed_attempts dc(ApplicationId) as unique_app_ids dc(UserAgent) as unique_user_agents values(ApplicationId) values(OS) by _time user src_ip - | where failed_attempts > 5 and unique_user_agents > 5 and unique_app_ids > 2 - | `o365_multiple_appids_and_useragents_authentication_spike_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: Rapid authentication from the same user using more than 5 different user agents and 3 application IDs is highly unlikely under normal circumstances. However, there are potential scenarios that could lead to false positives. +description: The following analytic identifies unusual authentication activity in + an O365 environment, where a single user account experiences more than 8 authentication + attempts using 3 or more unique application IDs and over 5 unique user agents within + a short timeframe. It leverages O365 audit logs, focusing on authentication events + and applying statistical thresholds. This behavior is significant as it may indicate + an adversary probing for multi-factor authentication weaknesses. If confirmed malicious, + it suggests a compromised account, potentially leading to unauthorized access, privilege + escalation, and data exfiltration. Early detection is crucial to prevent further + exploitation. +search: ' `o365_management_activity` Workload=AzureActiveDirectory (Operation=UserLoggedIn + OR Operation=UserLoginFailed) | bucket span=5m _time | stats dc(_raw) as failed_attempts + dc(ApplicationId) as unique_app_ids dc(UserAgent) as unique_user_agents values(ApplicationId) + values(OS) by _time user src_ip | where failed_attempts > 5 and unique_user_agents + > 5 and unique_app_ids > 2 | `o365_multiple_appids_and_useragents_authentication_spike_filter`' +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: Rapid authentication from the same user using more than 5 different + user agents and 3 application IDs is highly unlikely under normal circumstances. + However, there are potential scenarios that could lead to false positives. references: - https://attack.mitre.org/techniques/T1078/ - https://www.blackhillsinfosec.com/exploiting-mfa-inconsistencies-on-microsoft-services/ @@ -27,7 +38,8 @@ tags: asset_type: O365 Tenant confidence: 80 impact: 60 - message: $user$ authenticated in a short period of time with more than 5 different user agents across 3 or more unique application ids. + message: $user$ authenticated in a short period of time with more than 5 different + user agents across 3 or more unique application ids. mitre_attack_id: - T1078 observable: @@ -55,6 +67,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/o365_multiple_appids_and_useragents_auth/o365_multiple_appids_and_useragents_auth.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/o365_multiple_appids_and_useragents_auth/o365_multiple_appids_and_useragents_auth.log source: o365 sourcetype: o365:management:activity diff --git a/detections/cloud/o365_multiple_failed_mfa_requests_for_user.yml b/detections/cloud/o365_multiple_failed_mfa_requests_for_user.yml index d9da40acf8..778080e17c 100644 --- a/detections/cloud/o365_multiple_failed_mfa_requests_for_user.yml +++ b/detections/cloud/o365_multiple_failed_mfa_requests_for_user.yml @@ -1,19 +1,27 @@ name: O365 Multiple Failed MFA Requests For User id: fd22124e-dbac-4744-a8ce-be10d8ec3e26 -version: 1 -date: '2023-10-19' +version: 2 +date: '2024-05-26' author: Mauricio Velazco, Splunk status: production type: TTP -data_source: +data_source: - O365 UserLoginFailed -description: This analytic identifies potential "MFA fatigue" attacks targeting Office 365 users. Specifically, it detects scenarios where a user experiences more than nine Multi-Factor Authentication (MFA) prompts within a 10-minute timeframe. Attackers may exploit MFA fatigue by repeatedly triggering MFA requests, hoping that the user, out of frustration or oversight, will approve a malicious authentication attempt. The detection leverages O365 management activity logs, focusing on Azure Active Directory events. It looks for the UserLoginFailed operation combined with a Success ResultStatus and an ErrorNumber of 500121, which indicates MFA prompts. By monitoring these specific events and conditions, the analytic captures and alerts on potential MFA fatigue scenarios. With MFA being a cornerstone of modern cybersecurity defenses, attackers are constantly seeking ways to bypass or exploit it. MFA fatigue is one such tactic, where attackers rely on user frustration or confusion caused by frequent MFA prompts. Detecting potential MFA fatigue scenarios allows security teams to proactively investigate and ensure that users aren't inadvertently granting access to malicious actors. If this detection flags a true positive, it suggests a potential attempt by an attacker to exploit MFA mechanisms to gain unauthorized access to an O365 account. Successful exploitation could lead to data breaches, unauthorized data access, or further compromise within the O365 environment. Immediate investigation and response would be crucial to safeguard the affected account and assess the full scope of the potential breach. -search: ' `o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoginFailed ResultStatus=Success ErrorNumber=500121 - | bucket span=10m _time - | stats dc(_raw) as mfa_prompts values(LogonError) as LogonError values(signature) as signature by user, _time - | where mfa_prompts > 9 - | `o365_multiple_failed_mfa_requests_for_user_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. +description: The following analytic identifies potential "MFA fatigue" attacks targeting + Office 365 users by detecting more than nine Multi-Factor Authentication (MFA) prompts + within a 10-minute timeframe. It leverages O365 management activity logs, focusing + on Azure Active Directory events with the UserLoginFailed operation, a Success ResultStatus, + and an ErrorNumber of 500121. This activity is significant as attackers may exploit + MFA fatigue to gain unauthorized access by overwhelming users with repeated MFA + requests. If confirmed malicious, this could lead to data breaches, unauthorized + data access, or further compromise within the O365 environment. Immediate investigation + is crucial. +search: ' `o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoginFailed + ResultStatus=Success ErrorNumber=500121 | bucket span=10m _time | stats dc(_raw) + as mfa_prompts values(LogonError) as LogonError values(signature) as signature by + user, _time | where mfa_prompts > 9 | `o365_multiple_failed_mfa_requests_for_user_filter`' +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. known_false_positives: Multiple Failed MFA requests may also be a sign of authentication or application issues. Filter as needed. references: @@ -50,6 +58,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/o365_multiple_failed_mfa_requests/o365_multiple_failed_mfa_requests.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/o365_multiple_failed_mfa_requests/o365_multiple_failed_mfa_requests.log source: o365 sourcetype: o365:management:activity diff --git a/detections/cloud/o365_multiple_mailboxes_accessed_via_api.yml b/detections/cloud/o365_multiple_mailboxes_accessed_via_api.yml index 7bcdc9aaa3..4ade3a6007 100644 --- a/detections/cloud/o365_multiple_mailboxes_accessed_via_api.yml +++ b/detections/cloud/o365_multiple_mailboxes_accessed_via_api.yml @@ -1,22 +1,31 @@ name: O365 Multiple Mailboxes Accessed via API id: 7cd853e9-d370-412f-965d-a2bcff2a2908 -version: 1 -date: '2024-02-01' +version: 2 +date: '2024-05-16' author: Mauricio Velazco, Splunk -data_source: +data_source: - O365 MailItemsAccessed type: TTP status: production -description: The following analytic is designed to trigger when a high number of Office 365 Exchange mailboxes are accessed via API (Microsoft Graph API or Exchange Web Services) in a short time, hinting at possible unauthorized mass email access. It tracks 'MailItemsAccessed' operations in Exchange, using AppId and regex to identify API interactions. Crucial for SOC teams, this analytic focuses on spotting abnormal access patterns, often signaling data exfiltration or account compromise. Security teams should tailor the threshold - set here to flag over five unique mailboxes accessed within 10 minutes - to align with their environment's norms, ensuring effective detection of potential security incidents while maintaining operational efficiency. -search: ' `o365_management_activity` Workload=Exchange Operation=MailItemsAccessed AppId=* ClientAppId=* - | bucket span=10m _time - | eval matchRegex=if(match(ClientInfoString, "^Client=WebServices;ExchangeWebServices"), 1, 0) - | search (AppId="00000003-0000-0000-c000-000000000000" OR matchRegex=1) - | stats values(ClientIPAddress) as src_ip dc(user) as unique_mailboxes values(user) as user by _time ClientAppId ClientInfoString - | where unique_mailboxes > 5 - | `o365_multiple_mailboxes_accessed_via_api_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: Legitimate applications may access multiple mailboxes via an API. You can filter by the ClientAppId or the CLientIpAddress fields. +description: The following analytic detects when a high number of Office 365 Exchange + mailboxes are accessed via API (Microsoft Graph API or Exchange Web Services) within + a short timeframe. It leverages 'MailItemsAccessed' operations in Exchange, using + AppId and regex to identify API interactions. This activity is significant as it + may indicate unauthorized mass email access, potentially signaling data exfiltration + or account compromise. If confirmed malicious, attackers could gain access to sensitive + information, leading to data breaches and further exploitation of compromised accounts. + The threshold is set to flag over five unique mailboxes accessed within 10 minutes, + but should be tailored to your environment. +search: ' `o365_management_activity` Workload=Exchange Operation=MailItemsAccessed + AppId=* ClientAppId=* | bucket span=10m _time | eval matchRegex=if(match(ClientInfoString, + "^Client=WebServices;ExchangeWebServices"), 1, 0) | search (AppId="00000003-0000-0000-c000-000000000000" + OR matchRegex=1) | stats values(ClientIPAddress) as src_ip dc(user) as unique_mailboxes + values(user) as user by _time ClientAppId ClientInfoString | where unique_mailboxes + > 5 | `o365_multiple_mailboxes_accessed_via_api_filter`' +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: Legitimate applications may access multiple mailboxes via an + API. You can filter by the ClientAppId or the CLientIpAddress fields. references: - https://attack.mitre.org/techniques/T1114/002/ - https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in @@ -31,7 +40,8 @@ tags: asset_type: O365 Tenant confidence: 60 impact: 70 - message: An Oauth application identified with id $ClientAppId$ accessed multiple mailboxes in a short period of time via an API. + message: An Oauth application identified with id $ClientAppId$ accessed multiple + mailboxes in a short period of time via an API. mitre_attack_id: - T1114.002 observable: @@ -57,6 +67,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.002/o365_multiple_mailboxes_accessed_via_api/o365_multiple_mailboxes_accessed_via_api.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.002/o365_multiple_mailboxes_accessed_via_api/o365_multiple_mailboxes_accessed_via_api.log source: o365 sourcetype: o365:management:activity diff --git a/detections/cloud/o365_multiple_service_principals_created_by_sp.yml b/detections/cloud/o365_multiple_service_principals_created_by_sp.yml index 1619ceb232..89a32250e8 100644 --- a/detections/cloud/o365_multiple_service_principals_created_by_sp.yml +++ b/detections/cloud/o365_multiple_service_principals_created_by_sp.yml @@ -1,27 +1,37 @@ name: O365 Multiple Service Principals Created by SP id: ef4c3f20-d1ad-4ad1-a3f4-d5f391c005fe -version: 1 -date: '2024-02-07' +version: 2 +date: '2024-05-29' author: Mauricio Velazco, Splunk -data_source: +data_source: - O365 Add service principal. type: Anomaly status: production -description: This detection aims to identify instances where a single service principal creates more than three unique OAuth applications within a 10-minute timeframe, using O365 logs from the Unified Audit Log. The focus is on tracking the 'Add service principal' operation within the Office 365 Azure Active Directory environment. The query effectively buckets events in 10-minute intervals, specifically scrutinizing the actions of service principals. By quantifying the number of distinct OAuth applications each service principal establishes, the analytic provides critical insights for SOC teams into potentially anomalous or malicious activities. These activities could include a compromised or malicious service principal being used to create multiple service principals, which might be indicative of an attempt to expand control or access within the network. Security teams are advised to adapt the threshold of three applications to align with their typical operational baseline +description: The following analytic identifies instances where a single service principal + creates more than three unique OAuth applications within a 10-minute timeframe. + It leverages O365 logs from the Unified Audit Log, focusing on the 'Add service + principal' operation in the Office 365 Azure Active Directory environment. This + activity is significant as it may indicate a compromised or malicious service principal + attempting to expand control or access within the network. If confirmed malicious, + this could lead to unauthorized access and potential lateral movement within the + environment, posing a significant security risk. search: >- - `o365_management_activity` Workload=AzureActiveDirectory Operation="Add service principal." - | bucket span=10m _time - | eval len=mvcount('Actor{}.ID') - | eval userType = mvindex('Actor{}.ID',len-1) - | search userType = "ServicePrincipal" - | eval displayName = object - | stats count earliest(_time) as firstTime latest(_time) as lastTime values(displayName) as displayName dc(displayName) as unique_apps by src_user - | where unique_apps > 3 - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `o365_multiple_service_principals_created_by_sp_filter` -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: Certain users or applications may create multiple service principals in a short period of time for legitimate purposes. Filter as needed. + `o365_management_activity` Workload=AzureActiveDirectory Operation="Add service + principal." | bucket span=10m _time + | eval len=mvcount('Actor{}.ID') + | eval userType = mvindex('Actor{}.ID',len-1) + | search userType = "ServicePrincipal" + | eval displayName = object + | stats count earliest(_time) as firstTime latest(_time) as lastTime values(displayName) + as displayName dc(displayName) as unique_apps by src_user + | where unique_apps > 3 + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `o365_multiple_service_principals_created_by_sp_filter` +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: Certain users or applications may create multiple service principals + in a short period of time for legitimate purposes. Filter as needed. references: - https://attack.mitre.org/techniques/T1136/003/ - https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/ @@ -32,7 +42,8 @@ tags: asset_type: O365 Tenant confidence: 60 impact: 70 - message: Multiple OAuth applications were created by $src_user$ in a short period of time + message: Multiple OAuth applications were created by $src_user$ in a short period + of time mitre_attack_id: - T1136.003 observable: @@ -56,6 +67,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/o365_multiple_service_principals_created/o365_multiple_service_principals_created.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/o365_multiple_service_principals_created/o365_multiple_service_principals_created.log source: o365 sourcetype: o365:management:activity diff --git a/detections/cloud/o365_multiple_service_principals_created_by_user.yml b/detections/cloud/o365_multiple_service_principals_created_by_user.yml index eae0e797ef..f726e973c7 100644 --- a/detections/cloud/o365_multiple_service_principals_created_by_user.yml +++ b/detections/cloud/o365_multiple_service_principals_created_by_user.yml @@ -1,27 +1,37 @@ name: O365 Multiple Service Principals Created by User id: a34e65d0-54de-4b02-9db8-5a04522067f6 -version: 1 -date: '2024-02-07' +version: 2 +date: '2024-05-21' author: Mauricio Velazco, Splunk -data_source: +data_source: - O365 Add service principal. type: Anomaly status: production -description: This detection is tailored to spot occurrences where a single user, rather than a service principal, creates more than three unique OAuth applications within a 10-minute window in the Office 365 environment. Utilizing O365 logs from the Unified Audit Log, it focuses on the 'Add service principal' operation in Azure Active Directory. The query segments events into 10-minute intervals, exclusively monitoring user activities. It calculates the number of distinct OAuth applications initiated by each user, providing SOC teams with essential data for identifying potential security threats. Such activity could suggest that a user account is either compromised or engaged in unauthorized activities, potentially setting the stage for broader network infiltration or privilege escalation. It's important for security teams to adjust the threshold of three applications to fit their operational context. +description: The following analytic identifies instances where a single user creates + more than three unique OAuth applications within a 10-minute window in the Office + 365 environment. It leverages O365 logs from the Unified Audit Log, focusing on + the 'Add service principal' operation in Azure Active Directory. This activity is + significant as it may indicate a compromised user account or unauthorized actions, + potentially leading to broader network infiltration or privilege escalation. If + confirmed malicious, this behavior could allow attackers to gain persistent access, + escalate privileges, or exfiltrate sensitive information. search: >- - `o365_management_activity` Workload=AzureActiveDirectory Operation="Add service principal." - | bucket span=10m _time + `o365_management_activity` Workload=AzureActiveDirectory Operation="Add service + principal." | bucket span=10m _time | eval len=mvcount('Actor{}.ID') | eval userType = mvindex('Actor{}.ID',len-1) | search userType = "User" | eval displayName = object - | stats count earliest(_time) as firstTime latest(_time) as lastTime values(displayName) as displayName dc(displayName) as unique_apps by src_user + | stats count earliest(_time) as firstTime latest(_time) as lastTime values(displayName) + as displayName dc(displayName) as unique_apps by src_user | where unique_apps > 3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_multiple_service_principals_created_by_user_filter` -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: Certain users or applications may create multiple service principals in a short period of time for legitimate purposes. Filter as needed. +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: Certain users or applications may create multiple service principals + in a short period of time for legitimate purposes. Filter as needed. references: - https://attack.mitre.org/techniques/T1136/003/ - https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/ @@ -32,7 +42,8 @@ tags: asset_type: O365 Tenant confidence: 60 impact: 70 - message: Multiple OAuth applications were created by $src_user$ in a short period of time + message: Multiple OAuth applications were created by $src_user$ in a short period + of time mitre_attack_id: - T1136.003 observable: @@ -56,6 +67,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/o365_multiple_service_principals_created/o365_multiple_service_principals_created.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/o365_multiple_service_principals_created/o365_multiple_service_principals_created.log source: o365 sourcetype: o365:management:activity diff --git a/detections/cloud/o365_multiple_users_failing_to_authenticate_from_ip.yml b/detections/cloud/o365_multiple_users_failing_to_authenticate_from_ip.yml index 0b3ceb1405..b8f4cbcd51 100644 --- a/detections/cloud/o365_multiple_users_failing_to_authenticate_from_ip.yml +++ b/detections/cloud/o365_multiple_users_failing_to_authenticate_from_ip.yml @@ -1,20 +1,29 @@ name: O365 Multiple Users Failing To Authenticate From Ip id: 8d486e2e-3235-4cfe-ac35-0d042e24ecb4 -version: 2 -date: '2024-03-19' +version: 3 +date: '2024-05-23' author: Mauricio Velazco, Splunk status: production type: TTP -data_source: +data_source: - O365 UserLoginFailed -description: This analytic identifies instances where multiple users (more than 10 unique accounts) have failed to authenticate from a single IP address within a short time span (5 minutes). Such a pattern can be indicative of malicious activities, such as brute-force attacks or password spraying attempts. The detection leverages O365 audit logs, specifically focusing on Azure Active Directory login failures (AzureActiveDirectoryStsLogon). By aggregating these failures based on the source IP address and time, the analytic captures patterns where multiple unique user accounts have authentication failures from the same IP within a 5-minute window. Multiple authentication failures from a single IP address targeting various accounts can be a strong indicator of an attacker trying to gain unauthorized access. It could represent a brute-force attack, password spraying, or other malicious login attempts. Identifying and responding to such patterns promptly is crucial to prevent potential account compromises and unauthorized access to organizational resources. If the detection is a true positive, it suggests that an external entity is actively trying to breach the security by targeting multiple user accounts. While the attempts have been unsuccessful (as indicated by the login failures), it's a clear sign of malicious intent. Immediate action is required to block or monitor the suspicious IP, investigate the nature of the attempts, and potentially notify affected users to take precautionary measures like password changes or enabling multi-factor authentication. -search: ' `o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoginFailed ErrorNumber=50126 - | bucket span=5m _time - | stats dc(user) as unique_accounts values(user) as user values(LogonError) as LogonError values(signature) as signature values(UserAgent) as UserAgent by _time, src_ip - | where unique_accounts > 10 - | `o365_multiple_users_failing_to_authenticate_from_ip_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: A source Ip failing to authenticate with multiple users in a short period of time is not common legitimate behavior. +description: The following analytic identifies instances where more than 10 unique + user accounts fail to authenticate from a single IP address within a 5-minute window. + This detection leverages O365 audit logs, specifically Azure Active Directory login + failures (AzureActiveDirectoryStsLogon). Such activity is significant as it may + indicate brute-force attacks or password spraying attempts. If confirmed malicious, + this behavior suggests an external entity is attempting to breach security by targeting + multiple accounts, potentially leading to unauthorized access. Immediate action + is required to block or monitor the suspicious IP and notify affected users to enhance + their security measures. +search: ' `o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoginFailed + ErrorNumber=50126 | bucket span=5m _time | stats dc(user) as unique_accounts values(user) + as user values(LogonError) as LogonError values(signature) as signature values(UserAgent) + as UserAgent by _time, src_ip | where unique_accounts > 10 | `o365_multiple_users_failing_to_authenticate_from_ip_filter`' +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: A source Ip failing to authenticate with multiple users in + a short period of time is not common legitimate behavior. references: - https://attack.mitre.org/techniques/T1110/003/ - https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray @@ -62,7 +71,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/o365_multiple_users_from_ip/o365_multiple_users_from_ip.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/o365_multiple_users_from_ip/o365_multiple_users_from_ip.log source: o365 sourcetype: o365:management:activity diff --git a/detections/cloud/o365_new_email_forwarding_rule_created.yml b/detections/cloud/o365_new_email_forwarding_rule_created.yml index 33aad7699c..eb75fa4a3e 100644 --- a/detections/cloud/o365_new_email_forwarding_rule_created.yml +++ b/detections/cloud/o365_new_email_forwarding_rule_created.yml @@ -1,12 +1,19 @@ name: O365 New Email Forwarding Rule Created id: 68469fd0-1315-44ba-b7e4-e92847bb76d6 -version: 1 -date: '2024-03-27' +version: 2 +date: '2024-05-29' author: Mauricio Velazco, Splunk data_source: [] type: TTP status: production -description: This detection is crafted to monitor and identify the creation of new email forwarding rules in an Office 365 environment. It specifically targets events logged under New-InboxRule and Set-InboxRule operations within o365_management_activity, indicating the establishment or modification of inbox rules that forward emails. The detection checks for the presence of parameters such as ForwardTo, ForwardAsAttachmentTo, and RedirectTo, which are key indicators of email forwarding behavior. +description: The following analytic identifies the creation of new email forwarding + rules in an Office 365 environment. It detects events logged under New-InboxRule + and Set-InboxRule operations within the o365_management_activity data source, focusing + on parameters like ForwardTo, ForwardAsAttachmentTo, and RedirectTo. This activity + is significant as unauthorized email forwarding can lead to data exfiltration and + unauthorized access to sensitive information. If confirmed malicious, attackers + could intercept and redirect emails, potentially compromising confidential communications + and leading to data breaches. search: >- `o365_management_activity` (Operation=New-InboxRule OR Operation=set-InboxRule) | eval match1=mvfind('Parameters{}.Name', "ForwardTo") @@ -14,12 +21,15 @@ search: >- | eval match3=mvfind('Parameters{}.Name', "RedirectTo") | where match1>= 0 OR match2>= 0 OR match3>= 0 | eval ForwardTo=coalesce(ForwardTo, ForwardAsAttachmentTo, RedirectTo) - | stats count min(_time) as firstTime max(_time) as lastTime values(Name) as Name by user Operation ForwardTo + | stats count min(_time) as firstTime max(_time) as lastTime values(Name) as Name + by user Operation ForwardTo | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_new_email_forwarding_rule_created_filter` -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: Users may create email forwarding rules for legitimate purposes. Filter as needed. +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: Users may create email forwarding rules for legitimate purposes. + Filter as needed. references: - https://attack.mitre.org/techniques/T1114/003/ tags: @@ -28,7 +38,7 @@ tags: asset_type: O365 Tenant confidence: 60 impact: 70 - message: A forwarding email inbox rule was created for $user$ + message: A forwarding email inbox rule was created for $user$ mitre_attack_id: - T1114 - T1114.003 @@ -53,6 +63,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.003/o365_email_forwarding_rule_created/o365_email_forwarding_rule_created.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.003/o365_email_forwarding_rule_created/o365_email_forwarding_rule_created.log sourcetype: o365:management:activity source: o365 diff --git a/detections/cloud/o365_new_email_forwarding_rule_enabled.yml b/detections/cloud/o365_new_email_forwarding_rule_enabled.yml index f4c948908d..d11d1a2f55 100644 --- a/detections/cloud/o365_new_email_forwarding_rule_enabled.yml +++ b/detections/cloud/o365_new_email_forwarding_rule_enabled.yml @@ -1,15 +1,21 @@ name: O365 New Email Forwarding Rule Enabled id: ac7c4d0a-06a3-4278-aa59-88a5e537f981 -version: 1 -date: '2024-03-28' +version: 2 +date: '2024-05-23' author: Mauricio Velazco, Splunk data_source: [] type: TTP status: production -description: This detection aims to identify instances where new email forwarding rules are created through the UpdateInboxRules operation within an Office 365 environment. Despite the operation name suggesting an update, this specific scenario involves the addition of new rules that direct emails to external recipients, captured under the ForwardToRecipientsAction. The analytic examines the OperationProperties to extract and validate forwarding addresses, ensuring they adhere to the expected email format. +description: The following analytic identifies the creation of new email forwarding + rules in an Office 365 environment via the UpdateInboxRules operation. It leverages + Office 365 management activity events to detect rules that forward emails to external + recipients by examining the OperationProperties for specific forwarding actions. + This activity is significant as it may indicate unauthorized email redirection, + potentially leading to data exfiltration. If confirmed malicious, attackers could + intercept sensitive communications, leading to data breaches and information leakage. search: >- - `o365_management_activity` Workload=Exchange Operation=UpdateInboxRules - | eval match1=mvfind('OperationProperties{}.Value', "ForwardToRecipientsAction") + `o365_management_activity` Workload=Exchange Operation=UpdateInboxRules | eval + match1=mvfind('OperationProperties{}.Value', "ForwardToRecipientsAction") | eval match2=mvfind('OperationProperties{}.Value', "ForwardAsAttachmentToRecipientsAction") | eval match3=mvfind('OperationProperties{}.Value', "RedirectToRecipientsAction") | eval index = mvfind('OperationProperties{}.Name', "ServerRule") @@ -18,15 +24,19 @@ search: >- | spath input=ServerRule path=Actions{}.Recipients{}.Values{}.Value output=valueExtracted | mvexpand valueExtracted | search valueExtracted="*@*.*" - | eval ForwardTo=if(match(valueExtracted, "^[^@]+@[^@]+\\.[^@]+$"), valueExtracted, null) + | eval ForwardTo=if(match(valueExtracted, "^[^@]+@[^@]+\\.[^@]+$"), valueExtracted, + null) | dedup ForwardTo | where isnotnull(ForwardTo) - | stats count min(_time) as firstTime max(_time) as lastTime values(Name) as Name by user Operation ForwardTo + | stats count min(_time) as firstTime max(_time) as lastTime values(Name) as Name + by user Operation ForwardTo | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_new_email_forwarding_rule_enabled_filter` -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: Users may create email forwarding rules for legitimate purposes. Filter as needed. +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: Users may create email forwarding rules for legitimate purposes. + Filter as needed. references: - https://attack.mitre.org/techniques/T1114/003/ tags: @@ -35,7 +45,7 @@ tags: asset_type: O365 Tenant confidence: 60 impact: 70 - message: A forwarding email inbox rule was created for $user$ + message: A forwarding email inbox rule was created for $user$ mitre_attack_id: - T1114 - T1114.003 @@ -59,7 +69,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.003/o365_email_forwarding_rule_created/o365_email_forwarding_rule_created.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.003/o365_email_forwarding_rule_created/o365_email_forwarding_rule_created.log sourcetype: o365:management:activity source: o365 diff --git a/detections/cloud/o365_new_federated_domain_added.yml b/detections/cloud/o365_new_federated_domain_added.yml index 8094d4ba8e..f52ee289bb 100644 --- a/detections/cloud/o365_new_federated_domain_added.yml +++ b/detections/cloud/o365_new_federated_domain_added.yml @@ -1,12 +1,19 @@ name: O365 New Federated Domain Added id: e155876a-6048-11eb-ae93-0242ac130002 -version: 3 -date: '2023-08-02' +version: 4 +date: '2024-05-28' author: Rod Soto, Mauricio Velazco Splunk status: production type: TTP -description: The following analytic identifies the addition of a new federated domain in an organization's Office 365 environment. This behavior is detected by analyzing the Office 365 management activity logs using the Splunk query o365_management_activity, specifically filtering for the Workload=Exchange and Operation="Add-FederatedDomain" parameters. The addition of a new federated domain can be a significant security concern, as it might indicate unauthorized changes or potential compromises within the Office 365 setup. Attackers, upon gaining sufficient privileges, could add a federated domain to establish a backdoor, bypass security measures, or exfiltrate data. Such unauthorized changes can lead to data breaches, unauthorized access to sensitive data, and potential compromise of organizational infrastructure. When this analytic is triggered, immediate steps should include reviewing the details of the added federated domain, such as the organization name, originating server, user ID, and user key. Concurrent processes or other indicators of compromise should also be investigated to pinpoint the source of the potential breach. -data_source: +description: The following analytic identifies the addition of a new federated domain + in an Office 365 environment. This behavior is detected by analyzing Office 365 + management activity logs, specifically filtering for Workload=Exchange and Operation="Add-FederatedDomain". + The addition of a new federated domain is significant as it may indicate unauthorized + changes or potential compromises. If confirmed malicious, attackers could establish + a backdoor, bypass security measures, or exfiltrate data, leading to data breaches + and unauthorized access to sensitive information. Immediate investigation is required + to review the details of the added domain and any concurrent suspicious activities. +data_source: - O365 search: '`o365_management_activity` Operation IN ("*add*", "*new*") AND Operation="*domain*" | stats count values(ModifiedProperties{}.NewValue) as new_value by user user_agent @@ -57,7 +64,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/o365_new_federated_domain_added/o365_add_federated_domain.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/o365_new_federated_domain_added/o365_add_federated_domain.log sourcetype: o365:management:activity source: o365 update_timestamp: true diff --git a/detections/cloud/o365_new_forwarding_mailflow_rule_created.yml b/detections/cloud/o365_new_forwarding_mailflow_rule_created.yml index 537d8e423b..3abb02e02f 100644 --- a/detections/cloud/o365_new_forwarding_mailflow_rule_created.yml +++ b/detections/cloud/o365_new_forwarding_mailflow_rule_created.yml @@ -1,26 +1,32 @@ name: O365 New Forwarding Mailflow Rule Created id: 289ed0a1-4c78-4a43-9321-44ea2e089c14 -version: 1 -date: '2024-04-10' +version: 2 +date: '2024-05-29' author: Mauricio Velazco, Splunk data_source: [] type: TTP status: production -description: The following analytic monitors for the creation of new mail flow rules in Office 365 that could potentially redirect or copy emails to unauthorized or external addresses. This analytic works by querying the Office 365 Management Activity logs for any operation tagged as "New-TransportRule". It specifically looks for parameters indicative of mail forwarding actions, such as "BlindCopyTo", "CopyTo", and "RedirectMessageTo". If any of these parameters are present, indicating that a forwarding rule has been set up, the detection then captures the details of this rule, including the user ID responsible for the creation, the name of the rule, the forwarding target, and the timestamps of the rule's creation and last modification. -search: >- +description: The following analytic detects the creation of new mail flow rules in + Office 365 that may redirect or copy emails to unauthorized or external addresses. + It leverages Office 365 Management Activity logs, specifically querying for the + "New-TransportRule" operation and parameters like "BlindCopyTo", "CopyTo", and "RedirectMessageTo". + This activity is significant as it can indicate potential data exfiltration or unauthorized + access to sensitive information. If confirmed malicious, attackers could intercept + or redirect email communications, leading to data breaches or information leakage. +search: >- `o365_management_activity` Workload=Exchange Operation="New-TransportRule" | eval match1=mvfind('Parameters{}.Name', "BlindCopyTo") | eval match2=mvfind('Parameters{}.Name', "CopyTo") | eval match3=mvfind('Parameters{}.Name', "RedirectMessageTo") | where match1>= 0 OR match2>= 0 OR match3>=0 | eval ForwardTo=coalesce(BlindCopyTo, CopyTo, RedirectMessageTo) - | search ForwardTo!="" - | rename UserId as user - | stats count earliest(_time) as firstTime latest(_time) as lastTime by Operation, user, Name, ForwardTo | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `o365_new_forwarding_mailflow_rule_created_filter` -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: Forwarding mail flow rules may be created for legitimate reasons, filter as needed. + | search ForwardTo!="" | rename UserId as user | stats count earliest(_time) as + firstTime latest(_time) as lastTime by Operation, user, Name, ForwardTo | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `o365_new_forwarding_mailflow_rule_created_filter` +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: Forwarding mail flow rules may be created for legitimate reasons, + filter as needed. references: - https://attack.mitre.org/techniques/T1114/ - https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules @@ -54,6 +60,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_new_forwarding_mailflow_rule_created/o365_new_forwarding_mailflow_rule_created.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_new_forwarding_mailflow_rule_created/o365_new_forwarding_mailflow_rule_created.log sourcetype: o365:management:activity source: o365 diff --git a/detections/cloud/o365_new_mfa_method_registered.yml b/detections/cloud/o365_new_mfa_method_registered.yml index 3fdcbf3824..29478235b8 100644 --- a/detections/cloud/o365_new_mfa_method_registered.yml +++ b/detections/cloud/o365_new_mfa_method_registered.yml @@ -1,16 +1,22 @@ name: O365 New MFA Method Registered id: 4e12db1f-f7c7-486d-8152-a221cad6ac2b -version: 1 -date: '2023-10-20' +version: 2 +date: '2024-05-15' author: Mauricio Velazco, Splunk status: production type: TTP -data_source: +data_source: - O365 Update user. -description: This analytic detects the registration of a new Multi-Factor Authentication (MFA) method associated with a user account within Office 365 by monitoring O365 audit logs and configurations. While adding a new MFA method can be a routine and legitimate action, it can also be indicative of an attacker's attempt to maintain persistence on a compromised account. By registering a new MFA method, attackers can potentially bypass existing security measures, allowing them to authenticate using stolen credentials without raising alarms. Monitoring for such changes is crucial, especially if the addition is not preceded by a user request or if it deviates from typical user behavior. If an attacker successfully registers a new MFA method on a compromised account, they can solidify their access, making it harder for legitimate users to regain control. The attacker can then operate with the privileges of the compromised account, potentially accessing sensitive data, making unauthorized changes, or even escalating their privileges further. Immediate action would be required to verify the legitimacy of the MFA change and, if malicious, to remediate and secure the affected account. +description: The following analytic detects the registration of a new Multi-Factor + Authentication (MFA) method for a user account within Office 365. It leverages O365 + audit logs to identify changes in MFA configurations. This activity is significant + as it may indicate an attacker's attempt to maintain persistence on a compromised + account. If confirmed malicious, the attacker could bypass existing security measures, + solidify their access, and potentially escalate privileges or access sensitive data. + Immediate verification and remediation are required to secure the affected account. search: >- - `o365_management_activity` Workload=AzureActiveDirectory Operation="Update user." - | eval propertyName = mvindex('ModifiedProperties{}.Name', 0) + `o365_management_activity` Workload=AzureActiveDirectory Operation="Update user." | + eval propertyName = mvindex('ModifiedProperties{}.Name', 0) | search propertyName = StrongAuthenticationMethod | eval oldvalue = mvindex('ModifiedProperties{}.OldValue',0) | eval newvalue = mvindex('ModifiedProperties{}.NewValue',0) @@ -19,12 +25,15 @@ search: >- | eval count_new_method_type = coalesce(mvcount(new_method_type), 0) | eval count_old_method_type = coalesce(mvcount(old_method_type), 0) | where count_new_method_type > count_old_method_type - | stats earliest(_time) as firstTime latest(_time) as lastTime values(propertyName) by user newvalue oldvalue + | stats earliest(_time) as firstTime latest(_time) as lastTime values(propertyName) + by user newvalue oldvalue | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_new_mfa_method_registered_filter` -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: Users may register MFA methods legitimally, investigate and filter as needed. +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: Users may register MFA methods legitimally, investigate and + filter as needed. references: - https://attack.mitre.org/techniques/T1098/005/ - https://www.microsoft.com/en-us/security/blog/2023/06/08/detecting-and-mitigating-a-multi-stage-aitm-phishing-and-bec-campaign/ @@ -60,6 +69,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.005/o365_register_new_mfa_method/o365_register_new_mfa_method.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.005/o365_register_new_mfa_method/o365_register_new_mfa_method.log sourcetype: o365:management:activity source: o365 diff --git a/detections/cloud/o365_oauth_app_mailbox_access_via_ews.yml b/detections/cloud/o365_oauth_app_mailbox_access_via_ews.yml index 3dc01e51c2..7f866b4325 100644 --- a/detections/cloud/o365_oauth_app_mailbox_access_via_ews.yml +++ b/detections/cloud/o365_oauth_app_mailbox_access_via_ews.yml @@ -1,21 +1,29 @@ name: O365 OAuth App Mailbox Access via EWS id: e600cf1a-0bef-4426-b42e-00176d610a4d -version: 1 -date: '2024-01-31' +version: 2 +date: '2024-05-14' author: Mauricio Velazco, Splunk status: production -data_source: +data_source: - O365 MailItemsAccessed type: TTP -description: The following analytic detects when emails are accessed in Office 365 Exchange via Exchange Web Services (EWS), as indicated by the ClientInfoString field starting with "Client=WebServices;ExchangeWebServices". It monitors mailbox activities, focusing on OAuth-authenticated applications that interact with EWS. The query aggregates key metrics such as access counts, timing, and client IP addresses, categorized by user, ClientAppId, OperationCount, and AppId. For defenders, it is critical to keep track of OAuth applications using EWS to access emails, as this information is instrumental in identifying and preventing potential abuse or unauthorized data access. -search: ' `o365_management_activity` Workload=Exchange Operation=MailItemsAccessed AppId=* ClientAppId=* - | regex ClientInfoString="^Client=WebServices;ExchangeWebServices" - | stats count earliest(_time) as firstTime latest(_time) as lastTime values(ClientIPAddress) as src_ip by user ClientAppId OperationCount AppId ClientInfoString - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `o365_oauth_app_mailbox_access_via_ews_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: OAuth applications may access mailboxes for legitimate purposes, you can use the src_ip to add trusted sources to an allow list. +description: The following analytic detects when emails are accessed in Office 365 + Exchange via Exchange Web Services (EWS) using OAuth-authenticated applications. + It leverages the ClientInfoString field to identify EWS interactions and aggregates + metrics such as access counts, timing, and client IP addresses, categorized by user, + ClientAppId, OperationCount, and AppId. Monitoring OAuth applications accessing + emails through EWS is crucial for identifying potential abuse or unauthorized data + access. If confirmed malicious, this activity could lead to unauthorized email access, + data exfiltration, or further compromise of sensitive information. +search: ' `o365_management_activity` Workload=Exchange Operation=MailItemsAccessed + AppId=* ClientAppId=* | regex ClientInfoString="^Client=WebServices;ExchangeWebServices" + | stats count earliest(_time) as firstTime latest(_time) as lastTime values(ClientIPAddress) + as src_ip by user ClientAppId OperationCount AppId ClientInfoString | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `o365_oauth_app_mailbox_access_via_ews_filter`' +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: OAuth applications may access mailboxes for legitimate purposes, + you can use the src_ip to add trusted sources to an allow list. references: - https://attack.mitre.org/techniques/T1114/002/ - https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/ @@ -27,7 +35,8 @@ tags: asset_type: O365 Tenant confidence: 60 impact: 70 - message: An OAuth application identified with id $ClientAppId$ accesed mailboxes through the Graph API. + message: An OAuth application identified with id $ClientAppId$ accesed mailboxes + through the Graph API. mitre_attack_id: - T1114.002 observable: @@ -51,6 +60,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.002/o365_oauth_app_ews_mailbox_access/o365_oauth_app_ews_mailbox_access.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.002/o365_oauth_app_ews_mailbox_access/o365_oauth_app_ews_mailbox_access.log sourcetype: o365:management:activity source: o365 diff --git a/detections/cloud/o365_oauth_app_mailbox_access_via_graph_api.yml b/detections/cloud/o365_oauth_app_mailbox_access_via_graph_api.yml index bf879f39f6..bd66c03848 100644 --- a/detections/cloud/o365_oauth_app_mailbox_access_via_graph_api.yml +++ b/detections/cloud/o365_oauth_app_mailbox_access_via_graph_api.yml @@ -1,20 +1,28 @@ name: O365 OAuth App Mailbox Access via Graph API id: 9db0d5b0-4058-4cb7-baaf-77d8143539a2 -version: 1 -date: '2024-01-31' +version: 2 +date: '2024-05-18' author: Mauricio Velazco, Splunk status: production -data_source: +data_source: - O365 MailItemsAccessed type: TTP -description: This Splunk analytic detects when emails are accessed in Office 365 Exchange via the Microsoft Graph API, identified by the client ID '00000003-0000-0000-c000-000000000000'. It tracks the 'MailItemsAccessed' operation within the Exchange workload, focusing on OAuth-authenticated applications. The query compiles statistics on access frequency, timing, and client IP addresses, organized by user, client application ID, and AppId. For defenders, it's crucial to maintain an inventory of all OAuth applications that read emails, using this data to scrutinize and identify any potential abusive access patterns. -search: ' `o365_management_activity` Workload=Exchange Operation=MailItemsAccessed AppId=* AppId=00000003-0000-0000-c000-000000000000 - | stats count earliest(_time) as firstTime latest(_time) as lastTime values(ClientIPAddress) by user ClientAppId OperationCount AppId - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +description: The following analytic detects when emails are accessed in Office 365 + Exchange via the Microsoft Graph API using the client ID '00000003-0000-0000-c000-000000000000'. + It leverages the 'MailItemsAccessed' operation within the Exchange workload, focusing + on OAuth-authenticated applications. This activity is significant as unauthorized + access to emails can lead to data breaches and information theft. If confirmed malicious, + attackers could exfiltrate sensitive information, compromise user accounts, and + further infiltrate the organization’s network. +search: ' `o365_management_activity` Workload=Exchange Operation=MailItemsAccessed + AppId=* AppId=00000003-0000-0000-c000-000000000000 | stats count earliest(_time) + as firstTime latest(_time) as lastTime values(ClientIPAddress) by user ClientAppId + OperationCount AppId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_oauth_app_mailbox_access_via_graph_api_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: OAuth applications may access mailboxes for legitimate purposes, you can use the ClientAppId to add trusted applications to an allow list. +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: OAuth applications may access mailboxes for legitimate purposes, + you can use the ClientAppId to add trusted applications to an allow list. references: - https://attack.mitre.org/techniques/T1114/002/ - https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in @@ -26,7 +34,8 @@ tags: asset_type: O365 Tenant confidence: 60 impact: 70 - message: An OAuth application identified with id $ClientAppId$ accesed mailboxes through the Graph API. + message: An OAuth application identified with id $ClientAppId$ accesed mailboxes + through the Graph API. mitre_attack_id: - T1114.002 observable: @@ -50,7 +59,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.002/o365_oauth_app_graph_mailbox_access/o365_oauth_app_graph_mailbox_access.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.002/o365_oauth_app_graph_mailbox_access/o365_oauth_app_graph_mailbox_access.log sourcetype: o365:management:activity source: o365 diff --git a/detections/cloud/o365_privileged_graph_api_permission_assigned.yml b/detections/cloud/o365_privileged_graph_api_permission_assigned.yml index 49c9ba456e..b122535a63 100644 --- a/detections/cloud/o365_privileged_graph_api_permission_assigned.yml +++ b/detections/cloud/o365_privileged_graph_api_permission_assigned.yml @@ -1,25 +1,36 @@ name: O365 Privileged Graph API Permission Assigned id: 868f3131-d5e1-4bf1-af5b-9b0fbaaaedbb -version: 1 -date: '2024-01-30' +version: 2 +date: '2024-05-14' author: Mauricio Velazco, Splunk status: production type: TTP -data_source: +data_source: - O365 Update application. -description: This Splunk analytic detects the assignment of critical Graph API permissions in Azure AD using O365 Unified Audit Log as its data source. It focuses on three permissions, Application.ReadWrite.All (Entitlement ID 1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9), AppRoleAssignment.ReadWrite.All (06b708a9-e830-4db3-a914-8e69da51d44f), and RoleManagement.ReadWrite.Directory (9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8). These permissions, crucial for controlling Azure AD settings, pose a high risk if misused. The query monitors Azure Active Directory workload events in the Office 365 Management Activity, specifically 'Update application' operations. It extracts and analyzes data to spot when these permissions are granted, gathering details about the user, object, and user agent involved. Due to the significant control these permissions provide, immediate investigation is crucial upon detection to prevent unauthorized modifications. +description: The following analytic detects the assignment of critical Graph API permissions + in Azure AD using the O365 Unified Audit Log. It focuses on permissions such as + Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All, and RoleManagement.ReadWrite.Directory. + The detection method leverages Azure Active Directory workload events, specifically + 'Update application' operations. This activity is significant as these permissions + provide extensive control over Azure AD settings, posing a high risk if misused. + If confirmed malicious, this could allow unauthorized modifications, leading to + potential data breaches or privilege escalation. Immediate investigation is crucial. search: >- - `o365_management_activity` Workload=AzureActiveDirectory Operation="Update application." - | eval newvalue = mvindex('ModifiedProperties{}.NewValue',0) - | spath input=newvalue - | search "{}.RequiredAppPermissions{}.EntitlementId"="1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9" OR "{}.RequiredAppPermissions{}.EntitlementId"="06b708a9-e830-4db3-a914-8e69da51d44f" OR "{}.RequiredAppPermissions{}.EntitlementId"="9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8" - | eval Permissions = '{}.RequiredAppPermissions{}.EntitlementId' - | stats count earliest(_time) as firstTime latest(_time) as lastTime values(Permissions) by user, object, user_agent, Operation - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `o365_privileged_graph_api_permission_assigned_filter` -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: Privileged Graph API permissions may be assigned for legitimate purposes. Filter as needed. + `o365_management_activity` Workload=AzureActiveDirectory Operation="Update application." + | eval newvalue = mvindex('ModifiedProperties{}.NewValue',0) + | spath input=newvalue | search "{}.RequiredAppPermissions{}.EntitlementId"="1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9" + OR "{}.RequiredAppPermissions{}.EntitlementId"="06b708a9-e830-4db3-a914-8e69da51d44f" + OR "{}.RequiredAppPermissions{}.EntitlementId"="9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8" | + eval Permissions = '{}.RequiredAppPermissions{}.EntitlementId' + | stats count earliest(_time) as firstTime latest(_time) as lastTime values(Permissions) + by user, object, user_agent, Operation + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `o365_privileged_graph_api_permission_assigned_filter` +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: Privileged Graph API permissions may be assigned for legitimate + purposes. Filter as needed. references: - https://cloudbrothers.info/en/azure-attack-paths/ - https://github.com/mandiant/Mandiant-Azure-AD-Investigator/blob/master/MandiantAzureADInvestigator.json @@ -60,6 +71,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/o365_privileged_graph_perm_assigned/o365_privileged_graph_perm_assigned.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/o365_privileged_graph_perm_assigned/o365_privileged_graph_perm_assigned.log sourcetype: o365:management:activity source: o365 diff --git a/detections/cloud/o365_pst_export_alert.yml b/detections/cloud/o365_pst_export_alert.yml index 099bcb420b..d6aa52da7a 100644 --- a/detections/cloud/o365_pst_export_alert.yml +++ b/detections/cloud/o365_pst_export_alert.yml @@ -1,12 +1,20 @@ name: O365 PST export alert id: 5f694cc4-a678-4a60-9410-bffca1b647dc -version: 2 -date: '2020-12-16' +version: 3 +date: '2024-05-16' author: Rod Soto, Splunk status: production type: TTP -description: This analytic detects instances where a user has initiated an eDiscovery search or exported a PST file from the search results in an Office 365 environment. The detection leverages the Office 365 management activity logs, specifically filtering for events categorized under ThreatManagement with the name eDiscovery search started or exported. The initiation of an eDiscovery search or the export of a PST file can be indicative of data exfiltration attempts or unauthorized access to sensitive information. PST files often contain a wealth of sensitive data, including the content of emails. Monitoring for such activities is crucial as they can expose sensitive organizational communications and data. If confirmed as a malicious activity, it suggests that an attacker or insider threat is attempting to gather or exfiltrate data. This can lead to data breaches, loss of intellectual property, or unauthorized access to confidential communications. Immediate investigation is required to determine the scope and intent of the activity and to take appropriate remedial actions. -data_source: +description: The following analytic detects instances where a user has initiated an + eDiscovery search or exported a PST file in an Office 365 environment. It leverages + Office 365 management activity logs, specifically filtering for events under ThreatManagement + with the name "eDiscovery search started or exported." This activity is significant + as it may indicate data exfiltration attempts or unauthorized access to sensitive + information. If confirmed malicious, it suggests an attacker or insider threat is + attempting to gather or exfiltrate data, potentially leading to data breaches, loss + of intellectual property, or unauthorized access to confidential communications. + Immediate investigation is required. +data_source: - O365 search: '`o365_management_activity` Category=ThreatManagement Name="eDiscovery search started or exported" | stats count earliest(_time) as firstTime latest(_time) as @@ -51,6 +59,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_export_pst_file/o365_export_pst_file.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_export_pst_file/o365_export_pst_file.json sourcetype: o365:management:activity source: o365 diff --git a/detections/cloud/o365_security_and_compliance_alert_triggered.yml b/detections/cloud/o365_security_and_compliance_alert_triggered.yml index a927ab4ea4..814038f5f3 100644 --- a/detections/cloud/o365_security_and_compliance_alert_triggered.yml +++ b/detections/cloud/o365_security_and_compliance_alert_triggered.yml @@ -1,26 +1,33 @@ name: O365 Security And Compliance Alert Triggered id: 5b367cdd-8dfc-49ac-a9b7-6406cf27f33e -version: 1 -date: '2024-03-25' +version: 2 +date: '2024-05-09' author: Mauricio Velazco, Splunk data_source: [] type: TTP status: production -description: The following detection is tailored to identify and act upon alerts generated by the Office 365 Security and Compliance Center, encompassing a broad spectrum of security and compliance issues indicative of potential threats or policy violations within the O365 workspace. -search: ' `o365_management_activity` Workload=SecurityComplianceCenter Category=ThreatManagement Operation=AlertTriggered - | spath input=Data path=f3u output=user - | spath input=Data path=op output=operation | spath input=_raw path=wl - | spath input=Data path=rid output=rule_id - | spath input=Data path=ad output=alert_description - | spath input=Data path=lon output=operation_name - | spath input=Data path=an output=alert_name - | spath input=Data path=sev output=severity - | stats count earliest(_time) as firstTime latest(_time) as lastTime by user, Name, operation, rule_id, alert_description, alert_name, severity - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +description: The following analytic identifies alerts triggered by the Office 365 + Security and Compliance Center, indicating potential threats or policy violations. + It leverages data from the `o365_management_activity` dataset, focusing on events + where the workload is SecurityComplianceCenter and the operation is AlertTriggered. + This activity is significant as it highlights security and compliance issues within + the O365 environment, which are crucial for maintaining organizational security. + If confirmed malicious, these alerts could indicate attempts to breach security + policies, leading to unauthorized access, data exfiltration, or other malicious + activities. +search: ' `o365_management_activity` Workload=SecurityComplianceCenter Category=ThreatManagement + Operation=AlertTriggered | spath input=Data path=f3u output=user | spath input=Data + path=op output=operation | spath input=_raw path=wl | spath input=Data path=rid + output=rule_id | spath input=Data path=ad output=alert_description | spath input=Data + path=lon output=operation_name | spath input=Data path=an output=alert_name | spath + input=Data path=sev output=severity | stats count earliest(_time) as firstTime + latest(_time) as lastTime by user, Name, operation, rule_id, alert_description, + alert_name, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_security_and_compliance_alert_triggered_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: O365 Security and Compliance may also generate false positives or trigger on legitimate behavior, filter as needed. +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: O365 Security and Compliance may also generate false positives + or trigger on legitimate behavior, filter as needed. references: - https://attack.mitre.org/techniques/T1078/004/ - https://learn.microsoft.com/en-us/purview/alert-policies?view=o365-worldwide @@ -56,6 +63,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/o365_security_and_compliance_alert_triggered/o365_security_and_compliance_alert_triggered.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/o365_security_and_compliance_alert_triggered/o365_security_and_compliance_alert_triggered.log sourcetype: o365:management:activity source: o365 diff --git a/detections/cloud/o365_service_principal_new_client_credentials.yml b/detections/cloud/o365_service_principal_new_client_credentials.yml index 1652e26b56..4dd03b4f3c 100644 --- a/detections/cloud/o365_service_principal_new_client_credentials.yml +++ b/detections/cloud/o365_service_principal_new_client_credentials.yml @@ -1,29 +1,33 @@ name: O365 Service Principal New Client Credentials id: a1b229e9-d962-4222-8c62-905a8a010453 -version: 1 -date: '2023-08-31' +version: 2 +date: '2024-05-12' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic identifies the addition of new credentials for Service - Principals in addition to existing legitimate credentials within a Office 365 tenant. These credentials include both x509 certificates and passwords. It leverages O365 audit logs, specifically events related to credential modifications or additions within the AzureActiveDirectory workload for service principals. - Service principals represent application identities in Office 365 / AzureAD, and their credentials allow applications to authenticate and access resources. Adding new credentials or modifying existing ones can be an indication of configuration changes, but it can also be a sign of malicious intent - If an attacker successfully adds or modifies credentials for a service principal, they can potentially use those credentials to authenticate as the application, gaining access to resources and data the application is permitted to access. This can lead to unauthorized data access, data exfiltration, or malicious operations performed under the guise of the application -data_source: +description: The following analytic detects the addition of new credentials for Service + Principals within an Office 365 tenant. It uses O365 audit logs, focusing on events + related to credential modifications or additions in the AzureActiveDirectory workload. + This activity is significant because Service Principals represent application identities, + and their credentials allow applications to authenticate and access resources. If + an attacker successfully adds or modifies these credentials, they can impersonate + the application, leading to unauthorized data access, data exfiltration, or malicious + operations under the application's identity. +data_source: - O365 -search: ' `o365_management_activity` Workload=AzureActiveDirectory Operation="Update application*Certificates and secrets management " - | stats earliest(_time) as firstTime latest(_time) as lastTime by user ModifiedProperties{}.NewValue object ObjectId - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `o365_service_principal_new_client_credentials_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. +search: ' `o365_management_activity` Workload=AzureActiveDirectory Operation="Update + application*Certificates and secrets management " | stats earliest(_time) as firstTime + latest(_time) as lastTime by user ModifiedProperties{}.NewValue object ObjectId + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_service_principal_new_client_credentials_filter`' +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. known_false_positives: Service Principal client credential modifications may be part of legitimate administrative operations. Filter as needed. references: - https://attack.mitre.org/techniques/T1098/001/ - https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452 -- https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501-2/ -- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Cloud%20-%20Azure%20Pentest.md#add-credentials-to-all-enterprise-applications +- https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501-2/ +- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Cloud%20-%20Azure%20Pentest.md#add-credentials-to-all-enterprise-applications tags: analytic_story: - Office 365 Persistence Mechanisms @@ -59,6 +63,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.001/o365_service_principal_credentials/o365_service_principal_credentials.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.001/o365_service_principal_credentials/o365_service_principal_credentials.log sourcetype: o365:management:activity - source: o365 \ No newline at end of file + source: o365 diff --git a/detections/cloud/o365_tenant_wide_admin_consent_granted.yml b/detections/cloud/o365_tenant_wide_admin_consent_granted.yml index b0ea78c553..8b5a9bc611 100644 --- a/detections/cloud/o365_tenant_wide_admin_consent_granted.yml +++ b/detections/cloud/o365_tenant_wide_admin_consent_granted.yml @@ -1,31 +1,39 @@ name: O365 Tenant Wide Admin Consent Granted id: 50eaabf8-5180-4e86-bfb2-011472c359fc -version: 1 -date: '2023-09-06' +version: 2 +date: '2024-05-29' author: Mauricio Velazco, Splunk status: production type: TTP -data_source: +data_source: - O365 Consent to application. -description: The following analytic identifies instances where admin consent is granted to an application within an Azure AD and Office 365 tenant. It leverages O365 audit logs, specifically events related to the admin consent action within the AzureActiveDirectory workload. The admin consent action allows applications to access data across the entire tenant, potentially encompassing a vast amount of organizational data. Given its broad scope and the sensitivity of some permissions that can only be granted via admin consent, it's crucial to monitor this action. Unauthorized or inadvertent granting of admin consent can lead to significant security risks, including data breaches, unauthorized data access, and potential compliance violations. If an attacker successfully tricks an administrator into granting admin consent to a malicious or compromised application, they can gain extensive and persistent access to organizational data. This can lead to data exfiltration, espionage, further malicious activities within the tenant, and potential breaches of compliance regulations +description: The following analytic identifies instances where admin consent is granted + to an application within an Azure AD and Office 365 tenant. It leverages O365 audit + logs, specifically events related to the admin consent action within the AzureActiveDirectory + workload. This activity is significant because admin consent allows applications + to access data across the entire tenant, potentially exposing vast amounts of organizational + data. If confirmed malicious, an attacker could gain extensive and persistent access + to organizational data, leading to data exfiltration, espionage, further malicious + activities, and potential compliance violations. search: >- - `o365_management_activity` Operation="Consent to application." - | eval new_field=mvindex('ModifiedProperties{}.NewValue', 4) + `o365_management_activity` Operation="Consent to application." | eval new_field=mvindex('ModifiedProperties{}.NewValue', + 4) | rex field=new_field "ConsentType: (?[^\,]+)" - | rex field=new_field "Scope: (?[^\,]+)" - | search ConsentType = "AllPrincipals" - | stats count min(_time) as firstTime max(_time) as lastTime by Operation, user, object, ObjectId, ConsentType, Scope - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` + | rex field=new_field "Scope: (?[^\,]+)" | search ConsentType = "AllPrincipals" | + stats count min(_time) as firstTime max(_time) as lastTime by Operation, user, object, + ObjectId, ConsentType, Scope + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_tenant_wide_admin_consent_granted_filter` -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: Legitimate applications may be granted tenant wide consent, filter as needed. +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: Legitimate applications may be granted tenant wide consent, + filter as needed. references: - https://attack.mitre.org/techniques/T1098/003/ - https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452 - https://learn.microsoft.com/en-us/security/operations/incident-response-playbook-app-consent - https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent?pivots=portal -- https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501-2/ +- https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501-2/ tags: analytic_story: - Office 365 Persistence Mechanisms @@ -58,6 +66,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/o365_admin_consent/o365_admin_consent.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/o365_admin_consent/o365_admin_consent.log source: o365 sourcetype: o365:management:activity diff --git a/detections/cloud/o365_user_consent_blocked_for_risky_application.yml b/detections/cloud/o365_user_consent_blocked_for_risky_application.yml index 43d2d1bd02..5ff69a0f26 100644 --- a/detections/cloud/o365_user_consent_blocked_for_risky_application.yml +++ b/detections/cloud/o365_user_consent_blocked_for_risky_application.yml @@ -1,15 +1,24 @@ name: O365 User Consent Blocked for Risky Application id: 242e4d30-cb59-4051-b0cf-58895e218f40 -version: 1 -date: '2023-10-11' +version: 2 +date: '2024-05-26' author: Mauricio Velazco, Splunk status: production type: TTP -data_source: +data_source: - O365 Consent to application. -description: The following analytic identifies instances where Office 365 has blocked a user's attempt to grant consent to an application deemed risky or potentially malicious. This suggests that the application has exhibited behaviors or characteristics that are commonly associated with malicious intent or poses a security risk. This detection leverages the O365 audit logs, specifically focusing on events related to user consent actions and system-driven blocks. By filtering for blocked consent actions associated with applications, the analytic highlights instances where O365's built-in security measures have intervened. Applications that are flagged and blocked by O365 typically exhibit suspicious characteristics or behaviors. Monitoring for these blocked consent attempts helps security teams identify potential threats early on and can provide insights into users who might be targeted or susceptible to such risky applications. It's an essential layer of defense in ensuring that malicious or risky applications don't gain access to organizational data. If the detection is a true positive, it indicates that the built-in security measures of O365 successfully prevented a potentially harmful application from gaining access. However, the attempt itself suggests that either a user might be targeted or that there's a presence of malicious applications trying to infiltrate the organization. Immediate investigation is required to understand the context of the block and to take further preventive measures. +description: The following analytic identifies instances where Office 365 has blocked + a user's attempt to grant consent to an application deemed risky or potentially + malicious. This detection leverages O365 audit logs, specifically focusing on failed + user consent actions due to system-driven blocks. Monitoring these blocked consent + attempts is crucial as it highlights potential threats early on, indicating that + a user might be targeted or that malicious applications are attempting to infiltrate + the organization. If confirmed malicious, this activity suggests that O365's security + measures successfully prevented a harmful application from accessing organizational + data, warranting immediate investigation. search: >- - `o365_management_activity` Workload=AzureActiveDirectory Operation="Consent to application." ResultStatus=Failure + `o365_management_activity` Workload=AzureActiveDirectory Operation="Consent to application." + ResultStatus=Failure | eval permissions =mvindex('ModifiedProperties{}.NewValue', 4) | eval reason =mvindex('ModifiedProperties{}.NewValue', 5) | search reason = "Risky application detected" @@ -17,8 +26,10 @@ search: >- | stats max(_time) as lastTime by Operation, user, reason, object, Scope | `security_content_ctime(lastTime)` | `o365_user_consent_blocked_for_risky_application_filter` -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: Microsofts algorithm to identify risky applications is unknown and may flag legitimate applications. +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. +known_false_positives: Microsofts algorithm to identify risky applications is unknown + and may flag legitimate applications. references: - https://attack.mitre.org/techniques/T1528/ - https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/ @@ -32,7 +43,8 @@ tags: asset_type: O365 Tenant confidence: 100 impact: 30 - message: O365 has blocked $user$ attempt to grant to consent to an application deemed risky. + message: O365 has blocked $user$ attempt to grant to consent to an application deemed + risky. mitre_attack_id: - T1528 observable: @@ -57,6 +69,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1528/o365_user_consent_blocked/o365_user_consent_blocked.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1528/o365_user_consent_blocked/o365_user_consent_blocked.log source: o365 sourcetype: o365:management:activity diff --git a/detections/cloud/o365_user_consent_denied_for_oauth_application.yml b/detections/cloud/o365_user_consent_denied_for_oauth_application.yml index ddf43b50a4..f38efad892 100644 --- a/detections/cloud/o365_user_consent_denied_for_oauth_application.yml +++ b/detections/cloud/o365_user_consent_denied_for_oauth_application.yml @@ -1,21 +1,28 @@ name: O365 User Consent Denied for OAuth Application id: 2d8679ef-b075-46be-8059-c25116cb1072 -version: 1 -date: '2023-10-12' +version: 2 +date: '2024-05-22' author: Mauricio Velazco, Splunk status: production type: TTP -data_source: +data_source: - O365 -description: The following analytic identifies instances where a user has actively denied consent to an OAuth application seeking permissions within the Office 365 environment. This suggests that the user either recognized something suspicious about the application or chose not to grant it the requested permissions for other reasons. This detection leverages the O365 audit logs, specifically focusing on events related to user consent actions. By filtering for denied consent actions associated with OAuth applications, the analytic captures instances where users have actively rejected permission requests. While user-denied consents can be routine, they can also be indicative of users spotting potentially suspicious or unfamiliar applications. By monitoring these denied consent attempts, security teams can gain insights into applications that might be perceived as risky or untrusted by users. It can also serve as a feedback loop for security awareness training, indicating that users are being cautious about granting permissions. If the detection is a true positive, it indicates that a user has actively prevented an OAuth application from gaining the permissions it requested. While this is a proactive security measure on the user's part, it's essential for security teams to review the context of the denial. Understanding why certain applications are being denied can help in refining application whitelisting policies and ensuring that no malicious applications are attempting to gain access. -search: ' `o365_graph` status.errorCode=65004 - | rename userPrincipalName as user - | rename ipAddress as src_ip - | stats max(_time) as lastTime by user src_ip appDisplayName status.failureReason - | `security_content_ctime(lastTime)` - | `o365_user_consent_denied_for_oauth_application_filter`' -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 events. -known_false_positives: OAuth applications that require mail permissions may be legitimate, investigate and filter as needed. +description: The following analytic identifies instances where a user has denied consent + to an OAuth application seeking permissions within the Office 365 environment. This + detection leverages O365 audit logs, focusing on events related to user consent + actions. By filtering for denied consent actions associated with OAuth applications, + it captures instances where users have actively rejected permission requests. This + activity is significant as it may indicate users spotting potentially suspicious + or unfamiliar applications. If confirmed malicious, it suggests an attempt by a + potentially harmful application to gain unauthorized access, which was proactively + blocked by the user. +search: ' `o365_graph` status.errorCode=65004 | rename userPrincipalName as user | + rename ipAddress as src_ip | stats max(_time) as lastTime by user src_ip appDisplayName + status.failureReason | `security_content_ctime(lastTime)` | `o365_user_consent_denied_for_oauth_application_filter`' +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 events. +known_false_positives: OAuth applications that require mail permissions may be legitimate, + investigate and filter as needed. references: - https://attack.mitre.org/techniques/T1528/ - https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/ @@ -56,6 +63,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1528/o365_user_consent_declined/o365_user_consent_declined.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1528/o365_user_consent_declined/o365_user_consent_declined.log source: o365 sourcetype: o365:graph:api diff --git a/detections/cloud/risk_rule_for_dev_sec_ops_by_repository.yml b/detections/cloud/risk_rule_for_dev_sec_ops_by_repository.yml index 9d0f037175..e1746bf9b1 100644 --- a/detections/cloud/risk_rule_for_dev_sec_ops_by_repository.yml +++ b/detections/cloud/risk_rule_for_dev_sec_ops_by_repository.yml @@ -1,15 +1,24 @@ name: Risk Rule for Dev Sec Ops by Repository id: 161bc0ca-4651-4c13-9c27-27770660cf67 -version: 1 -date: '2023-10-27' +version: 2 +date: '2024-05-24' author: Bhavin Patel status: production type: Correlation description: |- - The following analytic detects by correlating repository and risk score to identify patterns and trends in the data based on the level of risk associated. The analytic adds any null values and calculates the sum of the risk scores for each detection. Then, the analytic captures the source and user information for each detection and sorts the results in ascending order based on the risk score. Finally, the analytic filters the detections with a risk score below 80 and focuses only on high-risk detections.This detection is important because it provides valuable insights into the distribution of high-risk activities across different repositories. It also identifies the most vulnerable repositories that are frequently targeted by potential threats. Additionally, it proactively detects and responds to potential threats, thereby minimizing the impact of attacks and safeguarding critical assets. Finally, it provides a comprehensive view of the risk landscape and helps to make informed decisions to protect the organization's data and infrastructure. False positives might occur so it is important to identify the impact of the attack and prioritize response and mitigation efforts. + The following analytic identifies high-risk activities within repositories by correlating repository data with risk scores. It leverages risk events from the Dev Sec Ops analytic stories, summing risk scores and capturing source and user information. The detection focuses on high-risk scores above 100 and sources with more than three occurrences. This activity is significant as it highlights repositories frequently targeted by threats, providing insights into potential vulnerabilities. If confirmed malicious, attackers could exploit these repositories, leading to data breaches or infrastructure compromise. data_source: [] -search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as sum_risk_score, values(All_Risk.annotations.mitre_attack.mitre_tactic) as annotations.mitre_attack.mitre_tactic, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories="Dev Sec Ops" All_Risk.risk_object_type = "other" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count > 3 and sum_risk_score > 100 | `risk_rule_for_dev_sec_ops_by_repository_filter`' -how_to_implement: Ensure that all relevant detections in the Dev Sec Ops analytic stories are enabled and are configured to create risk events in Enterprise Security. +search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) + as lastTime sum(All_Risk.calculated_risk_score) as sum_risk_score, values(All_Risk.annotations.mitre_attack.mitre_tactic) + as annotations.mitre_attack.mitre_tactic, values(All_Risk.annotations.mitre_attack.mitre_technique_id) + as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) + as mitre_technique_id_count values(source) as source, dc(source) as source_count + from datamodel=Risk.All_Risk where All_Risk.analyticstories="Dev Sec Ops" All_Risk.risk_object_type + = "other" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic + | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | where source_count > 3 and sum_risk_score > 100 | `risk_rule_for_dev_sec_ops_by_repository_filter`' +how_to_implement: Ensure that all relevant detections in the Dev Sec Ops analytic + stories are enabled and are configured to create risk events in Enterprise Security. known_false_positives: Unknown references: [] tags: @@ -38,6 +47,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1204.003/risk_dataset/aws_ecr_risk_dataset.log + - data: + https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1204.003/risk_dataset/aws_ecr_risk_dataset.log source: aws_ecr_risk_dataset.log sourcetype: stash diff --git a/detections/deprecated/clients_connecting_to_multiple_dns_servers.yml b/detections/deprecated/clients_connecting_to_multiple_dns_servers.yml index 02add903d3..ad4302443a 100644 --- a/detections/deprecated/clients_connecting_to_multiple_dns_servers.yml +++ b/detections/deprecated/clients_connecting_to_multiple_dns_servers.yml @@ -11,7 +11,7 @@ data_source: [] search: '| tstats `security_content_summariesonly` count, values(DNS.dest) AS dest dc(DNS.dest) as dest_count from datamodel=Network_Resolution where DNS.message_type=QUERY by DNS.src | `drop_dm_object_name("Network_Resolution")` |where dest_count > 5 | - `clients_connecting_to_multiple_dns_servers_filter` ' + `clients_connecting_to_multiple_dns_servers_filter`' how_to_implement: 'This search requires that DNS data is being ingested and populating the `Network_Resolution` data model. This data can come from DNS logs or from solutions that parse network traffic for this data, such as Splunk Stream or Bro. diff --git a/detections/deprecated/dns_query_requests_resolved_by_unauthorized_dns_servers.yml b/detections/deprecated/dns_query_requests_resolved_by_unauthorized_dns_servers.yml index 9dc6f0de3f..078029a1fe 100644 --- a/detections/deprecated/dns_query_requests_resolved_by_unauthorized_dns_servers.yml +++ b/detections/deprecated/dns_query_requests_resolved_by_unauthorized_dns_servers.yml @@ -11,7 +11,7 @@ description: This search will detect DNS requests resolved by unauthorized DNS s data_source: [] search: '| tstats `security_content_summariesonly` count from datamodel=Network_Resolution where DNS.dest_category != dns_server AND DNS.src_category != dns_server by DNS.src - DNS.dest | `drop_dm_object_name("DNS")` | `dns_query_requests_resolved_by_unauthorized_dns_servers_filter` ' + DNS.dest | `drop_dm_object_name("DNS")` | `dns_query_requests_resolved_by_unauthorized_dns_servers_filter`' how_to_implement: To successfully implement this search you will need to ensure that DNS data is populating the Network_Resolution data model. It also requires that your DNS servers are identified correctly in the Assets and Identity table of Enterprise diff --git a/detections/deprecated/first_time_seen_command_line_argument.yml b/detections/deprecated/first_time_seen_command_line_argument.yml index 3094fd5e77..3e63b16ad4 100644 --- a/detections/deprecated/first_time_seen_command_line_argument.yml +++ b/detections/deprecated/first_time_seen_command_line_argument.yml @@ -20,7 +20,7 @@ search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_ | stats min(firstTime) as firstTime, max(lastTime) as lastTime by process | outputlookup previously_seen_cmd_line_arguments | eval newCmdLineArgument=if(firstTime >= relative_time(now(), "-70m@m"), 1, 0) | where newCmdLineArgument=1 | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | table process] | `first_time_seen_command_line_argument_filter` ' + | `security_content_ctime(lastTime)` | table process] | `first_time_seen_command_line_argument_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, diff --git a/detections/deprecated/gcp_kubernetes_cluster_scan_detection.yml b/detections/deprecated/gcp_kubernetes_cluster_scan_detection.yml index c0c0eb2e9d..8639f1dc7a 100644 --- a/detections/deprecated/gcp_kubernetes_cluster_scan_detection.yml +++ b/detections/deprecated/gcp_kubernetes_cluster_scan_detection.yml @@ -16,7 +16,7 @@ search: '`google_gcp_pubsub_message` data.protoPayload.requestMetadata.callerIp! values(data.protoPayload.resourceName) as resource_name values(data.protoPayload.requestMetadata.callerSuppliedUserAgent) as http_user_agent by src_ip data.resource.labels.cluster_name | rename data.resource.labels.cluster_name as cluster_name| `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | - `gcp_kubernetes_cluster_scan_detection_filter` ' + `gcp_kubernetes_cluster_scan_detection_filter`' how_to_implement: You must install the GCP App for Splunk (version 2.0.0 or later), then configure stackdriver and set a Pub/Sub subscription to be imported to Splunk. You must also install Cloud Infrastructure data model.Customize the macro kubernetes_gcp_scan_fingerprint_attack_detection diff --git a/detections/deprecated/multiple_okta_users_with_invalid_credentials_from_the_same_ip.yml b/detections/deprecated/multiple_okta_users_with_invalid_credentials_from_the_same_ip.yml index 0c3ed3bfb5..26d54ddf4c 100644 --- a/detections/deprecated/multiple_okta_users_with_invalid_credentials_from_the_same_ip.yml +++ b/detections/deprecated/multiple_okta_users_with_invalid_credentials_from_the_same_ip.yml @@ -17,7 +17,7 @@ search: '`okta` eventType=user.session.start outcome.result=FAILURE | rename cli as city | stats min(_time) as firstTime max(_time) as lastTime dc(src_user) as distinct_users values(src_user) as users by src_ip, displayMessage, outcome.reason, country, state, city | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | search distinct_users > 5| `multiple_okta_users_with_invalid_credentials_from_the_same_ip_filter` ' + | search distinct_users > 5| `multiple_okta_users_with_invalid_credentials_from_the_same_ip_filter`' how_to_implement: This search is specific to Okta and requires Okta logs are being ingested in your Splunk deployment. known_false_positives: A single public IP address servicing multiple legitmate users diff --git a/detections/deprecated/okta_failed_sso_attempts.yml b/detections/deprecated/okta_failed_sso_attempts.yml index eb18442740..22f2a00260 100644 --- a/detections/deprecated/okta_failed_sso_attempts.yml +++ b/detections/deprecated/okta_failed_sso_attempts.yml @@ -10,7 +10,7 @@ data_source: [] search: '`okta` eventType=app.generic.unauth_app_access_attempt | stats min(_time) as firstTime max(_time) as lastTime values(app) as Apps count by src_user, result ,displayMessage, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `okta_failed_sso_attempts_filter` ' + | `okta_failed_sso_attempts_filter`' how_to_implement: This search is specific to Okta and requires Okta logs are being ingested in your Splunk deployment. known_false_positives: There may be a faulty config preventing legitmate users from diff --git a/detections/deprecated/prohibited_software_on_endpoint.yml b/detections/deprecated/prohibited_software_on_endpoint.yml index 0ced386a69..19c26ef4b0 100644 --- a/detections/deprecated/prohibited_software_on_endpoint.yml +++ b/detections/deprecated/prohibited_software_on_endpoint.yml @@ -12,7 +12,7 @@ data_source: search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.dest Processes.user Processes.process_name | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` - | `prohibited_processes` | `prohibited_software_on_endpoint_filter`' + | `prohibited_softwares` | `prohibited_software_on_endpoint_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, diff --git a/detections/deprecated/suspicious_changes_to_file_associations.yml b/detections/deprecated/suspicious_changes_to_file_associations.yml index ade4a24926..1d0f536cf9 100644 --- a/detections/deprecated/suspicious_changes_to_file_associations.yml +++ b/detections/deprecated/suspicious_changes_to_file_associations.yml @@ -18,7 +18,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | join [| tstats `security_content_summariesonly` values(Registry.registry_path) as registry_path count from datamodel=Endpoint.Registry where Registry.registry_path=*\\Explorer\\FileExts* by Registry.process_id Registry.dest | `drop_dm_object_name("Registry")` | table - process_id dest registry_path]| `suspicious_changes_to_file_associations_filter` ' + process_id dest registry_path]| `suspicious_changes_to_file_associations_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, diff --git a/detections/deprecated/uncommon_processes_on_endpoint.yml b/detections/deprecated/uncommon_processes_on_endpoint.yml index e24e18fe44..3332774ef7 100644 --- a/detections/deprecated/uncommon_processes_on_endpoint.yml +++ b/detections/deprecated/uncommon_processes_on_endpoint.yml @@ -12,7 +12,7 @@ data_source: search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.dest Processes.user Processes.process Processes.process_name | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` - | `drop_dm_object_name(Processes)` | `uncommon_processes` |`uncommon_processes_on_endpoint_filter` ' + | `drop_dm_object_name(Processes)` | `uncommon_processes` |`uncommon_processes_on_endpoint_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, diff --git a/detections/deprecated/unsigned_image_loaded_by_lsass.yml b/detections/deprecated/unsigned_image_loaded_by_lsass.yml index 9651f6f1c8..51423fd51a 100644 --- a/detections/deprecated/unsigned_image_loaded_by_lsass.yml +++ b/detections/deprecated/unsigned_image_loaded_by_lsass.yml @@ -12,7 +12,7 @@ data_source: search: '`sysmon` EventID=7 Image=*lsass.exe Signed=false | stats count min(_time) as firstTime max(_time) as lastTime by dest, Image, ImageLoaded, Signed, SHA1 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` - | `unsigned_image_loaded_by_lsass_filter` ' + | `unsigned_image_loaded_by_lsass_filter`' how_to_implement: This search needs Sysmon Logs with a sysmon configuration, which includes EventCode 7 with lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations diff --git a/detections/endpoint/7zip_commandline_to_smb_share_path.yml b/detections/endpoint/7zip_commandline_to_smb_share_path.yml index eb0a25a225..76c046406f 100644 --- a/detections/endpoint/7zip_commandline_to_smb_share_path.yml +++ b/detections/endpoint/7zip_commandline_to_smb_share_path.yml @@ -1,15 +1,17 @@ name: 7zip CommandLine To SMB Share Path id: 01d29b48-ff6f-11eb-b81e-acde48001123 -version: 1 -date: '2021-08-17' +version: 2 +date: '2024-05-17' author: Teoderick Contreras, Splunk status: production type: Hunting -description: This search is to detect a suspicious 7z process with commandline pointing - to SMB network share. This technique was seen in CONTI LEAK tools where it use 7z - to archive a sensitive files and place it in network share tmp folder. This search - is a good hunting query that may give analyst a hint why specific user try to archive - a file pointing to SMB user which is un usual. +description: The following analytic detects the execution of 7z or 7za processes with + command lines pointing to SMB network shares. It leverages data from Endpoint Detection + and Response (EDR) agents, focusing on process names and command-line arguments. + This activity is significant as it may indicate an attempt to archive and exfiltrate + sensitive files to a network share, a technique observed in CONTI LEAK tools. If + confirmed malicious, this behavior could lead to data exfiltration, compromising + sensitive information and potentially aiding further attacks. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -72,6 +74,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/conti/conti_leak/windows-sysmon_7z.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/conti/conti_leak/windows-sysmon_7z.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/access_lsass_memory_for_dump_creation.yml b/detections/endpoint/access_lsass_memory_for_dump_creation.yml index 4ff7e38731..04d4d021a0 100644 --- a/detections/endpoint/access_lsass_memory_for_dump_creation.yml +++ b/detections/endpoint/access_lsass_memory_for_dump_creation.yml @@ -1,25 +1,23 @@ name: Access LSASS Memory for Dump Creation id: fb4c31b0-13e8-4155-8aa5-24de4b8d6717 -version: 2 -date: '2023-12-27' +version: 3 +date: '2024-05-13' author: Patrick Bareiss, Splunk status: production type: TTP -description: The following analytic detects the dumping of the LSASS process memory, - which occurs during credential dumping attacks.The detection is made by using Sysmon - logs, specifically EventCode 10, which is related to lsass.exe. This helps to search - for indicators of LSASS memory dumping such as specific call traces to dbgcore.dll - and dbghelp.dll. This detection is important because it prevents credential dumping - attacks and the theft of sensitive information such as login credentials, which - can be used to gain unauthorized access to systems and data. False positives might - occur due to legitimate administrative tasks. Next steps include reviewing and investigating - each case, given the high risk associated with potential credential dumping attacks. +description: The following analytic detects attempts to dump the LSASS process memory, + a common technique in credential dumping attacks. It leverages Sysmon logs, specifically + EventCode 10, to identify suspicious call traces to dbgcore.dll and dbghelp.dll + associated with lsass.exe. This activity is significant as it often precedes the + theft of sensitive login credentials, posing a high risk of unauthorized access + to systems and data. If confirmed malicious, attackers could gain access to critical + credentials, enabling further compromise and lateral movement within the network. data_source: - Sysmon EventID 10 search: '`sysmon` EventCode=10 TargetImage=*lsass.exe CallTrace=*dbgcore.dll* OR CallTrace=*dbghelp.dll* | stats count min(_time) as firstTime max(_time) as lastTime by dest, TargetImage, TargetProcessId, SourceImage, SourceProcessId | `security_content_ctime(firstTime)`| - `security_content_ctime(lastTime)` | `access_lsass_memory_for_dump_creation_filter` ' + `security_content_ctime(lastTime)` | `access_lsass_memory_for_dump_creation_filter`' how_to_implement: This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 10 for lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations @@ -71,6 +69,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/account_discovery_with_net_app.yml b/detections/endpoint/account_discovery_with_net_app.yml index df82586f50..2f4a8fd313 100644 --- a/detections/endpoint/account_discovery_with_net_app.yml +++ b/detections/endpoint/account_discovery_with_net_app.yml @@ -1,17 +1,18 @@ name: Account Discovery With Net App id: 339805ce-ac30-11eb-b87d-acde48001122 -version: 4 -date: '2023-01-04' +version: 5 +date: '2024-05-22' author: Teoderick Contreras, Splunk, TheLawsOfChaos, Github Community status: production type: TTP -description: This search is to detect a potential account discovery series of command - used by several malware or attack to recon the target machine. This technique is - also seen in some note worthy malware like trickbot where it runs a cmd process, - or even drop its module that will execute the said series of net command. This series - of command are good correlation search and indicator of attacker recon if seen in - the machines within a none technical user or department (HR, finance, ceo and etc) - network. +description: The following analytic detects potential account discovery activities + using the 'net' command, commonly employed by malware like Trickbot for reconnaissance. + It leverages Endpoint Detection and Response (EDR) data, focusing on specific command-line + patterns and process relationships. This activity is significant as it often precedes + further malicious actions, such as lateral movement or privilege escalation. If + confirmed malicious, attackers could gain valuable information about user accounts, + enabling them to escalate privileges or move laterally within the network, posing + a significant security risk. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` values(Processes.process) as process @@ -81,6 +82,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/infection/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/infection/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/active_directory_lateral_movement_identified.yml b/detections/endpoint/active_directory_lateral_movement_identified.yml index f98e28e872..461d0227f5 100644 --- a/detections/endpoint/active_directory_lateral_movement_identified.yml +++ b/detections/endpoint/active_directory_lateral_movement_identified.yml @@ -1,25 +1,45 @@ name: Active Directory Lateral Movement Identified id: 6aa6f9dd-adfe-45a8-8f74-c4c7a0d7d037 -version: 2 -date: '2023-11-07' +version: 3 +date: '2024-05-20' author: Michael Haag, Splunk status: production type: Correlation data_source: [] -description: The primary objective of this correlation rule is to detect and alert on potential lateral movement activities within an organization's Active Directory (AD) environment. By identifying multiple analytics associated with the Active Directory Lateral Movement analytic story, security analysts can gain better insight into possible threats and respond accordingly to mitigate risks. - The correlation rule will trigger an alert when multiple analytics from the Active Directory Lateral Movement analytic story are detected within a specified time frame. - The rule will generate an alert if a predetermined threshold of correlated analytics is reached within the specified time frame. This threshold can be customized to suit the needs and risk appetite of the organization. -search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories="Active Directory Lateral Movement" All_Risk.risk_object_type="system" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic - | `drop_dm_object_name(All_Risk)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | where source_count >= 4 - | `active_directory_lateral_movement_identified_filter`' -how_to_implement: Splunk Enterprise Security is required to utilize this correlation. In addition, modify the source_count value to your environment. In our testing, a count of 4 or 5 was decent in a lab, but the number may need to be increased as the analytic story includes over 30 analytics. In addition, based on false positives, modify any analytics to be anomaly and lower or increase risk based on organization importance. -known_false_positives: False positives will most likely be present based on risk scoring and how the organization handles system to system communication. Filter, or modify as needed. In addition to count by analytics, adding a risk score may be useful. In our testing, with 22 events over 30 days, the risk scores ranged from 500 to 80,000. Your organization will be different, monitor and modify as needed. +description: The following analytic identifies potential lateral movement activities + within an organization's Active Directory (AD) environment. It detects this activity + by correlating multiple analytics from the Active Directory Lateral Movement analytic + story within a specified time frame. This is significant for a SOC as lateral movement + is a common tactic used by attackers to expand their access within a network, posing + a substantial risk. If confirmed malicious, this activity could allow attackers + to escalate privileges, access sensitive information, and persist within the environment, + leading to severe security breaches. +search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) + as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) + as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as + annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) + as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) + as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) + as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, + dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories="Active + Directory Lateral Movement" All_Risk.risk_object_type="system" by All_Risk.risk_object + All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where + source_count >= 4 | `active_directory_lateral_movement_identified_filter`' +how_to_implement: Splunk Enterprise Security is required to utilize this correlation. + In addition, modify the source_count value to your environment. In our testing, + a count of 4 or 5 was decent in a lab, but the number may need to be increased as + the analytic story includes over 30 analytics. In addition, based on false positives, + modify any analytics to be anomaly and lower or increase risk based on organization + importance. +known_false_positives: False positives will most likely be present based on risk scoring + and how the organization handles system to system communication. Filter, or modify + as needed. In addition to count by analytics, adding a risk score may be useful. + In our testing, with 22 events over 30 days, the risk scores ranged from 500 to + 80,000. Your organization will be different, monitor and modify as needed. references: - - https://attack.mitre.org/tactics/TA0008/ - - https://research.splunk.com/stories/active_directory_lateral_movement/ +- https://attack.mitre.org/tactics/TA0008/ +- https://research.splunk.com/stories/active_directory_lateral_movement/ tags: analytic_story: - Active Directory Lateral Movement @@ -53,6 +73,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218/living_off_the_land/adlm_risk.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218/living_off_the_land/adlm_risk.log source: adlm sourcetype: stash diff --git a/detections/endpoint/active_directory_privilege_escalation_identified.yml b/detections/endpoint/active_directory_privilege_escalation_identified.yml index bba5f6ad64..f22fc57f3e 100644 --- a/detections/endpoint/active_directory_privilege_escalation_identified.yml +++ b/detections/endpoint/active_directory_privilege_escalation_identified.yml @@ -1,25 +1,45 @@ name: Active Directory Privilege Escalation Identified id: 583e8a68-f2f7-45be-8fc9-bf725f0e22fd -version: 1 -date: '2023-05-23' +version: 2 +date: '2024-05-26' author: Mauricio Velazco, Splunk status: production type: Correlation data_source: [] -description: The primary objective of this correlation rule is to detect and alert on potential privilege escalation activities within an organization's Active Directory (AD) environment. By identifying multiple analytics associated with the Active Directory Privilege Escalation analytic story, security analysts can gain better insight into possible threats and respond accordingly to mitigate risks. - The correlation rule will trigger an alert when multiple analytics from the Active Directory Privilege Escalation analytic story are detected within a specified time frame. - The rule will generate an alert if a predetermined threshold of correlated analytics is reached within the specified time frame. This threshold can be customized to suit the needs and risk appetite of the organization. -search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories="Active Directory Privilege Escalation" All_Risk.risk_object_type="system" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic - | `drop_dm_object_name(All_Risk)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | where source_count >= 4 - | `active_directory_privilege_escalation_identified_filter`' -how_to_implement: Splunk Enterprise Security is required to utilize this correlation. In addition, modify the source_count value to your environment. In our testing, a count of 4 or 5 was decent in a lab, but the number may need to be increased as the analytic story includes over 30 analytics. In addition, based on false positives, modify any analytics to be anomaly and lower or increase risk based on organization importance. -known_false_positives: False positives will most likely be present based on risk scoring and how the organization handles system to system communication. Filter, or modify as needed. In addition to count by analytics, adding a risk score may be useful. In our testing, with 22 events over 30 days, the risk scores ranged from 500 to 80,000. Your organization will be different, monitor and modify as needed. +description: The following analytic identifies potential privilege escalation activities + within an organization's Active Directory (AD) environment. It detects this activity + by correlating multiple analytics from the Active Directory Privilege Escalation + analytic story within a specified time frame. This is significant for a SOC as it + helps identify coordinated attempts to gain elevated privileges, which could indicate + a serious security threat. If confirmed malicious, this activity could allow attackers + to gain unauthorized access to sensitive systems and data, leading to potential + data breaches and further compromise of the network. +search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) + as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) + as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as + annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) + as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) + as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) + as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, + dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories="Active + Directory Privilege Escalation" All_Risk.risk_object_type="system" by All_Risk.risk_object + All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where + source_count >= 4 | `active_directory_privilege_escalation_identified_filter`' +how_to_implement: Splunk Enterprise Security is required to utilize this correlation. + In addition, modify the source_count value to your environment. In our testing, + a count of 4 or 5 was decent in a lab, but the number may need to be increased as + the analytic story includes over 30 analytics. In addition, based on false positives, + modify any analytics to be anomaly and lower or increase risk based on organization + importance. +known_false_positives: False positives will most likely be present based on risk scoring + and how the organization handles system to system communication. Filter, or modify + as needed. In addition to count by analytics, adding a risk score may be useful. + In our testing, with 22 events over 30 days, the risk scores ranged from 500 to + 80,000. Your organization will be different, monitor and modify as needed. references: - - https://attack.mitre.org/tactics/TA0004/ - - https://research.splunk.com/stories/active_directory_privilege_escalation/ +- https://attack.mitre.org/tactics/TA0004/ +- https://research.splunk.com/stories/active_directory_privilege_escalation/ tags: analytic_story: - Active Directory Privilege Escalation @@ -53,6 +73,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1484/privesc/priv_esc.log + - data: + https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1484/privesc/priv_esc.log source: adlm sourcetype: stash diff --git a/detections/endpoint/active_setup_registry_autostart.yml b/detections/endpoint/active_setup_registry_autostart.yml index 6c491ac7b4..203813afd5 100644 --- a/detections/endpoint/active_setup_registry_autostart.yml +++ b/detections/endpoint/active_setup_registry_autostart.yml @@ -1,23 +1,26 @@ name: Active Setup Registry Autostart id: f64579c0-203f-11ec-abcc-acde48001122 -version: 4 -date: '2023-04-27' +version: 5 +date: '2024-05-27' author: Steven Dick, Teoderick Contreras, Splunk status: production type: TTP -description: This analytic is to detect a suspicious modification of the active setup - registry for persistence and privilege escalation. This technique was seen in several - malware (poisonIvy), adware and APT to gain persistence to the compromised machine - upon boot up. This TTP is a good indicator to further check the process id that - do the modification since modification of this registry is not commonly done. check - the legitimacy of the file and process involve in this rules to check if it is a - valid setup installer that creating or modifying this registry. +description: The following analytic detects suspicious modifications to the Active + Setup registry for persistence and privilege escalation. It leverages data from + the Endpoint.Registry data model, focusing on changes to the "StubPath" value within + the "SOFTWARE\\Microsoft\\Active Setup\\Installed Components" path. This activity + is significant as it is commonly used by malware, adware, and APTs to maintain persistence + on compromised machines. If confirmed malicious, this could allow attackers to execute + code upon system startup, potentially leading to further system compromise and unauthorized + access. data_source: - Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_value_name= "StubPath" Registry.registry_path = "*\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components*") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest Registry.user - | `drop_dm_object_name(Registry)` - | `security_content_ctime(firstTime)` +search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry + WHERE (Registry.registry_value_name= "StubPath" Registry.registry_path = "*\\SOFTWARE\\Microsoft\\Active + Setup\\Installed Components*") BY _time span=1h Registry.registry_path Registry.registry_key_name + Registry.registry_value_name Registry.registry_value_data Registry.process_guid + Registry.dest Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `active_setup_registry_autostart_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your @@ -66,6 +69,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/t1547.014/active_setup_stubpath/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/t1547.014/active_setup_stubpath/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/add_defaultuser_and_password_in_registry.yml b/detections/endpoint/add_defaultuser_and_password_in_registry.yml index 919be7da2f..e84b56e1ef 100644 --- a/detections/endpoint/add_defaultuser_and_password_in_registry.yml +++ b/detections/endpoint/add_defaultuser_and_password_in_registry.yml @@ -1,24 +1,29 @@ name: Add DefaultUser And Password In Registry id: d4a3eb62-0f1e-11ec-a971-acde48001122 -version: 4 -date: '2023-03-29' +version: 5 +date: '2024-05-28' author: Steven Dick, Teoderick Contreras, Splunk status: production type: Anomaly -description: this search is to detect a suspicious registry modification to implement - auto admin logon to a host. This technique was seen in BlackMatter ransomware to - automatically logon to the compromise host after triggering a safemode boot to - continue encrypting the whole network. This behavior is not a common practice and - really a suspicious TTP or alert need to be consider if found within then network - premise. +description: The following analytic detects suspicious registry modifications that + implement auto admin logon by adding DefaultUserName and DefaultPassword values. + It leverages data from the Endpoint.Registry data model, specifically monitoring + changes to the "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" registry + path. This activity is significant because it is associated with BlackMatter ransomware, + which uses this technique to automatically log on to compromised hosts and continue + encryption after a safe mode boot. If confirmed malicious, this could allow attackers + to maintain persistence and further encrypt the network, leading to significant + data loss and operational disruption. data_source: - Sysmon EventID 1 - Sysmon EventID 13 - Sysmon EventID 14 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*" AND Registry.registry_value_name= DefaultPassword OR Registry.registry_value_name= DefaultUserName) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.dest Registry.registry_value_data Registry.process_guid - | `drop_dm_object_name(Registry)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry + WHERE (Registry.registry_path= "*SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*" + AND Registry.registry_value_name= DefaultPassword OR Registry.registry_value_name= + DefaultUserName) BY _time span=1h Registry.registry_path Registry.registry_key_name + Registry.registry_value_name Registry.dest Registry.registry_value_data Registry.process_guid + | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `add_defaultuser_and_password_in_registry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your @@ -60,6 +65,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.002/autoadminlogon/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.002/autoadminlogon/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/add_or_set_windows_defender_exclusion.yml b/detections/endpoint/add_or_set_windows_defender_exclusion.yml index 9446f58a19..693246971c 100644 --- a/detections/endpoint/add_or_set_windows_defender_exclusion.yml +++ b/detections/endpoint/add_or_set_windows_defender_exclusion.yml @@ -1,16 +1,18 @@ name: Add or Set Windows Defender Exclusion id: 773b66fe-4dd9-11ec-8289-acde48001122 -version: 1 -date: '2023-04-14' +version: 2 +date: '2024-05-29' author: Teoderick Contreras, Splunk status: production type: TTP -description: This analytic will identify a suspicious process command-line related - to Windows Defender exclusion feature. This command is abused by adversaries, malware - authors and red teams to bypass Windows Defender Antivirus products by excluding - folder path, file path, process and extensions. From its real time or schedule scan - to execute their malicious code. This is a good indicator for defense evasion and - to look further for events after this behavior. +description: The following analytic detects the use of commands to add or set exclusions + in Windows Defender. It leverages data from Endpoint Detection and Response (EDR) + agents, focusing on command-line executions involving "Add-MpPreference" or "Set-MpPreference" + with exclusion parameters. This activity is significant because adversaries often + use it to bypass Windows Defender, allowing malicious code to execute undetected. + If confirmed malicious, this behavior could enable attackers to evade antivirus + detection, maintain persistence, and execute further malicious activities without + interference from Windows Defender. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -81,6 +83,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/defender_exclusion_sysmon/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/defender_exclusion_sysmon/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/adsisearcher_account_discovery.yml b/detections/endpoint/adsisearcher_account_discovery.yml index 63cbb14e05..caeba199f2 100644 --- a/detections/endpoint/adsisearcher_account_discovery.yml +++ b/detections/endpoint/adsisearcher_account_discovery.yml @@ -1,14 +1,18 @@ name: AdsiSearcher Account Discovery id: de7fcadc-04f3-11ec-a241-acde48001122 -version: 2 -date: '2023-12-27' +version: 3 +date: '2024-05-24' author: Teoderick Contreras, Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) - to identify the `[Adsisearcher]` type accelerator being used to query Active Directory - for domain groups. Red Teams and adversaries may leverage `[Adsisearcher]` to enumerate - domain users for situational awareness and Active Directory Discovery. +description: The following analytic detects the use of the `[Adsisearcher]` type accelerator + in PowerShell to query Active Directory for domain users. It leverages PowerShell + Script Block Logging (EventCode=4104) to identify script blocks containing `[adsisearcher]`, + `objectcategory=user`, and `.findAll()`. This activity is significant as it may + indicate an attempt by adversaries or Red Teams to enumerate domain users for situational + awareness and Active Directory discovery. If confirmed malicious, this could lead + to further reconnaissance, privilege escalation, or lateral movement within the + network. data_source: - Powershell Script Block Logging 4104 search: '`powershell` EventCode=4104 ScriptBlockText = "*[adsisearcher]*" ScriptBlockText @@ -62,6 +66,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/adsisearcher_powershell.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/adsisearcher_powershell.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/allow_file_and_printing_sharing_in_firewall.yml b/detections/endpoint/allow_file_and_printing_sharing_in_firewall.yml index baa13cd1cf..1a2a11b37c 100644 --- a/detections/endpoint/allow_file_and_printing_sharing_in_firewall.yml +++ b/detections/endpoint/allow_file_and_printing_sharing_in_firewall.yml @@ -1,13 +1,18 @@ name: Allow File And Printing Sharing In Firewall id: ce27646e-d411-11eb-8a00-acde48001122 -version: 3 -date: '2023-12-15' +version: 4 +date: '2024-05-17' author: Teoderick Contreras, Splunk status: production type: TTP -description: This search is to detect a suspicious modification of firewall to allow - file and printer sharing. This technique was seen in ransomware to be able to discover - more machine connected to the compromised host to encrypt more files +description: The following analytic detects the modification of firewall settings + to allow file and printer sharing. It leverages data from Endpoint Detection and + Response (EDR) agents, focusing on command-line executions involving 'netsh' commands + that enable file and printer sharing. This activity is significant because it can + indicate an attempt by ransomware to discover and encrypt files on additional machines + connected to the compromised host. If confirmed malicious, this could lead to widespread + file encryption across the network, significantly increasing the impact of a ransomware + attack. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -38,7 +43,8 @@ tags: asset_type: Endpoint confidence: 50 impact: 50 - message: A suspicious modification of firewall to allow file and printer sharing detected on host - $dest$ + message: A suspicious modification of firewall to allow file and printer sharing + detected on host - $dest$ mitre_attack_id: - T1562.007 - T1562 @@ -73,6 +79,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data2/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data2/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml b/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml index 818e9a5c0b..ae793efaed 100644 --- a/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml +++ b/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml @@ -1,22 +1,28 @@ name: Allow Inbound Traffic By Firewall Rule Registry id: 0a46537c-be02-11eb-92ca-acde48001122 -version: 5 -date: '2023-03-29' +version: 6 +date: '2024-05-22' author: Steven Dick, Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects a potential suspicious modification of firewall - rule registry allowing inbound traffic in specific port with public profile. This - technique was identified when an adversary wants to grant remote access to a machine - by allowing the traffic in a firewall rule. +description: The following analytic detects suspicious modifications to firewall rule + registry settings that allow inbound traffic on specific ports with a public profile. + It leverages data from the Endpoint.Registry data model, focusing on registry paths + and values indicative of such changes. This activity is significant as it may indicate + an adversary attempting to grant remote access to a machine by modifying firewall + rules. If confirmed malicious, this could enable unauthorized remote access, potentially + leading to further exploitation, data exfiltration, or lateral movement within the + network. data_source: - Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\*" Registry.registry_value_data = "*|Action=Allow|*" Registry.registry_value_data = "*|Dir=In|*" Registry.registry_value_data = "*|LPort=*") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest Registry.user - | `drop_dm_object_name(Registry)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `allow_inbound_traffic_by_firewall_rule_registry_filter`' +search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry + WHERE (Registry.registry_path= "*\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\*" + Registry.registry_value_data = "*|Action=Allow|*" Registry.registry_value_data = + "*|Dir=In|*" Registry.registry_value_data = "*|LPort=*") BY _time span=1h Registry.registry_path + Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data + Registry.process_guid Registry.dest Registry.user | `drop_dm_object_name(Registry)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `allow_inbound_traffic_by_firewall_rule_registry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical @@ -66,6 +72,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/honeypots/casper/datasets1/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/honeypots/casper/datasets1/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/allow_inbound_traffic_in_firewall_rule.yml b/detections/endpoint/allow_inbound_traffic_in_firewall_rule.yml index 1ac40f9da6..e5c93cfb36 100644 --- a/detections/endpoint/allow_inbound_traffic_in_firewall_rule.yml +++ b/detections/endpoint/allow_inbound_traffic_in_firewall_rule.yml @@ -1,19 +1,23 @@ name: Allow Inbound Traffic In Firewall Rule id: a5d85486-b89c-11eb-8267-acde48001122 -version: 2 -date: '2024-04-26' +version: 3 +date: '2024-05-23' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic identifies suspicious PowerShell command to allow - inbound traffic inbound to a specific local port within the public profile. This - technique was seen in some attacker want to have a remote access to a machine by - allowing the traffic in firewall rule. +description: The following analytic detects a suspicious PowerShell command that allows + inbound traffic to a specific local port within the public profile. It leverages + PowerShell script block logging (EventCode 4104) to identify commands containing + keywords like "firewall," "Inbound," "Allow," and "-LocalPort." This activity is + significant because it may indicate an attacker attempting to establish remote access + by modifying firewall rules. If confirmed malicious, this could allow unauthorized + access to the machine, potentially leading to further exploitation and data exfiltration. data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 ScriptBlockText = "*firewall*" ScriptBlockText = "*Inbound*" - ScriptBlockText = "*Allow*" ScriptBlockText = "*-LocalPort*" | stats count min(_time) as firstTime - max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` +search: '`powershell` EventCode=4104 ScriptBlockText = "*firewall*" ScriptBlockText + = "*Inbound*" ScriptBlockText = "*Allow*" ScriptBlockText = "*-LocalPort*" | stats + count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText + Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `allow_inbound_traffic_in_firewall_rule_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the powershell logs from your endpoints. make sure you enable needed @@ -28,8 +32,7 @@ tags: asset_type: Endpoint confidence: 30 impact: 10 - message: Suspicious firewall modification detected on endpoint $dest$ by - user $user$. + message: Suspicious firewall modification detected on endpoint $dest$ by user $user$. mitre_attack_id: - T1021.001 - T1021 @@ -49,14 +52,15 @@ tags: required_fields: - _time - EventCode - - Message - - ComputerName - - User + - ScriptBlockText + - Computer + - UserID risk_score: 3 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021/allow_inbound_traffic_in_firewall_rule/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021/allow_inbound_traffic_in_firewall_rule/windows-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/allow_network_discovery_in_firewall.yml b/detections/endpoint/allow_network_discovery_in_firewall.yml index 78d5509e0e..07192c9714 100644 --- a/detections/endpoint/allow_network_discovery_in_firewall.yml +++ b/detections/endpoint/allow_network_discovery_in_firewall.yml @@ -1,14 +1,18 @@ name: Allow Network Discovery In Firewall id: ccd6a38c-d40b-11eb-85a5-acde48001122 -version: 2 -date: '2021-06-23' +version: 3 +date: '2024-05-27' author: Teoderick Contreras, Splunk status: production type: TTP -description: This search is to detect a suspicious modification to the firewall to - allow network discovery on a machine. This technique was seen in couple of ransomware - (revil, reddot) to discover other machine connected to the compromised host to encrypt - more files. +description: The following analytic detects a suspicious modification to the firewall + to allow network discovery on a machine. It leverages data from Endpoint Detection + and Response (EDR) agents, focusing on command-line executions involving the 'netsh' + command to enable network discovery. This activity is significant because it is + commonly used by ransomware, such as REvil and RedDot, to discover and compromise + additional machines on the network. If confirmed malicious, this could lead to widespread + file encryption across multiple hosts, significantly amplifying the impact of the + ransomware attack. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -41,7 +45,8 @@ tags: asset_type: Endpoint confidence: 50 impact: 50 - message: Suspicious modification to the firewall to allow network discovery detected on host - $dest$ + message: Suspicious modification to the firewall to allow network discovery detected + on host - $dest$ mitre_attack_id: - T1562.007 - T1562 @@ -72,6 +77,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data2/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data2/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/allow_operation_with_consent_admin.yml b/detections/endpoint/allow_operation_with_consent_admin.yml index 829bf5ed42..1d37f3adf4 100644 --- a/detections/endpoint/allow_operation_with_consent_admin.yml +++ b/detections/endpoint/allow_operation_with_consent_admin.yml @@ -1,23 +1,29 @@ name: Allow Operation with Consent Admin id: 7de17d7a-c9d8-11eb-a812-acde48001122 -version: 4 -date: '2023-03-29' +version: 5 +date: '2024-05-20' author: Steven Dick, Teoderick Contreras, Splunk status: production type: TTP -description: This analytic identifies a potential privilege escalation attempt to - perform malicious task. This registry modification is designed to allow the `Consent - Admin` to perform an operation that requires elevation without consent or credentials. - We also found this in some attacker to gain privilege escalation to the compromise - machine. +description: The following analytic detects a registry modification that allows the + 'Consent Admin' to perform operations requiring elevation without user consent or + credentials. It leverages data from the Endpoint.Registry data model, specifically + monitoring changes to the 'ConsentPromptBehaviorAdmin' value within the Windows + Policies System registry path. This activity is significant as it indicates a potential + privilege escalation attempt, which could allow an attacker to execute high-privilege + tasks without user approval. If confirmed malicious, this could lead to unauthorized + administrative access and control over the compromised machine, posing a severe + security risk. data_source: - Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\Microsoft\\Windows\\CurrentVersion\\Policies\\System*" Registry.registry_value_name = ConsentPromptBehaviorAdmin Registry.registry_value_data = "0x00000000") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest Registry.user - | `drop_dm_object_name(Registry)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `allow_operation_with_consent_admin_filter`' +search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry + WHERE (Registry.registry_path= "*\\Microsoft\\Windows\\CurrentVersion\\Policies\\System*" + Registry.registry_value_name = ConsentPromptBehaviorAdmin Registry.registry_value_data + = "0x00000000") BY _time span=1h Registry.registry_path Registry.registry_key_name + Registry.registry_value_name Registry.registry_value_data Registry.process_guid + Registry.dest Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `allow_operation_with_consent_admin_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical @@ -64,6 +70,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data1/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data1/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/anomalous_usage_of_7zip.yml b/detections/endpoint/anomalous_usage_of_7zip.yml index 77cd112674..73420cfda5 100644 --- a/detections/endpoint/anomalous_usage_of_7zip.yml +++ b/detections/endpoint/anomalous_usage_of_7zip.yml @@ -1,24 +1,24 @@ name: Anomalous usage of 7zip id: 9364ee8e-a39a-11eb-8f1d-acde48001122 -version: 2 -date: '2023-11-07' +version: 3 +date: '2024-05-25' author: Michael Haag, Teoderick Contreras, Splunk status: production type: Anomaly -description: The following detection identifies a 7z.exe spawned from `Rundll32.exe` - or `Dllhost.exe`. It is assumed that the adversary has brought in `7z.exe` and `7z.dll`. - It has been observed where an adversary will rename `7z.exe`. Additional coverage - may be required to identify the behavior of renamed instances of `7z.exe`. During - triage, identify the source of injection into `Rundll32.exe` or `Dllhost.exe`. Capture - any files written to disk and analyze as needed. Review parallel processes for additional - behaviors. Typically, archiving files will result in exfiltration. +description: The following analytic detects the execution of 7z.exe, a 7-Zip utility, + spawned from rundll32.exe or dllhost.exe. This behavior is identified using Endpoint + Detection and Response (EDR) telemetry, focusing on process names and parent processes. + This activity is significant as it may indicate an adversary attempting to use 7-Zip + for data exfiltration, often by renaming the executable to evade detection. If confirmed + malicious, this could lead to unauthorized data archiving and exfiltration, compromising + sensitive information and potentially leading to further system exploitation. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("rundll32.exe", "dllhost.exe") Processes.process_name=*7z* by Processes.dest - Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process - Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `anomalous_usage_of_7zip_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related @@ -87,6 +87,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1560.001/archive_utility/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1560.001/archive_utility/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/any_powershell_downloadfile.yml b/detections/endpoint/any_powershell_downloadfile.yml index 2cc3f4b142..8731471376 100644 --- a/detections/endpoint/any_powershell_downloadfile.yml +++ b/detections/endpoint/any_powershell_downloadfile.yml @@ -1,15 +1,18 @@ name: Any Powershell DownloadFile id: 1a93b7ea-7af7-11eb-adb5-acde48001122 -version: 3 -date: '2023-04-14' +version: 4 +date: '2024-05-25' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies the use of PowerShell downloading a - file using `DownloadFile` method. This particular method is utilized in many different - PowerShell frameworks to download files and output to disk. Identify the source - (IP/domain) and destination file and triage appropriately. If AMSI logging or PowerShell - transaction logs are available, review for further details of the implant. +description: The following analytic detects the use of PowerShell's `DownloadFile` + method to download files. It leverages data from Endpoint Detection and Response + (EDR) agents, focusing on process execution logs. This activity is significant as + it is commonly used in malicious frameworks to download and execute additional payloads. + If confirmed malicious, this could lead to unauthorized code execution, data exfiltration, + or further compromise of the system. Analysts should investigate the source and + destination of the download and review AMSI or PowerShell transaction logs for additional + context. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -94,6 +97,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/any_powershell_downloadstring.yml b/detections/endpoint/any_powershell_downloadstring.yml index 1fbbaa1089..f811a1c48b 100644 --- a/detections/endpoint/any_powershell_downloadstring.yml +++ b/detections/endpoint/any_powershell_downloadstring.yml @@ -1,15 +1,18 @@ name: Any Powershell DownloadString id: 4d015ef2-7adf-11eb-95da-acde48001122 -version: 3 -date: '2023-04-05' +version: 4 +date: '2024-05-10' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies the use of PowerShell downloading a - file using `DownloadString` method. This particular method is utilized in many different - PowerShell frameworks to download files and output to disk. Identify the source - (IP/domain) and destination file and triage appropriately. If AMSI logging or PowerShell - transaction logs are available, review for further details of the implant. +description: The following analytic detects the use of PowerShell's `DownloadString` + method to download files. It leverages data from Endpoint Detection and Response + (EDR) agents, focusing on process execution logs that include command-line details. + This activity is significant because `DownloadString` is commonly used in malicious + PowerShell scripts to fetch and execute remote code. If confirmed malicious, this + behavior could allow an attacker to download and run arbitrary code, potentially + leading to unauthorized access, data exfiltration, or further compromise of the + affected system. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -95,6 +98,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/attacker_tools_on_endpoint.yml b/detections/endpoint/attacker_tools_on_endpoint.yml index bb1e265ef2..d5be08b6a2 100644 --- a/detections/endpoint/attacker_tools_on_endpoint.yml +++ b/detections/endpoint/attacker_tools_on_endpoint.yml @@ -1,12 +1,12 @@ name: Attacker Tools On Endpoint id: a51bfe1a-94f0-48cc-b4e4-16a110145893 -version: 3 -date: '2024-01-01' +version: 4 +date: '2024-05-29' author: Bhavin Patel, Splunk status: production type: TTP description: |- - The following analytic detects the use of tools that are commonly exploited by cybercriminals since these tools are usually associated with malicious activities such as unauthorized access, network scanning, or data exfiltration and pose a significant threat to an organization's security infrastructure. It also provides enhanced visibility into potential security threats and helps to proactively detect and respond to mitigate the risks associated with cybercriminal activities. This detection is made by examining the process activity on the host, specifically focusing on processes that are known to be associated with attacker tool names. This detection is important because it acts as an early warning system for potential security incidents that allows you to respond to security incidents promptly. False positives might occur due to legitimate administrative activities that can resemble malicious actions. You must develop a comprehensive understanding of typical endpoint activities and behaviors within the organization to accurately interpret and respond to the alerts generated by this analytic. This ensures a proper balance between precision and minimizing false positives. + The following analytic detects the execution of tools commonly exploited by cybercriminals, such as those used for unauthorized access, network scanning, or data exfiltration. It leverages process activity data from Endpoint Detection and Response (EDR) agents, focusing on known attacker tool names. This activity is significant because it serves as an early warning system for potential security incidents, enabling prompt response. If confirmed malicious, this activity could lead to unauthorized access, data theft, or further network compromise, posing a severe threat to the organization's security infrastructure. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -72,6 +72,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1595/attacker_scan_tools/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1595/attacker_scan_tools/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/attempt_to_add_certificate_to_untrusted_store.yml b/detections/endpoint/attempt_to_add_certificate_to_untrusted_store.yml index d8d60065bf..be0059ec9e 100644 --- a/detections/endpoint/attempt_to_add_certificate_to_untrusted_store.yml +++ b/detections/endpoint/attempt_to_add_certificate_to_untrusted_store.yml @@ -1,12 +1,12 @@ name: Attempt To Add Certificate To Untrusted Store id: 6bc5243e-ef36-45dc-9b12-f4a6be131159 -version: 7 -date: '2021-09-16' +version: 8 +date: '2024-05-12' author: Patrick Bareiss, Rico Valdez, Splunk status: production type: TTP description: |- - The following analytic detects whether a process is attempting to add a certificate to the untrusted certificate store, which might result in security tools being disabled. The detection is made by focusing on process activities and command-line arguments that are related to the 'certutil -addstore' command. This detection is important because it helps to identify attackers who might add a certificate to the untrusted certificate store to disable security tools and gain unauthorized access to a system. False positives might occur since legitimate reasons might exist for a process to add a certificate to the untrusted certificate store, such as system administration tasks. Next steps include conducting an extensive triage and investigation prior to taking any action. Additionally, you must understand the importance of trust and its subversion in system security. + The following analytic detects attempts to add a certificate to the untrusted certificate store using the 'certutil -addstore' command. It leverages process activity and command-line arguments from Endpoint Detection and Response (EDR) logs mapped to the Splunk `Processes` data model. This activity is significant as it may indicate an attacker trying to disable security tools to gain unauthorized access. If confirmed malicious, this could lead to the compromise of system security, allowing attackers to bypass defenses and potentially escalate privileges or persist in the environment. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime values(Processes.process) @@ -76,6 +76,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.004/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.004/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/attempt_to_stop_security_service.yml b/detections/endpoint/attempt_to_stop_security_service.yml index 32d26e832b..d1b6bad955 100644 --- a/detections/endpoint/attempt_to_stop_security_service.yml +++ b/detections/endpoint/attempt_to_stop_security_service.yml @@ -1,12 +1,12 @@ name: Attempt To Stop Security Service id: c8e349c6-b97c-486e-8949-bd7bcd1f3910 -version: 4 -date: '2023-06-13' +version: 5 +date: '2024-05-21' author: Rico Valdez, Splunk status: production type: TTP description: |- - The following analytic detects attempts to stop security-related services on the endpoint and helps to mitigate potential threats earlier, thereby minimizing the impact on the organization's security. The detection is made by using a Splunk query that searches for processes that involve the "sc.exe" command and include the phrase "stop" in their command. The query collects information such as the process name, process ID, parent process, user, destination, and timestamps. The detection is important because attempts to stop security-related services can indicate malicious activity or an attacker's attempt to disable security measures. This can impact the organization's security posture and can lead to the compromise of the endpoint and potentially the entire network. Disabling security services can allow attackers to gain unauthorized access, exfiltrate sensitive data, or launch further attacks, such as malware installation or privilege escalation. False positives might occur since there might be legitimate reasons for stopping these services in certain situations. Therefore, you must exercise caution and consider the context of the activity before taking any action. Next steps include reviewing the identified process and its associated details. You must also investigate any on-disk artifacts related to the process and review concurrent processes to determine the source of the attack. + The following analytic detects attempts to stop security-related services on an endpoint, which may indicate malicious activity. It leverages data from Endpoint Detection and Response (EDR) agents, specifically searching for processes involving the "sc.exe" command with the "stop" parameter. This activity is significant because disabling security services can undermine the organization's security posture, potentially leading to unauthorized access, data exfiltration, or further attacks like malware installation or privilege escalation. If confirmed malicious, this behavior could compromise the endpoint and the entire network, necessitating immediate investigation and response. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` values(Processes.process) as process @@ -86,6 +86,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_defend_service_stop/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_defend_service_stop/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/auto_admin_logon_registry_entry.yml b/detections/endpoint/auto_admin_logon_registry_entry.yml index a43f996819..c11c8a7094 100644 --- a/detections/endpoint/auto_admin_logon_registry_entry.yml +++ b/detections/endpoint/auto_admin_logon_registry_entry.yml @@ -1,24 +1,28 @@ name: Auto Admin Logon Registry Entry id: 1379d2b8-0f18-11ec-8ca3-acde48001122 -version: 4 -date: '2023-04-11' +version: 5 +date: '2024-05-10' author: Steven Dick, Teoderick Contreras, Splunk status: production type: TTP -description: this search is to detect a suspicious registry modification to implement - auto admin logon to a host. This technique was seen in BlackMatter ransomware to - automatically logon to the compromise host after triggering a safemode boot to - continue encrypting the whole network. This behavior is not a common practice and - really a suspicious TTP or alert need to be consider if found within then network - premise. +description: The following analytic detects a suspicious registry modification that + enables auto admin logon on a host. It leverages data from the Endpoint.Registry + data model, specifically looking for changes to the "AutoAdminLogon" value within + the "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" registry path. This + activity is significant because it was observed in BlackMatter ransomware attacks + to maintain access after a safe mode reboot, facilitating further encryption. If + confirmed malicious, this could allow attackers to automatically log in and continue + their operations, potentially leading to widespread network encryption and data + loss. data_source: - Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*" AND Registry.registry_value_name=AutoAdminLogon AND Registry.registry_value_data=1) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest - | `drop_dm_object_name(Registry)` - | where isnotnull(registry_value_data) - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry + WHERE (Registry.registry_path= "*SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*" + AND Registry.registry_value_name=AutoAdminLogon AND Registry.registry_value_data=1) + BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name + Registry.registry_value_data Registry.process_guid Registry.dest | `drop_dm_object_name(Registry)` + | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `auto_admin_logon_registry_entry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your @@ -61,6 +65,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.002/autoadminlogon/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.002/autoadminlogon/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/bcdedit_command_back_to_normal_mode_boot.yml b/detections/endpoint/bcdedit_command_back_to_normal_mode_boot.yml index afe16d9a0b..e6e58b0986 100644 --- a/detections/endpoint/bcdedit_command_back_to_normal_mode_boot.yml +++ b/detections/endpoint/bcdedit_command_back_to_normal_mode_boot.yml @@ -1,16 +1,18 @@ name: Bcdedit Command Back To Normal Mode Boot id: dc7a8004-0f18-11ec-8c54-acde48001122 -version: 1 -date: '2021-09-06' +version: 2 +date: '2024-05-22' author: Teoderick Contreras, Splunk status: production type: TTP -description: This search is to detect a suspicious bcdedit commandline to configure - the host from safe mode back to normal boot configuration. This technique was seen - in blackMatter ransomware where it force the compromised host to boot in safe mode - to continue its encryption and bring back to normal boot using bcdedit deletevalue - command. This TTP can be a good alert for host that booted from safe mode forcefully - since it need to modify the boot configuration to bring it back to normal. +description: The following analytic detects the execution of a suspicious `bcdedit` + command that reconfigures a host from safe mode back to normal boot. This detection + leverages Endpoint Detection and Response (EDR) data, focusing on command-line executions + involving `bcdedit.exe` with specific parameters. This activity is significant as + it may indicate the presence of ransomware, such as BlackMatter, which manipulates + boot configurations to facilitate encryption processes. If confirmed malicious, + this behavior could allow attackers to maintain control over the boot process, potentially + leading to further system compromise and data encryption. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -67,6 +69,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.002/autoadminlogon/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.002/autoadminlogon/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/bits_job_persistence.yml b/detections/endpoint/bits_job_persistence.yml index 6be342dcce..e67abbaf5b 100644 --- a/detections/endpoint/bits_job_persistence.yml +++ b/detections/endpoint/bits_job_persistence.yml @@ -1,17 +1,18 @@ name: BITS Job Persistence id: e97a5ffe-90bf-11eb-928a-acde48001122 -version: 2 -date: '2021-09-16' +version: 3 +date: '2024-05-21' author: Michael Haag, Splunk status: production type: TTP -description: The following query identifies Microsoft Background Intelligent Transfer - Service utility `bitsadmin.exe` scheduling a BITS job to persist on an endpoint. - The query identifies the parameters used to create, resume or add a file to a BITS - job. Typically seen combined in a oneliner or ran in sequence. If identified, review - the BITS job created and capture any files written to disk. It is possible for BITS - to be used to upload files and this may require further network data analysis to - identify. You can use `bitsadmin /list /verbose` to list out the jobs during investigation. +description: The following analytic detects the use of `bitsadmin.exe` to schedule + a BITS job for persistence on an endpoint. It leverages data from Endpoint Detection + and Response (EDR) agents, focusing on specific command-line parameters such as + `create`, `addfile`, and `resume`. This activity is significant because BITS jobs + can be used by attackers to maintain persistence, download malicious payloads, or + exfiltrate data. If confirmed malicious, this could allow an attacker to persist + in the environment, execute arbitrary code, or transfer sensitive information, necessitating + further investigation and potential remediation. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -88,11 +89,13 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/crowdstrike_falcon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/crowdstrike_falcon.log source: crowdstrike sourcetype: crowdstrike:events:sensor diff --git a/detections/endpoint/bitsadmin_download_file.yml b/detections/endpoint/bitsadmin_download_file.yml index 7339e7429a..384bdf2eb3 100644 --- a/detections/endpoint/bitsadmin_download_file.yml +++ b/detections/endpoint/bitsadmin_download_file.yml @@ -1,22 +1,19 @@ name: BITSAdmin Download File id: 80630ff4-8e4c-11eb-aab5-acde48001122 -version: 3 -date: '2022-11-29' +version: 4 +date: '2024-05-20' author: Michael Haag, Sittikorn S status: production type: TTP -description: The following query identifies Microsoft Background Intelligent Transfer - Service utility `bitsadmin.exe` using the `transfer` parameter to download a remote - object. In addition, look for `download` or `upload` on the command-line, the switches - are not required to perform a transfer. Capture any files downloaded. Review the - reputation of the IP or domain used. Typically once executed, a follow on command - will be used to execute the dropped file. Note that the network connection or file - modification events related will not spawn or create from `bitsadmin.exe`, but the - artifacts will appear in a parallel process of `svchost.exe` with a command-line - similar to `svchost.exe -k netsvcs -s BITS`. It's important to review all parallel - and child processes to capture any behaviors and artifacts. In some suspicious and - malicious instances, BITS jobs will be created. You can use `bitsadmin /list /verbose` - to list out the jobs during investigation. +description: The following analytic detects the use of `bitsadmin.exe` with the `transfer` + parameter to download a remote object. It leverages data from Endpoint Detection + and Response (EDR) agents, focusing on process and command-line telemetry. This + activity is significant because `bitsadmin.exe` can be exploited to download and + execute malicious files without immediate detection. If confirmed malicious, an + attacker could use this technique to download and execute payloads, potentially + leading to code execution, privilege escalation, or persistent access within the + environment. Review parallel and child processes, especially `svchost.exe`, for + associated artifacts. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -95,11 +92,13 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/crowdstrike_falcon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/crowdstrike_falcon.log source: crowdstrike sourcetype: crowdstrike:events:sensor diff --git a/detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml b/detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml index 22d80c1593..f7617cb6e4 100644 --- a/detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml +++ b/detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml @@ -1,17 +1,18 @@ name: CertUtil Download With URLCache and Split Arguments id: 415b4306-8bfb-11eb-85c4-acde48001122 -version: 3 -date: '2022-02-03' +version: 4 +date: '2024-05-11' author: Michael Haag, Splunk status: production type: TTP -description: Certutil.exe may download a file from a remote destination using `-urlcache`. - This behavior does require a URL to be passed on the command-line. In addition, - `-f` (force) and `-split` (Split embedded ASN.1 elements, and save to files) will - be used. It is not entirely common for `certutil.exe` to contact public IP space. - However, it is uncommon for `certutil.exe` to write files to world writeable paths. - During triage, capture any files on disk and review. Review the reputation of the - remote IP or domain in question. +description: The following analytic detects the use of certutil.exe to download files + using the `-urlcache` and `-split` arguments. It leverages Endpoint Detection and + Response (EDR) data, focusing on command-line executions that include these specific + arguments. This activity is significant because certutil.exe is typically used for + certificate services, and its use to download files from remote locations is uncommon + and potentially malicious. If confirmed, this behavior could indicate an attempt + to download and execute malicious payloads, leading to potential system compromise + and unauthorized data access. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -91,6 +92,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/certutil_download_with_verifyctl_and_split_arguments.yml b/detections/endpoint/certutil_download_with_verifyctl_and_split_arguments.yml index 7724b2f5fa..ab76a73504 100644 --- a/detections/endpoint/certutil_download_with_verifyctl_and_split_arguments.yml +++ b/detections/endpoint/certutil_download_with_verifyctl_and_split_arguments.yml @@ -1,17 +1,18 @@ name: CertUtil Download With VerifyCtl and Split Arguments id: 801ad9e4-8bfb-11eb-8b31-acde48001122 -version: 3 -date: '2022-02-03' +version: 4 +date: '2024-05-17' author: Michael Haag, Splunk status: production type: TTP -description: 'Certutil.exe may download a file from a remote destination using `-VerifyCtl`. - This behavior does require a URL to be passed on the command-line. In addition, - `-f` (force) and `-split` (Split embedded ASN.1 elements, and save to files) will - be used. It is not entirely common for `certutil.exe` to contact public IP space. - \ During triage, capture any files on disk and review. Review the reputation of - the remote IP or domain in question. Using `-VerifyCtl`, the file will either be - written to the current working directory or `%APPDATA%\..\LocalLow\Microsoft\CryptnetUrlCache\Content\`. ' +description: 'The following analytic detects the use of `certutil.exe` to download + files using the `-VerifyCtl` and `-split` arguments. This behavior is identified + by monitoring command-line executions for these specific arguments via Endpoint + Detection and Response (EDR) telemetry. This activity is significant because `certutil.exe` + is a legitimate tool often abused by attackers to download and execute malicious + payloads. If confirmed malicious, this could allow an attacker to download and execute + arbitrary files, potentially leading to code execution, data exfiltration, or further + compromise of the system.' data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -88,6 +89,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/certutil_with_decode_argument.yml b/detections/endpoint/certutil_with_decode_argument.yml index e5f322bd05..cdd65c8aa1 100644 --- a/detections/endpoint/certutil_with_decode_argument.yml +++ b/detections/endpoint/certutil_with_decode_argument.yml @@ -1,18 +1,18 @@ name: CertUtil With Decode Argument id: bfe94226-8c10-11eb-a4b3-acde48001122 -version: 2 -date: '2021-03-23' +version: 3 +date: '2024-05-27' author: Michael Haag, Splunk status: production type: TTP -description: CertUtil.exe may be used to `encode` and `decode` a file, including PE - and script code. Encoding will convert a file to base64 with `-----BEGIN CERTIFICATE-----` - and `-----END CERTIFICATE-----` tags. Malicious usage will include decoding a encoded - file that was downloaded. Once decoded, it will be loaded by a parallel process. - Note that there are two additional command switches that may be used - `encodehex` - and `decodehex`. Similarly, the file will be encoded in HEX and later decoded for - further execution. During triage, identify the source of the file being decoded. - Review its contents or execution behavior for further analysis. +description: The following analytic detects the use of CertUtil.exe with the 'decode' + argument, which may indicate an attempt to decode a previously encoded file, potentially + containing malicious payloads. This detection leverages data from Endpoint Detection + and Response (EDR) agents, focusing on command-line executions involving CertUtil.exe. + This activity is significant because attackers often use CertUtil to decode malicious + files downloaded from the internet, which are then executed to compromise the system. + If confirmed malicious, this activity could lead to unauthorized code execution, + further system compromise, and potential data exfiltration. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -94,6 +94,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1140/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1140/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/change_default_file_association.yml b/detections/endpoint/change_default_file_association.yml index 4fb4d4936d..4c9eae831c 100644 --- a/detections/endpoint/change_default_file_association.yml +++ b/detections/endpoint/change_default_file_association.yml @@ -1,15 +1,18 @@ name: Change Default File Association id: 462d17d8-1f71-11ec-ad07-acde48001122 -version: 1 -date: '2023-04-14' +version: 2 +date: '2024-05-17' author: Teoderick Contreras, Splunk status: production type: TTP -description: This analytic is developed to detect suspicious registry modification - to change the default file association of windows to malicious payload. This technique - was seen in some APT where it modify the default process to run file association, - like .txt to notepad.exe. Instead notepad.exe it will point to a Script or other - payload that will load malicious commands to the compromised host. +description: The following analytic detects suspicious registry modifications that + change the default file association to execute a malicious payload. It leverages + data from the Endpoint data model, specifically monitoring registry paths under + "*\\shell\\open\\command\\*" and "*HKCR\\*". This activity is significant because + altering default file associations can allow attackers to execute arbitrary scripts + or payloads when a user opens a file, leading to potential code execution. If confirmed + malicious, this technique can enable attackers to persist on the compromised host + and execute further malicious commands, posing a severe threat to the environment. data_source: - Sysmon EventID 12 - Sysmon EventID 13 @@ -68,6 +71,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.001/txtfile_reg/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.001/txtfile_reg/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/change_to_safe_mode_with_network_config.yml b/detections/endpoint/change_to_safe_mode_with_network_config.yml index be3fe80b75..cd7079ba17 100644 --- a/detections/endpoint/change_to_safe_mode_with_network_config.yml +++ b/detections/endpoint/change_to_safe_mode_with_network_config.yml @@ -1,16 +1,18 @@ name: Change To Safe Mode With Network Config id: 81f1dce0-0f18-11ec-a5d7-acde48001122 -version: 1 -date: '2021-09-06' +version: 2 +date: '2024-05-26' author: Teoderick Contreras, Splunk status: production type: TTP -description: This search is to detect a suspicious bcdedit commandline to configure - the host to boot in safe mode with network config. This technique was seen in blackMatter - ransomware where it force the compromised host to boot in safe mode to continue - its encryption and bring back to normal boot using bcdedit deletevalue command. - This TTP can be a good alert for host that booted from safe mode forcefully since - it need to modify the boot configuration to bring it back to normal. +description: The following analytic detects the execution of a suspicious `bcdedit` + command that configures a host to boot in safe mode with network support. It leverages + data from Endpoint Detection and Response (EDR) agents, focusing on command-line + executions involving `bcdedit.exe` with specific parameters. This activity is significant + because it is a known technique used by BlackMatter ransomware to force a compromised + host into safe mode for continued encryption. If confirmed malicious, this could + allow attackers to bypass certain security controls, persist in the environment, + and continue their malicious activities. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -66,6 +68,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.002/autoadminlogon/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.002/autoadminlogon/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/chcp_command_execution.yml b/detections/endpoint/chcp_command_execution.yml index 72a67b43f8..f4b3a5c1e9 100644 --- a/detections/endpoint/chcp_command_execution.yml +++ b/detections/endpoint/chcp_command_execution.yml @@ -1,13 +1,18 @@ name: CHCP Command Execution id: 21d236ec-eec1-11eb-b23e-acde48001122 -version: 1 -date: '2021-07-27' +version: 2 +date: '2024-05-09' author: Teoderick Contreras, Splunk status: production type: TTP -description: This search is to detect execution of chcp.exe application. this utility - is used to change the active code page of the console. This technique was seen in - icedid malware to know the locale region/language/country of the compromise host. +description: The following analytic detects the execution of the chcp.exe application, + which is used to change the active code page of the console. This detection leverages + data from Endpoint Detection and Response (EDR) agents, focusing on process creation + events where chcp.exe is executed by cmd.exe with specific command-line arguments. + This activity is significant because it can indicate the presence of malware, such + as IcedID, which uses this technique to determine the locale region, language, or + country of the compromised host. If confirmed malicious, this could lead to further + system compromise and data exfiltration. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -71,6 +76,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/simulated_icedid/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/simulated_icedid/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/check_elevated_cmd_using_whoami.yml b/detections/endpoint/check_elevated_cmd_using_whoami.yml index 6705e955ac..e2cfedcecb 100644 --- a/detections/endpoint/check_elevated_cmd_using_whoami.yml +++ b/detections/endpoint/check_elevated_cmd_using_whoami.yml @@ -1,17 +1,17 @@ name: Check Elevated CMD using whoami id: a9079b18-1633-11ec-859c-acde48001122 -version: 1 -date: '2021-09-15' +version: 2 +date: '2024-05-11' author: Teoderick Contreras, Splunk status: production type: TTP -description: This search is to detect a suspicious whoami execution to check if the - cmd or shell instance process is with elevated privileges. This technique was seen - in FIN7 js implant where it execute this as part of its data collection to the infected - machine to check if the running shell cmd process is elevated or not. This TTP is - really a good alert for known attacker that recon on the targetted host. This command - is not so commonly executed by a normal user or even an admin to check if a process - is elevated. +description: The following analytic identifies the execution of the 'whoami' command + with specific parameters to check for elevated privileges. It leverages data from + Endpoint Detection and Response (EDR) agents, focusing on process and command-line + telemetry. This activity is significant because it is commonly used by attackers, + such as FIN7, to perform reconnaissance on a compromised host. If confirmed malicious, + this behavior could indicate an attacker is assessing their privilege level, potentially + leading to further privilege escalation or persistence within the environment. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -67,6 +67,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/fin7_js_2/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/fin7_js_2/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/child_processes_of_spoolsv_exe.yml b/detections/endpoint/child_processes_of_spoolsv_exe.yml index 43b94e57a4..2403887364 100644 --- a/detections/endpoint/child_processes_of_spoolsv_exe.yml +++ b/detections/endpoint/child_processes_of_spoolsv_exe.yml @@ -20,7 +20,7 @@ search: '| tstats `security_content_summariesonly` count values(Processes.proces as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=spoolsv.exe AND Processes.process_name!=regsvr32.exe by Processes.dest Processes.parent_process Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `child_processes_of_spoolsv_exe_filter` ' + | `security_content_ctime(lastTime)` | `child_processes_of_spoolsv_exe_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, diff --git a/detections/endpoint/clop_common_exec_parameter.yml b/detections/endpoint/clop_common_exec_parameter.yml index 92c20d7d5d..197e374c96 100644 --- a/detections/endpoint/clop_common_exec_parameter.yml +++ b/detections/endpoint/clop_common_exec_parameter.yml @@ -1,17 +1,18 @@ name: Clop Common Exec Parameter id: 5a8a2a72-8322-11eb-9ee9-acde48001122 -version: 2 -date: '2023-03-17' +version: 3 +date: '2024-05-31' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytics are designed to identifies some CLOP ransomware - variant that using arguments to execute its main code or feature of its code. In - this variant if the parameter is "runrun", CLOP ransomware will try to encrypt files - in network shares and if it is "temp.dat", it will try to read from some stream - pipe or file start encrypting files within the infected local machines. This technique - can be also identified as an anti-sandbox technique to make its code non-responsive - since it is waiting for some parameter to execute properly. +description: The following analytic identifies the execution of CLOP ransomware variants + using specific arguments ("runrun" or "temp.dat") to trigger their malicious activities. + This detection leverages data from Endpoint Detection and Response (EDR) agents, + focusing on process names and command-line arguments. Monitoring this activity is + crucial as it indicates potential ransomware behavior, which can lead to file encryption + on network shares or local machines. If confirmed malicious, this activity could + result in significant data loss and operational disruption due to encrypted files, + highlighting the need for immediate investigation and response. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -83,6 +84,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_b/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_b/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/clop_ransomware_known_service_name.yml b/detections/endpoint/clop_ransomware_known_service_name.yml index 60704940be..29ccc9225f 100644 --- a/detections/endpoint/clop_ransomware_known_service_name.yml +++ b/detections/endpoint/clop_ransomware_known_service_name.yml @@ -1,20 +1,24 @@ name: Clop Ransomware Known Service Name id: 07e08a12-870c-11eb-b5f9-acde48001122 -version: 2 -date: '2024-04-26' +version: 3 +date: '2024-05-21' author: Teoderick Contreras status: production type: TTP -description: This detection is to identify the common service name created by the - CLOP ransomware as part of its persistence and high privilege code execution in - the infected machine. Ussually CLOP ransomware use StartServiceCtrlDispatcherW API - in creating this service entry. +description: The following analytic identifies the creation of a service with a known + name used by CLOP ransomware for persistence and high-privilege code execution. + It detects this activity by monitoring Windows Event Logs (EventCode 7045) for specific + service names ("SecurityCenterIBM", "WinCheckDRVs"). This activity is significant + because the creation of such services is a common tactic used by ransomware to maintain + control over infected systems. If confirmed malicious, this could allow attackers + to execute code with elevated privileges, maintain persistence, and potentially + disrupt or encrypt critical data. data_source: - Windows Event Log System 7045 search: '`wineventlog_system` EventCode=7045 ServiceName IN ("SecurityCenterIBM", - "WinCheckDRVs") | stats count min(_time) as firstTime max(_time) as lastTime by Computer - EventCode ServiceName StartType ServiceType | rename Computer as dest | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `clop_ransomware_known_service_name_filter`' + "WinCheckDRVs") | stats count min(_time) as firstTime max(_time) as lastTime by + Computer EventCode ServiceName StartType ServiceType | rename Computer as dest | + `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `clop_ransomware_known_service_name_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints. @@ -53,6 +57,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_a/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_a/windows-xml.log source: XmlWinEventLog:System sourcetype: XmlWinEventLog diff --git a/detections/endpoint/cmd_carry_out_string_command_parameter.yml b/detections/endpoint/cmd_carry_out_string_command_parameter.yml index 981ba75530..f0a0066b9c 100644 --- a/detections/endpoint/cmd_carry_out_string_command_parameter.yml +++ b/detections/endpoint/cmd_carry_out_string_command_parameter.yml @@ -1,16 +1,17 @@ name: CMD Carry Out String Command Parameter id: 54a6ed00-3256-11ec-b031-acde48001122 -version: 4 -date: '2023-12-27' +version: 5 +date: '2024-05-20' author: Teoderick Contreras, Bhavin Patel, Splunk status: production type: Hunting -description: The following analytic identifies command-line arguments where `cmd.exe - /c` is used to execute a program. `cmd /c` is used to run commands in MS-DOS and - terminate after command or process completion. This technique is commonly seen in - adversaries and malware to execute batch command using different shell like PowerShell - or different process other than `cmd.exe`. This is a good hunting query for suspicious - command-line made by a script or relative process execute it. +description: The following analytic detects the use of `cmd.exe /c` to execute commands, + a technique often employed by adversaries and malware to run batch commands or invoke + other shells like PowerShell. This detection leverages data from Endpoint Detection + and Response (EDR) agents, focusing on command-line executions and process metadata. + Monitoring this activity is crucial as it can indicate script-based attacks or unauthorized + command execution. If confirmed malicious, this behavior could lead to unauthorized + code execution, privilege escalation, or persistence within the environment. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) @@ -95,6 +96,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/cmd_carry_str_param/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/cmd_carry_str_param/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/cmd_echo_pipe___escalation.yml b/detections/endpoint/cmd_echo_pipe___escalation.yml index 81a0bd910f..7a570dfb50 100644 --- a/detections/endpoint/cmd_echo_pipe___escalation.yml +++ b/detections/endpoint/cmd_echo_pipe___escalation.yml @@ -1,14 +1,18 @@ name: CMD Echo Pipe - Escalation id: eb277ba0-b96b-11eb-b00e-acde48001122 -version: 2 -date: '2023-07-10' +version: 3 +date: '2024-05-19' author: Michael Haag, Splunk status: production type: TTP -description: This analytic identifies a common behavior by Cobalt Strike and other - frameworks where the adversary will escalate privileges, either via `jump` (Cobalt - Strike PTH) or `getsystem`, using named-pipe impersonation. A suspicious event will - look like `cmd.exe /c echo 4sgryt3436 > \\.\Pipe\5erg53`. +description: The following analytic identifies the use of named-pipe impersonation + for privilege escalation, commonly associated with Cobalt Strike and similar frameworks. + It detects command-line executions where `cmd.exe` uses `echo` to write to a named + pipe, such as `cmd.exe /c echo 4sgryt3436 > \\.\Pipe\5erg53`. This detection leverages + data from Endpoint Detection and Response (EDR) agents, focusing on process and + command-line telemetry. This activity is significant as it indicates potential privilege + escalation attempts. If confirmed malicious, attackers could gain elevated privileges, + enabling further compromise and persistence within the environment. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -86,6 +90,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/cmdline_tool_not_executed_in_cmd_shell.yml b/detections/endpoint/cmdline_tool_not_executed_in_cmd_shell.yml index f52a79653e..de29f57aea 100644 --- a/detections/endpoint/cmdline_tool_not_executed_in_cmd_shell.yml +++ b/detections/endpoint/cmdline_tool_not_executed_in_cmd_shell.yml @@ -1,18 +1,18 @@ name: Cmdline Tool Not Executed In CMD Shell id: 6c3f7dd8-153c-11ec-ac2d-acde48001122 -version: 2 -date: '2023-12-27' +version: 3 +date: '2024-05-16' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic identifies a non-standard parent process (not - matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. - This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also - typically seen when an adversary is injected into another process performing different - discovery techniques. This event stands out as a TTP since these tools are commonly - executed with a shell application or Explorer parent, and not by another application. - This TTP is a good indicator for an adversary gathering host information, but one - possible false positive might be an automated tool used by a system administator. +description: The following analytic identifies instances where `ipconfig.exe`, `systeminfo.exe`, + or similar tools are executed by a non-standard parent process, excluding CMD, PowerShell, + or Explorer. This detection leverages Endpoint Detection and Response (EDR) telemetry + to monitor process creation events. Such behavior is significant as it may indicate + adversaries using injected processes to perform system discovery, a tactic observed + in FIN7's JSSLoader. If confirmed malicious, this activity could allow attackers + to gather critical host information, aiding in further exploitation or lateral movement + within the network. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -99,6 +99,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/jssloader/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/jssloader/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/cobalt_strike_named_pipes.yml b/detections/endpoint/cobalt_strike_named_pipes.yml index 58eb2b927c..7c5eab3db4 100644 --- a/detections/endpoint/cobalt_strike_named_pipes.yml +++ b/detections/endpoint/cobalt_strike_named_pipes.yml @@ -1,30 +1,26 @@ name: Cobalt Strike Named Pipes id: 5876d429-0240-4709-8b93-ea8330b411b5 -version: 2 -date: '2023-07-10' +version: 3 +date: '2024-05-16' author: Michael Haag, Splunk status: production type: TTP -description: 'The following analytic identifies the use of default or publicly known - named pipes used with Cobalt Strike. A named pipe is a named, one-way or duplex - pipe for communication between the pipe server and one or more pipe clients. Cobalt - Strike uses named pipes in many ways and has default values used with the Artifact - Kit and Malleable C2 Profiles. The following query assists with identifying these - default named pipes. Each EDR product presents named pipes a little different. Consider - taking the values and generating a query based on the product of choice. - - Upon triage, review the process performing the named pipe. If it is explorer.exe, - It is possible it was injected into by another process. Review recent parallel processes - to identify suspicious patterns or behaviors. A parallel process may have a network - connection, review and follow the connection back to identify any file modifications.' +description: 'The following analytic detects the use of default or publicly known + named pipes associated with Cobalt Strike. It leverages Sysmon EventID 17 and 18 + to identify specific named pipes commonly used by Cobalt Strike''s Artifact Kit + and Malleable C2 Profiles. This activity is significant because Cobalt Strike is + a popular tool for adversaries to conduct post-exploitation tasks, and identifying + its named pipes can reveal potential malicious activity. If confirmed malicious, + this could indicate an active Cobalt Strike beacon, leading to unauthorized access, + data exfiltration, or further lateral movement within the network.' data_source: - Sysmon EventID 17 - Sysmon EventID 18 search: '`sysmon` EventID=17 OR EventID=18 PipeName IN (\\msagent_*, \\DserNamePipe*, \\srvsvc_*, \\postex_*, \\status_*, \\MSSE-*, \\spoolss_*, \\win_svc*, \\ntsvcs*, \\winsock*, \\UIA_PIPE*) | stats count min(_time) as firstTime max(_time) as lastTime - by dest, process_name, process_id process_path, PipeName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `cobalt_strike_named_pipes_filter`' + by dest, process_name, process_id process_path, PipeName | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `cobalt_strike_named_pipes_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the @@ -50,7 +46,8 @@ tags: asset_type: Endpoint confidence: 90 impact: 80 - message: An instance of $process_name$ was identified on endpoint $dest$ accessing known suspicious named pipes related to Cobalt Strike. + message: An instance of $process_name$ was identified on endpoint $dest$ accessing + known suspicious named pipes related to Cobalt Strike. mitre_attack_id: - T1055 observable: @@ -79,6 +76,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/common_ransomware_extensions.yml b/detections/endpoint/common_ransomware_extensions.yml index 05110c7e55..0aded4d1e3 100644 --- a/detections/endpoint/common_ransomware_extensions.yml +++ b/detections/endpoint/common_ransomware_extensions.yml @@ -1,11 +1,18 @@ name: Common Ransomware Extensions id: a9e5c5db-db11-43ca-86a8-c852d1b2c0ec -version: 5 -date: '2022-11-10' +version: 6 +date: '2024-05-26' author: David Dorsey, Michael Haag, Splunk, Steven Dick status: production type: Hunting -description: "The following analytic detects Searches for file modifications that commonly occur with Ransomware to detect modifications to files with extensions that are commonly used by Ransomware. The detection is made by searches for changes in the datamodel=Endpoint.Filesystem, specifically modifications to file extensions that match those commonly used by Ransomware. The detection is important because it suggests that an attacker is attempting to encrypt or otherwise modify files in the environment using malware, potentially leading to data loss that can cause significant damage to an organization's data and systems. False positives might occur so the SOC must investigate the affected system to determine the source of the modification and take appropriate action to contain and remediate the attack." +description: "The following analytic detects modifications to files with extensions + commonly associated with ransomware. It leverages the Endpoint.Filesystem data model + to identify changes in file extensions that match known ransomware patterns. This + activity is significant because it suggests an attacker is attempting to encrypt + or alter files, potentially leading to severe data loss and operational disruption. + If confirmed malicious, this activity could result in the encryption of critical + data, rendering it inaccessible and causing significant damage to the organization's + data integrity and availability." data_source: - Sysmon EventID 11 search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) @@ -68,6 +75,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/ransomware_notes/ransom-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/ransomware_notes/ransom-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/connectwise_screenconnect_path_traversal.yml b/detections/endpoint/connectwise_screenconnect_path_traversal.yml index 1f9d78eba4..e8c22ba833 100644 --- a/detections/endpoint/connectwise_screenconnect_path_traversal.yml +++ b/detections/endpoint/connectwise_screenconnect_path_traversal.yml @@ -1,20 +1,36 @@ name: ConnectWise ScreenConnect Path Traversal id: 56a3ac65-e747-41f7-b014-dff7423c1dda -version: 1 -date: '2024-02-21' +version: 2 +date: '2024-05-13' author: Michael Haag, Splunk data_source: - Sysmon EventID 11 type: TTP status: production -description: This analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1708 vulnerability, which allows an attacker to perform path traversal attacks by manipulating the file_path and file_name parameters in the URL. The vulnerability, identified as critical with a CVSS score of 9.8, enables unauthorized users to access sensitive files and directories on the host system, potentially leading to the exfiltration of sensitive data or the execution of arbitrary code. The search query provided looks for file system events that could indicate exploitation attempts. This detection is crucial for identifying and responding to active exploitation of this vulnerability in environments running affected versions of ScreenConnect (23.9.7 and prior). It is recommended to update to version 23.9.8 or above immediately to remediate the issue, as detailed in the ConnectWise security advisory and further analyzed by Huntress researchers. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*\\ScreenConnect\\App_Extensions\\*") Filesystem.file_name IN ("*.aspx","*.ashx") by Filesystem.file_create_time Filesystem.process_id Filesystem.process_guid Filesystem.file_name Filesystem.file_path Filesystem.dest - | `drop_dm_object_name(Filesystem)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +description: The following analytic detects attempts to exploit the ConnectWise ScreenConnect + CVE-2024-1708 vulnerability, which allows path traversal attacks by manipulating + file_path and file_name parameters in the URL. It leverages the Endpoint datamodel + Filesystem node to identify suspicious file system events, specifically targeting + paths and filenames associated with ScreenConnect. This activity is significant + as it can lead to unauthorized access to sensitive files and directories, potentially + resulting in data exfiltration or arbitrary code execution. If confirmed malicious, + attackers could gain unauthorized access and control over the host system, posing + a severe security risk. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*\\ScreenConnect\\App_Extensions\\*") + Filesystem.file_name IN ("*.aspx","*.ashx") by Filesystem.file_create_time Filesystem.process_id + Filesystem.process_guid Filesystem.file_name Filesystem.file_path Filesystem.dest + | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `connectwise_screenconnect_path_traversal_filter`' -how_to_implement: This analytic utilizes the Endpoint datamodel Filesystem node to identify path traversal attempts against ScreenConnect. Note that using SACL auditing or other file system monitoring tools may also be used to detect path traversal attempts. Typically the data for this analytic will come from EDR or other properly CIM mapped data sources. -known_false_positives: False positives are not expected, as the detection is based on the presence of file system events that indicate path traversal attempts. The analytic may be modified to look for any file writes to this path as it is not common for files to write here. +how_to_implement: This analytic utilizes the Endpoint datamodel Filesystem node to + identify path traversal attempts against ScreenConnect. Note that using SACL auditing + or other file system monitoring tools may also be used to detect path traversal + attempts. Typically the data for this analytic will come from EDR or other properly + CIM mapped data sources. +known_false_positives: False positives are not expected, as the detection is based + on the presence of file system events that indicate path traversal attempts. The + analytic may be modified to look for any file writes to this path as it is not common + for files to write here. references: - https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass - https://www.huntress.com/blog/detection-guidance-for-connectwise-cwe-288-2 @@ -48,10 +64,11 @@ tags: security_domain: endpoint cve: - CVE-2024-1708 - - CVE-2024-1709 + - CVE-2024-1709 tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/screenconnect/sysmon_app_extensions.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/screenconnect/sysmon_app_extensions.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/connectwise_screenconnect_path_traversal_windows_sacl.yml b/detections/endpoint/connectwise_screenconnect_path_traversal_windows_sacl.yml index ace9237395..8dfdb15d92 100644 --- a/detections/endpoint/connectwise_screenconnect_path_traversal_windows_sacl.yml +++ b/detections/endpoint/connectwise_screenconnect_path_traversal_windows_sacl.yml @@ -1,21 +1,32 @@ name: ConnectWise ScreenConnect Path Traversal Windows SACL id: 4e127857-1fc9-4c95-9d69-ba24c91d52d7 -version: 1 -date: '2024-02-21' +version: 2 +date: '2024-05-20' author: Michael Haag, Splunk data_source: - Windows Event Log Security 4663 type: TTP status: production -description: This analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1708 vulnerability utilizing Windows SACL EventCode 4663, which allows an attacker to perform path traversal attacks by manipulating the file_path and file_name parameters in the URL. The vulnerability, identified as critical with a CVSS score of 9.8, enables unauthorized users to access sensitive files and directories on the host system, potentially leading to the exfiltration of sensitive data or the execution of arbitrary code. The search query provided looks for file system events that could indicate exploitation attempts. This detection is crucial for identifying and responding to active exploitation of this vulnerability in environments running affected versions of ScreenConnect (23.9.7 and prior). It is recommended to update to version 23.9.8 or above immediately to remediate the issue, as detailed in the ConnectWise security advisory and further analyzed by Huntress researchers. -search: '`wineventlog_security` EventCode=4663 ProcessName=*\\ScreenConnect.Service.exe file_path IN ("*\\ScreenConnect\\App_Extensions\\*") file_name IN ("*.aspx","*.ashx") - | stats count min(_time) as firstTime max(_time) as lastTime by ObjectName ObjectType ProcessName AccessMask process_id EventCode Computer Caller_User_Name - | rename Computer as dest Caller_User_Name as user ProcessName as process_name - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `connectwise_screenconnect_path_traversal_windows_sacl_filter`' -how_to_implement: To implement the following query, enable SACL auditing for the ScreenConnect directory(ies). With this data, the following analytic will work correctly. A GIST is provided in the references to assist with enabling SACL Auditing. -known_false_positives: False positives should be limited as the analytic is specific to ScreenConnect path traversal attempts. Tune as needed, or restrict to specific hosts if false positives are encountered. +description: The following analytic detects attempts to exploit the ConnectWise ScreenConnect + CVE-2024-1708 vulnerability using Windows SACL EventCode 4663. It identifies path + traversal attacks by monitoring file system events related to the ScreenConnect + service. This activity is significant as it allows unauthorized access to sensitive + files and directories, potentially leading to data exfiltration or arbitrary code + execution. If confirmed malicious, attackers could gain unauthorized access to critical + data or execute harmful code, compromising the integrity and security of the affected + system. Immediate remediation by updating to version 23.9.8 or above is recommended. +search: '`wineventlog_security` EventCode=4663 ProcessName=*\\ScreenConnect.Service.exe + file_path IN ("*\\ScreenConnect\\App_Extensions\\*") file_name IN ("*.aspx","*.ashx") + | stats count min(_time) as firstTime max(_time) as lastTime by ObjectName ObjectType + ProcessName AccessMask process_id EventCode Computer Caller_User_Name | rename Computer + as dest Caller_User_Name as user ProcessName as process_name | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `connectwise_screenconnect_path_traversal_windows_sacl_filter`' +how_to_implement: To implement the following query, enable SACL auditing for the ScreenConnect + directory(ies). With this data, the following analytic will work correctly. A GIST + is provided in the references to assist with enabling SACL Auditing. +known_false_positives: False positives should be limited as the analytic is specific + to ScreenConnect path traversal attempts. Tune as needed, or restrict to specific + hosts if false positives are encountered. references: - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4663 - https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass @@ -52,10 +63,11 @@ tags: security_domain: endpoint cve: - CVE-2024-1708 - - CVE-2024-1709 + - CVE-2024-1709 tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/screenconnect/4663_connectwise_aspx_app_extensions.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/screenconnect/4663_connectwise_aspx_app_extensions.log sourcetype: XmlWinEventLog source: XmlWinEventLog:Security diff --git a/detections/endpoint/control_loading_from_world_writable_directory.yml b/detections/endpoint/control_loading_from_world_writable_directory.yml index f40fd54eb2..c5cfb4a44c 100644 --- a/detections/endpoint/control_loading_from_world_writable_directory.yml +++ b/detections/endpoint/control_loading_from_world_writable_directory.yml @@ -1,14 +1,18 @@ name: Control Loading from World Writable Directory id: 10423ac4-10c9-11ec-8dc4-acde48001122 -version: 1 -date: '2021-09-08' +version: 2 +date: '2024-05-21' author: Michael Haag, Splunk status: production type: TTP -description: The following detection identifies control.exe loading either a .cpl - or .inf from a writable directory. This is related to CVE-2021-40444. During triage, - review parallel processes, parent and child, for further suspicious behaviors. In - addition, capture file modifications and analyze. +description: The following analytic identifies instances of control.exe loading a + .cpl or .inf file from a writable directory, which is related to CVE-2021-40444. + This detection leverages data from Endpoint Detection and Response (EDR) agents, + focusing on process names and command-line executions mapped to the `Processes` + node of the `Endpoint` data model. This activity is significant as it may indicate + an attempt to exploit a known vulnerability, potentially leading to unauthorized + code execution. If confirmed malicious, this could allow an attacker to gain control + over the affected system, leading to further compromise. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -88,6 +92,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.002/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.002/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/create_local_admin_accounts_using_net_exe.yml b/detections/endpoint/create_local_admin_accounts_using_net_exe.yml index e238e14e46..bf7a421242 100644 --- a/detections/endpoint/create_local_admin_accounts_using_net_exe.yml +++ b/detections/endpoint/create_local_admin_accounts_using_net_exe.yml @@ -1,12 +1,12 @@ name: Create local admin accounts using net exe id: b89919ed-fe5f-492c-b139-151bb162040e -version: 9 -date: '2024-04-26' +version: 10 +date: '2024-05-11' author: Bhavin Patel, Splunk status: production type: TTP description: |- - The following analytic detects the creation of local administrator accounts using the net.exe command to mitigate the risks associated with unauthorized access and prevent further damage to the environment by responding to potential threats earlier and taking appropriate actions to protect the organization's systems and data. This detection is made by a Splunk query to search for processes with the name net.exe or net1.exe that include the "/add" parameter and have specific keywords related to administrator accounts in their process name. This detection is important because the creation of unauthorized local administrator accounts might indicate that an attacker has successfully created a new administrator account and is trying to gain persistent access to a system or escalate their privileges for data theft, or other malicious activities. False positives might occur since there might be legitimate uses of the net.exe command and the creation of administrator accounts in certain circumstances. You must consider the context of the activity and other indicators of compromise before taking any action. For next steps, review the details of the identified process, including the user, parent process, and parent process name. Examine any relevant on-disk artifacts and look for concurrent processes to determine the source of the attack. + The following analytic detects the creation of local administrator accounts using the net.exe command. It leverages Endpoint Detection and Response (EDR) data to identify processes named net.exe or net1.exe with the "/add" parameter and keywords related to administrator accounts. This activity is significant as it may indicate an attacker attempting to gain persistent access or escalate privileges. If confirmed malicious, this could lead to unauthorized access, data theft, or further system compromise. Review the process details, user context, and related artifacts to determine the legitimacy of the activity. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count values(Processes.user) as @@ -15,9 +15,9 @@ search: '| tstats `security_content_summariesonly` count values(Processes.user) where (Processes.process_name=net.exe OR Processes.process_name=net1.exe) AND Processes.process=*/add* AND (Processes.process=*administrators* OR Processes.process=*administratoren* OR Processes.process=*administrateurs* OR Processes.process=*administrador* OR Processes.process=*amministratori* - OR Processes.process=*administratorer*) by Processes.process Processes.process_name Processes.parent_process_name - Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `create_local_admin_accounts_using_net_exe_filter`' + OR Processes.process=*administratorer*) by Processes.process Processes.process_name + Processes.parent_process_name Processes.dest Processes.user| `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `create_local_admin_accounts_using_net_exe_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -83,6 +83,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/create_or_delete_windows_shares_using_net_exe.yml b/detections/endpoint/create_or_delete_windows_shares_using_net_exe.yml index 2461a4cc32..73242cd06a 100644 --- a/detections/endpoint/create_or_delete_windows_shares_using_net_exe.yml +++ b/detections/endpoint/create_or_delete_windows_shares_using_net_exe.yml @@ -1,12 +1,12 @@ name: Create or delete windows shares using net exe id: 743a322c-9a68-4a0f-9c17-85d9cce2a27c -version: 6 -date: '2020-09-16' +version: 7 +date: '2024-05-26' author: Bhavin Patel, Splunk status: production type: TTP description: |- - The following analytic detects the creation or deletion of hidden shares using the net.exe command for prompt response and mitigation to enhance the overall security posture of the organization and protect against potential data breaches, malware infections, and other damaging outcomes. This detection is made by searching for processes that involve the use of net.exe and filters for actions related to creation or deletion of shares. This detection is important because it suggests that an attacker is attempting to manipulate or exploit the network by creating or deleting hidden shares. The creation or deletion of hidden shares can indicate malicious activity since attackers might use hidden shares to exfiltrate data, distribute malware, or establish persistence within a network. The impact of such an attack can vary, but it often involves unauthorized access to sensitive information, disruption of services, or the introduction of malware. False positives might occur since legitimate actions can also involve the use of net.exe. An extensive triage and investigation is necessary to determine the intent and nature of the detected activity. Next steps include reviewing the details of the process involving the net.exe command, including the user, parent process, and timestamps during the triage. Additionally, capture and inspect any relevant on-disk artifacts and review concurrent processes to identify the source of the attack. + The following analytic detects the creation or deletion of Windows shares using the net.exe command. It leverages Endpoint Detection and Response (EDR) data to identify processes involving net.exe with actions related to share management. This activity is significant because it may indicate an attacker attempting to manipulate network shares for malicious purposes, such as data exfiltration, malware distribution, or establishing persistence. If confirmed malicious, this activity could lead to unauthorized access to sensitive information, service disruption, or malware introduction. Immediate investigation is required to determine the intent and mitigate potential threats. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count values(Processes.user) as @@ -14,7 +14,7 @@ search: '| tstats `security_content_summariesonly` count values(Processes.user) max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` by Processes.process Processes.process_name Processes.parent_process_name Processes.original_file_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| - `security_content_ctime(lastTime)` | search process=*share* | `create_or_delete_windows_shares_using_net_exe_filter` ' + `security_content_ctime(lastTime)` | search process=*share* | `create_or_delete_windows_shares_using_net_exe_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -82,6 +82,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.005/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.005/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/create_remote_thread_in_shell_application.yml b/detections/endpoint/create_remote_thread_in_shell_application.yml index 78ee8f5821..5266ae0b5d 100644 --- a/detections/endpoint/create_remote_thread_in_shell_application.yml +++ b/detections/endpoint/create_remote_thread_in_shell_application.yml @@ -1,20 +1,25 @@ name: Create Remote Thread In Shell Application id: 10399c1e-f51e-11eb-b920-acde48001122 -version: 2 -date: '2024-01-31' +version: 3 +date: '2024-05-21' author: Teoderick Contreras, Splunk status: production type: TTP -description: This search is to detect suspicious process injection in command shell. - This technique was seen in IcedID where it execute cmd.exe process to inject its - shellcode as part of its execution as banking trojan. It is really uncommon to have - a create remote thread execution in the following application. +description: The following analytic detects suspicious process injection in command + shell applications, specifically targeting `cmd.exe` and `powershell.exe`. It leverages + Sysmon EventCode 8 to identify the creation of remote threads within these shell + processes. This activity is significant because it is a common technique used by + malware, such as IcedID, to inject malicious code and execute it within legitimate + processes. If confirmed malicious, this behavior could allow an attacker to execute + arbitrary code, escalate privileges, or maintain persistence within the environment, + posing a severe threat to system security. data_source: - Sysmon EventID 8 search: '`sysmon` EventCode=8 TargetImage IN ("*\\cmd.exe", "*\\powershell*") | stats count min(_time) as firstTime max(_time) as lastTime by TargetImage TargetProcessId - SourceProcessId EventCode StartAddress SourceImage dest |rename SourceImage as process_name| `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `create_remote_thread_in_shell_application_filter`' + SourceProcessId EventCode StartAddress SourceImage dest |rename SourceImage as + process_name| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `create_remote_thread_in_shell_application_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the @@ -61,6 +66,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/simulated_icedid/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/simulated_icedid/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/create_remote_thread_into_lsass.yml b/detections/endpoint/create_remote_thread_into_lsass.yml index e281f5465c..1def414675 100644 --- a/detections/endpoint/create_remote_thread_into_lsass.yml +++ b/detections/endpoint/create_remote_thread_into_lsass.yml @@ -1,16 +1,23 @@ name: Create Remote Thread into LSASS id: 67d4dbef-9564-4699-8da8-03a151529edc -version: 1 -date: '2019-12-06' +version: 2 +date: '2024-05-26' author: Patrick Bareiss, Splunk status: production type: TTP -description: "The following analytic detects the creation of a remote thread in the Local Security Authority Subsystem Service (LSASS), which is a common tactic used by adversaries to steal user authentication credentials, known as credential dumping. The detection is made by leveraging Sysmon EventID 8 logs and searches for processes that create remote threads in lsass.exe. This is an unusual activity that is generally linked to credential theft or credential dumping, which is a significant threat to network security. The detection is important because it helps to detect potential credential dumping attacks, which can result in significant damage to an organization's security. False positives might occur though the confidence level of this alert is high. There might be cases where legitimate tools can access LSASS and generate similar logs. Therefore, you must understand the broader context of such events and differentiate between legitimate activities and possible threats." +description: "The following analytic detects the creation of a remote thread in the + Local Security Authority Subsystem Service (LSASS). This behavior is identified + using Sysmon Event ID 8 logs, focusing on processes that create remote threads in + lsass.exe. This activity is significant because it is commonly associated with credential + dumping, a tactic used by adversaries to steal user authentication credentials. + If confirmed malicious, this could allow attackers to gain unauthorized access to + sensitive information, leading to potential compromise of the entire network. Analysts + should investigate to differentiate between legitimate tools and potential threats." data_source: - Sysmon EventID 8 search: '`sysmon` EventID=8 TargetImage=*lsass.exe | stats count min(_time) as firstTime - max(_time) as lastTime by dest, EventCode, TargetImage, TargetProcessId | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` - | `create_remote_thread_into_lsass_filter`' + max(_time) as lastTime by dest, EventCode, TargetImage, TargetProcessId | `security_content_ctime(firstTime)`| + `security_content_ctime(lastTime)` | `create_remote_thread_into_lsass_filter`' how_to_implement: This search needs Sysmon Logs with a Sysmon configuration, which includes EventCode 8 with lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations @@ -59,6 +66,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/creation_of_lsass_dump_with_taskmgr.yml b/detections/endpoint/creation_of_lsass_dump_with_taskmgr.yml index 1dc9e795cd..28aa70a853 100644 --- a/detections/endpoint/creation_of_lsass_dump_with_taskmgr.yml +++ b/detections/endpoint/creation_of_lsass_dump_with_taskmgr.yml @@ -1,21 +1,23 @@ name: Creation of lsass Dump with Taskmgr id: b2fbe95a-9c62-4c12-8a29-24b97e84c0cd -version: 1 -date: '2020-02-03' +version: 2 +date: '2024-05-22' author: Michael Haag, Splunk status: production type: TTP -description: Detect the hands on keyboard behavior of Windows Task Manager creating - a process dump of lsass.exe. Upon this behavior occurring, a file write/modification - will occur in the users profile under \AppData\Local\Temp. The dump file, lsass.dmp, - cannot be renamed, however if the dump occurs more than once, it will be named lsass - (2).dmp. +description: The following analytic detects the creation of an lsass.exe process dump + using Windows Task Manager. It leverages Sysmon EventID 11 to identify file creation + events where the target filename matches *lsass*.dmp. This activity is significant + because creating an lsass dump can be a precursor to credential theft, as the dump + file contains sensitive information such as user passwords. If confirmed malicious, + an attacker could use the lsass dump to extract credentials and escalate privileges, + potentially compromising the entire network. data_source: - Sysmon EventID 1 search: '`sysmon` EventID=11 process_name=taskmgr.exe TargetFilename=*lsass*.dmp | stats count min(_time) as firstTime max(_time) as lastTime by dest, object_category, - process_name, TargetFilename | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `creation_of_lsass_dump_with_taskmgr_filter`' + process_name, TargetFilename | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `creation_of_lsass_dump_with_taskmgr_filter`' how_to_implement: This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 11 for detecting file create of lsass.dmp. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific @@ -61,6 +63,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/creation_of_shadow_copy_with_wmic_and_powershell.yml b/detections/endpoint/creation_of_shadow_copy_with_wmic_and_powershell.yml index 7bd3ac26eb..95a7ef8d8d 100644 --- a/detections/endpoint/creation_of_shadow_copy_with_wmic_and_powershell.yml +++ b/detections/endpoint/creation_of_shadow_copy_with_wmic_and_powershell.yml @@ -1,12 +1,12 @@ name: Creation of Shadow Copy with wmic and powershell id: 2ed8b538-d284-449a-be1d-82ad1dbd186b -version: 3 -date: '2021-09-16' +version: 4 +date: '2024-05-18' author: Patrick Bareiss, Splunk status: production type: TTP description: |- - The following analytic detects the use of two specific tools, wmic and Powershell, to create a shadow copy to identify potential threats earlier and take appropriate actions to mitigate the risks. This detection is made by a Splunk query that searches for processes in the Endpoint.Processes data model where either the process name contains "wmic" or "Powershell" and the process command contains "shadowcopy" and "create". This detection is important because it suggests that an attacker is attempting to manipulate or access data in an unauthorized manner, which can lead to data theft, data manipulation, or other malicious activities. Attackers might use shadow copies to backup and exfiltrate sensitive data or to hide their tracks by restoring files to a previous state after an attack. Next steps include reviewing the user associated with the process, the process name, the original file name, the process command, and the destination of the process. Additionally, examine any relevant on-disk artifacts and review other concurrent processes to determine the source of the attack. + The following analytic detects the creation of shadow copies using "wmic" or "Powershell" commands. It leverages the Endpoint.Processes data model in Splunk to identify processes where the command includes "shadowcopy" and "create". This activity is significant because it may indicate an attacker attempting to manipulate or access data unauthorizedly, potentially leading to data theft or manipulation. If confirmed malicious, this behavior could allow attackers to backup and exfiltrate sensitive data or hide their tracks by restoring files to a previous state after an attack. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -73,6 +73,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.003/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.003/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/credential_dumping_via_copy_command_from_shadow_copy.yml b/detections/endpoint/credential_dumping_via_copy_command_from_shadow_copy.yml index f4405ef296..6cf0509fb1 100644 --- a/detections/endpoint/credential_dumping_via_copy_command_from_shadow_copy.yml +++ b/detections/endpoint/credential_dumping_via_copy_command_from_shadow_copy.yml @@ -1,11 +1,18 @@ name: Credential Dumping via Copy Command from Shadow Copy id: d8c406fe-23d2-45f3-a983-1abe7b83ff3b -version: 2 -date: '2021-09-16' +version: 3 +date: '2024-05-30' author: Patrick Bareiss, Splunk status: production type: TTP -description: "The following analytic detects the use of the copy command to dump credentials from a shadow copy so that you can detect potential threats earlier and mitigate the risks associated with credential dumping. The detection is made by using a Splunk query to search for specific processes that indicate credential dumping activity. The query looks for processes with command lines that include references to certain files, such as \"sam\", \"security\", \"system\", and \"ntds.dit\", located in system directories like \"system32\" or \"windows\". The detection is important because it suggests that an attacker is attempting to extract credentials from a shadow copy. Credential dumping is a common technique used by attackers to obtain sensitive login information and gain unauthorized access to systems to escalate privileges, move laterally within the network, or gain unauthorized access to sensitive data. False positives might occur since legitimate processes might also reference these files. During triage, it is crucial to review the process details, including the source and the command that is run. Additionally, you must capture and analyze any relevant on-disk artifacts and investigate concurrent processes to determine the source of the attack" +description: "The following analytic detects the use of the copy command to dump credentials + from a shadow copy. It leverages Endpoint Detection and Response (EDR) data to identify + processes with command lines referencing critical files like \"sam\", \"security\"\ + , \"system\", and \"ntds.dit\" in system directories. This activity is significant + as it indicates an attempt to extract credentials, a common technique for unauthorized + access and privilege escalation. If confirmed malicious, this could lead to attackers + gaining sensitive login information, escalating privileges, moving laterally within + the network, or accessing sensitive data." data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -15,7 +22,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process Processes.parent_process Processes.original_file_name Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` - | `credential_dumping_via_copy_command_from_shadow_copy_filter` ' + | `credential_dumping_via_copy_command_from_shadow_copy_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -71,6 +78,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.003/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.003/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/credential_dumping_via_symlink_to_shadow_copy.yml b/detections/endpoint/credential_dumping_via_symlink_to_shadow_copy.yml index ba47aaacad..dcc09e8198 100644 --- a/detections/endpoint/credential_dumping_via_symlink_to_shadow_copy.yml +++ b/detections/endpoint/credential_dumping_via_symlink_to_shadow_copy.yml @@ -1,12 +1,12 @@ name: Credential Dumping via Symlink to Shadow Copy id: c5eac648-fae0-4263-91a6-773df1f4c903 -version: 2 -date: '2021-09-16' +version: 3 +date: '2024-05-20' author: Patrick Bareiss, Splunk status: production type: TTP description: |- - The following analytic detects the creation of a symlink to a shadow copy to identify potential threats earlier and mitigate the risks associated with symlink creation to shadow copies. The detection is made by using a Splunk query that searches for processes with commands containing "mklink" and "HarddiskVolumeShadowCopy". This analytic retrieves information such as the destination, user, process name, process ID, parent process, original file name, and parent process ID from the Endpoint.Processes data model. The detection is important because it indicates potential malicious activity since attackers might use this technique to manipulate or delete shadow copies, which are used for system backup and recovery. This detection helps to determine if an attacker is attempting to cover their tracks or prevent data recovery in the event of an incident. The impact of such an attack can be significant since it can hinder incident response efforts, prevent data restoration, and potentially lead to data loss or compromise. Next steps include reviewing the details of the process, such as the destination and the user responsible for creating the symlink. Additionally, you must examine the parent process, any relevant on-disk artifacts, and concurrent processes to identify the source of the attack. + The following analytic detects the creation of a symlink to a shadow copy, which may indicate credential dumping attempts. It leverages the Endpoint.Processes data model in Splunk to identify processes executing commands containing "mklink" and "HarddiskVolumeShadowCopy". This activity is significant because attackers often use this technique to manipulate or delete shadow copies, hindering system backup and recovery efforts. If confirmed malicious, this could prevent data restoration, complicate incident response, and lead to data loss or compromise. Analysts should review the process details, user, parent process, and any related artifacts to identify the attack source. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -70,6 +70,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.003/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.003/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/csc_net_on_the_fly_compilation.yml b/detections/endpoint/csc_net_on_the_fly_compilation.yml index 560ae46297..4468e9810d 100644 --- a/detections/endpoint/csc_net_on_the_fly_compilation.yml +++ b/detections/endpoint/csc_net_on_the_fly_compilation.yml @@ -1,18 +1,18 @@ name: CSC Net On The Fly Compilation id: ea73128a-43ab-11ec-9753-acde48001122 -version: 1 -date: '2021-11-12' +version: 2 +date: '2024-05-20' author: Teoderick Contreras, Splunk status: production type: Hunting -description: this analytic is to detect a suspicious compile before delivery approach - of .net compiler csc.exe. This technique was seen in several adversaries, malware - and even in red teams to take advantage the csc.exe .net compiler tool to compile - on the fly a malicious .net code to evade detection from security product. This - is a good hunting query to check further the file or process created after this - event and check the file path that passed to csc.exe which is the .net code. Aside - from that, powershell is capable of using this compiler in executing .net code in - a powershell script so filter on that case is needed. +description: The following analytic detects the use of the .NET compiler csc.exe for + on-the-fly compilation of potentially malicious .NET code. It leverages data from + Endpoint Detection and Response (EDR) agents, focusing on specific command-line + patterns associated with csc.exe. This activity is significant because adversaries + and malware often use this technique to evade detection by compiling malicious code + at runtime. If confirmed malicious, this could allow attackers to execute arbitrary + code, potentially leading to system compromise, data exfiltration, or further lateral + movement within the network. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -71,6 +71,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/vilsel/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/vilsel/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/curl_download_and_bash_execution.yml b/detections/endpoint/curl_download_and_bash_execution.yml index eaa8a68c28..0109178820 100644 --- a/detections/endpoint/curl_download_and_bash_execution.yml +++ b/detections/endpoint/curl_download_and_bash_execution.yml @@ -1,13 +1,18 @@ name: Curl Download and Bash Execution id: 900bc324-59f3-11ec-9fb4-acde48001122 -version: 1 -date: '2021-12-10' +version: 2 +date: '2024-05-11' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies the use of curl on Linux or MacOS attempting - to download a file from a remote source and pipe it to bash. This is typically found - with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j. +description: The following analytic detects the use of curl on Linux or MacOS systems + to download a file from a remote source and pipe it directly to bash for execution. + This detection leverages data from Endpoint Detection and Response (EDR) agents, + focusing on process names, command-line arguments, and parent processes. This activity + is significant as it is commonly associated with malicious actions such as coinminers + and exploitation of vulnerabilities like CVE-2021-44228 in Log4j. If confirmed malicious, + this behavior could lead to unauthorized code execution, system compromise, and + further exploitation within the environment. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -79,6 +84,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/linux-sysmon_curlwget.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/linux-sysmon_curlwget.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/detections/endpoint/delete_shadowcopy_with_powershell.yml b/detections/endpoint/delete_shadowcopy_with_powershell.yml index f10da283ce..4e9538f69c 100644 --- a/detections/endpoint/delete_shadowcopy_with_powershell.yml +++ b/detections/endpoint/delete_shadowcopy_with_powershell.yml @@ -1,21 +1,24 @@ name: Delete ShadowCopy With PowerShell id: 5ee2bcd0-b2ff-11eb-bb34-acde48001122 -version: 2 -date: '2022-05-02' +version: 3 +date: '2024-05-23' author: Teoderick Contreras, Splunk status: production type: TTP -description: This following analytic detects PowerShell command to delete shadow copy - using the WMIC PowerShell module. This technique was seen used by a recent adversary - to deploy DarkSide Ransomware where it executed a child process of PowerShell to - execute a hex encoded command to delete shadow copy. This hex encoded command was - able to be decrypted by PowerShell log. +description: The following analytic detects the use of PowerShell to delete shadow + copies via the WMIC PowerShell module. It leverages EventCode 4104 and searches + for specific keywords like "ShadowCopy," "Delete," or "Remove" within the ScriptBlockText. + This activity is significant because deleting shadow copies is a common tactic used + by ransomware, such as DarkSide, to prevent data recovery. If confirmed malicious, + this action could lead to irreversible data loss and hinder recovery efforts, significantly + impacting business continuity and data integrity. data_source: - Powershell Script Block Logging 4104 search: '`powershell` EventCode=4104 ScriptBlockText= "*ShadowCopy*" (ScriptBlockText = "*Delete*" OR ScriptBlockText = "*Remove*") | stats count min(_time) as firstTime - max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText |rename Computer as dest |rename UserID as user | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `delete_shadowcopy_with_powershell_filter`' + max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText |rename + Computer as dest |rename UserID as user | `security_content_ctime(firstTime)` | + `security_content_ctime(lastTime)` | `delete_shadowcopy_with_powershell_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the powershell logs from your endpoints. make sure you enable needed registry to monitor this event. @@ -61,6 +64,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/deleting_of_net_users.yml b/detections/endpoint/deleting_of_net_users.yml index 5e51e74924..56b579762c 100644 --- a/detections/endpoint/deleting_of_net_users.yml +++ b/detections/endpoint/deleting_of_net_users.yml @@ -1,16 +1,17 @@ name: Deleting Of Net Users id: 1c8c6f66-acce-11eb-aafb-acde48001122 -version: 2 -date: '2023-06-13' +version: 3 +date: '2024-05-21' author: Teoderick Contreras, Splunk status: production type: TTP -description: This analytic will detect a suspicious net.exe/net1.exe command-line - to delete a user on a system. This technique may be use by an administrator for - legitimate purposes, however this behavior has been used in the wild to impair some - user or deleting adversaries tracks created during its lateral movement additional - systems. During triage, review parallel processes for additional behavior. Identify - any other user accounts created before or after. +description: The following analytic detects the use of net.exe or net1.exe command-line + to delete a user account on a system. It leverages data from Endpoint Detection + and Response (EDR) agents, focusing on process and command-line execution logs. + This activity is significant as it may indicate an attempt to impair user accounts + or cover tracks during lateral movement. If confirmed malicious, this could lead + to unauthorized access removal, disruption of legitimate user activities, or concealment + of adversarial actions, complicating incident response and forensic investigations. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` values(Processes.process) as process @@ -84,6 +85,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/detect_azurehound_command_line_arguments.yml b/detections/endpoint/detect_azurehound_command_line_arguments.yml index 239c2099c8..878510f5e2 100644 --- a/detections/endpoint/detect_azurehound_command_line_arguments.yml +++ b/detections/endpoint/detect_azurehound_command_line_arguments.yml @@ -1,22 +1,25 @@ name: Detect AzureHound Command-Line Arguments id: 26f02e96-c300-11eb-b611-acde48001122 -version: 2 -date: '2024-03-14' +version: 3 +date: '2024-05-29' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies the common command-line argument used - by AzureHound `Invoke-AzureHound`. Being the script is FOSS, function names may - be modified, but these changes are dependent upon the operator. In most instances - the defaults are used. This analytic works to identify the common command-line attributes - used. It does not cover the entirety of every argument in order to avoid false positives. +description: The following analytic detects the execution of the `Invoke-AzureHound` + command-line argument, commonly used by the AzureHound tool. It leverages data from + Endpoint Detection and Response (EDR) agents, focusing on process names and command-line + executions. This activity is significant because AzureHound is often used for reconnaissance + in Azure environments, potentially exposing sensitive information. If confirmed + malicious, this activity could allow an attacker to map out Azure Active Directory + structures, aiding in further attacks and privilege escalation. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN ("*invoke-azurehound*") - by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name - Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_azurehound_command_line_arguments_filter`' + by Processes.dest Processes.user Processes.parent_process Processes.process_name + Processes.parent_process_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `detect_azurehound_command_line_arguments_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -87,6 +90,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/sharphound/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/sharphound/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/detect_azurehound_file_modifications.yml b/detections/endpoint/detect_azurehound_file_modifications.yml index 35e426a9ec..e65d2bf826 100644 --- a/detections/endpoint/detect_azurehound_file_modifications.yml +++ b/detections/endpoint/detect_azurehound_file_modifications.yml @@ -1,25 +1,26 @@ name: Detect AzureHound File Modifications id: 1c34549e-c31b-11eb-996b-acde48001122 -version: 2 -date: '2024-03-14' +version: 3 +date: '2024-05-12' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic is similar to SharpHound file modifications, but - this instance covers the use of Invoke-AzureHound. AzureHound is the SharpHound - equivilent but for Azure. It's possible this may never be seen in an environment - as most attackers may execute this tool remotely. Once execution is complete, a - zip file with a similar name will drop `20210601090751-azurecollection.zip`. In - addition to the zip, multiple .json files will be written to disk, which are in - the zip. +description: The following analytic detects the creation of specific AzureHound-related + files, such as `*-azurecollection.zip` and various `.json` files, on disk. It leverages + data from the Endpoint.Filesystem datamodel, focusing on file creation events with + specific filenames. This activity is significant because AzureHound is a tool used + to gather information about Azure environments, similar to SharpHound for on-premises + Active Directory. If confirmed malicious, this activity could indicate an attacker + is collecting sensitive Azure environment data, potentially leading to further exploitation + or privilege escalation within the cloud infrastructure. data_source: - Sysmon EventID 11 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*-azurecollection.zip", "*-azprivroleadminrights.json", "*-azglobaladminrights.json", "*-azcloudappadmins.json", "*-azapplicationadmins.json") by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name - Filesystem.file_path Filesystem.dest Filesystem.user | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `detect_azurehound_file_modifications_filter`' + Filesystem.file_path Filesystem.dest Filesystem.user | `drop_dm_object_name(Filesystem)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_azurehound_file_modifications_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on file modifications that include the name of the process, and file, responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` @@ -74,6 +75,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/sharphound/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/sharphound/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/detect_baron_samedit_cve_2021_3156.yml b/detections/endpoint/detect_baron_samedit_cve_2021_3156.yml index f05e62b8d9..b185a14275 100644 --- a/detections/endpoint/detect_baron_samedit_cve_2021_3156.yml +++ b/detections/endpoint/detect_baron_samedit_cve_2021_3156.yml @@ -1,12 +1,12 @@ name: Detect Baron Samedit CVE-2021-3156 id: 93fbec4e-0375-440c-8db3-4508eca470c4 -version: 1 -date: '2021-01-27' +version: 2 +date: '2024-05-15' author: Shannon Davis, Splunk status: experimental type: TTP description: |- - The following analytic detects a specific type of vulnerability known as a heap-based buffer overflow in the sudoedit command, commonly referred to as Baron Samedit CVE-2021-3156. The detection is made by a Splunk query that searches for instances of the sudoedit command with the "-s" flag followed by a double quote. This combination of parameters is indicative of the vulnerability being exploited. The detection is important because it suggests that an attacker is attempting to exploit the Baron Samedit vulnerability. The Baron Samedit vulnerability allows an attacker to gain elevated privileges on a Linux system and run arbitrary code with root privileges, potentially leading to complete control over the affected system. The impact of a successful attack can be severe since it allows the attacker to bypass security measures and gain unauthorized access to sensitive data or systems. This can result in data breaches, unauthorized modifications, or even complete system compromise. Next steps include being aware of this vulnerability and actively monitoring any attempts to exploit it. By detecting and responding to such attacks in a timely manner, you can prevent or minimize the potential damage caused by the heap-based buffer overflow of sudoedit. + The following analytic detects attempts to exploit the Baron Samedit vulnerability (CVE-2021-3156) by identifying the use of the "sudoedit -s \\" command. This detection leverages logs from Linux systems, specifically searching for instances of the sudoedit command with the "-s" flag followed by a double quote. This activity is significant because it indicates an attempt to exploit a known vulnerability that allows attackers to gain root privileges. If confirmed malicious, this could lead to complete system compromise, unauthorized access to sensitive data, and potential data breaches. data_source: [] search: '`linux_hosts` "sudoedit -s \\" | `detect_baron_samedit_cve_2021_3156_filter`' how_to_implement: Splunk Universal Forwarder running on Linux systems, capturing logs diff --git a/detections/endpoint/detect_baron_samedit_cve_2021_3156_segfault.yml b/detections/endpoint/detect_baron_samedit_cve_2021_3156_segfault.yml index 882b8c8188..4968593a16 100644 --- a/detections/endpoint/detect_baron_samedit_cve_2021_3156_segfault.yml +++ b/detections/endpoint/detect_baron_samedit_cve_2021_3156_segfault.yml @@ -1,12 +1,12 @@ name: Detect Baron Samedit CVE-2021-3156 Segfault id: 10f2bae0-bbe6-4984-808c-37dc1c67980d -version: 1 -date: '2021-01-29' +version: 2 +date: '2024-05-28' author: Shannon Davis, Splunk status: experimental type: TTP description: |- - The following analytic detects the occurrence of a heap-based buffer overflow in sudoedit.The detection is made by using a Splunk query to identify Linux hosts where the terms "sudoedit" and "segfault" appear in the logs. The detection is important because the heap-based buffer overflow vulnerability in sudoedit can be exploited by attackers to gain elevated root privileges on a vulnerable system, which might lead to the compromise of sensitive data, unauthorized access, and other malicious activities. False positives might occur. Therefore, you must review the logs and investigate further before taking any action. + The following analytic identifies a heap-based buffer overflow in sudoedit by detecting Linux logs containing both "sudoedit" and "segfault" terms. This detection leverages Splunk to monitor for more than five occurrences of these terms on a single host within a specified timeframe. This activity is significant because exploiting this vulnerability (CVE-2021-3156) can allow attackers to gain root privileges, leading to potential system compromise, unauthorized access, and data breaches. If confirmed malicious, this could result in elevated privileges and full control over the affected system, posing a severe security risk. data_source: [] search: '`linux_hosts` TERM(sudoedit) TERM(segfault) | stats count min(_time) as firstTime max(_time) as lastTime by host | where count > 5 | `detect_baron_samedit_cve_2021_3156_segfault_filter`' diff --git a/detections/endpoint/detect_baron_samedit_cve_2021_3156_via_osquery.yml b/detections/endpoint/detect_baron_samedit_cve_2021_3156_via_osquery.yml index c6b942e6d7..6a17163717 100644 --- a/detections/endpoint/detect_baron_samedit_cve_2021_3156_via_osquery.yml +++ b/detections/endpoint/detect_baron_samedit_cve_2021_3156_via_osquery.yml @@ -1,11 +1,18 @@ name: Detect Baron Samedit CVE-2021-3156 via OSQuery id: 1de31d5d-8fa6-4ee0-af89-17069134118a -version: 1 -date: '2021-01-28' +version: 2 +date: '2024-05-13' author: Shannon Davis, Splunk status: experimental type: TTP -description: "The following analytic detects the heap-based buffer overflow for the sudoedit command and identifies instances where the command \"sudoedit -s *\" is run using the osquery_process data source. This indicates that the sudoedit command is used with the \"-s\" flag, which is associated with the heap-based buffer overflow vulnerability. The detection is important because it indicates a potential security vulnerability, specifically Baron Samedit CVE-2021-3156, which helps to identify and respond to potential heap-based buffer overflow attacks to enhance the security posture of the organization. This vulnerability allows an attacker to escalate privileges and potentially gain unauthorized access to the system. If the attack is successful, the attacker can gain full control of the system, run arbitrary code, or access sensitive data. Such attacks can lead to data breaches, unauthorized access, and potential disruption of critical systems. False positives might occur since the legitimate use of the sudoedit command with the \"-s\" flag can also trigger this detection. You must carefully review and validate the findings before taking any action. Next steps include investigating all true positive detections promptly, reviewing the associated processes, gather relevant artifacts, identifying the source of the attack to contain the threat, mitigate the risks, and prevent further damage to the environment." +description: "The following analytic detects the execution of the \"sudoedit -s *\"\ + \ command, which is associated with the Baron Samedit CVE-2021-3156 heap-based buffer + overflow vulnerability. This detection leverages the `osquery_process` data source + to identify instances where this specific command is run. This activity is significant + because it indicates an attempt to exploit a known vulnerability that allows privilege + escalation. If confirmed malicious, an attacker could gain full control of the system, + execute arbitrary code, or access sensitive data, leading to potential data breaches + and system disruptions." data_source: [] search: '`osquery_process` | search "columns.cmdline"="sudoedit -s \\*" | `detect_baron_samedit_cve_2021_3156_via_osquery_filter`' how_to_implement: OSQuery installed and configured to pick up process events (info diff --git a/detections/endpoint/detect_certify_command_line_arguments.yml b/detections/endpoint/detect_certify_command_line_arguments.yml index b530dc7d8d..52dd482e6e 100644 --- a/detections/endpoint/detect_certify_command_line_arguments.yml +++ b/detections/endpoint/detect_certify_command_line_arguments.yml @@ -1,14 +1,18 @@ name: Detect Certify Command Line Arguments id: e6d2dc61-a8b9-4b03-906c-da0ca75d71b8 -version: 1 -date: '2023-06-25' +version: 2 +date: '2024-05-25' author: Steven Dick status: production type: TTP -description: The following analytic identifies when the attacker tool Certify or Certipy - are used to enumerate Active Directory Certificate Services (AD CS) environments. - The default command line arguments of these tools are similar and perform near identical - enumeration or exploitation functions. +description: The following analytic detects the use of Certify or Certipy tools to + enumerate Active Directory Certificate Services (AD CS) environments. It leverages + Endpoint Detection and Response (EDR) data, focusing on specific command-line arguments + associated with these tools. This activity is significant because it indicates potential + reconnaissance or exploitation attempts targeting AD CS, which could lead to unauthorized + access or privilege escalation. If confirmed malicious, attackers could gain insights + into the AD CS infrastructure, potentially compromising sensitive certificates and + escalating their privileges within the network. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -75,7 +79,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/certify_abuse/certify_esc1_abuse_sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/certify_abuse/certify_esc1_abuse_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/detect_certify_with_powershell_script_block_logging.yml b/detections/endpoint/detect_certify_with_powershell_script_block_logging.yml index d05be57045..6255204005 100644 --- a/detections/endpoint/detect_certify_with_powershell_script_block_logging.yml +++ b/detections/endpoint/detect_certify_with_powershell_script_block_logging.yml @@ -1,23 +1,34 @@ name: Detect Certify With PowerShell Script Block Logging id: f533ca6c-9440-4686-80cb-7f294c07812a -version: 1 -date: '2023-06-25' +version: 2 +date: '2024-05-12' author: Steven Dick status: production type: TTP -description: The following analytic identifies when the attacker tool Certify is used through an in-memory PowerShell function to enumerate Active Directory Certificate Services (AD CS) environments. The default command line arguments for the binary version of this tools are similar to PowerShell calls and perform near identical enumeration or exploitation functions. +description: The following analytic detects the use of the Certify tool via an in-memory + PowerShell function to enumerate Active Directory Certificate Services (AD CS) environments. + It leverages PowerShell Script Block Logging (EventCode 4104) to identify specific + command patterns associated with Certify's enumeration and exploitation functions. + This activity is significant as it indicates potential reconnaissance or exploitation + attempts against AD CS, which could lead to unauthorized certificate issuance. If + confirmed malicious, attackers could leverage this to escalate privileges, persist + in the environment, or access sensitive information by abusing AD CS. data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 (ScriptBlockText IN ("*find *") AND ScriptBlockText IN ("* /vulnerable*","* -vulnerable*","* /enrolleeSuppliesSubject *","* /json /outfile*")) OR (ScriptBlockText IN (,"*auth *","*req *",) AND ScriptBlockText IN ("* -ca *","* -username *","* -u *")) OR (ScriptBlockText IN ("*request *","*download *") AND ScriptBlockText IN ("* /ca:*")) - | stats count min(_time) as firstTime max(_time) as lastTime list(ScriptBlockText) as command Values(OpCode) as reason values(Path) as file_name values(UserID) as user by _time Computer EventCode - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | eval file_name = case(isnotnull(file_name),file_name,true(),"unknown") - | eval signature = substr(command,0,256) - | rename Computer as dest,EventCode as signature_id - | `detect_certify_with_powershell_script_block_logging_filter`' -how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.. -known_false_positives: Unknown, partial script block matches. +search: '`powershell` EventCode=4104 (ScriptBlockText IN ("*find *") AND ScriptBlockText + IN ("* /vulnerable*","* -vulnerable*","* /enrolleeSuppliesSubject *","* /json /outfile*")) + OR (ScriptBlockText IN (,"*auth *","*req *",) AND ScriptBlockText IN ("* -ca *","* + -username *","* -u *")) OR (ScriptBlockText IN ("*request *","*download *") AND + ScriptBlockText IN ("* /ca:*")) | stats count min(_time) as firstTime max(_time) + as lastTime list(ScriptBlockText) as command Values(OpCode) as reason values(Path) + as file_name values(UserID) as user by _time Computer EventCode | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | eval file_name = case(isnotnull(file_name),file_name,true(),"unknown") + | eval signature = substr(command,0,256) | rename Computer as dest,EventCode as + signature_id | `detect_certify_with_powershell_script_block_logging_filter`' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.. +known_false_positives: Unknown, partial script block matches. references: - https://github.com/GhostPack/Certify - https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf @@ -52,14 +63,15 @@ tags: - OpCode - Path - user - - Computer + - Computer - EventCode risk_score: 90 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/certify_abuse/certify_esc1_abuse_powershell.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/certify_abuse/certify_esc1_abuse_powershell.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/detect_certipy_file_modifications.yml b/detections/endpoint/detect_certipy_file_modifications.yml index 4665d10f04..ea93660b54 100644 --- a/detections/endpoint/detect_certipy_file_modifications.yml +++ b/detections/endpoint/detect_certipy_file_modifications.yml @@ -1,25 +1,38 @@ name: Detect Certipy File Modifications id: 7e3df743-b1d8-4631-8fa8-bd5819688876 -version: 1 -date: '2023-06-25' +version: 2 +date: '2024-05-27' author: Steven Dick status: production type: TTP -description: The following analytic identifies when the attacker tool Certipy is used to enumerate Active Directory Certificate Services (AD CS) environments. The default behavior of this toolkit drops a number of file uniquely named files or file extensions related to it's information gathering and exfiltration process. +description: The following analytic detects the use of the Certipy tool to enumerate + Active Directory Certificate Services (AD CS) environments by identifying unique + file modifications. It leverages endpoint process and filesystem data to spot the + creation of files with specific names or extensions associated with Certipy's information + gathering and exfiltration activities. This activity is significant as it indicates + potential reconnaissance and data exfiltration efforts by an attacker. If confirmed + malicious, this could lead to unauthorized access to sensitive AD CS information, + enabling further attacks or privilege escalation within the network. data_source: - Windows Event Log Security 4663 - Sysmon EventID 11 -search: '| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime values(Processes.process_current_directory) as process_current_directory FROM datamodel=Endpoint.Processes where Processes.action="allowed" BY _time span=1h Processes.user Processes.dest Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.parent_process_name Processes.parent_process Processes.process_guid Processes.action - |`drop_dm_object_name(Processes)` - | join max=0 dest process_guid [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*_certipy.zip", "*_certipy.txt", "*_certipy.json", "*.ccache") by Filesystem.file_create_time Filesystem.process_id Filesystem.process_guid Filesystem.file_name Filesystem.file_path Filesystem.dest - | `drop_dm_object_name(Filesystem)` - ] - | fields firstTime lastTime user dest file_create_time file_name file_path parent_process_name parent_process process_name process_path process_current_directory process process_guid process_id - | where isnotnull(file_name) - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `detect_certipy_file_modifications_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints as well as file creation or deletion events. +search: '| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) + AS lastTime values(Processes.process_current_directory) as process_current_directory + FROM datamodel=Endpoint.Processes where Processes.action="allowed" BY _time span=1h + Processes.user Processes.dest Processes.process_id Processes.process_name Processes.process + Processes.process_path Processes.parent_process_name Processes.parent_process Processes.process_guid + Processes.action |`drop_dm_object_name(Processes)` | join max=0 dest process_guid + [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*_certipy.zip", + "*_certipy.txt", "*_certipy.json", "*.ccache") by Filesystem.file_create_time Filesystem.process_id + Filesystem.process_guid Filesystem.file_name Filesystem.file_path Filesystem.dest + | `drop_dm_object_name(Filesystem)` ] | fields firstTime lastTime user dest file_create_time + file_name file_path parent_process_name parent_process process_name process_path + process_current_directory process process_guid process_id | where isnotnull(file_name) + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_certipy_file_modifications_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name, parent process, and command-line executions from your + endpoints as well as file creation or deletion events. known_false_positives: Unknown references: - https://github.com/ly4k/Certipy @@ -58,28 +71,29 @@ tags: - Splunk Cloud required_fields: - _time - - Processes.user - - Processes.dest - - Processes.process_id - - Processes.process_name - - Processes.process - - Processes.process_path - - Processes.parent_process_name - - Processes.parent_process - - Processes.process_guid + - Processes.user + - Processes.dest + - Processes.process_id + - Processes.process_name + - Processes.process + - Processes.process_path + - Processes.parent_process_name + - Processes.parent_process + - Processes.process_guid - Processes.action - - Filesystem.file_create_time - - Filesystem.process_id - - Filesystem.process_guid - - Filesystem.file_name - - Filesystem.file_path + - Filesystem.file_create_time + - Filesystem.process_id + - Filesystem.process_guid + - Filesystem.file_name + - Filesystem.file_path - Filesystem.dest risk_score: 45 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/certify_abuse/certify_esc1_abuse_sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/certify_abuse/certify_esc1_abuse_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true \ No newline at end of file + update_timestamp: true diff --git a/detections/endpoint/detect_copy_of_shadowcopy_with_script_block_logging.yml b/detections/endpoint/detect_copy_of_shadowcopy_with_script_block_logging.yml index f06e85ddcc..123f62d901 100644 --- a/detections/endpoint/detect_copy_of_shadowcopy_with_script_block_logging.yml +++ b/detections/endpoint/detect_copy_of_shadowcopy_with_script_block_logging.yml @@ -1,30 +1,24 @@ name: Detect Copy of ShadowCopy with Script Block Logging id: 9251299c-ea5b-11eb-a8de-acde48001122 -version: 2 -date: '2024-04-26' +version: 3 +date: '2024-05-31' author: Michael Haag, Splunk status: production type: TTP -description: 'The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) - to identify suspicious PowerShell execution. Script Block Logging captures the command - sent to PowerShell, the full command to be executed. Upon enabling, logs will output - to Windows event logs. Dependent upon volume, enable on critical endpoints or all. - - - This analytic identifies `copy` or `[System.IO.File]::Copy` being used to capture - the SAM, SYSTEM or SECURITY hives identified in script block. This will catch the - most basic use cases for credentials being taken for offline cracking. - - During triage, review parallel processes using an EDR product or 4688 events. It - will be important to understand the timeline of events around this activity. Review - the entire logged PowerShell script block.' +description: 'The following analytic detects the use of PowerShell commands to copy + the SAM, SYSTEM, or SECURITY hives, which are critical for credential theft. It + leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze + the full command executed. This activity is significant as it indicates an attempt + to exfiltrate sensitive registry hives for offline password cracking. If confirmed + malicious, this could lead to unauthorized access to credentials, enabling further + compromise of the system and potential lateral movement within the network.' data_source: - Powershell Script Block Logging 4104 search: '`powershell` EventCode=4104 ScriptBlockText IN ("*copy*","*[System.IO.File]::Copy*") - AND ScriptBlockText IN ("*System32\\config\\SAM*", "*System32\\config\\SYSTEM*","*System32\\config\\SECURITY*") + AND ScriptBlockText IN ("*System32\\config\\SAM*", "*System32\\config\\SYSTEM*","*System32\\config\\SECURITY*") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer - UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `detect_copy_of_shadowcopy_with_script_block_logging_filter`' + UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_copy_of_shadowcopy_with_script_block_logging_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. @@ -62,16 +56,17 @@ tags: - Splunk Cloud required_fields: - _time - - Message + - ScriptBlockText - OpCode - - ComputerName - - User + - Computer + - UserID - EventCode risk_score: 80 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/detect_copy_of_shadowcopy_with_script_block_logging/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/detect_copy_of_shadowcopy_with_script_block_logging/windows-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/detect_credential_dumping_through_lsass_access.yml b/detections/endpoint/detect_credential_dumping_through_lsass_access.yml index d93fb9b233..77f0b0e806 100644 --- a/detections/endpoint/detect_credential_dumping_through_lsass_access.yml +++ b/detections/endpoint/detect_credential_dumping_through_lsass_access.yml @@ -1,28 +1,24 @@ name: Detect Credential Dumping through LSASS access id: 2c365e57-4414-4540-8dc0-73ab10729996 -version: 3 -date: '2023-12-27' +version: 4 +date: '2024-05-28' author: Patrick Bareiss, Splunk status: production type: TTP -description: The following analytic detects the reading of lsass memory, which is - consistent with credential dumping. Reading lsass memory is a common technique used - by attackers to steal credentials from the Windows operating system. The detection - is made by monitoring the sysmon events and filtering for specific access permissions - (0x1010 and 0x1410) on the lsass.exe process helps identify potential instances - of credential dumping.The detection is important because it suggests that an attacker - is attempting to extract credentials from the lsass memory, which can lead to unauthorized - access, data breaches, and compromise of sensitive information. Credential dumping - is often a precursor to further attacks, such as lateral movement, privilege escalation, - or data exfiltration. False positives can occur due to legitimate actions that involve - accessing lsass memory. Therefore, extensive triage and investigation are necessary - to differentiate between malicious and benign activities. +description: The following analytic detects attempts to read LSASS memory, indicative + of credential dumping. It leverages Sysmon EventCode 10, filtering for specific + access permissions (0x1010 and 0x1410) on the lsass.exe process. This activity is + significant because it suggests an attacker is trying to extract credentials from + LSASS memory, potentially leading to unauthorized access, data breaches, and compromise + of sensitive information. If confirmed malicious, this could enable attackers to + escalate privileges, move laterally within the network, or exfiltrate data. Extensive + triage is necessary to differentiate between malicious and benign activities. data_source: - Sysmon EventID 10 search: '`sysmon` EventCode=10 TargetImage=*lsass.exe (GrantedAccess=0x1010 OR GrantedAccess=0x1410) | stats count min(_time) as firstTime max(_time) as lastTime by dest, SourceImage, SourceProcessId, TargetImage, TargetProcessId, EventCode, GrantedAccess | `security_content_ctime(firstTime)`| - `security_content_ctime(lastTime)` | `detect_credential_dumping_through_lsass_access_filter` ' + `security_content_ctime(lastTime)` | `detect_credential_dumping_through_lsass_access_filter`' how_to_implement: This search needs Sysmon Logs and a sysmon configuration, which includes EventCode 10 with lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations @@ -75,6 +71,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/detect_empire_with_powershell_script_block_logging.yml b/detections/endpoint/detect_empire_with_powershell_script_block_logging.yml index 7b364ec96c..51deda2276 100644 --- a/detections/endpoint/detect_empire_with_powershell_script_block_logging.yml +++ b/detections/endpoint/detect_empire_with_powershell_script_block_logging.yml @@ -1,24 +1,18 @@ name: Detect Empire with PowerShell Script Block Logging id: bc1dc6b8-c954-11eb-bade-acde48001122 -version: 2 -date: '2023-04-14' +version: 3 +date: '2024-05-11' author: Michael Haag, Splunk status: production type: TTP -description: 'The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) - to identify suspicious PowerShell execution. Script Block Logging captures the command - sent to PowerShell, the full command to be executed. Upon enabling, logs will output - to Windows event logs. Dependent upon volume, enable on critical endpoints or all. - - - This analytic identifies the common PowerShell stager used by PowerShell-Empire. - Each stager that may use PowerShell all uses the same pattern. The initial HTTP - will be base64 encoded and use `system.net.webclient`. Note that some obfuscation - may evade the analytic. - - During triage, review parallel processes using an EDR product or 4688 events. It - will be important to understand the timeline of events around this activity. Review - the entire logged PowerShell script block.' +description: 'The following analytic detects suspicious PowerShell execution indicative + of PowerShell-Empire activity. It leverages PowerShell Script Block Logging (EventCode=4104) + to capture and analyze commands sent to PowerShell, specifically looking for patterns + involving `system.net.webclient` and base64 encoding. This behavior is significant + as it often represents initial stagers used by PowerShell-Empire, a known post-exploitation + framework. If confirmed malicious, this activity could allow attackers to download + and execute additional payloads, leading to potential code execution, data exfiltration, + or further compromise of the affected system.' data_source: - Powershell Script Block Logging 4104 search: '`powershell` EventCode=4104 (ScriptBlockText=*system.net.webclient* AND @@ -76,6 +70,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/empire.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/empire.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/detect_exchange_web_shell.yml b/detections/endpoint/detect_exchange_web_shell.yml index d993e04357..da8c1f8422 100644 --- a/detections/endpoint/detect_exchange_web_shell.yml +++ b/detections/endpoint/detect_exchange_web_shell.yml @@ -1,44 +1,32 @@ name: Detect Exchange Web Shell id: 8c14eeee-2af1-4a4b-bda8-228da0f4862a -version: 5 -date: '2023-11-07' +version: 6 +date: '2024-05-21' author: Michael Haag, Shannon Davis, David Dorsey, Splunk status: production type: TTP -description: 'The following query identifies suspicious .aspx created in 3 paths identified - by Microsoft as known drop locations for Exchange exploitation related to HAFNIUM - group and recently disclosed vulnerablity named ProxyShell and ProxyNotShell. Paths - include: `\HttpProxy\owa\auth\`, `\inetpub\wwwroot\aspnet_client\`, and `\HttpProxy\OAB\`. - Upon triage, the suspicious .aspx file will likely look obvious on the surface. - inspect the contents for script code inside. Identify additional log sources, IIS - included, to review source and other potential exploitation. It is often the case - that a particular threat is only applicable to a specific subset of systems in your - environment. Typically analytics to detect those threats are written without the - benefit of being able to only target those systems as well. Writing analytics against - all systems when those behaviors are limited to identifiable subsets of those systems - is suboptimal. Consider the case ProxyShell vulnerability on Microsoft Exchange - Servers. With asset information, a hunter can limit their analytics to systems that - have been identified as Exchange servers. A hunter may start with the theory that - the exchange server is communicating with new systems that it has not previously. - If this theory is run against all publicly facing systems, the amount of noise it - will generate will likely render this theory untenable. However, using the asset - information to limit this analytic to just the Exchange servers will reduce the - noise allowing the hunter to focus only on the systems where this behavioral change - is relevant.' +description: 'The following analytic identifies the creation of suspicious .aspx files + in known drop locations for Exchange exploitation, specifically targeting paths + associated with HAFNIUM group and vulnerabilities like ProxyShell and ProxyNotShell. + It leverages data from the Endpoint datamodel, focusing on process and filesystem + events. This activity is significant as it may indicate a web shell deployment, + a common method for persistent access and remote code execution. If confirmed malicious, + attackers could gain unauthorized access, execute arbitrary commands, and potentially + escalate privileges within the Exchange environment.' data_source: - Sysmon EventID 1 - Sysmon EventID 11 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=System by _time span=1h Processes.process_id Processes.process_name - Processes.dest Processes.user | `drop_dm_object_name(Processes)` | join process_guid, _time [| - tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + Processes.dest Processes.user | `drop_dm_object_name(Processes)` | join process_guid, + _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*\\HttpProxy\\owa\\auth\\*", "*\\inetpub\\wwwroot\\aspnet_client\\*", "*\\HttpProxy\\OAB\\*") Filesystem.file_name IN( "*.aspx", "*.ashx") by _time span=1h Filesystem.user Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` | fields _time dest user file_create_time file_name file_path process_name process_path - process] | dedup file_create_time | table dest user file_create_time, file_name, file_path, - process_name | `detect_exchange_web_shell_filter`' + process] | dedup file_create_time | table dest user file_create_time, file_name, + file_path, process_name | `detect_exchange_web_shell_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` @@ -98,6 +86,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.003/windows-sysmon_proxylogon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.003/windows-sysmon_proxylogon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/detect_html_help_renamed.yml b/detections/endpoint/detect_html_help_renamed.yml index 477f276ea8..60171a55be 100644 --- a/detections/endpoint/detect_html_help_renamed.yml +++ b/detections/endpoint/detect_html_help_renamed.yml @@ -1,21 +1,18 @@ name: Detect HTML Help Renamed id: 62fed254-513b-460e-953d-79771493a9f3 -version: 4 -date: '2022-04-07' +version: 5 +date: '2024-05-16' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic identifies a renamed instance of hh.exe (HTML - Help) executing a Compiled HTML Help (CHM). This particular technique will load - Windows script code from a compiled help file. CHM files may contain nearly any - file type embedded, but only execute html/htm. Upon a successful execution, the - following script engines may be used for execution - JScript, VBScript, VBScript.Encode, - JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll - loading into hh.exe upon execution. The "htm" and "html" file extensions were the - only extensions observed to be supported for the execution of Shortcut commands - or WSH script code. During investigation, identify script content origination. Validate - it is the legitimate version of hh.exe by reviewing the PE metadata. hh.exe is natively - found in C:\Windows\system32 and C:\Windows\syswow64. +description: The following analytic detects instances where hh.exe (HTML Help) has + been renamed and is executing a Compiled HTML Help (CHM) file. This detection leverages + data from Endpoint Detection and Response (EDR) agents, focusing on process names + and original file names. This activity is significant because attackers can use + renamed hh.exe to execute malicious scripts embedded in CHM files, potentially leading + to code execution. If confirmed malicious, this technique could allow attackers + to run arbitrary scripts, escalate privileges, or persist within the environment, + posing a significant security risk. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -46,7 +43,8 @@ tags: asset_type: Endpoint confidence: 100 impact: 80 - message: The following $process_name$ has been identified as renamed, spawning from $parent_process_name$ on $dest$ executed by $user$ + message: The following $process_name$ has been identified as renamed, spawning from + $parent_process_name$ on $dest$ executed by $user$ mitre_attack_id: - T1218 - T1218.001 @@ -89,6 +87,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.001/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/detect_html_help_spawn_child_process.yml b/detections/endpoint/detect_html_help_spawn_child_process.yml index e282b1e4d2..f0f773852e 100644 --- a/detections/endpoint/detect_html_help_spawn_child_process.yml +++ b/detections/endpoint/detect_html_help_spawn_child_process.yml @@ -1,28 +1,26 @@ name: Detect HTML Help Spawn Child Process id: 723716de-ee55-4cd4-9759-c44e7e55ba4b -version: 2 -date: '2023-11-07' +version: 3 +date: '2024-05-24' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies hh.exe (HTML Help) execution of a Compiled - HTML Help (CHM) that spawns a child process. This particular technique will load - Windows script code from a compiled help file. CHM files may contain nearly any - file type embedded, but only execute html/htm. Upon a successful execution, the - following script engines may be used for execution - JScript, VBScript, VBScript.Encode, - JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll - loading into hh.exe upon execution. The "htm" and "html" file extensions were the - only extensions observed to be supported for the execution of Shortcut commands - or WSH script code. During investigation, identify script content origination. Review - child process events and investigate further. hh.exe is natively found in C:\Windows\system32 - and C:\Windows\syswow64. +description: The following analytic detects the execution of hh.exe (HTML Help) spawning + a child process, indicating the use of a Compiled HTML Help (CHM) file to execute + Windows script code. This detection leverages data from Endpoint Detection and Response + (EDR) agents, focusing on process creation events where hh.exe is the parent process. + This activity is significant as it may indicate an attempt to execute malicious + scripts via CHM files, a known technique for bypassing security controls. If confirmed + malicious, this could lead to unauthorized code execution, potentially compromising + the system. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=hh.exe - by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name - Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_html_help_spawn_child_process_filter`' + by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `detect_html_help_spawn_child_process_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -93,6 +91,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.001/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/detect_html_help_url_in_command_line.yml b/detections/endpoint/detect_html_help_url_in_command_line.yml index c4048d82f6..4c4b6b1eb6 100644 --- a/detections/endpoint/detect_html_help_url_in_command_line.yml +++ b/detections/endpoint/detect_html_help_url_in_command_line.yml @@ -1,29 +1,25 @@ name: Detect HTML Help URL in Command Line id: 8c5835b9-39d9-438b-817c-95f14c69a31e -version: 2 -date: '2021-09-16' +version: 3 +date: '2024-05-25' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies hh.exe (HTML Help) execution of a Compiled - HTML Help (CHM) file from a remote url. This particular technique will load Windows - script code from a compiled help file. CHM files may contain nearly any file type - embedded, but only execute html/htm. Upon a successful execution, the following - script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, - JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe - upon execution. The "htm" and "html" file extensions were the only extensions observed - to be supported for the execution of Shortcut commands or WSH script code. During - investigation, identify script content origination. Review reputation of remote - IP and domain. Some instances, it is worth decompiling the .chm file to review its - original contents. hh.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. +description: The following analytic detects the execution of hh.exe (HTML Help) loading + a Compiled HTML Help (CHM) file from a remote URL. This detection leverages data + from Endpoint Detection and Response (EDR) agents, focusing on command-line executions + containing URLs. This activity is significant as it can indicate an attempt to execute + malicious scripts via CHM files, potentially leading to unauthorized code execution. + If confirmed malicious, this could allow an attacker to run scripts using engines + like JScript or VBScript, leading to further system compromise or data exfiltration. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_hh` Processes.process=*http* - by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.original_file_name - Processes.process_name Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `detect_html_help_url_in_command_line_filter`' + by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process + Processes.original_file_name Processes.process_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `detect_html_help_url_in_command_line_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -94,6 +90,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.001/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/detect_html_help_using_infotech_storage_handlers.yml b/detections/endpoint/detect_html_help_using_infotech_storage_handlers.yml index 466acb1996..698a35211c 100644 --- a/detections/endpoint/detect_html_help_using_infotech_storage_handlers.yml +++ b/detections/endpoint/detect_html_help_using_infotech_storage_handlers.yml @@ -1,23 +1,18 @@ name: Detect HTML Help Using InfoTech Storage Handlers id: 0b2eefa5-5508-450d-b970-3dd2fb761aec -version: 2 -date: '2021-09-16' +version: 3 +date: '2024-05-29' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies hh.exe (HTML Help) execution of a Compiled - HTML Help (CHM) file using InfoTech Storage Handlers. This particular technique - will load Windows script code from a compiled help file, using InfoTech Storage - Handlers. itss.dll will load upon execution. Three InfoTech Storage handlers are - supported - ms-its, its, mk:@MSITStore. ITSS may be used to launch a specific html/htm - file from within a CHM file. CHM files may contain nearly any file type embedded. - Upon a successful execution, the following script engines may be used for execution - - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may - identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The "htm" - and "html" file extensions were the only extensions observed to be supported for - the execution of Shortcut commands or WSH script code. During investigation, identify - script content origination. hh.exe is natively found in C:\Windows\system32 and - C:\Windows\syswow64. +description: The following analytic detects the execution of hh.exe (HTML Help) using + InfoTech Storage Handlers to load Windows script code from a Compiled HTML Help + (CHM) file. This detection leverages data from Endpoint Detection and Response (EDR) + agents, focusing on process names and command-line executions. This activity is + significant because it can be used to execute malicious scripts embedded within + CHM files, potentially leading to code execution. If confirmed malicious, this technique + could allow an attacker to execute arbitrary code, escalate privileges, or persist + within the environment. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -91,6 +86,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.001/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/detect_mimikatz_with_powershell_script_block_logging.yml b/detections/endpoint/detect_mimikatz_with_powershell_script_block_logging.yml index 4ad517f7e1..5e546a2561 100644 --- a/detections/endpoint/detect_mimikatz_with_powershell_script_block_logging.yml +++ b/detections/endpoint/detect_mimikatz_with_powershell_script_block_logging.yml @@ -1,23 +1,18 @@ name: Detect Mimikatz With PowerShell Script Block Logging id: 8148c29c-c952-11eb-9255-acde48001122 -version: 2 -date: '2023-12-27' +version: 3 +date: '2024-05-26' author: Michael Haag, Splunk status: production type: TTP -description: 'The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) - to identify suspicious PowerShell execution. Script Block Logging captures the command - sent to PowerShell, the full command to be executed. Upon enabling, logs will output - to Windows event logs. Dependent upon volume, enable no critical endpoints or all. - - - This analytic identifies common Mimikatz functions that may be identified in the - script block, including `mimikatz`. This will catch the most basic use cases for - Pass the Ticket, Pass the Hash and `-DumprCreds`. - - During triage, review parallel processes using an EDR product or 4688 events. It - will be important to understand the timeline of events around this activity. Review - the entire logged PowerShell script block.' +description: 'The following analytic detects the execution of Mimikatz commands via + PowerShell by leveraging PowerShell Script Block Logging (EventCode=4104). This + method captures and logs the full command sent to PowerShell, allowing for the identification + of suspicious activities such as Pass the Ticket, Pass the Hash, and credential + dumping. This activity is significant as Mimikatz is a well-known tool used for + credential theft and lateral movement. If confirmed malicious, this could lead to + unauthorized access, privilege escalation, and potential compromise of sensitive + information within the environment.' data_source: - Powershell Script Block Logging 4104 search: '`powershell` EventCode=4104 ScriptBlockText IN (*mimikatz*, *-dumpcr*, *sekurlsa::pth*, @@ -77,6 +72,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/credaccess-powershell.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/credaccess-powershell.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/detect_mshta_inline_hta_execution.yml b/detections/endpoint/detect_mshta_inline_hta_execution.yml index 6bc5622ccb..af7f3f9e8b 100644 --- a/detections/endpoint/detect_mshta_inline_hta_execution.yml +++ b/detections/endpoint/detect_mshta_inline_hta_execution.yml @@ -1,15 +1,18 @@ name: Detect mshta inline hta execution id: a0873b32-5b68-11eb-ae93-0242ac130002 -version: 6 -date: '2021-09-16' +version: 7 +date: '2024-05-21' author: Bhavin Patel, Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies "mshta.exe" execution with inline protocol - handlers. "JavaScript", "VBScript", and "About" are the only supported options when - invoking HTA content directly on the command-line. The search will return the first - time and last time these command-line arguments were used for these executions, - as well as the target system, the user, process "mshta.exe" and its parent process. +description: The following analytic detects the execution of "mshta.exe" with inline + protocol handlers such as "JavaScript", "VBScript", and "About". It leverages data + from Endpoint Detection and Response (EDR) agents, focusing on command-line arguments + and process details. This activity is significant because mshta.exe can be exploited + to execute malicious scripts, potentially leading to unauthorized code execution. + If confirmed malicious, this could allow an attacker to execute arbitrary code, + escalate privileges, or establish persistence within the environment, posing a severe + security risk. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count values(Processes.process) @@ -86,6 +89,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/detect_mshta_renamed.yml b/detections/endpoint/detect_mshta_renamed.yml index 5ea00ace24..b158d5c8be 100644 --- a/detections/endpoint/detect_mshta_renamed.yml +++ b/detections/endpoint/detect_mshta_renamed.yml @@ -1,15 +1,17 @@ name: Detect mshta renamed id: 8f45fcf0-5b68-11eb-ae93-0242ac130002 -version: 3 -date: '2022-04-07' +version: 4 +date: '2024-05-17' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic identifies renamed instances of mshta.exe executing. - Mshta.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. This - analytic utilizes the internal name of the PE to identify if is the legitimate mshta - binary. Further analysis should be performed to review the executed content and - validation it is the real mshta. +description: The following analytic identifies instances where mshta.exe has been + renamed and executed. It leverages Endpoint Detection and Response (EDR) data, specifically + focusing on the original file name field to detect discrepancies. This activity + is significant because renaming mshta.exe is a common tactic used by attackers to + evade detection and execute malicious scripts. If confirmed malicious, this could + allow an attacker to execute arbitrary code, potentially leading to system compromise, + data exfiltration, or further lateral movement within the network. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -39,7 +41,8 @@ tags: asset_type: Endpoint confidence: 100 impact: 80 - message: The following $process_name$ has been identified as renamed, spawning from $parent_process_name$ on $dest$ executed by user $user$ + message: The following $process_name$ has been identified as renamed, spawning from + $parent_process_name$ on $dest$ executed by user $user$ mitre_attack_id: - T1218 - T1218.005 @@ -82,6 +85,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/detect_mshta_url_in_command_line.yml b/detections/endpoint/detect_mshta_url_in_command_line.yml index d1ed710267..185cb9a885 100644 --- a/detections/endpoint/detect_mshta_url_in_command_line.yml +++ b/detections/endpoint/detect_mshta_url_in_command_line.yml @@ -1,17 +1,17 @@ name: Detect MSHTA Url in Command Line id: 9b3af1e6-5b68-11eb-ae93-0242ac130002 -version: 2 -date: '2021-09-16' +version: 3 +date: '2024-05-26' author: Michael Haag, Splunk status: production type: TTP -description: This analytic identifies when Microsoft HTML Application Host (mshta.exe) - utility is used to make remote http connections. Adversaries may use mshta.exe to - proxy the download and execution of remote .hta files. The analytic identifies command - line arguments of http and https being used. This technique is commonly used by - malicious software to bypass preventative controls. The search will return the first - time and last time these command-line arguments were used for these executions, - as well as the target system, the user, process "rundll32.exe" and its parent process. +description: The following analytic detects the use of Microsoft HTML Application + Host (mshta.exe) to make remote HTTP or HTTPS connections. It leverages data from + Endpoint Detection and Response (EDR) agents, focusing on command-line arguments + containing URLs. This activity is significant because adversaries often use mshta.exe + to download and execute remote .hta files, bypassing security controls. If confirmed + malicious, this behavior could allow attackers to execute arbitrary code, potentially + leading to system compromise, data exfiltration, or further network infiltration. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count values(Processes.process) @@ -87,6 +87,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/detect_new_local_admin_account.yml b/detections/endpoint/detect_new_local_admin_account.yml index 89ebf1b519..f85f0831f8 100644 --- a/detections/endpoint/detect_new_local_admin_account.yml +++ b/detections/endpoint/detect_new_local_admin_account.yml @@ -1,20 +1,18 @@ name: Detect New Local Admin account id: b25f6f62-0712-43c1-b203-083231ffd97d -version: 3 -date: '2024-02-14' +version: 4 +date: '2024-05-15' author: David Dorsey, Splunk status: production type: TTP description: |- - The following analytic detects the creation of new accounts that have been elevated to local administrators so that you can take immediate action to mitigate the risks and prevent further unauthorized access or malicious activities. This detection is made by using the Splunk query `wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Administrators) to search for relevant security events in the Windows event log. When a new account is created or an existing account is added to the Administrators group, this analytic identifies this behavior by looking for EventCode 4720 (A user account was created) or EventCode 4732 (A member was added to a security-enabled global group). This analytic specifically focuses on events where the Group_Name is set to Administrators. This detection is important because it suggests that an attacker has gained elevated privileges and can perform malicious actions with administrative access. This can lead to significant impact, such as unauthorized access to sensitive data, unauthorized modifications to systems or configurations, and potential disruption of critical services. identifying this behavior is crucial for a Security Operations Center (SOC). Next steps include reviewing the details of the security event, including the user account that was created or added to the Administrators group. Also, examine the time span between the first and last occurrence of the event to determine if the behavior is ongoing. Additionally, consider any contextual information, such as the destination where the account was created or added to understand the scope and potential impact of the attack. + The following analytic detects the creation of new accounts elevated to local administrators. It uses Windows event logs, specifically EventCode 4720 (user account creation) and EventCode 4732 (user added to Administrators group). This activity is significant as it indicates potential unauthorized privilege escalation, which is critical for SOC monitoring. If confirmed malicious, this could allow attackers to gain administrative access, leading to unauthorized data access, system modifications, and disruption of services. Immediate investigation is required to mitigate risks and prevent further unauthorized actions. data_source: - Windows Event Log Security 4732 - Windows Event Log Security 4720 -search: '`wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Administrators) - | transaction src_user connected=false maxspan=180m - | rename src_user as user - | stats count min(_time) as firstTime max(_time) as lastTime by user dest - | `security_content_ctime(firstTime)` +search: '`wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Administrators) + | transaction src_user connected=false maxspan=180m | rename src_user as user | + stats count min(_time) as firstTime max(_time) as lastTime by user dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_new_local_admin_account_filter`' how_to_implement: You must be ingesting Windows event logs using the Splunk Windows TA and collecting event code 4720 and 4732 @@ -61,12 +59,15 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-security.log source: WinEventLog:Security sourcetype: WinEventLog - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-system.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-system.log source: WinEventLog:System sourcetype: WinEventLog - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/detect_outlook_exe_writing_a_zip_file.yml b/detections/endpoint/detect_outlook_exe_writing_a_zip_file.yml index 426953581a..dc47120c0d 100644 --- a/detections/endpoint/detect_outlook_exe_writing_a_zip_file.yml +++ b/detections/endpoint/detect_outlook_exe_writing_a_zip_file.yml @@ -29,7 +29,7 @@ search: '| tstats `security_content_summariesonly` min(_time) as firstTime max( | `security_content_ctime(lastTime)` | rename process_id as malicious_id| fields malicious_id outlook_id dest file_path file_name file_hash count file_id] | table firstTime lastTime user malicious_id outlook_id process_name parent_process_name - file_name file_path | where file_name != "" | `detect_outlook_exe_writing_a_zip_file_filter` ' + file_name file_path | where file_name != "" | `detect_outlook_exe_writing_a_zip_file_filter`' how_to_implement: You must be ingesting data that records filesystem and process activity from your hosts to populate the Endpoint data model. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or endpoint data diff --git a/detections/endpoint/detect_psexec_with_accepteula_flag.yml b/detections/endpoint/detect_psexec_with_accepteula_flag.yml index b7a2d0b946..3eeaf9e622 100644 --- a/detections/endpoint/detect_psexec_with_accepteula_flag.yml +++ b/detections/endpoint/detect_psexec_with_accepteula_flag.yml @@ -1,18 +1,18 @@ name: Detect PsExec With accepteula Flag id: 27c3a83d-cada-47c6-9042-67baf19d2574 -version: 4 -date: '2021-09-16' +version: 5 +date: '2024-05-23' author: Bhavin Patel, Splunk status: production type: TTP -description: This search looks for events where `PsExec.exe` is run with the `accepteula` - flag in the command line. PsExec is a built-in Windows utility that enables you - to execute processes on other systems. It is fully interactive for console applications. - This tool is widely used for launching interactive command prompts on remote systems. - Threat actors leverage this extensively for executing code on compromised systems. - If an attacker is running PsExec for the first time, they will be prompted to accept - the end-user license agreement (EULA), which can be passed as the argument `accepteula` - within the command line. +description: The following analytic identifies the execution of `PsExec.exe` with + the `accepteula` flag in the command line. It leverages data from Endpoint Detection + and Response (EDR) agents, focusing on process execution logs and command-line arguments. + This activity is significant because PsExec is commonly used by threat actors to + execute code on remote systems, and the `accepteula` flag indicates first-time usage, + which could signify initial compromise. If confirmed malicious, this activity could + allow attackers to gain remote code execution capabilities, potentially leading + to further system compromise and lateral movement within the network. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` values(Processes.process) as process @@ -97,6 +97,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.002/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.002/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/detect_rare_executables.yml b/detections/endpoint/detect_rare_executables.yml index af55c38e2b..ea623d3505 100644 --- a/detections/endpoint/detect_rare_executables.yml +++ b/detections/endpoint/detect_rare_executables.yml @@ -1,23 +1,24 @@ name: Detect Rare Executables id: 44fddcb2-8d3b-454c-874e-7c6de5a4f7ac -version: 4 -date: '2024-03-12' +version: 5 +date: '2024-05-21' author: Bhavin Patel, Splunk status: production type: Anomaly -description: The following analytic detects the occurrence of rare processes that appear only once across the network within a specified timeframe. - It operates by compiling a list of process executions. This detection is crucial for a Security Operations Center (SOC) as it helps in identifying - potentially malicious activities or unauthorized software that could indicate a security breach or an ongoing attack. Identifying such rare processes - allows for early detection of threats, minimizing the potential impact of an attack which could range from data theft to complete system compromise. +description: The following analytic detects the execution of rare processes that appear + only once across the network within a specified timeframe. It leverages data from + Endpoint Detection and Response (EDR) agents, focusing on process execution logs. + This activity is significant for a SOC as it helps identify potentially malicious + activities or unauthorized software, which could indicate a security breach or ongoing + attack. If confirmed malicious, such rare processes could lead to data theft, privilege + escalation, or complete system compromise, making early detection crucial for minimizing + impact. data_source: - Sysmon EventID 1 -search: '| tstats `security_content_summariesonly` dc(Processes.dest) as dc_dest values(Processes.dest) as - dest values(Processes.user) as user min(_time) as firstTime max(_time) as lastTime - from datamodel=Endpoint.Processes by Processes.process_name - | `drop_dm_object_name(Processes)` - | search dc_dest < 10 - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +search: '| tstats `security_content_summariesonly` dc(Processes.dest) as dc_dest values(Processes.dest) + as dest values(Processes.user) as user min(_time) as firstTime max(_time) as lastTime + from datamodel=Endpoint.Processes by Processes.process_name | `drop_dm_object_name(Processes)` + | search dc_dest < 10 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rare_executables_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related @@ -29,7 +30,7 @@ how_to_implement: The detection is based on data that originates from Endpoint D data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: Some legitimate processes may be only rarely executed in your - environment. + environment. references: [] tags: analytic_story: @@ -38,7 +39,8 @@ tags: asset_type: Endpoint confidence: 50 impact: 50 - message: A rare process - [$process_name$] has been detected on less than 10 hosts in your environment. + message: A rare process - [$process_name$] has been detected on less than 10 hosts + in your environment. mitre_attack_id: - T1204 observable: @@ -60,6 +62,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/rare_executables/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/rare_executables/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/detect_rclone_command_line_usage.yml b/detections/endpoint/detect_rclone_command_line_usage.yml index 592da7417e..29882711c6 100644 --- a/detections/endpoint/detect_rclone_command_line_usage.yml +++ b/detections/endpoint/detect_rclone_command_line_usage.yml @@ -1,26 +1,28 @@ name: Detect RClone Command-Line Usage id: 32e0baea-b3f1-11eb-a2ce-acde48001122 -version: 2 -date: '2021-11-29' +version: 3 +date: '2024-05-26' author: Michael Haag, Splunk status: production type: TTP -description: This analytic identifies commonly used command-line arguments used by - `rclone.exe` to initiate a file transfer. Some arguments were negated as they are - specific to the configuration used by adversaries. In particular, an adversary may - list the files or directories of the remote file share using `ls` or `lsd`, which - is not indicative of malicious behavior. During triage, at this stage of a ransomware - event, exfiltration is about to occur or has already. Isolate the endpoint and continue - investigating by review file modifications and parallel processes. +description: The following analytic detects the usage of `rclone.exe` with specific + command-line arguments indicative of file transfer activities. It leverages data + from Endpoint Detection and Response (EDR) agents, focusing on command-line executions + and process details. This activity is significant as `rclone.exe` is often used + by adversaries for data exfiltration, especially during ransomware attacks. If confirmed + malicious, this behavior could lead to unauthorized data transfer, resulting in + data breaches and potential loss of sensitive information. Immediate isolation of + the affected endpoint and further investigation are recommended. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rclone` Processes.process IN ("*copy*", "*mega*", "*pcloud*", "*ftp*", "*--config*", "*--progress*", "*--no-check-certificate*", "*--ignore-existing*", "*--auto-confirm*", "*--transfers*", "*--multi-thread-streams*") by - Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process - Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rclone_command_line_usage_filter`' + Processes.dest Processes.user Processes.parent_process Processes.parent_process_name + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `detect_rclone_command_line_usage_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -85,6 +87,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1020/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1020/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/detect_regasm_spawning_a_process.yml b/detections/endpoint/detect_regasm_spawning_a_process.yml index 824ac81bc9..1bdfb85536 100644 --- a/detections/endpoint/detect_regasm_spawning_a_process.yml +++ b/detections/endpoint/detect_regasm_spawning_a_process.yml @@ -1,24 +1,26 @@ name: Detect Regasm Spawning a Process id: 72170ec5-f7d2-42f5-aefb-2b8be6aad15f -version: 3 -date: '2024-04-29' +version: 4 +date: '2024-05-26' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies regasm.exe spawning a process. This - particular technique has been used in the wild to bypass application control products. - Regasm.exe and Regsvcs.exe are signed by Microsoft. Spawning of a child process - is rare from either process and should be investigated further. During investigation, - identify and retrieve the content being loaded. Review parallel processes for additional - suspicious behavior. Gather any other file modifications and review accordingly. - regsvcs.exe and regasm.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe - and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe. +description: The following analytic detects regasm.exe spawning a child process. This + behavior is identified using data from Endpoint Detection and Response (EDR) agents, + focusing on process creation events where regasm.exe is the parent process. This + activity is significant because regasm.exe spawning a process is rare and can indicate + an attempt to bypass application control mechanisms. If confirmed malicious, this + could allow an attacker to execute arbitrary code, potentially leading to privilege + escalation or persistent access within the environment. Immediate investigation + is recommended to determine the legitimacy of the spawned process and any associated + activities. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=regasm.exe NOT (Processes.process_name IN ("conhost.exe")) - by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name - Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=regasm.exe + NOT (Processes.process_name IN ("conhost.exe")) by Processes.dest Processes.user + Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process + Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regasm_spawning_a_process_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related @@ -87,6 +89,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.009/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.009/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/detect_regasm_with_network_connection.yml b/detections/endpoint/detect_regasm_with_network_connection.yml index cbf3fd3a9b..75b4df73f2 100644 --- a/detections/endpoint/detect_regasm_with_network_connection.yml +++ b/detections/endpoint/detect_regasm_with_network_connection.yml @@ -1,25 +1,22 @@ name: Detect Regasm with Network Connection id: 07921114-6db4-4e2e-ae58-3ea8a52ae93f -version: 3 -date: '2024-01-30' +version: 4 +date: '2024-05-24' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies regasm.exe with a network connection - to a public IP address, exluding private IP space. This particular technique has - been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe - are signed by Microsoft. By contacting a remote Command And Control server, the - adversary will have the ability to escalate privileges and complete the objectives. - During investigation, identify and retrieve the content being loaded. Review parallel - processes for additional suspicious behavior. Gather any other file modifications - and review accordingly. Review the reputation of the remote IP or domain and block - as needed. regsvcs.exe and regasm.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe - and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe. +description: The following analytic detects the execution of regasm.exe establishing + a network connection to a public IP address, excluding private IP ranges. This detection + leverages Sysmon EventID 3 logs to identify such behavior. This activity is significant + as regasm.exe is a legitimate Microsoft-signed binary that can be exploited to bypass + application control mechanisms. If confirmed malicious, this behavior could indicate + an adversary's attempt to establish a remote Command and Control (C2) channel, potentially + leading to privilege escalation and further malicious actions within the environment. data_source: - Sysmon EventID 3 search: '`sysmon` EventID=3 dest_ip!=10.0.0.0/8 dest_ip!=172.16.0.0/12 dest_ip!=192.168.0.0/16 - process_name=regasm.exe | stats count min(_time) as firstTime - max(_time) as lastTime by dest, user, process_name, src_ip, dest_ip | `security_content_ctime(firstTime)` + process_name=regasm.exe | stats count min(_time) as firstTime max(_time) as lastTime + by dest, user, process_name, src_ip, dest_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regasm_with_network_connection_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your @@ -76,6 +73,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.009/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.009/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/detect_regasm_with_no_command_line_arguments.yml b/detections/endpoint/detect_regasm_with_no_command_line_arguments.yml index 45f826c853..7efb79d1c9 100644 --- a/detections/endpoint/detect_regasm_with_no_command_line_arguments.yml +++ b/detections/endpoint/detect_regasm_with_no_command_line_arguments.yml @@ -1,19 +1,25 @@ name: Detect Regasm with no Command Line Arguments id: c3bc1430-04e7-4178-835f-047d8e6e97df -version: 3 -date: '2022-03-15' +version: 4 +date: '2024-05-26' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies regasm.exe with no command line arguments. - This particular behavior occurs when another process injects into regasm.exe, no - command line arguments will be present. During investigation, identify any network - connections and parallel processes. Identify any suspicious module loads related - to credential dumping or file writes. Regasm.exe are natively found in `C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe` - and `C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe`. +description: The following analytic detects instances of regasm.exe running without + command line arguments. This behavior typically indicates process injection, where + another process manipulates regasm.exe. The detection leverages Endpoint Detection + and Response (EDR) data, focusing on process names and command-line executions. + This activity is significant as it may signal an attempt to evade detection or execute + malicious code. If confirmed malicious, attackers could achieve code execution, + potentially leading to privilege escalation, persistence, or access to sensitive + information. Investigate network connections, parallel processes, and suspicious + module loads for further context. data_source: - Sysmon EventID 1 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_regasm` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` +search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes + where `process_regasm` by _time span=1h Processes.process_id Processes.process_name + Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process="(?i)(regasm\.exe.{0,4}$)" | `detect_regasm_with_no_command_line_arguments_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related @@ -82,6 +88,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.009/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.009/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/detect_regsvcs_spawning_a_process.yml b/detections/endpoint/detect_regsvcs_spawning_a_process.yml index adec8b27e8..91fb7c7e28 100644 --- a/detections/endpoint/detect_regsvcs_spawning_a_process.yml +++ b/detections/endpoint/detect_regsvcs_spawning_a_process.yml @@ -1,25 +1,27 @@ name: Detect Regsvcs Spawning a Process id: bc477b57-5c21-4ab6-9c33-668772e7f114 -version: 2 -date: '2023-11-07' +version: 3 +date: '2024-05-24' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies regsvcs.exe spawning a process. This - particular technique has been used in the wild to bypass application control products. - Regasm.exe and Regsvcs.exe are signed by Microsoft. Spawning of a child process - is rare from either process and should be investigated further. During investigation, - identify and retrieve the content being loaded. Review parallel processes for additional - suspicious behavior. Gather any other file modifications and review accordingly. - regsvcs.exe and regasm.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe - and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe. +description: The following analytic identifies regsvcs.exe spawning a child process. + This behavior is detected using Endpoint Detection and Response (EDR) telemetry, + focusing on process creation events where the parent process is regsvcs.exe. This + activity is significant because regsvcs.exe rarely spawns child processes, and such + behavior can indicate an attempt to bypass application control mechanisms. If confirmed + malicious, this could allow an attacker to execute arbitrary code, potentially leading + to privilege escalation or persistent access within the environment. Immediate investigation + is recommended to determine the legitimacy of the spawned process and any associated + suspicious activities. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=regsvcs.exe - by Processes.parent_process_name Processes.dest Processes.user Processes.parent_process Processes.process_name - Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regsvcs_spawning_a_process_filter`' + by Processes.parent_process_name Processes.dest Processes.user Processes.parent_process + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `detect_regsvcs_spawning_a_process_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -84,6 +86,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.009/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.009/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/detect_regsvcs_with_network_connection.yml b/detections/endpoint/detect_regsvcs_with_network_connection.yml index df490c9832..10b6cd44f8 100644 --- a/detections/endpoint/detect_regsvcs_with_network_connection.yml +++ b/detections/endpoint/detect_regsvcs_with_network_connection.yml @@ -1,25 +1,23 @@ name: Detect Regsvcs with Network Connection id: e3e7a1c0-f2b9-445c-8493-f30a63522d1a -version: 3 -date: '2024-01-30' +version: 4 +date: '2024-05-19' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies Regsvcs.exe with a network connection - to a public IP address, exluding private IP space. This particular technique has - been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe - are signed by Microsoft. By contacting a remote Command And Control server, the - adversary will have the ability to escalate privileges and complete the objectives. - During investigation, identify and retrieve the content being loaded. Review parallel - processes for additional suspicious behavior. Gather any other file modifications - and review accordingly. Review the reputation of the remote IP or domain and block - as needed. regsvcs.exe and regasm.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe - and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe. +description: The following analytic identifies instances of Regsvcs.exe establishing + a network connection to a public IP address, excluding private IP ranges. This detection + leverages Sysmon Event ID 3 logs to monitor network connections initiated by Regsvcs.exe. + This activity is significant as Regsvcs.exe, a legitimate Microsoft-signed binary, + can be exploited to bypass application control mechanisms and establish remote Command + and Control (C2) channels. If confirmed malicious, this behavior could allow an + attacker to escalate privileges, persist in the environment, and exfiltrate sensitive + data. Immediate investigation and remediation are recommended. data_source: - Sysmon EventID 3 search: '`sysmon` EventID=3 dest_ip!=10.0.0.0/8 dest_ip!=172.16.0.0/12 dest_ip!=192.168.0.0/16 - process_name=regsvcs.exe | stats count min(_time) as firstTime - max(_time) as lastTime by dest, user, process_name, src_ip, dest_ip | `security_content_ctime(firstTime)` + process_name=regsvcs.exe | stats count min(_time) as firstTime max(_time) as lastTime + by dest, user, process_name, src_ip, dest_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regsvcs_with_network_connection_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your @@ -75,6 +73,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.009/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.009/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/detect_regsvcs_with_no_command_line_arguments.yml b/detections/endpoint/detect_regsvcs_with_no_command_line_arguments.yml index ea6938dd77..47800ef07f 100644 --- a/detections/endpoint/detect_regsvcs_with_no_command_line_arguments.yml +++ b/detections/endpoint/detect_regsvcs_with_no_command_line_arguments.yml @@ -1,16 +1,18 @@ name: Detect Regsvcs with No Command Line Arguments id: 6b74d578-a02e-4e94-a0d1-39440d0bf254 -version: 3 -date: '2022-03-15' +version: 4 +date: '2024-05-19' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies regsvcs.exe with no command line arguments. - This particular behavior occurs when another process injects into regsvcs.exe, no - command line arguments will be present. During investigation, identify any network - connections and parallel processes. Identify any suspicious module loads related - to credential dumping or file writes. Regasm.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe - and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe. +description: The following analytic detects instances of regsvcs.exe running without + command line arguments. This behavior typically indicates process injection, where + another process manipulates regsvcs.exe. The detection leverages data from Endpoint + Detection and Response (EDR) agents, focusing on process names, IDs, and command-line + executions. This activity is significant as it may signal an attempt to evade detection + and execute malicious code. If confirmed malicious, the attacker could achieve code + execution, potentially leading to privilege escalation, persistence, or access to + sensitive information. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes @@ -85,6 +87,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.009/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.009/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/detect_regsvr32_application_control_bypass.yml b/detections/endpoint/detect_regsvr32_application_control_bypass.yml index b4218e5f53..a93cf963e5 100644 --- a/detections/endpoint/detect_regsvr32_application_control_bypass.yml +++ b/detections/endpoint/detect_regsvr32_application_control_bypass.yml @@ -1,28 +1,26 @@ name: Detect Regsvr32 Application Control Bypass id: 070e9b80-6252-11eb-ae93-0242ac130002 -version: 2 -date: '2023-07-10' +version: 3 +date: '2024-05-22' author: Michael Haag, Splunk status: production type: TTP -description: 'Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. - Regsvr32.exe is a command-line program used to register and unregister object linking - and embedding controls, including dynamic link libraries (DLLs), on Windows systems. - Regsvr32.exe is also a Microsoft signed binary.This variation of the technique is - often referred to as a "Squiblydoo" attack. - - Upon investigating, look for network connections to remote destinations (internal - or external). Be cautious to modify the query to look for "scrobj.dll", the ".dll" - is not required to load scrobj. "scrobj.dll" will be loaded by "regsvr32.exe" upon - execution. ' +description: 'The following analytic identifies the abuse of Regsvr32.exe to proxy + execution of malicious code, specifically detecting the loading of "scrobj.dll" + by Regsvr32.exe. This detection leverages data from Endpoint Detection and Response + (EDR) agents, focusing on process creation events and command-line executions. This + activity is significant because Regsvr32.exe is a trusted, signed Microsoft binary, + often used in "Squiblydoo" attacks to bypass application control mechanisms. If + confirmed malicious, this technique could allow an attacker to execute arbitrary + code, potentially leading to system compromise and persistent access.' data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_regsvr32` Processes.process=*scrobj* - by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name - Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` - | `detect_regsvr32_application_control_bypass_filter`' + by Processes.dest Processes.user Processes.parent_process Processes.process_name + Processes.parent_process_name Processes.process Processes.original_file_name Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| + `security_content_ctime(lastTime)` | `detect_regsvr32_application_control_bypass_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -94,6 +92,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.010/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.010/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/detect_remote_access_software_usage_file.yml b/detections/endpoint/detect_remote_access_software_usage_file.yml index 77b504036c..bed6c42094 100644 --- a/detections/endpoint/detect_remote_access_software_usage_file.yml +++ b/detections/endpoint/detect_remote_access_software_usage_file.yml @@ -1,22 +1,36 @@ name: Detect Remote Access Software Usage File id: 3bf5541a-6a45-4fdc-b01d-59b899fff961 -version: 1 -date: '2024-02-22' +version: 2 +date: '2024-05-13' author: Steven Dick status: production type: Anomaly -description: The following analytic detects when a file from a known remote access software is written to disk within the environment. Adversaries use these utilities to retain remote access capabilities to the environment. Utilities in the lookup include AnyDesk, GoToMyPC, LogMeIn, TeamViewer and much more. Review the lookup for the entire list and add any others. +description: The following analytic detects the writing of files from known remote + access software to disk within the environment. It leverages data from Endpoint + Detection and Response (EDR) agents, focusing on file path, file name, and user + information. This activity is significant as adversaries often use remote access + tools like AnyDesk, GoToMyPC, LogMeIn, and TeamViewer to maintain unauthorized access. + If confirmed malicious, this could allow attackers to persist in the environment, + potentially leading to data exfiltration, further compromise, or complete control + over affected systems. data_source: - Sysmon EventID 11 -search: '| tstats `security_content_summariesonly` count, min(_time) as firstTime, max(_time) as lastTime, values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.dest, Filesystem.user, Filesystem.file_name - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `drop_dm_object_name(Filesystem)` - | lookup remote_access_software remote_utility AS file_name OUTPUT isutility, description as signature, comment_reference as desc, category - | search isutility = TRUE - | `detect_remote_access_software_usage_file_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the file path, file name, and the user that created the file. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Filesystem` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Known or approved applications used by the organization or usage of built-in functions. +search: '| tstats `security_content_summariesonly` count, min(_time) as firstTime, + max(_time) as lastTime, values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem + by Filesystem.dest, Filesystem.user, Filesystem.file_name | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `drop_dm_object_name(Filesystem)` | lookup + remote_access_software remote_utility AS file_name OUTPUT isutility, description + as signature, comment_reference as desc, category | search isutility = TRUE | `detect_remote_access_software_usage_file_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the file path, file name, and the user that created + the file. These logs must be processed using the appropriate Splunk Technology Add-ons + that are specific to the EDR product. The logs must also be mapped to the `Filesystem` + node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) + to normalize the field names and speed up the data modeling process. +known_false_positives: Known or approved applications used by the organization or + usage of built-in functions. references: - https://attack.mitre.org/techniques/T1219/ - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/ @@ -29,7 +43,8 @@ tags: asset_type: Endpoint confidence: 50 impact: 50 - message: A file for known a remote access software [$file_name$] was created on $dest$ by $user$. + message: A file for known a remote access software [$file_name$] was created on + $dest$ by $user$. mitre_attack_id: - T1219 observable: @@ -51,7 +66,7 @@ tags: - Splunk Cloud required_fields: - _time - - Filesystem.dest + - Filesystem.dest - Filesystem.user - Filesystem.file_name risk_score: 25 @@ -59,6 +74,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1219/screenconnect/screenconnect_sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1219/screenconnect/screenconnect_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: XmlWinEventLog \ No newline at end of file + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/detect_remote_access_software_usage_fileinfo.yml b/detections/endpoint/detect_remote_access_software_usage_fileinfo.yml index cb26b7140a..6bda13e076 100644 --- a/detections/endpoint/detect_remote_access_software_usage_fileinfo.yml +++ b/detections/endpoint/detect_remote_access_software_usage_fileinfo.yml @@ -1,20 +1,29 @@ name: Detect Remote Access Software Usage FileInfo id: ccad96d7-a48c-4f13-8b9c-9f6a31cba454 -version: 1 -date: '2024-02-22' +version: 2 +date: '2024-05-29' author: Steven Dick status: production type: Anomaly -description: The following analytic detects when process with file or code signing attributes from a known remote access software is executed with the environment. Adversaries use these utilities to retain remote access capabilities to the environment. Utilities in the lookup include AnyDesk, GoToMyPC, LogMeIn, TeamViewer and much more. Review the lookup for the entire list and add any others. +description: The following analytic detects the execution of processes with file or + code signing attributes from known remote access software within the environment. + It leverages Sysmon EventCode 1 data and cross-references a lookup table of remote + access utilities such as AnyDesk, GoToMyPC, LogMeIn, and TeamViewer. This activity + is significant as adversaries often use these tools to maintain unauthorized remote + access. If confirmed malicious, this could allow attackers to persist in the environment, + potentially leading to data exfiltration or further compromise of the network. data_source: - Sysmon EventID 1 -search: '`sysmon` EventCode=1 - | stats count min(_time) as firstTime max(_time) as lastTime, values(Company) as Company values(Product) as Product by dest, user, parent_process_name, process_name, process - | lookup remote_access_software remote_utility_fileinfo AS Product OUTPUT isutility, description as signature, comment_reference as desc, category - | search isutility = True - | `detect_remote_access_software_usage_fileinfo_filter`' -how_to_implement: This analytic relies on Sysmon to be properly installed and utilized in the environment. Ensure that proper logging is setup for Sysmon and data is being ingested into Splunk. -known_false_positives: Known or approved applications used by the organization or usage of built-in functions. +search: '`sysmon` EventCode=1 | stats count min(_time) as firstTime max(_time) as + lastTime, values(Company) as Company values(Product) as Product by dest, user, parent_process_name, + process_name, process | lookup remote_access_software remote_utility_fileinfo AS + Product OUTPUT isutility, description as signature, comment_reference as desc, category + | search isutility = True | `detect_remote_access_software_usage_fileinfo_filter`' +how_to_implement: This analytic relies on Sysmon to be properly installed and utilized + in the environment. Ensure that proper logging is setup for Sysmon and data is being + ingested into Splunk. +known_false_positives: Known or approved applications used by the organization or + usage of built-in functions. references: - https://attack.mitre.org/techniques/T1219/ - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/ @@ -27,7 +36,8 @@ tags: asset_type: Endpoint confidence: 50 impact: 50 - message: A file attributes for known a remote access software [$process_name$] was detected on $dest$ + message: A file attributes for known a remote access software [$process_name$] was + detected on $dest$ mitre_attack_id: - T1219 observable: @@ -52,12 +62,13 @@ tags: - user - parent_process_name - process_name - - process + - process risk_score: 25 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1219/screenconnect/screenconnect_sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1219/screenconnect/screenconnect_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: XmlWinEventLog \ No newline at end of file + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/detect_remote_access_software_usage_process.yml b/detections/endpoint/detect_remote_access_software_usage_process.yml index aaf62a6fdd..af552ade69 100644 --- a/detections/endpoint/detect_remote_access_software_usage_process.yml +++ b/detections/endpoint/detect_remote_access_software_usage_process.yml @@ -1,20 +1,27 @@ name: Detect Remote Access Software Usage Process id: ffd5e001-2e34-48f4-97a2-26dc4bb08178 -version: 1 -date: '2024-02-22' +version: 2 +date: '2024-05-23' author: Steven Dick status: production type: Anomaly -description: The following analytic detects when a known remote access software is executed within the environment. Adversaries use these utilities to retain remote access capabilities to the environment. Utilities in the lookup include AnyDesk, GoToMyPC, LogMeIn, TeamViewer and much more. Review the lookup for the entire list and add any others. +description: The following analytic detects the execution of known remote access software + within the environment. It leverages data from Endpoint Detection and Response (EDR) + agents, focusing on process names and parent processes mapped to the Endpoint data + model. This activity is significant as adversaries often use remote access tools + like AnyDesk, GoToMyPC, LogMeIn, and TeamViewer to maintain unauthorized access. + If confirmed malicious, this could allow attackers to control systems remotely, + exfiltrate data, or deploy additional malware, posing a severe threat to the organization's + security. data_source: - Sysmon EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.parent_process) as parent_process from datamodel=Endpoint.Processes where Processes.dest!=unknown Processes.process!=unknown by Processes.dest Processes.user Processes.process_name Processes.process - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `drop_dm_object_name(Processes)` - | lookup remote_access_software remote_utility AS process_name OUTPUT isutility, description as signature, comment_reference as desc, category - | search isutility = True - | `detect_remote_access_software_usage_process_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime values(Processes.parent_process) as parent_process from datamodel=Endpoint.Processes + where Processes.dest!=unknown Processes.process!=unknown by Processes.dest Processes.user + Processes.process_name Processes.process | `security_content_ctime(firstTime)` | + `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | lookup remote_access_software + remote_utility AS process_name OUTPUT isutility, description as signature, comment_reference + as desc, category | search isutility = True | `detect_remote_access_software_usage_process_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -39,7 +46,8 @@ tags: asset_type: Endpoint confidence: 50 impact: 50 - message: A process for a known remote access software $process_name$ was identified on $dest$. + message: A process for a known remote access software $process_name$ was identified + on $dest$. mitre_attack_id: - T1219 observable: @@ -61,9 +69,9 @@ tags: - Splunk Cloud required_fields: - _time - - Processes.dest + - Processes.dest - Processes.user - - Processes.process_name + - Processes.process_name - Processes.process - Processes.process_id - Processes.parent_process_name @@ -72,6 +80,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1219/screenconnect/screenconnect_sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1219/screenconnect/screenconnect_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: XmlWinEventLog \ No newline at end of file + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/detect_renamed_7_zip.yml b/detections/endpoint/detect_renamed_7_zip.yml index c35cd9d2ae..abfe571860 100644 --- a/detections/endpoint/detect_renamed_7_zip.yml +++ b/detections/endpoint/detect_renamed_7_zip.yml @@ -1,16 +1,19 @@ name: Detect Renamed 7-Zip id: 4057291a-b8cf-11eb-95fe-acde48001122 -version: 2 -date: '2021-09-16' +version: 3 +date: '2024-05-20' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic identifies renamed 7-Zip usage using Sysmon. At - this stage of an attack, review parallel processes and file modifications for data - that is staged or potentially have been exfiltrated. This analytic utilizes the - OriginalFileName to capture the renamed process. During triage, validate this is - the legitimate version of `7zip` by reviewing the PE metadata. In addition, review - parallel processes for further suspicious behavior. +description: The following analytic detects the usage of a renamed 7-Zip executable + using Sysmon data. It leverages the OriginalFileName field to identify instances + where the 7-Zip process has been renamed. This activity is significant as attackers + often rename legitimate tools to evade detection while staging or exfiltrating data. + If confirmed malicious, this behavior could indicate data exfiltration attempts + or other unauthorized data manipulation, potentially leading to significant data + breaches or loss of sensitive information. Analysts should validate the legitimacy + of the 7-Zip executable and investigate parallel processes for further suspicious + activities. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -82,6 +85,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1560.001/archive_utility/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1560.001/archive_utility/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/detect_renamed_psexec.yml b/detections/endpoint/detect_renamed_psexec.yml index 41e251c172..5eb632163f 100644 --- a/detections/endpoint/detect_renamed_psexec.yml +++ b/detections/endpoint/detect_renamed_psexec.yml @@ -1,15 +1,17 @@ name: Detect Renamed PSExec id: 683e6196-b8e8-11eb-9a79-acde48001122 -version: 4 -date: '2022-04-07' +version: 5 +date: '2024-05-11' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic identifies renamed instances of `PsExec.exe` being - utilized on an endpoint. Most instances, it is highly probable to capture `Psexec.exe` - or other SysInternal utility usage with the command-line argument of `-accepteula`. - During triage, validate this is the legitimate version of `PsExec` by reviewing - the PE metadata. In addition, review parallel processes for further suspicious behavior. +description: The following analytic identifies instances where `PsExec.exe` has been + renamed and executed on an endpoint. It leverages data from Endpoint Detection and + Response (EDR) agents, focusing on process names and original file names. This activity + is significant because renaming `PsExec.exe` is a common tactic to evade detection. + If confirmed malicious, this could allow an attacker to execute commands remotely, + potentially leading to unauthorized access, lateral movement, or further compromise + of the network. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -92,6 +94,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569.002/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569.002/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/detect_renamed_rclone.yml b/detections/endpoint/detect_renamed_rclone.yml index ed2dbff0a5..163caf9566 100644 --- a/detections/endpoint/detect_renamed_rclone.yml +++ b/detections/endpoint/detect_renamed_rclone.yml @@ -1,16 +1,17 @@ name: Detect Renamed RClone id: 6dca1124-b3ec-11eb-9328-acde48001122 -version: 2 -date: '2021-09-16' +version: 3 +date: '2024-05-15' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic identifies the usage of `rclone.exe`, renamed, - being used to exfiltrate data to a remote destination. RClone has been used by multiple - ransomware groups to exfiltrate data. In many instances, it will be downloaded from - the legitimate site and executed accordingly. During triage, isolate the endpoint - and begin to review parallel processes for additional behavior. At this stage, the - adversary may have staged data to be exfiltrated. +description: The following analytic detects the execution of a renamed `rclone.exe` + process, which is commonly used for data exfiltration to remote destinations. This + detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on + process names and original file names that do not match. This activity is significant + because ransomware groups often use RClone to exfiltrate sensitive data. If confirmed + malicious, this behavior could indicate an ongoing data exfiltration attempt, potentially + leading to significant data loss and further compromise of the affected systems. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -85,6 +86,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1020/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1020/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/detect_renamed_winrar.yml b/detections/endpoint/detect_renamed_winrar.yml index 0276a70cde..7a62f9c579 100644 --- a/detections/endpoint/detect_renamed_winrar.yml +++ b/detections/endpoint/detect_renamed_winrar.yml @@ -1,15 +1,17 @@ name: Detect Renamed WinRAR id: 1b7bfb2c-b8e6-11eb-99ac-acde48001122 -version: 3 -date: '2021-09-16' +version: 4 +date: '2024-05-25' author: Michael Haag, Splunk status: production type: Hunting -description: The following analtyic identifies renamed instances of `WinRAR.exe`. - In most cases, it is not common for WinRAR to be used renamed, however it is common - to be installed by a third party application and executed from a non-standard path. - During triage, validate additional metadata from the binary that this is `WinRAR`. - Review parallel processes and file modifications. +description: The following analytic identifies instances where `WinRAR.exe` has been + renamed and executed. It leverages data from Endpoint Detection and Response (EDR) + agents, focusing on process names and original file names within the Endpoint data + model. This activity is significant because renaming executables is a common tactic + used by attackers to evade detection. If confirmed malicious, this could indicate + an attempt to bypass security controls, potentially leading to unauthorized data + extraction or further system compromise. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -83,6 +85,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1560.001/archive_utility/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1560.001/archive_utility/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/detect_rtlo_in_file_name.yml b/detections/endpoint/detect_rtlo_in_file_name.yml index 7d4f7debdb..0f65d1d91a 100644 --- a/detections/endpoint/detect_rtlo_in_file_name.yml +++ b/detections/endpoint/detect_rtlo_in_file_name.yml @@ -1,32 +1,34 @@ name: Detect RTLO In File Name id: 468b7e11-d362-43b8-b6ec-7a2d3b246678 -version: 2 -date: '2023-04-26' +version: 3 +date: '2024-05-24' author: Steven Dick status: production type: TTP -description: This search is used to detect the abuse of the right-to-left override (RTLO or RLO) - character (U+202E) RTLO. This technique is used by adversaries to disguise a string and/or - file name to make it appear benign. The RTLO character is a non-printing Unicode - character that causes the text that follows it to be displayed in reverse. +description: The following analytic identifies the use of the right-to-left override + (RTLO) character in file names. It leverages data from the Endpoint.Filesystem datamodel, + specifically focusing on file creation events and file names containing the RTLO + character (U+202E). This activity is significant because adversaries use RTLO to + disguise malicious files as benign by reversing the text that follows the character. + If confirmed malicious, this technique can deceive users and security tools, leading + to the execution of harmful files and potential system compromise. data_source: - Sysmon EventID 11 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.file_create_time) as file_create_time from datamodel=Endpoint.Filesystem where Filesystem.file_name!=unknown by Filesystem.dest Filesystem.user Filesystem.process_id Filesystem.file_name Filesystem.file_path - | `drop_dm_object_name(Filesystem)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | regex file_name = "\\x{202E}" - | rex field=file_name "(?.+)(?\\x{202E})(?.+)" - | eval file_name_with_RTLO=file_name - | eval file_name=RTLO_file_1.RTLO_file_2 - | fields - RTLO* - | `detect_rtlo_in_file_name_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime values(Filesystem.file_create_time) as file_create_time from datamodel=Endpoint.Filesystem + where Filesystem.file_name!=unknown by Filesystem.dest Filesystem.user Filesystem.process_id + Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` | + `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex + file_name = "\\x{202E}" | rex field=file_name "(?.+)(?\\x{202E})(?.+)" + | eval file_name_with_RTLO=file_name | eval file_name=RTLO_file_1.RTLO_file_2 | + fields - RTLO* | `detect_rtlo_in_file_name_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that includes the full command line of the process being launched on your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -known_false_positives: Implementation in regions that use right to left in native language. +known_false_positives: Implementation in regions that use right to left in native + language. references: - https://attack.mitre.org/techniques/T1036/002/ - https://resources.infosecinstitute.com/topic/spoof-using-right-to-left-override-rtlo-technique-2/ @@ -36,7 +38,7 @@ tags: - Spearphishing Attachments asset_type: Endpoint confidence: 80 - impact: 50 + impact: 50 message: Suspicious RTLO detected in $file_name$ on endpoint $dest$ by user $user$. mitre_attack_id: - T1036.002 @@ -60,16 +62,17 @@ tags: - Splunk Cloud required_fields: - _time - - Filesystem.dest - - Filesystem.user - - Filesystem.file_name + - Filesystem.dest + - Filesystem.user + - Filesystem.file_name - Filesystem.file_path - - Filesystem.process_id + - Filesystem.process_id risk_score: 40 security_domain: endpoint tests: - - name: True Positive Test - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.002/outlook_attachment/rtlo_events.log - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog +- name: True Positive Test + attack_data: + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.002/outlook_attachment/rtlo_events.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: xmlwineventlog diff --git a/detections/endpoint/detect_rtlo_in_process.yml b/detections/endpoint/detect_rtlo_in_process.yml index 444f8855ca..3d7c3ca93b 100644 --- a/detections/endpoint/detect_rtlo_in_process.yml +++ b/detections/endpoint/detect_rtlo_in_process.yml @@ -1,15 +1,17 @@ name: Detect RTLO In Process id: 22ac27b4-7189-4a4f-9375-b9017c9620d7 -version: 2 -date: '2023-04-26' +version: 3 +date: '2024-05-29' author: Steven Dick status: production type: TTP -description: This search is used to detect the abuse of the right-to-left override - (RTLO or RLO) character (U+202E) RTLO. This technique is used by adversaries to - disguise a string and/or file name to make it appear benign. The RTLO character - is a non-printing Unicode character that causes the text that follows it to be displayed - in reverse. +description: The following analytic identifies the abuse of the right-to-left override + (RTLO) character (U+202E) in process names. It leverages data from Endpoint Detection + and Response (EDR) agents, focusing on process execution logs and command-line data. + This activity is significant because adversaries use the RTLO character to disguise + malicious files or commands, making them appear benign. If confirmed malicious, + this technique can allow attackers to execute harmful code undetected, potentially + leading to unauthorized access, data exfiltration, or further system compromise. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -80,6 +82,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.002/outlook_attachment/rtlo_events.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.002/outlook_attachment/rtlo_events.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/detect_rundll32_application_control_bypass___advpack.yml b/detections/endpoint/detect_rundll32_application_control_bypass___advpack.yml index b1ff9bc6e5..12fda2f275 100644 --- a/detections/endpoint/detect_rundll32_application_control_bypass___advpack.yml +++ b/detections/endpoint/detect_rundll32_application_control_bypass___advpack.yml @@ -1,19 +1,18 @@ name: Detect Rundll32 Application Control Bypass - advpack id: 4aefadfe-9abd-4bf8-b3fd-867e9ef95bf8 -version: 2 -date: '2021-02-04' +version: 3 +date: '2024-05-17' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies rundll32.exe loading advpack.dll and - ieadvpack.dll by calling the LaunchINFSection function on the command line. This - particular technique will load script code from a file. Upon a successful execution, - the following module loads may occur - clr.dll, jscript.dll and scrobj.dll. During - investigation, identify script content origination. Generally, a child process will - spawn from rundll32.exe, but that may be bypassed based on script code contents. - Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. During - investigation, review any network connections and obtain the script content executed. - It's possible other files are on disk. +description: The following analytic detects the execution of rundll32.exe loading + advpack.dll or ieadvpack.dll via the LaunchINFSection function. This method is identified + using Endpoint Detection and Response (EDR) telemetry, focusing on command-line + executions and process details. This activity is significant as it indicates a potential + application control bypass, allowing script code execution from a file. If confirmed + malicious, an attacker could execute arbitrary code, potentially leading to privilege + escalation, persistence, or further network compromise. Investigate script content, + network connections, and any spawned child processes for further context. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -91,6 +90,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/detect_rundll32_application_control_bypass___setupapi.yml b/detections/endpoint/detect_rundll32_application_control_bypass___setupapi.yml index df11991ae6..9a81bf670c 100644 --- a/detections/endpoint/detect_rundll32_application_control_bypass___setupapi.yml +++ b/detections/endpoint/detect_rundll32_application_control_bypass___setupapi.yml @@ -1,19 +1,18 @@ name: Detect Rundll32 Application Control Bypass - setupapi id: 61e7b44a-6088-4f26-b788-9a96ba13b37a -version: 2 -date: '2021-02-04' +version: 3 +date: '2024-05-11' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies rundll32.exe loading setupapi.dll and - iesetupapi.dll by calling the LaunchINFSection function on the command line. This - particular technique will load script code from a file. Upon a successful execution, - the following module loads may occur - clr.dll, jscript.dll and scrobj.dll. During - investigation, identify script content origination. Generally, a child process will - spawn from rundll32.exe, but that may be bypassed based on script code contents. - Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. During - investigation, review any network connections and obtain the script content executed. - It's possible other files are on disk. +description: The following analytic detects the execution of rundll32.exe loading + setupapi.dll and iesetupapi.dll via the LaunchINFSection function. This behavior + is identified using Endpoint Detection and Response (EDR) telemetry, focusing on + process creation events and command-line arguments. This activity is significant + as it indicates a potential application control bypass, allowing an attacker to + execute arbitrary script code. If confirmed malicious, this technique could enable + code execution, privilege escalation, or persistence within the environment, posing + a severe threat to system integrity and security. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -91,6 +90,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/detect_rundll32_application_control_bypass___syssetup.yml b/detections/endpoint/detect_rundll32_application_control_bypass___syssetup.yml index 9b1aa84401..a0897c5b3b 100644 --- a/detections/endpoint/detect_rundll32_application_control_bypass___syssetup.yml +++ b/detections/endpoint/detect_rundll32_application_control_bypass___syssetup.yml @@ -1,19 +1,18 @@ name: Detect Rundll32 Application Control Bypass - syssetup id: 71b9bf37-cde1-45fb-b899-1b0aa6fa1183 -version: 2 -date: '2021-02-04' +version: 3 +date: '2024-05-27' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies rundll32.exe loading syssetup.dll by - calling the LaunchINFSection function on the command line. This particular technique - will load script code from a file. Upon a successful execution, the following module - loads may occur - clr.dll, jscript.dll and scrobj.dll. During investigation, identify - script content origination. Generally, a child process will spawn from rundll32.exe, - but that may be bypassed based on script code contents. Rundll32.exe is natively - found in C:\Windows\system32 and C:\Windows\syswow64. During investigation, review - any network connections and obtain the script content executed. It's possible other - files are on disk. +description: The following analytic detects the execution of rundll32.exe loading + syssetup.dll via the LaunchINFSection function. This method is identified through + Endpoint Detection and Response (EDR) telemetry, focusing on command-line executions + and process details. This activity is significant as it indicates a potential application + control bypass, allowing script code execution from a file. If confirmed malicious, + an attacker could execute arbitrary code, potentially leading to privilege escalation, + persistence, or further network compromise. Investigate the script content, network + connections, and any spawned child processes for further context. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -91,6 +90,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/detect_rundll32_inline_hta_execution.yml b/detections/endpoint/detect_rundll32_inline_hta_execution.yml index 43cf85143d..8c8e1260ab 100644 --- a/detections/endpoint/detect_rundll32_inline_hta_execution.yml +++ b/detections/endpoint/detect_rundll32_inline_hta_execution.yml @@ -1,17 +1,17 @@ name: Detect Rundll32 Inline HTA Execution id: 91c79f14-5b41-11eb-ae93-0242ac130002 -version: 2 -date: '2021-01-20' +version: 3 +date: '2024-05-22' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies "rundll32.exe" execution with inline - protocol handlers. "JavaScript", "VBScript", and "About" are the only supported - options when invoking HTA content directly on the command-line. This type of behavior - is commonly observed with fileless malware or application whitelisting bypass techniques. - The search will return the first time and last time these command-line arguments - were used for these executions, as well as the target system, the user, process - "rundll32.exe" and its parent process. +description: The following analytic detects the execution of "rundll32.exe" with inline + protocol handlers such as "JavaScript", "VBScript", and "About". This behavior is + identified using Endpoint Detection and Response (EDR) telemetry, focusing on command-line + arguments. This activity is significant as it is often associated with fileless + malware or application whitelisting bypass techniques. If confirmed malicious, this + could allow an attacker to execute arbitrary code, bypass security controls, and + maintain persistence within the environment. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count values(Processes.process) @@ -75,6 +75,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/detect_sharphound_command_line_arguments.yml b/detections/endpoint/detect_sharphound_command_line_arguments.yml index 6dd874e2ab..008f499514 100644 --- a/detections/endpoint/detect_sharphound_command_line_arguments.yml +++ b/detections/endpoint/detect_sharphound_command_line_arguments.yml @@ -1,16 +1,18 @@ name: Detect SharpHound Command-Line Arguments id: a0bdd2f6-c2ff-11eb-b918-acde48001122 -version: 2 -date: '2024-03-14' +version: 3 +date: '2024-05-15' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies common command-line arguments used - by SharpHound `-collectionMethod` and `invoke-bloodhound`. Being the script is FOSS, - function names may be modified, but these changes are dependent upon the operator. - In most instances the defaults are used. This analytic works to identify the common - command-line attributes used. It does not cover the entirety of every argument in - order to avoid false positives. +description: The following analytic detects the execution of SharpHound command-line + arguments, specifically `-collectionMethod` and `invoke-bloodhound`. It leverages + data from Endpoint Detection and Response (EDR) agents, focusing on process names + and command-line executions. This activity is significant as SharpHound is commonly + used for Active Directory enumeration, which can be a precursor to lateral movement + or privilege escalation. If confirmed malicious, this activity could allow an attacker + to map out the network, identify high-value targets, and plan further attacks, potentially + compromising sensitive information and critical systems. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -74,6 +76,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/sharphound/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/sharphound/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/detect_sharphound_file_modifications.yml b/detections/endpoint/detect_sharphound_file_modifications.yml index afcee2bcd9..718559e461 100644 --- a/detections/endpoint/detect_sharphound_file_modifications.yml +++ b/detections/endpoint/detect_sharphound_file_modifications.yml @@ -1,32 +1,26 @@ name: Detect SharpHound File Modifications id: 42b4b438-beed-11eb-ba1d-acde48001122 -version: 3 -date: '2024-03-14' +version: 4 +date: '2024-05-15' author: Michael Haag, Splunk status: production type: TTP -description: SharpHound is used as a reconnaissance collector, ingestor, for BloodHound. - SharpHound will query the domain controller and begin gathering all the data related - to the domain and trusts. For output, it will drop a .zip file upon completion following - a typical pattern that is often not changed. This analytic focuses on the default - file name scheme. Note that this may be evaded with different parameters within - SharpHound, but that depends on the operator. `-randomizefilenames` and `-encryptzip` - are two examples. In addition, executing SharpHound via .exe or .ps1 without any - command-line arguments will still perform activity and dump output to the default - filename. Example default filename `20210601181553_BloodHound.zip`. SharpHound creates - multiple temp files following the same pattern `20210601182121_computers.json`, - `domains.json`, `gpos.json`, `ous.json` and `users.json`. Tuning may be required, - or remove these json's entirely if it is too noisy. During traige, review parallel - processes for further suspicious behavior. Typically, the process executing the - `.ps1` ingestor will be PowerShell. +description: The following analytic detects the creation of files typically associated + with SharpHound, a reconnaissance tool used for gathering domain and trust data. + It leverages file modification events from the Endpoint.Filesystem data model, focusing + on default file naming patterns like `*_BloodHound.zip` and various JSON files. + This activity is significant as it indicates potential domain enumeration, which + is a precursor to more targeted attacks. If confirmed malicious, an attacker could + gain detailed insights into the domain structure, facilitating lateral movement + and privilege escalation. data_source: - Sysmon EventID 11 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*bloodhound.zip", "*_computers.json", "*_gpos.json", "*_domains.json", "*_users.json", "*_groups.json", "*_ous.json", "*_containers.json") by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name - Filesystem.file_path Filesystem.dest Filesystem.user| `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `detect_sharphound_file_modifications_filter`' + Filesystem.file_path Filesystem.dest Filesystem.user| `drop_dm_object_name(Filesystem)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_sharphound_file_modifications_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on file modifications that include the name of the process, and file, responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` @@ -80,6 +74,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/sharphound/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/sharphound/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/detect_sharphound_usage.yml b/detections/endpoint/detect_sharphound_usage.yml index 8c8844e798..86389105f7 100644 --- a/detections/endpoint/detect_sharphound_usage.yml +++ b/detections/endpoint/detect_sharphound_usage.yml @@ -1,18 +1,18 @@ name: Detect SharpHound Usage id: dd04b29a-beed-11eb-87bc-acde48001122 -version: 3 -date: '2024-03-14' +version: 4 +date: '2024-05-14' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies SharpHound binary usage by using the - original filena,e. In addition to renaming the PE, other coverage is available to - detect command-line arguments. This particular analytic looks for the original_file_name - of `SharpHound.exe` and the process name. It is possible older instances of SharpHound.exe - have different original filenames. Dependent upon the operator, the code may be - re-compiled and the attributes removed or changed to anything else. During triage, - review the metadata of the binary in question. Review parallel processes for suspicious - behavior. Identify the source of this binary. +description: The following analytic detects the usage of the SharpHound binary by + identifying its original filename, `SharpHound.exe`, and the process name. This + detection leverages data from Endpoint Detection and Response (EDR) agents, focusing + on process metadata and command-line executions. SharpHound is a tool used for Active + Directory enumeration, often by attackers during the reconnaissance phase. If confirmed + malicious, this activity could allow an attacker to map out the network, identify + high-value targets, and plan further attacks, potentially leading to privilege escalation + and lateral movement within the environment. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -81,6 +81,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/sharphound/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/sharphound/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml b/detections/endpoint/detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml index f1b3489d41..806d34c814 100644 --- a/detections/endpoint/detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml +++ b/detections/endpoint/detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml @@ -1,25 +1,21 @@ name: Detect suspicious processnames using pretrained model in DSDL id: a15f8977-ad7d-4669-92ef-b59b97219bf5 -version: 1 -date: '2023-01-23' +version: 2 +date: '2024-05-27' author: Abhinav Mishra, Kumar Sharad and Namratha Sreekanta, Splunk type: Anomaly status: experimental data_source: - Sysmon Event Code 1 -description: The following analytic uses a pre-trained Deep Learning model to predict - whether a processname is suspicious or not. Malwares and malicious programs such - as ransomware often use tactics, techniques, and procedures (TTPs) such as copying - malicious files to the local machine to propagate themselves across the network. - A key indicator of compromise is that after a successful execution of the malware, - it copies itself as an executable file with a randomly generated filename and places - this file in one of the directories. Such techniques are seen in several malwares - such as TrickBot. We develop machine learning model that uses a Recurrent Neural - Network (RNN) to distinguish between malicious and benign processnames. The model - is trained independently and is then made available for download. We use a character - level RNN to classify malicious vs. benign processnames. The higher is_malicious_prob, - the more likely is the processname to be suspicious (between [0,1]). The threshold - for flagging a processname as suspicious is set as 0.5. +description: The following analytic identifies suspicious process names using a pre-trained + Deep Learning model. It leverages Endpoint Detection and Response (EDR) telemetry + to analyze process names and predict their likelihood of being malicious. The model, + a character-level Recurrent Neural Network (RNN), classifies process names as benign + or suspicious based on a threshold score of 0.5. This detection is significant as + it helps identify malware, such as TrickBot, which often uses randomly generated + filenames to evade detection. If confirmed malicious, this activity could indicate + the presence of malware capable of propagating across the network and executing + harmful actions. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.process_name Processes.parent_process_name Processes.process Processes.user Processes.dest | `drop_dm_object_name(Processes)` diff --git a/detections/endpoint/detect_use_of_cmd_exe_to_launch_script_interpreters.yml b/detections/endpoint/detect_use_of_cmd_exe_to_launch_script_interpreters.yml index b0d8c4ea33..bc0e873704 100644 --- a/detections/endpoint/detect_use_of_cmd_exe_to_launch_script_interpreters.yml +++ b/detections/endpoint/detect_use_of_cmd_exe_to_launch_script_interpreters.yml @@ -1,22 +1,24 @@ name: Detect Use of cmd exe to Launch Script Interpreters id: b89919ed-fe5f-492c-b139-95dbb162039e -version: 5 -date: '2023-12-07' +version: 6 +date: '2024-05-20' author: Bhavin Patel, Mauricio Velazco, Splunk status: production type: TTP -description: This search looks for the execution of the cscript.exe or wscript.exe - processes, with a parent of cmd.exe. The search will return the count, the first - and last time this execution was seen on a machine, the user, and the destination - of the machine +description: The following analytic detects the execution of cscript.exe or wscript.exe + processes initiated by cmd.exe. It leverages data from Endpoint Detection and Response + (EDR) agents, focusing on process names and parent processes within the Endpoint + data model. This activity is significant as it may indicate script-based attacks + or administrative actions that could be leveraged for malicious purposes. If confirmed + malicious, this behavior could allow attackers to execute scripts, potentially leading + to code execution, privilege escalation, or persistence within the environment. data_source: - Sysmon EventID 1 -search: '| tstats `security_content_summariesonly` count - min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes - where Processes.parent_process_name="cmd.exe" (Processes.process_name=cscript.exe - OR Processes.process_name =wscript.exe) by Processes.parent_process Processes.process_name Processes.process - Processes.user Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` - | `detect_use_of_cmd_exe_to_launch_script_interpreters_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name="cmd.exe" + (Processes.process_name=cscript.exe OR Processes.process_name =wscript.exe) by Processes.parent_process + Processes.process_name Processes.process Processes.user Processes.dest | `drop_dm_object_name("Processes")` + | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `detect_use_of_cmd_exe_to_launch_script_interpreters_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -26,10 +28,13 @@ how_to_implement: The detection is based on data that originates from Endpoint D the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: This detection may also be triggered by legitimate applications and numerous service accounts, which often end with a $ sign. To manage this, it's advised to check the service account's activities and, if they are valid, modify the filter macro to exclude them. +known_false_positives: This detection may also be triggered by legitimate applications + and numerous service accounts, which often end with a $ sign. To manage this, it's + advised to check the service account's activities and, if they are valid, modify + the filter macro to exclude them. references: - - https://attack.mitre.org/techniques/T1059/ - - https://redcanary.com/threat-detection-report/techniques/windows-command-shell/ +- https://attack.mitre.org/techniques/T1059/ +- https://redcanary.com/threat-detection-report/techniques/windows-command-shell/ tags: analytic_story: - Emotet Malware DHS Report TA18-201A @@ -64,6 +69,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.003/cmd_spawns_cscript/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.003/cmd_spawns_cscript/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/detect_webshell_exploit_behavior.yml b/detections/endpoint/detect_webshell_exploit_behavior.yml index 4616cd5914..aa6f4ffd68 100644 --- a/detections/endpoint/detect_webshell_exploit_behavior.yml +++ b/detections/endpoint/detect_webshell_exploit_behavior.yml @@ -1,15 +1,19 @@ name: Detect Webshell Exploit Behavior id: 22597426-6dbd-49bd-bcdc-4ec19857192f -version: 2 -date: '2023-07-10' +version: 3 +date: '2024-05-20' author: Steven Dick status: production type: TTP -description: This search is used to detect the abuse of web applications by adversaries. - Adversaries may install a backdoor or script onto web servers by exploiting known - vulnerabilities or misconfigruations. Web shells are used to establish persistent - access to systems and provide a set of executable functions or a command-line interface - on the system hosting the Web server. +description: The following analytic identifies the execution of suspicious processes + typically associated with webshell activity on web servers. It detects when processes + like `cmd.exe`, `powershell.exe`, or `bash.exe` are spawned by web server processes + such as `w3wp.exe` or `nginx.exe`. This behavior is significant as it may indicate + an adversary exploiting a web application vulnerability to install a webshell, providing + persistent access and command execution capabilities. If confirmed malicious, this + activity could allow attackers to maintain control over the compromised server, + execute arbitrary commands, and potentially escalate privileges or exfiltrate sensitive + data. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) @@ -91,6 +95,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.003/generic_webshell_exploit/generic_webshell_exploit.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.003/generic_webshell_exploit/generic_webshell_exploit.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/detect_wmi_event_subscription_persistence.yml b/detections/endpoint/detect_wmi_event_subscription_persistence.yml index 32d5ad5042..ffc30d9f99 100644 --- a/detections/endpoint/detect_wmi_event_subscription_persistence.yml +++ b/detections/endpoint/detect_wmi_event_subscription_persistence.yml @@ -1,35 +1,23 @@ name: Detect WMI Event Subscription Persistence id: 01d9a0c2-cece-11eb-ab46-acde48001122 -version: 1 -date: '2021-06-16' +version: 2 +date: '2024-05-15' author: Michael Haag, Splunk status: production type: TTP -description: 'The following analytic identifies the use of WMI Event Subscription - to establish persistence or perform privilege escalation. WMI can be used to install - event filters, providers, consumers, and bindings that execute code when a defined - event occurs. WMI subscription execution is proxied by the WMI Provider Host process - (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges. This analytic - is restricted by commonly added process execution and a path. If the volume is low - enough, remove the values and flag on any new subscriptions. - - All event subscriptions have three components - - 1. Filter - WQL Query for the events we want. EventID equals 19 - - 1. Consumer - An action to take upon triggering the filter. EventID equals 20 - - 1. Binding - Registers a filter to a consumer. EventID equals 21 - - Monitor for the creation of new WMI EventFilter, EventConsumer, and FilterToConsumerBinding. - It may be pertinent to review all 3 to identify the flow of execution. In addition, - EventCode 4104 may assist with any other PowerShell script usage that registered - the subscription.' +description: 'The following analytic identifies the creation of WMI Event Subscriptions, + which can be used to establish persistence or perform privilege escalation. It detects + EventID 19 (EventFilter creation), EventID 20 (EventConsumer creation), and EventID + 21 (FilterToConsumerBinding creation) from Sysmon logs. This activity is significant + because WMI Event Subscriptions can execute code with elevated SYSTEM privileges, + making it a powerful persistence mechanism. If confirmed malicious, an attacker + could maintain long-term access, escalate privileges, and execute arbitrary code, + posing a severe threat to the environment.' data_source: - Sysmon EventID 20 search: '`sysmon` EventID=20 | stats count min(_time) as firstTime max(_time) as lastTime - by Computer User Destination | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `detect_wmi_event_subscription_persistence_filter`' + by Computer User Destination | rename Computer as dest | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `detect_wmi_event_subscription_persistence_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with that provide WMI Event Subscription from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA and have enabled EventID @@ -71,6 +59,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.003/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.003/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/disable_amsi_through_registry.yml b/detections/endpoint/disable_amsi_through_registry.yml index 50ddb4106f..ee4ffdd399 100644 --- a/detections/endpoint/disable_amsi_through_registry.yml +++ b/detections/endpoint/disable_amsi_through_registry.yml @@ -1,14 +1,19 @@ name: Disable AMSI Through Registry id: 9c27ec42-d338-11eb-9044-acde48001122 -version: 4 -date: '2023-12-27' +version: 5 +date: '2024-05-29' author: Steven Dick, Teoderick Contreras, Splunk status: production type: TTP -description: this search is to identify modification in registry to disable AMSI windows - feature to evade detections. This technique was seen in several ransomware, RAT - and even APT to impaire defenses of the compromise machine and to be able to execute - payload with minimal alert as much as possible. +description: The following analytic detects modifications to the Windows registry + that disable the Antimalware Scan Interface (AMSI) by setting the "AmsiEnable" value + to "0x00000000". This detection leverages data from the Endpoint.Registry data model, + specifically monitoring changes to the registry path "*\\SOFTWARE\\Microsoft\\Windows + Script\\Settings\\AmsiEnable". Disabling AMSI is significant as it is a common technique + used by ransomware, Remote Access Trojans (RATs), and Advanced Persistent Threats + (APTs) to evade detection and impair defenses. If confirmed malicious, this activity + could allow attackers to execute payloads with minimal alerts, leading to potential + system compromise and data exfiltration. data_source: - Sysmon EventID 12 - Sysmon EventID 13 @@ -62,6 +67,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data2/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data2/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/disable_defender_antivirus_registry.yml b/detections/endpoint/disable_defender_antivirus_registry.yml index 3d15b851f0..d84a2d4a21 100644 --- a/detections/endpoint/disable_defender_antivirus_registry.yml +++ b/detections/endpoint/disable_defender_antivirus_registry.yml @@ -1,24 +1,29 @@ name: Disable Defender AntiVirus Registry id: aa4f695a-3024-11ec-9987-acde48001122 -version: 4 -date: '2023-04-11' +version: 5 +date: '2024-05-28' author: Steven Dick, Teoderick Contreras, Splunk status: production type: TTP -description: This particular behavior is typically executed when an adversary or malware - gains access to an endpoint and begins to perform execution and to evade detections. - Usually, a batch (.bat) file will be executed and multiple registry and scheduled - task modifications will occur. During triage, review parallel processes and identify - any further file modifications. Endpoint should be isolated. +description: The following analytic detects the modification of Windows Defender registry + settings to disable antivirus and antispyware protections. It leverages data from + the Endpoint.Registry data model, specifically monitoring changes to registry paths + associated with Windows Defender policies. This activity is significant because + disabling antivirus protections is a common tactic used by adversaries to evade + detection and maintain persistence on compromised systems. If confirmed malicious, + this action could allow attackers to execute further malicious activities undetected, + leading to potential data breaches, system compromise, and further propagation of + malware within the network. data_source: - Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\Policies\\Microsoft\\Windows Defender*" Registry.registry_value_name IN ("DisableAntiSpyware","DisableAntiVirus") Registry.registry_value_data = 0x00000001) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.user Registry.dest - | `drop_dm_object_name(Registry)` - | where isnotnull(registry_value_data) - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `disable_defender_antivirus_registry_filter`' +search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry + WHERE (Registry.registry_path = "*\\Policies\\Microsoft\\Windows Defender*" Registry.registry_value_name + IN ("DisableAntiSpyware","DisableAntiVirus") Registry.registry_value_data = 0x00000001) + BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name + Registry.registry_value_data Registry.process_guid Registry.user Registry.dest | + `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `disable_defender_antivirus_registry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical @@ -63,6 +68,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_av/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_av/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/disable_defender_blockatfirstseen_feature.yml b/detections/endpoint/disable_defender_blockatfirstseen_feature.yml index 8d5f0a2a4d..349cb889c8 100644 --- a/detections/endpoint/disable_defender_blockatfirstseen_feature.yml +++ b/detections/endpoint/disable_defender_blockatfirstseen_feature.yml @@ -1,17 +1,21 @@ name: Disable Defender BlockAtFirstSeen Feature id: 2dd719ac-3021-11ec-97b4-acde48001122 -version: 4 -date: '2023-12-27' +version: 5 +date: '2024-05-22' author: Steven Dick, Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 12 - Sysmon EventID 13 -description: This analytic is intended to detect a suspicious modification of the - Windows registry to disable a Windows Defender feature. This technique is intended - to bypass or evade detection from Windows Defender AV, specifically the BlockAtFirstSeen - feature where it blocks suspicious files the first time seen on the host. +description: The following analytic detects the modification of the Windows registry + to disable the Windows Defender BlockAtFirstSeen feature. It leverages data from + the Endpoint.Registry data model, specifically monitoring changes to the registry + path associated with Windows Defender SpyNet and the DisableBlockAtFirstSeen value. + This activity is significant because disabling this feature can allow malicious + files to bypass initial detection by Windows Defender, increasing the risk of malware + infection. If confirmed malicious, this action could enable attackers to execute + malicious code undetected, leading to potential system compromise and data breaches. search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\Microsoft\\Windows Defender\\SpyNet*" Registry.registry_value_name = DisableBlockAtFirstSeen Registry.registry_value_data = 0x00000001) BY _time span=1h @@ -65,6 +69,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_av/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_av/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/disable_defender_enhanced_notification.yml b/detections/endpoint/disable_defender_enhanced_notification.yml index 1b08acb6b9..697be6ac02 100644 --- a/detections/endpoint/disable_defender_enhanced_notification.yml +++ b/detections/endpoint/disable_defender_enhanced_notification.yml @@ -1,14 +1,19 @@ name: Disable Defender Enhanced Notification id: dc65678c-301f-11ec-8e30-acde48001122 -version: 3 -date: '2023-12-27' +version: 4 +date: '2024-05-24' author: Steven Dick, Teoderick Contreras, Splunk status: production type: TTP -description: This analytic is intended to detect a suspicious modification of registry - to disable windows defender features. This technique attempts to bypass or evade - detection from Windows Defender AV, specifically the Enhanced Notification feature - where a user or admin would receive alerts. +description: The following analytic detects the modification of the registry to disable + Windows Defender's Enhanced Notification feature. It leverages data from Endpoint + Detection and Response (EDR) agents, specifically monitoring changes to the registry + path associated with Windows Defender reporting. This activity is significant because + disabling Enhanced Notifications can prevent users and administrators from receiving + critical security alerts, potentially allowing malicious activities to go unnoticed. + If confirmed malicious, this action could enable an attacker to bypass detection + mechanisms, maintain persistence, and escalate their activities without triggering + alerts. data_source: - Sysmon EventID 1 - Sysmon EventID 12 @@ -25,7 +30,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) AS firstTime | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `disable_defender_antivirus_registry_filter`' + | `security_content_ctime(lastTime)` | `disable_defender_enhanced_notification_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -86,6 +91,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_av/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_av/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/disable_defender_mpengine_registry.yml b/detections/endpoint/disable_defender_mpengine_registry.yml index 51084eb689..4f3093af81 100644 --- a/detections/endpoint/disable_defender_mpengine_registry.yml +++ b/detections/endpoint/disable_defender_mpengine_registry.yml @@ -1,24 +1,28 @@ name: Disable Defender MpEngine Registry id: cc391750-3024-11ec-955a-acde48001122 -version: 4 -date: '2023-04-11' +version: 5 +date: '2024-05-21' author: Steven Dick, Teoderick Contreras, Splunk status: production type: TTP -description: This particular behavior is typically executed when an adversary or malware - gains access to an endpoint and begins to perform execution and to evade detections. - Usually, a batch (.bat) file will be executed and multiple registry and scheduled - task modifications will occur. During triage, review parallel processes and identify - any further file modifications. Endpoint should be isolated. +description: The following analytic detects the modification of the Windows Defender + MpEngine registry value, specifically setting MpEnablePus to 0x00000000. This detection + leverages endpoint registry logs, focusing on changes within the path "*\\Policies\\Microsoft\\Windows + Defender\\MpEngine*". This activity is significant as it indicates an attempt to + disable key Windows Defender features, potentially allowing malware to evade detection. + If confirmed malicious, this could lead to undetected malware execution, persistence, + and further system compromise. Immediate investigation and endpoint isolation are + recommended. data_source: - Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\Policies\\Microsoft\\Windows Defender\\MpEngine*" Registry.registry_value_name = MpEnablePus Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.user Registry.dest - | `drop_dm_object_name(Registry)` - | where isnotnull(registry_value_data) - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `disable_defender_mpengine_registry_filter`' +search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry + WHERE (Registry.registry_path = "*\\Policies\\Microsoft\\Windows Defender\\MpEngine*" + Registry.registry_value_name = MpEnablePus Registry.registry_value_data = 0x00000000) + BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name + Registry.registry_value_data Registry.process_guid Registry.user Registry.dest | + `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `disable_defender_mpengine_registry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical @@ -63,6 +67,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_av/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_av/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/disable_defender_submit_samples_consent_feature.yml b/detections/endpoint/disable_defender_submit_samples_consent_feature.yml index d4addee595..d1114bc616 100644 --- a/detections/endpoint/disable_defender_submit_samples_consent_feature.yml +++ b/detections/endpoint/disable_defender_submit_samples_consent_feature.yml @@ -1,14 +1,18 @@ name: Disable Defender Submit Samples Consent Feature id: 73922ff8-3022-11ec-bf5e-acde48001122 -version: 4 -date: '2023-12-27' +version: 5 +date: '2024-05-14' author: Steven Dick, Teoderick Contreras, Splunk status: production type: TTP -description: This analytic is intended to detect a suspicious modification of the - Windows registry to disable a Windows Defender feature. This technique is intended - to bypass or evade detection from Windows Defender AV, specifically the feature - that submits samples for further analysis. +description: The following analytic detects the modification of the Windows registry + to disable the Windows Defender Submit Samples Consent feature. It leverages data + from the Endpoint.Registry data model, specifically monitoring changes to the registry + path associated with Windows Defender SpyNet and the SubmitSamplesConsent value + set to 0x00000000. This activity is significant as it indicates an attempt to bypass + or evade detection by preventing Windows Defender from submitting samples for further + analysis. If confirmed malicious, this could allow an attacker to execute malicious + code without being detected by Windows Defender, leading to potential system compromise. data_source: - Sysmon EventID 12 - Sysmon EventID 13 @@ -65,6 +69,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_av/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_av/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/disable_etw_through_registry.yml b/detections/endpoint/disable_etw_through_registry.yml index 7244646f34..dc8513536c 100644 --- a/detections/endpoint/disable_etw_through_registry.yml +++ b/detections/endpoint/disable_etw_through_registry.yml @@ -1,14 +1,18 @@ name: Disable ETW Through Registry id: f0eacfa4-d33f-11eb-8f9d-acde48001122 -version: 4 -date: '2023-12-27' +version: 5 +date: '2024-05-24' author: Steven Dick, Teoderick Contreras, Splunk status: production type: TTP -description: This search is to identify modification in registry to disable ETW windows - feature to evade detections. This technique was seen in several ransomware, RAT - and even APT to impaire defenses of the compromise machine and to be able to execute - payload with minimal alert as much as possible. +description: The following analytic detects modifications to the registry that disable + the Event Tracing for Windows (ETW) feature. It leverages data from the Endpoint.Registry + data model, specifically monitoring changes to the registry path "*\\SOFTWARE\\Microsoft\\.NETFramework\\ETWEnabled" + with a value set to "0x00000000". This activity is significant because disabling + ETW can allow attackers to evade detection mechanisms, making it harder for security + tools to monitor malicious activities. If confirmed malicious, this could enable + attackers to execute payloads with minimal alerts, impairing defenses and potentially + leading to further compromise of the system. data_source: - Sysmon EventID 12 - Sysmon EventID 13 @@ -60,6 +64,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data2/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data2/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/disable_registry_tool.yml b/detections/endpoint/disable_registry_tool.yml index 5b720983c2..728f09b798 100644 --- a/detections/endpoint/disable_registry_tool.yml +++ b/detections/endpoint/disable_registry_tool.yml @@ -1,22 +1,26 @@ name: Disable Registry Tool id: cd2cf33c-9201-11eb-a10a-acde48001122 -version: 5 -date: '2024-04-26' +version: 6 +date: '2024-05-14' author: Steven Dick, Teoderick Contreras, Splunk status: production type: TTP -description: This search identifies modification of registry to disable the regedit - or registry tools of the windows operating system. Since registry tool is a swiss - knife in analyzing registry, malware such as RAT or trojan Spy disable this application - to prevent the removal of their registry entry such as persistence, file less components - and defense evasion. +description: The following analytic detects modifications to the Windows registry + aimed at disabling the Registry Editor (regedit). It leverages data from the Endpoint.Registry + data model, specifically monitoring changes to the registry path + "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools" + with a value of "0x00000001". This activity is significant because malware, such + as RATs or trojans, often disable registry tools to prevent the removal of their + entries, aiding in persistence and defense evasion. If confirmed malicious, this + could hinder incident response efforts and allow the attacker to maintain control + over the compromised system. data_source: - Sysmon EventID 12 - Sysmon EventID 13 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools" - Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.user Registry.dest Registry.registry_path - Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data + Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.user Registry.dest + Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_registry_tool_filter`' how_to_implement: To successfully implement this search, you need to be ingesting @@ -61,6 +65,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/disable_schedule_task.yml b/detections/endpoint/disable_schedule_task.yml index 5e03e78d2e..a486a8376b 100644 --- a/detections/endpoint/disable_schedule_task.yml +++ b/detections/endpoint/disable_schedule_task.yml @@ -1,16 +1,18 @@ name: Disable Schedule Task id: db596056-3019-11ec-a9ff-acde48001122 -version: 1 -date: '2021-10-18' +version: 2 +date: '2024-05-26' author: Teoderick Contreras, Splunk status: production type: TTP -description: This analytic is to detect a suspicious commandline to disable existing - schedule task. This technique is used by adversaries or commodity malware like IcedID - to disable security application (AV products) in the targetted host to evade detections. - This TTP is a good pivot to check further why and what other process run before - and after this detection. check which process execute the commandline and what task - is disabled. parent child process is quite valuable in this scenario too. +description: The following analytic detects the execution of a command to disable + an existing scheduled task using 'schtasks.exe' with the '/change' and '/disable' + parameters. This detection leverages data from Endpoint Detection and Response (EDR) + agents, focusing on process names and command-line arguments. Disabling scheduled + tasks is significant as it is a common tactic used by adversaries, including malware + like IcedID, to disable security applications and evade detection. If confirmed + malicious, this activity could allow attackers to persist undetected, disable critical + security defenses, and further compromise the targeted host. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime @@ -63,6 +65,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_schtask/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_schtask/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/disable_security_logs_using_minint_registry.yml b/detections/endpoint/disable_security_logs_using_minint_registry.yml index 509ba3f4eb..c7ef979383 100644 --- a/detections/endpoint/disable_security_logs_using_minint_registry.yml +++ b/detections/endpoint/disable_security_logs_using_minint_registry.yml @@ -1,14 +1,18 @@ name: Disable Security Logs Using MiniNt Registry id: 39ebdc68-25b9-11ec-aec7-acde48001122 -version: 4 -date: '2023-12-27' +version: 5 +date: '2024-05-29' author: Steven Dick, Teoderick Contreras, Splunk status: production type: TTP -description: This analytic is to detect a suspicious registry modification to disable - security audit logs. This technique was shared by a researcher to disable Security - logs of windows by adding this registry. The Windows will think it is WinPE and - will not log any event to the Security Log +description: The following analytic detects a suspicious registry modification aimed + at disabling security audit logs by adding a specific registry entry. It leverages + data from the Endpoint.Registry data model, focusing on changes to the "Control\\MiniNt" + registry path. This activity is significant because it can prevent Windows from + logging any events to the Security Log, effectively blinding security monitoring + efforts. If confirmed malicious, this technique could allow an attacker to operate + undetected, making it difficult to trace their actions and compromising the integrity + of security audits. data_source: - Sysmon EventID 12 - Sysmon EventID 13 @@ -62,6 +66,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/minint_reg/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/minint_reg/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/disable_show_hidden_files.yml b/detections/endpoint/disable_show_hidden_files.yml index ac410fbf3a..11aa7dfb24 100644 --- a/detections/endpoint/disable_show_hidden_files.yml +++ b/detections/endpoint/disable_show_hidden_files.yml @@ -1,22 +1,28 @@ name: Disable Show Hidden Files id: 6f3ccfa2-91fe-11eb-8f9b-acde48001122 -version: 5 -date: '2024-02-14' +version: 6 +date: '2024-05-27' author: Steven Dick, Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic is to identify a modification in the Windows registry - to prevent users from seeing all the files with hidden attributes. This event or - techniques are known on some worm and trojan spy malware that will drop hidden files - on the infected machine. +description: The following analytic detects modifications to the Windows registry + that disable the display of hidden files. It leverages data from the Endpoint.Registry + data model, specifically monitoring changes to registry paths associated with hidden + file settings. This activity is significant because malware, such as worms and trojan + spyware, often use hidden files to evade detection. If confirmed malicious, this + behavior could allow an attacker to conceal malicious files on the system, making + it harder for security tools and analysts to identify and remove the threat. data_source: - Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden" OR (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt" Registry.registry_value_data = "0x00000001") OR (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden" Registry.registry_value_data = "0x00000000" )) BY _time span=1h Registry.user Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid - | `drop_dm_object_name(Registry)` - | where isnotnull(registry_value_data) - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `disable_show_hidden_files_filter`' +search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry + WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden" + OR (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt" + Registry.registry_value_data = "0x00000001") OR (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden" + Registry.registry_value_data = "0x00000000" )) BY _time span=1h Registry.user Registry.dest + Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data + Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_show_hidden_files_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical @@ -61,12 +67,15 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-security.log source: WinEventLog:Security sourcetype: WinEventLog - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-system.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-system.log source: WinEventLog:System sourcetype: WinEventLog - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog \ No newline at end of file + sourcetype: xmlwineventlog diff --git a/detections/endpoint/disable_uac_remote_restriction.yml b/detections/endpoint/disable_uac_remote_restriction.yml index ce59d73360..8473e91fcd 100644 --- a/detections/endpoint/disable_uac_remote_restriction.yml +++ b/detections/endpoint/disable_uac_remote_restriction.yml @@ -1,15 +1,18 @@ name: Disable UAC Remote Restriction id: 9928b732-210e-11ec-b65e-acde48001122 -version: 4 -date: '2023-12-27' +version: 5 +date: '2024-05-24' author: Steven Dick, Teoderick Contreras, Splunk status: production type: TTP -description: This analytic is to detect a suspicious modification of registry to disable - UAC remote restriction. This technique was well documented in Microsoft page where - attacker may modify this registry value to bypassed UAC feature of windows host. - This is a good indicator that some tries to bypassed UAC to suspicious process or - gain privilege escalation. +description: The following analytic detects the modification of the registry to disable + UAC remote restriction by setting the "LocalAccountTokenFilterPolicy" value to "0x00000001". + It leverages data from the Endpoint.Registry data model, specifically monitoring + changes to the registry path "*\\CurrentVersion\\Policies\\System*". This activity + is significant because disabling UAC remote restriction can allow an attacker to + bypass User Account Control (UAC) protections, potentially leading to privilege + escalation. If confirmed malicious, this could enable an attacker to execute unauthorized + actions with elevated privileges, compromising the security of the affected system. data_source: - Sysmon EventID 12 - Sysmon EventID 13 @@ -65,6 +68,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/LocalAccountTokenFilterPolicy/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/LocalAccountTokenFilterPolicy/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/disable_windows_app_hotkeys.yml b/detections/endpoint/disable_windows_app_hotkeys.yml index 3372280e3d..1550c2f7dd 100644 --- a/detections/endpoint/disable_windows_app_hotkeys.yml +++ b/detections/endpoint/disable_windows_app_hotkeys.yml @@ -1,24 +1,26 @@ name: Disable Windows App Hotkeys id: 1490f224-ad8b-11eb-8c4f-acde48001122 -version: 4 -date: '2023-04-27' +version: 5 +date: '2024-05-11' author: Steven Dick, Teoderick Contreras, Splunkk status: production type: TTP -description: The following analytic detects a suspicious registry modification to disable Windows - hotkey (shortcut keys) for native Windows applications. This technique is commonly - used to disable certain or several Windows applications like `taskmgr.exe` and `cmd.exe`. - This technique is used to impair the analyst in analyzing and removing the attacker - implant in compromised systems. +description: The following analytic detects a suspicious registry modification aimed + at disabling Windows hotkeys for native applications. It leverages data from the + Endpoint.Registry data model, focusing on specific registry paths and values indicative + of this behavior. This activity is significant as it can impair an analyst's ability + to use essential tools like Task Manager and Command Prompt, hindering incident + response efforts. If confirmed malicious, this technique can allow an attacker to + maintain persistence and evade detection, complicating the remediation process. data_source: - Sysmon EventID 12 - Sysmon EventID 13 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*\\Windows NT\\CurrentVersion\\Image File Execution Options\\*" AND Registry.registry_value_data= "HotKey Disabled" AND Registry.registry_value_name - = "Debugger") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name - Registry.registry_value_name Registry.registry_value_data Registry.process_guid - | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) + = "Debugger") BY _time span=1h Registry.dest Registry.user Registry.registry_path + Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data + Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_windows_app_hotkeys_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your @@ -61,6 +63,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/hotkey_disabled_hidden_user/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/hotkey_disabled_hidden_user/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/disable_windows_smartscreen_protection.yml b/detections/endpoint/disable_windows_smartscreen_protection.yml index d7db650147..e56a8075bd 100644 --- a/detections/endpoint/disable_windows_smartscreen_protection.yml +++ b/detections/endpoint/disable_windows_smartscreen_protection.yml @@ -1,26 +1,29 @@ name: Disable Windows SmartScreen Protection id: 664f0fd0-91ff-11eb-a56f-acde48001122 -version: 5 -date: '2024-02-14' +version: 6 +date: '2024-05-26' author: Steven Dick, Teoderick Contreras, Splunk status: production type: TTP -description: The following search identifies a modification of registry to disable - the smartscreen protection of windows machine. This is windows feature provide an - early warning system against website that might engage in phishing attack or malware - distribution. This modification are seen in RAT malware to cover their tracks upon - downloading other of its component or other payload. +description: The following analytic detects modifications to the Windows registry + that disable SmartScreen protection. It leverages data from the Endpoint.Registry + data model, specifically monitoring changes to registry paths associated with SmartScreen + settings. This activity is significant because SmartScreen provides an early warning + system against phishing and malware. Disabling it can indicate malicious intent, + often seen in Remote Access Trojans (RATs) to evade detection while downloading + additional payloads. If confirmed malicious, this action could allow attackers to + bypass security measures, increasing the risk of successful phishing attacks and + malware infections. data_source: - Sysmon EventID 12 - Sysmon EventID 13 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry - WHERE Registry.registry_path IN ("*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SmartScreenEnabled", "*\\Microsoft\\Windows\\System\\EnableSmartScreen") - Registry.registry_value_data IN ("Off", "0") - BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid - | `drop_dm_object_name(Registry)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `disable_windows_smartscreen_protection_filter`' + WHERE Registry.registry_path IN ("*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SmartScreenEnabled", + "*\\Microsoft\\Windows\\System\\EnableSmartScreen") Registry.registry_value_data IN + ("Off", "0") BY _time span=1h Registry.dest Registry.user Registry.registry_path + Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data + Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `disable_windows_smartscreen_protection_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical @@ -66,6 +69,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog \ No newline at end of file + sourcetype: xmlwineventlog diff --git a/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_get_aduser.yml b/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_get_aduser.yml index f749d913ae..fc69094941 100644 --- a/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_get_aduser.yml +++ b/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_get_aduser.yml @@ -1,18 +1,18 @@ name: Disabled Kerberos Pre-Authentication Discovery With Get-ADUser id: 114c6bfe-9406-11ec-bcce-acde48001122 -version: 2 -date: '2023-12-27' +version: 3 +date: '2024-05-29' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) - to identify the execution of the `Get-ADUser` commandlet with specific parameters. - `Get-ADUser` is part of the Active Directory PowerShell module used to manage Windows - Active Directory networks. As the name suggests, `Get-ADUser` is used to query for - domain users. With the appropiate parameters, Get-ADUser allows adversaries to discover - domain accounts with Kerberos Pre Authentication disabled.\ Red Teams and adversaries - alike use may abuse Get-ADUSer to enumerate these accounts and attempt to crack - their passwords offline. +description: The following analytic detects the execution of the `Get-ADUser` PowerShell + cmdlet with parameters indicating a search for domain accounts with Kerberos Pre-Authentication + disabled. It leverages PowerShell Script Block Logging (EventCode=4104) to identify + this specific activity. This behavior is significant because discovering accounts + with Kerberos Pre-Authentication disabled can allow adversaries to perform offline + password cracking. If confirmed malicious, this activity could lead to unauthorized + access to user accounts, potentially compromising sensitive information and escalating + privileges within the network. data_source: - Powershell Script Block Logging 4104 search: ' `powershell` EventCode=4104 (ScriptBlockText = "*Get-ADUser*" AND ScriptBlockText="*4194304*") @@ -60,6 +60,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.004/getaduser/get-aduser-powershell.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.004/getaduser/get-aduser-powershell.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_powerview.yml b/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_powerview.yml index e566d382e0..ffc44e5bce 100644 --- a/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_powerview.yml +++ b/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_powerview.yml @@ -1,24 +1,24 @@ name: Disabled Kerberos Pre-Authentication Discovery With PowerView id: b0b34e2c-90de-11ec-baeb-acde48001122 -version: 2 -date: '2022-05-03' +version: 3 +date: '2024-05-12' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) - to identify the execution of the `Get-DomainUser` commandlet with specific parameters. - `Get-DomainUser` is part of PowerView, a PowerShell tool used to perform enumeration - on Windows Active Directory networks. As the name suggests, `Get-DomainUser` is - used to identify domain users and combining it with `-PreauthNotRequired` allows - adversaries to discover domain accounts with Kerberos Pre Authentication disabled. - - Red Teams and adversaries alike use may leverage PowerView to enumerate these accounts - and attempt to crack their passwords offline. +description: The following analytic detects the execution of the `Get-DomainUser` + commandlet with the `-PreauthNotRequired` parameter using PowerShell Script Block + Logging (EventCode=4104). This command is part of PowerView, a tool used for enumerating + Windows Active Directory networks. Identifying domain accounts with Kerberos Pre-Authentication + disabled is significant because adversaries can leverage this information to attempt + offline password cracking. If confirmed malicious, this activity could lead to unauthorized + access to domain accounts, potentially compromising sensitive information and escalating + privileges within the network. data_source: - Powershell Script Block Logging 4104 search: ' `powershell` EventCode=4104 (ScriptBlockText = "*Get-DomainUser*" AND ScriptBlockText="*PreauthNotRequired*") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer - UserID EventCode ScriptBlockText | rename Computer as dest | `security_content_ctime(firstTime)` | `disabled_kerberos_pre_authentication_discovery_with_powerview_filter`' + UserID EventCode ScriptBlockText | rename Computer as dest | `security_content_ctime(firstTime)` + | `disabled_kerberos_pre_authentication_discovery_with_powerview_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. @@ -58,6 +58,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/getdomainuser.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/getdomainuser.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/disabling_cmd_application.yml b/detections/endpoint/disabling_cmd_application.yml index 37162d7d44..b230da25d7 100644 --- a/detections/endpoint/disabling_cmd_application.yml +++ b/detections/endpoint/disabling_cmd_application.yml @@ -1,21 +1,25 @@ name: Disabling CMD Application id: ff86077c-9212-11eb-a1e6-acde48001122 -version: 5 -date: '2024-04-26' +version: 6 +date: '2024-05-16' author: Steven Dick, Teoderick Contreras, Splunk status: production type: TTP -description: This search is to identify modification in registry to disable cmd prompt - application. This technique is commonly seen in RAT, Trojan or WORM to prevent triaging - or deleting there samples through cmd application which is one of the tool of analyst - to traverse on directory and files. +description: The following analytic detects modifications to the registry that disable + the CMD prompt application. It leverages data from the Endpoint.Registry data model, + specifically looking for changes to the "DisableCMD" registry value. This activity + is significant because disabling CMD can hinder an analyst's ability to investigate + and remediate threats, a tactic often used by malware such as RATs, Trojans, or + Worms. If confirmed malicious, this could prevent security teams from using CMD + for directory and file traversal, complicating incident response and allowing the + attacker to maintain persistence. data_source: - Sysmon EventID 12 - Sysmon EventID 13 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\DisableCMD" - Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user Registry.registry_path - Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data + Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user + Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_cmd_application_filter`' how_to_implement: To successfully implement this search, you need to be ingesting @@ -64,6 +68,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/disabling_defender_services.yml b/detections/endpoint/disabling_defender_services.yml index 5ffed2d1f3..7b116079f4 100644 --- a/detections/endpoint/disabling_defender_services.yml +++ b/detections/endpoint/disabling_defender_services.yml @@ -1,15 +1,18 @@ name: Disabling Defender Services id: 911eacdc-317f-11ec-ad30-acde48001122 -version: 4 -date: '2023-04-27' +version: 5 +date: '2024-05-19' author: Steven Dick, Teoderick Contreras, Splunk status: production type: TTP -description: This particular behavior is typically executed when an adversaries or - malware gains access to an endpoint and beings to perform execution and to evade - detections. Usually, a batch (.bat) will be executed and multiple registry and scheduled - task modifications will occur. During triage, review parallel processes and identify - any further file modifications. Endpoint should be isolated. +description: The following analytic detects the disabling of Windows Defender services + by monitoring registry modifications. It leverages registry event data to identify + changes to specific registry paths associated with Defender services, where the + 'Start' value is set to '0x00000004'. This activity is significant because disabling + Defender services can indicate an attempt by an adversary to evade detection and + maintain persistence on the endpoint. If confirmed malicious, this action could + allow attackers to execute further malicious activities undetected, leading to potential + data breaches or system compromise. data_source: - Sysmon EventID 12 - Sysmon EventID 13 @@ -17,9 +20,9 @@ search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint WHERE (Registry.registry_path = "*\\System\\CurrentControlSet\\Services\\*" AND (Registry.registry_path IN("*WdBoot*", "*WdFilter*", "*WdNisDrv*", "*WdNisSvc*","*WinDefend*", "*SecurityHealthService*")) AND Registry.registry_value_name = Start Registry.registry_value_data - = 0x00000004) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name - Registry.registry_value_name Registry.registry_value_data Registry.process_guid - | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) + = 0x00000004) BY _time span=1h Registry.dest Registry.user Registry.registry_path + Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data + Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_defender_services_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your @@ -66,6 +69,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_av/sysmon2.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_av/sysmon2.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/disabling_folderoptions_windows_feature.yml b/detections/endpoint/disabling_folderoptions_windows_feature.yml index b9c7f6cf5a..f02279df0b 100644 --- a/detections/endpoint/disabling_folderoptions_windows_feature.yml +++ b/detections/endpoint/disabling_folderoptions_windows_feature.yml @@ -1,15 +1,19 @@ name: Disabling FolderOptions Windows Feature id: 83776de4-921a-11eb-868a-acde48001122 -version: 5 -date: '2024-04-26' +version: 6 +date: '2024-05-11' author: Steven Dick, Teoderick Contreras, Splunk status: production type: TTP -description: This search is to identify registry modification to disable folder options - feature of windows to show hidden files, file extension and etc. This technique - used by malware in combination if disabling show hidden files feature to hide their - files and also to hide the file extension to lure the user base on file icons or - fake file extensions. +description: The following analytic detects the modification of the Windows registry + to disable the Folder Options feature, which prevents users from showing hidden + files and file extensions. It leverages data from the Endpoint.Registry data model, + specifically monitoring changes to the registry path + "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoFolderOptions" + with a value of "0x00000001". This activity is significant as it is commonly used + by malware to conceal malicious files and deceive users with fake file extensions. + If confirmed malicious, this could allow an attacker to hide their presence and + malicious files, making detection and remediation more difficult. data_source: - Sysmon EventID 12 - Sysmon EventID 13 @@ -64,6 +68,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/disabling_norun_windows_app.yml b/detections/endpoint/disabling_norun_windows_app.yml index 2d9943c116..921201e39f 100644 --- a/detections/endpoint/disabling_norun_windows_app.yml +++ b/detections/endpoint/disabling_norun_windows_app.yml @@ -1,22 +1,24 @@ name: Disabling NoRun Windows App id: de81bc46-9213-11eb-adc9-acde48001122 -version: 5 -date: '2024-04-26' +version: 6 +date: '2024-05-13' author: Steven Dick, Teoderick Contreras, Splunk status: production type: TTP -description: This search is to identify modification of registry to disable run application - in window start menu. this application is known to be a helpful shortcut to windows - OS user to run known application and also to execute some reg or batch script. This - technique is used malware to make cleaning of its infection more harder by preventing - known application run easily through run shortcut. +description: The following analytic detects the modification of the Windows registry + to disable the Run application in the Start menu. It leverages data from the Endpoint.Registry + data model, specifically monitoring changes to the registry path "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoRun" + with a value of "0x00000001". This activity is significant because the Run application + is a useful shortcut for executing known applications and scripts. If confirmed + malicious, this action could hinder system cleaning efforts and make it more difficult + to run essential tools, thereby aiding malware persistence. data_source: - Sysmon EventID 12 - Sysmon EventID 13 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoRun" - Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user Registry.registry_path - Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data + Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user + Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_norun_windows_app_filter`' how_to_implement: To successfully implement this search, you need to be ingesting @@ -66,6 +68,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/disabling_systemrestore_in_registry.yml b/detections/endpoint/disabling_systemrestore_in_registry.yml index 7ede895e84..432a5d661b 100644 --- a/detections/endpoint/disabling_systemrestore_in_registry.yml +++ b/detections/endpoint/disabling_systemrestore_in_registry.yml @@ -1,14 +1,18 @@ name: Disabling SystemRestore In Registry id: f4f837e2-91fb-11eb-8bf6-acde48001122 -version: 5 -date: '2024-02-14' +version: 6 +date: '2024-05-22' author: Steven Dick, Teoderick Contreras, Splunk status: production type: TTP -description: The following search identifies the modification of registry related - in disabling the system restore of a machine. This event or behavior are seen in - some RAT malware to make the restore of the infected machine difficult and keep - their infection on the box. +description: The following analytic detects the modification of registry keys to disable + System Restore on a machine. It leverages data from the Endpoint.Registry data model, + specifically monitoring changes to registry paths associated with System Restore + settings. This activity is significant because disabling System Restore can hinder + recovery efforts and is a tactic often used by Remote Access Trojans (RATs) to maintain + persistence on an infected system. If confirmed malicious, this action could prevent + system recovery, allowing the attacker to sustain their foothold and potentially + cause further damage or data loss. data_source: - Sysmon EventID 12 - Sysmon EventID 13 @@ -17,8 +21,8 @@ search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint OR Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\\DisableConfig" OR Registry.registry_path= "*\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore\\DisableSR" OR Registry.registry_path= "*\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore\\DisableConfig" - Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user Registry.registry_path - Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data + Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user + Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_systemrestore_in_registry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting @@ -66,15 +70,19 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-security.log source: WinEventLog:Security sourcetype: WinEventLog - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-system.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-system.log source: WinEventLog:System sourcetype: WinEventLog - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-xml.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/disabling_task_manager.yml b/detections/endpoint/disabling_task_manager.yml index d151a34763..a6493c253f 100644 --- a/detections/endpoint/disabling_task_manager.yml +++ b/detections/endpoint/disabling_task_manager.yml @@ -1,21 +1,25 @@ name: Disabling Task Manager id: dac279bc-9202-11eb-b7fb-acde48001122 -version: 5 -date: '2024-04-26' +version: 6 +date: '2024-05-15' author: Steven Dick, Teoderick Contreras, Splunk status: production type: TTP -description: This search is to identifies modification of registry to disable the - task manager of windows operating system. this event or technique are commonly seen - in malware such as RAT, Trojan, TrojanSpy or worm to prevent the user to terminate - their process. +description: The following analytic identifies modifications to the Windows registry + that disable Task Manager. It leverages data from the Endpoint.Registry data model, + specifically looking for changes to the registry path + "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr" + with a value of "0x00000001". This activity is significant as it is commonly associated + with malware such as RATs, Trojans, and worms, which disable Task Manager to prevent + users from terminating malicious processes. If confirmed malicious, this could allow + attackers to maintain persistence and control over the infected system. data_source: - Sysmon EventID 12 - Sysmon EventID 13 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr" - Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user Registry.registry_path - Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data + Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user + Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_task_manager_filter`' how_to_implement: To successfully implement this search, you need to be ingesting @@ -63,6 +67,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/dllhost_with_no_command_line_arguments_with_network.yml b/detections/endpoint/dllhost_with_no_command_line_arguments_with_network.yml index f243c25516..6b96a1dd98 100644 --- a/detections/endpoint/dllhost_with_no_command_line_arguments_with_network.yml +++ b/detections/endpoint/dllhost_with_no_command_line_arguments_with_network.yml @@ -1,16 +1,18 @@ name: DLLHost with no Command Line Arguments with Network id: f1c07594-a141-11eb-8407-acde48001122 -version: 4 -date: '2023-07-10' +version: 5 +date: '2024-05-26' author: Steven Dick, Michael Haag, Splunk status: experimental type: TTP -description: The following analytic identifies DLLHost.exe with no command line arguments - with a network connection. It is unusual for DLLHost.exe to execute with no command - line arguments present. This particular behavior is common with malicious software, - including Cobalt Strike. During investigation, triage any network connections and - parallel processes. Identify any suspicious module loads related to credential dumping - or file writes. DLLHost.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. +description: The following analytic detects instances of DLLHost.exe running without + command line arguments while establishing a network connection. This behavior is + identified using Endpoint Detection and Response (EDR) telemetry, focusing on process + execution and network activity data. It is significant because DLLHost.exe typically + runs with specific arguments, and its absence can indicate malicious activity, such + as Cobalt Strike usage. If confirmed malicious, this activity could allow attackers + to execute code, move laterally, or exfiltrate data, posing a severe threat to the + network's security. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -83,6 +85,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon_dllhost.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon_dllhost.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/dns_exfiltration_using_nslookup_app.yml b/detections/endpoint/dns_exfiltration_using_nslookup_app.yml index 996aef2d47..8fa692ce80 100644 --- a/detections/endpoint/dns_exfiltration_using_nslookup_app.yml +++ b/detections/endpoint/dns_exfiltration_using_nslookup_app.yml @@ -1,16 +1,18 @@ name: DNS Exfiltration Using Nslookup App id: 2452e632-9e0d-11eb-bacd-acde48001122 -version: 1 -date: '2021-04-15' +version: 2 +date: '2024-05-19' author: Teoderick Contreras, Splunk status: production type: TTP -description: this search is to detect potential DNS exfiltration using nslookup application. - This technique are seen in couple of malware and APT group to exfiltrated collected - data in a infected machine or infected network. This detection is looking for unique - use of nslookup where it tries to use specific record type, TXT, A, AAAA, that are - commonly used by attacker and also the retry parameter which is designed to query - C2 DNS multiple tries. +description: The following analytic identifies potential DNS exfiltration using the + nslookup application. It detects specific command-line parameters such as query + type (TXT, A, AAAA) and retry options, which are commonly used by attackers to exfiltrate + data. The detection leverages Endpoint Detection and Response (EDR) telemetry, focusing + on process execution logs. This activity is significant as it may indicate an attempt + to communicate with a Command and Control (C2) server or exfiltrate sensitive data. + If confirmed malicious, this could lead to data breaches and unauthorized access + to critical information. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` values(Processes.process) as process @@ -18,9 +20,9 @@ search: '| tstats `security_content_summariesonly` values(Processes.process) as count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "nslookup.exe" Processes.process = "*-querytype=*" OR Processes.process="*-qt=*" OR Processes.process="*-q=*" OR Processes.process="-type=*" - OR Processes.process="*-retry=*" by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process_name | - `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `dns_exfiltration_using_nslookup_app_filter`' + OR Processes.process="*-retry=*" by Processes.dest Processes.user Processes.process_name + Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dns_exfiltration_using_nslookup_app_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -87,6 +89,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048.003/nslookup_exfil/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048.003/nslookup_exfil/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/domain_account_discovery_with_dsquery.yml b/detections/endpoint/domain_account_discovery_with_dsquery.yml index 5d73a10016..77893e8ccf 100644 --- a/detections/endpoint/domain_account_discovery_with_dsquery.yml +++ b/detections/endpoint/domain_account_discovery_with_dsquery.yml @@ -1,14 +1,18 @@ name: Domain Account Discovery with Dsquery id: b1a8ce04-04c2-11ec-bea7-acde48001122 -version: 1 -date: '2021-08-24' +version: 2 +date: '2024-05-26' author: Teoderick Contreras, Mauricio Velazco, Splunk status: production type: Hunting -description: This analytic looks for the execution of `dsquery.exe` with command-line - arguments utilized to discover domain users. The `user` argument returns a list - of all users registered in the domain. Red Teams and adversaries alike engage in - remote system discovery for situational awareness and Active Directory Discovery. +description: The following analytic identifies the execution of `dsquery.exe` with + command-line arguments used to discover domain users. It leverages data from Endpoint + Detection and Response (EDR) agents, focusing on process names and command-line + executions. This activity is significant as it indicates potential reconnaissance + efforts by adversaries to map out domain users, which is a common precursor to further + attacks. If confirmed malicious, this behavior could allow attackers to gain insights + into user accounts, facilitating subsequent actions like privilege escalation or + lateral movement within the network. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -72,6 +76,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/domain_account_discovery_with_net_app.yml b/detections/endpoint/domain_account_discovery_with_net_app.yml index eee2ac9b93..3fa0097ee5 100644 --- a/detections/endpoint/domain_account_discovery_with_net_app.yml +++ b/detections/endpoint/domain_account_discovery_with_net_app.yml @@ -1,14 +1,17 @@ name: Domain Account Discovery With Net App id: 98f6a534-04c2-11ec-96b2-acde48001122 -version: 1 -date: '2023-06-13' +version: 2 +date: '2024-05-27' author: Teoderick Contreras, Mauricio Velazco, Splunk status: production type: TTP -description: This analytic looks for the execution of `net.exe` or `net1.exe` with - command-line arguments utilized to query for domain users. Red Teams and adversaries - alike may use net.exe to enumerate domain users for situational awareness and Active - Directory Discovery. +description: The following analytic detects the execution of `net.exe` or `net1.exe` + with command-line arguments used to query domain users. It leverages data from Endpoint + Detection and Response (EDR) agents, focusing on process names and command-line + executions. This activity is significant as it may indicate an attempt by adversaries + to enumerate domain users for situational awareness and Active Directory discovery. + If confirmed malicious, this behavior could allow attackers to map out user accounts, + potentially leading to further exploitation or lateral movement within the network. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -74,6 +77,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/domain_controller_discovery_with_nltest.yml b/detections/endpoint/domain_controller_discovery_with_nltest.yml index 82c3b1367d..d93ad4be9e 100644 --- a/detections/endpoint/domain_controller_discovery_with_nltest.yml +++ b/detections/endpoint/domain_controller_discovery_with_nltest.yml @@ -1,15 +1,17 @@ name: Domain Controller Discovery with Nltest id: 41243735-89a7-4c83-bcdd-570aa78f00a1 -version: 1 -date: '2023-12-27' +version: 2 +date: '2024-05-15' author: Mauricio Velazco, Splunk status: production type: TTP -description: This analytic looks for the execution of `nltest.exe` with command-line - arguments utilized to discover remote systems. The arguments `/dclist:` and '/dsgetdc:', - can be used to return a list of all domain controllers. Red Teams and adversaries - alike may use nltest.exe to identify domain controllers in a Windows Domain for - situational awareness and Active Directory Discovery. +description: The following analytic detects the execution of `nltest.exe` with command-line + arguments `/dclist:` or `/dsgetdc:` to discover domain controllers. It leverages + Endpoint Detection and Response (EDR) data, focusing on process names and command-line + arguments. This activity is significant because both Red Teams and adversaries use + `nltest.exe` for situational awareness and Active Directory discovery. If confirmed + malicious, this behavior could allow attackers to map out domain controllers, facilitating + further attacks such as privilege escalation or lateral movement within the network. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -67,6 +69,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/domain_controller_discovery_with_wmic.yml b/detections/endpoint/domain_controller_discovery_with_wmic.yml index 4ee268234a..9fad87c1ad 100644 --- a/detections/endpoint/domain_controller_discovery_with_wmic.yml +++ b/detections/endpoint/domain_controller_discovery_with_wmic.yml @@ -1,15 +1,18 @@ name: Domain Controller Discovery with Wmic id: 64c7adaa-48ee-483c-b0d6-7175bc65e6cc -version: 1 -date: '2021-09-01' +version: 2 +date: '2024-05-25' author: Mauricio Velazco, Splunk status: production type: Hunting -description: This analytic looks for the execution of `wmic.exe` with command-line - arguments utilized to discover remote systems. The arguments utilized in this command - line return a list of all domain controllers in a Windows domain. Red Teams and - adversaries alike use *.exe to identify remote systems for situational awareness - and Active Directory Discovery. +description: The following analytic identifies the execution of `wmic.exe` with command-line + arguments used to discover domain controllers in a Windows domain. It leverages + data from Endpoint Detection and Response (EDR) agents, focusing on process names + and command-line arguments. This activity is significant because it is commonly + used by adversaries and Red Teams for situational awareness and Active Directory + discovery. If confirmed malicious, this behavior could allow attackers to map out + the network, identify key systems, and plan further attacks, potentially leading + to unauthorized access and data exfiltration. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -65,6 +68,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/domain_group_discovery_with_adsisearcher.yml b/detections/endpoint/domain_group_discovery_with_adsisearcher.yml index 1b3925c424..9627870eb9 100644 --- a/detections/endpoint/domain_group_discovery_with_adsisearcher.yml +++ b/detections/endpoint/domain_group_discovery_with_adsisearcher.yml @@ -1,19 +1,24 @@ name: Domain Group Discovery with Adsisearcher id: 089c862f-5f83-49b5-b1c8-7e4ff66560c7 -version: 2 -date: '2024-04-26' +version: 3 +date: '2024-05-12' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) - to identify the `[Adsisearcher]` type accelerator being used to query Active Directory - for domain groups. Red Teams and adversaries may leverage `[Adsisearcher]` to enumerate - domain groups for situational awareness and Active Directory Discovery. +description: The following analytic detects the use of the `[Adsisearcher]` type accelerator + in PowerShell to query Active Directory for domain groups. It leverages PowerShell + Script Block Logging (EventCode=4104) to identify specific script blocks containing + `[adsisearcher]` and group-related queries. This activity is significant as it may + indicate an attempt by adversaries or Red Teams to enumerate domain groups for situational + awareness and Active Directory discovery. If confirmed malicious, this behavior + could lead to further reconnaissance, privilege escalation, or lateral movement + within the network. data_source: - Powershell Script Block Logging 4104 -search: '`powershell` (ScriptBlockText = "*[adsisearcher]*" AND ScriptBlockText = "*(objectcategory=group)*" - AND ScriptBlockText = "*findAll()*") | stats count min(_time) as firstTime max(_time) as - lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest |rename UserID as user | `security_content_ctime(firstTime)` +search: '`powershell` (ScriptBlockText = "*[adsisearcher]*" AND ScriptBlockText = + "*(objectcategory=group)*" AND ScriptBlockText = "*findAll()*") | stats count min(_time) + as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID + | rename Computer as dest |rename UserID as user | `security_content_ctime(firstTime)` | `domain_group_discovery_with_adsisearcher_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here @@ -44,14 +49,15 @@ tags: required_fields: - _time - EventCode - - Message - - ComputerName - - User + - ScriptBlockText + - Computer + - UserID risk_score: 18 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/domain_group_discovery_with_adsisearcher/windows-powershell-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/domain_group_discovery_with_adsisearcher/windows-powershell-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/domain_group_discovery_with_dsquery.yml b/detections/endpoint/domain_group_discovery_with_dsquery.yml index 9b869e342c..f30afa419a 100644 --- a/detections/endpoint/domain_group_discovery_with_dsquery.yml +++ b/detections/endpoint/domain_group_discovery_with_dsquery.yml @@ -1,14 +1,18 @@ name: Domain Group Discovery With Dsquery id: f0c9d62f-a232-4edd-b17e-bc409fb133d4 -version: 1 -date: '2021-09-01' +version: 2 +date: '2024-05-22' author: Mauricio Velazco, Splunk status: production type: Hunting -description: This analytic looks for the execution of `dsquery.exe` with command-line - arguments utilized to query for domain groups. The argument `group`, returns a list - of all domain groups. Red Teams and adversaries alike use may leverage dsquery.exe - to enumerate domain groups for situational awareness and Active Directory Discovery. +description: The following analytic identifies the execution of `dsquery.exe` with + command-line arguments used to query for domain groups. It leverages Endpoint Detection + and Response (EDR) data, focusing on process names and command-line arguments. This + activity is significant because both Red Teams and adversaries use `dsquery.exe` + to enumerate domain groups, gaining situational awareness and facilitating further + Active Directory discovery. If confirmed malicious, this behavior could allow attackers + to map out the domain structure, identify high-value targets, and plan subsequent + attacks, potentially leading to privilege escalation or data exfiltration. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -65,6 +69,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/domain_group_discovery_with_net.yml b/detections/endpoint/domain_group_discovery_with_net.yml index 03f5ca9c7c..4707b6fecc 100644 --- a/detections/endpoint/domain_group_discovery_with_net.yml +++ b/detections/endpoint/domain_group_discovery_with_net.yml @@ -1,14 +1,18 @@ name: Domain Group Discovery With Net id: f2f14ac7-fa81-471a-80d5-7eb65c3c7349 -version: 1 -date: '2023-06-13' +version: 2 +date: '2024-05-28' author: Mauricio Velazco, Splunk status: production type: Hunting -description: This analytic looks for the execution of `net.exe` with command-line - arguments utilized to query for domain groups. The argument `group /domain`, returns - a list of all domain groups. Red Teams and adversaries alike use net.exe to enumerate - domain groups for situational awareness and Active Directory Discovery. +description: The following analytic identifies the execution of `net.exe` with command-line + arguments used to query domain groups, specifically `group /domain`. It leverages + data from Endpoint Detection and Response (EDR) agents, focusing on process names + and command-line arguments. This activity is significant as it indicates potential + reconnaissance efforts by adversaries to enumerate domain groups, which is a common + step in Active Directory Discovery. If confirmed malicious, this behavior could + allow attackers to gain insights into the domain structure, aiding in further attacks + such as privilege escalation or lateral movement. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -69,6 +73,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/domain_group_discovery_with_wmic.yml b/detections/endpoint/domain_group_discovery_with_wmic.yml index 3ee3016a51..5ee7680ba9 100644 --- a/detections/endpoint/domain_group_discovery_with_wmic.yml +++ b/detections/endpoint/domain_group_discovery_with_wmic.yml @@ -1,14 +1,18 @@ name: Domain Group Discovery With Wmic id: a87736a6-95cd-4728-8689-3c64d5026b3e -version: 1 -date: '2021-08-25' +version: 2 +date: '2024-05-12' author: Mauricio Velazco, Splunk status: production type: Hunting -description: This analytic looks for the execution of `wmic.exe` with command-line - arguments utilized to query for domain groups. The arguments utilized in this command - return a list of all domain groups. Red Teams and adversaries alike use wmic.exe - to enumerate domain groups for situational awareness and Active Directory Discovery. +description: The following analytic identifies the execution of `wmic.exe` with command-line + arguments used to query for domain groups. It leverages data from Endpoint Detection + and Response (EDR) agents, focusing on process names and command-line executions. + This activity is significant as it indicates potential reconnaissance efforts by + adversaries to gain situational awareness and map out Active Directory structures. + If confirmed malicious, this behavior could allow attackers to identify and target + specific domain groups, potentially leading to privilege escalation or lateral movement + within the network. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -66,6 +70,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/download_files_using_telegram.yml b/detections/endpoint/download_files_using_telegram.yml index a3877fb104..b8ebf9ba8b 100644 --- a/detections/endpoint/download_files_using_telegram.yml +++ b/detections/endpoint/download_files_using_telegram.yml @@ -1,20 +1,22 @@ name: Download Files Using Telegram id: 58194e28-ae5e-11eb-8912-acde48001122 -version: 1 -date: '2021-05-06' +version: 2 +date: '2024-05-23' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic will identify a suspicious download by the Telegram - application on a Windows system. This behavior was identified on a honeypot where - the adversary gained access, installed Telegram and followed through with downloading - different network scanners (port, bruteforcer, masscan) to the system and later - used to mapped the whole network and further move laterally. +description: The following analytic detects suspicious file downloads by the Telegram + application on a Windows system. It leverages Sysmon EventCode 15 to identify instances + where Telegram.exe creates files with a Zone.Identifier, indicating a download. + This activity is significant as it may indicate an adversary using Telegram to download + malicious tools, such as network scanners, for further exploitation. If confirmed + malicious, this behavior could lead to network mapping, lateral movement, and potential + compromise of additional systems within the network. data_source: - Sysmon EventID 15 search: '`sysmon` EventCode= 15 process_name = "telegram.exe" TargetFilename = "*:Zone.Identifier" - |stats count min(_time) as firstTime max(_time) as lastTime by dest EventCode - process_name process_id TargetFilename Hash | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + |stats count min(_time) as firstTime max(_time) as lastTime by dest EventCode process_name + process_id TargetFilename Hash | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `download_files_using_telegram_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and TargetFilename from your endpoints or Events that @@ -58,6 +60,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/minergate/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/minergate/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/drop_icedid_license_dat.yml b/detections/endpoint/drop_icedid_license_dat.yml index c3314fda54..67eed26a0a 100644 --- a/detections/endpoint/drop_icedid_license_dat.yml +++ b/detections/endpoint/drop_icedid_license_dat.yml @@ -1,13 +1,18 @@ name: Drop IcedID License dat id: b7a045fc-f14a-11eb-8e79-acde48001122 -version: 1 -date: '2021-07-30' +version: 2 +date: '2024-05-25' author: Teoderick Contreras, Splunk status: production type: Hunting -description: This search is to detect dropping a suspicious file named as "license.dat" - in %appdata%. This behavior seen in latest IcedID malware that contain the actual - core bot that will be injected in other process to do banking stealing. +description: The following analytic detects the dropping of a suspicious file named + "license.dat" in %appdata% or %programdata%. This behavior is associated with the + IcedID malware, which uses this file to inject its core bot into other processes + for banking credential theft. The detection leverages Sysmon EventCode 11 to monitor + file creation events in these directories. This activity is significant as it indicates + a potential malware infection aiming to steal sensitive banking information. If + confirmed malicious, the attacker could gain unauthorized access to financial data, + leading to significant financial loss and data breaches. data_source: - Sysmon EventID 1 search: '`sysmon` EventCode= 11 TargetFilename = "*\\license.dat" AND (TargetFilename="*\\appdata\\*" @@ -51,6 +56,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/simulated_icedid/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/simulated_icedid/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog \ No newline at end of file + sourcetype: xmlwineventlog diff --git a/detections/endpoint/dsquery_domain_discovery.yml b/detections/endpoint/dsquery_domain_discovery.yml index c8cc2386d4..89ab1635e5 100644 --- a/detections/endpoint/dsquery_domain_discovery.yml +++ b/detections/endpoint/dsquery_domain_discovery.yml @@ -1,39 +1,26 @@ name: DSQuery Domain Discovery id: cc316032-924a-11eb-91a2-acde48001122 -version: 1 -date: '2021-03-31' +version: 2 +date: '2024-05-31' author: Michael Haag, Splunk status: production type: TTP -description: 'The following analytic identifies "dsquery.exe" execution with arguments - looking for `TrustedDomain` query directly on the command-line. This is typically - indicative of an Administrator or adversary perform domain trust discovery. Note - that this query does not identify any other variations of "Dsquery.exe" usage. - - Within this detection, it is assumed `dsquery.exe` is not moved or renamed. - - The search will return the first time and last time these command-line arguments - were used for these executions, as well as the target system, the user, process - "dsquery.exe" and its parent process. - - DSQuery.exe is natively found in `C:\Windows\system32` and `C:\Windows\syswow64` - and only on Server operating system. - - The following DLL(s) are loaded when DSQuery.exe is launched `dsquery.dll`. If found - loaded by another process, it is possible dsquery is running within that process - context in memory. - - In addition to trust discovery, review parallel processes for additional behaviors - performed. Identify the parent process and capture any files (batch files, for example) - being used.' +description: 'The following analytic detects the execution of "dsquery.exe" with arguments + targeting `TrustedDomain` queries directly from the command line. This behavior + is identified using Endpoint Detection and Response (EDR) telemetry, focusing on + process names and command-line arguments. This activity is significant as it often + indicates domain trust discovery, a common step in lateral movement or privilege + escalation by adversaries. If confirmed malicious, this could allow attackers to + map domain trusts, potentially leading to further exploitation and unauthorized + access to trusted domains.' data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=dsquery.exe - Processes.process=*trustedDomain* by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process - Processes.process_name Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `dsquery_domain_discovery_filter`' + Processes.process=*trustedDomain* by Processes.dest Processes.user Processes.parent_process_name + Processes.parent_process Processes.process_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `dsquery_domain_discovery_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -96,6 +83,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1482/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1482/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/dump_lsass_via_comsvcs_dll.yml b/detections/endpoint/dump_lsass_via_comsvcs_dll.yml index f766fc2cd9..99767ac7bb 100644 --- a/detections/endpoint/dump_lsass_via_comsvcs_dll.yml +++ b/detections/endpoint/dump_lsass_via_comsvcs_dll.yml @@ -1,12 +1,12 @@ name: Dump LSASS via comsvcs DLL id: 8943b567-f14d-4ee8-a0bb-2121d4ce3184 -version: 2 -date: '2023-04-14' +version: 3 +date: '2024-05-25' author: Patrick Bareiss, Splunk status: production type: TTP description: |- - The following analytic detects the behavior of dumping credentials from memory, a tactic commonly used by adversaries to exploit the Local Security Authority Subsystem Service (LSASS) in Windows, which manages system-level authentication. The detection is made by monitoring logs with process information from endpoints and identifying instances where the rundll32 process is used in conjunction with the comsvcs.dll and MiniDump. This indicates potential LSASS dumping attempts used by threat actors to obtain valuable credentials. The detection is important because credential theft can lead to broader system compromise, persistence, lateral movement, and escalated privileges. No legitimate use of this technique has been identified yet. This behavior is often part of more extensive attack campaigns and is associated with numerous threat groups that use the stolen credentials to access sensitive information or systems, leading to data theft, ransomware attacks, or other damaging outcomes. False positives can occur since legitimate uses of the LSASS process can cause benign activities to be flagged. Next steps include reviewing the processes involved in the LSASS dumping attempt after triage and inspecting any relevant on-disk artifacts and concurrent processes to identify the attack source. + The following analytic detects the behavior of dumping credentials from memory by exploiting the Local Security Authority Subsystem Service (LSASS) using the comsvcs.dll and MiniDump via rundll32. This detection leverages process information from Endpoint Detection and Response (EDR) logs, focusing on specific command-line executions. This activity is significant because it indicates potential credential theft, which can lead to broader system compromise, persistence, lateral movement, and privilege escalation. If confirmed malicious, attackers could gain unauthorized access to sensitive information, leading to data theft, ransomware attacks, or other damaging outcomes. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -88,6 +88,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/dump_lsass_via_procdump.yml b/detections/endpoint/dump_lsass_via_procdump.yml index e1736481ad..f01ad02d9d 100644 --- a/detections/endpoint/dump_lsass_via_procdump.yml +++ b/detections/endpoint/dump_lsass_via_procdump.yml @@ -1,27 +1,26 @@ name: Dump LSASS via procdump id: 3742ebfe-64c2-11eb-ae93-0242ac130002 -version: 3 -date: '2022-08-31' +version: 4 +date: '2024-05-11' author: Michael Haag, Splunk status: production type: TTP -description: 'Detect procdump.exe dumping the lsass process. This query looks for - both -mm and -ma usage. -mm will produce a mini dump file and -ma will write a dump - file with all process memory. Both are highly suspect and should be reviewed. This - query does not monitor for the internal name (original_file_name=procdump) of the - PE or look for procdump64.exe. Modify the query as needed. - - During triage, confirm this is procdump.exe executing. If it is the first time a - Sysinternals utility has been ran, it is possible there will be a -accepteula on - the command line. Review other endpoint data sources for cross process (injection) - into lsass.exe.' +description: 'The following analytic detects the use of procdump.exe to dump the LSASS + process, specifically looking for the -mm and -ma command-line arguments. It leverages + data from Endpoint Detection and Response (EDR) agents, focusing on process names, + command-line executions, and parent processes. This activity is significant because + dumping LSASS can expose sensitive credentials, posing a severe security risk. If + confirmed malicious, an attacker could obtain credentials, escalate privileges, + and move laterally within the network, leading to potential data breaches and further + compromise of the environment.' data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_procdump` (Processes.process=*-ma* - OR Processes.process=*-mm*) Processes.process=*lsass* by Processes.user Processes.parent_process_name Processes.process_name - Processes.process Processes.original_file_name Processes.dest | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dump_lsass_via_procdump_filter`' + OR Processes.process=*-mm*) Processes.process=*lsass* by Processes.user Processes.parent_process_name + Processes.process_name Processes.process Processes.original_file_name Processes.dest + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `dump_lsass_via_procdump_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -85,11 +84,13 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/crowdstrike_falcon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/crowdstrike_falcon.log source: crowdstrike sourcetype: crowdstrike:events:sensor diff --git a/detections/endpoint/elevated_group_discovery_with_net.yml b/detections/endpoint/elevated_group_discovery_with_net.yml index 9ad1b4a8d6..87c932dc05 100644 --- a/detections/endpoint/elevated_group_discovery_with_net.yml +++ b/detections/endpoint/elevated_group_discovery_with_net.yml @@ -1,15 +1,18 @@ name: Elevated Group Discovery With Net id: a23a0e20-0b1b-4a07-82e5-ec5f70811e7a -version: 1 -date: '2021-08-25' +version: 2 +date: '2024-05-22' author: Mauricio Velazco, Splunk status: production type: TTP -description: This analytic looks for the execution of `net.exe` or `net1.exe` with - command-line arguments utilized to query for specific elevated domain groups. Red - Teams and adversaries alike use net.exe to enumerate elevated domain groups for - situational awareness and Active Directory Discovery to identify high privileged - users. +description: The following analytic detects the execution of `net.exe` or `net1.exe` + with command-line arguments used to query elevated domain groups. It leverages data + from Endpoint Detection and Response (EDR) agents, focusing on process names and + command-line executions. This activity is significant as it indicates potential + reconnaissance efforts by adversaries to identify high-privileged users within Active + Directory. If confirmed malicious, this behavior could lead to further attacks aimed + at compromising privileged accounts, escalating privileges, or gaining unauthorized + access to sensitive systems and data. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -75,6 +78,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/elevated_group_discovery_with_powerview.yml b/detections/endpoint/elevated_group_discovery_with_powerview.yml index 39ba6e09ce..8d4663dd5b 100644 --- a/detections/endpoint/elevated_group_discovery_with_powerview.yml +++ b/detections/endpoint/elevated_group_discovery_with_powerview.yml @@ -1,23 +1,24 @@ name: Elevated Group Discovery with PowerView id: 10d62950-0de5-4199-a710-cff9ea79b413 -version: 2 -date: '2024-02-14' +version: 3 +date: '2024-06-10' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) - to identify the execution of the `Get-DomainGroupMember` commandlet. `Get-DomainGroupMember` - is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. - As the name suggests, `Get-DomainGroupMember` is used to list the members of an - specific domain group. Red Teams and adversaries alike use PowerView to enumerate - elevated domain groups for situational awareness and Active Directory Discovery - to identify high privileged users. +description: The following analytic detects the execution of the `Get-DomainGroupMember` + cmdlet from PowerView, identified through PowerShell Script Block Logging (EventCode=4104). + This cmdlet is used to enumerate members of elevated domain groups such as Domain + Admins and Enterprise Admins. Monitoring this activity is crucial as it indicates + potential reconnaissance efforts by adversaries to identify high-privileged users + within the domain. If confirmed malicious, this activity could lead to targeted + attacks on privileged accounts, facilitating further compromise and lateral movement + within the network. data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 (Message = "*Get-DomainGroupMember*") AND Message +search: '`powershell` EventCode=4104 (ScriptBlockText = "*Get-DomainGroupMember*") AND ScriptBlockText IN ("*Domain Admins*","*Enterprise Admins*", "*Schema Admins*", "*Account Operators*" , "*Server Operators*", "*Protected Users*", "*Dns Admins*") | stats count min(_time) - as firstTime max(_time) as lastTime by EventCode Message ComputerName User | rename ComputerName as dest, User as user | `security_content_ctime(firstTime)` + as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `elevated_group_discovery_with_powerview_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here @@ -50,17 +51,17 @@ tags: required_fields: - _time - EventCode - - Message - - ComputerName - - User + - ScriptBlockText + - Computer + - UserID risk_score: 21 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-powershell.log - source: WinEventLog:Microsoft-Windows-PowerShell/Operational - sourcetype: wineventlog + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-powershell-xml-powerview.log + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational + sourcetype: xmlwineventlog - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-xml.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog \ No newline at end of file + sourcetype: xmlwineventlog diff --git a/detections/endpoint/elevated_group_discovery_with_wmic.yml b/detections/endpoint/elevated_group_discovery_with_wmic.yml index 97946a582a..a55c1d2588 100644 --- a/detections/endpoint/elevated_group_discovery_with_wmic.yml +++ b/detections/endpoint/elevated_group_discovery_with_wmic.yml @@ -1,14 +1,18 @@ name: Elevated Group Discovery With Wmic id: 3f6bbf22-093e-4cb4-9641-83f47b8444b6 -version: 1 -date: '2021-08-25' +version: 2 +date: '2024-05-24' author: Mauricio Velazco, Splunk status: production type: TTP -description: This analytic looks for the execution of `wmic.exe` with command-line - arguments utilized to query for specific domain groups. Red Teams and adversaries - alike use net.exe to enumerate elevated domain groups for situational awareness - and Active Directory Discovery to identify high privileged users. +description: The following analytic detects the execution of `wmic.exe` with command-line + arguments querying specific elevated domain groups. It leverages Endpoint Detection + and Response (EDR) telemetry to identify processes that access the LDAP namespace + and search for groups like "Domain Admins" or "Enterprise Admins." This activity + is significant as it indicates potential reconnaissance efforts by adversaries to + identify high-privilege accounts within Active Directory. If confirmed malicious, + this behavior could lead to privilege escalation, allowing attackers to gain elevated + access and control over critical network resources. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -70,6 +74,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/enable_rdp_in_other_port_number.yml b/detections/endpoint/enable_rdp_in_other_port_number.yml index 41d879b622..ba5dc70525 100644 --- a/detections/endpoint/enable_rdp_in_other_port_number.yml +++ b/detections/endpoint/enable_rdp_in_other_port_number.yml @@ -1,22 +1,27 @@ name: Enable RDP In Other Port Number id: 99495452-b899-11eb-96dc-acde48001122 -version: 4 -date: '2023-04-27' +version: 5 +date: '2024-05-29' author: Steven Dick, Teoderick Contreras, Splunk status: production type: TTP -description: This search is to detect a modification to registry to enable rdp to - a machine with different port number. This technique was seen in some atttacker - tries to do lateral movement and remote access to a compromised machine to gain - control of it. +description: The following analytic detects modifications to the registry that enable + RDP on a machine using a non-default port number. It leverages data from the Endpoint.Registry + data model, specifically monitoring changes to the registry path "HKLM\SYSTEM\CurrentControlSet\Control\Terminal + Server\WinStations\RDP-Tcp" and the "PortNumber" value. This activity is significant + as attackers often modify RDP settings to facilitate lateral movement and maintain + remote access to compromised systems. If confirmed malicious, this could allow attackers + to bypass network defenses, gain persistent access, and potentially control the + compromised machine. data_source: - Sysmon EventID 12 - Sysmon EventID 13 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp*" Registry.registry_value_name = "PortNumber") BY _time - span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name - Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` + span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name + Registry.registry_value_name Registry.registry_value_data Registry.process_guid + | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `enable_rdp_in_other_port_number_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your @@ -61,6 +66,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/honeypots/casper/datasets1/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/honeypots/casper/datasets1/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/enable_wdigest_uselogoncredential_registry.yml b/detections/endpoint/enable_wdigest_uselogoncredential_registry.yml index 0428eef571..0243c5f583 100644 --- a/detections/endpoint/enable_wdigest_uselogoncredential_registry.yml +++ b/detections/endpoint/enable_wdigest_uselogoncredential_registry.yml @@ -1,24 +1,28 @@ name: Enable WDigest UseLogonCredential Registry id: 0c7d8ffe-25b1-11ec-9f39-acde48001122 -version: 4 -date: '2023-04-27' +version: 5 +date: '2024-05-12' author: Steven Dick, Teoderick Contreras, Splunk status: production type: TTP -description: This analytic is to detect a suspicious registry modification to enable - plain text credential feature of windows. This technique was used by several malware - and also by mimikatz to be able to dumpe the a plain text credential to the compromised - or target host. This TTP is really a good indicator that someone wants to dump the - crendential of the host so it must be a good pivot for credential dumping techniques. +description: The following analytic detects a suspicious registry modification that + enables the plain text credential feature in Windows by setting the "UseLogonCredential" + value to 1 in the WDigest registry path. This detection leverages data from the + Endpoint.Registry data model, focusing on specific registry paths and values. This + activity is significant because it is commonly used by malware and tools like Mimikatz + to dump plain text credentials, indicating a potential credential dumping attempt. + If confirmed malicious, this could allow an attacker to obtain sensitive credentials, + leading to further compromise and lateral movement within the network. data_source: - Sysmon EventID 12 - Sysmon EventID 13 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\*" - Registry.registry_value_name = "UseLogonCredential" Registry.registry_value_data=0x00000001) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name + Registry.registry_value_name = "UseLogonCredential" Registry.registry_value_data=0x00000001) + BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid - | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `enable_wdigest_uselogoncredential_registry_filter`' + | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `enable_wdigest_uselogoncredential_registry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical @@ -64,6 +68,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/atomic_red_team/wdigest_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/atomic_red_team/wdigest_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/enumerate_users_local_group_using_telegram.yml b/detections/endpoint/enumerate_users_local_group_using_telegram.yml index e08bdfe4e6..ae1cf9dc5c 100644 --- a/detections/endpoint/enumerate_users_local_group_using_telegram.yml +++ b/detections/endpoint/enumerate_users_local_group_using_telegram.yml @@ -1,20 +1,24 @@ name: Enumerate Users Local Group Using Telegram id: fcd74532-ae54-11eb-a5ab-acde48001122 -version: 3 -date: '2024-04-26' +version: 4 +date: '2024-05-15' author: Teoderick Contreras, Splunk status: production type: TTP -description: This analytic will detect a suspicious Telegram process enumerating all - network users in a local group. This technique was seen in a Monero infected honeypot - to mapped all the users on the compromised system. EventCode 4798 is generated when - a process enumerates a user's security-enabled local groups on a computer or device. +description: The following analytic detects a Telegram process enumerating all network + users in a local group. It leverages EventCode 4798, which is generated when a process + enumerates a user's security-enabled local groups on a computer or device. This + activity is significant as it may indicate an attempt to gather information on user + accounts, a common precursor to further malicious actions. If confirmed malicious, + this behavior could allow an attacker to map out user accounts, potentially leading + to privilege escalation or lateral movement within the network. data_source: - Windows Event Log Security 4798 -search: '`wineventlog_security` EventCode=4798 CallerProcessName = "*\\telegram.exe" | - stats count min(_time) as firstTime max(_time) as lastTime by user Computer EventCode - CallerProcessName ProcessID SubjectUserSid SubjectDomainName SubjectLogonId - | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `enumerate_users_local_group_using_telegram_filter`' +search: '`wineventlog_security` EventCode=4798 CallerProcessName = "*\\telegram.exe" + | stats count min(_time) as firstTime max(_time) as lastTime by user Computer EventCode + CallerProcessName ProcessID SubjectUserSid SubjectDomainName SubjectLogonId | + rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `enumerate_users_local_group_using_telegram_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the Task Schedule (Exa. Security Log EventCode 4798) endpoints. Tune and filter known instances of process like logonUI used in your environment. @@ -28,7 +32,8 @@ tags: asset_type: Endpoint confidence: 100 impact: 80 - message: The Telegram application has been identified enumerating local groups on $dest$ by $user$. + message: The Telegram application has been identified enumerating local groups on + $dest$ by $user$. mitre_attack_id: - T1087 observable: @@ -61,6 +66,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087/enumerate_users_local_group_using_telegram/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087/enumerate_users_local_group_using_telegram/windows-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/esentutl_sam_copy.yml b/detections/endpoint/esentutl_sam_copy.yml index ea811d2170..4153e98ff3 100644 --- a/detections/endpoint/esentutl_sam_copy.yml +++ b/detections/endpoint/esentutl_sam_copy.yml @@ -1,14 +1,18 @@ name: Esentutl SAM Copy id: d372f928-ce4f-11eb-a762-acde48001122 -version: 1 -date: '2021-08-18' +version: 2 +date: '2024-05-16' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic identifies the process - `esentutl.exe` - being - used to capture credentials stored in ntds.dit or the SAM file on disk. During triage, - review parallel processes and determine if legitimate activity. Upon determination - of illegitimate activity, take further action to isolate and contain the threat. +description: The following analytic detects the use of `esentutl.exe` to access credentials + stored in the ntds.dit or SAM file. This detection leverages data from Endpoint + Detection and Response (EDR) agents, focusing on process execution logs that include + command-line details. This activity is significant because it may indicate an attempt + to extract sensitive credential information, which is a common tactic in lateral + movement and privilege escalation. If confirmed malicious, this could allow an attacker + to gain unauthorized access to user credentials, potentially compromising the entire + network. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -82,6 +86,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/eventvwr_uac_bypass.yml b/detections/endpoint/eventvwr_uac_bypass.yml index c4be842dda..76f5b40457 100644 --- a/detections/endpoint/eventvwr_uac_bypass.yml +++ b/detections/endpoint/eventvwr_uac_bypass.yml @@ -1,16 +1,18 @@ name: Eventvwr UAC Bypass id: 9cf8fe08-7ad8-11eb-9819-acde48001122 -version: 3 -date: '2022-11-14' +version: 4 +date: '2024-05-26' author: Steven Dick, Michael Haag, Splunk status: production type: TTP -description: The following search identifies Eventvwr bypass by identifying the registry - modification into a specific path that eventvwr.msc looks to (but is not valid) - upon execution. A successful attack will include a suspicious command to be executed - upon eventvwr.msc loading. Upon triage, review the parallel processes that have - executed. Identify any additional registry modifications on the endpoint that may - look suspicious. Remediate as necessary. +description: The following analytic detects an Eventvwr UAC bypass by identifying + suspicious registry modifications in the path that Eventvwr.msc references upon + execution. This detection leverages data from Endpoint Detection and Response (EDR) + agents, focusing on registry changes and process execution details. This activity + is significant because it indicates a potential privilege escalation attempt, allowing + an attacker to execute arbitrary commands with elevated privileges. If confirmed + malicious, this could lead to unauthorized code execution, persistence, and further + compromise of the affected system. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) @@ -88,6 +90,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/excel_spawning_powershell.yml b/detections/endpoint/excel_spawning_powershell.yml index a6ba0c2846..a0b87e1141 100644 --- a/detections/endpoint/excel_spawning_powershell.yml +++ b/detections/endpoint/excel_spawning_powershell.yml @@ -1,24 +1,25 @@ name: Excel Spawning PowerShell id: 42d40a22-9be3-11eb-8f08-acde48001122 -version: 2 -date: '2023-11-07' +version: 3 +date: '2024-05-15' author: Michael Haag, Splunk status: production type: TTP -description: The following detection identifies Microsoft Excel spawning PowerShell. - Typically, this is not common behavior and not default with Excel.exe. Excel.exe - will generally be found in the following path `C:\Program Files\Microsoft Office\root\Office16` - (version will vary). PowerShell spawning from Excel.exe is common for a spearphishing - attachment and is actively used. Albeit, the command executed will most likely be - encoded and captured via another detection. During triage, review parallel processes - and identify any files that may have been written. +description: The following analytic detects Microsoft Excel spawning PowerShell, an + uncommon and suspicious behavior. This detection leverages data from Endpoint Detection + and Response (EDR) agents, focusing on process creation events where the parent + process is "excel.exe" and the child process is PowerShell. This activity is significant + because it is often associated with spearphishing attacks, where malicious attachments + execute encoded PowerShell commands. If confirmed malicious, this behavior could + allow an attacker to execute arbitrary code, potentially leading to data exfiltration, + privilege escalation, or persistent access within the environment. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count values(Processes.process) min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes - where Processes.parent_process_name="excel.exe" `process_powershell` by Processes.parent_process Processes.parent_process_name - Processes.process_name Processes.user Processes.dest Processes.original_file_name - | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` + where Processes.parent_process_name="excel.exe" `process_powershell` by Processes.parent_process + Processes.parent_process_name Processes.process_name Processes.user Processes.dest + Processes.original_file_name | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `excel_spawning_powershell_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related @@ -83,6 +84,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/excel_spawning_windows_script_host.yml b/detections/endpoint/excel_spawning_windows_script_host.yml index 4425070655..b0a85217a8 100644 --- a/detections/endpoint/excel_spawning_windows_script_host.yml +++ b/detections/endpoint/excel_spawning_windows_script_host.yml @@ -1,27 +1,25 @@ name: Excel Spawning Windows Script Host id: 57fe880a-9be3-11eb-9bf3-acde48001122 -version: 2 -date: '2023-11-07' +version: 3 +date: '2024-05-20' author: Michael Haag, Splunk status: production type: TTP -description: The following detection identifies Microsoft Excel spawning Windows Script - Host - `cscript.exe` or `wscript.exe`. Typically, this is not common behavior and - not default with Excel.exe. Excel.exe will generally be found in the following path - `C:\Program Files\Microsoft Office\root\Office16` (version will vary). `cscript.exe` - or `wscript.exe` default location is `c:\windows\system32\` or c:windows\syswow64`. - `cscript.exe` or `wscript.exe` spawning from Excel.exe is common for a spearphishing - attachment and is actively used. Albeit, the command-line executed will most likely - be obfuscated and captured via another detection. During triage, review parallel - processes and identify any files that may have been written. Review the reputation - of the remote destination and block accordingly. +description: The following analytic identifies instances where Microsoft Excel spawns + Windows Script Host processes (`cscript.exe` or `wscript.exe`). This behavior is + detected using Endpoint Detection and Response (EDR) telemetry, focusing on process + creation events where the parent process is `excel.exe`. This activity is significant + because it is uncommon and often associated with malicious actions, such as spearphishing + attacks. If confirmed malicious, this could allow an attacker to execute scripts, + potentially leading to code execution, data exfiltration, or further system compromise. + Immediate investigation and mitigation are recommended. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count values(Processes.process) min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name="excel.exe" Processes.process_name IN ("cscript.exe", - "wscript.exe") by Processes.parent_process Processes.parent_process_name Processes.process_name Processes.user - Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` + "wscript.exe") by Processes.parent_process Processes.parent_process_name Processes.process_name + Processes.user Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `excel_spawning_windows_script_host_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related @@ -83,6 +81,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/excessive_distinct_processes_from_windows_temp.yml b/detections/endpoint/excessive_distinct_processes_from_windows_temp.yml index 465e383a5c..317b1d34b7 100644 --- a/detections/endpoint/excessive_distinct_processes_from_windows_temp.yml +++ b/detections/endpoint/excessive_distinct_processes_from_windows_temp.yml @@ -1,15 +1,18 @@ name: Excessive distinct processes from Windows Temp id: 23587b6a-c479-11eb-b671-acde48001122 -version: 3 -date: '2024-04-26' +version: 4 +date: '2024-05-29' author: Michael Hart, Mauricio Velazco, Splunk status: production type: Anomaly -description: This analytic will identify suspicious series of process executions. We - have observed that post exploit framework tools like Koadic and Meterpreter will - launch an excessive number of processes with distinct file paths from Windows\Temp - to execute actions on objective. This behavior is extremely anomalous compared - to typical application behaviors that use Windows\Temp. +description: The following analytic identifies an excessive number of distinct processes + executing from the Windows\Temp directory. It leverages data from Endpoint Detection + and Response (EDR) agents, focusing on process paths and counts within a 20-minute + window. This behavior is significant as it often indicates the presence of post-exploit + frameworks like Koadic and Meterpreter, which use this technique to execute malicious + actions. If confirmed malicious, this activity could allow attackers to execute + arbitrary code, escalate privileges, and maintain persistence within the environment, + posing a severe threat to system integrity and security. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` values(Processes.process) as process @@ -60,6 +63,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/excessive_distinct_processes_from_windows_temp/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/excessive_distinct_processes_from_windows_temp/windows-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/excessive_file_deletion_in_windefender_folder.yml b/detections/endpoint/excessive_file_deletion_in_windefender_folder.yml index e9ea26d810..14c3da5d5b 100644 --- a/detections/endpoint/excessive_file_deletion_in_windefender_folder.yml +++ b/detections/endpoint/excessive_file_deletion_in_windefender_folder.yml @@ -1,28 +1,30 @@ name: Excessive File Deletion In WinDefender Folder id: b5baa09a-7a05-11ec-8da4-acde48001122 -version: 2 -date: '2024-03-05' +version: 3 +date: '2024-05-12' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP -description: This analytic identifies excessive file deletion events in the Windows - Defender folder. This technique was observed in the WhisperGate malware campaign, - where adversaries exploited Nirsoft's advancedrun.exe to gain administrative privileges - and then executed PowerShell commands to delete files within the Windows Defender - application folder. Such behavior is a strong indicator that the offending process - is attempting to corrupt a Windows Defender installation. +description: The following analytic detects excessive file deletion events in the + Windows Defender folder. It leverages Sysmon EventCodes 23 and 26 to identify processes + deleting multiple files within this directory. This behavior is significant as it + may indicate an attempt to corrupt or disable Windows Defender, a key security component. + If confirmed malicious, this activity could allow an attacker to disable endpoint + protection, facilitating further malicious actions without detection. data_source: - Sysmon EventID 23 - Sysmon EventID 26 -search: '`sysmon` EventCode IN ("23","26") TargetFilename = "*\\ProgramData\\Microsoft\\Windows Defender\\*" - | stats count, values(TargetFilename) as deleted_files, min(_time) as firstTime, max(_time) as lastTime by user, dest, signature, signature_id, Image, process_name, process_guid - | rename Image as process - | where count >=50 - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `excessive_file_deletion_in_windefender_folder_filter`' -how_to_implement: To successfully implement this search, you must ingest logs that include the process name, TargetFilename, and ProcessID executions from your endpoints. If you are utilizing Sysmon, ensure you have at least version 2.0 of the Sysmon TA installed. -known_false_positives: Windows Defender AV updates may trigger this alert. Please adjust the filter macros to mitigate false positives. +search: '`sysmon` EventCode IN ("23","26") TargetFilename = "*\\ProgramData\\Microsoft\\Windows + Defender\\*" | stats count, values(TargetFilename) as deleted_files, min(_time) + as firstTime, max(_time) as lastTime by user, dest, signature, signature_id, Image, + process_name, process_guid | rename Image as process | where count >=50 | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `excessive_file_deletion_in_windefender_folder_filter`' +how_to_implement: To successfully implement this search, you must ingest logs that + include the process name, TargetFilename, and ProcessID executions from your endpoints. + If you are utilizing Sysmon, ensure you have at least version 2.0 of the Sysmon + TA installed. +known_false_positives: Windows Defender AV updates may trigger this alert. Please + adjust the filter macros to mitigate false positives. references: - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ tags: @@ -57,7 +59,7 @@ tags: required_fields: - _time - TargetFilename - - user + - user - dest - signature - signature_id @@ -70,6 +72,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/excessive_file_del_in_windefender_dir/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/excessive_file_del_in_windefender_dir/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog \ No newline at end of file + sourcetype: xmlwineventlog diff --git a/detections/endpoint/excessive_number_of_service_control_start_as_disabled.yml b/detections/endpoint/excessive_number_of_service_control_start_as_disabled.yml index 3f54e8af8e..08d62164b5 100644 --- a/detections/endpoint/excessive_number_of_service_control_start_as_disabled.yml +++ b/detections/endpoint/excessive_number_of_service_control_start_as_disabled.yml @@ -1,16 +1,18 @@ name: Excessive number of service control start as disabled id: 77592bec-d5cc-11eb-9e60-acde48001122 -version: 1 -date: '2021-06-25' +version: 2 +date: '2024-05-19' author: Michael Hart, Splunk status: production type: Anomaly -description: This detection targets behaviors observed when threat actors have used - sc.exe to modify services. We observed malware in a honey pot spawning numerous - sc.exe processes in a short period of time, presumably to impair defenses, possibly - to block others from compromising the same machine. This detection will alert when - we see both an excessive number of sc.exe processes launched with specific commandline - arguments to disable the start of certain services. +description: The following analytic detects an excessive number of `sc.exe` processes + launched with the command line argument `start= disabled` within a short period. + It leverages data from Endpoint Detection and Response (EDR) agents, focusing on + process names, command-line executions, and process GUIDs. This activity is significant + as it may indicate an attempt to disable critical services, potentially impairing + system defenses. If confirmed malicious, this behavior could allow an attacker to + disrupt security mechanisms, hinder incident response, and maintain control over + the compromised system. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` distinct_count(Processes.process) @@ -74,7 +76,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/sc_service_start_disabled/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/sc_service_start_disabled/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/excessive_number_of_taskhost_processes.yml b/detections/endpoint/excessive_number_of_taskhost_processes.yml index fd0391b24d..f8a3260d94 100644 --- a/detections/endpoint/excessive_number_of_taskhost_processes.yml +++ b/detections/endpoint/excessive_number_of_taskhost_processes.yml @@ -1,16 +1,18 @@ name: Excessive number of taskhost processes id: f443dac2-c7cf-11eb-ab51-acde48001122 -version: 3 -date: '2024-04-26' +version: 4 +date: '2024-05-20' author: Michael Hart status: production type: Anomaly -description: This detection targets behaviors observed in post exploit kits like Meterpreter - and Koadic that are run in memory. We have observed that these tools must invoke - an excessive number of taskhost.exe and taskhostex.exe processes to complete various - actions (discovery, lateral movement, etc.). It is extremely uncommon in the course - of normal operations to see so many distinct taskhost and taskhostex processes running - concurrently in a short time frame. +description: The following analytic identifies an excessive number of taskhost.exe + and taskhostex.exe processes running within a short time frame. It leverages data + from Endpoint Detection and Response (EDR) agents, focusing on process names and + their counts. This behavior is significant as it is commonly associated with post-exploitation + tools like Meterpreter and Koadic, which use multiple instances of these processes + for actions such as discovery and lateral movement. If confirmed malicious, this + activity could indicate an ongoing attack, allowing attackers to execute code, escalate + privileges, or move laterally within the network. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` values(Processes.process_id) as @@ -42,7 +44,8 @@ tags: asset_type: Endpoint confidence: 70 impact: 80 - message: An excessive amount of taskhost.exe and taskhostex.exe was executed on $dest$ indicative of suspicious behavior. + message: An excessive amount of taskhost.exe and taskhostex.exe was executed on + $dest$ indicative of suspicious behavior. mitre_attack_id: - T1059 observable: @@ -65,6 +68,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/excessive_distinct_processes_from_windows_temp/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/excessive_distinct_processes_from_windows_temp/windows-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/excessive_service_stop_attempt.yml b/detections/endpoint/excessive_service_stop_attempt.yml index 0fe4f63f7a..1319bf5119 100644 --- a/detections/endpoint/excessive_service_stop_attempt.yml +++ b/detections/endpoint/excessive_service_stop_attempt.yml @@ -1,14 +1,18 @@ name: Excessive Service Stop Attempt id: ae8d3f4a-acd7-11eb-8846-acde48001122 -version: 2 -date: '2021-05-04' +version: 3 +date: '2024-05-25' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This analytic identifies suspicious series of attempt to kill multiple - services on a system using either `net.exe` or `sc.exe`. This technique is use by - adversaries to terminate security services or other related services to continue - there objective and evade detections. +description: The following analytic detects multiple attempts to stop or delete services + on a system using `net.exe`, `sc.exe`, or `net1.exe`. It leverages Endpoint Detection + and Response (EDR) telemetry, focusing on process names and command-line executions + within a one-minute window. This activity is significant as it may indicate an adversary + attempting to disable security or critical services to evade detection and further + their objectives. If confirmed malicious, this could lead to the attacker gaining + persistence, escalating privileges, or disrupting essential services, thereby compromising + the system's security posture. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` values(Processes.process) as process @@ -74,6 +78,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/excessive_usage_of_cacls_app.yml b/detections/endpoint/excessive_usage_of_cacls_app.yml index 0743e4ad80..343c5eb6a4 100644 --- a/detections/endpoint/excessive_usage_of_cacls_app.yml +++ b/detections/endpoint/excessive_usage_of_cacls_app.yml @@ -1,14 +1,17 @@ name: Excessive Usage Of Cacls App id: 0bdf6092-af17-11eb-939a-acde48001122 -version: 1 -date: '2021-05-07' +version: 2 +date: '2024-05-15' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic identifies excessive usage of `cacls.exe`, `xcacls.exe` - or `icacls.exe` application to change file or folder permission. This behavior is - commonly seen where the adversary attempts to impair some users from deleting or - accessing its malware components or artifact from the compromised system. +description: The following analytic identifies excessive usage of `cacls.exe`, `xcacls.exe`, + or `icacls.exe` to change file or folder permissions. It leverages data from Endpoint + Detection and Response (EDR) agents, focusing on process names and command-line + executions. This activity is significant as it may indicate an adversary attempting + to restrict access to malware components or artifacts on a compromised system. If + confirmed malicious, this behavior could prevent users from deleting or accessing + critical files, aiding in the persistence and concealment of malicious activities. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` values(Processes.process) as process @@ -70,6 +73,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/excessive_usage_of_net_app.yml b/detections/endpoint/excessive_usage_of_net_app.yml index 349f8bede3..b9557e2e91 100644 --- a/detections/endpoint/excessive_usage_of_net_app.yml +++ b/detections/endpoint/excessive_usage_of_net_app.yml @@ -1,14 +1,18 @@ name: Excessive Usage Of Net App id: 45e52536-ae42-11eb-b5c6-acde48001122 -version: 2 -date: '2023-06-13' +version: 3 +date: '2024-05-23' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This analytic identifies excessive usage of `net.exe` or `net1.exe` within - a bucket of time (1 minute). This behavior was seen in a Monero incident where the - adversary attempts to create many users, delete and disable users as part of its - malicious behavior. +description: The following analytic detects excessive usage of `net.exe` or `net1.exe` + within a one-minute interval. It leverages data from Endpoint Detection and Response + (EDR) agents, focusing on process names, parent processes, and command-line executions. + This behavior is significant as it may indicate an adversary attempting to create, + delete, or disable multiple user accounts rapidly, a tactic observed in Monero mining + incidents. If confirmed malicious, this activity could lead to unauthorized user + account manipulation, potentially compromising system integrity and enabling further + malicious actions. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` values(Processes.process) as process @@ -80,6 +84,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/excessive_usage_of_nslookup_app.yml b/detections/endpoint/excessive_usage_of_nslookup_app.yml index a72d43fb50..9d61ab590e 100644 --- a/detections/endpoint/excessive_usage_of_nslookup_app.yml +++ b/detections/endpoint/excessive_usage_of_nslookup_app.yml @@ -1,24 +1,26 @@ name: Excessive Usage of NSLOOKUP App id: 0a69fdaa-a2b8-11eb-b16d-acde48001122 -version: 2 -date: '2022-06-03' +version: 3 +date: '2024-05-15' author: Teoderick Contreras, Stanislav Miskovic, Splunk status: production type: Anomaly -description: This search is to detect potential DNS exfiltration using nslookup application. - This technique are seen in couple of malware and APT group to exfiltrated collected - data in a infected machine or infected network. This detection is looking for unique - use of nslookup where it tries to use specific record type (TXT, A, AAAA) that are - commonly used by attacker and also the retry parameter which is designed to query - C2 DNS multiple tries. +description: The following analytic detects excessive usage of the nslookup application, + which may indicate potential DNS exfiltration attempts. It leverages Sysmon EventCode + 1 to monitor process executions, specifically focusing on nslookup.exe. The detection + identifies outliers by comparing the frequency of nslookup executions against a + calculated threshold. This activity is significant as it can reveal attempts by + malware or APT groups to exfiltrate data via DNS queries. If confirmed malicious, + this behavior could allow attackers to stealthily transfer sensitive information + out of the network, bypassing traditional data exfiltration defenses. data_source: - Sysmon EventID 1 search: '`sysmon` EventCode = 1 process_name = "nslookup.exe" | bucket _time span=1m - | stats count as numNsLookup by dest, _time | eventstats avg(numNsLookup) as - avgNsLookup, stdev(numNsLookup) as stdNsLookup, count as numSlots by dest | - eval upperThreshold=(avgNsLookup + stdNsLookup *3) | eval isOutlier=if(numNsLookup - > 20 and numNsLookup >= upperThreshold, 1, 0) | search isOutlier=1 | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `excessive_usage_of_nslookup_app_filter`' + | stats count as numNsLookup by dest, _time | eventstats avg(numNsLookup) as avgNsLookup, + stdev(numNsLookup) as stdNsLookup, count as numSlots by dest | eval upperThreshold=(avgNsLookup + + stdNsLookup *3) | eval isOutlier=if(numNsLookup > 20 and numNsLookup >= upperThreshold, + 1, 0) | search isOutlier=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `excessive_usage_of_nslookup_app_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the @@ -60,6 +62,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048.003/nslookup_exfil/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048.003/nslookup_exfil/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/excessive_usage_of_sc_service_utility.yml b/detections/endpoint/excessive_usage_of_sc_service_utility.yml index bec9736486..074a2c9698 100644 --- a/detections/endpoint/excessive_usage_of_sc_service_utility.yml +++ b/detections/endpoint/excessive_usage_of_sc_service_utility.yml @@ -1,14 +1,18 @@ name: Excessive Usage Of SC Service Utility id: cb6b339e-d4c6-11eb-a026-acde48001122 -version: 1 -date: '2021-06-24' +version: 2 +date: '2024-05-19' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This search is to detect a suspicious excessive usage of sc.exe in a - host machine. This technique was seen in several ransomware , xmrig and other malware - to create, modify, delete or disable a service may related to security application - or to gain privilege escalation. +description: The following analytic detects excessive usage of the `sc.exe` service + utility on a host machine. It leverages Sysmon EventCode 1 logs to identify instances + where `sc.exe` is executed more frequently than normal within a 15-minute window. + This behavior is significant as it is commonly associated with ransomware, cryptocurrency + miners, and other malware attempting to create, modify, delete, or disable services, + potentially related to security applications or for privilege escalation. If confirmed + malicious, this activity could allow attackers to manipulate critical services, + leading to system compromise or disruption of security defenses. data_source: - Sysmon EventID 1 search: '`sysmon` EventCode = 1 process_name = "sc.exe" | bucket _time span=15m | @@ -55,6 +59,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data2/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data2/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/exchange_powershell_abuse_via_ssrf.yml b/detections/endpoint/exchange_powershell_abuse_via_ssrf.yml index dd011c249e..46ee0fee33 100644 --- a/detections/endpoint/exchange_powershell_abuse_via_ssrf.yml +++ b/detections/endpoint/exchange_powershell_abuse_via_ssrf.yml @@ -1,26 +1,18 @@ name: Exchange PowerShell Abuse via SSRF id: 29228ab4-0762-11ec-94aa-acde48001122 -version: 2 -date: '2023-07-10' +version: 3 +date: '2024-05-21' author: Michael Haag, Splunk status: experimental type: TTP -description: 'This analytic identifies suspicious behavior related to ProxyShell against - on-premise Microsoft Exchange servers. This analytic has been replaced by GUID d436f9e7-0ee7-4a47-864b-6dea2c4e2752 - which utilizes the Web Datamodel. - - Modification of this analytic is requried to ensure fields are mapped accordingly. - - - A suspicious event will have `PowerShell`, the method `POST` and `autodiscover.json`. - This is indicative of accessing PowerShell on the back end of Exchange with SSRF. - - - An event will look similar to `POST /autodiscover/autodiscover.json a=dsxvu@fnsso.flq/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3d...` - (abbreviated) - - Review the source attempting to perform this activity against your environment. - In addition, review PowerShell logs and access recently granted to Exchange roles.' +description: 'The following analytic detects suspicious behavior indicative of ProxyShell + exploitation against on-premise Microsoft Exchange servers. It identifies HTTP POST + requests to `autodiscover.json` containing `PowerShell` in the URI, leveraging server-side + request forgery (SSRF) to access backend PowerShell. This detection uses Exchange + server logs ingested into Splunk. Monitoring this activity is crucial as it may + indicate an attacker attempting to execute commands or scripts on the Exchange server. + If confirmed malicious, this could lead to unauthorized access, privilege escalation, + or persistent control over the Exchange environment.' data_source: [] search: '`exchange` c_uri="*//autodiscover*" cs_uri_query="*PowerShell*" cs_method="POST" | stats count min(_time) as firstTime max(_time) as lastTime by dest, cs_uri_query, diff --git a/detections/endpoint/exchange_powershell_module_usage.yml b/detections/endpoint/exchange_powershell_module_usage.yml index 6d746adcb2..cc3fa2cf81 100644 --- a/detections/endpoint/exchange_powershell_module_usage.yml +++ b/detections/endpoint/exchange_powershell_module_usage.yml @@ -1,39 +1,26 @@ name: Exchange PowerShell Module Usage id: 2d10095e-05ae-11ec-8fdf-acde48001122 -version: 5 -date: '2023-07-10' +version: 6 +date: '2024-05-31' author: Michael Haag, Splunk status: production type: TTP -description: 'The following analytic identifies the usage of Exchange PowerShell modules - that were recently used for a proof of concept related to ProxyShell. Adversaries - may abuse a limited set of PwSh Modules related to Exchange once gained access via - ProxyShell or ProxyNotShell. - - Inherently, the usage of the modules is not malicious, but reviewing parallel processes, - and user, of the session will assist with determining the intent. - - Module - New-MailboxExportRequest will begin the process of exporting contents of - a primary mailbox or archive to a .pst file. - - Module - New-managementroleassignment can assign a management role to a management - role group, management role assignment policy, user, or universal security group - (USG). - - Module - New-MailboxSearch cmdlet to create a mailbox search and either get an estimate - of search results, place search results on In-Place Hold or copy them to a Discovery - mailbox. You can also place all contents in a mailbox on hold by not specifying - a search query, which accomplishes similar results as Litigation Hold. \ Module - - Get-Recipient cmdlet to view existing recipient objects in your organization. - This cmdlet returns all mail-enabled objects (for example, mailboxes, mail users, - mail contacts, and distribution groups).' +description: 'The following analytic detects the usage of specific Exchange PowerShell + modules, such as New-MailboxExportRequest, New-ManagementRoleAssignment, New-MailboxSearch, + and Get-Recipient. It leverages PowerShell Script Block Logging (EventCode 4104) + to identify these commands. This activity is significant because these modules can + be exploited by adversaries who have gained access via ProxyShell or ProxyNotShell + vulnerabilities. If confirmed malicious, attackers could export mailbox contents, + assign management roles, conduct mailbox searches, or view recipient objects, potentially + leading to data exfiltration, privilege escalation, or unauthorized access to sensitive + information.' data_source: - Powershell Script Block Logging 4104 search: '`powershell` EventCode=4104 ScriptBlockText IN ("*New-MailboxExportRequest*", "*New-ManagementRoleAssignment*", "*New-MailboxSearch*", "*Get-Recipient*", "Search-Mailbox") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer - UserID EventCode ScriptBlockText | rename Computer as dest |rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `exchange_powershell_module_usage_filter`' + UserID EventCode ScriptBlockText | rename Computer as dest |rename UserID as user + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `exchange_powershell_module_usage_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. @@ -84,6 +71,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/exchange/windows-powershell.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/exchange/windows-powershell.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/executable_file_written_in_administrative_smb_share.yml b/detections/endpoint/executable_file_written_in_administrative_smb_share.yml index f1fcfa6a5d..ac28c68fd7 100644 --- a/detections/endpoint/executable_file_written_in_administrative_smb_share.yml +++ b/detections/endpoint/executable_file_written_in_administrative_smb_share.yml @@ -1,22 +1,25 @@ name: Executable File Written in Administrative SMB Share id: f63c34fe-a435-11eb-935a-acde48001122 -version: 3 -date: '2024-02-14' +version: 4 +date: '2024-05-16' author: Teoderick Contreras, Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic identifies executable files (.exe or .dll) being - written to Windows administrative SMB shares (Admin$, IPC$, C$). This represents - suspicious behavior as its commonly used by tools like PsExec/PaExec and others - to stage service binaries before creating and starting a Windows service on remote - endpoints. Red Teams and adversaries alike may abuse administrative shares for lateral - movement and remote code execution. The Trickbot malware family also implements - this behavior to try to infect other machines in the infected network. +description: The following analytic detects executable files (.exe or .dll) being + written to Windows administrative SMB shares (Admin$, IPC$, C$). It leverages Windows + Security Event Logs with EventCode 5145 to identify this activity. This behavior + is significant as it is commonly used by tools like PsExec/PaExec for staging binaries + before creating and starting services on remote endpoints, a technique often employed + for lateral movement and remote code execution. If confirmed malicious, this activity + could allow an attacker to execute arbitrary code remotely, potentially compromising + additional systems within the network. data_source: - Windows Event Log Security 5145 -search: '`wineventlog_security` EventCode=5145 RelativeTargetName IN ("*.exe","*.dll") ObjectType=File ShareName IN ("\\\\*\\C$","\\\\*\\IPC$","\\\\*\\admin$") AccessMask= "0x2" - | stats min(_time) as firstTime max(_time) as lastTime count by EventCode ShareName RelativeTargetName ObjectType AccessMask src_user src_port IpAddress - | `security_content_ctime(firstTime)` | `executable_file_written_in_administrative_smb_share_filter`' +search: '`wineventlog_security` EventCode=5145 RelativeTargetName IN ("*.exe","*.dll") + ObjectType=File ShareName IN ("\\\\*\\C$","\\\\*\\IPC$","\\\\*\\admin$") AccessMask= + "0x2" | stats min(_time) as firstTime max(_time) as lastTime count by EventCode + ShareName RelativeTargetName ObjectType AccessMask src_user src_port IpAddress | + `security_content_ctime(firstTime)` | `executable_file_written_in_administrative_smb_share_filter`' how_to_implement: To successfully implement this search, you need to be ingesting Windows Security Event Logs with 5145 EventCode enabled. The Windows TA is also required. Also enable the object Audit access success/failure in your group policy. @@ -42,8 +45,8 @@ tags: asset_type: Endpoint confidence: 100 impact: 70 - message: $src_user$ dropped or created an executable file in known sensitive SMB share. Share - name=$ShareName$, Target name=$RelativeTargetName$, and Access mask=$AccessMask$ + message: $src_user$ dropped or created an executable file in known sensitive SMB + share. Share name=$ShareName$, Target name=$RelativeTargetName$, and Access mask=$AccessMask$ mitre_attack_id: - T1021 - T1021.002 @@ -71,6 +74,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/exe_smbshare/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/exe_smbshare/windows-xml.log source: XmlWinEventLog:Security - sourcetype: XmlWinEventLog \ No newline at end of file + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml b/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml index dc2bb72b2a..3d9eac40ef 100644 --- a/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml +++ b/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml @@ -1,17 +1,18 @@ name: Executables Or Script Creation In Suspicious Path id: a7e3f0f0-ae42-11eb-b245-acde48001122 -version: 1 -date: '2023-12-27' +version: 2 +date: '2024-05-21' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This analytic identifies potentially malicious executables or scripts - by examining a list of suspicious file paths on Windows Operating System. The purpose - of this technique is to uncover files with known file extensions that could be used - by adversaries to evade detection and persistence. The suspicious file paths selected - for investigation are typically uncommon and uncommonly associated with executable - or script files. By scrutinizing these paths, we can proactively identify potential - security threats and enhance overall system security. +description: The following analytic identifies the creation of executables or scripts + in suspicious file paths on Windows systems. It leverages the Endpoint.Filesystem + data model to detect files with specific extensions (e.g., .exe, .dll, .ps1) created + in uncommon directories (e.g., \windows\fonts\, \users\public\). This activity is + significant as adversaries often use these paths to evade detection and maintain + persistence. If confirmed malicious, this behavior could allow attackers to execute + unauthorized code, escalate privileges, or persist within the environment, posing + a significant security threat. data_source: - Sysmon EventID 11 search: '|tstats `security_content_summariesonly` values(Filesystem.file_path) as @@ -103,6 +104,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/execute_javascript_with_jscript_com_clsid.yml b/detections/endpoint/execute_javascript_with_jscript_com_clsid.yml index a7694b8606..05722b76c7 100644 --- a/detections/endpoint/execute_javascript_with_jscript_com_clsid.yml +++ b/detections/endpoint/execute_javascript_with_jscript_com_clsid.yml @@ -1,14 +1,18 @@ name: Execute Javascript With Jscript COM CLSID id: dc64d064-d346-11eb-8588-acde48001122 -version: 1 -date: '2021-06-22' +version: 2 +date: '2024-05-12' author: Teoderick Contreras, Splunk status: production type: TTP -description: This analytic will identify suspicious process of cscript.exe where it - tries to execute javascript using jscript.encode CLSID (COM OBJ). This technique - was seen in ransomware (reddot ransomware) where it execute javascript with this - com object with combination of amsi disabling technique. +description: The following analytic detects the execution of JavaScript using the + JScript.Encode CLSID (COM Object) by cscript.exe. It leverages data from Endpoint + Detection and Response (EDR) agents, focusing on process names, command-line executions, + and parent processes. This activity is significant as it is a known technique used + by ransomware, such as Reddot, to execute malicious scripts and potentially disable + AMSI (Antimalware Scan Interface). If confirmed malicious, this behavior could allow + attackers to execute arbitrary code, evade detection, and maintain persistence within + the environment. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -72,6 +76,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data2/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data2/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/execution_of_file_with_multiple_extensions.yml b/detections/endpoint/execution_of_file_with_multiple_extensions.yml index c1720e7072..e5a8a177a1 100644 --- a/detections/endpoint/execution_of_file_with_multiple_extensions.yml +++ b/detections/endpoint/execution_of_file_with_multiple_extensions.yml @@ -1,22 +1,27 @@ name: Execution of File with Multiple Extensions id: b06a555e-dce0-417d-a2eb-28a5d8d66ef7 -version: 3 -date: '2020-11-18' +version: 4 +date: '2024-05-26' author: Rico Valdez, Teoderick Contreras, Splunk status: production type: TTP -description: This search looks for processes launched from files that have double - extensions in the file name. This is typically done to obscure the "real" file extension - and make it appear as though the file being accessed is a data file, as opposed - to executable content. +description: The following analytic detects the execution of files with multiple extensions, + such as ".doc.exe" or ".pdf.exe". This behavior is identified using Endpoint Detection + and Response (EDR) telemetry, focusing on process creation events where the file + name contains double extensions. This activity is significant because attackers + often use double extensions to disguise malicious executables as benign documents, + increasing the likelihood of user execution. If confirmed malicious, this technique + can lead to unauthorized code execution, potentially compromising the endpoint and + allowing further malicious activities. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN ("*.doc.exe", "*.xls.exe","*.ppt.exe", "*.htm.exe", "*.html.exe", "*.txt.exe", "*.pdf.exe", "*.docx.exe", "*.xlsx.exe", "*.pptx.exe","*.one.exe", "*.bat.exe", "*rtf.exe") by Processes.dest - Processes.user Processes.process Processes.process_name Processes.parent_process | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `execution_of_file_with_multiple_extensions_filter`' + Processes.user Processes.process Processes.process_name Processes.parent_process + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` + | `execution_of_file_with_multiple_extensions_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -72,6 +77,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.003/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.003/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/extraction_of_registry_hives.yml b/detections/endpoint/extraction_of_registry_hives.yml index 8c65a999c5..bcadff399d 100644 --- a/detections/endpoint/extraction_of_registry_hives.yml +++ b/detections/endpoint/extraction_of_registry_hives.yml @@ -1,23 +1,27 @@ name: Extraction of Registry Hives id: 8bbb7d58-b360-11eb-ba21-acde48001122 -version: 2 -date: '2023-12-27' +version: 3 +date: '2024-05-23' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies the use of `reg.exe` exporting Windows - Registry hives containing credentials. Adversaries may use this technique to export - registry hives for offline credential access attacks. Typically found executed from - a untrusted process or script. Upon execution, a file will be written to disk. +description: The following analytic detects the use of `reg.exe` to export Windows + Registry hives, which may contain sensitive credentials. This detection leverages + data from Endpoint Detection and Response (EDR) agents, focusing on command-line + executions involving `save` or `export` actions targeting the `sam`, `system`, or + `security` hives. This activity is significant as it indicates potential offline + credential access attacks, often executed from untrusted processes or scripts. If + confirmed malicious, attackers could gain access to credential data, enabling further + compromise and lateral movement within the network. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` (Processes.process=*save* OR Processes.process=*export*) AND (Processes.process="*\sam *" OR Processes.process="*\system *" OR Processes.process="*\security *") by Processes.dest Processes.user Processes.parent_process - Processes.process_name Processes.parent_process_name Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `extraction_of_registry_hives_filter`' + Processes.process_name Processes.parent_process_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `extraction_of_registry_hives_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -83,6 +87,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/file_with_samsam_extension.yml b/detections/endpoint/file_with_samsam_extension.yml index 8a01dbf839..8cf0a0e31e 100644 --- a/detections/endpoint/file_with_samsam_extension.yml +++ b/detections/endpoint/file_with_samsam_extension.yml @@ -1,12 +1,12 @@ name: File with Samsam Extension id: 02c6cfc2-ae66-4735-bfc7-6291da834cbf -version: 1 -date: '2018-12-14' +version: 2 +date: '2024-05-22' author: Rico Valdez, Splunk status: production type: TTP description: |- - The following analytic detects file writes with extensions that are consistent with a SamSam ransomware attack to proactively detect and respond to potential SamSam ransomware attacks, minimizing the impact and reducing the likelihood of successful ransomware infections. This detection is made by a Splunk query to search for specific file extensions that are commonly associated with SamSam ransomware, such as .stubbin, .berkshire, .satoshi, .sophos, and .keyxml. This identifies file extensions in the file names of the written files. If any file write events with these extensions are found, it suggests a potential SamSam ransomware attack. This detection is important because SamSam ransomware is a highly destructive and financially motivated attack and suggests that the organization is at risk of having its files encrypted and held for ransom, which can lead to significant financial losses, operational disruptions, and reputational damage. False positives might occur since legitimate files with these extensions can exist in the environment. Therefore, next steps include conducting a careful analysis and triage to confirm the presence of a SamSam ransomware attack. Next steps include taking immediate action to contain the attack, mitigate the impact, and prevent further spread of the ransomware. This might involve isolating affected systems, restoring encrypted files from backups, and conducting a thorough investigation to identify the attack source and prevent future incidents. + The following analytic detects file writes with extensions indicative of a SamSam ransomware attack. It leverages file-system activity data to identify file names ending in .stubbin, .berkshire, .satoshi, .sophos, or .keyxml. This activity is significant because SamSam ransomware is highly destructive, leading to file encryption and ransom demands. If confirmed malicious, the impact includes significant financial losses, operational disruptions, and reputational damage. Immediate actions should include isolating affected systems, restoring files from backups, and investigating the attack source to prevent further incidents. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -60,6 +60,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.003/samsam_extension/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.003/samsam_extension/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/firewall_allowed_program_enable.yml b/detections/endpoint/firewall_allowed_program_enable.yml index 8de88804cf..004add9e5c 100644 --- a/detections/endpoint/firewall_allowed_program_enable.yml +++ b/detections/endpoint/firewall_allowed_program_enable.yml @@ -1,15 +1,18 @@ name: Firewall Allowed Program Enable id: 9a8f63a8-43ac-11ec-904c-acde48001122 -version: 1 -date: '2021-11-12' +version: 2 +date: '2024-05-11' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects a potential suspicious modification of firewall - rule allowing to execute specific application. This technique was identified when - an adversary and red teams to bypassed firewall file execution restriction in a - targetted host. Take note that this event or command can run by administrator during - testing or allowing legitimate tool or application. +description: The following analytic detects the modification of a firewall rule to + allow the execution of a specific application. This detection leverages data from + Endpoint Detection and Response (EDR) agents, focusing on process creation events + with command-line arguments related to firewall rule changes. This activity is significant + as it may indicate an attempt to bypass firewall restrictions, potentially allowing + unauthorized applications to communicate over the network. If confirmed malicious, + this could enable an attacker to execute arbitrary code, escalate privileges, or + maintain persistence within the target environment. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -72,6 +75,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/vilsel/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/vilsel/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/fodhelper_uac_bypass.yml b/detections/endpoint/fodhelper_uac_bypass.yml index 27f507f29d..3bf08952f6 100644 --- a/detections/endpoint/fodhelper_uac_bypass.yml +++ b/detections/endpoint/fodhelper_uac_bypass.yml @@ -1,31 +1,26 @@ name: FodHelper UAC Bypass id: 909f8fd8-7ac8-11eb-a1f3-acde48001122 -version: 2 -date: '2023-11-07' +version: 3 +date: '2024-05-15' author: Michael Haag, Splunk status: production type: TTP -description: 'Fodhelper.exe has a known UAC bypass as it attempts to look for specific - registry keys upon execution, that do not exist. Therefore, an attacker can write - its malicious commands in these registry keys to be executed by fodhelper.exe with - the highest privilege. - - * `HKCU:\Software\Classes\ms-settings\shell\open\command` - - * `HKCU:\Software\Classes\ms-settings\shell\open\command\DelegateExecute` - - * `HKCU:\Software\Classes\ms-settings\shell\open\command\(default)` - - Upon triage, fodhelper.exe will have a child process and read access will occur - on the registry keys. Isolate the endpoint and review parallel processes for additional - behavior.' +description: 'The following analytic detects the execution of fodhelper.exe, which + is known to exploit a User Account Control (UAC) bypass by leveraging specific registry + keys. The detection method uses Endpoint Detection and Response (EDR) telemetry + to identify when fodhelper.exe spawns a child process and accesses the registry + keys. This activity is significant because it indicates a potential privilege escalation + attempt by an attacker. If confirmed malicious, the attacker could execute commands + with elevated privileges, leading to unauthorized system changes and potential full + system compromise.' data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=fodhelper.exe - by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name - Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `fodhelper_uac_bypass_filter`' + by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` + | `fodhelper_uac_bypass_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -48,9 +43,8 @@ tags: asset_type: Endpoint confidence: 90 impact: 90 - message: Suspicious registy keys added by process fodhelper.exe - with a parent_process of $parent_process_name$ that has been executed on $dest$ - by $user$. + message: Suspicious registy keys added by process fodhelper.exe with a parent_process + of $parent_process_name$ that has been executed on $dest$ by $user$. mitre_attack_id: - T1112 - T1548.002 @@ -87,6 +81,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/fsutil_zeroing_file.yml b/detections/endpoint/fsutil_zeroing_file.yml index ed8f2d3f1c..b50136e550 100644 --- a/detections/endpoint/fsutil_zeroing_file.yml +++ b/detections/endpoint/fsutil_zeroing_file.yml @@ -1,13 +1,18 @@ name: Fsutil Zeroing File id: 4e5e024e-fabb-11eb-8b8f-acde48001122 -version: 1 -date: '2021-08-11' +version: 2 +date: '2024-05-20' author: Teoderick Contreras, Splunk status: production type: TTP -description: This search is to detect a suspicious fsutil process to zeroing a target - file. This technique was seen in lockbit ransomware where it tries to zero out its - malware path as part of its defense evasion after encrypting the compromised host. +description: The following analytic detects the execution of the 'fsutil' command + with the 'setzerodata' parameter, which zeros out a target file. This detection + leverages data from Endpoint Detection and Response (EDR) agents, focusing on process + names and command-line arguments. This activity is significant because it is a technique + used by ransomware, such as LockBit, to evade detection by erasing its malware path + after encrypting the host. If confirmed malicious, this action could hinder forensic + investigations and allow attackers to cover their tracks, complicating incident + response efforts. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count values(Processes.process) @@ -61,6 +66,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070/fsutil_file_zero/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070/fsutil_file_zero/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell.yml b/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell.yml index 0d7ebb36de..0fc63d761e 100644 --- a/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell.yml +++ b/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell.yml @@ -1,14 +1,18 @@ name: Get ADDefaultDomainPasswordPolicy with Powershell id: 36e46ebe-065a-11ec-b4c7-acde48001122 -version: 1 -date: '2021-08-26' +version: 2 +date: '2024-05-14' author: Teoderick Contreras, Splunk status: production type: Hunting -description: This analytic looks for the execution of `powershell.exe` executing the - Get-ADDefaultDomainPasswordPolicy commandlet used to obtain the password policy - in a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate - domain policies for situational awareness and Active Directory Discovery. +description: The following analytic detects the execution of `powershell.exe` running + the `Get-ADDefaultDomainPasswordPolicy` cmdlet, which is used to retrieve the password + policy in a Windows domain. This detection leverages data from Endpoint Detection + and Response (EDR) agents, focusing on process names and command-line executions. + Monitoring this activity is crucial as it can indicate attempts by adversaries to + gather information about domain policies for situational awareness and Active Directory + discovery. If confirmed malicious, this activity could lead to further reconnaissance + and potential exploitation of domain security settings. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -73,6 +77,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1201/pwd_policy_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1201/pwd_policy_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell_script_block.yml b/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell_script_block.yml index 17098bb4c7..8933daddbf 100644 --- a/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell_script_block.yml +++ b/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell_script_block.yml @@ -1,21 +1,24 @@ name: Get ADDefaultDomainPasswordPolicy with Powershell Script Block id: 1ff7ccc8-065a-11ec-91e4-acde48001122 -version: 2 -date: '2022-03-22' +version: 3 +date: '2024-05-27' author: Teoderick Contreras, Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) - to identify the execution of the `Get-ADDefaultDomainPasswordPolicy` commandlet - used to obtain the password policy in a Windows domain. Red Teams and adversaries - alike may use PowerShell to enumerate domain policies for situational awareness - and Active Directory Discovery. +description: The following analytic detects the execution of the `Get-ADDefaultDomainPasswordPolicy` + PowerShell cmdlet, which is used to retrieve the password policy in a Windows domain. + This detection leverages PowerShell Script Block Logging (EventCode=4104) to identify + the specific command execution. Monitoring this activity is significant as it can + indicate an attempt to gather domain policy information, which is often a precursor + to further malicious actions. If confirmed malicious, this activity could allow + an attacker to understand password policies, aiding in password attacks or further + domain enumeration. data_source: - Powershell Script Block Logging 4104 search: '`powershell` EventCode=4104 ScriptBlockText ="*Get-ADDefaultDomainPasswordPolicy*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText - Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `get_addefaultdomainpasswordpolicy_with_powershell_script_block_filter`' + Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `get_addefaultdomainpasswordpolicy_with_powershell_script_block_filter`' how_to_implement: The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. @@ -30,7 +33,8 @@ tags: asset_type: Endpoint confidence: 30 impact: 30 - message: Powershell process having commandline "Get-ADDefaultDomainPasswordPolicy" to query domain password policy on $dest$ + message: Powershell process having commandline "Get-ADDefaultDomainPasswordPolicy" + to query domain password policy on $dest$ mitre_attack_id: - T1201 observable: @@ -57,6 +61,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1201/pwd_policy_discovery/windows-powershell-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1201/pwd_policy_discovery/windows-powershell-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/get_aduser_with_powershell.yml b/detections/endpoint/get_aduser_with_powershell.yml index f96c8015a4..cfc54fe740 100644 --- a/detections/endpoint/get_aduser_with_powershell.yml +++ b/detections/endpoint/get_aduser_with_powershell.yml @@ -1,14 +1,18 @@ name: Get ADUser with PowerShell id: 0b6ee3f4-04e3-11ec-a87d-acde48001122 -version: 1 -date: '2023-12-27' +version: 2 +date: '2024-05-21' author: Teoderick Contreras, Mauricio Velazco, Splunk status: production type: Hunting -description: This analytic looks for the execution of `powershell.exe` with command-line - arguments utilized to enumerate domain users. The `Get-AdUser' commandlet returns - a list of all domain users. Red Teams and adversaries alike may use this commandlet - to identify remote systems for situational awareness and Active Directory Discovery. +description: The following analytic detects the execution of `powershell.exe` with + command-line arguments used to enumerate domain users via the `Get-ADUser` cmdlet. + It leverages data from Endpoint Detection and Response (EDR) agents, focusing on + process names and command-line executions. This activity is significant as it may + indicate an attempt by adversaries to gather information about domain users for + situational awareness and Active Directory discovery. If confirmed malicious, this + behavior could lead to further reconnaissance, enabling attackers to identify high-value + targets and plan subsequent attacks. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -75,6 +79,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/get_aduser_with_powershell_script_block.yml b/detections/endpoint/get_aduser_with_powershell_script_block.yml index 7abe863d9b..20c59c72ef 100644 --- a/detections/endpoint/get_aduser_with_powershell_script_block.yml +++ b/detections/endpoint/get_aduser_with_powershell_script_block.yml @@ -1,15 +1,18 @@ name: Get ADUser with PowerShell Script Block id: 21432e40-04f4-11ec-b7e6-acde48001122 -version: 2 -date: '2023-12-27' +version: 3 +date: '2024-05-29' author: Teoderick Contreras, Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) - to identify the execution of the `Get-AdGUser` commandlet. The `Get-AdUser` commandlet - is used to return a list of all domain users. Red Teams and adversaries may leverage - this commandlet to enumerate domain groups for situational awareness and Active - Directory Discovery. +description: The following analytic detects the execution of the `Get-AdUser` PowerShell + cmdlet, which is used to enumerate all domain users. It leverages PowerShell Script + Block Logging (EventCode=4104) to identify instances where this command is executed + with a filter. This activity is significant as it may indicate an attempt by adversaries + or Red Teams to gather information about domain users for situational awareness + and Active Directory discovery. If confirmed malicious, this behavior could lead + to further reconnaissance and potential exploitation of user accounts within the + domain. data_source: - Powershell Script Block Logging 4104 search: '`powershell` EventCode=4104 ScriptBlockText = "*get-aduser*" ScriptBlockText @@ -60,6 +63,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/aduser_powershell.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/aduser_powershell.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell.yml b/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell.yml index ece8f4e24c..cb7cfc985d 100644 --- a/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell.yml +++ b/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell.yml @@ -1,14 +1,18 @@ name: Get ADUserResultantPasswordPolicy with Powershell id: 8b5ef342-065a-11ec-b0fc-acde48001122 -version: 1 -date: '2023-12-27' +version: 2 +date: '2024-05-25' author: Teoderick Contreras, Mauricio Velazco, Splunk status: production type: TTP -description: This analytic looks for the execution of `powershell.exe` executing the - Get ADUserResultantPasswordPolicy commandlet used to obtain the password policy - in a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate - domain policies for situational awareness and Active Directory Discovery. +description: The following analytic detects the execution of `powershell.exe` running + the `Get-ADUserResultantPasswordPolicy` cmdlet, which is used to obtain the password + policy in a Windows domain. It leverages data from Endpoint Detection and Response + (EDR) agents, focusing on process names and command-line executions. This activity + is significant as it indicates potential enumeration of domain policies, a common + tactic for situational awareness and Active Directory discovery by adversaries. + If confirmed malicious, this could allow attackers to understand password policies, + aiding in further attacks such as password spraying or brute force attempts. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -74,6 +78,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1201/pwd_policy_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1201/pwd_policy_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell_script_block.yml b/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell_script_block.yml index 7f0fda236e..0b54225dd0 100644 --- a/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell_script_block.yml +++ b/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell_script_block.yml @@ -1,15 +1,18 @@ name: Get ADUserResultantPasswordPolicy with Powershell Script Block id: 737e1eb0-065a-11ec-921a-acde48001122 -version: 3 -date: '2023-12-27' +version: 4 +date: '2024-05-09' author: Teoderick Contreras, Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) - to identify the execution of the `Get-ADUserResultantPasswordPolicy` commandlet - used to obtain the password policy in a Windows domain. Red Teams and adversaries - alike may use PowerShell to enumerate domain policies for situational awareness - and Active Directory Discovery. +description: The following analytic detects the execution of the `Get-ADUserResultantPasswordPolicy` + PowerShell cmdlet, which is used to obtain the password policy in a Windows domain. + It leverages PowerShell Script Block Logging (EventCode=4104) to identify this activity. + Monitoring this behavior is significant as it may indicate an attempt to enumerate + domain policies, a common tactic used by adversaries for situational awareness and + Active Directory discovery. If confirmed malicious, this activity could allow attackers + to understand password policies, aiding in further attacks such as password guessing + or policy exploitation. data_source: - Powershell Script Block Logging 4104 search: '`powershell` EventCode=4104 ScriptBlockText="*Get-ADUserResultantPasswordPolicy*" @@ -60,6 +63,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/get_domainpolicy_with_powershell.yml b/detections/endpoint/get_domainpolicy_with_powershell.yml index d12e93cd23..327f40553b 100644 --- a/detections/endpoint/get_domainpolicy_with_powershell.yml +++ b/detections/endpoint/get_domainpolicy_with_powershell.yml @@ -1,14 +1,18 @@ name: Get DomainPolicy with Powershell id: b8f9947e-065a-11ec-aafb-acde48001122 -version: 1 -date: '2021-08-26' +version: 2 +date: '2024-05-19' author: Teoderick Contreras, Mauricio Velazco, Splunk status: production type: TTP -description: This analytic looks for the execution of `powershell.exe` executing the - `Get-DomainPolicy` commandlet used to obtain the password policy in a Windows domain. - Red Teams and adversaries alike may use PowerShell to enumerate domain policies - for situational awareness and Active Directory Discovery. +description: The following analytic detects the execution of `powershell.exe` running + the `Get-DomainPolicy` cmdlet, which is used to retrieve password policies in a + Windows domain. It leverages data from Endpoint Detection and Response (EDR) agents, + focusing on process names and command-line executions. This activity is significant + as it indicates potential reconnaissance efforts by adversaries to gather domain + policy information, which is crucial for planning further attacks. If confirmed + malicious, this could lead to unauthorized access to sensitive domain configurations, + aiding in privilege escalation and lateral movement within the network. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -73,6 +77,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1201/pwd_policy_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1201/pwd_policy_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/get_domainpolicy_with_powershell_script_block.yml b/detections/endpoint/get_domainpolicy_with_powershell_script_block.yml index 70a2e886e0..59b8d1e7b7 100644 --- a/detections/endpoint/get_domainpolicy_with_powershell_script_block.yml +++ b/detections/endpoint/get_domainpolicy_with_powershell_script_block.yml @@ -1,14 +1,18 @@ name: Get DomainPolicy with Powershell Script Block id: a360d2b2-065a-11ec-b0bf-acde48001122 -version: 2 -date: '2022-05-02' +version: 3 +date: '2024-05-11' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) - to identify the execution of the `Get DomainPolicy` commandlet used to obtain the - password policy in a Windows domain. Red Teams and adversaries alike may use PowerShell - to enumerate domain policies for situational awareness and Active Directory Discovery. +description: The following analytic detects the execution of the `Get-DomainPolicy` + cmdlet using PowerShell Script Block Logging (EventCode=4104). It leverages logs + capturing script block text to identify attempts to obtain the password policy in + a Windows domain. This activity is significant as it indicates potential reconnaissance + efforts by adversaries or Red Teams to gather domain policy information, which is + crucial for planning further attacks. If confirmed malicious, this behavior could + lead to detailed knowledge of domain security settings, aiding in privilege escalation + or lateral movement within the network. data_source: - Powershell Script Block Logging 4104 search: '`powershell` EventCode=4104 ScriptBlockText ="*Get-DomainPolicy*" | stats @@ -58,6 +62,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/domainpolicy.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/domainpolicy.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/get_domaintrust_with_powershell.yml b/detections/endpoint/get_domaintrust_with_powershell.yml index d6001c8094..4932bbe871 100644 --- a/detections/endpoint/get_domaintrust_with_powershell.yml +++ b/detections/endpoint/get_domaintrust_with_powershell.yml @@ -1,16 +1,19 @@ name: Get-DomainTrust with PowerShell id: 4fa7f846-054a-11ec-a836-acde48001122 -version: 1 -date: '2021-08-24' +version: 2 +date: '2024-05-21' author: Michael Haag, Splunk status: production type: TTP -description: This analytic identifies Get-DomainTrust from PowerView in order to gather - domain trust information. Typically, this is utilized within a script being executed - and used to enumerate the domain trust information. This grants the adversary an - understanding of how large or small the domain is. During triage, review parallel - processes using an EDR product or 4688 events. It will be important to understand - the timeline of events around this activity. +description: The following analytic identifies the execution of the Get-DomainTrust + command from PowerView using PowerShell, which is used to gather domain trust information. + This detection leverages data from Endpoint Detection and Response (EDR) agents, + focusing on process and command-line telemetry. This activity is significant as + it indicates potential reconnaissance efforts by an adversary to understand domain + trust relationships, which can inform lateral movement strategies. If confirmed + malicious, this could allow attackers to map out the network, identify potential + targets, and plan further attacks, potentially compromising additional systems within + the domain. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -72,6 +75,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1482/discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1482/discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/get_domaintrust_with_powershell_script_block.yml b/detections/endpoint/get_domaintrust_with_powershell_script_block.yml index d77e610a37..1e54882d05 100644 --- a/detections/endpoint/get_domaintrust_with_powershell_script_block.yml +++ b/detections/endpoint/get_domaintrust_with_powershell_script_block.yml @@ -1,28 +1,24 @@ name: Get-DomainTrust with PowerShell Script Block id: 89275e7e-0548-11ec-bf75-acde48001122 -version: 2 -date: '2022-05-02' +version: 3 +date: '2024-05-27' author: Michael Haag, Splunk status: production type: TTP -description: 'The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) - to identify suspicious PowerShell execution. Script Block Logging captures the command - sent to PowerShell, the full command to be executed. Upon enabling, logs will output - to Windows event logs. Dependent upon volume, enable on critical endpoints or all. - - - This analytic identifies Get-DomainTrust from PowerView in order to gather domain - trust information. - - During triage, review parallel processes using an EDR product or 4688 events. It - will be important to understand the timeline of events around this activity. Review - the entire logged PowerShell script block.' +description: 'The following analytic detects the execution of the Get-DomainTrust + command from PowerView using PowerShell Script Block Logging (EventCode=4104). This + method captures the full command sent to PowerShell, allowing for detailed inspection. + Identifying this activity is significant because it may indicate an attempt to gather + domain trust information, which is often a precursor to lateral movement or privilege + escalation. If confirmed malicious, this activity could enable an attacker to map + trust relationships within the domain, potentially leading to further exploitation + and compromise of additional systems.' data_source: - Powershell Script Block Logging 4104 search: '`powershell` EventCode=4104 ScriptBlockText = "*get-domaintrust*" | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode - ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `get_domaintrust_with_powershell_script_block_filter`' + ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `get_domaintrust_with_powershell_script_block_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. @@ -69,6 +65,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/domaintrust.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/domaintrust.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/get_domainuser_with_powershell.yml b/detections/endpoint/get_domainuser_with_powershell.yml index 88bc26415c..f72d056f00 100644 --- a/detections/endpoint/get_domainuser_with_powershell.yml +++ b/detections/endpoint/get_domainuser_with_powershell.yml @@ -1,15 +1,19 @@ name: Get DomainUser with PowerShell id: 9a5a41d6-04e7-11ec-923c-acde48001122 -version: 1 -date: '2023-12-27' +version: 2 +date: '2024-05-22' author: Teoderick Contreras, Mauricio Velazco, Splunk status: production type: TTP -description: This analytic looks for the execution of `powershell.exe` with command-line - arguments utilized to enumerate domain users. `Get-DomainUser` is part of PowerView, - a PowerShell tool used to perform enumeration on Windows domains. Red Teams and - adversaries alike may leverage PowerView to enumerate domain users for situational - awareness and Active Directory Discovery. +description: The following analytic detects the execution of `powershell.exe` with + command-line arguments used to enumerate domain users via the `Get-DomainUser` command. + This detection leverages data from Endpoint Detection and Response (EDR) agents, + focusing on process names and command-line executions mapped to the `Processes` + node of the `Endpoint` data model. This activity is significant as it indicates + potential reconnaissance efforts by adversaries or Red Teams using PowerView for + Active Directory discovery. If confirmed malicious, this could allow attackers to + gain situational awareness and identify valuable targets within the domain, potentially + leading to further exploitation. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -74,6 +78,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/get_domainuser_with_powershell_script_block.yml b/detections/endpoint/get_domainuser_with_powershell_script_block.yml index 74e9eeaaaf..e05a37c3ba 100644 --- a/detections/endpoint/get_domainuser_with_powershell_script_block.yml +++ b/detections/endpoint/get_domainuser_with_powershell_script_block.yml @@ -1,15 +1,18 @@ name: Get DomainUser with PowerShell Script Block id: 61994268-04f4-11ec-865c-acde48001122 -version: 3 -date: '2023-12-27' +version: 4 +date: '2024-05-09' author: Teoderick Contreras, Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) - to identify the execution of the `Get-DomainUser` commandlet. `GetDomainUser` is - part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. - Red Teams and adversaries alike may use PowerView to enumerate domain users for - situational awareness and Active Directory Discovery. +description: The following analytic detects the execution of the `Get-DomainUser` + cmdlet using PowerShell Script Block Logging (EventCode=4104). This cmdlet is part + of PowerView, a tool often used for domain enumeration. The detection leverages + PowerShell operational logs to identify instances where this command is executed. + Monitoring this activity is crucial as it may indicate an adversary's attempt to + gather information about domain users, which is a common step in Active Directory + Discovery. If confirmed malicious, this activity could lead to further reconnaissance + and potential exploitation of domain resources. data_source: - Powershell Script Block Logging 4104 search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-DomainUser*" | stats @@ -58,6 +61,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-powershell-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-powershell-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/get_foresttrust_with_powershell.yml b/detections/endpoint/get_foresttrust_with_powershell.yml index 5f2f0c740a..d14075d71f 100644 --- a/detections/endpoint/get_foresttrust_with_powershell.yml +++ b/detections/endpoint/get_foresttrust_with_powershell.yml @@ -1,16 +1,18 @@ name: Get-ForestTrust with PowerShell id: 584f4884-0bf1-11ec-a5ec-acde48001122 -version: 1 -date: '2021-09-02' +version: 2 +date: '2024-05-18' author: Michael Haag, Splunk status: production type: TTP -description: This analytic identifies Get-ForestTrust from PowerSploit in order to - gather domain trust information. Typically, this is utilized within a script being - executed and used to enumerate the domain trust information. This grants the adversary - an understanding of how large or small the domain is. During triage, review parallel - processes using an EDR product or 4688 events. It will be important to understand - the timeline of events around this activity. +description: The following analytic detects the execution of the Get-ForestTrust command + via PowerShell, commonly used by adversaries to gather domain trust information. + This detection leverages data from Endpoint Detection and Response (EDR) agents, + focusing on process names and command-line executions. Identifying this activity + is crucial as it indicates potential reconnaissance efforts to map out domain trusts, + which can inform further attacks. If confirmed malicious, this activity could allow + attackers to understand domain relationships, aiding in lateral movement and privilege + escalation within the network. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -73,6 +75,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1482/discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1482/discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/get_foresttrust_with_powershell_script_block.yml b/detections/endpoint/get_foresttrust_with_powershell_script_block.yml index abe8fe210d..553b45eccc 100644 --- a/detections/endpoint/get_foresttrust_with_powershell_script_block.yml +++ b/detections/endpoint/get_foresttrust_with_powershell_script_block.yml @@ -1,28 +1,24 @@ name: Get-ForestTrust with PowerShell Script Block id: 70fac80e-0bf1-11ec-9ba0-acde48001122 -version: 2 -date: '2022-02-24' +version: 3 +date: '2024-05-14' author: Michael Haag, Splunk status: production type: TTP -description: 'The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) - to identify suspicious PowerShell execution. Script Block Logging captures the command - sent to PowerShell, the full command to be executed. Upon enabling, logs will output - to Windows event logs. Dependent upon volume, enable on critical endpoints or all. - - - This analytic identifies Get-ForestTrust from PowerSploit in order to gather domain - trust information. - - During triage, review parallel processes using an EDR product or 4688 events. It - will be important to understand the timeline of events around this activity. Review - the entire logged PowerShell script block.' +description: 'The following analytic detects the execution of the Get-ForestTrust + command from PowerSploit using PowerShell Script Block Logging (EventCode=4104). + This method captures the full command sent to PowerShell, providing detailed visibility + into potentially suspicious activities. Monitoring this behavior is crucial as it + can indicate an attempt to gather domain trust information, which is often a precursor + to lateral movement or privilege escalation. If confirmed malicious, this activity + could allow an attacker to map trust relationships within the domain, facilitating + further exploitation and access to sensitive resources.' data_source: - Powershell Script Block Logging 4104 search: '`powershell` EventCode=4104 ScriptBlockText = "*get-foresttrust*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText - Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `get_foresttrust_with_powershell_script_block_filter`' + Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `get_foresttrust_with_powershell_script_block_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. @@ -67,6 +63,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1482/discovery/windows-powershell-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1482/discovery/windows-powershell-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/get_wmiobject_group_discovery.yml b/detections/endpoint/get_wmiobject_group_discovery.yml index 92c916392c..1c49b46dd9 100644 --- a/detections/endpoint/get_wmiobject_group_discovery.yml +++ b/detections/endpoint/get_wmiobject_group_discovery.yml @@ -1,15 +1,17 @@ name: Get WMIObject Group Discovery id: 5434f670-155d-11ec-8cca-acde48001122 -version: 1 -date: '2021-09-14' +version: 2 +date: '2024-05-22' author: Michael Haag, Splunk status: production type: Hunting -description: The following hunting analytic identifies the use of `Get-WMIObject Win32_Group` - being used with PowerShell to identify local groups on the endpoint. \ Typically, - by itself, is not malicious but may raise suspicion based on time of day, endpoint - and username. \ During triage, review parallel processes and identify any further - suspicious behavior. +description: The following analytic detects the use of the `Get-WMIObject Win32_Group` + command executed via PowerShell to enumerate local groups on an endpoint. This detection + leverages data from Endpoint Detection and Response (EDR) agents, focusing on process + names and command-line executions. Identifying local groups can be a precursor to + privilege escalation or lateral movement. If confirmed malicious, this activity + could allow an attacker to map out group memberships, aiding in further exploitation + or unauthorized access to sensitive resources. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -73,6 +75,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.001/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/get_wmiobject_group_discovery_with_script_block_logging.yml b/detections/endpoint/get_wmiobject_group_discovery_with_script_block_logging.yml index c41dfea6ef..7d41986854 100644 --- a/detections/endpoint/get_wmiobject_group_discovery_with_script_block_logging.yml +++ b/detections/endpoint/get_wmiobject_group_discovery_with_script_block_logging.yml @@ -1,29 +1,23 @@ name: Get WMIObject Group Discovery with Script Block Logging id: 69df7f7c-155d-11ec-a055-acde48001122 -version: 2 -date: '2022-03-22' +version: 3 +date: '2024-05-23' author: Michael Haag, Splunk status: production type: Hunting -description: 'The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) - to identify suspicious PowerShell execution. Script Block Logging captures the command - sent to PowerShell, the full command to be executed. Upon enabling, logs will output - to Windows event logs. Dependent upon volume, enable on critical endpoints or all. - - - This analytic identifies the usage of `Get-WMIObject Win32_Group`, which is typically - used as a way to identify groups on the endpoint. Typically, by itself, is not - malicious but may raise suspicion based on time of day, endpoint and username. - - During triage, review parallel processes using an EDR product or 4688 events. It - will be important to understand the timeline of events around this activity. Review - the entire logged PowerShell script block.' +description: 'The following analytic detects the execution of the `Get-WMIObject Win32_Group` + command using PowerShell Script Block Logging (EventCode=4104). This method captures + the full command sent to PowerShell, allowing for detailed analysis. Identifying + group information on an endpoint is not inherently malicious but can be suspicious + based on context such as time, endpoint, and user. This activity is significant + as it may indicate reconnaissance efforts by an attacker. If confirmed malicious, + it could lead to further enumeration and potential lateral movement within the network.' data_source: - Powershell Script Block Logging 4104 search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-WMIObject*" AND ScriptBlockText = "*Win32_Group*" | stats count min(_time) as firstTime max(_time) as lastTime by - EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `get_wmiobject_group_discovery_with_script_block_logging_filter`' + EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_wmiobject_group_discovery_with_script_block_logging_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. @@ -69,6 +63,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.001/atomic_red_team/windows-powershell-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.001/atomic_red_team/windows-powershell-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/getadcomputer_with_powershell.yml b/detections/endpoint/getadcomputer_with_powershell.yml index 6362030f0d..fd71cbaada 100644 --- a/detections/endpoint/getadcomputer_with_powershell.yml +++ b/detections/endpoint/getadcomputer_with_powershell.yml @@ -1,14 +1,18 @@ name: GetAdComputer with PowerShell id: c5a31f80-5888-4d81-9f78-1cc65026316e -version: 1 -date: '2021-09-07' +version: 2 +date: '2024-05-10' author: Mauricio Velazco, Splunk status: production type: Hunting -description: This analytic looks for the execution of `powershell.exe` with command-line - arguments utilized to discover remote systems. The `Get-AdComputer' commandlet returns - a list of all domain computers. Red Teams and adversaries alike may use this commandlet - to identify remote systems for situational awareness and Active Directory Discovery. +description: The following analytic detects the execution of `powershell.exe` with + the `Get-AdComputer` commandlet, which is used to discover remote systems within + a domain. This detection leverages data from Endpoint Detection and Response (EDR) + agents, focusing on process names and command-line arguments. This activity is significant + because it indicates potential reconnaissance efforts by adversaries to map out + domain computers, which is a common step in the attack lifecycle. If confirmed malicious, + this behavior could allow attackers to gain situational awareness and plan further + attacks, potentially leading to unauthorized access and data exfiltration. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -64,6 +68,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/getadcomputer_with_powershell_script_block.yml b/detections/endpoint/getadcomputer_with_powershell_script_block.yml index ba88a802d2..8170e16f90 100644 --- a/detections/endpoint/getadcomputer_with_powershell_script_block.yml +++ b/detections/endpoint/getadcomputer_with_powershell_script_block.yml @@ -1,15 +1,18 @@ name: GetAdComputer with PowerShell Script Block id: a9a1da02-8e27-4bf7-a348-f4389c9da487 -version: 3 -date: '2022-05-02' +version: 4 +date: '2024-05-28' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) - to identify the execution of the `Get-AdGroup` commandlet. The `Get-AdGroup` commandlet - is used to return a list of all domain computers. Red Teams and adversaries may - leverage this commandlet to enumerate domain computers for situational awareness - and Active Directory Discovery. +description: The following analytic detects the execution of the `Get-AdComputer` + PowerShell commandlet using PowerShell Script Block Logging (EventCode=4104). This + detection leverages script block text to identify when this commandlet is run. The + `Get-AdComputer` commandlet is significant as it can be used by adversaries to enumerate + all domain computers, aiding in situational awareness and Active Directory discovery. + If confirmed malicious, this activity could allow attackers to map the network, + identify targets, and plan further attacks, potentially leading to unauthorized + access and data exfiltration. data_source: - Powershell Script Block Logging 4104 search: '`powershell` EventCode=4104 (ScriptBlockText = "*Get-AdComputer*") | stats @@ -54,6 +57,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/getadgroup_with_powershell.yml b/detections/endpoint/getadgroup_with_powershell.yml index d167e30ba4..83900cb33a 100644 --- a/detections/endpoint/getadgroup_with_powershell.yml +++ b/detections/endpoint/getadgroup_with_powershell.yml @@ -1,15 +1,18 @@ name: GetAdGroup with PowerShell id: 872e3063-0fc4-4e68-b2f3-f2b99184a708 -version: 1 -date: '2021-08-25' +version: 2 +date: '2024-05-20' author: Mauricio Velazco, Splunk status: production type: Hunting -description: This analytic looks for the execution of `powershell.exe` with command-line - arguments utilized to query for domain groups. The `Get-AdGroup` commandlnet is - used to return a list of all groups available in a Windows Domain. Red Teams and - adversaries alike may leverage this commandlet to enumerate domain groups for situational - awareness and Active Directory Discovery. +description: The following analytic detects the execution of `powershell.exe` with + the `Get-AdGroup` commandlet, which is used to query domain groups in a Windows + Domain. This detection leverages data from Endpoint Detection and Response (EDR) + agents, focusing on process names and command-line arguments. Monitoring this activity + is crucial as it may indicate an adversary or Red Team enumerating domain groups + for situational awareness and Active Directory discovery. If confirmed malicious, + this activity could lead to further reconnaissance, privilege escalation, or lateral + movement within the network. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -67,6 +70,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/getadgroup_with_powershell_script_block.yml b/detections/endpoint/getadgroup_with_powershell_script_block.yml index 0e0d212168..efa6aa9cd5 100644 --- a/detections/endpoint/getadgroup_with_powershell_script_block.yml +++ b/detections/endpoint/getadgroup_with_powershell_script_block.yml @@ -1,20 +1,23 @@ name: GetAdGroup with PowerShell Script Block id: e4c73d68-794b-468d-b4d0-dac1772bbae7 -version: 2 -date: '2022-03-22' +version: 3 +date: '2024-05-22' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) - to identify the execution of the `Get-AdGroup` commandlet. The `Get-AdGroup` commandlet - is used to return a list of all domain groups. Red Teams and adversaries may leverage - this commandlet to enumerate domain groups for situational awareness and Active - Directory Discovery. +description: The following analytic detects the execution of the `Get-AdGroup` PowerShell + cmdlet using PowerShell Script Block Logging (EventCode=4104). This cmdlet is used + to enumerate all domain groups, which adversaries may exploit for situational awareness + and Active Directory discovery. Monitoring this activity is crucial as it can indicate + reconnaissance efforts within the network. If confirmed malicious, this behavior + could lead to further exploitation, such as privilege escalation or lateral movement, + by providing attackers with detailed information about the domain's group structure. data_source: - Powershell Script Block Logging 4104 search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-ADGroup*" | stats count - min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `getadgroup_with_powershell_script_block_filter`' + min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer + UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `getadgroup_with_powershell_script_block_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. @@ -53,6 +56,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-powershell-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-powershell-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/getcurrent_user_with_powershell.yml b/detections/endpoint/getcurrent_user_with_powershell.yml index e774a291ef..a3f858c269 100644 --- a/detections/endpoint/getcurrent_user_with_powershell.yml +++ b/detections/endpoint/getcurrent_user_with_powershell.yml @@ -1,15 +1,18 @@ name: GetCurrent User with PowerShell id: 7eb9c3d5-c98c-4088-acc5-8240bad15379 -version: 1 -date: '2021-09-13' +version: 2 +date: '2024-05-10' author: Mauricio Velazco, Splunk status: production type: Hunting -description: This analytic looks for the execution of `powerhsell.exe` with command-line - arguments that execute the `GetCurrent` method of the WindowsIdentity .NET class. - This method returns an object that represents the current Windows user. Red Teams - and adversaries may leverage this method to identify the logged user on a compromised - endpoint for situational awareness and Active Directory Discovery. +description: The following analytic detects the execution of `powershell.exe` with + command-line arguments invoking the `GetCurrent` method of the WindowsIdentity .NET + class. This detection leverages data from Endpoint Detection and Response (EDR) + agents, focusing on process names and command-line executions. This activity is + significant as adversaries may use this method to identify the logged-in user on + a compromised endpoint, aiding in situational awareness and Active Directory discovery. + If confirmed malicious, this could allow attackers to gain insights into user context, + potentially facilitating further exploitation and lateral movement within the network. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -66,6 +69,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/AD_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/getcurrent_user_with_powershell_script_block.yml b/detections/endpoint/getcurrent_user_with_powershell_script_block.yml index dbde8ca93d..acd52a9f63 100644 --- a/detections/endpoint/getcurrent_user_with_powershell_script_block.yml +++ b/detections/endpoint/getcurrent_user_with_powershell_script_block.yml @@ -1,21 +1,25 @@ name: GetCurrent User with PowerShell Script Block id: 80879283-c30f-44f7-8471-d1381f6d437a -version: 2 -date: '2022-03-22' +version: 3 +date: '2024-05-21' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) - to identify the execution of the `GetCurrent` method of the WindowsIdentity .NET - class. This method returns an object that represents the current Windows user. Red - Teams and adversaries may leverage this method to identify the logged user on a - compromised endpoint for situational awareness and Active Directory Discovery. +description: The following analytic detects the execution of the `GetCurrent` method + from the WindowsIdentity .NET class using PowerShell Script Block Logging (EventCode=4104). + This method identifies the current Windows user. The detection leverages PowerShell + script block logs to identify when this method is called. This activity is significant + because adversaries and Red Teams may use it to gain situational awareness and perform + Active Directory discovery on compromised endpoints. If confirmed malicious, this + could allow attackers to map out user accounts and potentially escalate privileges + or move laterally within the network. data_source: - Powershell Script Block Logging 4104 search: '`powershell` EventCode=4104 ScriptBlockText = "*[System.Security.Principal.WindowsIdentity]*" ScriptBlockText = "*GetCurrent()*" | stats count min(_time) as firstTime max(_time) as lastTime - by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `getcurrent_user_with_powershell_script_block_filter`' + by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as + user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `getcurrent_user_with_powershell_script_block_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. @@ -55,6 +59,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/AD_discovery/windows-powershell-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/AD_discovery/windows-powershell-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/getdomaincomputer_with_powershell.yml b/detections/endpoint/getdomaincomputer_with_powershell.yml index 78b806359e..0dba51ad46 100644 --- a/detections/endpoint/getdomaincomputer_with_powershell.yml +++ b/detections/endpoint/getdomaincomputer_with_powershell.yml @@ -1,15 +1,18 @@ name: GetDomainComputer with PowerShell id: ed550c19-712e-43f6-bd19-6f58f61b3a5e -version: 1 -date: '2021-09-07' +version: 2 +date: '2024-05-10' author: Mauricio Velazco, Splunk status: production type: TTP -description: This analytic looks for the execution of `powershell.exe` with command-line - arguments utilized to discover remote systems. `Get-DomainComputer` is part of PowerView, - a PowerShell tool used to perform enumeration on Windows domains. Red Teams and - adversaries alike may leverage PowerView to enumerate domain groups for situational - awareness and Active Directory Discovery. +description: The following analytic detects the execution of `powershell.exe` with + command-line arguments that utilize `Get-DomainComputer` to discover remote systems. + This detection leverages data from Endpoint Detection and Response (EDR) agents, + focusing on process names and command-line executions. This activity is significant + as `Get-DomainComputer` is part of PowerView, a tool often used by adversaries for + domain enumeration and situational awareness. If confirmed malicious, this activity + could allow attackers to map out the network, identify critical systems, and plan + further attacks, potentially leading to unauthorized access and data exfiltration. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -65,6 +68,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/getdomaincomputer_with_powershell_script_block.yml b/detections/endpoint/getdomaincomputer_with_powershell_script_block.yml index 634f8a3103..592155e6e4 100644 --- a/detections/endpoint/getdomaincomputer_with_powershell_script_block.yml +++ b/detections/endpoint/getdomaincomputer_with_powershell_script_block.yml @@ -1,20 +1,24 @@ name: GetDomainComputer with PowerShell Script Block id: f64da023-b988-4775-8d57-38e512beb56e -version: 2 -date: '2022-05-02' +version: 3 +date: '2024-05-12' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) - to identify the execution of the `Get-DomainComputer` commandlet. `GetDomainComputer` - is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. - Red Teams and adversaries alike may use PowerView to enumerate domain computers - for situational awareness and Active Directory Discovery. +description: The following analytic detects the execution of the `Get-DomainComputer` + commandlet using PowerShell Script Block Logging (EventCode=4104). This commandlet + is part of PowerView, a tool often used for enumerating domain computers within + Windows environments. The detection leverages script block text analysis to identify + this specific command. Monitoring this activity is crucial as it can indicate an + adversary's attempt to gather information about domain computers, which is a common + step in Active Directory reconnaissance. If confirmed malicious, this activity could + lead to further network enumeration and potential lateral movement within the domain. data_source: - Powershell Script Block Logging 4104 search: '`powershell` EventCode=4104 (ScriptBlockText = "*Get-DomainComputer*") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID - EventCode ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `getdomaincomputer_with_powershell_script_block_filter`' + EventCode ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` + | `getdomaincomputer_with_powershell_script_block_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. @@ -52,6 +56,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/getdomaincontroller_with_powershell.yml b/detections/endpoint/getdomaincontroller_with_powershell.yml index 0b41e228ff..b1e963083d 100644 --- a/detections/endpoint/getdomaincontroller_with_powershell.yml +++ b/detections/endpoint/getdomaincontroller_with_powershell.yml @@ -1,15 +1,18 @@ name: GetDomainController with PowerShell id: 868ee0e4-52ab-484a-833a-6d85b7c028d0 -version: 1 -date: '2021-09-07' +version: 2 +date: '2024-05-25' author: Mauricio Velazco, Splunk status: production type: Hunting -description: This analytic looks for the execution of `powershell.exe` with command-line - arguments utilized to discover remote systems. `Get-DomainController` is part of - PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red - Teams and adversaries alike may leverage PowerView to enumerate domain groups for - situational awareness and Active Directory Discovery. +description: The following analytic detects the execution of `powershell.exe` with + the `Get-DomainController` command, which is used to discover remote systems within + a Windows domain. This detection leverages data from Endpoint Detection and Response + (EDR) agents, focusing on process names and command-line arguments. Monitoring this + activity is crucial as it may indicate an attempt to enumerate domain controllers, + a common tactic in Active Directory discovery. If confirmed malicious, this activity + could allow attackers to gain situational awareness, potentially leading to further + exploitation and lateral movement within the network. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -66,6 +69,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/getdomaincontroller_with_powershell_script_block.yml b/detections/endpoint/getdomaincontroller_with_powershell_script_block.yml index 0d0b088aa4..47f1e5591c 100644 --- a/detections/endpoint/getdomaincontroller_with_powershell_script_block.yml +++ b/detections/endpoint/getdomaincontroller_with_powershell_script_block.yml @@ -1,15 +1,18 @@ name: GetDomainController with PowerShell Script Block id: 676b600a-a94d-4951-b346-11329431e6c1 -version: 2 -date: '2022-05-02' +version: 3 +date: '2024-05-13' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) - to identify the execution of the `Get-DomainController` commandlet. `Get-DomainController` - is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. - Red Teams and adversaries alike may use PowerView to enumerate domain computers - for situational awareness and Active Directory Discovery. +description: The following analytic detects the execution of the `Get-DomainController` + commandlet using PowerShell Script Block Logging (EventCode=4104). This commandlet + is part of PowerView, a tool often used for domain enumeration. The detection leverages + script block text to identify this specific activity. Monitoring this behavior is + crucial as it may indicate an adversary or Red Team performing reconnaissance to + map out domain controllers. If confirmed malicious, this activity could lead to + further domain enumeration, potentially exposing sensitive information and aiding + in lateral movement within the network. data_source: - Powershell Script Block Logging 4104 search: '`powershell` EventCode=4104 (ScriptBlockText = "*Get-DomainController*") @@ -53,6 +56,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/getdc.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/getdc.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/getdomaingroup_with_powershell.yml b/detections/endpoint/getdomaingroup_with_powershell.yml index 26a5a2de12..33f2b2f707 100644 --- a/detections/endpoint/getdomaingroup_with_powershell.yml +++ b/detections/endpoint/getdomaingroup_with_powershell.yml @@ -1,15 +1,19 @@ name: GetDomainGroup with PowerShell id: 93c94be3-bead-4a60-860f-77ca3fe59903 -version: 1 -date: '2021-08-25' +version: 2 +date: '2024-05-20' author: Mauricio Velazco, Splunk status: production type: TTP -description: This analytic looks for the execution of `powershell.exe` with command-line - arguments utilized to query for domain groups. `Get-DomainGroup` is part of PowerView, - a PowerShell tool used to perform enumeration on Windows domains. Red Teams and - adversaries alike may leverage PowerView to enumerate domain groups for situational - awareness and Active Directory Discovery. +description: The following analytic detects the execution of `powershell.exe` with + command-line arguments that query for domain groups using `Get-DomainGroup`. This + detection leverages data from Endpoint Detection and Response (EDR) agents, focusing + on process names and command-line executions mapped to the `Processes` node of the + `Endpoint` data model. Monitoring this activity is crucial as `Get-DomainGroup` + is part of PowerView, a tool often used by adversaries for domain enumeration and + situational awareness. If confirmed malicious, this activity could allow attackers + to gain insights into domain group structures, aiding in further exploitation and + privilege escalation. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -67,6 +71,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/getdomaingroup_with_powershell_script_block.yml b/detections/endpoint/getdomaingroup_with_powershell_script_block.yml index a1c44feff9..d8c35b4d1d 100644 --- a/detections/endpoint/getdomaingroup_with_powershell_script_block.yml +++ b/detections/endpoint/getdomaingroup_with_powershell_script_block.yml @@ -1,16 +1,18 @@ name: GetDomainGroup with PowerShell Script Block id: 09725404-a44f-4ed3-9efa-8ed5d69e4c53 -version: 2 -date: '2022-05-02' +version: 3 +date: '2024-05-15' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) - to identify the execution of the `Get-DomainGroup` commandlet. `Get-DomainGroup` - is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. - As the name suggests, `Get-DomainGroup` is used to query domain groups. Red Teams - and adversaries may leverage this function to enumerate domain groups for situational - awareness and Active Directory Discovery. +description: The following analytic detects the execution of the `Get-DomainGroup` + cmdlet using PowerShell Script Block Logging (EventCode=4104). This cmdlet, part + of the PowerView tool, is used to enumerate domain groups within a Windows domain. + The detection leverages script block text to identify this specific command. Monitoring + this activity is crucial as it may indicate an adversary or Red Team performing + reconnaissance to gain situational awareness and map out Active Directory structures. + If confirmed malicious, this activity could lead to further exploitation, including + privilege escalation and lateral movement within the network. data_source: - Powershell Script Block Logging 4104 search: '`powershell` EventCode=4104 (ScriptBlockText = "*Get-DomainGroup*") | stats @@ -55,6 +57,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/domaingroup.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/domaingroup.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/getlocaluser_with_powershell.yml b/detections/endpoint/getlocaluser_with_powershell.yml index 73d1071de9..16483c1c3c 100644 --- a/detections/endpoint/getlocaluser_with_powershell.yml +++ b/detections/endpoint/getlocaluser_with_powershell.yml @@ -1,14 +1,18 @@ name: GetLocalUser with PowerShell id: 85fae8fa-0427-11ec-8b78-acde48001122 -version: 1 -date: '2021-08-23' +version: 2 +date: '2024-05-23' author: Mauricio Velazco, Splunk status: production type: Hunting -description: This analytic looks for the execution of `powershell.exe` with command-line - arguments utilized to query for local users. The `Get-LocalUser` commandlet is used - to return a list of all local users. Red Teams and adversaries may leverage this - commandlet to enumerate users for situational awareness and Active Directory Discovery. +description: The following analytic detects the execution of `powershell.exe` with + the `Get-LocalUser` commandlet, which is used to query local user accounts. This + detection leverages data from Endpoint Detection and Response (EDR) agents, focusing + on process names and command-line arguments. Monitoring this activity is significant + because adversaries and Red Teams may use it to enumerate local users for situational + awareness and Active Directory discovery. If confirmed malicious, this activity + could allow attackers to identify potential targets for further exploitation or + privilege escalation within the environment. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -56,6 +60,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.001/AD_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.001/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/getlocaluser_with_powershell_script_block.yml b/detections/endpoint/getlocaluser_with_powershell_script_block.yml index 4d4e5db842..68d2f1f35c 100644 --- a/detections/endpoint/getlocaluser_with_powershell_script_block.yml +++ b/detections/endpoint/getlocaluser_with_powershell_script_block.yml @@ -1,15 +1,18 @@ name: GetLocalUser with PowerShell Script Block id: 2e891cbe-0426-11ec-9c9c-acde48001122 -version: 2 -date: '2022-03-22' +version: 3 +date: '2024-05-13' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) - to identify the execution of the `Get-LocalUser` commandlet. The `Get-LocalUser` - commandlet is used to return a list of all local users. Red Teams and adversaries - may leverage this commandlet to enumerate users for situational awareness and Active - Directory Discovery. +description: The following analytic detects the execution of the `Get-LocalUser` PowerShell + commandlet using PowerShell Script Block Logging (EventCode=4104). This commandlet + lists all local users on a system. The detection leverages script block text from + PowerShell logs to identify this activity. Monitoring this behavior is significant + as adversaries and Red Teams may use it to enumerate local users for situational + awareness and Active Directory discovery. If confirmed malicious, this activity + could lead to further reconnaissance, enabling attackers to identify potential targets + for privilege escalation or lateral movement. data_source: - Powershell Script Block Logging 4104 search: '`powershell` EventCode=4104 (ScriptBlockText = "*Get-LocalUser*") | stats @@ -56,6 +59,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.001/AD_discovery/windows-powershell-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.001/AD_discovery/windows-powershell-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/getnettcpconnection_with_powershell.yml b/detections/endpoint/getnettcpconnection_with_powershell.yml index 44232a4ca7..e10e64b62a 100644 --- a/detections/endpoint/getnettcpconnection_with_powershell.yml +++ b/detections/endpoint/getnettcpconnection_with_powershell.yml @@ -1,14 +1,18 @@ name: GetNetTcpconnection with PowerShell id: e02af35c-1de5-4afe-b4be-f45aba57272b -version: 1 -date: '2021-08-25' +version: 2 +date: '2024-05-19' author: Mauricio Velazco, Splunk status: production type: Hunting -description: This analytic looks for the execution of `powershell.exe` with command-line - utilized to get a listing of network connections on a compromised system. The `Get-NetTcpConnection` - commandlet lists the current TCP connections. Red Teams and adversaries alike may - use this commandlet for situational awareness and Active Directory Discovery. +description: The following analytic identifies the execution of `powershell.exe` with + the `Get-NetTcpConnection` command, which lists current TCP connections on a system. + This detection leverages data from Endpoint Detection and Response (EDR) agents, + focusing on process names and command-line executions. Monitoring this activity + is significant as it may indicate an adversary or Red Team performing network reconnaissance + or situational awareness. If confirmed malicious, this activity could allow attackers + to map network connections, aiding in lateral movement or further exploitation within + the network. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -65,6 +69,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1049/AD_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1049/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/getnettcpconnection_with_powershell_script_block.yml b/detections/endpoint/getnettcpconnection_with_powershell_script_block.yml index f9b9eb41f2..1c27f7acfd 100644 --- a/detections/endpoint/getnettcpconnection_with_powershell_script_block.yml +++ b/detections/endpoint/getnettcpconnection_with_powershell_script_block.yml @@ -1,15 +1,18 @@ name: GetNetTcpconnection with PowerShell Script Block id: 091712ff-b02a-4d43-82ed-34765515d95d -version: 2 -date: '2022-04-02' +version: 3 +date: '2024-05-22' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) - to identify the execution of the `Get-NetTcpconnection ` commandlet. This commandlet - is used to return a listing of network connections on a compromised system. Red - Teams and adversaries alike may use this commandlet for situational awareness and - Active Directory Discovery. +description: The following analytic detects the execution of the `Get-NetTcpconnection` + PowerShell cmdlet using PowerShell Script Block Logging (EventCode=4104). This cmdlet + lists network connections on a system, which adversaries may use for situational + awareness and Active Directory discovery. Monitoring this activity is crucial as + it can indicate reconnaissance efforts by an attacker. If confirmed malicious, this + behavior could allow an attacker to map the network, identify critical systems, + and plan further attacks, potentially leading to data exfiltration or lateral movement + within the network. data_source: - Powershell Script Block Logging 4104 search: '`powershell` EventCode=4104 (ScriptBlockText = "*Get-NetTcpconnection*") @@ -53,6 +56,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/nettcpconnection.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/nettcpconnection.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/getwmiobject_ds_computer_with_powershell.yml b/detections/endpoint/getwmiobject_ds_computer_with_powershell.yml index 3d3559fa7e..73de135fe8 100644 --- a/detections/endpoint/getwmiobject_ds_computer_with_powershell.yml +++ b/detections/endpoint/getwmiobject_ds_computer_with_powershell.yml @@ -1,15 +1,19 @@ name: GetWmiObject Ds Computer with PowerShell id: 7141122c-3bc2-4aaa-ab3b-7a85a0bbefc3 -version: 1 -date: '2021-09-07' +version: 2 +date: '2024-05-27' author: Mauricio Velazco, Splunk status: production type: TTP -description: This analytic looks for the execution of `powershell.exe` with command-line - arguments utilized to discover remote systems. The `Get-WmiObject` commandlet combined - with the `DS_Computer` parameter can be used to return a list of all domain computers. - Red Teams and adversaries alike may leverage WMI in this case, using PowerShell, - to enumerate domain groups for situational awareness and Active Directory Discovery. +description: The following analytic detects the execution of `powershell.exe` with + command-line arguments that utilize the `Get-WmiObject` cmdlet to discover remote + systems, specifically targeting the `DS_Computer` parameter. This detection leverages + data from Endpoint Detection and Response (EDR) agents, focusing on process names + and command-line executions. This activity is significant as it indicates potential + reconnaissance efforts by adversaries to enumerate domain computers and gather situational + awareness within Active Directory. If confirmed malicious, this behavior could allow + attackers to map the network, identify critical systems, and plan further attacks, + potentially leading to unauthorized access and data exfiltration. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -66,6 +70,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/getwmiobject_ds_computer_with_powershell_script_block.yml b/detections/endpoint/getwmiobject_ds_computer_with_powershell_script_block.yml index 6a586fc0e1..831c8bacc4 100644 --- a/detections/endpoint/getwmiobject_ds_computer_with_powershell_script_block.yml +++ b/detections/endpoint/getwmiobject_ds_computer_with_powershell_script_block.yml @@ -1,15 +1,17 @@ name: GetWmiObject Ds Computer with PowerShell Script Block id: 29b99201-723c-4118-847a-db2b3d3fb8ea -version: 2 -date: '2022-05-02' +version: 3 +date: '2024-05-29' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) - to identify the execution of the `Get-WmiObject` commandlet. The `DS_Computer` class - parameter leverages WMI to query for all domain computers. Red Teams and adversaries - may leverage this commandlet to enumerate domain computers for situational awareness - and Active Directory Discovery. +description: The following analytic detects the execution of the `Get-WmiObject` cmdlet + with the `DS_Computer` class parameter via PowerShell Script Block Logging (EventCode=4104). + This detection leverages script block text to identify queries targeting domain + computers using WMI. Monitoring this activity is crucial as adversaries and Red + Teams may use it for Active Directory Discovery and situational awareness. If confirmed + malicious, this behavior could allow attackers to map out domain computers, facilitating + further attacks such as lateral movement or privilege escalation. data_source: - Powershell Script Block Logging 4104 search: '`powershell` EventCode=4104 (ScriptBlockText=*Get-WmiObject* AND ScriptBlockText="*namespace @@ -54,6 +56,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/getwmiobject_ds_group_with_powershell.yml b/detections/endpoint/getwmiobject_ds_group_with_powershell.yml index 81e4dce647..f9dd5ae4a3 100644 --- a/detections/endpoint/getwmiobject_ds_group_with_powershell.yml +++ b/detections/endpoint/getwmiobject_ds_group_with_powershell.yml @@ -1,16 +1,18 @@ name: GetWmiObject Ds Group with PowerShell id: df275a44-4527-443b-b884-7600e066e3eb -version: 1 -date: '2021-08-25' +version: 2 +date: '2024-05-28' author: Mauricio Velazco, Splunk status: production type: TTP -description: This analytic looks for the execution of `powershell.exe` with command-line - arguments utilized to query for domain groups. The `Get-WmiObject` commandlet combined - with the `-class ds_group` parameter can be used to return the full list of groups - in a Windows domain. Red Teams and adversaries alike may leverage WMI in this case, - using PowerShell, to enumerate domain groups for situational awareness and Active - Directory Discovery. +description: The following analytic identifies the execution of `powershell.exe` with + command-line arguments used to query domain groups via the `Get-WmiObject` cmdlet + and the `-class ds_group` parameter. This detection leverages data from Endpoint + Detection and Response (EDR) agents, focusing on process names and command-line + executions. This activity is significant as it indicates potential reconnaissance + efforts by adversaries to enumerate domain groups, which is a common step in Active + Directory Discovery. If confirmed malicious, this could allow attackers to gain + insights into the domain structure, aiding in further attacks and privilege escalation. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -69,6 +71,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/getwmiobject_ds_group_with_powershell_script_block.yml b/detections/endpoint/getwmiobject_ds_group_with_powershell_script_block.yml index e2830e3e04..534309df72 100644 --- a/detections/endpoint/getwmiobject_ds_group_with_powershell_script_block.yml +++ b/detections/endpoint/getwmiobject_ds_group_with_powershell_script_block.yml @@ -1,21 +1,24 @@ name: GetWmiObject Ds Group with PowerShell Script Block id: 67740bd3-1506-469c-b91d-effc322cc6e5 -version: 2 -date: '2022-05-02' +version: 3 +date: '2024-05-18' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) - to identify the execution of the `Get-WmiObject` commandlet used with specific parameters - . The `DS_Group` parameter leverages WMI to query for all domain groups. Red Teams - and adversaries may leverage this commandlet to enumerate domain groups for situational - awareness and Active Directory Discovery. +description: The following analytic detects the execution of the `Get-WmiObject` commandlet + with the `DS_Group` parameter via PowerShell Script Block Logging (EventCode=4104). + This method leverages WMI to query all domain groups. Monitoring this activity is + crucial as adversaries and Red Teams may use it for domain group enumeration, aiding + in situational awareness and Active Directory discovery. If confirmed malicious, + this activity could allow attackers to map out the domain structure, potentially + leading to further exploitation and privilege escalation within the network. data_source: - Powershell Script Block Logging 4104 search: '`powershell` EventCode=4104 (ScriptBlockText=*Get-WmiObject* AND ScriptBlockText="*namespace root\\directory\\ldap*" AND ScriptBlockText="*class ds_group*") | stats count min(_time) - as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|`getwmiobject_ds_group_with_powershell_script_block_filter`' + as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText + | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`|`getwmiobject_ds_group_with_powershell_script_block_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. @@ -55,6 +58,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/getwmiobject_ds_user_with_powershell.yml b/detections/endpoint/getwmiobject_ds_user_with_powershell.yml index 72a1b0a7d9..5ede6227b8 100644 --- a/detections/endpoint/getwmiobject_ds_user_with_powershell.yml +++ b/detections/endpoint/getwmiobject_ds_user_with_powershell.yml @@ -1,16 +1,18 @@ name: GetWmiObject DS User with PowerShell id: 22d3b118-04df-11ec-8fa3-acde48001122 -version: 1 -date: '2021-08-24' +version: 2 +date: '2024-05-16' author: Teoderick Contreras, Mauricio Velazco, Splunk status: production type: TTP -description: This analytic looks for the execution of `powershell.exe` with command-line - arguments utilized to query for domain users. The `Get-WmiObject` commandlet combined - with the `-class ds_user` parameter can be used to return the full list of users - in a Windows domain. Red Teams and adversaries alike may leverage WMI in this case, - using PowerShell, to enumerate domain users for situational awareness and Active - Directory Discovery. +description: The following analytic detects the execution of `powershell.exe` with + command-line arguments used to query domain users via the `Get-WmiObject` cmdlet + and `-class ds_user` parameter. This detection leverages data from Endpoint Detection + and Response (EDR) agents, focusing on process names and command-line executions. + This activity is significant as it indicates potential reconnaissance efforts by + adversaries to enumerate domain users, which is a common step in Active Directory + Discovery. If confirmed malicious, this could lead to further attacks, including + privilege escalation and lateral movement within the network. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -75,6 +77,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/getwmiobject_ds_user_with_powershell_script_block.yml b/detections/endpoint/getwmiobject_ds_user_with_powershell_script_block.yml index 228fee7108..fbecd4cc1c 100644 --- a/detections/endpoint/getwmiobject_ds_user_with_powershell_script_block.yml +++ b/detections/endpoint/getwmiobject_ds_user_with_powershell_script_block.yml @@ -1,22 +1,25 @@ name: GetWmiObject DS User with PowerShell Script Block id: fabd364e-04f3-11ec-b34b-acde48001122 -version: 3 -date: '2023-11-07' +version: 4 +date: '2024-05-11' author: Teoderick Contreras, Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) - to identify the execution of the `Get-WmiObject` commandlet. The `DS_User` class - parameter leverages WMI to query for all domain users. Red Teams and adversaries - may leverage this commandlet to enumerate domain users for situational awareness - and Active Directory Discovery. +description: The following analytic detects the execution of the `Get-WmiObject` cmdlet + with the `DS_User` class parameter via PowerShell Script Block Logging (EventCode=4104). + It leverages logs to identify attempts to query all domain users using WMI. This + activity is significant as it may indicate an adversary or Red Team operation attempting + to enumerate domain users for situational awareness and Active Directory discovery. + If confirmed malicious, this behavior could lead to further reconnaissance, enabling + attackers to map out the network and identify potential targets for privilege escalation + or lateral movement. data_source: - Powershell Script Block Logging 4104 search: '`powershell` EventCode=4104 ScriptBlockText = "*get-wmiobject*" ScriptBlockText = "*ds_user*" ScriptBlockText = "*-namespace*" ScriptBlockText = "*root\\directory\\ldap*" | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer - UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `getwmiobject_ds_user_with_powershell_script_block_filter`' + UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user| + `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getwmiobject_ds_user_with_powershell_script_block_filter`' how_to_implement: The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. @@ -30,7 +33,8 @@ tags: asset_type: Endpoint confidence: 50 impact: 50 - message: powershell process having commandline for user enumeration detected on host - $dest$ + message: powershell process having commandline for user enumeration detected on + host - $dest$ mitre_attack_id: - T1087.002 - T1087 @@ -59,6 +63,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/getwmiobject_user_account_with_powershell.yml b/detections/endpoint/getwmiobject_user_account_with_powershell.yml index 23d0d67cdd..ec1580ffee 100644 --- a/detections/endpoint/getwmiobject_user_account_with_powershell.yml +++ b/detections/endpoint/getwmiobject_user_account_with_powershell.yml @@ -1,15 +1,18 @@ name: GetWmiObject User Account with PowerShell id: b44f6ac6-0429-11ec-87e9-acde48001122 -version: 1 -date: '2023-04-05' +version: 2 +date: '2024-05-22' author: Mauricio Velazco, Splunk status: production type: Hunting -description: This analytic looks for the execution of `powershell.exe` with command-line - arguments utilized to query local users. The `Get-WmiObject` commandlet combined - with the `Win32_UserAccount` parameter is used to return a list of all local users. - Red Teams and adversaries may leverage this commandlet to enumerate users for situational - awareness and Active Directory Discovery. +description: The following analytic detects the execution of `powershell.exe` with + command-line arguments that utilize the `Get-WmiObject` cmdlet and the `Win32_UserAccount` + parameter to query local user accounts. It leverages data from Endpoint Detection + and Response (EDR) agents, focusing on process names and command-line executions. + This activity is significant as it may indicate an attempt by adversaries to enumerate + user accounts for situational awareness or Active Directory discovery. If confirmed + malicious, this behavior could lead to further reconnaissance, privilege escalation, + or lateral movement within the network. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -58,6 +61,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.001/AD_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.001/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/getwmiobject_user_account_with_powershell_script_block.yml b/detections/endpoint/getwmiobject_user_account_with_powershell_script_block.yml index 4be58a824c..f2d0eeb8bd 100644 --- a/detections/endpoint/getwmiobject_user_account_with_powershell_script_block.yml +++ b/detections/endpoint/getwmiobject_user_account_with_powershell_script_block.yml @@ -1,15 +1,17 @@ name: GetWmiObject User Account with PowerShell Script Block id: 640b0eda-0429-11ec-accd-acde48001122 -version: 2 -date: '2023-04-05' +version: 3 +date: '2024-05-15' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) - to identify the execution of the `Get-WmiObject` commandlet used with specific parameters. - The `Win32_UserAccount` parameter is used to return a list of all local users. Red - Teams and adversaries may leverage this commandlet to enumerate users for situational - awareness and Active Directory Discovery. +description: The following analytic detects the execution of the `Get-WmiObject` commandlet + with the `Win32_UserAccount` parameter via PowerShell Script Block Logging (EventCode=4104). + This method leverages script block text to identify when a list of all local users + is being enumerated. This activity is significant as it may indicate an adversary + or Red Team operation attempting to gather user information for situational awareness + and Active Directory discovery. If confirmed malicious, this could lead to further + reconnaissance, privilege escalation, or lateral movement within the network. data_source: - Powershell Script Block Logging 4104 search: '`powershell` EventCode=4104 (ScriptBlockText="*Get-WmiObject*" AND ScriptBlockText="*Win32_UserAccount*") @@ -56,6 +58,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/gpupdate_with_no_command_line_arguments_with_network.yml b/detections/endpoint/gpupdate_with_no_command_line_arguments_with_network.yml index 78091b1833..d79351156a 100644 --- a/detections/endpoint/gpupdate_with_no_command_line_arguments_with_network.yml +++ b/detections/endpoint/gpupdate_with_no_command_line_arguments_with_network.yml @@ -1,28 +1,31 @@ name: GPUpdate with no Command Line Arguments with Network id: 2c853856-a140-11eb-a5b5-acde48001122 -version: 2 -date: '2023-07-10' +version: 3 +date: '2024-05-25' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies gpupdate.exe with no command line arguments - and with a network connection. It is unusual for gpupdate.exe to execute with no - command line arguments present. This particular behavior is common with malicious - software, including Cobalt Strike. During investigation, triage any network connections - and parallel processes. Identify any suspicious module loads related to credential - dumping or file writes. gpupdate.exe is natively found in C:\Windows\system32 and - C:\Windows\syswow64. +description: The following analytic detects the execution of gpupdate.exe without + command line arguments and with an active network connection. This behavior is identified + using Endpoint Detection and Response (EDR) telemetry, focusing on process execution + and network traffic data. It is significant because gpupdate.exe typically runs + with specific arguments, and its execution without them, especially with network + activity, is often associated with malicious software like Cobalt Strike. If confirmed + malicious, this activity could indicate an attacker leveraging gpupdate.exe for + lateral movement, command and control, or other nefarious purposes, potentially + leading to system compromise. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=gpupdate.exe by _time span=1h Processes.process_id - Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | regex process="(?i)(gpupdate\.exe.{0,4}$)"| join process_id [| tstats `security_content_summariesonly` - count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != - 0 by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` - | rename dest as C2 ] | table _time user dest parent_process_name process_name process_path - process process_id dest_port C2 | `gpupdate_with_no_command_line_arguments_with_network_filter`' + Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process + Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | regex process="(?i)(gpupdate\.exe.{0,4}$)"| + join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic + where All_Traffic.dest_port != 0 by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port + | `drop_dm_object_name(All_Traffic)` | rename dest as C2 ] | table _time user dest + parent_process_name process_name process_path process process_id dest_port C2 | + `gpupdate_with_no_command_line_arguments_with_network_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -46,8 +49,8 @@ tags: confidence: 90 impact: 90 message: Process gpupdate.exe with parent_process $parent_process_name$ is executed - on $dest$ by user $user$, followed by an outbound network connection to $C2$ - on port $dest_port$. This behaviour is seen with cobaltstrike. + on $dest$ by user $user$, followed by an outbound network connection to $C2$ on + port $dest_port$. This behaviour is seen with cobaltstrike. mitre_attack_id: - T1055 observable: @@ -85,6 +88,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/headless_browser_mockbin_or_mocky_request.yml b/detections/endpoint/headless_browser_mockbin_or_mocky_request.yml index 0d6227215f..eac39a1875 100644 --- a/detections/endpoint/headless_browser_mockbin_or_mocky_request.yml +++ b/detections/endpoint/headless_browser_mockbin_or_mocky_request.yml @@ -1,20 +1,34 @@ name: Headless Browser Mockbin or Mocky Request id: 94fc85a1-e55b-4265-95e1-4b66730e05c0 -version: 1 -date: '2023-09-11' +version: 2 +date: '2024-05-29' author: Michael Haag, Splunk status: production type: TTP data_source: - Sysmon EventID 1 -description: The following analytic identifies headless browser activity accessing mockbin.org or mocky.io. Mockbin.org and mocky.io are web services that allow users to mock HTTP requests and responses. The detection is based on the presence of "--headless" and "--disable-gpu" command line arguments which are commonly used in headless browsing and the presence of mockbin.org or mocky.io in the process. +description: The following analytic detects headless browser activity accessing mockbin.org + or mocky.io. It identifies processes with the "--headless" and "--disable-gpu" command + line arguments, along with references to mockbin.org or mocky.io. This behavior + is significant as headless browsers are often used for automated tasks, including + malicious activities like web scraping or automated attacks. If confirmed malicious, + this activity could indicate an attempt to bypass traditional browser security measures, + potentially leading to data exfiltration or further exploitation of web applications. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where - (Processes.process="*--headless*" AND Processes.process="*--disable-gpu*" AND (Processes.process="*mockbin.org/*" OR Processes.process="*mocky.io/*")) by Processes.dest Processes.user Processes.parent_process + as lastTime from datamodel=Endpoint.Processes where (Processes.process="*--headless*" + AND Processes.process="*--disable-gpu*" AND (Processes.process="*mockbin.org/*" + OR Processes.process="*mocky.io/*")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `headless_browser_mockbin_or_mocky_request_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -known_false_positives: False positives are not expected with this detection, unless within the organization there is a legitimate need for headless browsing accessing mockbin.org or mocky.io. + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `headless_browser_mockbin_or_mocky_request_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, + confirm the latest CIM App 4.20 or higher is installed and the latest TA for the + endpoint product. +known_false_positives: False positives are not expected with this detection, unless + within the organization there is a legitimate need for headless browsing accessing + mockbin.org or mocky.io. references: - https://mockbin.org/ - https://www.mocky.io/ @@ -25,7 +39,8 @@ tags: atomic_guid: [] confidence: 70 impact: 80 - message: Headless browser activity accessing mockbin.org or mocky.io detected on $dest$ by $user$. + message: Headless browser activity accessing mockbin.org or mocky.io detected on + $dest$ by $user$. mitre_attack_id: - T1564.003 observable: @@ -54,6 +69,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1185/headlessbrowser/headless_mockbin.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1185/headlessbrowser/headless_mockbin.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/headless_browser_usage.yml b/detections/endpoint/headless_browser_usage.yml index 2e22b34fa0..c81b4af1fc 100644 --- a/detections/endpoint/headless_browser_usage.yml +++ b/detections/endpoint/headless_browser_usage.yml @@ -1,20 +1,34 @@ name: Headless Browser Usage id: 869ba261-c272-47d7-affe-5c0aa85c93d6 -version: 1 -date: '2023-09-08' +version: 2 +date: '2024-05-26' author: Michael Haag, Splunk status: production type: Hunting data_source: - Sysmon EventID 1 -description: 'The following hunting analytic is designed to detect the usage of headless browsers in an organization. Headless browsers are web browsers without a graphical user interface and are operated via a command line interface or network requests. They are often used for automating tasks but can also be utilized by adversaries for malicious activities such as web scraping, automated testing, and performing actions on web pages without detection. The detection is based on the presence of "--headless" and "--disable-gpu" command line arguments which are commonly used in headless browsing.' +description: 'The following analytic detects the usage of headless browsers within + an organization. It identifies processes containing the "--headless" and "--disable-gpu" + command line arguments, which are indicative of headless browsing. This detection + leverages data from the Endpoint.Processes datamodel to identify such processes. + Monitoring headless browser usage is significant as these tools can be exploited + by adversaries for malicious activities like web scraping, automated testing, and + undetected web interactions. If confirmed malicious, this activity could lead to + unauthorized data extraction, automated attacks, or other covert operations on web + applications.' search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where - (Processes.process="*--headless*" AND Processes.process="*--disable-gpu*") by Processes.dest Processes.user Processes.parent_process + as lastTime from datamodel=Endpoint.Processes where (Processes.process="*--headless*" + AND Processes.process="*--disable-gpu*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `headless_browser_usage_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -known_false_positives: This hunting analytic is meant to assist with baselining and understanding headless browsing in use. Filter as needed. + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| + `headless_browser_usage_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, + confirm the latest CIM App 4.20 or higher is installed and the latest TA for the + endpoint product. +known_false_positives: This hunting analytic is meant to assist with baselining and + understanding headless browsing in use. Filter as needed. references: - https://cert.gov.ua/article/5702579 tags: @@ -54,6 +68,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1185/headlessbrowser/headless_mockbin.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1185/headlessbrowser/headless_mockbin.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/hide_user_account_from_sign_in_screen.yml b/detections/endpoint/hide_user_account_from_sign_in_screen.yml index 3dc6858675..69341e54f5 100644 --- a/detections/endpoint/hide_user_account_from_sign_in_screen.yml +++ b/detections/endpoint/hide_user_account_from_sign_in_screen.yml @@ -1,24 +1,28 @@ name: Hide User Account From Sign-In Screen id: 834ba832-ad89-11eb-937d-acde48001122 -version: 4 -date: '2023-04-27' +version: 5 +date: '2024-05-17' author: Steven Dick, Teoderick Contreras, Splunk status: production type: TTP -description: This analytic identifies a suspicious registry modification to hide a - user account on the Windows Login screen. This technique was seen in some tradecraft - where the adversary will create a hidden user account with Admin privileges in login - screen to avoid noticing by the user that they already compromise and to persist - on that said machine. +description: The following analytic detects a suspicious registry modification that + hides a user account from the Windows Login screen. It leverages data from the Endpoint.Registry + data model, specifically monitoring changes to the registry path "*\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist*" + with a value of "0x00000000". This activity is significant as it may indicate an + adversary attempting to create a hidden admin account to avoid detection and maintain + persistence on the compromised machine. If confirmed malicious, this could allow + the attacker to maintain undetected access and control over the system, posing a + severe security risk. data_source: - Sysmon EventID 12 - Sysmon EventID 13 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist*" - AND Registry.registry_value_data = "0x00000000") BY _time span=1h Registry.dest Registry.user Registry.registry_path - Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data - Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `hide_user_account_from_sign_in_screen_filter`' + AND Registry.registry_value_data = "0x00000000") BY _time span=1h Registry.dest + Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name + Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` + | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `hide_user_account_from_sign_in_screen_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical @@ -71,6 +75,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/hotkey_disabled_hidden_user/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/hotkey_disabled_hidden_user/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/hiding_files_and_directories_with_attrib_exe.yml b/detections/endpoint/hiding_files_and_directories_with_attrib_exe.yml index b8ab08fa9d..14fa643a85 100644 --- a/detections/endpoint/hiding_files_and_directories_with_attrib_exe.yml +++ b/detections/endpoint/hiding_files_and_directories_with_attrib_exe.yml @@ -1,21 +1,25 @@ name: Hiding Files And Directories With Attrib exe id: 6e5a3ae4-90a3-462d-9aa6-0119f638c0f1 -version: 5 -date: '2024-01-01' +version: 6 +date: '2024-05-13' author: Bhavin Patel, Splunk status: production type: TTP -description: Attackers leverage an existing Windows binary, attrib.exe, to mark specific - as hidden by using specific flags so that the victim does not see the file. The - search looks for specific command-line arguments to detect the use of attrib.exe - to hide files. +description: The following analytic detects the use of the Windows binary attrib.exe + to hide files or directories by marking them with specific flags. It leverages data + from Endpoint Detection and Response (EDR) agents, focusing on command-line arguments + that include the "+h" flag. This activity is significant because hiding files can + be a tactic used by attackers to conceal malicious files or tools from users and + security software. If confirmed malicious, this behavior could allow an attacker + to persist in the environment undetected, potentially leading to further compromise + or data exfiltration. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=attrib.exe - (Processes.process=*+h*) by Processes.parent_process_name Processes.process_name Processes.user - Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`| - `hiding_files_and_directories_with_attrib_exe_filter` ' + (Processes.process=*+h*) by Processes.parent_process_name Processes.process_name + Processes.user Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` + |`hiding_files_and_directories_with_attrib_exe_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -65,6 +69,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/high_frequency_copy_of_files_in_network_share.yml b/detections/endpoint/high_frequency_copy_of_files_in_network_share.yml index 45b2c13a75..0918d8df50 100644 --- a/detections/endpoint/high_frequency_copy_of_files_in_network_share.yml +++ b/detections/endpoint/high_frequency_copy_of_files_in_network_share.yml @@ -1,27 +1,32 @@ name: High Frequency Copy Of Files In Network Share id: 40925f12-4709-11ec-bb43-acde48001122 -version: 2 -date: '2024-04-26' +version: 3 +date: '2024-05-26' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This analytic is to detect a suspicious high frequency copying/moving - of files in network share as part of information sabotage. This anomaly event can - be a good indicator of insider trying to sabotage data by transfering classified - or internal files within network share to exfitrate it after or to lure evidence - of insider attack to other user. This behavior may catch several noise if network - share is a common place for classified or internal document processing. +description: The following analytic detects a high frequency of file copying or moving + within network shares, which may indicate potential data sabotage or exfiltration + attempts. It leverages Windows Security Event Logs (EventCode 5145) to monitor access + to specific file types and network shares. This activity is significant as it can + reveal insider threats attempting to transfer classified or internal files, potentially + leading to data breaches or evidence tampering. If confirmed malicious, this behavior + could result in unauthorized data access, data loss, or compromised sensitive information. data_source: - Windows Event Log Security 5145 -search: '`wineventlog_security` EventCode=5145 RelativeTargetName IN ("*.doc","*.docx","*.xls","*.xlsx","*.ppt","*.pptx","*.log","*.txt","*.db","*.7z","*.zip","*.rar","*.tar","*.gz","*.jpg","*.gif","*.png","*.bmp","*.pdf","*.rtf","*.key") ObjectType=File ShareName IN ("\\\\*\\C$","\\\\*\\IPC$","\\\\*\\admin$") AccessMask= "0x2" | bucket _time span=5m - | stats values(RelativeTargetName) as valRelativeTargetName, values(ShareName) as valShareName, values(ObjectType) as valObjectType, values(AccessMask) as valAccessmask, values(src_port) as valSrcPort, values(SourceAddress) as valSrcAddress count as numShareName by dest, _time, EventCode, src_user, src_ip - | eventstats avg(numShareName) as avgShareName, stdev(numShareName) as stdShareName, count as numSlots by dest, _time, EventCode, src_user - | eval upperThreshold=(avgShareName + stdShareName *3) - | eval isOutlier=if(avgShareName > 20 and avgShareName >= upperThreshold, 1, 0) +search: '`wineventlog_security` EventCode=5145 RelativeTargetName IN ("*.doc","*.docx","*.xls","*.xlsx","*.ppt","*.pptx","*.log","*.txt","*.db","*.7z","*.zip","*.rar","*.tar","*.gz","*.jpg","*.gif","*.png","*.bmp","*.pdf","*.rtf","*.key") + ObjectType=File ShareName IN ("\\\\*\\C$","\\\\*\\IPC$","\\\\*\\admin$") AccessMask= + "0x2" | bucket _time span=5m | stats values(RelativeTargetName) as valRelativeTargetName, + values(ShareName) as valShareName, values(ObjectType) as valObjectType, values(AccessMask) + as valAccessmask, values(src_port) as valSrcPort, values(SourceAddress) as valSrcAddress + count as numShareName by dest, _time, EventCode, src_user, src_ip | eventstats avg(numShareName) + as avgShareName, stdev(numShareName) as stdShareName, count as numSlots by dest, + _time, EventCode, src_user | eval upperThreshold=(avgShareName + stdShareName *3) + | eval isOutlier=if(avgShareName > 20 and avgShareName >= upperThreshold, 1, 0) | search isOutlier=1 | `high_frequency_copy_of_files_in_network_share_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting Windows - Security Event Logs with 5145 EventCode enabled. The Windows TA is also required. - Also enable the object Audit access success/failure in your group policy. +how_to_implement: To successfully implement this search, you need to be ingesting + Windows Security Event Logs with 5145 EventCode enabled. The Windows TA is also + required. Also enable the object Audit access success/failure in your group policy. known_false_positives: This behavior may seen in normal transfer of file within network if network share is common place for sharing documents. references: @@ -64,7 +69,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1537/high_frequency_copy_of_files_in_network_share/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1537/high_frequency_copy_of_files_in_network_share/windows-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog update_timestamp: true diff --git a/detections/endpoint/high_process_termination_frequency.yml b/detections/endpoint/high_process_termination_frequency.yml index 1ccc6b5ac9..b70fe60b7e 100644 --- a/detections/endpoint/high_process_termination_frequency.yml +++ b/detections/endpoint/high_process_termination_frequency.yml @@ -1,20 +1,22 @@ name: High Process Termination Frequency id: 17cd75b2-8666-11eb-9ab4-acde48001122 -version: 2 -date: '2022-09-14' +version: 3 +date: '2024-05-12' author: Teoderick Contreras status: production type: Anomaly -description: This analytic is designed to identify a high frequency of process termination - events on a computer in a short period of time, which is a common behavior of ransomware - malware before encrypting files. This technique is designed to avoid an exception - error while accessing (docs, images, database and etc..) in the infected machine - for encryption. +description: The following analytic identifies a high frequency of process termination + events on a computer within a short period. It leverages Sysmon EventCode 5 logs + to detect instances where 15 or more processes are terminated within a 3-second + window. This behavior is significant as it is commonly associated with ransomware + attempting to avoid exceptions during file encryption. If confirmed malicious, this + activity could indicate an active ransomware attack, potentially leading to widespread + file encryption and significant data loss. data_source: - Sysmon EventID 5 search: '`sysmon` EventCode=5 |bin _time span=3s |stats values(Image) as proc_terminated - min(_time) as firstTime max(_time) as lastTime count by _time dest EventCode - ProcessID | where count >= 15 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` + min(_time) as firstTime max(_time) as lastTime count by _time dest EventCode ProcessID + | where count >= 15 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `high_process_termination_frequency_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the Image (process full path of terminated process) from your endpoints. @@ -61,6 +63,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_a/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_a/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/hunting_3cxdesktopapp_software.yml b/detections/endpoint/hunting_3cxdesktopapp_software.yml index f93240b57f..73a147297d 100644 --- a/detections/endpoint/hunting_3cxdesktopapp_software.yml +++ b/detections/endpoint/hunting_3cxdesktopapp_software.yml @@ -1,18 +1,19 @@ name: Hunting 3CXDesktopApp Software id: 553d0429-1a1c-44bf-b3f5-a8513deb9ee5 -version: 1 -date: '2023-03-30' +version: 2 +date: '2024-05-14' author: Michael Haag, Splunk type: Hunting status: production data_source: - Sysmon EventID 1 -description: The hunting analytic outlined below is designed to detect any version - of the 3CXDesktopApp, also known as the 3CX Desktop App, operating on either Mac - or Windows systems. It is important to note that this particular analytic employs - the Endpoint datamodel Processes node, which means that the file version information - is not provided. Recently, 3CX has identified a vulnerability specifically in versions - 18.12.407 and 18.12.416 of the desktop app. +description: The following analytic detects the presence of any version of the 3CXDesktopApp, + also known as the 3CX Desktop App, on Mac or Windows systems. It leverages the Endpoint + data model's Processes node to identify instances of the application running, although + it does not provide file version information. This activity is significant because + 3CX has identified vulnerabilities in versions 18.12.407 and 18.12.416, which could + be exploited by attackers. If confirmed malicious, this could lead to unauthorized + access, data exfiltration, or further compromise of the affected systems. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=3CXDesktopApp.exe OR Processes.process_name="3CX Desktop App" by Processes.dest Processes.user Processes.parent_process_name @@ -79,6 +80,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1195.002/3CX/3cx_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1195.002/3CX/3cx_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/icacls_deny_command.yml b/detections/endpoint/icacls_deny_command.yml index 827ba5f4df..439ab93512 100644 --- a/detections/endpoint/icacls_deny_command.yml +++ b/detections/endpoint/icacls_deny_command.yml @@ -1,17 +1,18 @@ name: Icacls Deny Command id: cf8d753e-a8fe-11eb-8f58-acde48001122 -version: 1 -date: '2023-06-06' +version: 2 +date: '2024-05-27' author: Teoderick Contreras, Splunk status: production type: TTP -description: This analytic identifies instances where an adversary modifies the security - permissions of a particular file or directory. This technique is frequently observed - in the tradecraft of Advanced Persistent Threats (APTs) and coinminer scripts. The - purpose of this behavior is to actively evade detection and impede access to their - associated files. By identifying these security permission changes, we can enhance - our ability to detect and respond to potential threats, mitigating the impact of - malicious activities on the system. +description: The following analytic detects instances where an adversary modifies + security permissions of a file or directory using commands like "icacls.exe", "cacls.exe", + or "xcacls.exe" with deny options. It leverages data from Endpoint Detection and + Response (EDR) agents, focusing on process names and command-line executions. This + activity is significant as it is commonly used by Advanced Persistent Threats (APTs) + and coinminer scripts to evade detection and impede access to critical files. If + confirmed malicious, this could allow attackers to maintain persistence and hinder + incident response efforts. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) @@ -71,6 +72,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/icacls_grant_command.yml b/detections/endpoint/icacls_grant_command.yml index 851b6feb11..a3fac0b278 100644 --- a/detections/endpoint/icacls_grant_command.yml +++ b/detections/endpoint/icacls_grant_command.yml @@ -1,18 +1,18 @@ name: ICACLS Grant Command id: b1b1e316-accc-11eb-a9b4-acde48001122 -version: 1 -date: '2023-06-06' +version: 2 +date: '2024-05-15' author: Teoderick Contreras, Splunk status: production type: TTP -description: This analytic identifies adversaries who manipulate the security permissions - of specific files or directories by granting additional access. This technique is - frequently observed in the tradecraft of Advanced Persistent Threats (APTs) and - coinminer scripts. The objective behind this behavior is to actively evade detection - mechanisms and tightly control access to their associated files. By identifying - these security permission modifications, we can improve our ability to identify - and respond to potential threats, thereby minimizing the impact of malicious activities - on the system. +description: The following analytic detects the use of the ICACLS command to grant + additional access permissions to files or directories. It leverages data from Endpoint + Detection and Response (EDR) agents, focusing on specific process names and command-line + arguments. This activity is significant because it is commonly used by Advanced + Persistent Threats (APTs) and coinminer scripts to evade detection and maintain + control over compromised systems. If confirmed malicious, this behavior could allow + attackers to manipulate file permissions, potentially leading to unauthorized access, + data exfiltration, or further system compromise. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) @@ -70,6 +70,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/impacket_lateral_movement_commandline_parameters.yml b/detections/endpoint/impacket_lateral_movement_commandline_parameters.yml index b5c2994bdb..4f1f6c8e85 100644 --- a/detections/endpoint/impacket_lateral_movement_commandline_parameters.yml +++ b/detections/endpoint/impacket_lateral_movement_commandline_parameters.yml @@ -1,18 +1,19 @@ name: Impacket Lateral Movement Commandline Parameters id: 8ce07472-496f-11ec-ab3b-3e22fbd008af -version: 3 -date: '2023-06-13' +version: 4 +date: '2024-05-30' author: Mauricio Velazco, Splunk status: production type: TTP -description: This analytic looks for the presence of suspicious commandline parameters - typically present when using Impacket tools. Impacket is a collection of python - classes meant to be used with Microsoft network protocols. There are multiple scripts - that leverage impacket libraries like `wmiexec.py`, `smbexec.py`, `dcomexec.py` - and `atexec.py` used to execute commands on remote endpoints. By default, these - scripts leverage administrative shares and hardcoded parameters that can be used - as a signature to detect its use. Red Teams and adversaries alike may leverage Impackets - tools for lateral movement and remote code execution. +description: The following analytic identifies the use of suspicious command-line + parameters associated with Impacket tools, such as `wmiexec.py`, `smbexec.py`, `dcomexec.py`, + and `atexec.py`, which are used for lateral movement and remote code execution. + It detects these activities by analyzing process execution logs from Endpoint Detection + and Response (EDR) agents, focusing on specific command-line patterns. This activity + is significant because Impacket tools are commonly used by adversaries and Red Teams + to move laterally within a network. If confirmed malicious, this could allow attackers + to execute commands remotely, potentially leading to further compromise and data + exfiltration. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -91,6 +92,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.003/impacket/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.003/impacket/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/impacket_lateral_movement_smbexec_commandline_parameters.yml b/detections/endpoint/impacket_lateral_movement_smbexec_commandline_parameters.yml index ffe6f5b5b7..bfd9ce7673 100644 --- a/detections/endpoint/impacket_lateral_movement_smbexec_commandline_parameters.yml +++ b/detections/endpoint/impacket_lateral_movement_smbexec_commandline_parameters.yml @@ -1,22 +1,20 @@ name: Impacket Lateral Movement smbexec CommandLine Parameters id: bb3c1bac-6bdf-4aa0-8dc9-068b8b712a76 -version: 1 -date: '2023-06-13' +version: 2 +date: '2024-05-12' author: Michael Haag, Splunk status: production type: TTP data_source: - Sysmon EventID 1 -description: This analytic focuses on identifying suspicious command-line parameters - commonly associated with the use of Impacket wmiexec.py. Impacket is a set of Python - classes designed for working with Microsoft network protocols, and it includes several - scripts like wmiexec.py, smbexec.py, dcomexec.py, and atexec.py that enable command - execution on remote endpoints. These scripts typically utilize administrative shares - and hardcoded parameters, which can serve as signatures to detect their usage. Both - Red Teams and adversaries may employ Impacket tools for lateral movement and remote - code execution purposes. By monitoring for these specific command-line indicators, - the analytic aims to detect potentially malicious activities related to Impacket - tool usage. +description: The following analytic identifies suspicious command-line parameters + associated with the use of Impacket's smbexec.py for lateral movement. It leverages + data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line + patterns indicative of Impacket tool usage. This activity is significant as both + Red Teams and adversaries use Impacket for remote code execution and lateral movement. + If confirmed malicious, this activity could allow attackers to execute commands + on remote endpoints, potentially leading to unauthorized access, data exfiltration, + or further compromise of the network. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=cmd.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name @@ -91,6 +89,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.002/atomic_red_team/smbexec_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.002/atomic_red_team/smbexec_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/impacket_lateral_movement_wmiexec_commandline_parameters.yml b/detections/endpoint/impacket_lateral_movement_wmiexec_commandline_parameters.yml index cf2ae7a64a..974ea619a2 100644 --- a/detections/endpoint/impacket_lateral_movement_wmiexec_commandline_parameters.yml +++ b/detections/endpoint/impacket_lateral_movement_wmiexec_commandline_parameters.yml @@ -1,20 +1,20 @@ name: Impacket Lateral Movement WMIExec Commandline Parameters id: d6e464e4-5c6a-474e-82d2-aed616a3a492 -version: 1 -date: '2023-06-13' +version: 2 +date: '2024-05-26' author: Michael Haag, Splunk status: production type: TTP data_source: - Sysmon EventID 1 -description: This analytic looks for the presence of suspicious commandline parameters - typically present when using Impacket tools. Impacket is a collection of python - classes meant to be used with Microsoft network protocols. There are multiple scripts - that leverage impacket libraries like `wmiexec.py`, `smbexec.py`, `dcomexec.py` - and `atexec.py` used to execute commands on remote endpoints. By default, these - scripts leverage administrative shares and hardcoded parameters that can be used - as a signature to detect its use. Red Teams and adversaries alike may leverage Impackets - tools for lateral movement and remote code execution. +description: The following analytic detects the use of Impacket's `wmiexec.py` tool + for lateral movement by identifying specific command-line parameters. It leverages + data from Endpoint Detection and Response (EDR) agents, focusing on processes spawned + by `wmiprvse.exe` with command-line patterns indicative of Impacket usage. This + activity is significant as Impacket tools are commonly used by adversaries for remote + code execution and lateral movement within a network. If confirmed malicious, this + could allow attackers to execute arbitrary commands on remote systems, potentially + leading to further compromise and data exfiltration. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=wmiprvse.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name @@ -88,6 +88,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.002/atomic_red_team/wmiexec_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.002/atomic_red_team/wmiexec_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/interactive_session_on_remote_endpoint_with_powershell.yml b/detections/endpoint/interactive_session_on_remote_endpoint_with_powershell.yml index efa1b463dd..ef6c6e6352 100644 --- a/detections/endpoint/interactive_session_on_remote_endpoint_with_powershell.yml +++ b/detections/endpoint/interactive_session_on_remote_endpoint_with_powershell.yml @@ -1,24 +1,28 @@ name: Interactive Session on Remote Endpoint with PowerShell id: a4e8f3a4-48b2-11ec-bcfc-3e22fbd008af -version: 4 -date: '2023-11-07' +version: 5 +date: '2024-05-14' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) - to identify the usage of the `Enter-PSSession`. This commandlet can be used to open - an interactive session on a remote endpoint leveraging the WinRM protocol. Red Teams - and adversaries alike may abuse WinRM and `Enter-PSSession` for lateral movement - and remote code execution. +description: The following analytic detects the use of the `Enter-PSSession` cmdlet + to establish an interactive session on a remote endpoint via the WinRM protocol. + It leverages PowerShell Script Block Logging (EventCode=4104) to identify this activity + by searching for specific script block text patterns. This behavior is significant + as it may indicate lateral movement or remote code execution attempts by adversaries. + If confirmed malicious, this activity could allow attackers to execute commands + remotely, potentially leading to further compromise of the network and unauthorized + access to sensitive information. data_source: - Powershell Script Block Logging 4104 search: '`powershell` EventCode=4104 (ScriptBlockText="*Enter-PSSession*" AND ScriptBlockText="*-ComputerName*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText - Computer UserID | rename Computer as dest | rename UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `interactive_session_on_remote_endpoint_with_powershell_filter`' + Computer UserID | rename Computer as dest | rename UserID as user| `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `interactive_session_on_remote_endpoint_with_powershell_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup instructions - can be found https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. + can be found + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. known_false_positives: Administrators may leverage WinRM and `Enter-PSSession` for administrative and troubleshooting tasks. This activity is usually limited to a small set of hosts or users. In certain environments, tuning may not be possible. @@ -55,6 +59,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement_pssession/windows-powershell-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement_pssession/windows-powershell-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/java_class_file_download_by_java_user_agent.yml b/detections/endpoint/java_class_file_download_by_java_user_agent.yml index a567667ec0..77213e3c78 100644 --- a/detections/endpoint/java_class_file_download_by_java_user_agent.yml +++ b/detections/endpoint/java_class_file_download_by_java_user_agent.yml @@ -1,14 +1,17 @@ name: Java Class File download by Java User Agent id: 8281ce42-5c50-11ec-82d2-acde48001122 -version: 1 -date: '2021-12-13' +version: 2 +date: '2024-05-16' author: Michael Haag, Splunk status: production type: TTP description: The following analytic identifies a Java user agent performing a GET - request for a .class file from the remote site. This is potentially indicative of - exploitation of the Java application and may be related to current event CVE-2021-44228 - (Log4Shell). + request for a .class file from a remote site. It leverages web or proxy logs within + the Web Datamodel to detect this activity. This behavior is significant as it may + indicate exploitation attempts, such as those related to CVE-2021-44228 (Log4Shell). + If confirmed malicious, an attacker could exploit vulnerabilities in the Java application, + potentially leading to remote code execution and further compromise of the affected + system. data_source: - Splunk Stream HTTP search: '| tstats count from datamodel=Web where Web.http_user_agent="*Java*" Web.http_method="GET" @@ -64,6 +67,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/java/java.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/java/java.log source: stream:http sourcetype: stream:http diff --git a/detections/endpoint/java_writing_jsp_file.yml b/detections/endpoint/java_writing_jsp_file.yml index 20a8f55311..ec20cfe789 100644 --- a/detections/endpoint/java_writing_jsp_file.yml +++ b/detections/endpoint/java_writing_jsp_file.yml @@ -1,14 +1,17 @@ name: Java Writing JSP File id: eb65619c-4f8d-4383-a975-d352765d344b -version: 2 -date: '2022-06-03' +version: 3 +date: '2024-05-27' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies the process java writing a .jsp to - disk. This is potentially indicative of a web shell being written to disk. Modify - and tune the analytic based on data ingested. For instance, it may be worth running - a broad query for jsp file writes first before performing a join. +description: The following analytic detects the Java process writing a .jsp file to + disk, which may indicate a web shell being deployed. It leverages data from the + Endpoint datamodel, specifically monitoring process and filesystem activities. This + activity is significant because web shells can provide attackers with remote control + over the compromised server, leading to further exploitation. If confirmed malicious, + this could allow unauthorized access, data exfiltration, or further compromise of + the affected system, posing a severe security risk. data_source: - Sysmon EventID 11 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes @@ -85,6 +88,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/spring4shell/java_write_jsp-linux-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/spring4shell/java_write_jsp-linux-sysmon.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/detections/endpoint/jscript_execution_using_cscript_app.yml b/detections/endpoint/jscript_execution_using_cscript_app.yml index 1efa46b9f5..d1eb286807 100644 --- a/detections/endpoint/jscript_execution_using_cscript_app.yml +++ b/detections/endpoint/jscript_execution_using_cscript_app.yml @@ -1,15 +1,17 @@ name: Jscript Execution Using Cscript App id: 002f1e24-146e-11ec-a470-acde48001122 -version: 1 -date: '2021-09-13' +version: 2 +date: '2024-05-12' author: Teoderick Contreras, Splunk status: production type: TTP -description: This search is to detect a execution of jscript using cscript process. - Commonly when a user run jscript file it was executed by wscript.exe application. - This technique was seen in FIN7 js implant to execute its malicious script using - cscript process. This behavior is uncommon and a good artifacts to check further - anomalies within the network +description: The following analytic detects the execution of JScript using the cscript.exe + process. It leverages data from Endpoint Detection and Response (EDR) agents, focusing + on process and command-line telemetry. This behavior is significant because JScript + files are typically executed by wscript.exe, making cscript.exe execution unusual + and potentially indicative of malicious activity, such as the FIN7 group's tactics. + If confirmed malicious, this activity could allow attackers to execute arbitrary + scripts, leading to code execution, data exfiltration, or further system compromise. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -71,6 +73,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/fin7_macro_js_1/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/fin7_macro_js_1/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/kerberoasting_spn_request_with_rc4_encryption.yml b/detections/endpoint/kerberoasting_spn_request_with_rc4_encryption.yml index 18c1ee775a..206a89180c 100644 --- a/detections/endpoint/kerberoasting_spn_request_with_rc4_encryption.yml +++ b/detections/endpoint/kerberoasting_spn_request_with_rc4_encryption.yml @@ -1,25 +1,24 @@ name: Kerberoasting spn request with RC4 encryption id: 5cc67381-44fa-4111-8a37-7a230943f027 -version: 5 -date: '2024-04-26' +version: 6 +date: '2024-05-16' author: Jose Hernandez, Patrick Bareiss, Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic leverages Kerberos Event 4769, A Kerberos service - ticket was requested, to identify a potential kerberoasting attack against Active - Directory networks. Kerberoasting allows an adversary to request kerberos tickets - for domain accounts typically used as service accounts and attempt to crack them - offline allowing them to obtain privileged access to the domain. This analytic looks - for a specific combination of the Ticket_Options field based on common kerberoasting - tools. Defenders should be aware that it may be possible for a Kerberoast attack - to use different Ticket_Options. +description: The following analytic detects potential Kerberoasting attacks by identifying + Kerberos service ticket requests with RC4 encryption through Event ID 4769. It leverages + specific Ticket_Options values commonly used by Kerberoasting tools. This activity + is significant as Kerberoasting allows attackers to request service tickets for + domain accounts, typically service accounts, and crack them offline to gain privileged + access. If confirmed malicious, this could lead to unauthorized access, privilege + escalation, and further compromise of the Active Directory environment. data_source: - Windows Event Log Security 4769 -search: '`wineventlog_security` EventCode=4769 ServiceName!="*$" (TicketOptions=0x40810000 OR TicketOptions=0x40800000 OR TicketOptions=0x40810010) TicketEncryptionType=0x17 - | stats count min(_time) as firstTime max(_time) as lastTime by Computer, service_id, service, TicketEncryptionType, TicketOptions | rename Computer as dest - | `security_content_ctime(lastTime)` - | `security_content_ctime(firstTime)` - | `kerberoasting_spn_request_with_rc4_encryption_filter`' +search: '`wineventlog_security` EventCode=4769 ServiceName!="*$" (TicketOptions=0x40810000 + OR TicketOptions=0x40800000 OR TicketOptions=0x40810010) TicketEncryptionType=0x17 + | stats count min(_time) as firstTime max(_time) as lastTime by Computer, service_id, + service, TicketEncryptionType, TicketOptions | rename Computer as dest | `security_content_ctime(lastTime)` + | `security_content_ctime(firstTime)` | `kerberoasting_spn_request_with_rc4_encryption_filter`' how_to_implement: To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. @@ -64,6 +63,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.003/kerberoasting_spn_request_with_rc4_encryption/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.003/kerberoasting_spn_request_with_rc4_encryption/windows-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml b/detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml index 1f0ab284b2..43385ce72c 100644 --- a/detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml +++ b/detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml @@ -1,22 +1,23 @@ name: Kerberos Pre-Authentication Flag Disabled in UserAccountControl id: 0cb847ee-9423-11ec-b2df-acde48001122 -version: 1 -date: '2022-02-22' +version: 2 +date: '2024-05-24' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic leverages Windows Security Event 4738, `A user - account was changed`, to identify a change performed on a domain user object that - disables Kerberos Pre-Authentication. Disabling the Pre Authentication flag in the - UserAccountControl property allows an adversary to easily perform a brute force - attack against the user's password offline leveraging the ASP REP Roasting technique. - Red Teams and adversaries alike who have obtained privileges in an Active Directory - network may use this technique as a backdoor or a way to escalate privileges. +description: The following analytic detects when the Kerberos Pre-Authentication flag + is disabled in a user account, using Windows Security Event 4738. This event indicates + a change in the UserAccountControl property of a domain user object. Disabling this + flag allows adversaries to perform offline brute force attacks on the user's password + using the AS-REP Roasting technique. This activity is significant as it can be used + by attackers with existing privileges to escalate their access or maintain persistence. + If confirmed malicious, this could lead to unauthorized access and potential compromise + of sensitive information. data_source: - Windows Event Log Security 4738 search: ' `wineventlog_security` EventCode=4738 MSADChangedAttributes="*Don''t Require - Preauth'' - Enabled*" |rename Account_Name as user | table EventCode, user, dest, Security_ID, MSADChangedAttributes - | `kerberos_pre_authentication_flag_disabled_in_useraccountcontrol_filter`' + Preauth'' - Enabled*" |rename Account_Name as user | table EventCode, user, dest, + Security_ID, MSADChangedAttributes | `kerberos_pre_authentication_flag_disabled_in_useraccountcontrol_filter`' how_to_implement: To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `User Account Management` within `Account Management` needs to be enabled. @@ -55,7 +56,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.004/powershell/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.004/powershell/windows-security.log source: WinEventLog:Security sourcetype: WinEventLog update_timestamp: true diff --git a/detections/endpoint/kerberos_pre_authentication_flag_disabled_with_powershell.yml b/detections/endpoint/kerberos_pre_authentication_flag_disabled_with_powershell.yml index b728f1b3cc..22119be938 100644 --- a/detections/endpoint/kerberos_pre_authentication_flag_disabled_with_powershell.yml +++ b/detections/endpoint/kerberos_pre_authentication_flag_disabled_with_powershell.yml @@ -1,26 +1,25 @@ name: Kerberos Pre-Authentication Flag Disabled with PowerShell id: 59b51620-94c9-11ec-b3d5-acde48001122 -version: 2 -date: '2022-03-22' +version: 3 +date: '2024-05-12' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) - to identify the execution of the `Set-ADAccountControl` commandlet with specific - parameters. `Set-ADAccountControl` is part of the Active Directory PowerShell module - used to manage Windows Active Directory networks. As the name suggests, `Set-ADAccountControl` - is used to modify User Account Control values for an Active Directory domain account. - With the appropiate parameters, Set-ADAccountControl allows adversaries to disable - Kerberos Pre-Authentication for an account to to easily perform a brute force attack - against the user's password offline leveraging the ASP REP Roasting technique. Red - Teams and adversaries alike who have obtained privileges in an Active Directory - network may use this technique as a backdoor or a way to escalate privileges. +description: The following analytic detects the use of the `Set-ADAccountControl` + PowerShell cmdlet with parameters that disable Kerberos Pre-Authentication. It leverages + PowerShell Script Block Logging (EventCode=4104) to identify this specific command + execution. Disabling Kerberos Pre-Authentication is significant because it allows + adversaries to perform offline brute force attacks against user passwords using + the AS-REP Roasting technique. If confirmed malicious, this activity could enable + attackers to escalate privileges or maintain persistence within an Active Directory + environment, posing a severe security risk. data_source: - Powershell Script Block Logging 4104 search: '`powershell` EventCode=4104 (ScriptBlockText = "*Set-ADAccountControl*" AND ScriptBlockText="*DoesNotRequirePreAuth:$true*") | stats count min(_time) as firstTime - max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | rename Computer as dest | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `kerberos_pre_authentication_flag_disabled_with_powershell_filter`' + max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | rename Computer + as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `kerberos_pre_authentication_flag_disabled_with_powershell_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. @@ -60,7 +59,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.004/powershell/windows-powershell-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.004/powershell/windows-powershell-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/kerberos_service_ticket_request_using_rc4_encryption.yml b/detections/endpoint/kerberos_service_ticket_request_using_rc4_encryption.yml index 2be16714c5..f361a4b6fc 100644 --- a/detections/endpoint/kerberos_service_ticket_request_using_rc4_encryption.yml +++ b/detections/endpoint/kerberos_service_ticket_request_using_rc4_encryption.yml @@ -1,28 +1,25 @@ name: Kerberos Service Ticket Request Using RC4 Encryption id: 7d90f334-a482-11ec-908c-acde48001122 -version: 2 -date: '2024-04-26' +version: 3 +date: '2024-05-27' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic leverages Kerberos Event 4769, A Kerberos service - ticket was requested, to identify a potential Kerberos Service Ticket request related - to a Golden Ticket attack. Adversaries who have obtained the Krbtgt account NTLM - password hash may forge a Kerberos Granting Ticket (TGT) to obtain unrestricted - access to an Active Directory environment. Armed with a Golden Ticket, attackers - can request service tickets to move laterally and execute code on remote systems. - Looking for Kerberos Service Ticket requests using the legacy RC4 encryption mechanism - could represent the second stage of a Golden Ticket attack. RC4 usage should be - rare on a modern network since Windows Vista & Windows Sever 2008 and newer support - AES Kerberos encryption.\ Defenders should note that if an attacker does not leverage - the NTLM password hash but rather the AES key to create a golden ticket, this detection - may be bypassed. +description: 'The following analytic detects Kerberos service ticket requests using + RC4 encryption, leveraging Kerberos Event 4769. This method identifies potential + Golden Ticket attacks, where adversaries forge Kerberos Granting Tickets (TGT) using + the Krbtgt account NTLM password hash to gain unrestricted access to an Active Directory + environment. Monitoring for RC4 encryption usage is significant as it is rare in + modern networks, indicating possible malicious activity. If confirmed malicious, + attackers could move laterally and execute code on remote systems, compromising + the entire network. Note: This detection may be bypassed if attackers use the AES + key instead of the NTLM hash.' data_source: - Windows Event Log Security 4769 -search: ' `wineventlog_security` EventCode=4769 ServiceName="*$" (TicketOptions=0x40810000 OR TicketOptions=0x40800000 OR TicketOptions=0x40810010) TicketEncryptionType=0x17 - | stats count min(_time) as firstTime max(_time) as lastTime by dest, service, service_id, TicketEncryptionType, TicketOptions - | `security_content_ctime(lastTime)` - | `security_content_ctime(firstTime)` +search: ' `wineventlog_security` EventCode=4769 ServiceName="*$" (TicketOptions=0x40810000 + OR TicketOptions=0x40800000 OR TicketOptions=0x40810010) TicketEncryptionType=0x17 + | stats count min(_time) as firstTime max(_time) as lastTime by dest, service, service_id, + TicketEncryptionType, TicketOptions | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `kerberos_service_ticket_request_using_rc4_encryption_filter`' how_to_implement: To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting @@ -44,7 +41,8 @@ tags: asset_type: Endpoint confidence: 50 impact: 90 - message: A Kerberos Service TTicket request with RC4 encryption was requested from $dest$ + message: A Kerberos Service TTicket request with RC4 encryption was requested from + $dest$ mitre_attack_id: - T1558 - T1558.001 @@ -70,6 +68,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.001/kerberos_service_ticket_request_using_rc4_encryption/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.001/kerberos_service_ticket_request_using_rc4_encryption/windows-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/kerberos_tgt_request_using_rc4_encryption.yml b/detections/endpoint/kerberos_tgt_request_using_rc4_encryption.yml index b8aa49a71a..31815fd33b 100644 --- a/detections/endpoint/kerberos_tgt_request_using_rc4_encryption.yml +++ b/detections/endpoint/kerberos_tgt_request_using_rc4_encryption.yml @@ -1,26 +1,22 @@ name: Kerberos TGT Request Using RC4 Encryption id: 18916468-9c04-11ec-bdc6-acde48001122 -version: 2 -date: '2024-04-26' +version: 3 +date: '2024-05-27' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic leverages Event 4768, A Kerberos authentication - ticket (TGT) was requested, to identify a TGT request with encryption type 0x17, - or RC4-HMAC. This encryption type is no longer utilized by newer systems and could - represent evidence of an OverPass The Hash attack. Similar to Pass The Hash, OverPass - The Hash is a form of credential theft that allows adversaries to move laterally - or consume resources in a target network. Leveraging this attack, an adversary who - has stolen the NTLM hash of a valid domain account is able to authenticate to the - Kerberos Distribution Center(KDC) on behalf of the legitimate account and obtain - a Kerberos TGT ticket. Depending on the privileges of the compromised account, this - ticket may be used to obtain unauthorized access to systems and other network resources. +description: The following analytic detects a Kerberos Ticket Granting Ticket (TGT) + request using RC4-HMAC encryption (type 0x17) by leveraging Event 4768. This encryption + type is outdated and its presence may indicate an OverPass The Hash attack. Monitoring + this activity is crucial as it can signify credential theft, allowing adversaries + to authenticate to the Kerberos Distribution Center (KDC) using a stolen NTLM hash. + If confirmed malicious, this could enable unauthorized access to systems and resources, + potentially leading to lateral movement and further compromise within the network. data_source: - Windows Event Log Security 4768 -search: ' `wineventlog_security` EventCode=4768 TicketEncryptionType=0x17 ServiceName!=*$ - | stats count min(_time) as firstTime max(_time) as lastTime by ServiceName src_ip dest - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +search: ' `wineventlog_security` EventCode=4768 TicketEncryptionType=0x17 ServiceName!=*$ + | stats count min(_time) as firstTime max(_time) as lastTime by ServiceName src_ip + dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `kerberos_tgt_request_using_rc4_encryption_filter`' how_to_implement: To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting @@ -61,6 +57,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550/kerberos_tgt_request_using_rc4_encryption/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550/kerberos_tgt_request_using_rc4_encryption/windows-xml.log source: XmlWinEventLog:Security - sourcetype: XmlWinEventLog \ No newline at end of file + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/kerberos_user_enumeration.yml b/detections/endpoint/kerberos_user_enumeration.yml index d165e5ca54..9fd94aa879 100644 --- a/detections/endpoint/kerberos_user_enumeration.yml +++ b/detections/endpoint/kerberos_user_enumeration.yml @@ -1,29 +1,24 @@ name: Kerberos User Enumeration id: d82d4af4-a0bd-11ec-9445-3e22fbd008af -version: 2 -date: '2024-04-26' +version: 3 +date: '2024-05-25' author: Mauricio Velazco, Splunk status: production type: Anomaly -description: The following analytic leverages Event Id 4768, A Kerberos authentication - ticket (TGT) was requested, to identify one source endpoint trying to obtain an - unusual number Kerberos TGT ticket for non existing users. This behavior could represent - an adversary abusing the Kerberos protocol to perform a user enumeration attack - against an Active Directory environment. When Kerberos is sent a TGT request with - no preauthentication for an invalid username, it responds with KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN - or 0x6. Red teams and adversaries alike may abuse the Kerberos protocol to validate - a list of users use them to perform further attacks.\ The detection calculates the - standard deviation for each host and leverages the 3-sigma statistical rule to identify - an unusual number requests. To customize this analytic, users can try different - combinations of the `bucket` span time and the calculation of the `upperBound` field. +description: The following analytic detects an unusual number of Kerberos Ticket Granting + Ticket (TGT) requests for non-existing users from a single source endpoint. It leverages + Event ID 4768 and identifies anomalies using the 3-sigma statistical rule. This + behavior is significant as it may indicate an adversary performing a user enumeration + attack against Active Directory. If confirmed malicious, the attacker could validate + a list of usernames, potentially leading to further attacks such as brute force + or credential stuffing, compromising the security of the environment. data_source: - Windows Event Log Security 4768 -search: ' `wineventlog_security` EventCode=4768 Status=0x6 TargetUserName!="*$" - | bucket span=2m _time - | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, src_ip - | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by src_ip - | eval upperBound=(comp_avg+comp_std*3) - | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) +search: ' `wineventlog_security` EventCode=4768 Status=0x6 TargetUserName!="*$" | + bucket span=2m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) + as tried_accounts by _time, src_ip | eventstats avg(unique_accounts) as comp_avg + , stdev(unique_accounts) as comp_std by src_ip | eval upperBound=(comp_avg+comp_std*3) + | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1| `kerberos_user_enumeration_filter`' how_to_implement: To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting @@ -64,6 +59,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1589.002/kerberos_user_enumeration/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1589.002/kerberos_user_enumeration/windows-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/known_services_killed_by_ransomware.yml b/detections/endpoint/known_services_killed_by_ransomware.yml index e9c3bb2b32..0a0cb065f2 100644 --- a/detections/endpoint/known_services_killed_by_ransomware.yml +++ b/detections/endpoint/known_services_killed_by_ransomware.yml @@ -1,15 +1,18 @@ name: Known Services Killed by Ransomware id: 3070f8e0-c528-11eb-b2a0-acde48001122 -version: 2 -date: '2024-04-26' +version: 3 +date: '2024-05-29' author: Teoderick Contreras, Splunk status: production type: TTP -description: This search detects a suspicioous termination of known services killed - by ransomware before encrypting files in a compromised machine. This technique is - commonly seen in most of ransomware now a days to avoid exception error while accessing - the targetted files it wants to encrypts because of the open handle of those services - to the targetted file. +description: The following analytic detects the suspicious termination of known services + commonly targeted by ransomware before file encryption. It leverages Windows System + Event Logs (EventCode 7036) to identify when critical services such as Volume Shadow + Copy, backup, and antivirus services are stopped. This activity is significant because + ransomware often disables these services to avoid errors and ensure successful file + encryption. If confirmed malicious, this behavior could lead to widespread data + encryption, rendering files inaccessible and potentially causing significant operational + disruption and data loss. data_source: - Windows Event Log System 7036 search: '`wineventlog_system` EventCode=7036 param1 IN ("*Volume Shadow Copy*","*VSS*", @@ -17,8 +20,9 @@ search: '`wineventlog_system` EventCode=7036 param1 IN ("*Volume Shadow Copy*"," "ccEvtMgr", "ccSetMgr", "SavRoam", "RTVscan", "QBFCService", "QBIDPService", "Intuit.QuickBooks.FCS", "QBCFMonitorService" "YooBackup", "YooIT", "*Veeam*", "PDVFSService", "BackupExecVSSProvider", "BackupExecAgentAccelerator", "BackupExec*", "WdBoot", "WdFilter", "WdNisDrv", "WdNisSvc", - "WinDefend", "wscsvc", "Sense", "sppsvc", "SecurityHealthService") param2="stopped" | stats count min(_time) as firstTime max(_time) as - lastTime by EventCode param1 dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` + "WinDefend", "wscsvc", "Sense", "sppsvc", "SecurityHealthService") param2="stopped" + | stats count min(_time) as firstTime max(_time) as lastTime by EventCode param1 + dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `known_services_killed_by_ransomware_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the 7036 EventCode ScManager in System audit Logs from your endpoints. @@ -64,6 +68,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/known_services_killed_by_ransomware/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/known_services_killed_by_ransomware/windows-xml.log source: XmlWinEventLog:System sourcetype: XmlWinEventLog diff --git a/detections/endpoint/linux_account_manipulation_of_ssh_config_and_keys.yml b/detections/endpoint/linux_account_manipulation_of_ssh_config_and_keys.yml index 5afb161c34..0f3add9bba 100644 --- a/detections/endpoint/linux_account_manipulation_of_ssh_config_and_keys.yml +++ b/detections/endpoint/linux_account_manipulation_of_ssh_config_and_keys.yml @@ -1,26 +1,26 @@ name: Linux Account Manipulation Of SSH Config and Keys id: 73a56508-1cf5-4df7-b8d9-5737fbdc27d2 -version: 2 -date: '2023-04-27' +version: 3 +date: '2024-05-23' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This analytic is to detect a deletion of ssh key in a linux machine. - attacker may delete or modify ssh key to impair some security features or act as - defense evasion in compromised linux machine. This Anomaly can be also a good indicator - of a malware trying to wipe or delete several files in a compromised host as part - of its destructive payload like what acidrain malware does in linux or router machines. - This detection can be a good pivot to check what process and user tries to delete - this type of files which is not so common and need further investigation. +description: The following analytic detects the deletion of SSH keys on a Linux machine. + It leverages filesystem event logs to identify when files within "/etc/ssh/*" or + "~/.ssh/*" are deleted. This activity is significant because attackers may delete + or modify SSH keys to evade security measures or as part of a destructive payload, + similar to the AcidRain malware. If confirmed malicious, this behavior could lead + to impaired security features, hindered forensic investigations, or further unauthorized + access, necessitating immediate investigation to identify the responsible process + and user. data_source: - Sysmon for Linux EventID 11 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted AND Filesystem.file_path IN ("/etc/ssh/*", "~/.ssh/*") by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.action | - `drop_dm_object_name(Filesystem)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)`| `linux_account_manipulation_of_ssh_config_and_keys_filter`' + `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| + `linux_account_manipulation_of_ssh_config_and_keys_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from @@ -62,6 +62,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/acidrain/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/acidrain/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux \ No newline at end of file + sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_add_files_in_known_crontab_directories.yml b/detections/endpoint/linux_add_files_in_known_crontab_directories.yml index 31f63a8b63..606c573d9a 100644 --- a/detections/endpoint/linux_add_files_in_known_crontab_directories.yml +++ b/detections/endpoint/linux_add_files_in_known_crontab_directories.yml @@ -1,11 +1,17 @@ name: Linux Add Files In Known Crontab Directories id: 023f3452-5f27-11ec-bf00-acde48001122 -version: 1 -date: '2021-12-17' +version: 2 +date: '2024-05-15' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic aims to detect unauthorized activities through suspicious file creation in recognized cron table directories, prevalent Unix-based locations for scheduling tasks. This behavior is often exploited by nefarious entities like malware or threat actors, including red teamers, to establish persistence on a targeted or compromised host. The analogy to Windows-based scheduled tasks helps explain the utility of a crontab or cron job. To enhance clarity and actionable intelligence, the anomaly query flags the anomaly, urging further investigation into the added file's details. A cybersecurity analyst should consider additional data points such as the user identity involved, the file's nature and purpose, file origin, timestamp, and any changes in system behavior post file execution. This comprehensive understanding aids in accurately determining the file's legitimacy, facilitating prompt and effective response actions. +description: The following analytic detects unauthorized file creation in known crontab + directories on Unix-based systems. It leverages filesystem data to identify new + files in directories such as /etc/cron* and /var/spool/cron/*. This activity is + significant as it may indicate an attempt by threat actors or malware to establish + persistence on a compromised host. If confirmed malicious, this could allow attackers + to execute arbitrary code at scheduled intervals, potentially leading to further + system compromise and unauthorized access to sensitive information. data_source: - Sysmon for Linux EventID 11 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -56,6 +62,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/cronjobs_entry/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/cronjobs_entry/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_add_user_account.yml b/detections/endpoint/linux_add_user_account.yml index ed4dd1890f..dd614a81d2 100644 --- a/detections/endpoint/linux_add_user_account.yml +++ b/detections/endpoint/linux_add_user_account.yml @@ -1,15 +1,17 @@ name: Linux Add User Account id: 51fbcaf2-6259-11ec-b0f3-acde48001122 -version: 1 -date: '2021-12-21' +version: 2 +date: '2024-05-23' author: Teoderick Contreras, Splunk status: production type: Hunting -description: This analytic looks for commands to create user accounts on the linux - platform. This technique is commonly abuse by adversaries, malware author and red - teamers to persist on the targeted or compromised host by creating new user with - an elevated privilege. This Hunting query may catch normal creation of user by administrator - so filter is needed. +description: The following analytic detects the creation of new user accounts on Linux + systems using commands like "useradd" or "adduser." It leverages data from Endpoint + Detection and Response (EDR) agents, focusing on process names and command-line + executions. This activity is significant as adversaries often create new user accounts + to establish persistence on compromised hosts. If confirmed malicious, this could + allow attackers to maintain access, escalate privileges, and further compromise + the system, posing a severe security risk. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes @@ -65,6 +67,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_adduser/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_adduser/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_adding_crontab_using_list_parameter.yml b/detections/endpoint/linux_adding_crontab_using_list_parameter.yml index 8a5e642751..2350c26f3d 100644 --- a/detections/endpoint/linux_adding_crontab_using_list_parameter.yml +++ b/detections/endpoint/linux_adding_crontab_using_list_parameter.yml @@ -1,24 +1,18 @@ name: Linux Adding Crontab Using List Parameter id: 52f6d751-1fd4-4c74-a4c9-777ecfeb5c58 -version: 1 -date: '2023-04-14' +version: 2 +date: '2024-05-27' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic identifies suspicious modifications to cron jobs - on Linux systems using the crontab command with list parameters. This command line - parameter can be abused by malware like Industroyer2, as well as adversaries and - red teamers, to add a crontab entry for executing their malicious code on a schedule - of their choice. However, it's important to note that administrators or normal users - may also use this command for legitimate automation purposes, so filtering is required - to minimize false positives. Identifying the modification of cron jobs using list - parameters is valuable for a SOC as it indicates potential malicious activity or - an attempt to establish persistence on the system. If a true positive is detected, - further investigation should be conducted to analyze the added cron job, its associated - command, and the impact it may have on the system. This includes examining the purpose - of the job, reviewing any on-disk artifacts, and identifying any related processes - or activities occurring concurrently. The impact of a true positive can range from - unauthorized execution of malicious code to data destruction or other damaging outcomes. +description: The following analytic detects suspicious modifications to cron jobs + on Linux systems using the crontab command with list parameters. It leverages data + from Endpoint Detection and Response (EDR) agents, focusing on process names and + command-line executions. This activity is significant as it may indicate an attempt + to establish persistence or execute malicious code on a schedule. If confirmed malicious, + the impact could include unauthorized code execution, data destruction, or other + damaging outcomes. Further investigation should analyze the added cron job, its + associated command, and any related processes. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -49,6 +43,7 @@ tags: - Data Destruction - Linux Persistence Techniques - Scheduled Tasks + - Gomir asset_type: Endpoint confidence: 50 impact: 50 @@ -79,6 +74,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/crontab_list_parameter/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/crontab_list_parameter/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_apt_get_privilege_escalation.yml b/detections/endpoint/linux_apt_get_privilege_escalation.yml index 568fbd898f..3f64e0e5be 100644 --- a/detections/endpoint/linux_apt_get_privilege_escalation.yml +++ b/detections/endpoint/linux_apt_get_privilege_escalation.yml @@ -1,16 +1,18 @@ name: Linux apt-get Privilege Escalation id: d870ce3b-e796-402f-b2af-cab4da1223f2 -version: 1 -date: '2022-08-11' +version: 2 +date: '2024-05-22' author: Gowthamaraj Rajendran, Splunk status: production type: Anomaly -description: The apt-get is a command line tool for interacting with the Advanced - Package Tool (APT) library (a package management system for Linux distributions). - It allows you to search for, install, manage, update, and remove software. The tool - does not build software from the source code. If sudo right is given to the tool - for user, then the user can run system commands as root and possibly get a root - shell. +description: The following analytic detects the execution of the 'apt-get' command + with elevated privileges using 'sudo' on a Linux system. It leverages data from + Endpoint Detection and Response (EDR) agents, focusing on process execution logs + that include command-line details. This activity is significant because it indicates + a user may be attempting to escalate privileges to root, which could lead to unauthorized + system control. If confirmed malicious, an attacker could gain root access, allowing + them to execute arbitrary commands, install or remove software, and potentially + compromise the entire system. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -76,7 +78,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/apt_get/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/apt_get/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/detections/endpoint/linux_apt_privilege_escalation.yml b/detections/endpoint/linux_apt_privilege_escalation.yml index 31406a5709..388b86e419 100644 --- a/detections/endpoint/linux_apt_privilege_escalation.yml +++ b/detections/endpoint/linux_apt_privilege_escalation.yml @@ -1,15 +1,18 @@ name: Linux APT Privilege Escalation id: 4d5a05fa-77d9-4fd0-af9c-05704f9f9a88 -version: 1 -date: '2022-08-11' +version: 2 +date: '2024-05-22' author: Gowthamaraj Rajendran, Splunk status: production type: Anomaly -description: Advanced Package Tool, more commonly known as APT, is a collection of - tools used to install, update, remove, and otherwise manage software packages on - Debian and its derivative operating systems, including Ubuntu and Linux Mint. If - sudo right is given to the tool for user, then the user can run system commands - as root and possibly get a root shell. +description: The following analytic detects the use of the Advanced Package Tool (APT) + with elevated privileges via sudo on Linux systems. It leverages Endpoint Detection + and Response (EDR) telemetry to identify processes where APT commands are executed + with sudo rights. This activity is significant because it indicates a user can run + system commands as root, potentially leading to unauthorized root shell access. + If confirmed malicious, this could allow an attacker to escalate privileges, execute + arbitrary commands, and gain full control over the affected system, posing a severe + security risk. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -75,7 +78,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/apt/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/apt/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/detections/endpoint/linux_at_allow_config_file_creation.yml b/detections/endpoint/linux_at_allow_config_file_creation.yml index 95765c3f32..25996012bd 100644 --- a/detections/endpoint/linux_at_allow_config_file_creation.yml +++ b/detections/endpoint/linux_at_allow_config_file_creation.yml @@ -1,13 +1,18 @@ name: Linux At Allow Config File Creation id: 977b3082-5f3d-11ec-b954-acde48001122 -version: 1 -date: '2021-12-17' +version: 2 +date: '2024-05-26' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the creation of suspicious configuration files, /etc/at.allow or /etc/at.deny, in Linux. These files are commonly abused by malware, adversaries, or red teamers to establish persistence on compromised hosts. The configuration files determine which users are allowed to execute the "at" application, which is used for scheduling tasks in Linux. Attackers can add their user or a compromised username to these files to execute malicious code using "at." It's important to consider potential false positives as administrators or network operators may create these files for legitimate automation purposes. Adjust the filter macros to minimize false positives. - - Identifying the creation of these configuration files is valuable for a SOC as it indicates potential unauthorized activities or an attacker attempting to establish persistence. If a true positive is found, further investigation is necessary to examine the contents of the created configuration file and determine the source of creation. The impact of a true positive can vary but could result in unauthorized execution of malicious code, data theft, or other detrimental consequences. Analysts should review the file path, creation time, and associated processes to assess the extent of the attack and initiate appropriate response actions. +description: The following analytic detects the creation of the /etc/at.allow or /etc/at.deny + configuration files in Linux. It leverages file creation events from the Endpoint + datamodel to identify when these files are created. This activity is significant + as these files control user permissions for the "at" scheduling application and + can be abused by attackers to establish persistence. If confirmed malicious, this + could allow unauthorized execution of malicious code, leading to potential data + theft or further system compromise. Analysts should review the file path, creation + time, and associated processes to assess the threat. data_source: - Sysmon for Linux EventID 11 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -57,6 +62,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/at_execution/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/at_execution/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_at_application_execution.yml b/detections/endpoint/linux_at_application_execution.yml index 5fb5ff165e..05649e4cff 100644 --- a/detections/endpoint/linux_at_application_execution.yml +++ b/detections/endpoint/linux_at_application_execution.yml @@ -1,33 +1,19 @@ name: Linux At Application Execution id: bf0a378e-5f3c-11ec-a6de-acde48001122 -version: 2 -date: '2022-05-26' +version: 3 +date: '2024-05-20' author: Teoderick Contreras, Splunk status: production type: Anomaly description: 'The following analytic detects the execution of the "At" application in Linux, which can be used by attackers to create persistence entries on a compromised - host. The "At" application can be used for automation purposes by administrators - or network operators, so the filter macros should be updated to remove false positives. - If a true positive is found, it suggests an attacker is trying to maintain access - to the environment or potentially deliver additional malicious payloads, leading - to data theft, ransomware, or other damaging outcomes. To implement this analytic, - ensure you are ingesting logs with the required fields from your endpoints into - the Endpoint datamodel. When a true positive is detected, it suggests that an attacker - is attempting to establish persistence or deliver additional malicious payloads - by leveraging the "At" application. This behavior can lead to data theft, ransomware - attacks, or other damaging outcomes. - - During triage, the SOC analyst should review the context surrounding the execution - of the "At" application. This includes identifying the user, the parent process - responsible for invoking the application, and the specific command-line arguments - used. It is important to consider whether the execution is expected behavior by - an administrator or network operator for legitimate automation purposes. - - The presence of "At" application execution may indicate an attacker''s attempt to - maintain unauthorized access to the environment. Immediate investigation and response - are necessary to mitigate further risks, identify the attacker''s intentions, and - prevent potential harm to the organization.' + host. This detection leverages data from Endpoint Detection and Response (EDR) agents, + focusing on process names and parent process names associated with "at" or "atd". + This activity is significant because the "At" application can be exploited to maintain + unauthorized access or deliver additional malicious payloads. If confirmed malicious, + this behavior could lead to data theft, ransomware attacks, or other severe consequences. + Immediate investigation is required to determine the legitimacy of the execution + and mitigate potential risks.' data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes @@ -86,6 +72,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/at_execution/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/at_execution/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_awk_privilege_escalation.yml b/detections/endpoint/linux_awk_privilege_escalation.yml index 3389ced08c..a7fea37ec7 100644 --- a/detections/endpoint/linux_awk_privilege_escalation.yml +++ b/detections/endpoint/linux_awk_privilege_escalation.yml @@ -1,14 +1,18 @@ name: Linux AWK Privilege Escalation id: 4510cae0-96a2-4840-9919-91d262db210a -version: 1 -date: '2022-07-31' +version: 2 +date: '2024-05-26' author: Gowthamaraj Rajendran, Splunk status: production type: Anomaly -description: Awk is mostly used for processing and scanning patterns. It checks one - or more files to determine whether any lines fit the specified patterns, and if - so, it does the appropriate action. If sudo right is given to AWK binary for the - user, then the user can run system commands as root and possibly get a root shell. +description: The following analytic detects the use of the AWK command with elevated + privileges to execute system commands. It leverages Endpoint Detection and Response + (EDR) telemetry, specifically monitoring processes that include "sudo," "awk," and + "BEGIN*system" in their command lines. This activity is significant because it indicates + a potential privilege escalation attempt, where a user could gain root access by + executing commands as the root user. If confirmed malicious, this could allow an + attacker to fully compromise the system, execute arbitrary commands, and maintain + persistent control over the affected endpoint. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -73,7 +77,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/awk/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/awk/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/detections/endpoint/linux_busybox_privilege_escalation.yml b/detections/endpoint/linux_busybox_privilege_escalation.yml index f372d9d005..b32e411a9b 100644 --- a/detections/endpoint/linux_busybox_privilege_escalation.yml +++ b/detections/endpoint/linux_busybox_privilege_escalation.yml @@ -1,15 +1,18 @@ name: Linux Busybox Privilege Escalation id: 387c4e78-f4a4-413d-ad44-e9f7bc4642c9 -version: 1 -date: '2022-08-11' +version: 2 +date: '2024-05-27' author: Gowthamaraj Rajendran, Splunk status: production type: Anomaly -description: BusyBox combines tiny versions of many common UNIX utilities into a single - small executable. It provides minimalist replacements for most of the utilities - you usually find in GNU coreutils, util-linux, etc. If sudo right is given to BusyBox - application for the user, then the user can run system commands as root and possibly - get a root shell. +description: The following analytic detects the execution of BusyBox with sudo privileges, + which can lead to privilege escalation on Linux systems. It leverages data from + Endpoint Detection and Response (EDR) agents, focusing on process creation events + where BusyBox is executed with both 'sh' and 'sudo' commands. This activity is significant + because it indicates a user may be attempting to gain root access, bypassing standard + security controls. If confirmed malicious, this could allow an attacker to execute + arbitrary commands as root, leading to full system compromise and potential persistence + within the environment. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -74,7 +77,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/busybox/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/busybox/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/detections/endpoint/linux_c89_privilege_escalation.yml b/detections/endpoint/linux_c89_privilege_escalation.yml index 435232ac7a..912bcac714 100644 --- a/detections/endpoint/linux_c89_privilege_escalation.yml +++ b/detections/endpoint/linux_c89_privilege_escalation.yml @@ -1,15 +1,18 @@ name: Linux c89 Privilege Escalation id: 54c95f4d-3e5d-44be-9521-ea19ba62f7a8 -version: 1 -date: '2022-08-11' +version: 2 +date: '2024-05-30' author: Gowthamaraj Rajendran, Splunk status: production type: Anomaly -description: The c89 and cc commands compile, assemble, and link-edit C programs; - the cxx or c++ command does the same for C++ programs. The c89 command should be - used when compiling C programs that are written according to Standard C. If sudo - right is given to c89 application for the user, then the user can run system commands - as root and possibly get a root shell. +description: The following analytic detects the execution of the 'c89' command with + elevated privileges, which can be used to compile and execute C programs as root. + This detection leverages data from Endpoint Detection and Response (EDR) agents, + focusing on process creation events that include command-line arguments. This activity + is significant because it indicates a potential privilege escalation attempt, allowing + a user to execute arbitrary commands as root. If confirmed malicious, this could + lead to full system compromise, enabling the attacker to gain root access and execute + any command with elevated privileges. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -74,7 +77,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/c89/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/c89/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/detections/endpoint/linux_c99_privilege_escalation.yml b/detections/endpoint/linux_c99_privilege_escalation.yml index ccdfb0028b..a13ecbdf76 100644 --- a/detections/endpoint/linux_c99_privilege_escalation.yml +++ b/detections/endpoint/linux_c99_privilege_escalation.yml @@ -1,15 +1,18 @@ name: Linux c99 Privilege Escalation id: e1c6dec5-2249-442d-a1f9-99a4bd228183 -version: 1 -date: '2022-08-11' +version: 2 +date: '2024-05-21' author: Gowthamaraj Rajendran, Splunk status: production type: Anomaly -description: The c99 utility is an interface to the standard C compilation system; - it shall accept source code conforming to the ISO C standard. The system conceptually - consists of a compiler and link editor. If sudo right is given to ruby application - for the user, then the user can run system commands as root and possibly get a root - shell. +description: The following analytic detects the execution of the c99 utility with + sudo privileges, which can lead to privilege escalation on Linux systems. It leverages + data from Endpoint Detection and Response (EDR) agents, focusing on process execution + logs that include command-line details. This activity is significant because it + indicates a potential misuse of the c99 utility to gain root access, which is critical + for maintaining system security. If confirmed malicious, this could allow an attacker + to execute commands as root, potentially compromising the entire system and accessing + sensitive information. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -74,7 +77,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/c99/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/c99/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/detections/endpoint/linux_change_file_owner_to_root.yml b/detections/endpoint/linux_change_file_owner_to_root.yml index 9c2933ac37..ac42f0748a 100644 --- a/detections/endpoint/linux_change_file_owner_to_root.yml +++ b/detections/endpoint/linux_change_file_owner_to_root.yml @@ -1,16 +1,17 @@ name: Linux Change File Owner To Root id: c1400ea2-6257-11ec-ad49-acde48001122 -version: 1 -date: '2021-12-21' +version: 2 +date: '2024-05-22' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This analytic looks for a commandline that change the file owner to root - using chown utility tool. This technique is commonly abuse by adversaries, malware - author and red teamers to escalate privilege to the targeted or compromised host - by changing the owner of their malicious file to root. This event is not so common - in corporate network except from the administrator doing normal task that needs - high privilege. +description: The following analytic detects the use of the 'chown' command to change + a file owner to 'root' on a Linux system. It leverages Endpoint Detection and Response + (EDR) telemetry, specifically monitoring command-line executions and process details. + This activity is significant as it may indicate an attempt to escalate privileges + by adversaries, malware, or red teamers. If confirmed malicious, this action could + allow an attacker to gain root-level access, leading to full control over the compromised + host and potential persistence within the environment. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -68,6 +69,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.001/chmod_uid/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.001/chmod_uid/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_clipboard_data_copy.yml b/detections/endpoint/linux_clipboard_data_copy.yml index a9c705ab7c..4281335323 100644 --- a/detections/endpoint/linux_clipboard_data_copy.yml +++ b/detections/endpoint/linux_clipboard_data_copy.yml @@ -82,5 +82,5 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1115/atomic_red_team/linux-sysmon.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/detections/endpoint/linux_common_process_for_elevation_control.yml b/detections/endpoint/linux_common_process_for_elevation_control.yml index 00ed7645e9..f36c6826fd 100644 --- a/detections/endpoint/linux_common_process_for_elevation_control.yml +++ b/detections/endpoint/linux_common_process_for_elevation_control.yml @@ -1,16 +1,18 @@ name: Linux Common Process For Elevation Control id: 66ab15c0-63d0-11ec-9e70-acde48001122 -version: 1 -date: '2021-12-23' +version: 2 +date: '2024-05-29' author: Teoderick Contreras, Splunk status: production type: Hunting -description: This analytic is to look for possible elevation control access using - a common known process in linux platform to change the attribute and file ownership. - This technique is commonly abused by adversaries, malware author and red teamers - to gain persistence or privilege escalation on the target or compromised host. This - common process is used to modify file attribute, file ownership or SUID. This tools - can be used in legitimate purposes so filter is needed. +description: The following analytic identifies the execution of common Linux processes + used for elevation control, such as `chmod`, `chown`, and `setuid`. It leverages + data from Endpoint Detection and Response (EDR) agents, focusing on process names + and command-line executions. This activity is significant because these processes + are often abused by adversaries to gain persistence or escalate privileges on compromised + hosts. If confirmed malicious, this behavior could allow attackers to modify file + attributes, change file ownership, or set user IDs, potentially leading to unauthorized + access and control over critical system resources. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -75,6 +77,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.001/chmod_uid/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.001/chmod_uid/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_composer_privilege_escalation.yml b/detections/endpoint/linux_composer_privilege_escalation.yml index 3ee25ed43e..4860e1f884 100644 --- a/detections/endpoint/linux_composer_privilege_escalation.yml +++ b/detections/endpoint/linux_composer_privilege_escalation.yml @@ -1,14 +1,19 @@ name: Linux Composer Privilege Escalation id: a3bddf71-6ba3-42ab-a6b2-396929b16d92 -version: 1 -date: '2022-08-11' +version: 2 +date: '2024-05-28' author: Gowthamaraj Rajendran, Splunk status: production type: Anomaly -description: Composer is a tool for dependency management in PHP. It allows you to - declare the libraries your project depends on and it will manage (install/update) - them for you. If sudo right is given to tool for the user, then the user can run - system commands as root and possibly get a root shell. +description: The following analytic detects the execution of the Composer tool with + elevated privileges on a Linux system. It identifies instances where Composer is + run with the 'sudo' command, allowing the user to execute system commands as root. + This detection leverages data from Endpoint Detection and Response (EDR) agents, + focusing on process execution logs and command-line arguments. This activity is + significant because it can indicate an attempt to escalate privileges, potentially + leading to unauthorized root access. If confirmed malicious, an attacker could gain + full control over the system, execute arbitrary commands, and compromise sensitive + data. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -73,7 +78,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/composer/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/composer/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/detections/endpoint/linux_cpulimit_privilege_escalation.yml b/detections/endpoint/linux_cpulimit_privilege_escalation.yml index 3176c6f3e9..2b3e30b903 100644 --- a/detections/endpoint/linux_cpulimit_privilege_escalation.yml +++ b/detections/endpoint/linux_cpulimit_privilege_escalation.yml @@ -1,15 +1,17 @@ name: Linux Cpulimit Privilege Escalation id: d4e40b7e-aad3-4a7d-aac8-550ea5222be5 -version: 1 -date: '2022-08-11' +version: 2 +date: '2024-05-23' author: Gowthamaraj Rajendran, Splunk status: production type: Anomaly -description: cpulimit is a simple program which attempts to limit the cpu usage of - a process (expressed in percentage, not in cpu time). This is useful to control - batch jobs, when you don't want them to eat too much cpu. If sudo right is given - to the program for the user, then the user can run system commands as root and possibly - get a root shell. +description: The following analytic detects the use of the 'cpulimit' command with + specific flags ('-l', '-f') executed with 'sudo' privileges. It leverages data from + Endpoint Detection and Response (EDR) agents, focusing on process command-line arguments + and execution details. This activity is significant because if 'cpulimit' is granted + sudo rights, a user can potentially execute system commands as root, leading to + privilege escalation. If confirmed malicious, this could allow an attacker to gain + root access, execute arbitrary commands, and fully compromise the affected system. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -75,7 +77,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/cpulimit/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/cpulimit/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/detections/endpoint/linux_csvtool_privilege_escalation.yml b/detections/endpoint/linux_csvtool_privilege_escalation.yml index 4125fa9651..d64d789396 100644 --- a/detections/endpoint/linux_csvtool_privilege_escalation.yml +++ b/detections/endpoint/linux_csvtool_privilege_escalation.yml @@ -1,13 +1,18 @@ name: Linux Csvtool Privilege Escalation id: f8384f9e-1a5c-4c3a-96d6-8a7e5a38a8b8 -version: 1 -date: '2022-08-11' +version: 2 +date: '2024-05-20' author: Gowthamaraj Rajendran, Splunk status: production type: Anomaly -description: csvtool is an easy to use command-line tool to work with .CSV files. - If sudo right is given to the tool for the user, then the user can run system commands - as root and possibly get a root shell. +description: The following analytic detects the execution of the 'csvtool' command + with 'sudo' privileges, which can allow a user to run system commands as root. This + detection leverages data from Endpoint Detection and Response (EDR) agents, focusing + on process execution logs that include command-line details. This activity is significant + because it indicates a potential privilege escalation attempt, where a user could + gain unauthorized root access. If confirmed malicious, this could lead to full system + compromise, allowing an attacker to execute arbitrary commands, escalate privileges, + and maintain persistent access. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -71,7 +76,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/csvtool/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/csvtool/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/detections/endpoint/linux_curl_upload_file.yml b/detections/endpoint/linux_curl_upload_file.yml index 94628f72ca..108708e413 100644 --- a/detections/endpoint/linux_curl_upload_file.yml +++ b/detections/endpoint/linux_curl_upload_file.yml @@ -1,19 +1,18 @@ name: Linux Curl Upload File id: c1de2d9a-0c02-4bb4-a49a-510c6e9cf2bf -version: 1 -date: '2022-07-29' +version: 2 +date: '2024-05-28' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies curl being utilized with the -F or - --form, --upload-file, -T, -d, --data, --data-raw, -I and --head switches to upload - AWS credentials or config to a remote destination. This enables uploading of binary - files and so forth. To force the 'content' part to be a file, prefix the file name - with an @ sign. To just get the content part from a file, prefix the file name with - the symbol <. The difference between @ and < is then that @ makes a file get attached - in the post as a file upload, while the < makes a text field and just get the contents - for that text field from a file. This technique was utlized by the TeamTNT group - to exfiltrate AWS credentials. +description: The following analytic detects the use of the curl command with specific + switches (-F, --form, --upload-file, -T, -d, --data, --data-raw, -I, --head) to + upload AWS credentials or configuration files to a remote destination. This detection + leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line + executions and process details. This activity is significant as it may indicate + an attempt to exfiltrate sensitive AWS credentials, a technique known to be used + by the TeamTNT group. If confirmed malicious, this could lead to unauthorized access + and potential compromise of AWS resources. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -87,7 +86,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/curl-linux-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/curl-linux-sysmon.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/detections/endpoint/linux_data_destruction_command.yml b/detections/endpoint/linux_data_destruction_command.yml index 2d8d8d8775..7716d9c8e6 100644 --- a/detections/endpoint/linux_data_destruction_command.yml +++ b/detections/endpoint/linux_data_destruction_command.yml @@ -1,16 +1,18 @@ name: Linux Data Destruction Command id: b11d3979-b2f7-411b-bb1a-bd00e642173b -version: 1 -date: '2023-04-14' +version: 2 +date: '2024-05-27' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic identifies a unix shell command that can wipe - root folders of a linux host. This commandline is being abused by Awfulshred malware - that wipes or corrupts files in a targeted Linux host. The shell command uses the - rm command with force recursive deletion even in the root folder. This TTP can be - a good indicator that a user or a process wants to wipe roots directory files in - Linux host. +description: The following analytic detects the execution of a Unix shell command + designed to wipe root directories on a Linux host. It leverages data from Endpoint + Detection and Response (EDR) agents, focusing on the 'rm' command with force recursive + deletion and the '--no-preserve-root' option. This activity is significant as it + indicates potential data destruction attempts, often associated with malware like + Awfulshred. If confirmed malicious, this behavior could lead to severe data loss, + system instability, and compromised integrity of the affected Linux host. Immediate + investigation and response are crucial to mitigate potential damage. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -70,7 +72,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/awfulshred/test1/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/awfulshred/test1/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/detections/endpoint/linux_dd_file_overwrite.yml b/detections/endpoint/linux_dd_file_overwrite.yml index 886f2a3b87..a948daa321 100644 --- a/detections/endpoint/linux_dd_file_overwrite.yml +++ b/detections/endpoint/linux_dd_file_overwrite.yml @@ -1,15 +1,17 @@ name: Linux DD File Overwrite id: 9b6aae5e-8d85-11ec-b2ae-acde48001122 -version: 1 -date: '2023-04-14' +version: 2 +date: '2024-05-30' author: Teoderick Contreras, Splunk status: production type: TTP -description: This analytic is to look for dd command to overwrite file. This technique - was abused by adversaries or threat actor to destroy files or data on specific system - or in a large number of host within network to interrupt host avilability, services - and many more. This is also used to destroy data where it make the file irrecoverable - by forensic techniques through overwriting files, data or local and remote drives. +description: The following analytic detects the use of the 'dd' command to overwrite + files on a Linux system. It leverages data from Endpoint Detection and Response + (EDR) agents, focusing on process execution logs that include command-line details. + This activity is significant because adversaries often use the 'dd' command to destroy + or irreversibly overwrite files, disrupting system availability and services. If + confirmed malicious, this behavior could lead to data destruction, making recovery + difficult and potentially causing significant operational disruptions. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -65,6 +67,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/linux_dd_file_overwrite/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/linux_dd_file_overwrite/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_decode_base64_to_shell.yml b/detections/endpoint/linux_decode_base64_to_shell.yml index a63476aaf4..9673b8a687 100644 --- a/detections/endpoint/linux_decode_base64_to_shell.yml +++ b/detections/endpoint/linux_decode_base64_to_shell.yml @@ -1,12 +1,12 @@ name: Linux Decode Base64 to Shell id: 637b603e-1799-40fd-bf87-47ecbd551b66 -version: 1 -date: '2022-07-27' +version: 2 +date: '2024-05-22' author: Michael Haag, Splunk status: production type: TTP description: |- - The following analytic detects the behavior of decoding base64-encoded data and passing it to a Linux shell. Additionally, it mitigates the potential damage and protects the organization's systems and data.The detection is made by searching for specific commands in the Splunk query, namely "base64 -d" and "base64 --decode", within the Endpoint.Processes data model. The analytic also includes a filter for Linux shells. The detection is important because it indicates the presence of malicious activity since Base64 encoding is commonly used to obfuscate malicious commands or payloads, and decoding it can be a step in running those commands. It suggests that an attacker is attempting to run malicious commands on a Linux system to gain unauthorized access, for data exfiltration, or perform other malicious actions. + The following analytic detects the decoding of base64-encoded data and its execution in a Linux shell. It leverages the Endpoint.Processes data model to search for commands like "base64 -d" and "base64 --decode" combined with Linux shell execution. This activity is significant because base64 encoding is often used to obfuscate malicious commands or payloads, indicating potential malicious activity. If confirmed malicious, this behavior could allow an attacker to execute unauthorized commands, gain unauthorized access, exfiltrate data, or perform other harmful actions on the Linux system. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -80,7 +80,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/atomic_red_team/linux-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/atomic_red_team/linux-sysmon.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/detections/endpoint/linux_deleting_critical_directory_using_rm_command.yml b/detections/endpoint/linux_deleting_critical_directory_using_rm_command.yml index f5e654e748..42de888c5c 100644 --- a/detections/endpoint/linux_deleting_critical_directory_using_rm_command.yml +++ b/detections/endpoint/linux_deleting_critical_directory_using_rm_command.yml @@ -1,16 +1,18 @@ name: Linux Deleting Critical Directory Using RM Command id: 33f89303-cc6f-49ad-921d-2eaea38a6f7a -version: 1 -date: '2023-04-14' +version: 2 +date: '2024-05-16' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic identifies a suspicious deletion of a critical - folder in Linux machine using rm command. This technique was seen in industroyer2 - campaign to wipe or destroy energy facilities of a targeted sector. Deletion in - these list of folder is not so common since it need some elevated privileges to - access some of it. We recommend to look further events specially in file access - or file deletion, process commandline that may related to this technique. +description: The following analytic detects the deletion of critical directories on + a Linux machine using the 'rm -rf' command. It leverages data from Endpoint Detection + and Response (EDR) agents, focusing on command-line executions targeting directories + like /boot, /var/log, /etc, and /dev. This activity is significant because deleting + these directories can severely disrupt system operations and is often associated + with destructive campaigns like Industroyer2. If confirmed malicious, this action + could lead to system instability, data loss, and potential downtime, making it crucial + for immediate investigation and response. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -69,6 +71,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/rm_shred_critical_dir/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/rm_shred_critical_dir/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_deletion_of_cron_jobs.yml b/detections/endpoint/linux_deletion_of_cron_jobs.yml index 8ae82ba644..7c403ff139 100644 --- a/detections/endpoint/linux_deletion_of_cron_jobs.yml +++ b/detections/endpoint/linux_deletion_of_cron_jobs.yml @@ -1,24 +1,23 @@ name: Linux Deletion Of Cron Jobs id: 3b132a71-9335-4f33-9932-00bb4f6ac7e8 -version: 2 -date: '2023-04-27' +version: 3 +date: '2024-05-21' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This analytic is to detect a deletion of cron job in a linux machine. - This technique can be related to an attacker, threat actor or malware to disable - scheduled cron jobs that might be related to security or to evade some detections. - We also saw that this technique can be a good indicator for malware that is trying - to wipe or delete several files on the compromised host like the acidrain malware. - This anomaly detection can be a good pivot detection to look for process and user - doing it why they doing. Take note that this event can be done by administrator - so filtering on those possible false positive event is needed. +description: The following analytic detects the deletion of cron jobs on a Linux machine. + It leverages filesystem event logs to identify when files within the "/etc/cron.*" + directory are deleted. This activity is significant because attackers or malware + may delete cron jobs to disable scheduled security tasks or evade detection mechanisms. + If confirmed malicious, this action could allow an attacker to disrupt system operations, + evade security measures, or facilitate further malicious activities such as data + wiping, as seen with the acidrain malware. data_source: - Sysmon for Linux EventID 11 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path="/etc/cron.*" by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest - Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` - | `security_content_ctime(firstTime)` + as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path="/etc/cron.*" + by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid + Filesystem.action | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_deletion_of_cron_jobs_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your @@ -66,6 +65,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/acidrain/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/acidrain/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_deletion_of_init_daemon_script.yml b/detections/endpoint/linux_deletion_of_init_daemon_script.yml index a4b32b5e74..4dd0291868 100644 --- a/detections/endpoint/linux_deletion_of_init_daemon_script.yml +++ b/detections/endpoint/linux_deletion_of_init_daemon_script.yml @@ -1,27 +1,24 @@ name: Linux Deletion Of Init Daemon Script id: 729aab57-d26f-4156-b97f-ab8dda8f44b1 -version: 2 -date: '2023-04-27' +version: 3 +date: '2024-05-18' author: Teoderick Contreras, Splunk status: production type: TTP -description: This analytic is to detect a deletion of init daemon script in a linux - machine. daemon script that place in /etc/init.d/ is a directory that can start - and stop some daemon services in linux machines. attacker may delete or modify daemon - script to impair some security features or act as defense evasion in a compromised - linux machine. This TTP can be also a good indicator of a malware trying to wipe - or delete several files in compromised host as part of its destructive payload like - what acidrain malware does in linux or router machines. This detection can be a - good pivot to check what process and user tries to delete this type of files which - is not so common and need further investigation. +description: The following analytic detects the deletion of init daemon scripts on + a Linux machine. It leverages filesystem event logs to identify when files within + the /etc/init.d/ directory are deleted. This activity is significant because init + daemon scripts control the start and stop of critical services, and their deletion + can indicate an attempt to impair security features or evade defenses. If confirmed + malicious, this behavior could allow an attacker to disrupt essential services, + execute destructive payloads, or persist undetected in the environment. data_source: - Sysmon for Linux EventID 11 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path IN ( "/etc/init.d/*") by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)`| `linux_deletion_of_init_daemon_script_filter`' + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_deletion_of_init_daemon_script_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from @@ -68,6 +65,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/acidrain/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/acidrain/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux \ No newline at end of file + sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_deletion_of_services.yml b/detections/endpoint/linux_deletion_of_services.yml index 9a3c8eb071..d3c227e341 100644 --- a/detections/endpoint/linux_deletion_of_services.yml +++ b/detections/endpoint/linux_deletion_of_services.yml @@ -1,26 +1,26 @@ name: Linux Deletion Of Services id: b509bbd3-0331-4aaa-8e4a-d2affe100af6 -version: 2 -date: '2023-04-27' +version: 3 +date: '2024-05-17' author: Teoderick Contreras, Splunk status: production type: TTP -description: This analytic is to detect a deletion of services in a linux machine. - attacker may delete or modify services to impair some security features or act as - defense evasion in a compromised linux machine. This TTP can be also a good indicator - of a malware trying to wipe or delete several files in a compromised host as part - of its destructive payload like what acidrain malware does in linux or router machines. - This detection can be a good pivot to check what process and user tries to delete - this type of files which is not so common and need further investigation. +description: The following analytic detects the deletion of services on a Linux machine. + It leverages filesystem event logs to identify when service files within system + directories (e.g., /etc/systemd/, /lib/systemd/, /run/systemd/) are deleted. This + activity is significant because attackers may delete or modify services to disable + security features or evade defenses. If confirmed malicious, this behavior could + indicate an attempt to impair system functionality or execute a destructive payload, + potentially leading to system instability or data loss. Immediate investigation + is required to determine the responsible process and user. data_source: - Sysmon for Linux EventID 11 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path IN ( "/etc/systemd/*", "*/lib/systemd/*", "*/run/systemd/*") Filesystem.file_path = "*.service" by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest - Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)`| `linux_deletion_of_services_filter`' + Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | + `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_deletion_of_services_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from @@ -70,6 +70,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/acidrain/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/acidrain/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux \ No newline at end of file + sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_deletion_of_ssl_certificate.yml b/detections/endpoint/linux_deletion_of_ssl_certificate.yml index c0c12269cc..d43e710d0f 100644 --- a/detections/endpoint/linux_deletion_of_ssl_certificate.yml +++ b/detections/endpoint/linux_deletion_of_ssl_certificate.yml @@ -1,26 +1,25 @@ name: Linux Deletion of SSL Certificate id: 839ab790-a60a-4f81-bfb3-02567063f615 -version: 2 -date: '2023-04-27' +version: 3 +date: '2024-05-18' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This analytic is to detect a deletion of ssl certificate in a linux machine. - attacker may delete or modify ssl certificate to impair some security features or - act as defense evasion in compromised linux machine. This Anomaly can be also a - good indicator of a malware trying to wipe or delete several files in a compromised - host as part of its destructive payload like what acidrain malware does in linux - or router machines. This detection can be a good pivot to check what process and - user tries to delete this type of files which is not so common and need further - investigation. +description: The following analytic detects the deletion of SSL certificates on a + Linux machine. It leverages filesystem event logs to identify when files with extensions + .pem or .crt are deleted from the /etc/ssl/certs/ directory. This activity is significant + because attackers may delete or modify SSL certificates to disable security features + or evade defenses on a compromised system. If confirmed malicious, this behavior + could indicate an attempt to disrupt secure communications, evade detection, or + execute a destructive payload, potentially leading to significant security breaches + and data loss. data_source: - Sysmon for Linux EventID 11 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path = "/etc/ssl/certs/*" Filesystem.file_path IN ("*.pem", "*.crt") by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid - Filesystem.action | `drop_dm_object_name(Filesystem)` - | `security_content_ctime(firstTime)` + Filesystem.action | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_deletion_of_ssl_certificate_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your @@ -67,6 +66,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/acidrain/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/acidrain/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux \ No newline at end of file + sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_disable_services.yml b/detections/endpoint/linux_disable_services.yml index 7a5da4f568..9c16ea6bf1 100644 --- a/detections/endpoint/linux_disable_services.yml +++ b/detections/endpoint/linux_disable_services.yml @@ -1,15 +1,18 @@ name: Linux Disable Services id: f2e08a38-6689-4df4-ad8c-b51c16262316 -version: 1 -date: '2023-04-14' +version: 2 +date: '2024-05-24' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic is to detect events that attempts to disable a - service. This is typically identified in parallel with other instances of service - enumeration of attempts to stop a service and then delete it. Adversaries utilize - this technique like industroyer2 malware to terminate security services or other - related services to continue there objective as a destructive payload. +description: The following analytic detects attempts to disable a service on a Linux + system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing + on processes like "systemctl," "service," and "svcadm" with commands containing + "disable." This activity is significant as adversaries may disable security or critical + services to evade detection and facilitate further malicious actions, such as deploying + destructive payloads. If confirmed malicious, this could lead to the termination + of essential security services, allowing attackers to persist undetected and potentially + cause significant damage to the system. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -67,6 +70,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1489/linux_service_stop_disable/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1489/linux_service_stop_disable/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_doas_conf_file_creation.yml b/detections/endpoint/linux_doas_conf_file_creation.yml index c131a51474..b17c9253c8 100644 --- a/detections/endpoint/linux_doas_conf_file_creation.yml +++ b/detections/endpoint/linux_doas_conf_file_creation.yml @@ -1,17 +1,17 @@ name: Linux Doas Conf File Creation id: f6343e86-6e09-11ec-9376-acde48001122 -version: 1 -date: '2022-01-05' +version: 2 +date: '2024-05-17' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This analytic is to detect the creation of doas.conf file in linux host - platform. This configuration file can be use by doas utility tool to allow or permit - standard users to perform tasks as root, the same way sudo does. This tool is developed - as a minimalistic alternative to sudo application. This tool can be abused advesaries, - attacker or malware to gain elevated privileges to the targeted or compromised host. - On the other hand this can also be executed by administrator for a certain task - that needs admin rights. In this case filter is needed. +description: The following analytic detects the creation of the doas.conf file on + a Linux host. This file is used by the doas utility to allow standard users to perform + tasks as root, similar to sudo. The detection leverages filesystem data from the + Endpoint data model, focusing on the creation of the doas.conf file. This activity + is significant because it can indicate an attempt to gain elevated privileges, potentially + by an adversary. If confirmed malicious, this could allow an attacker to execute + commands with root privileges, leading to full system compromise. data_source: - Sysmon for Linux EventID 11 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -60,6 +60,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/doas/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/doas/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_doas_tool_execution.yml b/detections/endpoint/linux_doas_tool_execution.yml index 5a1e744cb1..7b3ac542c7 100644 --- a/detections/endpoint/linux_doas_tool_execution.yml +++ b/detections/endpoint/linux_doas_tool_execution.yml @@ -1,17 +1,17 @@ name: Linux Doas Tool Execution id: d5a62490-6e09-11ec-884e-acde48001122 -version: 1 -date: '2022-01-05' +version: 2 +date: '2024-05-22' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This analytic is to detect the doas tool execution in linux host platform. - This utility tool allow standard users to perform tasks as root, the same way sudo - does. This tool is developed as a minimalistic alternative to sudo application. - This tool can be abused advesaries, attacker or malware to gain elevated privileges - to the targeted or compromised host. On the other hand this can also be executed - by administrator for a certain task that needs admin rights. In this case filter - is needed. +description: The following analytic detects the execution of the 'doas' tool on a + Linux host. This tool allows standard users to perform tasks with root privileges, + similar to 'sudo'. The detection leverages data from Endpoint Detection and Response + (EDR) agents, focusing on process names and command-line executions. This activity + is significant as 'doas' can be exploited by adversaries to gain elevated privileges + on a compromised host. If confirmed malicious, this could lead to unauthorized administrative + access, potentially compromising the entire system. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -68,6 +68,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/doas_exec/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/doas_exec/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_docker_privilege_escalation.yml b/detections/endpoint/linux_docker_privilege_escalation.yml index 938a048798..e0ff97e473 100644 --- a/detections/endpoint/linux_docker_privilege_escalation.yml +++ b/detections/endpoint/linux_docker_privilege_escalation.yml @@ -1,17 +1,18 @@ name: Linux Docker Privilege Escalation id: 2e7bfb78-85f6-47b5-bc2f-15813a4ef2b3 -version: 1 -date: '2022-07-31' +version: 2 +date: '2024-05-24' author: Gowthamaraj Rajendran, Splunk status: production type: Anomaly -description: Docker is an open source containerization platform. It helps programmers - to bundle applications into containers, which are standardized executable parts - that include the application source code along with the OS libraries and dependencies - needed to run that code in any setting. The user can add mount the root directory - into a container and edit the /etc/password file to add a super user. This requires - the user to be privileged enough to run docker, i.e. being in the docker group or - being root. +description: The following analytic detects attempts to escalate privileges on a Linux + system using Docker. It identifies processes where Docker commands are used to mount + the root directory or execute shell commands within a container. This detection + leverages Endpoint Detection and Response (EDR) telemetry, focusing on process names, + command-line arguments, and parent processes. This activity is significant because + it can allow an attacker with Docker privileges to modify critical system files, + such as /etc/passwd, to create a superuser. If confirmed malicious, this could lead + to full system compromise and persistent unauthorized access. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -76,7 +77,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/docker/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/docker/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/detections/endpoint/linux_edit_cron_table_parameter.yml b/detections/endpoint/linux_edit_cron_table_parameter.yml index c0f46ec1f5..fd1845cafb 100644 --- a/detections/endpoint/linux_edit_cron_table_parameter.yml +++ b/detections/endpoint/linux_edit_cron_table_parameter.yml @@ -1,29 +1,17 @@ name: Linux Edit Cron Table Parameter id: 0d370304-5f26-11ec-a4bb-acde48001122 -version: 1 -date: '2021-12-17' +version: 2 +date: '2024-05-25' author: Teoderick Contreras, Splunk status: production type: Hunting description: 'The following analytic detects the suspicious editing of cron jobs in - Linux via the crontab command-line parameter. This tactic could be used by adversaries - or malware to schedule execution of their malicious code, potentially leading to - system compromise or unauthorized persistent access. It pinpoints this activity - by monitoring command-line executions involving ''crontab'' and the edit parameter - (-e). - - Recognizing such activity is vital for a SOC as cron job manipulations might signal - unauthorized persistence attempts or scheduled malicious actions, potentially resulting - in substantial harm. A true positive signifies an active threat, with implications - ranging from unauthorized access to broader network compromise. - - To implement this analytic, logs capturing process name, parent process, and command-line - executions from your endpoints must be ingested. - - Known false positives could stem from valid administrative tasks or automation processes - using crontab. To reduce these, fine-tune the filter macros according to the benign - activities within your environment. These adjustments ensure legitimate actions - aren''t mistaken for threats, allowing analysts to focus on genuine potential risks.' + Linux using the crontab command-line parameter (-e). It identifies this activity + by monitoring command-line executions involving ''crontab'' and the edit parameter. + This behavior is significant for a SOC as cron job manipulations can indicate unauthorized + persistence attempts or scheduled malicious actions. If confirmed malicious, this + activity could lead to system compromise, unauthorized access, or broader network + compromise.' data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -81,6 +69,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/crontab_edit_parameter/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/crontab_edit_parameter/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_emacs_privilege_escalation.yml b/detections/endpoint/linux_emacs_privilege_escalation.yml index f328cd4cc2..80663bbd03 100644 --- a/detections/endpoint/linux_emacs_privilege_escalation.yml +++ b/detections/endpoint/linux_emacs_privilege_escalation.yml @@ -1,15 +1,18 @@ name: Linux Emacs Privilege Escalation id: 92033cab-1871-483d-a03b-a7ce98665cfc -version: 1 -date: '2022-08-09' +version: 2 +date: '2024-05-24' author: Gowthamaraj Rajendran, Splunk status: production type: Anomaly -description: EMACS is a family of text editors that are characterized by their extensibility. - The manual for the most widely used variant, GNU Emacs, describes it as "the extensible, - customizable, self-documenting, real-time display editor". If sudo right is given - to EMACS tool for the user, then the user can run special commands as root and possibly - get a root shell. +description: The following analytic detects the execution of Emacs with elevated privileges + using the `sudo` command and the `--eval` option. It leverages data from Endpoint + Detection and Response (EDR) agents, focusing on process execution logs that include + command-line arguments. This activity is significant because it indicates a potential + privilege escalation attempt, where a user could gain root access by running Emacs + with elevated permissions. If confirmed malicious, this could allow an attacker + to execute arbitrary commands as root, leading to full system compromise and unauthorized + access to sensitive information. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -74,7 +77,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/emacs/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/emacs/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/detections/endpoint/linux_file_created_in_kernel_driver_directory.yml b/detections/endpoint/linux_file_created_in_kernel_driver_directory.yml index 76137b9485..a1abd5c193 100644 --- a/detections/endpoint/linux_file_created_in_kernel_driver_directory.yml +++ b/detections/endpoint/linux_file_created_in_kernel_driver_directory.yml @@ -1,18 +1,16 @@ name: Linux File Created In Kernel Driver Directory id: b85bbeec-6326-11ec-9311-acde48001122 -version: 1 -date: '2021-12-22' +version: 2 +date: '2024-05-11' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This analytic looks for suspicious file creation in kernel/driver directory - in linux platform. This directory is known folder for all linux kernel module available - within the system. so creation of file in this directory is a good indicator that - there is a possible rootkit installation in the host machine. This technique was - abuse by adversaries, malware author and red teamers to gain high privileges to - their malicious code such us in kernel level. Even this event is not so common administrator - or legitimate 3rd party tool may install driver or linux kernel module as part of - its installation. +description: The following analytic detects the creation of files in the Linux kernel/driver + directory. It leverages filesystem data to identify new files in this critical directory. + This activity is significant because the kernel/driver directory is typically reserved + for kernel modules, and unauthorized file creation here can indicate a rootkit installation. + If confirmed malicious, this could allow an attacker to gain high-level privileges, + potentially compromising the entire system by executing code at the kernel level. data_source: - Sysmon for Linux EventID 11 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -62,6 +60,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/loading_linux_kernel_module/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/loading_linux_kernel_module/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_file_creation_in_init_boot_directory.yml b/detections/endpoint/linux_file_creation_in_init_boot_directory.yml index 87c84a7dbd..4f2897be3f 100644 --- a/detections/endpoint/linux_file_creation_in_init_boot_directory.yml +++ b/detections/endpoint/linux_file_creation_in_init_boot_directory.yml @@ -1,16 +1,17 @@ name: Linux File Creation In Init Boot Directory id: 97d9cfb2-61ad-11ec-bb2d-acde48001122 -version: 1 -date: '2021-12-20' +version: 2 +date: '2024-05-30' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This analytic looks for suspicious file creation on init system directories - for automatic execution of script or file upon boot up. This technique is commonly - abuse by adversaries, malware author and red teamer to persist on the targeted or - compromised host. This behavior can be executed or use by an administrator or network - operator to add script files or binary files as part of a task or automation. filter - is needed. +description: The following analytic detects the creation of files in Linux init boot + directories, which are used for automatic execution upon system startup. It leverages + file system logs to identify new files in directories such as /etc/init.d/ and /etc/rc.d/. + This activity is significant as it is a common persistence technique used by adversaries, + malware authors, and red teamers. If confirmed malicious, this could allow an attacker + to maintain persistence on the compromised host, potentially leading to further + exploitation and unauthorized control over the system. data_source: - Sysmon for Linux EventID 11 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -57,6 +58,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.004/linux_init_profile/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.004/linux_init_profile/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_file_creation_in_profile_directory.yml b/detections/endpoint/linux_file_creation_in_profile_directory.yml index 71ad6343ba..3a9a11e994 100644 --- a/detections/endpoint/linux_file_creation_in_profile_directory.yml +++ b/detections/endpoint/linux_file_creation_in_profile_directory.yml @@ -1,16 +1,17 @@ name: Linux File Creation In Profile Directory id: 46ba0082-61af-11ec-9826-acde48001122 -version: 1 -date: '2021-12-20' +version: 2 +date: '2024-05-16' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This analytic looks for suspicious file creation in /etc/profile.d directory - to automatically execute scripts by shell upon boot up of a linux machine. This - technique is commonly abused by adversaries, malware and red teamers as a persistence - mechanism to the targeted or compromised host. This Anomaly detection is a good - indicator that someone wants to run a code after boot up which can be done also - by the administrator or network operator for automation purposes. +description: The following analytic detects the creation of files in the /etc/profile.d + directory on Linux systems. It leverages filesystem data to identify new files in + this directory, which is often used by adversaries for persistence by executing + scripts upon system boot. This activity is significant as it may indicate an attempt + to maintain long-term access to the compromised host. If confirmed malicious, this + could allow attackers to execute arbitrary code with elevated privileges each time + the system boots, potentially leading to further compromise and data exfiltration. data_source: - Sysmon for Linux EventID 11 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -59,6 +60,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.004/linux_init_profile/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.004/linux_init_profile/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_find_privilege_escalation.yml b/detections/endpoint/linux_find_privilege_escalation.yml index 68825be92e..337e22a5a1 100644 --- a/detections/endpoint/linux_find_privilege_escalation.yml +++ b/detections/endpoint/linux_find_privilege_escalation.yml @@ -1,15 +1,18 @@ name: Linux Find Privilege Escalation id: 2ff4e0c2-8256-4143-9c07-1e39c7231111 -version: 1 -date: '2022-08-09' +version: 2 +date: '2024-05-28' author: Gowthamaraj Rajendran, Splunk status: production type: Anomaly -description: Find is a command-line utility that locates files based on some user-specified - criteria and either prints the pathname of each matched object or, if another action - is requested, performs that action on each matched object. If sudo right is given - to find utility for the user, then the user can run system commands as root and - possibly get a root shell. +description: The following analytic detects the use of the 'find' command with 'sudo' + and '-exec' options, which can indicate an attempt to escalate privileges on a Linux + system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing + on process execution logs that include command-line arguments. This activity is + significant because it can allow a user to execute system commands as root, potentially + leading to a root shell. If confirmed malicious, this could enable an attacker to + gain full control over the system, leading to severe security breaches and unauthorized + access to sensitive data. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -75,7 +78,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/find/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/find/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/detections/endpoint/linux_gdb_privilege_escalation.yml b/detections/endpoint/linux_gdb_privilege_escalation.yml index bfd60d2819..a4d996349f 100644 --- a/detections/endpoint/linux_gdb_privilege_escalation.yml +++ b/detections/endpoint/linux_gdb_privilege_escalation.yml @@ -1,14 +1,17 @@ name: Linux GDB Privilege Escalation id: 310b7da2-ab52-437f-b1bf-0bd458674308 -version: 1 -date: '2022-08-09' +version: 2 +date: '2024-05-16' author: Gowthamaraj Rajendran, Splunk status: production type: Anomaly -description: GDB is the acronym for GNU Debugger. This tool helps to debug the programs - written in C, C++, Ada, Fortran, etc. The console can be opened using the gdb command - on terminal. If sudo right is given to GDB tool for the user, then the user can - run system commands as root and possibly get a root shell. +description: The following analytic detects the execution of the GNU Debugger (GDB) + with specific flags that indicate an attempt to escalate privileges on a Linux system. + It leverages Endpoint Detection and Response (EDR) telemetry to identify processes + where GDB is run with the `-nx`, `-ex`, and `sudo` flags. This activity is significant + because it can allow a user to execute system commands as root, potentially leading + to a root shell. If confirmed malicious, this could result in full system compromise, + allowing an attacker to gain complete control over the affected endpoint. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -73,7 +76,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/gdb/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/gdb/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/detections/endpoint/linux_gem_privilege_escalation.yml b/detections/endpoint/linux_gem_privilege_escalation.yml index 0470837218..8b642f2b9a 100644 --- a/detections/endpoint/linux_gem_privilege_escalation.yml +++ b/detections/endpoint/linux_gem_privilege_escalation.yml @@ -1,15 +1,18 @@ name: Linux Gem Privilege Escalation id: 0115482a-5dcb-4bb0-bcca-5d095d224236 -version: 1 -date: '2022-08-09' +version: 2 +date: '2024-05-24' author: Gowthamaraj Rajendran, Splunk status: production type: Anomaly -description: RubyGems is a package manager for the Ruby programming language that - provides a standard format for distributing Ruby programs and libraries (in a self-contained - format called a "gem"), a tool designed to easily manage the installation of gems, - and a server for distributing them. If sudo right is given to GEM utility for the - user, then the user can run system commands as root and possibly get a root shell. +description: The following analytic detects the execution of the RubyGems utility + with elevated privileges, specifically when it is used to run system commands as + root. This detection leverages data from Endpoint Detection and Response (EDR) agents, + focusing on command-line executions that include "gem open -e" and "sudo". This + activity is significant because it indicates a potential privilege escalation attempt, + allowing a user to execute commands as the root user. If confirmed malicious, this + could lead to full system compromise, enabling the attacker to gain root access + and execute arbitrary commands with elevated privileges. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -74,7 +77,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/gem/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/gem/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/detections/endpoint/linux_gnu_awk_privilege_escalation.yml b/detections/endpoint/linux_gnu_awk_privilege_escalation.yml index d529e30597..739707132d 100644 --- a/detections/endpoint/linux_gnu_awk_privilege_escalation.yml +++ b/detections/endpoint/linux_gnu_awk_privilege_escalation.yml @@ -1,18 +1,17 @@ name: Linux GNU Awk Privilege Escalation id: 0dcf43b9-50d8-42a6-acd9-d1c9201fe6ae -version: 1 -date: '2022-08-09' +version: 2 +date: '2024-05-16' author: Gowthamaraj Rajendran, Splunk status: production type: Anomaly -description: gawk command in Linux is used for pattern scanning and processing language. - The awk command requires no compiling and allows the user to use variables, numeric - functions, string functions, and logical operators. It is a utility that enables - programmers to write tiny and effective programs in the form of statements that - define text patterns that are to be searched for, in a text document and the action - that is to be taken when a match is found within a line. If sudo right is given - to gawk tool for the user, then the user can run system commands as root and possibly - get a root shell. +description: The following analytic detects the execution of the 'gawk' command with + elevated privileges on a Linux system. It leverages Endpoint Detection and Response + (EDR) telemetry to identify command-line executions where 'gawk' is used with 'sudo' + and 'BEGIN{system' patterns. This activity is significant because it indicates a + potential privilege escalation attempt, allowing a user to execute system commands + as root. If confirmed malicious, this could lead to full root access, enabling the + attacker to control the system, modify critical files, and maintain persistent access. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -77,7 +76,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/gawk/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/gawk/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/detections/endpoint/linux_hardware_addition_swapoff.yml b/detections/endpoint/linux_hardware_addition_swapoff.yml index 48b191db22..25501520b6 100644 --- a/detections/endpoint/linux_hardware_addition_swapoff.yml +++ b/detections/endpoint/linux_hardware_addition_swapoff.yml @@ -1,15 +1,18 @@ name: Linux Hardware Addition SwapOff id: c1eea697-99ed-44c2-9b70-d8935464c499 -version: 1 -date: '2023-04-14' +version: 2 +date: '2024-05-25' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This analytic looks for process execution to disable the swapping of - paging devices. This technique was seen in Awfulshred malware that disables the - swapping of the specified devices and files. This anomaly detection can be a good - indicator that a process or a user tries to disable this Linux feature in a targeted - host. +description: The following analytic detects the execution of the "swapoff" command, + which disables the swapping of paging devices on a Linux system. It leverages data + from Endpoint Detection and Response (EDR) agents, focusing on process execution + logs. This activity is significant because disabling swap can be a tactic used by + malware, such as Awfulshred, to evade detection and hinder forensic analysis. If + confirmed malicious, this action could allow an attacker to manipulate system memory + management, potentially leading to data corruption, system instability, or evasion + of memory-based detection mechanisms. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -67,7 +70,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/awfulshred/test1/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/awfulshred/test1/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/detections/endpoint/linux_high_frequency_of_file_deletion_in_boot_folder.yml b/detections/endpoint/linux_high_frequency_of_file_deletion_in_boot_folder.yml index 0c10109704..96a4c94991 100644 --- a/detections/endpoint/linux_high_frequency_of_file_deletion_in_boot_folder.yml +++ b/detections/endpoint/linux_high_frequency_of_file_deletion_in_boot_folder.yml @@ -1,24 +1,25 @@ name: Linux High Frequency Of File Deletion In Boot Folder id: e27fbc5d-0445-4c4a-bc39-87f060d5c602 -version: 2 -date: '2023-04-27' +version: 3 +date: '2024-05-19' author: Teoderick Contreras, Splunk status: production type: TTP -description: This analytic is to detect a high frequency of file deletion relative - to process name and process id /boot/ folder. These events was seen in industroyer2 - wiper malware where it tries to delete all files in a critical directory in linux - directory. This detection already contains some filter that might cause false positive - during our testing. +description: The following analytic detects a high frequency of file deletions in + the /boot/ folder on Linux systems. It leverages filesystem event logs to identify + when 200 or more files are deleted within an hour by the same process. This behavior + is significant as it may indicate the presence of wiper malware, such as Industroyer2, + which targets critical system directories. If confirmed malicious, this activity + could lead to system instability or failure, hindering the boot process and potentially + causing a complete system compromise. data_source: - Sysmon for Linux EventID 11 search: '| tstats `security_content_summariesonly` values(Filesystem.file_name) as deletedFileNames values(Filesystem.file_path) as deletedFilePath dc(Filesystem.file_path) as numOfDelFilePath count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path = "/boot/*" by _time span=1h Filesystem.dest - Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | where numOfDelFilePath >= 200 - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` + Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | + where numOfDelFilePath >= 200 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_high_frequency_of_file_deletion_in_boot_folder_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your @@ -63,6 +64,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/rm_boot_dir/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/rm_boot_dir/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux \ No newline at end of file + sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_high_frequency_of_file_deletion_in_etc_folder.yml b/detections/endpoint/linux_high_frequency_of_file_deletion_in_etc_folder.yml index ee27adad27..5ee59ba96b 100644 --- a/detections/endpoint/linux_high_frequency_of_file_deletion_in_etc_folder.yml +++ b/detections/endpoint/linux_high_frequency_of_file_deletion_in_etc_folder.yml @@ -1,24 +1,25 @@ name: Linux High Frequency Of File Deletion In Etc Folder id: 9d867448-2aff-4d07-876c-89409a752ff8 -version: 2 -date: '2023-04-27' +version: 3 +date: '2024-05-10' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This analytic is to detect a high frequency of file deletion relative - to process name and process id /etc/ folder. These events was seen in acidrain wiper - malware where it tries to delete all files in a non-standard directory in linux - directory. This detection already contains some filter that might cause false positive - during our testing. But we recommend to add more filter if needed. +description: The following analytic detects a high frequency of file deletions in + the /etc/ folder on Linux systems. It leverages the Endpoint.Filesystem data model + to identify instances where 200 or more files are deleted within an hour, grouped + by process name and process ID. This behavior is significant as it may indicate + the presence of wiper malware, such as AcidRain, which aims to delete critical system + files. If confirmed malicious, this activity could lead to severe system instability, + data loss, and potential disruption of services. data_source: - Sysmon for Linux EventID 11 search: '| tstats `security_content_summariesonly` values(Filesystem.file_name) as deletedFileNames values(Filesystem.file_path) as deletedFilePath dc(Filesystem.file_path) as numOfDelFilePath count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path = "/etc/*" by _time span=1h Filesystem.dest - Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | where numOfDelFilePath >= 200 - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` + Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | + where numOfDelFilePath >= 200 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_high_frequency_of_file_deletion_in_etc_folder_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your @@ -62,6 +63,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/acidrain/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/acidrain/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_impair_defenses_process_kill.yml b/detections/endpoint/linux_impair_defenses_process_kill.yml index 13e1afec2a..2780fcd8c0 100644 --- a/detections/endpoint/linux_impair_defenses_process_kill.yml +++ b/detections/endpoint/linux_impair_defenses_process_kill.yml @@ -1,16 +1,18 @@ name: Linux Impair Defenses Process Kill id: 435c6b33-adf9-47fe-be87-8e29fd6654f5 -version: 1 -date: '2023-04-14' +version: 2 +date: '2024-05-11' author: Teoderick Contreras, Splunk status: production type: Hunting -description: This analytic looks for PKILL process execution for possible termination - of process. This technique is being used by several Threat actors, adversaries and - red teamers to terminate processes in a targeted linux machine. This Hunting detection - can be a good pivot to check a possible defense evasion technique or termination - of security application in a linux host or wiper like Awfulshred that corrupt all - files. +description: The following analytic identifies the execution of the 'pkill' command, + which is used to terminate processes on a Linux system. It leverages data from Endpoint + Detection and Response (EDR) agents, focusing on process names and command-line + executions. This activity is significant because threat actors often use 'pkill' + to disable security defenses or terminate critical processes, facilitating further + malicious actions. If confirmed malicious, this behavior could lead to the disruption + of security applications, enabling attackers to evade detection and potentially + corrupt or destroy files on the targeted system. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -72,7 +74,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/awfulshred/test1/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/awfulshred/test1/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/detections/endpoint/linux_indicator_removal_clear_cache.yml b/detections/endpoint/linux_indicator_removal_clear_cache.yml index 507605f8d8..11e72cdef5 100644 --- a/detections/endpoint/linux_indicator_removal_clear_cache.yml +++ b/detections/endpoint/linux_indicator_removal_clear_cache.yml @@ -1,15 +1,17 @@ name: Linux Indicator Removal Clear Cache id: e0940505-0b73-4719-84e6-cb94c44a5245 -version: 1 -date: '2023-04-14' +version: 2 +date: '2024-05-30' author: Teoderick Contreras, Splunk status: production type: TTP -description: This analytic looks for processes that clear or free page cache in Linux - system host. This technique was seen in Awfulshred malware wiper that tries to clear - the cache using kernel system request drop_caches while wiping all files in the - targeted host. This TTP detection can be a good indicator of user or process tries - to clear page cache to delete tracks or might be a wiper like Awfulshred. +description: The following analytic detects processes that clear or free page cache + on a Linux system. It leverages Endpoint Detection and Response (EDR) data, focusing + on specific command-line executions involving the kernel system request `drop_caches`. + This activity is significant as it may indicate an attempt to delete forensic evidence + or the presence of wiper malware like Awfulshred. If confirmed malicious, this behavior + could allow an attacker to cover their tracks, making it difficult to investigate + other malicious activities or system compromises. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -70,7 +72,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/awfulshred/test3/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/awfulshred/test3/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/detections/endpoint/linux_indicator_removal_service_file_deletion.yml b/detections/endpoint/linux_indicator_removal_service_file_deletion.yml index 609e1ae9b3..bfe37dea46 100644 --- a/detections/endpoint/linux_indicator_removal_service_file_deletion.yml +++ b/detections/endpoint/linux_indicator_removal_service_file_deletion.yml @@ -1,16 +1,18 @@ name: Linux Indicator Removal Service File Deletion id: 6c077f81-2a83-4537-afbc-0e62e3215d55 -version: 1 -date: '2023-04-14' +version: 2 +date: '2024-05-14' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This analytic looks for suspicious linux processes that delete service - unit configuration files. This technique was seen in several malware to delete service - configuration files to corrupt a services or security product as part of its defense - evasion. This TTP detection can be a good indicator of possible malware try to kill - several services or a wiper like AwfulShred shell script that wipes the targeted - linux host +description: The following analytic detects the deletion of Linux service unit configuration + files by suspicious processes. It leverages Endpoint Detection and Response (EDR) + telemetry, focusing on processes executing the 'rm' command targeting '.service' + files. This activity is significant as it may indicate malware attempting to disable + critical services or security products, a common defense evasion tactic. If confirmed + malicious, this behavior could lead to service disruption, security tool incapacitation, + or complete system compromise, severely impacting the integrity and availability + of the affected Linux host. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -72,7 +74,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/awfulshred/test1/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/awfulshred/test1/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/detections/endpoint/linux_ingress_tool_transfer_hunting.yml b/detections/endpoint/linux_ingress_tool_transfer_hunting.yml index 43cf1b6192..207c64c6cd 100644 --- a/detections/endpoint/linux_ingress_tool_transfer_hunting.yml +++ b/detections/endpoint/linux_ingress_tool_transfer_hunting.yml @@ -86,5 +86,5 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/curl-linux-sysmon.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/detections/endpoint/linux_ingress_tool_transfer_with_curl.yml b/detections/endpoint/linux_ingress_tool_transfer_with_curl.yml index 521395771e..c0c2a18a16 100644 --- a/detections/endpoint/linux_ingress_tool_transfer_with_curl.yml +++ b/detections/endpoint/linux_ingress_tool_transfer_with_curl.yml @@ -1,15 +1,17 @@ name: Linux Ingress Tool Transfer with Curl id: 8c1de57d-abc1-4b41-a727-a7a8fc5e0857 -version: 1 -date: '2022-07-29' +version: 2 +date: '2024-05-23' author: Michael Haag, Splunk status: production type: Anomaly -description: The following analytic identifies curl with the command-line switches - that are commonly used to download, output, a remote script or binary. MetaSploit - Framework will combine the -sO switch with | chmod +x to enable a simple one liner - to download and set the execute bit to run the file immediately. During triage, - review the remote domain and file being downloaded for legitimacy. +description: The following analytic detects the use of the curl command with specific + switches (-O, -sO, -ksO, --output) commonly used to download remote scripts or binaries. + This detection leverages data from Endpoint Detection and Response (EDR) agents, + focusing on process names and command-line arguments. This activity is significant + as it may indicate an attempt to download and execute potentially malicious files, + often used in initial stages of an attack. If confirmed malicious, this could lead + to unauthorized code execution, enabling attackers to compromise the system further. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -80,7 +82,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/curl-linux-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/curl-linux-sysmon.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/detections/endpoint/linux_insert_kernel_module_using_insmod_utility.yml b/detections/endpoint/linux_insert_kernel_module_using_insmod_utility.yml index 3c13040797..41d35b04ca 100644 --- a/detections/endpoint/linux_insert_kernel_module_using_insmod_utility.yml +++ b/detections/endpoint/linux_insert_kernel_module_using_insmod_utility.yml @@ -1,15 +1,18 @@ name: Linux Insert Kernel Module Using Insmod Utility id: 18b5a1a0-6326-11ec-943a-acde48001122 -version: 1 -date: '2021-12-22' +version: 2 +date: '2024-05-15' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This analytic looks for inserting of linux kernel module using insmod - utility function. This event can detect a installation of rootkit or malicious kernel - module to gain elevated privileges to their malicious code and bypassed detections. - This Anomaly detection is a good indicator that someone installing kernel module - in a linux host either admin or adversaries. filter is needed in this scenario +description: The following analytic detects the insertion of a Linux kernel module + using the insmod utility. It leverages data from Endpoint Detection and Response + (EDR) agents, focusing on process execution logs that include process names and + command-line details. This activity is significant as it may indicate the installation + of a rootkit or malicious kernel module, potentially allowing an attacker to gain + elevated privileges and bypass security detections. If confirmed malicious, this + could lead to unauthorized code execution, persistent access, and severe compromise + of the affected system. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -68,6 +71,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/loading_linux_kernel_module/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/loading_linux_kernel_module/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_install_kernel_module_using_modprobe_utility.yml b/detections/endpoint/linux_install_kernel_module_using_modprobe_utility.yml index 70eaacec9c..9049b9a000 100644 --- a/detections/endpoint/linux_install_kernel_module_using_modprobe_utility.yml +++ b/detections/endpoint/linux_install_kernel_module_using_modprobe_utility.yml @@ -1,15 +1,18 @@ name: Linux Install Kernel Module Using Modprobe Utility id: 387b278a-6326-11ec-aa2c-acde48001122 -version: 1 -date: '2021-12-22' +version: 2 +date: '2024-05-15' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This analytic looks for possible installing a linux kernel module using - modprobe utility function. This event can detect a installation of rootkit or malicious - kernel module to gain elevated privileges to their malicious code and bypassed detections. - This Anomaly detection is a good indicator that someone installing kernel module - in a linux host either admin or adversaries. filter is needed in this scenario +description: The following analytic detects the installation of a Linux kernel module + using the modprobe utility. It leverages data from Endpoint Detection and Response + (EDR) agents, focusing on process names and command-line executions. This activity + is significant because installing a kernel module can indicate an attempt to deploy + a rootkit or other malicious kernel-level code, potentially leading to elevated + privileges and bypassing security detections. If confirmed malicious, this could + allow an attacker to gain persistent, high-level access to the system, compromising + its integrity and security. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -68,6 +71,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/loading_linux_kernel_module/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/loading_linux_kernel_module/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_iptables_firewall_modification.yml b/detections/endpoint/linux_iptables_firewall_modification.yml index 5b9bc92001..7a97f54ae9 100644 --- a/detections/endpoint/linux_iptables_firewall_modification.yml +++ b/detections/endpoint/linux_iptables_firewall_modification.yml @@ -1,26 +1,36 @@ name: Linux Iptables Firewall Modification id: 309d59dc-1e1b-49b2-9800-7cf18d12f7b7 -version: 3 -date: '2023-04-12' +version: 4 +date: '2024-05-28' author: Teoderick Contreras, Splunk status: production type: Anomaly datamodel: - Endpoint -description: This analytic looks for suspicious commandline that modify the iptables - firewall setting of a linux machine. This technique was seen in cyclopsblink malware - where it modifies the firewall setting of the compromised machine to allow traffic - to its tcp port that will be used to communicate with its C2 server. +description: The following analytic detects suspicious command-line activity that + modifies the iptables firewall settings on a Linux machine. It leverages data from + Endpoint Detection and Response (EDR) agents, focusing on specific command patterns + that alter firewall rules to accept traffic on certain TCP ports. This activity + is significant as it can indicate malware, such as CyclopsBlink, modifying firewall + settings to allow communication with a Command and Control (C2) server. If confirmed + malicious, this could enable attackers to maintain persistent access and exfiltrate + data, posing a severe security risk. data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = "*iptables *" AND Processes.process = "* --dport *" AND Processes.process = "* ACCEPT*" AND Processes.process = "*&>/dev/null*" AND Processes.process = "* tcp *" AND NOT(Processes.parent_process_path IN("/bin/*", "/lib/*", "/usr/bin/*", "/sbin/*")) by Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest _time span=10s Processes.user Processes.parent_process_name Processes.parent_process_path Processes.process_path -| rex field=Processes.process "--dport (?3269|636|989|994|995|8443)" -| stats values(Processes.process) as processes_exec values(port) as ports values(Processes.process_guid) as guids values(Processes.process_id) as pids dc(port) as port_count count by Processes.process_name Processes.parent_process_name Processes.parent_process_id Processes.dest Processes.user Processes.parent_process_path Processes.process_path -| where port_count >=3 -| `drop_dm_object_name(Processes)` -| `security_content_ctime(firstTime)` -| `security_content_ctime(lastTime)` -| `linux_iptables_firewall_modification_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process = "*iptables + *" AND Processes.process = "* --dport *" AND Processes.process = "* ACCEPT*" AND + Processes.process = "*&>/dev/null*" AND Processes.process = "* tcp *" AND + NOT(Processes.parent_process_path IN("/bin/*", "/lib/*", "/usr/bin/*", "/sbin/*")) + by Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + Processes.process_guid Processes.dest _time span=10s Processes.user Processes.parent_process_name + Processes.parent_process_path Processes.process_path | rex field=Processes.process + "--dport (?3269|636|989|994|995|8443)" | stats values(Processes.process) as + processes_exec values(port) as ports values(Processes.process_guid) as guids values(Processes.process_id) + as pids dc(port) as port_count count by Processes.process_name Processes.parent_process_name + Processes.parent_process_id Processes.dest Processes.user Processes.parent_process_path + Processes.process_path | where port_count >=3 | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_iptables_firewall_modification_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -69,6 +79,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/cyclopsblink/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/cyclopsblink/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_java_spawning_shell.yml b/detections/endpoint/linux_java_spawning_shell.yml index df5226bc3f..991d68fae9 100644 --- a/detections/endpoint/linux_java_spawning_shell.yml +++ b/detections/endpoint/linux_java_spawning_shell.yml @@ -1,16 +1,18 @@ name: Linux Java Spawning Shell id: 7b09db8a-5c20-11ec-9945-acde48001122 -version: 1 -date: '2023-04-14' +version: 2 +date: '2024-05-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies the process name of Java, Apache, or - Tomcat spawning a Linux shell. This is potentially indicative of exploitation of - the Java application and may be related to current event CVE-2021-44228 (Log4Shell). - The shells included in the macro are "sh", "ksh", "zsh", "bash", "dash", "rbash", - "fish", "csh', "tcsh', "ion", "eshell". Upon triage, review parallel processes and - command-line arguments to determine legitimacy. +description: The following analytic detects instances where Java, Apache, or Tomcat + processes spawn a Linux shell, which may indicate exploitation attempts, such as + those related to CVE-2021-44228 (Log4Shell). This detection leverages Endpoint Detection + and Response (EDR) telemetry, focusing on process names and parent-child process + relationships. This activity is significant as it can signify a compromised Java + application, potentially leading to unauthorized shell access. If confirmed malicious, + attackers could execute arbitrary commands, escalate privileges, or maintain persistent + access, posing a severe threat to the environment. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -84,6 +86,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/java/java_spawn_shell_nix.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/java/java_spawn_shell_nix.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_kernel_module_enumeration.yml b/detections/endpoint/linux_kernel_module_enumeration.yml index 3d5cb8cfbb..9716b729ca 100644 --- a/detections/endpoint/linux_kernel_module_enumeration.yml +++ b/detections/endpoint/linux_kernel_module_enumeration.yml @@ -86,5 +86,5 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1082/atomic_red_team/linux-sysmon.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/detections/endpoint/linux_kworker_process_in_writable_process_path.yml b/detections/endpoint/linux_kworker_process_in_writable_process_path.yml index d9b034568c..e3ff726822 100644 --- a/detections/endpoint/linux_kworker_process_in_writable_process_path.yml +++ b/detections/endpoint/linux_kworker_process_in_writable_process_path.yml @@ -1,19 +1,20 @@ name: Linux Kworker Process In Writable Process Path id: 1cefb270-74a5-4e27-aa0c-2b6fa7c5b4ed -version: 2 -date: '2023-04-12' +version: 3 +date: '2024-05-14' author: Teoderick Contreras, Splunk status: production type: Hunting datamodel: - Endpoint -description: This analytic looks for suspicious process kworker commandline in a linux - machine. kworker process name or thread are common names of kernel threads in linux - process. This hunting detections can lead to investigate process contains process - path in writable directory in linux like /home/, /var/log and /tmp/. This technique - was seen in cyclopsblink malware to blend its core and other of its child process - as normal kworker on the compromised machine. This detection might be a good pivot - to look for other IOC related to cyclopsblink malware or attacks. +description: The following analytic detects the execution of a kworker process with + a command line in writable directories such as /home/, /var/log, and /tmp on a Linux + machine. It leverages data from Endpoint Detection and Response (EDR) agents, focusing + on process and parent process paths. This activity is significant as kworker processes + are typically kernel threads, and their presence in writable directories is unusual + and indicative of potential malware, such as CyclopsBlink. If confirmed malicious, + this could allow attackers to blend malicious processes with legitimate ones, leading + to persistent access and further system compromise. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -73,6 +74,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/cyclopsblink/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/cyclopsblink/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_make_privilege_escalation.yml b/detections/endpoint/linux_make_privilege_escalation.yml index 943587ba22..45512b41a9 100644 --- a/detections/endpoint/linux_make_privilege_escalation.yml +++ b/detections/endpoint/linux_make_privilege_escalation.yml @@ -1,15 +1,17 @@ name: Linux Make Privilege Escalation id: 80b22836-5091-4944-80ee-f733ac443f4f -version: 1 -date: '2022-08-09' +version: 2 +date: '2024-05-12' author: Gowthamaraj Rajendran, Splunk status: production type: Anomaly -description: The Linux make command is used to build and maintain groups of programs - and files from the source code. In Linux, it is one of the most frequently used - commands by the developers. It assists developers to install and compile many utilities - from the terminal. If sudo right is given to make utility for the user, then the - user can run system commands as root and possibly get a root shell. +description: The following analytic detects the use of the 'make' command with elevated + privileges to execute system commands as root, potentially leading to a root shell. + It leverages data from Endpoint Detection and Response (EDR) agents, focusing on + command-line executions that include 'make', '--eval', and 'sudo'. This activity + is significant because it indicates a possible privilege escalation attempt, allowing + a user to gain root access. If confirmed malicious, an attacker could achieve full + control over the system, execute arbitrary commands, and compromise the entire environment. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -74,7 +76,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/make/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/make/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/detections/endpoint/linux_mysql_privilege_escalation.yml b/detections/endpoint/linux_mysql_privilege_escalation.yml index f4680d2920..5d3a2ddc22 100644 --- a/detections/endpoint/linux_mysql_privilege_escalation.yml +++ b/detections/endpoint/linux_mysql_privilege_escalation.yml @@ -1,15 +1,18 @@ name: Linux MySQL Privilege Escalation id: c0d810f4-230c-44ea-b703-989da02ff145 -version: 1 -date: '2022-08-09' +version: 2 +date: '2024-05-17' author: Gowthamaraj Rajendran, Splunk status: production type: Anomaly -description: MySQL is an open-source relational database management system. Its name - is a combination of "My", the name of co-founder Michael Widenius's daughter My, - and "SQL", the abbreviation for Structured Query Language. If sudo right is given - to mysql utility for the user, then the user can run system commands as root and - possibly get a root shell. +description: The following analytic detects the execution of MySQL commands with elevated + privileges using sudo, which can lead to privilege escalation. It leverages data + from Endpoint Detection and Response (EDR) agents, focusing on process execution + logs that include command-line details. This activity is significant because it + indicates a potential misuse of MySQL to execute system commands as root, which + could allow an attacker to gain root shell access. If confirmed malicious, this + could result in full control over the affected system, leading to severe security + breaches and unauthorized access to sensitive data. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -74,7 +77,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/mysql/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/mysql/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/detections/endpoint/linux_ngrok_reverse_proxy_usage.yml b/detections/endpoint/linux_ngrok_reverse_proxy_usage.yml index 7d20064606..0f435fca52 100644 --- a/detections/endpoint/linux_ngrok_reverse_proxy_usage.yml +++ b/detections/endpoint/linux_ngrok_reverse_proxy_usage.yml @@ -1,15 +1,17 @@ name: Linux Ngrok Reverse Proxy Usage id: bc84d574-708c-467d-b78a-4c1e20171f97 -version: 1 -date: '2023-01-12' +version: 2 +date: '2024-05-28' author: Michael Haag, Splunk status: production type: Anomaly -description: The following analytic identifies the use of Ngrok being utilized on - the Linux operating system. Unfortunately, there is no original file name for Ngrok, - so it may be worth an additional hunt to identify any command-line arguments. The - sign of someone using Ngrok is not malicious, however, more recently it has become - an adversary tool. +description: The following analytic detects the use of Ngrok on a Linux operating + system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing + on process names and command-line arguments associated with Ngrok. This activity + is significant because Ngrok can be used by adversaries to establish reverse proxies, + potentially bypassing network defenses. If confirmed malicious, this could allow + attackers to create persistent, unauthorized access channels, facilitating data + exfiltration or further exploitation of the compromised system. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -84,7 +86,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1572/ngrok/ngrok_linux-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1572/ngrok/ngrok_linux-sysmon.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/detections/endpoint/linux_node_privilege_escalation.yml b/detections/endpoint/linux_node_privilege_escalation.yml index 385e792315..6b7f465551 100644 --- a/detections/endpoint/linux_node_privilege_escalation.yml +++ b/detections/endpoint/linux_node_privilege_escalation.yml @@ -1,15 +1,18 @@ name: Linux Node Privilege Escalation id: 2e58a4ff-398f-42f4-8fd0-e01ebfe2a8ce -version: 1 -date: '2022-07-31' +version: 2 +date: '2024-05-29' author: Gowthamaraj Rajendran, Splunk status: production type: Anomaly -description: Node.js is a back-end JavaScript runtime environment that is open-source, - cross-platform, runs on the V8 engine, and executes JavaScript code outside of a - web browser. It was created to help create scalable network applications. If the - binary is allowed to run as superuser by sudo, it does not drop the elevated privileges - and may be used to access the file system, escalate or maintain privileged access. +description: The following analytic identifies the execution of Node.js with elevated + privileges using sudo, specifically when spawning child processes. It leverages + data from Endpoint Detection and Response (EDR) agents, focusing on command-line + executions that include specific Node.js commands. This activity is significant + because running Node.js as a superuser without dropping privileges can allow unauthorized + access to the file system and potential privilege escalation. If confirmed malicious, + this could enable an attacker to maintain privileged access, execute arbitrary code, + and compromise sensitive data within the environment. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -76,7 +79,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/node/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/node/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/detections/endpoint/linux_nopasswd_entry_in_sudoers_file.yml b/detections/endpoint/linux_nopasswd_entry_in_sudoers_file.yml index 95334a9564..0eb96a8627 100644 --- a/detections/endpoint/linux_nopasswd_entry_in_sudoers_file.yml +++ b/detections/endpoint/linux_nopasswd_entry_in_sudoers_file.yml @@ -1,17 +1,18 @@ name: Linux NOPASSWD Entry In Sudoers File id: ab1e0d52-624a-11ec-8e0b-acde48001122 -version: 1 -date: '2021-12-21' +version: 2 +date: '2024-05-17' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This analytic is to look for suspicious command lines that may add entry - to /etc/sudoers with NOPASSWD attribute in linux platform. This technique is commonly - abuse by adversaries, malware author and red teamers to gain elevated privilege - to the targeted or compromised host. /etc/sudoers file controls who can run what - commands users can execute on the machines and can also control whether user need - a password to execute particular commands. This file is composed of aliases (basically - variables) and user specifications. +description: The following analytic detects the addition of NOPASSWD entries to the + /etc/sudoers file on Linux systems. It leverages Endpoint Detection and Response + (EDR) telemetry to identify command lines containing "NOPASSWD:". This activity + is significant because it allows users to execute commands with elevated privileges + without requiring a password, which can be exploited by adversaries to maintain + persistent, privileged access. If confirmed malicious, this could lead to unauthorized + privilege escalation, persistent access, and potential compromise of sensitive data + and system integrity. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -68,6 +69,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/nopasswd_sudoers/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/nopasswd_sudoers/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_obfuscated_files_or_information_base64_decode.yml b/detections/endpoint/linux_obfuscated_files_or_information_base64_decode.yml index 10c47da133..f7104c6502 100644 --- a/detections/endpoint/linux_obfuscated_files_or_information_base64_decode.yml +++ b/detections/endpoint/linux_obfuscated_files_or_information_base64_decode.yml @@ -87,5 +87,5 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/atomic_red_team/linux-sysmon.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/detections/endpoint/linux_octave_privilege_escalation.yml b/detections/endpoint/linux_octave_privilege_escalation.yml index 52cb235314..91976f6e5f 100644 --- a/detections/endpoint/linux_octave_privilege_escalation.yml +++ b/detections/endpoint/linux_octave_privilege_escalation.yml @@ -1,16 +1,18 @@ name: Linux Octave Privilege Escalation id: 78f7487d-42ce-4f7f-8685-2159b25fb477 -version: 1 -date: '2022-08-11' +version: 2 +date: '2024-05-18' author: Gowthamaraj Rajendran, Splunk status: production type: Anomaly -description: GNU Octave is a high-level programming language primarily intended for - scientific computing and numerical computation. Octave helps in solving linear and - nonlinear problems numerically, and for performing other numerical experiments using - a language that is mostly compatible with MATLAB. If sudo right is given to the - application for the user, then the user can run system commands as root and possibly - get a root shell. +description: The following analytic detects the execution of GNU Octave with elevated + privileges, specifically when it runs system commands via sudo. It leverages data + from Endpoint Detection and Response (EDR) agents, focusing on process command-line + arguments that include "octave-cli," "--eval," "system," and "sudo." This activity + is significant because it indicates a potential privilege escalation attempt, allowing + a user to execute commands as root. If confirmed malicious, this could lead to full + system compromise, enabling an attacker to gain root access and execute arbitrary + commands, severely impacting system security and integrity. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -76,7 +78,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/octave/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/octave/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/detections/endpoint/linux_openvpn_privilege_escalation.yml b/detections/endpoint/linux_openvpn_privilege_escalation.yml index a4fd4973ad..cf1aadc893 100644 --- a/detections/endpoint/linux_openvpn_privilege_escalation.yml +++ b/detections/endpoint/linux_openvpn_privilege_escalation.yml @@ -1,15 +1,18 @@ name: Linux OpenVPN Privilege Escalation id: d25feebe-fa1c-4754-8a1e-afb03bedc0f2 -version: 1 -date: '2022-08-11' +version: 2 +date: '2024-05-15' author: Gowthamaraj Rajendran, Splunk status: production type: Anomaly -description: OpenVPN is a virtual private network system that implements techniques - to create secure point-to-point or site-to-site connections in routed or bridged - configurations and remote access facilities. It implements both client and server - applications. If sudo right is given to the OpenVPN application for the user, then - the user can run system commands as root and possibly get a root shell. +description: The following analytic detects the execution of OpenVPN with elevated + privileges, specifically when combined with the `--dev`, `--script-security`, `--up`, + and `sudo` options. This detection leverages data from Endpoint Detection and Response + (EDR) agents, focusing on process command-line arguments and execution details. + This activity is significant because it indicates a potential privilege escalation + attempt, allowing a user to execute system commands as root. If confirmed malicious, + this could lead to full system compromise, enabling an attacker to gain root access + and execute arbitrary commands with elevated privileges. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -75,7 +78,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/openvpn/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/openvpn/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/detections/endpoint/linux_persistence_and_privilege_escalation_risk_behavior.yml b/detections/endpoint/linux_persistence_and_privilege_escalation_risk_behavior.yml index 6b446d9ffa..c9db51e233 100644 --- a/detections/endpoint/linux_persistence_and_privilege_escalation_risk_behavior.yml +++ b/detections/endpoint/linux_persistence_and_privilege_escalation_risk_behavior.yml @@ -1,15 +1,18 @@ name: Linux Persistence and Privilege Escalation Risk Behavior id: ad5ac21b-3b1e-492c-8e19-ea5d5e8e5cf1 -version: 3 -date: '2022-08-30' +version: 4 +date: '2024-05-24' author: Michael Haag, Splunk status: production type: Correlation -description: The following correlation is specific to Linux persistence and privilege - escalation tactics and is tied to two analytic stories and any Linux analytic tied - to persistence and privilege escalation. These techniques often overlap with Persistence - techniques, as OS features that let an adversary persist can execute in an elevated - context. +description: The following analytic identifies potential Linux persistence and privilege + escalation activities. It leverages risk scores and event counts from various Linux-related + data sources, focusing on tactics associated with persistence and privilege escalation. + This activity is significant for a SOC because it highlights behaviors that could + allow an attacker to maintain access or gain elevated privileges on a Linux system. + If confirmed malicious, this activity could enable an attacker to execute code with + higher privileges, persist in the environment, and potentially access sensitive + information, posing a severe security risk. data_source: [] search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) @@ -66,7 +69,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/linux_risk/linuxrisk.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/linux_risk/linuxrisk.log source: linuxrisk sourcetype: stash update_timestamp: true diff --git a/detections/endpoint/linux_php_privilege_escalation.yml b/detections/endpoint/linux_php_privilege_escalation.yml index f421888efa..3b41c80d4c 100644 --- a/detections/endpoint/linux_php_privilege_escalation.yml +++ b/detections/endpoint/linux_php_privilege_escalation.yml @@ -1,15 +1,18 @@ name: Linux PHP Privilege Escalation id: 4fc4c031-e5be-4cc0-8cf9-49f9f507bcb5 -version: 1 -date: '2022-08-09' +version: 2 +date: '2024-05-19' author: Gowthamaraj Rajendran, Splunk status: production type: Anomaly -description: PHP is a general-purpose scripting language geared toward web development. - It was originally created by Danish-Canadian programmer Rasmus Lerdorf in 1994. - The PHP reference implementation is now produced by The PHP Group. If sudo right - is given to php application for the user, then the user can run system commands - as root and possibly get a root shell. +description: The following analytic detects the execution of PHP commands with elevated + privileges on a Linux system. It identifies instances where PHP is used in conjunction + with 'sudo' and 'system' commands, indicating an attempt to run system commands + as the root user. This detection leverages data from Endpoint Detection and Response + (EDR) agents, focusing on process command-line arguments. This activity is significant + because it can indicate an attempt to escalate privileges, potentially leading to + full root access. If confirmed malicious, this could allow an attacker to execute + arbitrary commands with root privileges, compromising the entire system. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -74,7 +77,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/php/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/php/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/detections/endpoint/linux_pkexec_privilege_escalation.yml b/detections/endpoint/linux_pkexec_privilege_escalation.yml index a00b3e4ccc..118b7f8937 100644 --- a/detections/endpoint/linux_pkexec_privilege_escalation.yml +++ b/detections/endpoint/linux_pkexec_privilege_escalation.yml @@ -1,14 +1,18 @@ name: Linux pkexec Privilege Escalation id: 03e22c1c-8086-11ec-ac2e-acde48001122 -version: 1 -date: '2022-01-28' +version: 2 +date: '2024-05-27' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies `pkexec` spawning with no command-line - arguments. A vulnerability in Polkit's pkexec component identified as CVE-2021-4034 - (PwnKit) which is present in the default configuration of all major Linux distributions - and can be exploited to gain full root privileges on the system. +description: The following analytic detects the execution of `pkexec` without any + command-line arguments. This behavior leverages data from Endpoint Detection and + Response (EDR) agents, focusing on process telemetry. The significance lies in the + fact that this pattern is associated with the exploitation of CVE-2021-4034 (PwnKit), + a critical vulnerability in Polkit's pkexec component. If confirmed malicious, this + activity could allow an attacker to gain full root privileges on the affected Linux + system, leading to complete system compromise and potential unauthorized access + to sensitive information. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes @@ -84,6 +88,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/pkexec/linux-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/pkexec/linux-sysmon.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_possible_access_or_modification_of_sshd_config_file.yml b/detections/endpoint/linux_possible_access_or_modification_of_sshd_config_file.yml index 9b526491b7..1795a873f8 100644 --- a/detections/endpoint/linux_possible_access_or_modification_of_sshd_config_file.yml +++ b/detections/endpoint/linux_possible_access_or_modification_of_sshd_config_file.yml @@ -1,16 +1,18 @@ name: Linux Possible Access Or Modification Of sshd Config File id: 7a85eb24-72da-11ec-ac76-acde48001122 -version: 1 -date: '2022-01-11' +version: 2 +date: '2024-05-24' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This analytic is to look for suspicious process command-line that might - be accessing or modifying sshd_config. This file is the ssh configuration file that - might be modify by threat actors or adversaries to redirect port connection, allow - user using authorized key generated during attack. This anomaly detection might - catch noise from administrator auditing or modifying ssh configuration file. In - this scenario filter is needed +description: The following analytic detects suspicious access or modification of the + sshd_config file on Linux systems. It leverages data from Endpoint Detection and + Response (EDR) agents, focusing on command-line executions involving processes like + "cat," "nano," "vim," and "vi" accessing the sshd_config file. This activity is + significant because unauthorized changes to sshd_config can allow threat actors + to redirect port connections or use unauthorized keys, potentially compromising + the system. If confirmed malicious, this could lead to unauthorized access, privilege + escalation, or persistent backdoor access, posing a severe security risk. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -68,6 +70,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.004/ssh_authorized_keys/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.004/ssh_authorized_keys/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_possible_access_to_credential_files.yml b/detections/endpoint/linux_possible_access_to_credential_files.yml index 45ba11cce0..81a283e83d 100644 --- a/detections/endpoint/linux_possible_access_to_credential_files.yml +++ b/detections/endpoint/linux_possible_access_to_credential_files.yml @@ -1,17 +1,17 @@ name: Linux Possible Access To Credential Files id: 16107e0e-71fc-11ec-b862-acde48001122 -version: 1 -date: '2022-01-10' +version: 2 +date: '2024-05-25' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This analytic is to detect a possible attempt to dump or access the content - of /etc/passwd and /etc/shadow to enable offline credential cracking. "etc/passwd" - store user information within linux OS while "etc/shadow" contain the user passwords - hash. Adversaries and threat actors may attempt to access this to gain persistence - and/or privilege escalation. This anomaly detection can be a good indicator of possible - credential dumping technique but it might catch some normal administrator automation - scripts or during credential auditing. In this scenario filter is needed. +description: The following analytic detects attempts to access or dump the contents + of /etc/passwd and /etc/shadow files on Linux systems. It leverages data from Endpoint + Detection and Response (EDR) agents, focusing on processes like 'cat', 'nano', 'vim', + and 'vi' accessing these files. This activity is significant as it may indicate + credential dumping, a technique used by adversaries to gain persistence or escalate + privileges. If confirmed malicious, attackers could obtain hashed passwords for + offline cracking, leading to unauthorized access and potential system compromise. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -68,6 +68,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.008/copy_file_stdoutpipe/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.008/copy_file_stdoutpipe/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_possible_access_to_sudoers_file.yml b/detections/endpoint/linux_possible_access_to_sudoers_file.yml index 2823bd44e8..814f5dfe46 100644 --- a/detections/endpoint/linux_possible_access_to_sudoers_file.yml +++ b/detections/endpoint/linux_possible_access_to_sudoers_file.yml @@ -1,15 +1,17 @@ name: Linux Possible Access To Sudoers File id: 4479539c-71fc-11ec-b2e2-acde48001122 -version: 1 -date: '2022-01-10' +version: 2 +date: '2024-05-29' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This analytic is to detect a possible access or modification of /etc/sudoers - file. "/etc/sudoers" file controls who can run what command as what users on what - machine and can also control whether a specific user need a password for particular - commands. adversaries and threat actors abuse this file to gain persistence and/or - privilege escalation during attack on targeted host. +description: The following analytic detects potential access or modification of the + /etc/sudoers file on a Linux system. It leverages data from Endpoint Detection and + Response (EDR) agents, focusing on processes like "cat," "nano," "vim," and "vi" + accessing the /etc/sudoers file. This activity is significant because the sudoers + file controls user permissions for executing commands with elevated privileges. + If confirmed malicious, an attacker could gain persistence or escalate privileges, + compromising the security of the targeted host. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -66,6 +68,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.008/copy_file_stdoutpipe/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.008/copy_file_stdoutpipe/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_possible_append_command_to_at_allow_config_file.yml b/detections/endpoint/linux_possible_append_command_to_at_allow_config_file.yml index 4df933ceee..009ff74a40 100644 --- a/detections/endpoint/linux_possible_append_command_to_at_allow_config_file.yml +++ b/detections/endpoint/linux_possible_append_command_to_at_allow_config_file.yml @@ -1,20 +1,18 @@ name: Linux Possible Append Command To At Allow Config File id: 7bc20606-5f40-11ec-a586-acde48001122 -version: 2 -date: '2022-05-26' +version: 3 +date: '2024-05-25' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: 'The following analytic is designed to identify suspicious command lines - that may append user entries to either /etc/at.allow or /etc/at.deny. These files - can be exploited by malicious actors for persistence on a compromised Linux host - by altering permissions for scheduled tasks using the at command. - - In this context, an attacker can create a user or add an existing user to these - configuration files to execute their malicious code through scheduled tasks. The - detection of such anomalous behavior can serve as an effective indicator warranting - further investigation to validate if the activity is indeed malicious or a false - positive.' +description: 'The following analytic detects suspicious command lines that append + user entries to /etc/at.allow or /etc/at.deny files. It leverages data from Endpoint + Detection and Response (EDR) agents, focusing on command-line executions involving + these files. This activity is significant because altering these configuration files + can allow attackers to schedule tasks with elevated permissions, facilitating persistence + on a compromised Linux host. If confirmed malicious, this could enable attackers + to execute arbitrary code at scheduled intervals, potentially leading to further + system compromise and unauthorized access to sensitive information.' data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes @@ -72,6 +70,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/at_execution/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/at_execution/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_possible_append_command_to_profile_config_file.yml b/detections/endpoint/linux_possible_append_command_to_profile_config_file.yml index 74e4d84fc2..f907aa375e 100644 --- a/detections/endpoint/linux_possible_append_command_to_profile_config_file.yml +++ b/detections/endpoint/linux_possible_append_command_to_profile_config_file.yml @@ -1,17 +1,18 @@ name: Linux Possible Append Command To Profile Config File id: 9c94732a-61af-11ec-91e3-acde48001122 -version: 1 -date: '2021-12-20' +version: 2 +date: '2024-05-30' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This analytic looks for suspicious command-lines that can be possibly - used to modify user profile files to automatically execute scripts/executables by - shell upon reboot of the machine. This technique is commonly abused by adversaries, - malware and red teamers as persistence mechanism to the targeted or compromised - host. This Anomaly detection is a good indicator that someone wants to run code - after reboot which can be done also by the administrator or network operator for - automation purposes. +description: The following analytic detects suspicious command-lines that modify user + profile files to automatically execute scripts or executables upon system reboot. + It leverages data from Endpoint Detection and Response (EDR) agents, focusing on + command-line executions involving profile files like ~/.bashrc and /etc/profile. + This activity is significant as it indicates potential persistence mechanisms used + by adversaries to maintain access to compromised hosts. If confirmed malicious, + this could allow attackers to execute arbitrary code upon reboot, leading to persistent + control over the system and potential further exploitation. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -69,6 +70,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.004/linux_init_profile/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.004/linux_init_profile/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_possible_append_cronjob_entry_on_existing_cronjob_file.yml b/detections/endpoint/linux_possible_append_cronjob_entry_on_existing_cronjob_file.yml index b90e23fb5f..a221d86e38 100644 --- a/detections/endpoint/linux_possible_append_cronjob_entry_on_existing_cronjob_file.yml +++ b/detections/endpoint/linux_possible_append_cronjob_entry_on_existing_cronjob_file.yml @@ -1,26 +1,18 @@ name: Linux Possible Append Cronjob Entry on Existing Cronjob File id: b5b91200-5f27-11ec-bb4e-acde48001122 -version: 1 -date: '2021-12-17' +version: 2 +date: '2024-05-19' author: Teoderick Contreras, Splunk status: production type: Hunting -description: 'The following analytic is designed to detect potential tampering with - cronjob files on a Linux system. It specifically searches for command lines that - may be used to append code to existing cronjob files, a technique often employed - by adversaries, malware, and red teamers for persistence or privilege escalation. - Altering existing or sometimes normal cronjob script files allows malicious code - to be executed automatically. - - The analytic operates by monitoring logs for specific process names, parent processes, - and command-line executions from your endpoints. It specifically checks for any - ''echo'' command which modifies files in directories commonly associated with cron - jobs such as ''/etc/cron*'', ''/var/spool/cron/'', and ''/etc/anacrontab''. If such - activity is detected, an alert is triggered. - - This behavior is worth identifying for a SOC because malicious cron jobs can lead - to system compromises and unauthorized data access, impacting business operations - and data integrity.' +description: 'The following analytic detects potential tampering with cronjob files + on a Linux system by identifying ''echo'' commands that append code to existing + cronjob files. It leverages logs from Endpoint Detection and Response (EDR) agents, + focusing on process names, parent processes, and command-line executions. This activity + is significant because adversaries often use it for persistence or privilege escalation. + If confirmed malicious, this could allow attackers to execute unauthorized code + automatically, leading to system compromises and unauthorized data access, thereby + impacting business operations and data integrity.' data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes @@ -81,6 +73,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/cronjobs_entry/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/cronjobs_entry/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_possible_cronjob_modification_with_editor.yml b/detections/endpoint/linux_possible_cronjob_modification_with_editor.yml index cdf2bb724c..7ad33cf314 100644 --- a/detections/endpoint/linux_possible_cronjob_modification_with_editor.yml +++ b/detections/endpoint/linux_possible_cronjob_modification_with_editor.yml @@ -1,31 +1,17 @@ name: Linux Possible Cronjob Modification With Editor id: dcc89bde-5f24-11ec-87ca-acde48001122 -version: 1 -date: '2021-12-17' +version: 2 +date: '2024-05-17' author: Teoderick Contreras, Splunk status: production type: Hunting description: 'The following analytic detects potential unauthorized modifications - to Linux cronjobs using text editors like "nano", "vi" or "vim". It identifies this - behavior by tracking command-line executions that interact with paths related to - cronjob configuration, a common Linux scheduling utility. Cronjob files may be manipulated - by attackers for privilege escalation or persistent access, making such changes - critical to monitor.\ The identified behavior is significant for a Security Operations - Center (SOC) as it could indicate an ongoing attempt at establishing persistent - access or privilege escalation, leading to data breaches, system compromise, or - other malicious activities. - - In case of a true positive, the impact could be severe. An attacker with escalated - privileges or persistent access could carry out damaging actions, such as data theft, - sabotage, or further network penetration. - - To implement this analytic, ensure ingestion of logs tracking process name, parent - process, and command-line executions from your endpoints. Utilize the Add-on for - Linux Sysmon from Splunkbase if you''re using Sysmon. - - Known false positives include legitimate administrative tasks, as these commands - may also be used for benign purposes. Careful tuning and filtering based on known - benign activity in your environment can minimize these instances.' + to Linux cronjobs using text editors like "nano," "vi," or "vim." It identifies + this activity by monitoring command-line executions that interact with cronjob configuration + paths. This behavior is significant for a SOC as it may indicate attempts at privilege + escalation or establishing persistent access. If confirmed malicious, the impact + could be severe, allowing attackers to execute damaging actions such as data theft, + system sabotage, or further network penetration.' data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -84,6 +70,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/cronjobs_entry/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/cronjobs_entry/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_possible_ssh_key_file_creation.yml b/detections/endpoint/linux_possible_ssh_key_file_creation.yml index 2599d5881a..9b2bd11807 100644 --- a/detections/endpoint/linux_possible_ssh_key_file_creation.yml +++ b/detections/endpoint/linux_possible_ssh_key_file_creation.yml @@ -1,15 +1,16 @@ name: Linux Possible Ssh Key File Creation id: c04ef40c-72da-11ec-8eac-acde48001122 -version: 1 -date: '2022-01-11' +version: 2 +date: '2024-05-15' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This analytic is to look for possible ssh key file creation on ~/.ssh/ - folder. This technique is commonly abused by threat actors and adversaries to gain - persistence and privilege escalation to the targeted host. by creating ssh private - and public key and passing the public key to the attacker server. threat actor can - access remotely the machine using openssh daemon service. +description: The following analytic detects the creation of SSH key files in the ~/.ssh/ + directory. It leverages filesystem data to identify new files in this specific path. + This activity is significant because threat actors often create SSH keys to gain + persistent access and escalate privileges on a compromised host. If confirmed malicious, + this could allow attackers to remotely access the machine using the OpenSSH daemon + service, leading to potential unauthorized control and data exfiltration. data_source: - Sysmon for Linux EventID 11 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -59,6 +60,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.004/ssh_authorized_keys/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.004/ssh_authorized_keys/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_preload_hijack_library_calls.yml b/detections/endpoint/linux_preload_hijack_library_calls.yml index 638e00fa1c..d9e8cd45eb 100644 --- a/detections/endpoint/linux_preload_hijack_library_calls.yml +++ b/detections/endpoint/linux_preload_hijack_library_calls.yml @@ -1,15 +1,18 @@ name: Linux Preload Hijack Library Calls id: cbe2ca30-631e-11ec-8670-acde48001122 -version: 1 -date: '2021-12-22' +version: 2 +date: '2024-05-14' author: Teoderick Contreras, Splunk status: production type: TTP -description: This analytic is to detect a suspicious command that may hijack a library - function in linux platform. This technique is commonly abuse by adversaries, malware - author and red teamers to gain privileges and persist on the machine. This detection - pertains to loading a dll to hijack or hook a library function of specific program - using LD_PRELOAD command. +description: The following analytic detects the use of the LD_PRELOAD environment + variable to hijack or hook library functions on a Linux platform. It leverages data + from Endpoint Detection and Response (EDR) agents, focusing on process execution + logs that include command-line details. This activity is significant because adversaries, + malware authors, and red teamers commonly use this technique to gain elevated privileges + and establish persistence on a compromised machine. If confirmed malicious, this + behavior could allow attackers to execute arbitrary code, escalate privileges, and + maintain long-term access to the system. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -65,6 +68,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.006/lib_hijack/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.006/lib_hijack/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_proxy_socks_curl.yml b/detections/endpoint/linux_proxy_socks_curl.yml index ed48907888..00d9d54891 100644 --- a/detections/endpoint/linux_proxy_socks_curl.yml +++ b/detections/endpoint/linux_proxy_socks_curl.yml @@ -1,20 +1,18 @@ name: Linux Proxy Socks Curl id: bd596c22-ad1e-44fc-b242-817253ce8b08 -version: 1 -date: '2022-07-29' +version: 2 +date: '2024-05-19' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies curl being utilized with a proxy based - on command-line arguments - -x, socks, --preproxy and --proxy. This behavior is - built into the MetaSploit Framework as a auxiliary module. What does socks buy an - adversary? SOCKS4a extends the SOCKS4 protocol to allow a client to specify a destination - domain name rather than an IP address. The SOCKS5 protocol is defined in RFC 1928. - It is an incompatible extension of the SOCKS4 protocol; it offers more choices for - authentication and adds support for IPv6 and UDP, the latter of which can be used - for DNS lookups. The protocols, and a proxy itself, allow an adversary to evade - controls in place monitoring traffic, making it harder for the defender to identify - and track activity. +description: The following analytic detects the use of the `curl` command with proxy-related + arguments such as `-x`, `socks`, `--preproxy`, and `--proxy`. This detection leverages + data from Endpoint Detection and Response (EDR) agents, focusing on command-line + executions and process details. This activity is significant as it may indicate + an adversary attempting to use a proxy to evade network monitoring and obscure their + actions. If confirmed malicious, this behavior could allow attackers to bypass security + controls, making it difficult to track their activities and potentially leading + to unauthorized data access or exfiltration. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -89,7 +87,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/curl-linux-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/curl-linux-sysmon.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/detections/endpoint/linux_puppet_privilege_escalation.yml b/detections/endpoint/linux_puppet_privilege_escalation.yml index 3e6ee65e69..fc160989a9 100644 --- a/detections/endpoint/linux_puppet_privilege_escalation.yml +++ b/detections/endpoint/linux_puppet_privilege_escalation.yml @@ -1,15 +1,18 @@ name: Linux Puppet Privilege Escalation id: 1d19037f-466e-4d56-8d87-36fafd9aa3ce -version: 1 -date: '2022-08-11' +version: 2 +date: '2024-05-17' author: Gowthamaraj Rajendran, Splunk status: production type: Anomaly -description: In computing, Puppet is a software configuration management tool which - includes its own declarative language to describe system configuration. It is a - model-driven solution that requires limited programming knowledge to use. If sudo - right is given to the tool for the user, then the user can run system commands as - root and possibly get a root shell. +description: The following analytic detects the execution of Puppet commands with + elevated privileges, specifically when Puppet is used to apply configurations with + sudo rights. This detection leverages data from Endpoint Detection and Response + (EDR) agents, focusing on process execution logs that include command-line details. + This activity is significant because it indicates a potential privilege escalation + attempt, where a user could gain root access and execute system commands as the + root user. If confirmed malicious, this could allow an attacker to fully compromise + the system, execute arbitrary commands, and maintain persistent control. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -75,7 +78,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/puppet/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/puppet/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/detections/endpoint/linux_rpm_privilege_escalation.yml b/detections/endpoint/linux_rpm_privilege_escalation.yml index efe8dc290c..69c6e106e7 100644 --- a/detections/endpoint/linux_rpm_privilege_escalation.yml +++ b/detections/endpoint/linux_rpm_privilege_escalation.yml @@ -1,16 +1,18 @@ name: Linux RPM Privilege Escalation id: f8e58a23-cecd-495f-9c65-6c76b4cb9774 -version: 1 -date: '2022-08-09' +version: 2 +date: '2024-05-21' author: Gowthamaraj Rajendran, Splunk status: production type: Anomaly -description: RPM Package Manager is a free and open-source package management system. - The name RPM refers to the .rpm file format and the package manager program itself. - RPM was intended primarily for Linux distributions; the file format is the baseline - package format of the Linux Standard Base. If sudo right is given to rpm utility - for the user, then the user can run system commands as root and possibly get a root - shell. +description: The following analytic detects the execution of the RPM Package Manager + with elevated privileges, specifically when it is used to run system commands as + root via the `--eval` and `lua:os.execute` options. This detection leverages data + from Endpoint Detection and Response (EDR) agents, focusing on command-line executions + and process metadata. This activity is significant because it indicates a potential + privilege escalation attempt, allowing a user to gain root access. If confirmed + malicious, this could lead to full system compromise, unauthorized access to sensitive + data, and further exploitation of the environment. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -76,7 +78,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/rpm/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/rpm/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/detections/endpoint/linux_ruby_privilege_escalation.yml b/detections/endpoint/linux_ruby_privilege_escalation.yml index 28a56dab7e..a4ebe6d2ad 100644 --- a/detections/endpoint/linux_ruby_privilege_escalation.yml +++ b/detections/endpoint/linux_ruby_privilege_escalation.yml @@ -1,14 +1,17 @@ name: Linux Ruby Privilege Escalation id: 097b28b5-7004-4d40-a715-7e390501788b -version: 1 -date: '2022-08-09' +version: 2 +date: '2024-05-25' author: Gowthamaraj Rajendran, Splunk status: production type: Anomaly -description: Ruby is one of the most used and easy to use programming languages. Ruby - is an open-source, object-oriented interpreter that can be installed on a Linux - system. If sudo right is given to ruby application for the user, then the user can - run system commands as root and possibly get a root shell. +description: The following analytic detects the execution of Ruby commands with elevated + privileges on a Linux system. It identifies processes where Ruby is used with the + `-e` flag to execute commands via `sudo`, leveraging Endpoint Detection and Response + (EDR) telemetry. This activity is significant because it indicates a potential privilege + escalation attempt, allowing a user to execute commands as root. If confirmed malicious, + this could lead to full system compromise, enabling an attacker to gain root access, + execute arbitrary commands, and maintain persistent control over the affected system. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -73,7 +76,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/ruby/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/ruby/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/detections/endpoint/linux_service_file_created_in_systemd_directory.yml b/detections/endpoint/linux_service_file_created_in_systemd_directory.yml index ed5bfce79e..4c165ae904 100644 --- a/detections/endpoint/linux_service_file_created_in_systemd_directory.yml +++ b/detections/endpoint/linux_service_file_created_in_systemd_directory.yml @@ -1,13 +1,17 @@ name: Linux Service File Created In Systemd Directory id: c7495048-61b6-11ec-9a37-acde48001122 -version: 1 -date: '2021-12-20' +version: 2 +date: '2024-05-27' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic is designed to detect suspicious file creation within the systemd timer directory on Linux platforms. Systemd is a system and service manager for Linux, similar to the combination of wininit.exe and services.exe on Windows. This process initializes a Linux system and starts defined services in unit files. Malicious actors, such as adversaries, malware, or red teamers, can exploit this feature by embedding a systemd service file for persistence on the targeted or compromised host. - - The analytic works by monitoring logs with file name, file path, and process GUID data from your endpoints. If a .service file is created in certain systemd directories, the analytic triggers an alert. This behavior is significant for a Security Operations Center (SOC) as it may indicate a persistent threat within the network, with a potential impact of system compromise or data exfiltration. +description: The following analytic detects the creation of suspicious service files + within the systemd directories on Linux platforms. It leverages logs containing + file name, file path, and process GUID data from endpoints. This activity is significant + for a SOC as it may indicate an adversary attempting to establish persistence on + a compromised host. If confirmed malicious, this could lead to system compromise + or data exfiltration, allowing attackers to maintain control over the system and + execute further malicious activities. data_source: - Sysmon for Linux EventID 11 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -21,7 +25,11 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime how_to_implement: To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. -known_false_positives: False positives may arise when administrators or network operators create files in systemd directories for legitimate automation tasks. Therefore, it's important to adjust filter macros to account for valid activities. To implement this search successfully, it's crucial to ingest appropriate logs, preferably using the Linux Sysmon Add-on from Splunkbase for those using Sysmon. +known_false_positives: False positives may arise when administrators or network operators + create files in systemd directories for legitimate automation tasks. Therefore, + it's important to adjust filter macros to account for valid activities. To implement + this search successfully, it's crucial to ingest appropriate logs, preferably using + the Linux Sysmon Add-on from Splunkbase for those using Sysmon. references: - https://attack.mitre.org/techniques/T1053/006/ - https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/ @@ -33,6 +41,7 @@ tags: - Linux Persistence Techniques - Linux Living Off The Land - Scheduled Tasks + - Gomir asset_type: Endpoint confidence: 80 impact: 80 @@ -61,6 +70,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.006/service_systemd/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.006/service_systemd/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_service_restarted.yml b/detections/endpoint/linux_service_restarted.yml index faac92c0fd..6926755af4 100644 --- a/detections/endpoint/linux_service_restarted.yml +++ b/detections/endpoint/linux_service_restarted.yml @@ -1,29 +1,18 @@ name: Linux Service Restarted id: 084275ba-61b8-11ec-8d64-acde48001122 -version: 1 -date: '2023-04-14' +version: 2 +date: '2024-05-18' author: Teoderick Contreras, Splunk status: production type: Anomaly description: 'The following analytic detects the restarting or re-enabling of services - in the Linux platform. It focuses on the use of the systemctl or service tools for - executing these actions. Adversaries may leverage this technique to repeatedly execute - malicious payloads as a form of persistence. Linux hosts typically start services - during boot to perform background system functions. However, administrators may - also create legitimate services for specific tools or applications as part of task - automation. In such cases, it is recommended to verify the service path of the registered - script or executable and identify the creator of the service for further validation. - - It''s important to be aware that this analytic may generate false positives as administrators - or network operators may use the same command-line for legitimate automation purposes. - Filter macros should be updated accordingly to minimize false positives. - - Identifying restarted or re-enabled services is valuable for a SOC as it can indicate - potential malicious activities attempting to maintain persistence or execute unauthorized - actions on Linux systems. By detecting and investigating these events, security - analysts can respond promptly to mitigate risks and prevent further compromise. - The impact of a true positive can range from unauthorized access to data destruction - or other damaging outcomes.' + on Linux systems using the `systemctl` or `service` commands. It leverages data + from Endpoint Detection and Response (EDR) agents, focusing on process and command-line + execution logs. This activity is significant as adversaries may use it to maintain + persistence or execute unauthorized actions. If confirmed malicious, this behavior + could lead to repeated execution of malicious payloads, unauthorized access, or + data destruction. Security analysts should investigate these events to mitigate + risks and prevent further compromise.' data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -54,6 +43,7 @@ tags: - Data Destruction - Linux Persistence Techniques - Scheduled Tasks + - Gomir asset_type: Endpoint confidence: 50 impact: 50 @@ -84,6 +74,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.006/service_systemd/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.006/service_systemd/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_service_started_or_enabled.yml b/detections/endpoint/linux_service_started_or_enabled.yml index 61cf358632..72eebc0fce 100644 --- a/detections/endpoint/linux_service_started_or_enabled.yml +++ b/detections/endpoint/linux_service_started_or_enabled.yml @@ -1,30 +1,28 @@ name: Linux Service Started Or Enabled id: e0428212-61b7-11ec-88a3-acde48001122 -version: 2 -date: '2024-01-24' +version: 3 +date: '2024-05-29' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the creation or enabling of services in - Linux platforms, specifically using the systemctl or service tool application. This - behavior is worth identifying as adversaries may create or modify services to execute - malicious payloads as part of persistence. Legitimate services created by administrators - for automation purposes may also trigger this analytic, so it is important to update - the filter macros to remove false positives. If a true positive is found, it suggests - an possible attacker is attempting to persist within the environment or deliver - additional malicious payloads, leading to data theft, ransomware, or other damaging - outcomes. To implement this analytic, ensure you are ingesting logs with the process - name, parent process, and command-line executions from your endpoints. +description: The following analytic detects the creation or enabling of services on + Linux platforms using the systemctl or service tools. It leverages Endpoint Detection + and Response (EDR) logs, focusing on process names, parent processes, and command-line + executions. This activity is significant as adversaries may create or modify services + to maintain persistence or execute malicious payloads. If confirmed malicious, this + behavior could lead to persistent access, data theft, ransomware deployment, or + other damaging outcomes. Monitoring and investigating such activities are crucial + for maintaining the security and integrity of the environment. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name IN ("systemctl", "service") OR Processes.process IN ("*systemctl *", "*service *")) Processes.process - IN ("* start *", "* enable *") AND NOT (Processes.os="Microsoft Windows" OR Processes.vendor_product="Microsoft Windows") - by Processes.dest Processes.user Processes.parent_process_name - Processes.process_name Processes.process Processes.process_id Processes.parent_process_id - Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `linux_service_started_or_enabled_filter`' + IN ("* start *", "* enable *") AND NOT (Processes.os="Microsoft Windows" OR Processes.vendor_product="Microsoft + Windows") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `linux_service_started_or_enabled_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -44,6 +42,7 @@ tags: - Linux Persistence Techniques - Linux Living Off The Land - Scheduled Tasks + - Gomir asset_type: Endpoint confidence: 70 impact: 60 @@ -74,6 +73,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.006/service_systemd/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.006/service_systemd/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_setuid_using_chmod_utility.yml b/detections/endpoint/linux_setuid_using_chmod_utility.yml index c0b8e30144..661c9931e7 100644 --- a/detections/endpoint/linux_setuid_using_chmod_utility.yml +++ b/detections/endpoint/linux_setuid_using_chmod_utility.yml @@ -1,19 +1,18 @@ name: Linux Setuid Using Chmod Utility id: bf0304b6-6250-11ec-9d7c-acde48001122 -version: 1 -date: '2021-12-21' +version: 2 +date: '2024-05-18' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This analytic looks for suspicious chmod utility execution to enable - SUID bit. This allows a user to temporarily gain root access, usually in order to - run a program. For example, only the root account is allowed to change the password - information contained in the password database; If the SUID bit appears as an s, - the file's owner also has execute permission to the file; if it appears as an S, - the file's owner does not have execute permission. The second specialty permission - is the SGID, or set group id bit. It is similar to the SUID bit, except it can temporarily - change group membership, usually to execute a program. The SGID bit is set if an - s or an S appears in the group section of permissions. +description: The following analytic detects the execution of the chmod utility to + set the SUID or SGID bit on files, which can allow users to temporarily gain root + or group-level access. This detection leverages data from Endpoint Detection and + Response (EDR) agents, focusing on process names and command-line arguments related + to chmod. This activity is significant as it can indicate an attempt to escalate + privileges or maintain persistence on a system. If confirmed malicious, an attacker + could gain elevated access, potentially compromising sensitive data or critical + system functions. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -71,6 +70,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.001/chmod_uid/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.001/chmod_uid/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_setuid_using_setcap_utility.yml b/detections/endpoint/linux_setuid_using_setcap_utility.yml index c0c5c6cb67..a6478eb949 100644 --- a/detections/endpoint/linux_setuid_using_setcap_utility.yml +++ b/detections/endpoint/linux_setuid_using_setcap_utility.yml @@ -1,19 +1,18 @@ name: Linux Setuid Using Setcap Utility id: 9d96022e-6250-11ec-9a19-acde48001122 -version: 1 -date: '2021-12-21' +version: 2 +date: '2024-05-24' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This analytic looks for suspicious setcap utility execution to enable - SUID bit. This allows a user to temporarily gain root access, usually in order to - run a program. For example, only the root account is allowed to change the password - information contained in the password database; If the SUID bit appears as an s, - the file's owner also has execute permission to the file; if it appears as an S, - the file's owner does not have execute permission. The second specialty permission - is the SGID, or set group id bit. It is similar to the SUID bit, except it can temporarily - change group membership, usually to execute a program. The SGID bit is set if an - s or an S appears in the group section of permissions. +description: The following analytic detects the execution of the 'setcap' utility + to enable the SUID bit on Linux systems. It leverages Endpoint Detection and Response + (EDR) data, focusing on process names and command-line arguments that indicate the + use of 'setcap' with specific capabilities. This activity is significant because + setting the SUID bit allows a user to temporarily gain root access, posing a substantial + security risk. If confirmed malicious, an attacker could escalate privileges, execute + arbitrary commands with elevated permissions, and potentially compromise the entire + system. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -71,6 +70,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.001/linux_setcap/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.001/linux_setcap/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_shred_overwrite_command.yml b/detections/endpoint/linux_shred_overwrite_command.yml index 86a913b9a4..d6af5c9e88 100644 --- a/detections/endpoint/linux_shred_overwrite_command.yml +++ b/detections/endpoint/linux_shred_overwrite_command.yml @@ -1,17 +1,18 @@ name: Linux Shred Overwrite Command id: c1952cf1-643c-4965-82de-11c067cbae76 -version: 1 -date: '2023-04-14' +version: 2 +date: '2024-05-22' author: Teoderick Contreras, Splunk status: production type: TTP -description: This analytic is to detect a shred process to overwrite a files in a - linux machine. Shred Linux application is designed to overwrite file to hide its - contents or make the deleted file un-recoverable. Weve seen this technique in industroyer2 - malware that tries to wipe energy facilities of targeted sector as part of its destructive - attack. It might be some normal user may use this command for valid purposes but - it is recommended to check what files, disk or folder it tries to shred that might - be good pivot for incident response in this type of destructive malware. +description: The following analytic detects the execution of the 'shred' command on + a Linux machine, which is used to overwrite files to make them unrecoverable. It + leverages data from Endpoint Detection and Response (EDR) agents, focusing on process + names and command-line arguments. This activity is significant because the 'shred' + command can be used in destructive attacks, such as those seen in the Industroyer2 + malware targeting energy facilities. If confirmed malicious, this activity could + lead to the permanent destruction of critical files, severely impacting system integrity + and data availability. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -70,6 +71,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/rm_shred_critical_dir/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/rm_shred_critical_dir/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_sqlite3_privilege_escalation.yml b/detections/endpoint/linux_sqlite3_privilege_escalation.yml index 0ab89bd45f..24fd1e2fed 100644 --- a/detections/endpoint/linux_sqlite3_privilege_escalation.yml +++ b/detections/endpoint/linux_sqlite3_privilege_escalation.yml @@ -1,15 +1,18 @@ name: Linux Sqlite3 Privilege Escalation id: ab75dbb7-c3ba-4689-9c1b-8d2717bdcba1 -version: 1 -date: '2022-08-11' +version: 2 +date: '2024-05-13' author: Gowthamaraj Rajendran, Splunk status: production type: Anomaly -description: sqlite3 is a terminal-based front-end to the SQLite library that can - evaluate queries interactively and display the results in multiple formats. sqlite3 - can also be used within shell scripts and other applications to provide batch processing - features. If sudo right is given to this application for the user, then the user - can run system commands as root and possibly get a root shell. +description: The following analytic detects the execution of the sqlite3 command with + elevated privileges, which can be exploited for privilege escalation. It leverages + Endpoint Detection and Response (EDR) telemetry to identify instances where sqlite3 + is used in conjunction with shell commands and sudo. This activity is significant + because it indicates a potential attempt to gain root access, which could lead to + full system compromise. If confirmed malicious, an attacker could execute arbitrary + commands as root, leading to unauthorized access, data exfiltration, or further + lateral movement within the network. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -74,7 +77,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/sqlite3/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/sqlite3/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/detections/endpoint/linux_ssh_authorized_keys_modification.yml b/detections/endpoint/linux_ssh_authorized_keys_modification.yml index 605511721a..2caccf2eb4 100644 --- a/detections/endpoint/linux_ssh_authorized_keys_modification.yml +++ b/detections/endpoint/linux_ssh_authorized_keys_modification.yml @@ -87,5 +87,5 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.004/ssh_authorized_keys/authkey_linux-sysmon.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/detections/endpoint/linux_ssh_remote_services_script_execute.yml b/detections/endpoint/linux_ssh_remote_services_script_execute.yml index 4709d20a5f..9e13bd446e 100644 --- a/detections/endpoint/linux_ssh_remote_services_script_execute.yml +++ b/detections/endpoint/linux_ssh_remote_services_script_execute.yml @@ -82,5 +82,5 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.004/atomic_red_team/linux-sysmon.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/detections/endpoint/linux_stdout_redirection_to_dev_null_file.yml b/detections/endpoint/linux_stdout_redirection_to_dev_null_file.yml index a44c4940b0..4fe80ecb18 100644 --- a/detections/endpoint/linux_stdout_redirection_to_dev_null_file.yml +++ b/detections/endpoint/linux_stdout_redirection_to_dev_null_file.yml @@ -1,16 +1,18 @@ name: Linux Stdout Redirection To Dev Null File id: de62b809-a04d-46b5-9a15-8298d330f0c8 -version: 1 -date: '2023-04-14' +version: 2 +date: '2024-05-21' author: Teoderick Contreras, Splunk status: experimental type: Anomaly -description: This analytic looks for suspicious commandline that redirect the stdout - or possible stderror to dev/null file. This technique was seen in cyclopsblink malware - where it redirect the possible output or error while modify the iptables firewall - setting of the compromised machine to hide its action from the user. This Anomaly - detection is a good pivot to look further why process or user use this un common - approach. +description: The following analytic detects command-line activities that redirect + stdout or stderr to the /dev/null file. It leverages data from Endpoint Detection + and Response (EDR) agents, focusing on process execution logs. This behavior is + significant as it can indicate attempts to hide command outputs, a technique observed + in the CyclopsBlink malware to conceal modifications to iptables firewall settings. + If confirmed malicious, this activity could allow an attacker to stealthily alter + system configurations, potentially leading to unauthorized access or persistent + control over the compromised machine. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -67,6 +69,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/cyclopsblink/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/cyclopsblink/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_stop_services.yml b/detections/endpoint/linux_stop_services.yml index 3a00cf09fa..28b9aee7f8 100644 --- a/detections/endpoint/linux_stop_services.yml +++ b/detections/endpoint/linux_stop_services.yml @@ -1,15 +1,18 @@ name: Linux Stop Services id: d05204a5-9f1c-4946-a7f3-4fa58d76d5fd -version: 1 -date: '2023-04-14' +version: 2 +date: '2024-05-14' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic is to detect events that attempt to stop or clear - a service. This is typically identified in parallel with other instances of service - enumeration of attempts to stop a service and then delete it. Adversaries utilize - this technique like industroyer2 malware to terminate security services or other - related services to continue there objective as a destructive payload. +description: The following analytic detects attempts to stop or clear a service on + Linux systems. It leverages data from Endpoint Detection and Response (EDR) agents, + focusing on processes like "systemctl," "service," and "svcadm" executing stop commands. + This activity is significant as adversaries often terminate security or critical + services to disable defenses or disrupt operations, as seen in malware like Industroyer2. + If confirmed malicious, this could lead to the disabling of security mechanisms, + allowing attackers to persist, escalate privileges, or deploy destructive payloads, + severely impacting system integrity and availability. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -67,6 +70,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1489/linux_service_stop_disable/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1489/linux_service_stop_disable/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_sudo_or_su_execution.yml b/detections/endpoint/linux_sudo_or_su_execution.yml index 5a640e75a3..323969cbee 100644 --- a/detections/endpoint/linux_sudo_or_su_execution.yml +++ b/detections/endpoint/linux_sudo_or_su_execution.yml @@ -1,18 +1,18 @@ name: Linux Sudo OR Su Execution id: 4b00f134-6d6a-11ec-a90c-acde48001122 -version: 1 -date: '2022-01-04' +version: 2 +date: '2024-05-17' author: Teoderick Contreras, Splunk status: production type: Hunting -description: This analytic is to detect the execution of sudo or su command in linux - operating system. The "sudo" command allows a system administrator to delegate authority - to give certain users (or groups of users) the ability to run some (or all) commands - as root or another user while providing an audit trail of the commands and their - arguments. This command is commonly abused by adversaries, malware author and red - teamers to elevate privileges to the targeted host. This command can be executed - by administrator for legitimate purposes or to execute process that need admin privileges, - In this scenario filter is needed. +description: The following analytic detects the execution of the "sudo" or "su" command + on a Linux operating system. It leverages data from Endpoint Detection and Response + (EDR) agents, focusing on process names and parent process names. This activity + is significant because "sudo" and "su" commands are commonly used by adversaries + to elevate privileges, potentially leading to unauthorized access or control over + the system. If confirmed malicious, this activity could allow attackers to execute + commands with root privileges, leading to severe security breaches, data exfiltration, + or further system compromise. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -68,6 +68,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/sudo_su/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/sudo_su/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_sudoers_tmp_file_creation.yml b/detections/endpoint/linux_sudoers_tmp_file_creation.yml index 9da64e71d5..8e3da22f96 100644 --- a/detections/endpoint/linux_sudoers_tmp_file_creation.yml +++ b/detections/endpoint/linux_sudoers_tmp_file_creation.yml @@ -1,17 +1,18 @@ name: Linux Sudoers Tmp File Creation id: be254a5c-63e7-11ec-89da-acde48001122 -version: 1 -date: '2021-12-23' +version: 2 +date: '2024-05-19' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This analytic is to looks for file creation of sudoers.tmp file cause - by editing /etc/sudoers using visudo or editor in linux platform. This technique - may abuse by adversaries, malware author and red teamers to gain elevated privilege - to targeted or compromised host. /etc/sudoers file controls who can run what commands - as what users on what machines and can also control special things such as whether - you need a password for particular commands. The file is composed of aliases (basically - variables) and user specifications (which control who can run what). +description: The following analytic detects the creation of the "sudoers.tmp" file, + which occurs when editing the /etc/sudoers file using visudo or another editor on + a Linux platform. This detection leverages filesystem data to identify the presence + of "sudoers.tmp" files. Monitoring this activity is crucial as adversaries may exploit + it to gain elevated privileges on a compromised host. If confirmed malicious, this + activity could allow attackers to modify sudoers configurations, potentially granting + them unauthorized access to execute commands as other users, including root, thereby + compromising the system's security. data_source: - Sysmon for Linux EventID 11 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -59,6 +60,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/sudoers_temp/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/sudoers_temp/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_system_network_discovery.yml b/detections/endpoint/linux_system_network_discovery.yml index b4ecf7fb3d..6247fc97d8 100644 --- a/detections/endpoint/linux_system_network_discovery.yml +++ b/detections/endpoint/linux_system_network_discovery.yml @@ -1,15 +1,18 @@ name: Linux System Network Discovery id: 535cb214-8b47-11ec-a2c7-acde48001122 -version: 1 -date: '2023-04-14' +version: 2 +date: '2024-05-24' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This analytic is to look for possible enumeration of local network configuration. - This technique is commonly used as part of recon of adversaries or threat actor - to know some network information for its next or further attack. This anomaly detections - may capture normal event made by administrator during auditing or testing network - connection of specific host or network to network. +description: The following analytic identifies potential enumeration of local network + configuration on Linux systems. It detects this activity by monitoring processes + such as "arp," "ifconfig," "ip," "netstat," "firewall-cmd," "ufw," "iptables," "ss," + and "route" within a 30-minute window. This behavior is significant as it often + indicates reconnaissance efforts by adversaries to gather network information for + subsequent attacks. If confirmed malicious, this activity could enable attackers + to map the network, identify vulnerabilities, and plan further exploitation or lateral + movement within the environment. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count values(Processes.process_name) @@ -67,6 +70,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1016/atomic_red_team/linux_net_discovery/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1016/atomic_red_team/linux_net_discovery/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_system_reboot_via_system_request_key.yml b/detections/endpoint/linux_system_reboot_via_system_request_key.yml index bf374eba9b..6351f75b97 100644 --- a/detections/endpoint/linux_system_reboot_via_system_request_key.yml +++ b/detections/endpoint/linux_system_reboot_via_system_request_key.yml @@ -1,17 +1,17 @@ name: Linux System Reboot Via System Request Key id: e1912b58-ed9c-422c-bbb0-2dbc70398345 -version: 1 -date: '2023-04-14' +version: 2 +date: '2024-05-20' author: Teoderick Contreras, Splunk status: production type: TTP -description: This analytic is to look for possible execution of SysReq hack to reboot - the Linux system host. This technique was seen in Awfulshred malware wiper to reboot - the compromised host by using the linux magic sysreq key. This kernel configuration - can trigger reboot by piping out 'b' to /proc/sysrq-trigger after enabling all the - functions of sysrq. This TTP detection can be a good indicator of possible suspicious - processes running on the Linux host since this command is not a common way to reboot - a system. +description: The following analytic detects the execution of the SysReq hack to reboot + a Linux system host. It leverages Endpoint Detection and Response (EDR) data to + identify processes executing the command to pipe 'b' to /proc/sysrq-trigger. This + activity is significant as it is an uncommon method to reboot a system and was observed + in the Awfulshred malware wiper. If confirmed malicious, this technique could indicate + the presence of suspicious processes and potential system compromise, leading to + unauthorized reboots and disruption of services. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -69,7 +69,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/awfulshred/test2/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/awfulshred/test2/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/detections/endpoint/linux_unix_shell_enable_all_sysrq_functions.yml b/detections/endpoint/linux_unix_shell_enable_all_sysrq_functions.yml index ea5df8e816..6f248fd7e4 100644 --- a/detections/endpoint/linux_unix_shell_enable_all_sysrq_functions.yml +++ b/detections/endpoint/linux_unix_shell_enable_all_sysrq_functions.yml @@ -1,17 +1,18 @@ name: Linux Unix Shell Enable All SysRq Functions id: e7a96937-3b58-4962-8dce-538e4763cf15 -version: 1 -date: '2023-04-14' +version: 2 +date: '2024-05-28' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This analytic is to look for possible execution of SysReq hack to enable - all functions of kernel system requests of the Linux system host. This technique - was seen in AwfulShred malware wiper to reboot the compromised host by using the - linux magic sysreq key. This kernel configuration can be triggered by piping out - bitmask '1' to /proc/sys/kernel/sysrq. This TTP detection can be a good indicator - of possible suspicious processes running on the Linux host since this command is - not so common shell commandline. +description: The following analytic detects the execution of a command to enable all + SysRq functions on a Linux system, a technique associated with the AwfulShred malware. + It leverages Endpoint Detection and Response (EDR) data to identify processes executing + the command to pipe bitmask '1' to /proc/sys/kernel/sysrq. This activity is significant + as it can indicate an attempt to manipulate kernel system requests, which is uncommon + and potentially malicious. If confirmed, this could allow an attacker to reboot + the system or perform other critical actions, leading to system instability or further + compromise. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -71,7 +72,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/awfulshred/test2/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/awfulshred/test2/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/detections/endpoint/linux_visudo_utility_execution.yml b/detections/endpoint/linux_visudo_utility_execution.yml index e3b26645f6..106f4f8587 100644 --- a/detections/endpoint/linux_visudo_utility_execution.yml +++ b/detections/endpoint/linux_visudo_utility_execution.yml @@ -1,17 +1,18 @@ name: Linux Visudo Utility Execution id: 08c41040-624c-11ec-a71f-acde48001122 -version: 1 -date: '2021-12-21' +version: 2 +date: '2024-05-27' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This analytic is to looks for suspicious commandline that add entry to - /etc/sudoers by using visudo utility tool in linux platform. This technique may - abuse by adversaries, malware author and red teamers to gain elevated privilege - to targeted or compromised host. /etc/sudoers file controls who can run what commands - as what users on what machines and can also control special things such as whether - you need a password for particular commands. The file is composed of aliases (basically - variables) and user specifications (which control who can run what). +description: The following analytic detects the execution of the 'visudo' utility + to modify the /etc/sudoers file on a Linux system. It leverages data from Endpoint + Detection and Response (EDR) agents, focusing on process execution logs. This activity + is significant because unauthorized changes to the /etc/sudoers file can grant elevated + privileges to users, potentially allowing adversaries to execute commands as root. + If confirmed malicious, this could lead to full system compromise, privilege escalation, + and persistent unauthorized access, severely impacting the security posture of the + affected host. data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -67,6 +68,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/visudo/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/visudo/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/detections/endpoint/loading_of_dynwrapx_module.yml b/detections/endpoint/loading_of_dynwrapx_module.yml index 22176b4a25..2e3c85aa3e 100644 --- a/detections/endpoint/loading_of_dynwrapx_module.yml +++ b/detections/endpoint/loading_of_dynwrapx_module.yml @@ -1,18 +1,18 @@ name: Loading Of Dynwrapx Module id: eac5e8ba-4857-11ec-9371-acde48001122 -version: 1 -date: '2021-11-18' +version: 2 +date: '2024-05-26' author: Teoderick Contreras, Splunk status: production type: TTP -description: DynamicWrapperX is an ActiveX component that can be used in a script - to call Windows API functions, but it requires the dynwrapx.dll to be installed - and registered. With that, registering or loading dynwrapx.dll to a host is highly - suspicious. In most instances when it is used maliciously, the best way to triage - is to review parallel processes and pivot on the process_guid. Review the registry - for any suspicious modifications meant to load dynwrapx.dll. Identify any suspicious - module loads of dynwrapx.dll. This detection will return and identify the processes - that invoke vbs/wscript/cscript. +description: The following analytic detects the loading of the dynwrapx.dll module, + which is associated with the DynamicWrapperX ActiveX component. This detection leverages + Sysmon EventCode 7 to identify processes that load or register dynwrapx.dll. This + activity is significant because DynamicWrapperX can be used to call Windows API + functions in scripts, making it a potential tool for malicious actions. If confirmed + malicious, this could allow an attacker to execute arbitrary code, escalate privileges, + or maintain persistence on the host. Immediate investigation of parallel processes + and registry modifications is recommended. data_source: - Sysmon EventID 7 search: '`sysmon` EventCode=7 (ImageLoaded = "*\\dynwrapx.dll" OR OriginalFileName @@ -72,6 +72,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos_dynwrapx/sysmon_dynwraper.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos_dynwrapx/sysmon_dynwraper.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/local_account_discovery_with_net.yml b/detections/endpoint/local_account_discovery_with_net.yml index 4763b43fe4..11f6fcf8f6 100644 --- a/detections/endpoint/local_account_discovery_with_net.yml +++ b/detections/endpoint/local_account_discovery_with_net.yml @@ -1,14 +1,18 @@ name: Local Account Discovery with Net id: 5d0d4830-0133-11ec-bae3-acde48001122 -version: 2 -date: '2021-09-16' +version: 3 +date: '2024-05-29' author: Mauricio Velazco, Splunk status: production type: Hunting -description: This analytic looks for the execution of `net.exe` or `net1.exe` with - command-line arguments utilized to query for local users. The two arguments `user` - and 'users', return a list of all local users. Red Teams and adversaries alike use - net.exe to enumerate users for situational awareness and Active Directory Discovery. +description: The following analytic detects the execution of `net.exe` or `net1.exe` + with command-line arguments `user` or `users` to query local user accounts. It leverages + data from Endpoint Detection and Response (EDR) agents, focusing on process names + and command-line executions. This activity is significant as it indicates potential + reconnaissance efforts by adversaries to enumerate local users, which is a common + step in situational awareness and Active Directory discovery. If confirmed malicious, + this behavior could lead to further attacks, including privilege escalation and + lateral movement within the network. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -56,6 +60,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.001/AD_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.001/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/local_account_discovery_with_wmic.yml b/detections/endpoint/local_account_discovery_with_wmic.yml index c0016b5537..b00c30fc36 100644 --- a/detections/endpoint/local_account_discovery_with_wmic.yml +++ b/detections/endpoint/local_account_discovery_with_wmic.yml @@ -1,14 +1,18 @@ name: Local Account Discovery With Wmic id: 4902d7aa-0134-11ec-9d65-acde48001122 -version: 2 -date: '2021-09-16' +version: 3 +date: '2024-05-25' author: Mauricio Velazco, Splunk status: production type: Hunting -description: This analytic looks for the execution of `wmic.exe` with command-line - arguments utilized to query for local users. The argument `useraccount` is used - to leverage WMI to return a list of all local users. Red Teams and adversaries alike - use net.exe to enumerate users for situational awareness and Active Directory Discovery. +description: The following analytic detects the execution of `wmic.exe` with command-line + arguments used to query local user accounts, specifically the `useraccount` argument. + It leverages data from Endpoint Detection and Response (EDR) agents, focusing on + process execution logs that include command-line details. This activity is significant + as it indicates potential reconnaissance efforts by adversaries to enumerate local + users, which is a common step in situational awareness and Active Directory discovery. + If confirmed malicious, this behavior could lead to further targeted attacks, privilege + escalation, or lateral movement within the network. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -54,6 +58,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.001/AD_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.001/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/log4shell_cve_2021_44228_exploitation.yml b/detections/endpoint/log4shell_cve_2021_44228_exploitation.yml index 78fc5aa558..d58be5a40a 100644 --- a/detections/endpoint/log4shell_cve_2021_44228_exploitation.yml +++ b/detections/endpoint/log4shell_cve_2021_44228_exploitation.yml @@ -1,23 +1,19 @@ name: Log4Shell CVE-2021-44228 Exploitation id: 9be30d80-3a39-4df9-9102-64a467b24eac -version: 3 -date: '2022-09-09' +version: 4 +date: '2024-05-26' author: Jose Hernandez, Splunk status: production type: Correlation -description: This correlation find exploitation of Log4Shell CVE-2021-44228 against - systems using detections from Splunk Security Content Analytic Story. It does this - by calculating the distinct count of MITRE ATT&CK tactics from Log4Shell detections - fired. If the count is larger than 2 or more distinct MITRE ATT&CK tactics we assume - high problability of exploitation. The Analytic story breaks down into 3 major phases - of a Log4Shell exploitation, specifically> Initial Payload delivery eg. `${jndi:ldap://PAYLOAD_INJECTED}` - Call back to malicious LDAP server eg. Exploit.class Post Exploitation Activity/Lateral - Movement using Powershell or similar T1562.001 Each of these phases fall into different - MITRE ATT&CK Tactics (Initial Access, Execution, Command And Control), by looking - into 2 or more phases showing up in detections triggerd is how this correlation - search finds exploitation. If we get a notable from this correlation search the - best way to triage it is by investigating the affected systems against Log4Shell - exploitation using Splunk SOAR playbooks. +description: The following analytic identifies potential exploitation of Log4Shell + CVE-2021-44228 by correlating multiple MITRE ATT&CK tactics detected in risk events. + It leverages Splunk's risk data model to calculate the distinct count of MITRE ATT&CK + tactics from Log4Shell-related detections. This activity is significant because + it indicates a high probability of exploitation if two or more distinct tactics + are observed. If confirmed malicious, this activity could lead to initial payload + delivery, callback to a malicious server, and post-exploitation activities, potentially + resulting in unauthorized access, lateral movement, and further compromise of the + affected systems. data_source: [] search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) @@ -75,6 +71,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://raw.githubusercontent.com/splunk/attack_data/master/datasets/suspicious_behaviour/log4shell_exploitation/log4shell_correlation.txt + - data: + https://raw.githubusercontent.com/splunk/attack_data/master/datasets/suspicious_behaviour/log4shell_exploitation/log4shell_correlation.txt source: log4shell sourcetype: stash diff --git a/detections/endpoint/logon_script_event_trigger_execution.yml b/detections/endpoint/logon_script_event_trigger_execution.yml index c4a9010289..91c271f74f 100644 --- a/detections/endpoint/logon_script_event_trigger_execution.yml +++ b/detections/endpoint/logon_script_event_trigger_execution.yml @@ -1,14 +1,18 @@ name: Logon Script Event Trigger Execution id: 4c38c264-1f74-11ec-b5fa-acde48001122 -version: 1 -date: '2023-04-14' +version: 2 +date: '2024-05-10' author: Teoderick Contreras, Splunk status: production type: TTP -description: This search is to detect a suspicious modification of registry entry - to persist and gain privilege escalation upon booting up of compromised host. This - technique was seen in several APT and malware where it modify UserInitMprLogonScript - registry entry to its malicious payload to be executed upon boot up of the machine. +description: The following analytic detects the modification of the UserInitMprLogonScript + registry entry, which is often used by attackers to establish persistence and gain + privilege escalation upon system boot. It leverages data from the Endpoint.Registry + data model, focusing on changes to the specified registry path. This activity is + significant because it is a common technique used by APT groups and malware to ensure + their payloads execute automatically when the system starts. If confirmed malicious, + this could allow attackers to maintain persistent access and potentially escalate + their privileges on the compromised host. data_source: - Sysmon EventID 13 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime @@ -63,6 +67,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1037.001/logonscript_reg/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1037.001/logonscript_reg/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/lolbas_with_network_traffic.yml b/detections/endpoint/lolbas_with_network_traffic.yml index ba3455eddc..d60a07c41e 100644 --- a/detections/endpoint/lolbas_with_network_traffic.yml +++ b/detections/endpoint/lolbas_with_network_traffic.yml @@ -1,15 +1,18 @@ name: LOLBAS With Network Traffic id: 2820f032-19eb-497e-8642-25b04a880359 -version: 1 -date: '2021-12-09' +version: 2 +date: '2024-05-11' author: Steven Dick status: production type: TTP -description: The following analytic identifies LOLBAS with network traffic. When adversaries - abuse LOLBAS they are often used to download malicious code or executables. The - LOLBAS project documents Windows native binaries that can be abused by threat actors - to perform tasks like downloading malicious code. Looking for these process can - help defenders identify lateral movement, command-and-control, or exfiltration activies. +description: The following analytic identifies the use of Living Off the Land Binaries + and Scripts (LOLBAS) with network traffic. It leverages data from the Network Traffic + data model to detect when native Windows binaries, often abused by adversaries, + initiate network connections. This activity is significant as LOLBAS are frequently + used to download malicious payloads, enabling lateral movement, command-and-control, + or data exfiltration. If confirmed malicious, this behavior could allow attackers + to execute arbitrary code, escalate privileges, or maintain persistence within the + environment, posing a severe threat to organizational security. data_source: - Sysmon EventID 3 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -85,7 +88,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218/lolbas_with_network_traffic/lolbas_with_network_traffic.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218/lolbas_with_network_traffic/lolbas_with_network_traffic.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/malicious_inprocserver32_modification.yml b/detections/endpoint/malicious_inprocserver32_modification.yml index 0af57baf31..602e7ee42d 100644 --- a/detections/endpoint/malicious_inprocserver32_modification.yml +++ b/detections/endpoint/malicious_inprocserver32_modification.yml @@ -1,22 +1,17 @@ name: Malicious InProcServer32 Modification id: 127c8d08-25ff-11ec-9223-acde48001122 -version: 1 -date: '2021-10-05' +version: 2 +date: '2024-05-30' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies a process modifying the registry with - a known malicious CLSID under InProcServer32. Most COM classes are registered with - the operating system and are identified by a GUID that represents the Class Identifier - (CLSID) within the registry (usually under HKLM\\Software\\Classes\\CLSID or HKCU\\Software\\Classes\\CLSID). Behind - the implementation of a COM class is the server (some binary) that is referenced - within registry keys under the CLSID. The LocalServer32 key represents a path to - an executable (exe) implementation, and the InprocServer32 key represents a path - to a dynamic link library (DLL) implementation (Bohops). During triage, review parallel - processes for suspicious activity. Pivot on the process GUID to see the full timeline - of events. Analyze the value and look for file modifications. Being this is looking - for inprocserver32, a DLL found in the value will most likely be loaded by a parallel - process. +description: The following analytic detects a process modifying the registry with + a known malicious CLSID under InProcServer32. It leverages data from Endpoint Detection + and Response (EDR) agents, focusing on registry modifications within the HKLM or + HKCU Software Classes CLSID paths. This activity is significant as it may indicate + an attempt to load a malicious DLL, potentially leading to code execution. If confirmed + malicious, this could allow an attacker to persist in the environment, execute arbitrary + code, or escalate privileges, posing a severe threat to system integrity and security. data_source: - Sysmon EventID 1 - Sysmon EventID 12 @@ -87,6 +82,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/malicious_powershell_process___encoded_command.yml b/detections/endpoint/malicious_powershell_process___encoded_command.yml index 56b2022684..92ea9118aa 100644 --- a/detections/endpoint/malicious_powershell_process___encoded_command.yml +++ b/detections/endpoint/malicious_powershell_process___encoded_command.yml @@ -1,32 +1,27 @@ name: Malicious PowerShell Process - Encoded Command id: c4db14d9-7909-48b4-a054-aa14d89dbb19 -version: 7 -date: '2022-01-18' +version: 8 +date: '2024-05-19' author: David Dorsey, Michael Haag, Splunk status: production type: Hunting -description: 'The following analytic identifies the use of the EncodedCommand PowerShell - parameter. This is typically used by Administrators to run complex scripts, but - commonly used by adversaries to hide their code. - - The analytic identifies all variations of EncodedCommand, as PowerShell allows the - ability to shorten the parameter. For example enc, enco, encod and so forth. In - addition, through our research it was identified that PowerShell will interpret - different command switch types beyond the hyphen. We have added endash, emdash, - horizontal bar, and forward slash. - - During triage, review parallel events to determine legitimacy. Tune as needed based - on admin scripts in use. - - Alternatively, may use regex per matching here https://regexr.com/662ov.' +description: 'The following analytic detects the use of the EncodedCommand parameter + in PowerShell processes. It leverages Endpoint Detection and Response (EDR) data + to identify variations of the EncodedCommand parameter, including shortened forms + and different command switch types. This activity is significant because adversaries + often use encoded commands to obfuscate malicious scripts, making detection harder. + If confirmed malicious, this behavior could allow attackers to execute hidden code, + potentially leading to unauthorized access, privilege escalation, or persistent + threats within the environment. Review parallel events to determine legitimacy and + tune based on known administrative scripts.' data_source: - Sysmon EventID 1 search: "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` by Processes.user Processes.process_name Processes.process Processes.parent_process_name Processes.original_file_name Processes.dest Processes.process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | where match(process,\"(?i)[\\-|\\/|\u2013 - |\u2014|\u2015]e(nc*o*d*e*d*c*o*m*m*a*n*d*)*\\s+[^-]\") | `malicious_powershell_process___encoded_command_filter`" + | `security_content_ctime(lastTime)` | where match(process,\"(?i)[\\-|\\/|– |—|―]e(nc*o*d*e*d*c*o*m*m*a*n*d*)*\\\ + s+[^-]\") | `malicious_powershell_process___encoded_command_filter`" how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -84,6 +79,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/mimikatz_passtheticket_commandline_parameters.yml b/detections/endpoint/mimikatz_passtheticket_commandline_parameters.yml index 1e9ed53316..b2a5e25b11 100644 --- a/detections/endpoint/mimikatz_passtheticket_commandline_parameters.yml +++ b/detections/endpoint/mimikatz_passtheticket_commandline_parameters.yml @@ -1,16 +1,18 @@ name: Mimikatz PassTheTicket CommandLine Parameters id: 13bbd574-83ac-11ec-99d4-acde48001122 -version: 1 -date: '2023-12-27' +version: 2 +date: '2024-05-30' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic looks for the use of Mimikatz command line parameters - leveraged to execute pass the ticket attacks. Red teams and adversaries alike may - use the pass the ticket technique using stolen Kerberos tickets to move laterally - within an environment, bypassing normal system access controls. Defenders should - be aware that adversaries may customize the source code of Mimikatz and modify the - command line parameters. This would effectively bypass this analytic. +description: The following analytic detects the use of Mimikatz command line parameters + associated with pass-the-ticket attacks. It leverages data from Endpoint Detection + and Response (EDR) agents, focusing on specific command-line patterns related to + Kerberos ticket manipulation. This activity is significant because pass-the-ticket + attacks allow adversaries to move laterally within an environment using stolen Kerberos + tickets, bypassing normal access controls. If confirmed malicious, this could enable + attackers to escalate privileges, access sensitive information, and maintain persistence + within the network. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -79,6 +81,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550.003/mimikatz/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550.003/mimikatz/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/mmc_lolbas_execution_process_spawn.yml b/detections/endpoint/mmc_lolbas_execution_process_spawn.yml index dc728ce0f4..300a40f2d2 100644 --- a/detections/endpoint/mmc_lolbas_execution_process_spawn.yml +++ b/detections/endpoint/mmc_lolbas_execution_process_spawn.yml @@ -1,17 +1,18 @@ name: Mmc LOLBAS Execution Process Spawn id: f6601940-4c74-11ec-b9b7-3e22fbd008af -version: 1 -date: '2021-11-23' +version: 2 +date: '2024-05-12' author: Mauricio Velazco, Splunk status: production type: TTP description: The following analytic identifies `mmc.exe` spawning a LOLBAS execution - process. When adversaries execute code on remote endpoints abusing the DCOM protocol - and the MMC20 COM object, the executed command is spawned as a child processs of - `mmc.exe`. The LOLBAS project documents Windows native binaries that can be abused - by threat actors to perform tasks like executing malicious code. Looking for child - processes of mmc.exe that are part of the LOLBAS project can help defenders identify - lateral movement activity. + process. It leverages data from Endpoint Detection and Response (EDR) agents, focusing + on process creation events where `mmc.exe` is the parent process. This activity + is significant because adversaries can abuse the DCOM protocol and MMC20 COM object + to execute malicious code, using Windows native binaries documented by the LOLBAS + project. If confirmed malicious, this behavior could indicate lateral movement, + allowing attackers to execute code remotely, potentially leading to further compromise + and persistence within the environment. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -84,6 +85,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.003/lateral_movement_lolbas/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.003/lateral_movement_lolbas/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/modification_of_wallpaper.yml b/detections/endpoint/modification_of_wallpaper.yml index b7f50e63ec..d82dc62ae6 100644 --- a/detections/endpoint/modification_of_wallpaper.yml +++ b/detections/endpoint/modification_of_wallpaper.yml @@ -1,23 +1,28 @@ name: Modification Of Wallpaper id: accb0712-c381-11eb-8e5b-acde48001122 -version: 1 -date: '2021-06-02' +version: 2 +date: '2024-05-28' author: Teoderick Contreras, Splunk status: production type: TTP -description: This analytic identifies suspicious modification of registry to deface - or change the wallpaper of a compromised machines as part of its payload. This technique - was commonly seen in ransomware like REVIL where it create a bitmap file contain - a note that the machine was compromised and make it as a wallpaper. +description: The following analytic detects the modification of registry keys related + to the desktop wallpaper settings. It leverages Sysmon EventCode 13 to identify + changes to the "Control Panel\\Desktop\\Wallpaper" and "Control Panel\\Desktop\\WallpaperStyle" + registry keys, especially when the modifying process is not explorer.exe or involves + suspicious file paths like temp or public directories. This activity is significant + as it can indicate ransomware behavior, such as the REVIL ransomware, which changes + the wallpaper to display a ransom note. If confirmed malicious, this could signify + a compromised machine and the presence of ransomware, leading to potential data + encryption and extortion. data_source: - Sysmon EventID 13 -search: '`sysmon` EventCode =13 (TargetObject IN ("*\\Control Panel\\Desktop\\Wallpaper","*\\Control Panel\\Desktop\\WallpaperStyle") AND Image != "*\\explorer.exe") - OR (TargetObject IN ("*\\Control Panel\\Desktop\\Wallpaper","*\\Control Panel\\Desktop\\WallpaperStyle") AND Details IN ("*\\temp\\*", "*\\users\\public\\*")) - | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Image TargetObject Details Computer process_guid process_id user_id - | rename Computer as dest - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `modification_of_wallpaper_filter`' +search: '`sysmon` EventCode =13 (TargetObject IN ("*\\Control Panel\\Desktop\\Wallpaper","*\\Control + Panel\\Desktop\\WallpaperStyle") AND Image != "*\\explorer.exe") OR (TargetObject + IN ("*\\Control Panel\\Desktop\\Wallpaper","*\\Control Panel\\Desktop\\WallpaperStyle") + AND Details IN ("*\\temp\\*", "*\\users\\public\\*")) | stats count min(_time) as + firstTime max(_time) as lastTime by EventCode Image TargetObject Details Computer + process_guid process_id user_id | rename Computer as dest | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `modification_of_wallpaper_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the Image, TargetObject registry key, registry Details from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. @@ -65,6 +70,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/revil/inf1/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/revil/inf1/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/modify_acl_permission_to_files_or_folder.yml b/detections/endpoint/modify_acl_permission_to_files_or_folder.yml index 14fefa4508..3e43502335 100644 --- a/detections/endpoint/modify_acl_permission_to_files_or_folder.yml +++ b/detections/endpoint/modify_acl_permission_to_files_or_folder.yml @@ -1,16 +1,17 @@ name: Modify ACL permission To Files Or Folder id: 7e8458cc-acca-11eb-9e3f-acde48001122 -version: 2 -date: '2022-03-17' +version: 3 +date: '2024-05-19' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This analytic identifies suspicious modification of ACL permission to - a files or folder to make it available to everyone. This technique may be used by - the adversary to evade ACLs or protected files access. This changes is commonly - configured by the file or directory owner with appropriate permission. This behavior - is a good indicator if this command seen on a machine utilized by an account with - no permission to do so. +description: The following analytic detects the modification of ACL permissions to + files or folders, making them accessible to everyone. It leverages data from Endpoint + Detection and Response (EDR) agents, focusing on processes like "cacls.exe," "icacls.exe," + and "xcacls.exe" with specific command-line arguments. This activity is significant + as it may indicate an adversary attempting to evade ACLs or access protected files. + If confirmed malicious, this could allow unauthorized access to sensitive data, + potentially leading to data breaches or further system compromise. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` values(Processes.process) as process @@ -64,6 +65,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/monitor_registry_keys_for_print_monitors.yml b/detections/endpoint/monitor_registry_keys_for_print_monitors.yml index 9018fb8e1c..ad8a2096e8 100644 --- a/detections/endpoint/monitor_registry_keys_for_print_monitors.yml +++ b/detections/endpoint/monitor_registry_keys_for_print_monitors.yml @@ -1,23 +1,26 @@ name: Monitor Registry Keys for Print Monitors id: f5f6af30-7ba7-4295-bfe9-07de87c01bbc -version: 5 -date: '2023-04-27' +version: 6 +date: '2024-05-29' author: Steven Dick, Bhavin Patel, Teoderick Contreras, Splunk status: production type: TTP -description: This search looks for registry activity associated with modifications - to the registry key `HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors`. In this - scenario, an attacker can load an arbitrary .dll into the print-monitor registry - by giving the full path name to the after.dll. The system will execute the .dll - with elevated (SYSTEM) permissions and will persist after reboot. +description: The following analytic detects modifications to the registry key `HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors`. + It leverages data from the Endpoint.Registry data model, focusing on events where + the registry path is modified. This activity is significant because attackers can + exploit this registry key to load arbitrary .dll files, which will execute with + elevated SYSTEM permissions and persist after a reboot. If confirmed malicious, + this could allow attackers to maintain persistence, execute code with high privileges, + and potentially compromise the entire system. data_source: - Sysmon EventID 12 - Sysmon EventID 13 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.action=modified AND Registry.registry_path="*CurrentControlSet\\Control\\Print\\Monitors*") - BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name - Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `monitor_registry_keys_for_print_monitors_filter`' + BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name + Registry.registry_value_name Registry.registry_value_data Registry.process_guid + | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `monitor_registry_keys_for_print_monitors_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical @@ -59,6 +62,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.010/atomic_red_team/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.010/atomic_red_team/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/ms_exchange_mailbox_replication_service_writing_active_server_pages.yml b/detections/endpoint/ms_exchange_mailbox_replication_service_writing_active_server_pages.yml index eff8fec884..288feba20e 100644 --- a/detections/endpoint/ms_exchange_mailbox_replication_service_writing_active_server_pages.yml +++ b/detections/endpoint/ms_exchange_mailbox_replication_service_writing_active_server_pages.yml @@ -1,31 +1,18 @@ name: MS Exchange Mailbox Replication service writing Active Server Pages id: 985f322c-57a5-11ec-b9ac-acde48001122 -version: 1 -date: '2023-07-10' +version: 2 +date: '2024-05-27' author: Michael Haag, Splunk status: experimental type: TTP -description: 'The following query identifies suspicious .aspx created in 3 paths identified - by Microsoft as known drop locations for Exchange exploitation related to HAFNIUM - group and recently disclosed vulnerablity named ProxyShell. Paths include: `\HttpProxy\owa\auth\`, - `\inetpub\wwwroot\aspnet_client\`, and `\HttpProxy\OAB\`. The analytic is limited - to process name MSExchangeMailboxReplication.exe, which typically does not write - .aspx files to disk. Upon triage, the suspicious .aspx file will likely look obvious - on the surface. inspect the contents for script code inside. Identify additional - log sources, IIS included, to review source and other potential exploitation. It - is often the case that a particular threat is only applicable to a specific subset - of systems in your environment. Typically analytics to detect those threats are - written without the benefit of being able to only target those systems as well. - Writing analytics against all systems when those behaviors are limited to identifiable - subsets of those systems is suboptimal. Consider the case ProxyShell vulnerability - on Microsoft Exchange Servers. With asset information, a hunter can limit their - analytics to systems that have been identified as Exchange servers. A hunter may - start with the theory that the exchange server is communicating with new systems - that it has not previously. If this theory is run against all publicly facing systems, - the amount of noise it will generate will likely render this theory untenable. However, - using the asset information to limit this analytic to just the Exchange servers - will reduce the noise allowing the hunter to focus only on the systems where this - behavioral change is relevant.' +description: 'The following analytic identifies the creation of suspicious .aspx files + in specific directories associated with Exchange exploitation by the HAFNIUM group + and the ProxyShell vulnerability. It detects this activity by monitoring the MSExchangeMailboxReplication.exe + process, which typically does not write .aspx files. This behavior is significant + as it may indicate an active exploitation attempt on Exchange servers. If confirmed + malicious, attackers could gain unauthorized access, execute arbitrary code, or + maintain persistence within the environment. Immediate investigation and remediation + are crucial to prevent further compromise.' data_source: - Sysmon EventID 1 - Sysmon EventID 11 diff --git a/detections/endpoint/ms_scripting_process_loading_ldap_module.yml b/detections/endpoint/ms_scripting_process_loading_ldap_module.yml index f65000e124..750a86f48a 100644 --- a/detections/endpoint/ms_scripting_process_loading_ldap_module.yml +++ b/detections/endpoint/ms_scripting_process_loading_ldap_module.yml @@ -1,24 +1,24 @@ name: MS Scripting Process Loading Ldap Module id: 0b0c40dc-14a6-11ec-b267-acde48001122 -version: 1 -date: '2021-09-13' +version: 2 +date: '2024-05-19' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This search is to detect a suspicious MS scripting process such as wscript.exe - or cscript.exe that loading ldap module to process ldap query. This behavior was - seen in FIN7 implant where it uses javascript to execute ldap query to parse host - information that will send to its C2 server. this anomaly detections is a good initial - step to hunt further a suspicious ldap query or ldap related events to the host - that may give you good information regarding ldap or AD information processing or - might be a attacker. +description: The following analytic detects the execution of MS scripting processes + (wscript.exe or cscript.exe) loading LDAP-related modules (Wldap32.dll, adsldp.dll, + adsldpc.dll). It leverages Sysmon EventCode 7 to identify these specific DLL loads. + This activity is significant as it may indicate an attempt to query LDAP for host + information, a behavior observed in FIN7 implants. If confirmed malicious, this + could allow attackers to gather detailed Active Directory information, potentially + leading to further exploitation or data exfiltration. data_source: - Sysmon EventID 7 search: '`sysmon` EventCode =7 Image IN ("*\\wscript.exe", "*\\cscript.exe") ImageLoaded IN ("*\\Wldap32.dll", "*\\adsldp.dll", "*\\adsldpc.dll") | stats min(_time) as firstTime max(_time) as lastTime count by Image EventCode process_name ProcessId ProcessGuid - Computer ImageLoaded | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `ms_scripting_process_loading_ldap_module_filter`' + Computer ImageLoaded | rename Computer as dest | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `ms_scripting_process_loading_ldap_module_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the @@ -61,6 +61,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/fin7_js_2/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/fin7_js_2/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/ms_scripting_process_loading_wmi_module.yml b/detections/endpoint/ms_scripting_process_loading_wmi_module.yml index a0fc29d1ec..719ef1f264 100644 --- a/detections/endpoint/ms_scripting_process_loading_wmi_module.yml +++ b/detections/endpoint/ms_scripting_process_loading_wmi_module.yml @@ -1,17 +1,18 @@ name: MS Scripting Process Loading WMI Module id: 2eba3d36-14a6-11ec-a682-acde48001122 -version: 1 -date: '2021-09-13' +version: 2 +date: '2024-05-21' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This search is to detect a suspicious MS scripting process such as wscript.exe - or cscript.exe that loading wmi module to process wmi query. This behavior was seen - in FIN7 implant where it uses javascript to execute wmi query to parse host information - that will send to its C2 server. this anomaly detections is a good initial step - to hunt further a suspicious wmi query or wmi related events to the host that may - give you good information regarding process that are commonly using wmi query or - modules or might be an attacker using this technique. +description: The following analytic detects the loading of WMI modules by Microsoft + scripting processes like wscript.exe or cscript.exe. It leverages Sysmon EventCode + 7 to identify instances where these scripting engines load specific WMI-related + DLLs. This activity is significant because it can indicate the presence of malware, + such as the FIN7 implant, which uses JavaScript to execute WMI queries for gathering + host information to send to a C2 server. If confirmed malicious, this behavior could + allow attackers to collect sensitive system information and maintain persistence + within the environment. data_source: - Sysmon EventID 7 search: '`sysmon` EventCode =7 Image IN ("*\\wscript.exe", "*\\cscript.exe") ImageLoaded @@ -62,6 +63,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/fin7_js_2/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/fin7_js_2/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/msbuild_suspicious_spawned_by_script_process.yml b/detections/endpoint/msbuild_suspicious_spawned_by_script_process.yml index 642f7139e4..8d752de08a 100644 --- a/detections/endpoint/msbuild_suspicious_spawned_by_script_process.yml +++ b/detections/endpoint/msbuild_suspicious_spawned_by_script_process.yml @@ -1,16 +1,19 @@ name: MSBuild Suspicious Spawned By Script Process id: 213b3148-24ea-11ec-93a2-acde48001122 -version: 1 -date: '2021-10-04' +version: 2 +date: '2024-05-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: This analytic is to detect a suspicious child process of MSBuild spawned - by Windows Script Host - cscript or wscript. This behavior or event are commonly - seen and used by malware or adversaries to execute malicious msbuild process using - malicious script in the compromised host. During triage, review parallel processes - and identify any file modifications. MSBuild may load a script from the same path - without having command-line arguments. +description: The following analytic detects the suspicious spawning of MSBuild.exe + by Windows Script Host processes (cscript.exe or wscript.exe). This behavior is + often associated with malware or adversaries executing malicious MSBuild processes + via scripts on compromised hosts. The detection leverages Endpoint Detection and + Response (EDR) telemetry, focusing on process creation events where MSBuild is a + child of script hosts. This activity is significant as it may indicate an attempt + to execute malicious code. If confirmed malicious, it could lead to unauthorized + code execution, potentially compromising the host and allowing further malicious + activities. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count values(Processes.process_name) @@ -70,6 +73,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127.001/regsvr32_silent/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127.001/regsvr32_silent/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/mshta_spawning_rundll32_or_regsvr32_process.yml b/detections/endpoint/mshta_spawning_rundll32_or_regsvr32_process.yml index eb0948dbcc..c4779b8195 100644 --- a/detections/endpoint/mshta_spawning_rundll32_or_regsvr32_process.yml +++ b/detections/endpoint/mshta_spawning_rundll32_or_regsvr32_process.yml @@ -1,22 +1,25 @@ name: Mshta spawning Rundll32 OR Regsvr32 Process id: 4aa5d062-e893-11eb-9eb2-acde48001122 -version: 2 -date: '2021-07-19' +version: 3 +date: '2024-05-09' author: Teoderick Contreras, Splunk status: production type: TTP -description: This search is to detect a suspicious mshta.exe process that spawn rundll32 - or regsvr32 child process. This technique was seen in several malware nowadays like - trickbot to load its initial .dll stage loader to execute and download the the actual - trickbot payload. +description: The following analytic detects a suspicious mshta.exe process spawning + rundll32 or regsvr32 child processes. It leverages data from Endpoint Detection + and Response (EDR) agents, focusing on process GUID, process name, and parent process + fields. This activity is significant as it is a known technique used by malware + like Trickbot to load malicious DLLs and execute payloads. If confirmed malicious, + this behavior could allow attackers to execute arbitrary code, escalate privileges, + or download additional malware, posing a severe threat to the environment. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name - = "mshta.exe" `process_rundll32` OR `process_regsvr32` by Processes.parent_process_name Processes.parent_process - Processes.process_name Processes.process Processes.process_id Processes.process_guid - Processes.user Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` - |`security_content_ctime(lastTime)` | `mshta_spawning_rundll32_or_regsvr32_process_filter`' + = "mshta.exe" `process_rundll32` OR `process_regsvr32` by Processes.parent_process_name + Processes.parent_process Processes.process_name Processes.process Processes.process_id + Processes.process_guid Processes.user Processes.dest | `drop_dm_object_name("Processes")` + | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `mshta_spawning_rundll32_or_regsvr32_process_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -74,6 +77,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/spear_phish/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/spear_phish/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/mshtml_module_load_in_office_product.yml b/detections/endpoint/mshtml_module_load_in_office_product.yml index e6ab8c4753..b54ab9b15c 100644 --- a/detections/endpoint/mshtml_module_load_in_office_product.yml +++ b/detections/endpoint/mshtml_module_load_in_office_product.yml @@ -1,26 +1,30 @@ name: MSHTML Module Load in Office Product id: 5f1c168e-118b-11ec-84ff-acde48001122 -version: 3 -date: '2024-03-14' +version: 4 +date: '2024-05-14' author: Michael Haag, Mauricio Velazco, Splunk status: production type: TTP -description: This detection identifies the loading of the mshtml.dll module into - an Office product. This behavior is associated with CVE-2021-40444, where a - malicious document loads ActiveX, thereby activating the MSHTML component. The - vulnerability is found within the MSHTML component itself. During triage, it is important to identify concurrent - processes and document any file modifications for further analysis. +description: The following analytic detects the loading of the mshtml.dll module into + an Office product, which is indicative of CVE-2021-40444 exploitation. It leverages + Sysmon EventID 7 to monitor image loads by specific Office processes. This activity + is significant because it can indicate an attempt to exploit a vulnerability in + the MSHTML component via a malicious document. If confirmed malicious, this could + allow an attacker to execute arbitrary code, potentially leading to system compromise, + data exfiltration, or further network penetration. data_source: - Sysmon EventID 7 -search: '`sysmon` EventID=7 process_name IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","wordpad.exe","wordview.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe", "msaccess.exe","Graph.exe","winproj.exe") loaded_file_path IN ("*\\mshtml.dll", "*\\Microsoft.mshtml.dll","*\\IE.Interop.MSHTML.dll","*\\MshtmlDac.dll","*\\MshtmlDed.dll","*\\MshtmlDer.dll") - | stats count min(_time) as firstTime max(_time) as lastTime by user_id, dest, process_name, loaded_file, loaded_file_path, original_file_name, process_guid - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `mshtml_module_load_in_office_product_filter`' +search: '`sysmon` EventID=7 process_name IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","wordpad.exe","wordview.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe", + "msaccess.exe","Graph.exe","winproj.exe") loaded_file_path IN ("*\\mshtml.dll", + "*\\Microsoft.mshtml.dll","*\\IE.Interop.MSHTML.dll","*\\MshtmlDac.dll","*\\MshtmlDed.dll","*\\MshtmlDer.dll") + | stats count min(_time) as firstTime max(_time) as lastTime by user_id, dest, process_name, + loaded_file, loaded_file_path, original_file_name, process_guid | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `mshtml_module_load_in_office_product_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process names and image loads from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -known_false_positives: Limited false positives will be present, however, tune as necessary. Some applications may legitimately load mshtml.dll. +known_false_positives: Limited false positives will be present, however, tune as necessary. + Some applications may legitimately load mshtml.dll. references: - https://app.any.run/tasks/36c14029-9df8-439c-bba0-45f2643b0c70/ - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444 @@ -36,7 +40,8 @@ tags: cve: - CVE-2021-40444 impact: 80 - message: An instance of $process_name$ was identified on endpoint $dest$ loading mshtml.dll. + message: An instance of $process_name$ was identified on endpoint $dest$ loading + mshtml.dll. mitre_attack_id: - T1566 - T1566.001 @@ -65,6 +70,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_mshtml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_mshtml.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/msi_module_loaded_by_non_system_binary.yml b/detections/endpoint/msi_module_loaded_by_non_system_binary.yml index 9800835334..9e694af832 100644 --- a/detections/endpoint/msi_module_loaded_by_non_system_binary.yml +++ b/detections/endpoint/msi_module_loaded_by_non_system_binary.yml @@ -1,28 +1,17 @@ name: MSI Module Loaded by Non-System Binary id: ccb98a66-5851-11ec-b91c-acde48001122 -version: 1 -date: '2023-04-14' +version: 2 +date: '2024-05-29' author: Michael Haag, Splunk status: production type: Hunting -description: 'The following hunting analytic identifies `msi.dll` being loaded by - a binary not located in `system32`, `syswow64`, `winsxs` or `windows` paths. This - behavior is most recently related to InstallerFileTakeOver, or CVE-2021-41379, and - DLL side-loading. CVE-2021-41379 requires a binary to be dropped and `msi.dll` to - be loaded by it. To Successful exploitation of this issue happens in four parts - - - 1. Generation of an MSI that will trigger bad behavior. - - 1. Preparing a directory for MSI installation. - - 1. Inducing an error state. - - 1. Racing to introduce a junction and a symlink to trick msiexec.exe to modify the - attacker specified file. - - In addition, `msi.dll` has been abused in DLL side-loading attacks by being loaded - by non-system binaries.' +description: 'The following analytic detects the loading of `msi.dll` by a binary + not located in `system32`, `syswow64`, `winsxs`, or `windows` directories. This + is identified using Sysmon EventCode 7, which logs DLL loads, and filters out legitimate + system paths. This activity is significant as it may indicate exploitation of CVE-2021-41379 + or DLL side-loading attacks, both of which can lead to unauthorized system modifications. + If confirmed malicious, this could allow an attacker to execute arbitrary code, + escalate privileges, or persist within the environment.' data_source: - Sysmon EventID 7 search: '`sysmon` EventCode=7 ImageLoaded="*\\msi.dll" NOT (Image IN ("*\\System32\\*","*\\syswow64\\*","*\\windows\\*", @@ -75,6 +64,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.002/msi_module_load/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.002/msi_module_load/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/msmpeng_application_dll_side_loading.yml b/detections/endpoint/msmpeng_application_dll_side_loading.yml index 3e0e233627..54cfc12b83 100644 --- a/detections/endpoint/msmpeng_application_dll_side_loading.yml +++ b/detections/endpoint/msmpeng_application_dll_side_loading.yml @@ -1,23 +1,26 @@ name: Msmpeng Application DLL Side Loading id: 8bb3f280-dd9b-11eb-84d5-acde48001122 -version: 3 -date: '2023-03-15' +version: 4 +date: '2024-05-16' author: Teoderick Contreras, Splunk, Sanjay Govind status: production type: TTP -description: This search is to detect a suspicious creation of msmpeng.exe or mpsvc.dll - in non default windows defender folder. This technique was seen - with revil ransomware in Kaseya Supply chain. The approach is to drop an old version - of msmpeng.exe to load the actual payload name as mspvc.dll which will load the - revil ransomware to the compromise machine +description: The following analytic detects the suspicious creation of msmpeng.exe + or mpsvc.dll in non-default Windows Defender folders. It leverages the Endpoint.Filesystem + datamodel to identify instances where these files are created outside their expected + directories. This activity is significant because it is associated with the REvil + ransomware, which uses DLL side-loading to execute malicious payloads. If confirmed + malicious, this could lead to ransomware deployment, resulting in data encryption, + system compromise, and potential data loss or extortion. data_source: - Sysmon EventID 1 search: '|tstats `security_content_summariesonly` values(Filesystem.file_path) as file_path count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem - where (Filesystem.file_name = "msmpeng.exe" OR Filesystem.file_name = "mpsvc.dll") AND NOT - (Filesystem.file_path IN ("*\\Program Files\\windows defender\\*","*\\WinSxS\\*defender-service*","*\\WinSxS\\Temp\\*defender-service*")) by Filesystem.file_create_time - Filesystem.process_id Filesystem.file_name Filesystem.user Filesystem.dest | `drop_dm_object_name(Filesystem)` - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `msmpeng_application_dll_side_loading_filter`' + where (Filesystem.file_name = "msmpeng.exe" OR Filesystem.file_name = "mpsvc.dll") AND + NOT (Filesystem.file_path IN ("*\\Program Files\\windows defender\\*","*\\WinSxS\\*defender-service*","*\\WinSxS\\Temp\\*defender-service*")) + by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.user + Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `msmpeng_application_dll_side_loading_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. @@ -31,7 +34,8 @@ tags: asset_type: Endpoint confidence: 50 impact: 50 - message: Suspicious creation of msmpeng.exe or mpsvc.dll in non default windows defender folder on host - $dest$ + message: Suspicious creation of msmpeng.exe or mpsvc.dll in non default windows + defender folder on host - $dest$ mitre_attack_id: - T1574.002 - T1574 @@ -56,6 +60,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets//malware/revil/msmpeng_side/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets//malware/revil/msmpeng_side/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/net_profiler_uac_bypass.yml b/detections/endpoint/net_profiler_uac_bypass.yml index 92c34a9386..ea5b0dbdc2 100644 --- a/detections/endpoint/net_profiler_uac_bypass.yml +++ b/detections/endpoint/net_profiler_uac_bypass.yml @@ -1,16 +1,18 @@ name: NET Profiler UAC bypass id: 0252ca80-e30d-11eb-8aa3-acde48001122 -version: 2 -date: '2022-02-18' +version: 3 +date: '2024-05-16' author: Teoderick Contreras, Splunk status: production type: TTP -description: This search is to detect modification of registry to bypass UAC windows - feature. This technique is to add a payload dll path on .NET COR file path that - will be loaded by mmc.exe as soon it was executed. This detection rely on monitoring - the registry key and values in the detection area. It may happened that windows - update some dll related to mmc.exe and add dll path in this registry. In this case - filtering is needed. +description: The following analytic detects modifications to the registry aimed at + bypassing the User Account Control (UAC) feature in Windows. It identifies changes + to the .NET COR_PROFILER_PATH registry key, which can be exploited to load a malicious + DLL via mmc.exe. This detection leverages data from the Endpoint.Registry datamodel, + focusing on specific registry paths and values. Monitoring this activity is crucial + as it can indicate an attempt to escalate privileges or persist within the environment. + If confirmed malicious, this could allow an attacker to execute arbitrary code with + elevated privileges, compromising system integrity. data_source: - Sysmon EventID 12 - Sysmon EventID 13 @@ -58,6 +60,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/uac_bypass/windows-sysmon2.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/uac_bypass/windows-sysmon2.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/network_connection_discovery_with_net.yml b/detections/endpoint/network_connection_discovery_with_net.yml index 1c64bee970..22ce817b64 100644 --- a/detections/endpoint/network_connection_discovery_with_net.yml +++ b/detections/endpoint/network_connection_discovery_with_net.yml @@ -1,14 +1,18 @@ name: Network Connection Discovery With Net id: 640337e5-6e41-4b7f-af06-9d9eab5e1e2d -version: 1 -date: '2021-09-10' +version: 2 +date: '2024-05-28' author: Mauricio Velazco, Splunk status: production type: Hunting -description: This analytic looks for the execution of `net.exe` with command-line - arguments utilized to get a listing of network connections on a compromised system. - Red Teams and adversaries alike may use net.exe for situational awareness and Active - Directory Discovery. +description: The following analytic identifies the execution of `net.exe` or `net1.exe` + with command-line arguments used to list network connections on a compromised system. + It leverages data from Endpoint Detection and Response (EDR) agents, focusing on + process names and command-line executions. This activity is significant as it indicates + potential network reconnaissance by adversaries or Red Teams, aiming to gather situational + awareness and Active Directory information. If confirmed malicious, this behavior + could allow attackers to map the network, identify critical assets, and plan further + attacks, potentially leading to data exfiltration or lateral movement. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -67,6 +71,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1049/AD_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1049/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/network_connection_discovery_with_netstat.yml b/detections/endpoint/network_connection_discovery_with_netstat.yml index e6cf1a1672..450173c2df 100644 --- a/detections/endpoint/network_connection_discovery_with_netstat.yml +++ b/detections/endpoint/network_connection_discovery_with_netstat.yml @@ -1,14 +1,17 @@ name: Network Connection Discovery With Netstat id: 2cf5cc25-f39a-436d-a790-4857e5995ede -version: 1 -date: '2023-12-27' +version: 2 +date: '2024-05-23' author: Mauricio Velazco, Splunk status: production type: Hunting -description: This analytic looks for the execution of `netstat.exe` with command-line - arguments utilized to get a listing of network connections on a compromised system. - Red Teams and adversaries alike may use netstat.exe for situational awareness and - Active Directory Discovery. +description: The following analytic detects the execution of `netstat.exe` with command-line + arguments to list network connections on a system. It leverages data from Endpoint + Detection and Response (EDR) agents, focusing on process names, command-line executions, + and parent processes. This activity is significant as both Red Teams and adversaries + use `netstat.exe` for situational awareness and Active Directory discovery. If confirmed + malicious, this behavior could allow attackers to map network connections, identify + critical systems, and plan further lateral movement or data exfiltration. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -72,6 +75,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1049/AD_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1049/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/network_discovery_using_route_windows_app.yml b/detections/endpoint/network_discovery_using_route_windows_app.yml index b9c8b0a8fa..8663d4e1c5 100644 --- a/detections/endpoint/network_discovery_using_route_windows_app.yml +++ b/detections/endpoint/network_discovery_using_route_windows_app.yml @@ -1,14 +1,18 @@ name: Network Discovery Using Route Windows App id: dd83407e-439f-11ec-ab8e-acde48001122 -version: 2 -date: '2024-02-14' +version: 3 +date: '2024-05-19' author: Teoderick Contreras, Splunk status: production type: Hunting -description: This analytic look for a spawned process of route.exe windows application. - Adversaries and red teams alike abuse this application the recon or do a network - discovery on a target host. but one possible false positive might be an automated - tool used by a system administator or a powershell script in amazon ec2 config services. +description: The following analytic detects the execution of the `route.exe` Windows + application, commonly used for network discovery. It leverages data from Endpoint + Detection and Response (EDR) agents, focusing on process creation events. This activity + is significant because adversaries often use `route.exe` to map network routes and + identify potential targets within a network. If confirmed malicious, this behavior + could allow attackers to gain insights into network topology, facilitating lateral + movement and further exploitation. Note that false positives may occur due to legitimate + administrative tasks or automated scripts. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -68,6 +72,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/vilsel/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/vilsel/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog \ No newline at end of file + sourcetype: xmlwineventlog diff --git a/detections/endpoint/network_share_discovery_via_dir_command.yml b/detections/endpoint/network_share_discovery_via_dir_command.yml index 95da75461b..7be5739254 100644 --- a/detections/endpoint/network_share_discovery_via_dir_command.yml +++ b/detections/endpoint/network_share_discovery_via_dir_command.yml @@ -1,30 +1,31 @@ name: Network Share Discovery Via Dir Command id: dc1457d0-1d9b-422e-b5a7-db46c184d9aa -version: 1 -date: '2023-05-23' +version: 2 +date: '2024-05-19' author: Teoderick Contreras, Splunk status: production type: Hunting data_source: - Windows Event Log Security 5140 -description: The following analytic identifies object access on Windows administrative SMB shares (Admin$, IPC$, C$). - This represents suspicious behavior as its commonly used by tools like PsExec/PaExec and others - to stage service binaries before creating and starting a Windows service on remote - endpoints. Red Teams and adversaries alike may abuse administrative shares for lateral - movement and remote code execution. The IcedID malware family also implements - this behavior to try to infect other machines in the infected network. -search: '`wineventlog_security` EventCode=5140 ShareName IN("\\\\*\\ADMIN$","\\\\*\\C$","*\\\\*\\IPC$") AccessMask= 0x1 - | stats min(_time) as firstTime max(_time) as lastTime count by ShareName IpAddress ObjectType SubjectUserName SubjectDomainName IpPort AccessMask Computer - | rename Computer as dest - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +description: The following analytic detects access to Windows administrative SMB shares + (Admin$, IPC$, C$) using the 'dir' command. It leverages Windows Security Event + Logs with EventCode 5140 to identify this activity. This behavior is significant + as it is commonly used by tools like PsExec/PaExec for staging binaries before creating + and starting services on remote endpoints, a technique often employed by adversaries + for lateral movement and remote code execution. If confirmed malicious, this activity + could allow attackers to propagate malware, such as IcedID, across the network, + leading to widespread infection and potential data breaches. +search: '`wineventlog_security` EventCode=5140 ShareName IN("\\\\*\\ADMIN$","\\\\*\\C$","*\\\\*\\IPC$") + AccessMask= 0x1 | stats min(_time) as firstTime max(_time) as lastTime count by + ShareName IpAddress ObjectType SubjectUserName SubjectDomainName IpPort AccessMask + Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `network_share_discovery_via_dir_command_filter`' how_to_implement: To successfully implement this search, you need to be ingesting Windows Security Event Logs with 5140 EventCode enabled. The Windows TA is also required. Also enable the object Audit access success/failure in your group policy. -known_false_positives: System Administrators may use looks like net.exe or "dir commandline" for troubleshooting - or administrations tasks. However, this will typically come only from certain users - and certain systems that can be added to an allow list. +known_false_positives: System Administrators may use looks like net.exe or "dir commandline" + for troubleshooting or administrations tasks. However, this will typically come + only from certain users and certain systems that can be added to an allow list. references: - https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/ tags: @@ -51,7 +52,7 @@ tags: risk_score: 25 required_fields: - _time - - ShareName + - ShareName - IpAddress - ObjectType - SubjectUserName @@ -63,6 +64,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/net_share_discovery_via_dir/smb_access_security_xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/net_share_discovery_via_dir/smb_access_security_xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/network_traffic_to_active_directory_web_services_protocol.yml b/detections/endpoint/network_traffic_to_active_directory_web_services_protocol.yml index b39cd2557b..f3dc6a139b 100644 --- a/detections/endpoint/network_traffic_to_active_directory_web_services_protocol.yml +++ b/detections/endpoint/network_traffic_to_active_directory_web_services_protocol.yml @@ -1,16 +1,23 @@ name: Network Traffic to Active Directory Web Services Protocol id: 68a0056c-34cb-455f-b03d-df935ea62c4f -version: 2 -date: '2024-03-14' +version: 3 +date: '2024-05-18' author: Michael Haag, Splunk status: production type: Hunting data_source: - Sysmon EventID 3 -description: The following analytic identifies network traffic to Active Directory - Web Services Protocol. This protocol is used to manage Active Directory. The analytic is meant to be tuned and filtered to the specific environment. It will assist defenders in identifying suspicious processes accessing port 9389. -search: '| tstats count from datamodel=Network_Traffic where All_Traffic.dest_port=9389 by All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.app, All_Traffic.user, All_Traffic.dest_port - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name("All_Traffic")` | `network_traffic_to_active_directory_web_services_protocol_filter`' +description: The following analytic identifies network traffic directed to the Active + Directory Web Services Protocol (ADWS) on port 9389. It leverages network traffic + logs, focusing on source and destination IP addresses, application names, and destination + ports. This activity is significant as ADWS is used to manage Active Directory, + and unauthorized access could indicate malicious intent. If confirmed malicious, + an attacker could manipulate Active Directory, potentially leading to privilege + escalation, unauthorized access, or persistent control over the environment. +search: '| tstats count from datamodel=Network_Traffic where All_Traffic.dest_port=9389 + by All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.app, All_Traffic.user, All_Traffic.dest_port + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name("All_Traffic")` + | `network_traffic_to_active_directory_web_services_protocol_filter`' how_to_implement: The detection is based on data that originates from network traffic logs. The logs must contain the source and destination IP addresses, the application name, and the destination port. The logs must be processed using the appropriate @@ -18,8 +25,10 @@ how_to_implement: The detection is based on data that originates from network tr The logs must also be mapped to the `Network_Traffic` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives should be limited as the destination port - is specific to Active Directory Web Services Protocol, however we recommend utilizing this analytic to hunt for non-standard processes querying the ADWS port. Filter by App or dest_ip to AD servers and remove known proceses querying ADWS. +known_false_positives: False positives should be limited as the destination port is + specific to Active Directory Web Services Protocol, however we recommend utilizing + this analytic to hunt for non-standard processes querying the ADWS port. Filter + by App or dest_ip to AD servers and remove known proceses querying ADWS. references: - https://github.com/FalconForceTeam/SOAPHound tags: @@ -29,7 +38,8 @@ tags: atomic_guid: [] confidence: 50 impact: 20 - message: Network traffic to Active Directory Web Services Protocol was identified on $dest_ip$ by $src_ip$. + message: Network traffic to Active Directory Web Services Protocol was identified + on $dest_ip$ by $src_ip$. mitre_attack_id: - T1087.002 - T1069.001 @@ -62,6 +72,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/soaphound/sysmon_soaphound.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/soaphound/sysmon_soaphound.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/nishang_powershelltcponeline.yml b/detections/endpoint/nishang_powershelltcponeline.yml index 940d98dd76..0bfd311939 100644 --- a/detections/endpoint/nishang_powershelltcponeline.yml +++ b/detections/endpoint/nishang_powershelltcponeline.yml @@ -1,16 +1,17 @@ name: Nishang PowershellTCPOneLine id: 1a382c6c-7c2e-11eb-ac69-acde48001122 -version: 2 -date: '2021-03-03' +version: 3 +date: '2024-05-18' author: Michael Haag, Splunk status: production type: TTP -description: This query detects the Nishang Invoke-PowerShellTCPOneLine utility that - spawns a call back to a remote Command And Control server. This is a powershell - oneliner. In addition, this will capture on the command-line additional utilities - used by Nishang. Triage the endpoint and identify any parallel processes that look - suspicious. Review the reputation of the remote IP or domain contacted by the powershell - process. +description: The following analytic detects the use of the Nishang Invoke-PowerShellTCPOneLine + utility, which initiates a callback to a remote Command and Control (C2) server. + It leverages Endpoint Detection and Response (EDR) data, focusing on PowerShell + processes that include specific .NET classes like Net.Sockets.TCPClient and System.Text.ASCIIEncoding. + This activity is significant as it indicates potential remote control or data exfiltration + attempts by an attacker. If confirmed malicious, this could lead to unauthorized + remote access, data theft, or further compromise of the affected system. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -72,6 +73,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/nltest_domain_trust_discovery.yml b/detections/endpoint/nltest_domain_trust_discovery.yml index e48d1ba8e2..ac75839a79 100644 --- a/detections/endpoint/nltest_domain_trust_discovery.yml +++ b/detections/endpoint/nltest_domain_trust_discovery.yml @@ -1,15 +1,18 @@ name: NLTest Domain Trust Discovery id: c3e05466-5f22-11eb-ae93-0242ac130002 -version: 2 -date: '2022-04-18' +version: 3 +date: '2024-05-17' author: Michael Haag, Splunk status: production type: TTP -description: This search looks for the execution of `nltest.exe` with command-line - arguments utilized to query for Domain Trust information. Two arguments `/domain - trusts`, returns a list of trusted domains, and `/all_trusts`, returns all trusted - domains. Red Teams and adversaries alike use NLTest.exe to enumerate the current - domain to assist with further understanding where to pivot next. +description: The following analytic identifies the execution of `nltest.exe` with + command-line arguments `/domain_trusts` or `/all_trusts` to query Domain Trust information. + It leverages data from Endpoint Detection and Response (EDR) agents, focusing on + process execution logs and command-line arguments. This activity is significant + as it indicates potential reconnaissance efforts by adversaries to understand domain + trust relationships, which can inform their lateral movement strategies. If confirmed + malicious, this activity could enable attackers to map out trusted domains, facilitating + further compromise and pivoting within the network. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -74,6 +77,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1482/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1482/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml b/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml index 75b6c5a6df..464c1c598c 100644 --- a/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml +++ b/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml @@ -1,25 +1,25 @@ name: Non Chrome Process Accessing Chrome Default Dir id: 81263de4-160a-11ec-944f-acde48001122 -version: 2 -date: '2024-04-26' +version: 3 +date: '2024-05-25' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This search is to detect an anomaly event of a non-chrome process accessing - the files in chrome user default folder. This folder contains all the sqlite database - of the chrome browser related to users login, history, cookies and etc. Most of - the RAT, trojan spy as well as FIN7 jssloader try to parse the those sqlite database - to collect information on the compromised host. This SACL Event (4663) need to be - enabled to tthe firefox profile directory to be eable to use this. Since you monitoring - this access to the folder, we observed noise that needs to be filter out and hence - added sqlite db browser and explorer .exe to make this detection more stable. +description: The following analytic detects a non-Chrome process accessing files in + the Chrome user default folder. It leverages Windows Security Event logs, specifically + event code 4663, to identify unauthorized access attempts. This activity is significant + because the Chrome default folder contains sensitive user data such as login credentials, + browsing history, and cookies. If confirmed malicious, this behavior could indicate + an attempt to exfiltrate sensitive information, often associated with RATs, trojans, + and advanced persistent threats like FIN7. Such access could lead to data theft + and further compromise of the affected system. data_source: - Windows Event Log Security 4663 search: '`wineventlog_security` EventCode=4663 NOT (ProcessName IN ("*\\chrome.exe", "*\\explorer.exe", "*sql*")) ObjectName="*\\Google\\Chrome\\User Data\\Default*" | stats count min(_time) as firstTime max(_time) as lastTime by ObjectName ObjectType - ProcessName AccessMask EventCode dest | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `non_chrome_process_accessing_chrome_default_dir_filter`' + ProcessName AccessMask EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `non_chrome_process_accessing_chrome_default_dir_filter`' how_to_implement: To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." @@ -71,6 +71,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555/non_chrome_process_accessing_chrome_default_dir/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555/non_chrome_process_accessing_chrome_default_dir/windows-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml b/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml index 005d99e2ec..0bf0bb5353 100644 --- a/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml +++ b/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml @@ -1,25 +1,24 @@ name: Non Firefox Process Access Firefox Profile Dir id: e6fc13b0-1609-11ec-b533-acde48001122 -version: 2 -date: '2024-04-26' +version: 3 +date: '2024-05-19' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This search is to detect an anomaly event of a non-firefox process accessing - the files in the profile folder. This folder contains all the sqlite database of - the firefox browser related to users login, history, cookies and etc. Most of the - RAT, trojan spy as well as FIN7 jssloader try to parse the those sqlite database - to collect information on the compromised host. This SACL Event (4663) needs to - be enabled to the firefox profile directory to use this. Since this is monitoring - the access to the folder, we have obsevered noise and hence added `sqlite db browser` - and `explorer.exe` to make this detection more stable. +description: The following analytic detects non-Firefox processes accessing the Firefox + profile directory, which contains sensitive user data such as login credentials, + browsing history, and cookies. It leverages Windows Security Event logs, specifically + event code 4663, to monitor access attempts. This activity is significant because + it may indicate attempts by malware, such as RATs or trojans, to harvest user information. + If confirmed malicious, this behavior could lead to data exfiltration, unauthorized + access to user accounts, and further compromise of the affected system. data_source: - Windows Event Log Security 4663 search: '`wineventlog_security` EventCode=4663 NOT (ProcessName IN ("*\\firefox.exe", "*\\explorer.exe", "*sql*")) ObjectName="*\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles*" | stats count min(_time) as firstTime max(_time) as lastTime by ObjectName ObjectType - ProcessName AccessMask EventCode dest | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `non_firefox_process_access_firefox_profile_dir_filter`' + ProcessName AccessMask EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `non_firefox_process_access_firefox_profile_dir_filter`' how_to_implement: To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." @@ -72,6 +71,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555/non_chrome_process_accessing_chrome_default_dir/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555/non_chrome_process_accessing_chrome_default_dir/windows-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/notepad_with_no_command_line_arguments.yml b/detections/endpoint/notepad_with_no_command_line_arguments.yml index 81d8c576b2..419918270a 100644 --- a/detections/endpoint/notepad_with_no_command_line_arguments.yml +++ b/detections/endpoint/notepad_with_no_command_line_arguments.yml @@ -1,19 +1,20 @@ name: Notepad with no Command Line Arguments id: 5adbc5f1-9a2f-41c1-a810-f37e015f8179 -version: 1 -date: '2023-02-22' +version: 2 +date: '2024-05-18' author: Michael Haag, Splunk type: TTP status: production data_source: - Sysmon EventID 1 -description: The following analytic identifies behavior related to default SliverC2 - framework where it will inject into Notepad.exe and spawn Notepad.exe with no command - line arguments. In testing, this is a common procedure for SliverC2 usage, however - may be modified or changed. From Microsoft, "The Sideload, SpawnDll, and Execute-Assembly - commands spawn and inject into notepad.exe by default. The following query finds - process creation events where the same process creates and injects into notepad.exe - within 10 seconds." +description: The following analytic identifies instances where Notepad.exe is launched + without any command line arguments, a behavior commonly associated with the SliverC2 + framework. This detection leverages process creation events from Endpoint Detection + and Response (EDR) agents, focusing on processes initiated by Notepad.exe within + a short time frame. This activity is significant as it may indicate an attempt to + inject malicious code into Notepad.exe, a known tactic for evading detection. If + confirmed malicious, this could allow an attacker to execute arbitrary code, potentially + leading to system compromise and unauthorized access. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_name=notepad.exe AND Processes.action!="blocked" by host _time span=1h Processes.process_id Processes.process_name @@ -80,6 +81,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/sliver/notepad_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/sliver/notepad_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/ntdsutil_export_ntds.yml b/detections/endpoint/ntdsutil_export_ntds.yml index 985c2743c1..34a70d201c 100644 --- a/detections/endpoint/ntdsutil_export_ntds.yml +++ b/detections/endpoint/ntdsutil_export_ntds.yml @@ -1,21 +1,17 @@ name: Ntdsutil Export NTDS id: da63bc76-61ae-11eb-ae93-0242ac130002 -version: 1 -date: '2021-01-28' +version: 2 +date: '2024-05-30' author: Michael Haag, Patrick Bareiss, Splunk status: production type: TTP -description: 'Monitor for signs that Ntdsutil is being used to Extract Active Directory - database - NTDS.dit, typically used for offline password cracking. It may be used - in normal circumstances with no command line arguments or shorthand variations of - more common arguments. Ntdsutil.exe is typically seen run on a Windows Server. Typical - command used to dump ntds.dit - - ntdsutil "ac i ntds" "ifm" "create full C:\Temp" q q - - This technique uses "Install from Media" (IFM), which will extract a copy of the - Active Directory database. A successful export of the Active Directory database - will yield a file modification named ntds.dit to the destination.' +description: 'The following analytic detects the use of Ntdsutil to export the Active + Directory database (NTDS.dit). It leverages data from Endpoint Detection and Response + (EDR) agents, focusing on process names and command-line arguments. This activity + is significant because exporting NTDS.dit can be a precursor to offline password + cracking, posing a severe security risk. If confirmed malicious, an attacker could + gain access to sensitive credentials, potentially leading to unauthorized access + and privilege escalation within the network.' data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -79,6 +75,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.003/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.003/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/office_application_drop_executable.yml b/detections/endpoint/office_application_drop_executable.yml index 2bfb827a22..4991080650 100644 --- a/detections/endpoint/office_application_drop_executable.yml +++ b/detections/endpoint/office_application_drop_executable.yml @@ -1,16 +1,18 @@ name: Office Application Drop Executable id: 73ce70c4-146d-11ec-9184-acde48001122 -version: 4 -date: '2023-02-15' +version: 5 +date: '2024-05-14' author: Teoderick Contreras, Michael Haag, Splunk, TheLawsOfChaos, Github status: production type: TTP -description: This search is to detect a suspicious MS office application that drops - or creates executables or scripts in a Windows Operating System. This behavior is - commonly seen in spear phishing office attachment where it drop malicious files - or script to compromised the host. It might be some normal macro may drop script - or tools as part of automation but still this behavior is reallly suspicious and - not commonly seen in normal office application +description: The following analytic detects Microsoft Office applications dropping + or creating executables or scripts on a Windows OS. It leverages process creation + and file system events from the Endpoint data model to identify Office applications + like Word or Excel generating files with extensions such as .exe, .dll, or .ps1. + This behavior is significant as it is often associated with spear-phishing attacks + where malicious files are dropped to compromise the host. If confirmed malicious, + this activity could lead to code execution, privilege escalation, or persistent + access, posing a severe threat to the environment. data_source: - Sysmon EventID 1 - Sysmon EventID 11 @@ -74,6 +76,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/fin7_macro_js_1/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/fin7_macro_js_1/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/office_application_spawn_regsvr32_process.yml b/detections/endpoint/office_application_spawn_regsvr32_process.yml index d1dbe0c653..bbf6fa1519 100644 --- a/detections/endpoint/office_application_spawn_regsvr32_process.yml +++ b/detections/endpoint/office_application_spawn_regsvr32_process.yml @@ -1,14 +1,18 @@ name: Office Application Spawn Regsvr32 process id: 2d9fc90c-f11f-11eb-9300-acde48001122 -version: 4 -date: '2023-02-15' +version: 5 +date: '2024-05-20' author: Teoderick Contreras, Splunk status: production type: TTP -description: this detection was designed to identifies suspicious spawned process - of known MS office application due to macro or malicious code. this technique can - be seen in so many malware like IcedID that used MS office as its weapon or attack - vector to initially infect the machines. +description: The following analytic identifies instances where an Office application + spawns a Regsvr32 process, which is often indicative of macro execution or malicious + code. This detection leverages data from Endpoint Detection and Response (EDR) agents, + focusing on process creation events where the parent process is a known Office application. + This activity is significant because it is a common technique used by malware, such + as IcedID, to initiate infections. If confirmed malicious, this behavior could lead + to code execution, allowing attackers to gain control over the affected system and + potentially escalate privileges. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -72,6 +76,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/phish_icedid/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/phish_icedid/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/office_application_spawn_rundll32_process.yml b/detections/endpoint/office_application_spawn_rundll32_process.yml index e4d5ebefd0..8c30efb8d2 100644 --- a/detections/endpoint/office_application_spawn_rundll32_process.yml +++ b/detections/endpoint/office_application_spawn_rundll32_process.yml @@ -1,14 +1,17 @@ name: Office Application Spawn rundll32 process id: 958751e4-9c5f-11eb-b103-acde48001122 -version: 4 -date: '2023-02-15' +version: 5 +date: '2024-05-25' author: Teoderick Contreras, Splunk status: production type: TTP -description: This detection was designed to identify suspicious spawned processes - of known MS office applications due to macro or malicious code. this technique can - be seen in so many malware like trickbot that used MS office as its weapon or attack - vector to initially infect the machines. +description: The following analytic identifies instances where an Office application + spawns a rundll32 process, which is often indicative of macro execution or malicious + code. This detection leverages data from Endpoint Detection and Response (EDR) agents, + focusing on process creation events where the parent process is a known Office application. + This activity is significant because it is a common technique used by malware, such + as Trickbot, to initiate infections. If confirmed malicious, this behavior could + lead to code execution, further system compromise, and potential data exfiltration. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -75,6 +78,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/datasets/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/datasets/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/office_document_creating_schedule_task.yml b/detections/endpoint/office_document_creating_schedule_task.yml index f3b023ecc9..bf7281830a 100644 --- a/detections/endpoint/office_document_creating_schedule_task.yml +++ b/detections/endpoint/office_document_creating_schedule_task.yml @@ -1,31 +1,23 @@ name: Office Document Creating Schedule Task id: cc8b7b74-9d0f-11eb-8342-acde48001122 -version: 6 -date: '2024-03-14' +version: 7 +date: '2024-05-16' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects a potentially malicious office document that creates - a scheduled task entry either through a macro VBA API or by loading taskschd.dll. This - technique has been observed in numerous instances of malicious macro malware aiming to establish persistence - or beaconing through task schedule entries. The analytic will return the first and - last time the task was registered, as well as details such as the `Command` to be executed, - `Task Name`, `Author`, `Enabled` status, and whether it is `Hidden`. schtasks.exe - is natively located in `C:\Windows\system32` and `C:\Windows\syswow64`. The DLL(s) - `taskschd.dll` are loaded when schtasks.exe or TaskService is initiated. If this DLL is found loaded by another process, it may indicate that a scheduled task is being registered - within that process's context in memory. During triage, determine the source of the scheduled - task. Was it schtasks.exe or via TaskService? Review the job created and the command - to be executed. Capture any artifacts on disk for further review. Identify any parallel - processes within the same timeframe to pinpoint the source.' +description: The following analytic detects an Office document creating a scheduled + task, either through a macro VBA API or by loading `taskschd.dll`. This detection + leverages Sysmon EventCode 7 to identify when Office applications load the `taskschd.dll` + file. This activity is significant as it is a common technique used by malicious + macro malware to establish persistence or initiate beaconing. If confirmed malicious, + this could allow an attacker to maintain persistence, execute arbitrary commands, + or schedule future malicious activities, posing a significant threat to the environment. data_source: - Sysmon EventID 7 -search: '`sysmon` EventCode=7 process_name IN ("WINWORD.EXE", "EXCEL.EXE", - "POWERPNT.EXE","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe", - "msaccess.exe") loaded_file_path = "*\\taskschd.dll" - | stats min(_time) as firstTime - max(_time) as lastTime count by user_id, dest, process_name,loaded_file, loaded_file_path, original_file_name, process_guid - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +search: '`sysmon` EventCode=7 process_name IN ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe", + "msaccess.exe") loaded_file_path = "*\\taskschd.dll" | stats min(_time) as firstTime + max(_time) as lastTime count by user_id, dest, process_name,loaded_file, loaded_file_path, + original_file_name, process_guid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `office_document_creating_schedule_task_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and ImageLoaded (Like sysmon EventCode 7) from your endpoints. @@ -45,8 +37,8 @@ tags: asset_type: Endpoint confidence: 70 impact: 70 - message: An Office document was identified creating a scheduled task on $dest$. Investigate - further. + message: An Office document was identified creating a scheduled task on $dest$. + Investigate further. mitre_attack_id: - T1566 - T1566.001 @@ -74,6 +66,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/datasets/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/datasets/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/office_document_executing_macro_code.yml b/detections/endpoint/office_document_executing_macro_code.yml index 6c7ca46330..41a3287902 100644 --- a/detections/endpoint/office_document_executing_macro_code.yml +++ b/detections/endpoint/office_document_executing_macro_code.yml @@ -1,25 +1,24 @@ name: Office Document Executing Macro Code id: b12c89bc-9d06-11eb-a592-acde48001122 -version: 5 -date: '2024-03-17' +version: 6 +date: '2024-05-12' author: Teoderick Contreras, Splunk status: production type: TTP -description: This detection is designed to identify suspicious office documents - that utilize macro code. Macro code is known to be a prevalent weaponization - or attack vector for threat actors. This malicious macro code can be embedded in an office - document as an attachment, potentially executing a malicious payload, downloading malware, - or other malicious components. It is a good practice to disable macros by default - to prevent the automatic execution of macro code when opening or closing office document - files. +description: The following analytic identifies office documents executing macro code. + It leverages Sysmon EventCode 7 to detect when processes like WINWORD.EXE or EXCEL.EXE + load specific DLLs associated with macros (e.g., VBE7.DLL). This activity is significant + because macros are a common attack vector for delivering malicious payloads, such + as malware. If confirmed malicious, this could lead to unauthorized code execution, + data exfiltration, or further compromise of the system. Disabling macros by default + is recommended to mitigate this risk. data_source: - Sysmon EventID 7 -search: '`sysmon` EventCode=7 process_name IN ("WINWORD.EXE", "EXCEL.EXE", - "POWERPNT.EXE","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe","msaccess.exe") +search: '`sysmon` EventCode=7 process_name IN ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe","msaccess.exe") loaded_file_path IN ("*\\VBE7INTL.DLL","*\\VBE7.DLL", "*\\VBEUI.DLL") | stats min(_time) - as firstTime max(_time) as lastTime values(loaded_file) as loaded_file count - by dest EventCode process_name process_guid | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `office_document_executing_macro_code_filter`' + as firstTime max(_time) as lastTime values(loaded_file) as loaded_file count by + dest EventCode process_name process_guid | `security_content_ctime(firstTime)` | + `security_content_ctime(lastTime)` | `office_document_executing_macro_code_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and ImageLoaded (Like sysmon EventCode 7) from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. @@ -78,6 +77,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/datasets/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/datasets/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog \ No newline at end of file + sourcetype: xmlwineventlog diff --git a/detections/endpoint/office_document_spawned_child_process_to_download.yml b/detections/endpoint/office_document_spawned_child_process_to_download.yml index 84ef9f520a..f359bb1535 100644 --- a/detections/endpoint/office_document_spawned_child_process_to_download.yml +++ b/detections/endpoint/office_document_spawned_child_process_to_download.yml @@ -1,14 +1,18 @@ name: Office Document Spawned Child Process To Download id: 6fed27d2-9ec7-11eb-8fe4-aa665a019aa3 -version: 6 -date: '2023-07-11' +version: 7 +date: '2024-05-12' author: Teoderick Contreras, Splunk status: production type: TTP -description: This search is to detect potential malicious office document executing - lolbin child process to download payload or other malware. Since most of the attacker - abused the capability of office document to execute living on land application to - blend it to the normal noise in the infected machine to cover its track. +description: The following analytic identifies Office applications spawning child + processes to download content via HTTP/HTTPS. It leverages data from Endpoint Detection + and Response (EDR) agents, focusing on process creation events where Office applications + like Word or Excel initiate network connections, excluding common browsers. This + activity is significant as it often indicates the use of malicious documents to + execute living-off-the-land binaries (LOLBins) for payload delivery. If confirmed + malicious, this behavior could lead to unauthorized code execution, data exfiltration, + or further malware deployment, posing a severe threat to the organization's security. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -73,6 +77,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/datasets2/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/datasets2/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/office_product_spawn_cmd_process.yml b/detections/endpoint/office_product_spawn_cmd_process.yml index 9bce73fe2d..eefddc7ecd 100644 --- a/detections/endpoint/office_product_spawn_cmd_process.yml +++ b/detections/endpoint/office_product_spawn_cmd_process.yml @@ -1,15 +1,18 @@ name: Office Product Spawn CMD Process id: b8b19420-e892-11eb-9244-acde48001122 -version: 5 -date: '2023-07-11' +version: 6 +date: '2024-05-24' author: Teoderick Contreras, Splunk status: production type: TTP -description: this search is to detect a suspicious office product process that spawn - cmd child process. This is commonly seen in a ms office product having macro to - execute shell command to download or execute malicious lolbin relative to its malicious - code. This is seen in trickbot spear phishing doc where it execute shell cmd to - run mshta payload. +description: The following analytic detects an Office product spawning a CMD process, + which is indicative of a macro executing shell commands to download or run malicious + code. This detection leverages data from Endpoint Detection and Response (EDR) agents, + focusing on process and parent process names. This activity is significant as it + often signals the execution of malicious payloads, such as those seen in Trickbot + spear-phishing campaigns. If confirmed malicious, this behavior could lead to unauthorized + code execution, potentially compromising the system and allowing further malicious + activities. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -18,10 +21,11 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime = "powerpnt.exe" OR Processes.parent_process_name= "onenote.exe" OR Processes.parent_process_name = "onenotem.exe" OR Processes.parent_process_name = "onenoteviewer.exe" OR Processes.parent_process_name = "onenoteim.exe" OR Processes.parent_process_name = "msaccess.exe" OR Processes.parent_process_name="Graph.exe" - OR Processes.parent_process_name="winproj.exe") `process_cmd` by Processes.parent_process_name Processes.parent_process - Processes.process_name Processes.process Processes.process_id Processes.process_guid - Processes.user Processes.dest Processes.original_file_name | `drop_dm_object_name("Processes")` - | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `office_product_spawn_cmd_process_filter`' + OR Processes.parent_process_name="winproj.exe") `process_cmd` by Processes.parent_process_name + Processes.parent_process Processes.process_name Processes.process Processes.process_id + Processes.process_guid Processes.user Processes.dest Processes.original_file_name + | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` + | `office_product_spawn_cmd_process_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -90,6 +94,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/spear_phish/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/spear_phish/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/office_product_spawning_bitsadmin.yml b/detections/endpoint/office_product_spawning_bitsadmin.yml index 7d36a38e8d..ec0b2821fe 100644 --- a/detections/endpoint/office_product_spawning_bitsadmin.yml +++ b/detections/endpoint/office_product_spawning_bitsadmin.yml @@ -1,30 +1,28 @@ name: Office Product Spawning BITSAdmin id: e8c591f4-a6d7-11eb-8cf7-acde48001122 -version: 5 -date: '2023-07-11' +version: 6 +date: '2024-05-11' author: Michael Haag, Splunk status: production type: TTP -description: The following detection identifies the latest behavior utilized by different - malware families (including TA551, IcedID). This detection identifies any Windows - Office Product spawning `bitsadmin.exe`. In malicious instances, the command-line - of `bitsadmin.exe` will contain a URL to a remote destination or similar command-line - arguments as transfer, Download, priority, Foreground. In addition, Threat Research - has released a detections identifying suspicious use of `bitsadmin.exe`. In this - instance, we narrow our detection down to the Office suite as a parent process. - During triage, review all file modifications. Capture and analyze any artifacts - on disk. The Office Product, or `bitsadmin.exe` will have reached out to a remote - destination, capture and block the IPs or domain. Review additional parallel processes - for further activity. +description: The following analytic detects any Windows Office Product spawning `bitsadmin.exe`, + a behavior often associated with malware families like TA551 and IcedID. This detection + leverages data from Endpoint Detection and Response (EDR) agents, focusing on process + and parent process relationships. This activity is significant because `bitsadmin.exe` + is commonly used for malicious file transfers, potentially indicating a malware + infection. If confirmed malicious, this activity could allow attackers to download + additional payloads, escalate privileges, or establish persistence, leading to further + compromise of the affected system. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe", "msaccess.exe", "Graph.exe","winproj.exe") `process_bitsadmin` by Processes.dest - Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name - Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `office_product_spawning_bitsadmin_filter`' + Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name + Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` + | `office_product_spawning_bitsadmin_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -81,6 +79,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_macros.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_macros.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/office_product_spawning_certutil.yml b/detections/endpoint/office_product_spawning_certutil.yml index 920b784cf8..4f69c47264 100644 --- a/detections/endpoint/office_product_spawning_certutil.yml +++ b/detections/endpoint/office_product_spawning_certutil.yml @@ -1,29 +1,27 @@ name: Office Product Spawning CertUtil id: 6925fe72-a6d5-11eb-9e17-acde48001122 -version: 5 -date: '2023-07-11' +version: 6 +date: '2024-05-17' author: Michael Haag, Splunk status: production type: TTP -description: The following detection identifies the latest behavior utilized by different - malware families (including TA551, IcedID). This detection identifies any Windows - Office Product spawning `certutil.exe`. In malicious instances, the command-line - of `certutil.exe` will contain a URL to a remote destination. In addition, Threat - Research has released a detections identifying suspicious use of `certutil.exe`. - In this instance, we narrow our detection down to the Office suite as a parent process. - During triage, review all file modifications. Capture and analyze any artifacts - on disk. The Office Product, or `certutil.exe` will have reached out to a remote - destination, capture and block the IPs or domain. Review additional parallel processes - for further activity. +description: The following analytic detects any Windows Office Product spawning `certutil.exe`, + a behavior often associated with malware families like TA551 and IcedID. This detection + leverages Endpoint Detection and Response (EDR) data, focusing on process relationships + and command-line executions. The significance lies in the fact that `certutil.exe` + is frequently used for downloading malicious payloads from remote URLs. If confirmed + malicious, this activity could lead to unauthorized code execution, data exfiltration, + or further system compromise. Immediate investigation and containment are crucial + to prevent potential damage. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe","msaccess.exe", - "Graph.exe","winproj.exe") `process_certutil` by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process - Processes.process_name Processes.original_file_name Processes.process Processes.process_id - Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| - `security_content_ctime(lastTime)` | `office_product_spawning_certutil_filter`' + "Graph.exe","winproj.exe") `process_certutil` by Processes.dest Processes.user Processes.parent_process_name + Processes.parent_process Processes.process_name Processes.original_file_name Processes.process + Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `office_product_spawning_certutil_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -83,6 +81,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_macros.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_macros.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/office_product_spawning_mshta.yml b/detections/endpoint/office_product_spawning_mshta.yml index 86f5981bab..77be35a956 100644 --- a/detections/endpoint/office_product_spawning_mshta.yml +++ b/detections/endpoint/office_product_spawning_mshta.yml @@ -1,28 +1,26 @@ name: Office Product Spawning MSHTA id: 6078fa20-a6d2-11eb-b662-acde48001122 -version: 4 -date: '2023-07-11' +version: 5 +date: '2024-05-27' author: Michael Haag, Splunk status: production type: TTP -description: The following detection identifies the latest behavior utilized by different - malware families (including TA551, IcedID). This detection identifies any Windows - Office Product spawning `mshta.exe`. In malicious instances, the command-line of - `mshta.exe` will contain the `hta` file locally, or a URL to the remote destination. - In addition, Threat Research has released a detections identifying suspicious use - of `mshta.exe`. In this instance, we narrow our detection down to the Office suite - as a parent process. During triage, review all file modifications. Capture and analyze - any artifacts on disk. The Office Product, or `mshta.exe` will have reached out - to a remote destination, capture and block the IPs or domain. Review additional - parallel processes for further activity. +description: The following analytic identifies instances where a Microsoft Office + product spawns `mshta.exe`. This detection leverages data from Endpoint Detection + and Response (EDR) agents, focusing on process creation events where the parent + process is an Office application. This activity is significant because it is a common + technique used by malware families like TA551 and IcedID to execute malicious scripts + or payloads. If confirmed malicious, this behavior could allow attackers to execute + arbitrary code, potentially leading to data exfiltration, system compromise, or + further malware deployment. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe", "onenote.exe","onenotem.exe", - "msaccess.exe","Graph.exe","winproj.exe") `process_mshta` by Processes.dest Processes.user Processes.parent_process_name - Processes.parent_process Processes.process_name Processes.original_file_name Processes.process - Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + "msaccess.exe","Graph.exe","winproj.exe") `process_mshta` by Processes.dest Processes.user + Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name + Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `office_product_spawning_mshta_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related @@ -82,6 +80,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_macros.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_macros.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/office_product_spawning_rundll32_with_no_dll.yml b/detections/endpoint/office_product_spawning_rundll32_with_no_dll.yml index 90b3518b21..b0350eb750 100644 --- a/detections/endpoint/office_product_spawning_rundll32_with_no_dll.yml +++ b/detections/endpoint/office_product_spawning_rundll32_with_no_dll.yml @@ -1,29 +1,28 @@ name: Office Product Spawning Rundll32 with no DLL id: c661f6be-a38c-11eb-be57-acde48001122 -version: 5 -date: '2023-07-11' +version: 6 +date: '2024-05-18' author: Michael Haag, Splunk status: production type: TTP -description: The following detection identifies the latest behavior utilized by IcedID - malware family. This detection identifies any Windows Office Product spawning `rundll32.exe` - without a `.dll` file extension. In malicious instances, the command-line of `rundll32.exe` - will look like `rundll32 ..\oepddl.igk2,DllRegisterServer`. In addition, Threat - Research has released a detection identifying the use of `DllRegisterServer` on - the command-line of `rundll32.exe`. In this instance, we narrow our detection down - to the Office suite as a parent process. During triage, review all file modifications. - Capture and analyze the `DLL` that was dropped to disk. The Office Product will - have reached out to a remote destination, capture and block the IPs or domain. Review - additional parallel processes for further activity. +description: The following analytic detects any Windows Office Product spawning `rundll32.exe` + without a `.dll` file extension. This behavior is identified using Endpoint Detection + and Response (EDR) telemetry, focusing on process and parent process relationships. + This activity is significant as it is a known tactic of the IcedID malware family, + which can lead to unauthorized code execution. If confirmed malicious, this could + allow attackers to execute arbitrary code, potentially leading to data exfiltration, + system compromise, or further malware deployment. Immediate investigation and containment + are recommended. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe", "msaccess.exe", "Graph.exe","winproj.exe") `process_rundll32` (Processes.process!=*.dll*) - by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name - Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `office_product_spawning_rundll32_with_no_dll_filter`' + by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` + | `office_product_spawning_rundll32_with_no_dll_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -83,6 +82,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_icedid.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_icedid.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/office_product_spawning_wmic.yml b/detections/endpoint/office_product_spawning_wmic.yml index 465da61574..e6be1c2d40 100644 --- a/detections/endpoint/office_product_spawning_wmic.yml +++ b/detections/endpoint/office_product_spawning_wmic.yml @@ -1,29 +1,27 @@ name: Office Product Spawning Wmic id: ffc236d6-a6c9-11eb-95f1-acde48001122 -version: 6 -date: '2023-07-11' +version: 7 +date: '2024-05-13' author: Michael Haag, Splunk status: production type: TTP -description: The following detection identifies the latest behavior utilized by Ursnif - malware family. This detection identifies any Windows Office Product spawning `wmic.exe`. - In malicious instances, the command-line of `wmic.exe` will contain `wmic process - call create`. In addition, Threat Research has released a detection identifying - the use of `wmic process call create` on the command-line of `wmic.exe`. In this - instance, we narrow our detection down to the Office suite as a parent process. - During triage, review all file modifications. Capture and analyze any artifacts - on disk. The Office Product, or `wmic.exe` will have reached out to a remote destination, - capture and block the IPs or domain. Review additional parallel processes for further - activity. +description: The following analytic detects any Windows Office Product spawning `wmic.exe`, + specifically when the command-line of `wmic.exe` contains `wmic process call create`. + This behavior is identified using data from Endpoint Detection and Response (EDR) + agents, focusing on process and parent process relationships. This activity is significant + as it is commonly associated with the Ursnif malware family, indicating potential + malicious activity. If confirmed malicious, this could allow an attacker to execute + arbitrary commands, leading to further system compromise, data exfiltration, or + lateral movement within the network. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe","msaccess.exe", - "Graph.exe","winproj.exe") `process_wmic` by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process - Processes.process_name Processes.original_file_name Processes.process Processes.process_id - Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| - `security_content_ctime(lastTime)` | `office_product_spawning_wmic_filter`' + "Graph.exe","winproj.exe") `process_wmic` by Processes.dest Processes.user Processes.parent_process_name + Processes.parent_process Processes.process_name Processes.original_file_name Processes.process + Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `office_product_spawning_wmic_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -83,6 +81,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_macros.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_macros.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/office_product_writing_cab_or_inf.yml b/detections/endpoint/office_product_writing_cab_or_inf.yml index c776deb2b5..b72c3790b4 100644 --- a/detections/endpoint/office_product_writing_cab_or_inf.yml +++ b/detections/endpoint/office_product_writing_cab_or_inf.yml @@ -1,14 +1,17 @@ name: Office Product Writing cab or inf id: f48cd1d4-125a-11ec-a447-acde48001122 -version: 4 -date: '2023-02-15' +version: 5 +date: '2024-05-27' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies behavior related to CVE-2021-40444. - Whereas the malicious document will load ActiveX and download the remote payload - (.inf, .cab). During triage, review parallel processes and further activity on endpoint - to identify additional patterns. Retrieve the file modifications and analyze further. +description: The following analytic detects Office products writing .cab or .inf files, + indicative of CVE-2021-40444 exploitation. It leverages the Endpoint.Processes and + Endpoint.Filesystem data models to identify Office applications creating these file + types. This activity is significant as it may signal an attempt to load malicious + ActiveX controls and download remote payloads, a known attack vector. If confirmed + malicious, this could lead to remote code execution, allowing attackers to gain + control over the affected system and potentially compromise sensitive data. data_source: - Sysmon EventID 1 - Sysmon EventID 11 @@ -77,6 +80,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_cabinf.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_cabinf.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/office_spawning_control.yml b/detections/endpoint/office_spawning_control.yml index c44032083c..0ea96e2f34 100644 --- a/detections/endpoint/office_spawning_control.yml +++ b/detections/endpoint/office_spawning_control.yml @@ -1,26 +1,27 @@ name: Office Spawning Control id: 053e027c-10c7-11ec-8437-acde48001122 -version: 4 -date: '2023-11-07' +version: 5 +date: '2024-05-11' author: Michael Haag, Splunk status: production type: TTP -description: The following detection identifies control.exe spawning from an office - product. This detection identifies any Windows Office Product spawning `control.exe`. - In malicious instances, the command-line of `control.exe` will contain a file path - to a .cpl or .inf, related to CVE-2021-40444. In this instance, we narrow our detection - down to the Office suite as a parent process. During triage, review all file modifications. - Capture and analyze any artifacts on disk. review parallel and child processes to - identify further suspicious behavior +description: The following analytic identifies instances where `control.exe` is spawned + by a Microsoft Office product. It leverages data from Endpoint Detection and Response + (EDR) agents, focusing on process and parent process relationships. This activity + is significant because it can indicate exploitation attempts related to CVE-2021-40444, + where `control.exe` is used to execute malicious .cpl or .inf files. If confirmed + malicious, this behavior could allow an attacker to execute arbitrary code, potentially + leading to system compromise, data exfiltration, or further lateral movement within + the network. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","wordpad.exe","wordview.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe","msaccess.exe") - Processes.process_name=control.exe by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process - Processes.process_name Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| - `office_spawning_control_filter`' + Processes.process_name=control.exe by Processes.dest Processes.user Processes.parent_process_name + Processes.parent_process Processes.process_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| + `security_content_ctime(lastTime)`| `office_spawning_control_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -87,6 +88,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_control.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_control.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/outbound_network_connection_from_java_using_default_ports.yml b/detections/endpoint/outbound_network_connection_from_java_using_default_ports.yml index 709f6e4fb7..40b85044fc 100644 --- a/detections/endpoint/outbound_network_connection_from_java_using_default_ports.yml +++ b/detections/endpoint/outbound_network_connection_from_java_using_default_ports.yml @@ -1,17 +1,17 @@ name: Outbound Network Connection from Java Using Default Ports id: d2c14d28-5c47-11ec-9892-acde48001122 -version: 2 -date: '2022-06-28' +version: 3 +date: '2024-05-26' author: Mauricio Velazco, Lou Stella, Splunk status: production type: TTP -description: A required step while exploiting the CVE-2021-44228-Log4j vulnerability - is that the victim server will perform outbound connections to attacker-controlled - infrastructure. This is required as part of the JNDI lookup as well as for retrieving - the second stage .class payload. The following analytic identifies the Java process - reaching out to default ports used by the LDAP and RMI protocols. This behavior - could represent successfull exploitation. Note that adversaries can easily decide - to use arbitrary ports for these protocols and potentially bypass this detection. +description: The following analytic detects outbound network connections from Java + processes to default ports used by LDAP and RMI protocols, which may indicate exploitation + of the CVE-2021-44228-Log4j vulnerability. This detection leverages data from Endpoint + Detection and Response (EDR) agents, focusing on process and network traffic logs. + Monitoring this activity is crucial as it can signify an attacker’s attempt to perform + JNDI lookups and retrieve malicious payloads. If confirmed malicious, this activity + could lead to remote code execution and further compromise of the affected server. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes @@ -77,6 +77,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/outbound_java/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/outbound_java/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/overwriting_accessibility_binaries.yml b/detections/endpoint/overwriting_accessibility_binaries.yml index 6f31e5cbb8..ce700f1d5c 100644 --- a/detections/endpoint/overwriting_accessibility_binaries.yml +++ b/detections/endpoint/overwriting_accessibility_binaries.yml @@ -1,14 +1,18 @@ name: Overwriting Accessibility Binaries id: 13c2f6c3-10c5-4deb-9ba1-7c4460ebe4ae -version: 4 -date: '2023-04-14' +version: 5 +date: '2024-05-25' author: David Dorsey, Splunk status: production type: TTP -description: Microsoft Windows contains accessibility features that can be launched - with a key combination before a user has logged in. An adversary can modify or replace - these programs so they can get a command prompt or backdoor without logging in to - the system. This search looks for modifications to these binaries. +description: The following analytic detects modifications to Windows accessibility + binaries such as sethc.exe, utilman.exe, osk.exe, Magnify.exe, Narrator.exe, DisplaySwitch.exe, + and AtBroker.exe. It leverages filesystem activity data from the Endpoint.Filesystem + data model to identify changes to these specific files. This activity is significant + because adversaries can exploit these binaries to gain unauthorized access or execute + commands without logging in. If confirmed malicious, this could allow attackers + to bypass authentication mechanisms, potentially leading to unauthorized system + access and further compromise of the environment. data_source: - Sysmon EventID 11 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -63,6 +67,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.008/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.008/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/papercut_ng_suspicious_behavior_debug_log.yml b/detections/endpoint/papercut_ng_suspicious_behavior_debug_log.yml index 22119cc1aa..3419aa89a2 100644 --- a/detections/endpoint/papercut_ng_suspicious_behavior_debug_log.yml +++ b/detections/endpoint/papercut_ng_suspicious_behavior_debug_log.yml @@ -1,28 +1,38 @@ name: PaperCut NG Suspicious Behavior Debug Log id: 395163b8-689b-444b-86c7-9fe9ad624734 -version: 1 -date: '2023-05-15' +version: 2 +date: '2024-05-30' author: Michael Haag, Splunk status: experimental type: Hunting data_source: [] -description: The following hunting analytic is designed to monitor and detect potential exploitation attempts targeting a PaperCut NG server by analyzing its debug log data. By focusing on public IP addresses accessing the PaperCut NG instance, this analytic aims to identify unauthorized or suspicious access attempts. Furthermore, it searches for specific URIs that have been discovered in the proof of concept code, which are associated with known exploits or vulnerabilities. The analytic is focused on the user admin. Regex is used mainly because the log is not parsed by Splunk and there is no TA for this debug log. -search: '`papercutng` (loginType=Admin OR userName=admin) - | eval uri_match=if(match(_raw, "(?i)(\/app\?service=page\/SetupCompleted|\/app|\/app\?service=page\/PrinterList|\/app\?service=direct\/1\/PrinterList\/selectPrinter&sp=l1001|\/app\?service=direct\/1\/PrinterDetails\/printerOptionsTab\.tab)"), "URI matches", null()) - | eval ip_match=if(match(_raw, "(?i)((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))") AND NOT match(_raw, "(?i)(10\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))|(172\.(1[6-9]|2[0-9]|3[0-1])\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))|(192\.168\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))"), "IP matches", null()) - | where (isnotnull(uri_match) OR isnotnull(ip_match)) - | stats sparkline, count, values(uri_match) AS uri_match, values(ip_match) AS ip_match latest(_raw) - BY host, index, sourcetype | `papercut_ng_suspicious_behavior_debug_log_filter`' -how_to_implement: Debug logs must be enabled and shipped to Splunk in order to properly identify behavior with this analytic. -known_false_positives: False positives may be present, as this is based on the admin user accessing the Papercut NG instance from a public IP address. Filter as needed. +description: The following analytic identifies potential exploitation attempts on + a PaperCut NG server by analyzing its debug log data. It detects unauthorized or + suspicious access attempts from public IP addresses and searches for specific URIs + associated with known exploits. The detection leverages regex to parse unstructured + log data, focusing on admin login activities. This activity is significant as it + can indicate an active exploitation attempt on the server. If confirmed malicious, + attackers could gain unauthorized access, potentially leading to data breaches or + further compromise of the server. +search: '`papercutng` (loginType=Admin OR userName=admin) | eval uri_match=if(match(_raw, + "(?i)(\/app\?service=page\/SetupCompleted|\/app|\/app\?service=page\/PrinterList|\/app\?service=direct\/1\/PrinterList\/selectPrinter&sp=l1001|\/app\?service=direct\/1\/PrinterDetails\/printerOptionsTab\.tab)"), + "URI matches", null()) | eval ip_match=if(match(_raw, "(?i)((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))") + AND NOT match(_raw, "(?i)(10\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))|(172\.(1[6-9]|2[0-9]|3[0-1])\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))|(192\.168\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))"), + "IP matches", null()) | where (isnotnull(uri_match) OR isnotnull(ip_match)) | stats + sparkline, count, values(uri_match) AS uri_match, values(ip_match) AS ip_match latest(_raw) + BY host, index, sourcetype | `papercut_ng_suspicious_behavior_debug_log_filter`' +how_to_implement: Debug logs must be enabled and shipped to Splunk in order to properly + identify behavior with this analytic. +known_false_positives: False positives may be present, as this is based on the admin + user accessing the Papercut NG instance from a public IP address. Filter as needed. references: - - https://www.papercut.com/kb/Main/HowToCollectApplicationServerDebugLogs - - https://github.com/inodee/threathunting-spl/blob/master/hunt-queries/HAFNIUM.md - - https://www.cisa.gov/news-events/alerts/2023/05/11/cisa-and-fbi-release-joint-advisory-response-active-exploitation-papercut-vulnerability - - https://www.papercut.com/kb/Main/PO-1216-and-PO-1219 - - https://www.horizon3.ai/papercut-cve-2023-27350-deep-dive-and-indicators-of-compromise/ - - https://www.bleepingcomputer.com/news/security/hackers-actively-exploit-critical-rce-bug-in-papercut-servers/ - - https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software +- https://www.papercut.com/kb/Main/HowToCollectApplicationServerDebugLogs +- https://github.com/inodee/threathunting-spl/blob/master/hunt-queries/HAFNIUM.md +- https://www.cisa.gov/news-events/alerts/2023/05/11/cisa-and-fbi-release-joint-advisory-response-active-exploitation-papercut-vulnerability +- https://www.papercut.com/kb/Main/PO-1216-and-PO-1219 +- https://www.horizon3.ai/papercut-cve-2023-27350-deep-dive-and-indicators-of-compromise/ +- https://www.bleepingcomputer.com/news/security/hackers-actively-exploit-critical-rce-bug-in-papercut-servers/ +- https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software tags: analytic_story: - PaperCut MF NG Vulnerability @@ -30,7 +40,8 @@ tags: atomic_guid: [] confidence: 80 impact: 80 - message: Behavior related to exploitation of PaperCut NG has been identified on $host$. + message: Behavior related to exploitation of PaperCut NG has been identified on + $host$. mitre_attack_id: - T1190 - T1133 @@ -54,6 +65,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/papercut/server.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/papercut/server.log source: papercutng sourcetype: papercutng diff --git a/detections/endpoint/petitpotam_network_share_access_request.yml b/detections/endpoint/petitpotam_network_share_access_request.yml index b9ca8f822a..2e05e72116 100644 --- a/detections/endpoint/petitpotam_network_share_access_request.yml +++ b/detections/endpoint/petitpotam_network_share_access_request.yml @@ -1,30 +1,24 @@ name: PetitPotam Network Share Access Request id: 95b8061a-0a67-11ec-85ec-acde48001122 -version: 2 -date: '2024-04-26' +version: 3 +date: '2024-05-26' author: Michael Haag, Mauricio Velazco, Splunk status: production type: TTP -description: 'The following analytic utilizes Windows Event Code 5145, "A network - share object was checked to see whether client can be granted desired access". During - our research into PetitPotam, CVE-2021-36942, we identified the ocurrence of this - event on the target host with specific values. - - To enable 5145 events via Group Policy - Computer Configuration->Polices->Windows - Settings->Security Settings->Advanced Audit Policy Configuration. Expand this node, - go to Object Access (Audit Polices->Object Access), then select the Setting Audit - Detailed File Share Audit - - It is possible this is not enabled by default and may need to be reviewed and enabled. - - - During triage, review parallel security events to identify further suspicious activity.' +description: 'The following analytic detects network share access requests indicative + of the PetitPotam attack (CVE-2021-36942). It leverages Windows Event Code 5145, + which logs attempts to access network share objects. This detection is significant + as PetitPotam can coerce authentication from domain controllers, potentially leading + to unauthorized access. If confirmed malicious, this activity could allow attackers + to escalate privileges or move laterally within the network, posing a severe security + risk. Ensure Event Code 5145 is enabled via Group Policy to utilize this analytic + effectively.' data_source: - Windows Event Log Security 5145 search: '`wineventlog_security` SubjectUserName="ANONYMOUS LOGON" EventCode=5145 RelativeTargetName=lsarpc | stats count min(_time) as firstTime max(_time) as lastTime by dest, SubjectUserSid, - ShareName, src, AccessMask, AccessReason | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `petitpotam_network_share_access_request_filter`' + ShareName, src, AccessMask, AccessReason | `security_content_ctime(firstTime)` | + `security_content_ctime(lastTime)` | `petitpotam_network_share_access_request_filter`' how_to_implement: Windows Event Code 5145 is required to utilize this analytic and it may not be enabled in most environments. known_false_positives: False positives have been limited when the Anonymous Logon @@ -67,6 +61,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1187/petitpotam/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1187/petitpotam/windows-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml b/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml index 89d5355da7..c8508e737c 100644 --- a/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml +++ b/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml @@ -1,25 +1,24 @@ name: PetitPotam Suspicious Kerberos TGT Request id: e3ef244e-0a67-11ec-abf2-acde48001122 -version: 2 -date: '2024-04-26' +version: 3 +date: '2024-05-30' author: Michael Haag, Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic identifes Event Code 4768, A `Kerberos authentication - ticket (TGT) was requested`, successfull occurs. This behavior has been identified - to assist with detecting PetitPotam, CVE-2021-36942. Once an attacer obtains a computer - certificate by abusing Active Directory Certificate Services in combination with - PetitPotam, the next step would be to leverage the certificate for malicious purposes. - One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool - like Rubeus. This request will generate a 4768 event with some unusual fields depending - on the environment. This analytic will require tuning, we recommend filtering Account_Name - to Domain Controllers for your environment. +description: The following analytic detects a suspicious Kerberos Ticket Granting + Ticket (TGT) request, identified by Event Code 4768. This detection leverages Windows + Security Event Logs to identify TGT requests with unusual fields, which may indicate + the use of tools like Rubeus following the exploitation of CVE-2021-36942 (PetitPotam). + This activity is significant as it can signal an attacker leveraging a compromised + certificate to request Kerberos tickets, potentially leading to unauthorized access. + If confirmed malicious, this could allow attackers to escalate privileges and persist + within the environment, posing a severe security risk. data_source: - Windows Event Log Security 4768 search: '`wineventlog_security` EventCode=4768 src!="::1" TargetUserName=*$ CertThumbprint!="" - | stats count min(_time) as firstTime max(_time) as lastTime by dest, TargetUserName, src, action - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `petitpotam_suspicious_kerberos_tgt_request_filter`' + | stats count min(_time) as firstTime max(_time) as lastTime by dest, TargetUserName, + src, action | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `petitpotam_suspicious_kerberos_tgt_request_filter`' how_to_implement: The following analytic requires Event Code 4768. Ensure that it is logging no Domain Controllers and appearing in Splunk. known_false_positives: False positives are possible if the environment is using certificates @@ -61,6 +60,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1187/petitpotam/windows-xml-1.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1187/petitpotam/windows-xml-1.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/ping_sleep_batch_command.yml b/detections/endpoint/ping_sleep_batch_command.yml index acf5c300a2..647878ca12 100644 --- a/detections/endpoint/ping_sleep_batch_command.yml +++ b/detections/endpoint/ping_sleep_batch_command.yml @@ -1,16 +1,18 @@ name: Ping Sleep Batch Command id: ce058d6c-79f2-11ec-b476-acde48001122 -version: 1 -date: '2023-04-14' +version: 2 +date: '2024-05-30' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This analytic will identify the possible execution of ping sleep batch - commands. This technique was seen in several malware samples and is used to trigger - sleep times without explicitly calling sleep functions or commandlets. The goal - is to delay the execution of malicious code and bypass detection or sandbox analysis. - This detection can be a good indicator of a process delaying its execution for - malicious purposes. +description: The following analytic identifies the execution of ping sleep batch commands. + It leverages data from Endpoint Detection and Response (EDR) agents, focusing on + process and parent process command-line details. This activity is significant as + it indicates an attempt to delay malicious code execution, potentially evading detection + or sandbox analysis. If confirmed malicious, this technique allows attackers to + bypass security measures, making it harder to detect and analyze their activities, + thereby increasing the risk of prolonged unauthorized access and potential data + exfiltration. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -78,6 +80,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1497.003/ping_sleep/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1497.003/ping_sleep/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/possible_browser_pass_view_parameter.yml b/detections/endpoint/possible_browser_pass_view_parameter.yml index cf73e98b83..c2e79b5818 100644 --- a/detections/endpoint/possible_browser_pass_view_parameter.yml +++ b/detections/endpoint/possible_browser_pass_view_parameter.yml @@ -1,18 +1,18 @@ name: Possible Browser Pass View Parameter id: 8ba484e8-4b97-11ec-b19a-acde48001122 -version: 1 -date: '2021-11-22' +version: 2 +date: '2024-05-27' author: Teoderick Contreras, Splunk status: production type: Hunting -description: This analytic will detect if a suspicious process contains a commandline - parameter related to a web browser credential dumper. This technique is used by - Remcos RAT malware which uses the Nirsoft webbrowserpassview.exe application to - dump web browser credentials. Remcos uses the "/stext" command line to dump the - credentials in text format. This Hunting query is a good indicator of hosts suffering - from possible Remcos RAT infection. Since the hunting query is based on the parameter - command and the possible path where it will save the text credential information, - it may catch normal tools that are using the same command and behavior. +description: The following analytic identifies processes with command-line parameters + associated with web browser credential dumping tools, specifically targeting behaviors + used by Remcos RAT malware. It leverages data from Endpoint Detection and Response + (EDR) agents, focusing on command-line executions and specific file paths. This + activity is significant as it indicates potential credential theft, a common tactic + in broader cyber-espionage campaigns. If confirmed malicious, attackers could gain + unauthorized access to sensitive web credentials, leading to further system compromise + and data breaches. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -79,6 +79,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555/web_browser_pass_view/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555/web_browser_pass_view/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/possible_lateral_movement_powershell_spawn.yml b/detections/endpoint/possible_lateral_movement_powershell_spawn.yml index c6caf24a5b..6b3a5242d9 100644 --- a/detections/endpoint/possible_lateral_movement_powershell_spawn.yml +++ b/detections/endpoint/possible_lateral_movement_powershell_spawn.yml @@ -1,20 +1,18 @@ name: Possible Lateral Movement PowerShell Spawn id: cb909b3e-512b-11ec-aa31-3e22fbd008af -version: 2 -date: '2023-05-13' +version: 3 +date: '2024-05-20' author: Mauricio Velazco, Splunk status: production type: TTP -description: 'The following analytic is designed to identify possible lateral movement - attacks that involve the spawning of a PowerShell process as a child or grandchild - process of commonly abused processes. These processes include services.exe, wmiprsve.exe, - svchost.exe, wsmprovhost.exe, and mmc.exe. - - Such behavior is indicative of legitimate Windows features such as the Service Control - Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management, - and the DCOM protocol being abused to start a process on a remote endpoint. This - behavior is often seen during lateral movement techniques where adversaries or red - teams abuse these services for lateral movement and remote code execution.' +description: 'The following analytic detects the spawning of a PowerShell process + as a child or grandchild of commonly abused processes like services.exe, wmiprsve.exe, + svchost.exe, wsmprovhost.exe, and mmc.exe. It leverages data from Endpoint Detection + and Response (EDR) agents, focusing on process and parent process names, as well + as command-line executions. This activity is significant as it often indicates lateral + movement or remote code execution attempts by adversaries. If confirmed malicious, + this behavior could allow attackers to execute code remotely, escalate privileges, + or persist within the environment.' data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -22,10 +20,11 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime OR Processes.parent_process_name=services.exe OR Processes.parent_process_name=svchost.exe OR Processes.parent_process_name=wsmprovhost.exe OR Processes.parent_process_name=mmc.exe) (Processes.process_name=powershell.exe OR (Processes.process_name=cmd.exe AND Processes.process=*powershell.exe*) - OR Processes.process_name=pwsh.exe OR (Processes.process_name=cmd.exe AND Processes.process=*pwsh.exe*)) NOT (Processes.process IN ("*c:\windows\ccm\*")) - by Processes.dest Processes.user Processes.parent_process_name Processes.process_name - Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `possible_lateral_movement_powershell_spawn_filter`' + OR Processes.process_name=pwsh.exe OR (Processes.process_name=cmd.exe AND Processes.process=*pwsh.exe*)) + NOT (Processes.process IN ("*c:\windows\ccm\*")) by Processes.dest Processes.user + Processes.parent_process_name Processes.process_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `possible_lateral_movement_powershell_spawn_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -91,6 +90,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/lateral_movement_powershell/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/lateral_movement_powershell/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/potential_password_in_username.yml b/detections/endpoint/potential_password_in_username.yml index 123dadaad6..e9ec637a72 100644 --- a/detections/endpoint/potential_password_in_username.yml +++ b/detections/endpoint/potential_password_in_username.yml @@ -1,15 +1,18 @@ name: Potential password in username id: 5ced34b4-ab32-4bb0-8f22-3b8f186f0a38 -version: 1 -date: '2022-05-11' +version: 2 +date: '2024-05-11' author: Mikael Bjerkeland, Splunk status: production type: Hunting -description: This search identifies users who have entered their passwords in username - fields. This is done by looking for failed authentication attempts using usernames - with a length longer than 7 characters and a high Shannon entropy, and looks for - the next successful authentication attempt from the same source system to the same - destination system as the failed attempt. +description: The following analytic identifies instances where users may have mistakenly + entered their passwords in the username field during authentication attempts. It + detects this by analyzing failed authentication events with usernames longer than + 7 characters and high Shannon entropy, followed by a successful authentication from + the same source to the same destination. This activity is significant as it can + indicate potential security risks, such as password exposure. If confirmed malicious, + attackers could exploit this to gain unauthorized access, leading to potential data + breaches or further compromise of the system. data_source: - Linux Secure search: '| tstats `security_content_summariesonly` earliest(_time) AS starttime latest(_time) @@ -73,6 +76,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.001/password_in_username/linux_secure.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.001/password_in_username/linux_secure.log source: /var/log/secure sourcetype: linux_secure diff --git a/detections/endpoint/potentially_malicious_code_on_commandline.yml b/detections/endpoint/potentially_malicious_code_on_commandline.yml index a861336f50..1f8cb8a562 100644 --- a/detections/endpoint/potentially_malicious_code_on_commandline.yml +++ b/detections/endpoint/potentially_malicious_code_on_commandline.yml @@ -1,20 +1,19 @@ name: Potentially malicious code on commandline id: 9c53c446-757e-11ec-871d-acde48001122 -version: 1 -date: '2022-01-14' +version: 2 +date: '2024-05-12' author: Michael Hart, Splunk status: production type: Anomaly -description: The following analytic uses a pretrained machine learning text classifier - to detect potentially malicious commandlines. The model identifies unusual combinations - of keywords found in samples of commandlines where adversaries executed powershell - code, primarily for C2 communication. For example, adversaries will leverage IO - capabilities such as "streamreader" and "webclient", threading capabilties such - as "mutex" locks, programmatic constructs like "function" and "catch", and cryptographic - operations like "computehash". Although observing one of these keywords in a commandline - script is possible, combinations of keywords observed in attack data are not typically - found in normal usage of the commandline. The model will output a score where all - values above zero are suspicious, anything greater than one particularly so. +description: The following analytic detects potentially malicious command lines using + a pretrained machine learning text classifier. It identifies unusual keyword combinations + in command lines, such as "streamreader," "webclient," "mutex," "function," and + "computehash," which are often associated with adversarial PowerShell code execution + for C2 communication. This detection leverages data from Endpoint Detection and + Response (EDR) agents, focusing on command lines longer than 200 characters. This + activity is significant as it can indicate an attempt to execute malicious scripts, + potentially leading to unauthorized code execution, data exfiltration, or further + system compromise. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -47,7 +46,8 @@ tags: asset_type: Endpoint confidence: 20 impact: 60 - message: Unusual command-line execution with command line length greater than 200 found on $dest$ with commandline value - [$process$] + message: Unusual command-line execution with command line length greater than 200 + found on $dest$ with commandline value - [$process$] mitre_attack_id: - T1059.003 observable: @@ -76,6 +76,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/malicious_cmd_line_samples/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/malicious_cmd_line_samples/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/powershell_4104_hunting.yml b/detections/endpoint/powershell_4104_hunting.yml index a45ff1f00d..e02d365720 100644 --- a/detections/endpoint/powershell_4104_hunting.yml +++ b/detections/endpoint/powershell_4104_hunting.yml @@ -1,15 +1,18 @@ name: PowerShell 4104 Hunting id: d6f2b006-0041-11ec-8885-acde48001122 -version: 4 -date: '2023-12-27' +version: 5 +date: '2024-05-11' author: Michael Haag, Splunk status: production type: Hunting -description: The following Hunting analytic assists with identifying suspicious PowerShell - execution using Script Block Logging, or EventCode 4104. This analytic is not meant - to be ran hourly, but occasionally to identify malicious or suspicious PowerShell. - This analytic is a combination of work completed by Alex Teixeira and Splunk Threat - Research Team. +description: The following analytic identifies suspicious PowerShell execution using + Script Block Logging (EventCode 4104). It leverages specific patterns and keywords + within the ScriptBlockText field to detect potentially malicious activities. This + detection is significant for SOC analysts as PowerShell is commonly used by attackers + for various malicious purposes, including code execution, privilege escalation, + and persistence. If confirmed malicious, this activity could allow attackers to + execute arbitrary commands, exfiltrate data, or maintain long-term access to the + compromised system, posing a severe threat to the organization's security. data_source: - Powershell Script Block Logging 4104 search: '`powershell` EventCode=4104 | eval DoIt = if(match(ScriptBlockText,"(?i)(\$doit)"), @@ -96,6 +99,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/powershell___connect_to_internet_with_hidden_window.yml b/detections/endpoint/powershell___connect_to_internet_with_hidden_window.yml index 02e44f1c10..9f971e9dbb 100644 --- a/detections/endpoint/powershell___connect_to_internet_with_hidden_window.yml +++ b/detections/endpoint/powershell___connect_to_internet_with_hidden_window.yml @@ -1,27 +1,27 @@ name: PowerShell - Connect To Internet With Hidden Window id: ee18ed37-0802-4268-9435-b3b91aaa18db -version: 8 -date: '2023-04-14' +version: 9 +date: '2024-05-12' author: David Dorsey, Michael Haag Splunk status: production type: Hunting -description: The following hunting analytic identifies PowerShell commands utilizing - the WindowStyle parameter to hide the window on the compromised endpoint. This combination - of command-line options is suspicious because it is overriding the default PowerShell - execution policy, attempts to hide its activity from the user, and connects to the - Internet. Removed in this version of the query is New-Object. The analytic identifies - all variations of WindowStyle, as PowerShell allows the ability to shorten the parameter. - For example w, win, windowsty and so forth. In addition, through our research it - was identified that PowerShell will interpret different command switch types beyond - the hyphen. We have added endash, emdash, horizontal bar, and forward slash. +description: The following analytic detects PowerShell commands using the WindowStyle + parameter to hide the window while connecting to the Internet. This behavior is + identified through Endpoint Detection and Response (EDR) telemetry, focusing on + command-line executions that include variations of the WindowStyle parameter. This + activity is significant because it attempts to bypass default PowerShell execution + policies and conceal its actions, which is often indicative of malicious intent. + If confirmed malicious, this could allow an attacker to execute commands stealthily, + potentially leading to unauthorized data exfiltration or further compromise of the + endpoint. data_source: - Sysmon EventID 1 search: "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` by Processes.user Processes.process_name Processes.process Processes.parent_process_name Processes.original_file_name Processes.dest Processes.process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | where match(process,\"(?i)[\\-|\\/|\u2013 - |\u2014|\u2015]w(in*d*o*w*s*t*y*l*e*)*\\s+[^-]\") | `powershell___connect_to_internet_with_hidden_window_filter`" + | `security_content_ctime(lastTime)` | where match(process,\"(?i)[\\-|\\/|– |—|―]w(in*d*o*w*s*t*y*l*e*)*\\\ + s+[^-]\") | `powershell___connect_to_internet_with_hidden_window_filter`" how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -88,6 +88,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/hidden_powershell/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/hidden_powershell/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/powershell_creating_thread_mutex.yml b/detections/endpoint/powershell_creating_thread_mutex.yml index d90ba567e9..a8d2094a2c 100644 --- a/detections/endpoint/powershell_creating_thread_mutex.yml +++ b/detections/endpoint/powershell_creating_thread_mutex.yml @@ -1,22 +1,24 @@ name: Powershell Creating Thread Mutex id: 637557ec-ca08-11eb-bd0a-acde48001122 -version: 3 -date: '2022-05-02' +version: 4 +date: '2024-05-14' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic identifies suspicious PowerShell script execution - via EventCode 4104 that is using the `mutex` function. This function is commonly - seen in some obfuscated PowerShell scripts to make sure that only one instance of - there process is running on a compromise machine. During triage, review parallel - processes within the same timeframe. Review the full script block to identify other - related artifacts. +description: The following analytic detects the execution of PowerShell scripts using + the `mutex` function via EventCode 4104. This detection leverages PowerShell Script + Block Logging to identify scripts that create thread mutexes, a technique often + used in obfuscated scripts to ensure only one instance runs on a compromised machine. + This activity is significant as it may indicate the presence of sophisticated malware + or persistence mechanisms. If confirmed malicious, the attacker could maintain exclusive + control over a process, potentially leading to further exploitation or persistence + within the environment. data_source: - Powershell Script Block Logging 4104 search: '`powershell` EventCode=4104 ScriptBlockText = "*Threading.Mutex*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText - Computer UserID | rename Computer as dest |rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `powershell_creating_thread_mutex_filter`' + Computer UserID | rename Computer as dest |rename UserID as user | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `powershell_creating_thread_mutex_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. @@ -63,6 +65,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/powershell_domain_enumeration.yml b/detections/endpoint/powershell_domain_enumeration.yml index 5513991c3b..a1aff99a00 100644 --- a/detections/endpoint/powershell_domain_enumeration.yml +++ b/detections/endpoint/powershell_domain_enumeration.yml @@ -1,22 +1,18 @@ name: PowerShell Domain Enumeration id: e1866ce2-ca22-11eb-8e44-acde48001122 -version: 2 -date: '2023-12-27' +version: 3 +date: '2024-05-21' author: Michael Haag, Splunk status: production type: TTP -description: 'The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) - to identify suspicious PowerShell execution. Script Block Logging captures the command - sent to PowerShell, the full command to be executed. Upon enabling, logs will output - to Windows event logs. Dependent upon volume, enable on critical endpoints or all. - - - This analytic identifies specific PowerShell modules typically used to enumerate - an organizations domain or users. - - During triage, review parallel processes using an EDR product or 4688 events. It - will be important to understand the timeline of events around this activity. Review - the entire logged PowerShell script block.' +description: 'The following analytic detects the execution of PowerShell commands + used for domain enumeration, such as `get-netdomaintrust` and `get-adgroupmember`. + It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze + the full command sent to PowerShell. This activity is significant as it often indicates + reconnaissance efforts by an attacker to map out the domain structure and identify + key users and groups. If confirmed malicious, this behavior could lead to further + targeted attacks, privilege escalation, and unauthorized access to sensitive information + within the domain.' data_source: - Powershell Script Block Logging 4104 search: '`powershell` EventCode=4104 ScriptBlockText IN (*get-netdomaintrust*, *get-netforesttrust*, @@ -73,6 +69,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/enumeration.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/enumeration.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/powershell_enable_powershell_remoting.yml b/detections/endpoint/powershell_enable_powershell_remoting.yml index e40f86c31e..1fc3db9be9 100644 --- a/detections/endpoint/powershell_enable_powershell_remoting.yml +++ b/detections/endpoint/powershell_enable_powershell_remoting.yml @@ -1,22 +1,29 @@ name: PowerShell Enable PowerShell Remoting id: 40e3b299-19a5-4460-96e9-e1467f714f8e -version: 1 -date: '2023-03-22' +version: 2 +date: '2024-05-17' author: Michael Haag, Splunk type: Anomaly status: production -data_source: +data_source: - Powershell Script Block Logging 4104 -description: This analytic utilizes PowerShell Script Block Logging (EventCode 4104) to identify the use of Enable-PSRemoting cmdlet. This cmdlet allows users to enable PowerShell remoting on a local or remote computer, which allows other computers to run commands on the target computer. The ability to remotely execute commands can be abused by attackers to take control of compromised systems and pivot to other systems on the network. - By detecting the use of Enable-PSRemoting cmdlet via script block logging, this analytic can help organizations identify potential malicious activity related to attackers attempting to gain remote control of compromised systems. -search: '`powershell` EventCode=4104 ScriptBlockText="*Enable-PSRemoting*" - | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)`| `powershell_enable_powershell_remoting_filter`' +description: The following analytic detects the use of the Enable-PSRemoting cmdlet, + which allows PowerShell remoting on a local or remote computer. This detection leverages + PowerShell Script Block Logging (EventCode 4104) to identify when this cmdlet is + executed. Monitoring this activity is crucial as it can indicate an attacker enabling + remote command execution capabilities on a compromised system. If confirmed malicious, + this activity could allow an attacker to take control of the system remotely, execute + commands, and potentially pivot to other systems within the network, leading to + further compromise and lateral movement. +search: '`powershell` EventCode=4104 ScriptBlockText="*Enable-PSRemoting*" | stats + count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `powershell_enable_powershell_remoting_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -known_false_positives: Note that false positives may occur due to the use of the Enable-PSRemoting cmdlet by legitimate users, such as system administrators. It is recommended to apply appropriate filters as needed to minimize the number of false positives. +known_false_positives: Note that false positives may occur due to the use of the Enable-PSRemoting + cmdlet by legitimate users, such as system administrators. It is recommended to + apply appropriate filters as needed to minimize the number of false positives. references: - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.3 tags: @@ -48,6 +55,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/4104-psremoting-windows-powershell.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/4104-psremoting-windows-powershell.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/powershell_enable_smb1protocol_feature.yml b/detections/endpoint/powershell_enable_smb1protocol_feature.yml index fea7e6e90b..21aa4a6bf1 100644 --- a/detections/endpoint/powershell_enable_smb1protocol_feature.yml +++ b/detections/endpoint/powershell_enable_smb1protocol_feature.yml @@ -1,14 +1,17 @@ name: Powershell Enable SMB1Protocol Feature id: afed80b2-d34b-11eb-a952-acde48001122 -version: 2 -date: '2023-04-14' +version: 3 +date: '2024-05-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: This search is to detect a suspicious enabling of smb1protocol through - `powershell.exe`. This technique was seen in some ransomware (like reddot) where - it enable smb share to do the lateral movement and encrypt other files within the - compromise network system. +description: The following analytic detects the enabling of the SMB1 protocol via + `powershell.exe`. It leverages PowerShell script block logging (EventCode 4104) + to identify the execution of the `Enable-WindowsOptionalFeature` cmdlet with the + `SMB1Protocol` parameter. This activity is significant because enabling SMB1 can + facilitate lateral movement and file encryption by ransomware, such as RedDot. If + confirmed malicious, this action could allow an attacker to propagate through the + network, encrypt files, and potentially disrupt business operations. data_source: - Powershell Script Block Logging 4104 search: '`powershell` EventCode=4104 ScriptBlockText = "*Enable-WindowsOptionalFeature*" @@ -55,6 +58,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/powershell_execute_com_object.yml b/detections/endpoint/powershell_execute_com_object.yml index a43bcad0f1..97984f444a 100644 --- a/detections/endpoint/powershell_execute_com_object.yml +++ b/detections/endpoint/powershell_execute_com_object.yml @@ -1,21 +1,23 @@ name: Powershell Execute COM Object id: 65711630-f9bf-11eb-8d72-acde48001122 -version: 2 -date: '2023-04-14' +version: 3 +date: '2024-05-09' author: Teoderick Contreras, Splunk status: production type: TTP -description: This search is to detect a COM CLSID execution through powershell. This - technique was seen in several adversaries and malware like ransomware conti where - it has a feature to execute command using COM Object. This technique may use by - network operator at some cases but a good indicator if some application want to - gain privilege escalation or bypass uac. +description: The following analytic detects the execution of a COM CLSID through PowerShell. + It leverages EventCode 4104 and searches for specific script block text indicating + the creation of a COM object. This activity is significant as it is commonly used + by adversaries and malware, such as the Conti ransomware, to execute commands, potentially + for privilege escalation or bypassing User Account Control (UAC). If confirmed malicious, + this technique could allow attackers to gain elevated privileges or persist within + the environment, posing a significant security risk. data_source: - Powershell Script Block Logging 4104 search: '`powershell` EventCode=4104 ScriptBlockText = "*CreateInstance([type]::GetTypeFromCLSID*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText - Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `powershell_execute_com_object_filter`' + Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `powershell_execute_com_object_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the @@ -57,6 +59,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.015/pwh_com_object/windows-powershell-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.015/pwh_com_object/windows-powershell-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/powershell_fileless_process_injection_via_getprocaddress.yml b/detections/endpoint/powershell_fileless_process_injection_via_getprocaddress.yml index c60b958daf..e6c8b33ec8 100644 --- a/detections/endpoint/powershell_fileless_process_injection_via_getprocaddress.yml +++ b/detections/endpoint/powershell_fileless_process_injection_via_getprocaddress.yml @@ -1,32 +1,24 @@ name: Powershell Fileless Process Injection via GetProcAddress id: a26d9db4-c883-11eb-9d75-acde48001122 -version: 2 -date: '2023-04-14' +version: 3 +date: '2024-05-18' author: Michael Haag, Splunk status: production type: TTP -description: 'The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) - to identify suspicious PowerShell execution. Script Block Logging captures the command - sent to PowerShell, the full command to be executed. Upon enabling, logs will output - to Windows event logs. Dependent upon volume, enable no critical endpoints or all. - - - This analytic identifies `GetProcAddress` in the script block. This is not normal - to be used by most PowerShell scripts and is typically unsafe/malicious. Many attack - toolkits use GetProcAddress to obtain code execution. - - In use, `$var_gpa = $var_unsafe_native_methods.GetMethod(GetProcAddress` and later - referenced/executed elsewhere. - - During triage, review parallel processes using an EDR product or 4688 events. It - will be important to understand the timeline of events around this activity. Review - the entire logged PowerShell script block.' +description: 'The following analytic detects the use of `GetProcAddress` in PowerShell + script blocks, leveraging PowerShell Script Block Logging (EventCode=4104). This + method captures the full command sent to PowerShell, which is then logged in Windows + event logs. The presence of `GetProcAddress` is unusual for typical PowerShell scripts + and often indicates malicious activity, as many attack toolkits use it to achieve + code execution. If confirmed malicious, this activity could allow an attacker to + execute arbitrary code, potentially leading to system compromise. Analysts should + review parallel processes and the entire logged script block for further investigation.' data_source: - Powershell Script Block Logging 4104 search: '`powershell` EventCode=4104 ScriptBlockText=*getprocaddress* | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode - ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `powershell_fileless_process_injection_via_getprocaddress_filter`' + ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `powershell_fileless_process_injection_via_getprocaddress_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. @@ -71,6 +63,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml b/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml index 4b916dc355..cc9b1ab5e6 100644 --- a/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml +++ b/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml @@ -1,31 +1,24 @@ name: Powershell Fileless Script Contains Base64 Encoded Content id: 8acbc04c-c882-11eb-b060-acde48001122 -version: 3 -date: '2023-04-05' +version: 4 +date: '2024-05-24' author: Michael Haag, Splunk status: production type: TTP data_source: - Powershell Script Block Logging 4104 -description: 'The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) - to identify suspicious PowerShell execution. Script Block Logging captures the command - sent to PowerShell, the full command to be executed. Upon enabling, logs will output - to Windows event logs. Dependent upon volume, enable on critical endpoints or all. - - - This analytic identifies `FromBase64String` within the script block. A typical malicious - instance will include additional code. - - Command example - `[Byte[]]$var_code = [System.Convert]::FromBase64String(38uqIyMjQ6rG....` - - - During triage, review parallel processes using an EDR product or 4688 events. It - will be important to understand the timeline of events around this activity. Review - the entire logged PowerShell script block.' +description: 'The following analytic detects the execution of PowerShell scripts containing + Base64 encoded content, specifically identifying the use of `FromBase64String`. + It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze + the full command sent to PowerShell. This activity is significant as Base64 encoding + is often used by attackers to obfuscate malicious payloads, making it harder to + detect. If confirmed malicious, this could lead to code execution, allowing attackers + to run arbitrary commands and potentially compromise the system.' search: '`powershell` EventCode=4104 ScriptBlockText = "*frombase64string*" OR ScriptBlockText = "*gnirtS46esaBmorF*" | stats count min(_time) as firstTime max(_time) as lastTime - by EventCode ScriptBlockText Computer UserID | rename Computer as dest |rename UserID as user | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `powershell_fileless_script_contains_base64_encoded_content_filter`' + by EventCode ScriptBlockText Computer UserID | rename Computer as dest |rename UserID + as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `powershell_fileless_script_contains_base64_encoded_content_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. @@ -74,6 +67,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/frombase64string.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/frombase64string.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/powershell_get_localgroup_discovery_with_script_block_logging.yml b/detections/endpoint/powershell_get_localgroup_discovery_with_script_block_logging.yml index 38085da731..549f09229e 100644 --- a/detections/endpoint/powershell_get_localgroup_discovery_with_script_block_logging.yml +++ b/detections/endpoint/powershell_get_localgroup_discovery_with_script_block_logging.yml @@ -1,31 +1,24 @@ name: Powershell Get LocalGroup Discovery with Script Block Logging id: d7c6ad22-155c-11ec-bb64-acde48001122 -version: 2 -date: '2022-04-26' +version: 3 +date: '2024-05-24' author: Michael Haag, Splunk status: production type: Hunting -description: 'The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) - to identify suspicious PowerShell execution. Script Block Logging captures the command - sent to PowerShell, the full command to be executed. Upon enabling, logs will output - to Windows event logs. Dependent upon volume, enable on critical endpoints or all. - - - This analytic identifies PowerShell cmdlet - `get-localgroup` being ran. Typically, - by itself, is not malicious but may raise suspicion based on time of day, endpoint - and username. - - During triage, review parallel processes using an EDR product or 4688 events. It - will be important to understand the timeline of events around this activity. Review - the entire logged PowerShell script block.' +description: 'The following analytic detects the execution of the PowerShell cmdlet + `get-localgroup` using PowerShell Script Block Logging (EventCode=4104). This method + captures the full command sent to PowerShell, providing detailed visibility into + script execution. Monitoring this activity is significant as it can indicate an + attempt to enumerate local groups, which may be a precursor to privilege escalation + or lateral movement. If confirmed malicious, an attacker could gain insights into + group memberships, potentially leading to unauthorized access or privilege abuse. + Review parallel processes and the entire script block for comprehensive analysis.' data_source: - Powershell Script Block Logging 4104 search: '`powershell` EventCode=4104 ScriptBlockText = "*get-localgroup*" | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode - ScriptBlockText | rename Computer as dest, UserID as user - | `security_content_ctime(firstTime)` - |`security_content_ctime(lastTime)` - | `powershell_get_localgroup_discovery_with_script_block_logging_filter`' + ScriptBlockText | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` + |`security_content_ctime(lastTime)` | `powershell_get_localgroup_discovery_with_script_block_logging_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. @@ -72,6 +65,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/getlocalgroup.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/getlocalgroup.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/powershell_invoke_cimmethod_cimsession.yml b/detections/endpoint/powershell_invoke_cimmethod_cimsession.yml index 9111604b76..cf32efd7e0 100644 --- a/detections/endpoint/powershell_invoke_cimmethod_cimsession.yml +++ b/detections/endpoint/powershell_invoke_cimmethod_cimsession.yml @@ -1,21 +1,29 @@ name: PowerShell Invoke CIMMethod CIMSession id: 651ee958-a433-471c-b264-39725b788b83 -version: 1 -date: '2023-03-22' +version: 2 +date: '2024-05-31' author: Michael Haag, Splunk type: Anomaly status: production data_source: - Powershell Script Block Logging 4104 -description: This analytic identifies the use of the New-CIMSession cmdlet being created along with the Invoke-CIMMethod cmdlet being used within PowerShell. This particular behavior is similar to the usage of the Invoke-WMIMethod cmdlet, which is known for executing WMI commands on targets using NTLMv2 pass-the-hash authentication. The New-CIMSession cmdlet allows users to create a new CIM session object for a specified computer system, which can then be used to execute CIM operations remotely. Similarly, the Invoke-CIMMethod cmdlet is used to invoke a specified method on one or more CIM objects. Therefore, the combination of New-CIMSession and Invoke-CIMMethod cmdlets in PowerShell can potentially indicate malicious behavior, and this analytic can help detect such activity. +description: The following analytic detects the creation of a New-CIMSession cmdlet + followed by the use of the Invoke-CIMMethod cmdlet within PowerShell. It leverages + PowerShell Script Block Logging to identify these specific cmdlets in the ScriptBlockText + field. This activity is significant because it mirrors the behavior of the Invoke-WMIMethod + cmdlet, often used for remote code execution via NTLMv2 pass-the-hash authentication. + If confirmed malicious, this could allow an attacker to execute commands remotely, + potentially leading to unauthorized access and control over targeted systems. search: '`powershell` EventCode=4104 ScriptBlockText IN ("*invoke-CIMMethod*", "*New-CimSession*") - | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `powershell_invoke_cimmethod_cimsession_filter`' + | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode + ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `powershell_invoke_cimmethod_cimsession_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -known_false_positives: False positives may be present based on third-party applications or administrators using CIM. It is recommended to apply appropriate filters as needed to minimize the number of false positives. +known_false_positives: False positives may be present based on third-party applications + or administrators using CIM. It is recommended to apply appropriate filters as needed + to minimize the number of false positives. references: - https://learn.microsoft.com/en-us/powershell/module/cimcmdlets/invoke-cimmethod?view=powershell-7.3 tags: @@ -25,7 +33,8 @@ tags: asset_type: Endpoint confidence: 50 impact: 50 - message: PowerShell was identified running a Invoke-CIMMethod Invoke-CIMSession on $Computer$. + message: PowerShell was identified running a Invoke-CIMMethod Invoke-CIMSession + on $Computer$. mitre_attack_id: - T1047 observable: @@ -47,6 +56,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/atomic_red_team/4104-cimmethod-windows-powershell.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/atomic_red_team/4104-cimmethod-windows-powershell.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/powershell_load_module_in_meterpreter.yml b/detections/endpoint/powershell_load_module_in_meterpreter.yml index bb1f1d3b45..68dedb6a49 100644 --- a/detections/endpoint/powershell_load_module_in_meterpreter.yml +++ b/detections/endpoint/powershell_load_module_in_meterpreter.yml @@ -1,23 +1,18 @@ name: Powershell Load Module in Meterpreter id: d5905da5-d050-48db-9259-018d8f034fcf -version: 1 -date: '2022-11-22' +version: 2 +date: '2024-05-19' author: Michael Haag, Splunk status: production type: TTP -description: 'The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) - to identify suspicious PowerShell execution. Script Block Logging captures the command - sent to PowerShell, the full command to be executed. Upon enabling, logs will output - to Windows event logs. Dependent upon volume, enable on critical endpoints or all. - - - This analytic identifies "MSF.Powershell","MSF.Powershell.Meterpreter","MSF.Powershell.Meterpreter.Kiwi","MSF.Powershell.Meterpreter.Transport" - being used. This behavior is related to when a Meterpreter session is started and - the operator runs load_kiwi. - - During triage, review parallel processes using an EDR product or 4688 events. It - will be important to understand the timeline of events around this activity. Review - the entire logged PowerShell script block.' +description: 'The following analytic detects the execution of suspicious PowerShell + commands associated with Meterpreter modules, such as "MSF.Powershell" and "MSF.Powershell.Meterpreter". + It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze + the full command sent to PowerShell. This activity is significant as it indicates + potential post-exploitation actions, including credential dumping and persistence + mechanisms. If confirmed malicious, an attacker could gain extensive control over + the compromised system, escalate privileges, and maintain long-term access, posing + a severe threat to the environment.' data_source: - Powershell Script Block Logging 4104 search: '`powershell` EventCode=4104 ScriptBlockText IN ("*MSF.Powershell*","*MSF.Powershell.Meterpreter*","*MSF.Powershell.Meterpreter.Kiwi*","*MSF.Powershell.Meterpreter.Transport*") @@ -66,7 +61,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/metasploit/msf.powershell.powershell.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/metasploit/msf.powershell.powershell.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml b/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml index 644cadad0b..29948081ed 100644 --- a/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml +++ b/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml @@ -1,26 +1,20 @@ name: PowerShell Loading DotNET into Memory via Reflection id: 85bc3f30-ca28-11eb-bd21-acde48001122 -version: 3 -date: '2023-04-05' +version: 4 +date: '2024-05-18' author: Michael Haag, Splunk status: production type: TTP data_source: - Powershell Script Block Logging 4104 -description: 'The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) - to identify suspicious PowerShell execution. Script Block Logging captures the command - sent to PowerShell, the full command to be executed. Upon enabling, logs will output - to Windows event logs. Dependent upon volume, enable no critical endpoints or all. - - - This analytic identifies the use of PowerShell loading .net assembly via reflection. - This is commonly found in malicious PowerShell usage, including Empire and Cobalt - Strike. In addition, the `load(` value may be modifed by removing `(` and it will - identify more events to review. - - During triage, review parallel processes using an EDR product or 4688 events. It - will be important to understand the timeline of events around this activity. Review - the entire logged PowerShell script block.' +description: 'The following analytic detects the use of PowerShell to load .NET assemblies + into memory via reflection, a technique often used in malicious activities such + as those by Empire and Cobalt Strike. It leverages PowerShell Script Block Logging + (EventCode=4104) to capture and analyze the full command executed. This behavior + is significant as it can indicate advanced attack techniques aiming to execute code + in memory, bypassing traditional defenses. If confirmed malicious, this activity + could lead to unauthorized code execution, privilege escalation, and persistent + access within the environment.' search: '`powershell` EventCode=4104 ScriptBlockText IN ("*[system.reflection.assembly]::load(*","*[reflection.assembly]*", "*reflection.assembly*") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` @@ -78,6 +72,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/reflection.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/reflection.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/powershell_processing_stream_of_data.yml b/detections/endpoint/powershell_processing_stream_of_data.yml index 43cdb8188a..56184299fa 100644 --- a/detections/endpoint/powershell_processing_stream_of_data.yml +++ b/detections/endpoint/powershell_processing_stream_of_data.yml @@ -1,16 +1,17 @@ name: Powershell Processing Stream Of Data id: 0d718b52-c9f1-11eb-bc61-acde48001122 -version: 2 -date: '2023-04-14' +version: 3 +date: '2024-05-16' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic identifies suspicious PowerShell script execution - via EventCode 4104 that is processing compressed stream data. This is typically - found in obfuscated PowerShell or PowerShell executing embedded .NET or binary files - that are stream flattened and will be deflated durnig execution. During triage, - review parallel processes within the same timeframe. Review the full script block - to identify other related artifacts. +description: The following analytic detects suspicious PowerShell script execution + involving compressed stream data processing, identified via EventCode 4104. It leverages + PowerShell Script Block Logging to flag scripts using `IO.Compression`, `IO.StreamReader`, + or decompression methods. This activity is significant as it often indicates obfuscated + PowerShell or embedded .NET/binary execution, which are common tactics for evading + detection. If confirmed malicious, this behavior could allow attackers to execute + hidden code, escalate privileges, or maintain persistence within the environment. data_source: - Powershell Script Block Logging 4104 search: '`powershell` EventCode=4104 ScriptBlockText = "*IO.Compression.*" OR ScriptBlockText @@ -70,6 +71,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/streamreader.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/streamreader.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/powershell_remote_services_add_trustedhost.yml b/detections/endpoint/powershell_remote_services_add_trustedhost.yml index 846180622b..c8f4b8d880 100644 --- a/detections/endpoint/powershell_remote_services_add_trustedhost.yml +++ b/detections/endpoint/powershell_remote_services_add_trustedhost.yml @@ -1,28 +1,30 @@ name: Powershell Remote Services Add TrustedHost id: bef21d24-297e-45e3-9b9a-c6ac45450474 -version: 1 -date: '2023-11-23' +version: 2 +date: '2024-05-20' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Powershell Script Block Logging 4104 -description: The following analytic identifies a suspicious PowerShell script execution via EventCode 4104 - that contains command to add or modify the trustedhost configuration in Windows OS. - This behavior raises concerns due to the nature of modifications made to the 'TrustedHost' configuration, - which typically involves adjusting settings crucial for remote connections and security protocols. - Alterations in this area could potentially indicate attempts to manipulate trusted hosts or systems - for unauthorized remote access, a tactic commonly observed in various unauthorized access or compromise attempts. -search: '`powershell` EventCode=4104 ScriptBlockText = "*WSMan:\\localhost\\Client\\TrustedHosts*" ScriptBlockText IN ("* -Value *", "* -Concatenate *") - | rename Computer as dest, UserID as user - | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +description: The following analytic detects the execution of a PowerShell script that + modifies the 'TrustedHosts' configuration via EventCode 4104. It leverages PowerShell + Script Block Logging to identify commands targeting WSMan settings, specifically + those altering or concatenating trusted hosts. This activity is significant as it + can indicate attempts to manipulate remote connection settings, potentially allowing + unauthorized remote access. If confirmed malicious, this could enable attackers + to establish persistent remote connections, bypass security protocols, and gain + unauthorized access to sensitive systems and data. +search: '`powershell` EventCode=4104 ScriptBlockText = "*WSMan:\\localhost\\Client\\TrustedHosts*" + ScriptBlockText IN ("* -Value *", "* -Concatenate *") | rename Computer as dest, + UserID as user | stats count min(_time) as firstTime max(_time) as lastTime by EventCode + ScriptBlockText dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_remote_services_add_trustedhost_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -known_false_positives: user and network administrator may used this function to add trusted host. +known_false_positives: user and network administrator may used this function to add + trusted host. references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate tags: @@ -60,6 +62,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/wsman_trustedhost/wsman_pwh.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/wsman_trustedhost/wsman_pwh.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/powershell_remote_thread_to_known_windows_process.yml b/detections/endpoint/powershell_remote_thread_to_known_windows_process.yml index 40509da7c7..292b8a1164 100644 --- a/detections/endpoint/powershell_remote_thread_to_known_windows_process.yml +++ b/detections/endpoint/powershell_remote_thread_to_known_windows_process.yml @@ -1,15 +1,18 @@ name: Powershell Remote Thread To Known Windows Process id: ec102cb2-a0f5-11eb-9b38-acde48001122 -version: 2 -date: '2022-08-25' +version: 3 +date: '2024-05-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: this search is designed to detect suspicious powershell process that - tries to inject code and to known/critical windows process and execute it using - CreateRemoteThread. This technique is seen in several malware like trickbot and - offensive tooling like cobaltstrike where it load a shellcode to svchost.exe to - execute reverse shell to c2 and download another payload +description: The following analytic detects suspicious PowerShell processes attempting + to inject code into critical Windows processes using CreateRemoteThread. It leverages + Sysmon EventCode 8 to identify instances where PowerShell spawns threads in processes + like svchost.exe, csrss.exe, and others. This activity is significant as it is commonly + used by malware such as TrickBot and offensive tools like Cobalt Strike to execute + malicious payloads, establish reverse shells, or download additional malware. If + confirmed malicious, this behavior could lead to unauthorized code execution, privilege + escalation, and persistent access within the environment. data_source: - Sysmon EventID 8 search: '`sysmon` EventCode = 8 parent_process_name IN ("powershell_ise.exe", "powershell.exe") @@ -65,6 +68,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/infection/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/infection/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/powershell_remove_windows_defender_directory.yml b/detections/endpoint/powershell_remove_windows_defender_directory.yml index e1cca5044e..eda9198315 100644 --- a/detections/endpoint/powershell_remove_windows_defender_directory.yml +++ b/detections/endpoint/powershell_remove_windows_defender_directory.yml @@ -1,21 +1,23 @@ name: Powershell Remove Windows Defender Directory id: adf47620-79fa-11ec-b248-acde48001122 -version: 3 -date: '2023-04-14' +version: 4 +date: '2024-05-18' author: Teoderick Contreras, Splunk status: production type: TTP -description: This analytic will identify a suspicious PowerShell command used to delete - the Windows Defender folder. This technique was seen used by the WhisperGate malware - campaign where it used Nirsofts advancedrun.exe to gain administrative privileges - to then execute a PowerShell command to delete the Windows Defender folder. This - is a good indicator the offending process is trying corrupt a Windows Defender installation. +description: The following analytic detects a suspicious PowerShell command attempting + to delete the Windows Defender directory. It leverages PowerShell Script Block Logging + to identify commands containing "rmdir" and targeting the Windows Defender path. + This activity is significant as it may indicate an attempt to disable or corrupt + Windows Defender, a key security component. If confirmed malicious, this action + could allow an attacker to bypass endpoint protection, facilitating further malicious + activities without detection. data_source: - Powershell Script Block Logging 4104 search: '`powershell` EventCode=4104 ScriptBlockText = "*rmdir *" AND ScriptBlockText = "*\\Microsoft\\Windows Defender*" | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `powershell_remove_windows_defender_directory_filter` ' + | `security_content_ctime(lastTime)` | `powershell_remove_windows_defender_directory_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. @@ -58,6 +60,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/powershell_script_block_with_url_chain.yml b/detections/endpoint/powershell_script_block_with_url_chain.yml index 694e2e5e22..66e0a38616 100644 --- a/detections/endpoint/powershell_script_block_with_url_chain.yml +++ b/detections/endpoint/powershell_script_block_with_url_chain.yml @@ -1,27 +1,31 @@ name: PowerShell Script Block With URL Chain id: 4a3f2a7d-6402-4e64-a76a-869588ec3b57 -version: 1 -date: '2023-06-13' +version: 2 +date: '2024-05-30' author: Steven Dick status: production type: TTP -description: The following analytic identifies a suspicious PowerShell script execution via EventCode 4104 that contains multiple URLs within a function or array. - This is typically found in obfuscated PowerShell or PowerShell executing embedded .NET or binary files that are attempting to download 2nd stage payloads. - During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts. +description: The following analytic identifies suspicious PowerShell script execution + via EventCode 4104 that contains multiple URLs within a function or array. It leverages + PowerShell operational logs to detect script blocks with embedded URLs, often indicative + of obfuscated scripts or those attempting to download secondary payloads. This activity + is significant as it may signal an attempt to execute malicious code or download + additional malware. If confirmed malicious, this could lead to code execution, further + system compromise, or data exfiltration. Review parallel processes and the full + script block for additional context and related artifacts. data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 ScriptBlockText IN ("*http:*","*https:*") - | regex ScriptBlockText="(\"?(https?:\/\/(?:www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b(?:[-a-zA-Z0-9()@:%_\+.~#?&\/=]*))\"?(?:,|\))?){2,}" +search: '`powershell` EventCode=4104 ScriptBlockText IN ("*http:*","*https:*") | regex + ScriptBlockText="(\"?(https?:\/\/(?:www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b(?:[-a-zA-Z0-9()@:%_\+.~#?&\/=]*))\"?(?:,|\))?){2,}" | rex max_match=20 field=ScriptBlockText "(?https?:\/\/(?:www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b(?:[-a-zA-Z0-9()@:%_\+.~#?&\/=]*))" - | eval Path = case(isnotnull(Path),Path,true(),"unknown") - | stats count min(_time) as firstTime max(_time) as lastTime list(ScriptBlockText) as command values(Path) as file_name values(UserID) as user values(url) as url dc(url) as url_count by ActivityID, Computer, EventCode - | rename Computer as dest, EventCode as signature_id - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `powershell_script_block_with_url_chain_filter`' -how_to_implement: The following analytic requires PowerShell operational logs - to be imported. Modify the powershell macro as needed to match the sourcetype or - add index. This analytic is specific to 4104, or PowerShell Script Block Logging. + | eval Path = case(isnotnull(Path),Path,true(),"unknown") | stats count min(_time) + as firstTime max(_time) as lastTime list(ScriptBlockText) as command values(Path) + as file_name values(UserID) as user values(url) as url dc(url) as url_count by ActivityID, + Computer, EventCode | rename Computer as dest, EventCode as signature_id | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `powershell_script_block_with_url_chain_filter`' +how_to_implement: The following analytic requires PowerShell operational logs to be + imported. Modify the powershell macro as needed to match the sourcetype or add index. + This analytic is specific to 4104, or PowerShell Script Block Logging. known_false_positives: Unknown, possible custom scripting. references: - https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations @@ -33,10 +37,11 @@ tags: asset_type: Endpoint confidence: 80 impact: 100 - message: A suspicious powershell script used by $user$ on host $dest$ contains $url_count$ URLs in an array, this is commonly used for malware. + message: A suspicious powershell script used by $user$ on host $dest$ contains $url_count$ + URLs in an array, this is commonly used for malware. mitre_attack_id: - - T1059.001 - - T1105 + - T1059.001 + - T1105 observable: - name: dest type: Endpoint @@ -69,6 +74,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/gootloader/partial_ttps/windows-powershell-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/gootloader/partial_ttps/windows-powershell-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/powershell_start_bitstransfer.yml b/detections/endpoint/powershell_start_bitstransfer.yml index b5bc61d649..f919c87e47 100644 --- a/detections/endpoint/powershell_start_bitstransfer.yml +++ b/detections/endpoint/powershell_start_bitstransfer.yml @@ -1,17 +1,18 @@ name: PowerShell Start-BitsTransfer id: 39e2605a-90d8-11eb-899e-acde48001122 -version: 2 -date: '2021-03-29' +version: 3 +date: '2024-05-17' author: Michael Haag, Splunk status: production type: TTP -description: Start-BitsTransfer is the PowerShell "version" of BitsAdmin.exe. Similar - functionality is present. This technique variation is not as commonly used by adversaries, - but has been abused in the past. Lesser known uses include the ability to set the - `-TransferType` to `Upload` for exfiltration of files. In an instance where `Upload` - is used, it is highly possible files will be archived. During triage, review parallel - processes and process lineage. Capture any files on disk and review. For the remote - domain or IP, what is the reputation? +description: The following analytic detects the execution of the PowerShell command + `Start-BitsTransfer`, which can be used for file transfers, including potential + data exfiltration. It leverages data from Endpoint Detection and Response (EDR) + agents, focusing on process creation events and command-line arguments. This activity + is significant because `Start-BitsTransfer` can be abused by adversaries to upload + sensitive files to remote locations, posing a risk of data loss. If confirmed malicious, + this could lead to unauthorized data exfiltration, compromising sensitive information + and potentially leading to further exploitation of the network. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -76,6 +77,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/powershell_start_or_stop_service.yml b/detections/endpoint/powershell_start_or_stop_service.yml index 625f5eff19..abd5ec0598 100644 --- a/detections/endpoint/powershell_start_or_stop_service.yml +++ b/detections/endpoint/powershell_start_or_stop_service.yml @@ -1,26 +1,34 @@ name: PowerShell Start or Stop Service id: 04207f8a-e08d-4ee6-be26-1e0c4488b04a -version: 1 -date: '2023-03-24' +version: 2 +date: '2024-05-18' author: Michael Haag, Splunk type: Anomaly status: production -data_source: +data_source: - Powershell Script Block Logging 4104 -description: This analytic identifies the use of PowerShell's Start-Service or Stop-Service cmdlets on an endpoint. These cmdlets allow users to start or stop a specified Windows service. The ability to manipulate services can be leveraged by attackers to disable or stop critical services, which can cause system instability or disrupt business operations. - By detecting the use of Start-Service or Stop-Service cmdlets via PowerShell, this analytic can help organizations identify potential malicious activity related to attackers attempting to manipulate services on compromised systems. However, note that this behavior may be noisy, as these cmdlets are commonly used by system administrators or other legitimate users to manage services. Therefore, it is recommended not to enable this analytic as a direct notable or TTP. Instead, it should be used as part of a broader set of security controls to detect and investigate potential threats. -search: '`powershell` EventCode=4104 ScriptBlockText IN ("*start-service*", "*stop-service*") - | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +description: The following analytic identifies the use of PowerShell's Start-Service + or Stop-Service cmdlets on an endpoint. It leverages PowerShell Script Block Logging + to detect these commands. This activity is significant because attackers can manipulate + services to disable or stop critical functions, causing system instability or disrupting + business operations. If confirmed malicious, this behavior could allow attackers + to disable security services, evade detection, or disrupt essential services, leading + to potential system downtime and compromised security. +search: '`powershell` EventCode=4104 ScriptBlockText IN ("*start-service*", "*stop-service*") + | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode + ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_start_or_stop_service_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -known_false_positives: This behavior may be noisy, as these cmdlets are commonly used by system administrators or other legitimate users to manage services. Therefore, it is recommended not to enable this analytic as a direct notable or TTP. Instead, it should be used as part of a broader set of security controls to detect and investigate potential threats. +known_false_positives: This behavior may be noisy, as these cmdlets are commonly used + by system administrators or other legitimate users to manage services. Therefore, + it is recommended not to enable this analytic as a direct notable or TTP. Instead, + it should be used as part of a broader set of security controls to detect and investigate + potential threats. references: - - https://learn-powershell.net/2012/01/15/startingstopping-and-restarting-remote-services-with-powershell/ - - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/start-service?view=powershell-7.3 +- https://learn-powershell.net/2012/01/15/startingstopping-and-restarting-remote-services-with-powershell/ +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/start-service?view=powershell-7.3 tags: analytic_story: - Active Directory Lateral Movement @@ -49,6 +57,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/start_stop_service_windows-powershell.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/start_stop_service_windows-powershell.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/powershell_using_memory_as_backing_store.yml b/detections/endpoint/powershell_using_memory_as_backing_store.yml index 17d6e6d67f..af0da3f683 100644 --- a/detections/endpoint/powershell_using_memory_as_backing_store.yml +++ b/detections/endpoint/powershell_using_memory_as_backing_store.yml @@ -1,21 +1,25 @@ name: Powershell Using memory As Backing Store id: c396a0c4-c9f2-11eb-b4f5-acde48001122 -version: 2 -date: '2023-04-14' +version: 3 +date: '2024-05-26' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic identifies suspicious PowerShell script execution - via EventCode 4104 that is using memory stream as new object backstore. The malicious - PowerShell script will contain stream flate data and will be decompressed in memory - to run or drop the actual payload. During triage, review parallel processes within - the same timeframe. Review the full script block to identify other related artifacts. +description: The following analytic detects suspicious PowerShell script execution + using memory streams as a backing store, identified via EventCode 4104. It leverages + PowerShell Script Block Logging to capture scripts that create new objects with + memory streams, often used to decompress and execute payloads in memory. This activity + is significant as it indicates potential in-memory execution of malicious code, + bypassing traditional file-based detection. If confirmed malicious, this technique + could allow attackers to execute arbitrary code, maintain persistence, or escalate + privileges without leaving a trace on the disk. data_source: - Powershell Script Block Logging 4104 search: '`powershell` EventCode=4104 ScriptBlockText = *New-Object* ScriptBlockText = *IO.MemoryStream* | stats count min(_time) as firstTime max(_time) as lastTime - by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `powershell_using_memory_as_backing_store_filter`' + by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename + UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `powershell_using_memory_as_backing_store_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. @@ -65,6 +69,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/honeypots/pwsh/windows-powershell-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/honeypots/pwsh/windows-powershell-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/powershell_windows_defender_exclusion_commands.yml b/detections/endpoint/powershell_windows_defender_exclusion_commands.yml index dd67d66949..9edee81398 100644 --- a/detections/endpoint/powershell_windows_defender_exclusion_commands.yml +++ b/detections/endpoint/powershell_windows_defender_exclusion_commands.yml @@ -1,21 +1,23 @@ name: Powershell Windows Defender Exclusion Commands id: 907ac95c-4dd9-11ec-ba2c-acde48001122 -version: 2 -date: '2024-04-26' +version: 3 +date: '2024-05-26' author: Teoderick Contreras, Splunk status: production type: TTP -description: This analytic will detect a suspicious process commandline related to - windows defender exclusion feature. This command is abused by adversaries, malware - author and red teams to bypassed Windows Defender Anti-Virus product by excluding folder - path, file path, process, extensions and etc. from its real time or schedule scan - to execute their malicious code. This is a good indicator for defense evasion and - to look further for events after this behavior. +description: The following analytic detects the use of PowerShell commands to add + or set Windows Defender exclusions. It leverages EventCode 4104 to identify suspicious + `Add-MpPreference` or `Set-MpPreference` commands with exclusion parameters. This + activity is significant because adversaries often use it to bypass Windows Defender, + allowing malicious code to execute without detection. If confirmed malicious, this + behavior could enable attackers to evade antivirus defenses, maintain persistence, + and execute further malicious activities undetected. data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 (ScriptBlockText = "*Add-MpPreference *" OR ScriptBlockText = - "*Set-MpPreference *") AND ScriptBlockText = "*-exclusion*" | stats count min(_time) as - firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` +search: '`powershell` EventCode=4104 (ScriptBlockText = "*Add-MpPreference *" OR ScriptBlockText + = "*Set-MpPreference *") AND ScriptBlockText = "*-exclusion*" | stats count min(_time) + as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID + | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_windows_defender_exclusion_commands_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from @@ -58,14 +60,15 @@ tags: required_fields: - _time - EventCode - - Message - - ComputerName - - User + - ScriptBlockText + - Computer + - UserID risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/powershell_windows_defender_exclusion_commands/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/powershell_windows_defender_exclusion_commands/windows-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/print_processor_registry_autostart.yml b/detections/endpoint/print_processor_registry_autostart.yml index 6f583234c7..1ed17ebb5e 100644 --- a/detections/endpoint/print_processor_registry_autostart.yml +++ b/detections/endpoint/print_processor_registry_autostart.yml @@ -1,15 +1,17 @@ name: Print Processor Registry Autostart id: 1f5b68aa-2037-11ec-898e-acde48001122 -version: 2 -date: '2024-04-26' +version: 3 +date: '2024-05-25' author: Teoderick Contreras, Splunk status: experimental type: TTP -description: This analytic is to detect a suspicious modification or new registry - entry regarding print processor. This registry is known to be abuse by turla or - other APT to gain persistence and privilege escalation to the compromised machine. - This is done by adding the malicious dll payload on the new created key in this - registry that will be executed as it restarted the spoolsv.exe process and services. +description: The following analytic detects suspicious modifications or new entries + in the Print Processor registry path. It leverages registry activity data from the + Endpoint data model to identify changes in the specified registry path. This activity + is significant because the Print Processor registry is known to be exploited by + APT groups like Turla for persistence and privilege escalation. If confirmed malicious, + this could allow an attacker to execute a malicious DLL payload by restarting the + spoolsv.exe process, leading to potential control over the compromised machine. data_source: - Sysmon EventID 12 - Sysmon EventID 13 @@ -68,6 +70,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/1f5b68aa-2037-11ec-898e-acde48001122.txt + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/1f5b68aa-2037-11ec-898e-acde48001122.txt source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/print_spooler_adding_a_printer_driver.yml b/detections/endpoint/print_spooler_adding_a_printer_driver.yml index ab2dc907a5..3952fd8e68 100644 --- a/detections/endpoint/print_spooler_adding_a_printer_driver.yml +++ b/detections/endpoint/print_spooler_adding_a_printer_driver.yml @@ -1,22 +1,18 @@ name: Print Spooler Adding A Printer Driver id: 313681a2-da8e-11eb-adad-acde48001122 -version: 1 -date: '2021-07-01' +version: 2 +date: '2024-05-18' author: Mauricio Velazco, Michael Haag, Teoderick Contreras, Splunk status: production type: TTP -description: 'The following analytic identifies new printer drivers being load by - utilizing the Windows PrintService operational logs, EventCode 316. This was identified - during our testing of CVE-2021-34527 previously (CVE-2021-1675) or PrintNightmare. - - - Within the proof of concept code, the following event will occur - "Printer driver - 1234 for Windows x64 Version-3 was added or updated. Files:- UNIDRV.DLL, kernelbase.dll, - evil.dll. No user action is required." - - During triage, isolate the endpoint and review for source of exploitation. Capture - any additional file modification events and review the source of where the exploitation - began.' +description: 'The following analytic detects the addition of new printer drivers by + monitoring Windows PrintService operational logs, specifically EventCode 316. This + detection leverages log data to identify messages indicating the addition or update + of printer drivers, such as "kernelbase.dll" and "UNIDRV.DLL." This activity is + significant as it may indicate exploitation attempts related to vulnerabilities + like CVE-2021-34527 (PrintNightmare). If confirmed malicious, attackers could gain + code execution or escalate privileges, potentially compromising the affected system. + Immediate isolation and investigation of the endpoint are recommended.' data_source: - Windows Event Log Printservice 316 search: '`printservice` EventCode=316 category = "Adding a printer driver" Message @@ -65,6 +61,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/printnightmare/windows-printservice_operational.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/printnightmare/windows-printservice_operational.log source: WinEventLog:Microsoft-Windows-PrintService/Operational sourcetype: WinEventLog diff --git a/detections/endpoint/print_spooler_failed_to_load_a_plug_in.yml b/detections/endpoint/print_spooler_failed_to_load_a_plug_in.yml index 17bc87f66c..335ac79e6e 100644 --- a/detections/endpoint/print_spooler_failed_to_load_a_plug_in.yml +++ b/detections/endpoint/print_spooler_failed_to_load_a_plug_in.yml @@ -1,22 +1,18 @@ name: Print Spooler Failed to Load a Plug-in id: 1adc9548-da7c-11eb-8f13-acde48001122 -version: 1 -date: '2021-07-01' +version: 2 +date: '2024-05-28' author: Mauricio Velazco, Michael Haag, Splunk status: production type: TTP -description: 'The following analytic identifies driver load errors utilizing the Windows - PrintService Admin logs. This was identified during our testing of CVE-2021-34527 - previously (CVE-2021-1675) or PrintNightmare. - - Within the proof of concept code, the following error will occur - "The print spooler - failed to load a plug-in module C:\Windows\system32\spool\DRIVERS\x64\3\meterpreter.dll, - error code 0x45A. See the event user data for context information." - - The analytic is based on file path and failure to load the plug-in. - - During triage, isolate the endpoint and review for source of exploitation. Capture - any additional file modification events.' +description: 'The following analytic detects driver load errors in the Windows PrintService + Admin logs, specifically identifying issues related to CVE-2021-34527 (PrintNightmare). + It triggers on error messages indicating the print spooler failed to load a plug-in + module, such as "meterpreter.dll," with error code 0x45A. This detection method + leverages specific event codes and error messages. This activity is significant + as it may indicate an exploitation attempt of a known vulnerability. If confirmed + malicious, an attacker could gain unauthorized code execution on the affected system, + leading to potential system compromise.' data_source: - Windows Event Log Printservice 808 - Windows Event Log Printservice 4909 @@ -66,6 +62,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/printnightmare/windows-printservice_admin.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/printnightmare/windows-printservice_admin.log source: WinEventLog:Microsoft-Windows-PrintService/Admin sourcetype: WinEventLog diff --git a/detections/endpoint/process_deleting_its_process_file_path.yml b/detections/endpoint/process_deleting_its_process_file_path.yml index c7fc573d18..7a5942249f 100644 --- a/detections/endpoint/process_deleting_its_process_file_path.yml +++ b/detections/endpoint/process_deleting_its_process_file_path.yml @@ -1,15 +1,18 @@ name: Process Deleting Its Process File Path id: f7eda4bc-871c-11eb-b110-acde48001122 -version: 2 -date: '2023-04-14' +version: 3 +date: '2024-05-27' author: Teoderick Contreras status: production type: TTP -description: This detection is to identify a suspicious process that tries to delete - the process file path related to its process. This technique is known to be defense - evasion once a certain condition of malware is satisfied or not. Clop ransomware - use this technique where it will try to delete its process file path using a .bat - command if the keyboard layout is not the layout it tries to infect. +description: The following analytic identifies a process attempting to delete its + own file path, a behavior often associated with defense evasion techniques. This + detection leverages Sysmon EventCode 1 logs, focusing on command lines executed + via cmd.exe that include deletion commands. This activity is significant as it may + indicate malware, such as Clop ransomware, trying to evade detection by removing + its executable file if certain conditions are met. If confirmed malicious, this + could allow the attacker to persist undetected, complicating incident response and + remediation efforts. data_source: - Sysmon EventID 1 search: '`sysmon` EventCode=1 CommandLine = "* /c *" CommandLine = "* del*" Image @@ -74,6 +77,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_a/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_a/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/process_execution_via_wmi.yml b/detections/endpoint/process_execution_via_wmi.yml index e61bb49661..7516cc6bb5 100644 --- a/detections/endpoint/process_execution_via_wmi.yml +++ b/detections/endpoint/process_execution_via_wmi.yml @@ -1,22 +1,28 @@ name: Process Execution via WMI id: 24869767-8579-485d-9a4f-d9ddfd8f0cac -version: 5 -date: '2020-03-16' +version: 6 +date: '2024-05-22' author: Rico Valdez, Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies `WmiPrvSE.exe` spawning a process. - This typically occurs when a process is instantiated from a local or remote process - using `wmic.exe`. During triage, review parallel processes for suspicious behavior - or commands executed. Review the process and command-line spawning from `wmiprvse.exe`. - Contain and remediate the endpoint as necessary. +description: The following analytic detects the execution of a process by `WmiPrvSE.exe`, + indicating potential use of WMI (Windows Management Instrumentation) for process + creation. This detection leverages data from Endpoint Detection and Response (EDR) + agents, focusing on process and parent process relationships. This activity is significant + as WMI can be used for lateral movement, remote code execution, or persistence by + attackers. If confirmed malicious, this could allow an attacker to execute arbitrary + commands or scripts, potentially leading to further compromise of the affected system + or network. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=WmiPrvSE.exe NOT (Processes.process IN ("*\\dismhost.exe*")) - by Processes.dest Processes.user Processes.parent_process Processes.process_name - Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `process_execution_via_wmi_filter` ' + as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=WmiPrvSE.exe + NOT (Processes.process IN ("*\\dismhost.exe*")) by Processes.dest Processes.user + Processes.parent_process Processes.process_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `process_execution_via_wmi_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -35,7 +41,8 @@ tags: asset_type: Endpoint confidence: 70 impact: 70 - message: A remote instance execution of wmic.exe by WmiPrvSE.exe detected on host - $dest$ + message: A remote instance execution of wmic.exe by WmiPrvSE.exe detected on host + - $dest$ mitre_attack_id: - T1047 observable: @@ -63,6 +70,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/process_writing_dynamicwrapperx.yml b/detections/endpoint/process_writing_dynamicwrapperx.yml index 5b5c591842..f73f8a86b5 100644 --- a/detections/endpoint/process_writing_dynamicwrapperx.yml +++ b/detections/endpoint/process_writing_dynamicwrapperx.yml @@ -1,18 +1,18 @@ name: Process Writing DynamicWrapperX id: b0a078e4-2601-11ec-9aec-acde48001122 -version: 1 -date: '2021-10-05' +version: 2 +date: '2024-05-21' author: Michael Haag, Splunk status: production type: Hunting -description: DynamicWrapperX is an ActiveX component that can be used in a script - to call Windows API functions, but it requires the dynwrapx.dll to be installed - and registered. With that, a binary writing dynwrapx.dll to disk and registering - it into the registry is highly suspect. Why is it needed? In most malicious instances, - it will be written to disk at a non-standard location. During triage, review parallel - processes and pivot on the process_guid. Review the registry for any suspicious - modifications meant to load dynwrapx.dll. Identify any suspicious module loads of - dynwrapx.dll. This will identify the process that will invoke vbs/wscript/cscript. +description: The following analytic detects a process writing the dynwrapx.dll file + to disk and registering it in the registry. It leverages data from the Endpoint + datamodel, specifically monitoring process and filesystem events. This activity + is significant because DynamicWrapperX is an ActiveX component often used in scripts + to call Windows API functions, and its presence in non-standard locations is highly + suspicious. If confirmed malicious, this could allow an attacker to execute arbitrary + code, escalate privileges, or maintain persistence within the environment. Immediate + investigation of parallel processes and registry modifications is recommended. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes @@ -82,6 +82,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/processes_launching_netsh.yml b/detections/endpoint/processes_launching_netsh.yml index c7b0336c50..9d7abc4478 100644 --- a/detections/endpoint/processes_launching_netsh.yml +++ b/detections/endpoint/processes_launching_netsh.yml @@ -1,16 +1,18 @@ name: Processes launching netsh id: b89919ed-fe5f-492c-b139-95dbb162040e -version: 4 -date: '2021-09-16' +version: 5 +date: '2024-05-24' author: Michael Haag, Josef Kuepker, Splunk status: production type: Anomaly -description: This search looks for processes launching netsh.exe. Netsh is a command-line - scripting utility that allows you to, either locally or remotely, display or modify - the network configuration of a computer that is currently running. Netsh can be - used as a persistence proxy technique to execute a helper DLL when netsh.exe is - executed. In this search, we are looking for processes spawned by netsh.exe and - executing commands via the command line. +description: The following analytic identifies processes launching netsh.exe, a command-line + utility used to modify network configurations. It detects this activity by analyzing + data from Endpoint Detection and Response (EDR) agents, focusing on process GUIDs, + names, parent processes, and command-line executions. This behavior is significant + because netsh.exe can be exploited to execute malicious helper DLLs, serving as + a persistence mechanism. If confirmed malicious, an attacker could gain persistent + access, modify network settings, and potentially escalate privileges, posing a severe + threat to the network's integrity and security. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count values(Processes.process) @@ -75,6 +77,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.004/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.004/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/processes_tapping_keyboard_events.yml b/detections/endpoint/processes_tapping_keyboard_events.yml index 83d459c9d2..78f429cedd 100644 --- a/detections/endpoint/processes_tapping_keyboard_events.yml +++ b/detections/endpoint/processes_tapping_keyboard_events.yml @@ -1,20 +1,25 @@ name: Processes Tapping Keyboard Events id: 2a371608-331d-4034-ae2c-21dda8f1d0ec -version: 1 -date: '2019-01-25' +version: 2 +date: '2024-05-13' author: Jose Hernandez, Splunk status: experimental type: TTP -description: This search looks for processes in an MacOS system that is tapping keyboard - events in MacOS, and essentially monitoring all keystrokes made by a user. This - is a common technique used by RATs to log keystrokes from a victim, although it - can also be used by legitimate processes like Siri to react on human input +description: The following analytic detects processes on macOS systems that are tapping + keyboard events, potentially monitoring all keystrokes made by a user. It leverages + data from osquery results within the Alerts data model, focusing on specific process + names and command lines. This activity is significant as it is a common technique + used by Remote Access Trojans (RATs) to log keystrokes, posing a serious security + risk. If confirmed malicious, this could lead to unauthorized access to sensitive + information, including passwords and personal data, compromising the integrity and + confidentiality of the system. data_source: [] search: '| from datamodel Alerts.Alerts | search app=osquery:results name=pack_osx-attacks_Keyboard_Event_Taps | rename columns.cmdline as cmd, columns.name as process_name, columns.pid as process_id| dedup host,process_name | table host,process_name, cmd, process_id | `processes_tapping_keyboard_events_filter`' how_to_implement: In order to properly run this search, Splunk needs to ingest data - from your osquery deployed agents with the [osx-attacks.conf](https://github.com/facebook/osquery/blob/experimental/packs/osx-attacks.conf#L599) + from your osquery deployed agents with the + [osx-attacks.conf](https://github.com/facebook/osquery/blob/experimental/packs/osx-attacks.conf#L599) pack enabled. Also the [TA-OSquery](https://github.com/d1vious/TA-osquery) must be deployed across your indexers and universal forwarders in order to have the osquery data populate the Alerts data model. diff --git a/detections/endpoint/randomly_generated_scheduled_task_name.yml b/detections/endpoint/randomly_generated_scheduled_task_name.yml index ce1163e1f6..ecb46d821e 100644 --- a/detections/endpoint/randomly_generated_scheduled_task_name.yml +++ b/detections/endpoint/randomly_generated_scheduled_task_name.yml @@ -1,21 +1,18 @@ name: Randomly Generated Scheduled Task Name id: 9d22a780-5165-11ec-ad4f-3e22fbd008af -version: 1 -date: '2021-11-29' +version: 2 +date: '2024-05-28' author: Mauricio Velazco, Splunk status: experimental type: Hunting -description: The following hunting analytic leverages Event ID 4698, `A scheduled - task was created`, to identify the creation of a Scheduled Task with a suspicious, - high entropy, Task Name. To achieve this, this analytic also leverages the `ut_shannon` - function from the URL ToolBox Splunk application. Red teams and adversaries alike - may abuse the Task Scheduler to create and start a remote Scheduled Task and obtain - remote code execution. To achieve this goal, tools like Impacket or Crapmapexec, - typically create a Scheduled Task with a random task name on the victim host. This - hunting analytic may help defenders identify Scheduled Tasks created as part of - a lateral movement attack. The entropy threshold `ut_shannon > 3` should be customized - by users. The Command field can be used to determine if the task has malicious intent - or not. +description: The following analytic detects the creation of a Scheduled Task with + a high entropy, randomly generated name, leveraging Event ID 4698. It uses the `ut_shannon` + function from the URL ToolBox Splunk application to measure the entropy of the Task + Name. This activity is significant as adversaries often use randomly named Scheduled + Tasks for lateral movement and remote code execution, employing tools like Impacket + or CrackMapExec. If confirmed malicious, this could allow attackers to execute arbitrary + code remotely, potentially leading to further compromise and persistence within + the network. data_source: - Windows Event Log Security 4698 search: ' `wineventlog_security` EventCode=4698 | xmlkv Message | lookup ut_shannon_lookup diff --git a/detections/endpoint/randomly_generated_windows_service_name.yml b/detections/endpoint/randomly_generated_windows_service_name.yml index de14a6bd39..24a5d97d46 100644 --- a/detections/endpoint/randomly_generated_windows_service_name.yml +++ b/detections/endpoint/randomly_generated_windows_service_name.yml @@ -1,27 +1,22 @@ name: Randomly Generated Windows Service Name id: 2032a95a-5165-11ec-a2c3-3e22fbd008af -version: 1 -date: '2021-11-29' +version: 2 +date: '2024-05-30' author: Mauricio Velazco, Splunk status: experimental type: Hunting -description: The following hunting analytic leverages Event ID 7045, `A new service - was installed in the system`, to identify the installation of a Windows Service - with a suspicious, high entropy, Service Name. To achieve this, this analytic also - leverages the `ut_shannon` function from the URL ToolBox Splunk application. Red - teams and adversaries alike may abuse the Service Control Manager to create and - start a remote Windows Service and obtain remote code execution. To achieve this - goal, some tools like Metasploit, Cobalt Strike and Impacket, typically create a - Windows Service with a random service name on the victim host. This hunting analytic - may help defenders identify Windows Services installed as part of a lateral movement - attack. The entropy threshold `ut_shannon > 3` should be customized by users. The - Service_File_Name field can be used to determine if the Windows Service has malicious - intent or not. +description: The following analytic detects the installation of a Windows Service + with a suspicious, high-entropy name, indicating potential malicious activity. It + leverages Event ID 7045 and the `ut_shannon` function from the URL ToolBox Splunk + application to identify services with random names. This behavior is significant + as adversaries often use randomly named services for lateral movement and remote + code execution. If confirmed malicious, this activity could allow attackers to execute + arbitrary code, escalate privileges, or maintain persistence within the environment. data_source: - Windows Event Log System 7045 search: ' `wineventlog_system` EventCode=7045 | lookup ut_shannon_lookup word as Service_Name | where ut_shannon > 3 | table EventCode ComputerName Service_Name ut_shannon Service_Start_Type - Service_Type Service_File_Name | `randomly_generated_windows_service_name_filter` ' + Service_Type Service_File_Name | `randomly_generated_windows_service_name_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints. The Windows TA as well as the URL ToolBox application are also diff --git a/detections/endpoint/ransomware_notes_bulk_creation.yml b/detections/endpoint/ransomware_notes_bulk_creation.yml index 5a8198bfaf..662f35efe9 100644 --- a/detections/endpoint/ransomware_notes_bulk_creation.yml +++ b/detections/endpoint/ransomware_notes_bulk_creation.yml @@ -1,22 +1,24 @@ name: Ransomware Notes bulk creation id: eff7919a-8330-11eb-83f8-acde48001122 -version: 1 -date: '2021-03-12' +version: 2 +date: '2024-05-25' author: Teoderick Contreras status: production type: Anomaly -description: The following analytics identifies a big number of instance of ransomware - notes (filetype e.g .txt, .html, .hta) file creation to the infected machine. This - behavior is a good sensor if the ransomware note filename is quite new for security - industry or the ransomware note filename is not in your ransomware lookup table - list for monitoring. +description: The following analytic identifies the bulk creation of ransomware notes + (e.g., .txt, .html, .hta files) on an infected machine. It leverages Sysmon EventCode + 11 to detect multiple instances of these file types being created within a short + time frame. This activity is significant as it often indicates an active ransomware + attack, where the attacker is notifying the victim of the encryption. If confirmed + malicious, this behavior could lead to widespread data encryption, rendering critical + files inaccessible and potentially causing significant operational disruption. data_source: - Sysmon EventID 11 search: '`sysmon` EventCode=11 file_name IN ("*\.txt","*\.html","*\.hta") |bin _time span=10s | stats min(_time) as firstTime max(_time) as lastTime dc(TargetFilename) as unique_readme_path_count values(TargetFilename) as list_of_readme_path by Computer - Image file_name | rename Computer as dest | where unique_readme_path_count >= 15 | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `ransomware_notes_bulk_creation_filter`' + Image file_name | rename Computer as dest | where unique_readme_path_count >= 15 + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ransomware_notes_bulk_creation_filter`' how_to_implement: You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which @@ -62,6 +64,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_a/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_a/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/recon_avproduct_through_pwh_or_wmi.yml b/detections/endpoint/recon_avproduct_through_pwh_or_wmi.yml index 32bfad1a2d..eedc4ade5b 100644 --- a/detections/endpoint/recon_avproduct_through_pwh_or_wmi.yml +++ b/detections/endpoint/recon_avproduct_through_pwh_or_wmi.yml @@ -1,23 +1,25 @@ name: Recon AVProduct Through Pwh or WMI id: 28077620-c9f6-11eb-8785-acde48001122 -version: 2 -date: '2023-04-14' +version: 3 +date: '2024-05-21' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic identifies suspicious PowerShell script execution - via EventCode 4104 performing checks to identify anti-virus products installed on - the endpoint. This technique is commonly found in malware and APT events where the - adversary will map all running security applications or services. During triage, - review parallel processes within the same timeframe. Review the full script block - to identify other related artifacts. +description: The following analytic detects suspicious PowerShell script execution + via EventCode 4104, specifically targeting checks for installed anti-virus products + using WMI or PowerShell commands. This detection leverages PowerShell Script Block + Logging to identify scripts containing keywords like "SELECT," "WMIC," "AntiVirusProduct," + or "AntiSpywareProduct." This activity is significant as it is commonly used by + malware and APT actors to map running security applications or services, potentially + aiding in evasion techniques. If confirmed malicious, this could allow attackers + to disable or bypass security measures, leading to further compromise of the endpoint. data_source: - Powershell Script Block Logging 4104 search: '`powershell` EventCode=4104 (ScriptBlockText = "*SELECT*" OR ScriptBlockText = "*WMIC*") AND (ScriptBlockText = "*AntiVirusProduct*" OR ScriptBlockText = "*AntiSpywareProduct*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText - Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `recon_avproduct_through_pwh_or_wmi_filter`' + Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `recon_avproduct_through_pwh_or_wmi_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. @@ -68,6 +70,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/t1592/pwh_av_recon/windows-powershell-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/t1592/pwh_av_recon/windows-powershell-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/recon_using_wmi_class.yml b/detections/endpoint/recon_using_wmi_class.yml index 0d09ba0f58..c38b04e789 100644 --- a/detections/endpoint/recon_using_wmi_class.yml +++ b/detections/endpoint/recon_using_wmi_class.yml @@ -1,16 +1,18 @@ name: Recon Using WMI Class id: 018c1972-ca07-11eb-9473-acde48001122 -version: 2 -date: '2023-11-07' +version: 3 +date: '2024-05-18' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic identifies suspicious PowerShell via EventCode - 4104, where WMI is performing an event query looking for running processes or running - services. This technique is commonly found where the adversary will identify services - and system information on the compromised machine. During triage, review parallel - processes within the same timeframe. Review the full script block to identify other - related artifacts. +description: The following analytic detects suspicious PowerShell activity via EventCode + 4104, where WMI performs event queries to gather information on running processes + or services. This detection leverages PowerShell Script Block Logging to identify + specific WMI queries targeting system information classes like Win32_Bios and Win32_OperatingSystem. + This activity is significant as it often indicates reconnaissance efforts by an + adversary to profile the compromised machine. If confirmed malicious, the attacker + could gain detailed system information, aiding in further exploitation or lateral + movement within the network. data_source: - Powershell Script Block Logging 4104 search: '`powershell` EventCode=4104 (ScriptBlockText= "*SELECT*" OR ScriptBlockText= @@ -19,8 +21,8 @@ search: '`powershell` EventCode=4104 (ScriptBlockText= "*SELECT*" OR ScriptBlock OR ScriptBlockText= "*Win32_PnPEntity*" OR ScriptBlockText= "*Win32_ShadowCopy*" OR ScriptBlockText= "*Win32_DiskDrive*" OR ScriptBlockText= "*Win32_PhysicalMemory*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText - Computer UserID | rename Computer as dest | rename UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `recon_using_wmi_class_filter`' + Computer UserID | rename Computer as dest | rename UserID as user| `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `recon_using_wmi_class_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. @@ -46,7 +48,8 @@ tags: asset_type: Endpoint confidence: 80 impact: 75 - message: A suspicious powershell script contains host recon commands detected on host $dest$ + message: A suspicious powershell script contains host recon commands detected on + host $dest$ mitre_attack_id: - T1592 - T1059.001 @@ -74,6 +77,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/reconusingwmi.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/reconusingwmi.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/recursive_delete_of_directory_in_batch_cmd.yml b/detections/endpoint/recursive_delete_of_directory_in_batch_cmd.yml index 35b06a0e4a..efef3925a2 100644 --- a/detections/endpoint/recursive_delete_of_directory_in_batch_cmd.yml +++ b/detections/endpoint/recursive_delete_of_directory_in_batch_cmd.yml @@ -1,14 +1,18 @@ name: Recursive Delete of Directory In Batch CMD id: ba570b3a-d356-11eb-8358-acde48001122 -version: 3 -date: '2022-11-12' +version: 4 +date: '2024-05-10' author: Teoderick Contreras, Splunk status: production type: TTP -description: This search is to detect a suspicious commandline designed to delete - files or directory recursive using batch command. This technique was seen in ransomware - (reddot) where it it tries to delete the files in recycle bin to impaire user from - recovering deleted files. +description: The following analytic detects the execution of a batch command designed + to recursively delete files or directories, a technique often used by ransomware + like Reddot to delete files in the recycle bin and prevent recovery. It leverages + data from Endpoint Detection and Response (EDR) agents, focusing on command-line + executions that include specific flags for recursive and quiet deletions. This activity + is significant as it indicates potential ransomware behavior aimed at data destruction. + If confirmed malicious, it could lead to significant data loss and hinder recovery + efforts, severely impacting business operations. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -67,6 +71,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data2/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data2/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/registry_keys_used_for_persistence.yml b/detections/endpoint/registry_keys_used_for_persistence.yml index 473156374a..c627f41d35 100644 --- a/detections/endpoint/registry_keys_used_for_persistence.yml +++ b/detections/endpoint/registry_keys_used_for_persistence.yml @@ -1,17 +1,19 @@ name: Registry Keys Used For Persistence id: f5f6af30-7aa7-4295-bfe9-07fe87c01a4b -version: 9 -date: '2023-12-27' +version: 10 +date: '2024-05-25' author: Jose Hernandez, David Dorsey, Teoderick Contreras, Rod Soto, Splunk status: production type: TTP -description: The search looks for modifications or alterations made to registry keys - that have the potential to initiate the launch of an application or service during - system startup. By monitoring and detecting modifications in these registry keys, - we can identify suspicious or unauthorized changes that could be indicative of malicious - activity. This proactive approach helps in safeguarding the system's integrity and - security by promptly identifying and mitigating potential threats that aim to gain - persistence or execute malicious actions during the startup process. +description: The following analytic identifies modifications to registry keys commonly + used for persistence mechanisms. It leverages data from endpoint detection sources + like Sysmon or Carbon Black, focusing on specific registry paths known to initiate + applications or services during system startup. This activity is significant as + unauthorized changes to these keys can indicate attempts to maintain persistence + or execute malicious actions upon system boot. If confirmed malicious, this could + allow attackers to achieve persistent access, execute arbitrary code, or maintain + control over compromised systems, posing a severe threat to system integrity and + security. data_source: - Sysmon EventID 12 - Sysmon EventID 13 @@ -105,6 +107,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.001/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/registry_keys_used_for_privilege_escalation.yml b/detections/endpoint/registry_keys_used_for_privilege_escalation.yml index e38075bdc0..f04259902b 100644 --- a/detections/endpoint/registry_keys_used_for_privilege_escalation.yml +++ b/detections/endpoint/registry_keys_used_for_privilege_escalation.yml @@ -1,22 +1,27 @@ name: Registry Keys Used For Privilege Escalation id: c9f4b923-f8af-4155-b697-1354f5bcbc5e -version: 7 -date: '2023-04-27' +version: 8 +date: '2024-05-18' author: Steven Dick, David Dorsey, Teoderick Contreras, Splunk status: production type: TTP -description: This search looks for modifications to registry keys that can be used - to elevate privileges. The registry keys under "Image File Execution Options" are - used to intercept calls to an executable and can be used to attach malicious binaries - to benign system binaries. +description: The following analytic detects modifications to registry keys under "Image + File Execution Options" that can be used for privilege escalation. It leverages + data from the Endpoint.Registry data model, specifically monitoring changes to registry + paths and values like GlobalFlag and Debugger. This activity is significant because + attackers can use these modifications to intercept executable calls and attach malicious + binaries to legitimate system binaries. If confirmed malicious, this could allow + attackers to execute arbitrary code with elevated privileges, leading to potential + system compromise and persistent access. data_source: - Sysmon EventID 12 - Sysmon EventID 13 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE ((Registry.registry_path="*Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options*") AND (Registry.registry_value_name=GlobalFlag OR Registry.registry_value_name=Debugger)) - BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name - Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` + BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name + Registry.registry_value_name Registry.registry_value_data Registry.process_guid + | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `registry_keys_used_for_privilege_escalation_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your @@ -68,6 +73,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.012/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.012/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml b/detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml index 7be7483dda..9694429dc7 100644 --- a/detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml +++ b/detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml @@ -1,16 +1,17 @@ name: Regsvr32 Silent and Install Param Dll Loading id: f421c250-24e7-11ec-bc43-acde48001122 -version: 1 -date: '2023-04-14' +version: 2 +date: '2024-05-29' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This analytic is to detect a loading of dll using regsvr32 application - with silent parameter and dllinstall execution. This technique was seen in several - RAT malware similar to remcos, njrat and adversaries to load their malicious DLL - on the compromised machine. This TTP may executed by normal 3rd party application - so it is better to pivot by the parent process, parent command-line and command-line - of the file that execute this regsvr32. +description: The following analytic detects the loading of a DLL using the regsvr32 + application with the silent parameter and DLLInstall execution. It leverages data + from Endpoint Detection and Response (EDR) agents, focusing on process command-line + arguments and parent process details. This activity is significant as it is commonly + used by RAT malware like Remcos and njRAT to load malicious DLLs on compromised + machines. If confirmed malicious, this technique could allow attackers to execute + arbitrary code, maintain persistence, and further compromise the system. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -89,6 +90,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.005/vbs_wscript/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.005/vbs_wscript/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/regsvr32_with_known_silent_switch_cmdline.yml b/detections/endpoint/regsvr32_with_known_silent_switch_cmdline.yml index 934fd284b6..fca732291a 100644 --- a/detections/endpoint/regsvr32_with_known_silent_switch_cmdline.yml +++ b/detections/endpoint/regsvr32_with_known_silent_switch_cmdline.yml @@ -1,18 +1,18 @@ name: Regsvr32 with Known Silent Switch Cmdline id: c9ef7dc4-eeaf-11eb-b2b6-acde48001122 -version: 2 -date: '2021-07-27' +version: 3 +date: '2024-05-11' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic identifies Regsvr32.exe utilizing the silent switch - to load DLLs. This technique has most recently been seen in IcedID campaigns to - load its initial dll that will download the 2nd stage loader that will download - and decrypt the config payload. The switch type may be either a hyphen `-` or forward - slash `/`. This behavior is typically found with `-s`, and it is possible there - are more switch types that may be used. \ During triage, review parallel processes - and capture any artifacts that may have landed on disk. Isolate and contain the - endpoint as necessary. +description: The following analytic detects the execution of Regsvr32.exe with the + silent switch to load DLLs. This behavior is identified using Endpoint Detection + and Response (EDR) telemetry, focusing on command-line executions containing the + `-s` or `/s` switches. This activity is significant as it is commonly used in malware + campaigns, such as IcedID, to stealthily load malicious DLLs. If confirmed malicious, + this could allow an attacker to execute arbitrary code, download additional payloads, + and potentially compromise the system further. Immediate investigation and endpoint + isolation are recommended. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -90,6 +90,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/inf_icedid/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/inf_icedid/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/remcos_client_registry_install_entry.yml b/detections/endpoint/remcos_client_registry_install_entry.yml index c43cf69ef2..a85fb22e64 100644 --- a/detections/endpoint/remcos_client_registry_install_entry.yml +++ b/detections/endpoint/remcos_client_registry_install_entry.yml @@ -1,12 +1,12 @@ name: Remcos client registry install entry id: f2a1615a-1d63-11ec-97d2-acde48001122 -version: 3 -date: '2022-11-14' +version: 4 +date: '2024-05-28' author: Steven Dick, Bhavin Patel, Rod Soto, Teoderick Contreras, Splunk status: production type: TTP description: |- - The following analytic detects the presence of a registry key related to the Remcos RAT agent on a host. This detection is made by a Splunk query to search for instances where the registry key "license" is found in the "Software\Remcos" path. This analytic combines information from two data models: Endpoint.Processes and Endpoint.Registry and retrieves process information such as user, process ID, process name, process path, destination, parent process name, parent process, and process GUID. This analytic also retrieves registry information such as registry path, registry key name, registry value name, registry value data, and process GUID. By joining the process GUID from the Endpoint.Processes data model with the process GUID from the Endpoint.Registry data model, the analytic identifies instances where the "license" registry key is found in the "Software\Remcos" path. This detection is important because it suggests that the host has been compromised by the Remcos RAT agent. Remcos is a well-known remote access Trojan that can be used by attackers to gain unauthorized access to systems and exfiltrate sensitive data. Identifying this behavior allows the SOC to take immediate action to remove the RAT agent and prevent further compromise. The impact of this attack can be severe, as the attacker can gain unauthorized access to the system, steal sensitive information, or use the compromised system as a launching point for further attacks. Next steps include using this analytic in conjunction with other security measures and threat intelligence to ensure accurate detection and response. + The following analytic detects the presence of a registry key associated with the Remcos RAT agent on a host. It leverages data from the Endpoint.Processes and Endpoint.Registry data models in Splunk, focusing on instances where the "license" key is found in the "Software\Remcos" path. This behavior is significant as it indicates potential compromise by the Remcos RAT, a remote access Trojan used for unauthorized access and data exfiltration. If confirmed malicious, the attacker could gain control over the system, steal sensitive information, or use the compromised host for further attacks. Immediate investigation and remediation are required. data_source: - Sysmon EventID 1 - Sysmon EventID 12 @@ -76,6 +76,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos_registry/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos_registry/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/remcos_rat_file_creation_in_remcos_folder.yml b/detections/endpoint/remcos_rat_file_creation_in_remcos_folder.yml index 14046accd6..ad7ea90bde 100644 --- a/detections/endpoint/remcos_rat_file_creation_in_remcos_folder.yml +++ b/detections/endpoint/remcos_rat_file_creation_in_remcos_folder.yml @@ -1,14 +1,17 @@ name: Remcos RAT File Creation in Remcos Folder id: 25ae862a-1ac3-11ec-94a1-acde48001122 -version: 2 -date: '2021-09-21' +version: 3 +date: '2024-05-24' author: Teoderick Contreras, Splunk, Sanjay Govind status: production type: TTP -description: This search is to detect file creation in remcos folder in appdata which - is the keylog and clipboard logs that will be send to its c2 server. This is really - a good TTP indicator that there is a remcos rat in the system that do keylogging, - clipboard grabbing and audio recording. +description: The following analytic detects the creation of files in the Remcos folder + within the AppData directory, specifically targeting keylog and clipboard log files. + It leverages the Endpoint.Filesystem data model to identify .dat files created in + paths containing "remcos." This activity is significant as it indicates the presence + of the Remcos RAT, which performs keylogging, clipboard capturing, and audio recording. + If confirmed malicious, this could lead to unauthorized data exfiltration and extensive + surveillance capabilities for the attacker. data_source: - Sysmon EventID 11 search: '|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -53,6 +56,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos_agent/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos_agent/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/remote_desktop_process_running_on_system.yml b/detections/endpoint/remote_desktop_process_running_on_system.yml index 413ce0d513..b5a0af8292 100644 --- a/detections/endpoint/remote_desktop_process_running_on_system.yml +++ b/detections/endpoint/remote_desktop_process_running_on_system.yml @@ -1,21 +1,25 @@ name: Remote Desktop Process Running On System id: f5939373-8054-40ad-8c64-cec478a22a4a -version: 5 -date: '2020-07-21' +version: 6 +date: '2024-05-24' author: David Dorsey, Splunk status: experimental type: Hunting -description: This search looks for the remote desktop process mstsc.exe running on - systems upon which it doesn't typically run. This is accomplished by filtering out - all systems that are noted in the `common_rdp_source category` in the Assets and - Identity framework. +description: The following analytic detects the execution of the remote desktop process + (mstsc.exe) on systems where it is not typically run. This detection leverages data + from Endpoint Detection and Response (EDR) agents, filtering out systems categorized + as common RDP sources. This activity is significant because unauthorized use of + mstsc.exe can indicate lateral movement or unauthorized remote access attempts. + If confirmed malicious, this could allow an attacker to gain remote control of a + system, potentially leading to data exfiltration, privilege escalation, or further + network compromise. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=*mstsc.exe AND Processes.dest_category!=common_rdp_source by Processes.dest Processes.user Processes.process | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` - | `drop_dm_object_name(Processes)` | `remote_desktop_process_running_on_system_filter` ' + | `drop_dm_object_name(Processes)` | `remote_desktop_process_running_on_system_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, diff --git a/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell.yml b/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell.yml index 3c5cb34a1b..6f3ea167d8 100644 --- a/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell.yml +++ b/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell.yml @@ -1,15 +1,19 @@ name: Remote Process Instantiation via DCOM and PowerShell id: d4f42098-4680-11ec-ad07-3e22fbd008af -version: 1 -date: '2021-11-15' +version: 2 +date: '2024-05-20' author: Mauricio Velazco, Splunk status: production type: TTP -description: This analytic looks for the execution of `powershell.exe` with arguments - utilized to start a process on a remote endpoint by abusing the DCOM protocol. Specifically, - this search looks for the abuse of ShellExecute and ExecuteShellCommand. Red Teams - and adversaries alike may abuse DCOM and `powershell.exe` for lateral movement and - remote code execution. +description: The following analytic detects the execution of `powershell.exe` with + arguments used to start a process on a remote endpoint by abusing the DCOM protocol, + specifically targeting ShellExecute and ExecuteShellCommand. It leverages data from + Endpoint Detection and Response (EDR) agents, focusing on process names, parent + processes, and command-line executions. This activity is significant as it indicates + potential lateral movement and remote code execution attempts by adversaries. If + confirmed malicious, this could allow attackers to execute arbitrary code remotely, + escalate privileges, and move laterally within the network, posing a severe security + risk. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -70,6 +74,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.003/lateral_movement/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.003/lateral_movement/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell_script_block.yml b/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell_script_block.yml index 6932626dc4..555aea074b 100644 --- a/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell_script_block.yml +++ b/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell_script_block.yml @@ -1,15 +1,17 @@ name: Remote Process Instantiation via DCOM and PowerShell Script Block id: fa1c3040-4680-11ec-a618-3e22fbd008af -version: 2 -date: '2022-03-22' +version: 3 +date: '2024-05-12' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) - to identify the execution of PowerShell with arguments utilized to start a process - on a remote endpoint by abusing the DCOM protocol. Specifically, this search looks - for the abuse of ShellExecute and ExecuteShellCommand. Red Teams and adversaries - alike may abuse DCOM for lateral movement and remote code execution. +description: The following analytic detects the execution of PowerShell commands that + initiate a process on a remote endpoint via the DCOM protocol. It leverages PowerShell + Script Block Logging (EventCode=4104) to identify the use of ShellExecute and ExecuteShellCommand. + This activity is significant as it may indicate lateral movement or remote code + execution attempts by adversaries. If confirmed malicious, this behavior could allow + attackers to execute arbitrary code on remote systems, potentially leading to further + compromise and persistence within the network. data_source: - Powershell Script Block Logging 4104 search: '`powershell` EventCode=4104 (ScriptBlockText="*Document.Application.ShellExecute*" @@ -18,7 +20,8 @@ search: '`powershell` EventCode=4104 (ScriptBlockText="*Document.Application.She | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_process_instantiation_via_dcom_and_powershell_script_block_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup instructions - can be found https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. + can be found + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. known_false_positives: Administrators may leverage DCOM to start a process on remote systems, but this activity is usually limited to a small set of hosts or users. references: @@ -30,8 +33,8 @@ tags: asset_type: Endpoint confidence: 70 impact: 90 - message: A process was started on a remote endpoint from $Computer$ by abusing - WMI using PowerShell.exe + message: A process was started on a remote endpoint from $Computer$ by abusing WMI + using PowerShell.exe mitre_attack_id: - T1021 - T1021.003 @@ -55,6 +58,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement_psh/windows-powershell-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement_psh/windows-powershell-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell.yml b/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell.yml index 454db8a909..9e728ff016 100644 --- a/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell.yml +++ b/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell.yml @@ -1,15 +1,18 @@ name: Remote Process Instantiation via WinRM and PowerShell id: ba24cda8-4716-11ec-8009-3e22fbd008af -version: 1 -date: '2021-11-16' +version: 2 +date: '2024-05-14' author: Mauricio Velazco, Splunk status: production type: TTP -description: This analytic looks for the execution of `powershell.exe` with arguments - utilized to start a process on a remote endpoint by abusing the WinRM protocol. - Specifically, this search looks for the abuse of the `Invoke-Command` commandlet. - Red Teams and adversaries alike may abuse WinRM and `powershell.exe` for lateral - movement and remote code execution. +description: The following analytic detects the execution of `powershell.exe` with + arguments used to start a process on a remote endpoint via the WinRM protocol, specifically + targeting the `Invoke-Command` cmdlet. It leverages data from Endpoint Detection + and Response (EDR) agents, focusing on command-line executions and process telemetry. + This activity is significant as it may indicate lateral movement or remote code + execution attempts by adversaries. If confirmed malicious, this could allow attackers + to execute arbitrary code on remote systems, potentially leading to further compromise + and lateral spread within the network. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -71,6 +74,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement_psh/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement_psh/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell_script_block.yml b/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell_script_block.yml index 052592536f..1feea35a2e 100644 --- a/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell_script_block.yml +++ b/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell_script_block.yml @@ -1,15 +1,17 @@ name: Remote Process Instantiation via WinRM and PowerShell Script Block id: 7d4c618e-4716-11ec-951c-3e22fbd008af -version: 2 -date: '2022-03-22' +version: 3 +date: '2024-05-25' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) - to identify the execution of PowerShell with arguments utilized to start a process - on a remote endpoint by abusing the WinRM protocol. Specifically, this search looks - for the abuse of the `Invoke-Command` commandlet. Red Teams and adversaries alike - may abuse WinRM for lateral movement and remote code execution. +description: The following analytic detects the execution of PowerShell commands that + use the `Invoke-Command` cmdlet to start a process on a remote endpoint via the + WinRM protocol. It leverages PowerShell Script Block Logging (EventCode=4104) to + identify such activities. This behavior is significant as it may indicate lateral + movement or remote code execution attempts by adversaries. If confirmed malicious, + this activity could allow attackers to execute arbitrary code on remote systems, + potentially leading to further compromise and persistence within the network. data_source: - Powershell Script Block Logging 4104 search: '`powershell` EventCode=4104 (ScriptBlockText="*Invoke-Command*" AND ScriptBlockText="*-ComputerName*") @@ -18,7 +20,8 @@ search: '`powershell` EventCode=4104 (ScriptBlockText="*Invoke-Command*" AND Scr | `remote_process_instantiation_via_winrm_and_powershell_script_block_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup instructions - can be found https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. + can be found + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. known_false_positives: Administrators may leverage WinRM and `Invoke-Command` to start a process on remote systems for system administration or automation use cases. This activity is usually limited to a small set of hosts or users. In certain environments, @@ -58,6 +61,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement_psh/windows-powershell-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement_psh/windows-powershell-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/remote_process_instantiation_via_winrm_and_winrs.yml b/detections/endpoint/remote_process_instantiation_via_winrm_and_winrs.yml index 6046cee8c8..0e1089703d 100644 --- a/detections/endpoint/remote_process_instantiation_via_winrm_and_winrs.yml +++ b/detections/endpoint/remote_process_instantiation_via_winrm_and_winrs.yml @@ -1,14 +1,18 @@ name: Remote Process Instantiation via WinRM and Winrs id: 0dd296a2-4338-11ec-ba02-3e22fbd008af -version: 1 -date: '2021-11-11' +version: 2 +date: '2024-05-16' author: Mauricio Velazco, Splunk status: production type: TTP -description: This analytic looks for the execution of `winrs.exe` with command-line - arguments utilized to start a process on a remote endpoint. Red Teams and adversaries - alike may abuse the WinRM protocol and this binary for lateral movement and remote - code execution. +description: The following analytic detects the execution of `winrs.exe` with command-line + arguments used to start a process on a remote endpoint. It leverages data from Endpoint + Detection and Response (EDR) agents, focusing on process names and command-line + executions mapped to the `Processes` node of the `Endpoint` data model. This activity + is significant as it may indicate lateral movement or remote code execution attempts + by adversaries. If confirmed malicious, this could allow attackers to execute arbitrary + code on remote systems, potentially leading to further compromise and lateral spread + within the network. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -69,6 +73,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell.yml b/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell.yml index 1813496fa8..66811ce7f8 100644 --- a/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell.yml +++ b/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell.yml @@ -1,14 +1,17 @@ name: Remote Process Instantiation via WMI and PowerShell id: 112638b4-4634-11ec-b9ab-3e22fbd008af -version: 1 -date: '2021-11-15' +version: 2 +date: '2024-05-17' author: Mauricio Velazco, Splunk status: production type: TTP -description: This analytic looks for the execution of `powershell.exe` leveraging - the `Invoke-WmiMethod` commandlet complemented with arguments utilized to start - a process on a remote endpoint by abusing WMI. Red Teams and adversaries alike may - abuse WMI and `powershell.exe` for lateral movement and remote code execution. +description: The following analytic detects the execution of `powershell.exe` using + the `Invoke-WmiMethod` cmdlet to start a process on a remote endpoint via WMI. It + leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line + executions and process telemetry. This activity is significant as it indicates potential + lateral movement or remote code execution attempts by adversaries. If confirmed + malicious, this could allow attackers to execute arbitrary code on remote systems, + leading to further compromise and persistence within the network. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -69,6 +72,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/lateral_movement/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/lateral_movement/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell_script_block.yml b/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell_script_block.yml index 8d36d3b172..110e6db09a 100644 --- a/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell_script_block.yml +++ b/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell_script_block.yml @@ -1,14 +1,18 @@ name: Remote Process Instantiation via WMI and PowerShell Script Block id: 2a048c14-4634-11ec-a618-3e22fbd008af -version: 2 -date: '2022-11-15' +version: 3 +date: '2024-05-14' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) - to identify the execution of the `Invoke-WmiMethod` commandlet with arguments utilized - to start a process on a remote endpoint by abusing WMI. Red Teams and adversaries - alike may abuse WMI and this commandlet for lateral movement and remote code execution. +description: The following analytic detects the execution of the `Invoke-WmiMethod` + commandlet with parameters used to start a process on a remote endpoint via WMI, + leveraging PowerShell Script Block Logging (EventCode=4104). This method identifies + specific script block text patterns associated with remote process instantiation. + This activity is significant as it may indicate lateral movement or remote code + execution attempts by adversaries. If confirmed malicious, this could allow attackers + to execute arbitrary code on remote systems, potentially leading to further compromise + and persistence within the network. data_source: - Powershell Script Block Logging 4104 search: '`powershell` EventCode=4104 ScriptBlockText="*Invoke-WmiMethod*" AND (ScriptBlockText="*-CN*" @@ -18,7 +22,8 @@ search: '`powershell` EventCode=4104 ScriptBlockText="*Invoke-WmiMethod*" AND (S | `security_content_ctime(lastTime)` | `remote_process_instantiation_via_wmi_and_powershell_script_block_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup instructions - can be found https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. + can be found + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. known_false_positives: Administrators may leverage WWMI and powershell.exe to start a process on remote systems, but this activity is usually limited to a small set of hosts or users. @@ -31,8 +36,8 @@ tags: asset_type: Endpoint confidence: 70 impact: 90 - message: A process was started on a remote endpoint from $Computer$ by abusing - WMI using PowerShell.exe + message: A process was started on a remote endpoint from $Computer$ by abusing WMI + using PowerShell.exe mitre_attack_id: - T1047 observable: @@ -55,6 +60,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/lateral_movement/wmi_remote_process_powershell.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/lateral_movement/wmi_remote_process_powershell.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational - sourcetype: XmlWinEventLog \ No newline at end of file + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/remote_system_discovery_with_adsisearcher.yml b/detections/endpoint/remote_system_discovery_with_adsisearcher.yml index 9562bb28e7..5887b1fb3b 100644 --- a/detections/endpoint/remote_system_discovery_with_adsisearcher.yml +++ b/detections/endpoint/remote_system_discovery_with_adsisearcher.yml @@ -1,20 +1,25 @@ name: Remote System Discovery with Adsisearcher id: 70803451-0047-4e12-9d63-77fa7eb8649c -version: 2 -date: '2022-06-29' +version: 3 +date: '2024-05-09' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) - to identify the `[Adsisearcher]` type accelerator being used to query Active Directory - for domain computers. Red Teams and adversaries may leverage `[Adsisearcher]` to - enumerate domain computers for situational awareness and Active Directory Discovery. +description: The following analytic detects the use of the `[Adsisearcher]` type accelerator + in PowerShell scripts to query Active Directory for domain computers. It leverages + PowerShell Script Block Logging (EventCode=4104) to identify specific script blocks + containing `adsisearcher` and `objectcategory=computer` with methods like `findAll()` + or `findOne()`. This activity is significant as it may indicate an attempt by adversaries + or Red Teams to perform Active Directory discovery and gain situational awareness. + If confirmed malicious, this could lead to further reconnaissance and potential + lateral movement within the network. data_source: - Powershell Script Block Logging 4104 search: '`powershell` EventCode=4104 ScriptBlockText = "*adsisearcher*" AND ScriptBlockText = "*objectcategory=computer*" AND ScriptBlockText IN ("*findAll()*","*findOne()*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText - Computer UserID | rename Computer as dest |rename UserID as user | `security_content_ctime(firstTime)` | `remote_system_discovery_with_adsisearcher_filter`' + Computer UserID | rename Computer as dest |rename UserID as user | `security_content_ctime(firstTime)` + | `remote_system_discovery_with_adsisearcher_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. @@ -51,6 +56,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/adsisearcher-powershell.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/adsisearcher-powershell.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/remote_system_discovery_with_dsquery.yml b/detections/endpoint/remote_system_discovery_with_dsquery.yml index 1ba2b5cdf5..bf994244b3 100644 --- a/detections/endpoint/remote_system_discovery_with_dsquery.yml +++ b/detections/endpoint/remote_system_discovery_with_dsquery.yml @@ -1,15 +1,18 @@ name: Remote System Discovery with Dsquery id: 9fb562f4-42f8-4139-8e11-a82edf7ed718 -version: 1 -date: '2021-08-31' +version: 2 +date: '2024-05-13' author: Mauricio Velazco, Splunk status: production type: Hunting -description: This analytic looks for the execution of `dsquery.exe` with command-line - arguments utilized to discover remote systems. The `computer` argument returns a - list of all computers registered in the domain. Red Teams and adversaries alike - engage in remote system discovery for situational awareness and Active Directory - Discovery. +description: The following analytic detects the execution of `dsquery.exe` with the + `computer` argument, which is used to discover remote systems within a domain. This + detection leverages data from Endpoint Detection and Response (EDR) agents, focusing + on process names and command-line arguments. Remote system discovery is significant + as it indicates potential reconnaissance activities by adversaries or Red Teams + to map out network resources and Active Directory structures. If confirmed malicious, + this activity could lead to further exploitation, lateral movement, and unauthorized + access to critical systems within the network. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -66,6 +69,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/remote_system_discovery_with_net.yml b/detections/endpoint/remote_system_discovery_with_net.yml index 1cb7a63c7d..d77e2c716b 100644 --- a/detections/endpoint/remote_system_discovery_with_net.yml +++ b/detections/endpoint/remote_system_discovery_with_net.yml @@ -1,15 +1,18 @@ name: Remote System Discovery with Net id: 9df16706-04a2-41e2-bbfe-9b38b34409d3 -version: 1 -date: '2021-08-30' +version: 2 +date: '2024-05-12' author: Mauricio Velazco, Splunk status: production type: Hunting -description: This analytic looks for the execution of `net.exe` or `net1.exe` with - command-line arguments utilized to discover remote systems. The argument `domain - computers /domain` returns a list of all domain computers. Red Teams and adversaries - alike use net.exe to identify remote systems for situational awareness and Active - Directory Discovery. +description: The following analytic identifies the execution of `net.exe` or `net1.exe` + with command-line arguments used to discover remote systems, such as `domain computers + /domain`. This detection leverages data from Endpoint Detection and Response (EDR) + agents, focusing on process names and command-line arguments. This activity is significant + as it indicates potential reconnaissance efforts by adversaries or Red Teams to + map out networked systems and Active Directory structures. If confirmed malicious, + this behavior could lead to further network exploitation, privilege escalation, + or lateral movement within the environment. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -68,6 +71,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/remote_system_discovery_with_wmic.yml b/detections/endpoint/remote_system_discovery_with_wmic.yml index 30d203e423..5615606282 100644 --- a/detections/endpoint/remote_system_discovery_with_wmic.yml +++ b/detections/endpoint/remote_system_discovery_with_wmic.yml @@ -1,15 +1,18 @@ name: Remote System Discovery with Wmic id: d82eced3-b1dc-42ab-859e-a2fc98827359 -version: 1 -date: '2021-09-01' +version: 2 +date: '2024-05-24' author: Mauricio Velazco, Splunk status: production type: TTP -description: This analytic looks for the execution of `wmic.exe` with command-line - arguments utilized to discover remote systems. The arguments utilized in this command - return a list of all the systems registered in the domain. Red Teams and adversaries - alike may leverage WMI and wmic.exe to identify remote systems for situational awareness - and Active Directory Discovery. +description: The following analytic detects the execution of `wmic.exe` with specific + command-line arguments used to discover remote systems within a domain. It leverages + data from Endpoint Detection and Response (EDR) agents, focusing on process names + and command-line executions. This activity is significant as it indicates potential + reconnaissance efforts by adversaries to map out network resources and Active Directory + structures. If confirmed malicious, this behavior could allow attackers to gain + situational awareness, identify critical systems, and plan further attacks, potentially + leading to unauthorized access and data exfiltration. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -67,6 +70,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/remote_wmi_command_attempt.yml b/detections/endpoint/remote_wmi_command_attempt.yml index b8b2f9308f..ce1fd3e8a3 100644 --- a/detections/endpoint/remote_wmi_command_attempt.yml +++ b/detections/endpoint/remote_wmi_command_attempt.yml @@ -1,15 +1,17 @@ name: Remote WMI Command Attempt id: 272df6de-61f1-4784-877c-1fbc3e2d0838 -version: 4 -date: '2023-12-27' +version: 5 +date: '2024-05-17' author: Rico Valdez, Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies usage of `wmic.exe` spawning a local - or remote process, identified by the `node` switch. During triage, review parallel - processes for additional commands executed. Look for any file modifications before - and after `wmic.exe` execution. In addition, identify the remote endpoint and confirm - execution or file modifications. Contain and isolate the endpoint as needed. +description: The following analytic detects the execution of `wmic.exe` with the `node` + switch, indicating an attempt to spawn a local or remote process. This detection + leverages data from Endpoint Detection and Response (EDR) agents, focusing on process + creation events and command-line arguments. This activity is significant as it may + indicate lateral movement or remote code execution attempts by an attacker. If confirmed + malicious, the attacker could gain remote control over the targeted system, execute + arbitrary commands, and potentially escalate privileges or persist within the environment. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -74,6 +76,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/resize_shadowstorage_volume.yml b/detections/endpoint/resize_shadowstorage_volume.yml index 6af005c6b2..1ac224b41a 100644 --- a/detections/endpoint/resize_shadowstorage_volume.yml +++ b/detections/endpoint/resize_shadowstorage_volume.yml @@ -1,16 +1,18 @@ name: Resize ShadowStorage volume id: bc760ca6-8336-11eb-bcbb-acde48001122 -version: 1 -date: '2021-03-12' +version: 2 +date: '2024-05-13' author: Teoderick Contreras status: production type: TTP -description: The following analytics identifies the resizing of shadowstorage by ransomware - malware to avoid the shadow volumes being made again. this technique is an alternative - by ransomware attacker than deleting the shadowstorage which is known alert in defensive - team. one example of ransomware that use this technique is CLOP ransomware where - it drops a .bat file that will resize the shadowstorage to minimum size as much - as possible +description: The following analytic identifies the resizing of shadow storage volumes, + a technique used by ransomware like CLOP to prevent the recreation of shadow volumes. + This detection leverages data from Endpoint Detection and Response (EDR) agents, + focusing on command-line executions involving "vssadmin.exe" with parameters related + to resizing shadow storage. This activity is significant as it indicates an attempt + to hinder recovery efforts by manipulating shadow copies. If confirmed malicious, + this could lead to successful ransomware deployment, making data recovery difficult + and increasing the potential for data loss. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` values(Processes.process) as cmdline @@ -76,6 +78,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_a/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_a/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/revil_registry_entry.yml b/detections/endpoint/revil_registry_entry.yml index 95a4bd5255..82977a8971 100644 --- a/detections/endpoint/revil_registry_entry.yml +++ b/detections/endpoint/revil_registry_entry.yml @@ -1,15 +1,19 @@ name: Revil Registry Entry id: e3d3f57a-c381-11eb-9e35-acde48001122 -version: 3 -date: '2022-11-14' +version: 4 +date: '2024-05-24' author: Steven Dick, Teoderick Contreras, Splunk status: production type: TTP -description: This analytic identifies suspicious modification in registry entry to - keep some malware data during its infection. This technique seen in several apt - implant, malware and ransomware like REVIL where it keep some information like the - random generated file extension it uses for all the encrypted files and ransomware - notes file name in the compromised host. +description: The following analytic identifies suspicious modifications in the registry + entry, specifically targeting paths used by malware like REVIL. It detects changes + in registry paths such as `SOFTWARE\\WOW6432Node\\Facebook_Assistant` and `SOFTWARE\\WOW6432Node\\BlackLivesMatter`. + This detection leverages data from Endpoint Detection and Response (EDR) agents, + focusing on registry modifications linked to process GUIDs. This activity is significant + as it indicates potential malware persistence mechanisms, often used by advanced + persistent threats (APTs) and ransomware. If confirmed malicious, this could allow + attackers to maintain persistence, encrypt files, and store critical ransomware-related + information on compromised hosts. data_source: - Sysmon EventID 1 - Sysmon EventID 12 @@ -87,6 +91,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/revil/inf1/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/revil/inf1/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/rubeus_command_line_parameters.yml b/detections/endpoint/rubeus_command_line_parameters.yml index 429a72145a..b091b3a554 100644 --- a/detections/endpoint/rubeus_command_line_parameters.yml +++ b/detections/endpoint/rubeus_command_line_parameters.yml @@ -1,19 +1,18 @@ name: Rubeus Command Line Parameters id: cca37478-8377-11ec-b59a-acde48001122 -version: 1 -date: '2023-12-27' +version: 2 +date: '2024-05-14' author: Mauricio Velazco, Splunk status: production type: TTP -description: Rubeus is a C# toolset for raw Kerberos interaction and abuses. It is - heavily adapted from Benjamin Delpys Kekeo project and Vincent LE TOUXs MakeMeEnterpriseAdmin - project. This analytic looks for the use of Rubeus command line arguments utilized - in common Kerberos attacks like exporting and importing tickets, forging silver - and golden tickets, requesting a TGT or TGS, kerberoasting, password spraying, etc. - Red teams and adversaries alike use Rubeus for Kerberos attacks within Active Directory - networks. Defenders should be aware that adversaries may customize the source code - of Rubeus and modify the command line parameters. This would effectively bypass - this analytic. +description: The following analytic detects the use of Rubeus command line parameters, + a toolset for Kerberos attacks within Active Directory environments. It leverages + Endpoint Detection and Response (EDR) data to identify specific command-line arguments + associated with actions like ticket manipulation, kerberoasting, and password spraying. + This activity is significant as Rubeus is commonly used by adversaries to exploit + Kerberos for privilege escalation and lateral movement. If confirmed malicious, + this could lead to unauthorized access, persistence, and potential compromise of + sensitive information within the network. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -90,6 +89,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550.003/rubeus/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550.003/rubeus/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/rubeus_kerberos_ticket_exports_through_winlogon_access.yml b/detections/endpoint/rubeus_kerberos_ticket_exports_through_winlogon_access.yml index 4c93aff19c..4b8c89fca1 100644 --- a/detections/endpoint/rubeus_kerberos_ticket_exports_through_winlogon_access.yml +++ b/detections/endpoint/rubeus_kerberos_ticket_exports_through_winlogon_access.yml @@ -1,20 +1,18 @@ name: Rubeus Kerberos Ticket Exports Through Winlogon Access id: 5ed8c50a-8869-11ec-876f-acde48001122 -version: 1 -date: '2023-12-27' +version: 2 +date: '2024-05-27' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic looks for a process accessing the winlogon.exe - system process. The Splunk Threat Research team identified this behavior when using - the Rubeus tool to monitor for and export kerberos tickets from memory. Before being - able to export tickets. Rubeus will try to escalate privileges to SYSTEM by obtaining - a handle to winlogon.exe before trying to monitor for kerberos tickets. Exporting - tickets from memory is typically the first step for pass the ticket attacks. Red - teams and adversaries alike may use the pass the ticket technique using stolen Kerberos - tickets to move laterally within an environment, bypassing normal system access - controls. Defenders should be aware that adversaries may customize the source code - of Rubeus to potentially bypass this analytic. +description: The following analytic detects a process accessing the winlogon.exe system + process, indicative of the Rubeus tool attempting to export Kerberos tickets from + memory. This detection leverages Sysmon EventCode 10 logs, focusing on processes + obtaining a handle to winlogon.exe with specific access rights. This activity is + significant as it often precedes pass-the-ticket attacks, where adversaries use + stolen Kerberos tickets to move laterally within an environment. If confirmed malicious, + this could allow attackers to bypass normal access controls, escalate privileges, + and persist within the network, posing a severe security risk. data_source: - Sysmon EventID 10 search: ' `sysmon` EventCode=10 TargetImage=C:\\Windows\\system32\\winlogon.exe (GrantedAccess=0x1f3fff) @@ -73,6 +71,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550.003/rubeus/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550.003/rubeus/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/runas_execution_in_commandline.yml b/detections/endpoint/runas_execution_in_commandline.yml index 1c97c663ba..5325220d71 100644 --- a/detections/endpoint/runas_execution_in_commandline.yml +++ b/detections/endpoint/runas_execution_in_commandline.yml @@ -1,16 +1,18 @@ name: Runas Execution in CommandLine id: 4807e716-43a4-11ec-a0e7-acde48001122 -version: 1 -date: '2023-04-14' +version: 2 +date: '2024-05-30' author: Teoderick Contreras, Splunk status: production type: Hunting -description: This analytic look for a spawned runas.exe process with a administrator - user option parameter. This parameter was abused by adversaries, malware author - or even red teams to gain elevated privileges in target host. This is a good hunting - query to figure out privilege escalation tactics that may used for different stages - like lateral movement but take note that administrator may use this command in purpose - so its better to see other event context before and after this analytic. +description: The following analytic detects the execution of the runas.exe process + with administrator user options. It leverages data from Endpoint Detection and Response + (EDR) agents, focusing on command-line executions and process details. This activity + is significant as it may indicate an attempt to gain elevated privileges, a common + tactic in privilege escalation and lateral movement. If confirmed malicious, this + could allow an attacker to execute commands with higher privileges, potentially + leading to unauthorized access, data exfiltration, or further compromise of the + target host. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -69,6 +71,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/vilsel/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/vilsel/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/rundll32_control_rundll_hunt.yml b/detections/endpoint/rundll32_control_rundll_hunt.yml index 9384003e18..48b89e8052 100644 --- a/detections/endpoint/rundll32_control_rundll_hunt.yml +++ b/detections/endpoint/rundll32_control_rundll_hunt.yml @@ -1,17 +1,18 @@ name: Rundll32 Control RunDLL Hunt id: c8e7ced0-10c5-11ec-8b03-acde48001122 -version: 1 -date: '2021-09-08' +version: 2 +date: '2024-05-23' author: Michael Haag, Splunk status: production type: Hunting -description: The following hunting detection identifies rundll32.exe with `control_rundll` - within the command-line, loading a .cpl or another file type. Developed in relation - to CVE-2021-40444. Rundll32.exe can also be used to execute Control Panel Item files - (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. - Double-clicking a .cpl file also causes rundll32.exe to execute. \ This is written - to be a bit more broad by not including .cpl. \ During triage, review parallel processes - to identify any further suspicious behavior. +description: The following analytic identifies instances of rundll32.exe executing + with `Control_RunDLL` in the command line, which is indicative of loading a .cpl + or other file types. This detection leverages data from Endpoint Detection and Response + (EDR) agents, focusing on process execution logs and command-line arguments. This + activity is significant as rundll32.exe can be exploited to execute malicious Control + Panel Item files, potentially linked to CVE-2021-40444. If confirmed malicious, + this could allow attackers to execute arbitrary code, escalate privileges, or maintain + persistence within the environment. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -91,6 +92,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.002/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.002/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/rundll32_control_rundll_world_writable_directory.yml b/detections/endpoint/rundll32_control_rundll_world_writable_directory.yml index 51cfaa13f4..553eb513a4 100644 --- a/detections/endpoint/rundll32_control_rundll_world_writable_directory.yml +++ b/detections/endpoint/rundll32_control_rundll_world_writable_directory.yml @@ -1,18 +1,18 @@ name: Rundll32 Control RunDLL World Writable Directory id: 1adffe86-10c3-11ec-8ce6-acde48001122 -version: 1 -date: '2021-09-08' +version: 2 +date: '2024-05-28' author: Michael Haag, Splunk status: production type: TTP -description: The following detection identifies rundll32.exe with `control_rundll` - within the command-line, loading a .cpl or another file type from windows\temp, - programdata, or appdata. Developed in relation to CVE-2021-40444. Rundll32.exe can - also be used to execute Control Panel Item files (.cpl) through the undocumented - shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a - .cpl file also causes rundll32.exe to execute. This is written to be a bit more - broad by not including .cpl. The paths are specified, add more as needed. During - triage, review parallel processes to identify any further suspicious behavior. +description: The following analytic detects the execution of rundll32.exe with the + `Control_RunDLL` command, loading files from world-writable directories such as + windows\temp, programdata, or appdata. This detection leverages Endpoint Detection + and Response (EDR) telemetry, focusing on process command-line data and specific + directory paths. This activity is significant as it may indicate an attempt to exploit + CVE-2021-40444 or similar vulnerabilities, allowing attackers to execute arbitrary + code. If confirmed malicious, this could lead to unauthorized code execution, privilege + escalation, or persistent access within the environment. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -93,6 +93,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.002/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.002/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/rundll32_create_remote_thread_to_a_process.yml b/detections/endpoint/rundll32_create_remote_thread_to_a_process.yml index ff39487b58..cfc70b8712 100644 --- a/detections/endpoint/rundll32_create_remote_thread_to_a_process.yml +++ b/detections/endpoint/rundll32_create_remote_thread_to_a_process.yml @@ -1,14 +1,17 @@ name: Rundll32 Create Remote Thread To A Process id: 2dbeee3a-f067-11eb-96c0-acde48001122 -version: 1 -date: '2021-07-29' +version: 2 +date: '2024-05-29' author: Teoderick Contreras, Splunk status: production type: TTP -description: This analytic identifies the suspicious Remote Thread execution of rundll32.exe - to any process. This technique was seen in IcedID malware to execute its malicious - code in normal process for defense evasion and to steal sensitive information in - the compromised host. +description: The following analytic detects the creation of a remote thread by rundll32.exe + into another process. It leverages Sysmon EventCode 8 logs, specifically monitoring + SourceImage and TargetImage fields. This activity is significant as it is a common + technique used by malware, such as IcedID, to execute malicious code within legitimate + processes, aiding in defense evasion and data theft. If confirmed malicious, this + behavior could allow an attacker to execute arbitrary code, escalate privileges, + and exfiltrate sensitive information from the compromised host. data_source: - Sysmon EventID 8 search: '`sysmon` EventCode=8 SourceImage = "*\\rundll32.exe" TargetImage = "*.exe" @@ -60,6 +63,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/inf_icedid/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/inf_icedid/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/rundll32_createremotethread_in_browser.yml b/detections/endpoint/rundll32_createremotethread_in_browser.yml index b8125e6c4a..dd4d0665e3 100644 --- a/detections/endpoint/rundll32_createremotethread_in_browser.yml +++ b/detections/endpoint/rundll32_createremotethread_in_browser.yml @@ -1,14 +1,18 @@ name: Rundll32 CreateRemoteThread In Browser id: f8a22586-ee2d-11eb-a193-acde48001122 -version: 1 -date: '2021-07-26' +version: 2 +date: '2024-05-11' author: Teoderick Contreras, Splunk status: production type: TTP -description: This analytic identifies the suspicious Remote Thread execution of rundll32.exe - process to "firefox.exe" and "chrome.exe" browser. This technique was seen in IcedID - malware where it hooks the browser to parse banking information as user used the - targetted browser process. +description: The following analytic detects the suspicious creation of a remote thread + by rundll32.exe targeting browser processes such as firefox.exe, chrome.exe, iexplore.exe, + and microsoftedgecp.exe. This detection leverages Sysmon EventCode 8, focusing on + SourceImage and TargetImage fields to identify the behavior. This activity is significant + as it is commonly associated with malware like IcedID, which hooks browsers to steal + sensitive information such as banking details. If confirmed malicious, this could + allow attackers to intercept and exfiltrate sensitive user data, leading to potential + financial loss and privacy breaches. data_source: - Sysmon EventID 8 search: '`sysmon` EventCode=8 SourceImage = "*\\rundll32.exe" TargetImage IN ("*\\firefox.exe", @@ -61,6 +65,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/inf_icedid/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/inf_icedid/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/rundll32_dnsquery.yml b/detections/endpoint/rundll32_dnsquery.yml index 0f5f1f30be..e0b2bb34a2 100644 --- a/detections/endpoint/rundll32_dnsquery.yml +++ b/detections/endpoint/rundll32_dnsquery.yml @@ -1,20 +1,25 @@ name: Rundll32 DNSQuery id: f1483f5e-ee29-11eb-9d23-acde48001122 -version: 2 -date: '2022-02-18' +version: 3 +date: '2024-05-14' author: Teoderick Contreras, Splunk status: production type: TTP -description: This search is to detect a suspicious rundll32.exe process having a http - connection and do a dns query in some web domain. This technique was seen in IcedID - malware where the rundll32 that execute its payload will contact amazon.com to check - internet connect and to communicate to its C&C server to download config and other - file component. +description: The following analytic detects a suspicious `rundll32.exe` process making + HTTP connections and performing DNS queries to web domains. It leverages Sysmon + EventCode 22 logs to identify these activities. This behavior is significant as + it is commonly associated with IcedID malware, where `rundll32.exe` checks internet + connectivity and communicates with C&C servers to download configurations and other + components. If confirmed malicious, this activity could allow attackers to establish + persistence, download additional payloads, and exfiltrate sensitive data, posing + a severe threat to the network. data_source: - Sysmon EventID 22 search: '`sysmon` EventCode=22 process_name="rundll32.exe" | stats count min(_time) - as firstTime max(_time) as lastTime values(query) as query values(answer) as answer values(QueryResults) as query_results values(QueryStatus) as query_status by process_name process_guid Computer | rename Computer as dest - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_dnsquery_filter`' + as firstTime max(_time) as lastTime values(query) as query values(answer) as answer + values(QueryResults) as query_results values(QueryStatus) as query_status by process_name + process_guid Computer | rename Computer as dest | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `rundll32_dnsquery_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and eventcode = 22 dnsquery executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. @@ -29,7 +34,8 @@ tags: asset_type: Endpoint confidence: 80 impact: 70 - message: rundll32 process $process_name$ made a DNS query for $query$ from host $dest$ + message: rundll32 process $process_name$ made a DNS query for $query$ from host + $dest$ mitre_attack_id: - T1218 - T1218.011 @@ -58,6 +64,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/inf_icedid/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/inf_icedid/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/rundll32_lockworkstation.yml b/detections/endpoint/rundll32_lockworkstation.yml index 625ed9df2b..72b774ccfa 100644 --- a/detections/endpoint/rundll32_lockworkstation.yml +++ b/detections/endpoint/rundll32_lockworkstation.yml @@ -1,14 +1,17 @@ name: Rundll32 LockWorkStation id: fa90f372-f91d-11eb-816c-acde48001122 -version: 2 -date: '2021-08-09' +version: 3 +date: '2024-05-19' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This search is to detect a suspicious rundll32 commandline to lock the - workstation through command line. This technique was seen in CONTI leak tooling - and script as part of its defense evasion. This technique is not a common practice - to lock a screen and maybe a good indicator of compromise. +description: The following analytic detects the execution of the rundll32.exe command + with the user32.dll,LockWorkStation parameter, which is used to lock the workstation + via command line. This detection leverages data from Endpoint Detection and Response + (EDR) agents, focusing on process names and command-line executions. This activity + is significant as it is an uncommon method to lock a screen and has been observed + in CONTI ransomware tooling for defense evasion. If confirmed malicious, this technique + could indicate an attempt to evade detection and hinder incident response efforts. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -67,6 +70,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/conti/conti_leak/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/conti/conti_leak/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/rundll32_process_creating_exe_dll_files.yml b/detections/endpoint/rundll32_process_creating_exe_dll_files.yml index 66aeabbbb0..57f71e63ee 100644 --- a/detections/endpoint/rundll32_process_creating_exe_dll_files.yml +++ b/detections/endpoint/rundll32_process_creating_exe_dll_files.yml @@ -1,22 +1,23 @@ name: Rundll32 Process Creating Exe Dll Files id: 6338266a-ee2a-11eb-bf68-acde48001122 -version: 2 -date: '2023-11-07' +version: 3 +date: '2024-05-22' author: Teoderick Contreras, Splunk status: production type: TTP -description: This search is to detect a suspicious rundll32 process that drops executable - (.exe or .dll) files. This behavior seen in rundll32 process of IcedID that tries - to drop copy of itself in temp folder or download executable drop it either appdata - or programdata as part of its execution. +description: The following analytic detects a rundll32 process creating executable + (.exe) or dynamic link library (.dll) files. It leverages Sysmon EventCode 11 to + identify instances where rundll32.exe generates these file types. This activity + is significant because rundll32 is often exploited by malware, such as IcedID, to + drop malicious payloads in directories like Temp, AppData, or ProgramData. If confirmed + malicious, this behavior could allow an attacker to execute arbitrary code, establish + persistence, or escalate privileges within the environment. data_source: - Sysmon EventID 11 -search: '`sysmon` EventCode=11 Image="*rundll32.exe" TargetFilename IN ("*.exe", "*.dll") - | stats count min(_time) as firstTime max(_time) as lastTime by Image TargetFilename Computer - | rename Computer as dest | rename TargetFilename as file_name - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `rundll32_process_creating_exe_dll_files_filter`' +search: '`sysmon` EventCode=11 Image="*rundll32.exe" TargetFilename IN ("*.exe", "*.dll") + | stats count min(_time) as firstTime max(_time) as lastTime by Image TargetFilename + Computer | rename Computer as dest | rename TargetFilename as file_name | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `rundll32_process_creating_exe_dll_files_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, TargetFilename, and eventcode 11 executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the @@ -60,6 +61,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/inf_icedid/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/inf_icedid/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/rundll32_shimcache_flush.yml b/detections/endpoint/rundll32_shimcache_flush.yml index 42d2172559..b942853036 100644 --- a/detections/endpoint/rundll32_shimcache_flush.yml +++ b/detections/endpoint/rundll32_shimcache_flush.yml @@ -1,15 +1,17 @@ name: Rundll32 Shimcache Flush id: a913718a-25b6-11ec-96d3-acde48001122 -version: 1 -date: '2021-10-05' +version: 2 +date: '2024-05-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: This analytic is to detect a suspicious rundll32 commandline to clear - shim cache. This technique is a anti-forensic technique to clear the cache taht - are one important artifacts in terms of digital forensic during attacks or incident. - This TTP is a good indicator that someone tries to evade some tools and clear foothold - on the machine. +description: The following analytic detects the execution of a suspicious rundll32 + command line used to clear the shim cache. It leverages data from Endpoint Detection + and Response (EDR) agents, focusing on process execution logs and command-line arguments. + This activity is significant because clearing the shim cache is an anti-forensic + technique aimed at evading detection and removing forensic artifacts. If confirmed + malicious, this action could hinder incident response efforts, allowing an attacker + to cover their tracks and maintain persistence on the compromised machine. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -71,6 +73,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/shimcache_flush/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/shimcache_flush/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/rundll32_with_no_command_line_arguments_with_network.yml b/detections/endpoint/rundll32_with_no_command_line_arguments_with_network.yml index c742b3a016..45e5287cbb 100644 --- a/detections/endpoint/rundll32_with_no_command_line_arguments_with_network.yml +++ b/detections/endpoint/rundll32_with_no_command_line_arguments_with_network.yml @@ -1,17 +1,18 @@ name: Rundll32 with no Command Line Arguments with Network id: 35307032-a12d-11eb-835f-acde48001122 -version: 4 -date: '2023-07-10' +version: 5 +date: '2024-05-21' author: Steven Dick, Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies rundll32.exe with no command line arguments - and performing a network connection. It is unusual for rundll32.exe to execute with - no command line arguments present. This particular behavior is common with malicious - software, including Cobalt Strike. During investigation, triage any network connections - and parallel processes. Identify any suspicious module loads related to credential - dumping or file writes. Rundll32.exe is natively found in C:\Windows\system32 and - C:\Windows\syswow64. +description: The following analytic detects the execution of rundll32.exe without + command line arguments, followed by a network connection. This behavior is identified + using Endpoint Detection and Response (EDR) telemetry and network traffic data. + It is significant because rundll32.exe typically requires arguments to function, + and its absence is often associated with malicious activity, such as Cobalt Strike. + If confirmed malicious, this activity could indicate an attempt to establish unauthorized + network connections, potentially leading to data exfiltration or further compromise + of the system. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -88,6 +89,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/rundll_loading_dll_by_ordinal.yml b/detections/endpoint/rundll_loading_dll_by_ordinal.yml index c67c2be719..0bb925c509 100644 --- a/detections/endpoint/rundll_loading_dll_by_ordinal.yml +++ b/detections/endpoint/rundll_loading_dll_by_ordinal.yml @@ -1,16 +1,17 @@ name: RunDLL Loading DLL By Ordinal id: 6c135f8d-5e60-454e-80b7-c56eed739833 -version: 6 -date: '2022-02-08' +version: 7 +date: '2024-05-20' author: Michael Haag, David Dorsey, Splunk status: production type: TTP -description: The following analytic identifies rundll32.exe loading an export function - by ordinal value. Adversaries may abuse rundll32.exe to proxy execution of malicious - code. Using rundll32.exe, vice executing directly, may avoid triggering security - tools that may not monitor execution of the rundll32.exe process because of allowlists - or false positives from normal operations. Utilizing ordinal values makes it a bit - more complicated for analysts to understand the behavior until the DLL is reviewed. +description: The following analytic detects rundll32.exe loading a DLL export function + by ordinal value. It leverages data from Endpoint Detection and Response (EDR) agents, + focusing on process command-line executions. This behavior is significant because + adversaries may use rundll32.exe to execute malicious code while evading security + tools that do not monitor this process. If confirmed malicious, this activity could + allow attackers to execute arbitrary code, potentially leading to system compromise, + privilege escalation, or persistent access within the environment. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` values(Processes.process) as process @@ -81,6 +82,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/atomic_red_team/ordinal_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/atomic_red_team/ordinal_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/ryuk_wake_on_lan_command.yml b/detections/endpoint/ryuk_wake_on_lan_command.yml index c932d6d394..9128468dea 100644 --- a/detections/endpoint/ryuk_wake_on_lan_command.yml +++ b/detections/endpoint/ryuk_wake_on_lan_command.yml @@ -1,19 +1,18 @@ name: Ryuk Wake on LAN Command id: 538d0152-7aaa-11eb-beaa-acde48001122 -version: 1 -date: '2021-03-01' +version: 2 +date: '2024-05-22' author: Michael Haag, Splunk status: production type: TTP -description: This Splunk query identifies the use of Wake-on-LAN utilized by Ryuk - ransomware. The Ryuk Ransomware uses the Wake-on-Lan feature to turn on powered - off devices on a compromised network to have greater success encrypting them. This - is a high fidelity indicator of Ryuk ransomware executing on an endpoint. Upon triage, - isolate the endpoint. Additional file modification events will be within the users - profile (\appdata\roaming) and in public directories (users\public\). Review all - Scheduled Tasks on the isolated endpoint and across the fleet. Suspicious Scheduled - Tasks will include a path to a unknown binary and those endpoints should be isolated - until triaged. +description: The following analytic detects the use of Wake-on-LAN commands associated + with Ryuk ransomware. It leverages data from Endpoint Detection and Response (EDR) + agents, focusing on specific process and command-line activities. This behavior + is significant as Ryuk ransomware uses Wake-on-LAN to power on devices in a compromised + network, increasing its encryption success rate. If confirmed malicious, this activity + could lead to widespread ransomware encryption across multiple endpoints, causing + significant operational disruption and data loss. Immediate isolation and thorough + investigation of the affected endpoints are crucial to mitigate the impact. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -75,6 +74,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.003/ryuk/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.003/ryuk/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/sam_database_file_access_attempt.yml b/detections/endpoint/sam_database_file_access_attempt.yml index 8d79d0659f..5f3e2f16c2 100644 --- a/detections/endpoint/sam_database_file_access_attempt.yml +++ b/detections/endpoint/sam_database_file_access_attempt.yml @@ -1,21 +1,24 @@ name: SAM Database File Access Attempt id: 57551656-ebdb-11eb-afdf-acde48001122 -version: 2 -date: '2024-04-26' +version: 3 +date: '2024-05-22' author: Michael Haag, Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic identifies access to SAM, SYSTEM or SECURITY databases' - within the file path of `windows\system32\config` using Windows Security EventCode - 4663. This particular behavior is related to credential access, an attempt to either - use a Shadow Copy or recent CVE-2021-36934 to access the SAM database. The Security - Account Manager (SAM) is a database file in Windows XP, Windows Vista, Windows 7, - 8.1 and 10 that stores users' passwords. +description: The following analytic detects attempts to access the SAM, SYSTEM, or + SECURITY database files within the `windows\system32\config` directory using Windows + Security EventCode 4663. This detection leverages Windows Security Event logs to + identify unauthorized access attempts. Monitoring this activity is crucial as it + indicates potential credential access attempts, possibly exploiting vulnerabilities + like CVE-2021-36934. If confirmed malicious, an attacker could extract user passwords, + leading to unauthorized access, privilege escalation, and further compromise of + the system. data_source: - Windows Event Log Security 4663 search: '`wineventlog_security` (EventCode=4663) ProcessName!=*\\dllhost.exe ObjectName IN ("*\\Windows\\System32\\config\\SAM*","*\\Windows\\System32\\config\\SYSTEM*","*\\Windows\\System32\\config\\SECURITY*") - | stats values(AccessList) count by ProcessName ObjectName dest src_user | rename ProcessName as process_name | `sam_database_file_access_attempt_filter`' + | stats values(AccessList) count by ProcessName ObjectName dest src_user | rename + ProcessName as process_name | `sam_database_file_access_attempt_filter`' how_to_implement: To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." @@ -39,7 +42,8 @@ tags: cve: - CVE-2021-36934 impact: 80 - message: The following process $process_name$ accessed the object $ObjectName$ attempting to gain access to credentials on $dest$ by user $src_user$. + message: The following process $process_name$ accessed the object $ObjectName$ attempting + to gain access to credentials on $dest$ by user $src_user$. mitre_attack_id: - T1003.002 - T1003 @@ -75,6 +79,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/serioussam/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/serioussam/windows-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/schcache_change_by_app_connect_and_create_adsi_object.yml b/detections/endpoint/schcache_change_by_app_connect_and_create_adsi_object.yml index d9ef5048db..3f1fd31caf 100644 --- a/detections/endpoint/schcache_change_by_app_connect_and_create_adsi_object.yml +++ b/detections/endpoint/schcache_change_by_app_connect_and_create_adsi_object.yml @@ -1,19 +1,18 @@ name: SchCache Change By App Connect And Create ADSI Object id: 991eb510-0fc6-11ec-82d3-acde48001122 -version: 1 -date: '2021-09-07' +version: 2 +date: '2024-05-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This analytic is to detect an application try to connect and create ADSI - Object to do LDAP query. Every time an application connects to the directory and - attempts to create an ADSI object, the Active Directory Schema is checked for changes. - If it has changed since the last connection, the schema is downloaded and stored - in a cache on the local computer either in %LOCALAPPDATA%\Microsoft\Windows\SchCache - or %systemroot%\SchCache. We found this a good anomaly use case to detect suspicious - application like blackmatter ransomware that use ADS object api to execute ldap - query. having a good list of ldap or normal AD query tool used within the network - is a good start to reduce the noise. +description: The following analytic detects an application attempting to connect and + create an ADSI object to perform an LDAP query. It leverages Sysmon EventCode 11 + to identify changes in the Active Directory Schema cache files located in %LOCALAPPDATA%\Microsoft\Windows\SchCache + or %systemroot%\SchCache. This activity is significant as it can indicate the presence + of suspicious applications, such as ransomware, using ADSI object APIs for LDAP + queries. If confirmed malicious, this behavior could allow attackers to gather sensitive + directory information, potentially leading to further exploitation or lateral movement + within the network. data_source: - Sysmon EventID 11 search: '`sysmon` EventCode=11 TargetFilename = "*\\Windows\\SchCache\\*" TargetFilename @@ -62,6 +61,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/blackmatter_schcache/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/blackmatter_schcache/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/schedule_task_with_http_command_arguments.yml b/detections/endpoint/schedule_task_with_http_command_arguments.yml index 2cddac2431..aaded3e025 100644 --- a/detections/endpoint/schedule_task_with_http_command_arguments.yml +++ b/detections/endpoint/schedule_task_with_http_command_arguments.yml @@ -1,17 +1,18 @@ name: Schedule Task with HTTP Command Arguments id: 523c2684-a101-11eb-916b-acde48001122 -version: 1 -date: '2023-04-05' +version: 2 +date: '2024-05-15' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the registration of suspicious tasks on Windows using the Windows Security EventCode 4698, "A scheduled task was created." It specifically looks for tasks registered through schtasks.exe or TaskService that have command arguments containing the string "HTTP." This behavior is often associated with malware or attacks that utilize Living off the Land binaries (lolbins) to download additional files or payloads to the compromised machine. - - The search returns information about the task, such as the task name, command, author, enabled status, hidden status, and arguments. Upon triage, it is important to identify the source of the scheduled task, whether it was registered through schtasks.exe or TaskService. Review the details of the created task and the command to be executed. Capture relevant artifacts on disk and examine them. Additionally, identify any parallel processes occurring within the same timeframe to determine the source of the attack. - - Implementing this analytic requires ingesting logs with information about task schedules, specifically Windows Security Log EventCode 4698, from your endpoints. It is recommended to tune and filter known instances of task schedules used in your environment to minimize false positives. - - Detecting the registration of suspicious tasks with HTTP command arguments is valuable for a SOC as it indicates potential malicious activity or an attempt to establish persistence on the system. If a true positive is found, further investigation is warranted to analyze the nature and purpose of the scheduled task, identify any downloaded files or payloads, and mitigate the associated risks. The impact of a true positive can vary but may include data exfiltration, malware propagation, or unauthorized access to sensitive information. +description: The following analytic detects the creation of scheduled tasks on Windows + systems that include HTTP command arguments, using Windows Security EventCode 4698. + It identifies tasks registered via schtasks.exe or TaskService with HTTP in their + command arguments. This behavior is significant as it often indicates malware activity + or the use of Living off the Land binaries (lolbins) to download additional payloads. + If confirmed malicious, this activity could lead to data exfiltration, malware propagation, + or unauthorized access to sensitive information, necessitating immediate investigation + and mitigation. data_source: - Windows Event Log Security 4698 search: '`wineventlog_security` EventCode=4698 | xmlkv Message| search Arguments IN @@ -60,6 +61,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/tasksched/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/tasksched/windows-security.log source: WinEventLog:Security sourcetype: WinEventLog diff --git a/detections/endpoint/schedule_task_with_rundll32_command_trigger.yml b/detections/endpoint/schedule_task_with_rundll32_command_trigger.yml index 65b615af4d..a399bddb7a 100644 --- a/detections/endpoint/schedule_task_with_rundll32_command_trigger.yml +++ b/detections/endpoint/schedule_task_with_rundll32_command_trigger.yml @@ -1,17 +1,18 @@ name: Schedule Task with Rundll32 Command Trigger id: 75b00fd8-a0ff-11eb-8b31-acde48001122 -version: 1 -date: '2021-04-19' +version: 2 +date: '2024-05-15' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the creation of suspicious tasks in Windows, specifically tasks using the rundll32 command. It's implemented using Windows Security EventCode 4698 for A scheduled task was created, and looks for tasks executed either via schtasks.exe or TaskService. This behavior is worth identifying as it is commonly used by malware, such as TrickBot, that leverages rundll32 to execute its downloader. - - If a true positive is found, it suggests an attacker is trying to persist within the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. - - To implement this analytic, ensure you are ingesting logs with task schedule information from your endpoints. Be aware of potential false positives - legitimate uses of Task Scheduler in your environment may cause benign activities to be flagged. - - Upon triage, review the scheduled task's source and the command to be executed. Capture and inspect any relevant on-disk artifacts, and look for concurrent processes to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks. +description: The following analytic detects the creation of scheduled tasks in Windows + that use the rundll32 command. It leverages Windows Security EventCode 4698, which + logs the creation of scheduled tasks, and filters for tasks executed via rundll32. + This activity is significant as it is a common technique used by malware, such as + TrickBot, to persist in an environment or deliver additional payloads. If confirmed + malicious, this could lead to data theft, ransomware deployment, or other damaging + outcomes. Immediate investigation and mitigation are crucial to prevent further + compromise. data_source: - Windows Event Log Security 4698 search: '`wineventlog_security` EventCode=4698 | xmlkv Message | search Command IN @@ -62,6 +63,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/tasksched/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/tasksched/windows-security.log source: WinEventLog:Security sourcetype: WinEventLog diff --git a/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml b/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml index be52905571..6462ab1b60 100644 --- a/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml +++ b/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml @@ -1,26 +1,18 @@ name: Scheduled Task Creation on Remote Endpoint using At id: 4be54858-432f-11ec-8209-3e22fbd008af -version: 1 -date: '2021-11-11' +version: 2 +date: '2024-05-24' author: Mauricio Velazco, Splunk status: production type: TTP -description: 'The following analytic detects the creation of suspicious tasks on a - remote Windows endpoint using the at.exe command with command-line arguments. This - technique is commonly used by red teams and adversaries for lateral movement and - remote code execution. The at.exe binary leverages the deprecated AT protocol, which - may still work on previous versions of Windows. Attackers can enable this protocol - on demand by modifying a system registry key. It is important to consider potential - false positives. While administrators may create scheduled tasks on remote systems, - this activity is typically limited to a small set of hosts or users. - - Identifying the creation of scheduled tasks on remote endpoints is crucial for a - Security Operations Center (SOC) because it indicates potential unauthorized activity - or an attacker attempting to establish persistence or execute malicious code. The - impact of a true positive can be significant, leading to unauthorized access, data - theft, or other damaging outcomes. During triage, investigate the source and purpose - of the scheduled task, inspect relevant on-disk artifacts, and analyze concurrent - processes to identify the extent of the attack and take appropriate response actions.' +description: 'The following analytic detects the creation of scheduled tasks on remote + Windows endpoints using the at.exe command. This detection leverages Endpoint Detection + and Response (EDR) telemetry, focusing on process creation events involving at.exe + with remote command-line arguments. Identifying this activity is significant for + a SOC as it may indicate lateral movement or remote code execution attempts by an + attacker. If confirmed malicious, this activity could lead to unauthorized access, + persistence, or execution of malicious code, potentially resulting in data theft + or further compromise of the network.' data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -82,6 +74,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/lateral_movement/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/lateral_movement/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml b/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml index e8ab036a5e..3087f52f73 100644 --- a/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml +++ b/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml @@ -1,19 +1,18 @@ name: Scheduled Task Deleted Or Created via CMD id: d5af132c-7c17-439c-9d31-13d55340f36c -version: 6 -date: '2023-12-27' +version: 7 +date: '2024-05-17' author: Bhavin Patel, Splunk status: production type: TTP -description: This analytic focuses on identifying the creation or deletion of scheduled - tasks using the schtasks.exe utility with the corresponding command-line flags (-create - or -delete). This technique has been notably associated with threat actors like - Dragonfly and the SUNBURST attack against SolarWinds. The purpose of this analytic - is to detect suspicious activity related to scheduled tasks that could indicate - malicious intent or unauthorized system manipulation. By monitoring for these specific - command-line flags, we can enhance our ability to identify potential threats and - prevent attacks similar to the use of scheduled tasks in the BadRabbit Ransomware - incident. +description: The following analytic identifies the creation or deletion of scheduled + tasks using the schtasks.exe utility with the -create or -delete flags. It leverages + data from Endpoint Detection and Response (EDR) agents, focusing on process names + and command-line executions. This activity is significant as it can indicate unauthorized + system manipulation or malicious intent, often associated with threat actors like + Dragonfly and incidents such as the SUNBURST attack. If confirmed malicious, this + activity could allow attackers to execute code, escalate privileges, or persist + within the environment, posing a significant security risk. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count values(Processes.process) @@ -21,7 +20,7 @@ search: '| tstats `security_content_summariesonly` count values(Processes.proces max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe (Processes.process=*delete* OR Processes.process=*create*) by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `scheduled_task_deleted_or_created_via_cmd_filter` ' + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `scheduled_task_deleted_or_created_via_cmd_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -95,6 +94,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml b/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml index f6f4ce647e..437884fada 100644 --- a/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml +++ b/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml @@ -1,18 +1,17 @@ name: Scheduled Task Initiation on Remote Endpoint id: 95cf4608-4302-11ec-8194-3e22fbd008af -version: 1 -date: '2021-11-11' +version: 2 +date: '2024-05-25' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects instances of 'schtasks.exe' being used to start - a Scheduled Task on a remote endpoint. Adversaries often abuse the Task Scheduler - for lateral movement and remote code execution. The search parameters include process - details such as the process name, parent process, and command-line executions. - Although legitimate administrators may start scheduled tasks on remote systems, - this activity is usually limited to a small set of hosts or users. The findings - from this analytic provide valuable insight into potentially malicious activities - on an endpoint. +description: The following analytic detects the use of 'schtasks.exe' to start a Scheduled + Task on a remote endpoint. This detection leverages Endpoint Detection and Response + (EDR) data, focusing on process details such as process name, parent process, and + command-line executions. This activity is significant as adversaries often abuse + Task Scheduler for lateral movement and remote code execution. If confirmed malicious, + this behavior could allow attackers to execute arbitrary code remotely, potentially + leading to further compromise of the network. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -74,6 +73,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/lateral_movement/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/lateral_movement/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/schtasks_run_task_on_demand.yml b/detections/endpoint/schtasks_run_task_on_demand.yml index 140110ad9f..e9f9b1188b 100644 --- a/detections/endpoint/schtasks_run_task_on_demand.yml +++ b/detections/endpoint/schtasks_run_task_on_demand.yml @@ -1,16 +1,19 @@ name: Schtasks Run Task On Demand id: bb37061e-af1f-11eb-a159-acde48001122 -version: 1 -date: '2023-04-14' +version: 2 +date: '2024-05-28' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic is designed to detect when a Windows Scheduled - Task is executed on demand via shell or command line. Adversaries often force the - execution of their created Scheduled Tasks for persistent access or lateral movement - within a compromised machine. This analytic is driven by process-related data, specifically +description: The following analytic detects the execution of a Windows Scheduled Task + on demand via the shell or command line. It leverages process-related data, including process name, parent process, and command-line executions, sourced from endpoint - logs. The search criteria focus on 'schtasks.exe' with an associated 'run' command. + logs. The detection focuses on 'schtasks.exe' with an associated 'run' command. + This activity is significant as adversaries often use it to force the execution + of their created Scheduled Tasks for persistent access or lateral movement within + a compromised machine. If confirmed malicious, this could allow attackers to maintain + persistence or move laterally within the network, potentially leading to further + compromise. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` values(Processes.process) as process @@ -74,6 +77,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml b/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml index 3edd969350..0a0b4544cb 100644 --- a/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml +++ b/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml @@ -1,18 +1,18 @@ name: Schtasks scheduling job on remote system id: 1297fb80-f42a-4b4a-9c8a-88c066237cf6 -version: 6 -date: '2022-05-23' +version: 7 +date: '2024-05-14' author: David Dorsey, Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic is designed to detect suspicious command-line - arguments executed through 'schtasks.exe' to create a scheduled task on a remote - endpoint. The analytic scans process data, checking for instances where 'schtasks.exe' - has been used with specific command-line flags that suggest an attempt at lateral - movement or remote code execution, common techniques employed by adversaries and - red teams. Key data points include the process name, the specific command line used, - the parent process name, the target destination, and the user involved. Also, timestamp - data gives context to when these activities occurred. +description: The following analytic detects the use of 'schtasks.exe' to create a + scheduled task on a remote system, indicating potential lateral movement or remote + code execution. It leverages process data from Endpoint Detection and Response (EDR) + agents, focusing on specific command-line arguments and flags. This activity is + significant as it may signify an adversary's attempt to persist or execute code + remotely. If confirmed malicious, this could allow attackers to maintain access, + execute arbitrary commands, or further infiltrate the network, posing a severe security + risk. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -80,6 +80,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/schtasks_used_for_forcing_a_reboot.yml b/detections/endpoint/schtasks_used_for_forcing_a_reboot.yml index d3bb019f67..37ac72a0f1 100644 --- a/detections/endpoint/schtasks_used_for_forcing_a_reboot.yml +++ b/detections/endpoint/schtasks_used_for_forcing_a_reboot.yml @@ -1,19 +1,18 @@ name: Schtasks used for forcing a reboot id: 1297fb80-f42a-4b4a-9c8a-88c066437cf6 -version: 4 -date: '2020-12-07' +version: 5 +date: '2024-05-11' author: Bhavin Patel, Splunk status: production type: TTP -description: The following analytic utilizes a Splunk query to pinpoint potential - threats by monitoring the 'schtasks.exe' command-line usage. This particular command, - especially when used in tandem with 'shutdown' and '/create' flags, can suggest - an adversarial force intending to schedule unwarranted system reboots. The query - focuses on endpoint process data and retrieves details such as the process name, - the parent process name, the destination, and the user involved. Essential to the - investigation are the earliest and latest timestamps of these events, providing - an activity timeline. Data such as the targeted host and initiating user offer valuable - context for analyst. +description: The following analytic detects the use of 'schtasks.exe' to schedule + forced system reboots using the 'shutdown' and '/create' flags. It leverages endpoint + process data to identify instances where these specific command-line arguments are + used. This activity is significant because it may indicate an adversary attempting + to disrupt operations or force a reboot to execute further malicious actions. If + confirmed malicious, this could lead to system downtime, potential data loss, and + provide an attacker with an opportunity to execute additional payloads or evade + detection. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` values(Processes.process) as process @@ -73,6 +72,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/schtask_shutdown/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/schtask_shutdown/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/screensaver_event_trigger_execution.yml b/detections/endpoint/screensaver_event_trigger_execution.yml index 70770c8280..78ba213d36 100644 --- a/detections/endpoint/screensaver_event_trigger_execution.yml +++ b/detections/endpoint/screensaver_event_trigger_execution.yml @@ -1,16 +1,18 @@ name: Screensaver Event Trigger Execution id: 58cea3ec-1f6d-11ec-8560-acde48001122 -version: 1 -date: '2023-04-14' +version: 2 +date: '2024-05-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: This analytic is developed to detect possible event trigger execution - through screensaver registry entry modification for persistence or privilege escalation. - This technique was seen in several APT and malware where they put the malicious - payload path to the SCRNSAVE.EXE registry key to redirect the execution to their - malicious payload path. This TTP is a good indicator that some attacker may modify - this entry for their persistence and privilege escalation. +description: The following analytic detects modifications to the SCRNSAVE.EXE registry + entry, indicating potential event trigger execution via screensaver settings for + persistence or privilege escalation. It leverages registry activity data from the + Endpoint data model to identify changes to the specified registry path. This activity + is significant as it is a known technique used by APT groups and malware to maintain + persistence or escalate privileges. If confirmed malicious, this could allow an + attacker to execute arbitrary code with elevated privileges, leading to further + system compromise and persistent access. data_source: - Sysmon EventID 12 - Sysmon EventID 13 @@ -68,6 +70,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.002/scrnsave_reg/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.002/scrnsave_reg/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/script_execution_via_wmi.yml b/detections/endpoint/script_execution_via_wmi.yml index a13aee7cfa..d8f42a5cb9 100644 --- a/detections/endpoint/script_execution_via_wmi.yml +++ b/detections/endpoint/script_execution_via_wmi.yml @@ -1,19 +1,19 @@ name: Script Execution via WMI id: aa73f80d-d728-4077-b226-81ea0c8be589 -version: 4 -date: '2020-03-16' +version: 5 +date: '2024-05-11' author: Rico Valdez, Michael Haag, Splunk status: production type: TTP description: |- - The following analytic detects any potential misuse of Windows Management Instrumentation (WMI) for malicious purposes since adversaries often use WMI to run scripts which allows them to carry out malicious activities without raising suspicion. The detection is made by monitoring the process 'scrcons.exe', which is essential to run WMI scripts. The detection is important because it proactively identifies and responds to potential threats that leverage WMI for malicious purposes that can lead to system compromise, data exfiltration, or the establishment of persistence within the environment. False positives might occur since administrators might occasionally use WMI to launch scripts for legitimate purposes. Therefore, you must distinguish between malicious and benign activities. + The following analytic detects the execution of scripts via Windows Management Instrumentation (WMI) by monitoring the process 'scrcons.exe'. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events. WMI-based script execution is significant because adversaries often use it to perform malicious activities stealthily, such as system compromise, data exfiltration, or establishing persistence. If confirmed malicious, this activity could allow attackers to execute arbitrary code, escalate privileges, or maintain long-term access to the environment. Analysts should differentiate between legitimate administrative use and potential threats. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=scrcons.exe by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `script_execution_via_wmi_filter` ' + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `script_execution_via_wmi_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -59,6 +59,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/execution_scrcons/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/execution_scrcons/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/sdclt_uac_bypass.yml b/detections/endpoint/sdclt_uac_bypass.yml index 0c33fe0463..47ee1614ca 100644 --- a/detections/endpoint/sdclt_uac_bypass.yml +++ b/detections/endpoint/sdclt_uac_bypass.yml @@ -1,14 +1,18 @@ name: Sdclt UAC Bypass id: d71efbf6-da63-11eb-8c6e-acde48001122 -version: 3 -date: '2022-11-14' +version: 4 +date: '2024-05-12' author: Steven Dick, Teoderick Contreras, Splunk status: production type: TTP -description: This search is to detect a suspicious sdclt.exe registry modification. - This technique is commonly seen when attacker try to bypassed UAC by using sdclt.exe - application by modifying some registry that sdclt.exe tries to open or query with - payload file path on it to be executed. +description: The following analytic detects suspicious modifications to the sdclt.exe + registry, a technique often used to bypass User Account Control (UAC). It leverages + data from Endpoint Detection and Response (EDR) agents, focusing on specific registry + paths and values associated with sdclt.exe. This activity is significant because + UAC bypasses can allow attackers to execute payloads with elevated privileges without + user consent. If confirmed malicious, this could lead to unauthorized code execution, + privilege escalation, and potential persistence within the environment, posing a + severe security risk. data_source: - Sysmon EventID 1 - Sysmon EventID 12 @@ -83,6 +87,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/uac_bypass/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/uac_bypass/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/sdelete_application_execution.yml b/detections/endpoint/sdelete_application_execution.yml index 1a919ea6c6..69e6542438 100644 --- a/detections/endpoint/sdelete_application_execution.yml +++ b/detections/endpoint/sdelete_application_execution.yml @@ -1,16 +1,18 @@ name: Sdelete Application Execution id: 31702fc0-2682-11ec-85c3-acde48001122 -version: 1 -date: '2021-10-06' +version: 2 +date: '2024-05-23' author: Teoderick Contreras, Splunk status: production type: TTP -description: This analytic is to detect the execution of sdelete.exe application sysinternal - tools. This tool is one of the most use tool of malware and adversaries to remove - or clear their tracks and artifact in the targetted host. This tool is designed - to delete securely a file in file system that remove the forensic evidence on the - machine. A good TTP query to check why user execute this application which is not - a common practice. +description: The following analytic detects the execution of the sdelete.exe application, + a Sysinternals tool often used by adversaries to securely delete files and remove + forensic evidence from a targeted host. This detection leverages data from Endpoint + Detection and Response (EDR) agents, focusing on process execution logs. Monitoring + this activity is crucial as sdelete.exe is not commonly used in regular operations + and its presence may indicate an attempt to cover malicious activities. If confirmed + malicious, this could lead to the loss of critical forensic data, hindering incident + response and investigation efforts. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` values(Processes.process) as process @@ -74,6 +76,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/sdelete/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/sdelete/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/searchprotocolhost_with_no_command_line_with_network.yml b/detections/endpoint/searchprotocolhost_with_no_command_line_with_network.yml index 5b80c3d81d..653159cc35 100644 --- a/detections/endpoint/searchprotocolhost_with_no_command_line_with_network.yml +++ b/detections/endpoint/searchprotocolhost_with_no_command_line_with_network.yml @@ -1,17 +1,18 @@ name: SearchProtocolHost with no Command Line with Network id: b690df8c-a145-11eb-a38b-acde48001122 -version: 3 -date: '2023-07-10' +version: 4 +date: '2024-05-20' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies searchprotocolhost.exe with no command - line arguments and with a network connection. It is unusual for searchprotocolhost.exe - to execute with no command line arguments present. This particular behavior is common - with malicious software, including Cobalt Strike. During investigation, identify - any network connections and parallel processes. Identify any suspicious module loads - related to credential dumping or file writes. searchprotocolhost.exe is natively - found in C:\Windows\system32 and C:\Windows\syswow64. +description: The following analytic detects instances of searchprotocolhost.exe running + without command line arguments but with an active network connection. This behavior + is identified using Endpoint Detection and Response (EDR) telemetry, focusing on + process execution and network traffic data. It is significant because searchprotocolhost.exe + typically runs with specific command line arguments, and deviations from this norm + can indicate malicious activity, such as Cobalt Strike usage. If confirmed malicious, + this activity could allow attackers to establish network connections for command + and control, potentially leading to data exfiltration or further system compromise. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes @@ -73,6 +74,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon_searchprotocolhost.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon_searchprotocolhost.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/secretdumps_offline_ntds_dumping_tool.yml b/detections/endpoint/secretdumps_offline_ntds_dumping_tool.yml index aa2c24789d..45c91d0cb8 100644 --- a/detections/endpoint/secretdumps_offline_ntds_dumping_tool.yml +++ b/detections/endpoint/secretdumps_offline_ntds_dumping_tool.yml @@ -1,14 +1,18 @@ name: SecretDumps Offline NTDS Dumping Tool id: 5672819c-be09-11eb-bbfb-acde48001122 -version: 1 -date: '2023-06-13' +version: 2 +date: '2024-05-20' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects a potential usage of secretsdump.py tool for dumping - credentials (ntlm hash) from a copy of ntds.dit and SAM.Security,SYSTEM registrry - hive. This technique was seen in some attacker that dump ntlm hashes offline after - having a copy of ntds.dit and SAM/SYSTEM/SECURITY registry hive. +description: The following analytic detects the potential use of the secretsdump.py + tool to dump NTLM hashes from a copy of ntds.dit and the SAM, SYSTEM, and SECURITY + registry hives. It leverages data from Endpoint Detection and Response (EDR) agents, + focusing on specific command-line patterns and process names associated with secretsdump.py. + This activity is significant because it indicates an attempt to extract sensitive + credential information offline, which is a common post-exploitation technique. If + confirmed malicious, this could allow an attacker to obtain NTLM hashes, facilitating + further lateral movement and potential privilege escalation within the network. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -72,6 +76,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/honeypots/casper/datasets1/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/honeypots/casper/datasets1/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/serviceprincipalnames_discovery_with_powershell.yml b/detections/endpoint/serviceprincipalnames_discovery_with_powershell.yml index b8f5af41da..95cce99f66 100644 --- a/detections/endpoint/serviceprincipalnames_discovery_with_powershell.yml +++ b/detections/endpoint/serviceprincipalnames_discovery_with_powershell.yml @@ -1,33 +1,23 @@ name: ServicePrincipalNames Discovery with PowerShell id: 13243068-2d38-11ec-8908-acde48001122 -version: 2 -date: '2022-02-26' +version: 3 +date: '2024-05-11' author: Michael Haag, Splunk status: production type: TTP -description: 'The following analytic identifies `powershell.exe` usage, using Script - Block Logging EventCode 4104, related to querying the domain for Service Principle - Names. typically, this is a precursor activity related to kerberoasting or the silver - ticket attack. - - What is a ServicePrincipleName? - - A service principal name (SPN) is a unique identifier of a service instance. SPNs - are used by Kerberos authentication to associate a service instance with a service - logon account. This allows a client application to request that the service authenticate - an account even if the client does not have the account name. - - The following analytic identifies the use of KerberosRequestorSecurityToken class - within the script block. Using .NET System.IdentityModel.Tokens.KerberosRequestorSecurityToken - class in PowerShell is the equivelant of using setspn.exe. - - During triage, review parallel processes for further suspicious activity.' +description: 'The following analytic detects the use of `powershell.exe` to query + the domain for Service Principal Names (SPNs) using Script Block Logging EventCode + 4104. It identifies the use of the KerberosRequestorSecurityToken class within the + script block, which is equivalent to using setspn.exe. This activity is significant + as it often precedes kerberoasting or silver ticket attacks, which can lead to credential + theft. If confirmed malicious, attackers could leverage this information to escalate + privileges or persist within the environment.' data_source: - Powershell Script Block Logging 4104 search: '`powershell` EventCode=4104 ScriptBlockText="*KerberosRequestorSecurityToken*" | stats count min(_time) as firstTime max(_time) as lastTime by ScriptBlockText - Opcode Computer UserID EventCode | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `serviceprincipalnames_discovery_with_powershell_filter`' + Opcode Computer UserID EventCode | rename Computer as dest | rename UserID as user + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `serviceprincipalnames_discovery_with_powershell_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. @@ -85,6 +75,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/serviceprincipalnames_discovery_with_setspn.yml b/detections/endpoint/serviceprincipalnames_discovery_with_setspn.yml index 3409f4e83a..d16327f89d 100644 --- a/detections/endpoint/serviceprincipalnames_discovery_with_setspn.yml +++ b/detections/endpoint/serviceprincipalnames_discovery_with_setspn.yml @@ -1,33 +1,17 @@ name: ServicePrincipalNames Discovery with SetSPN id: ae8b3efc-2d2e-11ec-8b57-acde48001122 -version: 1 -date: '2021-10-14' +version: 2 +date: '2024-05-13' author: Michael Haag, Splunk status: production type: TTP -description: 'The following analytic identifies `setspn.exe` usage related to querying - the domain for Service Principle Names. typically, this is a precursor activity - related to kerberoasting or the silver ticket attack. - - What is a ServicePrincipleName? - - A service principal name (SPN) is a unique identifier of a service instance. SPNs - are used by Kerberos authentication to associate a service instance with a service - logon account. This allows a client application to request that the service authenticate - an account even if the client does not have the account name. - - Example usage includes the following - - * setspn -T offense -Q */* 1. setspn -T attackrange.local -F -Q MSSQLSvc/* 1. setspn - -Q */* > allspns.txt 1. setspn -q - - Values - - * -F = perform queries at the forest, rather than domain level 1. -T = perform - query on the specified domain or forest (when -F is also used) 1. -Q = query for - existence of SPN - - During triage, review parallel processes for further suspicious activity.' +description: 'The following analytic detects the use of `setspn.exe` to query the + domain for Service Principal Names (SPNs). This detection leverages Endpoint Detection + and Response (EDR) data, focusing on specific command-line arguments associated + with `setspn.exe`. Monitoring this activity is crucial as it often precedes Kerberoasting + or Silver Ticket attacks, which can lead to credential theft. If confirmed malicious, + an attacker could use the gathered SPNs to escalate privileges or persist within + the environment, posing a significant security risk.' data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -109,6 +93,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.003/atomic_red_team/windows-sysmon_setspn.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.003/atomic_red_team/windows-sysmon_setspn.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/services_escalate_exe.yml b/detections/endpoint/services_escalate_exe.yml index 6516615767..df20d5640f 100644 --- a/detections/endpoint/services_escalate_exe.yml +++ b/detections/endpoint/services_escalate_exe.yml @@ -1,22 +1,18 @@ name: Services Escalate Exe id: c448488c-b7ec-11eb-8253-acde48001122 -version: 2 -date: '2023-11-07' +version: 3 +date: '2024-05-31' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies the use of `svc-exe` with Cobalt Strike. - The behavior typically follows after an adversary has already gained initial access - and is escalating privileges. Using `svc-exe`, a randomly named binary will be downloaded - from the remote Teamserver and placed on disk within `C:\Windows\400619a.exe`. Following, - the binary will be added to the registry under key `HKLM\System\CurrentControlSet\Services\400619a\` - with multiple keys and values added to look like a legitimate service. Upon loading, - `services.exe` will spawn the randomly named binary from `\\127.0.0.1\ADMIN$\400619a.exe`. - The process lineage is completed with `400619a.exe` spawning rundll32.exe, which - is the default `spawnto_` value for Cobalt Strike. The `spawnto_` value is arbitrary - and may be any process on disk (typically system32/syswow64 binary). The `spawnto_` - process will also contain a network connection. During triage, review parallel procesess - and identify any additional file modifications. +description: The following analytic identifies the execution of a randomly named binary + via `services.exe`, indicative of privilege escalation using Cobalt Strike's `svc-exe`. + This detection leverages data from Endpoint Detection and Response (EDR) agents, + focusing on process lineage and command-line executions. This activity is significant + as it often follows initial access, allowing adversaries to escalate privileges + and establish persistence. If confirmed malicious, this behavior could enable attackers + to execute arbitrary code, maintain long-term access, and potentially move laterally + within the network, posing a severe threat to the organization's security. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -80,6 +76,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/services_lolbas_execution_process_spawn.yml b/detections/endpoint/services_lolbas_execution_process_spawn.yml index f55c2de675..93510c2490 100644 --- a/detections/endpoint/services_lolbas_execution_process_spawn.yml +++ b/detections/endpoint/services_lolbas_execution_process_spawn.yml @@ -1,17 +1,18 @@ name: Services LOLBAS Execution Process Spawn id: ba9e1954-4c04-11ec-8b74-3e22fbd008af -version: 1 -date: '2021-11-22' +version: 2 +date: '2024-05-20' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic identifies `services.exe` spawning a LOLBAS execution - process. When adversaries execute code on remote endpoints abusing the Service Control - Manager and creating a remote malicious service, the executed command is spawned - as a child process of `services.exe`. The LOLBAS project documents Windows native - binaries that can be abused by threat actors to perform tasks like executing malicious - code. Looking for child processes of services.exe that are part of the LOLBAS project - can help defenders identify lateral movement activity. +description: The following analytic identifies `services.exe` spawning a LOLBAS (Living + Off the Land Binaries and Scripts) execution process. It leverages data from Endpoint + Detection and Response (EDR) agents, focusing on process creation events where `services.exe` + is the parent process. This activity is significant because adversaries often abuse + the Service Control Manager to execute malicious code via native Windows binaries, + facilitating lateral movement. If confirmed malicious, this behavior could allow + attackers to execute arbitrary code, escalate privileges, or maintain persistence + within the environment, posing a severe security risk. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -85,6 +86,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/lateral_movement_lolbas/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/lateral_movement_lolbas/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/shim_database_file_creation.yml b/detections/endpoint/shim_database_file_creation.yml index a54e073409..737398ef05 100644 --- a/detections/endpoint/shim_database_file_creation.yml +++ b/detections/endpoint/shim_database_file_creation.yml @@ -1,15 +1,17 @@ name: Shim Database File Creation id: 6e4c4588-ba2f-42fa-97e6-9f6f548eaa33 -version: 3 -date: '2020-12-08' +version: 4 +date: '2024-05-19' author: David Dorsey, Splunk status: production type: TTP -description: This search looks for shim database files being written to default directories. - The sdbinst.exe application is used to install shim database files (.sdb). According - to Microsoft, a shim is a small library that transparently intercepts an API, changes - the parameters passed, handles the operation itself, or redirects the operation - elsewhere. +description: The following analytic detects the creation of shim database files (.sdb) + in default directories using the sdbinst.exe application. It leverages filesystem + activity data from the Endpoint.Filesystem data model to identify file writes to + the Windows\AppPatch\Custom directory. This activity is significant because shims + can intercept and alter API calls, potentially allowing attackers to bypass security + controls or execute malicious code. If confirmed malicious, this could lead to unauthorized + code execution, privilege escalation, or persistent access within the environment. data_source: - Sysmon EventID 11 search: '| tstats `security_content_summariesonly` count values(Filesystem.action) @@ -59,6 +61,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.011/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.011/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/shim_database_installation_with_suspicious_parameters.yml b/detections/endpoint/shim_database_installation_with_suspicious_parameters.yml index 850cc36f14..d23095f980 100644 --- a/detections/endpoint/shim_database_installation_with_suspicious_parameters.yml +++ b/detections/endpoint/shim_database_installation_with_suspicious_parameters.yml @@ -1,15 +1,18 @@ name: Shim Database Installation With Suspicious Parameters id: 404620de-46d8-48b6-90cc-8a8d7b0876a3 -version: 4 -date: '2020-11-23' +version: 5 +date: '2024-05-09' author: David Dorsey, Splunk status: production type: TTP -description: This search detects the process execution and arguments required to silently - create a shim database. The sdbinst.exe application is used to install shim database - files (.sdb). A shim is a small library which transparently intercepts an API, changes - the parameters passed, handles the operation itself, or redirects the operation - elsewhere. +description: The following analytic detects the execution of sdbinst.exe with parameters + indicative of silently creating a shim database. It leverages data from Endpoint + Detection and Response (EDR) agents, focusing on process names, parent processes, + and command-line arguments. This activity is significant because shim databases + can be used to intercept and manipulate API calls, potentially allowing attackers + to bypass security controls or achieve persistence. If confirmed malicious, this + could enable unauthorized code execution, privilege escalation, or persistent access + to the compromised system. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` values(Processes.process) as process @@ -63,6 +66,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.011/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.011/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/short_lived_scheduled_task.yml b/detections/endpoint/short_lived_scheduled_task.yml index 1ef4cffda5..59415847fe 100644 --- a/detections/endpoint/short_lived_scheduled_task.yml +++ b/detections/endpoint/short_lived_scheduled_task.yml @@ -1,32 +1,18 @@ name: Short Lived Scheduled Task id: 6fa31414-546e-11ec-adfa-acde48001122 -version: 1 -date: '2023-12-27' +version: 2 +date: '2024-05-17' author: Mauricio Velazco, Splunk status: production type: TTP -description: 'The following analytic utilizes Windows Security EventCode 4698, "A - scheduled task was created," and EventCode 4699, "A scheduled task was deleted," - to identify scheduled tasks that are created and deleted within a short time frame - of less than 30 seconds. This behavior is indicative of a potential lateral movement - attack where the Task Scheduler is abused to achieve code execution. Both red teams - and adversaries may exploit the Task Scheduler for lateral movement and remote code - execution. - - To implement this analytic, ensure that you are ingesting Windows Security Event - Logs with EventCode 4698 enabled. Additionally, the Windows TA (Technology Add-on) - is required to parse and extract the necessary information from the logs. - - It''s important to note that while uncommon, legitimate applications may create - and delete scheduled tasks within a short duration. Analysts should filter the results - based on the specific context and environment to reduce false positives. - - Identifying short-lived scheduled tasks is valuable for a SOC as it can indicate - malicious activities attempting to move laterally or execute unauthorized code on - Windows systems. By detecting and investigating these events, security analysts - can respond promptly to prevent further compromise and mitigate potential risks. - The impact of a true positive could range from unauthorized access to data exfiltration - or the execution of malicious payloads.' +description: 'The following analytic detects the creation and deletion of scheduled + tasks within a short time frame (less than 30 seconds) using Windows Security EventCodes + 4698 and 4699. This behavior is identified by analyzing Windows Security Event Logs + and leveraging the Windows TA for parsing. Such activity is significant as it may + indicate lateral movement or remote code execution attempts by adversaries. If confirmed + malicious, this could lead to unauthorized access, data exfiltration, or execution + of malicious payloads, necessitating prompt investigation and response by security + analysts.' data_source: - Windows Event Log Security 4698 - Windows Event Log Security 4699 @@ -34,7 +20,7 @@ search: ' `wineventlog_security` EventCode=4698 OR EventCode=4699 | xmlkv Messag | transaction Task_Name startswith=(EventCode=4698) endswith=(EventCode=4699) | eval short_lived=case((duration<30),"TRUE") | search short_lived = TRUE | rename ComputerName as dest| table _time, dest, Account_Name, Command, Task_Name, short_lived - | `short_lived_scheduled_task_filter` ' + | `short_lived_scheduled_task_filter`' how_to_implement: To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA is also required. @@ -77,6 +63,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/lateral_movement/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/lateral_movement/windows-security.log source: WinEventLog:Security sourcetype: WinEventLog diff --git a/detections/endpoint/short_lived_windows_accounts.yml b/detections/endpoint/short_lived_windows_accounts.yml index 2f912af286..211e0ef1ec 100644 --- a/detections/endpoint/short_lived_windows_accounts.yml +++ b/detections/endpoint/short_lived_windows_accounts.yml @@ -1,12 +1,12 @@ name: Short Lived Windows Accounts id: b25f6f62-0782-43c1-b403-083231ffd97d -version: 3 -date: '2024-03-19' +version: 4 +date: '2024-05-14' author: David Dorsey, Splunk status: production type: TTP description: |- - The following analytic detects the creation and deletion of accounts in a short time period to identify potential threats earlier and take appropriate actions to mitigate the risks. Helps prevent or minimize the potential damage caused by unauthorized access or malicious activities within the environment. This detection is made by a Splunk query that searches for events with the result IDs 4720 and 4726 in the "Change" data model. The query then groups the results by time, user, and destination. The result is filtered to only include events with the specified result IDs. The "transaction" command is used to group events that occur within a specified time span and have the same user but are not connected. Finally, the relevant information such as the first and last time of the event, the count, user, destination, and result ID are displayed in a table. This detection is important because it suggests that an attacker is attempting to create and delete accounts rapidly, potentially to cover their tracks or gain unauthorized access. The impact of such an attack can include unauthorized access to sensitive data, privilege escalation, or the ability to carry out further malicious activities within the environment. Next steps include investigating the events flagged by the analytic, review the account creation and deletion activities, and analyze any associated logs or artifacts to determine the intent and impact of the attack. + The following analytic detects the rapid creation and deletion of Windows accounts within a short time frame. It leverages the "Change" data model in Splunk, specifically monitoring events with result IDs 4720 (account creation) and 4726 (account deletion). This behavior is significant as it may indicate an attacker attempting to create and remove accounts quickly to evade detection or gain unauthorized access. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, or further malicious actions within the environment. Immediate investigation of flagged events is crucial to mitigate potential damage. data_source: - Windows Event Log System 4720 - Windows Event Log System 4726 @@ -56,14 +56,17 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-security.log source: WinEventLog:Security sourcetype: WinEventLog update_timestamp: true - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-system.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-system.log source: WinEventLog:System sourcetype: WinEventLog update_timestamp: true - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/silentcleanup_uac_bypass.yml b/detections/endpoint/silentcleanup_uac_bypass.yml index 2a51d4db6b..06dd984ad7 100644 --- a/detections/endpoint/silentcleanup_uac_bypass.yml +++ b/detections/endpoint/silentcleanup_uac_bypass.yml @@ -1,14 +1,18 @@ name: SilentCleanup UAC Bypass id: 56d7cfcc-da63-11eb-92d4-acde48001122 -version: 3 -date: '2022-11-14' +version: 4 +date: '2024-05-18' author: Steven Dick, Teoderick Contreras, Splunk status: production type: TTP -description: This search is to detect a suspicious modification of registry that may - related to UAC bypassed. This registry will be trigger once the attacker abuse the - silentcleanup task schedule to gain high privilege execution that will bypass User - control account. +description: The following analytic detects suspicious modifications to the registry + that may indicate a UAC (User Account Control) bypass attempt via the SilentCleanup + task. It leverages data from Endpoint Detection and Response (EDR) agents, focusing + on registry changes in the path "*\\Environment\\windir" with executable values. + This activity is significant as it can allow an attacker to gain high-privilege + execution without user consent, bypassing UAC protections. If confirmed malicious, + this could lead to unauthorized administrative access, enabling further system compromise + and persistence. data_source: - Sysmon EventID 1 - Sysmon EventID 12 @@ -81,6 +85,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/uac_bypass/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/uac_bypass/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/single_letter_process_on_endpoint.yml b/detections/endpoint/single_letter_process_on_endpoint.yml index be5ab4b8aa..9f4b91fe89 100644 --- a/detections/endpoint/single_letter_process_on_endpoint.yml +++ b/detections/endpoint/single_letter_process_on_endpoint.yml @@ -1,12 +1,12 @@ name: Single Letter Process On Endpoint id: a4214f0b-e01c-41bc-8cc4-d2b71e3056b4 -version: 3 -date: '2020-12-08' +version: 4 +date: '2024-05-27' author: David Dorsey, Splunk status: production type: TTP description: |- - The following analytic detects a behavior where a process name consists only of a single letter that helps to detect potential threats earlier and mitigate the risks. This detection is important because it indicates the presence of malware or an attacker attempting to evade detection by using a process name that is difficult to identify or track so that he can carry out malicious activities such as data theft or ransomware attacks. False positives might occur since there might be legitimate uses of single-letter process names in your environment. Next steps include reviewing the process details and investigating any suspicious activity upon triage. + The following analytic detects processes with names consisting of a single letter, which is often indicative of malware or an attacker attempting to evade detection. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because attackers use such techniques to obscure their presence and carry out malicious activities like data theft or ransomware attacks. If confirmed malicious, this behavior could lead to unauthorized access, data exfiltration, or system compromise. Immediate investigation is required to determine the legitimacy of the process. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -62,6 +62,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.002/single_letter_exe/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.002/single_letter_exe/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/slui_runas_elevated.yml b/detections/endpoint/slui_runas_elevated.yml index 3a524e0db0..4e1704c562 100644 --- a/detections/endpoint/slui_runas_elevated.yml +++ b/detections/endpoint/slui_runas_elevated.yml @@ -1,16 +1,18 @@ name: SLUI RunAs Elevated id: 8d124810-b3e4-11eb-96c7-acde48001122 -version: 1 -date: '2021-05-13' +version: 2 +date: '2024-05-26' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies the Microsoft Software Licensing User - Interface Tool, `slui.exe`, elevating access using the `-verb runas` function. This - particular bypass utilizes a registry key/value. Identified by two sources, the - registry keys are `HKCU\Software\Classes\exefile\shell` and `HKCU\Software\Classes\launcher.Systemsettings\Shell\open\command`. - To simulate this behavior, multiple POC are available. The analytic identifies the - use of `runas` by `slui.exe`. +description: The following analytic detects the execution of the Microsoft Software + Licensing User Interface Tool (`slui.exe`) with elevated privileges using the `-verb + runas` function. This activity is identified through logs from Endpoint Detection + and Response (EDR) agents, focusing on specific registry keys and command-line parameters. + This behavior is significant as it indicates a potential privilege escalation attempt, + which could allow an attacker to gain elevated access and execute malicious actions + with higher privileges. If confirmed malicious, this could lead to unauthorized + system changes, data exfiltration, or further compromise of the affected endpoint. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -75,6 +77,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/slui/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/slui/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/slui_spawning_a_process.yml b/detections/endpoint/slui_spawning_a_process.yml index ad739a265a..0f60018064 100644 --- a/detections/endpoint/slui_spawning_a_process.yml +++ b/detections/endpoint/slui_spawning_a_process.yml @@ -1,24 +1,26 @@ name: SLUI Spawning a Process id: 879c4330-b3e0-11eb-b1b1-acde48001122 -version: 1 -date: '2021-05-13' +version: 2 +date: '2024-05-18' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies the Microsoft Software Licensing User - Interface Tool, `slui.exe`, spawning a child process. This behavior is associated - with publicly known UAC bypass. `slui.exe` is commonly associated with software - updates and is most often spawned by `svchost.exe`. The `slui.exe` process should - not have child processes, and any processes spawning from it will be running with - elevated privileges. During triage, review the child process and additional parallel - processes. Identify any file modifications that may have lead to the bypass. +description: The following analytic detects the Microsoft Software Licensing User + Interface Tool (`slui.exe`) spawning a child process. This behavior is identified + using Endpoint Detection and Response (EDR) telemetry, focusing on process creation + events where `slui.exe` is the parent process. This activity is significant because + `slui.exe` should not typically spawn child processes, and doing so may indicate + a UAC bypass attempt, leading to elevated privileges. If confirmed malicious, an + attacker could leverage this to execute code with elevated privileges, potentially + compromising the system's security and gaining unauthorized access. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=slui.exe - by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name - Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `slui_spawning_a_process_filter`' + by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `slui_spawning_a_process_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -73,6 +75,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/slui/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/slui/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/spike_in_file_writes.yml b/detections/endpoint/spike_in_file_writes.yml index 41de33ab9e..b7c38733cb 100644 --- a/detections/endpoint/spike_in_file_writes.yml +++ b/detections/endpoint/spike_in_file_writes.yml @@ -20,7 +20,7 @@ search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint >= relative_time(maxtime, "-1d@d"), count, null))) as "count" avg(eval(if(_time upperBound) AND num_data_samples >=20, 1, 0) | search isOutlier=1 | `spike_in_file_writes_filter` ' + > upperBound) AND num_data_samples >=20, 1, 0) | search isOutlier=1 | `spike_in_file_writes_filter`' how_to_implement: In order to implement this search, you must populate the Endpoint file-system data model node. This is typically populated via endpoint detection and response product, such as Carbon Black or endpoint data sources such as Sysmon. diff --git a/detections/endpoint/spoolsv_spawning_rundll32.yml b/detections/endpoint/spoolsv_spawning_rundll32.yml index 6b3bbea8c9..a368a4bb44 100644 --- a/detections/endpoint/spoolsv_spawning_rundll32.yml +++ b/detections/endpoint/spoolsv_spawning_rundll32.yml @@ -1,24 +1,27 @@ name: Spoolsv Spawning Rundll32 id: 15d905f6-da6b-11eb-ab82-acde48001122 -version: 2 -date: '2021-07-01' +version: 3 +date: '2024-05-14' author: Mauricio Velazco, Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies a suspicious child process, `rundll32.exe`, - with no command-line arguments being spawned from `spoolsv.exe`. This was identified - during our testing of CVE-2021-34527 previously (CVE-2021-1675) or PrintNightmare. - Typically, this is not normal behavior for `spoolsv.exe` to spawn a process. During - triage, isolate the endpoint and review for source of exploitation. Capture any - additional file modification events. +description: The following analytic detects the spawning of `rundll32.exe` without + command-line arguments by `spoolsv.exe`, which is unusual and potentially indicative + of exploitation attempts like CVE-2021-34527 (PrintNightmare). This detection leverages + Endpoint Detection and Response (EDR) telemetry, focusing on process creation events + where `spoolsv.exe` is the parent process. This activity is significant as `spoolsv.exe` + typically does not spawn other processes, and such behavior could indicate an active + exploitation attempt. If confirmed malicious, this could allow an attacker to execute + arbitrary code, escalate privileges, or maintain persistence on the compromised + endpoint. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=spoolsv.exe - `process_rundll32` by Processes.dest Processes.user Processes.parent_process_name Processes.original_file_name - Processes.process_name Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `spoolsv_spawning_rundll32_filter`' + `process_rundll32` by Processes.dest Processes.user Processes.parent_process_name + Processes.original_file_name Processes.process_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `spoolsv_spawning_rundll32_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -42,8 +45,8 @@ tags: cve: - CVE-2021-34527 impact: 80 - message: $parent_process_name$ has spawned $process_name$ on endpoint $dest$. - This behavior is suspicious and related to PrintNightmare. + message: $parent_process_name$ has spawned $process_name$ on endpoint $dest$. This + behavior is suspicious and related to PrintNightmare. mitre_attack_id: - T1547.012 - T1547 @@ -78,6 +81,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/printnightmare/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/printnightmare/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/spoolsv_suspicious_process_access.yml b/detections/endpoint/spoolsv_suspicious_process_access.yml index 7bc07eb985..5321e878ab 100644 --- a/detections/endpoint/spoolsv_suspicious_process_access.yml +++ b/detections/endpoint/spoolsv_suspicious_process_access.yml @@ -1,15 +1,18 @@ name: Spoolsv Suspicious Process Access id: 799b606e-da81-11eb-93f8-acde48001122 -version: 1 -date: '2021-07-01' +version: 2 +date: '2024-05-16' author: Mauricio Velazco, Michael Haag, Teoderick Contreras, Splunk status: production type: TTP -description: This analytic identifies a suspicious behavior related to PrintNightmare, - or CVE-2021-34527 previously (CVE-2021-1675), to gain privilege escalation on the - vulnerable machine. This exploit attacks a critical Windows Print Spooler Vulnerability - to elevate privilege. This detection is to look for suspicious process access made - by the spoolsv.exe that may related to the attack. +description: The following analytic detects suspicious process access by spoolsv.exe, + potentially indicating exploitation of the PrintNightmare vulnerability (CVE-2021-34527). + It leverages Sysmon EventCode 10 to identify when spoolsv.exe accesses critical + system files or processes like rundll32.exe with elevated privileges. This activity + is significant as it may signal an attempt to gain unauthorized privilege escalation + on a vulnerable machine. If confirmed malicious, an attacker could achieve elevated + privileges, leading to further system compromise, persistent access, or unauthorized + control over the affected environment. data_source: - Sysmon EventID 10 search: '`sysmon` EventCode=10 SourceImage = "*\\spoolsv.exe" CallTrace = "*\\Windows\\system32\\spool\\DRIVERS\\x64\\*" @@ -68,6 +71,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/printnightmare/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/printnightmare/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/spoolsv_writing_a_dll.yml b/detections/endpoint/spoolsv_writing_a_dll.yml index 8b95eabe07..72a318e110 100644 --- a/detections/endpoint/spoolsv_writing_a_dll.yml +++ b/detections/endpoint/spoolsv_writing_a_dll.yml @@ -1,16 +1,18 @@ name: Spoolsv Writing a DLL id: d5bf5cf2-da71-11eb-92c2-acde48001122 -version: 2 -date: '2023-11-07' +version: 3 +date: '2024-05-27' author: Mauricio Velazco, Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies a `.dll` being written by `spoolsv.exe`. - This was identified during our testing of CVE-2021-34527 previously (CVE-2021-1675) - or PrintNightmare. Typically, this is not normal behavior for `spoolsv.exe` to write - a `.dll`. Current POC code used will write the suspicious DLL to disk within a path - of `\spool\drivers\x64\`. During triage, isolate the endpoint and review for source - of exploitation. Capture any additional file modification events. +description: The following analytic detects `spoolsv.exe` writing a `.dll` file, which + is unusual behavior and may indicate exploitation of vulnerabilities like CVE-2021-34527 + (PrintNightmare). This detection leverages the Endpoint datamodel, specifically + monitoring process and filesystem events to identify `.dll` file creation within + the `\spool\drivers\x64\` path. This activity is significant as it may signify an + attacker attempting to execute malicious code via the Print Spooler service. If + confirmed malicious, this could lead to unauthorized code execution and potential + system compromise. Immediate endpoint isolation and further investigation are recommended. data_source: - Sysmon EventID 1 - Sysmon EventID 11 @@ -21,9 +23,9 @@ search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path="*\\spool\\drivers\\x64\\*" Filesystem.file_name="*.dll" by _time Filesystem.dest Filesystem.process_guid Filesystem.file_create_time Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` | - fields _time dest file_create_time file_name file_path process_name process_path process_guid - process] | dedup file_create_time | table dest file_create_time, file_name, file_path, - process_name process_guid | `spoolsv_writing_a_dll_filter`' + fields _time dest file_create_time file_name file_path process_name process_path + process_guid process] | dedup file_create_time | table dest file_create_time, file_name, + file_path, process_name process_guid | `spoolsv_writing_a_dll_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` @@ -74,6 +76,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/printnightmare/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/printnightmare/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/spoolsv_writing_a_dll___sysmon.yml b/detections/endpoint/spoolsv_writing_a_dll___sysmon.yml index e4ada7b87e..66efe10da1 100644 --- a/detections/endpoint/spoolsv_writing_a_dll___sysmon.yml +++ b/detections/endpoint/spoolsv_writing_a_dll___sysmon.yml @@ -1,16 +1,18 @@ name: Spoolsv Writing a DLL - Sysmon id: 347fd388-da87-11eb-836d-acde48001122 -version: 1 -date: '2021-07-01' +version: 2 +date: '2024-05-17' author: Mauricio Velazco, Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies a `.dll` being written by `spoolsv.exe`. - This was identified during our testing of CVE-2021-34527 previously(CVE-2021-1675) - or PrintNightmare. Typically, this is not normal behavior for `spoolsv.exe` to write - a `.dll`. Current POC code used will write the suspicious DLL to disk within a path - of `\spool\drivers\x64\`. During triage, isolate the endpoint and review for source - of exploitation. Capture any additional file modification events. +description: The following analytic detects `spoolsv.exe` writing a `.dll` file, which + is unusual behavior and may indicate exploitation of vulnerabilities like CVE-2021-34527 + (PrintNightmare). This detection leverages Sysmon Event ID 11 to monitor file creation + events in the `\spool\drivers\x64\` directory. This activity is significant because + `spoolsv.exe` typically does not write DLL files, and such behavior could signify + an ongoing attack. If confirmed malicious, this could allow an attacker to execute + arbitrary code, escalate privileges, or maintain persistence on the compromised + system. data_source: - Sysmon EventID 11 search: '`sysmon` EventID=11 process_name=spoolsv.exe file_path="*\\spool\\drivers\\x64\\*" @@ -70,6 +72,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/printnightmare/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/printnightmare/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/sqlite_module_in_temp_folder.yml b/detections/endpoint/sqlite_module_in_temp_folder.yml index 7b8bb3220d..dc4abc1eed 100644 --- a/detections/endpoint/sqlite_module_in_temp_folder.yml +++ b/detections/endpoint/sqlite_module_in_temp_folder.yml @@ -1,20 +1,23 @@ name: Sqlite Module In Temp Folder id: 0f216a38-f45f-11eb-b09c-acde48001122 -version: 1 -date: '2021-08-03' +version: 2 +date: '2024-05-20' author: Teoderick Contreras, Splunk status: production type: TTP -description: This search is to detect a suspicious file creation of sqlite3.dll in - %temp% folder. This behavior was seen in IcedID malware where it download sqlite - module to parse browser database like for chrome or firefox to stole browser information - related to bank, credit card or credentials. +description: The following analytic detects the creation of sqlite3.dll files in the + %temp% folder. It leverages Sysmon EventCode 11 to identify when these files are + written to the temporary directory. This activity is significant because it is associated + with IcedID malware, which uses the sqlite3 module to parse browser databases and + steal sensitive information such as banking details, credit card information, and + credentials. If confirmed malicious, this behavior could lead to significant data + theft and compromise of user accounts. data_source: - Sysmon EventID 11 search: '`sysmon` EventCode=11 (TargetFilename = "*\\sqlite32.dll" OR TargetFilename - = "*\\sqlite64.dll") (TargetFilename = "*\\temp\\*") - | stats count min(_time) as - firstTime max(_time) as lastTime by dest signature signature_id process_name file_name file_path action process_guid| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + = "*\\sqlite64.dll") (TargetFilename = "*\\temp\\*") | stats count min(_time) as + firstTime max(_time) as lastTime by dest signature signature_id process_name file_name + file_path action process_guid| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `sqlite_module_in_temp_folder_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your @@ -57,6 +60,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/simulated_icedid/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/simulated_icedid/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/steal_or_forge_authentication_certificates_behavior_identified.yml b/detections/endpoint/steal_or_forge_authentication_certificates_behavior_identified.yml index c6f46a74e7..05f3834ed9 100644 --- a/detections/endpoint/steal_or_forge_authentication_certificates_behavior_identified.yml +++ b/detections/endpoint/steal_or_forge_authentication_certificates_behavior_identified.yml @@ -1,19 +1,36 @@ name: Steal or Forge Authentication Certificates Behavior Identified id: 87ac670e-bbfd-44ca-b566-44e9f835518d -version: 1 -date: '2023-05-01' +version: 2 +date: '2024-05-26' author: Michael Haag, Splunk status: production type: Correlation data_source: [] -description: This correlation rule focuses on detecting potential threats associated with MITRE ATT&CK T1649 (Steal or Forge Authentication Certificates). The rule is designed to identify instances where 5 or more analytics related to Windows Certificate Services analytic story that are triggered within a specified time frame, which may indicate a potential attack in progress. By aggregating these analytics, security teams can swiftly respond to and investigate any suspicious activities, enhancing their ability to protect critical assets and prevent unauthorized access to sensitive information. -search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories="Windows Certificate Services" All_Risk.risk_object_type="system" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic - | `drop_dm_object_name(All_Risk)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | where source_count >= 5 | `steal_or_forge_authentication_certificates_behavior_identified_filter`' -how_to_implement: The Windows Certificate Services analytic story must have 5 or more analytics enabled. In addition, ensure data is being logged that is required. Modify the correlation as needed based on volume of noise related to the other analytics. -known_false_positives: False positives may be present based on automated tooling or system administrators. Filter as needed. +description: The following analytic identifies potential threats related to the theft + or forgery of authentication certificates. It detects when five or more analytics + from the Windows Certificate Services story trigger within a specified timeframe. + This detection leverages aggregated risk scores and event counts from the Risk data + model. This activity is significant as it may indicate an ongoing attack aimed at + compromising authentication mechanisms. If confirmed malicious, attackers could + gain unauthorized access to sensitive systems and data, potentially leading to severe + security breaches. +search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) + as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) + as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as + annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) + as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) + as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) + as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, + dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories="Windows + Certificate Services" All_Risk.risk_object_type="system" by All_Risk.risk_object + All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where + source_count >= 5 | `steal_or_forge_authentication_certificates_behavior_identified_filter`' +how_to_implement: The Windows Certificate Services analytic story must have 5 or more + analytics enabled. In addition, ensure data is being logged that is required. Modify + the correlation as needed based on volume of noise related to the other analytics. +known_false_positives: False positives may be present based on automated tooling or + system administrators. Filter as needed. references: - https://research.splunk.com/stories/windows_certificate_services/ - https://attack.mitre.org/techniques/T1649/ @@ -50,6 +67,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/risk_certificate_services.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/risk_certificate_services.log source: certs sourcetype: stash diff --git a/detections/endpoint/sunburst_correlation_dll_and_network_event.yml b/detections/endpoint/sunburst_correlation_dll_and_network_event.yml index 26c97d169c..d52b748e83 100644 --- a/detections/endpoint/sunburst_correlation_dll_and_network_event.yml +++ b/detections/endpoint/sunburst_correlation_dll_and_network_event.yml @@ -20,7 +20,7 @@ search: '(`sysmon` EventCode=7 ImageLoaded=*SolarWinds.Orion.Core.BusinessLayer. AS dc_events | where dc_events=2 | stats min(_time) as firstTime max(_time) as lastTime values(ImageLoaded) AS ImageLoaded values(QueryName) AS QueryName by host | rename host as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` - | `sunburst_correlation_dll_and_network_event_filter` ' + | `sunburst_correlation_dll_and_network_event_filter`' how_to_implement: This detection relies on sysmon logs with the Event ID 7, Driver loaded. Please tune your sysmon config that you DriverLoad event for SolarWinds.Orion.Core.BusinessLayer.dll is captured by Sysmon. Additionally, you need sysmon logs for Event ID 22, DNS Query. diff --git a/detections/endpoint/suspicious_computer_account_name_change.yml b/detections/endpoint/suspicious_computer_account_name_change.yml index d04e89a1e5..84d32e4c57 100644 --- a/detections/endpoint/suspicious_computer_account_name_change.yml +++ b/detections/endpoint/suspicious_computer_account_name_change.yml @@ -1,23 +1,22 @@ name: Suspicious Computer Account Name Change id: 35a61ed8-61c4-11ec-bc1e-acde48001122 -version: 2 -date: '2024-04-26' +version: 3 +date: '2024-05-17' author: Mauricio Velazco, Splunk status: production type: TTP -description: As part of the sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller - Impersonation (CVE-2021-42287) exploitation chain, adversaries need to create a - new computer account name and rename it to match the name of a domain controller - account without the ending '$'. In Windows Active Directory environments, computer - account names always end with `$`. This analytic leverages Event Id 4781, `The name - of an account was changed`, to identify a computer account rename event with a suspicious - name that does not terminate with `$`. This behavior could represent an exploitation - attempt of CVE-2021-42278 and CVE-2021-42287 for privilege escalation. +description: The following analytic detects a suspicious computer account name change + in Active Directory. It leverages Event ID 4781, which logs account name changes, + to identify instances where a computer account name is changed to one that does + not end with a `$`. This behavior is significant as it may indicate an attempt to + exploit CVE-2021-42278 and CVE-2021-42287, which can lead to domain controller impersonation + and privilege escalation. If confirmed malicious, this activity could allow an attacker + to gain elevated privileges and potentially control the domain. data_source: - Windows Event Log Security 4781 search: '`wineventlog_security` EventCode=4781 OldTargetUserName="*$" NewTargetUserName!="*$" - | table _time, Computer, Caller_User_Name, OldTargetUserName, NewTargetUserName | rename Computer as dest | - `suspicious_computer_account_name_change_filter`' + | table _time, Computer, Caller_User_Name, OldTargetUserName, NewTargetUserName + | rename Computer as dest | `suspicious_computer_account_name_change_filter`' how_to_implement: To successfully implement this search, you need to be ingesting Windows event logs from your hosts. In addition, the Splunk Windows TA is needed. known_false_positives: Renaming a computer account name to a name that not end with @@ -66,7 +65,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/suspicious_computer_account_name_change/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/suspicious_computer_account_name_change/windows-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog update_timestamp: true diff --git a/detections/endpoint/suspicious_copy_on_system32.yml b/detections/endpoint/suspicious_copy_on_system32.yml index 5d3e835aa6..bb76235f6b 100644 --- a/detections/endpoint/suspicious_copy_on_system32.yml +++ b/detections/endpoint/suspicious_copy_on_system32.yml @@ -1,15 +1,18 @@ name: Suspicious Copy on System32 id: ce633e56-25b2-11ec-9e76-acde48001122 -version: 1 -date: '2023-08-17' +version: 2 +date: '2024-05-16' author: Teoderick Contreras, Splunk status: production type: TTP -description: This analytic is to detect a suspicious copy of file from systemroot - folder of the windows OS. This technique is commonly used by APT or other malware - as part of execution (LOLBIN) to run its malicious code using the available legitimate - tool in OS. this type of event may seen or may execute of normal user in some instance - but this is really a anomaly that needs to be check within the network. +description: The following analytic detects suspicious file copy operations from the + System32 or SysWow64 directories, often indicative of malicious activity. It leverages + data from Endpoint Detection and Response (EDR) agents, focusing on processes initiated + by command-line tools like cmd.exe or PowerShell. This behavior is significant as + it may indicate an attempt to execute malicious code using legitimate system tools + (LOLBIN). If confirmed malicious, this activity could allow an attacker to execute + arbitrary code, potentially leading to system compromise or further lateral movement + within the network. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -81,6 +84,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.003/copy_sysmon/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.003/copy_sysmon/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/suspicious_curl_network_connection.yml b/detections/endpoint/suspicious_curl_network_connection.yml index e290f57b00..f4a1e56f14 100644 --- a/detections/endpoint/suspicious_curl_network_connection.yml +++ b/detections/endpoint/suspicious_curl_network_connection.yml @@ -1,14 +1,18 @@ name: Suspicious Curl Network Connection id: 3f613dc0-21f2-4063-93b1-5d3c15eef22f -version: 1 -date: '2021-02-22' +version: 2 +date: '2024-05-29' author: Michael Haag, Splunk status: experimental type: TTP -description: The following analytic identifies the use of a curl contacting suspicious - remote domains to checkin to Command And Control servers or download further implants. - In the context of Silver Sparrow, curl is identified contacting s3.amazonaws.com. - This particular behavior is common with MacOS adware-malicious software. +description: The following analytic detects the use of the curl command contacting + suspicious remote domains, such as s3.amazonaws.com, which is indicative of Command + and Control (C2) activity or downloading further implants. This detection leverages + data from Endpoint Detection and Response (EDR) agents, focusing on process execution + logs and command-line arguments. This activity is significant as it may indicate + the presence of MacOS adware or other malicious software attempting to establish + persistence or exfiltrate data. If confirmed malicious, this could allow attackers + to maintain control over the compromised system and deploy additional payloads. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) diff --git a/detections/endpoint/suspicious_dllhost_no_command_line_arguments.yml b/detections/endpoint/suspicious_dllhost_no_command_line_arguments.yml index b7b30feef0..e3b117d33e 100644 --- a/detections/endpoint/suspicious_dllhost_no_command_line_arguments.yml +++ b/detections/endpoint/suspicious_dllhost_no_command_line_arguments.yml @@ -1,16 +1,18 @@ name: Suspicious DLLHost no Command Line Arguments id: ff61e98c-0337-4593-a78f-72a676c56f26 -version: 4 -date: '2023-07-10' +version: 5 +date: '2024-05-12' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies DLLHost.exe with no command line arguments. - It is unusual for DLLHost.exe to execute with no command line arguments present. - This particular behavior is common with malicious software, including Cobalt Strike. - During investigation, identify any network connections and parallel processes. Identify - any suspicious module loads related to credential dumping or file writes. DLLHost.exe - is natively found in C:\Windows\system32 and C:\Windows\syswow64. +description: The following analytic detects instances of DLLHost.exe executing without + command line arguments. This behavior is unusual and often associated with malicious + activities, such as those performed by Cobalt Strike. The detection leverages data + from Endpoint Detection and Response (EDR) agents, focusing on process execution + logs. This activity is significant because DLLHost.exe typically requires arguments + to function correctly, and its absence may indicate an attempt to evade detection. + If confirmed malicious, this could lead to unauthorized actions like credential + dumping or file manipulation, posing a severe threat to the environment. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes @@ -75,6 +77,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/suspicious_driver_loaded_path.yml b/detections/endpoint/suspicious_driver_loaded_path.yml index 62a51ed660..0b866e2df3 100644 --- a/detections/endpoint/suspicious_driver_loaded_path.yml +++ b/detections/endpoint/suspicious_driver_loaded_path.yml @@ -1,25 +1,25 @@ name: Suspicious Driver Loaded Path id: f880acd4-a8f1-11eb-a53b-acde48001122 -version: 1 -date: '2021-04-29' +version: 2 +date: '2024-05-16' author: Teoderick Contreras, Splunk status: production type: TTP -description: This analytic will detect suspicious driver loaded paths. This technique - is commonly used by malicious software like coin miners (xmrig) to register its - malicious driver from notable directories where executable or drivers do not commonly - exist. During triage, validate this driver is for legitimate business use. Review - the metadata and certificate information. Unsigned drivers from non-standard paths - is not normal, but occurs. In addition, review driver loads into `ntoskrnl.exe` - for possible other drivers of interest. Long tail analyze drivers by path (outside - of default, and in default) for further review. +description: The following analytic detects the loading of drivers from suspicious + paths, which is a technique often used by malicious software such as coin miners + (e.g., xmrig). It leverages Sysmon EventCode 6 to identify drivers loaded from non-standard + directories. This activity is significant because legitimate drivers typically reside + in specific system directories, and deviations may indicate malicious activity. + If confirmed malicious, this could allow an attacker to execute code at the kernel + level, potentially leading to privilege escalation, persistence, or further system + compromise. data_source: - Sysmon EventID 6 search: '`sysmon` EventCode=6 ImageLoaded = "*.sys" NOT (ImageLoaded IN("*\\WINDOWS\\inf","*\\WINDOWS\\System32\\drivers\\*", "*\\WINDOWS\\System32\\DriverStore\\FileRepository\\*")) | stats min(_time) as firstTime max(_time) as lastTime count by dest ImageLoaded Hashes IMPHASH Signature - Signed| rename ImageLoaded as file_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `suspicious_driver_loaded_path_filter`' + Signed| rename ImageLoaded as file_name | `security_content_ctime(firstTime)` | + `security_content_ctime(lastTime)` | `suspicious_driver_loaded_path_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the driver loaded and Signature from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. @@ -68,6 +68,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/suspicious_event_log_service_behavior.yml b/detections/endpoint/suspicious_event_log_service_behavior.yml index d45748592d..28ca08176e 100644 --- a/detections/endpoint/suspicious_event_log_service_behavior.yml +++ b/detections/endpoint/suspicious_event_log_service_behavior.yml @@ -1,21 +1,21 @@ name: Suspicious Event Log Service Behavior id: 2b85aa3d-f5f6-4c2e-a081-a09f6e1c2e40 -version: 2 -date: '2024-04-26' +version: 3 +date: '2024-05-14' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic utilizes Windows Event ID 1100 to identify when - Windows event log service is shutdown. Note that this is a voluminous analytic that - will require tuning or restricted to specific endpoints based on criticality. This - event generates every time Windows Event Log service has shut down. It also generates - during normal system shutdown. During triage, based on time of day and user, determine - if this was planned. If not planned, follow through with reviewing parallel alerts - and other data sources to determine what else may have occurred. +description: The following analytic detects the shutdown of the Windows Event Log + service using Windows Event ID 1100. This event is logged every time the service + stops, including during normal system shutdowns. Monitoring this activity is crucial + as it can indicate attempts to cover tracks or disable logging. If confirmed malicious, + an attacker could hide their activities, making it difficult to trace their actions + and investigate further incidents. Analysts should verify if the shutdown was planned + and review other alerts and data sources for additional suspicious behavior. data_source: - Windows Event Log Security 1100 -search: '(`wineventlog_security` EventCode=1100) | stats count min(_time) as firstTime max(_time) as lastTime by dest name EventCode - | `security_content_ctime(firstTime)` +search: '(`wineventlog_security` EventCode=1100) | stats count min(_time) as firstTime + max(_time) as lastTime by dest name EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `suspicious_event_log_service_behavior_filter`' how_to_implement: To successfully implement this search, you need to be ingesting Windows event logs from your hosts. In addition, the Splunk Windows TA is needed. @@ -56,6 +56,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.001/suspicious_event_log_service_behavior/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.001/suspicious_event_log_service_behavior/windows-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/suspicious_gpupdate_no_command_line_arguments.yml b/detections/endpoint/suspicious_gpupdate_no_command_line_arguments.yml index fc713c1e09..577c14d002 100644 --- a/detections/endpoint/suspicious_gpupdate_no_command_line_arguments.yml +++ b/detections/endpoint/suspicious_gpupdate_no_command_line_arguments.yml @@ -1,16 +1,18 @@ name: Suspicious GPUpdate no Command Line Arguments id: f308490a-473a-40ef-ae64-dd7a6eba284a -version: 3 -date: '2023-07-10' +version: 4 +date: '2024-05-11' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies gpupdate.exe with no command line arguments. - It is unusual for gpupdate.exe to execute with no command line arguments present. - This particular behavior is common with malicious software, including Cobalt Strike. - During investigation, identify any network connections and parallel processes. Identify - any suspicious module loads related to credential dumping or file writes. gpupdate.exe - is natively found in C:\Windows\system32 and C:\Windows\syswow64. +description: The following analytic detects the execution of gpupdate.exe without + any command line arguments. This behavior is identified using data from Endpoint + Detection and Response (EDR) agents, focusing on process execution logs. It is significant + because gpupdate.exe typically runs with specific arguments, and its execution without + them is often associated with malicious activities, such as those performed by Cobalt + Strike. If confirmed malicious, this activity could indicate an attempt to execute + unauthorized commands or scripts, potentially leading to further system compromise + or lateral movement within the network. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes @@ -75,6 +77,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/suspicious_icedid_rundll32_cmdline.yml b/detections/endpoint/suspicious_icedid_rundll32_cmdline.yml index b42a10a684..0623f65c76 100644 --- a/detections/endpoint/suspicious_icedid_rundll32_cmdline.yml +++ b/detections/endpoint/suspicious_icedid_rundll32_cmdline.yml @@ -1,13 +1,17 @@ name: Suspicious IcedID Rundll32 Cmdline id: bed761f8-ee29-11eb-8bf3-acde48001122 -version: 2 -date: '2021-07-26' +version: 3 +date: '2024-05-22' author: Teoderick Contreras, Splunk status: production type: TTP -description: This search is to detect a suspicious rundll32.exe commandline to execute - dll file. This technique was seen in IcedID malware to load its payload dll with - the following parameter to load encrypted dll payload which is the license.dat. +description: The following analytic detects a suspicious `rundll32.exe` command line + used to execute a DLL file, a technique associated with IcedID malware. It leverages + data from Endpoint Detection and Response (EDR) agents, focusing on command-line + executions containing the pattern `*/i:*`. This activity is significant as it indicates + potential malware attempting to load an encrypted DLL payload, often named `license.dat`. + If confirmed malicious, this could allow attackers to execute arbitrary code, leading + to further system compromise and potential data exfiltration. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -71,6 +75,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/inf_icedid/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/inf_icedid/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/suspicious_image_creation_in_appdata_folder.yml b/detections/endpoint/suspicious_image_creation_in_appdata_folder.yml index 759afebf28..efed22edca 100644 --- a/detections/endpoint/suspicious_image_creation_in_appdata_folder.yml +++ b/detections/endpoint/suspicious_image_creation_in_appdata_folder.yml @@ -1,16 +1,18 @@ name: Suspicious Image Creation In Appdata Folder id: f6f904c4-1ac0-11ec-806b-acde48001122 -version: 2 -date: '2022-07-07' +version: 3 +date: '2024-05-12' author: Teoderick Contreras, Splunk status: production type: TTP -description: This search is to detect a suspicious creation of image in appdata folder - made by process that also has a file reference in appdata folder. This technique - was seen in remcos rat that capture screenshot of the compromised machine and place - it in the appdata and will be send to its C2 server. This TTP is really a good indicator - to check that process because it is in suspicious folder path and image files are - not commonly created by user in this folder path. +description: The following analytic detects the creation of image files in the AppData + folder by processes that also have a file reference in the same folder. It leverages + data from the Endpoint.Processes and Endpoint.Filesystem datamodels to identify + this behavior. This activity is significant because it is commonly associated with + malware, such as the Remcos RAT, which captures screenshots and stores them in the + AppData folder before exfiltrating them to a command-and-control server. If confirmed + malicious, this activity could indicate unauthorized data capture and exfiltration, + compromising sensitive information and user privacy. data_source: - Sysmon EventID 1 - Sysmon EventID 11 @@ -69,6 +71,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos_agent/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos_agent/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/suspicious_kerberos_service_ticket_request.yml b/detections/endpoint/suspicious_kerberos_service_ticket_request.yml index 74b75829a8..e1a1d54d94 100644 --- a/detections/endpoint/suspicious_kerberos_service_ticket_request.yml +++ b/detections/endpoint/suspicious_kerberos_service_ticket_request.yml @@ -1,26 +1,24 @@ name: Suspicious Kerberos Service Ticket Request id: 8b1297bc-6204-11ec-b7c4-acde48001122 -version: 2 -date: '2024-04-26' +version: 3 +date: '2024-05-16' author: Mauricio Velazco, Splunk status: production type: TTP -description: As part of the sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller - Impersonation (CVE-2021-42287) exploitation chain, adversaries will request and - obtain a Kerberos Service Ticket (TGS) with a domain controller computer account - as the Service Name. This Service Ticket can be then used to take control of the - domain controller on the final part of the attack. This analytic leverages Event - Id 4769, `A Kerberos service ticket was requested`, to identify an unusual TGS request - where the Account_Name requesting the ticket matches the Service_Name field. This - behavior could represent an exploitation attempt of CVE-2021-42278 and CVE-2021-42287 - for privilege escalation. +description: The following analytic detects suspicious Kerberos Service Ticket (TGS) + requests where the requesting account name matches the service name, potentially + indicating an exploitation attempt of CVE-2021-42278 and CVE-2021-42287. This detection + leverages Event ID 4769 from Domain Controller and Kerberos events. Such activity + is significant as it may represent an adversary attempting to escalate privileges + by impersonating a domain controller. If confirmed malicious, this could allow an + attacker to take control of the domain controller, leading to complete domain compromise + and unauthorized access to sensitive information. data_source: - Windows Event Log Security 4769 -search: ' `wineventlog_security` EventCode=4769 - | eval isSuspicious = if(lower(ServiceName) = lower(mvindex(split(TargetUserName,"@"),0)),1,0) - | where isSuspicious = 1 | rename Computer as dest| rename TargetUserName as user - | table _time, dest, src_ip, user, ServiceName, Error_Code, isSuspicious - | `suspicious_kerberos_service_ticket_request_filter`' +search: ' `wineventlog_security` EventCode=4769 | eval isSuspicious = if(lower(ServiceName) + = lower(mvindex(split(TargetUserName,"@"),0)),1,0) | where isSuspicious = 1 | rename + Computer as dest| rename TargetUserName as user | table _time, dest, src_ip, user, + ServiceName, Error_Code, isSuspicious | `suspicious_kerberos_service_ticket_request_filter`' how_to_implement: To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. @@ -68,6 +66,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.001/suspicious_kerberos_service_ticket_request/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.001/suspicious_kerberos_service_ticket_request/windows-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/suspicious_linux_discovery_commands.yml b/detections/endpoint/suspicious_linux_discovery_commands.yml index f3bd714ed1..b1d9d22a6d 100644 --- a/detections/endpoint/suspicious_linux_discovery_commands.yml +++ b/detections/endpoint/suspicious_linux_discovery_commands.yml @@ -1,17 +1,18 @@ name: Suspicious Linux Discovery Commands id: 0edd5112-56c9-11ec-b990-acde48001122 -version: 1 -date: '2021-12-06' +version: 2 +date: '2024-05-11' author: Bhavin Patel, Splunk status: production type: TTP -description: 'This search, detects execution of suspicious bash commands from various - commonly leveraged bash scripts like (AutoSUID, LinEnum, LinPeas) to perform discovery - of possible paths of privilege execution, password files, vulnerable directories, - executables and file permissions on a Linux host. - - The search logic specifically looks for high number of distinct commands run in - a short period of time.' +description: 'The following analytic detects the execution of suspicious bash commands + commonly used in scripts like AutoSUID, LinEnum, and LinPeas for system discovery + on a Linux host. It leverages Endpoint Detection and Response (EDR) data, specifically + looking for a high number of distinct commands executed within a short time frame. + This activity is significant as it often precedes privilege escalation or other + malicious actions. If confirmed malicious, an attacker could gain detailed system + information, identify vulnerabilities, and potentially escalate privileges, posing + a severe threat to the environment.' data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count values(Processes.process) @@ -68,6 +69,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.004/linux_discovery_tools/sysmon_linux.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.004/linux_discovery_tools/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/detections/endpoint/suspicious_microsoft_workflow_compiler_rename.yml b/detections/endpoint/suspicious_microsoft_workflow_compiler_rename.yml index 8ae1e54f4c..48390203df 100644 --- a/detections/endpoint/suspicious_microsoft_workflow_compiler_rename.yml +++ b/detections/endpoint/suspicious_microsoft_workflow_compiler_rename.yml @@ -1,16 +1,17 @@ name: Suspicious microsoft workflow compiler rename id: f0db4464-55d9-11eb-ae93-0242ac130002 -version: 5 -date: '2023-11-07' +version: 6 +date: '2024-05-13' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic identifies a renamed instance of microsoft.workflow.compiler.exe. - Microsoft.workflow.compiler.exe is natively found in C:\Windows\Microsoft.NET\Framework64\v4.0.30319 - and is rarely utilized. When investigating, identify the executed code on disk and - review. A spawned child process from microsoft.workflow.compiler.exe is uncommon. - In any instance, microsoft.workflow.compiler.exe spawning from an Office product - or any living off the land binary is highly suspect. +description: The following analytic detects the renaming of microsoft.workflow.compiler.exe, + a rarely used executable typically located in C:\Windows\Microsoft.NET\Framework64\v4.0.30319. + This detection leverages Endpoint Detection and Response (EDR) data, focusing on + process names and original file names. This activity is significant because renaming + this executable can indicate an attempt to evade security controls. If confirmed + malicious, an attacker could use this renamed executable to execute arbitrary code, + potentially leading to privilege escalation or persistent access within the environment. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -82,6 +83,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/suspicious_msbuild_path.yml b/detections/endpoint/suspicious_msbuild_path.yml index cf48600521..8ce76cd24a 100644 --- a/detections/endpoint/suspicious_msbuild_path.yml +++ b/detections/endpoint/suspicious_msbuild_path.yml @@ -1,15 +1,17 @@ name: Suspicious msbuild path id: f5198224-551c-11eb-ae93-0242ac130002 -version: 3 -date: '2023-07-10' +version: 4 +date: '2024-05-11' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies msbuild.exe executing from a non-standard - path. Msbuild.exe is natively found in C:\Windows\Microsoft.NET\Framework\v4.0.30319 - and C:\Windows\Microsoft.NET\Framework64\v4.0.30319. Instances of Visual Studio - will run a copy of msbuild.exe. A moved instance of MSBuild is suspicious, however - there are instances of build applications that will move or use a copy of MSBuild. +description: The following analytic detects the execution of msbuild.exe from a non-standard + path. It leverages data from Endpoint Detection and Response (EDR) agents, focusing + on process execution logs that deviate from typical msbuild.exe locations. This + activity is significant because msbuild.exe is commonly abused by attackers to execute + malicious code, and running it from an unusual path can indicate an attempt to evade + detection. If confirmed malicious, this behavior could allow an attacker to execute + arbitrary code, potentially leading to system compromise and further malicious activities. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count values(Processes.process_name) @@ -82,7 +84,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127.001/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127.001/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/suspicious_msbuild_spawn.yml b/detections/endpoint/suspicious_msbuild_spawn.yml index 738730004d..2effe22e78 100644 --- a/detections/endpoint/suspicious_msbuild_spawn.yml +++ b/detections/endpoint/suspicious_msbuild_spawn.yml @@ -1,17 +1,18 @@ name: Suspicious MSBuild Spawn id: a115fba6-5514-11eb-ae93-0242ac130002 -version: 2 -date: '2021-01-12' +version: 3 +date: '2024-05-30' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies wmiprvse.exe spawning msbuild.exe. - This behavior is indicative of a COM object being utilized to spawn msbuild from - wmiprvse.exe. It is common for MSBuild.exe to be spawned from devenv.exe while using - Visual Studio. In this instance, there will be command line arguments and file paths. - In a malicious instance, MSBuild.exe will spawn from non-standard processes and - have no command line arguments. For example, MSBuild.exe spawning from explorer.exe, - powershell.exe is far less common and should be investigated. +description: The following analytic identifies instances where wmiprvse.exe spawns + msbuild.exe, which is unusual and indicative of potential misuse of a COM object. + This detection leverages data from Endpoint Detection and Response (EDR) agents, + focusing on process relationships and command-line executions. This activity is + significant because msbuild.exe is typically spawned by devenv.exe during legitimate + Visual Studio use, not by wmiprvse.exe. If confirmed malicious, this behavior could + indicate an attacker executing arbitrary code or scripts, potentially leading to + system compromise or further malicious activities. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count values(Processes.process_name) @@ -76,7 +77,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127.001/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127.001/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/suspicious_mshta_child_process.yml b/detections/endpoint/suspicious_mshta_child_process.yml index 96fd1ea214..8590a0251f 100644 --- a/detections/endpoint/suspicious_mshta_child_process.yml +++ b/detections/endpoint/suspicious_mshta_child_process.yml @@ -1,14 +1,18 @@ name: Suspicious mshta child process id: 60023bb6-5500-11eb-ae93-0242ac130002 -version: 2 -date: '2024-01-01' +version: 3 +date: '2024-05-24' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies child processes spawning from "mshta.exe". - The search will return the first time and last time these command-line arguments - were used for these executions, as well as the target system, the user, parent process - "mshta.exe" and its child process. +description: The following analytic identifies child processes spawned from "mshta.exe". + It leverages data from Endpoint Detection and Response (EDR) agents, focusing on + specific child processes like "powershell.exe" and "cmd.exe". This activity is significant + because "mshta.exe" is often exploited by attackers to execute malicious scripts + or commands. If confirmed malicious, this behavior could allow an attacker to execute + arbitrary code, escalate privileges, or maintain persistence within the environment. + Monitoring this activity helps in early detection of potential threats leveraging + "mshta.exe" for malicious purposes. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count values(Processes.process_name) @@ -76,7 +80,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/suspicious_plistbuddy_usage.yml b/detections/endpoint/suspicious_plistbuddy_usage.yml index f918a9be77..336f2ba446 100644 --- a/detections/endpoint/suspicious_plistbuddy_usage.yml +++ b/detections/endpoint/suspicious_plistbuddy_usage.yml @@ -1,28 +1,18 @@ name: Suspicious PlistBuddy Usage id: c3194009-e0eb-4f84-87a9-4070f8688f00 -version: 1 -date: '2021-02-22' +version: 2 +date: '2024-05-16' author: Michael Haag, Splunk status: experimental type: TTP -description: 'The following analytic identifies the use of a native MacOS utility, - PlistBuddy, creating or modifying a properly list (.plist) file. In the instance - of Silver Sparrow, the following commands were executed: - - * PlistBuddy -c "Add :Label string init_verx" ~/Library/Launchagents/init_verx.plist - - * PlistBuddy -c "Add :RunAtLoad bool true" ~/Library/Launchagents/init_verx.plist - - * PlistBuddy -c "Add :StartInterval integer 3600" ~/Library/Launchagents/init_verx.plist - - * PlistBuddy -c "Add :ProgramArguments array" ~/Library/Launchagents/init_verx.plist - - * PlistBuddy -c "Add :ProgramArguments:0 string /bin/sh" ~/Library/Launchagents/init_verx.plist - - * PlistBuddy -c "Add :ProgramArguments:1 string -c" ~/Library/Launchagents/init_verx.plist - - Upon triage, capture the property list file being written to disk and review for - further indicators. Contain the endpoint and triage further.' +description: 'The following analytic identifies the use of the native macOS utility, + PlistBuddy, to create or modify property list (.plist) files. This detection leverages + data from Endpoint Detection and Response (EDR) agents, focusing on process names + and command-line executions involving PlistBuddy. This activity is significant because + PlistBuddy can be used to establish persistence by modifying LaunchAgents, as seen + in the Silver Sparrow malware. If confirmed malicious, this could allow an attacker + to maintain persistence, execute arbitrary commands, and potentially escalate privileges + on the compromised macOS system.' data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) diff --git a/detections/endpoint/suspicious_plistbuddy_usage_via_osquery.yml b/detections/endpoint/suspicious_plistbuddy_usage_via_osquery.yml index cb9f22d400..abeb9ae75c 100644 --- a/detections/endpoint/suspicious_plistbuddy_usage_via_osquery.yml +++ b/detections/endpoint/suspicious_plistbuddy_usage_via_osquery.yml @@ -1,28 +1,18 @@ name: Suspicious PlistBuddy Usage via OSquery id: 20ba6c32-c733-4a32-b64e-2688cf231399 -version: 1 -date: '2021-02-22' +version: 2 +date: '2024-05-22' author: Michael Haag, Splunk status: experimental type: TTP -description: 'The following analytic identifies the use of a native MacOS utility, - PlistBuddy, creating or modifying a properly list (.plist) file. In the instance - of Silver Sparrow, the following commands were executed: - - * PlistBuddy -c "Add :Label string init_verx" ~/Library/Launchagents/init_verx.plist - - * PlistBuddy -c "Add :RunAtLoad bool true" ~/Library/Launchagents/init_verx.plist - - * PlistBuddy -c "Add :StartInterval integer 3600" ~/Library/Launchagents/init_verx.plist - - * PlistBuddy -c "Add :ProgramArguments array" ~/Library/Launchagents/init_verx.plist - - * PlistBuddy -c "Add :ProgramArguments:0 string /bin/sh" ~/Library/Launchagents/init_verx.plist - - * PlistBuddy -c "Add :ProgramArguments:1 string -c" ~/Library/Launchagents/init_verx.plist - - Upon triage, capture the property list file being written to disk and review for - further indicators. Contain the endpoint and triage further.' +description: 'The following analytic detects the use of the PlistBuddy utility on + macOS to create or modify property list (.plist) files. It leverages OSQuery to + monitor process events, specifically looking for commands that interact with LaunchAgents + and set properties like RunAtLoad. This activity is significant because PlistBuddy + can be used to establish persistence mechanisms, as seen in malware like Silver + Sparrow. If confirmed malicious, this could allow an attacker to maintain persistence, + execute arbitrary commands, and potentially escalate privileges on the compromised + system.' data_source: [] search: '`osquery_process` "columns.cmdline"="*LaunchAgents*" OR "columns.cmdline"="*RunAtLoad*" OR "columns.cmdline"="*true*" | `suspicious_plistbuddy_usage_via_osquery_filter`' diff --git a/detections/endpoint/suspicious_process_dns_query_known_abuse_web_services.yml b/detections/endpoint/suspicious_process_dns_query_known_abuse_web_services.yml index 5d11c5ab85..a743b438b9 100644 --- a/detections/endpoint/suspicious_process_dns_query_known_abuse_web_services.yml +++ b/detections/endpoint/suspicious_process_dns_query_known_abuse_web_services.yml @@ -1,25 +1,25 @@ name: Suspicious Process DNS Query Known Abuse Web Services id: 3cf0dc36-484d-11ec-a6bc-acde48001122 -version: 2 -date: '2023-04-14' +version: 3 +date: '2024-05-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects a suspicious process making a DNS query via known, - abused text-paste web services, VoIP, instant messaging, and digital distribution - platforms used to download external files. This technique is abused by adversaries, - malware actors, and red teams to download a malicious file on the target host. This - is a good TTP indicator for possible initial access techniques. A user will experience - false positives if the following instant messaging is allowed or common applications - like telegram or discord are allowed in the corporate network. +description: The following analytic detects a suspicious process making DNS queries + to known, abused text-paste web services, VoIP, instant messaging, and digital distribution + platforms. It leverages Sysmon Event ID 22 logs to identify queries from processes + like cmd.exe, powershell.exe, and others. This activity is significant as it may + indicate an attempt to download malicious files, a common initial access technique. + If confirmed malicious, this could lead to unauthorized code execution, data exfiltration, + or further compromise of the target host. data_source: - Sysmon EventID 22 -search: '`sysmon` EventCode=22 QueryName IN ("*pastebin*", "*discord*", "*api.telegram*","*t.me*") - process_name IN ("cmd.exe", "*powershell*", "pwsh.exe", "wscript.exe","cscript.exe") OR Image IN ("*\\users\\public\\*", "*\\programdata\\*", "*\\temp\\*", "*\\Windows\\Tasks\\*", "*\\appdata\\*", "*\\perflogs\\*") - | stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName QueryStatus process_name QueryResults Computer - | rename Computer as dest - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +search: '`sysmon` EventCode=22 QueryName IN ("*pastebin*", "*discord*", "*api.telegram*","*t.me*") + process_name IN ("cmd.exe", "*powershell*", "pwsh.exe", "wscript.exe","cscript.exe") + OR Image IN ("*\\users\\public\\*", "*\\programdata\\*", "*\\temp\\*", "*\\Windows\\Tasks\\*", + "*\\appdata\\*", "*\\perflogs\\*") | stats count min(_time) as firstTime max(_time) + as lastTime by Image QueryName QueryStatus process_name QueryResults Computer | + rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_process_dns_query_known_abuse_web_services_filter`' how_to_implement: This detection relies on sysmon logs with the Event ID 22, DNS Query. We suggest you run this detection at least once a day over the last 14 days. @@ -69,6 +69,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos_pastebin_download/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos_pastebin_download/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/suspicious_process_executed_from_container_file.yml b/detections/endpoint/suspicious_process_executed_from_container_file.yml index 1ae1800a59..61a49ede77 100644 --- a/detections/endpoint/suspicious_process_executed_from_container_file.yml +++ b/detections/endpoint/suspicious_process_executed_from_container_file.yml @@ -1,15 +1,17 @@ name: Suspicious Process Executed From Container File id: d8120352-3b62-411c-8cb6-7b47584dd5e8 -version: 1 -date: '2023-06-13' +version: 2 +date: '2024-05-09' author: Steven Dick status: production type: TTP -description: This analytic identifies a suspicious process spawned by another process - from within common container/archive file types. This technique was a common technique - used by adversaries and malware to execute scripts or evade defenses. This TTP may - detect some normal software installation or user behaviors where opening archive - files is common. +description: The following analytic identifies a suspicious process executed from + within common container/archive file types such as ZIP, ISO, IMG, and others. It + leverages data from Endpoint Detection and Response (EDR) agents, focusing on process + names and command-line executions. This activity is significant as it is a common + technique used by adversaries to execute scripts or evade defenses. If confirmed + malicious, this behavior could allow attackers to execute arbitrary code, escalate + privileges, or persist within the environment, posing a significant security risk. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count values(Processes.process_name) @@ -74,6 +76,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/gootloader/partial_ttps/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/gootloader/partial_ttps/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/suspicious_process_file_path.yml b/detections/endpoint/suspicious_process_file_path.yml index 8dbc5bdeed..838a902c60 100644 --- a/detections/endpoint/suspicious_process_file_path.yml +++ b/detections/endpoint/suspicious_process_file_path.yml @@ -1,18 +1,18 @@ name: Suspicious Process File Path id: 9be25988-ad82-11eb-a14f-acde48001122 -version: 1 -date: '2023-12-27' +version: 2 +date: '2024-05-12' author: Teoderick Contreras, Splunk status: production type: TTP -description: This analytic identifies a suspicious processes running in file paths - that are not typically associated with legitimate software. Adversaries often employ - this technique to drop and execute malicious executables in accessible locations - that do not require administrative privileges. By monitoring for processes running - in such unconventional file paths, we can identify potential indicators of compromise - and proactively respond to malicious activity. This analytic plays a crucial role - in enhancing system security by pinpointing suspicious behaviors commonly associated - with malware and unauthorized software execution. +description: The following analytic identifies processes running from file paths not + typically associated with legitimate software. It leverages data from Endpoint Detection + and Response (EDR) agents, focusing on specific process paths within the Endpoint + data model. This activity is significant because adversaries often use unconventional + file paths to execute malicious code without requiring administrative privileges. + If confirmed malicious, this behavior could indicate an attempt to bypass security + controls, leading to unauthorized software execution, potential system compromise, + and further malicious activities within the environment. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count values(Processes.process_name) @@ -110,6 +110,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/suspicious_process_with_discord_dns_query.yml b/detections/endpoint/suspicious_process_with_discord_dns_query.yml index bebfbca672..a307238a63 100644 --- a/detections/endpoint/suspicious_process_with_discord_dns_query.yml +++ b/detections/endpoint/suspicious_process_with_discord_dns_query.yml @@ -1,22 +1,24 @@ name: Suspicious Process With Discord DNS Query id: 4d4332ae-792c-11ec-89c1-acde48001122 -version: 2 -date: '2023-04-14' +version: 3 +date: '2024-05-16' author: Teoderick Contreras, Mauricio Velazco, Splunk status: production type: Anomaly -description: This analytic identifies a process making a DNS query to Discord, a well - known instant messaging and digital distribution platform. Discord can be abused - by adversaries, as seen in the WhisperGate campaign, to host and download malicious. - external files. A process resolving a Discord DNS name could be an indicator of - malware trying to download files from Discord for further execution. +description: The following analytic identifies a process making a DNS query to Discord, + excluding legitimate Discord application paths. It leverages Sysmon logs with Event + ID 22 to detect DNS queries containing "discord" in the QueryName field. This activity + is significant because Discord can be abused by adversaries to host and download + malicious files, as seen in the WhisperGate campaign. If confirmed malicious, this + could indicate malware attempting to download additional payloads from Discord, + potentially leading to further code execution and compromise of the affected system. data_source: - Sysmon EventID 22 search: '`sysmon` EventCode=22 QueryName IN ("*discord*") Image != "*\\AppData\\Local\\Discord\\*" AND Image != "*\\Program Files*" AND Image != "discord.exe" | stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName QueryStatus process_name - QueryResults Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `suspicious_process_with_discord_dns_query_filter`' + QueryResults Computer | rename Computer as dest | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `suspicious_process_with_discord_dns_query_filter`' how_to_implement: his detection relies on sysmon logs with the Event ID 22, DNS Query. known_false_positives: Noise and false positive can be seen if the following instant messaging is allowed to use within corporate network. In this case, a filter is @@ -62,6 +64,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.005/discord_dnsquery/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.005/discord_dnsquery/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/suspicious_reg_exe_process.yml b/detections/endpoint/suspicious_reg_exe_process.yml index a71c958027..5f33d5b64c 100644 --- a/detections/endpoint/suspicious_reg_exe_process.yml +++ b/detections/endpoint/suspicious_reg_exe_process.yml @@ -25,7 +25,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime where Processes.parent_process_name=cmd.exe Processes.process_name= reg.exe by Processes.parent_process_id Processes.dest Processes.process_name | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename parent_process_id as process_id |dedup - process_id| table process_id dest] | `suspicious_reg_exe_process_filter` ' + process_id| table process_id dest] | `suspicious_reg_exe_process_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, diff --git a/detections/endpoint/suspicious_regsvr32_register_suspicious_path.yml b/detections/endpoint/suspicious_regsvr32_register_suspicious_path.yml index 93d52eec1b..76158d6124 100644 --- a/detections/endpoint/suspicious_regsvr32_register_suspicious_path.yml +++ b/detections/endpoint/suspicious_regsvr32_register_suspicious_path.yml @@ -1,23 +1,27 @@ name: Suspicious Regsvr32 Register Suspicious Path id: 62732736-6250-11eb-ae93-0242ac130002 -version: 3 -date: '2023-03-02' +version: 4 +date: '2024-05-29' author: Michael Haag, Splunk status: production type: TTP -description: Adversaries may abuse Regsvr32.exe to proxy execution of malicious code - by using non-standard file extensions to load DLLs. Upon investigating, look for - network connections to remote destinations (internal or external). Review additional - parrallel processes and child processes for additional activity. +description: The following analytic detects the use of Regsvr32.exe to register DLLs + from suspicious paths such as AppData, ProgramData, or Windows Temp directories. + It leverages data from Endpoint Detection and Response (EDR) agents, focusing on + process execution logs and command-line arguments. This activity is significant + because Regsvr32.exe can be abused to proxy execution of malicious code, bypassing + traditional security controls. If confirmed malicious, this could allow an attacker + to execute arbitrary code, potentially leading to system compromise, data exfiltration, + or further lateral movement within the network. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_regsvr32` Processes.process IN ("*\\appdata\\*", "*\\programdata\\*","*\\windows\\temp\\*") NOT (Processes.process - IN ("*.dll*", "*.ax*", "*.ocx*")) by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process - Processes.process_name Processes.process Processes.original_file_name Processes.process_id - Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| - `security_content_ctime(lastTime)` | `suspicious_regsvr32_register_suspicious_path_filter`' + IN ("*.dll*", "*.ax*", "*.ocx*")) by Processes.dest Processes.user Processes.parent_process_name + Processes.parent_process Processes.process_name Processes.process Processes.original_file_name + Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_regsvr32_register_suspicious_path_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -89,6 +93,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.010/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.010/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/suspicious_rundll32_dllregisterserver.yml b/detections/endpoint/suspicious_rundll32_dllregisterserver.yml index 99638fd769..c5697dbc90 100644 --- a/detections/endpoint/suspicious_rundll32_dllregisterserver.yml +++ b/detections/endpoint/suspicious_rundll32_dllregisterserver.yml @@ -1,25 +1,25 @@ name: Suspicious Rundll32 dllregisterserver id: 8c00a385-9b86-4ac0-8932-c9ec3713b159 -version: 2 -date: '2021-02-09' +version: 3 +date: '2024-05-20' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies rundll32.exe using dllregisterserver - on the command line to load a DLL. When a DLL is registered, the DllRegisterServer - method entry point in the DLL is invoked. This is typically seen when a DLL is being - registered on the system. Not every instance is considered malicious, but it will - capture malicious use of it. During investigation, review the parent process and - parrellel processes executing. Capture the DLL being loaded and inspect further. - Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. +description: The following analytic detects the execution of rundll32.exe with the + DllRegisterServer command to load a DLL. It leverages data from Endpoint Detection + and Response (EDR) agents, focusing on command-line executions and process details. + This activity is significant as it may indicate an attempt to register a malicious + DLL, which can be a method for code execution or persistence. If confirmed malicious, + an attacker could gain unauthorized code execution, escalate privileges, or maintain + persistence within the environment, posing a severe security risk. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*dllregisterserver* - by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.original_file_name - Processes.process_name Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `suspicious_rundll32_dllregisterserver_filter`' + by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process + Processes.original_file_name Processes.process_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `suspicious_rundll32_dllregisterserver_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -92,6 +92,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/suspicious_rundll32_no_command_line_arguments.yml b/detections/endpoint/suspicious_rundll32_no_command_line_arguments.yml index 969e0ab100..c765ae417e 100644 --- a/detections/endpoint/suspicious_rundll32_no_command_line_arguments.yml +++ b/detections/endpoint/suspicious_rundll32_no_command_line_arguments.yml @@ -1,16 +1,18 @@ name: Suspicious Rundll32 no Command Line Arguments id: e451bd16-e4c5-4109-8eb1-c4c6ecf048b4 -version: 3 -date: '2023-07-10' +version: 4 +date: '2024-05-27' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies rundll32.exe with no command line arguments. - It is unusual for rundll32.exe to execute with no command line arguments present. - This particular behavior is common with malicious software, including Cobalt Strike. - During investigation, identify any network connections and parallel processes. Identify - any suspicious module loads related to credential dumping or file writes. Rundll32.exe - is natively found in C:\Windows\system32 and C:\Windows\syswow64. +description: The following analytic detects the execution of rundll32.exe without + any command line arguments. This behavior is identified using Endpoint Detection + and Response (EDR) telemetry, focusing on process execution logs. It is significant + because rundll32.exe typically requires command line arguments to function properly, + and its absence is often associated with malicious activities, such as those performed + by Cobalt Strike. If confirmed malicious, this activity could indicate an attempt + to execute arbitrary code, potentially leading to credential dumping, unauthorized + file writes, or other malicious actions. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes @@ -82,6 +84,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/suspicious_rundll32_startw.yml b/detections/endpoint/suspicious_rundll32_startw.yml index 0aa084d7ab..f8b24376d3 100644 --- a/detections/endpoint/suspicious_rundll32_startw.yml +++ b/detections/endpoint/suspicious_rundll32_startw.yml @@ -1,19 +1,18 @@ name: Suspicious Rundll32 StartW id: 9319dda5-73f2-4d43-a85a-67ce961bddb7 -version: 3 -date: '2023-07-10' +version: 4 +date: '2024-05-30' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies rundll32.exe executing a DLL function - name, Start and StartW, on the command line that is commonly observed with Cobalt - Strike x86 and x64 DLL payloads. Rundll32.exe is natively found in C:\Windows\system32 - and C:\Windows\syswow64. Typically, the DLL will be written and loaded from a world - writeable path or user location. In most instances it will not have a valid certificate - (Unsigned). During investigation, review the parent process and other parallel application - execution. Capture and triage the DLL in question. In the instance of Cobalt Strike, - rundll32.exe is the default process it opens and injects shellcode into. This default - process can be changed, but typically is not. +description: The following analytic identifies the execution of rundll32.exe with + the DLL function names "Start" and "StartW," commonly associated with Cobalt Strike + payloads. This detection leverages data from Endpoint Detection and Response (EDR) + agents, focusing on command-line executions and process metadata. This activity + is significant as it often indicates the presence of malicious payloads, such as + Cobalt Strike, which can lead to unauthorized code execution. If confirmed malicious, + this activity could allow attackers to inject shellcode, escalate privileges, and + maintain persistence within the environment. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -84,6 +83,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml b/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml index 2e40561e9c..230691fe2e 100644 --- a/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml +++ b/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml @@ -1,21 +1,18 @@ name: Suspicious Scheduled Task from Public Directory id: 7feb7972-7ac3-11eb-bac8-acde48001122 -version: 1 -date: '2023-12-27' +version: 2 +date: '2024-05-20' author: Michael Haag, Splunk status: production type: Anomaly -description: 'The following analytic, "Suspicious Scheduled Task from Public Directory", - detects the registration of scheduled tasks aimed to execute a binary or script - from public directories, a behavior often associated with malware deployment. It - utilizes the Sysmon EventID 1 data source, searching for instances where schtasks.exe - is connected with the directories users\public, \programdata\, or \windows\temp - and involves the /create command. - - The registration of such scheduled tasks in public directories could suggest that - an attacker is trying to maintain persistence or execute malicious scripts. If confirmed - as a true positive, this could lead to data compromise, unauthorized access, and - potential lateral movement within the network.' +description: 'The following analytic identifies the creation of scheduled tasks that + execute binaries or scripts from public directories, such as users\public, \programdata\, + or \windows\temp, using schtasks.exe with the /create command. It leverages Sysmon + Event ID 1 data to detect this behavior. This activity is significant because it + often indicates an attempt to maintain persistence or execute malicious scripts, + which are common tactics in malware deployment. If confirmed as malicious, this + could lead to data compromise, unauthorized access, and potential lateral movement + within the network.' data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -85,6 +82,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/schtasks/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/schtasks/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/suspicious_searchprotocolhost_no_command_line_arguments.yml b/detections/endpoint/suspicious_searchprotocolhost_no_command_line_arguments.yml index 13a25f07bc..bbd7412255 100644 --- a/detections/endpoint/suspicious_searchprotocolhost_no_command_line_arguments.yml +++ b/detections/endpoint/suspicious_searchprotocolhost_no_command_line_arguments.yml @@ -1,24 +1,26 @@ name: Suspicious SearchProtocolHost no Command Line Arguments id: f52d2db8-31f9-4aa7-a176-25779effe55c -version: 3 -date: '2023-07-10' +version: 4 +date: '2024-05-25' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies searchprotocolhost.exe with no command - line arguments. It is unusual for searchprotocolhost.exe to execute with no command - line arguments present. This particular behavior is common with malicious software, - including Cobalt Strike. During investigation, identify any network connections - and parallel processes. Identify any suspicious module loads related to credential - dumping or file writes. searchprotocolhost.exe is natively found in C:\Windows\system32 - and C:\Windows\syswow64. +description: The following analytic detects instances of searchprotocolhost.exe running + without command line arguments. This behavior is unusual and often associated with + malicious activities, such as those performed by Cobalt Strike. The detection leverages + Endpoint Detection and Response (EDR) telemetry, focusing on process execution data. + This activity is significant because searchprotocolhost.exe typically runs with + specific arguments, and its absence may indicate an attempt to evade detection. + If confirmed malicious, this could lead to unauthorized code execution, potential + credential dumping, or other malicious actions within the environment. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=searchprotocolhost.exe by _time span=1h Processes.process_id - Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | regex process="(?i)(searchprotocolhost\.exe.{0,4}$)" | `suspicious_searchprotocolhost_no_command_line_arguments_filter`' + Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process + Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | regex process="(?i)(searchprotocolhost\.exe.{0,4}$)" + | `suspicious_searchprotocolhost_no_command_line_arguments_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -75,6 +77,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/suspicious_sqlite3_lsquarantine_behavior.yml b/detections/endpoint/suspicious_sqlite3_lsquarantine_behavior.yml index 4c87d4a1cf..97e8ce4886 100644 --- a/detections/endpoint/suspicious_sqlite3_lsquarantine_behavior.yml +++ b/detections/endpoint/suspicious_sqlite3_lsquarantine_behavior.yml @@ -1,14 +1,18 @@ name: Suspicious SQLite3 LSQuarantine Behavior id: e1997b2e-655f-4561-82fd-aeba8e1c1a86 -version: 1 -date: '2021-02-22' +version: 2 +date: '2024-05-28' author: Michael Haag, Splunk status: experimental type: TTP -description: The following analytic identifies the use of a SQLite3 querying the MacOS - preferences to identify the original URL the pkg was downloaded from. This particular - behavior is common with MacOS adware-malicious software. Upon triage, review other - processes in parallel for suspicious activity. Identify any recent package installations. +description: The following analytic identifies the use of SQLite3 querying the MacOS + preferences to determine the original URL from which a package was downloaded. This + detection leverages data from Endpoint Detection and Response (EDR) agents, focusing + on process names and command-line executions involving LSQuarantine. This activity + is significant as it is commonly associated with MacOS adware and other malicious + software. If confirmed malicious, this behavior could indicate an attempt to track + or manipulate downloaded packages, potentially leading to further system compromise + or persistent adware infections. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) diff --git a/detections/endpoint/suspicious_ticket_granting_ticket_request.yml b/detections/endpoint/suspicious_ticket_granting_ticket_request.yml index d600e452e6..db115afd9d 100644 --- a/detections/endpoint/suspicious_ticket_granting_ticket_request.yml +++ b/detections/endpoint/suspicious_ticket_granting_ticket_request.yml @@ -1,24 +1,24 @@ name: Suspicious Ticket Granting Ticket Request id: d77d349e-6269-11ec-9cfe-acde48001122 -version: 2 -date: '2024-04-26' +version: 3 +date: '2024-05-25' author: Mauricio Velazco, Splunk status: production type: Hunting -description: As part of the sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller - Impersonation (CVE-2021-42287) exploitation chain, adversaries will need to request - a Kerberos Ticket Granting Ticket (TGT) on behalf of the newly created and renamed - computer account. The TGT request will be preceded by a computer account name event. - This analytic leverages Event Id 4781, `The name of an account was changed` and - event Id 4768 `A Kerberos authentication ticket (TGT) was requested` to correlate - a sequence of events where the new computer account on event id 4781 matches the - request account on event id 4768. This behavior could represent an exploitation - attempt of CVE-2021-42278 and CVE-2021-42287 for privilege escalation. +description: The following analytic detects suspicious Kerberos Ticket Granting Ticket + (TGT) requests that may indicate exploitation of CVE-2021-42278 and CVE-2021-42287. + It leverages Event ID 4781 (account name change) and Event ID 4768 (TGT request) + to identify sequences where a newly renamed computer account requests a TGT. This + behavior is significant as it could represent an attempt to escalate privileges + by impersonating a Domain Controller. If confirmed malicious, this activity could + allow attackers to gain elevated access and potentially control over the domain + environment. data_source: - Windows Event Log Security 4768 - Windows Event Log Security 4781 search: ' `wineventlog_security` (EventCode=4781 OldTargetUserName="*$" NewTargetUserName!="*$") - OR (EventCode=4768 TargetUserName!="*$") | eval RenamedComputerAccount = coalesce(NewTargetUserName, TargetUserName) | transaction RenamedComputerAccount startswith=(EventCode=4781) + OR (EventCode=4768 TargetUserName!="*$") | eval RenamedComputerAccount = coalesce(NewTargetUserName, + TargetUserName) | transaction RenamedComputerAccount startswith=(EventCode=4781) endswith=(EventCode=4768) | eval short_lived=case((duration<2),"TRUE") | search short_lived = TRUE | table _time, Computer, EventCode, TargetUserName, RenamedComputerAccount, short_lived | rename Computer as dest | `suspicious_ticket_granting_ticket_request_filter`' @@ -65,6 +65,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/suspicious_ticket_granting_ticket_request/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/suspicious_ticket_granting_ticket_request/windows-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/suspicious_wav_file_in_appdata_folder.yml b/detections/endpoint/suspicious_wav_file_in_appdata_folder.yml index 252ba206fe..b05b86bfc6 100644 --- a/detections/endpoint/suspicious_wav_file_in_appdata_folder.yml +++ b/detections/endpoint/suspicious_wav_file_in_appdata_folder.yml @@ -1,16 +1,18 @@ name: Suspicious WAV file in Appdata Folder id: 5be109e6-1ac5-11ec-b421-acde48001122 -version: 2 -date: '2022-07-07' +version: 3 +date: '2024-05-21' author: Teoderick Contreras, Splunk status: production type: TTP -description: This analytic is to detect a suspicious creation of .wav file in appdata - folder. This behavior was seen in Remcos RAT malware where it put the audio recording - in the appdata\audio folde as part of data collection. this recording can be send - to its C2 server as part of its exfiltration to the compromised machine. creation - of wav files in this folder path is not a ussual disk place used by user to save - audio format file. +description: The following analytic detects the creation of .wav files in the AppData + folder, a behavior associated with Remcos RAT malware, which stores audio recordings + in this location for data exfiltration. The detection leverages endpoint process + and filesystem data to identify .wav file creation within the AppData\Roaming directory. + This activity is significant as it indicates potential unauthorized data collection + and exfiltration by malware. If confirmed malicious, this could lead to sensitive + information being sent to an attacker's command and control server, compromising + the affected system's confidentiality. data_source: - Sysmon EventID 1 - Sysmon EventID 11 @@ -69,6 +71,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos_agent/sysmon_wav.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos_agent/sysmon_wav.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/suspicious_writes_to_windows_recycle_bin.yml b/detections/endpoint/suspicious_writes_to_windows_recycle_bin.yml index a462f82012..defc4d90ed 100644 --- a/detections/endpoint/suspicious_writes_to_windows_recycle_bin.yml +++ b/detections/endpoint/suspicious_writes_to_windows_recycle_bin.yml @@ -1,22 +1,24 @@ name: Suspicious writes to windows Recycle Bin id: b5541828-8ffd-4070-9d95-b3da4de924cb -version: 2 -date: '2023-11-07' +version: 3 +date: '2024-05-18' author: Rico Valdez, Splunk status: production type: TTP description: |- - The following analytic detects when a process other than explorer.exe writes to the Windows Recycle Bin to detect potential threats earlier and mitigate the risks. This detection is made by a Splunk query that utilizes the Endpoint.Filesystem data model and the Endpoint.Processes data model. The query looks for any process writing to the "*$Recycle.Bin*" file path, excluding explorer.exe. This detection is important because it suggests that an attacker is attempting to hide their activities by using the Recycle Bin, which can lead to data theft, ransomware, or other damaging outcomes. Detecting writes to the Recycle Bin by a process other than explorer.exe can help to investigate and determine if the activity is malicious or benign. False positives might occur since there might be legitimate uses of the Recycle Bin by processes other than explorer.exe. Next steps include reviewing the process writing to the Recycle Bin and any relevant on-disk artifacts upon triage. + The following analytic detects when a process other than explorer.exe writes to the Windows Recycle Bin. It leverages the Endpoint.Filesystem and Endpoint.Processes data models in Splunk to identify any process writing to the "*$Recycle.Bin*" file path, excluding explorer.exe. This activity is significant because it may indicate an attacker attempting to hide their actions, potentially leading to data theft, ransomware, or other malicious outcomes. If confirmed malicious, this behavior could allow an attacker to persist in the environment and evade detection by security tools. data_source: - Sysmon EventID 1 - Sysmon EventID 11 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.file_path) as file_path values(Filesystem.file_name) as file_name FROM datamodel=Endpoint.Filesystem where Filesystem.file_path = "*$Recycle.Bin*" by Filesystem.process_name Filesystem.process_id Filesystem.dest - | `drop_dm_object_name("Filesystem")` - | join process_id - [| tstats `security_content_summariesonly` values(Processes.user) as user values(Processes.process_name) as process_name values(Processes.parent_process_name) as parent_process_name FROM datamodel=Endpoint.Processes where Processes.process_name != "explorer.exe" by Processes.process_id Processes.dest - | `drop_dm_object_name("Processes")` - | table user process_name process_id dest] - | `suspicious_writes_to_windows_recycle_bin_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime values(Filesystem.file_path) as file_path values(Filesystem.file_name) + as file_name FROM datamodel=Endpoint.Filesystem where Filesystem.file_path = "*$Recycle.Bin*" + by Filesystem.process_name Filesystem.process_id Filesystem.dest | `drop_dm_object_name("Filesystem")` + | join process_id [| tstats `security_content_summariesonly` values(Processes.user) + as user values(Processes.process_name) as process_name values(Processes.parent_process_name) + as parent_process_name FROM datamodel=Endpoint.Processes where Processes.process_name + != "explorer.exe" by Processes.process_id Processes.dest | `drop_dm_object_name("Processes")` + | table user process_name process_id dest] | `suspicious_writes_to_windows_recycle_bin_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on filesystem and process logs responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` nodes. @@ -63,6 +65,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/write_to_recycle_bin/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/write_to_recycle_bin/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/svchost_lolbas_execution_process_spawn.yml b/detections/endpoint/svchost_lolbas_execution_process_spawn.yml index eb6ce3401b..f6aa015e9e 100644 --- a/detections/endpoint/svchost_lolbas_execution_process_spawn.yml +++ b/detections/endpoint/svchost_lolbas_execution_process_spawn.yml @@ -1,21 +1,18 @@ name: Svchost LOLBAS Execution Process Spawn id: 09e5c72a-4c0d-11ec-aa29-3e22fbd008af -version: 3 -date: '2024-04-26' +version: 4 +date: '2024-05-14' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic is designed to spot instances of 'svchost.exe' - initiating a Living Off The Land Binaries and Scripts (LOLBAS) execution process. - Often, adversaries manipulate Task Scheduler to execute code on remote endpoints, - resulting in the spawning of a malicious command as a child process of 'svchost.exe'. - By tracking child processes of 'svchost.exe' that align with the LOLBAS project, - potential lateral movement activity can be detected. The analytic examines process - details, including the process name, parent process, and command-line executions. - A comprehensive list of LOLBAS processes is included in the search parameters. Although - the analytic might catch legitimate applications exhibiting this behavior, these - instances should be filtered accordingly. The findings from this analytic offer - valuable insight into potentially malicious activities on an endpoint. +description: The following analytic detects instances of 'svchost.exe' spawning Living + Off The Land Binaries and Scripts (LOLBAS) processes. It leverages Endpoint Detection + and Response (EDR) data to monitor child processes of 'svchost.exe' that match known + LOLBAS executables. This activity is significant as adversaries often use LOLBAS + techniques to execute malicious code stealthily, potentially indicating lateral + movement or code execution attempts. If confirmed malicious, this behavior could + allow attackers to execute arbitrary commands, escalate privileges, or maintain + persistence within the environment, posing a significant security risk. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -87,6 +84,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/svchost_lolbas_execution_process_spawn/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/svchost_lolbas_execution_process_spawn/windows-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/system_info_gathering_using_dxdiag_application.yml b/detections/endpoint/system_info_gathering_using_dxdiag_application.yml index 2523e2b3b3..db166e66b2 100644 --- a/detections/endpoint/system_info_gathering_using_dxdiag_application.yml +++ b/detections/endpoint/system_info_gathering_using_dxdiag_application.yml @@ -1,18 +1,18 @@ name: System Info Gathering Using Dxdiag Application id: f92d74f2-4921-11ec-b685-acde48001122 -version: 1 -date: '2021-11-19' +version: 2 +date: '2024-05-21' author: Teoderick Contreras, Splunk status: production type: Hunting -description: This analytic is to detect a suspicious dxdiag.exe process command-line - execution. Dxdiag is used to collect the system info of the target host. This technique - has been used by Remcos RATS, various actors, and other malware to collect information - as part of the recon or collection phase of an attack. This behavior should rarely - be seen in a corporate network, but this command line can be used by a network administrator - to audit host machine specifications. Thus in some rare cases, this detection will - contain false positives in its results. To triage further, analyze what commands - were passed after it pipes out the result to a file for further processing. +description: The following analytic identifies the execution of the dxdiag.exe process + with specific command-line arguments, which is used to gather system information. + This detection leverages data from Endpoint Detection and Response (EDR) agents, + focusing on process creation events and command-line details. This activity is significant + because dxdiag.exe is rarely used in corporate environments and its execution may + indicate reconnaissance efforts by malicious actors. If confirmed malicious, this + activity could allow attackers to collect detailed system information, aiding in + further exploitation or lateral movement within the network. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -74,6 +74,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/t1592/host_info_dxdiag/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/t1592/host_info_dxdiag/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/system_processes_run_from_unexpected_locations.yml b/detections/endpoint/system_processes_run_from_unexpected_locations.yml index 3871676bae..c446396c02 100644 --- a/detections/endpoint/system_processes_run_from_unexpected_locations.yml +++ b/detections/endpoint/system_processes_run_from_unexpected_locations.yml @@ -1,27 +1,24 @@ name: System Processes Run From Unexpected Locations id: a34aae96-ccf8-4aef-952c-3ea21444444d -version: 6 -date: '2020-12-08' +version: 7 +date: '2024-05-25' author: David Dorsey, Michael Haag, Splunk status: production type: Anomaly -description: 'This search looks for system processes that typically execute from `C:\Windows\System32\` - or `C:\Windows\SysWOW64`. This may indicate a malicious process that is trying - to hide as a legitimate process. - - This detection utilizes a lookup that is deduped `system32` and `syswow64` directories - from Server 2016 and Windows 10. - - During triage, review the parallel processes - what process moved the native Windows - binary? identify any artifacts on disk and review. If a remote destination is contacted, - what is the reputation?' +description: 'The following analytic identifies system processes running from unexpected + locations outside `C:\Windows\System32\` or `C:\Windows\SysWOW64`. It leverages + data from Endpoint Detection and Response (EDR) agents, focusing on process paths, + names, and hashes. This activity is significant as it may indicate a malicious process + attempting to masquerade as a legitimate system process. If confirmed malicious, + this behavior could allow an attacker to execute code, escalate privileges, or maintain + persistence within the environment, posing a significant security risk.' data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_path !="C:\\Windows\\System32*" Processes.process_path !="C:\\Windows\\SysWOW64*" by Processes.dest Processes.user - Processes.parent_process Processes.process_path Processes.process_name Processes.process Processes.process_id - Processes.parent_process_id Processes.process_hash | `drop_dm_object_name("Processes")` + Processes.parent_process Processes.process_path Processes.process_name Processes.process + Processes.process_id Processes.parent_process_id Processes.process_hash | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `is_windows_system_file_macro` | `system_processes_run_from_unexpected_locations_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection @@ -82,6 +79,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.003/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.003/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/system_user_discovery_with_query.yml b/detections/endpoint/system_user_discovery_with_query.yml index 7cb5ef9c26..0ee1d19535 100644 --- a/detections/endpoint/system_user_discovery_with_query.yml +++ b/detections/endpoint/system_user_discovery_with_query.yml @@ -1,14 +1,17 @@ name: System User Discovery With Query id: ad03bfcf-8a91-4bc2-a500-112993deba87 -version: 1 -date: '2021-09-13' +version: 2 +date: '2024-05-23' author: Mauricio Velazco, Splunk status: production type: Hunting -description: This analytic looks for the execution of `query.exe` with command-line - arguments utilized to discover the logged user. Red Teams and adversaries alike - may leverage `query.exe` to identify system users on a compromised endpoint for - situational awareness and Active Directory Discovery. +description: The following analytic detects the execution of `query.exe` with command-line + arguments aimed at discovering logged-in users. It leverages data from Endpoint + Detection and Response (EDR) agents, focusing on process names and command-line + executions. This activity is significant as adversaries may use `query.exe` to gain + situational awareness and perform Active Directory discovery on compromised endpoints. + If confirmed malicious, this behavior could allow attackers to identify active users, + aiding in further lateral movement and privilege escalation within the network. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -65,6 +68,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/AD_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/system_user_discovery_with_whoami.yml b/detections/endpoint/system_user_discovery_with_whoami.yml index 874bd354b2..20c9d2afc6 100644 --- a/detections/endpoint/system_user_discovery_with_whoami.yml +++ b/detections/endpoint/system_user_discovery_with_whoami.yml @@ -1,14 +1,18 @@ name: System User Discovery With Whoami id: 894fc43e-6f50-47d5-a68b-ee9ee23e18f4 -version: 1 -date: '2023-12-27' +version: 2 +date: '2024-05-15' author: Mauricio Velazco, Splunk status: production type: Hunting -description: This analytic looks for the execution of `whoami.exe` without any arguments. - This windows native binary prints out the current logged user. Red Teams and adversaries - alike may leverage `whoami.exe` to identify system users on a compromised endpoint - for situational awareness and Active Directory Discovery. +description: The following analytic detects the execution of `whoami.exe` without + any arguments. It leverages data from Endpoint Detection and Response (EDR) agents, + focusing on process execution logs. This activity is significant because both Red + Teams and adversaries use `whoami.exe` to identify the current logged-in user, aiding + in situational awareness and Active Directory discovery. If confirmed malicious, + this behavior could indicate an attacker is gathering information to further compromise + the system, potentially leading to privilege escalation or lateral movement within + the network. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -68,6 +72,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/AD_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/time_provider_persistence_registry.yml b/detections/endpoint/time_provider_persistence_registry.yml index 4fda914196..3cfee5f93b 100644 --- a/detections/endpoint/time_provider_persistence_registry.yml +++ b/detections/endpoint/time_provider_persistence_registry.yml @@ -1,23 +1,27 @@ name: Time Provider Persistence Registry id: 5ba382c4-2105-11ec-8d8f-acde48001122 -version: 4 -date: '2023-04-27' +version: 5 +date: '2024-05-13' author: Steven Dick, Teoderick Contreras, Splunk status: production type: TTP -description: This analytic is to detect a suspicious modification of time provider - registry for persistence and autostart. This technique can allow the attacker to - persist on the compromised host and autostart as soon as the machine boot up. This - TTP can be a good indicator of suspicious behavior since this registry is not commonly - modified by normal user or even an admin. +description: The following analytic detects suspicious modifications to the time provider + registry for persistence and autostart. It leverages data from the Endpoint.Registry + data model, focusing on changes to the "CurrentControlSet\\Services\\W32Time\\TimeProviders" + registry path. This activity is significant because such modifications are uncommon + and can indicate an attempt to establish persistence on a compromised host. If confirmed + malicious, this technique allows an attacker to maintain access and execute code + automatically upon system boot, potentially leading to further exploitation and + control over the affected system. data_source: - Sysmon EventID 12 - Sysmon EventID 13 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*\\CurrentControlSet\\Services\\W32Time\\TimeProviders*") - BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name - Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `time_provider_persistence_registry_filter`' + BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name + Registry.registry_value_name Registry.registry_value_data Registry.process_guid + | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `time_provider_persistence_registry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical @@ -66,6 +70,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.003/timeprovider_reg/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.003/timeprovider_reg/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/uac_bypass_mmc_load_unsigned_dll.yml b/detections/endpoint/uac_bypass_mmc_load_unsigned_dll.yml index 0144cd74ca..92ba9a187a 100644 --- a/detections/endpoint/uac_bypass_mmc_load_unsigned_dll.yml +++ b/detections/endpoint/uac_bypass_mmc_load_unsigned_dll.yml @@ -1,14 +1,19 @@ name: UAC Bypass MMC Load Unsigned Dll id: 7f04349c-e30d-11eb-bc7f-acde48001122 -version: 1 -date: '2021-07-12' +version: 2 +date: '2024-05-27' author: Teoderick Contreras, Splunk status: production type: TTP -description: This search is to detect a suspicious loaded unsigned dll by MMC.exe - application. This technique is commonly seen in attacker that tries to bypassed - UAC feature or gain privilege escalation. This is done by modifying some CLSID registry - that will trigger the mmc.exe to load the dll path +description: The following analytic detects the loading of an unsigned DLL by the + MMC.exe application, which is indicative of a potential UAC bypass or privilege + escalation attempt. It leverages Sysmon EventCode 7 to identify instances where + MMC.exe loads a non-Microsoft, unsigned DLL. This activity is significant because + attackers often use this technique to modify CLSID registry entries, causing MMC.exe + to load malicious DLLs, thereby bypassing User Account Control (UAC) and gaining + elevated privileges. If confirmed malicious, this could allow an attacker to execute + arbitrary code with higher privileges, leading to further system compromise and + persistence. data_source: - Sysmon EventID 7 search: '`sysmon` EventCode=7 ImageLoaded = "*.dll" Image = "*\\mmc.exe" Signed=false @@ -59,6 +64,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/uac_bypass/windows-sysmon2.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/uac_bypass/windows-sysmon2.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/uac_bypass_with_colorui_com_object.yml b/detections/endpoint/uac_bypass_with_colorui_com_object.yml index aa35ab0497..f40dff0bff 100644 --- a/detections/endpoint/uac_bypass_with_colorui_com_object.yml +++ b/detections/endpoint/uac_bypass_with_colorui_com_object.yml @@ -1,18 +1,23 @@ name: UAC Bypass With Colorui COM Object id: 2bcccd20-fc2b-11eb-8d22-acde48001122 -version: 1 -date: '2021-08-13' +version: 2 +date: '2024-05-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: This search is to detect a possible uac bypass using the colorui.dll - COM Object. this technique was seen in so many malware and ransomware like lockbit - where it make use of the colorui.dll COM CLSID to bypass UAC. +description: The following analytic detects a potential UAC bypass using the colorui.dll + COM Object. It leverages Sysmon EventCode 7 to identify instances where colorui.dll + is loaded by a process other than colorcpl.exe, excluding common system directories. + This activity is significant because UAC bypass techniques are often used by malware, + such as LockBit ransomware, to gain elevated privileges without user consent. If + confirmed malicious, this could allow an attacker to execute code with higher privileges, + leading to further system compromise and persistence within the environment. data_source: - Sysmon EventID 7 search: '`sysmon` EventCode=7 ImageLoaded="*\\colorui.dll" process_name != "colorcpl.exe" NOT(Image IN("*\\windows\\*", "*\\program files*")) | stats count min(_time) as - firstTime max(_time) as lastTime by Image ImageLoaded process_name dest user_id EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + firstTime max(_time) as lastTime by Image ImageLoaded process_name dest user_id + EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `uac_bypass_with_colorui_com_object_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your @@ -28,7 +33,8 @@ tags: asset_type: Endpoint confidence: 80 impact: 60 - message: The following module $ImageLoaded$ was loaded by a non-standard application on endpoint $dest$. + message: The following module $ImageLoaded$ was loaded by a non-standard application + on endpoint $dest$. mitre_attack_id: - T1218 - T1218.003 @@ -59,6 +65,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.015/uac_colorui/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.015/uac_colorui/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/uninstall_app_using_msiexec.yml b/detections/endpoint/uninstall_app_using_msiexec.yml index 2346b44037..3a5f4eb570 100644 --- a/detections/endpoint/uninstall_app_using_msiexec.yml +++ b/detections/endpoint/uninstall_app_using_msiexec.yml @@ -1,14 +1,18 @@ name: Uninstall App Using MsiExec id: 1fca2b28-f922-11eb-b2dd-acde48001122 -version: 1 -date: '2021-08-09' +version: 2 +date: '2024-05-14' author: Teoderick Contreras, Splunk status: production type: TTP -description: This search is to detect a suspicious un-installation of application - using msiexec. This technique was seen in conti leak tool and script where it tries - to uninstall AV product using this commandline. This commandline to uninstall product - is not a common practice in enterprise network. +description: The following analytic detects the uninstallation of applications using + msiexec with specific command-line arguments. It leverages data from Endpoint Detection + and Response (EDR) agents, focusing on process execution logs that include command-line + details. This activity is significant because it is an uncommon practice in enterprise + environments and has been associated with malicious behavior, such as disabling + antivirus software. If confirmed malicious, this could allow an attacker to remove + security software, potentially leading to further compromise and persistence within + the network. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -67,6 +71,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/conti/conti_leak/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/conti/conti_leak/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/unknown_process_using_the_kerberos_protocol.yml b/detections/endpoint/unknown_process_using_the_kerberos_protocol.yml index 9faf2a372a..6e7650ccd9 100644 --- a/detections/endpoint/unknown_process_using_the_kerberos_protocol.yml +++ b/detections/endpoint/unknown_process_using_the_kerberos_protocol.yml @@ -1,19 +1,28 @@ name: Unknown Process Using The Kerberos Protocol id: c91a0852-9fbb-11ec-af44-acde48001122 -version: 2 -date: '2024-01-23' +version: 3 +date: '2024-05-19' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic identifies a process performing an outbound connection - on port 88 used by default by the network authentication protocol Kerberos. Typically, - on a regular Windows endpoint, only the lsass.exe process is the one tasked with - connecting to the Kerberos Distribution Center to obtain Kerberos tickets. Identifying - an unknown process using this protocol may be evidence of an adversary abusing the - Kerberos protocol. +description: The following analytic identifies a non-lsass.exe process making an outbound + connection on port 88, which is typically used by the Kerberos authentication protocol. + This detection leverages data from Endpoint Detection and Response (EDR) agents, + focusing on process and network traffic logs. This activity is significant because, + under normal circumstances, only the lsass.exe process should interact with the + Kerberos Distribution Center. If confirmed malicious, this behavior could indicate + an adversary attempting to abuse the Kerberos protocol, potentially leading to unauthorized + access or lateral movement within the network. data_source: - Sysmon EventID 1 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name!=lsass.exe by _time Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id dest [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port = 88 by All_Traffic.src All_Traffic.process_id All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename src as dest ] | table _time dest parent_process_name process_name process_path process process_id dest_port | `unknown_process_using_the_kerberos_protocol_filter`' +search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes + where Processes.process_name!=lsass.exe by _time Processes.process_id Processes.process_name + Processes.dest Processes.process_path Processes.process Processes.parent_process_name + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | join process_id dest [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic + where All_Traffic.dest_port = 88 by All_Traffic.src All_Traffic.process_id All_Traffic.dest_port + | `drop_dm_object_name(All_Traffic)` | rename src as dest ] | table _time dest + parent_process_name process_name process_path process process_id dest_port | `unknown_process_using_the_kerberos_protocol_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -34,7 +43,8 @@ tags: asset_type: Endpoint confidence: 60 impact: 60 - message: Unknown process $process_name$ using the kerberos protocol detected on host $dest$ + message: Unknown process $process_name$ using the kerberos protocol detected on + host $dest$ mitre_attack_id: - T1550 observable: @@ -62,9 +72,11 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550/rubeus/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550/rubeus/windows-security.log source: WinEventLog:Security sourcetype: WinEventLog - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550/rubeus/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550/rubeus/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/unload_sysmon_filter_driver.yml b/detections/endpoint/unload_sysmon_filter_driver.yml index 1bd3d35327..cf0bb0a7ce 100644 --- a/detections/endpoint/unload_sysmon_filter_driver.yml +++ b/detections/endpoint/unload_sysmon_filter_driver.yml @@ -19,8 +19,8 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime AND Processes.process=*unload* AND Processes.process=*SysmonDrv* by Processes.process_name Processes.process_id Processes.parent_process_name Processes.process Processes.dest Processes.user | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` - |`unload_sysmon_filter_driver_filter`| table firstTime lastTime dest user count - process_name process_id parent_process_name process' + | table firstTime lastTime dest user count process_name process_id parent_process_name process + | `unload_sysmon_filter_driver_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, diff --git a/detections/endpoint/unloading_amsi_via_reflection.yml b/detections/endpoint/unloading_amsi_via_reflection.yml index 5c0e3366c7..a96829949e 100644 --- a/detections/endpoint/unloading_amsi_via_reflection.yml +++ b/detections/endpoint/unloading_amsi_via_reflection.yml @@ -1,24 +1,18 @@ name: Unloading AMSI via Reflection id: a21e3484-c94d-11eb-b55b-acde48001122 -version: 1 -date: '2023-04-14' +version: 2 +date: '2024-05-24' author: Michael Haag, Splunk status: production type: TTP -description: 'The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) - to identify suspicious PowerShell execution. Script Block Logging captures the command - sent to PowerShell, the full command to be executed. Upon enabling, logs will output - to Windows event logs. Dependent upon volume, enable on critical endpoints or all. - - - This analytic identifies the behavior of AMSI being tampered with. Implemented natively - in many frameworks, the command will look similar to `SEtValuE($Null,(New-OBJEct - COLlECtionS.GenerIC.HAshSEt{[StrINg]))}$ReF=[ReF].AsSeMbLY.GeTTyPe("System.Management.Automation.Amsi"+"Utils")` - taken from Powershell-Empire. - - During triage, review parallel processes using an EDR product or 4688 events. It - will be important to understand the timeline of events around this activity. Review - the entire logged PowerShell script block.' +description: 'The following analytic detects the tampering of AMSI (Antimalware Scan + Interface) via PowerShell reflection. It leverages PowerShell Script Block Logging + (EventCode=4104) to capture and analyze suspicious PowerShell commands, specifically + those involving `system.management.automation.amsi`. This activity is significant + as it indicates an attempt to bypass AMSI, a critical security feature that helps + detect and block malicious scripts. If confirmed malicious, this could allow an + attacker to execute harmful code undetected, leading to potential system compromise + and data exfiltration.' data_source: - Powershell Script Block Logging 4104 search: '`powershell` EventCode=4104 ScriptBlockText = *system.management.automation.amsi* @@ -69,6 +63,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/windows-powershell-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/windows-powershell-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/unusual_number_of_computer_service_tickets_requested.yml b/detections/endpoint/unusual_number_of_computer_service_tickets_requested.yml index e11b3275a9..4f9f960d7e 100644 --- a/detections/endpoint/unusual_number_of_computer_service_tickets_requested.yml +++ b/detections/endpoint/unusual_number_of_computer_service_tickets_requested.yml @@ -1,16 +1,18 @@ name: Unusual Number of Computer Service Tickets Requested id: ac3b81c0-52f4-11ec-ac44-acde48001122 -version: 1 -date: '2021-12-01' +version: 2 +date: '2024-05-25' author: Mauricio Velazco, Splunk status: experimental type: Hunting -description: 'The following hunting analytic leverages Event ID 4769, `A Kerberos - service ticket was requested`, to identify an unusual number of computer service - ticket requests from one source. When a domain joined endpoint connects to a remote - endpoint, it first will request a Kerberos Ticket with the computer name as the - Service Name. An endpoint requesting a large number of computer service tickets - for different endpoints could represent malicious behavior like lateral movement, malware staging, reconnaissance, etc. The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of service requests. To customize this analytic, users can try different combinations of the `bucket` span time, the calculation of the `upperBound` field as well as the Outlier calculation. This logic can be used for real time security monitoring as well as threat hunting exercises.' +description: 'The following analytic identifies an unusual number of computer service + ticket requests from a single source, leveraging Event ID 4769, "A Kerberos service + ticket was requested." It uses statistical analysis, including standard deviation + and the 3-sigma rule, to detect anomalies in service ticket requests. This activity + is significant as it may indicate malicious behavior such as lateral movement, malware + staging, or reconnaissance. If confirmed malicious, an attacker could gain unauthorized + access to multiple endpoints, facilitating further compromise and potential data + exfiltration.' data_source: - Windows Event Log Security 4769 search: ' `wineventlog_security` EventCode=4769 Service_Name="*$" Account_Name!="*$*" diff --git a/detections/endpoint/unusual_number_of_kerberos_service_tickets_requested.yml b/detections/endpoint/unusual_number_of_kerberos_service_tickets_requested.yml index 611d329514..066ee5a7f2 100644 --- a/detections/endpoint/unusual_number_of_kerberos_service_tickets_requested.yml +++ b/detections/endpoint/unusual_number_of_kerberos_service_tickets_requested.yml @@ -1,25 +1,23 @@ name: Unusual Number of Kerberos Service Tickets Requested id: eb3e6702-8936-11ec-98fe-acde48001122 -version: 2 -date: '2024-04-26' +version: 3 +date: '2024-05-15' author: Mauricio Velazco, Splunk status: production type: Anomaly -description: 'The following hunting analytic leverages Kerberos Event 4769, A Kerberos - service ticket was requested, to identify a potential kerberoasting attack against - Active Directory networks. Kerberoasting allows an adversary to request kerberos - tickets for domain accounts typically used as service accounts and attempt to crack - them offline allowing them to obtain privileged access to the domain. - - The detection calculates the standard deviation for each host and leverages the - 3-sigma statistical rule to identify an unusual number service ticket requests. - To customize this analytic, users can try different combinations of the `bucket` - span time and the calculation of the `upperBound` field.' +description: 'The following analytic identifies an unusual number of Kerberos service + ticket requests, potentially indicating a kerberoasting attack. It leverages Kerberos + Event 4769 and calculates the standard deviation for each host, using the 3-sigma + rule to detect anomalies. This activity is significant as kerberoasting allows adversaries + to request service tickets and crack them offline, potentially gaining privileged + access to the domain. If confirmed malicious, this could lead to unauthorized access + to sensitive accounts and escalation of privileges within the Active Directory environment.' data_source: - Windows Event Log Security 4769 -search: ' `wineventlog_security` EventCode=4769 ServiceName!="*$" TicketEncryptionType=0x17 | bucket span=2m _time | stats dc(ServiceName) AS unique_services values(ServiceName) - as requested_services by _time, src | eventstats avg(unique_services) - as comp_avg , stdev(unique_services) as comp_std by src | eval upperBound=(comp_avg+comp_std*3) +search: ' `wineventlog_security` EventCode=4769 ServiceName!="*$" TicketEncryptionType=0x17 + | bucket span=2m _time | stats dc(ServiceName) AS unique_services values(ServiceName) + as requested_services by _time, src | eventstats avg(unique_services) as comp_avg + , stdev(unique_services) as comp_std by src | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_services > 2 and unique_services >= upperBound, 1, 0) | search isOutlier=1 | `unusual_number_of_kerberos_service_tickets_requested_filter`' how_to_implement: To successfully implement this search, you need to be ingesting @@ -65,6 +63,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.003/unusual_number_of_kerberos_service_tickets_requested/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.003/unusual_number_of_kerberos_service_tickets_requested/windows-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/unusual_number_of_remote_endpoint_authentication_events.yml b/detections/endpoint/unusual_number_of_remote_endpoint_authentication_events.yml index 1634a215bb..1d25cdb3b5 100644 --- a/detections/endpoint/unusual_number_of_remote_endpoint_authentication_events.yml +++ b/detections/endpoint/unusual_number_of_remote_endpoint_authentication_events.yml @@ -1,15 +1,17 @@ name: Unusual Number of Remote Endpoint Authentication Events id: acb5dc74-5324-11ec-a36d-acde48001122 -version: 1 -date: '2021-12-01' +version: 2 +date: '2024-05-11' author: Mauricio Velazco, Splunk status: experimental type: Hunting -description: 'The following hunting analytic leverages Event ID 4624, `An account - was successfully logged on`, to identify an unusual number of remote authentication - attempts coming from one source. An endpoint authenticating to a large number of - remote endpoints could represent malicious behavior like lateral movement, malware - staging, reconnaissance, etc. The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual high number of authentication events.To customize this analytic, users can try different combinations of the `bucket` span time, the calculation of the `upperBound` field as well as the Outlier calculation.This logic can be used for real time security monitoring as well as threat hunting exercises.' +description: 'The following analytic identifies an unusual number of remote authentication + attempts from a single source by leveraging Windows Event ID 4624, which logs successful + account logons. It uses statistical analysis, specifically the 3-sigma rule, to + detect deviations from normal behavior. This activity is significant for a SOC as + it may indicate lateral movement, malware staging, or reconnaissance. If confirmed + malicious, this behavior could allow an attacker to move laterally within the network, + escalate privileges, or gather information for further attacks.' data_source: - Windows Event Log Security 4624 search: ' `wineventlog_security` EventCode=4624 Logon_Type=3 Account_Name!="*$" | @@ -56,4 +58,4 @@ tags: - Account_Name - ComputerName risk_score: 42 - security_domain: endpoint \ No newline at end of file + security_domain: endpoint diff --git a/detections/endpoint/unusually_long_command_line.yml b/detections/endpoint/unusually_long_command_line.yml index 42754fafb6..7e44a8e57c 100644 --- a/detections/endpoint/unusually_long_command_line.yml +++ b/detections/endpoint/unusually_long_command_line.yml @@ -1,12 +1,12 @@ name: Unusually Long Command Line id: c77162d3-f93c-45cc-80c8-22f6a4264e7f -version: 5 -date: '2020-12-08' +version: 6 +date: '2024-05-20' author: David Dorsey, Splunk status: experimental type: Anomaly description: |- - The following analytic detects command lines that are extremely long, which might be indicative of malicious activity on your hosts because attackers often use obfuscated or complex command lines to hide their actions and evade detection. This helps to mitigate the risks associated with long command lines to enhance your overall security posture and reduce the impact of attacks. This detection is important because it suggests that an attacker might be attempting to execute a malicious command or payload on the host, which can lead to various damaging outcomes such as data theft, ransomware, or further compromise of the system. False positives might occur since legitimate processes or commands can sometimes result in long command lines. Next steps include conducting extensive triage and investigation to differentiate between legitimate and malicious activities. Review the source of the command line and the command itself during the triage. Additionally, capture and inspect any relevant on-disk artifacts and review concurrent processes to identify the source of the attack. + The following analytic detects unusually long command lines, which may indicate malicious activity. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on the length of command lines executed on hosts. This behavior is significant because attackers often use obfuscated or complex command lines to evade detection and execute malicious payloads. If confirmed malicious, this activity could lead to data theft, ransomware deployment, or further system compromise. Analysts should investigate the source and content of the command line, inspect relevant artifacts, and review concurrent processes to identify potential threats. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) diff --git a/detections/endpoint/unusually_long_command_line___mltk.yml b/detections/endpoint/unusually_long_command_line___mltk.yml index be45bd6f70..e0585e47eb 100644 --- a/detections/endpoint/unusually_long_command_line___mltk.yml +++ b/detections/endpoint/unusually_long_command_line___mltk.yml @@ -1,13 +1,17 @@ name: Unusually Long Command Line - MLTK id: 57edaefa-a73b-45e5-bbae-f39c1473f941 -version: 1 -date: '2019-05-08' +version: 2 +date: '2024-05-26' author: Rico Valdez, Splunk status: experimental type: Anomaly -description: Command lines that are extremely long may be indicative of malicious - activity on your hosts. This search leverages the Machine Learning Toolkit (MLTK) - to help identify command lines with lengths that are unusual for a given user. +description: The following analytic identifies unusually long command lines executed + on hosts, which may indicate malicious activity. It leverages the Machine Learning + Toolkit (MLTK) to detect command lines with lengths that deviate from the norm for + a given user. This is significant for a SOC as unusually long command lines can + be a sign of obfuscation or complex malicious scripts. If confirmed malicious, this + activity could allow attackers to execute sophisticated commands, potentially leading + to unauthorized access, data exfiltration, or further compromise of the system. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) diff --git a/detections/endpoint/user_discovery_with_env_vars_powershell.yml b/detections/endpoint/user_discovery_with_env_vars_powershell.yml index 63d546faff..bf025c6f7c 100644 --- a/detections/endpoint/user_discovery_with_env_vars_powershell.yml +++ b/detections/endpoint/user_discovery_with_env_vars_powershell.yml @@ -1,15 +1,18 @@ name: User Discovery With Env Vars PowerShell id: 0cdf318b-a0dd-47d7-b257-c621c0247de8 -version: 1 -date: '2021-09-13' +version: 2 +date: '2024-05-19' author: Mauricio Velazco, Splunk status: production type: Hunting -description: This analytic looks for the execution of `powershell.exe` with command-line - arguments that leverage PowerShell environment variables to identify the current - logged user. Red Teams and adversaries may leverage this method to identify the - logged user on a compromised endpoint for situational awareness and Active Directory - Discovery. +description: The following analytic detects the execution of `powershell.exe` with + command-line arguments that use PowerShell environment variables to identify the + current logged user. It leverages data from Endpoint Detection and Response (EDR) + agents, focusing on process names and command-line executions. This activity is + significant as adversaries may use it for situational awareness and Active Directory + discovery on compromised endpoints. If confirmed malicious, this behavior could + allow attackers to gather critical user information, aiding in further exploitation + and lateral movement within the network. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -66,6 +69,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/AD_discovery/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/user_discovery_with_env_vars_powershell_script_block.yml b/detections/endpoint/user_discovery_with_env_vars_powershell_script_block.yml index d35bd3ef5f..1c031185cc 100644 --- a/detections/endpoint/user_discovery_with_env_vars_powershell_script_block.yml +++ b/detections/endpoint/user_discovery_with_env_vars_powershell_script_block.yml @@ -1,23 +1,24 @@ name: User Discovery With Env Vars PowerShell Script Block id: 77f41d9e-b8be-47e3-ab35-5776f5ec1d20 -version: 2 -date: '2022-03-22' +version: 3 +date: '2024-05-10' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) - to identify the use of PowerShell environment variables to identify the current - logged user. Red Teams and adversaries may leverage this method to identify the - logged user on a compromised endpoint for situational awareness and Active Directory - Discovery. +description: The following analytic detects the use of PowerShell environment variables + to identify the current logged user by leveraging PowerShell Script Block Logging + (EventCode=4104). This method monitors script blocks containing `$env:UserName` + or `[System.Environment]::UserName`. Identifying this activity is significant as + adversaries and Red Teams may use it for situational awareness and Active Directory + discovery on compromised endpoints. If confirmed malicious, this activity could + allow attackers to gain insights into user context, aiding in further exploitation + and lateral movement within the network. data_source: - Powershell Script Block Logging 4104 search: '`powershell` EventCode=4104 (ScriptBlockText = "*$env:UserName*" OR ScriptBlockText = "*[System.Environment]::UserName*") | stats count min(_time) as firstTime max(_time) - as lastTime by EventCode ScriptBlockText Computer user_id - | rename Computer as dest, user_id as user - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` + as lastTime by EventCode ScriptBlockText Computer user_id | rename Computer as dest, + user_id as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `user_discovery_with_env_vars_powershell_script_block_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here @@ -61,6 +62,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/AD_discovery/windows-powershell-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/AD_discovery/windows-powershell-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/usn_journal_deletion.yml b/detections/endpoint/usn_journal_deletion.yml index 30f47248ed..af019c6418 100644 --- a/detections/endpoint/usn_journal_deletion.yml +++ b/detections/endpoint/usn_journal_deletion.yml @@ -1,14 +1,18 @@ name: USN Journal Deletion id: b6e0ff70-b122-4227-9368-4cf322ab43c3 -version: 2 -date: '2018-12-03' +version: 3 +date: '2024-05-12' author: David Dorsey, Splunk status: production type: TTP -description: The fsutil.exe application is a legitimate Windows utility used to perform - tasks related to the file allocation table (FAT) and NTFS file systems. The update - sequence number (USN) change journal provides a log of all changes made to the files - on the disk. This search looks for fsutil.exe deleting the USN journal. +description: The following analytic detects the deletion of the USN Journal using + the fsutil.exe utility. It leverages data from Endpoint Detection and Response (EDR) + agents, focusing on process execution logs that include command-line details. This + activity is significant because the USN Journal maintains a log of all changes made + to files on the disk, and its deletion can be an indicator of an attempt to cover + tracks or hinder forensic investigations. If confirmed malicious, this action could + allow an attacker to obscure their activities, making it difficult to trace file + modifications and potentially compromising incident response efforts. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count values(Processes.process) @@ -60,6 +64,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/vbscript_execution_using_wscript_app.yml b/detections/endpoint/vbscript_execution_using_wscript_app.yml index c49955fb04..c6ed45174a 100644 --- a/detections/endpoint/vbscript_execution_using_wscript_app.yml +++ b/detections/endpoint/vbscript_execution_using_wscript_app.yml @@ -1,15 +1,18 @@ name: Vbscript Execution Using Wscript App id: 35159940-228f-11ec-8a49-acde48001122 -version: 1 -date: '2021-10-01' +version: 2 +date: '2024-05-14' author: Teoderick Contreras, Splunk status: production type: TTP -description: This analytic is to detect a suspicious wscript commandline to execute - vbscript. This technique was seen in several malware to execute malicious vbs file - using wscript application. commonly vbs script is associated to cscript process - and this can be a technique to evade process parent child detections or even some - av script emulation system. +description: The following analytic detects the execution of VBScript using the wscript.exe + application. It leverages data from Endpoint Detection and Response (EDR) agents, + focusing on process and command-line telemetry. This activity is significant because + wscript.exe is typically not used to execute VBScript, which is usually associated + with cscript.exe. This deviation can indicate an attempt to evade traditional process + monitoring and antivirus defenses. If confirmed malicious, this technique could + allow attackers to execute arbitrary code, potentially leading to system compromise, + data exfiltration, or further lateral movement within the network. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -75,6 +78,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.005/vbs_wscript/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.005/vbs_wscript/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/verclsid_clsid_execution.yml b/detections/endpoint/verclsid_clsid_execution.yml index b08b64a074..5fcbc96f83 100644 --- a/detections/endpoint/verclsid_clsid_execution.yml +++ b/detections/endpoint/verclsid_clsid_execution.yml @@ -1,15 +1,18 @@ name: Verclsid CLSID Execution id: 61e9a56a-20fa-11ec-8ba3-acde48001122 -version: 1 -date: '2021-09-29' +version: 2 +date: '2024-05-21' author: Teoderick Contreras, Splunk status: production type: Hunting -description: This analytic is to detect a possible abuse of verclsid to execute malicious - file through generate CLSID. This process is a normal application of windows to - verify the CLSID COM object before it is instantiated by Windows Explorer. This - hunting query can be a good pivot point to analyze what is he CLSID or COM object - pointing too to check if it is a valid application or not. +description: The following analytic detects the potential abuse of the verclsid.exe + utility to execute malicious files via generated CLSIDs. It leverages data from + Endpoint Detection and Response (EDR) agents, focusing on specific command-line + patterns associated with verclsid.exe. This activity is significant because verclsid.exe + is a legitimate Windows application used to verify CLSID COM objects, and its misuse + can indicate an attempt to bypass security controls. If confirmed malicious, this + technique could allow an attacker to execute arbitrary code, potentially leading + to system compromise or further malicious activities. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` values(Processes.process) as process @@ -76,6 +79,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.012/verclsid_exec/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.012/verclsid_exec/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/w3wp_spawning_shell.yml b/detections/endpoint/w3wp_spawning_shell.yml index b2705361f7..52aebab2b1 100644 --- a/detections/endpoint/w3wp_spawning_shell.yml +++ b/detections/endpoint/w3wp_spawning_shell.yml @@ -1,18 +1,18 @@ name: W3WP Spawning Shell id: 0f03423c-7c6a-11eb-bc47-acde48001122 -version: 2 -date: '2023-07-10' +version: 3 +date: '2024-05-16' author: Michael Haag, Splunk status: production type: TTP -description: This query identifies a shell, PowerShell.exe or Cmd.exe, spawning from - W3WP.exe, or IIS. In addition to IIS logs, this behavior with an EDR product will - capture potential webshell activity, similar to the HAFNIUM Group abusing CVEs, - on publicly available Exchange mail servers. During triage, review the parent process - and child process of the shell being spawned. Review the command-line arguments - and any file modifications that may occur. Identify additional parallel process, - child processes, that may highlight further commands executed. After triaging, work - to contain the threat and patch the system that is vulnerable. +description: The following analytic identifies instances where a shell (PowerShell.exe + or Cmd.exe) is spawned from W3WP.exe, the IIS worker process. This detection leverages + data from Endpoint Detection and Response (EDR) agents, focusing on process creation + events where the parent process is W3WP.exe. This activity is significant as it + may indicate webshell activity, often associated with exploitation attempts like + those by the HAFNIUM Group on Exchange servers. If confirmed malicious, this behavior + could allow attackers to execute arbitrary commands, potentially leading to system + compromise, data exfiltration, or further lateral movement within the network. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count values(Processes.process_name) @@ -88,6 +88,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.003/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.003/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/wbemprox_com_object_execution.yml b/detections/endpoint/wbemprox_com_object_execution.yml index 41be0a9cb8..b9cf151cb4 100644 --- a/detections/endpoint/wbemprox_com_object_execution.yml +++ b/detections/endpoint/wbemprox_com_object_execution.yml @@ -1,17 +1,18 @@ name: Wbemprox COM Object Execution id: 9d911ce0-c3be-11eb-b177-acde48001122 -version: 1 -date: '2021-06-02' +version: 2 +date: '2024-05-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic identifies a potential suspicious process loading - a COM object from wbemprox.dll or faskprox.dll. The Microsoft Component Object Model - (COM) is a platform-independent, distributed, object-oriented system for creating - binary software components that can interact. This feature is being abused by several - threat actors, adversaries or even red teamers to gain privilege escalation or even - to evade detections. This TTP is a good indicator that a process is loading possible - known .dll modules that were known for its COM object. +description: The following analytic detects a suspicious process loading a COM object + from wbemprox.dll, fastprox.dll, or wbemcomn.dll. It leverages Sysmon EventCode + 7 to identify instances where these DLLs are loaded by processes not typically associated + with them, excluding known legitimate processes and directories. This activity is + significant as it may indicate an attempt by threat actors to abuse COM objects + for privilege escalation or evasion of detection mechanisms. If confirmed malicious, + this could allow attackers to gain elevated privileges or maintain persistence within + the environment, posing a significant security risk. data_source: - Sysmon EventID 7 search: '`sysmon` EventCode=7 ImageLoaded IN ("*\\fastprox.dll", "*\\wbemprox.dll", @@ -65,6 +66,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/revil/inf2/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/revil/inf2/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/wermgr_process_connecting_to_ip_check_web_services.yml b/detections/endpoint/wermgr_process_connecting_to_ip_check_web_services.yml index 3d2355fc2f..3d0107a0a5 100644 --- a/detections/endpoint/wermgr_process_connecting_to_ip_check_web_services.yml +++ b/detections/endpoint/wermgr_process_connecting_to_ip_check_web_services.yml @@ -1,17 +1,17 @@ name: Wermgr Process Connecting To IP Check Web Services id: ed313326-a0f9-11eb-a89c-acde48001122 -version: 2 -date: '2022-06-01' +version: 3 +date: '2024-05-27' author: Teoderick Contreras, Mauricio Velazco, Splunk status: production type: TTP -description: This search is designed to detect suspicious wermgr.exe process that - tries to connect to known IP web services. This technique is know for trickbot and - other trojan spy malware to recon the infected machine and look for its ip address - without so much finger print on the commandline process. Since wermgr.exe is designed - for error handling process of windows it is really suspicious that this process - is trying to connect to this IP web services cause that maybe cause of some malicious - code injection. +description: The following analytic detects the wermgr.exe process attempting to connect + to known IP check web services. It leverages Sysmon EventCode 22 to identify DNS + queries made by wermgr.exe to specific IP check services. This activity is significant + because wermgr.exe is typically used for Windows error reporting, and its connection + to these services may indicate malicious code injection, often associated with malware + like Trickbot. If confirmed malicious, this behavior could allow attackers to recon + the infected machine's IP address, aiding in further exploitation and evasion tactics. data_source: - Sysmon EventID 22 search: '`sysmon` EventCode =22 process_name = wermgr.exe QueryName IN ("*wtfismyip.com", @@ -19,8 +19,9 @@ search: '`sysmon` EventCode =22 process_name = wermgr.exe QueryName IN ("*wtfism "*ip.anysrc.com","*api.ip.sb", "ident.me", "www.myexternalip.com", "*zen.spamhaus.org", "*cbl.abuseat.org", "*b.barracudacentral.org","*dnsbl-1.uceprotect.net", "*spam.dnsbl.sorbs.net") | stats min(_time) as firstTime max(_time) as lastTime count by Image process_name - ProcessId QueryName QueryStatus QueryResults EventCode Computer | rename Computer as dest | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `wermgr_process_connecting_to_ip_check_web_services_filter`' + ProcessId QueryName QueryStatus QueryResults EventCode Computer | rename Computer + as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `wermgr_process_connecting_to_ip_check_web_services_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, dns query name process path , and query ststus from your endpoints like EventCode 22. If you are using Sysmon, you must have at least @@ -63,6 +64,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/infection/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/infection/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/wermgr_process_create_executable_file.yml b/detections/endpoint/wermgr_process_create_executable_file.yml index c55a509bb0..231e40d92a 100644 --- a/detections/endpoint/wermgr_process_create_executable_file.yml +++ b/detections/endpoint/wermgr_process_create_executable_file.yml @@ -1,16 +1,17 @@ name: Wermgr Process Create Executable File id: ab3bcce0-a105-11eb-973c-acde48001122 -version: 1 -date: '2021-04-19' +version: 2 +date: '2024-05-23' author: Teoderick Contreras, Splunk status: production type: TTP -description: this search is designed to detect potential malicious wermgr.exe process - that drops or create executable file. Since wermgr.exe is an application trigger - when error encountered in a process, it is really un ussual to this process to drop - executable file. This technique is commonly seen in trickbot malware where it injects - it code to this process to execute it malicious behavior like downloading other - payload +description: The following analytic detects the wermgr.exe process creating an executable + file. It leverages Sysmon EventCode 11 to identify instances where wermgr.exe generates + a .exe file. This behavior is unusual because wermgr.exe is typically associated + with error reporting, not file creation. Such activity is significant as it may + indicate TrickBot malware, which injects code into wermgr.exe to execute malicious + actions like downloading additional payloads. If confirmed malicious, this could + lead to further malware infections, data exfiltration, or system compromise. data_source: - Sysmon EventID 11 search: '`sysmon` EventCode=11 process_name = "wermgr.exe" TargetFilename = "*.exe" @@ -56,6 +57,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/infection/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/infection/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/wermgr_process_spawned_cmd_or_powershell_process.yml b/detections/endpoint/wermgr_process_spawned_cmd_or_powershell_process.yml index 4bb17179bc..df44295542 100644 --- a/detections/endpoint/wermgr_process_spawned_cmd_or_powershell_process.yml +++ b/detections/endpoint/wermgr_process_spawned_cmd_or_powershell_process.yml @@ -1,14 +1,18 @@ name: Wermgr Process Spawned CMD Or Powershell Process id: e8fc95bc-a107-11eb-a978-acde48001122 -version: 2 -date: '2021-04-19' +version: 3 +date: '2024-05-26' author: Teoderick Contreras, Splunk status: production type: TTP -description: This search is designed to detect suspicious cmd and powershell process - spawned by wermgr.exe process. This suspicious behavior are commonly seen in code - injection technique technique like trickbot to execute a shellcode, dll modules - to run malicious behavior. +description: The following analytic detects the spawning of cmd or PowerShell processes + by the wermgr.exe process. It leverages data from Endpoint Detection and Response + (EDR) agents, focusing on process telemetry, including parent-child process relationships + and command-line executions. This behavior is significant as it is commonly associated + with code injection techniques used by malware like TrickBot to execute shellcode + or malicious DLL modules. If confirmed malicious, this activity could allow attackers + to execute arbitrary code, escalate privileges, or maintain persistence within the + environment, posing a severe threat to system security. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` values(Processes.process) as cmdline @@ -68,6 +72,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/infection/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/infection/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/wget_download_and_bash_execution.yml b/detections/endpoint/wget_download_and_bash_execution.yml index f997b41d31..5284757eb7 100644 --- a/detections/endpoint/wget_download_and_bash_execution.yml +++ b/detections/endpoint/wget_download_and_bash_execution.yml @@ -1,13 +1,17 @@ name: Wget Download and Bash Execution id: 35682718-5a85-11ec-b8f7-acde48001122 -version: 1 -date: '2021-12-11' +version: 2 +date: '2024-05-12' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies the use of wget on Linux or MacOS attempting - to download a file from a remote source and pipe it to bash. This is typically found - with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j. +description: The following analytic detects the use of wget on Linux or MacOS to download + a file from a remote source and pipe it to bash. This detection leverages data from + Endpoint Detection and Response (EDR) agents, focusing on process names and command-line + executions. This activity is significant as it is commonly associated with malicious + actions like coinminers and exploits such as CVE-2021-44228 in Log4j. If confirmed + malicious, this behavior could allow attackers to execute arbitrary code, potentially + leading to system compromise and unauthorized access to sensitive data. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -79,6 +83,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/linux-sysmon_curlwget.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/linux-sysmon_curlwget.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/detections/endpoint/windows_abused_web_services.yml b/detections/endpoint/windows_abused_web_services.yml index 2bcb34653e..1095d267ba 100644 --- a/detections/endpoint/windows_abused_web_services.yml +++ b/detections/endpoint/windows_abused_web_services.yml @@ -1,24 +1,23 @@ name: Windows Abused Web Services id: 01f0aef4-8591-4daa-a53d-0ed49823b681 -version: 1 -date: '2023-09-20' +version: 2 +date: '2024-05-22' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 22 -description: The following analytic detects a suspicious process making a DNS query via known, - abused text-paste web services, VoIP, internet via secure tunneling,instant messaging, and digital distribution - platforms used to download external files. This technique is abused by adversaries, - malware actors, and red teams to download a malicious file on the target host. This - is a good TTP indicator for possible initial access techniques. A user will experience - false positives if the following instant messaging is allowed or common applications - like telegram or discord are allowed in the corporate network. -search: '`sysmon` EventCode=22 QueryName IN ("*pastebin*",""*textbin*"", "*ngrok.io*", "*discord*", "*duckdns.org*", "*pasteio.com*") - | stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName QueryStatus process_name QueryResults Computer - | rename Computer as dest - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +description: The following analytic detects a suspicious process making DNS queries + to known, abused web services such as text-paste sites, VoIP, secure tunneling, + instant messaging, and digital distribution platforms. This detection leverages + Sysmon logs with Event ID 22, focusing on specific query names. This activity is + significant as it may indicate an adversary attempting to download malicious files, + a common initial access technique. If confirmed malicious, this could lead to unauthorized + code execution, data exfiltration, or further compromise of the target host. +search: '`sysmon` EventCode=22 QueryName IN ("*pastebin*",""*textbin*"", "*ngrok.io*", + "*discord*", "*duckdns.org*", "*pasteio.com*") | stats count min(_time) as firstTime + max(_time) as lastTime by Image QueryName QueryStatus process_name QueryResults + Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_abused_web_services_filter`' how_to_implement: This detection relies on sysmon logs with the Event ID 22, DNS Query. We suggest you run this detection at least once a day over the last 14 days. @@ -62,6 +61,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1102/njrat_ngrok_connection/ngrok.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1102/njrat_ngrok_connection/ngrok.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml b/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml index f9596dc30f..36a82e515d 100644 --- a/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml +++ b/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml @@ -1,17 +1,17 @@ name: Windows Access Token Manipulation SeDebugPrivilege id: 6ece9ed0-5f92-4315-889d-48560472b188 -version: 1 -date: '2023-12-27' +version: 2 +date: '2024-05-20' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic identifies a suspicious process enabling the "SeDebugPrivilege" - privilege token. SeDebugPrivilege allows a process to inspect and adjust the memory - of other processes, and has long been a security concern. SeDebugPrivilege allows - the token bearer to access any process or thread, regardless of security descriptors, - per Palantir. This technique is abused by adversaries to gain debug privileges with - their malicious software to be able to access or debug a process to dump credentials - or to inject malicious code. +description: The following analytic detects a process enabling the "SeDebugPrivilege" + privilege token. It leverages Windows Security Event Logs with EventCode 4703, filtering + out common legitimate processes. This activity is significant because SeDebugPrivilege + allows a process to inspect and modify the memory of other processes, potentially + leading to credential dumping or code injection. If confirmed malicious, an attacker + could gain extensive control over system processes, enabling them to escalate privileges, + persist in the environment, or access sensitive information. data_source: - Windows Event Log Security 4703 search: '`wineventlog_security` EventCode=4703 EnabledPrivilegeList = "*SeDebugPrivilege*" @@ -72,7 +72,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/sedebugprivilege_token/security-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/sedebugprivilege_token/security-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog update_timestamp: true diff --git a/detections/endpoint/windows_access_token_manipulation_winlogon_duplicate_token_handle.yml b/detections/endpoint/windows_access_token_manipulation_winlogon_duplicate_token_handle.yml index 2cb73893ef..3379233382 100644 --- a/detections/endpoint/windows_access_token_manipulation_winlogon_duplicate_token_handle.yml +++ b/detections/endpoint/windows_access_token_manipulation_winlogon_duplicate_token_handle.yml @@ -1,21 +1,25 @@ name: Windows Access Token Manipulation Winlogon Duplicate Token Handle id: dda126d7-1d99-4f0b-b72a-4c14031f9398 -version: 1 -date: '2022-08-24' +version: 2 +date: '2024-05-22' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic identifies a process requesting access to winlogon.exe - attempting to duplicate its handle. This technique was seen in several adversaries - to gain privileges for their process. Winlogon.exe is the common targeted process - of this technique because it contains high privileges and security tokens. +description: The following analytic detects a process attempting to access winlogon.exe + to duplicate its handle. This is identified using Sysmon EventCode 10, focusing + on processes targeting winlogon.exe with specific access rights. This activity is + significant because it is a common technique used by adversaries to escalate privileges + by leveraging the high privileges and security tokens associated with winlogon.exe. + If confirmed malicious, this could allow an attacker to gain elevated privileges, + potentially leading to full system compromise and unauthorized access to sensitive + information. data_source: - Sysmon EventID 10 search: '`sysmon` EventCode=10 TargetImage IN("*\\system32\\winlogon.exe*", "*\\SysWOW64\\winlogon.exe*") GrantedAccess = 0x1040 | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage SourceProcessGUID TargetProcessGUID SourceProcessId TargetProcessId - GrantedAccess CallTrace dest user_id | `security_content_ctime(firstTime)` | - `security_content_ctime(lastTime)` | `windows_access_token_manipulation_winlogon_duplicate_token_handle_filter`' + GrantedAccess CallTrace dest user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_access_token_manipulation_winlogon_duplicate_token_handle_filter`' how_to_implement: To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. If you are using Sysmon, you must have at least version 6.0.4 @@ -66,7 +70,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/brute_duplicate_token/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/brute_duplicate_token/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_access_token_winlogon_duplicate_handle_in_uncommon_path.yml b/detections/endpoint/windows_access_token_winlogon_duplicate_handle_in_uncommon_path.yml index e2ecf54105..cc92288e72 100644 --- a/detections/endpoint/windows_access_token_winlogon_duplicate_handle_in_uncommon_path.yml +++ b/detections/endpoint/windows_access_token_winlogon_duplicate_handle_in_uncommon_path.yml @@ -1,25 +1,26 @@ name: Windows Access Token Winlogon Duplicate Handle In Uncommon Path id: b8f7ed6b-0556-4c84-bffd-839c262b0278 -version: 1 -date: '2022-08-24' +version: 2 +date: '2024-05-27' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic identifies a process requesting access in winlogon.exe - to duplicate its handle with a non-common or public process source path. This technique - was seen where adversaries attempt to gain privileges to their process. This duplicate - handle access technique, may refer to a malicious process duplicating the process - token of winlogon.exe and using it to a new process instance. Winlogon.exe is the - common targeted process of this technique because it contains high privileges and - security tokens. +description: The following analytic detects a process attempting to duplicate the + handle of winlogon.exe from an uncommon or public source path. This is identified + using Sysmon EventCode 10, focusing on processes targeting winlogon.exe with specific + access rights and excluding common system paths. This activity is significant because + it may indicate an adversary trying to escalate privileges by leveraging the high-privilege + tokens associated with winlogon.exe. If confirmed malicious, this could allow the + attacker to gain elevated access, potentially leading to full system compromise + and persistent control over the affected host. data_source: - Sysmon EventID 10 search: '`sysmon` EventCode=10 TargetImage IN("*\\system32\\winlogon.exe*", "*\\SysWOW64\\winlogon.exe*") AND GrantedAccess = 0x1040 AND NOT (SourceImage IN("C:\\Windows\\*", "C:\\Program File*", "%systemroot%\\*")) | stats count min(_time) as firstTime max(_time) as - lastTime by Computer SourceImage TargetImage SourceProcessGUID TargetProcessGUID SourceProcessId - TargetProcessId GrantedAccess CallTrace | rename Computer as dest| `security_content_ctime(firstTime)` | - `security_content_ctime(lastTime)` | `windows_access_token_winlogon_duplicate_handle_in_uncommon_path_filter`' + lastTime by Computer SourceImage TargetImage SourceProcessGUID TargetProcessGUID + SourceProcessId TargetProcessId GrantedAccess CallTrace | rename Computer as dest| + `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_access_token_winlogon_duplicate_handle_in_uncommon_path_filter`' how_to_implement: To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. If you are using Sysmon, you must have at least version 6.0.4 @@ -35,7 +36,8 @@ tags: asset_type: Endpoint confidence: 70 impact: 70 - message: A process $SourceImage$ is duplicating the handle token of winlogon.exe on $dest$ + message: A process $SourceImage$ is duplicating the handle token of winlogon.exe + on $dest$ mitre_attack_id: - T1134.001 - T1134 @@ -69,7 +71,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/brute_duplicate_token/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/brute_duplicate_token/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_account_discovery_for_none_disable_user_account.yml b/detections/endpoint/windows_account_discovery_for_none_disable_user_account.yml index 64babf75f4..c4aadd207c 100644 --- a/detections/endpoint/windows_account_discovery_for_none_disable_user_account.yml +++ b/detections/endpoint/windows_account_discovery_for_none_disable_user_account.yml @@ -1,26 +1,30 @@ name: Windows Account Discovery for None Disable User Account id: eddbf5ba-b89e-47ca-995e-2d259804e55e -version: 2 -date: '2023-12-15' +version: 3 +date: '2024-05-26' author: Teoderick Contreras, Splunk status: production type: Hunting data_source: - Powershell Script Block Logging 4104 -description: The following analytic utilizes PowerShell Script Block Logging to identify - the execution of the PowerView PowerShell commandlet Get-NetUser. In the context - of PowerView's Get-NetUser cmdlet as a filter or parameter to query Active Directory - user accounts that are not disabled. The full script block text based on the CISA-23-347A advisory is "Get-NetUser -UACFilter NOT_ACCOUNTDISABLE". Utilize this query to identify potential suspicious activity of user account enumeration. -search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-NetUser*" ScriptBlockText = "*NOT_ACCOUNTDISABLE*" ScriptBlockText = "*-UACFilter*" - | rename Computer as dest, UserID as user - | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +description: The following analytic detects the execution of the PowerView PowerShell + cmdlet Get-NetUser with the UACFilter parameter set to NOT_ACCOUNTDISABLE, indicating + an attempt to enumerate Active Directory user accounts that are not disabled. This + detection leverages PowerShell Script Block Logging (EventCode 4104) to identify + the specific script block text. Monitoring this activity is significant as it may + indicate reconnaissance efforts by an attacker to identify active user accounts + for further exploitation. If confirmed malicious, this activity could lead to unauthorized + access, privilege escalation, or lateral movement within the network. +search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-NetUser*" ScriptBlockText + = "*NOT_ACCOUNTDISABLE*" ScriptBlockText = "*-UACFilter*" | rename Computer as dest, + UserID as user | stats count min(_time) as firstTime max(_time) as lastTime by EventCode + ScriptBlockText dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_account_discovery_for_none_disable_user_account_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.= -known_false_positives: Administrators may leverage PowerView for legitimate purposes, filter as needed. +known_false_positives: Administrators may leverage PowerView for legitimate purposes, + filter as needed. references: - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a - https://powersploit.readthedocs.io/en/stable/Recon/README/ @@ -32,7 +36,8 @@ tags: asset_type: Endpoint confidence: 50 impact: 30 - message: Windows Account Discovery for None Disable User Account using PowerView's Get-NetUser on $dest$. + message: Windows Account Discovery for None Disable User Account using PowerView's + Get-NetUser on $dest$. mitre_attack_id: - T1087 - T1087.001 @@ -56,6 +61,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087/powerview_get_netuser_preauthnotrequire/get-netuser-not-require-pwh.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087/powerview_get_netuser_preauthnotrequire/get-netuser-not-require-pwh.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational - sourcetype: xmlwineventlog \ No newline at end of file + sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_account_discovery_for_sam_account_name.yml b/detections/endpoint/windows_account_discovery_for_sam_account_name.yml index 670cd298ad..2701339e68 100644 --- a/detections/endpoint/windows_account_discovery_for_sam_account_name.yml +++ b/detections/endpoint/windows_account_discovery_for_sam_account_name.yml @@ -1,26 +1,30 @@ name: Windows Account Discovery for Sam Account Name id: 69934363-e1dd-4c49-8651-9d7663dd4d2f -version: 1 -date: '2023-12-15' +version: 2 +date: '2024-05-30' author: Teoderick Contreras, Splunk status: production type: Anomaly data_source: - Powershell Script Block Logging 4104 -description: The following analytic leverages Event ID 4104 to identify the execution of the PowerView powershell commandlets Get-NetUser. - In the context of PowerView's Get-NetUser cmdlet as a filter or parameter - to query Active Directory user account's "samccountname". This hunting query is a good pivot to look for suspicious process - or malware that gather user account information in a host or within network system. -search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-NetUser*" ScriptBlockText IN ("*samaccountname*", "*pwdlastset*") - | rename Computer as dest, UserID as user - | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +description: The following analytic detects the execution of the PowerView PowerShell + cmdlet Get-NetUser, specifically querying for "samaccountname" and "pwdlastset" + attributes. It leverages Event ID 4104 from PowerShell Script Block Logging to identify + this activity. This behavior is significant as it may indicate an attempt to gather + user account information from Active Directory, which is a common reconnaissance + step in lateral movement or privilege escalation attacks. If confirmed malicious, + this activity could allow an attacker to map out user accounts, potentially leading + to further exploitation and unauthorized access within the network. +search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-NetUser*" ScriptBlockText + IN ("*samaccountname*", "*pwdlastset*") | rename Computer as dest, UserID as user + | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText + dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_account_discovery_for_sam_account_name_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.= -known_false_positives: Administrators may leverage PowerView for legitimate purposes, filter as needed. +known_false_positives: Administrators may leverage PowerView for legitimate purposes, + filter as needed. references: - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a tags: @@ -52,6 +56,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087/powerview_get_netuser_preauthnotrequire/get-netuser-not-require-pwh.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087/powerview_get_netuser_preauthnotrequire/get-netuser-not-require-pwh.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational - sourcetype: xmlwineventlog \ No newline at end of file + sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_account_discovery_with_netuser_preauthnotrequire.yml b/detections/endpoint/windows_account_discovery_with_netuser_preauthnotrequire.yml index a87b2c702e..6545581668 100644 --- a/detections/endpoint/windows_account_discovery_with_netuser_preauthnotrequire.yml +++ b/detections/endpoint/windows_account_discovery_with_netuser_preauthnotrequire.yml @@ -1,26 +1,29 @@ name: Windows Account Discovery With NetUser PreauthNotRequire id: cf056b65-44b2-4d32-9172-d6b6f081a376 -version: 1 -date: '2023-12-15' +version: 2 +date: '2024-05-27' author: Teoderick Contreras, Splunk status: production type: Hunting data_source: - Powershell Script Block Logging 4104 -description: The following analytic leverages Event ID 4104 to identify the execution of the PowerView powershell commandlets Get-NetUser. - This technique was observed in the context of PowerView's Get-NetUser cmdlet as a filter or parameter - to query Active Directory user accounts that do not require preauthentication for Kerberos. This hunting query is a good pivot to look for suspicious process - or malware that gather user account information in a host or within network system. -search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-NetUser*" ScriptBlockText = "*-PreauthNotRequire*" - | rename Computer as dest, UserID as user - | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +description: The following analytic detects the execution of the PowerView PowerShell + cmdlet Get-NetUser with the -PreauthNotRequire parameter, leveraging Event ID 4104. + This method identifies attempts to query Active Directory user accounts that do + not require Kerberos preauthentication. Monitoring this activity is crucial as it + can indicate reconnaissance efforts by an attacker to identify potentially vulnerable + accounts. If confirmed malicious, this behavior could lead to further exploitation, + such as unauthorized access or privilege escalation within the network. +search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-NetUser*" ScriptBlockText + = "*-PreauthNotRequire*" | rename Computer as dest, UserID as user | stats count + min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest + user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_account_discovery_with_netuser_preauthnotrequire_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.= -known_false_positives: Administrators may leverage PowerView for legitimate purposes, filter as needed. +known_false_positives: Administrators may leverage PowerView for legitimate purposes, + filter as needed. references: - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a tags: @@ -29,7 +32,8 @@ tags: asset_type: Endpoint confidence: 50 impact: 30 - message: A user dicovery using powerview commandlet Get-NetUser with PreauthNotRequire parameter on $dest$. + message: A user dicovery using powerview commandlet Get-NetUser with PreauthNotRequire + parameter on $dest$. mitre_attack_id: - T1087 observable: @@ -52,6 +56,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087/powerview_get_netuser_preauthnotrequire/get-netuser-not-require-pwh.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087/powerview_get_netuser_preauthnotrequire/get-netuser-not-require-pwh.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_ad_adminsdholder_acl_modified.yml b/detections/endpoint/windows_ad_adminsdholder_acl_modified.yml index c68b7b90b2..b78653d7b2 100644 --- a/detections/endpoint/windows_ad_adminsdholder_acl_modified.yml +++ b/detections/endpoint/windows_ad_adminsdholder_acl_modified.yml @@ -1,26 +1,30 @@ name: Windows AD AdminSDHolder ACL Modified id: 00d877c3-7b7b-443d-9562-6b231e2abab9 -version: 1 -date: '2022-11-15' +version: 2 +date: '2024-05-13' author: Mauricio Velazco, Splunk type: TTP status: production -data_source: +data_source: - Windows Event Log Security 5136 -description: The following analytic identifies the modification of the Access Control List for the AdminSDHolder object within a Windows domain. Specifically, the - detection triggers on the addition of a new rule to the existing ACL. AdminSDHolder is an object located in the System Partition in Active Directory and is used as a - security template for objects that are members of certain privileged groups. Objects in these groups are enumerated and any objects with security descriptors that dont - match the AdminSDHolder ACL are flagged for updating. The Security Descriptor propagator (SDProp) process runs every 60 minutes on the PDC Emulator and re-stamps the object - Access Control List (ACL) with the security permissions set on the AdminSDHolder. An adversary who has obtained privileged access to a Windows Domain may modify the AdminSDHolder - ACL to establish persistence and allow an unprivileged user to take control of a domain. -search: ' `wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=nTSecurityDescriptor OperationType="%%14674" ObjectDN="CN=AdminSDHolder,CN=System*" - | rex field=AttributeValue max_match=10000 "A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;(?PS-1-[0-59]-\d{2}-\d{8,10}-\d{8,10}-\d{8,10}-[1-9]\d{3})\)" - | stats values(added_user_sid) by _time, Computer, SubjectUserName, ObjectDN - | `windows_ad_adminsdholder_acl_modified_filter`' -how_to_implement: To successfully implement this search, you ned to be ingesting eventcode - `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` - within `DS Access` needs to be enabled. Additionally, a SACL needs to be created for the AdminSDHolder object in order to log modifications. -known_false_positives: Adding new users or groups to the AdminSDHolder ACL is not usual. Filter as needed +description: The following analytic detects modifications to the Access Control List + (ACL) of the AdminSDHolder object in a Windows domain, specifically the addition + of new rules. It leverages EventCode 5136 from the Security Event Log, focusing + on changes to the nTSecurityDescriptor attribute. This activity is significant because + the AdminSDHolder object secures privileged group members, and unauthorized changes + can allow attackers to establish persistence and escalate privileges. If confirmed + malicious, this could enable an attacker to control domain-level permissions, compromising + the entire Active Directory environment. +search: ' `wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=nTSecurityDescriptor + OperationType="%%14674" ObjectDN="CN=AdminSDHolder,CN=System*" | rex field=AttributeValue + max_match=10000 "A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;(?PS-1-[0-59]-\d{2}-\d{8,10}-\d{8,10}-\d{8,10}-[1-9]\d{3})\)" + | stats values(added_user_sid) by _time, Computer, SubjectUserName, ObjectDN | `windows_ad_adminsdholder_acl_modified_filter`' +how_to_implement: To successfully implement this search, you ned to be ingesting eventcode + `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` + within `DS Access` needs to be enabled. Additionally, a SACL needs to be created + for the AdminSDHolder object in order to log modifications. +known_false_positives: Adding new users or groups to the AdminSDHolder ACL is not + usual. Filter as needed references: - https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory - https://social.technet.microsoft.com/wiki/contents/articles/22331.adminsdholder-protected-groups-and-security-descriptor-propagator.aspx @@ -65,6 +69,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546/adminsdholder_modified/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546/adminsdholder_modified/windows-security.log source: XmlWinEventLog:Security - sourcetype: XmlWinEventLog \ No newline at end of file + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_ad_cross_domain_sid_history_addition.yml b/detections/endpoint/windows_ad_cross_domain_sid_history_addition.yml index 05141f0b5a..d5a0b0fbd1 100644 --- a/detections/endpoint/windows_ad_cross_domain_sid_history_addition.yml +++ b/detections/endpoint/windows_ad_cross_domain_sid_history_addition.yml @@ -1,28 +1,32 @@ name: Windows AD Cross Domain SID History Addition id: 41bbb371-28ba-439c-bb5c-d9930c28365d -version: 1 -date: '2022-11-17' +version: 2 +date: '2024-05-11' author: Dean Luxton type: TTP status: production -data_source: +data_source: - Windows Event Log Security 4742 - Windows Event Log Security 4738 -description: The following analytic looks for changes to the sIDHistory AD attribute of user or computer objects within different domains. - The SID history AD attribute allows users to inherit permissions from a separate AD account without group changes. Initially developed for access - continuity when migrating user accounts to different domains, this attribute can also be abused by adversaries for inter-domain privilege escalation and persistence. -search: '`wineventlog_security` (EventCode=4742 OR EventCode=4738) NOT SidHistory IN ("%%1793", -) - | rex field=SidHistory "(^%{|^)(?P.*)(\-|\\\)" - | rex field=TargetSid "^(?P.*)(\-|\\\)" - | where SidHistoryMatch!=TargetSidmatch AND SidHistoryMatch!=TargetDomainName - | rename TargetSid as userSid - | table _time action status host user userSid SidHistory Logon_ID src_user - | `windows_ad_cross_domain_sid_history_addition_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting eventcodes - `4738` and `4742`. The Advanced Security Audit policy settings - `Audit User Account Management` and `Audit Computer Account Management` - within `Account Management` all need to be enabled. -known_false_positives: Domain mergers and migrations may generate large volumes of false positives for this analytic. +description: The following analytic detects changes to the sIDHistory attribute of + user or computer objects across different domains. It leverages Windows Security + Event Codes 4738 and 4742 to identify when the sIDHistory attribute is modified. + This activity is significant because the sIDHistory attribute allows users to inherit + permissions from other AD accounts, which can be exploited by adversaries for inter-domain + privilege escalation and persistence. If confirmed malicious, this could enable + attackers to gain unauthorized access to resources, maintain persistence, and escalate + privileges across domain boundaries. +search: '`wineventlog_security` (EventCode=4742 OR EventCode=4738) NOT SidHistory + IN ("%%1793", -) | rex field=SidHistory "(^%{|^)(?P.*)(\-|\\\)" + | rex field=TargetSid "^(?P.*)(\-|\\\)" | where SidHistoryMatch!=TargetSidmatch + AND SidHistoryMatch!=TargetDomainName | rename TargetSid as userSid | table _time + action status host user userSid SidHistory Logon_ID src_user | `windows_ad_cross_domain_sid_history_addition_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + eventcodes `4738` and `4742`. The Advanced Security Audit policy settings `Audit + User Account Management` and `Audit Computer Account Management` within `Account + Management` all need to be enabled. +known_false_positives: Domain mergers and migrations may generate large volumes of + false positives for this analytic. references: - https://adsecurity.org/?p=1772 - https://learn.microsoft.com/en-us/windows/win32/adschema/a-sidhistory?redirectedfrom=MSDN @@ -64,6 +68,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1134.005/mimikatz/windows-security-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1134.005/mimikatz/windows-security-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_ad_domain_controller_audit_policy_disabled.yml b/detections/endpoint/windows_ad_domain_controller_audit_policy_disabled.yml index e209fc63c9..10b933d2aa 100644 --- a/detections/endpoint/windows_ad_domain_controller_audit_policy_disabled.yml +++ b/detections/endpoint/windows_ad_domain_controller_audit_policy_disabled.yml @@ -1,13 +1,20 @@ name: Windows AD Domain Controller Audit Policy Disabled id: fc3ccef1-60a4-4239-bd66-b279511b4d14 -version: 1 -date: '2023-01-26' +version: 2 +date: '2024-05-12' author: Dean Luxton type: TTP status: production data_source: - Windows Event Log Security 4719 -description: The following analytic detects the disabling of audit policies on a domain controller. The detection is made by identifying changes made to audit policies and checks for the removal of success or failure auditing, which are common indicators of policy tampering. The detection is important because it indicates that an attacker has gained access to the domain controller and is attempting to evade detection and cover up malicious activity. The impact of such an attack can be severe, including data theft, privilege escalation, and compromise of the entire network. False positives might occur since legitimate changes to audit policies might also trigger the analytic. Upon triage, review the audit policy change event and investigate the source of the change. Additionally, you must capture and inspect any relevant on-disk artifacts and review concurrent processes to identify the attack source." +description: The following analytic detects the disabling of audit policies on a domain + controller. It leverages EventCode 4719 from Windows Security Event Logs to identify + changes where success or failure auditing is removed. This activity is significant + as it suggests an attacker may have gained access to the domain controller and is + attempting to evade detection by tampering with audit policies. If confirmed malicious, + this could lead to severe consequences, including data theft, privilege escalation, + and full network compromise. Immediate investigation is required to determine the + source and intent of the change. search: '`wineventlog_security` EventCode=4719 (AuditPolicyChanges IN ("%%8448","%%8450","%%8448, %%8450") OR Changes IN ("Failure removed","Success removed","Success removed, Failure removed")) dest_category="domain_controller"| replace "%%8448" with "Success removed", @@ -53,6 +60,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable_gpo/windows-security-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable_gpo/windows-security-xml.log source: XmlWinEventLog:Security sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_ad_domain_controller_promotion.yml b/detections/endpoint/windows_ad_domain_controller_promotion.yml index 205f4feffd..43fd9e1f94 100644 --- a/detections/endpoint/windows_ad_domain_controller_promotion.yml +++ b/detections/endpoint/windows_ad_domain_controller_promotion.yml @@ -1,21 +1,34 @@ name: Windows AD Domain Controller Promotion id: e633a0ef-2a6e-4ed7-b925-5ff999e5d1f0 -version: 1 -date: '2023-01-26' +version: 2 +date: '2024-05-18' author: Dean Luxton type: TTP status: production data_source: - Windows Event Log Security 4742 -description: This analytic identifies a genuine DC promotion event. Identifying when a computer assigns itself the - necessary SPNs to function as a domain controller. Note these events are triggered on the existing domain controllers, not the newly - joined domain controller. This detection will serve to identify rogue DCs added to the network. There are 2x detections within this analytic story - which identify DCShadow attacks, if you do not currently possess the logging for these detections, remove the where clause within this - detection to identify DCShadow activity. -search: "`wineventlog_security` EventCode=4742 ServicePrincipalNames IN (\"*E3514235-4B06-11D1-AB04-00C04FC2DCD2/*\",\"*GC/*\")| stats min(_time) as _time latest(ServicePrincipalNames) as ServicePrincipalNames,values(signature) as signature, values(src_user) as src_user, values(user) as user by Logon_ID, dvc| where src_user=user| rename Logon_ID as TargetLogonId, user as dest | appendpipe [| map search=\"search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$\" | fields - dest, dvc, signature]| stats min(_time) as _time, values(TargetUserSid) as TargetUserSid, values(Target_Domain) as Target_Domain, values(user) as user, values(status) as status, values(src_category) as src_category, values(src_ip) as src_ip values(ServicePrincipalNames) as ServicePrincipalNames values(signature) as signature values(dest) as dest values(dvc) as dvc by TargetLogonId | eval dest=trim(dest,\"$\") | `windows_ad_domain_controller_promotion_filter`" -how_to_implement: To successfully implement this search, you need to be ingesting eventcode - `4742`. The Advanced Security Audit policy setting `Audit Computer Account Management` - within `Account Management` needs to be enabled. +description: The following analytic identifies a genuine Domain Controller (DC) promotion + event by detecting when a computer assigns itself the necessary Service Principal + Names (SPNs) to function as a domain controller. It leverages Windows Security Event + Code 4742 to monitor existing domain controllers for these changes. This activity + is significant as it can help identify rogue DCs added to the network, which could + indicate a DCShadow attack. If confirmed malicious, this could allow an attacker + to manipulate Active Directory, leading to potential privilege escalation and persistent + access within the environment. +search: "`wineventlog_security` EventCode=4742 ServicePrincipalNames IN (\"*E3514235-4B06-11D1-AB04-00C04FC2DCD2/*\"\ + ,\"*GC/*\")| stats min(_time) as _time latest(ServicePrincipalNames) as ServicePrincipalNames,values(signature) + as signature, values(src_user) as src_user, values(user) as user by Logon_ID, dvc| + where src_user=user| rename Logon_ID as TargetLogonId, user as dest | appendpipe + [| map search=\"search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$\"\ + \ | fields - dest, dvc, signature]| stats min(_time) as _time, values(TargetUserSid) + as TargetUserSid, values(Target_Domain) as Target_Domain, values(user) as user, + values(status) as status, values(src_category) as src_category, values(src_ip) as + src_ip values(ServicePrincipalNames) as ServicePrincipalNames values(signature) + as signature values(dest) as dest values(dvc) as dvc by TargetLogonId | eval dest=trim(dest,\"\ + $\") | `windows_ad_domain_controller_promotion_filter`" +how_to_implement: To successfully implement this search, you need to be ingesting + eventcode `4742`. The Advanced Security Audit policy setting `Audit Computer Account + Management` within `Account Management` needs to be enabled. known_false_positives: None. references: - https://attack.mitre.org/techniques/T1207/ @@ -23,8 +36,8 @@ tags: analytic_story: - Sneaky Active Directory Persistence Tricks asset_type: Endpoint - confidence: 100 - impact: 80 + confidence: 100 + impact: 80 message: AD Domain Controller Promotion Event Detected for $dest$ mitre_attack_id: - T1207 @@ -50,6 +63,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1207/dc_promo/windows-security-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1207/dc_promo/windows-security-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_ad_domain_replication_acl_addition.yml b/detections/endpoint/windows_ad_domain_replication_acl_addition.yml index 91eab3b69d..0be1143257 100644 --- a/detections/endpoint/windows_ad_domain_replication_acl_addition.yml +++ b/detections/endpoint/windows_ad_domain_replication_acl_addition.yml @@ -1,70 +1,84 @@ name: Windows AD Domain Replication ACL Addition id: 8c372853-f459-4995-afdc-280c114d33ab -version: 1 -date: "2022-11-18" +version: 2 +date: "2024-05-16" author: Dean Luxton type: TTP status: experimental data_source: [] -description: - The following analytic detects the addition of the permissions necessary to perform a DCSync attack. - In order to replicate AD objects, the initiating user or computer must have the following permissions on the domain. - - DS-Replication-Get-Changes - - DS-Replication-Get-Changes-All - Certain Sync operations may require the additional permission of DS-Replication-Get-Changes-In-Filtered-Set. - By default, adding DCSync permissions via the Powerview Add-ObjectACL operation adds all 3. This alert identifies where this trifecta has been met, and also where just the base level requirements have been met. -search: '`wineventlog_security` | rex field=AttributeValue max_match=10000 \"OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;(?PS-1-[0-59]-\d{2}-\d{8,10}-\d{8,10}-\d{8,10}-[1-9]\d{3})\)\"| table _time dest src_user DSRGetChanges_user_sid DSRGetChangesAll_user_sid DSRGetChangesFiltered_user_sid| mvexpand DSRGetChanges_user_sid| eval minDCSyncPermissions=if(DSRGetChanges_user_sid=DSRGetChangesAll_user_sid,\"true\",\"false\"), fullSet=if(DSRGetChanges_user_sid=DSRGetChangesAll_user_sid AND DSRGetChanges_user_sid=DSRGetChangesFiltered_user_sid,\"true\",\"false\")| where minDCSyncPermissions=\"true\" | lookup identity_lookup_expanded objectSid as DSRGetChanges_user_sid OUTPUT sAMAccountName as user | rename DSRGetChanges_user_sid as userSid | stats min(_time) as _time values(user) as user by dest src_user userSid minDCSyncPermissions fullSet| `windows_ad_domain_replication_acl_addition_filter`' -how_to_implement: - To successfully implement this search, you need to be ingesting the eventcode 5136. The Advanced Security Audit policy setting - `Audit Directory Services Changes` within `DS Access` needs to be enabled, alongside a SACL for `everybody` to `Write All Properties` - applied to the domain root and all descendant objects. Once the necessary logging has been enabled, enumerate the domain policy to verify if existing - accounts with access need to be whitelisted, or revoked. Assets and Identities is also leveraged to automatically translate the objectSid into username. - Ensure your identities lookup is configured with the sAMAccountName and objectSid of all AD user and computer objects. -known_false_positives: - When there is a change to nTSecurityDescriptor, Windows logs the entire ACL with the newly added components. - If existing accounts are present with this permission, they will raise an alert each time the nTSecurityDescriptor is updated unless whitelisted. +description: The following analytic detects the addition of permissions required for + a DCSync attack, specifically DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, + and DS-Replication-Get-Changes-In-Filtered-Set. It leverages EventCode 5136 from + the Windows Security Event Log to identify when these permissions are granted. This + activity is significant because it indicates potential preparation for a DCSync + attack, which can be used to replicate AD objects and exfiltrate sensitive data. + If confirmed malicious, an attacker could gain extensive access to Active Directory, + leading to severe data breaches and privilege escalation. +search: '`wineventlog_security` | rex field=AttributeValue max_match=10000 \"OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;(?PS-1-[0-59]-\d{2}-\d{8,10}-\d{8,10}-\d{8,10}-[1-9]\d{3})\)\"| + table _time dest src_user DSRGetChanges_user_sid DSRGetChangesAll_user_sid DSRGetChangesFiltered_user_sid| + mvexpand DSRGetChanges_user_sid| eval minDCSyncPermissions=if(DSRGetChanges_user_sid=DSRGetChangesAll_user_sid,\"true\",\"false\"), + fullSet=if(DSRGetChanges_user_sid=DSRGetChangesAll_user_sid AND DSRGetChanges_user_sid=DSRGetChangesFiltered_user_sid,\"true\",\"false\")| + where minDCSyncPermissions=\"true\" | lookup identity_lookup_expanded objectSid + as DSRGetChanges_user_sid OUTPUT sAMAccountName as user | rename DSRGetChanges_user_sid + as userSid | stats min(_time) as _time values(user) as user by dest src_user userSid + minDCSyncPermissions fullSet| `windows_ad_domain_replication_acl_addition_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + the eventcode 5136. The Advanced Security Audit policy setting `Audit Directory + Services Changes` within `DS Access` needs to be enabled, alongside a SACL for `everybody` + to `Write All Properties` applied to the domain root and all descendant objects. + Once the necessary logging has been enabled, enumerate the domain policy to verify + if existing accounts with access need to be whitelisted, or revoked. Assets and + Identities is also leveraged to automatically translate the objectSid into username. + Ensure your identities lookup is configured with the sAMAccountName and objectSid + of all AD user and computer objects. +known_false_positives: When there is a change to nTSecurityDescriptor, Windows logs + the entire ACL with the newly added components. If existing accounts are present + with this permission, they will raise an alert each time the nTSecurityDescriptor + is updated unless whitelisted. references: - - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/1522b774-6464-41a3-87a5-1e5633c3fbbb - - https://github.com/SigmaHQ/sigma/blob/29a5c62784faf986dc03952ae3e90e3df3294284/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/1522b774-6464-41a3-87a5-1e5633c3fbbb +- https://github.com/SigmaHQ/sigma/blob/29a5c62784faf986dc03952ae3e90e3df3294284/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml tags: analytic_story: - - Sneaky Active Directory Persistence Tricks + - Sneaky Active Directory Persistence Tricks asset_type: Endpoint confidence: 80 impact: 100 message: $src_user$ has granted $user$ permission to replicate AD objects mitre_attack_id: - - T1484 + - T1484 observable: - - name: user - type: User - role: - - Victim - - name: src_user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim + - name: user + type: User + role: + - Victim + - name: src_user + type: User + role: + - Victim + - name: dest + type: Hostname + role: + - Victim product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud required_fields: - - _time - - dest - - src_user - - AttributeLDAPDisplayName - - AttributeValue - - ObjectClass + - _time + - dest + - src_user + - AttributeLDAPDisplayName + - AttributeValue + - ObjectClass risk_score: 80 security_domain: endpoint - manual_test: This search uses a lookup provided by Enterprise Security and needs to be manually tested. + manual_test: This search uses a lookup provided by Enterprise Security and needs + to be manually tested. tests: - - name: True Positive Test - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484/aclmodification/windows-security-xml.log - source: XmlWinEventLog:Security - sourcetype: xmlwineventlog +- name: True Positive Test + attack_data: + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484/aclmodification/windows-security-xml.log + source: XmlWinEventLog:Security + sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_ad_dsrm_account_changes.yml b/detections/endpoint/windows_ad_dsrm_account_changes.yml index 90663061d2..6d87eae63b 100644 --- a/detections/endpoint/windows_ad_dsrm_account_changes.yml +++ b/detections/endpoint/windows_ad_dsrm_account_changes.yml @@ -1,28 +1,31 @@ name: Windows AD DSRM Account Changes id: 08cb291e-ea77-48e8-a95a-0799319bf056 -version: 2 -date: '2023-11-07' +version: 3 +date: '2024-05-24' author: Dean Luxton type: TTP status: production data_source: - Sysmon EventID 12 - Sysmon EventID 13 -description: Aside from being used to promote genuine domain controllers, the DSRM - (Directory Services Restore Mode) account can be used to persist within a Domain. - A DC can be configured to allow the DSRM account to logon & be used in the same - way as a local administrator account. This detection is looking for alterations - to the behaviour of the account via registry. +description: The following analytic identifies changes to the Directory Services Restore + Mode (DSRM) account behavior via registry modifications. It detects alterations + in the registry path "*\\System\\CurrentControlSet\\Control\\Lsa\\DSRMAdminLogonBehavior" + with specific values indicating potential misuse. This activity is significant because + the DSRM account, if misconfigured, can be exploited to persist within a domain, + similar to a local administrator account. If confirmed malicious, an attacker could + gain persistent administrative access to a Domain Controller, leading to potential + domain-wide compromise and unauthorized access to sensitive information. search: '| tstats `security_content_summariesonly` min(_time) as _time from datamodel=Endpoint.Registry where Registry.registry_path= "*\\System\\CurrentControlSet\\Control\\Lsa\\DSRMAdminLogonBehavior" Registry.registry_value_data IN ("*1","*2") by Registry.action Registry.registry_path - Registry.registry_value_data Registry.registry_value_type Registry.process_guid Registry.dest Registry.user - | `drop_dm_object_name(Registry)` | join type=outer process_guid [| tstats `security_content_summariesonly` - count FROM datamodel=Endpoint.Processes by Processes.user Processes.process_name - Processes.process Processes.dest Processes.parent_process_name Processes.parent_process - Processes.process_guid | `drop_dm_object_name(Processes)`] | table _time action - dest user parent_process_name parent_process process_name process process_guid registry_path - registry_value_data registry_value_type | `windows_ad_dsrm_account_changes_filter`' + Registry.registry_value_data Registry.registry_value_type Registry.process_guid + Registry.dest Registry.user | `drop_dm_object_name(Registry)` | join type=outer + process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes + by Processes.user Processes.process_name Processes.process Processes.dest Processes.parent_process_name + Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)`] + | table _time action dest user parent_process_name parent_process process_name process + process_guid registry_path registry_value_data registry_value_type | `windows_ad_dsrm_account_changes_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -70,6 +73,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/dsrm_account/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/dsrm_account/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_ad_dsrm_password_reset.yml b/detections/endpoint/windows_ad_dsrm_password_reset.yml index b4611939fe..6afb115e79 100644 --- a/detections/endpoint/windows_ad_dsrm_password_reset.yml +++ b/detections/endpoint/windows_ad_dsrm_password_reset.yml @@ -1,24 +1,30 @@ name: Windows AD DSRM Password Reset id: d1ab841c-36a6-46cf-b50f-b2b04b31182a -version: 1 -date: '2022-09-08' +version: 2 +date: '2024-05-12' author: Dean Luxton type: TTP status: production data_source: - Windows Event Log Security 4794 -description: Aside from being used to promote genuine domain controllers, the DSRM (Directory Services Restore Mode) - account can be used to persist within a Domain. A DC can be configured to allow the DSRM account to logon & be - used in the same way as a local administrator account. This detection is looking for any password reset attempts against that account. +description: The following analytic detects attempts to reset the Directory Services + Restore Mode (DSRM) administrator password on a Domain Controller. It leverages + event code 4794 from the Windows Security Event Log, specifically looking for events + where the DSRM password reset is attempted. This activity is significant because + the DSRM account can be used similarly to a local administrator account, providing + potential persistence for an attacker. If confirmed malicious, this could allow + an attacker to maintain administrative access to the Domain Controller, posing a + severe risk to the domain's security. search: '| tstats `security_content_summariesonly` min(_time) as _time from datamodel=Change where All_Changes.result_id="4794" AND All_Changes.result="An attempt was made to - set the Directory Services Restore Mode administrator password" by All_Changes.action, - All_Changes.dest, All_Changes.src, All_Changes.user - | `drop_dm_object_name(All_Changes)` | `windows_ad_dsrm_password_reset_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting eventcode - `4794` and have the Advanced Security Audit policy - `Audit User Account Management` within `Account Management` enabled. -known_false_positives: Resetting the DSRM password for legitamate reasons, i.e. forgot the password. Disaster recovery. Deploying AD backdoor deliberately. + set the Directory Services Restore Mode administrator password" by All_Changes.action, + All_Changes.dest, All_Changes.src, All_Changes.user | `drop_dm_object_name(All_Changes)` + | `windows_ad_dsrm_password_reset_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + eventcode `4794` and have the Advanced Security Audit policy `Audit User Account + Management` within `Account Management` enabled. +known_false_positives: Resetting the DSRM password for legitamate reasons, i.e. forgot + the password. Disaster recovery. Deploying AD backdoor deliberately. references: - https://adsecurity.org/?p=1714 tags: @@ -56,6 +62,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/dsrm_account/windows-security-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/dsrm_account/windows-security-xml.log source: XmlWinEventLog:Security - sourcetype: xmlwineventlog \ No newline at end of file + sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_ad_privileged_account_sid_history_addition.yml b/detections/endpoint/windows_ad_privileged_account_sid_history_addition.yml index 01d8943395..471e1d7456 100644 --- a/detections/endpoint/windows_ad_privileged_account_sid_history_addition.yml +++ b/detections/endpoint/windows_ad_privileged_account_sid_history_addition.yml @@ -1,71 +1,71 @@ name: Windows AD Privileged Account SID History Addition id: 6b521149-b91c-43aa-ba97-c2cac59ec830 -version: 2 -date: '2023-11-07' +version: 3 +date: '2024-05-26' author: Dean Luxton type: TTP status: production data_source: - Windows Event Log Security 4742 - Windows Event Log Security 4738 -description: - This detection identifies when the SID of a privileged user is added to - the SID History attribute of another user. Useful for tracking SID history abuse - across multiple domains. This detection leverages the Asset and Identities - framework. See the implementation section for further details on configuration. -search: - '`wineventlog_security` (EventCode=4742 OR EventCode=4738) NOT SidHistory IN ("%%1793", -) - | rex field=SidHistory "(^%{|^)(?P.*?)(}$|$)" - | eval category="privileged" - | lookup identity_lookup_expanded category, identity as SidHistory OUTPUT identity_tag as match - | where isnotnull(match) - | rename TargetSid as userSid - | table _time action status host user userSid SidHistory Logon_ID src_user - | `windows_ad_privileged_account_sid_history_addition_filter`' -how_to_implement: - Ensure you have objectSid and the Down Level Logon Name `DOMAIN\sAMACountName` +description: The following analytic identifies when the SID of a privileged user is + added to the SID History attribute of another user. It leverages Windows Security + Event Codes 4742 and 4738, combined with identity lookups, to detect this activity. + This behavior is significant as it may indicate an attempt to abuse SID history + for unauthorized access across multiple domains. If confirmed malicious, this activity + could allow an attacker to escalate privileges or maintain persistent access within + the environment, posing a significant security risk. +search: '`wineventlog_security` (EventCode=4742 OR EventCode=4738) NOT SidHistory + IN ("%%1793", -) | rex field=SidHistory "(^%{|^)(?P.*?)(}$|$)" | eval + category="privileged" | lookup identity_lookup_expanded category, identity as SidHistory + OUTPUT identity_tag as match | where isnotnull(match) | rename TargetSid as userSid + | table _time action status host user userSid SidHistory Logon_ID src_user | `windows_ad_privileged_account_sid_history_addition_filter`' +how_to_implement: Ensure you have objectSid and the Down Level Logon Name `DOMAIN\sAMACountName` added to the identity field of your Asset and Identities lookup, along with the - category of privileged for the applicable users. Ensure you are - ingesting eventcodes 4742 and 4738. Two advanced audit policies - `Audit User Account Management` and `Audit Computer Account Management` under - `Account Management` are required to generate these event codes. + category of privileged for the applicable users. Ensure you are ingesting eventcodes + 4742 and 4738. Two advanced audit policies `Audit User Account Management` and `Audit + Computer Account Management` under `Account Management` are required to generate + these event codes. known_false_positives: Migration of privileged accounts. references: - - https://adsecurity.org/?p=1772 +- https://adsecurity.org/?p=1772 tags: analytic_story: - - Sneaky Active Directory Persistence Tricks + - Sneaky Active Directory Persistence Tricks asset_type: Endpoint confidence: 90 impact: 100 - message: A Privileged User Account SID History Attribute was added to $userSid$ by $src_user$ + message: A Privileged User Account SID History Attribute was added to $userSid$ + by $src_user$ mitre_attack_id: - - T1134.005 - - T1134 + - T1134.005 + - T1134 observable: - - name: src_user - type: User - role: - - Victim + - name: src_user + type: User + role: + - Victim product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud required_fields: - - _time - - EventCode - - SidHistory - - TargetSid - - TargetDomainName - - user - - src_user - - Logon_ID + - _time + - EventCode + - SidHistory + - TargetSid + - TargetDomainName + - user + - src_user + - Logon_ID risk_score: 90 security_domain: endpoint - manual_test: This search uses a lookup provided by Enterprise Security and needs to be manually tested. + manual_test: This search uses a lookup provided by Enterprise Security and needs + to be manually tested. tests: - - name: True Positive Test - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1134.005/mimikatz/windows-security-xml.log - source: XmlWinEventLog:Security - sourcetype: xmlwineventlog +- name: True Positive Test + attack_data: + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1134.005/mimikatz/windows-security-xml.log + source: XmlWinEventLog:Security + sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_ad_privileged_object_access_activity.yml b/detections/endpoint/windows_ad_privileged_object_access_activity.yml index e365da2754..fde48019ed 100644 --- a/detections/endpoint/windows_ad_privileged_object_access_activity.yml +++ b/detections/endpoint/windows_ad_privileged_object_access_activity.yml @@ -1,44 +1,38 @@ name: Windows AD Privileged Object Access Activity id: dc2f58bc-8cd2-4e51-962a-694b963acde0 -version: 1 -date: '2023-06-01' +version: 2 +date: '2024-05-18' author: Steven Dick status: production type: TTP -description: Windows Active Directory contains numerous objects that grant elevated access to the domain they reside in. These objects should be rarely accessed by normal users or processes. Access attempts to one or more of these objects may be evidence of attacker enumeration of Active Directory. +description: The following analytic detects access attempts to privileged Active Directory + objects, such as Domain Admins or Enterprise Admins. It leverages Windows Security + Event Code 4662 to identify when these sensitive objects are accessed. This activity + is significant because such objects should rarely be accessed by normal users or + processes, and unauthorized access attempts may indicate attacker enumeration or + lateral movement within the domain. If confirmed malicious, this activity could + allow attackers to escalate privileges, persist in the environment, or gain control + over critical domain resources. data_source: - Windows Event Log Security 4662 -search: '`wineventlog_security` EventCode=4662 ObjectName IN ( -"CN=Account Operators,*", -"CN=Administrators,*", -"CN=Backup Operators,*", -"CN=Cert Publishers,*", -"CN=Certificate Service DCOM Access,*", -"CN=Domain Admins,*", -"CN=Domain Controllers,*", -"CN=Enterprise Admins,*", -"CN=Enterprise Read-only Domain Controllers,*", -"CN=Group Policy Creator Owners,*", -"CN=Incoming Forest Trust Builders,*", -"CN=Microsoft Exchange Servers,*", -"CN=Network Configuration Operators,*", -"CN=Power Users,*", -"CN=Print Operators,*", -"CN=Read-only Domain Controllers,*", -"CN=Replicators,*", -"CN=Schema Admins,*", -"CN=Server Operators,*", -"CN=Exchange Trusted Subsystem,*", -"CN=Exchange Windows Permission,*", -"CN=Organization Management,*") -| rex field=ObjectName "CN\=(?[^,]+)" -| stats values(Computer) as dest, values(object_name) as object_name, dc(ObjectName) as object_count, min(_time) as firstTime, max(_time) as lastTime, count by SubjectUserName -| rename SubjectUserName as user -| `security_content_ctime(firstTime)` -| `security_content_ctime(lastTime)` -| `windows_ad_privileged_object_access_activity_filter`' -how_to_implement: Enable Audit Directory Service Access via GPO and collect event code 4662. The required SACLs need to be created for the relevant objects. Be aware Splunk filters this event by default on the Windows TA. -known_false_positives: Service accounts or applications that routinely query Active Directory for information. +search: '`wineventlog_security` EventCode=4662 ObjectName IN ( "CN=Account Operators,*", + "CN=Administrators,*", "CN=Backup Operators,*", "CN=Cert Publishers,*", "CN=Certificate + Service DCOM Access,*", "CN=Domain Admins,*", "CN=Domain Controllers,*", "CN=Enterprise + Admins,*", "CN=Enterprise Read-only Domain Controllers,*", "CN=Group Policy Creator + Owners,*", "CN=Incoming Forest Trust Builders,*", "CN=Microsoft Exchange Servers,*", + "CN=Network Configuration Operators,*", "CN=Power Users,*", "CN=Print Operators,*", + "CN=Read-only Domain Controllers,*", "CN=Replicators,*", "CN=Schema Admins,*", "CN=Server + Operators,*", "CN=Exchange Trusted Subsystem,*", "CN=Exchange Windows Permission,*", + "CN=Organization Management,*") | rex field=ObjectName "CN\=(?[^,]+)" + | stats values(Computer) as dest, values(object_name) as object_name, dc(ObjectName) + as object_count, min(_time) as firstTime, max(_time) as lastTime, count by SubjectUserName + | rename SubjectUserName as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_ad_privileged_object_access_activity_filter`' +how_to_implement: Enable Audit Directory Service Access via GPO and collect event + code 4662. The required SACLs need to be created for the relevant objects. Be aware + Splunk filters this event by default on the Windows TA. +known_false_positives: Service accounts or applications that routinely query Active + Directory for information. references: - https://medium.com/securonix-tech-blog/detecting-ldap-enumeration-and-bloodhound-s-sharphound-collector-using-active-directory-decoys-dfc840f2f644 - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662 @@ -69,7 +63,7 @@ tags: required_fields: - _time - EventCode - - ObjectName + - ObjectName - EventCode - Computer - SubjectUserName @@ -78,7 +72,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/4662_ad_enum/4662_priv_events.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/4662_ad_enum/4662_priv_events.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog update_timestamp: true diff --git a/detections/endpoint/windows_ad_replication_request_initiated_by_user_account.yml b/detections/endpoint/windows_ad_replication_request_initiated_by_user_account.yml index c10d6584b3..09293b4370 100644 --- a/detections/endpoint/windows_ad_replication_request_initiated_by_user_account.yml +++ b/detections/endpoint/windows_ad_replication_request_initiated_by_user_account.yml @@ -1,24 +1,42 @@ name: Windows AD Replication Request Initiated by User Account id: 51307514-1236-49f6-8686-d46d93cc2821 -version: 2 -date: '2024-01-05' +version: 3 +date: '2024-05-16' author: Dean Luxton type: TTP status: production data_source: - Windows Event Log Security 4662 -description: This alert was written to detect activity associated with the DCSync attack. - When a domain controller receives a replication request, the user account permissions are validated, however no checks are performed to validate the request was initiated by a Domain Controller. - Once an attacker gains control of an account with the necessary privileges, they can request password hashes for any or all users within the domain. - This alert detects when a user account creates a handle to domainDNS with the necessary replication permissions. -search: '`wineventlog_security` EventCode=4662 ObjectType IN ("%{19195a5b-6da0-11d0-afd3-00c04fd930c9}", "domainDNS") AND Properties IN ("*Replicating Directory Changes All*", "*{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}*", "*{9923a32a-3607-11d2-b9be-0000f87a36b2}*","*{1131f6ac-9c07-11d1-f79f-00c04fc2dcd2}*") AND AccessMask="0x100" AND NOT (SubjectUserSid="NT AUT*" OR SubjectUserSid="S-1-5-18" OR SubjectDomainName="Window Manager" OR SubjectUserName="*$") | stats min(_time) as _time, count by SubjectDomainName, SubjectUserName, Computer, Logon_ID, ObjectName, ObjectServer, ObjectType, OperationType, status | rename SubjectDomainName as Target_Domain, SubjectUserName as user, Logon_ID as TargetLogonId, _time as attack_time | appendpipe [| map search="search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$"] | table attack_time, AuthenticationPackageName, LogonProcessName, LogonType, TargetUserSid, Target_Domain, user, Computer, TargetLogonId, status, src_ip, src_category, ObjectName, ObjectServer, ObjectType, OperationType | stats min(attack_time) as _time values(TargetUserSid) as TargetUserSid, values(Target_Domain) as Target_Domain, values(user) as user, values(Computer) as Computer, values(status) as status, values(src_category) as src_category, values(src_ip) as src_ip by TargetLogonId | `windows_ad_replication_request_initiated_by_user_account_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting eventcode `4662`. - The Advanced Security Audit policy settings `Audit Directory Services Access` - within `DS Access` needs to be enabled, as well as the following SACLs applied to the domain root - and all descendant objects. The principals `everybody`, `Domain Computers`, and `Domain Controllers` - auditing the permissions `Replicating Directory Changes`, `Replicating Directory Changes All`, and - `Replicating Directory Changes In Filtered Set` -known_false_positives: Azure AD Connect syncing operations. +description: The following analytic detects a user account initiating an Active Directory + replication request, indicative of a DCSync attack. It leverages EventCode 4662 + from the Windows Security Event Log, focusing on specific object types and replication + permissions. This activity is significant because it can allow an attacker with + sufficient privileges to request password hashes for any or all users within the + domain. If confirmed malicious, this could lead to unauthorized access, privilege + escalation, and potential compromise of the entire domain. +search: '`wineventlog_security` EventCode=4662 ObjectType IN ("%{19195a5b-6da0-11d0-afd3-00c04fd930c9}", + "domainDNS") AND Properties IN ("*Replicating Directory Changes All*", "*{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}*", + "*{9923a32a-3607-11d2-b9be-0000f87a36b2}*","*{1131f6ac-9c07-11d1-f79f-00c04fc2dcd2}*") + AND AccessMask="0x100" AND NOT (SubjectUserSid="NT AUT*" OR SubjectUserSid="S-1-5-18" + OR SubjectDomainName="Window Manager" OR SubjectUserName="*$") | stats min(_time) + as _time, count by SubjectDomainName, SubjectUserName, Computer, Logon_ID, ObjectName, + ObjectServer, ObjectType, OperationType, status | rename SubjectDomainName as Target_Domain, + SubjectUserName as user, Logon_ID as TargetLogonId, _time as attack_time | appendpipe + [| map search="search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$"] + | table attack_time, AuthenticationPackageName, LogonProcessName, LogonType, TargetUserSid, + Target_Domain, user, Computer, TargetLogonId, status, src_ip, src_category, ObjectName, + ObjectServer, ObjectType, OperationType | stats min(attack_time) as _time values(TargetUserSid) + as TargetUserSid, values(Target_Domain) as Target_Domain, values(user) as user, + values(Computer) as Computer, values(status) as status, values(src_category) as + src_category, values(src_ip) as src_ip by TargetLogonId | `windows_ad_replication_request_initiated_by_user_account_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + eventcode `4662`. The Advanced Security Audit policy settings `Audit Directory Services + Access` within `DS Access` needs to be enabled, as well as the following SACLs applied + to the domain root and all descendant objects. The principals `everybody`, `Domain + Computers`, and `Domain Controllers` auditing the permissions `Replicating Directory + Changes`, `Replicating Directory Changes All`, and `Replicating Directory Changes + In Filtered Set` +known_false_positives: Azure AD Connect syncing operations. references: - https://adsecurity.org/?p=1729 - https://www.linkedin.com/pulse/mimikatz-dcsync-event-log-detections-john-dwyer @@ -30,7 +48,8 @@ tags: asset_type: Endpoint confidence: 100 impact: 100 - message: Windows Active Directory Replication Request Initiated by User Account $user$ at $src_ip$ + message: Windows Active Directory Replication Request Initiated by User Account + $user$ at $src_ip$ mitre_attack_id: - T1003.006 - T1003 @@ -68,6 +87,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.006/mimikatz/xml-windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.006/mimikatz/xml-windows-security.log source: XmlWinEventLog:Security - sourcetype: XmlWinEventLog \ No newline at end of file + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_ad_replication_request_initiated_from_unsanctioned_location.yml b/detections/endpoint/windows_ad_replication_request_initiated_from_unsanctioned_location.yml index 4e5b7d00d5..1b02916fdf 100644 --- a/detections/endpoint/windows_ad_replication_request_initiated_from_unsanctioned_location.yml +++ b/detections/endpoint/windows_ad_replication_request_initiated_from_unsanctioned_location.yml @@ -1,43 +1,46 @@ name: Windows AD Replication Request Initiated from Unsanctioned Location id: 50998483-bb15-457b-a870-965080d9e3d3 -version: 3 -date: '2024-01-05' +version: 4 +date: '2024-05-20' author: Dean Luxton type: TTP status: production data_source: - Windows Event Log Security 4662 - Windows Event Log Security 4624 -description: This alert was written to detect activity associated with the DCSync attack performed by computer accounts. - When a domain controller receives a replication request, the account permissions are validated, however no checks are performed to validate the request was initiated by a Domain Controller. - Once an attacker gains control of an account with the necessary privileges, they can request password hashes for any or all users within the domain. - This alert detects when a computer account account creates a handle to domainDNS with the necessary replication permissions. These requests are then filtered to exclude where the events originate - from a known domain controller IP address. +description: The following analytic identifies unauthorized Active Directory replication + requests initiated from non-domain controller locations. It leverages EventCode + 4662 to detect when a computer account with replication permissions creates a handle + to domainDNS, filtering out known domain controller IP addresses. This activity + is significant as it may indicate a DCSync attack, where an attacker with privileged + access can request password hashes for any or all users within the domain. If confirmed + malicious, this could lead to unauthorized access to sensitive information and potential + full domain compromise. search: '`wineventlog_security` EventCode=4662 ObjectType IN ("%{19195a5b-6da0-11d0-afd3-00c04fd930c9}", - "domainDNS") AND Properties IN ("*Replicating Directory Changes All*", "*{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}*", - "*{9923a32a-3607-11d2-b9be-0000f87a36b2}*","*{1131f6ac-9c07-11d1-f79f-00c04fc2dcd2}*") - AND AccessMask="0x100" AND (SubjectUserSid="NT AUT*" OR SubjectUserSid="S-1-5-18" OR SubjectDomainName="Window Manager" OR SubjectUserName="*$") - | stats min(_time) as attack_time, count by SubjectDomainName, SubjectUserName, Computer, Logon_ID, ObjectName, ObjectServer, ObjectType, OperationType, status - | rename SubjectDomainName as Target_Domain, SubjectUserName as user, Logon_ID as - TargetLogonId - | appendpipe - [| map search="search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$"] + "domainDNS") AND Properties IN ("*Replicating Directory Changes All*", "*{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}*", + "*{9923a32a-3607-11d2-b9be-0000f87a36b2}*","*{1131f6ac-9c07-11d1-f79f-00c04fc2dcd2}*") + AND AccessMask="0x100" AND (SubjectUserSid="NT AUT*" OR SubjectUserSid="S-1-5-18" + OR SubjectDomainName="Window Manager" OR SubjectUserName="*$") | stats min(_time) + as attack_time, count by SubjectDomainName, SubjectUserName, Computer, Logon_ID, + ObjectName, ObjectServer, ObjectType, OperationType, status | rename SubjectDomainName + as Target_Domain, SubjectUserName as user, Logon_ID as TargetLogonId | appendpipe + [| map search="search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$"] | table attack_time, AuthenticationPackageName, LogonProcessName, LogonType, TargetUserSid, - Target_Domain, user, Computer, TargetLogonId, status, src_ip, src_category, ObjectName, - ObjectServer, ObjectType, OperationType - | stats min(attack_time) as _time, values(TargetUserSid) as TargetUserSid, values(Target_Domain) - as Target_Domain, values(user) as user, values(Computer) as Computer, values(status) - as status, values(src_category) as src_category, values(src_ip) as src_ip by TargetLogonId - | search NOT src_category="domain_controller" + Target_Domain, user, Computer, TargetLogonId, status, src_ip, src_category, ObjectName, + ObjectServer, ObjectType, OperationType | stats min(attack_time) as _time, values(TargetUserSid) + as TargetUserSid, values(Target_Domain) as Target_Domain, values(user) as user, + values(Computer) as Computer, values(status) as status, values(src_category) as + src_category, values(src_ip) as src_ip by TargetLogonId | search NOT src_category="domain_controller" | `windows_ad_replication_request_initiated_from_unsanctioned_location_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting eventcode `4662`. - The Advanced Security Audit policy settings `Audit Directory Services Access` - within `DS Access` needs to be enabled, as well as the following SACLs applied to the domain root - and all descendant objects. The principals `everybody`, `Domain Computers`, and `Domain Controllers` - auditing the permissions `Replicating Directory Changes`, `Replicating Directory Changes All`, and - `Replicating Directory Changes In Filtered Set` - Assets and Identities will also need to be configured, with the category of domain_controller added for domain controllers. -known_false_positives: Genuine DC promotion may trigger this alert. +how_to_implement: To successfully implement this search, you need to be ingesting + eventcode `4662`. The Advanced Security Audit policy settings `Audit Directory Services + Access` within `DS Access` needs to be enabled, as well as the following SACLs applied + to the domain root and all descendant objects. The principals `everybody`, `Domain + Computers`, and `Domain Controllers` auditing the permissions `Replicating Directory + Changes`, `Replicating Directory Changes All`, and `Replicating Directory Changes + In Filtered Set` Assets and Identities will also need to be configured, with the + category of domain_controller added for domain controllers. +known_false_positives: Genuine DC promotion may trigger this alert. references: - https://adsecurity.org/?p=1729 - https://www.linkedin.com/pulse/mimikatz-dcsync-event-log-detections-john-dwyer @@ -49,7 +52,8 @@ tags: asset_type: Endpoint confidence: 100 impact: 100 - message: Windows Active Directory Replication Request Initiated from Unsanctioned Location $src_ip$ by $user$ + message: Windows Active Directory Replication Request Initiated from Unsanctioned + Location $src_ip$ by $user$ mitre_attack_id: - T1003.006 - T1003 @@ -87,6 +91,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.006/impacket/windows-security-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.006/impacket/windows-security-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_ad_same_domain_sid_history_addition.yml b/detections/endpoint/windows_ad_same_domain_sid_history_addition.yml index 1211667b7d..8aa08c4d09 100644 --- a/detections/endpoint/windows_ad_same_domain_sid_history_addition.yml +++ b/detections/endpoint/windows_ad_same_domain_sid_history_addition.yml @@ -1,29 +1,30 @@ name: Windows AD Same Domain SID History Addition id: 5fde0b7c-df7a-40b1-9b3a-294c00f0289d -version: 2 -date: '2022-09-09' +version: 3 +date: '2024-05-22' author: Dean Luxton type: TTP status: production data_source: - Windows Event Log Security 4742 - Windows Event Log Security 4738 -description: The following analytic looks for changes to the sIDHistory AD attribute of user or computer objects which exist within the same domain. - The SID history AD attribute allows users to inherit permissions from a separate AD account without group changes. Initially developed for access - continuity when migrating user accounts to different domains, this attribute can also be abused by adversaries to stealthily grant access to a backdoor account within the same domain. - This analytic was written to pick up on activity via Mimikatz sid::patch. Please note there are additional avenues to abuse SID history such as DCShadow & Golden / Diamond tickets which won't be detected using these event codes. +description: The following analytic detects changes to the sIDHistory attribute of + user or computer objects within the same domain. It leverages Windows Security Event + Codes 4738 and 4742 to identify when the sIDHistory attribute is modified. This + activity is significant because the sIDHistory attribute can be abused by adversaries + to grant unauthorized access by inheriting permissions from another account. If + confirmed malicious, this could allow attackers to maintain persistent access or + escalate privileges within the domain, posing a severe security risk. search: '`wineventlog_security` (EventCode=4742 OR EventCode=4738) NOT SidHistory - IN ("%%1793", -) - | rex field=SidHistory "(^%{|^)(?P.*)(\-|\\\)" - | rex field=TargetSid "^(?P.*)(\-|\\\)" - | where SidHistoryMatch=TargetSidmatch OR SidHistoryMatch=TargetDomainName - | rename TargetSid as userSid, TargetDomainName as userDomainName - | table _time action status host user userSid userDomainName SidHistory Logon_ID src_user - | `windows_ad_same_domain_sid_history_addition_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting eventcodes - `4738` and `4742`. The Advanced Security Audit policy settings - `Audit User Account Management` and `Audit Computer Account Management` - within `Account Management` all need to be enabled. SID resolution is not required.. + IN ("%%1793", -) | rex field=SidHistory "(^%{|^)(?P.*)(\-|\\\)" + | rex field=TargetSid "^(?P.*)(\-|\\\)" | where SidHistoryMatch=TargetSidmatch + OR SidHistoryMatch=TargetDomainName | rename TargetSid as userSid, TargetDomainName + as userDomainName | table _time action status host user userSid userDomainName SidHistory + Logon_ID src_user | `windows_ad_same_domain_sid_history_addition_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + eventcodes `4738` and `4742`. The Advanced Security Audit policy settings `Audit + User Account Management` and `Audit Computer Account Management` within `Account + Management` all need to be enabled. SID resolution is not required.. known_false_positives: Unknown references: - https://adsecurity.org/?p=1772 @@ -68,6 +69,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1134.005/mimikatz/windows-security-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1134.005/mimikatz/windows-security-xml.log source: XmlWinEventLog:Security - sourcetype: XmlWinEventLog \ No newline at end of file + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_ad_serviceprincipalname_added_to_domain_account.yml b/detections/endpoint/windows_ad_serviceprincipalname_added_to_domain_account.yml index e7c6122c46..e22a02f6f0 100644 --- a/detections/endpoint/windows_ad_serviceprincipalname_added_to_domain_account.yml +++ b/detections/endpoint/windows_ad_serviceprincipalname_added_to_domain_account.yml @@ -1,23 +1,29 @@ name: Windows AD ServicePrincipalName Added To Domain Account id: 8a1259cb-0ea7-409c-8bfe-74bad89259f9 -version: 2 -date: '2023-11-07' +version: 3 +date: '2024-05-22' author: Mauricio Velazco, Splunk type: TTP status: production data_source: - Windows Event Log Security 5136 -description: The following analytic identifies the addition of a Service Principal Name to a domain account. While this event may be part of a legitimate action part of certain administrative operations, - it may also be evidence of a persistence attack. Domain accounts with Servce Principal Names are vulnerable to a technique called Kerberoasting that enables attackers to potentially obtain the cleartext password - of the account by performing offline cracking. An adversary who has obtained privileged access to a domain environment may add an SPN to a privileged account to then leverage the Kerberoasting technique and attempt - to obtain its clertext password. -search: ' `wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=servicePrincipalName OperationType="%%14674" - | stats values(ObjectDN) as ObjectDN by _time, Computer, SubjectUserName, AttributeValue | rename Computer as dest SubjectUserName as user +description: The following analytic detects the addition of a Service Principal Name + (SPN) to a domain account. It leverages Windows Event Code 5136 and monitors changes + to the servicePrincipalName attribute. This activity is significant because it may + indicate an attempt to perform Kerberoasting, a technique where attackers extract + and crack service account passwords offline. If confirmed malicious, this could + allow an attacker to obtain cleartext passwords, leading to unauthorized access + and potential lateral movement within the domain environment. +search: ' `wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=servicePrincipalName + OperationType="%%14674" | stats values(ObjectDN) as ObjectDN by _time, Computer, + SubjectUserName, AttributeValue | rename Computer as dest SubjectUserName as user | `windows_ad_serviceprincipalname_added_to_domain_account_filter`' -how_to_implement: To successfully implement this search, you ned to be ingesting eventcode - `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` - within `DS Access` needs to be enabled. Additionally, a SACL needs to be created for AD objects in order to ingest attribute modifications. -known_false_positives: A Service Principal Name should only be added to an account when an application requires it. While infrequent, this detection may trigger on +how_to_implement: To successfully implement this search, you ned to be ingesting eventcode + `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` + within `DS Access` needs to be enabled. Additionally, a SACL needs to be created + for AD objects in order to ingest attribute modifications. +known_false_positives: A Service Principal Name should only be added to an account + when an application requires it. While infrequent, this detection may trigger on legitimate actions. Filter as needed. references: - https://adsecurity.org/?p=3466 @@ -58,6 +64,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/service_principal_name_added/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/service_principal_name_added/windows-security.log source: XmlWinEventLog:Security - sourcetype: XmlWinEventLog \ No newline at end of file + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_ad_short_lived_domain_account_serviceprincipalname.yml b/detections/endpoint/windows_ad_short_lived_domain_account_serviceprincipalname.yml index 6080a8de50..8d1a3b2fe9 100644 --- a/detections/endpoint/windows_ad_short_lived_domain_account_serviceprincipalname.yml +++ b/detections/endpoint/windows_ad_short_lived_domain_account_serviceprincipalname.yml @@ -1,26 +1,31 @@ name: Windows AD Short Lived Domain Account ServicePrincipalName id: b681977c-d90c-4efc-81a5-c58f945fb541 -version: 1 -date: '2022-11-18' +version: 2 +date: '2024-05-18' author: Mauricio Velazco, Splunk type: TTP status: production data_source: - Windows Event Log Security 5136 -description: The following analytic identifies the addition of a Service Principal Name to a domain account that is quickly deleted within 5 minutes or less. While this event may be part of a legitimate action part of certain administrative operations, - it may also be evidence of a persistence attack. Domain accounts with Service Principal Names are vulnerable to a technique called Kerberoasting that enables attackers to potentially obtain the cleartext password - of the account by performing offline cracking. An adversary who has obtained privileged access to a domain environment may add an SPN to a privileged account to then leverage the Kerberoasting technique and attempt - to obtain its clertext password. To clean things up, the adversary may delete the SPN which will trigger this detection. +description: The following analytic identifies the addition and quick deletion of + a Service Principal Name (SPN) to a domain account within 5 minutes. This detection + leverages EventCode 5136 from the Windows Security Event Log, focusing on changes + to the servicePrincipalName attribute. This activity is significant as it may indicate + an attempt to perform Kerberoasting, a technique used to crack the cleartext password + of a domain account offline. If confirmed malicious, this could allow an attacker + to gain unauthorized access to sensitive information or escalate privileges within + the domain environment. search: ' `wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=servicePrincipalName - | transaction ObjectDN AttributeValue startswith=(EventCode=5136 OperationType="%%14674") endswith=(EventCode=5136 OperationType="%%14675") - | eval short_lived=case((duration<300),"TRUE") - | search short_lived = TRUE | rename ObjectDN as user - | `windows_ad_short_lived_domain_account_serviceprincipalname_filter`' -how_to_implement: To successfully implement this search, you ned to be ingesting eventcode - `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` - within `DS Access` needs to be enabled. Additionally, a SACL needs to be created for AD objects in order to ingest attribute modifications. -known_false_positives: A Service Principal Name should only be added to an account when an application requires it. Adding an SPN and quickly deleting it - is less common but may be part of legitimate action. Filter as needed. + | transaction ObjectDN AttributeValue startswith=(EventCode=5136 OperationType="%%14674") + endswith=(EventCode=5136 OperationType="%%14675") | eval short_lived=case((duration<300),"TRUE") + | search short_lived = TRUE | rename ObjectDN as user | `windows_ad_short_lived_domain_account_serviceprincipalname_filter`' +how_to_implement: To successfully implement this search, you ned to be ingesting eventcode + `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` + within `DS Access` needs to be enabled. Additionally, a SACL needs to be created + for AD objects in order to ingest attribute modifications. +known_false_positives: A Service Principal Name should only be added to an account + when an application requires it. Adding an SPN and quickly deleting it is less common + but may be part of legitimate action. Filter as needed. references: - https://adsecurity.org/?p=3466 - https://www.thehacker.recipes/ad/movement/dacl/targeted-kerberoasting @@ -56,6 +61,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/short_lived_service_principal_name/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/short_lived_service_principal_name/windows-security.log source: XmlWinEventLog:Security - sourcetype: XmlWinEventLog \ No newline at end of file + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_ad_short_lived_domain_controller_spn_attribute.yml b/detections/endpoint/windows_ad_short_lived_domain_controller_spn_attribute.yml index 6fbc3762d4..aaa5800936 100644 --- a/detections/endpoint/windows_ad_short_lived_domain_controller_spn_attribute.yml +++ b/detections/endpoint/windows_ad_short_lived_domain_controller_spn_attribute.yml @@ -1,29 +1,43 @@ name: Windows AD Short Lived Domain Controller SPN Attribute -id: 57e27f27-369c-4df8-af08-e8c7ee8373d4 -version: 3 -date: '2023-11-07' +id: 57e27f27-369c-4df8-af08-e8c7ee8373d4 +version: 4 +date: '2024-05-11' author: Dean Luxton type: TTP status: production data_source: - Windows Event Log Security 5136 - Windows Event Log Security 4624 -description: The following analytic identifies when either a global catalog SPN or a DRS RPC SPN are temporarily added to an Active Directory computer object, both of which can be evidence of a DCShadow attack. - DCShadow allows an attacker who has obtained privileged access to register a rogue Domain Controller (DC). Once registered, the rogue DC may be able to inject - and replicate changes into the AD infrastructure for any domain object, including credentials and keys. This technique was initially released in 2018 by security researchers Benjamin Delpy and Vincent Le Toux. - No event logs are written for changes to AD attributes, allowing for stealthy backdoors to be implanted in the domain, or metadata such as timestamps overwritten to cover tracks. -search: '`wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=servicePrincipalName (AttributeValue="GC/*" OR AttributeValue="E3514235-4B06-11D1-AB04-00C04FC2DCD2/*") | stats min(_time) as _time range(_time) as duration values(OperationType) as OperationType values(user) as user values(src_ip) as src_ip values(src_nt_domain) as src_nt_domain values(src_user) as src_user values(Computer) as dest, values(ObjectDN) as ObjectDN by Logon_ID | eval short_lived=case((duration<30),"TRUE") | where short_lived="TRUE" AND mvcount(OperationType)>1 | replace "%%14674" with "Value Added", "%%14675" with "Value Deleted" in OperationType | rename Logon_ID as TargetLogonId | appendpipe [| map search="search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$"] | stats min(_time) as _time, values(ObjectDN) as ObjectDN values(OperationType) as OperationType by TargetLogonId src_user dest | `windows_ad_short_lived_domain_controller_spn_attribute_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting eventcode - `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` - within `DS Access` needs to be enabled, alongside a SACL for `everybody` to - `Write All Properties` applied to the domain root and all descendant objects. +description: The following analytic detects the temporary addition of a global catalog + SPN or a DRS RPC SPN to an Active Directory computer object, indicative of a potential + DCShadow attack. This detection leverages EventCode 5136 from the `wineventlog_security` + data source, focusing on specific SPN attribute changes. This activity is significant + as DCShadow attacks allow attackers with privileged access to register rogue Domain + Controllers, enabling unauthorized changes to the AD infrastructure. If confirmed + malicious, this could lead to unauthorized replication of changes, including credentials + and keys, compromising the entire domain's security. +search: '`wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=servicePrincipalName + (AttributeValue="GC/*" OR AttributeValue="E3514235-4B06-11D1-AB04-00C04FC2DCD2/*") + | stats min(_time) as _time range(_time) as duration values(OperationType) as OperationType + values(user) as user values(src_ip) as src_ip values(src_nt_domain) as src_nt_domain + values(src_user) as src_user values(Computer) as dest, values(ObjectDN) as ObjectDN + by Logon_ID | eval short_lived=case((duration<30),"TRUE") | where short_lived="TRUE" + AND mvcount(OperationType)>1 | replace "%%14674" with "Value Added", "%%14675" with + "Value Deleted" in OperationType | rename Logon_ID as TargetLogonId | appendpipe + [| map search="search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$"] + | stats min(_time) as _time, values(ObjectDN) as ObjectDN values(OperationType) + as OperationType by TargetLogonId src_user dest | `windows_ad_short_lived_domain_controller_spn_attribute_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services + Changes` within `DS Access` needs to be enabled, alongside a SACL for `everybody` + to `Write All Properties` applied to the domain root and all descendant objects. known_false_positives: None. references: - https://www.dcshadow.com/ - https://blog.netwrix.com/2022/09/28/dcshadow_attack/ - https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2 - https://attack.mitre.org/techniques/T1207/ -- https://blog.alsid.eu/dcshadow-explained-4510f52fc19d +- https://blog.alsid.eu/dcshadow-explained-4510f52fc19d tags: analytic_story: - Sneaky Active Directory Persistence Tricks @@ -58,6 +72,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1207/mimikatz/windows-security-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1207/mimikatz/windows-security-xml.log source: XmlWinEventLog:Security - sourcetype: XmlWinEventLog \ No newline at end of file + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_ad_short_lived_server_object.yml b/detections/endpoint/windows_ad_short_lived_server_object.yml index c3fe144eb2..1aefbcaed6 100644 --- a/detections/endpoint/windows_ad_short_lived_server_object.yml +++ b/detections/endpoint/windows_ad_short_lived_server_object.yml @@ -1,29 +1,31 @@ name: Windows AD Short Lived Server Object id: 193769d3-1e33-43a9-970e-ad4a88256cdb -version: 1 -date: '2022-10-17' +version: 2 +date: '2024-05-21' author: Mauricio Velazco, Splunk type: TTP status: production -data_source: +data_source: - Windows Event Log Security 5137 - Windows Event Log Security 5141 -description: 'The following analytic identifies a change in an Active Directory environment that could represent evidence of the DCShadow attack. - DCShadow allows an attacker who has obtained privileged access to register a rogue Domain Controller (DC). Once registered, the rogue DC may be able to inject - and replicate changes in the AD infrastructure for any domain object, including credentials and keys. This technique was initially released in 2018 by security - researchers Benjamin Delpy and Vincent Le Toux. Specifically, the detection will trigger when a possible rogue Domain Controller - computer object is created and quickly deleted within 30 seconds or less in an Active Directory domain. This behavior was identfied by simulating the DCShadow attack with - Mimikatz.' +description: 'The following analytic identifies the creation and quick deletion of + a Domain Controller (DC) object within 30 seconds in an Active Directory environment, + indicative of a potential DCShadow attack. This detection leverages Windows Security + Event Codes 5137 and 5141, analyzing the duration between these events. This activity + is significant as DCShadow allows attackers with privileged access to register a + rogue DC, enabling unauthorized changes to AD objects, including credentials. If + confirmed malicious, this could lead to unauthorized AD modifications, compromising + the integrity and security of the entire domain.' search: ' `wineventlog_security` EventCode=5137 OR EventCode=5141 ObjectDN="*CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration*" - | transaction ObjectDN startswith=(EventCode=5137) endswith=(EventCode=5141) - | eval short_lived=case((duration<30),"TRUE") - | search short_lived = TRUE - | stats values(ObjectDN) values(signature) values(EventCode) by _time, Computer, SubjectUserName - | `windows_ad_short_lived_server_object_filter`' -how_to_implement: To successfully implement this search, you ned to be ingesting Event codes - `5137` and `5141`. The Advanced Security Audit policy setting `Audit Directory Services Changes` - within `DS Access` needs to be enabled. For these event codes to be generated, specific SACLs are required. -known_false_positives: Creating and deleting a server object within 30 seconds or less is unusual but not impossible in a production environment. Filter as needed. + | transaction ObjectDN startswith=(EventCode=5137) endswith=(EventCode=5141) | eval + short_lived=case((duration<30),"TRUE") | search short_lived = TRUE | stats values(ObjectDN) + values(signature) values(EventCode) by _time, Computer, SubjectUserName | `windows_ad_short_lived_server_object_filter`' +how_to_implement: To successfully implement this search, you ned to be ingesting Event + codes `5137` and `5141`. The Advanced Security Audit policy setting `Audit Directory + Services Changes` within `DS Access` needs to be enabled. For these event codes + to be generated, specific SACLs are required. +known_false_positives: Creating and deleting a server object within 30 seconds or + less is unusual but not impossible in a production environment. Filter as needed. references: - https://www.dcshadow.com/ - https://attack.mitre.org/techniques/T1207/ @@ -65,6 +67,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1207/short_lived_server_object/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1207/short_lived_server_object/windows-security.log source: XmlWinEventLog:Security - sourcetype: XmlWinEventLog \ No newline at end of file + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_ad_sid_history_attribute_modified.yml b/detections/endpoint/windows_ad_sid_history_attribute_modified.yml index ddedfa605c..c855fcc1d1 100644 --- a/detections/endpoint/windows_ad_sid_history_attribute_modified.yml +++ b/detections/endpoint/windows_ad_sid_history_attribute_modified.yml @@ -1,22 +1,29 @@ name: Windows AD SID History Attribute Modified id: 1155e47d-307f-4247-beab-71071e3a458c -version: 1 -date: '2022-11-16' +version: 2 +date: '2024-05-16' author: Mauricio Velazco, Splunk type: TTP status: production -data_source: +data_source: - Windows Event Log Security 5136 -description: The following analytic leverages event code `5136` to identify a modification of the SID History AD attribute. - The SID history AD attribute allows users to inherit permissions from a separate AD account without group changes. Initially developed for access - continuity when migrating user accounts to different domains, this attribute can also be abused by adversaries to stealthily grant access to a backdoor account within the same domain. -search: ' `wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=sIDHistory OperationType="%%14674" - | stats values(ObjectDN) as ObjectDN by _time, Computer, SubjectUserName, AttributeValue | rename Computer as dest - | `windows_ad_sid_history_attribute_modified_filter`' -how_to_implement: To successfully implement this search, you ned to be ingesting eventcode - `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` - within `DS Access` needs to be enabled. Additionally, a SACL needs to be created for AD objects in order to ingest attribute modifications. -known_false_positives: Domain mergers and migrations may generate large volumes of false positives for this analytic. +description: The following analytic detects modifications to the SID History attribute + in Active Directory by leveraging event code 5136. This detection uses logs from + the `wineventlog_security` data source to identify changes to the sIDHistory attribute. + Monitoring this activity is crucial as the SID History attribute can be exploited + by adversaries to inherit permissions from other accounts, potentially granting + unauthorized access. If confirmed malicious, this activity could allow attackers + to maintain persistent access and escalate privileges within the domain, posing + a significant security risk. +search: ' `wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=sIDHistory + OperationType="%%14674" | stats values(ObjectDN) as ObjectDN by _time, Computer, + SubjectUserName, AttributeValue | rename Computer as dest | `windows_ad_sid_history_attribute_modified_filter`' +how_to_implement: To successfully implement this search, you ned to be ingesting eventcode + `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` + within `DS Access` needs to be enabled. Additionally, a SACL needs to be created + for AD objects in order to ingest attribute modifications. +known_false_positives: Domain mergers and migrations may generate large volumes of + false positives for this analytic. references: - https://adsecurity.org/?p=1772 - https://learn.microsoft.com/en-us/windows/win32/adschema/a-sidhistory?redirectedfrom=MSDN @@ -28,7 +35,8 @@ tags: asset_type: Endpoint confidence: 70 impact: 80 - message: SID History AD attribute modified by $SubjectUserName$ for $ObjectDN$ on $dest$ + message: SID History AD attribute modified by $SubjectUserName$ for $ObjectDN$ on + $dest$ mitre_attack_id: - T1134 - T1134.005 @@ -55,6 +63,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1134.005/sid_history2/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1134.005/sid_history2/windows-security.log source: XmlWinEventLog:Security - sourcetype: XmlWinEventLog \ No newline at end of file + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_adfind_exe.yml b/detections/endpoint/windows_adfind_exe.yml index b89fb6de5e..e23d9c6d48 100644 --- a/detections/endpoint/windows_adfind_exe.yml +++ b/detections/endpoint/windows_adfind_exe.yml @@ -1,18 +1,18 @@ name: Windows AdFind Exe id: bd3b0187-189b-46c0-be45-f52da2bae67f -version: 3 -date: '2023-06-13' +version: 4 +date: '2024-05-13' author: Jose Hernandez, Bhavin Patel, Splunk status: production type: TTP -description: 'This search looks for the execution of `adfind.exe` with command-line - arguments that it uses by default specifically the filter or search functions. It - also considers the arguments necessary like objectcategory, see readme for more - details: https://www.joeware.net/freetools/tools/adfind/usage.htm. AdFind.exe is - a powerful tool that is commonly used for querying and retrieving information from - Active Directory (AD). While it is primarily designed for AD administration and - management, it has been seen used before by Wizard Spider, FIN6 and actors whom - also launched SUNBURST.' +description: 'The following analytic identifies the execution of `adfind.exe` with + specific command-line arguments related to Active Directory queries. It leverages + data from Endpoint Detection and Response (EDR) agents, focusing on process names, + command-line arguments, and parent processes. This activity is significant because + `adfind.exe` is a powerful tool often used by threat actors like Wizard Spider and + FIN6 to gather sensitive AD information. If confirmed malicious, this activity could + allow attackers to map the AD environment, facilitating further attacks such as + privilege escalation or lateral movement.' data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -74,6 +74,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_admin_permission_discovery.yml b/detections/endpoint/windows_admin_permission_discovery.yml index 7f1a28ea13..5bb5a9d541 100644 --- a/detections/endpoint/windows_admin_permission_discovery.yml +++ b/detections/endpoint/windows_admin_permission_discovery.yml @@ -1,32 +1,35 @@ name: Windows Admin Permission Discovery id: e08620cb-9488-4052-832d-97bcc0afd414 -version: 1 -date: '2023-09-19' +version: 2 +date: '2024-05-30' author: Teoderick Contreras, Splunk status: production type: Anomaly data_source: - Sysmon EventID 11 -description: This analytic is developed to identify suspicious file creation in the root drive (C:\). - This tactic was observed in NjRAT as a means to ascertain whether its malware instance running on - the compromised host possesses administrative privileges. - The methodology involves an attempt to create a 'win.dat' file in the C:\ directory. - If this file is successfully created, it serves as an indicator that the process indeed holds administrative privileges. - This anomaly detection mechanism serves as a valuable pivot point for detecting NjRAT and other malware strains employing - similar techniques to assess the privileges of their running malware instances, without using token privilege API calls or PowerShell commandlets. -search: '|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem - where Filesystem.file_name IN ("*.exe", "*.dll", "*.sys", "*.com", "*.vbs", "*.vbe", "*.js", "*.bat", "*.cmd", "*.pif", "*.lnk", "*.dat") - by Filesystem.dest Filesystem.file_create_time Filesystem.process_id Filesystem.process_guid Filesystem.file_name Filesystem.file_path Filesystem.user - | `drop_dm_object_name(Filesystem)` - | eval dropped_file_path = split(file_path, "\\") - | eval dropped_file_path_split_count = mvcount(dropped_file_path) - | eval root_drive = mvindex(dropped_file_path,0) | where LIKE(root_drive, "C:") AND dropped_file_path_split_count = 2 - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_admin_permission_discovery_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that - include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. -known_false_positives: False positives may occur if there are legitimate accounts with the privilege to drop files in the root of the C drive. It's recommended to verify the legitimacy of such actions and the accounts involved. +description: The following analytic identifies the creation of a suspicious file named + 'win.dat' in the root directory (C:\). It leverages data from the Endpoint.Filesystem + datamodel to detect this activity. This behavior is significant as it is commonly + used by malware like NjRAT to check for administrative privileges on a compromised + host. If confirmed malicious, this activity could indicate that the malware has + administrative access, allowing it to perform high-privilege actions, potentially + leading to further system compromise and persistence. +search: '|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*.exe", + "*.dll", "*.sys", "*.com", "*.vbs", "*.vbe", "*.js", "*.bat", "*.cmd", "*.pif", + "*.lnk", "*.dat") by Filesystem.dest Filesystem.file_create_time Filesystem.process_id + Filesystem.process_guid Filesystem.file_name Filesystem.file_path Filesystem.user + | `drop_dm_object_name(Filesystem)` | eval dropped_file_path = split(file_path, + "\\") | eval dropped_file_path_split_count = mvcount(dropped_file_path) | eval root_drive + = mvindex(dropped_file_path,0) | where LIKE(root_drive, "C:") AND dropped_file_path_split_count + = 2 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | + `windows_admin_permission_discovery_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the Filesystem responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Filesystem` node. +known_false_positives: False positives may occur if there are legitimate accounts + with the privilege to drop files in the root of the C drive. It's recommended to + verify the legitimacy of such actions and the accounts involved. references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat tags: @@ -66,7 +69,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.001/njrat_admin_check/win_dat.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.001/njrat_admin_check/win_dat.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_administrative_shares_accessed_on_multiple_hosts.yml b/detections/endpoint/windows_administrative_shares_accessed_on_multiple_hosts.yml index e2d36bdc0e..fc8331a2e3 100644 --- a/detections/endpoint/windows_administrative_shares_accessed_on_multiple_hosts.yml +++ b/detections/endpoint/windows_administrative_shares_accessed_on_multiple_hosts.yml @@ -1,22 +1,20 @@ name: Windows Administrative Shares Accessed On Multiple Hosts id: d92f2d95-05fb-48a7-910f-4d3d61ab8655 -version: 1 -date: '2023-03-23' +version: 2 +date: '2024-05-19' author: Mauricio Velazco, Splunk type: TTP status: production data_source: - Windows Event Log Security 5140 - Windows Event Log Security 5145 -description: The following analytic leverages Event IDs 5140 or 5145 to identify a - source computer accessing windows administrative shares (C$, Admin$ and IPC$ ) across - a large number remote endpoints. Specifically, the logic will trigger when a source - endpoint accesses administrative shares across 30 or more target computers within - a 5 minute timespan. This behavior could represent an adversary who is enumerating - network shares across an Active Directory environment in the search for sensitive - files, a common technique leveraged by red teamers and threat actors. As environments - differ across organizations, security teams should customize the thresholds of this - detection as needed. +description: The following analytic detects a source computer accessing Windows administrative + shares (C$, Admin$, IPC$) on 30 or more remote endpoints within a 5-minute window. + It leverages Event IDs 5140 and 5145 from file share events. This behavior is significant + as it may indicate an adversary enumerating network shares to locate sensitive files, + a common tactic used by threat actors. If confirmed malicious, this activity could + lead to unauthorized access to critical data, lateral movement, and potential compromise + of multiple systems within the network. search: ' `wineventlog_security` EventCode=5140 OR EventCode=5145 (ShareName="\\\\*\\ADMIN$" OR ShareName="\\\\*\\IPC$" OR ShareName="\\\\*\\C$") | bucket span=5m _time | stats dc(Computer) AS unique_targets values(Computer) as host_targets values(ShareName) @@ -71,6 +69,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/ipc_share_accessed/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/ipc_share_accessed/windows-security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_admon_default_group_policy_object_modified.yml b/detections/endpoint/windows_admon_default_group_policy_object_modified.yml index ff923c82ac..c9c7b2a75d 100644 --- a/detections/endpoint/windows_admon_default_group_policy_object_modified.yml +++ b/detections/endpoint/windows_admon_default_group_policy_object_modified.yml @@ -1,24 +1,30 @@ name: Windows Admon Default Group Policy Object Modified id: 83458004-db60-4170-857d-8572f16f070b -version: 1 -date: '2023-03-29' +version: 2 +date: '2024-05-28' author: Mauricio Velazco, Splunk status: production type: TTP -data_source : +data_source: - Windows Active Directory Admon -description: The following analytic leverages Splunks Admon to identify the modification of a default Group Policy Object. A fresh installation of an Active Directory network will typically contain - two default group policy objects `Default Domain Controllers Policy` and `Default Domain Policy`. The default domain controllers policy is used to enforce and set policies to all the domain controllers within the domain environment. - The default domain policy is linked to all users and computers by default. An adversary who has obtained privileged access to an Active Directory network may modify the default group - policy objects to obtain further access, deploy persistence or execute malware across a large number of hosts. Security teams should monitor the modification of the default GPOs. -search: ' `admon` admonEventType=Update objectCategory="CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=*" (displayName="Default Domain Policy" OR displayName="Default Domain Controllers Policy") - | stats min(_time) as firstTime max(_time) as lastTime values(gPCFileSysPath) by dcName, displayName - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +description: The following analytic detects modifications to the default Group Policy + Objects (GPOs) in an Active Directory environment. It leverages Splunk's Admon to + monitor updates to the "Default Domain Policy" and "Default Domain Controllers Policy." + This activity is significant because changes to these default GPOs can indicate + an adversary with privileged access attempting to gain further control, establish + persistence, or deploy malware across multiple hosts. If confirmed malicious, such + modifications could lead to widespread policy enforcement changes, unauthorized + access, and potential compromise of the entire domain environment. +search: ' `admon` admonEventType=Update objectCategory="CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=*" + (displayName="Default Domain Policy" OR displayName="Default Domain Controllers + Policy") | stats min(_time) as firstTime max(_time) as lastTime values(gPCFileSysPath) + by dcName, displayName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_admon_default_group_policy_object_modified_filter`' -how_to_implement: To successfully implement this search, you need to be monitoring Active Directory logs using Admon. Details can be found here +how_to_implement: To successfully implement this search, you need to be monitoring + Active Directory logs using Admon. Details can be found here https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/Data/MonitorActiveDirectory -known_false_positives: The default Group Policy Objects within an AD network may be legitimately updated for administrative operations, filter as needed. +known_false_positives: The default Group Policy Objects within an AD network may be + legitimately updated for administrative operations, filter as needed. references: - https://attack.mitre.org/techniques/T1484/ - https://attack.mitre.org/techniques/T1484/001 @@ -57,6 +63,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/default_domain_policy_modified/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/default_domain_policy_modified/windows-security.log source: ActiveDirectory - sourcetype: ActiveDirectory \ No newline at end of file + sourcetype: ActiveDirectory diff --git a/detections/endpoint/windows_admon_group_policy_object_created.yml b/detections/endpoint/windows_admon_group_policy_object_created.yml index 67e0bbe23a..a200ad7329 100644 --- a/detections/endpoint/windows_admon_group_policy_object_created.yml +++ b/detections/endpoint/windows_admon_group_policy_object_created.yml @@ -1,24 +1,28 @@ name: Windows Admon Group Policy Object Created id: 69201633-30d9-48ef-b1b6-e680805f0582 -version: 1 -date: '2023-04-06' +version: 2 +date: '2024-05-20' author: Mauricio Velazco, Splunk status: production type: TTP -data_source : +data_source: - Windows Active Directory Admon -description: The following analytic leverages Splunks Admon to identify the creation of a new Group Policy Object. With GPOs, system administrators can manage and configure - applications, software operations, and user settings throughout an entire organization. GPOs can be abused and leveraged by adversaries to escalate privileges or - deploy malware across an Active Directory network. As an example, the Lockbit ransomware malware will create new group policies on the domain controller that are then pushed out to every device on the network. - Security teams should monitor the creation of new Group Policy Objects. -search: ' `admon` admonEventType=Update objectCategory="CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=*" versionNumber=0 displayName!="New Group Policy Object" - | stats min(_time) as firstTime max(_time) as lastTime values(gPCFileSysPath) by dcName, displayName - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_admon_group_policy_object_created_filter`' -how_to_implement: To successfully implement this search, you need to be monitoring Active Directory logs using Admon. Details can be found here +description: The following analytic detects the creation of a new Group Policy Object + (GPO) using Splunk's Admon data. It identifies events where a new GPO is created, + excluding default "New Group Policy Object" entries. Monitoring GPO creation is + crucial as adversaries can exploit GPOs to escalate privileges or deploy malware + across an Active Directory network. If confirmed malicious, this activity could + allow attackers to control system configurations, deploy ransomware, or propagate + malware, significantly compromising the network's security. +search: ' `admon` admonEventType=Update objectCategory="CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=*" + versionNumber=0 displayName!="New Group Policy Object" | stats min(_time) as firstTime + max(_time) as lastTime values(gPCFileSysPath) by dcName, displayName | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_admon_group_policy_object_created_filter`' +how_to_implement: To successfully implement this search, you need to be monitoring + Active Directory logs using Admon. Details can be found here https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/Data/MonitorActiveDirectory -known_false_positives: Group Policy Objects are created as part of regular administrative operations, filter as needed. +known_false_positives: Group Policy Objects are created as part of regular administrative + operations, filter as needed. references: - https://attack.mitre.org/techniques/T1484/ - https://attack.mitre.org/techniques/T1484/001 @@ -57,6 +61,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_created/windows-admon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_created/windows-admon.log source: ActiveDirectory sourcetype: ActiveDirectory diff --git a/detections/endpoint/windows_alternate_datastream___base64_content.yml b/detections/endpoint/windows_alternate_datastream___base64_content.yml index 225c00c009..9bf07cecb7 100644 --- a/detections/endpoint/windows_alternate_datastream___base64_content.yml +++ b/detections/endpoint/windows_alternate_datastream___base64_content.yml @@ -1,30 +1,35 @@ name: Windows Alternate DataStream - Base64 Content id: 683f48de-982f-4a7e-9aac-9cec550da498 -version: 2 -date: '2024-02-15' +version: 3 +date: '2024-05-28' author: Steven Dick, Teoderick Contreras, Michael Haag, Splunk status: production type: TTP -description: This analytic leverages Sysmon EventID 15, a critical file creation event, to detect the creation of Alternate Data Streams (ADS) on Windows systems. ADS is a feature of the NTFS file system that allows the storage of data in hidden streams attached to files. These streams are not visible in standard file listings, making them a popular technique for concealing malicious activity. Event ID 15 captures both the hash of the primary file content (unnamed stream) and the content of any additional named streams, which can include executables, scripts, or configuration data. Malware often exploits ADS to hide payloads, leveraging browser downloads to attach a Zone.Identifier stream, marking the file as originating from the Internet (Mark Of The Web, MOTW). This analytic is designed to identify such misuse by analyzing the content and creation patterns of named streams, including those under 1KB which may contain MOTW information. It is essential for detecting sophisticated threats that utilize non-executable file types or conceal malicious scripts within ADS, beyond the traditional focus on PE executables. The detection process involves monitoring for the creation of named streams, which are part of the NTFS structure and can be examined using tools like PowerShell for the presence of additional data streams or MOTW information. This approach helps in uncovering hidden payloads and tracking the origin of suspicious files downloaded via browsers or email clients, providing a comprehensive defense against ADS abuse. +description: The following analytic detects the creation of Alternate Data Streams + (ADS) with Base64 content on Windows systems. It leverages Sysmon Event ID 15, which + captures file creation events, including the content of named streams. ADS can conceal + malicious payloads, making them significant for SOC monitoring. This detection identifies + hidden streams that may contain executables, scripts, or configuration data, often + used by malware to evade detection. If confirmed malicious, this activity could + allow attackers to hide and execute payloads, persist in the environment, or access + sensitive information without being easily detected. data_source: - Sysmon EventID 15 -search: '`sysmon` EventCode=15 NOT Contents IN ("-","[ZoneTransfer]*") - | regex TargetFilename="(? upperBound, "Yes", "No") - | where anomaly="Yes" - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_applocker_execution_from_uncommon_locations_filter`' -how_to_implement: The analytic is designed to be run against Windows AppLocker event logs collected from endpoints with AppLocker enabled. If using Microsoft Defender for Endpoint (MDE), modify the analytic to use EventTypes/ActionTypes that match the block events for AppLocker. The analytic requires the AppLocker event logs to be ingested into Splunk. Note that, an additional method to reduce any false positives would be to add the specific EventCodes - 8003 or 8004 and filter from there. Upon tuning, modify to Anomaly or TTP. -known_false_positives: False positives are possible if legitimate users are executing applications from file paths that are not permitted by AppLocker. It is recommended to investigate the context of the application execution to determine if it is malicious or not. Modify the threshold as needed to reduce false positives. +description: The following analytic identifies the execution of applications or scripts + from uncommon or suspicious file paths, potentially indicating malware or unauthorized + activity. It leverages Windows AppLocker event logs and uses statistical analysis + to detect anomalies. By calculating the average and standard deviation of execution + counts per file path, it flags paths with execution counts significantly higher + than expected. This behavior is significant as it can uncover malicious activities + or policy violations. If confirmed malicious, this activity could allow attackers + to execute unauthorized code, leading to potential system compromise or data breaches. +search: '`applocker` | spath input=UserData_Xml | rename RuleAndFileData.* as *, Computer + as dest, TargetUser AS user | stats count min(_time) as firstTime max(_time) as + lastTime by dest, PolicyName, RuleId, user, TargetProcessId, FilePath, FullFilePath + | eventstats avg(count) as avg, stdev(count) as stdev | eval upperBound=(avg+stdev*2), + anomaly=if(count > upperBound, "Yes", "No") | where anomaly="Yes" | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_applocker_execution_from_uncommon_locations_filter`' +how_to_implement: The analytic is designed to be run against Windows AppLocker event + logs collected from endpoints with AppLocker enabled. If using Microsoft Defender + for Endpoint (MDE), modify the analytic to use EventTypes/ActionTypes that match + the block events for AppLocker. The analytic requires the AppLocker event logs to + be ingested into Splunk. Note that, an additional method to reduce any false positives + would be to add the specific EventCodes - 8003 or 8004 and filter from there. Upon + tuning, modify to Anomaly or TTP. +known_false_positives: False positives are possible if legitimate users are executing + applications from file paths that are not permitted by AppLocker. It is recommended + to investigate the context of the application execution to determine if it is malicious + or not. Modify the threshold as needed to reduce false positives. references: - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/querying-application-control-events-centrally-using-advanced-hunting - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker @@ -49,6 +62,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562/applocker/applocker.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562/applocker/applocker.log sourcetype: xmlwineventlog - source: XmlWinEventLog:Microsoft-Windows-AppLocker/MSI and Script \ No newline at end of file + source: XmlWinEventLog:Microsoft-Windows-AppLocker/MSI and Script diff --git a/detections/endpoint/windows_applocker_privilege_escalation_via_unauthorized_bypass.yml b/detections/endpoint/windows_applocker_privilege_escalation_via_unauthorized_bypass.yml index 3ca9e28623..0dc0da18b9 100644 --- a/detections/endpoint/windows_applocker_privilege_escalation_via_unauthorized_bypass.yml +++ b/detections/endpoint/windows_applocker_privilege_escalation_via_unauthorized_bypass.yml @@ -47,6 +47,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562/applocker/applocker.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562/applocker/applocker.log sourcetype: xmlwineventlog source: XmlWinEventLog:Microsoft-Windows-AppLocker/MSI and Script diff --git a/detections/endpoint/windows_applocker_rare_application_launch_detection.yml b/detections/endpoint/windows_applocker_rare_application_launch_detection.yml index f8b7da2868..3e97153c5e 100644 --- a/detections/endpoint/windows_applocker_rare_application_launch_detection.yml +++ b/detections/endpoint/windows_applocker_rare_application_launch_detection.yml @@ -1,20 +1,33 @@ name: Windows AppLocker Rare Application Launch Detection id: 9556f7b7-285f-4f18-8eeb-963d989f9d27 -version: 1 -date: '2024-03-21' +version: 2 +date: '2024-05-30' author: Michael Haag, Splunk data_source: [] type: Hunting -status: production -description: This analytic is designed to detect the launch of applications that occur rarely within the environment, which could indicate the use of potentially malicious software or tools by attackers. It works by aggregating the count of application launches over time, then calculating the average and standard deviation of these counts. Applications whose launch counts significantly deviate from the norm, either by exceeding or falling below three standard deviations from the average, are flagged for further investigation. This approach helps in identifying unusual application activity that could be indicative of a security threat. -search: '`applocker` - | spath input=UserData_Xml | rename RuleAndFileData.* as *, Computer as dest, TargetUser AS user - | stats dc(_time) as days, count by FullFilePath dest user - | eventstats avg(count) as avg, stdev(count) as stdev - | eval upperBound=(avg+stdev*3), lowerBound=(avg-stdev*3) - | where count > upperBound OR count < lowerBound | `windows_applocker_rare_application_launch_detection_filter`' -how_to_implement: The analytic is designed to be run against Windows AppLocker event logs collected from endpoints with AppLocker enabled. If using Microsoft Defender for Endpoint (MDE), modify the analytic to use EventTypes/ActionTypes that match the block events for AppLocker. The analytic requires the AppLocker event logs to be ingested into Splunk. Note that, an additional method to reduce any false positives would be to add the specific EventCodes - 8003 or 8004 and filter from there. -known_false_positives: False positives are possible if legitimate users are launching applications that are not permitted by AppLocker. It is recommended to investigate the context of the application launch to determine if it is malicious or not. Modify the threshold as needed to reduce false positives. +status: production +description: The following analytic detects the launch of rarely used applications + within the environment, which may indicate the use of potentially malicious software + or tools by attackers. It leverages Windows AppLocker event logs, aggregating application + launch counts over time and flagging those that significantly deviate from the norm. + This behavior is significant as it helps identify unusual application activity that + could signal a security threat. If confirmed malicious, this activity could allow + attackers to execute unauthorized code, potentially leading to further compromise + of the system. +search: '`applocker` | spath input=UserData_Xml | rename RuleAndFileData.* as *, Computer + as dest, TargetUser AS user | stats dc(_time) as days, count by FullFilePath dest + user | eventstats avg(count) as avg, stdev(count) as stdev | eval upperBound=(avg+stdev*3), + lowerBound=(avg-stdev*3) | where count > upperBound OR count < lowerBound | `windows_applocker_rare_application_launch_detection_filter`' +how_to_implement: The analytic is designed to be run against Windows AppLocker event + logs collected from endpoints with AppLocker enabled. If using Microsoft Defender + for Endpoint (MDE), modify the analytic to use EventTypes/ActionTypes that match + the block events for AppLocker. The analytic requires the AppLocker event logs to + be ingested into Splunk. Note that, an additional method to reduce any false positives + would be to add the specific EventCodes - 8003 or 8004 and filter from there. +known_false_positives: False positives are possible if legitimate users are launching + applications that are not permitted by AppLocker. It is recommended to investigate + the context of the application launch to determine if it is malicious or not. Modify + the threshold as needed to reduce false positives. references: - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/querying-application-control-events-centrally-using-advanced-hunting @@ -24,7 +37,8 @@ tags: asset_type: Endpoint confidence: 30 impact: 50 - message: An application launch that deviates from the norm was detected on a host $dest$. + message: An application launch that deviates from the norm was detected on a host + $dest$. mitre_attack_id: - T1218 observable: @@ -46,6 +60,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562/applocker/applocker.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562/applocker/applocker.log sourcetype: xmlwineventlog source: XmlWinEventLog:Microsoft-Windows-AppLocker/MSI and Script diff --git a/detections/endpoint/windows_archive_collected_data_via_powershell.yml b/detections/endpoint/windows_archive_collected_data_via_powershell.yml index 61962cced8..6e45ec66b2 100644 --- a/detections/endpoint/windows_archive_collected_data_via_powershell.yml +++ b/detections/endpoint/windows_archive_collected_data_via_powershell.yml @@ -1,23 +1,23 @@ name: Windows Archive Collected Data via Powershell id: 74c5a3b0-27a7-463c-9d00-1a5bb12cb7b5 -version: 1 -date: '2023-12-19' +version: 2 +date: '2024-05-27' author: Teoderick Contreras, Splunk status: production type: Anomaly data_source: - Powershell Script Block Logging 4104 -description: The following analytic identifies suspicious PowerShell script that archive files to a temp folder. - This anomaly detection serves as a valuable indicator to uncover threats from adversaries utilizing PowerShell scripts - for data archiving purposes. Identifying this method becomes pivotal in flagging and investigating potential threats, - enabling proactive measures threat actors leveraging similar PowerShell-based data collection and archiving techniques. -search: '`powershell` EventCode=4104 ScriptBlockText = "*Compress-Archive*" ScriptBlockText = "*\\Temp\\*" - | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID - | rename Computer as dest - | rename UserID as user - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_archive_collected_data_via_powershell_filter`' +description: The following analytic detects the use of PowerShell scripts to archive + files into a temporary folder. It leverages PowerShell Script Block Logging, specifically + monitoring for the `Compress-Archive` command targeting the `Temp` directory. This + activity is significant as it may indicate an adversary's attempt to collect and + compress data for exfiltration. If confirmed malicious, this behavior could lead + to unauthorized data access and exfiltration, posing a severe risk to sensitive + information and overall network security. +search: '`powershell` EventCode=4104 ScriptBlockText = "*Compress-Archive*" ScriptBlockText + = "*\\Temp\\*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode + ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_archive_collected_data_via_powershell_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. @@ -54,6 +54,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1560/powershell_archive/powershell_archive.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1560/powershell_archive/powershell_archive.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_archive_collected_data_via_rar.yml b/detections/endpoint/windows_archive_collected_data_via_rar.yml index c40dad972e..52f7397116 100644 --- a/detections/endpoint/windows_archive_collected_data_via_rar.yml +++ b/detections/endpoint/windows_archive_collected_data_via_rar.yml @@ -1,28 +1,28 @@ name: Windows Archive Collected Data via Rar id: 2015de95-fe91-413d-9d62-2fe011b67e82 -version: 1 -date: '2023-11-23' +version: 2 +date: '2024-05-22' author: Teoderick Contreras, Splunk status: production type: Anomaly data_source: - Sysmon EventID 1 -description: The following analytic identifies a process execute a rar utilities to archive files. - This method has been exploited by various threat actors, including red-teamers and malware like DarkGate, - to gather and compress collected data on compromised hosts. Subsequently, these archives are transmitted to - command and control servers as part of their data exfiltration techniques. - These adversaries leverage RAR archiving to consolidate and compress collected data on compromised hosts. - Once the data is compiled into these archives, it serves as a means for these entities to effectively exfiltrate sensitive information. - This process involves transferring the archived data to command and control servers, - facilitating the extraction and retrieval of critical information from compromised systems. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes - where Processes.process_name="Rar.exe" OR Processes.original_file_name = "Rar.exe" AND Processes.process = "*a*" Processes.process = "* -ep1*" Processes.process = "* -r*" Processes.process = "* -y*" - Processes.process = "* -v5m*" Processes.process = "* -m1*" - by Processes.process_name Processes.original_file_name Processes.process Processes.process_id - Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user - | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +description: The following analytic identifies the execution of RAR utilities to archive + files on a system. It leverages data from Endpoint Detection and Response (EDR) + agents, focusing on process names, GUIDs, and command-line arguments. This activity + is significant as threat actors, including red-teamers and malware like DarkGate, + use RAR archiving to compress and exfiltrate collected data from compromised hosts. + If confirmed malicious, this behavior could lead to the unauthorized transfer of + sensitive information to command and control servers, posing a severe risk to data + confidentiality and integrity. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name="Rar.exe" + OR Processes.original_file_name = "Rar.exe" AND Processes.process = "*a*" Processes.process + = "* -ep1*" Processes.process = "* -r*" Processes.process = "* -y*" Processes.process + = "* -v5m*" Processes.process = "* -m1*" by Processes.process_name Processes.original_file_name + Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name + Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_archive_collected_data_via_rar_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related @@ -75,6 +75,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1560.001/archive_utility_darkgate/rar_sys.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1560.001/archive_utility_darkgate/rar_sys.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_autoit3_execution.yml b/detections/endpoint/windows_autoit3_execution.yml index 4158c8942c..226da555e3 100644 --- a/detections/endpoint/windows_autoit3_execution.yml +++ b/detections/endpoint/windows_autoit3_execution.yml @@ -1,21 +1,37 @@ name: Windows AutoIt3 Execution id: 0ecb40d9-492b-4a57-9f87-515dd742794c -version: 1 -date: '2023-10-31' +version: 2 +date: '2024-05-28' author: Michael Haag, Splunk status: production type: TTP data_source: - Sysmon EventID 1 -description: The following analytic is designed to detect any execution of AutoIt3, a scripting language designed for automating the Windows GUI and general scripting. This includes instances where AutoIt3 has been renamed or otherwise altered in an attempt to evade detection. The analytic works by searching for process names or original file names that match 'autoit3.exe', which is the default executable for AutoIt scripts. This detection is important as AutoIt3 is often used by attackers to automate malicious activities, such as the execution of malware or other unwanted software. False positives may occur with legitimate uses of AutoIt3. +description: The following analytic detects the execution of AutoIt3, a scripting + language often used for automating Windows GUI tasks and general scripting. It identifies + instances where AutoIt3 or its variants are executed by searching for process names + or original file names matching 'autoit3.exe'. This activity is significant because + attackers frequently use AutoIt3 to automate malicious actions, such as executing + malware. If confirmed malicious, this activity could lead to unauthorized code execution, + system compromise, or further propagation of malware within the environment. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("autoit3.exe", "autoit*.exe") OR Processes.original_file_name IN ("autoit3.exe", "autoit*.exe") - by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `windows_autoit3_execution_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives may be present if the application is legitimately used, filter by user or endpoint as needed. + as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("autoit3.exe", + "autoit*.exe") OR Processes.original_file_name IN ("autoit3.exe", "autoit*.exe") + by Processes.dest Processes.user Processes.parent_process_name Processes.process_name + Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_autoit3_execution_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives may be present if the application is legitimately + used, filter by user or endpoint as needed. references: - https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2023-10-25-IOCs-from-DarkGate-activity.txt tags: @@ -25,7 +41,8 @@ tags: atomic_guid: [] confidence: 100 impact: 50 - message: Execution of AutoIt3 detected. The source process is $parent_process_name$ and the destination process is $process_name$ on $dest$ by + message: Execution of AutoIt3 detected. The source process is $parent_process_name$ + and the destination process is $process_name$ on $dest$ by mitre_attack_id: - T1059 observable: @@ -63,6 +80,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/autoit/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/autoit/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_autostart_execution_lsass_driver_registry_modification.yml b/detections/endpoint/windows_autostart_execution_lsass_driver_registry_modification.yml index 639d32db3a..c3c0f33fdc 100644 --- a/detections/endpoint/windows_autostart_execution_lsass_driver_registry_modification.yml +++ b/detections/endpoint/windows_autostart_execution_lsass_driver_registry_modification.yml @@ -1,16 +1,18 @@ name: Windows Autostart Execution LSASS Driver Registry Modification id: 57fb8656-141e-4d8a-9f51-62cff4ecb82a -version: 1 -date: '2022-08-22' +version: 2 +date: '2024-05-16' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies the abuse of two undocumented registry - keys that allow for a DLL to load into lsass.exe to potentially capture credentials. - Upon successful modification of \CurrentControlSet\Services\NTDS\DirectoryServiceExtPt - or \CurrentControlSet\Services\NTDS\LsaDbExtPt, a DLL either remote or local will - be set as the value and load up into lsass.exe. Based on POC code a text file may - be written to disk with credentials. +description: The following analytic detects modifications to undocumented registry + keys that allow a DLL to load into lsass.exe, potentially capturing credentials. + It leverages the Endpoint.Registry data model to identify changes to \CurrentControlSet\Services\NTDS\DirectoryServiceExtPt + or \CurrentControlSet\Services\NTDS\LsaDbExtPt. This activity is significant as + it indicates a possible attempt to inject malicious code into the Local Security + Authority Subsystem Service (LSASS), which can lead to credential theft. If confirmed + malicious, this could allow attackers to gain unauthorized access to sensitive information + and escalate privileges within the environment. data_source: - Sysmon EventID 12 - Sysmon EventID 13 @@ -64,7 +66,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.008/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.008/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_binary_proxy_execution_mavinject_dll_injection.yml b/detections/endpoint/windows_binary_proxy_execution_mavinject_dll_injection.yml index 5642b5ef8f..2f14bd3f8a 100644 --- a/detections/endpoint/windows_binary_proxy_execution_mavinject_dll_injection.yml +++ b/detections/endpoint/windows_binary_proxy_execution_mavinject_dll_injection.yml @@ -1,18 +1,18 @@ name: Windows Binary Proxy Execution Mavinject DLL Injection id: ccf4b61b-1b26-4f2e-a089-f2009c569c57 -version: 1 -date: '2022-07-07' +version: 2 +date: '2024-05-29' author: Michael Haag, Splunk status: production type: TTP -description: Adversaries may abuse mavinject.exe to inject malicious DLLs into running - processes (i.e. Dynamic-link Library Injection), allowing for arbitrary code execution - (ex. C:\Windows\system32\mavinject.exe PID /INJECTRUNNING PATH_DLL). In addition - to Dynamic-link Library Injection, Mavinject.exe can also be abused to perform import - descriptor injection via its /HMODULE command-line parameter (ex. mavinject.exe - PID /HMODULE=BASE_ADDRESS PATH_DLL ORDINAL_NUMBER). This command would inject an - import table entry consisting of the specified DLL into the module at the given - base address. During triage, review file modifcations and parallel processes. +description: The following analytic detects the use of mavinject.exe for DLL injection + into running processes, identified by specific command-line parameters such as /INJECTRUNNING + and /HMODULE. This detection leverages data from Endpoint Detection and Response + (EDR) agents, focusing on process names and command-line executions. This activity + is significant because it indicates potential arbitrary code execution, a common + tactic for malware deployment and persistence. If confirmed malicious, this could + allow attackers to execute unauthorized code, escalate privileges, and maintain + persistence within the environment, posing a severe security risk. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -86,7 +86,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.013/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.013/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml b/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml index 5532609a59..c7b1e4b4d2 100644 --- a/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml +++ b/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml @@ -1,24 +1,25 @@ name: Windows Boot or Logon Autostart Execution In Startup Folder id: 99d157cb-923f-4a00-aee9-1f385412146f -version: 1 -date: '2023-01-12' +version: 2 +date: '2024-05-19' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This analytic will identify suspicious files dropped or created in the Windows %startup% folder. - This technique is a common way to gain persistence on a targeted host. Threat actor, adversaries and red teamer - abuse this folder path to automatically execute their malicious sample upon boot or restart of the infected host. - This TTP detection is a good indicator that a suspicious process wants to gain persistence on the targeted host. We suggest to - verify the process name by using the process guid field, the file created and also the user and the computer name for further investigation. +description: The following analytic detects the creation of files in the Windows %startup% + folder, a common persistence technique. It leverages the Endpoint.Filesystem data + model to identify file creation events in this specific directory. This activity + is significant because adversaries often use the startup folder to ensure their + malicious code executes automatically upon system boot or user logon. If confirmed + malicious, this could allow attackers to maintain persistence on the host, potentially + leading to further system compromise and unauthorized access to sensitive information. data_source: - Sysmon EventID 11 -search: '|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem - where Filesystem.file_path = "*\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*" - by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.user Filesystem.file_path Filesystem.process_guid Filesystem.dest - | `drop_dm_object_name(Filesystem)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_boot_or_logon_autostart_execution_in_startup_folder_filter`' +search: '|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_path = "*\\Microsoft\\Windows\\Start + Menu\\Programs\\Startup\\*" by Filesystem.file_create_time Filesystem.process_id + Filesystem.file_name Filesystem.user Filesystem.file_path Filesystem.process_guid + Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_boot_or_logon_autostart_execution_in_startup_folder_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. @@ -66,7 +67,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/chaos_ransomware/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/chaos_ransomware/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_bootloader_inventory.yml b/detections/endpoint/windows_bootloader_inventory.yml index 6fedbe5add..a3c6ac2f68 100644 --- a/detections/endpoint/windows_bootloader_inventory.yml +++ b/detections/endpoint/windows_bootloader_inventory.yml @@ -1,21 +1,30 @@ name: Windows BootLoader Inventory id: 4f7e3913-4db3-4ccd-afe4-31198982305d -version: 1 -date: '2023-04-14' +version: 2 +date: '2024-05-15' author: Michael Haag, Splunk status: experimental type: Hunting data_source: [] -description: The following hunting query utilizes a PowerShell Scripted input that captures the bootloader paths for each Windows endpoint it is deployed to. The template inputs.conf is located in the references link. - By default, it only captures the path, but may be modified to capture everything that BCDedit provides. It can be verbose, but may be worth it. -search: '`bootloader_inventory` | stats count min(_time) as firstTime max(_time) - as lastTime values(_raw) by host | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `windows_bootloader_inventory_filter`' -how_to_implement: To implement this analytic, a new stanza will need to be added to a inputs.conf and deployed to all or some Windows endpoints. https://gist.github.com/MHaggis/26518cd2844b0e03de6126660bb45707 provides the stanza. If modifying the sourcetype, be sure to update the Macro for this analytic. Recommend running it daily, or weekly, depending on threat model. -known_false_positives: No false positives here, only bootloaders. Filter as needed or create a lookup as a baseline. +description: The following analytic identifies the bootloader paths on Windows endpoints. + It leverages a PowerShell Scripted input to capture this data, which is then processed + and aggregated using Splunk. Monitoring bootloader paths is significant for a SOC + as it helps detect unauthorized modifications that could indicate bootkits or other + persistent threats. If confirmed malicious, such activity could allow attackers + to maintain persistence, bypass security controls, and potentially control the boot + process, leading to full system compromise. +search: '`bootloader_inventory` | stats count min(_time) as firstTime max(_time) as + lastTime values(_raw) by host | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_bootloader_inventory_filter`' +how_to_implement: To implement this analytic, a new stanza will need to be added to + a inputs.conf and deployed to all or some Windows endpoints. https://gist.github.com/MHaggis/26518cd2844b0e03de6126660bb45707 + provides the stanza. If modifying the sourcetype, be sure to update the Macro for + this analytic. Recommend running it daily, or weekly, depending on threat model. +known_false_positives: No false positives here, only bootloaders. Filter as needed + or create a lookup as a baseline. references: - - https://gist.github.com/MHaggis/26518cd2844b0e03de6126660bb45707 - - https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/ +- https://gist.github.com/MHaggis/26518cd2844b0e03de6126660bb45707 +- https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/ tags: analytic_story: - BlackLotus Campaign @@ -41,4 +50,4 @@ tags: - _time - _raw risk_score: 81 - security_domain: endpoint \ No newline at end of file + security_domain: endpoint diff --git a/detections/endpoint/windows_bypass_uac_via_pkgmgr_tool.yml b/detections/endpoint/windows_bypass_uac_via_pkgmgr_tool.yml index 5738aed020..baaaa620e6 100644 --- a/detections/endpoint/windows_bypass_uac_via_pkgmgr_tool.yml +++ b/detections/endpoint/windows_bypass_uac_via_pkgmgr_tool.yml @@ -1,24 +1,20 @@ name: Windows Bypass UAC via Pkgmgr Tool id: cce58e2c-988a-4319-9390-0daa9eefa3cd -version: 1 -date: '2023-07-26' +version: 2 +date: '2024-05-20' author: Teoderick Contreras, Splunk status: production type: Anomaly data_source: - Sysmon EventID 1 -description: The following analytic identifies a potentially suspicious execution - of the 'pkgmgr' process involving the use of an XML input file for package management. - The 'pkgmgr' process, though deprecated in modern Windows systems, was historically - used for managing packages. The presence of an XML input file raises concerns about - the nature of the executed command and its potential impact on the system. Due to - the deprecated status of 'pkgmgr' and the involvement of an XML file, this activity - warrants careful investigation. XML files are commonly used for configuration and - data exchange, making it crucial to ascertain the intentions and legitimacy of the - command. To ensure system security, it is recommended to use up-to-date package - management utilities, such as DISM or PowerShell's PackageManagement module, and - exercise caution when executing commands involving potentially sensitive operations - or files. +description: The following analytic detects the execution of the deprecated 'pkgmgr.exe' + process with an XML input file, which is unusual and potentially suspicious. This + detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on + process execution details and command-line arguments. The significance lies in the + deprecated status of 'pkgmgr.exe' and the use of XML files, which could indicate + an attempt to bypass User Account Control (UAC). If confirmed malicious, this activity + could allow an attacker to execute commands with elevated privileges, leading to + potential system compromise and unauthorized changes. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = pkgmgr.exe Processes.process = "*.xml*" NOT(Processes.parent_process_path IN("*:\\windows\\system32\\*", @@ -84,6 +80,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/warzone_rat/pkgmgr_uac_bypass/pkgmgr_create_file.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/warzone_rat/pkgmgr_uac_bypass/pkgmgr_create_file.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_cab_file_on_disk.yml b/detections/endpoint/windows_cab_file_on_disk.yml index b39614152e..be9ec1dbfa 100644 --- a/detections/endpoint/windows_cab_file_on_disk.yml +++ b/detections/endpoint/windows_cab_file_on_disk.yml @@ -1,18 +1,36 @@ name: Windows CAB File on Disk id: 622f08d0-69ef-42c2-8139-66088bc25acd -version: 1 -date: '2023-11-08' +version: 2 +date: '2024-05-28' author: Michael Haag, Splunk status: production type: Anomaly data_source: - Sysmon EventID 11 -description: The following analytic identifies .cab files being written to disk. Utilize this analytic as a way to hunt for suspect .cab files being written to non-standard paths and tune as needed. Cab files were recently being utilized to deliver .url files embedded. The .url files were then used to deliver malicious payloads. The search specifically looks for instances where the file name is '*.cab' and the action is 'write'. During the triage process, it is recommended to review the file path for additional artifacts that may provide further insights into the event. +description: The following analytic detects .cab files being written to disk. It leverages + data from Endpoint Detection and Response (EDR) agents, focusing on events where + the file name is '*.cab' and the action is 'write'. This activity is significant + as .cab files can be used to deliver malicious payloads, including embedded .url + files that execute harmful code. If confirmed malicious, this behavior could lead + to unauthorized code execution and potential system compromise. Analysts should + review the file path and associated artifacts for further investigation. search: '| tstats `security_content_summariesonly` count values(Filesystem.file_path) - as file_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_name=*.cab) by Filesystem.dest Filesystem.action Filesystem.process_id Filesystem.file_name - | `drop_dm_object_name("Filesystem")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_cab_file_on_disk_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives will only be present if a process legitimately writes a .cab file to disk. Modify the analytic as needed by file path. Filter as needed. + as file_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem + where (Filesystem.file_name=*.cab) by Filesystem.dest Filesystem.action Filesystem.process_id + Filesystem.file_name | `drop_dm_object_name("Filesystem")` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_cab_file_on_disk_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives will only be present if a process legitimately + writes a .cab file to disk. Modify the analytic as needed by file path. Filter as + needed. references: - https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2023-10-25-IOCs-from-DarkGate-activity.txt tags: @@ -44,6 +62,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/autoit/cab_files.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/autoit/cab_files.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_cached_domain_credentials_reg_query.yml b/detections/endpoint/windows_cached_domain_credentials_reg_query.yml index 2269b4bec5..c1be8ead59 100644 --- a/detections/endpoint/windows_cached_domain_credentials_reg_query.yml +++ b/detections/endpoint/windows_cached_domain_credentials_reg_query.yml @@ -1,17 +1,18 @@ name: Windows Cached Domain Credentials Reg Query id: 40ccb8e0-1785-466e-901e-6a8b75c04ecd -version: 1 -date: '2022-11-30' +version: 2 +date: '2024-05-11' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic identifies a process command line related to the - discovery of cache domain credential logon count in the registry. This Technique - was being abused by several post exploitation tool like Winpeas where it query CachedLogonsCount - registry value in Winlogon registry. This value can be good information about the - login caching setting on the Windows OS target host. A value of 0 means login caching - is disable and values > 50 caches only 50 login attempts. By default all versions - of Windows 10 save cached logins except Windows Server 2008. +description: The following analytic identifies a process command line querying the + CachedLogonsCount registry value in the Winlogon registry. This detection leverages + data from Endpoint Detection and Response (EDR) agents, focusing on command-line + executions and registry queries. Monitoring this activity is significant as it can + indicate the use of post-exploitation tools like Winpeas, which gather information + about login caching settings. If confirmed malicious, this activity could help attackers + understand login caching configurations, potentially aiding in credential theft + or lateral movement within the network. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -77,7 +78,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_change_default_file_association_for_no_file_ext.yml b/detections/endpoint/windows_change_default_file_association_for_no_file_ext.yml index 853763f307..5b487622a8 100644 --- a/detections/endpoint/windows_change_default_file_association_for_no_file_ext.yml +++ b/detections/endpoint/windows_change_default_file_association_for_no_file_ext.yml @@ -1,14 +1,18 @@ name: Windows Change Default File Association For No File Ext id: dbdf52ad-d6a1-4b68-975f-0a10939d8e38 -version: 1 -date: '2022-11-30' +version: 2 +date: '2024-05-21' author: Teoderick Contreras, Splunk status: production type: TTP -description: This analytic is developed to detect suspicious process commandline to - change or set the default file association of a file without file extension with - notepad.exe. This technique was seen in some APT and ransomware Prestige where it - set/modify the default process to run file association, like .txt to notepad.exe. +description: The following analytic detects attempts to change the default file association + for files without an extension to open with Notepad.exe. It leverages data from + Endpoint Detection and Response (EDR) agents, focusing on specific command-line + patterns and registry modifications. This activity is significant as it can indicate + an attempt to manipulate file handling behavior, a technique observed in APT and + ransomware attacks like Prestige. If confirmed malicious, this could allow attackers + to execute arbitrary code by tricking users into opening files, potentially leading + to system compromise or data exfiltration. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -71,7 +75,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/prestige_ransomware/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/prestige_ransomware/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_clipboard_data_via_get_clipboard.yml b/detections/endpoint/windows_clipboard_data_via_get_clipboard.yml index 156a89d1b0..4d38dd0681 100644 --- a/detections/endpoint/windows_clipboard_data_via_get_clipboard.yml +++ b/detections/endpoint/windows_clipboard_data_via_get_clipboard.yml @@ -1,21 +1,23 @@ name: Windows ClipBoard Data via Get-ClipBoard id: ab73289e-2246-4de0-a14b-67006c72a893 -version: 1 -date: '2022-11-30' +version: 2 +date: '2024-05-12' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic identifies a powershell script command to retrieve - clipboard data. This technique was seen in several post exploitation tools like - WINPEAS to steal sensitive information that was saved in clipboard. Using the Get-Clipboard - powershell commandlet, adversaries can be able collect data stored in clipboard - that might be a copied user name, password or other sensitive information. +description: The following analytic detects the execution of the PowerShell command + 'Get-Clipboard' to retrieve clipboard data. It leverages PowerShell Script Block + Logging (EventCode 4104) to identify instances where this command is used. This + activity is significant because it can indicate an attempt to steal sensitive information + such as usernames, passwords, or other confidential data copied to the clipboard. + If confirmed malicious, this behavior could lead to unauthorized access to sensitive + information, potentially compromising user accounts and other critical assets. data_source: - Powershell Script Block Logging 4104 search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-Clipboard*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer - UserID | rename Computer as dest | rename UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `windows_clipboard_data_via_get_clipboard_filter`' + UserID | rename Computer as dest | rename UserID as user| `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_clipboard_data_via_get_clipboard_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. @@ -31,7 +33,8 @@ tags: asset_type: Endpoint confidence: 50 impact: 50 - message: Powershell script $ScriptBlockText$ execute Get-Clipboard commandlet on $dest$ + message: Powershell script $ScriptBlockText$ execute Get-Clipboard commandlet on + $dest$ mitre_attack_id: - T1115 observable: @@ -59,7 +62,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/powershell/windows-powershell-xml2.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/powershell/windows-powershell-xml2.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_com_hijacking_inprocserver32_modification.yml b/detections/endpoint/windows_com_hijacking_inprocserver32_modification.yml index 1ffad64d33..0dca0667c7 100644 --- a/detections/endpoint/windows_com_hijacking_inprocserver32_modification.yml +++ b/detections/endpoint/windows_com_hijacking_inprocserver32_modification.yml @@ -1,18 +1,18 @@ name: Windows COM Hijacking InprocServer32 Modification id: b7bd83c0-92b5-4fc7-b286-23eccfa2c561 -version: 1 -date: '2022-09-26' +version: 2 +date: '2024-05-18' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies the use of reg.exe performing an add - to the InProcServer32, which may be related to COM hijacking. Adversaries can use - the COM system to insert malicious code that can be executed in place of legitimate - software through hijacking the COM references and relationships as a means for persistence. - Hijacking a COM object requires a change in the Registry to replace a reference - to a legitimate system component which may cause that component to not work when - executed. When that system component is executed through normal system operation - the adversary's code will be executed instead. +description: The following analytic detects the modification of the InProcServer32 + registry key by reg.exe, indicative of potential COM hijacking. This detection leverages + data from Endpoint Detection and Response (EDR) agents, focusing on process and + command-line execution logs. COM hijacking is significant as it allows adversaries + to insert malicious code that executes in place of legitimate software, providing + a means for persistence. If confirmed malicious, this activity could enable attackers + to execute arbitrary code, disrupt legitimate system components, and maintain long-term + access to the compromised environment. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -74,7 +74,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.015/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.015/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_command_and_scripting_interpreter_hunting_path_traversal.yml b/detections/endpoint/windows_command_and_scripting_interpreter_hunting_path_traversal.yml index 36bdfb13bb..bae81a6e17 100644 --- a/detections/endpoint/windows_command_and_scripting_interpreter_hunting_path_traversal.yml +++ b/detections/endpoint/windows_command_and_scripting_interpreter_hunting_path_traversal.yml @@ -1,17 +1,18 @@ name: Windows Command and Scripting Interpreter Hunting Path Traversal id: d0026380-b3c4-4da0-ac8e-02790063ff6b -version: 1 -date: '2022-06-01' +version: 2 +date: '2024-05-15' author: Teoderick Contreras, Michael Haag, Splunk status: production type: Hunting -description: The following analytic identifies path traversal command-line execution - and should be used to tune and driver other more higher fidelity analytics. This - technique was seen in malicious document that execute malicious code using msdt.exe - and path traversal technique that serve as defense evasion. This Hunting query is - a good pivot to look for possible suspicious process and command-line that runs - execute path traversal technique to run malicious code. This may help you to find - possible downloaded malware or other lolbin execution. +description: The following analytic identifies path traversal command-line executions, + leveraging data from Endpoint Detection and Response (EDR) agents. It detects patterns + in command-line arguments indicative of path traversal techniques, such as multiple + instances of "/..", "\..", or "\\..". This activity is significant as it often indicates + attempts to evade defenses by executing malicious code, such as through msdt.exe. + If confirmed malicious, this behavior could allow attackers to execute arbitrary + code, potentially leading to system compromise, data exfiltration, or further lateral + movement within the network. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -75,7 +76,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/path_traversal/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/path_traversal/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_command_and_scripting_interpreter_path_traversal_exec.yml b/detections/endpoint/windows_command_and_scripting_interpreter_path_traversal_exec.yml index 777d71c9a1..5158e43544 100644 --- a/detections/endpoint/windows_command_and_scripting_interpreter_path_traversal_exec.yml +++ b/detections/endpoint/windows_command_and_scripting_interpreter_path_traversal_exec.yml @@ -1,16 +1,18 @@ name: Windows Command and Scripting Interpreter Path Traversal Exec id: 58fcdeb1-728d-415d-b0d7-3ab18a275ec2 -version: 2 -date: '2022-06-01' +version: 3 +date: '2024-05-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic identifies path traversal command-line execution. - This technique was seen in malicious document that execute malicious code using - msdt.exe and path traversal technique that serve as defense evasion. This TTP is - a good pivot to look for more suspicious process and command-line that runs before - and after this execution. This may help you to find possible downloaded malware - or other lolbin execution. +description: The following analytic detects path traversal command-line execution, + often used in malicious documents to execute code via msdt.exe for defense evasion. + It leverages Endpoint Detection and Response (EDR) data, focusing on specific patterns + in process paths. This activity is significant as it can indicate an attempt to + bypass security controls and execute unauthorized code. If confirmed malicious, + this behavior could lead to code execution, privilege escalation, or persistence + within the environment, potentially allowing attackers to deploy malware or leverage + other living-off-the-land binaries (LOLBins). data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -70,7 +72,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/path_traversal/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/path_traversal/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_command_shell_dcrat_forkbomb_payload.yml b/detections/endpoint/windows_command_shell_dcrat_forkbomb_payload.yml index 77158c2297..3c450a831b 100644 --- a/detections/endpoint/windows_command_shell_dcrat_forkbomb_payload.yml +++ b/detections/endpoint/windows_command_shell_dcrat_forkbomb_payload.yml @@ -1,16 +1,18 @@ name: Windows Command Shell DCRat ForkBomb Payload id: 2bb1a362-7aa8-444a-92ed-1987e8da83e1 -version: 1 -date: '2022-07-28' +version: 2 +date: '2024-05-24' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic identifies DCRat "forkbomb" payload feature. This - technique was seen in dark crystal RAT backdoor capabilities where it will execute - several cmd child process executing "notepad.exe & pause". The following analytic detects - the multiple cmd.exe and child process notepad.exe execution using batch script - in the targeted host within 30s timeframe. this TTP can be a good pivot to check - DCRat infection. +description: The following analytic detects the execution of a DCRat "forkbomb" payload, + which spawns multiple cmd.exe processes that launch notepad.exe instances in quick + succession. This detection leverages Endpoint Detection and Response (EDR) data, + focusing on the rapid creation of cmd.exe and notepad.exe processes within a 30-second + window. This activity is significant as it indicates a potential DCRat infection, + a known Remote Access Trojan (RAT) with destructive capabilities. If confirmed malicious, + this behavior could lead to system instability, resource exhaustion, and potential + disruption of services. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` values(Processes.process) as process @@ -76,7 +78,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/dcrat_forkbomb/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/dcrat_forkbomb/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_command_shell_fetch_env_variables.yml b/detections/endpoint/windows_command_shell_fetch_env_variables.yml index f379ffb58a..657cb15392 100644 --- a/detections/endpoint/windows_command_shell_fetch_env_variables.yml +++ b/detections/endpoint/windows_command_shell_fetch_env_variables.yml @@ -1,17 +1,18 @@ name: Windows Command Shell Fetch Env Variables id: 048839e4-1eaa-43ff-8a22-86d17f6fcc13 -version: 1 -date: '2022-10-27' +version: 2 +date: '2024-05-28' author: Teoderick Contreras, Splunk status: production type: TTP description: The following analytic identifies a suspicious process command line fetching - the environment variables with a non-shell parent process. This technique was seen - in qakbot malware where it fetches the environment variable in the target or compromised - host. This TTP detection is a good pivot of possible malicious behavior since the - command line is executed by a common non-shell process like cmd.exe , powershell.exe - and many more. This can also be a good sign that the parent process has a malicious - code injected to it to execute this command. + environment variables with a non-shell parent process. It leverages data from Endpoint + Detection and Response (EDR) agents, focusing on command-line executions and parent + process names. This activity is significant as it is commonly associated with malware + like Qakbot, which uses this technique to gather system information. If confirmed + malicious, this behavior could indicate that the parent process has been compromised, + potentially allowing attackers to execute arbitrary commands, escalate privileges, + or persist within the environment. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -72,7 +73,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot_wermgr/sysmon_wermgr.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot_wermgr/sysmon_wermgr.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_common_abused_cmd_shell_risk_behavior.yml b/detections/endpoint/windows_common_abused_cmd_shell_risk_behavior.yml index 2550616e04..2e491afdbf 100644 --- a/detections/endpoint/windows_common_abused_cmd_shell_risk_behavior.yml +++ b/detections/endpoint/windows_common_abused_cmd_shell_risk_behavior.yml @@ -1,21 +1,19 @@ name: Windows Common Abused Cmd Shell Risk Behavior id: e99fcc4f-c6b0-4443-aa2a-e3c85126ec9a -version: 1 -date: '2023-12-27' +version: 2 +date: '2024-05-18' author: Teoderick Contreras, Splunk status: production type: Correlation data_source: [] -description: The following correlation identifies instances where four or more distinct - detection analytics are associated with malicious command line behavior that is - known to be exploited by multiple threat actors, adversaries, or red teamers on - a specific host. By leveraging the Command Line Interface (CLI), attackers can execute - malicious commands, gain access to sensitive data, install backdoors, and engage - in various nefarious activities. The impact of such compromise can be severe, as - attackers may gain unauthorized control over the compromised system, enabling them - to exfiltrate valuable information, escalate privileges, or launch further attacks - within the network. If this detection is triggered, there is a high level of confidence - in the occurrence of suspicious command line activities on the host. +description: The following analytic identifies instances where four or more distinct + detection analytics are associated with malicious command line behavior on a specific + host. This detection leverages the Command Line Interface (CLI) data from various + sources to identify suspicious activities. This behavior is significant as it often + indicates attempts to execute malicious commands, access sensitive data, install + backdoors, or perform other nefarious actions. If confirmed malicious, attackers + could gain unauthorized control, exfiltrate information, escalate privileges, or + launch further attacks within the network, leading to severe compromise. search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as @@ -90,6 +88,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/risk_behavior/abused_commandline/risk_recon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/risk_behavior/abused_commandline/risk_recon.log source: risk sourcetype: stash diff --git a/detections/endpoint/windows_computer_account_created_by_computer_account.yml b/detections/endpoint/windows_computer_account_created_by_computer_account.yml index 04dc959ff9..1d2617f73f 100644 --- a/detections/endpoint/windows_computer_account_created_by_computer_account.yml +++ b/detections/endpoint/windows_computer_account_created_by_computer_account.yml @@ -1,20 +1,25 @@ name: Windows Computer Account Created by Computer Account id: 97a8dc5f-8a7c-4fed-9e3e-ec407fd0268a -version: 2 -date: '2024-04-26' +version: 3 +date: '2024-05-20' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifes a Computer Account creating a new Computer - Account with specific a Service Principle Name - "RestrictedKrbHost". The RestrictedKrbHost - service class allows client applications to use Kerberos authentication when they - do not have the identity of the service but have the server name. +description: The following analytic identifies a computer account creating a new computer + account with a specific Service Principal Name (SPN) "RestrictedKrbHost". This detection + leverages Windows Security Event Logs, specifically EventCode 4741, to identify + such activities. This behavior is significant as it may indicate an attempt to establish + unauthorized Kerberos authentication channels, potentially leading to lateral movement + or privilege escalation. If confirmed malicious, this activity could allow an attacker + to impersonate services, access sensitive information, or maintain persistence within + the network. data_source: - Windows Event Log Security 4741 -search: '`wineventlog_security` EventCode=4741 user_type=computer SubjectDomainName!="NT AUTHORITY" ServicePrincipalNames=*RestrictedKrbHost* - | stats count min(_time) as firstTime max(_time) as lastTime by dest, subject, action ,src_user, user, user_type, SubjectUserName,SubjectDomainName - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `windows_computer_account_created_by_computer_account_filter`' +search: '`wineventlog_security` EventCode=4741 user_type=computer SubjectDomainName!="NT + AUTHORITY" ServicePrincipalNames=*RestrictedKrbHost* | stats count min(_time) as + firstTime max(_time) as lastTime by dest, subject, action ,src_user, user, user_type, + SubjectUserName,SubjectDomainName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_computer_account_created_by_computer_account_filter`' how_to_implement: To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4741 EventCode enabled. The Windows TA is also required. @@ -30,7 +35,8 @@ tags: asset_type: Endpoint confidence: 60 impact: 50 - message: A Computer Account on $dest$ created by a computer account (possibly indicative of Kerberos relay attack). + message: A Computer Account on $dest$ created by a computer account (possibly indicative + of Kerberos relay attack). mitre_attack_id: - T1558 observable: @@ -57,6 +63,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558/windows_computer_account_created_by_computer_account/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558/windows_computer_account_created_by_computer_account/windows-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_conhost_with_headless_argument.yml b/detections/endpoint/windows_conhost_with_headless_argument.yml index f47fe647e5..3c99f93275 100644 --- a/detections/endpoint/windows_conhost_with_headless_argument.yml +++ b/detections/endpoint/windows_conhost_with_headless_argument.yml @@ -1,20 +1,38 @@ name: Windows ConHost with Headless Argument id: d5039508-998d-4cfc-8b5e-9dcd679d9a62 -version: 1 -date: '2023-11-01' +version: 2 +date: '2024-05-17' author: Michael Haag, Splunk status: production type: TTP data_source: - Sysmon EventID 1 -description: 'The following analytic detects the unusual use of the Windows Console Host process (conhost.exe) with the undocumented --headless parameter to spawn a new process. This behavior is highly unusual and indicative of suspicious activity, as the --headless parameter is not commonly used in legitimate operations. The analytic identifies this behavior by looking for instances where conhost.exe is invoked with the --headless argument. This behavior is worth identifying for a Security Operations Center (SOC) as it could indicate an attacker''s attempt to execute commands or scripts in a stealthy manner, potentially to establish persistence, perform lateral movement, or carry out other malicious activities. If a true positive is identified, it suggests that an attacker has gained a foothold in the environment and is attempting to further their attack, which could lead to serious consequences such as data exfiltration, system compromise, or deployment of ransomware. Potential false positives could arise from legitimate administrative activity, hence it is important to validate the context of the detected behavior during triage.' +description: 'The following analytic detects the unusual invocation of the Windows + Console Host process (conhost.exe) with the undocumented --headless parameter. This + detection leverages Endpoint Detection and Response (EDR) telemetry, specifically + monitoring for command-line executions where conhost.exe is executed with the --headless + argument. This activity is significant for a SOC as it is not commonly used in legitimate + operations and may indicate an attacker''s attempt to execute commands stealthily. + If confirmed malicious, this behavior could lead to persistence, lateral movement, + or other malicious activities, potentially resulting in data exfiltration or system + compromise.' search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=conhost.exe Processes.process="*--headless *" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_conhost_with_headless_argument_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives may be present if the application is legitimately used, filter by user or endpoint as needed. + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_conhost_with_headless_argument_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives may be present if the application is legitimately + used, filter by user or endpoint as needed. references: - https://x.com/embee_research/status/1559410767564181504?s=20 - https://x.com/GroupIB_TI/status/1719675754886131959?s=20 @@ -55,6 +73,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1564.003/headless/4688_conhost_headless.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1564.003/headless/4688_conhost_headless.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_credential_access_from_browser_password_store.yml b/detections/endpoint/windows_credential_access_from_browser_password_store.yml index ae1038466b..18dc559f24 100644 --- a/detections/endpoint/windows_credential_access_from_browser_password_store.yml +++ b/detections/endpoint/windows_credential_access_from_browser_password_store.yml @@ -1,7 +1,7 @@ name: Windows Credential Access From Browser Password Store id: 72013a8e-5cea-408a-9d51-5585386b4d69 version: 2 -date: '2024-02-20' +date: '2024-05-29' author: Teoderick Contreras, Bhavin Patel Splunk data_source: - Windows Event Log Security 4663 @@ -23,18 +23,24 @@ search: '`wineventlog_security` EventCode=4663 | `windows_credential_access_from_browser_password_store_filter`' how_to_implement: To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in - Group Policy. Then check the two boxes listed for both "Success" and "Failure." This search may trigger on a browser application that is not included in the browser_app_list lookup file. -known_false_positives: The lookup file `browser_app_list` may not contain all the browser applications that are allowed to access the browser user data profiles. Consider updating the lookup files to add allowed object paths for the browser applications that are not included in the lookup file. + Group Policy. Then check the two boxes listed for both "Success" and "Failure." + This search may trigger on a browser application that is not included in the browser_app_list + lookup file. +known_false_positives: The lookup file `browser_app_list` may not contain all the + browser applications that are allowed to access the browser user data profiles. + Consider updating the lookup files to add allowed object paths for the browser applications + that are not included in the lookup file. references: - - https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger - - https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-malware/snake-keylogger-malware/ +- https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger +- https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-malware/snake-keylogger-malware/ tags: analytic_story: - Snake Keylogger asset_type: Endpoint confidence: 50 impact: 50 - message: A non-common browser process $process_name$ accessing browser user data folder on $dest$ + message: A non-common browser process $process_name$ accessing browser user data + folder on $dest$ mitre_attack_id: - T1012 observable: @@ -60,6 +66,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552/snakey_keylogger_outlook_reg_access/snakekeylogger_4663.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552/snakey_keylogger_outlook_reg_access/snakekeylogger_4663.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_credential_dumping_lsass_memory_createdump.yml b/detections/endpoint/windows_credential_dumping_lsass_memory_createdump.yml index db8319b2db..81aa7093f0 100644 --- a/detections/endpoint/windows_credential_dumping_lsass_memory_createdump.yml +++ b/detections/endpoint/windows_credential_dumping_lsass_memory_createdump.yml @@ -1,14 +1,17 @@ name: Windows Credential Dumping LSASS Memory Createdump id: b3b7ce35-fce5-4c73-85f4-700aeada81a9 -version: 1 -date: '2023-01-23' +version: 2 +date: '2024-05-26' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies the use of CreateDump.exe being used - to perform a process dump. This particular binary is not native to Windows, but - is found to be brought in my many different third party applications including PowerShell - 7. +description: The following analytic detects the use of CreateDump.exe to perform a + process dump. This binary is not native to Windows and is often introduced by third-party + applications, including PowerShell 7. The detection leverages data from Endpoint + Detection and Response (EDR) agents, focusing on process names, GUIDs, and complete + command-line executions. This activity is significant as it may indicate an attempt + to dump LSASS memory, which can be used to extract credentials. If confirmed malicious, + this could lead to unauthorized access and lateral movement within the network. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -81,7 +84,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/createdump_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/createdump_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml index 4009521b51..e340082a93 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml @@ -1,21 +1,19 @@ name: Windows Credentials from Password Stores Chrome Extension Access id: 2e65afe0-9a75-4487-bd87-ada9a9f1b9af -version: 1 -date: '2023-12-27' +version: 2 +date: '2024-05-18' author: Teoderick Contreras, Splunk status: production type: Anomaly data_source: - Windows Event Log Security 4663 -description: This analytic focuses on identifying non-chrome processes that attempt - to access the Chrome extensions file. This file contains crucial settings and information - related to the browser's extensions installed on the computer. Adversaries and malware - authors have been known to exploit this file to extract sensitive information from - the Chrome browser on targeted hosts. Detecting such anomalous behavior provides - valuable insights for analyzing suspicious processes beyond the commonly observed - chrome.exe and explorer.exe executables. By monitoring for access to the Chrome - extensions file by non-chrome processes, we can enhance our ability to detect potential - threats and protect sensitive information stored within the browser. +description: The following analytic detects non-Chrome processes attempting to access + the Chrome extensions file. It leverages Windows Security Event logs, specifically + event code 4663, to identify this behavior. This activity is significant because + adversaries may exploit this file to extract sensitive information from the Chrome + browser, posing a security risk. If confirmed malicious, this could lead to unauthorized + access to stored credentials and other sensitive data, potentially compromising + the security of the affected system and broader network. search: '`wineventlog_security` EventCode=4663 object_file_path="*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\*" AND NOT (process_path IN ("*:\\Windows\\explorer.exe", "*\\chrome.exe")) | stats count min(_time) as firstTime max(_time) as lastTime by @@ -67,6 +65,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/browser_ext_access/security-ext-raw.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/browser_ext_access/security-ext-raw.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml index 740e85b594..fa7a0cbff2 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml @@ -1,28 +1,30 @@ name: Windows Credentials from Password Stores Chrome LocalState Access id: 3b1d09a8-a26f-473e-a510-6c6613573657 -version: 1 -date: '2023-04-26' +version: 2 +date: '2024-05-19' author: Teoderick Contreras, Splunk status: production type: Anomaly data_source: - Windows Event Log Security 4663 -description: This analytic is designed to detect non-chrome processes accessing the Chrome user data file called "local state." - This file contains important settings and information related to the browser's operations on the computer. Threat actors, - adversaries, and malware authors have been known to exploit this file in attempts to extract the encrypted master key used for - decrypting passwords saved in the Chrome browser. Detecting access to the "local state" file by non-chrome processes serves as - a valuable pivot for analyzing suspicious processes beyond the commonly observed chrome.exe and explorer.exe executables. - By monitoring for this anomaly, we can improve our ability to identify potential threats and safeguard sensitive information stored within the browser. -search: '`wineventlog_security` EventCode=4663 object_file_path="*\\AppData\\Local\\Google\\Chrome\\User Data\\Local State" - NOT (process_name IN ("*\\chrome.exe","*:\\Windows\\explorer.exe")) - | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_credentials_from_password_stores_chrome_localstate_access_filter`' +description: The following analytic detects non-Chrome processes accessing the Chrome + "Local State" file, which contains critical settings and information. It leverages + Windows Security Event logs, specifically event code 4663, to identify this behavior. + This activity is significant because threat actors can exploit this file to extract + the encrypted master key used for decrypting saved passwords in Chrome. If confirmed + malicious, this could lead to unauthorized access to sensitive information, posing + a severe security risk. Monitoring this anomaly helps identify potential threats + and safeguard browser-stored data. +search: '`wineventlog_security` EventCode=4663 object_file_path="*\\AppData\\Local\\Google\\Chrome\\User + Data\\Local State" NOT (process_name IN ("*\\chrome.exe","*:\\Windows\\explorer.exe")) + | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name + object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_chrome_localstate_access_filter`' how_to_implement: To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." -known_false_positives: Uninstall chrome application may access this file and folder path to removed chrome installation in target host. Filter is needed. +known_false_positives: Uninstall chrome application may access this file and folder + path to removed chrome installation in target host. Filter is needed. references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer tags: @@ -37,7 +39,8 @@ tags: asset_type: Endpoint confidence: 50 impact: 50 - message: A non-chrome process $process_name$ accessing "Chrome\\User Data\\Local State" file on $dest$ + message: A non-chrome process $process_name$ accessing "Chrome\\User Data\\Local + State" file on $dest$ mitre_attack_id: - T1012 observable: @@ -63,6 +66,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/chrome_local_state_simulate_access/redline-localstate-smalldata-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/chrome_local_state_simulate_access/redline-localstate-smalldata-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml index 5bac7c13c0..729c15e631 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml @@ -1,28 +1,31 @@ name: Windows Credentials from Password Stores Chrome Login Data Access id: 0d32ba37-80fc-4429-809c-0ba15801aeaf -version: 1 -date: '2023-04-27' +version: 2 +date: '2024-05-13' author: Teoderick Contreras, Splunk status: production type: Anomaly data_source: - Windows Event Log Security 4663 -description: This analytic is designed to identify non-chrome processes accessing the Chrome user data file called "login data." - This SQLite database file contains important information related to the browser's operations on the computer. Threat actors, adversaries, - and malware authors have been known to exploit this file in attempts to extract and decrypt passwords saved in the Chrome browser. - Detecting access to the "login data" file by non-chrome processes serves as a valuable pivot for analyzing suspicious processes - beyond the commonly observed chrome.exe and explorer.exe executables. By monitoring for this anomaly, we can enhance our ability - to detect potential threats and protect sensitive information stored within the browser. -search: '`wineventlog_security` EventCode=4663 object_file_path="*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data" - AND NOT (process_path IN ("*:\\Windows\\explorer.exe", "*:\\Windows\\System32\\dllhost.exe", "*\\chrome.exe")) - | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_credentials_from_password_stores_chrome_login_data_access_filter`' +description: The following analytic identifies non-Chrome processes accessing the + Chrome user data file "login data." This file is an SQLite database containing sensitive + information, including saved passwords. The detection leverages Windows Security + Event logs, specifically event code 4663, to monitor access attempts. This activity + is significant as it may indicate attempts by threat actors to extract and decrypt + stored passwords, posing a risk to user credentials. If confirmed malicious, attackers + could gain unauthorized access to sensitive accounts and escalate their privileges + within the environment. +search: '`wineventlog_security` EventCode=4663 object_file_path="*\\AppData\\Local\\Google\\Chrome\\User + Data\\Default\\Login Data" AND NOT (process_path IN ("*:\\Windows\\explorer.exe", + "*:\\Windows\\System32\\dllhost.exe", "*\\chrome.exe")) | stats count min(_time) + as firstTime max(_time) as lastTime by object_file_name object_file_path process_name + process_path process_id EventCode dest | `security_content_ctime(firstTime)` | + `security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_chrome_login_data_access_filter`' how_to_implement: To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." -known_false_positives: Uninstall application may access this registry to remove the entry of the target application. filter is needed. +known_false_positives: Uninstall application may access this registry to remove the + entry of the target application. filter is needed. references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer tags: @@ -37,7 +40,8 @@ tags: asset_type: Endpoint confidence: 70 impact: 70 - message: A non-chrome process $process_name$ accessing Chrome "Login Data" file on $dest$ + message: A non-chrome process $process_name$ accessing Chrome "Login Data" file + on $dest$ mitre_attack_id: - T1012 observable: @@ -63,7 +67,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/chrome_login_data_simulate_access/redline-login-data-security-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/chrome_login_data_simulate_access/redline-login-data-security-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_credentials_from_password_stores_creation.yml b/detections/endpoint/windows_credentials_from_password_stores_creation.yml index f72a2cd1a1..ee120e6d34 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_creation.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_creation.yml @@ -1,25 +1,27 @@ name: Windows Credentials from Password Stores Creation id: c0c5a479-bf57-4ca0-af3a-4c7081e5ba05 -version: 1 -date: '2023-11-23' +version: 2 +date: '2024-05-18' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 1 -description: The following analytic identifies a process execution of Windows OS cmdkey.exe - tool. This tool is being abused or used by several post exploitation tool and malware such as - Darkgate malware to create stored user names, passwords - or credentials in the targeted Windows OS host. This information can be used by - the attacker to gain privilege escalation and persistence in the targeted hosts - for further attacks. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes - where Processes.process_name="cmdkey.exe" OR Processes.original_file_name = "cmdkey.exe" AND Processes.process = "*/generic*" Processes.process IN ("*/user*", "*/password*") - by Processes.process_name Processes.original_file_name Processes.process Processes.process_id - Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user - | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +description: The following analytic detects the execution of the Windows OS tool cmdkey.exe, + which is used to create stored usernames, passwords, or credentials. This detection + leverages data from Endpoint Detection and Response (EDR) agents, focusing on process + execution logs and command-line arguments. This activity is significant because + cmdkey.exe is often abused by post-exploitation tools and malware, such as Darkgate, + to gain unauthorized access. If confirmed malicious, this behavior could allow attackers + to escalate privileges and maintain persistence on the targeted host, facilitating + further attacks and potential data breaches. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name="cmdkey.exe" + OR Processes.original_file_name = "cmdkey.exe" AND Processes.process = "*/generic*" + Processes.process IN ("*/user*", "*/password*") by Processes.process_name Processes.original_file_name + Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name + Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_creation_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related @@ -71,6 +73,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555/cmdkey_create_credential_store/cmdkey_gen_sys.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555/cmdkey_create_credential_store/cmdkey_gen_sys.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_credentials_from_password_stores_deletion.yml b/detections/endpoint/windows_credentials_from_password_stores_deletion.yml index 073acf2aa2..756e14a4d0 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_deletion.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_deletion.yml @@ -1,26 +1,27 @@ name: Windows Credentials from Password Stores Deletion id: 46d676aa-40c6-4fe6-b917-d23b621f0f89 -version: 1 -date: '2023-11-23' +version: 2 +date: '2024-05-16' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 1 -description: The following analytic identifies a process execution of Windows OS cmdkey.exe - tool. This tool is being abused or used by several post exploitation tool and malware such as - Darkgate malware to delete stored user names, passwords - or credentials in the targeted Windows OS host. This information can be used by - the attacker to gain privilege escalation and persistence in the targeted hosts - for further attacks. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes - where Processes.process_name="cmdkey.exe" OR Processes.original_file_name = "cmdkey.exe" AND Processes.process = "*/delete*" +description: The following analytic detects the execution of the Windows OS tool cmdkey.exe + with the /delete parameter. This detection leverages data from Endpoint Detection + and Response (EDR) agents, focusing on process execution logs and command-line arguments. + The activity is significant because cmdkey.exe can be used by attackers to delete + stored credentials, potentially leading to privilege escalation and persistence. + If confirmed malicious, this behavior could allow attackers to remove stored user + credentials, hindering incident response efforts and enabling further unauthorized + access to the compromised system. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name="cmdkey.exe" + OR Processes.original_file_name = "cmdkey.exe" AND Processes.process = "*/delete*" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id - Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user - | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_credentials_from_password_stores_deletion_filter`' + Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid + Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_deletion_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -71,6 +72,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555/cmdkey_delete_credentials_store/cmdkey_del_sys.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555/cmdkey_delete_credentials_store/cmdkey_del_sys.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_credentials_from_password_stores_query.yml b/detections/endpoint/windows_credentials_from_password_stores_query.yml index 3c9a39c0b0..085ac15b7f 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_query.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_query.yml @@ -1,16 +1,18 @@ name: Windows Credentials from Password Stores Query id: db02d6b4-5d5b-4c33-8d8f-f0577516a8c7 -version: 1 -date: '2022-11-30' +version: 2 +date: '2024-05-27' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic identifies a process execution of Windows OS cmdkey.exe - tool. This tool is being abused or used by several post exploitation tool such as - winpeas that being used by ransomware prestige to list stored user names, passwords - or credentials in the targeted Windows OS host. This information can be used by - the attacker to gain privilege escalation and persistence in the targeted hosts - for further attacks. +description: The following analytic detects the execution of the Windows OS tool cmdkey.exe, + which is often abused by post-exploitation tools like winpeas, commonly used in + ransomware attacks to list stored usernames, passwords, or credentials. This detection + leverages data from Endpoint Detection and Response (EDR) agents, focusing on process + execution logs. This activity is significant as it indicates potential credential + harvesting, which can lead to privilege escalation and persistence. If confirmed + malicious, attackers could gain unauthorized access to sensitive information and + maintain control over compromised systems for further exploitation. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -75,7 +77,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/winpeas_cmdkeylist/cmdkey-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/winpeas_cmdkeylist/cmdkey-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_credentials_in_registry_reg_query.yml b/detections/endpoint/windows_credentials_in_registry_reg_query.yml index c3a7ba9c0b..206d4627e5 100644 --- a/detections/endpoint/windows_credentials_in_registry_reg_query.yml +++ b/detections/endpoint/windows_credentials_in_registry_reg_query.yml @@ -1,17 +1,18 @@ name: Windows Credentials in Registry Reg Query id: a8b3124e-2278-4b73-ae9c-585117079fb2 -version: 1 -date: '2022-11-30' +version: 2 +date: '2024-05-16' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic identifies a process command line related to the - discovery of possible password or credentials in the registry. This technique is - being abused by adversaries or post exploitation tools like winpeas to steal credentials - in the registry in the targeted host. Registry can contain several sensitive information - like username and credentials that can be used for privilege escalation, persistence - or even in lateral movement. This Anomaly detection can be a good pivot to detect - a suspicious process querying a registry related to password or private keys. +description: The following analytic identifies processes querying the registry for + potential passwords or credentials. It leverages data from Endpoint Detection and + Response (EDR) agents, focusing on command-line executions that access specific + registry paths known to store sensitive information. This activity is significant + as it may indicate credential theft attempts, often used by adversaries or post-exploitation + tools like winPEAS. If confirmed malicious, this behavior could lead to privilege + escalation, persistence, or lateral movement within the network, posing a severe + security risk. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -78,7 +79,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/winpeas_search_pwd/query-putty-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/winpeas_search_pwd/query-putty-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_curl_download_to_suspicious_path.yml b/detections/endpoint/windows_curl_download_to_suspicious_path.yml index cdf86a9e3d..7b943a9259 100644 --- a/detections/endpoint/windows_curl_download_to_suspicious_path.yml +++ b/detections/endpoint/windows_curl_download_to_suspicious_path.yml @@ -1,18 +1,18 @@ name: Windows Curl Download to Suspicious Path id: c32f091e-30db-11ec-8738-acde48001122 -version: 1 -date: '2021-10-19' +version: 2 +date: '2024-05-18' author: Michael Haag, Splunk status: production type: TTP -description: 'The following analytic identifies the use of Windows Curl.exe downloading - a file to a suspicious location. - - -O or --output is used when a file is to be downloaded and placed in a specified - location. - - During triage, review parallel processes for further behavior. In addition, identify - if the download was successful. If a file was downloaded, capture and analyze.' +description: 'The following analytic detects the use of Windows Curl.exe to download + a file to a suspicious location, such as AppData, ProgramData, or Public directories. + It leverages data from Endpoint Detection and Response (EDR) agents, focusing on + command-line executions that include the -O or --output options. This activity is + significant because downloading files to these locations can indicate an attempt + to bypass security controls or establish persistence. If confirmed malicious, this + behavior could lead to unauthorized code execution, data exfiltration, or further + compromise of the system.' data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -88,6 +88,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon_curl.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon_curl.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_curl_upload_to_remote_destination.yml b/detections/endpoint/windows_curl_upload_to_remote_destination.yml index 53cb82f67f..3c5a338023 100644 --- a/detections/endpoint/windows_curl_upload_to_remote_destination.yml +++ b/detections/endpoint/windows_curl_upload_to_remote_destination.yml @@ -1,28 +1,17 @@ name: Windows Curl Upload to Remote Destination id: 42f8f1a2-4228-11ec-aade-acde48001122 -version: 1 -date: '2021-11-10' +version: 2 +date: '2024-05-20' author: Michael Haag, Splunk status: production type: TTP -description: 'The following analytic identifies the use of Windows Curl.exe uploading - a file to a remote destination. - - `-T` or `--upload-file` is used when a file is to be uploaded to a remotge destination. - - - `-d` or `--data` POST is the HTTP method that was invented to send data to a receiving - web application, and it is, for example, how most common HTML forms on the web work. - - - HTTP multipart formposts are done with `-F`, but this appears to not be compatible - with the Windows version of Curl. Will update if identified adversary tradecraft. - - - Adversaries may use one of the three methods based on the remote destination and - what they are attempting to upload (zip vs txt). During triage, review parallel - processes for further behavior. In addition, identify if the upload was successful - in network logs. If a file was uploaded, isolate the endpoint and review.' +description: 'The following analytic detects the use of Windows Curl.exe to upload + a file to a remote destination. It identifies command-line arguments such as `-T`, + `--upload-file`, `-d`, `--data`, and `-F` in process execution logs. This activity + is significant because adversaries may use Curl to exfiltrate data or upload malicious + payloads. If confirmed malicious, this could lead to data breaches or further compromise + of the system. Analysts should review parallel processes and network logs to determine + if the upload was successful and isolate the endpoint if necessary.' data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -95,6 +84,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon_curl_upload.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon_curl_upload.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_data_destruction_recursive_exec_files_deletion.yml b/detections/endpoint/windows_data_destruction_recursive_exec_files_deletion.yml index 3e7c67923c..9832d05ab5 100644 --- a/detections/endpoint/windows_data_destruction_recursive_exec_files_deletion.yml +++ b/detections/endpoint/windows_data_destruction_recursive_exec_files_deletion.yml @@ -1,31 +1,32 @@ name: Windows Data Destruction Recursive Exec Files Deletion id: 3596a799-6320-4a2f-8772-a9e98ddb2960 -version: 2 -date: '2023-03-05' +version: 3 +date: '2024-05-24' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP -description: This analytic identifies a suspicious process that is recursively deleting - files on a compromised host. This behavior has been observed in several types of destructive malware, - such as CaddyWiper, DoubleZero, and SwiftSlicer, which delete or overwrite - files with randomly generated strings to make recovery impossible. Additionally, this analytic can - detect potential recursive file writes across multiple files using Sysmon Event - 23 or 26. Sysmon considers a file as deleted as soon as it is overwritten. - This analytic serves as a strong indicator of potential destructive malware activity - on a host machine or the uninstallation of a large software application. +description: The following analytic identifies a suspicious process that is recursively + deleting executable files on a compromised host. It leverages Sysmon Event Codes + 23 and 26 to detect this activity by monitoring for a high volume of deletions or + overwrites of files with extensions like .exe, .sys, and .dll. This behavior is + significant as it is commonly associated with destructive malware such as CaddyWiper, + DoubleZero, and SwiftSlicer, which aim to make file recovery impossible. If confirmed + malicious, this activity could lead to significant data loss and system instability, + severely impacting business operations. data_source: - Sysmon EventID 23 - Sysmon EventID 26 -search: '`sysmon` EventCode IN ("23","26") TargetFilename IN ("*.exe", "*.sys", "*.dll") - | bin _time span=2m - | stats count, values(TargetFilename) as deleted_files, min(_time) as firstTime, max(_time) as lastTime by user, dest, signature, signature_id, Image, process_name, process_guid - | rename Image as process - | where count >=500 - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_data_destruction_recursive_exec_files_deletion_filter`' -how_to_implement: To successfully implement this search, you need to ingest logs that include the process name, TargetFilename, and ProcessID executions from your endpoints. If you are using Sysmon, ensure you have at least version 2.0 of the Sysmon TA installed. -known_false_positives: The uninstallation of a large software application or the use of cleanmgr.exe may trigger this detection. A filter is necessary to reduce false positives. +search: '`sysmon` EventCode IN ("23","26") TargetFilename IN ("*.exe", "*.sys", "*.dll") + | bin _time span=2m | stats count, values(TargetFilename) as deleted_files, min(_time) + as firstTime, max(_time) as lastTime by user, dest, signature, signature_id, Image, + process_name, process_guid | rename Image as process | where count >=500 | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_data_destruction_recursive_exec_files_deletion_filter`' +how_to_implement: To successfully implement this search, you need to ingest logs that + include the process name, TargetFilename, and ProcessID executions from your endpoints. + If you are using Sysmon, ensure you have at least version 2.0 of the Sysmon TA installed. +known_false_positives: The uninstallation of a large software application or the use + of cleanmgr.exe may trigger this detection. A filter is necessary to reduce false + positives. references: - https://www.welivesecurity.com/2023/01/27/swiftslicer-new-destructive-wiper-malware-ukraine/ tags: @@ -35,7 +36,8 @@ tags: asset_type: Endpoint confidence: 80 impact: 80 - message: The process $process_name$ has removed a significant quantity of executable files, totaling [$count$], from the destination $dest$. + message: The process $process_name$ has removed a significant quantity of executable + files, totaling [$count$], from the destination $dest$. mitre_attack_id: - T1485 observable: @@ -69,6 +71,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/swift_slicer/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/swift_slicer/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog \ No newline at end of file + sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_debugger_tool_execution.yml b/detections/endpoint/windows_debugger_tool_execution.yml new file mode 100644 index 0000000000..48e3b65ec4 --- /dev/null +++ b/detections/endpoint/windows_debugger_tool_execution.yml @@ -0,0 +1,74 @@ +name: Windows Debugger Tool Execution +id: e14d94a3-07fb-4b47-8406-f5e37180d422 +version: 1 +date: '2024-06-07' +author: Teoderick Contreras, Splunk +data_source: [] +type: Hunting +status: production +description: This analysis detects the use of debugger tools within a production environment. + While these tools are legitimate for file analysis and debugging, they are abused by malware + like PlugX and DarkGate for malicious DLL side-loading. The hunting query aids Security Operations Centers (SOCs) + in identifying potentially suspicious tool executions, particularly for non-technical users in the production network. +search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where Processes.process_name = "x32dbg.exe" OR Processes.process_name = "x64dbg.exe" OR Processes.process_name = "windbg.exe" + by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_debugger_tool_execution_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: administrator or IT professional may execute this application for verifying files or debugging application. +references: +- https://www.splunk.com/en_us/blog/security/enter-the-gates-an-analysis-of-the-darkgate-autoit-loader.html +- https://www.trendmicro.com/en_us/research/23/b/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows.html +tags: + analytic_story: + - DarkGate Malware + - PlugX + asset_type: Endpoint + confidence: 30 + impact: 30 + message: a debugger $process_name$ is executed in $dest$ + mitre_attack_id: + - T1036 + observable: + - name: dest + type: Endpoint + role: + - Victim + - name: user + type: User + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - Processes.parent_process_name + - Processes.parent_process + - Processes.process_name + - Processes.process_id + - Processes.process + - Processes.dest + - Processes.user + - Processes.process_id + - Processes.parent_process_id + risk_score: 9 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/debugger_execution/debugger.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_defacement_modify_transcodedwallpaper_file.yml b/detections/endpoint/windows_defacement_modify_transcodedwallpaper_file.yml index f79e244c2f..4d56e2db30 100644 --- a/detections/endpoint/windows_defacement_modify_transcodedwallpaper_file.yml +++ b/detections/endpoint/windows_defacement_modify_transcodedwallpaper_file.yml @@ -1,16 +1,18 @@ name: Windows Defacement Modify Transcodedwallpaper File id: e11c3d90-5bc7-42ad-94cd-ba75db10d897 -version: 1 -date: '2022-08-25' +version: 2 +date: '2024-05-21' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic identifies a modification to the Transcodedwallpaper - file in the wallpaper theme directory to change the wallpaper of the host machine. - This technique was seen in adversaries attempting to deface or change the desktop - wallpaper of the targeted host. During our testing, the common process that affects - or changes the wallpaper if a user changes it via desktop personalized setting is - explorer.exe. +description: The following analytic identifies modifications to the TranscodedWallpaper + file in the wallpaper theme directory, excluding changes made by explorer.exe. This + detection leverages the Endpoint.Processes and Endpoint.Filesystem data models to + correlate process activity with file modifications. This activity is significant + as it may indicate an adversary attempting to deface or change the desktop wallpaper + of a targeted host, a tactic often used to signal compromise or deliver a message. + If confirmed malicious, this could be a sign of unauthorized access and tampering, + potentially leading to further system compromise or data exfiltration. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes @@ -70,7 +72,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/wallpaper_via_transcodedwallpaper/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/wallpaper_via_transcodedwallpaper/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_default_group_policy_object_modified.yml b/detections/endpoint/windows_default_group_policy_object_modified.yml index c8376387ef..712adb5d73 100644 --- a/detections/endpoint/windows_default_group_policy_object_modified.yml +++ b/detections/endpoint/windows_default_group_policy_object_modified.yml @@ -1,22 +1,21 @@ name: Windows Default Group Policy Object Modified id: fe6a6cc4-9e0d-4d66-bcf4-2c7f44860876 -version: 1 -date: '2023-03-28' +version: 2 +date: '2024-05-26' author: Mauricio Velazco, Splunk status: production type: TTP data_source: - Windows Event Log Security 5136 -description: The following analytic leverages Event ID 5136 to identify the modification - of a default Group Policy Object. A fresh installation of an Active Directory network - will typically contain two default group policy objects `Default Domain Controllers - Policy` and `Default Domain Policy`. The default domain controllers policy is used - to enforce and set policies to all the domain controllers within the domain environment. - The default domain policy is linked to all users and computers by default. An adversary - who has obtained privileged access to an Active Directory network may modify the - default group policy objects to obtain further access, deploy persistence or execute - malware across a large number of hosts. Security teams should monitor the modification - of the default GPOs. +description: The following analytic detects modifications to default Group Policy + Objects (GPOs) using Event ID 5136. It monitors changes to the `Default Domain Controllers + Policy` and `Default Domain Policy`, which are critical for enforcing security settings + across domain controllers and all users/computers, respectively. This activity is + significant because unauthorized changes to these GPOs can indicate an adversary + with privileged access attempting to deploy persistence mechanisms or execute malware + across the network. If confirmed malicious, such modifications could lead to widespread + compromise, allowing attackers to maintain control and execute arbitrary code on + numerous hosts. search: ' `wineventlog_security` EventCode=5136 ObjectClass=groupPolicyContainer AttributeLDAPDisplayName=versionNumber (ObjectDN="CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=POLICIES,CN=SYSTEM,DC=*" OR ObjectDN="CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=POLICIES,CN=SYSTEM,DC=*") @@ -73,6 +72,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/default_domain_policy_modified/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/default_domain_policy_modified/windows-security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_default_group_policy_object_modified_with_gpme.yml b/detections/endpoint/windows_default_group_policy_object_modified_with_gpme.yml index 48ced2ba59..8899947e04 100644 --- a/detections/endpoint/windows_default_group_policy_object_modified_with_gpme.yml +++ b/detections/endpoint/windows_default_group_policy_object_modified_with_gpme.yml @@ -1,22 +1,20 @@ name: Windows Default Group Policy Object Modified with GPME id: eaf688b3-bb8f-454d-b105-920a862cd8cb -version: 1 -date: '2023-04-24' +version: 2 +date: '2024-05-24' author: Mauricio Velazco, Splunk status: production type: TTP data_source: - Sysmon EventID 1 -description: The following analytic leverages the Endpoint datamodel to identify the - potential edition of a default Group Policy Object. A fresh installation of an Active - Directory network will typically contain two default group policy objects `Default - Domain Controllers Policy` and `Default Domain Policy`. The default domain controllers - policy is used to enforce and set policies to all the domain controllers within - the domain environment. The default domain policy is linked to all users and computers - by default. An adversary who has obtained privileged access to an Active Directory - network may modify the default group policy objects to obtain further access, deploy - persistence or execute malware across a large number of hosts. Security teams should - monitor the edition of the default GPOs. +description: The following analytic detects modifications to default Group Policy + Objects (GPOs) using the Group Policy Management Editor (GPME). It leverages the + Endpoint data model to identify processes where `mmc.exe` executes `gpme.msc` with + specific GUIDs related to default GPOs. This activity is significant because default + GPOs, such as the `Default Domain Controllers Policy` and `Default Domain Policy`, + are critical for enforcing security policies across the domain. If malicious, such + modifications could allow an attacker to gain further access, establish persistence, + or deploy malware across numerous hosts, severely compromising the network's security. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=mmc.exe (Processes.process =*gpme.msc*) AND (Processes.process = "*31B2F340-016D-11D2-945F-00C04FB984F9*" @@ -88,6 +86,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/default_domain_policy_modified/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/default_domain_policy_modified/windows-security.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_defender_asr_audit_events.yml b/detections/endpoint/windows_defender_asr_audit_events.yml index 1e15ad34e2..ea86b39227 100644 --- a/detections/endpoint/windows_defender_asr_audit_events.yml +++ b/detections/endpoint/windows_defender_asr_audit_events.yml @@ -1,7 +1,7 @@ name: Windows Defender ASR Audit Events id: 0e4d46b1-22bd-4f0e-8337-ca6f60ad4bea -version: 1 -date: '2023-11-27' +version: 2 +date: '2024-05-17' author: Michael Haag, Splunk status: production type: Anomaly @@ -9,7 +9,7 @@ data_source: - Windows Event Log Defender 1122 - Windows Event Log Defender 1125 - Windows Event Log Defender 1126 -- Windows Event Log Defender 1132 +- Windows Event Log Defender 1132 - Windows Event Log Defender 1134 description: 'This detection searches for Windows Defender ASR audit events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This detection searches for ASR audit events that are generated when a process or application attempts to perform an action that would be blocked by an ASR rule, but is allowed to proceed for auditing purposes.' search: '`ms_defender` EventCode IN (1122, 1125, 1126, 1132, 1134) @@ -28,7 +28,7 @@ tags: atomic_guid: [] confidence: 50 impact: 10 - message: ASR audit event, $ASR_Rule$, was triggered on $dest$. + message: ASR audit event, $ASR_Rule$, was triggered on $dest$. mitre_attack_id: - T1059 - T1566.001 @@ -58,6 +58,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/defender/asr_audit.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/defender/asr_audit.log source: WinEventLog:Microsoft-Windows-Windows Defender/Operational - sourcetype: xmlwineventlog \ No newline at end of file + sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_defender_asr_block_events.yml b/detections/endpoint/windows_defender_asr_block_events.yml index a4d50aa676..7fefbb6800 100644 --- a/detections/endpoint/windows_defender_asr_block_events.yml +++ b/detections/endpoint/windows_defender_asr_block_events.yml @@ -1,7 +1,7 @@ name: Windows Defender ASR Block Events id: 026f5f4e-e99f-4155-9e63-911ba587300b -version: 1 -date: '2023-11-27' +version: 2 +date: '2024-05-13' author: Michael Haag, Splunk status: production type: Anomaly @@ -9,7 +9,7 @@ data_source: - Windows Event Log Defender 1121 - Windows Event Log Defender 1126 - Windows Event Log Defender 1129 -- Windows Event Log Defender 1131 +- Windows Event Log Defender 1131 - Windows Event Log Defender 1133 description: 'This detection searches for Windows Defender ASR block events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This detection searches for ASR block events that are generated when a process or application attempts to perform an action that is blocked by an ASR rule. Typically, these will be enabled in block most after auditing and tuning the ASR rules themselves. Set to TTP once tuned.' search: '`ms_defender` EventCode IN (1121, 1126, 1129, 1131, 1133) @@ -58,6 +58,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/defender/asr_block.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/defender/asr_block.log source: WinEventLog:Microsoft-Windows-Windows Defender/Operational - sourcetype: xmlwineventlog \ No newline at end of file + sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_defender_asr_registry_modification.yml b/detections/endpoint/windows_defender_asr_registry_modification.yml index 4209be0617..b354f2a3a5 100644 --- a/detections/endpoint/windows_defender_asr_registry_modification.yml +++ b/detections/endpoint/windows_defender_asr_registry_modification.yml @@ -1,13 +1,20 @@ name: Windows Defender ASR Registry Modification id: 6a1b6cbe-6612-44c3-92b9-1a1bd77412eb -version: 1 -date: '2023-11-27' +version: 2 +date: '2024-05-26' author: Michael Haag, Splunk status: production type: Hunting data_source: - Windows Event Log Defender 5007 -description: 'This detection searches for Windows Defender ASR registry modification events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This detection searches for ASR registry modification events that are generated when a process or application attempts to modify a registry key that is blocked by an ASR rule. Typically, these will be enabled in block most after auditing and tuning the ASR rules themselves. Set to TTP once tuned.' +description: 'The following analytic detects modifications to Windows Defender Attack + Surface Reduction (ASR) registry settings. It leverages Windows Defender Operational + logs, specifically EventCode 5007, to identify changes in ASR rules. This activity + is significant because ASR rules are designed to block actions commonly used by + malware to exploit systems. Unauthorized modifications to these settings could indicate + an attempt to weaken system defenses. If confirmed malicious, this could allow an + attacker to bypass security measures, leading to potential system compromise and + data breaches.' search: '`ms_defender` EventCode IN (5007) | rex field=New_Value "0x(?\\d+)$" | rex field=Old_Value "0x(?\\d+)$" @@ -18,8 +25,15 @@ search: '`ms_defender` EventCode IN (5007) | lookup asr_rules ID AS ASR_ID OUTPUT ASR_Rule | `security_content_ctime(firstTime)`| rename host as dest | `security_content_ctime(lastTime)` | `windows_defender_asr_registry_modification_filter`' -how_to_implement: The following analytic requires collection of Windows Defender Operational logs in either XML or multi-line. To collect, setup a new input for the Windows Defender Operational logs. In addition, it does require a lookup that maps the ID to ASR Rule name. -known_false_positives: False positives are expected from legitimate applications generating events that are similar to those generated by malicious activity. For example, Event ID 5007 is generated when a process attempts to modify a registry key that is related to ASR rules. This can be triggered by legitimate applications that attempt to modify registry keys that are not blocked by ASR rules. +how_to_implement: The following analytic requires collection of Windows Defender Operational + logs in either XML or multi-line. To collect, setup a new input for the Windows + Defender Operational logs. In addition, it does require a lookup that maps the ID + to ASR Rule name. +known_false_positives: False positives are expected from legitimate applications generating + events that are similar to those generated by malicious activity. For example, Event + ID 5007 is generated when a process attempts to modify a registry key that is related + to ASR rules. This can be triggered by legitimate applications that attempt to modify + registry keys that are not blocked by ASR rules. references: - https://asrgen.streamlit.app/ tags: @@ -57,6 +71,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/defender/asr_registry.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/defender/asr_registry.log source: WinEventLog:Microsoft-Windows-Windows Defender/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_defender_asr_rule_disabled.yml b/detections/endpoint/windows_defender_asr_rule_disabled.yml index a5dd4127ef..04693b4cf6 100644 --- a/detections/endpoint/windows_defender_asr_rule_disabled.yml +++ b/detections/endpoint/windows_defender_asr_rule_disabled.yml @@ -1,7 +1,7 @@ name: Windows Defender ASR Rule Disabled id: 429d611b-3183-49a7-b235-fc4203c4e1cb -version: 1 -date: '2023-11-27' +version: 2 +date: '2024-05-16' author: Michael Haag, Splunk status: production type: TTP @@ -57,6 +57,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/defender/asr_disabled_registry.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/defender/asr_disabled_registry.log source: WinEventLog:Microsoft-Windows-Windows Defender/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_defender_asr_rules_stacking.yml b/detections/endpoint/windows_defender_asr_rules_stacking.yml index 43ae285088..9ef8f5ab7b 100644 --- a/detections/endpoint/windows_defender_asr_rules_stacking.yml +++ b/detections/endpoint/windows_defender_asr_rules_stacking.yml @@ -1,23 +1,29 @@ name: Windows Defender ASR Rules Stacking id: 425a6657-c5e4-4cbb-909e-fc9e5d326f01 -version: 1 -date: '2023-11-20' +version: 2 +date: '2024-05-21' author: Michael Haag, Splunk status: production type: Hunting -data_source: +data_source: - Windows Event Log Defender 1121 - Windows Event Log Defender 1122 - Windows Event Log Defender 1125 - Windows Event Log Defender 1126 - Windows Event Log Defender 1129 -- Windows Event Log Defender 1131 +- Windows Event Log Defender 1131 - Windows Event Log Defender 1133 - Windows Event Log Defender 1134 - Windows Event Log Defender 5007 -description: This hunting analytic targets a range of security events from Microsoft Defender, focusing on the Exploit Guard and Attack Surface Reduction (ASR) features. It monitors specific Event IDs - Event IDs 1121 and 1126 indicate active blocking of unauthorized operations or dangerous network connections, whereas Event IDs 1122 and 1125 represent audit logs for similar activities. Event ID 1129 shows user overrides on blocked operations. For ASR-related activities, Event IDs 1131 and 1133 signal blocked operations, while 1132 and 1134 are audit logs. Event ID 5007 alerts on configuration changes, possibly indicating security breaches. - - Additionally, the analytic utilizes a lookup to correlate ASR rule GUIDs with their descriptive names, enhancing understanding of the context behind these security alerts. This includes rules for blocking vulnerable drivers, restricting actions of Adobe Reader and Office applications, and protecting against various malware and unauthorized system changes. This comprehensive approach aids in assessing policy enforcement and potential security risks. +description: The following analytic identifies security events from Microsoft Defender, + focusing on Exploit Guard and Attack Surface Reduction (ASR) features. It detects + Event IDs 1121, 1126, 1131, and 1133 for blocked operations, and Event IDs 1122, + 1125, 1132, and 1134 for audit logs. Event ID 1129 indicates user overrides, while + Event ID 5007 signals configuration changes. This detection uses a lookup to correlate + ASR rule GUIDs with descriptive names. Monitoring these events is crucial for identifying + unauthorized operations, potential security breaches, and policy enforcement issues. + If confirmed malicious, attackers could bypass security measures, execute unauthorized + actions, or alter system configurations. search: '`ms_defender` EventCode IN (1121, 1122, 1125, 1126, 1129, 1131, 1132, 1133, 1134, 5007) | stats count min(_time) as firstTime max(_time) as lastTime by host Parent_Commandline, Process_Name, Path, ID, EventCode @@ -25,8 +31,17 @@ search: '`ms_defender` | fillnull value=NULL | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| rename host as dest | `windows_defender_asr_rules_stacking_filter`' -how_to_implement: The following analytic requires collection of Windows Defender Operational logs in either XML or multi-line. To collect, setup a new input for the Windows Defender Operational logs. In addition, it does require a lookup that maps the ID to ASR Rule name. Note that Audit and block Event IDs have different fields, therefore the analytic will need to be modified for each type of event. The analytic can be modified to look for specific ASR rules, or to look for specific Event IDs. EventID 5007 is a change in the registry, and may be a false positive. This can be removed from the search if desired. -known_false_positives: False positives are not expected with this analytic, since it is a hunting analytic. It is meant to show the use of ASR rules and how they can be used to detect malicious activity. +how_to_implement: The following analytic requires collection of Windows Defender Operational + logs in either XML or multi-line. To collect, setup a new input for the Windows + Defender Operational logs. In addition, it does require a lookup that maps the ID + to ASR Rule name. Note that Audit and block Event IDs have different fields, therefore + the analytic will need to be modified for each type of event. The analytic can be + modified to look for specific ASR rules, or to look for specific Event IDs. EventID + 5007 is a change in the registry, and may be a false positive. This can be removed + from the search if desired. +known_false_positives: False positives are not expected with this analytic, since + it is a hunting analytic. It is meant to show the use of ASR rules and how they + can be used to detect malicious activity. references: - https://asrgen.streamlit.app/ - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction?view=o365-worldwide @@ -67,6 +82,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/defender/asr_defender_operational.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/defender/asr_defender_operational.log source: WinEventLog:Microsoft-Windows-Windows Defender/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_defender_exclusion_registry_entry.yml b/detections/endpoint/windows_defender_exclusion_registry_entry.yml index 38bad499ca..bd11dc18c9 100644 --- a/detections/endpoint/windows_defender_exclusion_registry_entry.yml +++ b/detections/endpoint/windows_defender_exclusion_registry_entry.yml @@ -1,23 +1,25 @@ name: Windows Defender Exclusion Registry Entry id: 13395a44-4dd9-11ec-9df7-acde48001122 -version: 3 -date: '2023-04-27' +version: 4 +date: '2024-05-21' author: Steven Dick, Teoderick Contreras, Splunk status: production type: TTP -description: This analytic will detect a suspicious process that modify a registry - related to windows defender exclusion feature. This registry is abused by adversaries, - malware author and red teams to bypassed Windows Defender Anti-Virus product by - excluding folder path, file path, process, extensions and etc. from its real time - or schedule scan to execute their malicious code. This is a good indicator for a - defense evasion and to look further for events after this behavior. +description: The following analytic detects modifications to the Windows Defender + exclusion registry entries. It leverages endpoint registry data to identify changes + in the registry path "*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Exclusions\\*". + This activity is significant because adversaries often modify these entries to bypass + Windows Defender, allowing malicious code to execute without detection. If confirmed + malicious, this behavior could enable attackers to evade antivirus defenses, maintain + persistence, and execute further malicious activities undetected. data_source: - Sysmon EventID 12 - Sysmon EventID 13 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Exclusions\\*") - BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name - Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` + BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name + Registry.registry_value_name Registry.registry_value_data Registry.process_guid + | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_defender_exclusion_registry_entry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your @@ -38,7 +40,8 @@ tags: asset_type: Endpoint confidence: 80 impact: 80 - message: Exclusion registry $registry_path$ modified or added on $dest$ for Windows Defender + message: Exclusion registry $registry_path$ modified or added on $dest$ for Windows + Defender mitre_attack_id: - T1562.001 - T1562 @@ -67,6 +70,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/defender_exclusion_sysmon/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/defender_exclusion_sysmon/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_delete_or_modify_system_firewall.yml b/detections/endpoint/windows_delete_or_modify_system_firewall.yml index d5c88db747..aa99fe8e6f 100644 --- a/detections/endpoint/windows_delete_or_modify_system_firewall.yml +++ b/detections/endpoint/windows_delete_or_modify_system_firewall.yml @@ -1,23 +1,25 @@ name: Windows Delete or Modify System Firewall id: b188d11a-eba7-419d-b8b6-cc265b4f2c4f -version: 1 -date: '2023-09-08' +version: 2 +date: '2024-05-19' author: Teoderick Contreras, Splunk status: production type: Anomaly data_source: - Sysmon EventID 1 -description: This analytic identifies potentially malicious 'netsh' processes that manipulate firewall configurations. - This behavior has been observed in the NJRAT malware, which deletes its added firewall rules as part of its cleanup process. - Leveraging this anomaly detection can be a valuable approach for detecting malware, such as NJRAT, - that makes alterations to firewall configurations as a component of its malicious activities. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes - where `process_netsh` Processes.process = "* firewall *" Processes.process = "* delete *" - by Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest - | `drop_dm_object_name("Processes")` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_delete_or_modify_system_firewall_filter`' +description: The following analytic identifies 'netsh' processes that delete or modify + firewall configurations. It leverages data from Endpoint Detection and Response + (EDR) agents, focusing on command-line executions containing specific keywords. + This activity is significant because it can indicate malware, such as NJRAT, attempting + to alter firewall settings to evade detection or remove traces. If confirmed malicious, + this behavior could allow an attacker to disable security measures, facilitating + further compromise and persistence within the network. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_netsh` Processes.process + = "* firewall *" Processes.process = "* delete *" by Processes.parent_process Processes.parent_process_name + Processes.process_name Processes.process_id Processes.process_guid Processes.process + Processes.user Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_delete_or_modify_system_firewall_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -64,6 +66,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.004/njrat_delete_firewall/njrat_delete_firewall.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.004/njrat_delete_firewall/njrat_delete_firewall.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_deleted_registry_by_a_non_critical_process_file_path.yml b/detections/endpoint/windows_deleted_registry_by_a_non_critical_process_file_path.yml index ebbdd17b10..f681d34702 100644 --- a/detections/endpoint/windows_deleted_registry_by_a_non_critical_process_file_path.yml +++ b/detections/endpoint/windows_deleted_registry_by_a_non_critical_process_file_path.yml @@ -1,17 +1,17 @@ name: Windows Deleted Registry By A Non Critical Process File Path id: 15e70689-f55b-489e-8a80-6d0cd6d8aad2 -version: 2 -date: '2023-04-14' +version: 3 +date: '2024-05-16' author: Steven Dick, Teoderick Contreras, Splunk status: production type: Anomaly -description: This analytic is to detect deletion of registry with suspicious process - file path. This technique was seen in Double Zero wiper malware where it will delete - all the subkey in HKLM, HKCU and HKU registry hive as part of its destructive payload - to the targeted hosts. This anomaly detections can catch possible malware or advesaries - deleting registry as part of defense evasion or even payload impact but can also - catch for third party application updates or installation. In this scenario false - positive filter is needed. +description: The following analytic detects the deletion of registry keys by non-critical + processes. It leverages Endpoint Detection and Response (EDR) data, focusing on + registry deletion events and correlating them with processes not typically associated + with system or program files. This activity is significant as it may indicate malware, + such as the Double Zero wiper, attempting to evade defenses or cause destructive + payload impacts. If confirmed malicious, this behavior could lead to significant + system damage, loss of critical configurations, and potential disruption of services. data_source: - Sysmon EventID 12 - Sysmon EventID 13 @@ -46,7 +46,8 @@ tags: asset_type: Endpoint confidence: 60 impact: 60 - message: The registry was deleted by a suspicious process named $process_name$ with the process path $process_path$ on dest $dest$. + message: The registry was deleted by a suspicious process named $process_name$ with + the process path $process_path$ on dest $dest$. mitre_attack_id: - T1112 observable: @@ -79,6 +80,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/doublezero_wiper/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/doublezero_wiper/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_disable_change_password_through_registry.yml b/detections/endpoint/windows_disable_change_password_through_registry.yml index 021121d5aa..c561835edc 100644 --- a/detections/endpoint/windows_disable_change_password_through_registry.yml +++ b/detections/endpoint/windows_disable_change_password_through_registry.yml @@ -1,19 +1,19 @@ name: Windows Disable Change Password Through Registry id: 0df33e1a-9ef6-11ec-a1ad-acde48001122 -version: 3 -date: '2023-04-27' +version: 4 +date: '2024-05-19' author: Steven Dick, Teoderick Contreras, Splunk status: production type: Anomaly -description: This analytic is to detect a suspicious registry modification to disable - change password feature of the windows host. This registry modification may disables - the Change Password button on the Windows Security dialog box (which appears when - you press Ctrl+Alt+Del). As a result, users cannot change their Windows password - on demand. This technique was seen in some malware family like ransomware to prevent - the user to change the password after ownning the network or a system during attack. - This windows feature may implemented by administrator to prevent normal user to - change the password of a critical host or server, In this type of scenario filter - is needed to minimized false positive. +description: The following analytic detects a suspicious registry modification that + disables the Change Password feature on a Windows host. It identifies changes to + the registry path + "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableChangePassword" + with a value of "0x00000001". This activity is significant as it can prevent users + from changing their passwords, a tactic often used by ransomware to maintain control + over compromised systems. If confirmed malicious, this could hinder user response + to an attack, allowing the attacker to persist and potentially escalate their access + within the network. data_source: - Sysmon EventID 12 - Sysmon EventID 13 @@ -64,6 +64,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/ransomware_disable_reg/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/ransomware_disable_reg/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml b/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml index 4d02edfa7e..24eb798ef3 100644 --- a/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml +++ b/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml @@ -1,22 +1,26 @@ name: Windows Disable Lock Workstation Feature Through Registry id: c82adbc6-9f00-11ec-a81f-acde48001122 -version: 3 -date: '2023-04-27' +version: 4 +date: '2024-05-25' author: Steven Dick, Teoderick Contreras, Splunk status: production type: Anomaly -description: This analytic is to detect a suspicious registry modification to disable - Lock Computer windows features. This registry modification prevent the user from - locking its screen or computer that are being abused by several malware for example - ransomware. This technique was used by threat actor to make its payload more impactful - to the compromised host. +description: The following analytic detects a suspicious registry modification that + disables the Lock Computer feature in Windows. It leverages data from the Endpoint.Registry + data model, specifically monitoring changes to the registry path + "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableLockWorkstation" + with a value of "0x00000001". This activity is significant because it prevents users + from locking their screens, a tactic often used by malware, including ransomware, + to maintain control over compromised systems. If confirmed malicious, this could + allow attackers to sustain their presence and execute further malicious actions + without user interruption. data_source: - Sysmon EventID 12 - Sysmon EventID 13 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableLockWorkstation" - Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user Registry.registry_path - Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data + Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user + Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_lock_workstation_feature_through_registry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting @@ -60,6 +64,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/ransomware_disable_reg/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/ransomware_disable_reg/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_disable_logoff_button_through_registry.yml b/detections/endpoint/windows_disable_logoff_button_through_registry.yml index 128d762c72..62e6d17639 100644 --- a/detections/endpoint/windows_disable_logoff_button_through_registry.yml +++ b/detections/endpoint/windows_disable_logoff_button_through_registry.yml @@ -1,28 +1,27 @@ name: Windows Disable LogOff Button Through Registry id: b2fb6830-9ed1-11ec-9fcb-acde48001122 -version: 3 -date: '2023-04-27' +version: 4 +date: '2024-05-30' author: Steven Dick, Teoderick Contreras, Splunk status: production type: Anomaly -description: This analytic is to detect a suspicious registry modification to disable - logoff feature in windows host. This registry when enable will prevent users to - log off of the system by using any method, including programs run from the command - line, such as scripts. It also disables or removes all menu items and buttons that - log the user off of the system. This technique was seen abused by ransomware malware - to make the compromised host un-useful and hard to remove other registry modification - made on the machine that needs restart to take effect. This windows feature may - implement by administrator in some server where shutdown is critical. In that scenario - filter of machine and users that can modify this registry is needed. +description: The following analytic detects a suspicious registry modification that + disables the logoff feature on a Windows host. It leverages data from the Endpoint.Registry + data model to identify changes to specific registry values associated with logoff + functionality. This activity is significant because it can indicate ransomware attempting + to make the compromised host unusable and hinder remediation efforts. If confirmed + malicious, this action could prevent users from logging off, complicate incident + response, and allow attackers to maintain persistence and control over the affected + system. data_source: - Sysmon EventID 12 - Sysmon EventID 13 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\*" Registry.registry_value_name IN ("NoLogOff", "StartMenuLogOff") Registry.registry_value_data - = "0x00000001") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name - Registry.registry_value_name Registry.registry_value_data Registry.process_guid - | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) + = "0x00000001") BY _time span=1h Registry.dest Registry.user Registry.registry_path + Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data + Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_logoff_button_through_registry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your @@ -67,6 +66,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/ransomware_disable_reg/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/ransomware_disable_reg/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_disable_memory_crash_dump.yml b/detections/endpoint/windows_disable_memory_crash_dump.yml index 21c1f1311d..e587837d60 100644 --- a/detections/endpoint/windows_disable_memory_crash_dump.yml +++ b/detections/endpoint/windows_disable_memory_crash_dump.yml @@ -1,16 +1,18 @@ name: Windows Disable Memory Crash Dump id: 59e54602-9680-11ec-a8a6-acde48001122 -version: 2 -date: '2023-04-27' +version: 3 +date: '2024-05-12' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies a process that is attempting to disable - the ability on Windows to generate a memory crash dump. This was recently identified - being utilized by HermeticWiper. To disable crash dumps, the value must be set to - 0. This feature is typically modified to perform a memory crash dump when a computer - stops unexpectedly because of a Stop error (also known as a blue screen, system - crash, or bug check). +description: The following analytic detects attempts to disable the memory crash dump + feature on Windows systems by setting the registry value to 0. It leverages data + from the Endpoint.Registry datamodel, specifically monitoring changes to the CrashDumpEnabled + registry key. This activity is significant because disabling crash dumps can hinder + forensic analysis and incident response efforts. If confirmed malicious, this action + could be part of a broader attack strategy, such as data destruction or system destabilization, + as seen with HermeticWiper, potentially leading to significant operational disruptions + and data loss. data_source: - Sysmon EventID 12 - Sysmon EventID 13 @@ -19,9 +21,7 @@ search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint AND Registry.registry_value_data="0x00000000" by _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.registry_key_name | `drop_dm_object_name(Registry)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_disable_memory_crash_dump_filter`' + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_memory_crash_dump_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` and `Registry` @@ -68,6 +68,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/hermetic_wiper/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/hermetic_wiper/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_disable_notification_center.yml b/detections/endpoint/windows_disable_notification_center.yml index 3873de7f53..45cef9986b 100644 --- a/detections/endpoint/windows_disable_notification_center.yml +++ b/detections/endpoint/windows_disable_notification_center.yml @@ -1,15 +1,17 @@ name: Windows Disable Notification Center id: 1cd983c8-8fd6-11ec-a09d-acde48001122 -version: 3 -date: '2023-12-27' +version: 4 +date: '2024-05-28' author: Steven Dick, Teoderick Contreras, Splunk status: production type: Anomaly -description: The following search identifies a modification of registry to disable - the windows notification center feature in a windows host machine. This registry - modification removes notification and action center from the notification area on - the task bar. This modification are seen in RAT malware to cover their tracks upon - downloading other of its component or other payload. +description: The following analytic detects the modification of the Windows registry + to disable the Notification Center on a host machine. It leverages data from the + Endpoint.Registry data model, specifically looking for changes to the "DisableNotificationCenter" + registry value set to "0x00000001." This activity is significant because disabling + the Notification Center can be a tactic used by RAT malware to hide its presence + and subsequent actions. If confirmed malicious, this could allow an attacker to + operate stealthily, potentially leading to further system compromise and data exfiltration. data_source: - Sysmon EventID 12 - Sysmon EventID 13 @@ -62,6 +64,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/disable_notif_center/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/disable_notif_center/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml b/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml index 0f78726686..762b4cfe59 100644 --- a/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml +++ b/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml @@ -1,22 +1,26 @@ name: Windows Disable or Modify Tools Via Taskkill id: a43ae66f-c410-4b3d-8741-9ce1ad17ddb0 -version: 1 -date: '2023-09-13' +version: 2 +date: '2024-05-28' author: Teoderick Contreras, Splunk status: production type: Anomaly data_source: - Sysmon EventID 1 -description: This analytic is designed to identify potentially malicious processes that terminate other processes using taskkill.exe. - This technique has been observed in various malware instances, employed by adversaries and red teamers alike, to forcibly terminate - other processes whether they be security products or other legitimate applications as part of their malicious activities. - Detecting this anomaly serves as a valuable alert mechanism to identify suspicious processes or malware attempting to evade detection and disrupt system stability. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes - where Processes.process_name = "taskkill.exe" Processes.process IN ("* /f*", "* /t*") Processes.process IN ("* /im*", "* /pid*") - by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.process_guid Processes.user Processes.dest - | `drop_dm_object_name("Processes")` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +description: The following analytic identifies the use of taskkill.exe to forcibly + terminate processes. It leverages data from Endpoint Detection and Response (EDR) + agents, focusing on command-line executions that include specific taskkill parameters. + This activity is significant because it can indicate attempts to disable security + tools or disrupt legitimate applications, a common tactic in malware operations. + If confirmed malicious, this behavior could allow attackers to evade detection, + disrupt system stability, and potentially gain further control over the compromised + system. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "taskkill.exe" + Processes.process IN ("* /f*", "* /t*") Processes.process IN ("* /im*", "* /pid*") + by Processes.parent_process_name Processes.parent_process Processes.process_name + Processes.process Processes.process_id Processes.process_guid Processes.user Processes.dest + | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_or_modify_tools_via_taskkill_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related @@ -27,7 +31,8 @@ how_to_implement: The detection is based on data that originates from Endpoint D the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Network administrator can use this application to kill process during audit or investigation. +known_false_positives: Network administrator can use this application to kill process + during audit or investigation. references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat tags: @@ -73,6 +78,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/taskkill/taskkill_im.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/taskkill/taskkill_im.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_disable_shutdown_button_through_registry.yml b/detections/endpoint/windows_disable_shutdown_button_through_registry.yml index f634c6b352..a34a9efea4 100644 --- a/detections/endpoint/windows_disable_shutdown_button_through_registry.yml +++ b/detections/endpoint/windows_disable_shutdown_button_through_registry.yml @@ -1,25 +1,26 @@ name: Windows Disable Shutdown Button Through Registry id: 55fb2958-9ecd-11ec-a06a-acde48001122 -version: 3 -date: '2023-04-27' +version: 4 +date: '2024-05-19' author: Steven Dick, Teoderick Contreras, Splunk status: production type: Anomaly -description: This analytic is to detect a suspicious registry modification to disable - shutdown button on the logon user. This technique was seen in several malware especially - in ransomware family like killdisk malware variant to make the compromised host - un-useful and hard to remove other registry modification made on the machine that - needs restart to take effect. This windows feature may implement by administrator - in some server where shutdown is critical. In that scenario filter of machine and - users that can modify this registry is needed. +description: The following analytic detects suspicious registry modifications that + disable the shutdown button on a user's logon screen. It leverages data from the + Endpoint.Registry data model, specifically monitoring changes to registry paths + associated with shutdown policies. This activity is significant because it is a + tactic used by malware, particularly ransomware like KillDisk, to hinder system + usability and prevent the removal of malicious changes. If confirmed malicious, + this could impede system recovery efforts, making it difficult to restart the machine + and remove other harmful modifications. data_source: - Sysmon EventID 12 - Sysmon EventID 13 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE ((Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\shutdownwithoutlogon" Registry.registry_value_data = "0x00000000") OR (Registry.registry_path="*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoClose" - Registry.registry_value_data = "0x00000001")) BY _time span=1h Registry.dest Registry.user Registry.registry_path - Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data + Registry.registry_value_data = "0x00000001")) BY _time span=1h Registry.dest Registry.user + Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_shutdown_button_through_registry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting @@ -63,6 +64,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/ransomware_disable_reg/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/ransomware_disable_reg/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_disable_windows_group_policy_features_through_registry.yml b/detections/endpoint/windows_disable_windows_group_policy_features_through_registry.yml index bef9adc5a3..3870d1fb51 100644 --- a/detections/endpoint/windows_disable_windows_group_policy_features_through_registry.yml +++ b/detections/endpoint/windows_disable_windows_group_policy_features_through_registry.yml @@ -1,17 +1,18 @@ name: Windows Disable Windows Group Policy Features Through Registry id: 63a449ae-9f04-11ec-945e-acde48001122 -version: 4 -date: '2023-12-27' +version: 5 +date: '2024-05-27' author: Steven Dick, Teoderick Contreras, Splunk status: production type: Anomaly -description: This analytic is to detect a suspicious registry modification to disable - windows features. These techniques are seen in several ransomware malware to impair - the compromised host to make it hard for analyst to mitigate or response from the - attack. Disabling these known features make the analysis and forensic response more - hard. Disabling these feature is not so common but can still be implemented by the - administrator for security purposes. In this scenario filters for users that are - allowed doing this is needed. +description: The following analytic detects suspicious registry modifications aimed + at disabling Windows Group Policy features. It leverages data from the Endpoint.Registry + data model, focusing on specific registry paths and values associated with disabling + key Windows functionalities. This activity is significant because it is commonly + used by ransomware to hinder mitigation and forensic response efforts. If confirmed + malicious, this behavior could severely impair the ability of security teams to + analyze and respond to the attack, allowing the attacker to maintain control and + persist within the compromised environment. data_source: - Sysmon EventID 12 - Sysmon EventID 13 @@ -68,6 +69,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/ransomware_disable_reg/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/ransomware_disable_reg/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_disableantispyware_registry.yml b/detections/endpoint/windows_disableantispyware_registry.yml index 56f4760159..55092c52fa 100644 --- a/detections/endpoint/windows_disableantispyware_registry.yml +++ b/detections/endpoint/windows_disableantispyware_registry.yml @@ -1,16 +1,19 @@ name: Windows DisableAntiSpyware Registry id: 23150a40-9301-4195-b802-5bb4f43067fb -version: 2 -date: '2023-12-27' +version: 3 +date: '2024-05-28' author: Rod Soto, Jose Hernandez, Michael Haag, Splunk status: production type: TTP -description: The search looks for the Registry Key DisableAntiSpyware set to disable. - This is consistent with Ryuk infections across a fleet of endpoints. This particular - behavior is typically executed when an ransomware actor gains access to an endpoint - and beings to perform execution. Usually, a batch (.bat) will be executed and multiple - registry and scheduled task modifications will occur. During triage, review parallel - processes and identify any further file modifications. Endpoint should be isolated. +description: The following analytic detects the modification of the Windows Registry + key "DisableAntiSpyware" being set to disable. This detection leverages data from + the Endpoint.Registry datamodel, specifically looking for the registry value name + "DisableAntiSpyware" with a value of "0x00000001". This activity is significant + as it is commonly associated with Ryuk ransomware infections, indicating potential + malicious intent to disable Windows Defender. If confirmed malicious, this action + could allow attackers to disable critical security defenses, facilitating further + malicious activities such as data encryption, exfiltration, or additional system + compromise. data_source: - Sysmon EventID 12 - Sysmon EventID 13 @@ -65,6 +68,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_diskcryptor_usage.yml b/detections/endpoint/windows_diskcryptor_usage.yml index 423664785b..c47287a5e0 100644 --- a/detections/endpoint/windows_diskcryptor_usage.yml +++ b/detections/endpoint/windows_diskcryptor_usage.yml @@ -1,15 +1,18 @@ name: Windows DiskCryptor Usage id: d56fe0c8-4650-11ec-a8fa-acde48001122 -version: 1 -date: '2021-11-15' +version: 2 +date: '2024-05-29' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic identifies DiskCryptor process name of dcrypt.exe - or internal name dcinst.exe. This utility has been utilized by adversaries to encrypt - disks manually during an operation. In addition, during install, a dcrypt.sys driver - is installed and requires a reboot in order to take effect. There are no command-line - arguments used. +description: The following analytic detects the execution of DiskCryptor, identified + by the process names "dcrypt.exe" or "dcinst.exe". This detection leverages data + from Endpoint Detection and Response (EDR) agents, focusing on process names and + original file names. DiskCryptor is significant because adversaries use it to manually + encrypt disks during an operation, potentially leading to data inaccessibility. + If confirmed malicious, this activity could result in complete disk encryption, + causing data loss and operational disruption. Immediate investigation is required + to mitigate potential ransomware attacks. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -82,6 +85,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1486/dcrypt/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1486/dcrypt/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_diskshadow_proxy_execution.yml b/detections/endpoint/windows_diskshadow_proxy_execution.yml index d526eef206..dcfe3f0c2a 100644 --- a/detections/endpoint/windows_diskshadow_proxy_execution.yml +++ b/detections/endpoint/windows_diskshadow_proxy_execution.yml @@ -1,16 +1,17 @@ name: Windows Diskshadow Proxy Execution id: 58adae9e-8ea3-11ec-90f6-acde48001122 -version: 1 -date: '2022-02-15' +version: 2 +date: '2024-05-18' author: Lou Stella, Splunk status: production type: TTP -description: DiskShadow.exe is a Microsoft Signed binary present on Windows Server. - It has a scripting mode intended for complex scripted backup operations. This feature - also allows for execution of arbitrary unsigned code. This analytic looks for the - usage of the scripting mode flags in executions of DiskShadow. During triage, compare - to known backup behavior in your environment and then review the scripts called - by diskshadow. +description: The following analytic detects the use of DiskShadow.exe in scripting + mode, which can execute arbitrary unsigned code. It leverages data from Endpoint + Detection and Response (EDR) agents, focusing on command-line executions with scripting + mode flags. This activity is significant because DiskShadow.exe is typically used + for legitimate backup operations, but its misuse can indicate an attempt to execute + unauthorized code. If confirmed malicious, this could lead to unauthorized code + execution, potentially compromising the system and allowing further malicious activities. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -66,6 +67,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218/diskshadow/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218/diskshadow/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_dll_search_order_hijacking_hunt_with_sysmon.yml b/detections/endpoint/windows_dll_search_order_hijacking_hunt_with_sysmon.yml index b03c8ce6da..d023af11cf 100644 --- a/detections/endpoint/windows_dll_search_order_hijacking_hunt_with_sysmon.yml +++ b/detections/endpoint/windows_dll_search_order_hijacking_hunt_with_sysmon.yml @@ -1,26 +1,30 @@ name: Windows DLL Search Order Hijacking Hunt with Sysmon id: 79c7d1fc-64c7-91be-a616-ccda752efe81 -version: 4 -date: '2024-03-17' +version: 5 +date: '2024-05-11' author: Michael Haag, Splunk status: production type: Hunting -description: This hunting analytic identifies known Windows libraries - potentially used in DLL search order hijacking or DLL Sideloading scenarios. Such cases - may necessitate recompiling the DLL, relocating the DLL, or moving the vulnerable process. The - query searches for any processes running outside of system32 or syswow64 directories. Certain libraries - inherently operate from different application paths and must be added to the exclusion list - as required. The lookup includes Microsoft native libraries cataloged in the - Hijacklibs.net project. +description: The following analytic identifies potential DLL search order hijacking + or DLL sideloading by detecting known Windows libraries loaded from non-standard + directories. It leverages Sysmon EventCode 7 to monitor DLL loads and cross-references + them with a lookup of known hijackable libraries. This activity is significant as + it may indicate an attempt to execute malicious code by exploiting DLL search order + vulnerabilities. If confirmed malicious, this could allow attackers to gain code + execution, escalate privileges, or maintain persistence within the environment. data_source: - Sysmon EventID 7 -search: '`sysmon` EventCode=7 NOT (process_path IN ("*\\system32\\*", "*\\syswow64\\*","*\\winsxs\\*","*\\wbem\\*")) - | lookup hijacklibs library AS loaded_file OUTPUT islibrary - | search islibrary = True - | stats count min(_time) as firstTime max(_time) as lastTime values(process_name) as process_name by _time dest loaded_file | `windows_dll_search_order_hijacking_hunt_with_sysmon_filter`' -how_to_implement: The search is written against the latest Sysmon TA 4.0 https://splunkbase.splunk.com/app/5709. For this specific event ID 7, the sysmon TA will extract the ImageLoaded name to the loaded_file field which is used in the search to compare against the hijacklibs lookup. +search: '`sysmon` EventCode=7 NOT (process_path IN ("*\\system32\\*", "*\\syswow64\\*","*\\winsxs\\*","*\\wbem\\*")) + | lookup hijacklibs library AS loaded_file OUTPUT islibrary | search islibrary = + True | stats count min(_time) as firstTime max(_time) as lastTime values(process_name) + as process_name by _time dest loaded_file | `windows_dll_search_order_hijacking_hunt_with_sysmon_filter`' +how_to_implement: The search is written against the latest Sysmon TA 4.0 https://splunkbase.splunk.com/app/5709. + For this specific event ID 7, the sysmon TA will extract the ImageLoaded name to + the loaded_file field which is used in the search to compare against the hijacklibs + lookup. known_false_positives: False positives will be present based on paths. Filter or add - other paths to the exclusion as needed. Some applications may legitimately load libraries from non-standard paths. + other paths to the exclusion as needed. Some applications may legitimately load + libraries from non-standard paths. references: - https://hijacklibs.net tags: @@ -54,7 +58,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.001/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_dll_search_order_hijacking_with_iscsicpl.yml b/detections/endpoint/windows_dll_search_order_hijacking_with_iscsicpl.yml index 060f1aa821..dd0dea9bce 100644 --- a/detections/endpoint/windows_dll_search_order_hijacking_with_iscsicpl.yml +++ b/detections/endpoint/windows_dll_search_order_hijacking_with_iscsicpl.yml @@ -1,17 +1,18 @@ name: Windows DLL Search Order Hijacking with iscsicpl id: f39ee679-3b1e-4f47-841c-5c3c580acda2 -version: 1 -date: '2022-07-29' +version: 2 +date: '2024-05-11' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies a recently disclosed search ordler - DLL hijack in iscsicpl.exe. The malicious DLL must be in a new path and iscsicpl.exe, - upon load, will execute the payload. The analytic is restricted to Windows shells. - Two proof of concepts were identified and utilized to determine the behavior. The - command-line is an option to go after, but most likely identifying a child process - off iscsicpl.exe will be more effective. Monitoring for suspicious DLL loads is - also an option. +description: The following analytic detects DLL search order hijacking involving iscsicpl.exe. + It identifies when iscsicpl.exe loads a malicious DLL from a new path, triggering + the payload execution. This detection leverages data from Endpoint Detection and + Response (EDR) agents, focusing on child processes spawned by iscsicpl.exe. This + activity is significant as it indicates a potential attempt to execute unauthorized + code via DLL hijacking. If confirmed malicious, this could allow an attacker to + execute arbitrary code, escalate privileges, or maintain persistence within the + environment. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -84,7 +85,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.001/iscsicpl/iscsicpl-windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.001/iscsicpl/iscsicpl-windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_dll_side_loading_in_calc.yml b/detections/endpoint/windows_dll_side_loading_in_calc.yml index 5bf3f1def2..358f90443f 100644 --- a/detections/endpoint/windows_dll_side_loading_in_calc.yml +++ b/detections/endpoint/windows_dll_side_loading_in_calc.yml @@ -1,16 +1,18 @@ name: Windows DLL Side-Loading In Calc id: af01f6db-26ac-440e-8d89-2793e303f137 -version: 1 -date: '2022-10-24' +version: 2 +date: '2024-05-10' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic identifies suspicious DLL modules loaded by calc.exe - that are not in windows %systemroot%\system32 or %systemroot%\sysWoW64 folder. This - technique is well used by Qakbot malware to execute its malicious DLL file via dll - side loading technique in calc process execution. This TTP detection is a good indicator - that a suspicious dll was loaded in a public or non-common installation folder of - Windows Operating System that needs further investigation. +description: The following analytic detects suspicious DLL modules loaded by calc.exe + that are not located in the %systemroot%\system32 or %systemroot%\sysWoW64 directories. + This detection leverages Sysmon EventCode 7 to identify DLL side-loading, a technique + often used by Qakbot malware to execute malicious DLLs. This activity is significant + as it indicates potential malware execution through a trusted process, which can + bypass security controls. If confirmed malicious, this could allow attackers to + execute arbitrary code, maintain persistence, and escalate privileges within the + environment. data_source: - Sysmon EventID 7 search: '`sysmon` EventCode=7 Image = "*\calc.exe" AND NOT (Image IN ("*:\\windows\\system32\\*", @@ -63,7 +65,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot2/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot2/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_dll_side_loading_process_child_of_calc.yml b/detections/endpoint/windows_dll_side_loading_process_child_of_calc.yml index 5e6232623e..7e98507043 100644 --- a/detections/endpoint/windows_dll_side_loading_process_child_of_calc.yml +++ b/detections/endpoint/windows_dll_side_loading_process_child_of_calc.yml @@ -1,19 +1,20 @@ name: Windows DLL Side-Loading Process Child Of Calc id: 295ca9ed-e97b-4520-90f7-dfb6469902e1 -version: 1 -date: '2022-10-20' +version: 2 +date: '2024-05-22' author: Teoderick Contreras, Splunk status: production type: Anomaly data_source: - Sysmon EventID 1 -description: The following analytic identifies the suspicious child process of calc.exe - due to dll side loading technique to execute another executable. This technique - was seen in qakbot malware that uses dll side loading technique to calc applications - to load its malicious dll code. The malicious dll that abuses dll side loading technique - will load the actual qakbot loader dll using regsvr32.exe application. This TTP - is a good indicator of qakbot since the calc.exe will not load other child processes - aside from win32calc.exe. +description: The following analytic identifies suspicious child processes spawned + by calc.exe, indicative of DLL side-loading techniques. This detection leverages + data from Endpoint Detection and Response (EDR) agents, focusing on process GUIDs, + names, and parent processes. This activity is significant as it is commonly associated + with Qakbot malware, which uses calc.exe to load malicious DLLs via regsvr32.exe. + If confirmed malicious, this behavior could allow attackers to execute arbitrary + code, maintain persistence, and escalate privileges, posing a severe threat to the + environment. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name = "calc.exe") AND Processes.process_name != "win32calc.exe" by Processes.parent_process @@ -69,7 +70,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_dns_gather_network_info.yml b/detections/endpoint/windows_dns_gather_network_info.yml index b183293b5e..2837575cb7 100644 --- a/detections/endpoint/windows_dns_gather_network_info.yml +++ b/detections/endpoint/windows_dns_gather_network_info.yml @@ -1,21 +1,19 @@ name: Windows DNS Gather Network Info id: 347e0892-e8f3-4512-afda-dc0e3fa996f3 -version: 1 -date: '2023-04-05' +version: 2 +date: '2024-05-30' author: Teoderick Contreras, Splunk type: Anomaly status: production data_source: - Sysmon EventID 1 -description: The following analytic identifies a process command line used to enumerate - DNS records. Adversaries, threat actors, or red teamers may employ this technique - to gather information about a victim's DNS, which can be utilized during targeting. - This method was also observed as part of a tool used by the Sandworm APT group in - a geopolitical cyber warfare attack. By using the dnscmd.exe Windows application, - an attacker can enumerate DNS records for specific domains within the targeted network, - potentially aiding in further attacks. This anomaly detection can serve as a valuable - starting point for identifying users and hostnames that may be compromised or targeted - by adversaries seeking to collect data information. +description: The following analytic detects the use of the dnscmd.exe command to enumerate + DNS records. It leverages data from Endpoint Detection and Response (EDR) agents, + focusing on process command-line executions. This activity is significant as it + may indicate an adversary gathering network information, a common precursor to more + targeted attacks. If confirmed malicious, this behavior could enable attackers to + map the network, identify critical assets, and plan subsequent actions, potentially + leading to data exfiltration or further compromise of the network. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "dnscmd.exe" Processes.process = "* /enumrecords *" by Processes.parent_process Processes.process_name @@ -73,6 +71,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1590.002/enum_dns_record/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1590.002/enum_dns_record/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_dnsadmins_new_member_added.yml b/detections/endpoint/windows_dnsadmins_new_member_added.yml index 46e3cc6784..a4559e7d79 100644 --- a/detections/endpoint/windows_dnsadmins_new_member_added.yml +++ b/detections/endpoint/windows_dnsadmins_new_member_added.yml @@ -1,22 +1,29 @@ name: Windows DnsAdmins New Member Added id: 27e600aa-77f8-4614-bc80-2662a67e2f48 -version: 3 -date: '2023-11-07' +version: 4 +date: '2024-05-29' author: Mauricio Velazco, Splunk status: production type: TTP data_source: - Windows Event Log Security 4732 -description: The following analytic leverages Event ID 4732 to identify the addition of a new member to the DnsAdmins group within Active Directory. . Members of the DnsAdmin group can manage - the DNS service which most of the times runs on the Domain Controller. By abusing legitimate DNS management functionality, a member of the DnsAdmins group can escalate privileges by - executing malicious code on a Domain Controller as SYSTEM. Security teams should monitor the modification of the DnsAdmins group and validate the changes are legitimate. -search: ' `wineventlog_security` EventCode=4732 TargetUserName=DnsAdmins | stats min(_time) as firstTime max(_time) as lastTime values(TargetUserName) as target_users_added values(user) as user by dest src_user - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +description: The following analytic detects the addition of a new member to the DnsAdmins + group in Active Directory by leveraging Event ID 4732. This detection uses security + event logs to identify changes to this high-privilege group. Monitoring this activity + is crucial because members of the DnsAdmins group can manage the DNS service, often + running on Domain Controllers, and potentially execute malicious code with SYSTEM + privileges. If confirmed malicious, this activity could allow an attacker to escalate + privileges and gain control over critical domain services, posing a significant + security risk. +search: ' `wineventlog_security` EventCode=4732 TargetUserName=DnsAdmins | stats min(_time) + as firstTime max(_time) as lastTime values(TargetUserName) as target_users_added + values(user) as user by dest src_user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_dnsadmins_new_member_added_filter`' -how_to_implement: To successfully implement this search, Domain Controller events need to be ingested. The Advanced Security Audit policy setting `Audit Security Group Management` - within `Account Management` needs to be enabled. -known_false_positives: New members can be added to the DnsAdmins group as part of legitimate administrative tasks. Filter as needed. +how_to_implement: To successfully implement this search, Domain Controller events + need to be ingested. The Advanced Security Audit policy setting `Audit Security + Group Management` within `Account Management` needs to be enabled. +known_false_positives: New members can be added to the DnsAdmins group as part of + legitimate administrative tasks. Filter as needed. references: - https://attack.mitre.org/techniques/T1098/ - https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/from-dnsadmins-to-system-to-domain-compromise @@ -53,6 +60,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/dnsadmins_member_added/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/dnsadmins_member_added/windows-security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_domain_account_discovery_via_get_netcomputer.yml b/detections/endpoint/windows_domain_account_discovery_via_get_netcomputer.yml index 8e78873549..ad82cbcb87 100644 --- a/detections/endpoint/windows_domain_account_discovery_via_get_netcomputer.yml +++ b/detections/endpoint/windows_domain_account_discovery_via_get_netcomputer.yml @@ -1,26 +1,30 @@ name: Windows Domain Account Discovery Via Get-NetComputer id: a7fbbc4e-4571-424a-b627-6968e1c939e4 -version: 1 -date: '2023-12-15' +version: 2 +date: '2024-05-30' author: Teoderick Contreras, Splunk status: production type: Anomaly data_source: - Powershell Script Block Logging 4104 -description: The following analytic leverages Event ID 4104 to identify the execution of the PowerView powershell commandlets Get-NetComputer. - This technique was seen used in the context of PowerView's Get-NetUser cmdlet as a filter or parameter - to query Active Directory user account's "samccountname", "accountexpires", "lastlogon" and so on. This hunting query is a good pivot to look for suspicious process - or malware that gather user account information in a host or within network system. -search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-NetComputer*" ScriptBlockText IN ("*samaccountname*", "*accountexpires*", "*lastlogon*", "*lastlogoff*", "*pwdlastset*", "*logoncount*") - | rename Computer as dest, UserID as user - | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_domain_account_discovery_via_get_netcomputer_filter`' +description: The following analytic detects the execution of the PowerView PowerShell + cmdlet Get-NetComputer, which is used to query Active Directory for user account + details such as "samaccountname," "accountexpires," "lastlogon," and more. It leverages + Event ID 4104 from PowerShell Script Block Logging to identify this activity. This + behavior is significant as it may indicate an attempt to gather user account information, + which is often a precursor to further malicious actions. If confirmed malicious, + this activity could lead to unauthorized access, privilege escalation, or lateral + movement within the network. +search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-NetComputer*" ScriptBlockText + IN ("*samaccountname*", "*accountexpires*", "*lastlogon*", "*lastlogoff*", "*pwdlastset*", + "*logoncount*") | rename Computer as dest, UserID as user | stats count min(_time) + as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_domain_account_discovery_via_get_netcomputer_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.= -known_false_positives: Administrators may leverage PowerView for legitimate purposes, filter as needed. +known_false_positives: Administrators may leverage PowerView for legitimate purposes, + filter as needed. references: - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a tags: @@ -53,6 +57,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087/powerview_get_netuser_preauthnotrequire/get-netuser-not-require-pwh.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087/powerview_get_netuser_preauthnotrequire/get-netuser-not-require-pwh.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_domain_admin_impersonation_indicator.yml b/detections/endpoint/windows_domain_admin_impersonation_indicator.yml index f70354e62c..5d572bb1d3 100644 --- a/detections/endpoint/windows_domain_admin_impersonation_indicator.yml +++ b/detections/endpoint/windows_domain_admin_impersonation_indicator.yml @@ -1,7 +1,7 @@ name: Windows Domain Admin Impersonation Indicator id: 10381f93-6d38-470a-9c30-d25478e3bd3f version: 2 -date: '2023-10-06' +date: '2024-05-12' author: Mauricio Velazco, Splunk status: production type: TTP @@ -28,7 +28,8 @@ tags: asset_type: Endpoint confidence: 100 impact: 80 - message: $TargetUserName$ may be impersonating a Domain Administrator through a forged Kerberos ticket. + message: $TargetUserName$ may be impersonating a Domain Administrator through a + forged Kerberos ticket. mitre_attack_id: - T1558 observable: @@ -51,6 +52,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558/diamond_ticket/security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558/diamond_ticket/security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_dotnet_binary_in_non_standard_path.yml b/detections/endpoint/windows_dotnet_binary_in_non_standard_path.yml index 6eba7d2344..3592aa6915 100644 --- a/detections/endpoint/windows_dotnet_binary_in_non_standard_path.yml +++ b/detections/endpoint/windows_dotnet_binary_in_non_standard_path.yml @@ -1,28 +1,29 @@ name: Windows DotNet Binary in Non Standard Path id: fddf3b56-7933-11ec-98a6-acde48001122 -version: 1 -date: '2023-04-14' +version: 2 +date: '2024-05-15' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies native .net binaries within the Windows - operating system that may be abused by adversaries by moving it to a new directory. - The analytic identifies the .net binary by using a lookup and compares the process - name and original file name (internal name). The analytic utilizes a lookup with - the is_net_windows_file_macro macro to identify the binary process name and original file - name. if one or the other matches an alert will be generated. Adversaries abuse - these binaries as they are native to windows and native DotNet. Note that not all - SDK (post install of Windows) are captured in the lookup. +description: The following analytic detects the execution of native .NET binaries + from non-standard directories within the Windows operating system. It leverages + Endpoint Detection and Response (EDR) telemetry, comparing process names and original + file names against a predefined lookup using the `is_net_windows_file_macro` macro. + This activity is significant because adversaries may move .NET binaries to unconventional + paths to evade detection and execute malicious code. If confirmed malicious, this + behavior could allow attackers to execute arbitrary code, escalate privileges, or + maintain persistence within the environment, posing a significant security risk. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where NOT (Processes.process_path IN ("*\\Windows\\ADWS\\*","*\\Windows\\SysWOW64*", "*\\Windows\\system32*", "*\\Windows\\NetworkController\\*", "*\\Windows\\SystemApps\\*", "*\\WinSxS\\*", "*\\Windows\\Microsoft.NET\\*")) by - Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process - Processes.original_file_name Processes.process_path Processes.process_id Processes.parent_process_id - | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `is_net_windows_file_macro` | `windows_dotnet_binary_in_non_standard_path_filter`' + Processes.dest Processes.user Processes.parent_process_name Processes.parent_process + Processes.process_name Processes.process Processes.original_file_name Processes.process_path + Processes.process_id Processes.parent_process_id | `drop_dm_object_name("Processes")` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `is_net_windows_file_macro` + | `windows_dotnet_binary_in_non_standard_path_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -97,6 +98,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.004/atomic_red_team/windows-sysmon_installutil_path.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.004/atomic_red_team/windows-sysmon_installutil_path.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_driver_inventory.yml b/detections/endpoint/windows_driver_inventory.yml index 07510dc9cc..4998c8378d 100644 --- a/detections/endpoint/windows_driver_inventory.yml +++ b/detections/endpoint/windows_driver_inventory.yml @@ -1,15 +1,16 @@ name: Windows Driver Inventory id: f87aa96b-369b-4a3e-9021-1bbacbfcb8fb -version: 1 -date: '2023-02-03' +version: 2 +date: '2024-05-23' author: Michael Haag, Splunk status: experimental type: Hunting -description: The following hunting / inventory query assists defenders in identifying - Drivers being loaded across the fleet. This query relies upon a PowerShell script - input to be deployed to critical systems and beyond. If capturing all via the input, - this will provide retrospection into drivers persisting. Note, that this is not - perfect across a large fleet. Modify the query as you need to view the data differently. +description: The following analytic identifies drivers being loaded across the fleet. + It leverages a PowerShell script input deployed to critical systems to capture driver + data. This detection is significant as it helps monitor for unauthorized or malicious + drivers that could compromise system integrity. If confirmed malicious, such drivers + could allow attackers to execute arbitrary code, escalate privileges, or maintain + persistence within the environment. data_source: [] search: '`driverinventory` | stats values(Path) min(_time) as firstTime max(_time) as lastTime count by host DriverType | rename host as dest | `security_content_ctime(firstTime)` @@ -48,7 +49,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/drivers/driver_inventory.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/drivers/driver_inventory.log source: PwSh:DriverInventory sourcetype: PwSh:DriverInventory update_timestamp: true diff --git a/detections/endpoint/windows_driver_load_non_standard_path.yml b/detections/endpoint/windows_driver_load_non_standard_path.yml index 59c74b59c2..9dd0aacff0 100644 --- a/detections/endpoint/windows_driver_load_non_standard_path.yml +++ b/detections/endpoint/windows_driver_load_non_standard_path.yml @@ -1,69 +1,70 @@ name: Windows Driver Load Non-Standard Path id: 9216ef3d-066a-4958-8f27-c84589465e62 -version: 2 -date: "2023-02-24" +version: 3 +date: "2024-05-22" author: Michael Haag, Splunk status: production type: TTP -description: - The following analytic uses Windows EventCode 7045 to identify new Kernel - Mode Drivers being loaded in Windows from a non-standard path. Note that, adversaries - may move malicious or vulnerable drivers into these paths and load up. The idea - is that this analytic provides visibility into drivers loading in non-standard file - paths. +description: The following analytic detects the loading of new Kernel Mode Drivers + from non-standard paths using Windows EventCode 7045. It identifies drivers not + located in typical directories like Windows, Program Files, or SystemRoot. This + activity is significant because adversaries may use these non-standard paths to + load malicious or vulnerable drivers, potentially bypassing security controls. If + confirmed malicious, this could allow attackers to execute code at the kernel level, + escalate privileges, or maintain persistence within the environment, posing a severe + threat to system integrity and security. data_source: - - Windows Event Log System 7045 -search: '`wineventlog_system` EventCode=7045 ServiceType="kernel mode driver" NOT (ImagePath IN ("*\\Windows\\*", "*\\Program File*", "*\\systemroot\\*","%SystemRoot%*", "system32\*")) - | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ImagePath ServiceName ServiceType | rename Computer as dest - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_driver_load_non_standard_path_filter`' -how_to_implement: - To implement this analytic, the Windows EventCode 7045 will need +- Windows Event Log System 7045 +search: '`wineventlog_system` EventCode=7045 ServiceType="kernel mode driver" NOT + (ImagePath IN ("*\\Windows\\*", "*\\Program File*", "*\\systemroot\\*","%SystemRoot%*", + "system32\*")) | stats count min(_time) as firstTime max(_time) as lastTime by Computer + EventCode ImagePath ServiceName ServiceType | rename Computer as dest | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_driver_load_non_standard_path_filter`' +how_to_implement: To implement this analytic, the Windows EventCode 7045 will need to be logged. The Windows TA for Splunk is also recommended. -known_false_positives: - False positives may be present based on legitimate third party +known_false_positives: False positives may be present based on legitimate third party applications needing to install drivers. Filter, or allow list known good drivers consistently being installed in these paths. references: - - https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/ - - https://attack.mitre.org/techniques/T1014/ - - https://www.fuzzysecurity.com/tutorials/28.html +- https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/ +- https://attack.mitre.org/techniques/T1014/ +- https://www.fuzzysecurity.com/tutorials/28.html tags: - analytic_story: - - Windows Drivers - - CISA AA22-320A - - AgentTesla - - BlackByte Ransomware + analytic_story: + - Windows Drivers + - CISA AA22-320A + - AgentTesla + - BlackByte Ransomware asset_type: Endpoint confidence: 60 impact: 60 message: A kernel mode driver was loaded from a non-standard path on $dest$. mitre_attack_id: - - T1014 - - T1068 + - T1014 + - T1068 observable: - - name: dest - type: Endpoint - role: - - Victim + - name: dest + type: Endpoint + role: + - Victim product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud required_fields: - - _time - - Computer - - EventCode - - ImagePath - - ServiceName - - ServiceType + - _time + - Computer + - EventCode + - ImagePath + - ServiceName + - ServiceType risk_score: 36 security_domain: endpoint tests: - - name: True Positive Test - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/drivers/xml7045_windows-system.log - source: XmlWinEventLog:System - sourcetype: XmlWinEventLog - update_timestamp: true \ No newline at end of file +- name: True Positive Test + attack_data: + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/drivers/xml7045_windows-system.log + source: XmlWinEventLog:System + sourcetype: XmlWinEventLog + update_timestamp: true diff --git a/detections/endpoint/windows_drivers_loaded_by_signature.yml b/detections/endpoint/windows_drivers_loaded_by_signature.yml index cd1d824d2e..1f813a27d6 100644 --- a/detections/endpoint/windows_drivers_loaded_by_signature.yml +++ b/detections/endpoint/windows_drivers_loaded_by_signature.yml @@ -1,21 +1,22 @@ name: Windows Drivers Loaded by Signature id: d2d4af6a-6c2b-4d79-80c5-fc2cf12a2f68 -version: 1 -date: '2022-03-30' +version: 2 +date: '2024-05-10' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic assists with viewing all drivers being loaded - by using Sysmon EventCode 6 (Driver Load). Sysmon provides some simple fields to - assist with identifying suspicious drivers. Use this analytic to look at prevalence - of driver (count), path of driver, signature status and hash. Review these fields - with scrutiny until the ability to prove the driver is legitimate and has a purpose - in the environment. +description: The following analytic identifies all drivers being loaded on Windows + systems using Sysmon EventCode 6 (Driver Load). It leverages fields such as driver + path, signature status, and hash to detect potentially suspicious drivers. This + activity is significant for a SOC as malicious drivers can be used to gain kernel-level + access, bypass security controls, or persist in the environment. If confirmed malicious, + this activity could allow an attacker to execute arbitrary code with high privileges, + leading to severe system compromise and potential data exfiltration. data_source: - Sysmon EventID 6 search: '`sysmon` EventCode=6 | stats min(_time) as firstTime max(_time) as lastTime - values(ImageLoaded) count by dest Signed Signature service_signature_verified - service_signature_exists Hashes | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + values(ImageLoaded) count by dest Signed Signature service_signature_verified service_signature_exists + Hashes | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_drivers_loaded_by_signature_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your @@ -64,6 +65,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1014/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1014/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_enable_win32_scheduledjob_via_registry.yml b/detections/endpoint/windows_enable_win32_scheduledjob_via_registry.yml index 2a58edf0eb..f457c864d3 100644 --- a/detections/endpoint/windows_enable_win32_scheduledjob_via_registry.yml +++ b/detections/endpoint/windows_enable_win32_scheduledjob_via_registry.yml @@ -1,21 +1,40 @@ name: Windows Enable Win32 ScheduledJob via Registry id: 12c80db8-ef62-4456-92df-b23e1b3219f6 -version: 1 -date: '2023-03-27' +version: 2 +date: '2024-05-16' author: Michael Haag, Splunk type: Anomaly status: production data_source: - Sysmon EventID 12 - Sysmon EventID 13 -description: 'This analytic searches for a registry modification that enables the use of the at.exe or wmi Win32_ScheduledJob command to add scheduled tasks on a Windows endpoint. Specifically, it looks for the creation of a new DWORD value named "EnableAt" in the following registry path: "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Configuration". If this value is set to 1, it enables the at.exe and wmi Win32_ScheduledJob commands to schedule tasks on the system. Detecting this registry modification is important because it may indicate that an attacker has enabled the ability to add scheduled tasks to the system, which can be used to execute malicious code at specific times or intervals.' +description: 'The following analytic detects the creation of a new DWORD value named + "EnableAt" in the registry path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Configuration". + This modification enables the use of the at.exe or wmi Win32_ScheduledJob commands + to add scheduled tasks on a Windows endpoint. The detection leverages registry event + data from the Endpoint datamodel. This activity is significant because it may indicate + that an attacker is enabling the ability to schedule tasks, potentially to execute + malicious code at specific times or intervals. If confirmed malicious, this could + allow persistent code execution on the system.' search: '| tstats `security_content_summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) - as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\CurrentVersion\\Schedule\\Configuration*" Registry.registry_value_name=EnableAt by - Registry.dest, Registry.user, Registry.registry_value_name, Registry.registry_value_type | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` + as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\CurrentVersion\\Schedule\\Configuration*" + Registry.registry_value_name=EnableAt by Registry.dest, Registry.user, Registry.registry_value_name, + Registry.registry_value_type | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `windows_enable_win32_scheduledjob_via_registry_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -known_false_positives: In some cases, an automated script or system may enable this setting continuously, leading to false positives. To avoid such situations, it is recommended to monitor the frequency and context of the registry modification and modify or filter the detection rules as needed. This can help to reduce the number of false positives and ensure that only genuine threats are identified. Additionally, it is important to investigate any detected instances of this modification and analyze them in the broader context of the system and network to determine if further action is necessary. +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, + confirm the latest CIM App 4.20 or higher is installed and the latest TA for the + endpoint product. +known_false_positives: In some cases, an automated script or system may enable this + setting continuously, leading to false positives. To avoid such situations, it is + recommended to monitor the frequency and context of the registry modification and + modify or filter the detection rules as needed. This can help to reduce the number + of false positives and ensure that only genuine threats are identified. Additionally, + it is important to investigate any detected instances of this modification and analyze + them in the broader context of the system and network to determine if further action + is necessary. references: - https://securityonline.info/wmiexec-regout-get-outputdata-response-from-registry/ - https://learn.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob @@ -26,7 +45,8 @@ tags: asset_type: Endpoint confidence: 50 impact: 50 - message: A process has modified the schedule task registry value - EnableAt - on endpoint $dest$ by user $user$. + message: A process has modified the schedule task registry value - EnableAt - on + endpoint $dest$ by user $user$. mitre_attack_id: - T1053.005 observable: @@ -44,7 +64,7 @@ tags: - Splunk Cloud required_fields: - _time - - Registry.registry_path + - Registry.registry_path - Registry.dest - Registry.user - Registry.registry_value_name @@ -54,6 +74,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/enableat_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/enableat_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_event_for_service_disabled.yml b/detections/endpoint/windows_event_for_service_disabled.yml index 55b752efdc..400e0541d9 100644 --- a/detections/endpoint/windows_event_for_service_disabled.yml +++ b/detections/endpoint/windows_event_for_service_disabled.yml @@ -1,18 +1,22 @@ name: Windows Event For Service Disabled id: 9c2620a8-94a1-11ec-b40c-acde48001122 -version: 3 -date: '2024-04-26' +version: 4 +date: '2024-05-11' author: Teoderick Contreras, Splunk status: production type: Hunting -description: This analytic will identify suspicious system event of services that - was modified from start to disabled. This technique is seen where the adversary - attempts to disable security app services, other malware services to evade the defense - systems on the compromised host +description: The following analytic detects when a Windows service is modified from + a start type to disabled. It leverages system event logs, specifically EventCode + 7040, to identify this change. This activity is significant because adversaries + often disable security or other critical services to evade detection and maintain + control over a compromised host. If confirmed malicious, this action could allow + attackers to bypass security defenses, leading to further exploitation and persistence + within the environment. data_source: - Windows Event Log System 7040 -search: '`wineventlog_system` EventCode=7040 EventData_Xml="*disabled*" | stats count min(_time) as firstTime max(_time) as lastTime - by Computer EventCode Name UserID service ServiceName | rename Computer as dest | `security_content_ctime(firstTime)` +search: '`wineventlog_system` EventCode=7040 EventData_Xml="*disabled*" | stats count + min(_time) as firstTime max(_time) as lastTime by Computer EventCode Name UserID + service ServiceName | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_event_for_service_disabled_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type @@ -53,6 +57,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/windows_excessive_disabled_services_event/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/windows_excessive_disabled_services_event/windows-xml.log source: XmlWinEventLog:System sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_event_log_cleared.yml b/detections/endpoint/windows_event_log_cleared.yml index 8707301fa0..eb3a155337 100644 --- a/detections/endpoint/windows_event_log_cleared.yml +++ b/detections/endpoint/windows_event_log_cleared.yml @@ -1,16 +1,17 @@ name: Windows Event Log Cleared id: ad517544-aff9-4c96-bd99-d6eb43bfbb6a -version: 7 -date: '2024-04-26' +version: 8 +date: '2024-05-12' author: Rico Valdez, Michael Haag, Splunk status: production type: TTP -description: The following analytic utilizes Windows Security Event ID 1102 or System - log event 104 to identify when a Windows event log is cleared. Note that this analytic - will require tuning or restricted to specific endpoints based on criticality. During - triage, based on time of day and user, determine if this was planned. If not planned, - follow through with reviewing parallel alerts and other data sources to determine - what else may have occurred. +description: The following analytic detects the clearing of Windows event logs by + identifying Windows Security Event ID 1102 or System log event 104. This detection + leverages Windows event logs to monitor for log clearing activities. Such behavior + is significant as it may indicate an attempt to cover tracks after malicious activities. + If confirmed malicious, this action could hinder forensic investigations and allow + attackers to persist undetected, making it crucial to investigate further and correlate + with other alerts and data sources. data_source: - Windows Event Log Security 1102 - Windows Event Log System 104 @@ -57,6 +58,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.001/windows_event_log_cleared/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.001/windows_event_log_cleared/windows-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_event_triggered_image_file_execution_options_injection.yml b/detections/endpoint/windows_event_triggered_image_file_execution_options_injection.yml index 6f01cc52be..66c6eae42d 100644 --- a/detections/endpoint/windows_event_triggered_image_file_execution_options_injection.yml +++ b/detections/endpoint/windows_event_triggered_image_file_execution_options_injection.yml @@ -1,20 +1,18 @@ name: Windows Event Triggered Image File Execution Options Injection id: f7abfab9-12ea-44e8-8745-475f9ca6e0a4 -version: 1 -date: '2022-09-08' +version: 2 +date: '2024-05-31' author: Michael Haag, Splunk status: production type: Hunting -description: The following hunting analytic identifies EventCode 3000 in Application - channel indicating a process exit. This behavior is based on process names being - added to the Image File Execution Options under HKLM \SOFTWARE\Microsoft\Windows - NT\CurrentVersion\Image File Execution Options\ and \SOFTWARE\Microsoft\Windows - NT\CurrentVersion\SilentProcessExit. Once these are set for a process, an eventcode - 3000 will generate. The example used is from Thinkst Canary where a CanaryToken - is setup to monitor for a commonly abused living off the land binary (ex. Klist.exe) - and generate an event when it occurs. This can be seen as settings traps to monitor - for suspicious behavior. Monitor and tune this hunting analytic and setup traps - across your organization and begin monitoring. +description: The following analytic identifies the creation or modification of Image + File Execution Options (IFEO) registry keys, detected via EventCode 3000 in the + Application channel. This detection leverages Windows Event Logs to monitor for + process names added to IFEO under specific registry paths. This activity is significant + as it can indicate attempts to set traps for process monitoring or debugging, often + used by attackers for persistence or evasion. If confirmed malicious, this could + allow an attacker to execute arbitrary code or manipulate process behavior, leading + to potential system compromise. data_source: - Windows Event Log Application 3000 search: '`wineventlog_application` EventCode=3000 | rename param1 AS "Process" param2 @@ -58,7 +56,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.012/atomic_red_team/windows-application.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.012/atomic_red_team/windows-application.log source: XmlWinEventLog:Application sourcetype: XmlWinEventLog update_timestamp: true diff --git a/detections/endpoint/windows_excessive_disabled_services_event.yml b/detections/endpoint/windows_excessive_disabled_services_event.yml index d4c4bb6a54..3ec5426f6f 100644 --- a/detections/endpoint/windows_excessive_disabled_services_event.yml +++ b/detections/endpoint/windows_excessive_disabled_services_event.yml @@ -1,23 +1,24 @@ name: Windows Excessive Disabled Services Event id: c3f85976-94a5-11ec-9a58-acde48001122 -version: 3 -date: '2024-04-26' +version: 4 +date: '2024-05-19' author: Teoderick Contreras, Splunk status: production type: TTP -description: This analytic will identify suspicious excessive number of system events - of services that was modified from start to disabled. This technique is seen where - the adversary attempts to disable security app services, other malware services - oer serve as an destructive impact to complete the objective on the compromised - system. One good example for this scenario is Olympic destroyer where it disable - all active services in the compromised host as part of its destructive impact and - defense evasion. +description: The following analytic identifies an excessive number of system events + where services are modified from start to disabled. It leverages Windows Event Logs + (EventCode 7040) to detect multiple service state changes on a single host. This + activity is significant as it may indicate an adversary attempting to disable security + applications or other critical services, potentially leading to defense evasion + or destructive actions. If confirmed malicious, this behavior could allow attackers + to disable security defenses, disrupt system operations, and achieve their objectives + on the compromised system. data_source: - Windows Event Log System 7040 -search: '`wineventlog_system` EventCode=7040 "disabled" | stats count values(EventData_Xml) as MessageList dc(EventData_Xml) as MessageCount min(_time) as firstTime max(_time) as lastTime by Computer EventCode UserID | rename Computer as dest - | where count >=10 - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +search: '`wineventlog_system` EventCode=7040 "disabled" | stats count values(EventData_Xml) + as MessageList dc(EventData_Xml) as MessageCount min(_time) as firstTime max(_time) + as lastTime by Computer EventCode UserID | rename Computer as dest | where count + >=10 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_excessive_disabled_services_event_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type @@ -32,7 +33,8 @@ tags: asset_type: Endpoint confidence: 90 impact: 90 - message: An excessive number (Count - $MessageCount$) of Windows services were disabled on dest - $dest$. + message: An excessive number (Count - $MessageCount$) of Windows services were disabled + on dest - $dest$. mitre_attack_id: - T1562.001 - T1562 @@ -58,6 +60,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/windows_excessive_disabled_services_event/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/windows_excessive_disabled_services_event/windows-xml.log source: XmlWinEventLog:System sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_executable_in_loaded_modules.yml b/detections/endpoint/windows_executable_in_loaded_modules.yml index ad7666e3f2..d50c4786ac 100644 --- a/detections/endpoint/windows_executable_in_loaded_modules.yml +++ b/detections/endpoint/windows_executable_in_loaded_modules.yml @@ -1,29 +1,30 @@ name: Windows Executable in Loaded Modules id: 3e27af56-fcf0-4113-988d-24969b062be7 -version: 1 -date: '2023-09-12' +version: 2 +date: '2024-05-21' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 7 -description: This analytic identifies potentially malicious 'ImageLoaded' events, particularly when they involve executable files. - This behavior was observed in NjRAT instances, where, during each instance of loading a module from its C2 server onto the compromised host, - Sysmon recorded the path of the actual Image or Process as an 'ImageLoaded' event, rather than the typical tracking of dynamically loaded DLL modules in memory. - This event holds significance because it tracks processes that load modules and libraries, which are typically in the .dll format rather than .exe. - Leveraging this 'Time-To-Perform' (TTP) detection method can prove invaluable for the identification of NjRAT malware or - other malicious software instances that introduce executable files as modules within a targeted host. -search: '`sysmon` EventCode=7 ImageLoaded= *.exe - | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded Signed SignatureStatus OriginalFileName process_name Computer EventCode ProcessId Hashes IMPHASH - | rename Computer as dest - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_executable_in_loaded_modules_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. - If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. +description: The following analytic identifies instances where executable files (.exe) + are loaded as modules, detected through 'ImageLoaded' events in Sysmon logs. This + method leverages Sysmon EventCode 7 to track unusual module loading behavior, which + is significant as it deviates from the norm of loading .dll files. This activity + is crucial for SOC monitoring because it can indicate the presence of malware like + NjRAT, which uses this technique to load malicious modules. If confirmed malicious, + this behavior could allow attackers to execute arbitrary code, maintain persistence, + and further compromise the host system. +search: '`sysmon` EventCode=7 ImageLoaded= *.exe | stats count min(_time) as firstTime + max(_time) as lastTime by Image ImageLoaded Signed SignatureStatus OriginalFileName + process_name Computer EventCode ProcessId Hashes IMPHASH | rename Computer as dest + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_executable_in_loaded_modules_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name and imageloaded executions from your endpoints. If you + are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. known_false_positives: unknown. references: - - https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat +- https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat tags: analytic_story: - NjRAT @@ -45,21 +46,22 @@ tags: risk_score: 64 required_fields: - _time - - Image - - ImageLoaded - - Signed - - SignatureStatus - - OriginalFileName - - process_name - - Computer - - EventCode - - ProcessId - - Hashes - - IMPHASH + - Image + - ImageLoaded + - Signed + - SignatureStatus + - OriginalFileName + - process_name + - Computer + - EventCode + - ProcessId + - Hashes + - IMPHASH security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1129/executable_shared_modules/image_loaded_exe.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1129/executable_shared_modules/image_loaded_exe.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_execute_arbitrary_commands_with_msdt.yml b/detections/endpoint/windows_execute_arbitrary_commands_with_msdt.yml index 7c42d56102..698fe4bfd8 100644 --- a/detections/endpoint/windows_execute_arbitrary_commands_with_msdt.yml +++ b/detections/endpoint/windows_execute_arbitrary_commands_with_msdt.yml @@ -1,15 +1,18 @@ name: Windows Execute Arbitrary Commands with MSDT id: e1d5145f-38fe-42b9-a5d5-457796715f97 -version: 3 -date: '2022-06-29' +version: 4 +date: '2024-05-19' author: Michael Haag, Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic identifies a recently disclosed arbitraty command - execution using Windows msdt.exe - a Diagnostics Troubleshooting Wizard. The sample - identified will use the ms-msdt:/ protocol handler to load msdt.exe to retrieve - a remote payload. During triage, review file modifications for html. Identify parallel - process execution that may be related, including an Office Product. +description: The following analytic detects arbitrary command execution using Windows + msdt.exe, a Diagnostics Troubleshooting Wizard. It leverages Endpoint Detection + and Response (EDR) data to identify instances where msdt.exe is invoked via the + ms-msdt:/ protocol handler to retrieve a remote payload. This activity is significant + as it can indicate an exploitation attempt leveraging msdt.exe to execute arbitrary + commands, potentially leading to unauthorized code execution. If confirmed malicious, + this could allow an attacker to execute arbitrary code, escalate privileges, or + persist within the environment, posing a severe security risk. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -89,7 +92,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/msdt.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/msdt.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_exfiltration_over_c2_via_invoke_restmethod.yml b/detections/endpoint/windows_exfiltration_over_c2_via_invoke_restmethod.yml index a43ee186f0..bbdf5110a0 100644 --- a/detections/endpoint/windows_exfiltration_over_c2_via_invoke_restmethod.yml +++ b/detections/endpoint/windows_exfiltration_over_c2_via_invoke_restmethod.yml @@ -1,18 +1,25 @@ name: Windows Exfiltration Over C2 Via Invoke RestMethod id: 06ade821-f6fa-40d0-80af-15bc1d45b3ba -version: 1 -date: '2023-04-05' +version: 2 +date: '2024-05-21' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Powershell Script Block Logging 4104 -description: The following analytic identifies the potential exfiltration of data using PowerShell's Invoke-RestMethod. This technique was observed in the Winter-Vivern malware, which uploads desktop screenshots and files from compromised or targeted hosts. Detecting this TTP can serve as a valuable indicator that a process is attempting to upload files to an external or internal URI link. We recommend examining the process, the files it is trying to upload, and the URL link or C2 destination where the data is being uploaded. -search: '`powershell` EventCode=4104 ScriptBlockText = "*Invoke-RestMethod *" AND ScriptBlockText = "* -Uri *" AND ScriptBlockText = "* -Method *" AND ScriptBlockText = "* Post *" AND ScriptBlockText = "* -InFile *" - | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_exfiltration_over_c2_via_invoke_restmethod_filter`' +description: The following analytic detects potential data exfiltration using PowerShell's + Invoke-RestMethod. It leverages PowerShell Script Block Logging to identify scripts + that attempt to upload files via HTTP POST requests. This activity is significant + as it may indicate an attacker is exfiltrating sensitive data, such as desktop screenshots + or files, to an external command and control (C2) server. If confirmed malicious, + this could lead to data breaches, loss of sensitive information, and further compromise + of the affected systems. Immediate investigation is recommended to determine the + intent and scope of the activity. +search: '`powershell` EventCode=4104 ScriptBlockText = "*Invoke-RestMethod *" AND + ScriptBlockText = "* -Uri *" AND ScriptBlockText = "* -Method *" AND ScriptBlockText + = "* Post *" AND ScriptBlockText = "* -InFile *" | stats count min(_time) as firstTime + max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_exfiltration_over_c2_via_invoke_restmethod_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. @@ -26,7 +33,8 @@ tags: asset_type: Endpoint confidence: 70 impact: 70 - message: A PowerShell script on $Computer$ is attempting to transfer files to a remote URL. + message: A PowerShell script on $Computer$ is attempting to transfer files to a + remote URL. mitre_attack_id: - T1041 observable: @@ -49,6 +57,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winter-vivern/pwh_exfiltration/windows-powershell-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winter-vivern/pwh_exfiltration/windows-powershell-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational - sourcetype: xmlwineventlog \ No newline at end of file + sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_exfiltration_over_c2_via_powershell_uploadstring.yml b/detections/endpoint/windows_exfiltration_over_c2_via_powershell_uploadstring.yml index c6c320a1cb..cf10e3a8e9 100644 --- a/detections/endpoint/windows_exfiltration_over_c2_via_powershell_uploadstring.yml +++ b/detections/endpoint/windows_exfiltration_over_c2_via_powershell_uploadstring.yml @@ -1,18 +1,24 @@ name: Windows Exfiltration Over C2 Via Powershell UploadString id: 59e8bf41-7472-412a-90d3-00f3afa452e9 -version: 1 -date: '2023-04-05' +version: 2 +date: '2024-05-27' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Powershell Script Block Logging 4104 -description: The following analytic identifies potential data exfiltration using the PowerShell net.webclient command. This technique was observed in the Winter-Vivern malware, which uploads desktop screenshots and files from compromised or targeted hosts. Detecting this TTP can serve as a valuable indicator that a process is attempting to upload files to an external or internal URI link. We recommend examining the process, the files it is trying to upload, and the URL link or C2 destination where the data is being uploaded. -search: '`powershell` EventCode=4104 ScriptBlockText = "*Net.webclient*" AND ScriptBlockText = "*.UploadString*" - | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_exfiltration_over_c2_via_powershell_uploadstring_filter`' +description: The following analytic identifies potential data exfiltration using the + PowerShell `net.webclient` command with the `UploadString` method. It leverages + PowerShell Script Block Logging to detect instances where this command is executed. + This activity is significant as it may indicate an attempt to upload sensitive data, + such as desktop screenshots or files, to an external or internal URI, often associated + with malware like Winter-Vivern. If confirmed malicious, this could lead to unauthorized + data transfer, compromising sensitive information and potentially leading to further + exploitation of the compromised host. +search: '`powershell` EventCode=4104 ScriptBlockText = "*Net.webclient*" AND ScriptBlockText + = "*.UploadString*" | stats count min(_time) as firstTime max(_time) as lastTime + by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_exfiltration_over_c2_via_powershell_uploadstring_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. @@ -26,7 +32,8 @@ tags: asset_type: Endpoint confidence: 70 impact: 70 - message: A PowerShell script on $Computer$ is attempting to transfer files to a remote URL. + message: A PowerShell script on $Computer$ is attempting to transfer files to a + remote URL. mitre_attack_id: - T1041 observable: @@ -49,6 +56,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winter-vivern/pwh_uploadstring/windows-powershell-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winter-vivern/pwh_uploadstring/windows-powershell-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational - sourcetype: xmlwineventlog \ No newline at end of file + sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_export_certificate.yml b/detections/endpoint/windows_export_certificate.yml index 8236df3628..7b7b8813e6 100644 --- a/detections/endpoint/windows_export_certificate.yml +++ b/detections/endpoint/windows_export_certificate.yml @@ -1,17 +1,16 @@ name: Windows Export Certificate id: d8ddfa9b-b724-4df9-9dbe-f34cc0936714 -version: 2 -date: '2023-02-11' +version: 3 +date: '2024-05-16' author: Michael Haag, Splunk status: production type: Anomaly -description: The following analytic identifies when a certificate is exported from - the Windows Certificate Store. This analytic utilizes the Certificates Lifecycle - log channel event ID 1007. EventID 1007 is focused on the Export of a certificate - from the local certificate store. In addition, review the ProcessName field as it - will help to determine automation/Admin or adversary extracting the certificate. - Depending on the organization, the certificate may be used for authentication to - the VPN or private resources. +description: The following analytic detects the export of a certificate from the Windows + Certificate Store. It leverages the Certificates Lifecycle log channel, specifically + event ID 1007, to identify this activity. Monitoring certificate exports is crucial + as certificates can be used for authentication to VPNs or private resources. If + malicious actors export certificates, they could potentially gain unauthorized access + to sensitive systems or data, leading to significant security breaches. data_source: - Windows Event Log CertificateServicesClient 1007 search: '`certificateservices_lifecycle` EventCode=1007 | xmlkv UserData_Xml | stats @@ -55,7 +54,9 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/certificateservices-lifecycle.log - source: XmlWinEventLog:Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/certificateservices-lifecycle.log + source: + XmlWinEventLog:Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational sourcetype: XmlWinEventLog update_timestamp: true diff --git a/detections/endpoint/windows_file_share_discovery_with_powerview.yml b/detections/endpoint/windows_file_share_discovery_with_powerview.yml index 230d672891..6300157fa4 100644 --- a/detections/endpoint/windows_file_share_discovery_with_powerview.yml +++ b/detections/endpoint/windows_file_share_discovery_with_powerview.yml @@ -1,24 +1,29 @@ name: Windows File Share Discovery With Powerview id: a44c0be1-d7ab-41e4-92fd-aa9af4fe232c -version: 1 -date: '2023-03-20' +version: 2 +date: '2024-05-18' author: Mauricio Velazco, Splunk type: TTP status: production data_source: - Powershell Script Block Logging 4104 -description: The following analytic identifies the use of the Invoke-ShareFinder PowerShell commandlet part of PowerView. This module obtains the list of all - active domain computers and lists the active shares on each computer. Network file shares in Active Directory environments may contain sensitive information - like backups, scripts, credentials, etc. Adversaries who have obtained a foothold in an AD network may leverage PowerView to identify secrets and leverage them - for Privilege Escalation or Lateral Movement. -search: '`powershell` EventCode=4104 (ScriptBlockText=Invoke-ShareFinder*) - | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` +description: The following analytic detects the execution of the Invoke-ShareFinder + PowerShell cmdlet from PowerView. This detection leverages PowerShell Script Block + Logging to identify instances where this specific command is executed. Monitoring + this activity is crucial as it indicates an attempt to enumerate network file shares, + which may contain sensitive information such as backups, scripts, and credentials. + If confirmed malicious, this activity could enable an attacker to escalate privileges + or move laterally within the network, potentially compromising additional systems + and sensitive data. +search: '`powershell` EventCode=4104 (ScriptBlockText=Invoke-ShareFinder*) | stats + count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode + ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_file_share_discovery_with_powerview_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.= -known_false_positives: Security teams may leverage PowerView proactively to identify and remediate sensitive file shares. Filter as needed. +known_false_positives: Security teams may leverage PowerView proactively to identify + and remediate sensitive file shares. Filter as needed. references: - https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerView/powerview.ps1 - https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/ @@ -61,6 +66,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/powerview_sharefinder/windows-powershell.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/powerview_sharefinder/windows-powershell.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational - sourcetype: XmlWinEventLog \ No newline at end of file + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_file_transfer_protocol_in_non_common_process_path.yml b/detections/endpoint/windows_file_transfer_protocol_in_non_common_process_path.yml index e107be25c3..fc788f5756 100644 --- a/detections/endpoint/windows_file_transfer_protocol_in_non_common_process_path.yml +++ b/detections/endpoint/windows_file_transfer_protocol_in_non_common_process_path.yml @@ -1,23 +1,25 @@ name: Windows File Transfer Protocol In Non-Common Process Path id: 0f43758f-1fe9-470a-a9e4-780acc4d5407 -version: 1 -date: '2022-09-16' +version: 2 +date: '2024-05-23' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic identifies a possible windows application having - a FTP connection in a non common installation path in windows operating system.This - network protocol is being used by adversaries, threat actors and malware like AgentTesla - as a Command And Control communication to transfer its collected stolen information - like the desktop screenshots, browser information and system information of a targeted - or compromised host. +description: The following analytic detects FTP connections initiated by processes + located in non-standard installation paths on Windows systems. It leverages Sysmon + EventCode 3 to identify network connections where the process image path does not + match common directories like "Program Files" or "Windows\System32". This activity + is significant as FTP is often used by adversaries and malware, such as AgentTesla, + for Command and Control (C2) communications to exfiltrate stolen data. If confirmed + malicious, this could lead to unauthorized data transfer, exposing sensitive information + and compromising the integrity of the affected host. data_source: - Sysmon EventID 3 search: '`sysmon` EventCode=3 NOT(Image IN("*\\program files*", "*\\windows\\system32\\*","*\\windows\\SysWOW64\\*")) (DestinationPortName="ftp" OR DestinationPort=21) | stats count min(_time) as firstTime max(_time) as lastTime by Image DestinationPort DestinationPortName DestinationHostname - DestinationIp SourcePort SourcePortName Protocol SourceHostname dest user | - `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_file_transfer_protocol_in_non_common_process_path_filter`' + DestinationIp SourcePort SourcePortName Protocol SourceHostname dest user | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_file_transfer_protocol_in_non_common_process_path_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and sysmon eventcode = 3 connection events from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the @@ -65,7 +67,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/agent_tesla/agent_tesla_ftp/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/agent_tesla/agent_tesla_ftp/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_file_without_extension_in_critical_folder.yml b/detections/endpoint/windows_file_without_extension_in_critical_folder.yml index 531f194953..53286281b3 100644 --- a/detections/endpoint/windows_file_without_extension_in_critical_folder.yml +++ b/detections/endpoint/windows_file_without_extension_in_critical_folder.yml @@ -1,16 +1,17 @@ name: Windows File Without Extension In Critical Folder id: 0dbcac64-963c-11ec-bf04-acde48001122 -version: 1 -date: '2023-04-14' +version: 2 +date: '2024-05-22' author: Teoderick Contreras, Bhavin Patel, Splunk status: production type: TTP -description: This analytic is to look for suspicious file creation in the critical - folder like "System32\Drivers" folder without file extension. This artifacts was - seen in latest hermeticwiper where it drops its driver component in Driver Directory - both the compressed(without file extension) and the actual driver component (with - .sys file extension). This TTP is really a good indication that a host might be - compromised by this destructive malware that wipes the boot sector of the system. +description: The following analytic detects the creation of files without extensions + in critical folders like "System32\Drivers." It leverages data from the Endpoint.Filesystem + datamodel, focusing on file paths and creation times. This activity is significant + as it may indicate the presence of destructive malware, such as HermeticWiper, which + drops driver components in these directories. If confirmed malicious, this behavior + could lead to severe system compromise, including boot sector wiping, resulting + in potential data loss and system inoperability. data_source: - Sysmon EventID 11 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem @@ -66,6 +67,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/hermetic_wiper/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/hermetic_wiper/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml b/detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml index 896725f530..76c347c84d 100644 --- a/detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml +++ b/detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml @@ -1,21 +1,20 @@ name: Windows Files and Dirs Access Rights Modification Via Icacls id: c76b796c-27e1-4520-91c4-4a58695c749e -version: 1 -date: '2023-06-06' +version: 2 +date: '2024-05-21' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 1 -description: This analytic aims to identify potential adversaries who manipulate the - security permissions of specific files or directories. This technique is frequently - observed in the tradecraft of Advanced Persistent Threats (APTs) and coinminer scripts. - By modifying the security permissions, adversaries seek to evade detection and impede - access to their component files. Such actions indicate a deliberate effort to maintain - control over compromised systems and hinder investigation or remediation efforts. - Detecting these security permission changes can serve as a valuable indicator of - an ongoing attack and enable timely response to mitigate the impact of the adversary's - activities. +description: The following analytic identifies the modification of security permissions + on files or directories using tools like icacls.exe, cacls.exe, or xcacls.exe. It + leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific + command-line executions. This activity is significant as it is commonly used by + Advanced Persistent Threats (APTs) and coinminer scripts to evade detection and + maintain control over compromised systems. If confirmed malicious, this behavior + could allow attackers to hinder investigation, impede remediation efforts, and maintain + persistent access to the compromised environment. search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN( "icacls.exe", "cacls.exe","xcacls.exe") AND Processes.process IN ("*:R*", "*:W*", "*:F*", "*:C*",, @@ -79,6 +78,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/amadey/access_permission/amadey_sysmon2.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/amadey/access_permission/amadey_sysmon2.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_find_domain_organizational_units_with_getdomainou.yml b/detections/endpoint/windows_find_domain_organizational_units_with_getdomainou.yml index 42ba573c02..28a1e72c69 100644 --- a/detections/endpoint/windows_find_domain_organizational_units_with_getdomainou.yml +++ b/detections/endpoint/windows_find_domain_organizational_units_with_getdomainou.yml @@ -1,19 +1,29 @@ name: Windows Find Domain Organizational Units with GetDomainOU id: 0ada2f82-b7af-40cc-b1d7-1e5985afcb4e -version: 1 -date: '2023-08-31' +version: 2 +date: '2024-05-17' author: Gowthamaraj Rajendran, Mauricio Velazco, Splunk status: production type: TTP data_source: - Powershell Script Block Logging 4104 -description: This analytic leverages PowerShell Script Block Logging (EventCode=4104) to detect the execution of the `Get-DomainOU` commandlet. `Get-DomainOU` is a component of PowerView, a PowerShell toolkit designed for Windows domain enumeration. Identifying the use of `Get-DomainOU` is crucial as adversaries and Red Teams might employ it to gain insights into organizational units within Active Directory, potentially aiding in lateral movement or privilege escalation strategies. -search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-DomainOU*" - | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `windows_find_domain_organizational_units_with_getdomainou_filter`' -how_to_implement: The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -known_false_positives: Administrators may leverage PowerSploit tools for legitimate reasons, filter as needed. +description: The following analytic detects the execution of the `Get-DomainOU` cmdlet, + a part of the PowerView toolkit used for Windows domain enumeration. It leverages + PowerShell Script Block Logging (EventCode=4104) to identify this activity. Detecting + `Get-DomainOU` usage is significant as adversaries may use it to gather information + about organizational units within Active Directory, which can facilitate lateral + movement or privilege escalation. If confirmed malicious, this activity could allow + attackers to map the domain structure, aiding in further exploitation and persistence + within the network. +search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-DomainOU*" | stats count + min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer + UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_find_domain_organizational_units_with_getdomainou_filter`' +how_to_implement: The following Hunting analytic requires PowerShell operational logs + to be imported. Modify the powershell macro as needed to match the sourcetype or + add index. This analytic is specific to 4104, or PowerShell Script Block Logging. +known_false_positives: Administrators may leverage PowerSploit tools for legitimate + reasons, filter as needed. references: - https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainOU/ - https://attack.mitre.org/techniques/T1087/002/ @@ -24,8 +34,8 @@ tags: asset_type: Endpoint confidence: 50 impact: 50 - message: Suspicious PowerShell Get-DomainOU was identified on endpoint $dest$ - by user $user$. + message: Suspicious PowerShell Get-DomainOU was identified on endpoint $dest$ by + user $user$. mitre_attack_id: - T1087 - T1087.002 @@ -53,6 +63,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-powershell-DomainOU-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-powershell-DomainOU-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_find_interesting_acl_with_findinterestingdomainacl.yml b/detections/endpoint/windows_find_interesting_acl_with_findinterestingdomainacl.yml index c1d15ac066..5cf2bf2017 100644 --- a/detections/endpoint/windows_find_interesting_acl_with_findinterestingdomainacl.yml +++ b/detections/endpoint/windows_find_interesting_acl_with_findinterestingdomainacl.yml @@ -1,19 +1,28 @@ name: Windows Find Interesting ACL with FindInterestingDomainAcl id: e4a96dfd-667a-4487-b942-ccef5a1e81e8 -version: 1 -date: '2023-08-31' +version: 2 +date: '2024-05-28' author: Gowthamaraj Rajendran, Mauricio Velazco, Splunk status: production type: TTP data_source: - Powershell Script Block Logging 4104 -description: This analytic leverages PowerShell Script Block Logging (EventCode=4104) to detect the execution of the `Find-InterestingDomainAcl` commandlet. `Find-InterestingDomainAcl` is part of PowerView, a PowerShell toolkit designed for Windows domain enumeration. Detecting the use of `Find-InterestingDomainAcl` is crucial as adversaries and Red Teams might employ it to identify unusual or misconfigured Access Control Lists (ACLs) within the domain. Such ACLs can provide attackers with insights into potential privilege escalation opportunities or weak security postures within Active Directory. -search: '`powershell` EventCode=4104 ScriptBlockText = "*Find-InterestingDomainAcl*" - | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `windows_find_interesting_acl_with_findinterestingdomainacl_filter`' -how_to_implement: The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -known_false_positives: Administrators may leverage PowerSploit tools for legitimate reasons, filter as needed. +description: The following analytic detects the execution of the `Find-InterestingDomainAcl` + cmdlet, part of the PowerView toolkit, using PowerShell Script Block Logging (EventCode=4104). + This detection leverages logs to identify when this command is run, which is significant + as adversaries may use it to find misconfigured or unusual Access Control Lists + (ACLs) within a domain. If confirmed malicious, this activity could allow attackers + to identify privilege escalation opportunities or weak security configurations in + Active Directory, potentially leading to unauthorized access or further exploitation. +search: '`powershell` EventCode=4104 ScriptBlockText = "*Find-InterestingDomainAcl*" + | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText + Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_find_interesting_acl_with_findinterestingdomainacl_filter`' +how_to_implement: The following Hunting analytic requires PowerShell operational logs + to be imported. Modify the powershell macro as needed to match the sourcetype or + add index. This analytic is specific to 4104, or PowerShell Script Block Logging. +known_false_positives: Administrators may leverage PowerSploit tools for legitimate + reasons, filter as needed. references: - https://powersploit.readthedocs.io/en/latest/Recon/Find-InterestingDomainAcl/ - https://attack.mitre.org/techniques/T1087/002/ @@ -24,7 +33,8 @@ tags: asset_type: Endpoint confidence: 50 impact: 50 - message: Suspicious PowerShell Find-InterestingDomainAcl was identified on endpoint $dest$ by user $user$. + message: Suspicious PowerShell Find-InterestingDomainAcl was identified on endpoint + $dest$ by user $user$. mitre_attack_id: - T1087 - T1087.002 @@ -52,6 +62,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-powershell-interestingACL-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-powershell-interestingACL-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_findstr_gpp_discovery.yml b/detections/endpoint/windows_findstr_gpp_discovery.yml index 77d6e4f33f..92960180a5 100644 --- a/detections/endpoint/windows_findstr_gpp_discovery.yml +++ b/detections/endpoint/windows_findstr_gpp_discovery.yml @@ -1,20 +1,20 @@ name: Windows Findstr GPP Discovery id: 1631ac2d-f2a9-42fa-8a59-d6e210d472f5 -version: 1 -date: '2023-03-16' +version: 2 +date: '2024-05-29' author: Mauricio Velazco, Splunk type: TTP status: production data_source: - Sysmon EventID 1 -description: The following analytic identifies the use of the findstr command employed - to search for unsecured credentials Group Policy Preferences (GPP). GPP are tools - that allow administrators to create domain policies with embedded credentials. These - policies allow administrators to set local accounts. These group policies are stored - in SYSVOL on a domain controller. This means that any domain user can view the SYSVOL - share and decrypt the password (using the AES key that has been made public). While - Microsoft released a patch that impedes Administrators to create unsecure credentials, - existing Group Policy Preferences files with passwords are not removed from SYSVOL. +description: The following analytic detects the use of the findstr command to search + for unsecured credentials in Group Policy Preferences (GPP). It leverages data from + Endpoint Detection and Response (EDR) agents, focusing on command-line executions + involving findstr.exe with references to SYSVOL and cpassword. This activity is + significant because it indicates an attempt to locate and potentially decrypt embedded + credentials in GPP, which could lead to unauthorized access. If confirmed malicious, + this could allow an attacker to escalate privileges or gain access to sensitive + systems and data within the domain. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=findstr.exe AND Processes.process=*sysvol* AND Processes.process=*cpassword*) by Processes.dest @@ -80,6 +80,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.006/findstr_gpp_discovery/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.006/findstr_gpp_discovery/windows-security.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_forest_discovery_with_getforestdomain.yml b/detections/endpoint/windows_forest_discovery_with_getforestdomain.yml index fd45cb8e53..625c6836f4 100644 --- a/detections/endpoint/windows_forest_discovery_with_getforestdomain.yml +++ b/detections/endpoint/windows_forest_discovery_with_getforestdomain.yml @@ -1,19 +1,28 @@ name: Windows Forest Discovery with GetForestDomain id: a14803b2-4bd9-4c08-8b57-c37980edebe8 -version: 1 -date: '2023-08-31' +version: 2 +date: '2024-05-16' author: Gowthamaraj Rajendran, Mauricio Velazco, Splunk status: production type: TTP data_source: - Powershell Script Block Logging 4104 -description: This analytic utilizes PowerShell Script Block Logging (EventCode=4104) to detect the execution of the `Get-ForestDomain` commandlet. `Get-ForestDomain` is a component of PowerView, a PowerShell toolkit designed for Windows domain enumeration. Detecting the use of `Get-ForestDomain` is essential as adversaries and Red Teams might employ it to gain insights into the forest and domain configurations of an Active Directory environment. Such information can provide attackers with a broader understanding of the domain structure and potential avenues for lateral movement or privilege escalation. -search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-ForestDomain*" - | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `windows_forest_discovery_with_getforestdomain_filter`' -how_to_implement: The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -known_false_positives: Administrators may leverage PowerSploit tools for legitimate reasons, filter as needed. +description: The following analytic detects the execution of the `Get-ForestDomain` + cmdlet, a component of the PowerView toolkit used for Windows domain enumeration. + It leverages PowerShell Script Block Logging (EventCode=4104) to identify this activity. + Detecting `Get-ForestDomain` is significant because adversaries and Red Teams use + it to gather detailed information about Active Directory forest and domain configurations. + If confirmed malicious, this activity could enable attackers to understand the domain + structure, facilitating lateral movement or privilege escalation within the environment. +search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-ForestDomain*" | stats + count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText + Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_forest_discovery_with_getforestdomain_filter`' +how_to_implement: The following Hunting analytic requires PowerShell operational logs + to be imported. Modify the powershell macro as needed to match the sourcetype or + add index. This analytic is specific to 4104, or PowerShell Script Block Logging. +known_false_positives: Administrators may leverage PowerSploit tools for legitimate + reasons, filter as needed. references: - https://powersploit.readthedocs.io/en/latest/Recon/Get-ForestDomain/ - https://attack.mitre.org/techniques/T1087/002/ @@ -24,7 +33,8 @@ tags: asset_type: Endpoint confidence: 50 impact: 50 - message: Suspicious PowerShell Get-ForestDomain was identified on endpoint $dest$ by user $user$. + message: Suspicious PowerShell Get-ForestDomain was identified on endpoint $dest$ + by user $user$. mitre_attack_id: - T1087 - T1087.002 @@ -52,6 +62,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-powershell-ForestDomain-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-powershell-ForestDomain-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_gather_victim_host_information_camera.yml b/detections/endpoint/windows_gather_victim_host_information_camera.yml index b213ca5955..0db4ac23ef 100644 --- a/detections/endpoint/windows_gather_victim_host_information_camera.yml +++ b/detections/endpoint/windows_gather_victim_host_information_camera.yml @@ -1,26 +1,30 @@ name: Windows Gather Victim Host Information Camera id: e4df4676-ea41-4397-b160-3ee0140dc332 -version: 2 -date: '2023-11-07' +version: 3 +date: '2024-05-10' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects a powershell script that enumerate camera - mounted to the targeted host. This technique was seen in DCRat malware, where it - runs a powershell command to look for camera information that will be pass on to - its C2 server. This anomaly detection can be a good pivot to check who and why this - enumeration is needed and what parent process execute this powershell script command. +description: The following analytic detects a PowerShell script that enumerates camera + devices on the targeted host. This detection leverages PowerShell Script Block Logging, + specifically looking for commands querying Win32_PnPEntity for camera-related information. + This activity is significant as it is commonly observed in DCRat malware, which + collects camera data to send to its command-and-control server. If confirmed malicious, + this behavior could indicate an attempt to gather sensitive visual information from + the host, potentially leading to privacy breaches or further exploitation. data_source: - Powershell Script Block Logging 4104 search: '`powershell` EventCode=4104 ScriptBlockText= "* Win32_PnPEntity *" ScriptBlockText= "*SELECT*" ScriptBlockText= "*WHERE*" ScriptBlockText = "*PNPClass*" ScriptBlockText IN ("*Image*", "*Camera*") | stats count min(_time) as firstTime max(_time) as lastTime - by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `windows_gather_victim_host_information_camera_filter`' + by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename + UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_gather_victim_host_information_camera_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -known_false_positives: Administrators may execute this powershell command to get hardware information related to camera on $dest$. +known_false_positives: Administrators may execute this powershell command to get hardware + information related to camera on $dest$. references: - https://cert.gov.ua/article/405538 - https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat @@ -58,7 +62,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/dcrat_enum_camera/windows-powershell-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/dcrat_enum_camera/windows-powershell-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_gather_victim_identity_sam_info.yml b/detections/endpoint/windows_gather_victim_identity_sam_info.yml index ef7a117f63..98025e0495 100644 --- a/detections/endpoint/windows_gather_victim_identity_sam_info.yml +++ b/detections/endpoint/windows_gather_victim_identity_sam_info.yml @@ -1,15 +1,17 @@ name: Windows Gather Victim Identity SAM Info id: a18e85d7-8b98-4399-820c-d46a1ca3516f -version: 1 -date: '2022-08-24' +version: 2 +date: '2024-05-10' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic identifies a process that loads the samlib.dll - module. This module is being abused by adversaries, threat actors and red teamers - to access information of SAM objects or access credentials information in DC. This - hunting query can be a good indicator that a process is capable of accessing the - SAM object. +description: The following analytic detects processes loading the samlib.dll or samcli.dll + modules, which are often abused to access Security Account Manager (SAM) objects + or credentials on domain controllers. This detection leverages Sysmon EventCode + 7 to identify these DLLs being loaded outside typical system directories. Monitoring + this activity is crucial as it may indicate attempts to gather sensitive identity + information. If confirmed malicious, this behavior could allow attackers to obtain + credentials, escalate privileges, or further infiltrate the network. data_source: - Sysmon EventID 7 search: '`sysmon` EventCode=7 (ImageLoaded = "*\\samlib.dll" AND OriginalFileName @@ -32,8 +34,8 @@ tags: asset_type: Endpoint confidence: 30 impact: 30 - message: An instance of $dest$ that loads $ImageLoaded$ that are related to - accessing to SAM object information. + message: An instance of $dest$ that loads $ImageLoaded$ that are related to accessing + to SAM object information. mitre_attack_id: - T1589.001 - T1589 @@ -59,7 +61,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/loading_samlib/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/loading_samlib/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_gather_victim_network_info_through_ip_check_web_services.yml b/detections/endpoint/windows_gather_victim_network_info_through_ip_check_web_services.yml index 329e912c37..ed1ca881f8 100644 --- a/detections/endpoint/windows_gather_victim_network_info_through_ip_check_web_services.yml +++ b/detections/endpoint/windows_gather_victim_network_info_through_ip_check_web_services.yml @@ -1,23 +1,26 @@ name: Windows Gather Victim Network Info Through Ip Check Web Services id: 70f7c952-0758-46d6-9148-d8969c4481d1 -version: 2 -date: '2024-02-15' +version: 3 +date: '2024-05-14' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic identifies process that attempts to connect to - a known IP web services. This technique is commonly used by trickbot and other malware - to perform reconnaissance against the infected machine and look for its IP address. +description: The following analytic detects processes attempting to connect to known + IP check web services. This behavior is identified using Sysmon EventCode 22 logs, + specifically monitoring DNS queries to services like "wtfismyip.com" and "ipinfo.io". + This activity is significant as it is commonly used by malware, such as Trickbot, + for reconnaissance to determine the infected machine's IP address. If confirmed + malicious, this could allow attackers to gather network information, aiding in further + attacks or lateral movement within the network. data_source: - Sysmon EventID 22 -search: '`sysmon` EventCode=22 QueryName IN ("*wtfismyip.com", "*checkip.*", "*ipecho.net", "*ipinfo.io", - "*api.ipify.org", "*icanhazip.com", "*ip.anysrc.com","*api.ip.sb", "ident.me", "www.myexternalip.com", - "*zen.spamhaus.org", "*cbl.abuseat.org", "*b.barracudacentral.org", "*dnsbl-1.uceprotect.net", - "*spam.dnsbl.sorbs.net", "*iplogger.org*", "*ip-api.com*", "*geoip.*") - | stats min(_time) as firstTime max(_time) as lastTime count by Image ProcessId QueryName QueryStatus QueryResults EventCode Computer - | rename Computer as dest - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +search: '`sysmon` EventCode=22 QueryName IN ("*wtfismyip.com", "*checkip.*", "*ipecho.net", + "*ipinfo.io", "*api.ipify.org", "*icanhazip.com", "*ip.anysrc.com","*api.ip.sb", + "ident.me", "www.myexternalip.com", "*zen.spamhaus.org", "*cbl.abuseat.org", "*b.barracudacentral.org", + "*dnsbl-1.uceprotect.net", "*spam.dnsbl.sorbs.net", "*iplogger.org*", "*ip-api.com*", + "*geoip.*") | stats min(_time) as firstTime max(_time) as lastTime count by Image + ProcessId QueryName QueryStatus QueryResults EventCode Computer | rename Computer + as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_gather_victim_network_info_through_ip_check_web_services_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, dns query name process path , and query ststus from @@ -63,7 +66,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_get_adcomputer_unconstrained_delegation_discovery.yml b/detections/endpoint/windows_get_adcomputer_unconstrained_delegation_discovery.yml index b4ac05d7b3..872b578c88 100644 --- a/detections/endpoint/windows_get_adcomputer_unconstrained_delegation_discovery.yml +++ b/detections/endpoint/windows_get_adcomputer_unconstrained_delegation_discovery.yml @@ -1,20 +1,24 @@ name: Windows Get-AdComputer Unconstrained Delegation Discovery id: c8640777-469f-4638-ab44-c34a3233ffac -version: 2 -date: '2024-04-26' +version: 3 +date: '2024-05-13' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) - to identify the Get-ADComputer commandlet used with specific parameters to discover - Windows endpoints with Kerberos Unconstrained Delegation. Red Teams and adversaries - alike may leverage use this technique for situational awareness and Active Directory - Discovery. +description: The following analytic detects the use of the Get-ADComputer cmdlet with + parameters indicating a search for Windows endpoints with Kerberos Unconstrained + Delegation. It leverages PowerShell Script Block Logging (EventCode=4104) to identify + this specific activity. This behavior is significant as it may indicate an attempt + by adversaries or Red Teams to gain situational awareness and perform Active Directory + discovery. If confirmed malicious, this activity could allow attackers to identify + high-value targets for further exploitation, potentially leading to privilege escalation + or lateral movement within the network. data_source: - Powershell Script Block Logging 4104 -search: ' `powershell` EventCode=4104 (ScriptBlockText = "*Get-ADComputer*" AND ScriptBlockText = - "*TrustedForDelegation*") | stats count min(_time) as firstTime max(_time) as lastTime - by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` +search: ' `powershell` EventCode=4104 (ScriptBlockText = "*Get-ADComputer*" AND ScriptBlockText + = "*TrustedForDelegation*") | stats count min(_time) as firstTime max(_time) as + lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest + | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_get_adcomputer_unconstrained_delegation_discovery_filter`' how_to_implement: The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add @@ -54,12 +58,13 @@ tags: - EventCode - ScriptBlockText - Computer - - User + - UserID risk_score: 35 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/windows_get_adcomputer_unconstrained_delegation_discovery/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/windows_get_adcomputer_unconstrained_delegation_discovery/windows-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_get_local_admin_with_findlocaladminaccess.yml b/detections/endpoint/windows_get_local_admin_with_findlocaladminaccess.yml index 0ef82b749c..d77f2be686 100644 --- a/detections/endpoint/windows_get_local_admin_with_findlocaladminaccess.yml +++ b/detections/endpoint/windows_get_local_admin_with_findlocaladminaccess.yml @@ -1,22 +1,29 @@ name: Windows Get Local Admin with FindLocalAdminAccess id: d2988160-3ce9-4310-b59d-905334920cdd -version: 1 -date: '2023-08-31' +version: 2 +date: '2024-05-22' author: Gowthamaraj Rajendran, Mauricio Velazco, Splunk status: production type: TTP data_source: - Powershell Script Block Logging 4104 -description: This analytic leverages PowerShell Script Block Logging (EventCode=4104) to detect the execution of the `Find-LocalAdminAccess` commandlet. `Find-LocalAdminAccess` is part of PowerView, a PowerShell toolkit designed for Windows domain enumeration. Detecting the use of `Find-LocalAdminAccess` is vital as adversaries and Red Teams might employ it to identify machines where the current user context has local administrator access. Such information can provide attackers with potential targets for lateral movement or privilege escalation within the network. -search: '`powershell` EventCode=4104 ScriptBlockText = "*Find-LocalAdminAccess*" - | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_get_local_admin_with_findlocaladminaccess_filter`' +description: The following analytic detects the execution of the `Find-LocalAdminAccess` + cmdlet using PowerShell Script Block Logging (EventCode=4104). This cmdlet is part + of PowerView, a toolkit for Windows domain enumeration. Identifying the use of `Find-LocalAdminAccess` + is crucial as adversaries may use it to find machines where the current user has + local administrator access, facilitating lateral movement or privilege escalation. + If confirmed malicious, this activity could allow attackers to target and compromise + additional systems within the network, significantly increasing their control and + access to sensitive information. +search: '`powershell` EventCode=4104 ScriptBlockText = "*Find-LocalAdminAccess*" | + stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText + Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_get_local_admin_with_findlocaladminaccess_filter`' how_to_implement: The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -known_false_positives: Administrators may leverage PowerSploit tools for legitimate reasons, filter as needed. +known_false_positives: Administrators may leverage PowerSploit tools for legitimate + reasons, filter as needed. references: - https://powersploit.readthedocs.io/en/latest/Recon/Find-LocalAdminAccess/ - https://attack.mitre.org/techniques/T1087/002/ @@ -27,8 +34,8 @@ tags: asset_type: Endpoint confidence: 50 impact: 50 - message: Suspicious PowerShell Find-LocalAdminAccess was identified on endpoint $dest$ - by user $user$. + message: Suspicious PowerShell Find-LocalAdminAccess was identified on endpoint + $dest$ by user $user$. mitre_attack_id: - T1087 - T1087.002 @@ -56,6 +63,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-powershell-LocalAdminAccess-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-powershell-LocalAdminAccess-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_group_policy_object_created.yml b/detections/endpoint/windows_group_policy_object_created.yml index c2f1c30233..16771eae70 100644 --- a/detections/endpoint/windows_group_policy_object_created.yml +++ b/detections/endpoint/windows_group_policy_object_created.yml @@ -1,21 +1,20 @@ name: Windows Group Policy Object Created id: 23add2a8-ea22-4fd4-8bc0-8c0b822373a1 -version: 1 -date: '2023-03-27' +version: 2 +date: '2024-05-17' author: Mauricio Velazco status: production type: TTP data_source: - Windows Event Log Security 5136 - Windows Event Log Security 5137 -description: The following analytic leverages Event IDs 5136 and 51137 to identify - the creation of a new Group Policy Object. With GPOs, system administrators can - manage and configure applications, software operations, and user settings throughout - an entire organization. GPOs can be abused and leveraged by adversaries to escalate - privileges or deploy malware across an Active Directory network. As an example, - the Lockbit ransomware malware will create new group policies on the domain controller - that are then pushed out to every device on the network. Security teams should monitor - the creation of new Group Policy Objects. +description: The following analytic detects the creation of a new Group Policy Object + (GPO) by leveraging Event IDs 5136 and 5137. This detection uses directory service + change events to identify when a new GPO is created. Monitoring GPO creation is + crucial as adversaries can exploit GPOs to escalate privileges or deploy malware + across an Active Directory network. If confirmed malicious, this activity could + allow attackers to control system configurations, deploy ransomware, or propagate + malware, leading to widespread compromise and significant operational disruption. search: ' `wineventlog_security` EventCode=5137 OR (EventCode=5136 AttributeValue!="New Group Policy Object" AND (AttributeLDAPDisplayName=displayName OR AttributeLDAPDisplayName=gPCFileSysPath) ) ObjectClass=groupPolicyContainer | stats values(AttributeValue) as details values(SubjectUserSid) @@ -71,6 +70,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_created/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_created/windows-security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_hidden_schedule_task_settings.yml b/detections/endpoint/windows_hidden_schedule_task_settings.yml index 073d1c0d32..ba483a22a0 100644 --- a/detections/endpoint/windows_hidden_schedule_task_settings.yml +++ b/detections/endpoint/windows_hidden_schedule_task_settings.yml @@ -1,11 +1,18 @@ name: Windows Hidden Schedule Task Settings id: 0b730470-5fe8-4b13-93a7-fe0ad014d0cc -version: 1 -date: '2023-04-14' +version: 2 +date: '2024-05-28' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects creation of hidden scheculed tasks such that it this task is not visible on the UI. Such behavior is indicative of certain malware, such as Industroyer2, or attacks leveraging living-off-the-land binaries (LOLBINs) to download additional payloads to a compromised machine. This analytic relies on the Windows Security EventCode 4698, indicating the creation of a scheduled task. The search focuses on identifying instances where the 'Hidden' setting is enabled, signaling potential nefarious activity. To implement this search, you need to ingest logs with task scheduling details from your endpoints. As false positives are currently unknown, it is advised to tune and filter based on the known use of task scheduling in your environment. This analytic provides crucial visibility into stealthy, potentially harmful scheduled tasks on Windows systems. +description: The following analytic detects the creation of hidden scheduled tasks + on Windows systems, which are not visible in the UI. It leverages Windows Security + EventCode 4698 to identify tasks where the 'Hidden' setting is enabled. This behavior + is significant as it may indicate malware activity, such as Industroyer2, or the + use of living-off-the-land binaries (LOLBINs) to download additional payloads. If + confirmed malicious, this activity could allow attackers to execute code stealthily, + maintain persistence, or further compromise the system by downloading additional + malicious payloads. data_source: - Windows Event Log Security 4698 search: '`wineventlog_security` EventCode=4698 | xmlkv Message | search Hidden = true @@ -55,6 +62,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053/hidden_schedule_task/security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053/hidden_schedule_task/security.log source: WinEventLog:Security sourcetype: WinEventLog diff --git a/detections/endpoint/windows_hide_notification_features_through_registry.yml b/detections/endpoint/windows_hide_notification_features_through_registry.yml index cba318106a..27f2dd8bb8 100644 --- a/detections/endpoint/windows_hide_notification_features_through_registry.yml +++ b/detections/endpoint/windows_hide_notification_features_through_registry.yml @@ -1,16 +1,17 @@ name: Windows Hide Notification Features Through Registry id: cafa4bce-9f06-11ec-a7b2-acde48001122 -version: 3 -date: '2023-04-27' +version: 4 +date: '2024-05-26' author: Steven Dick, Teoderick Contreras, Splunk status: production type: Anomaly -description: This analytic is to detect a suspicious registry modification to hide - common windows notification feature from compromised host. This technique was seen - in some ransomware family to add more impact to its payload that are visually seen - by user aside from the encrypted files and ransomware notes. Even this a good anomaly - detection, administrator may implement this changes for auditing or security reason. - In this scenario filter is needed. +description: The following analytic detects suspicious registry modifications aimed + at hiding common Windows notification features on a compromised host. It leverages + data from the Endpoint.Registry data model, focusing on specific registry paths + and values. This activity is significant as it is often used by ransomware to obscure + visual indicators, increasing the impact of the attack. If confirmed malicious, + this could prevent users from noticing critical system alerts, thereby aiding the + attacker in maintaining persistence and furthering their malicious activities undetected. data_source: - Sysmon EventID 12 - Sysmon EventID 13 @@ -18,9 +19,10 @@ search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\*" Registry.registry_value_name IN ("HideClock", "HideSCAHealth", "HideSCANetwork", "HideSCAPower", "HideSCAVolume") Registry.registry_value_data = "0x00000001") BY - _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name - Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `windows_hide_notification_features_through_registry_filter`' + _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name + Registry.registry_value_name Registry.registry_value_data Registry.process_guid + | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_hide_notification_features_through_registry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical @@ -61,6 +63,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/ransomware_disable_reg/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/ransomware_disable_reg/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_high_file_deletion_frequency.yml b/detections/endpoint/windows_high_file_deletion_frequency.yml index c9a123204f..8e3e59f1e3 100644 --- a/detections/endpoint/windows_high_file_deletion_frequency.yml +++ b/detections/endpoint/windows_high_file_deletion_frequency.yml @@ -1,26 +1,35 @@ name: Windows High File Deletion Frequency id: 45b125c4-866f-11eb-a95a-acde48001122 -version: 2 -date: '2024-03-05' +version: 3 +date: '2024-05-18' author: Teoderick Contreras, Splunk, Steven Dick status: production type: Anomaly -description: This search identifies a high frequency of file deletions relative to the process - name and process ID. Such events typically occur when ransomware attempts to encrypt - files with specific extensions, leading Sysmon to treat the original files - as deleted as soon as they are replaced with encrypted data. +description: The following analytic identifies a high frequency of file deletions + by monitoring Sysmon EventCodes 23 and 26 for specific file extensions. This detection + leverages Sysmon logs to track deleted target filenames, process names, and process + IDs. Such activity is significant as it often indicates ransomware behavior, where + files are encrypted and the originals are deleted. If confirmed malicious, this + activity could lead to extensive data loss and operational disruption, as ransomware + can render critical files inaccessible, demanding a ransom for their recovery. data_source: - Sysmon EventID 23 - Sysmon EventID 26 -search: '`sysmon` EventCode IN ("23","26") TargetFilename IN ("*.cmd", "*.ini","*.gif", "*.jpg", "*.jpeg", "*.db", "*.ps1", "*.doc", "*.docx", "*.xls", "*.xlsx", "*.ppt", "*.pptx", "*.bmp","*.zip", "*.rar", "*.7z", "*.chm", "*.png", "*.log", "*.vbs", "*.js", "*.vhd", "*.bak", "*.wbcat", "*.bkf" , "*.backup*", "*.dsk", "*.win") NOT TargetFilename IN ("*\\INetCache\\Content.Outlook\\*") - | stats count, values(TargetFilename) as deleted_files, min(_time) as firstTime, max(_time) as lastTime by user, dest, signature, signature_id, Image, process_name, process_guid - | rename Image as process - | where count >=100 - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +search: '`sysmon` EventCode IN ("23","26") TargetFilename IN ("*.cmd", "*.ini","*.gif", + "*.jpg", "*.jpeg", "*.db", "*.ps1", "*.doc", "*.docx", "*.xls", "*.xlsx", "*.ppt", + "*.pptx", "*.bmp","*.zip", "*.rar", "*.7z", "*.chm", "*.png", "*.log", "*.vbs", + "*.js", "*.vhd", "*.bak", "*.wbcat", "*.bkf" , "*.backup*", "*.dsk", "*.win") NOT + TargetFilename IN ("*\\INetCache\\Content.Outlook\\*") | stats count, values(TargetFilename) + as deleted_files, min(_time) as firstTime, max(_time) as lastTime by user, dest, + signature, signature_id, Image, process_name, process_guid | rename Image as process + | where count >=100 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_high_file_deletion_frequency_filter`' -how_to_implement: To successfully implement this search, you need to ingest logs that include the deleted target file name, process name, and process ID from your endpoints. If you are using Sysmon, ensure you have at least version 2.0 of the Sysmon TA installed. -known_false_positives: Users may delete a large number of pictures or files in a folder, which could trigger this detection. Additionally, heavy usage of PowerBI and Outlook may also result in false positives. +how_to_implement: To successfully implement this search, you need to ingest logs that + include the deleted target file name, process name, and process ID from your endpoints. + If you are using Sysmon, ensure you have at least version 2.0 of the Sysmon TA installed. +known_false_positives: Users may delete a large number of pictures or files in a folder, + which could trigger this detection. Additionally, heavy usage of PowerBI and Outlook + may also result in false positives. references: - https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft - https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html @@ -36,7 +45,8 @@ tags: asset_type: Endpoint confidence: 80 impact: 90 - message: Elevated file deletion rate observed from process [$process_name$] on machine $dest$ + message: Elevated file deletion rate observed from process [$process_name$] on machine + $dest$ mitre_attack_id: - T1485 observable: @@ -55,7 +65,7 @@ tags: - name: process_name type: Process role: - - Attacker + - Attacker product: - Splunk Enterprise - Splunk Enterprise Security @@ -73,6 +83,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_a/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_a/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog \ No newline at end of file + sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml b/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml index db76da9959..c65837e084 100644 --- a/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml +++ b/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml @@ -1,17 +1,18 @@ name: Windows Hijack Execution Flow Version Dll Side Load id: 8351340b-ac0e-41ec-8b07-dd01bf32d6ea -version: 1 -date: '2022-08-24' +version: 2 +date: '2024-05-15' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This analytic is to detect a process loading version.dll that is not - in %windir%\\system32 or %windir%\\syswow64 dir path. This event is seen in ransomware - and APT malware that executes malicious version.dll placed in the same folder of - onedrive application that will execute that module. This technique is known to be - DLL side loading. This technique was used to execute an agent of Brute Ratel C4 - red teaming tools to serve as remote admin tool to collect and compromise target - host. +description: The following analytic detects a process loading a version.dll file from + a directory other than %windir%\system32 or %windir%\syswow64. This detection leverages + Sysmon EventCode 7 to identify instances where an unsigned or improperly located + version.dll is loaded. This activity is significant as it is a common technique + used in ransomware and APT malware campaigns, including Brute Ratel C4, to execute + malicious code via DLL side loading. If confirmed malicious, this could allow attackers + to execute arbitrary code, maintain persistence, and potentially compromise the + target host. data_source: - Sysmon EventID 7 search: '`sysmon` EventCode=7 ImageLoaded = "*\\version.dll" AND (Signed = "false" @@ -58,7 +59,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/iso_version_dll_campaign/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/iso_version_dll_campaign/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_hunting_system_account_targeting_lsass.yml b/detections/endpoint/windows_hunting_system_account_targeting_lsass.yml index 94614cdbec..13c7c899e9 100644 --- a/detections/endpoint/windows_hunting_system_account_targeting_lsass.yml +++ b/detections/endpoint/windows_hunting_system_account_targeting_lsass.yml @@ -1,15 +1,17 @@ name: Windows Hunting System Account Targeting Lsass id: 1c6abb08-73d1-11ec-9ca0-acde48001122 -version: 1 -date: '2023-12-27' +version: 2 +date: '2024-05-20' author: Michael Haag, Splunk status: production type: Hunting -description: The following hunting analytic identifies all processes requesting access - into Lsass.exe. his behavior may be related to credential dumping or applications - requiring access to credentials. Triaging this event will require understanding - the GrantedAccess from the SourceImage. In addition, whether the account is privileged - or not. Review the process requesting permissions and review parallel processes. +description: The following analytic identifies processes attempting to access Lsass.exe, + which may indicate credential dumping or applications needing credential access. + It leverages Sysmon EventCode 10 to detect such activities by analyzing fields like + TargetImage, GrantedAccess, and SourceImage. This behavior is significant as unauthorized + access to Lsass.exe can lead to credential theft, posing a severe security risk. + If confirmed malicious, attackers could gain access to sensitive credentials, potentially + leading to privilege escalation and further compromise of the environment. data_source: - Sysmon EventID 10 search: '`sysmon` EventCode=10 TargetImage=*lsass.exe | stats count min(_time) as @@ -68,6 +70,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon_creddump.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon_creddump.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_identify_protocol_handlers.yml b/detections/endpoint/windows_identify_protocol_handlers.yml index 2e3ce8bb68..00d46a92f7 100644 --- a/detections/endpoint/windows_identify_protocol_handlers.yml +++ b/detections/endpoint/windows_identify_protocol_handlers.yml @@ -1,25 +1,26 @@ name: Windows Identify Protocol Handlers id: bd5c311e-a6ea-48ae-a289-19a3398e3648 -version: 2 -date: '2022-09-13' +version: 3 +date: '2024-05-26' author: Michael Haag, Splunk status: production type: Hunting -description: 'The following hunting analytic will identify any protocol handlers utilized - on the command-line. A protocol handler is an application that knows how to handle - particular types of links: for example, a mail client is a protocol handler for - "mailto:" links. When the user clicks a "mailto:" link, the browser opens the application - selected as the handler for the "mailto:" protocol (or offers them a choice of handlers, - depending on their settings). To identify protocol handlers we can use NirSoft https://www.nirsoft.net/utils/url_protocol_view.html - URLProtocolView or query the registry using PowerShell.' +description: 'The following analytic identifies the use of protocol handlers executed + via the command line. It leverages data from Endpoint Detection and Response (EDR) + agents, focusing on process and command-line telemetry. This activity is significant + because protocol handlers can be exploited to execute arbitrary commands or launch + applications, potentially leading to unauthorized actions. If confirmed malicious, + an attacker could use this technique to gain code execution, escalate privileges, + or maintain persistence within the environment, posing a significant security risk.' data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as process values(Processes.parent_process) - as parent_process from datamodel=Endpoint.Processes by Processes.dest Processes.parent_process_name Processes.user - Processes.process_name Processes.process | `security_content_ctime(firstTime)` | - `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | lookup windows_protocol_handlers - handler AS process OUTPUT handler ishandler | where ishandler="TRUE" | `windows_identify_protocol_handlers_filter`' + as parent_process from datamodel=Endpoint.Processes by Processes.dest Processes.parent_process_name + Processes.user Processes.process_name Processes.process | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | lookup + windows_protocol_handlers handler AS process OUTPUT handler ishandler | where ishandler="TRUE" + | `windows_identify_protocol_handlers_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -90,7 +91,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/protocol_handlers/protocolhandlers.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/protocol_handlers/protocolhandlers.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_iis_components_add_new_module.yml b/detections/endpoint/windows_iis_components_add_new_module.yml index 6a160a2077..48273b9ffe 100644 --- a/detections/endpoint/windows_iis_components_add_new_module.yml +++ b/detections/endpoint/windows_iis_components_add_new_module.yml @@ -1,16 +1,18 @@ name: Windows IIS Components Add New Module id: 38fe731c-1f13-43d4-b878-a5bbe44807e3 -version: 1 -date: '2022-12-19' +version: 2 +date: '2024-05-27' author: Michael Haag, Splunk status: production type: Anomaly -description: The following analytic identifies the process AppCmd.exe installing a - new module into IIS. AppCmd is a utility to manage IIS web sites and App Pools. - An adversary may run this command to install a webshell or backdoor. This has been - found to be used for credit card scraping, persistence, and further post-exploitation. - An administrator may run this to install new modules for a web site or during IIS - updates. +description: The following analytic detects the execution of AppCmd.exe to install + a new module in IIS. This detection leverages data from Endpoint Detection and Response + (EDR) agents, focusing on process names and command-line executions. This activity + is significant as adversaries may use it to install webshells or backdoors, leading + to credit card scraping, persistence, and further post-exploitation. If confirmed + malicious, this could allow attackers to maintain persistent access, execute arbitrary + code, and potentially exfiltrate sensitive information from the compromised web + server. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -88,7 +90,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/appcmd_install-windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/appcmd_install-windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_iis_components_module_failed_to_load.yml b/detections/endpoint/windows_iis_components_module_failed_to_load.yml index c83ffff4a7..bf64fbbb77 100644 --- a/detections/endpoint/windows_iis_components_module_failed_to_load.yml +++ b/detections/endpoint/windows_iis_components_module_failed_to_load.yml @@ -1,15 +1,18 @@ name: Windows IIS Components Module Failed to Load id: 40c2ba5b-dd6a-496b-9e6e-c9524d0be167 -version: 1 -date: '2022-12-20' +version: 2 +date: '2024-05-15' author: Michael Haag, Splunk status: production type: Anomaly -description: The following analytic utilizes EventCode 2282 which generates when a - Module DLL could not be loaded due to a configuration problem. This typically occurs - when a IIS module is installed but is failing to load. This typically results in - thousands of events until the issue is resolved. Review the module that is failing - and determine if it is legitimate or not. +description: The following analytic detects when an IIS Module DLL fails to load due + to a configuration problem, identified by EventCode 2282. This detection leverages + Windows Application event logs to identify repeated failures in loading IIS modules. + Such failures can indicate misconfigurations or potential tampering with IIS components. + If confirmed malicious, this activity could lead to service disruptions or provide + an attacker with opportunities to exploit vulnerabilities within the IIS environment. + Immediate investigation is required to determine the legitimacy of the failing module + and to mitigate any potential security risks. data_source: - Windows Event Log Application 2282 search: '`wineventlog_application` EventCode=2282 | stats count min(_time) as firstTime @@ -57,7 +60,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/2282_windows-application.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/2282_windows-application.log source: XmlWinEventLog:Application sourcetype: XmlWinEventLog update_timestamp: true diff --git a/detections/endpoint/windows_iis_components_new_module_added.yml b/detections/endpoint/windows_iis_components_new_module_added.yml index c5a1fdaa7d..753d10b9bf 100644 --- a/detections/endpoint/windows_iis_components_new_module_added.yml +++ b/detections/endpoint/windows_iis_components_new_module_added.yml @@ -1,19 +1,17 @@ name: Windows IIS Components New Module Added id: 55f22929-cfd3-4388-ba5c-4d01fac7ee7e -version: 1 -date: '2022-12-19' +version: 2 +date: '2024-05-12' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic uses the Windows Event log - Microsoft-IIS-Configuration/Operational - - which must be enabled and logged on Windows IIS servers before it can be Splunked. - The following analytic identifies newly installed IIS modules. Per Microsoft, IIS - modules are not commonly added to a production IIS server, so alerting on this event - ID should be enabled.IIS modules can be installed at a global level or at a site - level. In detecting malicious IIS modules, it is important to check both the global - and site level for unauthorized modules. Regular monitoring of these locations for - such modules and comparing against a known good list can help detect and identify - malicious IIS modules. +description: The following analytic detects the addition of new IIS modules on a Windows + IIS server. It leverages the Windows Event log - Microsoft-IIS-Configuration/Operational, + specifically EventCode 29, to identify this activity. This behavior is significant + because IIS modules are rarely added to production servers, and unauthorized modules + could indicate malicious activity. If confirmed malicious, an attacker could use + these modules to execute arbitrary code, escalate privileges, or maintain persistence + within the environment, potentially compromising the server and sensitive data. data_source: - Windows IIS 29 search: '`iis_operational_logs` EventCode=29 | stats count min(_time) as firstTime @@ -62,7 +60,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/IIS-Configuration-Operational.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/IIS-Configuration-Operational.log source: IIS:Configuration:Operational sourcetype: IIS:Configuration:Operational update_timestamp: true diff --git a/detections/endpoint/windows_impair_defense_add_xml_applocker_rules.yml b/detections/endpoint/windows_impair_defense_add_xml_applocker_rules.yml index c07f96bc62..210a52c970 100644 --- a/detections/endpoint/windows_impair_defense_add_xml_applocker_rules.yml +++ b/detections/endpoint/windows_impair_defense_add_xml_applocker_rules.yml @@ -1,14 +1,17 @@ name: Windows Impair Defense Add Xml Applocker Rules id: 467ed9d9-8035-470e-ad5e-ae5189283033 -version: 1 -date: '2022-06-24' +version: 2 +date: '2024-05-23' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic is to identify a process that imports applocker - xml policy using PowerShell commandlet. This technique was seen in Azorult malware - where it drop an xml Applocker policy that will deny several AV products and further - executed the PowerShell Applocker commandlet. +description: The following analytic detects the use of a PowerShell commandlet to + import an AppLocker XML policy. This behavior is identified by monitoring processes + that execute the "Import-Module Applocker" and "Set-AppLockerPolicy" commands with + the "-XMLPolicy" parameter. This activity is significant because it can indicate + an attempt to disable or bypass security controls, as seen in the Azorult malware. + If confirmed malicious, this could allow an attacker to disable antivirus products, + leading to further compromise and persistence within the environment. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` values(Processes.process) as process @@ -64,7 +67,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_impair_defense_change_win_defender_health_check_intervals.yml b/detections/endpoint/windows_impair_defense_change_win_defender_health_check_intervals.yml index e344f42a85..40bb659bcf 100644 --- a/detections/endpoint/windows_impair_defense_change_win_defender_health_check_intervals.yml +++ b/detections/endpoint/windows_impair_defense_change_win_defender_health_check_intervals.yml @@ -1,28 +1,27 @@ name: Windows Impair Defense Change Win Defender Health Check Intervals id: 5211c260-820e-4366-b983-84bbfb5c263a -version: 1 -date: '2024-01-08' +version: 2 +date: '2024-05-15' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 12 - Sysmon EventID 13 -description: The following analytic identifies a modification in the Windows registry to change the health check interval of Windows Defender. - Specifically, a value of 1 typically signifies that Windows Defender would perform health checks at a much higher frequency than the default settings. - However, it's important to note that modifying this value to 1 might not necessarily conform to the actual behavior, as certain registry settings may - have specific accepted values or a defined range that differs from a simple binary representation. - Changing registry values, especially those related to system services, should be approached cautiously. - Incorrect modifications can potentially impact system stability or performance. Always ensure you understand the implications and - have a backup before altering registry settings. +description: The following analytic detects modifications to the Windows registry + that change the health check interval of Windows Defender. It leverages data from + the Endpoint datamodel, specifically monitoring changes to the "ServiceKeepAlive" + registry path with a value of "0x00000001". This activity is significant because + altering Windows Defender settings can impair its ability to perform timely health + checks, potentially leaving the system vulnerable. If confirmed malicious, this + could allow an attacker to disable or delay security scans, increasing the risk + of undetected malware or other malicious activities. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\ServiceKeepAlive" - Registry.registry_value_data="0x00000001" - by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest - | `drop_dm_object_name(Registry)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_impair_defense_change_win_defender_health_check_intervals_filter`' + as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows + Defender\\ServiceKeepAlive" Registry.registry_value_data="0x00000001" by Registry.registry_key_name + Registry.user Registry.registry_path Registry.registry_value_data Registry.action + Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_impair_defense_change_win_defender_health_check_intervals_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. @@ -66,6 +65,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog \ No newline at end of file + sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_impair_defense_change_win_defender_quick_scan_interval.yml b/detections/endpoint/windows_impair_defense_change_win_defender_quick_scan_interval.yml index d3cf063d45..5f43c86c9f 100644 --- a/detections/endpoint/windows_impair_defense_change_win_defender_quick_scan_interval.yml +++ b/detections/endpoint/windows_impair_defense_change_win_defender_quick_scan_interval.yml @@ -1,26 +1,26 @@ name: Windows Impair Defense Change Win Defender Quick Scan Interval id: 783f0798-f679-4c17-b3b3-187febf0b9b8 -version: 1 -date: '2024-01-08' +version: 2 +date: '2024-05-27' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 12 - Sysmon EventID 13 -description: The following analytic identifies a modification in the Windows registry to change Windows Defender - Quick Scan Interval. The "QuickScanInterval" in Windows Defender, specifically within the context of antivirus software, - typically refers to the interval or frequency at which the system conducts quick scans for malware or potential threats. - This setting dictates how often Windows Defender performs quick scans on the system. Quick scans are less comprehensive - than full system scans but provide a faster way to check critical areas for potential threats or malware. - This registry setting is being abuse by several threat actors, adversaries and red teamers to bypasses Windows defender detections. +description: The following analytic detects modifications to the Windows registry + that change the Windows Defender Quick Scan Interval. It leverages data from the + Endpoint.Registry data model, focusing on changes to the "QuickScanInterval" registry + path. This activity is significant because altering the scan interval can impair + Windows Defender's ability to detect malware promptly, potentially allowing threats + to persist undetected. If confirmed malicious, this modification could enable attackers + to bypass security measures, maintain persistence, and execute further malicious + activities without being detected by quick scans. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\Scan\\QuickScanInterval" - by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest - | `drop_dm_object_name(Registry)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_impair_defense_change_win_defender_quick_scan_interval_filter`' + as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows + Defender\\Scan\\QuickScanInterval" by Registry.registry_key_name Registry.user Registry.registry_path + Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_change_win_defender_quick_scan_interval_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. @@ -64,6 +64,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog \ No newline at end of file + sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_impair_defense_change_win_defender_throttle_rate.yml b/detections/endpoint/windows_impair_defense_change_win_defender_throttle_rate.yml index b35f125047..7112af78f7 100644 --- a/detections/endpoint/windows_impair_defense_change_win_defender_throttle_rate.yml +++ b/detections/endpoint/windows_impair_defense_change_win_defender_throttle_rate.yml @@ -1,27 +1,27 @@ name: Windows Impair Defense Change Win Defender Throttle Rate id: f7da5fca-9261-43de-a4d0-130dad1e4f4d -version: 1 -date: '2024-01-08' +version: 2 +date: '2024-05-27' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 12 - Sysmon EventID 13 -description: The following analytic identifies a modification in the Windows registry to change the ThrottleDetectionEventsRate of Windows Defender. - The ThrottleDetectionEventsRate registry setting in Windows Defender is related to controlling the rate at which detection events are logged or - reported by Windows Defender Antivirus. - This registry setting determines how frequently Windows Defender logs or reports detection events. Adjusting the ThrottleDetectionEventsRate value - can impact the logging frequency of detection events such as malware detections, scanning results, or security-related events recorded by Windows Defender. - A higher value might mean that detection events are reported less frequently, potentially reducing the volume of recorded events, while a lower value could - increase the reporting frequency, resulting in more frequent logs of detection events. +description: The following analytic detects modifications to the ThrottleDetectionEventsRate + registry setting in Windows Defender. It leverages data from the Endpoint.Registry + datamodel to identify changes in the registry path related to Windows Defender's + event logging rate. This activity is significant because altering the ThrottleDetectionEventsRate + can reduce the frequency of logged detection events, potentially masking malicious + activities. If confirmed malicious, this could allow an attacker to evade detection + by decreasing the visibility of security events, thereby hindering incident response + and forensic investigations. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\NIS\\Consumers\\IPS\\ThrottleDetectionEventsRate" - by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest - | `drop_dm_object_name(Registry)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_impair_defense_change_win_defender_throttle_rate_filter`' + as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows + Defender\\NIS\\Consumers\\IPS\\ThrottleDetectionEventsRate" by Registry.registry_key_name + Registry.user Registry.registry_path Registry.registry_value_data Registry.action + Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_impair_defense_change_win_defender_throttle_rate_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. @@ -65,6 +65,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog \ No newline at end of file + sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_impair_defense_change_win_defender_tracing_level.yml b/detections/endpoint/windows_impair_defense_change_win_defender_tracing_level.yml index ed5c7a5b7c..1e2532cf69 100644 --- a/detections/endpoint/windows_impair_defense_change_win_defender_tracing_level.yml +++ b/detections/endpoint/windows_impair_defense_change_win_defender_tracing_level.yml @@ -1,30 +1,27 @@ name: Windows Impair Defense Change Win Defender Tracing Level id: fe9391cd-952a-4c64-8f56-727cb0d4f2d4 -version: 1 -date: '2024-01-08' +version: 2 +date: '2024-05-13' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 12 - Sysmon EventID 13 -description: The following analytic identifies a modification in the Windows registry to change the Windows Defender Wpp Tracing levels. - The "WppTracingLevel" registry setting is typically related to Windows software tracing and diagnostics, specifically involving - Windows Software Trace Preprocessor (WPP) tracing. - WPP tracing is a mechanism used by developers to instrument code for diagnostic purposes, allowing for the collection of detailed logs - and traces during software execution. It helps in understanding the behavior of the software, identifying issues, and analyzing its performance. - Without specific documentation or references to "WppTracingLevel" within Windows Defender settings or its functionalities, it's challenging - to provide precise details about its intended use or configuration within Windows Defender. - Modifying registry settings without understanding their implications can affect system behavior or security. Always proceed cautiously - and ensure changes align with best practices and organizational requirements. +description: The following analytic detects modifications to the Windows registry + specifically targeting the "WppTracingLevel" setting within Windows Defender. This + detection leverages data from the Endpoint.Registry data model to identify changes + in the registry path associated with Windows Defender tracing levels. Such modifications + are significant as they can impair the diagnostic capabilities of Windows Defender, + potentially hiding malicious activities. If confirmed malicious, this activity could + allow an attacker to evade detection and maintain persistence within the environment, + leading to further compromise and data exfiltration. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\Reporting\\WppTracingLevel" - Registry.registry_value_data="0x00000001" - by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest - | `drop_dm_object_name(Registry)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_impair_defense_change_win_defender_tracing_level_filter`' + as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows + Defender\\Reporting\\WppTracingLevel" Registry.registry_value_data="0x00000001" + by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data + Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_impair_defense_change_win_defender_tracing_level_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. @@ -68,6 +65,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_impair_defense_configure_app_install_control.yml b/detections/endpoint/windows_impair_defense_configure_app_install_control.yml index 22ebdbaf9d..d9c06e6d65 100644 --- a/detections/endpoint/windows_impair_defense_configure_app_install_control.yml +++ b/detections/endpoint/windows_impair_defense_configure_app_install_control.yml @@ -1,28 +1,29 @@ name: Windows Impair Defense Configure App Install Control id: c54b7439-cfb1-44c3-bb35-b0409553077c -version: 1 -date: '2024-01-08' +version: 2 +date: '2024-05-22' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 12 - Sysmon EventID 13 -description: The following analytic identifies a modification in the Windows registry to change or disable Windows Defender - smartscreen app install control. Microsoft Edge's App Install Control feature helps manage the installation of web-based applications. - When attackers modify "ConfigureAppInstallControlEnabled" to 0, they are likely attempting to disable the App Install Control feature - in Microsoft Edge. This change might allow users to bypass restrictions imposed by the browser on the installation of web-based applications. - Disabling this feature might increase the risk of users being able to install potentially malicious or untrusted web applications without - restrictions or controls imposed by the browser. This action could potentially lead to security vulnerabilities or compromise if users - inadvertently install harmful applications. +description: The following analytic detects modifications to the Windows registry + that disable the Windows Defender SmartScreen App Install Control feature. It leverages + data from the Endpoint.Registry data model to identify changes to specific registry + values. This activity is significant because disabling App Install Control can allow + users to install potentially malicious web-based applications without restrictions, + increasing the risk of security vulnerabilities. If confirmed malicious, this action + could lead to the installation of harmful applications, potentially compromising + the system and exposing sensitive information. search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry - WHERE (Registry.registry_path= "*\\Microsoft\\Windows Defender\\SmartScreen\\ConfigureAppInstallControl" Registry.registry_value_data= "Anywhere") OR - (Registry.registry_path= "*\\Microsoft\\Windows Defender\\SmartScreen\\ConfigureAppInstallControlEnabled" Registry.registry_value_data= "0x00000000") - BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid - | `drop_dm_object_name(Registry)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_impair_defense_configure_app_install_control_filter`' + WHERE (Registry.registry_path= "*\\Microsoft\\Windows Defender\\SmartScreen\\ConfigureAppInstallControl" + Registry.registry_value_data= "Anywhere") OR (Registry.registry_path= "*\\Microsoft\\Windows + Defender\\SmartScreen\\ConfigureAppInstallControlEnabled" Registry.registry_value_data= + "0x00000000") BY _time span=1h Registry.dest Registry.user Registry.registry_path + Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data + Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_impair_defense_configure_app_install_control_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. @@ -40,7 +41,8 @@ tags: asset_type: Endpoint confidence: 70 impact: 70 - message: Define Windows Defender App Install Control registry set to disable on $dest$. + message: Define Windows Defender App Install Control registry set to disable on + $dest$. mitre_attack_id: - T1562.001 - T1562 @@ -66,6 +68,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_impair_defense_define_win_defender_threat_action.yml b/detections/endpoint/windows_impair_defense_define_win_defender_threat_action.yml index 13dc8facef..209ba10f7d 100644 --- a/detections/endpoint/windows_impair_defense_define_win_defender_threat_action.yml +++ b/detections/endpoint/windows_impair_defense_define_win_defender_threat_action.yml @@ -1,28 +1,27 @@ name: Windows Impair Defense Define Win Defender Threat Action id: 7215831c-8252-4ae3-8d43-db588e82f952 -version: 1 -date: '2024-01-08' +version: 2 +date: '2024-05-31' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 12 - Sysmon EventID 13 -description: The following analytic identifies a modification in the Windows registry to define the threat action of Windows Defender. - The ThreatSeverityDefaultAction registry setting in Windows Defender is used to define the default action taken by Windows Defender - when it encounters threats of specific severity levels. - A setting like ThreatSeverityDefaultAction is designed to define how Windows Defender responds to threats based on their severity. - For example, it might determine whether Windows Defender quarantines, removes, or takes other actions against threats based on their severity levels. - In this context, a registry value of 1 typically indicates an action to "clean," aiming to disinfect or resolve the detected threat, - while a registry value of 9 signifies "no action," meaning that the antivirus software refrains from taking immediate steps against the identified threat. +description: The following analytic detects modifications to the Windows Defender + ThreatSeverityDefaultAction registry setting. It leverages data from the Endpoint.Registry + datamodel to identify changes in registry values that define how Windows Defender + responds to threats. This activity is significant because altering these settings + can impair the system's defense mechanisms, potentially allowing threats to go unaddressed. + If confirmed malicious, this could enable attackers to bypass antivirus protections, + leading to persistent threats and increased risk of data compromise or further system + exploitation. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\Threats\\ThreatSeverityDefaultAction*" - Registry.registry_value_data IN ("0x00000001", "9") - by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest - | `drop_dm_object_name(Registry)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_impair_defense_define_win_defender_threat_action_filter`' + as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows + Defender\\Threats\\ThreatSeverityDefaultAction*" Registry.registry_value_data IN + ("0x00000001", "9") by Registry.registry_key_name Registry.user Registry.registry_path + Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_define_win_defender_threat_action_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. @@ -66,6 +65,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_impair_defense_delete_win_defender_context_menu.yml b/detections/endpoint/windows_impair_defense_delete_win_defender_context_menu.yml index 37116639d0..028057a2a4 100644 --- a/detections/endpoint/windows_impair_defense_delete_win_defender_context_menu.yml +++ b/detections/endpoint/windows_impair_defense_delete_win_defender_context_menu.yml @@ -1,16 +1,18 @@ name: Windows Impair Defense Delete Win Defender Context Menu id: 395ed5fe-ad13-4366-9405-a228427bdd91 -version: 1 -date: '2022-06-07' +version: 2 +date: '2024-05-11' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The search looks for the deletion of Windows Defender context menu within - the registry. This is consistent behavior with RAT malware across a fleet of endpoints. - This particular behavior is executed when an adversary gains access to an endpoint - and begins to perform execution. Usually, a batch (.bat) will be executed and multiple - registry and scheduled task modifications will occur. During triage, review parallel - processes and identify any further file modifications. +description: The following analytic detects the deletion of the Windows Defender context + menu entry from the registry. It leverages data from the Endpoint datamodel, specifically + monitoring registry actions where the path includes "*\\shellex\\ContextMenuHandlers\\EPP" + and the action is 'deleted'. This activity is significant as it is commonly associated + with Remote Access Trojan (RAT) malware attempting to disable security features. + If confirmed malicious, this could allow an attacker to impair defenses, facilitating + further malicious activities such as unauthorized access, persistence, and data + exfiltration. data_source: - Sysmon EventID 12 - Sysmon EventID 13 @@ -63,7 +65,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/delete_win_defender_context_menu/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/delete_win_defender_context_menu/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_impair_defense_delete_win_defender_profile_registry.yml b/detections/endpoint/windows_impair_defense_delete_win_defender_profile_registry.yml index 04db697641..d6b47becd8 100644 --- a/detections/endpoint/windows_impair_defense_delete_win_defender_profile_registry.yml +++ b/detections/endpoint/windows_impair_defense_delete_win_defender_profile_registry.yml @@ -1,16 +1,18 @@ name: Windows Impair Defense Delete Win Defender Profile Registry id: 65d4b105-ec52-48ec-ac46-289d0fbf7d96 -version: 1 -date: '2022-06-07' +version: 2 +date: '2024-05-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The search looks for the deletion of Windows Defender main profile within - the registry. This was used by RAT malware across a fleet of endpoints. This particular - behavior is typically executed when an adversary gains access to an endpoint and - beings to perform execution. Usually, a batch (.bat) will be executed and multiple - registry and scheduled task modifications will occur. During triage, review parallel - processes and identify any further file modifications. +description: The following analytic detects the deletion of the Windows Defender main + profile registry key. It leverages data from the Endpoint.Registry datamodel, specifically + monitoring for deleted actions within the Windows Defender registry path. This activity + is significant as it indicates potential tampering with security defenses, often + associated with Remote Access Trojans (RATs) and other malware. If confirmed malicious, + this action could allow an attacker to disable Windows Defender, reducing the system's + ability to detect and respond to further malicious activities, thereby compromising + endpoint security. data_source: - Sysmon EventID 12 - Sysmon EventID 13 @@ -63,7 +65,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/delete_win_defender_context_menu/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/delete_win_defender_context_menu/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_impair_defense_deny_security_software_with_applocker.yml b/detections/endpoint/windows_impair_defense_deny_security_software_with_applocker.yml index 3dc1fef0ab..a40b2650a8 100644 --- a/detections/endpoint/windows_impair_defense_deny_security_software_with_applocker.yml +++ b/detections/endpoint/windows_impair_defense_deny_security_software_with_applocker.yml @@ -1,15 +1,18 @@ name: Windows Impair Defense Deny Security Software With Applocker id: e0b6ca60-9e29-4450-b51a-bba0abae2313 -version: 1 -date: '2022-06-24' +version: 2 +date: '2024-05-09' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic identifies a modification in the Windows registry - by the Applocker utility that contains details or registry data values related to - denying the execution of several security products. This technique was seen in Azorult - malware where it drops an xml Applocker policy that will deny several AV products - and then loaded by using PowerShell Applocker commandlet. +description: The following analytic detects modifications in the Windows registry + by the Applocker utility that deny the execution of various security products. This + detection leverages data from the Endpoint.Registry datamodel, focusing on specific + registry paths and values indicating a "Deny" action against known antivirus and + security software. This activity is significant as it may indicate an attempt to + disable security defenses, a tactic observed in malware like Azorult. If confirmed + malicious, this could allow attackers to bypass security measures, facilitating + further malicious activities and persistence within the environment. data_source: - Sysmon EventID 12 - Sysmon EventID 13 @@ -72,7 +75,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_impair_defense_disable_controlled_folder_access.yml b/detections/endpoint/windows_impair_defense_disable_controlled_folder_access.yml index 452ac260f4..4fd31eb924 100644 --- a/detections/endpoint/windows_impair_defense_disable_controlled_folder_access.yml +++ b/detections/endpoint/windows_impair_defense_disable_controlled_folder_access.yml @@ -1,27 +1,27 @@ name: Windows Impair Defense Disable Controlled Folder Access id: 3032741c-d6fc-4c69-8988-be8043d6478c -version: 1 -date: '2024-01-08' +version: 2 +date: '2024-05-29' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 12 - Sysmon EventID 13 -description: The following analytic identifies a modification in the Windows registry to disable Windows Defender - Controlled Folder Access feature. The EnableControlledFolderAccess registry setting is associated with the Controlled - Folder Access feature in Windows Defender. Controlled Folder Access is a security feature designed to protect certain - folders from unauthorized access or modification by malicious applications, including ransomware. - When EnableControlledFolderAccess is set to 0, it usually indicates that the Controlled Folder Access feature - within Windows Defender is not active. Consequently, the protection mechanism for the specified folders against - unauthorized access by potentially malicious applications or ransomware is not enabled. +description: The following analytic detects a modification in the Windows registry + that disables the Windows Defender Controlled Folder Access feature. It leverages + data from the Endpoint.Registry data model, specifically monitoring changes to the + EnableControlledFolderAccess registry setting. This activity is significant because + Controlled Folder Access is designed to protect critical folders from unauthorized + access, including ransomware attacks. If this activity is confirmed malicious, it + could allow attackers to bypass a key security feature, potentially leading to unauthorized + access or modification of sensitive files. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\Windows Defender Exploit Guard\\Controlled Folder Access\\EnableControlledFolderAccess" - Registry.registry_value_data="0x00000000" - by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest - | `drop_dm_object_name(Registry)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` + as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows + Defender\\Windows Defender Exploit Guard\\Controlled Folder Access\\EnableControlledFolderAccess" + Registry.registry_value_data="0x00000000" by Registry.registry_key_name Registry.user + Registry.registry_path Registry.registry_value_data Registry.action Registry.dest + | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_controlled_folder_access_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from @@ -66,6 +66,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog \ No newline at end of file + sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_impair_defense_disable_defender_firewall_and_network.yml b/detections/endpoint/windows_impair_defense_disable_defender_firewall_and_network.yml index 8fe39a685b..ce1d9979f6 100644 --- a/detections/endpoint/windows_impair_defense_disable_defender_firewall_and_network.yml +++ b/detections/endpoint/windows_impair_defense_disable_defender_firewall_and_network.yml @@ -1,27 +1,27 @@ name: Windows Impair Defense Disable Defender Firewall And Network id: 8467d8cd-b0f9-46fa-ac84-a30ad138983e -version: 1 -date: '2024-01-08' +version: 2 +date: '2024-05-19' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 12 - Sysmon EventID 13 -description: The following analytic identifies a modification in the Windows registry to disable firewall - and network protection section settings of windows security. The specific impact of this change depends - on the context and the purpose behind modifying this registry value. In general, setting UILockdown to 1 - might imply enforcing a restriction or lockdown in the user interface (UI) related to firewall and network - protection settings within Windows Defender Security Center. This could potentially restrict users from modifying - certain firewall or network protection settings through the UI. +description: The following analytic detects modifications in the Windows registry + to disable firewall and network protection settings within Windows Defender Security + Center. It leverages data from the Endpoint.Registry data model, specifically monitoring + changes to the UILockdown registry value. This activity is significant as it may + indicate an attempt to impair system defenses, potentially restricting users from + modifying firewall or network protection settings. If confirmed malicious, this + could allow an attacker to weaken the system's security posture, making it more + vulnerable to further attacks and unauthorized access. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender Security Center\\Firewall and network protection\\UILockdown" - Registry.registry_value_data="0x00000001" - by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest - | `drop_dm_object_name(Registry)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_impair_defense_disable_defender_firewall_and_network_filter`' + as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows + Defender Security Center\\Firewall and network protection\\UILockdown" Registry.registry_value_data="0x00000001" + by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data + Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_defender_firewall_and_network_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. @@ -39,7 +39,8 @@ tags: asset_type: Endpoint confidence: 70 impact: 70 - message: Windows Defender firewall and network protection section feature set to disable on $dest$. + message: Windows Defender firewall and network protection section feature set to + disable on $dest$. mitre_attack_id: - T1562.001 - T1562 @@ -65,6 +66,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_impair_defense_disable_defender_protocol_recognition.yml b/detections/endpoint/windows_impair_defense_disable_defender_protocol_recognition.yml index d69afcad10..4ecad8e241 100644 --- a/detections/endpoint/windows_impair_defense_disable_defender_protocol_recognition.yml +++ b/detections/endpoint/windows_impair_defense_disable_defender_protocol_recognition.yml @@ -1,27 +1,27 @@ name: Windows Impair Defense Disable Defender Protocol Recognition id: b2215bfb-6171-4137-af17-1a02fdd8d043 -version: 1 -date: '2024-01-08' +version: 2 +date: '2024-05-24' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 12 - Sysmon EventID 13 -description: The following analytic identifies a modification in the Windows registry to disable Windows Defender - protocol recognition feature. The DisableProtocolRecognition setting in Windows Defender is not a commonly known - or documented registry setting. It's possible that this specific setting might not exist within the standard - Windows Defender configurations or that it might be specific to certain environments, versions, or configurations. - It might potentially control or influence the antivirus software's ability to recognize and handle specific protocols - or communication methods used by malware or suspicious software. +description: The following analytic detects modifications to the Windows registry + that disable the Windows Defender protocol recognition feature. It leverages data + from the Endpoint.Registry data model, specifically looking for changes to the "DisableProtocolRecognition" + setting. This activity is significant because disabling protocol recognition can + hinder Windows Defender's ability to detect and respond to malware or suspicious + software. If confirmed malicious, this action could allow an attacker to bypass + antivirus defenses, facilitating further malicious activities such as data exfiltration + or system compromise. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\NIS\\DisableProtocolRecognition" - Registry.registry_value_data="0x00000001" - by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest - | `drop_dm_object_name(Registry)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_impair_defense_disable_defender_protocol_recognition_filter`' + as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows + Defender\\NIS\\DisableProtocolRecognition" Registry.registry_value_data="0x00000001" + by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data + Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_defender_protocol_recognition_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. @@ -65,6 +65,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_impair_defense_disable_pua_protection.yml b/detections/endpoint/windows_impair_defense_disable_pua_protection.yml index ab55ef1d3a..645c85539e 100644 --- a/detections/endpoint/windows_impair_defense_disable_pua_protection.yml +++ b/detections/endpoint/windows_impair_defense_disable_pua_protection.yml @@ -1,29 +1,27 @@ name: Windows Impair Defense Disable PUA Protection id: fbfef407-cfee-4866-88c1-f8de1c16147c -version: 1 -date: '2024-01-08' +version: 2 +date: '2024-05-24' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 12 - Sysmon EventID 13 -description: The following analytic identifies a modification in the Windows registry to disable Windows Defender - PUA protection. - Setting PUAProtection to 0 typically disables the detection and protection against Potentially Unwanted Applications - by Microsoft Defender Antivirus. Potentially Unwanted Applications include software that may not be inherently - malicious but could exhibit behaviors that users may find undesirable, such as adware, browser toolbars, or software bundlers. - Disabling this feature might be preferred in certain situations, but it's essential to consider potential security implications. - Enabling PUA protection provides an additional layer of defense against software that might negatively impact user experience - or security. +description: The following analytic detects a modification in the Windows registry + to disable Windows Defender PUA protection by setting PUAProtection to 0. This detection + leverages data from the Endpoint.Registry datamodel, focusing on registry path changes + related to Windows Defender. Disabling PUA protection is significant as it reduces + defenses against Potentially Unwanted Applications (PUAs), which, while not always + malicious, can negatively impact user experience and security. If confirmed malicious, + this activity could allow an attacker to introduce adware, browser toolbars, or + other unwanted software, potentially compromising system integrity and user productivity. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\PUAProtection" - Registry.registry_value_data="0x00000000" - by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest - | `drop_dm_object_name(Registry)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_impair_defense_disable_pua_protection_filter`' + as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows + Defender\\PUAProtection" Registry.registry_value_data="0x00000000" by Registry.registry_key_name + Registry.user Registry.registry_path Registry.registry_value_data Registry.action + Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_pua_protection_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. @@ -67,6 +65,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_impair_defense_disable_realtime_signature_delivery.yml b/detections/endpoint/windows_impair_defense_disable_realtime_signature_delivery.yml index 307965ad1f..09bbfd21f9 100644 --- a/detections/endpoint/windows_impair_defense_disable_realtime_signature_delivery.yml +++ b/detections/endpoint/windows_impair_defense_disable_realtime_signature_delivery.yml @@ -1,27 +1,27 @@ name: Windows Impair Defense Disable Realtime Signature Delivery id: ffd99aea-542f-448e-b737-091c1b417274 -version: 1 -date: '2024-01-08' +version: 2 +date: '2024-05-14' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 12 - Sysmon EventID 13 -description: The following analytic identifies a modification in the Windows registry to disable windows defender - realtime signature delivery feature. This setting governs how Windows Defender Antivirus receives updated signature - definitions for identifying and combating malware threats in real-time. The actual impact and behaviors associated - with different values for RealtimeSignatureDelivery can vary based on specific Windows Defender configurations and policies. - For instance, setting this value to 0 or 1 might control whether real-time signatures are delivered via different methods - such as through Windows Update or directly from Microsoft's cloud-based services. +description: The following analytic detects modifications to the Windows registry + that disable the Windows Defender real-time signature delivery feature. It leverages + data from the Endpoint.Registry data model, specifically monitoring changes to the + registry path associated with Windows Defender signature updates. This activity + is significant because disabling real-time signature delivery can prevent Windows + Defender from receiving timely malware definitions, reducing its effectiveness. + If confirmed malicious, this action could allow attackers to bypass malware detection, + leading to potential system compromise and persistent threats. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\Signature Updates\\RealtimeSignatureDelivery" - Registry.registry_value_data="0x00000000" - by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest - | `drop_dm_object_name(Registry)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_impair_defense_disable_realtime_signature_delivery_filter`' + as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows + Defender\\Signature Updates\\RealtimeSignatureDelivery" Registry.registry_value_data="0x00000000" + by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data + Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_realtime_signature_delivery_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. @@ -65,6 +65,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_impair_defense_disable_web_evaluation.yml b/detections/endpoint/windows_impair_defense_disable_web_evaluation.yml index db5ee0a77d..ca0db28199 100644 --- a/detections/endpoint/windows_impair_defense_disable_web_evaluation.yml +++ b/detections/endpoint/windows_impair_defense_disable_web_evaluation.yml @@ -1,31 +1,27 @@ name: Windows Impair Defense Disable Web Evaluation id: e234970c-dcf5-4f80-b6a9-3a562544ca5b -version: 1 -date: '2024-01-08' +version: 2 +date: '2024-05-27' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 12 - Sysmon EventID 13 -description: The following analytic identifies a modification in the Windows registry to disable Windows Defender - web content evaluation. The "EnableWebContentEvaluation" registry entry typically relates to security settings - within Microsoft Edge or Internet Explorer, enabling the evaluation of web content for security purposes. - When attackers modify "EnableWebContentEvaluation" to 0, they might attempt to disable the browser's - capability to evaluate web content for security purposes. Disabling this feature could potentially impact - the browser's ability to assess the security risks associated with web content, such as potentially malicious scripts, - active content, or unsafe web elements. - By turning off content evaluation, attackers might aim to exploit security vulnerabilities present in web content without - triggering security warnings or blocks. This manipulation increases the risk of users accessing or interacting with malicious - content, potentially leading to security compromises or system exploitation. +description: The following analytic detects modifications to the Windows registry + entry "EnableWebContentEvaluation" to disable Windows Defender web content evaluation. + It leverages data from the Endpoint.Registry datamodel, specifically monitoring + changes where the registry value is set to "0x00000000". This activity is significant + as it indicates an attempt to impair browser security features, potentially allowing + malicious web content to bypass security checks. If confirmed malicious, this could + lead to users interacting with harmful scripts or unsafe web elements, increasing + the risk of system exploitation and security breaches. search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry - WHERE Registry.registry_path= "*\\Windows\\CurrentVersion\\AppHost\\EnableWebContentEvaluation" Registry.registry_value_data= "0x00000000" - BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name - Registry.registry_value_data Registry.process_guid - | `drop_dm_object_name(Registry)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_impair_defense_disable_web_evaluation_filter`' + WHERE Registry.registry_path= "*\\Windows\\CurrentVersion\\AppHost\\EnableWebContentEvaluation" Registry.registry_value_data= + "0x00000000" BY _time span=1h Registry.dest Registry.user Registry.registry_path + Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data + Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_web_evaluation_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. @@ -69,6 +65,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_app_guard.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_app_guard.yml index b56927f230..02f4147feb 100644 --- a/detections/endpoint/windows_impair_defense_disable_win_defender_app_guard.yml +++ b/detections/endpoint/windows_impair_defense_disable_win_defender_app_guard.yml @@ -1,29 +1,26 @@ name: Windows Impair Defense Disable Win Defender App Guard id: 8b700d7e-54ad-4d7d-81cc-1456c4703306 -version: 1 -date: '2024-01-08' +version: 2 +date: '2024-05-28' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 12 - Sysmon EventID 13 -description: The following analytic identifies a modification in the Windows registry to disable Windows Defender - audit application guard. - Microsoft Defender Application Guard provides enhanced security by isolating potentially malicious documents and - websites in a containerized environment, protecting the system against various threats. Auditing and logging are - essential components of security measures, providing visibility into activities within the isolated environment. - Disabling auditing events within Application Guard might not be a standard or recommended practice since auditing - is crucial for security monitoring and threat detection within the isolated container. However, there might be - settings or configurations related to audit policies in the broader Windows Defender or operating system settings. - This registry setting is being abuse by several threat actors, adversaries and red teamers to bypasses Windows defender detections. +description: The following analytic detects modifications to the Windows registry + that disable Windows Defender Application Guard auditing. It leverages data from + the Endpoint.Registry data model, focusing on specific registry paths and values. + This activity is significant because disabling auditing can hinder security monitoring + and threat detection within the isolated environment, making it easier for malicious + activities to go unnoticed. If confirmed malicious, this action could allow attackers + to bypass Windows Defender protections, potentially leading to unauthorized access, + data exfiltration, or further system compromise. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Policies\\Microsoft\\AppHVSI\\AuditApplicationGuard" - Registry.registry_value_data="0x00000000" - by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest - | `drop_dm_object_name(Registry)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` + Registry.registry_value_data="0x00000000" by Registry.registry_key_name Registry.user + Registry.registry_path Registry.registry_value_data Registry.action Registry.dest + | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_win_defender_app_guard_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from @@ -68,6 +65,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_compute_file_hashes.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_compute_file_hashes.yml index 90cce17ec9..1f6f7f35c6 100644 --- a/detections/endpoint/windows_impair_defense_disable_win_defender_compute_file_hashes.yml +++ b/detections/endpoint/windows_impair_defense_disable_win_defender_compute_file_hashes.yml @@ -1,26 +1,27 @@ name: Windows Impair Defense Disable Win Defender Compute File Hashes id: fe52c280-98bd-4596-b6f6-a13bbf8ac7c6 -version: 1 -date: '2024-01-08' +version: 2 +date: '2024-05-10' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 12 - Sysmon EventID 13 -description: The following analytic identifies a modification in the Windows registry to disable Windows Defender file hashes computation. - The EnableFileHashComputation registry setting likely pertains to whether Windows Defender's MpEngine (Malware Protection Engine) computes - file hashes. Setting this value to 0 might disable the file hash computation feature within Windows Defender, which could affect certain - malware detection or scanning functionalities that rely on file hash analysis. This registry setting is being abuse by several threat actors, adversaries - and red teamers to bypasses Windows defender detections. +description: The following analytic detects modifications to the Windows registry + that disable Windows Defender's file hash computation by setting the EnableFileHashComputation + value to 0. This detection leverages data from the Endpoint.Registry data model, + focusing on changes to the specific registry path associated with Windows Defender. + Disabling file hash computation can significantly impair Windows Defender's ability + to detect and scan for malware, making it a critical behavior to monitor. If confirmed + malicious, this activity could allow attackers to bypass Windows Defender, facilitating + undetected malware execution and persistence in the environment. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\MpEngine\\EnableFileHashComputation" - Registry.registry_value_data="0x00000000" - by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest - | `drop_dm_object_name(Registry)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_impair_defense_disable_win_defender_compute_file_hashes_filter`' + as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows + Defender\\MpEngine\\EnableFileHashComputation" Registry.registry_value_data="0x00000000" + by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data + Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_win_defender_compute_file_hashes_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. @@ -64,6 +65,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_gen_reports.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_gen_reports.yml index 65c2e5d4d7..13250a24ee 100644 --- a/detections/endpoint/windows_impair_defense_disable_win_defender_gen_reports.yml +++ b/detections/endpoint/windows_impair_defense_disable_win_defender_gen_reports.yml @@ -1,27 +1,27 @@ name: Windows Impair Defense Disable Win Defender Gen reports id: 93f114f6-cb1e-419b-ac3f-9e11a3045e70 -version: 1 -date: '2024-01-08' +version: 2 +date: '2024-05-14' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 12 - Sysmon EventID 13 -description: The following analytic identifies a modification in the Windows registry to disable Windows Defender - generic ports. This registry can disable the sending of Watson events in Windows Defender. This is by preventing - the transmission of generic or non-specific error reports to Microsoft's Windows Error Reporting service, - commonly known as Watson. This kind of setting could potentially be employed to limit or control the data sent to - Microsoft for error analysis, often in scenarios where privacy or specific reporting requirements are in place. - This registry setting is being abuse by several threat actors, adversaries and red teamers to bypasses Windows defender detections. +description: The following analytic detects modifications in the Windows registry + to disable Windows Defender generic reports. It leverages data from the Endpoint.Registry + data model, specifically monitoring changes to the "DisableGenericRePorts" registry + value. This activity is significant as it can prevent the transmission of error + reports to Microsoft's Windows Error Reporting service, potentially hiding malicious + activities. If confirmed malicious, this action could allow attackers to bypass + Windows Defender detections, reducing the visibility of their activities and increasing + the risk of undetected system compromise. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\Reporting\\DisableGenericRePorts" - Registry.registry_value_data="0x00000001" - by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest - | `drop_dm_object_name(Registry)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_impair_defense_disable_win_defender_gen_reports_filter`' + as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows + Defender\\Reporting\\DisableGenericRePorts" Registry.registry_value_data="0x00000001" + by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data + Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_win_defender_gen_reports_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. @@ -65,6 +65,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog \ No newline at end of file + sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_network_protection.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_network_protection.yml index b8f4dbf87a..3829d5bca7 100644 --- a/detections/endpoint/windows_impair_defense_disable_win_defender_network_protection.yml +++ b/detections/endpoint/windows_impair_defense_disable_win_defender_network_protection.yml @@ -1,26 +1,27 @@ name: Windows Impair Defense Disable Win Defender Network Protection id: 8b6c15c7-5556-463d-83c7-986326c21f12 -version: 1 -date: '2024-01-08' +version: 2 +date: '2024-05-29' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 12 - Sysmon EventID 13 -description: The following analytic identifies a modification in the Windows registry to disable Windows Defender - exploit guard network protection. The EnableNetworkProtection registry entry controls the activation or deactivation - of Network Protection within Windows Defender Exploit Guard. When set to 1, it typically signifies that Network Protection - is enabled, offering additional security measures against network-based threats by analyzing and blocking potentially - malicious network activity. This registry setting is being abuse by several threat actors, adversaries - and red teamers to bypasses Windows defender detections. +description: The following analytic detects modifications to the Windows registry + that disable Windows Defender Network Protection. It leverages data from the Endpoint.Registry + data model, specifically monitoring changes to the EnableNetworkProtection registry + entry. This activity is significant because disabling Network Protection can leave + the system vulnerable to network-based threats by preventing Windows Defender from + analyzing and blocking malicious network activity. If confirmed malicious, this + action could allow attackers to bypass security measures, potentially leading to + unauthorized access, data exfiltration, or further compromise of the network. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\Windows Defender Exploit Guard\\Network Protection\\EnableNetworkProtection" - Registry.registry_value_data="0x00000000" - by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest - | `drop_dm_object_name(Registry)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` + as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows + Defender\\Windows Defender Exploit Guard\\Network Protection\\EnableNetworkProtection" + Registry.registry_value_data="0x00000000" by Registry.registry_key_name Registry.user + Registry.registry_path Registry.registry_value_data Registry.action Registry.dest + | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_win_defender_network_protection_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from @@ -65,6 +66,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_report_infection.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_report_infection.yml index 29a66289be..7796d1d06b 100644 --- a/detections/endpoint/windows_impair_defense_disable_win_defender_report_infection.yml +++ b/detections/endpoint/windows_impair_defense_disable_win_defender_report_infection.yml @@ -1,26 +1,26 @@ name: Windows Impair Defense Disable Win Defender Report Infection id: 201946c6-b1d5-42bb-a7e0-5f7123f47fc4 -version: 1 -date: '2024-01-08' +version: 2 +date: '2024-05-23' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 12 - Sysmon EventID 13 -description: The following analytic identifies a modification in the Windows registry to disable windows defender - report infection information. Setting this registry key to 1, Instructs Windows Defender not to report detailed - information about infections or threats detected on the system to Microsoft. Enabling this setting might limit - or prevent the transmission of specific data related to infections, such as details about the detected malware, - to Microsoft's servers for analysis or logging purposes. - This registry is being abused by adversaries, threat actors and red-teamers to bypasses Windows Defender detections. +description: The following analytic detects modifications to the Windows registry + that disable Windows Defender's infection reporting. It leverages data from the + Endpoint.Registry datamodel, specifically monitoring changes to the "DontReportInfectionInformation" + registry key. This activity is significant because it can prevent Windows Defender + from reporting detailed threat information to Microsoft, potentially allowing malware + to evade detection. If confirmed malicious, this action could enable attackers to + bypass security measures, maintain persistence, and avoid detection, leading to + prolonged unauthorized access and potential data breaches. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Microsoft\\MRT\\DontReportInfectionInformation" - Registry.registry_value_data="0x00000001" - by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest - | `drop_dm_object_name(Registry)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` + Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user + Registry.registry_path Registry.registry_value_data Registry.action Registry.dest + | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_win_defender_report_infection_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from @@ -39,7 +39,8 @@ tags: asset_type: Endpoint confidence: 70 impact: 70 - message: Windows Defender DontReportInfectionInformation registry is enabled on $dest$. + message: Windows Defender DontReportInfectionInformation registry is enabled on + $dest$. mitre_attack_id: - T1562.001 - T1562 @@ -65,6 +66,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_scan_on_update.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_scan_on_update.yml index 172942e72b..e01d1f1143 100644 --- a/detections/endpoint/windows_impair_defense_disable_win_defender_scan_on_update.yml +++ b/detections/endpoint/windows_impair_defense_disable_win_defender_scan_on_update.yml @@ -1,29 +1,26 @@ name: Windows Impair Defense Disable Win Defender Scan On Update id: 0418e72f-e710-4867-b656-0688e1523e09 -version: 1 -date: '2024-01-08' +version: 2 +date: '2024-05-28' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 12 - Sysmon EventID 13 -description: The following analytic identifies a modification in the Windows registry to disable Windows Defender - Scan On Update. The "DisableScanOnUpdate" registry setting in Windows Defender, when set to a value of 1, typically - signifies the feature that prevents automatic scans from initiating when updates to Windows Defender - or its antivirus definitions are installed. - Any modifications to registry settings, it's important to ensure that changes align with security policies and best practices. - Incorrect settings might affect the system's security or functionality. Always consider the implications and ensure changes - are made based on accurate information and organizational requirements. - This registry setting is being abuse by several threat actors, adversaries and red teamers to bypasses Windows defender detections. +description: The following analytic detects modifications to the Windows registry + that disable the Windows Defender Scan On Update feature. It leverages data from + the Endpoint.Registry datamodel, specifically looking for changes to the "DisableScanOnUpdate" + registry setting with a value of "0x00000001". This activity is significant because + disabling automatic scans can leave systems vulnerable to malware and other threats. + If confirmed malicious, this action could allow attackers to bypass Windows Defender, + facilitating further compromise and persistence within the environment. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\Signature Updates\\DisableScanOnUpdate" - Registry.registry_value_data="0x00000001" - by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest - | `drop_dm_object_name(Registry)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_impair_defense_disable_win_defender_scan_on_update_filter`' + as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows + Defender\\Signature Updates\\DisableScanOnUpdate" Registry.registry_value_data="0x00000001" + by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data + Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_win_defender_scan_on_update_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. @@ -67,6 +64,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_signature_retirement.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_signature_retirement.yml index e8148b48ee..cf9d08115b 100644 --- a/detections/endpoint/windows_impair_defense_disable_win_defender_signature_retirement.yml +++ b/detections/endpoint/windows_impair_defense_disable_win_defender_signature_retirement.yml @@ -1,30 +1,27 @@ name: Windows Impair Defense Disable Win Defender Signature Retirement id: 7567a72f-bada-489d-aef1-59743fb64a66 -version: 1 -date: '2024-01-08' +version: 2 +date: '2024-05-31' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 12 - Sysmon EventID 13 -description: The following analytic identifies a modification in the Windows registry to disable windows defender - Signature Retirement. The DisableSignatureRetirement registry setting in Windows Defender controls the retirement - or expiration of antivirus signatures used by Windows Defender Antivirus. - When DisableSignatureRetirement is set to 1, it usually indicates that Windows Defender won't automatically retire - or expire antivirus signatures. Antivirus signatures are files containing information about known malware and are - used by Windows Defender to detect and protect against threats. - Disabling signature retirement might prevent Windows Defender from automatically removing or retiring older or less - relevant antivirus signatures. This can potentially increase the number of signatures in use and might impact system - resources or the effectiveness of threat detection. +description: The following analytic detects modifications to the Windows registry + that disable Windows Defender Signature Retirement. It leverages data from the Endpoint.Registry + data model, specifically monitoring changes to the DisableSignatureRetirement registry + setting. This activity is significant because disabling signature retirement can + prevent Windows Defender from removing outdated antivirus signatures, potentially + reducing its effectiveness in detecting threats. If confirmed malicious, this action + could allow an attacker to evade detection by using older, less relevant signatures, + thereby compromising the system's security posture. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\NIS\\Consumers\\IPS\\DisableSignatureRetirement" - Registry.registry_value_data="0x00000001" - by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest - | `drop_dm_object_name(Registry)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_impair_defense_disable_win_defender_signature_retirement_filter`' + as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows + Defender\\NIS\\Consumers\\IPS\\DisableSignatureRetirement" Registry.registry_value_data="0x00000001" + by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data + Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_win_defender_signature_retirement_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. @@ -42,7 +39,8 @@ tags: asset_type: Endpoint confidence: 70 impact: 70 - message: Windows Defender DisableSignatureRetirement registry is set to enable on $dest$. + message: Windows Defender DisableSignatureRetirement registry is set to enable on + $dest$. mitre_attack_id: - T1562.001 - T1562 @@ -68,6 +66,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_impair_defense_overide_win_defender_phishing_filter.yml b/detections/endpoint/windows_impair_defense_overide_win_defender_phishing_filter.yml index 187dc99e75..db2f560571 100644 --- a/detections/endpoint/windows_impair_defense_overide_win_defender_phishing_filter.yml +++ b/detections/endpoint/windows_impair_defense_overide_win_defender_phishing_filter.yml @@ -1,28 +1,28 @@ name: Windows Impair Defense Overide Win Defender Phishing Filter id: 10ca081c-57b1-4a78-ba56-14a40a7e116a -version: 1 -date: '2024-01-08' +version: 2 +date: '2024-05-20' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 12 - Sysmon EventID 13 -description: The following analytic identifies a modification in the Windows registry to disable windows defender - phishing filter. This setting controls whether users can manually disable or modify the browser's built-in phishing filter. - When attackers modify "PreventOverride" to 0, it might indicate an attempt to disable the prevention of user overrides for - the phishing filter within Microsoft Edge. This change allows users to bypass or disable the built-in phishing protection provided by the browser. - By allowing users to override the phishing filter, attackers may attempt to deceive users into visiting phishing websites or - malicious pages without triggering warnings or protections from the browser's built-in security measures. This manipulation increases the - risk of users unknowingly accessing potentially harmful websites, leading to potential security incidents or compromises. +description: The following analytic detects modifications to the Windows registry + that disable the Windows Defender phishing filter. It leverages data from the Endpoint.Registry + data model, focusing on changes to specific registry values related to Microsoft + Edge's phishing filter settings. This activity is significant because disabling + the phishing filter can allow attackers to deceive users into visiting malicious + websites without triggering browser warnings. If confirmed malicious, this could + lead to users unknowingly accessing harmful sites, resulting in potential security + incidents or data compromises. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_key_name = "*\\MicrosoftEdge\\PhishingFilter" Registry.registry_value_name IN ("EnabledV9", "PreventOverride") - Registry.registry_value_data="0x00000000" - by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest - | `drop_dm_object_name(Registry)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_impair_defense_overide_win_defender_phishing_filter_filter`' + as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_key_name = + "*\\MicrosoftEdge\\PhishingFilter" Registry.registry_value_name IN ("EnabledV9", + "PreventOverride") Registry.registry_value_data="0x00000000" by Registry.registry_key_name + Registry.user Registry.registry_path Registry.registry_value_data Registry.action + Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_impair_defense_overide_win_defender_phishing_filter_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. @@ -66,6 +66,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_impair_defense_override_smartscreen_prompt.yml b/detections/endpoint/windows_impair_defense_override_smartscreen_prompt.yml index b1263d8685..741c72ce63 100644 --- a/detections/endpoint/windows_impair_defense_override_smartscreen_prompt.yml +++ b/detections/endpoint/windows_impair_defense_override_smartscreen_prompt.yml @@ -1,28 +1,27 @@ name: Windows Impair Defense Override SmartScreen Prompt id: 08058866-7987-486f-b042-275715ef6e9d -version: 1 -date: '2024-01-08' +version: 2 +date: '2024-05-31' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 12 - Sysmon EventID 13 -description: The following analytic identifies a modification in the Windows registry to override windows defender - smartscreen prompt. The "PreventSmartScreenPromptOverride" registry setting is associated with the Windows SmartScreen feature, - specifically related to controlling whether users can override SmartScreen prompts. - When attackers modify "PreventSmartScreenPromptOverride" to 0, it signifies an attempt to disable the prevention of user overrides - for SmartScreen prompts. By doing so, attackers aim to allow users to bypass or ignore SmartScreen warnings or prompts. - This change increases the risk by permitting users to disregard warnings about potentially unsafe or malicious files or - websites that would typically trigger SmartScreen alerts. It could lead to users unintentionally executing or accessing - malicious content, potentially resulting in security incidents or system compromises. +description: The following analytic detects modifications to the Windows registry + that override the Windows Defender SmartScreen prompt. It leverages data from the + Endpoint.Registry data model, specifically monitoring changes to the "PreventSmartScreenPromptOverride" + registry setting. This activity is significant because it indicates an attempt to + disable the prevention of user overrides for SmartScreen prompts, potentially allowing + users to bypass security warnings. If confirmed malicious, this could lead to users + inadvertently executing or accessing harmful content, increasing the risk of security + incidents or system compromises. search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry - WHERE Registry.registry_path= "*\\Microsoft\\Edge\\PreventSmartScreenPromptOverride" Registry.registry_value_data= "0x00000000" - BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid - | `drop_dm_object_name(Registry)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_impair_defense_override_smartscreen_prompt_filter`' + WHERE Registry.registry_path= "*\\Microsoft\\Edge\\PreventSmartScreenPromptOverride" + Registry.registry_value_data= "0x00000000" BY _time span=1h Registry.dest Registry.user + Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data + Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_impair_defense_override_smartscreen_prompt_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. @@ -66,6 +65,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog \ No newline at end of file + sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_impair_defense_set_win_defender_smart_screen_level_to_warn.yml b/detections/endpoint/windows_impair_defense_set_win_defender_smart_screen_level_to_warn.yml index a24c698eaa..d2d8e1b17b 100644 --- a/detections/endpoint/windows_impair_defense_set_win_defender_smart_screen_level_to_warn.yml +++ b/detections/endpoint/windows_impair_defense_set_win_defender_smart_screen_level_to_warn.yml @@ -1,29 +1,26 @@ name: Windows Impair Defense Set Win Defender Smart Screen Level To Warn id: cc2a3425-2703-47e7-818f-3dca1b0bc56f -version: 1 -date: '2024-01-08' +version: 2 +date: '2024-05-21' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 12 - Sysmon EventID 13 -description: The following analytic identifies a modification in the Windows registry to set windows defender - smart screen level to warn. Setting the ShellSmartScreenLevel to warn implies a SmartScreen configuration - where the system displays a warning prompt when users attempt to run or access potentially risky or unrecognized - files or applications. This warning serves as a cautionary alert to users, advising them about the potential - risks associated with the file or application they are trying to execute. - Changing SmartScreen settings to "warn" might be employed by attackers to reduce the likelihood of triggering - immediate suspicion from users when running malicious executables. By setting it to "warn," the system prompts a - cautionary warning rather than outright blocking the execution, potentially increasing the chances of users - proceeding with running the file despite the warning. +description: The following analytic detects modifications to the Windows registry + that set the Windows Defender SmartScreen level to "warn." This detection leverages + data from the Endpoint.Registry data model, specifically monitoring changes to the + ShellSmartScreenLevel registry value. This activity is significant because altering + SmartScreen settings to "warn" can reduce immediate suspicion from users, allowing + potentially malicious executables to run with just a warning prompt. If confirmed + malicious, this could enable attackers to execute harmful files, increasing the + risk of successful malware deployment and subsequent system compromise. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Microsoft\\Windows\\System\\ShellSmartScreenLevel" - Registry.registry_value_data="Warn" - by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest - | `drop_dm_object_name(Registry)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` + Registry.registry_value_data="Warn" by Registry.registry_key_name Registry.user + Registry.registry_path Registry.registry_value_data Registry.action Registry.dest + | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_set_win_defender_smart_screen_level_to_warn_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from @@ -68,6 +65,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_impair_defenses_disable_hvci.yml b/detections/endpoint/windows_impair_defenses_disable_hvci.yml index 0769887403..74a15ee529 100644 --- a/detections/endpoint/windows_impair_defenses_disable_hvci.yml +++ b/detections/endpoint/windows_impair_defenses_disable_hvci.yml @@ -1,32 +1,42 @@ name: Windows Impair Defenses Disable HVCI id: b061dfcc-f0aa-42cc-a6d4-a87f172acb79 -version: 1 -date: '2023-04-13' +version: 2 +date: '2024-05-24' author: Michael Haag, Splunk status: production type: TTP data_source: - Sysmon EventID 12 - Sysmon EventID 13 -description: The following analytic refers to a detection mechanism designed to identify when the Hypervisor-protected Code Integrity (HVCI) feature is disabled within the Windows registry. HVCI is a security feature in Windows 10 and Windows Server 2016 that helps protect the kernel and system processes from being tampered with by malicious code. - HVCI relies on hardware-assisted virtualization and Microsoft's Hyper-V hypervisor to ensure that only kernel-mode code that has been signed by Microsoft or the system's hardware manufacturer can be executed. This prevents attackers from exploiting vulnerabilities to run unsigned code, like kernel-mode rootkits or other malicious software, at the kernel level. - Disabling HVCI may expose the system to security risks and could be an indicator of a potential compromise or unauthorized activity. The analytic aims to detect and report events or configurations that lead to the disabling of HVCI. +description: The following analytic detects the disabling of Hypervisor-protected + Code Integrity (HVCI) by monitoring changes in the Windows registry. It leverages + data from the Endpoint datamodel, specifically focusing on registry paths and values + related to HVCI settings. This activity is significant because HVCI helps protect + the kernel and system processes from tampering by malicious code. If confirmed malicious, + disabling HVCI could allow attackers to execute unsigned kernel-mode code, potentially + leading to kernel-level rootkits or other severe security breaches. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\CurrentControlSet\\Control\\DeviceGuard\\Scenarios\\HypervisorEnforcedCodeIntegrity\\Enabled" Registry.registry_value_data="0x00000000" by Registry.registry_path Registry.registry_value_name + as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\CurrentControlSet\\Control\\DeviceGuard\\Scenarios\\HypervisorEnforcedCodeIntegrity\\Enabled" + Registry.registry_value_data="0x00000000" by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defenses_disable_hvci_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -known_false_positives: False positives will be limited to administrative scripts disabling HVCI. Filter as needed. +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, + confirm the latest CIM App 4.20 or higher is installed and the latest TA for the + endpoint product. +known_false_positives: False positives will be limited to administrative scripts disabling + HVCI. Filter as needed. references: - - https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/ +- https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/ tags: analytic_story: - BlackLotus Campaign - Windows Defense Evasion Tactics - Windows Registry Abuse asset_type: Endpoint - atomic_guid: + atomic_guid: - 70bd71e6-eba4-4e00-92f7-617911dbe020 confidence: 100 impact: 70 @@ -56,6 +66,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/atomic_red_team/hvci_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/atomic_red_team/hvci_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_impair_defenses_disable_win_defender_auto_logging.yml b/detections/endpoint/windows_impair_defenses_disable_win_defender_auto_logging.yml index 63f1ca8f24..e3649c03d7 100644 --- a/detections/endpoint/windows_impair_defenses_disable_win_defender_auto_logging.yml +++ b/detections/endpoint/windows_impair_defenses_disable_win_defender_auto_logging.yml @@ -1,16 +1,18 @@ name: Windows Impair Defenses Disable Win Defender Auto Logging id: 76406a0f-f5e0-4167-8e1f-337fdc0f1b0c -version: 1 -date: '2023-12-27' +version: 2 +date: '2024-05-18' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The search looks for the Registry Key DefenderApiLogger or DefenderAuditLogger - set to disable. This is consistent with RAT malware across a fleet of endpoints. - This particular behavior is typically executed when an adversary gains access to - an endpoint and beings to perform execution. Usually, a batch (.bat) will be executed - and multiple registry and scheduled task modifications will occur. During triage, - review parallel processes and identify any further file modifications. +description: The following analytic detects the disabling of Windows Defender logging + by identifying changes to the Registry keys DefenderApiLogger or DefenderAuditLogger + set to disable. It leverages data from the Endpoint.Registry datamodel to monitor + specific registry paths and values. This activity is significant as it is commonly + associated with Remote Access Trojan (RAT) malware attempting to evade detection. + If confirmed malicious, this action could allow an attacker to conceal their activities, + making it harder to detect further malicious actions and maintain persistence on + the compromised endpoint. data_source: - Sysmon EventID 12 - Sysmon EventID 13 @@ -64,7 +66,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable_defender_logging/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable_defender_logging/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_indicator_removal_via_rmdir.yml b/detections/endpoint/windows_indicator_removal_via_rmdir.yml index 4be0e1b285..d5143ea681 100644 --- a/detections/endpoint/windows_indicator_removal_via_rmdir.yml +++ b/detections/endpoint/windows_indicator_removal_via_rmdir.yml @@ -1,25 +1,27 @@ name: Windows Indicator Removal Via Rmdir id: c4566d2c-b094-48a1-9c59-d66e22065560 -version: 1 -date: '2023-11-23' +version: 2 +date: '2024-05-13' author: Teoderick Contreras, Splunk status: production type: Anomaly data_source: - Sysmon EventID 1 -description: The following analytic identifies a process execute rmdir commandline to delete files and directory tree. - This technique has been observed in the actions of various malware strains, such as DarkGate, - as they attempt to eliminate specific files or components during their cleanup operations within compromised hosts. - Notably, this deletion method doesn't exclusively require elevated privileges and can be executed by regular users or network administrators, - although it's not the typical approach used for file deletion. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes - where Processes.process = "*rmdir*" Processes.process = "* /s *" Processes.process = "* /q *" - by Processes.process_name Processes.original_file_name Processes.process Processes.process_id - Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user - | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_indicator_removal_via_rmdir_filter`' +description: The following analytic detects the execution of the 'rmdir' command with + '/s' and '/q' options to delete files and directory trees. This detection leverages + data from Endpoint Detection and Response (EDR) agents, focusing on command-line + executions and process metadata. This activity is significant as it may indicate + malware attempting to remove traces or components during cleanup operations. If + confirmed malicious, this behavior could allow attackers to eliminate forensic evidence, + hinder incident response efforts, and maintain persistence by removing indicators + of compromise. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process = "*rmdir*" + Processes.process = "* /s *" Processes.process = "* /q *" by Processes.process_name + Processes.original_file_name Processes.process Processes.process_id Processes.process_guid + Processes.parent_process_name Processes.parent_process Processes.parent_process_guid + Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_indicator_removal_via_rmdir_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -70,6 +72,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070/rmdir_delete_files_and_dir/rmdir.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070/rmdir_delete_files_and_dir/rmdir.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_indirect_command_execution_via_forfiles.yml b/detections/endpoint/windows_indirect_command_execution_via_forfiles.yml index 4d626dc7a2..b959dc3314 100644 --- a/detections/endpoint/windows_indirect_command_execution_via_forfiles.yml +++ b/detections/endpoint/windows_indirect_command_execution_via_forfiles.yml @@ -1,15 +1,19 @@ name: Windows Indirect Command Execution Via forfiles id: 1fdf31c9-ff4d-4c48-b799-0e8666e08787 -version: 1 -date: '2022-04-05' +version: 2 +date: '2024-05-28' author: Eric McGinnis, Splunk status: production type: TTP -description: The following analytic detects programs that have been started by forfiles.exe. - According to Microsoft, the 'The forfiles command lets you run a command on or pass - arguments to multiple files'. While this tool can be used to start legitimate programs, - usually within the context of a batch script, it has been observed being used to - evade protections on command line execution. +description: The following analytic detects the execution of programs initiated by + forfiles.exe. This command is typically used to run commands on multiple files, + often within batch scripts. The detection leverages data from Endpoint Detection + and Response (EDR) agents, focusing on process creation events where forfiles.exe + is the parent process. This activity is significant because forfiles.exe can be + exploited to bypass command line execution protections, making it a potential vector + for malicious activity. If confirmed malicious, this could allow attackers to execute + arbitrary commands, potentially leading to unauthorized access or further system + compromise. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -69,6 +73,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1202/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1202/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_indirect_command_execution_via_pcalua.yml b/detections/endpoint/windows_indirect_command_execution_via_pcalua.yml index f5dc78005c..cec4a83828 100644 --- a/detections/endpoint/windows_indirect_command_execution_via_pcalua.yml +++ b/detections/endpoint/windows_indirect_command_execution_via_pcalua.yml @@ -1,14 +1,18 @@ name: Windows Indirect Command Execution Via pcalua id: 3428ac18-a410-4823-816c-ce697d26f7a8 -version: 1 -date: '2022-04-05' +version: 2 +date: '2024-05-10' author: Eric McGinnis, Splunk status: production type: TTP -description: The following analytic detects programs that have been started by pcalua.exe. - pcalua.exe is the Microsoft Windows Program Compatability Assistant. While this - tool can be used to start legitimate programs, it has been observed being used to - evade protections on command line execution. +description: The following analytic detects programs initiated by pcalua.exe, the + Microsoft Windows Program Compatibility Assistant. This detection leverages data + from Endpoint Detection and Response (EDR) agents, focusing on process and parent + process information. While pcalua.exe can start legitimate programs, it is significant + because attackers may use it to bypass command line execution protections. If confirmed + malicious, this activity could allow attackers to execute arbitrary commands, potentially + leading to unauthorized actions, privilege escalation, or persistence within the + environment. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -67,6 +71,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1202/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1202/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_indirect_command_execution_via_series_of_forfiles.yml b/detections/endpoint/windows_indirect_command_execution_via_series_of_forfiles.yml index ff5a3c559c..a5db471e72 100644 --- a/detections/endpoint/windows_indirect_command_execution_via_series_of_forfiles.yml +++ b/detections/endpoint/windows_indirect_command_execution_via_series_of_forfiles.yml @@ -1,15 +1,18 @@ name: Windows Indirect Command Execution Via Series Of Forfiles id: bfdaabe7-3db8-48c5-80c1-220f9b8f22be -version: 1 -date: '2022-11-30' +version: 2 +date: '2024-05-19' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This analytic is developed to detect suspicious excessive usage of forfiles.exe - process. This event was seen in post exploitation tool WINPEAS that was used by - Ransomware Prestige. Forfiles command lets you run a command on or pass arguments - to multiple files. This Windows OS built-in tool being abused to list all files - in specific directory or drive. +description: The following analytic detects excessive usage of the forfiles.exe process, + which is often indicative of post-exploitation activities. The detection leverages + data from Endpoint Detection and Response (EDR) agents, focusing on process execution + logs that include process GUID, process name, and parent process. This activity + is significant because forfiles.exe can be abused to execute commands on multiple + files, a technique used by ransomware like Prestige. If confirmed malicious, this + behavior could allow attackers to enumerate files, potentially leading to data exfiltration + or further malicious actions. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` values(Processes.process) as process @@ -70,7 +73,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_information_discovery_fsutil.yml b/detections/endpoint/windows_information_discovery_fsutil.yml index ddecabde5f..d49801f8b6 100644 --- a/detections/endpoint/windows_information_discovery_fsutil.yml +++ b/detections/endpoint/windows_information_discovery_fsutil.yml @@ -1,16 +1,18 @@ name: Windows Information Discovery Fsutil id: 2181f261-93e6-4166-a5a9-47deac58feff -version: 1 -date: '2022-11-30' +version: 2 +date: '2024-05-29' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic identifies a process execution of Windows OS built-in - tool FSUTIL to discover file system information. This tool is being abused or used - by several adversaries or threat actor to query/list all drives, drive type, volume - information or volume statistics by using the FSINFO parameter of this tool. This - technique was seen in WINPEAS post exploitation tool that is being used by ransomware - prestige to gain privilege and persistence to the targeted host. +description: The following analytic identifies the execution of the Windows built-in + tool FSUTIL with the FSINFO parameter to discover file system information. This + detection leverages data from Endpoint Detection and Response (EDR) agents, focusing + on process execution logs that include command-line details. Monitoring this activity + is significant because FSUTIL can be abused by adversaries to gather detailed information + about the file system, aiding in further exploitation. If confirmed malicious, this + activity could enable attackers to map the file system, identify valuable data, + and plan subsequent actions such as privilege escalation or persistence. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -73,7 +75,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/winpeas_fsutil/fsutil-fsinfo-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/winpeas_fsutil/fsutil-fsinfo-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_ingress_tool_transfer_using_explorer.yml b/detections/endpoint/windows_ingress_tool_transfer_using_explorer.yml index 2da6d1f10c..7a6841a325 100644 --- a/detections/endpoint/windows_ingress_tool_transfer_using_explorer.yml +++ b/detections/endpoint/windows_ingress_tool_transfer_using_explorer.yml @@ -1,18 +1,18 @@ name: Windows Ingress Tool Transfer Using Explorer id: 76753bab-f116-4ea3-8fb9-89b638be58a9 -version: 2 -date: '2022-08-30' +version: 3 +date: '2024-05-18' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic identifies the Windows Explorer process with a - URL within the command-line. Explorer.exe is known Windows process that handles - start menu, taskbar, desktop and file manager. Many adversaries abuse this process, - like DCRat malware, where it attempts to open the URL with the default browser application - on the target host by putting the URL as a parameter on explorer.exe process. This - anomaly detection might be a good pivot to check which user and how this process - was executed, what is the parent process and what is the URL link. This technique - is not commonly used to open an URL. +description: The following analytic identifies instances where the Windows Explorer + process (explorer.exe) is executed with a URL in its command line. This detection + leverages data from Endpoint Detection and Response (EDR) agents, focusing on process + execution logs. This activity is significant because adversaries, such as those + using DCRat malware, may abuse explorer.exe to open URLs with the default browser, + which is an uncommon and suspicious behavior. If confirmed malicious, this technique + could allow attackers to download and execute malicious payloads, leading to potential + system compromise and further malicious activities. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) @@ -85,7 +85,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/dcrat_explorer_url/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/dcrat_explorer_url/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_inprocserver32_new_outlook_form.yml b/detections/endpoint/windows_inprocserver32_new_outlook_form.yml index c4dee8b4d8..c2a3773cf5 100644 --- a/detections/endpoint/windows_inprocserver32_new_outlook_form.yml +++ b/detections/endpoint/windows_inprocserver32_new_outlook_form.yml @@ -1,21 +1,31 @@ name: Windows InProcServer32 New Outlook Form id: fedb49c4-4bd7-4d42-8fd9-f8c8538c73c4 -version: 1 -date: '2024-03-20' +version: 2 +date: '2024-05-25' author: Michael Haag, Splunk data_source: - Sysmon EventID 13 type: Anomaly status: production -description: The following analytic identifies the creation or modification of registry keys associated with new Outlook form installations that could indicate exploitation of CVE-2024-21378. The vulnerability allows for authenticated remote code execution via synced form objects by abusing the InProcServer32 registry key. The attack involves syncing malicious form objects that carry special properties and attachments used to "install" the form on a client, potentially leading to arbitrary file and registry key creation under HKEY_CLASSES_ROOT (HKCR), and ultimately, remote code execution. This detection focuses on monitoring for registry modifications involving InProcServer32 keys or equivalent that are linked to Outlook form installations, which are indicative of an attempt to exploit this vulnerability. -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry where Registry.registry_path="*\\InProcServer32\\*" Registry.registry_value_data=*\\FORMS\\* by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.dest Registry.process_guid Registry.user - | `drop_dm_object_name(Registry)` - |`security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `windows_inprocserver32_new_outlook_form_filter`' +description: The following analytic detects the creation or modification of registry + keys associated with new Outlook form installations, potentially indicating exploitation + of CVE-2024-21378. It leverages data from the Endpoint.Registry datamodel, focusing + on registry paths involving InProcServer32 keys linked to Outlook forms. This activity + is significant as it may signify an attempt to achieve authenticated remote code + execution via malicious form objects. If confirmed malicious, this could allow an + attacker to create arbitrary files and registry keys, leading to remote code execution + and potential full system compromise. +search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry + where Registry.registry_path="*\\InProcServer32\\*" Registry.registry_value_data=*\\FORMS\\* + by Registry.registry_path Registry.registry_key_name Registry.registry_value_name + Registry.registry_value_data Registry.dest Registry.process_guid Registry.user | + `drop_dm_object_name(Registry)` |`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_inprocserver32_new_outlook_form_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -known_false_positives: False positives are possible if the organization adds new forms to Outlook via an automated method. Filter by name or path to reduce false positives. +known_false_positives: False positives are possible if the organization adds new forms + to Outlook via an automated method. Filter by name or path to reduce false positives. references: - https://www.netspi.com/blog/technical/red-team-operations/microsoft-outlook-remote-code-execution-cve-2024-21378/ tags: @@ -26,7 +36,8 @@ tags: asset_type: Endpoint confidence: 70 impact: 70 - message: A registry key associated with a new Outlook form installation was created or modified. This could indicate exploitation of CVE-2024-21378 on $dest$. + message: A registry key associated with a new Outlook form installation was created + or modified. This could indicate exploitation of CVE-2024-21378 on $dest$. mitre_attack_id: - T1566 - T1112 @@ -52,6 +63,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/cve-2024-21378/inprocserver32_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/cve-2024-21378/inprocserver32_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog \ No newline at end of file + sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_input_capture_using_credential_ui_dll.yml b/detections/endpoint/windows_input_capture_using_credential_ui_dll.yml index 369c6604ee..638b2a7d98 100644 --- a/detections/endpoint/windows_input_capture_using_credential_ui_dll.yml +++ b/detections/endpoint/windows_input_capture_using_credential_ui_dll.yml @@ -1,17 +1,17 @@ name: Windows Input Capture Using Credential UI Dll id: 406c21d6-6c75-4e9f-9ca9-48049a1dd90e -version: 1 -date: '2022-08-24' +version: 2 +date: '2024-05-11' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic identifies a process that loads the credui.dll - module. This legitimate module is typically abused by adversaries, threat actors - and red teamers to create a credential UI prompt dialog box to lure users for possible - credential theft or can be used to dump the credentials of a targeted host. This - hunting query is a good pivot to check why the process loaded this dll and if it - is a legitimate file. This hunting query may hit false positive for a third party - application that uses a credential login UI for user login. +description: The following analytic detects a process loading the credui.dll or wincredui.dll + module. This detection leverages Sysmon EventCode 7 to identify instances where + these DLLs are loaded by processes outside typical system directories. This activity + is significant because adversaries often abuse these modules to create fake credential + prompts or dump credentials, posing a risk of credential theft. If confirmed malicious, + this activity could allow attackers to harvest user credentials, leading to unauthorized + access and potential lateral movement within the network. data_source: - Sysmon EventID 7 search: '`sysmon` EventCode=7 (ImageLoaded = "*\\credui.dll" AND OriginalFileName @@ -61,7 +61,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/iso_version_dll_campaign/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/iso_version_dll_campaign/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_installutil_credential_theft.yml b/detections/endpoint/windows_installutil_credential_theft.yml index 7def68636e..5445ac16f5 100644 --- a/detections/endpoint/windows_installutil_credential_theft.yml +++ b/detections/endpoint/windows_installutil_credential_theft.yml @@ -1,35 +1,29 @@ name: Windows InstallUtil Credential Theft id: ccfeddec-43ec-11ec-b494-acde48001122 -version: 4 -date: '2024-03-14' +version: 5 +date: '2024-05-18' author: Michael Haag, Mauricio Velazo, Splunk status: production type: TTP -description: This analytic identifies instances where the Windows InstallUtil.exe binary - loads `vaultcli.dll` and `Samlib.dll`. This technique can be employed to execute code - that bypasses application control and captures credentials using tools like - Mimikatz. - - When `InstallUtil.exe` is used maliciously, it typically specifies the path to an executable on - the filesystem. It is important to observe the parent process in such cases. Suspicious - activity often involves being spawned from non-standard processes such as `Cmd.exe`, `PowerShell.exe`, - or `Explorer.exe`. - - Conversely, when used by developers, it is usually accompanied by multiple command-line - switches/arguments and originates from Visual Studio. - - During triage, review any resulting network connections, file modifications, and concurrent - processes. Capture any artifacts for further review.' +description: The following analytic detects instances where the Windows InstallUtil.exe + binary loads `vaultcli.dll` and `Samlib.dll`. This detection leverages Sysmon EventCode + 7 to identify these specific DLL loads. This activity is significant because it + can indicate an attempt to execute code that bypasses application control and captures + credentials using tools like Mimikatz. If confirmed malicious, this behavior could + allow an attacker to steal credentials, potentially leading to unauthorized access + and further compromise of the system. data_source: - Sysmon EventID 7 -search: '`sysmon` EventCode=7 process_name=installutil.exe loaded_file_path IN ("*\\samlib.dll", "*\\vaultcli.dll") - | stats count min(_time) as firstTime max(_time) as lastTime by user_id, dest, process_name, loaded_file, loaded_file_path, original_file_name, process_guid - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_installutil_credential_theft_filter`' +search: '`sysmon` EventCode=7 process_name=installutil.exe loaded_file_path IN ("*\\samlib.dll", + "*\\vaultcli.dll") | stats count min(_time) as firstTime max(_time) as lastTime + by user_id, dest, process_name, loaded_file, loaded_file_path, original_file_name, + process_guid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_installutil_credential_theft_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and module loads from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -known_false_positives: Typically, this will not trigger because, by its very nature, InstallUtil - does not require credentials. Filter as needed. +known_false_positives: Typically, this will not trigger because, by its very nature, + InstallUtil does not require credentials. Filter as needed. references: - https://gist.github.com/xorrior/bbac3919ca2aef8d924bdf3b16cce3d0 tags: @@ -38,8 +32,8 @@ tags: asset_type: Endpoint confidence: 100 impact: 80 - message: An instance of process name [$process_name$] loading a file [$loaded_file$] was identified - on endpoint- [$dest$] to potentially capture credentials in memory. + message: An instance of process name [$process_name$] loading a file [$loaded_file$] + was identified on endpoint- [$dest$] to potentially capture credentials in memory. mitre_attack_id: - T1218.004 - T1218 @@ -74,6 +68,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.004/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.004/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_installutil_remote_network_connection.yml b/detections/endpoint/windows_installutil_remote_network_connection.yml index 9b8a4cb900..b8d6a4dd73 100644 --- a/detections/endpoint/windows_installutil_remote_network_connection.yml +++ b/detections/endpoint/windows_installutil_remote_network_connection.yml @@ -1,24 +1,19 @@ name: Windows InstallUtil Remote Network Connection id: 4fbf9270-43da-11ec-9486-acde48001122 -version: 3 -date: '2023-11-07' +version: 4 +date: '2024-05-24' author: Michael Haag, Splunk status: production type: TTP -description: 'The following analytic identifies the Windows InstallUtil.exe binary - making a remote network connection. This technique may be used to download and execute - code while bypassing application control. - - When `InstallUtil.exe` is used in a malicous manner, the path to an executable on - the filesystem is typically specified. Take note of the parent process. In a suspicious - instance, this will be spawned from a non-standard process like `Cmd.exe`, `PowerShell.exe` - or `Explorer.exe`. - - If used by a developer, typically this will be found with multiple command-line - switches/arguments and spawn from Visual Studio. - - During triage review resulting network connections, file modifications, and parallel - processes. Capture any artifacts and review further.' +description: 'The following analytic detects the Windows InstallUtil.exe binary making + a remote network connection. It leverages data from Endpoint Detection and Response + (EDR) agents, focusing on process and network telemetry. This activity is significant + because InstallUtil.exe can be exploited to download and execute malicious code, + bypassing application control mechanisms. If confirmed malicious, an attacker could + achieve code execution, potentially leading to further system compromise, data exfiltration, + or lateral movement within the network. Analysts should review the parent process, + network connections, and any associated file modifications to determine the legitimacy + of this activity.' data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes @@ -98,6 +93,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.004/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.004/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_installutil_uninstall_option.yml b/detections/endpoint/windows_installutil_uninstall_option.yml index 9dc72a2937..b9f187a954 100644 --- a/detections/endpoint/windows_installutil_uninstall_option.yml +++ b/detections/endpoint/windows_installutil_uninstall_option.yml @@ -1,36 +1,28 @@ name: Windows InstallUtil Uninstall Option id: cfa7b9ac-43f0-11ec-9b48-acde48001122 -version: 2 -date: '2024-04-29' +version: 3 +date: '2024-05-14' author: Michael Haag, Splunk status: production type: TTP -description: 'The following analytic identifies the Windows InstallUtil.exe binary. - This will execute code while bypassing application control using the `/u` (uninstall) - switch. - - InstallUtil uses the functions install and uninstall within the System.Configuration.Install - namespace to process .net assembly. Install function requires admin privileges, - however, uninstall function can be run as an unprivileged user. - - When `InstallUtil.exe` is used in a malicous manner, the path to an executable on - the filesystem is typically specified. Take note of the parent process. In a suspicious - instance, this will be spawned from a non-standard process like `Cmd.exe`, `PowerShell.exe` - or `Explorer.exe`. - - If used by a developer, typically this will be found with multiple command-line - switches/arguments and spawn from Visual Studio. - - During triage review resulting network connections, file modifications, and parallel - processes. Capture any artifacts and review further.' +description: 'The following analytic detects the use of the Windows InstallUtil.exe + binary with the `/u` (uninstall) switch, which can execute code while bypassing + application control. This detection leverages data from Endpoint Detection and Response + (EDR) agents, focusing on process names, parent processes, and command-line executions. + This activity is significant because it can indicate an attempt to execute malicious + code without administrative privileges. If confirmed malicious, an attacker could + achieve code execution, potentially leading to further system compromise or persistence + within the environment.' data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_installutil` Processes.process - IN ("*/u*", "*uninstall*") NOT (Processes.process IN ("*C:\\WINDOWS\\CCM\\*")) NOT (Processes.parent_process_name IN ("Microsoft.SharePoint.Migration.ClientInstaller.exe")) by Processes.dest Processes.user Processes.parent_process_name - Processes.process_name Processes.original_file_name Processes.process Processes.process_id - Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)`| `windows_installutil_uninstall_option_filter`' + IN ("*/u*", "*uninstall*") NOT (Processes.process IN ("*C:\\WINDOWS\\CCM\\*")) NOT + (Processes.parent_process_name IN ("Microsoft.SharePoint.Migration.ClientInstaller.exe")) + by Processes.dest Processes.user Processes.parent_process_name Processes.process_name + Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| + `windows_installutil_uninstall_option_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -97,6 +89,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.004/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.004/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_installutil_uninstall_option_with_network.yml b/detections/endpoint/windows_installutil_uninstall_option_with_network.yml index 876e8d5d55..39c7259c94 100644 --- a/detections/endpoint/windows_installutil_uninstall_option_with_network.yml +++ b/detections/endpoint/windows_installutil_uninstall_option_with_network.yml @@ -1,39 +1,30 @@ name: Windows InstallUtil Uninstall Option with Network id: 1a52c836-43ef-11ec-a36c-acde48001122 -version: 2 -date: '2022-03-16' +version: 3 +date: '2024-05-25' author: Michael Haag, Splunk status: production type: TTP -description: 'The following analytic identifies the Windows InstallUtil.exe binary - making a remote network connection. This technique may be used to download and execute - code while bypassing application control using the `/u` (uninstall) switch. - - InstallUtil uses the functions install and uninstall within the System.Configuration.Install - namespace to process .net assembly. Install function requires admin privileges, - however, uninstall function can be run as an unprivileged user. - - When `InstallUtil.exe` is used in a malicous manner, the path to an executable on - the filesystem is typically specified. Take note of the parent process. In a suspicious - instance, this will be spawned from a non-standard process like `Cmd.exe`, `PowerShell.exe` - or `Explorer.exe`. - - If used by a developer, typically this will be found with multiple command-line - switches/arguments and spawn from Visual Studio. - - During triage review resulting network connections, file modifications, and parallel - processes. Capture any artifacts and review further.' +description: 'The following analytic identifies the use of Windows InstallUtil.exe + making a remote network connection using the `/u` (uninstall) switch. This detection + leverages Endpoint Detection and Response (EDR) telemetry, focusing on process and + network activity data. This behavior is significant as it may indicate an attempt + to download and execute code while bypassing application control mechanisms. If + confirmed malicious, this activity could allow an attacker to execute arbitrary + code, potentially leading to system compromise, data exfiltration, or further lateral + movement within the network.' data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_installutil` Processes.process IN ("*/u*", "*uninstall*") by _time - span=1h Processes.user Processes.process_id Processes.process_name Processes.dest Processes.process_path - Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` + span=1h Processes.user Processes.process_id Processes.process_name Processes.dest + Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port - | `drop_dm_object_name(All_Traffic)` | rename dest as C2 ] | table _time user dest parent_process_name - process_name process_path process process_id dest_port C2 | `windows_installutil_uninstall_option_with_network_filter`' + | `drop_dm_object_name(All_Traffic)` | rename dest as C2 ] | table _time user dest + parent_process_name process_name process_path process process_id dest_port C2 | + `windows_installutil_uninstall_option_with_network_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -104,6 +95,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.004/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.004/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_installutil_url_in_command_line.yml b/detections/endpoint/windows_installutil_url_in_command_line.yml index fc3a536b83..ca9b2147fd 100644 --- a/detections/endpoint/windows_installutil_url_in_command_line.yml +++ b/detections/endpoint/windows_installutil_url_in_command_line.yml @@ -1,24 +1,18 @@ name: Windows InstallUtil URL in Command Line id: 28e06670-43df-11ec-a569-acde48001122 -version: 1 -date: '2021-11-12' +version: 2 +date: '2024-05-16' author: Michael Haag, Splunk status: production type: TTP -description: 'The following analytic identifies the Windows InstallUtil.exe binary - passing a HTTP request on the command-line. This technique may be used to download - and execute code while bypassing application control. - - When `InstallUtil.exe` is used in a malicous manner, the path to an executable on - the filesystem is typically specified. Take note of the parent process. In a suspicious - instance, this will be spawned from a non-standard process like `Cmd.exe`, `PowerShell.exe` - or `Explorer.exe`. - - If used by a developer, typically this will be found with multiple command-line - switches/arguments and spawn from Visual Studio. - - During triage review resulting network connections, file modifications, and parallel - processes. Capture any artifacts and review further.' +description: 'The following analytic detects the use of Windows InstallUtil.exe with + an HTTP or HTTPS URL in the command line. This is identified through Endpoint Detection + and Response (EDR) telemetry, focusing on command-line executions containing URLs. + This activity is significant as it may indicate an attempt to download and execute + malicious code, potentially bypassing application control mechanisms. If confirmed + malicious, this could lead to unauthorized code execution, privilege escalation, + or persistent access within the environment. Analysts should review the parent process, + network connections, file modifications, and related processes for further investigation.' data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -93,6 +87,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.004/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.004/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_iso_lnk_file_creation.yml b/detections/endpoint/windows_iso_lnk_file_creation.yml index 6f68708f81..182d927f4a 100644 --- a/detections/endpoint/windows_iso_lnk_file_creation.yml +++ b/detections/endpoint/windows_iso_lnk_file_creation.yml @@ -1,15 +1,17 @@ name: Windows ISO LNK File Creation id: d7c2c09b-9569-4a9e-a8b6-6a39a99c1d32 -version: 2 -date: '2022-09-19' +version: 3 +date: '2024-05-09' author: Michael Haag, Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic identifies the use of a delivered ISO file that - has been mounted and the afformention lnk or file opened within it. When the ISO - file is opened, the files are saved in the %USER%\AppData\Local\Temp\\ path. The analytic identifies .iso.lnk written to the path. The name of the - ISO file is prepended. +description: The following analytic detects the creation of .iso.lnk files in the + %USER%\AppData\Local\Temp\\ path, indicating that an ISO file + has been mounted and accessed. This detection leverages the Endpoint.Filesystem + data model, specifically monitoring file creation events in the Windows Recent folder. + This activity is significant as it may indicate the delivery and execution of potentially + malicious payloads via ISO files. If confirmed malicious, this could lead to unauthorized + code execution, data exfiltration, or further system compromise. data_source: - Sysmon EventID 11 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -72,6 +74,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556.001/atomic_red_team/iso_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556.001/atomic_red_team/iso_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_java_spawning_shells.yml b/detections/endpoint/windows_java_spawning_shells.yml index 29ef727da7..78910c722e 100644 --- a/detections/endpoint/windows_java_spawning_shells.yml +++ b/detections/endpoint/windows_java_spawning_shells.yml @@ -1,15 +1,17 @@ name: Windows Java Spawning Shells id: 28c81306-5c47-11ec-bfea-acde48001122 -version: 2 -date: '2023-01-23' +version: 3 +date: '2024-05-11' author: Michael Haag, Splunk status: experimental type: TTP -description: The following analytic identifies the process name of java.exe and w3wp.exe - spawning a Windows shell. This is potentially indicative of exploitation of the - Java application and may be related to current event CVE-2021-44228 (Log4Shell). - The shells included in the macro are "cmd.exe", "powershell.exe". Upon triage, review - parallel processes and command-line arguments to determine legitimacy. +description: The following analytic identifies instances where java.exe or w3wp.exe + spawns a Windows shell, such as cmd.exe or powershell.exe. This detection leverages + data from Endpoint Detection and Response (EDR) agents, focusing on process and + parent process relationships. This activity is significant as it may indicate exploitation + attempts, such as those related to CVE-2021-44228 (Log4Shell). If confirmed malicious, + attackers could execute arbitrary commands, potentially leading to system compromise, + data exfiltration, or further lateral movement within the network. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) diff --git a/detections/endpoint/windows_kerberos_local_successful_logon.yml b/detections/endpoint/windows_kerberos_local_successful_logon.yml index 9781f363dc..5b28939ffb 100644 --- a/detections/endpoint/windows_kerberos_local_successful_logon.yml +++ b/detections/endpoint/windows_kerberos_local_successful_logon.yml @@ -1,22 +1,24 @@ name: Windows Kerberos Local Successful Logon id: 8309c3a8-4d34-48ae-ad66-631658214653 -version: 2 -date: '2024-04-26' +version: 3 +date: '2024-05-14' author: Michael Haag, Splunk status: production type: TTP description: The following analytic identifies a local successful authentication event - on a Windows endpoint using the Kerberos package. The target user security identified - will be set to the built-in local Administrator account, along with the remote address - as localhost - 127.0.0.1. This may be indicative of a kerberos relay attack. Upon - triage, review for recently ran binaries on disk. In addition, look for new computer - accounts added to Active Directory and other anomolous AD events. + on a Windows endpoint using the Kerberos package. It detects EventCode 4624 with + LogonType 3 and source address 127.0.0.1, indicating a login to the built-in local + Administrator account. This activity is significant as it may suggest a Kerberos + relay attack, a method attackers use to escalate privileges. If confirmed malicious, + this could allow an attacker to gain unauthorized access to sensitive systems, execute + arbitrary code, or create new accounts in Active Directory, leading to potential + system compromise. data_source: - Windows Event Log Security 4624 search: '`wineventlog_security` EventCode=4624 LogonType=3 AuthenticationPackageName=Kerberos - action=success src=127.0.0.1 | stats count min(_time) as firstTime max(_time) - as lastTime by dest, subject, action, SubjectLogonId, user, TargetUserName, src | - `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_kerberos_local_successful_logon_filter`' + action=success src=127.0.0.1 | stats count min(_time) as firstTime max(_time) as + lastTime by dest, subject, action, SubjectLogonId, user, TargetUserName, src | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_kerberos_local_successful_logon_filter`' how_to_implement: To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4624 EventCode enabled. The Windows TA is also required. @@ -58,6 +60,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558/windows_kerberos_local_successful_logon/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558/windows_kerberos_local_successful_logon/windows-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_known_abused_dll_created.yml b/detections/endpoint/windows_known_abused_dll_created.yml index 9756ab67c6..b8eb9d459e 100644 --- a/detections/endpoint/windows_known_abused_dll_created.yml +++ b/detections/endpoint/windows_known_abused_dll_created.yml @@ -1,36 +1,51 @@ name: Windows Known Abused DLL Created id: ea91651a-772a-4b02-ac3d-985b364a5f07 -version: 1 -date: '2024-02-19' +version: 2 +date: '2024-05-17' author: Steven Dick status: production type: Anomaly -description: This analytic is designed to identify instances where Dynamic Link Libraries (DLLs) with a known history of being exploited are created in locations that are not typical for their use. This could indicate that an attacker is attempting to exploit the DLL search order hijacking or sideloading techniques. DLL search order hijacking involves tricking an application into loading a malicious DLL instead of the legitimate one it was intending to load. This is often achieved by placing the malicious DLL in a directory that is searched before the directory containing the legitimate DLL. Sideloading, similarly, involves placing a malicious DLL with the same name as a legitimate DLL that an application is known to load, in a location that the application will search before finding the legitimate version. Both of these techniques can be used by attackers to execute arbitrary code, maintain persistence on a system, and potentially elevate their privileges, all while appearing as legitimate operations to the untrained eye. This analytic aims to shed light on such suspicious activities by monitoring for the creation of known abused DLLs in unconventional locations, thereby helping in the early detection of these stealthy attack techniques. +description: The following analytic identifies the creation of Dynamic Link Libraries + (DLLs) with a known history of exploitation in atypical locations. It leverages + data from Endpoint Detection and Response (EDR) agents, focusing on process and + filesystem events. This activity is significant as it may indicate DLL search order + hijacking or sideloading, techniques used by attackers to execute arbitrary code, + maintain persistence, or escalate privileges. If confirmed malicious, this activity + could allow attackers to blend in with legitimate operations, posing a severe threat + to system integrity and security. data_source: - Sysmon EventID 1 - Sysmon EventID 11 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.parent_process_name!="unknown" Processes.process_name=* Processes.process_guid!=null by _time span=1h Processes.dest Processes.user Processes.process_guid Processes.process_name Processes.process Processes.parent_process Processes.parent_process_name - | `drop_dm_object_name(Processes)` - | join max=0 process_guid dest - [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*\\users\\*","*\\Windows\Temp\\*","*\\programdata\\*") Filesystem.file_name="*.dll" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid - | `drop_dm_object_name(Filesystem)` - | lookup hijacklibs_loaded library AS file_name OUTPUT islibrary, ttp, comment as desc - | lookup hijacklibs_loaded library AS file_name excludes as file_path OUTPUT islibrary as excluded - | search islibrary = TRUE AND excluded != TRUE - | stats latest(*) as * by dest process_guid ] - | where isnotnull(file_name) - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_known_abused_dll_created_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Processes where Processes.parent_process_name!="unknown" + Processes.process_name=* Processes.process_guid!=null by _time span=1h Processes.dest + Processes.user Processes.process_guid Processes.process_name Processes.process Processes.parent_process + Processes.parent_process_name | `drop_dm_object_name(Processes)` | join max=0 process_guid + dest [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem + where Filesystem.file_path IN ("*\\users\\*","*\\Windows\Temp\\*","*\\programdata\\*") + Filesystem.file_name="*.dll" by _time span=1h Filesystem.dest Filesystem.file_create_time + Filesystem.file_name Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)` + | lookup hijacklibs_loaded library AS file_name OUTPUT islibrary, ttp, comment as + desc | lookup hijacklibs_loaded library AS file_name excludes as file_path OUTPUT + islibrary as excluded | search islibrary = TRUE AND excluded != TRUE | stats latest(*) + as * by dest process_guid ] | where isnotnull(file_name) | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_known_abused_dll_created_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` and `Filesystem` nodes of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: This analytic may flag instances where DLLs are loaded by user mode programs for entirely legitimate and benign purposes. It is important for users to be aware that false positives are not only possible but likely, and that careful tuning of this analytic is necessary to distinguish between malicious activity and normal, everyday operations of applications. This may involve adjusting thresholds, whitelisting known good software, or incorporating additional context from other security tools and logs to reduce the rate of false positives. + the EDR product. The logs must also be mapped to the `Processes` and `Filesystem` + nodes of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) + to normalize the field names and speed up the data modeling process. +known_false_positives: This analytic may flag instances where DLLs are loaded by user + mode programs for entirely legitimate and benign purposes. It is important for users + to be aware that false positives are not only possible but likely, and that careful + tuning of this analytic is necessary to distinguish between malicious activity and + normal, everyday operations of applications. This may involve adjusting thresholds, + whitelisting known good software, or incorporating additional context from other + security tools and logs to reduce the rate of false positives. references: - https://attack.mitre.org/techniques/T1574/002/ - https://hijacklibs.net/api/ @@ -43,7 +58,8 @@ tags: asset_type: Endpoint confidence: 25 impact: 40 - message: The file [$file_name$] was written to an unusual location by [$process_name$] on [$dest$]. + message: The file [$file_name$] was written to an unusual location by [$process_name$] + on [$dest$]. mitre_attack_id: - T1574.001 - T1574.002 @@ -88,6 +104,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.002/hijacklibs/hijacklibs_sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.002/hijacklibs/hijacklibs_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: XmlWinEventLog \ No newline at end of file + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_known_graphicalproton_loaded_modules.yml b/detections/endpoint/windows_known_graphicalproton_loaded_modules.yml index 5e9f560982..ab871bc23d 100644 --- a/detections/endpoint/windows_known_graphicalproton_loaded_modules.yml +++ b/detections/endpoint/windows_known_graphicalproton_loaded_modules.yml @@ -1,20 +1,27 @@ name: Windows Known GraphicalProton Loaded Modules id: bf471c94-0324-4b19-a113-d02749b969bc -version: 1 -date: '2023-12-18' +version: 2 +date: '2024-05-11' author: Teoderick Contreras, Splunk status: production type: Anomaly data_source: - Sysmon EventID 7 -description: The following analytic identifies a potential suspicious process loading dll modules related to Graphicalproton backdoor implant of SVR. - These DLL modules have been observed in SVR attacks, commonly used to install backdoors on targeted hosts. - This anomaly detection highlights the need for thorough investigation and immediate mitigation measures to safeguard the network against potential breaches. -search: '`sysmon` EventCode=7 - ImageLoaded IN ("*\\AclNumsInvertHost.dll", "*\\ModeBitmapNumericAnimate.dll", "*\\UnregisterAncestorAppendAuto.dll", "*\\DeregisterSeekUsers.dll", "*\\ScrollbarHandleGet.dll", "*\\PerformanceCaptionApi.dll", "*\\WowIcmpRemoveReg.dll", "*\\BlendMonitorStringBuild.dll", "*\\HandleFrequencyAll.dll", "*\\HardSwapColor.dll", "*\\LengthInMemoryActivate.dll", "*\\ParametersNamesPopup.dll", "*\\ModeFolderSignMove.dll", "*\\ChildPaletteConnected.dll", "*\\AddressResourcesSpec.dll") - | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name dest EventCode Signed ProcessId Hashes IMPHASH - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +description: The following analytic detects the loading of DLL modules associated + with the GraphicalProton backdoor implant, commonly used by SVR in targeted attacks. + It leverages Sysmon EventCode 7 to identify specific DLLs loaded by processes. This + activity is significant as it may indicate the presence of a sophisticated backdoor, + warranting immediate investigation. If confirmed malicious, the attacker could gain + persistent access to the compromised host, potentially leading to further exploitation + and data exfiltration. +search: '`sysmon` EventCode=7 ImageLoaded IN ("*\\AclNumsInvertHost.dll", "*\\ModeBitmapNumericAnimate.dll", + "*\\UnregisterAncestorAppendAuto.dll", "*\\DeregisterSeekUsers.dll", "*\\ScrollbarHandleGet.dll", + "*\\PerformanceCaptionApi.dll", "*\\WowIcmpRemoveReg.dll", "*\\BlendMonitorStringBuild.dll", + "*\\HandleFrequencyAll.dll", "*\\HardSwapColor.dll", "*\\LengthInMemoryActivate.dll", + "*\\ParametersNamesPopup.dll", "*\\ModeFolderSignMove.dll", "*\\ChildPaletteConnected.dll", + "*\\AddressResourcesSpec.dll") | stats count min(_time) as firstTime max(_time) + as lastTime by Image ImageLoaded process_name dest EventCode Signed ProcessId Hashes + IMPHASH | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_known_graphicalproton_loaded_modules_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you @@ -57,6 +64,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.002/svr_loaded_modules/loaded_module_svr.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.002/svr_loaded_modules/loaded_module_svr.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_large_number_of_computer_service_tickets_requested.yml b/detections/endpoint/windows_large_number_of_computer_service_tickets_requested.yml index 60135966dc..cb6ced8840 100644 --- a/detections/endpoint/windows_large_number_of_computer_service_tickets_requested.yml +++ b/detections/endpoint/windows_large_number_of_computer_service_tickets_requested.yml @@ -1,32 +1,31 @@ name: Windows Large Number of Computer Service Tickets Requested id: 386ad394-c9a7-4b4f-b66f-586252de20f0 -version: 1 -date: '2023-03-20' +version: 2 +date: '2024-05-11' author: Mauricio Velazco, Splunk type: Anomaly status: production data_source: - Windows Event Log Security 4769 -description: The following analytic leverages Event ID 4769, `A Kerberos - service ticket was requested`, to identify more than 30 computer service - ticket requests from one source. When a domain joined endpoint connects to other remote - endpoint, it will first request a Kerberos Service Ticket with the computer name as the - Service Name. A user requesting a large number of computer service tickets - for different endpoints could represent malicious behavior like lateral movement, - malware staging, reconnaissance, etc. - - Active Directory environments can be very different depending on the organization. Users should test this detection and customize - the arbitrary threshold as needed. +description: The following analytic detects a high volume of Kerberos service ticket + requests, specifically more than 30, from a single source within a 5-minute window. + It leverages Event ID 4769, which logs when a Kerberos service ticket is requested, + focusing on requests with computer names as the Service Name. This behavior is significant + as it may indicate malicious activities such as lateral movement, malware staging, + or reconnaissance. If confirmed malicious, an attacker could gain unauthorized access + to multiple endpoints, potentially compromising the entire network. search: ' `wineventlog_security` EventCode=4769 ServiceName="*$" TargetUserName!="*$" - | bucket span=5m _time - | stats dc(ServiceName) AS unique_targets values(ServiceName) as host_targets by _time, IpAddress, TargetUserName - | where unique_targets > 30 + | bucket span=5m _time | stats dc(ServiceName) AS unique_targets values(ServiceName) + as host_targets by _time, IpAddress, TargetUserName | where unique_targets > 30 | `windows_large_number_of_computer_service_tickets_requested_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. - The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. -known_false_positives: An single endpoint requesting a large number of kerberos service tickets is not common behavior. - Possible false positive scenarios include but are not limited to vulnerability scanners, administration systems and missconfigured systems. +how_to_implement: To successfully implement this search, you need to be ingesting + Domain Controller and Kerberos events. The Advanced Security Audit policy setting + `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. +known_false_positives: An single endpoint requesting a large number of kerberos service + tickets is not common behavior. Possible false positive scenarios include but are + not limited to vulnerability scanners, administration systems and missconfigured + systems. references: - https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/ - https://attack.mitre.org/techniques/T1135/ @@ -38,7 +37,8 @@ tags: asset_type: Endpoint confidence: 50 impact: 60 - message: A large number of kerberos computer service tickets were requested by $IpAddress$ within 5 minutes. + message: A large number of kerberos computer service tickets were requested by $IpAddress$ + within 5 minutes. mitre_attack_id: - T1135 - T1078 @@ -62,6 +62,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/large_number_computer_service_tickets/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/large_number_computer_service_tickets/windows-security.log source: XmlWinEventLog:Security - sourcetype: XmlWinEventLog \ No newline at end of file + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_ldifde_directory_object_behavior.yml b/detections/endpoint/windows_ldifde_directory_object_behavior.yml index 023ba90cd0..a233880855 100644 --- a/detections/endpoint/windows_ldifde_directory_object_behavior.yml +++ b/detections/endpoint/windows_ldifde_directory_object_behavior.yml @@ -1,32 +1,20 @@ name: Windows Ldifde Directory Object Behavior id: 35cd29ca-f08c-4489-8815-f715c45460d3 -version: 1 -date: '2023-05-25' +version: 2 +date: '2024-05-18' author: Michael Haag, Splunk status: production type: TTP data_source: - Sysmon EventID 1 -description: The following analytic identifies the use of Ldifde.exe, which provides - the ability to create, modify, or delete LDAP directory objects. Natively, the binary - is only installed on a domain controller. However, adversaries or administrators - may install the Windows Remote Server Admin Tools for ldifde.exe. Ldifde.exe is - a Microsoft Windows command-line utility used to import or export LDAP directory - entries. LDAP stands for Lightweight Directory Access Protocol, which is a protocol - used for accessing and managing directory information services over an IP network. - LDIF, on the other hand, stands for LDAP Data Interchange Format, a standard plain-text - data interchange format for representing LDAP directory entries. -i This is a flag - used with Ldifde.exe to denote import mode. In import mode, Ldifde.exe takes an - LDIF file and imports its contents into the LDAP directory. The data in the LDIF - file might include new objects to be created, or modifications or deletions to existing - objects. -f This flag is used to specify the filename of the LDIF file that Ldifde.exe - will import from (in the case of the -i flag) or export to (without the -i flag). - For example, if you wanted to import data from a file called data.ldif, you would - use the command ldifde -i -f data.ldif. Keep in mind that while the use of Ldifde.exe - is legitimate in many contexts, it can also be used maliciously. For instance, an - attacker who has gained access to a domain controller could potentially use Ldifde.exe - to export sensitive data or make unauthorized changes to the directory. Therefore, - it's important to monitor for unusual or unauthorized use of this tool. +description: The following analytic identifies the use of Ldifde.exe, a command-line + utility for creating, modifying, or deleting LDAP directory objects. This detection + leverages data from Endpoint Detection and Response (EDR) agents, focusing on process + execution and command-line arguments. Monitoring Ldifde.exe is significant because + it can be used by attackers to manipulate directory objects, potentially leading + to unauthorized changes or data exfiltration. If confirmed malicious, this activity + could allow an attacker to gain control over directory services, escalate privileges, + or access sensitive information within the network. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=ldifde.exe Processes.process IN ("*-i *", "*-f *") by Processes.dest Processes.user Processes.parent_process_name @@ -100,6 +88,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/ldifde_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/ldifde_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_linked_policies_in_adsi_discovery.yml b/detections/endpoint/windows_linked_policies_in_adsi_discovery.yml index 8736ccad8a..881d251a75 100644 --- a/detections/endpoint/windows_linked_policies_in_adsi_discovery.yml +++ b/detections/endpoint/windows_linked_policies_in_adsi_discovery.yml @@ -1,23 +1,25 @@ name: Windows Linked Policies In ADSI Discovery id: 510ea428-4731-4d2f-8829-a28293e427aa -version: 1 -date: '2023-04-14' +version: 2 +date: '2024-05-18' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) - to identify the `[Adsisearcher]` type accelerator being used to query Active Directory - for domain groups. Red Teams and adversaries may leverage `[Adsisearcher]` to enumerate - domain organizational unit for situational awareness and Active Directory Discovery. +description: The following analytic detects the use of the `[Adsisearcher]` type accelerator + in PowerShell Script Block Logging (EventCode=4104) to query Active Directory for + domain organizational units. This detection leverages PowerShell operational logs + to identify script blocks containing `[adsisearcher]`, `objectcategory=organizationalunit`, + and `findAll()`. This activity is significant as it indicates potential reconnaissance + efforts by adversaries to gain situational awareness of the domain structure. If + confirmed malicious, this could lead to further exploitation, such as privilege + escalation or lateral movement within the network. data_source: - Powershell Script Block Logging 4104 search: '`powershell` EventCode=4104 ScriptBlockText = "*[adsisearcher]*" ScriptBlockText = "*objectcategory=organizationalunit*" ScriptBlockText = "*findAll()*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText - Computer user_id - | rename Computer as dest, user_id as user - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `windows_linked_policies_in_adsi_discovery_filter`' + Computer user_id | rename Computer as dest, user_id as user | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_linked_policies_in_adsi_discovery_filter`' how_to_implement: The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. @@ -57,6 +59,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/adsi_discovery/windows-powershell-xml2.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/adsi_discovery/windows-powershell-xml2.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_local_administrator_credential_stuffing.yml b/detections/endpoint/windows_local_administrator_credential_stuffing.yml index 56e0950d64..87560c5f9e 100644 --- a/detections/endpoint/windows_local_administrator_credential_stuffing.yml +++ b/detections/endpoint/windows_local_administrator_credential_stuffing.yml @@ -1,27 +1,31 @@ name: Windows Local Administrator Credential Stuffing id: 09555511-aca6-484a-b6ab-72cd03d73c34 -version: 1 -date: '2023-03-22' +version: 2 +date: '2024-05-16' author: Mauricio Velazco, Splunk type: TTP status: production data_source: - Windows Event Log Security 4624 - Windows Event Log Security 4625 -description: The following analytic leverages events 4625 and 4624 to identify an endpoint using the builtin local Administrator account to authenticate to a large numbers of endpoints. Specifically, - the logic will trigger when an endpoints attempts to authenticate to more than 30 target computers within a 5 minute timespan. This behavior could - represent an adversary who has obtained access to local credentials and is trying to validate if these credentials work on other hosts to escalate their privileges. - As environments differ across organizations, security teams should customize the thresholds of this detection as needed. +description: The following analytic detects attempts to authenticate using the built-in + local Administrator account across more than 30 endpoints within a 5-minute window. + It leverages Windows Event Logs, specifically events 4625 and 4624, to identify + this behavior. This activity is significant as it may indicate an adversary attempting + to validate stolen local credentials across multiple hosts, potentially leading + to privilege escalation. If confirmed malicious, this could allow the attacker to + gain widespread access and control over numerous systems within the network, posing + a severe security risk. search: ' `wineventlog_security` EventCode=4625 OR EventCode=4624 Logon_Type=3 TargetUserName=Administrator - | bucket span=5m _time - | stats dc(Computer) AS unique_targets values(Computer) as host_targets by _time, IpAddress, TargetUserName, EventCode - | where unique_targets > 30 - | `windows_local_administrator_credential_stuffing_filter`' + | bucket span=5m _time | stats dc(Computer) AS unique_targets values(Computer) as + host_targets by _time, IpAddress, TargetUserName, EventCode | where unique_targets + > 30 | `windows_local_administrator_credential_stuffing_filter`' how_to_implement: To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled. -known_false_positives: Vulnerability scanners or system administration tools may also trigger this detection. Filter as needed. +known_false_positives: Vulnerability scanners or system administration tools may also + trigger this detection. Filter as needed. references: - https://attack.mitre.org/techniques/T1110/004/ - https://attack.mitre.org/techniques/T1110/ @@ -65,6 +69,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.004/local_administrator_cred_stuffing/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.004/local_administrator_cred_stuffing/windows-security.log source: XmlWinEventLog:Security - sourcetype: XmlWinEventLog \ No newline at end of file + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_lsa_secrets_nolmhash_registry.yml b/detections/endpoint/windows_lsa_secrets_nolmhash_registry.yml index 716b6b9141..828e00bf9e 100644 --- a/detections/endpoint/windows_lsa_secrets_nolmhash_registry.yml +++ b/detections/endpoint/windows_lsa_secrets_nolmhash_registry.yml @@ -1,29 +1,27 @@ name: Windows LSA Secrets NoLMhash Registry id: 48cc1605-538c-4223-8382-e36bee5b540d -version: 1 -date: '2023-12-15' +version: 2 +date: '2024-05-24' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 12 - Sysmon EventID 13 -description: The following analytic identifies a modification in the Windows registry related to the Local Security Authority (LSA) in Windows. - This registry value is used to determine whether the system should store passwords in the weaker Lan Manager (LM) hash format. - Setting it to 0 disables this feature, meaning LM hashes will be stored. - Modifying these settings should be done carefully and with a clear understanding of the impact it might have on system security and functionality. - This command is often used in security configurations to enforce stronger password storage methods and prevent the storage of weaker LM hashes, - which are more susceptible to certain types of attacks. - This TTP detection can be a good indicator of any process or user that tries to modify the LSA security configuration. -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry +description: The following analytic detects modifications to the Windows registry + related to the Local Security Authority (LSA) NoLMHash setting. It identifies when + the registry value is set to 0, indicating that the system will store passwords + in the weaker Lan Manager (LM) hash format. This detection leverages registry activity + logs from endpoint data sources like Sysmon or EDR tools. Monitoring this activity + is crucial as it can indicate attempts to weaken password storage security. If confirmed + malicious, this could allow attackers to exploit weaker LM hashes, potentially leading + to unauthorized access and credential theft. +search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\System\\CurrentControlSet\\Control\\Lsa\\NoLMHash" - Registry.registry_value_data = 0x00000000) - BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid - | `drop_dm_object_name(Registry)` - | where isnotnull(registry_value_data) - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_lsa_secrets_nolmhash_registry_filter`' + Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.dest Registry.user + Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data + Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_lsa_secrets_nolmhash_registry_filter`' how_to_implement: To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response @@ -65,12 +63,13 @@ tags: - Registry.user - Registry.dest - Registry.action - - Registry.registry_value_data - - Registry.process_guid + - Registry.registry_value_data + - Registry.process_guid security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.004/NoLMHash/lsa-reg-settings-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.004/NoLMHash/lsa-reg-settings-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_mail_protocol_in_non_common_process_path.yml b/detections/endpoint/windows_mail_protocol_in_non_common_process_path.yml index 8b55fbde6c..c56ab5a29f 100644 --- a/detections/endpoint/windows_mail_protocol_in_non_common_process_path.yml +++ b/detections/endpoint/windows_mail_protocol_in_non_common_process_path.yml @@ -1,16 +1,18 @@ name: Windows Mail Protocol In Non-Common Process Path id: ac3311f5-661d-4e99-bd1f-3ec665b05441 -version: 1 -date: '2022-09-16' +version: 2 +date: '2024-05-28' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic identifies a possible windows application having - a SMTP connection in a non common installation path in windows operating system.This - network protocol is being used by adversaries, threat actors and malware like AgentTesla - as a Command And Control communication to transfer its collected stolen information - like the desktop screenshots, browser information and system information of a targeted - or compromised host. +description: The following analytic detects a Windows application establishing an + SMTP connection from a non-common installation path. It leverages Sysmon EventCode + 3 to identify processes not typically associated with email clients (e.g., Thunderbird, + Outlook) making SMTP connections. This activity is significant as adversaries, including + malware like AgentTesla, use such connections for Command and Control (C2) communication + to exfiltrate stolen data. If confirmed malicious, this behavior could lead to unauthorized + data exfiltration, including sensitive information like desktop screenshots, browser + data, and system details, compromising the affected host. data_source: - Sysmon EventID 3 search: '`sysmon` EventCode=3 NOT(Image IN("*\\program files*", "*\\thunderbird.exe","*\\outlook.exe")) @@ -65,7 +67,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/agent_tesla/agent_tesla_smtp/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/agent_tesla/agent_tesla_smtp/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_mark_of_the_web_bypass.yml b/detections/endpoint/windows_mark_of_the_web_bypass.yml index ca3c493988..fd2f47ba7b 100644 --- a/detections/endpoint/windows_mark_of_the_web_bypass.yml +++ b/detections/endpoint/windows_mark_of_the_web_bypass.yml @@ -1,23 +1,26 @@ name: Windows Mark Of The Web Bypass id: 8ca13343-7405-4916-a2d1-ae34ce0c28ae -version: 1 -date: '2023-08-14' +version: 2 +date: '2024-05-11' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 23 -description: The following analytic identifies a suspicious process that delete mark-of-the-web data stream. - This technique has been observed in various instances of malware and adversarial activities aimed at circumventing - security restrictions within the Windows Operating System, particularly pertaining to files downloaded from the internet. - An example of this scenario is demonstrated by Ave Maria RAT, which attempts to delete this data stream as a means to evade such restrictions. -search: '`sysmon` EventCode=23 TargetFilename = "*:Zone.Identifier" - | stats min(_time) as firstTime max(_time) as lastTime count by user EventCode Image TargetFilename ProcessID dest - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +description: The following analytic identifies a suspicious process that deletes the + Mark-of-the-Web (MOTW) data stream. It leverages Sysmon EventCode 23 to detect when + a file's Zone.Identifier stream is removed. This activity is significant because + it is a common technique used by malware, such as Ave Maria RAT, to bypass security + restrictions on files downloaded from the internet. If confirmed malicious, this + behavior could allow an attacker to execute potentially harmful files without triggering + security warnings, leading to further compromise of the system. +search: '`sysmon` EventCode=23 TargetFilename = "*:Zone.Identifier" | stats min(_time) + as firstTime max(_time) as lastTime count by user EventCode Image TargetFilename + ProcessID dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_mark_of_the_web_bypass_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the deleted target file name, - process name and process id from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the deleted target file name, process name and process id from your endpoints. + If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. known_false_positives: unknown references: - https://attack.mitre.org/techniques/T1553/005/ @@ -57,6 +60,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.005/mark_of_the_web_bypass/possible-motw-deletion.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.005/mark_of_the_web_bypass/possible-motw-deletion.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_masquerading_explorer_as_child_process.yml b/detections/endpoint/windows_masquerading_explorer_as_child_process.yml index 04ff87019e..6e1ff979c3 100644 --- a/detections/endpoint/windows_masquerading_explorer_as_child_process.yml +++ b/detections/endpoint/windows_masquerading_explorer_as_child_process.yml @@ -1,25 +1,27 @@ name: Windows Masquerading Explorer As Child Process id: 61490da9-52a1-4855-a0c5-28233c88c481 -version: 1 -date: '2024-04-25' +version: 2 +date: '2024-05-24' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic identifies a suspicious parent process of explorer.exe. - Explorer is usually executed by userinit.exe that will exit after execution that - causes the main explorer.exe no parent process. Some malware like qakbot spawn another - explorer.exe to inject its code. This TTP detection is a good indicator that a process - spawning explorer.exe might inject code or masquerading its parent child process - to evade detections. +description: The following analytic identifies instances where explorer.exe is spawned + by unusual parent processes such as cmd.exe, powershell.exe, or regsvr32.exe. This + detection leverages data from Endpoint Detection and Response (EDR) agents, focusing + on process and parent process relationships. This activity is significant because + explorer.exe is typically initiated by userinit.exe, and deviations from this norm + can indicate code injection or process masquerading attempts by malware like Qakbot. + If confirmed malicious, this behavior could allow attackers to execute arbitrary + code, evade detection, and maintain persistence within the environment. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name - IN("cmd.exe", "powershell.exe", "regsvr32.exe") AND Processes.process_name = "explorer.exe" AND Processes.process IN ("*\\explorer.exe") - by Processes.parent_process Processes.parent_process_name Processes.process_name - Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest - Processes.parent_process_id | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` - |`security_content_ctime(lastTime)` | `windows_masquerading_explorer_as_child_process_filter`' + IN("cmd.exe", "powershell.exe", "regsvr32.exe") AND Processes.process_name = "explorer.exe" + AND Processes.process IN ("*\\explorer.exe") by Processes.parent_process Processes.parent_process_name + Processes.process_name Processes.process_id Processes.process_guid Processes.process + Processes.user Processes.dest Processes.parent_process_id | `drop_dm_object_name("Processes")` + | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `windows_masquerading_explorer_as_child_process_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -70,7 +72,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_masquerading_msdtc_process.yml b/detections/endpoint/windows_masquerading_msdtc_process.yml index f7e032f976..a71d52bf86 100644 --- a/detections/endpoint/windows_masquerading_msdtc_process.yml +++ b/detections/endpoint/windows_masquerading_msdtc_process.yml @@ -1,27 +1,26 @@ name: Windows Masquerading Msdtc Process id: 238f3a07-8440-480b-b26f-462f41d9a47c -version: 1 -date: '2023-11-21' +version: 2 +date: '2024-05-19' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 1 -description: The following analytic identifies a suspicious msdtc.exe with specific command-line parameters, particularly -a or -b, - which are regarded as potential indicators of the presence of the insidious PlugX malware. This malware is notorious for its covert - operations and is frequently utilized by threat actors for unauthorized access, data exfiltration, and espionage. - The analytic's focus on the -a or -b command-line parameters within msdtc.exe is rooted in the PlugX malware's sophisticated tactic - of masquerading its activities. To elude detection, PlugX employs a technique where it injects a concealed, - headless PlugX Dynamic Link Library (DLL) module into the legitimate msdtc.exe process. By leveraging these - specific command-line parameters, the malware attempts to disguise its presence within a system's legitimate processes, - thereby evading immediate suspicion. -search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes - where Processes.process_name = "msdtc.exe" Processes.process = "*msdtc.exe*" Processes.process IN ("* -a*", "* -b*") - by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name - Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +description: The following analytic identifies the execution of msdtc.exe with specific + command-line parameters (-a or -b), which are indicative of the PlugX malware. This + detection leverages data from Endpoint Detection and Response (EDR) agents, focusing + on process names and command-line arguments. This activity is significant because + PlugX uses these parameters to masquerade its malicious operations within legitimate + processes, making it harder to detect. If confirmed malicious, this behavior could + allow attackers to gain unauthorized access, exfiltrate data, and conduct espionage, + severely compromising the affected system. +search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "msdtc.exe" + Processes.process = "*msdtc.exe*" Processes.process IN ("* -a*", "* -b*") by Processes.dest + Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name + Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_masquerading_msdtc_process_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related @@ -71,6 +70,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/msdtc_process_param/msdtc_a_sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/msdtc_process_param/msdtc_a_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_mimikatz_binary_execution.yml b/detections/endpoint/windows_mimikatz_binary_execution.yml index 218705eefb..2c3e806bab 100644 --- a/detections/endpoint/windows_mimikatz_binary_execution.yml +++ b/detections/endpoint/windows_mimikatz_binary_execution.yml @@ -1,18 +1,18 @@ name: Windows Mimikatz Binary Execution id: a9e0d6d3-9676-4e26-994d-4e0406bb4467 -version: 1 -date: '2023-12-27' +version: 2 +date: '2024-05-27' author: Michael Haag, Splunk status: production type: TTP -description: As simple as it sounds, this analytic identifies when the native mimikatz.exe - binary executes on Windows. It does look for the original file name as well, just - in case the binary is renamed. Adversaries sometimes bring in the default binary - and run it directly. Benjamin Delpy originally created Mimikatz as a proof of concept - to show Microsoft that its authentication protocols were vulnerable to an attack. - Instead, he inadvertently created one of the most widely used and downloaded threat - actor tools of the past 20 years. Mimikatz is an open-source application that allows - users to view and save authentication credentials such as Kerberos tickets. +description: The following analytic identifies the execution of the native mimikatz.exe + binary on Windows systems, including instances where the binary is renamed. It leverages + data from Endpoint Detection and Response (EDR) agents, focusing on process names + and original file names. This activity is significant because Mimikatz is a widely + used tool for extracting authentication credentials, posing a severe security risk. + If confirmed malicious, this activity could allow attackers to obtain sensitive + credentials, escalate privileges, and move laterally within the network, leading + to potential data breaches and system compromise. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -90,7 +90,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/mimikatzwindows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/mimikatzwindows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_modify_registry_authenticationleveloverride.yml b/detections/endpoint/windows_modify_registry_authenticationleveloverride.yml index 9a02cf1336..28f8014766 100644 --- a/detections/endpoint/windows_modify_registry_authenticationleveloverride.yml +++ b/detections/endpoint/windows_modify_registry_authenticationleveloverride.yml @@ -1,23 +1,27 @@ name: Windows Modify Registry AuthenticationLevelOverride id: 6410a403-36bb-490f-a06a-11c3be7d2a41 -version: 1 -date: '2023-11-23' +version: 2 +date: '2024-05-28' author: Teoderick Contreras, Splunk status: production type: Anomaly data_source: - Sysmon EventID 12 - Sysmon EventID 13 -description: The following analytic identifies a modification in the Windows registry related to authentication level settings. - This registry is the configuration for authentication level settings within the Terminal Server Client settings in Windows. - AuthenticationLevelOverride might be used to control or override the authentication level used by the Terminal Server Client for remote connections. - DarkGate malware modify this registry as part of its malicious installation in a targeted host for its remote desktop capabilities. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry - where Registry.registry_path = "*\\Terminal Server Client\\AuthenticationLevelOverride" Registry.registry_value_data = 0x00000000 - by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest - | `drop_dm_object_name(Registry)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `windows_modify_registry_authenticationleveloverride_filter`' +description: The following analytic detects modifications to the Windows registry + key "AuthenticationLevelOverride" within the Terminal Server Client settings. It + leverages data from the Endpoint.Registry datamodel to identify changes where the + registry value is set to 0x00000000. This activity is significant as it may indicate + an attempt to override authentication levels for remote connections, a tactic used + by DarkGate malware for malicious installations. If confirmed malicious, this could + allow attackers to gain unauthorized remote access, potentially leading to data + exfiltration or further system compromise. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\Terminal + Server Client\\AuthenticationLevelOverride" Registry.registry_value_data = 0x00000000 + by Registry.registry_path Registry.registry_value_name Registry.registry_value_data + Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_authenticationleveloverride_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure @@ -57,6 +61,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/AuthenticationLevelOverride/auth_sys.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/AuthenticationLevelOverride/auth_sys.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_modify_registry_auto_minor_updates.yml b/detections/endpoint/windows_modify_registry_auto_minor_updates.yml index 3bca5e9f40..2a72081010 100644 --- a/detections/endpoint/windows_modify_registry_auto_minor_updates.yml +++ b/detections/endpoint/windows_modify_registry_auto_minor_updates.yml @@ -1,26 +1,26 @@ name: Windows Modify Registry Auto Minor Updates id: be498b9f-d804-4bbf-9fc0-d5448466b313 -version: 1 -date: '2023-04-21' +version: 2 +date: '2024-05-20' author: Teoderick Contreras, Splunk status: production type: Hunting data_source: - Sysmon EventID 12 - Sysmon EventID 13 -description: The following analytic identifies a suspicious registry modification of Windows auto update configuration. - This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or - to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. - RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. - This detection looks for registry modification that will "Treat minor updates like other updates". -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry - where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\AutoInstallMinorUpdates" - AND Registry.registry_value_data="0x00000000" - by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name - | `drop_dm_object_name(Registry)` - | `security_content_ctime(lastTime)` - | `security_content_ctime(firstTime)` - | `windows_modify_registry_auto_minor_updates_filter`' +description: The following analytic identifies a suspicious modification to the Windows + auto update configuration registry. It detects changes to the registry path + "*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\AutoInstallMinorUpdates" + with a value of "0x00000000". This activity is significant as it is commonly used + by adversaries, including malware like RedLine Stealer, to bypass detection and + deploy additional payloads. If confirmed malicious, this modification could allow + attackers to evade defenses, potentially leading to further system compromise and + exploitation of zero-day vulnerabilities. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\AutoInstallMinorUpdates" + AND Registry.registry_value_data="0x00000000" by Registry.dest Registry.user Registry.registry_path + Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` + | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_auto_minor_updates_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, @@ -62,6 +62,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_modify_registry_auto_update_notif.yml b/detections/endpoint/windows_modify_registry_auto_update_notif.yml index e868d8c6e7..f88ce7e5aa 100644 --- a/detections/endpoint/windows_modify_registry_auto_update_notif.yml +++ b/detections/endpoint/windows_modify_registry_auto_update_notif.yml @@ -1,26 +1,26 @@ name: Windows Modify Registry Auto Update Notif id: 4d1409df-40c7-4b11-aec4-bd0e709dfc12 -version: 1 -date: '2023-04-21' +version: 2 +date: '2024-05-22' author: Teoderick Contreras, Splunk status: production type: Anomaly data_source: - Sysmon EventID 12 - Sysmon EventID 13 -description: The following analytic identifies a suspicious registry modification of Windows auto update notification. - This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or - to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. - RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. - This detection looks for registry modification that will switch the automatic windows update to "Notify before download". -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry - where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\AUOptions" - AND Registry.registry_value_data="0x00000002" - by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name - | `drop_dm_object_name(Registry)` - | `security_content_ctime(lastTime)` - | `security_content_ctime(firstTime)` - | `windows_modify_registry_auto_update_notif_filter`' +description: The following analytic detects a suspicious modification to the Windows + registry that changes the auto-update notification setting to "Notify before download." + This detection leverages data from the Endpoint.Registry data model, focusing on + specific registry paths and values. This activity is significant because it is a + known technique used by adversaries, including malware like RedLine Stealer, to + evade detection and potentially deploy additional payloads. If confirmed malicious, + this modification could allow attackers to bypass security measures, maintain persistence, + and exploit vulnerabilities on the target host. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\AUOptions" + AND Registry.registry_value_data="0x00000002" by Registry.dest Registry.user Registry.registry_path + Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` + | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_auto_update_notif_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, @@ -34,7 +34,7 @@ tags: analytic_story: - RedLine Stealer asset_type: Endpoint - atomic_guid: + atomic_guid: - 12e03af7-79f9-4f95-af48-d3f12f28a260 confidence: 50 impact: 50 @@ -64,6 +64,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_modify_registry_default_icon_setting.yml b/detections/endpoint/windows_modify_registry_default_icon_setting.yml index 15f350d533..6325f12c1a 100644 --- a/detections/endpoint/windows_modify_registry_default_icon_setting.yml +++ b/detections/endpoint/windows_modify_registry_default_icon_setting.yml @@ -1,17 +1,18 @@ name: Windows Modify Registry Default Icon Setting id: a7a7afdb-3c58-45b6-9bff-63e5acfd9d40 -version: 1 -date: '2023-01-16' +version: 2 +date: '2024-05-15' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This analytic is developed to detect suspicious registry modification - to change the default icon association of windows to ransomware . This technique - was seen in Lockbit ransomware where it modified the default icon association of - the compromised Windows OS host with its dropped ransomware icon file as part of - its defacement payload. This registry is not commonly modified by a normal user - so having this anomaly detection may help to catch possible lockbit ransomware infection - or other malware. +description: The following analytic detects suspicious modifications to the Windows + registry's default icon settings, a technique associated with Lockbit ransomware. + It leverages data from the Endpoint Registry data model, focusing on changes to + registry paths under "*HKCR\\*\\defaultIcon\\(Default)*". This activity is significant + as it is uncommon for normal users to modify these settings, and such changes can + indicate ransomware infection or other malware. If confirmed malicious, this could + lead to system defacement and signal a broader ransomware attack, potentially compromising + sensitive data and system integrity. data_source: - Sysmon EventID 12 - Sysmon EventID 13 @@ -67,7 +68,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/lockbit_ransomware/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/lockbit_ransomware/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_modify_registry_disable_restricted_admin.yml b/detections/endpoint/windows_modify_registry_disable_restricted_admin.yml index add189820a..b526a40c4a 100644 --- a/detections/endpoint/windows_modify_registry_disable_restricted_admin.yml +++ b/detections/endpoint/windows_modify_registry_disable_restricted_admin.yml @@ -1,29 +1,26 @@ name: Windows Modify Registry Disable Restricted Admin id: cee573a0-7587-48e6-ae99-10e8c657e89a -version: 1 -date: '2023-12-15' +version: 2 +date: '2024-05-31' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 12 - Sysmon EventID 13 -description: The following analytic identifies a modification in the Windows registry related to DisableRestrictedAdmin. - This registry entry is used to control the behavior of Restricted Admin mode, which is a security feature that limits - the exposure of sensitive credentials when connecting remotely to another computer. When this registry value is set to 0 it - indicates that Restricted Admin mode is enabled (default behavior). As with any modifications to registry settings, - changing this entry should be approached cautiously, ensuring a clear understanding of the implications for system - security and functionality. Unauthorized changes to these security settings can pose risks and should be monitored - closely for any signs of tampering or unauthorized alterations. -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry +description: The following analytic detects modifications to the Windows registry + entry "DisableRestrictedAdmin," which controls the Restricted Admin mode behavior. + This detection leverages registry activity logs from endpoint data sources like + Sysmon or Carbon Black. Monitoring this activity is crucial as changes to this setting + can disable a security feature that limits credential exposure during remote connections. + If confirmed malicious, an attacker could weaken security controls, increasing the + risk of credential theft and unauthorized access to sensitive systems. +search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\System\\CurrentControlSet\\Control\\Lsa\\DisableRestrictedAdmin" - Registry.registry_value_data = 0x00000000) - BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid - | `drop_dm_object_name(Registry)` - | where isnotnull(registry_value_data) - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_modify_registry_disable_restricted_admin_filter`' + Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.dest Registry.user + Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data + Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disable_restricted_admin_filter`' how_to_implement: To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response @@ -65,12 +62,13 @@ tags: - Registry.user - Registry.dest - Registry.action - - Registry.registry_value_data - - Registry.process_guid + - Registry.registry_value_data + - Registry.process_guid security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.004/NoLMHash/lsa-reg-settings-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.004/NoLMHash/lsa-reg-settings-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_modify_registry_disable_toast_notifications.yml b/detections/endpoint/windows_modify_registry_disable_toast_notifications.yml index 1d46601b2b..0c0d4cfcb6 100644 --- a/detections/endpoint/windows_modify_registry_disable_toast_notifications.yml +++ b/detections/endpoint/windows_modify_registry_disable_toast_notifications.yml @@ -1,16 +1,19 @@ name: Windows Modify Registry Disable Toast Notifications id: ed4eeacb-8d5a-488e-bc97-1ce6ded63b84 -version: 1 -date: '2022-06-22' +version: 2 +date: '2024-05-21' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic is to identify a modification in the Windows registry - to disable toast notifications. This Windows Operating System feature is responsible - for alerting or notifying user if application or OS need some updates. Adversaries - and malwares like Azorult abuse this technique to disable important update notification - in compromised host. This anomaly detection is a good pivot to look for further - events related to defense evasion and execution. +description: The following analytic detects modifications to the Windows registry + that disable toast notifications. It leverages data from the Endpoint.Registry datamodel, + specifically monitoring changes to the registry path + "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\PushNotifications\\ToastEnabled*" + with a value set to "0x00000000". This activity is significant because disabling + toast notifications can prevent users from receiving critical system and application + updates, which adversaries like Azorult exploit for defense evasion. If confirmed + malicious, this action could allow attackers to operate undetected, leading to prolonged + persistence and potential further compromise of the system. data_source: - Sysmon EventID 12 - Sysmon EventID 13 @@ -60,7 +63,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_modify_registry_disable_win_defender_raw_write_notif.yml b/detections/endpoint/windows_modify_registry_disable_win_defender_raw_write_notif.yml index b25754e92f..ca18f20edd 100644 --- a/detections/endpoint/windows_modify_registry_disable_win_defender_raw_write_notif.yml +++ b/detections/endpoint/windows_modify_registry_disable_win_defender_raw_write_notif.yml @@ -1,15 +1,19 @@ name: Windows Modify Registry Disable Win Defender Raw Write Notif id: 0e5e25c3-32f4-46f7-ba4a-5b95c3b90f5b -version: 1 -date: '2023-12-27' +version: 2 +date: '2024-05-11' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic identifies a modification in the Windows registry - to disable Windows Defender raw write notification feature. This policy controls - whether raw volume write notifications are sent to behavior monitoring or not. This - registry was recently identified in Azorult malware to bypass Windows Defender detections - or behavior monitoring in terms of volume write. +description: The following analytic detects modifications to the Windows registry + that disable the Windows Defender raw write notification feature. It leverages data + from the Endpoint.Registry datamodel, specifically monitoring changes to the registry + path associated with Windows Defender's real-time protection settings. This activity + is significant because disabling raw write notifications can allow malware, such + as Azorult, to bypass Windows Defender's behavior monitoring, potentially leading + to undetected malicious activities. If confirmed malicious, this could enable attackers + to execute code, persist in the environment, and access sensitive information without + detection. data_source: - Sysmon EventID 12 - Sysmon EventID 13 @@ -61,7 +65,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_modify_registry_disable_windefender_notifications.yml b/detections/endpoint/windows_modify_registry_disable_windefender_notifications.yml index 1b2ecb7346..04af8a5dfd 100644 --- a/detections/endpoint/windows_modify_registry_disable_windefender_notifications.yml +++ b/detections/endpoint/windows_modify_registry_disable_windefender_notifications.yml @@ -1,18 +1,21 @@ name: Windows Modify Registry Disable WinDefender Notifications id: 8e207707-ad40-4eb3-b865-3a52aec91f26 -version: 1 -date: '2023-12-27' +version: 2 +date: '2024-05-09' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 12 - Sysmon EventID 13 -description: The following analytic identifies a suspicious registry modification - to disable Windows Defender notification. This technique was being abused by several - adversaries, malware authors and also red-teamers to evade detection on the targeted - machine. RedLine Stealer is one of the malware we've seen that uses this technique - to bypass Windows defender detection. +description: The following analytic detects a suspicious registry modification aimed + at disabling Windows Defender notifications. It leverages data from the Endpoint.Registry + data model, specifically looking for changes to the registry path "*\\SOFTWARE\\Policies\\Microsoft\\Windows + Defender Security Center\\Notifications\\DisableNotifications" with a value of "0x00000001". + This activity is significant as it indicates an attempt to evade detection by disabling + security alerts, a technique used by adversaries and malware like RedLine Stealer. + If confirmed malicious, this could allow attackers to operate undetected, increasing + the risk of further compromise and data exfiltration. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center\\Notifications\\DisableNotifications" AND Registry.registry_value_data="0x00000001" @@ -63,6 +66,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_modify_registry_disable_windows_security_center_notif.yml b/detections/endpoint/windows_modify_registry_disable_windows_security_center_notif.yml index 59a4bf0910..944bbb2aea 100644 --- a/detections/endpoint/windows_modify_registry_disable_windows_security_center_notif.yml +++ b/detections/endpoint/windows_modify_registry_disable_windows_security_center_notif.yml @@ -1,16 +1,19 @@ name: Windows Modify Registry Disable Windows Security Center Notif id: 27ed3e79-6d86-44dd-b9ab-524451c97a7b -version: 1 -date: '2023-12-27' +version: 2 +date: '2024-05-21' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic is to identify a modification in the Windows registry - to disable windows center notifications. This Windows Operating System feature is - responsible for alerting or notifying user if application or OS need some updates. - Adversaries and malwares like Azorult abuse this technique to disable important - update notification in compromised host. This anomaly detection is a good pivot - to look for further events related to defense evasion and execution. +description: The following analytic detects modifications to the Windows registry + aimed at disabling Windows Security Center notifications. It leverages data from + the Endpoint.Registry datamodel, specifically monitoring changes to the registry + path "*\\Windows\\CurrentVersion\\ImmersiveShell\\UseActionCenterExperience*" with + a value of "0x00000000". This activity is significant as it can indicate an attempt + by adversaries or malware, such as Azorult, to evade defenses by suppressing critical + update notifications. If confirmed malicious, this could allow attackers to persist + undetected, potentially leading to further exploitation and compromise of the host + system. data_source: - Sysmon EventID 12 - Sysmon EventID 13 @@ -62,7 +65,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_modify_registry_disableremotedesktopantialias.yml b/detections/endpoint/windows_modify_registry_disableremotedesktopantialias.yml index 2097dfb15a..7b3ed78c86 100644 --- a/detections/endpoint/windows_modify_registry_disableremotedesktopantialias.yml +++ b/detections/endpoint/windows_modify_registry_disableremotedesktopantialias.yml @@ -1,23 +1,27 @@ name: Windows Modify Registry DisableRemoteDesktopAntiAlias id: 4927c6f1-4667-42e6-bd7a-f5222116386b -version: 1 -date: '2023-11-23' +version: 2 +date: '2024-05-16' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 12 - Sysmon EventID 13 -description: The following analytic identifies a modification in the Windows registry to DisableRemoteDesktopAntiAlias. - This registry setting might be intended to manage or control anti-aliasing behavior (smoothing of edges and fonts) within Remote Desktop sessions. - DarkGate malware modify this registry as part of its malicious installation in a targeted host for its remote desktop capabilities. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry - where Registry.registry_path = "*\\Terminal Services\\DisableRemoteDesktopAntiAlias" Registry.registry_value_data = 0x00000001 - by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest - | `drop_dm_object_name(Registry)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_modify_registry_disableremotedesktopantialias_filter`' +description: The following analytic detects modifications to the Windows registry + key "DisableRemoteDesktopAntiAlias" with a value set to 0x00000001. This detection + leverages data from the Endpoint datamodel, specifically monitoring changes in the + Registry node. This activity is significant as it may indicate the presence of DarkGate + malware, which alters this registry setting to enhance its remote desktop capabilities. + If confirmed malicious, this modification could allow an attacker to maintain persistence + and control over the compromised host, potentially leading to further exploitation + and data exfiltration. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\Terminal + Services\\DisableRemoteDesktopAntiAlias" Registry.registry_value_data = 0x00000001 + by Registry.registry_path Registry.registry_value_name Registry.registry_value_data + Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disableremotedesktopantialias_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure @@ -32,7 +36,8 @@ tags: asset_type: Endpoint confidence: 70 impact: 70 - message: the registry for remote desktop settings was modified to be DisableRemoteDesktopAntiAlias on $dest$. + message: the registry for remote desktop settings was modified to be DisableRemoteDesktopAntiAlias + on $dest$. mitre_attack_id: - T1112 observable: @@ -57,6 +62,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/DisableRemoteDesktopAntiAlias/disable_remote_alias.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/DisableRemoteDesktopAntiAlias/disable_remote_alias.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_modify_registry_disablesecuritysettings.yml b/detections/endpoint/windows_modify_registry_disablesecuritysettings.yml index f4a0454a6f..51df5de3ed 100644 --- a/detections/endpoint/windows_modify_registry_disablesecuritysettings.yml +++ b/detections/endpoint/windows_modify_registry_disablesecuritysettings.yml @@ -1,20 +1,21 @@ name: Windows Modify Registry DisableSecuritySettings id: 989019b4-b7aa-418a-9a17-2293e91288b6 -version: 1 -date: '2023-12-27' +version: 2 +date: '2024-05-13' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 12 - Sysmon EventID 13 -description: The following analytic identifies a modification in the Windows registry - to disable security settings of Terminal Services. altering or disabling security - settings within Terminal Services. Terminal Services, now known as Remote Desktop - Services (RDS) in more recent Windows versions, allows users to access applications, - data, and even an entire desktop remotely. DarkGate malware modify this registry - as part of its malicious installation in a targeted host for its remote desktop - capabilities. +description: The following analytic detects modifications to the Windows registry + that disable security settings for Terminal Services. It leverages the Endpoint + data model, specifically monitoring changes to the registry path associated with + Terminal Services security settings. This activity is significant because altering + these settings can weaken the security posture of Remote Desktop Services, potentially + allowing unauthorized remote access. If confirmed malicious, such modifications + could enable attackers to gain persistent remote access to the system, facilitating + further exploitation and data exfiltration. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\Terminal Services\\DisableSecuritySettings" Registry.registry_value_data = 0x00000001 by Registry.registry_path @@ -62,6 +63,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/disablesecuritysetting.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/disablesecuritysetting.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_modify_registry_disabling_wer_settings.yml b/detections/endpoint/windows_modify_registry_disabling_wer_settings.yml index d488055f1f..d26073ec5f 100644 --- a/detections/endpoint/windows_modify_registry_disabling_wer_settings.yml +++ b/detections/endpoint/windows_modify_registry_disabling_wer_settings.yml @@ -1,15 +1,17 @@ name: Windows Modify Registry Disabling WER Settings id: 21cbcaf1-b51f-496d-a0c1-858ff3070452 -version: 1 -date: '2023-12-27' +version: 2 +date: '2024-05-12' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic identifies a modification in the Windows registry - to disable Windows error reporting settings. This Windows feature allows the user - to report bugs, errors, failure or problems encountered in specific application - or processes. Adversaries use this technique to hide any error or failure that some - of its malicious components trigger. +description: The following analytic detects modifications in the Windows registry + to disable Windows Error Reporting (WER) settings. It leverages data from the Endpoint.Registry + datamodel, specifically monitoring changes to registry paths related to WER with + a value set to "0x00000001". This activity is significant as adversaries may disable + WER to suppress error notifications, hiding the presence of malicious activities. + If confirmed malicious, this could allow attackers to operate undetected, potentially + leading to prolonged persistence and further exploitation within the environment. data_source: - Sysmon EventID 12 - Sysmon EventID 13 @@ -60,7 +62,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_modify_registry_disallow_windows_app.yml b/detections/endpoint/windows_modify_registry_disallow_windows_app.yml index 87a95b0a1f..7fa3ba2780 100644 --- a/detections/endpoint/windows_modify_registry_disallow_windows_app.yml +++ b/detections/endpoint/windows_modify_registry_disallow_windows_app.yml @@ -1,15 +1,18 @@ name: Windows Modify Registry DisAllow Windows App id: 4bc788d3-c83a-48c5-a4e2-e0c6dba57889 -version: 1 -date: '2022-06-22' +version: 2 +date: '2024-05-22' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic identifies modification in the Windows registry - to prevent user running specific computer programs that could aid them in manually - removing malware or detecting it using security products. This technique was recently - identified in Azorult malware where it uses this registry value to prevent several - AV products to execute on the compromised host machine. +description: The following analytic detects modifications to the Windows registry + aimed at preventing the execution of specific computer programs. It leverages data + from the Endpoint.Registry datamodel, focusing on changes to the registry path + "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisallowRun*" + with a value of "0x00000001". This activity is significant as it can indicate an + attempt to disable security tools, a tactic used by malware like Azorult. If confirmed + malicious, this could allow an attacker to evade detection and maintain persistence + on the compromised host. data_source: - Sysmon EventID 12 - Sysmon EventID 13 @@ -58,7 +61,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_modify_registry_do_not_connect_to_win_update.yml b/detections/endpoint/windows_modify_registry_do_not_connect_to_win_update.yml index 6ef781934b..e165e8ebe5 100644 --- a/detections/endpoint/windows_modify_registry_do_not_connect_to_win_update.yml +++ b/detections/endpoint/windows_modify_registry_do_not_connect_to_win_update.yml @@ -1,27 +1,27 @@ name: Windows Modify Registry Do Not Connect To Win Update id: e09c598e-8dd0-4e73-b740-4b96b689199e -version: 1 -date: '2023-04-21' +version: 2 +date: '2024-05-21' author: Teoderick Contreras, Splunk status: production type: Anomaly data_source: - Sysmon EventID 12 - Sysmon EventID 13 -description: The following analytic identifies a suspicious registry modification of Windows auto update configuration. - This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or - to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. - RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. - This detection looks for registry modification that will disable Windos update functionality, and may cause connection to public services such as the Windows Store to stop working. - This policy applies only when this PC is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry - where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\DoNotConnectToWindowsUpdateInternetLocations" - AND Registry.registry_value_data="0x00000001" - by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name - | `drop_dm_object_name(Registry)` - | `security_content_ctime(lastTime)` - | `security_content_ctime(firstTime)` - | `windows_modify_registry_do_not_connect_to_win_update_filter`' +description: The following analytic detects a suspicious modification to the Windows + registry that disables automatic updates. It leverages data from the Endpoint datamodel, + specifically monitoring changes to the registry path + "*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\DoNotConnectToWindowsUpdateInternetLocations" + with a value of "0x00000001". This activity is significant as it can be used by + adversaries, including malware like RedLine Stealer, to evade detection and prevent + the system from receiving critical updates. If confirmed malicious, this could allow + attackers to exploit vulnerabilities, persist in the environment, and potentially + deploy additional payloads. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\DoNotConnectToWindowsUpdateInternetLocations" + AND Registry.registry_value_data="0x00000001" by Registry.dest Registry.user Registry.registry_path + Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` + | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_do_not_connect_to_win_update_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, @@ -36,7 +36,7 @@ tags: analytic_story: - RedLine Stealer asset_type: Endpoint - atomic_guid: + atomic_guid: - 12e03af7-79f9-4f95-af48-d3f12f28a260 confidence: 50 impact: 50 @@ -66,6 +66,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_modify_registry_dontshowui.yml b/detections/endpoint/windows_modify_registry_dontshowui.yml index ffcdd1cb73..6f4f26d691 100644 --- a/detections/endpoint/windows_modify_registry_dontshowui.yml +++ b/detections/endpoint/windows_modify_registry_dontshowui.yml @@ -1,25 +1,27 @@ name: Windows Modify Registry DontShowUI id: 4ff9767b-fdf2-489c-83a5-c6c34412d72e -version: 1 -date: '2023-11-23' +version: 2 +date: '2024-05-16' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 12 - Sysmon EventID 13 -description: The following analytic identifies a modification in the Windows Error Reporting registry to DontShowUI. - DarkGate malware modify this registry as part of its malicious installation in a targeted host for its remote desktop capabilities. - When this registry value is present and set to a specific configuration, it can influence the behavior of error reporting dialogs or prompts, - suppressing them from being displayed to the user.For instance, setting DontShowUI to a value of 1 often indicates that the - Windows Error Reporting UI prompts will be suppressed, meaning users won't see error reporting pop-ups when errors occur. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry - where Registry.registry_path = "*\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI" Registry.registry_value_data = 0x00000001 - by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest - | `drop_dm_object_name(Registry)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_modify_registry_dontshowui_filter`' +description: The following analytic detects modifications to the Windows Error Reporting + registry key "DontShowUI" to suppress error reporting dialogs. It leverages data + from the Endpoint datamodel's Registry node to identify changes where the registry + value is set to 0x00000001. This activity is significant as it is commonly associated + with DarkGate malware, which uses this modification to avoid detection during its + installation. If confirmed malicious, this behavior could allow attackers to maintain + a low profile, avoiding user alerts and potentially enabling further malicious activities + without user intervention. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\SOFTWARE\\Microsoft\\Windows\\Windows + Error Reporting\\DontShowUI" Registry.registry_value_data = 0x00000001 by Registry.registry_path + Registry.registry_value_name Registry.registry_value_data Registry.process_guid + Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` | + `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_dontshowui_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure @@ -59,6 +61,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/wer_dontshowui/dontshowui_sys.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/wer_dontshowui/dontshowui_sys.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_modify_registry_enablelinkedconnections.yml b/detections/endpoint/windows_modify_registry_enablelinkedconnections.yml index f22dd15d67..c57b4e44ec 100644 --- a/detections/endpoint/windows_modify_registry_enablelinkedconnections.yml +++ b/detections/endpoint/windows_modify_registry_enablelinkedconnections.yml @@ -1,24 +1,28 @@ name: Windows Modify Registry EnableLinkedConnections id: 93048164-3358-4af0-8680-aa5f38440516 -version: 1 -date: '2023-07-10' +version: 2 +date: '2024-05-13' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 12 - Sysmon EventID 13 -description: The following analytic identifies a suspicious registry modification of Windows linked connection configuration. - This technique was being abused by several adversaries, malware like BlackByte ransomware to enable the linked connections feature, - that allows network shares to be accessed using both standard and administrator-level privileges simultaneously. - By default, Windows does not enable this feature to enhance security. -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry - WHERE (Registry.registry_path= "*\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLinkedConnections" Registry.registry_value_data = "0x00000001") - BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest - | `drop_dm_object_name(Registry)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_modify_registry_enablelinkedconnections_filter`' +description: The following analytic detects a suspicious modification to the Windows + registry setting for EnableLinkedConnections. It leverages data from the Endpoint.Registry + datamodel to identify changes where the registry path is + "*\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLinkedConnections" + and the value is set to "0x00000001". This activity is significant because enabling + linked connections can allow network shares to be accessed with both standard and + administrator-level privileges, a technique often abused by malware like BlackByte + ransomware. If confirmed malicious, this could lead to unauthorized access to sensitive + network resources, escalating the attacker's privileges. +search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry + WHERE (Registry.registry_path= "*\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLinkedConnections" + Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.registry_path + Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data + Registry.process_guid Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_modify_registry_enablelinkedconnections_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure @@ -35,7 +39,8 @@ tags: - 4f4e2f9f-6209-4fcf-9b15-3b7455706f5b confidence: 70 impact: 70 - message: A registry modification in Windows EnableLinkedConnections configuration on $dest$ + message: A registry modification in Windows EnableLinkedConnections configuration + on $dest$ mitre_attack_id: - T1112 observable: @@ -61,6 +66,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/blackbyte/enablelinkedconnections/blackbyte_sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/blackbyte/enablelinkedconnections/blackbyte_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_modify_registry_longpathsenabled.yml b/detections/endpoint/windows_modify_registry_longpathsenabled.yml index 4904bd46ff..1822366cb3 100644 --- a/detections/endpoint/windows_modify_registry_longpathsenabled.yml +++ b/detections/endpoint/windows_modify_registry_longpathsenabled.yml @@ -1,24 +1,27 @@ name: Windows Modify Registry LongPathsEnabled id: 36f9626c-4272-4808-aadd-267acce681c0 -version: 1 -date: '2023-07-10' +version: 2 +date: '2024-05-21' author: Teoderick Contreras, Splunk status: production type: Anomaly data_source: - Sysmon EventID 12 - Sysmon EventID 13 -description: The following analytic identifies a suspicious registry modification of Windows long path enable configuration. - This technique was being abused by several adversaries, malware like BlackByte to enable long file path support in the operating system. - By default, Windows has a limitation on the maximum length of a file path, which is set to 260 characters. - Enabling the LongPathsEnabled setting allows you to work with file paths longer than 260 characters. -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry - WHERE (Registry.registry_path= "*\\CurrentControlSet\\Control\\FileSystem\\LongPathsEnabled" Registry.registry_value_data = "0x00000001") - BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest - | `drop_dm_object_name(Registry)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_modify_registry_longpathsenabled_filter`' +description: The following analytic detects a modification to the Windows registry + setting "LongPathsEnabled," which allows file paths longer than 260 characters. + This detection leverages data from the Endpoint.Registry datamodel, focusing on + changes to the specific registry path and value. This activity is significant because + adversaries, including malware like BlackByte, exploit this setting to bypass file + path limitations, potentially aiding in evasion techniques. If confirmed malicious, + this modification could facilitate the execution of long-path payloads, aiding in + persistence and further system compromise. +search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry + WHERE (Registry.registry_path= "*\\CurrentControlSet\\Control\\FileSystem\\LongPathsEnabled" + Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.registry_path + Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data + Registry.process_guid Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_modify_registry_longpathsenabled_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure @@ -61,6 +64,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/blackbyte/longpathsenabled/longpath_sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/blackbyte/longpathsenabled/longpath_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_modify_registry_maxconnectionperserver.yml b/detections/endpoint/windows_modify_registry_maxconnectionperserver.yml index 94c2969b1c..effdb82672 100644 --- a/detections/endpoint/windows_modify_registry_maxconnectionperserver.yml +++ b/detections/endpoint/windows_modify_registry_maxconnectionperserver.yml @@ -1,23 +1,28 @@ name: Windows Modify Registry MaxConnectionPerServer id: 064cd09f-1ff4-4823-97e0-45c2f5b087ec -version: 1 -date: '2023-07-26' +version: 2 +date: '2024-05-23' author: Teoderick Contreras, Splunk status: production type: Anomaly data_source: - Sysmon EventID 12 - Sysmon EventID 13 -description: The following analytic identifies a suspicious registry modification of Windows max connection per server configuration. - This particular technique has been observed in various threat actors, adversaries, and even in malware such as the Warzone (Ave Maria) RAT. - By altering the max connection per server setting in the Windows registry, attackers can potentially increase the number of concurrent connections - allowed to a remote server. This modification could be exploited for various malicious purposes, including facilitating distributed denial-of-service (DDoS) attacks or enabling more effective lateral movement within a compromised network. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - where (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\MaxConnectionsPerServer*" OR Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\MaxConnectionsPer1_0Server*") Registry.registry_value_data = "0x0000000a" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest - | `drop_dm_object_name(Registry)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_modify_registry_maxconnectionperserver_filter`' +description: The following analytic identifies a suspicious modification of the Windows + registry setting for max connections per server. It detects changes to specific + registry paths using data from the Endpoint.Registry datamodel. This activity is + significant because altering this setting can be exploited by attackers to increase + the number of concurrent connections to a remote server, potentially facilitating + DDoS attacks or enabling more effective lateral movement within a compromised network. + If confirmed malicious, this could lead to network disruption or further compromise + of additional systems. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet + Settings\\MaxConnectionsPerServer*" OR Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet + Settings\\MaxConnectionsPer1_0Server*") Registry.registry_value_data = "0x0000000a" + by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data + Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_modify_registry_maxconnectionperserver_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure @@ -59,6 +64,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/warzone_rat/maxconnectionperserver/registry_event.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/warzone_rat/maxconnectionperserver/registry_event.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_modify_registry_no_auto_reboot_with_logon_user.yml b/detections/endpoint/windows_modify_registry_no_auto_reboot_with_logon_user.yml index e341e11248..a9825acf86 100644 --- a/detections/endpoint/windows_modify_registry_no_auto_reboot_with_logon_user.yml +++ b/detections/endpoint/windows_modify_registry_no_auto_reboot_with_logon_user.yml @@ -1,26 +1,26 @@ name: Windows Modify Registry No Auto Reboot With Logon User id: 6a12fa9f-580d-4627-8c7f-313e359bdc6a -version: 1 -date: '2023-04-21' +version: 2 +date: '2024-05-26' author: Teoderick Contreras, Splunk status: production type: Anomaly data_source: - Sysmon EventID 12 - Sysmon EventID 13 -description: The following analytic identifies a suspicious registry modification of Windows auto update configuration. - This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or - to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. - RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. - This detection looks for registry modification that will allow "Logged-on user gets to choose whether or not to restart his or her compute". -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry - where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\NoAutoRebootWithLoggedOnUsers" - AND Registry.registry_value_data="0x00000001" - by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name - | `drop_dm_object_name(Registry)` - | `security_content_ctime(lastTime)` - | `security_content_ctime(firstTime)` - | `windows_modify_registry_no_auto_reboot_with_logon_user_filter`' +description: The following analytic detects a suspicious modification to the Windows + registry that disables automatic reboot with a logged-on user. This detection leverages + the Endpoint data model to identify changes to the registry path + `SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoRebootWithLoggedOnUsers` + with a value of `0x00000001`. This activity is significant as it is commonly used + by adversaries, including malware like RedLine Stealer, to evade detection and maintain + persistence. If confirmed malicious, this could allow attackers to bypass security + measures and deploy additional payloads without interruption. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\NoAutoRebootWithLoggedOnUsers" + AND Registry.registry_value_data="0x00000001" by Registry.dest Registry.user Registry.registry_path + Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` + | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_no_auto_reboot_with_logon_user_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, @@ -34,7 +34,7 @@ tags: analytic_story: - RedLine Stealer asset_type: Endpoint - atomic_guid: + atomic_guid: - 12e03af7-79f9-4f95-af48-d3f12f28a260 confidence: 30 impact: 30 @@ -64,6 +64,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_modify_registry_no_auto_update.yml b/detections/endpoint/windows_modify_registry_no_auto_update.yml index c65d281c3c..068495e512 100644 --- a/detections/endpoint/windows_modify_registry_no_auto_update.yml +++ b/detections/endpoint/windows_modify_registry_no_auto_update.yml @@ -1,20 +1,20 @@ name: Windows Modify Registry No Auto Update id: fbd4f333-17bb-4eab-89cb-860fa2e0600e -version: 1 -date: '2023-12-27' +version: 2 +date: '2024-05-15' author: Teoderick Contreras, Splunk status: production type: Anomaly data_source: - Sysmon EventID 12 - Sysmon EventID 13 -description: The following analytic identifies a suspicious registry modification - of Windows auto update configuration. This technique was being abused by several - adversaries, malware authors and also red-teamers to bypass detection or to be able - to compromise the target host with zero day exploit or as an additional defense - evasion technique. RedLine Stealer is one of the malware we've seen that uses this - technique to evade detection and add more payload on the target host. This detection - looks for registry modification that will "Disable Automatic Updates". +description: The following analytic identifies a suspicious modification to the Windows + registry that disables automatic updates. It detects changes to the registry path + `SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate` with a value + of `0x00000001`. This activity is significant as it is commonly used by adversaries, + including malware like RedLine Stealer, to evade detection and maintain persistence. + If confirmed malicious, this could allow attackers to bypass security updates, leaving + the system vulnerable to further exploitation and potential zero-day attacks. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\NoAutoUpdate" AND Registry.registry_value_data="0x00000001" by Registry.dest Registry.user Registry.registry_path @@ -64,6 +64,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_modify_registry_nochangingwallpaper.yml b/detections/endpoint/windows_modify_registry_nochangingwallpaper.yml index 309c48bbbd..1b2fba591d 100644 --- a/detections/endpoint/windows_modify_registry_nochangingwallpaper.yml +++ b/detections/endpoint/windows_modify_registry_nochangingwallpaper.yml @@ -1,26 +1,26 @@ name: Windows Modify Registry NoChangingWallPaper id: a2276412-e254-4e9a-9082-4d92edb6a3e0 -version: 1 -date: '2023-12-12' +version: 2 +date: '2024-05-30' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 12 - Sysmon EventID 13 -description: The following analytic identifies alterations in the Windows registry aimed at restricting wallpaper modifications. - This tactic has been exploited by the Rhysida ransomware as a part of its destructive payload within compromised systems. - By making this registry modification, the ransomware seeks to impede users from changing the wallpaper forcibly set by the malware, - restricting the user's control over their system's visual settings. -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry +description: The following analytic detects modifications to the Windows registry + aimed at preventing wallpaper changes. It leverages data from the Endpoint.Registry + datamodel, specifically monitoring changes to the "NoChangingWallPaper" registry + value. This activity is significant as it is a known tactic used by Rhysida ransomware + to enforce a malicious wallpaper, thereby limiting user control over system settings. + If confirmed malicious, this registry change could indicate a ransomware infection, + leading to further system compromise and user disruption. +search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\Windows\\CurrentVersion\\Policies\\ActiveDesktop\\NoChangingWallPaper" - Registry.registry_value_data = 1) - BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid - | `drop_dm_object_name(Registry)` - | where isnotnull(registry_value_data) - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_modify_registry_nochangingwallpaper_filter`' + Registry.registry_value_data = 1) BY _time span=1h Registry.dest Registry.user Registry.registry_path + Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data + Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_nochangingwallpaper_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure @@ -35,7 +35,8 @@ tags: asset_type: Endpoint confidence: 60 impact: 60 - message: the registry settings was modified to disable changing of wallpaper on $dest$. + message: the registry settings was modified to disable changing of wallpaper on + $dest$. mitre_attack_id: - T1112 observable: @@ -60,6 +61,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/no_changing_wallpaper/NoChangingWallPaper.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/no_changing_wallpaper/NoChangingWallPaper.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_modify_registry_proxyenable.yml b/detections/endpoint/windows_modify_registry_proxyenable.yml index 2d5b384c3a..1c7713ebe9 100644 --- a/detections/endpoint/windows_modify_registry_proxyenable.yml +++ b/detections/endpoint/windows_modify_registry_proxyenable.yml @@ -1,26 +1,27 @@ name: Windows Modify Registry ProxyEnable id: b27f20bd-ef20-41d1-a1e9-25dedd5bf2f5 -version: 1 -date: '2023-11-23' +version: 2 +date: '2024-05-22' author: Teoderick Contreras, Splunk status: production type: Anomaly data_source: - Sysmon EventID 12 - Sysmon EventID 13 -description: The following analytic identifies a modification in the Windows registry to enable proxy. - This method has been exploited by various malware and adversaries to establish proxy communication on compromised hosts, - facilitating connections to malicious Command and Control (C2) servers. - Identifying this anomaly serves as a crucial indicator to unveil suspicious processes attempting to activate the proxy - feature within the Windows operating system. Detecting such attempts becomes pivotal in flagging potential threats, especially - those aiming to leverage proxy configurations for unauthorized communication with malicious entities. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry - where Registry.registry_path = "*\\Internet Settings\\ProxyEnable" Registry.registry_value_data = 0x00000001 - by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest - | `drop_dm_object_name(Registry)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_modify_registry_proxyenable_filter`' +description: The following analytic detects modifications to the Windows registry + key "ProxyEnable" to enable proxy settings. It leverages data from the Endpoint.Registry + datamodel, specifically monitoring changes to the "Internet Settings\ProxyEnable" + registry path. This activity is significant as it is commonly exploited by malware + and adversaries to establish proxy communication, potentially connecting to malicious + Command and Control (C2) servers. If confirmed malicious, this could allow attackers + to redirect network traffic through a proxy, facilitating unauthorized communication + and data exfiltration, thereby compromising the security of the affected host. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\Internet + Settings\\ProxyEnable" Registry.registry_value_data = 0x00000001 by Registry.registry_path + Registry.registry_value_name Registry.registry_value_data Registry.process_guid + Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` | + `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_proxyenable_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure @@ -60,6 +61,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/proxy_enable/proxyenable.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/proxy_enable/proxyenable.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_modify_registry_proxyserver.yml b/detections/endpoint/windows_modify_registry_proxyserver.yml index 179e526a4d..83f4e5bae7 100644 --- a/detections/endpoint/windows_modify_registry_proxyserver.yml +++ b/detections/endpoint/windows_modify_registry_proxyserver.yml @@ -1,26 +1,25 @@ name: Windows Modify Registry ProxyServer id: 12bdaa0b-3c59-4489-aae1-bff6d67746ef -version: 1 -date: '2023-11-23' +version: 2 +date: '2024-05-11' author: Teoderick Contreras, Splunk status: production type: Anomaly data_source: - Sysmon EventID 12 - Sysmon EventID 13 -description: The following analytic identifies a modification in the Windows registry to setup proxy server. - This method has been exploited by various malware and adversaries to establish proxy communication on compromised hosts, - facilitating connections to malicious Command and Control (C2) servers. - Identifying this anomaly serves as a crucial indicator to unveil suspicious processes attempting to activate the proxy - feature within the Windows operating system. Detecting such attempts becomes pivotal in flagging potential threats, especially - those aiming to leverage proxy configurations for unauthorized communication with malicious entities. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry - where Registry.registry_path = "*\\Internet Settings\\ProxyServer" - by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest - | `drop_dm_object_name(Registry)` - | where isnotnull(registry_value_data) - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +description: The following analytic detects modifications to the Windows registry + key for setting up a proxy server. It leverages data from the Endpoint.Registry + datamodel, focusing on changes to the "Internet Settings\\ProxyServer" registry + path. This activity is significant as it can indicate malware or adversaries configuring + a proxy to facilitate unauthorized communication with Command and Control (C2) servers. + If confirmed malicious, this could allow attackers to establish persistent, covert + channels for data exfiltration or further exploitation of the compromised host. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\Internet + Settings\\ProxyServer" by Registry.registry_path Registry.registry_value_name Registry.registry_value_data + Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` + | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_proxyserver_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from @@ -61,6 +60,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/proxy_server/ProxyServer_sys.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/proxy_server/ProxyServer_sys.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog \ No newline at end of file + sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_modify_registry_qakbot_binary_data_registry.yml b/detections/endpoint/windows_modify_registry_qakbot_binary_data_registry.yml index f92bf36259..b5232301d2 100644 --- a/detections/endpoint/windows_modify_registry_qakbot_binary_data_registry.yml +++ b/detections/endpoint/windows_modify_registry_qakbot_binary_data_registry.yml @@ -1,35 +1,39 @@ name: Windows Modify Registry Qakbot Binary Data Registry id: 2e768497-04e0-4188-b800-70dd2be0e30d -version: 2 -date: '2023-11-07' +version: 3 +date: '2024-05-12' author: Teoderick Contreras, Bhavin Patel, Splunk status: production type: Anomaly -description: The following analytic identifies a suspicious registry entry created - by Qakbot malware as part of its malicious execution. This "Binary Data" Registry was - created by newly spawn explorer.exe where its malicious code is injected to it. - The registry consist of 8 random registry value name with encrypted binary data - on its registry value data. This anomaly detections can be a good pivot for possible - Qakbot malware infection or other malware that uses registry to save or store there - config or malicious code on the registry data stream. +description: The following analytic detects the creation of a suspicious registry + entry by Qakbot malware, characterized by 8 random registry value names with encrypted + binary data. This detection leverages data from Endpoint Detection and Response + (EDR) agents, focusing on registry modifications under the "SOFTWARE\\Microsoft\\" + path by processes like explorer.exe. This activity is significant as it indicates + potential Qakbot infection, which uses the registry to store malicious code or configuration + data. If confirmed malicious, this could allow attackers to maintain persistence + and execute arbitrary code on the compromised system. data_source: - Sysmon EventID 1 - Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count dc(registry_value_name) as registry_value_name_count FROM datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Microsoft\\*" AND Registry.registry_value_data = "Binary Data" by _time span=1m Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.process_id Registry.registry_key_name - | `drop_dm_object_name(Registry)` - | eval registry_key_name_len = len(registry_key_name) - | eval registry_value_name_len = len(registry_value_name) - | regex registry_value_name="^[0-9a-fA-F]{8}" - | where registry_key_name_len < 80 AND registry_value_name_len == 8 - | join process_guid, _time - [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name IN ("explorer.exe", "wermgr.exe","dxdiag.exe", "OneDriveSetup.exe", "mobsync.exe", "msra.exe", "xwizard.exe") by _time span=1m Processes.process_id Processes.process_name Processes.process Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid Processes.process_path - | `drop_dm_object_name(Processes)` - ] - | stats min(_time) as firstTime max(_time) as lastTime values(registry_value_name) as registry_value_name dc(registry_value_name) as registry_value_name_count values(registry_key_name) by dest process_guid process_name parent_process_name - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | where registry_value_name_count >= 5 - | `windows_modify_registry_qakbot_binary_data_registry_filter`' +search: '| tstats `security_content_summariesonly` count dc(registry_value_name) as + registry_value_name_count FROM datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Microsoft\\*" + AND Registry.registry_value_data = "Binary Data" by _time span=1m Registry.dest + Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_value_data + Registry.process_guid Registry.process_id Registry.registry_key_name | `drop_dm_object_name(Registry)` + | eval registry_key_name_len = len(registry_key_name) | eval registry_value_name_len + = len(registry_value_name) | regex registry_value_name="^[0-9a-fA-F]{8}" | where + registry_key_name_len < 80 AND registry_value_name_len == 8 | join process_guid, + _time [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes + where Processes.process_name IN ("explorer.exe", "wermgr.exe","dxdiag.exe", "OneDriveSetup.exe", + "mobsync.exe", "msra.exe", "xwizard.exe") by _time span=1m Processes.process_id + Processes.process_name Processes.process Processes.dest Processes.parent_process_name + Processes.parent_process Processes.process_guid Processes.process_path | `drop_dm_object_name(Processes)` + ] | stats min(_time) as firstTime max(_time) as lastTime values(registry_value_name) + as registry_value_name dc(registry_value_name) as registry_value_name_count values(registry_key_name) + by dest process_guid process_name parent_process_name | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | where registry_value_name_count >= 5 | `windows_modify_registry_qakbot_binary_data_registry_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -82,7 +86,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot2/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot2/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_modify_registry_reg_restore.yml b/detections/endpoint/windows_modify_registry_reg_restore.yml index f825c16324..d1a53adcac 100644 --- a/detections/endpoint/windows_modify_registry_reg_restore.yml +++ b/detections/endpoint/windows_modify_registry_reg_restore.yml @@ -1,15 +1,18 @@ name: Windows Modify Registry Reg Restore id: d0072bd2-6d73-4c1b-bc77-ded6d2da3a4e -version: 1 -date: '2022-12-12' +version: 2 +date: '2024-05-20' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic identifies a process execution of reg.exe with - "restore" parameter. This reg.exe parameter is commonly used to restore registry - backup data in a targeted host. This approach or technique was also seen in post-exploitation - tool like winpeas where it uses "reg save" and "reg restore" to check the registry - modification restriction in targeted host after gaining access to it. +description: The following analytic detects the execution of reg.exe with the "restore" + parameter, indicating an attempt to restore registry backup data on a host. This + detection leverages data from Endpoint Detection and Response (EDR) agents, focusing + on process execution logs and command-line arguments. This activity is significant + as it may indicate post-exploitation actions, such as those performed by tools like + winpeas, which use "reg save" and "reg restore" to manipulate registry settings. + If confirmed malicious, this could allow an attacker to revert registry changes, + potentially bypassing security controls and maintaining persistence. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -76,7 +79,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_modify_registry_regedit_silent_reg_import.yml b/detections/endpoint/windows_modify_registry_regedit_silent_reg_import.yml index 2fadc958c1..fbdb72e48b 100644 --- a/detections/endpoint/windows_modify_registry_regedit_silent_reg_import.yml +++ b/detections/endpoint/windows_modify_registry_regedit_silent_reg_import.yml @@ -1,17 +1,18 @@ name: Windows Modify Registry Regedit Silent Reg Import id: 824dd598-71be-4203-bc3b-024f4cda340e -version: 1 -date: '2022-06-24' +version: 2 +date: '2024-05-14' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic identifies modification of Windows registry using - regedit.exe application with silent mode parameter. regedit.exe windows application - is commonly used as GUI app to check or modify registry. This application is also - has undocumented command-line parameter and one of those are silent mode parameter - that performs action without stopping for confirmation with dialog box. Importing - registry from .reg files need to monitor in a production environment since it can - be used adversaries to import RMS registry in compromised host. +description: The following analytic detects the modification of the Windows registry + using the regedit.exe application with the silent mode parameter. It leverages data + from Endpoint Detection and Response (EDR) agents, focusing on process names and + command-line executions. This activity is significant because the silent mode allows + registry changes without user confirmation, which can be exploited by adversaries + to import malicious registry settings. If confirmed malicious, this could enable + attackers to persist in the environment, escalate privileges, or manipulate system + configurations, leading to potential system compromise. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` values(Processes.process) as process @@ -72,7 +73,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_modify_registry_risk_behavior.yml b/detections/endpoint/windows_modify_registry_risk_behavior.yml index 17c8a72951..f44605d7f1 100644 --- a/detections/endpoint/windows_modify_registry_risk_behavior.yml +++ b/detections/endpoint/windows_modify_registry_risk_behavior.yml @@ -1,32 +1,36 @@ name: Windows Modify Registry Risk Behavior id: 5eb479b1-a5ea-4e01-8365-780078613776 -version: 1 -date: '2023-06-15' +version: 2 +date: '2024-05-15' author: Teoderick Contreras, Splunk status: production type: Correlation data_source: [] -description: This analytic is designed to identify instances where three or more distinct analytics associated with Mitre ID T1112 - Modification of registry information are triggered. Such occurrences could indicate the presence of multiple malicious registry modifications on a host. Malicious actors frequently manipulate the Windows Registry to hide important configuration details within specific Registry keys. This technique allows them to obscure their activities, erase any evidence during cleanup operations, and establish continuous access and execution of malicious code. -search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime - sum(All_Risk.calculated_risk_score) as risk_score, - count(All_Risk.calculated_risk_score) as risk_event_count, - values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, - dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, - values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, - dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, - values(All_Risk.tag) as tag, values(source) as source, - dc(source) as source_count from datamodel=Risk.All_Risk - where source IN ("*registry*") All_Risk.annotations.mitre_attack.mitre_technique_id IN ("*T1112*") - by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic - | `drop_dm_object_name(All_Risk)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | where source_count >= 3 - | `windows_modify_registry_risk_behavior_filter`' -how_to_implement: Splunk Enterprise Security is required to utilize this correlation. In addition, - modify the source_count value to your environment. In our testing, a count of 4 or 5 was decent in a lab, - but the number may need to be increased base on internal testing. In addition, - based on false positives, modify any analytics to be anomaly and lower or increase risk based on organization importance. +description: The following analytic identifies instances where three or more distinct + registry modification events associated with MITRE ATT&CK Technique T1112 are detected. + It leverages data from the Risk data model in Splunk, focusing on registry-related + sources and MITRE technique annotations. This activity is significant because multiple + registry modifications can indicate an attempt to persist, hide malicious configurations, + or erase forensic evidence. If confirmed malicious, this behavior could allow attackers + to maintain persistent access, execute malicious code, and evade detection, posing + a severe threat to the integrity and security of the affected host. +search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) + as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) + as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as + annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) + as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) + as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) + as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, + dc(source) as source_count from datamodel=Risk.All_Risk where source IN ("*registry*") + All_Risk.annotations.mitre_attack.mitre_technique_id IN ("*T1112*") by All_Risk.risk_object + All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where + source_count >= 3 | `windows_modify_registry_risk_behavior_filter`' +how_to_implement: Splunk Enterprise Security is required to utilize this correlation. + In addition, modify the source_count value to your environment. In our testing, + a count of 4 or 5 was decent in a lab, but the number may need to be increased base + on internal testing. In addition, based on false positives, modify any analytics + to be anomaly and lower or increase risk based on organization importance. known_false_positives: False positives will be present based on many factors. Tune the correlation as needed to reduce too many triggers. references: @@ -64,6 +68,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/windows_mod_reg_risk_behavior/modify_reg_risk.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/windows_mod_reg_risk_behavior/modify_reg_risk.log source: mod_reg sourcetype: stash diff --git a/detections/endpoint/windows_modify_registry_suppress_win_defender_notif.yml b/detections/endpoint/windows_modify_registry_suppress_win_defender_notif.yml index 5a38de518c..c863f2df58 100644 --- a/detections/endpoint/windows_modify_registry_suppress_win_defender_notif.yml +++ b/detections/endpoint/windows_modify_registry_suppress_win_defender_notif.yml @@ -1,15 +1,18 @@ name: Windows Modify Registry Suppress Win Defender Notif id: e3b42daf-fff4-429d-bec8-2a199468cea9 -version: 1 -date: '2023-12-27' +version: 2 +date: '2024-05-17' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic is to identify a modification in the Windows registry - to suppress windows defender notification. This technique was abuse by adversaries - and threat actor to bypassed windows defender on the targeted host. Azorult malware - is one of the malware use this technique that also disable toast notification and - other windows features as part of its malicious behavior. +description: The following analytic detects modifications in the Windows registry + to suppress Windows Defender notifications. It leverages data from the Endpoint.Registry + datamodel, specifically targeting changes to the "Notification_Suppress" registry + value. This activity is significant because adversaries, including those deploying + Azorult malware, use this technique to bypass Windows Defender and disable critical + notifications. If confirmed malicious, this behavior could allow attackers to evade + detection, maintain persistence, and execute further malicious activities without + alerting the user or security tools. data_source: - Sysmon EventID 12 - Sysmon EventID 13 @@ -61,7 +64,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_modify_registry_tamper_protection.yml b/detections/endpoint/windows_modify_registry_tamper_protection.yml index 47a68a3ea0..d35c5a3f93 100644 --- a/detections/endpoint/windows_modify_registry_tamper_protection.yml +++ b/detections/endpoint/windows_modify_registry_tamper_protection.yml @@ -1,24 +1,27 @@ name: Windows Modify Registry Tamper Protection id: 12094335-88fc-4c3a-b55f-e62dd8c93c23 -version: 1 -date: '2023-04-21' +version: 2 +date: '2024-05-13' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 12 - Sysmon EventID 13 -description: The following analytic identifies a suspicious registry modification to tamper Windows Defender protection. - This technique was being abused by several adversaries, malware authors and also red-teamers to evade detection on the targeted machine. - RedLine Stealer is one of the malware we've seen that uses this technique to bypass Windows defender detection. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry - where Registry.registry_path="*\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection" - AND Registry.registry_value_data="0x00000000" - by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name - | `drop_dm_object_name(Registry)` - | `security_content_ctime(lastTime)` - | `security_content_ctime(firstTime)` - | `windows_modify_registry_tamper_protection_filter`' +description: The following analytic detects a suspicious modification to the Windows + Defender Tamper Protection registry setting. It leverages data from the Endpoint + datamodel, specifically targeting changes where the registry path is set to disable + Tamper Protection. This activity is significant because disabling Tamper Protection + can allow adversaries to make further undetected changes to Windows Defender settings, + potentially leading to reduced security on the system. If confirmed malicious, this + could enable attackers to evade detection, persist in the environment, and execute + further malicious activities without interference from Windows Defender. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Microsoft\\Windows + Defender\\Features\\TamperProtection" AND Registry.registry_value_data="0x00000000" + by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data + Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` + | `security_content_ctime(firstTime)` | `windows_modify_registry_tamper_protection_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, @@ -32,7 +35,7 @@ tags: analytic_story: - RedLine Stealer asset_type: Endpoint - atomic_guid: + atomic_guid: - 12e03af7-79f9-4f95-af48-d3f12f28a260 confidence: 70 impact: 70 @@ -62,6 +65,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_modify_registry_updateserviceurlalternate.yml b/detections/endpoint/windows_modify_registry_updateserviceurlalternate.yml index a4e0b5cc50..60b4641bd4 100644 --- a/detections/endpoint/windows_modify_registry_updateserviceurlalternate.yml +++ b/detections/endpoint/windows_modify_registry_updateserviceurlalternate.yml @@ -1,25 +1,26 @@ name: Windows Modify Registry UpdateServiceUrlAlternate id: ca4e94fb-7969-4d63-8630-3625809a1f70 -version: 1 -date: '2023-04-21' +version: 2 +date: '2024-05-20' author: Teoderick Contreras, Splunk status: production type: Anomaly data_source: - Sysmon EventID 12 - Sysmon EventID 13 -description: The following analytic identifies a suspicious registry modification of Windows auto update configuration. - This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or - to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. - RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. - This detection looks for registry modification that specifies an intranet server to host updates from Microsoft Update. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry - where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\UpdateServiceUrlAlternate" - by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name - | `drop_dm_object_name(Registry)` - | `security_content_ctime(lastTime)` - | `security_content_ctime(firstTime)` - | `windows_modify_registry_updateserviceurlalternate_filter`' +description: The following analytic detects a suspicious modification to the Windows + Update configuration registry key, specifically targeting the UpdateServiceUrlAlternate + setting. It leverages data from the Endpoint.Registry datamodel to identify changes + to this registry path. This activity is significant because adversaries, including + malware like RedLine Stealer, exploit this technique to bypass detection and deploy + additional payloads. If confirmed malicious, this modification could allow attackers + to redirect update services, potentially leading to the execution of malicious code, + further system compromise, and persistent evasion of security defenses. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\UpdateServiceUrlAlternate" + by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data + Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` + | `security_content_ctime(firstTime)` | `windows_modify_registry_updateserviceurlalternate_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, @@ -61,6 +62,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_modify_registry_usewuserver.yml b/detections/endpoint/windows_modify_registry_usewuserver.yml index 56fbac5ca4..acbbb57bfa 100644 --- a/detections/endpoint/windows_modify_registry_usewuserver.yml +++ b/detections/endpoint/windows_modify_registry_usewuserver.yml @@ -1,26 +1,26 @@ name: Windows Modify Registry USeWuServer id: c427bafb-0b2c-4b18-ad85-c03c6fed9e75 -version: 1 -date: '2023-04-21' +version: 2 +date: '2024-05-16' author: Teoderick Contreras, Splunk status: production type: Hunting data_source: - Sysmon EventID 12 - Sysmon EventID 13 -description: The following analytic identifies a suspicious registry modification of Windows auto update configuration. - This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or - to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. - RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. - This detection looks for registry modification that will use "The WUServer value unless this key is set". -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry - where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\UseWUServer" - AND Registry.registry_value_data="0x00000001" - by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name - | `drop_dm_object_name(Registry)` - | `security_content_ctime(lastTime)` - | `security_content_ctime(firstTime)` - | `windows_modify_registry_usewuserver_filter`' +description: The following analytic detects a suspicious modification to the Windows + Update configuration registry key "UseWUServer." It leverages data from the Endpoint.Registry + data model to identify changes where the registry value is set to "0x00000001." + This activity is significant because it is commonly used by adversaries, including + malware like RedLine Stealer, to bypass detection mechanisms and potentially exploit + zero-day vulnerabilities. If confirmed malicious, this modification could allow + attackers to evade defenses, persist on the target host, and deploy additional malicious + payloads. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\UseWUServer" + AND Registry.registry_value_data="0x00000001" by Registry.dest Registry.user Registry.registry_path + Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` + | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_usewuserver_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, @@ -62,6 +62,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_modify_registry_with_md5_reg_key_name.yml b/detections/endpoint/windows_modify_registry_with_md5_reg_key_name.yml index 0787a856e9..5c29de3e84 100644 --- a/detections/endpoint/windows_modify_registry_with_md5_reg_key_name.yml +++ b/detections/endpoint/windows_modify_registry_with_md5_reg_key_name.yml @@ -1,31 +1,35 @@ name: Windows Modify Registry With MD5 Reg Key Name id: 4662c6b1-0754-455e-b9ff-3ee730af3ba8 -version: 1 -date: '2023-09-25' +version: 2 +date: '2024-05-25' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 12 - Sysmon EventID 13 -description: This analytic is designed to identify potentially malicious registry modification characterized by MD5-like registry key names. - This technique has been notably observed in NjRAT malware, which employs such registries for fileless storage of keylogs and .DLL plugins. - Detecting this tactic serves as an effective means of identifying possible NjRAT malware instances that create or modify registries as - part of their malicious activities. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry - where Registry.registry_path = "*\\SOFTWARE\\*" Registry.registry_value_data = "Binary Data" - by Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.registry_key_name - | `drop_dm_object_name(Registry)` - | eval dropped_reg_path = split(registry_path, "\\") - | eval dropped_reg_path_split_count = mvcount(dropped_reg_path) +description: The following analytic detects potentially malicious registry modifications + characterized by MD5-like registry key names. It leverages the Endpoint data model + to identify registry entries under the SOFTWARE path with 32-character hexadecimal + names, a technique often used by NjRAT malware for fileless storage of keylogs and + .DLL plugins. This activity is significant as it can indicate the presence of NjRAT + or similar malware, which can lead to unauthorized data access and persistent threats + within the environment. If confirmed malicious, attackers could maintain persistence + and exfiltrate sensitive information. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime + max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path + = "*\\SOFTWARE\\*" Registry.registry_value_data = "Binary Data" by Registry.dest + Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_value_data + Registry.registry_key_name | `drop_dm_object_name(Registry)` | eval dropped_reg_path + = split(registry_path, "\\") | eval dropped_reg_path_split_count = mvcount(dropped_reg_path) | eval validation_result= if(match(registry_value_name,"^[0-9a-fA-F]{32}$"),"md5","nonmd5") - | where validation_result = "md5" AND dropped_reg_path_split_count <= 5 - | table dest user registry_path registry_value_name registry_value_data registry_key_name reg_key_name dropped_reg_path_split_count validation_result - | `security_content_ctime(lastTime)` - | `security_content_ctime(firstTime)` - | `windows_modify_registry_with_md5_reg_key_name_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that - include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. + | where validation_result = "md5" AND dropped_reg_path_split_count <= 5 | table + dest user registry_path registry_value_name registry_value_data registry_key_name + reg_key_name dropped_reg_path_split_count validation_result | `security_content_ctime(lastTime)` + | `security_content_ctime(firstTime)` | `windows_modify_registry_with_md5_reg_key_name_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the Filesystem responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Filesystem` node. known_false_positives: unknown references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat @@ -61,6 +65,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/njrat_md5_registry_entry/njrat_reg_binary.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/njrat_md5_registry_entry/njrat_reg_binary.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_modify_registry_wuserver.yml b/detections/endpoint/windows_modify_registry_wuserver.yml index 756a65ab11..3c71d7f3fc 100644 --- a/detections/endpoint/windows_modify_registry_wuserver.yml +++ b/detections/endpoint/windows_modify_registry_wuserver.yml @@ -1,26 +1,26 @@ name: Windows Modify Registry WuServer id: a02ad386-e26d-44ce-aa97-6a46cee31439 -version: 1 -date: '2023-04-21' +version: 2 +date: '2024-05-15' author: Teoderick Contreras, Splunk status: production type: Hunting data_source: - Sysmon EventID 12 - Sysmon EventID 13 -description: The following analytic identifies a suspicious registry modification of Windows auto update configuration. - This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or - to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. - RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. - This detection looks for registry modification related to the WSUS server used by Automatic Updates and (by default) API callers. - This policy is paired with WUStatusServer; both must be set to the same value in order for them to be valid. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry - where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\WUServer" - by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name - | `drop_dm_object_name(Registry)` - | `security_content_ctime(lastTime)` - | `security_content_ctime(firstTime)` - | `windows_modify_registry_wuserver_filter`' +description: The following analytic detects suspicious modifications to the Windows + Update Server (WUServer) registry settings. It leverages data from the Endpoint.Registry + data model to identify changes in the registry path associated with Windows Update + configurations. This activity is significant because adversaries, including malware + like RedLine Stealer, exploit this technique to bypass detection and deploy additional + payloads. If confirmed malicious, this registry modification could allow attackers + to evade defenses, potentially leading to further system compromise and persistent + unauthorized access. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\WUServer" + by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data + Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` + | `security_content_ctime(firstTime)` | `windows_modify_registry_wuserver_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, @@ -62,6 +62,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_modify_registry_wustatusserver.yml b/detections/endpoint/windows_modify_registry_wustatusserver.yml index f90cf34d51..92790bcc74 100644 --- a/detections/endpoint/windows_modify_registry_wustatusserver.yml +++ b/detections/endpoint/windows_modify_registry_wustatusserver.yml @@ -1,26 +1,26 @@ name: Windows Modify Registry wuStatusServer id: 073e69d0-68b2-4142-aa90-a7ee6f590676 -version: 1 -date: '2023-04-21' +version: 2 +date: '2024-05-31' author: Teoderick Contreras, Splunk status: production type: Hunting data_source: - Sysmon EventID 12 - Sysmon EventID 13 -description: The following analytic identifies a suspicious registry modification of Windows auto update configuration. - This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or - to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. - RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. - This detection looks for registry modification related to the server to which reporting information will be sent for client computers - that use the WSUS server configured by the WUServer key. This policy is paired with WUServer; both must be set to the same value in order for them to be valid. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry - where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\WUStatusServer" - by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name - | `drop_dm_object_name(Registry)` - | `security_content_ctime(lastTime)` - | `security_content_ctime(firstTime)` - | `windows_modify_registry_wustatusserver_filter`' +description: The following analytic identifies suspicious modifications to the Windows + Update configuration registry, specifically targeting the WUStatusServer key. It + leverages data from the Endpoint datamodel to detect changes in the registry path + associated with Windows Update settings. This activity is significant as it is commonly + used by adversaries, including malware like RedLine Stealer, to bypass detection + and deploy additional payloads. If confirmed malicious, this modification could + allow attackers to evade defenses, potentially leading to further system compromise + and persistent unauthorized access. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\WUStatusServer" + by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data + Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` + | `security_content_ctime(firstTime)` | `windows_modify_registry_wustatusserver_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, @@ -62,6 +62,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_modify_show_compress_color_and_info_tip_registry.yml b/detections/endpoint/windows_modify_show_compress_color_and_info_tip_registry.yml index 25e3634663..4f97037742 100644 --- a/detections/endpoint/windows_modify_show_compress_color_and_info_tip_registry.yml +++ b/detections/endpoint/windows_modify_show_compress_color_and_info_tip_registry.yml @@ -1,26 +1,28 @@ name: Windows Modify Show Compress Color And Info Tip Registry id: b7548c2e-9a10-11ec-99e3-acde48001122 -version: 3 -date: '2023-04-27' +version: 4 +date: '2024-05-27' author: Steven Dick, Teoderick Contreras, Splunk status: production type: TTP -description: This analytic is to look for suspicious registry modification related - to file compression color and information tips. This IOC was seen in hermetic wiper - where it has a thread that will create this registry entry to change the color of - compressed or encrypted files in NTFS file system as well as the pop up information - tips. This is a good indicator that a process tries to modified one of the registry - GlobalFolderOptions related to file compression attribution in terms of color in - NTFS file system. +description: The following analytic detects suspicious modifications to the Windows + registry keys related to file compression color and information tips. It leverages + data from the Endpoint.Registry data model, specifically monitoring changes to the + "ShowCompColor" and "ShowInfoTip" values under the "Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced" + path. This activity is significant as it was observed in the Hermetic Wiper malware, + indicating potential malicious intent to alter file attributes and user interface + elements. If confirmed malicious, this could signify an attempt to manipulate file + visibility and deceive users, potentially aiding in further malicious activities. data_source: - Sysmon EventID 12 - Sysmon EventID 13 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced*" - AND Registry.registry_value_name IN("ShowCompColor", "ShowInfoTip")) BY _time span=1h Registry.dest Registry.user - Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data - Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_show_compress_color_and_info_tip_registry_filter`' + AND Registry.registry_value_name IN("ShowCompColor", "ShowInfoTip")) BY _time span=1h + Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name + Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` + | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_modify_show_compress_color_and_info_tip_registry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical @@ -62,6 +64,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/hermetic_wiper/globalfolderoptions_reg/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/hermetic_wiper/globalfolderoptions_reg/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_modify_system_firewall_with_notable_process_path.yml b/detections/endpoint/windows_modify_system_firewall_with_notable_process_path.yml index 94b88c80ce..be273fc785 100644 --- a/detections/endpoint/windows_modify_system_firewall_with_notable_process_path.yml +++ b/detections/endpoint/windows_modify_system_firewall_with_notable_process_path.yml @@ -1,25 +1,30 @@ name: Windows Modify System Firewall with Notable Process Path id: cd6d7410-9146-4471-a418-49edba6dadc4 -version: 1 -date: '2023-12-12' +version: 2 +date: '2024-05-10' author: Teoderick Contreras, Will Metcalf, Splunk status: production type: TTP data_source: - Sysmon EventID 1 -description: The following analytic detects a potential suspicious modification of firewall - rule allowing to execute specific application in public and suspicious windows process file path. This technique was identified when - an adversary and red teams to bypassed firewall file execution restriction in a - targetted host. Take note that this event or command can run by administrator during - testing or allowing legitimate tool or application. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes - where Processes.process = "*firewall*" Processes.process = "*allow*" Processes.process = "*add*" Processes.process = "*ENABLE*" - Processes.process IN ("*\\windows\\fonts\\*", "*\\windows\\temp\\*", "*\\users\\public\\*", "*\\windows\\debug\\*", "*\\Users\\Administrator\\Music\\*", "*\\Windows\\servicing\\*", "*\\Users\\Default\\*","*Recycle.bin*", "*\\Windows\\Media\\*", "\\Windows\\repair\\*", "*\\temp\\*", "*\\PerfLogs\\*") - by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_modify_system_firewall_with_notable_process_path_filter`' +description: The following analytic detects suspicious modifications to system firewall + rules, specifically allowing execution of applications from notable and potentially + malicious file paths. This detection leverages data from Endpoint Detection and + Response (EDR) agents, focusing on command-line executions involving firewall rule + changes. This activity is significant as it may indicate an adversary attempting + to bypass firewall restrictions to execute malicious files. If confirmed malicious, + this could allow attackers to execute unauthorized code, potentially leading to + further system compromise, data exfiltration, or persistence within the environment. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process = "*firewall*" + Processes.process = "*allow*" Processes.process = "*add*" Processes.process = "*ENABLE*" + Processes.process IN ("*\\windows\\fonts\\*", "*\\windows\\temp\\*", "*\\users\\public\\*", + "*\\windows\\debug\\*", "*\\Users\\Administrator\\Music\\*", "*\\Windows\\servicing\\*", + "*\\Users\\Default\\*","*Recycle.bin*", "*\\Windows\\Media\\*", "\\Windows\\repair\\*", + "*\\temp\\*", "*\\PerfLogs\\*") by Processes.dest Processes.user Processes.parent_process_name + Processes.parent_process Processes.process_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_modify_system_firewall_with_notable_process_path_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -68,6 +73,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.004/njrat_add_firewall_rule/njrat_firewall_sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.004/njrat_add_firewall_rule/njrat_firewall_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_mof_event_triggered_execution_via_wmi.yml b/detections/endpoint/windows_mof_event_triggered_execution_via_wmi.yml index b4d639814c..ba34e91262 100644 --- a/detections/endpoint/windows_mof_event_triggered_execution_via_wmi.yml +++ b/detections/endpoint/windows_mof_event_triggered_execution_via_wmi.yml @@ -1,25 +1,25 @@ name: Windows MOF Event Triggered Execution via WMI id: e59b5a73-32bf-4467-a585-452c36ae10c1 -version: 2 -date: '2024-04-29' +version: 3 +date: '2024-05-24' author: Michael Haag, Splunk status: production type: TTP -description: The following anaytic identifies MOFComp.exe loading a MOF file. The - Managed Object Format (MOF) compiler parses a file containing MOF statements and - adds the classes and class instances defined in the file to the WMI repository. - Typically, MOFComp.exe does not reach out to the public internet or load a MOF file - from User Profile paths. A filter and consumer is typically registered in WMI. Review - parallel processes and query WMI subscriptions to gather artifacts. The default - path of mofcomp.exe is C:\Windows\System32\wbem. +description: The following analytic detects the execution of MOFComp.exe loading a + MOF file, often triggered by cmd.exe or powershell.exe, or from unusual paths like + User Profile directories. It leverages Endpoint Detection and Response (EDR) data, + focusing on process names, parent processes, and command-line executions. This activity + is significant as it may indicate an attacker using WMI for persistence or lateral + movement. If confirmed malicious, it could allow the attacker to execute arbitrary + code, maintain persistence, or escalate privileges within the environment. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name IN ("cmd.exe", "powershell.exe") Processes.process_name=mofcomp.exe) OR (Processes.process_name=mofcomp.exe - Processes.process IN ("*\\AppData\\Local\\*","*\\Users\\Public\\*")) - by Processes.dest Processes.user Processes.parent_process_name Processes.process_name - Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + Processes.process IN ("*\\AppData\\Local\\*","*\\Users\\Public\\*")) by Processes.dest + Processes.user Processes.parent_process_name Processes.process_name Processes.process + Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_mof_event_triggered_execution_via_wmi_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related @@ -88,7 +88,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.003/atomic_red_team/mofcomp.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.003/atomic_red_team/mofcomp.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_moveit_transfer_writing_aspx.yml b/detections/endpoint/windows_moveit_transfer_writing_aspx.yml index 26b12bd5a9..afa42c67af 100644 --- a/detections/endpoint/windows_moveit_transfer_writing_aspx.yml +++ b/detections/endpoint/windows_moveit_transfer_writing_aspx.yml @@ -1,19 +1,27 @@ name: Windows MOVEit Transfer Writing ASPX id: c0ed2aca-5666-45b3-813f-ddfac3f3eda0 -version: 1 -date: '2023-06-01' +version: 2 +date: '2024-05-11' author: Michael Haag, Splunk status: experimental type: TTP data_source: - Sysmon EventID 11 -description: The following analytic detects the creation of new ASPX files in the MOVEit Transfer application's "wwwroot" directory. This activity is indicative of the recent critical vulnerability found in MOVEit Transfer, where threat actors have been observed exploiting a zero-day vulnerability to install a malicious ASPX file (e.g., "human2.aspx") in the wwwroot directory. The injected file could then be used to exfiltrate sensitive data, including user credentials and file metadata. The vulnerability affects the MOVEit Transfer managed file transfer software developed by Progress, a subsidiary of US-based Progress Software Corporation. This analytic requires endpoint data reflecting process and filesystem activity. The identified process must be responsible for the creation of new ASPX or ASHX files in the specified directory. +description: The following analytic detects the creation of new ASPX files in the + MOVEit Transfer application's "wwwroot" directory. It leverages endpoint data on + process and filesystem activity to identify processes responsible for creating these + files. This activity is significant as it may indicate exploitation of a critical + zero-day vulnerability in MOVEit Transfer, used by threat actors to install malicious + ASPX files. If confirmed malicious, this could lead to exfiltration of sensitive + data, including user credentials and file metadata, posing a severe risk to the + organization's security. search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=System by _time span=1h Processes.process_id Processes.process_name Processes.dest | `drop_dm_object_name(Processes)` | join process_guid, _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*\\MOVEitTransfer\\wwwroot\\*") Filesystem.file_name - IN("*.aspx", "*.ashx", "*.asp*") OR Filesystem.file_name IN ("human2.aspx","_human2.aspx") by _time span=1h Filesystem.dest Filesystem.file_create_time + as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*\\MOVEitTransfer\\wwwroot\\*") + Filesystem.file_name IN("*.aspx", "*.ashx", "*.asp*") OR Filesystem.file_name IN + ("human2.aspx","_human2.aspx") by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` | fields _time dest file_create_time file_name file_path process_name process_path process] | dedup file_create_time | table dest file_create_time, file_name, file_path, @@ -26,11 +34,11 @@ known_false_positives: The query is structured in a way that `action` (read, cre is not defined. Review the results of this query, filter, and tune as necessary. It may be necessary to generate this query specific to your endpoint product. references: - - https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023 - - https://www.reddit.com/r/sysadmin/comments/13wxuej/critical_vulnerability_moveit_file_transfer/ - - https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/ - - https://www.reddit.com/r/sysadmin/comments/13wxuej/critical_vulnerability_moveit_file_transfer/ - - https://www.mandiant.com/resources/blog/zero-day-moveit-data-theft +- https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023 +- https://www.reddit.com/r/sysadmin/comments/13wxuej/critical_vulnerability_moveit_file_transfer/ +- https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/ +- https://www.reddit.com/r/sysadmin/comments/13wxuej/critical_vulnerability_moveit_file_transfer/ +- https://www.mandiant.com/resources/blog/zero-day-moveit-data-theft tags: analytic_story: - MOVEit Transfer Critical Vulnerability @@ -60,13 +68,14 @@ tags: - Filesystem.file_hash - Filesystem.user - Filesystem.file_create_time - - Processes.process_id + - Processes.process_id - Processes.process_name - Processes.dest security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.003/moveit_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.003/moveit_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_mshta_execution_in_registry.yml b/detections/endpoint/windows_mshta_execution_in_registry.yml index 45f01c7a32..49612a23f0 100644 --- a/detections/endpoint/windows_mshta_execution_in_registry.yml +++ b/detections/endpoint/windows_mshta_execution_in_registry.yml @@ -1,17 +1,18 @@ name: Windows Mshta Execution In Registry id: e13ceade-b673-4d34-adc4-4d9c01729753 -version: 1 -date: '2022-10-14' +version: 2 +date: '2024-05-12' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic identifies the usage of mshta.exe Windows binary - in registry to execute malicious script. This technique was seen in kovter malware - where it create several registry entry which is a encoded javascript and will be - executed by another registry containing mshta and javascript activexobject to execute - the encoded script using wscript.shell. This TTP is a good indication of kovter - malware or other adversaries or threat actors leveraging fileless detection that - survive system reboot. +description: The following analytic detects the execution of mshta.exe via registry + entries to run malicious scripts. It leverages registry activity logs to identify + entries containing "mshta," "javascript," "vbscript," or "WScript.Shell." This behavior + is significant as it indicates potential fileless malware, such as Kovter, which + uses encoded scripts in the registry to persist and execute without files. If confirmed + malicious, this activity could allow attackers to maintain persistence, execute + arbitrary code, and evade traditional file-based detection methods, posing a significant + threat to system integrity and security. data_source: - Sysmon EventID 12 - Sysmon EventID 13 @@ -66,7 +67,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/mshta_in_registry/sysmon3.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/mshta_in_registry/sysmon3.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_mshta_writing_to_world_writable_path.yml b/detections/endpoint/windows_mshta_writing_to_world_writable_path.yml index 37d114da15..cbe89e7960 100644 --- a/detections/endpoint/windows_mshta_writing_to_world_writable_path.yml +++ b/detections/endpoint/windows_mshta_writing_to_world_writable_path.yml @@ -1,25 +1,44 @@ name: Windows MSHTA Writing to World Writable Path id: efbcf8ee-bc75-47f1-8985-a5c638c4faf0 -version: 1 -date: '2024-03-26' +version: 2 +date: '2024-05-26' author: Michael Haag, Splunk data_source: - Sysmon EventID 11 type: TTP status: production -description: This detection identifies instances of the Windows utility `mshta.exe` being used to write files to world-writable directories, a technique commonly leveraged by adversaries to execute malicious scripts or payloads. Starting from 26 February 2024, APT29 has been observed distributing phishing attachments that lead to the download and execution of the ROOTSAW dropper via a compromised website. The ROOTSAW payload, utilizing obfuscated JavaScript, downloads a file named `invite.txt` to the `C:\Windows\Tasks` directory. This file is then decoded and decompressed to execute a malicious payload, often leveraging legitimate Windows binaries for malicious purposes, as seen with `SqlDumper.exe` in this campaign. \ - - The analytic is designed to detect the initial file write operation by `mshta.exe` to directories that are typically writable by any user, such as `C:\Windows\Tasks`, `C:\Windows\Temp`, and others. This behavior is indicative of an attempt to establish persistence, execute code, or both, as part of a multi-stage infection process. The detection focuses on the use of `mshta.exe` to write to these locations, which is a deviation from the utility's legitimate use cases and thus serves as a strong indicator of compromise (IoC). \ - - The ROOTSAW campaign associated with APT29 utilizes a sophisticated obfuscation technique and leverages multiple stages of payloads, ultimately leading to the execution of the WINELOADER malware. This detection aims to catch the early stages of such attacks, enabling defenders to respond before full compromise occurs. -search: '`sysmon` EventCode=11 Image="*\\mshta.exe" TargetFilename IN ("*\\Windows\\Tasks\\*", "*\\Windows\\Temp\\*", "*\\Windows\\tracing\\*", "*\\Windows\\PLA\\Reports\\*", "*\\Windows\\PLA\\Rules\\*", "*\\Windows\\PLA\\Templates\\*", "*\\Windows\\PLA\\Reports\\en-US\\*", "*\\Windows\\PLA\\Rules\\en-US\\*", "*\\Windows\\Registration\\CRMLog\\*", "*\\Windows\\System32\\Tasks\\*", "*\\Windows\\System32\\Com\\dmp\\*", "*\\Windows\\System32\\LogFiles\\WMI\\*", "*\\Windows\\System32\\Microsoft\\Crypto\\RSA\\MachineKeys\\*", "*\\Windows\\System32\\spool\\PRINTERS\\*", "*\\Windows\\System32\\spool\\SERVERS\\*", "*\\Windows\\System32\\spool\\drivers\\color\\*", "*\\Windows\\System32\\Tasks\\Microsoft\\Windows\\RemoteApp and Desktop Connections Update\\*", "*\\Windows\\SysWOW64\\Tasks\\*", "*\\Windows\\SysWOW64\\Com\\dmp\\*", "*\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\PLA\\*", "*\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\RemoteApp and Desktop Connections Update\\*", "*\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\PLA\\System\\*") - | rename Computer as dest, User as user - | stats count min(_time) as firstTime max(_time) as lastTime by dest, user, Image, TargetFilename - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_mshta_writing_to_world_writable_path_filter`' -how_to_implement: The analytic is designed to be run against Sysmon event logs collected from endpoints. The analytic requires the Sysmon event logs to be ingested into Splunk. The search focuses on EventCode 11 where the Image is `mshta.exe` and the TargetFilename is within world-writable directories such as `C:\Windows\Tasks`, `C:\Windows\Temp`, and others. The detection is designed to catch the initial file write operation by `mshta.exe` to these locations, which is indicative of an attempt to establish persistence or execute malicious code. The analytic can be modified to include additional world-writable directories as needed. -known_false_positives: False positives may occur if legitimate processes are writing to world-writable directories. It is recommended to investigate the context of the file write operation to determine if it is malicious or not. Modify the search to include additional known good paths for `mshta.exe` to reduce false positives. +description: The following analytic identifies instances of `mshta.exe` writing files + to world-writable directories. It leverages Sysmon EventCode 11 logs to detect file + write operations by `mshta.exe` to directories like `C:\Windows\Tasks` and `C:\Windows\Temp`. + This activity is significant as it often indicates an attempt to establish persistence + or execute malicious code, deviating from the utility's legitimate use. If confirmed + malicious, this behavior could lead to the execution of multi-stage payloads, potentially + resulting in full system compromise and unauthorized access to sensitive information. +search: '`sysmon` EventCode=11 Image="*\\mshta.exe" TargetFilename IN ("*\\Windows\\Tasks\\*", + "*\\Windows\\Temp\\*", "*\\Windows\\tracing\\*", "*\\Windows\\PLA\\Reports\\*", + "*\\Windows\\PLA\\Rules\\*", "*\\Windows\\PLA\\Templates\\*", "*\\Windows\\PLA\\Reports\\en-US\\*", + "*\\Windows\\PLA\\Rules\\en-US\\*", "*\\Windows\\Registration\\CRMLog\\*", "*\\Windows\\System32\\Tasks\\*", + "*\\Windows\\System32\\Com\\dmp\\*", "*\\Windows\\System32\\LogFiles\\WMI\\*", "*\\Windows\\System32\\Microsoft\\Crypto\\RSA\\MachineKeys\\*", + "*\\Windows\\System32\\spool\\PRINTERS\\*", "*\\Windows\\System32\\spool\\SERVERS\\*", + "*\\Windows\\System32\\spool\\drivers\\color\\*", "*\\Windows\\System32\\Tasks\\Microsoft\\Windows\\RemoteApp + and Desktop Connections Update\\*", "*\\Windows\\SysWOW64\\Tasks\\*", "*\\Windows\\SysWOW64\\Com\\dmp\\*", + "*\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\PLA\\*", "*\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\RemoteApp + and Desktop Connections Update\\*", "*\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\PLA\\System\\*") + | rename Computer as dest, User as user | stats count min(_time) as firstTime max(_time) + as lastTime by dest, user, Image, TargetFilename | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_mshta_writing_to_world_writable_path_filter`' +how_to_implement: The analytic is designed to be run against Sysmon event logs collected + from endpoints. The analytic requires the Sysmon event logs to be ingested into + Splunk. The search focuses on EventCode 11 where the Image is `mshta.exe` and the + TargetFilename is within world-writable directories such as `C:\Windows\Tasks`, + `C:\Windows\Temp`, and others. The detection is designed to catch the initial file + write operation by `mshta.exe` to these locations, which is indicative of an attempt + to establish persistence or execute malicious code. The analytic can be modified + to include additional world-writable directories as needed. +known_false_positives: False positives may occur if legitimate processes are writing + to world-writable directories. It is recommended to investigate the context of the + file write operation to determine if it is malicious or not. Modify the search to + include additional known good paths for `mshta.exe` to reduce false positives. references: - https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties - https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader @@ -61,6 +80,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/mshta_tasks_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/mshta_tasks_windows-sysmon.log sourcetype: xmlwineventlog source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_msiexec_hidewindow_rundll32_execution.yml b/detections/endpoint/windows_msiexec_hidewindow_rundll32_execution.yml index cc002bf578..c26455606b 100644 --- a/detections/endpoint/windows_msiexec_hidewindow_rundll32_execution.yml +++ b/detections/endpoint/windows_msiexec_hidewindow_rundll32_execution.yml @@ -1,24 +1,26 @@ name: Windows MsiExec HideWindow Rundll32 Execution id: 9683271d-92e4-43b5-a907-1983bfb9f7fd -version: 1 -date: '2024-01-03' +version: 2 +date: '2024-05-29' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 1 -description: The following analytic identifies a msiexec.exe process with hidewindow rundll32 process commandline. - One such tactic involves utilizing system processes like "msiexec," "hidewindow," and "rundll32" through command-line execution. - By leveraging these legitimate processes, QakBot masks its malicious operations, hiding behind seemingly normal system activities. - This clandestine approach allows the trojan to carry out unauthorized tasks discreetly, such as downloading additional payloads, - executing malicious code, or establishing communication with remote servers. This obfuscation through trusted system processes - enables QakBot to operate stealthily, evading detection by security mechanisms and perpetuating its harmful actions without raising suspicion. +description: The following analytic detects the execution of the msiexec.exe process + with the /HideWindow and rundll32 command-line parameters. It leverages data from + Endpoint Detection and Response (EDR) agents, focusing on process creation events + and command-line arguments. This activity is significant because it is a known tactic + used by malware like QakBot to mask malicious operations under legitimate system + processes. If confirmed malicious, this behavior could allow an attacker to download + additional payloads, execute malicious code, or establish communication with remote + servers, thereby evading detection and maintaining persistence. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name = msiexec.exe Processes.process = "* /HideWindow *" Processes.process = "* rundll32*" - by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` + as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name + = msiexec.exe Processes.process = "* /HideWindow *" Processes.process = "* rundll32*" + by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_msiexec_hidewindow_rundll32_execution_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related @@ -29,7 +31,8 @@ how_to_implement: The detection is based on data that originates from Endpoint D the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Other possible 3rd party msi software installers use this technique as part of its installation process. +known_false_positives: Other possible 3rd party msi software installers use this technique + as part of its installation process. references: - https://twitter.com/Max_Mal_/status/1736392741758611607 - https://twitter.com/1ZRR4H/status/1735944522075386332 @@ -39,7 +42,8 @@ tags: asset_type: Endpoint confidence: 70 impact: 70 - message: a msiexec parent process with /hidewindow rundll32 process commandline in $dest$ + message: a msiexec parent process with /hidewindow rundll32 process commandline + in $dest$ mitre_attack_id: - T1218.007 - T1218 @@ -71,6 +75,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.007/msiexec-hidewindow-rundll32/hidewndw-rundll32.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.007/msiexec-hidewindow-rundll32/hidewndw-rundll32.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_msiexec_spawn_windbg.yml b/detections/endpoint/windows_msiexec_spawn_windbg.yml index 5b1532788c..39ee45ee9c 100644 --- a/detections/endpoint/windows_msiexec_spawn_windbg.yml +++ b/detections/endpoint/windows_msiexec_spawn_windbg.yml @@ -1,21 +1,37 @@ name: Windows MSIExec Spawn WinDBG id: 9a18f7c2-1fe3-47b8-9467-8b3976770a30 -version: 1 -date: '2023-10-31' +version: 2 +date: '2024-05-28' author: Michael Haag, Splunk status: production type: TTP data_source: - Sysmon EventID 1 -description: This analytic identifies the unusual behavior of MSIExec spawning WinDBG. It is designed to detect potential malicious activities. The search specifically looks for instances where the parent process name is 'msiexec.exe' and the process name is 'windbg.exe'. During the triage process, it is recommended to review the file path for additional artifacts that may provide further insights into the event. +description: The following analytic identifies the unusual behavior of MSIExec spawning + WinDBG. It detects this activity by analyzing endpoint telemetry data, specifically + looking for instances where 'msiexec.exe' is the parent process of 'windbg.exe'. + This behavior is significant as it may indicate an attempt to debug or tamper with + system processes, which is uncommon in typical user activity and could signify malicious + intent. If confirmed malicious, this activity could allow an attacker to manipulate + or inspect running processes, potentially leading to privilege escalation or persistence + within the environment. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=msiexec.exe Processes.process_name=windbg.exe by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process_path Processes.parent_process Processes.process_name Processes.process_path - Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)`| `windows_msiexec_spawn_windbg_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives will only be present if the MSIExec process legitimately spawns WinDBG. Filter as needed. + as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=msiexec.exe + Processes.process_name=windbg.exe by Processes.dest Processes.user Processes.parent_process_name + Processes.parent_process_path Processes.parent_process Processes.process_name Processes.process_path + Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_msiexec_spawn_windbg_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives will only be present if the MSIExec process + legitimately spawns WinDBG. Filter as needed. references: - https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2023-10-25-IOCs-from-DarkGate-activity.txt tags: @@ -66,6 +82,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.007/atomic_red_team/windbg_msiexec.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.007/atomic_red_team/windbg_msiexec.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_multi_hop_proxy_tor_website_query.yml b/detections/endpoint/windows_multi_hop_proxy_tor_website_query.yml index 4f8a5b9c7c..ac04567ed7 100644 --- a/detections/endpoint/windows_multi_hop_proxy_tor_website_query.yml +++ b/detections/endpoint/windows_multi_hop_proxy_tor_website_query.yml @@ -1,21 +1,24 @@ name: Windows Multi hop Proxy TOR Website Query id: 4c2d198b-da58-48d7-ba27-9368732d0054 -version: 1 -date: '2022-09-16' +version: 2 +date: '2024-05-22' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic identifies a dns query to a known TOR proxy website. - This technique was seen in several adversaries, threat actors and malware like AgentTesla - to To disguise the source of its malicious traffic. adversaries may chain together - multiple proxies. This Anomaly detection might be a good pivot for a process trying - to download or use TOR proxies in a compromised host machine. +description: The following analytic identifies DNS queries to known TOR proxy websites, + such as "*.torproject.org" and "www.theonionrouter.com". It leverages Sysmon EventCode + 22 to detect these queries by monitoring DNS query events from endpoints. This activity + is significant because adversaries often use TOR proxies to disguise the source + of their malicious traffic, making it harder to trace their actions. If confirmed + malicious, this behavior could indicate an attempt to obfuscate network traffic, + potentially allowing attackers to exfiltrate data or communicate with command and + control servers undetected. data_source: - Sysmon EventID 22 search: '`sysmon` EventCode=22 QueryName IN ("*.torproject.org", "www.theonionrouter.com") | stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName - QueryStatus ProcessId Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `windows_multi_hop_proxy_tor_website_query_filter`' + QueryStatus ProcessId Computer | rename Computer as dest | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_multi_hop_proxy_tor_website_query_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and sysmon eventcode = 22 dns query events from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the @@ -56,7 +59,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/agent_tesla/agent_tesla_tor_dns_query/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/agent_tesla/agent_tesla_tor_dns_query/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_multiple_account_passwords_changed.yml b/detections/endpoint/windows_multiple_account_passwords_changed.yml index 67861e1700..a699fadee2 100644 --- a/detections/endpoint/windows_multiple_account_passwords_changed.yml +++ b/detections/endpoint/windows_multiple_account_passwords_changed.yml @@ -1,22 +1,30 @@ name: Windows Multiple Account Passwords Changed id: faefb681-14be-4f0d-9cac-0bc0160c7280 -version: 1 -date: '2024-02-20' +version: 2 +date: '2024-05-19' author: Mauricio Velazco, Splunk data_source: - Windows Event Log Security 4724 type: TTP status: production -description: This Splunk detection identifies situations where over five unique Windows account passwords are changed within a 10-minute interval, captured by Event Code 4724 in the Windows Security Event Log. The query utilizes the wineventlog_security dataset, organizing data into 10-minute periods to monitor the count and distinct count of TargetUserName, the accounts with altered passwords. Rapid password changes across multiple accounts are atypical and might indicate unauthorized access or an internal actor compromising account security. Teams should calibrate the detection's threshold and timeframe to fit their specific operational context. -search: ' `wineventlog_security` EventCode=4724 status=success - | bucket span=10m _time - | stats count dc(user) as unique_users values(user) as user by EventCode signature _time src_user SubjectDomainName TargetDomainName Logon_ID - | where unique_users > 5 - | `windows_multiple_account_passwords_changed_filter`' +description: The following analytic detects instances where more than five unique + Windows account passwords are changed within a 10-minute interval. It leverages + Event Code 4724 from the Windows Security Event Log, using the wineventlog_security + dataset to monitor and count distinct TargetUserName values. This behavior is significant + as rapid password changes across multiple accounts are unusual and may indicate + unauthorized access or internal compromise. If confirmed malicious, this activity + could lead to widespread account compromise, unauthorized access to sensitive information, + and potential disruption of services. +search: ' `wineventlog_security` EventCode=4724 status=success | bucket span=10m _time + | stats count dc(user) as unique_users values(user) as user by EventCode signature + _time src_user SubjectDomainName TargetDomainName Logon_ID | where unique_users + > 5 | `windows_multiple_account_passwords_changed_filter`' how_to_implement: To successfully implement this search, you need to be ingesting - Domain Controller events with the Windows TA. The Advanced Security Audit policy setting - `Audit User Account Management` within `Account Management` needs to be enabled. -known_false_positives: Service accounts may be responsible for the creation, deletion or modification of accounts for legitimate purposes. Filter as needed. + Domain Controller events with the Windows TA. The Advanced Security Audit policy + setting `Audit User Account Management` within `Account Management` needs to be + enabled. +known_false_positives: Service accounts may be responsible for the creation, deletion + or modification of accounts for legitimate purposes. Filter as needed. references: - https://attack.mitre.org/techniques/T1098/ tags: @@ -25,7 +33,8 @@ tags: asset_type: Endpoint confidence: 60 impact: 40 - message: User $src_user$ changed the passwords of multiple accounts in a short period of time. + message: User $src_user$ changed the passwords of multiple accounts in a short period + of time. mitre_attack_id: - T1098 - T1078 @@ -54,6 +63,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/windows_multiple_passwords_changed/windows_multiple_passwords_changed.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/windows_multiple_passwords_changed/windows_multiple_passwords_changed.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_multiple_accounts_deleted.yml b/detections/endpoint/windows_multiple_accounts_deleted.yml index 01bffce3e1..9b49d44623 100644 --- a/detections/endpoint/windows_multiple_accounts_deleted.yml +++ b/detections/endpoint/windows_multiple_accounts_deleted.yml @@ -1,22 +1,29 @@ name: Windows Multiple Accounts Deleted id: 49c0d4d6-c55d-4d3a-b3d5-7709fafed70d -version: 1 -date: '2024-02-21' +version: 2 +date: '2024-05-21' author: Mauricio Velazco, Splunk data_source: - Windows Event Log Security 4726 type: TTP status: production -description: The following analytic flags when more than five unique Windows accounts are deleted within a 10-minute period, identified by Event Code 4726 in the Windows Security Event Log. Using the wineventlog_security dataset, it segments data into 10-minute intervals to monitor account deletions, a pattern that could suggest malicious intent like an attacker erasing traces. Teams should adjust the detection's threshold and timeframe to suit their specific environment. -search: ' `wineventlog_security` EventCode=4726 status=success - | bucket span=10m _time - | stats count dc(user) as unique_users values(user) as user by EventCode signature _time src_user SubjectDomainName TargetDomainName Logon_ID - | where unique_users > 5 - | `windows_multiple_accounts_deleted_filter`' +description: The following analytic detects the deletion of more than five unique + Windows accounts within a 10-minute period, using Event Code 4726 from the Windows + Security Event Log. It leverages the `wineventlog_security` dataset, segmenting + data into 10-minute intervals to identify suspicious account deletions. This activity + is significant as it may indicate an attacker attempting to erase traces of their + actions. If confirmed malicious, this could lead to unauthorized access removal, + hindering incident response and forensic investigations. +search: ' `wineventlog_security` EventCode=4726 status=success | bucket span=10m _time + | stats count dc(user) as unique_users values(user) as user by EventCode signature + _time src_user SubjectDomainName TargetDomainName Logon_ID | where unique_users + > 5 | `windows_multiple_accounts_deleted_filter`' how_to_implement: To successfully implement this search, you need to be ingesting - Domain Controller events with the Windows TA. The Advanced Security Audit policy setting - `Audit User Account Management` within `Account Management` needs to be enabled. -known_false_positives: Service accounts may be responsible for the creation, deletion or modification of accounts for legitimate purposes. Filter as needed. + Domain Controller events with the Windows TA. The Advanced Security Audit policy + setting `Audit User Account Management` within `Account Management` needs to be + enabled. +known_false_positives: Service accounts may be responsible for the creation, deletion + or modification of accounts for legitimate purposes. Filter as needed. references: - https://attack.mitre.org/techniques/T1098/ tags: @@ -54,6 +61,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/windows_multiple_accounts_deleted/windows_multiple_accounts_deleted.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/windows_multiple_accounts_deleted/windows_multiple_accounts_deleted.log source: XmlWinEventLog:Security - sourcetype: XmlWinEventLog \ No newline at end of file + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_multiple_accounts_disabled.yml b/detections/endpoint/windows_multiple_accounts_disabled.yml index ba814f89cc..38cc7c019c 100644 --- a/detections/endpoint/windows_multiple_accounts_disabled.yml +++ b/detections/endpoint/windows_multiple_accounts_disabled.yml @@ -1,22 +1,30 @@ name: Windows Multiple Accounts Disabled id: 5d93894e-befa-4429-abde-7fc541020b7b -version: 1 -date: '2024-02-21' +version: 2 +date: '2024-05-12' author: Mauricio Velazco, Splunk data_source: - Windows Event Log Security 4725 type: TTP status: production -description: This Splunk detection focuses on instances where more than five unique Windows accounts are disabled within a 10-minute window, as indicated by Event Code 4725 in the Windows Security Event Log. The query analyzes the wineventlog_security dataset, grouping data into 10-minute segments, and tracks the count and distinct count of TargetUserName, the accounts being disabled. This pattern of disabling multiple accounts rapidly is unusual and could signal internal policy breaches or an external attacker's attempt to disrupt normal operations. Teams are advised to tailor the threshold and timeframe of this detection to their environment's specifics -search: ' `wineventlog_security` EventCode=4725 status=success - | bucket span=10m _time - | stats count dc(user) as unique_users values(user) as user by EventCode signature _time src_user SubjectDomainName TargetDomainName Logon_ID - | where unique_users > 5 - | `windows_multiple_accounts_disabled_filter`' +description: The following analytic identifies instances where more than five unique + Windows accounts are disabled within a 10-minute window, as indicated by Event Code + 4725 in the Windows Security Event Log. It leverages the wineventlog_security dataset, + grouping data into 10-minute segments and tracking the count and distinct count + of TargetUserName. This behavior is significant as it may indicate internal policy + breaches or an external attacker's attempt to disrupt operations. If confirmed malicious, + this activity could lead to widespread account lockouts, hindering user access and + potentially disrupting business operations. +search: ' `wineventlog_security` EventCode=4725 status=success | bucket span=10m _time + | stats count dc(user) as unique_users values(user) as user by EventCode signature + _time src_user SubjectDomainName TargetDomainName Logon_ID | where unique_users + > 5 | `windows_multiple_accounts_disabled_filter`' how_to_implement: To successfully implement this search, you need to be ingesting - Domain Controller events with the Windows TA. The Advanced Security Audit policy setting - `Audit User Account Management` within `Account Management` needs to be enabled. -known_false_positives: Service accounts may be responsible for the creation, deletion or modification of accounts for legitimate purposes. Filter as needed. + Domain Controller events with the Windows TA. The Advanced Security Audit policy + setting `Audit User Account Management` within `Account Management` needs to be + enabled. +known_false_positives: Service accounts may be responsible for the creation, deletion + or modification of accounts for legitimate purposes. Filter as needed. references: - https://attack.mitre.org/techniques/T1098/ tags: @@ -54,6 +62,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/windows_multiple_accounts_disabled/windows_multiple_accounts_disabled.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/windows_multiple_accounts_disabled/windows_multiple_accounts_disabled.log source: XmlWinEventLog:Security - sourcetype: XmlWinEventLog \ No newline at end of file + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_multiple_disabled_users_failed_to_authenticate_wth_kerberos.yml b/detections/endpoint/windows_multiple_disabled_users_failed_to_authenticate_wth_kerberos.yml index c98402540b..0fc83fc237 100644 --- a/detections/endpoint/windows_multiple_disabled_users_failed_to_authenticate_wth_kerberos.yml +++ b/detections/endpoint/windows_multiple_disabled_users_failed_to_authenticate_wth_kerberos.yml @@ -1,25 +1,15 @@ author: Mauricio Velazco, Splunk data_source: - Windows Event Log Security 4768 -date: '2021-04-14' -description: 'The following analytic identifies one source endpoint failing to authenticate +date: '2024-05-28' +description: 'The following analytic detects a single source endpoint failing to authenticate with 30 unique disabled domain users using the Kerberos protocol within 5 minutes. - This behavior could represent an adversary performing a Password Spraying attack - against an Active Directory environment using Kerberos to obtain initial access - or elevate privileges. Active Directory environments can be very different depending - on the organization. Users should test this detection and customize the arbitrary - threshold when needed. As attackers progress in a breach, mistakes will be made. - In certain scenarios, adversaries may execute a password spraying attack against - disabled users. Event 4768 is generated every time the Key Distribution Center issues - a Kerberos Ticket Granting Ticket (TGT). Failure code `0x12` stands for `clients - credentials have been revoked` (account disabled, expired or locked out). - - This logic can be used for real time security monitoring as well as threat hunting - exercises. This detection will only trigger on domain controllers, not on member - servers or workstations. - - The analytics returned fields allow analysts to investigate the event further by - providing fields like source ip and attempted user accounts.' + It leverages Windows Security Event 4768, focusing on failure code `0x12`, indicating + revoked credentials. This activity is significant as it may indicate a Password + Spraying attack targeting disabled accounts, a tactic used by adversaries to gain + initial access or elevate privileges. If confirmed malicious, this could lead to + unauthorized access or privilege escalation within the Active Directory environment, + posing a severe security risk.' how_to_implement: To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. @@ -55,7 +45,7 @@ tags: - name: IpAddress type: IP Address role: - - Attacker + - Attacker product: - Splunk Enterprise - Splunk Enterprise Security @@ -70,9 +60,10 @@ tags: security_domain: endpoint tests: - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_disabled_users_kerberos_xml/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_disabled_users_kerberos_xml/windows-security.log source: XmlWinEventLog:Security sourcetype: xmlwineventlog name: True Positive Test type: TTP -version: 2 +version: 3 diff --git a/detections/endpoint/windows_multiple_invalid_users_fail_to_authenticate_using_kerberos.yml b/detections/endpoint/windows_multiple_invalid_users_fail_to_authenticate_using_kerberos.yml index d738b9a399..a369d3a1f0 100644 --- a/detections/endpoint/windows_multiple_invalid_users_fail_to_authenticate_using_kerberos.yml +++ b/detections/endpoint/windows_multiple_invalid_users_fail_to_authenticate_using_kerberos.yml @@ -1,25 +1,15 @@ author: Mauricio Velazco, Splunk data_source: - Windows Event Log Security 4768 -date: '2021-04-14' -description: 'The following analytic identifies one source endpoint failing to authenticate - with 30 unique invalid domain users using the Kerberos protocol. This behavior could - represent an adversary performing a Password Spraying attack against an Active Directory - environment using Kerberos to obtain initial access or elevate privileges. Active - Directory environments can be very different depending on the organization. Users - should test this detection and customize the arbitrary threshold when needed. As - attackers progress in a breach, mistakes will be made. In certain scenarios, adversaries - may execute a password spraying attack using an invalid list of users. Event 4768 - is generated every time the Key Distribution Center issues a Kerberos Ticket Granting - Ticket (TGT). Failure code 0x6 stands for `client not found in Kerberos database` - (the attempted user is not a valid domain user). - - This logic can be used for real time security monitoring as well as threat hunting - exercises. This detection will only trigger on domain controllers, not on member - servers or workstations. - - The analytics returned fields allow analysts to investigate the event further by - providing fields like source ip and attempted user accounts.' +date: '2024-05-21' +description: 'The following analytic identifies a source endpoint failing to authenticate + with 30 unique invalid domain users using the Kerberos protocol. This detection + leverages EventCode 4768, specifically looking for failure code 0x6, indicating + the user is not found in the Kerberos database. This activity is significant as + it may indicate a Password Spraying attack, where an adversary attempts to gain + initial access or elevate privileges. If confirmed malicious, this could lead to + unauthorized access or privilege escalation within the Active Directory environment, + posing a significant security risk.' how_to_implement: To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. @@ -33,7 +23,7 @@ references: - https://attack.mitre.org/techniques/T1110/003/ search: '`wineventlog_security` EventCode=4768 TargetUserName!=*$ Status=0x6 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) - as user by _time, IpAddress | where unique_accounts > 30 | `windows_multiple_invalid_users_fail_to_authenticate_using_kerberos_filter` ' + as user by _time, IpAddress | where unique_accounts > 30 | `windows_multiple_invalid_users_fail_to_authenticate_using_kerberos_filter`' status: production tags: analytic_story: @@ -55,7 +45,7 @@ tags: - name: IpAddress type: Endpoint role: - - Attacker + - Attacker product: - Splunk Enterprise - Splunk Enterprise Security @@ -70,9 +60,10 @@ tags: security_domain: endpoint tests: - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_kerberos_xml/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_kerberos_xml/windows-security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog name: True Positive Test type: TTP -version: 2 +version: 3 diff --git a/detections/endpoint/windows_multiple_invalid_users_failed_to_authenticate_using_ntlm.yml b/detections/endpoint/windows_multiple_invalid_users_failed_to_authenticate_using_ntlm.yml index 55899adff2..4a0d9fefbf 100644 --- a/detections/endpoint/windows_multiple_invalid_users_failed_to_authenticate_using_ntlm.yml +++ b/detections/endpoint/windows_multiple_invalid_users_failed_to_authenticate_using_ntlm.yml @@ -1,26 +1,15 @@ author: Mauricio Velazco, Splunk data_source: - Windows Event Log Security 4776 -date: '2021-04-15' -description: 'The following analytic identifies one source endpoint failing to authenticate - with 30 unique invalid users using the NTLM protocol. This behavior could represent - an adversary performing a Password Spraying attack against an Active Directory environment - using NTLM to obtain initial access or elevate privileges. Active Directory environments - can be very different depending on the organization. Users should test this detection - and customize the arbitrary threshold when needed. As attackers progress in a breach, - mistakes will be made. In certain scenarios, adversaries may execute a password - spraying attack using an invalid list of users. Event 4776 is generated on the computer - that is authoritative for the provided credentials. For domain accounts, the domain - controller is authoritative. For local accounts, the local computer is authoritative. - Error code 0xC0000064 stands for `The username you typed does not exist` (the attempted - user is a legitimate domain user). - - This logic can be used for real time security monitoring as well as threat hunting - exercises. This detection will only trigger on domain controllers, not on member - servers or workstations. - - The analytics returned fields allow analysts to investigate the event further by - providing fields like source workstation name and attempted user accounts.' +date: '2024-05-17' +description: 'The following analytic detects a single source endpoint failing to authenticate + with 30 unique invalid users using the NTLM protocol. It leverages EventCode 4776 + from Domain Controller logs, focusing on error code 0xC0000064, which indicates + non-existent usernames. This behavior is significant as it may indicate a Password + Spraying attack, where an adversary attempts to gain initial access or elevate privileges. + If confirmed malicious, this activity could lead to unauthorized access, privilege + escalation, and potential compromise of sensitive information within the Active + Directory environment.' how_to_implement: To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `Audit Credential Validation' within `Account Logon` needs to be enabled. @@ -69,9 +58,10 @@ tags: security_domain: endpoint tests: - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_ntlm_xml/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_ntlm_xml/windows-security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog name: True Positive Test type: TTP -version: 2 +version: 3 diff --git a/detections/endpoint/windows_multiple_users_fail_to_authenticate_wth_explicitcredentials.yml b/detections/endpoint/windows_multiple_users_fail_to_authenticate_wth_explicitcredentials.yml index 9d433582d8..2c0916a271 100644 --- a/detections/endpoint/windows_multiple_users_fail_to_authenticate_wth_explicitcredentials.yml +++ b/detections/endpoint/windows_multiple_users_fail_to_authenticate_wth_explicitcredentials.yml @@ -1,24 +1,15 @@ author: Mauricio Velazco, Splunk data_source: - Windows Event Log Security 4648 -date: '2021-04-13' +date: '2024-05-17' description: 'The following analytic identifies a source user failing to authenticate - with 30 unique users using explicit credentials on a host. This behavior could represent - an adversary performing a Password Spraying attack against an Active Directory environment - to obtain initial access or elevate privileges. Active Directory environments can - be very different depending on the organization. Users should test this detection - and customize the arbitrary threshold when needed. Event 4648 is generated when - a process attempts an account logon by explicitly specifying that accounts credentials. - This event generates on domain controllers, member servers, and workstations. - - This logic can be used for real time security monitoring as well as threat hunting - exercises. This detection will trigger on the potenfially malicious host, perhaps - controlled via a trojan or operated by an insider threat, from where a password - spraying attack is being executed. - - The analytics returned fields allow analysts to investigate the event further by - providing fields like source account, attempted user accounts and the endpoint were - the behavior was identified.' + with 30 unique users using explicit credentials on a host. It leverages Windows + Event 4648, which is generated when a process attempts an account logon by explicitly + specifying account credentials. This detection is significant as it may indicate + a Password Spraying attack, where an adversary attempts to gain initial access or + elevate privileges within an Active Directory environment. If confirmed malicious, + this activity could lead to unauthorized access, privilege escalation, and potential + compromise of sensitive information.' how_to_implement: To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs @@ -37,7 +28,7 @@ references: search: ' `wineventlog_security` EventCode=4648 Caller_User_Name!=*$ Target_User_Name!=*$ | bucket span=5m _time | stats dc(Target_User_Name) AS unique_accounts values(Target_User_Name) as tried_account by _time, Computer, Caller_User_Name | where unique_accounts > - 30 | `windows_multiple_users_fail_to_authenticate_wth_explicitcredentials_filter` ' + 30 | `windows_multiple_users_fail_to_authenticate_wth_explicitcredentials_filter`' status: production tags: analytic_story: @@ -70,9 +61,10 @@ tags: security_domain: endpoint tests: - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_explicit_credential_spray_xml/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_explicit_credential_spray_xml/windows-security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog name: True Positive Test type: TTP -version: 2 +version: 3 diff --git a/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_host_using_ntlm.yml b/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_host_using_ntlm.yml index 43054b767c..1ca6318c8d 100644 --- a/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_host_using_ntlm.yml +++ b/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_host_using_ntlm.yml @@ -1,24 +1,14 @@ author: Mauricio Velazco, Splunk data_source: - Windows Event Log Security 4776 -date: '2021-04-13' -description: 'The following analytic identifies one source endpoint failing to authenticate - with 30 unique valid users using the NTLM protocol. This behavior could represent - an adversary performing a Password Spraying attack against an Active Directory environment - using NTLM to obtain initial access or elevate privileges. Active Directory environments - can be very different depending on the organization. Users should test this detection - and customize the arbitrary threshold when needed. Event 4776 is generated on the - computer that is authoritative for the provided credentials. For domain accounts, - the domain controller is authoritative. For local accounts, the local computer is - authoritative. Error code 0xC000006A means: misspelled or bad password (the attempted - user is a legitimate domain user). - - This logic can be used for real time security monitoring as well as threat hunting - exercises. This detection will only trigger on domain controllers, not on member - servers or workstations. - - The analytics returned fields allow analysts to investigate the event further by - providing fields like source workstation name and attempted user accounts.' +date: '2024-05-26' +description: 'The following analytic identifies a single source endpoint failing to + authenticate with 30 unique valid users using the NTLM protocol. It leverages EventCode + 4776 from Domain Controller logs, focusing on error code 0xC000006A, which indicates + a bad password. This behavior is significant as it may indicate a Password Spraying + attack, where an adversary attempts to gain initial access or elevate privileges. + If confirmed malicious, this activity could lead to unauthorized access to sensitive + information or further compromise of the Active Directory environment.' how_to_implement: To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `Audit Credential Validation` within `Account Logon` needs to be enabled. @@ -67,9 +57,10 @@ tags: security_domain: endpoint tests: - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_valid_users_ntlm_xml/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_valid_users_ntlm_xml/windows-security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog name: True Positive Test type: TTP -version: 2 +version: 3 diff --git a/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_process.yml b/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_process.yml index 2a396e394c..596020b269 100644 --- a/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_process.yml +++ b/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_process.yml @@ -1,24 +1,14 @@ author: Mauricio Velazco, Splunk data_source: - Windows Event Log Security 4625 -date: '2021-04-13' -description: 'The following analytic identifies a source process name failing to authenticate - with 30 uniquer users. This behavior could represent an adversary performing a Password - Spraying attack against an Active Directory environment to obtain initial access - or elevate privileges. Active Directory environments can be very different depending - on the organization. Users should test this detection and customize the arbitrary - threshold when needed. Event 4625 generates on domain controllers, member servers, - and workstations when an account fails to logon. Logon Type 2 describes an iteractive - logon attempt. - - This logic can be used for real time security monitoring as well as threat hunting - exercises. This detection will trigger on the potenfially malicious host, perhaps - controlled via a trojan or operated by an insider threat, from where a password - spraying attack is being executed. This could be a domain controller as well as - a member server or workstation. - - The analytics returned fields allow analysts to investigate the event further by - providing fields like source process name, source account and attempted user accounts.' +date: '2024-05-25' +description: 'The following analytic detects a source process failing to authenticate + with 30 unique users, indicating a potential Password Spraying attack. It leverages + Windows Event 4625 with Logon Type 2, collected from domain controllers, member + servers, and workstations. This activity is significant as it may represent an adversary + attempting to gain initial access or elevate privileges within an Active Directory + environment. If confirmed malicious, this could lead to unauthorized access, privilege + escalation, or further compromise of the network, posing a severe security risk.' how_to_implement: To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers aas well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs @@ -35,8 +25,8 @@ references: - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events search: ' `wineventlog_security` EventCode=4625 Logon_Type=2 ProcessName!="-" | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) - as tried_accounts by _time, ProcessName, SubjectUserName, Computer | rename Computer as dest | where unique_accounts - > 30 | `windows_multiple_users_failed_to_authenticate_from_process_filter`' + as tried_accounts by _time, ProcessName, SubjectUserName, Computer | rename Computer + as dest | where unique_accounts > 30 | `windows_multiple_users_failed_to_authenticate_from_process_filter`' status: production tags: analytic_story: @@ -71,9 +61,10 @@ tags: security_domain: endpoint tests: - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_multiple_users_from_process_xml/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_multiple_users_from_process_xml/windows-security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog name: True Positive Test type: TTP -version: 2 +version: 3 diff --git a/detections/endpoint/windows_multiple_users_failed_to_authenticate_using_kerberos.yml b/detections/endpoint/windows_multiple_users_failed_to_authenticate_using_kerberos.yml index e45b8f4cf1..3b007a7059 100644 --- a/detections/endpoint/windows_multiple_users_failed_to_authenticate_using_kerberos.yml +++ b/detections/endpoint/windows_multiple_users_failed_to_authenticate_using_kerberos.yml @@ -1,23 +1,15 @@ author: Mauricio Velazco, Splunk data_source: - Windows Event Log Security 4771 -date: '2021-04-08' -description: 'The following analytic identifies one source endpoint failing to authenticate - with 30 unique users using the Kerberos protocol. This behavior could represent - an adversary performing a Password Spraying attack against an Active Directory environment - using Kerberos to obtain initial access or elevate privileges. Active Directory - environments can be very different depending on the organization. Users should test - this detection and customize the arbitrary threshold when needed. Event 4771 is - generated when the Key Distribution Center fails to issue a Kerberos Ticket Granting - Ticket (TGT). Failure code 0x18 stands for `wrong password provided` (the attempted - user is a legitimate domain user). - - This logic can be used for real time security monitoring as well as threat hunting - exercises. This detection will only trigger on domain controllers, not on member - servers or workstations. - - The analytics returned fields allow analysts to investigate the event further by - providing fields like source ip and attempted user accounts.' +date: '2024-05-16' +description: 'The following analytic identifies a single source endpoint failing to + authenticate with 30 unique users using the Kerberos protocol. It leverages EventCode + 4771 with Status 0x18, indicating wrong password attempts, and aggregates these + events over a 5-minute window. This behavior is significant as it may indicate a + Password Spraying attack, where an adversary attempts to gain initial access or + elevate privileges in an Active Directory environment. If confirmed malicious, this + activity could lead to unauthorized access, privilege escalation, and potential + compromise of sensitive information.' how_to_implement: To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. @@ -70,9 +62,10 @@ tags: security_domain: endpoint tests: - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_valid_users_kerberos_xml/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_valid_users_kerberos_xml/windows-security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog name: True Positive Test type: TTP -version: 2 +version: 3 diff --git a/detections/endpoint/windows_multiple_users_remotely_failed_to_authenticate_from_host.yml b/detections/endpoint/windows_multiple_users_remotely_failed_to_authenticate_from_host.yml index 3a00966b45..8084bdfb50 100644 --- a/detections/endpoint/windows_multiple_users_remotely_failed_to_authenticate_from_host.yml +++ b/detections/endpoint/windows_multiple_users_remotely_failed_to_authenticate_from_host.yml @@ -1,24 +1,15 @@ author: Mauricio Velazco, Splunk data_source: - Windows Event Log Security 4625 -date: '2021-04-13' +date: '2024-05-28' description: 'The following analytic identifies a source host failing to authenticate - against a remote host with 30 unique users. This behavior could represent an adversary - performing a Password Spraying attack against an Active Directory environment to - obtain initial access or elevate privileges. Active Directory environments can be - very different depending on the organization. Users should test this detection and - customize the arbitrary threshold when needed. Event 4625 documents each and every - failed attempt to logon to the local computer. This event generates on domain controllers, - member servers, and workstations. Logon Type 3 describes an remote authentication - attempt. - - This logic can be used for real time security monitoring as well as threat hunting - exercises. This detection will trigger on the host that is the target of the password - spraying attack. This could be a domain controller as well as a member server or - workstation. - - The analytics returned fields allow analysts to investigate the event further by - providing fields like source process name, source account and attempted user accounts.' + against a remote host with 30 unique users. It leverages Windows Event 4625 with + Logon Type 3, indicating remote authentication attempts. This behavior is significant + as it may indicate a Password Spraying attack, where an adversary attempts to gain + initial access or elevate privileges in an Active Directory environment. If confirmed + malicious, this activity could lead to unauthorized access, privilege escalation, + and potential compromise of sensitive information. This detection is crucial for + real-time security monitoring and threat hunting.' how_to_implement: To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs @@ -36,7 +27,7 @@ references: - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events search: ' `wineventlog_security` EventCode=4625 Logon_Type=3 IpAddress!="-" | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) - as tried_accounts by _time, IpAddress, Computer | rename Computer as dest| where unique_accounts > 30 | `windows_multiple_users_remotely_failed_to_authenticate_from_host_filter` ' + as tried_accounts by _time, IpAddress, Computer | rename Computer as dest| where unique_accounts > 30 | `windows_multiple_users_remotely_failed_to_authenticate_from_host_filter`' status: production tags: analytic_story: @@ -69,9 +60,10 @@ tags: security_domain: endpoint tests: - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_remote_spray_xml/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_remote_spray_xml/windows-security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog name: True Positive Test type: TTP -version: 2 +version: 3 diff --git a/detections/endpoint/windows_new_inprocserver32_added.yml b/detections/endpoint/windows_new_inprocserver32_added.yml index 25d9966da4..0b9156b74e 100644 --- a/detections/endpoint/windows_new_inprocserver32_added.yml +++ b/detections/endpoint/windows_new_inprocserver32_added.yml @@ -1,21 +1,30 @@ name: Windows New InProcServer32 Added id: 0fa86e31-0f73-4ec7-9ca3-dc88e117f1db -version: 1 -date: '2024-03-20' +version: 2 +date: '2024-05-13' author: Michael Haag, Splunk data_source: - Sysmon EventID 13 type: Hunting status: production -description: This analytic is designed to detect the addition of new InProcServer32 registry keys, which could indicate suspicious or malicious activity on a Windows endpoint. The InProcServer32 registry key specifies the path to a COM object that can be loaded into the process space of calling processes. Malware often abuses this mechanism to achieve persistence or execute code by registering a new InProcServer32 key pointing to a malicious DLL. By monitoring for the creation of new InProcServer32 keys, this analytic helps identify potential threats that leverage COM hijacking or similar techniques for execution and persistence. Understanding the normal behavior of legitimate software in your environment will aid in distinguishing between benign and malicious use of InProcServer32 modifications. -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry where Registry.registry_path="*\\InProcServer32\\*" by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.dest Registry.process_guid Registry.user - | `drop_dm_object_name(Registry)` - |`security_content_ctime(firstTime)` +description: The following analytic detects the addition of new InProcServer32 registry + keys on Windows endpoints. It leverages data from the Endpoint.Registry datamodel + to identify changes in registry paths associated with InProcServer32. This activity + is significant because malware often uses this mechanism to achieve persistence + or execute malicious code by registering a new InProcServer32 key pointing to a + harmful DLL. If confirmed malicious, this could allow an attacker to persist in + the environment or execute arbitrary code, posing a significant threat to system + integrity and security. +search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry + where Registry.registry_path="*\\InProcServer32\\*" by Registry.registry_path Registry.registry_key_name + Registry.registry_value_name Registry.registry_value_data Registry.dest Registry.process_guid + Registry.user | `drop_dm_object_name(Registry)` |`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_new_inprocserver32_added_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -known_false_positives: False positives are expected. Filtering will be needed to properly reduce legitimate applications from the results. +known_false_positives: False positives are expected. Filtering will be needed to properly + reduce legitimate applications from the results. references: - https://www.netspi.com/blog/technical/red-team-operations/microsoft-outlook-remote-code-execution-cve-2024-21378/ tags: @@ -24,7 +33,8 @@ tags: asset_type: Endpoint confidence: 20 impact: 10 - message: A new InProcServer32 registry key was added to a Windows endpoint. This could indicate suspicious or malicious activity on the $dest$ . + message: A new InProcServer32 registry key was added to a Windows endpoint. This + could indicate suspicious or malicious activity on the $dest$ . mitre_attack_id: - T1112 observable: @@ -51,6 +61,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/cve-2024-21378/inprocserver32_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/cve-2024-21378/inprocserver32_windows-sysmon.log sourcetype: xmlwineventlog source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_ngrok_reverse_proxy_usage.yml b/detections/endpoint/windows_ngrok_reverse_proxy_usage.yml index 3280ec3e5b..b66eded1e2 100644 --- a/detections/endpoint/windows_ngrok_reverse_proxy_usage.yml +++ b/detections/endpoint/windows_ngrok_reverse_proxy_usage.yml @@ -1,15 +1,17 @@ name: Windows Ngrok Reverse Proxy Usage id: e2549f2c-0aef-408a-b0c1-e0f270623436 -version: 2 -date: '2023-01-12' +version: 3 +date: '2024-05-14' author: Michael Haag, Splunk status: production type: Anomaly -description: The following analytic identifies the use of ngrok.exe being utilized - on the Windows operating system. Unfortunately, there is no original file name for - Ngrok, so it may be worth an additional hunt to identify any command-line arguments. - The sign of someone using Ngrok is not malicious, however, more recently it has - become an adversary tool. +description: The following analytic detects the execution of ngrok.exe on a Windows + operating system. It leverages data from Endpoint Detection and Response (EDR) agents, + focusing on process names and command-line arguments. This activity is significant + because while ngrok is a legitimate tool for creating secure tunnels, it is increasingly + used by adversaries to bypass network defenses and establish reverse proxies. If + confirmed malicious, this could allow attackers to exfiltrate data, maintain persistence, + or facilitate further attacks by tunneling traffic through the compromised system. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -83,7 +85,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1572/ngrok/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1572/ngrok/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_nirsoft_advancedrun.yml b/detections/endpoint/windows_nirsoft_advancedrun.yml index c967cafb8f..f903662971 100644 --- a/detections/endpoint/windows_nirsoft_advancedrun.yml +++ b/detections/endpoint/windows_nirsoft_advancedrun.yml @@ -1,15 +1,18 @@ name: Windows NirSoft AdvancedRun id: bb4f3090-7ae4-11ec-897f-acde48001122 -version: 1 -date: '2023-04-14' +version: 2 +date: '2024-05-14' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies the use of AdvancedRun.exe. AdvancedRun.exe - has similar capabilities as other remote programs like psexec. AdvancedRun may also - ingest a configuration file with all settings defined and perform its activity. - The analytic is written in a way to identify a renamed binary and also the common - command-line arguments. +description: The following analytic detects the execution of AdvancedRun.exe, a tool + with capabilities similar to remote administration programs like PsExec. It identifies + the process by its name or original file name and flags common command-line arguments. + This detection leverages data from Endpoint Detection and Response (EDR) agents, + focusing on process and command-line telemetry. Monitoring this activity is crucial + as AdvancedRun can be used for remote code execution and configuration-based automation. + If malicious, this could allow attackers to execute arbitrary commands, escalate + privileges, or maintain persistence within the environment. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -85,6 +88,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1588.002/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1588.002/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_njrat_fileless_storage_via_registry.yml b/detections/endpoint/windows_njrat_fileless_storage_via_registry.yml index 8e70d16024..d35c591ffe 100644 --- a/detections/endpoint/windows_njrat_fileless_storage_via_registry.yml +++ b/detections/endpoint/windows_njrat_fileless_storage_via_registry.yml @@ -1,24 +1,27 @@ name: Windows Njrat Fileless Storage via Registry id: a5fffbbd-271f-4980-94ed-4fbf17f0af1c -version: 1 -date: '2023-09-14' +version: 2 +date: '2024-05-23' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 12 - Sysmon EventID 13 -description: The following analytic identifies a suspicious registry modification associated with NjRat, - a telltale sign of its fileless technique. NjRat employs this method to manage its keylogs and execute downloaded DLL module plugins discreetly on the compromised host. - This approach is particularly effective at evading conventional file-based detection systems, as it stores indicators of compromise (IOCs) in the registry. - Leveraging this TTP (Tactics, Techniques, and Procedures) detection can significantly enhance the identification of NjRAT infections. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry - where Registry.registry_path="*\\[kl]" OR Registry.registry_value_data IN ("*[ENTER]*", "*[TAP]*", "*[Back]*") - by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name Registry.registry_value_name - | `drop_dm_object_name(Registry)` - | `security_content_ctime(lastTime)` - | `security_content_ctime(firstTime)` - | `windows_njrat_fileless_storage_via_registry_filter`' +description: The following analytic detects suspicious registry modifications indicative + of NjRat's fileless storage technique. It leverages the Endpoint.Registry data model + to identify specific registry paths and values commonly used by NjRat for keylogging + and executing DLL plugins. This activity is significant as it helps evade traditional + file-based detection systems, making it crucial for SOC analysts to monitor. If + confirmed malicious, this behavior could allow attackers to persist on the host, + execute arbitrary code, and capture sensitive keystrokes, leading to potential data + breaches and further system compromise. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\[kl]" + OR Registry.registry_value_data IN ("*[ENTER]*", "*[TAP]*", "*[Back]*") by Registry.dest + Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name + Registry.registry_value_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` + | `security_content_ctime(firstTime)` | `windows_njrat_fileless_storage_via_registry_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, @@ -26,7 +29,7 @@ how_to_implement: To successfully implement this search you need to be ingesting endpoint product. known_false_positives: unknown references: - - https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat +- https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat tags: analytic_story: - NjRAT @@ -60,6 +63,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027.011/njrat_fileless_registry_entry/njrat_registry.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027.011/njrat_fileless_registry_entry/njrat_registry.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_non_discord_app_access_discord_leveldb.yml b/detections/endpoint/windows_non_discord_app_access_discord_leveldb.yml index 965d47f826..d4bd14b414 100644 --- a/detections/endpoint/windows_non_discord_app_access_discord_leveldb.yml +++ b/detections/endpoint/windows_non_discord_app_access_discord_leveldb.yml @@ -1,23 +1,25 @@ name: Windows Non Discord App Access Discord LevelDB id: 1166360c-d495-45ac-87a6-8948aac1fa07 -version: 1 -date: '2024-02-16' +version: 2 +date: '2024-05-27' author: Teoderick Contreras, Splunk data_source: - Windows Event Log Security 4663 type: Anomaly status: production -description: The following analytic detects suspicious file access within the Discord LevelDB database. - This database contains critical data such as user profiles, messages, guilds, channels, settings, and cached information. - Access to this data poses a risk of Discord credential theft or unauthorized access to sensitive information on the - compromised system. Detecting such anomalies can serve as an effective pivot to identify non-Discord applications - accessing this database, potentially indicating the presence of malware or trojan stealers aimed at data theft. -search: '`wineventlog_security` EventCode=4663 object_file_path IN ("*\\discord\\Local Storage\\leveldb*") - AND process_name != *\\discord.exe AND NOT (process_path IN ("*:\\Windows\\System32\\*", "*:\\Windows\\SysWow64\\*", "*:\\Program Files*", "*:\\Windows\\*")) - | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_non_discord_app_access_discord_leveldb_filter`' +description: The following analytic detects non-Discord applications accessing the + Discord LevelDB database. It leverages Windows Security Event logs, specifically + event code 4663, to identify file access attempts to the LevelDB directory by processes + other than Discord. This activity is significant as it may indicate attempts to + steal Discord credentials or access sensitive user data. If confirmed malicious, + this could lead to unauthorized access to user profiles, messages, and other critical + information, potentially compromising the security and privacy of the affected users. +search: '`wineventlog_security` EventCode=4663 object_file_path IN ("*\\discord\\Local + Storage\\leveldb*") AND process_name != *\\discord.exe AND NOT (process_path IN + ("*:\\Windows\\System32\\*", "*:\\Windows\\SysWow64\\*", "*:\\Program Files*", "*:\\Windows\\*")) + | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name + object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_non_discord_app_access_discord_leveldb_filter`' how_to_implement: To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." @@ -30,7 +32,8 @@ tags: asset_type: Endpoint confidence: 30 impact: 30 - message: A non-discord process $process_name$ accessing discord "leveldb" file on $dest$ + message: A non-discord process $process_name$ accessing discord "leveldb" file on + $dest$ mitre_attack_id: - T1012 observable: @@ -56,6 +59,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552/snakey_keylogger_outlook_reg_access/snakekeylogger_4663.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552/snakey_keylogger_outlook_reg_access/snakekeylogger_4663.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_non_system_account_targeting_lsass.yml b/detections/endpoint/windows_non_system_account_targeting_lsass.yml index c46a17bdd9..e5df2652ed 100644 --- a/detections/endpoint/windows_non_system_account_targeting_lsass.yml +++ b/detections/endpoint/windows_non_system_account_targeting_lsass.yml @@ -1,15 +1,18 @@ name: Windows Non-System Account Targeting Lsass id: b1ce9a72-73cf-11ec-981b-acde48001122 -version: 2 -date: '2023-12-27' +version: 3 +date: '2024-05-09' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies non SYSTEM accounts requesting access - to lsass.exe. This behavior may be related to credential dumping or applications - requiring access to credentials. Triaging this event will require understanding - the GrantedAccess from the SourceImage. In addition, whether the account is privileged - or not. Review the process requesting permissions and review parallel processes. +description: The following analytic identifies non-SYSTEM accounts requesting access + to lsass.exe. This detection leverages Sysmon EventCode 10 logs to monitor access + attempts to the Local Security Authority Subsystem Service (lsass.exe) by non-SYSTEM + users. This activity is significant as it may indicate credential dumping attempts + or unauthorized access to sensitive credentials. If confirmed malicious, an attacker + could potentially extract credentials from memory, leading to privilege escalation + or lateral movement within the network. Immediate investigation is required to determine + the legitimacy of the access request and to mitigate any potential threats. data_source: - Sysmon EventID 10 search: '`sysmon` EventCode=10 TargetImage=*lsass.exe NOT (SourceUser="NT AUTHORITY\\*") @@ -72,6 +75,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon_creddump.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon_creddump.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_odbcconf_load_dll.yml b/detections/endpoint/windows_odbcconf_load_dll.yml index 9a86ece3fe..e1b1a3efc6 100644 --- a/detections/endpoint/windows_odbcconf_load_dll.yml +++ b/detections/endpoint/windows_odbcconf_load_dll.yml @@ -1,14 +1,18 @@ name: Windows Odbcconf Load DLL id: 141e7fca-a9f0-40fd-a539-9aac8be41f1b -version: 1 -date: '2022-06-28' +version: 2 +date: '2024-05-15' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies odbcconf.exe, Windows Open Database - Connectivity utility, utilizing the action function of regsvr to load a DLL. An - example will look like - odbcconf.exe /A { REGSVR T1218-2.dll }. During triage, - review parent process, parallel procesess and file modifications. +description: The following analytic detects the execution of odbcconf.exe with the + regsvr action to load a DLL. This is identified by monitoring command-line arguments + in process creation logs from Endpoint Detection and Response (EDR) agents. This + activity is significant as it may indicate an attempt to execute arbitrary code + via DLL loading, a common technique used in various attack vectors. If confirmed + malicious, this could allow an attacker to execute code with the privileges of the + odbcconf.exe process, potentially leading to system compromise or further lateral + movement. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -80,7 +84,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.008/atomic_red_team/windows-sysmon-odbc-regsvr.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.008/atomic_red_team/windows-sysmon-odbc-regsvr.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_odbcconf_load_response_file.yml b/detections/endpoint/windows_odbcconf_load_response_file.yml index 2fdf375847..126f117ddd 100644 --- a/detections/endpoint/windows_odbcconf_load_response_file.yml +++ b/detections/endpoint/windows_odbcconf_load_response_file.yml @@ -1,15 +1,18 @@ name: Windows Odbcconf Load Response File id: 1acafff9-1347-4b40-abae-f35aa4ba85c1 -version: 1 -date: '2022-06-30' +version: 2 +date: '2024-05-15' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies the odbcconf.exe, Windows Open Database - Connectivity utility, loading up a resource file. The file extension is arbitrary - and may be named anything. The resource file itself may have different commands - supported by Odbcconf to load up a DLL (REGSVR) on disk or additional commands. - During triage, review file modifications and parallel processes. +description: The following analytic detects the execution of odbcconf.exe with a response + file, which may contain commands to load a DLL (REGSVR) or other instructions. This + detection leverages data from Endpoint Detection and Response (EDR) agents, focusing + on process names and command-line arguments. This activity is significant as it + may indicate an attempt to execute arbitrary code or load malicious DLLs, potentially + leading to unauthorized actions. If confirmed malicious, this could allow an attacker + to gain code execution, escalate privileges, or establish persistence within the + environment. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -81,7 +84,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.008/atomic_red_team/windows-sysmon-odbc-rsp.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.008/atomic_red_team/windows-sysmon-odbc-rsp.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_office_product_spawning_msdt.yml b/detections/endpoint/windows_office_product_spawning_msdt.yml index 23f93728bc..bf57ad3258 100644 --- a/detections/endpoint/windows_office_product_spawning_msdt.yml +++ b/detections/endpoint/windows_office_product_spawning_msdt.yml @@ -1,25 +1,27 @@ name: Windows Office Product Spawning MSDT id: 127eba64-c981-40bf-8589-1830638864a7 -version: 4 -date: '2023-11-07' +version: 5 +date: '2024-05-25' author: Michael Haag, Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic identifies a Microsoft Office product spawning - the Windows msdt.exe process. MSDT is a Diagnostics Troubleshooting Wizard native - to Windows. This behavior is related to a recently identified sample utilizing protocol - handlers to evade preventative controls, including if macros are disabled in the - document. During triage, review file modifications for html. In addition, parallel - processes including PowerShell and CertUtil. +description: The following analytic detects a Microsoft Office product spawning the + Windows msdt.exe process. This detection leverages data from Endpoint Detection + and Response (EDR) agents, focusing on process creation events where Office applications + are the parent process. This activity is significant as it may indicate an attempt + to exploit protocol handlers to bypass security controls, even if macros are disabled. + If confirmed malicious, this behavior could allow an attacker to execute arbitrary + code, potentially leading to system compromise, data exfiltration, or further lateral + movement within the network. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("winword.exe","excel.exe","powerpnt.exe","outlook.exe","mspub.exe","visio.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe","msaccess.exe") - Processes.process_name=msdt.exe by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process - Processes.process_name Processes.original_file_name Processes.process Processes.process_id - Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| - `security_content_ctime(lastTime)` | `windows_office_product_spawning_msdt_filter`' + Processes.process_name=msdt.exe by Processes.dest Processes.user Processes.parent_process_name + Processes.parent_process Processes.process_name Processes.original_file_name Processes.process + Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_office_product_spawning_msdt_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -91,7 +93,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/msdt.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/msdt.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_papercut_ng_spawn_shell.yml b/detections/endpoint/windows_papercut_ng_spawn_shell.yml index 98ace8f7e9..e738167a8d 100644 --- a/detections/endpoint/windows_papercut_ng_spawn_shell.yml +++ b/detections/endpoint/windows_papercut_ng_spawn_shell.yml @@ -1,16 +1,20 @@ name: Windows PaperCut NG Spawn Shell id: a602d9a2-aaea-45f8-bf0f-d851168d61ca -version: 1 -date: '2023-05-15' +version: 2 +date: '2024-05-11' author: Michael Haag, Splunk status: production type: TTP data_source: - Sysmon EventID 1 -description: The following analytic is designed to detect instances where the PaperCut - NG application (pc-app.exe) spawns a Windows shell, specifically cmd.exe or PowerShell. - This behavior may indicate potential malicious activity, such as an attacker attempting - to gain unauthorized access or execute harmful commands on the affected system. +description: The following analytic detects instances where the PaperCut NG application + (pc-app.exe) spawns a Windows shell, such as cmd.exe or PowerShell. This behavior + is identified using Endpoint Detection and Response (EDR) telemetry, focusing on + process creation events where the parent process is pc-app.exe. This activity is + significant as it may indicate an attacker attempting to gain unauthorized access + or execute malicious commands on the system. If confirmed malicious, this could + lead to unauthorized code execution, privilege escalation, or further compromise + of the affected environment. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=pc-app.exe `process_cmd` OR `process_powershell` OR Processes.process_name=java.exe by Processes.dest @@ -79,6 +83,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/papercut/papercutng-app-spawn_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/papercut/papercutng-app-spawn_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_parent_pid_spoofing_with_explorer.yml b/detections/endpoint/windows_parent_pid_spoofing_with_explorer.yml index 188294c35e..93b1e11509 100644 --- a/detections/endpoint/windows_parent_pid_spoofing_with_explorer.yml +++ b/detections/endpoint/windows_parent_pid_spoofing_with_explorer.yml @@ -1,27 +1,25 @@ name: Windows Parent PID Spoofing with Explorer id: 17f8f69c-5d00-4c88-9c6f-493bbdef20a1 -version: 1 -date: '2023-11-21' +version: 2 +date: '2024-05-25' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 1 -description: The following analytic identifies a suspicious explorer.exe process that has "/root" process commandline. - The presence of this parameter is considered a significant indicator as it could indicate attempts at spoofing the parent process - by a specific program or malware. By spoofing the parent process, the malicious entity aims to circumvent detection mechanisms and - operate undetected within the system. - This technique of manipulating the command-line parameter (/root) of explorer.exe is a form of masquerading utilized by certain malware - or suspicious processes. The objective is to obscure the true nature of the activity by imitating a legitimate system process. By doing so, - it attempts to evade scrutiny and evade detection by security measures. -search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes - where Processes.process="*explorer.exe*" Processes.process="*/root,*" - by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name - Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_parent_pid_spoofing_with_explorer_filter`' +description: The following analytic identifies a suspicious `explorer.exe` process + with the `/root` command-line parameter. This detection leverages Endpoint Detection + and Response (EDR) telemetry, focusing on process and command-line data. The presence + of `/root` in `explorer.exe` is significant as it may indicate parent process spoofing, + a technique used by malware to evade detection. If confirmed malicious, this activity + could allow an attacker to operate undetected, potentially leading to unauthorized + access, privilege escalation, or persistent threats within the environment. +search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process="*explorer.exe*" + Processes.process="*/root,*" by Processes.dest Processes.user Processes.parent_process_name + Processes.parent_process Processes.process_name Processes.original_file_name Processes.process + Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_parent_pid_spoofing_with_explorer_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -71,6 +69,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1134/explorer_root_proc_cmdline/explorer_root.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1134/explorer_root_proc_cmdline/explorer_root.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_password_managers_discovery.yml b/detections/endpoint/windows_password_managers_discovery.yml index 698a4022fb..05abef9387 100644 --- a/detections/endpoint/windows_password_managers_discovery.yml +++ b/detections/endpoint/windows_password_managers_discovery.yml @@ -1,20 +1,18 @@ name: Windows Password Managers Discovery id: a3b3bc96-1c4f-4eba-8218-027cac739a48 -version: 1 -date: '2022-11-30' +version: 2 +date: '2024-05-28' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic identifies a process command line that retrieves - information related to password manager software. This technique was seen in several - post exploitation tools like winpeas that are being used by Ransomware Prestige - to gather this type of information. Password Managers applications are designed - to store user credentials, normally in an encrypted database. Credentials are typically - accessible after a user provides a master password that unlocks the database. After - the database is unlocked, these credentials may be copied to memory. These databases - can be stored as files on disk. Due to this password manager software designed adversaries - may find or look for keywords related to the Password Manager databases that can - be stolen or extracted for further attacks. +description: The following analytic identifies command-line activity that searches + for files related to password manager software, such as "*.kdbx*" and "*credential*". + It leverages data from Endpoint Detection and Response (EDR) agents, focusing on + process execution logs. This activity is significant because attackers often target + password manager databases to extract stored credentials, which can be used for + further exploitation. If confirmed malicious, this behavior could lead to unauthorized + access to sensitive information, enabling attackers to escalate privileges, move + laterally, or exfiltrate critical data. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -80,7 +78,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/winpeas_search_pwd_db/dir-db-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/winpeas_search_pwd_db/dir-db-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_phishing_outlook_drop_dll_in_form_dir.yml b/detections/endpoint/windows_phishing_outlook_drop_dll_in_form_dir.yml index 15aa065756..67dc39b952 100644 --- a/detections/endpoint/windows_phishing_outlook_drop_dll_in_form_dir.yml +++ b/detections/endpoint/windows_phishing_outlook_drop_dll_in_form_dir.yml @@ -1,26 +1,28 @@ name: Windows Phishing Outlook Drop Dll In FORM Dir id: fca01769-5163-4b3a-ae44-de874adfc9bc -version: 1 -date: '2024-03-20' +version: 2 +date: '2024-05-22' author: Teoderick Contreras, Splunk data_source: - Sysmon EventID 11 type: TTP status: production -description: The following analytic identifies a suspicious outlook.exe process dropped a dll file. - This technique was seen in CVE-2024-21378, involves the loading of a custom MAPI form to execute a - potentially malicious DLL. Detecting such TTPs serves as a crucial pivot point to identify potential adversaries, - malware, or red team activity attempting to leverage this method within phishing campaigns. +description: The following analytic detects the creation of a DLL file by an outlook.exe + process in the AppData\Local\Microsoft\FORMS directory. This detection leverages + data from the Endpoint.Processes and Endpoint.Filesystem datamodels, focusing on + process and file creation events. This activity is significant as it may indicate + an attempt to exploit CVE-2024-21378, where a custom MAPI form loads a potentially + malicious DLL. If confirmed malicious, this could allow an attacker to execute arbitrary + code, leading to further system compromise or data exfiltration. search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes - where Processes.process_name=outlook.exe - by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.process_guid - | `drop_dm_object_name(Processes)` - | join process_guid, _time [ | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem - where Filesystem.file_name ="*.dll" Filesystem.file_path = "*\\AppData\\Local\\Microsoft\\FORMS\\IPM*" - by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid - | `drop_dm_object_name(Filesystem)` - | fields file_name file_path process_name process_path process dest file_create_time _time process_guid] - | `windows_phishing_outlook_drop_dll_in_form_dir_filter`' + where Processes.process_name=outlook.exe by _time span=1h Processes.process_id Processes.process_name + Processes.process Processes.dest Processes.process_guid | `drop_dm_object_name(Processes)` + | join process_guid, _time [ | tstats `security_content_summariesonly` count min(_time) + as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name + ="*.dll" Filesystem.file_path = "*\\AppData\\Local\\Microsoft\\FORMS\\IPM*" by _time + span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path + Filesystem.process_guid | `drop_dm_object_name(Filesystem)` | fields file_name file_path + process_name process_path process dest file_create_time _time process_guid] | `windows_phishing_outlook_drop_dll_in_form_dir_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, @@ -63,6 +65,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/outlook_dropped_dll/outlook_phishing_form_dll.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/outlook_dropped_dll/outlook_phishing_form_dll.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_phishing_pdf_file_executes_url_link.yml b/detections/endpoint/windows_phishing_pdf_file_executes_url_link.yml index 6a755bf9aa..6c254b3742 100644 --- a/detections/endpoint/windows_phishing_pdf_file_executes_url_link.yml +++ b/detections/endpoint/windows_phishing_pdf_file_executes_url_link.yml @@ -1,18 +1,17 @@ name: Windows Phishing PDF File Executes URL Link id: 2fa9dec8-9d8e-46d3-96c1-202c06f0e6e1 -version: 1 -date: '2023-01-18' +version: 2 +date: '2024-05-23' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This analytic is developed to detect suspicious pdf viewer processes - that have a browser application child processes. This event was seen in a pdf spear - phishing attachment containing a malicious URL link to download the actual payload. - When a user clicks the malicious link the pdf viewer application will execute a - process of the host default browser to connect to the malicious site. This anomaly - detection can be a good indicator that a possible pdf file has a link executed by - a user. The pdf viewer and browser list in this detection is still in progress, - add the common browser and pdf viewer you use in opening pdf in your network. +description: The following analytic detects suspicious PDF viewer processes spawning + browser application child processes. It leverages data from Endpoint Detection and + Response (EDR) agents, focusing on process and parent process names. This activity + is significant as it may indicate a PDF spear-phishing attempt where a malicious + URL link is executed, leading to potential payload download. If confirmed malicious, + this could allow attackers to execute code, escalate privileges, or persist in the + environment by exploiting the user's browser to connect to a malicious site. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -73,7 +72,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/phishing_pdf_uri/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/phishing_pdf_uri/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_phishing_recent_iso_exec_registry.yml b/detections/endpoint/windows_phishing_recent_iso_exec_registry.yml index 00770f6d66..5b665a92f8 100644 --- a/detections/endpoint/windows_phishing_recent_iso_exec_registry.yml +++ b/detections/endpoint/windows_phishing_recent_iso_exec_registry.yml @@ -1,16 +1,18 @@ name: Windows Phishing Recent ISO Exec Registry id: cb38ee66-8ae5-47de-bd66-231c7bbc0b2c -version: 2 -date: '2022-09-19' +version: 3 +date: '2024-05-30' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following hunting analytic identifies registry artifacts when an - ISO container is opened, clicked or mounted on the Windows operating system. As - Microsoft makes changes to macro based document execution, adversaries have begun - to utilize container based initial access based phishing campaigns to evade preventative - controls. Once the ISO is clicked or mounted it will create a registry artifact - related to this event as a recent application executed or opened. +description: The following analytic detects the creation of registry artifacts when + an ISO container is opened, clicked, or mounted on a Windows operating system. It + leverages data from the Endpoint.Registry data model, specifically monitoring registry + keys related to recent ISO or IMG file executions. This activity is significant + as adversaries increasingly use container-based phishing campaigns to bypass macro-based + document execution controls. If confirmed malicious, this behavior could indicate + an initial access attempt, potentially leading to further exploitation, persistence, + or data exfiltration within the environment. data_source: - Sysmon EventID 12 - Sysmon EventID 13 @@ -72,7 +74,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/iso_version_dll_campaign/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/iso_version_dll_campaign/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_possible_credential_dumping.yml b/detections/endpoint/windows_possible_credential_dumping.yml index 19ae5dcb59..075f0bb069 100644 --- a/detections/endpoint/windows_possible_credential_dumping.yml +++ b/detections/endpoint/windows_possible_credential_dumping.yml @@ -1,28 +1,17 @@ name: Windows Possible Credential Dumping id: e4723b92-7266-11ec-af45-acde48001122 -version: 3 -date: '2023-12-27' +version: 4 +date: '2024-05-31' author: Michael Haag, Splunk status: production type: TTP -description: 'The following analytic is an enhanced version of two previous analytics - that identifies common GrantedAccess permission requests and CallTrace DLLs in order - to detect credential dumping. - - GrantedAccess is the requested permissions by the SourceImage into the TargetImage. - - - CallTrace Stack trace of where open process is called. Included is the DLL and the - relative virtual address of the functions in the call stack right before the open - process call. - - dbgcore.dll or dbghelp.dll are two core Windows debug DLLs that have minidump functions - which provide a way for applications to produce crashdump files that contain a useful - subset of the entire process context. - - The idea behind using ntdll.dll is to blend in by using native api of ntdll.dll. - For example in sekurlsa module there are many ntdll exported api, like RtlCopyMemory, - used to execute this module which is related to lsass dumping.' +description: 'The following analytic detects potential credential dumping by identifying + specific GrantedAccess permission requests and CallTrace DLLs targeting the LSASS + process. It leverages Sysmon EventCode 10 logs, focusing on access requests to lsass.exe + and call traces involving debug and native API DLLs like dbgcore.dll, dbghelp.dll, + and ntdll.dll. This activity is significant as credential dumping can lead to unauthorized + access to sensitive credentials. If confirmed malicious, attackers could gain elevated + privileges and persist within the environment, posing a severe security risk.' data_source: - Sysmon EventID 10 search: '`sysmon` EventCode=10 TargetImage=*\\lsass.exe granted_access IN ("0x01000", @@ -94,6 +83,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon_creddump.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon_creddump.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_post_exploitation_risk_behavior.yml b/detections/endpoint/windows_post_exploitation_risk_behavior.yml index ff91d5abca..8c5248c6d0 100644 --- a/detections/endpoint/windows_post_exploitation_risk_behavior.yml +++ b/detections/endpoint/windows_post_exploitation_risk_behavior.yml @@ -1,32 +1,36 @@ name: Windows Post Exploitation Risk Behavior id: edb930df-64c2-4bb7-9b5c-889ed53fb973 -version: 1 -date: '2023-06-14' +version: 2 +date: '2024-05-31' author: Teoderick Contreras, Splunk status: production type: Correlation data_source: [] -description: The following correlation identifies a four or more number of distinct analytics associated with the Windows Post-Exploitation analytic story, which enables the identification of potentially suspicious behavior. Windows Post-Exploitation refers to the phase that occurs after an attacker successfully compromises a Windows system. During this stage, attackers strive to maintain persistence, gather sensitive information, escalate privileges, and exploit the compromised environment further. Timely detection of post-exploitation activities is crucial for prompt response and effective mitigation. Common post-exploitation detections encompass identifying suspicious processes or services running on the system, detecting unusual network connections or traffic patterns, identifying modifications to system files or registry entries, monitoring abnormal user account activities, and flagging unauthorized privilege escalations. Ensuring the detection of post-exploitation activities is essential to proactively prevent further compromise, minimize damage, and restore the security of the Windows environment. -search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime - sum(All_Risk.calculated_risk_score) as risk_score, - count(All_Risk.calculated_risk_score) as risk_event_count, - values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, - dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, - values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, - dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, - values(All_Risk.tag) as tag, values(source) as source, - dc(source) as source_count from datamodel=Risk.All_Risk - where All_Risk.analyticstories IN ("*Windows Post-Exploitation*") - by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic - | `drop_dm_object_name(All_Risk)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | where source_count >= 4 - | `windows_post_exploitation_risk_behavior_filter`' -how_to_implement: Splunk Enterprise Security is required to utilize this correlation. In addition, - modify the source_count value to your environment. In our testing, a count of 4 or 5 was decent in a lab, - but the number may need to be increased base on internal testing. In addition, - based on false positives, modify any analytics to be anomaly and lower or increase risk based on organization importance. +description: The following analytic identifies four or more distinct post-exploitation + behaviors on a Windows system. It leverages data from the Risk data model in Splunk + Enterprise Security, focusing on multiple risk events and their associated MITRE + ATT&CK tactics and techniques. This activity is significant as it indicates potential + malicious actions following an initial compromise, such as persistence, privilege + escalation, or data exfiltration. If confirmed malicious, this behavior could allow + attackers to maintain control, escalate privileges, and further exploit the compromised + environment, leading to significant security breaches and data loss. +search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) + as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) + as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as + annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) + as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) + as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) + as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, + dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories + IN ("*Windows Post-Exploitation*") by All_Risk.risk_object All_Risk.risk_object_type + All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where + source_count >= 4 | `windows_post_exploitation_risk_behavior_filter`' +how_to_implement: Splunk Enterprise Security is required to utilize this correlation. + In addition, modify the source_count value to your environment. In our testing, + a count of 4 or 5 was decent in a lab, but the number may need to be increased base + on internal testing. In addition, based on false positives, modify any analytics + to be anomaly and lower or increase risk based on organization importance. known_false_positives: False positives will be present based on many factors. Tune the correlation as needed to reduce too many triggers. references: @@ -37,7 +41,8 @@ tags: asset_type: Endpoint confidence: 70 impact: 70 - message: An increase of Windows Post Exploitation behavior has been detected on $risk_object$ + message: An increase of Windows Post Exploitation behavior has been detected on + $risk_object$ mitre_attack_id: - T1012 - T1049 @@ -68,6 +73,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552/windows_post_exploitation/windows_post_exploitation_risk.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552/windows_post_exploitation/windows_post_exploitation_risk.log source: wpe sourcetype: stash diff --git a/detections/endpoint/windows_powershell_add_module_to_global_assembly_cache.yml b/detections/endpoint/windows_powershell_add_module_to_global_assembly_cache.yml index ba8b0bb0bc..156612b04f 100644 --- a/detections/endpoint/windows_powershell_add_module_to_global_assembly_cache.yml +++ b/detections/endpoint/windows_powershell_add_module_to_global_assembly_cache.yml @@ -1,19 +1,18 @@ name: Windows PowerShell Add Module to Global Assembly Cache id: 3fc16961-97e5-4a5b-a079-e4ab0d9763eb -version: 1 -date: '2023-01-18' +version: 2 +date: '2024-05-22' author: Michael Haag, Splunk status: production type: TTP -description: The following PowerShell Script Block analytic identifies the native - ability to add a DLL to the Windows Global Assembly Cache. Each computer where the - Common Language Runtime is installed has a machine-wide code cache called the Global - Assembly Cache. The Global Assembly Cache stores assemblies specifically designated - to be shared by several applications on the computer. By adding a DLL to the GAC, - this allows an adversary to call it via any other means across the operating systems. - This is native and built into Windows. Per the Microsoft blog, the more high fidelity - method may be to look for W3WP.exe spawning PowerShell that includes the same CommandLine - as identified in this analytic. +description: The following analytic detects the addition of a DLL to the Windows Global + Assembly Cache (GAC) using PowerShell. It leverages PowerShell Script Block Logging + to identify commands containing "system.enterpriseservices.internal.publish". This + activity is significant because adding a DLL to the GAC allows it to be shared across + multiple applications, potentially enabling an adversary to execute malicious code + system-wide. If confirmed malicious, this could lead to widespread code execution, + privilege escalation, and persistent access across the operating system, posing + a severe security risk. data_source: - Powershell Script Block Logging 4104 search: '`powershell` EventCode=4104 ScriptBlockText IN("*system.enterpriseservices.internal.publish*") @@ -58,7 +57,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/pwsh_publish_powershell.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/pwsh_publish_powershell.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_powershell_cryptography_namespace.yml b/detections/endpoint/windows_powershell_cryptography_namespace.yml index 9ccf5e25b6..e3dee7cefc 100644 --- a/detections/endpoint/windows_powershell_cryptography_namespace.yml +++ b/detections/endpoint/windows_powershell_cryptography_namespace.yml @@ -1,23 +1,26 @@ name: Windows Powershell Cryptography Namespace id: f8b482f4-6d62-49fa-a905-dfa15698317b -version: 2 -date: '2023-11-07' +version: 3 +date: '2024-05-27' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic identifies suspicious PowerShell script execution - via EventCode 4104 that is processing cryptography namespace library. This technique - was seen in several powershell malware, loader, downloader and stager that will - decrypt or decode the next malicious stager or the actual payload. This Anomaly - detection can be a good indicator that a powershell process to decrypt code. We - recommend to further check the parent_process_name, the file or data it tries to - decrypt, network connection and user who execute the script. +description: The following analytic detects suspicious PowerShell script execution + involving the cryptography namespace via EventCode 4104. It leverages PowerShell + Script Block Logging to identify scripts using cryptographic functions, excluding + common hashes like SHA and MD5. This activity is significant as it is often associated + with malware that decrypts or decodes additional malicious payloads. If confirmed + malicious, this could allow an attacker to execute further code, escalate privileges, + or establish persistence within the environment. Analysts should investigate the + parent process, decrypted data, network connections, and the user executing the + script. data_source: - Powershell Script Block Logging 4104 search: '`powershell` EventCode=4104 ScriptBlockText = "*System.Security.Cryptography*" AND NOT(ScriptBlockText IN ("*SHA*", "*MD5*", "*DeriveBytes*")) | stats count min(_time) - as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_cryptography_namespace_filter`' + as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID + | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_powershell_cryptography_namespace_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. @@ -30,7 +33,8 @@ tags: asset_type: Endpoint confidence: 50 impact: 50 - message: A suspicious powershell script contains cryptography command detected on host $dest$ + message: A suspicious powershell script contains cryptography command detected on + host $dest$ mitre_attack_id: - T1059.001 - T1059 @@ -59,7 +63,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/asyncrat_crypto_pwh_namespace/windows-powershell-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/asyncrat_crypto_pwh_namespace/windows-powershell-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_powershell_get_ciminstance_remote_computer.yml b/detections/endpoint/windows_powershell_get_ciminstance_remote_computer.yml index 996c65e489..08cd5b08aa 100644 --- a/detections/endpoint/windows_powershell_get_ciminstance_remote_computer.yml +++ b/detections/endpoint/windows_powershell_get_ciminstance_remote_computer.yml @@ -1,29 +1,39 @@ name: Windows PowerShell Get CIMInstance Remote Computer id: d8c972eb-ed84-431a-8869-ca4bd83257d1 -version: 1 -date: '2023-03-27' +version: 2 +date: '2024-05-23' author: Michael Haag, Splunk type: Anomaly status: production data_source: - Powershell Script Block Logging 4104 -description: This analytic identifies the use of Get-CimInstance cmdlet with the -ComputerName parameter, which indicates that the cmdlet is being used to retrieve information from a remote computer. This can be useful for detecting instances of remote access, such as when an attacker uses PowerShell to connect to a remote system and gather information. By monitoring for this cmdlet with the -ComputerName parameter, security analysts can identify potential malicious activity on remote systems and take appropriate action to mitigate any threats. -search: '`powershell` EventCode=4104 ScriptBlockText="*get-ciminstance*" AND ScriptBlockText="*computername*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `windows_powershell_get_ciminstance_remote_computer_filter`' +description: The following analytic detects the use of the Get-CimInstance cmdlet + with the -ComputerName parameter, indicating an attempt to retrieve information + from a remote computer. It leverages PowerShell Script Block Logging to identify + this specific command execution. This activity is significant as it may indicate + unauthorized remote access or information gathering by an attacker. If confirmed + malicious, this could allow the attacker to collect sensitive data from remote systems, + potentially leading to further exploitation or lateral movement within the network. +search: '`powershell` EventCode=4104 ScriptBlockText="*get-ciminstance*" AND ScriptBlockText="*computername*" | + stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText + Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_powershell_get_ciminstance_remote_computer_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -known_false_positives: This is meant to be a low risk RBA anomaly analytic or to be used for hunting. Enable this with a low risk score and let it generate risk in the risk index. +known_false_positives: This is meant to be a low risk RBA anomaly analytic or to be + used for hunting. Enable this with a low risk score and let it generate risk in + the risk index. references: - - https://learn.microsoft.com/en-us/powershell/module/cimcmdlets/get-ciminstance?view=powershell-7.3 +- https://learn.microsoft.com/en-us/powershell/module/cimcmdlets/get-ciminstance?view=powershell-7.3 tags: analytic_story: - Active Directory Lateral Movement asset_type: Endpoint confidence: 50 impact: 30 - message: A PowerShell Cmdlet Get-CIMInstnace was ran on $Computer$, attempting to connect to a remote host. + message: A PowerShell Cmdlet Get-CIMInstnace was ran on $Computer$, attempting to + connect to a remote host. mitre_attack_id: - T1059.001 observable: @@ -45,6 +55,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/get_ciminstance_windows-powershell.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/get_ciminstance_windows-powershell.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_powershell_iis_components_webglobalmodule_usage.yml b/detections/endpoint/windows_powershell_iis_components_webglobalmodule_usage.yml index e7f1109ce2..6414336358 100644 --- a/detections/endpoint/windows_powershell_iis_components_webglobalmodule_usage.yml +++ b/detections/endpoint/windows_powershell_iis_components_webglobalmodule_usage.yml @@ -1,15 +1,18 @@ name: Windows PowerShell IIS Components WebGlobalModule Usage id: 33fc9f6f-0ce7-4696-924e-a69ec61a3d57 -version: 1 -date: '2022-12-21' +version: 2 +date: '2024-05-14' author: Michael Haag, Splunk status: production type: Anomaly -description: The following analytic identifies the usage of PowerShell Cmdlets - New-WebGlobalModule, - Enable-WebGlobalModule and Set-WebGlobalModule being utilized to create (new), enable - (start) or modify a current IIS Module. These commands are equivalent to AppCmd.exe - parameters. Adversaries may utilize these cmdlets as they are lesser known and perform - the same activity as AppCmd. +description: The following analytic detects the usage of PowerShell Cmdlets - New-WebGlobalModule, + Enable-WebGlobalModule, and Set-WebGlobalModule, which are used to create, enable, + or modify IIS Modules. This detection leverages PowerShell Script Block Logging, + specifically monitoring EventCode 4104 for these cmdlets. This activity is significant + as adversaries may use these lesser-known cmdlets to manipulate IIS configurations, + similar to AppCmd.exe, potentially bypassing traditional defenses. If confirmed + malicious, this could allow attackers to persist in the environment, manipulate + web server behavior, or escalate privileges. data_source: - Powershell Script Block Logging 4104 search: '`powershell` EventCode=4104 ScriptBlockText IN("*New-WebGlobalModule*","*Enable-WebGlobalModule*","*Set-WebGlobalModule*") @@ -58,7 +61,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/4104_windows-powershell.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/4104_windows-powershell.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_powershell_import_applocker_policy.yml b/detections/endpoint/windows_powershell_import_applocker_policy.yml index d13d5541e1..bab67f0b21 100644 --- a/detections/endpoint/windows_powershell_import_applocker_policy.yml +++ b/detections/endpoint/windows_powershell_import_applocker_policy.yml @@ -1,20 +1,25 @@ name: Windows Powershell Import Applocker Policy id: 102af98d-0ca3-4aa4-98d6-7ab2b98b955a -version: 1 -date: '2022-06-30' +version: 2 +date: '2024-05-29' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic is to identify the imports of Windows PowerShell - Applocker commandlets. This technique was seen in Azorult malware where it drops - an xml Applocker policy that will deny several AV product and then loaded using - PowerShell Applocker commandlet. +description: The following analytic detects the import of Windows PowerShell Applocker + cmdlets, specifically identifying the use of "Import-Module Applocker" and "Set-AppLockerPolicy" + with an XML policy. It leverages PowerShell Script Block Logging (EventCode 4104) + to capture and analyze script block text. This activity is significant as it may + indicate an attempt to enforce restrictive Applocker policies, potentially used + by malware like Azorult to disable antivirus products. If confirmed malicious, this + could allow an attacker to bypass security controls, leading to further system compromise + and persistence. data_source: - Powershell Script Block Logging 4104 search: '`powershell` EventCode=4104 ScriptBlockText="*Import-Module Applocker*" ScriptBlockText="*Set-AppLockerPolicy *" ScriptBlockText="* -XMLPolicy *" | stats count min(_time) as firstTime max(_time) - as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `windows_powershell_import_applocker_policy_filter`' + as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest + | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_powershell_import_applocker_policy_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. @@ -58,7 +63,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/import_applocker_policy/windows-powershell-xml2.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/import_applocker_policy/windows-powershell-xml2.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_powershell_remotesigned_file.yml b/detections/endpoint/windows_powershell_remotesigned_file.yml index cad9533ed7..0c4c88c01c 100644 --- a/detections/endpoint/windows_powershell_remotesigned_file.yml +++ b/detections/endpoint/windows_powershell_remotesigned_file.yml @@ -1,17 +1,19 @@ name: Windows Powershell RemoteSigned File id: f7f7456b-470d-4a95-9703-698250645ff4 -version: 1 -date: '2023-06-16' +version: 2 +date: '2024-05-26' author: Teoderick Contreras, Splunk status: production type: Anomaly data_source: - Sysmon EventID 1 -description: This analytic identifies the use of "remotesigned" execution policy for - a file. This security setting determines whether PowerShell scripts can be executed - on a computer. When the execution policy is set to "remotesigned," it allows locally - created scripts to run without any restrictions, but scripts downloaded from the - internet must have a digital signature from a trusted publisher. +description: The following analytic identifies the use of the "remotesigned" execution + policy for PowerShell scripts. It leverages data from Endpoint Detection and Response + (EDR) agents, focusing on command-line executions containing "remotesigned" and + "-File". This activity is significant because the "remotesigned" policy allows locally + created scripts to run without restrictions, posing a potential security risk. If + confirmed malicious, an attacker could execute unauthorized scripts, leading to + code execution, privilege escalation, or persistence within the environment. search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process="* remotesigned *" Processes.process="* -File *" by Processes.dest Processes.user Processes.parent_process @@ -69,6 +71,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_remotesigned/remotesigned_sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_remotesigned/remotesigned_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_powershell_scheduletask.yml b/detections/endpoint/windows_powershell_scheduletask.yml index f0ff39be13..aefdb37203 100644 --- a/detections/endpoint/windows_powershell_scheduletask.yml +++ b/detections/endpoint/windows_powershell_scheduletask.yml @@ -1,24 +1,32 @@ name: Windows PowerShell ScheduleTask id: ddf82fcb-e9ee-40e3-8712-a50b5bf323fc -version: 1 -date: '2023-06-12' +version: 2 +date: '2024-05-19' author: Michael Haag, Splunk status: production type: Anomaly data_source: - Powershell Script Block Logging 4104 -description: "The following analytic detects potential malicious activities related to PowerShell's task scheduling cmdlets. It looks for anomalies in PowerShell logs, specifically EventCode 4104, associated with script block logging. The analytic flags unusual or suspicious use patterns of key task-related cmdlets such as 'New-ScheduledTask', 'Set-ScheduledTask', and others, which are often used by attackers for persistence and remote execution of malicious code. - If a true positive is found, it suggests an possible attacker is attempting to persist within the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. To implement this analytic, PowerShell Script Block Logging needs to be enabled on some or all endpoints. Analysts should be aware of benign administrative tasks that can trigger alerts and tune the analytic accordingly to reduce false positives. - Upon triage, review the PowerShell logs for any unusual or unexpected cmdlet usage, IP addresses, user accounts, or timestamps. If these factors align with known malicious behavior patterns, immediate mitigation steps, such as isolation of the affected systems, user account changes, and relevant threat hunting activities, should be initiated. This proactive analysis significantly enhances an organization's capacity to swiftly respond to, and potentially prevent, the execution of advanced persistent threats in their network." -search: '`powershell` EventCode=4104 ScriptBlockText IN ("*New-ScheduledTask*", "*New-ScheduledTaskAction*", "*New-ScheduledTaskSettingsSet*", "*New-ScheduledTaskTrigger*", "*Register-ClusteredScheduledTask*", "*Register-ScheduledTask*", "*Set-ClusteredScheduledTask*", "*Set-ScheduledTask*", "*Start-ScheduledTask*", "*Enable-ScheduledTask*") - | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_powershell_scheduletask_filter`' +description: "The following analytic detects potential malicious activities involving + PowerShell's task scheduling cmdlets. It leverages PowerShell Script Block Logging + (EventCode 4104) to identify unusual or suspicious use of cmdlets like 'New-ScheduledTask' + and 'Set-ScheduledTask'. This activity is significant as attackers often use these + cmdlets for persistence and remote execution of malicious code. If confirmed malicious, + this could allow attackers to maintain access, deliver additional payloads, or execute + ransomware, leading to data theft or other severe impacts. Immediate investigation + and mitigation are crucial to prevent further compromise." +search: '`powershell` EventCode=4104 ScriptBlockText IN ("*New-ScheduledTask*", "*New-ScheduledTaskAction*", + "*New-ScheduledTaskSettingsSet*", "*New-ScheduledTaskTrigger*", "*Register-ClusteredScheduledTask*", + "*Register-ScheduledTask*", "*Set-ClusteredScheduledTask*", "*Set-ScheduledTask*", + "*Start-ScheduledTask*", "*Enable-ScheduledTask*") | stats count min(_time) as firstTime + max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_powershell_scheduletask_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -known_false_positives: Benign administrative tasks can also trigger alerts, necessitating a firm understanding of the typical system behavior and precise tuning of the analytic to reduce false positives. +known_false_positives: Benign administrative tasks can also trigger alerts, necessitating + a firm understanding of the typical system behavior and precise tuning of the analytic + to reduce false positives. references: - https://learn.microsoft.com/en-us/powershell/module/scheduledtasks/?view=windowsserver2022-ps - https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/ @@ -30,7 +38,8 @@ tags: - af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd confidence: 50 impact: 50 - message: The PowerShell cmdlets related to task creation, modification and start occurred on $Computer$ by $user_id$. + message: The PowerShell cmdlets related to task creation, modification and start + occurred on $Computer$ by $user_id$. mitre_attack_id: - T1053.005 - T1059.001 @@ -58,6 +67,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/atomic_red_team/pwsh_scheduledtask.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/atomic_red_team/pwsh_scheduledtask.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_powershell_wmi_win32_scheduledjob.yml b/detections/endpoint/windows_powershell_wmi_win32_scheduledjob.yml index 506dab9dc4..eda87ec83a 100644 --- a/detections/endpoint/windows_powershell_wmi_win32_scheduledjob.yml +++ b/detections/endpoint/windows_powershell_wmi_win32_scheduledjob.yml @@ -1,21 +1,32 @@ name: Windows PowerShell WMI Win32 ScheduledJob id: 47c69803-2c09-408b-b40a-063c064cbb16 -version: 1 -date: '2023-03-27' +version: 2 +date: '2024-05-17' author: Michael Haag, Splunk type: TTP status: production data_source: - Powershell Script Block Logging 4104 -description: The following analytic detects the use of the PowerShell script block logging mechanism to detect the use of the Win32_ScheduledJob WMI class. This class allows the creation and management of scheduled tasks on Windows systems. However, due to security concerns, the class has been disabled by default in Windows systems, and its use must be explicitly enabled by modifying the registry. As a result, the detection of the use of this class may indicate malicious activity, especially if the class was enabled on the system by the attacker. Therefore, it is recommended to monitor the use of Win32_ScheduledJob through PowerShell script block logging and to investigate any suspicious activity. -search: '`powershell` EventCode=4104 ScriptBlockText="*win32_scheduledjob*" - | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user - | `security_content_ctime(firstTime)` +description: The following analytic detects the use of the Win32_ScheduledJob WMI + class via PowerShell script block logging. This class, which manages scheduled tasks, + is disabled by default due to security concerns and must be explicitly enabled through + registry modifications. The detection leverages PowerShell event code 4104 and script + block text analysis. Monitoring this activity is crucial as it may indicate malicious + intent, especially if the class was enabled by an attacker. If confirmed malicious, + this could allow attackers to persist in the environment by creating scheduled tasks. +search: '`powershell` EventCode=4104 ScriptBlockText="*win32_scheduledjob*" | stats + count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText + Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_wmi_win32_scheduledjob_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -known_false_positives: False positives may be present based on legacy applications or utilities. Win32_ScheduledJob uses the Remote Procedure Call (RPC) protocol to create scheduled tasks on remote computers. It uses the DCOM (Distributed Component Object Model) infrastructure to establish a connection with the remote computer and invoke the necessary methods. The RPC service needs to be running on both the local and remote computers for the communication to take place. +known_false_positives: False positives may be present based on legacy applications + or utilities. Win32_ScheduledJob uses the Remote Procedure Call (RPC) protocol to + create scheduled tasks on remote computers. It uses the DCOM (Distributed Component + Object Model) infrastructure to establish a connection with the remote computer + and invoke the necessary methods. The RPC service needs to be running on both the + local and remote computers for the communication to take place. references: - https://securityonline.info/wmiexec-regout-get-outputdata-response-from-registry/ - https://learn.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob @@ -25,7 +36,8 @@ tags: asset_type: Endpoint confidence: 50 impact: 80 - message: PowerShell attempting to create a task via WMI - Win32_ScheduledJob, was ran on $dest$. + message: PowerShell attempting to create a task via WMI - Win32_ScheduledJob, was + ran on $dest$. mitre_attack_id: - T1059.001 - T1059 @@ -48,7 +60,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/win32_scheduledjob_windows-powershell.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/win32_scheduledjob_windows-powershell.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog - update_timestamp: true \ No newline at end of file + update_timestamp: true diff --git a/detections/endpoint/windows_powersploit_gpp_discovery.yml b/detections/endpoint/windows_powersploit_gpp_discovery.yml index 714700fe95..6fb35c4eaf 100644 --- a/detections/endpoint/windows_powersploit_gpp_discovery.yml +++ b/detections/endpoint/windows_powersploit_gpp_discovery.yml @@ -1,19 +1,23 @@ name: Windows PowerSploit GPP Discovery id: 0130a0df-83a1-4647-9011-841e950ff302 -version: 1 -date: '2023-03-16' +version: 2 +date: '2024-05-12' author: Mauricio Velazco, Splunk status: production type: TTP data_source: - Powershell Script Block Logging 4104 -description: The following analytic identifies the use of the Get-GPPPassword PowerShell commandlet employed to search for unsecured credentials Group Policy Preferences (GPP). - GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts. - These group policies are stored in SYSVOL on a domain controller. This means that any domain user can view the SYSVOL share and decrypt the password (using the AES key that has been made public). - While Microsoft released a patch that impedes Administrators to create unsecure credentials, existing Group Policy Preferences files with passwords are not removed from SYSVOL. +description: The following analytic detects the execution of the Get-GPPPassword PowerShell + cmdlet, which is used to search for unsecured credentials in Group Policy Preferences + (GPP). This detection leverages PowerShell Script Block Logging to identify specific + script block text associated with this cmdlet. Monitoring this activity is crucial + as it can indicate an attempt to retrieve and decrypt stored credentials from SYSVOL, + potentially leading to unauthorized access. If confirmed malicious, this activity + could allow an attacker to escalate privileges or move laterally within the network + by exploiting exposed credentials. search: ' `powershell` EventCode=4104 (ScriptBlockText=Get-GPPPassword OR ScriptBlockText=Get-CachedGPPPassword) - | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer + UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powersploit_gpp_discovery_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here @@ -22,7 +26,7 @@ known_false_positives: Unknown references: - https://attack.mitre.org/techniques/T1552/006/ - https://pentestlab.blog/2017/03/20/group-policy-preferences/ -- https://adsecurity.org/?p=2288 +- https://adsecurity.org/?p=2288 - https://www.hackingarticles.in/credential-dumping-group-policy-preferences-gpp/ - https://adsecurity.org/?p=2288 - https://support.microsoft.com/en-us/topic/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevation-of-privilege-may-13-2014-60734e15-af79-26ca-ea53-8cd617073c30 @@ -61,6 +65,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.006/powershell_gpp_discovery/win-powershell.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.006/powershell_gpp_discovery/win-powershell.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_powerview_ad_access_control_list_enumeration.yml b/detections/endpoint/windows_powerview_ad_access_control_list_enumeration.yml index 564d807e30..4b9c329ff4 100644 --- a/detections/endpoint/windows_powerview_ad_access_control_list_enumeration.yml +++ b/detections/endpoint/windows_powerview_ad_access_control_list_enumeration.yml @@ -1,26 +1,29 @@ name: Windows PowerView AD Access Control List Enumeration id: 39405650-c364-4e1e-a740-32a63ef042a6 -version: 1 -date: '2023-04-20' +version: 2 +date: '2024-05-17' author: Mauricio Velazco, Splunk status: production type: TTP data_source: - Powershell Script Block Logging 4104 -description: The following analytic leverages Event ID 4104 to identify the execution of the PowerView powershell commandlets `Get-ObjectAcl` or `Get-DomainObjectAcl`. This commandlets - are used to enumerate Access Control List permissions given to Active Directory objects. In an active directory environment, an object is an entity that represents an available resource within - the organizations network, such as domain controllers, users, groups, computers, shares, etc. Maintaining Active Directory permissions is complicated and hard to manage, especially in complex - and large environments with multiple domains. Weak permissions may allow adversaries and red teamers to escalate their privileges in Active Directory. PowerView is a common tool leveraged - by attackers to identify and exploit configuration weaknesses. -search: ' `powershell` EventCode=4104 (ScriptBlockText=*get-objectacl* OR ScriptBlockText=*Get-DomainObjectAcl* ) - | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +description: The following analytic detects the execution of PowerView PowerShell + cmdlets `Get-ObjectAcl` or `Get-DomainObjectAcl`, which are used to enumerate Access + Control List (ACL) permissions for Active Directory objects. It leverages Event + ID 4104 from PowerShell Script Block Logging to identify this activity. This behavior + is significant as it may indicate an attempt to discover weak permissions in Active + Directory, potentially leading to privilege escalation. If confirmed malicious, + attackers could exploit these permissions to gain unauthorized access or escalate + their privileges within the network. +search: ' `powershell` EventCode=4104 (ScriptBlockText=*get-objectacl* OR ScriptBlockText=*Get-DomainObjectAcl* + ) | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer + UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powerview_ad_access_control_list_enumeration_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.= -known_false_positives: Administrators may leverage PowerView for legitimate purposes, filter as needed. +known_false_positives: Administrators may leverage PowerView for legitimate purposes, + filter as needed. references: - https://attack.mitre.org/techniques/T1078/002/ - https://medium.com/r3d-buck3t/enumerating-access-controls-in-active-directory-c06e2efa8b89 @@ -58,6 +61,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/powerview_acl_enumeration/windows-powershell.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/powerview_acl_enumeration/windows-powershell.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational - sourcetype: XmlWinEventLog \ No newline at end of file + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_powerview_constrained_delegation_discovery.yml b/detections/endpoint/windows_powerview_constrained_delegation_discovery.yml index 05c1cbd404..cac12014b8 100644 --- a/detections/endpoint/windows_powerview_constrained_delegation_discovery.yml +++ b/detections/endpoint/windows_powerview_constrained_delegation_discovery.yml @@ -1,20 +1,24 @@ name: Windows PowerView Constrained Delegation Discovery id: 86dc8176-6e6c-42d6-9684-5444c6557ab3 -version: 2 -date: '2024-04-26' +version: 3 +date: '2024-05-10' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) - to identify commandlets used by the PowerView hacking tool leveraged to discover - Windows endpoints with Kerberos Constrained Delegation. Red Teams and adversaries - alike may leverage use this technique for situational awareness and Active Directory - Discovery. +description: The following analytic detects the use of PowerView commandlets to discover + Windows endpoints with Kerberos Constrained Delegation. It leverages PowerShell + Script Block Logging (EventCode=4104) to identify specific commandlets like `Get-DomainComputer` + or `Get-NetComputer` with the `-TrustedToAuth` parameter. This activity is significant + as it indicates potential reconnaissance efforts by adversaries or Red Teams to + map out privileged delegation settings in Active Directory. If confirmed malicious, + this could allow attackers to identify high-value targets for further exploitation, + potentially leading to privilege escalation or lateral movement within the network. data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 (ScriptBlockText = "*Get-DomainComputer*" OR ScriptBlockText - = "*Get-NetComputer*") AND (ScriptBlockText = "*-TrustedToAuth*") | stats count min(_time) - as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` +search: '`powershell` EventCode=4104 (ScriptBlockText = "*Get-DomainComputer*" OR + ScriptBlockText = "*Get-NetComputer*") AND (ScriptBlockText = "*-TrustedToAuth*") + | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText + Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powerview_constrained_delegation_discovery_filter`' how_to_implement: The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add @@ -56,13 +60,14 @@ tags: - _time - EventCode - ScriptBlockText - - ComputerName - - User + - Computer + - UserID risk_score: 35 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/windows_powerview_constrained_delegation_discovery/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/windows_powerview_constrained_delegation_discovery/windows-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_powerview_kerberos_service_ticket_request.yml b/detections/endpoint/windows_powerview_kerberos_service_ticket_request.yml index baa5231f89..fd8f21bf0a 100644 --- a/detections/endpoint/windows_powerview_kerberos_service_ticket_request.yml +++ b/detections/endpoint/windows_powerview_kerberos_service_ticket_request.yml @@ -1,25 +1,24 @@ name: Windows PowerView Kerberos Service Ticket Request id: 970455a1-4ac2-47e1-a9a5-9e75443ddcb9 -version: 1 -date: '2022-06-22' +version: 2 +date: '2024-05-31' author: Gowthamaraj Rajendran, Splunk status: production type: TTP -description: The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) - to identify the execution of the `Get-DomainSPNTicket` commandlets with specific - parameters. This commandlet is a part of PowerView, a PowerShell tool used to perform - enumeration and discovery on Windows Active Directory networks. As the name suggests, - this commandlet is used to request the kerberos ticket for a specified service principal - name (SPN). Once the ticket is received, it may be cracked using password cracking - tools like hashcat to extract the password of the SPN account. Red Teams and adversaries - alike may leverage PowerView and these commandlets to identify accounts that can - be attacked with the Kerberoasting technique. +description: The following analytic detects the execution of the `Get-DomainSPNTicket` + commandlet, part of the PowerView tool, by leveraging PowerShell Script Block Logging + (EventCode=4104). This commandlet requests Kerberos service tickets for specified + service principal names (SPNs). Monitoring this activity is crucial as it can indicate + attempts to perform Kerberoasting, a technique used to extract SPN account passwords + via cracking tools like hashcat. If confirmed malicious, this activity could allow + attackers to gain unauthorized access to sensitive accounts, potentially leading + to privilege escalation and further network compromise. data_source: - Powershell Script Block Logging 4104 search: '`powershell` EventCode=4104 ScriptBlockText=*Get-DomainSPNTicket* | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText - Computer UserID | rename Computer as dest | rename UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `windows_powerview_kerberos_service_ticket_request_filter`' + Computer UserID | rename Computer as dest | rename UserID as user| `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_powerview_kerberos_service_ticket_request_filter`' how_to_implement: The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. @@ -62,6 +61,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.003/powerview/windows-powershell-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.003/powerview/windows-powershell-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_powerview_spn_discovery.yml b/detections/endpoint/windows_powerview_spn_discovery.yml index 56c9c54800..d4542f0745 100644 --- a/detections/endpoint/windows_powerview_spn_discovery.yml +++ b/detections/endpoint/windows_powerview_spn_discovery.yml @@ -1,19 +1,18 @@ name: Windows PowerView SPN Discovery id: a7093c28-796c-4ebb-9997-e2c18b870837 -version: 1 -date: '2023-12-27' +version: 2 +date: '2024-05-13' author: Gowthamaraj Rajendran, Splunk status: production type: TTP -description: The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) - to identify the execution of the `Get-DomainUser` or `Get-NetUSer` commandlets with - specific parameters. These commandlets are part of PowerView, a PowerShell tool - used to perform enumeration and discovery on Windows Active Directory networks. - As the names suggest, these commandlets are used to identify domain users in a network - and combining them with the `-SPN` parameter allows adversaries to discover domain - accounts associated with a Service Principal Name (SPN). Red Teams and adversaries - alike may leverage PowerView and these commandlets to identify accounts that can - be attacked with the Kerberoasting technique. +description: The following analytic detects the execution of the `Get-DomainUser` + or `Get-NetUser` PowerShell cmdlets with the `-SPN` parameter, indicating the use + of PowerView for SPN discovery. It leverages PowerShell Script Block Logging (EventCode=4104) + to identify these specific commands. This activity is significant as it suggests + an attempt to enumerate domain accounts associated with Service Principal Names + (SPNs), a common precursor to Kerberoasting attacks. If confirmed malicious, this + could allow an attacker to identify and target accounts for credential theft, potentially + leading to unauthorized access and privilege escalation within the network. data_source: - Powershell Script Block Logging 4104 search: '`powershell` EventCode=4104 (ScriptBlockText =*Get-NetUser* OR ScriptBlockText=*Get-DomainUser*) @@ -62,6 +61,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.003/powerview-2/windows-powershell.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.003/powerview-2/windows-powershell.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_powerview_unconstrained_delegation_discovery.yml b/detections/endpoint/windows_powerview_unconstrained_delegation_discovery.yml index ba692776de..8480b2bcdc 100644 --- a/detections/endpoint/windows_powerview_unconstrained_delegation_discovery.yml +++ b/detections/endpoint/windows_powerview_unconstrained_delegation_discovery.yml @@ -1,20 +1,24 @@ name: Windows PowerView Unconstrained Delegation Discovery id: fbf9e47f-e531-4fea-942d-5c95af7ed4d6 -version: 2 -date: '2024-04-26' +version: 3 +date: '2024-05-10' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) - to identify commandlets used by the PowerView hacking tool leveraged to discover - Windows endpoints with Kerberos Unconstrained Delegation. Red Teams and adversaries - alike may leverage use this technique for situational awareness and Active Directory - Discovery. +description: The following analytic detects the use of PowerView commandlets to discover + Windows endpoints with Kerberos Unconstrained Delegation. It leverages PowerShell + Script Block Logging (EventCode=4104) to identify specific commands like `Get-DomainComputer` + or `Get-NetComputer` with the `-Unconstrained` parameter. This activity is significant + as it indicates potential reconnaissance efforts by adversaries or Red Teams to + map out privileged delegation settings in Active Directory. If confirmed malicious, + this could allow attackers to identify high-value targets for further exploitation, + potentially leading to privilege escalation or lateral movement within the network. data_source: - Powershell Script Block Logging 4104 -search: '`powershell` EventCode=4104 (ScriptBlockText = "*Get-DomainComputer*" OR ScriptBlockText - = "*Get-NetComputer*") AND (ScriptBlockText = "*-Unconstrained*") | stats count min(_time) - as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` +search: '`powershell` EventCode=4104 (ScriptBlockText = "*Get-DomainComputer*" OR + ScriptBlockText = "*Get-NetComputer*") AND (ScriptBlockText = "*-Unconstrained*") + | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText + Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powerview_unconstrained_delegation_discovery_filter`' how_to_implement: The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add @@ -55,13 +59,14 @@ tags: - _time - EventCode - ScriptBlockText - - ComputerName - - User + - Computer + - UserID risk_score: 35 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/windows_powerview_constrained_delegation_discovery/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/windows_powerview_constrained_delegation_discovery/windows-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_private_keys_discovery.yml b/detections/endpoint/windows_private_keys_discovery.yml index 684b7898ab..8434dab2bb 100644 --- a/detections/endpoint/windows_private_keys_discovery.yml +++ b/detections/endpoint/windows_private_keys_discovery.yml @@ -1,18 +1,19 @@ name: Windows Private Keys Discovery id: 5c1c2877-06c0-40ee-a1a2-db71f1372b5b -version: 1 -date: '2022-11-30' +version: 2 +date: '2024-05-30' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic identifies a process command line that retrieves - information related to private keys files. This technique was seen in several post - exploitation tools like winpeas that are being used by Ransomware Prestige to search - for private key certificates on the compromised host for insecurely stored credentials. - This files can be used by adversaries to gain privileges, persistence or remote - service authentication to collect more sensitive information. Some private keys - required password for operation, so in this case adversaries may need to have that - passphrase either via keylogging or brute force attack. +description: The following analytic identifies processes that retrieve information + related to private key files, often used by post-exploitation tools like winpeas. + This detection leverages data from Endpoint Detection and Response (EDR) agents, + focusing on command-line executions that search for private key certificates. This + activity is significant as it indicates potential attempts to locate insecurely + stored credentials, which adversaries can exploit for privilege escalation, persistence, + or remote service authentication. If confirmed malicious, this behavior could allow + attackers to access sensitive information, escalate privileges, or maintain persistence + within the compromised environment. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -79,7 +80,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/winpeas_search_private_key/dir-private-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/winpeas_search_private_key/dir-private-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_privilege_escalation_suspicious_process_elevation.yml b/detections/endpoint/windows_privilege_escalation_suspicious_process_elevation.yml index f7c19c1c09..260cd7c510 100644 --- a/detections/endpoint/windows_privilege_escalation_suspicious_process_elevation.yml +++ b/detections/endpoint/windows_privilege_escalation_suspicious_process_elevation.yml @@ -1,79 +1,109 @@ ---- name: Windows Privilege Escalation Suspicious Process Elevation id: 6a80300a-9f8a-4f22-bd3e-09ca577cfdfc -version: 1 -date: '2023-11-30' +version: 2 +date: '2024-05-23' author: Steven Dick status: production type: TTP -description: The following analytic detects when any low->high integrity level process running from a user account spawns an elevated (high/system integrity) process in a suspicious location or with system level process integrity. This behavior may indicate when a threat actor has successfully elevated privileges. +description: The following analytic detects when a process running with low or medium + integrity from a user account spawns an elevated process with high or system integrity + in suspicious locations. This behavior is identified using process execution data + from Windows process monitoring or Sysmon Event ID 1. This activity is significant + as it may indicate a threat actor successfully elevating privileges, which is a + common tactic in advanced attacks. If confirmed malicious, this could allow the + attacker to execute code with higher privileges, potentially leading to full system + compromise and persistent access. data_source: - Sysmon EventID 1 search: >- - | tstats `security_content_summariesonly` count min(_time) as firstTime from datamodel=Endpoint.Processes where Processes.process_integrity_level IN ("low","medium","high") NOT Processes.user IN ("*SYSTEM","*LOCAL SERVICE","*NETWORK SERVICE","DWM-*","*$") by Processes.dest, Processes.user, Processes.parent_process_guid, Processes.parent_process, Processes.parent_process_name Processes.process_name Processes.process, Processes.process_path, Processes.process_guid, - Processes.process_integrity_level, Processes.process_current_directory | `drop_dm_object_name(Processes)` | eval join_guid = process_guid, integrity_level = CASE(match(process_integrity_level,"low"),1,match(process_integrity_level,"medium"),2,match(process_integrity_level,"high"),3,match(process_integrity_level,"system"),4,true(),0) | rename user as src_user, parent_process* as orig_parent_process*, process* as parent_process* | join max=0 dest join_guid [| tstats - `security_content_summariesonly` count max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_integrity_level IN ("system") NOT Processes.user IN ("*SYSTEM","*LOCAL SERVICE","*NETWORK SERVICE","DWM-*","*$")) OR (Processes.process_integrity_level IN ("high","system") AND (Processes.parent_process_path IN ("*\\\\*","*\\Users\\*","*\\Temp\\*","*\\ProgramData\\*") OR Processes.process_path IN ("*\\\\*","*\\Users\\*","*\\Temp\\*","*\\ProgramData\\*"))) by Processes.dest, - Processes.user, Processes.parent_process_guid, Processes.process_name, Processes.process, Processes.process_path, Processes.process_integrity_level, Processes.process_current_directory | `drop_dm_object_name(Processes)` | eval elevated_integrity_level = CASE(match(process_integrity_level,"low"),1,match(process_integrity_level,"medium"),2,match(process_integrity_level,"high"),3,match(process_integrity_level,"system"),4,true(),0) | rename parent_process_guid as join_guid ] | where - elevated_integrity_level > integrity_level OR user != elevated_user | fields dest, user, src_user, parent_process_name, parent_process, parent_process_path, parent_process_guid, parent_process_integrity_level, parent_process_current_directory, process_name, process, process_path, process_guid, process_integrity_level, process_current_directory, orig_parent_process_name, orig_parent_process, orig_parent_process_guid, firstTime, lastTime, count | `security_content_ctime(firstTime)` | + | tstats `security_content_summariesonly` count min(_time) as firstTime from datamodel=Endpoint.Processes + where Processes.process_integrity_level IN ("low","medium","high") NOT Processes.user + IN ("*SYSTEM","*LOCAL SERVICE","*NETWORK SERVICE","DWM-*","*$") by Processes.dest, + Processes.user, Processes.parent_process_guid, Processes.parent_process, Processes.parent_process_name + Processes.process_name Processes.process, Processes.process_path, Processes.process_guid, + Processes.process_integrity_level, Processes.process_current_directory | `drop_dm_object_name(Processes)` + | eval join_guid = process_guid, integrity_level = CASE(match(process_integrity_level,"low"),1,match(process_integrity_level,"medium"),2,match(process_integrity_level,"high"),3,match(process_integrity_level,"system"),4,true(),0) + | rename user as src_user, parent_process* as orig_parent_process*, process* as + parent_process* | join max=0 dest join_guid [| tstats + `security_content_summariesonly` count max(_time) as lastTime from datamodel=Endpoint.Processes + where (Processes.process_integrity_level IN ("system") NOT Processes.user IN ("*SYSTEM","*LOCAL + SERVICE","*NETWORK SERVICE","DWM-*","*$")) OR (Processes.process_integrity_level + IN ("high","system") AND (Processes.parent_process_path IN ("*\\\\*","*\\Users\\*","*\\Temp\\*","*\\ProgramData\\*") + OR Processes.process_path IN ("*\\\\*","*\\Users\\*","*\\Temp\\*","*\\ProgramData\\*"))) + by Processes.dest, + Processes.user, Processes.parent_process_guid, Processes.process_name, Processes.process, + Processes.process_path, Processes.process_integrity_level, Processes.process_current_directory + | `drop_dm_object_name(Processes)` | eval elevated_integrity_level = CASE(match(process_integrity_level,"low"),1,match(process_integrity_level,"medium"),2,match(process_integrity_level,"high"),3,match(process_integrity_level,"system"),4,true(),0) + | rename parent_process_guid as join_guid ] | where + elevated_integrity_level > integrity_level OR user != elevated_user | fields dest, + user, src_user, parent_process_name, parent_process, parent_process_path, parent_process_guid, + parent_process_integrity_level, parent_process_current_directory, process_name, + process, process_path, process_guid, process_integrity_level, process_current_directory, + orig_parent_process_name, orig_parent_process, orig_parent_process_guid, firstTime, + lastTime, count | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_privilege_escalation_suspicious_process_elevation_filter` -how_to_implement: Target environment must ingest process execution data sources such as Windows process monitoring and/or Sysmon EID 1. -known_false_positives: False positives may be generated by administrators installing benign applications using run-as/elevation. +how_to_implement: Target environment must ingest process execution data sources such + as Windows process monitoring and/or Sysmon EID 1. +known_false_positives: False positives may be generated by administrators installing + benign applications using run-as/elevation. references: - - https://attack.mitre.org/techniques/T1068/ - - https://vuls.cert.org/confluence/display/Wiki/2021/06/21/Finding+Privilege+Escalation+Vulnerabilities+in+Windows+using+Process+Monitor - - https://redcanary.com/blog/getsystem-offsec/ - - https://atomicredteam.io/privilege-escalation/T1134.001/ +- https://attack.mitre.org/techniques/T1068/ +- https://vuls.cert.org/confluence/display/Wiki/2021/06/21/Finding+Privilege+Escalation+Vulnerabilities+in+Windows+using+Process+Monitor +- https://redcanary.com/blog/getsystem-offsec/ +- https://atomicredteam.io/privilege-escalation/T1134.001/ tags: analytic_story: - - Windows Privilege Escalation + - Windows Privilege Escalation asset_type: Endpoint confidence: 40 impact: 100 - message: The user $src_user$ launched a process [$parent_process_name$] which spawned a suspicious elevated integrity process [$process_name$]. + message: The user $src_user$ launched a process [$parent_process_name$] which spawned + a suspicious elevated integrity process [$process_name$]. mitre_attack_id: - - T1068 - - T1548 - - T1134 + - T1068 + - T1548 + - T1134 observable: - - name: dest - role: - - Victim - type: Hostname - - name: user - role: - - Victim - type: User - - name: src_user - role: - - Victim - type: User - - name: process_name - role: - - Attacker - type: Other + - name: dest + role: + - Victim + type: Hostname + - name: user + role: + - Victim + type: User + - name: src_user + role: + - Victim + type: User + - name: process_name + role: + - Attacker + type: Other product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_guid - - Processes.parent_process - - Processes.parent_process_name - - Processes.process_name - - Processes.process - - Processes.process_path - - Processes.process_guid - - Processes.process_integrity_level - - Processes.process_current_directory + - _time + - Processes.dest + - Processes.user + - Processes.parent_process_guid + - Processes.parent_process + - Processes.parent_process_name + - Processes.process_name + - Processes.process + - Processes.process_path + - Processes.process_guid + - Processes.process_integrity_level + - Processes.process_current_directory risk_score: 40 security_domain: endpoint tests: - - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/windows_escalation_behavior/windows_escalation_behavior_sysmon.log - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: XmlWinEventLog - update_timestamp: true - name: True Positive Test \ No newline at end of file +- attack_data: + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/windows_escalation_behavior/windows_escalation_behavior_sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog + update_timestamp: true + name: True Positive Test diff --git a/detections/endpoint/windows_privilege_escalation_system_process_without_system_parent.yml b/detections/endpoint/windows_privilege_escalation_system_process_without_system_parent.yml index 9b7995d414..61bd65496c 100644 --- a/detections/endpoint/windows_privilege_escalation_system_process_without_system_parent.yml +++ b/detections/endpoint/windows_privilege_escalation_system_process_without_system_parent.yml @@ -1,66 +1,79 @@ ---- name: Windows Privilege Escalation System Process Without System Parent id: 5a5351cd-ba7e-499e-ad82-2ce160ffa637 -version: 1 -date: '2023-11-30' +version: 2 +date: '2024-05-28' author: Steven Dick status: production type: TTP -description: The following analytic detects any system integrity level process that was spawned by a process not running as a system account. This behavior is often seen when attackers successfully escalate privileges to SYSTEM from a user controlled process or service. +description: The following analytic detects any system integrity level process spawned + by a non-system account. It leverages Sysmon Event ID 1, focusing on process integrity + and parent user data. This behavior is significant as it often indicates successful + privilege escalation to SYSTEM from a user-controlled process or service. If confirmed + malicious, this activity could allow an attacker to gain full control over the system, + execute arbitrary code, and potentially compromise the entire environment. data_source: - Sysmon EventID 1 search: >- - `sysmon` EventCode=1 IntegrityLevel="system" ParentUser=* NOT ParentUser IN ("*SYSTEM","*LOCAL SERVICE","*NETWORK SERVICE","*DWM-*","*$","-") | eval src_user = replace(ParentUser,"^[^\\\]+\\\\","") | stats count min(_time) as firstTime max(_time) as lastTime values(process_name) as process_name values(process) as process, values(process_path) as process_path, values(process_current_directory) as process_current_directory values(parent_process) as parent_process by dest, user, src_user, - parent_process_name, parent_process_guid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_privilege_escalation_system_process_without_system_parent_filter` -how_to_implement: Target environment must ingest sysmon data, specifically Event ID 1 with process integrity and parent user data. + `sysmon` EventCode=1 IntegrityLevel="system" ParentUser=* NOT ParentUser IN ("*SYSTEM","*LOCAL + SERVICE","*NETWORK SERVICE","*DWM-*","*$","-") | eval src_user = replace(ParentUser,"^[^\\\]+\\\\","") + | stats count min(_time) as firstTime max(_time) as lastTime values(process_name) + as process_name values(process) as process, values(process_path) as process_path, + values(process_current_directory) as process_current_directory values(parent_process) + as parent_process by dest, user, src_user, + parent_process_name, parent_process_guid | `security_content_ctime(firstTime)` | + `security_content_ctime(lastTime)` | `windows_privilege_escalation_system_process_without_system_parent_filter` +how_to_implement: Target environment must ingest sysmon data, specifically Event ID + 1 with process integrity and parent user data. known_false_positives: Unknown references: - - https://attack.mitre.org/techniques/T1068/ - - https://vuls.cert.org/confluence/display/Wiki/2021/06/21/Finding+Privilege+Escalation+Vulnerabilities+in+Windows+using+Process+Monitor - - https://redcanary.com/blog/getsystem-offsec/ - - https://atomicredteam.io/privilege-escalation/T1134.001/ +- https://attack.mitre.org/techniques/T1068/ +- https://vuls.cert.org/confluence/display/Wiki/2021/06/21/Finding+Privilege+Escalation+Vulnerabilities+in+Windows+using+Process+Monitor +- https://redcanary.com/blog/getsystem-offsec/ +- https://atomicredteam.io/privilege-escalation/T1134.001/ tags: analytic_story: - - Windows Privilege Escalation + - Windows Privilege Escalation asset_type: Endpoint confidence: 80 impact: 100 - message: The process [$process_name$] on $dest$ was launched with system level integrity by $src_user$. + message: The process [$process_name$] on $dest$ was launched with system level integrity + by $src_user$. mitre_attack_id: - - T1068 - - T1548 - - T1134 + - T1068 + - T1548 + - T1134 observable: - - name: dest - role: - - Victim - type: Hostname - - name: src_user - role: - - Victim - type: User - - name: process_name - role: - - Attacker - type: Other + - name: dest + role: + - Victim + type: Hostname + - name: src_user + role: + - Victim + type: User + - name: process_name + role: + - Attacker + type: Other product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud required_fields: - - _time - - dest - - user - - ParentUser - - parent_process_name - - parent_process_guid - - IntegrityLevel + - _time + - dest + - user + - ParentUser + - parent_process_name + - parent_process_guid + - IntegrityLevel risk_score: 80 security_domain: endpoint tests: - - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/windows_escalation_behavior/windows_escalation_behavior_sysmon.log - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: XmlWinEventLog - update_timestamp: true - name: True Positive Test +- attack_data: + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/windows_escalation_behavior/windows_escalation_behavior_sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog + update_timestamp: true + name: True Positive Test diff --git a/detections/endpoint/windows_privilege_escalation_user_process_spawn_system_process.yml b/detections/endpoint/windows_privilege_escalation_user_process_spawn_system_process.yml index 41c97a1f19..72c1a9026f 100644 --- a/detections/endpoint/windows_privilege_escalation_user_process_spawn_system_process.yml +++ b/detections/endpoint/windows_privilege_escalation_user_process_spawn_system_process.yml @@ -1,68 +1,94 @@ ---- name: Windows Privilege Escalation User Process Spawn System Process id: c9687a28-39ad-43c6-8bcf-eaf061ba0cbe -version: 1 -date: '2023-11-30' +version: 2 +date: '2024-05-13' author: Steven Dick status: production type: TTP -description: The following analytic detects when any process low->high integrity level process spawns a system integrity process from a user controlled location. This behavior is often seen when attackers successfully escalate privileges to SYSTEM from a user controlled process or service. +description: The following analytic detects when a process with low, medium, or high + integrity spawns a system integrity process from a user-controlled location. This + behavior is indicative of privilege escalation attempts where attackers elevate + their privileges to SYSTEM level from a user-controlled process or service. The + detection leverages Sysmon data, specifically Event ID 15, to identify such transitions. + Monitoring this activity is crucial as it can signify an attacker gaining SYSTEM-level + access, potentially leading to full control over the affected system, unauthorized + access to sensitive data, and further malicious activities. data_source: - Sysmon EventID 1 search: >- - | tstats `security_content_summariesonly` count min(_time) as firstTime from datamodel=Endpoint.Processes where Processes.process_integrity_level IN ("low","medium","high") NOT Processes.user IN ("*SYSTEM","*LOCAL SERVICE","*NETWORK SERVICE","DWM-*","*$") AND Processes.process_path IN ("*\\\\*","*\\Users\\*","*\\Temp\\*","*\\ProgramData\\*") by Processes.dest, Processes.user, Processes.parent_process_guid, Processes.parent_process, Processes.parent_process_name Processes.process_name - Processes.process, Processes.process_path, Processes.process_guid, Processes.process_integrity_level, Processes.process_current_directory | `drop_dm_object_name(Processes)` | eval join_guid = process_guid | join max=0 dest join_guid [| tstats `security_content_summariesonly` count max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_integrity_level IN ("system") AND Processes.parent_process_path IN ("*\\\\*","*\\Users\\*","*\\Temp\\*","*\\ProgramData\\*") by - Processes.dest, Processes.user, Processes.parent_process_guid, Processes.process_name, Processes.process, Processes.process_path, Processes.process_integrity_level, Processes.process_current_directory | `drop_dm_object_name(Processes)` | rename parent_process_guid as join_guid, process* as system_process*, user as system_user ] | fields dest, user, parent_process, parent_process_name, parent_process_guid, process, process_name, process_guid, process_integrity_level,process_path, - process_current_directory, system_process_name, system_process, system_process_path, system_process_integrity_level, system_process_current_directory, system_user, firstTime, lastTime, count | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_privilege_escalation_user_process_spawn_system_process_filter` -how_to_implement: Target environment must ingest sysmon data, specifically Event ID 15. + | tstats `security_content_summariesonly` count min(_time) as firstTime from datamodel=Endpoint.Processes + where Processes.process_integrity_level IN ("low","medium","high") NOT Processes.user + IN ("*SYSTEM","*LOCAL SERVICE","*NETWORK SERVICE","DWM-*","*$") AND Processes.process_path + IN ("*\\\\*","*\\Users\\*","*\\Temp\\*","*\\ProgramData\\*") by Processes.dest, + Processes.user, Processes.parent_process_guid, Processes.parent_process, Processes.parent_process_name + Processes.process_name + Processes.process, Processes.process_path, Processes.process_guid, Processes.process_integrity_level, + Processes.process_current_directory | `drop_dm_object_name(Processes)` | eval join_guid + = process_guid | join max=0 dest join_guid [| tstats `security_content_summariesonly` + count max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_integrity_level + IN ("system") AND Processes.parent_process_path IN ("*\\\\*","*\\Users\\*","*\\Temp\\*","*\\ProgramData\\*") + by + Processes.dest, Processes.user, Processes.parent_process_guid, Processes.process_name, + Processes.process, Processes.process_path, Processes.process_integrity_level, Processes.process_current_directory + | `drop_dm_object_name(Processes)` | rename parent_process_guid as join_guid, process* + as system_process*, user as system_user ] | fields dest, user, parent_process, parent_process_name, + parent_process_guid, process, process_name, process_guid, process_integrity_level,process_path, + process_current_directory, system_process_name, system_process, system_process_path, + system_process_integrity_level, system_process_current_directory, system_user, firstTime, + lastTime, count | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_privilege_escalation_user_process_spawn_system_process_filter` +how_to_implement: Target environment must ingest sysmon data, specifically Event ID + 15. known_false_positives: Unknown references: - - https://attack.mitre.org/techniques/T1068/ - - https://vuls.cert.org/confluence/display/Wiki/2021/06/21/Finding+Privilege+Escalation+Vulnerabilities+in+Windows+using+Process+Monitor - - https://redcanary.com/blog/getsystem-offsec/ - - https://atomicredteam.io/privilege-escalation/T1134.001/ +- https://attack.mitre.org/techniques/T1068/ +- https://vuls.cert.org/confluence/display/Wiki/2021/06/21/Finding+Privilege+Escalation+Vulnerabilities+in+Windows+using+Process+Monitor +- https://redcanary.com/blog/getsystem-offsec/ +- https://atomicredteam.io/privilege-escalation/T1134.001/ tags: analytic_story: - - Windows Privilege Escalation + - Windows Privilege Escalation asset_type: Endpoint confidence: 80 impact: 100 - message: The user $user$ launched a process [$process_name$] which spawned a system level integrity process [$system_process$]. + message: The user $user$ launched a process [$process_name$] which spawned a system + level integrity process [$system_process$]. mitre_attack_id: - - T1068 - - T1548 - - T1134 + - T1068 + - T1548 + - T1134 observable: - - name: dest - role: - - Victim - type: Hostname - - name: user - role: - - Victim - type: User - - name: process_name - role: - - Attacker - type: Other + - name: dest + role: + - Victim + type: Hostname + - name: user + role: + - Victim + type: User + - name: process_name + role: + - Attacker + type: Other product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud required_fields: - - _time - - dest - - user - - ParentUser - - parent_process_name - - parent_process_guid - - IntegrityLevel + - _time + - dest + - user + - ParentUser + - parent_process_name + - parent_process_guid + - IntegrityLevel risk_score: 80 security_domain: endpoint tests: - - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/windows_escalation_behavior/windows_escalation_behavior_sysmon.log - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: XmlWinEventLog - update_timestamp: true - name: True Positive Test +- attack_data: + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/windows_escalation_behavior/windows_escalation_behavior_sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog + update_timestamp: true + name: True Positive Test diff --git a/detections/endpoint/windows_process_commandline_discovery.yml b/detections/endpoint/windows_process_commandline_discovery.yml index 38db348055..8f0e4adcdb 100644 --- a/detections/endpoint/windows_process_commandline_discovery.yml +++ b/detections/endpoint/windows_process_commandline_discovery.yml @@ -1,22 +1,27 @@ name: Windows Process Commandline Discovery id: 67d2a52e-a7e2-4a5d-ae44-a21212048bc2 -version: 1 -date: '2023-12-15' +version: 2 +date: '2024-05-20' author: Teoderick Contreras, Splunk status: production type: Hunting data_source: - Sysmon EventID 1 -description: The following analytic detects Windows Management Instrumentation Command-line (WMIC) command - used to retrieve information about running processes and specifically fetches the command lines used to launch those processes. - This Hunting detection can be a good indicator for possible suspicious user or process getting list of process with its command line using wmic application which is not a - common practice for a non-technical user. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes - where `process_wmic` Processes.process= "* process *" Processes.process= "* get commandline *" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_process_commandline_discovery_filter`' +description: The following analytic detects the use of Windows Management Instrumentation + Command-line (WMIC) to retrieve information about running processes, specifically + targeting the command lines used to launch those processes. This detection leverages + data from Endpoint Detection and Response (EDR) agents, focusing on logs containing + process details and command-line executions. This activity is significant as it + may indicate suspicious behavior, such as a user or process gathering detailed process + information, which is uncommon for non-technical users. If confirmed malicious, + this could allow an attacker to gain insights into running processes, aiding in + further exploitation or lateral movement. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process= + "* process *" Processes.process= "* get commandline *" by Processes.dest Processes.user + Processes.parent_process Processes.process_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_process_commandline_discovery_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -26,7 +31,8 @@ how_to_implement: The detection is based on data that originates from Endpoint D the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Administrators or power users may use this command for troubleshooting. Filter as needed. +known_false_positives: Administrators or power users may use this command for troubleshooting. + Filter as needed. references: - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a tags: @@ -35,7 +41,8 @@ tags: asset_type: Endpoint confidence: 50 impact: 30 - message: Activity related to process commandline discovery detected on $dest$ using wmic.exe. + message: Activity related to process commandline discovery detected on $dest$ using + wmic.exe. mitre_attack_id: - T1057 observable: @@ -65,6 +72,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1057/process_commandline_discovery/wmic-cmdline-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1057/process_commandline_discovery/wmic-cmdline-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_process_injection_in_non_service_searchindexer.yml b/detections/endpoint/windows_process_injection_in_non_service_searchindexer.yml index 880e6bb0bd..8eee5c8a5b 100644 --- a/detections/endpoint/windows_process_injection_in_non_service_searchindexer.yml +++ b/detections/endpoint/windows_process_injection_in_non_service_searchindexer.yml @@ -1,26 +1,26 @@ name: Windows Process Injection In Non-Service SearchIndexer id: d131673f-ede1-47f2-93a1-0108d3e7fafd -version: 1 -date: '2024-01-03' +version: 2 +date: '2024-05-20' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 1 -description: The following analytic identifies a non-service searchindexer.exe process. - QakBot, a notorious banking trojan and information stealer, often deploys a process named "searchindexer.exe" - as part of its malicious activities. This legitimate Windows process, "Search Indexer," is manipulated by - QakBot to masquerade and evade detection within the system. The malware uses this deceptive tactic to - camouflage its presence, remaining inconspicuous while performing unauthorized actions like data exfiltration, - keystroke logging, and communication with command and control servers. By adopting the guise of a genuine system process, - the malicious "searchindexer.exe" process helps QakBot evade scrutiny and continue its malevolent operations without arousing suspicion. +description: The following analytic identifies instances of the searchindexer.exe + process that are not spawned by services.exe, indicating potential process injection. + This detection leverages data from Endpoint Detection and Response (EDR) agents, + focusing on process names and parent processes. This activity is significant because + QakBot malware often uses a fake searchindexer.exe to evade detection and perform + malicious actions such as data exfiltration and keystroke logging. If confirmed + malicious, this activity could allow attackers to maintain persistence, steal sensitive + information, and communicate with command and control servers. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name != services.exe Processes.process_name=searchindexer.exe - by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_process_injection_in_non_service_searchindexer_filter`' + as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name + != services.exe Processes.process_name=searchindexer.exe by Processes.dest Processes.user + Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process + Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_injection_in_non_service_searchindexer_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -71,6 +71,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/non-service-searchindexer/seaarch-indexer-non-service.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/non-service-searchindexer/seaarch-indexer-non-service.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_process_injection_into_notepad.yml b/detections/endpoint/windows_process_injection_into_notepad.yml index b13bc011e0..5402b29917 100644 --- a/detections/endpoint/windows_process_injection_into_notepad.yml +++ b/detections/endpoint/windows_process_injection_into_notepad.yml @@ -1,23 +1,32 @@ name: Windows Process Injection into Notepad id: b8340d0f-ba48-4391-bea7-9e793c5aae36 -version: 1 -date: '2023-02-22' +version: 2 +date: '2024-05-14' author: Michael Haag, Splunk type: Anomaly status: production data_source: - Sysmon EventID 10 -description: The following analytic utilizes Sysmon to identify process injection into Notepad.exe, based on GrantedAccess requests - 0x40 and 0x1fffff. This particular behavior is attributed to the defaults of the SliverC2 framework by BishopFox. - By default, the analytic filters out any SourceImage paths of System32, Syswow64 and program files. Add more as needed, or remove and monitor what is consistently injecting into notepad.exe. - This particular behavior will occur from a source image that is the initial payload dropped. -search: '`sysmon` EventCode=10 TargetImage IN (*\\notepad.exe) NOT (SourceImage IN ("*\\system32\\*","*\\syswow64\\*","*\\Program Files\\*")) GrantedAccess IN ("0x40","0x1fffff") | stats count min(_time) as firstTime max(_time) as lastTime by dest SourceImage TargetImage GrantedAccess CallTrace - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `windows_process_injection_into_notepad_filter`' +description: The following analytic detects process injection into Notepad.exe using + Sysmon EventCode 10. It identifies suspicious GrantedAccess requests (0x40 and 0x1fffff) + to Notepad.exe, excluding common system paths like System32, Syswow64, and Program + Files. This behavior is often associated with the SliverC2 framework by BishopFox. + Monitoring this activity is crucial as it may indicate an initial payload attempting + to execute malicious code within Notepad.exe. If confirmed malicious, this could + allow attackers to execute arbitrary code, potentially leading to privilege escalation + or persistent access within the environment. +search: '`sysmon` EventCode=10 TargetImage IN (*\\notepad.exe) NOT (SourceImage IN + ("*\\system32\\*","*\\syswow64\\*","*\\Program Files\\*")) GrantedAccess IN ("0x40","0x1fffff") + | stats count min(_time) as firstTime max(_time) as lastTime by dest SourceImage + TargetImage GrantedAccess CallTrace | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_process_injection_into_notepad_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -known_false_positives: False positives may be present based on SourceImage paths. If removing the paths is important, realize svchost and many native binaries inject into notepad consistently. Restrict or tune as needed. +known_false_positives: False positives may be present based on SourceImage paths. + If removing the paths is important, realize svchost and many native binaries inject + into notepad consistently. Restrict or tune as needed. references: - https://dominicbreuker.com/post/learning_sliver_c2_08_implant_basics/ - https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors @@ -27,7 +36,8 @@ tags: asset_type: Endpoint confidence: 80 impact: 40 - message: An instance of $SourceImage$ injecting into $TargetImage$ was identified on endpoint $dest$. + message: An instance of $SourceImage$ injecting into $TargetImage$ was identified + on endpoint $dest$. mitre_attack_id: - T1055 - T1055.002 @@ -50,17 +60,18 @@ tags: - Splunk Cloud required_fields: - _time - - dest - - SourceImage - - TargetImage - - GrantedAccess + - dest + - SourceImage + - TargetImage + - GrantedAccess - CallTrace risk_score: 32 security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/sliver/T1055_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/sliver/T1055_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true \ No newline at end of file + update_timestamp: true diff --git a/detections/endpoint/windows_process_injection_of_wermgr_to_known_browser.yml b/detections/endpoint/windows_process_injection_of_wermgr_to_known_browser.yml index 1add87c910..0079c49fc0 100644 --- a/detections/endpoint/windows_process_injection_of_wermgr_to_known_browser.yml +++ b/detections/endpoint/windows_process_injection_of_wermgr_to_known_browser.yml @@ -1,18 +1,18 @@ name: Windows Process Injection Of Wermgr to Known Browser id: aec755a5-3a2c-4be0-ab34-6540e68644e9 -version: 1 -date: '2022-10-28' +version: 2 +date: '2024-05-21' author: Teoderick Contreras, Splunk status: production type: TTP -description: This analytic identifies the suspicious Remote Thread execution of wermgr.exe - process to "firefox.exe", "chrome.exe" and other known browsers. This technique - was seen in Qakbot malware that executes its malicious code by injecting its code - in legitimate Windows Operating System processes such as wermgr.exe to steal information - in the compromised host. This TTP detection can be a good pivot to detect wermgr.exe - process injected with qakbot code that tries to remote thread code execution in - known browsers like firefox and edge which is not a common behavior of this wermgr.exe - application. +description: The following analytic identifies the suspicious remote thread execution + of the wermgr.exe process into known browsers such as firefox.exe, chrome.exe, and + others. It leverages Sysmon EventCode 8 logs to detect this behavior by monitoring + SourceImage and TargetImage fields. This activity is significant because it is indicative + of Qakbot malware, which injects malicious code into legitimate processes to steal + information. If confirmed malicious, this activity could allow attackers to execute + arbitrary code, escalate privileges, and exfiltrate sensitive data from the compromised + host. data_source: - Sysmon EventID 8 search: '`sysmon` EventCode=8 SourceImage = "*\\wermgr.exe" TargetImage IN ("*\\firefox.exe", @@ -66,7 +66,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/remote_thread/sysmon_wermgr_remote.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/remote_thread/sysmon_wermgr_remote.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_process_injection_remote_thread.yml b/detections/endpoint/windows_process_injection_remote_thread.yml index 6b1e0960ae..8435afb15e 100644 --- a/detections/endpoint/windows_process_injection_remote_thread.yml +++ b/detections/endpoint/windows_process_injection_remote_thread.yml @@ -1,24 +1,26 @@ name: Windows Process Injection Remote Thread id: 8a618ade-ca8f-4d04-b972-2d526ba59924 -version: 1 -date: '2023-06-15' +version: 2 +date: '2024-05-24' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic identifies a suspicious remote thread execution - in some process being abused by threat actor and malware like qakbot. Qakbot is - one of the malware using this technique to load its malicious dll module or malicious - code in the targeted host. This TTP can be a good pivot to verify what is the behavior - of the targeted Image process after this detection trigger. look for network connection, - child process execution, file access and many more that helps to verify the indication - of malware infection. +description: The following analytic detects suspicious remote thread execution in + processes such as Taskmgr.exe, calc.exe, and notepad.exe, which may indicate process + injection by malware like Qakbot. This detection leverages Sysmon EventCode 8 to + identify remote thread creation in specific target processes. This activity is significant + as it often signifies an attempt by malware to inject malicious code into legitimate + processes, potentially leading to unauthorized code execution. If confirmed malicious, + this could allow attackers to execute arbitrary code, escalate privileges, or maintain + persistence on the compromised host. data_source: - Sysmon EventID 8 search: '`sysmon` EventCode=8 TargetImage IN ("*\\Taskmgr.exe", "*\\calc.exe", "*\\notepad.exe", "*\\rdpclip.exe", "*\\explorer.exe", "*\\wermgr.exe", "*\\ping.exe", "*\\OneDriveSetup.exe", - "*\\dxdiag.exe", "*\\mobsync.exe", "*\\msra.exe", "*\\xwizard.exe","*\\cmd.exe", "*\\powershell.exe") | stats count - min(_time) as firstTime max(_time) as lastTime by TargetImage TargetProcessId SourceProcessId EventCode - StartAddress SourceImage dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + "*\\dxdiag.exe", "*\\mobsync.exe", "*\\msra.exe", "*\\xwizard.exe","*\\cmd.exe", + "*\\powershell.exe") | stats count min(_time) as firstTime max(_time) as lastTime + by TargetImage TargetProcessId SourceProcessId EventCode StartAddress SourceImage + dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_injection_remote_thread_filter`' how_to_implement: To successfully implement this search, you must be ingesting data that records process activity from your hosts like remote thread EventCode=8 of @@ -72,7 +74,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot_wermgr2/sysmon_wermgr2.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot_wermgr2/sysmon_wermgr2.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_process_injection_wermgr_child_process.yml b/detections/endpoint/windows_process_injection_wermgr_child_process.yml index 6ac021e53a..16b9b8a305 100644 --- a/detections/endpoint/windows_process_injection_wermgr_child_process.yml +++ b/detections/endpoint/windows_process_injection_wermgr_child_process.yml @@ -1,17 +1,18 @@ name: Windows Process Injection Wermgr Child Process id: 360ae6b0-38b5-4328-9e2b-bc9436cddb17 -version: 1 -date: '2022-10-27' +version: 2 +date: '2024-05-28' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic identifies a suspicious wermgr.exe parent process - having a child process not related to error, fault or windows werfault event. This - technique was seen in Qakbot malware where it inject its malicious code in wermgr - to evade detections and hide from the analyst to execute its recon and its malicious - behavior. This Anomaly detection can be a good pivot to start investigating a possible - qakbot infection in the network. The Wermgr.exe process is not known to have other - child processes aside from itself or werfault.exe +description: The following analytic identifies a suspicious instance of wermgr.exe + spawning a child process unrelated to error or fault handling. This detection leverages + data from Endpoint Detection and Response (EDR) agents, focusing on process relationships + and command-line executions. This activity is significant as it can indicate Qakbot + malware, which injects malicious code into wermgr.exe to evade detection and execute + malicious actions. If confirmed malicious, this behavior could allow an attacker + to conduct reconnaissance, execute arbitrary code, and persist within the network, + posing a severe security risk. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -70,7 +71,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot_wermgr/sysmon_wermgr.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot_wermgr/sysmon_wermgr.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_process_injection_with_public_source_path.yml b/detections/endpoint/windows_process_injection_with_public_source_path.yml index bc57883040..9353d63f25 100644 --- a/detections/endpoint/windows_process_injection_with_public_source_path.yml +++ b/detections/endpoint/windows_process_injection_with_public_source_path.yml @@ -1,14 +1,18 @@ name: Windows Process Injection With Public Source Path id: 492f09cf-5d60-4d87-99dd-0bc325532dda -version: 1 -date: '2022-08-24' +version: 2 +date: '2024-05-10' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic identifies a process in a non-standard file path - on Windows attempting to create a remote thread into a process. This Windows API,CreateRemoteThread, - is commonly used by adversaries for process injection to evade detections or gain - privilege escalation. +description: The following analytic detects a process from a non-standard file path + on Windows attempting to create a remote thread in another process. This is identified + using Sysmon EventCode 8, focusing on processes not originating from typical system + directories. This behavior is significant as it often indicates process injection, + a technique used by adversaries to evade detection or escalate privileges. If confirmed + malicious, this activity could allow an attacker to execute arbitrary code within + another process, potentially leading to unauthorized actions and further compromise + of the system. data_source: - Sysmon EventID 8 search: '`sysmon` EventCode=8 TargetImage = "*.exe" AND NOT(SourceImage IN("C:\\Windows\\*", @@ -70,7 +74,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/create_remote_thread/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/create_remote_thread/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_process_with_namedpipe_commandline.yml b/detections/endpoint/windows_process_with_namedpipe_commandline.yml index ebaaeafe35..ff2054e86f 100644 --- a/detections/endpoint/windows_process_with_namedpipe_commandline.yml +++ b/detections/endpoint/windows_process_with_namedpipe_commandline.yml @@ -1,18 +1,18 @@ name: Windows Process With NamedPipe CommandLine id: e64399d4-94a8-11ec-a9da-acde48001122 -version: 1 -date: '2022-02-23' +version: 2 +date: '2024-05-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This analytic is to look for process commandline that contains named - pipe. This technique was seen in some adversaries, threat actor and malware like - olympic destroyer to communicate to its other child processes after process injection - that serve as defense evasion and privilege escalation. On the other hand this analytic - may catch some normal process that using this technique for example browser application. - In that scenario we include common process path we've seen during testing that cause - false positive which is the program files. False positive may still be arise if - the normal application is in other folder path. +description: The following analytic detects processes with command lines containing + named pipes. It leverages data from Endpoint Detection and Response (EDR) agents, + focusing on process command-line executions. This behavior is significant as it + is often used by adversaries, such as those behind the Olympic Destroyer malware, + for inter-process communication post-injection, aiding in defense evasion and privilege + escalation. If confirmed malicious, this activity could allow attackers to maintain + persistence, escalate privileges, or evade defenses, potentially leading to further + compromise of the system. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -72,6 +72,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/olympic_destroyer/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/olympic_destroyer/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_process_writing_file_to_world_writable_path.yml b/detections/endpoint/windows_process_writing_file_to_world_writable_path.yml index 1f0033d53f..5b80780b15 100644 --- a/detections/endpoint/windows_process_writing_file_to_world_writable_path.yml +++ b/detections/endpoint/windows_process_writing_file_to_world_writable_path.yml @@ -1,25 +1,46 @@ name: Windows Process Writing File to World Writable Path id: c051b68c-60f7-4022-b3ad-773bec7a225b -version: 1 -date: '2024-04-17' +version: 2 +date: '2024-05-23' author: Michael Haag, Splunk data_source: [] type: Hunting status: production -description: The following analytic identifies a process writing a file, specifically a .txt, to a world writable path. This technique is used by adversaries to deliver payloads to a system. It is not common for living off the land binaries to write to these paths. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name=*.txt Filesystem.file_path IN ("*\\Windows\\Tasks\\*", "*\\Windows\\Temp\\*", "*\\Windows\\tracing\\*", "*\\Windows\\PLA\\Reports\\*", "*\\Windows\\PLA\\Rules\\*", "*\\Windows\\PLA\\Templates\\*", "*\\Windows\\PLA\\Reports\\en-US\\*", "*\\Windows\\PLA\\Rules\\en-US\\*", "*\\Windows\\Registration\\CRMLog\\*", "*\\Windows\\System32\\Tasks\\*", "*\\Windows\\System32\\Com\\dmp\\*", "*\\Windows\\System32\\LogFiles\\WMI\\*", "*\\Windows\\System32\\Microsoft\\Crypto\\RSA\\MachineKeys\\*", "*\\Windows\\System32\\spool\\PRINTERS\\*", "*\\Windows\\System32\\spool\\SERVERS\\*", "*\\Windows\\System32\\spool\\drivers\\color\\*", "*\\Windows\\System32\\Tasks\\Microsoft\\Windows\\RemoteApp and Desktop Connections Update\\*", "*\\Windows\\SysWOW64\\Tasks\\*", "*\\Windows\\SysWOW64\\Com\\dmp\\*", "*\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\PLA\\*", "*\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\RemoteApp and Desktop Connections Update\\*", "*\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\PLA\\System\\*") by Filesystem.dest, Filesystem.user, Filesystem.file_name Filesystem.file_path - | `drop_dm_object_name("Filesystem")` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `windows_process_writing_file_to_world_writable_path_filter`' +description: The following analytic identifies a process writing a .txt file to a + world writable path. This detection leverages data from Endpoint Detection and Response + (EDR) agents, focusing on file creation events within specific directories. This + activity is significant as adversaries often use such techniques to deliver payloads + to a system, which is uncommon for legitimate processes. If confirmed malicious, + this behavior could allow attackers to execute arbitrary code, escalate privileges, + or maintain persistence within the environment, posing a significant security risk. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name=*.txt + Filesystem.file_path IN ("*\\Windows\\Tasks\\*", "*\\Windows\\Temp\\*", "*\\Windows\\tracing\\*", + "*\\Windows\\PLA\\Reports\\*", "*\\Windows\\PLA\\Rules\\*", "*\\Windows\\PLA\\Templates\\*", + "*\\Windows\\PLA\\Reports\\en-US\\*", "*\\Windows\\PLA\\Rules\\en-US\\*", "*\\Windows\\Registration\\CRMLog\\*", + "*\\Windows\\System32\\Tasks\\*", "*\\Windows\\System32\\Com\\dmp\\*", "*\\Windows\\System32\\LogFiles\\WMI\\*", + "*\\Windows\\System32\\Microsoft\\Crypto\\RSA\\MachineKeys\\*", "*\\Windows\\System32\\spool\\PRINTERS\\*", + "*\\Windows\\System32\\spool\\SERVERS\\*", "*\\Windows\\System32\\spool\\drivers\\color\\*", + "*\\Windows\\System32\\Tasks\\Microsoft\\Windows\\RemoteApp and Desktop Connections + Update\\*", "*\\Windows\\SysWOW64\\Tasks\\*", "*\\Windows\\SysWOW64\\Com\\dmp\\*", + "*\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\PLA\\*", "*\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\RemoteApp + and Desktop Connections Update\\*", "*\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\PLA\\System\\*") + by Filesystem.dest, Filesystem.user, Filesystem.file_name Filesystem.file_path | + `drop_dm_object_name("Filesystem")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_process_writing_file_to_world_writable_path_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the file creation event, process name, file path and, file name. - These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Filesystem` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: False positives may occur if legitimate software writes to these paths. Modify the search to include additional file name extensions. To enhance it further, adding a join on Processes.process_name may assist with restricting the analytic to specific process names. Investigate the process and file to determine if it is malicious. + you must ingest logs that contain the file creation event, process name, file path + and, file name. These logs must be processed using the appropriate Splunk Technology + Add-ons that are specific to the EDR product. The logs must also be mapped to the + `Filesystem` node of the `Endpoint` data model. Use the Splunk Common Information + Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: False positives may occur if legitimate software writes to + these paths. Modify the search to include additional file name extensions. To enhance + it further, adding a join on Processes.process_name may assist with restricting + the analytic to specific process names. Investigate the process and file to determine + if it is malicious. references: - https://research.splunk.com/endpoint/efbcf8ee-bc75-47f1-8985-a5c638c4faf0/ tags: @@ -28,7 +49,8 @@ tags: asset_type: Endpoint confidence: 50 impact: 50 - message: A process wrote a file name- [$file_name$] to a world writable file path [$file_path$] on host- [$dest$]. + message: A process wrote a file name- [$file_name$] to a world writable file path + [$file_path$] on host- [$dest$]. mitre_attack_id: - T1218.005 observable: @@ -56,6 +78,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/mshta_tasks_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/mshta_tasks_windows-sysmon.log sourcetype: xmlwineventlog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_processes_killed_by_industroyer2_malware.yml b/detections/endpoint/windows_processes_killed_by_industroyer2_malware.yml index 89e82ebcf6..e0a30efa52 100644 --- a/detections/endpoint/windows_processes_killed_by_industroyer2_malware.yml +++ b/detections/endpoint/windows_processes_killed_by_industroyer2_malware.yml @@ -1,15 +1,18 @@ name: Windows Processes Killed By Industroyer2 Malware id: d8bea5ca-9d4a-4249-8b56-64a619109835 -version: 1 -date: '2023-04-14' +version: 2 +date: '2024-05-16' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic is to look for known processes killed by industroyer2 - malware. This technique was seen in the industroyer2 malware attack that tries to - kill several processes of windows host machines related to the energy facility network. - This anomaly might be a good indicator to check which process kill these processes - or why the process was killed. +description: The following analytic detects the termination of specific processes + by the Industroyer2 malware. It leverages Sysmon EventCode 5 to identify when processes + like "PServiceControl.exe" and "PService_PPD.exe" are killed. This activity is significant + as it targets processes related to energy facility networks, indicating a potential + attack on critical infrastructure. If confirmed malicious, this could lead to disruption + of essential services, loss of control over energy systems, and significant operational + impact. Immediate investigation is required to determine the cause and mitigate + any potential threats. data_source: - Sysmon EventID 5 search: '`sysmon` EventCode=5 process_name IN ("PServiceControl.exe", "PService_PPD.exe") @@ -62,6 +65,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/industroyer2/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/industroyer2/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_protocol_tunneling_with_plink.yml b/detections/endpoint/windows_protocol_tunneling_with_plink.yml index 1807530c44..9acb8d813b 100644 --- a/detections/endpoint/windows_protocol_tunneling_with_plink.yml +++ b/detections/endpoint/windows_protocol_tunneling_with_plink.yml @@ -1,15 +1,18 @@ name: Windows Protocol Tunneling with Plink id: 8aac5e1e-0fab-4437-af0b-c6e60af23eed -version: 1 -date: '2022-09-15' +version: 2 +date: '2024-05-24' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies the use of Plink being utilized to - proxy egress or laterally in an organization. The analytic is limited to specific - Plink options on the command-line, including -R -L and -D which will have the remote - and local IP address or port and -l for a username. Modify the options as seen fit - for your organization. +description: The following analytic detects the use of Plink for protocol tunneling, + either for egress or lateral movement within an organization. It identifies specific + Plink command-line options (-R, -L, -D, -l) by analyzing process execution logs + from Endpoint Detection and Response (EDR) agents. This activity is significant + as it may indicate an attempt to bypass network security controls or establish unauthorized + connections. If confirmed malicious, this could allow an attacker to exfiltrate + data, move laterally across the network, or maintain persistent access, posing a + severe threat to the organization's security. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -85,7 +88,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1572/plink/plink-windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1572/plink/plink-windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_proxy_via_netsh.yml b/detections/endpoint/windows_proxy_via_netsh.yml index 7af5aa8699..b98c7ba434 100644 --- a/detections/endpoint/windows_proxy_via_netsh.yml +++ b/detections/endpoint/windows_proxy_via_netsh.yml @@ -1,18 +1,21 @@ name: Windows Proxy Via Netsh id: c137bfe8-6036-4cff-b77b-4e327dd0a1cf -version: 1 -date: '2023-05-25' +version: 2 +date: '2024-05-14' author: Teoderick Contreras, Splunk status: production type: Anomaly data_source: - Sysmon EventID 1 -description: This search looks for processes launching netsh.exe for connection proxy. - Netsh is a command-line scripting utility that allows you to, either locally or - remotely, display or modify the network configuration of a computer that is currently - running. Netsh can be used as a persistence proxy technique to execute a helper - DLL when netsh.exe is executed. In this search, we are looking for processes spawned - by netsh.exe and executing commands via the command line. +description: The following analytic identifies the use of netsh.exe to configure a + connection proxy, which can be leveraged for persistence by executing a helper DLL. + It detects this activity by analyzing process creation events from Endpoint Detection + and Response (EDR) agents, focusing on command-line executions involving "portproxy" + and "v4tov4" parameters. This activity is significant because it indicates potential + unauthorized network configuration changes, which could be used to maintain persistence + or redirect network traffic. If confirmed malicious, this could allow an attacker + to maintain covert access or manipulate network communications, posing a significant + security risk. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh` Processes.process = "* portproxy *" Processes.process = "* v4tov4 *" by Processes.parent_process_name @@ -72,6 +75,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1090.001/netsh_portproxy/volt_sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1090.001/netsh_portproxy/volt_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_proxy_via_registry.yml b/detections/endpoint/windows_proxy_via_registry.yml index b5a8023d8f..1632eb4c23 100644 --- a/detections/endpoint/windows_proxy_via_registry.yml +++ b/detections/endpoint/windows_proxy_via_registry.yml @@ -1,25 +1,26 @@ name: Windows Proxy Via Registry id: 0270455b-1385-4579-9ac5-e77046c508ae -version: 1 -date: '2023-05-25' +version: 2 +date: '2024-05-27' author: Teoderick Contreras, Splunk status: production type: Anomaly data_source: - Sysmon EventID 12 - Sysmon EventID 13 -description: This search looks for processes launching netsh.exe for connection proxy. Netsh is a command-line - scripting utility that allows you to, either locally or remotely, display or modify - the network configuration of a computer that is currently running. Netsh can be - used as a persistence proxy technique to execute a helper DLL when netsh.exe is - executed. In this search, we are looking for processes spawned by netsh.exe and - executing commands via the command line. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - where Registry.registry_path ="*\\System\\CurrentControlSet\\Services\\PortProxy\\v4tov4\\tcp*" - by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.action Registry.dest Registry.user - | `security_content_ctime(lastTime)` - | `security_content_ctime(firstTime)` - | `drop_dm_object_name(Registry)` +description: The following analytic detects the modification of registry keys related + to the Windows Proxy settings via netsh.exe. It leverages data from the Endpoint.Registry + data model, focusing on changes to the registry path "*\\System\\CurrentControlSet\\Services\\PortProxy\\v4tov4\\tcp*". + This activity is significant because netsh.exe can be used to establish a persistent + proxy, potentially allowing an attacker to execute a helper DLL whenever netsh.exe + runs. If confirmed malicious, this could enable the attacker to maintain persistence, + manipulate network configurations, and potentially exfiltrate data or further compromise + the system. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime + max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path + ="*\\System\\CurrentControlSet\\Services\\PortProxy\\v4tov4\\tcp*" by Registry.registry_path + Registry.registry_key_name Registry.registry_value_name Registry.action Registry.dest Registry.user + | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `windows_proxy_via_registry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your @@ -63,6 +64,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1090.001/netsh_portproxy/volt_sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1090.001/netsh_portproxy/volt_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_query_registry_browser_list_application.yml b/detections/endpoint/windows_query_registry_browser_list_application.yml index 730049090c..0d91467a1e 100644 --- a/detections/endpoint/windows_query_registry_browser_list_application.yml +++ b/detections/endpoint/windows_query_registry_browser_list_application.yml @@ -1,27 +1,31 @@ name: Windows Query Registry Browser List Application id: 45ebd21c-f4bf-4ced-bd49-d25b6526cebb -version: 1 -date: '2023-04-25' +version: 2 +date: '2024-05-28' author: Teoderick Contreras, Splunk status: production type: Anomaly data_source: - Windows Event Log Security 4663 -description: The following analytic identifies a suspicious process accessing default internet browsers registry entry. - This registry is used by Windows to store information about default internet browsers installed on a system. - Malware, adversaries or red-teamers can abuse this registry key to collect data about the installed internet browsers and their associated settings. - This information can be used to steal sensitive data such as login credentials, browsing history, and saved passwords. - We observed noise that needs to be filter out so we add several known path of Windows Application to make this detection more stable. -search: '`wineventlog_security` EventCode=4663 object_file_path IN ("*\\SOFTWARE\\Clients\\StartMenuInternet\\*", "*\\SOFTWARE\\Clients\\StartMenuInternet\\*") - AND NOT (process_path IN ("*:\\Windows\\System32\\*", "*:\\Windows\\SysWow64\\*", "*:\\Program Files*", "*:\\Windows\\*")) - | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_query_registry_browser_list_application_filter`' +description: The following analytic detects a suspicious process accessing the registry + entries for default internet browsers. It leverages Windows Security Event logs, + specifically event code 4663, to identify access attempts to these registry paths. + This activity is significant because adversaries can exploit this registry key to + gather information about installed browsers and their settings, potentially leading + to the theft of sensitive data such as login credentials and browsing history. If + confirmed malicious, this behavior could enable attackers to exfiltrate sensitive + information and compromise user accounts. +search: '`wineventlog_security` EventCode=4663 object_file_path IN ("*\\SOFTWARE\\Clients\\StartMenuInternet\\*", + "*\\SOFTWARE\\Clients\\StartMenuInternet\\*") AND NOT (process_path IN ("*:\\Windows\\System32\\*", + "*:\\Windows\\SysWow64\\*", "*:\\Program Files*", "*:\\Windows\\*")) | stats count + min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path + process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_query_registry_browser_list_application_filter`' how_to_implement: To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." -known_false_positives: uninstall application may access this registry to remove the entry of the target application. filter is needed. +known_false_positives: uninstall application may access this registry to remove the + entry of the target application. filter is needed. references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer tags: @@ -30,7 +34,7 @@ tags: asset_type: Endpoint confidence: 50 impact: 50 - message: A suspicious process accessing installed default browser registry on $dest$ + message: A suspicious process accessing installed default browser registry on $dest$ mitre_attack_id: - T1012 observable: @@ -56,6 +60,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/browser_list/ar3_4663_redline_reg.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/browser_list/ar3_4663_redline_reg.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_query_registry_reg_save.yml b/detections/endpoint/windows_query_registry_reg_save.yml index daa3ebe21b..8e299c1a7b 100644 --- a/detections/endpoint/windows_query_registry_reg_save.yml +++ b/detections/endpoint/windows_query_registry_reg_save.yml @@ -1,17 +1,17 @@ name: Windows Query Registry Reg Save id: cbee60c1-b776-456f-83c2-faa56bdbe6c6 -version: 1 -date: '2023-12-27' +version: 2 +date: '2024-05-26' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic identifies a process execution of reg.exe with - "save" parameter. This reg.exe parameter is commonly being abused by threat actors, - adversaries and red-teamers to dump credentials or to check the registry modification - capabilities of certain users or administrators in targeted hosts. This approach - was seen in post-exploitation tool like winpeas where it uses "reg save" and "reg - restore" to check registry modification restriction in targeted host after gaining - access to it. +description: The following analytic detects the execution of the reg.exe process with + the "save" parameter. This detection leverages data from Endpoint Detection and + Response (EDR) agents, focusing on process execution logs and command-line arguments. + This activity is significant because threat actors often use the "reg save" command + to dump credentials or test registry modification capabilities on compromised hosts. + If confirmed malicious, this behavior could allow attackers to escalate privileges, + persist in the environment, or access sensitive information stored in the registry. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -79,7 +79,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_query_registry_uninstall_program_list.yml b/detections/endpoint/windows_query_registry_uninstall_program_list.yml index b4a3f63fdb..b6d63d8d56 100644 --- a/detections/endpoint/windows_query_registry_uninstall_program_list.yml +++ b/detections/endpoint/windows_query_registry_uninstall_program_list.yml @@ -1,25 +1,28 @@ name: Windows Query Registry UnInstall Program List id: 535fd4fc-7151-4062-9d7e-e896bea77bf6 -version: 1 -date: '2023-04-25' +version: 2 +date: '2024-05-31' author: Teoderick Contreras, Splunk status: production type: Anomaly data_source: - Windows Event Log Security 4663 -description: The following analytic identifies a suspicious query on uninstall application list in Windows OS registry. - This registry is commonly used by legitimate software to store information about installed applications on a Windows system, such as their name, version, publisher, and installation path. - However, malware, adversaries or even red-teamers can abuse this registry key to retrieve information stored in the "Uninstall" key to gather data about installed applications in the target host. - This Anomaly detection can be a good pivot to detect a possible suspicious process accessing this registry which is not commonly accessed by a normal user. -search: '`wineventlog_security` EventCode=4663 object_file_path="\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\*" - | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_query_registry_uninstall_program_list_filter`' +description: The following analytic detects a suspicious query on the uninstall application + list in the Windows OS registry. It leverages Windows Security Event logs, specifically + event code 4663, to identify access to the "Uninstall" registry key. This activity + is significant because adversaries or malware can exploit this key to gather information + about installed applications, aiding in further attacks. If confirmed malicious, + this behavior could allow attackers to map out installed software, potentially identifying + vulnerabilities or software to exploit, leading to further system compromise. +search: '`wineventlog_security` EventCode=4663 object_file_path="\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\*" + | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name + object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_query_registry_uninstall_program_list_filter`' how_to_implement: To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." -known_false_positives: Uninstall application may access this registry to remove the entry of the target application. Filter is needed. +known_false_positives: Uninstall application may access this registry to remove the + entry of the target application. Filter is needed. references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer tags: @@ -28,7 +31,7 @@ tags: asset_type: Endpoint confidence: 50 impact: 50 - message: A suspicious process $process_name$ accessing uninstall registry on $dest$ + message: A suspicious process $process_name$ accessing uninstall registry on $dest$ mitre_attack_id: - T1012 observable: @@ -54,6 +57,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/recon_registry/recon-reg-redline-security-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/recon_registry/recon-reg-redline-security-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_raccine_scheduled_task_deletion.yml b/detections/endpoint/windows_raccine_scheduled_task_deletion.yml index 250667861a..fda8529ff6 100644 --- a/detections/endpoint/windows_raccine_scheduled_task_deletion.yml +++ b/detections/endpoint/windows_raccine_scheduled_task_deletion.yml @@ -1,15 +1,17 @@ name: Windows Raccine Scheduled Task Deletion id: c9f010da-57ab-11ec-82bd-acde48001122 -version: 1 -date: '2021-12-07' +version: 2 +date: '2024-05-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies the Raccine Rules Updater scheduled - task being deleted. Adversaries may attempt to remove this task in order to prevent - the update of Raccine. Raccine is a "ransomware vaccine" created by security researcher - Florian Roth, designed to intercept and prevent precursors and active ransomware - behavior. +description: The following analytic identifies the deletion of the Raccine Rules Updater + scheduled task using the `schtasks.exe` command. This detection leverages data from + Endpoint Detection and Response (EDR) agents, focusing on process names and command-line + executions. This activity is significant because adversaries may delete this task + to disable Raccine, a tool designed to prevent ransomware attacks. If confirmed + malicious, this action could allow ransomware to execute without interference, leading + to potential data encryption and loss. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -80,6 +82,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/atomic_red_team/windows-sysmon_raccine.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/atomic_red_team/windows-sysmon_raccine.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_rapid_authentication_on_multiple_hosts.yml b/detections/endpoint/windows_rapid_authentication_on_multiple_hosts.yml index 0737a0cc85..745a615e16 100644 --- a/detections/endpoint/windows_rapid_authentication_on_multiple_hosts.yml +++ b/detections/endpoint/windows_rapid_authentication_on_multiple_hosts.yml @@ -1,26 +1,29 @@ name: Windows Rapid Authentication On Multiple Hosts id: 62606c77-d53d-4182-9371-b02cdbbbcef7 -version: 1 -date: '2023-03-23' +version: 2 +date: '2024-05-16' author: Mauricio Velazco, Splunk type: TTP status: production data_source: - Windows Event Log Security 4624 -description: The following analytic leverages Event ID 4624 to identify a source computer authenticating to a large number of remote endpoints within an Active Directory network. - Specifically, the logic will trigger when a source endpoint authenticates to 30 or more target computers within a 5 minute timespan. This behavior could represent an adversary who is - moving laterally across the environment or enumerating network shares in the search for sensitive files. - As environments differ across organizations, security teams should customize the thresholds of this detection as needed. -search: ' `wineventlog_security` EventCode=4624 LogonType=3 TargetUserName!="ANONYMOUS LOGON" TargetUserName!="*$" - | bucket span=5m _time - | stats dc(Computer) AS unique_targets values(Computer) as host_targets by _time, IpAddress, TargetUserName - | where unique_targets > 30 - | `windows_rapid_authentication_on_multiple_hosts_filter`' +description: The following analytic detects a source computer authenticating to 30 + or more remote endpoints within a 5-minute timespan using Event ID 4624. This behavior + is identified by analyzing Windows Event Logs for LogonType 3 events and counting + unique target computers. Such activity is significant as it may indicate lateral + movement or network share enumeration by an adversary. If confirmed malicious, this + could lead to unauthorized access to multiple systems, potentially compromising + sensitive data and escalating privileges within the network. +search: ' `wineventlog_security` EventCode=4624 LogonType=3 TargetUserName!="ANONYMOUS + LOGON" TargetUserName!="*$" | bucket span=5m _time | stats dc(Computer) AS unique_targets + values(Computer) as host_targets by _time, IpAddress, TargetUserName | where unique_targets + > 30 | `windows_rapid_authentication_on_multiple_hosts_filter`' how_to_implement: To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled. -known_false_positives: Vulnerability scanners or system administration tools may also trigger this detection. Filter as needed. +known_false_positives: Vulnerability scanners or system administration tools may also + trigger this detection. Filter as needed. references: - https://attack.mitre.org/techniques/T1135/ - https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/ @@ -32,7 +35,8 @@ tags: asset_type: Endpoint confidence: 80 impact: 60 - message: The source computer with ip address $IpAddress$ authenticated to a large number of remote endpoints within 5 minutes. + message: The source computer with ip address $IpAddress$ authenticated to a large + number of remote endpoints within 5 minutes. mitre_attack_id: - T1003.002 observable: @@ -60,6 +64,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/rapid_authentication_multiple_hosts/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/rapid_authentication_multiple_hosts/windows-security.log source: XmlWinEventLog:Security - sourcetype: XmlWinEventLog \ No newline at end of file + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_rasautou_dll_execution.yml b/detections/endpoint/windows_rasautou_dll_execution.yml index 38736f2cec..ab0e7049ac 100644 --- a/detections/endpoint/windows_rasautou_dll_execution.yml +++ b/detections/endpoint/windows_rasautou_dll_execution.yml @@ -1,14 +1,18 @@ name: Windows Rasautou DLL Execution id: 6f42b8be-8e96-11ec-ad5a-acde48001122 -version: 1 -date: '2022-02-15' +version: 2 +date: '2024-05-28' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies the Windows Windows Remote Auto Dialer, - rasautou.exe executing an arbitrary DLL. This technique is used to execute arbitrary - shellcode or DLLs via the rasautou.exe LOLBin capability. During triage, review - parent and child process behavior including file and image loads. +description: The following analytic detects the execution of an arbitrary DLL by the + Windows Remote Auto Dialer (rasautou.exe). This behavior is identified by analyzing + process creation events where rasautou.exe is executed with specific command-line + arguments. This activity is significant because it leverages a Living Off The Land + Binary (LOLBin) to execute potentially malicious code, bypassing traditional security + controls. If confirmed malicious, this technique could allow an attacker to execute + arbitrary code, potentially leading to system compromise, privilege escalation, + or persistent access within the environment. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -80,6 +84,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055.001/rasautou/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055.001/rasautou/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_raw_access_to_disk_volume_partition.yml b/detections/endpoint/windows_raw_access_to_disk_volume_partition.yml index 5a801f2b58..7f86e6ccc8 100644 --- a/detections/endpoint/windows_raw_access_to_disk_volume_partition.yml +++ b/detections/endpoint/windows_raw_access_to_disk_volume_partition.yml @@ -1,20 +1,24 @@ name: Windows Raw Access To Disk Volume Partition id: a85aa37e-9647-11ec-90c5-acde48001122 -version: 1 -date: '2023-06-13' +version: 2 +date: '2024-05-28' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This analytic is to look for suspicious raw access read to device disk - partition of the host machine. This technique was seen in several attacks by adversaries - or threat actor to wipe, encrypt or overwrite the boot sector of each partition - as part of their impact payload for example the "hermeticwiper" malware. This detection - is a good indicator that there is a process try to read or write on boot sector. +description: The following analytic detects suspicious raw access reads to the device + disk partition of a host machine. It leverages Sysmon EventCode 9 logs to identify + processes attempting to read or write to the boot sector, excluding legitimate system + processes. This activity is significant as it is commonly associated with destructive + actions by adversaries, such as wiping, encrypting, or overwriting the boot sector, + as seen in attacks involving malware like HermeticWiper. If confirmed malicious, + this behavior could lead to severe impacts, including system inoperability, data + loss, or compromised boot integrity. data_source: - Sysmon EventID 9 search: '`sysmon` EventCode=9 Device = \\Device\\HarddiskVolume* NOT (Image IN("*\\Windows\\System32\\*", "*\\Windows\\SysWOW64\\*")) | stats count min(_time) as firstTime max(_time) as - lastTime by dest signature signature_id process_guid process_name process_path Device | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_raw_access_to_disk_volume_partition_filter`' + lastTime by dest signature signature_id process_guid process_name process_path Device + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_raw_access_to_disk_volume_partition_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the raw access read event (like sysmon eventcode 9), process name and process guid from your endpoints. If you are using Sysmon, you must have at least @@ -51,12 +55,12 @@ tags: - Splunk Cloud required_fields: - _time - - dest + - dest - signature - signature_id - process_guid - process_name - - process_path + - process_path - Device - EventCode - Image @@ -65,6 +69,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/hermetic_wiper/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/hermetic_wiper/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_raw_access_to_master_boot_record_drive.yml b/detections/endpoint/windows_raw_access_to_master_boot_record_drive.yml index a3362e926e..11751c9edc 100644 --- a/detections/endpoint/windows_raw_access_to_master_boot_record_drive.yml +++ b/detections/endpoint/windows_raw_access_to_master_boot_record_drive.yml @@ -1,22 +1,24 @@ name: Windows Raw Access To Master Boot Record Drive id: 7b83f666-900c-11ec-a2d9-acde48001122 -version: 1 -date: '2023-06-13' +version: 2 +date: '2024-05-11' author: Teoderick Contreras, Splunk status: production type: TTP -description: This analytic is to look for suspicious raw access read to drive where - the master boot record is placed. This technique was seen in several attacks by - adversaries or threat actor to wipe, encrypt or overwrite the master boot record - code as part of their impact payload. This detection is a good indicator that there - is a process try to read or write on MBR sector. +description: The following analytic detects suspicious raw access reads to the drive + containing the Master Boot Record (MBR). It leverages Sysmon EventCode 9 to identify + processes attempting to read or write to the MBR sector, excluding legitimate system + processes. This activity is significant because adversaries often target the MBR + to wipe, encrypt, or overwrite it as part of their impact payload. If confirmed + malicious, this could lead to system instability, data loss, or a complete system + compromise, severely impacting the organization's operations. data_source: - Sysmon EventID 9 search: '`sysmon` EventCode=9 Device = \\Device\\Harddisk0\\DR0 NOT (Image IN("*\\Windows\\System32\\*", "*\\Windows\\SysWOW64\\*")) | stats count min(_time) as firstTime max(_time) as lastTime by Computer Image Device ProcessGuid ProcessId EventDescription EventCode - | rename Computer as dest - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_raw_access_to_master_boot_record_drive_filter`' + | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_raw_access_to_master_boot_record_drive_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the raw access read event (like sysmon eventcode 9), process name and process guid from your endpoints. If you are using Sysmon, you must have at least @@ -68,6 +70,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1561.002/mbr_raw_access/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1561.002/mbr_raw_access/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_rdp_connection_successful.yml b/detections/endpoint/windows_rdp_connection_successful.yml index 8202261148..8733534473 100644 --- a/detections/endpoint/windows_rdp_connection_successful.yml +++ b/detections/endpoint/windows_rdp_connection_successful.yml @@ -1,23 +1,30 @@ name: Windows RDP Connection Successful id: ceaed840-56b3-4a70-b8e1-d762b1c5c08c -version: 2 -date: '2024-04-26' +version: 3 +date: '2024-05-20' author: Michael Haag, Splunk status: production type: Hunting data_source: - Windows Event Log RemoteConnectionManager 1149 -description: The following analytic identifies successful remote desktop connections. Utilize this analytic to hunt for successful attempts. In addition, the query may be modified for EventCode=1148 to potentially identify failed attempts. In testing, 1148 would not generate based on a failed logon attempt. - Note this analytic requires enabling and a stanza in a inputs.conf. -search: '`remoteconnectionmanager` EventCode=1149 - | stats count min(_time) as firstTime max(_time) as lastTime by Computer, user_id - | `security_content_ctime(firstTime)` +description: The following analytic detects successful Remote Desktop Protocol (RDP) + connections by monitoring EventCode 1149 from the Windows TerminalServices RemoteConnectionManager + Operational log. This detection is significant as successful RDP connections can + indicate remote access to a system, which may be leveraged by attackers to control + or exfiltrate data. If confirmed malicious, this activity could lead to unauthorized + access, data theft, or further lateral movement within the network. Monitoring successful + RDP connections is crucial for identifying potential security breaches and mitigating + risks promptly. +search: '`remoteconnectionmanager` EventCode=1149 | stats count min(_time) as firstTime + max(_time) as lastTime by Computer, user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename Computer as dest | `windows_rdp_connection_successful_filter`' -how_to_implement: The following analyic requires the WIndows TerminalServices RemoteConnectionManager Operational log to be enabled and ingested into Splunk. For the inputs, review https://gist.github.com/MHaggis/138c6bf563bacbda4a2524f089773706. -known_false_positives: False positives will be present, filter as needed or restrict to critical assets on the perimeter. +how_to_implement: The following analyic requires the WIndows TerminalServices RemoteConnectionManager + Operational log to be enabled and ingested into Splunk. For the inputs, review https://gist.github.com/MHaggis/138c6bf563bacbda4a2524f089773706. +known_false_positives: False positives will be present, filter as needed or restrict + to critical assets on the perimeter. references: - - https://gist.github.com/MHaggis/138c6bf563bacbda4a2524f089773706 - - https://doublepulsar.com/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6 +- https://gist.github.com/MHaggis/138c6bf563bacbda4a2524f089773706 +- https://doublepulsar.com/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6 tags: analytic_story: - Active Directory Lateral Movement @@ -49,6 +56,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1563.002/windows_rdp_connection_successful/windows-xml.log - source: WinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1563.002/windows_rdp_connection_successful/windows-xml.log + source: + WinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_registry_bootexecute_modification.yml b/detections/endpoint/windows_registry_bootexecute_modification.yml index 422d8f208d..c2ba83897b 100644 --- a/detections/endpoint/windows_registry_bootexecute_modification.yml +++ b/detections/endpoint/windows_registry_bootexecute_modification.yml @@ -1,23 +1,35 @@ name: Windows Registry BootExecute Modification id: eabbac3a-45aa-4659-920f-6b8cff383fb8 -version: 1 -date: '2023-05-03' +version: 2 +date: '2024-05-29' author: Michael Haag, Splunk status: production type: TTP data_source: - Sysmon EventID 12 - Sysmon EventID 13 -description: This analytic monitors the BootExecute registry key for any modifications from its default value, which could indicate potential malicious activity. The BootExecute registry key, located at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager, manages the list of applications and services that are executed during system boot. By default, the BootExecute value is set to "autocheck autochk *". Attackers might attempt to modify this value to achieve persistence, load malicious code, or tamper with the system's boot process. +description: The following analytic detects modifications to the BootExecute registry + key, which manages applications and services executed during system boot. It leverages + data from the Endpoint.Registry data model, focusing on changes to the registry + path "HKLM\\System\\CurrentControlSet\\Control\\Session Manager\\BootExecute". This + activity is significant because unauthorized changes to this key can indicate attempts + to achieve persistence, load malicious code, or tamper with the boot process. If + confirmed malicious, this could allow an attacker to maintain persistence, execute + arbitrary code at boot, or disrupt system operations. search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry - WHERE Registry.registry_path="HKLM\\System\\CurrentControlSet\\Control\\Session Manager\\BootExecute" BY _time span=1h Registry.dest Registry.registry_path Registry.registry_key_name - Registry.registry_value_name Registry.registry_value_data Registry.process_guid, Registry.action - | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) + WHERE Registry.registry_path="HKLM\\System\\CurrentControlSet\\Control\\Session + Manager\\BootExecute" BY _time span=1h Registry.dest Registry.registry_path Registry.registry_key_name + Registry.registry_value_name Registry.registry_value_data Registry.process_guid, + Registry.action | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_registry_bootexecute_modification_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on Windows Registry that include the name of the path and key responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. +how_to_implement: To successfully implement this search you need to be ingesting information + on Windows Registry that include the name of the path and key responsible for the + changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. + In addition, confirm the latest CIM App 4.20 or higher is installed and the latest + TA for the endpoint product. known_false_positives: False positives may be present and will need to be filtered. references: - - https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/ +- https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/ tags: analytic_story: - Windows BootKits @@ -25,7 +37,8 @@ tags: atomic_guid: [] confidence: 100 impact: 100 - message: The Registry BootExecute value was modified on $dest$ and should be reviewed immediately. + message: The Registry BootExecute value was modified on $dest$ and should be reviewed + immediately. mitre_attack_id: - T1542 - T1547.001 @@ -41,17 +54,18 @@ tags: risk_score: 100 required_fields: - _time - - Registry.dest - - Registry.registry_path + - Registry.dest + - Registry.registry_path - Registry.registry_key_name - - Registry.registry_value_name - - Registry.registry_value_data + - Registry.registry_value_name + - Registry.registry_value_data - Registry.process_guid - Registry.action security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.001/atomic_red_team/bootexecute-windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.001/atomic_red_team/bootexecute-windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_registry_certificate_added.yml b/detections/endpoint/windows_registry_certificate_added.yml index a759a266f8..a74e8c78bc 100644 --- a/detections/endpoint/windows_registry_certificate_added.yml +++ b/detections/endpoint/windows_registry_certificate_added.yml @@ -1,19 +1,18 @@ name: Windows Registry Certificate Added id: 5ee98b2f-8b9e-457a-8bdc-dd41aaba9e87 -version: 2 -date: '2023-04-27' +version: 3 +date: '2024-05-29' author: Michael Haag, Splunk status: production type: Anomaly -description: The following analytic identifies installation of a root CA certificate - by monitoring the registry. The base paths may be found [here](https://gist.github.com/mattifestation/75d6117707bcf8c26845b3cbb6ad2b6b/raw/ae65ef15c706140ffc2e165615204e20f2903028/RootCAInstallationDetection.xml). - In short, there are specific certificate registry paths that will be written to - (SetValue) when a new certificate is added. The high-fidelity events to pay attention - to are SetValue events where the TargetObject property ends with "\Blob" - as this indicates the direct installation or modification of a root certificate - binary blob. The other high fidelity reference will be which process is making the - registry modifications. There are very few processes that modify these day to day, - therefore monitoring for all to start (hunting) provides a great beginning. +description: The following analytic detects the installation of a root CA certificate + by monitoring specific registry paths for SetValue events. It leverages data from + the Endpoint datamodel, focusing on registry paths containing "certificates" and + registry values named "Blob." This activity is significant because unauthorized + root CA certificates can compromise the integrity of encrypted communications and + facilitate man-in-the-middle attacks. If confirmed malicious, this could allow an + attacker to intercept, decrypt, or manipulate sensitive data, leading to severe + security breaches. data_source: - Sysmon EventID 12 - Sysmon EventID 13 @@ -21,9 +20,7 @@ search: '| tstats `security_content_summariesonly` count from datamodel=Endpoint where Registry.registry_path IN ("*\\certificates\\*") AND Registry.registry_value_name="Blob" by _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.process_guid Registry.registry_key_name Registry.registry_value_data | - `drop_dm_object_name(Registry)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` + `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_registry_certificate_added_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from @@ -67,6 +64,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1587.002/atomic_red_team/certblob_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1587.002/atomic_red_team/certblob_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_registry_delete_task_sd.yml b/detections/endpoint/windows_registry_delete_task_sd.yml index daecfd42a2..ddbac21920 100644 --- a/detections/endpoint/windows_registry_delete_task_sd.yml +++ b/detections/endpoint/windows_registry_delete_task_sd.yml @@ -1,18 +1,18 @@ name: Windows Registry Delete Task SD id: ffeb7893-ff06-446f-815b-33ca73224e92 -version: 1 -date: '2022-04-13' +version: 2 +date: '2024-05-12' author: Michael Haag, Splunk status: production type: Anomaly -description: The following analytic identifies a process attempting to delete a scheduled - task SD (Security Descriptor) from within the registry path of that task. This may - occur from a non-standard process running and may not come from reg.exe. This particular - behavior will remove the actual Task Name from the Task Scheduler GUI and from the - command-line query - schtasks.exe /query. In addition, in order to perform this - action, the user context will need to be SYSTEM. - - Identifying the deletion of a scheduled task's Security Descriptor from the registry is significant for a SOC as it may indicate malicious activity attempting to remove evidence of a scheduled task, potentially for defense evasion purposes. If a true positive is detected, it suggests an attacker with privileged access attempting to remove traces of their activities, which can have a significant impact on the security and functionality of affected systems. Immediate investigation and response are required to mitigate further risks and preserve the integrity of the environment. +description: The following analytic detects a process attempting to delete a scheduled + task's Security Descriptor (SD) from the registry path of that task. It leverages + the Endpoint.Registry data model to identify registry actions performed by the SYSTEM + user, specifically targeting deletions or modifications of the SD value. This activity + is significant as it may indicate an attempt to remove evidence of a scheduled task + for defense evasion. If confirmed malicious, it suggests an attacker with privileged + access trying to hide their tracks, potentially compromising system integrity and + security. Immediate investigation is required. data_source: - Sysmon EventID 12 - Sysmon EventID 13 @@ -72,6 +72,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/taskschedule/sd_delete_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/taskschedule/sd_delete_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_registry_modification_for_safe_mode_persistence.yml b/detections/endpoint/windows_registry_modification_for_safe_mode_persistence.yml index a1c18bcdd1..98fc743a01 100644 --- a/detections/endpoint/windows_registry_modification_for_safe_mode_persistence.yml +++ b/detections/endpoint/windows_registry_modification_for_safe_mode_persistence.yml @@ -1,16 +1,18 @@ name: Windows Registry Modification for Safe Mode Persistence id: c6149154-c9d8-11eb-9da7-acde48001122 -version: 4 -date: '2023-04-27' +version: 5 +date: '2024-05-20' author: Teoderick Contreras, Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies a modification or registry add to the - safeboot registry as an autostart mechanism. This technique is utilized by adversaries - to persist a driver or service into Safe Mode. Two keys are monitored in this analytic, Minimal - and Network. adding values to Minimal will load into Safe Mode and by adding into - Network it will provide the service or drive the ability to perform network connections - in Safe Mode. +description: The following analytic identifies modifications to the SafeBoot registry + keys, specifically within the Minimal and Network paths. This detection leverages + registry activity logs from endpoint data sources like Sysmon or EDR tools. Monitoring + these keys is crucial as adversaries can use them to persist drivers or services + in Safe Mode, with Network allowing network connections. If confirmed malicious, + this activity could enable attackers to maintain persistence even in Safe Mode, + potentially bypassing certain security measures and facilitating further malicious + actions. data_source: - Sysmon EventID 12 - Sysmon EventID 13 @@ -18,9 +20,7 @@ search: '| tstats `security_content_summariesonly` count from datamodel=Endpoint where Registry.registry_path IN ("*SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\*","*SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Network\\*") by _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.process_guid Registry.registry_key_name Registry.registry_value_data | - `drop_dm_object_name(Registry)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` + `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_registry_modification_for_safe_mode_persistence_filter`' how_to_implement: To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model @@ -68,6 +68,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data1/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data1/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_registry_payload_injection.yml b/detections/endpoint/windows_registry_payload_injection.yml index c662385fb3..fc5a636e73 100644 --- a/detections/endpoint/windows_registry_payload_injection.yml +++ b/detections/endpoint/windows_registry_payload_injection.yml @@ -1,15 +1,18 @@ name: Windows Registry Payload Injection id: c6b2d80f-179a-41a1-b95e-ce5601d7427a -version: 1 -date: '2023-06-15' +version: 2 +date: '2024-05-10' author: Steven Dick status: production type: TTP -description: The following analytic identifies when suspiciouly long data is written - to the registry. This behavior is often associated with certain fileless malware - threats or persistence techniques used by threat actors. Data stored in the registy - is considered fileless since it does not get written to disk and is traditionally - not well defended since normal users can modify thier own registry. +description: The following analytic detects suspiciously long data written to the + Windows registry, a behavior often linked to fileless malware or persistence techniques. + It leverages Endpoint Detection and Response (EDR) telemetry, focusing on registry + events with data lengths exceeding 512 characters. This activity is significant + as it can indicate an attempt to evade traditional file-based defenses, making it + crucial for SOC monitoring. If confirmed malicious, this technique could allow attackers + to maintain persistence, execute code, or manipulate system configurations without + leaving a conventional file footprint. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) @@ -91,6 +94,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/gootloader/partial_ttps/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/gootloader/partial_ttps/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_registry_sip_provider_modification.yml b/detections/endpoint/windows_registry_sip_provider_modification.yml index 32652368ee..b3936c9b6a 100644 --- a/detections/endpoint/windows_registry_sip_provider_modification.yml +++ b/detections/endpoint/windows_registry_sip_provider_modification.yml @@ -1,28 +1,43 @@ name: 'Windows Registry SIP Provider Modification' id: 3b4e18cb-497f-4073-85ad-1ada7c2107ab -version: 1 -date: '2023-10-10' +version: 2 +date: '2024-05-28' author: Michael Haag, Splunk status: production type: TTP data_source: - Sysmon EventID 12 - Sysmon EventID 13 -description: 'The following analytic detects modifications to the Windows Registry SIP Provider. It identifies this behavior by monitoring Sysmon EventID 7, which logs registry modification events. The analytic specifically looks for changes in registry paths and values associated with Cryptography Providers and OID Encoding Types. This behavior is worth identifying as it may indicate an attempt to subvert trust controls, a technique often used by adversaries to bypass security measures and maintain persistence in an environment. If a true positive is found, it suggests an attacker is trying to manipulate the system''s cryptographic functions, potentially leading to unauthorized access, data theft, or other damaging outcomes. Upon triage, review the registry paths and values modified, and look for concurrent processes to identify the attack source. Review the path of the SIP being added. This approach helps analysts detect potential threats earlier and mitigate the risks.' +description: 'The following analytic detects modifications to the Windows Registry + SIP Provider. It leverages Sysmon Event ID 7 to monitor registry changes in paths + and values related to Cryptography Providers and OID Encoding Types. This activity + is significant as it may indicate an attempt to subvert trust controls, a common + tactic for bypassing security measures and maintaining persistence. If confirmed + malicious, an attacker could manipulate the system''s cryptographic functions, potentially + leading to unauthorized access, data theft, or other damaging outcomes. Review the + modified registry paths and concurrent processes to identify the attack source.' search: '| tstats `security_content_summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) - as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path IN ("*\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\*", "*\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType*", "*\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\Providers\\*", "*\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType*") Registry.registry_value_name IN ("Dll","$DLL") by - Registry.dest , Registry.user Registry.registry_value_name, Registry.registry_value_data | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` - | `drop_dm_object_name(Registry)`| `windows_registry_sip_provider_modification_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -known_false_positives: Be aware of potential false positives - legitimate applications may cause benign activities to be flagged. + as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path + IN ("*\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\*", "*\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType*", + "*\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\Providers\\*", "*\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType*") + Registry.registry_value_name IN ("Dll","$DLL") by Registry.dest , Registry.user + Registry.registry_value_name, Registry.registry_value_data | `security_content_ctime(lastTime)` + | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)`| `windows_registry_sip_provider_modification_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, + confirm the latest CIM App 4.20 or higher is installed and the latest TA for the + endpoint product. +known_false_positives: Be aware of potential false positives - legitimate applications + may cause benign activities to be flagged. references: - - https://attack.mitre.org/techniques/T1553/003/ - - https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_sip_persistence.yml - - https://specterops.io/wp-content/uploads/sites/3/2022/06/SpecterOps_Subverting_Trust_in_Windows.pdf - - https://github.com/gtworek/PSBits/tree/master/SIP - - https://github.com/mattifestation/PoCSubjectInterfacePackage - - https://pentestlab.blog/2017/11/06/hijacking-digital-signatures/ +- https://attack.mitre.org/techniques/T1553/003/ +- https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_sip_persistence.yml +- https://specterops.io/wp-content/uploads/sites/3/2022/06/SpecterOps_Subverting_Trust_in_Windows.pdf +- https://github.com/gtworek/PSBits/tree/master/SIP +- https://github.com/mattifestation/PoCSubjectInterfacePackage +- https://pentestlab.blog/2017/11/06/hijacking-digital-signatures/ tags: analytic_story: - Subvert Trust Controls SIP and Trust Provider Hijacking @@ -52,6 +67,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.003/sip/sip_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.003/sip/sip_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_regsvr32_renamed_binary.yml b/detections/endpoint/windows_regsvr32_renamed_binary.yml index 0a89c6c59a..364564698a 100644 --- a/detections/endpoint/windows_regsvr32_renamed_binary.yml +++ b/detections/endpoint/windows_regsvr32_renamed_binary.yml @@ -1,16 +1,17 @@ name: Windows Regsvr32 Renamed Binary id: 7349a9e9-3cf6-4171-bb0c-75607a8dcd1a -version: 1 -date: '2022-10-27' +version: 2 +date: '2024-05-14' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following hunting analytic identifies renamed instances of regsv32.exe - executing. regsv32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. - During investigation, validate if it is the legitimate regsv32.exe executing and - what dll module content it is loading. This query relies on the original filename - or internal name from the PE meta data. Expand the query as needed by looking for - specific command line arguments outlined in other analytics. +description: The following analytic identifies instances where the regsvr32.exe binary + has been renamed and executed. This detection leverages Endpoint Detection and Response + (EDR) data, specifically focusing on the original filename metadata. Renaming regsvr32.exe + is significant as it can be an evasion technique used by attackers to bypass security + controls. If confirmed malicious, this activity could allow an attacker to execute + arbitrary DLLs, potentially leading to code execution, privilege escalation, or + persistence within the environment. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -68,7 +69,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot_3/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot_3/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_remote_access_software_brc4_loaded_dll.yml b/detections/endpoint/windows_remote_access_software_brc4_loaded_dll.yml index b386490ea8..8a7d263fbc 100644 --- a/detections/endpoint/windows_remote_access_software_brc4_loaded_dll.yml +++ b/detections/endpoint/windows_remote_access_software_brc4_loaded_dll.yml @@ -1,24 +1,18 @@ name: Windows Remote Access Software BRC4 Loaded Dll id: 73cf5dcb-cf36-4167-8bbe-384fe5384d05 -version: 1 -date: '2022-08-24' +version: 2 +date: '2024-05-21' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following anomaly detection identifies the behavior related to 4 - native Windows DLLs being loaded by a non-standard process. Identified by MDSec - during their research into Brute Ratel, MDSec identified a high signal analytic - by calling out these 4 DLLs being loaded into a process. LogonCLI.dll is the Net - Logon Client DLL and is related to users and other domain services to get authenticated. - Credui.dll is Credential Manager User Interface. Credential managers receive notifications - when authentication information changes. For example, credential managers are notified - when a user logs on or an account password changes. Samcli.dll is the Security Accounts - Manager Client DLL. Adversaries may attempt to extract credential material from - the Security Account Manager (SAM) database either through in-memory techniques - or through the Windows Registry where the SAM database is stored. Dbghelp.dll is - Windows Image Helper. Windows Image Helper is commonly seen in credential dumping - due to native functions. All of these modules are important to monitor and track - and combined may lead to credentail access or dumping. +description: The following analytic identifies the loading of four specific Windows + DLLs (credui.dll, dbghelp.dll, samcli.dll, winhttp.dll) by a non-standard process. + This detection leverages Sysmon EventCode 7 to monitor DLL load events and flags + when all four DLLs are loaded within a short time frame. This activity is significant + as it may indicate the presence of Brute Ratel C4, a sophisticated remote access + tool used for credential dumping and other malicious activities. If confirmed malicious, + this behavior could lead to unauthorized access, credential theft, and further compromise + of the affected system. data_source: - Sysmon EventID 7 search: '`sysmon` EventCode=7 |bin _time span=30s | eval BRC4_AnomalyLoadedDll=case(OriginalFileName=="credui.dll", @@ -77,7 +71,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/iso_version_dll_campaign/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/iso_version_dll_campaign/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_remote_access_software_hunt.yml b/detections/endpoint/windows_remote_access_software_hunt.yml index 816bedf210..cb2269e501 100644 --- a/detections/endpoint/windows_remote_access_software_hunt.yml +++ b/detections/endpoint/windows_remote_access_software_hunt.yml @@ -1,17 +1,18 @@ name: Windows Remote Access Software Hunt id: 8bd22c9f-05a2-4db1-b131-29271f28cb0a -version: 1 -date: '2022-08-22' +version: 2 +date: '2024-05-15' author: Michael Haag, Splunk status: production type: Hunting -description: The following hunting analytic is meant to help organizations understand - what remote access software is being used in the environment. When reviewing this - hunt, confirm the software identified is authorized to be utilized. Based on fidelity, - create a new analytic for specific utilities banned within the organization. Adversaries - use these utilities to retain remote access capabilities to the environment. Utilities - in the lookup include AnyDesk, GoToMyPC, LogMeIn, TeamViewer and much more. Review - the lookup for the entire list and add any others. +description: The following analytic identifies the use of remote access software within + the environment. It leverages data from Endpoint Detection and Response (EDR) agents, + focusing on process execution logs. This detection is significant as unauthorized + remote access tools can be used by adversaries to maintain persistent access to + compromised systems. If confirmed malicious, this activity could allow attackers + to remotely control systems, exfiltrate data, or further infiltrate the network. + Review the identified software to ensure it is authorized and take action against + any unauthorized utilities. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -77,7 +78,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1219/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1219/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_remote_access_software_rms_registry.yml b/detections/endpoint/windows_remote_access_software_rms_registry.yml index a7687d5d71..bb79c75394 100644 --- a/detections/endpoint/windows_remote_access_software_rms_registry.yml +++ b/detections/endpoint/windows_remote_access_software_rms_registry.yml @@ -1,15 +1,18 @@ name: Windows Remote Access Software RMS Registry id: e5b7b5a9-e471-4be8-8c5d-4083983ba329 -version: 1 -date: '2022-06-22' +version: 2 +date: '2024-05-14' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic is to identify a modification or creation of Windows - registry related to the Remote Manipulator System (RMS) Remote Admin tool. RMS is - a legitimate tool developed by russian organization TektonIT and has been observed - being abused by adversaries to gain remote access to the targeted host. Azorult - malware utilized RMS to gain remote access. +description: The following analytic detects the creation or modification of Windows + registry entries related to the Remote Manipulator System (RMS) Remote Admin tool. + It leverages data from the Endpoint.Registry datamodel, focusing on registry paths + containing "SYSTEM\\Remote Manipulator System." This activity is significant because + RMS, while legitimate, is often abused by adversaries, such as in the Azorult malware + campaigns, to gain unauthorized remote access. If confirmed malicious, this could + allow attackers to remotely control the targeted host, leading to potential data + exfiltration, system manipulation, or further network compromise. data_source: - Sysmon EventID 12 - Sysmon EventID 13 @@ -58,7 +61,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_remote_assistance_spawning_process.yml b/detections/endpoint/windows_remote_assistance_spawning_process.yml index 337b743522..9a76051121 100644 --- a/detections/endpoint/windows_remote_assistance_spawning_process.yml +++ b/detections/endpoint/windows_remote_assistance_spawning_process.yml @@ -1,16 +1,18 @@ name: Windows Remote Assistance Spawning Process id: ced50492-8849-11ec-9f68-acde48001122 -version: 1 -date: '2022-02-07' +version: 2 +date: '2024-05-16' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies the use of Microsoft Remote Assistance, - msra.exe, spawning PowerShell.exe or cmd.exe as a child process. Msra.exe by default - has no command-line arguments and typically spawns itself. It will generate a network - connection to the remote system that is connected. This behavior is indicative of - another process injected into msra.exe. Review the parent process or cross process - events to identify source. +description: The following analytic detects Microsoft Remote Assistance (msra.exe) + spawning PowerShell.exe or cmd.exe as a child process. This detection leverages + data from Endpoint Detection and Response (EDR) agents, focusing on process creation + events where msra.exe is the parent process. This activity is significant because + msra.exe typically does not spawn command-line interfaces, indicating potential + process injection or misuse. If confirmed malicious, an attacker could use this + technique to execute arbitrary commands, escalate privileges, or maintain persistence + on the compromised system. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -78,6 +80,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/msra/msra-windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/msra/msra-windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_remote_create_service.yml b/detections/endpoint/windows_remote_create_service.yml index 8e0c377a9d..e904d6be26 100644 --- a/detections/endpoint/windows_remote_create_service.yml +++ b/detections/endpoint/windows_remote_create_service.yml @@ -1,16 +1,19 @@ name: Windows Remote Create Service id: 0dc44d03-8c00-482d-ba7c-796ba7ab18c9 -version: 1 -date: '2023-03-20' +version: 2 +date: '2024-05-14' author: Michael Haag, Splunk status: production type: Anomaly data_source: - Sysmon EventID 1 -description: This analytic identifies an endpoint that remotely connects to another - endpoint to create a new service using sc.exe. On the remote endpoint, the new service - will be created and this action will trigger the creation of EventCode 7045 along - with all the resulting service information. +description: The following analytic identifies the creation of a new service on a + remote endpoint using sc.exe. It leverages data from Endpoint Detection and Response + (EDR) agents, specifically monitoring for EventCode 7045, which indicates a new + service creation. This activity is significant as it may indicate lateral movement + or remote code execution attempts by an attacker. If confirmed malicious, this could + allow the attacker to establish persistence, escalate privileges, or execute arbitrary + code on the remote system, potentially leading to further compromise of the network. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=sc.exe Processes.process IN ("*create*") Processes.process="*\\\\*" by Processes.dest @@ -82,7 +85,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/atomic_red_team/remote_service_create_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/atomic_red_team/remote_service_create_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_remote_service_rdpwinst_tool_execution.yml b/detections/endpoint/windows_remote_service_rdpwinst_tool_execution.yml index 632ba7614e..8a4638c731 100644 --- a/detections/endpoint/windows_remote_service_rdpwinst_tool_execution.yml +++ b/detections/endpoint/windows_remote_service_rdpwinst_tool_execution.yml @@ -1,15 +1,18 @@ name: Windows Remote Service Rdpwinst Tool Execution id: c8127f87-c7c9-4036-89ed-8fe4b30e678c -version: 1 -date: '2022-06-24' +version: 2 +date: '2024-05-23' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic identifies RDPWInst.exe tool, which is a RDP wrapper - library tool designed to enable remote desktop host support and concurrent RDP session - on reduced functionality system. Unfortunately, this open project was abused by - adversaries to enable RDP connection to the targeted host for remote access and - potentially be for lateral movement. +description: The following analytic detects the execution of the RDPWInst.exe tool, + which is an RDP wrapper library used to enable remote desktop host support and concurrent + RDP sessions. This detection leverages data from Endpoint Detection and Response + (EDR) agents, focusing on process names, original file names, and specific command-line + arguments. This activity is significant because adversaries can abuse this tool + to establish unauthorized RDP connections, facilitating remote access and potential + lateral movement within the network. If confirmed malicious, this could lead to + unauthorized access, data exfiltration, and further compromise of the targeted host. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` values(Processes.process) as process @@ -69,7 +72,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_remote_services_allow_rdp_in_firewall.yml b/detections/endpoint/windows_remote_services_allow_rdp_in_firewall.yml index bc802b0584..4e48f92957 100644 --- a/detections/endpoint/windows_remote_services_allow_rdp_in_firewall.yml +++ b/detections/endpoint/windows_remote_services_allow_rdp_in_firewall.yml @@ -1,17 +1,18 @@ name: Windows Remote Services Allow Rdp In Firewall id: 9170cb54-ea15-41e1-9dfc-9f3363ce9b02 -version: 1 -date: '2022-06-21' +version: 2 +date: '2024-05-31' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic is to identify a modification in the Windows firewall - to enable remote desktop protocol on a targeted machine. This technique was seen - in several adversaries, malware or red teamer to remotely access the compromised - or targeted host by allowing this protocol in firewall. Even this protocol might - be allowed in some production environment, This TTP behavior is a good pivot to - check who and why the user want to enable this feature through firewall which is - also common traits of attack to start lateral movement. +description: The following analytic detects modifications to the Windows firewall + to enable Remote Desktop Protocol (RDP) on a targeted machine. It leverages data + from Endpoint Detection and Response (EDR) agents, focusing on command-line executions + involving "netsh.exe" to allow TCP port 3389. This activity is significant as it + may indicate an adversary attempting to gain remote access to a compromised host, + a common tactic for lateral movement. If confirmed malicious, this could allow attackers + to remotely control the system, leading to potential data exfiltration or further + network compromise. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` values(Processes.process) as cmdline @@ -70,7 +71,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_remote_services_allow_remote_assistance.yml b/detections/endpoint/windows_remote_services_allow_remote_assistance.yml index 789ffad566..0c1d265e0b 100644 --- a/detections/endpoint/windows_remote_services_allow_remote_assistance.yml +++ b/detections/endpoint/windows_remote_services_allow_remote_assistance.yml @@ -1,18 +1,18 @@ name: Windows Remote Services Allow Remote Assistance id: 9bce3a97-bc97-4e89-a1aa-ead151c82fbb -version: 1 -date: '2022-06-21' +version: 2 +date: '2024-05-22' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic is to identify a modification in the Windows registry - to enable remote desktop assistance on a targeted machine. This technique was seen - in several adversaries, malware or red teamer like azorult to remotely access the - compromised or targeted host by enabling this protocol in registry. Even this protocol - might be allowed in some production environment, This Anomaly behavior is a good - pivot to check who and why the user want to enable this feature through registry - which is un-common. And as per stated in microsoft documentation the default value - of this registry is false that makes this a good indicator of suspicious behavior. +description: The following analytic detects modifications in the Windows registry + to enable remote desktop assistance on a targeted machine. It leverages data from + the Endpoint.Registry datamodel, specifically monitoring changes to the "Control\\Terminal + Server\\fAllowToGetHelp" registry path. This activity is significant because enabling + remote assistance via registry is uncommon and often associated with adversaries + or malware like Azorult. If confirmed malicious, this could allow an attacker to + remotely access and control the compromised host, leading to potential data exfiltration + or further system compromise. data_source: - Sysmon EventID 12 - Sysmon EventID 13 @@ -63,7 +63,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_remote_services_rdp_enable.yml b/detections/endpoint/windows_remote_services_rdp_enable.yml index 6dfeead045..8cdb6f35ef 100644 --- a/detections/endpoint/windows_remote_services_rdp_enable.yml +++ b/detections/endpoint/windows_remote_services_rdp_enable.yml @@ -1,17 +1,18 @@ name: Windows Remote Services Rdp Enable id: 8fbd2e88-4ea5-40b9-9217-fd0855e08cc0 -version: 1 -date: '2022-06-21' +version: 2 +date: '2024-05-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic is to identify a modification in the Windows registry - to enable remote desktop protocol on a targeted machine. This technique was seen - in several adversaries, malware or red teamer to remotely access the compromised - or targeted host by enabling this protocol in registry. Even this protocol might - be allowed in some production environment, This TTP behavior is a good pivot to - check who and why the user want to enable this feature through registry which is - un-common. +description: The following analytic detects modifications in the Windows registry + to enable Remote Desktop Protocol (RDP) on a targeted machine. It leverages data + from the Endpoint.Registry datamodel, specifically monitoring changes to the "fDenyTSConnections" + registry value. This activity is significant as enabling RDP via registry is uncommon + and often associated with adversaries or malware attempting to gain remote access. + If confirmed malicious, this could allow attackers to remotely control the compromised + host, potentially leading to further exploitation and lateral movement within the + network. data_source: - Sysmon EventID 12 - Sysmon EventID 13 @@ -61,7 +62,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_replication_through_removable_media.yml b/detections/endpoint/windows_replication_through_removable_media.yml index f290098c33..a22f38ca07 100644 --- a/detections/endpoint/windows_replication_through_removable_media.yml +++ b/detections/endpoint/windows_replication_through_removable_media.yml @@ -1,21 +1,17 @@ name: Windows Replication Through Removable Media id: 60df805d-4605-41c8-bbba-57baa6a4eb97 -version: 1 -date: '2023-09-07' +version: 2 +date: '2024-05-14' author: Teoderick Contreras, Splunk status: production type: TTP -description: This analytic is developed to detect suspicious executable or script - files created or dropped in the root drive of a targeted host. This technique is - commonly used by threat actors, adversaries or even red teamers to replicate or - spread in possible removable drives. Back then, WORM malware was popular for this - technique where it would drop a copy of itself in the root drive to be able to spread - or to have a lateral movement in other network machines. Nowadays, Ransomware like - CHAOS ransomware also use this technique to spread its malicious code in possible - removable drives. This TTP detection can be a good indicator that a process might - create a persistence technique or lateral movement of a targeted machine. We suggest - checking the process name that creates this event, the file created, user type, - and the reason why that executable or scripts are dropped in the root drive. +description: The following analytic detects the creation or dropping of executable + or script files in the root directory of a removable drive. It leverages data from + the Endpoint.Filesystem datamodel, focusing on specific file types and their creation + paths. This activity is significant as it may indicate an attempt to spread malware, + such as ransomware, via removable media. If confirmed malicious, this behavior could + lead to unauthorized code execution, lateral movement, or persistence within the + network, potentially compromising sensitive data and systems. data_source: - Sysmon EventID 11 search: '|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -24,8 +20,8 @@ search: '|tstats `security_content_summariesonly` count min(_time) as firstTime = *.com OR Filesystem.file_name = *.vbs OR Filesystem.file_name = *.vbe OR Filesystem.file_name = *.js OR Filesystem.file_name= *.bat OR Filesystem.file_name = *.cmd OR Filesystem.file_name = *.pif) by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name - Filesystem.file_path Filesystem.user Filesystem.dest | `drop_dm_object_name(Filesystem)` | eval - dropped_file_path = split(file_path, "\\") | eval dropped_file_path_split_count + Filesystem.file_path Filesystem.user Filesystem.dest | `drop_dm_object_name(Filesystem)` + | eval dropped_file_path = split(file_path, "\\") | eval dropped_file_path_split_count = mvcount(dropped_file_path) | eval root_drive = mvindex(dropped_file_path,0) | where LIKE(root_drive, "%:") AND dropped_file_path_split_count = 2 AND root_drive!= "C:" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` @@ -46,8 +42,8 @@ tags: asset_type: Endpoint confidence: 80 impact: 80 - message: executable or script $file_path$ was dropped in root drive $root_drive$ in - $dest$ + message: executable or script $file_path$ was dropped in root drive $root_drive$ + in $dest$ mitre_attack_id: - T1091 observable: @@ -75,7 +71,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/chaos_ransomware/spread_in_root_drives/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/chaos_ransomware/spread_in_root_drives/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_root_domain_linked_policies_discovery.yml b/detections/endpoint/windows_root_domain_linked_policies_discovery.yml index 26140307d7..c1fd6ba784 100644 --- a/detections/endpoint/windows_root_domain_linked_policies_discovery.yml +++ b/detections/endpoint/windows_root_domain_linked_policies_discovery.yml @@ -1,22 +1,23 @@ name: Windows Root Domain linked policies Discovery id: 80ffaede-1f12-49d5-a86e-b4b599b68b3c -version: 1 -date: '2023-04-14' +version: 2 +date: '2024-05-26' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) - to identify the `[Adsisearcher]` type accelerator being used to query Active Directory - for domain groups. Red Teams and adversaries may leverage `[Adsisearcher]` to enumerate - root domain linked policies for situational awareness and Active Directory Discovery. +description: The following analytic detects the use of the `[Adsisearcher]` type accelerator + in PowerShell to query Active Directory for root domain linked policies. It leverages + PowerShell Script Block Logging (EventCode=4104) to identify this activity. This + behavior is significant as it may indicate an attempt by adversaries or Red Teams + to gain situational awareness and perform Active Directory Discovery. If confirmed + malicious, this activity could allow attackers to map out domain policies, potentially + aiding in further exploitation or lateral movement within the network. data_source: - Powershell Script Block Logging 4104 search: '`powershell` EventCode=4104 ScriptBlockText = "*[adsisearcher]*" ScriptBlockText = "*.SearchRooT*" ScriptBlockText = "*.gplink*" | stats count min(_time) as firstTime - max(_time) as lastTime by EventCode ScriptBlockText Computer user_id - | rename Computer as dest, user_id as user - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` + max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | rename Computer + as dest, user_id as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_root_domain_linked_policies_discovery_filter`' how_to_implement: The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or @@ -33,7 +34,8 @@ tags: asset_type: Endpoint confidence: 50 impact: 50 - message: Windows PowerShell [Adsisearcher] was used user enumeration on endpoint $dest$ + message: Windows PowerShell [Adsisearcher] was used user enumeration on endpoint + $dest$ mitre_attack_id: - T1087.002 - T1087 @@ -57,6 +59,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/adsi_discovery/windows-powershell-xml1.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/adsi_discovery/windows-powershell-xml1.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_rundll32_apply_user_settings_changes.yml b/detections/endpoint/windows_rundll32_apply_user_settings_changes.yml index 3d601e86fc..08b286b748 100644 --- a/detections/endpoint/windows_rundll32_apply_user_settings_changes.yml +++ b/detections/endpoint/windows_rundll32_apply_user_settings_changes.yml @@ -1,25 +1,26 @@ name: Windows Rundll32 Apply User Settings Changes id: b9fb8d97-dbc9-4a09-804c-ff0e3862bb2d -version: 1 -date: '2023-12-12' +version: 2 +date: '2024-05-29' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 1 -description: This search is to detect a suspicious rundll32 commandline to update a user's system parameters related to desktop backgrounds, - display settings, and visual themes. Specifically, it triggers the system to refresh and apply changes to the user-specific settings, - such as wallpaper modifications or visual theme updates, ensuring that the changes take effect without the need to restart the system or log out - and log back in. This technique was seen in Rhysida Ransomware and script as part of its defense evasion. This technique is not a common practice - to lock a screen and maybe a good indicator of compromise. - This command could also potentially be exploited by malware to disguise its activities or make unauthorized changes to a user's system settings - without their knowledge or consent. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes - where Processes.process_name=rundll32.exe Processes.process= "*user32.dll,UpdatePerUserSystemParameters*" - by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name - | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +description: The following analytic detects the execution of a suspicious rundll32 + command line that updates user-specific system parameters, such as desktop backgrounds, + display settings, and visual themes. It leverages data from Endpoint Detection and + Response (EDR) agents, focusing on command-line executions involving "user32.dll,UpdatePerUserSystemParameters." + This activity is significant as it is uncommon for legitimate purposes and has been + observed in Rhysida Ransomware for defense evasion. If confirmed malicious, this + could allow an attacker to disguise activities or make unauthorized system changes, + potentially leading to persistent unauthorized access. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name=rundll32.exe + Processes.process= "*user32.dll,UpdatePerUserSystemParameters*" by Processes.dest + Processes.user Processes.parent_process Processes.process_name Processes.process + Processes.process_id Processes.parent_process_id Processes.parent_process_name | + `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_rundll32_apply_user_settings_changes_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related @@ -71,6 +72,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/update_per_user_system/rundll32_updateperusersystem.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/update_per_user_system/rundll32_updateperusersystem.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_rundll32_webdav_with_network_connection.yml b/detections/endpoint/windows_rundll32_webdav_with_network_connection.yml index 2fbf258721..71b1d73175 100644 --- a/detections/endpoint/windows_rundll32_webdav_with_network_connection.yml +++ b/detections/endpoint/windows_rundll32_webdav_with_network_connection.yml @@ -1,15 +1,18 @@ name: Windows Rundll32 WebDav With Network Connection id: f03355e0-28b5-4e9b-815a-6adffc63b38c -version: 1 -date: '2024-01-30' +version: 2 +date: '2024-05-11' author: Michael Haag, Splunk type: TTP status: experimental data_source: [] -description: The following analytic identifies rundll32.exe with the commandline arguments - loading davclnt.dll function - davsetcookie - to be used to access a remote WebDav - instance. The analytic attempts to use join from Processes and All_Traffic to identify - the network connection. This particular behavior was recently showcased in CVE-2023-23397. +description: The following analytic detects the execution of rundll32.exe with command-line + arguments loading davclnt.dll and the davsetcookie function to access a remote WebDav + instance. It uses data from Endpoint Detection and Response (EDR) agents, correlating + process execution and network traffic data. This activity is significant as it may + indicate exploitation of CVE-2023-23397, a known vulnerability. If confirmed malicious, + this could allow an attacker to establish unauthorized remote connections, potentially + leading to data exfiltration or further network compromise. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.parent_process_name=svchost.exe `process_rundll32` Processes.process IN ("*\\windows\\system32\\davclnt.dll,*davsetcookie*", @@ -93,6 +96,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048.003/cve-2023-23397/webdav_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048.003/cve-2023-23397/webdav_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_scheduled_task_created_via_xml.yml b/detections/endpoint/windows_scheduled_task_created_via_xml.yml index eed62c0abc..fe8cfebc59 100644 --- a/detections/endpoint/windows_scheduled_task_created_via_xml.yml +++ b/detections/endpoint/windows_scheduled_task_created_via_xml.yml @@ -1,30 +1,20 @@ name: Windows Scheduled Task Created Via XML id: 7e03b682-3965-4598-8e91-a60a40a3f7e4 -version: 2 -date: '2023-12-27' +version: 3 +date: '2024-05-17' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 1 -description: 'The following analytic detects the creation of suspicious scheduled - tasks in Windows, specifically tasks created using schtasks.exe with the -create - flag and an XML parameter in the command-line. This technique is commonly employed - by threat actors, adversaries, and red teamers to establish persistence or achieve - privilege escalation on targeted hosts. Notably, malware like Trickbot and Winter-Vivern - have been observed using XML files to create scheduled tasks. Monitoring and investigating - this activity is crucial to mitigate potential security risks. It is important to - be aware that scripts or administrators may trigger this analytic, leading to potential - false positives. To minimize false positives, adjust the filter based on the parent - process or application. - - When a true positive is detected, it suggests an attacker''s attempt to gain persistence - or execute additional malicious payloads, potentially resulting in data theft, ransomware, - or other damaging outcomes. During triage, review the source of the scheduled task, - the command to be executed, and capture any relevant on-disk artifacts. Analyze - concurrent processes to identify the source of the attack. This analytic enables - analysts to detect and respond to potential threats early, mitigating the associated - risks effectively.' +description: 'The following analytic detects the creation of scheduled tasks in Windows + using schtasks.exe with the -create flag and an XML parameter. This detection leverages + data from Endpoint Detection and Response (EDR) agents, focusing on command-line + executions and process details. This activity is significant as it is a common technique + for establishing persistence or achieving privilege escalation, often used by malware + like Trickbot and Winter-Vivern. If confirmed malicious, this could allow attackers + to maintain access, execute additional payloads, and potentially lead to data theft + or ransomware deployment.' search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe Processes.process=*create* Processes.process="* /xml *" by Processes.user Processes.parent_process_name @@ -89,7 +79,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winter-vivern/scheduledtask/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winter-vivern/scheduledtask/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_scheduled_task_service_spawned_shell.yml b/detections/endpoint/windows_scheduled_task_service_spawned_shell.yml index bc6e8234ef..5890126fb4 100644 --- a/detections/endpoint/windows_scheduled_task_service_spawned_shell.yml +++ b/detections/endpoint/windows_scheduled_task_service_spawned_shell.yml @@ -1,16 +1,18 @@ name: Windows Scheduled Task Service Spawned Shell id: d8120352-3b62-4e3c-8cb6-7b47584dd5e8 -version: 1 -date: '2023-06-13' +version: 2 +date: '2024-05-14' author: Steven Dick status: production type: TTP -description: The following analytic identifies when the Task Scheduler service "svchost.exe - -k netsvcs -p -s Schedule" is the parent process to common command line, scripting, - or shell execution binaries. Attackers often abuse the task scheduler service with - these binaries as an execution and persistence mechanism in order to blend in with - normal Windows operations. This TTP is also commonly seen for legitimate purposes - such as business scripts or application updates. +description: The following analytic detects when the Task Scheduler service ("svchost.exe + -k netsvcs -p -s Schedule") spawns common command line, scripting, or shell execution + binaries such as "powershell.exe" or "cmd.exe". This detection leverages data from + Endpoint Detection and Response (EDR) agents, focusing on process and parent process + relationships. This activity is significant as attackers often abuse the Task Scheduler + for execution and persistence, blending in with legitimate Windows operations. If + confirmed malicious, this could allow attackers to execute arbitrary code, maintain + persistence, or escalate privileges within the environment. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -80,6 +82,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/gootloader/partial_ttps/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/gootloader/partial_ttps/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml b/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml index ca477a2fdf..4b0730ba79 100644 --- a/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml +++ b/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml @@ -1,22 +1,18 @@ name: Windows Scheduled Task with Highest Privileges id: 2f15e1a4-0fc2-49dd-919e-cbbe60699218 -version: 1 -date: '2023-12-27' +version: 2 +date: '2024-05-20' author: Teoderick Contreras, Splunk status: production type: TTP -description: 'The following analytic detects the creation of a new task with the highest - execution privilege via Schtasks.exe. This tactic is often observed in AsyncRAT - attacks, where the scheduled task is used for persistence and privilege escalation. - AsyncRAT sets up a scheduled task with parameters ''/rl'' and ''highest'', triggering - this technique. It''s a strong indicator of potential malware or adversaries seeking - to establish persistence and escalate privileges through scheduled tasks. This is - crucial for a Security Operations Center (SOC) as it can prevent unauthorized system - access and potential data breaches. - - The analytic works by monitoring logs for process name, parent process, and command-line - executions. In the presence of the ''*/rl '' and '' highest *'' commands in a schtasks.exe - process, an alert is triggered.' +description: 'The following analytic detects the creation of a new scheduled task + with the highest execution privileges via Schtasks.exe. It leverages Endpoint Detection + and Response (EDR) logs to monitor for specific command-line parameters (''/rl'' + and ''highest'') in schtasks.exe executions. This activity is significant as it + is commonly used in AsyncRAT attacks for persistence and privilege escalation. If + confirmed malicious, this could allow an attacker to maintain persistent access + and execute tasks with elevated privileges, potentially leading to unauthorized + system access and data breaches.' data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -80,7 +76,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/asyncrat_highest_priv_schtasks/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/asyncrat_highest_priv_schtasks/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_schtasks_create_run_as_system.yml b/detections/endpoint/windows_schtasks_create_run_as_system.yml index da147aa140..b92dfcc83b 100644 --- a/detections/endpoint/windows_schtasks_create_run_as_system.yml +++ b/detections/endpoint/windows_schtasks_create_run_as_system.yml @@ -1,19 +1,18 @@ name: Windows Schtasks Create Run As System id: 41a0e58e-884c-11ec-9976-acde48001122 -version: 1 -date: '2022-02-07' +version: 2 +date: '2024-05-12' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies the creation of a new task to start - and run as an elevated user - SYSTEM using Schtasks.exe. This behavior is commonly - used by adversaries to spawn a process in an elevated state. If a true positive - is found, it suggests an attacker is attempting to persist within the environment - or potentially deliver additional malicious payloads, leading to data theft, ransomware, - or other damaging outcomes. Upon triage, review the scheduled task's source and - the command to be executed. Capture and inspect any relevant on-disk artifacts, - and look for concurrent processes to identify the attack source. This approach helps - analysts detect potential threats earlier and mitigate the risks. +description: The following analytic detects the creation of a new scheduled task using + Schtasks.exe to run as the SYSTEM user. This detection leverages data from Endpoint + Detection and Response (EDR) agents, focusing on command-line executions and process + details. This activity is significant as it often indicates an attempt to gain elevated + privileges or maintain persistence within the environment. If confirmed malicious, + an attacker could execute code with SYSTEM-level privileges, potentially leading + to data theft, ransomware deployment, or further system compromise. Immediate investigation + and mitigation are crucial to prevent further damage. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -82,6 +81,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/schtask_system/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/schtask_system/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_screen_capture_via_powershell.yml b/detections/endpoint/windows_screen_capture_via_powershell.yml index 7116db78e6..3a7e848183 100644 --- a/detections/endpoint/windows_screen_capture_via_powershell.yml +++ b/detections/endpoint/windows_screen_capture_via_powershell.yml @@ -1,18 +1,23 @@ name: Windows Screen Capture Via Powershell id: 5e0b1936-8f99-4399-8ee2-9edc5b32e170 -version: 1 -date: '2023-04-05' +version: 2 +date: '2024-05-29' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Powershell Script Block Logging 4104 -description: The following analytic identifies a potential PowerShell script that captures screen images on compromised or targeted hosts. This technique was observed in the Winter-Vivern malware, which attempts to capture desktop screens using a PowerShell script and send the images to its C2 server as part of its exfiltration strategy. This TTP serves as a useful indicator that a PowerShell process may be gathering desktop screenshots from a host system, potentially signaling malicious activity. -search: '`powershell` EventCode=4104 ScriptBlockText = "*[Drawing.Graphics]::FromImage(*" AND ScriptBlockText = "*New-Object Drawing.Bitmap*" - AND ScriptBlockText = "*.CopyFromScreen*" - | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +description: The following analytic detects the execution of a PowerShell script designed + to capture screen images on a host. It leverages PowerShell Script Block Logging + to identify specific script block text patterns associated with screen capture activities. + This behavior is significant as it may indicate an attempt to exfiltrate sensitive + information by capturing desktop screenshots. If confirmed malicious, this activity + could allow an attacker to gather visual data from the compromised system, potentially + leading to data breaches or further exploitation. +search: '`powershell` EventCode=4104 ScriptBlockText = "*[Drawing.Graphics]::FromImage(*" + AND ScriptBlockText = "*New-Object Drawing.Bitmap*" AND ScriptBlockText = "*.CopyFromScreen*" + | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText + Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_screen_capture_via_powershell_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here @@ -32,7 +37,8 @@ tags: dataset: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winter-vivern/pwh_exfiltration/windows-powershell-xml.log impact: 70 - message: A PowerShell script was identified possibly performing screen captures on $Computer$. + message: A PowerShell script was identified possibly performing screen captures + on $Computer$. mitre_attack_id: - T1113 observable: @@ -55,7 +61,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winter-vivern/pwh_exfiltration/windows-powershell-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winter-vivern/pwh_exfiltration/windows-powershell-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog - update_timestamp: true \ No newline at end of file + update_timestamp: true diff --git a/detections/endpoint/windows_security_support_provider_reg_query.yml b/detections/endpoint/windows_security_support_provider_reg_query.yml index d06b1106af..5f71816289 100644 --- a/detections/endpoint/windows_security_support_provider_reg_query.yml +++ b/detections/endpoint/windows_security_support_provider_reg_query.yml @@ -1,19 +1,19 @@ name: Windows Security Support Provider Reg Query id: 31302468-93c9-4eca-9ae3-2d41f53a4e2b -version: 1 -date: '2022-11-30' +version: 2 +date: '2024-05-28' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic identifies a process command line related to the - discovery of possible Security Support Providers in the registry. This technique - is being abused by adversaries or post exploitation tools like winpeas to gather - LSA protection and configuration in the registry in the targeted host. This registry - entry can contain several information related to LSA that validates users for local - and remote sign-ins and enforces local security policies. Understanding LSA protection - may give a good information in accessing LSA content in memory which is commonly - attack by adversaries and tool like mimikatz to scrape password hashes or clear - plain text passwords. +description: The following analytic identifies command-line activity querying the + registry for Security Support Providers (SSPs) related to Local Security Authority + (LSA) protection and configuration. This detection leverages Endpoint Detection + and Response (EDR) telemetry, focusing on processes accessing specific LSA registry + paths. Monitoring this activity is crucial as adversaries and post-exploitation + tools like winpeas may use it to gather information on LSA protections, potentially + leading to credential theft. If confirmed malicious, attackers could exploit this + to scrape password hashes or plaintext passwords from memory, significantly compromising + system security. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -79,7 +79,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_server_software_component_gacutil_install_to_gac.yml b/detections/endpoint/windows_server_software_component_gacutil_install_to_gac.yml index 9641ebcd98..1cad2e24b4 100644 --- a/detections/endpoint/windows_server_software_component_gacutil_install_to_gac.yml +++ b/detections/endpoint/windows_server_software_component_gacutil_install_to_gac.yml @@ -1,20 +1,17 @@ name: Windows Server Software Component GACUtil Install to GAC id: 7c025ef0-9e65-4c57-be39-1c13dbb1613e -version: 1 -date: '2023-01-17' +version: 2 +date: '2024-05-25' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies the Windows SDK utility - GACUtil.exe, - being utilized to add a DLL into the Global Assembly Cache (GAC). Each computer - where the Common Language Runtime is installed has a machine-wide code cache called - the Global Assembly Cache. The Global Assembly Cache stores assemblies specifically - designated to be shared by several applications on the computer. By adding a DLL - to the GAC, this allows an adversary to call it via any other means across the operating - systems. As outlined by Microsoft in their blog, it is not common to see this spawning - from W3WP.exe, however, in a non-development environment it may not be common at - all. Note that in order to utilize GACutil.exe, The Windows SDK must be installed, - this is not a native binary. +description: The following analytic detects the use of GACUtil.exe to add a DLL into + the Global Assembly Cache (GAC). It leverages data from Endpoint Detection and Response + (EDR) agents, focusing on process names and command-line executions. This activity + is significant because adding a DLL to the GAC allows it to be called by any application, + potentially enabling widespread code execution. If confirmed malicious, this could + allow an attacker to execute arbitrary code across the operating system, leading + to privilege escalation or persistent access. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -90,7 +87,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/gacutil_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/gacutil_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_service_create_sliverc2.yml b/detections/endpoint/windows_service_create_sliverc2.yml index d415038410..f328e79128 100644 --- a/detections/endpoint/windows_service_create_sliverc2.yml +++ b/detections/endpoint/windows_service_create_sliverc2.yml @@ -1,24 +1,31 @@ name: Windows Service Create SliverC2 id: 89dad3ee-57ec-43dc-9044-131c4edd663f -version: 1 -date: '2023-03-03' +version: 2 +date: '2024-05-25' author: Michael Haag, Splunk type: TTP status: production data_source: - Windows Event Log System 7045 -description: When an adversary utilizes SliverC2 to laterally move with the Psexec module, it will create a service with the name and description of "Sliver" and "Sliver Implant". Note that these may be easily changed and are specific to only SliverC2. - We have also created the same regex as Microsoft has outlined to attempt to capture the suspicious service path (regex101 reference). -search: '`wineventlog_system` EventCode=7045 ServiceName="sliver" - | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ImagePath ServiceName ServiceType | rename Computer as dest - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `windows_service_create_sliverc2_filter`' -how_to_implement: To implement this analytic, the Windows EventCode 7045 will need to be logged from the System Event log. The Windows TA for Splunk is also recommended. -known_false_positives: False positives should be limited, but if another service out there is named Sliver, filtering may be needed. +description: The following analytic detects the creation of a Windows service named + "Sliver" with the description "Sliver Implant," indicative of SliverC2 lateral movement + using the PsExec module. It leverages Windows EventCode 7045 from the System Event + log to identify this activity. This behavior is significant as it may indicate an + adversary's attempt to establish persistence or execute commands remotely. If confirmed + malicious, this activity could allow attackers to maintain control over the compromised + system, execute arbitrary code, and further infiltrate the network. +search: '`wineventlog_system` EventCode=7045 ServiceName="sliver" | stats count min(_time) + as firstTime max(_time) as lastTime by Computer EventCode ImagePath ServiceName + ServiceType | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_service_create_sliverc2_filter`' +how_to_implement: To implement this analytic, the Windows EventCode 7045 will need + to be logged from the System Event log. The Windows TA for Splunk is also recommended. +known_false_positives: False positives should be limited, but if another service out + there is named Sliver, filtering may be needed. references: - - https://github.com/BishopFox/sliver/blob/71f94928bf36c1557ea5fbeffa161b71116f56b2/client/command/exec/psexec.go#LL61C5-L61C16 - - https://www.microsoft.com/en-us/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/ - - https://regex101.com/r/DWkkXm/1 +- https://github.com/BishopFox/sliver/blob/71f94928bf36c1557ea5fbeffa161b71116f56b2/client/command/exec/psexec.go#LL61C5-L61C16 +- https://www.microsoft.com/en-us/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/ +- https://regex101.com/r/DWkkXm/1 tags: analytic_story: - BishopFox Sliver Adversary Emulation Framework @@ -49,6 +56,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/sliver/sliver_windows-system.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/sliver/sliver_windows-system.log source: XmlWinEventLog:System - sourcetype: XmlWinEventLog \ No newline at end of file + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_service_create_with_tscon.yml b/detections/endpoint/windows_service_create_with_tscon.yml index 0caef89aa7..2c3e6c81a1 100644 --- a/detections/endpoint/windows_service_create_with_tscon.yml +++ b/detections/endpoint/windows_service_create_with_tscon.yml @@ -1,21 +1,20 @@ name: Windows Service Create with Tscon id: c13b3d74-6b63-4db5-a841-4206f0370077 -version: 1 -date: '2023-03-29' +version: 2 +date: '2024-05-30' author: Michael Haag, Splunk type: TTP status: production data_source: - Sysmon EventID 1 -description: The following analytic detects potential RDP Hijacking attempts by monitoring - a series of actions taken by an attacker to gain unauthorized access to a remote - system. The attacker first runs the quser command to query the remote host for disconnected - user sessions. Upon identifying a disconnected session, they use the sc.exe command - to create a new Windows service with a binary path that launches tscon.exe. By specifying - the disconnected session ID and a destination ID, the attacker can transfer the - disconnected session to a new RDP session, effectively hijacking the user's session. - This analytic allows security teams to detect and respond to RDP Hijacking attempts, - mitigating potential risks and impacts on targeted systems. +description: The following analytic detects potential RDP Hijacking attempts by identifying + the creation of a Windows service using sc.exe with a binary path that includes + tscon.exe. This detection leverages data from Endpoint Detection and Response (EDR) + agents, focusing on process creation events and command-line arguments. This activity + is significant as it indicates an attacker may be trying to hijack a disconnected + RDP session, posing a risk of unauthorized access. If confirmed malicious, the attacker + could gain control over an existing user session, leading to potential data theft + or further system compromise. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=sc.exe Processes.process="*/dest:rdp-tcp*" by Processes.dest Processes.user Processes.parent_process_name @@ -96,6 +95,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1563.002/rdphijack/tscon_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1563.002/rdphijack/tscon_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_service_created_with_suspicious_service_path.yml b/detections/endpoint/windows_service_created_with_suspicious_service_path.yml index abc1cb847c..b3f638846a 100644 --- a/detections/endpoint/windows_service_created_with_suspicious_service_path.yml +++ b/detections/endpoint/windows_service_created_with_suspicious_service_path.yml @@ -1,20 +1,22 @@ name: Windows Service Created with Suspicious Service Path id: 429141be-8311-11eb-adb6-acde48001122 -version: 4 -date: '2024-04-26' +version: 5 +date: '2024-05-21' author: Teoderick Contreras, Mauricio Velazco, Splunk status: production type: TTP -description: The following analytics uses Windows Event Id 7045, `New Service Was - Installed`, to identify the creation of a Windows Service where the service binary - path path is located in a non-common Service folder in Windows. Red Teams and adversaries - alike may create malicious Services for lateral movement or remote code execution - as well as persistence and execution. The Clop ransomware has also been seen in - the wild abusing Windows services. +description: The following analytic detects the creation of a Windows Service with + a binary path located in uncommon directories, using Windows Event ID 7045. It leverages + logs from the `wineventlog_system` to identify services installed outside typical + system directories. This activity is significant as adversaries, including those + deploying Clop ransomware, often create malicious services for lateral movement, + remote code execution, persistence, and execution. If confirmed malicious, this + could allow attackers to maintain persistence, execute arbitrary code, and potentially + escalate privileges, posing a severe threat to the environment. data_source: - Windows Event Log System 7045 -search: ' `wineventlog_system` EventCode=7045 ImagePath = "*.exe" NOT (ImagePath - IN ("*:\\Windows\\*", "*:\\Program File*", "*:\\Programdata\\*", "*%systemroot%\\*")) +search: ' `wineventlog_system` EventCode=7045 ImagePath = "*.exe" NOT (ImagePath IN + ("*:\\Windows\\*", "*:\\Program File*", "*:\\Programdata\\*", "*%systemroot%\\*")) | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ImagePath ServiceName ServiceType StartType Computer UserID | rename Computer as dest| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_created_with_suspicious_service_path_filter`' @@ -39,7 +41,8 @@ tags: asset_type: Endpoint confidence: 80 impact: 70 - message: A service $ImagePath$ was created from a non-standard path using $ServiceName$ on $dest$ + message: A service $ImagePath$ was created from a non-standard path using $ServiceName$ + on $dest$ mitre_attack_id: - T1569 - T1569.002 @@ -69,6 +72,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569.002/windows_service_created_with_suspicious_service_path/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569.002/windows_service_created_with_suspicious_service_path/windows-xml.log source: XmlWinEventLog:System sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_service_created_within_public_path.yml b/detections/endpoint/windows_service_created_within_public_path.yml index ea0aaff2e6..6992ebaa34 100644 --- a/detections/endpoint/windows_service_created_within_public_path.yml +++ b/detections/endpoint/windows_service_created_within_public_path.yml @@ -1,19 +1,22 @@ name: Windows Service Created Within Public Path id: 3abb2eda-4bb8-11ec-9ae4-3e22fbd008af -version: 2 -date: '2024-04-26' +version: 3 +date: '2024-05-15' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytc uses Windows Event Id 7045, `New Service Was Installed`, - to identify the creation of a Windows Service where the service binary path is located - in public paths. This behavior could represent the installation of a malicious service. - Red Teams and adversaries alike may create malicious Services for lateral movement - or remote code execution +description: The following analytic detects the creation of a Windows Service with + its binary path located in public directories using Windows Event ID 7045. This + detection leverages logs from the `wineventlog_system` data source, focusing on + the `ImagePath` field to identify services installed outside standard system directories. + This activity is significant as it may indicate the installation of a malicious + service, often used by adversaries for lateral movement or remote code execution. + If confirmed malicious, this could allow attackers to execute arbitrary code, maintain + persistence, or further compromise the system. data_source: - Windows Event Log System 7045 -search: '`wineventlog_system` EventCode=7045 ImagePath = "*.exe" NOT (ImagePath - IN ("*:\\Windows\\*", "*:\\Program File*", "*:\\Programdata\\*", "*%systemroot%\\*")) +search: '`wineventlog_system` EventCode=7045 ImagePath = "*.exe" NOT (ImagePath IN + ("*:\\Windows\\*", "*:\\Program File*", "*:\\Programdata\\*", "*%systemroot%\\*")) | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ImagePath ServiceName ServiceType StartType Computer UserID | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_created_within_public_path_filter`' @@ -32,8 +35,7 @@ tags: asset_type: Endpoint confidence: 60 impact: 90 - message: A Windows Service $ServiceName$ with a public path was created on - $dest$ + message: A Windows Service $ServiceName$ with a public path was created on $dest$ mitre_attack_id: - T1543 - T1543.003 @@ -62,6 +64,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569.002/windows_service_created_with_suspicious_service_path/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569.002/windows_service_created_with_suspicious_service_path/windows-xml.log source: XmlWinEventLog:System sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_service_creation_on_remote_endpoint.yml b/detections/endpoint/windows_service_creation_on_remote_endpoint.yml index be63ca9c64..a2742671f3 100644 --- a/detections/endpoint/windows_service_creation_on_remote_endpoint.yml +++ b/detections/endpoint/windows_service_creation_on_remote_endpoint.yml @@ -1,14 +1,18 @@ name: Windows Service Creation on Remote Endpoint id: e0eea4fa-4274-11ec-882b-3e22fbd008af -version: 1 -date: '2021-11-10' +version: 2 +date: '2024-05-21' author: Mauricio Velazco, Splunk status: production type: TTP -description: This analytic looks for the execution of `sc.exe` with command-line arguments - utilized to create a Windows Service on a remote endpoint. Red Teams and adversaries - alike may abuse the Service Control Manager for lateral movement and remote code - execution. +description: The following analytic identifies the creation of a Windows Service on + a remote endpoint using `sc.exe`. It detects this activity by analyzing process + execution logs from Endpoint Detection and Response (EDR) agents, focusing on command-line + arguments that include remote paths and service creation commands. This behavior + is significant because adversaries often exploit the Service Control Manager for + lateral movement and remote code execution. If confirmed malicious, this activity + could allow attackers to execute arbitrary code on remote systems, potentially leading + to further compromise and persistence within the network. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -71,6 +75,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/lateral_movement/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/lateral_movement/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_service_creation_using_registry_entry.yml b/detections/endpoint/windows_service_creation_using_registry_entry.yml index f814c81be8..642788bb65 100644 --- a/detections/endpoint/windows_service_creation_using_registry_entry.yml +++ b/detections/endpoint/windows_service_creation_using_registry_entry.yml @@ -1,23 +1,17 @@ name: Windows Service Creation Using Registry Entry id: 25212358-948e-11ec-ad47-acde48001122 -version: 3 -date: '2023-04-27' +version: 4 +date: '2024-05-30' author: Steven Dick, Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects when reg.exe modify registry keys that - define Windows services and their configurations in Windows to detect potential - threats earlier and mitigate the risks. This detection is made by a Splunk query - that searches for specific keywords in the process name, parent process name, user, - and process ID. This detection is important because it suggests that an attacker - has modified the registry keys that define Windows services and their configurations, - which can allow them to maintain access to the system and potentially move laterally - within the network. It is a common technique used by attackers to gain persistence - on a compromised system and its impact can lead to data theft, ransomware, or other - damaging outcomes. False positives can occur since legitimate uses of reg.exe to - modify registry keys for Windows services can also trigger this alert. Next steps - include reviewing the process and user context of the reg.exe activity and identify - any other concurrent processes that might be associated with the attack upon triage. +description: The following analytic detects the modification of registry keys that + define Windows services using reg.exe. This detection leverages Splunk to search + for specific keywords in the registry path, value name, and value data fields. This + activity is significant because it indicates potential unauthorized changes to service + configurations, a common persistence technique used by attackers. If confirmed malicious, + this could allow an attacker to maintain access, escalate privileges, or move laterally + within the network, leading to data theft, ransomware, or other damaging outcomes. data_source: - Sysmon EventID 12 - Sysmon EventID 13 @@ -73,6 +67,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.011/change_registry_path_service/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.011/change_registry_path_service/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_service_initiation_on_remote_endpoint.yml b/detections/endpoint/windows_service_initiation_on_remote_endpoint.yml index efa85b2b60..2aa32d5e0e 100644 --- a/detections/endpoint/windows_service_initiation_on_remote_endpoint.yml +++ b/detections/endpoint/windows_service_initiation_on_remote_endpoint.yml @@ -1,14 +1,17 @@ name: Windows Service Initiation on Remote Endpoint id: 3f519894-4276-11ec-ab02-3e22fbd008af -version: 1 -date: '2021-11-10' +version: 2 +date: '2024-05-10' author: Mauricio Velazco, Splunk status: production type: TTP -description: This analytic looks for the execution of `sc.exe` with command-line arguments - utilized to start a Windows Service on a remote endpoint. Red Teams and adversaries - alike may abuse the Service Control Manager for lateral movement and remote code - execution. +description: The following analytic detects the execution of `sc.exe` with command-line + arguments used to start a Windows Service on a remote endpoint. It leverages data + from Endpoint Detection and Response (EDR) agents, focusing on process names and + command-line executions. This activity is significant because adversaries may exploit + the Service Control Manager for lateral movement and remote code execution. If confirmed + malicious, this could allow attackers to execute arbitrary code on remote systems, + potentially leading to further compromise and persistence within the network. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -69,6 +72,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/lateral_movement/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/lateral_movement/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_service_stop_by_deletion.yml b/detections/endpoint/windows_service_stop_by_deletion.yml index cfb19f012b..e2d4305a69 100644 --- a/detections/endpoint/windows_service_stop_by_deletion.yml +++ b/detections/endpoint/windows_service_stop_by_deletion.yml @@ -1,15 +1,18 @@ name: Windows Service Stop By Deletion id: 196ff536-58d9-4d1b-9686-b176b04e430b -version: 1 -date: '2023-06-13' +version: 2 +date: '2024-05-16' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic identifies Windows Service Control, `sc.exe`, - attempting to delete a service. This is typically identified in parallel with other - instances of service enumeration of attempts to stop a service and then delete it. - Adversaries utilize this technique to terminate security services or other related - services to continue there objective and evade detections. +description: The following analytic detects the use of `sc.exe` to delete a Windows + service. It leverages Endpoint Detection and Response (EDR) data, focusing on process + execution logs that capture command-line arguments. This activity is significant + because adversaries often delete services to disable security mechanisms or critical + system functions, aiding in evasion and persistence. If confirmed malicious, this + action could lead to the termination of essential security services, allowing attackers + to operate undetected and potentially escalate their privileges or maintain long-term + access to the compromised system. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` values(Processes.process) as process @@ -69,7 +72,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_service_stop_via_net__and_sc_application.yml b/detections/endpoint/windows_service_stop_via_net__and_sc_application.yml index 9fe2b2484f..3043128ae5 100644 --- a/detections/endpoint/windows_service_stop_via_net__and_sc_application.yml +++ b/detections/endpoint/windows_service_stop_via_net__and_sc_application.yml @@ -1,15 +1,17 @@ name: Windows Service Stop Via Net and SC Application id: 827af04b-0d08-479b-9b84-b7d4644e4b80 -version: 1 -date: '2023-06-13' +version: 2 +date: '2024-05-16' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This analytic identifies suspicious attempts to stop services on a system - using either `net.exe` or `sc.exe`. This technique is used by adversaries to terminate - security services or other related services to continue their objective and evade - detections. This technique is also commonly used by ransomware threat actors to - successfully encrypt databases or files being processed or used by Windows OS Services. +description: The following analytic identifies attempts to stop services on a system + using `net.exe` or `sc.exe`. It leverages data from Endpoint Detection and Response + (EDR) agents, focusing on process names, GUIDs, and command-line executions. This + activity is significant as adversaries often terminate security or critical services + to evade detection and further their objectives. If confirmed malicious, this behavior + could allow attackers to disable security defenses, facilitate ransomware encryption, + or disrupt essential services, leading to potential data loss or system compromise. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -69,7 +71,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/prestige_ransomware/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/prestige_ransomware/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_service_stop_win_updates.yml b/detections/endpoint/windows_service_stop_win_updates.yml index 59025b7c1d..e8ec84f55b 100644 --- a/detections/endpoint/windows_service_stop_win_updates.yml +++ b/detections/endpoint/windows_service_stop_win_updates.yml @@ -1,18 +1,20 @@ name: Windows Service Stop Win Updates id: 0dc25c24-6fcf-456f-b08b-dd55a183e4de -version: 1 -date: '2023-12-27' +version: 2 +date: '2024-05-20' author: Teoderick Contreras, Splunk status: production type: Anomaly data_source: - Windows Event Log System 7040 -description: The following analytic identifies a windows update service being disabled - in Windows OS. This technique is being abused by adversaries or threat actors to - add defense mechanisms to their malware implant in the targeted host. Disabling - windows update will put the compromised host vulnerable in some zero day exploit - or even some update features against threats. RedLine Stealer kills this service - as part of its defense evasion mechanism. +description: The following analytic detects the disabling of Windows Update services, + such as "Update Orchestrator Service for Windows Update," "WaaSMedicSvc," and "Windows + Update." It leverages Windows System Event ID 7040 logs to identify changes in service + start modes to 'disabled.' This activity is significant as it can indicate an adversary's + attempt to evade defenses by preventing critical updates, leaving the system vulnerable + to exploits. If confirmed malicious, this could allow attackers to maintain persistence + and exploit unpatched vulnerabilities, compromising the integrity and security of + the affected host. search: '`wineventlog_system` EventCode=7040 (service_name IN ("Update Orchestrator Service for Windows Update", "WaaSMedicSvc", "Windows Update") OR param1 IN ("UsoSvc", "WaaSMedicSvc", "wuauserv")) AND (param3=disabled OR start_mode = disabled) | stats @@ -61,6 +63,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/win_update_services_stop/system.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/win_update_services_stop/system.log source: XmlWinEventLog:System sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_sip_provider_inventory.yml b/detections/endpoint/windows_sip_provider_inventory.yml index 978ea8e15a..95fd394161 100644 --- a/detections/endpoint/windows_sip_provider_inventory.yml +++ b/detections/endpoint/windows_sip_provider_inventory.yml @@ -1,15 +1,26 @@ name: Windows SIP Provider Inventory id: 21c5af91-1a4a-4511-8603-64fb41df3fad -version: 1 -date: '2023-10-10' +version: 2 +date: '2024-05-09' author: Michael Haag, Splunk status: production type: Hunting data_source: [] -description: The following inventory analytic is used with a PowerShell scripted inputs to capture all SIP providers on a Windows system. This analytic is used to identify potential malicious SIP providers that may be used to subvert trust controls. Upon review, look for new and non-standard paths for SIP providers. -search: '`subjectinterfacepackage` Dll=*\\*.dll | stats count min(_time) as firstTime max(_time) as lastTime values(Dll) by Path host| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_sip_provider_inventory_filter`' -how_to_implement: To implement this analytic, one must first perform inventory using a scripted inputs. Review the following Gist - https://gist.github.com/MHaggis/75dd5db546c143ea67703d0e86cdbbd1 -known_false_positives: False positives are limited as this is a hunting query for inventory. +description: The following analytic identifies all SIP (Subject Interface Package) + providers on a Windows system using PowerShell scripted inputs. It detects SIP providers + by capturing DLL paths from relevant events. This activity is significant because + malicious SIP providers can be used to bypass trust controls, potentially allowing + unauthorized code execution. If confirmed malicious, this activity could enable + attackers to subvert system integrity, leading to unauthorized access or persistent + threats within the environment. Analysts should review for new and non-standard + paths to identify potential threats. +search: '`subjectinterfacepackage` Dll=*\\*.dll | stats count min(_time) as firstTime + max(_time) as lastTime values(Dll) by Path host| `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`| `windows_sip_provider_inventory_filter`' +how_to_implement: To implement this analytic, one must first perform inventory using + a scripted inputs. Review the following Gist - https://gist.github.com/MHaggis/75dd5db546c143ea67703d0e86cdbbd1 +known_false_positives: False positives are limited as this is a hunting query for + inventory. references: - https://gist.github.com/MHaggis/75dd5db546c143ea67703d0e86cdbbd1 tags: @@ -19,7 +30,8 @@ tags: atomic_guid: [] confidence: 50 impact: 50 - message: A list of SIP providers on the system is available. Review for new and non-standard paths for SIP providers on $host$. + message: A list of SIP providers on the system is available. Review for new and + non-standard paths for SIP providers on $host$. mitre_attack_id: - T1553.003 observable: @@ -40,6 +52,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.003/sip/sip_inventory.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.003/sip/sip_inventory.log source: powershell://SubjectInterfacePackage sourcetype: PwSh:SubjectInterfacePackage diff --git a/detections/endpoint/windows_sip_winverifytrust_failed_trust_validation.yml b/detections/endpoint/windows_sip_winverifytrust_failed_trust_validation.yml index 12eb793380..274d7a84c2 100644 --- a/detections/endpoint/windows_sip_winverifytrust_failed_trust_validation.yml +++ b/detections/endpoint/windows_sip_winverifytrust_failed_trust_validation.yml @@ -1,25 +1,35 @@ name: Windows SIP WinVerifyTrust Failed Trust Validation id: 6ffc7f88-415b-4278-a80d-b957d6539e1a -version: 1 -date: '2023-10-10' +version: 2 +date: '2024-05-13' author: Michael Haag, Splunk status: production type: Anomaly data_source: - Windows Event Log CAPI2 81 -description: The following analytic utilizes a Windows Event Log - CAPI2 - or CryptoAPI 2, to identify failed trust validation. Typically, this event log is meant for diagnosing PKI issues, however is a great source to identify failed trust validation. Note that this event log is noisy as it captures common PKI requests from many different processes. EventID 81 is generated anytime a trust validation fails. The description for EventID 81 is "The digital signature of the object did not verify." STRT tested this analytic using Mimikatz binary. -search: '`capi2_operational` EventID=81 "The digital signature of the object did not verify." | xmlkv UserData_Xml | stats count min(_time) as firstTime max(_time) as lastTime by Computer, UserData_Xml | rename Computer as dest | `windows_sip_winverifytrust_failed_trust_validation_filter`' +description: The following analytic detects failed trust validation attempts using + Windows Event Log - CAPI2 (CryptoAPI 2). It specifically triggers on EventID 81, + which indicates that "The digital signature of the object did not verify." This + detection leverages the CAPI2 Operational log to identify instances where digital + signatures fail to validate. Monitoring this activity is crucial as it can indicate + attempts to execute untrusted or potentially malicious binaries. If confirmed malicious, + this activity could allow attackers to bypass security controls and execute unauthorized + code, leading to potential system compromise. +search: '`capi2_operational` EventID=81 "The digital signature of the object did not + verify." | xmlkv UserData_Xml | stats count min(_time) as firstTime max(_time) as + lastTime by Computer, UserData_Xml | rename Computer as dest | `windows_sip_winverifytrust_failed_trust_validation_filter`' how_to_implement: To implement this analytic, one will need to enable the Microsoft-Windows-CAPI2/Operational log within the Windows Event Log. Note this is a debug log for many purposes, and the analytic only focuses in on EventID 81. Review the following gist for additional enabling information. -known_false_positives: False positives may be present in some instances of legitimate binaries with invalid signatures. Filter as needed. +known_false_positives: False positives may be present in some instances of legitimate + binaries with invalid signatures. Filter as needed. references: - - https://attack.mitre.org/techniques/T1553/003/ - - https://specterops.io/wp-content/uploads/sites/3/2022/06/SpecterOps_Subverting_Trust_in_Windows.pdf - - https://github.com/gtworek/PSBits/tree/master/SIP - - https://github.com/mattifestation/PoCSubjectInterfacePackage - - https://pentestlab.blog/2017/11/06/hijacking-digital-signatures/ +- https://attack.mitre.org/techniques/T1553/003/ +- https://specterops.io/wp-content/uploads/sites/3/2022/06/SpecterOps_Subverting_Trust_in_Windows.pdf +- https://github.com/gtworek/PSBits/tree/master/SIP +- https://github.com/mattifestation/PoCSubjectInterfacePackage +- https://pentestlab.blog/2017/11/06/hijacking-digital-signatures/ tags: analytic_story: - Subvert Trust Controls SIP and Trust Provider Hijacking @@ -48,6 +58,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.003/sip/capi2-operational.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.003/sip/capi2-operational.log source: XmlWinEventLog:Microsoft-Windows-CAPI2/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_snake_malware_kernel_driver_comadmin.yml b/detections/endpoint/windows_snake_malware_kernel_driver_comadmin.yml index 954b187ee7..346e20826c 100644 --- a/detections/endpoint/windows_snake_malware_kernel_driver_comadmin.yml +++ b/detections/endpoint/windows_snake_malware_kernel_driver_comadmin.yml @@ -1,19 +1,30 @@ name: Windows Snake Malware Kernel Driver Comadmin id: 628d9c7c-3242-43b5-9620-7234c080a726 -version: 1 -date: '2023-05-11' +version: 2 +date: '2024-05-20' author: Michael Haag, Splunk status: production type: TTP data_source: - Sysmon EventID 11 -description: 'The following analytic identifies the comadmin.dat file written to disk, which is related to Snake Malware. From the report, Snakes installer drops the kernel driver and a custom DLL which is used to load the driver into a - single AES encrypted file on disk. Typically, this file is named comadmin.dat and is stored in the %windows%\system32\Com directory.' +description: 'The following analytic detects the creation of the comadmin.dat file + in the %windows%\system32\Com directory, which is associated with Snake Malware. + This detection leverages the Endpoint.Filesystem data model to identify file creation + events matching the specified path and filename. This activity is significant because + the comadmin.dat file is part of Snake Malware''s installation process, which includes + dropping a kernel driver and a custom DLL. If confirmed malicious, this activity + could allow an attacker to load a malicious driver, potentially leading to privilege + escalation and persistent access to the compromised system.' search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_path="*\\windows\\system32\\com\\*" AND Filesystem.file_name="comadmin.dat" by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name + as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_path="*\\windows\\system32\\com\\*" + AND Filesystem.file_name="comadmin.dat" by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_snake_malware_kernel_driver_comadmin_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, + confirm the latest CIM App 4.20 or higher is installed and the latest TA for the + endpoint product. known_false_positives: False positives may be present, filter as needed. references: - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF @@ -25,7 +36,8 @@ tags: - e5cb5564-cc7b-4050-86e8-f2d9eec1941f confidence: 80 impact: 70 - message: A kernel driver comadmin.dat related to Snake Malware was written to disk on $dest$. + message: A kernel driver comadmin.dat related to Snake Malware was written to disk + on $dest$. mitre_attack_id: - T1547.006 observable: @@ -40,15 +52,16 @@ tags: risk_score: 56 required_fields: - _time - - Filesystem.file_create_time - - Filesystem.process_id + - Filesystem.file_create_time + - Filesystem.process_id - Filesystem.file_name - - Filesystem.file_path + - Filesystem.file_path - Filesystem.dest security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/snakemalware/comadmin_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/snakemalware/comadmin_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_snake_malware_registry_modification_wav_openwithprogids.yml b/detections/endpoint/windows_snake_malware_registry_modification_wav_openwithprogids.yml index f267585fee..02ac75ad3a 100644 --- a/detections/endpoint/windows_snake_malware_registry_modification_wav_openwithprogids.yml +++ b/detections/endpoint/windows_snake_malware_registry_modification_wav_openwithprogids.yml @@ -1,22 +1,34 @@ name: Windows Snake Malware Registry Modification wav OpenWithProgIds id: 13cf8b79-805d-443c-bf52-f55bd7610dfd -version: 1 -date: '2023-05-10' +version: 2 +date: '2024-05-13' author: Michael Haag, Splunk status: production type: TTP data_source: - Sysmon EventID 12 - Sysmon EventID 13 -description: The follow analytic identifies the registry being modified at .wav\\OpenWithProgIds\, which is related to the Snake Malware campaign. Upon execution, Snake's WerFault.exe will attempt to decrypt an encrypted blob within the Windows - registry that is typically found at HKLM:\SOFTWARE\Classes\.wav\OpenWithProgIds. The encrypted data includes the AES key, IV, and path that is used to find and decrypt the file containing Snake's kernel driver and kernel driver loader. +description: The following analytic identifies modifications to the registry path + .wav\\OpenWithProgIds, associated with the Snake Malware campaign. It leverages + data from the Endpoint.Registry datamodel to detect changes in this specific registry + location. This activity is significant because Snake's WerFault.exe uses this registry + path to decrypt an encrypted blob containing critical components like the AES key, + IV, and paths for its kernel driver and loader. If confirmed malicious, this could + allow the attacker to load and execute Snake's kernel driver, leading to potential + system compromise and persistent access. search: '| tstats `security_content_summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) - as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\.wav\\OpenWithProgIds\\*" by Registry.dest Registry.user - Registry.registry_path Registry.registry_key_name Registry.registry_value_name | - `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `windows_snake_malware_registry_modification_wav_openwithprogids_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -known_false_positives: False positives may be present and will require tuning based on program Ids in large organizations. + as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\.wav\\OpenWithProgIds\\*" by + Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name + | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` + | `windows_snake_malware_registry_modification_wav_openwithprogids_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, + confirm the latest CIM App 4.20 or higher is installed and the latest TA for the + endpoint product. +known_false_positives: False positives may be present and will require tuning based + on program Ids in large organizations. references: - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF tags: @@ -27,7 +39,8 @@ tags: - 8318ad20-0488-4a64-98f4-72525a012f6b confidence: 50 impact: 50 - message: A registry modification related to Snake Malware has been identified on $dest$. + message: A registry modification related to Snake Malware has been identified on + $dest$. mitre_attack_id: - T1112 observable: @@ -44,13 +57,14 @@ tags: - _time - Registry.dest - Registry.user - - Registry.registry_path - - Registry.registry_key_name + - Registry.registry_path + - Registry.registry_key_name - Registry.registry_value_name security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/snakemalware/snake_malware_regblob-windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/snakemalware/snake_malware_regblob-windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_snake_malware_service_create.yml b/detections/endpoint/windows_snake_malware_service_create.yml index ec8fd2787b..a256f60b75 100644 --- a/detections/endpoint/windows_snake_malware_service_create.yml +++ b/detections/endpoint/windows_snake_malware_service_create.yml @@ -1,22 +1,29 @@ name: Windows Snake Malware Service Create id: 64eb091f-8cab-4b41-9b09-8fb4942377df -version: 1 -date: '2023-05-11' +version: 2 +date: '2024-05-13' author: Michael Haag, Splunk status: production type: TTP data_source: - Windows Event Log System 7045 -description: 'The following analytic identifies a new service WerFaultSvc being created with a binary path located in the windows winsxs path. Per the report, the Snake version primarily discussed in this advisory registers a service to maintain persistence on a system. Typically this service is named WerFaultSvc which we assess was used to blend in with the legitimate Windows service WerSvc. On boot, this service will execute Snakes WerFault.exe, - which Snake developers chose to hide among the numerous valid Windows WerFault.exe files in the windows WinSxS directory. Executing WerFault.exe will start the process of decrypting Snakes components and loading them into memory.' +description: 'The following analytic detects the creation of a new service named WerFaultSvc + with a binary path in the Windows WinSxS directory. It leverages Windows System + logs, specifically EventCode 7045, to identify this activity. This behavior is significant + because it indicates the presence of Snake malware, which uses this service to maintain + persistence by blending in with legitimate Windows services. If confirmed malicious, + this activity could allow an attacker to execute Snake malware components, leading + to potential data exfiltration, system compromise, and long-term persistence within + the environment.' search: '`wineventlog_system` EventCode=7045 ImagePath="*\\windows\\winSxS\\*" ImagePath="*\Werfault.exe" - | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ImagePath ServiceName ServiceType | rename Computer as dest - | `security_content_ctime(firstTime)` + | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode + ImagePath ServiceName ServiceType | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_snake_malware_service_create_filter`' how_to_implement: To successfully implement this search, you need to be ingesting Windows System logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints. -known_false_positives: False positives should be limited as this is a strict primary indicator used by Snake Malware. +known_false_positives: False positives should be limited as this is a strict primary + indicator used by Snake Malware. references: - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF tags: @@ -54,7 +61,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/snakemalware/snake-service-windows-system.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/snakemalware/snake-service-windows-system.log source: XmlWinEventLog:System sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_soaphound_binary_execution.yml b/detections/endpoint/windows_soaphound_binary_execution.yml index c092021897..072c606580 100644 --- a/detections/endpoint/windows_soaphound_binary_execution.yml +++ b/detections/endpoint/windows_soaphound_binary_execution.yml @@ -1,21 +1,30 @@ name: Windows SOAPHound Binary Execution id: 8e53f839-e127-4d6d-a54d-a2f67044a57f -version: 2 -date: '2024-03-14' +version: 3 +date: '2024-05-21' author: Michael Haag, Splunk status: production type: TTP data_source: - Sysmon EventID 1 -description: The following analytic identifies the common command-line argument used - by SOAPHound `soaphound.exe`. Being the script is publicly available, function names may be modified, - but these changes are dependent upon the operator. In most instances the defaults - are used. - It does not cover the entirety of every argument in order to avoid false positives. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name="soaphound.exe" OR Processes.original_file_name="soaphound.exe" AND Processes.process IN ("*--buildcache *", "*--bhdump *", "*--certdump *", "*--dnsdump *", "*-c *", "*--cachefilename *", "*-o *", "*--outputdirectory *") by Processes.process Processes.dest Processes.process_current_directory Processes.process_name Processes.process_path Processes.process_integrity_level Processes.parent_process Processes.parent_process_path Processes.parent_process_guid Processes.parent_process_id Processes.process_guid Processes.process_id Processes.user - | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)`| `windows_soaphound_binary_execution_filter`' +description: The following analytic detects the execution of the SOAPHound binary + (`soaphound.exe`) with specific command-line arguments. It leverages data from Endpoint + Detection and Response (EDR) agents, focusing on process names, command-line arguments, + and other process-related metadata. This activity is significant because SOAPHound + is a known tool used for credential dumping and other malicious activities. If confirmed + malicious, this behavior could allow an attacker to extract sensitive information, + escalate privileges, or persist within the environment, posing a severe threat to + organizational security. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name="soaphound.exe" + OR Processes.original_file_name="soaphound.exe" AND Processes.process IN ("*--buildcache + *", "*--bhdump *", "*--certdump *", "*--dnsdump *", "*-c *", "*--cachefilename *", + "*-o *", "*--outputdirectory *") by Processes.process Processes.dest Processes.process_current_directory + Processes.process_name Processes.process_path Processes.process_integrity_level + Processes.parent_process Processes.parent_process_path Processes.parent_process_guid + Processes.parent_process_id Processes.process_guid Processes.process_id Processes.user + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| + `windows_soaphound_binary_execution_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -77,6 +86,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/soaphound/sysmon_soaphound.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/soaphound/sysmon_soaphound.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_spearphishing_attachment_connect_to_none_ms_office_domain.yml b/detections/endpoint/windows_spearphishing_attachment_connect_to_none_ms_office_domain.yml index 5eff1eeef3..ce4cd751bd 100644 --- a/detections/endpoint/windows_spearphishing_attachment_connect_to_none_ms_office_domain.yml +++ b/detections/endpoint/windows_spearphishing_attachment_connect_to_none_ms_office_domain.yml @@ -1,16 +1,17 @@ name: Windows Spearphishing Attachment Connect To None MS Office Domain id: 1cb40e15-cffa-45cc-abbd-e35884a49766 -version: 2 -date: '2023-02-15' +version: 3 +date: '2024-05-23' author: Teoderick Contreras, Splunk status: production type: Hunting -description: this detection was designed to identifies suspicious office documents - that connect to a website aside from Microsoft Office Domain. This technique was - seen in several malicious documents that abuses .rels xml properties of MS office - to connect or download malicious files. This hunting query can be a good pivot or - guide to check what URL link it tries to connect, what domain, where the documents - came from and how the connection happens. +description: The following analytic identifies suspicious Office documents that connect + to non-Microsoft Office domains. It leverages Sysmon EventCode 22 to detect processes + like winword.exe or excel.exe making DNS queries to domains outside of *.office.com + or *.office.net. This activity is significant as it may indicate a spearphishing + attempt using malicious documents to download or connect to harmful content. If + confirmed malicious, this could lead to unauthorized data access, malware infection, + or further network compromise. data_source: - Sysmon EventID 22 search: '`sysmon` EventCode=22 Image IN ("*\\winword.exe","*\\excel.exe","*\\powerpnt.exe","*\\mspub.exe","*\\visio.exe","*\\wordpad.exe","*\\wordview.exe","*\\onenote.exe", @@ -61,7 +62,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/office_doc_abuses_rels/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/office_doc_abuses_rels/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_spearphishing_attachment_onenote_spawn_mshta.yml b/detections/endpoint/windows_spearphishing_attachment_onenote_spawn_mshta.yml index 44a398b023..9c851dbfd0 100644 --- a/detections/endpoint/windows_spearphishing_attachment_onenote_spawn_mshta.yml +++ b/detections/endpoint/windows_spearphishing_attachment_onenote_spawn_mshta.yml @@ -1,27 +1,25 @@ name: Windows Spearphishing Attachment Onenote Spawn Mshta id: 35aeb0e7-7de5-444a-ac45-24d6788796ec -version: 1 -date: '2023-01-24' +version: 2 +date: '2024-05-28' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following detection identifies the latest behavior utilized by different - malware families (including TA551, AsyncRat, Redline and DCRAT). This detection - identifies onenote Office Product spawning `mshta.exe`. In malicious instances, - the command-line of `mshta.exe` will contain the `hta` file locally, or a URL to - the remote destination. In addition, Threat Research has released a detections identifying - suspicious use of `mshta.exe`. In this instance, we narrow our detection down to - the Office suite as a parent process. During triage, review all file modifications. - Capture and analyze any artifacts on disk. The Office Product, or `mshta.exe` will - have reached out to a remote destination, capture and block the IPs or domain. Review - additional parallel processes for further activity. +description: The following analytic detects OneNote spawning `mshta.exe`, a behavior + often associated with spearphishing attacks. It leverages data from Endpoint Detection + and Response (EDR) agents, focusing on process creation events where OneNote is + the parent process. This activity is significant as it is commonly used by malware + families like TA551, AsyncRat, Redline, and DCRAT to execute malicious scripts. + If confirmed malicious, this could allow attackers to execute arbitrary code, potentially + leading to data exfiltration, system compromise, or further malware deployment. + Immediate investigation and containment are recommended. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name - IN ("onenote.exe", "onenotem.exe") `process_mshta` by Processes.dest Processes.user Processes.parent_process_name - Processes.parent_process Processes.process_name Processes.original_file_name Processes.process - Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + IN ("onenote.exe", "onenotem.exe") `process_mshta` by Processes.dest Processes.user + Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name + Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_spearphishing_attachment_onenote_spawn_mshta_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related @@ -79,7 +77,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/onenote_spear_phishing/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/onenote_spear_phishing/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_special_privileged_logon_on_multiple_hosts.yml b/detections/endpoint/windows_special_privileged_logon_on_multiple_hosts.yml index d4432b6f0c..ebdfcb4170 100644 --- a/detections/endpoint/windows_special_privileged_logon_on_multiple_hosts.yml +++ b/detections/endpoint/windows_special_privileged_logon_on_multiple_hosts.yml @@ -1,25 +1,25 @@ name: Windows Special Privileged Logon On Multiple Hosts id: 4c461f5a-c2cc-4e86-b132-c262fc9edca7 -version: 2 -date: '2023-11-07' +version: 3 +date: '2024-05-24' author: Mauricio Velazco, Splunk type: TTP status: production data_source: - Windows Event Log Security 4672 -description: The following analytic leverages Event ID 4672 to identify a source user - authenticating with special privileges across a large number remote endpoints. Specifically, - the logic will trigger when a source user obtains special privileges across 30 or - more target computers within a 5 minute timespan. Special privileges are assigned - to a new logon session when sensitive privileges like SeDebugPrivilege and SeImpersonatePrivilege - are assigned. This behavior could represent an adversary who is moving laterally - and executing remote code across the network. It can also be triggered by other - behavior like an adversary enumerating network shares. As environments differ across - organizations, security teams should customize the thresholds of this detection - as needed. -search: ' `wineventlog_security` EventCode=4672 AND NOT(Caller_User_Name IN ("DWM-1","DWM-2","DWM-3","LOCAL SERVICE","NETWORK SERVICE","SYSTEM","*$")) | bucket span=5m _time | stats dc(Computer) - AS unique_targets values(Computer) as dest values(PrivilegeList) as privileges - by _time, Caller_User_Name | rename Caller_User_Name as user| where unique_targets > 30 | `windows_special_privileged_logon_on_multiple_hosts_filter`' +description: The following analytic detects a user authenticating with special privileges + on 30 or more remote endpoints within a 5-minute window. It leverages Event ID 4672 + from Windows Security logs to identify this behavior. This activity is significant + as it may indicate lateral movement or remote code execution by an adversary. If + confirmed malicious, the attacker could gain extensive control over the network, + potentially leading to privilege escalation, data exfiltration, or further compromise + of the environment. Security teams should adjust detection thresholds based on their + specific environment. +search: ' `wineventlog_security` EventCode=4672 AND NOT(Caller_User_Name IN ("DWM-1","DWM-2","DWM-3","LOCAL + SERVICE","NETWORK SERVICE","SYSTEM","*$")) | bucket span=5m _time | stats dc(Computer) + AS unique_targets values(Computer) as dest values(PrivilegeList) as privileges by + _time, Caller_User_Name | rename Caller_User_Name as user| where unique_targets + > 30 | `windows_special_privileged_logon_on_multiple_hosts_filter`' how_to_implement: To successfully implement this search, you need to be ingesting special logon events. The Advanced Security Audit policy setting `Audit Special Logon` within `Logon/Logoff` need to be enabled. @@ -37,7 +37,8 @@ tags: asset_type: Endpoint confidence: 80 impact: 80 - message: 'A user $user$ obtained special privileges on a large number of endpoints (Count: $unique_targets$) within 5 minutes.' + message: 'A user $user$ obtained special privileges on a large number of endpoints + (Count: $unique_targets$) within 5 minutes.' mitre_attack_id: - T1087 - T1021.002 @@ -62,6 +63,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/special_logon_on_mulitple_hosts/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/special_logon_on_mulitple_hosts/windows-security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_sql_spawning_certutil.yml b/detections/endpoint/windows_sql_spawning_certutil.yml index cc7c3d5e72..1dba7e5dab 100644 --- a/detections/endpoint/windows_sql_spawning_certutil.yml +++ b/detections/endpoint/windows_sql_spawning_certutil.yml @@ -1,29 +1,20 @@ name: Windows SQL Spawning CertUtil id: dfc18a5a-946e-44ee-a373-c0f60d06e676 -version: 1 -date: '2023-08-25' +version: 2 +date: '2024-05-17' author: Michael Haag, Splunk status: experimental type: TTP data_source: - Sysmon EventID 1 description: The following analytic detects the use of certutil to download software, - a behavior exhibited by the threat actor Flax Typhoon. This actor deploys a VPN - connection by downloading an executable file for SoftEther VPN from their network - infrastructure using one of several LOLBins, including certutil. The actor then - uses the Service Control Manager (SCM) to create a Windows service that launches - the VPN connection automatically when the system starts. This behavior allows the - actor to monitor the availability of the compromised system and establish an RDP - connection. This analytic identifies this behavior by monitoring for the use of - certutil in conjunction with the downloading of software. This behavior is worth - identifying for a SOC as it indicates a potential compromise of the system and the - establishment of a persistent threat. If a true positive is found, it suggests an - attacker has gained access to the environment and is attempting to maintain that - access, potentially leading to further malicious activities such as data theft or - ransomware attacks. Be aware of potential false positives - legitimate uses of certutil - in your environment may cause benign activities to be flagged. Upon triage, review - the command executed and look for concurrent processes to identify the attack source. - This approach helps analysts detect potential threats earlier and mitigate the risks. + specifically when spawned by SQL-related processes. This detection leverages Endpoint + Detection and Response (EDR) data, focusing on command-line executions involving + certutil with parameters like *urlcache* and *split*. This activity is significant + as it may indicate a compromise by threat actors, such as Flax Typhoon, who use + certutil to establish persistent VPN connections. If confirmed malicious, this behavior + could allow attackers to maintain access, monitor system availability, and potentially + escalate to data theft or ransomware deployment. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("sqlservr.exe", "sqlagent.exe", "sqlps.exe", "launchpad.exe", "sqldumper.exe") diff --git a/detections/endpoint/windows_sqlwriter_sqldumper_dll_sideload.yml b/detections/endpoint/windows_sqlwriter_sqldumper_dll_sideload.yml index 46da188c95..e2e505f872 100644 --- a/detections/endpoint/windows_sqlwriter_sqldumper_dll_sideload.yml +++ b/detections/endpoint/windows_sqlwriter_sqldumper_dll_sideload.yml @@ -1,30 +1,36 @@ name: Windows SqlWriter SQLDumper DLL Sideload id: 2ed89ba9-c6c7-46aa-9f08-a2a1c2955aa3 -version: 1 -date: '2024-03-25' +version: 2 +date: '2024-05-17' author: Michael Haag, Teoderick Contreras, Splunk data_source: - Sysmon EventID 7 type: TTP status: production -description: The following analytic identifies the abuse of SqlWriter and SQLDumper executables - to sideload the vcruntime140.dll library. This technique is commonly used by adversaries - to load malicious code into a legitimate process. The analytic searches for EventCode - 7 from Sysmon logs where the Image is either SQLDumper.exe or SQLWriter.exe and the - ImageLoaded is vcruntime140.dll. The search also filters out the legitimate loading - of vcruntime140.dll from the System32 directory to reduce false positives. -search: '`sysmon` EventCode=7 (Image="*\\SQLDumper.exe" OR Image="*\\SQLWriter.exe") ImageLoaded="*\\vcruntime140.dll" NOT ImageLoaded="C:\\Windows\\System32\\*" | stats values(ImageLoaded) count min(_time) as firstTime max(_time) as lastTime by Image,ImageLoaded, user, Computer, EventCode | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_sqlwriter_sqldumper_dll_sideload_filter`' +description: The following analytic detects the abuse of SqlWriter and SQLDumper executables + to sideload the vcruntime140.dll library. It leverages Sysmon EventCode 7 logs, + focusing on instances where SQLDumper.exe or SQLWriter.exe load vcruntime140.dll, + excluding legitimate loads from the System32 directory. This activity is significant + as it indicates potential DLL sideloading, a technique used by adversaries to execute + malicious code within trusted processes. If confirmed malicious, this could allow + attackers to execute arbitrary code, maintain persistence, and evade detection by + blending with legitimate processes. +search: '`sysmon` EventCode=7 (Image="*\\SQLDumper.exe" OR Image="*\\SQLWriter.exe") + ImageLoaded="*\\vcruntime140.dll" NOT ImageLoaded="C:\\Windows\\System32\\*" | stats + values(ImageLoaded) count min(_time) as firstTime max(_time) as lastTime by Image,ImageLoaded, + user, Computer, EventCode | rename Computer as dest | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`| `windows_sqlwriter_sqldumper_dll_sideload_filter`' how_to_implement: The analytic is designed to be run against Sysmon event logs collected - from endpoints. The analytic requires the Sysmon event logs to be ingested into Splunk. - The analytic searches for EventCode 7 where the Image is either SQLDumper.exe or SQLWriter.exe - and the ImageLoaded is vcruntime140.dll. The search also filters out the legitimate - loading of vcruntime140.dll from the System32 directory to reduce false positives. - The analytic can be modified to include additional known good paths for vcruntime140.dll - to further reduce false positives. + from endpoints. The analytic requires the Sysmon event logs to be ingested into + Splunk. The analytic searches for EventCode 7 where the Image is either SQLDumper.exe + or SQLWriter.exe and the ImageLoaded is vcruntime140.dll. The search also filters + out the legitimate loading of vcruntime140.dll from the System32 directory to reduce + false positives. The analytic can be modified to include additional known good paths + for vcruntime140.dll to further reduce false positives. known_false_positives: False positives are possible if legitimate processes are loading - vcruntime140.dll from non-standard directories. It is recommended to investigate the - context of the process loading vcruntime140.dll to determine if it is malicious or - not. Modify the search to include additional known good paths for vcruntime140.dll + vcruntime140.dll from non-standard directories. It is recommended to investigate + the context of the process loading vcruntime140.dll to determine if it is malicious + or not. Modify the search to include additional known good paths for vcruntime140.dll to reduce false positives. references: - https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties @@ -67,6 +73,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.002/wineloader/sqlwriter_sqldumper_sideload_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.002/wineloader/sqlwriter_sqldumper_sideload_windows-sysmon.log sourcetype: xmlwineventlog source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_steal_authentication_certificates___esc1_abuse.yml b/detections/endpoint/windows_steal_authentication_certificates___esc1_abuse.yml index 0d184542b1..be6c246e52 100644 --- a/detections/endpoint/windows_steal_authentication_certificates___esc1_abuse.yml +++ b/detections/endpoint/windows_steal_authentication_certificates___esc1_abuse.yml @@ -1,28 +1,47 @@ name: Windows Steal Authentication Certificates - ESC1 Abuse id: cbe761fc-d945-4c8c-a71d-e26d12255d32 -version: 2 -date: '2024-01-03' +version: 3 +date: '2024-05-11' author: Steven Dick status: production type: TTP -description: The following analytic identifies when a new certificate is requested and/or granted against the Active Directory Certificate Services (AD CS) using a Subject Alternative Name (SAN). This action by its self is not malicious, however improperly configured certificate templates can be abused to permit privilege escalation and environment compromise due to over permissive settings (AD CS ESC1) +description: The following analytic detects when a new certificate is requested or + granted against Active Directory Certificate Services (AD CS) using a Subject Alternative + Name (SAN). It leverages Windows Security Event Codes 4886 and 4887 to identify + these actions. This activity is significant because improperly configured certificate + templates can be exploited for privilege escalation and environment compromise. + If confirmed malicious, an attacker could gain elevated privileges or persist within + the environment, potentially leading to unauthorized access to sensitive information + and further exploitation. data_source: - Windows Event Log Security 4886 - Windows Event Log Security 4887 search: >- `wineventlog_security` EventCode IN (4886,4887) Attributes="*SAN:*upn*" Attributes="*CertificateTemplate:*" - | stats count min(_time) as firstTime max(_time) as lastTime values(name) as name values(status) as status values(Subject) as ssl_subject - values(SubjectKeyIdentifier) as ssl_hash by Computer, EventCode, Requester, Attributes, RequestId - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)`| fillnull + | stats count min(_time) as firstTime max(_time) as lastTime values(name) as name + values(status) as status values(Subject) as ssl_subject + values(SubjectKeyIdentifier) as ssl_hash by Computer, EventCode, Requester, Attributes, + RequestId + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| fillnull | rex field=Attributes "(?i)CertificateTemplate:(?[^\r\n]+)" | rex field=Attributes "(?i)ccm:(?[^\r\n]+)" | rex max_match=10 field=Attributes "(?i)(upn=(?[^\r\n&]+))" | rex max_match=10 field=Attributes "(?i)(dns=(?[^\r\n&]+))" | rex field=Requester "(.+\\\\)?(?[^\r\n]+)" - | eval flavor_text = case(EventCode=="4886","A suspicious certificate was requested using request ID: ".'RequestId',EventCode=="4887", "A suspicious certificate was issued using request ID: ".'RequestId'.". To revoke this certifacte use this request ID or the SSL fingerprint [".'ssl_hash'."]"), dest = upper(coalesce(req_dest_1,req_dest_2)), src = upper(coalesce(req_src,Computer)) | fields - req_* | rename Attributes as object_attrs, EventCode as signature_id, name as signature, RequestId as ssl_serial, Requester as ssl_subject_common_name| `windows_steal_authentication_certificates___esc1_abuse_filter` -how_to_implement: To implement this analytic, enhanced Audit Logging must be enabled on AD CS and within Group Policy Management for CS server. See Page 115 of first reference. Recommend throttle correlation by RequestId/ssl_serial at minimum. -known_false_positives: False positives may be generated in environments where administrative users or processes are allowed to generate certificates with Subject Alternative Names. Sources or templates used in these processes may need to be tuned out for accurate function. + | eval flavor_text = case(EventCode=="4886","A suspicious certificate was requested + using request ID: ".'RequestId',EventCode=="4887", "A suspicious certificate was + issued using request ID: ".'RequestId'.". To revoke this certifacte use this request + ID or the SSL fingerprint [".'ssl_hash'."]"), dest = upper(coalesce(req_dest_1,req_dest_2)), + src = upper(coalesce(req_src,Computer)) | fields - req_* | rename Attributes as + object_attrs, EventCode as signature_id, name as signature, RequestId as ssl_serial, + Requester as ssl_subject_common_name| `windows_steal_authentication_certificates___esc1_abuse_filter` +how_to_implement: To implement this analytic, enhanced Audit Logging must be enabled + on AD CS and within Group Policy Management for CS server. See Page 115 of first + reference. Recommend throttle correlation by RequestId/ssl_serial at minimum. +known_false_positives: False positives may be generated in environments where administrative + users or processes are allowed to generate certificates with Subject Alternative + Names. Sources or templates used in these processes may need to be tuned out for + accurate function. references: - https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf - https://github.com/ly4k/Certipy#esc1 @@ -35,27 +54,27 @@ tags: impact: 100 message: Possible AD CS ESC1 activity by $src_user$ - $flavor_text$ mitre_attack_id: - - T1649 + - T1649 observable: - - name: src - type: Hostname - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: src_user - type: User - role: - - Attacker + - name: src + type: Hostname + role: + - Victim + - name: dest + type: Hostname + role: + - Victim + - name: src_user + type: User + role: + - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud required_fields: - _time - - Attributes + - Attributes - Computer - EventCode - Requester @@ -65,7 +84,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/certify_abuse/certify_esc1_abuse_winsecurity.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/certify_abuse/certify_esc1_abuse_winsecurity.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog - update_timestamp: true \ No newline at end of file + update_timestamp: true diff --git a/detections/endpoint/windows_steal_authentication_certificates___esc1_authentication.yml b/detections/endpoint/windows_steal_authentication_certificates___esc1_authentication.yml index 36ae60f96f..dd46987277 100644 --- a/detections/endpoint/windows_steal_authentication_certificates___esc1_authentication.yml +++ b/detections/endpoint/windows_steal_authentication_certificates___esc1_authentication.yml @@ -1,97 +1,115 @@ name: Windows Steal Authentication Certificates - ESC1 Authentication id: f0306acf-a6ab-437a-bbc6-8628f8d5c97e -version: 1 -date: '2023-05-25' +version: 2 +date: '2024-05-24' author: Steven Dick status: production type: TTP -description: The following analytic identifies when a suspicious certificate is granted using Active Directory Certificate Services (AD CS) with a Subject Alternative Name (SAN) and then immediately used for authentication. This action alone may not be malicious, however improperly configured certificate templates can be abused to permit privilege escalation and environment compromise due to over permissive settings (AD CS ESC1). +description: The following analytic detects when a suspicious certificate with a Subject + Alternative Name (SAN) is issued using Active Directory Certificate Services (AD + CS) and then immediately used for authentication. This detection leverages Windows + Security Event Logs, specifically EventCode 4887, to identify the issuance and subsequent + use of the certificate. This activity is significant because improperly configured + certificate templates can be exploited for privilege escalation and environment + compromise. If confirmed malicious, an attacker could gain unauthorized access, + escalate privileges, and potentially compromise the entire environment. data_source: - - Windows Event Log Security 4887 - - Windows Event Log Security 4768 +- Windows Event Log Security 4887 +- Windows Event Log Security 4768 search: >- `wineventlog_security` EventCode IN (4887) Attributes="*SAN:*upn*" Attributes="*CertificateTemplate:*" - | stats count min(_time) as firstTime max(_time) as lastTime values(name) as name values(status) as status values(Subject) as ssl_subject values(SubjectKeyIdentifier) as ssl_hash by Computer, EventCode, Requester, Attributes, RequestId + | stats count min(_time) as firstTime max(_time) as lastTime values(name) as name + values(status) as status values(Subject) as ssl_subject values(SubjectKeyIdentifier) + as ssl_hash by Computer, EventCode, Requester, Attributes, RequestId | rex field=Attributes "(?i)CertificateTemplate:(?[^\r\n]+)" | rex field=Attributes "(?i)ccm:(?[^\r\n]+)" | rex max_match=10 field=Attributes "(?i)(upn=(?[^\r\n&]+))" | rex max_match=10 field=Attributes "(?i)(dns=(?[^\r\n&]+))" | rex field=Requester "(.+\\\\)?(?[^\r\n]+)" - | rename Attributes as object_attrs, EventCode as signature_id, name as signature, RequestId as ssl_serial, Requester as ssl_subject_common_name - | eval user = lower(coalesce(req_user_1,req_user_2)) - | join user + | rename Attributes as object_attrs, EventCode as signature_id, name as signature, + RequestId as ssl_serial, Requester as ssl_subject_common_name + | eval user = lower(coalesce(req_user_1,req_user_2)) | join user [ | search `wineventlog_security` EventCode=4768 CertThumbprint=* | rename TargetUserName as user, Computer as auth_dest, IpAddress as auth_src | fields auth_src,auth_dest,user ] - | eval src = upper(coalesce(auth_src,req_src)), dest = upper(coalesce(auth_dest,req_dest_1,req_dest_2)), risk_score = 90 - | eval flavor_text = case(signature_id=="4887", "User account [".'user'."] authenticated after a suspicious certificate was issued for it by [".'src_user'."] using certificate request ID: ".'ssl_serial') + | eval src = upper(coalesce(auth_src,req_src)), dest = upper(coalesce(auth_dest,req_dest_1,req_dest_2)), + risk_score = 90 + | eval flavor_text = case(signature_id=="4887", "User account [".'user'."] authenticated + after a suspicious certificate was issued for it by [".'src_user'."] using certificate + request ID: ".'ssl_serial') | fields - req_* auth_* | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates___esc1_authentication_filter` -how_to_implement: To implement this analytic, enhanced Audit Logging must be enabled on AD CS and within Group Policy Management for CS server. See Page 115 of first reference. Recommend throttle correlation by RequestId/ssl_serial at minimum. -known_false_positives: False positives may be generated in environments where administrative users or processes are allowed to generate certificates with Subject Alternative Names for authentication. Sources or templates used in these processes may need to be tuned out for accurate function. +how_to_implement: To implement this analytic, enhanced Audit Logging must be enabled + on AD CS and within Group Policy Management for CS server. See Page 115 of first + reference. Recommend throttle correlation by RequestId/ssl_serial at minimum. +known_false_positives: False positives may be generated in environments where administrative + users or processes are allowed to generate certificates with Subject Alternative + Names for authentication. Sources or templates used in these processes may need + to be tuned out for accurate function. references: - - https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf - - https://github.com/ly4k/Certipy#esc1 - - https://pentestlaboratories.com/2021/11/08/threat-hunting-certificate-account-persistence/ +- https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf +- https://github.com/ly4k/Certipy#esc1 +- https://pentestlaboratories.com/2021/11/08/threat-hunting-certificate-account-persistence/ tags: analytic_story: - - Windows Certificate Services + - Windows Certificate Services asset_type: Endpoint confidence: 90 impact: 100 message: Possible AD CS ESC1 authentication on $dest$ mitre_attack_id: - - T1649 - - T1550 + - T1649 + - T1550 observable: - - name: src - type: Hostname - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: src_user - type: User - role: - - Victim - - name: user - type: User - role: - - Victim - - name: ssl_hash - type: Other - role: - - Attacker - - name: ssl_serial - type: Other - role: - - Attacker + - name: src + type: Hostname + role: + - Victim + - name: dest + type: Hostname + role: + - Victim + - name: src_user + type: User + role: + - Victim + - name: user + type: User + role: + - Victim + - name: ssl_hash + type: Other + role: + - Attacker + - name: ssl_serial + type: Other + role: + - Attacker product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud required_fields: - - _time - - Attributes - - Computer - - EventCode - - Requester - - RequestId - - TargetUserName - - Computer - - IpAddress + - _time + - Attributes + - Computer + - EventCode + - Requester + - RequestId + - TargetUserName + - Computer + - IpAddress risk_score: 90 security_domain: endpoint tests: - - name: True Positive Test - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/certify_abuse/certify_esc1_abuse_winsecurity.log - source: XmlWinEventLog:Security - sourcetype: XmlWinEventLog - update_timestamp: true +- name: True Positive Test + attack_data: + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/certify_abuse/certify_esc1_abuse_winsecurity.log + source: XmlWinEventLog:Security + sourcetype: XmlWinEventLog + update_timestamp: true diff --git a/detections/endpoint/windows_steal_authentication_certificates_certificate_issued.yml b/detections/endpoint/windows_steal_authentication_certificates_certificate_issued.yml index 461d2e4a08..73de2f92b3 100644 --- a/detections/endpoint/windows_steal_authentication_certificates_certificate_issued.yml +++ b/detections/endpoint/windows_steal_authentication_certificates_certificate_issued.yml @@ -1,19 +1,18 @@ name: Windows Steal Authentication Certificates Certificate Issued id: 9b1a5385-0c31-4c39-9753-dc26b8ce64c2 -version: 1 -date: '2023-02-06' +version: 2 +date: '2024-05-11' author: Michael Haag, Splunk status: production type: Anomaly -description: The following analytic identifies when a new certificate is issued against - the Certificate Services - AD CS. By its very nature this is not malicious, but - should be tracked and correlated with other events related to certificates being - issued. When the CA issues the certificate, it creates EID 4887 'Certificate Services - approved a certificate request and issued a certificate". The event supplies the - requester user context, the DNS hostname of the machine they requested the certificate - from, and the time they requested the certificate. The attributes fields in these - event commonly has values for CDC, RMD, and CCM which correspond to Client DC, Request - Machine DNS name, and Cert Client Machine, respectively. +description: The following analytic identifies the issuance of a new certificate by + Certificate Services - AD CS, detected via Event ID 4887. This event logs the requester + user context, DNS hostname of the requesting machine, and the request time. Monitoring + this activity is crucial as it can indicate potential misuse of authentication certificates. + If confirmed malicious, an attacker could use the issued certificate to impersonate + users, escalate privileges, or maintain persistence within the environment. This + detection helps in identifying and correlating suspicious certificate-related activities + for further investigation. data_source: - Windows Event Log Security 4887 search: '`wineventlog_security` EventCode=4887 | stats count min(_time) as firstTime @@ -56,7 +55,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/4887_windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/4887_windows-security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog update_timestamp: true diff --git a/detections/endpoint/windows_steal_authentication_certificates_certificate_request.yml b/detections/endpoint/windows_steal_authentication_certificates_certificate_request.yml index b24e29fbe6..5b5fac3a21 100644 --- a/detections/endpoint/windows_steal_authentication_certificates_certificate_request.yml +++ b/detections/endpoint/windows_steal_authentication_certificates_certificate_request.yml @@ -1,15 +1,18 @@ name: Windows Steal Authentication Certificates Certificate Request id: 747d7800-2eaa-422d-b994-04d8bb9e06d0 -version: 1 -date: '2023-02-06' +version: 2 +date: '2024-05-24' author: Michael Haag, Splunk status: production type: Anomaly -description: The following analytic identifies when a new certificate is requested - against the Certificate Services - AD CS. By its very nature this is not malicious, - but should be tracked and correlated with other events related to certificate requests. - When an account requests a certificate, the CA generates event ID (EID) 4886 "Certificate - Services received a certificate request". +description: The following analytic detects when a new certificate is requested from + Certificate Services - AD CS. It leverages Event ID 4886, which indicates that a + certificate request has been received. This activity is significant because unauthorized + certificate requests can be part of credential theft or lateral movement tactics. + If confirmed malicious, an attacker could use the certificate to impersonate users, + gain unauthorized access to resources, or establish persistent access within the + environment. Monitoring and correlating this event with other suspicious activities + is crucial for identifying potential security incidents. data_source: - Windows Event Log Security 4886 search: '`wineventlog_security` EventCode=4886 | stats count min(_time) as firstTime @@ -52,7 +55,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/4886_windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/4886_windows-security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog update_timestamp: true diff --git a/detections/endpoint/windows_steal_authentication_certificates_cryptoapi.yml b/detections/endpoint/windows_steal_authentication_certificates_cryptoapi.yml index 688f489b94..ebeefc9216 100644 --- a/detections/endpoint/windows_steal_authentication_certificates_cryptoapi.yml +++ b/detections/endpoint/windows_steal_authentication_certificates_cryptoapi.yml @@ -1,17 +1,17 @@ name: Windows Steal Authentication Certificates CryptoAPI id: 905d5692-6d7c-432f-bc7e-a6b4f464d40e -version: 1 -date: '2023-02-08' +version: 2 +date: '2024-05-16' author: Michael Haag, Splunk status: production type: Anomaly -description: The following analytic utilizes a Windows Event Log - CAPI2 - or CryptoAPI - 2, to identify suspicious certificate extraction. Typically, this event log is meant - for diagnosing PKI issues, however is a great source to identify certificate exports. - Note that this event log is noisy as it captures common PKI requests from many different - processes. EventID 70 is generated anytime a certificate is exported. The description - for EventID 70 is "Acquire Certificate Private Key". STRT tested this analytic using - Mimikatz binary and the implementation of Mimikatz in Cobalt Strike. +description: The following analytic detects the extraction of authentication certificates + using Windows Event Log - CAPI2 (CryptoAPI 2). It leverages EventID 70, which is + generated when a certificate's private key is acquired. This detection is significant + because it can identify potential misuse of certificates, such as those extracted + by tools like Mimikatz or Cobalt Strike. If confirmed malicious, this activity could + allow attackers to impersonate users, escalate privileges, or access sensitive information, + posing a severe risk to the organization's security. data_source: - Windows Event Log CAPI2 70 search: '`capi2_operational` EventCode=70 | xmlkv UserData_Xml | stats count min(_time) @@ -53,7 +53,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/capi2-operational.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/capi2-operational.log source: XmlWinEventLog:Microsoft-Windows-CAPI2/Operational sourcetype: XmlWinEventLog update_timestamp: true diff --git a/detections/endpoint/windows_steal_or_forge_kerberos_tickets_klist.yml b/detections/endpoint/windows_steal_or_forge_kerberos_tickets_klist.yml index 7f712868df..7603dbc2ad 100644 --- a/detections/endpoint/windows_steal_or_forge_kerberos_tickets_klist.yml +++ b/detections/endpoint/windows_steal_or_forge_kerberos_tickets_klist.yml @@ -1,16 +1,18 @@ name: Windows Steal or Forge Kerberos Tickets Klist id: 09d88404-1e29-46cb-806c-1eedbc85ad5d -version: 1 -date: '2022-11-30' +version: 2 +date: '2024-05-13' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic identifies a process execution of Windows OS klist.exe - tool. This tool is being abused or used by several post exploitation tool such as - winpeas that being used by ransomware prestige to display or gather list of currently - cached kerberos ticket. This cahced data can be used for lateral movement or even - privilege escalation on the targeted host. This hunting query can be a good pivot - in possible kerberos attack or pass the hash technique. +description: The following analytic identifies the execution of the Windows OS tool + klist.exe, often used by post-exploitation tools like winpeas. This detection leverages + data from Endpoint Detection and Response (EDR) agents, focusing on process and + parent process details. Monitoring klist.exe is significant as it can indicate attempts + to list or gather cached Kerberos tickets, which are crucial for lateral movement + or privilege escalation. If confirmed malicious, this activity could enable attackers + to move laterally within the network or escalate privileges, posing a severe security + risk. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -72,7 +74,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_suspect_process_with_authentication_traffic.yml b/detections/endpoint/windows_suspect_process_with_authentication_traffic.yml index 5c80bfb48b..3529b53f4f 100644 --- a/detections/endpoint/windows_suspect_process_with_authentication_traffic.yml +++ b/detections/endpoint/windows_suspect_process_with_authentication_traffic.yml @@ -1,85 +1,91 @@ name: Windows Suspect Process With Authentication Traffic id: 953322db-128a-4ce9-8e89-56e039e33d98 -version: 1 -date: '2023-06-13' +version: 2 +date: '2024-05-15' author: Steven Dick status: production type: Anomaly description: >- - This analytic identifies executables running from public or temporary locations that are communicating over windows domain - authentication ports/protocol. The ports/protocols include LDAP(389), LDAPS(636), and Kerberos(88). Authentications from applications - running from user controlled locations may not be malicious, however actors often attempt to access domain resources after initial - compromise from executables in these locations. Most attacker toolkits offer some degree of interaction with AD/LDAP. + The following analytic detects executables running from public or temporary locations + that are communicating over Windows domain authentication ports/protocols such as + LDAP (389), LDAPS (636), and Kerberos (88). It leverages network traffic data to + identify processes originating from user-controlled directories. This activity is + significant because legitimate applications rarely run from these locations and + attempt domain authentication, making it a potential indicator of compromise. If + confirmed malicious, attackers could leverage this to access domain resources, potentially + leading to further exploitation and lateral movement within the network. data_source: - - Sysmon EventID 3 +- Sysmon EventID 3 search: >- - | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_Traffic.process_id) as process_id - from datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port IN ("88","389","636") - AND All_Traffic.app IN ("*\\users\\*", "*\\programdata\\*", "*\\temp\\*", "*\\Windows\\Tasks\\*", "*\\appdata\\*", "*\\perflogs\\*") - by All_Traffic.app,All_Traffic.src,All_Traffic.src_ip,All_Traffic.user,All_Traffic.dest,All_Traffic.dest_ip,All_Traffic.dest_port - | `drop_dm_object_name(All_Traffic)` - | rex field=app ".*\\\(?.*)$" + | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime values(All_Traffic.process_id) as process_id from datamodel=Network_Traffic.All_Traffic + where All_Traffic.dest_port IN ("88","389","636") AND All_Traffic.app IN ("*\\users\\*", + "*\\programdata\\*", "*\\temp\\*", "*\\Windows\\Tasks\\*", "*\\appdata\\*", "*\\perflogs\\*") by + All_Traffic.app,All_Traffic.src,All_Traffic.src_ip,All_Traffic.user,All_Traffic.dest,All_Traffic.dest_ip,All_Traffic.dest_port + | `drop_dm_object_name(All_Traffic)` | rex field=app ".*\\\(?.*)$" | rename app as process - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_suspect_process_with_authentication_traffic_filter` how_to_implement: >- - To implement this analytic, Sysmon should be installed in the environment and generating network events for - userland and/or known public writable locations. + To implement this analytic, Sysmon should be installed in the environment and generating + network events for userland and/or known public writable locations. known_false_positives: >- - Known applications running from these locations for legitimate purposes. Targeting only kerberos (port 88) + Known applications running from these locations for legitimate purposes. Targeting + only kerberos (port 88) may significantly reduce noise. references: - - https://attack.mitre.org/techniques/T1069/002/ - - https://book.hacktricks.xyz/network-services-pentesting/pentesting-kerberos-88 +- https://attack.mitre.org/techniques/T1069/002/ +- https://book.hacktricks.xyz/network-services-pentesting/pentesting-kerberos-88 tags: analytic_story: - - Active Directory Discovery + - Active Directory Discovery asset_type: Endpoint confidence: 50 impact: 50 - message: The process $process_name$ on $src$ has been communicating with $dest$ on $dest_port$. + message: The process $process_name$ on $src$ has been communicating with $dest$ + on $dest_port$. mitre_attack_id: - - T1087 - - T1087.002 - - T1204 - - T1204.002 + - T1087 + - T1087.002 + - T1204 + - T1204.002 observable: - - name: src - type: Hostname - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim - - name: process_name - type: Process - role: - - Attacker + - name: src + type: Hostname + role: + - Victim + - name: dest + type: Hostname + role: + - Victim + - name: user + type: User + role: + - Victim + - name: process_name + type: Process + role: + - Attacker product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud required_fields: - - _time - - All_Traffic.app - - All_Traffic.src - - All_Traffic.src_ip - - All_Traffic.user - - All_Traffic.dest - - All_Traffic.dest_ip - - All_Traffic.dest_port + - _time + - All_Traffic.app + - All_Traffic.src + - All_Traffic.src_ip + - All_Traffic.user + - All_Traffic.dest + - All_Traffic.dest_ip + - All_Traffic.dest_port risk_score: 25 security_domain: endpoint tests: - - name: True Positive Test - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/certify_abuse/certify_esc1_abuse_sysmon.log - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog - update_timestamp: true \ No newline at end of file +- name: True Positive Test + attack_data: + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/certify_abuse/certify_esc1_abuse_sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: xmlwineventlog + update_timestamp: true diff --git a/detections/endpoint/windows_system_binary_proxy_execution_compiled_html_file_decompile.yml b/detections/endpoint/windows_system_binary_proxy_execution_compiled_html_file_decompile.yml index 850a26bf92..87d2c4fbed 100644 --- a/detections/endpoint/windows_system_binary_proxy_execution_compiled_html_file_decompile.yml +++ b/detections/endpoint/windows_system_binary_proxy_execution_compiled_html_file_decompile.yml @@ -1,16 +1,18 @@ name: Windows System Binary Proxy Execution Compiled HTML File Decompile id: 2acf0e19-4149-451c-a3f3-39cd3c77e37d -version: 1 -date: '2022-08-31' +version: 2 +date: '2024-05-17' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies the decompile parameter with the HTML - Help application, HH.exe. This is a uncommon command to see ran and behavior. Most - recently this was seen in a APT41 campaign where a CHM file was delivered and a - script inside used a technique for running an arbitrary command in a CHM file via - an ActiveX object. This unpacks an HTML help file to a specified path for launching - the next stage. +description: The following analytic detects the use of the decompile parameter with + the HTML Help application (HH.exe). This behavior is identified through Endpoint + Detection and Response (EDR) telemetry, focusing on command-line executions involving + the decompile parameter. This activity is significant because it is an uncommon + command and has been associated with APT41 campaigns, where it was used to unpack + HTML help files for further malicious actions. If confirmed malicious, this technique + could allow attackers to execute arbitrary commands, potentially leading to further + compromise and persistence within the environment. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -80,7 +82,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.001/atomic_red_team/hh_decom_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.001/atomic_red_team/hh_decom_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_system_discovery_using_ldap_nslookup.yml b/detections/endpoint/windows_system_discovery_using_ldap_nslookup.yml index 5223d60b80..d947e3ab84 100644 --- a/detections/endpoint/windows_system_discovery_using_ldap_nslookup.yml +++ b/detections/endpoint/windows_system_discovery_using_ldap_nslookup.yml @@ -1,15 +1,18 @@ name: Windows System Discovery Using ldap Nslookup id: 2418780f-7c3e-4c45-b8b4-996ea850cd49 -version: 1 -date: '2022-10-21' +version: 2 +date: '2024-05-28' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic identifies the execution of nslookup.exe tool - to get domain information. Nslookup.exe is a command-line tool that can display - information to diagnose domain name systems. This Nslookup feature is being abused - by Qakbot malware to gather domain information such as SRV service location records, - server name and many more. +description: The following analytic detects the execution of nslookup.exe to query + domain information using LDAP. It leverages data from Endpoint Detection and Response + (EDR) agents, focusing on process names and command-line arguments. This activity + is significant as nslookup.exe can be abused by malware like Qakbot to gather critical + domain details, such as SRV records and server names. If confirmed malicious, this + behavior could allow attackers to map the network, identify key servers, and plan + further attacks, potentially leading to data exfiltration or lateral movement within + the network. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -69,7 +72,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/qakbot_discovery_cmdline/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/qakbot_discovery_cmdline/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_system_discovery_using_qwinsta.yml b/detections/endpoint/windows_system_discovery_using_qwinsta.yml index b105eca029..384ab9d953 100644 --- a/detections/endpoint/windows_system_discovery_using_qwinsta.yml +++ b/detections/endpoint/windows_system_discovery_using_qwinsta.yml @@ -1,16 +1,18 @@ name: Windows System Discovery Using Qwinsta id: 2e765c1b-144a-49f0-93d0-1df4287cca04 -version: 1 -date: '2022-10-21' +version: 2 +date: '2024-05-17' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic identifies the execution of qwinsta.exe executable - in Windows Operating System. This Windows executable file can display information - about sessions on a remote desktop session host server. The information includes - servername, sessionname, username and many more. This tool is being abused of Qakbot - malware to gather information to the targeted or compromised host that will be send - back to its Command And Control server. +description: The following analytic detects the execution of "qwinsta.exe" on a Windows + operating system. This detection leverages data from Endpoint Detection and Response + (EDR) agents, focusing on process execution logs. The "qwinsta.exe" tool is significant + because it can display detailed session information on a remote desktop session + host server. This behavior is noteworthy as it is commonly abused by Qakbot malware + to gather system information and send it back to its Command and Control (C2) server. + If confirmed malicious, this activity could lead to unauthorized data exfiltration + and further compromise of the host. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -70,7 +72,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/qakbot_discovery_cmdline/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/qakbot_discovery_cmdline/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_system_file_on_disk.yml b/detections/endpoint/windows_system_file_on_disk.yml index af84726b29..0b7236e303 100644 --- a/detections/endpoint/windows_system_file_on_disk.yml +++ b/detections/endpoint/windows_system_file_on_disk.yml @@ -1,15 +1,17 @@ name: Windows System File on Disk id: 993ce99d-9cdd-42c7-a2cf-733d5954e5a6 -version: 2 -date: '2022-05-16' +version: 3 +date: '2024-05-24' author: Michael Haag, Splunk status: production type: Hunting -description: The following hunting analytic will assist with identifying new .sys - files introduced in the environment. This query is meant to identify sys file creates - on disk. There will be noise, but reducing common process names or applications - should help to limit any volume. The idea is to identify new sys files written to - disk and identify them before they're added as a new kernel mode driver. +description: The following analytic detects the creation of new .sys files on disk. + It leverages the Endpoint.Filesystem data model to identify and log instances where + .sys files are written to the filesystem. This activity is significant because .sys + files are often used as kernel mode drivers, and their unauthorized creation can + indicate malicious activity such as rootkit installation. If confirmed malicious, + this could allow an attacker to gain kernel-level access, leading to full system + compromise, persistent control, and the ability to bypass security mechanisms. data_source: - Sysmon EventID 11 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -61,7 +63,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/drivers/sysmon_sys_filemod.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/drivers/sysmon_sys_filemod.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_system_logoff_commandline.yml b/detections/endpoint/windows_system_logoff_commandline.yml index bb9fb20937..feb74b6866 100644 --- a/detections/endpoint/windows_system_logoff_commandline.yml +++ b/detections/endpoint/windows_system_logoff_commandline.yml @@ -1,26 +1,28 @@ name: Windows System LogOff Commandline id: 74a8133f-93e7-4b71-9bd3-13a66124fd57 -version: 1 -date: '2022-07-27' +version: 2 +date: '2024-05-22' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic identifies Windows commandline to logoff a windows - host machine. This technique was seen in several APT, RAT like dcrat and other commodity - malware to shutdown the machine to add more impact, interrupt access, aid destruction - of the system like wiping disk or inhibit system recovery. This TTP is a good pivot - to check why application trigger this commandline which is not so common way to - logoff a machine. +description: The following analytic detects the execution of the Windows command line + to log off a host machine. It leverages data from Endpoint Detection and Response + (EDR) agents, focusing on processes involving `shutdown.exe` with specific parameters. + This activity is significant as it is often associated with Advanced Persistent + Threats (APTs) and Remote Access Trojans (RATs) like dcrat, which use this technique + to disrupt operations, aid in system destruction, or inhibit recovery. If confirmed + malicious, this could lead to system downtime, data loss, or hindered incident response + efforts. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = shutdown.exe OR Processes.original_file_name = shutdown.exe) - Processes.process="*shutdown*" Processes.process IN ("* /l*", "* -l*") Processes.process IN ("* /t*","* -t*","* /f*","* -f*") - by Processes.dest Processes.user Processes.parent_process Processes.process_name - Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `windows_system_logoff_commandline_filter`' + Processes.process="*shutdown*" Processes.process IN ("* /l*", "* -l*") Processes.process + IN ("* /t*","* -t*","* /f*","* -f*") by Processes.dest Processes.user Processes.parent_process + Processes.process_name Processes.original_file_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_system_logoff_commandline_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -72,7 +74,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/reboot_logoff_commandline/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/reboot_logoff_commandline/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_system_network_config_discovery_display_dns.yml b/detections/endpoint/windows_system_network_config_discovery_display_dns.yml index 2dbcff4187..9a66d7d083 100644 --- a/detections/endpoint/windows_system_network_config_discovery_display_dns.yml +++ b/detections/endpoint/windows_system_network_config_discovery_display_dns.yml @@ -1,18 +1,18 @@ name: Windows System Network Config Discovery Display DNS id: e24f0a0e-41a9-419f-9999-eacab15efc36 -version: 1 -date: '2022-11-30' +version: 2 +date: '2024-05-17' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic identifies a process command line that retrieves - dns reply information using Windows OS built-in tool IPConfig. This technique is - being abused by threat actors, adversaries and post exploitation tools like WINPEAS - to retrieve DNS information for the targeted host. This IPConfig parameter (/displaydns) - can show dns server resource record, record name, record type, time to live data - length and dns reply. This hunting detection can be a good pivot to check which - process is executing this command line in specific host system that may lead to - malware or adversaries gathering network information. +description: The following analytic identifies the execution of the "ipconfig /displaydns" + command, which retrieves DNS reply information using the built-in Windows tool IPConfig. + This detection leverages data from Endpoint Detection and Response (EDR) agents, + focusing on process command-line executions. Monitoring this activity is significant + as threat actors and post-exploitation tools like WINPEAS often abuse this command + to gather network information. If confirmed malicious, this activity could allow + attackers to map the network, identify DNS servers, and potentially facilitate further + network-based attacks or lateral movement. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -75,7 +75,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_system_network_connections_discovery_netsh.yml b/detections/endpoint/windows_system_network_connections_discovery_netsh.yml index 71758b47cc..83a2f34969 100644 --- a/detections/endpoint/windows_system_network_connections_discovery_netsh.yml +++ b/detections/endpoint/windows_system_network_connections_discovery_netsh.yml @@ -1,18 +1,18 @@ name: Windows System Network Connections Discovery Netsh id: abfb7cc5-c275-4a97-9029-62cd8d4ffeca -version: 1 -date: '2022-11-30' +version: 2 +date: '2024-05-17' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic identifies a process execution of Windows OS built-in - tool netsh.exe to show state, configuration and profile of host firewall. This tool - is being used or abused by several adversaries or even post exploitation tool to - bypass firewall rules or to discover firewall settings. This hunting detection can - help to detect a possible suspicious usage of netsh.exe to retrieve firewall settings - or even firewall wlan profile. We recommend checking which parent process and process - name execute this command. Also check the process file path for verification that - may lead to further TTP's threat behavior. +description: The following analytic detects the execution of the Windows built-in + tool netsh.exe to display the state, configuration, and profile of the host firewall. + This detection leverages data from Endpoint Detection and Response (EDR) agents, + focusing on command-line executions and process metadata. Monitoring this activity + is crucial as netsh.exe can be used by adversaries to bypass firewall rules or discover + firewall settings. If confirmed malicious, this activity could allow attackers to + manipulate firewall configurations, potentially leading to unauthorized network + access or data exfiltration. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -76,7 +76,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_system_reboot_commandline.yml b/detections/endpoint/windows_system_reboot_commandline.yml index a3f111dcdf..7960407df0 100644 --- a/detections/endpoint/windows_system_reboot_commandline.yml +++ b/detections/endpoint/windows_system_reboot_commandline.yml @@ -1,27 +1,28 @@ name: Windows System Reboot CommandLine id: 97fc2b60-c8eb-4711-93f7-d26fade3686f -version: 1 -date: '2022-07-27' +version: 2 +date: '2024-05-28' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic identifies Windows commandline to reboot a windows - host machine. This technique was seen in several APT, RAT like dcrat and other commodity - malware to shutdown the machine to add more impact, interrupt access, aid destruction - of the system like wiping disk or inhibit system recovery. This TTP is a good pivot - to check why application trigger this commandline which is not so common way to - reboot a machine. Compare to shutdown and logoff shutdown.exe feature, reboot seen - in some automation script like ansible to reboot the machine. +description: The following analytic identifies the execution of the Windows command + line to reboot a host machine using "shutdown.exe" with specific parameters. This + detection leverages data from Endpoint Detection and Response (EDR) agents, focusing + on process names and command-line arguments. This activity is significant as it + is often associated with advanced persistent threats (APTs) and remote access trojans + (RATs) like dcrat, which may use system reboots to disrupt operations, aid in system + destruction, or inhibit recovery. If confirmed malicious, this could lead to system + downtime, data loss, or hindered incident response efforts. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = shutdown.exe OR Processes.original_file_name = shutdown.exe) - Processes.process="*shutdown*" Processes.process IN ("* /r*", "* -r*") Processes.process IN ("* /t*","* -t*","* /f*","* -f*") - by Processes.dest Processes.user Processes.parent_process Processes.process_name - Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `windows_system_reboot_commandline_filter`' + Processes.process="*shutdown*" Processes.process IN ("* /r*", "* -r*") Processes.process + IN ("* /t*","* -t*","* /f*","* -f*") by Processes.dest Processes.user Processes.parent_process + Processes.process_name Processes.original_file_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_system_reboot_commandline_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -74,7 +75,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/reboot_logoff_commandline/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/reboot_logoff_commandline/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_system_shutdown_commandline.yml b/detections/endpoint/windows_system_shutdown_commandline.yml index 22f6750b5c..2aa6d6ec78 100644 --- a/detections/endpoint/windows_system_shutdown_commandline.yml +++ b/detections/endpoint/windows_system_shutdown_commandline.yml @@ -1,33 +1,27 @@ name: Windows System Shutdown CommandLine id: 4fee57b8-d825-4bf3-9ea8-bf405cdb614c -version: 2 -date: '2023-06-20' +version: 3 +date: '2024-05-20' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This detection rule is designed to identify the execution of the Windows - shutdown command via command line interface. The shutdown command can be utilized - by system administrators to properly halt, power off, or reboot a computer. However, - in a security context, attackers who have gained unauthorized access to a system - may also use this command in an effort to erase tracks, or to cause disruption and - denial of service. In some instances, they might execute the shutdown command after - installing a backdoor, to force the system to restart, ensuring that changes take - effect or evading detection by security tools. Monitoring for the use of the Windows - shutdown command, especially in conjunction with other unusual or unauthorized activities, - can be an important part of identifying malicious behavior within a network. It - is advised that security professionals analyze the context in which the shutdown - command is being executed to differentiate between legitimate administrative functions - and potentially malicious activity. +description: The following analytic identifies the execution of the Windows shutdown + command via the command line interface. It leverages data from Endpoint Detection + and Response (EDR) agents, focusing on process names and command-line arguments. + This activity is significant because attackers may use the shutdown command to erase + tracks, cause disruption, or ensure changes take effect after installing backdoors. + If confirmed malicious, this activity could lead to system downtime, denial of service, + or evasion of security tools, impacting the overall security posture of the network. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = shutdown.exe OR Processes.original_file_name = shutdown.exe) - Processes.process="*shutdown*" AND Processes.process IN("* /s*", "* -s*") AND Processes.process IN ("* /t*","* -t*","* /f*","* -f*") - by Processes.dest Processes.user Processes.parent_process Processes.process_name - Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `windows_system_shutdown_commandline_filter`' + Processes.process="*shutdown*" AND Processes.process IN("* /s*", "* -s*") AND Processes.process + IN ("* /t*","* -t*","* /f*","* -f*") by Processes.dest Processes.user Processes.parent_process + Processes.process_name Processes.original_file_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_system_shutdown_commandline_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -81,7 +75,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/shutdown_commandline/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/shutdown_commandline/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_system_time_discovery_w32tm_delay.yml b/detections/endpoint/windows_system_time_discovery_w32tm_delay.yml index 7e7a154eeb..c013297983 100644 --- a/detections/endpoint/windows_system_time_discovery_w32tm_delay.yml +++ b/detections/endpoint/windows_system_time_discovery_w32tm_delay.yml @@ -1,15 +1,18 @@ name: Windows System Time Discovery W32tm Delay id: b2cc69e7-11ba-42dc-a269-59c069a48870 -version: 1 -date: '2022-07-28' +version: 2 +date: '2024-05-21' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic identifies DCRat delay time tactics using w32tm. - This technique was seen in DCRAT malware where it uses stripchart function of w32tm.exe - application to delay the execution of its payload like c2 communication , beaconing - and execution. This anomaly detection may help the analyst to check other possible - event like the process who execute this command that may lead to DCRat attack. +description: The following analytic identifies the use of the w32tm.exe utility with + the /stripchart function, which is indicative of DCRat malware delaying its payload + execution. This detection leverages data from Endpoint Detection and Response (EDR) + agents, focusing on specific command-line arguments used by w32tm.exe. This activity + is significant as it may indicate an attempt to evade detection by delaying malicious + actions such as C2 communication and beaconing. If confirmed malicious, this behavior + could allow an attacker to maintain persistence and execute further malicious activities + undetected. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` values(Processes.process) as process @@ -71,7 +74,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/dcrat_delay_execution/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/dcrat_delay_execution/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_system_user_discovery_via_quser.yml b/detections/endpoint/windows_system_user_discovery_via_quser.yml index 0dfccf1a75..6d2a13035e 100644 --- a/detections/endpoint/windows_system_user_discovery_via_quser.yml +++ b/detections/endpoint/windows_system_user_discovery_via_quser.yml @@ -1,20 +1,18 @@ name: Windows System User Discovery Via Quser id: 0c3f3e09-e47a-410e-856f-a02a5c5fafb0 -version: 1 -date: '2022-11-30' +version: 2 +date: '2024-05-20' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic identifies a process execution of Windows OS quser.exe - tool. This tool is being abused or used by several post exploitation tool such as - winpeas that being used by ransomware prestige to display or gather information - about user sessions on a Remote Desktop Session Host server. This command can find - out if a specific user is logged on to a specific Remote Desktop Session Host server. - This tool can retrieve some RDP information that can be use by attacker for further - attack like Name of the user , Name of the session on the Remote Desktop Session - Host server, Session ID, State of the session (active or disconnected), Idle time - (the number of minutes since the last keystroke or mouse movement at the session) - and Date and time the user logged on. +description: The following analytic detects the execution of the Windows OS tool quser.exe, + commonly used to gather information about user sessions on a Remote Desktop Session + Host server. This detection leverages data from Endpoint Detection and Response + (EDR) agents, focusing on process execution logs. Monitoring this activity is crucial + as quser.exe is often abused by post-exploitation tools like winpeas, used in ransomware + attacks to enumerate user sessions. If confirmed malicious, attackers could leverage + this information to further compromise the system, maintain persistence, or escalate + privileges. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -78,7 +76,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_system_user_privilege_discovery.yml b/detections/endpoint/windows_system_user_privilege_discovery.yml index cf745ccdda..99dd2dfba5 100644 --- a/detections/endpoint/windows_system_user_privilege_discovery.yml +++ b/detections/endpoint/windows_system_user_privilege_discovery.yml @@ -1,20 +1,24 @@ name: Windows System User Privilege Discovery id: 8c9a06bc-9939-4425-9bb9-be2371f7fb7e -version: 1 -date: '2023-12-15' +version: 2 +date: '2024-05-23' author: Teoderick Contreras, Splunk status: production type: Hunting data_source: - Sysmon EventID 1 -description: This analytic looks for the execution of `whoami.exe` with /priv parameter. - This whoami command is used to display or shows the privileges assigned to the current user account. - This hunting query can be a good pivot start to look for suspicious usage of whoami application that might related to a malware or adversaries. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes - where Processes.process_name="whoami.exe" Processes.process= "*/priv*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +description: The following analytic detects the execution of `whoami.exe` with the + `/priv` parameter, which displays the privileges assigned to the current user account. + It leverages data from Endpoint Detection and Response (EDR) agents, focusing on + process names and command-line executions. This activity is significant as it may + indicate an adversary attempting to enumerate user privileges, a common step in + the reconnaissance phase of an attack. If confirmed malicious, this could lead to + privilege escalation or further exploitation within the environment. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name="whoami.exe" + Processes.process= "*/priv*" by Processes.dest Processes.user Processes.parent_process + Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_user_privilege_discovery_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related @@ -25,7 +29,8 @@ how_to_implement: The detection is based on data that originates from Endpoint D the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Administrators or power users may use this command for troubleshooting. Filter as needed. +known_false_positives: Administrators or power users may use this command for troubleshooting. + Filter as needed. references: - https://attack.mitre.org/techniques/T1033/ - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a @@ -35,7 +40,8 @@ tags: asset_type: Endpoint confidence: 50 impact: 30 - message: Activity related to system user privilege discovery detected on $dest$ using whoami.exe. + message: Activity related to system user privilege discovery detected on $dest$ + using whoami.exe. mitre_attack_id: - T1033 observable: @@ -65,6 +71,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/whoami_priv/whoami-priv-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/whoami_priv/whoami-priv-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_terminating_lsass_process.yml b/detections/endpoint/windows_terminating_lsass_process.yml index 1a1246ccc7..fe239ff752 100644 --- a/detections/endpoint/windows_terminating_lsass_process.yml +++ b/detections/endpoint/windows_terminating_lsass_process.yml @@ -1,26 +1,24 @@ name: Windows Terminating Lsass Process id: 7ab3c319-a4e7-4211-9e8c-40a049d0dba6 -version: 1 -date: '2023-04-14' +version: 2 +date: '2024-05-23' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This analytic is to detect a suspicious process terminating Lsass process. - Lsass process is known to be a critical process that is responsible for enforcing - security policy system. This process was commonly targetted by threat actor or red - teamer to gain privilege escalation or persistence in the targeted machine because - it handles credentials of the logon users. In this analytic we tried to detect a - suspicious process having a granted access PROCESS_TERMINATE to lsass process to - modify or delete protected registrys. This technique was seen in doublezero malware - that tries to wipe files and registry in compromised hosts. This anomaly detection - can be a good pivot of incident response for possible credential dumping or evading - security policy in a host or network environment. +description: The following analytic detects a suspicious process attempting to terminate + the Lsass.exe process. It leverages Sysmon EventCode 10 logs to identify processes + granted PROCESS_TERMINATE access to Lsass.exe. This activity is significant because + Lsass.exe is a critical process responsible for enforcing security policies and + handling user credentials. If confirmed malicious, this behavior could indicate + an attempt to perform credential dumping, privilege escalation, or evasion of security + policies, potentially leading to unauthorized access and persistence within the + environment. data_source: - Sysmon EventID 10 search: '`sysmon` EventCode=10 TargetImage=*lsass.exe GrantedAccess = 0x1 | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage, TargetImage, - TargetProcessId, SourceProcessId, GrantedAccess CallTrace, dest | rename dest - as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + TargetProcessId, SourceProcessId, GrantedAccess CallTrace, dest | rename dest as + dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_terminating_lsass_process_filter`' how_to_implement: This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 10 for lsass.exe. This search uses an input macro named `sysmon`. @@ -70,6 +68,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/doublezero_wiper/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/doublezero_wiper/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_time_based_evasion.yml b/detections/endpoint/windows_time_based_evasion.yml index 7e4c22e9cd..66c6773554 100644 --- a/detections/endpoint/windows_time_based_evasion.yml +++ b/detections/endpoint/windows_time_based_evasion.yml @@ -1,23 +1,26 @@ name: Windows Time Based Evasion id: 34502357-deb1-499a-8261-ffe144abf561 -version: 1 -date: '2023-09-08' +version: 2 +date: '2024-05-24' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 1 -description: This analytic is designed to detect potentially malicious processes that initiate a ping delay using an invalid IP address. - This evasion technique was observed in NJRAT, where the malware employed ping commands as a means to introduce a time delay before self-deletion on the compromised host. - Identifying this (TTP) behavior can serve as a valuable indicator for detecting NJRAT infections or other malware that employ time delays as - evasion tactics. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes - where Processes.process_name = "ping.exe" Processes.parent_process = "* ping 0 -n *" OR Processes.process = "* ping 0 -n *" - by Processes.parent_process Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest - | `drop_dm_object_name("Processes")` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_time_based_evasion_filter`' +description: The following analytic detects potentially malicious processes that initiate + a ping delay using an invalid IP address. It leverages data from Endpoint Detection + and Response (EDR) agents, focusing on command-line executions involving "ping 0 + -n". This behavior is significant as it is commonly used by malware like NJRAT to + introduce time delays for evasion tactics, such as delaying self-deletion. If confirmed + malicious, this activity could indicate an active infection attempting to evade + detection, potentially leading to further compromise and persistence within the + environment. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "ping.exe" + Processes.parent_process = "* ping 0 -n *" OR Processes.process = "* ping 0 -n *" + by Processes.parent_process Processes.process_name Processes.process_id Processes.process_guid + Processes.process Processes.user Processes.dest | `drop_dm_object_name("Processes")` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_time_based_evasion_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -64,6 +67,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1497.003/njrat_ping_delay_before_delete/ping_0.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1497.003/njrat_ping_delay_before_delete/ping_0.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_time_based_evasion_via_choice_exec.yml b/detections/endpoint/windows_time_based_evasion_via_choice_exec.yml index 205de10bc1..4b780c85e4 100644 --- a/detections/endpoint/windows_time_based_evasion_via_choice_exec.yml +++ b/detections/endpoint/windows_time_based_evasion_via_choice_exec.yml @@ -1,23 +1,26 @@ name: Windows Time Based Evasion via Choice Exec id: d5f54b38-10bf-4b3a-b6fc-85949862ed50 -version: 1 -date: '2024-02-14' +version: 2 +date: '2024-05-28' author: Teoderick Contreras, Splunk status: production type: Anomaly data_source: - Sysmon EventID 1 -description: This analytic is designed to detect potentially suspicious batch files that leverage choice.exe as a delay tactic. - This technique, observed in the SnakeKeylogger malware, is utilized for time delays or 'Sleep' commands in its code execution - or before the deletion of its copies on compromised hosts. Detecting this anomaly serves as a valuable pivot to uncover - suspicious processes attempting to evade detection through time-based evasion techniques. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes - where Processes.process_name =choice.exe Processes.process = "*/T*" Processes.process = "*/N*" - by Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest Processes.user - | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_time_based_evasion_via_choice_exec_filter`' +description: The following analytic detects the use of choice.exe in batch files as + a delay tactic, a technique observed in SnakeKeylogger malware. It leverages data + from Endpoint Detection and Response (EDR) agents, focusing on process names and + command-line executions. This activity is significant as it indicates potential + time-based evasion techniques used by malware to avoid detection. If confirmed malicious, + this behavior could allow attackers to execute code stealthily, delete malicious + files, and persist on compromised hosts, making it crucial for SOC analysts to investigate + promptly. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name =choice.exe Processes.process + = "*/T*" Processes.process = "*/N*" by Processes.parent_process_name Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid + Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_time_based_evasion_via_choice_exec_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -27,8 +30,8 @@ how_to_implement: The detection is based on data that originates from Endpoint D the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: administrator may use choice.exe to allow user to choose from and indexes of choices from a batch - script. +known_false_positives: administrator may use choice.exe to allow user to choose from + and indexes of choices from a batch script. references: - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/choice - https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger @@ -66,6 +69,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1497.003/time_delay_using_choice_exe/snakekeylogger_choice.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1497.003/time_delay_using_choice_exe/snakekeylogger_choice.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_uac_bypass_suspicious_child_process.yml b/detections/endpoint/windows_uac_bypass_suspicious_child_process.yml index 08b19ede05..bdc5625734 100644 --- a/detections/endpoint/windows_uac_bypass_suspicious_child_process.yml +++ b/detections/endpoint/windows_uac_bypass_suspicious_child_process.yml @@ -1,21 +1,34 @@ name: Windows UAC Bypass Suspicious Child Process id: 453a6b0f-b0ea-48fa-9cf4-20537ffdd22c -version: 1 -date: '2023-11-20' +version: 2 +date: '2024-05-22' author: Steven Dick status: production type: TTP -description: The following analytic detects when an executable known for User Account Control bypass exploitation, spawns a child process in user controlled location or a command shell executable (cmd, powershell, etc). This behavioral chain may indicate that an attacker has used a UAC Bypass exploit to successfully escalate privileges. +description: The following analytic detects when an executable known for User Account + Control (UAC) bypass exploitation spawns a child process in a user-controlled location + or a command shell executable (e.g., cmd.exe, powershell.exe). This detection leverages + Sysmon Event ID 1 data, focusing on high or system integrity level processes with + specific parent-child process relationships. This activity is significant as it + may indicate an attacker has successfully used a UAC bypass exploit to escalate + privileges. If confirmed malicious, this could allow the attacker to execute arbitrary + commands with elevated privileges, potentially compromising the entire system. data_source: - Sysmon EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_integrity_level IN ("high","system") AND Processes.parent_process_name IN (`uacbypass_process_name`) AND (Processes.process_name IN ("cmd.exe","powershell.exe","pwsh.exe","wscript","cscript.exe","bash.exe","werfault.exe") OR Processes.process IN ("*\\\\*","*\\Users\\*","*\\ProgramData\\*","*\\Temp\\*")) by Processes.dest, Processes.user, Processes.parent_process_guid, Processes.parent_process, Processes.parent_process_name Processes.process_name Processes.process, Processes.process_path, Processes.process_integrity_level, Processes.process_current_directory - | `drop_dm_object_name(Processes)` - | where parent_process_name != process_name - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_uac_bypass_suspicious_child_process_filter`' -how_to_implement: Target environment must ingest sysmon data, specifically Event ID 1 with process integrity level data. -known_false_positives: Including Werfault.exe may cause some unintended false positives related to normal application faulting, but is used in a number of UAC bypass techniques. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_integrity_level + IN ("high","system") AND Processes.parent_process_name IN (`uacbypass_process_name`) + AND (Processes.process_name IN ("cmd.exe","powershell.exe","pwsh.exe","wscript","cscript.exe","bash.exe","werfault.exe") + OR Processes.process IN ("*\\\\*","*\\Users\\*","*\\ProgramData\\*","*\\Temp\\*")) + by Processes.dest, Processes.user, Processes.parent_process_guid, Processes.parent_process, + Processes.parent_process_name Processes.process_name Processes.process, Processes.process_path, + Processes.process_integrity_level, Processes.process_current_directory | `drop_dm_object_name(Processes)` + | where parent_process_name != process_name | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_uac_bypass_suspicious_child_process_filter`' +how_to_implement: Target environment must ingest sysmon data, specifically Event ID + 1 with process integrity level data. +known_false_positives: Including Werfault.exe may cause some unintended false positives + related to normal application faulting, but is used in a number of UAC bypass techniques. references: - https://attack.mitre.org/techniques/T1548/002/ - https://atomicredteam.io/defense-evasion/T1548.002/ @@ -28,7 +41,8 @@ tags: asset_type: Endpoint confidence: 75 impact: 60 - message: A UAC bypass parent process- $parent_process_name$ on host- $dest$ launched a suspicious child process - $process_name$. + message: A UAC bypass parent process- $parent_process_name$ on host- $dest$ launched + a suspicious child process - $process_name$. mitre_attack_id: - T1548 - T1548.002 @@ -64,7 +78,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/uac_behavior/uac_behavior_sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/uac_behavior/uac_behavior_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog update_timestamp: true diff --git a/detections/endpoint/windows_uac_bypass_suspicious_escalation_behavior.yml b/detections/endpoint/windows_uac_bypass_suspicious_escalation_behavior.yml index b77e64ea20..7f18816f7f 100644 --- a/detections/endpoint/windows_uac_bypass_suspicious_escalation_behavior.yml +++ b/detections/endpoint/windows_uac_bypass_suspicious_escalation_behavior.yml @@ -1,33 +1,46 @@ name: Windows UAC Bypass Suspicious Escalation Behavior id: 00d050d3-a5b4-4565-a6a5-a31f69681dc3 -version: 1 -date: '2023-11-20' +version: 2 +date: '2024-05-27' author: Steven Dick status: production type: TTP -description: The following analytic detects when a process spawns an executable known for User Account Control bypass exploitation, and then monitors for any subsequent child processes that are above the integrity level of the original spawning process. This behavioral chain may indicate that an attacker has used a UAC Bypass exploit to successfully escalate privileges. +description: The following analytic detects when a process spawns an executable known + for User Account Control (UAC) bypass exploitation and subsequently monitors for + any child processes with a higher integrity level than the original process. This + detection leverages Sysmon Event ID 1 data, focusing on process integrity levels + and known UAC bypass executables. This activity is significant as it may indicate + an attacker has successfully used a UAC bypass exploit to escalate privileges. If + confirmed malicious, the attacker could gain elevated privileges, potentially leading + to further system compromise and persistent access. data_source: - Sysmon EventID 1 -search: '| tstats `security_content_summariesonly` count max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_integrity_level IN ("low","medium") by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.process_guid, Processes.process_path, Processes.process_integrity_level, Processes.process_current_directory - | `drop_dm_object_name(Processes)` - | eval original_integrity_level = CASE(match(process_integrity_level,"low"),1,match(process_integrity_level,"medium"),2,match(process_integrity_level,"high"),3,match(process_integrity_level,"system"),4,true(),0) - | rename process_guid as join_guid_1, process* as parent_process* - | join max=0 dest join_guid_1 - [| tstats `security_content_summariesonly` count min(_time) as firstTime from datamodel=Endpoint.Processes where Processes.process_integrity_level IN ("high","system") AND Processes.process_name IN (`uacbypass_process_name`) by Processes.dest, Processes.parent_process_guid, Processes.process_name, Processes.process_guid - | `drop_dm_object_name(Processes)` - | rename parent_process_guid as join_guid_1, process_guid as join_guid_2, process_name as uac_process_name ] - | join max=0 dest join_guid_2 - [| tstats `security_content_summariesonly` count min(_time) as firstTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (`uacbypass_process_name`) AND Processes.process_integrity_level IN ("high","system") by Processes.dest, Processes.parent_process_guid, Processes.process_name, Processes.process, Processes.process_guid, Processes.process_path, Processes.process_integrity_level, Processes.process_current_directory - | `drop_dm_object_name(Processes)` - | rename parent_process_guid as join_guid_2 - | eval elevated_integrity_level = CASE(match(process_integrity_level,"low"),1,match(process_integrity_level,"medium"),2,match(process_integrity_level,"high"),3,match(process_integrity_level,"system"),4,true(),0)] - | where elevated_integrity_level > original_integrity_level - | table dest user parent_process parent_process_name parent_process_integrity_level process_integrity_level process process_name uac_process_name count firstTime lastTime - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_uac_bypass_suspicious_escalation_behavior_filter`' -how_to_implement: Target environment must ingest sysmon data, specifically Event ID 1 with process integrity level data. -known_false_positives: Including Werfault.exe may cause some unintended false positives related to normal application faulting, but is used in a number of UAC bypass techniques. +search: '| tstats `security_content_summariesonly` count max(_time) as lastTime from + datamodel=Endpoint.Processes where Processes.process_integrity_level IN ("low","medium") + by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.process_guid, + Processes.process_path, Processes.process_integrity_level, Processes.process_current_directory + | `drop_dm_object_name(Processes)` | eval original_integrity_level = CASE(match(process_integrity_level,"low"),1,match(process_integrity_level,"medium"),2,match(process_integrity_level,"high"),3,match(process_integrity_level,"system"),4,true(),0) + | rename process_guid as join_guid_1, process* as parent_process* | join max=0 dest + join_guid_1 [| tstats `security_content_summariesonly` count min(_time) as firstTime + from datamodel=Endpoint.Processes where Processes.process_integrity_level IN ("high","system") + AND Processes.process_name IN (`uacbypass_process_name`) by Processes.dest, Processes.parent_process_guid, + Processes.process_name, Processes.process_guid | `drop_dm_object_name(Processes)` + | rename parent_process_guid as join_guid_1, process_guid as join_guid_2, process_name + as uac_process_name ] | join max=0 dest join_guid_2 [| tstats `security_content_summariesonly` + count min(_time) as firstTime from datamodel=Endpoint.Processes where Processes.parent_process_name + IN (`uacbypass_process_name`) AND Processes.process_integrity_level IN ("high","system") + by Processes.dest, Processes.parent_process_guid, Processes.process_name, Processes.process, + Processes.process_guid, Processes.process_path, Processes.process_integrity_level, + Processes.process_current_directory | `drop_dm_object_name(Processes)` | rename + parent_process_guid as join_guid_2 | eval elevated_integrity_level = CASE(match(process_integrity_level,"low"),1,match(process_integrity_level,"medium"),2,match(process_integrity_level,"high"),3,match(process_integrity_level,"system"),4,true(),0)] + | where elevated_integrity_level > original_integrity_level | table dest user parent_process + parent_process_name parent_process_integrity_level process_integrity_level process + process_name uac_process_name count firstTime lastTime | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_uac_bypass_suspicious_escalation_behavior_filter`' +how_to_implement: Target environment must ingest sysmon data, specifically Event ID + 1 with process integrity level data. +known_false_positives: Including Werfault.exe may cause some unintended false positives + related to normal application faulting, but is used in a number of UAC bypass techniques. references: - https://attack.mitre.org/techniques/T1548/002/ - https://atomicredteam.io/defense-evasion/T1548.002/ @@ -40,7 +53,8 @@ tags: asset_type: Endpoint confidence: 80 impact: 80 - message: A UAC bypass behavior was detected by parent process name- $parent_process_name$ on host $dest$ by $user$. + message: A UAC bypass behavior was detected by parent process name- $parent_process_name$ + on host $dest$ by $user$. mitre_attack_id: - T1548 - T1548.002 @@ -84,7 +98,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/uac_behavior/uac_behavior_sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/uac_behavior/uac_behavior_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog update_timestamp: true diff --git a/detections/endpoint/windows_unsecured_outlook_credentials_access_in_registry.yml b/detections/endpoint/windows_unsecured_outlook_credentials_access_in_registry.yml index 4b60c78516..c482f4cee1 100644 --- a/detections/endpoint/windows_unsecured_outlook_credentials_access_in_registry.yml +++ b/detections/endpoint/windows_unsecured_outlook_credentials_access_in_registry.yml @@ -1,23 +1,25 @@ name: Windows Unsecured Outlook Credentials Access In Registry id: 36334123-077d-47a2-b70c-6c7b3cc85049 -version: 1 -date: '2024-02-14' +version: 2 +date: '2024-05-22' author: Teoderick Contreras, Splunk status: production type: Anomaly data_source: - Windows Event Log Security 4663 -description: The following analytic identifies a suspicious query on outlook credentials registry in Windows OS registry. - typically refers to user profiles associated with Microsoft Outlook. Within this key, Outlook stores configuration settings, - including account information such as email addresses, server details, and authentication credentials. Accessing or modifying - this registry key can potentially compromise users' email security, making it a target for attackers seeking to steal sensitive - information or execute unauthorized actions within Outlook. This anomaly detection is a good pivot to catch possible Trojan Stealer or RAT - that tries to steal sensitive information to its targeted host. -search: '`wineventlog_security` EventCode=4663 object_file_path IN ("*\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676*", "*\\Windows Messaging Subsystem\\Profiles\\9375CFF0413111d3B88A00104B2A6676*") - AND process_name != *\\outlook.exe - | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +description: The following analytic detects unauthorized access to Outlook credentials + stored in the Windows registry. It leverages Windows Security Event logs, specifically + EventCode 4663, to identify access attempts to registry paths associated with Outlook + profiles. This activity is significant as it may indicate attempts to steal sensitive + email credentials, which could lead to unauthorized access to email accounts. If + confirmed malicious, this could allow attackers to exfiltrate sensitive information, + impersonate users, or execute further unauthorized actions within Outlook, posing + a significant security risk. +search: '`wineventlog_security` EventCode=4663 object_file_path IN ("*\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676*", + "*\\Windows Messaging Subsystem\\Profiles\\9375CFF0413111d3B88A00104B2A6676*") AND + process_name != *\\outlook.exe | stats count min(_time) as firstTime max(_time) + as lastTime by object_file_name object_file_path process_name process_path process_id + EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_unsecured_outlook_credentials_access_in_registry_filter`' how_to_implement: To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in @@ -32,7 +34,8 @@ tags: asset_type: Endpoint confidence: 70 impact: 70 - message: A suspicious process $process_name$ accessing outlook credentials registry on $dest$ + message: A suspicious process $process_name$ accessing outlook credentials registry + on $dest$ mitre_attack_id: - T1552 observable: @@ -58,6 +61,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552/snakey_keylogger_outlook_reg_access/snakekeylogger_4663.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552/snakey_keylogger_outlook_reg_access/snakekeylogger_4663.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_unsigned_dll_side_loading.yml b/detections/endpoint/windows_unsigned_dll_side_loading.yml index e864d90ae8..0217eacff5 100644 --- a/detections/endpoint/windows_unsigned_dll_side_loading.yml +++ b/detections/endpoint/windows_unsigned_dll_side_loading.yml @@ -1,29 +1,30 @@ name: Windows Unsigned DLL Side-Loading id: 5a83ce44-8e0f-4786-a775-8249a525c879 -version: 1 -date: '2023-07-26' +version: 2 +date: '2024-05-31' author: Teoderick Contreras, Splunk status: production type: Anomaly data_source: - Sysmon EventID 7 -description: This analytic focuses on detecting potentially malicious unsigned DLLs created in either the c:\windows\system32 or c:\windows\syswow64 folders. - This particular technique was observed in the context of the Warzone (Ave Maria) RAT, where it employed a method known as DLL hijacking (dll-side-loading) - by dropping the "dismcore.dll" to achieve privilege escalation. - DLL hijacking is a stealthy attack technique used by cybercriminals to exploit the way Windows searches and loads DLLs. By placing a malicious DLL with the - same name as one that a legitimate application is expected to load, the attacker can gain unauthorized access and execute malicious code. - In the case of Warzone RAT (Ave Maria), the dropped "dismcore.dll" was intended to deceive the system into loading the rogue DLL instead of the legitimate version, - thereby granting the malware elevated privileges and enabling further compromise of the target system. - Detecting such suspicious DLLs is crucial in preventing privilege escalation attacks and other potential security breaches. Regular security assessments, thorough monitoring, - and implementing security best practices are essential in safeguarding systems from such threats. -search: '`sysmon` EventCode=7 Signed=false OriginalFileName = "-" SignatureStatus="unavailable" ImageLoaded IN ("*:\\windows\\system32\\*", "*:\\windows\\syswow64\\*") - | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded Signed SignatureStatus OriginalFileName process_name dest EventCode ProcessId Hashes IMPHASH - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_unsigned_dll_side_loading_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. - If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -known_false_positives: It is possible some Administrative utilities will load dismcore.dll outside of normal system paths, filter as needed. +description: The following analytic detects the creation of potentially malicious + unsigned DLLs in the c:\windows\system32 or c:\windows\syswow64 folders. It leverages + Sysmon EventCode 7 logs to identify unsigned DLLs with unavailable signatures loaded + in these critical directories. This activity is significant as it may indicate a + DLL hijacking attempt, a technique used by attackers to gain unauthorized access + and execute malicious code. If confirmed malicious, this could lead to privilege + escalation, allowing the attacker to gain elevated privileges and further compromise + the target system. +search: '`sysmon` EventCode=7 Signed=false OriginalFileName = "-" SignatureStatus="unavailable" + ImageLoaded IN ("*:\\windows\\system32\\*", "*:\\windows\\syswow64\\*") | stats + count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded Signed + SignatureStatus OriginalFileName process_name dest EventCode ProcessId Hashes IMPHASH + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_unsigned_dll_side_loading_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name and imageloaded executions from your endpoints. If you + are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. +known_false_positives: It is possible some Administrative utilities will load dismcore.dll + outside of normal system paths, filter as needed. references: - https://asec.ahnlab.com/en/17692/ - https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/warzone#:~:text=Warzone%20RAT%20(AKA%20Ave%20Maria)%20is%20a%20remote%20access%20trojan,is%20as%20an%20information%20stealer. @@ -49,21 +50,22 @@ tags: risk_score: 49 required_fields: - _time - - Image - - ImageLoaded - - Signed - - SignatureStatus - - OriginalFileName - - process_name - - dest - - EventCode - - ProcessId - - Hashes - - IMPHASH + - Image + - ImageLoaded + - Signed + - SignatureStatus + - OriginalFileName + - process_name + - dest + - EventCode + - ProcessId + - Hashes + - IMPHASH security_domain: endpoint tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/warzone_rat/unsigned_dll_loaded/loaded_unsigned_dll.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/warzone_rat/unsigned_dll_loaded/loaded_unsigned_dll.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml b/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml new file mode 100644 index 0000000000..67361645f1 --- /dev/null +++ b/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml @@ -0,0 +1,69 @@ +name: Windows Unsigned DLL Side-Loading In Same Process Path +id: 3cf85c02-f9d6-4186-bf3c-e70ee99fbc7f +version: 1 +date: '2024-06-07' +author: Teoderick Contreras, Splunk +data_source: +- Sysmon Event ID 7 +type: TTP +status: production +description: This detection identifies unsigned DLLs loaded through DLL side-loading with same file path with the process loaded the DLL, a technique observed in DarkGate malware. + This detection monitors DLL loading, verifies signatures, and flags unsigned DLLs. Suspicious file paths and known executable + associations are checked. Detecting such suspicious DLLs is crucial in preventing privilege escalation attacks and other potential security breaches. Regular security assessments, thorough monitoring, + and implementing security best practices are essential in safeguarding systems from such threats. +search: '`sysmon` EventCode=7 Signed=false SignatureStatus != Valid NOT (Image IN ("*:\\windows\\system32\\*", "*:\\windows\\syswow64\\*", "c:\\Program Files*")) NOT (ImageLoaded IN ("*:\\windows\\system32\\*", "*:\\windows\\syswow64\\*", "c:\\Program Files*")) + | rex field=Image "(?.+\\\)" + | rex field=ImageLoaded "(?.+\\\)" + | where ImageFolderPath = ImageLoadedFolderPath + | stats count min(_time) as firstTime max(_time) as lastTime by Image ProcessGuid ImageLoaded user Computer EventCode ImageFolderPath ImageLoadedFolderPath Company Description Product Signed SignatureStatus + | rename Computer as dest + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_unsigned_dll_side_loading_in_same_process_path_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. + If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. +known_false_positives: unknown +references: +- https://www.splunk.com/en_us/blog/security/enter-the-gates-an-analysis-of-the-darkgate-autoit-loader.html +- https://www.trendmicro.com/en_us/research/23/b/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows.html +tags: + analytic_story: + - DarkGate Malware + - PlugX + asset_type: Endpoint + confidence: 70 + impact: 70 + message: An unsigned dll module was loaded on $dest$ + mitre_attack_id: + - T1574.002 + - T1574 + observable: + - name: dest + type: Endpoint + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + risk_score: 49 + required_fields: + - _time + - Image + - ImageLoaded + - Signed + - SignatureStatus + - OriginalFileName + - process_name + - dest + - EventCode + - ProcessId + - Hashes + - IMPHASH + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.002/unsigned_dll_loaded_same_process_path/unsigned_dll_process_path.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_unsigned_ms_dll_side_loading.yml b/detections/endpoint/windows_unsigned_ms_dll_side_loading.yml index 44a7ee83e7..5ac3b46ab7 100644 --- a/detections/endpoint/windows_unsigned_ms_dll_side_loading.yml +++ b/detections/endpoint/windows_unsigned_ms_dll_side_loading.yml @@ -1,40 +1,40 @@ name: Windows Unsigned MS DLL Side-Loading id: 8d9e0e06-ba71-4dc5-be16-c1a46d58728c -version: 1 -date: '2024-04-05' +version: 2 +date: '2024-05-27' author: Teoderick Contreras, Splunk data_source: - Sysmon Event ID 7 type: Anomaly status: production -description: The following analysis identifies potential DLL side-loading instances involving unsigned DLLs with - a company detail signature mimicking Microsoft. This technique is frequently exploited by adversaries to execute - malicious code automatically by running a legitimate process. The analytics involves searching Sysmon logs for Event Code 7, - where both the `Image` and `ImageLoaded` paths do not match system directories (`system32`, `syswow64`, and `programfiles`). - Additionally, it verifies whether the loaded DLL is signed and checks if the folder paths of the `Image` and `ImageLoaded` are identical. - This anomaly detection mechanism serves as a valuable indicator for identifying suspicious processes that load unsigned DLLs. Add other paths based on org hunting. -search: '`sysmon` EventCode=7 Company="Microsoft Corporation" Signed=false SignatureStatus != Valid - NOT (Image IN("C:\\Windows\\System32\\*", "C:\\Windows\\SysWow64\\*", "C:\\Program Files*")) - NOT (ImageLoaded IN("C:\\Windows\\System32\\*", "C:\\Windows\\SysWow64\\*", "C:\\Program Files*")) - | rex field=Image "(?.+\\\)" - | rex field=ImageLoaded "(?.+\\\)" - | where ImageFolderPath = ImageLoadedFolderPath - | stats count min(_time) as firstTime max(_time) as lastTime by Image ProcessGuid ImageLoaded user Computer EventCode ImageFolderPath ImageLoadedFolderPath Company Description Product Signed SignatureStatus - | rename Computer as dest - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_unsigned_ms_dll_side_loading_filter`' +description: The following analytic identifies potential DLL side-loading instances + involving unsigned DLLs mimicking Microsoft signatures. It detects this activity + by analyzing Sysmon logs for Event Code 7, where both the `Image` and `ImageLoaded` + paths do not match system directories like `system32`, `syswow64`, and `programfiles`. + This behavior is significant as adversaries often exploit DLL side-loading to execute + malicious code via legitimate processes. If confirmed malicious, this activity could + allow attackers to execute arbitrary code, potentially leading to privilege escalation, + persistence, and unauthorized access to sensitive information. +search: '`sysmon` EventCode=7 Company="Microsoft Corporation" Signed=false SignatureStatus + != Valid NOT (Image IN("C:\\Windows\\System32\\*", "C:\\Windows\\SysWow64\\*", "C:\\Program + Files*")) NOT (ImageLoaded IN("C:\\Windows\\System32\\*", "C:\\Windows\\SysWow64\\*", + "C:\\Program Files*")) | rex field=Image "(?.+\\\)" | rex field=ImageLoaded + "(?.+\\\)" | where ImageFolderPath = ImageLoadedFolderPath + | stats count min(_time) as firstTime max(_time) as lastTime by Image ProcessGuid + ImageLoaded user Computer EventCode ImageFolderPath ImageLoadedFolderPath Company + Description Product Signed SignatureStatus | rename Computer as dest | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_unsigned_ms_dll_side_loading_filter`' how_to_implement: The analytic is designed to be run against Sysmon event logs collected - from endpoints. The analytic requires the Sysmon event logs to be ingested into Splunk. - The analytic searches for EventCode 7 where the Image is either SQLDumper.exe or SQLWriter.exe - and the ImageLoaded is vcruntime140.dll. The search also filters out the legitimate - loading of vcruntime140.dll from the System32 directory to reduce false positives. - The analytic can be modified to include additional known good paths for vcruntime140.dll - to further reduce false positives. + from endpoints. The analytic requires the Sysmon event logs to be ingested into + Splunk. The analytic searches for EventCode 7 where the Image is either SQLDumper.exe + or SQLWriter.exe and the ImageLoaded is vcruntime140.dll. The search also filters + out the legitimate loading of vcruntime140.dll from the System32 directory to reduce + false positives. The analytic can be modified to include additional known good paths + for vcruntime140.dll to further reduce false positives. known_false_positives: False positives are possible if legitimate processes are loading - vcruntime140.dll from non-standard directories. It is recommended to investigate the - context of the process loading vcruntime140.dll to determine if it is malicious or - not. Modify the search to include additional known good paths for vcruntime140.dll + vcruntime140.dll from non-standard directories. It is recommended to investigate + the context of the process loading vcruntime140.dll to determine if it is malicious + or not. Modify the search to include additional known good paths for vcruntime140.dll to reduce false positives. references: - https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties @@ -78,6 +78,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.002/unsigned_dll_load//wineloader_dll_sideload.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.002/unsigned_dll_load//wineloader_dll_sideload.log sourcetype: xmlwineventlog source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_unusual_count_of_disabled_users_failed_auth_using_kerberos.yml b/detections/endpoint/windows_unusual_count_of_disabled_users_failed_auth_using_kerberos.yml index fc17d42212..c35ac5aff3 100644 --- a/detections/endpoint/windows_unusual_count_of_disabled_users_failed_auth_using_kerberos.yml +++ b/detections/endpoint/windows_unusual_count_of_disabled_users_failed_auth_using_kerberos.yml @@ -1,28 +1,15 @@ author: Mauricio Velazco, Splunk data_source: - Windows Event Log Security 4768 -date: '2022-09-22' -description: 'The following analytic identifies one source endpoint failing to authenticate - with multiple disabled domain users using the Kerberos protocol. This behavior could - represent an adversary performing a Password Spraying attack against an Active Directory - environment using Kerberos to obtain initial access or elevate privileges. As attackers - progress in a breach, mistakes will be made. In certain scenarios, adversaries may - execute a password spraying attack against disabled users. Event 4768 is generated - every time the Key Distribution Center issues a Kerberos Ticket Granting Ticket - (TGT). Failure code `0x12` stands for `clients credentials have been revoked` (account - disabled, expired or locked out). - - The detection calculates the standard deviation for each host and leverages the - 3-sigma statistical rule to identify an unusual number of users. To customize this - analytic, users can try different combinations of the `bucket` span time and the - calculation of the `upperBound` field. This logic can be used for real time security - monitoring as well as threat hunting exercises. - - This detection will only trigger on domain controllers, not on member servers or - workstations. - - The analytics returned fields allow analysts to investigate the event further by - providing fields like source ip and attempted user accounts.' +date: '2024-05-25' +description: 'The following analytic identifies a source endpoint failing to authenticate + with multiple disabled domain users using the Kerberos protocol. It leverages EventCode + 4768, which is generated when the Key Distribution Center issues a Kerberos Ticket + Granting Ticket (TGT) and detects failure code `0x12` (credentials revoked). This + behavior is significant as it may indicate a Password Spraying attack targeting + disabled accounts, potentially leading to initial access or privilege escalation. + If confirmed malicious, attackers could gain unauthorized access or elevate privileges + within the Active Directory environment.' how_to_implement: To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. @@ -39,7 +26,7 @@ search: '`wineventlog_security` EventCode=4768 TargetUserName!=*$ Status=0x12 | as user by _time, IpAddress | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by IpAddress | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) - | search isOutlier=1 | `windows_unusual_count_of_disabled_users_failed_auth_using_kerberos_filter` ' + | search isOutlier=1 | `windows_unusual_count_of_disabled_users_failed_auth_using_kerberos_filter`' status: production tags: analytic_story: @@ -76,9 +63,10 @@ tags: security_domain: endpoint tests: - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_disabled_users_kerberos_xml/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_disabled_users_kerberos_xml/windows-security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog name: True Positive Test type: Anomaly -version: 1 +version: 2 diff --git a/detections/endpoint/windows_unusual_count_of_invalid_users_fail_to_auth_using_kerberos.yml b/detections/endpoint/windows_unusual_count_of_invalid_users_fail_to_auth_using_kerberos.yml index ebc5ba53b2..73c8ec95b0 100644 --- a/detections/endpoint/windows_unusual_count_of_invalid_users_fail_to_auth_using_kerberos.yml +++ b/detections/endpoint/windows_unusual_count_of_invalid_users_fail_to_auth_using_kerberos.yml @@ -1,28 +1,15 @@ author: Mauricio Velazco, Splunk data_source: - Windows Event Log Security 4768 -date: '2022-09-22' -description: 'The following analytic identifies one source endpoint failing to authenticate - with multiple invalid domain users using the Kerberos protocol. This behavior could - represent an adversary performing a Password Spraying attack against an Active Directory - environment using Kerberos to obtain initial access or elevate privileges. As attackers - progress in a breach, mistakes will be made. In certain scenarios, adversaries may - execute a password spraying attack using an invalid list of users. Event 4768 is - generated every time the Key Distribution Center issues a Kerberos Ticket Granting - Ticket (TGT). Failure code 0x6 stands for `client not found in Kerberos database` - (the attempted user is not a valid domain user). - - The detection calculates the standard deviation for each host and leverages the - 3-sigma statistical rule to identify an unusual number of users. To customize this - analytic, users can try different combinations of the `bucket` span time and the - calculation of the `upperBound` field. This logic can be used for real time security - monitoring as well as threat hunting exercises. - - This detection will only trigger on domain controllers, not on member servers or - workstations. - - The analytics returned fields allow analysts to investigate the event further by - providing fields like source ip and attempted user accounts.' +date: '2024-05-31' +description: 'The following analytic identifies a source endpoint failing to authenticate + with multiple invalid domain users using the Kerberos protocol. It leverages Event + ID 4768, which is generated when the Key Distribution Center issues a Kerberos Ticket + Granting Ticket (TGT) and detects failure code 0x6, indicating the user is not found + in the Kerberos database. This behavior is significant as it may indicate a Password + Spraying attack, where an adversary attempts to gain initial access or elevate privileges. + If confirmed malicious, this activity could lead to unauthorized access and potential + privilege escalation within the Active Directory environment.' how_to_implement: To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. @@ -39,7 +26,7 @@ search: '`wineventlog_security` EventCode=4768 TargetUserName!=*$ Status=0x6 | b as user by _time, IpAddress | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by IpAddress | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) - | search isOutlier=1 | `windows_unusual_count_of_invalid_users_fail_to_auth_using_kerberos_filter` ' + | search isOutlier=1 | `windows_unusual_count_of_invalid_users_fail_to_auth_using_kerberos_filter`' status: production tags: analytic_story: @@ -76,9 +63,10 @@ tags: security_domain: endpoint tests: - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_kerberos_xml/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_kerberos_xml/windows-security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog name: True Positive Test type: Anomaly -version: 1 +version: 2 diff --git a/detections/endpoint/windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm.yml b/detections/endpoint/windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm.yml index 8294f2b9aa..7a5203e123 100644 --- a/detections/endpoint/windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm.yml +++ b/detections/endpoint/windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm.yml @@ -1,29 +1,15 @@ author: Mauricio Velazco, Splunk data_source: - Windows Event Log Security 4776 -date: '2022-09-22' -description: 'The following analytic identifies one source endpoint failing to authenticate - with multiple invalid users using the NTLM protocol. This behavior could represent - an adversary performing a Password Spraying attack against an Active Directory environment - using NTLM to obtain initial access or elevate privileges. As attackers progress - in a breach, mistakes will be made. In certain scenarios, adversaries may execute - a password spraying attack using an invalid list of users. Event 4776 is generated - on the computer that is authoritative for the provided credentials. For domain accounts, - the domain controller is authoritative. For local accounts, the local computer is - authoritative. Error code 0xC0000064 stands for `The username you typed does not - exist` (the attempted user is a legitimate domain user). - - The detection calculates the standard deviation for each host and leverages the - 3-sigma statistical rule to identify an unusual number of users. To customize this - analytic, users can try different combinations of the `bucket` span time and the - calculation of the `upperBound` field. This logic can be used for real time security - monitoring as well as threat hunting exercises. - - This detection will only trigger on domain controllers, not on member servers or - workstations. - - The analytics returned fields allow analysts to investigate the event further by - providing fields like source workstation name and attempted user accounts.' +date: '2024-05-19' +description: 'The following analytic identifies a source endpoint failing to authenticate + with multiple invalid users using the NTLM protocol. It leverages EventCode 4776 + and calculates the standard deviation for each host, using the 3-sigma rule to detect + anomalies. This behavior is significant as it may indicate a Password Spraying attack, + where an adversary attempts to gain initial access or elevate privileges. If confirmed + malicious, this activity could lead to unauthorized access or privilege escalation, + posing a significant threat to the Active Directory environment. This detection + is focused on domain controllers.' how_to_implement: To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `Audit Credential Validation' within `Account Logon` needs to be enabled. @@ -40,12 +26,10 @@ references: - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776 search: ' `wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xc0000064 | bucket span=2m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) - as user by _time, Workstation | eventstats avg(unique_accounts) as comp_avg - , stdev(unique_accounts) as comp_std by Workstation | eval upperBound=(comp_avg+comp_std*3) - | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) - | search isOutlier=1 - | rename Workstation as src - |`windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm_filter`' + as user by _time, Workstation | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) + as comp_std by Workstation | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts + > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | rename Workstation + as src |`windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm_filter`' status: production tags: analytic_story: @@ -81,9 +65,10 @@ tags: security_domain: endpoint tests: - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_ntlm_xml/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_ntlm_xml/windows-security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog name: True Positive Test type: Anomaly -version: 1 +version: 2 diff --git a/detections/endpoint/windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials.yml b/detections/endpoint/windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials.yml index 657070e18e..458d7d8f5f 100644 --- a/detections/endpoint/windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials.yml +++ b/detections/endpoint/windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials.yml @@ -1,27 +1,14 @@ author: Mauricio Velazco, Splunk data_source: - Windows Event Log Security 4648 -date: '2022-09-22' +date: '2024-05-14' description: 'The following analytic identifies a source user failing to authenticate - with multiple users using explicit credentials on a host. This behavior could represent - an adversary performing a Password Spraying attack against an Active Directory environment - to obtain initial access or elevate privileges. Event 4648 is generated when a process - attempts an account logon by explicitly specifying that accounts credentials. This - event generates on domain controllers, member servers, and workstations. - - The detection calculates the standard deviation for each host and leverages the - 3-sigma statistical rule to identify an unusual number of users. To customize this - analytic, users can try different combinations of the `bucket` span time and the - calculation of the `upperBound` field. This logic can be used for real time security - monitoring as well as threat hunting exercises. - - This detection will trigger on the potenfially malicious host, perhaps controlled - via a trojan or operated by an insider threat, from where a password spraying attack - is being executed. - - The analytics returned fields allow analysts to investigate the event further by - providing fields like source account, attempted user accounts and the endpoint were - the behavior was identified.' + with multiple users using explicit credentials on a host. It leverages Windows Event + Code 4648 and calculates the standard deviation for each host, using the 3-sigma + rule to detect anomalies. This behavior is significant as it may indicate a Password + Spraying attack, where an adversary attempts to gain initial access or elevate privileges. + If confirmed malicious, this activity could lead to unauthorized access, privilege + escalation, or further compromise of the Active Directory environment.' how_to_implement: To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs @@ -42,7 +29,7 @@ search: ' `wineventlog_security` EventCode=4648 Caller_User_Name!=*$ Target_User as user by _time, Computer, Caller_User_Name | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by Computer | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) - | search isOutlier=1 | `windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials_filter` ' + | search isOutlier=1 | `windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials_filter`' status: production tags: analytic_story: @@ -79,9 +66,10 @@ tags: security_domain: endpoint tests: - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_explicit_credential_spray_xml/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_explicit_credential_spray_xml/windows-security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog name: True Positive Test type: Anomaly -version: 1 +version: 2 diff --git a/detections/endpoint/windows_unusual_count_of_users_failed_to_auth_using_kerberos.yml b/detections/endpoint/windows_unusual_count_of_users_failed_to_auth_using_kerberos.yml index f5cbd8d917..32184389f6 100644 --- a/detections/endpoint/windows_unusual_count_of_users_failed_to_auth_using_kerberos.yml +++ b/detections/endpoint/windows_unusual_count_of_users_failed_to_auth_using_kerberos.yml @@ -1,26 +1,15 @@ author: Mauricio Velazco, Splunk data_source: - Windows Event Log Security 4771 -date: '2022-09-22' -description: 'The following analytic identifies one source endpoint failing to authenticate - with multiple valid users using the Kerberos protocol. This behavior could represent - an adversary performing a Password Spraying attack against an Active Directory environment - using Kerberos to obtain initial access or elevate privileges. Event 4771 is generated - when the Key Distribution Center fails to issue a Kerberos Ticket Granting Ticket - (TGT). Failure code 0x18 stands for `wrong password provided` (the attempted user - is a legitimate domain user). - - The detection calculates the standard deviation for each host and leverages the - 3-sigma statistical rule to identify an unusual number of users. To customize this - analytic, users can try different combinations of the `bucket` span time and the - calculation of the `upperBound` field. This logic can be used for real time security - monitoring as well as threat hunting exercises. - - This detection will only trigger on domain controllers, not on member servers or - workstations. - - The analytics returned fields allow analysts to investigate the event further by - providing fields like source ip and attempted user accounts.' +date: '2024-05-28' +description: 'The following analytic identifies a source endpoint failing to authenticate + multiple valid users using the Kerberos protocol, potentially indicating a Password + Spraying attack. It leverages Event 4771, which is generated when the Key Distribution + Center fails to issue a Kerberos Ticket Granting Ticket (TGT) due to a wrong password + (failure code 0x18). This detection uses statistical analysis, specifically the + 3-sigma rule, to identify unusual authentication failures. If confirmed malicious, + this activity could allow an attacker to gain initial access or elevate privileges + within an Active Directory environment.' how_to_implement: To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. @@ -36,10 +25,9 @@ references: - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4771 search: '`wineventlog_security` EventCode=4771 TargetUserName!="*$" Status=0x18 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) - as user by _time, IpAddress | eventstats avg(unique_accounts) as comp_avg - , stdev(unique_accounts) as comp_std by IpAddress | eval upperBound=(comp_avg+comp_std*3) - | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) - | search isOutlier=1 | `windows_unusual_count_of_users_failed_to_auth_using_kerberos_filter`' + as user by _time, IpAddress | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) + as comp_std by IpAddress | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts + > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_users_failed_to_auth_using_kerberos_filter`' status: production tags: analytic_story: @@ -76,9 +64,10 @@ tags: security_domain: endpoint tests: - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_valid_users_kerberos_xml/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_valid_users_kerberos_xml/windows-security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog name: True Positive Test type: Anomaly -version: 1 +version: 2 diff --git a/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_from_process.yml b/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_from_process.yml index c5df59c633..b9a9ff7198 100644 --- a/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_from_process.yml +++ b/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_from_process.yml @@ -1,27 +1,15 @@ author: Mauricio Velazco, Splunk data_source: - Windows Event Log Security 4625 -date: '2022-09-22' -description: 'The following analytic identifies a source process name failing to authenticate - with multiple users. This behavior could represent an adversary performing a Password - Spraying attack against an Active Directory environment to obtain initial access - or elevate privileges. Event 4625 generates on domain controllers, member servers, - and workstations when an account fails to logon. Logon Type 2 describes an iteractive - logon attempt. - - The detection calculates the standard deviation for each host and leverages the - 3-sigma statistical rule to identify an unusual number of users. To customize this - analytic, users can try different combinations of the `bucket` span time and the - calculation of the `upperBound` field. This logic can be used for real time security - monitoring as well as threat hunting exercises. - - This detection will trigger on the potenfially malicious host, perhaps controlled - via a trojan or operated by an insider threat, from where a password spraying attack - is being executed. This could be a domain controller as well as a member server - or workstation. - - The analytics returned fields allow analysts to investigate the event further by - providing fields like source process name, source account and attempted user accounts.' +date: '2024-05-21' +description: 'The following analytic identifies a source process failing to authenticate + multiple users, potentially indicating a Password Spraying attack. It leverages + Windows Event 4625, which logs failed logon attempts, and uses statistical analysis + to detect anomalies. This activity is significant as it may represent an adversary + attempting to gain initial access or elevate privileges within an Active Directory + environment. If confirmed malicious, the attacker could compromise multiple accounts, + leading to unauthorized access, data exfiltration, or further lateral movement within + the network.' how_to_implement: To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers aas well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs @@ -41,7 +29,7 @@ search: ' `wineventlog_security` EventCode=4625 Logon_Type=2 ProcessName!="-" | as user by _time, ProcessName, SubjectUserName, Computer | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by ProcessName, SubjectUserName, Computer | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts - > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_users_failed_to_authenticate_from_process_filter` ' + > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_users_failed_to_authenticate_from_process_filter`' status: production tags: analytic_story: @@ -80,9 +68,10 @@ tags: security_domain: endpoint tests: - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_multiple_users_from_process_xml/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_multiple_users_from_process_xml/windows-security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog name: True Positive Test type: Anomaly -version: 1 +version: 2 diff --git a/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_using_ntlm.yml b/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_using_ntlm.yml index 3cacce8ca3..48afd2bdfe 100644 --- a/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_using_ntlm.yml +++ b/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_using_ntlm.yml @@ -1,27 +1,15 @@ author: Mauricio Velazco, Splunk data_source: - Windows Event Log Security 4776 -date: '2022-09-22' -description: 'The following analytic identifies one source endpoint failing to authenticate - with multiple valid users using the NTLM protocol. This behavior could represent - an adversary performing a Password Spraying attack against an Active Directory environment - using NTLM to obtain initial access or elevate privileges. Event 4776 is generated - on the computer that is authoritative for the provided credentials. For domain accounts, - the domain controller is authoritative. For local accounts, the local computer is - authoritative. Error code 0xC000006A means: misspelled or bad password (the attempted - user is a legitimate domain user). - - The detection calculates the standard deviation for each host and leverages the - 3-sigma statistical rule to identify an unusual number of users. To customize this - analytic, users can try different combinations of the `bucket` span time and the - calculation of the `upperBound` field. This logic can be used for real time security - monitoring as well as threat hunting exercises. - - This detection will only trigger on domain controllers, not on member servers or - workstations. - - The analytics returned fields allow analysts to investigate the event further by - providing fields like source workstation name and attempted user accounts.' +date: '2024-05-12' +description: 'The following analytic identifies a source endpoint failing to authenticate + multiple valid users using the NTLM protocol, potentially indicating a Password + Spraying attack. It leverages Event 4776 from Domain Controllers, calculating the + standard deviation for each host and applying the 3-sigma rule to detect anomalies. + This activity is significant as it may represent an adversary attempting to gain + initial access or elevate privileges. If confirmed malicious, the attacker could + compromise multiple accounts, leading to unauthorized access and potential lateral + movement within the network.' how_to_implement: To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `Audit Credential Validation` within `Account Logon` needs to be enabled. @@ -73,9 +61,10 @@ tags: security_domain: endpoint tests: - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_valid_users_ntlm_xml/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_valid_users_ntlm_xml/windows-security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog name: True Positive Test type: Anomaly -version: 1 +version: 2 diff --git a/detections/endpoint/windows_unusual_count_of_users_remotely_failed_to_auth_from_host.yml b/detections/endpoint/windows_unusual_count_of_users_remotely_failed_to_auth_from_host.yml index 7e6420cea9..8c07be7abd 100644 --- a/detections/endpoint/windows_unusual_count_of_users_remotely_failed_to_auth_from_host.yml +++ b/detections/endpoint/windows_unusual_count_of_users_remotely_failed_to_auth_from_host.yml @@ -1,26 +1,14 @@ author: Mauricio Velazco, Splunk data_source: - Windows Event Log Security 4625 -date: '2022-09-22' +date: '2024-05-18' description: 'The following analytic identifies a source host failing to authenticate - against a remote host with multiple users. This behavior could represent an adversary - performing a Password Spraying attack against an Active Directory environment to - obtain initial access or elevate privileges. Event 4625 documents each and every - failed attempt to logon to the local computer. This event generates on domain controllers, - member servers, and workstations. Logon Type 3 describes an remote authentication - attempt. - - The detection calculates the standard deviation for each host and leverages the - 3-sigma statistical rule to identify an unusual number of users. To customize this - analytic, users can try different combinations of the `bucket` span time and the - calculation of the `upperBound` field. This logic can be used for real time security - monitoring as well as threat hunting exercises. - - This detection will trigger on the host that is the target of the password spraying - attack. This could be a domain controller as well as a member server or workstation. - - The analytics returned fields allow analysts to investigate the event further by - providing fields like source process name, source account and attempted user accounts.' + against a remote host with multiple users, potentially indicating a Password Spraying + attack. It leverages Windows Event 4625 (failed logon attempts) and Logon Type 3 + (remote authentication) to detect this behavior. This activity is significant as + it may represent an adversary attempting to gain initial access or elevate privileges + within an Active Directory environment. If confirmed malicious, this could lead + to unauthorized access, privilege escalation, and further compromise of the network.' how_to_implement: To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs @@ -41,7 +29,7 @@ search: ' `wineventlog_security` EventCode=4625 Logon_Type=3 IpAddress!="-" | b as tried_accounts by _time, IpAddress, Computer | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by IpAddress, Computer | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) - | search isOutlier=1 | `windows_unusual_count_of_users_remotely_failed_to_auth_from_host_filter` ' + | search isOutlier=1 | `windows_unusual_count_of_users_remotely_failed_to_auth_from_host_filter`' status: production tags: analytic_story: @@ -74,9 +62,10 @@ tags: security_domain: endpoint tests: - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_remote_spray_xml/windows-security.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_remote_spray_xml/windows-security.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog name: True Positive Test type: Anomaly -version: 1 +version: 2 diff --git a/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml b/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml index 74d1239d7f..819ed666d4 100644 --- a/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml +++ b/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml @@ -1,17 +1,17 @@ name: Windows User Execution Malicious URL Shortcut File id: 5c7ee6ad-baf4-44fb-b2f0-0cfeddf82dbc -version: 1 -date: '2023-01-12' +version: 2 +date: '2024-05-16' author: Teoderick Contreras, Splunk status: production type: TTP -description: This analytic will identify suspicious creation of URL shortcut link - files. This technique was seen in CHAOS ransomware where it will drop this .url - link file in %startup% folder that contains the path of its malicious dropped file - to execute upon the reboot of the targeted host. The creation of this file can be - created by a normal application or software but it is a good practice to verify - this type of file specially the resource it tries to execute which is commonly a - website. +description: The following analytic detects the creation of suspicious URL shortcut + link files, often used by malware like CHAOS ransomware. It leverages the Endpoint.Filesystem + datamodel to identify .url files created outside standard directories, such as Program + Files. This activity is significant as it may indicate an attempt to execute malicious + code upon system reboot. If confirmed malicious, this could allow an attacker to + achieve persistence and execute harmful payloads, potentially leading to further + system compromise and data loss. data_source: - Sysmon EventID 11 search: '|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -67,7 +67,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/chaos_ransomware/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/chaos_ransomware/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_valid_account_with_never_expires_password.yml b/detections/endpoint/windows_valid_account_with_never_expires_password.yml index bb90665866..8e84d9e45c 100644 --- a/detections/endpoint/windows_valid_account_with_never_expires_password.yml +++ b/detections/endpoint/windows_valid_account_with_never_expires_password.yml @@ -1,25 +1,27 @@ name: Windows Valid Account With Never Expires Password id: 73a931db-1830-48b3-8296-cd9cfa09c3c8 -version: 1 -date: '2022-06-23' +version: 2 +date: '2024-05-28' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic identifies net.exe updating user account policies - for password requirement with non-expiring password. This technique was seen in - several adversaries and malware like Azorult to maintain the foothold (persistence), - gaining privilege escalation, defense evasion and possible for lateral movement - for specific users or created user account on the targeted host. This TTP detections - is a good pivot to see further what other events that users executes on the machines. +description: The following analytic detects the use of net.exe to update user account + policies to set passwords as non-expiring. It leverages data from Endpoint Detection + and Response (EDR) agents, focusing on command-line executions involving "/maxpwage:unlimited". + This activity is significant as it can indicate an attempt to maintain persistence, + escalate privileges, evade defenses, or facilitate lateral movement. If confirmed + malicious, this behavior could allow an attacker to maintain long-term access to + compromised accounts, potentially leading to further exploitation and unauthorized + access to sensitive information. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND Processes.process="* accounts *" AND Processes.process="* - /maxpwage:unlimited" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name - Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `windows_valid_account_with_never_expires_password_filter`' + /maxpwage:unlimited" by Processes.dest Processes.user Processes.parent_process_name + Processes.process_name Processes.original_file_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_valid_account_with_never_expires_password_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -71,7 +73,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_vulnerable_3cx_software.yml b/detections/endpoint/windows_vulnerable_3cx_software.yml index 8f19bb4cb2..7dccbaa56b 100644 --- a/detections/endpoint/windows_vulnerable_3cx_software.yml +++ b/detections/endpoint/windows_vulnerable_3cx_software.yml @@ -1,27 +1,35 @@ name: Windows Vulnerable 3CX Software id: f2cc1584-46ee-485b-b905-977c067f36de -version: 1 -date: '2023-03-30' +version: 2 +date: '2024-05-18' author: Michael Haag, Splunk type: TTP status: production data_source: - Sysmon EventID 1 -description: The following analytic leverages Sysmon, a powerful system monitoring and logging tool, to pinpoint instances of the 3CXDesktopApp.exe with a FileVersion of 18.12.x.Recently, 3CX has discovered a vulnerability specifically in versions 18.12.407 and 18.12.416 of the desktop app. -search: '`sysmon` (process_name=3CXDesktopApp.exe OR OriginalFileName=3CXDesktopApp.exe) FileVersion=18.12.* | stats count min(_time) as firstTime max(_time) as lastTime by dest, parent_process_name,process_name, OriginalFileName, CommandLine - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)`| `windows_vulnerable_3cx_software_filter`' +description: The following analytic detects instances of the 3CXDesktopApp.exe with + a FileVersion of 18.12.x, leveraging Sysmon logs. This detection focuses on identifying + vulnerable versions 18.12.407 and 18.12.416 of the 3CX desktop app. Monitoring this + activity is crucial as these specific versions have known vulnerabilities that could + be exploited by attackers. If confirmed malicious, exploitation of this vulnerability + could lead to unauthorized access, code execution, or further compromise of the + affected system, posing significant security risks. +search: '`sysmon` (process_name=3CXDesktopApp.exe OR OriginalFileName=3CXDesktopApp.exe) FileVersion=18.12.* + | stats count min(_time) as firstTime max(_time) as lastTime by dest, parent_process_name,process_name, + OriginalFileName, CommandLine | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| + `windows_vulnerable_3cx_software_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -known_false_positives: False positives may be present based on file version, modify the analytic to only look for version between 18.12.407 and 18.12.416 as needed. +known_false_positives: False positives may be present based on file version, modify + the analytic to only look for version between 18.12.407 and 18.12.416 as needed. references: - - https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/ - - https://www.cisa.gov/news-events/alerts/2023/03/30/supply-chain-attack-against-3cxdesktopapp - - https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/ - - https://www.3cx.com/community/threads/crowdstrike-endpoint-security-detection-re-3cx-desktop-app.119934/page-2#post-558898 - - https://www.3cx.com/community/threads/3cx-desktopapp-security-alert.119951/ +- https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/ +- https://www.cisa.gov/news-events/alerts/2023/03/30/supply-chain-attack-against-3cxdesktopapp +- https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/ +- https://www.3cx.com/community/threads/crowdstrike-endpoint-security-detection-re-3cx-desktop-app.119934/page-2#post-558898 +- https://www.3cx.com/community/threads/3cx-desktopapp-security-alert.119951/ tags: analytic_story: - 3CX Supply Chain Attack @@ -30,7 +38,8 @@ tags: cve: - CVE-2023-29059 impact: 100 - message: A known vulnerable instance of 3CX Software $process_name$ ran on $dest$, related to a supply chain attack. + message: A known vulnerable instance of 3CX Software $process_name$ ran on $dest$, + related to a supply chain attack. mitre_attack_id: - T1195.002 observable: @@ -59,6 +68,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1195.002/3CX/3cx_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1195.002/3CX/3cx_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_vulnerable_driver_loaded.yml b/detections/endpoint/windows_vulnerable_driver_loaded.yml index 5ac379d1e3..c85fdcc548 100644 --- a/detections/endpoint/windows_vulnerable_driver_loaded.yml +++ b/detections/endpoint/windows_vulnerable_driver_loaded.yml @@ -1,17 +1,18 @@ name: Windows Vulnerable Driver Loaded id: a2b1f1ef-221f-4187-b2a4-d4b08ec745f4 version: 2 -date: "2022-12-12" +date: "2024-05-18" author: Michael Haag, Splunk status: experimental type: Hunting -description: - The following analytic utilizes a known list of vulnerable Windows drivers - to help defenders find potential persistence or privelege escalation via a vulnerable - driver. This analytic uses Sysmon EventCode 6, driver loading. A known gap with - this lookup is that it does not use the hash or known signer of the vulnerable driver - therefore it is up to the defender to identify version and signing info and confirm - it is a vulnerable driver. +description: The following analytic detects the loading of known vulnerable Windows + drivers, which may indicate potential persistence or privilege escalation attempts. + It leverages Sysmon EventCode 6 to identify driver loading events and cross-references + them with a list of vulnerable drivers. This activity is significant as attackers + often exploit vulnerable drivers to gain elevated privileges or maintain persistence + on a system. If confirmed malicious, this could allow attackers to execute arbitrary + code with high privileges, leading to further system compromise and potential data + exfiltration. data_source: - Sysmon EventID 6 search: @@ -19,60 +20,58 @@ search: max(_time) as lastTime count by dest ImageLoaded | lookup loldrivers driver_name AS ImageLoaded OUTPUT is_driver driver_description | search is_driver = TRUE | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_vulnerable_driver_loaded_filter`" -how_to_implement: - Sysmon collects driver loads via EventID 6, however you may modify +how_to_implement: Sysmon collects driver loads via EventID 6, however you may modify the query to utilize this lookup to identify potentially persistent drivers that are known to be vulnerable. -known_false_positives: - False positives will be present. Drill down into the driver +known_false_positives: False positives will be present. Drill down into the driver further by version number and cross reference by signer. Review the reference material in the lookup. In addition, modify the query to look within specific paths, which will remove a lot of "normal" drivers. references: - - https://github.com/SigmaHQ/sigma/blob/master/rules/windows/driver_load/driver_load_vuln_drivers_names.yml - - https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md - - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules - - https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/ - - https://github.com/jbaines-r7/dellicious - - https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md - - https://github.com/namazso/physmem_drivers - - https://github.com/stong/CVE-2020-15368 - - https://github.com/CaledoniaProject/drivers-binaries - - https://github.com/Chigusa0w0/AsusDriversPrivEscala - - https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/ - - https://eclypsium.com/2019/11/12/mother-of-all-drivers/ - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37969 +- https://github.com/SigmaHQ/sigma/blob/master/rules/windows/driver_load/driver_load_vuln_drivers_names.yml +- https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md +- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules +- https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/ +- https://github.com/jbaines-r7/dellicious +- https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md +- https://github.com/namazso/physmem_drivers +- https://github.com/stong/CVE-2020-15368 +- https://github.com/CaledoniaProject/drivers-binaries +- https://github.com/Chigusa0w0/AsusDriversPrivEscala +- https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/ +- https://eclypsium.com/2019/11/12/mother-of-all-drivers/ +- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37969 tags: analytic_story: - - Windows Drivers - - BlackByte Ransomware + - Windows Drivers + - BlackByte Ransomware asset_type: Endpoint confidence: 50 impact: 50 - message: - An process has loaded a possible vulnerable driver on $dest$. Review and + message: An process has loaded a possible vulnerable driver on $dest$. Review and escalate as needed. mitre_attack_id: - - T1543.003 + - T1543.003 observable: - - name: dest - type: Hostname - role: - - Victim + - name: dest + type: Hostname + role: + - Victim product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud required_fields: - - _time - - dest - - ImageLoaded + - _time + - dest + - ImageLoaded risk_score: 25 security_domain: endpoint tests: - - name: True Positive Test - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1014/windows-sysmon.log - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog - update_timestamp: true +- name: True Positive Test + attack_data: + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1014/windows-sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: xmlwineventlog + update_timestamp: true diff --git a/detections/endpoint/windows_windbg_spawning_autoit3.yml b/detections/endpoint/windows_windbg_spawning_autoit3.yml index 4338649148..d9fca3e811 100644 --- a/detections/endpoint/windows_windbg_spawning_autoit3.yml +++ b/detections/endpoint/windows_windbg_spawning_autoit3.yml @@ -1,21 +1,39 @@ name: Windows WinDBG Spawning AutoIt3 id: 7aec015b-cd69-46c3-85ed-dac152056aa4 -version: 1 -date: '2023-10-31' +version: 2 +date: '2024-05-11' author: Michael Haag, Splunk status: production type: TTP data_source: - Sysmon EventID 1 -description: The following analytic identifies instances of the WinDBG process spawning AutoIt3. This behavior may indicate malicious activity as AutoIt3 is often used by threat actors for scripting malicious automation. The search specifically looks for instances where the parent process name is 'windbg.exe' and the process name is 'autoit3.exe' or 'autoit*.exe'. During the triage process, it is recommended to review the file path for additional artifacts that may provide further insights into the event. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=windbg.exe AND (Processes.process_name IN ("autoit3.exe", "autoit*.exe") OR Processes.original_file_name IN ("autoit3.exe", "autoit*.exe")) by Processes.dest, Processes.user, Processes.parent_process_name, Processes.process_name, Processes.original_file_name, Processes.process, Processes.process_id, Processes.parent_process_id - | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | eval matches_extension=if(match(process, "\\.(au3|a3x|exe|aut|aup)$"), "Yes", "No") - | search matches_extension="Yes" | `windows_windbg_spawning_autoit3_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives will only be present if the WinDBG process legitimately spawns AutoIt3. Filter as needed. +description: The following analytic identifies instances of the WinDBG process spawning + AutoIt3. This behavior is detected by monitoring endpoint telemetry for processes + where 'windbg.exe' is the parent process and 'autoit3.exe' or similar is the child + process. This activity is significant because AutoIt3 is frequently used by threat + actors for scripting malicious automation, potentially indicating an ongoing attack. + If confirmed malicious, this could allow attackers to automate tasks, execute arbitrary + code, and further compromise the system, leading to data exfiltration or additional + malware deployment. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=windbg.exe AND + (Processes.process_name IN ("autoit3.exe", "autoit*.exe") OR Processes.original_file_name + IN ("autoit3.exe", "autoit*.exe")) by Processes.dest, Processes.user, Processes.parent_process_name, + Processes.process_name, Processes.original_file_name, Processes.process, Processes.process_id, + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | eval matches_extension=if(match(process, + "\\.(au3|a3x|exe|aut|aup)$"), "Yes", "No") | search matches_extension="Yes" | `windows_windbg_spawning_autoit3_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives will only be present if the WinDBG process + legitimately spawns AutoIt3. Filter as needed. references: - https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2023-10-25-IOCs-from-DarkGate-activity.txt tags: @@ -64,6 +82,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/autoit/windbg_autoit.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/autoit/windbg_autoit.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_winlogon_with_public_network_connection.yml b/detections/endpoint/windows_winlogon_with_public_network_connection.yml index b31dcd18d6..4917a62735 100644 --- a/detections/endpoint/windows_winlogon_with_public_network_connection.yml +++ b/detections/endpoint/windows_winlogon_with_public_network_connection.yml @@ -1,33 +1,21 @@ name: Windows WinLogon with Public Network Connection id: 65615b3a-62ea-4d65-bb9f-6f07c17df4ea -version: 2 -date: '2024-01-30' +version: 3 +date: '2024-05-23' author: Michael Haag, Splunk status: experimental type: Hunting data_source: - Sysmon EventID 1 - Sysmon EventID 3 -description: 'The following analytic is designed to detect anomalous behavior associated - with the BlackLotus Campaign, a sophisticated bootkit attack reported by ESET and - further investigated in a blog by Microsoft, which provided hunting queries for - security analysts. The primary focus of this analytic is to identify instances of - Winlogon.exe, a critical Windows process, connecting to public IP space, which is - indicative of potential malicious activity.\ The BlackLotus Campaign is a bootkit-based - attack that compromises system integrity by infecting the Master Boot Record (MBR) - and Volume Boot Record (VBR). This malware variant can bypass traditional security - measures, load before the operating system, and maintain persistence on the target - system. - - Winlogon.exe is a critical Windows process responsible for managing user logon and - logoff processes. Under normal circumstances, Winlogon.exe should not be connecting - to public IP addresses. However, if it does, it may indicate that the process has - been compromised as part of the BlackLotus Campaign or another malicious operation. - - This analytic monitors network connections made by Winlogon.exe and triggers an - alert if it detects connections to public IP space. By identifying such anomalous - behavior, security analysts can investigate further and respond swiftly to potential - threats.' +description: 'The following analytic detects instances of Winlogon.exe, a critical + Windows process, connecting to public IP addresses. This behavior is identified + using Endpoint Detection and Response (EDR) telemetry, focusing on network connections + made by Winlogon.exe. Under normal circumstances, Winlogon.exe should not connect + to public IPs, and such activity may indicate a compromise, such as the BlackLotus + bootkit attack. This detection is significant as it highlights potential system + integrity breaches. If confirmed malicious, attackers could maintain persistence, + bypass security measures, and compromise the system at a fundamental level.' search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (winlogon.exe) Processes.process!=unknown by Processes.dest Processes.user Processes.parent_process_name Processes.process_name @@ -85,6 +73,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1542.003/bootkits/network-winlogon-windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1542.003/bootkits/network-winlogon-windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_wmi_impersonate_token.yml b/detections/endpoint/windows_wmi_impersonate_token.yml index 07def3c05b..f6cb1a1bf1 100644 --- a/detections/endpoint/windows_wmi_impersonate_token.yml +++ b/detections/endpoint/windows_wmi_impersonate_token.yml @@ -1,15 +1,17 @@ name: Windows WMI Impersonate Token id: cf192860-2d94-40db-9a51-c04a2e8a8f8b -version: 1 -date: '2022-10-24' +version: 2 +date: '2024-05-29' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic identifies a possible wmi token impersonation - activities in a process or command. This technique was seen in Qakbot malware where - it will execute a vbscript code contains wmi impersonation object to gain privilege - escalation or as defense evasion. This Anomaly detection looks for wmiprvse.exe - SourceImage having a duplicate handle or full granted access in a target process. +description: The following analytic detects potential WMI token impersonation activities + in a process or command. It leverages Sysmon EventCode 10 to identify instances + where `wmiprvse.exe` has a duplicate handle or full granted access in a target process. + This behavior is significant as it is commonly used by malware like Qakbot for privilege + escalation or defense evasion. If confirmed malicious, this activity could allow + an attacker to gain elevated privileges, evade defenses, and maintain persistence + within the environment. data_source: - Sysmon EventID 10 search: '`sysmon` EventCode=10 SourceImage = "*\\wmiprvse.exe" GrantedAccess IN ("0x1478", @@ -63,7 +65,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/wmi_impersonate/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/wmi_impersonate/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_wmi_process_and_service_list.yml b/detections/endpoint/windows_wmi_process_and_service_list.yml index e8cc9fbb21..c9499e2dfb 100644 --- a/detections/endpoint/windows_wmi_process_and_service_list.yml +++ b/detections/endpoint/windows_wmi_process_and_service_list.yml @@ -1,16 +1,18 @@ name: Windows WMI Process And Service List id: ef3c5ef2-3f6d-4087-aa75-49bf746dc907 -version: 1 -date: '2022-11-30' +version: 2 +date: '2024-05-21' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic identifies suspicious process command line, where - WMI is performing an event query looking for running processes or running services. - This technique is commonly found where the adversary will identify services and - system information on the compromised machine. During triage, review parallel processes - within the same timeframe. Review the full script block to identify other related - artifacts. +description: The following analytic identifies suspicious WMI command lines querying + for running processes or services. It leverages data from Endpoint Detection and + Response (EDR) agents, focusing on specific process and command-line events. This + activity is significant as adversaries often use WMI to gather system information + and identify services on compromised machines. If confirmed malicious, this behavior + could allow attackers to map out the system, identify critical services, and plan + further attacks, potentially leading to privilege escalation or persistence within + the environment. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -73,7 +75,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/endpoint/windows_wmi_process_call_create.yml b/detections/endpoint/windows_wmi_process_call_create.yml index 2a4401706e..efc4d39129 100644 --- a/detections/endpoint/windows_wmi_process_call_create.yml +++ b/detections/endpoint/windows_wmi_process_call_create.yml @@ -1,15 +1,18 @@ name: Windows WMI Process Call Create id: 0661c2de-93de-11ec-9833-acde48001122 -version: 1 -date: '2023-12-27' +version: 2 +date: '2024-05-16' author: Teoderick Contreras, Splunk status: production type: Hunting -description: This analytic is to look for wmi commandlines to execute or create process. - This technique was used by adversaries or threat actor to execute their malicious - payload in local or remote host. This hunting query is a good pivot to start to - look further which process trigger the wmi or what process it execute locally or - remotely. +description: The following analytic detects the execution of WMI command lines used + to create or execute processes. It leverages data from Endpoint Detection and Response + (EDR) agents, focusing on command-line events that include specific keywords like + "process," "call," and "create." This activity is significant because adversaries + often use WMI to execute malicious payloads on local or remote hosts, potentially + bypassing traditional security controls. If confirmed malicious, this behavior could + allow attackers to execute arbitrary code, escalate privileges, or maintain persistence + within the environment, posing a severe threat to organizational security. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -80,6 +83,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/winevent_scheduled_task_created_to_spawn_shell.yml b/detections/endpoint/winevent_scheduled_task_created_to_spawn_shell.yml index b56295b658..cf1a395650 100644 --- a/detections/endpoint/winevent_scheduled_task_created_to_spawn_shell.yml +++ b/detections/endpoint/winevent_scheduled_task_created_to_spawn_shell.yml @@ -1,25 +1,25 @@ name: WinEvent Scheduled Task Created to Spawn Shell id: 203ef0ea-9bd8-11eb-8201-acde48001122 -version: 3 -date: '2024-04-26' +version: 4 +date: '2024-05-18' author: Michael Haag, Splunk status: production type: TTP datamodel: [] -description: The following query utilizes Windows Security EventCode 4698, indicating 'a scheduled task was created', to identify potentially suspicious tasks. These tasks may be registered on Windows through either schtasks.exe or TaskService, and are set up to execute a command with a native Windows shell such as PowerShell, Cmd, Wscript, or Cscript. - - The search will return the initial and final times the task was registered, along with details like the 'Command' set to be executed, 'Task Name', 'Author', whether it's 'Enabled', and if it is 'Hidden'. - - Schtasks.exe is typically found in C:\Windows\system32 and C:\Windows\syswow64. The DLL 'taskschd.dll' is loaded when either schtasks.exe or TaskService is launched. If this DLL is found loaded by another process, it's possible that a scheduled task is being registered within the context of that process in memory. - - During triage, it's essential to identify the source of the scheduled task. Was it registered via schtasks.exe or TaskService? Review the job that was created and the command set to be executed. It's also recommended to capture and review any artifacts on disk, and identify any parallel processes within the same timeframe to locate the source. +description: The following analytic detects the creation of scheduled tasks designed + to execute commands using native Windows shells like PowerShell, Cmd, Wscript, or + Cscript. It leverages Windows Security EventCode 4698 to identify when such tasks + are registered. This activity is significant as it may indicate an attempt to establish + persistence or execute malicious commands on a system. If confirmed malicious, this + could allow an attacker to maintain access, execute arbitrary code, or escalate + privileges, posing a severe threat to the environment. data_source: - Windows Event Log Security 4698 -search: '`wineventlog_security` EventCode=4698 TaskContent IN - ("*powershell.exe*", "*wscript.exe*", "*cscript.exe*", "*cmd.exe*", "*sh.exe*", - "*ksh.exe*", "*zsh.exe*", "*bash.exe*", "*scrcons.exe*", "*pwsh.exe*") | stats count - min(_time) as firstTime max(_time) as lastTime by Computer, TaskName, TaskContent | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `winevent_scheduled_task_created_to_spawn_shell_filter`' +search: '`wineventlog_security` EventCode=4698 TaskContent IN ("*powershell.exe*", + "*wscript.exe*", "*cscript.exe*", "*cmd.exe*", "*sh.exe*", "*ksh.exe*", "*zsh.exe*", + "*bash.exe*", "*scrcons.exe*", "*pwsh.exe*") | stats count min(_time) as firstTime + max(_time) as lastTime by Computer, TaskName, TaskContent | rename Computer as dest + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winevent_scheduled_task_created_to_spawn_shell_filter`' how_to_implement: To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA is also required. @@ -68,7 +68,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/winevent_scheduled_task_created_to_spawn_shell/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/winevent_scheduled_task_created_to_spawn_shell/windows-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml b/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml index c3a2f80f79..c53101d242 100644 --- a/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml +++ b/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml @@ -1,33 +1,25 @@ name: WinEvent Scheduled Task Created Within Public Path id: 5d9c6eee-988c-11eb-8253-acde48001122 -version: 3 -date: '2024-04-26' +version: 4 +date: '2024-05-16' author: Michael Haag, Splunk status: production type: TTP datamodel: [] -description: 'The following analytic utilizes Windows Security EventCode 4698, which - indicates the creation of a scheduled task on a Windows system. The purpose of this - query is to identify suspicious tasks that have been registered using either schtasks.exe or TaskService and involve executing a command from a user-writable file path. - - When this analytic is triggered, it provides information such as the first and last - registration time of the task, the command to be executed, the task name, author, - and whether it is set as hidden or not. It is worth noting that schtasks.exe is - commonly located in C:\Windows\system32 and C:\Windows\syswow64, and it loads the - taskschd.dll DLL when launched. If this DLL is loaded by another process, it suggests - that a scheduled task may be registered within that process''s context in memory. - - During the triage process, it is essential to identify the source of the scheduled - task creation, whether it was initiated through schtasks.exe or TaskService. The - analyst should review the task that was created, including the command to be executed. - Additionally, any artifacts on disk related to the task should be captured and analyzed. It is also recommended to identify any parallel processes that occurred within the same timeframe to determine the source of the task creation. - - By conducting this triage process, security analysts can gain insights into potentiallymalicious or suspicious scheduled tasks, helping them identify the source and assess the impact of the task. This analytic is valuable for a Security Operations Center (SOC) as it can detect unauthorized or suspicious activity that could indicate an attacker''s attempt to establish persistence or execute unauthorized commands on the system.' +description: 'The following analytic detects the creation of scheduled tasks within + user-writable paths using Windows Security EventCode 4698. It identifies tasks registered + via schtasks.exe or TaskService that execute commands from directories like Public, + ProgramData, Temp, and AppData. This behavior is significant as it may indicate + an attempt to establish persistence or execute unauthorized commands. If confirmed + malicious, an attacker could maintain long-term access, escalate privileges, or + execute arbitrary code, posing a severe threat to system integrity and security.' data_source: - Windows Event Log Security 4698 -search: '`wineventlog_security` EventCode=4698 TaskContent IN ("*\\users\\public\\*", "*\\programdata\\*", "*\\temp\\*", "*\\Windows\\Tasks\\*", "*\\appdata\\*", "*\\perflogs\\*") -| stats count min(_time) as firstTime max(_time) as lastTime by Computer, TaskName, TaskContent -| rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winevent_scheduled_task_created_within_public_path_filter`' +search: '`wineventlog_security` EventCode=4698 TaskContent IN ("*\\users\\public\\*", + "*\\programdata\\*", "*\\temp\\*", "*\\Windows\\Tasks\\*", "*\\appdata\\*", "*\\perflogs\\*") + | stats count min(_time) as firstTime max(_time) as lastTime by Computer, TaskName, + TaskContent | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `winevent_scheduled_task_created_within_public_path_filter`' how_to_implement: To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA is also required. @@ -82,6 +74,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/winevent_scheduled_task_created_to_spawn_shell/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/winevent_scheduled_task_created_to_spawn_shell/windows-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml b/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml index d75d0a48d0..a30da724a5 100644 --- a/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml +++ b/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml @@ -1,25 +1,24 @@ name: WinEvent Windows Task Scheduler Event Action Started id: b3632472-310b-11ec-9aab-acde48001122 -version: 2 -date: '2024-04-26' +version: 3 +date: '2024-05-20' author: Michael Haag, Splunk status: production type: Hunting -description: The following hunting analytic aims to identify suspicious tasks that have been registered and executed in Windows using EventID 200 (action run) and 201 (action completed) from the Windows Task Scheduler logs. This analytic helps detect evasive techniques used to register tasks on Windows systems. It is recommended to filter the results based on the ActionName field by specifying specific paths that are not commonly used in your environment. - - After implementing this analytic, it is important to review parallel events related to the scheduled tasks. EventID 106 will be generated when a new task is created, but it does not necessarily mean that the task has been executed. Analysts should capture any files on disk associated with the task and perform further analysis. - - To implement this analytic, Task Scheduler logs must be collected. This can be done by adding a stanza for [WinEventLog://Microsoft-Windows-TaskScheduler/Operational] in the inputs.conf file and setting renderXml=false. It is worth noting that not translating the logs into XML may require specific extraction of items from the Message field. - - False positives are expected with this analytic, so it is important to filter the results based on the paths or specific keywords of interest in the ActionName field to reduce noise. - - Identifying and analyzing scheduled tasks that have been executed is crucial for a Security Operations Center (SOC) as it helps detect potentially malicious or unauthorized activities on Windows systems. By capturing and investigating the associated events, analysts can uncover signs of persistence mechanisms, unauthorized code execution, or suspicious behaviors. The impact of a true positive could range from unauthorized access to data exfiltration or the execution of malicious payloads. -data_source: +description: The following analytic detects the execution of tasks registered in Windows + Task Scheduler by monitoring EventID 200 (action run) and 201 (action completed) + from the Task Scheduler logs. This detection leverages Task Scheduler logs to identify + potentially suspicious or unauthorized task executions. Monitoring these events + is significant for a SOC as it helps uncover evasive techniques used for persistence, + unauthorized code execution, or other malicious activities. If confirmed malicious, + this activity could lead to unauthorized access, data exfiltration, or the execution + of harmful payloads, posing a significant threat to the environment. +data_source: - Windows Event Log TaskScheduler 200 - Windows Event Log TaskScheduler 201 -search: '`wineventlog_task_scheduler` EventCode IN ("200","201") | stats count min(_time) as firstTime max(_time) as lastTime by TaskName - dest EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `winevent_windows_task_scheduler_event_action_started_filter`' +search: '`wineventlog_task_scheduler` EventCode IN ("200","201") | stats count min(_time) + as firstTime max(_time) as lastTime by TaskName dest EventCode | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `winevent_windows_task_scheduler_event_action_started_filter`' how_to_implement: Task Scheduler logs are required to be collected. Enable logging with inputs.conf by adding a stanza for [WinEventLog://Microsoft-Windows-TaskScheduler/Operational] and renderXml=false. Note, not translating it in XML may require a proper extraction @@ -72,6 +71,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/winevent_windows_task_scheduler_event_action_started/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/winevent_windows_task_scheduler_event_action_started/windows-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/winhlp32_spawning_a_process.yml b/detections/endpoint/winhlp32_spawning_a_process.yml index 254c835d87..1193ec77ed 100644 --- a/detections/endpoint/winhlp32_spawning_a_process.yml +++ b/detections/endpoint/winhlp32_spawning_a_process.yml @@ -1,20 +1,18 @@ name: Winhlp32 Spawning a Process id: d17dae9e-2618-11ec-b9f5-acde48001122 -version: 1 -date: '2021-10-05' +version: 2 +date: '2024-05-16' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies winhlp32.exe, found natively in `c:\windows\`, - spawning a child process that loads a file out of appdata, programdata, or temp. - Winhlp32.exe has a rocky past in that multiple vulnerabilities were found and added - to MetaSploit. WinHlp32.exe is required to display 32-bit Help files that have the - ".hlp" file name extension. This particular instance is related to a Remcos sample - where dynwrapx.dll is added to the registry under inprocserver32, and later module - loaded by winhlp32.exe to spawn wscript.exe and load a vbs or file from disk. During - triage, review parallel processes to identify further suspicious behavior. Review - module loads for unsuspecting unsigned modules. Capture any file modifications and - analyze. +description: The following analytic detects winhlp32.exe spawning a child process + that loads a file from appdata, programdata, or temp directories. This detection + leverages data from Endpoint Detection and Response (EDR) agents, focusing on process + creation events. This activity is significant because winhlp32.exe has known vulnerabilities + and can be exploited to execute malicious code. If confirmed malicious, an attacker + could use this technique to execute arbitrary scripts, escalate privileges, or maintain + persistence within the environment. Analysts should review parallel processes, module + loads, and file modifications for further suspicious behavior. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -87,6 +85,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/winrar_spawning_shell_application.yml b/detections/endpoint/winrar_spawning_shell_application.yml index 9c91751398..5f72b97010 100644 --- a/detections/endpoint/winrar_spawning_shell_application.yml +++ b/detections/endpoint/winrar_spawning_shell_application.yml @@ -1,28 +1,20 @@ name: WinRAR Spawning Shell Application id: d2f36034-37fa-4bd4-8801-26807c15540f -version: 1 -date: '2023-08-29' +version: 2 +date: '2024-05-25' author: Michael Haag, Splunk status: production type: TTP data_source: - Sysmon EventID 1 description: The following analytic detects the execution of Windows shell processes - initiated by WinRAR, specifically looking for instances where WinRAR spawns processes - like "cmd.exe", "powershell.exe", "certutil.exe", "mshta.exe", or "bitsadmin.exe". - This behavior is worth identifying for a Security Operations Center (SOC) because - it is indicative of a spoofing attack exploit, such as the one associated with WinRAR - CVE-2023-38831. Cybercriminals exploited this vulnerability to craft ZIP archives - with spoofed extensions, hiding the launch of malicious scripts within an archive. - When a victim opened the specially crafted archive, it executed the malware, leading - to unauthorized access to their broker accounts and enabling the cybercriminals - to perform illicit financial transactions and withdraw funds. If a true positive - is found, it suggests that an attacker has successfully exploited the vulnerability - to execute malicious scripts, leading to unauthorized access, financial loss, and - potentially the delivery of additional malicious payloads. The impact of the attack - could be severe, involving financial loss, unauthorized access to sensitive accounts, - and the potential for further malicious activity such as data theft or ransomware - attacks. + initiated by WinRAR, such as "cmd.exe", "powershell.exe", "certutil.exe", "mshta.exe", + or "bitsadmin.exe". This detection leverages data from Endpoint Detection and Response + (EDR) agents, focusing on process and parent process relationships. This activity + is significant because it may indicate exploitation of the WinRAR CVE-2023-38831 + vulnerability, where malicious scripts are executed from spoofed ZIP archives. If + confirmed malicious, this could lead to unauthorized access, financial loss, and + further malicious activities like data theft or ransomware attacks. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=winrar.exe `windows_shells` OR Processes.process_name IN ("certutil.exe","mshta.exe","bitsadmin.exe") @@ -96,6 +88,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/winrar.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/winrar.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/winrm_spawning_a_process.yml b/detections/endpoint/winrm_spawning_a_process.yml index 501e540b03..8545e5ff94 100644 --- a/detections/endpoint/winrm_spawning_a_process.yml +++ b/detections/endpoint/winrm_spawning_a_process.yml @@ -1,16 +1,17 @@ name: WinRM Spawning a Process id: a081836a-ba4d-11eb-8593-acde48001122 -version: 1 -date: '2023-12-27' +version: 2 +date: '2024-05-20' author: Drew Church, Michael Haag, Splunk status: experimental type: TTP -description: The following analytic identifies suspicious processes spawning from - WinRM (wsmprovhost.exe). This analytic is related to potential exploitation of CVE-2021-31166. - which is a kernel-mode device driver http.sys vulnerability. Current proof of concept - code will blue-screen the operating system. However, http.sys used by many different - Windows processes, including WinRM. In this case, identifying suspicious process - create (child processes) from `wsmprovhost.exe` is what this analytic is identifying. +description: The following analytic detects suspicious processes spawned by WinRM + (wsmprovhost.exe). It leverages data from Endpoint Detection and Response (EDR) + agents, focusing on specific child processes like cmd.exe, powershell.exe, and others. + This activity is significant as it may indicate exploitation attempts of vulnerabilities + like CVE-2021-31166, which could lead to system instability or compromise. If confirmed + malicious, attackers could execute arbitrary commands, escalate privileges, or maintain + persistence, posing a severe threat to the environment. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) diff --git a/detections/endpoint/winword_spawning_cmd.yml b/detections/endpoint/winword_spawning_cmd.yml index feef3b720e..0b0bee811b 100644 --- a/detections/endpoint/winword_spawning_cmd.yml +++ b/detections/endpoint/winword_spawning_cmd.yml @@ -1,26 +1,26 @@ name: Winword Spawning Cmd id: 6fcbaedc-a37b-11eb-956b-acde48001122 -version: 2 -date: '2021-04-22' +version: 3 +date: '2024-05-29' author: Michael Haag, Splunk status: production type: TTP -description: The following detection identifies Microsoft Word spawning `cmd.exe`. - Typically, this is not common behavior and not default with winword.exe. Winword.exe - will generally be found in the following path `C:\Program Files\Microsoft Office\root\Office16` - (version will vary). Cmd.exe spawning from winword.exe is common for a spearphishing - attachment and is actively used. Albeit, the command-line will indicate what is - being executed. During triage, review parallel processes and identify any files - that may have been written. It is possible that COM is utilized to trampoline the - child process to `explorer.exe` or `wmiprvse.exe`. +description: The following analytic identifies instances where Microsoft Word (winword.exe) + spawns the command prompt (cmd.exe). This behavior is detected using Endpoint Detection + and Response (EDR) telemetry, focusing on process creation events where the parent + process is winword.exe. This activity is significant because it is uncommon and + often associated with spearphishing attacks, where malicious attachments execute + commands via cmd.exe. If confirmed malicious, this could allow an attacker to execute + arbitrary commands, potentially leading to further system compromise, data exfiltration, + or lateral movement within the network. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=winword.exe - `process_cmd` by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.original_file_name - Processes.process_name Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `winword_spawning_cmd_filter`' + `process_cmd` by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process + Processes.original_file_name Processes.process_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `winword_spawning_cmd_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -82,6 +82,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/winword_spawning_powershell.yml b/detections/endpoint/winword_spawning_powershell.yml index 1cf9ea1a86..70f84db7d7 100644 --- a/detections/endpoint/winword_spawning_powershell.yml +++ b/detections/endpoint/winword_spawning_powershell.yml @@ -1,25 +1,26 @@ name: Winword Spawning PowerShell id: b2c950b8-9be2-11eb-8658-acde48001122 -version: 2 -date: '2021-04-12' +version: 3 +date: '2024-05-10' author: Michael Haag, Splunk status: production type: TTP -description: The following detection identifies Microsoft Word spawning PowerShell. - Typically, this is not common behavior and not default with winword.exe. Winword.exe - will generally be found in the following path `C:\Program Files\Microsoft Office\root\Office16` - (version will vary). PowerShell spawning from winword.exe is common for a spearphishing - attachment and is actively used. Albeit, the command executed will most likely be - encoded and captured via another detection. During triage, review parallel processes - and identify any files that may have been written. +description: The following analytic identifies instances where Microsoft Word (winword.exe) + spawns a PowerShell process. This behavior is detected using Endpoint Detection + and Response (EDR) telemetry, focusing on process creation events where the parent + process is winword.exe. This activity is significant because it is uncommon and + often associated with spearphishing attacks, where malicious documents execute encoded + PowerShell commands. If confirmed malicious, this could allow an attacker to execute + arbitrary code, potentially leading to data exfiltration, system compromise, or + further lateral movement within the network. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name="winword.exe" - `process_powershell` by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name - Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` - | `winword_spawning_powershell_filter`' + `process_powershell` by Processes.dest Processes.user Processes.parent_process_name + Processes.parent_process Processes.process_name Processes.original_file_name Processes.process + Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `winword_spawning_powershell_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -84,6 +85,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/winword_spawning_windows_script_host.yml b/detections/endpoint/winword_spawning_windows_script_host.yml index ba87028d5d..97421a66cc 100644 --- a/detections/endpoint/winword_spawning_windows_script_host.yml +++ b/detections/endpoint/winword_spawning_windows_script_host.yml @@ -1,20 +1,18 @@ name: Winword Spawning Windows Script Host id: 637e1b5c-9be1-11eb-9c32-acde48001122 -version: 1 -date: '2021-04-12' +version: 2 +date: '2024-05-16' author: Michael Haag, Splunk status: production type: TTP -description: The following detection identifies Microsoft Winword.exe spawning Windows - Script Host - `cscript.exe` or `wscript.exe`. Typically, this is not common behavior - and not default with Winword.exe. Winword.exe will generally be found in the following - path `C:\Program Files\Microsoft Office\root\Office16` (version will vary). `cscript.exe` - or `wscript.exe` default location is `c:\windows\system32\` or c:windows\syswow64\`. - `cscript.exe` or `wscript.exe` spawning from Winword.exe is common for a spearphishing - attachment and is actively used. Albeit, the command-line executed will most likely - be obfuscated and captured via another detection. During triage, review parallel - processes and identify any files that may have been written. Review the reputation - of the remote destination and block accordingly. +description: The following analytic identifies instances where Microsoft Winword.exe + spawns Windows Script Host processes (cscript.exe or wscript.exe). This behavior + is detected using Endpoint Detection and Response (EDR) telemetry, focusing on process + creation events where the parent process is Winword.exe. This activity is significant + because it is uncommon and often associated with spearphishing attacks, where malicious + scripts are executed via document macros. If confirmed malicious, this could lead + to code execution, allowing attackers to gain initial access, execute further payloads, + or establish persistence within the environment. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -77,6 +75,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_wsh.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_wsh.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/wmi_permanent_event_subscription.yml b/detections/endpoint/wmi_permanent_event_subscription.yml index f14e47a813..4c15c26cac 100644 --- a/detections/endpoint/wmi_permanent_event_subscription.yml +++ b/detections/endpoint/wmi_permanent_event_subscription.yml @@ -1,12 +1,12 @@ name: WMI Permanent Event Subscription id: 71bfdb13-f200-4c6c-b2c9-a2e07adf437d -version: 1 -date: '2018-10-23' +version: 2 +date: '2024-05-26' author: Rico Valdez, Splunk status: experimental type: TTP description: |- - The following analytic detects the creation of permanent event subscriptions using Windows Management Instrumentation (WMI), which is used by attackers to achieve persistence in a compromised system. By creating a permanent event subscription, an attacker can run malicious scripts or binaries in response to specific system events that enables them to maintain access to the system undetected. The detection is made by using Sysmon EventID 5 data to detect instances where the consumers of these events are not the expected "NTEventLogEventConsumer." The detection is important because it identifies unusual or unexpected subscription creation, which suggests that an attacker is attempting to achieve persistence within the environment and might be executing malicious scripts or binaries in response to specific system events. The impact of such an attack can be severe, potentially leading to data theft, ransomware, or other damaging outcomes. False positives might occur since False positives might occur since WMI event subscriptions can be used for legitimate purposes by system administrators. You must have a thorough understanding of WMI activity within the context of the monitored environment to effectively differentiate between legitimate and malicious activity.Next steps include investigating the associated scripts or binaries and identifying the source of the attack. + The following analytic detects the creation of permanent event subscriptions using Windows Management Instrumentation (WMI). It leverages Sysmon Event ID 5 data to identify instances where the event consumers are not the expected "NTEventLogEventConsumer." This activity is significant because it suggests an attacker is attempting to achieve persistence by running malicious scripts or binaries in response to specific system events. If confirmed malicious, this could lead to severe impacts such as data theft, ransomware deployment, or other damaging outcomes. Investigate the associated scripts or binaries to identify the source of the attack. data_source: - Windows Event Log WMI 5861 search: '`wmi` EventCode=5861 Binding | rex field=Message "Consumer =\s+(?[^;|^$]+)" diff --git a/detections/endpoint/wmi_permanent_event_subscription___sysmon.yml b/detections/endpoint/wmi_permanent_event_subscription___sysmon.yml index 5d55fd0c61..754d36939a 100644 --- a/detections/endpoint/wmi_permanent_event_subscription___sysmon.yml +++ b/detections/endpoint/wmi_permanent_event_subscription___sysmon.yml @@ -1,31 +1,18 @@ name: WMI Permanent Event Subscription - Sysmon id: ad05aae6-3b2a-4f73-af97-57bd26cee3b9 -version: 2 -date: '2023-11-07' +version: 3 +date: '2024-05-20' author: Rico Valdez, Michael Haag, Splunk status: production type: TTP -description: 'This analytic looks for the creation of WMI permanent event subscriptions. - The following analytic identifies the use of WMI Event Subscription to establish - persistence or perform privilege escalation. WMI can be used to install event filters, - providers, consumers, and bindings that execute code when a defined event occurs. - WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) - and thus may result in elevated SYSTEM privileges. This analytic is restricted by - commonly added process execution and a path. If the volume is low enough, remove - the values and flag on any new subscriptions. - - All event subscriptions have three components - - 1. Filter - WQL Query for the events we want. EventID = 19 - - 1. Consumer - An action to take upon triggering the filter. EventID = 20 - - 1. Binding - Registers a filter to a consumer. EventID = 21 - - Monitor for the creation of new WMI EventFilter, EventConsumer, and FilterToConsumerBinding. - It may be pertinent to review all 3 to identify the flow of execution. In addition, - EventCode 4104 may assist with any other PowerShell script usage that registered - the subscription.' +description: 'The following analytic identifies the creation of WMI permanent event + subscriptions, which can be used to establish persistence or perform privilege escalation. + It leverages Sysmon data, specifically EventCodes 19, 20, and 21, to detect the + creation of WMI EventFilters, EventConsumers, and FilterToConsumerBindings. This + activity is significant as it may indicate an attacker setting up mechanisms to + execute code with elevated SYSTEM privileges when specific events occur. If confirmed + malicious, this could allow the attacker to maintain persistence, escalate privileges, + and execute arbitrary code, posing a severe threat to the environment.' data_source: - Sysmon EventID 21 search: '`sysmon` EventCode=21 | rename host as dest | table _time, dest, user, Operation, @@ -79,6 +66,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.003/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.003/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/wmi_recon_running_process_or_services.yml b/detections/endpoint/wmi_recon_running_process_or_services.yml index 69dffcabc4..bd3d1d259a 100644 --- a/detections/endpoint/wmi_recon_running_process_or_services.yml +++ b/detections/endpoint/wmi_recon_running_process_or_services.yml @@ -1,22 +1,25 @@ name: WMI Recon Running Process Or Services id: b5cd5526-cce7-11eb-b3bd-acde48001122 -version: 3 -date: '2023-11-07' +version: 4 +date: '2024-05-15' author: Teoderick Contreras, Splunk status: production type: Anomaly description: The following analytic identifies suspicious PowerShell script execution - via EventCode 4104, where WMI is performing an event query looking for running processes - or running services. This technique is commonly found in malware and APT events - where the adversary will map all running security applications or services on the - compromised machine. During triage, review parallel processes within the same timeframe. - Review the full script block to identify other related artifacts. + via EventCode 4104, where WMI performs an event query to list running processes + or services. This detection leverages PowerShell Script Block Logging to capture + and analyze script block text for specific WMI queries. This activity is significant + as it is commonly used by malware and APT actors to map security applications or + services on a compromised machine. If confirmed malicious, this could allow attackers + to identify and potentially disable security defenses, facilitating further compromise + and persistence within the environment. data_source: - Powershell Script Block Logging 4104 search: '`powershell` EventCode=4104 ScriptBlockText= "*SELECT*" AND (ScriptBlockText="*Win32_Process*" OR ScriptBlockText="*Win32_Service*") | stats count min(_time) as firstTime max(_time) - as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `wmi_recon_running_process_or_services_filter`' + as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest + | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `wmi_recon_running_process_or_services_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. @@ -64,6 +67,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/win32process.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/win32process.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/wmi_temporary_event_subscription.yml b/detections/endpoint/wmi_temporary_event_subscription.yml index d0b7a2d7a9..3e9a1cee3b 100644 --- a/detections/endpoint/wmi_temporary_event_subscription.yml +++ b/detections/endpoint/wmi_temporary_event_subscription.yml @@ -1,11 +1,18 @@ name: WMI Temporary Event Subscription id: 38cbd42c-1098-41bb-99cf-9d6d2b296d83 -version: 1 -date: '2018-10-23' +version: 2 +date: '2024-05-12' author: Rico Valdez, Splunk status: experimental type: TTP -description: "The following analytic detects the creation of WMI temporary event subscriptions. WMI (Windows Management Instrumentation) is a management technology that allows administrators to perform various tasks on Windows-based systems. Temporary event subscriptions are created to monitor specific events or changes on a system that help to detect potential threats early and take proactive measures to protect the organization's systems and data. The detection is made by using the Splunk query `wmi` EventCode=5860 Temporary to search for events with EventCode 5860, which indicates the creation of a temporary WMI event subscription. To further refine the search results, the query uses regular expressions (rex) to extract the query used in the event subscription. Then, it filters known benign queries related to system processes such as 'wsmprovhost.exe' and 'AntiVirusProduct', 'FirewallProduct', 'AntiSpywareProduct', which helps to focus on potentially malicious or suspicious queries. The detection is important because it indicates malicious activity since attackers use WMI to run commands, gather information, or maintain persistence within a compromised system. False positives might occur since legitimate uses of WMI event subscriptions in the environment might trigger benign activities to be flagged. Therefore, an extensive triage is necessary to review the specific query and assess its intent. Additionally, capturing and inspecting relevant on-disk artifacts and analyzing concurrent processes can help to identify the source of the attack. Detecting the creation of these event subscriptions to identify potential threats early and take appropriate actions to mitigate the risks." +description: "The following analytic detects the creation of WMI temporary event subscriptions. + It leverages Windows Event Logs, specifically EventCode 5860, to identify these + activities. This detection is significant because attackers often use WMI to execute + commands, gather information, or maintain persistence within a compromised system. + If confirmed malicious, this activity could allow an attacker to execute arbitrary + code, escalate privileges, or persist in the environment. Analysts should review + the specific WMI queries and assess their intent, considering potential false positives + from legitimate administrative tasks." data_source: - Windows Event Log WMI 5860 search: '`wmi` EventCode=5860 Temporary | rex field=Message "NotificationQuery =\s+(?[^;|^$]+)" diff --git a/detections/endpoint/wmic_group_discovery.yml b/detections/endpoint/wmic_group_discovery.yml index 7a93892934..8ec9c7c739 100644 --- a/detections/endpoint/wmic_group_discovery.yml +++ b/detections/endpoint/wmic_group_discovery.yml @@ -1,17 +1,18 @@ name: Wmic Group Discovery id: 83317b08-155b-11ec-8e00-acde48001122 -version: 1 -date: '2021-09-14' +version: 2 +date: '2024-05-20' author: Michael Haag, Splunk status: production type: Hunting -description: 'The following hunting analytic identifies the use of `wmic.exe` enumerating - local groups on the endpoint. - - Typically, by itself, is not malicious but may raise suspicion based on time of - day, endpoint and username. - - During triage, review parallel processes and identify any further suspicious behavior.' +description: 'The following analytic identifies the use of `wmic.exe` to enumerate + local groups on an endpoint. This detection leverages data from Endpoint Detection + and Response (EDR) agents, focusing on process execution logs, including command-line + details. Monitoring this activity is significant as it can indicate reconnaissance + efforts by an attacker to understand group memberships, which could be a precursor + to privilege escalation or lateral movement. If confirmed malicious, this activity + could allow an attacker to map out privileged groups, aiding in further exploitation + and persistence within the environment.' data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -74,6 +75,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.001/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/wmic_noninteractive_app_uninstallation.yml b/detections/endpoint/wmic_noninteractive_app_uninstallation.yml index 39c41f866b..4e598965b7 100644 --- a/detections/endpoint/wmic_noninteractive_app_uninstallation.yml +++ b/detections/endpoint/wmic_noninteractive_app_uninstallation.yml @@ -1,16 +1,18 @@ name: Wmic NonInteractive App Uninstallation id: bff0e7a0-317f-11ec-ab4e-acde48001122 -version: 2 -date: '2022-07-19' +version: 3 +date: '2024-05-26' author: Teoderick Contreras, Splunk status: production type: Hunting -description: This analytic indentifies WMIC command-line attempting to uninstall application - non-interactively. This technique was seen in IcedID to uninstall AV products on - the compromised host to evade detection. This Hunting query maybe a good indicator - that some process tries to uninstall application using wmic which is not a common - behavior. This approach may seen in some script or third part appication to uninstall - their application but it is a good thing to check what it uninstall and why. +description: The following analytic identifies the use of the WMIC command-line tool + attempting to uninstall applications non-interactively. It leverages data from Endpoint + Detection and Response (EDR) agents, focusing on specific command-line patterns + associated with WMIC. This activity is significant because it is uncommon and may + indicate an attempt to evade detection by uninstalling security software, as seen + in IcedID malware campaigns. If confirmed malicious, this behavior could allow an + attacker to disable security defenses, facilitating further compromise and persistence + within the environment. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -80,6 +82,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_av/sysmon2.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_av/sysmon2.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/wmic_xsl_execution_via_url.yml b/detections/endpoint/wmic_xsl_execution_via_url.yml index c2cbbefce0..dea2d4446b 100644 --- a/detections/endpoint/wmic_xsl_execution_via_url.yml +++ b/detections/endpoint/wmic_xsl_execution_via_url.yml @@ -1,18 +1,18 @@ name: WMIC XSL Execution via URL id: 787e9dd0-4328-11ec-a029-acde48001122 -version: 1 -date: '2021-11-11' +version: 2 +date: '2024-05-27' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies `wmic.exe` loading a remote XSL (eXtensible - Stylesheet Language) script. This originally was identified by Casey Smith, dubbed - Squiblytwo, as an application control bypass. Many adversaries will utilize this - technique to invoke JScript or VBScript within an XSL file. This technique can also - execute local/remote scripts and, similar to its Regsvr32 "Squiblydoo" counterpart, - leverages a trusted, built-in Windows tool. Adversaries may abuse any alias in Windows - Management Instrumentation provided they utilize the /FORMAT switch. Upon identifying - a suspicious execution, review for confirmed network connnection and script download. +description: The following analytic detects `wmic.exe` loading a remote XSL script + via a URL. This detection leverages Endpoint Detection and Response (EDR) data, + focusing on command-line executions that include HTTP/HTTPS URLs and the /FORMAT + switch. This activity is significant as it indicates a potential application control + bypass, allowing adversaries to execute JScript or VBScript within an XSL file. + If confirmed malicious, this technique can enable attackers to execute arbitrary + code, escalate privileges, or maintain persistence using a trusted Windows tool, + posing a severe threat to the environment. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -85,6 +85,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1220/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1220/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/wmiprsve_lolbas_execution_process_spawn.yml b/detections/endpoint/wmiprsve_lolbas_execution_process_spawn.yml index 5b054faec0..320825cc45 100644 --- a/detections/endpoint/wmiprsve_lolbas_execution_process_spawn.yml +++ b/detections/endpoint/wmiprsve_lolbas_execution_process_spawn.yml @@ -1,17 +1,18 @@ name: Wmiprsve LOLBAS Execution Process Spawn id: 95a455f0-4c04-11ec-b8ac-3e22fbd008af -version: 1 -date: '2021-11-22' +version: 2 +date: '2024-05-10' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic identifies `wmiprsve.exe` spawning a LOLBAS execution - process. When adversaries execute code on remote endpoints abusing Windows Management - Instrumentation (WMI), the executed command is spawned as a child process of `wmiprvse.exe`. - The LOLBAS project documents Windows native binaries that can be abused by threat - actors to perform tasks like executing malicious code. Looking for child processes - of wmiprvse.exe that are part of the LOLBAS project can help defenders identify - lateral movement activity. +description: The following analytic detects `wmiprvse.exe` spawning a LOLBAS execution + process. It leverages data from Endpoint Detection and Response (EDR) agents, focusing + on process creation events where `wmiprvse.exe` is the parent process and the child + process is a known LOLBAS binary. This activity is significant as it may indicate + lateral movement or remote code execution by an adversary abusing Windows Management + Instrumentation (WMI). If confirmed malicious, this behavior could allow attackers + to execute arbitrary code, escalate privileges, or maintain persistence within the + environment, posing a severe security risk. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -81,6 +82,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/lateral_movement_lolbas/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/lateral_movement_lolbas/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml b/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml index dba8b14e7b..be80f2ab03 100644 --- a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml +++ b/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml @@ -1,16 +1,17 @@ name: Wscript Or Cscript Suspicious Child Process id: 1f35e1da-267b-11ec-90a9-acde48001122 -version: 1 -date: '2023-04-14' +version: 2 +date: '2024-05-18' author: Teoderick Contreras, Splunk status: production type: TTP -description: This analytic identifies a suspicious spawned process by WScript or CScript - process. This technique was a common technique used by adversaries and malware to - execute different LOLBIN, other scripts like PowerShell or spawn a suspended process - to inject its code as a defense evasion. This TTP may detect some normal script - that using several application tool that are in the list of the child process it - detects but a good pivot and indicator that a script is may execute suspicious code. +description: The following analytic identifies suspicious child processes spawned + by WScript or CScript. It leverages data from Endpoint Detection and Response (EDR) + agents, focusing on specific parent and child process names. This activity is significant + as adversaries often use WScript or CScript to execute Living Off The Land Binaries + (LOLBINs) or other scripts like PowerShell for defense evasion. If confirmed malicious, + this behavior could allow attackers to execute arbitrary code, escalate privileges, + or maintain persistence within the environment, posing a significant security risk. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -82,6 +83,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.005/vbs_wscript/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.005/vbs_wscript/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/wsmprovhost_lolbas_execution_process_spawn.yml b/detections/endpoint/wsmprovhost_lolbas_execution_process_spawn.yml index 800b0bb31c..7d85e2a050 100644 --- a/detections/endpoint/wsmprovhost_lolbas_execution_process_spawn.yml +++ b/detections/endpoint/wsmprovhost_lolbas_execution_process_spawn.yml @@ -1,17 +1,18 @@ name: Wsmprovhost LOLBAS Execution Process Spawn id: 2eed004c-4c0d-11ec-93e8-3e22fbd008af -version: 1 -date: '2021-11-22' +version: 2 +date: '2024-05-12' author: Mauricio Velazco, Splunk status: production type: TTP description: The following analytic identifies `Wsmprovhost.exe` spawning a LOLBAS - execution process. When adversaries execute code on remote endpoints abusing the - Windows Remote Management (WinRm) protocol, the executed command is spawned as a - child processs of `Wsmprovhost.exe`. The LOLBAS project documents Windows native - binaries that can be abused by threat actors to perform tasks like executing malicious - code. Looking for child processes of Wsmprovhost.exe that are part of the LOLBAS - project can help defenders identify lateral movement activity. + execution process. It leverages Endpoint Detection and Response (EDR) data to detect + when `Wsmprovhost.exe` spawns child processes that are known LOLBAS (Living Off + the Land Binaries and Scripts) executables. This activity is significant because + it may indicate an adversary using Windows Remote Management (WinRM) to execute + code on remote endpoints, a common technique for lateral movement. If confirmed + malicious, this could allow attackers to execute arbitrary code, escalate privileges, + or maintain persistence within the environment. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -82,6 +83,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement_lolbas/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement_lolbas/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/wsreset_uac_bypass.yml b/detections/endpoint/wsreset_uac_bypass.yml index 6a10398c61..6d27b6f43a 100644 --- a/detections/endpoint/wsreset_uac_bypass.yml +++ b/detections/endpoint/wsreset_uac_bypass.yml @@ -1,14 +1,18 @@ name: WSReset UAC Bypass id: 8b5901bc-da63-11eb-be43-acde48001122 -version: 3 -date: '2022-11-14' +version: 4 +date: '2024-05-19' author: Steven Dick, Teoderick Contreras, Splunk status: production type: TTP -description: This search is to detect a suspicious modification of registry related - to UAC bypass. This technique is to modify the registry in this detection, create - a registry value with the path of the payload and run WSreset.exe to bypass User - account Control. +description: The following analytic detects a suspicious modification of the registry + aimed at bypassing User Account Control (UAC) by leveraging WSReset.exe. It identifies + the creation or modification of specific registry values under the path "*\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command*". + This detection uses data from Endpoint Detection and Response (EDR) agents, focusing + on process and registry events. This activity is significant because UAC bypass + techniques can allow attackers to execute high-privilege actions without user consent. + If confirmed malicious, this could lead to unauthorized code execution and potential + system compromise. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) @@ -81,6 +85,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/uac_bypass/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/uac_bypass/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/endpoint/xsl_script_execution_with_wmic.yml b/detections/endpoint/xsl_script_execution_with_wmic.yml index f1af9e49b9..87c4f9bd36 100644 --- a/detections/endpoint/xsl_script_execution_with_wmic.yml +++ b/detections/endpoint/xsl_script_execution_with_wmic.yml @@ -1,15 +1,18 @@ name: XSL Script Execution With WMIC id: 004e32e2-146d-11ec-a83f-acde48001122 -version: 1 -date: '2021-09-13' +version: 2 +date: '2024-05-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: This search is to detect a suspicious wmic.exe process or renamed wmic - process to execute malicious xsl file. This technique was seen in FIN7 to execute - its malicous jscript using the .xsl as the loader with the help of wmic.exe process. - This TTP is really a good indicator for you to hunt further for FIN7 or other attacker - that known to used this technique. +description: The following analytic detects the execution of an XSL script using the + WMIC process, which is often indicative of malicious activity. It leverages data + from Endpoint Detection and Response (EDR) agents, focusing on command-line executions + involving WMIC and XSL files. This behavior is significant as it has been associated + with the FIN7 group, known for using this technique to execute malicious scripts. + If confirmed malicious, this activity could allow attackers to execute arbitrary + code, potentially leading to system compromise and further malicious actions within + the environment. data_source: - Sysmon EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -79,6 +82,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/fin7_macro_js_1/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/fin7_macro_js_1/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/network/detect_dga_domains_using_pretrained_model_in_dsdl.yml b/detections/network/detect_dga_domains_using_pretrained_model_in_dsdl.yml index 2377cb5c08..9b33d3d609 100644 --- a/detections/network/detect_dga_domains_using_pretrained_model_in_dsdl.yml +++ b/detections/network/detect_dga_domains_using_pretrained_model_in_dsdl.yml @@ -1,23 +1,18 @@ name: Detect DGA domains using pretrained model in DSDL id: 92e24f32-9b9a-4060-bba2-2a0eb31f3493 -version: 1 -date: '2023-01-18' +version: 2 +date: '2024-05-29' author: Abhinav Mishra, Kumar Sharad and Namratha Sreekanta, Splunk status: experimental type: Anomaly -description: The following analytic uses a pre trained deep learning model to detect - Domain Generation Algorithm (DGA) generated domains. The model is trained independently - and is then made available for download. One of the prominent indicators of a domain - being DGA generated is if the domain name consists of unusual character sequences - or concatenated dictionary words. Adversaries often use clever techniques to obfuscate - machine generated domain names as human generated. Predicting DGA generated domain - names requires analysis and building a model based on carefully chosen features. - The deep learning model we have developed uses the domain name to analyze patterns - of character sequences along with carefully chosen custom features to predict if - a domain is DGA generated. The model takes a domain name consisting of second-level - and top-level domain names as input and outputs a dga_score. Higher the dga_score, - the more likely the input domain is a DGA domain. The threshold for flagging a domain - as DGA is set at 0.5. +description: The following analytic identifies Domain Generation Algorithm (DGA) generated + domains using a pre-trained deep learning model. It leverages the Network Resolution + data model to analyze domain names and detect unusual character sequences indicative + of DGA activity. This behavior is significant as adversaries often use DGAs to generate + numerous domain names for command-and-control servers, making it harder to block + malicious traffic. If confirmed malicious, this activity could enable attackers + to maintain persistent communication with compromised systems, evade detection, + and execute further malicious actions. data_source: [] search: '| tstats `security_content_summariesonly` values(DNS.answer) as IPs min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Resolution by DNS.src, @@ -38,7 +33,7 @@ how_to_implement: 'Steps to deploy DGA detection model into Splunk App DSDL.\ Th * Login to the Jupyter Lab for pretrained_dga_model_dsdl container. This container should be listed on Containers page for DSDL app. - * Below steps need to be followed inside Jupyter lab + * Below steps need to be followed inside Jupyter lab * Upload the pretrained_dga_model_dsdl.tar.gz file into `app/model/data` path using the upload option in the jupyter notebook. diff --git a/detections/network/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.yml b/detections/network/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.yml index 6861eff46d..2b626e75f4 100644 --- a/detections/network/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.yml +++ b/detections/network/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.yml @@ -1,94 +1,82 @@ name: Detect DNS Data Exfiltration using pretrained model in DSDL id: 92f65c3a-168c-11ed-71eb-0242ac120012 -version: 1 -date: '2023-04-27' +version: 2 +date: '2024-05-22' status: experimental author: Abhinav Mishra, Kumar Sharad and Namratha Sreekanta, Splunk type: Anomaly data_source: [] -description: The following analytic uses a pre trained deep learning model to - detect DNS data exfiltration. The model is trained on the data we collected - and is inferred on live data. This detection detects low throughput DNS - Tunneling (data exfiltration) using features computed from past events between - the same src and domain. The search uses macros from URL ToolBox app to - generate features used by the model. The model is a deep learning model that - accepts DNS request as input along with a few custom features to generate a - pred_is_exfiltration_proba score. The higher the pred_is_exfiltration_proba, - the more likely the DNS request is data exfiltration. The threshold for - flagging a request as DNS exfiltration is set at 0.5. -search: '| tstats `security_content_summariesonly` count from - datamodel=Network_Resolution by DNS.src _time DNS.query | - `drop_dm_object_name("DNS")` | sort - _time,src, query | streamstats count as - rank by src query | where rank < 10 | table src,query,rank,_time | apply - detect_dns_data_exfiltration_using_pretrained_model_in_dsdl | table - src,_time,query,rank,pred_is_dns_data_exfiltration_proba,pred_is_dns_data_exfiltration - | where rank == 1 | rename pred_is_dns_data_exfiltration_proba as - is_exfiltration_score | rename pred_is_dns_data_exfiltration as - is_exfiltration | where is_exfiltration_score > 0.5 | - `security_content_ctime(_time)` | - table src, _time,query,is_exfiltration_score,is_exfiltration | - `detect_dns_data_exfiltration_using_pretrained_model_in_dsdl_filter`' -how_to_implement: - Steps to deploy detect DNS data exfiltration model into Splunk - App DSDL. This detection depends on the Splunk app for Data Science and Deep - Learning which can be found here - https://splunkbase.splunk.com/app/4607/ and - the Network Resolution datamodel which can be found here - - https://splunkbase.splunk.com/app/1621/. The detection uses a pre-trained deep - learning model that needs to be deployed in DSDL app. Follow the steps for - deployment here - - `https://github.com/splunk/security_content/wiki/How-to-deploy-pre-trained-Deep-Learning-models-for-ESCU`. - - * Download the `artifacts .tar.gz` file from the link - https://seal.splunkresearch.com/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.tar.gz Download the `detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.ipynb` Jupyter notebook from https://github.com/splunk/security_content/notebooks - - * Login to the Jupyter Lab assigned for detect_dns_data_exfiltration_using_pretrained_model_in_dsdl container. This container should be listed on Containers page for DSDL app. - - * Below steps need to be followed inside Jupyter lab - - * Upload the detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.tar.gz file into `app/model/data` path using the upload option in the jupyter notebook. - - * Untar the artifact detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.tar.gz using `tar -xf app/model/data/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.tar.gz -C app/model/data` - - * Upload detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.pynb into Jupyter lab notebooks folder using the upload option in Jupyter lab - - * Save the notebook using the save option in jupyter notebook. - - * Upload `detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.json` into `notebooks/data` folder. -known_false_positives: False positives may be present if DNS data exfiltration - request look very similar to benign DNS requests. +description: The following analytic identifies potential DNS data exfiltration using + a pre-trained deep learning model. It leverages DNS request data from the Network + Resolution datamodel and computes features from past events between the same source + and domain. The model generates a probability score (pred_is_exfiltration_proba) + indicating the likelihood of data exfiltration. This activity is significant as + DNS tunneling can be used by attackers to covertly exfiltrate sensitive data. If + confirmed malicious, this could lead to unauthorized data access and potential data + breaches, compromising the organization's security posture. +search: '| tstats `security_content_summariesonly` count from datamodel=Network_Resolution + by DNS.src _time DNS.query | `drop_dm_object_name("DNS")` | sort - _time,src, query + | streamstats count as rank by src query | where rank < 10 | table src,query,rank,_time + | apply detect_dns_data_exfiltration_using_pretrained_model_in_dsdl | table src,_time,query,rank,pred_is_dns_data_exfiltration_proba,pred_is_dns_data_exfiltration + | where rank == 1 | rename pred_is_dns_data_exfiltration_proba as is_exfiltration_score + | rename pred_is_dns_data_exfiltration as is_exfiltration | where is_exfiltration_score + > 0.5 | `security_content_ctime(_time)` | table src, _time,query,is_exfiltration_score,is_exfiltration + | `detect_dns_data_exfiltration_using_pretrained_model_in_dsdl_filter`' +how_to_implement: "Steps to deploy detect DNS data exfiltration model into Splunk + App DSDL. This detection depends on the Splunk app for Data Science and Deep Learning + which can be found here - https://splunkbase.splunk.com/app/4607/ and the Network + Resolution datamodel which can be found here - https://splunkbase.splunk.com/app/1621/. + The detection uses a pre-trained deep learning model that needs to be deployed in + DSDL app. Follow the steps for deployment here - `https://github.com/splunk/security_content/wiki/How-to-deploy-pre-trained-Deep-Learning-models-for-ESCU`.\n + * Download the `artifacts .tar.gz` file from the link - https://seal.splunkresearch.com/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.tar.gz + Download the `detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.ipynb` + Jupyter notebook from https://github.com/splunk/security_content/notebooks\n* Login + to the Jupyter Lab assigned for detect_dns_data_exfiltration_using_pretrained_model_in_dsdl + container. This container should be listed on Containers page for DSDL app.\n* Below + steps need to be followed inside Jupyter lab\n* Upload the detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.tar.gz + file into `app/model/data` path using the upload option in the jupyter notebook.\n + * Untar the artifact detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.tar.gz + using `tar -xf app/model/data/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.tar.gz + -C app/model/data`\n* Upload detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.pynb + into Jupyter lab notebooks folder using the upload option in Jupyter lab\n* Save + the notebook using the save option in jupyter notebook.\n* Upload `detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.json` + into `notebooks/data` folder." +known_false_positives: False positives may be present if DNS data exfiltration request + look very similar to benign DNS requests. references: - - https://attack.mitre.org/techniques/T1048/003/ - - https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/ - - https://en.wikipedia.org/wiki/Data_exfiltration +- https://attack.mitre.org/techniques/T1048/003/ +- https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/ +- https://en.wikipedia.org/wiki/Data_exfiltration tags: analytic_story: - - DNS Hijacking - - Suspicious DNS Traffic - - Command And Control + - DNS Hijacking + - Suspicious DNS Traffic + - Command And Control asset_type: Endpoint confidence: 90 impact: 50 message: A DNS data exfiltration request was sent by this host $src$ , kindly review. mitre_attack_id: - - T1048.003 + - T1048.003 observable: - - name: query - type: Other - role: - - Attacker - - name: src - type: Hostname - role: - - Victim + - name: query + type: Other + role: + - Attacker + - name: src + type: Hostname + role: + - Victim product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud required_fields: - - _time - - DNS.message_type - - DNS.record_type - - DNS.src - - DNS.dest - - DNS.answer + - _time + - DNS.message_type + - DNS.record_type + - DNS.src + - DNS.dest + - DNS.answer risk_score: 45 security_domain: network diff --git a/detections/network/detect_hosts_connecting_to_dynamic_domain_providers.yml b/detections/network/detect_hosts_connecting_to_dynamic_domain_providers.yml index 6cd5284fd1..390d41a9a6 100644 --- a/detections/network/detect_hosts_connecting_to_dynamic_domain_providers.yml +++ b/detections/network/detect_hosts_connecting_to_dynamic_domain_providers.yml @@ -1,17 +1,19 @@ name: Detect hosts connecting to dynamic domain providers id: a1e761ac-1344-4dbd-88b2-3f34c912d359 -version: 3 -date: '2021-01-14' +version: 4 +date: '2024-05-18' author: Bhavin Patel, Splunk status: production type: TTP -description: Malicious actors often abuse legitimate Dynamic DNS services to host - malicious payloads or interactive Command And Control nodes. Attackers will automate - domain resolution changes by routing dynamic domains to countless IP addresses to - circumvent firewall blocks, block lists as well as frustrate a network defenders - analytic and investigative processes. This search will look for DNS queries made - from within your infrastructure to suspicious dynamic domains. -data_source: +description: The following analytic identifies DNS queries from internal hosts to + dynamic domain providers. It leverages DNS query logs from the `Network_Resolution` + data model and cross-references them with a lookup file containing known dynamic + DNS providers. This activity is significant because attackers often use dynamic + DNS services to host malicious payloads or command-and-control servers, making it + crucial for security teams to monitor. If confirmed malicious, this activity could + allow attackers to bypass firewall blocks, evade detection, and maintain persistent + access to the network. +data_source: - Sysmon EventID 22 search: '| tstats `security_content_summariesonly` count values(DNS.answer) as answer min(_time) as firstTime from datamodel=Network_Resolution by DNS.query host | `drop_dm_object_name("DNS")` @@ -30,7 +32,7 @@ how_to_implement: 'First, you''ll need to ingest data from your DNS operations. metadata, add the following fields, if not already present, to Incident Review. Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry): - + * **Label:** DNS Query, **Field:** query * **Label:** DNS Answer, **Field:** answer @@ -77,6 +79,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1189/dyn_dns_site/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1189/dyn_dns_site/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/network/detect_large_outbound_icmp_packets.yml b/detections/network/detect_large_outbound_icmp_packets.yml index 8ac62d5ad3..c4dc8a9563 100644 --- a/detections/network/detect_large_outbound_icmp_packets.yml +++ b/detections/network/detect_large_outbound_icmp_packets.yml @@ -1,14 +1,18 @@ name: Detect Large Outbound ICMP Packets id: e9c102de-4d43-42a7-b1c8-8062ea297419 -version: 2 -date: '2018-06-01' +version: 3 +date: '2024-05-24' author: Rico Valdez, Splunk status: experimental type: TTP -description: This search looks for outbound ICMP packets with a packet size larger - than 1,000 bytes. Various threat actors have been known to use ICMP as a command - and control channel for their attack infrastructure. Large ICMP packets from an - endpoint to a remote host may be indicative of this activity. +description: The following analytic identifies outbound ICMP packets with a size larger + than 1,000 bytes. It leverages the Network_Traffic data model to detect unusually + large ICMP packets that are not blocked and are destined for external IP addresses. + This activity is significant because threat actors often use ICMP for command and + control communication, and large ICMP packets can indicate data exfiltration or + other malicious activities. If confirmed malicious, this could allow attackers to + maintain covert communication channels, exfiltrate sensitive data, or further compromise + the network. data_source: [] search: '| tstats `security_content_summariesonly` count earliest(_time) as firstTime latest(_time) as lastTime values(All_Traffic.action) values(All_Traffic.bytes) from diff --git a/detections/network/detect_outbound_ldap_traffic.yml b/detections/network/detect_outbound_ldap_traffic.yml index a64fc816e0..ea8dfaf973 100644 --- a/detections/network/detect_outbound_ldap_traffic.yml +++ b/detections/network/detect_outbound_ldap_traffic.yml @@ -5,12 +5,14 @@ date: '2024-05-21' author: Bhavin Patel, Johan Bjerke, Splunk status: production type: Hunting -description: Malicious actors often abuse misconfigured LDAP servers or applications - that use the LDAP servers in organizations. Outbound LDAP traffic should not be - allowed outbound through your perimeter firewall. This search will help determine - if you have any LDAP connections to IP addresses outside of private (RFC1918) address - space. -data_source: +description: The following analytic identifies outbound LDAP traffic to external IP + addresses. It leverages the Network_Traffic data model to detect connections on + ports 389 or 636 that are not directed to private IP ranges (RFC1918). This activity + is significant because outbound LDAP traffic can indicate potential data exfiltration + or unauthorized access attempts. If confirmed malicious, attackers could exploit + this to access sensitive directory information, leading to data breaches or further + network compromise. +data_source: - Bro search: '| tstats earliest(_time) as earliest_time latest(_time) as latest_time values(All_Traffic.dest_ip) as dest_ip from datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port diff --git a/detections/network/detect_outbound_smb_traffic.yml b/detections/network/detect_outbound_smb_traffic.yml index b3cbdf700a..67643b492d 100644 --- a/detections/network/detect_outbound_smb_traffic.yml +++ b/detections/network/detect_outbound_smb_traffic.yml @@ -1,33 +1,31 @@ name: Detect Outbound SMB Traffic id: 1bed7774-304a-4e8f-9d72-d80e45ff492b -version: 4 -date: '2024-02-27' -author: Bhavin Patel, Stuart Hopkins, Patrick Bareiss +version: 5 +date: '2024-05-25' +author: Bhavin Patel, Stuart Hopkins, Patrick Bareiss status: experimental type: TTP -description: The following analytic detects outbound SMB (Server Message Block) connections from internal hosts to external servers, - a method commonly exploited for Windows file-sharing activities. It identifies this behavior by monitoring network traffic for SMB requests - directed towards the Internet, which are not typical for standard operations. This detection is crucial for a Security Operations Center (SOC) - as it can indicate an attackers attempt to retrieve credential hashes through compromised servers, a key step in lateral movement and - privilege escalation. The impact of such an attack includes unauthorized access to sensitive data and potential full system compromise. +description: The following analytic detects outbound SMB (Server Message Block) connections + from internal hosts to external servers. It identifies this activity by monitoring + network traffic for SMB requests directed towards the Internet, which are unusual + for standard operations. This detection is significant for a SOC as it can indicate + an attacker's attempt to retrieve credential hashes through compromised servers, + a key step in lateral movement and privilege escalation. If confirmed malicious, + this activity could lead to unauthorized access to sensitive data and potential + full system compromise. data_source: [] -search: '| tstats `security_content_summariesonly` earliest(_time) as start_time latest(_time) as end_time values(All_Traffic.action) as action values(All_Traffic.app) as app - values(All_Traffic.dest_ip) as dest_ip values(All_Traffic.dest_port) as dest_port values(sourcetype) as sourcetype count from datamodel=Network_Traffic - where (All_Traffic.action=allowed All_Traffic.direction=outbound All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app="smb") by All_Traffic.src_ip - | `drop_dm_object_name("All_Traffic")` - | eval match=case( - cidrmatch("10.0.0.0/8" ,dest_ip) ,"1", - cidrmatch("172.16.0.0/12" ,dest_ip) ,"1", - cidrmatch("192.168.0.0/16" ,dest_ip) ,"1", - cidrmatch("100.64.0.0/10" ,dest_ip) ,"1", - 1=1,"0") - | search match=0 - | fields - match - | `security_content_ctime(start_time)` - | `security_content_ctime(end_time)` - | `detect_outbound_smb_traffic_filter`' -how_to_implement: 'This search also requires you to be ingesting your network traffic and populating - the Network_Traffic data model' +search: '| tstats `security_content_summariesonly` earliest(_time) as start_time latest(_time) + as end_time values(All_Traffic.action) as action values(All_Traffic.app) as app + values(All_Traffic.dest_ip) as dest_ip values(All_Traffic.dest_port) as dest_port + values(sourcetype) as sourcetype count from datamodel=Network_Traffic where (All_Traffic.action=allowed + All_Traffic.direction=outbound All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 + OR All_Traffic.app="smb") by All_Traffic.src_ip | `drop_dm_object_name("All_Traffic")` + | eval match=case( cidrmatch("10.0.0.0/8" ,dest_ip) ,"1", cidrmatch("172.16.0.0/12" + ,dest_ip) ,"1", cidrmatch("192.168.0.0/16" ,dest_ip) ,"1", cidrmatch("100.64.0.0/10" + ,dest_ip) ,"1", 1=1,"0") | search match=0 | fields - match | `security_content_ctime(start_time)` + | `security_content_ctime(end_time)` | `detect_outbound_smb_traffic_filter`' +how_to_implement: 'This search also requires you to be ingesting your network traffic + and populating the Network_Traffic data model' known_false_positives: It is likely that the outbound Server Message Block (SMB) traffic is legitimate, if the company's internal networks are not well-defined in the Assets and Identity Framework. Categorize the internal CIDR blocks as `internal` in the @@ -44,7 +42,8 @@ tags: asset_type: Endpoint confidence: 50 impact: 50 - message: An outbound SMB connection from $src_ip$ in your infrastructure connecting to dest ip $dest_ip$ + message: An outbound SMB connection from $src_ip$ in your infrastructure connecting + to dest ip $dest_ip$ mitre_attack_id: - T1071.002 - T1071 @@ -75,6 +74,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1071.002/outbound_smb_traffic/zeek_conn.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1071.002/outbound_smb_traffic/zeek_conn.log sourcetype: bro:conn:json - source: conn.log \ No newline at end of file + source: conn.log diff --git a/detections/network/detect_port_security_violation.yml b/detections/network/detect_port_security_violation.yml index 033fe3eed6..3df84d3efe 100644 --- a/detections/network/detect_port_security_violation.yml +++ b/detections/network/detect_port_security_violation.yml @@ -1,20 +1,17 @@ name: Detect Port Security Violation id: 2de3d5b8-a4fa-45c5-8540-6d071c194d24 -version: 1 -date: '2020-10-28' +version: 2 +date: '2024-05-13' author: Mikael Bjerkeland, Splunk status: experimental type: TTP -description: By enabling Port Security on a Cisco switch you can restrict input to - an interface by limiting and identifying MAC addresses of the workstations that - are allowed to access the port. When you assign secure MAC addresses to a secure - port, the port does not forward packets with source addresses outside the group - of defined addresses. If you limit the number of secure MAC addresses to one and - assign a single secure MAC address, the workstation attached to that port is assured - the full bandwidth of the port. If a port is configured as a secure port and the - maximum number of secure MAC addresses is reached, when the MAC address of a workstation - attempting to access the port is different from any of the identified secure MAC - addresses, a security violation occurs. +description: The following analytic detects port security violations on Cisco switches. + It leverages logs from Cisco network devices, specifically looking for events with + mnemonics indicating port security violations. This activity is significant because + it indicates an unauthorized device attempting to connect to a secured port, potentially + bypassing network access controls. If confirmed malicious, this could allow an attacker + to gain unauthorized access to the network, leading to data exfiltration, network + disruption, or further lateral movement within the environment. data_source: [] search: '`cisco_networks` (facility="PM" mnemonic="ERR_DISABLE" disable_cause="psecure-violation") OR (facility="PORT_SECURITY" mnemonic="PSECURE_VIOLATION" OR mnemonic="PSECURE_VIOLATION_VLAN") @@ -24,7 +21,8 @@ search: '`cisco_networks` (facility="PM" mnemonic="ERR_DISABLE" disable_cause="p | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_port_security_violation_filter`' how_to_implement: This search uses a standard SPL query on logs from Cisco Network devices. The network devices must be configured with Port Security and Error Disable - for this to work (see https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/port_sec.html) + for this to work (see + https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/port_sec.html) and log with a severity level of minimum "5 - notification". The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices. diff --git a/detections/network/detect_remote_access_software_usage_dns.yml b/detections/network/detect_remote_access_software_usage_dns.yml index 600cc85921..ee831d6810 100644 --- a/detections/network/detect_remote_access_software_usage_dns.yml +++ b/detections/network/detect_remote_access_software_usage_dns.yml @@ -1,23 +1,33 @@ name: Detect Remote Access Software Usage DNS id: a16b797d-e309-41bd-8ba0-5067dae2e4be -version: 1 -date: '2024-02-22' +version: 2 +date: '2024-05-27' author: Steven Dick status: production type: Anomaly -description: The following analytic detects when a known remote access software domains are contacted from within the environment. Adversaries use these utilities to retain remote access capabilities to the environment. Utilities in the lookup include AnyDesk, GoToMyPC, LogMeIn, TeamViewer and much more. Review the lookup for the entire list and add any others. +description: The following analytic detects DNS queries to known remote access software + domains from within the environment. It leverages DNS query logs mapped to the Network_Resolution + data model and cross-references them with a lookup table of remote access software + domains, such as AnyDesk, GoToMyPC, LogMeIn, and TeamViewer. This activity is significant + as adversaries often use remote access tools to maintain persistent access to compromised + systems. If confirmed malicious, this could allow attackers to control systems remotely, + exfiltrate data, or further infiltrate the network, posing a severe security risk. data_source: - Sysmon EventID 22 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(DNS.answer) as answer from datamodel=Network_Resolution by DNS.src DNS.query - | `drop_dm_object_name("DNS")` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | lookup remote_access_software remote_domain AS query OUTPUT isutility, description as signature, comment_reference as desc, category - | eval dest = query - | search isutility = True - | `detect_remote_access_software_usage_dns_filter`' -how_to_implement: To implement this search, you must ingest logs that contain the DNS query and the source of the query. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the DNS logs. The logs must also be mapped to the `Network_Resolution` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: It is possible that legitimate remote access software is used within the environment. Ensure that the lookup is reviewed and updated with any additional remote access software that is used within the environment. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime values(DNS.answer) as answer from datamodel=Network_Resolution by DNS.src + DNS.query | `drop_dm_object_name("DNS")` | `security_content_ctime(firstTime)` | + `security_content_ctime(lastTime)` | lookup remote_access_software remote_domain + AS query OUTPUT isutility, description as signature, comment_reference as desc, + category | eval dest = query | search isutility = True | `detect_remote_access_software_usage_dns_filter`' +how_to_implement: To implement this search, you must ingest logs that contain the + DNS query and the source of the query. These logs must be processed using the appropriate + Splunk Technology Add-ons that are specific to the DNS logs. The logs must also + be mapped to the `Network_Resolution` data model. Use the Splunk Common Information + Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: It is possible that legitimate remote access software is used + within the environment. Ensure that the lookup is reviewed and updated with any + additional remote access software that is used within the environment. references: - https://attack.mitre.org/techniques/T1219/ - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/ @@ -56,6 +66,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1219/screenconnect/screenconnect_sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1219/screenconnect/screenconnect_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: XmlWinEventLog \ No newline at end of file + sourcetype: XmlWinEventLog diff --git a/detections/network/detect_remote_access_software_usage_traffic.yml b/detections/network/detect_remote_access_software_usage_traffic.yml index ffa8742233..b7b9c3d063 100644 --- a/detections/network/detect_remote_access_software_usage_traffic.yml +++ b/detections/network/detect_remote_access_software_usage_traffic.yml @@ -1,22 +1,33 @@ name: Detect Remote Access Software Usage Traffic id: 885ea672-07ee-475a-879e-60d28aa5dd42 -version: 1 -date: '2024-02-22' +version: 2 +date: '2024-05-29' author: Steven Dick status: production type: Anomaly -description: The following analytic detects when a known remote access software application traffic is detected from within the environment. Adversaries use these utilities to retain remote access capabilities to the environment. Utilities in the lookup include AnyDesk, GoToMyPC, LogMeIn, TeamViewer and much more. Review the lookup for the entire list and add any others. -data_source: +description: The following analytic detects network traffic associated with known + remote access software applications, such as AnyDesk, GoToMyPC, LogMeIn, and TeamViewer. + It leverages Palo Alto traffic logs mapped to the Network_Traffic data model in + Splunk. This activity is significant because adversaries often use remote access + tools to maintain unauthorized access to compromised environments. If confirmed + malicious, this activity could allow attackers to control systems remotely, exfiltrate + data, or deploy additional malware, posing a severe threat to the organization's + security. +data_source: - Palo Alto Network Traffic -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_Traffic.dest_port) as dest_port latest(user) as user from datamodel=Network_Traffic by All_Traffic.src All_Traffic.dest, All_Traffic.app - | `drop_dm_object_name("All_Traffic")` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | lookup remote_access_software remote_appid AS app OUTPUT isutility, description as signature, comment_reference as desc, category - | search isutility = True - | `detect_remote_access_software_usage_traffic_filter`' -how_to_implement: The following analytic was developed with Palo Alto traffic logs. Ensure that the logs are being ingested into Splunk and mapped to the Network_Traffic data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: It is possible that legitimate remote access software is used within the environment. Ensure that the lookup is reviewed and updated with any additional remote access software that is used within the environment. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime values(All_Traffic.dest_port) as dest_port latest(user) as user from + datamodel=Network_Traffic by All_Traffic.src All_Traffic.dest, All_Traffic.app | + `drop_dm_object_name("All_Traffic")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | lookup remote_access_software remote_appid AS app OUTPUT isutility, description + as signature, comment_reference as desc, category | search isutility = True | `detect_remote_access_software_usage_traffic_filter`' +how_to_implement: The following analytic was developed with Palo Alto traffic logs. + Ensure that the logs are being ingested into Splunk and mapped to the Network_Traffic + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: It is possible that legitimate remote access software is used + within the environment. Ensure that the lookup is reviewed and updated with any + additional remote access software that is used within the environment. references: - https://attack.mitre.org/techniques/T1219/ - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/ @@ -30,14 +41,15 @@ tags: asset_type: Network confidence: 50 impact: 50 - message: Application traffic for a known remote access software [$signature$] was detected from $src$. + message: Application traffic for a known remote access software [$signature$] was + detected from $src$. mitre_attack_id: - T1219 observable: - name: src type: Hostname role: - - Victim + - Victim product: - Splunk Enterprise - Splunk Enterprise Security @@ -54,6 +66,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1219/screenconnect/screenconnect_palo_traffic.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1219/screenconnect/screenconnect_palo_traffic.log source: screenconnect_palo_traffic - sourcetype: pan:traffic \ No newline at end of file + sourcetype: pan:traffic diff --git a/detections/network/detect_rogue_dhcp_server.yml b/detections/network/detect_rogue_dhcp_server.yml index 8c4cd4840e..a9254f53b9 100644 --- a/detections/network/detect_rogue_dhcp_server.yml +++ b/detections/network/detect_rogue_dhcp_server.yml @@ -1,13 +1,17 @@ name: Detect Rogue DHCP Server id: 6e1ada88-7a0d-4ac1-92c6-03d354686079 -version: 1 -date: '2020-08-11' +version: 2 +date: '2024-05-28' author: Mikael Bjerkeland, Splunk status: experimental type: TTP -description: By enabling DHCP Snooping as a Layer 2 Security measure on the organization's - network devices, we will be able to detect unauthorized DHCP servers handing out - DHCP leases to devices on the network (Man in the Middle attack). +description: The following analytic identifies the presence of unauthorized DHCP servers + on the network. It leverages logs from Cisco network devices with DHCP Snooping + enabled, specifically looking for events where DHCP leases are issued from untrusted + ports. This activity is significant because rogue DHCP servers can facilitate Man-in-the-Middle + attacks, leading to potential data interception and network disruption. If confirmed + malicious, this could allow attackers to redirect network traffic, capture sensitive + information, and compromise the integrity of the network. data_source: [] search: '`cisco_networks` facility="DHCP_SNOOPING" mnemonic="DHCP_SNOOPING_UNTRUSTED_PORT" | stats min(_time) AS firstTime max(_time) AS lastTime count values(message_type) diff --git a/detections/network/detect_software_download_to_network_device.yml b/detections/network/detect_software_download_to_network_device.yml index 579f9b5daf..50d3f0b30c 100644 --- a/detections/network/detect_software_download_to_network_device.yml +++ b/detections/network/detect_software_download_to_network_device.yml @@ -1,15 +1,18 @@ name: Detect Software Download To Network Device id: cc590c66-f65f-48f2-986a-4797244762f8 -version: 1 -date: '2020-10-28' +version: 2 +date: '2024-05-20' author: Mikael Bjerkeland, Splunk status: experimental type: TTP -description: Adversaries may abuse netbooting to load an unauthorized network device - operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot - (netbooting) is commonly used by network administrators to load configuration-controlled - network device images from a centralized management server. Netbooting is one option - in the boot sequence and can be used to centralize, manage, and control device images. +description: The following analytic identifies unauthorized software downloads to + network devices via TFTP, FTP, or SSH/SCP. It detects this activity by analyzing + network traffic events on specific ports (69, 21, 22) from devices categorized as + network, router, or switch. This activity is significant because adversaries may + exploit netbooting to load unauthorized operating systems, potentially compromising + network integrity. If confirmed malicious, this could lead to unauthorized control + over network devices, enabling further attacks, data exfiltration, or persistent + access within the network. data_source: [] search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where (All_Traffic.transport=udp AND diff --git a/detections/network/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.yml b/detections/network/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.yml index 8686639f9f..093cf15ce4 100644 --- a/detections/network/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.yml +++ b/detections/network/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.yml @@ -1,20 +1,17 @@ name: Detect suspicious DNS TXT records using pretrained model in DSDL id: 92f65c3a-968c-11ed-a1eb-0242ac120002 -version: 1 -date: '2023-01-15' +version: 2 +date: '2024-05-13' author: Abhinav Mishra, Kumar Sharad and Namratha Sreekanta, Splunk status: experimental type: Anomaly -description: The following analytic uses a pre trained deep learning model to detect - suspicious DNS TXT records. The model is trained independently and is then made - available for download. The DNS TXT records are categorized into commonly identified - types like email, verification, http using regular expressions https://www.tide-project.nl/blog/wtmc2020/. - The TXT records that do not match regular expressions for well known types are labeled - as 1 for "unknown/suspicious" and otherwise 0 for "not suspicious". The deep learning - model we have developed uses DNS TXT responses to analyze patterns of character - sequences to predict if a DNS TXT is suspicious or not. The higher the pred_is_unknown_proba, - the more likely the DNS TXT record is suspicious. The threshold for flagging a domain - as suspicious is set at 0.5. +description: The following analytic identifies suspicious DNS TXT records using a + pre-trained deep learning model. It leverages DNS response data from the Network + Resolution data model, categorizing TXT records into known types via regular expressions. + Records that do not match known patterns are flagged as suspicious. This activity + is significant as DNS TXT records can be used for data exfiltration or command-and-control + communication. If confirmed malicious, attackers could use these records to covertly + transfer data or receive instructions, posing a severe threat to network security. data_source: [] search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Resolution where DNS.message_type=response AND @@ -22,7 +19,8 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | rename answer as text | fields firstTime, lastTime, message_type,record_type,src,dest, text | apply detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl | rename predicted_is_unknown as is_suspicious_score | where is_suspicious_score > - 0.5 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table src,dest,text,record_type, firstTime, lastTime,is_suspicious_score | `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl_filter`' + 0.5 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | + table src,dest,text,record_type, firstTime, lastTime,is_suspicious_score | `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl_filter`' how_to_implement: 'Steps to deploy detect suspicious DNS TXT records model into Splunk App DSDL. This detection depends on the Splunk app for Data Science and Deep Learning which can be found here - `https://splunkbase.splunk.com/app/4607/` and the Network diff --git a/detections/network/detect_traffic_mirroring.yml b/detections/network/detect_traffic_mirroring.yml index 4ca226c2f4..6905c3e69a 100644 --- a/detections/network/detect_traffic_mirroring.yml +++ b/detections/network/detect_traffic_mirroring.yml @@ -1,15 +1,18 @@ name: Detect Traffic Mirroring id: 42b3b753-5925-49c5-9742-36fa40a73990 -version: 1 -date: '2020-10-28' +version: 2 +date: '2024-05-09' author: Mikael Bjerkeland, Splunk status: experimental type: TTP -description: Adversaries may leverage traffic mirroring in order to automate data - exfiltration over compromised network infrastructure. Traffic mirroring is a native - feature for some network devices and used for network analysis and may be configured - to duplicate traffic and forward to one or more destinations for analysis by a network - analyzer or other monitoring device. +description: The following analytic detects the initiation of traffic mirroring sessions + on Cisco network devices. It leverages logs with specific mnemonics and facilities + related to traffic mirroring, such as "ETH_SPAN_SESSION_UP" and "PKTCAP_START." + This activity is significant because adversaries may use traffic mirroring to exfiltrate + data by duplicating and forwarding network traffic to an external destination. If + confirmed malicious, this could allow attackers to capture sensitive information, + monitor network communications, and potentially compromise the integrity and confidentiality + of the network. data_source: [] search: '`cisco_networks` (facility="MIRROR" mnemonic="ETH_SPAN_SESSION_UP") OR (facility="SPAN" mnemonic="SESSION_UP") OR (facility="SPAN" mnemonic="PKTCAP_START") OR (mnemonic="CFGLOG_LOGGEDCMD" diff --git a/detections/network/detect_unauthorized_assets_by_mac_address.yml b/detections/network/detect_unauthorized_assets_by_mac_address.yml index aa47960e68..dd1bed53cc 100644 --- a/detections/network/detect_unauthorized_assets_by_mac_address.yml +++ b/detections/network/detect_unauthorized_assets_by_mac_address.yml @@ -1,16 +1,18 @@ name: Detect Unauthorized Assets by MAC address id: dcfd6b40-42f9-469d-a433-2e53f7489ff4 -version: 2 -date: '2017-09-13' +version: 3 +date: '2024-05-10' author: Bhavin Patel, Splunk status: experimental type: TTP -description: By populating the organization's assets within the assets_by_str.csv, - we will be able to detect unauthorized devices that are trying to connect with the - organization's network by inspecting DHCP request packets, which are issued by devices - when they attempt to obtain an IP address from the DHCP server. The MAC address - associated with the source of the DHCP request is checked against the list of known - devices, and reports on those that are not found. +description: The following analytic identifies unauthorized devices attempting to + connect to the organization's network by inspecting DHCP request packets. It detects + this activity by comparing the MAC addresses in DHCP requests against a list of + known authorized devices stored in the assets_by_str.csv file. This activity is + significant for a SOC because unauthorized devices can pose security risks, including + potential data breaches or network disruptions. If confirmed malicious, this activity + could allow an attacker to gain unauthorized network access, potentially leading + to further exploitation or data exfiltration. data_source: [] search: '| tstats `security_content_summariesonly` count from datamodel=Network_Sessions where nodename=All_Sessions.DHCP All_Sessions.tag=dhcp by All_Sessions.dest_ip All_Sessions.dest_mac diff --git a/detections/network/detect_windows_dns_sigred_via_splunk_stream.yml b/detections/network/detect_windows_dns_sigred_via_splunk_stream.yml index 1c4263b7e7..6dc617e251 100644 --- a/detections/network/detect_windows_dns_sigred_via_splunk_stream.yml +++ b/detections/network/detect_windows_dns_sigred_via_splunk_stream.yml @@ -1,11 +1,18 @@ name: Detect Windows DNS SIGRed via Splunk Stream id: babd8d10-d073-11ea-87d0-0242ac130003 -version: 1 -date: '2020-07-28' +version: 2 +date: '2024-05-28' author: Shannon Davis, Splunk status: experimental type: TTP -description: "Ensure that the following prerequisites are met: (i) Both Splunk Stream DNS and TCP data are ingested. (ii) The macros 'stream:dns' and 'stream:tcp' are replaced with the appropriate configurations that are specific to your Splunk environment. The following analytic detects SIGRed exploitation attempts. SIGRed is a critical wormable vulnerability found in Windows DNS servers, known as CVE-2020-1350, which allows remote code execution. The detection is made by using an experimental search that focuses on identifying specific indicators that might suggest the presence of the SIGRed exploit such as DNS SIG records, KEY records, and TCP payloads greater than 65KB. This detection is important because it detects and responds to potential SIGRed exploitation attempts and minimizes the risk of a successful attack and its impact on the organization's infrastructure and data. False positives might occur due to the experimental nature of this analytic. Next steps include reviewing and investigating each case thoroughly given the potential for unauthorized Windows DNS server access, data breaches, and service disruptions. Additionally, you must stay updated with Microsoft's guidance on the SIGRed vulnerability." +description: "The following analytic detects attempts to exploit the SIGRed vulnerability + (CVE-2020-1350) in Windows DNS servers. It leverages Splunk Stream DNS and TCP data + to identify DNS SIG and KEY records, as well as TCP payloads exceeding 65KB. This + activity is significant because SIGRed is a critical wormable vulnerability that + allows remote code execution. If confirmed malicious, an attacker could gain unauthorized + access, execute arbitrary code, and potentially disrupt services, leading to severe + data breaches and infrastructure compromise. Immediate investigation and remediation + are crucial to mitigate these risks." data_source: [] search: '`stream_dns` | spath "query_type{}" | search "query_type{}" IN (SIG,KEY) | spath protocol_stack | search protocol_stack="ip:tcp:dns" | append [search `stream_tcp` diff --git a/detections/network/detect_windows_dns_sigred_via_zeek.yml b/detections/network/detect_windows_dns_sigred_via_zeek.yml index 88d788d304..6cffde76c0 100644 --- a/detections/network/detect_windows_dns_sigred_via_zeek.yml +++ b/detections/network/detect_windows_dns_sigred_via_zeek.yml @@ -1,12 +1,12 @@ name: Detect Windows DNS SIGRed via Zeek id: c5c622e4-d073-11ea-87d0-0242ac130003 -version: 1 -date: '2020-07-28' +version: 2 +date: '2024-05-23' author: Shannon Davis, Splunk status: experimental type: TTP description: |- - The following analytic detects the presence of SIGRed, a critical DNS vulnerability, using Zeek DNS and Zeek Conn data. SIGRed vulnerability allows attackers to run remote code on Windows DNS servers. By detecting SIGRed early, you can prevent further damage and protect the organization's network infrastructure. The detection is made by identifying specific DNS query types (SIG and KEY) in the Zeek DNS data and checks for high data transfer in the Zeek Conn data. If multiple instances of these indicators are found within a flow, it suggests the presence of SIGRed. The detection is important because it indicates a potential compromise of Windows DNS servers that suggests that an attacker might have gained unauthorized access to the DNS server and can run arbitrary code. The impact of this attack can be severe, leading to data exfiltration, unauthorized access, or disruption of critical services. Next steps include investigating the affected flow and taking immediate action to mitigate the vulnerability. This can involve patching the affected DNS server, isolating the server from the network, or conducting a forensic analysis to determine the extent of the compromise. + The following analytic detects the presence of SIGRed, a critical DNS vulnerability, using Zeek DNS and Zeek Conn data. It identifies specific DNS query types (SIG and KEY) and checks for high data transfer within a flow. This detection is significant because SIGRed allows attackers to execute remote code on Windows DNS servers, potentially leading to unauthorized access and control. If confirmed malicious, this activity could result in data exfiltration, service disruption, or further network compromise. Immediate investigation and mitigation, such as patching or isolating the affected server, are crucial. data_source: [] search: '| tstats `security_content_summariesonly` count from datamodel=Network_Resolution where DNS.query_type IN (SIG,KEY) by DNS.flow_id | rename DNS.flow_id as flow_id diff --git a/detections/network/detect_zerologon_via_zeek.yml b/detections/network/detect_zerologon_via_zeek.yml index e279b2c858..d7885eff30 100644 --- a/detections/network/detect_zerologon_via_zeek.yml +++ b/detections/network/detect_zerologon_via_zeek.yml @@ -1,12 +1,12 @@ name: Detect Zerologon via Zeek id: bf7a06ec-f703-11ea-adc1-0242ac120002 -version: 1 -date: '2020-09-15' +version: 2 +date: '2024-05-28' author: Shannon Davis, Splunk status: experimental type: TTP description: |- - The following analytic detects attempts to exploit the Zerologon CVE-2020-1472 vulnerability through Zeek RPC. By detecting attempts to exploit the Zerologon vulnerability through Zeek RPC, SOC analysts can identify potential threats earlier and take appropriate action to mitigate the risks. This detection is made by a Splunk query that looks for specific Zeek RPC operations, including NetrServerPasswordSet2, NetrServerReqChallenge, and NetrServerAuthenticate3, which are aggregated by source and destination IP address and time. This detection is important because it suggests that an attacker is attempting to exploit the Zerologon vulnerability to gain unauthorized access to the domain controller. Zerologon vulnerability is a critical vulnerability that allows attackers to take over domain controllers without authentication, leading to a complete takeover of an organization's IT infrastructure. The impact of such an attack can be severe, potentially leading to data theft, ransomware, or other devastating outcomes. False positives might occur since legitimate Zeek RPC activity can trigger the analytic. Next steps include reviewing the identified source and destination IP addresses and the specific RPC operations used. Capture and inspect any relevant on-disk artifacts, and review concurrent processes to identify the attack source upon triage . + The following analytic detects attempts to exploit the Zerologon CVE-2020-1472 vulnerability via Zeek RPC. It leverages Zeek DCE-RPC data to identify specific operations: NetrServerPasswordSet2, NetrServerReqChallenge, and NetrServerAuthenticate3. This activity is significant because it indicates an attempt to gain unauthorized access to a domain controller, potentially leading to a complete takeover of an organization's IT infrastructure. If confirmed malicious, the impact could be severe, including data theft, ransomware deployment, or other devastating outcomes. Immediate investigation of the identified IP addresses and RPC operations is crucial. data_source: [] search: '`zeek_rpc` operation IN (NetrServerPasswordSet2,NetrServerReqChallenge,NetrServerAuthenticate3) | bin span=5m _time | stats values(operation) dc(operation) as opscount count(eval(operation=="NetrServerReqChallenge")) diff --git a/detections/network/dns_query_length_outliers___mltk.yml b/detections/network/dns_query_length_outliers___mltk.yml index 06ab3e2671..30677e8872 100644 --- a/detections/network/dns_query_length_outliers___mltk.yml +++ b/detections/network/dns_query_length_outliers___mltk.yml @@ -19,7 +19,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as start_tim | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval query_length = len(query) | apply dns_query_pdfmodel threshold=0.01 | rename "IsOutlier(query_length)" as isOutlier | search isOutlier > 0 | sort -query_length | table start_time end_time - query record_type count src dest query_length | `dns_query_length_outliers___mltk_filter` ' + query record_type count src dest query_length | `dns_query_length_outliers___mltk_filter`' how_to_implement: "To successfully implement this search, you will need to ensure that DNS data is populating the Network_Resolution data model. In addition, the Machine Learning Toolkit (MLTK) version 4.2 or greater must be installed on your diff --git a/detections/network/dns_query_length_with_high_standard_deviation.yml b/detections/network/dns_query_length_with_high_standard_deviation.yml index 32a4515f36..db3f32e5c8 100644 --- a/detections/network/dns_query_length_with_high_standard_deviation.yml +++ b/detections/network/dns_query_length_with_high_standard_deviation.yml @@ -1,14 +1,19 @@ name: DNS Query Length With High Standard Deviation id: 1a67f15a-f4ff-4170-84e9-08cf6f75d6f5 -version: 5 -date: '2024-02-14' +version: 6 +date: '2024-05-15' author: Bhavin Patel, Splunk status: production type: Anomaly -description: This search allows you to identify DNS requests and compute the standard - deviation on the length of the names being resolved, then filter on two times the - standard deviation to show you those queries that are unusually large for your environment. -data_source: +description: The following analytic identifies DNS queries with unusually large lengths + by computing the standard deviation of query lengths and filtering those exceeding + twice the standard deviation. It leverages DNS query data from the Network_Resolution + data model, focusing on the length of the domain names being resolved. This activity + is significant as unusually long DNS queries can indicate data exfiltration or command-and-control + communication attempts. If confirmed malicious, this activity could allow attackers + to stealthily transfer data or maintain persistent communication channels within + the network. +data_source: - Sysmon EventID 22 search: '| tstats `security_content_summariesonly` count from datamodel=Network_Resolution where NOT DNS.record_type IN("Pointer","PTR") by DNS.query host| `drop_dm_object_name("DNS")` @@ -51,6 +56,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048.003/long_dns_queries/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048.003/long_dns_queries/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/network/excessive_dns_failures.yml b/detections/network/excessive_dns_failures.yml index 2aa0235411..81820f3276 100644 --- a/detections/network/excessive_dns_failures.yml +++ b/detections/network/excessive_dns_failures.yml @@ -22,7 +22,7 @@ search: '| tstats `security_content_summariesonly` count from datamodel=Network_ domain as query OUTPUT rank | where isnull(rank) | eventstats max(count) as mc by src reply_code | eval mode_query=if(count=mc, query, null()) | stats sum(count) as count values(mode_query) as query values(mc) as max_query_count by src reply_code - | where count>50 | `get_asset(src)` | `excessive_dns_failures_filter` ' + | where count>50 | `get_asset(src)` | `excessive_dns_failures_filter`' how_to_implement: To successfully implement this search you must ensure that DNS data is populating the Network_Resolution data model. known_false_positives: It is possible legitimate traffic can trigger this rule. Please diff --git a/detections/network/f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388.yml b/detections/network/f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388.yml index 4c47cf932f..2cb77c3b2f 100644 --- a/detections/network/f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388.yml +++ b/detections/network/f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388.yml @@ -1,16 +1,19 @@ name: F5 BIG-IP iControl REST Vulnerability CVE-2022-1388 id: bb1c2c30-107a-4e56-a4b9-1f7022867bfe -version: 1 -date: '2022-05-10' +version: 2 +date: '2024-05-28' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies a recent unauthenticated remote code - execution vulnerablity against the F5 BIG-IP iControl REST API. The analytic identifies - the URI path found in the POCs and the HTTP Method of POST. In addition, the request - header will have the commands that may be executed in fields utilcmdargs and the - auth field of X-F5-Auth-Token, which may have a random base64 encoded value. -data_source: +description: The following analytic detects attempts to exploit the F5 BIG-IP iControl + REST API vulnerability (CVE-2022-1388) for unauthenticated remote code execution. + It identifies suspicious URI paths and POST HTTP methods, along with specific request + headers containing potential commands in the `utilcmdargs` field and a random base64 + encoded value in the `X-F5-Auth-Token` field. This activity is significant as it + targets a critical vulnerability that can allow attackers to execute arbitrary commands + on the affected system. If confirmed malicious, this could lead to full system compromise + and unauthorized access to sensitive data. +data_source: - Palo Alto Network Threat search: '| tstats count from datamodel=Web where Web.url="*/mgmt/tm/util/bash*" Web.http_method="POST" by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest @@ -62,7 +65,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/f5/f5.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/f5/f5.log source: pan:threat sourcetype: pan:threat update_timestamp: true diff --git a/detections/network/high_volume_of_bytes_out_to_url.yml b/detections/network/high_volume_of_bytes_out_to_url.yml index 453906056d..44ca220d6a 100644 --- a/detections/network/high_volume_of_bytes_out_to_url.yml +++ b/detections/network/high_volume_of_bytes_out_to_url.yml @@ -1,18 +1,32 @@ name: High Volume of Bytes Out to Url id: c8a6b56d-16dd-4e9c-b4bd-527742ead98d -version: 1 -date: '2024-02-22' +version: 2 +date: '2024-05-24' author: Bhavin Patel, Splunk -data_source: +data_source: - Nginx Access type: Anomaly status: production -description: The following analytic detects high volume of bytes out (greater than 1GB) to a URL within 2 mins of time window. This may be - indicative of an attacker attempting to exfiltrate data. The search applies a fundamental threshold for detecting significant web uploads. This approach aims to identify potential data exfiltration activities by malware or malevolent insiders. View the alert for $dest$ to investigate further. -search: '| tstats `security_content_summariesonly` count sum(Web.bytes_out) as sum_bytes_out values(Web.user) as user values(Web.app) as app values(Web.dest) as dest from datamodel=Web by _time span=2m Web.url Web.src sourcetype | search sum_bytes_out > 1070000000 | `drop_dm_object_name("Web")`| `high_volume_of_bytes_out_to_url_filter`' +description: The following analytic detects a high volume of outbound web traffic, + specifically over 1GB of data sent to a URL within a 2-minute window. It leverages + the Web data model to identify significant uploads by analyzing the sum of bytes + out. This activity is significant as it may indicate potential data exfiltration + by malware or malicious insiders. If confirmed as malicious, this behavior could + lead to unauthorized data transfer, resulting in data breaches and loss of sensitive + information. Immediate investigation is required to determine the legitimacy of + the transfer and mitigate any potential threats. +search: '| tstats `security_content_summariesonly` count sum(Web.bytes_out) as sum_bytes_out + values(Web.user) as user values(Web.app) as app values(Web.dest) as dest from datamodel=Web + by _time span=2m Web.url Web.src sourcetype | search sum_bytes_out > 1070000000 + | `drop_dm_object_name("Web")`| `high_volume_of_bytes_out_to_url_filter`' how_to_implement: To successfully implement this search you need to be ingesting information - on Web traffic that include fields relavent for traffic into the `Web` datamodel. Please adjust the threshold for the sum of bytes out as per your environment and user behavior. -known_false_positives: This search may trigger false positives if there is a legitimate reason for a high volume of bytes out to a URL. We recommend to investigate these findings. Consider updating the filter macro to exclude the applications that are relevant to your environment. + on Web traffic that include fields relavent for traffic into the `Web` datamodel. + Please adjust the threshold for the sum of bytes out as per your environment and + user behavior. +known_false_positives: This search may trigger false positives if there is a legitimate + reason for a high volume of bytes out to a URL. We recommend to investigate these + findings. Consider updating the filter macro to exclude the applications that are + relevant to your environment. references: - https://attack.mitre.org/techniques/T1567/ - https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html @@ -23,7 +37,8 @@ tags: asset_type: Endpoint confidence: 30 impact: 30 - message: A high volume of bytes out to a URL $url$ was detected from src $src$ to dest $dest$. + message: A high volume of bytes out to a URL $url$ was detected from src $src$ to + dest $dest$. mitre_attack_id: - T1567 observable: @@ -52,6 +67,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1567/web_upload_nginx/web_upload_nginx.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1567/web_upload_nginx/web_upload_nginx.log source: /var/log/nginx/access.log sourcetype: nginx:plus:kv diff --git a/detections/network/multiple_archive_files_http_post_traffic.yml b/detections/network/multiple_archive_files_http_post_traffic.yml index 72fb45a5ae..9120c894ba 100644 --- a/detections/network/multiple_archive_files_http_post_traffic.yml +++ b/detections/network/multiple_archive_files_http_post_traffic.yml @@ -1,24 +1,20 @@ name: Multiple Archive Files Http Post Traffic id: 4477f3ea-a28f-11eb-b762-acde48001122 -version: 2 -date: '2023-11-07' +version: 3 +date: '2024-05-16' author: Teoderick Contreras, Splunk status: production type: TTP -description: This search is designed to detect high frequency of archive files data - exfiltration through HTTP POST method protocol. This are one of the common techniques - used by APT or trojan spy after doing the data collection like screenshot, recording, - sensitive data to the infected machines. The attacker may execute archiving command - to the collected data, save it a temp folder with a hidden attribute then send it - to its C2 through HTTP POST. Sometimes adversaries will rename the archive files - or encode/encrypt to cover their tracks. This detection can detect a renamed archive - files transfer to HTTP POST since it checks the request body header. Unfortunately - this detection cannot support archive that was encrypted or encoded before doing - the exfiltration. -data_source: +description: The following analytic detects the high-frequency exfiltration of archive + files via HTTP POST requests. It leverages HTTP stream logs to identify specific + archive file headers within the request body. This activity is significant as it + often indicates data exfiltration by APTs or trojan spyware after data collection. + If confirmed malicious, this behavior could lead to the unauthorized transfer of + sensitive data to an attacker’s command and control server, potentially resulting + in severe data breaches and loss of confidential information. +data_source: - Splunk Stream HTTP -search: '`stream_http` http_method=POST |eval archive_hdr1=substr(form_data,1,2) | eval archive_hdr2 = substr(form_data,1,4) |stats values(form_data) as http_request_body min(_time) as firstTime max(_time) as lastTime count by src_ip dest_ip http_method http_user_agent uri_path url bytes_in bytes_out archive_hdr1 archive_hdr2 |where count >20 AND (archive_hdr1 = "7z" OR archive_hdr1 = "PK" OR archive_hdr2="Rar!") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `multiple_archive_files_http_post_traffic_filter` - ' +search: '`stream_http` http_method=POST |eval archive_hdr1=substr(form_data,1,2) | eval archive_hdr2 = substr(form_data,1,4) |stats values(form_data) as http_request_body min(_time) as firstTime max(_time) as lastTime count by src_ip dest_ip http_method http_user_agent uri_path url bytes_in bytes_out archive_hdr1 archive_hdr2 |where count >20 AND (archive_hdr1 = "7z" OR archive_hdr1 = "PK" OR archive_hdr2="Rar!") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `multiple_archive_files_http_post_traffic_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the stream HTTP logs or network logs that catch network traffic. Make sure that the http-request-body, payload, or request field is enabled in stream @@ -35,7 +31,8 @@ tags: asset_type: Endpoint confidence: 50 impact: 50 - message: A http post $http_method$ sending packet with possible archive bytes header in uri path $uri_path$ + message: A http post $http_method$ sending packet with possible archive bytes header + in uri path $uri_path$ mitre_attack_id: - T1048.003 - T1048 @@ -68,6 +65,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048.003/archive_http_post/stream_http_events.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048.003/archive_http_post/stream_http_events.log source: stream sourcetype: stream:http diff --git a/detections/network/ngrok_reverse_proxy_on_network.yml b/detections/network/ngrok_reverse_proxy_on_network.yml index cde26d4e83..d1b33bc26b 100644 --- a/detections/network/ngrok_reverse_proxy_on_network.yml +++ b/detections/network/ngrok_reverse_proxy_on_network.yml @@ -1,16 +1,19 @@ name: Ngrok Reverse Proxy on Network id: 5790a766-53b8-40d3-a696-3547b978fcf0 -version: 1 -date: '2022-11-16' +version: 2 +date: '2024-05-24' author: Michael Haag, Splunk status: production type: Anomaly -description: The following analytic identifies the 4 most common Ngrok used domains - based on DNS queries under the Network Resolution datamodel. It's possible these - domains may be ran against the Web datamodel or ran with a direct query across network/proxy - traffic. The sign of someone using Ngrok is not malicious, however, more recenctly - it has become an adversary tool. -data_source: +description: The following analytic detects DNS queries to common Ngrok domains, indicating + potential use of the Ngrok reverse proxy tool. It leverages the Network Resolution + datamodel to identify queries to domains such as "*.ngrok.com" and "*.ngrok.io". + While Ngrok usage is not inherently malicious, it has been increasingly adopted + by adversaries for covert communication and data exfiltration. If confirmed malicious, + this activity could allow attackers to bypass network defenses, establish persistent + connections, and exfiltrate sensitive data, posing a significant threat to the network's + security. +data_source: - Sysmon EventID 22 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Resolution where DNS.query IN ("*.ngrok.com","*.ngrok.io", @@ -52,7 +55,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1572/ngrok/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1572/ngrok/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog update_timestamp: true diff --git a/detections/network/plain_http_post_exfiltrated_data.yml b/detections/network/plain_http_post_exfiltrated_data.yml index 1fbab86301..d44da6f3e8 100644 --- a/detections/network/plain_http_post_exfiltrated_data.yml +++ b/detections/network/plain_http_post_exfiltrated_data.yml @@ -1,20 +1,24 @@ name: Plain HTTP POST Exfiltrated Data id: e2b36208-a364-11eb-8909-acde48001122 -version: 2 -date: '2023-11-07' +version: 3 +date: '2024-05-26' author: Teoderick Contreras, Splunk status: production type: TTP -description: This search is to detect potential plain HTTP POST method data exfiltration. - This network traffic is commonly used by trickbot, trojanspy, keylogger or APT adversary - where arguments or commands are sent in plain text to the remote C2 server using - HTTP POST method as part of data exfiltration. -data_source: +description: The following analytic detects potential data exfiltration using plain + HTTP POST requests. It leverages network traffic logs, specifically monitoring the + `stream_http` data source for POST methods containing suspicious form data such + as "wermgr.exe" or "svchost.exe". This activity is significant because it is commonly + associated with malware like Trickbot, trojans, keyloggers, or APT adversaries, + which use plain text HTTP POST requests to communicate with remote C2 servers. If + confirmed malicious, this activity could lead to unauthorized data exfiltration, + compromising sensitive information and potentially leading to further network infiltration. +data_source: - Splunk Stream HTTP search: '`stream_http` http_method=POST form_data IN ("*wermgr.exe*","*svchost.exe*", "*name=\"proclist\"*","*ipconfig*", "*name=\"sysinfo\"*", "*net view*") |stats values(form_data) - as http_request_body min(_time) as firstTime max(_time) as lastTime count by src_ip dest_ip http_method - http_user_agent uri_path url bytes_in bytes_out | `security_content_ctime(firstTime)` + as http_request_body min(_time) as firstTime max(_time) as lastTime count by src_ip + dest_ip http_method http_user_agent uri_path url bytes_in bytes_out | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `plain_http_post_exfiltrated_data_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the stream HTTP logs or network logs that catch network traffic. Make @@ -29,7 +33,8 @@ tags: asset_type: Endpoint confidence: 90 impact: 70 - message: A http post $http_method$ sending packet with plain text of information in uri path $uri_path$ + message: A http post $http_method$ sending packet with plain text of information + in uri path $uri_path$ mitre_attack_id: - T1048.003 - T1048 @@ -55,6 +60,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048.003/plain_exfil_data/stream_http_events.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048.003/plain_exfil_data/stream_http_events.log source: stream sourcetype: stream:http diff --git a/detections/network/prohibited_network_traffic_allowed.yml b/detections/network/prohibited_network_traffic_allowed.yml index 0629d51e5c..4c1c265a7e 100644 --- a/detections/network/prohibited_network_traffic_allowed.yml +++ b/detections/network/prohibited_network_traffic_allowed.yml @@ -1,15 +1,18 @@ name: Prohibited Network Traffic Allowed id: ce5a0962-849f-4720-a678-753fe6674479 -version: 2 -date: '2024-02-27' +version: 3 +date: '2024-05-11' author: Rico Valdez, Splunk status: production type: TTP -description: The following analytic detects instances where network traffic, specifically identified by port and transport layer protocol as - prohibited in the "lookup_interesting_ports" table, is allowed according to the Network_Traffic data model. It operates by cross-referencing - traffic data against predefined security policies to identify discrepancies indicative of potential misconfigurations or policy violations. - This detection is crucial for a Security Operations Center (SOC) as it highlights potential security breaches or misconfigured network devices - that could allow unauthorized access or data exfiltration, directly impacting the organization's security posture. +description: The following analytic detects instances where network traffic, identified + by port and transport layer protocol as prohibited in the "lookup_interesting_ports" + table, is allowed. It uses the Network_Traffic data model to cross-reference traffic + data against predefined security policies. This activity is significant for a SOC + as it highlights potential misconfigurations or policy violations that could lead + to unauthorized access or data exfiltration. If confirmed malicious, this could + allow attackers to bypass network defenses, leading to potential data breaches and + compromising the organization's security posture. data_source: [] search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.action = allowed by @@ -60,6 +63,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048/ftp_connection/zeek_conn.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048/ftp_connection/zeek_conn.log sourcetype: bro:conn:json - source: conn.log \ No newline at end of file + source: conn.log diff --git a/detections/network/protocol_or_port_mismatch.yml b/detections/network/protocol_or_port_mismatch.yml index 1e6d9ac2e7..7651f15b0c 100644 --- a/detections/network/protocol_or_port_mismatch.yml +++ b/detections/network/protocol_or_port_mismatch.yml @@ -1,16 +1,18 @@ name: Protocol or Port Mismatch id: 54dc1265-2f74-4b6d-b30d-49eb506a31b3 -version: 2 -date: '2020-07-21' +version: 3 +date: '2024-05-29' author: Rico Valdez, Splunk status: experimental type: Anomaly -description: This search looks for network traffic on common ports where a higher - layer protocol does not match the port that is being used. For example, this search - should identify cases where protocols other than HTTP are running on TCP port 80. - This can be used by attackers to circumvent firewall restrictions, or as an attempt - to hide malicious communications over ports and protocols that are typically allowed - and not well inspected. +description: The following analytic identifies network traffic where the higher layer + protocol does not match the expected port, such as non-HTTP traffic on TCP port + 80. It leverages data from network traffic inspection technologies like Bro or Palo + Alto Networks firewalls. This activity is significant because it may indicate attempts + to bypass firewall restrictions or conceal malicious communications. If confirmed + malicious, this behavior could allow attackers to evade detection, maintain persistence, + or exfiltrate data through commonly allowed ports, posing a significant threat to + network security. data_source: [] search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where (All_Traffic.app=dns NOT All_Traffic.dest_port=53) diff --git a/detections/network/protocols_passing_authentication_in_cleartext.yml b/detections/network/protocols_passing_authentication_in_cleartext.yml index 598878b632..b46553a399 100644 --- a/detections/network/protocols_passing_authentication_in_cleartext.yml +++ b/detections/network/protocols_passing_authentication_in_cleartext.yml @@ -1,15 +1,18 @@ name: Protocols passing authentication in cleartext id: 6923cd64-17a0-453c-b945-81ac2d8c6db9 -version: 3 -date: '2021-08-19' +version: 4 +date: '2024-05-29' author: Rico Valdez, Splunk status: experimental type: TTP -description: The following analytic identifies cleartext protocols at risk of leaking - sensitive information. Currently, this consists of legacy protocols such as telnet - (port 23), POP3 (port 110), IMAP (port 143), and non-anonymous FTP (port 21) sessions. - While some of these protocols may be used over SSL, they typically are found on - different assigned ports in those instances. +description: The following analytic identifies the use of cleartext protocols that + risk leaking sensitive information. It detects network traffic on legacy protocols + such as Telnet (port 23), POP3 (port 110), IMAP (port 143), and non-anonymous FTP + (port 21). The detection leverages the Network_Traffic data model to identify TCP + traffic on these ports. Monitoring this activity is crucial as it can expose credentials + and other sensitive data to interception. If confirmed malicious, attackers could + capture authentication details, leading to unauthorized access and potential data + breaches. data_source: [] search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.action!=blocked AND diff --git a/detections/network/remote_desktop_network_traffic.yml b/detections/network/remote_desktop_network_traffic.yml index c73ed1fef3..90269189f7 100644 --- a/detections/network/remote_desktop_network_traffic.yml +++ b/detections/network/remote_desktop_network_traffic.yml @@ -1,22 +1,25 @@ name: Remote Desktop Network Traffic id: 272b8407-842d-4b3d-bead-a704584003d3 -version: 4 -date: '2024-02-27' +version: 5 +date: '2024-05-29' author: David Dorsey, Splunk status: production type: Anomaly -description: The following analytic detects unusual Remote Desktop Protocol (RDP) traffic on TCP/3389, the default RDP port. - It identifies this activity by filtering out traffic from known RDP sources and destinations, focusing on atypical RDP connections within the network. - This detection is crucial for a Security Operations Center (SOC) as unauthorized RDP access can indicate an attacker's attempt to gain control over - networked systems, potentially leading to data theft, ransomware deployment, or further network compromise. - The impact of such unauthorized access can be significant, ranging from data breaches to complete system and network control loss. +description: The following analytic detects unusual Remote Desktop Protocol (RDP) + traffic on TCP/3389 by filtering out known RDP sources and destinations, focusing + on atypical connections within the network. This detection leverages network traffic + data to identify potentially unauthorized RDP access. Monitoring this activity is + crucial for a SOC as unauthorized RDP access can indicate an attacker's attempt + to control networked systems, leading to data theft, ransomware deployment, or further + network compromise. If confirmed malicious, this activity could result in significant + data breaches or complete system and network control loss. data_source: [] search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.dest_port=3389 AND All_Traffic.dest_category!=common_rdp_destination AND All_Traffic.src_category!=common_rdp_source AND All_Traffic.action="allowed" by All_Traffic.src All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name("All_Traffic")` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` - | `remote_desktop_network_traffic_filter` ' + | `remote_desktop_network_traffic_filter`' how_to_implement: To successfully implement this search you need to identify systems that commonly originate remote desktop traffic and that commonly receive remote desktop traffic. You can use the included support search "Identify Systems Creating @@ -68,6 +71,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.001/remote_desktop_connection/zeek_conn.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.001/remote_desktop_connection/zeek_conn.log sourcetype: bro:conn:json - source: conn.log \ No newline at end of file + source: conn.log diff --git a/detections/network/smb_traffic_spike.yml b/detections/network/smb_traffic_spike.yml index b61c4bc0c7..ab999aa0dc 100644 --- a/detections/network/smb_traffic_spike.yml +++ b/detections/network/smb_traffic_spike.yml @@ -1,12 +1,12 @@ name: SMB Traffic Spike id: 7f5fb3e1-4209-4914-90db-0ec21b936378 -version: 3 -date: '2020-07-22' +version: 4 +date: '2024-05-27' author: David Dorsey, Splunk status: experimental type: Anomaly description: |- - The following analytic detects spikes in the number of Server Message Block (SMB) traffic connections. SMB is a network protocol used for sharing files, printers, and other resources between computers. This detection is made by a Splunk query that looks for SMB traffic connections on ports 139 and 445, as well as connections using the SMB application. The query calculates the average and standard deviation of the number of SMB connections over the past 70 minutes, and identifies any sources that exceed two standard deviations from the average. This helps to filter out false positives caused by normal fluctuations in SMB traffic. This detection is important because it identifies potential SMB-based attacks, such as ransomware or data theft, which often involve a large number of SMB connections. This suggests that an attacker is attempting to exfiltrate data or spread malware within the network. Next steps include investigating the source of the traffic and determining if it is malicious. This can involve reviewing network logs, capturing and analyzing any relevant network packets, and correlating with other security events to identify the attack source and mitigate the risk. + The following analytic detects spikes in Server Message Block (SMB) traffic connections, which are used for sharing files and resources between computers. It leverages network traffic logs to monitor connections on ports 139 and 445, and SMB application usage. By calculating the average and standard deviation of SMB connections over the past 70 minutes, it identifies sources exceeding two standard deviations from the average. This activity is significant as it may indicate potential SMB-based attacks, such as ransomware or data theft. If confirmed malicious, attackers could exfiltrate data or spread malware within the network. data_source: [] search: '| tstats `security_content_summariesonly` count from datamodel=Network_Traffic where All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb @@ -15,7 +15,7 @@ search: '| tstats `security_content_summariesonly` count from datamodel=Network_ "-70m@m"), count, null))) as count avg(eval(if(_time upperBound - AND num_data_samples >=50, 1, 0) | where isOutlier=1 | table src count | `smb_traffic_spike_filter` ' + AND num_data_samples >=50, 1, 0) | where isOutlier=1 | table src count | `smb_traffic_spike_filter`' how_to_implement: This search requires you to be ingesting your network traffic logs and populating the `Network_Traffic` data model. known_false_positives: A file server may experience high-demand loads that could cause diff --git a/detections/network/smb_traffic_spike___mltk.yml b/detections/network/smb_traffic_spike___mltk.yml index cf81e5e112..5f2317f4e6 100644 --- a/detections/network/smb_traffic_spike___mltk.yml +++ b/detections/network/smb_traffic_spike___mltk.yml @@ -19,7 +19,7 @@ search: '| tstats `security_content_summariesonly` count values(All_Traffic.dest _time span=1h, All_Traffic.src | eval HourOfDay=strftime(_time, "%H") | eval DayOfWeek=strftime(_time, "%A") | `drop_dm_object_name(All_Traffic)` | apply smb_pdfmodel threshold=0.001 | rename "IsOutlier(count)" as isOutlier | search isOutlier > 0 | sort -count | - table _time src dest port count | `smb_traffic_spike___mltk_filter` ' + table _time src dest port count | `smb_traffic_spike___mltk_filter`' how_to_implement: "To successfully implement this search, you will need to ensure that DNS data is populating the Network_Traffic data model. In addition, the latest version of Machine Learning Toolkit (MLTK) must be installed on your search heads, diff --git a/detections/network/splunk_identified_ssl_tls_certificates.yml b/detections/network/splunk_identified_ssl_tls_certificates.yml index 765ac454f1..ccf832b111 100644 --- a/detections/network/splunk_identified_ssl_tls_certificates.yml +++ b/detections/network/splunk_identified_ssl_tls_certificates.yml @@ -1,15 +1,19 @@ name: Splunk Identified SSL TLS Certificates id: 620fbb89-86fd-4e2e-925f-738374277586 -version: 1 -date: '2022-05-25' +version: 2 +date: '2024-05-23' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic uses tags of SSL, TLS and certificate to identify - the usage of the Splunk default certificates being utilized in the environment. - Recommended guidance is to utilize valid TLS certificates which documentation may - be found in Splunk Docs - https://docs.splunk.com/Documentation/Splunk/8.2.6/Security/AboutsecuringyourSplunkconfigurationwithSSL. -data_source: +description: The following analytic identifies the usage of Splunk default SSL/TLS + certificates within the environment. It leverages tags such as SSL, TLS, and certificate + to detect these default certificates by examining the ssl_issuer_common_name field. + This activity is significant because using default certificates can expose the environment + to potential security risks, as they are not unique and can be easily exploited. + If confirmed malicious, attackers could intercept or manipulate data, leading to + unauthorized access or data breaches. It is recommended to replace default certificates + with valid, unique TLS certificates to enhance security. +data_source: - Splunk Stream TCP search: tag IN (ssl, tls, certificate) ssl_issuer_common_name=*splunk* | stats values(src) AS "Host(s) with Default Cert" count by ssl_issuer ssl_subject_common_name ssl_subject_organization @@ -60,7 +64,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1040/ssltls/ssl_splunk.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1040/ssltls/ssl_splunk.log source: stream:tcp sourcetype: stream:tcp update_timestamp: true diff --git a/detections/network/ssl_certificates_with_punycode.yml b/detections/network/ssl_certificates_with_punycode.yml index be31efed7a..15f10eb50a 100644 --- a/detections/network/ssl_certificates_with_punycode.yml +++ b/detections/network/ssl_certificates_with_punycode.yml @@ -1,17 +1,16 @@ name: SSL Certificates with Punycode id: 696694df-5706-495a-81f2-79501fa11b90 -version: 1 -date: '2022-11-01' +version: 2 +date: '2024-05-29' author: Michael Haag, Splunk status: experimental type: Hunting -description: The following analytic utilizes the Certificates Datamodel to look for - punycode domains, starting with xn--, found in the SSL issuer email domain. The - presence of punycode here does not equate to evil, therefore we need to decode the - punycode to determine what it translates to. Remove the CyberChef recipe as needed - and decode manually. Note that this is not the exact location of the malicious punycode - to trip CVE-2022-3602, but a method to at least identify fuzzing occurring on these - email paths. What does evil look like? it will start with +description: The following analytic detects SSL certificates with Punycode domains + in the SSL issuer email domain, identified by the prefix "xn--". It leverages the + Certificates Datamodel to flag these domains and uses CyberChef for decoding. This + activity is significant as Punycode can be used for domain spoofing and phishing + attacks. If confirmed malicious, attackers could deceive users and systems, potentially + leading to unauthorized access and data breaches. data_source: [] search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Certificates.All_Certificates by All_Certificates.SSL.ssl_issuer_email_domain diff --git a/detections/network/tor_traffic.yml b/detections/network/tor_traffic.yml index 769d5af7e7..200eddc4f1 100644 --- a/detections/network/tor_traffic.yml +++ b/detections/network/tor_traffic.yml @@ -1,23 +1,34 @@ name: TOR Traffic id: ea688274-9c06-4473-b951-e4cb7a5d7a45 -version: 3 -date: '2023-09-20' +version: 4 +date: '2024-05-29' author: David Dorsey, Bhavin Patel, Splunk status: production type: TTP -description: The following analytic looks for allowed network traffic to The Onion Router(TOR), a benign anonymity network which can be abused for a variety of nefarious purposes. Detecting Tor traffic is paramount for upholding network security and mitigating potential threats. Tor's capacity to provide users with anonymity has been exploited by cybercriminals for activities like hacking, data breaches, and illicit content dissemination. Additionally, organizations must monitor Tor usage within their networks to ensure compliance with policies and regulations, as it can bypass conventional monitoring and filtering measures. Lastly, the ability to identify Tor traffic empowers security teams to promptly investigate and address potential security incidents, fortifying the protection of sensitive data and preserving the integrity of the network environment. -data_source: +description: The following analytic identifies allowed network traffic to The Onion + Router (TOR), an anonymity network often exploited for malicious activities. It + leverages data from Next Generation Firewalls, using the Network_Traffic data model + to detect traffic where the application is TOR and the action is allowed. This activity + is significant as TOR can be used to bypass conventional monitoring, facilitating + hacking, data breaches, and illicit content dissemination. If confirmed malicious, + this could lead to unauthorized access, data exfiltration, and severe compliance + violations, compromising the integrity and security of the network. +data_source: - Palo Alto Network Traffic search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.app=tor AND All_Traffic.action=allowed by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.action | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name("All_Traffic")` | `tor_traffic_filter`' -how_to_implement: In order to properly run this search, Splunk needs to ingest data from Next Generation Firewalls like Palo Alto Networks Firewalls or other network control devices that mediate the traffic allowed into an environment. This is necessary so that the search can identify an 'action' taken on the traffic of interest. The search requires the Network_Traffic data model to be populated. +how_to_implement: In order to properly run this search, Splunk needs to ingest data + from Next Generation Firewalls like Palo Alto Networks Firewalls or other network + control devices that mediate the traffic allowed into an environment. This is necessary + so that the search can identify an 'action' taken on the traffic of interest. The + search requires the Network_Traffic data model to be populated. known_false_positives: None at this time -references: - - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRtCAK - - https://unit42.paloaltonetworks.com/tor-traffic-enterprise-networks/#:~:text=For%20enterprises%20concerned%20about%20the,the%20most%20important%20security%20risks. +references: +- https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRtCAK +- https://unit42.paloaltonetworks.com/tor-traffic-enterprise-networks/#:~:text=For%20enterprises%20concerned%20about%20the,the%20most%20important%20security%20risks. tags: analytic_story: - Prohibited Traffic Allowed or Protocol Mismatch @@ -27,7 +38,8 @@ tags: asset_type: Endpoint confidence: 80 impact: 100 - message: Suspicious network traffic allowed using TOR has been detected from $src_ip$ to $dest_ip$ + message: Suspicious network traffic allowed using TOR has been detected from $src_ip$ + to $dest_ip$ mitre_attack_id: - T1090 - T1090.003 @@ -52,6 +64,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1090.003/pan_tor_allowed/pan_tor_allowed.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1090.003/pan_tor_allowed/pan_tor_allowed.log source: pan_tor_allowed sourcetype: pan:traffic diff --git a/detections/network/windows_ad_replication_service_traffic.yml b/detections/network/windows_ad_replication_service_traffic.yml index 4ef5761e2b..4d254d24ea 100644 --- a/detections/network/windows_ad_replication_service_traffic.yml +++ b/detections/network/windows_ad_replication_service_traffic.yml @@ -1,59 +1,60 @@ name: Windows AD Replication Service Traffic id: c6e24183-a5f4-4b2a-ad01-2eb456d09b67 -version: 1 -date: "2022-11-26" +version: 2 +date: "2024-05-19" author: Steven Dick type: TTP status: experimental data_source: [] -description: - This search looks for evidence of Active Directory replication traffic [MS-DRSR] from unexpected sources. - This traffic is often seen exclusively between Domain Controllers for AD database replication. - Any detections from non-domain controller source to a domain controller may indicate the usage of DCSync or DCShadow credential dumping techniques. -search: - '| tstats `security_content_summariesonly` count values(All_Traffic.transport) as transport values(All_Traffic.user) as user - values(All_Traffic.src_category) as src_category values(All_Traffic.dest_category) as dest_category min(_time) as firstTime max(_time) as lastTime - from datamodel=Network_Traffic where All_Traffic.app IN ("ms-dc-replication","*drsr*","ad drs") by All_Traffic.src All_Traffic.dest All_Traffic.app - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `drop_dm_object_name("All_Traffic")` - | `windows_ad_replication_service_traffic_filter`' -how_to_implement: - To successfully implement this search, you need to be ingesting +description: The following analytic identifies unexpected Active Directory replication + traffic from non-domain controller sources. It leverages data from the Network Traffic + datamodel, specifically looking for applications related to AD replication. This + activity is significant because AD replication traffic should typically only occur + between domain controllers. Detection of such traffic from other sources may indicate + malicious activities like DCSync or DCShadow, which are used for credential dumping. + If confirmed malicious, this could allow attackers to exfiltrate sensitive credentials, + leading to unauthorized access and potential domain-wide compromise. +search: '| tstats `security_content_summariesonly` count values(All_Traffic.transport) + as transport values(All_Traffic.user) as user values(All_Traffic.src_category) as + src_category values(All_Traffic.dest_category) as dest_category min(_time) as firstTime + max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.app IN ("ms-dc-replication","*drsr*","ad + drs") by All_Traffic.src All_Traffic.dest All_Traffic.app | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `drop_dm_object_name("All_Traffic")` | `windows_ad_replication_service_traffic_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting application aware firewall or proxy logs into the Network Datamodel. Categorize all known domain controller Assets servers with an appropriate category for filtering. known_false_positives: New domain controllers or certian scripts run by administrators. references: - - https://adsecurity.org/?p=1729 - - https://attack.mitre.org/techniques/T1003/006/ - - https://attack.mitre.org/techniques/T1207/ +- https://adsecurity.org/?p=1729 +- https://attack.mitre.org/techniques/T1003/006/ +- https://attack.mitre.org/techniques/T1207/ tags: analytic_story: - - Sneaky Active Directory Persistence Tricks + - Sneaky Active Directory Persistence Tricks asset_type: Endpoint confidence: 100 impact: 100 message: Active Directory Replication Traffic from Unknown Source - $src$ mitre_attack_id: - - T1003 - - T1003.006 - - T1207 + - T1003 + - T1003.006 + - T1207 observable: - - name: dest - type: IP Address - role: - - Victim - - name: src - type: IP Address - role: - - Attacker + - name: dest + type: IP Address + role: + - Victim + - name: src + type: IP Address + role: + - Attacker product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud required_fields: - - All_Traffic.src - - All_Traffic.dest - - All_Traffic.app + - All_Traffic.src + - All_Traffic.dest + - All_Traffic.app risk_score: 100 security_domain: network diff --git a/detections/network/windows_ad_rogue_domain_controller_network_activity.yml b/detections/network/windows_ad_rogue_domain_controller_network_activity.yml index 24875ceda1..e4678ee492 100644 --- a/detections/network/windows_ad_rogue_domain_controller_network_activity.yml +++ b/detections/network/windows_ad_rogue_domain_controller_network_activity.yml @@ -1,47 +1,53 @@ name: Windows AD Rogue Domain Controller Network Activity id: c4aeeeef-da7f-4338-b3ba-553cbcbe2138 -version: 1 -date: "2022-09-08" +version: 2 +date: "2024-05-18" author: Dean Luxton type: TTP status: experimental data_source: [] -description: - This detection is looking at zeek wiredata for specific replication RPC calls being performed from a device which is not a domain controller. - If you would like to capture these RPC calls using Splunk Stream, please vote for my idea here https://ideas.splunk.com/ideas/APPSID-I-619 ;) -search: '`zeek_rpc` DrsReplicaAdd OR DRSGetNCChanges - | where NOT (dest_category="Domain Controller") OR NOT (src_category="Domain Controller") - | fillnull value="Unknown" src_category, dest_category - | table _time endpoint operation src src_category dest dest_category | `windows_ad_rogue_domain_controller_network_activity_filter`' -how_to_implement: Run zeek on domain controllers to capture the DCE RPC calls, ensure the domain controller categories are defined in Assets and Identities. +description: The following analytic identifies unauthorized replication RPC calls + from non-domain controller devices. It leverages Zeek wire data to detect specific + RPC operations like DrsReplicaAdd and DRSGetNCChanges, filtering out legitimate + domain controllers. This activity is significant as it may indicate an attempt to + introduce a rogue domain controller, which can compromise the integrity of the Active + Directory environment. If confirmed malicious, this could allow attackers to manipulate + directory data, escalate privileges, and persist within the network, posing a severe + security risk. +search: '`zeek_rpc` DrsReplicaAdd OR DRSGetNCChanges | where NOT (dest_category="Domain + Controller") OR NOT (src_category="Domain Controller") | fillnull value="Unknown" + src_category, dest_category | table _time endpoint operation src src_category dest + dest_category | `windows_ad_rogue_domain_controller_network_activity_filter`' +how_to_implement: Run zeek on domain controllers to capture the DCE RPC calls, ensure + the domain controller categories are defined in Assets and Identities. known_false_positives: None. references: - - https://adsecurity.org/?p=1729 +- https://adsecurity.org/?p=1729 tags: analytic_story: - - Sneaky Active Directory Persistence Tricks + - Sneaky Active Directory Persistence Tricks asset_type: Endpoint confidence: 100 impact: 100 message: Rogue DC Activity Detected from $src_category$ device $src$ to $dest$ ($dest_category$) mitre_attack_id: - - T1207 + - T1207 observable: - - name: src - type: IP Address - role: - - Attacker - - name: dest - type: IP Address - role: - - Victim + - name: src + type: IP Address + role: + - Attacker + - name: dest + type: IP Address + role: + - Victim product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud required_fields: - - _time - - src - - dest + - _time + - src + - dest risk_score: 100 security_domain: network diff --git a/detections/network/zeek_x509_certificate_with_punycode.yml b/detections/network/zeek_x509_certificate_with_punycode.yml index 195e4a5e7d..5fddaf6167 100644 --- a/detections/network/zeek_x509_certificate_with_punycode.yml +++ b/detections/network/zeek_x509_certificate_with_punycode.yml @@ -1,18 +1,17 @@ name: Zeek x509 Certificate with Punycode id: 029d6fe4-a5fe-43af-827e-c78c50e81d81 -version: 1 -date: '2022-11-03' +version: 2 +date: '2024-05-30' author: Michael Haag, Splunk status: experimental type: Hunting -description: The following analytic utilizes the Zeek x509 log. Modify the zeek_x509 - macro with your index and sourcetype as needed. You will need to ensure the full - x509 is logged as the potentially malicious punycode is nested under subject alternative - names. In this particular analytic, it will identify punycode within the subject - alternative name email and other fields. Note, that OtherFields is meant to be BOOL - (true,false), therefore we may never see xn-- in that field. Upon identifying punycode, - manually copy and paste, or add CyberChef recipe to query, and decode the punycode - manually. +description: The following analytic detects the presence of punycode within x509 certificates + using Zeek x509 logs. It identifies punycode in the subject alternative name email + and other fields by searching for the "xn--" prefix. This activity is significant + as punycode can be used in phishing attacks or to bypass domain filters, posing + a security risk. If confirmed malicious, attackers could use these certificates + to impersonate legitimate domains, potentially leading to unauthorized access or + data breaches. data_source: [] search: '`zeek_x509` | rex field=san.email{} "\@(?xn--.*)" | rex field=san.other_fields{} "\@(?xn--.*)" | stats values(domain_detected) diff --git a/detections/web/access_to_vulnerable_ivanti_connect_secure_bookmark_endpoint.yml b/detections/web/access_to_vulnerable_ivanti_connect_secure_bookmark_endpoint.yml index 31e05bc2ac..2ee10a8f52 100644 --- a/detections/web/access_to_vulnerable_ivanti_connect_secure_bookmark_endpoint.yml +++ b/detections/web/access_to_vulnerable_ivanti_connect_secure_bookmark_endpoint.yml @@ -1,19 +1,32 @@ name: Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint id: 15838756-f425-43fa-9d88-a7f88063e81a -version: 1 -date: '2024-01-16' +version: 2 +date: '2024-05-14' author: Michael Haag, Splunk status: production type: TTP -data_source: +data_source: - Suricata -description: This analytic monitors access to the /api/v1/configuration/users/user-roles/user-role/rest-userrole1/web/web-bookmarks/bookmark endpoint, a key indicator for both CVE-2023-46805 and CVE-2024-21887 vulnerabilities. It detects potential vulnerabilities by looking for a 403 Forbidden response with an empty body on this endpoint. This detection method is used in both Nmap script and Project Discovery Nuclei, with the latter focusing on systems where XML mitigation for these vulnerabilities has not been applied. -search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url="*/api/v1/configuration/users/user-roles/user-role/rest-userrole1/web/web-bookmarks/bookmark*" Web.http_method=GET Web.status=403 by Web.src, Web.dest, Web.http_user_agent, Web.status, Web.url source - | `drop_dm_object_name("Web")` - | `security_content_ctime(firstTime)` +description: The following analytic identifies access to the + /api/v1/configuration/users/user-roles/user-role/rest-userrole1/web/web-bookmarks/bookmark + endpoint, which is associated with CVE-2023-46805 and CVE-2024-21887 vulnerabilities. + It detects this activity by monitoring for GET requests that receive a 403 Forbidden + response with an empty body. This behavior is significant as it indicates potential + exploitation attempts against Ivanti Connect Secure systems. If confirmed malicious, + attackers could exploit these vulnerabilities to gain unauthorized access or control + over the affected systems, leading to potential data breaches or system compromise. +search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web + where Web.url="*/api/v1/configuration/users/user-roles/user-role/rest-userrole1/web/web-bookmarks/bookmark*" + Web.http_method=GET Web.status=403 by Web.src, Web.dest, Web.http_user_agent, Web.status, + Web.url source | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `access_to_vulnerable_ivanti_connect_secure_bookmark_endpoint_filter`' -how_to_implement: This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. -known_false_positives: This analytic is limited to HTTP Status 403; adjust as necessary. False positives may occur if the URI path is IP-restricted or externally blocked. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment. +how_to_implement: This detection requires the Web datamodel to be populated from a + supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, + or Splunk for Palo Alto. +known_false_positives: This analytic is limited to HTTP Status 403; adjust as necessary. + False positives may occur if the URI path is IP-restricted or externally blocked. + It's recommended to review the context of the alerts and adjust the analytic parameters + to better fit the specific environment. references: - https://github.com/RootUp/PersonalStuff/blob/master/http-vuln-cve2023-46805_2024_21887.nse - https://github.com/projectdiscovery/nuclei-templates/blob/c6b351e71b0fb0e40e222e97038f1fe09ac58194/http/misconfiguration/ivanti/CVE-2023-46085-CVE-2024-21887-mitigation-not-applied.yaml @@ -51,6 +64,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/ivanti_bookmark_web_access.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/ivanti_bookmark_web_access.log source: suricata sourcetype: suricata diff --git a/detections/web/adobe_coldfusion_access_control_bypass.yml b/detections/web/adobe_coldfusion_access_control_bypass.yml index a19139a3ae..5828ebffb2 100644 --- a/detections/web/adobe_coldfusion_access_control_bypass.yml +++ b/detections/web/adobe_coldfusion_access_control_bypass.yml @@ -1,23 +1,35 @@ name: Adobe ColdFusion Access Control Bypass id: d6821c0b-fcdc-4c95-a77f-e10752fae41a -version: 1 -date: '2023-08-23' +version: 2 +date: '2024-05-29' author: Michael Haag, Splunk status: production type: TTP -data_source: +data_source: - Suricata -description: The following analytic detects potential exploitation attempts against Adobe ColdFusion vulnerabilities CVE-2023-29298 and CVE-2023-26360. These vulnerabilities pertain to an access control bypass and an arbitrary file read due to deserialization, respectively. By monitoring for requests to specific ColdFusion Administrator endpoints, especially those with an unexpected additional forward slash, the analytic identifies attempts to bypass access controls. Such behavior is crucial for a Security Operations Center (SOC) to identify, as exploitation can grant unauthorized access to ColdFusion administration endpoints, potentially leading to information leakage, brute force attacks, or further exploitation of other vulnerabilities. If a true positive is detected, it indicates a serious security breach where an attacker might have gained privileged access to the ColdFusion environment, potentially leading to data theft or other malicious activities. SOCs must be vigilant in monitoring for these patterns, ensuring timely detection and response to such threats, thus safeguarding the integrity and security of their ColdFusion deployments. -search: '| tstats count min(_time) as firstTime max(_time) - as lastTime from datamodel=Web where Web.url IN ("//restplay*", "//CFIDE/restplay*", "//CFIDE/administrator*", "//CFIDE/adminapi*", "//CFIDE/main*", "//CFIDE/componentutils*", "//CFIDE/wizards*", "//CFIDE/servermanager*","/restplay*", "/CFIDE/restplay*", "/CFIDE/administrator*", "/CFIDE/adminapi*", "/CFIDE/main*", "/CFIDE/componentutils*", "/CFIDE/wizards*", "/CFIDE/servermanager*") Web.status=200 - by Web.http_user_agent, Web.status, Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype - | `drop_dm_object_name("Web")` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `adobe_coldfusion_access_control_bypass_filter`' +description: The following analytic detects potential exploitation attempts against + Adobe ColdFusion vulnerabilities CVE-2023-29298 and CVE-2023-26360. It monitors + requests to specific ColdFusion Administrator endpoints, especially those with an + unexpected additional forward slash, using the Web datamodel. This activity is significant + for a SOC as it indicates attempts to bypass access controls, which can lead to + unauthorized access to ColdFusion administration endpoints. If confirmed malicious, + this could result in data theft, brute force attacks, or further exploitation of + other vulnerabilities, posing a serious security risk to the environment. +search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web + where Web.url IN ("//restplay*", "//CFIDE/restplay*", "//CFIDE/administrator*", + "//CFIDE/adminapi*", "//CFIDE/main*", "//CFIDE/componentutils*", "//CFIDE/wizards*", + "//CFIDE/servermanager*","/restplay*", "/CFIDE/restplay*", "/CFIDE/administrator*", + "/CFIDE/adminapi*", "/CFIDE/main*", "/CFIDE/componentutils*", "/CFIDE/wizards*", + "/CFIDE/servermanager*") Web.status=200 by Web.http_user_agent, Web.status, Web.http_method, + Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name("Web")` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `adobe_coldfusion_access_control_bypass_filter`' how_to_implement: This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. -known_false_positives: This analytic is limited to HTTP Status 200; adjust as necessary. False positives may occur if the URI path is IP-restricted or externally blocked. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment. +known_false_positives: This analytic is limited to HTTP Status 200; adjust as necessary. + False positives may occur if the URI path is IP-restricted or externally blocked. + It's recommended to review the context of the alerts and adjust the analytic parameters + to better fit the specific environment. references: - https://www.rapid7.com/blog/post/2023/07/11/cve-2023-29298-adobe-coldfusion-access-control-bypass/ tags: @@ -29,7 +41,7 @@ tags: atomic_guid: [] confidence: 50 impact: 90 - message: Possible exploitation of CVE-2023-29298 against $dest$. + message: Possible exploitation of CVE-2023-29298 against $dest$. mitre_attack_id: - T1190 observable: @@ -60,6 +72,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/adobe/coldfusion_cve_2023_29298.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/adobe/coldfusion_cve_2023_29298.log source: suricata sourcetype: suricata diff --git a/detections/web/adobe_coldfusion_unauthenticated_arbitrary_file_read.yml b/detections/web/adobe_coldfusion_unauthenticated_arbitrary_file_read.yml index 5ee1bb22a0..76a708daf5 100644 --- a/detections/web/adobe_coldfusion_unauthenticated_arbitrary_file_read.yml +++ b/detections/web/adobe_coldfusion_unauthenticated_arbitrary_file_read.yml @@ -1,27 +1,34 @@ name: Adobe ColdFusion Unauthenticated Arbitrary File Read id: 695aceae-21db-4e7f-93ac-a52e39d02b93 -version: 1 -date: '2023-08-23' +version: 2 +date: '2024-05-17' author: Michael Haag, Splunk status: production type: TTP -data_source: +data_source: - Suricata -description: The following analytic detects potential exploitation of the critical Adobe ColdFusion vulnerability, CVE-2023-26360. This flaw, rooted in the deserialization of untrusted data, enables Unauthenticated Arbitrary File Read. Exploitation often targets specific ColdFusion paths, especially related to CKEditor's file manager. - - Our analytic pinpoints exploitation by monitoring web requests to the "/cf_scripts/scripts/ajax/ckeditor/*" path. This focus helps differentiate malicious activity from standard ColdFusion traffic. For SOCs, detecting such attempts is vital given the vulnerability's CVSS score of 9.8, signaling its severity. Successful exploitation can lead to unauthorized data access, further attacks, or severe operational disruptions. - - If a true positive arises, it indicates an active breach attempt, potentially causing data theft, operational disruption, or reputational damage. In essence, this analytic provides a targeted approach to identify attempts exploiting a high-risk ColdFusion vulnerability. While false positives may occur from legitimate accesses, any alerts should be treated as high-priority, warranting immediate investigation to ensure security. -search: '| tstats count min(_time) as firstTime max(_time) - as lastTime from datamodel=Web where Web.url IN ("/cf_scripts/scripts/ajax/ckeditor/*") Web.status=200 - by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype - | `drop_dm_object_name("Web")` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `adobe_coldfusion_unauthenticated_arbitrary_file_read_filter`' +description: The following analytic detects potential exploitation of the Adobe ColdFusion + vulnerability, CVE-2023-26360, which allows unauthenticated arbitrary file read. + It monitors web requests to the "/cf_scripts/scripts/ajax/ckeditor/*" path using + the Web datamodel, focusing on specific ColdFusion paths to differentiate malicious + activity from normal traffic. This activity is significant due to the vulnerability's + high CVSS score of 9.8, indicating severe risk. If confirmed malicious, it could + lead to unauthorized data access, further attacks, or severe operational disruptions, + necessitating immediate investigation. +search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web + where Web.url IN ("/cf_scripts/scripts/ajax/ckeditor/*") Web.status=200 by Web.http_user_agent, + Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype + | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `adobe_coldfusion_unauthenticated_arbitrary_file_read_filter`' how_to_implement: This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. -known_false_positives: 'In the wild, we have observed three different types of attempts that could potentially trigger false positives if the HTTP status code is not in the query. Please check this github gist for the specific URIs : https://gist.github.com/patel-bhavin/d10830f3f375a2397233f6a4fe38d5c9 . These could be legitimate requests depending on the context of your organization. Therefore, it is recommended to modify the analytic as needed to suit your specific environment.' +known_false_positives: 'In the wild, we have observed three different types of attempts + that could potentially trigger false positives if the HTTP status code is not in + the query. Please check this github gist for the specific URIs : https://gist.github.com/patel-bhavin/d10830f3f375a2397233f6a4fe38d5c9 + . These could be legitimate requests depending on the context of your organization. + Therefore, it is recommended to modify the analytic as needed to suit your specific + environment.' references: - https://www.rapid7.com/db/modules/auxiliary/gather/adobe_coldfusion_fileread_cve_2023_26360/ - https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-26360.yaml @@ -34,7 +41,7 @@ tags: atomic_guid: [] confidence: 50 impact: 90 - message: Possible exploitation of CVE-2023-26360 against $dest$. + message: Possible exploitation of CVE-2023-26360 against $dest$. mitre_attack_id: - T1190 observable: @@ -65,6 +72,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/adobe/cve_2023_29360_coldfusion.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/adobe/cve_2023_29360_coldfusion.log source: suricata sourcetype: suricata diff --git a/detections/web/cisco_ios_xe_implant_access.yml b/detections/web/cisco_ios_xe_implant_access.yml index e5f1ea0504..790ff1f9fd 100644 --- a/detections/web/cisco_ios_xe_implant_access.yml +++ b/detections/web/cisco_ios_xe_implant_access.yml @@ -1,22 +1,31 @@ name: Cisco IOS XE Implant Access id: 07c36cda-6567-43c3-bc1a-89dff61e2cd9 -version: 1 -date: '2023-10-17' +version: 2 +date: '2024-05-16' author: Michael Haag, Splunk status: production type: TTP -data_source: +data_source: - Suricata -description: The following analytic identifies potential exploitation of a previously unknown vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software (CVE-2023-20198). Successful exploitation allows an attacker to create an account on the affected device with privilege level 15 access, granting them full control of the compromised device. The detection is based on the observation of suspicious account creation and subsequent actions, including the deployment of an implant consisting of a configuration file. The implant is saved under the file path //usr//binos//conf//nginx-conf//cisco_service.conf and is not persistent, meaning a device reboot will remove it, but the newly created local user accounts remain active even after system reboots. The new user accounts have level 15 privileges, meaning they have full administrator access to the device. This privileged access to the devices and subsequent creation of new users is tracked as CVE-2023-20198. -search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("/webui/logoutconfirm.html?logon_hash=*") Web.http_method=POST Web.status=200 - by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype - | `drop_dm_object_name("Web")` - | `security_content_ctime(firstTime)` +description: The following analytic identifies the potential exploitation of a vulnerability + (CVE-2023-20198) in the Web User Interface of Cisco IOS XE software. It detects + suspicious account creation and subsequent actions, including the deployment of + a non-persistent implant configuration file. The detection leverages the Web datamodel, + focusing on specific URL patterns and HTTP methods. This activity is significant + as it indicates unauthorized administrative access, which can lead to full control + of the device. If confirmed malicious, attackers could maintain privileged access, + compromising the device's integrity and security. +search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web + where Web.url IN ("/webui/logoutconfirm.html?logon_hash=*") Web.http_method=POST + Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, + Web.src, Web.dest, sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `cisco_ios_xe_implant_access_filter`' how_to_implement: This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk - for Palo Alto. -known_false_positives: False positives may be present, restrict to Cisco IOS XE devices or perimeter appliances. Modify the analytic as needed based on hunting for successful exploitation of CVE-2023-20198. + for Palo Alto. +known_false_positives: False positives may be present, restrict to Cisco IOS XE devices + or perimeter appliances. Modify the analytic as needed based on hunting for successful + exploitation of CVE-2023-20198. references: - https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/ - https://github.com/vulncheck-oss/cisco-ios-xe-implant-scanner @@ -57,6 +66,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/cisco/iosxe/ciscocve202320198.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/cisco/iosxe/ciscocve202320198.log source: suricata sourcetype: suricata diff --git a/detections/web/citrix_adc_and_gateway_unauthorized_data_disclosure.yml b/detections/web/citrix_adc_and_gateway_unauthorized_data_disclosure.yml index 331a10159a..3e08a9a9b5 100644 --- a/detections/web/citrix_adc_and_gateway_unauthorized_data_disclosure.yml +++ b/detections/web/citrix_adc_and_gateway_unauthorized_data_disclosure.yml @@ -1,30 +1,36 @@ name: Citrix ADC and Gateway Unauthorized Data Disclosure id: b593cac5-dd20-4358-972a-d945fefdaf17 -version: 1 -date: '2023-10-24' +version: 2 +date: '2024-05-11' author: Michael Haag, Splunk status: production type: TTP -data_source: +data_source: - Suricata -description: The following analytic detects attempts to exploit the Citrix Bleed vulnerability, which can lead to the leaking of session tokens. The vulnerability, identified as CVE-2023-4966, pertains to sensitive information disclosure in NetScaler ADC and NetScaler Gateway when set up as various server configurations. The analytic specifically searches for HTTP requests with a 200 status code targeting the /oauth/idp/.well-known/openid-configuration URL endpoint. By parsing web traffic and filtering based on the aforementioned criteria along with specific user agent details, HTTP method, source and destination IPs, and the sourcetype, the analytic aims to identify potentially malicious requests that fit the profile of this exploit. - - This behavior is essential for a Security Operations Center (SOC) to identify because if successfully exploited, attackers can gain unauthorized access, leading to a potential breach or further malicious activities within the organization's network. As the Citrix Bleed vulnerability can disclose session tokens, a successful exploit can allow attackers to impersonate legitimate users, bypassing authentication mechanisms and accessing sensitive data or systems. - - If a true positive is confirmed, it implies that an attacker is actively exploiting the vulnerability within the organization's environment. This could lead to severe consequences, including unauthorized data access, further propagation within the network, and potential disruptions or exfiltration of critical information. - - Upon flagging such activity, it's crucial for analysts to swiftly validate the alert, assess the nature and extent of the exposure, and implement necessary measures to mitigate the threat. Reviewing the details such as user agent, source, and destination IP can help in understanding the context and intent of the attack. While it's imperative to patch vulnerable systems to prevent this exploitation, early detection through this analytic provides a valuable layer of defense, enabling timely response to thwart potential breaches. -search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*/oauth/idp/.well-known/openid-configuration*") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype - | `drop_dm_object_name("Web")` - | `security_content_ctime(firstTime)` +description: The following analytic detects attempts to exploit the Citrix Bleed vulnerability + (CVE-2023-4966), which can lead to the leaking of session tokens. It identifies + HTTP requests with a 200 status code targeting the /oauth/idp/.well-known/openid-configuration + URL endpoint. By parsing web traffic and filtering based on user agent details, + HTTP method, source and destination IPs, and sourcetype, it aims to identify potentially + malicious requests. This activity is significant for a SOC because successful exploitation + can allow attackers to impersonate legitimate users, bypass authentication, and + access sensitive data. If confirmed malicious, it could lead to unauthorized data + access, network propagation, and critical information exfiltration. +search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web + where Web.url IN ("*/oauth/idp/.well-known/openid-configuration*") Web.status=200 + by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, + Web.dest, sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `citrix_adc_and_gateway_unauthorized_data_disclosure_filter`' how_to_implement: This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk - for Palo Alto. We recommend hunting in the environment first to understand the scope of the issue and then deploying this detection to monitor for future exploitation attempts. Limit or restrict to Citrix devices only if possible. -known_false_positives: False positives may be present based on organization use of Citrix ADC and Gateway. Filter, or restrict the analytic to Citrix devices only. + for Palo Alto. We recommend hunting in the environment first to understand the scope + of the issue and then deploying this detection to monitor for future exploitation + attempts. Limit or restrict to Citrix devices only if possible. +known_false_positives: False positives may be present based on organization use of + Citrix ADC and Gateway. Filter, or restrict the analytic to Citrix devices only. references: - - https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966 - - https://github.com/assetnote/exploits/tree/main/citrix/CVE-2023-4966 +- https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966 +- https://github.com/assetnote/exploits/tree/main/citrix/CVE-2023-4966 tags: analytic_story: - Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966 @@ -32,7 +38,8 @@ tags: atomic_guid: [] confidence: 90 impact: 100 - message: Possible exploitation of Citrix Bleed vulnerability against $dest$ fron $src$. + message: Possible exploitation of Citrix Bleed vulnerability against $dest$ fron + $src$. mitre_attack_id: - T1190 observable: @@ -62,6 +69,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/citrix/cve-2023-4966-citrix.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/citrix/cve-2023-4966-citrix.log source: suricata sourcetype: suricata diff --git a/detections/web/citrix_adc_exploitation_cve_2023_3519.yml b/detections/web/citrix_adc_exploitation_cve_2023_3519.yml index e09267c278..a7bdea2439 100644 --- a/detections/web/citrix_adc_exploitation_cve_2023_3519.yml +++ b/detections/web/citrix_adc_exploitation_cve_2023_3519.yml @@ -1,29 +1,29 @@ name: Citrix ADC Exploitation CVE-2023-3519 id: 76ac2dcb-333c-4a77-8ae9-2720cfae47a8 -version: 2 -date: '2023-07-21' +version: 3 +date: '2024-05-25' author: Michael Haag, Splunk status: production type: Hunting -data_source: +data_source: - Palo Alto Network Threat -description: This analytic is designed to assist in hunting for potential exploitation attempts against Citrix ADC in relation to CVE-2023-3519. This vulnerability, identified within Citrix ADC and NetScaler Gateway, appears to be linked with SAML processing components, with an overflow issue allowing for possible memory corruption. Preliminary findings indicate that for the exploit to be viable, SAML has to be enabled. The analytic targets POST requests to certain web endpoints which have been associated with the exploitation process. - - Given the specific nature of the vulnerability, upon deploying this analytic it is recommended to filter and narrow the focus towards your ADC assets to reduce potential noise and improve the signal of the analytic. Please note that the exploitation of this vulnerability has been reported in the wild, therefore monitoring for potential signs of exploitation should be considered high priority. - - The search query provided examines web data for POST requests made to specific URLs associated with the exploitation of this vulnerability. It aggregates and presents data to highlight potential exploitation attempts, taking into account elements like user agent, HTTP method, URL length, source, and destination. - - Please be aware that this analytic is based on current understanding of the vulnerability, and adjustments may be required as more information becomes available. -search: '| tstats count min(_time) as firstTime max(_time) - as lastTime from datamodel=Web where Web.url IN ("*/saml/login","/cgi/samlauth","*/saml/activelogin","/cgi/samlart?samlart=*","*/cgi/logout","/gwtest/formssso?event=start&target=*","/netscaler/ns_gui/vpn/*") Web.http_method=POST - by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype - | `drop_dm_object_name("Web")` - | `security_content_ctime(firstTime)` +description: The following analytic identifies potential exploitation attempts against + Citrix ADC related to CVE-2023-3519. It detects POST requests to specific web endpoints + associated with this vulnerability by leveraging the Web datamodel. This activity + is significant as CVE-2023-3519 involves a SAML processing overflow issue that can + lead to memory corruption, posing a high risk. If confirmed malicious, attackers + could exploit this to execute arbitrary code, escalate privileges, or disrupt services, + making it crucial for SOC analysts to monitor and investigate these alerts promptly. +search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web + where Web.url IN ("*/saml/login","/cgi/samlauth","*/saml/activelogin","/cgi/samlart?samlart=*","*/cgi/logout","/gwtest/formssso?event=start&target=*","/netscaler/ns_gui/vpn/*") Web.http_method=POST + by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, + Web.dest, sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `citrix_adc_exploitation_cve_2023_3519_filter`' how_to_implement: This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. -known_false_positives: False positives may be present based on organization use of SAML utilities. Filter, or restrict the analytic to Citrix devices only. +known_false_positives: False positives may be present based on organization use of + SAML utilities. Filter, or restrict the analytic to Citrix devices only. references: - https://blog.assetnote.io/2023/07/21/citrix-CVE-2023-3519-analysis/ - https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467 @@ -38,7 +38,7 @@ tags: atomic_guid: [] confidence: 50 impact: 90 - message: Possible expliotation of CVE-2023-3519 against $dest$. + message: Possible expliotation of CVE-2023-3519 against $dest$. mitre_attack_id: - T1190 observable: @@ -62,6 +62,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/citrix/citrix-cve20233519.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/citrix/citrix-cve20233519.log source: pan:threat sourcetype: pan:threat diff --git a/detections/web/citrix_sharefile_exploitation_cve_2023_24489.yml b/detections/web/citrix_sharefile_exploitation_cve_2023_24489.yml index e263450d53..92cfe69c6f 100644 --- a/detections/web/citrix_sharefile_exploitation_cve_2023_24489.yml +++ b/detections/web/citrix_sharefile_exploitation_cve_2023_24489.yml @@ -1,30 +1,35 @@ name: Citrix ShareFile Exploitation CVE-2023-24489 id: 172c59f2-5fae-45e5-8e51-94445143e93f -version: 1 -date: '2023-07-26' +version: 2 +date: '2024-05-29' author: Michael Haag, Splunk status: production type: Hunting -data_source: +data_source: - Suricata -description: The following analytic detects a potentially malicious file upload attempt to Documentum, an enterprise content management platform, via specific suspicious URLs and the HTTP POST method. This detection occurs through pattern recognition within the datamodel=Web, focusing on URL patterns that follow "/documentum/upload.aspx?parentid=", "/documentum/upload.aspx?filename=", "/documentum/upload.aspx?uploadId=*", combined with the HTTP POST method, indicative of a file upload attempt. - - This behavior is significant for a Security Operations Center (SOC) to identify, as it can signify a potential attack vector. Malicious actors might use this method to upload a harmful script or other exploitable content to Documentum, thereby establishing a foothold in the environment, spreading malware, or enabling further exploitation. - - The impact of this behavior, if a true positive, can be quite significant. An attacker could compromise the Documentum application, manipulate or steal sensitive content, and potentially gain unauthorized access to other system resources. An intrusion of this nature could disrupt business operations, result in data breaches, and even damage the organization's reputation. - - However, it's important to note that false positives may occur. For example, legitimate but uncommon file uploads might match these URL patterns. It's crucial to verify any alerts generated by this analytic to ensure accurate threat detection. This analytic provides critical insights into potential attack attempts and assists in maintaining the integrity and security of enterprise content management systems like Documentum. -search: '| tstats count min(_time) as firstTime max(_time) - as lastTime from datamodel=Web where Web.url="/documentum/upload.aspx?*" AND Web.url IN ("*parentid=*","*filename=*","*uploadId=*") AND Web.url IN ("*unzip=*", "*raw=*") Web.http_method=POST - by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype - | `drop_dm_object_name("Web")` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)`| `citrix_sharefile_exploitation_cve_2023_24489_filter`' -how_to_implement: Dependent upon the placement of the ShareFile application, ensure the latest Technology Add-On is eneabled. This detection requires the Web datamodel to be populated from a - supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk - for Palo Alto. - The ShareFile application is IIS based, therefore ingesting IIS logs and reviewing for the same pattern would identify this activity, successful or not. -known_false_positives: False positives may be present, filtering may be needed. Also, restricting to known web servers running IIS or ShareFile will change this from Hunting to TTP. +description: The following analytic detects potentially malicious file upload attempts + to Citrix ShareFile via specific suspicious URLs and the HTTP POST method. It leverages + the Web datamodel to identify URL patterns such as "/documentum/upload.aspx?parentid=", + "/documentum/upload.aspx?filename=", and "/documentum/upload.aspx?uploadId=*", combined + with the HTTP POST method. This activity is significant for a SOC as it may indicate + an attempt to upload harmful scripts or content, potentially compromising the Documentum + application. If confirmed malicious, this could lead to unauthorized access, data + breaches, and operational disruptions. +search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web + where Web.url="/documentum/upload.aspx?*" AND Web.url IN ("*parentid=*","*filename=*","*uploadId=*") + AND Web.url IN ("*unzip=*", "*raw=*") Web.http_method=POST by Web.http_user_agent, + Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype + | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| + `citrix_sharefile_exploitation_cve_2023_24489_filter`' +how_to_implement: Dependent upon the placement of the ShareFile application, ensure + the latest Technology Add-On is eneabled. This detection requires the Web datamodel + to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, + Splunk for Nginx, or Splunk for Palo Alto. The ShareFile application is IIS based, + therefore ingesting IIS logs and reviewing for the same pattern would identify this + activity, successful or not. +known_false_positives: False positives may be present, filtering may be needed. Also, + restricting to known web servers running IIS or ShareFile will change this from + Hunting to TTP. references: - https://blog.assetnote.io/2023/07/04/citrix-sharefile-rce/ tags: @@ -36,7 +41,7 @@ tags: atomic_guid: [] confidence: 50 impact: 90 - message: Possible expliotation of CVE-2023-24489 against $dest$. + message: Possible expliotation of CVE-2023-24489 against $dest$. mitre_attack_id: - T1190 observable: @@ -60,6 +65,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/citrix/citrix-cve_2023_24489.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/citrix/citrix-cve_2023_24489.log source: suricata sourcetype: suricata diff --git a/detections/web/confluence_cve_2023_22515_trigger_vulnerability.yml b/detections/web/confluence_cve_2023_22515_trigger_vulnerability.yml index 7462f048dc..00769b851c 100644 --- a/detections/web/confluence_cve_2023_22515_trigger_vulnerability.yml +++ b/detections/web/confluence_cve_2023_22515_trigger_vulnerability.yml @@ -1,19 +1,27 @@ name: Confluence CVE-2023-22515 Trigger Vulnerability id: 630ea8b2-2800-4f5d-9cbc-d65c567349b0 -version: 2 -date: '2023-10-23' +version: 3 +date: '2024-05-22' author: Michael Haag, Splunk status: production type: TTP -data_source: +data_source: - Suricata -description: The following analytic identifies potential exploitation attempts on a known vulnerability in Atlassian Confluence, targeting the /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false* and /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=0& URLs. By analyzing web logs within the Splunk 'Web' Data Model, it filters for successful accesses (HTTP status 200) to these vulnerable endpoints. Such behavior is crucial for a SOC to monitor, as it suggests attackers might be exploiting a privilege escalation flaw in Confluence. A true positive implies a possible unauthorized access or account creation with escalated privileges. Key details captured include user-agent, HTTP methods, URL length, and source and destination IPs. These insights aid SOCs in swiftly detecting and responding to threats, ensuring vulnerabilities are mitigated before substantial compromise. -search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*/server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false*","*/server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=0&*") Web.http_method=GET Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype - | `drop_dm_object_name("Web")` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `confluence_cve_2023_22515_trigger_vulnerability_filter`' +description: The following analytic identifies potential exploitation attempts of + the Confluence CVE-2023-22515 vulnerability. It detects successful accesses (HTTP + status 200) to specific vulnerable endpoints by analyzing web logs within the Splunk + 'Web' Data Model. This activity is significant for a SOC as it indicates possible + privilege escalation attempts in Confluence. If confirmed malicious, attackers could + gain unauthorized access or create accounts with escalated privileges, leading to + potential data breaches or further exploitation within the environment. +search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web + where Web.url IN ("*/server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false*","*/server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=0&*") + Web.http_method=GET Web.status=200 by Web.http_user_agent, Web.status Web.http_method, + Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name("Web")` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `confluence_cve_2023_22515_trigger_vulnerability_filter`' how_to_implement: To successfully implement this search you need to be ingesting information - on Web traffic that include fields relavent for traffic into the `Web` datamodel. Tested with Suricata and nginx:plus:kv. + on Web traffic that include fields relavent for traffic into the `Web` datamodel. + Tested with Suricata and nginx:plus:kv. known_false_positives: False positives may be present with legitimate applications. Attempt to filter by dest IP or use Asset groups to restrict to Confluence servers. references: @@ -22,12 +30,13 @@ references: - https://github.com/j3seer/CVE-2023-22515-POC tags: analytic_story: - - CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server + - CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server asset_type: Web Server atomic_guid: [] confidence: 80 impact: 90 - message: Potential exploitation attempts on a known vulnerability in Atlassian Confluence detected. The source IP is $src$ and the destination hostname is $dest$. + message: Potential exploitation attempts on a known vulnerability in Atlassian Confluence + detected. The source IP is $src$ and the destination hostname is $dest$. mitre_attack_id: - T1190 observable: @@ -57,6 +66,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/confluence/confluence_vuln_trigger_cve-2023-22515.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/confluence/confluence_vuln_trigger_cve-2023-22515.log source: suricata sourcetype: suricata diff --git a/detections/web/confluence_data_center_and_server_privilege_escalation.yml b/detections/web/confluence_data_center_and_server_privilege_escalation.yml index bcb6d14f32..778fd3c8cd 100644 --- a/detections/web/confluence_data_center_and_server_privilege_escalation.yml +++ b/detections/web/confluence_data_center_and_server_privilege_escalation.yml @@ -1,26 +1,35 @@ name: Confluence Data Center and Server Privilege Escalation id: 115bebac-0976-4f7d-a3ec-d1fb45a39a11 -version: 3 -date: '2023-10-18' +version: 4 +date: '2024-05-28' author: Michael Haag, Splunk status: production type: TTP -data_source: +data_source: - Nginx Access -description: The following analytic identifies potential exploitation attempts on a known vulnerability in Atlassian Confluence, targeting the /setup/*.action* URL pattern. By analyzing web logs within the Splunk 'Web' Data Model, it filters for successful accesses (HTTP status 200) to these vulnerable endpoints. Such behavior is crucial for a SOC to monitor, as it suggests attackers might be exploiting a privilege escalation flaw in Confluence. A true positive implies a possible unauthorized access or account creation with escalated privileges. Key details captured include user-agent, HTTP methods, URL length, and source and destination IPs. These insights aid SOCs in swiftly detecting and responding to threats, ensuring vulnerabilities are mitigated before substantial compromise. -search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*/setup/setupadministrator.action*", "*/setup/finishsetup.action*", "*/json/setup-restore-local.action*", "*/json/setup-restore-progress.action*", "*/json/setup-restore.action*", "*/bootstrap/selectsetupstep.action*") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype - | `drop_dm_object_name("Web")` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `confluence_data_center_and_server_privilege_escalation_filter`' +description: The following analytic identifies potential exploitation attempts on + a known vulnerability in Atlassian Confluence, specifically targeting the /setup/*.action* + URL pattern. It leverages web logs within the Splunk 'Web' Data Model, filtering + for successful accesses (HTTP status 200) to these endpoints. This activity is significant + as it suggests attackers might be exploiting a privilege escalation flaw in Confluence. + If confirmed malicious, it could result in unauthorized access or account creation + with escalated privileges, leading to potential data breaches or further exploitation + within the environment. +search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web + where Web.url IN ("*/setup/setupadministrator.action*", "*/setup/finishsetup.action*", + "*/json/setup-restore-local.action*", "*/json/setup-restore-progress.action*", "*/json/setup-restore.action*", + "*/bootstrap/selectsetupstep.action*") Web.status=200 by Web.http_user_agent, Web.status + Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name("Web")` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `confluence_data_center_and_server_privilege_escalation_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel. known_false_positives: False positives may be present with legitimate applications. Attempt to filter by dest IP or use Asset groups to restrict to confluence servers. references: - - https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html - - https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html - - https://www.rapid7.com/blog/post/2023/10/04/etr-cve-2023-22515-zero-day-privilege-escalation-in-confluence-server-and-data-center/ - - https://attackerkb.com/topics/Q5f0ItSzw5/cve-2023-22515/rapid7-analysis +- https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html +- https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html +- https://www.rapid7.com/blog/post/2023/10/04/etr-cve-2023-22515-zero-day-privilege-escalation-in-confluence-server-and-data-center/ +- https://attackerkb.com/topics/Q5f0ItSzw5/cve-2023-22515/rapid7-analysis tags: analytic_story: - CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server @@ -31,7 +40,8 @@ tags: atomic_guid: [] confidence: 80 impact: 90 - message: Potential exploitation attempts on a known vulnerability in Atlassian Confluence detected. The source IP is $src$ and the destination hostname is $dest$. + message: Potential exploitation attempts on a known vulnerability in Atlassian Confluence + detected. The source IP is $src$ and the destination hostname is $dest$. mitre_attack_id: - T1190 observable: @@ -60,6 +70,7 @@ tags: tests: - name: Nginx Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/confluence/nginx_plus_kv_confluence.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/confluence/nginx_plus_kv_confluence.log source: nginx:plus:kv sourcetype: nginx:plus:kv diff --git a/detections/web/confluence_pre_auth_rce_via_ognl_injection_cve_2023_22527.yml b/detections/web/confluence_pre_auth_rce_via_ognl_injection_cve_2023_22527.yml index a65d81a29e..11fa43ee4b 100644 --- a/detections/web/confluence_pre_auth_rce_via_ognl_injection_cve_2023_22527.yml +++ b/detections/web/confluence_pre_auth_rce_via_ognl_injection_cve_2023_22527.yml @@ -1,17 +1,25 @@ name: Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527 id: f56936c0-ae6f-4eeb-91ff-ecc1448c6105 -version: 1 -date: '2024-01-22' +version: 2 +date: '2024-05-28' author: Michael Haag, Splunk status: production type: TTP -data_source: +data_source: - Suricata -description: This analytic identifies a critical template injection vulnerability (CVE-2023-22527) in outdated versions of Confluence Data Center and Server, which allows an unauthenticated attacker to execute arbitrary code remotely. The vulnerability is exploited by injecting OGNL (Object-Graph Navigation Language) expressions into the application, as evidenced by POST requests to the "/template/aui/text-inline.vm" endpoint with specific content types and payloads. The search looks for POST requests with HTTP status codes 200 or 202, which may indicate successful exploitation attempts. Immediate patching to the latest version of Confluence is strongly recommended, as there are no known workarounds. This detection is crucial for identifying and responding to potential RCE attacks, ensuring that affected Confluence instances are secured against this critical threat. -search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url="*/template/aui/text-inline.vm*" Web.http_method=POST Web.status IN (200, 202) by Web.src, Web.dest, Web.http_user_agent, Web.url, Web.status - | `drop_dm_object_name("Web")` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `confluence_pre_auth_rce_via_ognl_injection_cve_2023_22527_filter`' +description: The following analytic identifies attempts to exploit a critical template + injection vulnerability (CVE-2023-22527) in outdated Confluence Data Center and + Server versions. It detects POST requests to the "/template/aui/text-inline.vm" + endpoint with HTTP status codes 200 or 202, indicating potential OGNL injection + attacks. This activity is significant as it allows unauthenticated attackers to + execute arbitrary code remotely. If confirmed malicious, attackers could gain full + control over the affected Confluence instance, leading to data breaches, system + compromise, and further network infiltration. Immediate patching is essential to + mitigate this threat. +search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web + where Web.url="*/template/aui/text-inline.vm*" Web.http_method=POST Web.status IN + (200, 202) by Web.src, Web.dest, Web.http_user_agent, Web.url, Web.status | `drop_dm_object_name("Web")` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `confluence_pre_auth_rce_via_ognl_injection_cve_2023_22527_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel. known_false_positives: False positives may be present with legitimate applications. @@ -28,7 +36,8 @@ tags: atomic_guid: [] confidence: 90 impact: 90 - message: Exploitation attempts on a known vulnerability in Atlassian Confluence detected. The source IP is $src$ and the destination hostname is $dest$. + message: Exploitation attempts on a known vulnerability in Atlassian Confluence + detected. The source IP is $src$ and the destination hostname is $dest$. mitre_attack_id: - T1190 observable: @@ -55,6 +64,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/confluence/suricata_confluence_cve-2023-22527.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/confluence/suricata_confluence_cve-2023-22527.log source: suricata sourcetype: suricata diff --git a/detections/web/confluence_unauthenticated_remote_code_execution_cve_2022_26134.yml b/detections/web/confluence_unauthenticated_remote_code_execution_cve_2022_26134.yml index 0d6417a8f5..99ce8e6a16 100644 --- a/detections/web/confluence_unauthenticated_remote_code_execution_cve_2022_26134.yml +++ b/detections/web/confluence_unauthenticated_remote_code_execution_cve_2022_26134.yml @@ -1,18 +1,20 @@ name: Confluence Unauthenticated Remote Code Execution CVE-2022-26134 id: fcf4bd3f-a79f-4b7a-83bf-2692d60b859c -version: 1 -date: '2022-06-03' +version: 2 +date: '2024-05-30' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic assists with identifying CVE-2022-26134 based - exploitation utilizing the Web datamodel to cover network and CIM compliant web - logs. The parameters were captured from live scanning and the POC provided by Rapid7. - This analytic is written against multiple proof of concept codes released and seen - in the wild (scanning). During triage, review any endpoint based logs for further - activity including writing a jsp file to disk and commands/processes spawning running - as root from the Confluence process. -data_source: +description: The following analytic detects attempts to exploit CVE-2022-26134, an + unauthenticated remote code execution vulnerability in Confluence. It leverages + the Web datamodel to analyze network and CIM-compliant web logs, identifying suspicious + URL patterns and parameters indicative of exploitation attempts. This activity is + significant as it allows attackers to execute arbitrary code on the Confluence server + without authentication, potentially leading to full system compromise. If confirmed + malicious, this could result in unauthorized access, data exfiltration, and further + lateral movement within the network. Immediate investigation and remediation are + crucial to prevent extensive damage. +data_source: - Palo Alto Network Threat search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*${*", "*%2F%7B*") (Web.url="*org.apache.commons.io.IOUtils*" @@ -73,7 +75,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/java/confluence.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/java/confluence.log source: pan:threat sourcetype: pan:threat update_timestamp: true diff --git a/detections/web/connectwise_screenconnect_authentication_bypass.yml b/detections/web/connectwise_screenconnect_authentication_bypass.yml index c5339c82ed..53cb0b4819 100644 --- a/detections/web/connectwise_screenconnect_authentication_bypass.yml +++ b/detections/web/connectwise_screenconnect_authentication_bypass.yml @@ -1,21 +1,37 @@ name: ConnectWise ScreenConnect Authentication Bypass id: d3f7a803-e802-448b-8eb2-e796b223bfff -version: 2 -date: '2024-02-23' +version: 3 +date: '2024-05-24' author: Michael Haag, Splunk -data_source: +data_source: - Suricata type: TTP status: production -description: This analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1709 vulnerability, which allows an attacker to bypass authentication using an alternate path or channel. The vulnerability, identified as critical with a CVSS score of 10, enables unauthorized users to access the SetupWizard.aspx page on already-configured ScreenConnect instances, potentially leading to the creation of administrative users and remote code execution. The search query provided looks for web requests to the SetupWizard.aspx page that could indicate exploitation attempts. This detection is crucial for identifying and responding to active exploitation of this vulnerability in environments running affected versions of ScreenConnect (23.9.7 and prior). It is recommended to update to version 23.9.8 or above immediately to remediate the issue, as detailed in the ConnectWise security advisory and further analyzed by Huntress researchers. -search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*/SetupWizard.aspx/*","*/SetupWizard/") Web.status=200 Web.http_method=POST by Web.src, Web.dest, Web.http_user_agent, Web.url, Web.status, Web.http_method, sourcetype, source - | rex field=Web.url "/SetupWizard.aspx/(?.+)" - | `drop_dm_object_name("Web")` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `connectwise_screenconnect_authentication_bypass_filter`' -how_to_implement: To implement this analytic, ensure proper logging is occurring with IIS, Apache, or a Proxy server and that these logs are being ingested into Splunk. The analytic was written against Suricata. The proper TA will need to be enabled and should be mapped to CIM and the Web datamodel. Ingestion of the data source is required to utilize this detection. In addition, if it is not mapped to the datamodel, modify the query for your application logs to look for requests the same URI and investigate further. -known_false_positives: False positives are not expected, as the detection is based on the presence of web requests to the SetupWizard.aspx page, which is not a common page to be accessed by legitimate users. Note that the analytic is limited to HTTP POST and a status of 200 to reduce false positives. Modify the query as needed to reduce false positives or hunt for additional indicators of compromise. +description: The following analytic detects attempts to exploit the ConnectWise ScreenConnect + CVE-2024-1709 vulnerability, which allows attackers to bypass authentication via + an alternate path or channel. It leverages web request logs to identify access to + the SetupWizard.aspx page, indicating potential exploitation. This activity is significant + as it can lead to unauthorized administrative access and remote code execution. + If confirmed malicious, attackers could create administrative users and gain full + control over the affected system, posing severe security risks. Immediate remediation + by updating to version 23.9.8 or above is recommended. +search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web + where Web.url IN ("*/SetupWizard.aspx/*","*/SetupWizard/") Web.status=200 Web.http_method=POST + by Web.src, Web.dest, Web.http_user_agent, Web.url, Web.status, Web.http_method, + sourcetype, source | rex field=Web.url "/SetupWizard.aspx/(?.+)" | `drop_dm_object_name("Web")` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `connectwise_screenconnect_authentication_bypass_filter`' +how_to_implement: To implement this analytic, ensure proper logging is occurring with + IIS, Apache, or a Proxy server and that these logs are being ingested into Splunk. + The analytic was written against Suricata. The proper TA will need to be enabled + and should be mapped to CIM and the Web datamodel. Ingestion of the data source + is required to utilize this detection. In addition, if it is not mapped to the datamodel, + modify the query for your application logs to look for requests the same URI and + investigate further. +known_false_positives: False positives are not expected, as the detection is based + on the presence of web requests to the SetupWizard.aspx page, which is not a common + page to be accessed by legitimate users. Note that the analytic is limited to HTTP + POST and a status of 200 to reduce false positives. Modify the query as needed to + reduce false positives or hunt for additional indicators of compromise. references: - https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass - https://www.huntress.com/blog/detection-guidance-for-connectwise-cwe-288-2 @@ -26,7 +42,8 @@ tags: asset_type: Web Server confidence: 100 impact: 100 - message: An authentication bypass attempt against ScreenConnect has been detected on $dest$. + message: An authentication bypass attempt against ScreenConnect has been detected + on $dest$. mitre_attack_id: - T1190 observable: @@ -49,10 +66,11 @@ tags: security_domain: network cve: - CVE-2024-1708 - - CVE-2024-1709 + - CVE-2024-1709 tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/screenconnect/connectwise_auth_suricata.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/screenconnect/connectwise_auth_suricata.log sourcetype: suricata source: suricata diff --git a/detections/web/detect_remote_access_software_usage_url.yml b/detections/web/detect_remote_access_software_usage_url.yml index 8d54253062..42460961f3 100644 --- a/detections/web/detect_remote_access_software_usage_url.yml +++ b/detections/web/detect_remote_access_software_usage_url.yml @@ -1,22 +1,34 @@ name: Detect Remote Access Software Usage URL id: 9296f515-073c-43a5-88ec-eda5a4626654 -version: 1 -date: '2024-02-22' +version: 2 +date: '2024-05-09' author: Steven Dick status: production type: Anomaly -description: The following analytic detects when a known remote access software is executed with the environment. Adversaries use these utilities to retain remote access capabilities to the environment. Utilities in the lookup include AnyDesk, GoToMyPC, LogMeIn, TeamViewer and much more. Review the lookup for the entire list and add any others. -data_source: +description: The following analytic detects the execution of known remote access software + within the environment. It leverages network logs mapped to the Web data model, + identifying specific URLs and user agents associated with remote access tools like + AnyDesk, GoToMyPC, LogMeIn, and TeamViewer. This activity is significant as adversaries + often use these utilities to maintain unauthorized remote access. If confirmed malicious, + this could allow attackers to control systems remotely, exfiltrate data, or further + compromise the network, posing a severe security risk. +data_source: - Palo Alto Network Threat -search: '| tstats count min(_time) as firstTime max(_time) as lastTime latest(Web.http_method) as http_method latest(Web.http_user_agent) as http_user_agent latest(Web.url) as url latest(Web.user) as user latest(Web.dest) as dest from datamodel=Web by Web.action Web.src Web.category Web.url_domain - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `drop_dm_object_name("Web")` - | lookup remote_access_software remote_domain AS url_domain OUTPUT isutility, description as signature, comment_reference as desc, category - | search isutility = True - | `detect_remote_access_software_usage_url_filter`' -how_to_implement: The detection is based on data that originates from network logs. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the network logs. The logs must also be mapped to the `Web` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: It is possible that legitimate remote access software is used within the environment. Ensure that the lookup is reviewed and updated with any additional remote access software that is used within the environment. +search: '| tstats count min(_time) as firstTime max(_time) as lastTime latest(Web.http_method) + as http_method latest(Web.http_user_agent) as http_user_agent latest(Web.url) as + url latest(Web.user) as user latest(Web.dest) as dest from datamodel=Web by Web.action + Web.src Web.category Web.url_domain | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `drop_dm_object_name("Web")` | lookup remote_access_software remote_domain AS + url_domain OUTPUT isutility, description as signature, comment_reference as desc, + category | search isutility = True | `detect_remote_access_software_usage_url_filter`' +how_to_implement: The detection is based on data that originates from network logs. + These logs must be processed using the appropriate Splunk Technology Add-ons that + are specific to the network logs. The logs must also be mapped to the `Web` data + model. Use the Splunk Common Information Model (CIM) to normalize the field names + and speed up the data modeling process. +known_false_positives: It is possible that legitimate remote access software is used + within the environment. Ensure that the lookup is reviewed and updated with any + additional remote access software that is used within the environment. references: - https://attack.mitre.org/techniques/T1219/ - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/ @@ -29,7 +41,8 @@ tags: asset_type: Network confidence: 50 impact: 50 - message: A domain for a known remote access software $url_domain$ was contacted by $src$. + message: A domain for a known remote access software $url_domain$ was contacted + by $src$. mitre_attack_id: - T1219 observable: @@ -53,13 +66,14 @@ tags: - _time - Web.action - Web.src - - Web.category - - Web.url_domain + - Web.category + - Web.url_domain risk_score: 25 security_domain: network tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1219/screenconnect/screenconnect_palo.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1219/screenconnect/screenconnect_palo.log source: screenconnect_palo - sourcetype: pan:threat \ No newline at end of file + sourcetype: pan:threat diff --git a/detections/web/exploit_public_facing_application_via_apache_commons_text.yml b/detections/web/exploit_public_facing_application_via_apache_commons_text.yml index 84e60aed5b..7d640a4274 100644 --- a/detections/web/exploit_public_facing_application_via_apache_commons_text.yml +++ b/detections/web/exploit_public_facing_application_via_apache_commons_text.yml @@ -5,20 +5,16 @@ date: '2024-05-21' author: Michael Haag, Splunk status: production type: Anomaly -description: The following analytic identifies activity related to Text4Shell, or - the critical vulnerability CVE-2022-42889 in Apache Commons Text Library. Apache - Commons Text versions 1.5 through 1.9 are affected, but it has been patched in version - 1.10. The analytic may need to be tuned for your environment before enabling as - a TTP, or direct Notable. Apache Commons Text is a Java library described as a library - focused on algorithms working on strings. We can see it as a general-purpose text - manipulation toolkit. This vulnerability affects the StringSubstitutor interpolator - class, which is included in the Commons Text library. A default interpolator allows - for string lookups that can lead to Remote Code Execution. This is due to a logic - flaw that makes the script, dns, and url lookup keys interpolated by default, as - opposed to what it should be, according to the documentation of the StringLookupFactory - class. Those keys allow an attacker to execute arbitrary code via lookups. -data_source: -- Bro +description: The following analytic detects attempts to exploit the CVE-2022-42889 + vulnerability in the Apache Commons Text Library, known as Text4Shell. It leverages + the Web datamodel to identify suspicious HTTP requests containing specific lookup + keys (url, dns, script) that can lead to Remote Code Execution (RCE). This activity + is significant as it targets a critical vulnerability that can allow attackers to + execute arbitrary code on the server. If confirmed malicious, this could lead to + full system compromise, data exfiltration, or further lateral movement within the + network. +data_source: +- Nginx Access search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.http_method IN (POST, GET) by Web.src Web.status Web.uri_path Web.dest Web.http_method Web.uri_query Web.http_user_agent @@ -96,4 +92,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/text4shell/text4shell_nginx.log source: nginx:plus:kv - sourcetype: nginx:plus:kv \ No newline at end of file + sourcetype: nginx:plus:kv diff --git a/detections/web/f5_tmui_authentication_bypass.yml b/detections/web/f5_tmui_authentication_bypass.yml index 9f25f72989..57992b1fa8 100644 --- a/detections/web/f5_tmui_authentication_bypass.yml +++ b/detections/web/f5_tmui_authentication_bypass.yml @@ -1,20 +1,30 @@ name: F5 TMUI Authentication Bypass id: 88bf127c-613e-4579-99e4-c4d4b02f3840 -version: 1 -date: '2023-10-30' +version: 2 +date: '2024-05-24' author: Michael Haag, Splunk status: production type: TTP -data_source: +data_source: - Suricata -description: The following analytic is designed to detect attempts to exploit the CVE-2023-46747 vulnerability, a critical authentication bypass flaw in F5 BIG-IP that can lead to unauthenticated remote code execution (RCE). This vulnerability specifically affects the BIG-IP Configuration utility (TMUI) and has been assigned a high severity CVSSv3 score of 9.8. The analytic identifies this behavior by monitoring for a specific URI path - "*/mgmt/tm/auth/user/*", with the PATCH method and 200 status. Additional URI's will occur around the same time include "*/mgmt/shared/authn/login*" and "*/tmui/login.jsp*", which are associated with the exploitation of this vulnerability. This behavior is significant for a Security Operations Center (SOC) as it indicates an attempt to bypass authentication mechanisms, potentially leading to unauthorized access and control over the system. If a true positive is identified, it suggests that an attacker is attempting to exploit a known vulnerability to gain unauthorized access and execute arbitrary code, which could lead to data theft, system disruption, or further malicious activities within the network. -search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*/mgmt/tm/auth/user/*") Web.http_method=PATCH Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype - | `drop_dm_object_name("Web")` - | `security_content_ctime(firstTime)` +description: The following analytic detects attempts to exploit the CVE-2023-46747 + vulnerability, an authentication bypass flaw in F5 BIG-IP's Configuration utility + (TMUI). It identifies this activity by monitoring for specific URI paths such as + "*/mgmt/tm/auth/user/*" with the PATCH method and a 200 status code. This behavior + is significant for a SOC as it indicates potential unauthorized access attempts, + leading to remote code execution. If confirmed malicious, an attacker could gain + unauthorized access, execute arbitrary code, steal data, disrupt systems, or conduct + further malicious activities within the network. +search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web + where Web.url IN ("*/mgmt/tm/auth/user/*") Web.http_method=PATCH Web.status=200 + by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, + Web.dest, sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `f5_tmui_authentication_bypass_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on Web traffic that include fields relevant for traffic into the `Web` datamodel. -known_false_positives: False positives should be limited to as this is strict to active exploitation. Reduce noise by filtering to F5 devices with TMUI enabled or filter data as needed. +known_false_positives: False positives should be limited to as this is strict to active + exploitation. Reduce noise by filtering to F5 devices with TMUI enabled or filter + data as needed. references: - https://www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/ - https://github.com/projectdiscovery/nuclei-templates/blob/3b0bb71bd627c6c3139e1d06c866f8402aa228ae/http/cves/2023/CVE-2023-46747.yaml @@ -27,7 +37,8 @@ tags: - CVE-2023-46747 confidence: 90 impact: 100 - message: Potential CVE-2023-46747 F5 TMUI Authentication Bypass may be occurring against $dest$ from $src$. + message: Potential CVE-2023-46747 F5 TMUI Authentication Bypass may be occurring + against $dest$ from $src$. observable: - name: dest type: Hostname @@ -55,6 +66,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/f5/f5_tmui.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/f5/f5_tmui.log source: suricata sourcetype: suricata diff --git a/detections/web/fortinet_appliance_auth_bypass.yml b/detections/web/fortinet_appliance_auth_bypass.yml index 05700479c0..185ae83c36 100644 --- a/detections/web/fortinet_appliance_auth_bypass.yml +++ b/detections/web/fortinet_appliance_auth_bypass.yml @@ -1,31 +1,19 @@ name: Fortinet Appliance Auth bypass id: a83122f2-fa09-4868-a230-544dbc54bc1c -version: 1 -date: '2022-10-14' +version: 2 +date: '2024-05-12' author: Michael Haag, Splunk status: production type: TTP -description: 'CVE-2022-40684 is a Fortinet appliance auth bypass that is actively - being exploited and a POC is released publicy. The POC adds a SSH key to the appliance. - Note that the exploit can be used with any HTTP method (GET, POST, PUT, DELETE, - etc). The REST API request failing is not an indication that an attacker was unsuccessful. - Horizon3 was able to modify the admin SSH keys though a REST API request that reportedly - failed. The collection /api/v2/ endpoints can be used to configure the system and - modify the administrator user. Any logs found that meet the above conditions and - also have a URL containing /api/v2/ should be cause for concern. Further investigation - of any matching log entries can reveal any damage an attack has done. Additionally, - an attacker may perform the following actions to further compromise a system Modify - the admin SSH key to enable the attacker to login to the compromised system. - - Add new local users. - - Update networking configurations to reroute traffic. - - Download the system configuration. - - Initiate packet captures to capture other sensitive system information. Reference - Horizon3.ai' -data_source: +description: 'The following analytic detects attempts to exploit CVE-2022-40684, a + Fortinet appliance authentication bypass vulnerability. It identifies REST API requests + to the /api/v2/ endpoint using various HTTP methods (GET, POST, PUT, DELETE) that + may indicate unauthorized modifications, such as adding SSH keys or creating new + users. This detection leverages the Web datamodel to monitor specific URL patterns + and HTTP methods. This activity is significant as it can lead to unauthorized access + and control over the appliance. If confirmed malicious, attackers could gain persistent + access, reroute network traffic, or capture sensitive information.' +data_source: - Palo Alto Network Threat search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*/api/v2/cmdb/system/admin*") Web.http_method IN ("GET", "PUT") @@ -82,7 +70,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/fortigate/fortinetcve202240684.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/fortigate/fortinetcve202240684.log source: pan:threat sourcetype: pan:threat update_timestamp: true diff --git a/detections/web/hunting_for_log4shell.yml b/detections/web/hunting_for_log4shell.yml index 85ef12d31c..d5aa4dc7ba 100644 --- a/detections/web/hunting_for_log4shell.yml +++ b/detections/web/hunting_for_log4shell.yml @@ -1,48 +1,19 @@ name: Hunting for Log4Shell id: 158b68fa-5d1a-11ec-aac8-acde48001122 -version: 1 -date: '2021-12-14' +version: 2 +date: '2024-05-26' author: Michael Haag, Splunk status: production type: Hunting -description: 'The following hunting query assists with quickly assessing CVE-2021-44228, - or Log4Shell, activity mapped to the Web Datamodel. This is a combination query - attempting to identify, score and dashboard. Because the Log4Shell vulnerability - requires the string to be in the logs, this will work to identify the activity anywhere - in the HTTP headers using _raw. Modify the first line to use the same pattern matching - against other log sources. Scoring is based on a simple rubric of 0-5. 5 being the - best match, and less than 5 meant to identify additional patterns that will equate - to a higher total score. - - The first jndi match identifies the standard pattern of `{jndi:` - - jndi_fastmatch is meant to identify any jndi in the logs. The score is set low and - is meant to be the "base" score used later. - - jndi_proto is a protocol match that identifies `jndi` and one of `ldap, ldaps, rmi, - dns, nis, iiop, corba, nds, http, https.` - - all_match is a very well written regex by https://gist.github.com/Schvenn that identifies - nearly all patterns of this attack behavior. - - env works to identify environment variables in the header, meant to capture `AWS_ACCESS_KEY_ID`, - `AWS_SECRET_ACCESS_KEY` and `env`. - - uri_detect is string match looking for the common uri paths currently being scanned/abused - in the wild. - - keywords matches on enumerated values that, like `$ctx:loginId`, that may be found - in the header used by the adversary. - - lookup matching is meant to catch some basic obfuscation that has been identified - using upper, lower and date. - - Scoring will then occur based on any findings. The base score is meant to be 2 , - created by jndi_fastmatch. Everything else is meant to increase that score. - - Finally, a simple table is created to show the scoring and the _raw field. Sort - based on score or columns of interest.' -data_source: +description: 'The following analytic detects potential exploitation attempts of the + Log4Shell vulnerability (CVE-2021-44228) by analyzing HTTP headers for specific + patterns. It leverages the Web Datamodel and evaluates various indicators such as + the presence of `{jndi:`, environment variables, and common URI paths. This detection + is significant as Log4Shell allows remote code execution, posing a severe threat + to systems. If confirmed malicious, attackers could gain unauthorized access, execute + arbitrary code, and potentially compromise sensitive data, leading to extensive + damage and data breaches.' +data_source: - Nginx Access search: '| from datamodel Web.Web | eval jndi=if(match(_raw, "(\{|%7B)[jJnNdDiI]{4}:"),4,0) | eval jndi_fastmatch=if(match(_raw, "[jJnNdDiI]{4}"),2,0) | eval jndi_proto=if(match(_raw,"(?i)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http|https):"),5,0) @@ -56,7 +27,8 @@ search: '| from datamodel Web.Web | eval jndi=if(match(_raw, "(\{|%7B)[jJnNdDiI] "(?i)({|%7b)(main|sys|k8s|spring|lower|upper|env|date|sd)"),4,0) | addtotals fieldname=Score, jndi, jndi_proto, env_var, uridetect, all_match, jndi_fastmatch, keywords, obf, lookups | where Score > 2 | stats values(Score) by jndi, jndi_proto, env_var, uridetect, - all_match, jndi_fastmatch, keywords, lookups, obf, dest, src, http_method, _raw | `hunting_for_log4shell_filter`' + all_match, jndi_fastmatch, keywords, lookups, obf, dest, src, http_method, _raw + | `hunting_for_log4shell_filter`' how_to_implement: Out of the box, the Web datamodel is required to be pre-filled. However, tested was performed against raw httpd access logs. Change the first line to any dataset to pass the regex's against. @@ -109,6 +81,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/java/log4shell-nginx.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/java/log4shell-nginx.log source: /var/log/nginx/access.log sourcetype: nginx:plus:kv diff --git a/detections/web/ivanti_connect_secure_command_injection_attempts.yml b/detections/web/ivanti_connect_secure_command_injection_attempts.yml index 1ed741ff9c..c65d92aa41 100644 --- a/detections/web/ivanti_connect_secure_command_injection_attempts.yml +++ b/detections/web/ivanti_connect_secure_command_injection_attempts.yml @@ -1,20 +1,32 @@ name: Ivanti Connect Secure Command Injection Attempts id: 1f32a7e0-a060-4545-b7de-73fcf9ad536e -version: 2 -date: '2024-01-17' +version: 3 +date: '2024-05-20' author: Michael Haag, Splunk status: production type: TTP -data_source: +data_source: - Suricata -description: This analytic is designed to identify the exploit phase of the CVE-2023-46805 and CVE-2024-21887 vulnerabilities. During this phase, a POST request is made to the /api/v1/totp/user-backup-code/../../system/maintenance/archiving/cloud-server-test-connection URI. This request exploits the command injection vulnerability to execute arbitrary commands. A successful request, indicated by a 200 OK response, suggests that the system is vulnerable. -search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN("*/api/v1/totp/user-backup-code/../../system/maintenance/archiving/cloud-server-test-connection*","*/api/v1/totp/user-backup-code/../../license/keys-status/*") Web.http_method IN ("POST", "GET") Web.status=200 by Web.src, Web.dest, Web.http_user_agent, Web.url, Web.http_method, Web.status - | `drop_dm_object_name("Web")` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `ivanti_connect_secure_command_injection_attempts_filter`' -how_to_implement: This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. -known_false_positives: This analytic is limited to HTTP Status 200; adjust as necessary. False positives may occur if the URI path is IP-restricted or externally blocked. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment. +description: The following analytic identifies attempts to exploit the CVE-2023-46805 + and CVE-2024-21887 vulnerabilities in Ivanti Connect Secure. It detects POST requests + to specific URIs that leverage command injection to execute arbitrary commands. + The detection uses the Web datamodel to monitor for these requests and checks for + a 200 OK response, indicating a successful exploit attempt. This activity is significant + as it can lead to unauthorized command execution on the server. If confirmed malicious, + attackers could gain control over the system, leading to potential data breaches + or further network compromise. +search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web + where Web.url IN("*/api/v1/totp/user-backup-code/../../system/maintenance/archiving/cloud-server-test-connection*","*/api/v1/totp/user-backup-code/../../license/keys-status/*") + Web.http_method IN ("POST", "GET") Web.status=200 by Web.src, Web.dest, Web.http_user_agent, + Web.url, Web.http_method, Web.status | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `ivanti_connect_secure_command_injection_attempts_filter`' +how_to_implement: This detection requires the Web datamodel to be populated from a + supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, + or Splunk for Palo Alto. +known_false_positives: This analytic is limited to HTTP Status 200; adjust as necessary. + False positives may occur if the URI path is IP-restricted or externally blocked. + It's recommended to review the context of the alerts and adjust the analytic parameters + to better fit the specific environment. references: - https://github.com/RootUp/PersonalStuff/blob/master/http-vuln-cve2023-46805_2024_21887.nse - https://github.com/projectdiscovery/nuclei-templates/blob/c6b351e71b0fb0e40e222e97038f1fe09ac58194/http/misconfiguration/ivanti/CVE-2023-46085-CVE-2024-21887-mitigation-not-applied.yaml @@ -54,6 +66,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/suricata_ivanti_secure_connect_exploitphase.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/suricata_ivanti_secure_connect_exploitphase.log source: suricata sourcetype: suricata diff --git a/detections/web/ivanti_connect_secure_ssrf_in_saml_component.yml b/detections/web/ivanti_connect_secure_ssrf_in_saml_component.yml index f30d79da35..d47456ac9a 100644 --- a/detections/web/ivanti_connect_secure_ssrf_in_saml_component.yml +++ b/detections/web/ivanti_connect_secure_ssrf_in_saml_component.yml @@ -1,23 +1,35 @@ name: Ivanti Connect Secure SSRF in SAML Component id: 8e6ca490-7af3-4299-9a24-39fb69759925 -version: 1 -date: '2024-02-05' +version: 2 +date: '2024-05-29' author: Michael Haag, Splunk status: production type: TTP -data_source: +data_source: - Suricata -description: The following analytic is designed to identify POST request activities targeting specific endpoints known to be vulnerable to the SSRF issue (CVE-2024-21893) in Ivanti's products. It aggregates data from the Web data model, focusing on endpoints /dana-ws/saml20.ws, /dana-ws/saml.ws, /dana-ws/samlecp.ws, and /dana-na/auth/saml-logout.cgi. The query filters for POST requests that received a HTTP 200 OK response, indicating successful request execution. -search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*/dana-ws/saml20.ws*","*/dana-ws/saml.ws*","*/dana-ws/samlecp.ws*","*/dana-na/auth/saml-logout.cgi/*") Web.http_method=POST Web.status=200 by Web.src, Web.dest, Web.http_user_agent, Web.url, Web.status, Web.http_method - | `drop_dm_object_name("Web")` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `ivanti_connect_secure_ssrf_in_saml_component_filter`' -how_to_implement: This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. -known_false_positives: This analytic is limited to HTTP Status 200; adjust as necessary. False positives may occur if the HTTP Status is removed, as most failed attempts result in a 301. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment. +description: The following analytic identifies POST requests targeting endpoints vulnerable + to the SSRF issue (CVE-2024-21893) in Ivanti's products. It leverages the Web data + model, focusing on endpoints such as /dana-ws/saml20.ws, /dana-ws/saml.ws, /dana-ws/samlecp.ws, + and /dana-na/auth/saml-logout.cgi. The detection filters for POST requests that + received an HTTP 200 OK response, indicating successful execution. This activity + is significant as it may indicate an attempt to exploit SSRF vulnerabilities, potentially + allowing attackers to access internal services or sensitive data. If confirmed malicious, + this could lead to unauthorized access and data exfiltration. +search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web + where Web.url IN ("*/dana-ws/saml20.ws*","*/dana-ws/saml.ws*","*/dana-ws/samlecp.ws*","*/dana-na/auth/saml-logout.cgi/*") + Web.http_method=POST Web.status=200 by Web.src, Web.dest, Web.http_user_agent, Web.url, + Web.status, Web.http_method | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `ivanti_connect_secure_ssrf_in_saml_component_filter`' +how_to_implement: This detection requires the Web datamodel to be populated from a + supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, + or Splunk for Palo Alto. +known_false_positives: This analytic is limited to HTTP Status 200; adjust as necessary. + False positives may occur if the HTTP Status is removed, as most failed attempts + result in a 301. It's recommended to review the context of the alerts and adjust + the analytic parameters to better fit the specific environment. references: - - https://attackerkb.com/topics/FGlK1TVnB2/cve-2024-21893/rapid7-analysis - - https://www.assetnote.io/resources/research/ivantis-pulse-connect-secure-auth-bypass-round-two +- https://attackerkb.com/topics/FGlK1TVnB2/cve-2024-21893/rapid7-analysis +- https://www.assetnote.io/resources/research/ivantis-pulse-connect-secure-auth-bypass-round-two tags: cve: - CVE-2024-21893 @@ -55,6 +67,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/suricata_ivanti_saml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/suricata_ivanti_saml.log source: suricata - sourcetype: suricata \ No newline at end of file + sourcetype: suricata diff --git a/detections/web/ivanti_connect_secure_system_information_access_via_auth_bypass.yml b/detections/web/ivanti_connect_secure_system_information_access_via_auth_bypass.yml index aec9e9a8cd..a3724e46c5 100644 --- a/detections/web/ivanti_connect_secure_system_information_access_via_auth_bypass.yml +++ b/detections/web/ivanti_connect_secure_system_information_access_via_auth_bypass.yml @@ -1,20 +1,32 @@ name: Ivanti Connect Secure System Information Access via Auth Bypass id: d51c13dd-a232-4c83-a2bb-72ab36233c5d -version: 1 -date: '2024-01-16' +version: 2 +date: '2024-05-18' author: Michael Haag, Splunk status: production type: Anomaly -data_source: +data_source: - Suricata -description: This analytic is designed to identify the "check phase" of the CVE-2023-46805 and CVE-2024-21887 vulnerabilities. During this phase, a GET request is made to the /api/v1/totp/user-backup-code/../../system/system-information URI. This request exploits the authentication bypass vulnerability to gain access to system information. A successful request, indicated by a 200 OK response, suggests that the system is vulnerable. -search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url="*/api/v1/totp/user-backup-code/../../system/system-information*" Web.http_method=GET Web.status=200 by Web.src, Web.dest, Web.http_user_agent, Web.url - | `drop_dm_object_name("Web")` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +description: The following analytic identifies attempts to exploit the CVE-2023-46805 + and CVE-2024-21887 vulnerabilities in Ivanti Connect Secure. It detects GET requests + to the /api/v1/totp/user-backup-code/../../system/system-information URI, which + leverage an authentication bypass to access system information. The detection uses + the Web datamodel to identify requests with a 200 OK response, indicating a successful + exploit attempt. This activity is significant as it reveals potential unauthorized + access to sensitive system information. If confirmed malicious, attackers could + gain critical insights into the system, facilitating further exploitation and compromise. +search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web + where Web.url="*/api/v1/totp/user-backup-code/../../system/system-information*" + Web.http_method=GET Web.status=200 by Web.src, Web.dest, Web.http_user_agent, Web.url + | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ivanti_connect_secure_system_information_access_via_auth_bypass_filter`' -how_to_implement: This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. -known_false_positives: This analytic is limited to HTTP Status 200; adjust as necessary. False positives may occur if the URI path is IP-restricted or externally blocked. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment. +how_to_implement: This detection requires the Web datamodel to be populated from a + supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, + or Splunk for Palo Alto. +known_false_positives: This analytic is limited to HTTP Status 200; adjust as necessary. + False positives may occur if the URI path is IP-restricted or externally blocked. + It's recommended to review the context of the alerts and adjust the analytic parameters + to better fit the specific environment. references: - https://github.com/RootUp/PersonalStuff/blob/master/http-vuln-cve2023-46805_2024_21887.nse - https://github.com/projectdiscovery/nuclei-templates/blob/c6b351e71b0fb0e40e222e97038f1fe09ac58194/http/misconfiguration/ivanti/CVE-2023-46085-CVE-2024-21887-mitigation-not-applied.yaml @@ -51,6 +63,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/suricata_ivanti_secure_connect_checkphase.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/suricata_ivanti_secure_connect_checkphase.log source: suricata sourcetype: suricata diff --git a/detections/web/ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35078.yml b/detections/web/ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35078.yml index 493f50e042..190dd5dbca 100644 --- a/detections/web/ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35078.yml +++ b/detections/web/ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35078.yml @@ -1,21 +1,33 @@ name: Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078 id: 66b9c9ba-7fb2-4e80-a3a2-496e5e078167 -version: 1 -date: '2023-07-31' +version: 2 +date: '2024-05-18' author: Michael Haag, Splunk status: production type: TTP -data_source: +data_source: - Suricata -description: The given analytic is designed to detect the exploitation of CVE-2023-35078, a vulnerability in Ivanti Endpoint Manager Mobile (EPMM) affecting versions up to 11.4. Specifically, the query searches web logs for HTTP requests to the potentially vulnerable endpoint "/mifs/aad/api/v2/authorized/users?*" with a successful status code of 200. This analytic is instrumental in detecting unauthorized remote access to restricted functionalities or resources within the application, a behavior worth identifying for a Security Operations Center (SOC). By monitoring specific patterns and successful access indicators, it reveals an active attempt to exploit the vulnerability, potentially leading to data theft, unauthorized modifications, or further system compromise. If successfully executed, the impact can be severe, necessitating immediate action. -search: '| tstats count min(_time) as firstTime max(_time) - as lastTime from datamodel=Web where Web.url IN ("/mifs/aad/api/v2/authorized/users?*") Web.status=200 - by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype - | `drop_dm_object_name("Web")` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35078_filter`' -how_to_implement: To implement this analytic, a network product similar to Suricata or Palo Alto needs to be mapped to the Web datamodel. Modify accordingly to work with your products. -known_false_positives: The Proof of Concept exploit script indicates that status=200 is required for successful exploitation of the vulnerability. False positives may be present if status=200 is removed from the search. If it is removed,then the search also alert on status=301 and status=404 which indicates unsuccessful exploitation attempts. Analysts may find it useful to hunt for these status codes as well, but it is likely to produce a significant number of alerts as this is a widespread vulnerability. +description: The following analytic detects attempts to exploit CVE-2023-35078, a + vulnerability in Ivanti Endpoint Manager Mobile (EPMM) versions up to 11.4. It identifies + HTTP requests to the endpoint "/mifs/aad/api/v2/authorized/users?*" with a status + code of 200 in web logs. This activity is significant as it indicates unauthorized + remote access to restricted functionalities or resources. If confirmed malicious, + this could lead to data theft, unauthorized modifications, or further system compromise, + necessitating immediate action to mitigate potential severe impacts. +search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web + where Web.url IN ("/mifs/aad/api/v2/authorized/users?*") Web.status=200 by Web.http_user_agent, + Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype + | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35078_filter`' +how_to_implement: To implement this analytic, a network product similar to Suricata + or Palo Alto needs to be mapped to the Web datamodel. Modify accordingly to work + with your products. +known_false_positives: The Proof of Concept exploit script indicates that status=200 + is required for successful exploitation of the vulnerability. False positives may + be present if status=200 is removed from the search. If it is removed,then the + search also alert on status=301 and status=404 which indicates unsuccessful exploitation + attempts. Analysts may find it useful to hunt for these status codes as well, but + it is likely to produce a significant number of alerts as this is a widespread vulnerability. references: - https://forums.ivanti.com/s/article/CVE-2023-35078-Remote-unauthenticated-API-access-vulnerability?language=en_US - https://github.com/vchan-in/CVE-2023-35078-Exploit-POC/blob/main/cve_2023_35078_poc.py @@ -53,7 +65,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/suricata_ivanti_CVE202335078.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/suricata_ivanti_CVE202335078.log source: suricata sourcetype: suricata diff --git a/detections/web/ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35082.yml b/detections/web/ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35082.yml index c5be53493f..83094bd53a 100644 --- a/detections/web/ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35082.yml +++ b/detections/web/ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35082.yml @@ -1,22 +1,35 @@ name: Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082 id: e03edeba-4942-470c-a664-27253f3ad351 -version: 1 -date: '2023-08-08' +version: 2 +date: '2024-05-28' author: Michael Haag, Splunk status: production type: TTP -data_source: +data_source: - Suricata -description: 'The following analytic detects potential unauthorized access attempts exploiting CVE-2023-35082 within Ivantis software products. Initially assessed to affect only MobileIron Core versions up to 11.2, further insights revealed its influence extending to Ivanti Endpoint Manager Mobile (EPMM) versions 11.10, 11.9, 11.8, and MobileIron Core 11.7 and below. The vulnerability facilitates unauthorized API access via the specific URI path /mifs/asfV3/api/v2/. The analytic identifies this behavior by monitoring web access logs for this URI pattern coupled with a HTTP 200 response code, signifying successful unauthorized access. - Such behavior is imperative for a Security Operations Center (SOC) to recognize, as it highlights potential security breaches which, if not addressed, could lead to unauthorized data access, system modifications, or further exploitation. In the event of a true positive, the implications are severe: an attacker might have gained unbridled access to sensitive organizational data or could modify systems maliciously. Be vigilant of potential false positives; benign activities might occasionally match the pattern. During triage, closely scrutinize the source of the access request and its subsequent actions. This analytic aids analysts in early threat detection, allowing for proactive risk mitigation.' -search: '| tstats count min(_time) as firstTime max(_time) - as lastTime from datamodel=Web where Web.url IN ("/mifs/asfV3/api/v2/*") Web.status=200 - by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype - | `drop_dm_object_name("Web")` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35082_filter`' -how_to_implement: To implement this analytic, a network product similar to Suricata or Palo Alto needs to be mapped to the Web datamodel. Modify accordingly to work with your products. -known_false_positives: Similar to CVE-2023-35078, the path for exploitation indicates that status=200 is required for successful exploitation of the vulnerability. False positives may be present if status=200 is removed from the search. If it is removed,then the search also alert on status=301 and status=404 which indicates unsuccessful exploitation attempts. Analysts may find it useful to hunt for these status codes as well, but it is likely to produce a significant number of alerts as this is a widespread vulnerability. +description: 'The following analytic detects potential unauthorized access attempts + exploiting CVE-2023-35082 within Ivanti''s software products. It identifies access + to the specific URI path /mifs/asfV3/api/v2/ with an HTTP 200 response code in web + access logs, indicating successful unauthorized access. This activity is significant + for a SOC as it highlights potential security breaches that could lead to unauthorized + data access or system modifications. If confirmed malicious, an attacker could gain + unbridled access to sensitive organizational data or modify systems maliciously, + posing severe security risks.' +search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web + where Web.url IN ("/mifs/asfV3/api/v2/*") Web.status=200 by Web.http_user_agent, + Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype + | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35082_filter`' +how_to_implement: To implement this analytic, a network product similar to Suricata + or Palo Alto needs to be mapped to the Web datamodel. Modify accordingly to work + with your products. +known_false_positives: Similar to CVE-2023-35078, the path for exploitation indicates + that status=200 is required for successful exploitation of the vulnerability. False + positives may be present if status=200 is removed from the search. If it is removed,then + the search also alert on status=301 and status=404 which indicates unsuccessful + exploitation attempts. Analysts may find it useful to hunt for these status codes + as well, but it is likely to produce a significant number of alerts as this is a + widespread vulnerability. references: - https://forums.ivanti.com/s/article/CVE-2023-35082-Remote-Unauthenticated-API-Access-Vulnerability-in-MobileIron-Core-11-2-and-older?language=en_US - https://github.com/vchan-in/CVE-2023-35078-Exploit-POC/blob/main/cve_2023_35078_poc.py @@ -55,7 +68,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/suricata_ivanti_CVE202335082.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/suricata_ivanti_CVE202335082.log source: suricata sourcetype: suricata diff --git a/detections/web/ivanti_sentry_authentication_bypass.yml b/detections/web/ivanti_sentry_authentication_bypass.yml index 637e56a58d..220df4f5d7 100644 --- a/detections/web/ivanti_sentry_authentication_bypass.yml +++ b/detections/web/ivanti_sentry_authentication_bypass.yml @@ -1,21 +1,33 @@ name: Ivanti Sentry Authentication Bypass id: b8e0d1cf-e6a8-4d46-a5ae-aebe18ead8f8 -version: 1 -date: '2023-08-24' +version: 2 +date: '2024-05-17' author: Michael Haag, Splunk status: production type: TTP -data_source: +data_source: - Suricata -description: This analytic is designed to detect unauthenticated access to the System Manager Portal in Ivanti Sentry, formerly known as MobileIron Sentry. The vulnerability, designated as CVE-2023-38035, affects all supported versions 9.18, 9.17, and 9.16, as well as older versions. The analytic works by monitoring for changes in the configuration of Sentry and the underlying operating system. Such changes could indicate an attacker attempting to execute OS commands as root. This behavior is of significant concern for a Security Operations Center (SOC) as it presents a substantial security risk, particularly if port 8443, the default port for the System Manager Portal, is exposed to the internet. If the analytic returns a true positive, it suggests that an attacker has gained unauthorized access to the Sentry system, potentially leading to a significant system compromise and data breach. It is important to note that while the issue has a high CVSS score, the risk of exploitation is low for customers who do not expose port 8443 to the internet. The search specifically looks for HTTP requests to certain endpoints ("/mics/services/configservice/*", "/mics/services/*","/mics/services/MICSLogService*") and HTTP status code of 200. Unusual or unexpected patterns in these parameters could indicate an attack. -search: '| tstats count min(_time) as firstTime max(_time) - as lastTime from datamodel=Web where Web.url IN ("/mics/services/configservice/*", "/mics/services/*","/mics/services/MICSLogService*") Web.status=200 - by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype - | `drop_dm_object_name("Web")` - | `security_content_ctime(firstTime)` +description: The following analytic identifies unauthenticated access attempts to + the System Manager Portal in Ivanti Sentry, exploiting CVE-2023-38035. It detects + this activity by monitoring HTTP requests to specific endpoints ("/mics/services/configservice/*", + "/mics/services/*", "/mics/services/MICSLogService*") with a status code of 200. + This behavior is significant for a SOC as it indicates potential unauthorized access, + which could lead to OS command execution as root. If confirmed malicious, this activity + could result in significant system compromise and data breaches, especially if port + 8443 is exposed to the internet. +search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web + where Web.url IN ("/mics/services/configservice/*", "/mics/services/*","/mics/services/MICSLogService*") + Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, + Web.src, Web.dest, sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ivanti_sentry_authentication_bypass_filter`' -how_to_implement: To implement this analytic, a network product similar to Suricata or Palo Alto needs to be mapped to the Web datamodel. Modify accordingly to work with your products. -known_false_positives: It is important to note that false positives may occur if the search criteria are expanded beyond the HTTP status code 200. In other words, if the search includes other HTTP status codes, the likelihood of encountering false positives increases. This is due to the fact that HTTP status codes other than 200 may not necessarily indicate a successful exploitation attempt. +how_to_implement: To implement this analytic, a network product similar to Suricata + or Palo Alto needs to be mapped to the Web datamodel. Modify accordingly to work + with your products. +known_false_positives: It is important to note that false positives may occur if the + search criteria are expanded beyond the HTTP status code 200. In other words, if + the search includes other HTTP status codes, the likelihood of encountering false + positives increases. This is due to the fact that HTTP status codes other than 200 + may not necessarily indicate a successful exploitation attempt. references: - https://github.com/horizon3ai/CVE-2023-38035/blob/main/CVE-2023-38035.py - https://www.horizon3.ai/ivanti-sentry-authentication-bypass-cve-2023-38035-deep-dive/ @@ -29,7 +41,7 @@ tags: atomic_guid: [] confidence: 50 impact: 90 - message: Possible exploitation of CVE-2023-38035 against $dest$. + message: Possible exploitation of CVE-2023-38035 against $dest$. mitre_attack_id: - T1190 observable: @@ -59,6 +71,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/ivanti_sentry_CVE_2023_38035.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/ivanti_sentry_CVE_2023_38035.log source: suricata sourcetype: suricata diff --git a/detections/web/jenkins_arbitrary_file_read_cve_2024_23897.yml b/detections/web/jenkins_arbitrary_file_read_cve_2024_23897.yml index 6129793455..145082ee5c 100644 --- a/detections/web/jenkins_arbitrary_file_read_cve_2024_23897.yml +++ b/detections/web/jenkins_arbitrary_file_read_cve_2024_23897.yml @@ -1,19 +1,29 @@ name: Jenkins Arbitrary File Read CVE-2024-23897 id: c641260d-2b48-4eb1-b1e8-2cc5b8b99ab1 -version: 1 -date: '2024-01-26' +version: 2 +date: '2024-05-24' author: Michael Haag, Splunk status: production type: TTP -data_source: +data_source: - Nginx Access -description: The following analtyic identifies a Jenkins Arbitrary File Read CVE-2024-23897 exploitation. This attack allows an attacker to read arbitrary files on the Jenkins server. This can be used to obtain sensitive information such as credentials, private keys, and other sensitive information. -search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url="*/cli?remoting=false*" Web.status=200 Web.http_method=POST by Web.src, Web.dest, Web.http_user_agent, Web.url Web.status, Web.http_method - | `drop_dm_object_name("Web")` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `jenkins_arbitrary_file_read_cve_2024_23897_filter`' -how_to_implement: This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. If unable to utilize the Web datamodel, modify query to your data source. -known_false_positives: False positives should be limited as this detection is based on a specific URL path and HTTP status code. Adjust the search as necessary to fit the environment. +description: The following analytic identifies attempts to exploit Jenkins Arbitrary + File Read CVE-2024-23897. It detects HTTP POST requests to Jenkins URLs containing + "*/cli?remoting=false*" with a 200 status code. This activity is significant as + it indicates potential unauthorized access to sensitive files on the Jenkins server, + such as credentials and private keys. If confirmed malicious, this could lead to + severe data breaches, unauthorized access, and further exploitation within the environment. +search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web + where Web.url="*/cli?remoting=false*" Web.status=200 Web.http_method=POST by Web.src, + Web.dest, Web.http_user_agent, Web.url Web.status, Web.http_method | `drop_dm_object_name("Web")` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `jenkins_arbitrary_file_read_cve_2024_23897_filter`' +how_to_implement: This detection requires the Web datamodel to be populated from a + supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, + or Splunk for Palo Alto. If unable to utilize the Web datamodel, modify query to + your data source. +known_false_positives: False positives should be limited as this detection is based + on a specific URL path and HTTP status code. Adjust the search as necessary to fit + the environment. references: - https://github.com/projectdiscovery/nuclei-templates/pull/9025 - https://github.com/jenkinsci-cert/SECURITY-3314-3315 @@ -59,6 +69,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/jenkins/nginx_jenkins_cve_2023_23897.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/jenkins/nginx_jenkins_cve_2023_23897.log source: nginx:plus:kv sourcetype: nginx:plus:kv diff --git a/detections/web/jetbrains_teamcity_authentication_bypass_cve_2024_27198.yml b/detections/web/jetbrains_teamcity_authentication_bypass_cve_2024_27198.yml index 20f44dd269..9548f959e1 100644 --- a/detections/web/jetbrains_teamcity_authentication_bypass_cve_2024_27198.yml +++ b/detections/web/jetbrains_teamcity_authentication_bypass_cve_2024_27198.yml @@ -1,19 +1,33 @@ name: JetBrains TeamCity Authentication Bypass CVE-2024-27198 id: fbcc04c7-8a79-453c-b3a9-c232c423bdd4 -version: 1 -date: '2024-03-04' +version: 2 +date: '2024-05-20' author: Michael Haag, Splunk -data_source: +data_source: - Suricata type: TTP status: production -description: 'The CVE-2024-27198 vulnerability presents a critical security risk for JetBrains TeamCity on-premises servers, allowing attackers to bypass authentication mechanisms and gain unauthorized access. This vulnerability can be exploited in several ways, each leading to the attacker gaining full control over the TeamCity server, including all associated projects, builds, agents, and artifacts. One method of exploitation involves creating a new administrator user. An attacker, without needing to authenticate, can send a specially crafted POST request to the `/app/rest/users` REST API endpoint. This request includes the desired username, password, email, and roles for the new user, effectively granting them administrative privileges upon successful execution. Alternatively, an attacker can generate a new administrator access token by targeting the `/app/rest/users/id:1/tokens` endpoint with a POST request. This method also does not require prior authentication and results in the creation of a token that grants administrative access. Both exploitation methods underscore the severity of the CVE-2024-27198 vulnerability and highlight the importance of securing TeamCity servers against such authentication bypass threats. The manipulation of URI paths `/app/rest/users` and `/app/rest/users/id:1/tokens` through malicious requests enables attackers to gain unauthorized access and control, emphasizing the need for immediate remediation measures.' -search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where ((Web.url="*?jsp=*" AND Web.url="*;.jsp*") Web.status=200 Web.http_method=POST) OR (Web.url IN ("*jsp=/app/rest/users;.jsp","*?jsp=/app/rest/users;.jsp","*?jsp=.*/app/rest/users/id:*/tokens;*") Web.status=200 Web.http_method=POST ) by Web.src, Web.dest, Web.http_user_agent, Web.url, Web.status, Web.http_method, sourcetype, source - | `drop_dm_object_name("Web")` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)`| `jetbrains_teamcity_authentication_bypass_cve_2024_27198_filter`' -how_to_implement: The detection relies on the Web datamodel and a CIM compliant log source, that may include Nginx, TeamCity logs, or other web server logs. -known_false_positives: False positives are not expected, as this detection is based on the presence of specific URI paths and HTTP methods that are indicative of the CVE-2024-27198 vulnerability exploitation. Monitor, filter and tune as needed based on organization log sources. +description: 'The following analytic identifies attempts to exploit the JetBrains + TeamCity Authentication Bypass vulnerability (CVE-2024-27198). It detects suspicious + POST requests to the `/app/rest/users` and `/app/rest/users/id:1/tokens` endpoints, + which are indicative of attempts to create new administrator users or generate admin + access tokens without authentication. This detection leverages the Web datamodel + and CIM-compliant log sources, such as Nginx or TeamCity logs. This activity is + significant as it can lead to full control over the TeamCity server, including all + projects, builds, agents, and artifacts. If confirmed malicious, attackers could + gain unauthorized administrative access, leading to severe security breaches.' +search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web + where ((Web.url="*?jsp=*" AND Web.url="*;.jsp*") Web.status=200 Web.http_method=POST) + OR (Web.url IN ("*jsp=/app/rest/users;.jsp","*?jsp=/app/rest/users;.jsp","*?jsp=.*/app/rest/users/id:*/tokens;*") + Web.status=200 Web.http_method=POST ) by Web.src, Web.dest, Web.http_user_agent, + Web.url, Web.status, Web.http_method, sourcetype, source | `drop_dm_object_name("Web")` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `jetbrains_teamcity_authentication_bypass_cve_2024_27198_filter`' +how_to_implement: The detection relies on the Web datamodel and a CIM compliant log + source, that may include Nginx, TeamCity logs, or other web server logs. +known_false_positives: False positives are not expected, as this detection is based + on the presence of specific URI paths and HTTP methods that are indicative of the + CVE-2024-27198 vulnerability exploitation. Monitor, filter and tune as needed based + on organization log sources. references: - https://github.com/projectdiscovery/nuclei-templates/pull/9279/files - https://www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/ @@ -26,7 +40,8 @@ tags: asset_type: Web Server confidence: 90 impact: 90 - message: Possible JetBrains TeamCity Authentication Bypass CVE-2024-27198 Attempt against $dest$ from $src$. + message: Possible JetBrains TeamCity Authentication Bypass CVE-2024-27198 Attempt + against $dest$ from $src$. mitre_attack_id: - T1190 observable: @@ -58,6 +73,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/jetbrains/teamcity_cve_2024_27198.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/jetbrains/teamcity_cve_2024_27198.log sourcetype: suricata - source: suricata \ No newline at end of file + source: suricata diff --git a/detections/web/jetbrains_teamcity_authentication_bypass_suricata_cve_2024_27198.yml b/detections/web/jetbrains_teamcity_authentication_bypass_suricata_cve_2024_27198.yml index 5e43bd6eeb..132724f73a 100644 --- a/detections/web/jetbrains_teamcity_authentication_bypass_suricata_cve_2024_27198.yml +++ b/detections/web/jetbrains_teamcity_authentication_bypass_suricata_cve_2024_27198.yml @@ -1,20 +1,32 @@ name: JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198 id: fbcc04c7-8a79-453c-b3a9-c232c423bdd3 -version: 1 -date: '2024-03-04' +version: 2 +date: '2024-05-16' author: Michael Haag, Splunk -data_source: +data_source: - Suricata type: TTP status: production -description: 'The CVE-2024-27198 vulnerability presents a critical security risk for JetBrains TeamCity on-premises servers, allowing attackers to bypass authentication mechanisms and gain unauthorized access. This vulnerability can be exploited in several ways, each leading to the attacker gaining full control over the TeamCity server, including all associated projects, builds, agents, and artifacts. One method of exploitation involves creating a new administrator user. An attacker, without needing to authenticate, can send a specially crafted POST request to the `/app/rest/users` REST API endpoint. This request includes the desired username, password, email, and roles for the new user, effectively granting them administrative privileges upon successful execution.Alternatively, an attacker can generate a new administrator access token by targeting the `/app/rest/users/id:1/tokens` endpoint with a POST request. This method also does not require prior authentication and results in the creation of a token that grants administrative access. Both exploitation methods underscore the severity of the CVE-2024-27198 vulnerability and highlight the importance of securing TeamCity servers against such authentication bypass threats. The manipulation of URI paths `/app/rest/users` and `/app/rest/users/id:1/tokens` through malicious requests enables attackers to gain unauthorized access and control, emphasizing the need for immediate remediation measures.' -search: '`suricata` - ((http.url="*?jsp=*" AND http.url="*;.jsp*") http.status=200 http_method=POST) OR (http.url IN ("*jsp=/app/rest/users;.jsp","*?jsp=/app/rest/users;.jsp","*?jsp=.*/app/rest/users/id:*/tokens;*") http.status=200 http_method=POST ) - | stats count min(_time) as firstTime max(_time) as lastTime by src, dest, http.http_user_agent, http.url, http.status,http_method - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)`| `jetbrains_teamcity_authentication_bypass_suricata_cve_2024_27198_filter`' -how_to_implement: The following detection relies on the Suricata TA and ensuring it is properly configured to monitor HTTP traffic. Modify the query for your environment and log sources as needed. -known_false_positives: False positives are not expected, as this detection is based on the presence of specific URI paths and HTTP methods that are indicative of the CVE-2024-27198 vulnerability exploitation. Monitor, filter and tune as needed based on organization log sources. +description: 'The following analytic detects attempts to exploit the CVE-2024-27198 + vulnerability in JetBrains TeamCity on-premises servers, which allows attackers + to bypass authentication mechanisms. It leverages Suricata HTTP traffic logs to + identify suspicious POST requests to the `/app/rest/users` and `/app/rest/users/id:1/tokens` + endpoints. This activity is significant because it can lead to unauthorized administrative + access, enabling attackers to gain full control over the TeamCity server, including + projects, builds, agents, and artifacts. If confirmed malicious, this could result + in severe security breaches and compromise the integrity of the development environment.' +search: '`suricata` ((http.url="*?jsp=*" AND http.url="*;.jsp*") http.status=200 http_method=POST) + OR (http.url IN ("*jsp=/app/rest/users;.jsp","*?jsp=/app/rest/users;.jsp","*?jsp=.*/app/rest/users/id:*/tokens;*") + http.status=200 http_method=POST ) | stats count min(_time) as firstTime max(_time) + as lastTime by src, dest, http.http_user_agent, http.url, http.status,http_method + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `jetbrains_teamcity_authentication_bypass_suricata_cve_2024_27198_filter`' +how_to_implement: The following detection relies on the Suricata TA and ensuring it + is properly configured to monitor HTTP traffic. Modify the query for your environment + and log sources as needed. +known_false_positives: False positives are not expected, as this detection is based + on the presence of specific URI paths and HTTP methods that are indicative of the + CVE-2024-27198 vulnerability exploitation. Monitor, filter and tune as needed based + on organization log sources. references: - https://github.com/projectdiscovery/nuclei-templates/pull/9279/files - https://www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/ @@ -26,7 +38,8 @@ tags: asset_type: Web Server confidence: 90 impact: 90 - message: Possible JetBrains TeamCity Authentication Bypass Attempt against $dest$ from $src$. + message: Possible JetBrains TeamCity Authentication Bypass Attempt against $dest$ + from $src$. mitre_attack_id: - T1190 observable: @@ -56,6 +69,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/jetbrains/teamcity_cve_2024_27198.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/jetbrains/teamcity_cve_2024_27198.log sourcetype: suricata source: suricata diff --git a/detections/web/jetbrains_teamcity_limited_auth_bypass_suricata_cve_2024_27199.yml b/detections/web/jetbrains_teamcity_limited_auth_bypass_suricata_cve_2024_27199.yml index b796684e28..d1ed0622f0 100644 --- a/detections/web/jetbrains_teamcity_limited_auth_bypass_suricata_cve_2024_27199.yml +++ b/detections/web/jetbrains_teamcity_limited_auth_bypass_suricata_cve_2024_27199.yml @@ -1,19 +1,37 @@ name: JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199 id: a1e68dcd-2e24-4434-bd0e-b3d4de139d58 -version: 1 -date: '2024-03-04' +version: 2 +date: '2024-05-26' author: Michael Haag, Splunk -data_source: +data_source: - Suricata type: TTP status: production -description: 'CVE-2024-27199 reveals a critical vulnerability in JetBrains TeamCity web server, allowing unauthenticated attackers to bypass authentication for a limited set of endpoints. This vulnerability exploits path traversal issues, enabling attackers to access and potentially modify system settings or disclose sensitive server information without proper authentication. Identified vulnerable paths include /res/, /update/, and /.well-known/acme-challenge/, among others. Attackers can manipulate these paths to reach restricted JSP pages and servlet endpoints, such as /app/https/settings/uploadCertificate, which could allow for the uploading of malicious HTTPS certificates or modification of server settings. This detection aims to identify potential exploitation attempts by monitoring for unusual access patterns to these endpoints, which could indicate an authentication bypass attempt in progress.' -search: '`suricata` http.url IN ("*../admin/diagnostic.jsp*", "*../app/https/settings/*", "*../app/pipeline*", "*../app/oauth/space/createBuild.html*", "*../res/*", "*../update/*", "*../.well-known/acme-challenge/*", "*../app/availableRunners*", "*../app/https/settings/setPort*", "*../app/https/settings/certificateInfo*", "*../app/https/settings/defaultHttpsPort*", "*../app/https/settings/fetchFromAcme*", "*../app/https/settings/removeCertificate*", "*../app/https/settings/uploadCertificate*", "*../app/https/settings/termsOfService*", "*../app/https/settings/triggerAcmeChallenge*", "*../app/https/settings/cancelAcmeChallenge*", "*../app/https/settings/getAcmeOrder*", "*../app/https/settings/setRedirectStrategy*") http.status=200 http_method=GET - | stats count min(_time) as firstTime max(_time) as lastTime by src, dest, http_user_agent, http.url, http.status, http_method - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `jetbrains_teamcity_limited_auth_bypass_suricata_cve_2024_27199_filter`' -how_to_implement: The following detection relies on the Suricata TA and ensuring it is properly configured to monitor HTTP traffic. Modify the query for your environment and log sources as needed. -known_false_positives: False positives are not expected, however, monitor, filter, and tune as needed based on organization log sources. The analytic is restricted to 200 and GET requests to specific URI paths, which should limit false positives. +description: 'The following analytic identifies attempts to exploit CVE-2024-27199, + a critical vulnerability in JetBrains TeamCity web server, allowing unauthenticated + access to specific endpoints. It detects unusual access patterns to vulnerable paths + such as /res/, /update/, and /.well-known/acme-challenge/ by monitoring HTTP traffic + logs via Suricata. This activity is significant as it could indicate an attacker + bypassing authentication to access or modify system settings. If confirmed malicious, + this could lead to unauthorized changes, disclosure of sensitive information, or + uploading of malicious certificates, severely compromising the server''s security.' +search: '`suricata` http.url IN ("*../admin/diagnostic.jsp*", "*../app/https/settings/*", + "*../app/pipeline*", "*../app/oauth/space/createBuild.html*", "*../res/*", "*../update/*", + "*../.well-known/acme-challenge/*", "*../app/availableRunners*", "*../app/https/settings/setPort*", + "*../app/https/settings/certificateInfo*", "*../app/https/settings/defaultHttpsPort*", + "*../app/https/settings/fetchFromAcme*", "*../app/https/settings/removeCertificate*", + "*../app/https/settings/uploadCertificate*", "*../app/https/settings/termsOfService*", + "*../app/https/settings/triggerAcmeChallenge*", "*../app/https/settings/cancelAcmeChallenge*", + "*../app/https/settings/getAcmeOrder*", "*../app/https/settings/setRedirectStrategy*") + http.status=200 http_method=GET | stats count min(_time) as firstTime max(_time) + as lastTime by src, dest, http_user_agent, http.url, http.status, http_method | + `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `jetbrains_teamcity_limited_auth_bypass_suricata_cve_2024_27199_filter`' +how_to_implement: The following detection relies on the Suricata TA and ensuring it + is properly configured to monitor HTTP traffic. Modify the query for your environment + and log sources as needed. +known_false_positives: False positives are not expected, however, monitor, filter, + and tune as needed based on organization log sources. The analytic is restricted + to 200 and GET requests to specific URI paths, which should limit false positives. references: - https://github.com/projectdiscovery/nuclei-templates/blob/f644ec82dfe018890c6aa308967424d26c0f1522/http/cves/2024/CVE-2024-27199.yaml - https://www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/ @@ -25,7 +43,8 @@ tags: asset_type: Web Server confidence: 70 impact: 90 - message: Possible JetBrains TeamCity Limited Authentication Bypass Attempt against $dest$ from $src$. + message: Possible JetBrains TeamCity Limited Authentication Bypass Attempt against + $dest$ from $src$. mitre_attack_id: - T1190 observable: @@ -55,7 +74,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/jetbrains/teamcity_cve_2024_27199.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/jetbrains/teamcity_cve_2024_27199.log sourcetype: suricata source: suricata diff --git a/detections/web/jetbrains_teamcity_rce_attempt.yml b/detections/web/jetbrains_teamcity_rce_attempt.yml index 63148a7035..abca1f2fc1 100644 --- a/detections/web/jetbrains_teamcity_rce_attempt.yml +++ b/detections/web/jetbrains_teamcity_rce_attempt.yml @@ -1,21 +1,29 @@ name: JetBrains TeamCity RCE Attempt id: 89a58e5f-1365-4793-b45c-770abbb32b6c -version: 1 -date: '2023-10-01' +version: 2 +date: '2024-05-23' author: Michael Haag, Splunk status: production type: TTP -data_source: +data_source: - Suricata -description: 'The following analytic is designed to detect attempts to exploit the CVE-2023-42793 vulnerability in TeamCity On-Premises. It focuses on identifying suspicious POST requests to /app/rest/users/id:1/tokens/RPC2, which is the initial point of exploitation. This could indicate an unauthenticated attacker trying to gain administrative access through Remote Code Execution (RCE).' -search: '| tstats count min(_time) as firstTime max(_time) - as lastTime from datamodel=Web where Web.url IN ("/app/rest/users/id:1/tokens/RPC2*") Web.status=200 Web.http_method=POST - by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype - | `drop_dm_object_name("Web")` - | `security_content_ctime(firstTime)` +description: 'The following analytic detects attempts to exploit the CVE-2023-42793 + vulnerability in JetBrains TeamCity On-Premises. It identifies suspicious POST requests + to /app/rest/users/id:1/tokens/RPC2, leveraging the Web datamodel to monitor specific + URL patterns and HTTP methods. This activity is significant as it may indicate an + unauthenticated attacker attempting to gain administrative access via Remote Code + Execution (RCE). If confirmed malicious, this could allow the attacker to execute + arbitrary code, potentially compromising the entire TeamCity environment and leading + to further unauthorized access and data breaches.' +search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web + where Web.url IN ("/app/rest/users/id:1/tokens/RPC2*") Web.status=200 Web.http_method=POST + by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, + Web.dest, sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `jetbrains_teamcity_rce_attempt_filter`' -how_to_implement: The following analytic requires the Web datamodel. Ensure data source is mapped correctly or modify and tune for your data source. -known_false_positives: If TeamCity is not in use, this analytic will not return results. Monitor and tune for your environment. +how_to_implement: The following analytic requires the Web datamodel. Ensure data source + is mapped correctly or modify and tune for your data source. +known_false_positives: If TeamCity is not in use, this analytic will not return results. + Monitor and tune for your environment. references: - https://blog.jetbrains.com/teamcity/2023/09/critical-security-issue-affecting-teamcity-on-premises-update-to-2023-05-4-now/ - https://www.sonarsource.com/blog/teamcity-vulnerability/ @@ -32,7 +40,8 @@ tags: atomic_guid: [] confidence: 90 impact: 90 - message: Potential JetBrains TeamCity RCE Attempt detected against URL $url$ on $dest$. + message: Potential JetBrains TeamCity RCE Attempt detected against URL $url$ on + $dest$. mitre_attack_id: - T1190 observable: @@ -65,6 +74,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/jetbrains/teamcity.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/jetbrains/teamcity.log source: suricata sourcetype: suricata diff --git a/detections/web/juniper_networks_remote_code_execution_exploit_detection.yml b/detections/web/juniper_networks_remote_code_execution_exploit_detection.yml index 8108ff7dc8..2fc4c95b69 100644 --- a/detections/web/juniper_networks_remote_code_execution_exploit_detection.yml +++ b/detections/web/juniper_networks_remote_code_execution_exploit_detection.yml @@ -1,21 +1,34 @@ name: Juniper Networks Remote Code Execution Exploit Detection id: 6cc4cc3d-b10a-4fac-be1e-55d384fc690e -version: 1 -date: '2023-08-29' +version: 2 +date: '2024-05-14' author: Michael Haag, Splunk status: production type: TTP -data_source: +data_source: - Suricata -description: The following analytic detects the exploitation of a remote code execution vulnerability in Juniper Networks devices. The vulnerability involves multiple steps, including uploading a malicious PHP file and an INI file to the target server, and then executing the PHP code by manipulating the PHP configuration via the uploaded INI file. The analytic specifically looks for requests to /webauth_operation.php?PHPRC=*, which are used to upload the files and execute the code, respectively. This behavior is worth identifying for a SOC because it indicates that an attacker is attempting to exploit the vulnerability to gain unauthorized access to the device and execute arbitrary code. If a true positive is found, it suggests that an attacker has successfully exploited the vulnerability and may have gained control over the device, leading to data theft, network compromise, or other damaging outcomes. Upon triage, review the request parameters and the response to determine if the exploitation was successful. Capture and inspect any relevant network traffic and server logs to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks. -search: '| tstats count min(_time) as firstTime max(_time) - as lastTime from datamodel=Web where Web.url IN ("*/webauth_operation.php?PHPRC=*") Web.status=200 - by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype - | `drop_dm_object_name("Web")` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `juniper_networks_remote_code_execution_exploit_detection_filter`' -how_to_implement: To implement this search, ensure that the Web data model is populated. The search is activated when the Web data model is accelerated. Network products, such as Suricata or Palo Alto, need to be mapped to the Web data model. Adjust the mapping as necessary to suit your specific products. -known_false_positives: Be aware of potential false positives - legitimate uses of the /webauth_operation.php endpoint may cause benign activities to be flagged.The URL in the analytic is specific to a successful attempt to exploit the vulnerability. Review contents of the HTTP body to determine if the request is malicious. If the request is benign, add the URL to the whitelist or continue to monitor. +description: The following analytic detects attempts to exploit a remote code execution + vulnerability in Juniper Networks devices. It identifies requests to /webauth_operation.php?PHPRC=*, + which are indicative of uploading and executing malicious PHP files. This detection + leverages the Web data model, focusing on specific URL patterns and HTTP status + codes. This activity is significant because it signals an attempt to gain unauthorized + access and execute arbitrary code on the device. If confirmed malicious, the attacker + could gain control over the device, leading to data theft, network compromise, or + other severe consequences. +search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web + where Web.url IN ("*/webauth_operation.php?PHPRC=*") Web.status=200 by Web.http_user_agent, + Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype + | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `juniper_networks_remote_code_execution_exploit_detection_filter`' +how_to_implement: To implement this search, ensure that the Web data model is populated. + The search is activated when the Web data model is accelerated. Network products, + such as Suricata or Palo Alto, need to be mapped to the Web data model. Adjust the + mapping as necessary to suit your specific products. +known_false_positives: Be aware of potential false positives - legitimate uses of + the /webauth_operation.php endpoint may cause benign activities to be flagged.The + URL in the analytic is specific to a successful attempt to exploit the vulnerability. + Review contents of the HTTP body to determine if the request is malicious. If the + request is benign, add the URL to the whitelist or continue to monitor. references: - https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution?language=en_US - https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-36844.yaml @@ -35,7 +48,9 @@ tags: atomic_guid: [] confidence: 80 impact: 90 - message: 'This analytic has identified a potential exploitation of a remote code execution vulnerability in Juniper Networks devices on $dest$ on the URL $url$ used for the exploit.' + message: 'This analytic has identified a potential exploitation of a remote code + execution vulnerability in Juniper Networks devices on $dest$ on the URL $url$ + used for the exploit.' observable: - name: dest type: Hostname @@ -67,6 +82,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/juniper/suricata_junos_cvemegazord.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/juniper/suricata_junos_cvemegazord.log source: suricata sourcetype: suricata diff --git a/detections/web/log4shell_jndi_payload_injection_attempt.yml b/detections/web/log4shell_jndi_payload_injection_attempt.yml index 9357b24330..fa9fb75dbe 100644 --- a/detections/web/log4shell_jndi_payload_injection_attempt.yml +++ b/detections/web/log4shell_jndi_payload_injection_attempt.yml @@ -1,28 +1,19 @@ name: Log4Shell JNDI Payload Injection Attempt id: c184f12e-5c90-11ec-bf1f-497c9a704a72 -version: 1 -date: '2021-12-13' +version: 2 +date: '2024-05-25' author: Jose Hernandez status: production type: Anomaly -description: CVE-2021-44228 Log4Shell payloads can be injected via various methods, - but on of the most common vectors injection is via Web calls. Many of the vulnerable - java web applications that are using log4j have a web component to them are specially - targets of this injection, specifically projects like Apache Struts, Flink, Druid, - and Solr. The exploit is triggered by a LDAP lookup function in the log4j package, - its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, when executed against - vulnerable web applications the invocation can be seen in various part of web logs. - Specifically it has been successfully exploited via headers like X-Forwarded-For, - User-Agent, Referer, and X-Api-Version. In this detection we first limit the scope - of our search to the Web Datamodel and use the `| from datamodel` function to benefit - from schema accelerated searching capabilities, mainly because the second part of - the detection is pretty heavy, it runs a regex across all _raw events that looks - for `${jndi:ldap://` pattern across all potential web fields available to the raw - data, like http headers for example. If you see results for this detection, it means - that there was a attempt at a injection, which could be a reconnaissance activity - or a valid expliotation attempt, but this does not exactly mean that the host was - indeed successfully exploited. -data_source: +description: The following analytic identifies attempts to inject Log4Shell JNDI payloads + via web calls. It leverages the Web datamodel and uses regex to detect patterns + like `${jndi:ldap://` in raw web event data, including HTTP headers. This activity + is significant because it targets vulnerabilities in Java web applications using + Log4j, such as Apache Struts and Solr. If confirmed malicious, this could allow + attackers to execute arbitrary code, potentially leading to full system compromise. + Immediate investigation is required to determine if the attempt was successful and + to mitigate any potential exploitation. +data_source: - Nginx Access search: '| from datamodel Web.Web | regex _raw="[jJnNdDiI]{4}(\:|\%3A|\/|\%2F)\w+(\:\/\/|\%3A\%2F\%2F)(\$\{.*?\}(\.)?)?" | fillnull | stats count by action, category, dest, dest_port, http_content_type, @@ -80,6 +71,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/log4j_proxy_logs/log4j_proxy_logs.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/log4j_proxy_logs/log4j_proxy_logs.log source: nginx sourcetype: nginx:plus:kv diff --git a/detections/web/log4shell_jndi_payload_injection_with_outbound_connection.yml b/detections/web/log4shell_jndi_payload_injection_with_outbound_connection.yml index 1da495900c..a67f0cc60f 100644 --- a/detections/web/log4shell_jndi_payload_injection_with_outbound_connection.yml +++ b/detections/web/log4shell_jndi_payload_injection_with_outbound_connection.yml @@ -1,21 +1,19 @@ name: Log4Shell JNDI Payload Injection with Outbound Connection id: 69afee44-5c91-11ec-bf1f-497c9a704a72 -version: 1 -date: '2021-12-13' +version: 2 +date: '2024-05-16' author: Jose Hernandez status: production type: Anomaly -description: CVE-2021-44228 Log4Shell payloads can be injected via various methods, - but on of the most common vectors injection is via Web calls. Many of the vulnerable - java web applications that are using log4j have a web component to them are specially - targets of this injection, specifically projects like Apache Struts, Flink, Druid, - and Solr. The exploit is triggered by a LDAP lookup function in the log4j package, - its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, when executed against - vulnerable web applications the invocation can be seen in various part of web logs. - Specifically it has been successfully exploited via headers like X-Forwarded-For, - User-Agent, Referer, and X-Api-Version. In this detection we match the invocation - function with a network connection to a malicious ip address. -data_source: +description: The following analytic detects Log4Shell JNDI payload injections via + outbound connections. It identifies suspicious LDAP lookup functions in web logs, + such as `${jndi:ldap://PAYLOAD_INJECTED}`, and correlates them with network traffic + to known malicious IP addresses. This detection leverages the Web and Network_Traffic + data models in Splunk. Monitoring this activity is crucial as it targets vulnerabilities + in Java web applications using log4j, potentially leading to remote code execution. + If confirmed malicious, attackers could gain unauthorized access, execute arbitrary + code, and compromise sensitive data within the affected environment. +data_source: - Splunk Stream IP search: '| from datamodel Web.Web | rex field=_raw max_match=0 "[jJnNdDiI]{4}(\:|\%3A|\/|\%2F)(?\w+)(\:\/\/|\%3A\%2F\%2F)(\$\{.*?\}(\.)?)?(?[a-zA-Z0-9\.\-\_\$]+)" | join affected_host type=inner [| tstats `security_content_summariesonly` count @@ -75,9 +73,11 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/log4j_proxy_logs/log4j_proxy_logs.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/log4j_proxy_logs/log4j_proxy_logs.log source: nginx sourcetype: nginx:plus:kv - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/log4j_network_logs/log4j_network_logs.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/log4j_network_logs/log4j_network_logs.log source: stream:Splunk_IP sourcetype: stream:ip diff --git a/detections/web/microsoft_sharepoint_server_elevation_of_privilege.yml b/detections/web/microsoft_sharepoint_server_elevation_of_privilege.yml index 1972a83e54..fe3ef716bc 100644 --- a/detections/web/microsoft_sharepoint_server_elevation_of_privilege.yml +++ b/detections/web/microsoft_sharepoint_server_elevation_of_privilege.yml @@ -1,22 +1,30 @@ name: Microsoft SharePoint Server Elevation of Privilege id: fcf4bd3f-a79f-4b7a-83bf-2692d60b859d -version: 1 -date: '2023-09-27' +version: 2 +date: '2024-05-19' author: Michael Haag, Gowthamaraj Rajendran, Splunk status: production type: TTP -data_source: +data_source: - Suricata -description: The following analytic detects potential exploitation attempts against Microsoft SharePoint Server vulnerability CVE-2023-29357. This vulnerability pertains to an elevation of privilege due to improper handling of authentication tokens. By monitoring for suspicious activities related to SharePoint Server, the analytic identifies attempts to exploit this vulnerability. If a true positive is detected, it indicates a serious security breach where an attacker might have gained privileged access to the SharePoint environment, potentially leading to data theft or other malicious activities. -search: '| tstats count min(_time) as firstTime max(_time) - as lastTime from datamodel=Web where Web.url IN ("/_api/web/siteusers*","/_api/web/currentuser*") Web.status=200 Web.http_method=GET - by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype - | `drop_dm_object_name("Web")` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `microsoft_sharepoint_server_elevation_of_privilege_filter`' -how_to_implement: This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Microsoft SharePoint. -known_false_positives: False positives may occur if there are legitimate activities that mimic the exploitation pattern. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment. +description: The following analytic detects potential exploitation attempts against + Microsoft SharePoint Server vulnerability CVE-2023-29357. It leverages the Web datamodel + to monitor for specific API calls and HTTP methods indicative of privilege escalation + attempts. This activity is significant as it may indicate an attacker is trying + to gain unauthorized privileged access to the SharePoint environment. If confirmed + malicious, the impact could include unauthorized access to sensitive data, potential + data theft, and further compromise of the SharePoint server, leading to a broader + security breach. +search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web + where Web.url IN ("/_api/web/siteusers*","/_api/web/currentuser*") Web.status=200 + Web.http_method=GET by Web.http_user_agent, Web.status Web.http_method, Web.url, + Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `microsoft_sharepoint_server_elevation_of_privilege_filter`' +how_to_implement: This detection requires the Web datamodel to be populated from a + supported Technology Add-On like Splunk for Microsoft SharePoint. +known_false_positives: False positives may occur if there are legitimate activities + that mimic the exploitation pattern. It's recommended to review the context of the + alerts and adjust the analytic parameters to better fit the specific environment. references: - https://socradar.io/microsoft-sharepoint-server-elevation-of-privilege-vulnerability-exploit-cve-2023-29357/ - https://github.com/LuemmelSec/CVE-2023-29357/blob/main/CVE-2023-29357/Program.cs @@ -29,7 +37,7 @@ tags: atomic_guid: [] confidence: 50 impact: 90 - message: Possible exploitation of CVE-2023-29357 against $dest$ from $src$. + message: Possible exploitation of CVE-2023-29357 against $dest$ from $src$. mitre_attack_id: - T1068 observable: @@ -60,6 +68,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/sharepoint/sharepointeop.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/sharepoint/sharepointeop.log source: suricata - sourcetype: suricata \ No newline at end of file + sourcetype: suricata diff --git a/detections/web/nginx_connectwise_screenconnect_authentication_bypass.yml b/detections/web/nginx_connectwise_screenconnect_authentication_bypass.yml index 1fb504ca71..3dbacac6c5 100644 --- a/detections/web/nginx_connectwise_screenconnect_authentication_bypass.yml +++ b/detections/web/nginx_connectwise_screenconnect_authentication_bypass.yml @@ -1,19 +1,34 @@ name: Nginx ConnectWise ScreenConnect Authentication Bypass id: b3f7a803-e802-448b-8eb2-e796b223bccc -version: 1 -date: '2024-02-23' +version: 2 +date: '2024-05-16' author: Michael Haag, Splunk -data_source: +data_source: - Nginx Access type: TTP status: production -description: This analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1709 vulnerability, which allows an attacker to bypass authentication using an alternate path or channel. The vulnerability, identified as critical with a CVSS score of 10, enables unauthorized users to access the SetupWizard.aspx page on already-configured ScreenConnect instances, potentially leading to the creation of administrative users and remote code execution. The search query provided looks for web requests to the SetupWizard.aspx page that could indicate exploitation attempts. This detection is crucial for identifying and responding to active exploitation of this vulnerability in environments running affected versions of ScreenConnect (23.9.7 and prior). It is recommended to update to version 23.9.8 or above immediately to remediate the issue, as detailed in the ConnectWise security advisory and further analyzed by Huntress researchers. -search: '`nginx_access_logs` uri_path IN ("*/SetupWizard.aspx/*","*/SetupWizard/") status=200 http_method=POST | stats count min(_time) as firstTime max(_time) as lastTime by src, dest, http_user_agent, url, uri_path, status, http_method, sourcetype, source - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +description: The following analytic detects attempts to exploit the ConnectWise ScreenConnect + CVE-2024-1709 vulnerability, which allows attackers to bypass authentication via + alternate paths or channels. It leverages Nginx access logs to identify web requests + to the SetupWizard.aspx page, indicating potential exploitation. This activity is + significant as it can lead to unauthorized administrative access and remote code + execution. If confirmed malicious, attackers could create administrative users and + gain full control over the affected ScreenConnect instance, posing severe security + risks. Immediate remediation by updating to version 23.9.8 or above is recommended. +search: '`nginx_access_logs` uri_path IN ("*/SetupWizard.aspx/*","*/SetupWizard/") + status=200 http_method=POST | stats count min(_time) as firstTime max(_time) as + lastTime by src, dest, http_user_agent, url, uri_path, status, http_method, sourcetype, + source | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `nginx_connectwise_screenconnect_authentication_bypass_filter`' -how_to_implement: To implement this analytic, ensure proper logging is occurring with Nginx, access.log and error.log, and that these logs are being ingested into Splunk. STRT utilizes this nginx.conf https://gist.github.com/MHaggis/26f59108b04da8f1d870c9cc3a3c8eec to properly log as much data with Nginx. -known_false_positives: False positives are not expected, as the detection is based on the presence of web requests to the SetupWizard.aspx page, which is not a common page to be accessed by legitimate users. Note that the analytic is limited to HTTP POST and a status of 200 to reduce false positives. Modify the query as needed to reduce false positives or hunt for additional indicators of compromise. +how_to_implement: To implement this analytic, ensure proper logging is occurring with + Nginx, access.log and error.log, and that these logs are being ingested into Splunk. + STRT utilizes this nginx.conf https://gist.github.com/MHaggis/26f59108b04da8f1d870c9cc3a3c8eec + to properly log as much data with Nginx. +known_false_positives: False positives are not expected, as the detection is based + on the presence of web requests to the SetupWizard.aspx page, which is not a common + page to be accessed by legitimate users. Note that the analytic is limited to HTTP + POST and a status of 200 to reduce false positives. Modify the query as needed to + reduce false positives or hunt for additional indicators of compromise. references: - https://docs.splunk.com/Documentation/AddOns/released/NGINX/Sourcetypes - https://gist.github.com/MHaggis/26f59108b04da8f1d870c9cc3a3c8eec @@ -26,7 +41,8 @@ tags: asset_type: Web Proxy confidence: 100 impact: 100 - message: An authentication bypass attempt against ScreenConnect has been detected on $dest$. + message: An authentication bypass attempt against ScreenConnect has been detected + on $dest$. mitre_attack_id: - T1190 observable: @@ -53,10 +69,11 @@ tags: security_domain: network cve: - CVE-2024-1708 - - CVE-2024-1709 + - CVE-2024-1709 tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/screenconnect/nginx_screenconnect.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/screenconnect/nginx_screenconnect.log sourcetype: nginx:plus:kv source: nginx:plus:kv diff --git a/detections/web/papercut_ng_remote_web_access_attempt.yml b/detections/web/papercut_ng_remote_web_access_attempt.yml index acbc6c76cc..1fc500207c 100644 --- a/detections/web/papercut_ng_remote_web_access_attempt.yml +++ b/detections/web/papercut_ng_remote_web_access_attempt.yml @@ -1,25 +1,37 @@ name: PaperCut NG Remote Web Access Attempt id: 9fcb214a-dc42-4ce7-a650-f1d2cab16a6a -version: 1 -date: '2023-05-15' +version: 2 +date: '2024-05-23' author: Michael Haag, Splunk status: production type: TTP -data_source: +data_source: - Suricata -description: The following analytic is designed to detect potential exploitation attempts on publicly accessible PaperCut NG servers. It identifies connections from public IP addresses to the server and specifically monitors for URI paths commonly found in proof-of-concept (POC) scripts for exploiting PaperCut NG vulnerabilities. These URI paths have been observed in both Metasploit modules and standalone scripts used for attacking PaperCut NG servers. - When a public IP address is detected accessing one or more of these suspicious URI paths, an alert may be generated to notify the security team of the potential threat. The team can then investigate the source IP address, the targeted PaperCut NG server, and any other relevant information to determine the nature of the activity and take appropriate actions to mitigate the risk. -search: '| tstats count from datamodel=Web where Web.url IN ("/app?service=page/SetupCompleted", "/app", "/app?service=page/PrinterList", "/app?service=direct/1/PrinterList/selectPrinter&sp=*", "/app?service=direct/1/PrinterDetails/printerOptionsTab.tab") NOT (src IN ("10.*.*.*","172.16.*.*", "192.168.*.*", "169.254.*.*", "127.*.*.*", "fc00::*", "fd00::*", "fe80::*")) by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest Web.dest_port sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` +description: The following analytic detects potential exploitation attempts on publicly + accessible PaperCut NG servers. It identifies connections from public IP addresses + to the server, specifically monitoring URI paths commonly used in proof-of-concept + scripts for exploiting PaperCut NG vulnerabilities. This detection leverages web + traffic data from the `Web` datamodel, focusing on specific URI paths and excluding + internal IP ranges. This activity is significant as it may indicate an attempt to + exploit known vulnerabilities in PaperCut NG, potentially leading to unauthorized + access or control of the server. If confirmed malicious, attackers could gain administrative + access, leading to data breaches or further network compromise. +search: '| tstats count from datamodel=Web where Web.url IN ("/app?service=page/SetupCompleted", + "/app", "/app?service=page/PrinterList", "/app?service=direct/1/PrinterList/selectPrinter&sp=*", + "/app?service=direct/1/PrinterDetails/printerOptionsTab.tab") NOT (src IN ("10.*.*.*","172.16.*.*", + "192.168.*.*", "169.254.*.*", "127.*.*.*", "fc00::*", "fd00::*", "fe80::*")) by + Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest Web.dest_port + sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `papercut_ng_remote_web_access_attempt_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel. known_false_positives: False positives may be present, filter as needed. references: - - https://www.cisa.gov/news-events/alerts/2023/05/11/cisa-and-fbi-release-joint-advisory-response-active-exploitation-papercut-vulnerability - - https://www.papercut.com/kb/Main/PO-1216-and-PO-1219 - - https://www.horizon3.ai/papercut-cve-2023-27350-deep-dive-and-indicators-of-compromise/ - - https://www.bleepingcomputer.com/news/security/hackers-actively-exploit-critical-rce-bug-in-papercut-servers/ - - https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software +- https://www.cisa.gov/news-events/alerts/2023/05/11/cisa-and-fbi-release-joint-advisory-response-active-exploitation-papercut-vulnerability +- https://www.papercut.com/kb/Main/PO-1216-and-PO-1219 +- https://www.horizon3.ai/papercut-cve-2023-27350-deep-dive-and-indicators-of-compromise/ +- https://www.bleepingcomputer.com/news/security/hackers-actively-exploit-critical-rce-bug-in-papercut-servers/ +- https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software tags: analytic_story: - PaperCut MF NG Vulnerability @@ -54,6 +66,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/papercut/papercutng-suricata.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/papercut/papercutng-suricata.log source: suricata sourcetype: suricata diff --git a/detections/web/proxyshell_proxynotshell_behavior_detected.yml b/detections/web/proxyshell_proxynotshell_behavior_detected.yml index e62809b2a9..a7a9c09997 100644 --- a/detections/web/proxyshell_proxynotshell_behavior_detected.yml +++ b/detections/web/proxyshell_proxynotshell_behavior_detected.yml @@ -1,20 +1,19 @@ name: ProxyShell ProxyNotShell Behavior Detected id: c32fab32-6aaf-492d-bfaf-acbed8e50cdf -version: 1 -date: '2023-07-10' +version: 2 +date: '2024-05-21' author: Michael Haag, Splunk status: production type: Correlation -description: The following correlation will identify activity related to Windows Exchange - being actively exploited by adversaries related to ProxyShell or ProxyNotShell. - In addition, the analytic correlates post-exploitation Cobalt Strike analytic story. - Common post-exploitation behavior has been seen in the wild includes adversaries - running nltest, Cobalt Strike, Mimikatz and adding a new user. The correlation specifically - looks for 5 distinct analyticstories to trigger. Modify or tune as needed for your - organization. 5 analytics is an arbitrary number but was chosen to reduce the amount - of noise but also require the 2 analytic stories or a ProxyShell and CobaltStrike - to fire. Adversaries will exploit the vulnerable Exchange server, abuse SSRF, drop - a web shell, utilize the PowerShell Exchange modules and begin post-exploitation. +description: The following analytic identifies potential exploitation of Windows Exchange + servers via ProxyShell or ProxyNotShell vulnerabilities, followed by post-exploitation + activities such as running nltest, Cobalt Strike, Mimikatz, and adding new users. + It leverages data from multiple analytic stories, requiring at least five distinct + sources to trigger, thus reducing noise. This activity is significant as it indicates + a high likelihood of an active compromise, potentially leading to unauthorized access, + privilege escalation, and persistent threats within the environment. If confirmed + malicious, attackers could gain control over the Exchange server, exfiltrate data, + and maintain long-term access. data_source: [] search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) @@ -71,7 +70,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/proxyshell/proxyshell-risk.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/proxyshell/proxyshell-risk.log source: proxyshell sourcetype: stash update_timestamp: true diff --git a/detections/web/spring4shell_payload_url_request.yml b/detections/web/spring4shell_payload_url_request.yml index a19a9c0b3b..1355219306 100644 --- a/detections/web/spring4shell_payload_url_request.yml +++ b/detections/web/spring4shell_payload_url_request.yml @@ -1,16 +1,19 @@ name: Spring4Shell Payload URL Request id: 9d44d649-7d67-4559-95c1-8022ff49420b -version: 1 -date: '2022-07-12' +version: 2 +date: '2024-05-26' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic is static indicators related to CVE-2022-22963, - Spring4Shell. The 3 indicators provide an amount of fidelity that source IP is attemping - to exploit a web shell on the destination. The filename and cmd are arbitrary in - this exploitation. Java will write a JSP to disk and a process will spawn from Java - based on the cmd passed. This is indicative of typical web shell activity. -data_source: +description: The following analytic detects attempts to exploit the Spring4Shell vulnerability + (CVE-2022-22963) by identifying specific URL patterns associated with web shell + payloads. It leverages web traffic data, focusing on HTTP GET requests with URLs + containing indicators like "tomcatwar.jsp," "poc.jsp," and "shell.jsp." This activity + is significant as it suggests an attacker is trying to deploy a web shell, which + can lead to remote code execution. If confirmed malicious, this could allow the + attacker to gain persistent access, execute arbitrary commands, and potentially + escalate privileges within the compromised environment. +data_source: - Nginx Access search: '| tstats count from datamodel=Web where Web.http_method IN ("GET") Web.url IN ("*tomcatwar.jsp*","*poc.jsp*","*shell.jsp*") by Web.http_user_agent Web.http_method, @@ -64,6 +67,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/spring4shell/spring4shell_nginx.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/spring4shell/spring4shell_nginx.log source: /var/log/nginx/access.log sourcetype: nginx:plus:kv diff --git a/detections/web/sql_injection_with_long_urls.yml b/detections/web/sql_injection_with_long_urls.yml index a4d7f4738a..768940b1f0 100644 --- a/detections/web/sql_injection_with_long_urls.yml +++ b/detections/web/sql_injection_with_long_urls.yml @@ -1,11 +1,18 @@ name: SQL Injection with Long URLs id: e0aad4cf-0790-423b-8328-7564d0d938f9 -version: 3 -date: '2022-03-28' +version: 4 +date: '2024-05-12' author: Bhavin Patel, Splunk status: experimental type: TTP -description: "The following analytic detects long URLs that contain multiple SQL commands. A proactive approach helps to detect and respond to potential threats earlier, mitigating the risks associated with SQL injection attacks. This detection is made by a Splunk query that searches for web traffic data where the destination category is a web server and the URL length is greater than 1024 characters or the HTTP user agent length is greater than 200 characters. This detection is important because it suggests that an attacker is attempting to exploit a web application through SQL injection. SQL injection is a common technique used by attackers to exploit vulnerabilities in web applications and gain unauthorized access to databases. Attackers can insert malicious SQL commands into a URL to manipulate the application's database and retrieve sensitive information or modify data. The impact of a successful SQL injection attack can be severe, potentially leading to data breaches, unauthorized access, and even complete compromise of the affected system. False positives might occur since the legitimate use of web applications or specific URLs in your environment can trigger the detection. Therefore, you must review and validate any alerts generated by this analytic before taking any action. Next steps include reviewing the source and destination of the web traffic, as well as the specific URL and HTTP user agent. Additionally, capture and analyze any relevant on-disk artifacts and review concurrent processes to determine the source of the attack." +description: "The following analytic detects long URLs containing multiple SQL commands, + indicating a potential SQL injection attack. This detection leverages web traffic + data, specifically targeting web server destinations with URLs longer than 1024 + characters or HTTP user agents longer than 200 characters. SQL injection is significant + as it allows attackers to manipulate a web application's database, potentially leading + to unauthorized data access or modification. If confirmed malicious, this activity + could result in data breaches, unauthorized access, and complete system compromise. + Immediate investigation and validation of alerts are crucial to mitigate these risks." data_source: [] search: '| tstats `security_content_summariesonly` count from datamodel=Web where Web.dest_category=web_server AND (Web.url_length > 1024 OR Web.http_user_agent_length diff --git a/detections/web/supernova_webshell.yml b/detections/web/supernova_webshell.yml index 1080be1b61..df3acd20f3 100644 --- a/detections/web/supernova_webshell.yml +++ b/detections/web/supernova_webshell.yml @@ -1,12 +1,12 @@ name: Supernova Webshell id: 2ec08a09-9ff1-4dac-b59f-1efd57972ec1 -version: 1 -date: '2021-01-06' +version: 2 +date: '2024-05-26' author: John Stoner, Splunk status: experimental type: TTP description: |- - The following analytic detects the presence of the Supernova webshell, which was used in the SUNBURST attack. This webshell can be used by attackers to gain unauthorized access to a compromised system and run arbitrary code. This detection is made by a Splunk query that searches for specific patterns in web URLs, including "*logoimagehandler.ashx*codes*", "*logoimagehandler.ashx*clazz*", "*logoimagehandler.ashx*method*", and "*logoimagehandler.ashx*args*". These patterns are commonly used by the Supernova webshell to communicate with its command and control server. This detection is important because it indicates a potential compromise and unauthorized access to the system to run arbitrary code, which can lead to data theft, ransomware, or other damaging outcomes. False positives might occur since the patterns used by the webshell can also be present in legitimate web traffic. In such cases, tune the search to the specific environment and monitor it closely for any suspicious activity. Next steps include reviewing the web URLs and inspecting any relevant on-disk artifacts. Additionally, review concurrent processes and network connections to identify the source of the attack. + The following analytic detects the presence of the Supernova webshell, used in the SUNBURST attack, by identifying specific patterns in web URLs. The detection leverages Splunk to search for URLs containing "*logoimagehandler.ashx*codes*", "*logoimagehandler.ashx*clazz*", "*logoimagehandler.ashx*method*", and "*logoimagehandler.ashx*args*". This activity is significant as it indicates potential unauthorized access and arbitrary code execution on a compromised system. If confirmed malicious, this could lead to data theft, ransomware deployment, or other severe outcomes. Immediate steps include reviewing the web URLs, inspecting on-disk artifacts, and analyzing concurrent processes and network connections. data_source: [] search: '| tstats `security_content_summariesonly` count from datamodel=Web.Web where web.url=*logoimagehandler.ashx*codes* OR Web.url=*logoimagehandler.ashx*clazz* OR diff --git a/detections/web/vmware_aria_operations_exploit_attempt.yml b/detections/web/vmware_aria_operations_exploit_attempt.yml index e10cf0e98e..a873108626 100644 --- a/detections/web/vmware_aria_operations_exploit_attempt.yml +++ b/detections/web/vmware_aria_operations_exploit_attempt.yml @@ -1,29 +1,30 @@ name: VMWare Aria Operations Exploit Attempt id: d5d865e4-03e6-43da-98f4-28a4f42d4df7 -version: 1 -date: '2023-06-21' +version: 2 +date: '2024-05-19' author: Michael Haag, Splunk status: production type: TTP -data_source: +data_source: - Palo Alto Network Threat -description: The following analytic is designed to detect potential exploitation attempts against VMWare vRealize Network Insight that align with the characteristics of CVE-2023-20887. This specific vulnerability is a critical security flaw that, if exploited, could allow an attacker to execute arbitrary code on the affected system. - - The analytic operates by monitoring web traffic, specifically HTTP POST requests, directed towards a specific URL endpoint ("/saas./resttosaasservlet"). This endpoint is known to be vulnerable and is a common target for attackers exploiting this vulnerability. - - The behavior this analytic detects is the sending of HTTP POST requests to the vulnerable endpoint. This is a significant indicator of an attempted exploit as it is the primary method used to trigger the vulnerability. The analytic detects this behavior by analyzing web traffic data and identifying HTTP POST requests directed at the vulnerable endpoint. - - Identifying this behavior is crucial for a Security Operations Center (SOC) as it can indicate an active attempt to exploit a known vulnerability within the network. If the identified behavior is a true positive, it suggests an attacker is attempting to exploit the CVE-2023-20887 vulnerability in VMWare vRealize Network Insight. The impact of such an attack could be severe, potentially allowing the attacker to execute arbitrary code on the affected system, leading to unauthorized access, data theft, or further propagation within the network. -search: '| tstats count min(_time) as firstTime max(_time) - as lastTime from datamodel=Web where Web.url IN ("*/saas./resttosaasservlet*") Web.http_method=POST Web.status IN ("unknown", "200") - by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype - | `drop_dm_object_name("Web")` - | `security_content_ctime(firstTime)` +description: The following analytic detects potential exploitation attempts against + VMWare vRealize Network Insight, specifically targeting the CVE-2023-20887 vulnerability. + It monitors web traffic for HTTP POST requests directed at the vulnerable endpoint + "/saas./resttosaasservlet." This detection leverages web traffic data, focusing + on specific URL patterns and HTTP methods. Identifying this behavior is crucial + for a SOC as it indicates an active exploit attempt. If confirmed malicious, the + attacker could execute arbitrary code, leading to unauthorized access, data theft, + or further network compromise. +search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web + where Web.url IN ("*/saas./resttosaasservlet*") Web.http_method=POST Web.status + IN ("unknown", "200") by Web.http_user_agent, Web.status Web.http_method, Web.url, + Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `vmware_aria_operations_exploit_attempt_filter`' how_to_implement: To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. Restrict to specific dest assets to reduce false positives. -known_false_positives: False positives will be present based on gateways in use, modify the status field as needed. +known_false_positives: False positives will be present based on gateways in use, modify + the status field as needed. references: - https://nvd.nist.gov/vuln/detail/CVE-2023-20887 - https://viz.greynoise.io/tag/vmware-aria-operations-for-networks-rce-attempt?days=30 @@ -38,7 +39,8 @@ tags: atomic_guid: [] confidence: 80 impact: 90 - message: An exploitation attempt has occurred against $dest$ from $src$ related to CVE-2023-20887 + message: An exploitation attempt has occurred against $dest$ from $src$ related + to CVE-2023-20887 mitre_attack_id: - T1133 - T1190 @@ -69,6 +71,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/vmware/vmware_aria.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/vmware/vmware_aria.log source: pan:threat sourcetype: pan:threat diff --git a/detections/web/vmware_workspace_one_freemarker_server_side_template_injection.yml b/detections/web/vmware_workspace_one_freemarker_server_side_template_injection.yml index 5e957a2d05..65d65d4321 100644 --- a/detections/web/vmware_workspace_one_freemarker_server_side_template_injection.yml +++ b/detections/web/vmware_workspace_one_freemarker_server_side_template_injection.yml @@ -1,17 +1,19 @@ name: VMware Workspace ONE Freemarker Server-side Template Injection id: 9e5726fe-8fde-460e-bd74-cddcf6c86113 -version: 1 -date: '2022-05-19' +version: 2 +date: '2024-05-19' author: Michael Haag, Splunk status: production type: Anomaly -description: The following analytic identifies the server side template injection - related to CVE-2022-22954. Based on the scanning activity across the internet and - proof of concept code available the template injection occurs at catalog-portal/ui/oauth/verify?error=&deviceudid=. - Upon triage, review parallel processes and VMware logs. Following the deviceudid= - may be a command to be executed. Capture any file creates and review modified files - on disk. -data_source: +description: The following analytic detects server-side template injection attempts + related to CVE-2022-22954 in VMware Workspace ONE. It leverages web or proxy logs + to identify HTTP GET requests to the endpoint catalog-portal/ui/oauth/verify with + the freemarker.template.utility.Execute command. This activity is significant as + it indicates potential exploitation attempts that could lead to remote code execution. + If confirmed malicious, an attacker could execute arbitrary commands on the server, + leading to full system compromise, data exfiltration, or further lateral movement + within the network. +data_source: - Palo Alto Network Threat search: '| tstats count from datamodel=Web where Web.http_method IN ("GET") Web.url="*/catalog-portal/ui/oauth/verify?error=&deviceudid=*" AND Web.url="*freemarker.template.utility.Execute*" by Web.http_user_agent Web.http_method, @@ -63,7 +65,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/vmware/vmware_scanning_pan_threat.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/vmware/vmware_scanning_pan_threat.log source: pan:threat sourcetype: pan:threat update_timestamp: true diff --git a/detections/web/web_jsp_request_via_url.yml b/detections/web/web_jsp_request_via_url.yml index 09505d855f..1fce35b1a7 100644 --- a/detections/web/web_jsp_request_via_url.yml +++ b/detections/web/web_jsp_request_via_url.yml @@ -1,16 +1,19 @@ name: Web JSP Request via URL id: 2850c734-2d44-4431-8139-1a56f6f54c01 -version: 1 -date: '2022-04-05' +version: 2 +date: '2024-05-15' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies the common URL requests used by a recent - CVE - CVE-2022-22965, or Spring4Shell, to access a webshell on the remote webserver. - The filename and cmd are arbitrary in this exploitation. Java will write a JSP to - disk and a process will spawn from Java based on the cmd passed. This is indicative - of typical web shell activity. -data_source: +description: The following analytic identifies URL requests associated with CVE-2022-22965 + (Spring4Shell) exploitation attempts, specifically targeting webshell access on + a remote webserver. It detects HTTP GET requests with URLs containing ".jsp?cmd=" + or "j&cmd=" patterns. This activity is significant as it indicates potential webshell + deployment, which can lead to unauthorized remote command execution. If confirmed + malicious, attackers could gain control over the webserver, execute arbitrary commands, + and potentially escalate privileges, leading to severe data breaches and system + compromise. +data_source: - Nginx Access search: '| tstats count from datamodel=Web where Web.http_method IN ("GET") Web.url IN ("*.jsp?cmd=*","*j&cmd=*") by Web.http_user_agent Web.http_method, Web.url,Web.url_length @@ -65,6 +68,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/spring4shell/spring4shell_nginx.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/spring4shell/spring4shell_nginx.log source: /var/log/nginx/access.log sourcetype: nginx:plus:kv diff --git a/detections/web/web_remote_shellservlet_access.yml b/detections/web/web_remote_shellservlet_access.yml index 6177f925fe..10353c2884 100644 --- a/detections/web/web_remote_shellservlet_access.yml +++ b/detections/web/web_remote_shellservlet_access.yml @@ -1,19 +1,30 @@ name: Web Remote ShellServlet Access id: c2a332c3-24a2-4e24-9455-0e80332e6746 -version: 2 -date: '2024-04-02' +version: 3 +date: '2024-05-19' author: Michael Haag, Splunk status: production type: TTP -data_source: +data_source: - Nginx Access -description: This analytic identifies attempts to access the Remote ShellServlet on a web server, which is utilized to execute commands. Such activity is commonly linked with web shells and other forms of malicious behavior. It was specifically detected on a Confluence server in relation to CVE-2023-22518 and CVE-2023-22515. Activities preceding access to the shell servlet include the addition of a plugin to Confluence. Additionally, it is advisable to monitor for ShellServlet?act=3, ShellServlet, or obfuscated variations such as Sh3llServlet1. -search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*plugins/servlet/com.jsos.shell/*") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype - | `drop_dm_object_name("Web")` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `web_remote_shellservlet_access_filter`' -how_to_implement: This analytic necessitates the collection of web data, which can be achieved through Splunk Stream or by utilizing the Splunk Add-on for Apache Web Server. No additional configuration is required for this analytic. -known_false_positives: False positives may occur depending on the web server's configuration. If the web server is intentionally configured to utilize the Remote ShellServlet, then the detections by this analytic would not be considered true positives. +description: The following analytic identifies attempts to access the Remote ShellServlet + on a web server, specifically targeting Confluence servers vulnerable to CVE-2023-22518 + and CVE-2023-22515. It leverages web data to detect URLs containing "*plugins/servlet/com.jsos.shell/*" + with a status code of 200. This activity is significant as it is commonly associated + with web shells and other malicious behaviors, potentially leading to unauthorized + command execution. If confirmed malicious, attackers could gain remote code execution + capabilities, compromising the server and potentially the entire network. +search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web + where Web.url IN ("*plugins/servlet/com.jsos.shell/*") Web.status=200 by Web.http_user_agent, + Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype + | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `web_remote_shellservlet_access_filter`' +how_to_implement: This analytic necessitates the collection of web data, which can + be achieved through Splunk Stream or by utilizing the Splunk Add-on for Apache Web + Server. No additional configuration is required for this analytic. +known_false_positives: False positives may occur depending on the web server's configuration. + If the web server is intentionally configured to utilize the Remote ShellServlet, + then the detections by this analytic would not be considered true positives. references: - http://www.servletsuite.com/servlets/shell.htm tags: @@ -23,7 +34,8 @@ tags: atomic_guid: [] confidence: 90 impact: 90 - message: An attempt to access the Remote ShellServlet on a web server was detected. The source IP is $src$ and the destination hostname is $dest$. + message: An attempt to access the Remote ShellServlet on a web server was detected. + The source IP is $src$ and the destination hostname is $dest$. mitre_attack_id: - T1190 observable: @@ -53,6 +65,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/confluence/nginx_shellservlet.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/confluence/nginx_shellservlet.log source: /var/log/nginx/access.log sourcetype: nginx:plus:kv diff --git a/detections/web/web_spring4shell_http_request_class_module.yml b/detections/web/web_spring4shell_http_request_class_module.yml index 6b7c4e4983..c0b3fb7032 100644 --- a/detections/web/web_spring4shell_http_request_class_module.yml +++ b/detections/web/web_spring4shell_http_request_class_module.yml @@ -1,15 +1,19 @@ name: Web Spring4Shell HTTP Request Class Module id: fcdfd69d-0ca3-4476-920e-9b633cb4593e -version: 1 -date: '2022-04-06' +version: 2 +date: '2024-05-28' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies the payload related to Spring4Shell, - CVE-2022-22965. This analytic uses Splunk Stream HTTP to view the http request body, - form data. STRT reviewed all the current proof of concept code and determined the - commonality with the payloads being passed used the same fields "class.module.classLoader.resources.context.parent.pipeline.first". -data_source: +description: The following analytic detects HTTP requests containing payloads related + to the Spring4Shell vulnerability (CVE-2022-22965). It leverages Splunk Stream HTTP + data to inspect the HTTP request body and form data for specific fields such as + "class.module.classLoader.resources.context.parent.pipeline.first". This activity + is significant as it indicates an attempt to exploit a critical vulnerability in + Spring Framework, potentially leading to remote code execution. If confirmed malicious, + this could allow attackers to gain unauthorized access, execute arbitrary code, + and compromise the affected system. +data_source: - Splunk Stream HTTP search: '`stream_http` http_method IN ("POST") | stats values(form_data) as http_request_body min(_time) as firstTime max(_time) as lastTime count by src dest http_method http_user_agent @@ -63,6 +67,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/spring4shell/http_request_body_streams.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/spring4shell/http_request_body_streams.log source: stream:http sourcetype: stream:http diff --git a/detections/web/web_spring_cloud_function_functionrouter.yml b/detections/web/web_spring_cloud_function_functionrouter.yml index e08aa4b4e6..f850adbf3b 100644 --- a/detections/web/web_spring_cloud_function_functionrouter.yml +++ b/detections/web/web_spring_cloud_function_functionrouter.yml @@ -1,18 +1,19 @@ name: Web Spring Cloud Function FunctionRouter id: 89dddbad-369a-4f8a-ace2-2439218735bc -version: 1 -date: '2022-04-05' +version: 2 +date: '2024-05-22' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies activity related to the web application - Spring Cloud Function that was recently idenfied as vulnerable. This is CVE-2022-22963. - Multiple proof of concept code was released. The URI that is hit includes `functionrouter`. - The specifics of the exploit include a status of 500. In this query we did not include - it, but for filtering you can add Web.status=500. The exploit data itself (based - on all the POCs) is located in the form_data field. This field will include all - class.modules being called. -data_source: +description: The following analytic identifies HTTP POST requests to the Spring Cloud + Function endpoint containing "functionRouter" in the URL. It leverages the Web data + model to detect these requests based on specific fields such as http_method, url, + and http_user_agent. This activity is significant because it targets CVE-2022-22963, + a known vulnerability in Spring Cloud Function, which has multiple proof-of-concept + exploits available. If confirmed malicious, this activity could allow attackers + to execute arbitrary code, potentially leading to unauthorized access, data exfiltration, + or further compromise of the affected system. +data_source: - Splunk Stream HTTP search: '| tstats count from datamodel=Web where Web.http_method IN ("POST") Web.url="*/functionRouter*" by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest @@ -64,6 +65,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/spring4shell/all_functionrouter_http_streams.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/spring4shell/all_functionrouter_http_streams.log source: stream:http sourcetype: stream:http diff --git a/detections/web/windows_exchange_autodiscover_ssrf_abuse.yml b/detections/web/windows_exchange_autodiscover_ssrf_abuse.yml index 22f9862f3e..8ff6285ca5 100644 --- a/detections/web/windows_exchange_autodiscover_ssrf_abuse.yml +++ b/detections/web/windows_exchange_autodiscover_ssrf_abuse.yml @@ -1,20 +1,18 @@ name: Windows Exchange Autodiscover SSRF Abuse id: d436f9e7-0ee7-4a47-864b-6dea2c4e2752 -version: 1 -date: '2023-07-10' +version: 2 +date: '2024-05-16' author: Michael Haag, Nathaniel Stearns, Splunk status: production type: TTP -description: The following analytic utilizes the Web datamodel and identifies the - ProxyShell or ProxyNotShell abuse. This vulnerability is a Server Side Request Forgery - (SSRF) vulnerability, which is a web vulnerability that allows an adversary to exploit - vulnerable functionality to access server side or local network services by affectively - traversing the external firewall using vulnerable web functionality. This analytic - looks for the URI path and query of autodiscover, powershell and mapi along with - a POST occurring. It will tally a simple score and show the output of the events - that match. This analytic may be added to by simply creating a new eval statement - and modifying the hardcode digit for Score. -data_source: +description: The following analytic detects potential abuse of the ProxyShell or ProxyNotShell + vulnerabilities in Microsoft Exchange via Server Side Request Forgery (SSRF). It + leverages the Web datamodel to identify suspicious POST requests with specific URI + paths and queries related to autodiscover, powershell, and mapi. This activity is + significant as it may indicate an attempt to exploit Exchange server vulnerabilities + to access internal services or sensitive data. If confirmed malicious, this could + lead to unauthorized access, data exfiltration, or further compromise of the network. +data_source: - Windows IIS search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where (Web.status=200 OR Web.status=302 OR Web.status=401) @@ -79,7 +77,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/proxyshell/proxyshell.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/proxyshell/proxyshell.log source: ms:iis:splunk sourcetype: ms:iis:splunk update_timestamp: true diff --git a/detections/web/wordpress_bricks_builder_plugin_rce.yml b/detections/web/wordpress_bricks_builder_plugin_rce.yml index 6d55c5e9b8..8be952b7ad 100644 --- a/detections/web/wordpress_bricks_builder_plugin_rce.yml +++ b/detections/web/wordpress_bricks_builder_plugin_rce.yml @@ -1,33 +1,45 @@ name: WordPress Bricks Builder plugin RCE id: 56a8771a-3fda-4959-b81d-2f266e2f679f -version: 1 -date: '2024-02-22' +version: 2 +date: '2024-05-17' author: Michael Haag, Splunk -data_source: +data_source: - Nginx Access type: TTP status: production -description: The following analytic identifies potential exploitation of the WordPress Bricks Builder plugin RCE vulnerability. The search is focused on the URL path "/wp-json/bricks/v1/render_element" with a status code of 200 and a POST method. It has been addressed by the theme developers in version 1.9.6.1 released on February 13, 2024. The vulnerability is tracked as CVE-2024-25600. The POC exploit is simple enough and will spawn commands on the target server. The exploit is actively being used in the wild. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*/wp-json/bricks/v1/render_element") Web.status=200 Web.http_method=POST by Web.src, Web.dest, Web.http_user_agent, Web.url, Web.uri_path, Web.status, Web.http_method, sourcetype, source - | `drop_dm_object_name("Web")` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `wordpress_bricks_builder_plugin_rce_filter`' -how_to_implement: The search is based on data in the Web datamodel and was modeled from NGINX logs. Ensure that the Web datamodel is accelerated and that the data source for the Web datamodel is properly configured. If using other web sources, modify they query, or review the data, as needed. -known_false_positives: False positives may be possible, however we restricted it to HTTP Status 200 and POST requests, based on the POC. Upon investigation review the POST body for the actual payload - or command - being executed. +description: The following analytic identifies potential exploitation of the WordPress + Bricks Builder plugin RCE vulnerability. It detects HTTP POST requests to the URL + path "/wp-json/bricks/v1/render_element" with a status code of 200, leveraging the + Web datamodel. This activity is significant as it indicates an attempt to exploit + CVE-2024-25600, a known vulnerability that allows remote code execution. If confirmed + malicious, an attacker could execute arbitrary commands on the target server, leading + to potential full system compromise and unauthorized access to sensitive data. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Web where Web.url IN ("*/wp-json/bricks/v1/render_element") + Web.status=200 Web.http_method=POST by Web.src, Web.dest, Web.http_user_agent, Web.url, + Web.uri_path, Web.status, Web.http_method, sourcetype, source | `drop_dm_object_name("Web")` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wordpress_bricks_builder_plugin_rce_filter`' +how_to_implement: The search is based on data in the Web datamodel and was modeled + from NGINX logs. Ensure that the Web datamodel is accelerated and that the data + source for the Web datamodel is properly configured. If using other web sources, + modify they query, or review the data, as needed. +known_false_positives: False positives may be possible, however we restricted it to + HTTP Status 200 and POST requests, based on the POC. Upon investigation review the + POST body for the actual payload - or command - being executed. references: - - https://attack.mitre.org/techniques/T1190 - - https://github.com/Tornad0007/CVE-2024-25600-Bricks-Builder-plugin-for-WordPress/blob/main/exploit.py - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25600 - - https://op-c.net/blog/cve-2024-25600-wordpresss-bricks-builder-rce-flaw-under-active-exploitation/ - - https://thehackernews.com/2024/02/wordpress-bricks-theme-under-active.html +- https://attack.mitre.org/techniques/T1190 +- https://github.com/Tornad0007/CVE-2024-25600-Bricks-Builder-plugin-for-WordPress/blob/main/exploit.py +- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25600 +- https://op-c.net/blog/cve-2024-25600-wordpresss-bricks-builder-rce-flaw-under-active-exploitation/ +- https://thehackernews.com/2024/02/wordpress-bricks-theme-under-active.html tags: analytic_story: - WordPress Vulnerabilities asset_type: Web Server confidence: 100 impact: 100 - message: Potential exploitation of the WordPress Bricks Builder plugin RCE vulnerability on $dest$ by $src$. + message: Potential exploitation of the WordPress Bricks Builder plugin RCE vulnerability + on $dest$ by $src$. mitre_attack_id: - T1190 observable: @@ -60,6 +72,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/wordpress/bricks_cve_2024_25600.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/wordpress/bricks_cve_2024_25600.log source: nginx:plus:kv sourcetype: nginx:plus:kv diff --git a/detections/web/ws_ftp_remote_code_execution.yml b/detections/web/ws_ftp_remote_code_execution.yml index ed2889b9c9..12d1f3d7d0 100644 --- a/detections/web/ws_ftp_remote_code_execution.yml +++ b/detections/web/ws_ftp_remote_code_execution.yml @@ -1,21 +1,30 @@ name: WS FTP Remote Code Execution id: b84e8f39-4e7b-4d4f-9e7c-fcd29a227845 -version: 1 -date: '2023-10-01' +version: 2 +date: '2024-05-11' author: Michael Haag, Splunk status: production type: TTP -data_source: +data_source: - Suricata -description: 'The following analytic is designed to detect a Remote Code Execution (RCE) vulnerability (CVE-2023-40044) in WS_FTP, a managed file transfer software by Progress. The search specifically looks for HTTP requests to the "/AHT/AhtApiService.asmx/AuthUser" URL with a status of 200, which could indicate an exploitation attempt.' -search: '| tstats count min(_time) as firstTime max(_time) - as lastTime from datamodel=Web where Web.url IN ("/AHT/AhtApiService.asmx/AuthUser") Web.status=200 Web.http_method=POST - by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype - | `drop_dm_object_name("Web")` - | `security_content_ctime(firstTime)` +description: 'The following analytic detects potential Remote Code Execution (RCE) + attempts exploiting CVE-2023-40044 in WS_FTP software. It identifies HTTP POST requests + to the "/AHT/AhtApiService.asmx/AuthUser" URL with a status code of 200. This detection + leverages the Web datamodel to monitor specific URL patterns and HTTP status codes. + This activity is significant as it may indicate an exploitation attempt, potentially + allowing an attacker to execute arbitrary code on the server. If confirmed malicious, + this could lead to unauthorized access, data exfiltration, or further compromise + of the affected system.' +search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web + where Web.url IN ("/AHT/AhtApiService.asmx/AuthUser") Web.status=200 Web.http_method=POST + by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, + Web.dest, sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ws_ftp_remote_code_execution_filter`' -how_to_implement: The following analytic requires the Web datamodel. Ensure data source is mapped correctly or modify and tune for your data source. -known_false_positives: If WS_FTP Server is not in use, this analytic will not return results. Monitor and tune for your environment. Note the MetaSploit module is focused on only hitting /AHT/ and not the full /AHT/AhtApiService.asmx/AuthUser URL. +how_to_implement: The following analytic requires the Web datamodel. Ensure data source + is mapped correctly or modify and tune for your data source. +known_false_positives: If WS_FTP Server is not in use, this analytic will not return + results. Monitor and tune for your environment. Note the MetaSploit module is focused + on only hitting /AHT/ and not the full /AHT/AhtApiService.asmx/AuthUser URL. references: - https://github.com/projectdiscovery/nuclei-templates/pull/8296/files - https://www.assetnote.io/resources/research/rce-in-progress-ws-ftp-ad-hoc-via-iis-http-modules-cve-2023-40044 @@ -29,7 +38,8 @@ tags: atomic_guid: [] confidence: 80 impact: 90 - message: Potential WS FTP Remote Code Execution detected against URL $url$ on $dest$ from $src$ + message: Potential WS FTP Remote Code Execution detected against URL $url$ on $dest$ + from $src$ mitre_attack_id: - T1190 observable: @@ -40,11 +50,11 @@ tags: - name: dest type: Hostname role: - - Victim + - Victim - name: src type: IP Address role: - - Attacker + - Attacker product: - Splunk Enterprise - Splunk Enterprise Security @@ -63,6 +73,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ws_ftp/wsftpweb.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ws_ftp/wsftpweb.log source: suricata sourcetype: suricata diff --git a/detections/web/zscaler_adware_activities_threat_blocked.yml b/detections/web/zscaler_adware_activities_threat_blocked.yml index 610f745c55..2637a4838c 100644 --- a/detections/web/zscaler_adware_activities_threat_blocked.yml +++ b/detections/web/zscaler_adware_activities_threat_blocked.yml @@ -1,18 +1,29 @@ name: Zscaler Adware Activities Threat Blocked id: 3407b250-345a-4d71-80db-c91e555a3ece -version: 1 -date: '2023-10-30' +version: 2 +date: '2024-05-15' author: Gowthamaraj Rajendran, Splunk status: production type: Anomaly data_source: [] -description: The following analytic is designed to detect potential adware activity which is blocked by Zscaler. Utilizing Splunk search functionality, it filters web proxy logs for blocked actions associated with adware threats. Key data points like the device owner, user, URL category, destination URL and IP, and action taken are analyzed to highlight possible adware intrusions. -search: '`zscaler_proxy` action=blocked threatname=*adware* - | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +description: The following analytic identifies potential adware activity blocked by + Zscaler. It leverages web proxy logs to detect blocked actions associated with adware + threats. Key data points such as device owner, user, URL category, destination URL, + and IP are analyzed. This activity is significant as adware can degrade system performance, + lead to unwanted advertisements, and potentially expose users to further malicious + content. If confirmed malicious, it could indicate an attempt to compromise user + systems, necessitating further investigation and remediation to prevent potential + data breaches or system exploitation. +search: '`zscaler_proxy` action=blocked threatname=*adware* | stats count min(_time) + as firstTime max(_time) as lastTime by action deviceowner user urlcategory url + src dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_adware_activities_threat_blocked_filter`' -how_to_implement: You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the "zscalernss-web" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment. +how_to_implement: You must install the latest version of Zscaler Add-on from Splunkbase. + You must be ingesting Zscaler events into your Splunk environment through an ingester. + This analytic was written to be used with the "zscalernss-web" sourcetype leveraging + the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. + Security teams are encouraged to adjust the detection parameters, ensuring the detection + is tailored to their specific environment. known_false_positives: False positives are limited to Zscaler configuration. references: - https://help.zscaler.com/zia/nss-feed-output-format-web-logs @@ -49,14 +60,15 @@ tags: - deviceowner - user - urlcategory - - url - - dest - - dest_ip + - url + - dest + - dest_ip - action security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/zscalar_web_proxy/zscalar_web_proxy.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/zscalar_web_proxy/zscalar_web_proxy.json source: zscaler sourcetype: zscalernss-web diff --git a/detections/web/zscaler_behavior_analysis_threat_blocked.yml b/detections/web/zscaler_behavior_analysis_threat_blocked.yml index 258c4d56f7..a2b7853530 100644 --- a/detections/web/zscaler_behavior_analysis_threat_blocked.yml +++ b/detections/web/zscaler_behavior_analysis_threat_blocked.yml @@ -1,18 +1,28 @@ name: Zscaler Behavior Analysis Threat Blocked id: 289ad59f-8939-4331-b805-f2bd51d36fb8 -version: 1 -date: '2023-10-31' +version: 2 +date: '2024-05-17' author: Rod Soto, Gowthamaraj Rajendran, Splunk status: production type: Anomaly data_source: [] -description: The analytic is built to identify threats blocked by the Zscaler proxy based on behavior analysis. It filters web proxy logs for entries where actions are blocked and threat names and classes are specified. The search further refines the results to include only those with reasons related to "block". It then aggregates the count, providing a clear view of the threat landscape as handled by the behavior analysis proxy. -search: '`zscaler_proxy` action=blocked threatname!="None" threatclass="Behavior Analysis" - | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user threatname url src dest - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +description: The following analytic identifies threats blocked by the Zscaler proxy + based on behavior analysis. It leverages web proxy logs to detect entries where + actions are blocked and threat names and classes are specified. This detection is + significant as it highlights potential malicious activities that were intercepted + by Zscaler's behavior analysis, providing early indicators of threats. If confirmed + malicious, these blocked threats could indicate attempted breaches or malware infections, + helping security teams to understand and mitigate potential risks in their environment. +search: '`zscaler_proxy` action=blocked threatname!="None" threatclass="Behavior Analysis" + | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner + user threatname url src dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_behavior_analysis_threat_blocked_filter`' -how_to_implement: You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the "zscalernss-web" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment. +how_to_implement: You must install the latest version of Zscaler Add-on from Splunkbase. + You must be ingesting Zscaler events into your Splunk environment through an ingester. + This analytic was written to be used with the "zscalernss-web" sourcetype leveraging + the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. + Security teams are encouraged to adjust the detection parameters, ensuring the detection + is tailored to their specific environment. known_false_positives: False positives are limited to Zscalar configuration. references: - https://help.zscaler.com/zia/nss-feed-output-format-web-logs @@ -22,7 +32,8 @@ tags: asset_type: Web Server confidence: 80 impact: 10 - message: Potential Adware Behavior Analysis Threat from dest -[$dest$] on $src$ for user-[$user$]. + message: Potential Adware Behavior Analysis Threat from dest -[$dest$] on $src$ + for user-[$user$]. mitre_attack_id: - T1566 observable: @@ -49,14 +60,15 @@ tags: - deviceowner - user - urlcategory - - url - - dest - - dest_ip + - url + - dest + - dest_ip - action security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/zscalar_web_proxy/zscalar_web_proxy.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/zscalar_web_proxy/zscalar_web_proxy.json source: zscaler - sourcetype: zscalernss-web \ No newline at end of file + sourcetype: zscalernss-web diff --git a/detections/web/zscaler_cryptominer_downloaded_threat_blocked.yml b/detections/web/zscaler_cryptominer_downloaded_threat_blocked.yml index 8aee6fa555..f89e0356df 100644 --- a/detections/web/zscaler_cryptominer_downloaded_threat_blocked.yml +++ b/detections/web/zscaler_cryptominer_downloaded_threat_blocked.yml @@ -1,18 +1,29 @@ name: Zscaler CryptoMiner Downloaded Threat Blocked id: ed76ce37-bab9-4ec0-bf3e-9c6a6cf43365 -version: 1 -date: '2023-10-30' +version: 2 +date: '2024-05-22' author: Gowthamaraj Rajendran, Rod Soto, Splunk status: production type: Anomaly data_source: [] -description: The analytic is crafted to detect potential download of cryptomining software within a network that is blocked by Zscaler. Utilizing Splunk search functionality, it sifts through web proxy logs for blocked actions associated with cryptominer threats. Key data points like the device owner, user, URL category, destination URL and IP, and action taken are analyzed to highlight possible cryptominer downloads. This detection, categorized as an anomaly, aids in early identification and mitigation of cryptomining activities, ensuring network integrity and resource availability. -search: '`zscaler_proxy` action=blocked threatname=*miner* - | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +description: The following analytic identifies attempts to download cryptomining software + that are blocked by Zscaler. It leverages web proxy logs to detect blocked actions + associated with cryptominer threats, analyzing key data points such as device owner, + user, URL category, destination URL, and IP. This activity is significant for a + SOC as it helps in early identification and mitigation of cryptomining activities, + which can compromise network integrity and resource availability. If confirmed malicious, + this activity could lead to unauthorized use of network resources for cryptomining, + potentially degrading system performance and increasing operational costs. +search: '`zscaler_proxy` action=blocked threatname=*miner* | stats count min(_time) + as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src + dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_cryptominer_downloaded_threat_blocked_filter`' -how_to_implement: You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the "zscalernss-web" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment. +how_to_implement: You must install the latest version of Zscaler Add-on from Splunkbase. + You must be ingesting Zscaler events into your Splunk environment through an ingester. + This analytic was written to be used with the "zscalernss-web" sourcetype leveraging + the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. + Security teams are encouraged to adjust the detection parameters, ensuring the detection + is tailored to their specific environment. known_false_positives: False positives are limited to Zscaler configuration. references: - https://help.zscaler.com/zia/nss-feed-output-format-web-logs @@ -22,7 +33,8 @@ tags: asset_type: Web Server confidence: 80 impact: 40 - message: Potential CryptoMiner Downloaded Threat from dest -[$dest$] on $src$ for user-[$user$]. + message: Potential CryptoMiner Downloaded Threat from dest -[$dest$] on $src$ for + user-[$user$]. mitre_attack_id: - T1566 observable: @@ -49,14 +61,15 @@ tags: - deviceowner - user - urlcategory - - url - - dest - - dest_ip + - url + - dest + - dest_ip - action security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/zscalar_web_proxy/zscalar_web_proxy.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/zscalar_web_proxy/zscalar_web_proxy.json source: zscaler sourcetype: zscalernss-web diff --git a/detections/web/zscaler_employment_search_web_activity.yml b/detections/web/zscaler_employment_search_web_activity.yml index e843745807..d515afdc21 100644 --- a/detections/web/zscaler_employment_search_web_activity.yml +++ b/detections/web/zscaler_employment_search_web_activity.yml @@ -1,18 +1,29 @@ name: Zscaler Employment Search Web Activity id: 5456bdef-d765-4565-8e1f-61ca027bc50e -version: 1 -date: '2023-11-14' +version: 2 +date: '2024-05-11' author: Gowthamaraj Rajendran, Rod Soto, Splunk status: production type: Anomaly data_source: [] -description: "The analytic is designed to identify destinations within a network deemed as potential Empolyment Searches. Utilizing Splunk's search functionality, it processes web proxy logs, focusing on entries marked as 'Job/Employment Search'. Key data points such as device owner, user, URL category, destination URL and IP, and action taken are analyzed to enumerate the employment risk destinations. This anomaly-type detection aids in monitoring and managing risks, promoting a secure environment from insider threats." -search: '`zscaler_proxy` urlsupercategory="Job/Employment Search" - | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +description: "The following analytic identifies web activity related to employment + searches within a network. It leverages Zscaler web proxy logs, focusing on entries + categorized as 'Job/Employment Search'. Key data points such as device owner, user, + URL category, destination URL, and IP are analyzed. This detection is significant + for SOCs as it helps monitor potential insider threats by identifying users who + may be seeking new employment. If confirmed malicious, this activity could indicate + a risk of data exfiltration or other insider threats, potentially leading to sensitive + information leakage or other security breaches." +search: '`zscaler_proxy` urlsupercategory="Job/Employment Search" | stats count min(_time) + as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src + dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_employment_search_web_activity_filter`' -how_to_implement: You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the "zscalernss-web" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment. +how_to_implement: You must install the latest version of Zscaler Add-on from Splunkbase. + You must be ingesting Zscaler events into your Splunk environment through an ingester. + This analytic was written to be used with the "zscalernss-web" sourcetype leveraging + the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. + Security teams are encouraged to adjust the detection parameters, ensuring the detection + is tailored to their specific environment. known_false_positives: False positives are limited to Zscaler configuration. references: - https://help.zscaler.com/zia/nss-feed-output-format-web-logs @@ -22,7 +33,8 @@ tags: asset_type: Web Server confidence: 80 impact: 5 - message: Potential Employment Search Web Activity from dest -[$dest$] on $src$ for user-[$user$]. + message: Potential Employment Search Web Activity from dest -[$dest$] on $src$ for + user-[$user$]. mitre_attack_id: - T1566 observable: @@ -49,14 +61,15 @@ tags: - deviceowner - user - urlcategory - - url - - dest - - dest_ip + - url + - dest + - dest_ip - action security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/zscalar_web_proxy/zscalar_web_proxy.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/zscalar_web_proxy/zscalar_web_proxy.json source: zscaler - sourcetype: zscalernss-web \ No newline at end of file + sourcetype: zscalernss-web diff --git a/detections/web/zscaler_exploit_threat_blocked.yml b/detections/web/zscaler_exploit_threat_blocked.yml index 49d4cdfadf..d242640e18 100644 --- a/detections/web/zscaler_exploit_threat_blocked.yml +++ b/detections/web/zscaler_exploit_threat_blocked.yml @@ -1,18 +1,29 @@ name: Zscaler Exploit Threat Blocked id: 94665d8c-b841-4ff4-acb4-34d613e2cbfe -version: 1 -date: '2023-10-31' +version: 2 +date: '2024-05-13' author: Rod Soto, Gowthamaraj Rajendran, Splunk status: production type: TTP data_source: [] -description: The analytic is aimed at detecting potential exploit attempts that involve command and script interpreters blocked by Zscaler. By querying web proxy logs, it isolates incidents where actions have been either blocked with references to exploits. The search compiles statistics by user, threat name, URL, hostname, file class, and filename, giving a detailed view of any exploit-related activity. Marked as a tactic, technique, and procedure (TTP), this analytic is essential for identifying and mitigating exploit attempts. -search: '`zscaler_proxy` action=blocked threatname=*exploit* - | stats count min(_time) as firstTime max(_time) as lastTime by user threatname src hostname fileclass filename url dest - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +description: The following analytic identifies potential exploit attempts involving + command and script interpreters blocked by Zscaler. It leverages web proxy logs + to detect incidents where actions are blocked due to exploit references. The detection + compiles statistics by user, threat name, URL, hostname, file class, and filename. + This activity is significant as it helps identify and mitigate exploit attempts, + which are critical for maintaining security. If confirmed malicious, such activity + could lead to unauthorized code execution, privilege escalation, or persistent access + within the environment, posing a severe threat to organizational security. +search: '`zscaler_proxy` action=blocked threatname=*exploit* | stats count min(_time) + as firstTime max(_time) as lastTime by user threatname src hostname fileclass filename + url dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_exploit_threat_blocked_filter`' -how_to_implement: You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the "zscalernss-web" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment. +how_to_implement: You must install the latest version of Zscaler Add-on from Splunkbase. + You must be ingesting Zscaler events into your Splunk environment through an ingester. + This analytic was written to be used with the "zscalernss-web" sourcetype leveraging + the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. + Security teams are encouraged to adjust the detection parameters, ensuring the detection + is tailored to their specific environment. known_false_positives: False positives are limited to Zscaler configuration. references: - https://help.zscaler.com/zia/nss-feed-output-format-web-logs @@ -49,14 +60,15 @@ tags: - deviceowner - user - urlcategory - - url - - dest - - dest_ip + - url + - dest + - dest_ip - action security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/zscalar_web_proxy/zscalar_web_proxy.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/zscalar_web_proxy/zscalar_web_proxy.json source: zscaler - sourcetype: zscalernss-web \ No newline at end of file + sourcetype: zscalernss-web diff --git a/detections/web/zscaler_legal_liability_threat_blocked.yml b/detections/web/zscaler_legal_liability_threat_blocked.yml index 17ebcf1a1a..3975036c91 100644 --- a/detections/web/zscaler_legal_liability_threat_blocked.yml +++ b/detections/web/zscaler_legal_liability_threat_blocked.yml @@ -1,21 +1,31 @@ name: Zscaler Legal Liability Threat Blocked id: bbf55ebf-c416-4f62-94d9-4064f2a28014 -version: 1 -date: '2023-10-31' +version: 2 +date: '2024-05-23' author: Rod Soto, Gowthamaraj Rajendran, Splunk status: production type: Anomaly data_source: [] -description: The analytic is aimed at identifying the most significant legal liability threats blocked by zcaler web proxy. It leverages web proxy logs to list the destinations, device owners, users, URL categories, and actions that are associated with Legal Liability, by utilizing stats on unique fields, it ensures a precise focus on unique legal liability threats, thereby providing valuable insights for organizations to enforce legal compliance and risk management. -search: '`zscaler_proxy` urlclass="Legal Liability" - | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | dedup urlcategory | `zscaler_legal_liability_threat_blocked_filter`' -how_to_implement: You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the "zscalernss-web" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment. +description: The following analytic identifies significant legal liability threats + blocked by the Zscaler web proxy. It uses web proxy logs to track destinations, + device owners, users, URL categories, and actions associated with legal liability. + By leveraging statistics on unique fields, it ensures a precise focus on these threats. + This activity is significant for SOC as it helps enforce legal compliance and risk + management. If confirmed malicious, it could indicate attempts to access legally + sensitive or restricted content, potentially leading to legal repercussions and + compliance violations. +search: '`zscaler_proxy` urlclass="Legal Liability" | stats count min(_time) as firstTime + max(_time) as lastTime by action deviceowner user urlcategory url src dest | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | dedup urlcategory | `zscaler_legal_liability_threat_blocked_filter`' +how_to_implement: You must install the latest version of Zscaler Add-on from Splunkbase. + You must be ingesting Zscaler events into your Splunk environment through an ingester. + This analytic was written to be used with the "zscalernss-web" sourcetype leveraging + the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. + Security teams are encouraged to adjust the detection parameters, ensuring the detection + is tailored to their specific environment. known_false_positives: False positives are limited to Zscaler configuration. references: -- https://help.zscaler.com/zia/nss-feed-output-format-web-logs +- https://help.zscaler.com/zia/nss-feed-output-format-web-logs tags: analytic_story: - Zscaler Browser Proxy Threats @@ -49,14 +59,15 @@ tags: - deviceowner - user - urlcategory - - url - - dest - - dest_ip + - url + - dest + - dest_ip - action security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/zscalar_web_proxy/zscalar_web_proxy.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/zscalar_web_proxy/zscalar_web_proxy.json source: zscaler - sourcetype: zscalernss-web \ No newline at end of file + sourcetype: zscalernss-web diff --git a/detections/web/zscaler_malware_activity_threat_blocked.yml b/detections/web/zscaler_malware_activity_threat_blocked.yml index 97d7e7c3e5..856cc106f2 100644 --- a/detections/web/zscaler_malware_activity_threat_blocked.yml +++ b/detections/web/zscaler_malware_activity_threat_blocked.yml @@ -1,18 +1,29 @@ name: Zscaler Malware Activity Threat Blocked id: ae874ad8-e353-40a7-87d4-420cdfb27d1a -version: 1 -date: '2023-10-25' +version: 2 +date: '2024-05-12' author: Rod Soto, Gowthamaraj Rajendran, Splunk status: production type: Anomaly data_source: [] -description: The analytic targets the detection of potential malware activities within a network that are blocked by Zscaler. By filtering web proxy logs for blocked actions associated with malware, where a threat category is specified, the analytic aggregates occurrences by user, URL, and threat category. This approach ensures a focused identification of malware activities, making it an effective tool for ongoing network security monitoring and anomaly detection. -search: '`zscaler_proxy` action=blocked threatname=*malware* threatcategory!=None - | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +description: The following analytic identifies potential malware activities within + a network that are blocked by Zscaler. It leverages web proxy logs to filter for + blocked actions associated with malware, aggregating occurrences by user, URL, and + threat category. This detection is significant for SOC as it highlights attempts + to access malicious content, indicating potential compromise or targeted attacks. + If confirmed malicious, this activity could signify an ongoing attempt to infiltrate + the network, necessitating immediate investigation to prevent further threats and + ensure network integrity. +search: '`zscaler_proxy` action=blocked threatname=*malware* threatcategory!=None + | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner + user urlcategory url src dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_malware_activity_threat_blocked_filter`' -how_to_implement: You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the "zscalernss-web" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment. +how_to_implement: You must install the latest version of Zscaler Add-on from Splunkbase. + You must be ingesting Zscaler events into your Splunk environment through an ingester. + This analytic was written to be used with the "zscalernss-web" sourcetype leveraging + the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. + Security teams are encouraged to adjust the detection parameters, ensuring the detection + is tailored to their specific environment. known_false_positives: False positives are limited to Zscalar configuration. references: - https://help.zscaler.com/zia/nss-feed-output-format-web-logs @@ -49,14 +60,15 @@ tags: - deviceowner - user - urlcategory - - url - - dest - - dest_ip + - url + - dest + - dest_ip - action security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/zscalar_web_proxy/zscalar_web_proxy.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/zscalar_web_proxy/zscalar_web_proxy.json source: zscaler - sourcetype: zscalernss-web \ No newline at end of file + sourcetype: zscalernss-web diff --git a/detections/web/zscaler_phishing_activity_threat_blocked.yml b/detections/web/zscaler_phishing_activity_threat_blocked.yml index a94678d350..46e4d27601 100644 --- a/detections/web/zscaler_phishing_activity_threat_blocked.yml +++ b/detections/web/zscaler_phishing_activity_threat_blocked.yml @@ -1,18 +1,29 @@ name: Zscaler Phishing Activity Threat Blocked id: 68d3e2c1-e97f-4310-b080-dea180b48aa9 -version: 1 -date: '2023-10-30' +version: 2 +date: '2024-05-12' author: Gowthamaraj Rajendran, Rod Soto, Splunk status: production type: Anomaly data_source: [] -description: The analytic is devised to detect likely phishing attempts within a network blocked by Zscaler. By leveraging Splunk search functionality, it evaluates web proxy logs for blocked actions correlated with phishing threats, specifically those tagged as HTML.Phish. Critical data points such as the user, threat name, URL, and hostname are analyzed to accentuate possible phishing activities. This anomaly-type detection serves as an early warning system, facilitating prompt investigation and mitigation of phishing threats, thereby bolstering network security. -search: '`zscaler_proxy` action=blocked threatname="HTML.Phish*" - | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user threatname url src dest - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +description: The following analytic identifies potential phishing attempts blocked + by Zscaler within a network. It leverages web proxy logs to detect actions tagged + as HTML.Phish. The detection method involves analyzing critical data points such + as user, threat name, URL, and hostname. This activity is significant for a SOC + as it serves as an early warning system for phishing threats, enabling prompt investigation + and mitigation. If confirmed malicious, this activity could indicate an attempt + to deceive users into divulging sensitive information, potentially leading to data + breaches or credential theft. +search: '`zscaler_proxy` action=blocked threatname="HTML.Phish*" | stats count min(_time) + as firstTime max(_time) as lastTime by action deviceowner user threatname url src + dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_phishing_activity_threat_blocked_filter`' -how_to_implement: You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the "zscalernss-web" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment. +how_to_implement: You must install the latest version of Zscaler Add-on from Splunkbase. + You must be ingesting Zscaler events into your Splunk environment through an ingester. + This analytic was written to be used with the "zscalernss-web" sourcetype leveraging + the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. + Security teams are encouraged to adjust the detection parameters, ensuring the detection + is tailored to their specific environment. known_false_positives: False positives are limited to Zscalar configuration. references: - https://help.zscaler.com/zia/nss-feed-output-format-web-logs @@ -49,14 +60,15 @@ tags: - deviceowner - user - urlcategory - - url - - dest - - dest_ip + - url + - dest + - dest_ip - action security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/zscalar_web_proxy/zscalar_web_proxy.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/zscalar_web_proxy/zscalar_web_proxy.json source: zscaler - sourcetype: zscalernss-web \ No newline at end of file + sourcetype: zscalernss-web diff --git a/detections/web/zscaler_potentially_abused_file_download.yml b/detections/web/zscaler_potentially_abused_file_download.yml index 8ccc847973..818100944d 100644 --- a/detections/web/zscaler_potentially_abused_file_download.yml +++ b/detections/web/zscaler_potentially_abused_file_download.yml @@ -1,18 +1,28 @@ name: Zscaler Potentially Abused File Download id: b0c21379-f4ba-4bac-a958-897e260f964a -version: 1 -date: '2023-11-21' +version: 2 +date: '2024-05-22' author: Gowthamaraj Rajendran, Rod Soto, Splunk status: production type: Anomaly data_source: [] -description: The analytic is engineered to detect potential rarely abused malicious filetypes downloaded within a network. They are usually used to spread malwares. Utilizing Splunk search functionality, it examines web proxy logs for blocked actions related to potential threats. Essential data points like the deviceowner, user, urlcategory, url, dest, and filename taken are analyzed to highlight possible malicious endeavors. This detection, marked as an anomaly, aids in early identification and mitigation of malicious download activities, ensuring a safer network environment. -search: '`zscaler_proxy` url IN ("*.scr", "*.dll", "*.bat", "*.lnk") - | stats count min(_time) as firstTime max(_time) as lastTime by deviceowner user urlcategory url src filename dest - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +description: The following analytic identifies the download of potentially malicious + file types, such as .scr, .dll, .bat, and .lnk, within a network. It leverages web + proxy logs from Zscaler, focusing on blocked actions and analyzing fields like deviceowner, + user, urlcategory, url, dest, and filename. This activity is significant as these + file types are often used to spread malware, posing a threat to network security. + If confirmed malicious, this activity could lead to malware execution, data compromise, + or further network infiltration. +search: '`zscaler_proxy` url IN ("*.scr", "*.dll", "*.bat", "*.lnk") | stats count + min(_time) as firstTime max(_time) as lastTime by deviceowner user urlcategory url + src filename dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_potentially_abused_file_download_filter`' -how_to_implement: You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the "zscalernss-web" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment. +how_to_implement: You must install the latest version of Zscaler Add-on from Splunkbase. + You must be ingesting Zscaler events into your Splunk environment through an ingester. + This analytic was written to be used with the "zscalernss-web" sourcetype leveraging + the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. + Security teams are encouraged to adjust the detection parameters, ensuring the detection + is tailored to their specific environment. known_false_positives: False positives are limited to Zscaler configuration. references: - https://help.zscaler.com/zia/nss-feed-output-format-web-logs @@ -49,14 +59,15 @@ tags: - deviceowner - user - urlcategory - - url - - dest - - dest_ip + - url + - dest + - dest_ip - action security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/zscalar_web_proxy/zscalar_web_proxy.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/zscalar_web_proxy/zscalar_web_proxy.json source: zscaler - sourcetype: zscalernss-web \ No newline at end of file + sourcetype: zscalernss-web diff --git a/detections/web/zscaler_privacy_risk_destinations_threat_blocked.yml b/detections/web/zscaler_privacy_risk_destinations_threat_blocked.yml index cef1444d8b..1c3d4fe82c 100644 --- a/detections/web/zscaler_privacy_risk_destinations_threat_blocked.yml +++ b/detections/web/zscaler_privacy_risk_destinations_threat_blocked.yml @@ -1,19 +1,29 @@ name: Zscaler Privacy Risk Destinations Threat Blocked id: 5456bdef-d765-4565-8e1f-61ca027bc50d -version: 1 -date: '2023-10-30' +version: 2 +date: '2024-05-24' author: Gowthamaraj Rajendran, Rod Soto, Splunk status: production type: Anomaly data_source: [] -description: The analytic is designed to identify blocked destinations within a network deemed as privacy risks by Zscaler. Utilizing Splunk search functionality, it processes web proxy logs, focusing on entries marked as Privacy Risk. Key data points such as device owner, user, URL category, destination URL and IP, and action taken are analyzed to enumerate the privacy risk destinations. This anomaly-type detection aids in monitoring and managing privacy risks, promoting a secure network environment. -search: '`zscaler_proxy` action=blocked urlclass="Privacy Risk" - | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest - | dedup urlcategory - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +description: The following analytic identifies blocked destinations within a network + that are deemed privacy risks by Zscaler. It leverages web proxy logs, focusing + on entries marked as "Privacy Risk." Key data points such as device owner, user, + URL category, destination URL, and IP are analyzed. This activity is significant + for a SOC as it helps monitor and manage privacy risks, ensuring a secure network + environment. If confirmed malicious, this activity could indicate attempts to access + or exfiltrate sensitive information, posing a significant threat to data privacy + and security. +search: '`zscaler_proxy` action=blocked urlclass="Privacy Risk" | stats count min(_time) + as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src + dest | dedup urlcategory | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_privacy_risk_destinations_threat_blocked_filter`' -how_to_implement: You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the "zscalernss-web" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment. +how_to_implement: You must install the latest version of Zscaler Add-on from Splunkbase. + You must be ingesting Zscaler events into your Splunk environment through an ingester. + This analytic was written to be used with the "zscalernss-web" sourcetype leveraging + the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. + Security teams are encouraged to adjust the detection parameters, ensuring the detection + is tailored to their specific environment. known_false_positives: False positives are limited to Zscaler configuration. references: - https://help.zscaler.com/zia/nss-feed-output-format-web-logs @@ -50,14 +60,15 @@ tags: - deviceowner - user - urlcategory - - url - - dest - - dest_ip + - url + - dest + - dest_ip - action security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/zscalar_web_proxy/zscalar_web_proxy.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/zscalar_web_proxy/zscalar_web_proxy.json source: zscaler - sourcetype: zscalernss-web \ No newline at end of file + sourcetype: zscalernss-web diff --git a/detections/web/zscaler_scam_destinations_threat_blocked.yml b/detections/web/zscaler_scam_destinations_threat_blocked.yml index a70bfebc16..46a7960ad0 100644 --- a/detections/web/zscaler_scam_destinations_threat_blocked.yml +++ b/detections/web/zscaler_scam_destinations_threat_blocked.yml @@ -1,17 +1,28 @@ name: Zscaler Scam Destinations Threat Blocked id: a0c21379-f4ba-4bac-a958-897e260f964a -version: 1 -date: '2023-10-30' +version: 2 +date: '2024-05-27' author: Gowthamaraj Rajendran, Rod Soto, Splunk status: production type: Anomaly data_source: [] -description: The analytic is engineered to detect potential scam activities within a network by Zscaler. Utilizing Splunk search functionality, it examines web proxy logs for blocked actions related to scam threats. Essential data points like the device owner, user, URL category, destination URL and IP, and action taken are analyzed to highlight possible scam endeavors. This detection, marked as an anomaly, aids in early identification and mitigation of scam activities, ensuring a safer network environment. -search: '`zscaler_proxy` action=blocked threatname=*scam* - | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` +description: The following analytic identifies blocked scam-related activities detected + by Zscaler within a network. It leverages web proxy logs to examine actions flagged + as scam threats, focusing on data points such as device owner, user, URL category, + destination URL, and IP. This detection is significant for SOC as it helps in the + early identification and mitigation of scam activities, ensuring network safety. + If confirmed malicious, this activity could indicate attempts to deceive users, + potentially leading to data theft or financial loss. +search: '`zscaler_proxy` action=blocked threatname=*scam* | stats count min(_time) + as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src + dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_scam_destinations_threat_blocked_filter`' -how_to_implement: You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the "zscalernss-web" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment. +how_to_implement: You must install the latest version of Zscaler Add-on from Splunkbase. + You must be ingesting Zscaler events into your Splunk environment through an ingester. + This analytic was written to be used with the "zscalernss-web" sourcetype leveraging + the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. + Security teams are encouraged to adjust the detection parameters, ensuring the detection + is tailored to their specific environment. known_false_positives: False positives are limited to Zscaler configuration. references: - https://help.zscaler.com/zia/nss-feed-output-format-web-logs @@ -48,14 +59,15 @@ tags: - deviceowner - user - urlcategory - - url - - dest - - dest_ip + - url + - dest + - dest_ip - action security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/zscalar_web_proxy/zscalar_web_proxy.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/zscalar_web_proxy/zscalar_web_proxy.json source: zscaler - sourcetype: zscalernss-web \ No newline at end of file + sourcetype: zscalernss-web diff --git a/detections/web/zscaler_virus_download_threat_blocked.yml b/detections/web/zscaler_virus_download_threat_blocked.yml index e5e4d9dd6a..3393bd7b75 100644 --- a/detections/web/zscaler_virus_download_threat_blocked.yml +++ b/detections/web/zscaler_virus_download_threat_blocked.yml @@ -1,18 +1,29 @@ name: Zscaler Virus Download threat blocked id: aa19e627-d448-4a31-85cd-82068dec5691 -version: 1 -date: '2023-10-30' +version: 2 +date: '2024-05-17' author: Gowthamaraj Rajendran, Rod Soto, Splunk status: production type: Anomaly data_source: [] -description: The analytic is formulated to detect blocked virus download activities within a network by Zscaler. Employing Splunk's search functionality, it reviews web proxy logs for blocked actions indicative of virus threats downloads. Key data points like the device owner, user, URL category, destination URL and IP, and action taken are analyzed to pinpoint possible virus downloads. As an anomaly-type detection, this analytic facilitates early detection and remediation of virus download attempts, contributing to enhanced network security. -search: '`zscaler_proxy` action=blocked threatname!="None" threatclass=Virus - | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +description: The following analytic identifies attempts to download viruses that were + blocked by Zscaler within a network. It leverages web proxy logs to detect blocked + actions indicative of virus download attempts. Key data points such as device owner, + user, URL category, destination URL, and IP are analyzed. This activity is significant + as it helps in early detection and remediation of potential virus threats, enhancing + network security. If confirmed malicious, this activity could indicate an attempt + to compromise the network, potentially leading to data breaches or further malware + infections. +search: '`zscaler_proxy` action=blocked threatname!="None" threatclass=Virus | stats + count min(_time) as firstTime max(_time) as lastTime by action deviceowner user + urlcategory url src dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_virus_download_threat_blocked_filter`' -how_to_implement: You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the "zscalernss-web" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment. +how_to_implement: You must install the latest version of Zscaler Add-on from Splunkbase. + You must be ingesting Zscaler events into your Splunk environment through an ingester. + This analytic was written to be used with the "zscalernss-web" sourcetype leveraging + the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. + Security teams are encouraged to adjust the detection parameters, ensuring the detection + is tailored to their specific environment. known_false_positives: False positives are limited to Zscaler configuration. references: - https://help.zscaler.com/zia/nss-feed-output-format-web-logs @@ -49,14 +60,15 @@ tags: - deviceowner - user - urlcategory - - url - - dest - - dest_ip + - url + - dest + - dest_ip - action security_domain: threat tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/zscalar_web_proxy/zscalar_web_proxy.json + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/zscalar_web_proxy/zscalar_web_proxy.json source: zscaler - sourcetype: zscalernss-web \ No newline at end of file + sourcetype: zscalernss-web diff --git a/dev/endpoint/curl_download_and_bash_execution.yml b/dev/endpoint/curl_download_and_bash_execution.yml index 112e6a34d7..ca56a403dc 100644 --- a/dev/endpoint/curl_download_and_bash_execution.yml +++ b/dev/endpoint/curl_download_and_bash_execution.yml @@ -69,4 +69,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/linux-sysmon_curlwget.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/dev/endpoint/java_writing_jsp_file.yml b/dev/endpoint/java_writing_jsp_file.yml index ee946194ba..31e442bd94 100644 --- a/dev/endpoint/java_writing_jsp_file.yml +++ b/dev/endpoint/java_writing_jsp_file.yml @@ -68,4 +68,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/spring4shell/java_write_jsp-linux-sysmon.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/dev/endpoint/linux_account_manipulation_of_ssh_config_and_keys.yml b/dev/endpoint/linux_account_manipulation_of_ssh_config_and_keys.yml index a90ed9fdf9..ef53991417 100644 --- a/dev/endpoint/linux_account_manipulation_of_ssh_config_and_keys.yml +++ b/dev/endpoint/linux_account_manipulation_of_ssh_config_and_keys.yml @@ -56,4 +56,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/acidrain/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/dev/endpoint/linux_add_files_in_known_crontab_directories.yml b/dev/endpoint/linux_add_files_in_known_crontab_directories.yml index 06fc89c857..173a50356b 100644 --- a/dev/endpoint/linux_add_files_in_known_crontab_directories.yml +++ b/dev/endpoint/linux_add_files_in_known_crontab_directories.yml @@ -57,4 +57,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/cronjobs_entry/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/dev/endpoint/linux_add_user_account.yml b/dev/endpoint/linux_add_user_account.yml index 721a9eb869..3a981ab90e 100644 --- a/dev/endpoint/linux_add_user_account.yml +++ b/dev/endpoint/linux_add_user_account.yml @@ -57,4 +57,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_adduser/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/dev/endpoint/linux_adding_crontab_using_list_parameter.yml b/dev/endpoint/linux_adding_crontab_using_list_parameter.yml index f575b4c3a6..edf667f465 100644 --- a/dev/endpoint/linux_adding_crontab_using_list_parameter.yml +++ b/dev/endpoint/linux_adding_crontab_using_list_parameter.yml @@ -55,4 +55,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/crontab_list_parameter/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/dev/endpoint/linux_apt_get_privilege_escalation.yml b/dev/endpoint/linux_apt_get_privilege_escalation.yml index cc67782702..366445fc2a 100644 --- a/dev/endpoint/linux_apt_get_privilege_escalation.yml +++ b/dev/endpoint/linux_apt_get_privilege_escalation.yml @@ -65,5 +65,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/apt_get/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/dev/endpoint/linux_apt_privilege_escalation.yml b/dev/endpoint/linux_apt_privilege_escalation.yml index 0e99d64c8e..e874966639 100644 --- a/dev/endpoint/linux_apt_privilege_escalation.yml +++ b/dev/endpoint/linux_apt_privilege_escalation.yml @@ -64,5 +64,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/apt/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/dev/endpoint/linux_at_allow_config_file_creation.yml b/dev/endpoint/linux_at_allow_config_file_creation.yml index 508edabf92..5c33a14901 100644 --- a/dev/endpoint/linux_at_allow_config_file_creation.yml +++ b/dev/endpoint/linux_at_allow_config_file_creation.yml @@ -57,4 +57,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/at_execution/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/dev/endpoint/linux_at_application_execution.yml b/dev/endpoint/linux_at_application_execution.yml index db86911941..1e9c02f275 100644 --- a/dev/endpoint/linux_at_application_execution.yml +++ b/dev/endpoint/linux_at_application_execution.yml @@ -60,4 +60,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/at_execution/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/dev/endpoint/linux_awk_privilege_escalation.yml b/dev/endpoint/linux_awk_privilege_escalation.yml index df0abb0e89..bd9aaf4539 100644 --- a/dev/endpoint/linux_awk_privilege_escalation.yml +++ b/dev/endpoint/linux_awk_privilege_escalation.yml @@ -63,5 +63,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/awk/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/dev/endpoint/linux_busybox_privilege_escalation.yml b/dev/endpoint/linux_busybox_privilege_escalation.yml index 766c72be8f..b4dc8979ce 100644 --- a/dev/endpoint/linux_busybox_privilege_escalation.yml +++ b/dev/endpoint/linux_busybox_privilege_escalation.yml @@ -64,5 +64,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/busybox/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/dev/endpoint/linux_c89_privilege_escalation.yml b/dev/endpoint/linux_c89_privilege_escalation.yml index aabaa263ac..50312ea89e 100644 --- a/dev/endpoint/linux_c89_privilege_escalation.yml +++ b/dev/endpoint/linux_c89_privilege_escalation.yml @@ -64,5 +64,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/c89/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/dev/endpoint/linux_c99_privilege_escalation.yml b/dev/endpoint/linux_c99_privilege_escalation.yml index c59d23755f..8e4b8ff9ee 100644 --- a/dev/endpoint/linux_c99_privilege_escalation.yml +++ b/dev/endpoint/linux_c99_privilege_escalation.yml @@ -64,5 +64,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/c99/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/dev/endpoint/linux_change_file_owner_to_root.yml b/dev/endpoint/linux_change_file_owner_to_root.yml index 31cb6cf931..94f70fb652 100644 --- a/dev/endpoint/linux_change_file_owner_to_root.yml +++ b/dev/endpoint/linux_change_file_owner_to_root.yml @@ -58,4 +58,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.001/chmod_uid/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/dev/endpoint/linux_clipboard_data_copy.yml b/dev/endpoint/linux_clipboard_data_copy.yml index 4b463b25c2..fa24f802be 100644 --- a/dev/endpoint/linux_clipboard_data_copy.yml +++ b/dev/endpoint/linux_clipboard_data_copy.yml @@ -64,5 +64,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1115/atomic_red_team/linux-sysmon.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/dev/endpoint/linux_common_process_for_elevation_control.yml b/dev/endpoint/linux_common_process_for_elevation_control.yml index d7e5a0114b..3fb272275e 100644 --- a/dev/endpoint/linux_common_process_for_elevation_control.yml +++ b/dev/endpoint/linux_common_process_for_elevation_control.yml @@ -93,4 +93,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.001/chmod_uid/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/dev/endpoint/linux_composer_privilege_escalation.yml b/dev/endpoint/linux_composer_privilege_escalation.yml index 94efab82d5..a1b28e59e8 100644 --- a/dev/endpoint/linux_composer_privilege_escalation.yml +++ b/dev/endpoint/linux_composer_privilege_escalation.yml @@ -63,5 +63,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/composer/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/dev/endpoint/linux_cpulimit_privilege_escalation.yml b/dev/endpoint/linux_cpulimit_privilege_escalation.yml index 3bce76236c..886009ea58 100644 --- a/dev/endpoint/linux_cpulimit_privilege_escalation.yml +++ b/dev/endpoint/linux_cpulimit_privilege_escalation.yml @@ -66,5 +66,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/cpulimit/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/dev/endpoint/linux_csvtool_privilege_escalation.yml b/dev/endpoint/linux_csvtool_privilege_escalation.yml index 9777eed52c..5c6d74f3a4 100644 --- a/dev/endpoint/linux_csvtool_privilege_escalation.yml +++ b/dev/endpoint/linux_csvtool_privilege_escalation.yml @@ -61,5 +61,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/csvtool/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/dev/endpoint/linux_curl_upload_file.yml b/dev/endpoint/linux_curl_upload_file.yml index 89bb44795f..c810ebb3c3 100644 --- a/dev/endpoint/linux_curl_upload_file.yml +++ b/dev/endpoint/linux_curl_upload_file.yml @@ -80,5 +80,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/curl-linux-sysmon.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/dev/endpoint/linux_dd_file_overwrite.yml b/dev/endpoint/linux_dd_file_overwrite.yml index fa1caed075..134800c879 100644 --- a/dev/endpoint/linux_dd_file_overwrite.yml +++ b/dev/endpoint/linux_dd_file_overwrite.yml @@ -52,4 +52,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/linux_dd_file_overwrite/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/dev/endpoint/linux_decode_base64_to_shell.yml b/dev/endpoint/linux_decode_base64_to_shell.yml index 73e4cff118..73a38becf9 100644 --- a/dev/endpoint/linux_decode_base64_to_shell.yml +++ b/dev/endpoint/linux_decode_base64_to_shell.yml @@ -67,5 +67,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/atomic_red_team/linux-sysmon.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/dev/endpoint/linux_deleting_critical_directory_using_rm_command.yml b/dev/endpoint/linux_deleting_critical_directory_using_rm_command.yml index a811b937b2..0b573a38e1 100644 --- a/dev/endpoint/linux_deleting_critical_directory_using_rm_command.yml +++ b/dev/endpoint/linux_deleting_critical_directory_using_rm_command.yml @@ -60,4 +60,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/rm_shred_critical_dir/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/dev/endpoint/linux_deletion_of_cron_jobs.yml b/dev/endpoint/linux_deletion_of_cron_jobs.yml index 6ffcf08b33..e6922761b1 100644 --- a/dev/endpoint/linux_deletion_of_cron_jobs.yml +++ b/dev/endpoint/linux_deletion_of_cron_jobs.yml @@ -55,4 +55,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/acidrain/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/dev/endpoint/linux_deletion_of_init_daemon_script.yml b/dev/endpoint/linux_deletion_of_init_daemon_script.yml index 050d7ac807..c139919851 100644 --- a/dev/endpoint/linux_deletion_of_init_daemon_script.yml +++ b/dev/endpoint/linux_deletion_of_init_daemon_script.yml @@ -56,4 +56,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/acidrain/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/dev/endpoint/linux_deletion_of_services.yml b/dev/endpoint/linux_deletion_of_services.yml index ae51b09c7f..487761fb6c 100644 --- a/dev/endpoint/linux_deletion_of_services.yml +++ b/dev/endpoint/linux_deletion_of_services.yml @@ -58,4 +58,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/acidrain/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/dev/endpoint/linux_deletion_of_ssl_certificate.yml b/dev/endpoint/linux_deletion_of_ssl_certificate.yml index 6a1757b861..a0ac97d0a9 100644 --- a/dev/endpoint/linux_deletion_of_ssl_certificate.yml +++ b/dev/endpoint/linux_deletion_of_ssl_certificate.yml @@ -59,4 +59,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/acidrain/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/dev/endpoint/linux_disable_services.yml b/dev/endpoint/linux_disable_services.yml index 9548d01fce..12fb5a6386 100644 --- a/dev/endpoint/linux_disable_services.yml +++ b/dev/endpoint/linux_disable_services.yml @@ -55,4 +55,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1489/linux_service_stop_disable/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/dev/endpoint/linux_doas_conf_file_creation.yml b/dev/endpoint/linux_doas_conf_file_creation.yml index 306793a46c..72934a3eb3 100644 --- a/dev/endpoint/linux_doas_conf_file_creation.yml +++ b/dev/endpoint/linux_doas_conf_file_creation.yml @@ -54,4 +54,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/doas/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/dev/endpoint/linux_doas_tool_execution.yml b/dev/endpoint/linux_doas_tool_execution.yml index d8d78d74c4..0f3f1e3f0d 100644 --- a/dev/endpoint/linux_doas_tool_execution.yml +++ b/dev/endpoint/linux_doas_tool_execution.yml @@ -54,4 +54,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/doas_exec/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/dev/endpoint/linux_docker_privilege_escalation.yml b/dev/endpoint/linux_docker_privilege_escalation.yml index 33d10e0e72..ae128bff7f 100644 --- a/dev/endpoint/linux_docker_privilege_escalation.yml +++ b/dev/endpoint/linux_docker_privilege_escalation.yml @@ -66,5 +66,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/docker/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/dev/endpoint/linux_edit_cron_table_parameter.yml b/dev/endpoint/linux_edit_cron_table_parameter.yml index da64a96cbd..3a7b34e1bc 100644 --- a/dev/endpoint/linux_edit_cron_table_parameter.yml +++ b/dev/endpoint/linux_edit_cron_table_parameter.yml @@ -55,4 +55,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/crontab_edit_parameter/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/dev/endpoint/linux_emacs_privilege_escalation.yml b/dev/endpoint/linux_emacs_privilege_escalation.yml index 188c7c9044..6e10a076b4 100644 --- a/dev/endpoint/linux_emacs_privilege_escalation.yml +++ b/dev/endpoint/linux_emacs_privilege_escalation.yml @@ -64,5 +64,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/emacs/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/dev/endpoint/linux_file_created_in_kernel_driver_directory.yml b/dev/endpoint/linux_file_created_in_kernel_driver_directory.yml index 4dcfabdcba..4f15b09552 100644 --- a/dev/endpoint/linux_file_created_in_kernel_driver_directory.yml +++ b/dev/endpoint/linux_file_created_in_kernel_driver_directory.yml @@ -56,4 +56,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/loading_linux_kernel_module/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/dev/endpoint/linux_file_creation_in_init_boot_directory.yml b/dev/endpoint/linux_file_creation_in_init_boot_directory.yml index d259cdef14..17089f7851 100644 --- a/dev/endpoint/linux_file_creation_in_init_boot_directory.yml +++ b/dev/endpoint/linux_file_creation_in_init_boot_directory.yml @@ -55,4 +55,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.004/linux_init_profile/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/dev/endpoint/linux_file_creation_in_profile_directory.yml b/dev/endpoint/linux_file_creation_in_profile_directory.yml index 9ec55d1d47..d34b70b535 100644 --- a/dev/endpoint/linux_file_creation_in_profile_directory.yml +++ b/dev/endpoint/linux_file_creation_in_profile_directory.yml @@ -53,4 +53,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.004/linux_init_profile/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/dev/endpoint/linux_find_privilege_escalation.yml b/dev/endpoint/linux_find_privilege_escalation.yml index b99d1bcb19..c498d890bb 100644 --- a/dev/endpoint/linux_find_privilege_escalation.yml +++ b/dev/endpoint/linux_find_privilege_escalation.yml @@ -65,5 +65,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/find/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/dev/endpoint/linux_gdb_privilege_escalation.yml b/dev/endpoint/linux_gdb_privilege_escalation.yml index 0ebdf76fdd..bbe155eb3f 100644 --- a/dev/endpoint/linux_gdb_privilege_escalation.yml +++ b/dev/endpoint/linux_gdb_privilege_escalation.yml @@ -64,5 +64,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/gdb/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/dev/endpoint/linux_gem_privilege_escalation.yml b/dev/endpoint/linux_gem_privilege_escalation.yml index daeb92ed49..9d2f025e69 100644 --- a/dev/endpoint/linux_gem_privilege_escalation.yml +++ b/dev/endpoint/linux_gem_privilege_escalation.yml @@ -64,5 +64,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/gem/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/dev/endpoint/linux_gnu_awk_privilege_escalation.yml b/dev/endpoint/linux_gnu_awk_privilege_escalation.yml index 02cc79428d..f7e6293bc9 100644 --- a/dev/endpoint/linux_gnu_awk_privilege_escalation.yml +++ b/dev/endpoint/linux_gnu_awk_privilege_escalation.yml @@ -67,5 +67,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/gawk/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/dev/endpoint/linux_ingress_tool_transfer_hunting.yml b/dev/endpoint/linux_ingress_tool_transfer_hunting.yml index 20e5ae720f..e9b1929248 100644 --- a/dev/endpoint/linux_ingress_tool_transfer_hunting.yml +++ b/dev/endpoint/linux_ingress_tool_transfer_hunting.yml @@ -63,5 +63,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/curl-linux-sysmon.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/dev/endpoint/linux_ingress_tool_transfer_with_curl.yml b/dev/endpoint/linux_ingress_tool_transfer_with_curl.yml index 0023b27f6e..4d2822d3fc 100644 --- a/dev/endpoint/linux_ingress_tool_transfer_with_curl.yml +++ b/dev/endpoint/linux_ingress_tool_transfer_with_curl.yml @@ -63,5 +63,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/curl-linux-sysmon.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/dev/endpoint/linux_insert_kernel_module_using_insmod_utility.yml b/dev/endpoint/linux_insert_kernel_module_using_insmod_utility.yml index cbc866aa30..08bf70fe8c 100644 --- a/dev/endpoint/linux_insert_kernel_module_using_insmod_utility.yml +++ b/dev/endpoint/linux_insert_kernel_module_using_insmod_utility.yml @@ -57,4 +57,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/loading_linux_kernel_module/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/dev/endpoint/linux_install_kernel_module_using_modprobe_utility.yml b/dev/endpoint/linux_install_kernel_module_using_modprobe_utility.yml index a5c8918f84..f9be77532e 100644 --- a/dev/endpoint/linux_install_kernel_module_using_modprobe_utility.yml +++ b/dev/endpoint/linux_install_kernel_module_using_modprobe_utility.yml @@ -57,4 +57,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/loading_linux_kernel_module/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/dev/endpoint/linux_iptables_firewall_modification.yml b/dev/endpoint/linux_iptables_firewall_modification.yml index 533e36fc1f..bc64379af3 100644 --- a/dev/endpoint/linux_iptables_firewall_modification.yml +++ b/dev/endpoint/linux_iptables_firewall_modification.yml @@ -58,4 +58,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/cyclopsblink/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/dev/endpoint/linux_java_spawning_shell.yml b/dev/endpoint/linux_java_spawning_shell.yml index 4206667114..b73e7ca450 100644 --- a/dev/endpoint/linux_java_spawning_shell.yml +++ b/dev/endpoint/linux_java_spawning_shell.yml @@ -69,4 +69,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/java/java_spawn_shell_nix.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/dev/endpoint/linux_kernel_module_enumeration.yml b/dev/endpoint/linux_kernel_module_enumeration.yml index b2c2f7ed09..6b41f0d000 100644 --- a/dev/endpoint/linux_kernel_module_enumeration.yml +++ b/dev/endpoint/linux_kernel_module_enumeration.yml @@ -65,5 +65,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1082/atomic_red_team/linux-sysmon.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/dev/endpoint/linux_kworker_process_in_writable_process_path.yml b/dev/endpoint/linux_kworker_process_in_writable_process_path.yml index 959a0c31e6..889fadb668 100644 --- a/dev/endpoint/linux_kworker_process_in_writable_process_path.yml +++ b/dev/endpoint/linux_kworker_process_in_writable_process_path.yml @@ -57,4 +57,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/cyclopsblink/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/dev/endpoint/linux_make_privilege_escalation.yml b/dev/endpoint/linux_make_privilege_escalation.yml index dfafc4e83b..cdbe3bd005 100644 --- a/dev/endpoint/linux_make_privilege_escalation.yml +++ b/dev/endpoint/linux_make_privilege_escalation.yml @@ -64,5 +64,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/make/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/dev/endpoint/linux_mysql_privilege_escalation.yml b/dev/endpoint/linux_mysql_privilege_escalation.yml index 83f14a5ea9..52b3c9f4b5 100644 --- a/dev/endpoint/linux_mysql_privilege_escalation.yml +++ b/dev/endpoint/linux_mysql_privilege_escalation.yml @@ -64,5 +64,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/mysql/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/dev/endpoint/linux_node_privilege_escalation.yml b/dev/endpoint/linux_node_privilege_escalation.yml index 8bab4bc178..5bbf8cabdc 100644 --- a/dev/endpoint/linux_node_privilege_escalation.yml +++ b/dev/endpoint/linux_node_privilege_escalation.yml @@ -67,5 +67,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/node/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/dev/endpoint/linux_nopasswd_entry_in_sudoers_file.yml b/dev/endpoint/linux_nopasswd_entry_in_sudoers_file.yml index 5e48ce4a1a..583470b1e9 100644 --- a/dev/endpoint/linux_nopasswd_entry_in_sudoers_file.yml +++ b/dev/endpoint/linux_nopasswd_entry_in_sudoers_file.yml @@ -54,4 +54,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/nopasswd_sudoers/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/dev/endpoint/linux_obfuscated_files_or_information_base64_decode.yml b/dev/endpoint/linux_obfuscated_files_or_information_base64_decode.yml index 0279453088..67991a8df0 100644 --- a/dev/endpoint/linux_obfuscated_files_or_information_base64_decode.yml +++ b/dev/endpoint/linux_obfuscated_files_or_information_base64_decode.yml @@ -65,5 +65,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/atomic_red_team/linux-sysmon.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/dev/endpoint/linux_octave_privilege_escalation.yml b/dev/endpoint/linux_octave_privilege_escalation.yml index 7b84eb5dcb..33b16e8927 100644 --- a/dev/endpoint/linux_octave_privilege_escalation.yml +++ b/dev/endpoint/linux_octave_privilege_escalation.yml @@ -67,5 +67,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/octave/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/dev/endpoint/linux_openvpn_privilege_escalation.yml b/dev/endpoint/linux_openvpn_privilege_escalation.yml index ab7bcfb707..c28b187d4e 100644 --- a/dev/endpoint/linux_openvpn_privilege_escalation.yml +++ b/dev/endpoint/linux_openvpn_privilege_escalation.yml @@ -68,5 +68,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/openvpn/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/dev/endpoint/linux_php_privilege_escalation.yml b/dev/endpoint/linux_php_privilege_escalation.yml index 4697b43e02..8bca4dd1ad 100644 --- a/dev/endpoint/linux_php_privilege_escalation.yml +++ b/dev/endpoint/linux_php_privilege_escalation.yml @@ -64,5 +64,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/php/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/dev/endpoint/linux_pkexec_privilege_escalation.yml b/dev/endpoint/linux_pkexec_privilege_escalation.yml index e8396bf68b..998f5630fd 100644 --- a/dev/endpoint/linux_pkexec_privilege_escalation.yml +++ b/dev/endpoint/linux_pkexec_privilege_escalation.yml @@ -71,4 +71,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/pkexec/linux-sysmon.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/dev/endpoint/linux_possible_access_or_modification_of_sshd_config_file.yml b/dev/endpoint/linux_possible_access_or_modification_of_sshd_config_file.yml index d490078810..488622ca90 100644 --- a/dev/endpoint/linux_possible_access_or_modification_of_sshd_config_file.yml +++ b/dev/endpoint/linux_possible_access_or_modification_of_sshd_config_file.yml @@ -59,4 +59,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.004/ssh_authorized_keys/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/dev/endpoint/linux_possible_access_to_credential_files.yml b/dev/endpoint/linux_possible_access_to_credential_files.yml index 2cad481cce..44ad9ca6d8 100644 --- a/dev/endpoint/linux_possible_access_to_credential_files.yml +++ b/dev/endpoint/linux_possible_access_to_credential_files.yml @@ -61,4 +61,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.008/copy_file_stdoutpipe/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/dev/endpoint/linux_possible_access_to_sudoers_file.yml b/dev/endpoint/linux_possible_access_to_sudoers_file.yml index 8e761139c2..8c3a2808b3 100644 --- a/dev/endpoint/linux_possible_access_to_sudoers_file.yml +++ b/dev/endpoint/linux_possible_access_to_sudoers_file.yml @@ -57,4 +57,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.008/copy_file_stdoutpipe/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/dev/endpoint/linux_possible_append_command_to_at_allow_config_file.yml b/dev/endpoint/linux_possible_append_command_to_at_allow_config_file.yml index 694b56c795..ec7f98aa12 100644 --- a/dev/endpoint/linux_possible_append_command_to_at_allow_config_file.yml +++ b/dev/endpoint/linux_possible_append_command_to_at_allow_config_file.yml @@ -53,4 +53,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/at_execution/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/dev/endpoint/linux_possible_append_command_to_profile_config_file.yml b/dev/endpoint/linux_possible_append_command_to_profile_config_file.yml index 5edb9b76b0..62cd8bb9cc 100644 --- a/dev/endpoint/linux_possible_append_command_to_profile_config_file.yml +++ b/dev/endpoint/linux_possible_append_command_to_profile_config_file.yml @@ -62,4 +62,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.004/linux_init_profile/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/dev/endpoint/linux_possible_append_cronjob_entry_on_existing_cronjob_file.yml b/dev/endpoint/linux_possible_append_cronjob_entry_on_existing_cronjob_file.yml index 23439ab989..a6b0b89f94 100644 --- a/dev/endpoint/linux_possible_append_cronjob_entry_on_existing_cronjob_file.yml +++ b/dev/endpoint/linux_possible_append_cronjob_entry_on_existing_cronjob_file.yml @@ -58,4 +58,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/cronjobs_entry/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/dev/endpoint/linux_possible_cronjob_modification_with_editor.yml b/dev/endpoint/linux_possible_cronjob_modification_with_editor.yml index c1b68c9cf9..c88b5bd5d1 100644 --- a/dev/endpoint/linux_possible_cronjob_modification_with_editor.yml +++ b/dev/endpoint/linux_possible_cronjob_modification_with_editor.yml @@ -63,4 +63,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/cronjobs_entry/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/dev/endpoint/linux_possible_ssh_key_file_creation.yml b/dev/endpoint/linux_possible_ssh_key_file_creation.yml index 43b75be536..6b8eadaae4 100644 --- a/dev/endpoint/linux_possible_ssh_key_file_creation.yml +++ b/dev/endpoint/linux_possible_ssh_key_file_creation.yml @@ -53,4 +53,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.004/ssh_authorized_keys/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/dev/endpoint/linux_preload_hijack_library_calls.yml b/dev/endpoint/linux_preload_hijack_library_calls.yml index 0bf385f1b4..c0b57f5515 100644 --- a/dev/endpoint/linux_preload_hijack_library_calls.yml +++ b/dev/endpoint/linux_preload_hijack_library_calls.yml @@ -51,4 +51,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.006/lib_hijack/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/dev/endpoint/linux_proxy_socks_curl.yml b/dev/endpoint/linux_proxy_socks_curl.yml index 6f3d7cca7d..542282e84b 100644 --- a/dev/endpoint/linux_proxy_socks_curl.yml +++ b/dev/endpoint/linux_proxy_socks_curl.yml @@ -79,5 +79,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/curl-linux-sysmon.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/dev/endpoint/linux_puppet_privilege_escalation.yml b/dev/endpoint/linux_puppet_privilege_escalation.yml index 23faf701cb..4f905e2f17 100644 --- a/dev/endpoint/linux_puppet_privilege_escalation.yml +++ b/dev/endpoint/linux_puppet_privilege_escalation.yml @@ -68,5 +68,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/puppet/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/dev/endpoint/linux_rpm_privilege_escalation.yml b/dev/endpoint/linux_rpm_privilege_escalation.yml index 71b1a9e762..c5419adc39 100644 --- a/dev/endpoint/linux_rpm_privilege_escalation.yml +++ b/dev/endpoint/linux_rpm_privilege_escalation.yml @@ -66,5 +66,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/rpm/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/dev/endpoint/linux_ruby_privilege_escalation.yml b/dev/endpoint/linux_ruby_privilege_escalation.yml index a884619193..62d1f2593c 100644 --- a/dev/endpoint/linux_ruby_privilege_escalation.yml +++ b/dev/endpoint/linux_ruby_privilege_escalation.yml @@ -63,5 +63,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/ruby/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/dev/endpoint/linux_service_file_created_in_systemd_directory.yml b/dev/endpoint/linux_service_file_created_in_systemd_directory.yml index f8a3f8941c..32366a555e 100644 --- a/dev/endpoint/linux_service_file_created_in_systemd_directory.yml +++ b/dev/endpoint/linux_service_file_created_in_systemd_directory.yml @@ -68,4 +68,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.006/service_systemd/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/dev/endpoint/linux_service_restarted.yml b/dev/endpoint/linux_service_restarted.yml index 0f7bc8ab91..71b034318a 100644 --- a/dev/endpoint/linux_service_restarted.yml +++ b/dev/endpoint/linux_service_restarted.yml @@ -67,4 +67,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.006/service_systemd/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/dev/endpoint/linux_service_started_or_enabled.yml b/dev/endpoint/linux_service_started_or_enabled.yml index 17f2e025b0..aebf6a979d 100644 --- a/dev/endpoint/linux_service_started_or_enabled.yml +++ b/dev/endpoint/linux_service_started_or_enabled.yml @@ -66,4 +66,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.006/service_systemd/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/dev/endpoint/linux_setuid_using_setcap_utility.yml b/dev/endpoint/linux_setuid_using_setcap_utility.yml index 92b42ca48b..74ca3e98a1 100644 --- a/dev/endpoint/linux_setuid_using_setcap_utility.yml +++ b/dev/endpoint/linux_setuid_using_setcap_utility.yml @@ -59,4 +59,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.001/linux_setcap/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/dev/endpoint/linux_shred_overwrite_command.yml b/dev/endpoint/linux_shred_overwrite_command.yml index 3e13f9b5ca..1502728e3f 100644 --- a/dev/endpoint/linux_shred_overwrite_command.yml +++ b/dev/endpoint/linux_shred_overwrite_command.yml @@ -59,4 +59,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/rm_shred_critical_dir/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/dev/endpoint/linux_sqlite3_privilege_escalation.yml b/dev/endpoint/linux_sqlite3_privilege_escalation.yml index 998491018b..3ca3ee937b 100644 --- a/dev/endpoint/linux_sqlite3_privilege_escalation.yml +++ b/dev/endpoint/linux_sqlite3_privilege_escalation.yml @@ -64,5 +64,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/sqlite3/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/dev/endpoint/linux_ssh_authorized_keys_modification.yml b/dev/endpoint/linux_ssh_authorized_keys_modification.yml index ba92749430..e829fefaad 100644 --- a/dev/endpoint/linux_ssh_authorized_keys_modification.yml +++ b/dev/endpoint/linux_ssh_authorized_keys_modification.yml @@ -66,5 +66,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.004/ssh_authorized_keys/authkey_linux-sysmon.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/dev/endpoint/linux_ssh_remote_services_script_execute.yml b/dev/endpoint/linux_ssh_remote_services_script_execute.yml index fd96a248d1..0260d12c2e 100644 --- a/dev/endpoint/linux_ssh_remote_services_script_execute.yml +++ b/dev/endpoint/linux_ssh_remote_services_script_execute.yml @@ -63,5 +63,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.004/atomic_red_team/linux-sysmon.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux update_timestamp: true diff --git a/dev/endpoint/linux_stdout_redirection_to_dev_null_file.yml b/dev/endpoint/linux_stdout_redirection_to_dev_null_file.yml index 68408a2461..6a891ee3cc 100644 --- a/dev/endpoint/linux_stdout_redirection_to_dev_null_file.yml +++ b/dev/endpoint/linux_stdout_redirection_to_dev_null_file.yml @@ -52,4 +52,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/cyclopsblink/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/dev/endpoint/linux_stop_services.yml b/dev/endpoint/linux_stop_services.yml index 44853d0004..74752efd21 100644 --- a/dev/endpoint/linux_stop_services.yml +++ b/dev/endpoint/linux_stop_services.yml @@ -55,4 +55,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1489/linux_service_stop_disable/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/dev/endpoint/linux_sudo_or_su_execution.yml b/dev/endpoint/linux_sudo_or_su_execution.yml index c985756916..3e101898c0 100644 --- a/dev/endpoint/linux_sudo_or_su_execution.yml +++ b/dev/endpoint/linux_sudo_or_su_execution.yml @@ -60,4 +60,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/sudo_su/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/dev/endpoint/linux_sudoers_tmp_file_creation.yml b/dev/endpoint/linux_sudoers_tmp_file_creation.yml index 001c2c3237..4d2f1f80c4 100644 --- a/dev/endpoint/linux_sudoers_tmp_file_creation.yml +++ b/dev/endpoint/linux_sudoers_tmp_file_creation.yml @@ -53,4 +53,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/sudoers_temp/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/dev/endpoint/linux_system_network_discovery.yml b/dev/endpoint/linux_system_network_discovery.yml index 72b4193400..5118a822f1 100644 --- a/dev/endpoint/linux_system_network_discovery.yml +++ b/dev/endpoint/linux_system_network_discovery.yml @@ -59,4 +59,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1016/atomic_red_team/linux_net_discovery/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/dev/endpoint/linux_visudo_utility_execution.yml b/dev/endpoint/linux_visudo_utility_execution.yml index 1a514dd3be..3847f71449 100644 --- a/dev/endpoint/linux_visudo_utility_execution.yml +++ b/dev/endpoint/linux_visudo_utility_execution.yml @@ -53,4 +53,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/visudo/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/dev/endpoint/wget_download_and_bash_execution.yml b/dev/endpoint/wget_download_and_bash_execution.yml index 190070ae4b..294f091fd4 100644 --- a/dev/endpoint/wget_download_and_bash_execution.yml +++ b/dev/endpoint/wget_download_and_bash_execution.yml @@ -74,4 +74,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/linux-sysmon_curlwget.log source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon_linux + sourcetype: sysmon:linux diff --git a/dev_ssa/endpoint/ssa___executable_file_written_in_administrative_smb_share.yml b/dev_ssa/endpoint/ssa___executable_file_written_in_administrative_smb_share.yml new file mode 100644 index 0000000000..a13ed29671 --- /dev/null +++ b/dev_ssa/endpoint/ssa___executable_file_written_in_administrative_smb_share.yml @@ -0,0 +1,74 @@ +name: Executable File Written in Administrative SMB Share +id: d3bba9cb-c066-4e49-a81e-29eeb8e8506b +version: 1 +date: "2024-05-28" +author: Teoderick Contreras, Mauricio Velazco, Splunk +status: production +type: TTP +description: + The following analytic identifies executable files (.exe or .dll) being + written to Windows administrative SMB shares (Admin$, IPC$, C$). This represents + suspicious behavior as its commonly used by tools like PsExec/PaExec and others + to stage service binaries before creating and starting a Windows service on remote + endpoints. Red Teams and adversaries alike may abuse administrative shares for lateral + movement and remote code execution. The Trickbot malware family also implements + this behavior to try to infect other machines in the infected network. +data_source: + - Windows Event Log Security 5145 +search: + selection1: + file.path|endswith: + - .exe + - .dll + file.type: File + share: + - \\\\*\\C$ + - \\\\*\\IPC$ + - \\\\*\\admin$ + access_mask: 2 + condition: selection1 +how_to_implement: + To successfully implement this search, you need to be ingesting + Windows Security Event Logs with 5145 EventCode enabled. The Windows TA is also + required. Also enable the object Audit access success/failure in your group policy. +known_false_positives: + System Administrators may use looks like PsExec for troubleshooting + or administrations tasks. However, this will typically come only from certain users + and certain systems that can be added to an allow list. +references: + - https://attack.mitre.org/techniques/T1021/002/ + - https://www.rapid7.com/blog/post/2013/03/09/psexec-demystified/ + - https://labs.vipre.com/trickbot-and-its-modules/ + - https://whitehat.eu/incident-response-case-study-featuring-ryuk-and-trickbot-part-2/ + - https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/ +tags: + analytic_story: + - Active Directory Lateral Movement + - Prestige Ransomware + - Graceful Wipe Out Attack + - Industroyer2 + - IcedID + - Data Destruction + - Hermetic Wiper + - Trickbot + asset_type: Endpoint + confidence: 100 + impact: 70 + message: + $src_user$ dropped or created an executable file in known sensitive SMB share. Share + name=$ShareName$, Target name=$RelativeTargetName$, and Access mask=$AccessMask$ + mitre_attack_id: + - T1021 + - T1021.002 + observable: [] + product: + - Splunk Behavioral Analytics + required_fields: [] + risk_score: 70 + security_domain: endpoint +tests: + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/exe_smbshare/windows-xml.log + source: XmlWinEventLog:Security + sourcetype: XmlWinEventLog diff --git a/dist/DA-ESS-ContentUpdate/README.md b/dist/DA-ESS-ContentUpdate/README.md deleted file mode 100644 index 5dac27658a..0000000000 --- a/dist/DA-ESS-ContentUpdate/README.md +++ /dev/null @@ -1,7 +0,0 @@ -# Splunk ES Content Update - -This subscription service delivers pre-packaged Security Content for use with Splunk Enterprise Security. Subscribers get regular updates to help security practitioners more quickly address ongoing and time-sensitive customer problems and threats. - -Requires Splunk Enterprise Security version 4.5 or greater. - -For more information please visit the [Splunk ES Content Update user documentation](https://docs.splunk.com/Documentation/ESSOC). diff --git a/dist/DA-ESS-ContentUpdate/README/essoc_story_detail.txt b/dist/DA-ESS-ContentUpdate/README/essoc_story_detail.txt deleted file mode 100644 index 5333752842..0000000000 --- a/dist/DA-ESS-ContentUpdate/README/essoc_story_detail.txt +++ /dev/null @@ -1,15 +0,0 @@ -The Analytic Story Details dashboard renders all the details of the content related to a specific analytic story which -can be chose via the drop down - -Each analytic story has attributes associated with it and the following: -______________________________________________________________________ - - - Analytic Story: name of the analytic story - Description ; description of the analytic story - Search Name : The name of the searches belonging to the chosen analytic story - Search : The search query which looks for an attack pattern corresponding to the analytic story - Search Description: The description of the search query - Asset Type: The analytic story specifies what asset in the infrastructure may be compromised - Category: The category that the search belongs to (malware, vulnerabilities, best practices, abuse) - Kill Chain Phase: The kill chain phase of the attack that the search is after. \ No newline at end of file diff --git a/dist/DA-ESS-ContentUpdate/README/essoc_summary.txt b/dist/DA-ESS-ContentUpdate/README/essoc_summary.txt deleted file mode 100644 index d7dde31ec6..0000000000 --- a/dist/DA-ESS-ContentUpdate/README/essoc_summary.txt +++ /dev/null @@ -1,24 +0,0 @@ -The ES_SOC Summary Dashboard provides you a summarized view of the analytic story contents of the ES-SOC app. -The dashboard has the following panels gives you following details - -1) Analytic story Summary - - Total Analytic Stories : The total number of Analytic stories in the ES-SOC application - - Total Searches: The total number of searches in ES-SOC - - Searches added last week: Number of searches added to ES-SOC in the last week. - - 2) Analytic story Category: This dashboard panel summarizes the categories of the searches that the ES-SOC app contains. The categories of the analytic stories are as follow - -Malware: These searches detect specific malware behavior for a particular phase of the attack kill chain. E.g. a malware’s delivery method via email or a malware’s installation behavior via registry key changes - -Vulnerability: These searches detect behavior or a signature of a vulnerable software in use. These searches are not designed to replace vulnerability management or scanning systems. The purpose of these searches is to discover a vulnerability through side effects or behaviors. - -Abuse: Some actions can be deemed malicious because they are unexpected, violate corporate policy or are significantly different than the actions of other users. E.g. A USB disk that is seen on multiple systems or a user that uploads excessive files to a cloud service or a database query that dumps an entire table - -Best Practices: Searches that correspond to specific guidelines from organizations like SANS or OWASP - - 3) Kill Chain phases: Every analytic story has one or more searches which look for a certain kind of attack pattern/behavior. These searches have an attribute which essentially tells you what Kill chain phase does the search correspond to. - The numbers on the dashboard represents the number of searches correponding to each kill chain phase - - 4) Analytic story table: This table gives the user a comprehensive view of some of the details of the analytic story. Some of the listed attributes are: - - Analytic Story : The name of the analytic story - - Description: The description of the analyttic story - - Search names: The name of the searches in each analytic story - - Datamodels: The name of the datamodel that the search is querying against. - - Technology Examples: This field represent some examples related to the technologies required to populate the datamodels(Nessues, Cisco Firewall,etc) - - Kill chain phase: The name of the kill chain phase that the search belongs to \ No newline at end of file diff --git a/dist/DA-ESS-ContentUpdate/README/essoc_usage_dashboard.txt b/dist/DA-ESS-ContentUpdate/README/essoc_usage_dashboard.txt deleted file mode 100644 index fcbc842881..0000000000 --- a/dist/DA-ESS-ContentUpdate/README/essoc_usage_dashboard.txt +++ /dev/null @@ -1,51 +0,0 @@ -###################### -ESSOC Usage Dashboard# -###################### - -The ESSOC Usage dashboard is designed to provide high-level insight into the usage of the ES-SOC app. It is suitable for display when providing feedback to the Splunk team or for identifying how the ES-SOC app is being used. This dashboard has two time selectors that work independently - the top time selector determines the search time range for all the single-value. And the lower time selector, determines the time range for the usage table. - -IMPORTANT: The user loading this dashboard must have permission to search the _audit index - -################## -#Dashboard panels# -################## - -Searches Ran - -The total number of searches in ES-SOC that were executed. This number includes scheduled searches and ad hoc searches run from the search bar using the '| savedsearch ‘ syntax - -Unique Searches - -The unique/distinct searches executed on the deployment. This is equivalent to the distinct count of searches run in the ES-SOC app. - -Most Run - -The total number of searches in ES-SOC that were executed. This number includes scheduled searches and ad hoc searches run from the search bar using the '| savedsearch ‘ syntax. - -Ad hoc Searches - -The total number of searches run from the search bar using the '| savedsearch ‘ syntax. - -Scheduled - -The total number of ESSOC searches run that were scheduled. - -Most Active User - -The user who executed the highest number/count of searches. This calculation includes scheduled searches and ad hoc searches run from the search bar using the '| savedsearch ‘ syntax. - -Search Run Time (seconds) - -Total run time of all searches executed in seconds. This calculation includes scheduled searches and ad hoc searches run from the search bar using the '| savedsearch ‘ syntax. - -Average Run Time (seconds) - -Average run time of all searches executed in seconds. This calculation includes scheduled searches and ad hoc searches run from the search bar using the '| savedsearch ‘ syntax. - -Max Run Time (seconds) - -The run time of the longest running search. This calculation includes scheduled searches and ad hoc searches run from the search bar using the '| savedsearch ‘ syntax. - -Search summary - -This table provides details on each search that was executed in the ESSOC app. \ No newline at end of file diff --git a/dist/DA-ESS-ContentUpdate/app.manifest b/dist/DA-ESS-ContentUpdate/app.manifest deleted file mode 100644 index 5986dfb981..0000000000 --- a/dist/DA-ESS-ContentUpdate/app.manifest +++ /dev/null @@ -1,46 +0,0 @@ -{ - "schemaVersion": "1.0.0", - "info": { - "title": "ES Content Updates", - "id": { - "group": null, - "name": "DA-ESS-ContentUpdate", - "version": "4.33.0" - }, - "author": [ - { - "name": "Splunk Threat Research Team", - "email": "research@splunk.com", - "company": "Splunk" - } - ], - "releaseDate": "2024-06-06", - "description": "Explore the Analytic Stories included with ES Content Updates.", - "classification": { - "intendedAudience": null, - "categories": [], - "developmentStatus": null - }, - "commonInformationModels": null, - "license": { - "name": null, - "text": null, - "uri": null - }, - "privacyPolicy": { - "name": null, - "text": null, - "uri": null - }, - "releaseNotes": { - "name": null, - "text": "./README.md", - "uri": null - } - }, - "dependencies": null, - "tasks": null, - "inputGroups": null, - "incompatibleApps": null, - "platformRequirements": null -} \ No newline at end of file diff --git a/dist/DA-ESS-ContentUpdate/default/analytic_stories.conf b/dist/DA-ESS-ContentUpdate/default/analytic_stories.conf deleted file mode 100644 index 0cfdca344c..0000000000 --- a/dist/DA-ESS-ContentUpdate/default/analytic_stories.conf +++ /dev/null @@ -1,2 +0,0 @@ -### Deprecated since ESCU UI was deprecated and this conf file is no longer in use -### Using one single file analyticstories.conf that will be used both by ES and ESCU \ No newline at end of file diff --git a/dist/DA-ESS-ContentUpdate/default/analyticstories.conf b/dist/DA-ESS-ContentUpdate/default/analyticstories.conf deleted file mode 100644 index 4ef8cd6913..0000000000 --- a/dist/DA-ESS-ContentUpdate/default/analyticstories.conf +++ /dev/null @@ -1,20154 +0,0 @@ -############# -# Automatically generated by 'contentctl build' from -# https://github.com/splunk/contentctl -# On Date: 2024-06-06T17:49:54 UTC -# Author: Splunk Threat Research Team - Splunk -# Contact: research@splunk.com -############# - -### DETECTIONS ### - -[savedsearch://ESCU - CrushFTP Server Side Template Injection - Rule] -type = detection -asset_type = Web Application -confidence = medium -explanation = This analytic is designed to identify attempts to exploit a server-side template injection vulnerability in CrushFTP, designated as CVE-2024-4040. This severe vulnerability enables unauthenticated remote attackers to access and read files beyond the VFS Sandbox, circumvent authentication protocols, and execute arbitrary commands on the affected server. The issue impacts all versions of CrushFTP up to 10.7.1 and 11.1.0 on all supported platforms. It is highly recommended to apply patches immediately to prevent unauthorized access to the system and avoid potential data compromises. The search specifically looks for patterns in the raw log data that match the exploitation attempts, including READ or WRITE actions, and extracts relevant information such as the protocol, session ID, user, IP address, HTTP method, and the URI queried. It then evaluates these logs to confirm traces of exploitation based on the presence of specific keywords and the originating IP address, counting and sorting these events for further analysis. -how_to_implement = CrushFTP Session logs, from Windows or Linux, must be ingested to Splunk. Currently, there is no TA for CrushFTP, so the data must be extracted from the raw logs. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} -known_false_positives = False positives should be limited, however tune or filter as needed. -providing_technologies = null - -[savedsearch://ESCU - Detect New Login Attempts to Routers - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies new login attempts to routers. It leverages authentication logs from the ES Assets and Identity Framework, focusing on assets categorized as routers. The detection flags connections that have not been observed in the past 30 days. This activity is significant because unauthorized access to routers can lead to network disruptions or data interception. If confirmed malicious, attackers could gain control over network traffic, potentially leading to data breaches or further network compromise. -how_to_implement = To successfully implement this search, you must ensure the network router devices are categorized as "router" in the Assets and identity table. You must also populate the Authentication data model with logs related to users authenticating to routing infrastructure. -annotations = {"cis20": ["CIS 13"], "nist": ["DE.CM"]} -known_false_positives = Legitimate router connections may appear as new connections -providing_technologies = null - -[savedsearch://ESCU - Detect Risky SPL using Pretrained ML Model - Rule] -type = detection -asset_type = Web Server -confidence = medium -explanation = The following analytic uses a pretrained machine learning text classifier to detect potentially risky commands. The model is trained independently and then the model file is packaged within ESCU for usage. A command is deemed risky based on the presence of certain trigger keywords, along with the context and the role of the user (please see references). The model uses custom features to predict whether a SPL is risky using text classification. The model takes as input the command text, user and search type and outputs a risk score between [0,1]. A high score indicates higher likelihood of a command being risky. This model is on-prem only. -how_to_implement = This detection depends on the MLTK app which can be found here - https://splunkbase.splunk.com/app/2890/ and the Splunk Audit datamodel which can be found here - https://splunkbase.splunk.com/app/1621/. Additionally, you need to be ingesting logs which include Search_Activity.search, Search_Activity.user, Search_Activity.search_type from your endpoints. The risk score threshold should be adjusted based on the environment. The detection uses a custom MLTK model hence we need a few more steps for deployment, as outlined here - https://gist.github.com/ksharad-splunk/be2a62227966049047f5e5c4f2adcabb. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]} -known_false_positives = False positives may be present if suspicious behavior is observed, as determined by frequent usage of risky keywords. -providing_technologies = null - -[savedsearch://ESCU - Email Attachments With Lots Of Spaces - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects email attachments with an unusually high number of spaces in their file names, which is a common tactic used by attackers to obfuscate file extensions. It leverages the Email data model to identify attachments where the ratio of spaces to the total file name length exceeds 10%. This behavior is significant as it may indicate an attempt to bypass security filters and deliver malicious payloads. If confirmed malicious, this activity could lead to the execution of harmful code or unauthorized access to sensitive information within the recipient's environment. -how_to_implement = You need to ingest data from emails. Specifically, the sender's address and the file names of any attachments must be mapped to the Email data model. The threshold ratio is set to 10%, but this value can be configured to suit each environment. \ -**Splunk Phantom Playbook Integration** \ -If Splunk Phantom is also configured in your environment, a playbook called "Suspicious Email Attachment Investigate and Delete" can be configured to run when any results are found by this detection search. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/` and add the correct hostname to the "Phantom Instance" field in the Adaptive Response Actions when configuring this detection search. The notable event will be sent to Phantom and the playbook will gather further information about the file attachment and its network behaviors. If Phantom finds malicious behavior and an analyst approves of the results, the email will be deleted from the user's inbox. -annotations = {"cis20": ["CIS 13"], "nist": ["DE.AE"]} -known_false_positives = None at this time -providing_technologies = null - -[savedsearch://ESCU - Email files written outside of the Outlook directory - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects email files (.pst or .ost) being created outside the standard Outlook directories. It leverages the Endpoint.Filesystem data model to identify file creation events and filters for email files not located in "C:\Users\*\My Documents\Outlook Files\*" or "C:\Users\*\AppData\Local\Microsoft\Outlook*". This activity is significant as it may indicate data exfiltration or unauthorized access to email data. If confirmed malicious, an attacker could potentially access sensitive email content, leading to data breaches or further exploitation within the network. -how_to_implement = To successfully implement this search, you must be ingesting data that records the file-system activity from your hosts to populate the Endpoint.Filesystem data model node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or by other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file-system reads and writes. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114", "T1114.001"], "nist": ["DE.CM"]} -known_false_positives = Administrators and users sometimes prefer backing up their email data by moving the email files into a different folder. These attempts will be detected by the search. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Email servers sending high volume traffic to hosts - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a significant increase in data transfers from your email server to client hosts. It leverages the Network_Traffic data model to monitor outbound traffic from email servers, using statistical analysis to detect anomalies based on average and standard deviation metrics. This activity is significant as it may indicate a malicious actor exfiltrating data via your email server. If confirmed malicious, this could lead to unauthorized data access and potential data breaches, compromising sensitive information and impacting organizational security. -how_to_implement = This search requires you to be ingesting your network traffic and populating the Network_Traffic data model. Your email servers must be categorized as "email_server" for the search to work, as well. You may need to adjust the deviation_threshold and minimum_data_samples values based on the network traffic in your environment. The "deviation_threshold" field is a multiplying factor to control how much variation you're willing to tolerate. The "minimum_data_samples" field is the minimum number of connections of data samples required for the statistic to be valid. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114", "T1114.002"], "nist": ["DE.AE"]} -known_false_positives = The false-positive rate will vary based on how you set the deviation_threshold and data_samples values. Our recommendation is to adjust these values based on your network traffic to and from your email servers. -providing_technologies = null - -[savedsearch://ESCU - Monitor Email For Brand Abuse - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies emails claiming to be sent from a domain similar to one you are monitoring for potential abuse. It leverages email header data, specifically the sender's address, and cross-references it with a lookup table of known domain permutations generated by the "ESCU - DNSTwist Domain Names" search. This activity is significant as it can indicate phishing attempts or brand impersonation, which are common tactics used in social engineering attacks. If confirmed malicious, this could lead to unauthorized access, data theft, or reputational damage. -how_to_implement = You need to ingest email header data. Specifically the sender's address (src_user) must be populated. You also need to have run the search "ESCU - DNSTwist Domain Names", which creates the permutations of the domain that will be checked for. -annotations = {"cis20": ["CIS 13"], "nist": ["DE.CM"]} -known_false_positives = None at this time -providing_technologies = null - -[savedsearch://ESCU - No Windows Updates in a time frame - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search looks for Windows endpoints that have not generated an event indicating a successful Windows update in the last 60 days. Windows updates are typically released monthly and applied shortly thereafter. An endpoint that has not successfully applied an update in this time frame indicates the endpoint is not regularly being patched for some reason. -how_to_implement = To successfully implement this search, it requires that the 'Update' data model is being populated. This can be accomplished by ingesting Windows events or the Windows Update log via a universal forwarder on the Windows endpoints you wish to monitor. The Windows add-on should be also be installed and configured to properly parse Windows events in Splunk. There may be other data sources which can populate this data model, including vulnerability management systems. -annotations = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -known_false_positives = None identified -providing_technologies = null - -[savedsearch://ESCU - Okta Authentication Failed During MFA Challenge - Rule] -type = detection -asset_type = Okta Tenant -confidence = medium -explanation = The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled. -how_to_implement = The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004", "T1621"], "nist": ["DE.CM"]} -known_false_positives = A user may have accidentally entered the wrong credentials during the MFA challenge. If the user is new to MFA, they may have trouble authenticating. Ensure that the user is aware of the MFA process and has the correct credentials. -providing_technologies = ["Okta"] - -[savedsearch://ESCU - Okta IDP Lifecycle Modifications - Rule] -type = detection -asset_type = Okta Tenant -confidence = medium -explanation = This detection identifies modifications to Okta Identity Provider (IDP) lifecycle events, such as creation, activation, deactivation, and deletion of IDP configurations. Monitoring these events is crucial for maintaining the integrity and security of authentication mechanisms within an organization. By detecting unauthorized or anomalous changes, organizations can quickly respond to potential security breaches or misconfigurations, ensuring that their identity management systems remain secure and operational. -how_to_implement = The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.004"], "nist": ["DE.AE"]} -known_false_positives = It's possible for legitimate administrative actions or automated processes to trigger this detection, especially if there are bulk modifications to Okta IDP lifecycle events. Review the context of the modification, such as the user making the change and the specific lifecycle event modified, to determine if it aligns with expected behavior. -providing_technologies = ["Okta"] - -[savedsearch://ESCU - Okta MFA Exhaustion Hunt - Rule] -type = detection -asset_type = Okta Tenant -confidence = medium -explanation = The following analytic identifies patterns within Okta data to determine the amount of successful and failed pushes. Based on that, eval statements determine a finding of whether this is suspicious or not. The events are within a window of time and may be tuned as needed. -how_to_implement = The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110"], "nist": ["DE.AE"]} -known_false_positives = False positives may be present. Tune Okta and tune the analytic to ensure proper fidelity. Modify risk score as needed. Drop to anomaly until tuning is complete. -providing_technologies = ["Okta"] - -[savedsearch://ESCU - Okta Mismatch Between Source and Response for Verify Push Request - Rule] -type = detection -asset_type = Okta Tenant -confidence = medium -explanation = The following analytic identifies variations in client-based values for source and response events to identify suspicious request behavior. The detection is enhanced if the org is evaluating behavior conditions in sign-on policies using Okta Behavior Detection. NOTE: This detection requires the use of Okta Identity Engine (OIE) and will not function on Okta Classic. \ -For each Okta Verify Push challenge, the following two events are recorded in Okta System Log \ -Source of Push (Sign-In) \ -eventType eq \"system.push.send_factor_verify_push\" \ -User Push Response (Okta Verify client) \ -eventType eq "user.authentication.auth_via_mfa" AND debugContext.debugData.factor eq "OKTA_VERIFY_PUSH" \ -In sequence, the logic for the analytic - \ -* Groups by SessionID and retrieves any system.push.send_factor_verify_push events (the source of the push) and user.authentication.auth_via_mfa events where the factor is OKTA_VERIFY_PUSH - (the user response to the push) \ -* Counts the total number of push events, successful authentication events, and any push sources where the client is a new device. * Creates a ratio of successful sign-ins to pushes. \ -* If the ratio (currently tuned aggressively) indicates push spam, or if a user has rejected a push, the detection proceeds to evaluate whether there is more than one IP address used during the session (session roaming) and the presence of both a new IP and new device during the session. -how_to_implement = The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1621"], "nist": ["DE.CM"]} -known_false_positives = False positives may be present based on organization size and configuration of Okta. Monitor, tune and filter as needed. -providing_technologies = ["Okta"] - -[savedsearch://ESCU - Okta Multi-Factor Authentication Disabled - Rule] -type = detection -asset_type = Okta Tenant -confidence = medium -explanation = The following analytic identifies an attempt to disable multi-factor authentication for an Okta user. An adversary who has obtained access to an Okta tenant may disable multi-factor authentication as a way to plant a backdoor and maintain persistence using a valid account. This way the attackers can keep persistance in the environment without adding new users. -how_to_implement = The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1556", "T1556.006"], "nist": ["DE.CM"]} -known_false_positives = Legitimate use case may require for users to disable MFA. Filter lightly and monitor for any unusual activity. -providing_technologies = ["Okta"] - -[savedsearch://ESCU - Okta Multiple Accounts Locked Out - Rule] -type = detection -asset_type = Okta Tenant -confidence = medium -explanation = The following analytic utilizes the user.acount.lock event to identify multiple Okta accounts locking out in a short period of time. An adversary attempting to brute force or password spray account names may lock accounts out depending on the threshold set by the organization. Monitoring for multiple account lockouts can help detect potential account takeover attempts or unauthorized access to Okta accounts. -how_to_implement = The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110"], "nist": ["DE.AE"]} -known_false_positives = Multiple account lockouts may be also triggered by an application malfunction. Filter as needed, and monitor for any unusual activity. -providing_technologies = ["Okta"] - -[savedsearch://ESCU - Okta Multiple Failed MFA Requests For User - Rule] -type = detection -asset_type = Okta Tenant -confidence = medium -explanation = The following analytic identifies multiple failed multi-factor authentication requests for a single user within an Okta tenant. Specifically, the analytic triggers when more than 10 MFA user prompts fail within 10 minutes. The reasons for these failure could be several, like the user not responding in time or receiving multiple duplicate MFA requests. Okta tenants can be very different depending on the organization, Security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls as reported by Mandiant and others. -how_to_implement = The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1621"], "nist": ["DE.AE"]} -known_false_positives = Multiple Failed MFA requests may also be a sign of authentication or application issues. Filter as needed and monitor for any unusual activity. -providing_technologies = ["Okta"] - -[savedsearch://ESCU - Okta Multiple Failed Requests to Access Applications - Rule] -type = detection -asset_type = Okta Tenant -confidence = medium -explanation = The following analytic identifies multiple failed app requests in an attempt to identify the reuse a stolen web session cookie. The logic of the analytic is as follows: * Retrieves policy evaluation and SSO details in events that contain the Application requested \ -* Formats target fields so we can aggregate specifically on Applications (AppInstances) \ -* Groups by User, Session and IP \ -* Creates a ratio of successful SSO events to total MFA challenges related to Application Sign On Policies \ -* Alerts when more than half of app sign on events are unsuccessful, and challenges were unsatisfied for more than three apps. -how_to_implement = This analytic is specific to Okta and requires Okta:im2 logs to be ingested. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1550.004", "T1538"], "nist": ["DE.AE"]} -known_false_positives = False positives may be present based on organization size and configuration of Okta. -providing_technologies = ["Okta"] - -[savedsearch://ESCU - Okta Multiple Users Failing To Authenticate From Ip - Rule] -type = detection -asset_type = Okta Tenant -confidence = medium -explanation = This analytic identifies instances where multiple users (more than 10 unique accounts) have failed to authenticate from a single IP address within a short time span (5 minutes) within an Okta tenant. Such a pattern can be indicative of malicious activities, such as brute-force attacks or password spraying attempts. Identifying and responding to such patterns promptly is crucial to prevent potential account compromises and unauthorized access to organizational resources. If the detection is a true positive, it suggests that an external entity is actively trying to breach security by targeting multiple user accounts. -how_to_implement = The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003"], "nist": ["DE.AE"]} -known_false_positives = A source Ip failing to authenticate with multiple users in a short period of time is not common legitimate behavior. -providing_technologies = ["Okta"] - -[savedsearch://ESCU - Okta New API Token Created - Rule] -type = detection -asset_type = Okta Tenant -confidence = medium -explanation = The following analytic identifies when a new API token is created within an Okta tenant. An adversary may create a new API token to maintain persistence within the environment. Monitoring for new API tokens can help detect potential account takeover attempts or unauthorized access to Okta accounts. -how_to_implement = The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.CM"]} -known_false_positives = False positives may be present. Tune Okta and tune the analytic to ensure proper fidelity. Modify risk score as needed. -providing_technologies = ["Okta"] - -[savedsearch://ESCU - Okta New Device Enrolled on Account - Rule] -type = detection -asset_type = Okta Tenant -confidence = medium -explanation = The following analytic identifies when a new device is enrolled on an Okta account. This behavior is indicative of a user adding a new device to their account. This activity is common when a user is setting up a new device or when a user has lost access to their previous device. However, this activity can also be indicative of an adversary adding a new device to an account to maintain access to an account. Monitoring for this activity can help detect potential account takeover attempts or unauthorized access to Okta accounts. -how_to_implement = The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098", "T1098.005"], "nist": ["DE.CM"]} -known_false_positives = It is possible that the user has legitimately added a new device to their account. Please verify this activity. -providing_technologies = ["Okta"] - -[savedsearch://ESCU - Okta Phishing Detection with FastPass Origin Check - Rule] -type = detection -asset_type = Infrastructure -confidence = medium -explanation = The following analytic identifies when Okta''s FastPass prevents known phishing sites. When your users are enrolled in FastPass, Okta can provide defenders a high-fidelity signal for when user applications are being targeted by attackers wielding real-time (AiTM) proxies. Okta''s Defensive Cyber Operations team routinely identifies phishing infrastructure configured to imitate an Okta sign-in page and proactively notify Okta customers when suspicious infrastructure we detect appears to be targeting their users. Since March 2020, we have delivered over 1000 notifications to customers. -how_to_implement = This search is specific to Okta and requires Okta logs to be ingested in your Splunk deployment. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078", "T1078.001", "T1556"], "nist": ["DE.CM"]} -known_false_positives = Fidelity of this is high as Okta is specifying malicious infrastructure. Filter and modify as needed. -providing_technologies = ["Okta"] - -[savedsearch://ESCU - Okta Risk Threshold Exceeded - Rule] -type = detection -asset_type = Okta Tenant -confidence = medium -explanation = This correlation computes the risk events associated with the detection analytics from "Suspicious Okta Activity", "Okta Account Takeover", and "Okta MFA Exhaustion" analytic stories. This analytic will trigger a notable event in your incident review when there are 5 or more distinct TTPs related to these analytic stories in the last 24 hours. This incident highlights potentially suspicious activity by a compromised user. -how_to_implement = This search leverages the Risk Framework from Enterprise Security. Ensure that "Suspicious Okta Activity", "Okta Account Takeover", and "Okta MFA Exhaustion" analytic stories are enabled. TTPs may be set to Notables for point detections; anomalies should not be notables but rather risk generators. The correlation relies on risk before generating a notable. Modify the value as needed. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078", "T1110"], "nist": ["DE.AE"]} -known_false_positives = False positives will be limited to the number of events generated by the analytics tied to the stories. Analytics will need to be tested and tuned, and the risk score reduced as needed based on the organization. -providing_technologies = ["Okta"] - -[savedsearch://ESCU - Okta Successful Single Factor Authentication - Rule] -type = detection -asset_type = Okta Tenant -confidence = medium -explanation = This analytic identifies successful authentication events against the Okta Dashboard for accounts without Multi-Factor Authentication enabled. It specifically searches for events where "Okta Verify" is not detected during authentication. This could indicate a misconfiguration, a policy violation, or an account takeover attempt that warrants investigation. If your organization has other authenticators configured in the environment, consider excluding those from the "targets" in the detection search. -how_to_implement = This detection utilizes logs from Okta environments and requires the ingestion of OktaIm2 logs through the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004", "T1621"], "nist": ["DE.AE"]} -known_false_positives = Although not recommended, certain users may be exempt from multi-factor authentication. Adjust the filter as necessary. -providing_technologies = ["Okta"] - -[savedsearch://ESCU - Okta Suspicious Activity Reported - Rule] -type = detection -asset_type = Okta Tenant -confidence = medium -explanation = The following analytic identifies when an associate reports a login attempt as suspicious via an email from Okta. It leverages Okta Identity Management logs, specifically the `user.account.report_suspicious_activity_by_enduser` event type. This activity is significant as it indicates potential unauthorized access attempts, warranting immediate investigation to prevent possible security breaches. If confirmed malicious, the attacker could gain unauthorized access to sensitive systems and data, leading to data theft, privilege escalation, or further compromise of the environment. -how_to_implement = This detection utilizes logs from Okta Identity Management (IM) environments. It requires the ingestion of OktaIm2 logs through the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). Additionally, it necessitates the activation of suspicious activity reporting and training for associates to report such activities. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.CM"]} -known_false_positives = False positives should be minimal, given the high fidelity of this detection. marker. -providing_technologies = ["Okta"] - -[savedsearch://ESCU - Okta Suspicious Use of a Session Cookie - Rule] -type = detection -asset_type = Okta Tenant -confidence = medium -explanation = The following analytic looks for one or more policy evaluation events in which multiple client values (IP, User Agent, etc.) change associated to the same Device Token for a specific user. A detection opportunity arises when an adversary attempts to reuse a stolen web session cookie. \ -* Retrieves policy evaluation events from successful authentication events. \ -* Aggregates/Groups by Device Token and User, providing the first policy evaluation event in the search window. \ -* It checks for the presence of more than one IP and whether there are multiple OS or browsers for each User/Device Token combination. -how_to_implement = This detection utilizes logs from Okta Identity Management (IM) environments. It requires the ingestion of OktaIm2 logs through the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1539"], "nist": ["DE.AE"]} -known_false_positives = False positives may occur, depending on the organization's size and the configuration of Okta. -providing_technologies = ["Okta"] - -[savedsearch://ESCU - Okta ThreatInsight Threat Detected - Rule] -type = detection -asset_type = Infrastructure -confidence = medium -explanation = This anomaly is based on the identification of threats by Okta ThreatInsight. It allows for the escalation of risk based on src_ip or the addition of fields for further tracking. Possible identifications include password spraying, login failures, and login failures with a high count of unknown users. -how_to_implement = This detection utilizes logs from Okta Identity Management (IM) environments. It requires the ingestion of OktaIm2 logs through the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078", "T1078.004"], "nist": ["DE.AE"]} -known_false_positives = False positives may occur. It is recommended to fine-tune Okta settings and the analytic to ensure high fidelity. Adjust the risk score as necessary. -providing_technologies = ["Okta"] - -[savedsearch://ESCU - Okta Unauthorized Access to Application - Rule] -type = detection -asset_type = Okta Tenant -confidence = medium -explanation = This search detects instances where a user attempts to access an Okta application that has not been assigned to them. Such unauthorized access to applications poses a significant security risk, potentially leading to the exposure of sensitive information, disruption of services, and breaches of data protection laws. Ensuring that only authorized users have access to applications is crucial for maintaining a secure and compliant IT environment. -how_to_implement = This detection utilizes logs from Okta Identity Management (IM) environments and requires the ingestion of OktaIm2 logs through the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.004"], "nist": ["DE.AE"]} -known_false_positives = There is a possibility that a user may accidentally click on the wrong application, which could trigger this event. It is advisable to verify the location from which this activity originates. -providing_technologies = ["Okta"] - -[savedsearch://ESCU - Okta User Logins from Multiple Cities - Rule] -type = detection -asset_type = Okta Tenant -confidence = medium -explanation = This search identifies instances where the same user logs in from different cities within a 24-hour period, potentially indicating a compromised account. Such behavior may be indicative of an attacker attempting to gain unauthorized access to an Okta account from multiple locations. Investigating and responding to such incidents promptly is crucial to prevent account takeovers and data breaches. -how_to_implement = This detection utilizes logs from Okta Identity Management (IM) environments. It requires the ingestion of OktaIm2 logs through the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization"], "mitre_attack": ["T1586.003"], "nist": ["DE.AE"]} -known_false_positives = It is uncommon for a user to log in from multiple cities simultaneously, which may indicate a false positive. -providing_technologies = ["Okta"] - -[savedsearch://ESCU - Path traversal SPL injection - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = On May 3rd, 2022, Splunk published a security advisory for a Path traversal in search parameter that can potentiall allow SPL injection. An attacker can cause the application to load data from incorrect endpoints, urls leading to outcomes such as running arbitrary SPL queries. -how_to_implement = This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. This search will provide search UI requests with path traversal parameter ("../../../../../../../../../") which shows exploitation attempts. This detection is meant for on premise environments, and if executed on internet facing servers without a WAF may produce a lot of results. This detection will not work against obfuscated path traversal requests. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1083"], "nist": ["DE.CM"]} -known_false_positives = This search may find additional path traversal exploitation attempts. -providing_technologies = null - -[savedsearch://ESCU - Persistent XSS in RapidDiag through User Interface Views - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = In Splunk Enterprise 9.0 versions before 9.0.4, a View allows for Cross-Site Scripting through the error message in a Base64-encoded image. The vulnerability affects instances with Splunk Web enabled. It does not affect Splunk Enterprise versions below 9.0. This search provides information on what user may have potentially added a malicious payload and what users were exposed to it. -how_to_implement = This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.CM"]} -known_false_positives = This is a hunting search, it will not deobfuscate base64 payload, it provides however it will provide what user added the view artifact and what user opened it. It will require further investigation based on the information presented by this hunting search. -providing_technologies = ["Splunk Internal Logs"] - -[savedsearch://ESCU - PingID Mismatch Auth Source and Verification Response - Rule] -type = detection -asset_type = Identity -confidence = medium -explanation = The following analytic identifies variations in the authentication event IP address versus the verification response event IP address to identify suspicious sign-in behavior. Currently this detection is configured to identify when the originating country of an authentication request is different than the verification country. -how_to_implement = Target environment must ingest JSON logging from a PingID(PingOne) enterprise environment, either via Webhook or Push Subscription. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1621", "T1556.006", "T1098.005"], "nist": ["DE.CM"]} -known_false_positives = False positives may be generated by users working out the geographic region where the organizations services or technology is hosted. -providing_technologies = ["Ping ID"] - -[savedsearch://ESCU - PingID Multiple Failed MFA Requests For User - Rule] -type = detection -asset_type = Identity -confidence = medium -explanation = The following analytic identifies multiple failed multi-factor authentication requests for a single user within a PingID (PingOne) environment. Specifically, the analytic triggers when 10 or more MFA user prompts fail within 10 minutes. PingID environments can be very different depending on the organization, Security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls as reported by Mandiant and others. -how_to_implement = Target environment must ingest JSON logging from a PingID(PingOne) enterprise environment, either via Webhook or Push Subscription. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1621", "T1078", "T1110"], "nist": ["DE.CM"]} -known_false_positives = False positives may be generated by normal provisioning workflows for user device registration. -providing_technologies = ["Ping ID"] - -[savedsearch://ESCU - PingID New MFA Method After Credential Reset - Rule] -type = detection -asset_type = Identity -confidence = medium -explanation = A common social engineering technique used by threat actors is the impersonation of a valid user to organizational support staff for a password reset. During the same support call or quickly afterwards the threat actor will request provisioning of a new MFA device. This does not require malware or phishing infrastructure and has proven to be successful in numerous historical attacks. This detection looks for the pattern of password reset, followed by MFA device provisioning. -how_to_implement = Target environment must ingest Windows Event Log and PingID(PingOne) data sources. Specifically from logs from Active Directory Domain Controllers and JSON logging from a PingID(PingOne) enterprise environment, either via Webhook or Push Subscription. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1621", "T1556.006", "T1098.005"], "nist": ["DE.CM"]} -known_false_positives = False positives may be generated by normal provisioning workflows that generate a password reset followed by a device registration. -providing_technologies = ["Microsoft Windows", "Ping ID"] - -[savedsearch://ESCU - PingID New MFA Method Registered For User - Rule] -type = detection -asset_type = Identity -confidence = medium -explanation = The following analytic detects the registration of a new Multi-Factor Authentication (MFA) method for a PingID (PingOne) account. It leverages JSON logs from PingID, specifically looking for successful device pairing events. This activity is significant as adversaries who gain unauthorized access to a user account may register a new MFA method to maintain persistence. If confirmed malicious, this could allow attackers to bypass existing security measures, maintain long-term access, and potentially escalate their privileges within the compromised environment. -how_to_implement = Target environment must ingest JSON logging from a PingID(PingOne) enterprise environment, either via Webhook or Push Subscription. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1621", "T1556.006", "T1098.005"], "nist": ["DE.CM"]} -known_false_positives = False positives may be generated by normal provisioning workflows for user device registration. -providing_technologies = ["Ping ID"] - -[savedsearch://ESCU - Splunk Absolute Path Traversal Using runshellscript - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the exploitation of an absolute path traversal vulnerability in Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, where an attacker can execute arbitrary code located on a separate disk. It leverages logs from the `splunk_python` macro, specifically looking for the `runshellscript` command with a specific argument count and path pattern. This activity is significant as it indicates a potential exploitation attempt that could lead to unauthorized code execution. If confirmed malicious, this could allow an attacker to gain control over the Splunk instance, leading to data breaches or further system compromise. -how_to_implement = Must have access to internal indexes. Only applies to Splunk on Windows versions. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1083"], "nist": ["DE.AE"]} -known_false_positives = The command runshellscript can be used for benign purposes. Analyst will have to review the searches and determined maliciousness specially by looking at targeted script. -providing_technologies = null - -[savedsearch://ESCU - Splunk Account Discovery Drilldown Dashboard Disclosure - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = Splunk drilldown vulnerability disclosure in Dashboard application that can potentially allow exposure of tokens from privilege users. An attacker can create dashboard and share it to privileged user (admin) and detokenize variables using external urls within dashboards drilldown function. -how_to_implement = This search uses REST function to query for dashboards with environment variables present in URL options. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087"], "nist": ["DE.CM"]} -known_false_positives = This search may reveal non malicious URLs with environment variables used in organizations. -providing_technologies = null - -[savedsearch://ESCU - Splunk App for Lookup File Editing RCE via User XSLT - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the creation of lookup files in Splunk, which could indicate an attempt to exploit remote code execution via user-supplied XSLT. It leverages REST API queries to monitor the creation of these lookups, focusing on fields such as title, author, and access control lists. This activity is significant because it targets a known vulnerability in Splunk versions 9.1.x, potentially allowing attackers to execute arbitrary code. If confirmed malicious, this could lead to unauthorized code execution, compromising the integrity and security of the Splunk environment. -how_to_implement = Because there is no way to detect the payload, this search only provides the ability to monitor the creation of lookups which are the base of this exploit. An operator must then investigate suspicious lookups. This search requires ability to perform REST queries. Note that if the Splunk App for Lookup File Editing is not, or was not, installed in the Splunk environment then it is not necessary to run the search as the enviornment was not vulnerable. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1210"], "nist": ["DE.AE"]} -known_false_positives = This search will provide information for investigation and hunting of lookup creation via user-supplied XSLT which may be indications of possible exploitation. There will be false positives as it is not possible to detect the payload executed via this exploit. -providing_technologies = null - -[savedsearch://ESCU - Splunk Authentication Token Exposure in Debug Log - Rule] -type = detection -asset_type = Splunk Server -confidence = medium -explanation = This detection search finds exposed authentication tokens in debug logs. This issue occurs in Splunk Enterprise versions below 9.2.1, 9.1.4, and 9.0.9, which may be affected by a vulnerability where JsonWebTokens can be exposed if the log level is set to DEBUG. -how_to_implement = Requires access to internal Splunk indexes. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1654"], "nist": ["DE.CM"]} -known_false_positives = Only applies to affected versions of Splunk Enterprise below 9.2.1, 9.1.4, and 9.0.9 -providing_technologies = null - -[savedsearch://ESCU - Splunk Code Injection via custom dashboard leading to RCE - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This hunting search provides information about a vulnerability in Splunk Enterprise versions below 8.2.9, 8.1.12, 9.0.2, where an authenticated user can execute arbitrary code via the dashboard pdf generation component. Please review events with file=export in the _internal index for the potential targets of exploitation. -how_to_implement = This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1210"], "nist": ["DE.AE"]} -known_false_positives = Not all exports and downloads are malicious, special attention must be put as well on /en-US/splunkd/__raw/services/pdfgen/render in the context of this search. -providing_technologies = ["Splunk Internal Logs"] - -[savedsearch://ESCU - Splunk Command and Scripting Interpreter Delete Usage - Rule] -type = detection -asset_type = Web Server -confidence = medium -explanation = The following analytic identifies the use of the risky command - Delete - that may be utilized in Splunk to delete some or all data queried for. In order to use Delete in Splunk, one must be assigned the role. This is typically not used and should generate an anomaly if it is used. -how_to_implement = To successfully implement this search acceleration is recommended against the Search_Activity datamodel that runs against the splunk _audit index. In addition, this analytic requires the Common Information Model App which includes the Splunk Audit Datamodel https://splunkbase.splunk.com/app/1621/. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]} -known_false_positives = False positives may be present if this command is used as a common practice. Filter as needed. -providing_technologies = null - -[savedsearch://ESCU - Splunk Command and Scripting Interpreter Risky Commands - Rule] -type = detection -asset_type = Web Server -confidence = medium -explanation = The Splunk platform contains built-in search processing language (SPL) safeguards to warn you when you are about to unknowingly run a search that contains commands that might be a security risk. This warning appears when you click a link or type a URL that loads a search that contains risky commands. The warning does not appear when you create ad hoc searches. This warning alerts you to the possibility of unauthorized actions by a malicious user. Unauthorized actions include - Copying or transferring data (data exfiltration), Deleting data and Overwriting data. All risky commands may be found here https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards#Commands_that_trigger_the_warninga. A possible scenario when this might occur is when a malicious actor creates a search that includes commands that exfiltrate or damage data. The malicious actor then sends an unsuspecting user a link to the search. The URL contains a query string (q) and a search identifier (sid), but the sid is not valid. The malicious actor hopes the user will use the link and the search will run. During analysis, pivot based on user name and filter any user or queries not needed. Queries ran from a dashboard are seen as adhoc queries. When a query runs from a dashboard it will not show in audittrail logs the source dashboard name. The query defaults to adhoc and no Splunk system user activity. In addition, modify this query by removing key commands that generate too much noise, or too little, and create separate queries with higher confidence to alert on. -how_to_implement = To successfully implement this search acceleration is recommended against the Search_Activity datamodel that runs against the splunk _audit index. In addition, this analytic requires the Common Information Model App which includes the Splunk Audit Datamodel https://splunkbase.splunk.com/app/1621/. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as "curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json". A user should then create an empty container or case, attach the workbook, and begin working through the tasks. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]} -known_false_positives = False positives will be present until properly filtered by Username and search name. -providing_technologies = null - -[savedsearch://ESCU - Splunk Command and Scripting Interpreter Risky SPL MLTK - Rule] -type = detection -asset_type = Web Server -confidence = medium -explanation = This detection utilizes machine learning model named "risky_command_abuse" trained from "Splunk Command and Scripting Interpreter Risky SPL MLTK Baseline". It should be scheduled to run hourly to detect whether a user has run searches containing risky SPL from this list https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards#Commands_that_trigger_the_warninga with abnormally long running time in the past one hour, comparing with his/her past seven days history. This search uses the trained baseline to infer whether a search is an outlier (isOutlier ~= 1.0) or not (isOutlier~= 0.0) -how_to_implement = This detection depends on MLTK app which can be found here - https://splunkbase.splunk.com/app/2890/ and the Splunk Audit datamodel which can be found here - https://splunkbase.splunk.com/app/1621/. Baseline model needs to be built using "Splunk Command and Scripting Interpreter Risky SPL MLTK Baseline" before this search can run. Please note that the current search only finds matches exactly one space between separator bar and risky commands. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]} -known_false_positives = If the run time of a search exceeds the boundaries of outlier defined by the fitted density function model, false positives can occur, incorrectly labeling a long running search as potentially risky. -providing_technologies = null - -[savedsearch://ESCU - Splunk csrf in the ssg kvstore client endpoint - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, a cross-site request forgery in the Splunk Secure Gateway (SSG) app in the kvstore_client endpoint allows for updating SSG KV store collections via a GET request. SSG is a Splunk Built app included by default with Splunk Enterprise. The vulnerability affects instances with SSG and Splunk Web enabled. This hunting search provides information on affected server specific method and post data that may reveal exploitation of this vulnerability. -how_to_implement = Requires access to internal index. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.CM"]} -known_false_positives = This hunting search only applies to the affected versions and setup mentioned in the description of this search, it does not extract payload so it requires manual investigation after executing search. This search will produce false positives. -providing_technologies = null - -[savedsearch://ESCU - Splunk Data exfiltration from Analytics Workspace using sid query - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This hunting search allows operator to discover attempts to exfiltrate data by executing a prepositioned malicious search ID in Analytic Workspace in Splunk Enterprise versions 8.2.9,8.1.12,9.0.2. The attack is browser-based. It requires the attacker to compel a victim to initiate a request within their browser (phishing). The attacker cannot exploit the vulnerability at will. -how_to_implement = The vulnerability affects only instances with Splunk Web Enabled. After running this search, please run "Splunk Command and Scripting Interpreter Risky SPL MLTK" to gain more insight into potentially risky commands which could lead to data exfiltration. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1567"], "nist": ["DE.AE"]} -known_false_positives = This search may produce false positives. This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. Special attention must be paid to "/en-US/app/search/analytics_workspace?sid=[sid]" which is where the malicious code will be inserted to trigger attack at victim. -providing_technologies = ["Splunk Internal Logs"] - -[savedsearch://ESCU - Splunk Digital Certificates Infrastructure Version - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search will check the TLS validation is properly configured on the search head it is run from as well as its search peers after Splunk version 9. Other components such as additional search heads or anything this rest command cannot be distributed to will need to be manually checked. -how_to_implement = The user running this search is required to have a permission allowing them to dispatch REST requests to indexers (the `dispatch_rest_to_indexers` capability) in some architectures. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as "curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json". A user should then create an empty container or case, attach the workbook, and begin working through the tasks. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization"], "mitre_attack": ["T1587.003"], "nist": ["DE.AE"]} -known_false_positives = No known at this time. -providing_technologies = null - -[savedsearch://ESCU - Splunk Digital Certificates Lack of Encryption - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = On June 14th, 2022, Splunk released a security advisory relating to the authentication that happens between Universal Forwarders and Deployment Servers. In some circumstances, an unauthenticated client can download forwarder bundles from the Deployment Server. In other circumstances, a client may be allowed to publish a forwarder bundle to other clients, which may allow for arbitrary code execution. The fixes for these require upgrading to at least Splunk 9.0 on the forwarder as well. This is a great opportunity to configure TLS across the environment. This search looks for forwarders that are not using TLS and adds risk to those entities. -how_to_implement = This anomaly search looks for forwarder connections that are not currently using TLS. It then presents the source IP, the type of forwarder, and the version of the forwarder. You can also remove the "ssl=false" argument from the initial stanza in order to get a full list of all your forwarders that are sending data, and the version of Splunk software they are running, for audit purposes. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as "curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json". A user should then create an empty container or case, attach the workbook, and begin working through the tasks. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization"], "mitre_attack": ["T1587.003"], "nist": ["DE.AE"]} -known_false_positives = None at this time -providing_technologies = null - -[savedsearch://ESCU - Splunk DoS Using Malformed SAML Request - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = In Splunk Enterprise versions lower than 9.0.6, and 8.2.12, an attacker can send a malformed security assertion markup language SAML request to the /saml/acs REST endpoint which can cause a denial of service through a crash or hang of the Splunk daemon.The SAML extensible markup language (XML) parser does not fail SAML signature validation when the attacker modifies the URI in the SAML request. Instead it attempts to access the modified URI, which causes the Splunk daemon to crash or hang. -how_to_implement = To run this search, you must have access to the _internal index. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1498"], "nist": ["DE.AE"]} -known_false_positives = This search will show false positives. The analyst must look for errors and a pointer indicating a malicious file. -providing_technologies = null - -[savedsearch://ESCU - Splunk DOS Via Dump SPL Command - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a potential Denial of Service (DoS) attack exploiting the dump SPL command in vulnerable Splunk Enterprise versions. It detects this activity by searching the `splunk_crash_log` for segmentation fault entries, indicating a crash of the Splunk daemon. This activity is significant for a SOC because it can disrupt the availability of Splunk services, impacting monitoring and incident response capabilities. If confirmed malicious, this attack could render Splunk Enterprise unusable, severely hindering an organization's ability to detect and respond to other security threats. -how_to_implement = This search does not require additional ingestion of data. Requires the ability to search _internal index and monitor segmentation faults. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1499.004"], "nist": ["DE.AE"]} -known_false_positives = Segmentation faults may occur due to other causes, so this search may produce false positives -providing_technologies = null - -[savedsearch://ESCU - Splunk DoS via Malformed S2S Request - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = On March 24th, 2022, Splunk published a security advisory for a possible Denial of Service stemming from the lack of validation in a specific key-value field in the Splunk-to-Splunk (S2S) protocol. This detection will alert on attempted exploitation in patched versions of Splunk. -how_to_implement = This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. This detection will only find attempted exploitation on versions of Splunk already patched for CVE-2021-3422. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1498"], "nist": ["DE.CM"]} -known_false_positives = None. -providing_technologies = null - -[savedsearch://ESCU - Splunk DOS via printf search function - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This hunting search provides information on detecting a vulnerability In Splunk Enterprise versions lower than 8.1.14, 8.2.12, 9.0.6, and 9.1.1, an attacker can use the printf SPL function to perform a denial of service against the Splunk Enterprise instance. -how_to_implement = This search requires the ability to search internal indexes. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1499.004"], "nist": ["DE.AE"]} -known_false_positives = This search may produces false positives, analyst most focuse in the use of printf conversion function of eval to craft an expression that splunkd cannot interpret correctly causing it to crash. -providing_technologies = ["Splunk Internal Logs"] - -[savedsearch://ESCU - Splunk Edit User Privilege Escalation - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies attempts by low-privilege users to escalate their privileges to admin by exploiting the edit_user capability. It detects this activity by analyzing audit trail logs for specific actions such as "change_own_password" and "edit_password" where the info field is "granted" and the user is not an admin or system user. This activity is significant because it indicates potential privilege escalation, which is a critical security concern. If confirmed malicious, this could allow an attacker to gain administrative access, leading to full control over the Splunk environment and potential data breaches. -how_to_implement = This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. This detection may assist in efforts to discover abuse of edit_user privilege. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548"], "nist": ["DE.AE"]} -known_false_positives = This search may produce false positives as password changing actions may be part of normal behavior. Operator will need to investigate these actions in order to discern exploitation attempts. -providing_technologies = null - -[savedsearch://ESCU - Splunk Endpoint Denial of Service DoS Zip Bomb - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search allows operator to identify Splunk search app crashes resulting from specially crafted ZIP file using file monitoring that affects UF versions 8.1.11 and 8.2 versions below 8.2.7.1. It is not possible to detect Zip Bomb attack before crash. This search will provide Universal Forwarder errors from uploaded binary files (zip compression) which are used for this attack. If an analyst sees results from this search we suggest you investigate and triage what zip file was uploaded, zip compressed files may have different extensions. -how_to_implement = Need to monitor Splunkd data from Universal Forwarders. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1499"], "nist": ["DE.CM"]} -known_false_positives = This search may reveal non malicious zip files causing errors as well. -providing_technologies = null - -[savedsearch://ESCU - Splunk Enterprise KV Store Incorrect Authorization - Rule] -type = detection -asset_type = Splunk Server -confidence = medium -explanation = In Splunk Enterprise versions below 9.0.8 and 9.1.3, Splunk app key value store KV Store improperly handles permissions for users using the REST application programming interface (API). This can potentially result in the deletion of KV Store collections. -how_to_implement = Requires access to internal indexes and REST API enabled instances. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548"], "nist": ["DE.AE"]} -known_false_positives = This is a hunting search and will produce false positives. Operator must follow results into instances where curl requests coming from actual users may indicate intent of exploitation. -providing_technologies = null - -[savedsearch://ESCU - Splunk Enterprise Windows Deserialization File Partition - Rule] -type = detection -asset_type = Splunk Server -confidence = medium -explanation = The following analytic identifies attempts to exploit a deserialization vulnerability in Splunk Enterprise for Windows versions below 9.0.8 and 9.1.3. It detects irregular path file executions by analyzing `splunk_python` logs and extracting file paths and names. This activity is significant because it indicates potential exploitation of a known vulnerability, which could lead to arbitrary code execution. If confirmed malicious, an attacker could gain unauthorized access, execute arbitrary code, and potentially compromise the entire Splunk environment, leading to data breaches and further system exploitation. -how_to_implement = Requires access to internal indexes. This detection search will display irregular path file execution, which will display exploit attempts. Only applies to Microsoft Windows Splunk versions. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} -known_false_positives = Irregular path with files that may be purposely called for benign reasons may produce false positives. -providing_technologies = null - -[savedsearch://ESCU - Splunk ES DoS Investigations Manager via Investigation Creation - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = In Splunk Enterprise Security (ES) versions lower than 7.1.2, an attacker can create a malformed Investigation to perform a denial of service (DoS). The malformed investigation prevents the generation and rendering of the Investigations manager until it is deleted. -how_to_implement = This search requires access to internal indexes. Only affects Splunk Enterprise Security versions lower than 7.1.2. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1499"], "nist": ["DE.CM"]} -known_false_positives = The vulnerability requires an authenticated session and access to create an Investigation. It only affects the availability of the Investigations manager, but without the manager, the Investigations functionality becomes unusable for most users. This search gives the exact offending event. -providing_technologies = ["Splunk Internal Logs"] - -[savedsearch://ESCU - Splunk ES DoS Through Investigation Attachments - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = In Splunk Enterprise Security (ES) versions below 7.1.2, an attacker can use investigation attachments to perform a denial of service (DoS) to the Investigation. The attachment endpoint does not properly limit the size of the request which lets an attacker cause the Investigation to become inaccessible. -how_to_implement = This search requires access to internal indexes, only affects Enterprise Security versions below 7.1.2. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1499"], "nist": ["DE.CM"]} -known_false_positives = This search will show the exact DoS event via error message and investigation id. The error however does not point exactly at the uploader as any users associated with the investigation will be affected. Operator must investigate using investigation id the possible origin of the malicious upload. Attack only affects specific investigation not the investigation manager. -providing_technologies = ["Splunk Internal Logs"] - -[savedsearch://ESCU - Splunk HTTP Response Splitting Via Rest SPL Command - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = A low-privileged user, using a specially crafted search command, can trigger an HTTP response splitting vulnerability with the rest SPL command that lets them potentially access other REST endpoints in the system arbitrarily, including accessing restricted content such as password files. This is because the user is able to inject the rest SPL command into the q parameter of an HTTP GET web request. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The attacker cannot exploit the vulnerability at will. -how_to_implement = This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. This search may assist in detecting possible http response splitting exploitation attemptss. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1027.006"], "nist": ["DE.AE"]} -known_false_positives = This search may have produce false positives as malformed or erroneous requests made to this endpoint may be executed willingly or erroneously by operators. -providing_technologies = ["Splunk Internal Logs"] - -[savedsearch://ESCU - Splunk Improperly Formatted Parameter Crashes splunkd - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the execution of improperly formatted INGEST_EVAL parameters in Splunk Enterprise, which can crash the splunkd service. It leverages the Splunk_Audit.Search_Activity datamodel to identify ad-hoc searches containing specific keywords. This activity is significant because it can disrupt Splunk operations, leading to potential data loss and service downtime. If confirmed malicious, an attacker could exploit this to cause a denial of service, impacting the availability and reliability of the Splunk environment. -how_to_implement = Requires access to audittrail and use of Splunk_Audit.Search_Activity datamodel. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1499"], "nist": ["DE.CM"]} -known_false_positives = This is a hunting search it should be focused on affected products, otherwise it is likely to produce false positives. -providing_technologies = null - -[savedsearch://ESCU - Splunk Information Disclosure in Splunk Add-on Builder - Rule] -type = detection -asset_type = Splunk Server -confidence = medium -explanation = The following analytic identifies the presence of vulnerable versions of Splunk Add-on Builder (below 4.1.4) that write sensitive information to internal log files. It uses REST API queries to check installed app versions and flags those below the secure threshold. This activity is significant because it exposes sensitive data, which could be exploited by attackers. If confirmed malicious, this vulnerability could lead to unauthorized access to sensitive information, compromising the security and integrity of the Splunk environment. Immediate updates to version 4.1.4 or higher are recommended. -how_to_implement = This search should be run on search heads where Splunk Add-on Builder may be installed. The results of this search will conclusively show whether or not a vulnerable version of Splunk Add-on Builder is currently installed. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1082"], "nist": ["DE.AE"]} -known_false_positives = This search is highly specific for vulnerable versions of Splunk Add-on Builder. There are no known false positives. -providing_technologies = null - -[savedsearch://ESCU - Splunk list all nonstandard admin accounts - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search will enumerate all Splunk Accounts with administrative rights on this instance. It deliberately ignores the default admin account since this is assumed to be present. This search may help in a detection the Cross-Site Scripting Attack listed: In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, a View allows for Cross-Site Scripting in an XML View through the 'layoutPanel' attribute in the 'module' tag. The vulnerability affects instances with Splunk Web enabled. -how_to_implement = The user running this search is required to have a permission allowing them to dispatch REST requests to indexers (the `dispatch_rest_to_indexers` capability) in some architectures. If there have been admin account, in addition to the standard admin account, intentionally created on this server, then edit the filter macro to exclude them. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]} -known_false_positives = It is not possible to discern from the user table whether or not users with admin rights have been created intentionally, accidentally, or as a result of exploitation. Each user with these rights should be investigated and, if legitimate, added to the filter macro above. If a user is not believed to be legitimate, then further investigation should take place. -providing_technologies = null - -[savedsearch://ESCU - Splunk Low Privilege User Can View Hashed Splunk Password - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, a low-privilege user who holds the user role can see the hashed version of the initial user name and password for the Splunk instance by using the rest SPL command against the conf-user-seed REST endpoint. This can lead to a privilege escalation that lets the user take over the admin account on the instance. -how_to_implement = This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. This detection may assist in efforts to discover attempts to access con-user-seed file content. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1212"], "nist": ["DE.AE"]} -known_false_positives = This search may produce false positives as accounts with high privileges may access this file. Operator will need to investigate these actions in order to discern exploitation attempts. -providing_technologies = ["Splunk Internal Logs"] - -[savedsearch://ESCU - Splunk Path Traversal In Splunk App For Lookup File Edit - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, a low-privilege user with access to the Splunk App for Lookup File Editing can, with a specially crafted web request, trigger a path traversal exploit that can then be used to read and write to restricted areas of the Splunk installation directory, including but not limited to the password hash file for the instance. -how_to_implement = This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. This detection is meant for on premise environments, and if executed on internet facing servers without a WAF may produce a lot of results. This detection will not work against obfuscated path traversal requests. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1083"], "nist": ["DE.AE"]} -known_false_positives = This search may find additional path traversal exploitation attempts or malformed requests. -providing_technologies = null - -[savedsearch://ESCU - Splunk Persistent XSS Via URL Validation Bypass W Dashboard - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = In Splunk Enterprise versions below 9.0.4, 8.2.10, and 8.1.13, a low-privileged user can bypass URL validation to perform a path traversal and access restricted and confidential information by targeting other users on the instance, including the admin user. The only affected version of bootstrap which shipped with Splunk was version 2.3.1, so the search is targeted at that version alone. -how_to_implement = This search does not require additional data to be ingested. This search requires ability to search _internal index. This search helps discover access to vulnerable bootstrap versions. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]} -known_false_positives = This search will produce numerous false positives as it shows ANY accesses to vulnerable bootstrap Javascript files. Accesses to these files occur during normal Splunk usage. To reduce or eliminate false positives, update the a version of Splunk which has addressed the vulnerability. -providing_technologies = ["Splunk Internal Logs"] - -[savedsearch://ESCU - Splunk Process Injection Forwarder Bundle Downloads - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = On June 14th, 2022, Splunk released a security advisory relating to the authentication that happens between Universal Forwarders and Deployment Servers. In some circumstances, an unauthenticated client can download forwarder bundles from the Deployment Server. This hunting search pulls a full list of forwarder bundle downloads where the peer column is the forwarder, the host column is the Deployment Server, and then you have a list of the apps downloaded and the serverclasses in which the peer is a member of. You should look for apps or clients that you do not recognize as being part of your environment. -how_to_implement = This hunting search uses native logs produced when a deployment server is within your environment. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as "curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json". A user should then create an empty container or case, attach the workbook, and begin working through the tasks. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.AE"]} -known_false_positives = None at this time. -providing_technologies = null - -[savedsearch://ESCU - Splunk Protocol Impersonation Weak Encryption Configuration - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = On June 14th, 2022, Splunk released a security advisory relating to TLS validation occuring within the httplib and urllib python libraries shipped with Splunk. In addition to upgrading to Splunk Enterprise 9.0 or later, several configuration settings need to be set. This search will check those configurations on the search head it is run from as well as its search peers. In addition to these settings, the PYTHONHTTPSVERIFY setting in $SPLUNK_HOME/etc/splunk-launch.conf needs to be enabled as well. Other components such as additional search heads or anything this rest command cannot be distributed to will need to be manually checked. -how_to_implement = The user running this search is required to have a permission allowing them to dispatch REST requests to indexers (The `dispatch_rest_to_indexers` capability). Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as "curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json". A user should then create an empty container or case, attach the workbook, and begin working through the tasks. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1001.003"], "nist": ["DE.AE"]} -known_false_positives = While all of the settings on each device returned by this search may appear to be hardened, you will still need to verify the value of PYTHONHTTPSVERIFY in $SPLUNK_HOME/etc/splunk-launch.conf on each device in order to harden the python configuration. -providing_technologies = null - -[savedsearch://ESCU - Splunk protocol impersonation weak encryption selfsigned - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the use of Splunk's default self-signed certificates, which are flagged as insecure. It detects events from the `splunkd` log where the event message indicates that an X509 certificate should not be used. This activity is significant because using weak encryption and self-signed certificates can expose the system to man-in-the-middle attacks and other security vulnerabilities. If confirmed malicious, attackers could impersonate Splunk services, intercept sensitive data, and compromise the integrity of the Splunk environment. -how_to_implement = Must upgrade to Splunk version 9 and Configure TLS in order to apply this search. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as "curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json". A user should then create an empty container or case, attach the workbook, and begin working through the tasks. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization"], "mitre_attack": ["T1588.004"], "nist": ["DE.AE"]} -known_false_positives = This searches finds self signed certificates issued by Splunk which are not recommended from Splunk version 9 forward. -providing_technologies = null - -[savedsearch://ESCU - Splunk protocol impersonation weak encryption simplerequest - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies instances where Splunk's Python3 client libraries fail to validate SSL certificates properly. It leverages logs from `splunk_python` to detect when "simpleRequest SSL certificate validation is enabled without hostname verification." This activity is significant because improper SSL certificate validation can expose the system to man-in-the-middle attacks, allowing attackers to intercept or alter data. If confirmed malicious, this vulnerability could lead to unauthorized access, data breaches, and potential system compromise. Upgrading to Splunk version 9 and configuring TLS hostname validation is recommended to mitigate this risk. -how_to_implement = Must upgrade to Splunk version 9 and Configure TLS host name validation for Splunk Python modules in order to apply this search. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as "curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json". A user should then create an empty container or case, attach the workbook, and begin working through the tasks. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization"], "mitre_attack": ["T1588.004"], "nist": ["DE.AE"]} -known_false_positives = This search tries to address validation of server and client certificates within Splunk infrastructure, it might produce results from accidental or unintended requests to port 8089. -providing_technologies = null - -[savedsearch://ESCU - Splunk RBAC Bypass On Indexing Preview REST Endpoint - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies unauthorized attempts to use the /services/indexing/preview REST endpoint in Splunk. It detects POST requests to this endpoint by monitoring the _internal index for specific URI patterns. This activity is significant because it indicates a potential RBAC (Role-Based Access Control) bypass, allowing unauthorized users to overwrite search results if they know the search ID (SID) of an existing job. If confirmed malicious, this could lead to data manipulation, unauthorized access to sensitive information, and compromised integrity of search results. -how_to_implement = This search does not require additional data ingestion. It requires the ability to search _internal index. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134"], "nist": ["DE.AE"]} -known_false_positives = This is a hunting search which provides verbose results against this endpoint. Operator must consider things such as IP address, useragent and user(specially low privelege) and host to investigate possible attack. -providing_technologies = null - -[savedsearch://ESCU - Splunk RCE via Serialized Session Payload - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an attacker can execute a specially crafted query that they can then use to serialize untrusted data. The attacker can use the query to execute arbitrary code. The exploit requires the use of the 'collect' SPL command which writes a file within the Splunk Enterprise installation. The attacker can then use this file to submit a serialized payload that can result in execution of code within the payload. Please refer to the following URL for additional information on these disclosures - https://advisory.splunk.com -how_to_implement = Requires access to the _audit index. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.AE"]} -known_false_positives = There are numerous many uses of the 'makeresults' and 'collect' SPL commands. Please evaluate the results of this search for potential abuse. -providing_technologies = ["Splunk Internal Logs"] - -[savedsearch://ESCU - Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This hunting search provides information on possible exploitation attempts against Splunk Secure Gateway App Mobile Alerts feature in Splunk versions 9.0, 8.2.x, 8.1.x. An authenticated user can run arbitrary operating system commands remotely through the use of specially crafted requests to the mobile alerts feature in the Splunk Secure Gateway app. -how_to_implement = This search only applies if Splunk Mobile Gateway is deployed in the vulnerable Splunk versions. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1210"], "nist": ["DE.AE"]} -known_false_positives = This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. Focus of this search is "uri_path=/servicesNS/nobody/splunk_secure_gateway/storage/collections/data/mobile_alerts*" which is the injection point. -providing_technologies = null - -[savedsearch://ESCU - Splunk RCE via User XSLT - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies potential remote code execution (RCE) attempts via user-supplied Extensible Stylesheet Language Transformations (XSLT) in Splunk versions 9.1.x. It detects this activity by analyzing `splunkd_ui` logs for specific URI patterns and status codes indicative of XSLT injection attempts. This activity is significant because successful exploitation could allow an attacker to execute arbitrary code on the Splunk server. If confirmed malicious, this could lead to full system compromise, unauthorized data access, and further lateral movement within the network. -how_to_implement = This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1210"], "nist": ["DE.AE"]} -known_false_positives = This search will provide information for investigation and hunting possible abuse of user-supplied XSLT. There may be false positives and results should individually evaluated. Please evaluate the source IP and useragent responsible for creating the requests. -providing_technologies = ["Splunk Internal Logs"] - -[savedsearch://ESCU - Splunk Reflected XSS in the templates lists radio - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies potential reflected cross-site scripting (XSS) attempts in Splunk versions below 8.1.12, 8.2.9, and 9.0.2. It detects when a query parameter with `output_mode=radio` is used in a URI, leveraging `splunkd_webx` logs with status 200 and non-null URI queries. This activity is significant as it can indicate an attempt to exploit a known vulnerability, potentially allowing attackers to execute arbitrary JavaScript in the context of the user's browser. If confirmed malicious, this could lead to unauthorized actions, data theft, or further compromise of the affected Splunk instance. -how_to_implement = This vulnerability only affects instances with Splunk Web enabled. This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]} -known_false_positives = This search may produce false positives as it is difficult to pinpoint all possible XSS injection characters in a single search string. Special attention is required to "en-US/list/entities/x/ui/views" which is the vulnerable injection point. -providing_technologies = ["Splunk Internal Logs"] - -[savedsearch://ESCU - Splunk Reflected XSS on App Search Table Endpoint - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = In Splunk Enterprise versions below 9.1.1, 9.0.6, and 8.2.12, an attacker can craft a special web request that can result in reflected cross-site scripting XSS on the app search table web endpoint, which presents as the Create Table View page in Splunk Web. Exploitation of this vulnerability can lead to the execution of arbitrary commands on the Splunk platform instance. A JavaScript file within this web endpoint does not properly validate input which lets an attacker insert a payload into a function. -how_to_implement = Need access to the internal indexes. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]} -known_false_positives = This search will produce false positives. It is necessary to also look at uri_query parameter to determine the possible malicious intention of inserting makeresults within the uri string. -providing_technologies = ["Splunk Internal Logs"] - -[savedsearch://ESCU - Splunk risky Command Abuse disclosed february 2023 - Rule] -type = detection -asset_type = Splunk Server -confidence = medium -explanation = The following analytic identifies the execution of high-risk commands associated with various Splunk vulnerability disclosures. It leverages the Splunk_Audit.Search_Activity datamodel to detect ad-hoc searches by non-system users that match known risky commands. This activity is significant for a SOC as it may indicate attempts to exploit known vulnerabilities within Splunk, potentially leading to unauthorized access or data exfiltration. If confirmed malicious, this could allow attackers to execute arbitrary code, escalate privileges, or persist within the environment, posing a severe threat to the organization's security posture. -how_to_implement = Requires implementation of Splunk_Audit.Search_Activity datamodel. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548", "T1202"], "nist": ["DE.AE"]} -known_false_positives = This search encompasses many commands. -providing_technologies = null - -[savedsearch://ESCU - Splunk Stored XSS via Data Model objectName field - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = Splunk Enterprise versions 8.1.12, 8.2.9, 9.0.2 are vulnerable to persistent cross site scripting via Data Model object name. An authenticated user can inject and store arbitrary scripts that can lead to persistent cross-site scripting (XSS) in the object name Data Model. -how_to_implement = This vulnerability only affects Splunk Web enabled instances. This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]} -known_false_positives = This search may produce false positives and does not cover exploitation attempts via code obfuscation, focus of search is suspicious requests against "/en-US/splunkd/__raw/servicesNS/*/launcher/datamodel/model" which is the injection point. -providing_technologies = ["Splunk Internal Logs"] - -[savedsearch://ESCU - Splunk Unauthenticated Log Injection Web Service Log - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = An attacker can use a specially crafted web URL in their browser to cause log file injection, in which the attack inserts American National Standards Institute (ANSI) escape codes into specific files using a terminal program that supports those escape codes. The attack requires a terminal program that supports the translation of ANSI escape codes and requires additional user interaction to successfully execute. This following analytic detects potential log injection attempts into the Splunk server. -how_to_implement = This only affects web enabled Splunk instances. The detection does require the ability to search the _internal index. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.AE"]} -known_false_positives = This hunting search will produce false positives if ANSI escape characters are included in URLs either voluntarily or by accident. This search will not detect obfuscated ANSI characters. -providing_technologies = ["Splunk Internal Logs"] - -[savedsearch://ESCU - Splunk unnecessary file extensions allowed by lookup table uploads - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the lookup table uploads let a user upload lookup tables with unnecessary filename extensions. Lookup table file extensions may now only be one of .csv, .csv.gz, .kmz, .kml, .mmdb, or .mmdb.gz. This search provides user activity focus on uploads which aims to help hunt for malicious file uploads. -how_to_implement = Requires access to internal splunkd_access. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.CM"]} -known_false_positives = This is a hunting search, the search provides information on upload, edit, and delete activity on Lookup Tables. Manual investigation is necessary after executing search. This search will produce false positives as payload cannot be directly discerned. -providing_technologies = null - -[savedsearch://ESCU - Splunk User Enumeration Attempt - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = On May 3rd, 2022, Splunk published a security advisory for username enumeration stemming from verbose login failure messages present on some REST endpoints. This detection will alert on attempted exploitation in patched versions of Splunk as well as actual exploitation in unpatched version of Splunk. -how_to_implement = This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. This detection may assist in efforts to find password spraying or brute force authorization attempts in addition to someone enumerating usernames. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.CM"]} -known_false_positives = Automation executing authentication attempts against your Splunk infrastructure with outdated credentials may cause false positives. -providing_technologies = ["Splunk Internal Logs"] - -[savedsearch://ESCU - Splunk XSS in Highlighted JSON Events - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This detection provides information about possible exploitation against affected versions of Splunk Enterprise 9.1.2. The ability to view JSON logs in the web GUI may be abused by crafting a specific request, causing the execution of javascript in script tags. This vulnerability can be used to execute javascript to access the API at the permission level of the logged-in user. If user is admin it can be used to create an admin user, giving an attacker broad access to the Splunk Environment. -how_to_implement = This search only applies to web-GUI-enabled Splunk instances and operator must have access to internal indexes. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]} -known_false_positives = This is a hunting search and will produce false positives as it is not possible to view contents of a request payload. It shows the artifact resulting from a potential exploitation payload (the creation of a user with admin privileges). -providing_technologies = ["Splunk Internal Logs"] - -[savedsearch://ESCU - Splunk XSS in Monitoring Console - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = On May 3rd, 2022, Splunk published a security advisory for a reflective Cross-Site Scripting (XSS) vulnerability stemming from the lack of input validation in the Distributed Monitoring Console app. This detection will alert on attempted exploitation in patched versions of Splunk as well as actual exploitation in unpatched version of Splunk. -how_to_implement = This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. This detection will find attempted exploitation of CVE-2022-27183. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.CM"]} -known_false_positives = Use of the monitoring console where the less-than sign (<) is the first character in the description field. -providing_technologies = ["Splunk Internal Logs"] - -[savedsearch://ESCU - Splunk XSS in Save table dialog header in search page - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This is a hunting search to find persistent cross-site scripting XSS code that was included while inputing data in 'Save Table' dialog in Splunk Enterprise (8.1.12,8.2.9,9.0.2). A remote user with "power" Splunk role can store this code that can lead to persistent cross site scripting. -how_to_implement = Watch for POST requests combined with XSS script strings or obfuscation against the injection point /en-US/splunkd/__raw/servicesNS/nobody/search/datamodel/model. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]} -known_false_positives = If host is vulnerable and XSS script strings are inputted they will show up in search. Not all Post requests are malicious as they will show when users create and save dashboards. This search may produce several results with non malicious POST requests. Only affects Splunk Web enabled instances. -providing_technologies = ["Splunk Internal Logs"] - -[savedsearch://ESCU - Splunk XSS via View - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, a View allows for Cross-Site Scripting in an XML View through the 'layoutPanel' attribute in the 'module' tag. The vulnerability affects instances with Splunk Web enabled. This hunting search shows users action, application and role used for creating views related to this vulnerability. -how_to_implement = This data is collected by default in Splunk. Upon first enabling this rule, a number of errors may be observed. Those that are due to improperly formatted, but non-nefarious, XML views should be be remedied in the corresponding view. Please take care investigating potential XSS as accessing an affected page could retrigger the exploit. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]} -known_false_positives = The error detected above can be generated for a wide variety of improperly formatted XML views. There will be false positives as the search cannot extract the malicious payload and the view should be manually investigated. -providing_technologies = null - -[savedsearch://ESCU - Suspicious Email Attachment Extensions - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects emails that contain attachments with suspicious file extensions. Detecting and responding to emails with suspicious attachments can mitigate the risks associated with phishing and malware attacks, thereby protecting the organization's data and systems from potential harm. The detection is made by using a Splunk query that searches for emails in the datamodel=Email where the filename of the attachment is not empty. The analytic uses the tstats command to summarize the count, first time, and last time of the emails that meet the criteria. It groups the results by the source user, file name, and message ID of the email. The detection is important because it indicates potential phishing or malware delivery attempts in which an attacker attempts to deliver malicious content through email attachments, which can lead to data breaches, malware infections, or unauthorized access to sensitive information. Next steps include reviewing the identified emails and attachments and analyzing the source user, file name, and message ID to determine if they are legitimate or malicious. Additionally, you must inspect any relevant on-disk artifacts associated with the attachments and investigate any concurrent processes to identify the source of the attack. -how_to_implement = You need to ingest data from emails. Specifically, the sender's address and the file names of any attachments must be mapped to the Email data model. \ -**Splunk Phantom Playbook Integration** \ -If Splunk Phantom is also configured in your environment, a Playbook called "Suspicious Email Attachment Investigate and Delete" can be configured to run when any results are found by this detection search. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`, and add the correct hostname to the "Phantom Instance" field in the Adaptive Response Actions when configuring this detection search. The notable event will be sent to Phantom and the playbook will gather further information about the file attachment and its network behaviors. If Phantom finds malicious behavior and an analyst approves of the results, the email will be deleted from the user's inbox.' -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"]} -known_false_positives = None identified -providing_technologies = null - -[savedsearch://ESCU - Suspicious Java Classes - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies suspicious Java classes often used for remote command execution exploits in Java frameworks like Apache Struts. It detects this activity by analyzing HTTP POST requests with specific content patterns using Splunk's `stream_http` data source. This behavior is significant because it may indicate an attempt to exploit vulnerabilities in web applications, potentially leading to unauthorized remote code execution. If confirmed malicious, this activity could allow attackers to execute arbitrary commands on the server, leading to data breaches, system compromise, and further network infiltration. -how_to_implement = In order to properly run this search, Splunk needs to ingest data from your web-traffic appliances that serve or sit in the path of your Struts application servers. This can be accomplished by indexing data from a web proxy, or by using network traffic-analysis tools, such as Splunk Stream or Bro. -annotations = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -known_false_positives = There are no known false positives. -providing_technologies = null - -[savedsearch://ESCU - Web Servers Executing Suspicious Processes - Rule] -type = detection -asset_type = Web Server -confidence = medium -explanation = The following analytic detects suspicious processes on systems labeled as web servers. This detection is made by a Splunk query that searches for specific process names that might indicate malicious activity. These suspicious processes include "whoami", "ping", "iptables", "wget", "service", and "curl". Uses the Splunk data model "Endpoint.Processes" and filters the results to only include systems categorized as web servers. This detection is important because it indicates unauthorized or malicious activity on web servers since these processes are commonly used by attackers to perform reconnaissance, establish persistence, or exfiltrate data from compromised systems. The impact of such an attack can be significant, ranging from data theft to the deployment of additional malicious payloads, potentially leading to ransomware or other damaging outcomes. False positives might occur since the legitimate use of these processes on web servers can trigger the analytic. Next steps include triaging and investigating to determine the legitimacy of the activity. Also, review the source and command of the suspicious process. You must also examine any relevant on-disk artifacts and look for concurrent processes to identify the source of the attack. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1082"], "nist": ["DE.CM"]} -known_false_positives = Some of these processes may be used legitimately on web servers during maintenance or other administrative tasks. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Abnormally High Number Of Cloud Infrastructure API Calls - Rule] -type = detection -asset_type = AWS Instance -confidence = medium -explanation = The following analytic detects a spike in the number of API calls made to your cloud infrastructure by a user. It leverages cloud infrastructure logs and compares the current API call volume against a baseline probability density function to identify anomalies. This activity is significant because an unusual increase in API calls can indicate potential misuse or compromise of cloud resources. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or disruption of cloud services, posing a significant risk to the organization's cloud environment. -how_to_implement = You must be ingesting your cloud infrastructure logs. You also must run the baseline search `Baseline Of Cloud Infrastructure API Calls Per User` to create the probability density function. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"]} -known_false_positives = None. -providing_technologies = null - -[savedsearch://ESCU - Abnormally High Number Of Cloud Instances Destroyed - Rule] -type = detection -asset_type = Cloud Instance -confidence = medium -explanation = This search finds for the number successfully destroyed cloud instances for every 4 hour block. This is split up between weekdays and the weekend. It then applies the probability densitiy model previously created and alerts on any outliers. -how_to_implement = You must be ingesting your cloud infrastructure logs. You also must run the baseline search `Baseline Of Cloud Instances Destroyed` to create the probability density function. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"]} -known_false_positives = Many service accounts configured within a cloud infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify if this search alerted on a human user. -providing_technologies = null - -[savedsearch://ESCU - Abnormally High Number Of Cloud Instances Launched - Rule] -type = detection -asset_type = Cloud Instance -confidence = medium -explanation = This search finds for the number successfully created cloud instances for every 4 hour block. This is split up between weekdays and the weekend. It then applies the probability densitiy model previously created and alerts on any outliers. -how_to_implement = You must be ingesting your cloud infrastructure logs. You also must run the baseline search `Baseline Of Cloud Instances Launched` to create the probability density function. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"]} -known_false_positives = Many service accounts configured within an AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify if this search alerted on a human user. -providing_technologies = null - -[savedsearch://ESCU - Abnormally High Number Of Cloud Security Group API Calls - Rule] -type = detection -asset_type = AWS Instance -confidence = medium -explanation = The following analytic detects a spike in the number of API calls made to cloud security groups by a user. It leverages data from the Change data model, focusing on successful firewall-related changes. This activity is significant because an abnormal increase in security group API calls can indicate potential malicious activity, such as unauthorized access or configuration changes. If confirmed malicious, this could allow an attacker to manipulate security group settings, potentially exposing sensitive resources or disrupting network security controls. -how_to_implement = You must be ingesting your cloud infrastructure logs. You also must run the baseline search `Baseline Of Cloud Security Group API Calls Per User` to create the probability density function model. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"]} -known_false_positives = None. -providing_technologies = null - -[savedsearch://ESCU - Amazon EKS Kubernetes cluster scan detection - Rule] -type = detection -asset_type = Amazon EKS Kubernetes cluster -confidence = medium -explanation = The following analytic detects unauthenticated requests to an Amazon EKS Kubernetes cluster, specifically identifying actions by the "system:anonymous" user. It leverages AWS CloudWatch Logs data, focusing on user agents and authentication details. This activity is significant as it may indicate unauthorized scanning or probing of the Kubernetes cluster, which could be a precursor to an attack. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or disruption of services within the Kubernetes environment. -how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudWatch EKS Logs inputs. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.AE"]} -known_false_positives = Not all unauthenticated requests are malicious, but frequency, UA and source IPs will provide context. -providing_technologies = null - -[savedsearch://ESCU - Amazon EKS Kubernetes Pod scan detection - Rule] -type = detection -asset_type = Amazon EKS Kubernetes cluster Pod -confidence = medium -explanation = The following analytic detects unauthenticated requests made against the Kubernetes' Pods API through proactive monitoring to protect the Kubernetes environment from unauthorized access and potential security breaches. The detection is made by using the Splunk query `aws_cloudwatchlogs_eks` with specific filters to identify these requests. Identifies events where the `user.username` is set to "system:anonymous", the `verb` is set to "list", and the `objectRef.resource` is set to "pods". Additionally, the search checks if the `requestURI` is equal to "/api/v1/pods". Analyzing these events helps you to identify any unauthorized access attempts to the Kubernetes' Pods API. Unauthenticated requests can indicate potential security breaches or unauthorized access to sensitive resources within the Kubernetes environment. The detection is important because unauthorized access to Kubernetes' Pods API can lead to the compromise of sensitive data, unauthorized execution of commands, or even the potential for lateral movement within the Kubernetes cluster. False positives might occur since there might be legitimate use cases for unauthenticated requests in certain scenarios. Therefore, you must review and validate any detected events before taking any action. Next steps include investigating the incident to mitigate any ongoing threats, and strengthening the security measures to prevent future unauthorized access attempts. -how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on forAWS (version 4.4.0 or later), then configure your AWS CloudWatch EKS Logs.Please also customize the `kubernetes_pods_aws_scan_fingerprint_detection` macro to filter out the false positives. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.AE"]} -known_false_positives = Not all unauthenticated requests are malicious, but frequency, UA and source IPs and direct request to API provide context. -providing_technologies = null - -[savedsearch://ESCU - ASL AWS Concurrent Sessions From Different Ips - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = The following analytic identifies an AWS IAM account with concurrent sessions coming from more than one unique IP address within the span of 5 minutes. This behavior could represent a session hijacking attack whereby an adversary has extracted cookies from a victims browser and is using them from a different location to access corporate online resources. When a user navigates the AWS Console after authentication, the API call with the event name `DescribeEventAggregates` is registered in the AWS CloudTrail logs. The Splunk Threat Research team leveraged this event name to identify 2 concurrent sessions. The presence of this event occurring from two different IP addresses is highly unlikely. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments. -how_to_implement = The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1185"], "nist": ["DE.AE"]} -known_false_positives = A user with concurrent sessions from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment. -providing_technologies = ["Amazon Security Lake"] - -[savedsearch://ESCU - ASL AWS Defense Evasion Delete Cloudtrail - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = The following analytic detects the deletion of AWS CloudTrail logs, a critical event that could indicate an adversary's attempt to evade detection. By identifying `DeleteTrail` events within CloudTrail logs, this analytic helps in uncovering efforts to impair defense mechanisms by preventing the logging of malicious activities. Such actions allow adversaries to operate undetected within a compromised AWS environment. Recognizing these deletion events is crucial for a Security Operations Center (SOC) as it signals a potential compromise and the attacker's intent to hide their tracks, making it a significant threat to the integrity and security of cloud environments. The impact of this attack is substantial, as it can lead to a complete loss of visibility into the activities within the environment, hindering incident response and forensics efforts. -how_to_implement = The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.CM"]} -known_false_positives = While this search has no known false positives, it is possible that an AWS admin has stopped cloudTrail logging. Please investigate this activity. -providing_technologies = ["Amazon Security Lake"] - -[savedsearch://ESCU - ASL AWS Defense Evasion Delete CloudWatch Log Group - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = The following analytic detects the deletion of CloudWatch Log Groups within AWS CloudTrail logs. This action is indicative of an attacker's attempt to evade detection by disrupting the logging and monitoring capabilities of CloudWatch. By identifying and analyzing `DeleteLogGroup` events, this analytic helps in uncovering efforts to obscure malicious activities within a compromised AWS environment. Such evasion tactics are critical for a Security Operations Center (SOC) to identify as they signal an attacker's intent to operate undetected, posing a significant threat to the integrity and security of cloud environments. The impact of this attack is substantial, as it can lead to a loss of visibility into potentially malicious activities, hindering incident response and forensics efforts. -how_to_implement = The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562", "T1562.008"], "nist": ["DE.CM"]} -known_false_positives = While this search has no known false positives, it is possible that an AWS admin has deleted CloudWatch logging. Please investigate this activity. -providing_technologies = ["Amazon Security Lake"] - -[savedsearch://ESCU - ASL AWS Defense Evasion Impair Security Services - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = The following analytic detects the deletion of critical AWS Security Services configurations through specific API calls to services like CloudWatch, GuardDuty, and Web Application Firewalls. By monitoring for these deletion actions, the analytic aims to identify attempts by adversaries to undermine security defenses, such as erasing logging configurations or removing detection mechanisms. This behavior is crucial for a Security Operations Center (SOC) to identify as it can indicate an attacker's intent to operate undetected by eliminating evidence of their presence and activities. The impact of such attacks is significant, potentially leaving the environment vulnerable to further exploitation without any traceable logs or alerts. -how_to_implement = The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.AE"]} -known_false_positives = While this search has no known false positives, it is possible that it is a legitimate admin activity. Please consider filtering out these noisy events using userAgent, user_arn field names. -providing_technologies = ["Amazon Security Lake"] - -[savedsearch://ESCU - ASL AWS Defense Evasion Stop Logging Cloudtrail - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = The following analytic detects `StopLogging` events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker's actions. -how_to_implement = The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.CM"]} -known_false_positives = While this search has no known false positives, it is possible that an AWS admin has stopped cloudtrail logging. Please investigate this activity. -providing_technologies = ["Amazon Security Lake"] - -[savedsearch://ESCU - ASL AWS Defense Evasion Update Cloudtrail - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = The following analytic detects `UpdateTrail` events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary's intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations. -how_to_implement = The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562", "T1562.008"], "nist": ["DE.CM"]} -known_false_positives = While this search has no known false positives, it is possible that an AWS admin has updated cloudtrail logging. Please investigate this activity. -providing_technologies = ["Amazon Security Lake"] - -[savedsearch://ESCU - ASL AWS ECR Container Upload Outside Business Hours - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = The following analytic detects the upload of new containers to AWS Elastic Container Service (ECR) outside of standard business hours through AWS CloudTrail events. It identifies this behavior by monitoring for `PutImage` events occurring before 8 AM or after 8 PM, as well as any uploads on weekends. This activity is significant for a SOC to investigate as it may indicate unauthorized access or malicious deployments, potentially leading to compromised services or data breaches. Identifying and addressing such uploads promptly can mitigate the risk of security incidents and their associated impacts. -how_to_implement = The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]} -known_false_positives = When your development is spreaded in different time zones, applying this rule can be difficult. -providing_technologies = ["Amazon Security Lake"] - -[savedsearch://ESCU - ASL AWS ECR Container Upload Unknown User - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = The following analytic detects unauthorized container uploads to AWS Elastic Container Service (ECR) by monitoring AWS CloudTrail events. It identifies instances where a new container is uploaded by a user not previously recognized as authorized. This detection is crucial for a SOC as it can indicate a potential compromise or misuse of AWS ECR, which could lead to unauthorized access to sensitive data or the deployment of malicious containers. By identifying and investigating these events, organizations can mitigate the risk of data breaches or other security incidents resulting from unauthorized container uploads. The impact of such an attack could be significant, compromising the integrity and security of the organization's cloud environment. -how_to_implement = The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Amazon Security Lake"] - -[savedsearch://ESCU - ASL AWS IAM Delete Policy - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = The following analytic detects the deletion of an AWS policy, a critical action that could indicate an attempt to alter permissions or reduce security controls. By monitoring AWS logs for `DeletePolicy` events, this analytic identifies both successful and attempted deletions, providing insights into potentially malicious activities. Identifying such behavior is crucial for a Security Operations Center (SOC) as it may signal an adversary's effort to escalate privileges or evade detection. The impact of unauthorized policy deletion is significant, potentially leading to compromised accounts or data exposure. -how_to_implement = The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098"], "nist": ["DE.AE"]} -known_false_positives = This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete policies (least privilege). In addition, this may be saved seperately and tuned for failed or success attempts only. -providing_technologies = ["Amazon Security Lake"] - -[savedsearch://ESCU - ASL AWS IAM Failure Group Deletion - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = The following analytic detects failed attempts to delete AWS IAM groups, triggered by access denial, conflicts, or non-existent groups. It operates by monitoring CloudTrail logs for specific error codes related to deletion failures. This behavior is significant for a SOC as it may indicate unauthorized attempts to modify access controls or disrupt operations by removing groups. Such actions could be part of a larger attack aiming to escalate privileges or impair security protocols. Identifying these attempts allows for timely investigation and mitigation, preventing potential impact on the organizations security posture. -how_to_implement = The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098"], "nist": ["DE.AE"]} -known_false_positives = This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete groups (least privilege). -providing_technologies = ["Amazon Security Lake"] - -[savedsearch://ESCU - ASL AWS IAM Successful Group Deletion - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = The following analytic detects the successful deletion of a group within AWS IAM, leveraging CloudTrail IAM events. This action, while not inherently malicious, can serve as a precursor to more sinister activities, such as unauthorized access or privilege escalation attempts. By monitoring for such deletions, the analytic aids in identifying potential preparatory steps towards an attack, allowing for early detection and mitigation. The identification of this behavior is crucial for a SOC to prevent the potential impact of an attack, which could include unauthorized access to sensitive resources or disruption of AWS environment operations. -how_to_implement = You must install the Data Lake Federated Analytics App and ingest the logs into Splunk. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1069.003", "T1098", "T1069"], "nist": ["DE.AE"]} -known_false_positives = This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete groups (least privilege). -providing_technologies = ["Amazon Security Lake"] - -[savedsearch://ESCU - ASL AWS Multi-Factor Authentication Disabled - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = The following analytic detects when multi-factor authentication (MFA) is disabled for an AWS IAM user. It operates by monitoring for specific API calls that deactivate MFA, signaling a potential unauthorized attempt to weaken account security. This behavior is critical for a Security Operations Center (SOC) to identify, as disabling MFA removes a significant barrier against unauthorized access, making accounts more vulnerable to compromise. The impact of such an attack is substantial, as it allows adversaries to maintain access within the environment with less risk of detection, facilitating further malicious activities. -how_to_implement = The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1621", "T1556", "T1556.006"], "nist": ["DE.CM"]} -known_false_positives = AWS Administrators may disable MFA but it is highly unlikely for this event to occur without prior notice to the company -providing_technologies = ["Amazon Security Lake"] - -[savedsearch://ESCU - ASL AWS New MFA Method Registered For User - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = The following analytic detects when a new Multi-Factor Authentication (MFA) method is registered for an AWS account, as logged through Amazon Security Lake (ASL). This behavior is detected by monitoring ASL logs for specific API calls associated with MFA registration. Identifying this activity is crucial for a Security Operations Center (SOC) because unauthorized registration of a new MFA method can indicate an adversary's attempt to establish or maintain access to a compromised account. The impact of such an attack is significant as it can enable persistent access for the attacker, potentially leading to further compromise and exploitation of cloud resources. -how_to_implement = The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1556", "T1556.006"], "nist": ["DE.CM"]} -known_false_positives = Newly onboarded users who are registering an MFA method for the first time will also trigger this detection. -providing_technologies = ["Amazon Security Lake"] - -[savedsearch://ESCU - AWS AMI Attribute Modification for Exfiltration - Rule] -type = detection -asset_type = EC2 Snapshot -confidence = medium -explanation = This search looks for suspicious AWS AMI attribute modifications, such as sharing it with another AWS account or making the full AMI image public. Adversaries are known to abuse these APIs to exfiltrate sensitive organization information stored in the AWS Resources, there by its very important to monitor these seemingly benign API activity in Cloudtrail logs. -how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1537"], "nist": ["DE.CM"]} -known_false_positives = It is possible that an AWS admin has legitimately shared a snapshot with others for a specific purpose. -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - AWS Concurrent Sessions From Different Ips - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = The following analytic identifies an AWS IAM account with concurrent sessions coming from more than one unique IP address within the span of 5 minutes. This behavior could represent a session hijacking attack whereby an adversary has extracted cookies from a victims browser and is using them from a different location to access corporate online resources. When a user navigates the AWS Console after authentication, the API call with the event name `DescribeEventAggregates` is registered in the AWS CloudTrail logs. The Splunk Threat Research team leveraged this event name to identify 2 concurrent sessions. The presence of this event occurring from two different IP addresses is highly unlikely. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments. -how_to_implement = You must install Splunk AWS Add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1185"], "nist": ["DE.CM"]} -known_false_positives = A user with concurrent sessions from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment. -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - AWS Console Login Failed During MFA Challenge - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = The following analytic identifies an authentication attempt event against an AWS Console that fails during the Multi Factor Authentication challenge. AWS Cloudtrail logs provide a a very useful field called `additionalEventData` that logs information regarding usage of MFA. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled. -how_to_implement = The Splunk AWS Add-on is required to utilize this data. The search requires AWS CloudTrail logs. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1621"], "nist": ["DE.CM"]} -known_false_positives = Legitimate users may miss to reply the MFA challenge within the time window or deny it by mistake. -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - AWS Create Policy Version to allow all resources - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. -how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.CM"]} -known_false_positives = While this search has no known false positives, it is possible that an AWS admin has legitimately created a policy to allow a user to access all resources. That said, AWS strongly advises against granting full control to all AWS resources and you must verify this activity. -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - AWS CreateAccessKey - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it's important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don't typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting. -how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.AE"]} -known_false_positives = While this search has no known false positives, it is possible that an AWS admin has legitimately created keys for another user. -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - AWS CreateLoginProfile - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip -how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.CM"]} -known_false_positives = While this search has no known false positives, it is possible that an AWS admin has legitimately created a login profile for another user. -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - AWS Credential Access Failed Login - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = It shows that there have been an unsuccessful attempt to log in using the user identity to the AWS management console. Since the user identity has access to AWS account services and resources, an attacker might try to brute force the password for that identity. -how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.001"], "nist": ["DE.CM"]} -known_false_positives = Users may genuinely mistype or forget the password. -providing_technologies = null - -[savedsearch://ESCU - AWS Credential Access GetPasswordData - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = The following analytic identifies more than 10 GetPasswordData API calls within a 5-minute window in your AWS account. It leverages AWS CloudTrail logs to detect this activity by counting the distinct instance IDs accessed. This behavior is significant as it may indicate an attempt to retrieve encrypted administrator passwords for running Windows instances, which is a critical security concern. If confirmed malicious, attackers could gain unauthorized access to administrative credentials, potentially leading to full control over the affected instances and further compromise of the AWS environment. -how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. We encourage the users to adjust the values of `distinct_instance_ids` and tweak the `span` value according to their environment. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.001"], "nist": ["DE.AE"]} -known_false_positives = Administrator tooling or automated scripts may make these calls but it is highly unlikely to make several calls in a short period of time. -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - AWS Credential Access RDS Password reset - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = The master user password for Amazon RDS DB instance can be reset using the Amazon RDS console. Using this technique, the attacker can get access to the sensitive data from the DB. Usually, the production databases may have sensitive data like Credit card information, PII, Health care Data. This event should be investigated further. -how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1110"], "nist": ["DE.CM"]} -known_false_positives = Users may genuinely reset the RDS password. -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - AWS Cross Account Activity From Previously Unseen Account - Rule] -type = detection -asset_type = AWS Instance -confidence = medium -explanation = The following analytic identifies AssumeRole events where an IAM role in a different AWS account is accessed for the first time. It detects this activity by analyzing authentication logs and comparing the requesting and requested account IDs, flagging new cross-account activities. This behavior is significant because unauthorized cross-account access can indicate potential lateral movement or privilege escalation attempts. If confirmed malicious, an attacker could gain unauthorized access to resources in another account, potentially leading to data exfiltration, service disruption, or further compromise of the AWS environment. -how_to_implement = You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen AWS Cross Account Activity - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen AWS Cross Account Activity - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `aws_cross_account_activity_from_previously_unseen_account_filter` macro. -annotations = {"cis20": ["CIS 13"], "nist": ["DE.AE"]} -known_false_positives = Using multiple AWS accounts and roles is perfectly valid behavior. It's suspicious when an account requests privileges of an account it hasn't before. You should validate with the account owner that this is a legitimate request. -providing_technologies = null - -[savedsearch://ESCU - AWS Defense Evasion Delete Cloudtrail - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = This analytic identifies AWS `DeleteTrail` events within CloudTrail logs. Adversaries often try to impair their target's defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may delete the the entire cloudtrail that is logging activities in the environment. -how_to_implement = You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.CM"]} -known_false_positives = While this search has no known false positives, it is possible that an AWS admin has stopped cloudTrail logging. Please investigate this activity. -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - AWS Defense Evasion Delete CloudWatch Log Group - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = This analytic identifies AWS `DeleteLogGroup` events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment. -how_to_implement = You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562", "T1562.008"], "nist": ["DE.CM"]} -known_false_positives = While this search has no known false positives, it is possible that an AWS admin has deleted CloudWatch logging. Please investigate this activity. -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - AWS Defense Evasion Impair Security Services - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = This analytic looks for several delete specific API calls made to AWS Security Services like CloudWatch, GuardDuty and Web Application Firewalls. These API calls are often leveraged by adversaries to weaken existing security defenses by deleting logging configurations in the CloudWatch alarm, delete a set of detectors from your Guardduty environment or simply delete a bunch of CloudWatch alarms to remain stealthy and avoid detection. -how_to_implement = You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.AE"]} -known_false_positives = While this search has no known false positives, it is possible that it is a legitimate admin activity. Please consider filtering out these noisy events using userAgent, user_arn field names. -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - AWS Defense Evasion PutBucketLifecycle - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = This analytic identifies `PutBucketLifecycle` events in CloudTrail logs where a user has created a new lifecycle rule for an S3 bucket with a short expiration period. Attackers may use this API call to impair the CloudTrail logging by removing logs from the S3 bucket by changing the object expiration day to 1 day, in which case the CloudTrail logs will be deleted. -how_to_implement = You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment. We recommend our users to set the expiration days value according to your company's log retention policies. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.AE"]} -known_false_positives = While this search has no known false positives, it is possible that it is a legitimate admin activity. Please consider filtering out these noisy events using userAgent, user_arn field names. -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - AWS Defense Evasion Stop Logging Cloudtrail - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = This analytic identifies `StopLogging` events in CloudTrail logs. Adversaries often try to impair their target's defenses by stopping their macliious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may easily stop logging. -how_to_implement = You must install Splunk AWS Add on and enable Cloudtrail logs in your AWS Environment. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.CM"]} -known_false_positives = While this search has no known false positives, it is possible that an AWS admin has stopped cloudtrail logging. Please investigate this activity. -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - AWS Defense Evasion Update Cloudtrail - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = This analytic identifies `UpdateTrail` events in CloudTrail logs. Attackers may evade the logging capability by updating the settings and impairing them with wrong parameters. For example, Attackers may change the multi-regional log into a single region logs, which evades the logging for other regions. When the adversary has the right type of permissions in the compromised AWS environment, they may update the CloudTrail settings that is logging activities in your environment. -how_to_implement = You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562", "T1562.008"], "nist": ["DE.CM"]} -known_false_positives = While this search has no known false positives, it is possible that an AWS admin has updated cloudtrail logging. Please investigate this activity. -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - aws detect attach to role policy - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = The following analytic identifies a user attaching a policy to a different role's trust policy in AWS. It leverages CloudWatch logs to detect the `attach policy` event, extracting relevant fields such as `policyArn`, `sourceIPAddress`, and `userIdentity`. This activity is significant as it can indicate attempts at lateral movement or privilege escalation within the AWS environment. If confirmed malicious, an attacker could gain elevated permissions, potentially compromising sensitive resources and data within the AWS infrastructure. -how_to_implement = You must install splunk AWS add-on and Splunk App for AWS. This search works with cloudwatch logs -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} -known_false_positives = Attach to policy can create a lot of noise. This search can be adjusted to provide specific values to identify cases of abuse (i.e status=failure). The search can provide context for common users attaching themselves to higher privilege policies or even newly created policies. -providing_technologies = null - -[savedsearch://ESCU - aws detect permanent key creation - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = The following analytic detects the creation of permanent access keys in AWS accounts. It leverages CloudWatch logs to identify events where the `CreateAccessKey` action is performed by IAM users. Monitoring the creation of permanent keys is crucial as they are not created by default and are typically used for programmatic access. If confirmed malicious, this activity could allow attackers to gain persistent access to AWS resources, potentially leading to unauthorized actions and data exfiltration. -how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} -known_false_positives = Not all permanent key creations are malicious. If there is a policy of rotating keys this search can be adjusted to provide better context. -providing_technologies = null - -[savedsearch://ESCU - aws detect role creation - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = This search provides detection of role creation by IAM users. Role creation is an event by itself if user is creating a new role with trust policies different than the available in AWS and it can be used for lateral movement and escalation of privileges. -how_to_implement = You must install splunk AWS add-on and Splunk App for AWS. This search works with cloudwatch logs -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} -known_false_positives = CreateRole is not very common in common users. This search can be adjusted to provide specific values to identify cases of abuse. In general AWS provides plenty of trust policies that fit most use cases. -providing_technologies = null - -[savedsearch://ESCU - aws detect sts assume role abuse - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = The following analytic identifies suspicious use of the AWS STS AssumeRole action. It leverages AWS CloudTrail logs to detect instances where roles are assumed, focusing on specific fields like source IP address, user ARN, and role names. This activity is significant because attackers can use assumed roles to move laterally within the AWS environment and escalate privileges. If confirmed malicious, this could allow attackers to gain unauthorized access to sensitive resources, execute code, or further entrench themselves within the environment, leading to potential data breaches or service disruptions. -how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} -known_false_positives = Sts:AssumeRole can be very noisy as it is a standard mechanism to provide cross account and cross resources access. This search can be adjusted to provide specific values to identify cases of abuse. -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - aws detect sts get session token abuse - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = The following analytic identifies the suspicious use of the AWS STS GetSessionToken API call. It leverages CloudWatch logs to detect instances where this API is invoked, focusing on fields such as source IP address, event time, user identity, and status. This activity is significant because attackers can use these tokens to move laterally within the AWS environment and escalate privileges. If confirmed malicious, this could lead to unauthorized access and control over AWS resources, potentially compromising sensitive data and critical infrastructure. -how_to_implement = You must install splunk AWS add-on and Splunk App for AWS. This search works with cloudwatch logs -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1550"], "nist": ["DE.AE"]} -known_false_positives = Sts:GetSessionToken can be very noisy as in certain environments numerous calls of this type can be executed. This search can be adjusted to provide specific values to identify cases of abuse. In specific environments the use of field requestParameters.serialNumber will need to be used. -providing_technologies = null - -[savedsearch://ESCU - AWS Detect Users creating keys with encrypt policy without MFA - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = This search provides detection of KMS keys where action kms:Encrypt is accessible for everyone (also outside of your organization). This is an indicator that your account is compromised and the attacker uses the encryption key to compromise another company. -how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1486"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - AWS Detect Users with KMS keys performing encryption S3 - Rule] -type = detection -asset_type = S3 Bucket -confidence = medium -explanation = The following analytic identifies users with KMS keys performing encryption operations on S3 buckets. It leverages AWS CloudTrail logs to detect the `CopyObject` event where server-side encryption with AWS KMS is specified. This activity is significant as it may indicate unauthorized or suspicious encryption of data, potentially masking exfiltration or tampering efforts. If confirmed malicious, an attacker could be encrypting sensitive data to evade detection or preparing it for exfiltration, posing a significant risk to data integrity and confidentiality. -how_to_implement = You must install Splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1486"], "nist": ["DE.AE"]} -known_false_positives = There maybe buckets provisioned with S3 encryption -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - AWS Disable Bucket Versioning - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = The following analytic detects AWS CloudTrail events where bucket versioning is suspended by a user. Versioning allows the AWS Administrators to maintain different version of the S3 bucket which can be used to recover deleted data. Adversaries have leveraged this technique in the wild during a ransomware incident to disable versioning so the client cannot recover the data. -how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.AE"]} -known_false_positives = It is possible that an AWS Administrator has legitimately disabled versioning on certain buckets to avoid costs. -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - AWS EC2 Snapshot Shared Externally - Rule] -type = detection -asset_type = EC2 Snapshot -confidence = medium -explanation = The following analytic detects when an EC2 snapshot is shared with an external AWS account by analyzing AWS CloudTrail events. This detection method leverages CloudTrail logs to identify modifications in snapshot permissions, specifically when the snapshot is shared outside the originating AWS account. This activity is significant as it may indicate an attempt to exfiltrate sensitive data stored in the snapshot. If confirmed malicious, an attacker could gain unauthorized access to the snapshot's data, potentially leading to data breaches or further exploitation of the compromised information. -how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1537"], "nist": ["DE.CM"]} -known_false_positives = It is possible that an AWS admin has legitimately shared a snapshot with others for a specific purpose. -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - AWS ECR Container Scanning Findings High - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = The following analytic identifies high-severity findings from AWS Elastic Container Registry (ECR) image scans. It detects these activities by analyzing AWS CloudTrail logs for the DescribeImageScanFindings event, specifically filtering for findings with a high severity level. This activity is significant for a SOC because high-severity vulnerabilities in container images can lead to potential exploitation if not addressed. If confirmed malicious, attackers could exploit these vulnerabilities to gain unauthorized access, execute arbitrary code, or escalate privileges within the container environment, posing a significant risk to the overall security posture. -how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - AWS ECR Container Scanning Findings Low Informational Unknown - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = The following analytic identifies low, informational, or unknown severity findings from AWS Elastic Container Registry (ECR) image scans. It leverages AWS CloudTrail logs, specifically the DescribeImageScanFindings event, to detect these findings. This activity is significant for a SOC as it helps in early identification of potential vulnerabilities or misconfigurations in container images, which could be exploited if left unaddressed. If confirmed malicious, these findings could lead to unauthorized access, data breaches, or further exploitation within the containerized environment. -how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - AWS ECR Container Scanning Findings Medium - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = The following analytic identifies medium-severity findings from AWS Elastic Container Registry (ECR) image scans. It leverages AWS CloudTrail logs, specifically the DescribeImageScanFindings event, to detect vulnerabilities in container images. This activity is significant for a SOC as it highlights potential security risks in containerized applications, which could be exploited if not addressed. If confirmed malicious, these vulnerabilities could lead to unauthorized access, data breaches, or further exploitation within the container environment, compromising the overall security posture. -how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - AWS ECR Container Upload Outside Business Hours - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = This search looks for AWS CloudTrail events from AWS Elastic Container Service (ECR). A upload of a new container is normally done during business hours. When done outside business hours, we want to take a look into it. -how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]} -known_false_positives = When your development is spreaded in different time zones, applying this rule can be difficult. -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - AWS ECR Container Upload Unknown User - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = This search looks for AWS CloudTrail events from AWS Elastic Container Service (ECR). A upload of a new container is normally done from only a few known users. When the user was never seen before, we should have a closer look into the event. -how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - AWS Excessive Security Scanning - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = The following analytic identifies excessive security scanning activities in AWS by detecting a high number of Describe, List, or Get API calls from a single user. It leverages AWS CloudTrail logs to count distinct event names and flags users with more than 50 such events. This behavior is significant as it may indicate reconnaissance activities by an attacker attempting to map out your AWS environment. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or further exploitation of your cloud infrastructure. -how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.CM"]} -known_false_positives = While this search has no known false positives. -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - AWS Exfiltration via Anomalous GetObject API Activity - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = This search uses built in Splunk command `| anomalydetection` to detect anomalies with respect to users making high number of GetObject API calls to download objects from S3 in a 10 minute time window. The field `probable_cause` is the name of the field that best explains why the event is anomalous. This command identifies anomalous events by computing a probability for each GetObject event by "count" "user_type" "user_arn" and detects anomaly based on the frequencies. -how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1119"], "nist": ["DE.AE"]} -known_false_positives = It is possible that a user downloaded these files to use them locally and there are AWS services in configured that perform these activities for a legitimate reason. Filter is needed. -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - AWS Exfiltration via Batch Service - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = This search looks for events where AWS Batch Service is used for creating a job that could potentially abuse the AWS Bucket Replication feature on S3 buckets. This AWS service can used to transfer data between different AWS S3 buckets and an attacker can leverage this to exfiltrate data by creating a malicious batch job. -how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1119"], "nist": ["DE.CM"]} -known_false_positives = It is possible that an AWS Administrator or a user has legitimately created this job for some tasks. -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - AWS Exfiltration via Bucket Replication - Rule] -type = detection -asset_type = EC2 Snapshot -confidence = medium -explanation = The following analytic detects API calls made to an S3 bucket when bucket replication services are enabled. S3 bucket replication is a feature offered by Amazon Web Services (AWS) that allows you to automatically and asynchronously copy data from one S3 bucket to another in the same or different region. \ -S3 bucket replication can also be used for cross-account replication, where data is replicated from a source bucket owned by one AWS account to a destination bucket owned by a different AWS account. -how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1537"], "nist": ["DE.CM"]} -known_false_positives = It is possible that an AWS admin has legitimately implemented data replication to ensure data availability and improve data protection/backup strategies. -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - AWS Exfiltration via DataSync Task - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = This search looks for potential misuse of an AWS service known as DataSync. This AWS service is used to transfer data between different AWS cloud storage services, such as Amazon S3, Amazon EFS, and Amazon FSx for Windows File Server. Attackers can create a task in AWS to periodically copy data from a private AWS location to a public location resulting in the compromise of the data. -how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1119"], "nist": ["DE.CM"]} -known_false_positives = It is possible that an AWS Administrator has legitimately created this task for creating backup. Please check the `sourceLocationArn` and `destinationLocationArn` of this task -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - AWS Exfiltration via EC2 Snapshot - Rule] -type = detection -asset_type = EC2 Snapshot -confidence = medium -explanation = This search detects a series of AWS API calls, made in a short time window, related to EC2 snapshots that can detect a potential exfiltration via EC2 Snapshot modifications. In this attack, the attacker typically proceeds by listing and creating EC2 snapshots of the available EC2 instances followed by modifying snapshot attributes such that it can be shared externally. Once this is done, the attacker can then load that EC2 snapshot and access all the sensitive information. -how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. We have intentionally removed `guardduty.amazonaws.com` from src_ip to remove false positives caused by guard duty. We recommend you adjust the time window as per your environment. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1537"], "nist": ["DE.CM"]} -known_false_positives = It is possible that an AWS admin has legitimately shared a snapshot with an other account for a specific purpose. Please check any recent change requests filed in your organization. -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - AWS High Number Of Failed Authentications For User - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = The following analytic identifies an AWS account with more than 20 failed authentication events in the span of 5 minutes. This behavior could represent a brute force attack against the account. As environments differ across organizations, security teams should customize the threshold of this detection. -how_to_implement = You must install Splunk AWS Add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.AE"]} -known_false_positives = A user with more than 20 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application. -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - AWS High Number Of Failed Authentications From Ip - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = The following analytic identifies an IP address failing to authenticate 20 or more times to the AWS Web Console in the span of 5 minutes. This behavior could represent a brute force attack against an AWS tenant to obtain initial access or elevate privileges. As environments differ across organizations, security teams should customize the threshold of this detection. -how_to_implement = You must install Splunk Add-on for AWS in order to ingest Cloudtrail. We recommend the users to try different combinations of the bucket span time and the tried account threshold to tune this search according to their environment. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]} -known_false_positives = An Ip address with more than 20 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application. -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - AWS IAM AccessDenied Discovery Events - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = The following detection identifies excessive AccessDenied events within an hour timeframe. It is possible that an access key to AWS may have been stolen and is being misused to perform discovery events. In these instances, the access is not available with the key stolen therefore these events will be generated. -how_to_implement = The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS CloudTrail logs. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1580"], "nist": ["DE.AE"]} -known_false_positives = It is possible to start this detection will need to be tuned by source IP or user. In addition, change the count values to an upper threshold to restrict false positives. -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - AWS IAM Assume Role Policy Brute Force - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = The following detection identifies any malformed policy document exceptions with a status of `failure`. A malformed policy document exception occurs in instances where roles are attempted to be assumed, or brute forced. In a brute force attempt, using a tool like CloudSploit or Pacu, an attempt will look like `arn:aws:iam::111111111111:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS`. Meaning, when an adversary is attempting to identify a role name, multiple failures will occur. This detection focuses on the errors of a remote attempt that is failing. -how_to_implement = The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS CloudTrail logs. Set the `where count` greater than a value to identify suspicious activity in your environment. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1580", "T1110"], "nist": ["DE.CM"]} -known_false_positives = This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - AWS IAM Delete Policy - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = The following detection identifies when a policy is deleted on AWS. This does not identify whether successful or failed, but the error messages tell a story of suspicious attempts. There is a specific process to follow when deleting a policy. First, detach the policy from all users, groups, and roles that the policy is attached to, using DetachUserPolicy , DetachGroupPolicy , or DetachRolePolicy. -how_to_implement = The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS CloudTrail logs. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098"], "nist": ["DE.AE"]} -known_false_positives = This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete policies (least privilege). In addition, this may be saved seperately and tuned for failed or success attempts only. -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - AWS IAM Failure Group Deletion - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = This detection identifies failure attempts to delete groups. We want to identify when a group is attempting to be deleted, but either access is denied, there is a conflict or there is no group. This is indicative of administrators performing an action, but also could be suspicious behavior occurring. Review parallel IAM events - recently added users, new groups and so forth. -how_to_implement = The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS CloudTrail logs. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098"], "nist": ["DE.AE"]} -known_false_positives = This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete groups (least privilege). -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - AWS IAM Successful Group Deletion - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = The following query uses IAM events to track the success of a group being deleted on AWS. This is typically not indicative of malicious behavior, but a precurser to additional events thay may unfold. Review parallel IAM events - recently added users, new groups and so forth. Inversely, review failed attempts in a similar manner. -how_to_implement = The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS CloudTrail logs. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1069.003", "T1098", "T1069"], "nist": ["DE.AE"]} -known_false_positives = This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete groups (least privilege). -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - AWS Lambda UpdateFunctionCode - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = This analytic is designed to detect IAM users attempting to update/modify AWS lambda code via the AWS CLI to gain persistence, futher access into your AWS environment and to facilitate planting backdoors. In this instance, an attacker may upload malicious code/binary to a lambda function which will be executed automatically when the funnction is triggered. -how_to_implement = You must install Splunk AWS Add on and enable Cloudtrail logs in your AWS Environment. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} -known_false_positives = While this search has no known false positives, it is possible that an AWS admin or an autorized IAM user has updated the lambda fuction code legitimately. -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - AWS Multi-Factor Authentication Disabled - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = The following analytic identifies an attempt to disable multi-factor authentication for an AWS IAM user. An adversary who has obtained access to an AWS tenant may disable multi-factor authentication as a way to plant a backdoor and maintain persistence using a valid account. This way the attackers can keep persistance in the environment without adding new users. -how_to_implement = The Splunk AWS Add-on is required to utilize this data. The search requires AWS CloudTrail logs. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1621", "T1556", "T1556.006"], "nist": ["DE.CM"]} -known_false_positives = AWS Administrators may disable MFA but it is highly unlikely for this event to occur without prior notice to the company -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - AWS Multiple Failed MFA Requests For User - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = The following analytic identifies multiple failed multi-factor authentication requests to an AWS Console for a single user. AWS CloudTrail logs provide a a very useful field called `additionalEventData` that logs information regarding usage of MFA. Specifically, the analytic triggers when more than 10 MFA user prompts fail within 10 minutes. AWS Environments can be very different depending on the organization, Security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls as reported by Mandiant and others. -how_to_implement = The Splunk AWS Add-on is required to utilize this data. The search requires AWS CloudTrail logs. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1621"], "nist": ["DE.AE"]} -known_false_positives = Multiple Failed MFA requests may also be a sign of authentication or application issues. Filter as needed. -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - AWS Multiple Users Failing To Authenticate From Ip - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = The following analytic identifies one source Ip failing to authenticate into the AWS Console with 30 unique valid users within 10 minutes. This behavior could represent an adversary performing a Password Spraying attack against an AWS environment tenant to obtain initial access or elevate privileges. -how_to_implement = You must install Splunk Add-on for AWS in order to ingest Cloudtrail. We recommend the users to try different combinations of the bucket span time and the tried account threshold to tune this search according to their environment. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]} -known_false_positives = No known false postives for this detection. Please review this alert -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - AWS Network Access Control List Created with All Open Ports - Rule] -type = detection -asset_type = AWS Instance -confidence = medium -explanation = The following analytic detects the creation of AWS Network Access Control Lists (ACLs) with all ports open to a specified CIDR. It leverages AWS CloudTrail events, specifically monitoring for `CreateNetworkAclEntry` or `ReplaceNetworkAclEntry` actions with rules allowing all traffic. This activity is significant because it can expose the network to unauthorized access, increasing the risk of data breaches and other malicious activities. If confirmed malicious, an attacker could exploit this misconfiguration to gain unrestricted access to the network, potentially leading to data exfiltration, service disruption, or further compromise of the AWS environment. -how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS, version 4.4.0 or later, and configure your AWS CloudTrail inputs. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.007", "T1562"], "nist": ["DE.CM"]} -known_false_positives = It's possible that an admin has created this ACL with all ports open for some legitimate purpose however, this should be scoped and not allowed in production environment. -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - AWS Network Access Control List Deleted - Rule] -type = detection -asset_type = AWS Instance -confidence = medium -explanation = Enforcing network-access controls is one of the defensive mechanisms used by cloud administrators to restrict access to a cloud instance. After the attacker has gained control of the AWS console by compromising an admin account, they can delete a network ACL and gain access to the instance from anywhere. This search will query the AWS CloudTrail logs to detect users deleting network ACLs. -how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.007", "T1562"], "nist": ["DE.AE"]} -known_false_positives = It's possible that a user has legitimately deleted a network ACL. -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - AWS New MFA Method Registered For User - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = The following analytic detects the registration of a new Multi-Factor Authentication (MFA) method for an AWS account. It leverages AWS CloudTrail logs to identify the `CreateVirtualMFADevice` event. This activity is significant because adversaries who gain unauthorized access to an AWS account may register a new MFA method to maintain persistence. If confirmed malicious, this could allow attackers to secure their access, making it difficult to detect and remove their presence, potentially leading to further unauthorized activities and data breaches. -how_to_implement = You must install Splunk AWS add on and Splunk App for AWS. This search works when AWS CloudTrail logs. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1556", "T1556.006"], "nist": ["DE.CM"]} -known_false_positives = Newly onboarded users who are registering an MFA method for the first time will also trigger this detection. -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - AWS Password Policy Changes - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = This search looks for AWS CloudTrail events where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised. -how_to_implement = You must install Splunk AWS Add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.AE"]} -known_false_positives = While this search has no known false positives, it is possible that an AWS admin has legitimately triggered an AWS audit tool activity which may trigger this event. -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - AWS S3 Exfiltration Behavior Identified - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = This correlation search looks at the risk events created by the detection analytics related Collection and Exfiltration techniques used by adversaries. The rule is designed to identify instances where 2 or more analytics unique AWS analytics and 2 or more distinct mitre IDs has triggered for a particular risk object. This alert when triggered may indicate a potential exfiltration in progress. By aggregating these analytics, security teams can swiftly respond to and investigate any suspicious activities, enhancing their ability to protect critical assets and prevent unauthorized access to sensitive information. -how_to_implement = You must enable all the detection searches in the Data Exfiltration Analytic story to create risk events in Enterprise Security. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1537"], "nist": ["DE.AE"]} -known_false_positives = alse positives may be present based on automated tooling or system administrators. Filter as needed. -providing_technologies = null - -[savedsearch://ESCU - AWS SAML Access by Provider User and Principal - Rule] -type = detection -asset_type = AWS Federated Account -confidence = medium -explanation = This search provides specific SAML access from specific Service Provider, user and targeted principal at AWS. This search provides specific information to detect abnormal access or potential credential hijack or forgery, specially in federated environments using SAML protocol inside the perimeter or cloud provider. -how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} -known_false_positives = Attacks using a Golden SAML or SAML assertion hijacks or forgeries are very difficult to detect as accessing cloud providers with these assertions looks exactly like normal access, however things such as source IP sourceIPAddress user, and principal targeted at receiving cloud provider along with endpoint credential access and abuse detection searches can provide the necessary context to detect these attacks. -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - AWS SAML Update identity provider - Rule] -type = detection -asset_type = AWS Federated Account -confidence = medium -explanation = This search provides detection of updates to SAML provider in AWS. Updates to SAML provider need to be monitored closely as they may indicate possible perimeter compromise of federated credentials, or backdoor access from another cloud provider set by attacker. -how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.CM"]} -known_false_positives = Updating a SAML provider or creating a new one may not necessarily be malicious however it needs to be closely monitored. -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - AWS SetDefaultPolicyVersion - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = This search looks for AWS CloudTrail events where a user has set a default policy versions. Attackers have been know to use this technique for Privilege Escalation in case the previous versions of the policy had permissions to access more resources than the current version of the policy -how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.CM"]} -known_false_positives = While this search has no known false positives, it is possible that an AWS admin has legitimately set a default policy to allow a user to access all resources. That said, AWS strongly advises against granting full control to all AWS resources -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - AWS Successful Console Authentication From Multiple IPs - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = The following analytic identifies an AWS account successfully authenticating from more than one unique Ip address in the span of 5 minutes. This behavior could represent an adversary who has stolen credentials via a phishing attack or some other method and using them to access corporate online resources around the same time as a legitimate user. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments. -how_to_implement = You must install Splunk AWS add on and Splunk App for AWS. This search works when AWS CloudTrail events are normalized use the Authentication datamodel. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Weaponization"], "mitre_attack": ["T1586", "T1535"], "nist": ["DE.AE"]} -known_false_positives = A user with successful authentication events from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment. -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - AWS Successful Single-Factor Authentication - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = The following analytic identifies a successful Console Login authentication event against an AWS IAM user for an account without Multi-Factor Authentication enabled. This could be evidence of a misconfiguration, a policy violation or an account take over attempt that should be investigated -how_to_implement = The Splunk AWS Add-on is required to utilize this data. The search requires AWS CloudTrail logs. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004"], "nist": ["DE.CM"]} -known_false_positives = It is possible that some accounts do not have MFA enabled for the AWS account however its agaisnt the best practices of securing AWS. -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - AWS Unusual Number of Failed Authentications From Ip - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = The following analytic identifies one source IP failing to authenticate into the AWS Console with multiple valid users. This behavior could represent an adversary performing a Password Spraying attack against an AWS environment to obtain initial access or elevate privileges. The detection calculates the standard deviation for source IP and leverages the 3-sigma statistical rule to identify an unusual number of failed authentication attempts. To customize this analytic, users can try different combinations of the bucket span time and the calculation of the upperBound field. This logic can be used for real time security monitoring as well as threat hunting exercises. While looking for anomalies using statistical methods like the standard deviation can have benefits, we also recommend using threshold-based detections to complement coverage. A similar analytic following the threshold model is `AWS Multiple Users Failing To Authenticate From Ip`. -how_to_implement = You must install Splunk Add-on for AWS in order to ingest Cloudtrail. We recommend the users to try different combinations of the bucket span time and the calculation of the upperBound field to tune this search according to their environment -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]} -known_false_positives = No known false postives for this detection. Please review this alert -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - AWS UpdateLoginProfile - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = This search looks for AWS CloudTrail events where a user A who has already permission to update login profile, makes an API call to update login profile for another user B . Attackers have been know to use this technique for Privilege Escalation in case new victim(user B) has more permissions than old victim(user B) -how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.CM"]} -known_false_positives = While this search has no known false positives, it is possible that an AWS admin has legitimately created keys for another user. -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - Azure Active Directory High Risk Sign-in - Rule] -type = detection -asset_type = Azure Active Directory -confidence = medium -explanation = The following analytic triggers on a high risk sign-in against Azure Active Directory identified by Azure Identity Protection. Identity Protection monitors sign-in events using heuristics and machine learning to identify potentially malicious events and categorizes them in three categories high, medium and low. -how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. Specifically, this analytic leverages the RiskyUsers and UserRiskEvents log category in the azure:monitor:aad sourcetype. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003"], "nist": ["DE.CM"]} -known_false_positives = Details for the risk calculation algorithm used by Identity Protection are unknown and may be prone to false positives. -providing_technologies = ["Azure AD", "Entra ID"] - -[savedsearch://ESCU - Azure AD Admin Consent Bypassed by Service Principal - Rule] -type = detection -asset_type = Azure Active Directory -confidence = medium -explanation = This detection focuses on identifying instances in Azure Active Directory where a service principal assigns app roles without standard admin consent, using Entra ID logs. It operates on the azure_monitor_aad data source, scrutinizing the "Add app role assignment to service principal" operation, specifically from service principals. The query dissects details such as role ID, value, and description, important for understanding the nature of the roles being assigned. Monitoring this in a SOC is critical as it flags potential bypasses of vital administrative consent processes in Azure AD, which could result in unauthorized privileges being granted. A true positive detection suggests that a service principal may be exploiting automation to assign sensitive permissions without proper oversight. -how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Auditlog log category -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098.003"], "nist": ["DE.CM"]} -known_false_positives = Service Principals are sometimes configured to legitimately bypass the consent process for purposes of automation. Filter as needed. -providing_technologies = ["Azure AD", "Entra ID"] - -[savedsearch://ESCU - Azure AD Application Administrator Role Assigned - Rule] -type = detection -asset_type = Azure Active Directory -confidence = medium -explanation = The following analytic identifies the assignment of the Application Administrator role to an Azure AD user. Users in this role can create and manage all aspects of enterprise applications, application registrations, and application proxy settings. This role also grants the ability to manage application credentials. Users assigned this role can add credentials to an application, and use those credentials to impersonate the applications identity. If the applications identity has been granted access to a resource, such as the ability to create or update User or other objects, then a user assigned to this role could perform those actions while impersonating the application. This ability to impersonate the applications identity may be an elevation of privilege over what the user can do via their role assignments. Red teams and adversaries alike may abuse this role to escalate their privileges in an Azure AD tenant. -how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Auditlog log category -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]} -known_false_positives = Administrators may legitimately assign the Application Administrator role to a user. Filter as needed. -providing_technologies = ["Azure AD", "Entra ID"] - -[savedsearch://ESCU - Azure AD Authentication Failed During MFA Challenge - Rule] -type = detection -asset_type = Azure Active Directory -confidence = medium -explanation = The following analytic identifies an authentication attempt event against an Azure AD tenant that fails during the Multi Factor Authentication challenge. Error Code 500121 represents a failed attempt to authenticate using a second factor. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled. -how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004", "T1621"], "nist": ["DE.CM"]} -known_false_positives = Legitimate users may miss to reply the MFA challenge within the time window or deny it by mistake. -providing_technologies = ["Azure AD", "Entra ID"] - -[savedsearch://ESCU - Azure AD Block User Consent For Risky Apps Disabled - Rule] -type = detection -asset_type = Azure Tenant -confidence = medium -explanation = This analytic detects when the risk-based step-up consent security setting in Azure AD is disabled. This setting, when enabled, prevents regular users from granting consent to potentially malicious OAuth applications, requiring an administrative step-up for consent instead. Disabling this feature could expose the organization to OAuth phishing threats.The detection operates by monitoring Azure Active Directory logs for events where the "Update authorization policy" operation is performed. It specifically looks for changes to the "AllowUserConsentForRiskyApps" setting, identifying instances where this setting is switched to "true," effectively disabling the risk-based step-up consent. Monitoring for changes to critical security settings like the "risk-based step-up consent" is vital for maintaining the integrity of an organization's security posture. Disabling this feature can make the environment more susceptible to OAuth phishing attacks, where attackers trick users into granting permissions to malicious applications. Identifying when this setting is disabled can help blue teams to quickly respond, investigate, and potentially uncover targeted phishing campaigns against their users. If an attacker successfully disables the "risk-based step-up consent" and subsequently launches an OAuth phishing campaign, they could gain unauthorized access to user data and other sensitive information within the M365 environment. This could lead to data breaches, unauthorized access to emails, and potentially further compromise within the organization -how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562"], "nist": ["DE.CM"]} -known_false_positives = Legitimate changes to the 'risk-based step-up consent' setting by administrators, perhaps as part of a policy update or security assessment, may trigger this alert, necessitating verification of the change's intent and authorization -providing_technologies = ["Azure AD", "Entra ID"] - -[savedsearch://ESCU - Azure AD Concurrent Sessions From Different Ips - Rule] -type = detection -asset_type = Azure Tenant -confidence = medium -explanation = The following analytic identifies an Azure AD account with concurrent sessions coming from more than one unique Ip address within the span of 5 minutes. This behavior could represent a session hijacking attack whereby an adversary has extracted cookies from a victims browser and is using them from a different location to access corporate online resources. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments. -how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1185"], "nist": ["DE.CM"]} -known_false_positives = A user with concurrent sessions from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment. -providing_technologies = ["Azure AD", "Entra ID"] - -[savedsearch://ESCU - Azure AD Device Code Authentication - Rule] -type = detection -asset_type = Azure Tenant -confidence = medium -explanation = The following analytic identifies the execution of the Azure Device Code Phishing attack, which can lead to Azure Account Take-Over (ATO). The detection leverages Azure AD logs specifically focusing on authentication requests to identify the attack. This technique involves creating malicious infrastructure, bypassing Multi-Factor Authentication (MFA), and bypassing Conditional Access Policies (CAPs). The attack aims to compromise users by sending them phishing emails from attacker-controlled domains and trick the victims into performing OAuth 2.0 device authentication. A successful execution of this attack can result in adversaries gaining unauthorized access to Azure AD, Exchange mailboxes, and the target's Outlook Web Application (OWA). This attack technique was detailed by security researchers including Bobby Cooke, Stephan Borosh, and others. It's crucial for organizations to be aware of this threat, as it can lead to unauthorized access and potential data breaches. -how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation"], "mitre_attack": ["T1528", "T1566", "T1566.002"], "nist": ["DE.CM"]} -known_false_positives = In most organizations, device code authentication will be used to access common Microsoft service but it may be legitimate for others. Filter as needed. -providing_technologies = ["Azure AD", "Entra ID"] - -[savedsearch://ESCU - Azure AD External Guest User Invited - Rule] -type = detection -asset_type = Azure Active Directory -confidence = medium -explanation = The following analytic identifies the invitation of an external guest user within Azure AD. With Azure AD B2B collaboration, users and administrators can invite external users to collaborate with internal users. External guest account invitations should be monitored by security teams as they could potentially lead to unauthorized access. An example of this attack vector was described at BlackHat 2022 by security researcher Dirk-Jan during his tall `Backdooring and Hijacking Azure AD Accounts by Abusing External Identities` -how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003"], "nist": ["DE.CM"]} -known_false_positives = Administrator may legitimately invite external guest users. Filter as needed. -providing_technologies = ["Azure AD", "Entra ID"] - -[savedsearch://ESCU - Azure AD FullAccessAsApp Permission Assigned - Rule] -type = detection -asset_type = Azure Active Directory -confidence = medium -explanation = The following analytic identifies when the 'full_access_as_app' permission, marked by the GUID 'dc890d15-9560-4a4c-9b7f-a736ec74ec40', is assigned to an application within Office 365 Exchange Online, identified by ResourceAppId '00000002-0000-0ff1-ce00-000000000000'. This permission grants broad control over Office 365 operations, including full access to all mailboxes and the capability to send emails as any user. The query utilizes the azure_monitor_aad data source, focusing on AuditLogs with the operation name 'Update application'. This monitoring is crucial for early detection of potential unauthorized access or data exfiltration, as the 'full_access_as_app' permission could lead to significant security incidents if exploited. -how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098.002", "T1098.003"], "nist": ["DE.CM"]} -known_false_positives = The full_access_as_app API permission may be assigned to legitimate applications. Filter as needed. -providing_technologies = ["Azure AD", "Entra ID"] - -[savedsearch://ESCU - Azure AD Global Administrator Role Assigned - Rule] -type = detection -asset_type = Azure Active Directory -confidence = medium -explanation = The following analytic identifies the assignment of the Azure AD Global Administrator role to an Azure AD user. The Global Administrator role is the most powerful administrator role in Azure AD and provides almost unlimited access to data, resources and settings. It is equivalent to the Domain Administrator group in an Active Directory environment. While Azure AD roles do not grant access to Azure services and resources, it is possible for a Global Administrator account to gain control of Azure resources. Adversaries and red teams alike may assign this role to a compromised account to establish Persistence or escalate their privileges in an Azure AD environment. -how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098.003"], "nist": ["DE.CM"]} -known_false_positives = Administrators may legitimately assign the Global Administrator role to a user. Filter as needed. -providing_technologies = ["Azure AD", "Entra ID"] - -[savedsearch://ESCU - Azure AD High Number Of Failed Authentications For User - Rule] -type = detection -asset_type = Azure Tenant -confidence = medium -explanation = The following analytic identifies an Azure AD account with more than 20 failed authentication events in the span of 10 minutes. This behavior could represent a brute force attack against the account. As environments differ across organizations, security teams should customize the threshold of this detection. -how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110", "T1110.001"], "nist": ["DE.CM"]} -known_false_positives = A user with more than 20 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application. -providing_technologies = ["Azure AD", "Entra ID"] - -[savedsearch://ESCU - Azure AD High Number Of Failed Authentications From Ip - Rule] -type = detection -asset_type = Azure Tenant -confidence = medium -explanation = The following analytic identifies an Ip address failing to authenticate 20 or more times to an Azure AD tenant in the span of 10 minutes. This behavior could represent a brute force attack againstan Azure AD to obtain initial access or elevate privileges. As environments differ across organizations, security teams should customize the threshold of this detection. -how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110", "T1110.001", "T1110.003"], "nist": ["DE.CM"]} -known_false_positives = An Ip address with more than 20 failed authentication attempts in the span of 10 minutes may also be triggered by a broken application. -providing_technologies = ["Azure AD", "Entra ID"] - -[savedsearch://ESCU - Azure AD Multi-Factor Authentication Disabled - Rule] -type = detection -asset_type = Azure Active Directory -confidence = medium -explanation = The following analytic identifies an attempt to disable multi-factor authentication for an Azure AD user. An adversary who has obtained access to an Azure AD tenant may disable multi-factor authentication as a way to plant a backdoor and maintain persistence using a valid account. This way the attackers can keep persistance in the environment without adding new users. -how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1556", "T1556.006"], "nist": ["DE.CM"]} -known_false_positives = Legitimate use case may require for users to disable MFA. Filter as needed. -providing_technologies = ["Azure AD", "Entra ID"] - -[savedsearch://ESCU - Azure AD Multi-Source Failed Authentications Spike - Rule] -type = detection -asset_type = Azure Tenant -confidence = medium -explanation = This analytic detects potential distributed password spraying attacks within an Azure AD environment. It identifies a notable increase in failed authentication attempts across a variety of unique user-and-IP address combinations, originating from multiple source IP addresses and countries, and employing different user agents. Such patterns suggest an adversary's attempt to bypass security controls by using a range of IP addresses to test commonly used passwords against numerous user accounts. The detection scrutinizes SignInLogs from Azure AD logs, particularly focusing on events with error code 50126, which signals a failed authentication due to incorrect credentials. By collating data over a five-minute interval, the analytic computes the distinct counts of user-and-IP combinations, unique users, source IPs, and countries. It then applies a set of thresholds to these metrics to pinpoint unusual activities that could indicate a coordinated attack effort. The thresholds set within the analytic (such as unique IPs, unique users, etc.) are initial guidelines and should be customized based on the organization's user behavior and risk profile. Recognizing this behavior is vital for security operations centers (SOCs) as distributed password spraying represents a more complex form of traditional password spraying. Attackers distribute the source of their attempts to evade detection mechanisms that typically monitor for single-source IP anomalies. Prompt detection of such distributed activities is essential to thwart unauthorized access attempts, prevent account compromises, and mitigate the risk of further malicious activities within the organization's network. A true positive alert from this analytic suggests an active distributed password spraying attack against the organization's Azure AD tenant. A successful attack could result in unauthorized access, particularly to accounts with elevated privileges, leading to data breaches, privilege escalation, persistent threats, and lateral movement within the organization's infrastructure. -how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category. The thresholds set within the analytic (such as unique IPs, unique users, etc.) are initial guidelines and should be customized based on the organization's user behavior and risk profile. Security teams are encouraged to adjust these thresholds to optimize the balance between detecting genuine threats and minimizing false positives, ensuring the detection is tailored to their specific environment. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]} -known_false_positives = This detection may yield false positives in scenarios where legitimate bulk sign-in activities occur, such as during company-wide system updates or when users are accessing resources from varying locations in a short time frame, such as in the case of VPNs or cloud services that rotate IP addresses. Filter as needed. -providing_technologies = ["Azure AD", "Entra ID"] - -[savedsearch://ESCU - Azure AD Multiple AppIDs and UserAgents Authentication Spike - Rule] -type = detection -asset_type = Azure Tenant -confidence = medium -explanation = This analytic is crafted to identify unusual and potentially malicious authentication activity within an Azure AD environment. It triggers when a single user account is involved in more than 8 authentication attempts, using 3 or more unique application IDs and more than 5 unique user agents within a short timeframe. This pattern is atypical for regular user behavior and may indicate an adversary's attempt to probe the environment, testing for multi-factor authentication requirements across different applications and platforms. The detection is based on analysis of Azure AD audit logs, specifically focusing on authentication events. It employs statistical thresholds to highlight instances where the volume of authentication attempts and the diversity of application IDs and user agents associated with a single user account exceed normal parameters. Identifying this behavior is crucial as it provides an early indication of potential account compromise. Adversaries, once in possession of user credentials, often conduct reconnaissance to understand the security controls in place, including multi-factor authentication configurations. Tools like Invoke-MFASweep are commonly used for this purpose, automating the process of testing different user agents and application IDs to bypass MFA. By detecting these initial probing attempts, security teams can swiftly respond, potentially stopping an attack in its early stages and preventing further unauthorized access. This proactive stance is vital for maintaining the integrity of the organization's security posture. If validated as a true positive, this detection points to a compromised account, signaling that an attacker is actively attempting to navigate security controls to maintain access and potentially escalate privileges. This could lead to further exploitation, lateral movement within the network, and eventual data exfiltration. Recognizing and responding to this early stage of an attack is vital for preventing substantial harm and safeguarding sensitive organizational data and systems. -how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} -known_false_positives = Rapid authentication from the same user using more than 5 different user agents and 3 application IDs is highly unlikely under normal circumstances. However, there are potential scenarios that could lead to false positives. -providing_technologies = ["Azure AD", "Entra ID"] - -[savedsearch://ESCU - Azure AD Multiple Denied MFA Requests For User - Rule] -type = detection -asset_type = Azure Active Directory -confidence = medium -explanation = This analytic targets the detection of an unusually high number of denied Multi-Factor Authentication (MFA) requests for a single user within a 10-minute window, specifically identifying instances where more than nine MFA prompts were declined by the user. Utilizing Azure Active Directory (Azure AD) sign-in logs, particularly focusing on "Sign-in activity" events, it filters for scenarios where the MFA request was denied due to the user declining the authentication, as indicated by error code 500121 and additional details stating "MFA denied; user declined the authentication." The data is then aggregated into 10-minute intervals, counting distinct raw events and capturing the earliest and latest times of occurrence for each user. This behavior is significant for a Security Operations Center (SOC) as it could be an early indicator of a targeted attack or an account compromise attempt, with an attacker having obtained the user's credentials and the user actively declining the MFA prompts, preventing unauthorized access. A true positive detection would imply that an attacker is on the verge of gaining full access to the user's account, posing a threat that could lead to data exfiltration, lateral movement, or further malicious activities within the organization, necessitating immediate investigation and response to safeguard the organization's assets. -how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1621"], "nist": ["DE.CM"]} -known_false_positives = Multiple denifed MFA requests in a short period of span may also be a sign of authentication errors. Investigate and filter as needed. -providing_technologies = ["Azure AD", "Entra ID"] - -[savedsearch://ESCU - Azure AD Multiple Failed MFA Requests For User - Rule] -type = detection -asset_type = Azure Active Directory -confidence = medium -explanation = The following analytic identifies multiple failed multi-factor authentication requests for a single user within an Azure AD tenant. Error Code 500121 represents a failed attempt to authenticate using a second factor. Specifically, the analytic triggers when more than 10 MFA user prompts fail within 10 minutes. The reasons for these failure could be several, like the user not responding in time or receiving multiple duplicate MFA requests. Azure AD tenants can be very different depending on the organization, Security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls as reported by Mandiant and others. -how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1621", "T1078", "T1078.004"], "nist": ["DE.CM"]} -known_false_positives = Multiple Failed MFA requests may also be a sign of authentication or application issues. Filter as needed. -providing_technologies = ["Azure AD", "Entra ID"] - -[savedsearch://ESCU - Azure AD Multiple Service Principals Created by SP - Rule] -type = detection -asset_type = Azure Active Directory -confidence = medium -explanation = This detection identifies when a single service principal in Azure AD creates more than three unique OAuth applications within a 10-minute span, potentially signaling malicious activity. It monitors the 'Add service principal' operation, focusing on the activity of service principals rather than individual users. By aggregating the creation events over a 10-minute period, the analytic tracks how many distinct OAuth applications are created by each service principal. This is key for SOC teams to pinpoint potential attack staging, where an attacker might use a compromised or malicious service principal to rapidly establish multiple service principals, facilitating network infiltration or expansion. While the default threshold is set to trigger on more than three applications, security teams should adjust this to fit their specific environment's norm -how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003"], "nist": ["DE.AE"]} -known_false_positives = Certain users or applications may create multiple service principals in a short period of time for legitimate purposes. Filter as needed. -providing_technologies = ["Azure AD", "Entra ID"] - -[savedsearch://ESCU - Azure AD Multiple Service Principals Created by User - Rule] -type = detection -asset_type = Azure Active Directory -confidence = medium -explanation = This detection focuses on identifying instances where a single user creates more than three unique OAuth applications within a 10-minute timeframe in Azure AD, a potential indicator of malicious activity. By monitoring the 'Add service principal' operation and aggregating the data with a 10-minute bucket span, it tracks the number of distinct OAuth applications created by each user. This analytic is crucial for SOC teams to detect possible staging of attacks, where an adversary might rapidly create multiple service principals as part of their infiltration or expansion strategy within the network. The threshold of three applications is set to flag unusual behavior, but security teams are advised to adjust this value to suit the normal operational patterns of their environment -how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003"], "nist": ["DE.AE"]} -known_false_positives = Certain users or applications may create multiple service principals in a short period of time for legitimate purposes. Filter as needed. -providing_technologies = ["Azure AD", "Entra ID"] - -[savedsearch://ESCU - Azure AD Multiple Users Failing To Authenticate From Ip - Rule] -type = detection -asset_type = Azure Active Directory -confidence = medium -explanation = The following analytic identifies one source Ip failing to authenticate with 30 unique valid users within 5 minutes. This behavior could represent an adversary performing a Password Spraying attack against an Azure Active Directory tenant to obtain initial access or elevate privileges. Error Code 50126 represents an invalid password. This logic can be used for real time security monitoring as well as threat hunting exercises. \ -Azure AD tenants can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold if needed. -how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]} -known_false_positives = A source Ip failing to authenticate with multiple users is not a common for legitimate behavior. -providing_technologies = ["Azure AD", "Entra ID"] - -[savedsearch://ESCU - Azure AD New Custom Domain Added - Rule] -type = detection -asset_type = Azure Active Directory -confidence = medium -explanation = The following analytic identifies the addition of a new custom domain within an Azure Active Directory tenant. Adding a custom domain is a step required to set up the Azure Active Directory identity federation backdoor technique discovered by security researcher Nestori Syynimaa. Similar to Active Directory, Azure AD uses the concept of domains to manage directories of identities. A new Azure AD tenant will initially contain a single domain that is commonly called the `cloud-only` onmicrosoft.com domain. Organizations can also add their registered custom domains to Azure AD for email addresses to match the organizations domain name. If the organization intends to use a third-party identity provider such as ADFS for authentication, the added custom domains can be configured as federated. An adversary who has obtained privileged access to an Azure AD tenant may leverage this technique to establish persistence and be able to authenticate to Azure AD impersonating any user and bypassing the requirement to have a valid password and/or perform MFA. -how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484", "T1484.002"], "nist": ["DE.CM"]} -known_false_positives = In most organizations, new customm domains will be updated infrequently. Filter as needed. -providing_technologies = ["Azure AD", "Entra ID"] - -[savedsearch://ESCU - Azure AD New Federated Domain Added - Rule] -type = detection -asset_type = Azure Active Directory -confidence = medium -explanation = The following analytic identifies the addition of a new federated domain within an Azure Active Directory tenant. This event could represent the execution of the Azure Active Directory identity federation backdoor technique discovered by security researcher Nestori Syynimaa. Similar to Active Directory, Azure AD uses the concept of domains to manage directories of identities. A new Azure AD tenant will initially contain a single domain that is commonly called the `cloud-only` onmicrosoft.com domain. Organizations can also add their registered custom domains to Azure AD for email addresses to match the organizations domain name. If the organization intends to use a third-party identity provider such as ADFS for authentication, the added custom domains can be configured as federated. An adversary who has obtained privileged access to an Azure AD tenant may leverage this technique to establish persistence and be able to authenticate to Azure AD impersonating any user and bypassing the requirement to have a valid password and/or perform MFA. -how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484", "T1484.002"], "nist": ["DE.CM"]} -known_false_positives = In most organizations, domain federation settings will be updated infrequently. Filter as needed. -providing_technologies = ["Azure AD", "Entra ID"] - -[savedsearch://ESCU - Azure AD New MFA Method Registered - Rule] -type = detection -asset_type = Azure Tenant -confidence = medium -explanation = This analytic detects the registration of a new Multi-Factor Authentication (MFA) method associated with a user account within Azure Active Directory by monitoring Azure AD audit logs and configurations. While adding a new MFA method can be a routine and legitimate action, it can also be indicative of an attacker's attempt to maintain persistence on a compromised account. By registering a new MFA method, attackers can potentially bypass existing security measures, allowing them to authenticate using stolen credentials without raising alarms. Monitoring for such changes is crucial, especially if the addition is not preceded by a user request or if it deviates from typical user behavior. If an attacker successfully registers a new MFA method on a compromised account, they can solidify their access, making it harder for legitimate users to regain control. The attacker can then operate with the privileges of the compromised account, potentially accessing sensitive data, making unauthorized changes, or even escalating their privileges further. Immediate action would be required to verify the legitimacy of the MFA change and, if malicious, to remediate and secure the affected account. -how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098", "T1098.005"], "nist": ["DE.CM"]} -known_false_positives = Users may register MFA methods legitimally, investigate and filter as needed. -providing_technologies = ["Azure AD", "Entra ID"] - -[savedsearch://ESCU - Azure AD New MFA Method Registered For User - Rule] -type = detection -asset_type = Azure Active Directory -confidence = medium -explanation = The following analytic identifies the registration of a new Multi Factor authentication method for an Azure AD account. Adversaries who have obtained unauthorized access to an Azure AD account may register a new MFA method to maintain persistence. -how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1556", "T1556.006"], "nist": ["DE.CM"]} -known_false_positives = Newly onboarded users who are registering an MFA method for the first time will also trigger this detection. -providing_technologies = ["Azure AD", "Entra ID"] - -[savedsearch://ESCU - Azure AD OAuth Application Consent Granted By User - Rule] -type = detection -asset_type = Azure Tenant -confidence = medium -explanation = This analytic detects when a user in an Azure AD environment grants consent to an OAuth application, capturing any consent granted regardless of the specific permissions requested. Utilizing Azure AD audit logs, it focuses on events related to OAuth application consents, alerting security teams to instances where users actively grant consent to applications. This monitoring is crucial as it highlights potential risks associated with third-party applications gaining access to organizational data, a tactic often exploited by malicious actors to gain unauthorized access. A true positive from this analytic necessitates immediate investigation to validate the application's legitimacy, review the granted permissions, and assess potential risks, helping to prevent unauthorized access and protect sensitive data and resources. While false positives may occur with legitimate application integrations, ensuring alignment with organizational policies and security best practices is paramount. -how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1528"], "nist": ["DE.CM"]} -known_false_positives = False positives may occur if users are granting consents as part of legitimate application integrations or setups. It is crucial to review the application and the permissions it requests to ensure they align with organizational policies and security best practices. -providing_technologies = ["Azure AD", "Entra ID"] - -[savedsearch://ESCU - Azure AD PIM Role Assigned - Rule] -type = detection -asset_type = Azure Active Directory -confidence = medium -explanation = The following analytic identifies the assignment of the Azure AD PIM role. Privileged Identity Management (PIM) is a service within Azure Azure AD that enables administrators to manage, control, and monitor access to sensitive resources. PIM provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources. Once a user has been made eligible for an administrative role, she must activate this role assignment to perform the privileged actions. When a role is activated, Azure AD PIM temporarily adds active assignment for the role. While PIM can be leveraged as a powerful security control, it may also abused by adversaries to obtain privileged access. Security teams should monitor for the assignment and activation of PIM roles and validate their legitimacy. -how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]} -known_false_positives = As part of legitimate administrative behavior, users may be assigned PIM roles. Filter as needed -providing_technologies = ["Azure AD", "Entra ID"] - -[savedsearch://ESCU - Azure AD PIM Role Assignment Activated - Rule] -type = detection -asset_type = Azure Active Directory -confidence = medium -explanation = The following analytic identifies the assignment of the Azure AD PIM role. Privileged Identity Management (PIM) is a service within Azure Azure AD that enables administrators to manage, control, and monitor access to sensitive resources. PIM provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources. Once a user has been made eligible for an administrative role, she must activate this role assignment to perform the privileged actions. When a role is activated, Azure AD PIM temporarily adds active assignment for the role. While PIM can be leveraged as a powerful security control, it may also abused by adversaries to obtain privileged access. Security teams should monitor for the assignment and activation of PIM roles and validate their legitimacy. -how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]} -known_false_positives = As part of legitimate administrative behavior, users may activate PIM roles. Filter as needed -providing_technologies = ["Azure AD", "Entra ID"] - -[savedsearch://ESCU - Azure AD Privileged Authentication Administrator Role Assigned - Rule] -type = detection -asset_type = Azure Active Directory -confidence = medium -explanation = The following analytic identifies the assignment of the Privileged Authentication Administrato role to an Azure AD user. Users in this role can set or reset authentication methods for any user in Azure Active Directory, including privileged roles like Global Administrators. Users with this role can change credentials for people who may have access to sensitive or private information or critical configuration inside and outside of Azure Active Directory. Changing the credentials of a user may mean the ability to assume that users identity and permissions. Red teams and adversaries alike may abuse this role to escalate their privileges. -how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002"], "nist": ["DE.CM"]} -known_false_positives = Administrators may legitimately assign the Privileged Authentication Administrator role as part of administrative tasks. Filter as needed. -providing_technologies = ["Azure AD", "Entra ID"] - -[savedsearch://ESCU - Azure AD Privileged Graph API Permission Assigned - Rule] -type = detection -asset_type = Azure Active Directory -confidence = medium -explanation = This Splunk analytic flags the assignment of three high-risk Graph API permissions in Azure AD, Application.ReadWrite.All (1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9), AppRoleAssignment.ReadWrite.All (06b708a9-e830-4db3-a914-8e69da51d44f), and RoleManagement.ReadWrite.Directory (9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8). These permissions enable broad control over Azure AD, including application and directory settings. Utilizing azure_monitor_aad data, the query scans AuditLogs for 'Update application' operations, identifying when these permissions are assigned. It collects data on user, object, and user agent. Immediate attention is needed upon detection, as misuse of these permissions can lead to unauthorized Azure AD modifications and potential security breaches. -how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002"], "nist": ["DE.CM"]} -known_false_positives = Privileged Graph API permissions may be assigned for legitimate purposes. Filter as needed. -providing_technologies = ["Azure AD", "Entra ID"] - -[savedsearch://ESCU - Azure AD Privileged Role Assigned - Rule] -type = detection -asset_type = Azure Active Directory -confidence = medium -explanation = The following analytic identifies the assignment of sensitive and privileged Azure Active Directory roles to an Azure AD user. Adversaries and red teams alike may assign these roles to a compromised account to establish Persistence in an Azure AD environment. -how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]} -known_false_positives = Administrators will legitimately assign the privileged roles users as part of administrative tasks. Filter as needed. -providing_technologies = ["Azure AD", "Entra ID"] - -[savedsearch://ESCU - Azure AD Privileged Role Assigned to Service Principal - Rule] -type = detection -asset_type = Azure Active Directory -confidence = medium -explanation = The following analytic detects potential privilege escalation threats in Azure Active Directory (AD). The detection is made by running a specific search within the ingested Azure Active Directory events to leverage the AuditLogs log category. This detection is important because it identifies instances where privileged roles that hold elevated permissions are assigned to service principals. This prevents unauthorized access or malicious activities, which occur when these non-human entities access Azure resources to exploit them. False positives might occur since administrators can legitimately assign privileged roles to service principals. -how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]} -known_false_positives = Administrators may legitimately assign the privileged roles to Service Principals as part of administrative tasks. Filter as needed. -providing_technologies = ["Azure AD", "Entra ID"] - -[savedsearch://ESCU - Azure AD Service Principal Authentication - Rule] -type = detection -asset_type = Azure Active Directory -confidence = medium -explanation = Monitoring service principal authentication events in Azure Active Directory is crucial, but to effectively leverage this detection, teams should first conduct a thorough inventory of all service principals and their source IPs to establish a baseline of normal behavior. The detection, using azure_monitor_aad, specifically targets "Sign-in activity" within ServicePrincipalSignInLogs, gathering key details like sign-in frequency, timing, source IPs, and accessed resources. This baseline is essential for SOC teams to distinguish between regular application authentication and anomalous patterns that might suggest compromised credentials or malicious activities. -how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.CM"]} -known_false_positives = Service Principals will legitimally authenticate remotely to your tenant. Implementing this detection after establishing a baseline enables a more accurate identification of security threats, ensuring proactive and informed responses to safeguard the Azure AD environment. source ips. -providing_technologies = ["Azure AD", "Entra ID"] - -[savedsearch://ESCU - Azure AD Service Principal Created - Rule] -type = detection -asset_type = Azure Active Directory -confidence = medium -explanation = The following analytic identifies the creation of a Service Principal in an Azure AD environment. An Azure Service Principal is an identity designed to be used with applications, services, and automated tools to access resources. It is similar to a service account within an Active Directory environment. Service Principal authentication does not support multi-factor authentication nor conditional access policies. Adversaries and red teams alike who have obtained administrative access may create a Service Principal to establish Persistence and obtain single-factor access to an Azure AD environment. -how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment thorough an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003"], "nist": ["DE.CM"]} -known_false_positives = Administrator may legitimately create Service Principal. Filter as needed. -providing_technologies = ["Azure AD", "Entra ID"] - -[savedsearch://ESCU - Azure AD Service Principal New Client Credentials - Rule] -type = detection -asset_type = Azure Active Directory -confidence = medium -explanation = The following analytic identifies the addition of new credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD. These credentials include both x509 certificates and passwords. With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules. Adversaries and red teams alike who have obtained privileged access to Azure AD may add credentials to Service Principals to maintain persistent access to victim accounts and other instances within the Azure environment. By compromising an account who is an Owner of an application with privileged access, attackers may also escalate their privileges in an Azure AD environment by adding new credentials and logging in as the service principal. -how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098", "T1098.001"], "nist": ["DE.CM"]} -known_false_positives = Service Principal client credential modifications may be part of legitimate administrative operations. Filter as needed. -providing_technologies = ["Azure AD", "Entra ID"] - -[savedsearch://ESCU - Azure AD Service Principal Owner Added - Rule] -type = detection -asset_type = Azure Active Directory -confidence = medium -explanation = The following analytic identifies the addition of a new owner for a Service Principal within an Azure AD tenant. An Azure Service Principal is an identity designed to be used with applications, services, and automated tools to access resources. It is similar to a service account within an Active Directory environment. Service Principal authentication does not support multi-factor authentication nor conditional access policies. Adversaries and red teams alike who have obtained administrative access may add a new owner for an existing Service Principal to establish Persistence and obtain single-factor access to an Azure AD environment. Attackers who are looking to escalate their privileges by leveraging a Service Principals permissions may also add a new owner. -how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]} -known_false_positives = Administrator may legitimately add new owners for Service Principals. Filter as needed. -providing_technologies = ["Azure AD", "Entra ID"] - -[savedsearch://ESCU - Azure AD Successful Authentication From Different Ips - Rule] -type = detection -asset_type = Azure Tenant -confidence = medium -explanation = The following analytic identifies an Azure AD account successfully authenticating from more than one unique Ip address in the span of 30 minutes. This behavior could represent an adversary who has stolen credentials via a phishing attack or some other method and using them to access corporate online resources around the same time as a legitimate user. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments. -how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110", "T1110.001", "T1110.003"], "nist": ["DE.CM"]} -known_false_positives = A user with successful authentication events from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment. -providing_technologies = ["Azure AD", "Entra ID"] - -[savedsearch://ESCU - Azure AD Successful PowerShell Authentication - Rule] -type = detection -asset_type = Azure Active Directory -confidence = medium -explanation = The following analytic identifies a successful authentication event against an Azure AD tenant using PowerShell commandlets. This behavior is not common for regular, non administrative users. After compromising an account in Azure AD, attackers and red teams alike will perform enumeration and discovery techniques. One method of executing these techniques is leveraging the native PowerShell modules. -how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004"], "nist": ["DE.CM"]} -known_false_positives = Administrative users will likely use PowerShell commandlets to troubleshoot and maintain the environment. Filter as needed. -providing_technologies = ["Azure AD", "Entra ID"] - -[savedsearch://ESCU - Azure AD Successful Single-Factor Authentication - Rule] -type = detection -asset_type = Azure Active Directory -confidence = medium -explanation = The following analytic identifies a successful authentication event against Azure Active Directory for an account without Multi-Factor Authentication enabled. This could be evidence of a missconfiguration, a policy violation or an account take over attempt that should be investigated -how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004"], "nist": ["DE.CM"]} -known_false_positives = Although not recommended, certain users may be required without multi-factor authentication. Filter as needed -providing_technologies = ["Azure AD", "Entra ID"] - -[savedsearch://ESCU - Azure AD Tenant Wide Admin Consent Granted - Rule] -type = detection -asset_type = Azure Tenant -confidence = medium -explanation = The following analytic identifies instances where admin consent is granted to an application within an Azure AD tenant. It leverages Azure AD audit logs, specifically events related to the admin consent action within the ApplicationManagement category. The admin consent action allows applications to access data across the entire tenant, potentially encompassing a vast amount of organizational data. Given its broad scope and the sensitivity of some permissions that can only be granted via admin consent, it's crucial to monitor this action. Unauthorized or inadvertent granting of admin consent can lead to significant security risks, including data breaches, unauthorized data access, and potential compliance violations. If an attacker successfully tricks an administrator into granting admin consent to a malicious or compromised application, they can gain extensive and persistent access to organizational data. This can lead to data exfiltration, espionage, further malicious activities within the tenant, and potential breaches of compliance regulations -how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Auditlogs log category. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]} -known_false_positives = Legitimate applications may be granted tenant wide consent, filter as needed. -providing_technologies = ["Azure AD", "Entra ID"] - -[savedsearch://ESCU - Azure AD Unusual Number of Failed Authentications From Ip - Rule] -type = detection -asset_type = Azure Active Directory -confidence = medium -explanation = The following analytic identifies one source Ip failing to authenticate with multiple valid users. This behavior could represent an adversary performing a Password Spraying attack against an Azure Active Directory tenant to obtain initial access or elevate privileges. Error Code 50126 represents an invalid password. \ -The detection calculates the standard deviation for source Ip and leverages the 3-sigma statistical rule to identify an unusual number of failed authentication attempts. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises. \ -While looking for anomalies using statistical methods like the standard deviation can have benefits, we also recommend using threshold-based detections to complement coverage. A similar analytic following the threshold model is `Azure AD Multiple Users Failing To Authenticate From Ip`. -how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]} -known_false_positives = A source Ip failing to authenticate with multiple users is not a common for legitimate behavior. -providing_technologies = ["Azure AD", "Entra ID"] - -[savedsearch://ESCU - Azure AD User Consent Blocked for Risky Application - Rule] -type = detection -asset_type = Azure Tenant -confidence = medium -explanation = The following analytic identifies instances where Azure AD has blocked a user's attempt to grant consent to an application deemed risky or potentially malicious. This suggests that the application has exhibited behaviors or characteristics that are commonly associated with malicious intent or poses a security risk. This detection leverages the Azure AD audit logs, specifically focusing on events related to user consent actions and system-driven blocks. By filtering for blocked consent actions associated with applications, the analytic highlights instances where Azure's built-in security measures have intervened. Applications that are flagged and blocked by Azure typically exhibit suspicious characteristics or behaviors. Monitoring for these blocked consent attempts helps security teams identify potential threats early on and can provide insights into users who might be targeted or susceptible to such risky applications. It's an essential layer of defense in ensuring that malicious or risky applications don't gain access to organizational data. If the detection is a true positive, it indicates that the built-in security measures of O365 successfully prevented a potentially harmful application from gaining access. However, the attempt itself suggests that either a user might be targeted or that there's a presence of malicious applications trying to infiltrate the organization. Immediate investigation is required to understand the context of the block and to take further preventive measures. -how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1528"], "nist": ["DE.CM"]} -known_false_positives = UPDATE_KNOWN_FALSE_POSITIVES -providing_technologies = ["Azure AD", "Entra ID"] - -[savedsearch://ESCU - Azure AD User Consent Denied for OAuth Application - Rule] -type = detection -asset_type = Azure Tenant -confidence = medium -explanation = The following analytic identifies instances where a user has actively denied consent to an OAuth application seeking permissions within the Azure AD environment. This suggests that the user either recognized something suspicious about the application or chose not to grant it the requested permissions for other reasons. This detection leverages the Azure AD's audit logs, specifically focusing on events related to user consent actions. By filtering for denied consent actions associated with OAuth applications, the analytic captures instances where users have actively rejected permission requests. While user-denied consents can be routine, they can also be indicative of users spotting potentially suspicious or unfamiliar applications. By monitoring these denied consent attempts, security teams can gain insights into applications that might be perceived as risky or untrusted by users. It can also serve as a feedback loop for security awareness training, indicating that users are being cautious about granting permissions. If the detection is a true positive, it indicates that a user has actively prevented an OAuth application from gaining the permissions it requested. While this is a proactive security measure on the user's part, it's essential for security teams to review the context of the denial. Understanding why certain applications are being denied can help in refining application whitelisting policies and ensuring that no malicious applications are attempting to gain access. -how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1528"], "nist": ["DE.CM"]} -known_false_positives = Users may deny consent for legitimate applications by mistake, filter as needed. -providing_technologies = ["Azure AD", "Entra ID"] - -[savedsearch://ESCU - Azure AD User Enabled And Password Reset - Rule] -type = detection -asset_type = Azure Active Directory -confidence = medium -explanation = The following analytic identifies an Azure AD user enabling a previously disabled account and resetting its password within 2 minutes. This behavior could represent an adversary who has obtained administrative access and is trying to establish a backdoor identity within an Azure AD tenant. -how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]} -known_false_positives = While not common, Administrators may enable accounts and reset their passwords for legitimate reasons. Filter as needed. -providing_technologies = ["Azure AD", "Entra ID"] - -[savedsearch://ESCU - Azure AD User ImmutableId Attribute Updated - Rule] -type = detection -asset_type = Azure Active Directory -confidence = medium -explanation = The following analytic identifies the modification of the SourceAnchor (also called ImmutableId) attribute for an Azure Active Directory user. Updating this attribute is a step required to set up the Azure Active Directory identity federation backdoor technique discovered by security researcher Nestori Syynimaa. Similar to Active Directory, Azure AD uses the concept of domains to manage directories of identities. A new Azure AD tenant will initially contain a single domain that is commonly called the `cloud-only` onmicrosoft.com domain. Organizations can also add their registered custom domains to Azure AD for email addresses to match the organizations domain name. If the organization intends to use a third-party identity provider such as ADFS for authentication, the added custom domains can be configured as federated. An adversary who has obtained privileged access to an Azure AD tenant may leverage this technique to establish persistence and be able to authenticate to Azure AD impersonating any user and bypassing the requirement to have a valid password and/or perform MFA. -how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]} -known_false_positives = The SourceAnchor (also called ImmutableId) Azure AD attribute has legitimate uses for directory synchronization. Investigate and filter as needed. -providing_technologies = ["Azure AD", "Entra ID"] - -[savedsearch://ESCU - Azure Automation Account Created - Rule] -type = detection -asset_type = Azure Tenant -confidence = medium -explanation = The following analytic identifies the creation of a new Azure Automation account within an Azure tenant. Azure Automation is a cloud-based automation platform that allows administrators to automate Azure management tasks and orchestrate actions across external systems within Azure using PowerShell and Python. Azure Automation can also be configured to automate tasks on on premise infrastructure using a component called a Hybrid Runbook Worker. Automation accounts serve as a container to isolate Automation resources, runbooks, assets, and configurations from the resources of other accounts. They allow administrators to separate resources into logical environments or delegated responsibilities. Adversaries or red teams who have obtained privileged access to an Azure tenant may create an Azure Automation account with elevated privileges to maintain persistence in the Azure tenant. A malicious Automation Runbook can be created to create Global Administrators in Azure AD, execute code on VMs, etc. -how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Audit events into your Splunk environment. Specifically, this analytic leverages the Azure Activity log category. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136", "T1136.003"], "nist": ["DE.CM"]} -known_false_positives = Administrators may legitimately create Azure Automation accounts. Filter as needed. -providing_technologies = null - -[savedsearch://ESCU - Azure Automation Runbook Created - Rule] -type = detection -asset_type = Azure Tenant -confidence = medium -explanation = The following analytic identifies the creation of a new Azure Automation Runbook within an Azure tenant. Azure Automation is a cloud-based automation platform that allows administrators to automate Azure management tasks and orchestrate actions across external systems within Azure. Azure Automation script files called Runbooks that can be written in PowerShell or Python. Adversaries or red teams who have obtained privileged access to an Azure tenant may create an Azure Automation Runbook that runs with elevated privileges to maintain persistence in the Azure tenant. A malicious Automation Runbook can be created to create Global Administrators in Azure AD, execute code on VMs, etc. -how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Audit events into your Splunk environment. Specifically, this analytic leverages the Azure Activity log category. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136", "T1136.003"], "nist": ["DE.CM"]} -known_false_positives = Administrators may legitimately create Azure Automation Runbooks. Filter as needed. -providing_technologies = null - -[savedsearch://ESCU - Azure Runbook Webhook Created - Rule] -type = detection -asset_type = Azure Tenant -confidence = medium -explanation = The following analytic identifies the creation of a new Automation Runbook Webhook within an Azure tenant. Azure Automation is a cloud-based automation platform that allows administrators to automate Azure management tasks and orchestrate actions across external systems within Azure. Azure Automation script files called Runbooks that can be written in PowerShell or Python. One of the ways administrators can configure a Runbook to be executed is through HTTP Webhooks. Webhooks leverage custom unauthenticated URLs that are exposed to the Internet. An adversary who has obtained privileged access to an Azure tenant may create a Webhook to trigger the execution of an Automation Runbook with malicious code that can create users or execute code on a VM. This provides a persistent foothold on the environment. -how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Audit events into your Splunk environment. Specifically, this analytic leverages the Azure Activity log category. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078", "T1078.004"], "nist": ["DE.CM"]} -known_false_positives = Administrators may legitimately create Azure Runbook Webhooks. Filter as needed. -providing_technologies = null - -[savedsearch://ESCU - Circle CI Disable Security Job - Rule] -type = detection -asset_type = CircleCI -confidence = medium -explanation = This analytic searches for a specific behavior in CircleCI pipelines such as the disabling of security jobs. The detection is made by using a Splunk query that renames certain fields and retrieves values for specified job names, workflow IDs and names, user information, commit messages, URLs, and branches. Then, the query identifies mandatory jobs for each workflow and searches for instances where they were run. The search also identifies the phase of the pipeline as "build" and extracts the repository name from the URL using regular expressions. The detection is important because it detects attempts to bypass security measures in CircleCI pipelines, which can potentially lead to malicious code being introduced into the pipeline, data breaches, system downtime, and reputational damage. False positives might occur since legitimate use cases can require the disabling of security jobs. However, you can proactively monitor and identify any suspicious activity in the pipeline using this analytic and mitigate potential threats through early detection. -how_to_implement = You must index CircleCI logs. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1554"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = null - -[savedsearch://ESCU - Circle CI Disable Security Step - Rule] -type = detection -asset_type = CircleCI -confidence = medium -explanation = The following analytic detects the disablement of security steps in a CircleCI pipeline. Addressing instances of security step disablement in CircleCI pipelines can mitigate the risks associated with potential security vulnerabilities and unauthorized changes. A proactive approach helps protect the organization's infrastructure, data, and overall security posture. The detection is made by a Splunk query that searches for specific criteria within CircleCI logs through a combination of field renaming, joining, and statistical analysis to identify instances where security steps are disabled. It retrieves information such as job IDs, job names, commit details, and user information from the CircleCI logs. The detection is important because it indicates potential security vulnerabilities or unauthorized changes to the pipeline caused by someone within the organization intentionally or unintentionally disabling security steps in the CircleCI pipeline.Disabling security steps can leave the pipeline and the associated infrastructure exposed to potential attacks, data breaches, or the introduction of malicious code into the pipeline. Investigate by reviewing the job name, commit details, and user information associated with the disablement of security steps. You must also examine any relevant on-disk artifacts and identify concurrent processes that might indicate the source of the attack or unauthorized change. -how_to_implement = You must index CircleCI logs. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1554"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = null - -[savedsearch://ESCU - Cloud API Calls From Previously Unseen User Roles - Rule] -type = detection -asset_type = AWS Instance -confidence = medium -explanation = The following analytic detects when a new command is run by a user, who typically does not run those commands. The detection is made by a Splunk query to search for these commands in the Change data model. Identifies commands run by users with the user_type of AssumedRole and a status of success. The query retrieves the earliest and latest timestamps of each command run and groups the results by the user and command. Then, it drops the unnecessary data model object name and creates a lookup to verify if the command was seen before. The lookup table contains information about previously seen cloud API calls for each user role, including the first time the command was seen and whether enough data is available for analysis. If the firstTimeSeenUserApiCall field is null or greater than the relative time of 24 hours ago, it indicates that the command is new and was not seen before. The final result table includes the firstTime, user, object, and command fields of the new commands. It also applies the security_content_ctime function to format the timestamps and applies a filter to remove any cloud API calls from previously unseen user roles. The detection is important because it helps to identify new commands run by different user roles. New commands can indicate potential malicious activity or unauthorized actions within the environment. Detecting and investigating these new commands can help identify and mitigate potential security threats earlier, preventing data breaches, unauthorized access, or other damaging outcomes. -how_to_implement = You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud API Calls Per User Role - Initial` to build the initial table of user roles, commands, and times. You must also enable the second baseline search `Previously Seen Cloud API Calls Per User Role - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `cloud_api_calls_from_previously_unseen_user_roles_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_api_calls_from_previously_unseen_user_roles_filter` -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} -known_false_positives = None. -providing_technologies = null - -[savedsearch://ESCU - Cloud Compute Instance Created By Previously Unseen User - Rule] -type = detection -asset_type = Cloud Compute Instance -confidence = medium -explanation = The following analytic identifies the creation of cloud compute instances by users who have not previously created them. It leverages data from the Change data model, focusing on 'create' actions by users, and cross-references with a baseline of known user activities. This activity is significant as it may indicate unauthorized access or misuse of cloud resources by new or compromised accounts. If confirmed malicious, attackers could deploy unauthorized compute instances, leading to potential data exfiltration, increased costs, or further exploitation within the cloud environment. -how_to_implement = You must be ingesting the appropriate cloud-infrastructure logs Run the "Previously Seen Cloud Compute Creations By User" support search to create of baseline of previously seen users. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"]} -known_false_positives = It's possible that a user will start to create compute instances for the first time, for any number of reasons. Verify with the user launching instances that this is the intended behavior. -providing_technologies = null - -[savedsearch://ESCU - Cloud Compute Instance Created In Previously Unused Region - Rule] -type = detection -asset_type = Cloud Compute Instance -confidence = medium -explanation = The following analytic detects the creation of a cloud compute instance in a region that has not been previously used within the last hour. It leverages cloud infrastructure logs and compares the regions of newly created instances against a lookup file of historically used regions. This activity is significant because the creation of instances in new regions can indicate unauthorized or suspicious activity, such as an attacker attempting to evade detection or establish a foothold in a less monitored area. If confirmed malicious, this could lead to unauthorized resource usage, data exfiltration, or further compromise of the cloud environment. -how_to_implement = You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Regions - Initial` to build the initial table of images observed and times. You must also enable the second baseline search `Previously Seen Cloud Regions - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `cloud_compute_instance_created_in_previously_unused_region_filter` macro. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1535"], "nist": ["DE.AE"]} -known_false_positives = It's possible that a user has unknowingly started an instance in a new region. Please verify that this activity is legitimate. -providing_technologies = null - -[savedsearch://ESCU - Cloud Compute Instance Created With Previously Unseen Image - Rule] -type = detection -asset_type = Cloud Compute Instance -confidence = medium -explanation = The following analytic detects potential instances that are created in a cloud computing environment using new or unknown image IDs that have not been seen before. This detection is important because it helps to investigate and take appropriate action to prevent further damage or unauthorized access to the Cloud environment, which can include data breaches, unauthorized access to sensitive information, or the deployment of malicious payloads within the cloud environment. False positives might occur since legitimate instances can also have previously unseen image IDs. Next steps include conducting an extensive triage and investigation to determine the nature of the activity. During triage, review the details of the created instances, including the user responsible for the creation, the image ID used, and any associated metadata. Additionally, consider inspecting any relevant on-disk artifacts and analyzing concurrent processes to identify the source of the attack. -how_to_implement = You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Compute Images - Initial` to build the initial table of images observed and times. You must also enable the second baseline search `Previously Seen Cloud Compute Images - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `cloud_compute_instance_created_with_previously_unseen_image_filter` macro. -annotations = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -known_false_positives = After a new image is created, the first systems created with that image will cause this alert to fire. Verify that the image being used was created by a legitimate user. -providing_technologies = null - -[savedsearch://ESCU - Cloud Compute Instance Created With Previously Unseen Instance Type - Rule] -type = detection -asset_type = Cloud Compute Instance -confidence = medium -explanation = The following analytic detects the creation of EC2 instances with previously unseen instance types. The detection is made by using a Splunk query to identify the EC2 instances. First, the query searches for changes in the EC2 instance creation action and filters for instances with instance types that are not recognized or previously seen. Next, the query uses the Splunk tstats command to gather the necessary information from the Change data model. Then, it filters the instances with unknown instance types and reviews previously seen instance types to determine if they are new or not. The detection is important because it identifies attackers attempting to create instances with unknown or potentially compromised instance types, which can be an attempt to gain unauthorized access to sensitive data, compromise of systems, exfiltrate data, potential disruption of services, or launch other malicious activities within the environment. False positives might occur since there might be legitimate reasons for creating instances with previously unseen instance types. Therefore, you must carefully review and triage all alerts. -how_to_implement = You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Compute Instance Types - Initial` to build the initial table of instance types observed and times. You must also enable the second baseline search `Previously Seen Cloud Compute Instance Types - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `cloud_compute_instance_created_with_previously_unseen_instance_type_filter` macro. -annotations = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -known_false_positives = It is possible that an admin will create a new system using a new instance type that has never been used before. Verify with the creator that they intended to create the system with the new instance type. -providing_technologies = null - -[savedsearch://ESCU - Cloud Instance Modified By Previously Unseen User - Rule] -type = detection -asset_type = AWS Instance -confidence = medium -explanation = The following analytic identifies cloud instances being modified by users who have not previously modified them. It leverages data from the Change data model, focusing on successful modifications of EC2 instances. This activity is significant because it can indicate unauthorized or suspicious changes by potentially compromised or malicious users. If confirmed malicious, this could lead to unauthorized access, configuration changes, or potential disruption of cloud services, posing a significant risk to the organization's cloud infrastructure. -how_to_implement = This search has a dependency on other searches to create and update a baseline of users observed to be associated with this activity. The search "Previously Seen Cloud Instance Modifications By User - Update" should be enabled for this detection to properly work. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"]} -known_false_positives = It's possible that a new user will start to modify EC2 instances when they haven't before for any number of reasons. Verify with the user that is modifying instances that this is the intended behavior. -providing_technologies = null - -[savedsearch://ESCU - Cloud Provisioning Activity From Previously Unseen City - Rule] -type = detection -asset_type = AWS Instance -confidence = medium -explanation = The following analytic detects cloud provisioning activities originating from previously unseen cities. It leverages cloud infrastructure logs and compares the geographic location of the source IP address against a baseline of known locations. This activity is significant as it may indicate unauthorized access or misuse of cloud resources from an unexpected location. If confirmed malicious, this could lead to unauthorized resource creation, potential data exfiltration, or further compromise of cloud infrastructure. -how_to_implement = You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Provisioning Activity Sources - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen Cloud Provisioning Activity Sources - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `previously_unseen_cloud_provisioning_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_provisioning_activity_from_previously_unseen_city_filter` macro. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} -known_false_positives = This is a strictly behavioral search, so we define "false positive" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no "false positives" in a traditional sense, there is definitely lots of noise. \ -This search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you. -providing_technologies = null - -[savedsearch://ESCU - Cloud Provisioning Activity From Previously Unseen Country - Rule] -type = detection -asset_type = AWS Instance -confidence = medium -explanation = The following analytic detects cloud provisioning activities originating from previously unseen countries. It leverages cloud infrastructure logs and compares the geographic location of the source IP address against a baseline of known locations. This activity is significant as it may indicate unauthorized access or potential compromise of cloud resources. If confirmed malicious, an attacker could gain control over cloud assets, leading to data breaches, service disruptions, or further infiltration into the network. -how_to_implement = You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Provisioning Activity Sources - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen Cloud Provisioning Activity Sources - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `previously_unseen_cloud_provisioning_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_provisioning_activity_from_previously_unseen_country_filter` macro. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} -known_false_positives = This is a strictly behavioral search, so we define "false positive" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no "false positives" in a traditional sense, there is definitely lots of noise. \ -This search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you. -providing_technologies = null - -[savedsearch://ESCU - Cloud Provisioning Activity From Previously Unseen IP Address - Rule] -type = detection -asset_type = AWS Instance -confidence = medium -explanation = The following analytic detects cloud provisioning activities originating from previously unseen IP addresses. It leverages cloud infrastructure logs to identify events where resources are created or started, and cross-references these with a baseline of known IP addresses. This activity is significant as it may indicate unauthorized access or potential misuse of cloud resources. If confirmed malicious, an attacker could gain unauthorized control over cloud resources, leading to data breaches, service disruptions, or increased operational costs. -how_to_implement = You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Provisioning Activity Sources - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen Cloud Provisioning Activity Sources - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `previously_unseen_cloud_provisioning_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_provisioning_activity_from_previously_unseen_ip_address_filter` macro. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} -known_false_positives = This is a strictly behavioral search, so we define "false positive" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no "false positives" in a traditional sense, there is definitely lots of noise. \ -This search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you. -providing_technologies = null - -[savedsearch://ESCU - Cloud Provisioning Activity From Previously Unseen Region - Rule] -type = detection -asset_type = AWS Instance -confidence = medium -explanation = The following analytic detects cloud provisioning activities originating from previously unseen regions. It leverages cloud infrastructure logs to identify events where resources are started or created, and cross-references these with a baseline of known regions. This activity is significant as it may indicate unauthorized access or misuse of cloud resources from unfamiliar locations. If confirmed malicious, this could lead to unauthorized resource creation, potential data exfiltration, or further compromise of cloud infrastructure. -how_to_implement = You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Provisioning Activity Sources - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen Cloud Provisioning Activity Sources - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `previously_unseen_cloud_provisioning_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_provisioning_activity_from_previously_unseen_region_filter` macro. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} -known_false_positives = This is a strictly behavioral search, so we define "false positive" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no "false positives" in a traditional sense, there is definitely lots of noise. \ -This search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you. -providing_technologies = null - -[savedsearch://ESCU - Cloud Security Groups Modifications by User - Rule] -type = detection -asset_type = Cloud Instance -confidence = medium -explanation = The following analytic identifies users who are unsually modifying security group in your cloud enriovnment,focusing on actions such as modifications, deletions, or creations performed by users over 30-minute intervals. Analyzing patterns of modifications to security groups can help in identifying anomalous behavior that may indicate a compromised account or an insider threat. \ -The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of users. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises. \ -This detection will only trigger on all user and service accounts that have created/modified/deleted a security group . \ -The analytics returned fields allow analysts to investigate the event further by providing fields like source ip and values of the security objects affected. -how_to_implement = This search requries the Cloud infrastructure logs such as AWS Cloudtrail, GCP Pubsub Message logs, Azure Audit logs to be ingested into an accelerated Change datamodel. It is also recommended that users can try different combinations of the `bucket` span time and outlier conditions to better suit with their environment. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1578.005"], "nist": ["DE.AE"]} -known_false_positives = It is possible that legitimate user/admin may modify a number of security groups -providing_technologies = null - -[savedsearch://ESCU - Detect AWS Console Login by New User - Rule] -type = detection -asset_type = AWS Instance -confidence = medium -explanation = This search looks for AWS CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert is fired if the user has logged into the console for the first time within the last hour -how_to_implement = You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the `Previously Seen Users in CloudTrail - Initial` support search only once to create a baseline of previously seen IAM users within the last 30 days. Run `Previously Seen Users in CloudTrail - Update` hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1552"], "nist": ["DE.AE"]} -known_false_positives = When a legitimate new user logins for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate. -providing_technologies = null - -[savedsearch://ESCU - Detect AWS Console Login by User from New City - Rule] -type = detection -asset_type = AWS Instance -confidence = medium -explanation = This search looks for AWS CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert is fired if the user has logged into the console for the first time within the last hour -how_to_implement = You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the `Previously Seen Users in AWS CloudTrail - Initial` support search only once to create a baseline of previously seen IAM users within the last 30 days. Run `Previously Seen Users in AWS CloudTrail - Update` hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines. You can also provide additional filtering for this search by customizing the `detect_aws_console_login_by_user_from_new_city_filter` macro. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1535"], "nist": ["DE.AE"]} -known_false_positives = When a legitimate new user logins for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate. -providing_technologies = null - -[savedsearch://ESCU - Detect AWS Console Login by User from New Country - Rule] -type = detection -asset_type = AWS Instance -confidence = medium -explanation = This search looks for AWS CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert is fired if the user has logged into the console for the first time within the last hour -how_to_implement = You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the `Previously Seen Users in AWS CloudTrail - Initial` support search only once to create a baseline of previously seen IAM users within the last 30 days. Run `Previously Seen Users in AWS CloudTrail - Update` hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines. You can also provide additional filtering for this search by customizing the `detect_aws_console_login_by_user_from_new_country_filter` macro. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1535"], "nist": ["DE.AE"]} -known_false_positives = When a legitimate new user logins for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate. -providing_technologies = null - -[savedsearch://ESCU - Detect AWS Console Login by User from New Region - Rule] -type = detection -asset_type = AWS Instance -confidence = medium -explanation = This search looks for AWS CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert is fired if the user has logged into the console for the first time within the last hour -how_to_implement = You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the `Previously Seen Users in AWS CloudTrail - Initial` support search only once to create a baseline of previously seen IAM users within the last 30 days. Run `Previously Seen Users in AWS CloudTrail - Update` hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines. You can also provide additional filtering for this search by customizing the `detect_aws_console_login_by_user_from_new_region_filter` macro. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1535"], "nist": ["DE.AE"]} -known_false_positives = When a legitimate new user logins for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate. -providing_technologies = null - -[savedsearch://ESCU - Detect GCP Storage access from a new IP - Rule] -type = detection -asset_type = GCP Storage Bucket -confidence = medium -explanation = The following analytic identifies access to GCP Storage buckets from new or previously unseen remote IP addresses. It leverages GCP Storage bucket-access logs ingested via Cloud Pub/Sub and compares current access events against a lookup table of previously seen IP addresses. This activity is significant as it may indicate unauthorized access or potential reconnaissance by an attacker. If confirmed malicious, this could lead to data exfiltration, unauthorized data manipulation, or further compromise of the GCP environment. -how_to_implement = This search relies on the Splunk Add-on for Google Cloud Platform, setting up a Cloud Pub/Sub input, along with the relevant GCP PubSub topics and logging sink to capture GCP Storage Bucket events (https://cloud.google.com/logging/docs/routing/overview). In order to capture public GCP Storage Bucket access logs, you must also enable storage bucket logging to your PubSub Topic as per https://cloud.google.com/storage/docs/access-logs. These logs are deposited into the nominated Storage Bucket on an hourly basis and typically show up by 15 minutes past the hour. It is recommended to configure any saved searches or correlation searches in Enterprise Security to run on an hourly basis at 30 minutes past the hour (cron definition of 30 * * * *). A lookup table (previously_seen_gcp_storage_access_from_remote_ip.csv) stores the previously seen access requests, and is used by this search to determine any newly seen IP addresses accessing the Storage Buckets. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1530"], "nist": ["DE.AE"]} -known_false_positives = GCP Storage buckets can be accessed from any IP (if the ACLs are open to allow it), as long as it can make a successful connection. This will be a false postive, since the search is looking for a new IP within the past two hours. -providing_technologies = ["Google Cloud Platform", "Google Workspace"] - -[savedsearch://ESCU - Detect New Open GCP Storage Buckets - Rule] -type = detection -asset_type = GCP Storage Bucket -confidence = medium -explanation = The following analytic identifies the creation of new open/public GCP Storage buckets. It leverages GCP PubSub events, specifically monitoring for the `storage.setIamPermissions` method and checks if the `allUsers` member is added. This activity is significant because open storage buckets can expose sensitive data to the public, posing a severe security risk. If confirmed malicious, an attacker could access, modify, or delete data within the bucket, leading to data breaches and potential compliance violations. -how_to_implement = This search relies on the Splunk Add-on for Google Cloud Platform, setting up a Cloud Pub/Sub input, along with the relevant GCP PubSub topics and logging sink to capture GCP Storage Bucket events (https://cloud.google.com/logging/docs/routing/overview). -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1530"], "nist": ["DE.CM"]} -known_false_positives = While this search has no known false positives, it is possible that a GCP admin has legitimately created a public bucket for a specific purpose. That said, GCP strongly advises against granting full control to the "allUsers" group. -providing_technologies = ["Google Cloud Platform", "Google Workspace"] - -[savedsearch://ESCU - Detect New Open S3 buckets - Rule] -type = detection -asset_type = S3 Bucket -confidence = medium -explanation = The following analytic identifies the creation of open/public S3 buckets in AWS. It detects this activity by analyzing AWS CloudTrail events for `PutBucketAcl` actions where the access control list (ACL) grants permissions to all users or authenticated users. This activity is significant because open S3 buckets can expose sensitive data to unauthorized access, leading to data breaches. If confirmed malicious, an attacker could read, write, or fully control the contents of the bucket, potentially leading to data exfiltration or tampering. -how_to_implement = You must install the AWS App for Splunk. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1530"], "nist": ["DE.CM"]} -known_false_positives = While this search has no known false positives, it is possible that an AWS admin has legitimately created a public bucket for a specific purpose. That said, AWS strongly advises against granting full control to the "All Users" group. -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - Detect New Open S3 Buckets over AWS CLI - Rule] -type = detection -asset_type = S3 Bucket -confidence = medium -explanation = The following analytic detects the creation of open/public S3 buckets via the AWS CLI. It leverages AWS CloudTrail logs to identify events where a user has set bucket permissions to allow access to "AuthenticatedUsers" or "AllUsers." This activity is significant because open S3 buckets can expose sensitive data to unauthorized users, leading to data breaches. If confirmed malicious, an attacker could gain unauthorized access to potentially sensitive information stored in the S3 bucket, posing a significant security risk. -how_to_implement = The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS Cloudtrail logs. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1530"], "nist": ["DE.CM"]} -known_false_positives = While this search has no known false positives, it is possible that an AWS admin has legitimately created a public bucket for a specific purpose. That said, AWS strongly advises against granting full control to the "All Users" group. -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - Detect S3 access from a new IP - Rule] -type = detection -asset_type = S3 Bucket -confidence = medium -explanation = The following analytic identifies access to an S3 bucket from a new or previously unseen remote IP address. It leverages S3 bucket-access logs, specifically focusing on successful access events (http_status=200). This activity is significant because access from unfamiliar IP addresses could indicate unauthorized access or potential data exfiltration attempts. If confirmed malicious, this activity could lead to unauthorized data access, data theft, or further exploitation of the compromised S3 bucket, posing a significant risk to sensitive information stored within the bucket. -how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your S3 access logs' inputs. This search works best when you run the "Previously Seen S3 Bucket Access by Remote IP" support search once to create a history of previously seen remote IPs and bucket names. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1530"], "nist": ["DE.AE"]} -known_false_positives = S3 buckets can be accessed from any IP, as long as it can make a successful connection. This will be a false postive, since the search is looking for a new IP within the past hour -providing_technologies = null - -[savedsearch://ESCU - Detect Spike in AWS Security Hub Alerts for EC2 Instance - Rule] -type = detection -asset_type = AWS Instance -confidence = medium -explanation = The following analytic identifies a spike in the number of AWS Security Hub alerts for an EC2 instance within a 4-hour interval. It leverages AWS Security Hub findings data, calculating the average and standard deviation of alerts to detect anomalies. This activity is significant for a SOC as a sudden increase in alerts may indicate potential security incidents or misconfigurations requiring immediate attention. If confirmed malicious, this could signify an ongoing attack, leading to unauthorized access, data exfiltration, or disruption of services on the affected EC2 instance. -how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your Security Hub inputs. The threshold_value should be tuned to your environment and schedule these searches according to the bucket span interval. -annotations = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -known_false_positives = None -providing_technologies = null - -[savedsearch://ESCU - Detect Spike in AWS Security Hub Alerts for User - Rule] -type = detection -asset_type = AWS Instance -confidence = medium -explanation = The following analytic identifies a spike in the number of AWS Security Hub alerts for an AWS IAM User within a 4-hour interval. It leverages AWS Security Hub findings data, calculating the average and standard deviation of alerts to detect significant deviations. This activity is significant as a sudden increase in alerts for a specific user may indicate suspicious behavior or a potential security incident. If confirmed malicious, this could signify an ongoing attack, unauthorized access, or misuse of IAM credentials, potentially leading to data breaches or further exploitation. -how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your Security Hub inputs. The threshold_value should be tuned to your environment and schedule these searches according to the bucket span interval. -annotations = {"cis20": ["CIS 13"], "nist": ["DE.AE"]} -known_false_positives = None -providing_technologies = null - -[savedsearch://ESCU - Detect Spike in blocked Outbound Traffic from your AWS - Rule] -type = detection -asset_type = AWS Instance -confidence = medium -explanation = The following analytic identifies spikes in blocked outbound network connections originating from within your AWS environment. It leverages VPC Flow Logs data from CloudWatch, focusing on blocked actions from internal IP ranges to external destinations. This detection is significant as it can indicate potential exfiltration attempts or misconfigurations leading to data leakage. If confirmed malicious, such activity could allow attackers to bypass network defenses, leading to unauthorized data transfer or communication with malicious external entities. -how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your VPC Flow logs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the number of data points required to meet the definition of "spike." The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike. This search works best when you run the "Baseline of Blocked Outbound Connection" support search once to create a history of previously seen blocked outbound connections. -annotations = {"cis20": ["CIS 13"], "nist": ["DE.AE"]} -known_false_positives = The false-positive rate may vary based on the values of`dataPointThreshold` and `deviationThreshold`. Additionally, false positives may result when AWS administrators roll out policies enforcing network blocks, causing sudden increases in the number of blocked outbound connections. -providing_technologies = null - -[savedsearch://ESCU - Detect Spike in S3 Bucket deletion - Rule] -type = detection -asset_type = S3 Bucket -confidence = medium -explanation = The following analytic identifies a spike in API activity related to the deletion of S3 buckets in your AWS environment. It leverages AWS CloudTrail logs to detect anomalies by comparing current deletion activity against a historical baseline. This activity is significant as unusual spikes in S3 bucket deletions could indicate malicious actions such as data exfiltration or unauthorized data destruction. If confirmed malicious, this could lead to significant data loss, disruption of services, and potential exposure of sensitive information. Immediate investigation is required to determine the legitimacy of the activity. -how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points required to have a statistically significant amount of data to determine. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike. This search works best when you run the "Baseline of S3 Bucket deletion activity by ARN" support search once to create a baseline of previously seen S3 bucket-deletion activity. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1530"], "nist": ["DE.AE"]} -known_false_positives = Based on the values of`dataPointThreshold` and `deviationThreshold`, the false positive rate may vary. Please modify this according the your environment. -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - GCP Authentication Failed During MFA Challenge - Rule] -type = detection -asset_type = Google Cloud Platform tenant -confidence = medium -explanation = The following analytic identifies an authentication attempt event against a Google Cloud Platform tenant that fails during the Multi Factor Authentication challenge. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled. -how_to_implement = You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. Specifically, this analytic leverages the User log events. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004", "T1621"], "nist": ["DE.CM"]} -known_false_positives = Legitimate users may miss to reply the MFA challenge within the time window or deny it by mistake. -providing_technologies = ["Google Cloud Platform", "Google Workspace"] - -[savedsearch://ESCU - GCP Detect gcploit framework - Rule] -type = detection -asset_type = GCP Account -confidence = medium -explanation = The following analytic identifies the use of the GCPloit exploitation framework within Google Cloud Platform (GCP). It detects specific GCP Pub/Sub messages with a function timeout of 539 seconds, which is indicative of GCPloit activity. This detection is significant as GCPloit can be used to escalate privileges and facilitate lateral movement from compromised high-privilege accounts. If confirmed malicious, this activity could allow attackers to gain unauthorized access, escalate their privileges, and move laterally within the GCP environment, potentially compromising sensitive data and critical resources. -how_to_implement = You must install splunk GCP add-on. This search works with gcp:pubsub:message logs -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.CM"]} -known_false_positives = Payload.request.function.timeout value can possibly be match with other functions or requests however the source user and target request account may indicate an attempt to move laterally accross acounts or projects -providing_technologies = ["Google Cloud Platform", "Google Workspace"] - -[savedsearch://ESCU - GCP Kubernetes cluster pod scan detection - Rule] -type = detection -asset_type = GCP Kubernetes cluster -confidence = medium -explanation = The following analytic identifies unauthenticated requests to Kubernetes cluster pods. It detects this activity by analyzing GCP Pub/Sub messages for audit logs where the response status code is 401, indicating unauthorized access attempts. This activity is significant for a SOC because it may indicate reconnaissance or scanning attempts by an attacker trying to identify vulnerable pods. If confirmed malicious, this activity could lead to unauthorized access, allowing the attacker to exploit vulnerabilities within the cluster, potentially compromising sensitive data or gaining control over the Kubernetes environment. -how_to_implement = You must install the GCP App for Splunk (version 2.0.0 or later), then configure stackdriver and set a Pub/Sub subscription to be imported to Splunk. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.AE"]} -known_false_positives = Not all unauthenticated requests are malicious, but frequency, User Agent, source IPs and pods will provide context. -providing_technologies = ["Google Cloud Platform", "Google Workspace"] - -[savedsearch://ESCU - GCP Multi-Factor Authentication Disabled - Rule] -type = detection -asset_type = GCP -confidence = medium -explanation = The following analytic identifies an attempt to disable multi-factor authentication for a GCP user. An adversary who has obtained access to an GCP tenant may disable multi-factor authentication as a way to plant a backdoor and maintain persistence using a valid account. This way the attackers can keep persistance in the environment without adding new users. -how_to_implement = You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. Specifically, this analytic leverages the Admin log events. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1556", "T1556.006"], "nist": ["DE.CM"]} -known_false_positives = Legitimate use case may require for users to disable MFA. Filter as needed. -providing_technologies = ["Google Cloud Platform", "Google Workspace"] - -[savedsearch://ESCU - GCP Multiple Failed MFA Requests For User - Rule] -type = detection -asset_type = Google Cloud Platform tenant -confidence = medium -explanation = The following analytic identifies multiple failed multi-factor authentication requests for a single user within a Google Cloud Platform tenant. Specifically, the analytic triggers when 10 or more MFA user prompts fail within 5 minutes. Google CLoud tenants can be very different depending on the organization, Security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls as reported by Mandiant and others. -how_to_implement = You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. We would also recommend tuning the detection by adjusting the window `span` and `mfa_prompts` threshold values according to your environment. Specifically, this analytic leverages the User log events. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1621", "T1078", "T1078.004"], "nist": ["DE.CM"]} -known_false_positives = Multiple Failed MFA requests may also be a sign of authentication or application issues. Filter as needed. -providing_technologies = ["Google Cloud Platform", "Google Workspace"] - -[savedsearch://ESCU - GCP Multiple Users Failing To Authenticate From Ip - Rule] -type = detection -asset_type = Google Cloud Platform tenant -confidence = medium -explanation = The following analytic identifies one source Ip failing to authenticate into the Google Workspace user accounts with more than 20 unique valid users within 5 minutes. These user accounts may have other privileges with respect to access to other sensitive resources in the Google Cloud Platform. This behavior could represent an adversary performing a Password Spraying attack against an Google Workspace environment to obtain initial access or elevate privileges. -how_to_implement = You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. We would also recommend tuning the detection by adjusting the window `span` and `unique_accounts` threshold values according to your environment. Specifically, this analytic leverages the User log events. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]} -known_false_positives = No known false postives for this detection. Please review this alert. -providing_technologies = ["Google Cloud Platform", "Google Workspace"] - -[savedsearch://ESCU - GCP Successful Single-Factor Authentication - Rule] -type = detection -asset_type = Google Cloud Platform tenant -confidence = medium -explanation = The following analytic identifies a successful authentication event against Google Cloud Platform for an account without Multi-Factor Authentication enabled. This could be evidence of a missconfiguration, a policy violation or an account take over attempt that should be investigated -how_to_implement = You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. Specifically, this analytic leverages the User log events. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004"], "nist": ["DE.CM"]} -known_false_positives = Although not recommended, certain users may be required without multi-factor authentication. Filter as needed -providing_technologies = ["Google Cloud Platform", "Google Workspace"] - -[savedsearch://ESCU - GCP Unusual Number of Failed Authentications From Ip - Rule] -type = detection -asset_type = Google Cloud Platform tenant -confidence = medium -explanation = The following analytic identifies one source IP failing to authenticate into the Google Workspace with multiple valid users. This behavior could represent an adversary performing a Password Spraying attack against a Google Workspace enviroment to obtain initial access or elevate privileges. The detection calculates the standard deviation for source IP and leverages the 3-sigma statistical rule to identify an unusual number of failed authentication attempts. To customize this analytic, users can try different combinations of the bucket span time and the calculation of the upperBound field. This logic can be used for real time security monitoring as well as threat hunting exercises. While looking for anomalies using statistical methods like the standard deviation can have benefits, we also recommend using threshold-based detections to complement coverage. A similar analytic following the threshold model is `GCP Multiple Users Failing To Authenticate From Ip` -how_to_implement = You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. We would also recommend tuning the detection by adjusting the window `span` and `unique_accounts` threshold values according to your environment. Specifically, this analytic leverages the User log events. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]} -known_false_positives = No known false positives for this detection. Please review this alert -providing_technologies = ["Google Cloud Platform", "Google Workspace"] - -[savedsearch://ESCU - Gdrive suspicious file sharing - Rule] -type = detection -asset_type = GDrive -confidence = medium -explanation = The following analytic identifies suspicious file-sharing activity on Google Drive, where internal users share documents with more than 50 external recipients. It leverages GSuite Drive logs, focusing on changes in user access and filtering for emails outside the organization's domain. This activity is significant as it may indicate compromised accounts or intentional data exfiltration. If confirmed malicious, this behavior could lead to unauthorized access to sensitive information, data leaks, and potential compliance violations. -how_to_implement = Need to implement Gsuite logging targeting Google suite drive activity. In order for the search to work for your environment please update `yourdomain.com` value in the query with the domain relavant for your organization. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566"], "nist": ["DE.AE"]} -known_false_positives = This is an anomaly search, you must specify your domain in the parameters so it either filters outside domains or focus on internal domains. This search may also help investigate compromise of accounts. By looking at for example source ip addresses, document titles and abnormal number of shares and shared target users. -providing_technologies = ["Google Cloud Platform", "Google Workspace"] - -[savedsearch://ESCU - GitHub Actions Disable Security Workflow - Rule] -type = detection -asset_type = GitHub -confidence = medium -explanation = The following analytic detects the disabling of a security workflow in GitHub Actions. It leverages GitHub logs to identify when a workflow, excluding those named *security-testing*, is disabled following a push or pull request event. This activity is significant as it may indicate an attempt by an attacker to conceal malicious code by disabling security checks. If confirmed malicious, this could allow the attacker to introduce and persist undetected malicious code within the repository, potentially compromising the integrity and security of the codebase. -how_to_implement = You must index GitHub logs. You can follow the url in reference to onboard GitHub logs. Sometimes GitHub logs are truncated, make sure to disable it in props.conf. Replace *security-testing* with the name of your security testing workflow in GitHub Actions. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1195.002", "T1195"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = null - -[savedsearch://ESCU - Github Commit Changes In Master - Rule] -type = detection -asset_type = GitHub -confidence = medium -explanation = This search is to detect a pushed or commit to master or main branch. This is to avoid unwanted modification to master without a review to the changes. Ideally in terms of devsecops the changes made in a branch and do a PR for review. of course in some cases admin of the project may did a changes directly to master branch -how_to_implement = To successfully implement this search, you need to be ingesting logs related to github logs having the fork, commit, push metadata that can be use to monitor the changes in a github project. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1199"], "nist": ["DE.AE"]} -known_false_positives = Admin can do changes directly to master branch -providing_technologies = null - -[savedsearch://ESCU - Github Commit In Develop - Rule] -type = detection -asset_type = GitHub -confidence = medium -explanation = This search is to detect a pushed or commit to develop branch. This is to avoid unwanted modification to develop without a review to the changes. Ideally in terms of devsecops the changes made in a branch and do a PR for review. of course in some cases admin of the project may did a changes directly to master branch -how_to_implement = To successfully implement this search, you need to be ingesting logs related to github logs having the fork, commit, push metadata that can be use to monitor the changes in a github project. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1199"], "nist": ["DE.AE"]} -known_false_positives = admin can do changes directly to develop branch -providing_technologies = null - -[savedsearch://ESCU - GitHub Dependabot Alert - Rule] -type = detection -asset_type = GitHub -confidence = medium -explanation = The following analytic is made by first searching for logs that contain the action "create" and renames certain fields for easier analysis. Then, this analytic uses the "stats" command to calculate the first and last occurrence of the alert based on the timestamp. The fields included in the output are the action, affected package name, affected range, created date, external identifier, external reference, fixed version, severity, repository, repository URL, and user. The "phase" field is set to "code" to indicate that the alert pertains to code-related issues. The detection is important because dependabot Alerts can indicate vulnerabilities in the codebase that can be exploited by attackers. Detecting and investigating these alerts can help a SOC to proactively address security risks and prevent potential breaches or unauthorized access to sensitive information. False positives might occur since there are legitimate actions that trigger the "create" action or if other factors exist that can generate similar log entries. Next steps include reviewing the details of the alert, such as the affected package, severity, and fixed version to determine the appropriate response and mitigation steps. -how_to_implement = You must index GitHub logs. You can follow the url in reference to onboard GitHub logs. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1195.001", "T1195"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = null - -[savedsearch://ESCU - GitHub Pull Request from Unknown User - Rule] -type = detection -asset_type = GitHub -confidence = medium -explanation = The following analytic detects pull requests from unknown users on GitHub. The detection is made by using a Splunk query to search for pull requests in the `check_suite.pull_requests` field where the `id` is not specified. Next, the analytic retrieves information such as the author's name, the repository's full name, the head reference of the pull request, and the commit message from the `check_suite.head_commit` field. The analytic also includes a step to exclude known users by using the `github_known_users` lookup table, which helps to filter out pull requests from known users and focus on the pull requests from unknown users. The detection is important because it locates potential malicious activity or unauthorized access since unknown users can introduce malicious code or gain unauthorized access to repositories leading to unauthorized code changes, data breaches, or other security incidents. Next steps include reviewing the author's name, the repository involved, the head reference of the pull request, and the commit message upon triage of a potential pull request from an unknown user. You must also analyze any relevant on-disk artifacts and investigate any concurrent processes to determine the source and intent of the pull request." -how_to_implement = You must index GitHub logs. You can follow the url in reference to onboard GitHub logs. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1195.001", "T1195"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = null - -[savedsearch://ESCU - Gsuite Drive Share In External Email - Rule] -type = detection -asset_type = GSuite -confidence = medium -explanation = This search is to detect suspicious google drive or google docs files shared outside or externally. This behavior might be a good hunting query to monitor exfitration of data made by an attacker or insider to a targetted machine. -how_to_implement = To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc. In order for the search to work for your environment, please edit the query to use your company specific email domain instead of `internal_test_email.com`. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1567.002", "T1567"], "nist": ["DE.AE"]} -known_false_positives = network admin or normal user may share files to customer and external team. -providing_technologies = ["Google Cloud Platform", "Google Workspace"] - -[savedsearch://ESCU - GSuite Email Suspicious Attachment - Rule] -type = detection -asset_type = GSuite -confidence = medium -explanation = This search is to detect a suspicious attachment file extension in Gsuite email that may related to spear phishing attack. This file type is commonly used by malware to lure user to click on it to execute malicious code to compromised targetted machine. But this search can also catch some normal files related to this file type that maybe send by employee or network admin. -how_to_implement = To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"]} -known_false_positives = network admin and normal user may send this file attachment as part of their day to day work. having a good protocol in attaching this file type to an e-mail may reduce the risk of having a spear phishing attack. -providing_technologies = ["Google Cloud Platform", "Google Workspace"] - -[savedsearch://ESCU - Gsuite Email Suspicious Subject With Attachment - Rule] -type = detection -asset_type = GSuite -confidence = medium -explanation = This search is to detect a gsuite email contains suspicious subject having known file type used in spear phishing. This technique is a common and effective entry vector of attacker to compromise a network by luring the user to click or execute the suspicious attachment send from external email account because of the effective social engineering of subject related to delivery, bank and so on. On the other hand this detection may catch a normal email traffic related to legitimate transaction so better to check the email sender, spelling and etc. avoid click link or opening the attachment if you are not expecting this type of e-mail. -how_to_implement = To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"]} -known_false_positives = normal user or normal transaction may contain the subject and file type attachment that this detection try to search. -providing_technologies = ["Google Cloud Platform", "Google Workspace"] - -[savedsearch://ESCU - Gsuite Email With Known Abuse Web Service Link - Rule] -type = detection -asset_type = GSuite -confidence = medium -explanation = This analytics is to detect a gmail containing a link that are known to be abused by malware or attacker like pastebin, telegram and discord to deliver malicious payload. This event can encounter some normal email traffic within organization and external email that normally using this application and services. -how_to_implement = To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"]} -known_false_positives = normal email contains this link that are known application within the organization or network can be catched by this detection. -providing_technologies = ["Google Cloud Platform", "Google Workspace"] - -[savedsearch://ESCU - Gsuite Outbound Email With Attachment To External Domain - Rule] -type = detection -asset_type = GSuite -confidence = medium -explanation = This search is to detect a suspicious outbound e-mail from internal email to external email domain. This can be a good hunting query to monitor insider or outbound email traffic for not common domain e-mail. The idea is to parse the domain of destination email check if there is a minimum outbound traffic < 20 with attachment. -how_to_implement = To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048.003", "T1048"], "nist": ["DE.AE"]} -known_false_positives = network admin and normal user may send this file attachment as part of their day to day work. having a good protocol in attaching this file type to an e-mail may reduce the risk of having a spear phishing attack. -providing_technologies = ["Google Cloud Platform", "Google Workspace"] - -[savedsearch://ESCU - Gsuite suspicious calendar invite - Rule] -type = detection -asset_type = GSuite -confidence = medium -explanation = The following analytic detects suspicious calendar invites sent via GSuite, potentially indicating compromised accounts or malicious internal activity. It leverages GSuite calendar logs, focusing on events where a high volume of invites (over 100) is sent within a 5-minute window. This behavior is significant as it may involve the distribution of malicious links or attachments, posing a security risk. If confirmed malicious, this activity could lead to widespread phishing attacks, unauthorized access, or malware distribution within the organization. -how_to_implement = In order to successfully implement this search, you need to be ingesting logs related to gsuite (gsuite:calendar:json) having the file sharing metadata like file type, source owner, destination target user, description, etc. This search can also be made more specific by selecting specific emails, subdomains timeframe, organizational units, targeted user, etc. In order for the search to work for your environment please update `yourdomain.com` value in the query with the domain relavant for your organization. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566"], "nist": ["DE.AE"]} -known_false_positives = This search will also produce normal activity statistics. Fields such as email, ip address, name, parameters.organizer_calendar_id, parameters.target_calendar_id and parameters.event_title may give away phishing intent.For more specific results use email parameter. -providing_technologies = ["Google Cloud Platform", "Google Workspace"] - -[savedsearch://ESCU - Gsuite Suspicious Shared File Name - Rule] -type = detection -asset_type = GSuite -confidence = medium -explanation = This search is to detect a shared file in google drive with suspicious file name that are commonly used by spear phishing campaign. This technique is very popular to lure the user by running a malicious document or click a malicious link within the shared file that will redirected to malicious website. This detection can also catch some normal email communication between organization and its external customer. -how_to_implement = To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc. In order for the search to work for your environment, please edit the query to use your company specific email domain instead of `internal_test_email.com`. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"]} -known_false_positives = normal user or normal transaction may contain the subject and file type attachment that this detection try to search -providing_technologies = ["Google Cloud Platform", "Google Workspace"] - -[savedsearch://ESCU - High Number of Login Failures from a single source - Rule] -type = detection -asset_type = O365 Tenant -confidence = medium -explanation = This analytic detects multiple failed login attempts in Office365 Azure Active Directory from a single source IP address. Specifically, it identifies scenarios where there are more than 10 unsuccessful login attempts within a short time frame. The detection leverages Office365 management activity logs, specifically the AzureActiveDirectoryStsLogon records from the AzureActiveDirectory workload. It aggregates these logs in 5-minute intervals to count the number of failed login attempts and associates them with the originating source IP address. Multiple failed login attempts from a single source can be indicative of brute-force attacks, password spraying, or other malicious authentication attempts. Identifying and responding to these patterns promptly can prevent unauthorized access and potential breaches. If this detection represents a true positive, an attacker might be attempting to gain unauthorized access to an Office365 account. Successful compromise could lead to unauthorized access to sensitive data, potential lateral movement within the organization, or further malicious activities using the compromised account. -how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. Adjust the threshold value to suit the specific environment, as environments with naturally higher login failures might generate false positives at a lower threshold. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.001", "T1110"], "nist": ["DE.AE"]} -known_false_positives = An Ip address with more than 10 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application. -providing_technologies = ["Microsoft Office 365"] - -[savedsearch://ESCU - Kubernetes Abuse of Secret by Unusual Location - Rule] -type = detection -asset_type = Kubernetes -confidence = medium -explanation = The following analytic detects unauthorized access or misuse of Kubernetes Secrets from unusual locations. It identifies anomalies in access patterns by segmenting and analyzing the source of requests by country. Kubernetes Secrets, which store sensitive information like passwords, OAuth tokens, and SSH keys, are critical assets, and their misuse can lead to significant security breaches. This behavior is worth identifying for a SOC as it could indicate an attacker attempting to exfiltrate or misuse these secrets. The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data. -how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.007"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Kubernetes"] - -[savedsearch://ESCU - Kubernetes Abuse of Secret by Unusual User Agent - Rule] -type = detection -asset_type = Kubernetes -confidence = medium -explanation = The following analytic detects unauthorized access or misuse of Kubernetes Secrets by unusual user agents. It identifies anomalies in access patterns by segmenting and analyzing the source of requests by user agent. Kubernetes Secrets, which store sensitive information like passwords, OAuth tokens, and SSH keys, are critical assets, and their misuse can lead to significant security breaches. This behavior is worth identifying for a SOC as it could indicate an attacker attempting to exfiltrate or misuse these secrets. The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data. -how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.007"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Kubernetes"] - -[savedsearch://ESCU - Kubernetes Abuse of Secret by Unusual User Group - Rule] -type = detection -asset_type = Kubernetes -confidence = medium -explanation = The following analytic detects unauthorized access or misuse of Kubernetes Secrets by unusual user groups. It identifies anomalies in access patterns by segmenting and analyzing the source of requests by user group. Kubernetes Secrets, which store sensitive information like passwords, OAuth tokens, and SSH keys, are critical assets, and their misuse can lead to significant security breaches. This behavior is worth identifying for a SOC as it could indicate an attacker attempting to exfiltrate or misuse these secrets. The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data. -how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.007"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Kubernetes"] - -[savedsearch://ESCU - Kubernetes Abuse of Secret by Unusual User Name - Rule] -type = detection -asset_type = Kubernetes -confidence = medium -explanation = The following analytic detects unauthorized access or misuse of Kubernetes Secrets by unusual user names. It identifies anomalies in access patterns by segmenting and analyzing the source of requests by user name. Kubernetes Secrets, which store sensitive information like passwords, OAuth tokens, and SSH keys, are critical assets, and their misuse can lead to significant security breaches. This behavior is worth identifying for a SOC as it could indicate an attacker attempting to exfiltrate or misuse these secrets. The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data. -how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.007"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Kubernetes"] - -[savedsearch://ESCU - Kubernetes Access Scanning - Rule] -type = detection -asset_type = Kubernetes -confidence = medium -explanation = The following analytic detects potential scanning activities within a Kubernetes environment. It identifies unauthorized access attempts, probing of public APIs, or attempts to exploit known vulnerabilities. The analytic detects this behavior by monitoring Kubernetes audit logs for patterns indicative of scanning, such as repeated failed access attempts or unusual API requests. This behavior is worth identifying for a SOC as it could indicate an attackers preliminary step in an attack, aiming to gather information about the system to find potential vulnerabilities. The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data. -how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1046"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Kubernetes"] - -[savedsearch://ESCU - Kubernetes Anomalous Inbound Network Activity from Process - Rule] -type = detection -asset_type = Kubernetes -confidence = medium -explanation = This detection detects inbound network traffic volume anomalies from processes running within containerised workloads. Anomalies are provided with context identifying the Kubernetes cluster, the workload name, and the type of anomaly.This detection leverages Network performance Monitoring metrics harvested using an OTEL collector, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247). This detection compares the tcp.bytes, tcp.new_sockets, tcp.packets, udp.bytes, udp.packets metrics for destination (receiving) workload process pairs over the last 1 hour, with the average of those metrics for those pairs over the last 30 days in order to detect any anonymously high inbound network activity. Anomalies in inbound network traffic may suggest that the container is receiving unexpected or unauthorized data, potentially indicative of a breach, a vulnerability exploitation attempt, an attempt to overload the service, or propagation of malware. Successful compromise of a containerised application resulting in the ability to upload data, can result in installation of command and control software or other malware, data integrity damage, container escape, and further compromise of the environment. Additionally this kind of activity may result in resource contention, performance degradation and disruption to the normal operation of the environment. -how_to_implement = To gather NPM metrics the Open Telemetry to the Kubernetes Cluster and enable Network Performance Monitoring according to instructions found in Splunk Docs https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup In order to access those metrics from within Splunk Enterprise and ES, the Splunk Infrastructure Monitoring add-on must be installed and configured on a Splunk Search Head. Once installed, first configure the add-on with your O11y Cloud Org ID and Access Token. Lastly set up the add-on to ingest metrics from O11y cloud using the following settings, and any other settings left at default: \ -* Name sim_npm_metrics_to_metrics_index \ -* Org ID \ -* Signal Flow Program data('tcp.packets').publish(label='A'); data('tcp.bytes').publish(label='B'); data('tcp.new_sockets').publish(label='C'); data('udp.packets').publish(label='D'); data('udp.bytes').publish(label='E') \ -* Metric Resolution 10000 -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Kubernetes"] - -[savedsearch://ESCU - Kubernetes Anomalous Inbound Outbound Network IO - Rule] -type = detection -asset_type = Kubernetes -confidence = medium -explanation = This analytic identifies high Inbound or Outbound Network IO anomalies in a Kubernetes container. It uses process metrics from an OTEL collector and Kubelet Stats Receiver, and data from Splunk Observability cloud via the Splunk Infrastructure Monitoring Add-on. A lookup table containing average and standard deviation for network IO is used to evaluate anomalies for each container. An event is generated if the anomaly persists over a 1 hour period. These anomalies may indicate security threats such as data exfiltration, command and control communication, service disruptions, or unauthorized data transfers. They can compromise the confidentiality, availability, and integrity of applications and data, necessitating rapid detection and response. Anomalous network utilization may suggest a compromised container, potentially leading to data breaches, service outages, financial losses, and reputational damage. -how_to_implement = To implement this detection, follow these steps: \ -* Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster. \ -* Enable the hostmetrics/process receiver in the OTEL configuration. \ -* Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled. \ -* Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247) \ -* Configure the SIM add-on with your Observability Cloud Organization ID and Access Token. \ -* Set up the SIM modular input to ingest Process Metrics. Name this input "sim_process_metrics_to_metrics_index". \ -* In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID. \ -* Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K') \ -* Set the Metric Resolution to 10000. \ -* Leave all other settings at their default values. \ -* Run the Search Baseline Of Kubernetes Container Network IO Ratio -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Kubernetes"] - -[savedsearch://ESCU - Kubernetes Anomalous Inbound to Outbound Network IO Ratio - Rule] -type = detection -asset_type = Kubernetes -confidence = medium -explanation = This analytic identifies changes in network communication behavior in a Kubernetes container by examining inbound to outbound network IO ratios. It uses process metrics from an OTEL collector and Kubelet Stats Receiver, and data from Splunk Observability cloud via the Splunk Infrastructure Monitoring Add-on. A lookup table containing average and standard deviation for network IO is used to evaluate anomalies for each container. An event is generated if the anomaly persists over a 1 hour period. These anomalies may indicate security threats such as data exfiltration, command and control communication, or compromised container behavior. They can compromise the confidentiality, availability, and integrity of applications and data, necessitating rapid detection and response. Anomalous network utilization may suggest a compromised container, potentially leading to data breaches, service outages, and unauthorized access within the Kubernetes cluster. -how_to_implement = To implement this detection, follow these steps: \ -* Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster. \ -* Enable the hostmetrics/process receiver in the OTEL configuration. \ -* Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled. \ -* Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247) \ -* Configure the SIM add-on with your Observability Cloud Organization ID and Access Token. \ -* Set up the SIM modular input to ingest Process Metrics. Name this input "sim_process_metrics_to_metrics_index". \ -* In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID. \ -* Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K') \ -* Set the Metric Resolution to 10000. \ -* Leave all other settings at their default values. \ -* Run the Search Baseline Of Kubernetes Container Network IO Ratio -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Kubernetes"] - -[savedsearch://ESCU - Kubernetes Anomalous Outbound Network Activity from Process - Rule] -type = detection -asset_type = Kubernetes -confidence = medium -explanation = This detection detects outbound network traffic volume anomalies from processes running within containerised workloads. Anomalies are provided with context identifying the Kubernetes cluster, the workload name, and the type of anomaly. This detection leverages Network performance Monitoring metrics harvested using an OTEL collector, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247). This detection compares the tcp.bytes, tcp.new_sockets, tcp.packets, udp.bytes, udp.packets metrics for source (transmitting) workload process pairs over the last 1 hout, with the average of those metrics for those pairs over the last 30 days in order to detect any anonymously high outbound network activity. Anonymously high outbound network traffic from a process running in a container is a potential indication of data exfiltration, or an indication that the process has been modified. Anomalously high outbound network activity from a process running within a container suggests the potential compromise, which may lead to unauthorized data exfiltration, communication with malicious entities, or the propagation of malware to external systems. The compromised container could also serve as a pivot point for further attacks within the containerized environment. -how_to_implement = To gather NPM metrics the Open Telemetry to the Kubernetes Cluster and enable Network Performance Monitoring according to instructions found in Splunk Docs https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup In order to access those metrics from within Splunk Enterprise and ES, the Splunk Infrastructure Monitoring add-on must be installed and configured on a Splunk Search Head. Once installed, first configure the add-on with your O11y Cloud Org ID and Access Token. Lastly set up the add-on to ingest metrics from O11y cloud using the following settings, and any other settings left at default: \ -* Name sim_npm_metrics_to_metrics_index \ -* Org ID \ -* Signal Flow Program data('tcp.packets').publish(label='A'); data('tcp.bytes').publish(label='B'); data('tcp.new_sockets').publish(label='C'); data('udp.packets').publish(label='D'); data('udp.bytes').publish(label='E') \ -* Metric Resolution 10000 -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Kubernetes"] - -[savedsearch://ESCU - Kubernetes Anomalous Traffic on Network Edge - Rule] -type = detection -asset_type = Kubernetes -confidence = medium -explanation = This detection detects network traffic volume anomalies between workloads in a microservices hosted application, or between a workload and the outside world if the workload is shown as (unknown). This detection leverages Network performance Monitoring metrics harvested using an OTEL collector, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on (https://splunkbase.splunk.com/app/5247). This detection compares the tcp.bytes, tcp.new_sockets, tcp.packets, udp.bytes, udp.packets metrics between workloads over the last 1 hour, with the average of those metrics over the last 30 days in order to detect any anonymously high inbound or outbound network activity. Unexpected spikes in network traffic may signify unauthorized data transfers, or abnormal behavior within the microservices ecosystem. Such activity might signify data exfiltration, unauthorized lateral movement, within the microservices environment. If a bad actor is responsible for this traffic they could compromise additional services or extract sensitive data, potentially leading to data breaches. -how_to_implement = To gather NPM metrics the Open Telemetry to the Kubernetes Cluster and enable Network Performance Monitoring according to instructions found in Splunk Docs https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup In order to access those metrics from within Splunk Enterprise and ES, the Splunk Infrastructure Monitoring add-on must be installed and configured on a Splunk Search Head. Once installed, first configure the add-on with your O11y Cloud Org ID and Access Token. Lastly set up the add-on to ingest metrics from O11y cloud using the following settings, and any other settings left at default: \ -* Name sim_npm_metrics_to_metrics_index \ -* Org ID \ -* Signal Flow Program data('tcp.packets').publish(label='A'); data('tcp.bytes').publish(label='B'); data('tcp.new_sockets').publish(label='C'); data('udp.packets').publish(label='D'); data('udp.bytes').publish(label='E') \ -* Metric Resolution 10000 -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Kubernetes"] - -[savedsearch://ESCU - Kubernetes AWS detect suspicious kubectl calls - Rule] -type = detection -asset_type = Kubernetes -confidence = medium -explanation = The following analytic detects anonymous and unauthenticated requests to a Kubernetes cluster. It identifies this behavior by monitoring for API calls from users who have not provided any token or password in their request. This is a significant behavior to identify for a SOC as it indicates a severe misconfiguration that allows unfettered access to a cluster with no traceability to a user or service. The impact of such an attack could be substantial, potentially granting an attacker access to sensitive data or control over the cluster. This detection rule is crucial for maintaining the security and integrity of your Kubernetes infrastructure. -how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs. -annotations = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -known_false_positives = Kubectl calls are not malicious by nature. However source IP, verb and Object can reveal potential malicious activity, specially anonymous suspicious IPs and sensitive objects such as configmaps or secrets -providing_technologies = ["Kubernetes"] - -[savedsearch://ESCU - Kubernetes Create or Update Privileged Pod - Rule] -type = detection -asset_type = Kubernetes -confidence = medium -explanation = The following analytic detects the creation of privileged pods in Kubernetes. It identifies this behavior by monitoring Kubernetes Audit logs for the creation of pods with root privileges. This behavior is worth identifying for a SOC as it could potentially allow an attacker to escalate privileges, exploit the kernel, and gain full access to the host's namespace and devices. The impact of such an attack could be severe, leading to unauthorized access to sensitive information, data breaches, and service disruptions. -how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Kubernetes"] - -[savedsearch://ESCU - Kubernetes Cron Job Creation - Rule] -type = detection -asset_type = Kubernetes -confidence = medium -explanation = The following analytic detects the creation of a Kubernetes cron job, a task scheduled to run automatically at specified intervals. It identifies this behavior by monitoring Kubernetes Audit logs for creation of a cron job. This behavior is worth identifying for a SOC as it could potentially allow an attacker to execute malicious tasks repeatedly and automatically, posing a significant threat to the integrity and security of the Kubernetes infrastructure. The impact of such an attack could be severe, leading to persistent attacks, service disruptions, or unauthorized access to sensitive information. -how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.007"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Kubernetes"] - -[savedsearch://ESCU - Kubernetes DaemonSet Deployed - Rule] -type = detection -asset_type = Kubernetes -confidence = medium -explanation = The following analytic detects the creation of a DaemonSet in a Kubernetes cluster. A DaemonSet ensures the presence of a specific pod on every node in the cluster, making it an ideal avenue for persistent access. This behavior is identified by monitoring Kubernetes Audit logs for the creation of a DaemonSet. The identified behavior is worth noting for a SOC as it could potentially allow an attacker to maintain persistent access to the Kubernetes infrastructure. The impact of such an attack could be severe, leading to persistent attacks, service disruptions, or unauthorized access to sensitive information. -how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Kubernetes"] - -[savedsearch://ESCU - Kubernetes Falco Shell Spawned - Rule] -type = detection -asset_type = Kubernetes -confidence = medium -explanation = The following analytic detects instances where a shell is spawned within a Kubernetes container, a behavior often indicative of an attacker gaining unauthorized access. Leveraging Falco, a cloud-native runtime security tool, this analytic monitors system calls within the Kubernetes environment, flagging when a shell is spawned in a container. This behavior is worth identifying for a SOC as it could potentially allow an attacker to execute arbitrary commands, manipulate container processes, or escalate privileges, posing a significant threat to the integrity and security of the Kubernetes infrastructure. The impact of such an attack could be severe, leading to data breaches, service disruptions, or unauthorized access to sensitive information. -how_to_implement = The detection is based on data that originates from Falco, a cloud native runtime security tool. Falco is designed to detect anomalous activity in your applications and is a crucial component of this detection rule. To implement this detection rule, you need to install and configure Falco in your Kubernetes environment. Once Falco is set up, it will monitor the system calls in your Kubernetes infrastructure and generate logs for any suspicious activity. These logs are then ingested by Splunk for analysis. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Kubernetes"] - -[savedsearch://ESCU - Kubernetes newly seen TCP edge - Rule] -type = detection -asset_type = Kubernetes -confidence = medium -explanation = This analytic detects TCP communication between a newly seen source and destination workload pair. This is done to identify changes in network behavior between workloads in a kubernetes cluster. This detection leverages Network performance Monitoring metrics harvested using an OTEL collector, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247). This detection compares network activity between workloads over the last 1 hour, with those over the last 30 days in order to detect newly seen inter workload communication. Newly seen network connections in a microservices based app indicate a change in behavior which could indicate potential security threats or anomalies. Distributed applications typically have common established network connection topologies, and new connections are often either an indication of a change in the application or an active threat. Unauthorized connections may enable the attacker to infiltrate the applications ecosystem, potentially leading to data breaches, manipulation of sensitive information, or disruption of critical services. Bad actors may exploit these connections to gain access, escalate privileges, move laterally within the microservices, or introduce malicious code or payloads, putting the applications integrity, availability, and confidentiality at risk. -how_to_implement = To gather NPM metrics the Open Telemetry to the Kubernetes Cluster and enable Network Performance Monitoring according to instructions found in Splunk Docs https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup In order to access those metrics from within Splunk Enterprise and ES, the Splunk Infrastructure Monitoring add-on must be installed and configured on a Splunk Search Head. Once installed, first configure the add-on with your O11y Cloud Org ID and Access Token. Lastly set up the add-on to ingest metrics from O11y cloud using the following settings, and any other settings left at default: \ -* Name sim_npm_metrics_to_metrics_index \ -* Org ID \ -* Signal Flow Program data('tcp.packets').publish(label='A'); data('tcp.bytes').publish(label='B'); data('tcp.new_sockets').publish(label='C'); data('udp.packets').publish(label='D'); data('udp.bytes').publish(label='E') \ -* Metric Resolution 10000 -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Kubernetes"] - -[savedsearch://ESCU - Kubernetes newly seen UDP edge - Rule] -type = detection -asset_type = Kubernetes -confidence = medium -explanation = This analytic detects UDP communication between a newly seen source and destination workload pair. This is done to identify changes in network behavior between workloads in a kubernetes cluster. This detection leverages Network performance Monitoring metrics harvested using an OTEL collector, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247). This detection compares network activity between workloads over the last 1 hour, with those over the last 30 days in order to detect newly seen inter workload communication. Newly seen network connections in a microservices based app indicate a change in behavior which could indicate potential security threats or anomalies. Distributed applications typically have common established network connection topologies, and new connections are often either an indication of a change in the application or an active threat. Unauthorized connections may enable the attacker to infiltrate the applications ecosystem, potentially leading to data breaches, manipulation of sensitive information, or disruption of critical services. Bad actors may exploit these connections to gain access, escalate privileges, move laterally within the microservices, or introduce malicious code or payloads, putting the applications integrity, availability, and confidentiality at risk. -how_to_implement = To gather NPM metrics the Open Telemetry to the Kubernetes Cluster and enable Network Performance Monitoring according to instructions found in Splunk Docs https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup In order to access those metrics from within Splunk Enterprise and ES, the Splunk Infrastructure Monitoring add-on must be installed and configured on a Splunk Search Head. Once installed, first configure the add-on with your O11y Cloud Org ID and Access Token. Lastly set up the add-on to ingest metrics from O11y cloud using the following settings, and any other settings left at default: \ -* Name sim_npm_metrics_to_metrics_index \ -* Org ID \ -* Signal Flow Program data('tcp.packets').publish(label='A'); data('tcp.bytes').publish(label='B'); data('tcp.new_sockets').publish(label='C'); data('udp.packets').publish(label='D'); data('udp.bytes').publish(label='E') \ -* Metric Resolution 10000 -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Kubernetes"] - -[savedsearch://ESCU - Kubernetes Nginx Ingress LFI - Rule] -type = detection -asset_type = Kubernetes -confidence = medium -explanation = The following analytic detects local file inclusion (LFI) attacks targeting Kubernetes Nginx ingress controllers. It leverages Kubernetes logs, parsing fields such as `request` and `status` to identify suspicious patterns indicative of LFI attempts. This activity is significant because LFI attacks can allow attackers to read sensitive files from the server, potentially exposing critical information. If confirmed malicious, this could lead to unauthorized access to sensitive data, further exploitation, and potential compromise of the Kubernetes environment. -how_to_implement = You must ingest Kubernetes logs through Splunk Connect for Kubernetes. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1212"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Kubernetes"] - -[savedsearch://ESCU - Kubernetes Nginx Ingress RFI - Rule] -type = detection -asset_type = Kubernetes -confidence = medium -explanation = The following analytic detects remote file inclusion (RFI) attacks targeting Kubernetes Nginx ingress controllers. It leverages Kubernetes logs from the Nginx ingress controller, parsing fields such as `remote_addr`, `request`, and `url` to identify suspicious activity. This activity is significant because RFI attacks can allow attackers to execute arbitrary code or access sensitive files on the server. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or further compromise of the Kubernetes environment. -how_to_implement = You must ingest Kubernetes logs through Splunk Connect for Kubernetes. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1212"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Kubernetes"] - -[savedsearch://ESCU - Kubernetes Node Port Creation - Rule] -type = detection -asset_type = Kubernetes -confidence = medium -explanation = The following analytic detects the creation of a Kubernetes node port service, an action that exposes a service to the external network. It identifies this behavior by monitoring Kubernetes Audit logs for creation of a Node Port service. This behavior is worth identifying for a SOC as it could potentially allow an attacker to access internal services, posing a significant threat to the integrity and security of the Kubernetes infrastructure. The impact of such an attack could be severe, leading to data breaches, service disruptions, or unauthorized access to sensitive information. -how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Kubernetes"] - -[savedsearch://ESCU - Kubernetes Pod Created in Default Namespace - Rule] -type = detection -asset_type = Kubernetes -confidence = medium -explanation = The following analytic detects the creation of pods in the default, kube-system, or kube-public namespaces. It identifies this behavior by monitoring Kubernetes audit logs for pod creation events in these namespaces. This behavior is worth identifying for a SOC as it may indicate an attacker attempting to hide their presence or evade defenses. Only administrators should typically create pods in the kube-system namespace, and the default and kube-public namespaces should not be used in production. The impact of the attack could be significant, as it may indicate a successful cluster breach and ongoing malicious activity. -how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Kubernetes"] - -[savedsearch://ESCU - Kubernetes Pod With Host Network Attachment - Rule] -type = detection -asset_type = Kubernetes -confidence = medium -explanation = The following analytic detects the creation of a pod with host network attachment in Kubernetes. It identifies this behavior by monitoring Kubernetes Audit logs for the creation or update of pods with host network configuration. This behavior is worth identifying for a SOC as it could potentially allow an attacker to listen to all network traffic on the node and other compute on the network namespace, capturing secrets passed in arguments or connections to escalate their privileges. The impact of such an attack could be severe, leading to unauthorized access to sensitive information, data breaches, and service disruptions. -how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Kubernetes"] - -[savedsearch://ESCU - Kubernetes Previously Unseen Container Image Name - Rule] -type = detection -asset_type = Kubernetes -confidence = medium -explanation = The following analytic identifies containerised workloads that have been created using a previously unseen image. This detection leverages process metrics harvested using an OTEL collector and kubernetes cluster receiver, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247). This detection uses the k8s.container.ready metric to compare the container image names seen in the last 1 hour with those seen in the 30 days prior to those 1 hour, and alerts if a new container image is detected. When a container in a Kubernetes cluster created using a previously unseen image it raises potential security risks and unknown variables. Unfamiliar container images could contain vulnerabilities, malware, or misconfigurations that pose threats to the cluster's integrity and the applications it hosts. The absence of prior knowledge about the image makes it difficult to assess its trustworthiness, track its lineage, or verify its compliance with security policies. The potential security impact of a container created using a compromised image is significant. Compromised containers can potentially introduce malware, backdoors, or other malicious code into the containerized application, leading to data breaches, service disruptions, and unauthorized access within the Kubernetes cluster. A compromised image can serve as a foothold for lateral movement and privilege escalation, potentially compromising other containers, pods, or nodes in the cluster. Additionally, it may enable the actor to exfiltrate sensitive data, manipulate configurations, or execute arbitrary code, posing risks to the confidentiality, availability, and integrity of applications and data hosted within the cluster -how_to_implement = To implement this detection, follow these steps: \ -* Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster. \ -* Enable the hostmetrics/process receiver in the OTEL configuration. \ -* Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled. \ -* Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247) \ -* Configure the SIM add-on with your Observability Cloud Organization ID and Access Token. \ -* Set up the SIM modular input to ingest Process Metrics. Name this input "sim_process_metrics_to_metrics_index". \ -* In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID. \ -* Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K') \ -* Set the Metric Resolution to 10000. \ -* Leave all other settings at their default values. \ -* Run the Search Baseline Of Kubernetes Container Network IO Ratio -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Kubernetes"] - -[savedsearch://ESCU - Kubernetes Previously Unseen Process - Rule] -type = detection -asset_type = Kubernetes -confidence = medium -explanation = This analytic detects newly seen process within the Kubernetes scope on a master or worker node. This detection leverages process metrics harvested using an OTEL collector and hostmetrics receiever, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247). This detection compares the processes seen for each node over the previous 1 hour with those over the previous 30 days up until the previous 1 hour. The specific metric used by this detection is process.memory.utilization. Newly seen processes on a Kubernetes worker node are concerning as they may represent security risks and anomalies that could be related to unauthorized activity. New processes may be introduced in an attempt to compromise the node or gain control of the Kubernetes cluster. By detecting these processes, they can be investigated, and correlated with other anomalous activity for that host. Newly seen processes may be part of an attacker's strategy to compromise the node, gain unauthorized access, and subsequently extend their control to the entire Kubernetes cluster. These processes could facilitate activities such as data exfiltration, privilege escalation, denial-of-service attacks, or the introduction of malware and backdoors, putting sensitive data, applications, and the entire infrastructure at risk. The consequences may include data breaches, service disruptions, financial losses, and reputational damage, underscoring the need to identify anomalous process and associate them with any concurrent risk activity. -how_to_implement = To implement this detection, follow these steps: \ -* Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster. \ -* Enable the hostmetrics/process receiver in the OTEL configuration. \ -* Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled. \ -* Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247) \ -* Configure the SIM add-on with your Observability Cloud Organization ID and Access Token. \ -* Set up the SIM modular input to ingest Process Metrics. Name this input "sim_process_metrics_to_metrics_index". \ -* In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID. \ -* Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K') \ -* Set the Metric Resolution to 10000. \ -* Leave all other settings at their default values. \ -* Run the Search Baseline Of Kubernetes Container Network IO Ratio -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Kubernetes"] - -[savedsearch://ESCU - Kubernetes Process Running From New Path - Rule] -type = detection -asset_type = Kubernetes -confidence = medium -explanation = This analytic detects processes running within the same scope as Kubernetes that have been run from a newly seen path. This detection leverages process metrics harvested using an OTEL collector and hostmetrics receiever, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247). This detection compares the processes seen for each node over the previous 1 hour with those over the previous 30 days up until the previous 1 hour, and alerts if the path for that process was not seen over the previous 30 days. The specific metric used by this detection is process.memory.utilization. Processes running from a newly seen path can signify potential security risks and anomalies. A process executing from an unfamiliar file path may indicate unauthorized changes to the file system, a compromised node, or the introduction of malicious software. If the presence of a process running from a newly seen file path on a Kubernetes node indicates malicious activity, the security implications could be severe. It suggests that an attacker has potentially compromised the node, allowing them to execute unauthorized processes and potentially gain control over critical resources. This could lead to further exploitation, data exfiltration, privilege escalation, or the introduction of malware and backdoors within the Kubernetes cluster. -how_to_implement = To implement this detection, follow these steps: \ -* Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster. \ -* Enable the hostmetrics/process receiver in the OTEL configuration. \ -* Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled. \ -* Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247) \ -* Configure the SIM add-on with your Observability Cloud Organization ID and Access Token. \ -* Set up the SIM modular input to ingest Process Metrics. Name this input "sim_process_metrics_to_metrics_index". \ -* In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID. \ -* Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K') \ -* Set the Metric Resolution to 10000. \ -* Leave all other settings at their default values. \ -* Run the Search Baseline Of Kubernetes Container Network IO Ratio -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Kubernetes"] - -[savedsearch://ESCU - Kubernetes Process with Anomalous Resource Utilisation - Rule] -type = detection -asset_type = Kubernetes -confidence = medium -explanation = This analytic identifies high resource utilization anomalies in Kubernetes processes. It uses process metrics from an OTEL collector and hostmetrics receiver, fetched from Splunk Observability cloud via the Splunk Infrastructure Monitoring Add-on. The detection uses a lookup table with average and standard deviation values for various process metrics to identify anomalies. High resource utilization can indicate security threats or operational issues, such as cryptojacking, unauthorized data exfiltration, or compromised containers. These anomalies can disrupt services, exhaust resources, increase costs, and allow attackers to evade detection or maintain access. -how_to_implement = To implement this detection, follow these steps: \ -* Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster. \ -* Enable the hostmetrics/process receiver in the OTEL configuration. \ -* Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled. \ -* Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247) \ -* Configure the SIM add-on with your Observability Cloud Organization ID and Access Token. \ -* Set up the SIM modular input to ingest Process Metrics. Name this input "sim_process_metrics_to_metrics_index". \ -* In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID. \ -* Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K') \ -* Set the Metric Resolution to 10000. \ -* Leave all other settings at their default values. \ -* Run the Search Baseline Of Kubernetes Container Network IO Ratio -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Kubernetes"] - -[savedsearch://ESCU - Kubernetes Process with Resource Ratio Anomalies - Rule] -type = detection -asset_type = Kubernetes -confidence = medium -explanation = This analytic detects anomalously changes in the ratio between specific process resources on a Kubernetes node, based on the past behavior for each process running in the Kubernetes scope on that node. This detection leverages process metrics harvested using an OTEL collector and hostmetrics receiver, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247). This detection also leverages a lookup table that contains average and standard deviation for the cpu:disk operations, cpu:mem, cpu:thread count, disk operations:thread count, and mem:disk operations ratios. This is used to indicate an anomalous change in resource ratios that indicate the workload has changed behavior irrespective of load. Changes in the relationship between utilization of different resources can indicate a change in behavior of the monitored process, which can indicate a potentially compromised application. Deviations in resource ratios, such as memory-to-CPU or CPU-to-disk utilization, may signify compromised processes, malicious activity, or misconfigurations that could pose risks. A change in process behavior could signify a potential security breach within the Kubernetes environment, where an attacker may have compromised a process either on the node or running within a container. -how_to_implement = To implement this detection, follow these steps: \ -* Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster. \ -* Enable the hostmetrics/process receiver in the OTEL configuration. \ -* Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled. \ -* Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247) \ -* Configure the SIM add-on with your Observability Cloud Organization ID and Access Token. \ -* Set up the SIM modular input to ingest Process Metrics. Name this input "sim_process_metrics_to_metrics_index". \ -* In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID. \ -* Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K') \ -* Set the Metric Resolution to 10000. \ -* Leave all other settings at their default values. \ -* Run the Search Baseline Of Kubernetes Container Network IO Ratio -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Kubernetes"] - -[savedsearch://ESCU - Kubernetes Scanner Image Pulling - Rule] -type = detection -asset_type = Kubernetes -confidence = medium -explanation = The following analytic detects the pulling of known Kubernetes security scanner images such as kube-hunter, kube-bench, and kube-recon. It leverages Kubernetes logs ingested through Splunk Connect for Kubernetes, specifically monitoring for messages indicating the pulling of these images. This activity is significant because the use of security scanners can indicate an attempt to identify vulnerabilities within the Kubernetes environment. If confirmed malicious, this could lead to the discovery and exploitation of security weaknesses, potentially compromising the entire Kubernetes cluster. -how_to_implement = You must ingest Kubernetes logs through Splunk Connect for Kubernetes. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Kubernetes"] - -[savedsearch://ESCU - Kubernetes Scanning by Unauthenticated IP Address - Rule] -type = detection -asset_type = Kubernetes -confidence = medium -explanation = This detection rule is designed to identify potential scanning activities within a Kubernetes environment. Scanning is a common preliminary step in an attack, where the attacker tries to gather information about the system to find potential vulnerabilities. In the context of Kubernetes, scanning could involve activities like unauthorized access attempts, probing public APIs, or trying to exploit known vulnerabilities. This rule triggers an alert when such suspicious activities are detected, helping to ensure the security of your Kubernetes infrastructure. -how_to_implement = You must ingest Kubernetes audit logs. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1046"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Kubernetes"] - -[savedsearch://ESCU - Kubernetes Shell Running on Worker Node - Rule] -type = detection -asset_type = Kubernetes -confidence = medium -explanation = This analytic identifies shell activity within the Kubernetes privilege scope on a worker node, returning a list of shell processes regardless of CPU resource consumption. It uses process metrics from an OTEL collector hostmetrics receiver, pulled from Splunk Observability cloud via the Splunk Infrastructure Monitoring Add-on. Metrics used are process.cpu.utilization and process.memory.utilization. Shell processes can indicate unauthorized or suspicious activity, posing a security threat. Shell access to worker nodes can provide attackers an entry point to compromise the node and the entire Kubernetes cluster. Monitoring and detecting shell processes is crucial for anomaly identification, security policy enforcement, and breach mitigation. Unauthorized shell processes on a Kubernetes worker node can severely compromise the cluster's security and integrity. Such access can lead to data theft, service disruption, privilege escalation, lateral movement, and further attacks within the cluster. It may also enable attackers to manipulate configurations, deploy malicious containers, and execute arbitrary code, posing a severe risk to the confidentiality, availability, and integrity of applications and sensitive data. -how_to_implement = To implement this detection, follow these steps: \ -* Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster. \ -* Enable the hostmetrics/process receiver in the OTEL configuration. \ -* Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled. \ -* Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247) \ -* Configure the SIM add-on with your Observability Cloud Organization ID and Access Token. \ -* Set up the SIM modular input to ingest Process Metrics. Name this input "sim_process_metrics_to_metrics_index". \ -* In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID. \ -* Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K') \ -* Set the Metric Resolution to 10000. \ -* Leave all other settings at their default values. \ -* Run the Search Baseline Of Kubernetes Container Network IO Ratio -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Kubernetes"] - -[savedsearch://ESCU - Kubernetes Shell Running on Worker Node with CPU Activity - Rule] -type = detection -asset_type = Kubernetes -confidence = medium -explanation = This analytic identifies shell activity within the Kubernetes privilege scope on a worker node. It returns shell processes only if they're consuming CPU resources. The detection uses process metrics from an OTEL collector hostmetrics receiver, pulled from Splunk Observability cloud via the Splunk Infrastructure Monitoring Add-on. The metrics used are process.cpu.utilization and process.memory.utilization. Shell processes can indicate unauthorized activity, posing a security threat. Attackers could compromise the node and the entire Kubernetes cluster via shell access to worker nodes. Monitoring shell processes is crucial for anomaly detection, policy enforcement, and breach mitigation. Unauthorized shell processes on a Kubernetes worker node could severely impact the cluster's security and integrity. Attackers could gain full control over the host's resources and file system, compromising all hosted workloads and data. This access could lead to data theft, service disruption, privilege escalation, lateral movement, and further attacks within the cluster. Attackers could also manipulate configurations, deploy malicious containers, and execute arbitrary code, severely risking the confidentiality, availability, and integrity of applications and sensitive data. A rapid and comprehensive incident response is required to mitigate and recover from such a breach. -how_to_implement = To implement this detection, follow these steps: \ -* Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster. \ -* Enable the hostmetrics/process receiver in the OTEL configuration. \ -* Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled. \ -* Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247) \ -* Configure the SIM add-on with your Observability Cloud Organization ID and Access Token. \ -* Set up the SIM modular input to ingest Process Metrics. Name this input "sim_process_metrics_to_metrics_index". \ -* In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID. \ -* Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K') \ -* Set the Metric Resolution to 10000. \ -* Leave all other settings at their default values. \ -* Run the Search Baseline Of Kubernetes Container Network IO Ratio -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Kubernetes"] - -[savedsearch://ESCU - Kubernetes Suspicious Image Pulling - Rule] -type = detection -asset_type = Kubernetes -confidence = medium -explanation = The following analytic detects instances of suspicious image pulling in Kubernetes. It identifies this behavior by monitoring Kubernetes audit logs for image pull requests that do not match a predefined list of allowed images. This behavior is worth identifying for a SOC as it could indicate an attacker attempting to deploy malicious software or infiltrate the system. The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data. -how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Kubernetes"] - -[savedsearch://ESCU - Kubernetes Unauthorized Access - Rule] -type = detection -asset_type = Kubernetes -confidence = medium -explanation = The following analytic detects unauthorized access to Kubernetes by monitoring Kubernetes audit logs. It identifies anomalies in access patterns by segmenting and analyzing the source of requests. Unauthorized access is worth identifying for a SOC as it could indicate an attacker attempting to infiltrate the system. The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data. -how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Kubernetes"] - -[savedsearch://ESCU - O365 Add App Role Assignment Grant User - Rule] -type = detection -asset_type = O365 Tenant -confidence = medium -explanation = This search is designed to detect the creation of a new Federation setting by alerting on a specific event associated with its creation. By monitoring for this event, the search can identify any instances where a Federation setting is being created within the system. This can help in detecting and monitoring any unauthorized or suspicious changes to the Federation settings, providing an additional layer of security for your environment. -how_to_implement = You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.CM"]} -known_false_positives = The creation of a new Federation is not necessarily malicious, however this events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a different cloud provider. -providing_technologies = ["Microsoft Office 365"] - -[savedsearch://ESCU - O365 Added Service Principal - Rule] -type = detection -asset_type = O365 Tenant -confidence = medium -explanation = The following analytic detects addition of new service principal accounts added to O365 tenants. Attackers can abuse service principals in Office 365 (now known as Microsoft 365) to gain unauthorized access and perform malicious actions within an organization's environment. Service principals are essentially non-human accounts used by applications, services, or scripts to access resources and interact with APIs on behalf of the organization. -how_to_implement = You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.CM"]} -known_false_positives = The creation of a new Federation is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a different cloud provider. -providing_technologies = ["Microsoft Office 365"] - -[savedsearch://ESCU - O365 Admin Consent Bypassed by Service Principal - Rule] -type = detection -asset_type = O365 Tenant -confidence = medium -explanation = This detection targets situations where a service principal in Office 365 Azure Active Directory assigns app roles without the standard admin consent, a potential security breach. Using o365_management_activity logs, it examines the 'Add app role assignment to service principal' operation, focusing on service principals and extracting details like role ID and description. This is critical for SOCs to detect potential bypassing of crucial administrative controls, which could lead to unauthorized access or privilege escalation. A true positive implies a service principal might be misusing automated processes to assign sensitive permissions. -how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098.003"], "nist": ["DE.CM"]} -known_false_positives = Service Principals are sometimes configured to legitimately bypass the consent process for purposes of automation. Filter as needed. -providing_technologies = ["Microsoft Office 365"] - -[savedsearch://ESCU - O365 Advanced Audit Disabled - Rule] -type = detection -asset_type = O365 Tenant -confidence = medium -explanation = The following analytic identifies instances where the O365 advanced audit is disabled for a specific user within the Office 365 tenant. It leverages O365 audit logs, specifically events related to audit license changes or modifications within the AzureActiveDirectory workloads. The O365 advanced audit provides granular logging and insights into user and administrator activities, making it a crucial tool for security monitoring and incident response. Disabling this audit for a user can blind security teams to potential malicious or unauthorized activities related to that user's mailbox or account. Attackers may disable these audits to obscure their actions and reduce the chances of detection. If an attacker successfully disables the O365 advanced audit for a user, they can operate within that user's mailbox or account with reduced risk of detection. This can lead to unauthorized data access, data exfiltration, account compromise, or other malicious activities without leaving a detailed audit trail. -how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562", "T1562.008"], "nist": ["DE.CM"]} -known_false_positives = Administrators might temporarily disable the advanced audit for troubleshooting, performance reasons, or other administrative tasks. Filter as needed. -providing_technologies = ["Microsoft Office 365"] - -[savedsearch://ESCU - O365 Application Registration Owner Added - Rule] -type = detection -asset_type = O365 Tenant -confidence = medium -explanation = The following analytic identifies instances where a new owner is assigned to an application registration within an Azure AD and Office 365 tenant. It leverages O365 audit logs, specifically events related to changes in owner assignments within the AzureActiveDirectory workload for application registrations. Assigning a new owner to an application registration can grant significant control over the application's configuration, permissions, and behavior. An unauthorized or inadvertent change in ownership can lead to misuse of the application, potentially affecting data access, user permissions, or the application's interactions within the tenant. Monitoring for such changes ensures that only legitimate and authorized personnel have control over application registrations. If an attacker successfully assigns themselves or a compromised account as an owner to an application registration, they can modify the application's settings, permissions, and behavior. This can lead to unauthorized data access, escalation of privileges, or the introduction of malicious behavior within the application's operations -how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]} -known_false_positives = Application owners may be added for legitimate reasons, filter as needed. -providing_technologies = ["Microsoft Office 365"] - -[savedsearch://ESCU - O365 ApplicationImpersonation Role Assigned - Rule] -type = detection -asset_type = O365 Tenant -confidence = medium -explanation = The following analytic identifies the assignment of the ApplicationImpersonation role in Office 365, either to a user or an application. This analytic leverages the Office 365 Management Activity API, specifically monitoring for events related to role assignments and changes within the Azure Active Directory audit logs. The ApplicationImpersonation role allows a security principal to impersonate any user within the organization and perform actions on their behalf, such as accessing or modifying their mailbox. This role, if misused or granted inappropriately, can pose a significant security risk. Monitoring the assignment of this role is crucial as it can be an indicator of potential malicious activity or misconfigurations. If an attacker successfully assigns the ApplicationImpersonation role to a malicious user or application, they can gain the ability to impersonate any user within the organization. This can lead to unauthorized access to sensitive information, manipulation of mailbox data, and other malicious actions. The attacker can effectively masquerade as a legitimate user, making their actions harder to detect and potentially causing significant harm to the organization. -how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098", "T1098.002"], "nist": ["DE.CM"]} -known_false_positives = While infrequent, the ApplicationImpersonation role may be granted for leigimate reasons, filter as needed. -providing_technologies = ["Microsoft Office 365"] - -[savedsearch://ESCU - O365 Block User Consent For Risky Apps Disabled - Rule] -type = detection -asset_type = O365 Tenant -confidence = medium -explanation = This analytic detects when the "risk-based step-up consent" security setting in Microsoft 365 is disabled. This setting, when enabled, prevents regular users from granting consent to potentially malicious OAuth applications, requiring an administrative "step-up" for consent instead. Disabling this feature could expose the organization to OAuth phishing threats.The detection operates by monitoring Azure Active Directory logs for events where the "Update authorization policy" operation is performed. It specifically looks for changes to the "AllowUserConsentForRiskyApps" setting, identifying instances where this setting is switched to "true," effectively disabling the risk-based step-up consent. Monitoring for changes to critical security settings like the "risk-based step-up consent" is vital for maintaining the integrity of an organization's security posture. Disabling this feature can make the environment more susceptible to OAuth phishing attacks, where attackers trick users into granting permissions to malicious applications. Identifying when this setting is disabled can help blue teams to quickly respond, investigate, and potentially uncover targeted phishing campaigns against their users. If an attacker successfully disables the "risk-based step-up consent" and subsequently launches an OAuth phishing campaign, they could gain unauthorized access to user data and other sensitive information within the M365 environment. This could lead to data breaches, unauthorized access to emails, and potentially further compromise within the organization. -how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562"], "nist": ["DE.CM"]} -known_false_positives = Legitimate changes to the 'risk-based step-up consent' setting by administrators, perhaps as part of a policy update or security assessment, may trigger this alert, necessitating verification of the change's intent and authorization. -providing_technologies = ["Microsoft Office 365"] - -[savedsearch://ESCU - O365 Bypass MFA via Trusted IP - Rule] -type = detection -asset_type = O365 Tenant -confidence = medium -explanation = This analytic identifies instances where new IP addresses are added to the trusted IPs list in Office 365, potentially allowing users from these IPs to bypass Multi-Factor Authentication (MFA) during login. The detection leverages O365 audit logs, specifically focusing on events related to the modification of trusted IP settings. By monitoring these logs, the analytic captures and alerts on any addition of new trusted IPs. Adding trusted IPs to bypass MFA is a significant security concern. While there might be legitimate reasons to add trusted IPs, such as for a new office location, there's also a risk of attackers or malicious insiders using this to facilitate unauthorized access. Monitoring for changes to the trusted IP list helps ensure that any attempt to bypass MFA is legitimate and authorized. If the detection is a true positive, it suggests that users logging in from the newly added trusted IP can bypass MFA, potentially weakening the security posture of the organization. This could lead to unauthorized access, especially if the IP was added maliciously. Immediate investigation is required to validate the legitimacy of the IP addition and to assess potential security implications. -how_to_implement = You must install Splunk Microsoft Office 365 add-on. This search works with o365:management:activity -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.007", "T1562"], "nist": ["DE.CM"]} -known_false_positives = Unless it is a special case, it is uncommon to continually update Trusted IPs to MFA configuration. -providing_technologies = ["Microsoft Office 365"] - -[savedsearch://ESCU - O365 Compliance Content Search Exported - Rule] -type = detection -asset_type = O365 Tenant -confidence = medium -explanation = This detection targets activities where the results of a content search within the Office 365 Security and Compliance Center are exported, a crucial phase in the compliance and investigative workflows. By focusing on the SearchExported operation logged under the SecurityComplianceCenter workload in the o365_management_activity, this analytic flags instances that potentially move sensitive or critical organizational data outside its original storage locations. -how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114", "T1114.002"], "nist": ["DE.CM"]} -known_false_positives = Compliance content searche exports may be executed for legitimate purposes, filter as needed. -providing_technologies = ["Microsoft Office 365"] - -[savedsearch://ESCU - O365 Compliance Content Search Started - Rule] -type = detection -asset_type = O365 Tenant -confidence = medium -explanation = This detection will trigger when a content search is initiated within the Office 365 Security and Compliance Center, a critical component in the suite's governance, risk management, and compliance (GRC) capabilities. By monitoring the SearchCreated operation within the o365_management_activity logs, specifically under the SecurityComplianceCenter workload, this analytic flags the commencement of searches across the organization's data, including emails, documents, and more, that reside in ExchangeLocations. -how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114", "T1114.002"], "nist": ["DE.CM"]} -known_false_positives = Compliance content searches may be executed for legitimate purposes, filter as needed. -providing_technologies = ["Microsoft Office 365"] - -[savedsearch://ESCU - O365 Concurrent Sessions From Different Ips - Rule] -type = detection -asset_type = O365 Tenant -confidence = medium -explanation = The following analytic identies scenarios where the same user session is accessed from multiple IP addresses. This situation typically arises in an adversary-in-the-middle (AiTM) phishing attack, where attackers compromise user sessions. The detection method involves analyzing Azure Active Directory logs for 'UserLoggedIn' operations. It focuses on identifying sessions where the number of associated IP addresses exceeds one for the same SessionId. This pattern suggests potential unauthorized concurrent access, which is atypical under normal usage scenarios. If a true positive is identified, it implies that an adversary has gained unauthorized access to a user's Office 365 account. The ramifications of this can be significant, including data theft, account takeover, and launching of internal phishing campaigns. -how_to_implement = You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1185"], "nist": ["DE.CM"]} -known_false_positives = Unknown -providing_technologies = ["Microsoft Office 365"] - -[savedsearch://ESCU - O365 Disable MFA - Rule] -type = detection -asset_type = O365 Tenant -confidence = medium -explanation = This analytic identifies instances where Multi-Factor Authentication (MFA) is disabled for a user within the Office 365 environment. Disabling MFA removes a critical security layer, making accounts more vulnerable to unauthorized access. The detection leverages O365 audit logs, specifically focusing on events related to MFA settings. By monitoring these logs, the analytic captures and alerts on any actions that result in the deactivation or disabling of MFA for a user. MFA is a cornerstone of modern security practices, providing an additional layer of protection beyond just a password. Disabling MFA, especially without a valid reason, poses a significant security risk. Attackers, after gaining initial access to an account, might disable MFA to ensure easier re-entry and persistence. Monitoring for such changes is crucial to detect potential security breaches and to ensure that security best practices are consistently applied. If the detection is a true positive, it indicates that a user's account is now at increased risk of unauthorized access, as the added security layer of MFA has been removed. This could be a sign of an attacker trying to maintain persistence or an insider threat. Immediate investigation is required to validate the reason for disabling MFA, potentially re-enable it, and assess any other suspicious activities related to the affected account. -how_to_implement = You must install the Splunk Microsoft Office 365 add-on. This search works with o365:management:activity -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1556"], "nist": ["DE.CM"]} -known_false_positives = Unless it is a special case, it is uncommon to disable MFA or Strong Authentication -providing_technologies = ["Microsoft Office 365"] - -[savedsearch://ESCU - O365 Elevated Mailbox Permission Assigned - Rule] -type = detection -asset_type = O365 Tenant -confidence = medium -explanation = This detection triggers on the assignment of elevated mailbox permissions within an Office 365 environment, specifically through the Add-MailboxPermission operation, as logged under the Exchange workload in the o365_management_activity. It is meticulously designed to spotlight instances where critical permissions such as FullAccess, ChangePermission, or ChangeOwner are granted, marking significant alterations in mailbox access controls. -how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098", "T1098.002"], "nist": ["DE.CM"]} -known_false_positives = FullAccess mailbox delegation may be assigned for legitimate purposes, filter as needed. -providing_technologies = ["Microsoft Office 365"] - -[savedsearch://ESCU - O365 Excessive Authentication Failures Alert - Rule] -type = detection -asset_type = O365 Tenant -confidence = medium -explanation = The following analytic identifies an excessive number of authentication failures, including failed attempts against MFA prompt codes. It uses data from the `o365_management_activity` dataset, focusing on events where the authentication status is marked as failure. This behavior is significant as it may indicate a brute force attack or an attempt to compromise user accounts. If confirmed malicious, this activity could lead to unauthorized access, data breaches, or further exploitation within the environment. -how_to_implement = You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110"], "nist": ["DE.AE"]} -known_false_positives = The threshold for alert is above 10 attempts and this should reduce the number of false positives. -providing_technologies = ["Microsoft Office 365"] - -[savedsearch://ESCU - O365 Excessive SSO logon errors - Rule] -type = detection -asset_type = O365 Tenant -confidence = medium -explanation = The following analytic detects accounts experiencing a high number of Single Sign-On (SSO) logon errors. It leverages data from the `o365_management_activity` dataset, focusing on failed user login attempts with SSO errors. This activity is significant as it may indicate brute-force attempts or the hijacking/reuse of SSO tokens. If confirmed malicious, attackers could potentially gain unauthorized access to user accounts, leading to data breaches, privilege escalation, or further lateral movement within the organization. -how_to_implement = You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1556"], "nist": ["DE.AE"]} -known_false_positives = Logon errors may not be malicious in nature however it may indicate attempts to reuse a token or password obtained via credential access attack. -providing_technologies = ["Microsoft Office 365"] - -[savedsearch://ESCU - O365 File Permissioned Application Consent Granted by User - Rule] -type = detection -asset_type = O365 Tenant -confidence = medium -explanation = This analytic identifies instances where a user in the Office 365 environment grants consent to an application that requests file permissions, specifically targeting OneDrive or SharePoint. Such permissions mean the application could potentially access, modify, or delete files stored within these services. The detection process leverages O365 audit logs, particularly focusing on events related to OAuth application consents. By examining these logs, the analytic is designed to capture and alert on any actions where users grant consent to applications requesting file-related permissions for OneDrive or SharePoint. The sensitivity of file permissions, especially in platforms as widely utilized as OneDrive and SharePoint, cannot be overstated. While many legitimate applications might require such permissions to operate, there's an inherent risk with malicious or overly permissive applications. Attackers could craft or exploit applications to gain file permissions, aiming to access, exfiltrate, or manipulate sensitive data housed in OneDrive or SharePoint. It's crucial for security operations centers to monitor these consents to ensure that only trustworthy applications gain access and that users aren't inadvertently granting permissions to potentially harmful applications. If this detection flags a true positive, it indicates that an application has been granted permissions that could allow it to interact with OneDrive or SharePoint files in potentially malicious ways. Such actions could lead to data breaches, data loss, or unauthorized data manipulation. Immediate investigation would be required to validate the application's legitimacy, understand the nature of its requested permissions, and assess the potential risks associated with the access it's been granted. -how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1528"], "nist": ["DE.CM"]} -known_false_positives = OAuth applications that require file permissions may be legitimate, investigate and filter as needed. -providing_technologies = ["Microsoft Office 365"] - -[savedsearch://ESCU - O365 FullAccessAsApp Permission Assigned - Rule] -type = detection -asset_type = O365 Tenant -confidence = medium -explanation = The following analytic triggers on the assignment of the 'full_access_as_app' permission to an application registration in Office 365, specifically within Exchange Online. The 'full_access_as_app' permission, identified by its GUID 'dc890d15-9560-4a4c-9b7f-a736ec74ec40', allows an application extensive control over Office 365 operations, including access to all mailboxes and the ability to send mail as any user. The analytic focuses on the ResourceAppId '00000002-0000-0ff1-ce00-000000000000', pinpointing permissions granted to the Office 365 Exchange Online resource. By analyzing Office 365 management activity logs and filtering Azure Active Directory workload events, the query detects when this specific permission is assigned. Monitoring this assignment is vital due to the broad access it provides, which can lead to unauthorized data access or exfiltration if misused. A true positive detection requires immediate attention to prevent potential security risks like account compromise or data loss. -how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098.002", "T1098.003"], "nist": ["DE.CM"]} -known_false_positives = The full_access_as_app API permission may be assigned to legitimate applications. Filter as needed. -providing_technologies = ["Microsoft Office 365"] - -[savedsearch://ESCU - O365 High Number Of Failed Authentications for User - Rule] -type = detection -asset_type = O365 Tenant -confidence = medium -explanation = The following analytic identifies an O365 account that has experienced more than 20 failed authentication events within a span of 5 minutes. This could be indicative of an attacker attempting to brute force or guess the password for that particular user account. It leverages the O365 Unified Audit Logs, specifically the "UserLoginFailed" events. By monitoring the frequency and volume of these events for individual users, the analytic can flag accounts that exceed the set threshold of failed attempts within the defined timeframe. Multiple failed login attempts in a short period can be a strong indicator of malicious activity. While there could be benign reasons, such as a user forgetting their password, the rapid succession of failed attempts is often a sign of an attacker trying to gain unauthorized access. By detecting and alerting on this behavior, the SOC can quickly investigate and take appropriate action, potentially stopping an attack in its early stages. Given that environments differ across organizations, security teams should consider customizing the threshold of this detection to better suit their specific needs and risk profile. If an attacker successfully guesses or brute-forces a user's password after numerous attempts, they can gain unauthorized access to the O365 environment. This unauthorized access could allow them to view sensitive emails, documents, and other data. -how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110", "T1110.001"], "nist": ["DE.CM"]} -known_false_positives = Although unusual, users who have lost their passwords may trigger this detection. Filter as needed. -providing_technologies = ["Microsoft Office 365"] - -[savedsearch://ESCU - O365 High Privilege Role Granted - Rule] -type = detection -asset_type = O365 Tenant -confidence = medium -explanation = This analytic detects when high-privilege roles, specifically "Exchange Administrator", "SharePoint Administrator", or "Global Administrator", are granted within Office 365. By monitoring O365 audit logs for events where these administrative roles are assigned to any user or service account, the analytic provides insight into critical role changes. The assignment of these roles is of paramount importance to Security Operations Centers (SOCs) as they grant extensive permissions, allowing for broad access and control over critical organizational resources and data. An unexpected or unauthorized role assignment could indicate potential malicious activity, insider threats, or misconfigurations. If an attacker or unauthorized individual is granted one of these roles, the potential impact includes gaining significant control over O365 resources, accessing, modifying, or deleting critical data, making configuration changes, and potentially compromising the overall security and functionality of the O365 environment. -how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]} -known_false_positives = Privilege roles may be assigned for legitimate purposes, filter as needed. -providing_technologies = ["Microsoft Office 365"] - -[savedsearch://ESCU - O365 Mail Permissioned Application Consent Granted by User - Rule] -type = detection -asset_type = O365 Tenant -confidence = medium -explanation = The following analytic identifies instances where a user grants consent to an application that requests mail related permissions within the Office 365 environment. This could involve permissions to read, send, or manage mail settings. It leverages the O365 audit logs, specifically events related to application permissions and user consent actions. By filtering for mail-related permissions and user-granted consents, the analytic pinpoints potential security concerns. While many legitimate applications request mail permissions for valid reasons, malicious actors can exploit these permissions for data exfiltration, spear phishing, or other malicious activities. By monitoring for user-granted mail permissions, security teams can identify and review potentially risky consents, ensuring that only trusted applications have access to sensitive email data. If the detection is a true positive, it indicates that an application now has access to the users mail data as permitted. In the hands of a malicious actor, this could lead to unauthorized data access, email forwarding, or even the sending of malicious emails from the compromised account. Its crucial to validate the legitimacy of the application and the context of the consent to prevent potential data breaches or further malicious activities. -how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1528"], "nist": ["DE.CM"]} -known_false_positives = OAuth applications that require mail permissions may be legitimate, investigate and filter as needed. -providing_technologies = ["Microsoft Office 365"] - -[savedsearch://ESCU - O365 Mailbox Email Forwarding Enabled - Rule] -type = detection -asset_type = O365 Tenant -confidence = medium -explanation = This detection is designed to identify instances where email forwarding has been enabled on mailboxes within an Office 365 environment. By monitoring for the specific operation Set-Mailbox within the o365_management_activity logs, this analytic hones in on changes made to mailbox configurations that initiate the forwarding of emails. It specifically looks for the activation of ForwardingAddress or ForwardingSmtpAddress parameters, indicating that emails are being automatically sent to another email address from the user's mailbox. -how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114", "T1114.003"], "nist": ["DE.CM"]} -known_false_positives = Email forwarding may be configured for legitimate purposes, filter as needed. -providing_technologies = ["Microsoft Office 365"] - -[savedsearch://ESCU - O365 Mailbox Folder Read Permission Assigned - Rule] -type = detection -asset_type = O365 Tenant -confidence = medium -explanation = This detection is tailored to capture instances where read permissions are assigned to mailbox folders within an Office 365 environment, utilizing the operations ModifyFolderPermissions and AddFolderPermissions as captured in the o365_management_activity. Unlike other permission modifications, this detection excludes actions related to the Calendar, Contacts, and PersonMetadata objects, focusing on core mailbox folders. -how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098", "T1098.002"], "nist": ["DE.CM"]} -known_false_positives = Mailbox folder permissions may be configured for legitimate purposes, filter as needed. -providing_technologies = ["Microsoft Office 365"] - -[savedsearch://ESCU - O365 Mailbox Folder Read Permission Granted - Rule] -type = detection -asset_type = O365 Tenant -confidence = medium -explanation = This detection focuses on identifying changes in mailbox folder permissions within an Office 365 environment, specifically pinpointing instances where read permissions are granted. It monitors for two key operations Set-MailboxFolderPermission and Add-MailboxFolderPermission, as logged in the o365_management_activity. These operations are indicative of modifications or additions to the permissions of mailbox folders, potentially altering who can view or interact with the folder contents. -how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098", "T1098.002"], "nist": ["DE.CM"]} -known_false_positives = Mailbox folder permissions may be configured for legitimate purposes, filter as needed. -providing_technologies = ["Microsoft Office 365"] - -[savedsearch://ESCU - O365 Mailbox Inbox Folder Shared with All Users - Rule] -type = detection -asset_type = O365 Tenant -confidence = medium -explanation = The following analytic identifies instances where the inbox folder of a mailbox in Office 365 is shared with all users within the tenant. Sharing the inbox folder with all users is an unusual and risky configuration. Attackers have been known to exploit this setting to surreptitiously read a target user's emails from another account. Such unauthorized access can lead to data breaches, leakage of confidential information, or further compromise based on the information gathered from the emails. Monitoring for this configuration change ensures that inadvertent or malicious sharing is promptly identified and addressed. If an attacker successfully configures the inbox to be shared with all users, they can access and read all emails in the affected mailbox from any account within the tenant. This can lead to data exfiltration, spear-phishing attacks based on the information in the emails, or further malicious activities using sensitive information gathered from the mailbox. -how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114", "T1114.002"], "nist": ["DE.CM"]} -known_false_positives = Administrators might temporarily share a mailbox with all users for legitimate reasons, such as troubleshooting, migrations, or other administrative tasks. Some organizations use shared mailboxes for teams or departments where multiple users need access to the same mailbox. Filter as needed. -providing_technologies = ["Microsoft Office 365"] - -[savedsearch://ESCU - O365 Mailbox Read Access Granted to Application - Rule] -type = detection -asset_type = O365 Tenant -confidence = medium -explanation = The following analytic identifies instances where the Mail.Read Graph API permissions are granted to an application registration within an Office 365 tenant. It leverages O365 audit logs, specifically events related to changes in application permissions within the AzureActiveDirectory workload. The Mail.Read permission allows applications to access and read all emails within a user's mailbox. Emails often contain sensitive or confidential information, and unauthorized access can lead to data breaches or leakage. Monitoring the assignment of this permission ensures that only legitimate applications have such access and that any inadvertent or malicious assignments are promptly identified. If an attacker successfully grants this permission to a malicious or compromised application, they can read all emails in the affected mailboxes. This can lead to data exfiltration, spear-phishing attacks, or further compromise based on the information gathered from the emails. -how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1114.002", "T1114", "T1098", "T1098.003"], "nist": ["DE.CM"]} -known_false_positives = There are legitimate scenarios in wich an Application registrations requires Mailbox read access. Filter as needed. -providing_technologies = ["Microsoft Office 365"] - -[savedsearch://ESCU - O365 Multi-Source Failed Authentications Spike - Rule] -type = detection -asset_type = O365 Tenant -confidence = medium -explanation = This analytic detects potential distributed password spraying attacks within an Office 365 environment. It identifies a significant increase in failed authentication attempts characterized by diverse user-and-IP address combinations, originating from multiple source IP addresses, and utilizing various user agents. These patterns may indicate an adversary's attempt to circumvent security controls by employing a spectrum of IP addresses to test commonly used passwords against a wide range of user accounts. The detection examines UserLoginFailed events from O365 Management Activity logs, with a particular focus on events with ErrorNumber 50126, which indicates a failed authentication due to incorrect credentials. By aggregating data over a five-minute interval, the analytic calculates the distinct counts of user-and-IP combinations and unique users and source IPs. It then applies a set of thresholds to these metrics to identify abnormal activities that could suggest a coordinated attack. The predefined thresholds within the analytic (such as unique IPs, unique users, etc.) serve as initial benchmarks and should be tailored to align with the organization's typical user behavior and risk tolerance. Early detection of such distributed activities is crucial for security operations centers (SOCs) to intercept unauthorized access attempts, avert account takeovers, and reduce the risk of subsequent malevolent actions within the organization's systems. A true positive alert from this analytic would indicate an ongoing distributed password spraying campaign targeting the organization's Office 365 tenant. If such an attack is successful, it could lead to unauthorized access, especially to accounts with administrative privileges, resulting in data breaches, privilege escalation, persistent threats, and lateral movement within the organization's digital environment. -how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. The thresholds set within the analytic (such as unique IPs, unique users, etc.) are initial guidelines and should be customized based on the organization's user behavior and risk profile. Security teams are encouraged to adjust these thresholds to optimize the balance between detecting genuine threats and minimizing false positives, ensuring the detection is tailored to their specific environment. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]} -known_false_positives = This detection may yield false positives in scenarios where legitimate bulk sign-in activities occur, such as during company-wide system updates or when users are accessing resources from varying locations in a short time frame, such as in the case of VPNs or cloud services that rotate IP addresses. Filter as needed. -providing_technologies = ["Microsoft Office 365"] - -[savedsearch://ESCU - O365 Multiple AppIDs and UserAgents Authentication Spike - Rule] -type = detection -asset_type = O365 Tenant -confidence = medium -explanation = This analytic is crafted to identify unusual and potentially malicious authentication activity within an O365 environment. It triggers when a single user account is involved in more than 8 authentication attempts, using 3 or more unique application IDs and more than 5 unique user agents within a short timeframe. This pattern is atypical for regular user behavior and may indicate an adversary's attempt to probe the environment, testing for multi-factor authentication requirements across different applications and platforms. The detection is based on analysis of O365 audit logs, specifically focusing on authentication events. It employs statistical thresholds to highlight instances where the volume of authentication attempts and the diversity of application IDs and user agents associated with a single user account exceed normal parameters. Identifying this behavior is crucial as it provides an early indication of potential account compromise. Adversaries, once in possession of user credentials, often conduct reconnaissance to understand the security controls in place, including multi-factor authentication configurations. Tools like Invoke-MFASweep are commonly used for this purpose, automating the process of testing different user agents and application IDs to bypass MFA. By detecting these initial probing attempts, security teams can swiftly respond, potentially stopping an attack in its early stages and preventing further unauthorized access. This proactive stance is vital for maintaining the integrity of the organization's security posture. If validated as a true positive, this detection points to a compromised account, signaling that an attacker is actively attempting to navigate security controls to maintain access and potentially escalate privileges. This could lead to further exploitation, lateral movement within the network, and eventual data exfiltration. Recognizing and responding to this early stage of an attack is vital for preventing substantial harm and safeguarding sensitive organizational data and systems. -how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} -known_false_positives = Rapid authentication from the same user using more than 5 different user agents and 3 application IDs is highly unlikely under normal circumstances. However, there are potential scenarios that could lead to false positives. -providing_technologies = ["Microsoft Office 365"] - -[savedsearch://ESCU - O365 Multiple Failed MFA Requests For User - Rule] -type = detection -asset_type = O365 Tenant -confidence = medium -explanation = This analytic identifies potential "MFA fatigue" attacks targeting Office 365 users. Specifically, it detects scenarios where a user experiences more than nine Multi-Factor Authentication (MFA) prompts within a 10-minute timeframe. Attackers may exploit MFA fatigue by repeatedly triggering MFA requests, hoping that the user, out of frustration or oversight, will approve a malicious authentication attempt. The detection leverages O365 management activity logs, focusing on Azure Active Directory events. It looks for the UserLoginFailed operation combined with a Success ResultStatus and an ErrorNumber of 500121, which indicates MFA prompts. By monitoring these specific events and conditions, the analytic captures and alerts on potential MFA fatigue scenarios. With MFA being a cornerstone of modern cybersecurity defenses, attackers are constantly seeking ways to bypass or exploit it. MFA fatigue is one such tactic, where attackers rely on user frustration or confusion caused by frequent MFA prompts. Detecting potential MFA fatigue scenarios allows security teams to proactively investigate and ensure that users aren't inadvertently granting access to malicious actors. If this detection flags a true positive, it suggests a potential attempt by an attacker to exploit MFA mechanisms to gain unauthorized access to an O365 account. Successful exploitation could lead to data breaches, unauthorized data access, or further compromise within the O365 environment. Immediate investigation and response would be crucial to safeguard the affected account and assess the full scope of the potential breach. -how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1621"], "nist": ["DE.CM"]} -known_false_positives = Multiple Failed MFA requests may also be a sign of authentication or application issues. Filter as needed. -providing_technologies = ["Microsoft Office 365"] - -[savedsearch://ESCU - O365 Multiple Mailboxes Accessed via API - Rule] -type = detection -asset_type = O365 Tenant -confidence = medium -explanation = The following analytic is designed to trigger when a high number of Office 365 Exchange mailboxes are accessed via API (Microsoft Graph API or Exchange Web Services) in a short time, hinting at possible unauthorized mass email access. It tracks 'MailItemsAccessed' operations in Exchange, using AppId and regex to identify API interactions. Crucial for SOC teams, this analytic focuses on spotting abnormal access patterns, often signaling data exfiltration or account compromise. Security teams should tailor the threshold - set here to flag over five unique mailboxes accessed within 10 minutes - to align with their environment's norms, ensuring effective detection of potential security incidents while maintaining operational efficiency. -how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114.002"], "nist": ["DE.CM"]} -known_false_positives = Legitimate applications may access multiple mailboxes via an API. You can filter by the ClientAppId or the CLientIpAddress fields. -providing_technologies = ["Microsoft Office 365"] - -[savedsearch://ESCU - O365 Multiple Service Principals Created by SP - Rule] -type = detection -asset_type = O365 Tenant -confidence = medium -explanation = This detection aims to identify instances where a single service principal creates more than three unique OAuth applications within a 10-minute timeframe, using O365 logs from the Unified Audit Log. The focus is on tracking the 'Add service principal' operation within the Office 365 Azure Active Directory environment. The query effectively buckets events in 10-minute intervals, specifically scrutinizing the actions of service principals. By quantifying the number of distinct OAuth applications each service principal establishes, the analytic provides critical insights for SOC teams into potentially anomalous or malicious activities. These activities could include a compromised or malicious service principal being used to create multiple service principals, which might be indicative of an attempt to expand control or access within the network. Security teams are advised to adapt the threshold of three applications to align with their typical operational baseline -how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003"], "nist": ["DE.AE"]} -known_false_positives = Certain users or applications may create multiple service principals in a short period of time for legitimate purposes. Filter as needed. -providing_technologies = ["Microsoft Office 365"] - -[savedsearch://ESCU - O365 Multiple Service Principals Created by User - Rule] -type = detection -asset_type = O365 Tenant -confidence = medium -explanation = This detection is tailored to spot occurrences where a single user, rather than a service principal, creates more than three unique OAuth applications within a 10-minute window in the Office 365 environment. Utilizing O365 logs from the Unified Audit Log, it focuses on the 'Add service principal' operation in Azure Active Directory. The query segments events into 10-minute intervals, exclusively monitoring user activities. It calculates the number of distinct OAuth applications initiated by each user, providing SOC teams with essential data for identifying potential security threats. Such activity could suggest that a user account is either compromised or engaged in unauthorized activities, potentially setting the stage for broader network infiltration or privilege escalation. It's important for security teams to adjust the threshold of three applications to fit their operational context. -how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003"], "nist": ["DE.AE"]} -known_false_positives = Certain users or applications may create multiple service principals in a short period of time for legitimate purposes. Filter as needed. -providing_technologies = ["Microsoft Office 365"] - -[savedsearch://ESCU - O365 Multiple Users Failing To Authenticate From Ip - Rule] -type = detection -asset_type = O365 Tenant -confidence = medium -explanation = This analytic identifies instances where multiple users (more than 10 unique accounts) have failed to authenticate from a single IP address within a short time span (5 minutes). Such a pattern can be indicative of malicious activities, such as brute-force attacks or password spraying attempts. The detection leverages O365 audit logs, specifically focusing on Azure Active Directory login failures (AzureActiveDirectoryStsLogon). By aggregating these failures based on the source IP address and time, the analytic captures patterns where multiple unique user accounts have authentication failures from the same IP within a 5-minute window. Multiple authentication failures from a single IP address targeting various accounts can be a strong indicator of an attacker trying to gain unauthorized access. It could represent a brute-force attack, password spraying, or other malicious login attempts. Identifying and responding to such patterns promptly is crucial to prevent potential account compromises and unauthorized access to organizational resources. If the detection is a true positive, it suggests that an external entity is actively trying to breach the security by targeting multiple user accounts. While the attempts have been unsuccessful (as indicated by the login failures), it's a clear sign of malicious intent. Immediate action is required to block or monitor the suspicious IP, investigate the nature of the attempts, and potentially notify affected users to take precautionary measures like password changes or enabling multi-factor authentication. -how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.CM"]} -known_false_positives = A source Ip failing to authenticate with multiple users in a short period of time is not common legitimate behavior. -providing_technologies = ["Microsoft Office 365"] - -[savedsearch://ESCU - O365 New Email Forwarding Rule Created - Rule] -type = detection -asset_type = O365 Tenant -confidence = medium -explanation = This detection is crafted to monitor and identify the creation of new email forwarding rules in an Office 365 environment. It specifically targets events logged under New-InboxRule and Set-InboxRule operations within o365_management_activity, indicating the establishment or modification of inbox rules that forward emails. The detection checks for the presence of parameters such as ForwardTo, ForwardAsAttachmentTo, and RedirectTo, which are key indicators of email forwarding behavior. -how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114", "T1114.003"], "nist": ["DE.CM"]} -known_false_positives = Users may create email forwarding rules for legitimate purposes. Filter as needed. -providing_technologies = ["Microsoft Office 365"] - -[savedsearch://ESCU - O365 New Email Forwarding Rule Enabled - Rule] -type = detection -asset_type = O365 Tenant -confidence = medium -explanation = This detection aims to identify instances where new email forwarding rules are created through the UpdateInboxRules operation within an Office 365 environment. Despite the operation name suggesting an update, this specific scenario involves the addition of new rules that direct emails to external recipients, captured under the ForwardToRecipientsAction. The analytic examines the OperationProperties to extract and validate forwarding addresses, ensuring they adhere to the expected email format. -how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114", "T1114.003"], "nist": ["DE.CM"]} -known_false_positives = Users may create email forwarding rules for legitimate purposes. Filter as needed. -providing_technologies = ["Microsoft Office 365"] - -[savedsearch://ESCU - O365 New Federated Domain Added - Rule] -type = detection -asset_type = O365 Tenant -confidence = medium -explanation = The following analytic identifies the addition of a new federated domain in an organization's Office 365 environment. This behavior is detected by analyzing the Office 365 management activity logs using the Splunk query o365_management_activity, specifically filtering for the Workload=Exchange and Operation="Add-FederatedDomain" parameters. The addition of a new federated domain can be a significant security concern, as it might indicate unauthorized changes or potential compromises within the Office 365 setup. Attackers, upon gaining sufficient privileges, could add a federated domain to establish a backdoor, bypass security measures, or exfiltrate data. Such unauthorized changes can lead to data breaches, unauthorized access to sensitive data, and potential compromise of organizational infrastructure. When this analytic is triggered, immediate steps should include reviewing the details of the added federated domain, such as the organization name, originating server, user ID, and user key. Concurrent processes or other indicators of compromise should also be investigated to pinpoint the source of the potential breach. -how_to_implement = You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.CM"]} -known_false_positives = The creation of a new Federated domain is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a similar or different cloud provider. -providing_technologies = ["Microsoft Office 365"] - -[savedsearch://ESCU - O365 New Forwarding Mailflow Rule Created - Rule] -type = detection -asset_type = O365 Tenant -confidence = medium -explanation = The following analytic monitors for the creation of new mail flow rules in Office 365 that could potentially redirect or copy emails to unauthorized or external addresses. This analytic works by querying the Office 365 Management Activity logs for any operation tagged as "New-TransportRule". It specifically looks for parameters indicative of mail forwarding actions, such as "BlindCopyTo", "CopyTo", and "RedirectMessageTo". If any of these parameters are present, indicating that a forwarding rule has been set up, the detection then captures the details of this rule, including the user ID responsible for the creation, the name of the rule, the forwarding target, and the timestamps of the rule's creation and last modification. -how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114"], "nist": ["DE.CM"]} -known_false_positives = Forwarding mail flow rules may be created for legitimate reasons, filter as needed. -providing_technologies = ["Microsoft Office 365"] - -[savedsearch://ESCU - O365 New MFA Method Registered - Rule] -type = detection -asset_type = O365 Tenant -confidence = medium -explanation = This analytic detects the registration of a new Multi-Factor Authentication (MFA) method associated with a user account within Office 365 by monitoring O365 audit logs and configurations. While adding a new MFA method can be a routine and legitimate action, it can also be indicative of an attacker's attempt to maintain persistence on a compromised account. By registering a new MFA method, attackers can potentially bypass existing security measures, allowing them to authenticate using stolen credentials without raising alarms. Monitoring for such changes is crucial, especially if the addition is not preceded by a user request or if it deviates from typical user behavior. If an attacker successfully registers a new MFA method on a compromised account, they can solidify their access, making it harder for legitimate users to regain control. The attacker can then operate with the privileges of the compromised account, potentially accessing sensitive data, making unauthorized changes, or even escalating their privileges further. Immediate action would be required to verify the legitimacy of the MFA change and, if malicious, to remediate and secure the affected account. -how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098", "T1098.005"], "nist": ["DE.CM"]} -known_false_positives = Users may register MFA methods legitimally, investigate and filter as needed. -providing_technologies = ["Microsoft Office 365"] - -[savedsearch://ESCU - O365 OAuth App Mailbox Access via EWS - Rule] -type = detection -asset_type = O365 Tenant -confidence = medium -explanation = The following analytic detects when emails are accessed in Office 365 Exchange via Exchange Web Services (EWS), as indicated by the ClientInfoString field starting with "Client=WebServices;ExchangeWebServices". It monitors mailbox activities, focusing on OAuth-authenticated applications that interact with EWS. The query aggregates key metrics such as access counts, timing, and client IP addresses, categorized by user, ClientAppId, OperationCount, and AppId. For defenders, it is critical to keep track of OAuth applications using EWS to access emails, as this information is instrumental in identifying and preventing potential abuse or unauthorized data access. -how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114.002"], "nist": ["DE.CM"]} -known_false_positives = OAuth applications may access mailboxes for legitimate purposes, you can use the src_ip to add trusted sources to an allow list. -providing_technologies = ["Microsoft Office 365"] - -[savedsearch://ESCU - O365 OAuth App Mailbox Access via Graph API - Rule] -type = detection -asset_type = O365 Tenant -confidence = medium -explanation = This Splunk analytic detects when emails are accessed in Office 365 Exchange via the Microsoft Graph API, identified by the client ID '00000003-0000-0000-c000-000000000000'. It tracks the 'MailItemsAccessed' operation within the Exchange workload, focusing on OAuth-authenticated applications. The query compiles statistics on access frequency, timing, and client IP addresses, organized by user, client application ID, and AppId. For defenders, it's crucial to maintain an inventory of all OAuth applications that read emails, using this data to scrutinize and identify any potential abusive access patterns. -how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114.002"], "nist": ["DE.CM"]} -known_false_positives = OAuth applications may access mailboxes for legitimate purposes, you can use the ClientAppId to add trusted applications to an allow list. -providing_technologies = ["Microsoft Office 365"] - -[savedsearch://ESCU - O365 Privileged Graph API Permission Assigned - Rule] -type = detection -asset_type = O365 Tenant -confidence = medium -explanation = This Splunk analytic detects the assignment of critical Graph API permissions in Azure AD using O365 Unified Audit Log as its data source. It focuses on three permissions, Application.ReadWrite.All (Entitlement ID 1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9), AppRoleAssignment.ReadWrite.All (06b708a9-e830-4db3-a914-8e69da51d44f), and RoleManagement.ReadWrite.Directory (9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8). These permissions, crucial for controlling Azure AD settings, pose a high risk if misused. The query monitors Azure Active Directory workload events in the Office 365 Management Activity, specifically 'Update application' operations. It extracts and analyzes data to spot when these permissions are granted, gathering details about the user, object, and user agent involved. Due to the significant control these permissions provide, immediate investigation is crucial upon detection to prevent unauthorized modifications. -how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002"], "nist": ["DE.CM"]} -known_false_positives = Privileged Graph API permissions may be assigned for legitimate purposes. Filter as needed. -providing_technologies = ["Microsoft Office 365"] - -[savedsearch://ESCU - O365 PST export alert - Rule] -type = detection -asset_type = O365 Tenant -confidence = medium -explanation = This analytic detects instances where a user has initiated an eDiscovery search or exported a PST file from the search results in an Office 365 environment. The detection leverages the Office 365 management activity logs, specifically filtering for events categorized under ThreatManagement with the name eDiscovery search started or exported. The initiation of an eDiscovery search or the export of a PST file can be indicative of data exfiltration attempts or unauthorized access to sensitive information. PST files often contain a wealth of sensitive data, including the content of emails. Monitoring for such activities is crucial as they can expose sensitive organizational communications and data. If confirmed as a malicious activity, it suggests that an attacker or insider threat is attempting to gather or exfiltrate data. This can lead to data breaches, loss of intellectual property, or unauthorized access to confidential communications. Immediate investigation is required to determine the scope and intent of the activity and to take appropriate remedial actions. -how_to_implement = You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114"], "nist": ["DE.CM"]} -known_false_positives = PST export can be done for legitimate purposes but due to the sensitive nature of its content it must be monitored. -providing_technologies = ["Microsoft Office 365"] - -[savedsearch://ESCU - O365 Security And Compliance Alert Triggered - Rule] -type = detection -asset_type = O365 Tenant -confidence = medium -explanation = The following detection is tailored to identify and act upon alerts generated by the Office 365 Security and Compliance Center, encompassing a broad spectrum of security and compliance issues indicative of potential threats or policy violations within the O365 workspace. -how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078", "T1078.004"], "nist": ["DE.CM"]} -known_false_positives = O365 Security and Compliance may also generate false positives or trigger on legitimate behavior, filter as needed. -providing_technologies = ["Microsoft Office 365"] - -[savedsearch://ESCU - O365 Service Principal New Client Credentials - Rule] -type = detection -asset_type = O365 Tenant -confidence = medium -explanation = The following analytic identifies the addition of new credentials for Service Principals in addition to existing legitimate credentials within a Office 365 tenant. These credentials include both x509 certificates and passwords. It leverages O365 audit logs, specifically events related to credential modifications or additions within the AzureActiveDirectory workload for service principals. Service principals represent application identities in Office 365 / AzureAD, and their credentials allow applications to authenticate and access resources. Adding new credentials or modifying existing ones can be an indication of configuration changes, but it can also be a sign of malicious intent If an attacker successfully adds or modifies credentials for a service principal, they can potentially use those credentials to authenticate as the application, gaining access to resources and data the application is permitted to access. This can lead to unauthorized data access, data exfiltration, or malicious operations performed under the guise of the application -how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098", "T1098.001"], "nist": ["DE.CM"]} -known_false_positives = Service Principal client credential modifications may be part of legitimate administrative operations. Filter as needed. -providing_technologies = ["Microsoft Office 365"] - -[savedsearch://ESCU - O365 Tenant Wide Admin Consent Granted - Rule] -type = detection -asset_type = O365 Tenant -confidence = medium -explanation = The following analytic identifies instances where admin consent is granted to an application within an Azure AD and Office 365 tenant. It leverages O365 audit logs, specifically events related to the admin consent action within the AzureActiveDirectory workload. The admin consent action allows applications to access data across the entire tenant, potentially encompassing a vast amount of organizational data. Given its broad scope and the sensitivity of some permissions that can only be granted via admin consent, it's crucial to monitor this action. Unauthorized or inadvertent granting of admin consent can lead to significant security risks, including data breaches, unauthorized data access, and potential compliance violations. If an attacker successfully tricks an administrator into granting admin consent to a malicious or compromised application, they can gain extensive and persistent access to organizational data. This can lead to data exfiltration, espionage, further malicious activities within the tenant, and potential breaches of compliance regulations -how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]} -known_false_positives = Legitimate applications may be granted tenant wide consent, filter as needed. -providing_technologies = ["Microsoft Office 365"] - -[savedsearch://ESCU - O365 User Consent Blocked for Risky Application - Rule] -type = detection -asset_type = O365 Tenant -confidence = medium -explanation = The following analytic identifies instances where Office 365 has blocked a user's attempt to grant consent to an application deemed risky or potentially malicious. This suggests that the application has exhibited behaviors or characteristics that are commonly associated with malicious intent or poses a security risk. This detection leverages the O365 audit logs, specifically focusing on events related to user consent actions and system-driven blocks. By filtering for blocked consent actions associated with applications, the analytic highlights instances where O365's built-in security measures have intervened. Applications that are flagged and blocked by O365 typically exhibit suspicious characteristics or behaviors. Monitoring for these blocked consent attempts helps security teams identify potential threats early on and can provide insights into users who might be targeted or susceptible to such risky applications. It's an essential layer of defense in ensuring that malicious or risky applications don't gain access to organizational data. If the detection is a true positive, it indicates that the built-in security measures of O365 successfully prevented a potentially harmful application from gaining access. However, the attempt itself suggests that either a user might be targeted or that there's a presence of malicious applications trying to infiltrate the organization. Immediate investigation is required to understand the context of the block and to take further preventive measures. -how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1528"], "nist": ["DE.CM"]} -known_false_positives = Microsofts algorithm to identify risky applications is unknown and may flag legitimate applications. -providing_technologies = ["Microsoft Office 365"] - -[savedsearch://ESCU - O365 User Consent Denied for OAuth Application - Rule] -type = detection -asset_type = O365 Tenant -confidence = medium -explanation = The following analytic identifies instances where a user has actively denied consent to an OAuth application seeking permissions within the Office 365 environment. This suggests that the user either recognized something suspicious about the application or chose not to grant it the requested permissions for other reasons. This detection leverages the O365 audit logs, specifically focusing on events related to user consent actions. By filtering for denied consent actions associated with OAuth applications, the analytic captures instances where users have actively rejected permission requests. While user-denied consents can be routine, they can also be indicative of users spotting potentially suspicious or unfamiliar applications. By monitoring these denied consent attempts, security teams can gain insights into applications that might be perceived as risky or untrusted by users. It can also serve as a feedback loop for security awareness training, indicating that users are being cautious about granting permissions. If the detection is a true positive, it indicates that a user has actively prevented an OAuth application from gaining the permissions it requested. While this is a proactive security measure on the user's part, it's essential for security teams to review the context of the denial. Understanding why certain applications are being denied can help in refining application whitelisting policies and ensuring that no malicious applications are attempting to gain access. -how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 events. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1528"], "nist": ["DE.CM"]} -known_false_positives = OAuth applications that require mail permissions may be legitimate, investigate and filter as needed. -providing_technologies = ["Microsoft Office 365"] - -[savedsearch://ESCU - Risk Rule for Dev Sec Ops by Repository - Rule] -type = detection -asset_type = Amazon Elastic Container Registry -confidence = medium -explanation = The following analytic detects by correlating repository and risk score to identify patterns and trends in the data based on the level of risk associated. The analytic adds any null values and calculates the sum of the risk scores for each detection. Then, the analytic captures the source and user information for each detection and sorts the results in ascending order based on the risk score. Finally, the analytic filters the detections with a risk score below 80 and focuses only on high-risk detections.This detection is important because it provides valuable insights into the distribution of high-risk activities across different repositories. It also identifies the most vulnerable repositories that are frequently targeted by potential threats. Additionally, it proactively detects and responds to potential threats, thereby minimizing the impact of attacks and safeguarding critical assets. Finally, it provides a comprehensive view of the risk landscape and helps to make informed decisions to protect the organization's data and infrastructure. False positives might occur so it is important to identify the impact of the attack and prioritize response and mitigation efforts. -how_to_implement = Ensure that all relevant detections in the Dev Sec Ops analytic stories are enabled and are configured to create risk events in Enterprise Security. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]} -known_false_positives = Unknown -providing_technologies = null - -[savedsearch://ESCU - Abnormally High AWS Instances Launched by User - Rule] -type = detection -asset_type = AWS Instance -confidence = medium -explanation = This search looks for AWS CloudTrail events where a user successfully launches an abnormally high number of instances. This search is deprecated and have been translated to use the latest Change Datamodel -how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. The threshold value should be tuned to your environment. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]} -known_false_positives = Many service accounts configured within an AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify if this search alerted on a human user. -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - Abnormally High AWS Instances Launched by User - MLTK - Rule] -type = detection -asset_type = AWS Instance -confidence = medium -explanation = This search looks for AWS CloudTrail events where a user successfully launches an abnormally high number of instances. This search is deprecated and have been translated to use the latest Change Datamodel. -how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. The threshold value should be tuned to your environment. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]} -known_false_positives = Many service accounts configured within an AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify if this search alerted on a human user. -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - Abnormally High AWS Instances Terminated by User - Rule] -type = detection -asset_type = AWS Instance -confidence = medium -explanation = This search looks for AWS CloudTrail events where an abnormally high number of instances were successfully terminated by a user in a 10-minute window. This search is deprecated and have been translated to use the latest Change Datamodel. -how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]} -known_false_positives = Many service accounts configured with your AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify whether this search alerted on a human user. -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - Abnormally High AWS Instances Terminated by User - MLTK - Rule] -type = detection -asset_type = AWS Instance -confidence = medium -explanation = This search looks for AWS CloudTrail events where a user successfully terminates an abnormally high number of instances. This search is deprecated and have been translated to use the latest Change Datamodel. -how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. The threshold value should be tuned to your environment. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]} -known_false_positives = Many service accounts configured within an AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify if this search alerted on a human user. -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - ASL AWS CreateAccessKey - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it's important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don't typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting. -how_to_implement = You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} -known_false_positives = While this search has no known false positives, it is possible that an AWS admin has legitimately created keys for another user. -providing_technologies = ["Amazon Security Lake"] - -[savedsearch://ESCU - ASL AWS Excessive Security Scanning - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = This search looks for AWS CloudTrail events and analyse the amount of eventNames which starts with Describe by a single user. This indicates that this user scans the configuration of your AWS cloud environment. -how_to_implement = You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.AE"]} -known_false_positives = While this search has no known false positives. -providing_technologies = ["Amazon Security Lake"] - -[savedsearch://ESCU - ASL AWS Password Policy Changes - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised. -how_to_implement = You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.AE"]} -known_false_positives = While this search has no known false positives, it is possible that an AWS admin has legitimately triggered an AWS audit tool activity which may trigger this event. -providing_technologies = ["Amazon Security Lake"] - -[savedsearch://ESCU - AWS Cloud Provisioning From Previously Unseen City - Rule] -type = detection -asset_type = AWS Instance -confidence = medium -explanation = This search looks for AWS provisioning activities from previously unseen cities. Provisioning activities are defined broadly as any event that begins with "Run" or "Create." This search is deprecated and have been translated to use the latest Change Datamodel. -how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the "Previously Seen AWS Provisioning Activity Sources" support search once to create a history of previously seen locations that have provisioned AWS resources. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1535"], "nist": ["DE.AE"]} -known_false_positives = This is a strictly behavioral search, so we define "false positive" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no "false positives" in a traditional sense, there is definitely lots of noise. \ -This search will fire any time a new city is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your city, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you. -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - AWS Cloud Provisioning From Previously Unseen Country - Rule] -type = detection -asset_type = AWS Instance -confidence = medium -explanation = This search looks for AWS provisioning activities from previously unseen countries. Provisioning activities are defined broadly as any event that begins with "Run" or "Create." This search is deprecated and have been translated to use the latest Change Datamodel. -how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the "Previously Seen AWS Provisioning Activity Sources" support search once to create a history of previously seen locations that have provisioned AWS resources. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1535"], "nist": ["DE.AE"]} -known_false_positives = This is a strictly behavioral search, so we define "false positive" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching over plus what is stored in the cache feature. But while there are really no \"false positives\" in a traditional sense, there is definitely lots of noise. \ -This search will fire any time a new country is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you. -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - AWS Cloud Provisioning From Previously Unseen IP Address - Rule] -type = detection -asset_type = AWS Instance -confidence = medium -explanation = This search looks for AWS provisioning activities from previously unseen IP addresses. Provisioning activities are defined broadly as any event that begins with "Run" or "Create." This search is deprecated and have been translated to use the latest Change Datamodel. -how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the "Previously Seen AWS Provisioning Activity Sources" support search once to create a history of previously seen locations that have provisioned AWS resources. -annotations = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -known_false_positives = This is a strictly behavioral search, so we define "false positive" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no "false positives" in a traditional sense, there is definitely lots of noise. \ -This search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you. -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - AWS Cloud Provisioning From Previously Unseen Region - Rule] -type = detection -asset_type = AWS Instance -confidence = medium -explanation = This search looks for AWS provisioning activities from previously unseen regions. Region in this context is similar to a state in the United States. Provisioning activities are defined broadly as any event that begins with "Run" or "Create." This search is deprecated and have been translated to use the latest Change Datamodel. -how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the "Previously Seen AWS Provisioning Activity Sources" support search once to create a history of previously seen locations that have provisioned AWS resources. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1535"], "nist": ["DE.AE"]} -known_false_positives = This is a strictly behavioral search, so we define "false positive" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no "false positives" in a traditional sense, there is definitely lots of noise. \ -This search will fire any time a new region is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your region, there should be few false positives. If you are located in regions where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you. -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - AWS EKS Kubernetes cluster sensitive object access - Rule] -type = detection -asset_type = AWS EKS Kubernetes cluster -confidence = medium -explanation = This search provides information on Kubernetes accounts accessing sensitve objects such as configmaps or secrets -how_to_implement = You must install Splunk Add-on for Amazon Web Services and Splunk App for AWS. This search works with cloudwatch logs. -annotations = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -known_false_positives = Sensitive object access is not necessarily malicious but user and object context can provide guidance for detection. -providing_technologies = null - -[savedsearch://ESCU - Clients Connecting to Multiple DNS Servers - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search allows you to identify the endpoints that have connected to more than five DNS servers and made DNS Queries over the time frame of the search. -how_to_implement = This search requires that DNS data is being ingested and populating the `Network_Resolution` data model. This data can come from DNS logs or from solutions that parse network traffic for this data, such as Splunk Stream or Bro. \ -This search produces fields (`dest_count`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry): \ -* **Label:** Distinct DNS Connections, **Field:** dest_count \ -Detailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details` -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048.003"], "nist": ["DE.CM"]} -known_false_positives = It's possible that an enterprise has more than five DNS servers that are configured in a round-robin rotation. Please customize the search, as appropriate. -providing_technologies = null - -[savedsearch://ESCU - Cloud Network Access Control List Deleted - Rule] -type = detection -asset_type = Instance -confidence = medium -explanation = Enforcing network-access controls is one of the defensive mechanisms used by cloud administrators to restrict access to a cloud instance. After the attacker has gained control of the console by compromising an admin account, they can delete a network ACL and gain access to the instance from anywhere. This search will query the Change datamodel to detect users deleting network ACLs. Deprecated because it's a duplicate -how_to_implement = You must be ingesting your cloud infrastructure logs from your cloud provider. You can also provide additional filtering for this search by customizing the `cloud_network_access_control_list_deleted_filter` macro. -annotations = {"cis20": ["CIS 13"], "nist": ["DE.AE"]} -known_false_positives = It's possible that a user has legitimately deleted a network ACL. -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - Correlation by Repository and Risk - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = This search has been deprecated and updated with Risk Rule for Dev Sec Ops by Repository detection. The following analytic detects by correlating repository and risk score to identify patterns and trends in the data based on the level of risk associated. The analytic adds any null values and calculates the sum of the risk scores for each detection. Then, the analytic captures the source and user information for each detection and sorts the results in ascending order based on the risk score. Finally, the analytic filters the detections with a risk score below 80 and focuses only on high-risk detections.This detection is important because it provides valuable insights into the distribution of high-risk activities across different repositories. It also identifies the most vulnerable repositories that are frequently targeted by potential threats. Additionally, it proactively detects and responds to potential threats, thereby minimizing the impact of attacks and safeguarding critical assets. Finally, it provides a comprehensive view of the risk landscape and helps to make informed decisions to protect the organization's data and infrastructure. False positives might occur so it is important to identify the impact of the attack and prioritize response and mitigation efforts. -how_to_implement = For Dev Sec Ops POC -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = null - -[savedsearch://ESCU - Correlation by User and Risk - Rule] -type = detection -asset_type = AWS Account -confidence = medium -explanation = The following analytic detects the correlation between the user and risk score and identifies users with a high risk score that pose a significant security risk such as unauthorized access attempts, suspicious behavior, or potential insider threats. Next, the analytic calculates the sum of the risk scores and groups the results by user, the corresponding signals, and the repository. The results are sorted in descending order based on the risk score and filtered to include records with a risk score greater than 80. Finally, the results are passed through a correlation filter specific to the user and risk. This detection is important because it identifies users who have a high risk score and helps to prioritize investigations and allocate resources. False positives might occur but the impact of such an attack can vary depending on the specific scenario such as data exfiltration, system compromise, or the disruption of critical services. Please investigate this notable event. -how_to_implement = For Dev Sec Ops POC -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = null - -[savedsearch://ESCU - Detect Activity Related to Pass the Hash Attacks - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search looks for specific authentication events from the Windows Security Event logs to detect potential attempts at using the Pass-the-Hash technique. This search is DEPRECATED as it is possible for event code 4624 to generate a high level of noise, as legitimate logon events may also trigger this event code. This can be especially true in environments with high levels of user activity, such as those with many concurrent logons or frequent logon attempts. -how_to_implement = To successfully implement this search, you must ingest your Windows Security Event logs and leverage the latest TA for Windows. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1550", "T1550.002"], "nist": ["DE.AE"]} -known_false_positives = Legitimate logon activity by authorized NTLM systems may be detected by this search. Please investigate as appropriate. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Detect API activity from users without MFA - Rule] -type = detection -asset_type = AWS Instance -confidence = medium -explanation = This search looks for AWS CloudTrail events where a user logged into the AWS account, is making API calls and has not enabled Multi Factor authentication. Multi factor authentication adds a layer of security by forcing the users to type a unique authentication code from an approved authentication device when they access AWS websites or services. AWS Best Practices recommend that you enable MFA for privileged IAM users. -how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. Leverage the support search `Create a list of approved AWS service accounts`: run it once every 30 days to create a list of service accounts and validate them. \ -This search produces fields (`eventName`,`userIdentity.type`,`userIdentity.arn`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry): \ -* **Label:** AWS Event Name, **Field:** eventName \ -* **Label:** AWS User ARN, **Field:** userIdentity.arn \ -* **Label:** AWS User Type, **Field:** userIdentity.type \ -Detailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details` -annotations = {"cis20": ["CIS 13"], "nist": ["DE.AE"]} -known_false_positives = Many service accounts configured within an AWS infrastructure do not have multi factor authentication enabled. Please ignore the service accounts, if triggered and instead add them to the aws_service_accounts.csv file to fine tune the detection. It is also possible that the search detects users in your environment using Single Sign-On systems, since the MFA is not handled by AWS. -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - Detect AWS API Activities From Unapproved Accounts - Rule] -type = detection -asset_type = AWS Instance -confidence = medium -explanation = This search looks for successful AWS CloudTrail activity by user accounts that are not listed in the identity table or `aws_service_accounts.csv`. It returns event names and count, as well as the first and last time a specific user or service is detected, grouped by users. Deprecated because managing this list can be quite hard. -how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. You must also populate the `identity_lookup_expanded` lookup shipped with the Asset and Identity framework to be able to look up users in your identity table in Enterprise Security (ES). Leverage the support search called "Create a list of approved AWS service accounts": run it once every 30 days to create and validate a list of service accounts. \ -This search produces fields (`eventName`,`firstTime`,`lastTime`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry): \ -* **Label:** AWS Event Name, **Field:** eventName \ -* **Label:** First Time, **Field:** firstTime \ -* **Label:** Last Time, **Field:** lastTime \ -Detailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details` -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]} -known_false_positives = It's likely that you'll find activity detected by users/service accounts that are not listed in the `identity_lookup_expanded` or ` aws_service_accounts.csv` file. If the user is a legitimate service account, update the `aws_service_accounts.csv` table with that entry. -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - Detect DNS requests to Phishing Sites leveraging EvilGinx2 - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search looks for DNS requests for phishing domains that are leveraging EvilGinx tools to mimic websites. -how_to_implement = You need to ingest data from your DNS logs in the Network_Resolution datamodel. Specifically you must ingest the domain that is being queried and the IP of the host originating the request. Ideally, you should also be ingesting the answer to the query and the query type. This approach allows you to also create your own localized passive DNS capability which can aid you in future investigations. You will have to add legitimate domain names to the `legit_domains.csv` file shipped with the app. \ -**Splunk>Phantom Playbook Integration** \ -If Splunk>Phantom is also configured in your environment, a Playbook called `Lets Encrypt Domain Investigate` can be configured to run when any results are found by this detection search. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`, add the correct hostname to the "Phantom Instance" field in the Adaptive Response Actions when configuring this detection search, and set the corresponding Playbook to active. \ -(Playbook link:`https://my.phantom.us/4.2/playbook/lets-encrypt-domain-investigate/`) -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.003"], "nist": ["DE.CM"]} -known_false_positives = If a known good domain is not listed in the legit_domains.csv file, then the search could give you false postives. Please update that lookup file to filter out DNS requests to legitimate domains. -providing_technologies = null - -[savedsearch://ESCU - Detect Long DNS TXT Record Response - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search is used to detect attempts to use DNS tunneling, by calculating the length of responses to DNS TXT queries. Endpoints using DNS as a method of transmission for data exfiltration, Command And Control, or evasion of security controls can often be detected by noting unusually large volumes of DNS traffic. Deprecated because this detection should focus on DNS queries instead of DNS responses. -how_to_implement = To successfully implement this search you need to ingest data from your DNS logs, or monitor DNS traffic using Stream, Bro or something similar. Specifically, this query requires that the DNS data model is populated with information regarding the DNS record type that is being returned as well as the data in the answer section of the protocol. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048.003"], "nist": ["DE.CM"]} -known_false_positives = It's possible that legitimate TXT record responses can be long enough to trigger this search. You can modify the packet threshold for this search to help mitigate false positives. -providing_technologies = null - -[savedsearch://ESCU - Detect Mimikatz Using Loaded Images - Rule] -type = detection -asset_type = Windows -confidence = medium -explanation = This search looks for reading loaded Images unique to credential dumping with Mimikatz. Deprecated because mimikatz libraries changed and very noisy sysmon Event Code. -how_to_implement = This search needs Sysmon Logs and a sysmon configuration, which includes EventCode 7 with powershell.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} -known_false_positives = Other tools can import the same DLLs. These tools should be part of a whitelist. False positives may be present with any process that authenticates or uses credentials, PowerShell included. Filter based on parent process. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Detect Mimikatz Via PowerShell And EventCode 4703 - Rule] -type = detection -asset_type = Windows -confidence = medium -explanation = This search looks for PowerShell requesting privileges consistent with credential dumping. Deprecated, looks like things changed from a logging perspective. -how_to_implement = You must be ingesting Windows Security logs. You must also enable the account change auditing here: http://docs.splunk.com/Documentation/Splunk/7.0.2/Data/MonitorWindowseventlogdata. Additionally, this search requires you to enable your Group Management Audit Logs in your Local Windows Security Policy and to be ingesting those logs. More information on how to enable them can be found here: http://whatevernetworks.com/auditing-group-membership-changes-in-active-directory/. Finally, please make sure that the local administrator group name is "Administrators" to be able to look for the right group membership changes. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001"], "nist": ["DE.CM"]} -known_false_positives = The activity may be legitimate. PowerShell is often used by administrators to perform various tasks, and it's possible this event could be generated in those cases. In these cases, false positives should be fairly obvious and you may need to tweak the search to eliminate noise. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Detect new API calls from user roles - Rule] -type = detection -asset_type = AWS Instance -confidence = medium -explanation = This search detects new API calls that have either never been seen before or that have not been seen in the previous hour, where the identity type is `AssumedRole`. -how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the "Previously seen API call per user roles in AWS CloudTrail" support search once to create a history of previously seen user roles. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]} -known_false_positives = It is possible that there are legitimate user roles making new or infrequently used API calls in your infrastructure, causing the search to trigger. -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - Detect new user AWS Console Login - Rule] -type = detection -asset_type = AWS Instance -confidence = medium -explanation = This search looks for AWS CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert is fired if the user has logged into the console for the first time within the last hour. Deprecated now this search is updated to use the Authentication datamodel. -how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. Run the "Previously seen users in AWS CloudTrail" support search only once to create a baseline of previously seen IAM users within the last 30 days. Run "Update previously seen users in AWS CloudTrail" hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]} -known_false_positives = When a legitimate new user logins for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate. -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - Detect Spike in AWS API Activity - Rule] -type = detection -asset_type = AWS Instance -confidence = medium -explanation = This search will detect users creating spikes of API activity in your AWS environment. It will also update the cache file that factors in the latest data. This search is deprecated and have been translated to use the latest Change Datamodel. -how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points required to have a statistically significant amount of data to determine. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike. \ -This search produces fields (`eventName`,`numberOfApiCalls`,`uniqueApisCalled`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry): \ -* **Label:** AWS Event Name, **Field:** eventName \ -* **Label:** Number of API Calls, **Field:** numberOfApiCalls \ -* **Label:** Unique API Calls, **Field:** uniqueApisCalled \ -Detailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details` -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]} -known_false_positives = None. -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - Detect Spike in Network ACL Activity - Rule] -type = detection -asset_type = AWS Instance -confidence = medium -explanation = This search will detect users creating spikes in API activity related to network access-control lists (ACLs)in your AWS environment. This search is deprecated and have been translated to use the latest Change Datamodel. -how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points required to have a statistically significant amount of data to determine. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike. This search works best when you run the "Baseline of Network ACL Activity by ARN" support search once to create a lookup file of previously seen Network ACL Activity. To add or remove API event names related to network ACLs, edit the macro `network_acl_events`. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.007"], "nist": ["DE.AE"]} -known_false_positives = The false-positive rate may vary based on the values of`dataPointThreshold` and `deviationThreshold`. Please modify this according the your environment. -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - Detect Spike in Security Group Activity - Rule] -type = detection -asset_type = AWS Instance -confidence = medium -explanation = This search will detect users creating spikes in API activity related to security groups in your AWS environment. It will also update the cache file that factors in the latest data. This search is deprecated and have been translated to use the latest Change Datamodel. -how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points required to have a statistically significant amount of data to determine. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike.This search works best when you run the "Baseline of Security Group Activity by ARN" support search once to create a history of previously seen Security Group Activity. To add or remove API event names for security groups, edit the macro `security_group_api_calls`. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]} -known_false_positives = Based on the values of`dataPointThreshold` and `deviationThreshold`, the false positive rate may vary. Please modify this according the your environment. -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - Detect USB device insertion - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The search is used to detect hosts that generate Windows Event ID 4663 for successful attempts to write to or read from a removable storage and Event ID 4656 for failures, which occurs when a USB drive is plugged in. In this scenario we are querying the Change_Analysis data model to look for Windows Event ID 4656 or 4663 where the priority of the affected host is marked as high in the ES Assets and Identity Framework. -how_to_implement = To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663 and 4656. Ensure that the field from the event logs is being mapped to the result_id field in the Change_Analysis data model. To minimize the alert volume, this search leverages the Assets and Identity framework to filter out events from those assets not marked high priority in the Enterprise Security Assets and Identity Framework. -annotations = {"cis20": ["CIS 10"], "nist": ["DE.CM"]} -known_false_positives = Legitimate USB activity will also be detected. Please verify and investigate as appropriate. -providing_technologies = null - -[savedsearch://ESCU - Detect web traffic to dynamic domain providers - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search looks for web connections to dynamic DNS providers. -how_to_implement = This search requires you to be ingesting web-traffic logs. You can obtain these logs from indexing data from a web proxy or by using a network-traffic-analysis tool, such as Bro or Splunk Stream. The web data model must contain the URL being requested, the IP address of the host initiating the request, and the destination IP. This search also leverages a lookup file, `dynamic_dns_providers_default.csv`, which contains a non-exhaustive list of dynamic DNS providers. Consider periodically updating this local lookup file with new domains. \ -This search produces fields (`isDynDNS`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry): \ -* **Label:** IsDynamicDNS, **Field:** isDynDNS \ -Detailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details` Deprecated because duplicate. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1071.001"], "nist": ["DE.CM"]} -known_false_positives = It is possible that list of dynamic DNS providers is outdated and/or that the URL being requested is legitimate. -providing_technologies = null - -[savedsearch://ESCU - Detection of DNS Tunnels - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search is used to detect DNS tunneling, by calculating the sum of the length of DNS queries and DNS answers. The search also filters out potential false positives by filtering out queries made to internal systems and the queries originating from internal DNS, Web, and Email servers. Endpoints using DNS as a method of transmission for data exfiltration, Command And Control, or evasion of security controls can often be detected by noting an unusually large volume of DNS traffic. \ -NOTE:Deprecated because existing detection is doing the same. This detection is replaced with two other variations, if you are using MLTK then you can use this search `ESCU - DNS Query Length Outliers - MLTK - Rule` or use the standard deviation version `ESCU - DNS Query Length With High Standard Deviation - Rule`, as an alternantive. -how_to_implement = To successfully implement this search, we must ensure that DNS data is being ingested and mapped to the appropriate fields in the Network_Resolution data model. Fields like src_category are automatically provided by the Assets and Identity Framework shipped with Splunk Enterprise Security. You will need to ensure you are using the Assets and Identity Framework and populating the src_category field. You will also need to enable the `cim_corporate_web_domain_search()` macro which will essentially filter out the DNS queries made to the corporate web domains to reduce alert fatigue. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048.003"], "nist": ["DE.CM"]} -known_false_positives = It's possible that normal DNS traffic will exhibit this behavior. If an alert is generated, please investigate and validate as appropriate. The threshold can also be modified to better suit your environment. -providing_technologies = null - -[savedsearch://ESCU - DNS Query Requests Resolved by Unauthorized DNS Servers - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search will detect DNS requests resolved by unauthorized DNS servers. Legitimate DNS servers should be identified in the Enterprise Security Assets and Identity Framework. -how_to_implement = To successfully implement this search you will need to ensure that DNS data is populating the Network_Resolution data model. It also requires that your DNS servers are identified correctly in the Assets and Identity table of Enterprise Security. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1071.004"], "nist": ["DE.CM"]} -known_false_positives = Legitimate DNS activity can be detected in this search. Investigate, verify and update the list of authorized DNS servers as appropriate. -providing_technologies = null - -[savedsearch://ESCU - DNS record changed - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The search takes the DNS records and their answers results of the discovered_dns_records lookup and finds if any records have changed by searching DNS response from the Network_Resolution datamodel across the last day. -how_to_implement = To successfully implement this search you will need to ensure that DNS data is populating the `Network_Resolution` data model. It also requires that the `discover_dns_record` lookup table be populated by the included support search "Discover DNS record". \ -**Splunk>Phantom Playbook Integration** \ -If Splunk>Phantom is also configured in your environment, a Playbook called "DNS Hijack Enrichment" can be configured to run when any results are found by this detection search. The playbook takes in the DNS record changed and uses Geoip, whois, Censys and PassiveTotal to detect if DNS issuers changed. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`, add the correct hostname to the \"Phantom Instance\" field in the Adaptive Response Actions when configuring this detection search, and set the corresponding Playbook to active. \ -(Playbook Link:`https://my.phantom.us/4.2/playbook/dns-hijack-enrichment/`) -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1071.004"], "nist": ["DE.CM"]} -known_false_positives = Legitimate DNS changes can be detected in this search. Investigate, verify and update the list of provided current answers for the domains in question as appropriate. -providing_technologies = null - -[savedsearch://ESCU - Dump LSASS via procdump Rename - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = Detect a renamed instance of procdump.exe dumping the lsass process. This query looks for both -mm and -ma usage. -mm will produce a mini dump file and -ma will write a dump file with all process memory. Both are highly suspect and should be reviewed. Modify the query as needed. \ -During triage, confirm this is procdump.exe executing. If it is the first time a Sysinternals utility has been ran, it is possible there will be a -accepteula on the command line. Review other endpoint data sources for cross process (injection) into lsass.exe. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001"], "nist": ["DE.AE"]} -known_false_positives = None identified. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - EC2 Instance Modified With Previously Unseen User - Rule] -type = detection -asset_type = AWS Instance -confidence = medium -explanation = This search looks for EC2 instances being modified by users who have not previously modified them. This search is deprecated and have been translated to use the latest Change Datamodel. -how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the "Previously Seen EC2 Launches By User" support search once to create a history of previously seen ARNs. To add or remove APIs that modify an EC2 instance, edit the macro `ec2_modification_api_calls`. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]} -known_false_positives = It's possible that a new user will start to modify EC2 instances when they haven't before for any number of reasons. Verify with the user that is modifying instances that this is the intended behavior. -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - EC2 Instance Started In Previously Unseen Region - Rule] -type = detection -asset_type = AWS Instance -confidence = medium -explanation = This search looks for AWS CloudTrail events where an instance is started in a particular region in the last one hour and then compares it to a lookup file of previously seen regions where an instance was started -how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. Run the "Previously seen AWS Regions" support search only once to create of baseline of previously seen regions. This search is deprecated and have been translated to use the latest Change Datamodel. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1535"], "nist": ["DE.AE"]} -known_false_positives = It's possible that a user has unknowingly started an instance in a new region. Please verify that this activity is legitimate. -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - EC2 Instance Started With Previously Unseen AMI - Rule] -type = detection -asset_type = AWS Instance -confidence = medium -explanation = This search looks for EC2 instances being created with previously unseen AMIs. This search is deprecated and have been translated to use the latest Change Datamodel. -how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the "Previously Seen EC2 AMIs" support search once to create a history of previously seen AMIs. -annotations = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -known_false_positives = After a new AMI is created, the first systems created with that AMI will cause this alert to fire. Verify that the AMI being used was created by a legitimate user. -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - EC2 Instance Started With Previously Unseen Instance Type - Rule] -type = detection -asset_type = AWS Instance -confidence = medium -explanation = This search looks for EC2 instances being created with previously unseen instance types. This search is deprecated and have been translated to use the latest Change Datamodel. -how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the "Previously Seen EC2 Instance Types" support search once to create a history of previously seen instance types. -annotations = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -known_false_positives = It is possible that an admin will create a new system using a new instance type never used before. Verify with the creator that they intended to create the system with the new instance type. -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - EC2 Instance Started With Previously Unseen User - Rule] -type = detection -asset_type = AWS Instance -confidence = medium -explanation = This search looks for EC2 instances being created by users who have not created them before. This search is deprecated and have been translated to use the latest Change Datamodel. -how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the "Previously Seen EC2 Launches By User" support search once to create a history of previously seen ARNs. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]} -known_false_positives = It's possible that a user will start to create EC2 instances when they haven't before for any number of reasons. Verify with the user that is launching instances that this is the intended behavior. -providing_technologies = ["Amazon Web Services - Cloudtrail"] - -[savedsearch://ESCU - Execution of File With Spaces Before Extension - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search looks for processes launched from files with at least five spaces in the name before the extension. This is typically done to obfuscate the file extension by pushing it outside of the default view. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036.003"], "nist": ["DE.CM"]} -known_false_positives = None identified. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Extended Period Without Successful Netbackup Backups - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search returns a list of hosts that have not successfully completed a backup in over a week. Deprecated because it's a infrastructure monitoring. -how_to_implement = To successfully implement this search you need to first obtain data from your backup solution, either from the backup logs on your hosts, or from a central server responsible for performing the backups. If you do not use Netbackup, you can modify this search for your backup solution. Depending on how often you backup your systems, you may want to modify how far in the past to look for a successful backup, other than the default of seven days. -annotations = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -known_false_positives = None identified -providing_technologies = null - -[savedsearch://ESCU - First time seen command line argument - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search looks for command-line arguments that use a `/c` parameter to execute a command that has not previously been seen. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.001", "T1059.003"], "nist": ["DE.AE"]} -known_false_positives = Legitimate programs can also use command-line arguments to execute. Please verify the command-line arguments to check what command/program is being executed. We recommend customizing the `first_time_seen_cmd_line_filter` macro to exclude legitimate parent_process_name -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - GCP Detect accounts with high risk roles by project - Rule] -type = detection -asset_type = GCP Account -confidence = medium -explanation = This search provides detection of accounts with high risk roles by projects. Compromised accounts with high risk roles can move laterally or even scalate privileges at different projects depending on organization schema. -how_to_implement = You must install splunk GCP add-on. This search works with gcp:pubsub:message logs -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} -known_false_positives = Accounts with high risk roles should be reduced to the minimum number needed, however specific tasks and setups may be simply expected behavior within organization -providing_technologies = ["Google Cloud Platform", "Google Workspace"] - -[savedsearch://ESCU - GCP Detect high risk permissions by resource and account - Rule] -type = detection -asset_type = GCP Account -confidence = medium -explanation = This search provides detection of high risk permissions by resource and accounts. These are permissions that can allow attackers with compromised accounts to move laterally and escalate privileges. -how_to_implement = You must install splunk GCP add-on. This search works with gcp:pubsub:message logs -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} -known_false_positives = High risk permissions are part of any GCP environment, however it is important to track resource and accounts usage, this search may produce false positives. -providing_technologies = ["Google Cloud Platform", "Google Workspace"] - -[savedsearch://ESCU - gcp detect oauth token abuse - Rule] -type = detection -asset_type = GCP Account -confidence = medium -explanation = This search provides detection of possible GCP Oauth token abuse. GCP Oauth token without time limit can be exfiltrated and reused for keeping access sessions alive without further control of authentication, allowing attackers to access and move laterally. -how_to_implement = You must install splunk GCP add-on. This search works with gcp:pubsub:message logs -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} -known_false_positives = GCP Oauth token abuse detection will only work if there are access policies in place along with audit logs. -providing_technologies = ["Google Cloud Platform", "Google Workspace"] - -[savedsearch://ESCU - GCP Kubernetes cluster scan detection - Rule] -type = detection -asset_type = GCP Kubernetes cluster -confidence = medium -explanation = This search provides information of unauthenticated requests via user agent, and authentication data against Kubernetes cluster -how_to_implement = You must install the GCP App for Splunk (version 2.0.0 or later), then configure stackdriver and set a Pub/Sub subscription to be imported to Splunk. You must also install Cloud Infrastructure data model.Customize the macro kubernetes_gcp_scan_fingerprint_attack_detection to filter out FPs. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.CM"]} -known_false_positives = Not all unauthenticated requests are malicious, but frequency, User Agent and source IPs will provide context. -providing_technologies = ["Google Cloud Platform", "Google Workspace"] - -[savedsearch://ESCU - Identify New User Accounts - Rule] -type = detection -asset_type = Domain Server -confidence = medium -explanation = This detection search will help profile user accounts in your environment by identifying newly created accounts that have been added to your network in the past week. -how_to_implement = To successfully implement this search, you need to be populating the Enterprise Security Identity_Management data model in the assets and identity framework. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.002"], "nist": ["DE.AE"]} -known_false_positives = If the Identity_Management data model is not updated regularly, this search could give you false positive alerts. Please consider this and investigate appropriately. -providing_technologies = null - -[savedsearch://ESCU - Kubernetes AWS detect most active service accounts by pod - Rule] -type = detection -asset_type = AWS EKS Kubernetes cluster -confidence = medium -explanation = This search provides information on Kubernetes service accounts,accessing pods by IP address, verb and decision -how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs -annotations = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -known_false_positives = Not all service accounts interactions are malicious. Analyst must consider IP, verb and decision context when trying to detect maliciousness. -providing_technologies = ["Kubernetes"] - -[savedsearch://ESCU - Kubernetes AWS detect RBAC authorization by account - Rule] -type = detection -asset_type = AWS EKS Kubernetes cluster -confidence = medium -explanation = This search provides information on Kubernetes RBAC authorizations by accounts, this search can be modified by adding top to see both extremes of RBAC by accounts occurrences -how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs -annotations = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -known_false_positives = Not all RBAC Authorications are malicious. RBAC authorizations can uncover malicious activity specially if sensitive Roles have been granted. -providing_technologies = ["Kubernetes"] - -[savedsearch://ESCU - Kubernetes AWS detect sensitive role access - Rule] -type = detection -asset_type = AWS EKS Kubernetes cluster -confidence = medium -explanation = This search provides information on Kubernetes accounts accessing sensitve objects such as configmpas or secrets -how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs. -annotations = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -known_false_positives = Sensitive role resource access is necessary for cluster operation, however source IP, namespace and user group may indicate possible malicious use. -providing_technologies = ["Kubernetes"] - -[savedsearch://ESCU - Kubernetes AWS detect service accounts forbidden failure access - Rule] -type = detection -asset_type = AWS EKS Kubernetes cluster -confidence = medium -explanation = This search provides information on Kubernetes service accounts with failure or forbidden access status, this search can be extended by using top or rare operators to find trends or rarities in failure status, user agents, source IPs and request URI -how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs. -annotations = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -known_false_positives = This search can give false positives as there might be inherent issues with authentications and permissions at cluster. -providing_technologies = ["Kubernetes"] - -[savedsearch://ESCU - Kubernetes Azure active service accounts by pod namespace - Rule] -type = detection -asset_type = Azure AKS Kubernetes cluster -confidence = medium -explanation = This search provides information on Kubernetes service accounts,accessing pods and namespaces by IP address and verb -how_to_implement = You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics -annotations = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -known_false_positives = Not all service accounts interactions are malicious. Analyst must consider IP and verb context when trying to detect maliciousness. -providing_technologies = ["Kubernetes"] - -[savedsearch://ESCU - Kubernetes Azure detect RBAC authorization by account - Rule] -type = detection -asset_type = Azure AKS Kubernetes cluster -confidence = medium -explanation = This search provides information on Kubernetes RBAC authorizations by accounts, this search can be modified by adding rare or top to see both extremes of RBAC by accounts occurrences -how_to_implement = You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics -annotations = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -known_false_positives = Not all RBAC Authorications are malicious. RBAC authorizations can uncover malicious activity specially if sensitive Roles have been granted. -providing_technologies = ["Kubernetes"] - -[savedsearch://ESCU - Kubernetes Azure detect sensitive object access - Rule] -type = detection -asset_type = Azure AKS Kubernetes cluster -confidence = medium -explanation = This search provides information on Kubernetes accounts accessing sensitve objects such as configmpas or secrets -how_to_implement = You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics -annotations = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -known_false_positives = Sensitive object access is not necessarily malicious but user and object context can provide guidance for detection. -providing_technologies = ["Kubernetes"] - -[savedsearch://ESCU - Kubernetes Azure detect sensitive role access - Rule] -type = detection -asset_type = Azure AKS Kubernetes cluster -confidence = medium -explanation = This search provides information on Kubernetes accounts accessing sensitve objects such as configmpas or secrets -how_to_implement = You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics -annotations = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -known_false_positives = Sensitive role resource access is necessary for cluster operation, however source IP, namespace and user group may indicate possible malicious use. -providing_technologies = ["Kubernetes"] - -[savedsearch://ESCU - Kubernetes Azure detect service accounts forbidden failure access - Rule] -type = detection -asset_type = Azure AKS Kubernetes cluster -confidence = medium -explanation = This search provides information on Kubernetes service accounts with failure or forbidden access status -how_to_implement = You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics -annotations = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -known_false_positives = This search can give false positives as there might be inherent issues with authentications and permissions at cluster. -providing_technologies = ["Kubernetes"] - -[savedsearch://ESCU - Kubernetes Azure detect suspicious kubectl calls - Rule] -type = detection -asset_type = Azure AKS Kubernetes cluster -confidence = medium -explanation = This search provides information on rare Kubectl calls with IP, verb namespace and object access context -how_to_implement = You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics -annotations = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -known_false_positives = Kubectl calls are not malicious by nature. However source IP, verb and Object can reveal potential malicious activity, specially suspicious IPs and sensitive objects such as configmaps or secrets -providing_technologies = ["Kubernetes"] - -[savedsearch://ESCU - Kubernetes Azure pod scan fingerprint - Rule] -type = detection -asset_type = Azure AKS Kubernetes cluster -confidence = medium -explanation = This search provides information of unauthenticated requests via source IP user agent, request URI and response status data against Kubernetes cluster pod in Azure -how_to_implement = You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics -annotations = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -known_false_positives = Not all unauthenticated requests are malicious, but source IPs, userAgent, verb, request URI and response status will provide context. -providing_technologies = ["Kubernetes"] - -[savedsearch://ESCU - Kubernetes Azure scan fingerprint - Rule] -type = detection -asset_type = Azure AKS Kubernetes cluster -confidence = medium -explanation = This search provides information of unauthenticated requests via source IP user agent, request URI and response status data against Kubernetes cluster in Azure -how_to_implement = You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.AE"]} -known_false_positives = Not all unauthenticated requests are malicious, but source IPs, userAgent, verb, request URI and response status will provide context. -providing_technologies = ["Kubernetes"] - -[savedsearch://ESCU - Kubernetes GCP detect most active service accounts by pod - Rule] -type = detection -asset_type = GCP GKE Kubernetes cluster -confidence = medium -explanation = This search provides information on Kubernetes service accounts,accessing pods by IP address, verb and decision -how_to_implement = You must install splunk GCP add on. This search works with pubsub messaging service logs -annotations = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -known_false_positives = Not all service accounts interactions are malicious. Analyst must consider IP, verb and decision context when trying to detect maliciousness. -providing_technologies = ["Google Cloud Platform", "Google Workspace", "Kubernetes"] - -[savedsearch://ESCU - Kubernetes GCP detect RBAC authorizations by account - Rule] -type = detection -asset_type = GCP GKE Kubernetes cluster -confidence = medium -explanation = This search provides information on Kubernetes RBAC authorizations by accounts, this search can be modified by adding top to see both extremes of RBAC by accounts occurrences -how_to_implement = You must install splunk AWS add on for GCP. This search works with pubsub messaging service logs -annotations = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -known_false_positives = Not all RBAC Authorications are malicious. RBAC authorizations can uncover malicious activity specially if sensitive Roles have been granted. -providing_technologies = ["Google Cloud Platform", "Google Workspace", "Kubernetes"] - -[savedsearch://ESCU - Kubernetes GCP detect sensitive object access - Rule] -type = detection -asset_type = GCP GKE Kubernetes cluster -confidence = medium -explanation = This search provides information on Kubernetes accounts accessing sensitve objects such as configmaps or secrets -how_to_implement = You must install splunk add on for GCP . This search works with pubsub messaging service logs. -annotations = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -known_false_positives = Sensitive object access is not necessarily malicious but user and object context can provide guidance for detection. -providing_technologies = ["Google Cloud Platform", "Google Workspace", "Kubernetes"] - -[savedsearch://ESCU - Kubernetes GCP detect sensitive role access - Rule] -type = detection -asset_type = GCP GKE EKS Kubernetes cluster -confidence = medium -explanation = This search provides information on Kubernetes accounts accessing sensitve objects such as configmpas or secrets -how_to_implement = You must install splunk add on for GCP. This search works with pubsub messaging servicelogs. -annotations = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -known_false_positives = Sensitive role resource access is necessary for cluster operation, however source IP, user agent, decision and reason may indicate possible malicious use. -providing_technologies = ["Google Cloud Platform", "Google Workspace", "Kubernetes"] - -[savedsearch://ESCU - Kubernetes GCP detect service accounts forbidden failure access - Rule] -type = detection -asset_type = GCP GKE Kubernetes cluster -confidence = medium -explanation = This search provides information on Kubernetes service accounts with failure or forbidden access status, this search can be extended by using top or rare operators to find trends or rarities in failure status, user agents, source IPs and request URI -how_to_implement = You must install splunk add on for GCP. This search works with pubsub messaging service logs. -annotations = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -known_false_positives = This search can give false positives as there might be inherent issues with authentications and permissions at cluster. -providing_technologies = ["Google Cloud Platform", "Google Workspace", "Kubernetes"] - -[savedsearch://ESCU - Kubernetes GCP detect suspicious kubectl calls - Rule] -type = detection -asset_type = GCP GKE Kubernetes cluster -confidence = medium -explanation = This search provides information on anonymous Kubectl calls with IP, verb namespace and object access context -how_to_implement = You must install splunk add on for GCP. This search works with pubsub messaging logs. -annotations = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -known_false_positives = Kubectl calls are not malicious by nature. However source IP, source user, user agent, object path, and authorization context can reveal potential malicious activity, specially anonymous suspicious IPs and sensitive objects such as configmaps or secrets -providing_technologies = ["Google Cloud Platform", "Google Workspace", "Kubernetes"] - -[savedsearch://ESCU - Monitor DNS For Brand Abuse - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search looks for DNS requests for faux domains similar to the domains that you want to have monitored for abuse. -how_to_implement = You need to ingest data from your DNS logs. Specifically you must ingest the domain that is being queried and the IP of the host originating the request. Ideally, you should also be ingesting the answer to the query and the query type. This approach allows you to also create your own localized passive DNS capability which can aid you in future investigations. You also need to have run the search "ESCU - DNSTwist Domain Names", which creates the permutations of the domain that will be checked for. You also need the [`dnstwist`](https://gist.github.com/d1vious/c4c2aae7fa7d5cbb1f24adc5f6303ac1) custom command. -annotations = {"cis20": ["CIS 13"], "nist": ["DE.CM"]} -known_false_positives = None at this time -providing_technologies = null - -[savedsearch://ESCU - Multiple Okta Users With Invalid Credentials From The Same IP - Rule] -type = detection -asset_type = Okta Tenant -confidence = medium -explanation = **DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta Multiple Users Failing To Authenticate From Ip`. This analytic identifies multiple failed logon attempts from a single IP in a short period of time. Use this analytic to identify patterns of suspicious logins from a single source and filter as needed or use this to drive tuning for higher fidelity analytics. -how_to_implement = This search is specific to Okta and requires Okta logs are being ingested in your Splunk deployment. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1110.003", "T1078", "T1078.001"], "nist": ["DE.CM"]} -known_false_positives = A single public IP address servicing multiple legitmate users may trigger this search. In addition, the threshold of 5 distinct users may be too low for your needs. You may modify the included filter macro `multiple_okta_users_with_invalid_credentials_from_the_same_ip_filter` to raise the threshold or except specific IP adresses from triggering this search. -providing_technologies = ["Okta"] - -[savedsearch://ESCU - O365 Suspicious Admin Email Forwarding - Rule] -type = detection -asset_type = O365 Tenant -confidence = medium -explanation = **DEPRECATION NOTE** - This search has been deprecated and replaced with `O365 Mailbox Email Forwarding Enabled`. This search detects when an admin configured a forwarding rule for multiple mailboxes to the same destination. -how_to_implement = You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114.003", "T1114"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Microsoft Office 365"] - -[savedsearch://ESCU - O365 Suspicious Rights Delegation - Rule] -type = detection -asset_type = O365 Tenant -confidence = medium -explanation = **DEPRECATION NOTE** - This search has been deprecated and replaced with `O365 Elevated Mailbox Permission Assigned`. This analytic identifies instances where potentially suspicious rights are delegated within the Office 365 environment. Specifically, it detects when a user is granted FullAccess, SendAs, or SendOnBehalf permissions on another users mailbox. Such permissions can allow a user to access, send emails from, or send emails on behalf of the target mailbox. The detection leverages O365 audit logs, focusing on the Add-MailboxPermission operation. By parsing the parameters of this operation, the analytic filters for events where FullAccess, SendAs, or SendOnBehalf rights are granted. It then aggregates this data to capture the source user (who was granted the permissions), the destination user (whose mailbox was affected), the specific operation, and the type of access rights granted. Delegating mailbox rights, especially those as powerful as FullAccess, can pose significant security risks. While there are legitimate scenarios for these permissions, such as an executive assistant needing access to an executives mailbox, there are also malicious scenarios where an attacker or a compromised insider might grant themselves unauthorized access to sensitive mailboxes. Monitoring for these permissions changes is crucial to detect potential insider threats, compromised accounts, or other malicious activities.If the detection is a true positive, it indicates that a user has been granted potentially high-risk permissions on another users mailbox. This could lead to unauthorized access to sensitive emails, impersonation through sending emails as or on behalf of the mailbox owner, or data manipulation by altering or deleting emails. Immediate investigation is required to validate the legitimacy of the permission change and to assess the potential risks associated with the granted access. -how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1114.002", "T1114", "T1098.002", "T1098"], "nist": ["DE.CM"]} -known_false_positives = While there are legitimate scenarios for these permissions, such as an executive assistant needing access to an executive's mailbox, there are also malicious scenarios. Investigate and filter as needed. -providing_technologies = ["Microsoft Office 365"] - -[savedsearch://ESCU - O365 Suspicious User Email Forwarding - Rule] -type = detection -asset_type = O365 Tenant -confidence = medium -explanation = **DEPRECATION NOTE** - This search has been deprecated and replaced with `O365 Mailbox Email Forwarding Enabled`. The following analytic detects when multiple users have configured a forwarding rule to the same destination to proactively identify and investigate potential security risks related to email forwarding and take appropriate actions to protect the organizations data and prevent unauthorized access or data breaches. This detection is made by a Splunk query to O365 management activity logs with the operation `Set-Mailbox` to gather information about mailbox configurations. Then, the query uses the `spath` function to extract the parameters and rename the "Identity" field as "src_user" and searches for entries where the "ForwardingSmtpAddress" field is not empty, which indicates the presence of a forwarding rule. Next, the analytic uses the `stats` command to group the results by the forwarding email address and count the number of unique source users (`src_user`). Finally, it filters the results and only retains entries where the count of source users (`count_src_user`) is greater than 1, which indicates that multiple users have set up forwarding rules to the same destination. This detection is important because it suggests that multiple users are forwarding emails to the same destination without proper authorization, which can lead to the exposure of sensitive information, loss of data control, or unauthorized access to confidential emails. Investigating and addressing this issue promptly can help prevent data breaches and mitigate potential damage.indicates a potential security risk since multiple users forwarding emails to the same destination can be a sign of unauthorized access, data exfiltration, or a compromised account. Additionally, it also helps to determine if the forwarding rules are legitimate or if they indicate a security incident. False positives can occur if there are legitimate reasons for multiple users to forward emails to the same destination, such as a shared mailbox or a team collaboration scenario. Next steps include further investigation and context analysis to determine the legitimacy of the forwarding rules. -how_to_implement = You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114.003", "T1114"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Microsoft Office 365"] - -[savedsearch://ESCU - Okta Account Locked Out - Rule] -type = detection -asset_type = Infrastructure -confidence = medium -explanation = **DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta Multiple Accounts Locked Out`. The following analytic utilizes the user.acount.lock event to identify associates who are locked out of Okta. An adversary attempting to brute force or password spray account names may lock accounts out depending on the threshold. -how_to_implement = This analytic is specific to Okta and requires Okta logs to be ingested. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110"], "nist": ["DE.AE"]} -known_false_positives = False positives may be present. Tune Okta and tune the analytic to ensure proper fidelity. Modify risk score as needed. Drop to anomaly until tuning is complete. -providing_technologies = ["Okta"] - -[savedsearch://ESCU - Okta Account Lockout Events - Rule] -type = detection -asset_type = Infrastructure -confidence = medium -explanation = **DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta Multiple Accounts Locked Out`. The following anomaly will generate based on account lockout events utilizing Okta eventTypes of user.account.lock.limit or user.account.lock. Per the Okta docs site, this event is fired when a user account has reached the lockout limit. The account will not auto-unlock and a user or client cannot gain access to the account. This event indicates an account that will not be able to log in until remedial action is taken by the account admin. This event can be used to understand the specifics of an account lockout. Often this indicates a client application that is repeatedly attempting to authenticate with invalid credentials such as an old password. -how_to_implement = This analytic is specific to Okta and requires Okta logs to be ingested. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.AE"]} -known_false_positives = None. Account lockouts should be followed up on to determine if the actual user was the one who caused the lockout, or if it was an unauthorized actor. -providing_technologies = ["Okta"] - -[savedsearch://ESCU - Okta Failed SSO Attempts - Rule] -type = detection -asset_type = Infrastructure -confidence = medium -explanation = **DEPRECATION NOTE** - This search has been deprecated and replaced with this detection `Okta Unauthorized Access to Application - DM`. The following anomaly identifies failed Okta SSO events utilizing the legacy Okta event "unauth app access attempt". -how_to_implement = This search is specific to Okta and requires Okta logs are being ingested in your Splunk deployment. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.AE"]} -known_false_positives = There may be a faulty config preventing legitmate users from accessing apps they should have access to. -providing_technologies = ["Okta"] - -[savedsearch://ESCU - Okta ThreatInsight Login Failure with High Unknown users - Rule] -type = detection -asset_type = Infrastructure -confidence = medium -explanation = **DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta ThreatInsight Threat Detected`. The following analytic utilizes Oktas ThreatInsight to identify Login failures with high unknown users count and any included secondary outcome reasons. This event will trigger when a brute force attempt occurs with unknown usernames attempted. -how_to_implement = This search is specific to Okta and requires Okta logs to be ingested in your Splunk deployment. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078", "T1078.001", "T1110.004"], "nist": ["DE.CM"]} -known_false_positives = Fidelity of this is high as it is Okta ThreatInsight. Filter and modify as needed. -providing_technologies = ["Okta"] - -[savedsearch://ESCU - Okta ThreatInsight Suspected PasswordSpray Attack - Rule] -type = detection -asset_type = Infrastructure -confidence = medium -explanation = **DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta ThreatInsight Threat Detected`. The following analytic utilizes Oktas ThreatInsight to identify "PasswordSpray" and any included secondary outcome reasons. This event will trigger when a brute force attempt occurs with unknown usernames attempted. -how_to_implement = This search is specific to Okta and requires Okta logs to be ingested in your Splunk deployment. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078", "T1078.001", "T1110.003"], "nist": ["DE.CM"]} -known_false_positives = Fidelity of this is high as it is Okta ThreatInsight. Filter and modify as needed. -providing_technologies = ["Okta"] - -[savedsearch://ESCU - Okta Two or More Rejected Okta Pushes - Rule] -type = detection -asset_type = Infrastructure -confidence = medium -explanation = **DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta Multiple Failed MFA Requests For User`. The following analytic identifies an account that has rejected more than 2 Push notifications in a 10 minute window. Modify this query for your environment by upping the count or time window. -how_to_implement = This analytic is specific to Okta and requires Okta logs to be ingested. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110"], "nist": ["DE.CM"]} -known_false_positives = False positives may be present. Tune Okta and tune the analytic to ensure proper fidelity. Modify risk score as needed. Drop to anomaly until tuning is complete. -providing_technologies = ["Okta"] - -[savedsearch://ESCU - Open Redirect in Splunk Web - Rule] -type = detection -asset_type = Splunk Server -confidence = medium -explanation = This search allows you to look for evidence of exploitation for CVE-2016-4859, the Splunk Open Redirect Vulnerability. -how_to_implement = No extra steps needed to implement this search. -annotations = {"cis20": ["CIS 13"], "nist": ["DE.CM"]} -known_false_positives = None identified -providing_technologies = null - -[savedsearch://ESCU - Osquery pack - ColdRoot detection - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search looks for ColdRoot events from the osx-attacks osquery pack. -how_to_implement = In order to properly run this search, Splunk needs to ingest data from your osquery deployed agents with the [osx-attacks.conf](https://github.com/facebook/osquery/blob/experimental/packs/osx-attacks.conf#L599) pack enabled. Also the [TA-OSquery](https://github.com/d1vious/TA-osquery) must be deployed across your indexers and universal forwarders in order to have the osquery data populate the Alerts data model -annotations = {"cis20": ["CIS 10"], "nist": ["DE.CM"]} -known_false_positives = There are no known false positives. -providing_technologies = null - -[savedsearch://ESCU - Processes created by netsh - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search looks for processes launching netsh.exe to execute various commands via the netsh command-line utility. Netsh.exe is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper .dll when netsh.exe is executed. In this search, we are looking for processes spawned by netsh.exe that are executing commands via the command line. Deprecated because we have another detection of the same type. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.004"], "nist": ["DE.CM"]} -known_false_positives = It is unusual for netsh.exe to have any child processes in most environments. It makes sense to investigate the child process and verify whether the process spawned is legitimate. We explicitely exclude "C:\Program Files\rempl\sedlauncher.exe" process path since it is a legitimate process by Mircosoft. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Prohibited Software On Endpoint - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search looks for applications on the endpoint that you have marked as prohibited. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -known_false_positives = None identified -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Reg exe used to hide files directories via registry keys - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The search looks for command-line arguments used to hide a file or directory using the reg add command. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1564.001"], "nist": ["DE.CM"]} -known_false_positives = None at the moment -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Remote Registry Key modifications - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search monitors for remote modifications to registry keys. -how_to_implement = To successfully implement this search, you must populate the `Endpoint` data model. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry. Deprecated because I don't think the logic is right. -annotations = {"cis20": ["CIS 10"], "nist": ["DE.CM"]} -known_false_positives = This technique may be legitimately used by administrators to modify remote registries, so it's important to filter these events out. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Scheduled tasks used in BadRabbit ransomware - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search looks for flags passed to schtasks.exe on the command-line that indicate that task names related to the execution of Bad Rabbit ransomware were created or deleted. Deprecated because we already have a similar detection -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.005"], "nist": ["DE.CM"]} -known_false_positives = No known false positives -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Spectre and Meltdown Vulnerable Systems - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The search is used to detect systems that are still vulnerable to the Spectre and Meltdown vulnerabilities. -how_to_implement = The search requires that you are ingesting your vulnerability-scanner data and that it reports the CVE of the vulnerability identified. -annotations = {"cis20": ["CIS 10"], "nist": ["DE.CM"]} -known_false_positives = It is possible that your vulnerability scanner is not detecting that the patches have been applied. -providing_technologies = null - -[savedsearch://ESCU - Splunk Enterprise Information Disclosure - Rule] -type = detection -asset_type = Splunk Server -confidence = medium -explanation = This search allows you to look for evidence of exploitation for CVE-2018-11409, a Splunk Enterprise Information Disclosure Bug. -how_to_implement = The REST endpoint that exposes system information is also necessary for the proper operation of Splunk clustering and instrumentation. Whitelisting your Splunk systems will reduce false positives. -annotations = {"cis20": ["CIS 13"], "nist": ["DE.CM"]} -known_false_positives = Retrieving server information may be a legitimate API request. Verify that the attempt is a valid request for information. -providing_technologies = null - -[savedsearch://ESCU - Suspicious Changes to File Associations - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search looks for changes to registry values that control Windows file associations, executed by a process that is not typical for legitimate, routine changes to this area. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1546.001"], "nist": ["DE.CM"]} -known_false_positives = There may be other processes in your environment that users may legitimately use to modify file associations. If this is the case and you are finding false positives, you can modify the search to add those processes as exceptions. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Suspicious Email - UBA Anomaly - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This detection looks for emails that are suspicious because of their sender, domain rareness, or behavior differences. This is an anomaly generated by Splunk User Behavior Analytics (UBA). -how_to_implement = You must be ingesting data from email logs and have Splunk integrated with UBA. This anomaly is raised by a UBA detection model called "SuspiciousEmailDetectionModel." Ensure that this model is enabled on your UBA instance. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566"], "nist": ["DE.AE"]} -known_false_positives = This detection model will alert on any sender domain that is seen for the first time. This could be a potential false positive. The next step is to investigate and add the URL to an allow list if you determine that it is a legitimate sender. -providing_technologies = null - -[savedsearch://ESCU - Suspicious File Write - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The search looks for files created with names that have been linked to malicious activity. -how_to_implement = You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or via other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file system reads and writes. In addition, this search leverages an included lookup file that contains the names of the files to watch for, as well as a note to communicate why that file name is being monitored. This lookup file can be edited to add or remove file the file names you want to monitor. -annotations = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -known_false_positives = It's possible for a legitimate file to be created with the same name as one noted in the lookup file. Filenames listed in the lookup file should be unique enough that collisions are rare. Looking at the location of the file and the process responsible for the activity can help determine whether or not the activity is legitimate. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Suspicious Powershell Command-Line Arguments - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search looks for PowerShell processes started with a base64 encoded command-line passed to it, with parameters to modify the execution policy for the process, and those that prevent the display of an interactive prompt to the user. This combination of command-line options is suspicious because it overrides the default PowerShell execution policy, attempts to hide itself from the user, and passes an encoded script to be run on the command-line. Deprecated because almost the same as Malicious PowerShell Process - Encoded Command -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.001"], "nist": ["DE.CM"]} -known_false_positives = Legitimate process can have this combination of command-line options, but it's not common. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Suspicious Rundll32 Rename - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following hunting analytic identifies renamed instances of rundll32.exe executing. rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. During investigation, validate it is the legitimate rundll32.exe executing and what script content it is loading. This query relies on the original filename or internal name from the PE meta data. Expand the query as needed by looking for specific command line arguments outlined in other analytics. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1036", "T1218.011", "T1036.003"], "nist": ["DE.AE"]} -known_false_positives = Although unlikely, some legitimate applications may use a moved copy of rundll32, triggering a false positive. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Suspicious writes to System Volume Information - Rule] -type = detection -asset_type = Windows -confidence = medium -explanation = This search detects writes to the 'System Volume Information' folder by something other than the System process. -how_to_implement = You need to be ingesting logs with both the process name and command-line from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036"], "nist": ["DE.AE"]} -known_false_positives = It is possible that other utilities or system processes may legitimately write to this folder. Investigate and modify the search to include exceptions as appropriate. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Uncommon Processes On Endpoint - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search looks for applications on the endpoint that you have marked as uncommon. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.002"], "nist": ["DE.AE"]} -known_false_positives = None identified -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Unsigned Image Loaded by LSASS - Rule] -type = detection -asset_type = Windows -confidence = medium -explanation = This search detects loading of unsigned images by LSASS. Deprecated because too noisy. -how_to_implement = This search needs Sysmon Logs with a sysmon configuration, which includes EventCode 7 with lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001"], "nist": ["DE.CM"]} -known_false_positives = Other tools could load images into LSASS for legitimate reason. But enterprise tools should always use signed DLLs. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Unsuccessful Netbackup backups - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search gives you the hosts where a backup was attempted and then failed. -how_to_implement = To successfully implement this search you need to obtain data from your backup solution, either from the backup logs on your endpoints or from a central server responsible for performing the backups. If you do not use Netbackup, you can modify this search for your specific backup solution. -annotations = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -known_false_positives = None identified -providing_technologies = null - -[savedsearch://ESCU - Web Fraud - Account Harvesting - Rule] -type = detection -asset_type = Account -confidence = medium -explanation = This search is used to identify the creation of multiple user accounts using the same email domain name. -how_to_implement = We start with a dataset that provides visibility into the email address used for the account creation. In this example, we are narrowing our search down to the single web page that hosts the Magento2 e-commerce platform (via URI) used for account creation, the single http content-type to grab only the user's clicks, and the http field that provides the username (form_data), for performance reasons. After we have the username and email domain, we look for numerous account creations per email domain. Common data sources used for this detection are customized Apache logs or Splunk Stream. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136"], "nist": ["DE.CM"]} -known_false_positives = As is common with many fraud-related searches, we are usually looking to attribute risk or synthesize relevant context with loosely written detections that simply detect anamolous behavior. This search will need to be customized to fit your environment—improving its fidelity by counting based on something much more specific, such as a device ID that may be present in your dataset. Consideration for whether the large number of registrations are occuring from a first-time seen domain may also be important. Extending the search window to look further back in time, or even calculating the average per hour/day for each email domain to look for an anomalous spikes, will improve this search. You can also use Shannon entropy or Levenshtein Distance (both courtesy of URL Toolbox) to consider the randomness or similarity of the email name or email domain, as the names are often machine-generated. -providing_technologies = null - -[savedsearch://ESCU - Web Fraud - Anomalous User Clickspeed - Rule] -type = detection -asset_type = Account -confidence = medium -explanation = This search is used to examine web sessions to identify those where the clicks are occurring too quickly for a human or are occurring with a near-perfect cadence (high periodicity or low standard deviation), resembling a script driven session. -how_to_implement = Start with a dataset that allows you to see clickstream data for each user click on the website. That data must have a time stamp and must contain a reference to the session identifier being used by the website. This ties the clicks together into clickstreams. This value is usually found in the http cookie. With a bit of tuning, a version of this search could be used in high-volume scenarios, such as scraping, crawling, application DDOS, credit-card testing, account takeover, etc. Common data sources used for this detection are customized Apache logs, customized IIS, and Splunk Stream. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} -known_false_positives = As is common with many fraud-related searches, we are usually looking to attribute risk or synthesize relevant context with loosly written detections that simply detect anamoluous behavior. -providing_technologies = null - -[savedsearch://ESCU - Web Fraud - Password Sharing Across Accounts - Rule] -type = detection -asset_type = Account -confidence = medium -explanation = This search is used to identify user accounts that share a common password. -how_to_implement = We need to start with a dataset that allows us to see the values of usernames and passwords that users are submitting to the website hosting the Magento2 e-commerce platform (commonly found in the HTTP form_data field). A tokenized or hashed value of a password is acceptable and certainly preferable to a clear-text password. Common data sources used for this detection are customized Apache logs, customized IIS, and Splunk Stream. -annotations = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -known_false_positives = As is common with many fraud-related searches, we are usually looking to attribute risk or synthesize relevant context with loosely written detections that simply detect anamoluous behavior. -providing_technologies = null - -[savedsearch://ESCU - Windows connhost exe started forcefully - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The search looks for the Console Window Host process (connhost.exe) executed using the force flag -ForceV1. This is not regular behavior in the Windows OS and is often seen executed by the Ryuk Ransomware. DEPRECATED This event is actually seen in the windows 10 client of attack_range_local. After further testing we realized this is not specific to Ryuk. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.003"], "nist": ["DE.CM"]} -known_false_positives = This process should not be ran forcefully, we have not see any false positives for this detection -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows DLL Search Order Hijacking Hunt - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following hunting analytic is an experimental query built against a accidental feature using the latest Sysmon TA 3.0 (https://splunkbase.splunk.com/app/5709/) which maps the module load (ImageLoaded) to process_name. This analytic will deprecate once this is fixed. This hunting analytic identifies known libraries in Windows that may be used in a DLL search order hijack or DLL Sideloading setting. This may require recompiling the DLL, moving the DLL or moving the vulnerable process. The query looks for any running out of system32 or syswow64. Some libraries natively run out of other application paths and will need to be added to the exclusion as needed. The lookup is comprised of Microsoft native libraries identified within the Hijacklibs.net project. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.001", "T1574"], "nist": ["DE.AE"]} -known_false_positives = False positives will be present based on paths. Filter or add other paths to the exclusion as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows hosts file modification - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The search looks for modifications to the hosts file on all Windows endpoints across your environment. -how_to_implement = To successfully implement this search, you must be ingesting data that records the file-system activity from your hosts to populate the Endpoint.Filesystem data model node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or by other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file-system reads and writes. -annotations = {"cis20": ["CIS 10"], "nist": ["DE.CM"]} -known_false_positives = There may be legitimate reasons for system administrators to add entries to this file. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - 3CX Supply Chain Attack Network Indicators - Rule] -type = detection -asset_type = Network -confidence = medium -explanation = The following analytic identifies DNS queries to domains associated with the 3CX supply chain attack. It leverages the Network_Resolution datamodel to detect these suspicious domain indicators. This activity is significant because it can indicate a potential compromise stemming from the 3CX supply chain attack, which is known for distributing malicious software through trusted updates. If confirmed malicious, this activity could allow attackers to establish a foothold in the network, exfiltrate sensitive data, or further propagate malware, leading to extensive damage and data breaches. -how_to_implement = To successfully implement this search you need to be ingesting information into the `Network Resolution` datamodel in the `DNS` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA''s are installed. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1195.002"], "nist": ["DE.CM"]} -known_false_positives = False positives will be present for accessing the 3cx[.]com website. Remove from the lookup as needed. -providing_technologies = null - -[savedsearch://ESCU - 7zip CommandLine To SMB Share Path - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search is to detect a suspicious 7z process with commandline pointing to SMB network share. This technique was seen in CONTI LEAK tools where it use 7z to archive a sensitive files and place it in network share tmp folder. This search is a good hunting query that may give analyst a hint why specific user try to archive a file pointing to SMB user which is un usual. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1560.001", "T1560"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Access LSASS Memory for Dump Creation - Rule] -type = detection -asset_type = Windows -confidence = medium -explanation = The following analytic detects the dumping of the LSASS process memory, which occurs during credential dumping attacks.The detection is made by using Sysmon logs, specifically EventCode 10, which is related to lsass.exe. This helps to search for indicators of LSASS memory dumping such as specific call traces to dbgcore.dll and dbghelp.dll. This detection is important because it prevents credential dumping attacks and the theft of sensitive information such as login credentials, which can be used to gain unauthorized access to systems and data. False positives might occur due to legitimate administrative tasks. Next steps include reviewing and investigating each case, given the high risk associated with potential credential dumping attacks. -how_to_implement = This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 10 for lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} -known_false_positives = Administrators can create memory dumps for debugging purposes, but memory dumps of the LSASS process would be unusual. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Account Discovery With Net App - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search is to detect a potential account discovery series of command used by several malware or attack to recon the target machine. This technique is also seen in some note worthy malware like trickbot where it runs a cmd process, or even drop its module that will execute the said series of net command. This series of command are good correlation search and indicator of attacker recon if seen in the machines within a none technical user or department (HR, finance, ceo and etc) network. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]} -known_false_positives = Admin or power user may used this series of command. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Active Directory Lateral Movement Identified - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The primary objective of this correlation rule is to detect and alert on potential lateral movement activities within an organization's Active Directory (AD) environment. By identifying multiple analytics associated with the Active Directory Lateral Movement analytic story, security analysts can gain better insight into possible threats and respond accordingly to mitigate risks. The correlation rule will trigger an alert when multiple analytics from the Active Directory Lateral Movement analytic story are detected within a specified time frame. The rule will generate an alert if a predetermined threshold of correlated analytics is reached within the specified time frame. This threshold can be customized to suit the needs and risk appetite of the organization. -how_to_implement = Splunk Enterprise Security is required to utilize this correlation. In addition, modify the source_count value to your environment. In our testing, a count of 4 or 5 was decent in a lab, but the number may need to be increased as the analytic story includes over 30 analytics. In addition, based on false positives, modify any analytics to be anomaly and lower or increase risk based on organization importance. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1210"], "nist": ["DE.AE"]} -known_false_positives = False positives will most likely be present based on risk scoring and how the organization handles system to system communication. Filter, or modify as needed. In addition to count by analytics, adding a risk score may be useful. In our testing, with 22 events over 30 days, the risk scores ranged from 500 to 80,000. Your organization will be different, monitor and modify as needed. -providing_technologies = null - -[savedsearch://ESCU - Active Directory Privilege Escalation Identified - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The primary objective of this correlation rule is to detect and alert on potential privilege escalation activities within an organization's Active Directory (AD) environment. By identifying multiple analytics associated with the Active Directory Privilege Escalation analytic story, security analysts can gain better insight into possible threats and respond accordingly to mitigate risks. The correlation rule will trigger an alert when multiple analytics from the Active Directory Privilege Escalation analytic story are detected within a specified time frame. The rule will generate an alert if a predetermined threshold of correlated analytics is reached within the specified time frame. This threshold can be customized to suit the needs and risk appetite of the organization. -how_to_implement = Splunk Enterprise Security is required to utilize this correlation. In addition, modify the source_count value to your environment. In our testing, a count of 4 or 5 was decent in a lab, but the number may need to be increased as the analytic story includes over 30 analytics. In addition, based on false positives, modify any analytics to be anomaly and lower or increase risk based on organization importance. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484"], "nist": ["DE.AE"]} -known_false_positives = False positives will most likely be present based on risk scoring and how the organization handles system to system communication. Filter, or modify as needed. In addition to count by analytics, adding a risk score may be useful. In our testing, with 22 events over 30 days, the risk scores ranged from 500 to 80,000. Your organization will be different, monitor and modify as needed. -providing_technologies = null - -[savedsearch://ESCU - Active Setup Registry Autostart - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is to detect a suspicious modification of the active setup registry for persistence and privilege escalation. This technique was seen in several malware (poisonIvy), adware and APT to gain persistence to the compromised machine upon boot up. This TTP is a good indicator to further check the process id that do the modification since modification of this registry is not commonly done. check the legitimacy of the file and process involve in this rules to check if it is a valid setup installer that creating or modifying this registry. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1547.014", "T1547"], "nist": ["DE.CM"]} -known_false_positives = Active setup installer may add or modify this registry. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Add DefaultUser And Password In Registry - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = this search is to detect a suspicious registry modification to implement auto admin logon to a host. This technique was seen in BlackMatter ransomware to automatically logon to the compromise host after triggering a safemode boot to continue encrypting the whole network. This behavior is not a common practice and really a suspicious TTP or alert need to be consider if found within then network premise. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.002", "T1552"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Add or Set Windows Defender Exclusion - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic will identify a suspicious process command-line related to Windows Defender exclusion feature. This command is abused by adversaries, malware authors and red teams to bypass Windows Defender Antivirus products by excluding folder path, file path, process and extensions. From its real time or schedule scan to execute their malicious code. This is a good indicator for defense evasion and to look further for events after this behavior. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -known_false_positives = Admin or user may choose to use this windows features. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - AdsiSearcher Account Discovery - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain groups. Red Teams and adversaries may leverage `[Adsisearcher]` to enumerate domain users for situational awareness and Active Directory Discovery. -how_to_implement = The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]} -known_false_positives = Administrators or power users may use this command for troubleshooting. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Allow File And Printing Sharing In Firewall - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search is to detect a suspicious modification of firewall to allow file and printer sharing. This technique was seen in ransomware to be able to discover more machine connected to the compromised host to encrypt more files -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.007", "T1562"], "nist": ["DE.CM"]} -known_false_positives = network admin may modify this firewall feature that may cause this rule to be triggered. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Allow Inbound Traffic By Firewall Rule Registry - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects a potential suspicious modification of firewall rule registry allowing inbound traffic in specific port with public profile. This technique was identified when an adversary wants to grant remote access to a machine by allowing the traffic in a firewall rule. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.CM"]} -known_false_positives = network admin may add/remove/modify public inbound firewall rule that may cause this rule to be triggered. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Allow Inbound Traffic In Firewall Rule - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies suspicious PowerShell command to allow inbound traffic inbound to a specific local port within the public profile. This technique was seen in some attacker want to have a remote access to a machine by allowing the traffic in firewall rule. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the powershell logs from your endpoints. make sure you enable needed registry to monitor this event. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.CM"]} -known_false_positives = administrator may allow inbound traffic in certain network or machine. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Allow Network Discovery In Firewall - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search is to detect a suspicious modification to the firewall to allow network discovery on a machine. This technique was seen in couple of ransomware (revil, reddot) to discover other machine connected to the compromised host to encrypt more files. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.007", "T1562"], "nist": ["DE.CM"]} -known_false_positives = network admin may modify this firewall feature that may cause this rule to be triggered. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Allow Operation with Consent Admin - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic identifies a potential privilege escalation attempt to perform malicious task. This registry modification is designed to allow the `Consent Admin` to perform an operation that requires elevation without consent or credentials. We also found this in some attacker to gain privilege escalation to the compromise machine. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Anomalous usage of 7zip - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following detection identifies a 7z.exe spawned from `Rundll32.exe` or `Dllhost.exe`. It is assumed that the adversary has brought in `7z.exe` and `7z.dll`. It has been observed where an adversary will rename `7z.exe`. Additional coverage may be required to identify the behavior of renamed instances of `7z.exe`. During triage, identify the source of injection into `Rundll32.exe` or `Dllhost.exe`. Capture any files written to disk and analyze as needed. Review parallel processes for additional behaviors. Typically, archiving files will result in exfiltration. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1560.001", "T1560"], "nist": ["DE.AE"]} -known_false_positives = False positives should be limited as this behavior is not normal for `rundll32.exe` or `dllhost.exe` to spawn and run 7zip. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Any Powershell DownloadFile - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the use of PowerShell downloading a file using `DownloadFile` method. This particular method is utilized in many different PowerShell frameworks to download files and output to disk. Identify the source (IP/domain) and destination file and triage appropriately. If AMSI logging or PowerShell transaction logs are available, review for further details of the implant. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control", "Installation"], "mitre_attack": ["T1059", "T1059.001", "T1105"], "nist": ["DE.CM"]} -known_false_positives = False positives may be present and filtering will need to occur by parent process or command line argument. It may be required to modify this query to an EDR product for more granular coverage. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Any Powershell DownloadString - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the use of PowerShell downloading a file using `DownloadString` method. This particular method is utilized in many different PowerShell frameworks to download files and output to disk. Identify the source (IP/domain) and destination file and triage appropriately. If AMSI logging or PowerShell transaction logs are available, review for further details of the implant. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control", "Installation"], "mitre_attack": ["T1059", "T1059.001", "T1105"], "nist": ["DE.CM"]} -known_false_positives = False positives may be present and filtering will need to occur by parent process or command line argument. It may be required to modify this query to an EDR product for more granular coverage. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Attacker Tools On Endpoint - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the use of tools that are commonly exploited by cybercriminals since these tools are usually associated with malicious activities such as unauthorized access, network scanning, or data exfiltration and pose a significant threat to an organization's security infrastructure. It also provides enhanced visibility into potential security threats and helps to proactively detect and respond to mitigate the risks associated with cybercriminal activities. This detection is made by examining the process activity on the host, specifically focusing on processes that are known to be associated with attacker tool names. This detection is important because it acts as an early warning system for potential security incidents that allows you to respond to security incidents promptly. False positives might occur due to legitimate administrative activities that can resemble malicious actions. You must develop a comprehensive understanding of typical endpoint activities and behaviors within the organization to accurately interpret and respond to the alerts generated by this analytic. This ensures a proper balance between precision and minimizing false positives. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Reconnaissance"], "mitre_attack": ["T1036.005", "T1036", "T1003", "T1595"], "nist": ["DE.CM"]} -known_false_positives = Some administrator activity can be potentially triggered, please add those users to the filter macro. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Attempt To Add Certificate To Untrusted Store - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects whether a process is attempting to add a certificate to the untrusted certificate store, which might result in security tools being disabled. The detection is made by focusing on process activities and command-line arguments that are related to the 'certutil -addstore' command. This detection is important because it helps to identify attackers who might add a certificate to the untrusted certificate store to disable security tools and gain unauthorized access to a system. False positives might occur since legitimate reasons might exist for a process to add a certificate to the untrusted certificate store, such as system administration tasks. Next steps include conducting an extensive triage and investigation prior to taking any action. Additionally, you must understand the importance of trust and its subversion in system security. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1553.004", "T1553"], "nist": ["DE.CM"]} -known_false_positives = There may be legitimate reasons for administrators to add a certificate to the untrusted certificate store. In such cases, this will typically be done on a large number of systems. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Attempt To Stop Security Service - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects attempts to stop security-related services on the endpoint and helps to mitigate potential threats earlier, thereby minimizing the impact on the organization's security. The detection is made by using a Splunk query that searches for processes that involve the "sc.exe" command and include the phrase "stop" in their command. The query collects information such as the process name, process ID, parent process, user, destination, and timestamps. The detection is important because attempts to stop security-related services can indicate malicious activity or an attacker's attempt to disable security measures. This can impact the organization's security posture and can lead to the compromise of the endpoint and potentially the entire network. Disabling security services can allow attackers to gain unauthorized access, exfiltrate sensitive data, or launch further attacks, such as malware installation or privilege escalation. False positives might occur since there might be legitimate reasons for stopping these services in certain situations. Therefore, you must exercise caution and consider the context of the activity before taking any action. Next steps include reviewing the identified process and its associated details. You must also investigate any on-disk artifacts related to the process and review concurrent processes to determine the source of the attack. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -known_false_positives = None identified. Attempts to disable security-related services should be identified and understood. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Attempted Credential Dump From Registry via Reg exe - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the execution of reg.exe with parameters that export registry keys containing hashed credentials. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving reg.exe or cmd.exe with specific registry paths. This activity is significant because exporting these keys can allow attackers to obtain hashed credentials, which they may attempt to crack offline. If confirmed malicious, this could lead to unauthorized access to sensitive accounts, enabling further compromise and lateral movement within the network. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.CM"]} -known_false_positives = None identified. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Auto Admin Logon Registry Entry - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = this search is to detect a suspicious registry modification to implement auto admin logon to a host. This technique was seen in BlackMatter ransomware to automatically logon to the compromise host after triggering a safemode boot to continue encrypting the whole network. This behavior is not a common practice and really a suspicious TTP or alert need to be consider if found within then network premise. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.002", "T1552"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Batch File Write to System32 - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the creation of a batch file (.bat) within the Windows system directory tree, specifically in the System32 or SysWOW64 folders. It leverages data from the Endpoint datamodel, focusing on process and filesystem events to identify this behavior. This activity is significant because writing batch files to system directories can be indicative of malicious intent, such as persistence mechanisms or system manipulation. If confirmed malicious, this could allow an attacker to execute arbitrary commands with elevated privileges, potentially compromising the entire system. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204", "T1204.002"], "nist": ["DE.CM"]} -known_false_positives = It is possible for this search to generate a notable event for a batch file write to a path that includes the string "system32", but is not the actual Windows system directory. As such, you should confirm the path of the batch file identified by the search. In addition, a false positive may be generated by an administrator copying a legitimate batch file in this directory tree. You should confirm that the activity is legitimate and modify the search to add exclusions, as necessary. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Bcdedit Command Back To Normal Mode Boot - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search is to detect a suspicious bcdedit commandline to configure the host from safe mode back to normal boot configuration. This technique was seen in blackMatter ransomware where it force the compromised host to boot in safe mode to continue its encryption and bring back to normal boot using bcdedit deletevalue command. This TTP can be a good alert for host that booted from safe mode forcefully since it need to modify the boot configuration to bring it back to normal. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - BCDEdit Failure Recovery Modification - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects modifications to the Windows error recovery boot configurations using bcdedit.exe with flags such as "recoveryenabled" and "no". It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This activity is significant because ransomware often disables recovery options to prevent system restoration, making it crucial for SOC analysts to investigate. If confirmed malicious, this could hinder recovery efforts, allowing ransomware to cause extensive damage and complicate remediation. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]} -known_false_positives = Administrators may modify the boot configuration. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - BITS Job Persistence - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following query identifies Microsoft Background Intelligent Transfer Service utility `bitsadmin.exe` scheduling a BITS job to persist on an endpoint. The query identifies the parameters used to create, resume or add a file to a BITS job. Typically seen combined in a oneliner or ran in sequence. If identified, review the BITS job created and capture any files written to disk. It is possible for BITS to be used to upload files and this may require further network data analysis to identify. You can use `bitsadmin /list /verbose` to list out the jobs during investigation. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1197"], "nist": ["DE.CM"]} -known_false_positives = Limited false positives will be present. Typically, applications will use `BitsAdmin.exe`. Any filtering should be done based on command-line arguments (legitimate applications) or parent process. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - BITSAdmin Download File - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following query identifies Microsoft Background Intelligent Transfer Service utility `bitsadmin.exe` using the `transfer` parameter to download a remote object. In addition, look for `download` or `upload` on the command-line, the switches are not required to perform a transfer. Capture any files downloaded. Review the reputation of the IP or domain used. Typically once executed, a follow on command will be used to execute the dropped file. Note that the network connection or file modification events related will not spawn or create from `bitsadmin.exe`, but the artifacts will appear in a parallel process of `svchost.exe` with a command-line similar to `svchost.exe -k netsvcs -s BITS`. It's important to review all parallel and child processes to capture any behaviors and artifacts. In some suspicious and malicious instances, BITS jobs will be created. You can use `bitsadmin /list /verbose` to list out the jobs during investigation. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control", "Exploitation", "Installation"], "mitre_attack": ["T1197", "T1105"], "nist": ["DE.CM"]} -known_false_positives = Limited false positives, however it may be required to filter based on parent process name or network connection. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - CertUtil Download With URLCache and Split Arguments - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = Certutil.exe may download a file from a remote destination using `-urlcache`. This behavior does require a URL to be passed on the command-line. In addition, `-f` (force) and `-split` (Split embedded ASN.1 elements, and save to files) will be used. It is not entirely common for `certutil.exe` to contact public IP space. However, it is uncommon for `certutil.exe` to write files to world writeable paths. During triage, capture any files on disk and review. Review the reputation of the remote IP or domain in question. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]} -known_false_positives = Limited false positives in most environments, however tune as needed based on parent-child relationship or network connection. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - CertUtil Download With VerifyCtl and Split Arguments - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = Certutil.exe may download a file from a remote destination using `-VerifyCtl`. This behavior does require a URL to be passed on the command-line. In addition, `-f` (force) and `-split` (Split embedded ASN.1 elements, and save to files) will be used. It is not entirely common for `certutil.exe` to contact public IP space. \ During triage, capture any files on disk and review. Review the reputation of the remote IP or domain in question. Using `-VerifyCtl`, the file will either be written to the current working directory or `%APPDATA%\..\LocalLow\Microsoft\CryptnetUrlCache\Content\`. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]} -known_false_positives = Limited false positives in most environments, however tune as needed based on parent-child relationship or network connection. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Certutil exe certificate extraction - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the use of certutil.exe with arguments indicating the manipulation or extraction of certificates. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because extracting certificates can allow attackers to sign new authentication tokens, particularly in federated environments like Windows ADFS. If confirmed malicious, this could enable attackers to forge authentication tokens, potentially leading to unauthorized access and privilege escalation within the network. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "nist": ["DE.CM"]} -known_false_positives = Unless there are specific use cases, manipulating or exporting certificates using certutil is uncommon. Extraction of certificate has been observed during attacks such as Golden SAML and other campaigns targeting Federated services. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - CertUtil With Decode Argument - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = CertUtil.exe may be used to `encode` and `decode` a file, including PE and script code. Encoding will convert a file to base64 with `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` tags. Malicious usage will include decoding a encoded file that was downloaded. Once decoded, it will be loaded by a parallel process. Note that there are two additional command switches that may be used - `encodehex` and `decodehex`. Similarly, the file will be encoded in HEX and later decoded for further execution. During triage, identify the source of the file being decoded. Review its contents or execution behavior for further analysis. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1140"], "nist": ["DE.CM"]} -known_false_positives = Typically seen used to `encode` files, but it is possible to see legitimate use of `decode`. Filter based on parent-child relationship, file paths, endpoint or user. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Change Default File Association - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is developed to detect suspicious registry modification to change the default file association of windows to malicious payload. This technique was seen in some APT where it modify the default process to run file association, like .txt to notepad.exe. Instead notepad.exe it will point to a Script or other payload that will load malicious commands to the compromised host. -how_to_implement = To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1546.001", "T1546"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Change To Safe Mode With Network Config - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search is to detect a suspicious bcdedit commandline to configure the host to boot in safe mode with network config. This technique was seen in blackMatter ransomware where it force the compromised host to boot in safe mode to continue its encryption and bring back to normal boot using bcdedit deletevalue command. This TTP can be a good alert for host that booted from safe mode forcefully since it need to modify the boot configuration to bring it back to normal. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - CHCP Command Execution - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search is to detect execution of chcp.exe application. this utility is used to change the active code page of the console. This technique was seen in icedid malware to know the locale region/language/country of the compromise host. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.CM"]} -known_false_positives = other tools or script may used this to change code page to UTF-* or others -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Check Elevated CMD using whoami - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search is to detect a suspicious whoami execution to check if the cmd or shell instance process is with elevated privileges. This technique was seen in FIN7 js implant where it execute this as part of its data collection to the infected machine to check if the running shell cmd process is elevated or not. This TTP is really a good alert for known attacker that recon on the targetted host. This command is not so commonly executed by a normal user or even an admin to check if a process is elevated. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Child Processes of Spoolsv exe - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies child processes spawned by spoolsv.exe, the Print Spooler service in Windows, which typically runs with SYSTEM privileges. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process relationships. Monitoring this activity is crucial as it can indicate exploitation attempts, such as those associated with CVE-2018-8440, which can lead to privilege escalation. If confirmed malicious, attackers could gain SYSTEM-level access, allowing them to execute arbitrary code, escalate privileges, and potentially compromise the entire system. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]} -known_false_positives = Some legitimate printer-related processes may show up as children of spoolsv.exe. You should confirm that any activity as legitimate and may be added as exclusions in the search. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Clear Unallocated Sector Using Cipher App - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the execution of `cipher.exe` with the `/w` flag to clear unallocated sectors on a disk. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, command-line arguments, and parent processes. This activity is significant because it is a technique used by ransomware to prevent forensic recovery of deleted files. If confirmed malicious, this action could hinder incident response efforts by making it impossible to recover critical data, thereby complicating the investigation and remediation process. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070.004", "T1070"], "nist": ["DE.CM"]} -known_false_positives = administrator may execute this app to manage disk -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Clop Common Exec Parameter - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytics are designed to identifies some CLOP ransomware variant that using arguments to execute its main code or feature of its code. In this variant if the parameter is "runrun", CLOP ransomware will try to encrypt files in network shares and if it is "temp.dat", it will try to read from some stream pipe or file start encrypting files within the infected local machines. This technique can be also identified as an anti-sandbox technique to make its code non-responsive since it is waiting for some parameter to execute properly. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.CM"]} -known_false_positives = Operators can execute third party tools using these parameters. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Clop Ransomware Known Service Name - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This detection is to identify the common service name created by the CLOP ransomware as part of its persistence and high privilege code execution in the infected machine. Ussually CLOP ransomware use StartServiceCtrlDispatcherW API in creating this service entry. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1543"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = null - -[savedsearch://ESCU - CMD Carry Out String Command Parameter - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies command-line arguments where `cmd.exe /c` is used to execute a program. `cmd /c` is used to run commands in MS-DOS and terminate after command or process completion. This technique is commonly seen in adversaries and malware to execute batch command using different shell like PowerShell or different process other than `cmd.exe`. This is a good hunting query for suspicious command-line made by a script or relative process execute it. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.003", "T1059"], "nist": ["DE.AE"]} -known_false_positives = False positives may be high based on legitimate scripted code in any environment. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - CMD Echo Pipe - Escalation - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic identifies a common behavior by Cobalt Strike and other frameworks where the adversary will escalate privileges, either via `jump` (Cobalt Strike PTH) or `getsystem`, using named-pipe impersonation. A suspicious event will look like `cmd.exe /c echo 4sgryt3436 > \\.\Pipe\5erg53`. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1059", "T1059.003", "T1543.003", "T1543"], "nist": ["DE.CM"]} -known_false_positives = Unknown. It is possible filtering may be required to ensure fidelity. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Cmdline Tool Not Executed In CMD Shell - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.007"], "nist": ["DE.CM"]} -known_false_positives = A network operator or systems administrator may utilize an automated host discovery application that may generate false positives. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - CMLUA Or CMSTPLUA UAC Bypass - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the use of COM objects like CMLUA or CMSTPLUA to bypass User Account Control (UAC). It leverages Sysmon EventCode 7 to identify the loading of specific DLLs (CMLUA.dll, CMSTPLUA.dll, CMLUAUTIL.dll) by processes not typically associated with these libraries. This activity is significant as it indicates an attempt to gain elevated privileges, a common tactic used by ransomware adversaries. If confirmed malicious, this could allow attackers to execute code with administrative rights, leading to potential system compromise and further malicious activities. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.003"], "nist": ["DE.CM"]} -known_false_positives = Legitimate windows application that are not on the list loading this dll. Filter as needed. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Cobalt Strike Named Pipes - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the use of default or publicly known named pipes used with Cobalt Strike. A named pipe is a named, one-way or duplex pipe for communication between the pipe server and one or more pipe clients. Cobalt Strike uses named pipes in many ways and has default values used with the Artifact Kit and Malleable C2 Profiles. The following query assists with identifying these default named pipes. Each EDR product presents named pipes a little different. Consider taking the values and generating a query based on the product of choice. \ -Upon triage, review the process performing the named pipe. If it is explorer.exe, It is possible it was injected into by another process. Review recent parallel processes to identify suspicious patterns or behaviors. A parallel process may have a network connection, review and follow the connection back to identify any file modifications. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} -known_false_positives = The idea of using named pipes with Cobalt Strike is to blend in. Therefore, some of the named pipes identified and added may cause false positives. Filter by process name or pipe name to reduce false positives. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Common Ransomware Extensions - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects Searches for file modifications that commonly occur with Ransomware to detect modifications to files with extensions that are commonly used by Ransomware. The detection is made by searches for changes in the datamodel=Endpoint.Filesystem, specifically modifications to file extensions that match those commonly used by Ransomware. The detection is important because it suggests that an attacker is attempting to encrypt or otherwise modify files in the environment using malware, potentially leading to data loss that can cause significant damage to an organization's data and systems. False positives might occur so the SOC must investigate the affected system to determine the source of the modification and take appropriate action to contain and remediate the attack. -how_to_implement = You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint Filesystem data model node. To see the additional metadata, add the following fields, if not already present, please review the detailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details` -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.AE"]} -known_false_positives = It is possible for a legitimate file with these extensions to be created. If this is a true ransomware attack, there will be a large number of files created with these extensions. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Common Ransomware Notes - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the creation of files with names commonly associated with ransomware notes. It leverages file-system activity data from the Endpoint Filesystem data model, typically populated by endpoint detection and response (EDR) tools or Sysmon logs. This activity is significant because ransomware notes indicate a potential ransomware attack, which can lead to data encryption and extortion. If confirmed malicious, this activity could result in significant data loss, operational disruption, and financial impact due to ransom demands. -how_to_implement = You must be ingesting data that records file-system activity from your hosts to populate the Endpoint Filesystem data-model node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or via other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file-system reads and writes. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.AE"]} -known_false_positives = It's possible that a legitimate file could be created with the same name used by ransomware note files. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - ConnectWise ScreenConnect Path Traversal - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1708 vulnerability, which allows an attacker to perform path traversal attacks by manipulating the file_path and file_name parameters in the URL. The vulnerability, identified as critical with a CVSS score of 9.8, enables unauthorized users to access sensitive files and directories on the host system, potentially leading to the exfiltration of sensitive data or the execution of arbitrary code. The search query provided looks for file system events that could indicate exploitation attempts. This detection is crucial for identifying and responding to active exploitation of this vulnerability in environments running affected versions of ScreenConnect (23.9.7 and prior). It is recommended to update to version 23.9.8 or above immediately to remediate the issue, as detailed in the ConnectWise security advisory and further analyzed by Huntress researchers. -how_to_implement = This analytic utilizes the Endpoint datamodel Filesystem node to identify path traversal attempts against ScreenConnect. Note that using SACL auditing or other file system monitoring tools may also be used to detect path traversal attempts. Typically the data for this analytic will come from EDR or other properly CIM mapped data sources. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} -known_false_positives = False positives are not expected, as the detection is based on the presence of file system events that indicate path traversal attempts. The analytic may be modified to look for any file writes to this path as it is not common for files to write here. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - ConnectWise ScreenConnect Path Traversal Windows SACL - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1708 vulnerability utilizing Windows SACL EventCode 4663, which allows an attacker to perform path traversal attacks by manipulating the file_path and file_name parameters in the URL. The vulnerability, identified as critical with a CVSS score of 9.8, enables unauthorized users to access sensitive files and directories on the host system, potentially leading to the exfiltration of sensitive data or the execution of arbitrary code. The search query provided looks for file system events that could indicate exploitation attempts. This detection is crucial for identifying and responding to active exploitation of this vulnerability in environments running affected versions of ScreenConnect (23.9.7 and prior). It is recommended to update to version 23.9.8 or above immediately to remediate the issue, as detailed in the ConnectWise security advisory and further analyzed by Huntress researchers. -how_to_implement = To implement the following query, enable SACL auditing for the ScreenConnect directory(ies). With this data, the following analytic will work correctly. A GIST is provided in the references to assist with enabling SACL Auditing. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} -known_false_positives = False positives should be limited as the analytic is specific to ScreenConnect path traversal attempts. Tune as needed, or restrict to specific hosts if false positives are encountered. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Conti Common Exec parameter - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the execution of suspicious command-line arguments commonly associated with Conti ransomware, specifically targeting local drives and network shares for encryption. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because it indicates a potential ransomware attack, which can lead to widespread data encryption and operational disruption. If confirmed malicious, the impact could be severe, resulting in data loss, system downtime, and potential ransom demands. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.CM"]} -known_false_positives = 3rd party tool may have commandline parameter that can trigger this detection. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Control Loading from World Writable Directory - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following detection identifies control.exe loading either a .cpl or .inf from a writable directory. This is related to CVE-2021-40444. During triage, review parallel processes, parent and child, for further suspicious behaviors. In addition, capture file modifications and analyze. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.002"], "nist": ["DE.CM"]} -known_false_positives = Limited false positives will be present as control.exe does not natively load from writable paths as defined. One may add .cpl or .inf to the command-line if there is any false positives. Tune as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Create local admin accounts using net exe - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the creation of local administrator accounts using the net.exe command to mitigate the risks associated with unauthorized access and prevent further damage to the environment by responding to potential threats earlier and taking appropriate actions to protect the organization's systems and data. This detection is made by a Splunk query to search for processes with the name net.exe or net1.exe that include the "/add" parameter and have specific keywords related to administrator accounts in their process name. This detection is important because the creation of unauthorized local administrator accounts might indicate that an attacker has successfully created a new administrator account and is trying to gain persistent access to a system or escalate their privileges for data theft, or other malicious activities. False positives might occur since there might be legitimate uses of the net.exe command and the creation of administrator accounts in certain circumstances. You must consider the context of the activity and other indicators of compromise before taking any action. For next steps, review the details of the identified process, including the user, parent process, and parent process name. Examine any relevant on-disk artifacts and look for concurrent processes to determine the source of the attack. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.CM"]} -known_false_positives = Administrators often leverage net.exe to create admin accounts. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Create or delete windows shares using net exe - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the creation or deletion of hidden shares using the net.exe command for prompt response and mitigation to enhance the overall security posture of the organization and protect against potential data breaches, malware infections, and other damaging outcomes. This detection is made by searching for processes that involve the use of net.exe and filters for actions related to creation or deletion of shares. This detection is important because it suggests that an attacker is attempting to manipulate or exploit the network by creating or deleting hidden shares. The creation or deletion of hidden shares can indicate malicious activity since attackers might use hidden shares to exfiltrate data, distribute malware, or establish persistence within a network. The impact of such an attack can vary, but it often involves unauthorized access to sensitive information, disruption of services, or the introduction of malware. False positives might occur since legitimate actions can also involve the use of net.exe. An extensive triage and investigation is necessary to determine the intent and nature of the detected activity. Next steps include reviewing the details of the process involving the net.exe command, including the user, parent process, and timestamps during the triage. Additionally, capture and inspect any relevant on-disk artifacts and review concurrent processes to identify the source of the attack. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070", "T1070.005"], "nist": ["DE.CM"]} -known_false_positives = Administrators often leverage net.exe to create or delete network shares. You should verify that the activity was intentional and is legitimate. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Create Remote Thread In Shell Application - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search is to detect suspicious process injection in command shell. This technique was seen in IcedID where it execute cmd.exe process to inject its shellcode as part of its execution as banking trojan. It is really uncommon to have a create remote thread execution in the following application. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Create Remote Thread into LSASS - Rule] -type = detection -asset_type = Windows -confidence = medium -explanation = The following analytic detects the creation of a remote thread in the Local Security Authority Subsystem Service (LSASS), which is a common tactic used by adversaries to steal user authentication credentials, known as credential dumping. The detection is made by leveraging Sysmon EventID 8 logs and searches for processes that create remote threads in lsass.exe. This is an unusual activity that is generally linked to credential theft or credential dumping, which is a significant threat to network security. The detection is important because it helps to detect potential credential dumping attacks, which can result in significant damage to an organization's security. False positives might occur though the confidence level of this alert is high. There might be cases where legitimate tools can access LSASS and generate similar logs. Therefore, you must understand the broader context of such events and differentiate between legitimate activities and possible threats. -how_to_implement = This search needs Sysmon Logs with a Sysmon configuration, which includes EventCode 8 with lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} -known_false_positives = Other tools can access LSASS for legitimate reasons and generate an event. In these cases, tweaking the search may help eliminate noise. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Creation of lsass Dump with Taskmgr - Rule] -type = detection -asset_type = Windows -confidence = medium -explanation = Detect the hands on keyboard behavior of Windows Task Manager creating a process dump of lsass.exe. Upon this behavior occurring, a file write/modification will occur in the users profile under \AppData\Local\Temp. The dump file, lsass.dmp, cannot be renamed, however if the dump occurs more than once, it will be named lsass (2).dmp. -how_to_implement = This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 11 for detecting file create of lsass.dmp. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} -known_false_positives = Administrators can create memory dumps for debugging purposes, but memory dumps of the LSASS process would be unusual. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Creation of Shadow Copy - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the creation of shadow copies using Vssadmin or Wmic. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because creating shadow copies can be a precursor to ransomware attacks or data exfiltration, allowing attackers to bypass file locks and access sensitive data. If confirmed malicious, this behavior could enable attackers to maintain persistence, recover deleted files, or prepare for further malicious activities, posing a significant risk to the integrity and confidentiality of the system. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]} -known_false_positives = Legitimate administrator usage of Vssadmin or Wmic will create false positives. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Creation of Shadow Copy with wmic and powershell - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the use of two specific tools, wmic and Powershell, to create a shadow copy to identify potential threats earlier and take appropriate actions to mitigate the risks. This detection is made by a Splunk query that searches for processes in the Endpoint.Processes data model where either the process name contains "wmic" or "Powershell" and the process command contains "shadowcopy" and "create". This detection is important because it suggests that an attacker is attempting to manipulate or access data in an unauthorized manner, which can lead to data theft, data manipulation, or other malicious activities. Attackers might use shadow copies to backup and exfiltrate sensitive data or to hide their tracks by restoring files to a previous state after an attack. Next steps include reviewing the user associated with the process, the process name, the original file name, the process command, and the destination of the process. Additionally, examine any relevant on-disk artifacts and review other concurrent processes to determine the source of the attack. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]} -known_false_positives = Legtimate administrator usage of wmic to create a shadow copy. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Credential Dumping via Copy Command from Shadow Copy - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the use of the copy command to dump credentials from a shadow copy so that you can detect potential threats earlier and mitigate the risks associated with credential dumping. The detection is made by using a Splunk query to search for specific processes that indicate credential dumping activity. The query looks for processes with command lines that include references to certain files, such as "sam", "security", "system", and "ntds.dit", located in system directories like "system32" or "windows". The detection is important because it suggests that an attacker is attempting to extract credentials from a shadow copy. Credential dumping is a common technique used by attackers to obtain sensitive login information and gain unauthorized access to systems to escalate privileges, move laterally within the network, or gain unauthorized access to sensitive data. False positives might occur since legitimate processes might also reference these files. During triage, it is crucial to review the process details, including the source and the command that is run. Additionally, you must capture and analyze any relevant on-disk artifacts and investigate concurrent processes to determine the source of the attack -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Credential Dumping via Symlink to Shadow Copy - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the creation of a symlink to a shadow copy to identify potential threats earlier and mitigate the risks associated with symlink creation to shadow copies. The detection is made by using a Splunk query that searches for processes with commands containing "mklink" and "HarddiskVolumeShadowCopy". This analytic retrieves information such as the destination, user, process name, process ID, parent process, original file name, and parent process ID from the Endpoint.Processes data model. The detection is important because it indicates potential malicious activity since attackers might use this technique to manipulate or delete shadow copies, which are used for system backup and recovery. This detection helps to determine if an attacker is attempting to cover their tracks or prevent data recovery in the event of an incident. The impact of such an attack can be significant since it can hinder incident response efforts, prevent data restoration, and potentially lead to data loss or compromise. Next steps include reviewing the details of the process, such as the destination and the user responsible for creating the symlink. Additionally, you must examine the parent process, any relevant on-disk artifacts, and concurrent processes to identify the source of the attack. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - CSC Net On The Fly Compilation - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = this analytic is to detect a suspicious compile before delivery approach of .net compiler csc.exe. This technique was seen in several adversaries, malware and even in red teams to take advantage the csc.exe .net compiler tool to compile on the fly a malicious .net code to evade detection from security product. This is a good hunting query to check further the file or process created after this event and check the file path that passed to csc.exe which is the .net code. Aside from that, powershell is capable of using this compiler in executing .net code in a powershell script so filter on that case is needed. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1027.004", "T1027"], "nist": ["DE.AE"]} -known_false_positives = A network operator or systems administrator may utilize an automated powershell script taht execute .net code that may generate false positive. filter is needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Curl Download and Bash Execution - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the use of curl on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]} -known_false_positives = False positives should be limited, however filtering may be required. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Delete ShadowCopy With PowerShell - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This following analytic detects PowerShell command to delete shadow copy using the WMIC PowerShell module. This technique was seen used by a recent adversary to deploy DarkSide Ransomware where it executed a child process of PowerShell to execute a hex encoded command to delete shadow copy. This hex encoded command was able to be decrypted by PowerShell log. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the powershell logs from your endpoints. make sure you enable needed registry to monitor this event. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Deleting Of Net Users - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic will detect a suspicious net.exe/net1.exe command-line to delete a user on a system. This technique may be use by an administrator for legitimate purposes, however this behavior has been used in the wild to impair some user or deleting adversaries tracks created during its lateral movement additional systems. During triage, review parallel processes for additional behavior. Identify any other user accounts created before or after. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1531"], "nist": ["DE.CM"]} -known_false_positives = System administrators or scripts may delete user accounts via this technique. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Deleting Shadow Copies - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the deletion of shadow copies using the vssadmin.exe or wmic.exe utilities. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because deleting shadow copies is a common tactic used by attackers to prevent recovery and hide their tracks. If confirmed malicious, this action could hinder incident response efforts and allow attackers to maintain persistence and cover their activities, making it crucial for security teams to investigate promptly. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]} -known_false_positives = vssadmin.exe and wmic.exe are standard applications shipped with modern versions of windows. They may be used by administrators to legitimately delete old backup copies, although this is typically rare. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Detect AzureHound Command-Line Arguments - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the common command-line argument used by AzureHound `Invoke-AzureHound`. Being the script is FOSS, function names may be modified, but these changes are dependent upon the operator. In most instances the defaults are used. This analytic works to identify the common command-line attributes used. It does not cover the entirety of every argument in order to avoid false positives. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"]} -known_false_positives = Unknown. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Detect AzureHound File Modifications - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic is similar to SharpHound file modifications, but this instance covers the use of Invoke-AzureHound. AzureHound is the SharpHound equivilent but for Azure. It's possible this may never be seen in an environment as most attackers may execute this tool remotely. Once execution is complete, a zip file with a similar name will drop `20210601090751-azurecollection.zip`. In addition to the zip, multiple .json files will be written to disk, which are in the zip. -how_to_implement = To successfully implement this search you need to be ingesting information on file modifications that include the name of the process, and file, responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"]} -known_false_positives = False positives should be limited as the analytic is specific to a filename with extension .zip. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Detect Baron Samedit CVE-2021-3156 - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects a specific type of vulnerability known as a heap-based buffer overflow in the sudoedit command, commonly referred to as Baron Samedit CVE-2021-3156. The detection is made by a Splunk query that searches for instances of the sudoedit command with the "-s" flag followed by a double quote. This combination of parameters is indicative of the vulnerability being exploited. The detection is important because it suggests that an attacker is attempting to exploit the Baron Samedit vulnerability. The Baron Samedit vulnerability allows an attacker to gain elevated privileges on a Linux system and run arbitrary code with root privileges, potentially leading to complete control over the affected system. The impact of a successful attack can be severe since it allows the attacker to bypass security measures and gain unauthorized access to sensitive data or systems. This can result in data breaches, unauthorized modifications, or even complete system compromise. Next steps include being aware of this vulnerability and actively monitoring any attempts to exploit it. By detecting and responding to such attacks in a timely manner, you can prevent or minimize the potential damage caused by the heap-based buffer overflow of sudoedit. -how_to_implement = Splunk Universal Forwarder running on Linux systems, capturing logs from the /var/log directory. The vulnerability is exposed when a non privledged user tries passing in a single \ character at the end of the command while using the shell and edit flags. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = null - -[savedsearch://ESCU - Detect Baron Samedit CVE-2021-3156 Segfault - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the occurrence of a heap-based buffer overflow in sudoedit.The detection is made by using a Splunk query to identify Linux hosts where the terms "sudoedit" and "segfault" appear in the logs. The detection is important because the heap-based buffer overflow vulnerability in sudoedit can be exploited by attackers to gain elevated root privileges on a vulnerable system, which might lead to the compromise of sensitive data, unauthorized access, and other malicious activities. False positives might occur. Therefore, you must review the logs and investigate further before taking any action. -how_to_implement = Splunk Universal Forwarder running on Linux systems (tested on Centos and Ubuntu), where segfaults are being logged. This also captures instances where the exploit has been compiled into a binary. The detection looks for greater than 5 instances of sudoedit combined with segfault over your search time period on a single host -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]} -known_false_positives = If sudoedit is throwing segfaults for other reasons this will pick those up too. -providing_technologies = null - -[savedsearch://ESCU - Detect Baron Samedit CVE-2021-3156 via OSQuery - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the heap-based buffer overflow for the sudoedit command and identifies instances where the command "sudoedit -s *" is run using the osquery_process data source. This indicates that the sudoedit command is used with the "-s" flag, which is associated with the heap-based buffer overflow vulnerability. The detection is important because it indicates a potential security vulnerability, specifically Baron Samedit CVE-2021-3156, which helps to identify and respond to potential heap-based buffer overflow attacks to enhance the security posture of the organization. This vulnerability allows an attacker to escalate privileges and potentially gain unauthorized access to the system. If the attack is successful, the attacker can gain full control of the system, run arbitrary code, or access sensitive data. Such attacks can lead to data breaches, unauthorized access, and potential disruption of critical systems. False positives might occur since the legitimate use of the sudoedit command with the "-s" flag can also trigger this detection. You must carefully review and validate the findings before taking any action. Next steps include investigating all true positive detections promptly, reviewing the associated processes, gather relevant artifacts, identifying the source of the attack to contain the threat, mitigate the risks, and prevent further damage to the environment. -how_to_implement = OSQuery installed and configured to pick up process events (info at https://osquery.io) as well as using the Splunk OSQuery Add-on https://splunkbase.splunk.com/app/4402. The vulnerability is exposed when a non privledged user tries passing in a single \ character at the end of the command while using the shell and edit flags. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = null - -[savedsearch://ESCU - Detect Certify Command Line Arguments - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies when the attacker tool Certify or Certipy are used to enumerate Active Directory Certificate Services (AD CS) environments. The default command line arguments of these tools are similar and perform near identical enumeration or exploitation functions. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control", "Exploitation"], "mitre_attack": ["T1649", "T1105"], "nist": ["DE.CM"]} -known_false_positives = Unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Detect Certify With PowerShell Script Block Logging - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies when the attacker tool Certify is used through an in-memory PowerShell function to enumerate Active Directory Certificate Services (AD CS) environments. The default command line arguments for the binary version of this tools are similar to PowerShell calls and perform near identical enumeration or exploitation functions. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1649", "T1059", "T1059.001"], "nist": ["DE.CM"]} -known_false_positives = Unknown, partial script block matches. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Detect Certipy File Modifications - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies when the attacker tool Certipy is used to enumerate Active Directory Certificate Services (AD CS) environments. The default behavior of this toolkit drops a number of file uniquely named files or file extensions related to it's information gathering and exfiltration process. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints as well as file creation or deletion events. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1649", "T1560"], "nist": ["DE.CM"]} -known_false_positives = Unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Detect Computer Changed with Anonymous Account - Rule] -type = detection -asset_type = Windows -confidence = medium -explanation = The following analytic detects changes to computer accounts using an anonymous logon. It leverages Windows Security Event Codes 4742 (Computer Change) and 4624 (Successful Logon) with the TargetUserName set to "ANONYMOUS LOGON" and LogonType 3. This activity is significant because anonymous logons should not typically be modifying computer accounts, indicating potential unauthorized access or misconfiguration. If confirmed malicious, this could allow an attacker to alter computer accounts, potentially leading to privilege escalation or persistent access within the network. -how_to_implement = This search requires audit computer account management to be enabled on the system in order to generate Event ID 4742. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Event Logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1210"], "nist": ["DE.AE"]} -known_false_positives = None thus far found -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Detect Copy of ShadowCopy with Script Block Logging - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ - \ -This analytic identifies `copy` or `[System.IO.File]::Copy` being used to capture the SAM, SYSTEM or SECURITY hives identified in script block. This will catch the most basic use cases for credentials being taken for offline cracking. \ -During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.CM"]} -known_false_positives = Limited false positives as the scope is limited to SAM, SYSTEM and SECURITY hives. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Detect Credential Dumping through LSASS access - Rule] -type = detection -asset_type = Windows -confidence = medium -explanation = The following analytic detects the reading of lsass memory, which is consistent with credential dumping. Reading lsass memory is a common technique used by attackers to steal credentials from the Windows operating system. The detection is made by monitoring the sysmon events and filtering for specific access permissions (0x1010 and 0x1410) on the lsass.exe process helps identify potential instances of credential dumping.The detection is important because it suggests that an attacker is attempting to extract credentials from the lsass memory, which can lead to unauthorized access, data breaches, and compromise of sensitive information. Credential dumping is often a precursor to further attacks, such as lateral movement, privilege escalation, or data exfiltration. False positives can occur due to legitimate actions that involve accessing lsass memory. Therefore, extensive triage and investigation are necessary to differentiate between malicious and benign activities. -how_to_implement = This search needs Sysmon Logs and a sysmon configuration, which includes EventCode 10 with lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} -known_false_positives = The activity may be legitimate. Other tools can access lsass for legitimate reasons, and it's possible this event could be generated in those cases. In these cases, false positives should be fairly obvious and you may need to tweak the search to eliminate noise. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Detect Empire with PowerShell Script Block Logging - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ - \ -This analytic identifies the common PowerShell stager used by PowerShell-Empire. Each stager that may use PowerShell all uses the same pattern. The initial HTTP will be base64 encoded and use `system.net.webclient`. Note that some obfuscation may evade the analytic. \ -During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} -known_false_positives = False positives may only pertain to it not being related to Empire, but another framework. Filter as needed if any applications use the same pattern. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Detect Excessive Account Lockouts From Endpoint - Rule] -type = detection -asset_type = Windows -confidence = medium -explanation = The following analytic detects endpoints causing a high number of account lockouts within a short period. It leverages the Windows security event logs ingested into the `Change` datamodel, specifically under the `Account_Management` node, to identify and count lockout events. This activity is significant as it may indicate a brute-force attack or misconfigured system causing repeated authentication failures. If confirmed malicious, this behavior could lead to account lockouts, disrupting user access and potentially indicating an ongoing attack attempting to compromise user credentials. -how_to_implement = You must ingest your Windows security event logs in the `Change` datamodel under the nodename is `Account_Management`, for this search to execute successfully. Please consider updating the cron schedule and the count of lockouts you want to monitor, according to your environment. \ -**Splunk>Phantom Playbook Integration** If Splunk>Phantom is also configured in your environment, a Playbook called "Excessive Account Lockouts Enrichment and Response" can be configured to run when any results are found by this detection search. The Playbook executes the Contextual and Investigative searches in this Story, conducts additional information gathering on Windows endpoints, and takes a response action to shut down the affected endpoint. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`, add the correct hostname to the "Phantom Instance" field in the Adaptive Response Actions when configuring this detection search, and set the corresponding Playbook to active. \ -Playbook Link:`https://my.phantom.us/4.1/playbook/excessive-account-lockouts-enrichment-and-response/`) -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078", "T1078.002"], "nist": ["DE.AE"]} -known_false_positives = It's possible that a widely used system, such as a kiosk, could cause a large number of account lockouts. -providing_technologies = null - -[savedsearch://ESCU - Detect Excessive User Account Lockouts - Rule] -type = detection -asset_type = Windows -confidence = medium -explanation = The following analytic identifies user accounts experiencing an excessive number of lockouts within a short timeframe. It leverages the 'Change' data model, specifically focusing on events where the result indicates a lockout. This activity is significant as it may indicate a brute-force attack or misconfiguration, both of which require immediate attention. If confirmed malicious, this behavior could lead to account compromise, unauthorized access, and potential lateral movement within the network. -how_to_implement = ou must ingest your Windows security event logs in the `Change` datamodel under the nodename is `Account_Management`, for this search to execute successfully. Please consider updating the cron schedule and the count of lockouts you want to monitor, according to your environment. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078", "T1078.003"], "nist": ["DE.AE"]} -known_false_positives = It is possible that a legitimate user is experiencing an issue causing multiple account login failures leading to lockouts. -providing_technologies = null - -[savedsearch://ESCU - Detect Exchange Web Shell - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following query identifies suspicious .aspx created in 3 paths identified by Microsoft as known drop locations for Exchange exploitation related to HAFNIUM group and recently disclosed vulnerablity named ProxyShell and ProxyNotShell. Paths include: `\HttpProxy\owa\auth\`, `\inetpub\wwwroot\aspnet_client\`, and `\HttpProxy\OAB\`. Upon triage, the suspicious .aspx file will likely look obvious on the surface. inspect the contents for script code inside. Identify additional log sources, IIS included, to review source and other potential exploitation. It is often the case that a particular threat is only applicable to a specific subset of systems in your environment. Typically analytics to detect those threats are written without the benefit of being able to only target those systems as well. Writing analytics against all systems when those behaviors are limited to identifiable subsets of those systems is suboptimal. Consider the case ProxyShell vulnerability on Microsoft Exchange Servers. With asset information, a hunter can limit their analytics to systems that have been identified as Exchange servers. A hunter may start with the theory that the exchange server is communicating with new systems that it has not previously. If this theory is run against all publicly facing systems, the amount of noise it will generate will likely render this theory untenable. However, using the asset information to limit this analytic to just the Exchange servers will reduce the noise allowing the hunter to focus only on the systems where this behavioral change is relevant. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1505", "T1505.003", "T1190", "T1133"], "nist": ["DE.CM"]} -known_false_positives = The query is structured in a way that `action` (read, create) is not defined. Review the results of this query, filter, and tune as necessary. It may be necessary to generate this query specific to your endpoint product. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Detect HTML Help Renamed - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a renamed instance of hh.exe (HTML Help) executing a Compiled HTML Help (CHM). This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The "htm" and "html" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Validate it is the legitimate version of hh.exe by reviewing the PE metadata. hh.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.001"], "nist": ["DE.AE"]} -known_false_positives = Although unlikely a renamed instance of hh.exe will be used legitimately, filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Detect HTML Help Spawn Child Process - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) that spawns a child process. This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The "htm" and "html" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review child process events and investigate further. hh.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.001"], "nist": ["DE.CM"]} -known_false_positives = Although unlikely, some legitimate applications (ex. web browsers) may spawn a child process. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Detect HTML Help URL in Command Line - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) file from a remote url. This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The "htm" and "html" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review reputation of remote IP and domain. Some instances, it is worth decompiling the .chm file to review its original contents. hh.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.001"], "nist": ["DE.CM"]} -known_false_positives = Although unlikely, some legitimate applications may retrieve a CHM remotely, filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Detect HTML Help Using InfoTech Storage Handlers - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) file using InfoTech Storage Handlers. This particular technique will load Windows script code from a compiled help file, using InfoTech Storage Handlers. itss.dll will load upon execution. Three InfoTech Storage handlers are supported - ms-its, its, mk:@MSITStore. ITSS may be used to launch a specific html/htm file from within a CHM file. CHM files may contain nearly any file type embedded. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The "htm" and "html" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. hh.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.001"], "nist": ["DE.CM"]} -known_false_positives = It is rare to see instances of InfoTech Storage Handlers being used, but it does happen in some legitimate instances. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. \ - \ -This analytic identifies common Mimikatz functions that may be identified in the script block, including `mimikatz`. This will catch the most basic use cases for Pass the Ticket, Pass the Hash and `-DumprCreds`. \ -During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1003", "T1059.001"], "nist": ["DE.CM"]} -known_false_positives = False positives should be limited as the commands being identifies are quite specific to EventCode 4104 and Mimikatz. Filter as needed. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Detect mshta inline hta execution - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies "mshta.exe" execution with inline protocol handlers. "JavaScript", "VBScript", and "About" are the only supported options when invoking HTA content directly on the command-line. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process "mshta.exe" and its parent process. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"]} -known_false_positives = Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Detect mshta renamed - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies renamed instances of mshta.exe executing. Mshta.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. This analytic utilizes the internal name of the PE to identify if is the legitimate mshta binary. Further analysis should be performed to review the executed content and validation it is the real mshta. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.AE"]} -known_false_positives = Although unlikely, some legitimate applications may use a moved copy of mshta.exe, but never renamed, triggering a false positive. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Detect MSHTA Url in Command Line - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic identifies when Microsoft HTML Application Host (mshta.exe) utility is used to make remote http connections. Adversaries may use mshta.exe to proxy the download and execution of remote .hta files. The analytic identifies command line arguments of http and https being used. This technique is commonly used by malicious software to bypass preventative controls. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process "rundll32.exe" and its parent process. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"]} -known_false_positives = It is possible legitimate applications may perform this behavior and will need to be filtered. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Detect New Local Admin account - Rule] -type = detection -asset_type = Windows -confidence = medium -explanation = The following analytic detects the creation of new accounts that have been elevated to local administrators so that you can take immediate action to mitigate the risks and prevent further unauthorized access or malicious activities. This detection is made by using the Splunk query `wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Administrators) to search for relevant security events in the Windows event log. When a new account is created or an existing account is added to the Administrators group, this analytic identifies this behavior by looking for EventCode 4720 (A user account was created) or EventCode 4732 (A member was added to a security-enabled global group). This analytic specifically focuses on events where the Group_Name is set to Administrators. This detection is important because it suggests that an attacker has gained elevated privileges and can perform malicious actions with administrative access. This can lead to significant impact, such as unauthorized access to sensitive data, unauthorized modifications to systems or configurations, and potential disruption of critical services. identifying this behavior is crucial for a Security Operations Center (SOC). Next steps include reviewing the details of the security event, including the user account that was created or added to the Administrators group. Also, examine the time span between the first and last occurrence of the event to determine if the behavior is ongoing. Additionally, consider any contextual information, such as the destination where the account was created or added to understand the scope and potential impact of the attack. -how_to_implement = You must be ingesting Windows event logs using the Splunk Windows TA and collecting event code 4720 and 4732 -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.CM"]} -known_false_positives = The activity may be legitimate. For this reason, it's best to verify the account with an administrator and ask whether there was a valid service request for the account creation. If your local administrator group name is not "Administrators", this search may generate an excessive number of false positives -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Detect Outlook exe writing a zip file - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the execution of `outlook.exe` writing a `.zip` file to the disk. It leverages data from the Endpoint data model, specifically monitoring process and filesystem activities. This behavior is significant as it may indicate the use of Outlook to deliver malicious payloads or exfiltrate data via compressed files. If confirmed malicious, this activity could lead to unauthorized data access, data exfiltration, or the delivery of malware, potentially compromising the security of the affected system and network. -how_to_implement = You must be ingesting data that records filesystem and process activity from your hosts to populate the Endpoint data model. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or endpoint data sources, such as Sysmon. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} -known_false_positives = It is not uncommon for outlook to write legitimate zip files to the disk. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Detect Path Interception By Creation Of program exe - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the creation of a program executable in an unquoted service path, a common technique for privilege escalation. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where the parent process is 'services.exe'. This activity is significant because unquoted service paths can be exploited by attackers to execute arbitrary code with elevated privileges. If confirmed malicious, this could allow an attacker to gain higher-level access, potentially leading to full system compromise and persistent control over the affected endpoint. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.009", "T1574"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Detect processes used for System Network Configuration Discovery - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the rapid execution of processes used for system network configuration discovery on an endpoint. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process GUIDs, names, parent processes, and command-line executions. This activity is significant as it may indicate an attacker attempting to map the network, which is a common precursor to lateral movement or further exploitation. If confirmed malicious, this behavior could allow an attacker to gain insights into the network topology, identify critical systems, and plan subsequent attacks, potentially leading to data exfiltration or system compromise. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1016"], "nist": ["DE.CM"]} -known_false_positives = It is uncommon for normal users to execute a series of commands used for network discovery. System administrators often use scripts to execute these commands. These can generate false positives. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Detect Prohibited Applications Spawning cmd exe - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects executions of cmd.exe spawned by processes that are commonly abused by attackers and do not typically launch cmd.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process GUID, process name, parent process, and command-line executions. This activity is significant because it may indicate an attempt to execute unauthorized commands or scripts, often a precursor to further malicious actions. If confirmed malicious, this behavior could lead to unauthorized code execution, privilege escalation, or persistence within the environment. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.003"], "nist": ["DE.AE"]} -known_false_positives = There are circumstances where an application may legitimately execute and interact with the Windows command-line interface. Investigate and modify the lookup file, as appropriate. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Detect PsExec With accepteula Flag - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search looks for events where `PsExec.exe` is run with the `accepteula` flag in the command line. PsExec is a built-in Windows utility that enables you to execute processes on other systems. It is fully interactive for console applications. This tool is widely used for launching interactive command prompts on remote systems. Threat actors leverage this extensively for executing code on compromised systems. If an attacker is running PsExec for the first time, they will be prompted to accept the end-user license agreement (EULA), which can be passed as the argument `accepteula` within the command line. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.002"], "nist": ["DE.CM"]} -known_false_positives = Administrators can leverage PsExec for accessing remote systems and might pass `accepteula` as an argument if they are running this tool for the first time. However, it is not likely that you'd see multiple occurrences of this event on a machine -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Detect Rare Executables - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the occurrence of rare processes that appear only once across the network within a specified timeframe. It operates by compiling a list of process executions. This detection is crucial for a Security Operations Center (SOC) as it helps in identifying potentially malicious activities or unauthorized software that could indicate a security breach or an ongoing attack. Identifying such rare processes allows for early detection of threats, minimizing the potential impact of an attack which could range from data theft to complete system compromise. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} -known_false_positives = Some legitimate processes may be only rarely executed in your environment. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Detect RClone Command-Line Usage - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic identifies commonly used command-line arguments used by `rclone.exe` to initiate a file transfer. Some arguments were negated as they are specific to the configuration used by adversaries. In particular, an adversary may list the files or directories of the remote file share using `ls` or `lsd`, which is not indicative of malicious behavior. During triage, at this stage of a ransomware event, exfiltration is about to occur or has already. Isolate the endpoint and continue investigating by review file modifications and parallel processes. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1020"], "nist": ["DE.CM"]} -known_false_positives = False positives should be limited as this is restricted to the Rclone process name. Filter or tune the analytic as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Detect Regasm Spawning a Process - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies regasm.exe spawning a process. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. Spawning of a child process is rare from either process and should be investigated further. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. regsvcs.exe and regasm.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"]} -known_false_positives = Although unlikely, limited instances of regasm.exe or regsvcs.exe may cause a false positive. Filter based endpoint usage, command line arguments, or process lineage. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Detect Regasm with Network Connection - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies regasm.exe with a network connection to a public IP address, exluding private IP space. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. By contacting a remote Command And Control server, the adversary will have the ability to escalate privileges and complete the objectives. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. Review the reputation of the remote IP or domain and block as needed. regsvcs.exe and regasm.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"]} -known_false_positives = Although unlikely, limited instances of regasm.exe with a network connection may cause a false positive. Filter based endpoint usage, command line arguments, or process lineage. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Detect Regasm with no Command Line Arguments - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies regasm.exe with no command line arguments. This particular behavior occurs when another process injects into regasm.exe, no command line arguments will be present. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Regasm.exe are natively found in `C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe` and `C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe`. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"]} -known_false_positives = Although unlikely, limited instances of regasm.exe or may cause a false positive. Filter based endpoint usage, command line arguments, or process lineage. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Detect Regsvcs Spawning a Process - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies regsvcs.exe spawning a process. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. Spawning of a child process is rare from either process and should be investigated further. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. regsvcs.exe and regasm.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"]} -known_false_positives = Although unlikely, limited instances of regasm.exe or regsvcs.exe may cause a false positive. Filter based endpoint usage, command line arguments, or process lineage. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Detect Regsvcs with Network Connection - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies Regsvcs.exe with a network connection to a public IP address, exluding private IP space. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. By contacting a remote Command And Control server, the adversary will have the ability to escalate privileges and complete the objectives. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. Review the reputation of the remote IP or domain and block as needed. regsvcs.exe and regasm.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"]} -known_false_positives = Although unlikely, limited instances of regsvcs.exe may cause a false positive. Filter based endpoint usage, command line arguments, or process lineage. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Detect Regsvcs with No Command Line Arguments - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies regsvcs.exe with no command line arguments. This particular behavior occurs when another process injects into regsvcs.exe, no command line arguments will be present. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Regasm.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"]} -known_false_positives = Although unlikely, limited instances of regsvcs.exe may cause a false positive. Filter based endpoint usage, command line arguments, or process lineage. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Detect Regsvr32 Application Control Bypass - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.This variation of the technique is often referred to as a "Squiblydoo" attack. \ -Upon investigating, look for network connections to remote destinations (internal or external). Be cautious to modify the query to look for "scrobj.dll", the ".dll" is not required to load scrobj. "scrobj.dll" will be loaded by "regsvr32.exe" upon execution. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.010"], "nist": ["DE.CM"]} -known_false_positives = Limited false positives related to third party software registering .DLL's. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Detect Remote Access Software Usage File - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects when a file from a known remote access software is written to disk within the environment. Adversaries use these utilities to retain remote access capabilities to the environment. Utilities in the lookup include AnyDesk, GoToMyPC, LogMeIn, TeamViewer and much more. Review the lookup for the entire list and add any others. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the file path, file name, and the user that created the file. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Filesystem` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1219"], "nist": ["DE.AE"]} -known_false_positives = Known or approved applications used by the organization or usage of built-in functions. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Detect Remote Access Software Usage FileInfo - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects when process with file or code signing attributes from a known remote access software is executed with the environment. Adversaries use these utilities to retain remote access capabilities to the environment. Utilities in the lookup include AnyDesk, GoToMyPC, LogMeIn, TeamViewer and much more. Review the lookup for the entire list and add any others. -how_to_implement = This analytic relies on Sysmon to be properly installed and utilized in the environment. Ensure that proper logging is setup for Sysmon and data is being ingested into Splunk. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1219"], "nist": ["DE.AE"]} -known_false_positives = Known or approved applications used by the organization or usage of built-in functions. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Detect Remote Access Software Usage Process - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects when a known remote access software is executed within the environment. Adversaries use these utilities to retain remote access capabilities to the environment. Utilities in the lookup include AnyDesk, GoToMyPC, LogMeIn, TeamViewer and much more. Review the lookup for the entire list and add any others. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1219"], "nist": ["DE.AE"]} -known_false_positives = It is possible that legitimate remote access software is used within the environment. Ensure that the lookup is reviewed and updated with any additional remote access software that is used within the environment. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Detect Renamed 7-Zip - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies renamed 7-Zip usage using Sysmon. At this stage of an attack, review parallel processes and file modifications for data that is staged or potentially have been exfiltrated. This analytic utilizes the OriginalFileName to capture the renamed process. During triage, validate this is the legitimate version of `7zip` by reviewing the PE metadata. In addition, review parallel processes for further suspicious behavior. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1560.001", "T1560"], "nist": ["DE.AE"]} -known_false_positives = Limited false positives, however this analytic will need to be modified for each environment if Sysmon is not used. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Detect Renamed PSExec - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies renamed instances of `PsExec.exe` being utilized on an endpoint. Most instances, it is highly probable to capture `Psexec.exe` or other SysInternal utility usage with the command-line argument of `-accepteula`. During triage, validate this is the legitimate version of `PsExec` by reviewing the PE metadata. In addition, review parallel processes for further suspicious behavior. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1569", "T1569.002"], "nist": ["DE.AE"]} -known_false_positives = Limited false positives should be present. It is possible some third party applications may use older versions of PsExec, filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Detect Renamed RClone - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the usage of `rclone.exe`, renamed, being used to exfiltrate data to a remote destination. RClone has been used by multiple ransomware groups to exfiltrate data. In many instances, it will be downloaded from the legitimate site and executed accordingly. During triage, isolate the endpoint and begin to review parallel processes for additional behavior. At this stage, the adversary may have staged data to be exfiltrated. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1020"], "nist": ["DE.AE"]} -known_false_positives = False positives should be limited as this analytic identifies renamed instances of `rclone.exe`. Filter as needed if there is a legitimate business use case. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Detect Renamed WinRAR - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analtyic identifies renamed instances of `WinRAR.exe`. In most cases, it is not common for WinRAR to be used renamed, however it is common to be installed by a third party application and executed from a non-standard path. During triage, validate additional metadata from the binary that this is `WinRAR`. Review parallel processes and file modifications. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1560.001", "T1560"], "nist": ["DE.AE"]} -known_false_positives = Unknown. It is possible third party applications use renamed instances of WinRAR. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Detect RTLO In File Name - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search is used to detect the abuse of the right-to-left override (RTLO or RLO) character (U+202E) RTLO. This technique is used by adversaries to disguise a string and/or file name to make it appear benign. The RTLO character is a non-printing Unicode character that causes the text that follows it to be displayed in reverse. -how_to_implement = To successfully implement this search you need to be ingesting information on process that includes the full command line of the process being launched on your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036.002", "T1036"], "nist": ["DE.CM"]} -known_false_positives = Implementation in regions that use right to left in native language. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Detect RTLO In Process - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search is used to detect the abuse of the right-to-left override (RTLO or RLO) character (U+202E) RTLO. This technique is used by adversaries to disguise a string and/or file name to make it appear benign. The RTLO character is a non-printing Unicode character that causes the text that follows it to be displayed in reverse. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036.002", "T1036"], "nist": ["DE.CM"]} -known_false_positives = Implementation in regions that use right to left in native language. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Detect Rundll32 Application Control Bypass - advpack - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies rundll32.exe loading advpack.dll and ieadvpack.dll by calling the LaunchINFSection function on the command line. This particular technique will load script code from a file. Upon a successful execution, the following module loads may occur - clr.dll, jscript.dll and scrobj.dll. During investigation, identify script content origination. Generally, a child process will spawn from rundll32.exe, but that may be bypassed based on script code contents. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. During investigation, review any network connections and obtain the script content executed. It's possible other files are on disk. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} -known_false_positives = Although unlikely, some legitimate applications may use advpack.dll or ieadvpack.dll, triggering a false positive. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Detect Rundll32 Application Control Bypass - setupapi - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies rundll32.exe loading setupapi.dll and iesetupapi.dll by calling the LaunchINFSection function on the command line. This particular technique will load script code from a file. Upon a successful execution, the following module loads may occur - clr.dll, jscript.dll and scrobj.dll. During investigation, identify script content origination. Generally, a child process will spawn from rundll32.exe, but that may be bypassed based on script code contents. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. During investigation, review any network connections and obtain the script content executed. It's possible other files are on disk. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} -known_false_positives = Although unlikely, some legitimate applications may use setupapi triggering a false positive. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Detect Rundll32 Application Control Bypass - syssetup - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies rundll32.exe loading syssetup.dll by calling the LaunchINFSection function on the command line. This particular technique will load script code from a file. Upon a successful execution, the following module loads may occur - clr.dll, jscript.dll and scrobj.dll. During investigation, identify script content origination. Generally, a child process will spawn from rundll32.exe, but that may be bypassed based on script code contents. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. During investigation, review any network connections and obtain the script content executed. It's possible other files are on disk. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} -known_false_positives = Although unlikely, some legitimate applications may use syssetup.dll, triggering a false positive. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Detect Rundll32 Inline HTA Execution - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies "rundll32.exe" execution with inline protocol handlers. "JavaScript", "VBScript", and "About" are the only supported options when invoking HTA content directly on the command-line. This type of behavior is commonly observed with fileless malware or application whitelisting bypass techniques. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process "rundll32.exe" and its parent process. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"]} -known_false_positives = Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Detect SharpHound Command-Line Arguments - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies common command-line arguments used by SharpHound `-collectionMethod` and `invoke-bloodhound`. Being the script is FOSS, function names may be modified, but these changes are dependent upon the operator. In most instances the defaults are used. This analytic works to identify the common command-line attributes used. It does not cover the entirety of every argument in order to avoid false positives. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"]} -known_false_positives = False positives should be limited as the arguments used are specific to SharpHound. Filter as needed or add more command-line arguments as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Detect SharpHound File Modifications - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = SharpHound is used as a reconnaissance collector, ingestor, for BloodHound. SharpHound will query the domain controller and begin gathering all the data related to the domain and trusts. For output, it will drop a .zip file upon completion following a typical pattern that is often not changed. This analytic focuses on the default file name scheme. Note that this may be evaded with different parameters within SharpHound, but that depends on the operator. `-randomizefilenames` and `-encryptzip` are two examples. In addition, executing SharpHound via .exe or .ps1 without any command-line arguments will still perform activity and dump output to the default filename. Example default filename `20210601181553_BloodHound.zip`. SharpHound creates multiple temp files following the same pattern `20210601182121_computers.json`, `domains.json`, `gpos.json`, `ous.json` and `users.json`. Tuning may be required, or remove these json's entirely if it is too noisy. During traige, review parallel processes for further suspicious behavior. Typically, the process executing the `.ps1` ingestor will be PowerShell. -how_to_implement = To successfully implement this search you need to be ingesting information on file modifications that include the name of the process, and file, responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"]} -known_false_positives = False positives should be limited as the analytic is specific to a filename with extension .zip. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Detect SharpHound Usage - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies SharpHound binary usage by using the original filena,e. In addition to renaming the PE, other coverage is available to detect command-line arguments. This particular analytic looks for the original_file_name of `SharpHound.exe` and the process name. It is possible older instances of SharpHound.exe have different original filenames. Dependent upon the operator, the code may be re-compiled and the attributes removed or changed to anything else. During triage, review the metadata of the binary in question. Review parallel processes for suspicious behavior. Identify the source of this binary. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"]} -known_false_positives = False positives should be limited as this is specific to a file attribute not used by anything else. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Detect suspicious processnames using pretrained model in DSDL - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic uses a pre-trained Deep Learning model to predict whether a processname is suspicious or not. Malwares and malicious programs such as ransomware often use tactics, techniques, and procedures (TTPs) such as copying malicious files to the local machine to propagate themselves across the network. A key indicator of compromise is that after a successful execution of the malware, it copies itself as an executable file with a randomly generated filename and places this file in one of the directories. Such techniques are seen in several malwares such as TrickBot. We develop machine learning model that uses a Recurrent Neural Network (RNN) to distinguish between malicious and benign processnames. The model is trained independently and is then made available for download. We use a character level RNN to classify malicious vs. benign processnames. The higher is_malicious_prob, the more likely is the processname to be suspicious (between [0,1]). The threshold for flagging a processname as suspicious is set as 0.5. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]} -known_false_positives = False positives may be present if a suspicious processname is similar to a benign processname. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Detect Use of cmd exe to Launch Script Interpreters - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search looks for the execution of the cscript.exe or wscript.exe processes, with a parent of cmd.exe. The search will return the count, the first and last time this execution was seen on a machine, the user, and the destination of the machine -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.003"], "nist": ["DE.CM"]} -known_false_positives = This detection may also be triggered by legitimate applications and numerous service accounts, which often end with a $ sign. To manage this, it's advised to check the service account's activities and, if they are valid, modify the filter macro to exclude them. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Detect Webshell Exploit Behavior - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search is used to detect the abuse of web applications by adversaries. Adversaries may install a backdoor or script onto web servers by exploiting known vulnerabilities or misconfigruations. Web shells are used to establish persistent access to systems and provide a set of executable functions or a command-line interface on the system hosting the Web server. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1505", "T1505.003"], "nist": ["DE.CM"]} -known_false_positives = Legitimate OS functions called by vendor applications, baseline the environment and filter before enabling. Recommend throttle by dest/process_name -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Detect WMI Event Subscription Persistence - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the use of WMI Event Subscription to establish persistence or perform privilege escalation. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges. This analytic is restricted by commonly added process execution and a path. If the volume is low enough, remove the values and flag on any new subscriptions. \ -All event subscriptions have three components \ -1. Filter - WQL Query for the events we want. EventID equals 19 \ -1. Consumer - An action to take upon triggering the filter. EventID equals 20 \ -1. Binding - Registers a filter to a consumer. EventID equals 21 \ -Monitor for the creation of new WMI EventFilter, EventConsumer, and FilterToConsumerBinding. It may be pertinent to review all 3 to identify the flow of execution. In addition, EventCode 4104 may assist with any other PowerShell script usage that registered the subscription. -how_to_implement = To successfully implement this search, you need to be ingesting logs with that provide WMI Event Subscription from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA and have enabled EventID 19, 20 and 21. Tune and filter known good to limit the volume. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1546.003", "T1546"], "nist": ["DE.CM"]} -known_false_positives = It is possible some applications will create a consumer and may be required to be filtered. For tuning, add any additional LOLBin's for further depth of coverage. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Detection of tools built by NirSoft - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the execution of tools built by NirSoft by detecting specific command-line arguments such as "/stext" and "/scomma". It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This activity is significant because NirSoft tools, while legitimate, can be exploited by attackers for malicious purposes such as credential theft or system reconnaissance. If confirmed malicious, this activity could lead to unauthorized access, data exfiltration, or further compromise of the affected system. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1072"], "nist": ["DE.CM"]} -known_false_positives = While legitimate, these NirSoft tools are prone to abuse. You should verfiy that the tool was used for a legitimate purpose. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Disable AMSI Through Registry - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = this search is to identify modification in registry to disable AMSI windows feature to evade detections. This technique was seen in several ransomware, RAT and even APT to impaire defenses of the compromise machine and to be able to execute payload with minimal alert as much as possible. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -known_false_positives = network operator may disable this feature of windows but not so common. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Disable Defender AntiVirus Registry - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This particular behavior is typically executed when an adversary or malware gains access to an endpoint and begins to perform execution and to evade detections. Usually, a batch (.bat) file will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. Endpoint should be isolated. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -known_false_positives = admin or user may choose to disable windows defender product -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Disable Defender BlockAtFirstSeen Feature - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is intended to detect a suspicious modification of the Windows registry to disable a Windows Defender feature. This technique is intended to bypass or evade detection from Windows Defender AV, specifically the BlockAtFirstSeen feature where it blocks suspicious files the first time seen on the host. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -known_false_positives = admin or user may choose to disable windows defender product -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Disable Defender Enhanced Notification - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is intended to detect a suspicious modification of registry to disable windows defender features. This technique attempts to bypass or evade detection from Windows Defender AV, specifically the Enhanced Notification feature where a user or admin would receive alerts. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -known_false_positives = user may choose to disable windows defender AV -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Disable Defender MpEngine Registry - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This particular behavior is typically executed when an adversary or malware gains access to an endpoint and begins to perform execution and to evade detections. Usually, a batch (.bat) file will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. Endpoint should be isolated. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -known_false_positives = admin or user may choose to disable windows defender product -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Disable Defender Spynet Reporting - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the modification of the registry to disable Windows Defender SpyNet reporting. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path associated with Windows Defender SpyNet settings. This activity is significant because disabling SpyNet reporting can prevent Windows Defender from sending telemetry data, potentially allowing malicious activities to go undetected. If confirmed malicious, this action could enable an attacker to evade detection, maintain persistence, and carry out further attacks without being flagged by Windows Defender. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -known_false_positives = admin or user may choose to disable windows defender product -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Disable Defender Submit Samples Consent Feature - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is intended to detect a suspicious modification of the Windows registry to disable a Windows Defender feature. This technique is intended to bypass or evade detection from Windows Defender AV, specifically the feature that submits samples for further analysis. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -known_false_positives = admin or user may choose to disable windows defender product -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Disable ETW Through Registry - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search is to identify modification in registry to disable ETW windows feature to evade detections. This technique was seen in several ransomware, RAT and even APT to impaire defenses of the compromise machine and to be able to execute payload with minimal alert as much as possible. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -known_false_positives = network operator may disable this feature of windows but not so common. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Disable Logs Using WevtUtil - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the execution of "wevtutil.exe" with parameters to disable event logs. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because disabling event logs is a common tactic used by ransomware to evade detection and hinder forensic investigations. If confirmed malicious, this action could allow attackers to operate undetected, making it difficult to trace their activities and respond effectively to the incident. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070", "T1070.001"], "nist": ["DE.CM"]} -known_false_positives = network operator may disable audit event logs for debugging purposes. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Disable Registry Tool - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search identifies modification of registry to disable the regedit or registry tools of the windows operating system. Since registry tool is a swiss knife in analyzing registry, malware such as RAT or trojan Spy disable this application to prevent the removal of their registry entry such as persistence, file less components and defense evasion. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562", "T1112"], "nist": ["DE.CM"]} -known_false_positives = admin may disable this application for non technical user. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Disable Schedule Task - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is to detect a suspicious commandline to disable existing schedule task. This technique is used by adversaries or commodity malware like IcedID to disable security application (AV products) in the targetted host to evade detections. This TTP is a good pivot to check further why and what other process run before and after this detection. check which process execute the commandline and what task is disabled. parent child process is quite valuable in this scenario too. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -known_false_positives = admin may disable problematic schedule task -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Disable Security Logs Using MiniNt Registry - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is to detect a suspicious registry modification to disable security audit logs. This technique was shared by a researcher to disable Security logs of windows by adding this registry. The Windows will think it is WinPE and will not log any event to the Security Log -how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} -known_false_positives = Unknown. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Disable Show Hidden Files - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic is to identify a modification in the Windows registry to prevent users from seeing all the files with hidden attributes. This event or techniques are known on some worm and trojan spy malware that will drop hidden files on the infected machine. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1564.001", "T1562.001", "T1564", "T1562", "T1112"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Disable UAC Remote Restriction - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is to detect a suspicious modification of registry to disable UAC remote restriction. This technique was well documented in Microsoft page where attacker may modify this registry value to bypassed UAC feature of windows host. This is a good indicator that some tries to bypassed UAC to suspicious process or gain privilege escalation. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]} -known_false_positives = admin may set this policy for non-critical machine. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Disable Windows App Hotkeys - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects a suspicious registry modification to disable Windows hotkey (shortcut keys) for native Windows applications. This technique is commonly used to disable certain or several Windows applications like `taskmgr.exe` and `cmd.exe`. This technique is used to impair the analyst in analyzing and removing the attacker implant in compromised systems. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562", "T1112"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Disable Windows Behavior Monitoring - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies modifications in the registry to disable Windows Defender's real-time behavior monitoring. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths associated with Windows Defender settings. This activity is significant because disabling real-time protection is a common tactic used by malware such as RATs, bots, or Trojans to evade detection. If confirmed malicious, this action could allow an attacker to execute code, escalate privileges, or persist in the environment without being detected by antivirus software. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -known_false_positives = admin or user may choose to disable this windows features. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Disable Windows SmartScreen Protection - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following search identifies a modification of registry to disable the smartscreen protection of windows machine. This is windows feature provide an early warning system against website that might engage in phishing attack or malware distribution. This modification are seen in RAT malware to cover their tracks upon downloading other of its component or other payload. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -known_false_positives = admin or user may choose to disable this windows features. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Disabled Kerberos Pre-Authentication Discovery With Get-ADUser - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-ADUser` commandlet with specific parameters. `Get-ADUser` is part of the Active Directory PowerShell module used to manage Windows Active Directory networks. As the name suggests, `Get-ADUser` is used to query for domain users. With the appropiate parameters, Get-ADUser allows adversaries to discover domain accounts with Kerberos Pre Authentication disabled.\ Red Teams and adversaries alike use may abuse Get-ADUSer to enumerate these accounts and attempt to crack their passwords offline. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558", "T1558.004"], "nist": ["DE.CM"]} -known_false_positives = Administrators or power users may use search for accounts with Kerberos Pre Authentication disabled for legitimate purposes. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Disabled Kerberos Pre-Authentication Discovery With PowerView - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainUser` commandlet with specific parameters. `Get-DomainUser` is part of PowerView, a PowerShell tool used to perform enumeration on Windows Active Directory networks. As the name suggests, `Get-DomainUser` is used to identify domain users and combining it with `-PreauthNotRequired` allows adversaries to discover domain accounts with Kerberos Pre Authentication disabled. \ -Red Teams and adversaries alike use may leverage PowerView to enumerate these accounts and attempt to crack their passwords offline. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558", "T1558.004"], "nist": ["DE.CM"]} -known_false_positives = Administrators or power users may use PowerView for troubleshooting -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Disabling CMD Application - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search is to identify modification in registry to disable cmd prompt application. This technique is commonly seen in RAT, Trojan or WORM to prevent triaging or deleting there samples through cmd application which is one of the tool of analyst to traverse on directory and files. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562", "T1112"], "nist": ["DE.CM"]} -known_false_positives = admin may disable this application for non technical user. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Disabling ControlPanel - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects registry modifications that disable the Control Panel on Windows systems. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel" with a value of "0x00000001". This activity is significant as it is commonly used by malware to prevent users from accessing the Control Panel, thereby hindering the removal of malicious artifacts and persistence mechanisms. If confirmed malicious, this could allow attackers to maintain control over the infected machine and prevent remediation efforts. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562", "T1112"], "nist": ["DE.CM"]} -known_false_positives = admin may disable this application for non technical user. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Disabling Defender Services - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This particular behavior is typically executed when an adversaries or malware gains access to an endpoint and beings to perform execution and to evade detections. Usually, a batch (.bat) will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. Endpoint should be isolated. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -known_false_positives = admin or user may choose to disable windows defender product -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Disabling Firewall with Netsh - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the disabling of the firewall using the netsh application. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that include keywords like "firewall," "off," or "disable." This activity is significant because disabling the firewall can expose the system to external threats, allowing malware to communicate with its command and control (C2) server. If confirmed malicious, this action could lead to unauthorized data exfiltration, further malware downloads, and broader network compromise. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]} -known_false_positives = admin may disable firewall during testing or fixing network problem. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Disabling FolderOptions Windows Feature - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search is to identify registry modification to disable folder options feature of windows to show hidden files, file extension and etc. This technique used by malware in combination if disabling show hidden files feature to hide their files and also to hide the file extension to lure the user base on file icons or fake file extensions. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -known_false_positives = admin may disable this application for non technical user. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Disabling Net User Account - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the use of the `net.exe` utility to disable a user account via the command line. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant as it may indicate an adversary's attempt to disrupt user availability, potentially as a precursor to further malicious actions. If confirmed malicious, this could lead to denial of service for legitimate users, aiding the attacker in maintaining control or covering their tracks. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1531"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Disabling NoRun Windows App - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search is to identify modification of registry to disable run application in window start menu. this application is known to be a helpful shortcut to windows OS user to run known application and also to execute some reg or batch script. This technique is used malware to make cleaning of its infection more harder by preventing known application run easily through run shortcut. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562", "T1112"], "nist": ["DE.CM"]} -known_false_positives = admin may disable this application for non technical user. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Disabling Remote User Account Control - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies modifications to the registry key that controls the enforcement of Windows User Account Control (UAC). It detects changes to the registry path `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA` where the value is set to `0x00000000`. This activity is significant because disabling UAC can allow unauthorized changes to the system without user consent, potentially leading to privilege escalation. If confirmed malicious, an attacker could gain elevated privileges, making it easier to execute further attacks or maintain persistence within the environment. -how_to_implement = To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or via other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report registry modifications. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]} -known_false_positives = This registry key may be modified via administrators to implement a change in system policy. This type of change should be a very rare occurrence. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Disabling SystemRestore In Registry - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following search identifies the modification of registry related in disabling the system restore of a machine. This event or behavior are seen in some RAT malware to make the restore of the infected machine difficult and keep their infection on the box. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]} -known_false_positives = in some cases admin can disable systemrestore on a machine. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Disabling Task Manager - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search is to identifies modification of registry to disable the task manager of windows operating system. this event or technique are commonly seen in malware such as RAT, Trojan, TrojanSpy or worm to prevent the user to terminate their process. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -known_false_positives = admin may disable this application for non technical user. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Disabling Windows Local Security Authority Defences via Registry - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the deletion of registry keys that disable Local Security Authority (LSA) protection and Microsoft Defender Device Guard. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on registry actions and paths associated with LSA and Device Guard settings. This activity is significant because disabling these defenses can leave a system vulnerable to various attacks, including credential theft and unauthorized code execution. If confirmed malicious, this action could allow attackers to bypass critical security mechanisms, leading to potential system compromise and persistent access. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1556"], "nist": ["DE.CM"]} -known_false_positives = Potential to be triggered by an administrator disabling protections for troubleshooting purposes. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - DLLHost with no Command Line Arguments with Network - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies DLLHost.exe with no command line arguments with a network connection. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, triage any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} -known_false_positives = Although unlikely, some legitimate third party applications may use a moved copy of dllhost, triggering a false positive. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - DNS Exfiltration Using Nslookup App - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = this search is to detect potential DNS exfiltration using nslookup application. This technique are seen in couple of malware and APT group to exfiltrated collected data in a infected machine or infected network. This detection is looking for unique use of nslookup where it tries to use specific record type, TXT, A, AAAA, that are commonly used by attacker and also the retry parameter which is designed to query C2 DNS multiple tries. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048"], "nist": ["DE.CM"]} -known_false_positives = admin nslookup usage -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Domain Account Discovery with Dsquery - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic looks for the execution of `dsquery.exe` with command-line arguments utilized to discover domain users. The `user` argument returns a list of all users registered in the domain. Red Teams and adversaries alike engage in remote system discovery for situational awareness and Active Directory Discovery. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.AE"]} -known_false_positives = Administrators or power users may use this command for troubleshooting. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Domain Account Discovery With Net App - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic looks for the execution of `net.exe` or `net1.exe` with command-line arguments utilized to query for domain users. Red Teams and adversaries alike may use net.exe to enumerate domain users for situational awareness and Active Directory Discovery. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]} -known_false_positives = Administrators or power users may use this command for troubleshooting. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Domain Account Discovery with Wmic - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the execution of `wmic.exe` with command-line arguments used to query for domain users. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line patterns indicative of domain account discovery. This activity is significant as it often precedes lateral movement or privilege escalation attempts by adversaries. If confirmed malicious, this behavior could allow attackers to map out user accounts within the domain, facilitating further attacks and potentially compromising sensitive information. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]} -known_false_positives = Administrators or power users may use this command for troubleshooting. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Domain Controller Discovery with Nltest - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic looks for the execution of `nltest.exe` with command-line arguments utilized to discover remote systems. The arguments `/dclist:` and '/dsgetdc:', can be used to return a list of all domain controllers. Red Teams and adversaries alike may use nltest.exe to identify domain controllers in a Windows Domain for situational awareness and Active Directory Discovery. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]} -known_false_positives = Administrators or power users may use this command for troubleshooting. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Domain Controller Discovery with Wmic - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to discover remote systems. The arguments utilized in this command line return a list of all domain controllers in a Windows domain. Red Teams and adversaries alike use *.exe to identify remote systems for situational awareness and Active Directory Discovery. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.AE"]} -known_false_positives = Administrators or power users may use this command for troubleshooting. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Domain Group Discovery with Adsisearcher - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain groups. Red Teams and adversaries may leverage `[Adsisearcher]` to enumerate domain groups for situational awareness and Active Directory Discovery. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]} -known_false_positives = Administrators or power users may use Adsisearcher for troubleshooting. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Domain Group Discovery With Dsquery - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic looks for the execution of `dsquery.exe` with command-line arguments utilized to query for domain groups. The argument `group`, returns a list of all domain groups. Red Teams and adversaries alike use may leverage dsquery.exe to enumerate domain groups for situational awareness and Active Directory Discovery. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"]} -known_false_positives = Administrators or power users may use this command for troubleshooting. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Domain Group Discovery With Net - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic looks for the execution of `net.exe` with command-line arguments utilized to query for domain groups. The argument `group /domain`, returns a list of all domain groups. Red Teams and adversaries alike use net.exe to enumerate domain groups for situational awareness and Active Directory Discovery. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"]} -known_false_positives = Administrators or power users may use this command for troubleshooting. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Domain Group Discovery With Wmic - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to query for domain groups. The arguments utilized in this command return a list of all domain groups. Red Teams and adversaries alike use wmic.exe to enumerate domain groups for situational awareness and Active Directory Discovery. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"]} -known_false_positives = Administrators or power users may use this command for troubleshooting. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Download Files Using Telegram - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic will identify a suspicious download by the Telegram application on a Windows system. This behavior was identified on a honeypot where the adversary gained access, installed Telegram and followed through with downloading different network scanners (port, bruteforcer, masscan) to the system and later used to mapped the whole network and further move laterally. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and TargetFilename from your endpoints or Events that monitor filestream events which is happened when process download something. (EventCode 15) If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]} -known_false_positives = normal download of file in telegram app. (if it was a common app in network) -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Drop IcedID License dat - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search is to detect dropping a suspicious file named as "license.dat" in %appdata%. This behavior seen in latest IcedID malware that contain the actual core bot that will be injected in other process to do banking stealing. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204", "T1204.002"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - DSQuery Domain Discovery - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies "dsquery.exe" execution with arguments looking for `TrustedDomain` query directly on the command-line. This is typically indicative of an Administrator or adversary perform domain trust discovery. Note that this query does not identify any other variations of "Dsquery.exe" usage. \ -Within this detection, it is assumed `dsquery.exe` is not moved or renamed. \ -The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process "dsquery.exe" and its parent process. \ -DSQuery.exe is natively found in `C:\Windows\system32` and `C:\Windows\syswow64` and only on Server operating system. \ -The following DLL(s) are loaded when DSQuery.exe is launched `dsquery.dll`. If found loaded by another process, it is possible dsquery is running within that process context in memory. \ -In addition to trust discovery, review parallel processes for additional behaviors performed. Identify the parent process and capture any files (batch files, for example) being used. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1482"], "nist": ["DE.CM"]} -known_false_positives = Limited false positives. If there is a true false positive, filter based on command-line or parent process. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Dump LSASS via comsvcs DLL - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the behavior of dumping credentials from memory, a tactic commonly used by adversaries to exploit the Local Security Authority Subsystem Service (LSASS) in Windows, which manages system-level authentication. The detection is made by monitoring logs with process information from endpoints and identifying instances where the rundll32 process is used in conjunction with the comsvcs.dll and MiniDump. This indicates potential LSASS dumping attempts used by threat actors to obtain valuable credentials. The detection is important because credential theft can lead to broader system compromise, persistence, lateral movement, and escalated privileges. No legitimate use of this technique has been identified yet. This behavior is often part of more extensive attack campaigns and is associated with numerous threat groups that use the stolen credentials to access sensitive information or systems, leading to data theft, ransomware attacks, or other damaging outcomes. False positives can occur since legitimate uses of the LSASS process can cause benign activities to be flagged. Next steps include reviewing the processes involved in the LSASS dumping attempt after triage and inspecting any relevant on-disk artifacts and concurrent processes to identify the attack source. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} -known_false_positives = None identified. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Dump LSASS via procdump - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = Detect procdump.exe dumping the lsass process. This query looks for both -mm and -ma usage. -mm will produce a mini dump file and -ma will write a dump file with all process memory. Both are highly suspect and should be reviewed. This query does not monitor for the internal name (original_file_name=procdump) of the PE or look for procdump64.exe. Modify the query as needed. \ -During triage, confirm this is procdump.exe executing. If it is the first time a Sysinternals utility has been ran, it is possible there will be a -accepteula on the command line. Review other endpoint data sources for cross process (injection) into lsass.exe. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} -known_false_positives = None identified. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Elevated Group Discovery With Net - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic looks for the execution of `net.exe` or `net1.exe` with command-line arguments utilized to query for specific elevated domain groups. Red Teams and adversaries alike use net.exe to enumerate elevated domain groups for situational awareness and Active Directory Discovery to identify high privileged users. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]} -known_false_positives = Administrators or power users may use this command for troubleshooting. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Elevated Group Discovery with PowerView - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainGroupMember` commandlet. `Get-DomainGroupMember` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. As the name suggests, `Get-DomainGroupMember` is used to list the members of an specific domain group. Red Teams and adversaries alike use PowerView to enumerate elevated domain groups for situational awareness and Active Directory Discovery to identify high privileged users. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"]} -known_false_positives = Administrators or power users may use this PowerView for troubleshooting. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Elevated Group Discovery With Wmic - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to query for specific domain groups. Red Teams and adversaries alike use net.exe to enumerate elevated domain groups for situational awareness and Active Directory Discovery to identify high privileged users. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]} -known_false_positives = Administrators or power users may use this command for troubleshooting. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Enable RDP In Other Port Number - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search is to detect a modification to registry to enable rdp to a machine with different port number. This technique was seen in some atttacker tries to do lateral movement and remote access to a compromised machine to gain control of it. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Enable WDigest UseLogonCredential Registry - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is to detect a suspicious registry modification to enable plain text credential feature of windows. This technique was used by several malware and also by mimikatz to be able to dumpe the a plain text credential to the compromised or target host. This TTP is really a good indicator that someone wants to dump the crendential of the host so it must be a good pivot for credential dumping techniques. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112", "T1003"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Enumerate Users Local Group Using Telegram - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic will detect a suspicious Telegram process enumerating all network users in a local group. This technique was seen in a Monero infected honeypot to mapped all the users on the compromised system. EventCode 4798 is generated when a process enumerates a user's security-enabled local groups on a computer or device. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the Task Schedule (Exa. Security Log EventCode 4798) endpoints. Tune and filter known instances of process like logonUI used in your environment. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Esentutl SAM Copy - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the process - `esentutl.exe` - being used to capture credentials stored in ntds.dit or the SAM file on disk. During triage, review parallel processes and determine if legitimate activity. Upon determination of illegitimate activity, take further action to isolate and contain the threat. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.AE"]} -known_false_positives = False positives should be limited. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - ETW Registry Disabled - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects a registry modification that disables the Event Tracing for Windows (ETW) feature. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the ETWEnabled registry value under the .NETFramework path. This activity is significant because disabling ETW can allow attackers to evade Endpoint Detection and Response (EDR) tools and hide their execution from audit logs. If confirmed malicious, this action could enable attackers to operate undetected, potentially leading to further compromise and persistent access within the environment. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.006", "T1127", "T1562"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Eventvwr UAC Bypass - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following search identifies Eventvwr bypass by identifying the registry modification into a specific path that eventvwr.msc looks to (but is not valid) upon execution. A successful attack will include a suspicious command to be executed upon eventvwr.msc loading. Upon triage, review the parallel processes that have executed. Identify any additional registry modifications on the endpoint that may look suspicious. Remediate as necessary. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]} -known_false_positives = Some false positives may be present and will need to be filtered. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Excel Spawning PowerShell - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following detection identifies Microsoft Excel spawning PowerShell. Typically, this is not common behavior and not default with Excel.exe. Excel.exe will generally be found in the following path `C:\Program Files\Microsoft Office\root\Office16` (version will vary). PowerShell spawning from Excel.exe is common for a spearphishing attachment and is actively used. Albeit, the command executed will most likely be encoded and captured via another detection. During triage, review parallel processes and identify any files that may have been written. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.CM"]} -known_false_positives = False positives should be limited, but if any are present, filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Excel Spawning Windows Script Host - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following detection identifies Microsoft Excel spawning Windows Script Host - `cscript.exe` or `wscript.exe`. Typically, this is not common behavior and not default with Excel.exe. Excel.exe will generally be found in the following path `C:\Program Files\Microsoft Office\root\Office16` (version will vary). `cscript.exe` or `wscript.exe` default location is `c:\windows\system32\` or c:windows\syswow64`. `cscript.exe` or `wscript.exe` spawning from Excel.exe is common for a spearphishing attachment and is actively used. Albeit, the command-line executed will most likely be obfuscated and captured via another detection. During triage, review parallel processes and identify any files that may have been written. Review the reputation of the remote destination and block accordingly. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.CM"]} -known_false_positives = False positives should be limited, but if any are present, filter as needed. In some instances, `cscript.exe` is used for legitimate business practices. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Excessive Attempt To Disable Services - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a suspicious series of command-line executions attempting to disable multiple services. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on processes where "sc.exe" is used with parameters like "config" or "Disabled" within a short time frame. This activity is significant as it may indicate an adversary's attempt to disable security or other critical services to further compromise the system. If confirmed malicious, this could lead to the attacker achieving persistence, evading detection, or disabling security mechanisms, thereby increasing the risk of further exploitation. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Excessive distinct processes from Windows Temp - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic will identify suspicious series of process executions. We have observed that post exploit framework tools like Koadic and Meterpreter will launch an excessive number of processes with distinct file paths from Windows\Temp to execute actions on objective. This behavior is extremely anomalous compared to typical application behaviors that use Windows\Temp. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]} -known_false_positives = Many benign applications will create processes from executables in Windows\Temp, although unlikely to exceed the given threshold. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Excessive File Deletion In WinDefender Folder - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic identifies excessive file deletion events in the Windows Defender folder. This technique was observed in the WhisperGate malware campaign, where adversaries exploited Nirsoft's advancedrun.exe to gain administrative privileges and then executed PowerShell commands to delete files within the Windows Defender application folder. Such behavior is a strong indicator that the offending process is attempting to corrupt a Windows Defender installation. -how_to_implement = To successfully implement this search, you must ingest logs that include the process name, TargetFilename, and ProcessID executions from your endpoints. If you are utilizing Sysmon, ensure you have at least version 2.0 of the Sysmon TA installed. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.CM"]} -known_false_positives = Windows Defender AV updates may trigger this alert. Please adjust the filter macros to mitigate false positives. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Excessive number of service control start as disabled - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This detection targets behaviors observed when threat actors have used sc.exe to modify services. We observed malware in a honey pot spawning numerous sc.exe processes in a short period of time, presumably to impair defenses, possibly to block others from compromising the same machine. This detection will alert when we see both an excessive number of sc.exe processes launched with specific commandline arguments to disable the start of certain services. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]} -known_false_positives = Legitimate programs and administrators will execute sc.exe with the start disabled flag. It is possible, but unlikely from the telemetry of normal Windows operation we observed, that sc.exe will be called more than seven times in a short period of time. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Excessive number of taskhost processes - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This detection targets behaviors observed in post exploit kits like Meterpreter and Koadic that are run in memory. We have observed that these tools must invoke an excessive number of taskhost.exe and taskhostex.exe processes to complete various actions (discovery, lateral movement, etc.). It is extremely uncommon in the course of normal operations to see so many distinct taskhost and taskhostex processes running concurrently in a short time frame. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]} -known_false_positives = Administrators, administrative actions or certain applications may run many instances of taskhost and taskhostex concurrently. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Excessive Service Stop Attempt - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic identifies suspicious series of attempt to kill multiple services on a system using either `net.exe` or `sc.exe`. This technique is use by adversaries to terminate security services or other related services to continue there objective and evade detections. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Excessive Usage Of Cacls App - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies excessive usage of `cacls.exe`, `xcacls.exe` or `icacls.exe` application to change file or folder permission. This behavior is commonly seen where the adversary attempts to impair some users from deleting or accessing its malware components or artifact from the compromised system. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222"], "nist": ["DE.AE"]} -known_false_positives = Administrators or administrative scripts may use this application. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Excessive Usage Of Net App - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic identifies excessive usage of `net.exe` or `net1.exe` within a bucket of time (1 minute). This behavior was seen in a Monero incident where the adversary attempts to create many users, delete and disable users as part of its malicious behavior. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1531"], "nist": ["DE.AE"]} -known_false_positives = unknown. Filter as needed. Modify the time span as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Excessive Usage of NSLOOKUP App - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search is to detect potential DNS exfiltration using nslookup application. This technique are seen in couple of malware and APT group to exfiltrated collected data in a infected machine or infected network. This detection is looking for unique use of nslookup where it tries to use specific record type (TXT, A, AAAA) that are commonly used by attacker and also the retry parameter which is designed to query C2 DNS multiple tries. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of nslookup.exe may be used. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Excessive Usage Of SC Service Utility - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search is to detect a suspicious excessive usage of sc.exe in a host machine. This technique was seen in several ransomware , xmrig and other malware to create, modify, delete or disable a service may related to security application or to gain privilege escalation. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed taskkill.exe may be used. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1569", "T1569.002"], "nist": ["DE.AE"]} -known_false_positives = excessive execution of sc.exe is quite suspicious since it can modify or execute app in high privilege permission. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Excessive Usage Of Taskkill - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies excessive usage of `taskkill.exe`, a command-line utility used to terminate processes. The detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on instances where `taskkill.exe` is executed ten or more times within a one-minute span. This behavior is significant as adversaries often use `taskkill.exe` to disable security tools or other critical processes to evade detection. If confirmed malicious, this activity could allow attackers to bypass security defenses, maintain persistence, and further compromise the system. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]} -known_false_positives = Unknown. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Exchange PowerShell Abuse via SSRF - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic identifies suspicious behavior related to ProxyShell against on-premise Microsoft Exchange servers. This analytic has been replaced by GUID d436f9e7-0ee7-4a47-864b-6dea2c4e2752 which utilizes the Web Datamodel. \ -Modification of this analytic is requried to ensure fields are mapped accordingly. \ - \ -A suspicious event will have `PowerShell`, the method `POST` and `autodiscover.json`. This is indicative of accessing PowerShell on the back end of Exchange with SSRF. \ - \ -An event will look similar to `POST /autodiscover/autodiscover.json a=dsxvu@fnsso.flq/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3d...` (abbreviated) \ -Review the source attempting to perform this activity against your environment. In addition, review PowerShell logs and access recently granted to Exchange roles. -how_to_implement = The following analytic requires on-premise Exchange to be logging to Splunk using the TA - https://splunkbase.splunk.com/app/3225. Ensure logs are parsed correctly, or tune the analytic for your environment. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} -known_false_positives = Limited false positives, however, tune as needed. -providing_technologies = null - -[savedsearch://ESCU - Exchange PowerShell Module Usage - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the usage of Exchange PowerShell modules that were recently used for a proof of concept related to ProxyShell. Adversaries may abuse a limited set of PwSh Modules related to Exchange once gained access via ProxyShell or ProxyNotShell. \ -Inherently, the usage of the modules is not malicious, but reviewing parallel processes, and user, of the session will assist with determining the intent. \ -Module - New-MailboxExportRequest will begin the process of exporting contents of a primary mailbox or archive to a .pst file. \ -Module - New-managementroleassignment can assign a management role to a management role group, management role assignment policy, user, or universal security group (USG). \ -Module - New-MailboxSearch cmdlet to create a mailbox search and either get an estimate of search results, place search results on In-Place Hold or copy them to a Discovery mailbox. You can also place all contents in a mailbox on hold by not specifying a search query, which accomplishes similar results as Litigation Hold. \ Module - Get-Recipient cmdlet to view existing recipient objects in your organization. This cmdlet returns all mail-enabled objects (for example, mailboxes, mail users, mail contacts, and distribution groups). -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} -known_false_positives = Administrators or power users may use this PowerShell commandlet for troubleshooting. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Executable File Written in Administrative SMB Share - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies executable files (.exe or .dll) being written to Windows administrative SMB shares (Admin$, IPC$, C$). This represents suspicious behavior as its commonly used by tools like PsExec/PaExec and others to stage service binaries before creating and starting a Windows service on remote endpoints. Red Teams and adversaries alike may abuse administrative shares for lateral movement and remote code execution. The Trickbot malware family also implements this behavior to try to infect other machines in the infected network. -how_to_implement = To successfully implement this search, you need to be ingesting Windows Security Event Logs with 5145 EventCode enabled. The Windows TA is also required. Also enable the object Audit access success/failure in your group policy. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.002"], "nist": ["DE.CM"]} -known_false_positives = System Administrators may use looks like PsExec for troubleshooting or administrations tasks. However, this will typically come only from certain users and certain systems that can be added to an allow list. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Executables Or Script Creation In Suspicious Path - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic identifies potentially malicious executables or scripts by examining a list of suspicious file paths on Windows Operating System. The purpose of this technique is to uncover files with known file extensions that could be used by adversaries to evade detection and persistence. The suspicious file paths selected for investigation are typically uncommon and uncommonly associated with executable or script files. By scrutinizing these paths, we can proactively identify potential security threats and enhance overall system security. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036"], "nist": ["DE.AE"]} -known_false_positives = Administrators may allow creation of script or exe in the paths specified. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Execute Javascript With Jscript COM CLSID - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic will identify suspicious process of cscript.exe where it tries to execute javascript using jscript.encode CLSID (COM OBJ). This technique was seen in ransomware (reddot ransomware) where it execute javascript with this com object with combination of amsi disabling technique. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.005"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Execution of File with Multiple Extensions - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search looks for processes launched from files that have double extensions in the file name. This is typically done to obscure the "real" file extension and make it appear as though the file being accessed is a data file, as opposed to executable content. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036", "T1036.003"], "nist": ["DE.CM"]} -known_false_positives = None identified. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Extraction of Registry Hives - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the use of `reg.exe` exporting Windows Registry hives containing credentials. Adversaries may use this technique to export registry hives for offline credential access attacks. Typically found executed from a untrusted process or script. Upon execution, a file will be written to disk. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.CM"]} -known_false_positives = It is possible some agent based products will generate false positives. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - File with Samsam Extension - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects file writes with extensions that are consistent with a SamSam ransomware attack to proactively detect and respond to potential SamSam ransomware attacks, minimizing the impact and reducing the likelihood of successful ransomware infections. This detection is made by a Splunk query to search for specific file extensions that are commonly associated with SamSam ransomware, such as .stubbin, .berkshire, .satoshi, .sophos, and .keyxml. This identifies file extensions in the file names of the written files. If any file write events with these extensions are found, it suggests a potential SamSam ransomware attack. This detection is important because SamSam ransomware is a highly destructive and financially motivated attack and suggests that the organization is at risk of having its files encrypted and held for ransom, which can lead to significant financial losses, operational disruptions, and reputational damage. False positives might occur since legitimate files with these extensions can exist in the environment. Therefore, next steps include conducting a careful analysis and triage to confirm the presence of a SamSam ransomware attack. Next steps include taking immediate action to contain the attack, mitigate the impact, and prevent further spread of the ransomware. This might involve isolating affected systems, restoring encrypted files from backups, and conducting a thorough investigation to identify the attack source and prevent future incidents. -how_to_implement = You must be ingesting data that records file-system activity from your hosts to populate the Endpoint file-system data-model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data. -annotations = {"cis20": ["CIS 10"], "nist": ["DE.CM"]} -known_false_positives = Because these extensions are not typically used in normal operations, you should investigate all results. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Firewall Allowed Program Enable - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects a potential suspicious modification of firewall rule allowing to execute specific application. This technique was identified when an adversary and red teams to bypassed firewall file execution restriction in a targetted host. Take note that this event or command can run by administrator during testing or allowing legitimate tool or application. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.004", "T1562"], "nist": ["DE.AE"]} -known_false_positives = A network operator or systems administrator may utilize an automated or manual execution of this firewall rule that may generate false positives. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - First Time Seen Child Process of Zoom - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the first-time execution of child processes spawned by Zoom (zoom.exe or zoom.us). It leverages Endpoint Detection and Response (EDR) data, specifically monitoring process creation events and comparing them against previously seen child processes. This activity is significant because the execution of unfamiliar child processes by Zoom could indicate malicious exploitation or misuse of the application. If confirmed malicious, this could lead to unauthorized code execution, data exfiltration, or further compromise of the endpoint. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.AE"]} -known_false_positives = A new child process of zoom isn't malicious by that fact alone. Further investigation of the actions of the child process is needed to verify any malicious behavior is taken. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - First Time Seen Running Windows Service - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the first occurrence of a Windows service running in your environment. It leverages Windows system event logs, specifically EventCode 7036, to identify services entering the "running" state. This activity is significant because the appearance of a new or previously unseen service could indicate the installation of unauthorized or malicious software. If confirmed malicious, this activity could allow an attacker to execute arbitrary code, maintain persistence, or escalate privileges within the environment. Monitoring for new services helps in early detection of potential threats. -how_to_implement = While this search does not require you to adhere to Splunk CIM, you must be ingesting your Windows system event logs in order for this search to execute successfully. You should run the baseline search `Previously Seen Running Windows Services - Initial` to build the initial table of child processes and hostnames for this search to work. You should also schedule at the same interval as this search the second baseline search `Previously Seen Running Windows Services - Update` to keep this table up to date and to age out old Windows Services. Please update the `previously_seen_windows_services_window` macro to adjust the time window. Please ensure that the Splunk Add-on for Microsoft Windows is version 8.0.0 or above. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1569", "T1569.002"], "nist": ["DE.AE"]} -known_false_positives = A previously unseen service is not necessarily malicious. Verify that the service is legitimate and that was installed by a legitimate process. -providing_technologies = null - -[savedsearch://ESCU - FodHelper UAC Bypass - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = Fodhelper.exe has a known UAC bypass as it attempts to look for specific registry keys upon execution, that do not exist. Therefore, an attacker can write its malicious commands in these registry keys to be executed by fodhelper.exe with the highest privilege. \ -* `HKCU:\Software\Classes\ms-settings\shell\open\command` \ -* `HKCU:\Software\Classes\ms-settings\shell\open\command\DelegateExecute` \ -* `HKCU:\Software\Classes\ms-settings\shell\open\command\(default)` \ -Upon triage, fodhelper.exe will have a child process and read access will occur on the registry keys. Isolate the endpoint and review parallel processes for additional behavior. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112", "T1548.002", "T1548"], "nist": ["DE.CM"]} -known_false_positives = Limited to no false positives are expected. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Fsutil Zeroing File - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search is to detect a suspicious fsutil process to zeroing a target file. This technique was seen in lockbit ransomware where it tries to zero out its malware path as part of its defense evasion after encrypting the compromised host. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Get ADDefaultDomainPasswordPolicy with Powershell - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic looks for the execution of `powershell.exe` executing the Get-ADDefaultDomainPasswordPolicy commandlet used to obtain the password policy in a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.AE"]} -known_false_positives = Administrators or power users may use this command for troubleshooting. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Get ADDefaultDomainPasswordPolicy with Powershell Script Block - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-ADDefaultDomainPasswordPolicy` commandlet used to obtain the password policy in a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery. -how_to_implement = The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.AE"]} -known_false_positives = Administrators or power users may use this command for troubleshooting. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Get ADUser with PowerShell - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to enumerate domain users. The `Get-AdUser' commandlet returns a list of all domain users. Red Teams and adversaries alike may use this commandlet to identify remote systems for situational awareness and Active Directory Discovery. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.AE"]} -known_false_positives = Administrators or power users may use this command for troubleshooting. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Get ADUser with PowerShell Script Block - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-AdGUser` commandlet. The `Get-AdUser` commandlet is used to return a list of all domain users. Red Teams and adversaries may leverage this commandlet to enumerate domain groups for situational awareness and Active Directory Discovery. -how_to_implement = The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.AE"]} -known_false_positives = Administrators or power users may use this command for troubleshooting. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Get ADUserResultantPasswordPolicy with Powershell - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic looks for the execution of `powershell.exe` executing the Get ADUserResultantPasswordPolicy commandlet used to obtain the password policy in a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.CM"]} -known_false_positives = Administrators or power users may use this command for troubleshooting. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Get ADUserResultantPasswordPolicy with Powershell Script Block - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-ADUserResultantPasswordPolicy` commandlet used to obtain the password policy in a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery. -how_to_implement = The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.CM"]} -known_false_positives = Administrators or power users may use this command for troubleshooting. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Get DomainPolicy with Powershell - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic looks for the execution of `powershell.exe` executing the `Get-DomainPolicy` commandlet used to obtain the password policy in a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.CM"]} -known_false_positives = Administrators or power users may use this command for troubleshooting. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Get DomainPolicy with Powershell Script Block - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get DomainPolicy` commandlet used to obtain the password policy in a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery. -how_to_implement = The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.CM"]} -known_false_positives = Administrators or power users may use this command for troubleshooting. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Get-DomainTrust with PowerShell - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic identifies Get-DomainTrust from PowerView in order to gather domain trust information. Typically, this is utilized within a script being executed and used to enumerate the domain trust information. This grants the adversary an understanding of how large or small the domain is. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1482"], "nist": ["DE.CM"]} -known_false_positives = Limited false positives as this requires an active Administrator or adversary to bring in, import, and execute. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Get-DomainTrust with PowerShell Script Block - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ - \ -This analytic identifies Get-DomainTrust from PowerView in order to gather domain trust information. \ -During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1482"], "nist": ["DE.CM"]} -known_false_positives = It is possible certain system management frameworks utilize this command to gather trust information. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Get DomainUser with PowerShell - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to enumerate domain users. `Get-DomainUser` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may leverage PowerView to enumerate domain users for situational awareness and Active Directory Discovery. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]} -known_false_positives = Administrators or power users may use this command for troubleshooting. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Get DomainUser with PowerShell Script Block - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainUser` commandlet. `GetDomainUser` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may use PowerView to enumerate domain users for situational awareness and Active Directory Discovery. -how_to_implement = The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]} -known_false_positives = Administrators or power users may use this command for troubleshooting. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Get-ForestTrust with PowerShell - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic identifies Get-ForestTrust from PowerSploit in order to gather domain trust information. Typically, this is utilized within a script being executed and used to enumerate the domain trust information. This grants the adversary an understanding of how large or small the domain is. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1482"], "nist": ["DE.CM"]} -known_false_positives = Limited false positives as this requires an active Administrator or adversary to bring in, import, and execute. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Get-ForestTrust with PowerShell Script Block - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ - \ -This analytic identifies Get-ForestTrust from PowerSploit in order to gather domain trust information. \ -During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1482", "T1059.001"], "nist": ["DE.CM"]} -known_false_positives = False positives may be present. Tune as needed. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Get WMIObject Group Discovery - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following hunting analytic identifies the use of `Get-WMIObject Win32_Group` being used with PowerShell to identify local groups on the endpoint. \ Typically, by itself, is not malicious but may raise suspicion based on time of day, endpoint and username. \ During triage, review parallel processes and identify any further suspicious behavior. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.001"], "nist": ["DE.AE"]} -known_false_positives = False positives may be present. Tune as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Get WMIObject Group Discovery with Script Block Logging - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ - \ -This analytic identifies the usage of `Get-WMIObject Win32_Group`, which is typically used as a way to identify groups on the endpoint. Typically, by itself, is not malicious but may raise suspicion based on time of day, endpoint and username. \ -During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.001"], "nist": ["DE.AE"]} -known_false_positives = False positives may be present. Tune as needed. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - GetAdComputer with PowerShell - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to discover remote systems. The `Get-AdComputer' commandlet returns a list of all domain computers. Red Teams and adversaries alike may use this commandlet to identify remote systems for situational awareness and Active Directory Discovery. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.AE"]} -known_false_positives = Administrators or power users may use this command for troubleshooting. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - GetAdComputer with PowerShell Script Block - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-AdGroup` commandlet. The `Get-AdGroup` commandlet is used to return a list of all domain computers. Red Teams and adversaries may leverage this commandlet to enumerate domain computers for situational awareness and Active Directory Discovery. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.AE"]} -known_false_positives = Administrators or power users may use this PowerShell commandlet for troubleshooting. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - GetAdGroup with PowerShell - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for domain groups. The `Get-AdGroup` commandlnet is used to return a list of all groups available in a Windows Domain. Red Teams and adversaries alike may leverage this commandlet to enumerate domain groups for situational awareness and Active Directory Discovery. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"]} -known_false_positives = Administrators or power users may use this command for troubleshooting. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - GetAdGroup with PowerShell Script Block - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-AdGroup` commandlet. The `Get-AdGroup` commandlet is used to return a list of all domain groups. Red Teams and adversaries may leverage this commandlet to enumerate domain groups for situational awareness and Active Directory Discovery. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"]} -known_false_positives = Administrators or power users may use this PowerShell commandlet for troubleshooting. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - GetCurrent User with PowerShell - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic looks for the execution of `powerhsell.exe` with command-line arguments that execute the `GetCurrent` method of the WindowsIdentity .NET class. This method returns an object that represents the current Windows user. Red Teams and adversaries may leverage this method to identify the logged user on a compromised endpoint for situational awareness and Active Directory Discovery. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]} -known_false_positives = Administrators or power users may use this command for troubleshooting. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - GetCurrent User with PowerShell Script Block - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `GetCurrent` method of the WindowsIdentity .NET class. This method returns an object that represents the current Windows user. Red Teams and adversaries may leverage this method to identify the logged user on a compromised endpoint for situational awareness and Active Directory Discovery. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]} -known_false_positives = Administrators or power users may use this PowerShell commandlet for troubleshooting. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - GetDomainComputer with PowerShell - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to discover remote systems. `Get-DomainComputer` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may leverage PowerView to enumerate domain groups for situational awareness and Active Directory Discovery. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]} -known_false_positives = Administrators or power users may use PowerView for troubleshooting. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - GetDomainComputer with PowerShell Script Block - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainComputer` commandlet. `GetDomainComputer` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may use PowerView to enumerate domain computers for situational awareness and Active Directory Discovery. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]} -known_false_positives = Administrators or power users may use PowerView for troubleshooting. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - GetDomainController with PowerShell - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to discover remote systems. `Get-DomainController` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may leverage PowerView to enumerate domain groups for situational awareness and Active Directory Discovery. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.AE"]} -known_false_positives = Administrators or power users may use PowerView for troubleshooting. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - GetDomainController with PowerShell Script Block - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainController` commandlet. `Get-DomainController` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may use PowerView to enumerate domain computers for situational awareness and Active Directory Discovery. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]} -known_false_positives = Administrators or power users may use this PowerShell commandlet for troubleshooting. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - GetDomainGroup with PowerShell - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for domain groups. `Get-DomainGroup` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may leverage PowerView to enumerate domain groups for situational awareness and Active Directory Discovery. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]} -known_false_positives = Administrators or power users may use this command for troubleshooting. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - GetDomainGroup with PowerShell Script Block - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainGroup` commandlet. `Get-DomainGroup` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. As the name suggests, `Get-DomainGroup` is used to query domain groups. Red Teams and adversaries may leverage this function to enumerate domain groups for situational awareness and Active Directory Discovery. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]} -known_false_positives = Administrators or power users may use this PowerView functions for troubleshooting. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - GetLocalUser with PowerShell - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for local users. The `Get-LocalUser` commandlet is used to return a list of all local users. Red Teams and adversaries may leverage this commandlet to enumerate users for situational awareness and Active Directory Discovery. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.001"], "nist": ["DE.AE"]} -known_false_positives = Administrators or power users may use this PowerShell commandlet for troubleshooting. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - GetLocalUser with PowerShell Script Block - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-LocalUser` commandlet. The `Get-LocalUser` commandlet is used to return a list of all local users. Red Teams and adversaries may leverage this commandlet to enumerate users for situational awareness and Active Directory Discovery. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1087", "T1087.001", "T1059.001"], "nist": ["DE.AE"]} -known_false_positives = Administrators or power users may use this PowerShell commandlet for troubleshooting. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - GetNetTcpconnection with PowerShell - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic looks for the execution of `powershell.exe` with command-line utilized to get a listing of network connections on a compromised system. The `Get-NetTcpConnection` commandlet lists the current TCP connections. Red Teams and adversaries alike may use this commandlet for situational awareness and Active Directory Discovery. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1049"], "nist": ["DE.AE"]} -known_false_positives = Administrators or power users may use this command for troubleshooting. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - GetNetTcpconnection with PowerShell Script Block - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-NetTcpconnection ` commandlet. This commandlet is used to return a listing of network connections on a compromised system. Red Teams and adversaries alike may use this commandlet for situational awareness and Active Directory Discovery. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1049"], "nist": ["DE.AE"]} -known_false_positives = Administrators or power users may use this PowerShell commandlet for troubleshooting. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - GetWmiObject Ds Computer with PowerShell - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to discover remote systems. The `Get-WmiObject` commandlet combined with the `DS_Computer` parameter can be used to return a list of all domain computers. Red Teams and adversaries alike may leverage WMI in this case, using PowerShell, to enumerate domain groups for situational awareness and Active Directory Discovery. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]} -known_false_positives = Administrators or power users may use this command for troubleshooting. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - GetWmiObject Ds Computer with PowerShell Script Block - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-WmiObject` commandlet. The `DS_Computer` class parameter leverages WMI to query for all domain computers. Red Teams and adversaries may leverage this commandlet to enumerate domain computers for situational awareness and Active Directory Discovery. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]} -known_false_positives = Administrators or power users may use this PowerShell commandlet for troubleshooting. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - GetWmiObject Ds Group with PowerShell - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for domain groups. The `Get-WmiObject` commandlet combined with the `-class ds_group` parameter can be used to return the full list of groups in a Windows domain. Red Teams and adversaries alike may leverage WMI in this case, using PowerShell, to enumerate domain groups for situational awareness and Active Directory Discovery. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]} -known_false_positives = Administrators or power users may use this command for troubleshooting. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - GetWmiObject Ds Group with PowerShell Script Block - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-WmiObject` commandlet used with specific parameters . The `DS_Group` parameter leverages WMI to query for all domain groups. Red Teams and adversaries may leverage this commandlet to enumerate domain groups for situational awareness and Active Directory Discovery. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]} -known_false_positives = Administrators or power users may use this PowerShell commandlet for troubleshooting. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - GetWmiObject DS User with PowerShell - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for domain users. The `Get-WmiObject` commandlet combined with the `-class ds_user` parameter can be used to return the full list of users in a Windows domain. Red Teams and adversaries alike may leverage WMI in this case, using PowerShell, to enumerate domain users for situational awareness and Active Directory Discovery. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]} -known_false_positives = Administrators or power users may use this command for troubleshooting. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - GetWmiObject DS User with PowerShell Script Block - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-WmiObject` commandlet. The `DS_User` class parameter leverages WMI to query for all domain users. Red Teams and adversaries may leverage this commandlet to enumerate domain users for situational awareness and Active Directory Discovery. -how_to_implement = The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]} -known_false_positives = Administrators or power users may use this command for troubleshooting. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - GetWmiObject User Account with PowerShell - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query local users. The `Get-WmiObject` commandlet combined with the `Win32_UserAccount` parameter is used to return a list of all local users. Red Teams and adversaries may leverage this commandlet to enumerate users for situational awareness and Active Directory Discovery. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.001"], "nist": ["DE.AE"]} -known_false_positives = Administrators or power users may use this PowerShell commandlet for troubleshooting. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - GetWmiObject User Account with PowerShell Script Block - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-WmiObject` commandlet used with specific parameters. The `Win32_UserAccount` parameter is used to return a list of all local users. Red Teams and adversaries may leverage this commandlet to enumerate users for situational awareness and Active Directory Discovery. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1087", "T1087.001", "T1059.001"], "nist": ["DE.AE"]} -known_false_positives = Administrators or power users may use this PowerShell commandlet for troubleshooting. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - GPUpdate with no Command Line Arguments with Network - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies gpupdate.exe with no command line arguments and with a network connection. It is unusual for gpupdate.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, triage any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. gpupdate.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} -known_false_positives = Limited false positives may be present in small environments. Tuning may be required based on parent process. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Headless Browser Mockbin or Mocky Request - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies headless browser activity accessing mockbin.org or mocky.io. Mockbin.org and mocky.io are web services that allow users to mock HTTP requests and responses. The detection is based on the presence of "--headless" and "--disable-gpu" command line arguments which are commonly used in headless browsing and the presence of mockbin.org or mocky.io in the process. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1564.003"], "nist": ["DE.CM"]} -known_false_positives = False positives are not expected with this detection, unless within the organization there is a legitimate need for headless browsing accessing mockbin.org or mocky.io. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Headless Browser Usage - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following hunting analytic is designed to detect the usage of headless browsers in an organization. Headless browsers are web browsers without a graphical user interface and are operated via a command line interface or network requests. They are often used for automating tasks but can also be utilized by adversaries for malicious activities such as web scraping, automated testing, and performing actions on web pages without detection. The detection is based on the presence of "--headless" and "--disable-gpu" command line arguments which are commonly used in headless browsing. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1564.003"], "nist": ["DE.AE"]} -known_false_positives = This hunting analytic is meant to assist with baselining and understanding headless browsing in use. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Hide User Account From Sign-In Screen - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic identifies a suspicious registry modification to hide a user account on the Windows Login screen. This technique was seen in some tradecraft where the adversary will create a hidden user account with Admin privileges in login screen to avoid noticing by the user that they already compromise and to persist on that said machine. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -known_false_positives = Unknown. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Hiding Files And Directories With Attrib exe - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = Attackers leverage an existing Windows binary, attrib.exe, to mark specific as hidden by using specific flags so that the victim does not see the file. The search looks for specific command-line arguments to detect the use of attrib.exe to hide files. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222", "T1222.001"], "nist": ["DE.CM"]} -known_false_positives = Some applications and users may legitimately use attrib.exe to interact with the files. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - High Frequency Copy Of Files In Network Share - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is to detect a suspicious high frequency copying/moving of files in network share as part of information sabotage. This anomaly event can be a good indicator of insider trying to sabotage data by transfering classified or internal files within network share to exfitrate it after or to lure evidence of insider attack to other user. This behavior may catch several noise if network share is a common place for classified or internal document processing. -how_to_implement = To successfully implement this search, you need to be ingesting Windows Security Event Logs with 5145 EventCode enabled. The Windows TA is also required. Also enable the object Audit access success/failure in your group policy. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1537"], "nist": ["DE.AE"]} -known_false_positives = This behavior may seen in normal transfer of file within network if network share is common place for sharing documents. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - High Process Termination Frequency - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is designed to identify a high frequency of process termination events on a computer in a short period of time, which is a common behavior of ransomware malware before encrypting files. This technique is designed to avoid an exception error while accessing (docs, images, database and etc..) in the infected machine for encryption. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the Image (process full path of terminated process) from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1486"], "nist": ["DE.AE"]} -known_false_positives = admin or user tool that can terminate multiple process. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Hunting 3CXDesktopApp Software - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The hunting analytic outlined below is designed to detect any version of the 3CXDesktopApp, also known as the 3CX Desktop App, operating on either Mac or Windows systems. It is important to note that this particular analytic employs the Endpoint datamodel Processes node, which means that the file version information is not provided. Recently, 3CX has identified a vulnerability specifically in versions 18.12.407 and 18.12.416 of the desktop app. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1195.002"], "nist": ["DE.AE"]} -known_false_positives = There may be false positives generated due to the reliance on version numbers for identification purposes. Despite this limitation, the primary goal of this approach is to aid in the detection of the software within the environment. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Icacls Deny Command - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic identifies instances where an adversary modifies the security permissions of a particular file or directory. This technique is frequently observed in the tradecraft of Advanced Persistent Threats (APTs) and coinminer scripts. The purpose of this behavior is to actively evade detection and impede access to their associated files. By identifying these security permission changes, we can enhance our ability to detect and respond to potential threats, mitigating the impact of malicious activities on the system. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222"], "nist": ["DE.CM"]} -known_false_positives = Unknown. It is possible some administrative scripts use ICacls. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - ICACLS Grant Command - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic identifies adversaries who manipulate the security permissions of specific files or directories by granting additional access. This technique is frequently observed in the tradecraft of Advanced Persistent Threats (APTs) and coinminer scripts. The objective behind this behavior is to actively evade detection mechanisms and tightly control access to their associated files. By identifying these security permission modifications, we can improve our ability to identify and respond to potential threats, thereby minimizing the impact of malicious activities on the system. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222"], "nist": ["DE.CM"]} -known_false_positives = Unknown. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - IcedID Exfiltrated Archived File Creation - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the creation of suspicious files named passff.tar and cookie.tar, which are indicative of archived stolen browser information such as history and cookies on a machine compromised with IcedID. It leverages Sysmon EventCode 11 to identify these specific filenames. This activity is significant because it suggests that sensitive browser data has been exfiltrated, which could lead to further exploitation or data breaches. If confirmed malicious, this could allow attackers to access personal information, conduct further phishing attacks, or escalate their presence within the network. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1560.001", "T1560"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Impacket Lateral Movement Commandline Parameters - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic looks for the presence of suspicious commandline parameters typically present when using Impacket tools. Impacket is a collection of python classes meant to be used with Microsoft network protocols. There are multiple scripts that leverage impacket libraries like `wmiexec.py`, `smbexec.py`, `dcomexec.py` and `atexec.py` used to execute commands on remote endpoints. By default, these scripts leverage administrative shares and hardcoded parameters that can be used as a signature to detect its use. Red Teams and adversaries alike may leverage Impackets tools for lateral movement and remote code execution. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1021", "T1021.002", "T1021.003", "T1047", "T1543.003"], "nist": ["DE.CM"]} -known_false_positives = Although uncommon, Administrators may leverage Impackets tools to start a process on remote systems for system administration or automation use cases. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic focuses on identifying suspicious command-line parameters commonly associated with the use of Impacket wmiexec.py. Impacket is a set of Python classes designed for working with Microsoft network protocols, and it includes several scripts like wmiexec.py, smbexec.py, dcomexec.py, and atexec.py that enable command execution on remote endpoints. These scripts typically utilize administrative shares and hardcoded parameters, which can serve as signatures to detect their usage. Both Red Teams and adversaries may employ Impacket tools for lateral movement and remote code execution purposes. By monitoring for these specific command-line indicators, the analytic aims to detect potentially malicious activities related to Impacket tool usage. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1021", "T1021.002", "T1021.003", "T1047", "T1543.003"], "nist": ["DE.CM"]} -known_false_positives = Although uncommon, Administrators may leverage Impackets tools to start a process on remote systems for system administration or automation use cases. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic looks for the presence of suspicious commandline parameters typically present when using Impacket tools. Impacket is a collection of python classes meant to be used with Microsoft network protocols. There are multiple scripts that leverage impacket libraries like `wmiexec.py`, `smbexec.py`, `dcomexec.py` and `atexec.py` used to execute commands on remote endpoints. By default, these scripts leverage administrative shares and hardcoded parameters that can be used as a signature to detect its use. Red Teams and adversaries alike may leverage Impackets tools for lateral movement and remote code execution. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1021", "T1021.002", "T1021.003", "T1047", "T1543.003"], "nist": ["DE.CM"]} -known_false_positives = Although uncommon, Administrators may leverage Impackets tools to start a process on remote systems for system administration or automation use cases. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Interactive Session on Remote Endpoint with PowerShell - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the usage of the `Enter-PSSession`. This commandlet can be used to open an interactive session on a remote endpoint leveraging the WinRM protocol. Red Teams and adversaries alike may abuse WinRM and `Enter-PSSession` for lateral movement and remote code execution. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup instructions can be found https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.006"], "nist": ["DE.CM"]} -known_false_positives = Administrators may leverage WinRM and `Enter-PSSession` for administrative and troubleshooting tasks. This activity is usually limited to a small set of hosts or users. In certain environments, tuning may not be possible. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Java Class File download by Java User Agent - Rule] -type = detection -asset_type = Web Server -confidence = medium -explanation = The following analytic identifies a Java user agent performing a GET request for a .class file from the remote site. This is potentially indicative of exploitation of the Java application and may be related to current event CVE-2021-44228 (Log4Shell). -how_to_implement = To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. For additional filtering, allow list private IP space or restrict by known good. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} -known_false_positives = Filtering may be required in some instances, filter as needed. -providing_technologies = null - -[savedsearch://ESCU - Java Writing JSP File - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the process java writing a .jsp to disk. This is potentially indicative of a web shell being written to disk. Modify and tune the analytic based on data ingested. For instance, it may be worth running a broad query for jsp file writes first before performing a join. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} -known_false_positives = False positives are possible and filtering may be required. Restrict by assets or filter known jsp files that are common for the environment. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Jscript Execution Using Cscript App - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search is to detect a execution of jscript using cscript process. Commonly when a user run jscript file it was executed by wscript.exe application. This technique was seen in FIN7 js implant to execute its malicious script using cscript process. This behavior is uncommon and a good artifacts to check further anomalies within the network -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.007"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Kerberoasting spn request with RC4 encryption - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic leverages Kerberos Event 4769, A Kerberos service ticket was requested, to identify a potential kerberoasting attack against Active Directory networks. Kerberoasting allows an adversary to request kerberos tickets for domain accounts typically used as service accounts and attempt to crack them offline allowing them to obtain privileged access to the domain. This analytic looks for a specific combination of the Ticket_Options field based on common kerberoasting tools. Defenders should be aware that it may be possible for a Kerberoast attack to use different Ticket_Options. -how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558", "T1558.003"], "nist": ["DE.CM"]} -known_false_positives = Older systems that support kerberos RC4 by default like NetApp may generate false positives. Filter as needed -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Kerberos Pre-Authentication Flag Disabled in UserAccountControl - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic leverages Windows Security Event 4738, `A user account was changed`, to identify a change performed on a domain user object that disables Kerberos Pre-Authentication. Disabling the Pre Authentication flag in the UserAccountControl property allows an adversary to easily perform a brute force attack against the user's password offline leveraging the ASP REP Roasting technique. Red Teams and adversaries alike who have obtained privileges in an Active Directory network may use this technique as a backdoor or a way to escalate privileges. -how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `User Account Management` within `Account Management` needs to be enabled. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558", "T1558.004"], "nist": ["DE.CM"]} -known_false_positives = Unknown. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Kerberos Pre-Authentication Flag Disabled with PowerShell - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Set-ADAccountControl` commandlet with specific parameters. `Set-ADAccountControl` is part of the Active Directory PowerShell module used to manage Windows Active Directory networks. As the name suggests, `Set-ADAccountControl` is used to modify User Account Control values for an Active Directory domain account. With the appropiate parameters, Set-ADAccountControl allows adversaries to disable Kerberos Pre-Authentication for an account to to easily perform a brute force attack against the user's password offline leveraging the ASP REP Roasting technique. Red Teams and adversaries alike who have obtained privileges in an Active Directory network may use this technique as a backdoor or a way to escalate privileges. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558", "T1558.004"], "nist": ["DE.CM"]} -known_false_positives = Although unlikely, Administrators may need to set this flag for legitimate purposes. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Kerberos Service Ticket Request Using RC4 Encryption - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic leverages Kerberos Event 4769, A Kerberos service ticket was requested, to identify a potential Kerberos Service Ticket request related to a Golden Ticket attack. Adversaries who have obtained the Krbtgt account NTLM password hash may forge a Kerberos Granting Ticket (TGT) to obtain unrestricted access to an Active Directory environment. Armed with a Golden Ticket, attackers can request service tickets to move laterally and execute code on remote systems. Looking for Kerberos Service Ticket requests using the legacy RC4 encryption mechanism could represent the second stage of a Golden Ticket attack. RC4 usage should be rare on a modern network since Windows Vista & Windows Sever 2008 and newer support AES Kerberos encryption.\ Defenders should note that if an attacker does not leverage the NTLM password hash but rather the AES key to create a golden ticket, this detection may be bypassed. -how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558", "T1558.001"], "nist": ["DE.CM"]} -known_false_positives = Based on Microsoft documentation, legacy systems or applications will use RC4-HMAC as the default encryption for Kerberos Service Ticket requests. Specifically, systems before Windows Server 2008 and Windows Vista. Newer systems will use AES128 or AES256. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Kerberos TGT Request Using RC4 Encryption - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic leverages Event 4768, A Kerberos authentication ticket (TGT) was requested, to identify a TGT request with encryption type 0x17, or RC4-HMAC. This encryption type is no longer utilized by newer systems and could represent evidence of an OverPass The Hash attack. Similar to Pass The Hash, OverPass The Hash is a form of credential theft that allows adversaries to move laterally or consume resources in a target network. Leveraging this attack, an adversary who has stolen the NTLM hash of a valid domain account is able to authenticate to the Kerberos Distribution Center(KDC) on behalf of the legitimate account and obtain a Kerberos TGT ticket. Depending on the privileges of the compromised account, this ticket may be used to obtain unauthorized access to systems and other network resources. -how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1550"], "nist": ["DE.CM"]} -known_false_positives = Based on Microsoft documentation, legacy systems or applications will use RC4-HMAC as the default encryption for TGT requests. Specifically, systems before Windows Server 2008 and Windows Vista. Newer systems will use AES128 or AES256. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Kerberos User Enumeration - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic leverages Event Id 4768, A Kerberos authentication ticket (TGT) was requested, to identify one source endpoint trying to obtain an unusual number Kerberos TGT ticket for non existing users. This behavior could represent an adversary abusing the Kerberos protocol to perform a user enumeration attack against an Active Directory environment. When Kerberos is sent a TGT request with no preauthentication for an invalid username, it responds with KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN or 0x6. Red teams and adversaries alike may abuse the Kerberos protocol to validate a list of users use them to perform further attacks.\ The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number requests. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. -how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Reconnaissance"], "mitre_attack": ["T1589", "T1589.002"], "nist": ["DE.AE"]} -known_false_positives = Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Known Services Killed by Ransomware - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search detects a suspicioous termination of known services killed by ransomware before encrypting files in a compromised machine. This technique is commonly seen in most of ransomware now a days to avoid exception error while accessing the targetted files it wants to encrypts because of the open handle of those services to the targetted file. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the 7036 EventCode ScManager in System audit Logs from your endpoints. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]} -known_false_positives = Admin activities or installing related updates may do a sudden stop to list of services we monitor. -providing_technologies = null - -[savedsearch://ESCU - Linux Account Manipulation Of SSH Config and Keys - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is to detect a deletion of ssh key in a linux machine. attacker may delete or modify ssh key to impair some security features or act as defense evasion in compromised linux machine. This Anomaly can be also a good indicator of a malware trying to wipe or delete several files in a compromised host as part of its destructive payload like what acidrain malware does in linux or router machines. This detection can be a good pivot to check what process and user tries to delete this type of files which is not so common and need further investigation. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.AE"]} -known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Add Files In Known Crontab Directories - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic aims to detect unauthorized activities through suspicious file creation in recognized cron table directories, prevalent Unix-based locations for scheduling tasks. This behavior is often exploited by nefarious entities like malware or threat actors, including red teamers, to establish persistence on a targeted or compromised host. The analogy to Windows-based scheduled tasks helps explain the utility of a crontab or cron job. To enhance clarity and actionable intelligence, the anomaly query flags the anomaly, urging further investigation into the added file's details. A cybersecurity analyst should consider additional data points such as the user identity involved, the file's nature and purpose, file origin, timestamp, and any changes in system behavior post file execution. This comprehensive understanding aids in accurately determining the file's legitimacy, facilitating prompt and effective response actions. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} -known_false_positives = Administrator or network operator can create file in crontab folders for automation purposes. Please update the filter macros to remove false positives. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Add User Account - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic looks for commands to create user accounts on the linux platform. This technique is commonly abuse by adversaries, malware author and red teamers to persist on the targeted or compromised host by creating new user with an elevated privilege. This Hunting query may catch normal creation of user by administrator so filter is needed. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.AE"]} -known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Adding Crontab Using List Parameter - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies suspicious modifications to cron jobs on Linux systems using the crontab command with list parameters. This command line parameter can be abused by malware like Industroyer2, as well as adversaries and red teamers, to add a crontab entry for executing their malicious code on a schedule of their choice. However, it's important to note that administrators or normal users may also use this command for legitimate automation purposes, so filtering is required to minimize false positives. Identifying the modification of cron jobs using list parameters is valuable for a SOC as it indicates potential malicious activity or an attempt to establish persistence on the system. If a true positive is detected, further investigation should be conducted to analyze the added cron job, its associated command, and the impact it may have on the system. This includes examining the purpose of the job, reviewing any on-disk artifacts, and identifying any related processes or activities occurring concurrently. The impact of a true positive can range from unauthorized execution of malicious code to data destruction or other damaging outcomes. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} -known_false_positives = Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux apt-get Privilege Escalation - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The apt-get is a command line tool for interacting with the Advanced Package Tool (APT) library (a package management system for Linux distributions). It allows you to search for, install, manage, update, and remove software. The tool does not build software from the source code. If sudo right is given to the tool for user, then the user can run system commands as root and possibly get a root shell. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} -known_false_positives = False positives may be present, filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux APT Privilege Escalation - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = Advanced Package Tool, more commonly known as APT, is a collection of tools used to install, update, remove, and otherwise manage software packages on Debian and its derivative operating systems, including Ubuntu and Linux Mint. If sudo right is given to the tool for user, then the user can run system commands as root and possibly get a root shell. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} -known_false_positives = False positives may be present, filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux At Allow Config File Creation - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the creation of suspicious configuration files, /etc/at.allow or /etc/at.deny, in Linux. These files are commonly abused by malware, adversaries, or red teamers to establish persistence on compromised hosts. The configuration files determine which users are allowed to execute the "at" application, which is used for scheduling tasks in Linux. Attackers can add their user or a compromised username to these files to execute malicious code using "at." It's important to consider potential false positives as administrators or network operators may create these files for legitimate automation purposes. Adjust the filter macros to minimize false positives. \ -Identifying the creation of these configuration files is valuable for a SOC as it indicates potential unauthorized activities or an attacker attempting to establish persistence. If a true positive is found, further investigation is necessary to examine the contents of the created configuration file and determine the source of creation. The impact of a true positive can vary but could result in unauthorized execution of malicious code, data theft, or other detrimental consequences. Analysts should review the file path, creation time, and associated processes to assess the extent of the attack and initiate appropriate response actions. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} -known_false_positives = Administrator or network operator can create this file for automation purposes. Please update the filter macros to remove false positives. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux At Application Execution - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the execution of the "At" application in Linux, which can be used by attackers to create persistence entries on a compromised host. The "At" application can be used for automation purposes by administrators or network operators, so the filter macros should be updated to remove false positives. If a true positive is found, it suggests an attacker is trying to maintain access to the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. To implement this analytic, ensure you are ingesting logs with the required fields from your endpoints into the Endpoint datamodel. When a true positive is detected, it suggests that an attacker is attempting to establish persistence or deliver additional malicious payloads by leveraging the "At" application. This behavior can lead to data theft, ransomware attacks, or other damaging outcomes. \ -During triage, the SOC analyst should review the context surrounding the execution of the "At" application. This includes identifying the user, the parent process responsible for invoking the application, and the specific command-line arguments used. It is important to consider whether the execution is expected behavior by an administrator or network operator for legitimate automation purposes. \ -The presence of "At" application execution may indicate an attacker's attempt to maintain unauthorized access to the environment. Immediate investigation and response are necessary to mitigate further risks, identify the attacker's intentions, and prevent potential harm to the organization. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.002", "T1053"], "nist": ["DE.AE"]} -known_false_positives = Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux AWK Privilege Escalation - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = Awk is mostly used for processing and scanning patterns. It checks one or more files to determine whether any lines fit the specified patterns, and if so, it does the appropriate action. If sudo right is given to AWK binary for the user, then the user can run system commands as root and possibly get a root shell. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} -known_false_positives = False positives are present based on automated tooling or system administrative usage. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Busybox Privilege Escalation - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = BusyBox combines tiny versions of many common UNIX utilities into a single small executable. It provides minimalist replacements for most of the utilities you usually find in GNU coreutils, util-linux, etc. If sudo right is given to BusyBox application for the user, then the user can run system commands as root and possibly get a root shell. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} -known_false_positives = False positives may be present, filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux c89 Privilege Escalation - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The c89 and cc commands compile, assemble, and link-edit C programs; the cxx or c++ command does the same for C++ programs. The c89 command should be used when compiling C programs that are written according to Standard C. If sudo right is given to c89 application for the user, then the user can run system commands as root and possibly get a root shell. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} -known_false_positives = False positives may be present, filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux c99 Privilege Escalation - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The c99 utility is an interface to the standard C compilation system; it shall accept source code conforming to the ISO C standard. The system conceptually consists of a compiler and link editor. If sudo right is given to ruby application for the user, then the user can run system commands as root and possibly get a root shell. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} -known_false_positives = False positives may be present, filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Change File Owner To Root - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic looks for a commandline that change the file owner to root using chown utility tool. This technique is commonly abuse by adversaries, malware author and red teamers to escalate privilege to the targeted or compromised host by changing the owner of their malicious file to root. This event is not so common in corporate network except from the administrator doing normal task that needs high privilege. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222.002", "T1222"], "nist": ["DE.AE"]} -known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Clipboard Data Copy - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the use of the Linux 'xclip' command to copy data from the clipboard. It leverages Endpoint Detection and Response (EDR) telemetry, focusing on process names and command-line arguments related to clipboard operations. This activity is significant because adversaries can exploit clipboard data to capture sensitive information such as passwords or IP addresses. If confirmed malicious, this technique could lead to unauthorized data exfiltration, compromising sensitive information and potentially aiding further attacks within the environment. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1115"], "nist": ["DE.AE"]} -known_false_positives = False positives may be present on Linux desktop as it may commonly be used by administrators or end users. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Common Process For Elevation Control - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is to look for possible elevation control access using a common known process in linux platform to change the attribute and file ownership. This technique is commonly abused by adversaries, malware author and red teamers to gain persistence or privilege escalation on the target or compromised host. This common process is used to modify file attribute, file ownership or SUID. This tools can be used in legitimate purposes so filter is needed. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.001", "T1548"], "nist": ["DE.AE"]} -known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Composer Privilege Escalation - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = Composer is a tool for dependency management in PHP. It allows you to declare the libraries your project depends on and it will manage (install/update) them for you. If sudo right is given to tool for the user, then the user can run system commands as root and possibly get a root shell. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} -known_false_positives = False positives may be present, filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Cpulimit Privilege Escalation - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = cpulimit is a simple program which attempts to limit the cpu usage of a process (expressed in percentage, not in cpu time). This is useful to control batch jobs, when you don't want them to eat too much cpu. If sudo right is given to the program for the user, then the user can run system commands as root and possibly get a root shell. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} -known_false_positives = False positives may be present, filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Csvtool Privilege Escalation - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = csvtool is an easy to use command-line tool to work with .CSV files. If sudo right is given to the tool for the user, then the user can run system commands as root and possibly get a root shell. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} -known_false_positives = False positives may be present, filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Curl Upload File - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies curl being utilized with the -F or --form, --upload-file, -T, -d, --data, --data-raw, -I and --head switches to upload AWS credentials or config to a remote destination. This enables uploading of binary files and so forth. To force the 'content' part to be a file, prefix the file name with an @ sign. To just get the content part from a file, prefix the file name with the symbol <. The difference between @ and < is then that @ makes a file get attached in the post as a file upload, while the < makes a text field and just get the contents for that text field from a file. This technique was utlized by the TeamTNT group to exfiltrate AWS credentials. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]} -known_false_positives = Filtering may be required. In addition to AWS credentials, add other important files and monitor. The inverse would be to look for _all_ -F behavior and tune from there. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Data Destruction Command - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a unix shell command that can wipe root folders of a linux host. This commandline is being abused by Awfulshred malware that wipes or corrupts files in a targeted Linux host. The shell command uses the rm command with force recursive deletion even in the root folder. This TTP can be a good indicator that a user or a process wants to wipe roots directory files in Linux host. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux DD File Overwrite - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is to look for dd command to overwrite file. This technique was abused by adversaries or threat actor to destroy files or data on specific system or in a large number of host within network to interrupt host avilability, services and many more. This is also used to destroy data where it make the file irrecoverable by forensic techniques through overwriting files, data or local and remote drives. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.CM"]} -known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Decode Base64 to Shell - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the behavior of decoding base64-encoded data and passing it to a Linux shell. Additionally, it mitigates the potential damage and protects the organization's systems and data.The detection is made by searching for specific commands in the Splunk query, namely "base64 -d" and "base64 --decode", within the Endpoint.Processes data model. The analytic also includes a filter for Linux shells. The detection is important because it indicates the presence of malicious activity since Base64 encoding is commonly used to obfuscate malicious commands or payloads, and decoding it can be a step in running those commands. It suggests that an attacker is attempting to run malicious commands on a Linux system to gain unauthorized access, for data exfiltration, or perform other malicious actions. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1027", "T1059.004"], "nist": ["DE.CM"]} -known_false_positives = False positives may be present based on legitimate software being utilized. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Deleting Critical Directory Using RM Command - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a suspicious deletion of a critical folder in Linux machine using rm command. This technique was seen in industroyer2 campaign to wipe or destroy energy facilities of a targeted sector. Deletion in these list of folder is not so common since it need some elevated privileges to access some of it. We recommend to look further events specially in file access or file deletion, process commandline that may related to this technique. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.CM"]} -known_false_positives = Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Deletion Of Cron Jobs - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is to detect a deletion of cron job in a linux machine. This technique can be related to an attacker, threat actor or malware to disable scheduled cron jobs that might be related to security or to evade some detections. We also saw that this technique can be a good indicator for malware that is trying to wipe or delete several files on the compromised host like the acidrain malware. This anomaly detection can be a good pivot detection to look for process and user doing it why they doing. Take note that this event can be done by administrator so filtering on those possible false positive event is needed. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.AE"]} -known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Deletion Of Init Daemon Script - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is to detect a deletion of init daemon script in a linux machine. daemon script that place in /etc/init.d/ is a directory that can start and stop some daemon services in linux machines. attacker may delete or modify daemon script to impair some security features or act as defense evasion in a compromised linux machine. This TTP can be also a good indicator of a malware trying to wipe or delete several files in compromised host as part of its destructive payload like what acidrain malware does in linux or router machines. This detection can be a good pivot to check what process and user tries to delete this type of files which is not so common and need further investigation. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.CM"]} -known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Deletion Of Services - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is to detect a deletion of services in a linux machine. attacker may delete or modify services to impair some security features or act as defense evasion in a compromised linux machine. This TTP can be also a good indicator of a malware trying to wipe or delete several files in a compromised host as part of its destructive payload like what acidrain malware does in linux or router machines. This detection can be a good pivot to check what process and user tries to delete this type of files which is not so common and need further investigation. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.CM"]} -known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Deletion of SSL Certificate - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is to detect a deletion of ssl certificate in a linux machine. attacker may delete or modify ssl certificate to impair some security features or act as defense evasion in compromised linux machine. This Anomaly can be also a good indicator of a malware trying to wipe or delete several files in a compromised host as part of its destructive payload like what acidrain malware does in linux or router machines. This detection can be a good pivot to check what process and user tries to delete this type of files which is not so common and need further investigation. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.AE"]} -known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Disable Services - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic is to detect events that attempts to disable a service. This is typically identified in parallel with other instances of service enumeration of attempts to stop a service and then delete it. Adversaries utilize this technique like industroyer2 malware to terminate security services or other related services to continue there objective as a destructive payload. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.CM"]} -known_false_positives = Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Doas Conf File Creation - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is to detect the creation of doas.conf file in linux host platform. This configuration file can be use by doas utility tool to allow or permit standard users to perform tasks as root, the same way sudo does. This tool is developed as a minimalistic alternative to sudo application. This tool can be abused advesaries, attacker or malware to gain elevated privileges to the targeted or compromised host. On the other hand this can also be executed by administrator for a certain task that needs admin rights. In this case filter is needed. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} -known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Doas Tool Execution - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is to detect the doas tool execution in linux host platform. This utility tool allow standard users to perform tasks as root, the same way sudo does. This tool is developed as a minimalistic alternative to sudo application. This tool can be abused advesaries, attacker or malware to gain elevated privileges to the targeted or compromised host. On the other hand this can also be executed by administrator for a certain task that needs admin rights. In this case filter is needed. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} -known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Docker Privilege Escalation - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = Docker is an open source containerization platform. It helps programmers to bundle applications into containers, which are standardized executable parts that include the application source code along with the OS libraries and dependencies needed to run that code in any setting. The user can add mount the root directory into a container and edit the /etc/password file to add a super user. This requires the user to be privileged enough to run docker, i.e. being in the docker group or being root. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} -known_false_positives = False positives are present based on automated tooling or system administrative usage. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Edit Cron Table Parameter - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the suspicious editing of cron jobs in Linux via the crontab command-line parameter. This tactic could be used by adversaries or malware to schedule execution of their malicious code, potentially leading to system compromise or unauthorized persistent access. It pinpoints this activity by monitoring command-line executions involving 'crontab' and the edit parameter (-e). \ -Recognizing such activity is vital for a SOC as cron job manipulations might signal unauthorized persistence attempts or scheduled malicious actions, potentially resulting in substantial harm. A true positive signifies an active threat, with implications ranging from unauthorized access to broader network compromise. \ -To implement this analytic, logs capturing process name, parent process, and command-line executions from your endpoints must be ingested. \ -Known false positives could stem from valid administrative tasks or automation processes using crontab. To reduce these, fine-tune the filter macros according to the benign activities within your environment. These adjustments ensure legitimate actions aren't mistaken for threats, allowing analysts to focus on genuine potential risks. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} -known_false_positives = Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Emacs Privilege Escalation - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = EMACS is a family of text editors that are characterized by their extensibility. The manual for the most widely used variant, GNU Emacs, describes it as "the extensible, customizable, self-documenting, real-time display editor". If sudo right is given to EMACS tool for the user, then the user can run special commands as root and possibly get a root shell. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} -known_false_positives = False positives may be present, filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux File Created In Kernel Driver Directory - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic looks for suspicious file creation in kernel/driver directory in linux platform. This directory is known folder for all linux kernel module available within the system. so creation of file in this directory is a good indicator that there is a possible rootkit installation in the host machine. This technique was abuse by adversaries, malware author and red teamers to gain high privileges to their malicious code such us in kernel level. Even this event is not so common administrator or legitimate 3rd party tool may install driver or linux kernel module as part of its installation. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1547.006", "T1547"], "nist": ["DE.AE"]} -known_false_positives = Administrator or network operator can create file in this folders for automation purposes. Please update the filter macros to remove false positives. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux File Creation In Init Boot Directory - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic looks for suspicious file creation on init system directories for automatic execution of script or file upon boot up. This technique is commonly abuse by adversaries, malware author and red teamer to persist on the targeted or compromised host. This behavior can be executed or use by an administrator or network operator to add script files or binary files as part of a task or automation. filter is needed. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1037.004", "T1037"], "nist": ["DE.AE"]} -known_false_positives = Administrator or network operator can create file in this folders for automation purposes. Please update the filter macros to remove false positives. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux File Creation In Profile Directory - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic looks for suspicious file creation in /etc/profile.d directory to automatically execute scripts by shell upon boot up of a linux machine. This technique is commonly abused by adversaries, malware and red teamers as a persistence mechanism to the targeted or compromised host. This Anomaly detection is a good indicator that someone wants to run a code after boot up which can be done also by the administrator or network operator for automation purposes. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1546.004", "T1546"], "nist": ["DE.AE"]} -known_false_positives = Administrator or network operator can create file in profile.d folders for automation purposes. Please update the filter macros to remove false positives. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Find Privilege Escalation - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = Find is a command-line utility that locates files based on some user-specified criteria and either prints the pathname of each matched object or, if another action is requested, performs that action on each matched object. If sudo right is given to find utility for the user, then the user can run system commands as root and possibly get a root shell. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} -known_false_positives = False positives are present based on automated tooling or system administrative usage. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux GDB Privilege Escalation - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = GDB is the acronym for GNU Debugger. This tool helps to debug the programs written in C, C++, Ada, Fortran, etc. The console can be opened using the gdb command on terminal. If sudo right is given to GDB tool for the user, then the user can run system commands as root and possibly get a root shell. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} -known_false_positives = False positives may be present, filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Gem Privilege Escalation - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = RubyGems is a package manager for the Ruby programming language that provides a standard format for distributing Ruby programs and libraries (in a self-contained format called a "gem"), a tool designed to easily manage the installation of gems, and a server for distributing them. If sudo right is given to GEM utility for the user, then the user can run system commands as root and possibly get a root shell. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} -known_false_positives = False positives may be present, filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux GNU Awk Privilege Escalation - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = gawk command in Linux is used for pattern scanning and processing language. The awk command requires no compiling and allows the user to use variables, numeric functions, string functions, and logical operators. It is a utility that enables programmers to write tiny and effective programs in the form of statements that define text patterns that are to be searched for, in a text document and the action that is to be taken when a match is found within a line. If sudo right is given to gawk tool for the user, then the user can run system commands as root and possibly get a root shell. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} -known_false_positives = False positives may be present, filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Hardware Addition SwapOff - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic looks for process execution to disable the swapping of paging devices. This technique was seen in Awfulshred malware that disables the swapping of the specified devices and files. This anomaly detection can be a good indicator that a process or a user tries to disable this Linux feature in a targeted host. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1200"], "nist": ["DE.AE"]} -known_false_positives = administrator may disable swapping of devices in a linux host. Filter is needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux High Frequency Of File Deletion In Boot Folder - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is to detect a high frequency of file deletion relative to process name and process id /boot/ folder. These events was seen in industroyer2 wiper malware where it tries to delete all files in a critical directory in linux directory. This detection already contains some filter that might cause false positive during our testing. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.CM"]} -known_false_positives = linux package installer/uninstaller may cause this event. Please update you filter macro to remove false positives. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux High Frequency Of File Deletion In Etc Folder - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is to detect a high frequency of file deletion relative to process name and process id /etc/ folder. These events was seen in acidrain wiper malware where it tries to delete all files in a non-standard directory in linux directory. This detection already contains some filter that might cause false positive during our testing. But we recommend to add more filter if needed. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.AE"]} -known_false_positives = linux package installer/uninstaller may cause this event. Please update you filter macro to remove false positives. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Impair Defenses Process Kill - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic looks for PKILL process execution for possible termination of process. This technique is being used by several Threat actors, adversaries and red teamers to terminate processes in a targeted linux machine. This Hunting detection can be a good pivot to check a possible defense evasion technique or termination of security application in a linux host or wiper like Awfulshred that corrupt all files. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]} -known_false_positives = network admin can terminate a process using this linux command. Filter is needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Indicator Removal Clear Cache - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic looks for processes that clear or free page cache in Linux system host. This technique was seen in Awfulshred malware wiper that tries to clear the cache using kernel system request drop_caches while wiping all files in the targeted host. This TTP detection can be a good indicator of user or process tries to clear page cache to delete tracks or might be a wiper like Awfulshred. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Indicator Removal Service File Deletion - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic looks for suspicious linux processes that delete service unit configuration files. This technique was seen in several malware to delete service configuration files to corrupt a services or security product as part of its defense evasion. This TTP detection can be a good indicator of possible malware try to kill several services or a wiper like AwfulShred shell script that wipes the targeted linux host -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070.004", "T1070"], "nist": ["DE.AE"]} -known_false_positives = network admin can delete services unit configuration file as part of normal software installation. Filter is needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Ingress Tool Transfer Hunting - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the use of 'curl' and 'wget' commands within a Linux environment. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, user information, and command-line executions. This activity is significant as 'curl' and 'wget' are commonly used for downloading files, which can indicate potential ingress of malicious tools. If confirmed malicious, this activity could lead to unauthorized code execution, data exfiltration, or further compromise of the system. Monitoring and tuning this detection helps identify and differentiate between normal and potentially harmful usage. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.AE"]} -known_false_positives = False positives will be present. This query is meant to help tune other curl and wget analytics. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Ingress Tool Transfer with Curl - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies curl with the command-line switches that are commonly used to download, output, a remote script or binary. MetaSploit Framework will combine the -sO switch with | chmod +x to enable a simple one liner to download and set the execute bit to run the file immediately. During triage, review the remote domain and file being downloaded for legitimacy. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.AE"]} -known_false_positives = False positives will be present. Tune and then change type to TTP. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Insert Kernel Module Using Insmod Utility - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic looks for inserting of linux kernel module using insmod utility function. This event can detect a installation of rootkit or malicious kernel module to gain elevated privileges to their malicious code and bypassed detections. This Anomaly detection is a good indicator that someone installing kernel module in a linux host either admin or adversaries. filter is needed in this scenario -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1547.006", "T1547"], "nist": ["DE.AE"]} -known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Install Kernel Module Using Modprobe Utility - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic looks for possible installing a linux kernel module using modprobe utility function. This event can detect a installation of rootkit or malicious kernel module to gain elevated privileges to their malicious code and bypassed detections. This Anomaly detection is a good indicator that someone installing kernel module in a linux host either admin or adversaries. filter is needed in this scenario -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1547.006", "T1547"], "nist": ["DE.AE"]} -known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Iptables Firewall Modification - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic looks for suspicious commandline that modify the iptables firewall setting of a linux machine. This technique was seen in cyclopsblink malware where it modifies the firewall setting of the compromised machine to allow traffic to its tcp port that will be used to communicate with its C2 server. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.004", "T1562"], "nist": ["DE.AE"]} -known_false_positives = administrator may do this commandline for auditing and testing purposes. In this scenario filter is needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Java Spawning Shell - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the process name of Java, Apache, or Tomcat spawning a Linux shell. This is potentially indicative of exploitation of the Java application and may be related to current event CVE-2021-44228 (Log4Shell). The shells included in the macro are "sh", "ksh", "zsh", "bash", "dash", "rbash", "fish", "csh', "tcsh', "ion", "eshell". Upon triage, review parallel processes and command-line arguments to determine legitimacy. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} -known_false_positives = Filtering may be required on internal developer build systems or classify assets as web facing and restrict the analytic based on asset type. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Kernel Module Enumeration - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the use of the 'kmod' process to list kernel modules on a Linux system. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. While listing kernel modules is not inherently malicious, it can be a precursor to loading unauthorized modules using 'insmod'. If confirmed malicious, this activity could allow an attacker to load kernel modules, potentially leading to privilege escalation, persistence, or other malicious actions within the system. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1082", "T1014"], "nist": ["DE.AE"]} -known_false_positives = False positives are present based on automated tooling or system administrative usage. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Kworker Process In Writable Process Path - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic looks for suspicious process kworker commandline in a linux machine. kworker process name or thread are common names of kernel threads in linux process. This hunting detections can lead to investigate process contains process path in writable directory in linux like /home/, /var/log and /tmp/. This technique was seen in cyclopsblink malware to blend its core and other of its child process as normal kworker on the compromised machine. This detection might be a good pivot to look for other IOC related to cyclopsblink malware or attacks. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036.004", "T1036"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Make Privilege Escalation - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The Linux make command is used to build and maintain groups of programs and files from the source code. In Linux, it is one of the most frequently used commands by the developers. It assists developers to install and compile many utilities from the terminal. If sudo right is given to make utility for the user, then the user can run system commands as root and possibly get a root shell. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} -known_false_positives = False positives may be present, filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux MySQL Privilege Escalation - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = MySQL is an open-source relational database management system. Its name is a combination of "My", the name of co-founder Michael Widenius's daughter My, and "SQL", the abbreviation for Structured Query Language. If sudo right is given to mysql utility for the user, then the user can run system commands as root and possibly get a root shell. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} -known_false_positives = False positives are present based on automated tooling or system administrative usage. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Ngrok Reverse Proxy Usage - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the use of Ngrok being utilized on the Linux operating system. Unfortunately, there is no original file name for Ngrok, so it may be worth an additional hunt to identify any command-line arguments. The sign of someone using Ngrok is not malicious, however, more recently it has become an adversary tool. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1572", "T1090", "T1102"], "nist": ["DE.AE"]} -known_false_positives = False positives may be present if Ngrok is an authorized utility. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Node Privilege Escalation - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = Node.js is a back-end JavaScript runtime environment that is open-source, cross-platform, runs on the V8 engine, and executes JavaScript code outside of a web browser. It was created to help create scalable network applications. If the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} -known_false_positives = False positives are present based on automated tooling or system administrative usage. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux NOPASSWD Entry In Sudoers File - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is to look for suspicious command lines that may add entry to /etc/sudoers with NOPASSWD attribute in linux platform. This technique is commonly abuse by adversaries, malware author and red teamers to gain elevated privilege to the targeted or compromised host. /etc/sudoers file controls who can run what commands users can execute on the machines and can also control whether user need a password to execute particular commands. This file is composed of aliases (basically variables) and user specifications. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} -known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Obfuscated Files or Information Base64 Decode - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the use of the base64 decode command on Linux systems, which is often used to deobfuscate files. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that include "base64 -d" or "base64 --decode". This activity is significant as it may indicate an attempt to hide malicious payloads or scripts. If confirmed malicious, an attacker could use this technique to execute hidden code, potentially leading to unauthorized access, data exfiltration, or further system compromise. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1027"], "nist": ["DE.AE"]} -known_false_positives = False positives may be present and will require some tuning based on processes. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Octave Privilege Escalation - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = GNU Octave is a high-level programming language primarily intended for scientific computing and numerical computation. Octave helps in solving linear and nonlinear problems numerically, and for performing other numerical experiments using a language that is mostly compatible with MATLAB. If sudo right is given to the application for the user, then the user can run system commands as root and possibly get a root shell. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} -known_false_positives = False positives may be present, filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux OpenVPN Privilege Escalation - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = OpenVPN is a virtual private network system that implements techniques to create secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It implements both client and server applications. If sudo right is given to the OpenVPN application for the user, then the user can run system commands as root and possibly get a root shell. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} -known_false_positives = False positives may be present, filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Persistence and Privilege Escalation Risk Behavior - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following correlation is specific to Linux persistence and privilege escalation tactics and is tied to two analytic stories and any Linux analytic tied to persistence and privilege escalation. These techniques often overlap with Persistence techniques, as OS features that let an adversary persist can execute in an elevated context. -how_to_implement = Ensure Linux anomaly and TTP analytics are enabled. TTP may be set to Notables for point detections, anomaly should not be notables but risk generators. The correlation relies on more than x amount of distict detection names generated before generating a notable. Modify the value as needed. Default value is set to 4. This value may need to be increased based on activity in your environment. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548"], "nist": ["DE.AE"]} -known_false_positives = False positives will be present based on many factors. Tune the correlation as needed to reduce too many triggers. -providing_technologies = null - -[savedsearch://ESCU - Linux PHP Privilege Escalation - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = PHP is a general-purpose scripting language geared toward web development. It was originally created by Danish-Canadian programmer Rasmus Lerdorf in 1994. The PHP reference implementation is now produced by The PHP Group. If sudo right is given to php application for the user, then the user can run system commands as root and possibly get a root shell. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} -known_false_positives = False positives may be present, filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux pkexec Privilege Escalation - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies `pkexec` spawning with no command-line arguments. A vulnerability in Polkit's pkexec component identified as CVE-2021-4034 (PwnKit) which is present in the default configuration of all major Linux distributions and can be exploited to gain full root privileges on the system. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]} -known_false_positives = False positives may be present, filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Possible Access Or Modification Of sshd Config File - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is to look for suspicious process command-line that might be accessing or modifying sshd_config. This file is the ssh configuration file that might be modify by threat actors or adversaries to redirect port connection, allow user using authorized key generated during attack. This anomaly detection might catch noise from administrator auditing or modifying ssh configuration file. In this scenario filter is needed -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098.004", "T1098"], "nist": ["DE.AE"]} -known_false_positives = Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Possible Access To Credential Files - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is to detect a possible attempt to dump or access the content of /etc/passwd and /etc/shadow to enable offline credential cracking. "etc/passwd" store user information within linux OS while "etc/shadow" contain the user passwords hash. Adversaries and threat actors may attempt to access this to gain persistence and/or privilege escalation. This anomaly detection can be a good indicator of possible credential dumping technique but it might catch some normal administrator automation scripts or during credential auditing. In this scenario filter is needed. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.008", "T1003"], "nist": ["DE.AE"]} -known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Possible Access To Sudoers File - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is to detect a possible access or modification of /etc/sudoers file. "/etc/sudoers" file controls who can run what command as what users on what machine and can also control whether a specific user need a password for particular commands. adversaries and threat actors abuse this file to gain persistence and/or privilege escalation during attack on targeted host. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} -known_false_positives = administrator or network operator can execute this command. Please update the filter macros to remove false positives. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Possible Append Command To At Allow Config File - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic is designed to identify suspicious command lines that may append user entries to either /etc/at.allow or /etc/at.deny. These files can be exploited by malicious actors for persistence on a compromised Linux host by altering permissions for scheduled tasks using the at command. \ -In this context, an attacker can create a user or add an existing user to these configuration files to execute their malicious code through scheduled tasks. The detection of such anomalous behavior can serve as an effective indicator warranting further investigation to validate if the activity is indeed malicious or a false positive. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.002", "T1053"], "nist": ["DE.AE"]} -known_false_positives = Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Possible Append Command To Profile Config File - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic looks for suspicious command-lines that can be possibly used to modify user profile files to automatically execute scripts/executables by shell upon reboot of the machine. This technique is commonly abused by adversaries, malware and red teamers as persistence mechanism to the targeted or compromised host. This Anomaly detection is a good indicator that someone wants to run code after reboot which can be done also by the administrator or network operator for automation purposes. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1546.004", "T1546"], "nist": ["DE.AE"]} -known_false_positives = Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Possible Append Cronjob Entry on Existing Cronjob File - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic is designed to detect potential tampering with cronjob files on a Linux system. It specifically searches for command lines that may be used to append code to existing cronjob files, a technique often employed by adversaries, malware, and red teamers for persistence or privilege escalation. Altering existing or sometimes normal cronjob script files allows malicious code to be executed automatically. \ -The analytic operates by monitoring logs for specific process names, parent processes, and command-line executions from your endpoints. It specifically checks for any 'echo' command which modifies files in directories commonly associated with cron jobs such as '/etc/cron*', '/var/spool/cron/', and '/etc/anacrontab'. If such activity is detected, an alert is triggered. \ -This behavior is worth identifying for a SOC because malicious cron jobs can lead to system compromises and unauthorized data access, impacting business operations and data integrity. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} -known_false_positives = False positives may arise from legitimate actions by administrators or network operators who may use these commands for automation purposes. Therefore, it's recommended to adjust filter macros to eliminate such false positives. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Possible Cronjob Modification With Editor - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects potential unauthorized modifications to Linux cronjobs using text editors like "nano", "vi" or "vim". It identifies this behavior by tracking command-line executions that interact with paths related to cronjob configuration, a common Linux scheduling utility. Cronjob files may be manipulated by attackers for privilege escalation or persistent access, making such changes critical to monitor.\ The identified behavior is significant for a Security Operations Center (SOC) as it could indicate an ongoing attempt at establishing persistent access or privilege escalation, leading to data breaches, system compromise, or other malicious activities. \ -In case of a true positive, the impact could be severe. An attacker with escalated privileges or persistent access could carry out damaging actions, such as data theft, sabotage, or further network penetration. \ -To implement this analytic, ensure ingestion of logs tracking process name, parent process, and command-line executions from your endpoints. Utilize the Add-on for Linux Sysmon from Splunkbase if you're using Sysmon. \ -Known false positives include legitimate administrative tasks, as these commands may also be used for benign purposes. Careful tuning and filtering based on known benign activity in your environment can minimize these instances. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} -known_false_positives = Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Possible Ssh Key File Creation - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is to look for possible ssh key file creation on ~/.ssh/ folder. This technique is commonly abused by threat actors and adversaries to gain persistence and privilege escalation to the targeted host. by creating ssh private and public key and passing the public key to the attacker server. threat actor can access remotely the machine using openssh daemon service. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098.004", "T1098"], "nist": ["DE.AE"]} -known_false_positives = Administrator or network operator can create file in ~/.ssh folders for automation purposes. Please update the filter macros to remove false positives. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Preload Hijack Library Calls - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is to detect a suspicious command that may hijack a library function in linux platform. This technique is commonly abuse by adversaries, malware author and red teamers to gain privileges and persist on the machine. This detection pertains to loading a dll to hijack or hook a library function of specific program using LD_PRELOAD command. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.006", "T1574"], "nist": ["DE.CM"]} -known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Proxy Socks Curl - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies curl being utilized with a proxy based on command-line arguments - -x, socks, --preproxy and --proxy. This behavior is built into the MetaSploit Framework as a auxiliary module. What does socks buy an adversary? SOCKS4a extends the SOCKS4 protocol to allow a client to specify a destination domain name rather than an IP address. The SOCKS5 protocol is defined in RFC 1928. It is an incompatible extension of the SOCKS4 protocol; it offers more choices for authentication and adds support for IPv6 and UDP, the latter of which can be used for DNS lookups. The protocols, and a proxy itself, allow an adversary to evade controls in place monitoring traffic, making it harder for the defender to identify and track activity. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1090", "T1095"], "nist": ["DE.CM"]} -known_false_positives = False positives may be present based on proxy usage internally. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Puppet Privilege Escalation - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = In computing, Puppet is a software configuration management tool which includes its own declarative language to describe system configuration. It is a model-driven solution that requires limited programming knowledge to use. If sudo right is given to the tool for the user, then the user can run system commands as root and possibly get a root shell. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} -known_false_positives = False positives may be present, filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux RPM Privilege Escalation - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = RPM Package Manager is a free and open-source package management system. The name RPM refers to the .rpm file format and the package manager program itself. RPM was intended primarily for Linux distributions; the file format is the baseline package format of the Linux Standard Base. If sudo right is given to rpm utility for the user, then the user can run system commands as root and possibly get a root shell. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} -known_false_positives = False positives are present based on automated tooling or system administrative usage. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Ruby Privilege Escalation - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = Ruby is one of the most used and easy to use programming languages. Ruby is an open-source, object-oriented interpreter that can be installed on a Linux system. If sudo right is given to ruby application for the user, then the user can run system commands as root and possibly get a root shell. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} -known_false_positives = False positives are present based on automated tooling or system administrative usage. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Service File Created In Systemd Directory - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic is designed to detect suspicious file creation within the systemd timer directory on Linux platforms. Systemd is a system and service manager for Linux, similar to the combination of wininit.exe and services.exe on Windows. This process initializes a Linux system and starts defined services in unit files. Malicious actors, such as adversaries, malware, or red teamers, can exploit this feature by embedding a systemd service file for persistence on the targeted or compromised host. \ -The analytic works by monitoring logs with file name, file path, and process GUID data from your endpoints. If a .service file is created in certain systemd directories, the analytic triggers an alert. This behavior is significant for a Security Operations Center (SOC) as it may indicate a persistent threat within the network, with a potential impact of system compromise or data exfiltration. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.006", "T1053"], "nist": ["DE.AE"]} -known_false_positives = False positives may arise when administrators or network operators create files in systemd directories for legitimate automation tasks. Therefore, it's important to adjust filter macros to account for valid activities. To implement this search successfully, it's crucial to ingest appropriate logs, preferably using the Linux Sysmon Add-on from Splunkbase for those using Sysmon. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Service Restarted - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the restarting or re-enabling of services in the Linux platform. It focuses on the use of the systemctl or service tools for executing these actions. Adversaries may leverage this technique to repeatedly execute malicious payloads as a form of persistence. Linux hosts typically start services during boot to perform background system functions. However, administrators may also create legitimate services for specific tools or applications as part of task automation. In such cases, it is recommended to verify the service path of the registered script or executable and identify the creator of the service for further validation. \ -It's important to be aware that this analytic may generate false positives as administrators or network operators may use the same command-line for legitimate automation purposes. Filter macros should be updated accordingly to minimize false positives. \ -Identifying restarted or re-enabled services is valuable for a SOC as it can indicate potential malicious activities attempting to maintain persistence or execute unauthorized actions on Linux systems. By detecting and investigating these events, security analysts can respond promptly to mitigate risks and prevent further compromise. The impact of a true positive can range from unauthorized access to data destruction or other damaging outcomes. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.006", "T1053"], "nist": ["DE.AE"]} -known_false_positives = Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Service Started Or Enabled - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the creation or enabling of services in Linux platforms, specifically using the systemctl or service tool application. This behavior is worth identifying as adversaries may create or modify services to execute malicious payloads as part of persistence. Legitimate services created by administrators for automation purposes may also trigger this analytic, so it is important to update the filter macros to remove false positives. If a true positive is found, it suggests an possible attacker is attempting to persist within the environment or deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. To implement this analytic, ensure you are ingesting logs with the process name, parent process, and command-line executions from your endpoints. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.006", "T1053"], "nist": ["DE.AE"]} -known_false_positives = Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Setuid Using Chmod Utility - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic looks for suspicious chmod utility execution to enable SUID bit. This allows a user to temporarily gain root access, usually in order to run a program. For example, only the root account is allowed to change the password information contained in the password database; If the SUID bit appears as an s, the file's owner also has execute permission to the file; if it appears as an S, the file's owner does not have execute permission. The second specialty permission is the SGID, or set group id bit. It is similar to the SUID bit, except it can temporarily change group membership, usually to execute a program. The SGID bit is set if an s or an S appears in the group section of permissions. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.001", "T1548"], "nist": ["DE.AE"]} -known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Setuid Using Setcap Utility - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic looks for suspicious setcap utility execution to enable SUID bit. This allows a user to temporarily gain root access, usually in order to run a program. For example, only the root account is allowed to change the password information contained in the password database; If the SUID bit appears as an s, the file's owner also has execute permission to the file; if it appears as an S, the file's owner does not have execute permission. The second specialty permission is the SGID, or set group id bit. It is similar to the SUID bit, except it can temporarily change group membership, usually to execute a program. The SGID bit is set if an s or an S appears in the group section of permissions. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.001", "T1548"], "nist": ["DE.AE"]} -known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Shred Overwrite Command - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is to detect a shred process to overwrite a files in a linux machine. Shred Linux application is designed to overwrite file to hide its contents or make the deleted file un-recoverable. Weve seen this technique in industroyer2 malware that tries to wipe energy facilities of targeted sector as part of its destructive attack. It might be some normal user may use this command for valid purposes but it is recommended to check what files, disk or folder it tries to shred that might be good pivot for incident response in this type of destructive malware. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.CM"]} -known_false_positives = Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Sqlite3 Privilege Escalation - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = sqlite3 is a terminal-based front-end to the SQLite library that can evaluate queries interactively and display the results in multiple formats. sqlite3 can also be used within shell scripts and other applications to provide batch processing features. If sudo right is given to this application for the user, then the user can run system commands as root and possibly get a root shell. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} -known_false_positives = False positives may be present, filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux SSH Authorized Keys Modification - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the modification of SSH Authorized Keys on Linux systems. It leverages process execution data from Endpoint Detection and Response (EDR) agents, specifically monitoring commands like "bash" and "cat" interacting with "authorized_keys" files. This activity is significant as adversaries often modify SSH Authorized Keys to establish persistent access to compromised endpoints. If confirmed malicious, this behavior could allow attackers to maintain unauthorized access, bypassing traditional authentication mechanisms and potentially leading to further exploitation or data exfiltration. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098.004"], "nist": ["DE.AE"]} -known_false_positives = Filtering will be required as system administrators will add and remove. One way to filter query is to add "echo". -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux SSH Remote Services Script Execute - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the use of SSH to move laterally and execute a script or file on a remote host. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific SSH command-line parameters and URLs. This activity is significant as it may indicate an attacker attempting to execute remote commands or scripts, potentially leading to unauthorized access or control over additional systems. If confirmed malicious, this could result in lateral movement, privilege escalation, or the execution of malicious payloads, compromising the security of the network. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.004"], "nist": ["DE.CM"]} -known_false_positives = This is not a common command to be executed. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Stdout Redirection To Dev Null File - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic looks for suspicious commandline that redirect the stdout or possible stderror to dev/null file. This technique was seen in cyclopsblink malware where it redirect the possible output or error while modify the iptables firewall setting of the compromised machine to hide its action from the user. This Anomaly detection is a good pivot to look further why process or user use this un common approach. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.004", "T1562"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Stop Services - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic is to detect events that attempt to stop or clear a service. This is typically identified in parallel with other instances of service enumeration of attempts to stop a service and then delete it. Adversaries utilize this technique like industroyer2 malware to terminate security services or other related services to continue there objective as a destructive payload. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.CM"]} -known_false_positives = Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Sudo OR Su Execution - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is to detect the execution of sudo or su command in linux operating system. The "sudo" command allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments. This command is commonly abused by adversaries, malware author and red teamers to elevate privileges to the targeted host. This command can be executed by administrator for legitimate purposes or to execute process that need admin privileges, In this scenario filter is needed. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} -known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Sudoers Tmp File Creation - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is to looks for file creation of sudoers.tmp file cause by editing /etc/sudoers using visudo or editor in linux platform. This technique may abuse by adversaries, malware author and red teamers to gain elevated privilege to targeted or compromised host. /etc/sudoers file controls who can run what commands as what users on what machines and can also control special things such as whether you need a password for particular commands. The file is composed of aliases (basically variables) and user specifications (which control who can run what). -how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} -known_false_positives = administrator or network operator can execute this command. Please update the filter macros to remove false positives. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux System Network Discovery - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is to look for possible enumeration of local network configuration. This technique is commonly used as part of recon of adversaries or threat actor to know some network information for its next or further attack. This anomaly detections may capture normal event made by administrator during auditing or testing network connection of specific host or network to network. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1016"], "nist": ["DE.AE"]} -known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux System Reboot Via System Request Key - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is to look for possible execution of SysReq hack to reboot the Linux system host. This technique was seen in Awfulshred malware wiper to reboot the compromised host by using the linux magic sysreq key. This kernel configuration can trigger reboot by piping out 'b' to /proc/sysrq-trigger after enabling all the functions of sysrq. This TTP detection can be a good indicator of possible suspicious processes running on the Linux host since this command is not a common way to reboot a system. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1529"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Unix Shell Enable All SysRq Functions - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is to look for possible execution of SysReq hack to enable all functions of kernel system requests of the Linux system host. This technique was seen in AwfulShred malware wiper to reboot the compromised host by using the linux magic sysreq key. This kernel configuration can be triggered by piping out bitmask '1' to /proc/sys/kernel/sysrq. This TTP detection can be a good indicator of possible suspicious processes running on the Linux host since this command is not so common shell commandline. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.004", "T1059"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Linux Visudo Utility Execution - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is to looks for suspicious commandline that add entry to /etc/sudoers by using visudo utility tool in linux platform. This technique may abuse by adversaries, malware author and red teamers to gain elevated privilege to targeted or compromised host. /etc/sudoers file controls who can run what commands as what users on what machines and can also control special things such as whether you need a password for particular commands. The file is composed of aliases (basically variables) and user specifications (which control who can run what). -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} -known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Living Off The Land Detection - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following correlation identifies multiple risk events associated with the "Living Off The Land" analytic story, indicating potentially suspicious behavior. It leverages the Risk data model to aggregate and correlate events tagged under this story, focusing on systems with a high count of distinct sources. This activity is significant as it often involves the use of legitimate tools for malicious purposes, making detection challenging. If confirmed malicious, this behavior could allow attackers to execute code, escalate privileges, or persist within the environment using trusted system utilities. -how_to_implement = To implement this correlation search a user needs to enable all detections in the Living Off The Land Analytic Story and confirm it is generating risk events. A simple search `index=risk analyticstories="Living Off The Land"` should contain events. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control", "Delivery", "Installation"], "mitre_attack": ["T1105", "T1190", "T1059", "T1133"], "nist": ["DE.AE"]} -known_false_positives = There are no known false positive for this search, but it could contain false positives as multiple detections can trigger and not have successful exploitation. Modify the static value distinct_detection_name to a higher value. It is also required to tune analytics that are also tagged to ensure volume is never too much. -providing_technologies = null - -[savedsearch://ESCU - Loading Of Dynwrapx Module - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = DynamicWrapperX is an ActiveX component that can be used in a script to call Windows API functions, but it requires the dynwrapx.dll to be installed and registered. With that, registering or loading dynwrapx.dll to a host is highly suspicious. In most instances when it is used maliciously, the best way to triage is to review parallel processes and pivot on the process_guid. Review the registry for any suspicious modifications meant to load dynwrapx.dll. Identify any suspicious module loads of dynwrapx.dll. This detection will return and identify the processes that invoke vbs/wscript/cscript. -how_to_implement = To successfully implement this search you need to be ingesting information on processes that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055", "T1055.001"], "nist": ["DE.CM"]} -known_false_positives = False positives should be limited, however it is possible to filter by Processes.process_name and specific processes (ex. wscript.exe). Filter as needed. This may need modification based on EDR telemetry and how it brings in registry data. For example, removal of (Default). -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Local Account Discovery with Net - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic looks for the execution of `net.exe` or `net1.exe` with command-line arguments utilized to query for local users. The two arguments `user` and 'users', return a list of all local users. Red Teams and adversaries alike use net.exe to enumerate users for situational awareness and Active Directory Discovery. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.001"], "nist": ["DE.AE"]} -known_false_positives = Administrators or power users may use this command for troubleshooting. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Local Account Discovery With Wmic - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to query for local users. The argument `useraccount` is used to leverage WMI to return a list of all local users. Red Teams and adversaries alike use net.exe to enumerate users for situational awareness and Active Directory Discovery. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.001"], "nist": ["DE.AE"]} -known_false_positives = Administrators or power users may use this command for troubleshooting. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Log4Shell CVE-2021-44228 Exploitation - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This correlation find exploitation of Log4Shell CVE-2021-44228 against systems using detections from Splunk Security Content Analytic Story. It does this by calculating the distinct count of MITRE ATT&CK tactics from Log4Shell detections fired. If the count is larger than 2 or more distinct MITRE ATT&CK tactics we assume high problability of exploitation. The Analytic story breaks down into 3 major phases of a Log4Shell exploitation, specifically> Initial Payload delivery eg. `${jndi:ldap://PAYLOAD_INJECTED}` Call back to malicious LDAP server eg. Exploit.class Post Exploitation Activity/Lateral Movement using Powershell or similar T1562.001 Each of these phases fall into different MITRE ATT&CK Tactics (Initial Access, Execution, Command And Control), by looking into 2 or more phases showing up in detections triggerd is how this correlation search finds exploitation. If we get a notable from this correlation search the best way to triage it is by investigating the affected systems against Log4Shell exploitation using Splunk SOAR playbooks. -how_to_implement = To implement this correlation search a user needs to enable all detections in the Log4Shell Analytic Story and confirm it is generation risk events. A simple search `index=risk analyticstories="Log4Shell CVE-2021-44228"` should contain events. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control", "Delivery", "Installation"], "mitre_attack": ["T1105", "T1190", "T1059", "T1133"], "nist": ["DE.AE"]} -known_false_positives = There are no known false positive for this search, but it could contain false positives as multiple detections can trigger and not have successful exploitation. -providing_technologies = null - -[savedsearch://ESCU - Logon Script Event Trigger Execution - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search is to detect a suspicious modification of registry entry to persist and gain privilege escalation upon booting up of compromised host. This technique was seen in several APT and malware where it modify UserInitMprLogonScript registry entry to its malicious payload to be executed upon boot up of the machine. -how_to_implement = To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1037", "T1037.001"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - LOLBAS With Network Traffic - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies LOLBAS with network traffic. When adversaries abuse LOLBAS they are often used to download malicious code or executables. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like downloading malicious code. Looking for these process can help defenders identify lateral movement, command-and-control, or exfiltration activies. -how_to_implement = To successfully implement this detection you must ingest events into the Network traffic data model that contain the source, destination, and communicating process in the app feild. Relevant processes must also be ingested in the Endpoint data model with matching process_id feild. Sysmon EID1 and EID3 are good examples of this type this data type. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives", "Command and Control", "Exploitation"], "mitre_attack": ["T1105", "T1567", "T1218"], "nist": ["DE.CM"]} -known_false_positives = Legitmate usage of internal automation or scripting, espically powershell.exe internal to internal or logon scripts. It may be necessary to omit internal IP ranges if extremely noisy. ie NOT dest_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16","170.98.0.0/16","0:0:0:0:0:0:0:1") -providing_technologies = null - -[savedsearch://ESCU - MacOS - Re-opened Applications - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies processes referencing plist files that determine which applications are re-opened when a user reboots their MacOS machine. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and parent processes related to "com.apple.loginwindow." This activity is significant because it can indicate attempts to persist across reboots, a common tactic used by attackers to maintain access. If confirmed malicious, this could allow an attacker to execute code or maintain persistence on the affected system, potentially leading to further compromise. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "nist": ["DE.CM"]} -known_false_positives = At this stage, there are no known false positives. During testing, no process events refering the com.apple.loginwindow.plist files were observed during normal operation of re-opening applications on reboot. Therefore, it can be asumed that any occurences of this in the process events would be worth investigating. In the event that the legitimate modification by the system of these files is in fact logged to the process log, then the process_name of that process can be added to an allow list. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - MacOS LOLbin - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects multiple executions of Living off the Land (LOLbin) binaries on macOS within a short period. It leverages osquery to monitor process events and identifies commands such as "find", "crontab", "screencapture", "openssl", "curl", "wget", "killall", and "funzip". This activity is significant as LOLbins are often used by attackers to perform malicious actions while evading detection. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or persist within the environment, posing a significant security risk. -how_to_implement = This detection uses osquery and endpoint security on MacOS. Follow the link in references, which describes how to setup process auditing in MacOS with endpoint security and osquery. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.004", "T1059"], "nist": ["DE.CM"]} -known_false_positives = None identified. -providing_technologies = null - -[savedsearch://ESCU - MacOS plutil - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the usage of the `plutil` command to modify plist files on macOS systems. It leverages osquery to monitor process events, specifically looking for executions of `/usr/bin/plutil`. This activity is significant because adversaries can use `plutil` to alter plist files, potentially adding malicious binaries or command-line arguments that execute upon user logon or system startup. If confirmed malicious, this could allow attackers to achieve persistence, execute arbitrary code, or escalate privileges, posing a significant threat to the system's security. -how_to_implement = This detection uses osquery and endpoint security on MacOS. Follow the link in references, which describes how to setup process auditing in MacOS with endpoint security and osquery. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1647"], "nist": ["DE.CM"]} -known_false_positives = Administrators using plutil to change plist files. -providing_technologies = null - -[savedsearch://ESCU - Mailsniper Invoke functions - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the execution of known MailSniper PowerShell functions on a machine. It leverages PowerShell logs (EventCode 4104) to identify specific script block text associated with MailSniper activities. This behavior is significant as MailSniper is often used by attackers to harvest sensitive emails from compromised Exchange servers. If confirmed malicious, this activity could lead to unauthorized access to sensitive email data, credential theft, and further compromise of the email infrastructure. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the powershell logs from your endpoints. make sure you enable needed registry to monitor this event. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114", "T1114.001"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Malicious InProcServer32 Modification - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a process modifying the registry with a known malicious CLSID under InProcServer32. Most COM classes are registered with the operating system and are identified by a GUID that represents the Class Identifier (CLSID) within the registry (usually under HKLM\\Software\\Classes\\CLSID or HKCU\\Software\\Classes\\CLSID). Behind the implementation of a COM class is the server (some binary) that is referenced within registry keys under the CLSID. The LocalServer32 key represents a path to an executable (exe) implementation, and the InprocServer32 key represents a path to a dynamic link library (DLL) implementation (Bohops). During triage, review parallel processes for suspicious activity. Pivot on the process GUID to see the full timeline of events. Analyze the value and look for file modifications. Being this is looking for inprocserver32, a DLL found in the value will most likely be loaded by a parallel process. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.010", "T1112"], "nist": ["DE.CM"]} -known_false_positives = False positives should be limited, filter as needed. In our test case, Remcos used regsvr32.exe to modify the registry. It may be required, dependent upon the EDR tool producing registry events, to remove (Default) from the command-line. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Malicious Powershell Executed As A Service - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the execution of malicious PowerShell commands or payloads via the Windows SC.exe utility. It detects this activity by analyzing Windows System logs (EventCode 7045) and filtering for specific PowerShell-related patterns in the ImagePath field. This behavior is significant because it indicates potential abuse of the Windows Service Control Manager to run unauthorized or harmful scripts, which could lead to system compromise. If confirmed malicious, this activity could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment. -how_to_implement = To successfully implement this search, you need to be ingesting Windows System logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1569", "T1569.002"], "nist": ["DE.CM"]} -known_false_positives = Creating a hidden powershell service is rare and could key off of those instances. -providing_technologies = null - -[savedsearch://ESCU - Malicious PowerShell Process - Encoded Command - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the use of the EncodedCommand PowerShell parameter. This is typically used by Administrators to run complex scripts, but commonly used by adversaries to hide their code. \ -The analytic identifies all variations of EncodedCommand, as PowerShell allows the ability to shorten the parameter. For example enc, enco, encod and so forth. In addition, through our research it was identified that PowerShell will interpret different command switch types beyond the hyphen. We have added endash, emdash, horizontal bar, and forward slash. \ -During triage, review parallel events to determine legitimacy. Tune as needed based on admin scripts in use. \ -Alternatively, may use regex per matching here https://regexr.com/662ov. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1027"], "nist": ["DE.AE"]} -known_false_positives = System administrators may use this option, but it's not common. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects PowerShell processes initiated with parameters that bypass the local execution policy for scripts. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions containing specific flags like "-ex" or "bypass." This activity is significant because bypassing execution policies is a common tactic used by attackers to run malicious scripts undetected. If confirmed malicious, this could allow an attacker to execute arbitrary code, potentially leading to further system compromise, data exfiltration, or persistent access within the environment. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} -known_false_positives = There may be legitimate reasons to bypass the PowerShell execution policy. The PowerShell script being run with this parameter should be validated to ensure that it is legitimate. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Malicious PowerShell Process With Obfuscation Techniques - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects PowerShell processes launched with command-line arguments indicative of obfuscation techniques. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and complete command-line executions. This activity is significant because obfuscated PowerShell commands are often used by attackers to evade detection and execute malicious scripts. If confirmed malicious, this activity could lead to unauthorized code execution, privilege escalation, or persistent access within the environment, posing a significant security risk. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} -known_false_positives = These characters might be legitimately on the command-line, but it is not common. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Mimikatz PassTheTicket CommandLine Parameters - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic looks for the use of Mimikatz command line parameters leveraged to execute pass the ticket attacks. Red teams and adversaries alike may use the pass the ticket technique using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Defenders should be aware that adversaries may customize the source code of Mimikatz and modify the command line parameters. This would effectively bypass this analytic. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1550", "T1550.003"], "nist": ["DE.CM"]} -known_false_positives = Although highly unlikely, legitimate applications may use the same command line parameters as Mimikatz. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Mmc LOLBAS Execution Process Spawn - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies `mmc.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the DCOM protocol and the MMC20 COM object, the executed command is spawned as a child processs of `mmc.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of mmc.exe that are part of the LOLBAS project can help defenders identify lateral movement activity. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.003", "T1218.014"], "nist": ["DE.CM"]} -known_false_positives = Legitimate applications may trigger this behavior, filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Modification Of Wallpaper - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic identifies suspicious modification of registry to deface or change the wallpaper of a compromised machines as part of its payload. This technique was commonly seen in ransomware like REVIL where it create a bitmap file contain a note that the machine was compromised and make it as a wallpaper. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the Image, TargetObject registry key, registry Details from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1491"], "nist": ["DE.CM"]} -known_false_positives = 3rd party tool may used to changed the wallpaper of the machine -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Modify ACL permission To Files Or Folder - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic identifies suspicious modification of ACL permission to a files or folder to make it available to everyone. This technique may be used by the adversary to evade ACLs or protected files access. This changes is commonly configured by the file or directory owner with appropriate permission. This behavior is a good indicator if this command seen on a machine utilized by an account with no permission to do so. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222"], "nist": ["DE.AE"]} -known_false_positives = administrators may use this command. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Monitor Registry Keys for Print Monitors - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search looks for registry activity associated with modifications to the registry key `HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors`. In this scenario, an attacker can load an arbitrary .dll into the print-monitor registry by giving the full path name to the after.dll. The system will execute the .dll with elevated (SYSTEM) permissions and will persist after reboot. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1547.010", "T1547"], "nist": ["DE.CM"]} -known_false_positives = You will encounter noise from legitimate print-monitor registry entries. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - MS Exchange Mailbox Replication service writing Active Server Pages - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following query identifies suspicious .aspx created in 3 paths identified by Microsoft as known drop locations for Exchange exploitation related to HAFNIUM group and recently disclosed vulnerablity named ProxyShell. Paths include: `\HttpProxy\owa\auth\`, `\inetpub\wwwroot\aspnet_client\`, and `\HttpProxy\OAB\`. The analytic is limited to process name MSExchangeMailboxReplication.exe, which typically does not write .aspx files to disk. Upon triage, the suspicious .aspx file will likely look obvious on the surface. inspect the contents for script code inside. Identify additional log sources, IIS included, to review source and other potential exploitation. It is often the case that a particular threat is only applicable to a specific subset of systems in your environment. Typically analytics to detect those threats are written without the benefit of being able to only target those systems as well. Writing analytics against all systems when those behaviors are limited to identifiable subsets of those systems is suboptimal. Consider the case ProxyShell vulnerability on Microsoft Exchange Servers. With asset information, a hunter can limit their analytics to systems that have been identified as Exchange servers. A hunter may start with the theory that the exchange server is communicating with new systems that it has not previously. If this theory is run against all publicly facing systems, the amount of noise it will generate will likely render this theory untenable. However, using the asset information to limit this analytic to just the Exchange servers will reduce the noise allowing the hunter to focus only on the systems where this behavioral change is relevant. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1505", "T1505.003", "T1190", "T1133"], "nist": ["DE.CM"]} -known_false_positives = The query is structured in a way that `action` (read, create) is not defined. Review the results of this query, filter, and tune as necessary. It may be necessary to generate this query specific to your endpoint product. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - MS Scripting Process Loading Ldap Module - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search is to detect a suspicious MS scripting process such as wscript.exe or cscript.exe that loading ldap module to process ldap query. This behavior was seen in FIN7 implant where it uses javascript to execute ldap query to parse host information that will send to its C2 server. this anomaly detections is a good initial step to hunt further a suspicious ldap query or ldap related events to the host that may give you good information regarding ldap or AD information processing or might be a attacker. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.007"], "nist": ["DE.AE"]} -known_false_positives = automation scripting language may used by network operator to do ldap query. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - MS Scripting Process Loading WMI Module - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search is to detect a suspicious MS scripting process such as wscript.exe or cscript.exe that loading wmi module to process wmi query. This behavior was seen in FIN7 implant where it uses javascript to execute wmi query to parse host information that will send to its C2 server. this anomaly detections is a good initial step to hunt further a suspicious wmi query or wmi related events to the host that may give you good information regarding process that are commonly using wmi query or modules or might be an attacker using this technique. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.007"], "nist": ["DE.AE"]} -known_false_positives = automation scripting language may used by network operator to do ldap query. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - MSBuild Suspicious Spawned By Script Process - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is to detect a suspicious child process of MSBuild spawned by Windows Script Host - cscript or wscript. This behavior or event are commonly seen and used by malware or adversaries to execute malicious msbuild process using malicious script in the compromised host. During triage, review parallel processes and identify any file modifications. MSBuild may load a script from the same path without having command-line arguments. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1127.001", "T1127"], "nist": ["DE.CM"]} -known_false_positives = False positives should be limited as developers do not spawn MSBuild via a WSH. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Mshta spawning Rundll32 OR Regsvr32 Process - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search is to detect a suspicious mshta.exe process that spawn rundll32 or regsvr32 child process. This technique was seen in several malware nowadays like trickbot to load its initial .dll stage loader to execute and download the the actual trickbot payload. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"]} -known_false_positives = limitted. this anomaly behavior is not commonly seen in clean host. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - MSHTML Module Load in Office Product - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This detection identifies the loading of the mshtml.dll module into an Office product. This behavior is associated with CVE-2021-40444, where a malicious document loads ActiveX, thereby activating the MSHTML component. The vulnerability is found within the MSHTML component itself. During triage, it is important to identify concurrent processes and document any file modifications for further analysis. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the process names and image loads from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} -known_false_positives = Limited false positives will be present, however, tune as necessary. Some applications may legitimately load mshtml.dll. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - MSI Module Loaded by Non-System Binary - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following hunting analytic identifies `msi.dll` being loaded by a binary not located in `system32`, `syswow64`, `winsxs` or `windows` paths. This behavior is most recently related to InstallerFileTakeOver, or CVE-2021-41379, and DLL side-loading. CVE-2021-41379 requires a binary to be dropped and `msi.dll` to be loaded by it. To Successful exploitation of this issue happens in four parts \ - \ -1. Generation of an MSI that will trigger bad behavior. \ -1. Preparing a directory for MSI installation. \ -1. Inducing an error state. \ -1. Racing to introduce a junction and a symlink to trick msiexec.exe to modify the attacker specified file. \ -In addition, `msi.dll` has been abused in DLL side-loading attacks by being loaded by non-system binaries. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.002", "T1574"], "nist": ["DE.AE"]} -known_false_positives = It is possible some Administrative utilities will load msi.dll outside of normal system paths, filter as needed. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Msmpeng Application DLL Side Loading - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search is to detect a suspicious creation of msmpeng.exe or mpsvc.dll in non default windows defender folder. This technique was seen with revil ransomware in Kaseya Supply chain. The approach is to drop an old version of msmpeng.exe to load the actual payload name as mspvc.dll which will load the revil ransomware to the compromise machine -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.002", "T1574"], "nist": ["DE.CM"]} -known_false_positives = quite minimal false positive expected. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Net Localgroup Discovery - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the execution of the `net localgroup` command, which is used to enumerate local group memberships on a system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because it can indicate an attacker is gathering information about local group memberships, potentially to identify privileged accounts. If confirmed malicious, this behavior could lead to further privilege escalation or lateral movement within the network. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.001"], "nist": ["DE.AE"]} -known_false_positives = False positives may be present. Tune as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - NET Profiler UAC bypass - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search is to detect modification of registry to bypass UAC windows feature. This technique is to add a payload dll path on .NET COR file path that will be loaded by mmc.exe as soon it was executed. This detection rely on monitoring the registry key and values in the detection area. It may happened that windows update some dll related to mmc.exe and add dll path in this registry. In this case filtering is needed. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]} -known_false_positives = limited false positive. It may trigger by some windows update that will modify this registry. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Network Connection Discovery With Arp - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the execution of `arp.exe` with the `-a` flag, which is used to list network connections on a compromised system. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, command-line executions, and related telemetry. Monitoring this activity is significant because both Red Teams and adversaries use `arp.exe` for situational awareness and Active Directory discovery. If confirmed malicious, this activity could allow attackers to map the network, identify active devices, and plan further lateral movement or attacks. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1049"], "nist": ["DE.AE"]} -known_false_positives = Administrators or power users may use this command for troubleshooting. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Network Connection Discovery With Net - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic looks for the execution of `net.exe` with command-line arguments utilized to get a listing of network connections on a compromised system. Red Teams and adversaries alike may use net.exe for situational awareness and Active Directory Discovery. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1049"], "nist": ["DE.AE"]} -known_false_positives = Administrators or power users may use this command for troubleshooting. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Network Connection Discovery With Netstat - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic looks for the execution of `netstat.exe` with command-line arguments utilized to get a listing of network connections on a compromised system. Red Teams and adversaries alike may use netstat.exe for situational awareness and Active Directory Discovery. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1049"], "nist": ["DE.AE"]} -known_false_positives = Administrators or power users may use this command for troubleshooting. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Network Discovery Using Route Windows App - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic look for a spawned process of route.exe windows application. Adversaries and red teams alike abuse this application the recon or do a network discovery on a target host. but one possible false positive might be an automated tool used by a system administator or a powershell script in amazon ec2 config services. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1016", "T1016.001"], "nist": ["DE.AE"]} -known_false_positives = A network operator or systems administrator may utilize an automated host discovery application that may generate false positives or an amazon ec2 script that uses this application. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Network Share Discovery Via Dir Command - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies object access on Windows administrative SMB shares (Admin$, IPC$, C$). This represents suspicious behavior as its commonly used by tools like PsExec/PaExec and others to stage service binaries before creating and starting a Windows service on remote endpoints. Red Teams and adversaries alike may abuse administrative shares for lateral movement and remote code execution. The IcedID malware family also implements this behavior to try to infect other machines in the infected network. -how_to_implement = To successfully implement this search, you need to be ingesting Windows Security Event Logs with 5140 EventCode enabled. The Windows TA is also required. Also enable the object Audit access success/failure in your group policy. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1135"], "nist": ["DE.AE"]} -known_false_positives = System Administrators may use looks like net.exe or "dir commandline" for troubleshooting or administrations tasks. However, this will typically come only from certain users and certain systems that can be added to an allow list. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Network Traffic to Active Directory Web Services Protocol - Rule] -type = detection -asset_type = Network -confidence = medium -explanation = The following analytic identifies network traffic to Active Directory Web Services Protocol. This protocol is used to manage Active Directory. The analytic is meant to be tuned and filtered to the specific environment. It will assist defenders in identifying suspicious processes accessing port 9389. -how_to_implement = The detection is based on data that originates from network traffic logs. The logs must contain the source and destination IP addresses, the application name, and the destination port. The logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the network traffic data source. The logs must also be mapped to the `Network_Traffic` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.AE"]} -known_false_positives = False positives should be limited as the destination port is specific to Active Directory Web Services Protocol, however we recommend utilizing this analytic to hunt for non-standard processes querying the ADWS port. Filter by App or dest_ip to AD servers and remove known proceses querying ADWS. -providing_technologies = null - -[savedsearch://ESCU - Nishang PowershellTCPOneLine - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This query detects the Nishang Invoke-PowerShellTCPOneLine utility that spawns a call back to a remote Command And Control server. This is a powershell oneliner. In addition, this will capture on the command-line additional utilities used by Nishang. Triage the endpoint and identify any parallel processes that look suspicious. Review the reputation of the remote IP or domain contacted by the powershell process. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} -known_false_positives = Limited false positives may be present. Filter as needed based on initial analysis. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - NLTest Domain Trust Discovery - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search looks for the execution of `nltest.exe` with command-line arguments utilized to query for Domain Trust information. Two arguments `/domain trusts`, returns a list of trusted domains, and `/all_trusts`, returns all trusted domains. Red Teams and adversaries alike use NLTest.exe to enumerate the current domain to assist with further understanding where to pivot next. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1482"], "nist": ["DE.CM"]} -known_false_positives = Administrators may use nltest for troubleshooting purposes, otherwise, rarely used. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search is to detect an anomaly event of a non-chrome process accessing the files in chrome user default folder. This folder contains all the sqlite database of the chrome browser related to users login, history, cookies and etc. Most of the RAT, trojan spy as well as FIN7 jssloader try to parse the those sqlite database to collect information on the compromised host. This SACL Event (4663) need to be enabled to tthe firefox profile directory to be eable to use this. Since you monitoring this access to the folder, we observed noise that needs to be filter out and hence added sqlite db browser and explorer .exe to make this detection more stable. -how_to_implement = To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1555", "T1555.003"], "nist": ["DE.AE"]} -known_false_positives = other browser not listed related to firefox may catch by this rule. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Non Firefox Process Access Firefox Profile Dir - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search is to detect an anomaly event of a non-firefox process accessing the files in the profile folder. This folder contains all the sqlite database of the firefox browser related to users login, history, cookies and etc. Most of the RAT, trojan spy as well as FIN7 jssloader try to parse the those sqlite database to collect information on the compromised host. This SACL Event (4663) needs to be enabled to the firefox profile directory to use this. Since this is monitoring the access to the folder, we have obsevered noise and hence added `sqlite db browser` and `explorer.exe` to make this detection more stable. -how_to_implement = To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1555", "T1555.003"], "nist": ["DE.AE"]} -known_false_positives = other browser not listed related to firefox may catch by this rule. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Notepad with no Command Line Arguments - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies behavior related to default SliverC2 framework where it will inject into Notepad.exe and spawn Notepad.exe with no command line arguments. In testing, this is a common procedure for SliverC2 usage, however may be modified or changed. From Microsoft, "The Sideload, SpawnDll, and Execute-Assembly commands spawn and inject into notepad.exe by default. The following query finds process creation events where the same process creates and injects into notepad.exe within 10 seconds." -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} -known_false_positives = False positives may be present and filtering may need to occur based on organization endpoint behavior. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Ntdsutil Export NTDS - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = Monitor for signs that Ntdsutil is being used to Extract Active Directory database - NTDS.dit, typically used for offline password cracking. It may be used in normal circumstances with no command line arguments or shorthand variations of more common arguments. Ntdsutil.exe is typically seen run on a Windows Server. Typical command used to dump ntds.dit \ -ntdsutil "ac i ntds" "ifm" "create full C:\Temp" q q \ -This technique uses "Install from Media" (IFM), which will extract a copy of the Active Directory database. A successful export of the Active Directory database will yield a file modification named ntds.dit to the destination. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]} -known_false_positives = Highly possible Server Administrators will troubleshoot with ntdsutil.exe, generating false positives. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Office Application Drop Executable - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search is to detect a suspicious MS office application that drops or creates executables or scripts in a Windows Operating System. This behavior is commonly seen in spear phishing office attachment where it drop malicious files or script to compromised the host. It might be some normal macro may drop script or tools as part of automation but still this behavior is reallly suspicious and not commonly seen in normal office application -how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} -known_false_positives = office macro for automation may do this behavior -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Office Application Spawn Regsvr32 process - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = this detection was designed to identifies suspicious spawned process of known MS office application due to macro or malicious code. this technique can be seen in so many malware like IcedID that used MS office as its weapon or attack vector to initially infect the machines. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Office Application Spawn rundll32 process - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This detection was designed to identify suspicious spawned processes of known MS office applications due to macro or malicious code. this technique can be seen in so many malware like trickbot that used MS office as its weapon or attack vector to initially infect the machines. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Office Document Creating Schedule Task - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects a potentially malicious office document that creates a scheduled task entry either through a macro VBA API or by loading taskschd.dll. This technique has been observed in numerous instances of malicious macro malware aiming to establish persistence or beaconing through task schedule entries. The analytic will return the first and last time the task was registered, as well as details such as the `Command` to be executed, `Task Name`, `Author`, `Enabled` status, and whether it is `Hidden`. schtasks.exe is natively located in `C:\Windows\system32` and `C:\Windows\syswow64`. The DLL(s) `taskschd.dll` are loaded when schtasks.exe or TaskService is initiated. If this DLL is found loaded by another process, it may indicate that a scheduled task is being registered within that process's context in memory. During triage, determine the source of the scheduled task. Was it schtasks.exe or via TaskService? Review the job created and the command to be executed. Capture any artifacts on disk for further review. Identify any parallel processes within the same timeframe to pinpoint the source.' -how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and ImageLoaded (Like sysmon EventCode 7) from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Also be sure to include those monitored dll to your own sysmon config. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} -known_false_positives = False positives may occur if legitimate office documents are creating scheduled tasks. Ensure to investigate the scheduled task and the command to be executed. If the task is benign, add the task name to the exclusion list. Some applications may legitimately load taskschd.dll. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Office Document Executing Macro Code - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This detection is designed to identify suspicious office documents that utilize macro code. Macro code is known to be a prevalent weaponization or attack vector for threat actors. This malicious macro code can be embedded in an office document as an attachment, potentially executing a malicious payload, downloading malware, or other malicious components. It is a good practice to disable macros by default to prevent the automatic execution of macro code when opening or closing office document files. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and ImageLoaded (Like sysmon EventCode 7) from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Also be sure to include those monitored dll to your own sysmon config. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} -known_false_positives = False positives may occur if legitimate office documents are executing macro code. Ensure to investigate the macro code and the command to be executed. If the macro code is benign, add the document name to the exclusion list. Some applications may legitimately load VBE7INTL.DLL, VBE7.DLL, or VBEUI.DLL. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Office Document Spawned Child Process To Download - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search is to detect potential malicious office document executing lolbin child process to download payload or other malware. Since most of the attacker abused the capability of office document to execute living on land application to blend it to the normal noise in the infected machine to cover its track. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} -known_false_positives = Default browser not in the filter list. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Office Product Spawn CMD Process - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = this search is to detect a suspicious office product process that spawn cmd child process. This is commonly seen in a ms office product having macro to execute shell command to download or execute malicious lolbin relative to its malicious code. This is seen in trickbot spear phishing doc where it execute shell cmd to run mshta payload. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} -known_false_positives = IT or network admin may create an document automation that will run shell script. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Office Product Spawning BITSAdmin - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following detection identifies the latest behavior utilized by different malware families (including TA551, IcedID). This detection identifies any Windows Office Product spawning `bitsadmin.exe`. In malicious instances, the command-line of `bitsadmin.exe` will contain a URL to a remote destination or similar command-line arguments as transfer, Download, priority, Foreground. In addition, Threat Research has released a detections identifying suspicious use of `bitsadmin.exe`. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. The Office Product, or `bitsadmin.exe` will have reached out to a remote destination, capture and block the IPs or domain. Review additional parallel processes for further activity. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} -known_false_positives = No false positives known. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Office Product Spawning CertUtil - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following detection identifies the latest behavior utilized by different malware families (including TA551, IcedID). This detection identifies any Windows Office Product spawning `certutil.exe`. In malicious instances, the command-line of `certutil.exe` will contain a URL to a remote destination. In addition, Threat Research has released a detections identifying suspicious use of `certutil.exe`. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. The Office Product, or `certutil.exe` will have reached out to a remote destination, capture and block the IPs or domain. Review additional parallel processes for further activity. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} -known_false_positives = No false positives known. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Office Product Spawning MSHTA - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following detection identifies the latest behavior utilized by different malware families (including TA551, IcedID). This detection identifies any Windows Office Product spawning `mshta.exe`. In malicious instances, the command-line of `mshta.exe` will contain the `hta` file locally, or a URL to the remote destination. In addition, Threat Research has released a detections identifying suspicious use of `mshta.exe`. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. The Office Product, or `mshta.exe` will have reached out to a remote destination, capture and block the IPs or domain. Review additional parallel processes for further activity. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} -known_false_positives = No false positives known. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Office Product Spawning Rundll32 with no DLL - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following detection identifies the latest behavior utilized by IcedID malware family. This detection identifies any Windows Office Product spawning `rundll32.exe` without a `.dll` file extension. In malicious instances, the command-line of `rundll32.exe` will look like `rundll32 ..\oepddl.igk2,DllRegisterServer`. In addition, Threat Research has released a detection identifying the use of `DllRegisterServer` on the command-line of `rundll32.exe`. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze the `DLL` that was dropped to disk. The Office Product will have reached out to a remote destination, capture and block the IPs or domain. Review additional parallel processes for further activity. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} -known_false_positives = False positives should be limited, but if any are present, filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Office Product Spawning Windows Script Host - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects an Office product spawning WScript.exe or CScript.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where Office applications are the parent processes. This activity is significant because it may indicate the execution of potentially malicious scripts through Office products, a common tactic in phishing attacks and malware delivery. If confirmed malicious, this behavior could lead to unauthorized code execution, data exfiltration, or further system compromise. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} -known_false_positives = False positives may be present based on macro based approved documents in the organization. Filtering may be needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Office Product Spawning Wmic - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following detection identifies the latest behavior utilized by Ursnif malware family. This detection identifies any Windows Office Product spawning `wmic.exe`. In malicious instances, the command-line of `wmic.exe` will contain `wmic process call create`. In addition, Threat Research has released a detection identifying the use of `wmic process call create` on the command-line of `wmic.exe`. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. The Office Product, or `wmic.exe` will have reached out to a remote destination, capture and block the IPs or domain. Review additional parallel processes for further activity. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} -known_false_positives = No false positives known. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Office Product Writing cab or inf - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies behavior related to CVE-2021-40444. Whereas the malicious document will load ActiveX and download the remote payload (.inf, .cab). During triage, review parallel processes and further activity on endpoint to identify additional patterns. Retrieve the file modifications and analyze further. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} -known_false_positives = The query is structured in a way that `action` (read, create) is not defined. Review the results of this query, filter, and tune as necessary. It may be necessary to generate this query specific to your endpoint product. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Office Spawning Control - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following detection identifies control.exe spawning from an office product. This detection identifies any Windows Office Product spawning `control.exe`. In malicious instances, the command-line of `control.exe` will contain a file path to a .cpl or .inf, related to CVE-2021-40444. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. review parallel and child processes to identify further suspicious behavior -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} -known_false_positives = Limited false positives should be present. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Outbound Network Connection from Java Using Default Ports - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = A required step while exploiting the CVE-2021-44228-Log4j vulnerability is that the victim server will perform outbound connections to attacker-controlled infrastructure. This is required as part of the JNDI lookup as well as for retrieving the second stage .class payload. The following analytic identifies the Java process reaching out to default ports used by the LDAP and RMI protocols. This behavior could represent successfull exploitation. Note that adversaries can easily decide to use arbitrary ports for these protocols and potentially bypass this detection. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} -known_false_positives = Legitimate Java applications may use perform outbound connections to these ports. Filter as needed -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Overwriting Accessibility Binaries - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = Microsoft Windows contains accessibility features that can be launched with a key combination before a user has logged in. An adversary can modify or replace these programs so they can get a command prompt or backdoor without logging in to the system. This search looks for modifications to these binaries. -how_to_implement = You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1546", "T1546.008"], "nist": ["DE.CM"]} -known_false_positives = Microsoft may provide updates to these binaries. Verify that these changes do not correspond with your normal software update cycle. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - PaperCut NG Suspicious Behavior Debug Log - Rule] -type = detection -asset_type = Web Server -confidence = medium -explanation = The following hunting analytic is designed to monitor and detect potential exploitation attempts targeting a PaperCut NG server by analyzing its debug log data. By focusing on public IP addresses accessing the PaperCut NG instance, this analytic aims to identify unauthorized or suspicious access attempts. Furthermore, it searches for specific URIs that have been discovered in the proof of concept code, which are associated with known exploits or vulnerabilities. The analytic is focused on the user admin. Regex is used mainly because the log is not parsed by Splunk and there is no TA for this debug log. -how_to_implement = Debug logs must be enabled and shipped to Splunk in order to properly identify behavior with this analytic. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.AE"]} -known_false_positives = False positives may be present, as this is based on the admin user accessing the Papercut NG instance from a public IP address. Filter as needed. -providing_technologies = null - -[savedsearch://ESCU - Password Policy Discovery with Net - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the execution of `net.exe` or `net1.exe` with command line arguments aimed at obtaining the domain password policy. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to gather information about Active Directory password policies. If confirmed malicious, this behavior could allow attackers to understand password complexity requirements, aiding in brute-force or password-guessing attacks, ultimately compromising user accounts and gaining unauthorized access to the network. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.AE"]} -known_false_positives = Administrators or power users may use this command for troubleshooting. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Permission Modification using Takeown App - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the modification of file or directory permissions using the takeown.exe Windows application. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include process GUID, process name, and command-line details. This activity is significant because it is a common technique used by ransomware to take ownership of files or folders for encryption or deletion. If confirmed malicious, this could lead to unauthorized access, data encryption, or data destruction, severely impacting the integrity and availability of critical data. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222"], "nist": ["DE.CM"]} -known_false_positives = takeown.exe is a normal windows application that may used by network operator. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - PetitPotam Network Share Access Request - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic utilizes Windows Event Code 5145, "A network share object was checked to see whether client can be granted desired access". During our research into PetitPotam, CVE-2021-36942, we identified the ocurrence of this event on the target host with specific values. \ -To enable 5145 events via Group Policy - Computer Configuration->Polices->Windows Settings->Security Settings->Advanced Audit Policy Configuration. Expand this node, go to Object Access (Audit Polices->Object Access), then select the Setting Audit Detailed File Share Audit \ -It is possible this is not enabled by default and may need to be reviewed and enabled. \ - \ -During triage, review parallel security events to identify further suspicious activity. -how_to_implement = Windows Event Code 5145 is required to utilize this analytic and it may not be enabled in most environments. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1187"], "nist": ["DE.CM"]} -known_false_positives = False positives have been limited when the Anonymous Logon is used for Account Name. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - PetitPotam Suspicious Kerberos TGT Request - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifes Event Code 4768, A `Kerberos authentication ticket (TGT) was requested`, successfull occurs. This behavior has been identified to assist with detecting PetitPotam, CVE-2021-36942. Once an attacer obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes. One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus. This request will generate a 4768 event with some unusual fields depending on the environment. This analytic will require tuning, we recommend filtering Account_Name to Domain Controllers for your environment. -how_to_implement = The following analytic requires Event Code 4768. Ensure that it is logging no Domain Controllers and appearing in Splunk. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003"], "nist": ["DE.CM"]} -known_false_positives = False positives are possible if the environment is using certificates for authentication. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Ping Sleep Batch Command - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic will identify the possible execution of ping sleep batch commands. This technique was seen in several malware samples and is used to trigger sleep times without explicitly calling sleep functions or commandlets. The goal is to delay the execution of malicious code and bypass detection or sandbox analysis. This detection can be a good indicator of a process delaying its execution for malicious purposes. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1497", "T1497.003"], "nist": ["DE.AE"]} -known_false_positives = Administrator or network operator may execute this command. Please update the filter macros to remove false positives. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Possible Browser Pass View Parameter - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic will detect if a suspicious process contains a commandline parameter related to a web browser credential dumper. This technique is used by Remcos RAT malware which uses the Nirsoft webbrowserpassview.exe application to dump web browser credentials. Remcos uses the "/stext" command line to dump the credentials in text format. This Hunting query is a good indicator of hosts suffering from possible Remcos RAT infection. Since the hunting query is based on the parameter command and the possible path where it will save the text credential information, it may catch normal tools that are using the same command and behavior. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1555.003", "T1555"], "nist": ["DE.AE"]} -known_false_positives = False positive is quite limited. Filter is needed -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Possible Lateral Movement PowerShell Spawn - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic is designed to identify possible lateral movement attacks that involve the spawning of a PowerShell process as a child or grandchild process of commonly abused processes. These processes include services.exe, wmiprsve.exe, svchost.exe, wsmprovhost.exe, and mmc.exe. \ -Such behavior is indicative of legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management, and the DCOM protocol being abused to start a process on a remote endpoint. This behavior is often seen during lateral movement techniques where adversaries or red teams abuse these services for lateral movement and remote code execution. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1021", "T1021.003", "T1021.006", "T1047", "T1053.005", "T1543.003", "T1059.001", "T1218.014"], "nist": ["DE.CM"]} -known_false_positives = Legitimate applications may spawn PowerShell as a child process of the the identified processes. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Potential password in username - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search identifies users who have entered their passwords in username fields. This is done by looking for failed authentication attempts using usernames with a length longer than 7 characters and a high Shannon entropy, and looks for the next successful authentication attempt from the same source system to the same destination system as the failed attempt. -how_to_implement = To successfully implement this search, you need to have relevant authentication logs mapped to the Authentication data model. You also need to have the Splunk TA URL Toolbox (https://splunkbase.splunk.com/app/2734/) installed. The detection must run with a time interval shorter than endtime+1000. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.003", "T1552.001"], "nist": ["DE.AE"]} -known_false_positives = Valid usernames with high entropy or source/destination system pairs with multiple authenticating users will make it difficult to identify the real user authenticating. -providing_technologies = null - -[savedsearch://ESCU - Potentially malicious code on commandline - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic uses a pretrained machine learning text classifier to detect potentially malicious commandlines. The model identifies unusual combinations of keywords found in samples of commandlines where adversaries executed powershell code, primarily for C2 communication. For example, adversaries will leverage IO capabilities such as "streamreader" and "webclient", threading capabilties such as "mutex" locks, programmatic constructs like "function" and "catch", and cryptographic operations like "computehash". Although observing one of these keywords in a commandline script is possible, combinations of keywords observed in attack data are not typically found in normal usage of the commandline. The model will output a score where all values above zero are suspicious, anything greater than one particularly so. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.003"], "nist": ["DE.AE"]} -known_false_positives = This model is an anomaly detector that identifies usage of APIs and scripting constructs that are correllated with malicious activity. These APIs and scripting constructs are part of the programming langauge and advanced scripts may generate false positives. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - PowerShell 4104 Hunting - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following Hunting analytic assists with identifying suspicious PowerShell execution using Script Block Logging, or EventCode 4104. This analytic is not meant to be ran hourly, but occasionally to identify malicious or suspicious PowerShell. This analytic is a combination of work completed by Alex Teixeira and Splunk Threat Research Team. -how_to_implement = The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.AE"]} -known_false_positives = Limited false positives. May filter as needed. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - PowerShell - Connect To Internet With Hidden Window - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following hunting analytic identifies PowerShell commands utilizing the WindowStyle parameter to hide the window on the compromised endpoint. This combination of command-line options is suspicious because it is overriding the default PowerShell execution policy, attempts to hide its activity from the user, and connects to the Internet. Removed in this version of the query is New-Object. The analytic identifies all variations of WindowStyle, as PowerShell allows the ability to shorten the parameter. For example w, win, windowsty and so forth. In addition, through our research it was identified that PowerShell will interpret different command switch types beyond the hyphen. We have added endash, emdash, horizontal bar, and forward slash. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.001", "T1059"], "nist": ["DE.AE"]} -known_false_positives = Legitimate process can have this combination of command-line options, but it's not common. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Powershell COM Hijacking InprocServer32 Modification - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects attempts to modify or add a Component Object Model (COM) entry to the InProcServer32 path within the registry using PowerShell. It leverages PowerShell ScriptBlock Logging (EventCode 4104) to identify suspicious script blocks that target the InProcServer32 registry path. This activity is significant because modifying COM objects can be used for persistence or privilege escalation by attackers. If confirmed malicious, this could allow an attacker to execute arbitrary code or maintain persistent access to the compromised system, posing a severe security risk. -how_to_implement = The following analytic requires PowerShell operational logs to be imported. Modify the PowerShell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1546.015", "T1059", "T1059.001"], "nist": ["DE.CM"]} -known_false_positives = False positives will be present if any scripts are adding to inprocserver32. Filter as needed. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Powershell Creating Thread Mutex - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies suspicious PowerShell script execution via EventCode 4104 that is using the `mutex` function. This function is commonly seen in some obfuscated PowerShell scripts to make sure that only one instance of there process is running on a compromise machine. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1027", "T1027.005", "T1059.001"], "nist": ["DE.CM"]} -known_false_positives = powershell developer may used this function in their script for instance checking too. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Powershell Disable Security Monitoring - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies attempts to disable Windows Defender real-time behavior monitoring via PowerShell commands. It detects the use of specific `Set-MpPreference` parameters that disable various security features. This activity is significant as it is commonly used by malware such as RATs, bots, or Trojans to evade detection by disabling antivirus protections. If confirmed malicious, this action could allow an attacker to operate undetected, leading to potential data exfiltration, further system compromise, or persistent access within the environment. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -known_false_positives = Limited false positives. However, tune based on scripts that may perform this action. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - PowerShell Domain Enumeration - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ - \ -This analytic identifies specific PowerShell modules typically used to enumerate an organizations domain or users. \ -During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} -known_false_positives = It is possible there will be false positives, filter as needed. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - PowerShell Enable PowerShell Remoting - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic utilizes PowerShell Script Block Logging (EventCode 4104) to identify the use of Enable-PSRemoting cmdlet. This cmdlet allows users to enable PowerShell remoting on a local or remote computer, which allows other computers to run commands on the target computer. The ability to remotely execute commands can be abused by attackers to take control of compromised systems and pivot to other systems on the network. By detecting the use of Enable-PSRemoting cmdlet via script block logging, this analytic can help organizations identify potential malicious activity related to attackers attempting to gain remote control of compromised systems. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.001", "T1059"], "nist": ["DE.AE"]} -known_false_positives = Note that false positives may occur due to the use of the Enable-PSRemoting cmdlet by legitimate users, such as system administrators. It is recommended to apply appropriate filters as needed to minimize the number of false positives. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Powershell Enable SMB1Protocol Feature - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search is to detect a suspicious enabling of smb1protocol through `powershell.exe`. This technique was seen in some ransomware (like reddot) where it enable smb share to do the lateral movement and encrypt other files within the compromise network system. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the powershell logs from your endpoints. make sure you enable needed registry to monitor this event. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1027", "T1027.005"], "nist": ["DE.CM"]} -known_false_positives = network operator may enable or disable this windows feature. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Powershell Execute COM Object - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search is to detect a COM CLSID execution through powershell. This technique was seen in several adversaries and malware like ransomware conti where it has a feature to execute command using COM Object. This technique may use by network operator at some cases but a good indicator if some application want to gain privilege escalation or bypass uac. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1546.015", "T1546", "T1059.001"], "nist": ["DE.CM"]} -known_false_positives = network operrator may use this command. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Powershell Fileless Process Injection via GetProcAddress - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. \ - \ -This analytic identifies `GetProcAddress` in the script block. This is not normal to be used by most PowerShell scripts and is typically unsafe/malicious. Many attack toolkits use GetProcAddress to obtain code execution. \ -In use, `$var_gpa = $var_unsafe_native_methods.GetMethod(GetProcAddress` and later referenced/executed elsewhere. \ -During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1059", "T1055", "T1059.001"], "nist": ["DE.CM"]} -known_false_positives = Limited false positives. Filter as needed. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ - \ -This analytic identifies `FromBase64String` within the script block. A typical malicious instance will include additional code. \ -Command example - `[Byte[]]$var_code = [System.Convert]::FromBase64String(38uqIyMjQ6rG....` \ - \ -During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1059", "T1027", "T1059.001"], "nist": ["DE.CM"]} -known_false_positives = False positives should be limited. Filter as needed. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - PowerShell Get LocalGroup Discovery - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the use of the `get-localgroup` command executed via PowerShell or cmd.exe to enumerate local groups on an endpoint. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. Monitoring this activity is significant as it may indicate an attacker attempting to gather information about local group memberships, which can be a precursor to privilege escalation. If confirmed malicious, this activity could allow an attacker to identify and target privileged accounts, potentially leading to unauthorized access and control over the system. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.001"], "nist": ["DE.AE"]} -known_false_positives = False positives may be present. Tune as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Powershell Get LocalGroup Discovery with Script Block Logging - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ - \ -This analytic identifies PowerShell cmdlet - `get-localgroup` being ran. Typically, by itself, is not malicious but may raise suspicion based on time of day, endpoint and username. \ -During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.001"], "nist": ["DE.AE"]} -known_false_positives = False positives may be present. Tune as needed. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - PowerShell Invoke CIMMethod CIMSession - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic identifies the use of the New-CIMSession cmdlet being created along with the Invoke-CIMMethod cmdlet being used within PowerShell. This particular behavior is similar to the usage of the Invoke-WMIMethod cmdlet, which is known for executing WMI commands on targets using NTLMv2 pass-the-hash authentication. The New-CIMSession cmdlet allows users to create a new CIM session object for a specified computer system, which can then be used to execute CIM operations remotely. Similarly, the Invoke-CIMMethod cmdlet is used to invoke a specified method on one or more CIM objects. Therefore, the combination of New-CIMSession and Invoke-CIMMethod cmdlets in PowerShell can potentially indicate malicious behavior, and this analytic can help detect such activity. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.AE"]} -known_false_positives = False positives may be present based on third-party applications or administrators using CIM. It is recommended to apply appropriate filters as needed to minimize the number of false positives. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - PowerShell Invoke WmiExec Usage - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the execution of the Invoke-WMIExec utility within PowerShell Script Block Logging (EventCode 4104). This detection leverages PowerShell script block logs to identify instances where the Invoke-WMIExec command is used. Monitoring this activity is crucial as it indicates potential lateral movement using WMI commands with NTLMv2 pass-the-hash authentication. If confirmed malicious, this activity could allow an attacker to execute commands remotely on target systems, potentially leading to further compromise and lateral spread within the network. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]} -known_false_positives = False positives should be limited as this analytic is designed to detect a specific utility. It is recommended to apply appropriate filters as needed to minimize the number of false positives. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Powershell Load Module in Meterpreter - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ - \ -This analytic identifies "MSF.Powershell","MSF.Powershell.Meterpreter","MSF.Powershell.Meterpreter.Kiwi","MSF.Powershell.Meterpreter.Transport" being used. This behavior is related to when a Meterpreter session is started and the operator runs load_kiwi. \ -During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. -how_to_implement = The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} -known_false_positives = False positives should be very limited as this is strict to MetaSploit behavior. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. \ - \ -This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. \ -During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} -known_false_positives = False positives should be limited as day to day scripts do not use this method. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Powershell Processing Stream Of Data - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies suspicious PowerShell script execution via EventCode 4104 that is processing compressed stream data. This is typically found in obfuscated PowerShell or PowerShell executing embedded .NET or binary files that are stream flattened and will be deflated durnig execution. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} -known_false_positives = powershell may used this function to process compressed data. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Powershell Remote Services Add TrustedHost - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a suspicious PowerShell script execution via EventCode 4104 that contains command to add or modify the trustedhost configuration in Windows OS. This behavior raises concerns due to the nature of modifications made to the 'TrustedHost' configuration, which typically involves adjusting settings crucial for remote connections and security protocols. Alterations in this area could potentially indicate attempts to manipulate trusted hosts or systems for unauthorized remote access, a tactic commonly observed in various unauthorized access or compromise attempts. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.006", "T1021"], "nist": ["DE.CM"]} -known_false_positives = user and network administrator may used this function to add trusted host. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Powershell Remote Thread To Known Windows Process - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = this search is designed to detect suspicious powershell process that tries to inject code and to known/critical windows process and execute it using CreateRemoteThread. This technique is seen in several malware like trickbot and offensive tooling like cobaltstrike where it load a shellcode to svchost.exe to execute reverse shell to c2 and download another payload -how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, Create Remote thread from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of create remote thread may be used. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Powershell Remove Windows Defender Directory - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic will identify a suspicious PowerShell command used to delete the Windows Defender folder. This technique was seen used by the WhisperGate malware campaign where it used Nirsofts advancedrun.exe to gain administrative privileges to then execute a PowerShell command to delete the Windows Defender folder. This is a good indicator the offending process is trying corrupt a Windows Defender installation. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - PowerShell Script Block With URL Chain - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a suspicious PowerShell script execution via EventCode 4104 that contains multiple URLs within a function or array. This is typically found in obfuscated PowerShell or PowerShell executing embedded .NET or binary files that are attempting to download 2nd stage payloads. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts. -how_to_implement = The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control", "Installation"], "mitre_attack": ["T1059.001", "T1105"], "nist": ["DE.CM"]} -known_false_positives = Unknown, possible custom scripting. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - PowerShell Start-BitsTransfer - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = Start-BitsTransfer is the PowerShell "version" of BitsAdmin.exe. Similar functionality is present. This technique variation is not as commonly used by adversaries, but has been abused in the past. Lesser known uses include the ability to set the `-TransferType` to `Upload` for exfiltration of files. In an instance where `Upload` is used, it is highly possible files will be archived. During triage, review parallel processes and process lineage. Capture any files on disk and review. For the remote domain or IP, what is the reputation? -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1197"], "nist": ["DE.CM"]} -known_false_positives = Limited false positives. It is possible administrators will utilize Start-BitsTransfer for administrative tasks, otherwise filter based parent process or command-line arguments. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - PowerShell Start or Stop Service - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic identifies the use of PowerShell's Start-Service or Stop-Service cmdlets on an endpoint. These cmdlets allow users to start or stop a specified Windows service. The ability to manipulate services can be leveraged by attackers to disable or stop critical services, which can cause system instability or disrupt business operations. By detecting the use of Start-Service or Stop-Service cmdlets via PowerShell, this analytic can help organizations identify potential malicious activity related to attackers attempting to manipulate services on compromised systems. However, note that this behavior may be noisy, as these cmdlets are commonly used by system administrators or other legitimate users to manage services. Therefore, it is recommended not to enable this analytic as a direct notable or TTP. Instead, it should be used as part of a broader set of security controls to detect and investigate potential threats. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.001"], "nist": ["DE.AE"]} -known_false_positives = This behavior may be noisy, as these cmdlets are commonly used by system administrators or other legitimate users to manage services. Therefore, it is recommended not to enable this analytic as a direct notable or TTP. Instead, it should be used as part of a broader set of security controls to detect and investigate potential threats. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Powershell Using memory As Backing Store - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies suspicious PowerShell script execution via EventCode 4104 that is using memory stream as new object backstore. The malicious PowerShell script will contain stream flate data and will be decompressed in memory to run or drop the actual payload. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.001", "T1059"], "nist": ["DE.CM"]} -known_false_positives = powershell may used this function to store out object into memory. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - PowerShell WebRequest Using Memory Stream - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the use of .NET classes in PowerShell to download a URL payload directly into memory, a common fileless malware staging technique. It leverages PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell commands involving `system.net.webclient`, `system.net.webrequest`, and `IO.MemoryStream`. This activity is significant as it indicates potential fileless malware execution, which is harder to detect and can bypass traditional file-based defenses. If confirmed malicious, this technique could allow attackers to execute code in memory, evade detection, and maintain persistence in the environment. -how_to_implement = The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control", "Exploitation", "Installation"], "mitre_attack": ["T1059.001", "T1105", "T1027.011"], "nist": ["DE.CM"]} -known_false_positives = Unknown, possible custom scripting. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Powershell Windows Defender Exclusion Commands - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic will detect a suspicious process commandline related to windows defender exclusion feature. This command is abused by adversaries, malware author and red teams to bypassed Windows Defender Anti-Virus product by excluding folder path, file path, process, extensions and etc. from its real time or schedule scan to execute their malicious code. This is a good indicator for defense evasion and to look further for events after this behavior. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -known_false_positives = admin or user may choose to use this windows features. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Prevent Automatic Repair Mode using Bcdedit - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the execution of "bcdedit.exe" with parameters to set the boot status policy to ignore all failures. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because it can indicate an attempt by ransomware to prevent a compromised machine from booting into automatic repair mode, thereby hindering recovery efforts. If confirmed malicious, this action could allow attackers to maintain control over the infected system, complicating remediation and potentially leading to further damage. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]} -known_false_positives = Administrators may modify the boot configuration ignore failure during testing and debugging. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Print Processor Registry Autostart - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is to detect a suspicious modification or new registry entry regarding print processor. This registry is known to be abuse by turla or other APT to gain persistence and privilege escalation to the compromised machine. This is done by adding the malicious dll payload on the new created key in this registry that will be executed as it restarted the spoolsv.exe process and services. -how_to_implement = To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]} -known_false_positives = possible new printer installation may add driver component on this registry. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Print Spooler Adding A Printer Driver - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies new printer drivers being load by utilizing the Windows PrintService operational logs, EventCode 316. This was identified during our testing of CVE-2021-34527 previously (CVE-2021-1675) or PrintNightmare. \ - \ -Within the proof of concept code, the following event will occur - "Printer driver 1234 for Windows x64 Version-3 was added or updated. Files:- UNIDRV.DLL, kernelbase.dll, evil.dll. No user action is required." \ -During triage, isolate the endpoint and review for source of exploitation. Capture any additional file modification events and review the source of where the exploitation began. -how_to_implement = You will need to ensure PrintService Admin and Operational logs are being logged to Splunk from critical or all systems. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]} -known_false_positives = Unknown. This may require filtering. -providing_technologies = null - -[savedsearch://ESCU - Print Spooler Failed to Load a Plug-in - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies driver load errors utilizing the Windows PrintService Admin logs. This was identified during our testing of CVE-2021-34527 previously (CVE-2021-1675) or PrintNightmare. \ -Within the proof of concept code, the following error will occur - "The print spooler failed to load a plug-in module C:\Windows\system32\spool\DRIVERS\x64\3\meterpreter.dll, error code 0x45A. See the event user data for context information." \ -The analytic is based on file path and failure to load the plug-in. \ -During triage, isolate the endpoint and review for source of exploitation. Capture any additional file modification events. -how_to_implement = You will need to ensure PrintService Admin and Operational logs are being logged to Splunk from critical or all systems. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]} -known_false_positives = False positives are unknown and filtering may be required. -providing_technologies = null - -[savedsearch://ESCU - Process Creating LNK file in Suspicious Location - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects a process creating a `.lnk` file in suspicious locations such as `C:\User*` or `*\Local\Temp\*`. It leverages filesystem and process activity data from the Endpoint data model to identify this behavior. This activity is significant because creating `.lnk` files in these directories is a common tactic used by spear phishing tools to establish persistence or execute malicious payloads. If confirmed malicious, this could allow an attacker to maintain persistence, execute arbitrary code, or further compromise the system. -how_to_implement = You must be ingesting data that records filesystem and process activity from your hosts to populate the Endpoint data model. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or endpoint data sources, such as Sysmon. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.002"], "nist": ["DE.CM"]} -known_false_positives = This detection should yield little or no false positive results. It is uncommon for LNK files to be executed from temporary or user directories. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Process Deleting Its Process File Path - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This detection is to identify a suspicious process that tries to delete the process file path related to its process. This technique is known to be defense evasion once a certain condition of malware is satisfied or not. Clop ransomware use this technique where it will try to delete its process file path using a .bat command if the keyboard layout is not the layout it tries to infect. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Process Execution via WMI - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies `WmiPrvSE.exe` spawning a process. This typically occurs when a process is instantiated from a local or remote process using `wmic.exe`. During triage, review parallel processes for suspicious behavior or commands executed. Review the process and command-line spawning from `wmiprvse.exe`. Contain and remediate the endpoint as necessary. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]} -known_false_positives = Although unlikely, administrators may use wmi to execute commands for legitimate purposes. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Process Kill Base On File Path - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the use of `wmic.exe` with the `delete` command to remove an executable path. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This activity is significant because it often indicates the initial stages of an adversary setting up malicious activities, such as cryptocurrency mining, on an endpoint. If confirmed malicious, this behavior could allow an attacker to disable security tools or other critical processes, facilitating further compromise and persistence within the environment. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -known_false_positives = Unknown. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Process Writing DynamicWrapperX - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = DynamicWrapperX is an ActiveX component that can be used in a script to call Windows API functions, but it requires the dynwrapx.dll to be installed and registered. With that, a binary writing dynwrapx.dll to disk and registering it into the registry is highly suspect. Why is it needed? In most malicious instances, it will be written to disk at a non-standard location. During triage, review parallel processes and pivot on the process_guid. Review the registry for any suspicious modifications meant to load dynwrapx.dll. Identify any suspicious module loads of dynwrapx.dll. This will identify the process that will invoke vbs/wscript/cscript. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1559.001"], "nist": ["DE.AE"]} -known_false_positives = False positives should be limited, however it is possible to filter by Processes.process_name and specific processes (ex. wscript.exe). Filter as needed. This may need modification based on EDR telemetry and how it brings in registry data. For example, removal of (Default). -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Processes launching netsh - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search looks for processes launching netsh.exe. Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed. In this search, we are looking for processes spawned by netsh.exe and executing commands via the command line. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.004", "T1562"], "nist": ["DE.AE"]} -known_false_positives = Some VPN applications are known to launch netsh.exe. Outside of these instances, it is unusual for an executable to launch netsh.exe and run commands. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Processes Tapping Keyboard Events - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search looks for processes in an MacOS system that is tapping keyboard events in MacOS, and essentially monitoring all keystrokes made by a user. This is a common technique used by RATs to log keystrokes from a victim, although it can also be used by legitimate processes like Siri to react on human input -how_to_implement = In order to properly run this search, Splunk needs to ingest data from your osquery deployed agents with the [osx-attacks.conf](https://github.com/facebook/osquery/blob/experimental/packs/osx-attacks.conf#L599) pack enabled. Also the [TA-OSquery](https://github.com/d1vious/TA-osquery) must be deployed across your indexers and universal forwarders in order to have the osquery data populate the Alerts data model. -annotations = {"cis20": ["CIS 10"], "nist": ["DE.CM"]} -known_false_positives = There might be some false positives as keyboard event taps are used by processes like Siri and Zoom video chat, for some good examples of processes to exclude please see [this](https://github.com/facebook/osquery/pull/5345#issuecomment-454639161) comment. -providing_technologies = null - -[savedsearch://ESCU - Randomly Generated Scheduled Task Name - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following hunting analytic leverages Event ID 4698, `A scheduled task was created`, to identify the creation of a Scheduled Task with a suspicious, high entropy, Task Name. To achieve this, this analytic also leverages the `ut_shannon` function from the URL ToolBox Splunk application. Red teams and adversaries alike may abuse the Task Scheduler to create and start a remote Scheduled Task and obtain remote code execution. To achieve this goal, tools like Impacket or Crapmapexec, typically create a Scheduled Task with a random task name on the victim host. This hunting analytic may help defenders identify Scheduled Tasks created as part of a lateral movement attack. The entropy threshold `ut_shannon > 3` should be customized by users. The Command field can be used to determine if the task has malicious intent or not. -how_to_implement = To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA as well as the URL ToolBox application are also required. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053", "T1053.005"], "nist": ["DE.AE"]} -known_false_positives = Legitimate applications may use random Scheduled Task names. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Randomly Generated Windows Service Name - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following hunting analytic leverages Event ID 7045, `A new service was installed in the system`, to identify the installation of a Windows Service with a suspicious, high entropy, Service Name. To achieve this, this analytic also leverages the `ut_shannon` function from the URL ToolBox Splunk application. Red teams and adversaries alike may abuse the Service Control Manager to create and start a remote Windows Service and obtain remote code execution. To achieve this goal, some tools like Metasploit, Cobalt Strike and Impacket, typically create a Windows Service with a random service name on the victim host. This hunting analytic may help defenders identify Windows Services installed as part of a lateral movement attack. The entropy threshold `ut_shannon > 3` should be customized by users. The Service_File_Name field can be used to determine if the Windows Service has malicious intent or not. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints. The Windows TA as well as the URL ToolBox application are also required. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1543", "T1543.003"], "nist": ["DE.AE"]} -known_false_positives = Legitimate applications may use random Windows Service names. -providing_technologies = null - -[savedsearch://ESCU - Ransomware Notes bulk creation - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytics identifies a big number of instance of ransomware notes (filetype e.g .txt, .html, .hta) file creation to the infected machine. This behavior is a good sensor if the ransomware note filename is quite new for security industry or the ransomware note filename is not in your ransomware lookup table list for monitoring. -how_to_implement = You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1486"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Recon AVProduct Through Pwh or WMI - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies suspicious PowerShell script execution via EventCode 4104 performing checks to identify anti-virus products installed on the endpoint. This technique is commonly found in malware and APT events where the adversary will map all running security applications or services. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Reconnaissance"], "mitre_attack": ["T1592"], "nist": ["DE.CM"]} -known_false_positives = network administrator may used this command for checking purposes -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Recon Using WMI Class - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies suspicious PowerShell via EventCode 4104, where WMI is performing an event query looking for running processes or running services. This technique is commonly found where the adversary will identify services and system information on the compromised machine. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Reconnaissance"], "mitre_attack": ["T1592", "T1059.001"], "nist": ["DE.AE"]} -known_false_positives = network administrator may used this command for checking purposes -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Recursive Delete of Directory In Batch CMD - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search is to detect a suspicious commandline designed to delete files or directory recursive using batch command. This technique was seen in ransomware (reddot) where it it tries to delete the files in recycle bin to impaire user from recovering deleted files. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070.004", "T1070"], "nist": ["DE.CM"]} -known_false_positives = network operator may use this batch command to delete recursively a directory or files within directory -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Reg exe Manipulating Windows Services Registry Keys - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the use of reg.exe to modify registry keys associated with Windows services and their configurations. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This activity is significant because unauthorized changes to service registry keys can indicate an attempt to establish persistence or escalate privileges. If confirmed malicious, this could allow an attacker to control service behavior, potentially leading to unauthorized code execution or system compromise. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.011", "T1574"], "nist": ["DE.CM"]} -known_false_positives = It is unusual for a service to be created or modified by directly manipulating the registry. However, there may be legitimate instances of this behavior. It is important to validate and investigate, as appropriate. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Registry Keys for Creating SHIM Databases - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects registry activity related to the creation of application compatibility shims. It leverages data from the Endpoint.Registry data model, specifically monitoring registry paths associated with AppCompatFlags. This activity is significant because attackers can use shims to bypass security controls, achieve persistence, or escalate privileges. If confirmed malicious, this could allow an attacker to maintain long-term access, execute arbitrary code, or manipulate application behavior, posing a severe risk to the integrity and security of the affected systems. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1546.011", "T1546"], "nist": ["DE.CM"]} -known_false_positives = There are many legitimate applications that leverage shim databases for compatibility purposes for legacy applications -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Registry Keys Used For Persistence - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The search looks for modifications or alterations made to registry keys that have the potential to initiate the launch of an application or service during system startup. By monitoring and detecting modifications in these registry keys, we can identify suspicious or unauthorized changes that could be indicative of malicious activity. This proactive approach helps in safeguarding the system's integrity and security by promptly identifying and mitigating potential threats that aim to gain persistence or execute malicious actions during the startup process. -how_to_implement = To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1547.001", "T1547"], "nist": ["DE.CM"]} -known_false_positives = There are many legitimate applications that must execute on system startup and will use these registry keys to accomplish that task. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Registry Keys Used For Privilege Escalation - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search looks for modifications to registry keys that can be used to elevate privileges. The registry keys under "Image File Execution Options" are used to intercept calls to an executable and can be used to attach malicious binaries to benign system binaries. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1546.012", "T1546"], "nist": ["DE.CM"]} -known_false_positives = There are many legitimate applications that must execute upon system startup and will use these registry keys to accomplish that task. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is to detect a loading of dll using regsvr32 application with silent parameter and dllinstall execution. This technique was seen in several RAT malware similar to remcos, njrat and adversaries to load their malicious DLL on the compromised machine. This TTP may executed by normal 3rd party application so it is better to pivot by the parent process, parent command-line and command-line of the file that execute this regsvr32. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.010"], "nist": ["DE.AE"]} -known_false_positives = Other third part application may used this parameter but not so common in base windows environment. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies Regsvr32.exe utilizing the silent switch to load DLLs. This technique has most recently been seen in IcedID campaigns to load its initial dll that will download the 2nd stage loader that will download and decrypt the config payload. The switch type may be either a hyphen `-` or forward slash `/`. This behavior is typically found with `-s`, and it is possible there are more switch types that may be used. \ During triage, review parallel processes and capture any artifacts that may have landed on disk. Isolate and contain the endpoint as necessary. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.010"], "nist": ["DE.AE"]} -known_false_positives = minimal. but network operator can use this application to load dll. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Remcos client registry install entry - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the presence of a registry key related to the Remcos RAT agent on a host. This detection is made by a Splunk query to search for instances where the registry key "license" is found in the "Software\Remcos" path. This analytic combines information from two data models: Endpoint.Processes and Endpoint.Registry and retrieves process information such as user, process ID, process name, process path, destination, parent process name, parent process, and process GUID. This analytic also retrieves registry information such as registry path, registry key name, registry value name, registry value data, and process GUID. By joining the process GUID from the Endpoint.Processes data model with the process GUID from the Endpoint.Registry data model, the analytic identifies instances where the "license" registry key is found in the "Software\Remcos" path. This detection is important because it suggests that the host has been compromised by the Remcos RAT agent. Remcos is a well-known remote access Trojan that can be used by attackers to gain unauthorized access to systems and exfiltrate sensitive data. Identifying this behavior allows the SOC to take immediate action to remove the RAT agent and prevent further compromise. The impact of this attack can be severe, as the attacker can gain unauthorized access to the system, steal sensitive information, or use the compromised system as a launching point for further attacks. Next steps include using this analytic in conjunction with other security measures and threat intelligence to ensure accurate detection and response. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Remcos RAT File Creation in Remcos Folder - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search is to detect file creation in remcos folder in appdata which is the keylog and clipboard logs that will be send to its c2 server. This is really a good TTP indicator that there is a remcos rat in the system that do keylogging, clipboard grabbing and audio recording. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1113"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Remote Desktop Process Running On System - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search looks for the remote desktop process mstsc.exe running on systems upon which it doesn't typically run. This is accomplished by filtering out all systems that are noted in the `common_rdp_source category` in the Assets and Identity framework. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.AE"]} -known_false_positives = Remote Desktop may be used legitimately by users on the network. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Remote Process Instantiation via DCOM and PowerShell - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic looks for the execution of `powershell.exe` with arguments utilized to start a process on a remote endpoint by abusing the DCOM protocol. Specifically, this search looks for the abuse of ShellExecute and ExecuteShellCommand. Red Teams and adversaries alike may abuse DCOM and `powershell.exe` for lateral movement and remote code execution. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.003"], "nist": ["DE.CM"]} -known_false_positives = Administrators may leverage DCOM to start a process on remote systems, but this activity is usually limited to a small set of hosts or users. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Remote Process Instantiation via DCOM and PowerShell Script Block - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of PowerShell with arguments utilized to start a process on a remote endpoint by abusing the DCOM protocol. Specifically, this search looks for the abuse of ShellExecute and ExecuteShellCommand. Red Teams and adversaries alike may abuse DCOM for lateral movement and remote code execution. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup instructions can be found https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.003"], "nist": ["DE.CM"]} -known_false_positives = Administrators may leverage DCOM to start a process on remote systems, but this activity is usually limited to a small set of hosts or users. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Remote Process Instantiation via WinRM and PowerShell - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic looks for the execution of `powershell.exe` with arguments utilized to start a process on a remote endpoint by abusing the WinRM protocol. Specifically, this search looks for the abuse of the `Invoke-Command` commandlet. Red Teams and adversaries alike may abuse WinRM and `powershell.exe` for lateral movement and remote code execution. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.006"], "nist": ["DE.CM"]} -known_false_positives = Administrators may leverage WinRM and `Invoke-Command` to start a process on remote systems for system administration or automation use cases. However, this activity is usually limited to a small set of hosts or users. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Remote Process Instantiation via WinRM and PowerShell Script Block - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of PowerShell with arguments utilized to start a process on a remote endpoint by abusing the WinRM protocol. Specifically, this search looks for the abuse of the `Invoke-Command` commandlet. Red Teams and adversaries alike may abuse WinRM for lateral movement and remote code execution. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup instructions can be found https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.006"], "nist": ["DE.CM"]} -known_false_positives = Administrators may leverage WinRM and `Invoke-Command` to start a process on remote systems for system administration or automation use cases. This activity is usually limited to a small set of hosts or users. In certain environments, tuning may not be possible. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Remote Process Instantiation via WinRM and Winrs - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic looks for the execution of `winrs.exe` with command-line arguments utilized to start a process on a remote endpoint. Red Teams and adversaries alike may abuse the WinRM protocol and this binary for lateral movement and remote code execution. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.006"], "nist": ["DE.CM"]} -known_false_positives = Administrators may leverage WinRM and WinRs to start a process on remote systems, but this activity is usually limited to a small set of hosts or users. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Remote Process Instantiation via WMI - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the execution of wmic.exe with parameters to spawn a process on a remote system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process telemetry mapped to the `Processes` node of the `Endpoint` data model. This activity is significant as WMI can be abused for lateral movement and remote code execution, often used by adversaries and Red Teams. If confirmed malicious, this could allow attackers to execute arbitrary code on remote systems, facilitating further compromise and lateral spread within the network. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]} -known_false_positives = The wmic.exe utility is a benign Windows application. It may be used legitimately by Administrators with these parameters for remote system administration, but it's relatively uncommon. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Remote Process Instantiation via WMI and PowerShell - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic looks for the execution of `powershell.exe` leveraging the `Invoke-WmiMethod` commandlet complemented with arguments utilized to start a process on a remote endpoint by abusing WMI. Red Teams and adversaries alike may abuse WMI and `powershell.exe` for lateral movement and remote code execution. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]} -known_false_positives = Administrators may leverage WWMI and powershell.exe to start a process on remote systems, but this activity is usually limited to a small set of hosts or users. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Remote Process Instantiation via WMI and PowerShell Script Block - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Invoke-WmiMethod` commandlet with arguments utilized to start a process on a remote endpoint by abusing WMI. Red Teams and adversaries alike may abuse WMI and this commandlet for lateral movement and remote code execution. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup instructions can be found https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]} -known_false_positives = Administrators may leverage WWMI and powershell.exe to start a process on remote systems, but this activity is usually limited to a small set of hosts or users. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Remote System Discovery with Adsisearcher - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain computers. Red Teams and adversaries may leverage `[Adsisearcher]` to enumerate domain computers for situational awareness and Active Directory Discovery. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]} -known_false_positives = Administrators or power users may use Adsisearcher for troubleshooting. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Remote System Discovery with Dsquery - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic looks for the execution of `dsquery.exe` with command-line arguments utilized to discover remote systems. The `computer` argument returns a list of all computers registered in the domain. Red Teams and adversaries alike engage in remote system discovery for situational awareness and Active Directory Discovery. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.AE"]} -known_false_positives = Administrators or power users may use this command for troubleshooting. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Remote System Discovery with Net - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic looks for the execution of `net.exe` or `net1.exe` with command-line arguments utilized to discover remote systems. The argument `domain computers /domain` returns a list of all domain computers. Red Teams and adversaries alike use net.exe to identify remote systems for situational awareness and Active Directory Discovery. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.AE"]} -known_false_positives = Administrators or power users may use this command for troubleshooting. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Remote System Discovery with Wmic - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to discover remote systems. The arguments utilized in this command return a list of all the systems registered in the domain. Red Teams and adversaries alike may leverage WMI and wmic.exe to identify remote systems for situational awareness and Active Directory Discovery. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]} -known_false_positives = Administrators or power users may use this command for troubleshooting. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Remote WMI Command Attempt - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies usage of `wmic.exe` spawning a local or remote process, identified by the `node` switch. During triage, review parallel processes for additional commands executed. Look for any file modifications before and after `wmic.exe` execution. In addition, identify the remote endpoint and confirm execution or file modifications. Contain and isolate the endpoint as needed. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]} -known_false_positives = Administrators may use this legitimately to gather info from remote systems. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Resize ShadowStorage volume - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytics identifies the resizing of shadowstorage by ransomware malware to avoid the shadow volumes being made again. this technique is an alternative by ransomware attacker than deleting the shadowstorage which is known alert in defensive team. one example of ransomware that use this technique is CLOP ransomware where it drops a .bat file that will resize the shadowstorage to minimum size as much as possible -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]} -known_false_positives = network admin can resize the shadowstorage for valid purposes. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Revil Common Exec Parameter - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the execution of command-line parameters commonly associated with REVIL ransomware, such as "-nolan", "-nolocal", "-fast", and "-full". It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs mapped to the `Processes` node of the `Endpoint` data model. This activity is significant because these parameters are indicative of ransomware attempting to encrypt files on a compromised machine. If confirmed malicious, this could lead to widespread data encryption, rendering critical files inaccessible and potentially causing significant operational disruption. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.CM"]} -known_false_positives = third party tool may have same command line parameters as revil ransomware. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Revil Registry Entry - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic identifies suspicious modification in registry entry to keep some malware data during its infection. This technique seen in several apt implant, malware and ransomware like REVIL where it keep some information like the random generated file extension it uses for all the encrypted files and ransomware notes file name in the compromised host. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Rubeus Command Line Parameters - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = Rubeus is a C# toolset for raw Kerberos interaction and abuses. It is heavily adapted from Benjamin Delpys Kekeo project and Vincent LE TOUXs MakeMeEnterpriseAdmin project. This analytic looks for the use of Rubeus command line arguments utilized in common Kerberos attacks like exporting and importing tickets, forging silver and golden tickets, requesting a TGT or TGS, kerberoasting, password spraying, etc. Red teams and adversaries alike use Rubeus for Kerberos attacks within Active Directory networks. Defenders should be aware that adversaries may customize the source code of Rubeus and modify the command line parameters. This would effectively bypass this analytic. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1550", "T1550.003", "T1558", "T1558.003", "T1558.004"], "nist": ["DE.CM"]} -known_false_positives = Although unlikely, legitimate applications may use the same command line parameters as Rubeus. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Rubeus Kerberos Ticket Exports Through Winlogon Access - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic looks for a process accessing the winlogon.exe system process. The Splunk Threat Research team identified this behavior when using the Rubeus tool to monitor for and export kerberos tickets from memory. Before being able to export tickets. Rubeus will try to escalate privileges to SYSTEM by obtaining a handle to winlogon.exe before trying to monitor for kerberos tickets. Exporting tickets from memory is typically the first step for pass the ticket attacks. Red teams and adversaries alike may use the pass the ticket technique using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Defenders should be aware that adversaries may customize the source code of Rubeus to potentially bypass this analytic. -how_to_implement = This search needs Sysmon Logs and a sysmon configuration, which includes EventCode 10. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1550", "T1550.003"], "nist": ["DE.CM"]} -known_false_positives = Legitimate applications may obtain a handle for winlogon.exe. Filter as needed -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Runas Execution in CommandLine - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic look for a spawned runas.exe process with a administrator user option parameter. This parameter was abused by adversaries, malware author or even red teams to gain elevated privileges in target host. This is a good hunting query to figure out privilege escalation tactics that may used for different stages like lateral movement but take note that administrator may use this command in purpose so its better to see other event context before and after this analytic. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134", "T1134.001"], "nist": ["DE.AE"]} -known_false_positives = A network operator or systems administrator may utilize an automated or manual execute this command that may generate false positives. filter is needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Rundll32 Control RunDLL Hunt - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following hunting detection identifies rundll32.exe with `control_rundll` within the command-line, loading a .cpl or another file type. Developed in relation to CVE-2021-40444. Rundll32.exe can also be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. \ This is written to be a bit more broad by not including .cpl. \ During triage, review parallel processes to identify any further suspicious behavior. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.AE"]} -known_false_positives = This is a hunting detection, meant to provide a understanding of how voluminous control_rundll is within the environment. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Rundll32 Control RunDLL World Writable Directory - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following detection identifies rundll32.exe with `control_rundll` within the command-line, loading a .cpl or another file type from windows\temp, programdata, or appdata. Developed in relation to CVE-2021-40444. Rundll32.exe can also be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. This is written to be a bit more broad by not including .cpl. The paths are specified, add more as needed. During triage, review parallel processes to identify any further suspicious behavior. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} -known_false_positives = This may be tuned, or a new one related, by adding .cpl to command-line. However, it's important to look for both. Tune/filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Rundll32 Create Remote Thread To A Process - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic identifies the suspicious Remote Thread execution of rundll32.exe to any process. This technique was seen in IcedID malware to execute its malicious code in normal process for defense evasion and to steal sensitive information in the compromised host. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the SourceImage, TargetImage, and EventCode executions from your endpoints related to create remote thread or injecting codes. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Rundll32 CreateRemoteThread In Browser - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic identifies the suspicious Remote Thread execution of rundll32.exe process to "firefox.exe" and "chrome.exe" browser. This technique was seen in IcedID malware where it hooks the browser to parse banking information as user used the targetted browser process. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the SourceImage, TargetImage, and EventCode executions from your endpoints related to create remote thread or injecting codes. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Rundll32 DNSQuery - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search is to detect a suspicious rundll32.exe process having a http connection and do a dns query in some web domain. This technique was seen in IcedID malware where the rundll32 that execute its payload will contact amazon.com to check internet connect and to communicate to its C&C server to download config and other file component. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and eventcode = 22 dnsquery executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Rundll32 LockWorkStation - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search is to detect a suspicious rundll32 commandline to lock the workstation through command line. This technique was seen in CONTI leak tooling and script as part of its defense evasion. This technique is not a common practice to lock a screen and maybe a good indicator of compromise. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Rundll32 Process Creating Exe Dll Files - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search is to detect a suspicious rundll32 process that drops executable (.exe or .dll) files. This behavior seen in rundll32 process of IcedID that tries to drop copy of itself in temp folder or download executable drop it either appdata or programdata as part of its execution. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, TargetFilename, and eventcode 11 executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Rundll32 Shimcache Flush - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is to detect a suspicious rundll32 commandline to clear shim cache. This technique is a anti-forensic technique to clear the cache taht are one important artifacts in terms of digital forensic during attacks or incident. This TTP is a good indicator that someone tries to evade some tools and clear foothold on the machine. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Rundll32 with no Command Line Arguments with Network - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies rundll32.exe with no command line arguments and performing a network connection. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, triage any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} -known_false_positives = Although unlikely, some legitimate applications may use a moved copy of rundll32, triggering a false positive. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - RunDLL Loading DLL By Ordinal - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies rundll32.exe loading an export function by ordinal value. Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly, may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Utilizing ordinal values makes it a bit more complicated for analysts to understand the behavior until the DLL is reviewed. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} -known_false_positives = False positives are possible with native utilities and third party applications. Filtering may be needed based on command-line, or add world writeable paths to restrict query. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Ryuk Test Files Detected - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the presence of files containing the keyword "Ryuk" in any folder on the C drive, indicative of Ryuk ransomware activity. It leverages the Endpoint Filesystem data model to detect file paths matching this pattern. This activity is significant as Ryuk ransomware is known for its destructive impact, encrypting critical files and demanding ransom. If confirmed malicious, this could lead to significant data loss, operational disruption, and financial damage due to ransom payments and recovery efforts. Immediate investigation and response are crucial to mitigate potential damage. -how_to_implement = You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint Filesystem data-model object. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1486"], "nist": ["DE.CM"]} -known_false_positives = If there are files with this keywoord as file names it might trigger false possitives, please make use of our filters to tune out potential FPs. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Ryuk Wake on LAN Command - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This Splunk query identifies the use of Wake-on-LAN utilized by Ryuk ransomware. The Ryuk Ransomware uses the Wake-on-Lan feature to turn on powered off devices on a compromised network to have greater success encrypting them. This is a high fidelity indicator of Ryuk ransomware executing on an endpoint. Upon triage, isolate the endpoint. Additional file modification events will be within the users profile (\appdata\roaming) and in public directories (users\public\). Review all Scheduled Tasks on the isolated endpoint and across the fleet. Suspicious Scheduled Tasks will include a path to a unknown binary and those endpoints should be isolated until triaged. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.003"], "nist": ["DE.CM"]} -known_false_positives = Limited to no known false positives. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - SAM Database File Access Attempt - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies access to SAM, SYSTEM or SECURITY databases' within the file path of `windows\system32\config` using Windows Security EventCode 4663. This particular behavior is related to credential access, an attempt to either use a Shadow Copy or recent CVE-2021-36934 to access the SAM database. The Security Account Manager (SAM) is a database file in Windows XP, Windows Vista, Windows 7, 8.1 and 10 that stores users' passwords. -how_to_implement = To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.AE"]} -known_false_positives = Natively, `dllhost.exe` will access the files. Every environment will have additional native processes that do as well. Filter by process_name. As an aside, one can remove process_name entirely and add `Object_Name=*ShadowCopy*`. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Samsam Test File Write - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the creation of a file named "test.txt" within the Windows system directory, indicative of Samsam ransomware propagation. It leverages file-system activity data from the Endpoint data model, specifically monitoring file paths within the Windows System32 directory. This activity is significant as it aligns with known Samsam ransomware behavior, which uses such files for propagation and execution. If confirmed malicious, this could lead to ransomware deployment, resulting in data encryption, system disruption, and potential data loss. Immediate investigation and remediation are crucial to prevent further damage. -how_to_implement = You must be ingesting data that records the file-system activity from your hosts to populate the Endpoint file-system data-model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1486"], "nist": ["DE.CM"]} -known_false_positives = No false positives have been identified. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Sc exe Manipulating Windows Services - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the creation or modification of Windows services using the sc.exe command. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because manipulating Windows services can be a method for attackers to establish persistence, escalate privileges, or execute arbitrary code. If confirmed malicious, this behavior could allow an attacker to maintain long-term access, disrupt services, or gain control over critical system functions, posing a severe threat to the environment. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1543.003", "T1543"], "nist": ["DE.CM"]} -known_false_positives = Using sc.exe to manipulate Windows services is uncommon. However, there may be legitimate instances of this behavior. It is important to validate and investigate as appropriate. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - SchCache Change By App Connect And Create ADSI Object - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is to detect an application try to connect and create ADSI Object to do LDAP query. Every time an application connects to the directory and attempts to create an ADSI object, the Active Directory Schema is checked for changes. If it has changed since the last connection, the schema is downloaded and stored in a cache on the local computer either in %LOCALAPPDATA%\Microsoft\Windows\SchCache or %systemroot%\SchCache. We found this a good anomaly use case to detect suspicious application like blackmatter ransomware that use ADS object api to execute ldap query. having a good list of ldap or normal AD query tool used within the network is a good start to reduce the noise. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.AE"]} -known_false_positives = normal application like mmc.exe and other ldap query tool may trigger this detections. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Schedule Task with HTTP Command Arguments - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the registration of suspicious tasks on Windows using the Windows Security EventCode 4698, "A scheduled task was created." It specifically looks for tasks registered through schtasks.exe or TaskService that have command arguments containing the string "HTTP." This behavior is often associated with malware or attacks that utilize Living off the Land binaries (lolbins) to download additional files or payloads to the compromised machine. \ -The search returns information about the task, such as the task name, command, author, enabled status, hidden status, and arguments. Upon triage, it is important to identify the source of the scheduled task, whether it was registered through schtasks.exe or TaskService. Review the details of the created task and the command to be executed. Capture relevant artifacts on disk and examine them. Additionally, identify any parallel processes occurring within the same timeframe to determine the source of the attack. \ -Implementing this analytic requires ingesting logs with information about task schedules, specifically Windows Security Log EventCode 4698, from your endpoints. It is recommended to tune and filter known instances of task schedules used in your environment to minimize false positives. \ -Detecting the registration of suspicious tasks with HTTP command arguments is valuable for a SOC as it indicates potential malicious activity or an attempt to establish persistence on the system. If a true positive is found, further investigation is warranted to analyze the nature and purpose of the scheduled task, identify any downloaded files or payloads, and mitigate the associated risks. The impact of a true positive can vary but may include data exfiltration, malware propagation, or unauthorized access to sensitive information. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the task schedule (Exa. Security Log EventCode 4698) endpoints. Tune and filter known instances of Task schedule used in your environment. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Schedule Task with Rundll32 Command Trigger - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the creation of suspicious tasks in Windows, specifically tasks using the rundll32 command. It's implemented using Windows Security EventCode 4698 for A scheduled task was created, and looks for tasks executed either via schtasks.exe or TaskService. This behavior is worth identifying as it is commonly used by malware, such as TrickBot, that leverages rundll32 to execute its downloader. \ -If a true positive is found, it suggests an attacker is trying to persist within the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. \ -To implement this analytic, ensure you are ingesting logs with task schedule information from your endpoints. Be aware of potential false positives - legitimate uses of Task Scheduler in your environment may cause benign activities to be flagged. \ -Upon triage, review the scheduled task's source and the command to be executed. Capture and inspect any relevant on-disk artifacts, and look for concurrent processes to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the task schedule (Exa. Security Log EventCode 4698) endpoints. Tune and filter known instances of Task schedule used in your environment. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Scheduled Task Creation on Remote Endpoint using At - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the creation of suspicious tasks on a remote Windows endpoint using the at.exe command with command-line arguments. This technique is commonly used by red teams and adversaries for lateral movement and remote code execution. The at.exe binary leverages the deprecated AT protocol, which may still work on previous versions of Windows. Attackers can enable this protocol on demand by modifying a system registry key. It is important to consider potential false positives. While administrators may create scheduled tasks on remote systems, this activity is typically limited to a small set of hosts or users. \ -Identifying the creation of scheduled tasks on remote endpoints is crucial for a Security Operations Center (SOC) because it indicates potential unauthorized activity or an attacker attempting to establish persistence or execute malicious code. The impact of a true positive can be significant, leading to unauthorized access, data theft, or other damaging outcomes. During triage, investigate the source and purpose of the scheduled task, inspect relevant on-disk artifacts, and analyze concurrent processes to identify the extent of the attack and take appropriate response actions. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053", "T1053.002"], "nist": ["DE.CM"]} -known_false_positives = Administrators may create scheduled tasks on remote systems, but this activity is usually limited to a small set of hosts or users. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Scheduled Task Deleted Or Created via CMD - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic focuses on identifying the creation or deletion of scheduled tasks using the schtasks.exe utility with the corresponding command-line flags (-create or -delete). This technique has been notably associated with threat actors like Dragonfly and the SUNBURST attack against SolarWinds. The purpose of this analytic is to detect suspicious activity related to scheduled tasks that could indicate malicious intent or unauthorized system manipulation. By monitoring for these specific command-line flags, we can enhance our ability to identify potential threats and prevent attacks similar to the use of scheduled tasks in the BadRabbit Ransomware incident. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} -known_false_positives = While it is possible for legitimate scripts or administrators to trigger this behavior, filtering can be applied based on the parent process and application to reduce false positives. Analysts should reference the provided references to understand the context and threat landscape associated with this activity. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Scheduled Task Initiation on Remote Endpoint - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects instances of 'schtasks.exe' being used to start a Scheduled Task on a remote endpoint. Adversaries often abuse the Task Scheduler for lateral movement and remote code execution. The search parameters include process details such as the process name, parent process, and command-line executions. Although legitimate administrators may start scheduled tasks on remote systems, this activity is usually limited to a small set of hosts or users. The findings from this analytic provide valuable insight into potentially malicious activities on an endpoint. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053", "T1053.005"], "nist": ["DE.CM"]} -known_false_positives = Administrators may start scheduled tasks on remote systems, but this activity is usually limited to a small set of hosts or users. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Schtasks Run Task On Demand - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic is designed to detect when a Windows Scheduled Task is executed on demand via shell or command line. Adversaries often force the execution of their created Scheduled Tasks for persistent access or lateral movement within a compromised machine. This analytic is driven by process-related data, specifically process name, parent process, and command-line executions, sourced from endpoint logs. The search criteria focus on 'schtasks.exe' with an associated 'run' command. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053"], "nist": ["DE.CM"]} -known_false_positives = Bear in mind, administrators debugging Scheduled Task entries may trigger this analytic, necessitating fine-tuning and filtering to distinguish between legitimate and potentially malicious use of 'schtasks.exe'. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Schtasks scheduling job on remote system - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic is designed to detect suspicious command-line arguments executed through 'schtasks.exe' to create a scheduled task on a remote endpoint. The analytic scans process data, checking for instances where 'schtasks.exe' has been used with specific command-line flags that suggest an attempt at lateral movement or remote code execution, common techniques employed by adversaries and red teams. Key data points include the process name, the specific command line used, the parent process name, the target destination, and the user involved. Also, timestamp data gives context to when these activities occurred. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} -known_false_positives = While it is possible to have false positives, due to legitimate administrative tasks, these are usually limited and should still be validated and investigated as appropriate. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Schtasks used for forcing a reboot - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic utilizes a Splunk query to pinpoint potential threats by monitoring the 'schtasks.exe' command-line usage. This particular command, especially when used in tandem with 'shutdown' and '/create' flags, can suggest an adversarial force intending to schedule unwarranted system reboots. The query focuses on endpoint process data and retrieves details such as the process name, the parent process name, the destination, and the user involved. Essential to the investigation are the earliest and latest timestamps of these events, providing an activity timeline. Data such as the targeted host and initiating user offer valuable context for analyst. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} -known_false_positives = This analytic may also capture legitimate administrative activities such as system updates or maintenance tasks, which can be classified as false positives. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Screensaver Event Trigger Execution - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is developed to detect possible event trigger execution through screensaver registry entry modification for persistence or privilege escalation. This technique was seen in several APT and malware where they put the malicious payload path to the SCRNSAVE.EXE registry key to redirect the execution to their malicious payload path. This TTP is a good indicator that some attacker may modify this entry for their persistence and privilege escalation. -how_to_implement = To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1546", "T1546.002"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Script Execution via WMI - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects any potential misuse of Windows Management Instrumentation (WMI) for malicious purposes since adversaries often use WMI to run scripts which allows them to carry out malicious activities without raising suspicion. The detection is made by monitoring the process 'scrcons.exe', which is essential to run WMI scripts. The detection is important because it proactively identifies and responds to potential threats that leverage WMI for malicious purposes that can lead to system compromise, data exfiltration, or the establishment of persistence within the environment. False positives might occur since administrators might occasionally use WMI to launch scripts for legitimate purposes. Therefore, you must distinguish between malicious and benign activities. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]} -known_false_positives = Although unlikely, administrators may use wmi to launch scripts for legitimate purposes. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Sdclt UAC Bypass - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search is to detect a suspicious sdclt.exe registry modification. This technique is commonly seen when attacker try to bypassed UAC by using sdclt.exe application by modifying some registry that sdclt.exe tries to open or query with payload file path on it to be executed. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]} -known_false_positives = Limited to no false positives are expected. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Sdelete Application Execution - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is to detect the execution of sdelete.exe application sysinternal tools. This tool is one of the most use tool of malware and adversaries to remove or clear their tracks and artifact in the targetted host. This tool is designed to delete securely a file in file system that remove the forensic evidence on the machine. A good TTP query to check why user execute this application which is not a common practice. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.CM"]} -known_false_positives = user may execute and use this application -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - SearchProtocolHost with no Command Line with Network - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies searchprotocolhost.exe with no command line arguments and with a network connection. It is unusual for searchprotocolhost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. searchprotocolhost.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} -known_false_positives = Limited false positives may be present in small environments. Tuning may be required based on parent process. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - SecretDumps Offline NTDS Dumping Tool - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects a potential usage of secretsdump.py tool for dumping credentials (ntlm hash) from a copy of ntds.dit and SAM.Security,SYSTEM registrry hive. This technique was seen in some attacker that dump ntlm hashes offline after having a copy of ntds.dit and SAM/SYSTEM/SECURITY registry hive. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - ServicePrincipalNames Discovery with PowerShell - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies `powershell.exe` usage, using Script Block Logging EventCode 4104, related to querying the domain for Service Principle Names. typically, this is a precursor activity related to kerberoasting or the silver ticket attack. \ -What is a ServicePrincipleName? \ -A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account even if the client does not have the account name. \ -The following analytic identifies the use of KerberosRequestorSecurityToken class within the script block. Using .NET System.IdentityModel.Tokens.KerberosRequestorSecurityToken class in PowerShell is the equivelant of using setspn.exe. \ -During triage, review parallel processes for further suspicious activity. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558.003"], "nist": ["DE.CM"]} -known_false_positives = False positives should be limited, however filter as needed. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - ServicePrincipalNames Discovery with SetSPN - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies `setspn.exe` usage related to querying the domain for Service Principle Names. typically, this is a precursor activity related to kerberoasting or the silver ticket attack. \ -What is a ServicePrincipleName? \ -A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account even if the client does not have the account name. \ -Example usage includes the following \ -* setspn -T offense -Q */* 1. setspn -T attackrange.local -F -Q MSSQLSvc/* 1. setspn -Q */* > allspns.txt 1. setspn -q \ -Values \ -* -F = perform queries at the forest, rather than domain level 1. -T = perform query on the specified domain or forest (when -F is also used) 1. -Q = query for existence of SPN \ -During triage, review parallel processes for further suspicious activity. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558.003"], "nist": ["DE.CM"]} -known_false_positives = False positives may be caused by Administrators resetting SPNs or querying for SPNs. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Services Escalate Exe - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the use of `svc-exe` with Cobalt Strike. The behavior typically follows after an adversary has already gained initial access and is escalating privileges. Using `svc-exe`, a randomly named binary will be downloaded from the remote Teamserver and placed on disk within `C:\Windows\400619a.exe`. Following, the binary will be added to the registry under key `HKLM\System\CurrentControlSet\Services\400619a\` with multiple keys and values added to look like a legitimate service. Upon loading, `services.exe` will spawn the randomly named binary from `\\127.0.0.1\ADMIN$\400619a.exe`. The process lineage is completed with `400619a.exe` spawning rundll32.exe, which is the default `spawnto_` value for Cobalt Strike. The `spawnto_` value is arbitrary and may be any process on disk (typically system32/syswow64 binary). The `spawnto_` process will also contain a network connection. During triage, review parallel procesess and identify any additional file modifications. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548"], "nist": ["DE.CM"]} -known_false_positives = False positives should be limited as `services.exe` should never spawn a process from `ADMIN$`. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Services LOLBAS Execution Process Spawn - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies `services.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Service Control Manager and creating a remote malicious service, the executed command is spawned as a child process of `services.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of services.exe that are part of the LOLBAS project can help defenders identify lateral movement activity. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1543", "T1543.003"], "nist": ["DE.CM"]} -known_false_positives = Legitimate applications may trigger this behavior, filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects changes to the PowerShell ExecutionPolicy in the registry to "Unrestricted" or "Bypass." It leverages data from Endpoint Detection and Response (EDR) agents, focusing on registry modifications under the path *Software\Microsoft\Powershell\1\ShellIds\Microsoft.PowerShell*. This activity is significant because setting the ExecutionPolicy to these values can allow the execution of potentially malicious scripts without restriction. If confirmed malicious, this could enable an attacker to execute arbitrary code, leading to further compromise of the system and potential escalation of privileges. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} -known_false_positives = Administrators may attempt to change the default execution policy on a system for a variety of reasons. However, setting the policy to "unrestricted" or "bypass" as this search is designed to identify, would be unusual. Hits should be reviewed and investigated as appropriate. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Shim Database File Creation - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search looks for shim database files being written to default directories. The sdbinst.exe application is used to install shim database files (.sdb). According to Microsoft, a shim is a small library that transparently intercepts an API, changes the parameters passed, handles the operation itself, or redirects the operation elsewhere. -how_to_implement = You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1546.011", "T1546"], "nist": ["DE.CM"]} -known_false_positives = Because legitimate shim files are created and used all the time, this event, in itself, is not suspicious. However, if there are other correlating events, it may warrant further investigation. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Shim Database Installation With Suspicious Parameters - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search detects the process execution and arguments required to silently create a shim database. The sdbinst.exe application is used to install shim database files (.sdb). A shim is a small library which transparently intercepts an API, changes the parameters passed, handles the operation itself, or redirects the operation elsewhere. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1546.011", "T1546"], "nist": ["DE.CM"]} -known_false_positives = None identified -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Short Lived Scheduled Task - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic utilizes Windows Security EventCode 4698, "A scheduled task was created," and EventCode 4699, "A scheduled task was deleted," to identify scheduled tasks that are created and deleted within a short time frame of less than 30 seconds. This behavior is indicative of a potential lateral movement attack where the Task Scheduler is abused to achieve code execution. Both red teams and adversaries may exploit the Task Scheduler for lateral movement and remote code execution. \ -To implement this analytic, ensure that you are ingesting Windows Security Event Logs with EventCode 4698 enabled. Additionally, the Windows TA (Technology Add-on) is required to parse and extract the necessary information from the logs. \ -It's important to note that while uncommon, legitimate applications may create and delete scheduled tasks within a short duration. Analysts should filter the results based on the specific context and environment to reduce false positives. \ -Identifying short-lived scheduled tasks is valuable for a SOC as it can indicate malicious activities attempting to move laterally or execute unauthorized code on Windows systems. By detecting and investigating these events, security analysts can respond promptly to prevent further compromise and mitigate potential risks. The impact of a true positive could range from unauthorized access to data exfiltration or the execution of malicious payloads. -how_to_implement = To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA is also required. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.005"], "nist": ["DE.CM"]} -known_false_positives = Although uncommon, legitimate applications may create and delete a Scheduled Task within 30 seconds. Filter as needed. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Short Lived Windows Accounts - Rule] -type = detection -asset_type = Windows -confidence = medium -explanation = The following analytic detects the creation and deletion of accounts in a short time period to identify potential threats earlier and take appropriate actions to mitigate the risks. Helps prevent or minimize the potential damage caused by unauthorized access or malicious activities within the environment. This detection is made by a Splunk query that searches for events with the result IDs 4720 and 4726 in the "Change" data model. The query then groups the results by time, user, and destination. The result is filtered to only include events with the specified result IDs. The "transaction" command is used to group events that occur within a specified time span and have the same user but are not connected. Finally, the relevant information such as the first and last time of the event, the count, user, destination, and result ID are displayed in a table. This detection is important because it suggests that an attacker is attempting to create and delete accounts rapidly, potentially to cover their tracks or gain unauthorized access. The impact of such an attack can include unauthorized access to sensitive data, privilege escalation, or the ability to carry out further malicious activities within the environment. Next steps include investigating the events flagged by the analytic, review the account creation and deletion activities, and analyze any associated logs or artifacts to determine the intent and impact of the attack. -how_to_implement = This search requires you to have enabled your Group Management Audit Logs in your Local Windows Security Policy and be ingesting those logs. More information on how to enable them can be found here: http://whatevernetworks.com/auditing-group-membership-changes-in-active-directory/ -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.CM"]} -known_false_positives = It is possible that an administrator created and deleted an account in a short time period. Verifying activity with an administrator is advised. -providing_technologies = null - -[savedsearch://ESCU - SilentCleanup UAC Bypass - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search is to detect a suspicious modification of registry that may related to UAC bypassed. This registry will be trigger once the attacker abuse the silentcleanup task schedule to gain high privilege execution that will bypass User control account. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Single Letter Process On Endpoint - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects a behavior where a process name consists only of a single letter that helps to detect potential threats earlier and mitigate the risks. This detection is important because it indicates the presence of malware or an attacker attempting to evade detection by using a process name that is difficult to identify or track so that he can carry out malicious activities such as data theft or ransomware attacks. False positives might occur since there might be legitimate uses of single-letter process names in your environment. Next steps include reviewing the process details and investigating any suspicious activity upon triage. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204", "T1204.002"], "nist": ["DE.CM"]} -known_false_positives = Single-letter executables are not always malicious. Investigate this activity with your normal incident-response process. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - SLUI RunAs Elevated - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the Microsoft Software Licensing User Interface Tool, `slui.exe`, elevating access using the `-verb runas` function. This particular bypass utilizes a registry key/value. Identified by two sources, the registry keys are `HKCU\Software\Classes\exefile\shell` and `HKCU\Software\Classes\launcher.Systemsettings\Shell\open\command`. To simulate this behavior, multiple POC are available. The analytic identifies the use of `runas` by `slui.exe`. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]} -known_false_positives = Limited false positives should be present as this is not commonly used by legitimate applications. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - SLUI Spawning a Process - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the Microsoft Software Licensing User Interface Tool, `slui.exe`, spawning a child process. This behavior is associated with publicly known UAC bypass. `slui.exe` is commonly associated with software updates and is most often spawned by `svchost.exe`. The `slui.exe` process should not have child processes, and any processes spawning from it will be running with elevated privileges. During triage, review the child process and additional parallel processes. Identify any file modifications that may have lead to the bypass. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]} -known_false_positives = Certain applications may spawn from `slui.exe` that are legitimate. Filtering will be needed to ensure proper monitoring. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Spike in File Writes - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects a sharp increase in the number of files written to a specific host. It leverages the Endpoint.Filesystem data model, focusing on 'created' actions and comparing current file write counts against historical averages and standard deviations. This activity is significant as a sudden spike in file writes can indicate malicious activities such as ransomware encryption or data exfiltration. If confirmed malicious, this behavior could lead to significant data loss, system compromise, or further propagation of malware within the network. -how_to_implement = In order to implement this search, you must populate the Endpoint file-system data model node. This is typically populated via endpoint detection and response product, such as Carbon Black or endpoint data sources such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the file system. -annotations = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -known_false_positives = It is important to understand that if you happen to install any new applications on your hosts or are copying a large number of files, you can expect to see a large increase of file modifications. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Spoolsv Spawning Rundll32 - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a suspicious child process, `rundll32.exe`, with no command-line arguments being spawned from `spoolsv.exe`. This was identified during our testing of CVE-2021-34527 previously (CVE-2021-1675) or PrintNightmare. Typically, this is not normal behavior for `spoolsv.exe` to spawn a process. During triage, isolate the endpoint and review for source of exploitation. Capture any additional file modification events. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]} -known_false_positives = Limited false positives have been identified. There are limited instances where `rundll32.exe` may be spawned by a legitimate print driver. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Spoolsv Suspicious Loaded Modules - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the suspicious loading of DLLs by spoolsv.exe, potentially indicating PrintNightmare exploitation. It leverages Sysmon EventCode 7 to identify instances where spoolsv.exe loads multiple DLLs from the Windows System32 spool drivers x64 directory. This activity is significant as it may signify an attacker exploiting the PrintNightmare vulnerability to execute arbitrary code. If confirmed malicious, this could lead to unauthorized code execution, privilege escalation, and persistent access within the environment, posing a severe security risk. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Spoolsv Suspicious Process Access - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic identifies a suspicious behavior related to PrintNightmare, or CVE-2021-34527 previously (CVE-2021-1675), to gain privilege escalation on the vulnerable machine. This exploit attacks a critical Windows Print Spooler Vulnerability to elevate privilege. This detection is to look for suspicious process access made by the spoolsv.exe that may related to the attack. -how_to_implement = To successfully implement this search, you need to be ingesting logs with process access event where SourceImage, TargetImage, GrantedAccess and CallTrace executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of spoolsv.exe. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]} -known_false_positives = Unknown. Filter as needed. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Spoolsv Writing a DLL - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a `.dll` being written by `spoolsv.exe`. This was identified during our testing of CVE-2021-34527 previously (CVE-2021-1675) or PrintNightmare. Typically, this is not normal behavior for `spoolsv.exe` to write a `.dll`. Current POC code used will write the suspicious DLL to disk within a path of `\spool\drivers\x64\`. During triage, isolate the endpoint and review for source of exploitation. Capture any additional file modification events. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]} -known_false_positives = Unknown. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Spoolsv Writing a DLL - Sysmon - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a `.dll` being written by `spoolsv.exe`. This was identified during our testing of CVE-2021-34527 previously(CVE-2021-1675) or PrintNightmare. Typically, this is not normal behavior for `spoolsv.exe` to write a `.dll`. Current POC code used will write the suspicious DLL to disk within a path of `\spool\drivers\x64\`. During triage, isolate the endpoint and review for source of exploitation. Capture any additional file modification events. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]} -known_false_positives = Limited false positives. Filter as needed. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Sqlite Module In Temp Folder - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search is to detect a suspicious file creation of sqlite3.dll in %temp% folder. This behavior was seen in IcedID malware where it download sqlite module to parse browser database like for chrome or firefox to stole browser information related to bank, credit card or credentials. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1005"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Steal or Forge Authentication Certificates Behavior Identified - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This correlation rule focuses on detecting potential threats associated with MITRE ATT&CK T1649 (Steal or Forge Authentication Certificates). The rule is designed to identify instances where 5 or more analytics related to Windows Certificate Services analytic story that are triggered within a specified time frame, which may indicate a potential attack in progress. By aggregating these analytics, security teams can swiftly respond to and investigate any suspicious activities, enhancing their ability to protect critical assets and prevent unauthorized access to sensitive information. -how_to_implement = The Windows Certificate Services analytic story must have 5 or more analytics enabled. In addition, ensure data is being logged that is required. Modify the correlation as needed based on volume of noise related to the other analytics. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1649"], "nist": ["DE.AE"]} -known_false_positives = False positives may be present based on automated tooling or system administrators. Filter as needed. -providing_technologies = null - -[savedsearch://ESCU - Sunburst Correlation DLL and Network Event - Rule] -type = detection -asset_type = Windows -confidence = medium -explanation = The following analytic identifies the loading of the malicious SolarWinds.Orion.Core.BusinessLayer.dll by SolarWinds.BusinessLayerHost.exe and subsequent DNS queries to avsvmcloud.com. It uses Sysmon Event ID 7 for DLL loading and Event ID 22 for DNS queries, correlating these events within a 12-14 day period. This activity is significant as it indicates potential Sunburst malware infection, a known supply chain attack. If confirmed malicious, this could lead to unauthorized network access, data exfiltration, and further compromise of the affected systems. -how_to_implement = This detection relies on sysmon logs with the Event ID 7, Driver loaded. Please tune your sysmon config that you DriverLoad event for SolarWinds.Orion.Core.BusinessLayer.dll is captured by Sysmon. Additionally, you need sysmon logs for Event ID 22, DNS Query. We suggest to run this detection at least once a day over the last 14 days. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1203"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Suspicious Computer Account Name Change - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = As part of the sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287) exploitation chain, adversaries need to create a new computer account name and rename it to match the name of a domain controller account without the ending '$'. In Windows Active Directory environments, computer account names always end with `$`. This analytic leverages Event Id 4781, `The name of an account was changed`, to identify a computer account rename event with a suspicious name that does not terminate with `$`. This behavior could represent an exploitation attempt of CVE-2021-42278 and CVE-2021-42287 for privilege escalation. -how_to_implement = To successfully implement this search, you need to be ingesting Windows event logs from your hosts. In addition, the Splunk Windows TA is needed. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078", "T1078.002"], "nist": ["DE.CM"]} -known_false_positives = Renaming a computer account name to a name that not end with '$' is highly unsual and may not have any legitimate scenarios. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Suspicious Copy on System32 - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is to detect a suspicious copy of file from systemroot folder of the windows OS. This technique is commonly used by APT or other malware as part of execution (LOLBIN) to run its malicious code using the available legitimate tool in OS. this type of event may seen or may execute of normal user in some instance but this is really a anomaly that needs to be check within the network. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036.003", "T1036"], "nist": ["DE.CM"]} -known_false_positives = every user may do this event but very un-ussual. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Suspicious Curl Network Connection - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the use of a curl contacting suspicious remote domains to checkin to Command And Control servers or download further implants. In the context of Silver Sparrow, curl is identified contacting s3.amazonaws.com. This particular behavior is common with MacOS adware-malicious software. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]} -known_false_positives = Unknown. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Suspicious DLLHost no Command Line Arguments - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} -known_false_positives = Limited false positives may be present in small environments. Tuning may be required based on parent process. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Suspicious Driver Loaded Path - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic will detect suspicious driver loaded paths. This technique is commonly used by malicious software like coin miners (xmrig) to register its malicious driver from notable directories where executable or drivers do not commonly exist. During triage, validate this driver is for legitimate business use. Review the metadata and certificate information. Unsigned drivers from non-standard paths is not normal, but occurs. In addition, review driver loads into `ntoskrnl.exe` for possible other drivers of interest. Long tail analyze drivers by path (outside of default, and in default) for further review. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the driver loaded and Signature from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1543.003", "T1543"], "nist": ["DE.CM"]} -known_false_positives = Limited false positives will be present. Some applications do load drivers -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Suspicious Event Log Service Behavior - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic utilizes Windows Event ID 1100 to identify when Windows event log service is shutdown. Note that this is a voluminous analytic that will require tuning or restricted to specific endpoints based on criticality. This event generates every time Windows Event Log service has shut down. It also generates during normal system shutdown. During triage, based on time of day and user, determine if this was planned. If not planned, follow through with reviewing parallel alerts and other data sources to determine what else may have occurred. -how_to_implement = To successfully implement this search, you need to be ingesting Windows event logs from your hosts. In addition, the Splunk Windows TA is needed. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070", "T1070.001"], "nist": ["DE.AE"]} -known_false_positives = It is possible the Event Logging service gets shut down due to system errors or legitimately administration tasks. Filter as needed. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Suspicious GPUpdate no Command Line Arguments - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies gpupdate.exe with no command line arguments. It is unusual for gpupdate.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. gpupdate.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} -known_false_positives = Limited false positives may be present in small environments. Tuning may be required based on parent process. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Suspicious IcedID Rundll32 Cmdline - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search is to detect a suspicious rundll32.exe commandline to execute dll file. This technique was seen in IcedID malware to load its payload dll with the following parameter to load encrypted dll payload which is the license.dat. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} -known_false_positives = limitted. this parameter is not commonly used by windows application but can be used by the network operator. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Suspicious Image Creation In Appdata Folder - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search is to detect a suspicious creation of image in appdata folder made by process that also has a file reference in appdata folder. This technique was seen in remcos rat that capture screenshot of the compromised machine and place it in the appdata and will be send to its C2 server. This TTP is really a good indicator to check that process because it is in suspicious folder path and image files are not commonly created by user in this folder path. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1113"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Suspicious Kerberos Service Ticket Request - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = As part of the sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287) exploitation chain, adversaries will request and obtain a Kerberos Service Ticket (TGS) with a domain controller computer account as the Service Name. This Service Ticket can be then used to take control of the domain controller on the final part of the attack. This analytic leverages Event Id 4769, `A Kerberos service ticket was requested`, to identify an unusual TGS request where the Account_Name requesting the ticket matches the Service_Name field. This behavior could represent an exploitation attempt of CVE-2021-42278 and CVE-2021-42287 for privilege escalation. -how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078", "T1078.002"], "nist": ["DE.CM"]} -known_false_positives = We have tested this detection logic with ~2 million 4769 events and did not identify false positives. However, they may be possible in certain environments. Filter as needed. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Suspicious Linux Discovery Commands - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search, detects execution of suspicious bash commands from various commonly leveraged bash scripts like (AutoSUID, LinEnum, LinPeas) to perform discovery of possible paths of privilege execution, password files, vulnerable directories, executables and file permissions on a Linux host. \ -The search logic specifically looks for high number of distinct commands run in a short period of time. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.004"], "nist": ["DE.CM"]} -known_false_positives = Unless an administrator is using these commands to troubleshoot or audit a system, the execution of these commands should be monitored. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Suspicious microsoft workflow compiler rename - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a renamed instance of microsoft.workflow.compiler.exe. Microsoft.workflow.compiler.exe is natively found in C:\Windows\Microsoft.NET\Framework64\v4.0.30319 and is rarely utilized. When investigating, identify the executed code on disk and review. A spawned child process from microsoft.workflow.compiler.exe is uncommon. In any instance, microsoft.workflow.compiler.exe spawning from an Office product or any living off the land binary is highly suspect. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036", "T1127", "T1036.003"], "nist": ["DE.AE"]} -known_false_positives = Although unlikely, some legitimate applications may use a moved copy of microsoft.workflow.compiler.exe, triggering a false positive. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Suspicious microsoft workflow compiler usage - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the usage of microsoft.workflow.compiler.exe, a rarely utilized executable typically found in C:\Windows\Microsoft.NET\Framework64\v4.0.30319. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution telemetry. The significance of this activity lies in its uncommon usage, which may indicate malicious intent such as code execution or persistence mechanisms. If confirmed malicious, an attacker could leverage this process to execute arbitrary code, potentially leading to unauthorized access or further compromise of the system. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1127"], "nist": ["DE.CM"]} -known_false_positives = Although unlikely, limited instances have been identified coming from native Microsoft utilities similar to SCCM. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Suspicious msbuild path - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies msbuild.exe executing from a non-standard path. Msbuild.exe is natively found in C:\Windows\Microsoft.NET\Framework\v4.0.30319 and C:\Windows\Microsoft.NET\Framework64\v4.0.30319. Instances of Visual Studio will run a copy of msbuild.exe. A moved instance of MSBuild is suspicious, however there are instances of build applications that will move or use a copy of MSBuild. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036", "T1127", "T1036.003", "T1127.001"], "nist": ["DE.CM"]} -known_false_positives = Some legitimate applications may use a moved copy of msbuild.exe, triggering a false positive. Baselining of MSBuild.exe usage is recommended to better understand it's path usage. Visual Studio runs an instance out of a path that will need to be filtered on. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Suspicious MSBuild Rename - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the execution of renamed instances of msbuild.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and original file names within the Endpoint data model. This activity is significant because msbuild.exe is a legitimate tool often abused by attackers to execute malicious code while evading detection. If confirmed malicious, this behavior could allow an attacker to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further lateral movement within the network. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036", "T1127", "T1036.003", "T1127.001"], "nist": ["DE.AE"]} -known_false_positives = Although unlikely, some legitimate applications may use a moved copy of msbuild, triggering a false positive. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Suspicious MSBuild Spawn - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies wmiprvse.exe spawning msbuild.exe. This behavior is indicative of a COM object being utilized to spawn msbuild from wmiprvse.exe. It is common for MSBuild.exe to be spawned from devenv.exe while using Visual Studio. In this instance, there will be command line arguments and file paths. In a malicious instance, MSBuild.exe will spawn from non-standard processes and have no command line arguments. For example, MSBuild.exe spawning from explorer.exe, powershell.exe is far less common and should be investigated. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1127", "T1127.001"], "nist": ["DE.CM"]} -known_false_positives = Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Suspicious mshta child process - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies child processes spawning from "mshta.exe". The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, parent process "mshta.exe" and its child process. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"]} -known_false_positives = Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Suspicious mshta spawn - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the spawning of mshta.exe by wmiprvse.exe or svchost.exe. This behavior is identified using Endpoint Detection and Response (EDR) data, focusing on process creation events where the parent process is either wmiprvse.exe or svchost.exe. This activity is significant as it may indicate the use of a DCOM object to execute malicious scripts via mshta.exe, a common tactic in sophisticated attacks. If confirmed malicious, this could allow an attacker to execute arbitrary code, potentially leading to system compromise and further malicious activities. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"]} -known_false_positives = Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Suspicious PlistBuddy Usage - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the use of a native MacOS utility, PlistBuddy, creating or modifying a properly list (.plist) file. In the instance of Silver Sparrow, the following commands were executed: \ -* PlistBuddy -c "Add :Label string init_verx" ~/Library/Launchagents/init_verx.plist \ -* PlistBuddy -c "Add :RunAtLoad bool true" ~/Library/Launchagents/init_verx.plist \ -* PlistBuddy -c "Add :StartInterval integer 3600" ~/Library/Launchagents/init_verx.plist \ -* PlistBuddy -c "Add :ProgramArguments array" ~/Library/Launchagents/init_verx.plist \ -* PlistBuddy -c "Add :ProgramArguments:0 string /bin/sh" ~/Library/Launchagents/init_verx.plist \ -* PlistBuddy -c "Add :ProgramArguments:1 string -c" ~/Library/Launchagents/init_verx.plist \ -Upon triage, capture the property list file being written to disk and review for further indicators. Contain the endpoint and triage further. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1543.001", "T1543"], "nist": ["DE.CM"]} -known_false_positives = Some legitimate applications may use PlistBuddy to create or modify property lists and possibly generate false positives. Review the property list being modified or created to confirm. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Suspicious PlistBuddy Usage via OSquery - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the use of a native MacOS utility, PlistBuddy, creating or modifying a properly list (.plist) file. In the instance of Silver Sparrow, the following commands were executed: \ -* PlistBuddy -c "Add :Label string init_verx" ~/Library/Launchagents/init_verx.plist \ -* PlistBuddy -c "Add :RunAtLoad bool true" ~/Library/Launchagents/init_verx.plist \ -* PlistBuddy -c "Add :StartInterval integer 3600" ~/Library/Launchagents/init_verx.plist \ -* PlistBuddy -c "Add :ProgramArguments array" ~/Library/Launchagents/init_verx.plist \ -* PlistBuddy -c "Add :ProgramArguments:0 string /bin/sh" ~/Library/Launchagents/init_verx.plist \ -* PlistBuddy -c "Add :ProgramArguments:1 string -c" ~/Library/Launchagents/init_verx.plist \ -Upon triage, capture the property list file being written to disk and review for further indicators. Contain the endpoint and triage further. -how_to_implement = OSQuery must be installed and configured to pick up process events (info at https://osquery.io) as well as using the Splunk OSQuery Add-on https://splunkbase.splunk.com/app/4402. Modify the macro and validate fields are correct. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1543.001", "T1543"], "nist": ["DE.CM"]} -known_false_positives = Some legitimate applications may use PlistBuddy to create or modify property lists and possibly generate false positives. Review the property list being modified or created to confirm. -providing_technologies = null - -[savedsearch://ESCU - Suspicious Process DNS Query Known Abuse Web Services - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects a suspicious process making a DNS query via known, abused text-paste web services, VoIP, instant messaging, and digital distribution platforms used to download external files. This technique is abused by adversaries, malware actors, and red teams to download a malicious file on the target host. This is a good TTP indicator for possible initial access techniques. A user will experience false positives if the following instant messaging is allowed or common applications like telegram or discord are allowed in the corporate network. -how_to_implement = This detection relies on sysmon logs with the Event ID 22, DNS Query. We suggest you run this detection at least once a day over the last 14 days. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.005", "T1059"], "nist": ["DE.CM"]} -known_false_positives = Noise and false positive can be seen if the following instant messaging is allowed to use within corporate network. In this case, a filter is needed. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Suspicious Process Executed From Container File - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic identifies a suspicious process spawned by another process from within common container/archive file types. This technique was a common technique used by adversaries and malware to execute scripts or evade defenses. This TTP may detect some normal software installation or user behaviors where opening archive files is common. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1204.002", "T1036.008"], "nist": ["DE.CM"]} -known_false_positives = Various business process or userland applications and behavior. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Suspicious Process File Path - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic identifies a suspicious processes running in file paths that are not typically associated with legitimate software. Adversaries often employ this technique to drop and execute malicious executables in accessible locations that do not require administrative privileges. By monitoring for processes running in such unconventional file paths, we can identify potential indicators of compromise and proactively respond to malicious activity. This analytic plays a crucial role in enhancing system security by pinpointing suspicious behaviors commonly associated with malware and unauthorized software execution. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1543"], "nist": ["DE.CM"]} -known_false_positives = Administrators may allow execution of specific binaries in non-standard paths. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Suspicious Process With Discord DNS Query - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic identifies a process making a DNS query to Discord, a well known instant messaging and digital distribution platform. Discord can be abused by adversaries, as seen in the WhisperGate campaign, to host and download malicious. external files. A process resolving a Discord DNS name could be an indicator of malware trying to download files from Discord for further execution. -how_to_implement = his detection relies on sysmon logs with the Event ID 22, DNS Query. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.005", "T1059"], "nist": ["DE.AE"]} -known_false_positives = Noise and false positive can be seen if the following instant messaging is allowed to use within corporate network. In this case, a filter is needed. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Suspicious Reg exe Process - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies instances of reg.exe being launched from a command prompt (cmd.exe) that was not initiated by the user, as indicated by a parent process other than explorer.exe. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process names. This activity is significant because reg.exe is often used in registry manipulation, which can be indicative of malicious behavior such as persistence mechanisms or system configuration changes. If confirmed malicious, this could allow an attacker to modify critical system settings, potentially leading to privilege escalation or persistent access. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -known_false_positives = It's possible for system administrators to write scripts that exhibit this behavior. If this is the case, the search will need to be modified to filter them out. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Suspicious Regsvr32 Register Suspicious Path - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = Adversaries may abuse Regsvr32.exe to proxy execution of malicious code by using non-standard file extensions to load DLLs. Upon investigating, look for network connections to remote destinations (internal or external). Review additional parrallel processes and child processes for additional activity. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.010"], "nist": ["DE.CM"]} -known_false_positives = Limited false positives with the query restricted to specified paths. Add more world writeable paths as tuning continues. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Suspicious Rundll32 dllregisterserver - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies rundll32.exe using dllregisterserver on the command line to load a DLL. When a DLL is registered, the DllRegisterServer method entry point in the DLL is invoked. This is typically seen when a DLL is being registered on the system. Not every instance is considered malicious, but it will capture malicious use of it. During investigation, review the parent process and parrellel processes executing. Capture the DLL being loaded and inspect further. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} -known_false_positives = This is likely to produce false positives and will require some filtering. Tune the query by adding command line paths to known good DLLs, or filtering based on parent process names. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Suspicious Rundll32 no Command Line Arguments - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies rundll32.exe with no command line arguments. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} -known_false_positives = Although unlikely, some legitimate applications may use a moved copy of rundll32, triggering a false positive. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Suspicious Rundll32 PluginInit - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the execution of the rundll32.exe process with the "plugininit" parameter. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events and command-line arguments. This activity is significant because the "plugininit" parameter is commonly associated with IcedID malware, which uses it to execute an initial DLL stager to download additional payloads. If confirmed malicious, this behavior could lead to further malware infections, data exfiltration, or complete system compromise. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} -known_false_positives = third party application may used this dll export name to execute function. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Suspicious Rundll32 StartW - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies rundll32.exe executing a DLL function name, Start and StartW, on the command line that is commonly observed with Cobalt Strike x86 and x64 DLL payloads. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. Typically, the DLL will be written and loaded from a world writeable path or user location. In most instances it will not have a valid certificate (Unsigned). During investigation, review the parent process and other parallel application execution. Capture and triage the DLL in question. In the instance of Cobalt Strike, rundll32.exe is the default process it opens and injects shellcode into. This default process can be changed, but typically is not. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} -known_false_positives = Although unlikely, some legitimate applications may use Start as a function and call it via the command line. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Suspicious Scheduled Task from Public Directory - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic, "Suspicious Scheduled Task from Public Directory", detects the registration of scheduled tasks aimed to execute a binary or script from public directories, a behavior often associated with malware deployment. It utilizes the Sysmon EventID 1 data source, searching for instances where schtasks.exe is connected with the directories users\public, \programdata\, or \windows\temp and involves the /create command. \ -The registration of such scheduled tasks in public directories could suggest that an attacker is trying to maintain persistence or execute malicious scripts. If confirmed as a true positive, this could lead to data compromise, unauthorized access, and potential lateral movement within the network. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.AE"]} -known_false_positives = The main source of false positives could be the legitimate use of scheduled tasks from these directories. Careful tuning of this search may be necessary to suit the specifics of your environment, reducing the rate of false positives. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Suspicious SearchProtocolHost no Command Line Arguments - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies searchprotocolhost.exe with no command line arguments. It is unusual for searchprotocolhost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. searchprotocolhost.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} -known_false_positives = Limited false positives may be present in small environments. Tuning may be required based on parent process. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Suspicious SQLite3 LSQuarantine Behavior - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the use of a SQLite3 querying the MacOS preferences to identify the original URL the pkg was downloaded from. This particular behavior is common with MacOS adware-malicious software. Upon triage, review other processes in parallel for suspicious activity. Identify any recent package installations. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1074"], "nist": ["DE.CM"]} -known_false_positives = Unknown. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Suspicious Ticket Granting Ticket Request - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = As part of the sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287) exploitation chain, adversaries will need to request a Kerberos Ticket Granting Ticket (TGT) on behalf of the newly created and renamed computer account. The TGT request will be preceded by a computer account name event. This analytic leverages Event Id 4781, `The name of an account was changed` and event Id 4768 `A Kerberos authentication ticket (TGT) was requested` to correlate a sequence of events where the new computer account on event id 4781 matches the request account on event id 4768. This behavior could represent an exploitation attempt of CVE-2021-42278 and CVE-2021-42287 for privilege escalation. -how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078", "T1078.002"], "nist": ["DE.AE"]} -known_false_positives = A computer account name change event inmediately followed by a kerberos TGT request with matching fields is unsual. However, legitimate behavior may trigger it. Filter as needed. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Suspicious WAV file in Appdata Folder - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is to detect a suspicious creation of .wav file in appdata folder. This behavior was seen in Remcos RAT malware where it put the audio recording in the appdata\audio folde as part of data collection. this recording can be send to its C2 server as part of its exfiltration to the compromised machine. creation of wav files in this folder path is not a ussual disk place used by user to save audio format file. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, file_name, file_path and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1113"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Suspicious wevtutil Usage - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the usage of wevtutil.exe with parameters for clearing event logs such as Application, Security, Setup, Trace, or System. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because clearing event logs can be an attempt to cover tracks after malicious actions, hindering forensic investigations. If confirmed malicious, this behavior could allow an attacker to erase evidence of their activities, making it difficult to trace their actions and understand the full scope of the compromise. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070.001", "T1070"], "nist": ["DE.CM"]} -known_false_positives = The wevtutil.exe application is a legitimate Windows event log utility. Administrators may use it to manage Windows event logs. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Suspicious writes to windows Recycle Bin - Rule] -type = detection -asset_type = Windows -confidence = medium -explanation = The following analytic detects when a process other than explorer.exe writes to the Windows Recycle Bin to detect potential threats earlier and mitigate the risks. This detection is made by a Splunk query that utilizes the Endpoint.Filesystem data model and the Endpoint.Processes data model. The query looks for any process writing to the "*$Recycle.Bin*" file path, excluding explorer.exe. This detection is important because it suggests that an attacker is attempting to hide their activities by using the Recycle Bin, which can lead to data theft, ransomware, or other damaging outcomes. Detecting writes to the Recycle Bin by a process other than explorer.exe can help to investigate and determine if the activity is malicious or benign. False positives might occur since there might be legitimate uses of the Recycle Bin by processes other than explorer.exe. Next steps include reviewing the process writing to the Recycle Bin and any relevant on-disk artifacts upon triage. -how_to_implement = To successfully implement this search you need to be ingesting information on filesystem and process logs responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` nodes. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036"], "nist": ["DE.CM"]} -known_false_positives = Because the Recycle Bin is a hidden folder in modern versions of Windows, it would be unusual for a process other than explorer.exe to write to it. Incidents should be investigated as appropriate. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Svchost LOLBAS Execution Process Spawn - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic is designed to spot instances of 'svchost.exe' initiating a Living Off The Land Binaries and Scripts (LOLBAS) execution process. Often, adversaries manipulate Task Scheduler to execute code on remote endpoints, resulting in the spawning of a malicious command as a child process of 'svchost.exe'. By tracking child processes of 'svchost.exe' that align with the LOLBAS project, potential lateral movement activity can be detected. The analytic examines process details, including the process name, parent process, and command-line executions. A comprehensive list of LOLBAS processes is included in the search parameters. Although the analytic might catch legitimate applications exhibiting this behavior, these instances should be filtered accordingly. The findings from this analytic offer valuable insight into potentially malicious activities on an endpoint. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053", "T1053.005"], "nist": ["DE.CM"]} -known_false_positives = Legitimate applications may trigger this behavior, filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - System Info Gathering Using Dxdiag Application - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is to detect a suspicious dxdiag.exe process command-line execution. Dxdiag is used to collect the system info of the target host. This technique has been used by Remcos RATS, various actors, and other malware to collect information as part of the recon or collection phase of an attack. This behavior should rarely be seen in a corporate network, but this command line can be used by a network administrator to audit host machine specifications. Thus in some rare cases, this detection will contain false positives in its results. To triage further, analyze what commands were passed after it pipes out the result to a file for further processing. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Reconnaissance"], "mitre_attack": ["T1592"], "nist": ["DE.AE"]} -known_false_positives = This commandline can be used by a network administrator to audit host machine specifications. Thus, a filter is needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - System Information Discovery Detection - Rule] -type = detection -asset_type = Windows -confidence = medium -explanation = The following analytic identifies system information discovery techniques, such as the execution of commands like `wmic qfe`, `systeminfo`, and `hostname`. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant because attackers often use these commands to gather system configuration details, which can aid in further exploitation. If confirmed malicious, this behavior could allow attackers to tailor their attacks based on the discovered system information, potentially leading to privilege escalation, persistence, or data exfiltration. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1082"], "nist": ["DE.CM"]} -known_false_positives = Administrators debugging servers -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - System Processes Run From Unexpected Locations - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search looks for system processes that typically execute from `C:\Windows\System32\` or `C:\Windows\SysWOW64`. This may indicate a malicious process that is trying to hide as a legitimate process. \ -This detection utilizes a lookup that is deduped `system32` and `syswow64` directories from Server 2016 and Windows 10. \ -During triage, review the parallel processes - what process moved the native Windows binary? identify any artifacts on disk and review. If a remote destination is contacted, what is the reputation? -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036", "T1036.003"], "nist": ["DE.AE"]} -known_false_positives = This detection may require tuning based on third party applications utilizing native Windows binaries in non-standard paths. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - System User Discovery With Query - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic looks for the execution of `query.exe` with command-line arguments utilized to discover the logged user. Red Teams and adversaries alike may leverage `query.exe` to identify system users on a compromised endpoint for situational awareness and Active Directory Discovery. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]} -known_false_positives = Administrators or power users may use this command for troubleshooting. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - System User Discovery With Whoami - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic looks for the execution of `whoami.exe` without any arguments. This windows native binary prints out the current logged user. Red Teams and adversaries alike may leverage `whoami.exe` to identify system users on a compromised endpoint for situational awareness and Active Directory Discovery. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]} -known_false_positives = Administrators or power users may use this command for troubleshooting. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Time Provider Persistence Registry - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is to detect a suspicious modification of time provider registry for persistence and autostart. This technique can allow the attacker to persist on the compromised host and autostart as soon as the machine boot up. This TTP can be a good indicator of suspicious behavior since this registry is not commonly modified by normal user or even an admin. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1547.003", "T1547"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Trickbot Named Pipe - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the creation or connection to a named pipe associated with Trickbot malware. It leverages Sysmon EventCodes 17 and 18 to identify named pipes with the pattern "\\pipe\\*lacesomepipe". This activity is significant as Trickbot uses named pipes for communication with its command and control (C2) servers, facilitating data exfiltration and command execution. If confirmed malicious, this behavior could allow attackers to maintain persistence, execute arbitrary commands, and exfiltrate sensitive information from the compromised system. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and pipename from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. . -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - UAC Bypass MMC Load Unsigned Dll - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search is to detect a suspicious loaded unsigned dll by MMC.exe application. This technique is commonly seen in attacker that tries to bypassed UAC feature or gain privilege escalation. This is done by modifying some CLSID registry that will trigger the mmc.exe to load the dll path -how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548", "T1218.014"], "nist": ["DE.CM"]} -known_false_positives = unknown. all of the dll loaded by mmc.exe is microsoft signed dll. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - UAC Bypass With Colorui COM Object - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search is to detect a possible uac bypass using the colorui.dll COM Object. this technique was seen in so many malware and ransomware like lockbit where it make use of the colorui.dll COM CLSID to bypass UAC. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.003"], "nist": ["DE.CM"]} -known_false_positives = not so common. but 3rd part app may load this dll. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Uninstall App Using MsiExec - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search is to detect a suspicious un-installation of application using msiexec. This technique was seen in conti leak tool and script where it tries to uninstall AV product using this commandline. This commandline to uninstall product is not a common practice in enterprise network. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.007", "T1218"], "nist": ["DE.CM"]} -known_false_positives = unknown. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Unknown Process Using The Kerberos Protocol - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a process performing an outbound connection on port 88 used by default by the network authentication protocol Kerberos. Typically, on a regular Windows endpoint, only the lsass.exe process is the one tasked with connecting to the Kerberos Distribution Center to obtain Kerberos tickets. Identifying an unknown process using this protocol may be evidence of an adversary abusing the Kerberos protocol. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1550"], "nist": ["DE.CM"]} -known_false_positives = Custom applications may leverage the Kerberos protocol. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Unload Sysmon Filter Driver - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the use of `fltMC.exe` to unload the Sysmon driver, which stops Sysmon from collecting data. It leverages Endpoint Detection and Response (EDR) logs, focusing on process names and command-line executions. This activity is significant because disabling Sysmon can blind security monitoring, allowing malicious actions to go undetected. If confirmed malicious, this could enable attackers to execute further attacks without being logged, leading to potential data breaches, privilege escalation, or persistent access within the environment. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -known_false_positives = Unknown at the moment -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Unloading AMSI via Reflection - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ - \ -This analytic identifies the behavior of AMSI being tampered with. Implemented natively in many frameworks, the command will look similar to `SEtValuE($Null,(New-OBJEct COLlECtionS.GenerIC.HAshSEt{[StrINg]))}$ReF=[ReF].AsSeMbLY.GeTTyPe("System.Management.Automation.Amsi"+"Utils")` taken from Powershell-Empire. \ -During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1562", "T1059.001", "T1059"], "nist": ["DE.CM"]} -known_false_positives = Potential for some third party applications to disable AMSI upon invocation. Filter as needed. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Unusual Number of Computer Service Tickets Requested - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following hunting analytic leverages Event ID 4769, `A Kerberos service ticket was requested`, to identify an unusual number of computer service ticket requests from one source. When a domain joined endpoint connects to a remote endpoint, it first will request a Kerberos Ticket with the computer name as the Service Name. An endpoint requesting a large number of computer service tickets for different endpoints could represent malicious behavior like lateral movement, malware staging, reconnaissance, etc. The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of service requests. To customize this analytic, users can try different combinations of the `bucket` span time, the calculation of the `upperBound` field as well as the Outlier calculation. This logic can be used for real time security monitoring as well as threat hunting exercises. -how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} -known_false_positives = An single endpoint requesting a large number of computer service tickets is not common behavior. Possible false positive scenarios include but are not limited to vulnerability scanners, administration systeams and missconfigured systems. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Unusual Number of Kerberos Service Tickets Requested - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following hunting analytic leverages Kerberos Event 4769, A Kerberos service ticket was requested, to identify a potential kerberoasting attack against Active Directory networks. Kerberoasting allows an adversary to request kerberos tickets for domain accounts typically used as service accounts and attempt to crack them offline allowing them to obtain privileged access to the domain. \ -The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number service ticket requests. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. -how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558", "T1558.003"], "nist": ["DE.AE"]} -known_false_positives = An single endpoint requesting a large number of kerberos service tickets is not common behavior. Possible false positive scenarios include but are not limited to vulnerability scanners, administration systems and missconfigured systems. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Unusual Number of Remote Endpoint Authentication Events - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following hunting analytic leverages Event ID 4624, `An account was successfully logged on`, to identify an unusual number of remote authentication attempts coming from one source. An endpoint authenticating to a large number of remote endpoints could represent malicious behavior like lateral movement, malware staging, reconnaissance, etc. The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual high number of authentication events.To customize this analytic, users can try different combinations of the `bucket` span time, the calculation of the `upperBound` field as well as the Outlier calculation.This logic can be used for real time security monitoring as well as threat hunting exercises. -how_to_implement = To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} -known_false_positives = An single endpoint authenticating to a large number of hosts is not common behavior. Possible false positive scenarios include but are not limited to vulnerability scanners, jump servers and missconfigured systems. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Unusually Long Command Line - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects command lines that are extremely long, which might be indicative of malicious activity on your hosts because attackers often use obfuscated or complex command lines to hide their actions and evade detection. This helps to mitigate the risks associated with long command lines to enhance your overall security posture and reduce the impact of attacks. This detection is important because it suggests that an attacker might be attempting to execute a malicious command or payload on the host, which can lead to various damaging outcomes such as data theft, ransomware, or further compromise of the system. False positives might occur since legitimate processes or commands can sometimes result in long command lines. Next steps include conducting extensive triage and investigation to differentiate between legitimate and malicious activities. Review the source of the command line and the command itself during the triage. Additionally, capture and inspect any relevant on-disk artifacts and review concurrent processes to identify the source of the attack. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -known_false_positives = Some legitimate applications start with long command lines. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Unusually Long Command Line - MLTK - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = Command lines that are extremely long may be indicative of malicious activity on your hosts. This search leverages the Machine Learning Toolkit (MLTK) to help identify command lines with lengths that are unusual for a given user. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -known_false_positives = Some legitimate applications use long command lines for installs or updates. You should review identified command lines for legitimacy. You may modify the first part of the search to omit legitimate command lines from consideration. If you are seeing more results than desired, you may consider changing the value of threshold in the search to a smaller value. You should also periodically re-run the support search to re-build the ML model on the latest data. You may get unexpected results if the user identified in the results is not present in the data used to build the associated model. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - User Discovery With Env Vars PowerShell - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic looks for the execution of `powershell.exe` with command-line arguments that leverage PowerShell environment variables to identify the current logged user. Red Teams and adversaries may leverage this method to identify the logged user on a compromised endpoint for situational awareness and Active Directory Discovery. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]} -known_false_positives = Administrators or power users may use this command for troubleshooting. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - User Discovery With Env Vars PowerShell Script Block - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the use of PowerShell environment variables to identify the current logged user. Red Teams and adversaries may leverage this method to identify the logged user on a compromised endpoint for situational awareness and Active Directory Discovery. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]} -known_false_positives = Administrators or power users may use this PowerShell commandlet for troubleshooting. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - USN Journal Deletion - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The fsutil.exe application is a legitimate Windows utility used to perform tasks related to the file allocation table (FAT) and NTFS file systems. The update sequence number (USN) change journal provides a log of all changes made to the files on the disk. This search looks for fsutil.exe deleting the USN journal. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070"], "nist": ["DE.CM"]} -known_false_positives = None identified -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Vbscript Execution Using Wscript App - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is to detect a suspicious wscript commandline to execute vbscript. This technique was seen in several malware to execute malicious vbs file using wscript application. commonly vbs script is associated to cscript process and this can be a technique to evade process parent child detections or even some av script emulation system. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.005", "T1059"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Verclsid CLSID Execution - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is to detect a possible abuse of verclsid to execute malicious file through generate CLSID. This process is a normal application of windows to verify the CLSID COM object before it is instantiated by Windows Explorer. This hunting query can be a good pivot point to analyze what is he CLSID or COM object pointing too to check if it is a valid application or not. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.012", "T1218"], "nist": ["DE.AE"]} -known_false_positives = windows can used this application for its normal COM object validation. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - W3WP Spawning Shell - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This query identifies a shell, PowerShell.exe or Cmd.exe, spawning from W3WP.exe, or IIS. In addition to IIS logs, this behavior with an EDR product will capture potential webshell activity, similar to the HAFNIUM Group abusing CVEs, on publicly available Exchange mail servers. During triage, review the parent process and child process of the shell being spawned. Review the command-line arguments and any file modifications that may occur. Identify additional parallel process, child processes, that may highlight further commands executed. After triaging, work to contain the threat and patch the system that is vulnerable. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1505", "T1505.003"], "nist": ["DE.CM"]} -known_false_positives = Baseline your environment before production. It is possible build systems using IIS will spawn cmd.exe to perform a software build. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - WBAdmin Delete System Backups - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the execution of wbadmin.exe with flags that delete backup files, specifically targeting catalog or system state backups. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because it is commonly used by ransomware to prevent recovery by deleting system backups. If confirmed malicious, this action could severely hinder recovery efforts, leading to prolonged downtime and potential data loss. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]} -known_false_positives = Administrators may modify the boot configuration. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Wbemprox COM Object Execution - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a potential suspicious process loading a COM object from wbemprox.dll or faskprox.dll. The Microsoft Component Object Model (COM) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. This feature is being abused by several threat actors, adversaries or even red teamers to gain privilege escalation or even to evade detections. This TTP is a good indicator that a process is loading possible known .dll modules that were known for its COM object. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.003"], "nist": ["DE.CM"]} -known_false_positives = legitimate process that are not in the exception list may trigger this event. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Wermgr Process Connecting To IP Check Web Services - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search is designed to detect suspicious wermgr.exe process that tries to connect to known IP web services. This technique is know for trickbot and other trojan spy malware to recon the infected machine and look for its ip address without so much finger print on the commandline process. Since wermgr.exe is designed for error handling process of windows it is really suspicious that this process is trying to connect to this IP web services cause that maybe cause of some malicious code injection. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, dns query name process path , and query ststus from your endpoints like EventCode 22. If you are using Sysmon, you must have at least version 12 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Reconnaissance"], "mitre_attack": ["T1590", "T1590.005"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Wermgr Process Create Executable File - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = this search is designed to detect potential malicious wermgr.exe process that drops or create executable file. Since wermgr.exe is an application trigger when error encountered in a process, it is really un ussual to this process to drop executable file. This technique is commonly seen in trickbot malware where it injects it code to this process to execute it malicious behavior like downloading other payload -how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of wermgr.exe may be used. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1027"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Wermgr Process Spawned CMD Or Powershell Process - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search is designed to detect suspicious cmd and powershell process spawned by wermgr.exe process. This suspicious behavior are commonly seen in code injection technique technique like trickbot to execute a shellcode, dll modules to run malicious behavior. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Wget Download and Bash Execution - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]} -known_false_positives = False positives should be limited, however filtering may be required. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Abused Web Services - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects a suspicious process making a DNS query via known, abused text-paste web services, VoIP, internet via secure tunneling,instant messaging, and digital distribution platforms used to download external files. This technique is abused by adversaries, malware actors, and red teams to download a malicious file on the target host. This is a good TTP indicator for possible initial access techniques. A user will experience false positives if the following instant messaging is allowed or common applications like telegram or discord are allowed in the corporate network. -how_to_implement = This detection relies on sysmon logs with the Event ID 22, DNS Query. We suggest you run this detection at least once a day over the last 14 days. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1102"], "nist": ["DE.CM"]} -known_false_positives = Noise and false positive can be seen if the following instant messaging is allowed to use within corporate network. In this case, a filter is needed. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Windows Access Token Manipulation SeDebugPrivilege - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a suspicious process enabling the "SeDebugPrivilege" privilege token. SeDebugPrivilege allows a process to inspect and adjust the memory of other processes, and has long been a security concern. SeDebugPrivilege allows the token bearer to access any process or thread, regardless of security descriptors, per Palantir. This technique is abused by adversaries to gain debug privileges with their malicious software to be able to access or debug a process to dump credentials or to inject malicious code. -how_to_implement = To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4703 EventCode enabled. The Windows TA is also required. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134.002", "T1134"], "nist": ["DE.AE"]} -known_false_positives = Some native binaries and browser applications may request SeDebugPrivilege. Filter as needed. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows Access Token Manipulation Winlogon Duplicate Token Handle - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a process requesting access to winlogon.exe attempting to duplicate its handle. This technique was seen in several adversaries to gain privileges for their process. Winlogon.exe is the common targeted process of this technique because it contains high privileges and security tokens. -how_to_implement = To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134.001", "T1134"], "nist": ["DE.AE"]} -known_false_positives = It is possible legitimate applications will request access to winlogon, filter as needed. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Windows Access Token Winlogon Duplicate Handle In Uncommon Path - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a process requesting access in winlogon.exe to duplicate its handle with a non-common or public process source path. This technique was seen where adversaries attempt to gain privileges to their process. This duplicate handle access technique, may refer to a malicious process duplicating the process token of winlogon.exe and using it to a new process instance. Winlogon.exe is the common targeted process of this technique because it contains high privileges and security tokens. -how_to_implement = To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134.001", "T1134"], "nist": ["DE.AE"]} -known_false_positives = It is possible legitimate applications will request access to winlogon, filter as needed. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Windows Account Discovery for None Disable User Account - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic utilizes PowerShell Script Block Logging to identify the execution of the PowerView PowerShell commandlet Get-NetUser. In the context of PowerView's Get-NetUser cmdlet as a filter or parameter to query Active Directory user accounts that are not disabled. The full script block text based on the CISA-23-347A advisory is "Get-NetUser -UACFilter NOT_ACCOUNTDISABLE". Utilize this query to identify potential suspicious activity of user account enumeration. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.= -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.001"], "nist": ["DE.AE"]} -known_false_positives = Administrators may leverage PowerView for legitimate purposes, filter as needed. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows Account Discovery for Sam Account Name - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic leverages Event ID 4104 to identify the execution of the PowerView powershell commandlets Get-NetUser. In the context of PowerView's Get-NetUser cmdlet as a filter or parameter to query Active Directory user account's "samccountname". This hunting query is a good pivot to look for suspicious process or malware that gather user account information in a host or within network system. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.= -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087"], "nist": ["DE.AE"]} -known_false_positives = Administrators may leverage PowerView for legitimate purposes, filter as needed. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows Account Discovery With NetUser PreauthNotRequire - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic leverages Event ID 4104 to identify the execution of the PowerView powershell commandlets Get-NetUser. This technique was observed in the context of PowerView's Get-NetUser cmdlet as a filter or parameter to query Active Directory user accounts that do not require preauthentication for Kerberos. This hunting query is a good pivot to look for suspicious process or malware that gather user account information in a host or within network system. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.= -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087"], "nist": ["DE.AE"]} -known_false_positives = Administrators may leverage PowerView for legitimate purposes, filter as needed. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows AD Abnormal Object Access Activity - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a statistically significant increase in access to Active Directory objects, which may indicate attacker enumeration. It leverages Windows Security Event Code 4662 to monitor and analyze access patterns, comparing them against historical averages to detect anomalies. This activity is significant for a SOC because abnormal access to AD objects can be an early indicator of reconnaissance efforts by an attacker. If confirmed malicious, this behavior could lead to unauthorized access, privilege escalation, or further compromise of the Active Directory environment. -how_to_implement = Enable Audit Directory Service Access via GPO and collect event code 4662. The required SACLs need to be created for the relevant objects. Be aware Splunk filters this event by default on the Windows TA. Recommend pre-filtering any known service accounts that frequently query AD to make detection more accurate. Setting wide search window of 48~72hr may smooth out misfires. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.002"], "nist": ["DE.AE"]} -known_false_positives = Service accounts or applications that routinely query Active Directory for information. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows AD AdminSDHolder ACL Modified - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the modification of the Access Control List for the AdminSDHolder object within a Windows domain. Specifically, the detection triggers on the addition of a new rule to the existing ACL. AdminSDHolder is an object located in the System Partition in Active Directory and is used as a security template for objects that are members of certain privileged groups. Objects in these groups are enumerated and any objects with security descriptors that dont match the AdminSDHolder ACL are flagged for updating. The Security Descriptor propagator (SDProp) process runs every 60 minutes on the PDC Emulator and re-stamps the object Access Control List (ACL) with the security permissions set on the AdminSDHolder. An adversary who has obtained privileged access to a Windows Domain may modify the AdminSDHolder ACL to establish persistence and allow an unprivileged user to take control of a domain. -how_to_implement = To successfully implement this search, you ned to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. Additionally, a SACL needs to be created for the AdminSDHolder object in order to log modifications. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1546"], "nist": ["DE.CM"]} -known_false_positives = Adding new users or groups to the AdminSDHolder ACL is not usual. Filter as needed -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows AD Cross Domain SID History Addition - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic looks for changes to the sIDHistory AD attribute of user or computer objects within different domains. The SID history AD attribute allows users to inherit permissions from a separate AD account without group changes. Initially developed for access continuity when migrating user accounts to different domains, this attribute can also be abused by adversaries for inter-domain privilege escalation and persistence. -how_to_implement = To successfully implement this search, you need to be ingesting eventcodes `4738` and `4742`. The Advanced Security Audit policy settings `Audit User Account Management` and `Audit Computer Account Management` within `Account Management` all need to be enabled. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134.005", "T1134"], "nist": ["DE.CM"]} -known_false_positives = Domain mergers and migrations may generate large volumes of false positives for this analytic. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows AD Domain Controller Audit Policy Disabled - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the disabling of audit policies on a domain controller. The detection is made by identifying changes made to audit policies and checks for the removal of success or failure auditing, which are common indicators of policy tampering. The detection is important because it indicates that an attacker has gained access to the domain controller and is attempting to evade detection and cover up malicious activity. The impact of such an attack can be severe, including data theft, privilege escalation, and compromise of the entire network. False positives might occur since legitimate changes to audit policies might also trigger the analytic. Upon triage, review the audit policy change event and investigate the source of the change. Additionally, you must capture and inspect any relevant on-disk artifacts and review concurrent processes to identify the attack source." -how_to_implement = Ensure you are ingesting EventCode `4719` from your domain controllers, the category domain_controller exists in assets and identities, and that assets and identities is enabled. If A&I is not configured, you will need to manually filter the results within the base search. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001"], "nist": ["DE.CM"]} -known_false_positives = Unknown -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows AD Domain Controller Promotion - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic identifies a genuine DC promotion event. Identifying when a computer assigns itself the necessary SPNs to function as a domain controller. Note these events are triggered on the existing domain controllers, not the newly joined domain controller. This detection will serve to identify rogue DCs added to the network. There are 2x detections within this analytic story which identify DCShadow attacks, if you do not currently possess the logging for these detections, remove the where clause within this detection to identify DCShadow activity. -how_to_implement = To successfully implement this search, you need to be ingesting eventcode `4742`. The Advanced Security Audit policy setting `Audit Computer Account Management` within `Account Management` needs to be enabled. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1207"], "nist": ["DE.CM"]} -known_false_positives = None. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows AD Domain Replication ACL Addition - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the addition of the permissions necessary to perform a DCSync attack. In order to replicate AD objects, the initiating user or computer must have the following permissions on the domain. - DS-Replication-Get-Changes - DS-Replication-Get-Changes-All Certain Sync operations may require the additional permission of DS-Replication-Get-Changes-In-Filtered-Set. By default, adding DCSync permissions via the Powerview Add-ObjectACL operation adds all 3. This alert identifies where this trifecta has been met, and also where just the base level requirements have been met. -how_to_implement = To successfully implement this search, you need to be ingesting the eventcode 5136. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled, alongside a SACL for `everybody` to `Write All Properties` applied to the domain root and all descendant objects. Once the necessary logging has been enabled, enumerate the domain policy to verify if existing accounts with access need to be whitelisted, or revoked. Assets and Identities is also leveraged to automatically translate the objectSid into username. Ensure your identities lookup is configured with the sAMAccountName and objectSid of all AD user and computer objects. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484"], "nist": ["DE.CM"]} -known_false_positives = When there is a change to nTSecurityDescriptor, Windows logs the entire ACL with the newly added components. If existing accounts are present with this permission, they will raise an alert each time the nTSecurityDescriptor is updated unless whitelisted. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows AD DSRM Account Changes - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = Aside from being used to promote genuine domain controllers, the DSRM (Directory Services Restore Mode) account can be used to persist within a Domain. A DC can be configured to allow the DSRM account to logon & be used in the same way as a local administrator account. This detection is looking for alterations to the behaviour of the account via registry. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]} -known_false_positives = Disaster recovery events. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows AD DSRM Password Reset - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = Aside from being used to promote genuine domain controllers, the DSRM (Directory Services Restore Mode) account can be used to persist within a Domain. A DC can be configured to allow the DSRM account to logon & be used in the same way as a local administrator account. This detection is looking for any password reset attempts against that account. -how_to_implement = To successfully implement this search, you need to be ingesting eventcode `4794` and have the Advanced Security Audit policy `Audit User Account Management` within `Account Management` enabled. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]} -known_false_positives = Resetting the DSRM password for legitamate reasons, i.e. forgot the password. Disaster recovery. Deploying AD backdoor deliberately. -providing_technologies = null - -[savedsearch://ESCU - Windows AD Privileged Account SID History Addition - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This detection identifies when the SID of a privileged user is added to the SID History attribute of another user. Useful for tracking SID history abuse across multiple domains. This detection leverages the Asset and Identities framework. See the implementation section for further details on configuration. -how_to_implement = Ensure you have objectSid and the Down Level Logon Name `DOMAIN\sAMACountName` added to the identity field of your Asset and Identities lookup, along with the category of privileged for the applicable users. Ensure you are ingesting eventcodes 4742 and 4738. Two advanced audit policies `Audit User Account Management` and `Audit Computer Account Management` under `Account Management` are required to generate these event codes. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134.005", "T1134"], "nist": ["DE.CM"]} -known_false_positives = Migration of privileged accounts. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows AD Privileged Object Access Activity - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = Windows Active Directory contains numerous objects that grant elevated access to the domain they reside in. These objects should be rarely accessed by normal users or processes. Access attempts to one or more of these objects may be evidence of attacker enumeration of Active Directory. -how_to_implement = Enable Audit Directory Service Access via GPO and collect event code 4662. The required SACLs need to be created for the relevant objects. Be aware Splunk filters this event by default on the Windows TA. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.002"], "nist": ["DE.CM"]} -known_false_positives = Service accounts or applications that routinely query Active Directory for information. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows AD Replication Request Initiated by User Account - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This alert was written to detect activity associated with the DCSync attack. When a domain controller receives a replication request, the user account permissions are validated, however no checks are performed to validate the request was initiated by a Domain Controller. Once an attacker gains control of an account with the necessary privileges, they can request password hashes for any or all users within the domain. This alert detects when a user account creates a handle to domainDNS with the necessary replication permissions. -how_to_implement = To successfully implement this search, you need to be ingesting eventcode `4662`. The Advanced Security Audit policy settings `Audit Directory Services Access` within `DS Access` needs to be enabled, as well as the following SACLs applied to the domain root and all descendant objects. The principals `everybody`, `Domain Computers`, and `Domain Controllers` auditing the permissions `Replicating Directory Changes`, `Replicating Directory Changes All`, and `Replicating Directory Changes In Filtered Set` -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.006", "T1003"], "nist": ["DE.CM"]} -known_false_positives = Azure AD Connect syncing operations. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows AD Replication Request Initiated from Unsanctioned Location - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This alert was written to detect activity associated with the DCSync attack performed by computer accounts. When a domain controller receives a replication request, the account permissions are validated, however no checks are performed to validate the request was initiated by a Domain Controller. Once an attacker gains control of an account with the necessary privileges, they can request password hashes for any or all users within the domain. This alert detects when a computer account account creates a handle to domainDNS with the necessary replication permissions. These requests are then filtered to exclude where the events originate from a known domain controller IP address. -how_to_implement = To successfully implement this search, you need to be ingesting eventcode `4662`. The Advanced Security Audit policy settings `Audit Directory Services Access` within `DS Access` needs to be enabled, as well as the following SACLs applied to the domain root and all descendant objects. The principals `everybody`, `Domain Computers`, and `Domain Controllers` auditing the permissions `Replicating Directory Changes`, `Replicating Directory Changes All`, and `Replicating Directory Changes In Filtered Set` Assets and Identities will also need to be configured, with the category of domain_controller added for domain controllers. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.006", "T1003"], "nist": ["DE.CM"]} -known_false_positives = Genuine DC promotion may trigger this alert. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows AD Same Domain SID History Addition - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic looks for changes to the sIDHistory AD attribute of user or computer objects which exist within the same domain. The SID history AD attribute allows users to inherit permissions from a separate AD account without group changes. Initially developed for access continuity when migrating user accounts to different domains, this attribute can also be abused by adversaries to stealthily grant access to a backdoor account within the same domain. This analytic was written to pick up on activity via Mimikatz sid::patch. Please note there are additional avenues to abuse SID history such as DCShadow & Golden / Diamond tickets which won't be detected using these event codes. -how_to_implement = To successfully implement this search, you need to be ingesting eventcodes `4738` and `4742`. The Advanced Security Audit policy settings `Audit User Account Management` and `Audit Computer Account Management` within `Account Management` all need to be enabled. SID resolution is not required.. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134.005", "T1134"], "nist": ["DE.CM"]} -known_false_positives = Unknown -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows AD ServicePrincipalName Added To Domain Account - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the addition of a Service Principal Name to a domain account. While this event may be part of a legitimate action part of certain administrative operations, it may also be evidence of a persistence attack. Domain accounts with Servce Principal Names are vulnerable to a technique called Kerberoasting that enables attackers to potentially obtain the cleartext password of the account by performing offline cracking. An adversary who has obtained privileged access to a domain environment may add an SPN to a privileged account to then leverage the Kerberoasting technique and attempt to obtain its clertext password. -how_to_implement = To successfully implement this search, you ned to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. Additionally, a SACL needs to be created for AD objects in order to ingest attribute modifications. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]} -known_false_positives = A Service Principal Name should only be added to an account when an application requires it. While infrequent, this detection may trigger on legitimate actions. Filter as needed. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows AD Short Lived Domain Account ServicePrincipalName - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the addition of a Service Principal Name to a domain account that is quickly deleted within 5 minutes or less. While this event may be part of a legitimate action part of certain administrative operations, it may also be evidence of a persistence attack. Domain accounts with Service Principal Names are vulnerable to a technique called Kerberoasting that enables attackers to potentially obtain the cleartext password of the account by performing offline cracking. An adversary who has obtained privileged access to a domain environment may add an SPN to a privileged account to then leverage the Kerberoasting technique and attempt to obtain its clertext password. To clean things up, the adversary may delete the SPN which will trigger this detection. -how_to_implement = To successfully implement this search, you ned to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. Additionally, a SACL needs to be created for AD objects in order to ingest attribute modifications. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]} -known_false_positives = A Service Principal Name should only be added to an account when an application requires it. Adding an SPN and quickly deleting it is less common but may be part of legitimate action. Filter as needed. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows AD Short Lived Domain Controller SPN Attribute - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies when either a global catalog SPN or a DRS RPC SPN are temporarily added to an Active Directory computer object, both of which can be evidence of a DCShadow attack. DCShadow allows an attacker who has obtained privileged access to register a rogue Domain Controller (DC). Once registered, the rogue DC may be able to inject and replicate changes into the AD infrastructure for any domain object, including credentials and keys. This technique was initially released in 2018 by security researchers Benjamin Delpy and Vincent Le Toux. No event logs are written for changes to AD attributes, allowing for stealthy backdoors to be implanted in the domain, or metadata such as timestamps overwritten to cover tracks. -how_to_implement = To successfully implement this search, you need to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled, alongside a SACL for `everybody` to `Write All Properties` applied to the domain root and all descendant objects. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1207"], "nist": ["DE.CM"]} -known_false_positives = None. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows AD Short Lived Server Object - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a change in an Active Directory environment that could represent evidence of the DCShadow attack. DCShadow allows an attacker who has obtained privileged access to register a rogue Domain Controller (DC). Once registered, the rogue DC may be able to inject and replicate changes in the AD infrastructure for any domain object, including credentials and keys. This technique was initially released in 2018 by security researchers Benjamin Delpy and Vincent Le Toux. Specifically, the detection will trigger when a possible rogue Domain Controller computer object is created and quickly deleted within 30 seconds or less in an Active Directory domain. This behavior was identfied by simulating the DCShadow attack with Mimikatz. -how_to_implement = To successfully implement this search, you ned to be ingesting Event codes `5137` and `5141`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. For these event codes to be generated, specific SACLs are required. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1207"], "nist": ["DE.CM"]} -known_false_positives = Creating and deleting a server object within 30 seconds or less is unusual but not impossible in a production environment. Filter as needed. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows AD SID History Attribute Modified - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic leverages event code `5136` to identify a modification of the SID History AD attribute. The SID history AD attribute allows users to inherit permissions from a separate AD account without group changes. Initially developed for access continuity when migrating user accounts to different domains, this attribute can also be abused by adversaries to stealthily grant access to a backdoor account within the same domain. -how_to_implement = To successfully implement this search, you ned to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. Additionally, a SACL needs to be created for AD objects in order to ingest attribute modifications. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134", "T1134.005"], "nist": ["DE.CM"]} -known_false_positives = Domain mergers and migrations may generate large volumes of false positives for this analytic. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows AdFind Exe - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search looks for the execution of `adfind.exe` with command-line arguments that it uses by default specifically the filter or search functions. It also considers the arguments necessary like objectcategory, see readme for more details: https://www.joeware.net/freetools/tools/adfind/usage.htm. AdFind.exe is a powerful tool that is commonly used for querying and retrieving information from Active Directory (AD). While it is primarily designed for AD administration and management, it has been seen used before by Wizard Spider, FIN6 and actors whom also launched SUNBURST. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]} -known_false_positives = ADfind is a command-line tool for AD administration and management that is seen to be leveraged by various adversaries. Filter out legitimate administrator usage using the filter macro. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Admin Permission Discovery - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is developed to identify suspicious file creation in the root drive (C:\). This tactic was observed in NjRAT as a means to ascertain whether its malware instance running on the compromised host possesses administrative privileges. The methodology involves an attempt to create a 'win.dat' file in the C:\ directory. If this file is successfully created, it serves as an indicator that the process indeed holds administrative privileges. This anomaly detection mechanism serves as a valuable pivot point for detecting NjRAT and other malware strains employing similar techniques to assess the privileges of their running malware instances, without using token privilege API calls or PowerShell commandlets. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069.001"], "nist": ["DE.AE"]} -known_false_positives = False positives may occur if there are legitimate accounts with the privilege to drop files in the root of the C drive. It's recommended to verify the legitimacy of such actions and the accounts involved. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Administrative Shares Accessed On Multiple Hosts - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic leverages Event IDs 5140 or 5145 to identify a source computer accessing windows administrative shares (C$, Admin$ and IPC$ ) across a large number remote endpoints. Specifically, the logic will trigger when a source endpoint accesses administrative shares across 30 or more target computers within a 5 minute timespan. This behavior could represent an adversary who is enumerating network shares across an Active Directory environment in the search for sensitive files, a common technique leveraged by red teamers and threat actors. As environments differ across organizations, security teams should customize the thresholds of this detection as needed. -how_to_implement = To successfully implement this search, you need to be ingesting file share events. The Advanced Security Audit policy setting `Audit Detailed File Share` or `Audit File Share` within `Object Access` need to be enabled. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1135"], "nist": ["DE.CM"]} -known_false_positives = An single endpoint accessing windows administrative shares across a large number of endpoints is not common behavior. Possible false positive scenarios include but are not limited to vulnerability scanners, administration systems and missconfigured systems. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows Admon Default Group Policy Object Modified - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic leverages Splunks Admon to identify the modification of a default Group Policy Object. A fresh installation of an Active Directory network will typically contain two default group policy objects `Default Domain Controllers Policy` and `Default Domain Policy`. The default domain controllers policy is used to enforce and set policies to all the domain controllers within the domain environment. The default domain policy is linked to all users and computers by default. An adversary who has obtained privileged access to an Active Directory network may modify the default group policy objects to obtain further access, deploy persistence or execute malware across a large number of hosts. Security teams should monitor the modification of the default GPOs. -how_to_implement = To successfully implement this search, you need to be monitoring Active Directory logs using Admon. Details can be found here https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/Data/MonitorActiveDirectory -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484", "T1484.001"], "nist": ["DE.CM"]} -known_false_positives = The default Group Policy Objects within an AD network may be legitimately updated for administrative operations, filter as needed. -providing_technologies = null - -[savedsearch://ESCU - Windows Admon Group Policy Object Created - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic leverages Splunks Admon to identify the creation of a new Group Policy Object. With GPOs, system administrators can manage and configure applications, software operations, and user settings throughout an entire organization. GPOs can be abused and leveraged by adversaries to escalate privileges or deploy malware across an Active Directory network. As an example, the Lockbit ransomware malware will create new group policies on the domain controller that are then pushed out to every device on the network. Security teams should monitor the creation of new Group Policy Objects. -how_to_implement = To successfully implement this search, you need to be monitoring Active Directory logs using Admon. Details can be found here https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/Data/MonitorActiveDirectory -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484", "T1484.001"], "nist": ["DE.CM"]} -known_false_positives = Group Policy Objects are created as part of regular administrative operations, filter as needed. -providing_technologies = null - -[savedsearch://ESCU - Windows Alternate DataStream - Base64 Content - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic leverages Sysmon EventID 15, a critical file creation event, to detect the creation of Alternate Data Streams (ADS) on Windows systems. ADS is a feature of the NTFS file system that allows the storage of data in hidden streams attached to files. These streams are not visible in standard file listings, making them a popular technique for concealing malicious activity. Event ID 15 captures both the hash of the primary file content (unnamed stream) and the content of any additional named streams, which can include executables, scripts, or configuration data. Malware often exploits ADS to hide payloads, leveraging browser downloads to attach a Zone.Identifier stream, marking the file as originating from the Internet (Mark Of The Web, MOTW). This analytic is designed to identify such misuse by analyzing the content and creation patterns of named streams, including those under 1KB which may contain MOTW information. It is essential for detecting sophisticated threats that utilize non-executable file types or conceal malicious scripts within ADS, beyond the traditional focus on PE executables. The detection process involves monitoring for the creation of named streams, which are part of the NTFS structure and can be examined using tools like PowerShell for the presence of additional data streams or MOTW information. This approach helps in uncovering hidden payloads and tracking the origin of suspicious files downloaded via browsers or email clients, providing a comprehensive defense against ADS abuse. -how_to_implement = Target environment must ingest sysmon data, specifically Event ID 15. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1564", "T1564.004"], "nist": ["DE.CM"]} -known_false_positives = Unknown -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Windows Alternate DataStream - Executable Content - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is designed to detect when data, possessing an IMPHASH value, is written to an Alternate Data Stream (ADS) in the NTFS file system. The presence of an IMPHASH value suggests that the written data has a Portable Executable (PE) structure, indicating its potential to be executed. Such behavior could be a sign of a threat actor staging malicious code within hard-to-detect areas of the file system for future use or persistence. It's important to note that for this analytic to function correctly, import hashing/imphash must be enabled within Sysmon. This allows the capture of the IMPHASH value, a unique identifier for the imported functions of a PE, providing a robust mechanism for detecting hidden malicious activity leveraging ADS. -how_to_implement = Target environment must ingest Sysmon data, specifically Event ID 15, and import hashing/imphash must be enabled within Sysmon. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1564", "T1564.004"], "nist": ["DE.CM"]} -known_false_positives = Unknown -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Windows Alternate DataStream - Process Execution - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This following analytic detects when a process attempts to execute a file from within an NTFS file system alternate data stream. This behavior could indicate that a threat actor staged malicious code within a difficult to detect area of the file system and is now attempting to execute it. -how_to_implement = Target environment must ingest process execution data sources such as Windows process monitoring and/or Sysmon EventID 1. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1564", "T1564.004"], "nist": ["DE.CM"]} -known_false_positives = False positives may be generated by process executions within the commandline, regex has been provided to minimize the possibilty. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Apache Benchmark Binary - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a default behavior of a MetaSploit payload. MetaSploit uses Apache Benchmark to generate payloads. The payloads contain standard artifacts including "Apache Benchmark" and the original file name is always ab.exe. During triage, review the process and it's path. It is possible network connections spawned from it. Review parallel processes for further behaviors. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]} -known_false_positives = False positives should be limited as there is a small subset of binaries that contain the original file name of ab.exe. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows App Layer Protocol Qakbot NamedPipe - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a suspicious process creating or connecting to a possible Qakbot named pipe . This technique was seen in Qakbot malware that creates named pipe after injecting its code in legitimate process to communicate on other process that also has an injected code to steal information on the compromised host. This Anomaly detection can be a good pivot for possible Qakbot infection. This detection looks for possible random generated named pipe (in GUID form) created by known process being abused by Qakbot. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, pipename, processguid and named pipe event type from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1071"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Windows App Layer Protocol Wermgr Connect To NamedPipe - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a suspicious wermgr.exe process creating or connecting to a named pipe. Wermgr.exe is part of Windows OS Problem reporting application responsible for reporting problems, fault or error happen on the Windows OS. This file is being abused by several Threat actors and malware such as Trickbot and Qakbot to execute their malicious code. This anomaly detection can be a good pivot on possible wermgr.exe processes having injected malicious code that might be related to qakbot infection that communicates via named pipe. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, pipename, processguid and named pipe event type from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1071"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Windows Application Layer Protocol RMS Radmin Tool Namedpipe - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the use of default or publicly known named pipes used by RMX remote admin tool. A named pipe is a named, one-way or duplex pipe for communication between the pipe server and one or more pipe clients. RMX Tool uses named pipes in many way as part of its communication for its server and client component. This tool was abuse by several adversaries and malware like Azorult to collect data to the targeted host. This TTP is a good indicator that this tool was install in production premise and need to check if the user has a valid reason why it need to install this legitimate application. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1071"], "nist": ["DE.CM"]} -known_false_positives = False positives may be present. Filter based on pipe name or process. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Windows AppLocker Block Events - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects attempts to bypass application restrictions by identifying Windows AppLocker policy violations. It leverages Windows AppLocker event logs, specifically EventCodes 8007, 8004, 8022, 8025, 8029, and 8040, to pinpoint blocked actions. This activity is significant for a SOC as it highlights potential unauthorized application executions, which could indicate malicious intent or policy circumvention. If confirmed malicious, this activity could allow an attacker to execute unauthorized applications, potentially leading to further system compromise or data exfiltration. -how_to_implement = To implement this analytic, you must be ingesting Windows AppLocker logs into Splunk. Ensure proper logging is setup for AppLocker and data is being ingested into Splunk. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218"], "nist": ["DE.AE"]} -known_false_positives = Administrators may legitimately use AppLocker to allow applications. -providing_technologies = null - -[savedsearch://ESCU - Windows AppLocker Execution from Uncommon Locations - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is designed to identify executions of applications or scripts from uncommon or suspicious file paths, which could be indicative of malware or unauthorized activity. By leveraging a simple statistical model, the query analyzes the frequency of application executions across different file paths. It calculates the average (avg) number of executions per file path and uses the standard deviation (stdev) to measure the variation or dispersion of the execution counts from the average. A file path is considered uncommon or suspicious if the number of executions from it is significantly higher than what is expected based on the calculated average and standard deviation. Specifically, the analytic flags any file path from which the number of executions exceeds the upper bound, defined as the average plus two times the standard deviation (avg+stdev*2). This approach helps in pinpointing anomalies in application execution patterns, potentially uncovering malicious activities or policy violations. -how_to_implement = The analytic is designed to be run against Windows AppLocker event logs collected from endpoints with AppLocker enabled. If using Microsoft Defender for Endpoint (MDE), modify the analytic to use EventTypes/ActionTypes that match the block events for AppLocker. The analytic requires the AppLocker event logs to be ingested into Splunk. Note that, an additional method to reduce any false positives would be to add the specific EventCodes - 8003 or 8004 and filter from there. Upon tuning, modify to Anomaly or TTP. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218"], "nist": ["DE.AE"]} -known_false_positives = False positives are possible if legitimate users are executing applications from file paths that are not permitted by AppLocker. It is recommended to investigate the context of the application execution to determine if it is malicious or not. Modify the threshold as needed to reduce false positives. -providing_technologies = null - -[savedsearch://ESCU - Windows AppLocker Privilege Escalation via Unauthorized Bypass - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic utilizes Windows AppLocker event logs to identify attempts to bypass application restrictions. AppLocker is a feature that allows administrators to specify which applications are permitted to run on a system. This analytic is designed to identify attempts to bypass these restrictions, which could be indicative of an attacker attempting to escalate privileges. The analytic uses EventCodes 8007, 8004, 8022, 8025, 8029, and 8040 to identify these attempts. The analytic will identify the host, full file path, and target user associated with the bypass attempt. These EventCodes are related to block events and focus on 5 attempts or more. -how_to_implement = The analytic is designed to be run against Windows AppLocker event logs collected from endpoints with AppLocker enabled. If using Microsoft Defender for Endpoint (MDE), modify the analytic to use EventTypes/ActionTypes that match the block events for AppLocker. The analytic requires the AppLocker event logs to be ingested into Splunk. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218"], "nist": ["DE.CM"]} -known_false_positives = False positives are possible if legitimate users are attempting to bypass application restrictions. This could occur if a user is attempting to run an application that is not permitted by AppLocker. It is recommended to investigate the context of the bypass attempt to determine if it is malicious or not. Modify the threshold as needed to reduce false positives. -providing_technologies = null - -[savedsearch://ESCU - Windows AppLocker Rare Application Launch Detection - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is designed to detect the launch of applications that occur rarely within the environment, which could indicate the use of potentially malicious software or tools by attackers. It works by aggregating the count of application launches over time, then calculating the average and standard deviation of these counts. Applications whose launch counts significantly deviate from the norm, either by exceeding or falling below three standard deviations from the average, are flagged for further investigation. This approach helps in identifying unusual application activity that could be indicative of a security threat. -how_to_implement = The analytic is designed to be run against Windows AppLocker event logs collected from endpoints with AppLocker enabled. If using Microsoft Defender for Endpoint (MDE), modify the analytic to use EventTypes/ActionTypes that match the block events for AppLocker. The analytic requires the AppLocker event logs to be ingested into Splunk. Note that, an additional method to reduce any false positives would be to add the specific EventCodes - 8003 or 8004 and filter from there. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218"], "nist": ["DE.AE"]} -known_false_positives = False positives are possible if legitimate users are launching applications that are not permitted by AppLocker. It is recommended to investigate the context of the application launch to determine if it is malicious or not. Modify the threshold as needed to reduce false positives. -providing_technologies = null - -[savedsearch://ESCU - Windows Archive Collected Data via Powershell - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies suspicious PowerShell script that archive files to a temp folder. This anomaly detection serves as a valuable indicator to uncover threats from adversaries utilizing PowerShell scripts for data archiving purposes. Identifying this method becomes pivotal in flagging and investigating potential threats, enabling proactive measures threat actors leveraging similar PowerShell-based data collection and archiving techniques. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1560"], "nist": ["DE.AE"]} -known_false_positives = powershell may used this function to archive data. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows Archive Collected Data via Rar - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a process execute a rar utilities to archive files. This method has been exploited by various threat actors, including red-teamers and malware like DarkGate, to gather and compress collected data on compromised hosts. Subsequently, these archives are transmitted to command and control servers as part of their data exfiltration techniques. These adversaries leverage RAR archiving to consolidate and compress collected data on compromised hosts. Once the data is compiled into these archives, it serves as a means for these entities to effectively exfiltrate sensitive information. This process involves transferring the archived data to command and control servers, facilitating the extraction and retrieval of critical information from compromised systems. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1560.001", "T1560"], "nist": ["DE.AE"]} -known_false_positives = user and network administrator can execute this command. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows AutoIt3 Execution - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic is designed to detect any execution of AutoIt3, a scripting language designed for automating the Windows GUI and general scripting. This includes instances where AutoIt3 has been renamed or otherwise altered in an attempt to evade detection. The analytic works by searching for process names or original file names that match 'autoit3.exe', which is the default executable for AutoIt scripts. This detection is important as AutoIt3 is often used by attackers to automate malicious activities, such as the execution of malware or other unwanted software. False positives may occur with legitimate uses of AutoIt3. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.CM"]} -known_false_positives = False positives may be present if the application is legitimately used, filter by user or endpoint as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Autostart Execution LSASS Driver Registry Modification - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the abuse of two undocumented registry keys that allow for a DLL to load into lsass.exe to potentially capture credentials. Upon successful modification of \CurrentControlSet\Services\NTDS\DirectoryServiceExtPt or \CurrentControlSet\Services\NTDS\LsaDbExtPt, a DLL either remote or local will be set as the value and load up into lsass.exe. Based on POC code a text file may be written to disk with credentials. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1547.008"], "nist": ["DE.CM"]} -known_false_positives = False positives may be present on recent Windows Operating Systems. Filtering may be required based on process_name. In addition, look for non-standard, unsigned, module loads into LSASS. If query is too noisy, modify by adding Endpoint.processes process_name to query to identify the process making the modification. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Binary Proxy Execution Mavinject DLL Injection - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = Adversaries may abuse mavinject.exe to inject malicious DLLs into running processes (i.e. Dynamic-link Library Injection), allowing for arbitrary code execution (ex. C:\Windows\system32\mavinject.exe PID /INJECTRUNNING PATH_DLL). In addition to Dynamic-link Library Injection, Mavinject.exe can also be abused to perform import descriptor injection via its /HMODULE command-line parameter (ex. mavinject.exe PID /HMODULE=BASE_ADDRESS PATH_DLL ORDINAL_NUMBER). This command would inject an import table entry consisting of the specified DLL into the module at the given base address. During triage, review file modifcations and parallel processes. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.013", "T1218"], "nist": ["DE.CM"]} -known_false_positives = False positives may be present, filter on DLL name or parent process. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Boot or Logon Autostart Execution In Startup Folder - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic will identify suspicious files dropped or created in the Windows %startup% folder. This technique is a common way to gain persistence on a targeted host. Threat actor, adversaries and red teamer abuse this folder path to automatically execute their malicious sample upon boot or restart of the infected host. This TTP detection is a good indicator that a suspicious process wants to gain persistence on the targeted host. We suggest to verify the process name by using the process guid field, the file created and also the user and the computer name for further investigation. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1547.001", "T1547"], "nist": ["DE.AE"]} -known_false_positives = Administrators may allow creation of script or exe in this path. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows BootLoader Inventory - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following hunting query utilizes a PowerShell Scripted input that captures the bootloader paths for each Windows endpoint it is deployed to. The template inputs.conf is located in the references link. By default, it only captures the path, but may be modified to capture everything that BCDedit provides. It can be verbose, but may be worth it. -how_to_implement = To implement this analytic, a new stanza will need to be added to a inputs.conf and deployed to all or some Windows endpoints. https://gist.github.com/MHaggis/26518cd2844b0e03de6126660bb45707 provides the stanza. If modifying the sourcetype, be sure to update the Macro for this analytic. Recommend running it daily, or weekly, depending on threat model. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1542.001", "T1542"], "nist": ["DE.AE"]} -known_false_positives = No false positives here, only bootloaders. Filter as needed or create a lookup as a baseline. -providing_technologies = null - -[savedsearch://ESCU - Windows Bypass UAC via Pkgmgr Tool - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a potentially suspicious execution of the 'pkgmgr' process involving the use of an XML input file for package management. The 'pkgmgr' process, though deprecated in modern Windows systems, was historically used for managing packages. The presence of an XML input file raises concerns about the nature of the executed command and its potential impact on the system. Due to the deprecated status of 'pkgmgr' and the involvement of an XML file, this activity warrants careful investigation. XML files are commonly used for configuration and data exchange, making it crucial to ascertain the intentions and legitimacy of the command. To ensure system security, it is recommended to use up-to-date package management utilities, such as DISM or PowerShell's PackageManagement module, and exercise caution when executing commands involving potentially sensitive operations or files. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002"], "nist": ["DE.AE"]} -known_false_positives = False positives may be present on recent Windows Operating Systems. Filtering may be required based on process_name. In addition, look for non-standard, unsigned, module loads into LSASS. If query is too noisy, modify by adding Endpoint.processes process_name to query to identify the process making the modification. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows CAB File on Disk - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies .cab files being written to disk. Utilize this analytic as a way to hunt for suspect .cab files being written to non-standard paths and tune as needed. Cab files were recently being utilized to deliver .url files embedded. The .url files were then used to deliver malicious payloads. The search specifically looks for instances where the file name is '*.cab' and the action is 'write'. During the triage process, it is recommended to review the file path for additional artifacts that may provide further insights into the event. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.001"], "nist": ["DE.AE"]} -known_false_positives = False positives will only be present if a process legitimately writes a .cab file to disk. Modify the analytic as needed by file path. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Cached Domain Credentials Reg Query - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a process command line related to the discovery of cache domain credential logon count in the registry. This Technique was being abused by several post exploitation tool like Winpeas where it query CachedLogonsCount registry value in Winlogon registry. This value can be good information about the login caching setting on the Windows OS target host. A value of 0 means login caching is disable and values > 50 caches only 50 login attempts. By default all versions of Windows 10 save cached logins except Windows Server 2008. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.005", "T1003"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Change Default File Association For No File Ext - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is developed to detect suspicious process commandline to change or set the default file association of a file without file extension with notepad.exe. This technique was seen in some APT and ransomware Prestige where it set/modify the default process to run file association, like .txt to notepad.exe. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1546.001", "T1546"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows ClipBoard Data via Get-ClipBoard - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a powershell script command to retrieve clipboard data. This technique was seen in several post exploitation tools like WINPEAS to steal sensitive information that was saved in clipboard. Using the Get-Clipboard powershell commandlet, adversaries can be able collect data stored in clipboard that might be a copied user name, password or other sensitive information. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1115"], "nist": ["DE.AE"]} -known_false_positives = It is possible there will be false positives, filter as needed. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows COM Hijacking InprocServer32 Modification - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the use of reg.exe performing an add to the InProcServer32, which may be related to COM hijacking. Adversaries can use the COM system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence. Hijacking a COM object requires a change in the Registry to replace a reference to a legitimate system component which may cause that component to not work when executed. When that system component is executed through normal system operation the adversary's code will be executed instead. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1546.015", "T1546"], "nist": ["DE.CM"]} -known_false_positives = False positives may be present and some filtering may be required. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Command and Scripting Interpreter Hunting Path Traversal - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies path traversal command-line execution and should be used to tune and driver other more higher fidelity analytics. This technique was seen in malicious document that execute malicious code using msdt.exe and path traversal technique that serve as defense evasion. This Hunting query is a good pivot to look for possible suspicious process and command-line that runs execute path traversal technique to run malicious code. This may help you to find possible downloaded malware or other lolbin execution. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]} -known_false_positives = false positive may vary depends on the score you want to check. The bigger number of path traversal string count the better. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Command and Scripting Interpreter Path Traversal Exec - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies path traversal command-line execution. This technique was seen in malicious document that execute malicious code using msdt.exe and path traversal technique that serve as defense evasion. This TTP is a good pivot to look for more suspicious process and command-line that runs before and after this execution. This may help you to find possible downloaded malware or other lolbin execution. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.CM"]} -known_false_positives = Not known at this moment. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Command Shell DCRat ForkBomb Payload - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies DCRat "forkbomb" payload feature. This technique was seen in dark crystal RAT backdoor capabilities where it will execute several cmd child process executing "notepad.exe & pause". The following analytic detects the multiple cmd.exe and child process notepad.exe execution using batch script in the targeted host within 30s timeframe. this TTP can be a good pivot to check DCRat infection. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.003", "T1059"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Command Shell Fetch Env Variables - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a suspicious process command line fetching the environment variables with a non-shell parent process. This technique was seen in qakbot malware where it fetches the environment variable in the target or compromised host. This TTP detection is a good pivot of possible malicious behavior since the command line is executed by a common non-shell process like cmd.exe , powershell.exe and many more. This can also be a good sign that the parent process has a malicious code injected to it to execute this command. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} -known_false_positives = shell process that are not included in this search may cause False positive. Filter is needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following correlation identifies instances where four or more distinct detection analytics are associated with malicious command line behavior that is known to be exploited by multiple threat actors, adversaries, or red teamers on a specific host. By leveraging the Command Line Interface (CLI), attackers can execute malicious commands, gain access to sensitive data, install backdoors, and engage in various nefarious activities. The impact of such compromise can be severe, as attackers may gain unauthorized control over the compromised system, enabling them to exfiltrate valuable information, escalate privileges, or launch further attacks within the network. If this detection is triggered, there is a high level of confidence in the occurrence of suspicious command line activities on the host. -how_to_implement = Splunk Enterprise Security is required to utilize this correlation. In addition, modify the source_count value to your environment. In our testing, a count of 4 or 5 was decent in a lab, but the number may need to be increased base on internal testing. In addition, based on false positives, modify any analytics to be anomaly and lower or increase risk based on organization importance. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation"], "mitre_attack": ["T1222", "T1049", "T1033", "T1529", "T1016", "T1059"], "nist": ["DE.AE"]} -known_false_positives = False positives will be present based on many factors. Tune the correlation as needed to reduce too many triggers. -providing_technologies = null - -[savedsearch://ESCU - Windows Computer Account Created by Computer Account - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifes a Computer Account creating a new Computer Account with specific a Service Principle Name - "RestrictedKrbHost". The RestrictedKrbHost service class allows client applications to use Kerberos authentication when they do not have the identity of the service but have the server name. -how_to_implement = To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4741 EventCode enabled. The Windows TA is also required. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558"], "nist": ["DE.CM"]} -known_false_positives = It is possible third party applications may have a computer account that adds computer accounts, filtering may be required. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows Computer Account Requesting Kerberos Ticket - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects a computer account requesting a Kerberos ticket, which is unusual as typically user accounts request these tickets. This detection leverages Windows Security Event Logs, specifically EventCode 4768, to identify instances where the TargetUserName ends with a dollar sign ($), indicating a computer account. This activity is significant because it may indicate the use of tools like KrbUpRelay or other Kerberos-based attacks. If confirmed malicious, this could allow attackers to impersonate computer accounts, potentially leading to unauthorized access and lateral movement within the network. -how_to_implement = To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4768 EventCode enabled. The Windows TA is also required. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558"], "nist": ["DE.CM"]} -known_false_positives = It is possible false positives will be present based on third party applications. Filtering may be needed. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows Computer Account With SPN - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the addition of Service Principal Names (SPNs) HOST and RestrictedKrbHost to a computer account, indicative of KrbRelayUp behavior. This detection leverages Windows Security Event Logs, specifically EventCode 4741, to identify changes in SPNs. This activity is significant as it is commonly associated with Kerberos-based attacks, which can be used to escalate privileges or perform lateral movement within a network. If confirmed malicious, this behavior could allow an attacker to impersonate services, potentially leading to unauthorized access to sensitive resources. -how_to_implement = To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4741 EventCode enabled. The Windows TA is also required. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558"], "nist": ["DE.CM"]} -known_false_positives = It is possible third party applications may add these SPNs to Computer Accounts, filtering may be needed. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows ConHost with Headless Argument - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the unusual use of the Windows Console Host process (conhost.exe) with the undocumented --headless parameter to spawn a new process. This behavior is highly unusual and indicative of suspicious activity, as the --headless parameter is not commonly used in legitimate operations. The analytic identifies this behavior by looking for instances where conhost.exe is invoked with the --headless argument. This behavior is worth identifying for a Security Operations Center (SOC) as it could indicate an attacker's attempt to execute commands or scripts in a stealthy manner, potentially to establish persistence, perform lateral movement, or carry out other malicious activities. If a true positive is identified, it suggests that an attacker has gained a foothold in the environment and is attempting to further their attack, which could lead to serious consequences such as data exfiltration, system compromise, or deployment of ransomware. Potential false positives could arise from legitimate administrative activity, hence it is important to validate the context of the detected behavior during triage. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1564.003", "T1564.006"], "nist": ["DE.CM"]} -known_false_positives = False positives may be present if the application is legitimately used, filter by user or endpoint as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Create Local Account - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the creation of a new local user account on a Windows system. It leverages Windows Security Audit logs, specifically event ID 4720, to identify this activity. Monitoring the creation of local accounts is crucial for a SOC as it can indicate unauthorized access or lateral movement within the network. If confirmed malicious, this activity could allow an attacker to establish persistence, escalate privileges, or gain unauthorized access to sensitive systems and data. -how_to_implement = This search requires you to have enabled your Group Management Audit Logs in your Local Windows Security Policy and be ingesting those logs. More information on how to enable them can be found here: http://whatevernetworks.com/auditing-group-membership-changes-in-active-directory/ -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.AE"]} -known_false_positives = It is possible that an administrator created the account. Verifying activity with an administrator is advised. This analytic is set to anomaly to allow for risk to be added. Filter and tune as needed. Restrict to critical infrastructure to reduce any volume. -providing_technologies = null - -[savedsearch://ESCU - Windows Credential Access From Browser Password Store - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a possible non-common browser process accessing its browser user data profile. This tactic/technique has been observed in various Trojan Stealers, such as SnakeKeylogger, which attempt to gather sensitive browser information and credentials as part of their exfiltration strategy. Detecting this anomaly can serve as a valuable pivot for identifying processes that access lists of browser user data profiles unexpectedly. This detection uses a lookup file `browser_app_list` that maintains a list of well known browser applications and the browser paths that are allowed to access the browser user data profiles. -how_to_implement = To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." This search may trigger on a browser application that is not included in the browser_app_list lookup file. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1012"], "nist": ["DE.AE"]} -known_false_positives = The lookup file `browser_app_list` may not contain all the browser applications that are allowed to access the browser user data profiles. Consider updating the lookup files to add allowed object paths for the browser applications that are not included in the lookup file. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows Credential Dumping LSASS Memory Createdump - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the use of CreateDump.exe being used to perform a process dump. This particular binary is not native to Windows, but is found to be brought in my many different third party applications including PowerShell 7. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001"], "nist": ["DE.CM"]} -known_false_positives = False positives may be present if an application is dumping processes, filter as needed. Recommend reviewing createdump.exe usage across the fleet to better understand all usage and by what. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Credentials from Password Stores Chrome Extension Access - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic focuses on identifying non-chrome processes that attempt to access the Chrome extensions file. This file contains crucial settings and information related to the browser's extensions installed on the computer. Adversaries and malware authors have been known to exploit this file to extract sensitive information from the Chrome browser on targeted hosts. Detecting such anomalous behavior provides valuable insights for analyzing suspicious processes beyond the commonly observed chrome.exe and explorer.exe executables. By monitoring for access to the Chrome extensions file by non-chrome processes, we can enhance our ability to detect potential threats and protect sensitive information stored within the browser. -how_to_implement = To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1012"], "nist": ["DE.AE"]} -known_false_positives = Uninstall chrome browser extension application may access this file and folder path to removed chrome installation in the target host. Filter is needed. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is designed to detect non-chrome processes accessing the Chrome user data file called "local state." This file contains important settings and information related to the browser's operations on the computer. Threat actors, adversaries, and malware authors have been known to exploit this file in attempts to extract the encrypted master key used for decrypting passwords saved in the Chrome browser. Detecting access to the "local state" file by non-chrome processes serves as a valuable pivot for analyzing suspicious processes beyond the commonly observed chrome.exe and explorer.exe executables. By monitoring for this anomaly, we can improve our ability to identify potential threats and safeguard sensitive information stored within the browser. -how_to_implement = To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1012"], "nist": ["DE.AE"]} -known_false_positives = Uninstall chrome application may access this file and folder path to removed chrome installation in target host. Filter is needed. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is designed to identify non-chrome processes accessing the Chrome user data file called "login data." This SQLite database file contains important information related to the browser's operations on the computer. Threat actors, adversaries, and malware authors have been known to exploit this file in attempts to extract and decrypt passwords saved in the Chrome browser. Detecting access to the "login data" file by non-chrome processes serves as a valuable pivot for analyzing suspicious processes beyond the commonly observed chrome.exe and explorer.exe executables. By monitoring for this anomaly, we can enhance our ability to detect potential threats and protect sensitive information stored within the browser. -how_to_implement = To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1012"], "nist": ["DE.AE"]} -known_false_positives = Uninstall application may access this registry to remove the entry of the target application. filter is needed. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows Credentials from Password Stores Creation - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a process execution of Windows OS cmdkey.exe tool. This tool is being abused or used by several post exploitation tool and malware such as Darkgate malware to create stored user names, passwords or credentials in the targeted Windows OS host. This information can be used by the attacker to gain privilege escalation and persistence in the targeted hosts for further attacks. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1555"], "nist": ["DE.CM"]} -known_false_positives = network administrator can use this tool for auditing process. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Credentials from Password Stores Deletion - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a process execution of Windows OS cmdkey.exe tool. This tool is being abused or used by several post exploitation tool and malware such as Darkgate malware to delete stored user names, passwords or credentials in the targeted Windows OS host. This information can be used by the attacker to gain privilege escalation and persistence in the targeted hosts for further attacks. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1555"], "nist": ["DE.CM"]} -known_false_positives = network administrator can use this tool for auditing process. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Credentials from Password Stores Query - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a process execution of Windows OS cmdkey.exe tool. This tool is being abused or used by several post exploitation tool such as winpeas that being used by ransomware prestige to list stored user names, passwords or credentials in the targeted Windows OS host. This information can be used by the attacker to gain privilege escalation and persistence in the targeted hosts for further attacks. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1555"], "nist": ["DE.AE"]} -known_false_positives = network administrator can use this tool for auditing process. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Credentials in Registry Reg Query - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a process command line related to the discovery of possible password or credentials in the registry. This technique is being abused by adversaries or post exploitation tools like winpeas to steal credentials in the registry in the targeted host. Registry can contain several sensitive information like username and credentials that can be used for privilege escalation, persistence or even in lateral movement. This Anomaly detection can be a good pivot to detect a suspicious process querying a registry related to password or private keys. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.002", "T1552"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Curl Download to Suspicious Path - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the use of Windows Curl.exe downloading a file to a suspicious location. \ --O or --output is used when a file is to be downloaded and placed in a specified location. \ -During triage, review parallel processes for further behavior. In addition, identify if the download was successful. If a file was downloaded, capture and analyze. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]} -known_false_positives = It is possible Administrators or super users will use Curl for legitimate purposes. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Curl Upload to Remote Destination - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the use of Windows Curl.exe uploading a file to a remote destination. \ -`-T` or `--upload-file` is used when a file is to be uploaded to a remotge destination. \ - \ -`-d` or `--data` POST is the HTTP method that was invented to send data to a receiving web application, and it is, for example, how most common HTML forms on the web work. \ - \ -HTTP multipart formposts are done with `-F`, but this appears to not be compatible with the Windows version of Curl. Will update if identified adversary tradecraft. \ - \ -Adversaries may use one of the three methods based on the remote destination and what they are attempting to upload (zip vs txt). During triage, review parallel processes for further behavior. In addition, identify if the upload was successful in network logs. If a file was uploaded, isolate the endpoint and review. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]} -known_false_positives = False positives may be limited to source control applications and may be required to be filtered out. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Data Destruction Recursive Exec Files Deletion - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic identifies a suspicious process that is recursively deleting files on a compromised host. This behavior has been observed in several types of destructive malware, such as CaddyWiper, DoubleZero, and SwiftSlicer, which delete or overwrite files with randomly generated strings to make recovery impossible. Additionally, this analytic can detect potential recursive file writes across multiple files using Sysmon Event 23 or 26. Sysmon considers a file as deleted as soon as it is overwritten. This analytic serves as a strong indicator of potential destructive malware activity on a host machine or the uninstallation of a large software application. -how_to_implement = To successfully implement this search, you need to ingest logs that include the process name, TargetFilename, and ProcessID executions from your endpoints. If you are using Sysmon, ensure you have at least version 2.0 of the Sysmon TA installed. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.CM"]} -known_false_positives = The uninstallation of a large software application or the use of cleanmgr.exe may trigger this detection. A filter is necessary to reduce false positives. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Windows Defacement Modify Transcodedwallpaper File - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a modification to the Transcodedwallpaper file in the wallpaper theme directory to change the wallpaper of the host machine. This technique was seen in adversaries attempting to deface or change the desktop wallpaper of the targeted host. During our testing, the common process that affects or changes the wallpaper if a user changes it via desktop personalized setting is explorer.exe. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1491"], "nist": ["DE.AE"]} -known_false_positives = 3rd part software application can change the wallpaper. Filter is needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Default Group Policy Object Modified - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic leverages Event ID 5136 to identify the modification of a default Group Policy Object. A fresh installation of an Active Directory network will typically contain two default group policy objects `Default Domain Controllers Policy` and `Default Domain Policy`. The default domain controllers policy is used to enforce and set policies to all the domain controllers within the domain environment. The default domain policy is linked to all users and computers by default. An adversary who has obtained privileged access to an Active Directory network may modify the default group policy objects to obtain further access, deploy persistence or execute malware across a large number of hosts. Security teams should monitor the modification of the default GPOs. -how_to_implement = To successfully implement this search, the Advanced Security Audit policy setting `Audit Directory Service Changes` within `DS Access` needs to be enabled. Furthermore, the appropriate system access control lists (SACL) need to be created as the used events are not logged by default. A good guide to accomplish this can be found here https://jgspiers.com/audit-group-policy-changes/. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484", "T1484.001"], "nist": ["DE.CM"]} -known_false_positives = The default Group Policy Objects within an AD network may be legitimately updated for administrative operations, filter as needed. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows Default Group Policy Object Modified with GPME - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic leverages the Endpoint datamodel to identify the potential edition of a default Group Policy Object. A fresh installation of an Active Directory network will typically contain two default group policy objects `Default Domain Controllers Policy` and `Default Domain Policy`. The default domain controllers policy is used to enforce and set policies to all the domain controllers within the domain environment. The default domain policy is linked to all users and computers by default. An adversary who has obtained privileged access to an Active Directory network may modify the default group policy objects to obtain further access, deploy persistence or execute malware across a large number of hosts. Security teams should monitor the edition of the default GPOs. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484", "T1484.001"], "nist": ["DE.CM"]} -known_false_positives = The default Group Policy Objects within an AD network may be legitimately updated for administrative operations, filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Defender ASR Audit Events - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This detection searches for Windows Defender ASR audit events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This detection searches for ASR audit events that are generated when a process or application attempts to perform an action that would be blocked by an ASR rule, but is allowed to proceed for auditing purposes. -how_to_implement = The following analytic requires collection of Windows Defender Operational logs in either XML or multi-line. To collect, setup a new input for the Windows Defender Operational logs. In addition, it does require a lookup that maps the ID to ASR Rule name. Note that Audit and block Event IDs have different fields, therefore the analytic will need to be modified for each type of event. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1059", "T1566.001", "T1566.002"], "nist": ["DE.AE"]} -known_false_positives = False positives are expected from legitimate applications generating events that are similar to those generated by malicious activity. For example, Event ID 1122 is generated when a process attempts to load a DLL that is blocked by an ASR rule. This can be triggered by legitimate applications that attempt to load DLLs that are not blocked by ASR rules. This is audit only. -providing_technologies = ["Microsoft Defender"] - -[savedsearch://ESCU - Windows Defender ASR Block Events - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This detection searches for Windows Defender ASR block events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This detection searches for ASR block events that are generated when a process or application attempts to perform an action that is blocked by an ASR rule. Typically, these will be enabled in block most after auditing and tuning the ASR rules themselves. Set to TTP once tuned. -how_to_implement = The following analytic requires collection of Windows Defender Operational logs in either XML or multi-line. To collect, setup a new input for the Windows Defender Operational logs. In addition, it does require a lookup that maps the ID to ASR Rule name. Note that Audit and block Event IDs have different fields, therefore the analytic will need to be modified for each type of event. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1059", "T1566.001", "T1566.002"], "nist": ["DE.AE"]} -known_false_positives = False positives are expected from legitimate applications generating events that are similar to those generated by malicious activity. For example, Event ID 1122 is generated when a process attempts to load a DLL that is blocked by an ASR rule. This can be triggered by legitimate applications that attempt to load DLLs that are not blocked by ASR rules. This is block only. -providing_technologies = ["Microsoft Defender"] - -[savedsearch://ESCU - Windows Defender ASR Registry Modification - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This detection searches for Windows Defender ASR registry modification events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This detection searches for ASR registry modification events that are generated when a process or application attempts to modify a registry key that is blocked by an ASR rule. Typically, these will be enabled in block most after auditing and tuning the ASR rules themselves. Set to TTP once tuned. -how_to_implement = The following analytic requires collection of Windows Defender Operational logs in either XML or multi-line. To collect, setup a new input for the Windows Defender Operational logs. In addition, it does require a lookup that maps the ID to ASR Rule name. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -known_false_positives = False positives are expected from legitimate applications generating events that are similar to those generated by malicious activity. For example, Event ID 5007 is generated when a process attempts to modify a registry key that is related to ASR rules. This can be triggered by legitimate applications that attempt to modify registry keys that are not blocked by ASR rules. -providing_technologies = ["Microsoft Defender"] - -[savedsearch://ESCU - Windows Defender ASR Rule Disabled - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies when a Windows Defender ASR rule disabled events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This detection searches for ASR rule disabled events that are generated when an ASR rule is disabled. -how_to_implement = The following analytic requires collection of Windows Defender Operational logs in either XML or multi-line. To collect, setup a new input for the Windows Defender Operational logs. In addition, it does require a lookup that maps the ID to ASR Rule name. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} -known_false_positives = False positives may occur if applications are typically disabling ASR rules in the environment. Monitor for changes to ASR rules to determine if this is a false positive. -providing_technologies = ["Microsoft Defender"] - -[savedsearch://ESCU - Windows Defender ASR Rules Stacking - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This hunting analytic targets a range of security events from Microsoft Defender, focusing on the Exploit Guard and Attack Surface Reduction (ASR) features. It monitors specific Event IDs - Event IDs 1121 and 1126 indicate active blocking of unauthorized operations or dangerous network connections, whereas Event IDs 1122 and 1125 represent audit logs for similar activities. Event ID 1129 shows user overrides on blocked operations. For ASR-related activities, Event IDs 1131 and 1133 signal blocked operations, while 1132 and 1134 are audit logs. Event ID 5007 alerts on configuration changes, possibly indicating security breaches. \ -Additionally, the analytic utilizes a lookup to correlate ASR rule GUIDs with their descriptive names, enhancing understanding of the context behind these security alerts. This includes rules for blocking vulnerable drivers, restricting actions of Adobe Reader and Office applications, and protecting against various malware and unauthorized system changes. This comprehensive approach aids in assessing policy enforcement and potential security risks. -how_to_implement = The following analytic requires collection of Windows Defender Operational logs in either XML or multi-line. To collect, setup a new input for the Windows Defender Operational logs. In addition, it does require a lookup that maps the ID to ASR Rule name. Note that Audit and block Event IDs have different fields, therefore the analytic will need to be modified for each type of event. The analytic can be modified to look for specific ASR rules, or to look for specific Event IDs. EventID 5007 is a change in the registry, and may be a false positive. This can be removed from the search if desired. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1566.001", "T1566.002", "T1059"], "nist": ["DE.AE"]} -known_false_positives = False positives are not expected with this analytic, since it is a hunting analytic. It is meant to show the use of ASR rules and how they can be used to detect malicious activity. -providing_technologies = ["Microsoft Defender"] - -[savedsearch://ESCU - Windows Defender Exclusion Registry Entry - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic will detect a suspicious process that modify a registry related to windows defender exclusion feature. This registry is abused by adversaries, malware author and red teams to bypassed Windows Defender Anti-Virus product by excluding folder path, file path, process, extensions and etc. from its real time or schedule scan to execute their malicious code. This is a good indicator for a defense evasion and to look further for events after this behavior. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -known_false_positives = admin or user may choose to use this windows features. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Delete or Modify System Firewall - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic identifies potentially malicious 'netsh' processes that manipulate firewall configurations. This behavior has been observed in the NJRAT malware, which deletes its added firewall rules as part of its cleanup process. Leveraging this anomaly detection can be a valuable approach for detecting malware, such as NJRAT, that makes alterations to firewall configurations as a component of its malicious activities. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562", "T1562.004"], "nist": ["DE.AE"]} -known_false_positives = Administrator may modify or delete firewall configuration. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Deleted Registry By A Non Critical Process File Path - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is to detect deletion of registry with suspicious process file path. This technique was seen in Double Zero wiper malware where it will delete all the subkey in HKLM, HKCU and HKU registry hive as part of its destructive payload to the targeted hosts. This anomaly detections can catch possible malware or advesaries deleting registry as part of defense evasion or even payload impact but can also catch for third party application updates or installation. In this scenario false positive filter is needed. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -known_false_positives = This detection can catch for third party application updates or installation. In this scenario false positive filter is needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Disable Change Password Through Registry - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is to detect a suspicious registry modification to disable change password feature of the windows host. This registry modification may disables the Change Password button on the Windows Security dialog box (which appears when you press Ctrl+Alt+Del). As a result, users cannot change their Windows password on demand. This technique was seen in some malware family like ransomware to prevent the user to change the password after ownning the network or a system during attack. This windows feature may implemented by administrator to prevent normal user to change the password of a critical host or server, In this type of scenario filter is needed to minimized false positive. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -known_false_positives = This windows feature may implemented by administrator to prevent normal user to change the password of a critical host or server, In this type of scenario filter is needed to minimized false positive. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Disable Lock Workstation Feature Through Registry - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is to detect a suspicious registry modification to disable Lock Computer windows features. This registry modification prevent the user from locking its screen or computer that are being abused by several malware for example ransomware. This technique was used by threat actor to make its payload more impactful to the compromised host. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Disable LogOff Button Through Registry - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is to detect a suspicious registry modification to disable logoff feature in windows host. This registry when enable will prevent users to log off of the system by using any method, including programs run from the command line, such as scripts. It also disables or removes all menu items and buttons that log the user off of the system. This technique was seen abused by ransomware malware to make the compromised host un-useful and hard to remove other registry modification made on the machine that needs restart to take effect. This windows feature may implement by administrator in some server where shutdown is critical. In that scenario filter of machine and users that can modify this registry is needed. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -known_false_positives = This windows feature may implement by administrator in some server where shutdown is critical. In that scenario filter of machine and users that can modify this registry is needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Disable Memory Crash Dump - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a process that is attempting to disable the ability on Windows to generate a memory crash dump. This was recently identified being utilized by HermeticWiper. To disable crash dumps, the value must be set to 0. This feature is typically modified to perform a memory crash dump when a computer stops unexpectedly because of a Stop error (also known as a blue screen, system crash, or bug check). -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` and `Registry` node. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Disable Notification Center - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following search identifies a modification of registry to disable the windows notification center feature in a windows host machine. This registry modification removes notification and action center from the notification area on the task bar. This modification are seen in RAT malware to cover their tracks upon downloading other of its component or other payload. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -known_false_positives = admin or user may choose to disable this windows features. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Disable or Modify Tools Via Taskkill - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is designed to identify potentially malicious processes that terminate other processes using taskkill.exe. This technique has been observed in various malware instances, employed by adversaries and red teamers alike, to forcibly terminate other processes whether they be security products or other legitimate applications as part of their malicious activities. Detecting this anomaly serves as a valuable alert mechanism to identify suspicious processes or malware attempting to evade detection and disrupt system stability. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562", "T1562.001"], "nist": ["DE.AE"]} -known_false_positives = Network administrator can use this application to kill process during audit or investigation. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Disable Shutdown Button Through Registry - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is to detect a suspicious registry modification to disable shutdown button on the logon user. This technique was seen in several malware especially in ransomware family like killdisk malware variant to make the compromised host un-useful and hard to remove other registry modification made on the machine that needs restart to take effect. This windows feature may implement by administrator in some server where shutdown is critical. In that scenario filter of machine and users that can modify this registry is needed. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -known_false_positives = This windows feature may implement by administrator in some server where shutdown is critical. In that scenario filter of machine and users that can modify this registry is needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Disable Windows Event Logging Disable HTTP Logging - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the use of AppCmd.exe to disable HTTP logging on IIS servers. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution events where AppCmd.exe is used with specific parameters to alter logging settings. This activity is significant because disabling HTTP logging can help adversaries hide their tracks and avoid detection by removing evidence of their actions. If confirmed malicious, this could allow attackers to operate undetected, making it difficult to trace their activities and respond to the intrusion effectively. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1562.002", "T1562", "T1505", "T1505.004"], "nist": ["DE.CM"]} -known_false_positives = False positives may be present only if scripts or Administrators are disabling logging. Filter as needed by parent process or other. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Disable Windows Group Policy Features Through Registry - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is to detect a suspicious registry modification to disable windows features. These techniques are seen in several ransomware malware to impair the compromised host to make it hard for analyst to mitigate or response from the attack. Disabling these known features make the analysis and forensic response more hard. Disabling these feature is not so common but can still be implemented by the administrator for security purposes. In this scenario filters for users that are allowed doing this is needed. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -known_false_positives = Disabling these features for legitimate purposes is not a common use case but can still be implemented by the administrators. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows DisableAntiSpyware Registry - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The search looks for the Registry Key DisableAntiSpyware set to disable. This is consistent with Ryuk infections across a fleet of endpoints. This particular behavior is typically executed when an ransomware actor gains access to an endpoint and beings to perform execution. Usually, a batch (.bat) will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. Endpoint should be isolated. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows DiskCryptor Usage - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies DiskCryptor process name of dcrypt.exe or internal name dcinst.exe. This utility has been utilized by adversaries to encrypt disks manually during an operation. In addition, during install, a dcrypt.sys driver is installed and requires a reboot in order to take effect. There are no command-line arguments used. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1486"], "nist": ["DE.AE"]} -known_false_positives = It is possible false positives may be present based on the internal name dcinst.exe, filter as needed. It may be worthy to alert on the service name. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Diskshadow Proxy Execution - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = DiskShadow.exe is a Microsoft Signed binary present on Windows Server. It has a scripting mode intended for complex scripted backup operations. This feature also allows for execution of arbitrary unsigned code. This analytic looks for the usage of the scripting mode flags in executions of DiskShadow. During triage, compare to known backup behavior in your environment and then review the scripts called by diskshadow. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218"], "nist": ["DE.CM"]} -known_false_positives = Administrators using the DiskShadow tool in their infrastructure as a main backup tool with scripts will cause false positives that can be filtered with `windows_diskshadow_proxy_execution_filter` -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows DISM Remove Defender - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the use of `dism.exe` to remove Windows Defender. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that include specific parameters for disabling and removing Windows Defender. This activity is significant because adversaries may disable Defender to evade detection and carry out further malicious actions undetected. If confirmed malicious, this could lead to the attacker gaining persistent access, executing additional payloads, or exfiltrating sensitive data without being intercepted by Windows Defender. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -known_false_positives = Some legitimate administrative tools leverage `dism.exe` to manipulate packages and features of the operating system. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows DLL Search Order Hijacking Hunt with Sysmon - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This hunting analytic identifies known Windows libraries potentially used in DLL search order hijacking or DLL Sideloading scenarios. Such cases may necessitate recompiling the DLL, relocating the DLL, or moving the vulnerable process. The query searches for any processes running outside of system32 or syswow64 directories. Certain libraries inherently operate from different application paths and must be added to the exclusion list as required. The lookup includes Microsoft native libraries cataloged in the Hijacklibs.net project. -how_to_implement = The search is written against the latest Sysmon TA 4.0 https://splunkbase.splunk.com/app/5709. For this specific event ID 7, the sysmon TA will extract the ImageLoaded name to the loaded_file field which is used in the search to compare against the hijacklibs lookup. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.001", "T1574"], "nist": ["DE.AE"]} -known_false_positives = False positives will be present based on paths. Filter or add other paths to the exclusion as needed. Some applications may legitimately load libraries from non-standard paths. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Windows DLL Search Order Hijacking with iscsicpl - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a recently disclosed search ordler DLL hijack in iscsicpl.exe. The malicious DLL must be in a new path and iscsicpl.exe, upon load, will execute the payload. The analytic is restricted to Windows shells. Two proof of concepts were identified and utilized to determine the behavior. The command-line is an option to go after, but most likely identifying a child process off iscsicpl.exe will be more effective. Monitoring for suspicious DLL loads is also an option. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.001"], "nist": ["DE.CM"]} -known_false_positives = False positives may be present, filtering may be required. Remove the Windows Shells macro to determine if other utilities are using iscsicpl.exe. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows DLL Side-Loading In Calc - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies suspicious DLL modules loaded by calc.exe that are not in windows %systemroot%\system32 or %systemroot%\sysWoW64 folder. This technique is well used by Qakbot malware to execute its malicious DLL file via dll side loading technique in calc process execution. This TTP detection is a good indicator that a suspicious dll was loaded in a public or non-common installation folder of Windows Operating System that needs further investigation. -how_to_implement = To successfully implement this search you need to be ingesting information on processes that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.002", "T1574"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Windows DLL Side-Loading Process Child Of Calc - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the suspicious child process of calc.exe due to dll side loading technique to execute another executable. This technique was seen in qakbot malware that uses dll side loading technique to calc applications to load its malicious dll code. The malicious dll that abuses dll side loading technique will load the actual qakbot loader dll using regsvr32.exe application. This TTP is a good indicator of qakbot since the calc.exe will not load other child processes aside from win32calc.exe. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.002", "T1574"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows DNS Gather Network Info - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a process command line used to enumerate DNS records. Adversaries, threat actors, or red teamers may employ this technique to gather information about a victim's DNS, which can be utilized during targeting. This method was also observed as part of a tool used by the Sandworm APT group in a geopolitical cyber warfare attack. By using the dnscmd.exe Windows application, an attacker can enumerate DNS records for specific domains within the targeted network, potentially aiding in further attacks. This anomaly detection can serve as a valuable starting point for identifying users and hostnames that may be compromised or targeted by adversaries seeking to collect data information. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Reconnaissance"], "mitre_attack": ["T1590.002"], "nist": ["DE.AE"]} -known_false_positives = network administrator can execute this command to enumerate DNS record. Filter or add other paths to the exclusion as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows DnsAdmins New Member Added - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic leverages Event ID 4732 to identify the addition of a new member to the DnsAdmins group within Active Directory. . Members of the DnsAdmin group can manage the DNS service which most of the times runs on the Domain Controller. By abusing legitimate DNS management functionality, a member of the DnsAdmins group can escalate privileges by executing malicious code on a Domain Controller as SYSTEM. Security teams should monitor the modification of the DnsAdmins group and validate the changes are legitimate. -how_to_implement = To successfully implement this search, Domain Controller events need to be ingested. The Advanced Security Audit policy setting `Audit Security Group Management` within `Account Management` needs to be enabled. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]} -known_false_positives = New members can be added to the DnsAdmins group as part of legitimate administrative tasks. Filter as needed. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows Domain Account Discovery Via Get-NetComputer - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic leverages Event ID 4104 to identify the execution of the PowerView powershell commandlets Get-NetComputer. This technique was seen used in the context of PowerView's Get-NetUser cmdlet as a filter or parameter to query Active Directory user account's "samccountname", "accountexpires", "lastlogon" and so on. This hunting query is a good pivot to look for suspicious process or malware that gather user account information in a host or within network system. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.= -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.002"], "nist": ["DE.AE"]} -known_false_positives = Administrators may leverage PowerView for legitimate purposes, filter as needed. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows Domain Admin Impersonation Indicator - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies potential Kerberos ticket forging attacks, specifically the Diamond Ticket attack. This is detected when a user logs into a host and the GroupMembership field in event 4627 indicates a privileged group (e.g., Domain Admins), but the user does not actually belong to that group in the directory service. The detection leverages Windows Security Event Log 4627, which logs account logon events. The analytic cross-references the GroupMembership field from the event against a pre-populated lookup of actual group memberships. Its crucial to note that the accuracy and effectiveness of this detection heavily rely on the users diligence in populating and regularly updating this lookup table. Any discrepancies between the events GroupMembership and the lookup indicate potential ticket forging. Kerberos ticket forging, especially the Diamond Ticket attack, allows attackers to impersonate any user and potentially gain unauthorized access to resources. By forging a ticket that indicates membership in a privileged group, an attacker can bypass security controls and gain elevated privileges. Detecting such discrepancies in group memberships during logon events can be a strong indicator of this attack in progress, making it crucial for security teams to monitor and investigate. If validated as a true positive, this indicates that an attacker has successfully forged a Kerberos ticket and may have gained unauthorized access to critical resources, potentially with elevated privileges. -how_to_implement = To successfully implement this search, you need to be ingesting Authentication events across all endpoints and ingest Event Id 4627. Specifically, the Audit Group Membership subcategory within the Logon Logooff category needs to be enabled. Its crucial to note that the accuracy and effectiveness of this detection heavily rely on the users diligence in populating and regularly updating this lookup table. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558"], "nist": ["DE.CM"]} -known_false_positives = False positives may trigger the detections certain scenarios like directory service delays or out of date lookups. Filter as needed. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows DotNet Binary in Non Standard Path - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies native .net binaries within the Windows operating system that may be abused by adversaries by moving it to a new directory. The analytic identifies the .net binary by using a lookup and compares the process name and original file name (internal name). The analytic utilizes a lookup with the is_net_windows_file_macro macro to identify the binary process name and original file name. if one or the other matches an alert will be generated. Adversaries abuse these binaries as they are native to windows and native DotNet. Note that not all SDK (post install of Windows) are captured in the lookup. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036", "T1036.003", "T1218", "T1218.004"], "nist": ["DE.CM"]} -known_false_positives = False positives may be present and filtering may be required. Certain utilities will run from non-standard paths based on the third-party application in use. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Driver Inventory - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following hunting / inventory query assists defenders in identifying Drivers being loaded across the fleet. This query relies upon a PowerShell script input to be deployed to critical systems and beyond. If capturing all via the input, this will provide retrospection into drivers persisting. Note, that this is not perfect across a large fleet. Modify the query as you need to view the data differently. -how_to_implement = To capture the drivers by host, utilize the referenced Gist to create the inputs, props and transforms. Otherwise, this hunt query will not work. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.AE"]} -known_false_positives = Filter and modify the analytic as you'd like. Filter based on path. Remove the system32\drivers and look for non-standard paths. -providing_technologies = null - -[savedsearch://ESCU - Windows Driver Load Non-Standard Path - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic uses Windows EventCode 7045 to identify new Kernel Mode Drivers being loaded in Windows from a non-standard path. Note that, adversaries may move malicious or vulnerable drivers into these paths and load up. The idea is that this analytic provides visibility into drivers loading in non-standard file paths. -how_to_implement = To implement this analytic, the Windows EventCode 7045 will need to be logged. The Windows TA for Splunk is also recommended. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1014", "T1068"], "nist": ["DE.CM"]} -known_false_positives = False positives may be present based on legitimate third party applications needing to install drivers. Filter, or allow list known good drivers consistently being installed in these paths. -providing_technologies = null - -[savedsearch://ESCU - Windows Drivers Loaded by Signature - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic assists with viewing all drivers being loaded by using Sysmon EventCode 6 (Driver Load). Sysmon provides some simple fields to assist with identifying suspicious drivers. Use this analytic to look at prevalence of driver (count), path of driver, signature status and hash. Review these fields with scrutiny until the ability to prove the driver is legitimate and has a purpose in the environment. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have the latest version of the Sysmon TA. Most EDR products provide the ability to review driver loads, or module loads, and using a query as such help with hunting for malicious drivers. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1014", "T1068"], "nist": ["DE.AE"]} -known_false_positives = This analytic is meant to assist with identifying drivers loaded in the environment and not to be setup for notables off the bat. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Windows Enable Win32 ScheduledJob via Registry - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic searches for a registry modification that enables the use of the at.exe or wmi Win32_ScheduledJob command to add scheduled tasks on a Windows endpoint. Specifically, it looks for the creation of a new DWORD value named "EnableAt" in the following registry path: "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Configuration". If this value is set to 1, it enables the at.exe and wmi Win32_ScheduledJob commands to schedule tasks on the system. Detecting this registry modification is important because it may indicate that an attacker has enabled the ability to add scheduled tasks to the system, which can be used to execute malicious code at specific times or intervals. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.005"], "nist": ["DE.AE"]} -known_false_positives = In some cases, an automated script or system may enable this setting continuously, leading to false positives. To avoid such situations, it is recommended to monitor the frequency and context of the registry modification and modify or filter the detection rules as needed. This can help to reduce the number of false positives and ensure that only genuine threats are identified. Additionally, it is important to investigate any detected instances of this modification and analyze them in the broader context of the system and network to determine if further action is necessary. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Event For Service Disabled - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic will identify suspicious system event of services that was modified from start to disabled. This technique is seen where the adversary attempts to disable security app services, other malware services to evade the defense systems on the compromised host -how_to_implement = To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]} -known_false_positives = Windows service update may cause this event. In that scenario, filtering is needed. -providing_technologies = null - -[savedsearch://ESCU - Windows Event Log Cleared - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic utilizes Windows Security Event ID 1102 or System log event 104 to identify when a Windows event log is cleared. Note that this analytic will require tuning or restricted to specific endpoints based on criticality. During triage, based on time of day and user, determine if this was planned. If not planned, follow through with reviewing parallel alerts and other data sources to determine what else may have occurred. -how_to_implement = To successfully implement this search, you need to be ingesting Windows event logs from your hosts. In addition, the Splunk Windows TA is needed. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070", "T1070.001"], "nist": ["DE.CM"]} -known_false_positives = It is possible that these logs may be legitimately cleared by Administrators. Filter as needed. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows Event Triggered Image File Execution Options Injection - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following hunting analytic identifies EventCode 3000 in Application channel indicating a process exit. This behavior is based on process names being added to the Image File Execution Options under HKLM \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ and \SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit. Once these are set for a process, an eventcode 3000 will generate. The example used is from Thinkst Canary where a CanaryToken is setup to monitor for a commonly abused living off the land binary (ex. Klist.exe) and generate an event when it occurs. This can be seen as settings traps to monitor for suspicious behavior. Monitor and tune this hunting analytic and setup traps across your organization and begin monitoring. -how_to_implement = This analytic requires capturing the Windows Event Log Application channel in XML. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1546.012"], "nist": ["DE.AE"]} -known_false_positives = False positives may be present and tuning will be required before turning into a TTP or notable. -providing_technologies = null - -[savedsearch://ESCU - Windows Excessive Disabled Services Event - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic will identify suspicious excessive number of system events of services that was modified from start to disabled. This technique is seen where the adversary attempts to disable security app services, other malware services oer serve as an destructive impact to complete the objective on the compromised system. One good example for this scenario is Olympic destroyer where it disable all active services in the compromised host as part of its destructive impact and defense evasion. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -known_false_positives = Unknown -providing_technologies = null - -[savedsearch://ESCU - Windows Executable in Loaded Modules - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic identifies potentially malicious 'ImageLoaded' events, particularly when they involve executable files. This behavior was observed in NjRAT instances, where, during each instance of loading a module from its C2 server onto the compromised host, Sysmon recorded the path of the actual Image or Process as an 'ImageLoaded' event, rather than the typical tracking of dynamically loaded DLL modules in memory. This event holds significance because it tracks processes that load modules and libraries, which are typically in the .dll format rather than .exe. Leveraging this 'Time-To-Perform' (TTP) detection method can prove invaluable for the identification of NjRAT malware or other malicious software instances that introduce executable files as modules within a targeted host. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1129"], "nist": ["DE.CM"]} -known_false_positives = unknown. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Windows Execute Arbitrary Commands with MSDT - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a recently disclosed arbitraty command execution using Windows msdt.exe - a Diagnostics Troubleshooting Wizard. The sample identified will use the ms-msdt:/ protocol handler to load msdt.exe to retrieve a remote payload. During triage, review file modifications for html. Identify parallel process execution that may be related, including an Office Product. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218"], "nist": ["DE.CM"]} -known_false_positives = False positives may be present, filter as needed. Added .xml to potentially capture any answer file usage. Remove as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Exfiltration Over C2 Via Invoke RestMethod - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the potential exfiltration of data using PowerShell's Invoke-RestMethod. This technique was observed in the Winter-Vivern malware, which uploads desktop screenshots and files from compromised or targeted hosts. Detecting this TTP can serve as a valuable indicator that a process is attempting to upload files to an external or internal URI link. We recommend examining the process, the files it is trying to upload, and the URL link or C2 destination where the data is being uploaded. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1041"], "nist": ["DE.CM"]} -known_false_positives = False positives should be limited. Filter as needed. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows Exfiltration Over C2 Via Powershell UploadString - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies potential data exfiltration using the PowerShell net.webclient command. This technique was observed in the Winter-Vivern malware, which uploads desktop screenshots and files from compromised or targeted hosts. Detecting this TTP can serve as a valuable indicator that a process is attempting to upload files to an external or internal URI link. We recommend examining the process, the files it is trying to upload, and the URL link or C2 destination where the data is being uploaded. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1041"], "nist": ["DE.CM"]} -known_false_positives = False positives should be limited. Filter as needed. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows Export Certificate - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies when a certificate is exported from the Windows Certificate Store. This analytic utilizes the Certificates Lifecycle log channel event ID 1007. EventID 1007 is focused on the Export of a certificate from the local certificate store. In addition, review the ProcessName field as it will help to determine automation/Admin or adversary extracting the certificate. Depending on the organization, the certificate may be used for authentication to the VPN or private resources. -how_to_implement = To implement this analytic, you must collect Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational or Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.004", "T1552", "T1649"], "nist": ["DE.AE"]} -known_false_positives = False positives may be generated based on an automated process or service that exports certificates on the regular. Review is required before setting to alert. Monitor for abnormal processes performing an export. -providing_technologies = null - -[savedsearch://ESCU - Windows File Share Discovery With Powerview - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the use of the Invoke-ShareFinder PowerShell commandlet part of PowerView. This module obtains the list of all active domain computers and lists the active shares on each computer. Network file shares in Active Directory environments may contain sensitive information like backups, scripts, credentials, etc. Adversaries who have obtained a foothold in an AD network may leverage PowerView to identify secrets and leverage them for Privilege Escalation or Lateral Movement. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.= -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1135"], "nist": ["DE.CM"]} -known_false_positives = Security teams may leverage PowerView proactively to identify and remediate sensitive file shares. Filter as needed. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows File Transfer Protocol In Non-Common Process Path - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a possible windows application having a FTP connection in a non common installation path in windows operating system.This network protocol is being used by adversaries, threat actors and malware like AgentTesla as a Command And Control communication to transfer its collected stolen information like the desktop screenshots, browser information and system information of a targeted or compromised host. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and sysmon eventcode = 3 connection events from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1071.003", "T1071"], "nist": ["DE.AE"]} -known_false_positives = third party application may use this network protocol as part of its feature. Filter is needed. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Windows File Without Extension In Critical Folder - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is to look for suspicious file creation in the critical folder like "System32\Drivers" folder without file extension. This artifacts was seen in latest hermeticwiper where it drops its driver component in Driver Directory both the compressed(without file extension) and the actual driver component (with .sys file extension). This TTP is really a good indication that a host might be compromised by this destructive malware that wipes the boot sector of the system. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.CM"]} -known_false_positives = Unknown at this point -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Files and Dirs Access Rights Modification Via Icacls - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic aims to identify potential adversaries who manipulate the security permissions of specific files or directories. This technique is frequently observed in the tradecraft of Advanced Persistent Threats (APTs) and coinminer scripts. By modifying the security permissions, adversaries seek to evade detection and impede access to their component files. Such actions indicate a deliberate effort to maintain control over compromised systems and hinder investigation or remediation efforts. Detecting these security permission changes can serve as a valuable indicator of an ongoing attack and enable timely response to mitigate the impact of the adversary's activities. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222.001", "T1222"], "nist": ["DE.CM"]} -known_false_positives = Unknown. It is possible some administrative scripts use ICacls. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Find Domain Organizational Units with GetDomainOU - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic leverages PowerShell Script Block Logging (EventCode=4104) to detect the execution of the `Get-DomainOU` commandlet. `Get-DomainOU` is a component of PowerView, a PowerShell toolkit designed for Windows domain enumeration. Identifying the use of `Get-DomainOU` is crucial as adversaries and Red Teams might employ it to gain insights into organizational units within Active Directory, potentially aiding in lateral movement or privilege escalation strategies. -how_to_implement = The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.002"], "nist": ["DE.CM"]} -known_false_positives = Administrators may leverage PowerSploit tools for legitimate reasons, filter as needed. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows Find Interesting ACL with FindInterestingDomainAcl - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic leverages PowerShell Script Block Logging (EventCode=4104) to detect the execution of the `Find-InterestingDomainAcl` commandlet. `Find-InterestingDomainAcl` is part of PowerView, a PowerShell toolkit designed for Windows domain enumeration. Detecting the use of `Find-InterestingDomainAcl` is crucial as adversaries and Red Teams might employ it to identify unusual or misconfigured Access Control Lists (ACLs) within the domain. Such ACLs can provide attackers with insights into potential privilege escalation opportunities or weak security postures within Active Directory. -how_to_implement = The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.002"], "nist": ["DE.CM"]} -known_false_positives = Administrators may leverage PowerSploit tools for legitimate reasons, filter as needed. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows Findstr GPP Discovery - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the use of the findstr command employed to search for unsecured credentials Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts. These group policies are stored in SYSVOL on a domain controller. This means that any domain user can view the SYSVOL share and decrypt the password (using the AES key that has been made public). While Microsoft released a patch that impedes Administrators to create unsecure credentials, existing Group Policy Preferences files with passwords are not removed from SYSVOL. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552", "T1552.006"], "nist": ["DE.CM"]} -known_false_positives = Administrators may leverage findstr to find passwords in GPO to validate exposure. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Forest Discovery with GetForestDomain - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic utilizes PowerShell Script Block Logging (EventCode=4104) to detect the execution of the `Get-ForestDomain` commandlet. `Get-ForestDomain` is a component of PowerView, a PowerShell toolkit designed for Windows domain enumeration. Detecting the use of `Get-ForestDomain` is essential as adversaries and Red Teams might employ it to gain insights into the forest and domain configurations of an Active Directory environment. Such information can provide attackers with a broader understanding of the domain structure and potential avenues for lateral movement or privilege escalation. -how_to_implement = The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.002"], "nist": ["DE.CM"]} -known_false_positives = Administrators may leverage PowerSploit tools for legitimate reasons, filter as needed. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows Gather Victim Host Information Camera - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects a powershell script that enumerate camera mounted to the targeted host. This technique was seen in DCRat malware, where it runs a powershell command to look for camera information that will be pass on to its C2 server. This anomaly detection can be a good pivot to check who and why this enumeration is needed and what parent process execute this powershell script command. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Reconnaissance"], "mitre_attack": ["T1592.001", "T1592"], "nist": ["DE.AE"]} -known_false_positives = Administrators may execute this powershell command to get hardware information related to camera on $dest$. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows Gather Victim Identity SAM Info - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a process that loads the samlib.dll module. This module is being abused by adversaries, threat actors and red teamers to access information of SAM objects or access credentials information in DC. This hunting query can be a good indicator that a process is capable of accessing the SAM object. -how_to_implement = The latest Sysmon TA 3.0 https://splunkbase.splunk.com/app/5709 will add the ImageLoaded name to the process_name field, allowing this query to work. Use as an example and implement for other products. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Reconnaissance"], "mitre_attack": ["T1589.001", "T1589"], "nist": ["DE.AE"]} -known_false_positives = this module can be loaded by a third party application. Filter is needed. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Windows Gather Victim Network Info Through Ip Check Web Services - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies process that attempts to connect to a known IP web services. This technique is commonly used by trickbot and other malware to perform reconnaissance against the infected machine and look for its IP address. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, dns query name process path , and query ststus from your endpoints like EventCode 22. If you are using Sysmon, you must have at least version 12 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Reconnaissance"], "mitre_attack": ["T1590.005", "T1590"], "nist": ["DE.AE"]} -known_false_positives = Filter internet browser application to minimize the false positive of this detection. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Windows Get-AdComputer Unconstrained Delegation Discovery - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the Get-ADComputer commandlet used with specific parameters to discover Windows endpoints with Kerberos Unconstrained Delegation. Red Teams and adversaries alike may leverage use this technique for situational awareness and Active Directory Discovery. -how_to_implement = The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]} -known_false_positives = Administrators or power users may leverage PowerView for system management or troubleshooting. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows Get Local Admin with FindLocalAdminAccess - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic leverages PowerShell Script Block Logging (EventCode=4104) to detect the execution of the `Find-LocalAdminAccess` commandlet. `Find-LocalAdminAccess` is part of PowerView, a PowerShell toolkit designed for Windows domain enumeration. Detecting the use of `Find-LocalAdminAccess` is vital as adversaries and Red Teams might employ it to identify machines where the current user context has local administrator access. Such information can provide attackers with potential targets for lateral movement or privilege escalation within the network. -how_to_implement = The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.002"], "nist": ["DE.CM"]} -known_false_positives = Administrators may leverage PowerSploit tools for legitimate reasons, filter as needed. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows Group Policy Object Created - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic leverages Event IDs 5136 and 51137 to identify the creation of a new Group Policy Object. With GPOs, system administrators can manage and configure applications, software operations, and user settings throughout an entire organization. GPOs can be abused and leveraged by adversaries to escalate privileges or deploy malware across an Active Directory network. As an example, the Lockbit ransomware malware will create new group policies on the domain controller that are then pushed out to every device on the network. Security teams should monitor the creation of new Group Policy Objects. -how_to_implement = To successfully implement this search, the Advanced Security Audit policy setting `Audit Directory Service Changes` within `DS Access` needs to be enabled. Furthermore, the appropriate system access control lists (SACL) need to be created as the used events are not logged by default. A good guide to accomplish this can be found here https://jgspiers.com/audit-group-policy-changes/. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1484", "T1484.001", "T1078.002"], "nist": ["DE.CM"]} -known_false_positives = Group Policy Objects are created as part of regular administrative operations, filter as needed. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows Hidden Schedule Task Settings - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects creation of hidden scheculed tasks such that it this task is not visible on the UI. Such behavior is indicative of certain malware, such as Industroyer2, or attacks leveraging living-off-the-land binaries (LOLBINs) to download additional payloads to a compromised machine. This analytic relies on the Windows Security EventCode 4698, indicating the creation of a scheduled task. The search focuses on identifying instances where the 'Hidden' setting is enabled, signaling potential nefarious activity. To implement this search, you need to ingest logs with task scheduling details from your endpoints. As false positives are currently unknown, it is advised to tune and filter based on the known use of task scheduling in your environment. This analytic provides crucial visibility into stealthy, potentially harmful scheduled tasks on Windows systems. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the task schedule (Exa. Security Log EventCode 4698) endpoints. Tune and filter known instances of Task schedule used in your environment. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows Hide Notification Features Through Registry - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is to detect a suspicious registry modification to hide common windows notification feature from compromised host. This technique was seen in some ransomware family to add more impact to its payload that are visually seen by user aside from the encrypted files and ransomware notes. Even this a good anomaly detection, administrator may implement this changes for auditing or security reason. In this scenario filter is needed. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows High File Deletion Frequency - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search identifies a high frequency of file deletions relative to the process name and process ID. Such events typically occur when ransomware attempts to encrypt files with specific extensions, leading Sysmon to treat the original files as deleted as soon as they are replaced with encrypted data. -how_to_implement = To successfully implement this search, you need to ingest logs that include the deleted target file name, process name, and process ID from your endpoints. If you are using Sysmon, ensure you have at least version 2.0 of the Sysmon TA installed. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.AE"]} -known_false_positives = Users may delete a large number of pictures or files in a folder, which could trigger this detection. Additionally, heavy usage of PowerBI and Outlook may also result in false positives. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Windows Hijack Execution Flow Version Dll Side Load - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is to detect a process loading version.dll that is not in %windir%\\system32 or %windir%\\syswow64 dir path. This event is seen in ransomware and APT malware that executes malicious version.dll placed in the same folder of onedrive application that will execute that module. This technique is known to be DLL side loading. This technique was used to execute an agent of Brute Ratel C4 red teaming tools to serve as remote admin tool to collect and compromise target host. -how_to_implement = The latest Sysmon TA 3.0 https://splunkbase.splunk.com/app/5709 will add the ImageLoaded name to the process_name field, allowing this query to work. Use as an example and implement for other products. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.001", "T1574"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Windows Hunting System Account Targeting Lsass - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following hunting analytic identifies all processes requesting access into Lsass.exe. his behavior may be related to credential dumping or applications requiring access to credentials. Triaging this event will require understanding the GrantedAccess from the SourceImage. In addition, whether the account is privileged or not. Review the process requesting permissions and review parallel processes. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Enabling EventCode 10 TargetProcess lsass.exe is required. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.AE"]} -known_false_positives = False positives will occur based on GrantedAccess and SourceUser, filter based on source image as needed. Utilize this hunting analytic to tune out false positives in TTP or anomaly analytics. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Windows Identify Protocol Handlers - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following hunting analytic will identify any protocol handlers utilized on the command-line. A protocol handler is an application that knows how to handle particular types of links: for example, a mail client is a protocol handler for "mailto:" links. When the user clicks a "mailto:" link, the browser opens the application selected as the handler for the "mailto:" protocol (or offers them a choice of handlers, depending on their settings). To identify protocol handlers we can use NirSoft https://www.nirsoft.net/utils/url_protocol_view.html URLProtocolView or query the registry using PowerShell. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]} -known_false_positives = False positives will be found. https and http is a URL Protocol handler that will trigger this analytic. Tune based on process or command-line. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows IIS Components Add New Module - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the process AppCmd.exe installing a new module into IIS. AppCmd is a utility to manage IIS web sites and App Pools. An adversary may run this command to install a webshell or backdoor. This has been found to be used for credit card scraping, persistence, and further post-exploitation. An administrator may run this to install new modules for a web site or during IIS updates. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1505", "T1505.004"], "nist": ["DE.AE"]} -known_false_positives = False positives may be present until properly tuned. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows IIS Components Get-WebGlobalModule Module Query - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the execution of the PowerShell cmdlet Get-WebGlobalModule, which lists all IIS Modules installed on a system. It leverages PowerShell input data to detect this activity by capturing the module names and the image paths of the DLLs. This activity is significant for a SOC because it can indicate an attempt to enumerate installed IIS modules, which could be a precursor to exploiting vulnerabilities or misconfigurations. If confirmed malicious, this could allow an attacker to gain insights into the web server's configuration, potentially leading to further exploitation or privilege escalation. -how_to_implement = You must ingest the PwSh cmdlet Get-WebGlobalModule in order to utilize this analytic. Follow https://gist.github.com/MHaggis/64396dfd9fc3734e1d1901a8f2f07040 -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1505.004", "T1505"], "nist": ["DE.AE"]} -known_false_positives = This analytic is meant to assist with hunting modules across a fleet of IIS servers. Filter and modify as needed. -providing_technologies = null - -[savedsearch://ESCU - Windows IIS Components Module Failed to Load - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic utilizes EventCode 2282 which generates when a Module DLL could not be loaded due to a configuration problem. This typically occurs when a IIS module is installed but is failing to load. This typically results in thousands of events until the issue is resolved. Review the module that is failing and determine if it is legitimate or not. -how_to_implement = IIS must be installed and Application event logs must be collected in order to utilize this analytic. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1505", "T1505.004"], "nist": ["DE.AE"]} -known_false_positives = False positives will be present until all module failures are resolved or reviewed. -providing_technologies = null - -[savedsearch://ESCU - Windows IIS Components New Module Added - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic uses the Windows Event log - Microsoft-IIS-Configuration/Operational - which must be enabled and logged on Windows IIS servers before it can be Splunked. The following analytic identifies newly installed IIS modules. Per Microsoft, IIS modules are not commonly added to a production IIS server, so alerting on this event ID should be enabled.IIS modules can be installed at a global level or at a site level. In detecting malicious IIS modules, it is important to check both the global and site level for unauthorized modules. Regular monitoring of these locations for such modules and comparing against a known good list can help detect and identify malicious IIS modules. -how_to_implement = You must enabled the IIS Configuration Operational log before ingesting in Splunk. Setup and inputs may be found here https://gist.github.com/MHaggis/64396dfd9fc3734e1d1901a8f2f07040. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1505", "T1505.004"], "nist": ["DE.CM"]} -known_false_positives = False positives may be present when updates or an administrator adds a new module to IIS. Monitor and filter as needed. -providing_technologies = null - -[savedsearch://ESCU - Windows Impair Defense Add Xml Applocker Rules - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic is to identify a process that imports applocker xml policy using PowerShell commandlet. This technique was seen in Azorult malware where it drop an xml Applocker policy that will deny several AV products and further executed the PowerShell Applocker commandlet. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]} -known_false_positives = Administrators may execute this command that may cause some false positive. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Impair Defense Change Win Defender Health Check Intervals - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a modification in the Windows registry to change the health check interval of Windows Defender. Specifically, a value of 1 typically signifies that Windows Defender would perform health checks at a much higher frequency than the default settings. However, it's important to note that modifying this value to 1 might not necessarily conform to the actual behavior, as certain registry settings may have specific accepted values or a defined range that differs from a simple binary representation. Changing registry values, especially those related to system services, should be approached cautiously. Incorrect modifications can potentially impact system stability or performance. Always ensure you understand the implications and have a backup before altering registry settings. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Impair Defense Change Win Defender Quick Scan Interval - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a modification in the Windows registry to change Windows Defender Quick Scan Interval. The "QuickScanInterval" in Windows Defender, specifically within the context of antivirus software, typically refers to the interval or frequency at which the system conducts quick scans for malware or potential threats. This setting dictates how often Windows Defender performs quick scans on the system. Quick scans are less comprehensive than full system scans but provide a faster way to check critical areas for potential threats or malware. This registry setting is being abuse by several threat actors, adversaries and red teamers to bypasses Windows defender detections. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Impair Defense Change Win Defender Throttle Rate - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a modification in the Windows registry to change the ThrottleDetectionEventsRate of Windows Defender. The ThrottleDetectionEventsRate registry setting in Windows Defender is related to controlling the rate at which detection events are logged or reported by Windows Defender Antivirus. This registry setting determines how frequently Windows Defender logs or reports detection events. Adjusting the ThrottleDetectionEventsRate value can impact the logging frequency of detection events such as malware detections, scanning results, or security-related events recorded by Windows Defender. A higher value might mean that detection events are reported less frequently, potentially reducing the volume of recorded events, while a lower value could increase the reporting frequency, resulting in more frequent logs of detection events. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Impair Defense Change Win Defender Tracing Level - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a modification in the Windows registry to change the Windows Defender Wpp Tracing levels. The "WppTracingLevel" registry setting is typically related to Windows software tracing and diagnostics, specifically involving Windows Software Trace Preprocessor (WPP) tracing. WPP tracing is a mechanism used by developers to instrument code for diagnostic purposes, allowing for the collection of detailed logs and traces during software execution. It helps in understanding the behavior of the software, identifying issues, and analyzing its performance. Without specific documentation or references to "WppTracingLevel" within Windows Defender settings or its functionalities, it's challenging to provide precise details about its intended use or configuration within Windows Defender. Modifying registry settings without understanding their implications can affect system behavior or security. Always proceed cautiously and ensure changes align with best practices and organizational requirements. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Impair Defense Configure App Install Control - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a modification in the Windows registry to change or disable Windows Defender smartscreen app install control. Microsoft Edge's App Install Control feature helps manage the installation of web-based applications. When attackers modify "ConfigureAppInstallControlEnabled" to 0, they are likely attempting to disable the App Install Control feature in Microsoft Edge. This change might allow users to bypass restrictions imposed by the browser on the installation of web-based applications. Disabling this feature might increase the risk of users being able to install potentially malicious or untrusted web applications without restrictions or controls imposed by the browser. This action could potentially lead to security vulnerabilities or compromise if users inadvertently install harmful applications. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Impair Defense Define Win Defender Threat Action - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a modification in the Windows registry to define the threat action of Windows Defender. The ThreatSeverityDefaultAction registry setting in Windows Defender is used to define the default action taken by Windows Defender when it encounters threats of specific severity levels. A setting like ThreatSeverityDefaultAction is designed to define how Windows Defender responds to threats based on their severity. For example, it might determine whether Windows Defender quarantines, removes, or takes other actions against threats based on their severity levels. In this context, a registry value of 1 typically indicates an action to "clean," aiming to disinfect or resolve the detected threat, while a registry value of 9 signifies "no action," meaning that the antivirus software refrains from taking immediate steps against the identified threat. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Impair Defense Delete Win Defender Context Menu - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The search looks for the deletion of Windows Defender context menu within the registry. This is consistent behavior with RAT malware across a fleet of endpoints. This particular behavior is executed when an adversary gains access to an endpoint and begins to perform execution. Usually, a batch (.bat) will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]} -known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Impair Defense Delete Win Defender Profile Registry - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The search looks for the deletion of Windows Defender main profile within the registry. This was used by RAT malware across a fleet of endpoints. This particular behavior is typically executed when an adversary gains access to an endpoint and beings to perform execution. Usually, a batch (.bat) will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]} -known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Impair Defense Deny Security Software With Applocker - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a modification in the Windows registry by the Applocker utility that contains details or registry data values related to denying the execution of several security products. This technique was seen in Azorult malware where it drops an xml Applocker policy that will deny several AV products and then loaded by using PowerShell Applocker commandlet. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -known_false_positives = False positives may be present based on organization use of Applocker. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Impair Defense Disable Controlled Folder Access - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a modification in the Windows registry to disable Windows Defender Controlled Folder Access feature. The EnableControlledFolderAccess registry setting is associated with the Controlled Folder Access feature in Windows Defender. Controlled Folder Access is a security feature designed to protect certain folders from unauthorized access or modification by malicious applications, including ransomware. When EnableControlledFolderAccess is set to 0, it usually indicates that the Controlled Folder Access feature within Windows Defender is not active. Consequently, the protection mechanism for the specified folders against unauthorized access by potentially malicious applications or ransomware is not enabled. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Impair Defense Disable Defender Firewall And Network - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a modification in the Windows registry to disable firewall and network protection section settings of windows security. The specific impact of this change depends on the context and the purpose behind modifying this registry value. In general, setting UILockdown to 1 might imply enforcing a restriction or lockdown in the user interface (UI) related to firewall and network protection settings within Windows Defender Security Center. This could potentially restrict users from modifying certain firewall or network protection settings through the UI. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Impair Defense Disable Defender Protocol Recognition - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a modification in the Windows registry to disable Windows Defender protocol recognition feature. The DisableProtocolRecognition setting in Windows Defender is not a commonly known or documented registry setting. It's possible that this specific setting might not exist within the standard Windows Defender configurations or that it might be specific to certain environments, versions, or configurations. It might potentially control or influence the antivirus software's ability to recognize and handle specific protocols or communication methods used by malware or suspicious software. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Impair Defense Disable PUA Protection - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a modification in the Windows registry to disable Windows Defender PUA protection. Setting PUAProtection to 0 typically disables the detection and protection against Potentially Unwanted Applications by Microsoft Defender Antivirus. Potentially Unwanted Applications include software that may not be inherently malicious but could exhibit behaviors that users may find undesirable, such as adware, browser toolbars, or software bundlers. Disabling this feature might be preferred in certain situations, but it's essential to consider potential security implications. Enabling PUA protection provides an additional layer of defense against software that might negatively impact user experience or security. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Impair Defense Disable Realtime Signature Delivery - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a modification in the Windows registry to disable windows defender realtime signature delivery feature. This setting governs how Windows Defender Antivirus receives updated signature definitions for identifying and combating malware threats in real-time. The actual impact and behaviors associated with different values for RealtimeSignatureDelivery can vary based on specific Windows Defender configurations and policies. For instance, setting this value to 0 or 1 might control whether real-time signatures are delivered via different methods such as through Windows Update or directly from Microsoft's cloud-based services. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Impair Defense Disable Web Evaluation - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a modification in the Windows registry to disable Windows Defender web content evaluation. The "EnableWebContentEvaluation" registry entry typically relates to security settings within Microsoft Edge or Internet Explorer, enabling the evaluation of web content for security purposes. When attackers modify "EnableWebContentEvaluation" to 0, they might attempt to disable the browser's capability to evaluate web content for security purposes. Disabling this feature could potentially impact the browser's ability to assess the security risks associated with web content, such as potentially malicious scripts, active content, or unsafe web elements. By turning off content evaluation, attackers might aim to exploit security vulnerabilities present in web content without triggering security warnings or blocks. This manipulation increases the risk of users accessing or interacting with malicious content, potentially leading to security compromises or system exploitation. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Impair Defense Disable Win Defender App Guard - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a modification in the Windows registry to disable Windows Defender audit application guard. Microsoft Defender Application Guard provides enhanced security by isolating potentially malicious documents and websites in a containerized environment, protecting the system against various threats. Auditing and logging are essential components of security measures, providing visibility into activities within the isolated environment. Disabling auditing events within Application Guard might not be a standard or recommended practice since auditing is crucial for security monitoring and threat detection within the isolated container. However, there might be settings or configurations related to audit policies in the broader Windows Defender or operating system settings. This registry setting is being abuse by several threat actors, adversaries and red teamers to bypasses Windows defender detections. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Impair Defense Disable Win Defender Compute File Hashes - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a modification in the Windows registry to disable Windows Defender file hashes computation. The EnableFileHashComputation registry setting likely pertains to whether Windows Defender's MpEngine (Malware Protection Engine) computes file hashes. Setting this value to 0 might disable the file hash computation feature within Windows Defender, which could affect certain malware detection or scanning functionalities that rely on file hash analysis. This registry setting is being abuse by several threat actors, adversaries and red teamers to bypasses Windows defender detections. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Impair Defense Disable Win Defender Gen reports - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a modification in the Windows registry to disable Windows Defender generic ports. This registry can disable the sending of Watson events in Windows Defender. This is by preventing the transmission of generic or non-specific error reports to Microsoft's Windows Error Reporting service, commonly known as Watson. This kind of setting could potentially be employed to limit or control the data sent to Microsoft for error analysis, often in scenarios where privacy or specific reporting requirements are in place. This registry setting is being abuse by several threat actors, adversaries and red teamers to bypasses Windows defender detections. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Impair Defense Disable Win Defender Network Protection - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a modification in the Windows registry to disable Windows Defender exploit guard network protection. The EnableNetworkProtection registry entry controls the activation or deactivation of Network Protection within Windows Defender Exploit Guard. When set to 1, it typically signifies that Network Protection is enabled, offering additional security measures against network-based threats by analyzing and blocking potentially malicious network activity. This registry setting is being abuse by several threat actors, adversaries and red teamers to bypasses Windows defender detections. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Impair Defense Disable Win Defender Report Infection - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a modification in the Windows registry to disable windows defender report infection information. Setting this registry key to 1, Instructs Windows Defender not to report detailed information about infections or threats detected on the system to Microsoft. Enabling this setting might limit or prevent the transmission of specific data related to infections, such as details about the detected malware, to Microsoft's servers for analysis or logging purposes. This registry is being abused by adversaries, threat actors and red-teamers to bypasses Windows Defender detections. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Impair Defense Disable Win Defender Scan On Update - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a modification in the Windows registry to disable Windows Defender Scan On Update. The "DisableScanOnUpdate" registry setting in Windows Defender, when set to a value of 1, typically signifies the feature that prevents automatic scans from initiating when updates to Windows Defender or its antivirus definitions are installed. Any modifications to registry settings, it's important to ensure that changes align with security policies and best practices. Incorrect settings might affect the system's security or functionality. Always consider the implications and ensure changes are made based on accurate information and organizational requirements. This registry setting is being abuse by several threat actors, adversaries and red teamers to bypasses Windows defender detections. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Impair Defense Disable Win Defender Signature Retirement - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a modification in the Windows registry to disable windows defender Signature Retirement. The DisableSignatureRetirement registry setting in Windows Defender controls the retirement or expiration of antivirus signatures used by Windows Defender Antivirus. When DisableSignatureRetirement is set to 1, it usually indicates that Windows Defender won't automatically retire or expire antivirus signatures. Antivirus signatures are files containing information about known malware and are used by Windows Defender to detect and protect against threats. Disabling signature retirement might prevent Windows Defender from automatically removing or retiring older or less relevant antivirus signatures. This can potentially increase the number of signatures in use and might impact system resources or the effectiveness of threat detection. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Impair Defense Overide Win Defender Phishing Filter - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a modification in the Windows registry to disable windows defender phishing filter. This setting controls whether users can manually disable or modify the browser's built-in phishing filter. When attackers modify "PreventOverride" to 0, it might indicate an attempt to disable the prevention of user overrides for the phishing filter within Microsoft Edge. This change allows users to bypass or disable the built-in phishing protection provided by the browser. By allowing users to override the phishing filter, attackers may attempt to deceive users into visiting phishing websites or malicious pages without triggering warnings or protections from the browser's built-in security measures. This manipulation increases the risk of users unknowingly accessing potentially harmful websites, leading to potential security incidents or compromises. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Impair Defense Override SmartScreen Prompt - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a modification in the Windows registry to override windows defender smartscreen prompt. The "PreventSmartScreenPromptOverride" registry setting is associated with the Windows SmartScreen feature, specifically related to controlling whether users can override SmartScreen prompts. When attackers modify "PreventSmartScreenPromptOverride" to 0, it signifies an attempt to disable the prevention of user overrides for SmartScreen prompts. By doing so, attackers aim to allow users to bypass or ignore SmartScreen warnings or prompts. This change increases the risk by permitting users to disregard warnings about potentially unsafe or malicious files or websites that would typically trigger SmartScreen alerts. It could lead to users unintentionally executing or accessing malicious content, potentially resulting in security incidents or system compromises. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Impair Defense Set Win Defender Smart Screen Level To Warn - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a modification in the Windows registry to set windows defender smart screen level to warn. Setting the ShellSmartScreenLevel to warn implies a SmartScreen configuration where the system displays a warning prompt when users attempt to run or access potentially risky or unrecognized files or applications. This warning serves as a cautionary alert to users, advising them about the potential risks associated with the file or application they are trying to execute. Changing SmartScreen settings to "warn" might be employed by attackers to reduce the likelihood of triggering immediate suspicion from users when running malicious executables. By setting it to "warn," the system prompts a cautionary warning rather than outright blocking the execution, potentially increasing the chances of users proceeding with running the file despite the warning. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Impair Defenses Disable HVCI - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic refers to a detection mechanism designed to identify when the Hypervisor-protected Code Integrity (HVCI) feature is disabled within the Windows registry. HVCI is a security feature in Windows 10 and Windows Server 2016 that helps protect the kernel and system processes from being tampered with by malicious code. HVCI relies on hardware-assisted virtualization and Microsoft's Hyper-V hypervisor to ensure that only kernel-mode code that has been signed by Microsoft or the system's hardware manufacturer can be executed. This prevents attackers from exploiting vulnerabilities to run unsigned code, like kernel-mode rootkits or other malicious software, at the kernel level. Disabling HVCI may expose the system to security risks and could be an indicator of a potential compromise or unauthorized activity. The analytic aims to detect and report events or configurations that lead to the disabling of HVCI. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -known_false_positives = False positives will be limited to administrative scripts disabling HVCI. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Impair Defenses Disable Win Defender Auto Logging - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The search looks for the Registry Key DefenderApiLogger or DefenderAuditLogger set to disable. This is consistent with RAT malware across a fleet of endpoints. This particular behavior is typically executed when an adversary gains access to an endpoint and beings to perform execution. Usually, a batch (.bat) will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]} -known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Indicator Removal Via Rmdir - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a process execute rmdir commandline to delete files and directory tree. This technique has been observed in the actions of various malware strains, such as DarkGate, as they attempt to eliminate specific files or components during their cleanup operations within compromised hosts. Notably, this deletion method doesn't exclusively require elevated privileges and can be executed by regular users or network administrators, although it's not the typical approach used for file deletion. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070"], "nist": ["DE.AE"]} -known_false_positives = user and network administrator can execute this command. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Indirect Command Execution Via forfiles - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects programs that have been started by forfiles.exe. According to Microsoft, the 'The forfiles command lets you run a command on or pass arguments to multiple files'. While this tool can be used to start legitimate programs, usually within the context of a batch script, it has been observed being used to evade protections on command line execution. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1202"], "nist": ["DE.CM"]} -known_false_positives = Some legacy applications may be run using pcalua.exe. Similarly, forfiles.exe may be used in legitimate batch scripts. Filter these results as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Indirect Command Execution Via pcalua - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects programs that have been started by pcalua.exe. pcalua.exe is the Microsoft Windows Program Compatability Assistant. While this tool can be used to start legitimate programs, it has been observed being used to evade protections on command line execution. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1202"], "nist": ["DE.CM"]} -known_false_positives = Some legacy applications may be run using pcalua.exe. Filter these results as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Indirect Command Execution Via Series Of Forfiles - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is developed to detect suspicious excessive usage of forfiles.exe process. This event was seen in post exploitation tool WINPEAS that was used by Ransomware Prestige. Forfiles command lets you run a command on or pass arguments to multiple files. This Windows OS built-in tool being abused to list all files in specific directory or drive. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1202"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Information Discovery Fsutil - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a process execution of Windows OS built-in tool FSUTIL to discover file system information. This tool is being abused or used by several adversaries or threat actor to query/list all drives, drive type, volume information or volume statistics by using the FSINFO parameter of this tool. This technique was seen in WINPEAS post exploitation tool that is being used by ransomware prestige to gain privilege and persistence to the targeted host. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1082"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Ingress Tool Transfer Using Explorer - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the Windows Explorer process with a URL within the command-line. Explorer.exe is known Windows process that handles start menu, taskbar, desktop and file manager. Many adversaries abuse this process, like DCRat malware, where it attempts to open the URL with the default browser application on the target host by putting the URL as a parameter on explorer.exe process. This anomaly detection might be a good pivot to check which user and how this process was executed, what is the parent process and what is the URL link. This technique is not commonly used to open an URL. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.AE"]} -known_false_positives = False positives may be present based on legitimate applications or third party utilities. Filter out any additional parent process names. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows InProcServer32 New Outlook Form - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the creation or modification of registry keys associated with new Outlook form installations that could indicate exploitation of CVE-2024-21378. The vulnerability allows for authenticated remote code execution via synced form objects by abusing the InProcServer32 registry key. The attack involves syncing malicious form objects that carry special properties and attachments used to "install" the form on a client, potentially leading to arbitrary file and registry key creation under HKEY_CLASSES_ROOT (HKCR), and ultimately, remote code execution. This detection focuses on monitoring for registry modifications involving InProcServer32 keys or equivalent that are linked to Outlook form installations, which are indicative of an attempt to exploit this vulnerability. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation"], "mitre_attack": ["T1566", "T1112"], "nist": ["DE.AE"]} -known_false_positives = False positives are possible if the organization adds new forms to Outlook via an automated method. Filter by name or path to reduce false positives. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Input Capture Using Credential UI Dll - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a process that loads the credui.dll module. This legitimate module is typically abused by adversaries, threat actors and red teamers to create a credential UI prompt dialog box to lure users for possible credential theft or can be used to dump the credentials of a targeted host. This hunting query is a good pivot to check why the process loaded this dll and if it is a legitimate file. This hunting query may hit false positive for a third party application that uses a credential login UI for user login. -how_to_implement = The latest Sysmon TA 3.0 https://splunkbase.splunk.com/app/5709 will add the ImageLoaded name to the process_name field, allowing this query to work. Use as an example and implement for other products. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1056.002", "T1056"], "nist": ["DE.AE"]} -known_false_positives = this module can be loaded by a third party application. Filter is needed. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Windows InstallUtil Credential Theft - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic identifies instances where the Windows InstallUtil.exe binary loads `vaultcli.dll` and `Samlib.dll`. This technique can be employed to execute code that bypasses application control and captures credentials using tools like Mimikatz. \ -When `InstallUtil.exe` is used maliciously, it typically specifies the path to an executable on the filesystem. It is important to observe the parent process in such cases. Suspicious activity often involves being spawned from non-standard processes such as `Cmd.exe`, `PowerShell.exe`, or `Explorer.exe`. \ -Conversely, when used by developers, it is usually accompanied by multiple command-line switches/arguments and originates from Visual Studio. \ -During triage, review any resulting network connections, file modifications, and concurrent processes. Capture any artifacts for further review.' -how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and module loads from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.004", "T1218"], "nist": ["DE.CM"]} -known_false_positives = Typically, this will not trigger because, by its very nature, InstallUtil does not require credentials. Filter as needed. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Windows InstallUtil in Non Standard Path - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the execution of InstallUtil.exe from non-standard paths. It leverages Endpoint Detection and Response (EDR) data, focusing on process names and original file names outside typical directories. This activity is significant because InstallUtil.exe is often used by attackers to execute malicious code or scripts. If confirmed malicious, this behavior could allow an attacker to bypass security controls, execute arbitrary code, and potentially gain unauthorized access or persist within the environment. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036", "T1036.003", "T1218", "T1218.004"], "nist": ["DE.CM"]} -known_false_positives = False positives may be present and filtering may be required. Certain utilities will run from non-standard paths based on the third-party application in use. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows InstallUtil Remote Network Connection - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the Windows InstallUtil.exe binary making a remote network connection. This technique may be used to download and execute code while bypassing application control. \ -When `InstallUtil.exe` is used in a malicous manner, the path to an executable on the filesystem is typically specified. Take note of the parent process. In a suspicious instance, this will be spawned from a non-standard process like `Cmd.exe`, `PowerShell.exe` or `Explorer.exe`. \ -If used by a developer, typically this will be found with multiple command-line switches/arguments and spawn from Visual Studio. \ -During triage review resulting network connections, file modifications, and parallel processes. Capture any artifacts and review further. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.004", "T1218"], "nist": ["DE.CM"]} -known_false_positives = Limited false positives should be present as InstallUtil is not typically used to download remote files. Filter as needed based on Developers requirements. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows InstallUtil Uninstall Option - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the Windows InstallUtil.exe binary. This will execute code while bypassing application control using the `/u` (uninstall) switch. \ -InstallUtil uses the functions install and uninstall within the System.Configuration.Install namespace to process .net assembly. Install function requires admin privileges, however, uninstall function can be run as an unprivileged user. \ -When `InstallUtil.exe` is used in a malicous manner, the path to an executable on the filesystem is typically specified. Take note of the parent process. In a suspicious instance, this will be spawned from a non-standard process like `Cmd.exe`, `PowerShell.exe` or `Explorer.exe`. \ -If used by a developer, typically this will be found with multiple command-line switches/arguments and spawn from Visual Studio. \ -During triage review resulting network connections, file modifications, and parallel processes. Capture any artifacts and review further. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.004", "T1218"], "nist": ["DE.CM"]} -known_false_positives = Limited false positives should be present. Filter as needed by parent process or application. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows InstallUtil Uninstall Option with Network - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the Windows InstallUtil.exe binary making a remote network connection. This technique may be used to download and execute code while bypassing application control using the `/u` (uninstall) switch. \ -InstallUtil uses the functions install and uninstall within the System.Configuration.Install namespace to process .net assembly. Install function requires admin privileges, however, uninstall function can be run as an unprivileged user. \ -When `InstallUtil.exe` is used in a malicous manner, the path to an executable on the filesystem is typically specified. Take note of the parent process. In a suspicious instance, this will be spawned from a non-standard process like `Cmd.exe`, `PowerShell.exe` or `Explorer.exe`. \ -If used by a developer, typically this will be found with multiple command-line switches/arguments and spawn from Visual Studio. \ -During triage review resulting network connections, file modifications, and parallel processes. Capture any artifacts and review further. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.004", "T1218"], "nist": ["DE.CM"]} -known_false_positives = Limited false positives should be present as InstallUtil is not typically used to download remote files. Filter as needed based on Developers requirements. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows InstallUtil URL in Command Line - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the Windows InstallUtil.exe binary passing a HTTP request on the command-line. This technique may be used to download and execute code while bypassing application control. \ -When `InstallUtil.exe` is used in a malicous manner, the path to an executable on the filesystem is typically specified. Take note of the parent process. In a suspicious instance, this will be spawned from a non-standard process like `Cmd.exe`, `PowerShell.exe` or `Explorer.exe`. \ -If used by a developer, typically this will be found with multiple command-line switches/arguments and spawn from Visual Studio. \ -During triage review resulting network connections, file modifications, and parallel processes. Capture any artifacts and review further. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.004", "T1218"], "nist": ["DE.CM"]} -known_false_positives = Limited false positives should be present as InstallUtil is not typically used to download remote files. Filter as needed based on Developers requirements. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows ISO LNK File Creation - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the use of a delivered ISO file that has been mounted and the afformention lnk or file opened within it. When the ISO file is opened, the files are saved in the %USER%\AppData\Local\Temp\\ path. The analytic identifies .iso.lnk written to the path. The name of the ISO file is prepended. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1566.001", "T1566", "T1204.001", "T1204"], "nist": ["DE.AE"]} -known_false_positives = False positives may be high depending on the environment and consistent use of ISOs mounting. Restrict to servers, or filter out based on commonly used ISO names. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Java Spawning Shells - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the process name of java.exe and w3wp.exe spawning a Windows shell. This is potentially indicative of exploitation of the Java application and may be related to current event CVE-2021-44228 (Log4Shell). The shells included in the macro are "cmd.exe", "powershell.exe". Upon triage, review parallel processes and command-line arguments to determine legitimacy. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} -known_false_positives = Filtering may be required on internal developer build systems or classify assets as web facing and restrict the analytic based on that. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Kerberos Local Successful Logon - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a local successful authentication event on a Windows endpoint using the Kerberos package. The target user security identified will be set to the built-in local Administrator account, along with the remote address as localhost - 127.0.0.1. This may be indicative of a kerberos relay attack. Upon triage, review for recently ran binaries on disk. In addition, look for new computer accounts added to Active Directory and other anomolous AD events. -how_to_implement = To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4624 EventCode enabled. The Windows TA is also required. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558"], "nist": ["DE.CM"]} -known_false_positives = False positives are possible, filtering may be required to restrict to workstations vs domain controllers. Filter as needed. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows Known Abused DLL Created - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is designed to identify instances where Dynamic Link Libraries (DLLs) with a known history of being exploited are created in locations that are not typical for their use. This could indicate that an attacker is attempting to exploit the DLL search order hijacking or sideloading techniques. DLL search order hijacking involves tricking an application into loading a malicious DLL instead of the legitimate one it was intending to load. This is often achieved by placing the malicious DLL in a directory that is searched before the directory containing the legitimate DLL. Sideloading, similarly, involves placing a malicious DLL with the same name as a legitimate DLL that an application is known to load, in a location that the application will search before finding the legitimate version. Both of these techniques can be used by attackers to execute arbitrary code, maintain persistence on a system, and potentially elevate their privileges, all while appearing as legitimate operations to the untrained eye. This analytic aims to shed light on such suspicious activities by monitoring for the creation of known abused DLLs in unconventional locations, thereby helping in the early detection of these stealthy attack techniques. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` and `Filesystem` nodes of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.001", "T1574.002", "T1574"], "nist": ["DE.AE"]} -known_false_positives = This analytic may flag instances where DLLs are loaded by user mode programs for entirely legitimate and benign purposes. It is important for users to be aware that false positives are not only possible but likely, and that careful tuning of this analytic is necessary to distinguish between malicious activity and normal, everyday operations of applications. This may involve adjusting thresholds, whitelisting known good software, or incorporating additional context from other security tools and logs to reduce the rate of false positives. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Known GraphicalProton Loaded Modules - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a potential suspicious process loading dll modules related to Graphicalproton backdoor implant of SVR. These DLL modules have been observed in SVR attacks, commonly used to install backdoors on targeted hosts. This anomaly detection highlights the need for thorough investigation and immediate mitigation measures to safeguard the network against potential breaches. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.002", "T1574"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Windows KrbRelayUp Service Creation - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the creation of a service with the default name "KrbSCM" associated with the KrbRelayUp tool. It leverages Windows System Event Logs, specifically EventCode 7045, to identify this activity. This behavior is significant as KrbRelayUp is a known tool used for privilege escalation attacks. If confirmed malicious, this activity could allow an attacker to escalate privileges, potentially gaining unauthorized access to sensitive systems and data. -how_to_implement = To successfully implement this search, you need to be ingesting Windows System Event Logs with 7045 EventCode enabled. The Windows TA is also required. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1543.003"], "nist": ["DE.CM"]} -known_false_positives = False positives should be limited as this is specific to KrbRelayUp based attack. Filter as needed. -providing_technologies = null - -[savedsearch://ESCU - Windows Large Number of Computer Service Tickets Requested - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic leverages Event ID 4769, `A Kerberos service ticket was requested`, to identify more than 30 computer service ticket requests from one source. When a domain joined endpoint connects to other remote endpoint, it will first request a Kerberos Service Ticket with the computer name as the Service Name. A user requesting a large number of computer service tickets for different endpoints could represent malicious behavior like lateral movement, malware staging, reconnaissance, etc. \ -Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold as needed. -how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1135", "T1078"], "nist": ["DE.AE"]} -known_false_positives = An single endpoint requesting a large number of kerberos service tickets is not common behavior. Possible false positive scenarios include but are not limited to vulnerability scanners, administration systems and missconfigured systems. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows Lateral Tool Transfer RemCom - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the execution of RemCom.exe, an open-source alternative to PsExec, used for lateral movement and remote command execution. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, original file names, and command-line arguments. This activity is significant as it indicates potential lateral movement within the network. If confirmed malicious, this could allow an attacker to execute commands remotely, potentially leading to further compromise and control over additional systems within the network. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1570"], "nist": ["DE.CM"]} -known_false_positives = False positives may be present based on Administrative use. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Ldifde Directory Object Behavior - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the use of Ldifde.exe, which provides the ability to create, modify, or delete LDAP directory objects. Natively, the binary is only installed on a domain controller. However, adversaries or administrators may install the Windows Remote Server Admin Tools for ldifde.exe. Ldifde.exe is a Microsoft Windows command-line utility used to import or export LDAP directory entries. LDAP stands for Lightweight Directory Access Protocol, which is a protocol used for accessing and managing directory information services over an IP network. LDIF, on the other hand, stands for LDAP Data Interchange Format, a standard plain-text data interchange format for representing LDAP directory entries. -i This is a flag used with Ldifde.exe to denote import mode. In import mode, Ldifde.exe takes an LDIF file and imports its contents into the LDAP directory. The data in the LDIF file might include new objects to be created, or modifications or deletions to existing objects. -f This flag is used to specify the filename of the LDIF file that Ldifde.exe will import from (in the case of the -i flag) or export to (without the -i flag). For example, if you wanted to import data from a file called data.ldif, you would use the command ldifde -i -f data.ldif. Keep in mind that while the use of Ldifde.exe is legitimate in many contexts, it can also be used maliciously. For instance, an attacker who has gained access to a domain controller could potentially use Ldifde.exe to export sensitive data or make unauthorized changes to the directory. Therefore, it's important to monitor for unusual or unauthorized use of this tool. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control", "Exploitation"], "mitre_attack": ["T1105", "T1069.002"], "nist": ["DE.CM"]} -known_false_positives = False positives may be present, filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Linked Policies In ADSI Discovery - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain groups. Red Teams and adversaries may leverage `[Adsisearcher]` to enumerate domain organizational unit for situational awareness and Active Directory Discovery. -how_to_implement = The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.AE"]} -known_false_positives = Administrators or power users may use this command for troubleshooting. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows Local Administrator Credential Stuffing - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic leverages events 4625 and 4624 to identify an endpoint using the builtin local Administrator account to authenticate to a large numbers of endpoints. Specifically, the logic will trigger when an endpoints attempts to authenticate to more than 30 target computers within a 5 minute timespan. This behavior could represent an adversary who has obtained access to local credentials and is trying to validate if these credentials work on other hosts to escalate their privileges. As environments differ across organizations, security teams should customize the thresholds of this detection as needed. -how_to_implement = To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110", "T1110.004"], "nist": ["DE.CM"]} -known_false_positives = Vulnerability scanners or system administration tools may also trigger this detection. Filter as needed. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows LSA Secrets NoLMhash Registry - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a modification in the Windows registry related to the Local Security Authority (LSA) in Windows. This registry value is used to determine whether the system should store passwords in the weaker Lan Manager (LM) hash format. Setting it to 0 disables this feature, meaning LM hashes will be stored. Modifying these settings should be done carefully and with a clear understanding of the impact it might have on system security and functionality. This command is often used in security configurations to enforce stronger password storage methods and prevent the storage of weaker LM hashes, which are more susceptible to certain types of attacks. This TTP detection can be a good indicator of any process or user that tries to modify the LSA security configuration. -how_to_implement = To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.004"], "nist": ["DE.CM"]} -known_false_positives = Administrator may change this registry setting. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Mail Protocol In Non-Common Process Path - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a possible windows application having a SMTP connection in a non common installation path in windows operating system.This network protocol is being used by adversaries, threat actors and malware like AgentTesla as a Command And Control communication to transfer its collected stolen information like the desktop screenshots, browser information and system information of a targeted or compromised host. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and sysmon eventcode = 3 connection events from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1071.003", "T1071"], "nist": ["DE.AE"]} -known_false_positives = third party application may use this network protocol as part of its feature. Filter is needed. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Windows Mark Of The Web Bypass - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a suspicious process that delete mark-of-the-web data stream. This technique has been observed in various instances of malware and adversarial activities aimed at circumventing security restrictions within the Windows Operating System, particularly pertaining to files downloaded from the internet. An example of this scenario is demonstrated by Ave Maria RAT, which attempts to delete this data stream as a means to evade such restrictions. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the deleted target file name, process name and process id from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1553.005"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Windows Masquerading Explorer As Child Process - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a suspicious parent process of explorer.exe. Explorer is usually executed by userinit.exe that will exit after execution that causes the main explorer.exe no parent process. Some malware like qakbot spawn another explorer.exe to inject its code. This TTP detection is a good indicator that a process spawning explorer.exe might inject code or masquerading its parent child process to evade detections. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.002", "T1574"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Masquerading Msdtc Process - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a suspicious msdtc.exe with specific command-line parameters, particularly -a or -b, which are regarded as potential indicators of the presence of the insidious PlugX malware. This malware is notorious for its covert operations and is frequently utilized by threat actors for unauthorized access, data exfiltration, and espionage. The analytic's focus on the -a or -b command-line parameters within msdtc.exe is rooted in the PlugX malware's sophisticated tactic of masquerading its activities. To elude detection, PlugX employs a technique where it injects a concealed, headless PlugX Dynamic Link Library (DLL) module into the legitimate msdtc.exe process. By leveraging these specific command-line parameters, the malware attempts to disguise its presence within a system's legitimate processes, thereby evading immediate suspicion. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Mimikatz Binary Execution - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = As simple as it sounds, this analytic identifies when the native mimikatz.exe binary executes on Windows. It does look for the original file name as well, just in case the binary is renamed. Adversaries sometimes bring in the default binary and run it directly. Benjamin Delpy originally created Mimikatz as a proof of concept to show Microsoft that its authentication protocols were vulnerable to an attack. Instead, he inadvertently created one of the most widely used and downloaded threat actor tools of the past 20 years. Mimikatz is an open-source application that allows users to view and save authentication credentials such as Kerberos tickets. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003"], "nist": ["DE.CM"]} -known_false_positives = False positives should be limited as this is directly looking for Mimikatz, the credential dumping utility. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Mimikatz Crypto Export File Extensions - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the creation of files with extensions commonly associated with the Mimikatz Crypto module. It leverages the Endpoint.Filesystem data model to identify specific file names indicative of certificate export activities. This behavior is significant as it may indicate the use of Mimikatz to export cryptographic keys, which is a common tactic for credential theft. If confirmed malicious, this activity could allow an attacker to exfiltrate sensitive cryptographic material, potentially leading to unauthorized access and further compromise of the environment. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1649"], "nist": ["DE.AE"]} -known_false_positives = False positives may be present and may need to be reviewed before this can be turned into a TTP. In addition, remove .pfx (standalone) if it's too much volume. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Modify Registry AuthenticationLevelOverride - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a modification in the Windows registry related to authentication level settings. This registry is the configuration for authentication level settings within the Terminal Server Client settings in Windows. AuthenticationLevelOverride might be used to control or override the authentication level used by the Terminal Server Client for remote connections. DarkGate malware modify this registry as part of its malicious installation in a targeted host for its remote desktop capabilities. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -known_false_positives = Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Modify Registry Auto Minor Updates - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that will "Treat minor updates like other updates". -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -known_false_positives = administrators may enable or disable this feature that may cause some false positive. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Modify Registry Auto Update Notif - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a suspicious registry modification of Windows auto update notification. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that will switch the automatic windows update to "Notify before download". -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -known_false_positives = administrators may enable or disable this feature that may cause some false positive. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Modify Registry Default Icon Setting - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is developed to detect suspicious registry modification to change the default icon association of windows to ransomware . This technique was seen in Lockbit ransomware where it modified the default icon association of the compromised Windows OS host with its dropped ransomware icon file as part of its defacement payload. This registry is not commonly modified by a normal user so having this anomaly detection may help to catch possible lockbit ransomware infection or other malware. -how_to_implement = To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Modify Registry Disable Restricted Admin - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a modification in the Windows registry related to DisableRestrictedAdmin. This registry entry is used to control the behavior of Restricted Admin mode, which is a security feature that limits the exposure of sensitive credentials when connecting remotely to another computer. When this registry value is set to 0 it indicates that Restricted Admin mode is enabled (default behavior). As with any modifications to registry settings, changing this entry should be approached cautiously, ensuring a clear understanding of the implications for system security and functionality. Unauthorized changes to these security settings can pose risks and should be monitored closely for any signs of tampering or unauthorized alterations. -how_to_implement = To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} -known_false_positives = Administrator may change this registry setting. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Modify Registry Disable Toast Notifications - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic is to identify a modification in the Windows registry to disable toast notifications. This Windows Operating System feature is responsible for alerting or notifying user if application or OS need some updates. Adversaries and malwares like Azorult abuse this technique to disable important update notification in compromised host. This anomaly detection is a good pivot to look for further events related to defense evasion and execution. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -known_false_positives = administrators may enable or disable this feature that may cause some false positive. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Modify Registry Disable Win Defender Raw Write Notif - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a modification in the Windows registry to disable Windows Defender raw write notification feature. This policy controls whether raw volume write notifications are sent to behavior monitoring or not. This registry was recently identified in Azorult malware to bypass Windows Defender detections or behavior monitoring in terms of volume write. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -known_false_positives = Administrators may enable or disable this feature that may cause some false positive. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Modify Registry Disable WinDefender Notifications - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a suspicious registry modification to disable Windows Defender notification. This technique was being abused by several adversaries, malware authors and also red-teamers to evade detection on the targeted machine. RedLine Stealer is one of the malware we've seen that uses this technique to bypass Windows defender detection. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} -known_false_positives = administrators may enable or disable this feature that may cause some false positive. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Modify Registry Disable Windows Security Center Notif - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic is to identify a modification in the Windows registry to disable windows center notifications. This Windows Operating System feature is responsible for alerting or notifying user if application or OS need some updates. Adversaries and malwares like Azorult abuse this technique to disable important update notification in compromised host. This anomaly detection is a good pivot to look for further events related to defense evasion and execution. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -known_false_positives = administrators may enable or disable this feature that may cause some false positive. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Modify Registry DisableRemoteDesktopAntiAlias - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a modification in the Windows registry to DisableRemoteDesktopAntiAlias. This registry setting might be intended to manage or control anti-aliasing behavior (smoothing of edges and fonts) within Remote Desktop sessions. DarkGate malware modify this registry as part of its malicious installation in a targeted host for its remote desktop capabilities. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} -known_false_positives = Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Modify Registry DisableSecuritySettings - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a modification in the Windows registry to disable security settings of Terminal Services. altering or disabling security settings within Terminal Services. Terminal Services, now known as Remote Desktop Services (RDS) in more recent Windows versions, allows users to access applications, data, and even an entire desktop remotely. DarkGate malware modify this registry as part of its malicious installation in a targeted host for its remote desktop capabilities. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} -known_false_positives = Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Modify Registry Disabling WER Settings - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a modification in the Windows registry to disable Windows error reporting settings. This Windows feature allows the user to report bugs, errors, failure or problems encountered in specific application or processes. Adversaries use this technique to hide any error or failure that some of its malicious components trigger. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} -known_false_positives = Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Modify Registry DisAllow Windows App - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies modification in the Windows registry to prevent user running specific computer programs that could aid them in manually removing malware or detecting it using security products. This technique was recently identified in Azorult malware where it uses this registry value to prevent several AV products to execute on the compromised host machine. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} -known_false_positives = Administrators may enable or disable this feature that may cause some false positive. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Modify Registry Do Not Connect To Win Update - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that will disable Windos update functionality, and may cause connection to public services such as the Windows Store to stop working. This policy applies only when this PC is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -known_false_positives = administrators may enable or disable this feature that may cause some false positive. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Modify Registry DontShowUI - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a modification in the Windows Error Reporting registry to DontShowUI. DarkGate malware modify this registry as part of its malicious installation in a targeted host for its remote desktop capabilities. When this registry value is present and set to a specific configuration, it can influence the behavior of error reporting dialogs or prompts, suppressing them from being displayed to the user.For instance, setting DontShowUI to a value of 1 often indicates that the Windows Error Reporting UI prompts will be suppressed, meaning users won't see error reporting pop-ups when errors occur. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} -known_false_positives = Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Modify Registry EnableLinkedConnections - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a suspicious registry modification of Windows linked connection configuration. This technique was being abused by several adversaries, malware like BlackByte ransomware to enable the linked connections feature, that allows network shares to be accessed using both standard and administrator-level privileges simultaneously. By default, Windows does not enable this feature to enhance security. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} -known_false_positives = Administrators may enable or disable this feature that may cause some false positive. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Modify Registry LongPathsEnabled - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a suspicious registry modification of Windows long path enable configuration. This technique was being abused by several adversaries, malware like BlackByte to enable long file path support in the operating system. By default, Windows has a limitation on the maximum length of a file path, which is set to 260 characters. Enabling the LongPathsEnabled setting allows you to work with file paths longer than 260 characters. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -known_false_positives = Administrators may enable or disable this feature that may cause some false positive. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Modify Registry MaxConnectionPerServer - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a suspicious registry modification of Windows max connection per server configuration. This particular technique has been observed in various threat actors, adversaries, and even in malware such as the Warzone (Ave Maria) RAT. By altering the max connection per server setting in the Windows registry, attackers can potentially increase the number of concurrent connections allowed to a remote server. This modification could be exploited for various malicious purposes, including facilitating distributed denial-of-service (DDoS) attacks or enabling more effective lateral movement within a compromised network. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -known_false_positives = Administrators may enable or disable this feature that may cause some false positive. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Modify Registry No Auto Reboot With Logon User - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that will allow "Logged-on user gets to choose whether or not to restart his or her compute". -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -known_false_positives = Administrators may enable or disable this feature that may cause some false positive. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Modify Registry No Auto Update - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that will "Disable Automatic Updates". -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -known_false_positives = Administrators may enable or disable this feature that may cause some false positive. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Modify Registry NoChangingWallPaper - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies alterations in the Windows registry aimed at restricting wallpaper modifications. This tactic has been exploited by the Rhysida ransomware as a part of its destructive payload within compromised systems. By making this registry modification, the ransomware seeks to impede users from changing the wallpaper forcibly set by the malware, restricting the user's control over their system's visual settings. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} -known_false_positives = Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Modify Registry ProxyEnable - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a modification in the Windows registry to enable proxy. This method has been exploited by various malware and adversaries to establish proxy communication on compromised hosts, facilitating connections to malicious Command and Control (C2) servers. Identifying this anomaly serves as a crucial indicator to unveil suspicious processes attempting to activate the proxy feature within the Windows operating system. Detecting such attempts becomes pivotal in flagging potential threats, especially those aiming to leverage proxy configurations for unauthorized communication with malicious entities. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -known_false_positives = Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Modify Registry ProxyServer - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a modification in the Windows registry to setup proxy server. This method has been exploited by various malware and adversaries to establish proxy communication on compromised hosts, facilitating connections to malicious Command and Control (C2) servers. Identifying this anomaly serves as a crucial indicator to unveil suspicious processes attempting to activate the proxy feature within the Windows operating system. Detecting such attempts becomes pivotal in flagging potential threats, especially those aiming to leverage proxy configurations for unauthorized communication with malicious entities. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -known_false_positives = Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Modify Registry Qakbot Binary Data Registry - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a suspicious registry entry created by Qakbot malware as part of its malicious execution. This "Binary Data" Registry was created by newly spawn explorer.exe where its malicious code is injected to it. The registry consist of 8 random registry value name with encrypted binary data on its registry value data. This anomaly detections can be a good pivot for possible Qakbot malware infection or other malware that uses registry to save or store there config or malicious code on the registry data stream. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Modify Registry Reg Restore - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a process execution of reg.exe with "restore" parameter. This reg.exe parameter is commonly used to restore registry backup data in a targeted host. This approach or technique was also seen in post-exploitation tool like winpeas where it uses "reg save" and "reg restore" to check the registry modification restriction in targeted host after gaining access to it. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1012"], "nist": ["DE.AE"]} -known_false_positives = network administrator can use this command tool to backup registry before updates or modifying critical registries. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Modify Registry Regedit Silent Reg Import - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies modification of Windows registry using regedit.exe application with silent mode parameter. regedit.exe windows application is commonly used as GUI app to check or modify registry. This application is also has undocumented command-line parameter and one of those are silent mode parameter that performs action without stopping for confirmation with dialog box. Importing registry from .reg files need to monitor in a production environment since it can be used adversaries to import RMS registry in compromised host. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -known_false_positives = Administrators may execute this command that may cause some false positive. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Modify Registry Risk Behavior - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is designed to identify instances where three or more distinct analytics associated with Mitre ID T1112 - Modification of registry information are triggered. Such occurrences could indicate the presence of multiple malicious registry modifications on a host. Malicious actors frequently manipulate the Windows Registry to hide important configuration details within specific Registry keys. This technique allows them to obscure their activities, erase any evidence during cleanup operations, and establish continuous access and execution of malicious code. -how_to_implement = Splunk Enterprise Security is required to utilize this correlation. In addition, modify the source_count value to your environment. In our testing, a count of 4 or 5 was decent in a lab, but the number may need to be increased base on internal testing. In addition, based on false positives, modify any analytics to be anomaly and lower or increase risk based on organization importance. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -known_false_positives = False positives will be present based on many factors. Tune the correlation as needed to reduce too many triggers. -providing_technologies = null - -[savedsearch://ESCU - Windows Modify Registry Suppress Win Defender Notif - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic is to identify a modification in the Windows registry to suppress windows defender notification. This technique was abuse by adversaries and threat actor to bypassed windows defender on the targeted host. Azorult malware is one of the malware use this technique that also disable toast notification and other windows features as part of its malicious behavior. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -known_false_positives = administrators may enable or disable this feature that may cause some false positive. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Modify Registry Tamper Protection - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a suspicious registry modification to tamper Windows Defender protection. This technique was being abused by several adversaries, malware authors and also red-teamers to evade detection on the targeted machine. RedLine Stealer is one of the malware we've seen that uses this technique to bypass Windows defender detection. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} -known_false_positives = Administrators may enable or disable this feature that may cause some false positive. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Modify Registry UpdateServiceUrlAlternate - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that specifies an intranet server to host updates from Microsoft Update. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -known_false_positives = Administrators may enable or disable this feature that may cause some false positive. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Modify Registry USeWuServer - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that will use "The WUServer value unless this key is set". -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -known_false_positives = administrators may enable or disable this feature that may cause some false positive. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Modify Registry With MD5 Reg Key Name - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is designed to identify potentially malicious registry modification characterized by MD5-like registry key names. This technique has been notably observed in NjRAT malware, which employs such registries for fileless storage of keylogs and .DLL plugins. Detecting this tactic serves as an effective means of identifying possible NjRAT malware instances that create or modify registries as part of their malicious activities. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Modify Registry WuServer - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification related to the WSUS server used by Automatic Updates and (by default) API callers. This policy is paired with WUStatusServer; both must be set to the same value in order for them to be valid. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -known_false_positives = Administrators may enable or disable this feature that may cause some false positive. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Modify Registry wuStatusServer - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification related to the server to which reporting information will be sent for client computers that use the WSUS server configured by the WUServer key. This policy is paired with WUServer; both must be set to the same value in order for them to be valid. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -known_false_positives = administrators may enable or disable this feature that may cause some false positive. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Modify Show Compress Color And Info Tip Registry - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is to look for suspicious registry modification related to file compression color and information tips. This IOC was seen in hermetic wiper where it has a thread that will create this registry entry to change the color of compressed or encrypted files in NTFS file system as well as the pop up information tips. This is a good indicator that a process tries to modified one of the registry GlobalFolderOptions related to file compression attribution in terms of color in NTFS file system. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Modify System Firewall with Notable Process Path - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects a potential suspicious modification of firewall rule allowing to execute specific application in public and suspicious windows process file path. This technique was identified when an adversary and red teams to bypassed firewall file execution restriction in a targetted host. Take note that this event or command can run by administrator during testing or allowing legitimate tool or application. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.004", "T1562"], "nist": ["DE.CM"]} -known_false_positives = A network operator or systems administrator may utilize an automated or manual execution of this firewall rule that may generate false positives. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows MOF Event Triggered Execution via WMI - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following anaytic identifies MOFComp.exe loading a MOF file. The Managed Object Format (MOF) compiler parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository. Typically, MOFComp.exe does not reach out to the public internet or load a MOF file from User Profile paths. A filter and consumer is typically registered in WMI. Review parallel processes and query WMI subscriptions to gather artifacts. The default path of mofcomp.exe is C:\Windows\System32\wbem. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1546.003"], "nist": ["DE.CM"]} -known_false_positives = False positives may be present from automation based applications (SCCM), filtering may be required. In addition, break the query out based on volume of usage. Filter process names or file paths. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows MOVEit Transfer Writing ASPX - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the creation of new ASPX files in the MOVEit Transfer application's "wwwroot" directory. This activity is indicative of the recent critical vulnerability found in MOVEit Transfer, where threat actors have been observed exploiting a zero-day vulnerability to install a malicious ASPX file (e.g., "human2.aspx") in the wwwroot directory. The injected file could then be used to exfiltrate sensitive data, including user credentials and file metadata. The vulnerability affects the MOVEit Transfer managed file transfer software developed by Progress, a subsidiary of US-based Progress Software Corporation. This analytic requires endpoint data reflecting process and filesystem activity. The identified process must be responsible for the creation of new ASPX or ASHX files in the specified directory. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} -known_false_positives = The query is structured in a way that `action` (read, create) is not defined. Review the results of this query, filter, and tune as necessary. It may be necessary to generate this query specific to your endpoint product. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows MSExchange Management Mailbox Cmdlet Usage - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies suspicious Cmdlet usage in Exchange Management logs, focusing on commands like New-MailboxExportRequest and New-ManagementRoleAssignment. It leverages EventCode 1 and specific Message patterns to detect potential ProxyShell and ProxyNotShell abuse. This activity is significant as it may indicate unauthorized access or manipulation of mailboxes and roles, which are critical for maintaining email security. If confirmed malicious, attackers could export mailbox data, assign new roles, or search mailboxes, leading to data breaches and privilege escalation. -how_to_implement = The following analytic requires collecting the Exchange Management logs via a input. An example inputs is here https://gist.github.com/MHaggis/f66f1d608ea046efb9157020cd34c178. We used multiline as the XML format of the logs will require props/transforms. Multiline gives us everything we need in Message for now. Update the macro with your correct sourcetype. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.AE"]} -known_false_positives = False positives may be present when an Administrator utilizes the cmdlets in the query. Filter or monitor as needed. -providing_technologies = null - -[savedsearch://ESCU - Windows Mshta Execution In Registry - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the usage of mshta.exe Windows binary in registry to execute malicious script. This technique was seen in kovter malware where it create several registry entry which is a encoded javascript and will be executed by another registry containing mshta and javascript activexobject to execute the encoded script using wscript.shell. This TTP is a good indication of kovter malware or other adversaries or threat actors leveraging fileless detection that survive system reboot. -how_to_implement = To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.005"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows MSHTA Writing to World Writable Path - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This detection identifies instances of the Windows utility `mshta.exe` being used to write files to world-writable directories, a technique commonly leveraged by adversaries to execute malicious scripts or payloads. Starting from 26 February 2024, APT29 has been observed distributing phishing attachments that lead to the download and execution of the ROOTSAW dropper via a compromised website. The ROOTSAW payload, utilizing obfuscated JavaScript, downloads a file named `invite.txt` to the `C:\Windows\Tasks` directory. This file is then decoded and decompressed to execute a malicious payload, often leveraging legitimate Windows binaries for malicious purposes, as seen with `SqlDumper.exe` in this campaign. \ \ -The analytic is designed to detect the initial file write operation by `mshta.exe` to directories that are typically writable by any user, such as `C:\Windows\Tasks`, `C:\Windows\Temp`, and others. This behavior is indicative of an attempt to establish persistence, execute code, or both, as part of a multi-stage infection process. The detection focuses on the use of `mshta.exe` to write to these locations, which is a deviation from the utility's legitimate use cases and thus serves as a strong indicator of compromise (IoC). \ \ -The ROOTSAW campaign associated with APT29 utilizes a sophisticated obfuscation technique and leverages multiple stages of payloads, ultimately leading to the execution of the WINELOADER malware. This detection aims to catch the early stages of such attacks, enabling defenders to respond before full compromise occurs. -how_to_implement = The analytic is designed to be run against Sysmon event logs collected from endpoints. The analytic requires the Sysmon event logs to be ingested into Splunk. The search focuses on EventCode 11 where the Image is `mshta.exe` and the TargetFilename is within world-writable directories such as `C:\Windows\Tasks`, `C:\Windows\Temp`, and others. The detection is designed to catch the initial file write operation by `mshta.exe` to these locations, which is indicative of an attempt to establish persistence or execute malicious code. The analytic can be modified to include additional world-writable directories as needed. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.005"], "nist": ["DE.CM"]} -known_false_positives = False positives may occur if legitimate processes are writing to world-writable directories. It is recommended to investigate the context of the file write operation to determine if it is malicious or not. Modify the search to include additional known good paths for `mshta.exe` to reduce false positives. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Windows MSIExec DLLRegisterServer - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the execution of msiexec.exe with the /y switch parameter, which enables the loading of DLLRegisterServer. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process command-line arguments and parent-child process relationships. This activity is significant because it can indicate an attempt to register malicious DLLs, potentially leading to code execution or persistence on the system. If confirmed malicious, this could allow an attacker to execute arbitrary code, escalate privileges, or maintain persistence within the environment. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.007"], "nist": ["DE.CM"]} -known_false_positives = This analytic will need to be tuned for your environment based on legitimate usage of msiexec.exe. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows MsiExec HideWindow Rundll32 Execution - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a msiexec.exe process with hidewindow rundll32 process commandline. One such tactic involves utilizing system processes like "msiexec," "hidewindow," and "rundll32" through command-line execution. By leveraging these legitimate processes, QakBot masks its malicious operations, hiding behind seemingly normal system activities. This clandestine approach allows the trojan to carry out unauthorized tasks discreetly, such as downloading additional payloads, executing malicious code, or establishing communication with remote servers. This obfuscation through trusted system processes enables QakBot to operate stealthily, evading detection by security mechanisms and perpetuating its harmful actions without raising suspicion. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.007", "T1218"], "nist": ["DE.CM"]} -known_false_positives = Other possible 3rd party msi software installers use this technique as part of its installation process. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows MSIExec Remote Download - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the use of msiexec.exe with an HTTP or HTTPS URL in the command line, indicating a remote file download attempt. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant as it may indicate an attempt to download and execute potentially malicious software from a remote server. If confirmed malicious, this could lead to unauthorized code execution, system compromise, or further malware deployment within the network. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.007"], "nist": ["DE.CM"]} -known_false_positives = False positives may be present, filter by destination or parent process as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows MSIExec Spawn Discovery Command - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects MSIExec spawning multiple discovery commands, such as Cmd.exe or PowerShell.exe. This behavior is identified using data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where MSIExec is the parent process. This activity is significant because MSIExec typically does not spawn child processes other than itself, making this behavior highly suspicious. If confirmed malicious, an attacker could use these discovery commands to gather system information, potentially leading to further exploitation or lateral movement within the network. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.007"], "nist": ["DE.CM"]} -known_false_positives = False positives will be present with MSIExec spawning Cmd or PowerShell. Filtering will be needed. In addition, add other known discovery processes to enhance query. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows MSIExec Spawn WinDBG - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic identifies the unusual behavior of MSIExec spawning WinDBG. It is designed to detect potential malicious activities. The search specifically looks for instances where the parent process name is 'msiexec.exe' and the process name is 'windbg.exe'. During the triage process, it is recommended to review the file path for additional artifacts that may provide further insights into the event. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.007"], "nist": ["DE.CM"]} -known_false_positives = False positives will only be present if the MSIExec process legitimately spawns WinDBG. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows MSIExec Unregister DLLRegisterServer - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the use of msiexec.exe with the /z switch parameter, which is used to unload DLLRegisterServer. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs, including command-line arguments. This activity is significant because unloading DLLRegisterServer can be indicative of an attempt to deregister a DLL, potentially disrupting legitimate services or hiding malicious activity. If confirmed malicious, this could allow an attacker to disable security controls, evade detection, or disrupt system functionality, leading to further compromise of the environment. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.007"], "nist": ["DE.CM"]} -known_false_positives = This analytic will need to be tuned for your environment based on legitimate usage of msiexec.exe. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows MSIExec With Network Connections - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects MSIExec making network connections over ports 443 or 80. This behavior is identified by correlating process creation events from Endpoint Detection and Response (EDR) agents with network traffic logs. Typically, MSIExec does not perform network communication to the internet, making this activity unusual and potentially indicative of malicious behavior. If confirmed malicious, an attacker could be using MSIExec to download or communicate with external servers, potentially leading to data exfiltration, command and control (C2) communication, or further malware deployment. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.007"], "nist": ["DE.CM"]} -known_false_positives = False positives will be present and filtering is required. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Multi hop Proxy TOR Website Query - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a dns query to a known TOR proxy website. This technique was seen in several adversaries, threat actors and malware like AgentTesla to To disguise the source of its malicious traffic. adversaries may chain together multiple proxies. This Anomaly detection might be a good pivot for a process trying to download or use TOR proxies in a compromised host machine. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and sysmon eventcode = 22 dns query events from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1071.003", "T1071"], "nist": ["DE.AE"]} -known_false_positives = third party application may use this proxies if allowed in production environment. Filter is needed. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Windows Multiple Account Passwords Changed - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This Splunk detection identifies situations where over five unique Windows account passwords are changed within a 10-minute interval, captured by Event Code 4724 in the Windows Security Event Log. The query utilizes the wineventlog_security dataset, organizing data into 10-minute periods to monitor the count and distinct count of TargetUserName, the accounts with altered passwords. Rapid password changes across multiple accounts are atypical and might indicate unauthorized access or an internal actor compromising account security. Teams should calibrate the detection's threshold and timeframe to fit their specific operational context. -how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller events with the Windows TA. The Advanced Security Audit policy setting `Audit User Account Management` within `Account Management` needs to be enabled. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1098", "T1078"], "nist": ["DE.CM"]} -known_false_positives = Service accounts may be responsible for the creation, deletion or modification of accounts for legitimate purposes. Filter as needed. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows Multiple Accounts Deleted - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic flags when more than five unique Windows accounts are deleted within a 10-minute period, identified by Event Code 4726 in the Windows Security Event Log. Using the wineventlog_security dataset, it segments data into 10-minute intervals to monitor account deletions, a pattern that could suggest malicious intent like an attacker erasing traces. Teams should adjust the detection's threshold and timeframe to suit their specific environment. -how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller events with the Windows TA. The Advanced Security Audit policy setting `Audit User Account Management` within `Account Management` needs to be enabled. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1098", "T1078"], "nist": ["DE.CM"]} -known_false_positives = Service accounts may be responsible for the creation, deletion or modification of accounts for legitimate purposes. Filter as needed. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows Multiple Accounts Disabled - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This Splunk detection focuses on instances where more than five unique Windows accounts are disabled within a 10-minute window, as indicated by Event Code 4725 in the Windows Security Event Log. The query analyzes the wineventlog_security dataset, grouping data into 10-minute segments, and tracks the count and distinct count of TargetUserName, the accounts being disabled. This pattern of disabling multiple accounts rapidly is unusual and could signal internal policy breaches or an external attacker's attempt to disrupt normal operations. Teams are advised to tailor the threshold and timeframe of this detection to their environment's specifics -how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller events with the Windows TA. The Advanced Security Audit policy setting `Audit User Account Management` within `Account Management` needs to be enabled. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1098", "T1078"], "nist": ["DE.CM"]} -known_false_positives = Service accounts may be responsible for the creation, deletion or modification of accounts for legitimate purposes. Filter as needed. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies one source endpoint failing to authenticate with 30 unique disabled domain users using the Kerberos protocol within 5 minutes. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using Kerberos to obtain initial access or elevate privileges. Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold when needed. As attackers progress in a breach, mistakes will be made. In certain scenarios, adversaries may execute a password spraying attack against disabled users. Event 4768 is generated every time the Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT). Failure code `0x12` stands for `clients credentials have been revoked` (account disabled, expired or locked out). \ -This logic can be used for real time security monitoring as well as threat hunting exercises. This detection will only trigger on domain controllers, not on member servers or workstations. \ -The analytics returned fields allow analysts to investigate the event further by providing fields like source ip and attempted user accounts. -how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.CM"]} -known_false_positives = A host failing to authenticate with multiple disabled domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, multi-user systems missconfigured systems. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows Multiple Invalid Users Fail To Authenticate Using Kerberos - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies one source endpoint failing to authenticate with 30 unique invalid domain users using the Kerberos protocol. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using Kerberos to obtain initial access or elevate privileges. Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold when needed. As attackers progress in a breach, mistakes will be made. In certain scenarios, adversaries may execute a password spraying attack using an invalid list of users. Event 4768 is generated every time the Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT). Failure code 0x6 stands for `client not found in Kerberos database` (the attempted user is not a valid domain user). \ -This logic can be used for real time security monitoring as well as threat hunting exercises. This detection will only trigger on domain controllers, not on member servers or workstations. \ -The analytics returned fields allow analysts to investigate the event further by providing fields like source ip and attempted user accounts. -how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.CM"]} -known_false_positives = A host failing to authenticate with multiple invalid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, multi-user systems and missconfigured systems. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows Multiple Invalid Users Failed To Authenticate Using NTLM - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies one source endpoint failing to authenticate with 30 unique invalid users using the NTLM protocol. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using NTLM to obtain initial access or elevate privileges. Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold when needed. As attackers progress in a breach, mistakes will be made. In certain scenarios, adversaries may execute a password spraying attack using an invalid list of users. Event 4776 is generated on the computer that is authoritative for the provided credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative. Error code 0xC0000064 stands for `The username you typed does not exist` (the attempted user is a legitimate domain user). \ -This logic can be used for real time security monitoring as well as threat hunting exercises. This detection will only trigger on domain controllers, not on member servers or workstations. \ -The analytics returned fields allow analysts to investigate the event further by providing fields like source workstation name and attempted user accounts. -how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `Audit Credential Validation' within `Account Logon` needs to be enabled. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.CM"]} -known_false_positives = A host failing to authenticate with multiple invalid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems. If this detection triggers on a host other than a Domain Controller, the behavior could represent a password spraying attack against the host's local accounts. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a source user failing to authenticate with 30 unique users using explicit credentials on a host. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment to obtain initial access or elevate privileges. Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold when needed. Event 4648 is generated when a process attempts an account logon by explicitly specifying that accounts credentials. This event generates on domain controllers, member servers, and workstations. \ -This logic can be used for real time security monitoring as well as threat hunting exercises. This detection will trigger on the potenfially malicious host, perhaps controlled via a trojan or operated by an insider threat, from where a password spraying attack is being executed. \ -The analytics returned fields allow analysts to investigate the event further by providing fields like source account, attempted user accounts and the endpoint were the behavior was identified. -how_to_implement = To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.CM"]} -known_false_positives = A source user failing attempting to authenticate multiple users on a host is not a common behavior for regular systems. Some applications, however, may exhibit this behavior in which case sets of users hosts can be added to an allow list. Possible false positive scenarios include systems where several users connect to like Mail servers, identity providers, remote desktop services, Citrix, etc. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows Multiple Users Failed To Authenticate From Host Using NTLM - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies one source endpoint failing to authenticate with 30 unique valid users using the NTLM protocol. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using NTLM to obtain initial access or elevate privileges. Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold when needed. Event 4776 is generated on the computer that is authoritative for the provided credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative. Error code 0xC000006A means: misspelled or bad password (the attempted user is a legitimate domain user). \ -This logic can be used for real time security monitoring as well as threat hunting exercises. This detection will only trigger on domain controllers, not on member servers or workstations. \ -The analytics returned fields allow analysts to investigate the event further by providing fields like source workstation name and attempted user accounts. -how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `Audit Credential Validation` within `Account Logon` needs to be enabled. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.CM"]} -known_false_positives = A host failing to authenticate with multiple valid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems. If this detection triggers on a host other than a Domain Controller, the behavior could represent a password spraying attack against the host's local accounts. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows Multiple Users Failed To Authenticate From Process - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a source process name failing to authenticate with 30 uniquer users. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment to obtain initial access or elevate privileges. Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold when needed. Event 4625 generates on domain controllers, member servers, and workstations when an account fails to logon. Logon Type 2 describes an iteractive logon attempt. \ -This logic can be used for real time security monitoring as well as threat hunting exercises. This detection will trigger on the potenfially malicious host, perhaps controlled via a trojan or operated by an insider threat, from where a password spraying attack is being executed. This could be a domain controller as well as a member server or workstation. \ -The analytics returned fields allow analysts to investigate the event further by providing fields like source process name, source account and attempted user accounts. -how_to_implement = To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers aas well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.CM"]} -known_false_positives = A process failing to authenticate with multiple users is not a common behavior for legitimate user sessions. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows Multiple Users Failed To Authenticate Using Kerberos - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies one source endpoint failing to authenticate with 30 unique users using the Kerberos protocol. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using Kerberos to obtain initial access or elevate privileges. Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold when needed. Event 4771 is generated when the Key Distribution Center fails to issue a Kerberos Ticket Granting Ticket (TGT). Failure code 0x18 stands for `wrong password provided` (the attempted user is a legitimate domain user). \ -This logic can be used for real time security monitoring as well as threat hunting exercises. This detection will only trigger on domain controllers, not on member servers or workstations. \ -The analytics returned fields allow analysts to investigate the event further by providing fields like source ip and attempted user accounts. -how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.CM"]} -known_false_positives = A host failing to authenticate with multiple valid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, missconfigured systems and multi-user systems like Citrix farms. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows Multiple Users Remotely Failed To Authenticate From Host - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a source host failing to authenticate against a remote host with 30 unique users. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment to obtain initial access or elevate privileges. Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold when needed. Event 4625 documents each and every failed attempt to logon to the local computer. This event generates on domain controllers, member servers, and workstations. Logon Type 3 describes an remote authentication attempt. \ -This logic can be used for real time security monitoring as well as threat hunting exercises. This detection will trigger on the host that is the target of the password spraying attack. This could be a domain controller as well as a member server or workstation. \ -The analytics returned fields allow analysts to investigate the event further by providing fields like source process name, source account and attempted user accounts. -how_to_implement = To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.CM"]} -known_false_positives = A host failing to authenticate with multiple valid users against a remote host is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, remote administration tools, missconfigyred systems, etc. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows New InProcServer32 Added - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is designed to detect the addition of new InProcServer32 registry keys, which could indicate suspicious or malicious activity on a Windows endpoint. The InProcServer32 registry key specifies the path to a COM object that can be loaded into the process space of calling processes. Malware often abuses this mechanism to achieve persistence or execute code by registering a new InProcServer32 key pointing to a malicious DLL. By monitoring for the creation of new InProcServer32 keys, this analytic helps identify potential threats that leverage COM hijacking or similar techniques for execution and persistence. Understanding the normal behavior of legitimate software in your environment will aid in distinguishing between benign and malicious use of InProcServer32 modifications. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -known_false_positives = False positives are expected. Filtering will be needed to properly reduce legitimate applications from the results. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Ngrok Reverse Proxy Usage - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the use of ngrok.exe being utilized on the Windows operating system. Unfortunately, there is no original file name for Ngrok, so it may be worth an additional hunt to identify any command-line arguments. The sign of someone using Ngrok is not malicious, however, more recently it has become an adversary tool. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1572", "T1090", "T1102"], "nist": ["DE.AE"]} -known_false_positives = False positives will be present based on organizations that allow the use of Ngrok. Filter or monitor as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows NirSoft AdvancedRun - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the use of AdvancedRun.exe. AdvancedRun.exe has similar capabilities as other remote programs like psexec. AdvancedRun may also ingest a configuration file with all settings defined and perform its activity. The analytic is written in a way to identify a renamed binary and also the common command-line arguments. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization"], "mitre_attack": ["T1588.002"], "nist": ["DE.CM"]} -known_false_positives = False positives should be limited as it is specific to AdvancedRun. Filter as needed based on legitimate usage. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows NirSoft Utilities - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the execution of commonly used NirSoft utilities on Windows systems. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution details such as process name, parent process, and command-line arguments. This activity is significant for a SOC because NirSoft utilities, while legitimate, can be used by adversaries for malicious purposes like credential theft or system reconnaissance. If confirmed malicious, this activity could lead to unauthorized access, data exfiltration, or further system compromise. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization"], "mitre_attack": ["T1588.002"], "nist": ["DE.AE"]} -known_false_positives = False positives may be present. Filtering may be required before setting to alert. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Njrat Fileless Storage via Registry - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a suspicious registry modification associated with NjRat, a telltale sign of its fileless technique. NjRat employs this method to manage its keylogs and execute downloaded DLL module plugins discreetly on the compromised host. This approach is particularly effective at evading conventional file-based detection systems, as it stores indicators of compromise (IOCs) in the registry. Leveraging this TTP (Tactics, Techniques, and Procedures) detection can significantly enhance the identification of NjRAT infections. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1027.011", "T1027"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Non Discord App Access Discord LevelDB - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects suspicious file access within the Discord LevelDB database. This database contains critical data such as user profiles, messages, guilds, channels, settings, and cached information. Access to this data poses a risk of Discord credential theft or unauthorized access to sensitive information on the compromised system. Detecting such anomalies can serve as an effective pivot to identify non-Discord applications accessing this database, potentially indicating the presence of malware or trojan stealers aimed at data theft. -how_to_implement = To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1012"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows Non-System Account Targeting Lsass - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies non SYSTEM accounts requesting access to lsass.exe. This behavior may be related to credential dumping or applications requiring access to credentials. Triaging this event will require understanding the GrantedAccess from the SourceImage. In addition, whether the account is privileged or not. Review the process requesting permissions and review parallel processes. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Enabling EventCode 10 TargetProcess lsass.exe is required. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} -known_false_positives = False positives will occur based on legitimate application requests, filter based on source image as needed. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Windows Odbcconf Hunting - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the execution of Odbcconf.exe within the environment. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where the process name is Odbcconf.exe. This activity is significant because Odbcconf.exe can be used by attackers to execute arbitrary commands or load malicious DLLs, potentially leading to code execution or persistence. If confirmed malicious, this behavior could allow an attacker to maintain access to the system, execute further malicious activities, or escalate privileges, posing a significant threat to the environment. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.008"], "nist": ["DE.AE"]} -known_false_positives = False positives will be present as this is meant to assist with filtering and tuning. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Odbcconf Load DLL - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies odbcconf.exe, Windows Open Database Connectivity utility, utilizing the action function of regsvr to load a DLL. An example will look like - odbcconf.exe /A { REGSVR T1218-2.dll }. During triage, review parent process, parallel procesess and file modifications. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.008"], "nist": ["DE.CM"]} -known_false_positives = False positives may be present and filtering may need to occur based on legitimate application usage. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Odbcconf Load Response File - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the odbcconf.exe, Windows Open Database Connectivity utility, loading up a resource file. The file extension is arbitrary and may be named anything. The resource file itself may have different commands supported by Odbcconf to load up a DLL (REGSVR) on disk or additional commands. During triage, review file modifications and parallel processes. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.008"], "nist": ["DE.CM"]} -known_false_positives = False positives may be present and filtering may need to occur based on legitimate application usage. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Office Product Spawning MSDT - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a Microsoft Office product spawning the Windows msdt.exe process. MSDT is a Diagnostics Troubleshooting Wizard native to Windows. This behavior is related to a recently identified sample utilizing protocol handlers to evade preventative controls, including if macros are disabled in the document. During triage, review file modifications for html. In addition, parallel processes including PowerShell and CertUtil. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} -known_false_positives = False positives should be limited, however filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows PaperCut NG Spawn Shell - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic is designed to detect instances where the PaperCut NG application (pc-app.exe) spawns a Windows shell, specifically cmd.exe or PowerShell. This behavior may indicate potential malicious activity, such as an attacker attempting to gain unauthorized access or execute harmful commands on the affected system. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1059", "T1190", "T1133"], "nist": ["DE.CM"]} -known_false_positives = False positives may be present, but most likely not. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Parent PID Spoofing with Explorer - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a suspicious explorer.exe process that has "/root" process commandline. The presence of this parameter is considered a significant indicator as it could indicate attempts at spoofing the parent process by a specific program or malware. By spoofing the parent process, the malicious entity aims to circumvent detection mechanisms and operate undetected within the system. This technique of manipulating the command-line parameter (/root) of explorer.exe is a form of masquerading utilized by certain malware or suspicious processes. The objective is to obscure the true nature of the activity by imitating a legitimate system process. By doing so, it attempts to evade scrutiny and evade detection by security measures. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134.004", "T1134"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Password Managers Discovery - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a process command line that retrieves information related to password manager software. This technique was seen in several post exploitation tools like winpeas that are being used by Ransomware Prestige to gather this type of information. Password Managers applications are designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk. Due to this password manager software designed adversaries may find or look for keywords related to the Password Manager databases that can be stolen or extracted for further attacks. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1555.005"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Phishing Outlook Drop Dll In FORM Dir - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a suspicious outlook.exe process dropped a dll file. This technique was seen in CVE-2024-21378, involves the loading of a custom MAPI form to execute a potentially malicious DLL. Detecting such TTPs serves as a crucial pivot point to identify potential adversaries, malware, or red team activity attempting to leverage this method within phishing campaigns. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Phishing PDF File Executes URL Link - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is developed to detect suspicious pdf viewer processes that have a browser application child processes. This event was seen in a pdf spear phishing attachment containing a malicious URL link to download the actual payload. When a user clicks the malicious link the pdf viewer application will execute a process of the host default browser to connect to the malicious site. This anomaly detection can be a good indicator that a possible pdf file has a link executed by a user. The pdf viewer and browser list in this detection is still in progress, add the common browser and pdf viewer you use in opening pdf in your network. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"]} -known_false_positives = False positives in PDF file opened PDF Viewer having legitimate URL link, however filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Phishing Recent ISO Exec Registry - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following hunting analytic identifies registry artifacts when an ISO container is opened, clicked or mounted on the Windows operating system. As Microsoft makes changes to macro based document execution, adversaries have begun to utilize container based initial access based phishing campaigns to evade preventative controls. Once the ISO is clicked or mounted it will create a registry artifact related to this event as a recent application executed or opened. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"]} -known_false_positives = False positives may be high depending on the environment and consistent use of ISOs. Restrict to servers, or filter out based on commonly used ISO names. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Possible Credential Dumping - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic is an enhanced version of two previous analytics that identifies common GrantedAccess permission requests and CallTrace DLLs in order to detect credential dumping. \ -GrantedAccess is the requested permissions by the SourceImage into the TargetImage. \ - \ -CallTrace Stack trace of where open process is called. Included is the DLL and the relative virtual address of the functions in the call stack right before the open process call. \ -dbgcore.dll or dbghelp.dll are two core Windows debug DLLs that have minidump functions which provide a way for applications to produce crashdump files that contain a useful subset of the entire process context. \ -The idea behind using ntdll.dll is to blend in by using native api of ntdll.dll. For example in sekurlsa module there are many ntdll exported api, like RtlCopyMemory, used to execute this module which is related to lsass dumping. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Enabling EventCode 10 TargetProcess lsass.exe is required. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} -known_false_positives = False positives will occur based on GrantedAccess 0x1010 and 0x1400, filter based on source image as needed or remove them. Concern is Cobalt Strike usage of Mimikatz will generate 0x1010 initially, but later be caught. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Windows Post Exploitation Risk Behavior - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following correlation identifies a four or more number of distinct analytics associated with the Windows Post-Exploitation analytic story, which enables the identification of potentially suspicious behavior. Windows Post-Exploitation refers to the phase that occurs after an attacker successfully compromises a Windows system. During this stage, attackers strive to maintain persistence, gather sensitive information, escalate privileges, and exploit the compromised environment further. Timely detection of post-exploitation activities is crucial for prompt response and effective mitigation. Common post-exploitation detections encompass identifying suspicious processes or services running on the system, detecting unusual network connections or traffic patterns, identifying modifications to system files or registry entries, monitoring abnormal user account activities, and flagging unauthorized privilege escalations. Ensuring the detection of post-exploitation activities is essential to proactively prevent further compromise, minimize damage, and restore the security of the Windows environment. -how_to_implement = Splunk Enterprise Security is required to utilize this correlation. In addition, modify the source_count value to your environment. In our testing, a count of 4 or 5 was decent in a lab, but the number may need to be increased base on internal testing. In addition, based on false positives, modify any analytics to be anomaly and lower or increase risk based on organization importance. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1012", "T1049", "T1069", "T1016", "T1003", "T1082", "T1115", "T1552"], "nist": ["DE.AE"]} -known_false_positives = False positives will be present based on many factors. Tune the correlation as needed to reduce too many triggers. -providing_technologies = null - -[savedsearch://ESCU - Windows PowerShell Add Module to Global Assembly Cache - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following PowerShell Script Block analytic identifies the native ability to add a DLL to the Windows Global Assembly Cache. Each computer where the Common Language Runtime is installed has a machine-wide code cache called the Global Assembly Cache. The Global Assembly Cache stores assemblies specifically designated to be shared by several applications on the computer. By adding a DLL to the GAC, this allows an adversary to call it via any other means across the operating systems. This is native and built into Windows. Per the Microsoft blog, the more high fidelity method may be to look for W3WP.exe spawning PowerShell that includes the same CommandLine as identified in this analytic. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1505", "T1505.004"], "nist": ["DE.CM"]} -known_false_positives = False positives may be present based on developers or third party utilities adding items to the GAC. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows Powershell Cryptography Namespace - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies suspicious PowerShell script execution via EventCode 4104 that is processing cryptography namespace library. This technique was seen in several powershell malware, loader, downloader and stager that will decrypt or decode the next malicious stager or the actual payload. This Anomaly detection can be a good indicator that a powershell process to decrypt code. We recommend to further check the parent_process_name, the file or data it tries to decrypt, network connection and user who execute the script. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.001", "T1059"], "nist": ["DE.AE"]} -known_false_positives = False positives should be limited. Filter as needed. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows PowerShell Disable HTTP Logging - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the use of `get-WebConfigurationProperty` and `Set-ItemProperty` commands in PowerShell to disable HTTP logging on Windows systems. This detection leverages PowerShell Script Block Logging, specifically looking for script blocks that reference HTTP logging properties and attempt to set them to "false" or "dontLog". Disabling HTTP logging is significant as it can be used by adversaries to cover their tracks and delete logs, hindering forensic investigations. If confirmed malicious, this activity could allow attackers to evade detection and persist in the environment undetected. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1562", "T1562.002", "T1505", "T1505.004"], "nist": ["DE.CM"]} -known_false_positives = It is possible administrators or scripts may run these commands, filtering may be required. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows PowerShell Export Certificate - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the use of the PowerShell Cmdlet `export-certificate` by leveraging Script Block Logging. This activity is significant as it may indicate an adversary attempting to exfiltrate certificates from the local Certificate Store on a Windows endpoint. Monitoring this behavior is crucial because stolen certificates can be used to impersonate users, decrypt sensitive data, or facilitate further attacks. If confirmed malicious, this activity could lead to unauthorized access to encrypted communications and sensitive information, posing a severe security risk. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.004", "T1552", "T1649"], "nist": ["DE.AE"]} -known_false_positives = It is possible administrators or scripts may run these commands, filtering may be required. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows PowerShell Export PfxCertificate - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the use of the PowerShell cmdlet `export-pfxcertificate` by leveraging Script Block Logging. This activity is significant as it may indicate an adversary attempting to exfiltrate certificates from the Windows Certificate Store. Monitoring this behavior is crucial for identifying potential certificate theft, which can lead to unauthorized access and impersonation attacks. If confirmed malicious, this activity could allow attackers to compromise secure communications, authenticate as legitimate users, and escalate their privileges within the network. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.004", "T1552", "T1649"], "nist": ["DE.AE"]} -known_false_positives = It is possible administrators or scripts may run these commands, filtering may be required. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows PowerShell Get CIMInstance Remote Computer - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic identifies the use of Get-CimInstance cmdlet with the -ComputerName parameter, which indicates that the cmdlet is being used to retrieve information from a remote computer. This can be useful for detecting instances of remote access, such as when an attacker uses PowerShell to connect to a remote system and gather information. By monitoring for this cmdlet with the -ComputerName parameter, security analysts can identify potential malicious activity on remote systems and take appropriate action to mitigate any threats. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.001"], "nist": ["DE.AE"]} -known_false_positives = This is meant to be a low risk RBA anomaly analytic or to be used for hunting. Enable this with a low risk score and let it generate risk in the risk index. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows PowerShell IIS Components WebGlobalModule Usage - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the usage of PowerShell Cmdlets - New-WebGlobalModule, Enable-WebGlobalModule and Set-WebGlobalModule being utilized to create (new), enable (start) or modify a current IIS Module. These commands are equivalent to AppCmd.exe parameters. Adversaries may utilize these cmdlets as they are lesser known and perform the same activity as AppCmd. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1505", "T1505.004"], "nist": ["DE.AE"]} -known_false_positives = It is possible administrators or scripts may run these commands, filtering may be required. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows Powershell Import Applocker Policy - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic is to identify the imports of Windows PowerShell Applocker commandlets. This technique was seen in Azorult malware where it drops an xml Applocker policy that will deny several AV product and then loaded using PowerShell Applocker commandlet. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1059.001", "T1059", "T1562.001", "T1562"], "nist": ["DE.CM"]} -known_false_positives = administrators may execute this command that may cause some false positive. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows Powershell RemoteSigned File - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic identifies the use of "remotesigned" execution policy for a file. This security setting determines whether PowerShell scripts can be executed on a computer. When the execution policy is set to "remotesigned," it allows locally created scripts to run without any restrictions, but scripts downloaded from the internet must have a digital signature from a trusted publisher. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.001", "T1059"], "nist": ["DE.AE"]} -known_false_positives = It is possible administrators or scripts may run these commands, filtering may be required. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows PowerShell ScheduleTask - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects potential malicious activities related to PowerShell's task scheduling cmdlets. It looks for anomalies in PowerShell logs, specifically EventCode 4104, associated with script block logging. The analytic flags unusual or suspicious use patterns of key task-related cmdlets such as 'New-ScheduledTask', 'Set-ScheduledTask', and others, which are often used by attackers for persistence and remote execution of malicious code. If a true positive is found, it suggests an possible attacker is attempting to persist within the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. To implement this analytic, PowerShell Script Block Logging needs to be enabled on some or all endpoints. Analysts should be aware of benign administrative tasks that can trigger alerts and tune the analytic accordingly to reduce false positives. Upon triage, review the PowerShell logs for any unusual or unexpected cmdlet usage, IP addresses, user accounts, or timestamps. If these factors align with known malicious behavior patterns, immediate mitigation steps, such as isolation of the affected systems, user account changes, and relevant threat hunting activities, should be initiated. This proactive analysis significantly enhances an organization's capacity to swiftly respond to, and potentially prevent, the execution of advanced persistent threats in their network. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.005", "T1059.001", "T1059"], "nist": ["DE.AE"]} -known_false_positives = Benign administrative tasks can also trigger alerts, necessitating a firm understanding of the typical system behavior and precise tuning of the analytic to reduce false positives. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows PowerShell WMI Win32 ScheduledJob - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the use of the PowerShell script block logging mechanism to detect the use of the Win32_ScheduledJob WMI class. This class allows the creation and management of scheduled tasks on Windows systems. However, due to security concerns, the class has been disabled by default in Windows systems, and its use must be explicitly enabled by modifying the registry. As a result, the detection of the use of this class may indicate malicious activity, especially if the class was enabled on the system by the attacker. Therefore, it is recommended to monitor the use of Win32_ScheduledJob through PowerShell script block logging and to investigate any suspicious activity. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.001", "T1059"], "nist": ["DE.CM"]} -known_false_positives = False positives may be present based on legacy applications or utilities. Win32_ScheduledJob uses the Remote Procedure Call (RPC) protocol to create scheduled tasks on remote computers. It uses the DCOM (Distributed Component Object Model) infrastructure to establish a connection with the remote computer and invoke the necessary methods. The RPC service needs to be running on both the local and remote computers for the communication to take place. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows PowerSploit GPP Discovery - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the use of the Get-GPPPassword PowerShell commandlet employed to search for unsecured credentials Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts. These group policies are stored in SYSVOL on a domain controller. This means that any domain user can view the SYSVOL share and decrypt the password (using the AES key that has been made public). While Microsoft released a patch that impedes Administrators to create unsecure credentials, existing Group Policy Preferences files with passwords are not removed from SYSVOL. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552", "T1552.006"], "nist": ["DE.CM"]} -known_false_positives = Unknown -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows PowerView AD Access Control List Enumeration - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic leverages Event ID 4104 to identify the execution of the PowerView powershell commandlets `Get-ObjectAcl` or `Get-DomainObjectAcl`. This commandlets are used to enumerate Access Control List permissions given to Active Directory objects. In an active directory environment, an object is an entity that represents an available resource within the organizations network, such as domain controllers, users, groups, computers, shares, etc. Maintaining Active Directory permissions is complicated and hard to manage, especially in complex and large environments with multiple domains. Weak permissions may allow adversaries and red teamers to escalate their privileges in Active Directory. PowerView is a common tool leveraged by attackers to identify and exploit configuration weaknesses. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.= -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.002", "T1069"], "nist": ["DE.CM"]} -known_false_positives = Administrators may leverage PowerView for legitimate purposes, filter as needed. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows PowerView Constrained Delegation Discovery - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify commandlets used by the PowerView hacking tool leveraged to discover Windows endpoints with Kerberos Constrained Delegation. Red Teams and adversaries alike may leverage use this technique for situational awareness and Active Directory Discovery. -how_to_implement = The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]} -known_false_positives = Administrators or power users may leverage PowerView for system management or troubleshooting. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows PowerView Kerberos Service Ticket Request - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainSPNTicket` commandlets with specific parameters. This commandlet is a part of PowerView, a PowerShell tool used to perform enumeration and discovery on Windows Active Directory networks. As the name suggests, this commandlet is used to request the kerberos ticket for a specified service principal name (SPN). Once the ticket is received, it may be cracked using password cracking tools like hashcat to extract the password of the SPN account. Red Teams and adversaries alike may leverage PowerView and these commandlets to identify accounts that can be attacked with the Kerberoasting technique. -how_to_implement = The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558", "T1558.003"], "nist": ["DE.CM"]} -known_false_positives = False positive may include Administrators using PowerView for troubleshooting and management. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows PowerView SPN Discovery - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainUser` or `Get-NetUSer` commandlets with specific parameters. These commandlets are part of PowerView, a PowerShell tool used to perform enumeration and discovery on Windows Active Directory networks. As the names suggest, these commandlets are used to identify domain users in a network and combining them with the `-SPN` parameter allows adversaries to discover domain accounts associated with a Service Principal Name (SPN). Red Teams and adversaries alike may leverage PowerView and these commandlets to identify accounts that can be attacked with the Kerberoasting technique. -how_to_implement = The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558", "T1558.003"], "nist": ["DE.CM"]} -known_false_positives = False positive may include Administrators using PowerView for troubleshooting and management. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows PowerView Unconstrained Delegation Discovery - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify commandlets used by the PowerView hacking tool leveraged to discover Windows endpoints with Kerberos Unconstrained Delegation. Red Teams and adversaries alike may leverage use this technique for situational awareness and Active Directory Discovery. -how_to_implement = The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]} -known_false_positives = Administrators or power users may leverage PowerView for system management or troubleshooting. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows Private Keys Discovery - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a process command line that retrieves information related to private keys files. This technique was seen in several post exploitation tools like winpeas that are being used by Ransomware Prestige to search for private key certificates on the compromised host for insecurely stored credentials. This files can be used by adversaries to gain privileges, persistence or remote service authentication to collect more sensitive information. Some private keys required password for operation, so in this case adversaries may need to have that passphrase either via keylogging or brute force attack. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.004", "T1552"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Privilege Escalation Suspicious Process Elevation - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects when any low->high integrity level process running from a user account spawns an elevated (high/system integrity) process in a suspicious location or with system level process integrity. This behavior may indicate when a threat actor has successfully elevated privileges. -how_to_implement = Target environment must ingest process execution data sources such as Windows process monitoring and/or Sysmon EID 1. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068", "T1548", "T1134"], "nist": ["DE.CM"]} -known_false_positives = False positives may be generated by administrators installing benign applications using run-as/elevation. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Privilege Escalation System Process Without System Parent - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects any system integrity level process that was spawned by a process not running as a system account. This behavior is often seen when attackers successfully escalate privileges to SYSTEM from a user controlled process or service. -how_to_implement = Target environment must ingest sysmon data, specifically Event ID 1 with process integrity and parent user data. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068", "T1548", "T1134"], "nist": ["DE.CM"]} -known_false_positives = Unknown -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Windows Privilege Escalation User Process Spawn System Process - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects when any process low->high integrity level process spawns a system integrity process from a user controlled location. This behavior is often seen when attackers successfully escalate privileges to SYSTEM from a user controlled process or service. -how_to_implement = Target environment must ingest sysmon data, specifically Event ID 15. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068", "T1548", "T1134"], "nist": ["DE.CM"]} -known_false_positives = Unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Process Commandline Discovery - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects Windows Management Instrumentation Command-line (WMIC) command used to retrieve information about running processes and specifically fetches the command lines used to launch those processes. This Hunting detection can be a good indicator for possible suspicious user or process getting list of process with its command line using wmic application which is not a common practice for a non-technical user. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1057"], "nist": ["DE.AE"]} -known_false_positives = Administrators or power users may use this command for troubleshooting. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Process Injection In Non-Service SearchIndexer - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a non-service searchindexer.exe process. QakBot, a notorious banking trojan and information stealer, often deploys a process named "searchindexer.exe" as part of its malicious activities. This legitimate Windows process, "Search Indexer," is manipulated by QakBot to masquerade and evade detection within the system. The malware uses this deceptive tactic to camouflage its presence, remaining inconspicuous while performing unauthorized actions like data exfiltration, keystroke logging, and communication with command and control servers. By adopting the guise of a genuine system process, the malicious "searchindexer.exe" process helps QakBot evade scrutiny and continue its malevolent operations without arousing suspicion. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Process Injection into Notepad - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic utilizes Sysmon to identify process injection into Notepad.exe, based on GrantedAccess requests - 0x40 and 0x1fffff. This particular behavior is attributed to the defaults of the SliverC2 framework by BishopFox. By default, the analytic filters out any SourceImage paths of System32, Syswow64 and program files. Add more as needed, or remove and monitor what is consistently injecting into notepad.exe. This particular behavior will occur from a source image that is the initial payload dropped. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055", "T1055.002"], "nist": ["DE.AE"]} -known_false_positives = False positives may be present based on SourceImage paths. If removing the paths is important, realize svchost and many native binaries inject into notepad consistently. Restrict or tune as needed. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Windows Process Injection Of Wermgr to Known Browser - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic identifies the suspicious Remote Thread execution of wermgr.exe process to "firefox.exe", "chrome.exe" and other known browsers. This technique was seen in Qakbot malware that executes its malicious code by injecting its code in legitimate Windows Operating System processes such as wermgr.exe to steal information in the compromised host. This TTP detection can be a good pivot to detect wermgr.exe process injected with qakbot code that tries to remote thread code execution in known browsers like firefox and edge which is not a common behavior of this wermgr.exe application. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the SourceImage, TargetImage, and EventCode executions from your endpoints related to create remote thread or injecting codes. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055.001", "T1055"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Windows Process Injection Remote Thread - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a suspicious remote thread execution in some process being abused by threat actor and malware like qakbot. Qakbot is one of the malware using this technique to load its malicious dll module or malicious code in the targeted host. This TTP can be a good pivot to verify what is the behavior of the targeted Image process after this detection trigger. look for network connection, child process execution, file access and many more that helps to verify the indication of malware infection. -how_to_implement = To successfully implement this search, you must be ingesting data that records process activity from your hosts like remote thread EventCode=8 of sysmon. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055", "T1055.002"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Windows Process Injection Wermgr Child Process - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a suspicious wermgr.exe parent process having a child process not related to error, fault or windows werfault event. This technique was seen in Qakbot malware where it inject its malicious code in wermgr to evade detections and hide from the analyst to execute its recon and its malicious behavior. This Anomaly detection can be a good pivot to start investigating a possible qakbot infection in the network. The Wermgr.exe process is not known to have other child processes aside from itself or werfault.exe -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Process Injection With Public Source Path - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a process in a non-standard file path on Windows attempting to create a remote thread into a process. This Windows API,CreateRemoteThread, is commonly used by adversaries for process injection to evade detections or gain privilege escalation. -how_to_implement = To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055", "T1055.002"], "nist": ["DE.AE"]} -known_false_positives = Some security products or third party applications may utilize CreateRemoteThread, filter as needed before enabling as a notable. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Windows Process With NamedPipe CommandLine - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is to look for process commandline that contains named pipe. This technique was seen in some adversaries, threat actor and malware like olympic destroyer to communicate to its other child processes after process injection that serve as defense evasion and privilege escalation. On the other hand this analytic may catch some normal process that using this technique for example browser application. In that scenario we include common process path we've seen during testing that cause false positive which is the program files. False positive may still be arise if the normal application is in other folder path. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.AE"]} -known_false_positives = Normal browser application may use this technique. Please update the filter macros to remove false positives. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Process Writing File to World Writable Path - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a process writing a file, specifically a .txt, to a world writable path. This technique is used by adversaries to deliver payloads to a system. It is not common for living off the land binaries to write to these paths. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the file creation event, process name, file path and, file name. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Filesystem` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.005"], "nist": ["DE.AE"]} -known_false_positives = False positives may occur if legitimate software writes to these paths. Modify the search to include additional file name extensions. To enhance it further, adding a join on Processes.process_name may assist with restricting the analytic to specific process names. Investigate the process and file to determine if it is malicious. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Processes Killed By Industroyer2 Malware - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic is to look for known processes killed by industroyer2 malware. This technique was seen in the industroyer2 malware attack that tries to kill several processes of windows host machines related to the energy facility network. This anomaly might be a good indicator to check which process kill these processes or why the process was killed. -how_to_implement = To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA is also required. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.AE"]} -known_false_positives = False positives are possible if legitimate applications are allowed to terminate this process during testing or updates. Filter as needed based on paths that are used legitimately. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Windows Protocol Tunneling with Plink - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the use of Plink being utilized to proxy egress or laterally in an organization. The analytic is limited to specific Plink options on the command-line, including -R -L and -D which will have the remote and local IP address or port and -l for a username. Modify the options as seen fit for your organization. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control", "Exploitation"], "mitre_attack": ["T1572", "T1021.004"], "nist": ["DE.CM"]} -known_false_positives = False positives may be present if the organization allows for SSH tunneling outbound or internally. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Proxy Via Netsh - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search looks for processes launching netsh.exe for connection proxy. Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed. In this search, we are looking for processes spawned by netsh.exe and executing commands via the command line. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1090.001", "T1090"], "nist": ["DE.AE"]} -known_false_positives = Some VPN applications are known to launch netsh.exe. Outside of these instances, it is unusual for an executable to launch netsh.exe and run commands. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Proxy Via Registry - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search looks for processes launching netsh.exe for connection proxy. Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed. In this search, we are looking for processes spawned by netsh.exe and executing commands via the command line. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1090.001", "T1090"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Query Registry Browser List Application - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a suspicious process accessing default internet browsers registry entry. This registry is used by Windows to store information about default internet browsers installed on a system. Malware, adversaries or red-teamers can abuse this registry key to collect data about the installed internet browsers and their associated settings. This information can be used to steal sensitive data such as login credentials, browsing history, and saved passwords. We observed noise that needs to be filter out so we add several known path of Windows Application to make this detection more stable. -how_to_implement = To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1012"], "nist": ["DE.AE"]} -known_false_positives = uninstall application may access this registry to remove the entry of the target application. filter is needed. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows Query Registry Reg Save - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a process execution of reg.exe with "save" parameter. This reg.exe parameter is commonly being abused by threat actors, adversaries and red-teamers to dump credentials or to check the registry modification capabilities of certain users or administrators in targeted hosts. This approach was seen in post-exploitation tool like winpeas where it uses "reg save" and "reg restore" to check registry modification restriction in targeted host after gaining access to it. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1012"], "nist": ["DE.AE"]} -known_false_positives = network administrator can use this command tool to backup registry before updates or modifying critical registries. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Query Registry UnInstall Program List - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a suspicious query on uninstall application list in Windows OS registry. This registry is commonly used by legitimate software to store information about installed applications on a Windows system, such as their name, version, publisher, and installation path. However, malware, adversaries or even red-teamers can abuse this registry key to retrieve information stored in the "Uninstall" key to gather data about installed applications in the target host. This Anomaly detection can be a good pivot to detect a possible suspicious process accessing this registry which is not commonly accessed by a normal user. -how_to_implement = To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1012"], "nist": ["DE.AE"]} -known_false_positives = Uninstall application may access this registry to remove the entry of the target application. Filter is needed. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows Raccine Scheduled Task Deletion - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the Raccine Rules Updater scheduled task being deleted. Adversaries may attempt to remove this task in order to prevent the update of Raccine. Raccine is a "ransomware vaccine" created by security researcher Florian Roth, designed to intercept and prevent precursors and active ransomware behavior. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001"], "nist": ["DE.CM"]} -known_false_positives = False positives should be limited, however filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Rapid Authentication On Multiple Hosts - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic leverages Event ID 4624 to identify a source computer authenticating to a large number of remote endpoints within an Active Directory network. Specifically, the logic will trigger when a source endpoint authenticates to 30 or more target computers within a 5 minute timespan. This behavior could represent an adversary who is moving laterally across the environment or enumerating network shares in the search for sensitive files. As environments differ across organizations, security teams should customize the thresholds of this detection as needed. -how_to_implement = To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002"], "nist": ["DE.CM"]} -known_false_positives = Vulnerability scanners or system administration tools may also trigger this detection. Filter as needed. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows Rasautou DLL Execution - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the Windows Windows Remote Auto Dialer, rasautou.exe executing an arbitrary DLL. This technique is used to execute arbitrary shellcode or DLLs via the rasautou.exe LOLBin capability. During triage, review parent and child process behavior including file and image loads. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055.001", "T1218", "T1055"], "nist": ["DE.CM"]} -known_false_positives = False positives will be limited to applications that require Rasautou.exe to load a DLL from disk. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Raw Access To Disk Volume Partition - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is to look for suspicious raw access read to device disk partition of the host machine. This technique was seen in several attacks by adversaries or threat actor to wipe, encrypt or overwrite the boot sector of each partition as part of their impact payload for example the "hermeticwiper" malware. This detection is a good indicator that there is a process try to read or write on boot sector. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the raw access read event (like sysmon eventcode 9), process name and process guid from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1561.002", "T1561"], "nist": ["DE.AE"]} -known_false_positives = This event is really notable but we found minimal number of normal application from system32 folder like svchost.exe accessing it too. In this case we used 'system32' and 'syswow64' path as a filter for this detection. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Windows Raw Access To Master Boot Record Drive - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is to look for suspicious raw access read to drive where the master boot record is placed. This technique was seen in several attacks by adversaries or threat actor to wipe, encrypt or overwrite the master boot record code as part of their impact payload. This detection is a good indicator that there is a process try to read or write on MBR sector. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the raw access read event (like sysmon eventcode 9), process name and process guid from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1561.002", "T1561"], "nist": ["DE.CM"]} -known_false_positives = This event is really notable but we found minimal number of normal application from system32 folder like svchost.exe accessing it too. In this case we used 'system32' and 'syswow64' path as a filter for this detection. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Windows RDP Connection Successful - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies successful remote desktop connections. Utilize this analytic to hunt for successful attempts. In addition, the query may be modified for EventCode=1148 to potentially identify failed attempts. In testing, 1148 would not generate based on a failed logon attempt. Note this analytic requires enabling and a stanza in a inputs.conf. -how_to_implement = The following analyic requires the WIndows TerminalServices RemoteConnectionManager Operational log to be enabled and ingested into Splunk. For the inputs, review https://gist.github.com/MHaggis/138c6bf563bacbda4a2524f089773706. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1563.002"], "nist": ["DE.AE"]} -known_false_positives = False positives will be present, filter as needed or restrict to critical assets on the perimeter. -providing_technologies = null - -[savedsearch://ESCU - Windows Registry BootExecute Modification - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic monitors the BootExecute registry key for any modifications from its default value, which could indicate potential malicious activity. The BootExecute registry key, located at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager, manages the list of applications and services that are executed during system boot. By default, the BootExecute value is set to "autocheck autochk *". Attackers might attempt to modify this value to achieve persistence, load malicious code, or tamper with the system's boot process. -how_to_implement = To successfully implement this search you need to be ingesting information on Windows Registry that include the name of the path and key responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1542", "T1547.001"], "nist": ["DE.CM"]} -known_false_positives = False positives may be present and will need to be filtered. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Registry Certificate Added - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies installation of a root CA certificate by monitoring the registry. The base paths may be found [here](https://gist.github.com/mattifestation/75d6117707bcf8c26845b3cbb6ad2b6b/raw/ae65ef15c706140ffc2e165615204e20f2903028/RootCAInstallationDetection.xml). In short, there are specific certificate registry paths that will be written to (SetValue) when a new certificate is added. The high-fidelity events to pay attention to are SetValue events where the TargetObject property ends with "\Blob" as this indicates the direct installation or modification of a root certificate binary blob. The other high fidelity reference will be which process is making the registry modifications. There are very few processes that modify these day to day, therefore monitoring for all to start (hunting) provides a great beginning. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1553.004", "T1553"], "nist": ["DE.AE"]} -known_false_positives = False positives will be limited to a legitimate business applicating consistently adding new root certificates to the endpoint. Filter by user, process, or thumbprint. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Registry Delete Task SD - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a process attempting to delete a scheduled task SD (Security Descriptor) from within the registry path of that task. This may occur from a non-standard process running and may not come from reg.exe. This particular behavior will remove the actual Task Name from the Task Scheduler GUI and from the command-line query - schtasks.exe /query. In addition, in order to perform this action, the user context will need to be SYSTEM. \ -Identifying the deletion of a scheduled task's Security Descriptor from the registry is significant for a SOC as it may indicate malicious activity attempting to remove evidence of a scheduled task, potentially for defense evasion purposes. If a true positive is detected, it suggests an attacker with privileged access attempting to remove traces of their activities, which can have a significant impact on the security and functionality of affected systems. Immediate investigation and response are required to mitigate further risks and preserve the integrity of the environment. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.005", "T1562"], "nist": ["DE.AE"]} -known_false_positives = False positives should be limited as the activity is not common to delete ONLY the SD from the registry. Filter as needed. Update the analytic Modified or Deleted values based on product that is in the datamodel. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Registry Modification for Safe Mode Persistence - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a modification or registry add to the safeboot registry as an autostart mechanism. This technique is utilized by adversaries to persist a driver or service into Safe Mode. Two keys are monitored in this analytic, Minimal and Network. adding values to Minimal will load into Safe Mode and by adding into Network it will provide the service or drive the ability to perform network connections in Safe Mode. -how_to_implement = To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1547.001", "T1547"], "nist": ["DE.CM"]} -known_false_positives = updated windows application needed in safe boot may used this registry -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Registry Payload Injection - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies when suspiciouly long data is written to the registry. This behavior is often associated with certain fileless malware threats or persistence techniques used by threat actors. Data stored in the registy is considered fileless since it does not get written to disk and is traditionally not well defended since normal users can modify thier own registry. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1027", "T1027.011"], "nist": ["DE.CM"]} -known_false_positives = Unknown, possible custom scripting. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Registry SIP Provider Modification - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects modifications to the Windows Registry SIP Provider. It identifies this behavior by monitoring Sysmon EventID 7, which logs registry modification events. The analytic specifically looks for changes in registry paths and values associated with Cryptography Providers and OID Encoding Types. This behavior is worth identifying as it may indicate an attempt to subvert trust controls, a technique often used by adversaries to bypass security measures and maintain persistence in an environment. If a true positive is found, it suggests an attacker is trying to manipulate the system's cryptographic functions, potentially leading to unauthorized access, data theft, or other damaging outcomes. Upon triage, review the registry paths and values modified, and look for concurrent processes to identify the attack source. Review the path of the SIP being added. This approach helps analysts detect potential threats earlier and mitigate the risks. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1553.003"], "nist": ["DE.CM"]} -known_false_positives = Be aware of potential false positives - legitimate applications may cause benign activities to be flagged. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Regsvr32 Renamed Binary - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following hunting analytic identifies renamed instances of regsv32.exe executing. regsv32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. During investigation, validate if it is the legitimate regsv32.exe executing and what dll module content it is loading. This query relies on the original filename or internal name from the PE meta data. Expand the query as needed by looking for specific command line arguments outlined in other analytics. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.010", "T1218"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Remote Access Software BRC4 Loaded Dll - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following anomaly detection identifies the behavior related to 4 native Windows DLLs being loaded by a non-standard process. Identified by MDSec during their research into Brute Ratel, MDSec identified a high signal analytic by calling out these 4 DLLs being loaded into a process. LogonCLI.dll is the Net Logon Client DLL and is related to users and other domain services to get authenticated. Credui.dll is Credential Manager User Interface. Credential managers receive notifications when authentication information changes. For example, credential managers are notified when a user logs on or an account password changes. Samcli.dll is the Security Accounts Manager Client DLL. Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. Dbghelp.dll is Windows Image Helper. Windows Image Helper is commonly seen in credential dumping due to native functions. All of these modules are important to monitor and track and combined may lead to credentail access or dumping. -how_to_implement = The latest Sysmon TA 3.0 https://splunkbase.splunk.com/app/5709 will add the ImageLoaded name to the process_name field, allowing this query to work. Use as an example and implement for other products. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control", "Exploitation"], "mitre_attack": ["T1219", "T1003"], "nist": ["DE.AE"]} -known_false_positives = This module can be loaded by a third party application. Filter is needed. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Windows Remote Access Software Hunt - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following hunting analytic is meant to help organizations understand what remote access software is being used in the environment. When reviewing this hunt, confirm the software identified is authorized to be utilized. Based on fidelity, create a new analytic for specific utilities banned within the organization. Adversaries use these utilities to retain remote access capabilities to the environment. Utilities in the lookup include AnyDesk, GoToMyPC, LogMeIn, TeamViewer and much more. Review the lookup for the entire list and add any others. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1219"], "nist": ["DE.AE"]} -known_false_positives = False positives will be found. Filter as needed and create higher fidelity analytics based off banned remote access software. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Remote Access Software RMS Registry - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic is to identify a modification or creation of Windows registry related to the Remote Manipulator System (RMS) Remote Admin tool. RMS is a legitimate tool developed by russian organization TektonIT and has been observed being abused by adversaries to gain remote access to the targeted host. Azorult malware utilized RMS to gain remote access. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1219"], "nist": ["DE.CM"]} -known_false_positives = administrators may enable or disable this feature that may cause some false positive. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Remote Assistance Spawning Process - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the use of Microsoft Remote Assistance, msra.exe, spawning PowerShell.exe or cmd.exe as a child process. Msra.exe by default has no command-line arguments and typically spawns itself. It will generate a network connection to the remote system that is connected. This behavior is indicative of another process injected into msra.exe. Review the parent process or cross process events to identify source. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} -known_false_positives = False positives should be limited, filter as needed. Add additional shells as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Remote Create Service - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic identifies an endpoint that remotely connects to another endpoint to create a new service using sc.exe. On the remote endpoint, the new service will be created and this action will trigger the creation of EventCode 7045 along with all the resulting service information. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1543", "T1543.003"], "nist": ["DE.AE"]} -known_false_positives = Note that false positives may occur, and filtering may be necessary, especially when it comes to remote service creation by administrators or software management utilities. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Remote Service Rdpwinst Tool Execution - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies RDPWInst.exe tool, which is a RDP wrapper library tool designed to enable remote desktop host support and concurrent RDP session on reduced functionality system. Unfortunately, this open project was abused by adversaries to enable RDP connection to the targeted host for remote access and potentially be for lateral movement. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.CM"]} -known_false_positives = This tool was designed for home usage and not commonly seen in production environment. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Remote Services Allow Rdp In Firewall - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic is to identify a modification in the Windows firewall to enable remote desktop protocol on a targeted machine. This technique was seen in several adversaries, malware or red teamer to remotely access the compromised or targeted host by allowing this protocol in firewall. Even this protocol might be allowed in some production environment, This TTP behavior is a good pivot to check who and why the user want to enable this feature through firewall which is also common traits of attack to start lateral movement. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.AE"]} -known_false_positives = administrators may enable or disable this feature that may cause some false positive. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Remote Services Allow Remote Assistance - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic is to identify a modification in the Windows registry to enable remote desktop assistance on a targeted machine. This technique was seen in several adversaries, malware or red teamer like azorult to remotely access the compromised or targeted host by enabling this protocol in registry. Even this protocol might be allowed in some production environment, This Anomaly behavior is a good pivot to check who and why the user want to enable this feature through registry which is un-common. And as per stated in microsoft documentation the default value of this registry is false that makes this a good indicator of suspicious behavior. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.AE"]} -known_false_positives = administrators may enable or disable this feature that may cause some false positive. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Remote Services Rdp Enable - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic is to identify a modification in the Windows registry to enable remote desktop protocol on a targeted machine. This technique was seen in several adversaries, malware or red teamer to remotely access the compromised or targeted host by enabling this protocol in registry. Even this protocol might be allowed in some production environment, This TTP behavior is a good pivot to check who and why the user want to enable this feature through registry which is un-common. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.CM"]} -known_false_positives = administrators may enable or disable this feature that may cause some false positive. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Replication Through Removable Media - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is developed to detect suspicious executable or script files created or dropped in the root drive of a targeted host. This technique is commonly used by threat actors, adversaries or even red teamers to replicate or spread in possible removable drives. Back then, WORM malware was popular for this technique where it would drop a copy of itself in the root drive to be able to spread or to have a lateral movement in other network machines. Nowadays, Ransomware like CHAOS ransomware also use this technique to spread its malicious code in possible removable drives. This TTP detection can be a good indicator that a process might create a persistence technique or lateral movement of a targeted machine. We suggest checking the process name that creates this event, the file created, user type, and the reason why that executable or scripts are dropped in the root drive. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation"], "mitre_attack": ["T1091"], "nist": ["DE.CM"]} -known_false_positives = Administrators may allow creation of script or exe in the paths specified. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Root Domain linked policies Discovery - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain groups. Red Teams and adversaries may leverage `[Adsisearcher]` to enumerate root domain linked policies for situational awareness and Active Directory Discovery. -how_to_implement = The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.AE"]} -known_false_positives = Administrators or power users may use this command for troubleshooting. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows Rundll32 Apply User Settings Changes - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search is to detect a suspicious rundll32 commandline to update a user's system parameters related to desktop backgrounds, display settings, and visual themes. Specifically, it triggers the system to refresh and apply changes to the user-specific settings, such as wallpaper modifications or visual theme updates, ensuring that the changes take effect without the need to restart the system or log out and log back in. This technique was seen in Rhysida Ransomware and script as part of its defense evasion. This technique is not a common practice to lock a screen and maybe a good indicator of compromise. This command could also potentially be exploited by malware to disguise its activities or make unauthorized changes to a user's system settings without their knowledge or consent. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Rundll32 WebDAV Request - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the execution of rundll32.exe with command-line arguments loading davclnt.dll and the davsetcookie function to access a remote WebDAV instance. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it may indicate an attempt to exploit CVE-2023-23397, a known vulnerability. If confirmed malicious, this could allow an attacker to execute remote code or exfiltrate data, posing a severe threat to the environment. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048.003"], "nist": ["DE.CM"]} -known_false_positives = False positives will be present based on legitimate software, filtering may need to occur. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Rundll32 WebDav With Network Connection - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies rundll32.exe with the commandline arguments loading davclnt.dll function - davsetcookie - to be used to access a remote WebDav instance. The analytic attempts to use join from Processes and All_Traffic to identify the network connection. This particular behavior was recently showcased in CVE-2023-23397. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048.003"], "nist": ["DE.CM"]} -known_false_positives = False positives will be present based on legitimate software, filtering may need to occur. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Scheduled Task Created Via XML - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the creation of suspicious scheduled tasks in Windows, specifically tasks created using schtasks.exe with the -create flag and an XML parameter in the command-line. This technique is commonly employed by threat actors, adversaries, and red teamers to establish persistence or achieve privilege escalation on targeted hosts. Notably, malware like Trickbot and Winter-Vivern have been observed using XML files to create scheduled tasks. Monitoring and investigating this activity is crucial to mitigate potential security risks. It is important to be aware that scripts or administrators may trigger this analytic, leading to potential false positives. To minimize false positives, adjust the filter based on the parent process or application. \ -When a true positive is detected, it suggests an attacker's attempt to gain persistence or execute additional malicious payloads, potentially resulting in data theft, ransomware, or other damaging outcomes. During triage, review the source of the scheduled task, the command to be executed, and capture any relevant on-disk artifacts. Analyze concurrent processes to identify the source of the attack. This analytic enables analysts to detect and respond to potential threats early, mitigating the associated risks effectively. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} -known_false_positives = It is possible scripts or administrators may trigger this analytic. Filter as needed based on parent process, application. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Scheduled Task Service Spawned Shell - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies when the Task Scheduler service "svchost.exe -k netsvcs -p -s Schedule" is the parent process to common command line, scripting, or shell execution binaries. Attackers often abuse the task scheduler service with these binaries as an execution and persistence mechanism in order to blend in with normal Windows operations. This TTP is also commonly seen for legitimate purposes such as business scripts or application updates. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.005", "T1059"], "nist": ["DE.CM"]} -known_false_positives = Unknown, possible custom scripting. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Scheduled Task with Highest Privileges - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the creation of a new task with the highest execution privilege via Schtasks.exe. This tactic is often observed in AsyncRAT attacks, where the scheduled task is used for persistence and privilege escalation. AsyncRAT sets up a scheduled task with parameters '/rl' and 'highest', triggering this technique. It's a strong indicator of potential malware or adversaries seeking to establish persistence and escalate privileges through scheduled tasks. This is crucial for a Security Operations Center (SOC) as it can prevent unauthorized system access and potential data breaches. \ -The analytic works by monitoring logs for process name, parent process, and command-line executions. In the presence of the '*/rl ' and ' highest *' commands in a schtasks.exe process, an alert is triggered. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053", "T1053.005"], "nist": ["DE.CM"]} -known_false_positives = False positives may arise from legitimate applications that create tasks to run as SYSTEM. Therefore, it's recommended to adjust filters based on parent process or modify the query to include world writable paths for restriction. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Schtasks Create Run As System - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the creation of a new task to start and run as an elevated user - SYSTEM using Schtasks.exe. This behavior is commonly used by adversaries to spawn a process in an elevated state. If a true positive is found, it suggests an attacker is attempting to persist within the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. Upon triage, review the scheduled task's source and the command to be executed. Capture and inspect any relevant on-disk artifacts, and look for concurrent processes to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} -known_false_positives = False positives will be limited to legitimate applications creating a task to run as SYSTEM. Filter as needed based on parent process, or modify the query to have world writeable paths to restrict it. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Screen Capture Via Powershell - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a potential PowerShell script that captures screen images on compromised or targeted hosts. This technique was observed in the Winter-Vivern malware, which attempts to capture desktop screens using a PowerShell script and send the images to its C2 server as part of its exfiltration strategy. This TTP serves as a useful indicator that a PowerShell process may be gathering desktop screenshots from a host system, potentially signaling malicious activity. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1113"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows Security Account Manager Stopped - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the stopping of the Windows Security Account Manager (SAM) service via command-line, typically using the "net stop samss" command. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because stopping the SAM service can disrupt authentication mechanisms and is often associated with ransomware attacks like Ryuk. If confirmed malicious, this action could lead to unauthorized access, privilege escalation, and potential system-wide compromise. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.CM"]} -known_false_positives = SAM is a critical windows service, stopping it would cause major issues on an endpoint this makes false positive rare. AlthoughNo false positives have been identified. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Security Support Provider Reg Query - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a process command line related to the discovery of possible Security Support Providers in the registry. This technique is being abused by adversaries or post exploitation tools like winpeas to gather LSA protection and configuration in the registry in the targeted host. This registry entry can contain several information related to LSA that validates users for local and remote sign-ins and enforces local security policies. Understanding LSA protection may give a good information in accessing LSA content in memory which is commonly attack by adversaries and tool like mimikatz to scrape password hashes or clear plain text passwords. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1547.005", "T1547"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Server Software Component GACUtil Install to GAC - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the Windows SDK utility - GACUtil.exe, being utilized to add a DLL into the Global Assembly Cache (GAC). Each computer where the Common Language Runtime is installed has a machine-wide code cache called the Global Assembly Cache. The Global Assembly Cache stores assemblies specifically designated to be shared by several applications on the computer. By adding a DLL to the GAC, this allows an adversary to call it via any other means across the operating systems. As outlined by Microsoft in their blog, it is not common to see this spawning from W3WP.exe, however, in a non-development environment it may not be common at all. Note that in order to utilize GACutil.exe, The Windows SDK must be installed, this is not a native binary. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1505", "T1505.004"], "nist": ["DE.CM"]} -known_false_positives = False positives may be present if gacutil.exe is utilized day to day by developers. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Service Create Kernel Mode Driver - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the creation of a new kernel mode driver using the sc.exe command. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. The activity is significant because adding a kernel driver is uncommon in regular operations and can indicate an attempt to gain low-level access to the system. If confirmed malicious, this could allow an attacker to execute code with high privileges, potentially compromising the entire system and evading traditional security measures. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1543.003", "T1543", "T1068"], "nist": ["DE.CM"]} -known_false_positives = False positives may be present based on common applications adding new drivers, however, filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Service Create RemComSvc - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the creation of the RemComSvc service on a Windows endpoint, typically indicating lateral movement using RemCom.exe. It leverages Windows EventCode 7045 from the System event log, specifically looking for the "RemCom Service" name. This activity is significant as it often signifies unauthorized lateral movement within the network, which is a common tactic used by attackers to spread malware or gain further access. If confirmed malicious, this could lead to unauthorized access to sensitive systems, data exfiltration, or further compromise of the network. -how_to_implement = To implement this analytic, the Windows EventCode 7045 will need to be logged. The Windows TA for Splunk is also recommended. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1543.003", "T1543"], "nist": ["DE.AE"]} -known_false_positives = False positives may be present, filter as needed based on administrative activity. -providing_technologies = null - -[savedsearch://ESCU - Windows Service Create SliverC2 - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = When an adversary utilizes SliverC2 to laterally move with the Psexec module, it will create a service with the name and description of "Sliver" and "Sliver Implant". Note that these may be easily changed and are specific to only SliverC2. We have also created the same regex as Microsoft has outlined to attempt to capture the suspicious service path (regex101 reference). -how_to_implement = To implement this analytic, the Windows EventCode 7045 will need to be logged from the System Event log. The Windows TA for Splunk is also recommended. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1569", "T1569.002"], "nist": ["DE.CM"]} -known_false_positives = False positives should be limited, but if another service out there is named Sliver, filtering may be needed. -providing_technologies = null - -[savedsearch://ESCU - Windows Service Create with Tscon - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects potential RDP Hijacking attempts by monitoring a series of actions taken by an attacker to gain unauthorized access to a remote system. The attacker first runs the quser command to query the remote host for disconnected user sessions. Upon identifying a disconnected session, they use the sc.exe command to create a new Windows service with a binary path that launches tscon.exe. By specifying the disconnected session ID and a destination ID, the attacker can transfer the disconnected session to a new RDP session, effectively hijacking the user's session. This analytic allows security teams to detect and respond to RDP Hijacking attempts, mitigating potential risks and impacts on targeted systems. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1563.002", "T1563", "T1543.003"], "nist": ["DE.CM"]} -known_false_positives = False positives may arise in the RDP Hijacking analytic when legitimate administrators access remote sessions for maintenance or troubleshooting purposes. These activities might resemble an attacker''s attempt to hijack a disconnected session, leading to false alarms. To mitigate the risk of false positives and improve the overall security posture, organizations can implement Group Policy to automatically disconnect RDP sessions when they are complete. By enforcing this policy, administrators ensure that disconnected sessions are promptly terminated, reducing the window of opportunity for an attacker to hijack a session. Additionally, organizations can also implement access control mechanisms and monitor the behavior of privileged accounts to further enhance security and reduce the chances of false positives in RDP Hijacking detection. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Service Created with Suspicious Service Path - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytics uses Windows Event Id 7045, `New Service Was Installed`, to identify the creation of a Windows Service where the service binary path path is located in a non-common Service folder in Windows. Red Teams and adversaries alike may create malicious Services for lateral movement or remote code execution as well as persistence and execution. The Clop ransomware has also been seen in the wild abusing Windows services. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1569", "T1569.002"], "nist": ["DE.CM"]} -known_false_positives = Legitimate applications may install services with uncommon services paths. -providing_technologies = null - -[savedsearch://ESCU - Windows Service Created Within Public Path - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytc uses Windows Event Id 7045, `New Service Was Installed`, to identify the creation of a Windows Service where the service binary path is located in public paths. This behavior could represent the installation of a malicious service. Red Teams and adversaries alike may create malicious Services for lateral movement or remote code execution -how_to_implement = To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1543", "T1543.003"], "nist": ["DE.CM"]} -known_false_positives = Legitimate applications may install services with uncommon services paths. -providing_technologies = null - -[savedsearch://ESCU - Windows Service Creation on Remote Endpoint - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic looks for the execution of `sc.exe` with command-line arguments utilized to create a Windows Service on a remote endpoint. Red Teams and adversaries alike may abuse the Service Control Manager for lateral movement and remote code execution. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1543", "T1543.003"], "nist": ["DE.CM"]} -known_false_positives = Administrators may create Windows Services on remote systems, but this activity is usually limited to a small set of hosts or users. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Service Creation Using Registry Entry - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects when reg.exe modify registry keys that define Windows services and their configurations in Windows to detect potential threats earlier and mitigate the risks. This detection is made by a Splunk query that searches for specific keywords in the process name, parent process name, user, and process ID. This detection is important because it suggests that an attacker has modified the registry keys that define Windows services and their configurations, which can allow them to maintain access to the system and potentially move laterally within the network. It is a common technique used by attackers to gain persistence on a compromised system and its impact can lead to data theft, ransomware, or other damaging outcomes. False positives can occur since legitimate uses of reg.exe to modify registry keys for Windows services can also trigger this alert. Next steps include reviewing the process and user context of the reg.exe activity and identify any other concurrent processes that might be associated with the attack upon triage. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.011"], "nist": ["DE.CM"]} -known_false_positives = Third party tools may used this technique to create services but not so common. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Service Deletion In Registry - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the deletion of a service from the Windows Registry under CurrentControlSet\Services. It leverages data from the Endpoint.Registry datamodel, specifically monitoring registry paths and actions related to service deletion. This activity is significant as adversaries may delete services to evade detection and hinder incident response efforts. If confirmed malicious, this action could disrupt legitimate services, impair system functionality, and potentially allow attackers to maintain a lower profile within the environment, complicating detection and remediation efforts. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.AE"]} -known_false_positives = This event can be seen when administrator delete a service or uninstall/reinstall a software that creates service entry, but it is still recommended to check this alert with high priority. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Service Initiation on Remote Endpoint - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic looks for the execution of `sc.exe` with command-line arguments utilized to start a Windows Service on a remote endpoint. Red Teams and adversaries alike may abuse the Service Control Manager for lateral movement and remote code execution. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1543", "T1543.003"], "nist": ["DE.CM"]} -known_false_positives = Administrators may start Windows Services on remote systems, but this activity is usually limited to a small set of hosts or users. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Service Stop By Deletion - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies Windows Service Control, `sc.exe`, attempting to delete a service. This is typically identified in parallel with other instances of service enumeration of attempts to stop a service and then delete it. Adversaries utilize this technique to terminate security services or other related services to continue there objective and evade detections. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.CM"]} -known_false_positives = It is possible administrative scripts may start/stop/delete services. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Service Stop Via Net and SC Application - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic identifies suspicious attempts to stop services on a system using either `net.exe` or `sc.exe`. This technique is used by adversaries to terminate security services or other related services to continue their objective and evade detections. This technique is also commonly used by ransomware threat actors to successfully encrypt databases or files being processed or used by Windows OS Services. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.AE"]} -known_false_positives = Windows OS or software may stop and restart services due to some critical update. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Service Stop Win Updates - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a windows update service being disabled in Windows OS. This technique is being abused by adversaries or threat actors to add defense mechanisms to their malware implant in the targeted host. Disabling windows update will put the compromised host vulnerable in some zero day exploit or even some update features against threats. RedLine Stealer kills this service as part of its defense evasion mechanism. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints (like Windows system.log Event ID 7040) -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.AE"]} -known_false_positives = Network administrator may disable this services as part of its audit process within the network. Filter is needed. -providing_technologies = null - -[savedsearch://ESCU - Windows SIP Provider Inventory - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following inventory analytic is used with a PowerShell scripted inputs to capture all SIP providers on a Windows system. This analytic is used to identify potential malicious SIP providers that may be used to subvert trust controls. Upon review, look for new and non-standard paths for SIP providers. -how_to_implement = To implement this analytic, one must first perform inventory using a scripted inputs. Review the following Gist - https://gist.github.com/MHaggis/75dd5db546c143ea67703d0e86cdbbd1 -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1553.003"], "nist": ["DE.AE"]} -known_false_positives = False positives are limited as this is a hunting query for inventory. -providing_technologies = null - -[savedsearch://ESCU - Windows SIP WinVerifyTrust Failed Trust Validation - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic utilizes a Windows Event Log - CAPI2 - or CryptoAPI 2, to identify failed trust validation. Typically, this event log is meant for diagnosing PKI issues, however is a great source to identify failed trust validation. Note that this event log is noisy as it captures common PKI requests from many different processes. EventID 81 is generated anytime a trust validation fails. The description for EventID 81 is "The digital signature of the object did not verify." STRT tested this analytic using Mimikatz binary. -how_to_implement = To implement this analytic, one will need to enable the Microsoft-Windows-CAPI2/Operational log within the Windows Event Log. Note this is a debug log for many purposes, and the analytic only focuses in on EventID 81. Review the following gist for additional enabling information. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1553.003"], "nist": ["DE.AE"]} -known_false_positives = False positives may be present in some instances of legitimate binaries with invalid signatures. Filter as needed. -providing_technologies = null - -[savedsearch://ESCU - Windows Snake Malware File Modification Crmlog - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the creation of a .crmlog file within the %windows%\Registration directory, typically with a format of ..crmlog. This detection leverages the Endpoint.Filesystem datamodel to monitor file creation events in the specified directory. This activity is significant as it is associated with the Snake malware, which uses this file for its operations. If confirmed malicious, this could indicate the presence of Snake malware, leading to potential data exfiltration, system compromise, and further malicious activities. Immediate investigation is required to mitigate the threat. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1027"], "nist": ["DE.CM"]} -known_false_positives = False positives may be present as the file pattern does match legitimate files on disk. It is possible other native tools write the same file name scheme. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Snake Malware Kernel Driver Comadmin - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the comadmin.dat file written to disk, which is related to Snake Malware. From the report, Snakes installer drops the kernel driver and a custom DLL which is used to load the driver into a single AES encrypted file on disk. Typically, this file is named comadmin.dat and is stored in the %windows%\system32\Com directory. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1547.006"], "nist": ["DE.CM"]} -known_false_positives = False positives may be present, filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Snake Malware Registry Modification wav OpenWithProgIds - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The follow analytic identifies the registry being modified at .wav\\OpenWithProgIds\, which is related to the Snake Malware campaign. Upon execution, Snake's WerFault.exe will attempt to decrypt an encrypted blob within the Windows registry that is typically found at HKLM:\SOFTWARE\Classes\.wav\OpenWithProgIds. The encrypted data includes the AES key, IV, and path that is used to find and decrypt the file containing Snake's kernel driver and kernel driver loader. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} -known_false_positives = False positives may be present and will require tuning based on program Ids in large organizations. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Snake Malware Service Create - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a new service WerFaultSvc being created with a binary path located in the windows winsxs path. Per the report, the Snake version primarily discussed in this advisory registers a service to maintain persistence on a system. Typically this service is named WerFaultSvc which we assess was used to blend in with the legitimate Windows service WerSvc. On boot, this service will execute Snakes WerFault.exe, which Snake developers chose to hide among the numerous valid Windows WerFault.exe files in the windows WinSxS directory. Executing WerFault.exe will start the process of decrypting Snakes components and loading them into memory. -how_to_implement = To successfully implement this search, you need to be ingesting Windows System logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1547.006", "T1569.002"], "nist": ["DE.CM"]} -known_false_positives = False positives should be limited as this is a strict primary indicator used by Snake Malware. -providing_technologies = null - -[savedsearch://ESCU - Windows SOAPHound Binary Execution - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the common command-line argument used by SOAPHound `soaphound.exe`. Being the script is publicly available, function names may be modified, but these changes are dependent upon the operator. In most instances the defaults are used. It does not cover the entirety of every argument in order to avoid false positives. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"]} -known_false_positives = False positives should be limited as the command-line arguments are specific to SOAPHound. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Spearphishing Attachment Connect To None MS Office Domain - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = this detection was designed to identifies suspicious office documents that connect to a website aside from Microsoft Office Domain. This technique was seen in several malicious documents that abuses .rels xml properties of MS office to connect or download malicious files. This hunting query can be a good pivot or guide to check what URL link it tries to connect, what domain, where the documents came from and how the connection happens. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"]} -known_false_positives = Windows Office document may contain legitimate url link other than MS office Domain. filter is needed -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Windows Spearphishing Attachment Onenote Spawn Mshta - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following detection identifies the latest behavior utilized by different malware families (including TA551, AsyncRat, Redline and DCRAT). This detection identifies onenote Office Product spawning `mshta.exe`. In malicious instances, the command-line of `mshta.exe` will contain the `hta` file locally, or a URL to the remote destination. In addition, Threat Research has released a detections identifying suspicious use of `mshta.exe`. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. The Office Product, or `mshta.exe` will have reached out to a remote destination, capture and block the IPs or domain. Review additional parallel processes for further activity. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.CM"]} -known_false_positives = No false positives known. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Special Privileged Logon On Multiple Hosts - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic leverages Event ID 4672 to identify a source user authenticating with special privileges across a large number remote endpoints. Specifically, the logic will trigger when a source user obtains special privileges across 30 or more target computers within a 5 minute timespan. Special privileges are assigned to a new logon session when sensitive privileges like SeDebugPrivilege and SeImpersonatePrivilege are assigned. This behavior could represent an adversary who is moving laterally and executing remote code across the network. It can also be triggered by other behavior like an adversary enumerating network shares. As environments differ across organizations, security teams should customize the thresholds of this detection as needed. -how_to_implement = To successfully implement this search, you need to be ingesting special logon events. The Advanced Security Audit policy setting `Audit Special Logon` within `Logon/Logoff` need to be enabled. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1021.002", "T1135"], "nist": ["DE.CM"]} -known_false_positives = Vulnerability scanners or system administration tools may also trigger this detection. Filter as needed. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows SQL Spawning CertUtil - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the use of certutil to download software, a behavior exhibited by the threat actor Flax Typhoon. This actor deploys a VPN connection by downloading an executable file for SoftEther VPN from their network infrastructure using one of several LOLBins, including certutil. The actor then uses the Service Control Manager (SCM) to create a Windows service that launches the VPN connection automatically when the system starts. This behavior allows the actor to monitor the availability of the compromised system and establish an RDP connection. This analytic identifies this behavior by monitoring for the use of certutil in conjunction with the downloading of software. This behavior is worth identifying for a SOC as it indicates a potential compromise of the system and the establishment of a persistent threat. If a true positive is found, it suggests an attacker has gained access to the environment and is attempting to maintain that access, potentially leading to further malicious activities such as data theft or ransomware attacks. Be aware of potential false positives - legitimate uses of certutil in your environment may cause benign activities to be flagged. Upon triage, review the command executed and look for concurrent processes to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]} -known_false_positives = The occurrence of false positives should be minimal, given that the SQL agent does not typically download software using CertUtil. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows SqlWriter SQLDumper DLL Sideload - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the abuse of SqlWriter and SQLDumper executables to sideload the vcruntime140.dll library. This technique is commonly used by adversaries to load malicious code into a legitimate process. The analytic searches for EventCode 7 from Sysmon logs where the Image is either SQLDumper.exe or SQLWriter.exe and the ImageLoaded is vcruntime140.dll. The search also filters out the legitimate loading of vcruntime140.dll from the System32 directory to reduce false positives. -how_to_implement = The analytic is designed to be run against Sysmon event logs collected from endpoints. The analytic requires the Sysmon event logs to be ingested into Splunk. The analytic searches for EventCode 7 where the Image is either SQLDumper.exe or SQLWriter.exe and the ImageLoaded is vcruntime140.dll. The search also filters out the legitimate loading of vcruntime140.dll from the System32 directory to reduce false positives. The analytic can be modified to include additional known good paths for vcruntime140.dll to further reduce false positives. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.002"], "nist": ["DE.CM"]} -known_false_positives = False positives are possible if legitimate processes are loading vcruntime140.dll from non-standard directories. It is recommended to investigate the context of the process loading vcruntime140.dll to determine if it is malicious or not. Modify the search to include additional known good paths for vcruntime140.dll to reduce false positives. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Windows Steal Authentication Certificates - ESC1 Abuse - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies when a new certificate is requested and/or granted against the Active Directory Certificate Services (AD CS) using a Subject Alternative Name (SAN). This action by its self is not malicious, however improperly configured certificate templates can be abused to permit privilege escalation and environment compromise due to over permissive settings (AD CS ESC1) -how_to_implement = To implement this analytic, enhanced Audit Logging must be enabled on AD CS and within Group Policy Management for CS server. See Page 115 of first reference. Recommend throttle correlation by RequestId/ssl_serial at minimum. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1649"], "nist": ["DE.CM"]} -known_false_positives = False positives may be generated in environments where administrative users or processes are allowed to generate certificates with Subject Alternative Names. Sources or templates used in these processes may need to be tuned out for accurate function. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows Steal Authentication Certificates - ESC1 Authentication - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies when a suspicious certificate is granted using Active Directory Certificate Services (AD CS) with a Subject Alternative Name (SAN) and then immediately used for authentication. This action alone may not be malicious, however improperly configured certificate templates can be abused to permit privilege escalation and environment compromise due to over permissive settings (AD CS ESC1). -how_to_implement = To implement this analytic, enhanced Audit Logging must be enabled on AD CS and within Group Policy Management for CS server. See Page 115 of first reference. Recommend throttle correlation by RequestId/ssl_serial at minimum. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1649", "T1550"], "nist": ["DE.CM"]} -known_false_positives = False positives may be generated in environments where administrative users or processes are allowed to generate certificates with Subject Alternative Names for authentication. Sources or templates used in these processes may need to be tuned out for accurate function. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows Steal Authentication Certificates Certificate Issued - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies when a new certificate is issued against the Certificate Services - AD CS. By its very nature this is not malicious, but should be tracked and correlated with other events related to certificates being issued. When the CA issues the certificate, it creates EID 4887 'Certificate Services approved a certificate request and issued a certificate". The event supplies the requester user context, the DNS hostname of the machine they requested the certificate from, and the time they requested the certificate. The attributes fields in these event commonly has values for CDC, RMD, and CCM which correspond to Client DC, Request Machine DNS name, and Cert Client Machine, respectively. -how_to_implement = To implement this analytic, enhanced Audit Logging must be enabled on AD CS and within Group Policy Management for CS server. See Page 115 of first reference. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1649"], "nist": ["DE.AE"]} -known_false_positives = False positives will be generated based on normal certificates issued. Leave enabled to generate Risk, as this is meant to be an anomaly analytic. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows Steal Authentication Certificates Certificate Request - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies when a new certificate is requested against the Certificate Services - AD CS. By its very nature this is not malicious, but should be tracked and correlated with other events related to certificate requests. When an account requests a certificate, the CA generates event ID (EID) 4886 "Certificate Services received a certificate request". -how_to_implement = To implement this analytic, enhanced Audit Logging must be enabled on AD CS and within Group Policy Management for CS server. See Page 115 of first reference. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1649"], "nist": ["DE.AE"]} -known_false_positives = False positives will be generated based on normal certificate requests. Leave enabled to generate Risk, as this is meant to be an anomaly analytic. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows Steal Authentication Certificates CertUtil Backup - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects CertUtil.exe performing a backup of the Certificate Store. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line executions involving CertUtil with backup parameters. This activity is significant because it may indicate an attempt to steal authentication certificates, which are critical for secure communications. If confirmed malicious, an attacker could use the stolen certificates to impersonate users, decrypt sensitive data, or gain unauthorized access to systems, leading to severe security breaches. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1649"], "nist": ["DE.AE"]} -known_false_positives = False positives will be generated based on normal certificate store backups. Leave enabled to generate Risk, as this is meant to be an anomaly analytic. If CS backups are not normal, enable as TTP. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Steal Authentication Certificates CryptoAPI - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic utilizes a Windows Event Log - CAPI2 - or CryptoAPI 2, to identify suspicious certificate extraction. Typically, this event log is meant for diagnosing PKI issues, however is a great source to identify certificate exports. Note that this event log is noisy as it captures common PKI requests from many different processes. EventID 70 is generated anytime a certificate is exported. The description for EventID 70 is "Acquire Certificate Private Key". STRT tested this analytic using Mimikatz binary and the implementation of Mimikatz in Cobalt Strike. -how_to_implement = To implement this analytic, one will need to enable the Microsoft-Windows-CAPI2/Operational log within the Windows Event Log. Note this is a debug log for many purposes, and the analytic only focuses in on EventID 70. Review the following gist for additional enabling information. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1649"], "nist": ["DE.AE"]} -known_false_positives = False positives may be present in some instances of legitimate applications requiring to export certificates. Filter as needed. -providing_technologies = null - -[savedsearch://ESCU - Windows Steal Authentication Certificates CS Backup - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the backup of the Active Directory Certificate Services (AD CS) store, detected via Event ID 4876. This event is logged when a backup is performed using the CertSrv.msc UI or the CertUtil.exe -BackupDB command. Monitoring this activity is crucial as unauthorized backups can indicate an attempt to steal authentication certificates, which are critical for secure communications. If confirmed malicious, this activity could allow an attacker to impersonate users, escalate privileges, or access sensitive information, severely compromising the security of the environment. -how_to_implement = To implement this analytic, enhanced Audit Logging must be enabled on AD CS and within Group Policy Management for CS server. See Page 128 of first reference. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1649"], "nist": ["DE.AE"]} -known_false_positives = False positives will be generated based on normal certificate store backups. Leave enabled to generate Risk, as this is meant to be an anomaly analytic. If CS backups are not normal, enable as TTP. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows Steal Authentication Certificates Export Certificate - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the use of the PowerShell cmdlet 'export-certificate' executed via the command line, indicating an attempt to export a certificate from the local Windows Certificate Store. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. Exporting certificates is significant as it may indicate credential theft or preparation for man-in-the-middle attacks. If confirmed malicious, this activity could allow an attacker to impersonate users, decrypt sensitive communications, or gain unauthorized access to systems and data. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1649"], "nist": ["DE.AE"]} -known_false_positives = Filtering may be requried based on automated utilities and third party applications that may export certificates. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Steal Authentication Certificates Export PfxCertificate - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the use of the PowerShell cmdlet `export-pfxcertificate` on the command line, indicating an attempt to export a certificate from the local Windows Certificate Store. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant as it may indicate an attempt to exfiltrate authentication certificates, which can be used to impersonate users or decrypt sensitive data. If confirmed malicious, this could lead to unauthorized access and potential data breaches. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1649"], "nist": ["DE.AE"]} -known_false_positives = Filtering may be requried based on automated utilities and third party applications that may export certificates. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Steal or Forge Kerberos Tickets Klist - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a process execution of Windows OS klist.exe tool. This tool is being abused or used by several post exploitation tool such as winpeas that being used by ransomware prestige to display or gather list of currently cached kerberos ticket. This cahced data can be used for lateral movement or even privilege escalation on the targeted host. This hunting query can be a good pivot in possible kerberos attack or pass the hash technique. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Suspect Process With Authentication Traffic - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic identifies executables running from public or temporary locations that are communicating over windows domain authentication ports/protocol. The ports/protocols include LDAP(389), LDAPS(636), and Kerberos(88). Authentications from applications running from user controlled locations may not be malicious, however actors often attempt to access domain resources after initial compromise from executables in these locations. Most attacker toolkits offer some degree of interaction with AD/LDAP. -how_to_implement = To implement this analytic, Sysmon should be installed in the environment and generating network events for userland and/or known public writable locations. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1087", "T1087.002", "T1204", "T1204.002"], "nist": ["DE.AE"]} -known_false_positives = Known applications running from these locations for legitimate purposes. Targeting only kerberos (port 88) may significantly reduce noise. -providing_technologies = null - -[savedsearch://ESCU - Windows System Binary Proxy Execution Compiled HTML File Decompile - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the decompile parameter with the HTML Help application, HH.exe. This is a uncommon command to see ran and behavior. Most recently this was seen in a APT41 campaign where a CHM file was delivered and a script inside used a technique for running an arbitrary command in a CHM file via an ActiveX object. This unpacks an HTML help file to a specified path for launching the next stage. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.001", "T1218"], "nist": ["DE.CM"]} -known_false_positives = False positives should be limited, filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows System Discovery Using ldap Nslookup - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the execution of nslookup.exe tool to get domain information. Nslookup.exe is a command-line tool that can display information to diagnose domain name systems. This Nslookup feature is being abused by Qakbot malware to gather domain information such as SRV service location records, server name and many more. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]} -known_false_positives = dministrator may execute this commandline tool for auditing purposes. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows System Discovery Using Qwinsta - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the execution of qwinsta.exe executable in Windows Operating System. This Windows executable file can display information about sessions on a remote desktop session host server. The information includes servername, sessionname, username and many more. This tool is being abused of Qakbot malware to gather information to the targeted or compromised host that will be send back to its Command And Control server. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]} -known_false_positives = Administrator may execute this commandline tool for auditing purposes. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows System File on Disk - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following hunting analytic will assist with identifying new .sys files introduced in the environment. This query is meant to identify sys file creates on disk. There will be noise, but reducing common process names or applications should help to limit any volume. The idea is to identify new sys files written to disk and identify them before they're added as a new kernel mode driver. -how_to_implement = To successfully implement this search you need to be ingesting information on files from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. In addition, filtering may occur by adding NOT (Filesystem.file_path IN ("*\\Windows\\*", "*\\Program File*", "*\\systemroot\\*","%SystemRoot%*", "system32\*")). This will level out the noise generated to potentally lead to generating notables. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.AE"]} -known_false_positives = False positives will be present. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows System LogOff Commandline - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies Windows commandline to logoff a windows host machine. This technique was seen in several APT, RAT like dcrat and other commodity malware to shutdown the machine to add more impact, interrupt access, aid destruction of the system like wiping disk or inhibit system recovery. This TTP is a good pivot to check why application trigger this commandline which is not so common way to logoff a machine. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1529"], "nist": ["DE.AE"]} -known_false_positives = Administrator may execute this commandline to trigger shutdown, logoff or restart the host machine. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows System Network Config Discovery Display DNS - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a process command line that retrieves dns reply information using Windows OS built-in tool IPConfig. This technique is being abused by threat actors, adversaries and post exploitation tools like WINPEAS to retrieve DNS information for the targeted host. This IPConfig parameter (/displaydns) can show dns server resource record, record name, record type, time to live data length and dns reply. This hunting detection can be a good pivot to check which process is executing this command line in specific host system that may lead to malware or adversaries gathering network information. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1016"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows System Network Connections Discovery Netsh - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a process execution of Windows OS built-in tool netsh.exe to show state, configuration and profile of host firewall. This tool is being used or abused by several adversaries or even post exploitation tool to bypass firewall rules or to discover firewall settings. This hunting detection can help to detect a possible suspicious usage of netsh.exe to retrieve firewall settings or even firewall wlan profile. We recommend checking which parent process and process name execute this command. Also check the process file path for verification that may lead to further TTP's threat behavior. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1049"], "nist": ["DE.AE"]} -known_false_positives = network administrator can use this tool for auditing process. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows System Reboot CommandLine - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies Windows commandline to reboot a windows host machine. This technique was seen in several APT, RAT like dcrat and other commodity malware to shutdown the machine to add more impact, interrupt access, aid destruction of the system like wiping disk or inhibit system recovery. This TTP is a good pivot to check why application trigger this commandline which is not so common way to reboot a machine. Compare to shutdown and logoff shutdown.exe feature, reboot seen in some automation script like ansible to reboot the machine. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1529"], "nist": ["DE.AE"]} -known_false_positives = Administrator may execute this commandline to trigger shutdown or restart the host machine. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows System Script Proxy Execution Syncappvpublishingserver - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the execution of Syncappvpublishingserver.vbs via wscript.exe or cscript.exe, which may indicate an attempt to download remote files or perform privilege escalation. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. Monitoring this activity is crucial as it can signify malicious use of a native Windows script for unauthorized actions. If confirmed malicious, this behavior could lead to unauthorized file downloads or elevated privileges, posing a significant security risk. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1216", "T1218"], "nist": ["DE.CM"]} -known_false_positives = False positives may be present if the vbscript syncappvpublishingserver is used for legitimate purposes. Filter as needed. Adding a n; to the command-line arguments may help reduce any noise. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows System Shutdown CommandLine - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This detection rule is designed to identify the execution of the Windows shutdown command via command line interface. The shutdown command can be utilized by system administrators to properly halt, power off, or reboot a computer. However, in a security context, attackers who have gained unauthorized access to a system may also use this command in an effort to erase tracks, or to cause disruption and denial of service. In some instances, they might execute the shutdown command after installing a backdoor, to force the system to restart, ensuring that changes take effect or evading detection by security tools. Monitoring for the use of the Windows shutdown command, especially in conjunction with other unusual or unauthorized activities, can be an important part of identifying malicious behavior within a network. It is advised that security professionals analyze the context in which the shutdown command is being executed to differentiate between legitimate administrative functions and potentially malicious activity. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1529"], "nist": ["DE.AE"]} -known_false_positives = Administrator may execute this commandline to trigger shutdown or restart the host machine. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows System Time Discovery W32tm Delay - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies DCRat delay time tactics using w32tm. This technique was seen in DCRAT malware where it uses stripchart function of w32tm.exe application to delay the execution of its payload like c2 communication , beaconing and execution. This anomaly detection may help the analyst to check other possible event like the process who execute this command that may lead to DCRat attack. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1124"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows System User Discovery Via Quser - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a process execution of Windows OS quser.exe tool. This tool is being abused or used by several post exploitation tool such as winpeas that being used by ransomware prestige to display or gather information about user sessions on a Remote Desktop Session Host server. This command can find out if a specific user is logged on to a specific Remote Desktop Session Host server. This tool can retrieve some RDP information that can be use by attacker for further attack like Name of the user , Name of the session on the Remote Desktop Session Host server, Session ID, State of the session (active or disconnected), Idle time (the number of minutes since the last keystroke or mouse movement at the session) and Date and time the user logged on. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]} -known_false_positives = network administrator can use this command tool to audit RDP access of user in specific network or host. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows System User Privilege Discovery - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic looks for the execution of `whoami.exe` with /priv parameter. This whoami command is used to display or shows the privileges assigned to the current user account. This hunting query can be a good pivot start to look for suspicious usage of whoami application that might related to a malware or adversaries. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]} -known_false_positives = Administrators or power users may use this command for troubleshooting. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Terminating Lsass Process - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is to detect a suspicious process terminating Lsass process. Lsass process is known to be a critical process that is responsible for enforcing security policy system. This process was commonly targetted by threat actor or red teamer to gain privilege escalation or persistence in the targeted machine because it handles credentials of the logon users. In this analytic we tried to detect a suspicious process having a granted access PROCESS_TERMINATE to lsass process to modify or delete protected registrys. This technique was seen in doublezero malware that tries to wipe files and registry in compromised hosts. This anomaly detection can be a good pivot of incident response for possible credential dumping or evading security policy in a host or network environment. -how_to_implement = This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 10 for lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]} -known_false_positives = unknown -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Windows Time Based Evasion - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is designed to detect potentially malicious processes that initiate a ping delay using an invalid IP address. This evasion technique was observed in NJRAT, where the malware employed ping commands as a means to introduce a time delay before self-deletion on the compromised host. Identifying this (TTP) behavior can serve as a valuable indicator for detecting NJRAT infections or other malware that employ time delays as evasion tactics. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1497", "T1497.003"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Time Based Evasion via Choice Exec - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is designed to detect potentially suspicious batch files that leverage choice.exe as a delay tactic. This technique, observed in the SnakeKeylogger malware, is utilized for time delays or 'Sleep' commands in its code execution or before the deletion of its copies on compromised hosts. Detecting this anomaly serves as a valuable pivot to uncover suspicious processes attempting to evade detection through time-based evasion techniques. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1497.003", "T1497"], "nist": ["DE.AE"]} -known_false_positives = administrator may use choice.exe to allow user to choose from and indexes of choices from a batch script. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows UAC Bypass Suspicious Child Process - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects when an executable known for User Account Control bypass exploitation, spawns a child process in user controlled location or a command shell executable (cmd, powershell, etc). This behavioral chain may indicate that an attacker has used a UAC Bypass exploit to successfully escalate privileges. -how_to_implement = Target environment must ingest sysmon data, specifically Event ID 1 with process integrity level data. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548", "T1548.002"], "nist": ["DE.CM"]} -known_false_positives = Including Werfault.exe may cause some unintended false positives related to normal application faulting, but is used in a number of UAC bypass techniques. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows UAC Bypass Suspicious Escalation Behavior - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects when a process spawns an executable known for User Account Control bypass exploitation, and then monitors for any subsequent child processes that are above the integrity level of the original spawning process. This behavioral chain may indicate that an attacker has used a UAC Bypass exploit to successfully escalate privileges. -how_to_implement = Target environment must ingest sysmon data, specifically Event ID 1 with process integrity level data. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548", "T1548.002"], "nist": ["DE.CM"]} -known_false_positives = Including Werfault.exe may cause some unintended false positives related to normal application faulting, but is used in a number of UAC bypass techniques. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Unsecured Outlook Credentials Access In Registry - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a suspicious query on outlook credentials registry in Windows OS registry. typically refers to user profiles associated with Microsoft Outlook. Within this key, Outlook stores configuration settings, including account information such as email addresses, server details, and authentication credentials. Accessing or modifying this registry key can potentially compromise users' email security, making it a target for attackers seeking to steal sensitive information or execute unauthorized actions within Outlook. This anomaly detection is a good pivot to catch possible Trojan Stealer or RAT that tries to steal sensitive information to its targeted host. -how_to_implement = To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552"], "nist": ["DE.AE"]} -known_false_positives = third party software may access this outlook registry. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows Unsigned DLL Side-Loading - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic focuses on detecting potentially malicious unsigned DLLs created in either the c:\windows\system32 or c:\windows\syswow64 folders. This particular technique was observed in the context of the Warzone (Ave Maria) RAT, where it employed a method known as DLL hijacking (dll-side-loading) by dropping the "dismcore.dll" to achieve privilege escalation. DLL hijacking is a stealthy attack technique used by cybercriminals to exploit the way Windows searches and loads DLLs. By placing a malicious DLL with the same name as one that a legitimate application is expected to load, the attacker can gain unauthorized access and execute malicious code. In the case of Warzone RAT (Ave Maria), the dropped "dismcore.dll" was intended to deceive the system into loading the rogue DLL instead of the legitimate version, thereby granting the malware elevated privileges and enabling further compromise of the target system. Detecting such suspicious DLLs is crucial in preventing privilege escalation attacks and other potential security breaches. Regular security assessments, thorough monitoring, and implementing security best practices are essential in safeguarding systems from such threats. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.002"], "nist": ["DE.AE"]} -known_false_positives = It is possible some Administrative utilities will load dismcore.dll outside of normal system paths, filter as needed. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Windows Unsigned MS DLL Side-Loading - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analysis identifies potential DLL side-loading instances involving unsigned DLLs with a company detail signature mimicking Microsoft. This technique is frequently exploited by adversaries to execute malicious code automatically by running a legitimate process. The analytics involves searching Sysmon logs for Event Code 7, where both the `Image` and `ImageLoaded` paths do not match system directories (`system32`, `syswow64`, and `programfiles`). Additionally, it verifies whether the loaded DLL is signed and checks if the folder paths of the `Image` and `ImageLoaded` are identical. This anomaly detection mechanism serves as a valuable indicator for identifying suspicious processes that load unsigned DLLs. Add other paths based on org hunting. -how_to_implement = The analytic is designed to be run against Sysmon event logs collected from endpoints. The analytic requires the Sysmon event logs to be ingested into Splunk. The analytic searches for EventCode 7 where the Image is either SQLDumper.exe or SQLWriter.exe and the ImageLoaded is vcruntime140.dll. The search also filters out the legitimate loading of vcruntime140.dll from the System32 directory to reduce false positives. The analytic can be modified to include additional known good paths for vcruntime140.dll to further reduce false positives. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.002", "T1547"], "nist": ["DE.AE"]} -known_false_positives = False positives are possible if legitimate processes are loading vcruntime140.dll from non-standard directories. It is recommended to investigate the context of the process loading vcruntime140.dll to determine if it is malicious or not. Modify the search to include additional known good paths for vcruntime140.dll to reduce false positives. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies one source endpoint failing to authenticate with multiple disabled domain users using the Kerberos protocol. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using Kerberos to obtain initial access or elevate privileges. As attackers progress in a breach, mistakes will be made. In certain scenarios, adversaries may execute a password spraying attack against disabled users. Event 4768 is generated every time the Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT). Failure code `0x12` stands for `clients credentials have been revoked` (account disabled, expired or locked out). \ -The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of users. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises. \ -This detection will only trigger on domain controllers, not on member servers or workstations. \ -The analytics returned fields allow analysts to investigate the event further by providing fields like source ip and attempted user accounts. -how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.AE"]} -known_false_positives = A host failing to authenticate with multiple disabled domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, multi-user systems missconfigured systems. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies one source endpoint failing to authenticate with multiple invalid domain users using the Kerberos protocol. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using Kerberos to obtain initial access or elevate privileges. As attackers progress in a breach, mistakes will be made. In certain scenarios, adversaries may execute a password spraying attack using an invalid list of users. Event 4768 is generated every time the Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT). Failure code 0x6 stands for `client not found in Kerberos database` (the attempted user is not a valid domain user). \ -The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of users. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises. \ -This detection will only trigger on domain controllers, not on member servers or workstations. \ -The analytics returned fields allow analysts to investigate the event further by providing fields like source ip and attempted user accounts. -how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.AE"]} -known_false_positives = A host failing to authenticate with multiple invalid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, multi-user systems and missconfigured systems. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies one source endpoint failing to authenticate with multiple invalid users using the NTLM protocol. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using NTLM to obtain initial access or elevate privileges. As attackers progress in a breach, mistakes will be made. In certain scenarios, adversaries may execute a password spraying attack using an invalid list of users. Event 4776 is generated on the computer that is authoritative for the provided credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative. Error code 0xC0000064 stands for `The username you typed does not exist` (the attempted user is a legitimate domain user). \ -The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of users. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises. \ -This detection will only trigger on domain controllers, not on member servers or workstations. \ -The analytics returned fields allow analysts to investigate the event further by providing fields like source workstation name and attempted user accounts. -how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `Audit Credential Validation' within `Account Logon` needs to be enabled. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.AE"]} -known_false_positives = A host failing to authenticate with multiple invalid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems. If this detection triggers on a host other than a Domain Controller, the behavior could represent a password spraying attack against the host's local accounts. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a source user failing to authenticate with multiple users using explicit credentials on a host. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment to obtain initial access or elevate privileges. Event 4648 is generated when a process attempts an account logon by explicitly specifying that accounts credentials. This event generates on domain controllers, member servers, and workstations. \ -The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of users. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises. \ -This detection will trigger on the potenfially malicious host, perhaps controlled via a trojan or operated by an insider threat, from where a password spraying attack is being executed. \ -The analytics returned fields allow analysts to investigate the event further by providing fields like source account, attempted user accounts and the endpoint were the behavior was identified. -how_to_implement = To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.AE"]} -known_false_positives = A source user failing attempting to authenticate multiple users on a host is not a common behavior for regular systems. Some applications, however, may exhibit this behavior in which case sets of users hosts can be added to an allow list. Possible false positive scenarios include systems where several users connect to like Mail servers, identity providers, remote desktop services, Citrix, etc. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows Unusual Count Of Users Failed To Auth Using Kerberos - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies one source endpoint failing to authenticate with multiple valid users using the Kerberos protocol. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using Kerberos to obtain initial access or elevate privileges. Event 4771 is generated when the Key Distribution Center fails to issue a Kerberos Ticket Granting Ticket (TGT). Failure code 0x18 stands for `wrong password provided` (the attempted user is a legitimate domain user). \ -The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of users. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises. \ -This detection will only trigger on domain controllers, not on member servers or workstations. \ -The analytics returned fields allow analysts to investigate the event further by providing fields like source ip and attempted user accounts. -how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.AE"]} -known_false_positives = A host failing to authenticate with multiple valid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, missconfigured systems and multi-user systems like Citrix farms. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows Unusual Count Of Users Failed To Authenticate From Process - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a source process name failing to authenticate with multiple users. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment to obtain initial access or elevate privileges. Event 4625 generates on domain controllers, member servers, and workstations when an account fails to logon. Logon Type 2 describes an iteractive logon attempt. \ -The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of users. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises. \ -This detection will trigger on the potenfially malicious host, perhaps controlled via a trojan or operated by an insider threat, from where a password spraying attack is being executed. This could be a domain controller as well as a member server or workstation. \ -The analytics returned fields allow analysts to investigate the event further by providing fields like source process name, source account and attempted user accounts. -how_to_implement = To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers aas well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.AE"]} -known_false_positives = A process failing to authenticate with multiple users is not a common behavior for legitimate user sessions. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows Unusual Count Of Users Failed To Authenticate Using NTLM - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies one source endpoint failing to authenticate with multiple valid users using the NTLM protocol. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using NTLM to obtain initial access or elevate privileges. Event 4776 is generated on the computer that is authoritative for the provided credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative. Error code 0xC000006A means: misspelled or bad password (the attempted user is a legitimate domain user). \ -The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of users. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises. \ -This detection will only trigger on domain controllers, not on member servers or workstations. \ -The analytics returned fields allow analysts to investigate the event further by providing fields like source workstation name and attempted user accounts. -how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `Audit Credential Validation` within `Account Logon` needs to be enabled. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.AE"]} -known_false_positives = A host failing to authenticate with multiple valid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems. If this detection triggers on a host other than a Domain Controller, the behavior could represent a password spraying attack against the host's local accounts. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows Unusual Count Of Users Remotely Failed To Auth From Host - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a source host failing to authenticate against a remote host with multiple users. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment to obtain initial access or elevate privileges. Event 4625 documents each and every failed attempt to logon to the local computer. This event generates on domain controllers, member servers, and workstations. Logon Type 3 describes an remote authentication attempt. \ -The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of users. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises. \ -This detection will trigger on the host that is the target of the password spraying attack. This could be a domain controller as well as a member server or workstation. \ -The analytics returned fields allow analysts to investigate the event further by providing fields like source process name, source account and attempted user accounts. -how_to_implement = To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.AE"]} -known_false_positives = A host failing to authenticate with multiple valid users against a remote host is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, remote administration tools, missconfigyred systems, etc. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - Windows User Execution Malicious URL Shortcut File - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic will identify suspicious creation of URL shortcut link files. This technique was seen in CHAOS ransomware where it will drop this .url link file in %startup% folder that contains the path of its malicious dropped file to execute upon the reboot of the targeted host. The creation of this file can be created by a normal application or software but it is a good practice to verify this type of file specially the resource it tries to execute which is commonly a website. -how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.002", "T1204"], "nist": ["DE.CM"]} -known_false_positives = Administrators may allow creation of script or exe in this path. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Valid Account With Never Expires Password - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies net.exe updating user account policies for password requirement with non-expiring password. This technique was seen in several adversaries and malware like Azorult to maintain the foothold (persistence), gaining privilege escalation, defense evasion and possible for lateral movement for specific users or created user account on the targeted host. This TTP detections is a good pivot to see further what other events that users executes on the machines. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.CM"]} -known_false_positives = This behavior is not commonly seen in production environment and not advisable, filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows Vulnerable 3CX Software - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic leverages Sysmon, a powerful system monitoring and logging tool, to pinpoint instances of the 3CXDesktopApp.exe with a FileVersion of 18.12.x.Recently, 3CX has discovered a vulnerability specifically in versions 18.12.407 and 18.12.416 of the desktop app. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1195.002"], "nist": ["DE.CM"]} -known_false_positives = False positives may be present based on file version, modify the analytic to only look for version between 18.12.407 and 18.12.416 as needed. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Windows Vulnerable Driver Loaded - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic utilizes a known list of vulnerable Windows drivers to help defenders find potential persistence or privelege escalation via a vulnerable driver. This analytic uses Sysmon EventCode 6, driver loading. A known gap with this lookup is that it does not use the hash or known signer of the vulnerable driver therefore it is up to the defender to identify version and signing info and confirm it is a vulnerable driver. -how_to_implement = Sysmon collects driver loads via EventID 6, however you may modify the query to utilize this lookup to identify potentially persistent drivers that are known to be vulnerable. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1543.003"], "nist": ["DE.AE"]} -known_false_positives = False positives will be present. Drill down into the driver further by version number and cross reference by signer. Review the reference material in the lookup. In addition, modify the query to look within specific paths, which will remove a lot of "normal" drivers. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Windows WinDBG Spawning AutoIt3 - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies instances of the WinDBG process spawning AutoIt3. This behavior may indicate malicious activity as AutoIt3 is often used by threat actors for scripting malicious automation. The search specifically looks for instances where the parent process name is 'windbg.exe' and the process name is 'autoit3.exe' or 'autoit*.exe'. During the triage process, it is recommended to review the file path for additional artifacts that may provide further insights into the event. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.CM"]} -known_false_positives = False positives will only be present if the WinDBG process legitimately spawns AutoIt3. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows WinLogon with Public Network Connection - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic is designed to detect anomalous behavior associated with the BlackLotus Campaign, a sophisticated bootkit attack reported by ESET and further investigated in a blog by Microsoft, which provided hunting queries for security analysts. The primary focus of this analytic is to identify instances of Winlogon.exe, a critical Windows process, connecting to public IP space, which is indicative of potential malicious activity.\ The BlackLotus Campaign is a bootkit-based attack that compromises system integrity by infecting the Master Boot Record (MBR) and Volume Boot Record (VBR). This malware variant can bypass traditional security measures, load before the operating system, and maintain persistence on the target system. \ -Winlogon.exe is a critical Windows process responsible for managing user logon and logoff processes. Under normal circumstances, Winlogon.exe should not be connecting to public IP addresses. However, if it does, it may indicate that the process has been compromised as part of the BlackLotus Campaign or another malicious operation. \ -This analytic monitors network connections made by Winlogon.exe and triggers an alert if it detects connections to public IP space. By identifying such anomalous behavior, security analysts can investigate further and respond swiftly to potential threats. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1542.003"], "nist": ["DE.AE"]} -known_false_positives = False positives will be present and filtering will be required. Legitimate IPs will be present and need to be filtered. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows WMI Impersonate Token - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies a possible wmi token impersonation activities in a process or command. This technique was seen in Qakbot malware where it will execute a vbscript code contains wmi impersonation object to gain privilege escalation or as defense evasion. This Anomaly detection looks for wmiprvse.exe SourceImage having a duplicate handle or full granted access in a target process. -how_to_implement = This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 10. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.AE"]} -known_false_positives = administrator may execute impersonate wmi object script for auditing. Filter is needed. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - Windows WMI Process And Service List - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies suspicious process command line, where WMI is performing an event query looking for running processes or running services. This technique is commonly found where the adversary will identify services and system information on the compromised machine. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.AE"]} -known_false_positives = netowrk administrator or IT may execute this command for auditing processes and services. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Windows WMI Process Call Create - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic is to look for wmi commandlines to execute or create process. This technique was used by adversaries or threat actor to execute their malicious payload in local or remote host. This hunting query is a good pivot to start to look further which process trigger the wmi or what process it execute locally or remotely. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.AE"]} -known_false_positives = Administrators may execute this command for testing or auditing. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following query utilizes Windows Security EventCode 4698, indicating 'a scheduled task was created', to identify potentially suspicious tasks. These tasks may be registered on Windows through either schtasks.exe or TaskService, and are set up to execute a command with a native Windows shell such as PowerShell, Cmd, Wscript, or Cscript. \ -The search will return the initial and final times the task was registered, along with details like the 'Command' set to be executed, 'Task Name', 'Author', whether it's 'Enabled', and if it is 'Hidden'. \ -Schtasks.exe is typically found in C:\Windows\system32 and C:\Windows\syswow64. The DLL 'taskschd.dll' is loaded when either schtasks.exe or TaskService is launched. If this DLL is found loaded by another process, it's possible that a scheduled task is being registered within the context of that process in memory. \ -During triage, it's essential to identify the source of the scheduled task. Was it registered via schtasks.exe or TaskService? Review the job that was created and the command set to be executed. It's also recommended to capture and review any artifacts on disk, and identify any parallel processes within the same timeframe to locate the source. -how_to_implement = To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA is also required. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} -known_false_positives = False positives are possible if legitimate applications are allowed to register tasks that call a shell to be spawned. Filter as needed based on command-line or processes that are used legitimately. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - WinEvent Scheduled Task Created Within Public Path - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic utilizes Windows Security EventCode 4698, which indicates the creation of a scheduled task on a Windows system. The purpose of this query is to identify suspicious tasks that have been registered using either schtasks.exe or TaskService and involve executing a command from a user-writable file path. \ -When this analytic is triggered, it provides information such as the first and last registration time of the task, the command to be executed, the task name, author, and whether it is set as hidden or not. It is worth noting that schtasks.exe is commonly located in C:\Windows\system32 and C:\Windows\syswow64, and it loads the taskschd.dll DLL when launched. If this DLL is loaded by another process, it suggests that a scheduled task may be registered within that process's context in memory. \ -During the triage process, it is essential to identify the source of the scheduled task creation, whether it was initiated through schtasks.exe or TaskService. The analyst should review the task that was created, including the command to be executed. Additionally, any artifacts on disk related to the task should be captured and analyzed. It is also recommended to identify any parallel processes that occurred within the same timeframe to determine the source of the task creation. \ -By conducting this triage process, security analysts can gain insights into potentiallymalicious or suspicious scheduled tasks, helping them identify the source and assess the impact of the task. This analytic is valuable for a Security Operations Center (SOC) as it can detect unauthorized or suspicious activity that could indicate an attacker's attempt to establish persistence or execute unauthorized commands on the system. -how_to_implement = To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA is also required. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} -known_false_positives = False positives are possible if legitimate applications are allowed to register tasks in public paths. Filter as needed based on paths that are used legitimately. -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following hunting analytic aims to identify suspicious tasks that have been registered and executed in Windows using EventID 200 (action run) and 201 (action completed) from the Windows Task Scheduler logs. This analytic helps detect evasive techniques used to register tasks on Windows systems. It is recommended to filter the results based on the ActionName field by specifying specific paths that are not commonly used in your environment. \ -After implementing this analytic, it is important to review parallel events related to the scheduled tasks. EventID 106 will be generated when a new task is created, but it does not necessarily mean that the task has been executed. Analysts should capture any files on disk associated with the task and perform further analysis. \ -To implement this analytic, Task Scheduler logs must be collected. This can be done by adding a stanza for [WinEventLog://Microsoft-Windows-TaskScheduler/Operational] in the inputs.conf file and setting renderXml=false. It is worth noting that not translating the logs into XML may require specific extraction of items from the Message field. \ -False positives are expected with this analytic, so it is important to filter the results based on the paths or specific keywords of interest in the ActionName field to reduce noise. \ -Identifying and analyzing scheduled tasks that have been executed is crucial for a Security Operations Center (SOC) as it helps detect potentially malicious or unauthorized activities on Windows systems. By capturing and investigating the associated events, analysts can uncover signs of persistence mechanisms, unauthorized code execution, or suspicious behaviors. The impact of a true positive could range from unauthorized access to data exfiltration or the execution of malicious payloads. -how_to_implement = Task Scheduler logs are required to be collected. Enable logging with inputs.conf by adding a stanza for [WinEventLog://Microsoft-Windows-TaskScheduler/Operational] and renderXml=false. Note, not translating it in XML may require a proper extraction of specific items in the Message. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.005"], "nist": ["DE.AE"]} -known_false_positives = False positives will be present. Filter based on ActionName paths or specify keywords of interest. -providing_technologies = null - -[savedsearch://ESCU - Winhlp32 Spawning a Process - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies winhlp32.exe, found natively in `c:\windows\`, spawning a child process that loads a file out of appdata, programdata, or temp. Winhlp32.exe has a rocky past in that multiple vulnerabilities were found and added to MetaSploit. WinHlp32.exe is required to display 32-bit Help files that have the ".hlp" file name extension. This particular instance is related to a Remcos sample where dynwrapx.dll is added to the registry under inprocserver32, and later module loaded by winhlp32.exe to spawn wscript.exe and load a vbs or file from disk. During triage, review parallel processes to identify further suspicious behavior. Review module loads for unsuspecting unsigned modules. Capture any file modifications and analyze. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} -known_false_positives = False positives should be limited as winhlp32.exe is typically not used with the latest flavors of Windows OS. However, filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - WinRAR Spawning Shell Application - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the execution of Windows shell processes initiated by WinRAR, specifically looking for instances where WinRAR spawns processes like "cmd.exe", "powershell.exe", "certutil.exe", "mshta.exe", or "bitsadmin.exe". This behavior is worth identifying for a Security Operations Center (SOC) because it is indicative of a spoofing attack exploit, such as the one associated with WinRAR CVE-2023-38831. Cybercriminals exploited this vulnerability to craft ZIP archives with spoofed extensions, hiding the launch of malicious scripts within an archive. When a victim opened the specially crafted archive, it executed the malware, leading to unauthorized access to their broker accounts and enabling the cybercriminals to perform illicit financial transactions and withdraw funds. If a true positive is found, it suggests that an attacker has successfully exploited the vulnerability to execute malicious scripts, leading to unauthorized access, financial loss, and potentially the delivery of additional malicious payloads. The impact of the attack could be severe, involving financial loss, unauthorized access to sensitive accounts, and the potential for further malicious activity such as data theft or ransomware attacks. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]} -known_false_positives = Be aware of potential false positives - legitimate uses of WinRAR and the listed processes in your environment may cause benign activities to be flagged. Upon triage, review the destination, user, parent process, and process name involved in the flagged activity. Capture and inspect any relevant on-disk artifacts, and look for concurrent processes to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - WinRM Spawning a Process - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies suspicious processes spawning from WinRM (wsmprovhost.exe). This analytic is related to potential exploitation of CVE-2021-31166. which is a kernel-mode device driver http.sys vulnerability. Current proof of concept code will blue-screen the operating system. However, http.sys used by many different Windows processes, including WinRM. In this case, identifying suspicious process create (child processes) from `wsmprovhost.exe` is what this analytic is identifying. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} -known_false_positives = Unknown. Add new processes or filter as needed. It is possible system management software may spawn processes from `wsmprovhost.exe`. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Winword Spawning Cmd - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following detection identifies Microsoft Word spawning `cmd.exe`. Typically, this is not common behavior and not default with winword.exe. Winword.exe will generally be found in the following path `C:\Program Files\Microsoft Office\root\Office16` (version will vary). Cmd.exe spawning from winword.exe is common for a spearphishing attachment and is actively used. Albeit, the command-line will indicate what is being executed. During triage, review parallel processes and identify any files that may have been written. It is possible that COM is utilized to trampoline the child process to `explorer.exe` or `wmiprvse.exe`. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} -known_false_positives = False positives should be limited, but if any are present, filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Winword Spawning PowerShell - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following detection identifies Microsoft Word spawning PowerShell. Typically, this is not common behavior and not default with winword.exe. Winword.exe will generally be found in the following path `C:\Program Files\Microsoft Office\root\Office16` (version will vary). PowerShell spawning from winword.exe is common for a spearphishing attachment and is actively used. Albeit, the command executed will most likely be encoded and captured via another detection. During triage, review parallel processes and identify any files that may have been written. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} -known_false_positives = False positives should be limited, but if any are present, filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Winword Spawning Windows Script Host - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following detection identifies Microsoft Winword.exe spawning Windows Script Host - `cscript.exe` or `wscript.exe`. Typically, this is not common behavior and not default with Winword.exe. Winword.exe will generally be found in the following path `C:\Program Files\Microsoft Office\root\Office16` (version will vary). `cscript.exe` or `wscript.exe` default location is `c:\windows\system32\` or c:windows\syswow64\`. `cscript.exe` or `wscript.exe` spawning from Winword.exe is common for a spearphishing attachment and is actively used. Albeit, the command-line executed will most likely be obfuscated and captured via another detection. During triage, review parallel processes and identify any files that may have been written. Review the reputation of the remote destination and block accordingly. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} -known_false_positives = There will be limited false positives and it will be different for every environment. Tune by child process or command-line as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - WMI Permanent Event Subscription - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the creation of permanent event subscriptions using Windows Management Instrumentation (WMI), which is used by attackers to achieve persistence in a compromised system. By creating a permanent event subscription, an attacker can run malicious scripts or binaries in response to specific system events that enables them to maintain access to the system undetected. The detection is made by using Sysmon EventID 5 data to detect instances where the consumers of these events are not the expected "NTEventLogEventConsumer." The detection is important because it identifies unusual or unexpected subscription creation, which suggests that an attacker is attempting to achieve persistence within the environment and might be executing malicious scripts or binaries in response to specific system events. The impact of such an attack can be severe, potentially leading to data theft, ransomware, or other damaging outcomes. False positives might occur since False positives might occur since WMI event subscriptions can be used for legitimate purposes by system administrators. You must have a thorough understanding of WMI activity within the context of the monitored environment to effectively differentiate between legitimate and malicious activity.Next steps include investigating the associated scripts or binaries and identifying the source of the attack. -how_to_implement = To successfully implement this search, you must be ingesting the Windows WMI activity logs. This can be done by adding a stanza to inputs.conf on the system generating logs with a title of [WinEventLog://Microsoft-Windows-WMI-Activity/Operational]. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]} -known_false_positives = Although unlikely, administrators may use event subscriptions for legitimate purposes. -providing_technologies = null - -[savedsearch://ESCU - WMI Permanent Event Subscription - Sysmon - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic looks for the creation of WMI permanent event subscriptions. The following analytic identifies the use of WMI Event Subscription to establish persistence or perform privilege escalation. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges. This analytic is restricted by commonly added process execution and a path. If the volume is low enough, remove the values and flag on any new subscriptions. \ -All event subscriptions have three components \ -1. Filter - WQL Query for the events we want. EventID = 19 \ -1. Consumer - An action to take upon triggering the filter. EventID = 20 \ -1. Binding - Registers a filter to a consumer. EventID = 21 \ -Monitor for the creation of new WMI EventFilter, EventConsumer, and FilterToConsumerBinding. It may be pertinent to review all 3 to identify the flow of execution. In addition, EventCode 4104 may assist with any other PowerShell script usage that registered the subscription. -how_to_implement = To successfully implement this search, you must be collecting Sysmon data using Sysmon version 6.1 or greater and have Sysmon configured to generate alerts for WMI activity (eventID= 19, 20, 21). In addition, you must have at least version 6.0.4 of the Sysmon TA installed to properly parse the fields. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1546.003", "T1546"], "nist": ["DE.CM"]} -known_false_positives = Although unlikely, administrators may use event subscriptions for legitimate purposes. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - WMI Recon Running Process Or Services - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies suspicious PowerShell script execution via EventCode 4104, where WMI is performing an event query looking for running processes or running services. This technique is commonly found in malware and APT events where the adversary will map all running security applications or services on the compromised machine. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts. -how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Reconnaissance"], "mitre_attack": ["T1592"], "nist": ["DE.AE"]} -known_false_positives = Network administrator may used this command for checking purposes -providing_technologies = ["Microsoft Windows"] - -[savedsearch://ESCU - WMI Temporary Event Subscription - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the creation of WMI temporary event subscriptions. WMI (Windows Management Instrumentation) is a management technology that allows administrators to perform various tasks on Windows-based systems. Temporary event subscriptions are created to monitor specific events or changes on a system that help to detect potential threats early and take proactive measures to protect the organization's systems and data. The detection is made by using the Splunk query `wmi` EventCode=5860 Temporary to search for events with EventCode 5860, which indicates the creation of a temporary WMI event subscription. To further refine the search results, the query uses regular expressions (rex) to extract the query used in the event subscription. Then, it filters known benign queries related to system processes such as 'wsmprovhost.exe' and 'AntiVirusProduct', 'FirewallProduct', 'AntiSpywareProduct', which helps to focus on potentially malicious or suspicious queries. The detection is important because it indicates malicious activity since attackers use WMI to run commands, gather information, or maintain persistence within a compromised system. False positives might occur since legitimate uses of WMI event subscriptions in the environment might trigger benign activities to be flagged. Therefore, an extensive triage is necessary to review the specific query and assess its intent. Additionally, capturing and inspecting relevant on-disk artifacts and analyzing concurrent processes can help to identify the source of the attack. Detecting the creation of these event subscriptions to identify potential threats early and take appropriate actions to mitigate the risks. -how_to_implement = To successfully implement this search, you must be ingesting the Windows WMI activity logs. This can be done by adding a stanza to inputs.conf on the system generating logs with a title of [WinEventLog://Microsoft-Windows-WMI-Activity/Operational]. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]} -known_false_positives = Some software may create WMI temporary event subscriptions for various purposes. The included search contains an exception for two of these that occur by default on Windows 10 systems. You may need to modify the search to create exceptions for other legitimate events. -providing_technologies = null - -[savedsearch://ESCU - Wmic Group Discovery - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following hunting analytic identifies the use of `wmic.exe` enumerating local groups on the endpoint. \ -Typically, by itself, is not malicious but may raise suspicion based on time of day, endpoint and username. \ -During triage, review parallel processes and identify any further suspicious behavior. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.001"], "nist": ["DE.AE"]} -known_false_positives = Administrators or power users may use this command for troubleshooting. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Wmic NonInteractive App Uninstallation - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic indentifies WMIC command-line attempting to uninstall application non-interactively. This technique was seen in IcedID to uninstall AV products on the compromised host to evade detection. This Hunting query maybe a good indicator that some process tries to uninstall application using wmic which is not a common behavior. This approach may seen in some script or third part appication to uninstall their application but it is a good thing to check what it uninstall and why. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]} -known_false_positives = Third party application may use this approach to uninstall applications. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - WMIC XSL Execution via URL - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies `wmic.exe` loading a remote XSL (eXtensible Stylesheet Language) script. This originally was identified by Casey Smith, dubbed Squiblytwo, as an application control bypass. Many adversaries will utilize this technique to invoke JScript or VBScript within an XSL file. This technique can also execute local/remote scripts and, similar to its Regsvr32 "Squiblydoo" counterpart, leverages a trusted, built-in Windows tool. Adversaries may abuse any alias in Windows Management Instrumentation provided they utilize the /FORMAT switch. Upon identifying a suspicious execution, review for confirmed network connnection and script download. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1220"], "nist": ["DE.CM"]} -known_false_positives = False positives are limited as legitimate applications typically do not download files or xsl using WMIC. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Wmiprsve LOLBAS Execution Process Spawn - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies `wmiprsve.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing Windows Management Instrumentation (WMI), the executed command is spawned as a child process of `wmiprvse.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of wmiprvse.exe that are part of the LOLBAS project can help defenders identify lateral movement activity. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]} -known_false_positives = Legitimate applications may trigger this behavior, filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Wscript Or Cscript Suspicious Child Process - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This analytic identifies a suspicious spawned process by WScript or CScript process. This technique was a common technique used by adversaries and malware to execute different LOLBIN, other scripts like PowerShell or spawn a suspended process to inject its code as a defense evasion. This TTP may detect some normal script that using several application tool that are in the list of the child process it detects but a good pivot and indicator that a script is may execute suspicious code. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1055", "T1543", "T1134.004", "T1134"], "nist": ["DE.CM"]} -known_false_positives = Administrators may create vbs or js script that use several tool as part of its execution. Filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Wsmprovhost LOLBAS Execution Process Spawn - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies `Wsmprovhost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Windows Remote Management (WinRm) protocol, the executed command is spawned as a child processs of `Wsmprovhost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of Wsmprovhost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.006"], "nist": ["DE.CM"]} -known_false_positives = Legitimate applications may trigger this behavior, filter as needed. -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - WSReset UAC Bypass - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search is to detect a suspicious modification of registry related to UAC bypass. This technique is to modify the registry in this detection, create a registry value with the path of the payload and run WSreset.exe to bypass User account Control. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - XMRIG Driver Loaded - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the installation of the XMRIG coinminer driver on a system. It identifies the loading of the `WinRing0x64.sys` driver, commonly associated with XMRIG, by analyzing Sysmon EventCode 6 logs for specific signatures and image loads. This activity is significant because XMRIG is an open-source CPU miner frequently exploited by adversaries to mine cryptocurrency illicitly. If confirmed malicious, this activity could lead to unauthorized resource consumption, degraded system performance, and potential financial loss due to unauthorized cryptocurrency mining. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the driver loaded and Signature from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1543.003", "T1543"], "nist": ["DE.CM"]} -known_false_positives = False positives should be limited. -providing_technologies = ["Microsoft Sysmon"] - -[savedsearch://ESCU - XSL Script Execution With WMIC - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search is to detect a suspicious wmic.exe process or renamed wmic process to execute malicious xsl file. This technique was seen in FIN7 to execute its malicous jscript using the .xsl as the loader with the help of wmic.exe process. This TTP is really a good indicator for you to hunt further for FIN7 or other attacker that known to used this technique. -how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1220"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] - -[savedsearch://ESCU - Detect ARP Poisoning - Rule] -type = detection -asset_type = Infrastructure -confidence = medium -explanation = The following analytic detects ARP Poisoning attacks by monitoring for Dynamic ARP Inspection (DAI) errors on Cisco network devices. It leverages logs from Cisco devices, specifically looking for events where the ARP inspection feature has disabled an interface due to suspicious activity. This activity is significant because ARP Poisoning can allow attackers to intercept, modify, or disrupt network traffic, leading to potential data breaches or denial of service. If confirmed malicious, this could enable attackers to perform man-in-the-middle attacks, compromising the integrity and confidentiality of network communications. -how_to_implement = This search uses a standard SPL query on logs from Cisco Network devices. The network devices must be configured with DHCP Snooping (see https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_01101.html) and Dynamic ARP Inspection (see https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-2_2_e/security/configuration_guide/b_sec_1522e_2960x_cg/b_sec_1522e_2960x_cg_chapter_01111.html) and log with a severity level of minimum "5 - notification". The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives", "Delivery", "Exploitation"], "mitre_attack": ["T1200", "T1498", "T1557", "T1557.002"], "nist": ["DE.CM"]} -known_false_positives = This search might be prone to high false positives if DHCP Snooping or ARP inspection has been incorrectly configured, or if a device normally sends many ARP packets (unlikely). -providing_technologies = null - -[savedsearch://ESCU - Detect DGA domains using pretrained model in DSDL - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic uses a pre trained deep learning model to detect Domain Generation Algorithm (DGA) generated domains. The model is trained independently and is then made available for download. One of the prominent indicators of a domain being DGA generated is if the domain name consists of unusual character sequences or concatenated dictionary words. Adversaries often use clever techniques to obfuscate machine generated domain names as human generated. Predicting DGA generated domain names requires analysis and building a model based on carefully chosen features. The deep learning model we have developed uses the domain name to analyze patterns of character sequences along with carefully chosen custom features to predict if a domain is DGA generated. The model takes a domain name consisting of second-level and top-level domain names as input and outputs a dga_score. Higher the dga_score, the more likely the input domain is a DGA domain. The threshold for flagging a domain as DGA is set at 0.5. -how_to_implement = Steps to deploy DGA detection model into Splunk App DSDL.\ This detection depends on the Splunk app for Data Science and Deep Learning which can be found here - https://splunkbase.splunk.com/app/4607/ and the Network Resolution datamodel which can be found here - https://splunkbase.splunk.com/app/1621/. The detection uses a pre-trained deep learning model that needs to be deployed in DSDL app. Follow the steps for deployment here - https://github.com/splunk/security_content/wiki/How-to-deploy-pre-trained-Deep-Learning-models-for-ESCU. * Download the artifacts .tar.gz file from the link `https://seal.splunkresearch.com/pretrained_dga_model_dsdl.tar.gz` \ -* Download the pretrained_dga_model_dsdl.ipynb Jupyter notebook from `https://github.com/splunk/security_content/notebooks` \ -* Login to the Jupyter Lab for pretrained_dga_model_dsdl container. This container should be listed on Containers page for DSDL app. \ -* Below steps need to be followed inside Jupyter lab \ -* Upload the pretrained_dga_model_dsdl.tar.gz file into `app/model/data` path using the upload option in the jupyter notebook. \ -* Untar the artifact `pretrained_dga_model_dsdl.tar.gz` using `tar -xf app/model/data/pretrained_dga_model_dsdl.tar.gz -C app/model/data` \ -* Upload `pretrained_dga_model_dsdl.pynb` into Jupyter lab notebooks folder using the upload option in Jupyter lab \ -* Save the notebook using the save option in jupyter notebook. \ -* Upload `pretrained_dga_model_dsdl.json` into `notebooks/data` folder. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1568.002"], "nist": ["DE.AE"]} -known_false_positives = False positives may be present if domain name is similar to dga generated domains. -providing_technologies = null - -[savedsearch://ESCU - Detect DNS Data Exfiltration using pretrained model in DSDL - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic uses a pre trained deep learning model to detect DNS data exfiltration. The model is trained on the data we collected and is inferred on live data. This detection detects low throughput DNS Tunneling (data exfiltration) using features computed from past events between the same src and domain. The search uses macros from URL ToolBox app to generate features used by the model. The model is a deep learning model that accepts DNS request as input along with a few custom features to generate a pred_is_exfiltration_proba score. The higher the pred_is_exfiltration_proba, the more likely the DNS request is data exfiltration. The threshold for flagging a request as DNS exfiltration is set at 0.5. -how_to_implement = Steps to deploy detect DNS data exfiltration model into Splunk App DSDL. This detection depends on the Splunk app for Data Science and Deep Learning which can be found here - https://splunkbase.splunk.com/app/4607/ and the Network Resolution datamodel which can be found here - https://splunkbase.splunk.com/app/1621/. The detection uses a pre-trained deep learning model that needs to be deployed in DSDL app. Follow the steps for deployment here - `https://github.com/splunk/security_content/wiki/How-to-deploy-pre-trained-Deep-Learning-models-for-ESCU`. \ -* Download the `artifacts .tar.gz` file from the link - https://seal.splunkresearch.com/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.tar.gz Download the `detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.ipynb` Jupyter notebook from https://github.com/splunk/security_content/notebooks \ -* Login to the Jupyter Lab assigned for detect_dns_data_exfiltration_using_pretrained_model_in_dsdl container. This container should be listed on Containers page for DSDL app. \ -* Below steps need to be followed inside Jupyter lab \ -* Upload the detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.tar.gz file into `app/model/data` path using the upload option in the jupyter notebook. \ -* Untar the artifact detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.tar.gz using `tar -xf app/model/data/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.tar.gz -C app/model/data` \ -* Upload detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.pynb into Jupyter lab notebooks folder using the upload option in Jupyter lab \ -* Save the notebook using the save option in jupyter notebook. \ -* Upload `detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.json` into `notebooks/data` folder. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048.003"], "nist": ["DE.AE"]} -known_false_positives = False positives may be present if DNS data exfiltration request look very similar to benign DNS requests. -providing_technologies = null - -[savedsearch://ESCU - Detect hosts connecting to dynamic domain providers - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = Malicious actors often abuse legitimate Dynamic DNS services to host malicious payloads or interactive Command And Control nodes. Attackers will automate domain resolution changes by routing dynamic domains to countless IP addresses to circumvent firewall blocks, block lists as well as frustrate a network defenders analytic and investigative processes. This search will look for DNS queries made from within your infrastructure to suspicious dynamic domains. -how_to_implement = First, you'll need to ingest data from your DNS operations. This can be done by ingesting logs from your server or data, collected passively by Splunk Stream or a similar solution. Specifically, data that contains the domain that is being queried and the IP of the host originating the request must be populating the `Network_Resolution` data model. This search also leverages a lookup file, `dynamic_dns_providers_default.csv`, which contains a non-exhaustive list of Dynamic DNS providers. Please consider updating the local lookup periodically by adding new domains to the list of `dynamic_dns_providers_local.csv`. \ -This search produces fields (query, answer, isDynDNS) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable event. To see the additional metadata, add the following fields, if not already present, to Incident Review. Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry): \ -* **Label:** DNS Query, **Field:** query \ -* **Label:** DNS Answer, **Field:** answer \ -* **Label:** IsDynamicDNS, **Field:** isDynDNS \ -Detailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details` -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.CM"]} -known_false_positives = Some users and applications may leverage Dynamic DNS to reach out to some domains on the Internet since dynamic DNS by itself is not malicious, however this activity must be verified. -providing_technologies = null - -[savedsearch://ESCU - Detect IPv6 Network Infrastructure Threats - Rule] -type = detection -asset_type = Infrastructure -confidence = medium -explanation = The following analytic detects IPv6 network infrastructure threats by identifying suspicious activities such as IP and MAC address theft or packet drops. It leverages logs from Cisco network devices configured with First Hop Security measures like RA Guard and DHCP Guard. This activity is significant as it can indicate attempts to compromise network integrity and security. If confirmed malicious, attackers could manipulate network traffic, leading to potential data interception, unauthorized access, or network disruption. -how_to_implement = This search uses a standard SPL query on logs from Cisco Network devices. The network devices must be configured with one or more First Hop Security measures such as RA Guard, DHCP Guard and/or device tracking. See References for more information. The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives", "Delivery", "Exploitation"], "mitre_attack": ["T1200", "T1498", "T1557", "T1557.002"], "nist": ["DE.CM"]} -known_false_positives = None currently known -providing_technologies = null - -[savedsearch://ESCU - Detect Large Outbound ICMP Packets - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search looks for outbound ICMP packets with a packet size larger than 1,000 bytes. Various threat actors have been known to use ICMP as a command and control channel for their attack infrastructure. Large ICMP packets from an endpoint to a remote host may be indicative of this activity. -how_to_implement = In order to run this search effectively, we highly recommend that you leverage the Assets and Identity framework. It is important that you have a good understanding of how your network segments are designed and that you are able to distinguish internal from external address space. Add a category named `internal` to the CIDRs that host the company's assets in the `assets_by_cidr.csv` lookup file, which is located in `$SPLUNK_HOME/etc/apps/SA-IdentityManagement/lookups/`. More information on updating this lookup can be found here: https://docs.splunk.com/Documentation/ES/5.0.0/Admin/Addassetandidentitydata. This search also requires you to be ingesting your network traffic and populating the Network_Traffic data model -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1095"], "nist": ["DE.CM"]} -known_false_positives = ICMP packets are used in a variety of ways to help troubleshoot networking issues and ensure the proper flow of traffic. As such, it is possible that a large ICMP packet could be perfectly legitimate. If large ICMP packets are associated with Command And Control traffic, there will typically be a large number of these packets observed over time. If the search is providing a large number of false positives, you can modify the macro `detect_large_outbound_icmp_packets_filter` to adjust the byte threshold or add specific IP addresses to an allow list. -providing_technologies = null - -[savedsearch://ESCU - Detect Outbound LDAP Traffic - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space. -how_to_implement = In order to properly run this search, Splunk needs to ingest data from Next Generation Firewalls like Palo Alto Networks Firewalls or other network control devices that mediate the traffic allowed into an environment. The search requires the Network_Traffic data model to be populated. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1059"], "nist": ["DE.AE"]} -known_false_positives = Unknown at this moment. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. Please check those servers to verify if the activity is legitimate. -providing_technologies = null - -[savedsearch://ESCU - Detect Outbound SMB Traffic - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects outbound SMB (Server Message Block) connections from internal hosts to external servers, a method commonly exploited for Windows file-sharing activities. It identifies this behavior by monitoring network traffic for SMB requests directed towards the Internet, which are not typical for standard operations. This detection is crucial for a Security Operations Center (SOC) as it can indicate an attackers attempt to retrieve credential hashes through compromised servers, a key step in lateral movement and privilege escalation. The impact of such an attack includes unauthorized access to sensitive data and potential full system compromise. -how_to_implement = This search also requires you to be ingesting your network traffic and populating the Network_Traffic data model -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1071.002", "T1071"], "nist": ["DE.CM"]} -known_false_positives = It is likely that the outbound Server Message Block (SMB) traffic is legitimate, if the company's internal networks are not well-defined in the Assets and Identity Framework. Categorize the internal CIDR blocks as `internal` in the lookup file to avoid creating notable events for traffic destined to those CIDR blocks. Any other network connection that is going out to the Internet should be investigated and blocked. Best practices suggest preventing external communications of all SMB versions and related protocols at the network boundary. -providing_technologies = null - -[savedsearch://ESCU - Detect Port Security Violation - Rule] -type = detection -asset_type = Infrastructure -confidence = medium -explanation = By enabling Port Security on a Cisco switch you can restrict input to an interface by limiting and identifying MAC addresses of the workstations that are allowed to access the port. When you assign secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined addresses. If you limit the number of secure MAC addresses to one and assign a single secure MAC address, the workstation attached to that port is assured the full bandwidth of the port. If a port is configured as a secure port and the maximum number of secure MAC addresses is reached, when the MAC address of a workstation attempting to access the port is different from any of the identified secure MAC addresses, a security violation occurs. -how_to_implement = This search uses a standard SPL query on logs from Cisco Network devices. The network devices must be configured with Port Security and Error Disable for this to work (see https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/port_sec.html) and log with a severity level of minimum "5 - notification". The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives", "Delivery", "Exploitation"], "mitre_attack": ["T1200", "T1498", "T1557", "T1557.002"], "nist": ["DE.CM"]} -known_false_positives = This search might be prone to high false positives if you have malfunctioning devices connected to your ethernet ports or if end users periodically connect physical devices to the network. -providing_technologies = null - -[savedsearch://ESCU - Detect Remote Access Software Usage DNS - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects when a known remote access software domains are contacted from within the environment. Adversaries use these utilities to retain remote access capabilities to the environment. Utilities in the lookup include AnyDesk, GoToMyPC, LogMeIn, TeamViewer and much more. Review the lookup for the entire list and add any others. -how_to_implement = To implement this search, you must ingest logs that contain the DNS query and the source of the query. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the DNS logs. The logs must also be mapped to the `Network_Resolution` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1219"], "nist": ["DE.AE"]} -known_false_positives = It is possible that legitimate remote access software is used within the environment. Ensure that the lookup is reviewed and updated with any additional remote access software that is used within the environment. -providing_technologies = null - -[savedsearch://ESCU - Detect Remote Access Software Usage Traffic - Rule] -type = detection -asset_type = Network -confidence = medium -explanation = The following analytic detects when a known remote access software application traffic is detected from within the environment. Adversaries use these utilities to retain remote access capabilities to the environment. Utilities in the lookup include AnyDesk, GoToMyPC, LogMeIn, TeamViewer and much more. Review the lookup for the entire list and add any others. -how_to_implement = The following analytic was developed with Palo Alto traffic logs. Ensure that the logs are being ingested into Splunk and mapped to the Network_Traffic data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1219"], "nist": ["DE.AE"]} -known_false_positives = It is possible that legitimate remote access software is used within the environment. Ensure that the lookup is reviewed and updated with any additional remote access software that is used within the environment. -providing_technologies = null - -[savedsearch://ESCU - Detect Rogue DHCP Server - Rule] -type = detection -asset_type = Infrastructure -confidence = medium -explanation = By enabling DHCP Snooping as a Layer 2 Security measure on the organization's network devices, we will be able to detect unauthorized DHCP servers handing out DHCP leases to devices on the network (Man in the Middle attack). -how_to_implement = This search uses a standard SPL query on logs from Cisco Network devices. The network devices must be configured with DHCP Snooping enabled (see https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_01101.html) and log with a severity level of minimum "5 - notification". The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives", "Delivery", "Exploitation"], "mitre_attack": ["T1200", "T1498", "T1557"], "nist": ["DE.CM"]} -known_false_positives = This search might be prone to high false positives if DHCP Snooping has been incorrectly configured or in the unlikely event that the DHCP server has been moved to another network interface. -providing_technologies = null - -[savedsearch://ESCU - Detect SNICat SNI Exfiltration - Rule] -type = detection -asset_type = Network -confidence = medium -explanation = The following analytic identifies the use of SNICat tool commands within the TLS SNI field, indicating potential data exfiltration attempts. It leverages Zeek SSL data to detect specific SNICat commands such as LIST, LS, SIZE, LD, CB, EX, ALIVE, EXIT, WHERE, and finito in the server_name field. This activity is significant as SNICat is a known tool for covert data exfiltration using TLS. If confirmed malicious, this could allow attackers to exfiltrate sensitive data undetected, posing a severe threat to data confidentiality and integrity. -how_to_implement = You must be ingesting Zeek SSL data into Splunk. Zeek data should also be getting ingested in JSON format. We are detecting when any of the predefined SNICat commands are found within the server_name (SNI) field. These commands are LIST, LS, SIZE, LD, CB, EX, ALIVE, EXIT, WHERE, and finito. You can go further once this has been detected, and run other searches to decode the SNI data to prove or disprove if any data exfiltration has taken place. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1041"], "nist": ["DE.CM"]} -known_false_positives = Unknown -providing_technologies = ["Zeek"] - -[savedsearch://ESCU - Detect Software Download To Network Device - Rule] -type = detection -asset_type = Infrastructure -confidence = medium -explanation = Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images. -how_to_implement = This search looks for Network Traffic events to TFTP, FTP or SSH/SCP ports from network devices. Make sure to tag any network devices as network, router or switch in order for this detection to work. If the TFTP traffic doesn't traverse a firewall nor packet inspection, these events will not be logged. This is typically an issue if the TFTP server is on the same subnet as the network device. There is also a chance of the network device loading software using a DHCP assigned IP address (netboot) which is not in the Asset inventory. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1542.005", "T1542"], "nist": ["DE.CM"]} -known_false_positives = This search will also report any legitimate attempts of software downloads to network devices as well as outbound SSH sessions from network devices. -providing_technologies = null - -[savedsearch://ESCU - Detect suspicious DNS TXT records using pretrained model in DSDL - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic uses a pre trained deep learning model to detect suspicious DNS TXT records. The model is trained independently and is then made available for download. The DNS TXT records are categorized into commonly identified types like email, verification, http using regular expressions https://www.tide-project.nl/blog/wtmc2020/. The TXT records that do not match regular expressions for well known types are labeled as 1 for "unknown/suspicious" and otherwise 0 for "not suspicious". The deep learning model we have developed uses DNS TXT responses to analyze patterns of character sequences to predict if a DNS TXT is suspicious or not. The higher the pred_is_unknown_proba, the more likely the DNS TXT record is suspicious. The threshold for flagging a domain as suspicious is set at 0.5. -how_to_implement = Steps to deploy detect suspicious DNS TXT records model into Splunk App DSDL. This detection depends on the Splunk app for Data Science and Deep Learning which can be found here - `https://splunkbase.splunk.com/app/4607/` and the Network Resolution datamodel which can be found here - `https://splunkbase.splunk.com/app/1621/`. The detection uses a pre-trained deep learning model that needs to be deployed in DSDL app. Follow the steps for deployment here - `https://github.com/splunk/security_content/wiki/How-to-deploy-pre-trained-Deep-Learning-models-for-ESCU`. \ -* Download the `artifacts .tar.gz` file from the link - `https://seal.splunkresearch.com/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.tar.gz`. \ -* Download the `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.ipynb` Jupyter notebook from `https://github.com/splunk/security_content/notebooks`. \ -* Login to the Jupyter Lab assigned for `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl` container. This container should be listed on Containers page for DSDL app. \ -* Below steps need to be followed inside Jupyter lab. \ -* Upload the `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.tar.gz` file into `app/model/data` path using the upload option in the jupyter notebook. \ -* Untar the artifact `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.tar.gz` using `tar -xf app/model/data/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.tar.gz -C app/model/data`. \ -* Upload detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.ipynb` into Jupyter lab notebooks folder using the upload option in Jupyter lab. \ -* Save the notebook using the save option in Jupyter notebook. \ -* Upload `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.json` into `notebooks/data` folder. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1568.002"], "nist": ["DE.AE"]} -known_false_positives = False positives may be present if DNS TXT record contents are similar to benign DNS TXT record contents. -providing_technologies = null - -[savedsearch://ESCU - Detect Traffic Mirroring - Rule] -type = detection -asset_type = Infrastructure -confidence = medium -explanation = Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised network infrastructure. Traffic mirroring is a native feature for some network devices and used for network analysis and may be configured to duplicate traffic and forward to one or more destinations for analysis by a network analyzer or other monitoring device. -how_to_implement = This search uses a standard SPL query on logs from Cisco Network devices. The network devices must log with a severity level of minimum "5 - notification". The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices and that the devices have been configured according to the documentation of the Cisco Networks Add-on. Also note that an attacker may disable logging from the device prior to enabling traffic mirroring. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives", "Delivery"], "mitre_attack": ["T1200", "T1020", "T1498", "T1020.001"], "nist": ["DE.CM"]} -known_false_positives = This search will return false positives for any legitimate traffic captures by network administrators. -providing_technologies = null - -[savedsearch://ESCU - Detect Unauthorized Assets by MAC address - Rule] -type = detection -asset_type = Infrastructure -confidence = medium -explanation = By populating the organization's assets within the assets_by_str.csv, we will be able to detect unauthorized devices that are trying to connect with the organization's network by inspecting DHCP request packets, which are issued by devices when they attempt to obtain an IP address from the DHCP server. The MAC address associated with the source of the DHCP request is checked against the list of known devices, and reports on those that are not found. -how_to_implement = This search uses the Network_Sessions data model shipped with Enterprise Security. It leverages the Assets and Identity framework to populate the assets_by_str.csv file located in SA-IdentityManagement, which will contain a list of known authorized organizational assets including their MAC addresses. Ensure that all inventoried systems have their MAC address populated. -annotations = {"cis20": ["CIS 13"], "nist": ["DE.CM"]} -known_false_positives = This search might be prone to high false positives. Please consider this when conducting analysis or investigations. Authorized devices may be detected as unauthorized. If this is the case, verify the MAC address of the system responsible for the false positive and add it to the Assets and Identity framework with the proper information. -providing_technologies = null - -[savedsearch://ESCU - Detect Windows DNS SIGRed via Splunk Stream - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = Ensure that the following prerequisites are met: (i) Both Splunk Stream DNS and TCP data are ingested. (ii) The macros 'stream:dns' and 'stream:tcp' are replaced with the appropriate configurations that are specific to your Splunk environment. The following analytic detects SIGRed exploitation attempts. SIGRed is a critical wormable vulnerability found in Windows DNS servers, known as CVE-2020-1350, which allows remote code execution. The detection is made by using an experimental search that focuses on identifying specific indicators that might suggest the presence of the SIGRed exploit such as DNS SIG records, KEY records, and TCP payloads greater than 65KB. This detection is important because it detects and responds to potential SIGRed exploitation attempts and minimizes the risk of a successful attack and its impact on the organization's infrastructure and data. False positives might occur due to the experimental nature of this analytic. Next steps include reviewing and investigating each case thoroughly given the potential for unauthorized Windows DNS server access, data breaches, and service disruptions. Additionally, you must stay updated with Microsoft's guidance on the SIGRed vulnerability. -how_to_implement = You must be ingesting Splunk Stream DNS and Splunk Stream TCP. We are detecting SIG and KEY records via stream:dns and TCP payload over 65KB in size via stream:tcp. Replace the macro definitions ('stream:dns' and 'stream:tcp') with configurations for your Splunk environment. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1203"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = null - -[savedsearch://ESCU - Detect Windows DNS SIGRed via Zeek - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects the presence of SIGRed, a critical DNS vulnerability, using Zeek DNS and Zeek Conn data. SIGRed vulnerability allows attackers to run remote code on Windows DNS servers. By detecting SIGRed early, you can prevent further damage and protect the organization's network infrastructure. The detection is made by identifying specific DNS query types (SIG and KEY) in the Zeek DNS data and checks for high data transfer in the Zeek Conn data. If multiple instances of these indicators are found within a flow, it suggests the presence of SIGRed. The detection is important because it indicates a potential compromise of Windows DNS servers that suggests that an attacker might have gained unauthorized access to the DNS server and can run arbitrary code. The impact of this attack can be severe, leading to data exfiltration, unauthorized access, or disruption of critical services. Next steps include investigating the affected flow and taking immediate action to mitigate the vulnerability. This can involve patching the affected DNS server, isolating the server from the network, or conducting a forensic analysis to determine the extent of the compromise. -how_to_implement = You must be ingesting Zeek DNS and Zeek Conn data into Splunk. Zeek data should also be getting ingested in JSON format. We are detecting SIG and KEY records via bro:dns:json and TCP payload over 65KB in size via bro:conn:json. The Network Resolution and Network Traffic datamodels are in use for this search. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1203"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = null - -[savedsearch://ESCU - Detect Zerologon via Zeek - Rule] -type = detection -asset_type = Network -confidence = medium -explanation = The following analytic detects attempts to exploit the Zerologon CVE-2020-1472 vulnerability through Zeek RPC. By detecting attempts to exploit the Zerologon vulnerability through Zeek RPC, SOC analysts can identify potential threats earlier and take appropriate action to mitigate the risks. This detection is made by a Splunk query that looks for specific Zeek RPC operations, including NetrServerPasswordSet2, NetrServerReqChallenge, and NetrServerAuthenticate3, which are aggregated by source and destination IP address and time. This detection is important because it suggests that an attacker is attempting to exploit the Zerologon vulnerability to gain unauthorized access to the domain controller. Zerologon vulnerability is a critical vulnerability that allows attackers to take over domain controllers without authentication, leading to a complete takeover of an organization's IT infrastructure. The impact of such an attack can be severe, potentially leading to data theft, ransomware, or other devastating outcomes. False positives might occur since legitimate Zeek RPC activity can trigger the analytic. Next steps include reviewing the identified source and destination IP addresses and the specific RPC operations used. Capture and inspect any relevant on-disk artifacts, and review concurrent processes to identify the attack source upon triage . -how_to_implement = You must be ingesting Zeek DCE-RPC data into Splunk. Zeek data should also be getting ingested in JSON format. We are detecting when all three RPC operations (NetrServerReqChallenge, NetrServerAuthenticate3, NetrServerPasswordSet2) are splunk_security_essentials_app via bro:rpc:json. These three operations are then correlated on the Zeek UID field. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = ["Zeek"] - -[savedsearch://ESCU - DNS Query Length Outliers - MLTK - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies DNS requests with unusually large query lengths for the record type being requested. It leverages the Network_Resolution data model and applies a machine learning model to detect outliers in DNS query lengths. This activity is significant because unusually large DNS queries can indicate data exfiltration or command-and-control communication attempts. If confirmed malicious, this activity could allow attackers to exfiltrate sensitive data or maintain persistent communication channels with compromised systems. -how_to_implement = To successfully implement this search, you will need to ensure that DNS data is populating the Network_Resolution data model. In addition, the Machine Learning Toolkit (MLTK) version 4.2 or greater must be installed on your search heads, along with any required dependencies. Finally, the support search "Baseline of DNS Query Length - MLTK" must be executed before this detection search, because it builds a machine-learning (ML) model over the historical data used by this search. It is important that this search is run in the same app context as the associated support search, so that the model created by the support search is available for use. You should periodically re-run the support search to rebuild the model with the latest data available in your environment. \ -This search produces fields (`query`,`query_length`,`count`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry): \ - * **Label:** DNS Query, **Field:** query \ -* **Label:** DNS Query Length, **Field:** query_length \ -* **Label:** Number of events, **Field:** count \ -Detailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details` -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1071.004", "T1071"], "nist": ["DE.AE"]} -known_false_positives = If you are seeing more results than desired, you may consider reducing the value for threshold in the search. You should also periodically re-run the support search to re-build the ML model on the latest data. -providing_technologies = null - -[savedsearch://ESCU - DNS Query Length With High Standard Deviation - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search allows you to identify DNS requests and compute the standard deviation on the length of the names being resolved, then filter on two times the standard deviation to show you those queries that are unusually large for your environment. -how_to_implement = To successfully implement this search, you will need to ensure that DNS data is populating the Network_Resolution data model. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048.003", "T1048"], "nist": ["DE.AE"]} -known_false_positives = It's possible there can be long domain names that are legitimate. -providing_technologies = null - -[savedsearch://ESCU - Excessive DNS Failures - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies excessive DNS query failures by counting DNS responses that do not indicate success, triggering when there are more than 50 occurrences. It leverages the Network_Resolution data model, focusing on DNS reply codes that signify errors. This activity is significant because a high number of DNS failures can indicate potential network misconfigurations, DNS poisoning attempts, or malware communication issues. If confirmed malicious, this activity could lead to disrupted network services, hindered communication, or data exfiltration attempts by attackers. -how_to_implement = To successfully implement this search you must ensure that DNS data is populating the Network_Resolution data model. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1071.004", "T1071"], "nist": ["DE.AE"]} -known_false_positives = It is possible legitimate traffic can trigger this rule. Please investigate as appropriate. The threshold for generating an event can also be customized to better suit your environment. -providing_technologies = null - -[savedsearch://ESCU - F5 BIG-IP iControl REST Vulnerability CVE-2022-1388 - Rule] -type = detection -asset_type = Web Server -confidence = medium -explanation = The following analytic identifies a recent unauthenticated remote code execution vulnerablity against the F5 BIG-IP iControl REST API. The analytic identifies the URI path found in the POCs and the HTTP Method of POST. In addition, the request header will have the commands that may be executed in fields utilcmdargs and the auth field of X-F5-Auth-Token, which may have a random base64 encoded value. -how_to_implement = To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. For additional filtering, allow list private IP space or restrict by known good. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} -known_false_positives = False positives may be present if the activity is blocked or was not successful. Filter known vulnerablity scanners. Filter as needed. -providing_technologies = null - -[savedsearch://ESCU - High Volume of Bytes Out to Url - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects high volume of bytes out (greater than 1GB) to a URL within 2 mins of time window. This may be indicative of an attacker attempting to exfiltrate data. The search applies a fundamental threshold for detecting significant web uploads. This approach aims to identify potential data exfiltration activities by malware or malevolent insiders. View the alert for $dest$ to investigate further. -how_to_implement = To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel. Please adjust the threshold for the sum of bytes out as per your environment and user behavior. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1567"], "nist": ["DE.AE"]} -known_false_positives = This search may trigger false positives if there is a legitimate reason for a high volume of bytes out to a URL. We recommend to investigate these findings. Consider updating the filter macro to exclude the applications that are relevant to your environment. -providing_technologies = null - -[savedsearch://ESCU - Hosts receiving high volume of network traffic from email server - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies hosts receiving an unusually high volume of network traffic from an email server. It leverages the Network_Traffic data model to sum incoming bytes to clients from email servers, comparing current traffic against historical averages and standard deviations. This activity is significant as it may indicate data exfiltration by a malicious actor using the email server. If confirmed malicious, this could lead to unauthorized data access and potential data breaches, compromising sensitive information and impacting organizational security. -how_to_implement = This search requires you to be ingesting your network traffic and populating the Network_Traffic data model. Your email servers must be categorized as "email_server" for the search to work, as well. You may need to adjust the deviation_threshold and minimum_data_samples values based on the network traffic in your environment. The "deviation_threshold" field is a multiplying factor to control how much variation you're willing to tolerate. The "minimum_data_samples" field is the minimum number of connections of data samples required for the statistic to be valid. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114.002", "T1114"], "nist": ["DE.AE"]} -known_false_positives = The false-positive rate will vary based on how you set the deviation_threshold and data_samples values. Our recommendation is to adjust these values based on your network traffic to and from your email servers. -providing_technologies = null - -[savedsearch://ESCU - Large Volume of DNS ANY Queries - Rule] -type = detection -asset_type = DNS Servers -confidence = medium -explanation = The following analytic identifies a large volume of DNS ANY queries, which may indicate a DNS amplification attack. It leverages the Network_Resolution data model to count DNS queries of type "ANY" directed to specific destinations. This activity is significant because DNS amplification attacks can overwhelm network resources, leading to Denial of Service (DoS) conditions. If confirmed malicious, this activity could disrupt services, degrade network performance, and potentially be part of a larger Distributed Denial of Service (DDoS) attack, impacting the availability of critical infrastructure. -how_to_implement = To successfully implement this search you must ensure that DNS data is populating the Network_Resolution data model. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1498", "T1498.002"], "nist": ["DE.AE"]} -known_false_positives = Legitimate ANY requests may trigger this search, however it is unusual to see a large volume of them under typical circumstances. You may modify the threshold in the search to better suit your environment. -providing_technologies = null - -[savedsearch://ESCU - Multiple Archive Files Http Post Traffic - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search is designed to detect high frequency of archive files data exfiltration through HTTP POST method protocol. This are one of the common techniques used by APT or trojan spy after doing the data collection like screenshot, recording, sensitive data to the infected machines. The attacker may execute archiving command to the collected data, save it a temp folder with a hidden attribute then send it to its C2 through HTTP POST. Sometimes adversaries will rename the archive files or encode/encrypt to cover their tracks. This detection can detect a renamed archive files transfer to HTTP POST since it checks the request body header. Unfortunately this detection cannot support archive that was encrypted or encoded before doing the exfiltration. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the stream HTTP logs or network logs that catch network traffic. Make sure that the http-request-body, payload, or request field is enabled in stream http configuration. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048.003", "T1048"], "nist": ["DE.CM"]} -known_false_positives = Normal archive transfer via HTTP protocol may trip this detection. -providing_technologies = null - -[savedsearch://ESCU - Ngrok Reverse Proxy on Network - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies the 4 most common Ngrok used domains based on DNS queries under the Network Resolution datamodel. It's possible these domains may be ran against the Web datamodel or ran with a direct query across network/proxy traffic. The sign of someone using Ngrok is not malicious, however, more recenctly it has become an adversary tool. -how_to_implement = The Network Resolution Datamodel will need to have data mapped to it regarding DNS queries. Modify query as needed to use another source. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1572", "T1090", "T1102"], "nist": ["DE.AE"]} -known_false_positives = False positives will be present based on organizations that allow the use of Ngrok. Filter or monitor as needed. -providing_technologies = null - -[savedsearch://ESCU - Plain HTTP POST Exfiltrated Data - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search is to detect potential plain HTTP POST method data exfiltration. This network traffic is commonly used by trickbot, trojanspy, keylogger or APT adversary where arguments or commands are sent in plain text to the remote C2 server using HTTP POST method as part of data exfiltration. -how_to_implement = To successfully implement this search, you need to be ingesting logs with the stream HTTP logs or network logs that catch network traffic. Make sure that the http-request-body, payload, or request field is enabled. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048.003", "T1048"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = null - -[savedsearch://ESCU - Prohibited Network Traffic Allowed - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects instances where network traffic, specifically identified by port and transport layer protocol as prohibited in the "lookup_interesting_ports" table, is allowed according to the Network_Traffic data model. It operates by cross-referencing traffic data against predefined security policies to identify discrepancies indicative of potential misconfigurations or policy violations. This detection is crucial for a Security Operations Center (SOC) as it highlights potential security breaches or misconfigured network devices that could allow unauthorized access or data exfiltration, directly impacting the organization's security posture. -how_to_implement = In order to properly run this search, Splunk needs to ingest data from firewalls or other network control devices that mediate the traffic allowed into an environment. This is necessary so that the search can identify an 'action' taken on the traffic of interest. The search requires the Network_Traffic data model be populated. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048"], "nist": ["DE.CM"]} -known_false_positives = None identified -providing_technologies = null - -[savedsearch://ESCU - Protocol or Port Mismatch - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search looks for network traffic on common ports where a higher layer protocol does not match the port that is being used. For example, this search should identify cases where protocols other than HTTP are running on TCP port 80. This can be used by attackers to circumvent firewall restrictions, or as an attempt to hide malicious communications over ports and protocols that are typically allowed and not well inspected. -how_to_implement = Running this search properly requires a technology that can inspect network traffic and identify common protocols. Technologies such as Bro and Palo Alto Networks firewalls are two examples that will identify protocols via inspection, and not just assume a specific protocol based on the transport protocol and ports. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048.003", "T1048"], "nist": ["DE.AE"]} -known_false_positives = None identified -providing_technologies = null - -[savedsearch://ESCU - Protocols passing authentication in cleartext - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies cleartext protocols at risk of leaking sensitive information. Currently, this consists of legacy protocols such as telnet (port 23), POP3 (port 110), IMAP (port 143), and non-anonymous FTP (port 21) sessions. While some of these protocols may be used over SSL, they typically are found on different assigned ports in those instances. -how_to_implement = This search requires you to be ingesting your network traffic, and populating the Network_Traffic data model. For more accurate result it's better to limit destination to organization private and public IP range, like All_Traffic.dest IN(192.168.0.0/16,172.16.0.0/12,10.0.0.0/8, x.x.x.x/22) -annotations = {"cis20": ["CIS 13"], "nist": ["DE.CM"]} -known_false_positives = Some networks may use kerberized FTP or telnet servers, however, this is rare. -providing_technologies = null - -[savedsearch://ESCU - Remote Desktop Network Bruteforce - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies potential Remote Desktop Protocol (RDP) brute force attacks by monitoring network traffic for RDP application activity. It detects anomalies by filtering source and destination pairs that generate traffic exceeding twice the standard deviation of the average traffic. This method leverages the Network_Traffic data model to identify unusual patterns indicative of brute force attempts. This activity is significant as it may indicate an attacker attempting to gain unauthorized access to systems via RDP. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or further network compromise. -how_to_implement = You must ensure that your network traffic data is populating the Network_Traffic data model. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.CM"]} -known_false_positives = RDP gateways may have unusually high amounts of traffic from all other hosts' RDP applications in the network. -providing_technologies = null - -[savedsearch://ESCU - Remote Desktop Network Traffic - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects unusual Remote Desktop Protocol (RDP) traffic on TCP/3389, the default RDP port. It identifies this activity by filtering out traffic from known RDP sources and destinations, focusing on atypical RDP connections within the network. This detection is crucial for a Security Operations Center (SOC) as unauthorized RDP access can indicate an attacker's attempt to gain control over networked systems, potentially leading to data theft, ransomware deployment, or further network compromise. The impact of such unauthorized access can be significant, ranging from data breaches to complete system and network control loss. -how_to_implement = To successfully implement this search you need to identify systems that commonly originate remote desktop traffic and that commonly receive remote desktop traffic. You can use the included support search "Identify Systems Creating Remote Desktop Traffic" to identify systems that originate the traffic and the search "Identify Systems Receiving Remote Desktop Traffic" to identify systems that receive a lot of remote desktop traffic. After identifying these systems, you will need to add the "common_rdp_source" or "common_rdp_destination" category to that system depending on the usage, using the Enterprise Security Assets and Identities framework. This can be done by adding an entry in the assets.csv file located in SA-IdentityManagement/lookups. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.AE"]} -known_false_positives = Remote Desktop may be used legitimately by users on the network. -providing_technologies = null - -[savedsearch://ESCU - SMB Traffic Spike - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic detects spikes in the number of Server Message Block (SMB) traffic connections. SMB is a network protocol used for sharing files, printers, and other resources between computers. This detection is made by a Splunk query that looks for SMB traffic connections on ports 139 and 445, as well as connections using the SMB application. The query calculates the average and standard deviation of the number of SMB connections over the past 70 minutes, and identifies any sources that exceed two standard deviations from the average. This helps to filter out false positives caused by normal fluctuations in SMB traffic. This detection is important because it identifies potential SMB-based attacks, such as ransomware or data theft, which often involve a large number of SMB connections. This suggests that an attacker is attempting to exfiltrate data or spread malware within the network. Next steps include investigating the source of the traffic and determining if it is malicious. This can involve reviewing network logs, capturing and analyzing any relevant network packets, and correlating with other security events to identify the attack source and mitigate the risk. -how_to_implement = This search requires you to be ingesting your network traffic logs and populating the `Network_Traffic` data model. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.002", "T1021"], "nist": ["DE.AE"]} -known_false_positives = A file server may experience high-demand loads that could cause this analytic to trigger. -providing_technologies = null - -[savedsearch://ESCU - SMB Traffic Spike - MLTK - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies spikes in the number of Server Message Block (SMB) connections using the Machine Learning Toolkit (MLTK). It leverages the Network_Traffic data model to monitor SMB traffic on ports 139 and 445, applying a machine learning model to detect anomalies. This activity is significant because sudden increases in SMB traffic can indicate lateral movement or data exfiltration attempts by attackers. If confirmed malicious, this behavior could lead to unauthorized access, data theft, or further compromise of the network. -how_to_implement = To successfully implement this search, you will need to ensure that DNS data is populating the Network_Traffic data model. In addition, the latest version of Machine Learning Toolkit (MLTK) must be installed on your search heads, along with any required dependencies. Finally, the support search "Baseline of SMB Traffic - MLTK" must be executed before this detection search, because it builds a machine-learning (ML) model over the historical data used by this search. It is important that this search is run in the same app context as the associated support search, so that the model created by the support search is available for use. You should periodically re-run the support search to rebuild the model with the latest data available in your environment. \ -This search produces a field (Number of events,count) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. This field contributes additional context to the notable. To see the additional metadata, add the following field, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry): \ -* **Label:** Number of events, **Field:** count \ -Detailed documentation on how to create a new field within Incident Review is found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details` -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.002", "T1021"], "nist": ["DE.AE"]} -known_false_positives = If you are seeing more results than desired, you may consider reducing the value of the threshold in the search. You should also periodically re-run the support search to re-build the ML model on the latest data. Please update the `smb_traffic_spike_mltk_filter` macro to filter out false positive results -providing_technologies = null - -[savedsearch://ESCU - Splunk Identified SSL TLS Certificates - Rule] -type = detection -asset_type = Proxy -confidence = medium -explanation = The following analytic uses tags of SSL, TLS and certificate to identify the usage of the Splunk default certificates being utilized in the environment. Recommended guidance is to utilize valid TLS certificates which documentation may be found in Splunk Docs - https://docs.splunk.com/Documentation/Splunk/8.2.6/Security/AboutsecuringyourSplunkconfigurationwithSSL. -how_to_implement = Ingestion of SSL/TLS data is needed and to be tagged properly as ssl, tls or certificate. This data may come from a proxy, zeek, or Splunk Streams. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as "curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json". A user should then create an empty container or case, attach the workbook, and begin working through the tasks. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1040"], "nist": ["DE.AE"]} -known_false_positives = False positives will not be present as it is meant to assist with identifying default certificates being utilized. -providing_technologies = null - -[savedsearch://ESCU - SSL Certificates with Punycode - Rule] -type = detection -asset_type = Network -confidence = medium -explanation = The following analytic utilizes the Certificates Datamodel to look for punycode domains, starting with xn--, found in the SSL issuer email domain. The presence of punycode here does not equate to evil, therefore we need to decode the punycode to determine what it translates to. Remove the CyberChef recipe as needed and decode manually. Note that this is not the exact location of the malicious punycode to trip CVE-2022-3602, but a method to at least identify fuzzing occurring on these email paths. What does evil look like? it will start with -how_to_implement = Ensure data is properly being ingested into the Certificates datamodel. If decoding the of interest, the CyberChef app is needed https://splunkbase.splunk.com/app/5348. If decoding is not needed, remove the cyberchef lines. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1573"], "nist": ["DE.AE"]} -known_false_positives = False positives may be present if the organization works with international businesses. Filter as needed. -providing_technologies = null - -[savedsearch://ESCU - TOR Traffic - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic looks for allowed network traffic to The Onion Router(TOR), a benign anonymity network which can be abused for a variety of nefarious purposes. Detecting Tor traffic is paramount for upholding network security and mitigating potential threats. Tor's capacity to provide users with anonymity has been exploited by cybercriminals for activities like hacking, data breaches, and illicit content dissemination. Additionally, organizations must monitor Tor usage within their networks to ensure compliance with policies and regulations, as it can bypass conventional monitoring and filtering measures. Lastly, the ability to identify Tor traffic empowers security teams to promptly investigate and address potential security incidents, fortifying the protection of sensitive data and preserving the integrity of the network environment. -how_to_implement = In order to properly run this search, Splunk needs to ingest data from Next Generation Firewalls like Palo Alto Networks Firewalls or other network control devices that mediate the traffic allowed into an environment. This is necessary so that the search can identify an 'action' taken on the traffic of interest. The search requires the Network_Traffic data model to be populated. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1090", "T1090.003"], "nist": ["DE.CM"]} -known_false_positives = None at this time -providing_technologies = null - -[savedsearch://ESCU - Unusually Long Content-Type Length - Rule] -type = detection -asset_type = Web Server -confidence = medium -explanation = The following analytic identifies unusually long strings in the Content-Type HTTP header sent by the client to the server. It uses data from the Stream:HTTP source, specifically evaluating the length of the `cs_content_type` field. This activity is significant because excessively long Content-Type headers can indicate attempts to exploit vulnerabilities or evade detection mechanisms. If confirmed malicious, this behavior could allow attackers to execute code, manipulate data, or bypass security controls, potentially leading to unauthorized access or data breaches. -how_to_implement = This particular search leverages data extracted from Stream:HTTP. You must configure the http stream using the Splunk Stream App on your Splunk Stream deployment server to extract the cs_content_type field. -annotations = {"cis20": ["CIS 13"], "nist": ["DE.AE"]} -known_false_positives = Very few legitimate Content-Type fields will have a length greater than 100 characters. -providing_technologies = null - -[savedsearch://ESCU - Windows AD Replication Service Traffic - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This search looks for evidence of Active Directory replication traffic [MS-DRSR] from unexpected sources. This traffic is often seen exclusively between Domain Controllers for AD database replication. Any detections from non-domain controller source to a domain controller may indicate the usage of DCSync or DCShadow credential dumping techniques. -how_to_implement = To successfully implement this search, you need to be ingesting application aware firewall or proxy logs into the Network Datamodel. Categorize all known domain controller Assets servers with an appropriate category for filtering. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003", "T1003.006", "T1207"], "nist": ["DE.CM"]} -known_false_positives = New domain controllers or certian scripts run by administrators. -providing_technologies = null - -[savedsearch://ESCU - Windows AD Rogue Domain Controller Network Activity - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = This detection is looking at zeek wiredata for specific replication RPC calls being performed from a device which is not a domain controller. If you would like to capture these RPC calls using Splunk Stream, please vote for my idea here https://ideas.splunk.com/ideas/APPSID-I-619 ;) -how_to_implement = Run zeek on domain controllers to capture the DCE RPC calls, ensure the domain controller categories are defined in Assets and Identities. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1207"], "nist": ["DE.CM"]} -known_false_positives = None. -providing_technologies = ["Zeek"] - -[savedsearch://ESCU - Zeek x509 Certificate with Punycode - Rule] -type = detection -asset_type = Network -confidence = medium -explanation = The following analytic utilizes the Zeek x509 log. Modify the zeek_x509 macro with your index and sourcetype as needed. You will need to ensure the full x509 is logged as the potentially malicious punycode is nested under subject alternative names. In this particular analytic, it will identify punycode within the subject alternative name email and other fields. Note, that OtherFields is meant to be BOOL (true,false), therefore we may never see xn-- in that field. Upon identifying punycode, manually copy and paste, or add CyberChef recipe to query, and decode the punycode manually. -how_to_implement = The following analytic requires x509 certificate data to be logged entirely. In particular, for CVE-2022-3602, the punycode will be within the leaf certificate. The analytic may be modified to look for all xn--, or utilize a network IDS/monitoring tool like Zeek or Suricata to drill down into cert captured. Note for Suricata, the certificate is base64 encoded and will need to be decoded to capture the punycode (punycode will need to be decoded after). -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1573"], "nist": ["DE.AE"]} -known_false_positives = False positives may be present if the organization works with international businesses. Filter as needed. -providing_technologies = ["Zeek"] - -[savedsearch://ESCU - Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint - Rule] -type = detection -asset_type = VPN Appliance -confidence = medium -explanation = This analytic monitors access to the /api/v1/configuration/users/user-roles/user-role/rest-userrole1/web/web-bookmarks/bookmark endpoint, a key indicator for both CVE-2023-46805 and CVE-2024-21887 vulnerabilities. It detects potential vulnerabilities by looking for a 403 Forbidden response with an empty body on this endpoint. This detection method is used in both Nmap script and Project Discovery Nuclei, with the latter focusing on systems where XML mitigation for these vulnerabilities has not been applied. -how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} -known_false_positives = This analytic is limited to HTTP Status 403; adjust as necessary. False positives may occur if the URI path is IP-restricted or externally blocked. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment. -providing_technologies = null - -[savedsearch://ESCU - Adobe ColdFusion Access Control Bypass - Rule] -type = detection -asset_type = Network -confidence = medium -explanation = The following analytic detects potential exploitation attempts against Adobe ColdFusion vulnerabilities CVE-2023-29298 and CVE-2023-26360. These vulnerabilities pertain to an access control bypass and an arbitrary file read due to deserialization, respectively. By monitoring for requests to specific ColdFusion Administrator endpoints, especially those with an unexpected additional forward slash, the analytic identifies attempts to bypass access controls. Such behavior is crucial for a Security Operations Center (SOC) to identify, as exploitation can grant unauthorized access to ColdFusion administration endpoints, potentially leading to information leakage, brute force attacks, or further exploitation of other vulnerabilities. If a true positive is detected, it indicates a serious security breach where an attacker might have gained privileged access to the ColdFusion environment, potentially leading to data theft or other malicious activities. SOCs must be vigilant in monitoring for these patterns, ensuring timely detection and response to such threats, thus safeguarding the integrity and security of their ColdFusion deployments. -how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} -known_false_positives = This analytic is limited to HTTP Status 200; adjust as necessary. False positives may occur if the URI path is IP-restricted or externally blocked. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment. -providing_technologies = null - -[savedsearch://ESCU - Adobe ColdFusion Unauthenticated Arbitrary File Read - Rule] -type = detection -asset_type = Network -confidence = medium -explanation = The following analytic detects potential exploitation of the critical Adobe ColdFusion vulnerability, CVE-2023-26360. This flaw, rooted in the deserialization of untrusted data, enables Unauthenticated Arbitrary File Read. Exploitation often targets specific ColdFusion paths, especially related to CKEditor's file manager. \ -Our analytic pinpoints exploitation by monitoring web requests to the "/cf_scripts/scripts/ajax/ckeditor/*" path. This focus helps differentiate malicious activity from standard ColdFusion traffic. For SOCs, detecting such attempts is vital given the vulnerability's CVSS score of 9.8, signaling its severity. Successful exploitation can lead to unauthorized data access, further attacks, or severe operational disruptions. \ -If a true positive arises, it indicates an active breach attempt, potentially causing data theft, operational disruption, or reputational damage. In essence, this analytic provides a targeted approach to identify attempts exploiting a high-risk ColdFusion vulnerability. While false positives may occur from legitimate accesses, any alerts should be treated as high-priority, warranting immediate investigation to ensure security. -how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} -known_false_positives = In the wild, we have observed three different types of attempts that could potentially trigger false positives if the HTTP status code is not in the query. Please check this github gist for the specific URIs : https://gist.github.com/patel-bhavin/d10830f3f375a2397233f6a4fe38d5c9 . These could be legitimate requests depending on the context of your organization. Therefore, it is recommended to modify the analytic as needed to suit your specific environment. -providing_technologies = null - -[savedsearch://ESCU - Cisco IOS XE Implant Access - Rule] -type = detection -asset_type = Network -confidence = medium -explanation = The following analytic identifies potential exploitation of a previously unknown vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software (CVE-2023-20198). Successful exploitation allows an attacker to create an account on the affected device with privilege level 15 access, granting them full control of the compromised device. The detection is based on the observation of suspicious account creation and subsequent actions, including the deployment of an implant consisting of a configuration file. The implant is saved under the file path //usr//binos//conf//nginx-conf//cisco_service.conf and is not persistent, meaning a device reboot will remove it, but the newly created local user accounts remain active even after system reboots. The new user accounts have level 15 privileges, meaning they have full administrator access to the device. This privileged access to the devices and subsequent creation of new users is tracked as CVE-2023-20198. -how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} -known_false_positives = False positives may be present, restrict to Cisco IOS XE devices or perimeter appliances. Modify the analytic as needed based on hunting for successful exploitation of CVE-2023-20198. -providing_technologies = null - -[savedsearch://ESCU - Citrix ADC and Gateway Unauthorized Data Disclosure - Rule] -type = detection -asset_type = Web Server -confidence = medium -explanation = The following analytic detects attempts to exploit the Citrix Bleed vulnerability, which can lead to the leaking of session tokens. The vulnerability, identified as CVE-2023-4966, pertains to sensitive information disclosure in NetScaler ADC and NetScaler Gateway when set up as various server configurations. The analytic specifically searches for HTTP requests with a 200 status code targeting the /oauth/idp/.well-known/openid-configuration URL endpoint. By parsing web traffic and filtering based on the aforementioned criteria along with specific user agent details, HTTP method, source and destination IPs, and the sourcetype, the analytic aims to identify potentially malicious requests that fit the profile of this exploit. \ -This behavior is essential for a Security Operations Center (SOC) to identify because if successfully exploited, attackers can gain unauthorized access, leading to a potential breach or further malicious activities within the organization's network. As the Citrix Bleed vulnerability can disclose session tokens, a successful exploit can allow attackers to impersonate legitimate users, bypassing authentication mechanisms and accessing sensitive data or systems. \ -If a true positive is confirmed, it implies that an attacker is actively exploiting the vulnerability within the organization's environment. This could lead to severe consequences, including unauthorized data access, further propagation within the network, and potential disruptions or exfiltration of critical information. \ -Upon flagging such activity, it's crucial for analysts to swiftly validate the alert, assess the nature and extent of the exposure, and implement necessary measures to mitigate the threat. Reviewing the details such as user agent, source, and destination IP can help in understanding the context and intent of the attack. While it's imperative to patch vulnerable systems to prevent this exploitation, early detection through this analytic provides a valuable layer of defense, enabling timely response to thwart potential breaches. -how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. We recommend hunting in the environment first to understand the scope of the issue and then deploying this detection to monitor for future exploitation attempts. Limit or restrict to Citrix devices only if possible. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} -known_false_positives = False positives may be present based on organization use of Citrix ADC and Gateway. Filter, or restrict the analytic to Citrix devices only. -providing_technologies = null - -[savedsearch://ESCU - Citrix ADC Exploitation CVE-2023-3519 - Rule] -type = detection -asset_type = Network -confidence = medium -explanation = This analytic is designed to assist in hunting for potential exploitation attempts against Citrix ADC in relation to CVE-2023-3519. This vulnerability, identified within Citrix ADC and NetScaler Gateway, appears to be linked with SAML processing components, with an overflow issue allowing for possible memory corruption. Preliminary findings indicate that for the exploit to be viable, SAML has to be enabled. The analytic targets POST requests to certain web endpoints which have been associated with the exploitation process. \ -Given the specific nature of the vulnerability, upon deploying this analytic it is recommended to filter and narrow the focus towards your ADC assets to reduce potential noise and improve the signal of the analytic. Please note that the exploitation of this vulnerability has been reported in the wild, therefore monitoring for potential signs of exploitation should be considered high priority. \ -The search query provided examines web data for POST requests made to specific URLs associated with the exploitation of this vulnerability. It aggregates and presents data to highlight potential exploitation attempts, taking into account elements like user agent, HTTP method, URL length, source, and destination. \ -Please be aware that this analytic is based on current understanding of the vulnerability, and adjustments may be required as more information becomes available. -how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.AE"]} -known_false_positives = False positives may be present based on organization use of SAML utilities. Filter, or restrict the analytic to Citrix devices only. -providing_technologies = null - -[savedsearch://ESCU - Citrix ShareFile Exploitation CVE-2023-24489 - Rule] -type = detection -asset_type = Network -confidence = medium -explanation = The following analytic detects a potentially malicious file upload attempt to Documentum, an enterprise content management platform, via specific suspicious URLs and the HTTP POST method. This detection occurs through pattern recognition within the datamodel=Web, focusing on URL patterns that follow "/documentum/upload.aspx?parentid=", "/documentum/upload.aspx?filename=", "/documentum/upload.aspx?uploadId=*", combined with the HTTP POST method, indicative of a file upload attempt. \ -This behavior is significant for a Security Operations Center (SOC) to identify, as it can signify a potential attack vector. Malicious actors might use this method to upload a harmful script or other exploitable content to Documentum, thereby establishing a foothold in the environment, spreading malware, or enabling further exploitation. \ -The impact of this behavior, if a true positive, can be quite significant. An attacker could compromise the Documentum application, manipulate or steal sensitive content, and potentially gain unauthorized access to other system resources. An intrusion of this nature could disrupt business operations, result in data breaches, and even damage the organization's reputation. \ -However, it's important to note that false positives may occur. For example, legitimate but uncommon file uploads might match these URL patterns. It's crucial to verify any alerts generated by this analytic to ensure accurate threat detection. This analytic provides critical insights into potential attack attempts and assists in maintaining the integrity and security of enterprise content management systems like Documentum. -how_to_implement = Dependent upon the placement of the ShareFile application, ensure the latest Technology Add-On is eneabled. This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. The ShareFile application is IIS based, therefore ingesting IIS logs and reviewing for the same pattern would identify this activity, successful or not. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.AE"]} -known_false_positives = False positives may be present, filtering may be needed. Also, restricting to known web servers running IIS or ShareFile will change this from Hunting to TTP. -providing_technologies = null - -[savedsearch://ESCU - Confluence CVE-2023-22515 Trigger Vulnerability - Rule] -type = detection -asset_type = Web Server -confidence = medium -explanation = The following analytic identifies potential exploitation attempts on a known vulnerability in Atlassian Confluence, targeting the /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false* and /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=0& URLs. By analyzing web logs within the Splunk 'Web' Data Model, it filters for successful accesses (HTTP status 200) to these vulnerable endpoints. Such behavior is crucial for a SOC to monitor, as it suggests attackers might be exploiting a privilege escalation flaw in Confluence. A true positive implies a possible unauthorized access or account creation with escalated privileges. Key details captured include user-agent, HTTP methods, URL length, and source and destination IPs. These insights aid SOCs in swiftly detecting and responding to threats, ensuring vulnerabilities are mitigated before substantial compromise. -how_to_implement = To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel. Tested with Suricata and nginx:plus:kv. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} -known_false_positives = False positives may be present with legitimate applications. Attempt to filter by dest IP or use Asset groups to restrict to Confluence servers. -providing_technologies = null - -[savedsearch://ESCU - Confluence Data Center and Server Privilege Escalation - Rule] -type = detection -asset_type = Web Server -confidence = medium -explanation = The following analytic identifies potential exploitation attempts on a known vulnerability in Atlassian Confluence, targeting the /setup/*.action* URL pattern. By analyzing web logs within the Splunk 'Web' Data Model, it filters for successful accesses (HTTP status 200) to these vulnerable endpoints. Such behavior is crucial for a SOC to monitor, as it suggests attackers might be exploiting a privilege escalation flaw in Confluence. A true positive implies a possible unauthorized access or account creation with escalated privileges. Key details captured include user-agent, HTTP methods, URL length, and source and destination IPs. These insights aid SOCs in swiftly detecting and responding to threats, ensuring vulnerabilities are mitigated before substantial compromise. -how_to_implement = To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} -known_false_positives = False positives may be present with legitimate applications. Attempt to filter by dest IP or use Asset groups to restrict to confluence servers. -providing_technologies = null - -[savedsearch://ESCU - Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527 - Rule] -type = detection -asset_type = Web Application -confidence = medium -explanation = This analytic identifies a critical template injection vulnerability (CVE-2023-22527) in outdated versions of Confluence Data Center and Server, which allows an unauthenticated attacker to execute arbitrary code remotely. The vulnerability is exploited by injecting OGNL (Object-Graph Navigation Language) expressions into the application, as evidenced by POST requests to the "/template/aui/text-inline.vm" endpoint with specific content types and payloads. The search looks for POST requests with HTTP status codes 200 or 202, which may indicate successful exploitation attempts. Immediate patching to the latest version of Confluence is strongly recommended, as there are no known workarounds. This detection is crucial for identifying and responding to potential RCE attacks, ensuring that affected Confluence instances are secured against this critical threat. -how_to_implement = To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} -known_false_positives = False positives may be present with legitimate applications. Attempt to filter by dest IP or use Asset groups to restrict to confluence servers. -providing_technologies = null - -[savedsearch://ESCU - Confluence Unauthenticated Remote Code Execution CVE-2022-26134 - Rule] -type = detection -asset_type = Web Server -confidence = medium -explanation = The following analytic assists with identifying CVE-2022-26134 based exploitation utilizing the Web datamodel to cover network and CIM compliant web logs. The parameters were captured from live scanning and the POC provided by Rapid7. This analytic is written against multiple proof of concept codes released and seen in the wild (scanning). During triage, review any endpoint based logs for further activity including writing a jsp file to disk and commands/processes spawning running as root from the Confluence process. -how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache or Splunk for Nginx. In addition, network based logs or event data like PAN Threat. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1505", "T1190", "T1133"], "nist": ["DE.CM"]} -known_false_positives = Tune based on assets if possible, or restrict to known Confluence servers. Remove the ${ for a more broad query. To identify more exec, remove everything up to the last parameter (Runtime().exec) for a broad query. -providing_technologies = null - -[savedsearch://ESCU - ConnectWise ScreenConnect Authentication Bypass - Rule] -type = detection -asset_type = Web Server -confidence = medium -explanation = This analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1709 vulnerability, which allows an attacker to bypass authentication using an alternate path or channel. The vulnerability, identified as critical with a CVSS score of 10, enables unauthorized users to access the SetupWizard.aspx page on already-configured ScreenConnect instances, potentially leading to the creation of administrative users and remote code execution. The search query provided looks for web requests to the SetupWizard.aspx page that could indicate exploitation attempts. This detection is crucial for identifying and responding to active exploitation of this vulnerability in environments running affected versions of ScreenConnect (23.9.7 and prior). It is recommended to update to version 23.9.8 or above immediately to remediate the issue, as detailed in the ConnectWise security advisory and further analyzed by Huntress researchers. -how_to_implement = To implement this analytic, ensure proper logging is occurring with IIS, Apache, or a Proxy server and that these logs are being ingested into Splunk. The analytic was written against Suricata. The proper TA will need to be enabled and should be mapped to CIM and the Web datamodel. Ingestion of the data source is required to utilize this detection. In addition, if it is not mapped to the datamodel, modify the query for your application logs to look for requests the same URI and investigate further. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} -known_false_positives = False positives are not expected, as the detection is based on the presence of web requests to the SetupWizard.aspx page, which is not a common page to be accessed by legitimate users. Note that the analytic is limited to HTTP POST and a status of 200 to reduce false positives. Modify the query as needed to reduce false positives or hunt for additional indicators of compromise. -providing_technologies = null - -[savedsearch://ESCU - Detect attackers scanning for vulnerable JBoss servers - Rule] -type = detection -asset_type = Web Server -confidence = medium -explanation = The following analytic identifies specific GET or HEAD requests to web servers that indicate reconnaissance attempts to find vulnerable JBoss servers. It leverages data from the Web data model, focusing on HTTP methods and URLs associated with JBoss management interfaces. This activity is significant because it often precedes exploitation attempts using tools like JexBoss, which can compromise the server. If confirmed malicious, attackers could gain unauthorized access, execute arbitrary code, or escalate privileges, leading to potential data breaches and system compromise. -how_to_implement = You must be ingesting data from the web server or network traffic that contains web specific information, and populating the Web data model. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1082", "T1133"], "nist": ["DE.CM"]} -known_false_positives = It's possible for legitimate HTTP requests to be made to URLs containing the suspicious paths. -providing_technologies = null - -[savedsearch://ESCU - Detect F5 TMUI RCE CVE-2020-5902 - Rule] -type = detection -asset_type = Network -confidence = medium -explanation = The following analytic identifies remote code execution (RCE) attempts targeting F5 BIG-IP, BIG-IQ, and Traffix SDC devices, specifically exploiting CVE-2020-5902. It uses regex to detect patterns in syslog data that match known exploit strings such as "hsqldb;" and directory traversal sequences. This activity is significant because successful exploitation can allow attackers to execute arbitrary commands on the affected devices, leading to full system compromise. If confirmed malicious, this could result in unauthorized access, data exfiltration, or further lateral movement within the network. -how_to_implement = To consistently detect exploit attempts on F5 devices using the vulnerabilities contained within CVE-2020-5902 it is recommended to ingest logs via syslog. As many BIG-IP devices will have SSL enabled on their management interfaces, detections via wire data may not pick anything up unless you are decrypting SSL traffic in order to inspect it. I am using a regex string from a Cloudflare mitigation technique to try and always catch the offending string (..;), along with the other exploit of using (hsqldb;). -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} -known_false_positives = unknown -providing_technologies = null - -[savedsearch://ESCU - Detect malicious requests to exploit JBoss servers - Rule] -type = detection -asset_type = Web Server -confidence = medium -explanation = The following analytic identifies malicious HTTP requests targeting the jmx-console in JBoss servers. It detects unusually long URLs, indicative of embedded payloads, by analyzing web server logs for GET or HEAD requests with specific URL patterns and lengths. This activity is significant as it may indicate an attempt to exploit JBoss vulnerabilities, potentially leading to unauthorized remote code execution. If confirmed malicious, attackers could gain control over the server, escalate privileges, and compromise sensitive data, posing a severe threat to the organization's security. -how_to_implement = You must ingest data from the web server or capture network data that contains web specific information with solutions such as Bro or Splunk Stream, and populating the Web data model -annotations = {"cis20": ["CIS 13"], "nist": ["DE.CM"]} -known_false_positives = No known false positives for this detection. -providing_technologies = null - -[savedsearch://ESCU - Detect Remote Access Software Usage URL - Rule] -type = detection -asset_type = Network -confidence = medium -explanation = The following analytic detects when a known remote access software is executed with the environment. Adversaries use these utilities to retain remote access capabilities to the environment. Utilities in the lookup include AnyDesk, GoToMyPC, LogMeIn, TeamViewer and much more. Review the lookup for the entire list and add any others. -how_to_implement = The detection is based on data that originates from network logs. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the network logs. The logs must also be mapped to the `Web` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1219"], "nist": ["DE.AE"]} -known_false_positives = It is possible that legitimate remote access software is used within the environment. Ensure that the lookup is reviewed and updated with any additional remote access software that is used within the environment. -providing_technologies = null - -[savedsearch://ESCU - Exploit Public Facing Application via Apache Commons Text - Rule] -type = detection -asset_type = Web Server -confidence = medium -explanation = The following analytic identifies activity related to Text4Shell, or the critical vulnerability CVE-2022-42889 in Apache Commons Text Library. Apache Commons Text versions 1.5 through 1.9 are affected, but it has been patched in version 1.10. The analytic may need to be tuned for your environment before enabling as a TTP, or direct Notable. Apache Commons Text is a Java library described as a library focused on algorithms working on strings. We can see it as a general-purpose text manipulation toolkit. This vulnerability affects the StringSubstitutor interpolator class, which is included in the Commons Text library. A default interpolator allows for string lookups that can lead to Remote Code Execution. This is due to a logic flaw that makes the script, dns, and url lookup keys interpolated by default, as opposed to what it should be, according to the documentation of the StringLookupFactory class. Those keys allow an attacker to execute arbitrary code via lookups. -how_to_implement = To implement, one must be collecting network traffic that is normalized in CIM and able to be queried via the Web datamodel. Or, take the chunks out needed and tie to a specific network source type to hunt in. Tune as needed, or remove the other_lookups statement. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1505.003", "T1505", "T1190", "T1133"], "nist": ["DE.AE"]} -known_false_positives = False positives are present when the values are set to 1 for utf and lookup. It's possible to raise this to TTP (direct notable) if removal of other_lookups occur and Score is raised to 2 (down from 4). -providing_technologies = null - -[savedsearch://ESCU - Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952 - Rule] -type = detection -asset_type = Network -confidence = medium -explanation = The following analytic detects attempts to exploit the Fortinet FortiNAC CVE-2022-39952 vulnerability. It identifies HTTP POST requests to the URI configWizard/keyUpload.jsp with a payload.zip file. The detection leverages the Web datamodel, analyzing fields such as URL, HTTP method, and user agent. This activity is significant as it indicates an attempt to exploit a known vulnerability, potentially leading to remote code execution. If confirmed malicious, attackers could gain control over the affected system, schedule malicious tasks, and establish persistent access via a remote command and control (C2) server. -how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} -known_false_positives = False positives may be present. Modify the query as needed to POST, or add additional filtering (based on log source). -providing_technologies = null - -[savedsearch://ESCU - F5 TMUI Authentication Bypass - Rule] -type = detection -asset_type = Network -confidence = medium -explanation = The following analytic is designed to detect attempts to exploit the CVE-2023-46747 vulnerability, a critical authentication bypass flaw in F5 BIG-IP that can lead to unauthenticated remote code execution (RCE). This vulnerability specifically affects the BIG-IP Configuration utility (TMUI) and has been assigned a high severity CVSSv3 score of 9.8. The analytic identifies this behavior by monitoring for a specific URI path - "*/mgmt/tm/auth/user/*", with the PATCH method and 200 status. Additional URI's will occur around the same time include "*/mgmt/shared/authn/login*" and "*/tmui/login.jsp*", which are associated with the exploitation of this vulnerability. This behavior is significant for a Security Operations Center (SOC) as it indicates an attempt to bypass authentication mechanisms, potentially leading to unauthorized access and control over the system. If a true positive is identified, it suggests that an attacker is attempting to exploit a known vulnerability to gain unauthorized access and execute arbitrary code, which could lead to data theft, system disruption, or further malicious activities within the network. -how_to_implement = To successfully implement this search you need to be ingesting information on Web traffic that include fields relevant for traffic into the `Web` datamodel. -annotations = {"cis20": ["CIS 10"], "nist": ["DE.CM"]} -known_false_positives = False positives should be limited to as this is strict to active exploitation. Reduce noise by filtering to F5 devices with TMUI enabled or filter data as needed. -providing_technologies = null - -[savedsearch://ESCU - Fortinet Appliance Auth bypass - Rule] -type = detection -asset_type = Network -confidence = medium -explanation = CVE-2022-40684 is a Fortinet appliance auth bypass that is actively being exploited and a POC is released publicy. The POC adds a SSH key to the appliance. Note that the exploit can be used with any HTTP method (GET, POST, PUT, DELETE, etc). The REST API request failing is not an indication that an attacker was unsuccessful. Horizon3 was able to modify the admin SSH keys though a REST API request that reportedly failed. The collection /api/v2/ endpoints can be used to configure the system and modify the administrator user. Any logs found that meet the above conditions and also have a URL containing /api/v2/ should be cause for concern. Further investigation of any matching log entries can reveal any damage an attack has done. Additionally, an attacker may perform the following actions to further compromise a system Modify the admin SSH key to enable the attacker to login to the compromised system. \ -Add new local users. \ -Update networking configurations to reroute traffic. \ -Download the system configuration. \ -Initiate packet captures to capture other sensitive system information. Reference Horizon3.ai -how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache. Splunk for Nginx, or Splunk for Palo Alto. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} -known_false_positives = GET requests will be noisy and need to be filtered out or removed from the query based on volume. Restrict analytic to known publically facing Fortigates, or run analytic as a Hunt until properly tuned. It is also possible the user agent may be filtered on Report Runner or Node.js only for the exploit, however, it is unknown at this if other user agents may be used. -providing_technologies = null - -[savedsearch://ESCU - Hunting for Log4Shell - Rule] -type = detection -asset_type = Web Server -confidence = medium -explanation = The following hunting query assists with quickly assessing CVE-2021-44228, or Log4Shell, activity mapped to the Web Datamodel. This is a combination query attempting to identify, score and dashboard. Because the Log4Shell vulnerability requires the string to be in the logs, this will work to identify the activity anywhere in the HTTP headers using _raw. Modify the first line to use the same pattern matching against other log sources. Scoring is based on a simple rubric of 0-5. 5 being the best match, and less than 5 meant to identify additional patterns that will equate to a higher total score. \ -The first jndi match identifies the standard pattern of `{jndi:` \ -jndi_fastmatch is meant to identify any jndi in the logs. The score is set low and is meant to be the "base" score used later. \ -jndi_proto is a protocol match that identifies `jndi` and one of `ldap, ldaps, rmi, dns, nis, iiop, corba, nds, http, https.` \ -all_match is a very well written regex by https://gist.github.com/Schvenn that identifies nearly all patterns of this attack behavior. \ -env works to identify environment variables in the header, meant to capture `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `env`. \ -uri_detect is string match looking for the common uri paths currently being scanned/abused in the wild. \ -keywords matches on enumerated values that, like `$ctx:loginId`, that may be found in the header used by the adversary. \ -lookup matching is meant to catch some basic obfuscation that has been identified using upper, lower and date. \ -Scoring will then occur based on any findings. The base score is meant to be 2 , created by jndi_fastmatch. Everything else is meant to increase that score. \ -Finally, a simple table is created to show the scoring and the _raw field. Sort based on score or columns of interest. -how_to_implement = Out of the box, the Web datamodel is required to be pre-filled. However, tested was performed against raw httpd access logs. Change the first line to any dataset to pass the regex's against. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.AE"]} -known_false_positives = It is highly possible you will find false positives, however, the base score is set to 2 for _any_ jndi found in raw logs. tune and change as needed, include any filtering. -providing_technologies = null - -[savedsearch://ESCU - Ivanti Connect Secure Command Injection Attempts - Rule] -type = detection -asset_type = VPN Appliance -confidence = medium -explanation = This analytic is designed to identify the exploit phase of the CVE-2023-46805 and CVE-2024-21887 vulnerabilities. During this phase, a POST request is made to the /api/v1/totp/user-backup-code/../../system/maintenance/archiving/cloud-server-test-connection URI. This request exploits the command injection vulnerability to execute arbitrary commands. A successful request, indicated by a 200 OK response, suggests that the system is vulnerable. -how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} -known_false_positives = This analytic is limited to HTTP Status 200; adjust as necessary. False positives may occur if the URI path is IP-restricted or externally blocked. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment. -providing_technologies = null - -[savedsearch://ESCU - Ivanti Connect Secure SSRF in SAML Component - Rule] -type = detection -asset_type = VPN Appliance -confidence = medium -explanation = The following analytic is designed to identify POST request activities targeting specific endpoints known to be vulnerable to the SSRF issue (CVE-2024-21893) in Ivanti's products. It aggregates data from the Web data model, focusing on endpoints /dana-ws/saml20.ws, /dana-ws/saml.ws, /dana-ws/samlecp.ws, and /dana-na/auth/saml-logout.cgi. The query filters for POST requests that received a HTTP 200 OK response, indicating successful request execution. -how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} -known_false_positives = This analytic is limited to HTTP Status 200; adjust as necessary. False positives may occur if the HTTP Status is removed, as most failed attempts result in a 301. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment. -providing_technologies = null - -[savedsearch://ESCU - Ivanti Connect Secure System Information Access via Auth Bypass - Rule] -type = detection -asset_type = VPN Appliance -confidence = medium -explanation = This analytic is designed to identify the "check phase" of the CVE-2023-46805 and CVE-2024-21887 vulnerabilities. During this phase, a GET request is made to the /api/v1/totp/user-backup-code/../../system/system-information URI. This request exploits the authentication bypass vulnerability to gain access to system information. A successful request, indicated by a 200 OK response, suggests that the system is vulnerable. -how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.AE"]} -known_false_positives = This analytic is limited to HTTP Status 200; adjust as necessary. False positives may occur if the URI path is IP-restricted or externally blocked. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment. -providing_technologies = null - -[savedsearch://ESCU - Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078 - Rule] -type = detection -asset_type = Web Server -confidence = medium -explanation = The given analytic is designed to detect the exploitation of CVE-2023-35078, a vulnerability in Ivanti Endpoint Manager Mobile (EPMM) affecting versions up to 11.4. Specifically, the query searches web logs for HTTP requests to the potentially vulnerable endpoint "/mifs/aad/api/v2/authorized/users?*" with a successful status code of 200. This analytic is instrumental in detecting unauthorized remote access to restricted functionalities or resources within the application, a behavior worth identifying for a Security Operations Center (SOC). By monitoring specific patterns and successful access indicators, it reveals an active attempt to exploit the vulnerability, potentially leading to data theft, unauthorized modifications, or further system compromise. If successfully executed, the impact can be severe, necessitating immediate action. -how_to_implement = To implement this analytic, a network product similar to Suricata or Palo Alto needs to be mapped to the Web datamodel. Modify accordingly to work with your products. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} -known_false_positives = The Proof of Concept exploit script indicates that status=200 is required for successful exploitation of the vulnerability. False positives may be present if status=200 is removed from the search. If it is removed,then the search also alert on status=301 and status=404 which indicates unsuccessful exploitation attempts. Analysts may find it useful to hunt for these status codes as well, but it is likely to produce a significant number of alerts as this is a widespread vulnerability. -providing_technologies = null - -[savedsearch://ESCU - Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082 - Rule] -type = detection -asset_type = Web Server -confidence = medium -explanation = The following analytic detects potential unauthorized access attempts exploiting CVE-2023-35082 within Ivantis software products. Initially assessed to affect only MobileIron Core versions up to 11.2, further insights revealed its influence extending to Ivanti Endpoint Manager Mobile (EPMM) versions 11.10, 11.9, 11.8, and MobileIron Core 11.7 and below. The vulnerability facilitates unauthorized API access via the specific URI path /mifs/asfV3/api/v2/. The analytic identifies this behavior by monitoring web access logs for this URI pattern coupled with a HTTP 200 response code, signifying successful unauthorized access. Such behavior is imperative for a Security Operations Center (SOC) to recognize, as it highlights potential security breaches which, if not addressed, could lead to unauthorized data access, system modifications, or further exploitation. In the event of a true positive, the implications are severe: an attacker might have gained unbridled access to sensitive organizational data or could modify systems maliciously. Be vigilant of potential false positives; benign activities might occasionally match the pattern. During triage, closely scrutinize the source of the access request and its subsequent actions. This analytic aids analysts in early threat detection, allowing for proactive risk mitigation. -how_to_implement = To implement this analytic, a network product similar to Suricata or Palo Alto needs to be mapped to the Web datamodel. Modify accordingly to work with your products. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} -known_false_positives = Similar to CVE-2023-35078, the path for exploitation indicates that status=200 is required for successful exploitation of the vulnerability. False positives may be present if status=200 is removed from the search. If it is removed,then the search also alert on status=301 and status=404 which indicates unsuccessful exploitation attempts. Analysts may find it useful to hunt for these status codes as well, but it is likely to produce a significant number of alerts as this is a widespread vulnerability. -providing_technologies = null - -[savedsearch://ESCU - Ivanti Sentry Authentication Bypass - Rule] -type = detection -asset_type = Network -confidence = medium -explanation = This analytic is designed to detect unauthenticated access to the System Manager Portal in Ivanti Sentry, formerly known as MobileIron Sentry. The vulnerability, designated as CVE-2023-38035, affects all supported versions 9.18, 9.17, and 9.16, as well as older versions. The analytic works by monitoring for changes in the configuration of Sentry and the underlying operating system. Such changes could indicate an attacker attempting to execute OS commands as root. This behavior is of significant concern for a Security Operations Center (SOC) as it presents a substantial security risk, particularly if port 8443, the default port for the System Manager Portal, is exposed to the internet. If the analytic returns a true positive, it suggests that an attacker has gained unauthorized access to the Sentry system, potentially leading to a significant system compromise and data breach. It is important to note that while the issue has a high CVSS score, the risk of exploitation is low for customers who do not expose port 8443 to the internet. The search specifically looks for HTTP requests to certain endpoints ("/mics/services/configservice/*", "/mics/services/*","/mics/services/MICSLogService*") and HTTP status code of 200. Unusual or unexpected patterns in these parameters could indicate an attack. -how_to_implement = To implement this analytic, a network product similar to Suricata or Palo Alto needs to be mapped to the Web datamodel. Modify accordingly to work with your products. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} -known_false_positives = It is important to note that false positives may occur if the search criteria are expanded beyond the HTTP status code 200. In other words, if the search includes other HTTP status codes, the likelihood of encountering false positives increases. This is due to the fact that HTTP status codes other than 200 may not necessarily indicate a successful exploitation attempt. -providing_technologies = null - -[savedsearch://ESCU - Jenkins Arbitrary File Read CVE-2024-23897 - Rule] -type = detection -asset_type = Web Server -confidence = medium -explanation = The following analtyic identifies a Jenkins Arbitrary File Read CVE-2024-23897 exploitation. This attack allows an attacker to read arbitrary files on the Jenkins server. This can be used to obtain sensitive information such as credentials, private keys, and other sensitive information. -how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. If unable to utilize the Web datamodel, modify query to your data source. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} -known_false_positives = False positives should be limited as this detection is based on a specific URL path and HTTP status code. Adjust the search as necessary to fit the environment. -providing_technologies = null - -[savedsearch://ESCU - JetBrains TeamCity Authentication Bypass CVE-2024-27198 - Rule] -type = detection -asset_type = Web Server -confidence = medium -explanation = The CVE-2024-27198 vulnerability presents a critical security risk for JetBrains TeamCity on-premises servers, allowing attackers to bypass authentication mechanisms and gain unauthorized access. This vulnerability can be exploited in several ways, each leading to the attacker gaining full control over the TeamCity server, including all associated projects, builds, agents, and artifacts. One method of exploitation involves creating a new administrator user. An attacker, without needing to authenticate, can send a specially crafted POST request to the `/app/rest/users` REST API endpoint. This request includes the desired username, password, email, and roles for the new user, effectively granting them administrative privileges upon successful execution. Alternatively, an attacker can generate a new administrator access token by targeting the `/app/rest/users/id:1/tokens` endpoint with a POST request. This method also does not require prior authentication and results in the creation of a token that grants administrative access. Both exploitation methods underscore the severity of the CVE-2024-27198 vulnerability and highlight the importance of securing TeamCity servers against such authentication bypass threats. The manipulation of URI paths `/app/rest/users` and `/app/rest/users/id:1/tokens` through malicious requests enables attackers to gain unauthorized access and control, emphasizing the need for immediate remediation measures. -how_to_implement = The detection relies on the Web datamodel and a CIM compliant log source, that may include Nginx, TeamCity logs, or other web server logs. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} -known_false_positives = False positives are not expected, as this detection is based on the presence of specific URI paths and HTTP methods that are indicative of the CVE-2024-27198 vulnerability exploitation. Monitor, filter and tune as needed based on organization log sources. -providing_technologies = null - -[savedsearch://ESCU - JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198 - Rule] -type = detection -asset_type = Web Server -confidence = medium -explanation = The CVE-2024-27198 vulnerability presents a critical security risk for JetBrains TeamCity on-premises servers, allowing attackers to bypass authentication mechanisms and gain unauthorized access. This vulnerability can be exploited in several ways, each leading to the attacker gaining full control over the TeamCity server, including all associated projects, builds, agents, and artifacts. One method of exploitation involves creating a new administrator user. An attacker, without needing to authenticate, can send a specially crafted POST request to the `/app/rest/users` REST API endpoint. This request includes the desired username, password, email, and roles for the new user, effectively granting them administrative privileges upon successful execution.Alternatively, an attacker can generate a new administrator access token by targeting the `/app/rest/users/id:1/tokens` endpoint with a POST request. This method also does not require prior authentication and results in the creation of a token that grants administrative access. Both exploitation methods underscore the severity of the CVE-2024-27198 vulnerability and highlight the importance of securing TeamCity servers against such authentication bypass threats. The manipulation of URI paths `/app/rest/users` and `/app/rest/users/id:1/tokens` through malicious requests enables attackers to gain unauthorized access and control, emphasizing the need for immediate remediation measures. -how_to_implement = The following detection relies on the Suricata TA and ensuring it is properly configured to monitor HTTP traffic. Modify the query for your environment and log sources as needed. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} -known_false_positives = False positives are not expected, as this detection is based on the presence of specific URI paths and HTTP methods that are indicative of the CVE-2024-27198 vulnerability exploitation. Monitor, filter and tune as needed based on organization log sources. -providing_technologies = null - -[savedsearch://ESCU - JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199 - Rule] -type = detection -asset_type = Web Server -confidence = medium -explanation = CVE-2024-27199 reveals a critical vulnerability in JetBrains TeamCity web server, allowing unauthenticated attackers to bypass authentication for a limited set of endpoints. This vulnerability exploits path traversal issues, enabling attackers to access and potentially modify system settings or disclose sensitive server information without proper authentication. Identified vulnerable paths include /res/, /update/, and /.well-known/acme-challenge/, among others. Attackers can manipulate these paths to reach restricted JSP pages and servlet endpoints, such as /app/https/settings/uploadCertificate, which could allow for the uploading of malicious HTTPS certificates or modification of server settings. This detection aims to identify potential exploitation attempts by monitoring for unusual access patterns to these endpoints, which could indicate an authentication bypass attempt in progress. -how_to_implement = The following detection relies on the Suricata TA and ensuring it is properly configured to monitor HTTP traffic. Modify the query for your environment and log sources as needed. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} -known_false_positives = False positives are not expected, however, monitor, filter, and tune as needed based on organization log sources. The analytic is restricted to 200 and GET requests to specific URI paths, which should limit false positives. -providing_technologies = null - -[savedsearch://ESCU - JetBrains TeamCity RCE Attempt - Rule] -type = detection -asset_type = Web Server -confidence = medium -explanation = The following analytic is designed to detect attempts to exploit the CVE-2023-42793 vulnerability in TeamCity On-Premises. It focuses on identifying suspicious POST requests to /app/rest/users/id:1/tokens/RPC2, which is the initial point of exploitation. This could indicate an unauthenticated attacker trying to gain administrative access through Remote Code Execution (RCE). -how_to_implement = The following analytic requires the Web datamodel. Ensure data source is mapped correctly or modify and tune for your data source. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} -known_false_positives = If TeamCity is not in use, this analytic will not return results. Monitor and tune for your environment. -providing_technologies = null - -[savedsearch://ESCU - Juniper Networks Remote Code Execution Exploit Detection - Rule] -type = detection -asset_type = Web Server -confidence = medium -explanation = The following analytic detects the exploitation of a remote code execution vulnerability in Juniper Networks devices. The vulnerability involves multiple steps, including uploading a malicious PHP file and an INI file to the target server, and then executing the PHP code by manipulating the PHP configuration via the uploaded INI file. The analytic specifically looks for requests to /webauth_operation.php?PHPRC=*, which are used to upload the files and execute the code, respectively. This behavior is worth identifying for a SOC because it indicates that an attacker is attempting to exploit the vulnerability to gain unauthorized access to the device and execute arbitrary code. If a true positive is found, it suggests that an attacker has successfully exploited the vulnerability and may have gained control over the device, leading to data theft, network compromise, or other damaging outcomes. Upon triage, review the request parameters and the response to determine if the exploitation was successful. Capture and inspect any relevant network traffic and server logs to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks. -how_to_implement = To implement this search, ensure that the Web data model is populated. The search is activated when the Web data model is accelerated. Network products, such as Suricata or Palo Alto, need to be mapped to the Web data model. Adjust the mapping as necessary to suit your specific products. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control", "Delivery", "Installation"], "mitre_attack": ["T1190", "T1105", "T1059"], "nist": ["DE.CM"]} -known_false_positives = Be aware of potential false positives - legitimate uses of the /webauth_operation.php endpoint may cause benign activities to be flagged.The URL in the analytic is specific to a successful attempt to exploit the vulnerability. Review contents of the HTTP body to determine if the request is malicious. If the request is benign, add the URL to the whitelist or continue to monitor. -providing_technologies = null - -[savedsearch://ESCU - Log4Shell JNDI Payload Injection Attempt - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = CVE-2021-44228 Log4Shell payloads can be injected via various methods, but on of the most common vectors injection is via Web calls. Many of the vulnerable java web applications that are using log4j have a web component to them are specially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by a LDAP lookup function in the log4j package, its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, when executed against vulnerable web applications the invocation can be seen in various part of web logs. Specifically it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. In this detection we first limit the scope of our search to the Web Datamodel and use the `| from datamodel` function to benefit from schema accelerated searching capabilities, mainly because the second part of the detection is pretty heavy, it runs a regex across all _raw events that looks for `${jndi:ldap://` pattern across all potential web fields available to the raw data, like http headers for example. If you see results for this detection, it means that there was a attempt at a injection, which could be a reconnaissance activity or a valid expliotation attempt, but this does not exactly mean that the host was indeed successfully exploited. -how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache or Splunk for Nginx. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.AE"]} -known_false_positives = If there is a vulnerablility scannner looking for log4shells this will trigger, otherwise likely to have low false positives. -providing_technologies = null - -[savedsearch://ESCU - Log4Shell JNDI Payload Injection with Outbound Connection - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = CVE-2021-44228 Log4Shell payloads can be injected via various methods, but on of the most common vectors injection is via Web calls. Many of the vulnerable java web applications that are using log4j have a web component to them are specially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by a LDAP lookup function in the log4j package, its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, when executed against vulnerable web applications the invocation can be seen in various part of web logs. Specifically it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. In this detection we match the invocation function with a network connection to a malicious ip address. -how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache or Splunk for Nginx. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.AE"]} -known_false_positives = If there is a vulnerablility scannner looking for log4shells this will trigger, otherwise likely to have low false positives. -providing_technologies = null - -[savedsearch://ESCU - Microsoft SharePoint Server Elevation of Privilege - Rule] -type = detection -asset_type = Web Server -confidence = medium -explanation = The following analytic detects potential exploitation attempts against Microsoft SharePoint Server vulnerability CVE-2023-29357. This vulnerability pertains to an elevation of privilege due to improper handling of authentication tokens. By monitoring for suspicious activities related to SharePoint Server, the analytic identifies attempts to exploit this vulnerability. If a true positive is detected, it indicates a serious security breach where an attacker might have gained privileged access to the SharePoint environment, potentially leading to data theft or other malicious activities. -how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Microsoft SharePoint. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]} -known_false_positives = False positives may occur if there are legitimate activities that mimic the exploitation pattern. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment. -providing_technologies = null - -[savedsearch://ESCU - Monitor Web Traffic For Brand Abuse - Rule] -type = detection -asset_type = Endpoint -confidence = medium -explanation = The following analytic identifies web requests to domains that closely resemble your monitored brand's domain, indicating potential brand abuse. It leverages data from web traffic sources, such as web proxies or network traffic analysis tools, and cross-references these with known domain permutations generated by the "ESCU - DNSTwist Domain Names" search. This activity is significant as it can indicate phishing attempts or other malicious activities targeting your brand. If confirmed malicious, attackers could deceive users, steal credentials, or distribute malware, leading to significant reputational and financial damage. -how_to_implement = You need to ingest data from your web traffic. This can be accomplished by indexing data from a web proxy, or using a network traffic analysis tool, such as Bro or Splunk Stream. You also need to have run the search "ESCU - DNSTwist Domain Names", which creates the permutations of the domain that will be checked for. -annotations = {"cis20": ["CIS 13"], "nist": ["DE.CM"]} -known_false_positives = None at this time -providing_technologies = null - -[savedsearch://ESCU - Nginx ConnectWise ScreenConnect Authentication Bypass - Rule] -type = detection -asset_type = Web Proxy -confidence = medium -explanation = This analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1709 vulnerability, which allows an attacker to bypass authentication using an alternate path or channel. The vulnerability, identified as critical with a CVSS score of 10, enables unauthorized users to access the SetupWizard.aspx page on already-configured ScreenConnect instances, potentially leading to the creation of administrative users and remote code execution. The search query provided looks for web requests to the SetupWizard.aspx page that could indicate exploitation attempts. This detection is crucial for identifying and responding to active exploitation of this vulnerability in environments running affected versions of ScreenConnect (23.9.7 and prior). It is recommended to update to version 23.9.8 or above immediately to remediate the issue, as detailed in the ConnectWise security advisory and further analyzed by Huntress researchers. -how_to_implement = To implement this analytic, ensure proper logging is occurring with Nginx, access.log and error.log, and that these logs are being ingested into Splunk. STRT utilizes this nginx.conf https://gist.github.com/MHaggis/26f59108b04da8f1d870c9cc3a3c8eec to properly log as much data with Nginx. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} -known_false_positives = False positives are not expected, as the detection is based on the presence of web requests to the SetupWizard.aspx page, which is not a common page to be accessed by legitimate users. Note that the analytic is limited to HTTP POST and a status of 200 to reduce false positives. Modify the query as needed to reduce false positives or hunt for additional indicators of compromise. -providing_technologies = null - -[savedsearch://ESCU - PaperCut NG Remote Web Access Attempt - Rule] -type = detection -asset_type = Web Server -confidence = medium -explanation = The following analytic is designed to detect potential exploitation attempts on publicly accessible PaperCut NG servers. It identifies connections from public IP addresses to the server and specifically monitors for URI paths commonly found in proof-of-concept (POC) scripts for exploiting PaperCut NG vulnerabilities. These URI paths have been observed in both Metasploit modules and standalone scripts used for attacking PaperCut NG servers. When a public IP address is detected accessing one or more of these suspicious URI paths, an alert may be generated to notify the security team of the potential threat. The team can then investigate the source IP address, the targeted PaperCut NG server, and any other relevant information to determine the nature of the activity and take appropriate actions to mitigate the risk. -how_to_implement = To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} -known_false_positives = False positives may be present, filter as needed. -providing_technologies = null - -[savedsearch://ESCU - ProxyShell ProxyNotShell Behavior Detected - Rule] -type = detection -asset_type = Web Server -confidence = medium -explanation = The following correlation will identify activity related to Windows Exchange being actively exploited by adversaries related to ProxyShell or ProxyNotShell. In addition, the analytic correlates post-exploitation Cobalt Strike analytic story. Common post-exploitation behavior has been seen in the wild includes adversaries running nltest, Cobalt Strike, Mimikatz and adding a new user. The correlation specifically looks for 5 distinct analyticstories to trigger. Modify or tune as needed for your organization. 5 analytics is an arbitrary number but was chosen to reduce the amount of noise but also require the 2 analytic stories or a ProxyShell and CobaltStrike to fire. Adversaries will exploit the vulnerable Exchange server, abuse SSRF, drop a web shell, utilize the PowerShell Exchange modules and begin post-exploitation. -how_to_implement = To implement this correlation, you will need to enable ProxyShell, ProxyNotShell and Cobalt Strike analytic stories (the anaytics themselves) and ensure proper data is being collected for Web and Endpoint datamodels. Run the correlation rule seperately to validate it is not triggering too much or generating incorrectly. Validate by running ProxyShell POC code and Cobalt Strike behavior. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.AE"]} -known_false_positives = False positives will be limited, however tune or modify the query as needed. -providing_technologies = null - -[savedsearch://ESCU - Spring4Shell Payload URL Request - Rule] -type = detection -asset_type = Web Server -confidence = medium -explanation = The following analytic is static indicators related to CVE-2022-22963, Spring4Shell. The 3 indicators provide an amount of fidelity that source IP is attemping to exploit a web shell on the destination. The filename and cmd are arbitrary in this exploitation. Java will write a JSP to disk and a process will spawn from Java based on the cmd passed. This is indicative of typical web shell activity. -how_to_implement = To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1505.003", "T1505", "T1190", "T1133"], "nist": ["DE.CM"]} -known_false_positives = The jsp file names are static names used in current proof of concept code. = -providing_technologies = null - -[savedsearch://ESCU - SQL Injection with Long URLs - Rule] -type = detection -asset_type = Database Server -confidence = medium -explanation = The following analytic detects long URLs that contain multiple SQL commands. A proactive approach helps to detect and respond to potential threats earlier, mitigating the risks associated with SQL injection attacks. This detection is made by a Splunk query that searches for web traffic data where the destination category is a web server and the URL length is greater than 1024 characters or the HTTP user agent length is greater than 200 characters. This detection is important because it suggests that an attacker is attempting to exploit a web application through SQL injection. SQL injection is a common technique used by attackers to exploit vulnerabilities in web applications and gain unauthorized access to databases. Attackers can insert malicious SQL commands into a URL to manipulate the application's database and retrieve sensitive information or modify data. The impact of a successful SQL injection attack can be severe, potentially leading to data breaches, unauthorized access, and even complete compromise of the affected system. False positives might occur since the legitimate use of web applications or specific URLs in your environment can trigger the detection. Therefore, you must review and validate any alerts generated by this analytic before taking any action. Next steps include reviewing the source and destination of the web traffic, as well as the specific URL and HTTP user agent. Additionally, capture and analyze any relevant on-disk artifacts and review concurrent processes to determine the source of the attack. -how_to_implement = To successfully implement this search, you need to be monitoring network communications to your web servers or ingesting your HTTP logs and populating the Web data model. You must also identify your web servers in the Enterprise Security assets table. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} -known_false_positives = It's possible that legitimate traffic will have long URLs or long user agent strings and that common SQL commands may be found within the URL. Please investigate as appropriate. -providing_technologies = null - -[savedsearch://ESCU - Supernova Webshell - Rule] -type = detection -asset_type = Web Server -confidence = medium -explanation = The following analytic detects the presence of the Supernova webshell, which was used in the SUNBURST attack. This webshell can be used by attackers to gain unauthorized access to a compromised system and run arbitrary code. This detection is made by a Splunk query that searches for specific patterns in web URLs, including "*logoimagehandler.ashx*codes*", "*logoimagehandler.ashx*clazz*", "*logoimagehandler.ashx*method*", and "*logoimagehandler.ashx*args*". These patterns are commonly used by the Supernova webshell to communicate with its command and control server. This detection is important because it indicates a potential compromise and unauthorized access to the system to run arbitrary code, which can lead to data theft, ransomware, or other damaging outcomes. False positives might occur since the patterns used by the webshell can also be present in legitimate web traffic. In such cases, tune the search to the specific environment and monitor it closely for any suspicious activity. Next steps include reviewing the web URLs and inspecting any relevant on-disk artifacts. Additionally, review concurrent processes and network connections to identify the source of the attack. -how_to_implement = To successfully implement this search, you need to be monitoring web traffic to your Solarwinds Orion. The logs should be ingested into splunk and populating/mapped to the Web data model. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1505.003", "T1133"], "nist": ["DE.CM"]} -known_false_positives = There might be false positives associted with this detection since items like args as a web argument is pretty generic. -providing_technologies = null - -[savedsearch://ESCU - VMWare Aria Operations Exploit Attempt - Rule] -type = detection -asset_type = Web Server -confidence = medium -explanation = The following analytic is designed to detect potential exploitation attempts against VMWare vRealize Network Insight that align with the characteristics of CVE-2023-20887. This specific vulnerability is a critical security flaw that, if exploited, could allow an attacker to execute arbitrary code on the affected system. \ -The analytic operates by monitoring web traffic, specifically HTTP POST requests, directed towards a specific URL endpoint ("/saas./resttosaasservlet"). This endpoint is known to be vulnerable and is a common target for attackers exploiting this vulnerability. \ -The behavior this analytic detects is the sending of HTTP POST requests to the vulnerable endpoint. This is a significant indicator of an attempted exploit as it is the primary method used to trigger the vulnerability. The analytic detects this behavior by analyzing web traffic data and identifying HTTP POST requests directed at the vulnerable endpoint. \ -Identifying this behavior is crucial for a Security Operations Center (SOC) as it can indicate an active attempt to exploit a known vulnerability within the network. If the identified behavior is a true positive, it suggests an attacker is attempting to exploit the CVE-2023-20887 vulnerability in VMWare vRealize Network Insight. The impact of such an attack could be severe, potentially allowing the attacker to execute arbitrary code on the affected system, leading to unauthorized access, data theft, or further propagation within the network. -how_to_implement = To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. Restrict to specific dest assets to reduce false positives. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1133", "T1190", "T1210", "T1068"], "nist": ["DE.CM"]} -known_false_positives = False positives will be present based on gateways in use, modify the status field as needed. -providing_technologies = null - -[savedsearch://ESCU - VMware Server Side Template Injection Hunt - Rule] -type = detection -asset_type = Web Server -confidence = medium -explanation = The following analytic identifies potential server-side template injection attempts related to CVE-2022-22954. It detects suspicious URL patterns containing "deviceudid" and keywords like "java.lang.ProcessBuilder" or "freemarker.template.utility.ObjectConstructor" using web or proxy logs within the Web Datamodel. This activity is significant as it may indicate an attempt to exploit a known vulnerability in VMware, potentially leading to remote code execution. If confirmed malicious, attackers could gain unauthorized access, execute arbitrary code, and compromise the affected system, posing a severe security risk. -how_to_implement = To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. For additional filtering, allow list private IP space or restrict by known good. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.AE"]} -known_false_positives = False positives may be present if the activity is blocked or was not successful. Filter known vulnerablity scanners. Filter as needed. -providing_technologies = null - -[savedsearch://ESCU - VMware Workspace ONE Freemarker Server-side Template Injection - Rule] -type = detection -asset_type = Web Server -confidence = medium -explanation = The following analytic identifies the server side template injection related to CVE-2022-22954. Based on the scanning activity across the internet and proof of concept code available the template injection occurs at catalog-portal/ui/oauth/verify?error=&deviceudid=. Upon triage, review parallel processes and VMware logs. Following the deviceudid= may be a command to be executed. Capture any file creates and review modified files on disk. -how_to_implement = To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. For additional filtering, allow list private IP space or restrict by known good. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.AE"]} -known_false_positives = False positives may be present if the activity is blocked or was not successful. Filter known vulnerablity scanners. Filter as needed. -providing_technologies = null - -[savedsearch://ESCU - Web JSP Request via URL - Rule] -type = detection -asset_type = Web Server -confidence = medium -explanation = The following analytic identifies the common URL requests used by a recent CVE - CVE-2022-22965, or Spring4Shell, to access a webshell on the remote webserver. The filename and cmd are arbitrary in this exploitation. Java will write a JSP to disk and a process will spawn from Java based on the cmd passed. This is indicative of typical web shell activity. -how_to_implement = To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1505.003", "T1505", "T1190", "T1133"], "nist": ["DE.CM"]} -known_false_positives = False positives may be present with legitimate applications. Attempt to filter by dest IP or use Asset groups to restrict to servers. -providing_technologies = null - -[savedsearch://ESCU - Web Remote ShellServlet Access - Rule] -type = detection -asset_type = Web Server -confidence = medium -explanation = This analytic identifies attempts to access the Remote ShellServlet on a web server, which is utilized to execute commands. Such activity is commonly linked with web shells and other forms of malicious behavior. It was specifically detected on a Confluence server in relation to CVE-2023-22518 and CVE-2023-22515. Activities preceding access to the shell servlet include the addition of a plugin to Confluence. Additionally, it is advisable to monitor for ShellServlet?act=3, ShellServlet, or obfuscated variations such as Sh3llServlet1. -how_to_implement = This analytic necessitates the collection of web data, which can be achieved through Splunk Stream or by utilizing the Splunk Add-on for Apache Web Server. No additional configuration is required for this analytic. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} -known_false_positives = False positives may occur depending on the web server's configuration. If the web server is intentionally configured to utilize the Remote ShellServlet, then the detections by this analytic would not be considered true positives. -providing_technologies = null - -[savedsearch://ESCU - Web Spring4Shell HTTP Request Class Module - Rule] -type = detection -asset_type = Web Server -confidence = medium -explanation = The following analytic identifies the payload related to Spring4Shell, CVE-2022-22965. This analytic uses Splunk Stream HTTP to view the http request body, form data. STRT reviewed all the current proof of concept code and determined the commonality with the payloads being passed used the same fields "class.module.classLoader.resources.context.parent.pipeline.first". -how_to_implement = To successfully implement this search, you need to be ingesting logs with the stream HTTP logs or network logs that catch network traffic. Make sure that the http-request-body, payload, or request field is enabled. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} -known_false_positives = False positives may occur and filtering may be required. Restrict analytic to asset type. -providing_technologies = null - -[savedsearch://ESCU - Web Spring Cloud Function FunctionRouter - Rule] -type = detection -asset_type = Web Server -confidence = medium -explanation = The following analytic identifies activity related to the web application Spring Cloud Function that was recently idenfied as vulnerable. This is CVE-2022-22963. Multiple proof of concept code was released. The URI that is hit includes `functionrouter`. The specifics of the exploit include a status of 500. In this query we did not include it, but for filtering you can add Web.status=500. The exploit data itself (based on all the POCs) is located in the form_data field. This field will include all class.modules being called. -how_to_implement = To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} -known_false_positives = False positives may be present with legitimate applications. Attempt to filter by dest IP or use Asset groups to restrict to servers. -providing_technologies = null - -[savedsearch://ESCU - Windows Exchange Autodiscover SSRF Abuse - Rule] -type = detection -asset_type = Web Server -confidence = medium -explanation = The following analytic utilizes the Web datamodel and identifies the ProxyShell or ProxyNotShell abuse. This vulnerability is a Server Side Request Forgery (SSRF) vulnerability, which is a web vulnerability that allows an adversary to exploit vulnerable functionality to access server side or local network services by affectively traversing the external firewall using vulnerable web functionality. This analytic looks for the URI path and query of autodiscover, powershell and mapi along with a POST occurring. It will tally a simple score and show the output of the events that match. This analytic may be added to by simply creating a new eval statement and modifying the hardcode digit for Score. -how_to_implement = To successfully implement this search you need to be ingesting information on Web traffic, Exchange OR IIS logs, mapped to `Web` datamodel in the `Web` node. In addition, confirm the latest CIM App 4.20 or higher is installed. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} -known_false_positives = False positives are limited. -providing_technologies = null - -[savedsearch://ESCU - WordPress Bricks Builder plugin RCE - Rule] -type = detection -asset_type = Web Server -confidence = medium -explanation = The following analytic identifies potential exploitation of the WordPress Bricks Builder plugin RCE vulnerability. The search is focused on the URL path "/wp-json/bricks/v1/render_element" with a status code of 200 and a POST method. It has been addressed by the theme developers in version 1.9.6.1 released on February 13, 2024. The vulnerability is tracked as CVE-2024-25600. The POC exploit is simple enough and will spawn commands on the target server. The exploit is actively being used in the wild. -how_to_implement = The search is based on data in the Web datamodel and was modeled from NGINX logs. Ensure that the Web datamodel is accelerated and that the data source for the Web datamodel is properly configured. If using other web sources, modify they query, or review the data, as needed. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} -known_false_positives = False positives may be possible, however we restricted it to HTTP Status 200 and POST requests, based on the POC. Upon investigation review the POST body for the actual payload - or command - being executed. -providing_technologies = null - -[savedsearch://ESCU - WS FTP Remote Code Execution - Rule] -type = detection -asset_type = Web Server -confidence = medium -explanation = The following analytic is designed to detect a Remote Code Execution (RCE) vulnerability (CVE-2023-40044) in WS_FTP, a managed file transfer software by Progress. The search specifically looks for HTTP requests to the "/AHT/AhtApiService.asmx/AuthUser" URL with a status of 200, which could indicate an exploitation attempt. -how_to_implement = The following analytic requires the Web datamodel. Ensure data source is mapped correctly or modify and tune for your data source. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} -known_false_positives = If WS_FTP Server is not in use, this analytic will not return results. Monitor and tune for your environment. Note the MetaSploit module is focused on only hitting /AHT/ and not the full /AHT/AhtApiService.asmx/AuthUser URL. -providing_technologies = null - -[savedsearch://ESCU - Zscaler Adware Activities Threat Blocked - Rule] -type = detection -asset_type = Web Server -confidence = medium -explanation = The following analytic is designed to detect potential adware activity which is blocked by Zscaler. Utilizing Splunk search functionality, it filters web proxy logs for blocked actions associated with adware threats. Key data points like the device owner, user, URL category, destination URL and IP, and action taken are analyzed to highlight possible adware intrusions. -how_to_implement = You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the "zscalernss-web" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566"], "nist": ["DE.AE"]} -known_false_positives = False positives are limited to Zscaler configuration. -providing_technologies = null - -[savedsearch://ESCU - Zscaler Behavior Analysis Threat Blocked - Rule] -type = detection -asset_type = Web Server -confidence = medium -explanation = The analytic is built to identify threats blocked by the Zscaler proxy based on behavior analysis. It filters web proxy logs for entries where actions are blocked and threat names and classes are specified. The search further refines the results to include only those with reasons related to "block". It then aggregates the count, providing a clear view of the threat landscape as handled by the behavior analysis proxy. -how_to_implement = You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the "zscalernss-web" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566"], "nist": ["DE.AE"]} -known_false_positives = False positives are limited to Zscalar configuration. -providing_technologies = null - -[savedsearch://ESCU - Zscaler CryptoMiner Downloaded Threat Blocked - Rule] -type = detection -asset_type = Web Server -confidence = medium -explanation = The analytic is crafted to detect potential download of cryptomining software within a network that is blocked by Zscaler. Utilizing Splunk search functionality, it sifts through web proxy logs for blocked actions associated with cryptominer threats. Key data points like the device owner, user, URL category, destination URL and IP, and action taken are analyzed to highlight possible cryptominer downloads. This detection, categorized as an anomaly, aids in early identification and mitigation of cryptomining activities, ensuring network integrity and resource availability. -how_to_implement = You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the "zscalernss-web" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566"], "nist": ["DE.AE"]} -known_false_positives = False positives are limited to Zscaler configuration. -providing_technologies = null - -[savedsearch://ESCU - Zscaler Employment Search Web Activity - Rule] -type = detection -asset_type = Web Server -confidence = medium -explanation = The analytic is designed to identify destinations within a network deemed as potential Empolyment Searches. Utilizing Splunk's search functionality, it processes web proxy logs, focusing on entries marked as 'Job/Employment Search'. Key data points such as device owner, user, URL category, destination URL and IP, and action taken are analyzed to enumerate the employment risk destinations. This anomaly-type detection aids in monitoring and managing risks, promoting a secure environment from insider threats. -how_to_implement = You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the "zscalernss-web" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566"], "nist": ["DE.AE"]} -known_false_positives = False positives are limited to Zscaler configuration. -providing_technologies = null - -[savedsearch://ESCU - Zscaler Exploit Threat Blocked - Rule] -type = detection -asset_type = Web Server -confidence = medium -explanation = The analytic is aimed at detecting potential exploit attempts that involve command and script interpreters blocked by Zscaler. By querying web proxy logs, it isolates incidents where actions have been either blocked with references to exploits. The search compiles statistics by user, threat name, URL, hostname, file class, and filename, giving a detailed view of any exploit-related activity. Marked as a tactic, technique, and procedure (TTP), this analytic is essential for identifying and mitigating exploit attempts. -how_to_implement = You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the "zscalernss-web" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566"], "nist": ["DE.CM"]} -known_false_positives = False positives are limited to Zscaler configuration. -providing_technologies = null - -[savedsearch://ESCU - Zscaler Legal Liability Threat Blocked - Rule] -type = detection -asset_type = Web Server -confidence = medium -explanation = The analytic is aimed at identifying the most significant legal liability threats blocked by zcaler web proxy. It leverages web proxy logs to list the destinations, device owners, users, URL categories, and actions that are associated with Legal Liability, by utilizing stats on unique fields, it ensures a precise focus on unique legal liability threats, thereby providing valuable insights for organizations to enforce legal compliance and risk management. -how_to_implement = You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the "zscalernss-web" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566"], "nist": ["DE.AE"]} -known_false_positives = False positives are limited to Zscaler configuration. -providing_technologies = null - -[savedsearch://ESCU - Zscaler Malware Activity Threat Blocked - Rule] -type = detection -asset_type = Web Server -confidence = medium -explanation = The analytic targets the detection of potential malware activities within a network that are blocked by Zscaler. By filtering web proxy logs for blocked actions associated with malware, where a threat category is specified, the analytic aggregates occurrences by user, URL, and threat category. This approach ensures a focused identification of malware activities, making it an effective tool for ongoing network security monitoring and anomaly detection. -how_to_implement = You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the "zscalernss-web" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566"], "nist": ["DE.AE"]} -known_false_positives = False positives are limited to Zscalar configuration. -providing_technologies = null - -[savedsearch://ESCU - Zscaler Phishing Activity Threat Blocked - Rule] -type = detection -asset_type = Web Server -confidence = medium -explanation = The analytic is devised to detect likely phishing attempts within a network blocked by Zscaler. By leveraging Splunk search functionality, it evaluates web proxy logs for blocked actions correlated with phishing threats, specifically those tagged as HTML.Phish. Critical data points such as the user, threat name, URL, and hostname are analyzed to accentuate possible phishing activities. This anomaly-type detection serves as an early warning system, facilitating prompt investigation and mitigation of phishing threats, thereby bolstering network security. -how_to_implement = You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the "zscalernss-web" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566"], "nist": ["DE.AE"]} -known_false_positives = False positives are limited to Zscalar configuration. -providing_technologies = null - -[savedsearch://ESCU - Zscaler Potentially Abused File Download - Rule] -type = detection -asset_type = Web Server -confidence = medium -explanation = The analytic is engineered to detect potential rarely abused malicious filetypes downloaded within a network. They are usually used to spread malwares. Utilizing Splunk search functionality, it examines web proxy logs for blocked actions related to potential threats. Essential data points like the deviceowner, user, urlcategory, url, dest, and filename taken are analyzed to highlight possible malicious endeavors. This detection, marked as an anomaly, aids in early identification and mitigation of malicious download activities, ensuring a safer network environment. -how_to_implement = You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the "zscalernss-web" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566"], "nist": ["DE.AE"]} -known_false_positives = False positives are limited to Zscaler configuration. -providing_technologies = null - -[savedsearch://ESCU - Zscaler Privacy Risk Destinations Threat Blocked - Rule] -type = detection -asset_type = Web Server -confidence = medium -explanation = The analytic is designed to identify blocked destinations within a network deemed as privacy risks by Zscaler. Utilizing Splunk search functionality, it processes web proxy logs, focusing on entries marked as Privacy Risk. Key data points such as device owner, user, URL category, destination URL and IP, and action taken are analyzed to enumerate the privacy risk destinations. This anomaly-type detection aids in monitoring and managing privacy risks, promoting a secure network environment. -how_to_implement = You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the "zscalernss-web" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566"], "nist": ["DE.AE"]} -known_false_positives = False positives are limited to Zscaler configuration. -providing_technologies = null - -[savedsearch://ESCU - Zscaler Scam Destinations Threat Blocked - Rule] -type = detection -asset_type = Web Server -confidence = medium -explanation = The analytic is engineered to detect potential scam activities within a network by Zscaler. Utilizing Splunk search functionality, it examines web proxy logs for blocked actions related to scam threats. Essential data points like the device owner, user, URL category, destination URL and IP, and action taken are analyzed to highlight possible scam endeavors. This detection, marked as an anomaly, aids in early identification and mitigation of scam activities, ensuring a safer network environment. -how_to_implement = You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the "zscalernss-web" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566"], "nist": ["DE.AE"]} -known_false_positives = False positives are limited to Zscaler configuration. -providing_technologies = null - -[savedsearch://ESCU - Zscaler Virus Download threat blocked - Rule] -type = detection -asset_type = Web Server -confidence = medium -explanation = The analytic is formulated to detect blocked virus download activities within a network by Zscaler. Employing Splunk's search functionality, it reviews web proxy logs for blocked actions indicative of virus threats downloads. Key data points like the device owner, user, URL category, destination URL and IP, and action taken are analyzed to pinpoint possible virus downloads. As an anomaly-type detection, this analytic facilitates early detection and remediation of virus download attempts, contributing to enhanced network security. -how_to_implement = You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the "zscalernss-web" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566"], "nist": ["DE.AE"]} -known_false_positives = False positives are limited to Zscaler configuration. -providing_technologies = null - -### END DETECTIONS ### - -### STORIES ### - -[analytic_story://3CX Supply Chain Attack] -category = Adversary Tactics -last_updated = 2023-03-30 -version = 1 -references = ["https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/", "https://www.cisa.gov/news-events/alerts/2023/03/30/supply-chain-attack-against-3cxdesktopapp", "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/", "https://www.3cx.com/community/threads/crowdstrike-endpoint-security-detection-re-3cx-desktop-app.119934/page-2#post-558898", "https://www.3cx.com/community/threads/3cx-desktopapp-security-alert.119951/", "https://www.elastic.co/security-labs/elastic-users-protected-from-suddenicon-supply-chain-attack", "https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - 3CX Supply Chain Attack Network Indicators - Rule", "ESCU - Hunting 3CXDesktopApp Software - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Windows Vulnerable 3CX Software - Rule"] -description = On March 29, 2023, CrowdStrike Falcon OverWatch observed unexpected malicious activity emanating from a legitimate, signed binary, 3CXDesktopApp, a softphone application from 3CX. The malicious activity includes beaconing to actor controlled infrastructure, deployment of second stage payloads, and, in a small number of cases, hands on keyboard activity. (CrowdStrike) -narrative = On March 22, 2023, cybersecurity firm SentinelOne observed a surge in behavioral detections of trojanized 3CXDesktopApp installers, a popular PABX voice and video conferencing software. The multi-stage attack chain, which automatically quarantines trojanized installers, involves downloading ICO files with base64 data from GitHub and eventually leads to a 3rd stage infostealer DLL that is still under analysis. While the Mac installer remains unconfirmed as trojanized, ongoing investigations are also examining other potentially compromised applications, such as Chrome extensions. The threat actor behind the supply chain compromise, which started in February 2022, has used a code signing certificate to sign the trojanized binaries, but connections to existing threat clusters remain unclear. SentinelOne updated their IOCs on March 30th, 2023, with contributions from the research community and continues to monitor the situation for further developments. 3CX identified the vulnerability in the recent versions 18.12.407 and 18.12.416 for the desktop app. A new certificate for the app will also be produced. - -[analytic_story://Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring] -category = Cloud Security -last_updated = 2024-01-08 -version = 1 -references = ["https://kubernetes.io/docs/concepts/security/", "https://splunkbase.splunk.com/app/5247"] -maintainers = [{"company": "Patrick Bareiss, Splunk", "email": "-", "name": "Matthew Moore"}] -spec_version = 3 -searches = ["ESCU - Kubernetes Anomalous Inbound Network Activity from Process - Rule", "ESCU - Kubernetes Anomalous Inbound Outbound Network IO - Rule", "ESCU - Kubernetes Anomalous Inbound to Outbound Network IO Ratio - Rule", "ESCU - Kubernetes Anomalous Outbound Network Activity from Process - Rule", "ESCU - Kubernetes Anomalous Traffic on Network Edge - Rule", "ESCU - Kubernetes newly seen TCP edge - Rule", "ESCU - Kubernetes newly seen UDP edge - Rule", "ESCU - Kubernetes Previously Unseen Container Image Name - Rule", "ESCU - Kubernetes Previously Unseen Process - Rule", "ESCU - Kubernetes Process Running From New Path - Rule", "ESCU - Kubernetes Process with Anomalous Resource Utilisation - Rule", "ESCU - Kubernetes Process with Resource Ratio Anomalies - Rule", "ESCU - Kubernetes Shell Running on Worker Node - Rule", "ESCU - Kubernetes Shell Running on Worker Node with CPU Activity - Rule"] -description = Kubernetes, a complex container orchestration system, is susceptible to a variety of security threats. This story delves into the different strategies and methods adversaries employ to exploit Kubernetes environments. These include attacks on the control plane, exploitation of misconfigurations, and breaches of containerized applications. Observability data, such as metrics, play a crucial role in identifying abnormal and potentially malicious behavior within these environments. -narrative = Kubernetes, a complex container orchestration system, is a prime target for adversaries due to its widespread use and inherent complexity. This story focuses on the abnormal behavior within Kubernetes environments that can be indicative of security threats. Key areas of concern include the control plane, worker nodes, and network communication, all of which can be exploited by attackers. Observability data, such as metrics, play a crucial role in identifying these abnormal behaviors. These behaviors could be a result of attacks on the control plane, exploitation of misconfigurations, or breaches of containerized applications. For instance, attackers may attempt to exploit vulnerabilities in the Kubernetes API, misconfigured containers, or insecure network policies. The control plane, which manages cluster operations, is a prime target and its compromise can give attackers control over the entire cluster. Worker nodes, which run the containerized applications, can also be targeted to disrupt services or to gain access to sensitive data. - -[analytic_story://AcidRain] -category = Malware -last_updated = 2022-04-12 -version = 1 -references = ["https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Teoderick Contreras"}] -spec_version = 3 -searches = ["ESCU - Linux Account Manipulation Of SSH Config and Keys - Rule", "ESCU - Linux Deletion Of Cron Jobs - Rule", "ESCU - Linux Deletion Of Init Daemon Script - Rule", "ESCU - Linux Deletion Of Services - Rule", "ESCU - Linux Deletion of SSL Certificate - Rule", "ESCU - Linux High Frequency Of File Deletion In Etc Folder - Rule"] -description = Leverage searches that allow you to detect and investigate unusual activities that might relate to the acidrain malware including deleting of files and etc. AcidRain is an ELF MIPS malware specifically designed to wipe modems and routers. The complete list of targeted devices is unknown at this time, but WatchGuard FireBox has specifically been listed as a target. This malware is capable of wiping and deleting non-standard linux files and overwriting storage device files that might related to router, ssd card and many more. -narrative = Adversaries may use this technique to maximize the impact on the target organization in operations where network wide availability interruption is the goal. - -[analytic_story://Active Directory Discovery] -category = Adversary Tactics -last_updated = 2021-08-20 -version = 1 -references = ["https://attack.mitre.org/tactics/TA0007/", "https://adsecurity.org/?p=2535", "https://attack.mitre.org/techniques/T1087/001/", "https://attack.mitre.org/techniques/T1087/002/", "https://attack.mitre.org/techniques/T1087/003/", "https://attack.mitre.org/techniques/T1482/", "https://attack.mitre.org/techniques/T1201/", "https://attack.mitre.org/techniques/T1069/001/", "https://attack.mitre.org/techniques/T1069/002/", "https://attack.mitre.org/techniques/T1018/", "https://attack.mitre.org/techniques/T1049/", "https://attack.mitre.org/techniques/T1033/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Mauricio Velazco"}] -spec_version = 3 -searches = ["ESCU - AdsiSearcher Account Discovery - Rule", "ESCU - Domain Account Discovery with Dsquery - Rule", "ESCU - Domain Account Discovery With Net App - Rule", "ESCU - Domain Account Discovery with Wmic - Rule", "ESCU - Domain Controller Discovery with Nltest - Rule", "ESCU - Domain Controller Discovery with Wmic - Rule", "ESCU - Domain Group Discovery with Adsisearcher - Rule", "ESCU - Domain Group Discovery With Dsquery - Rule", "ESCU - Domain Group Discovery With Net - Rule", "ESCU - Domain Group Discovery With Wmic - Rule", "ESCU - DSQuery Domain Discovery - Rule", "ESCU - Elevated Group Discovery With Net - Rule", "ESCU - Elevated Group Discovery with PowerView - Rule", "ESCU - Elevated Group Discovery With Wmic - Rule", "ESCU - Get ADDefaultDomainPasswordPolicy with Powershell - Rule", "ESCU - Get ADDefaultDomainPasswordPolicy with Powershell Script Block - Rule", "ESCU - Get ADUser with PowerShell - Rule", "ESCU - Get ADUser with PowerShell Script Block - Rule", "ESCU - Get ADUserResultantPasswordPolicy with Powershell - Rule", "ESCU - Get ADUserResultantPasswordPolicy with Powershell Script Block - Rule", "ESCU - Get DomainPolicy with Powershell - Rule", "ESCU - Get DomainPolicy with Powershell Script Block - Rule", "ESCU - Get-DomainTrust with PowerShell - Rule", "ESCU - Get-DomainTrust with PowerShell Script Block - Rule", "ESCU - Get DomainUser with PowerShell - Rule", "ESCU - Get DomainUser with PowerShell Script Block - Rule", "ESCU - Get-ForestTrust with PowerShell - Rule", "ESCU - Get-ForestTrust with PowerShell Script Block - Rule", "ESCU - Get WMIObject Group Discovery - Rule", "ESCU - Get WMIObject Group Discovery with Script Block Logging - Rule", "ESCU - GetAdComputer with PowerShell - Rule", "ESCU - GetAdComputer with PowerShell Script Block - Rule", "ESCU - GetAdGroup with PowerShell - Rule", "ESCU - GetAdGroup with PowerShell Script Block - Rule", "ESCU - GetCurrent User with PowerShell - Rule", "ESCU - GetCurrent User with PowerShell Script Block - Rule", "ESCU - GetDomainComputer with PowerShell - Rule", "ESCU - GetDomainComputer with PowerShell Script Block - Rule", "ESCU - GetDomainController with PowerShell - Rule", "ESCU - GetDomainController with PowerShell Script Block - Rule", "ESCU - GetDomainGroup with PowerShell - Rule", "ESCU - GetDomainGroup with PowerShell Script Block - Rule", "ESCU - GetLocalUser with PowerShell - Rule", "ESCU - GetLocalUser with PowerShell Script Block - Rule", "ESCU - GetNetTcpconnection with PowerShell - Rule", "ESCU - GetNetTcpconnection with PowerShell Script Block - Rule", "ESCU - GetWmiObject Ds Computer with PowerShell - Rule", "ESCU - GetWmiObject Ds Computer with PowerShell Script Block - Rule", "ESCU - GetWmiObject Ds Group with PowerShell - Rule", "ESCU - GetWmiObject Ds Group with PowerShell Script Block - Rule", "ESCU - GetWmiObject DS User with PowerShell - Rule", "ESCU - GetWmiObject DS User with PowerShell Script Block - Rule", "ESCU - GetWmiObject User Account with PowerShell - Rule", "ESCU - GetWmiObject User Account with PowerShell Script Block - Rule", "ESCU - Local Account Discovery with Net - Rule", "ESCU - Local Account Discovery With Wmic - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Connection Discovery With Net - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Network Discovery Using Route Windows App - Rule", "ESCU - NLTest Domain Trust Discovery - Rule", "ESCU - Password Policy Discovery with Net - Rule", "ESCU - PowerShell Get LocalGroup Discovery - Rule", "ESCU - Powershell Get LocalGroup Discovery with Script Block Logging - Rule", "ESCU - Remote System Discovery with Adsisearcher - Rule", "ESCU - Remote System Discovery with Dsquery - Rule", "ESCU - Remote System Discovery with Net - Rule", "ESCU - Remote System Discovery with Wmic - Rule", "ESCU - ServicePrincipalNames Discovery with PowerShell - Rule", "ESCU - ServicePrincipalNames Discovery with SetSPN - Rule", "ESCU - System User Discovery With Query - Rule", "ESCU - System User Discovery With Whoami - Rule", "ESCU - User Discovery With Env Vars PowerShell - Rule", "ESCU - User Discovery With Env Vars PowerShell Script Block - Rule", "ESCU - Windows AD Abnormal Object Access Activity - Rule", "ESCU - Windows AD Privileged Object Access Activity - Rule", "ESCU - Windows File Share Discovery With Powerview - Rule", "ESCU - Windows Find Domain Organizational Units with GetDomainOU - Rule", "ESCU - Windows Find Interesting ACL with FindInterestingDomainAcl - Rule", "ESCU - Windows Forest Discovery with GetForestDomain - Rule", "ESCU - Windows Get Local Admin with FindLocalAdminAccess - Rule", "ESCU - Windows Hidden Schedule Task Settings - Rule", "ESCU - Windows Lateral Tool Transfer RemCom - Rule", "ESCU - Windows Linked Policies In ADSI Discovery - Rule", "ESCU - Windows PowerView AD Access Control List Enumeration - Rule", "ESCU - Windows Root Domain linked policies Discovery - Rule", "ESCU - Windows Service Create RemComSvc - Rule", "ESCU - Windows Suspect Process With Authentication Traffic - Rule", "ESCU - Wmic Group Discovery - Rule"] -description = Monitor for activities and techniques associated with Discovery and Reconnaissance within with Active Directory environments. -narrative = Discovery consists of techniques an adversay uses to gain knowledge about an internal environment or network. These techniques provide adversaries with situational awareness and allows them to have the necessary information before deciding how to act or who/what to target next. \ -Once an attacker obtains an initial foothold in an Active Directory environment, she is forced to engage in Discovery techniques in the initial phases of a breach to better understand and navigate the target network. Some examples include but are not limited to enumerating domain users, domain admins, computers, domain controllers, network shares, group policy objects, domain trusts, etc. - -[analytic_story://Active Directory Kerberos Attacks] -category = Adversary Tactics -last_updated = 2022-02-02 -version = 1 -references = ["https://en.wikipedia.org/wiki/Kerberos_(protocol)", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/2a32282e-dd48-4ad9-a542-609804b02cc9", "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", "https://stealthbits.com/blog/cracking-active-directory-passwords-with-as-rep-roasting/", "https://attack.mitre.org/techniques/T1558/003/", "https://attack.mitre.org/techniques/T1550/003/", "https://attack.mitre.org/techniques/T1558/004/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Mauricio Velazco"}] -spec_version = 3 -searches = ["ESCU - Disabled Kerberos Pre-Authentication Discovery With Get-ADUser - Rule", "ESCU - Disabled Kerberos Pre-Authentication Discovery With PowerView - Rule", "ESCU - Kerberoasting spn request with RC4 encryption - Rule", "ESCU - Kerberos Pre-Authentication Flag Disabled in UserAccountControl - Rule", "ESCU - Kerberos Pre-Authentication Flag Disabled with PowerShell - Rule", "ESCU - Kerberos Service Ticket Request Using RC4 Encryption - Rule", "ESCU - Kerberos TGT Request Using RC4 Encryption - Rule", "ESCU - Kerberos User Enumeration - Rule", "ESCU - Mimikatz PassTheTicket CommandLine Parameters - Rule", "ESCU - PetitPotam Suspicious Kerberos TGT Request - Rule", "ESCU - Rubeus Command Line Parameters - Rule", "ESCU - Rubeus Kerberos Ticket Exports Through Winlogon Access - Rule", "ESCU - ServicePrincipalNames Discovery with PowerShell - Rule", "ESCU - ServicePrincipalNames Discovery with SetSPN - Rule", "ESCU - Suspicious Kerberos Service Ticket Request - Rule", "ESCU - Suspicious Ticket Granting Ticket Request - Rule", "ESCU - Unknown Process Using The Kerberos Protocol - Rule", "ESCU - Unusual Number of Computer Service Tickets Requested - Rule", "ESCU - Unusual Number of Kerberos Service Tickets Requested - Rule", "ESCU - Windows Computer Account Created by Computer Account - Rule", "ESCU - Windows Computer Account Requesting Kerberos Ticket - Rule", "ESCU - Windows Computer Account With SPN - Rule", "ESCU - Windows Domain Admin Impersonation Indicator - Rule", "ESCU - Windows Get-AdComputer Unconstrained Delegation Discovery - Rule", "ESCU - Windows Kerberos Local Successful Logon - Rule", "ESCU - Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos - Rule", "ESCU - Windows Multiple Invalid Users Fail To Authenticate Using Kerberos - Rule", "ESCU - Windows Multiple Users Failed To Authenticate Using Kerberos - Rule", "ESCU - Windows PowerView Constrained Delegation Discovery - Rule", "ESCU - Windows PowerView Kerberos Service Ticket Request - Rule", "ESCU - Windows PowerView SPN Discovery - Rule", "ESCU - Windows PowerView Unconstrained Delegation Discovery - Rule", "ESCU - Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Users Failed To Auth Using Kerberos - Rule"] -description = Monitor for activities and techniques associated with Kerberos based attacks within with Active Directory environments. -narrative = Kerberos, initially named after Cerberus, the three-headed dog in Greek mythology, is a network authentication protocol that allows computers and users to prove their identity through a trusted third-party. This trusted third-party issues Kerberos tickets using symmetric encryption to allow users access to services and network resources based on their privilege level. Kerberos is the default authentication protocol used on Windows Active Directory networks since the introduction of Windows Server 2003. With Kerberos being the backbone of Windows authentication, it is commonly abused by adversaries across the different phases of a breach including initial access, privilege escalation, defense evasion, credential access, lateral movement, etc. \ -This Analytic Story groups detection use cases in which the Kerberos protocol is abused. Defenders can leverage these analytics to detect and hunt for adversaries engaging in Kerberos based attacks. - -[analytic_story://Active Directory Lateral Movement] -category = Adversary Tactics -last_updated = 2021-12-09 -version = 3 -references = ["https://www.fireeye.com/blog/executive-perspective/2015/08/malware_lateral_move.html", "http://www.irongeek.com/i.php?page=videos/derbycon7/t405-hunting-lateral-movement-for-fun-and-profit-mauricio-velazco"] -maintainers = [{"company": "Mauricio Velazco Splunk", "email": "-", "name": "David Dorsey"}] -spec_version = 3 -searches = ["ESCU - Detect Activity Related to Pass the Hash Attacks - Rule", "ESCU - Active Directory Lateral Movement Identified - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Interactive Session on Remote Endpoint with PowerShell - Rule", "ESCU - Mmc LOLBAS Execution Process Spawn - Rule", "ESCU - Possible Lateral Movement PowerShell Spawn - Rule", "ESCU - PowerShell Invoke CIMMethod CIMSession - Rule", "ESCU - PowerShell Start or Stop Service - Rule", "ESCU - Randomly Generated Scheduled Task Name - Rule", "ESCU - Randomly Generated Windows Service Name - Rule", "ESCU - Remote Desktop Process Running On System - Rule", "ESCU - Remote Process Instantiation via DCOM and PowerShell - Rule", "ESCU - Remote Process Instantiation via DCOM and PowerShell Script Block - Rule", "ESCU - Remote Process Instantiation via WinRM and PowerShell - Rule", "ESCU - Remote Process Instantiation via WinRM and PowerShell Script Block - Rule", "ESCU - Remote Process Instantiation via WinRM and Winrs - Rule", "ESCU - Remote Process Instantiation via WMI - Rule", "ESCU - Remote Process Instantiation via WMI and PowerShell - Rule", "ESCU - Remote Process Instantiation via WMI and PowerShell Script Block - Rule", "ESCU - Scheduled Task Creation on Remote Endpoint using At - Rule", "ESCU - Scheduled Task Initiation on Remote Endpoint - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Services LOLBAS Execution Process Spawn - Rule", "ESCU - Short Lived Scheduled Task - Rule", "ESCU - Short Lived Windows Accounts - Rule", "ESCU - Svchost LOLBAS Execution Process Spawn - Rule", "ESCU - Unusual Number of Computer Service Tickets Requested - Rule", "ESCU - Unusual Number of Remote Endpoint Authentication Events - Rule", "ESCU - Windows Administrative Shares Accessed On Multiple Hosts - Rule", "ESCU - Windows Enable Win32 ScheduledJob via Registry - Rule", "ESCU - Windows Large Number of Computer Service Tickets Requested - Rule", "ESCU - Windows Local Administrator Credential Stuffing - Rule", "ESCU - Windows PowerShell Get CIMInstance Remote Computer - Rule", "ESCU - Windows PowerShell WMI Win32 ScheduledJob - Rule", "ESCU - Windows Rapid Authentication On Multiple Hosts - Rule", "ESCU - Windows RDP Connection Successful - Rule", "ESCU - Windows Remote Create Service - Rule", "ESCU - Windows Service Create with Tscon - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows Service Created Within Public Path - Rule", "ESCU - Windows Service Creation on Remote Endpoint - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule", "ESCU - Windows Service Initiation on Remote Endpoint - Rule", "ESCU - Windows Special Privileged Logon On Multiple Hosts - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - Wmiprsve LOLBAS Execution Process Spawn - Rule", "ESCU - Wsmprovhost LOLBAS Execution Process Spawn - Rule", "ESCU - Remote Desktop Network Traffic - Rule", "ESCU - Investigate Successful Remote Desktop Authentications - Response Task"] -description = Detect and investigate tactics, techniques, and procedures around how attackers move laterally within an Active Directory environment. Since lateral movement is often a necessary step in a breach, it is important for cyber defenders to deploy detection coverage. -narrative = Once attackers gain a foothold within an enterprise, they will seek to expand their accesses and leverage techniques that facilitate lateral movement. Attackers will often spend quite a bit of time and effort moving laterally. Because lateral movement renders an attacker the most vulnerable to detection, it's an excellent focus for detection and investigation. \ -Indications of lateral movement in an Active Directory network can include the abuse of system utilities (such as `psexec.exe`), unauthorized use of remote desktop services, `file/admin$` shares, WMI, PowerShell, Service Control Manager, the DCOM protocol, WinRM or the abuse of scheduled tasks. Organizations must be extra vigilant in detecting lateral movement techniques and look for suspicious activity in and around high-value strategic network assets, such as Active Directory, which are often considered the primary target or "crown jewels" to a persistent threat actor. \ -An adversary can use lateral movement for multiple purposes, including remote execution of tools, pivoting to additional systems, obtaining access to specific information or files, access to additional credentials, exfiltrating data, or delivering a secondary effect. Adversaries may use legitimate credentials alongside inherent network and operating-system functionality to remotely connect to other systems and remain under the radar of network defenders. \ -If there is evidence of lateral movement, it is imperative for analysts to collect evidence of the associated offending hosts. For example, an attacker might leverage host A to gain access to host B. From there, the attacker may try to move laterally to host C. In this example, the analyst should gather as much information as possible from all three hosts. \ -It is also important to collect authentication logs for each host, to ensure that the offending accounts are well-documented. Analysts should account for all processes to ensure that the attackers did not install unauthorized software. - -[analytic_story://Active Directory Password Spraying] -category = Adversary Tactics -last_updated = 2021-04-07 -version = 2 -references = ["https://attack.mitre.org/techniques/T1110/003/", "https://www.microsoft.com/security/blog/2020/04/23/protecting-organization-password-spray-attacks/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn452415(v=ws.11)"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Mauricio Velazco"}] -spec_version = 3 -searches = ["ESCU - Detect Excessive Account Lockouts From Endpoint - Rule", "ESCU - Detect Excessive User Account Lockouts - Rule", "ESCU - Windows Create Local Account - Rule", "ESCU - Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos - Rule", "ESCU - Windows Multiple Invalid Users Fail To Authenticate Using Kerberos - Rule", "ESCU - Windows Multiple Invalid Users Failed To Authenticate Using NTLM - Rule", "ESCU - Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials - Rule", "ESCU - Windows Multiple Users Failed To Authenticate From Host Using NTLM - Rule", "ESCU - Windows Multiple Users Failed To Authenticate From Process - Rule", "ESCU - Windows Multiple Users Failed To Authenticate Using Kerberos - Rule", "ESCU - Windows Multiple Users Remotely Failed To Authenticate From Host - Rule", "ESCU - Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM - Rule", "ESCU - Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials - Rule", "ESCU - Windows Unusual Count Of Users Failed To Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Users Failed To Authenticate From Process - Rule", "ESCU - Windows Unusual Count Of Users Failed To Authenticate Using NTLM - Rule", "ESCU - Windows Unusual Count Of Users Remotely Failed To Auth From Host - Rule"] -description = Monitor for activities and techniques associated with Password Spraying attacks within Active Directory environments. -narrative = In a password spraying attack, adversaries leverage one or a small list of commonly used / popular passwords against a large volume of usernames to acquire valid account credentials. Unlike a Brute Force attack that targets a specific user or small group of users with a large number of passwords, password spraying follows the opposite aproach and increases the chances of obtaining valid credentials while avoiding account lockouts. This allows adversaries to remain undetected if the target organization does not have the proper monitoring and detection controls in place. \ -Password Spraying can be leveraged by adversaries across different stages in an attack. It can be used to obtain an iniial access to an environment but can also be used to escalate privileges when access has been already achieved. In some scenarios, this technique capitalizes on a security policy most organizations implement, password rotation. As enterprise users change their passwords, it is possible some pick predictable, seasonal passwords such as `$CompanyNameWinter`, `Summer2021`, etc. \ -Specifically, this Analytic Story is focused on detecting possible Password Spraying attacks against Active Directory environments leveraging Windows Event Logs in the `Account Logon` and `Logon/Logoff` Advanced Audit Policy categories. It presents 16 detection analytics which can aid defenders in identifying instances where one source user, source host or source process attempts to authenticate against a target or targets using a high or statiscally unsual, number of unique users. A user, host or process attempting to authenticate with multiple users is not common behavior for legitimate systems and should be monitored by security teams. Possible false positive scenarios include but are not limited to vulnerability scanners, remote administration tools, multi-user systems and missconfigured systems. These should be easily spotted when first implementing the detection and addded to an allow list or lookup table. The presented detections can also be used in Threat Hunting exercises. - -[analytic_story://Active Directory Privilege Escalation] -category = Adversary Tactics -last_updated = 2023-03-20 -version = 1 -references = ["https://attack.mitre.org/tactics/TA0004/", "https://adsecurity.org/?p=3658", "https://adsecurity.org/?p=2362"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Mauricio Velazco"}] -spec_version = 3 -searches = ["ESCU - Active Directory Privilege Escalation Identified - Rule", "ESCU - Kerberos Service Ticket Request Using RC4 Encryption - Rule", "ESCU - Rubeus Command Line Parameters - Rule", "ESCU - ServicePrincipalNames Discovery with PowerShell - Rule", "ESCU - ServicePrincipalNames Discovery with SetSPN - Rule", "ESCU - Suspicious Computer Account Name Change - Rule", "ESCU - Suspicious Kerberos Service Ticket Request - Rule", "ESCU - Suspicious Ticket Granting Ticket Request - Rule", "ESCU - Unusual Number of Computer Service Tickets Requested - Rule", "ESCU - Unusual Number of Remote Endpoint Authentication Events - Rule", "ESCU - Windows Administrative Shares Accessed On Multiple Hosts - Rule", "ESCU - Windows Admon Default Group Policy Object Modified - Rule", "ESCU - Windows Admon Group Policy Object Created - Rule", "ESCU - Windows Default Group Policy Object Modified - Rule", "ESCU - Windows Default Group Policy Object Modified with GPME - Rule", "ESCU - Windows DnsAdmins New Member Added - Rule", "ESCU - Windows Domain Admin Impersonation Indicator - Rule", "ESCU - Windows File Share Discovery With Powerview - Rule", "ESCU - Windows Findstr GPP Discovery - Rule", "ESCU - Windows Group Policy Object Created - Rule", "ESCU - Windows Large Number of Computer Service Tickets Requested - Rule", "ESCU - Windows Local Administrator Credential Stuffing - Rule", "ESCU - Windows PowerSploit GPP Discovery - Rule", "ESCU - Windows PowerView AD Access Control List Enumeration - Rule", "ESCU - Windows Rapid Authentication On Multiple Hosts - Rule", "ESCU - Windows Special Privileged Logon On Multiple Hosts - Rule"] -description = Monitor for activities and techniques associated with Privilege Escalation attacks within Active Directory environments. -narrative = Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities. \ -Active Directory is a central component of most enterprise networks, providing authentication and authorization services for users, computers, and other resources. It stores sensitive information such as passwords, user accounts, and security policies, and is therefore a high-value target for attackers. Privilege escalation attacks in Active Directory typically involve exploiting vulnerabilities or misconfigurations across the network to gain elevated privileges, such as Domain Administrator access. Once an attacker has escalated their privileges and taken full control of a domain, they can easily move laterally throughout the network, access sensitive data, and carry out further attacks. Security teams should monitor for privilege escalation attacks in Active Directory to identify a breach before attackers achieve operational success. \ -The following analytic story groups detection opportunities that seek to identify an adversary attempting to escalate privileges in an Active Directory network. - -[analytic_story://Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360] -category = Adversary Tactics -last_updated = 2023-08-23 -version = 1 -references = ["https://helpx.adobe.com/security/products/coldfusion/apsb23-25.html", "https://twitter.com/stephenfewer/status/1678881017526886400?s=20", "https://www.rapid7.com/blog/post/2023/07/11/cve-2023-29298-adobe-coldfusion-access-control-bypass", "https://www.bleepingcomputer.com/news/security/cisa-warns-of-adobe-coldfusion-bug-exploited-as-a-zero-day/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - Adobe ColdFusion Access Control Bypass - Rule", "ESCU - Adobe ColdFusion Unauthenticated Arbitrary File Read - Rule"] -description = In July 2023, a significant vulnerability, CVE-2023-29298, affecting Adobe ColdFusion was uncovered by Rapid7, shedding light on an access control bypass mechanism. This vulnerability allows attackers to access sensitive ColdFusion Administrator endpoints by exploiting a flaw in the URL path validation. Disturbingly, this flaw can be chained with another critical vulnerability, CVE-2023-26360, which has been actively exploited. The latter enables unauthorized arbitrary code execution and file reading. Adobe has promptly addressed these vulnerabilities, but the intricacies and potential ramifications of their combination underscore the importance of immediate action by organizations. With active exploitation in the wild and the ability to bypass established security measures, the situation is alarming. Organizations are urged to apply the updates provided by Adobe immediately, considering the active threat landscape and the severe implications of these chained vulnerabilities. -narrative = Adobe ColdFusion, a prominent application server, has been thrust into the cybersecurity spotlight due to two intertwined vulnerabilities. The first, CVE-2023-29298, identified by Rapid7 in July 2023, pertains to an access control bypass in ColdFusion's security mechanisms. This flaw allows attackers to access protected ColdFusion Administrator endpoints simply by manipulating the URL path, specifically by inserting an additional forward slash. Compounding the threat is the revelation that CVE-2023-29298 can be chained with CVE-2023-26360, another severe ColdFusion vulnerability. This latter vulnerability, which has seen active exploitation, permits unauthorized attackers to execute arbitrary code or read arbitrary files on the affected system. In practice, an attacker could exploit the access control bypass to access sensitive ColdFusion endpoints and subsequently exploit the arbitrary code execution vulnerability, broadening their control and access over the targeted system. The consequences of these vulnerabilities are manifold. Attackers can potentially login to the ColdFusion Administrator with known credentials, bruteforce their way in, leak sensitive information, or exploit other vulnerabilities in the exposed CFM and CFC files. This combination of vulnerabilities significantly heightens the risk profile for organizations using the affected versions of Adobe ColdFusion. Addressing the urgency, Adobe released fixes for these vulnerabilities in July 2023, urging organizations to update to ColdFusion 2023 GA build, ColdFusion 2021 Update 7, and ColdFusion 2018 Update 17. However, Rapid7's disclosure highlights a potential incomplete fix, suggesting that organizations should remain vigilant and proactive in their security measures. \ -In conclusion, the discovery of these vulnerabilities and their potential to be exploited in tandem presents a significant security challenge. Organizations using Adobe ColdFusion must prioritize the application of security updates, monitor their systems closely for signs of intrusion, and remain updated on any further developments related to these vulnerabilities. - -[analytic_story://AgentTesla] -category = Malware -last_updated = 2022-04-12 -version = 1 -references = ["https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla", "https://cert.gov.ua/article/861292", "https://www.cisa.gov/uscert/ncas/alerts/aa22-216a", "https://www.joesandbox.com/analysis/702680/0/html"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Teoderick Contreras"}] -spec_version = 3 -searches = ["ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - Detect HTML Help Spawn Child Process - Rule", "ESCU - Disabling Remote User Account Control - Rule", "ESCU - Excessive Usage Of Taskkill - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Office Application Drop Executable - Rule", "ESCU - Office Application Spawn rundll32 process - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Office Product Spawning CertUtil - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Driver Loaded Path - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Driver Load Non-Standard Path - Rule", "ESCU - Windows Drivers Loaded by Signature - Rule", "ESCU - Windows File Transfer Protocol In Non-Common Process Path - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Mail Protocol In Non-Common Process Path - Rule", "ESCU - Windows Multi hop Proxy TOR Website Query - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule"] -description = Leverage searches that allow you to detect and investigate unusual activities that might relate to the AgentTesla malware including .chm application child process, ftp/smtp connection, persistence and many more. AgentTesla is one of the advanced remote access trojans (RAT) that are capable of stealing sensitive information from the infected or targeted host machine. It can collect various types of data, including browser profile information, keystrokes, capture screenshots and vpn credentials. AgentTesla has been active malware since 2014 and often delivered as a malicious attachment in phishing emails.It is also the top malware in 2021 based on the CISA report. -narrative = Adversaries or threat actor may use this malware to maximize the impact of infection on the target organization in operations where network wide availability interruption is the goal. - -[analytic_story://Amadey] -category = Malware -last_updated = 2023-06-16 -version = 1 -references = ["https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey", "https://darktrace.com/blog/amadey-info-stealer-exploiting-n-day-vulnerabilities"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Teoderick Contreras"}] -spec_version = 3 -searches = ["ESCU - Detect Outlook exe writing a zip file - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Process Creating LNK file in Suspicious Location - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Process Executed From Container File - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Credentials from Password Stores Chrome Extension Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule", "ESCU - Windows Files and Dirs Access Rights Modification Via Icacls - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Powershell RemoteSigned File - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"] -description = This analytic story contains searches that aims to detect activities related to Amadey, a type of malware that primarily operates as a banking Trojan. It is designed to steal sensitive information such as login credentials, credit card details, and other financial data from infected systems. The malware typically targets Windows-based computers. -narrative = Amadey is one of the active trojans that are capable of stealing sensitive information via its from the infected or targeted host machine. It can collect various types of data, including browser profile information, clipboard data, capture screenshots and system information. Adversaries or threat actors may use this malware to maximize the impact of infection on the target organization in operations where data collection and exfiltration is the goal. The primary function is to steal information and further distribute malware. It aims to extract a variety of information from infected devices and attempts to evade the detection of security measures by reducing the volume of data exfiltration compared to that seen in other malicious instances. - -[analytic_story://Apache Struts Vulnerability] -category = Vulnerability -last_updated = 2018-12-06 -version = 1 -references = ["https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.2/dev/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Rico Valdez"}] -spec_version = 3 -searches = ["ESCU - Suspicious Java Classes - Rule", "ESCU - Web Servers Executing Suspicious Processes - Rule", "ESCU - Unusually Long Content-Type Length - Rule", "ESCU - Get Notable History - Response Task", "ESCU - Investigate Suspicious Strings in HTTP Header - Response Task", "ESCU - Investigate Web POSTs From src - Response Task"] -description = Detect and investigate activities--such as unusually long `Content-Type` length, suspicious java classes and web servers executing suspicious processes--consistent with attempts to exploit Apache Struts vulnerabilities. -narrative = In March of 2017, a remote code-execution vulnerability in the Jakarta Multipart parser in Apache Struts, a widely used open-source framework for creating Java web applications, was disclosed and assigned to CVE-2017-5638. About two months later, hackers exploited the flaw to carry out the world's 5th largest data breach. The target, credit giant Equifax, told investigators that it had become aware of the vulnerability two months before the attack. \ -The exploit involved manipulating the `Content-Type HTTP` header to execute commands embedded in the header. \ -This Analytic Story contains two different searches that help to identify activity that may be related to this issue. The first search looks for characteristics of the `Content-Type` header consistent with attempts to exploit the vulnerability. This should be a relatively pertinent indicator, as the `Content-Type` header is generally consistent and does not have a large degree of variation. \ -The second search looks for the execution of various commands typically entered on the command shell when an attacker first lands on a system. These commands are not generally executed on web servers during the course of day-to-day operation, but they may be used when the system is undergoing maintenance or troubleshooting. \ -First, it is helpful is to understand how often the notable event is generated, as well as the commonalities in some of these events. This may help determine whether this is a common occurrence that is of a lesser concern or a rare event that may require more extensive investigation. It can also help to understand whether the issue is restricted to a single user or system or is broader in scope. \ -When looking at the target of the behavior illustrated by the event, you should note the sensitivity of the user and or/system to help determine the potential impact. It is also helpful to see what other events involving the target have occurred in the recent past. This can help tie different events together and give further situational awareness regarding the target. \ -Various types of information for external systems should be reviewed and (potentially) collected if the incident is, indeed, judged to be malicious. Information like this can be useful in generating your own threat intelligence to create alerts in the future. \ -Looking at the country, responsible party, and fully qualified domain names associated with the external IP address--as well as the registration information associated with those domain names, if they are frequently visited by others--can help you answer the question of "who," in regard to the external system. Answering that can help qualify the event and may serve useful for tracking. In addition, there are various sources that can provide some reputation information on the IP address or domain name, which can assist in determining if the event is malicious in nature. Finally, determining whether or not there are other events associated with the IP address may help connect some dots or show other events that should be brought into scope. \ -Gathering various data elements on the system of interest can sometimes help quickly determine that something suspicious may be happening. Some of these items include determining who else may have recently logged into the system, whether any unusual scheduled tasks exist, whether the system is communicating on suspicious ports, whether there are modifications to sensitive registry keys, and whether there are any known vulnerabilities on the system. This information can often highlight other activity commonly seen in attack scenarios or give more information about how the system may have been targeted. \ -hen a specific service or application is targeted, it is often helpful to know the associated version to help determine whether or not it is vulnerable to a specific exploit. \ -hen it is suspected there is an attack targeting a web server, it is helpful to look at some of the behavior of the web service to see if there is evidence that the service has been compromised. Some indications of this might be network connections to external resources, the web service spawning child processes that are not associated with typical behavior, and whether the service wrote any files that might be malicious in nature. \ -In the event that a suspicious file is found, we can review more information about it to help determine if it is, in fact, malicious. Identifying the file type, any processes that have the file open, what processes created and/or modified the file, and the number of systems that may have this file can help to determine if the file is malicious. Also, determining the file hash and checking it against reputation sources, such as VirusTotal, can sometimes quickly help determine whether it is malicious in nature. \ -Often, a simple inspection of a suspect process name and path can tell you if the system has been compromised. For example, if `svchost.exe` is found running from a location other than `C:\Windows\System32`, it is likely something malicious designed to hide in plain sight when simply reviewing process names. Similarly, if the process itself seems legitimate, but the parent process is running from the temporary browser cache, there may be activity initiated via a compromised website the user visited. \ -It can also be very helpful to examine various behaviors of the process of interest or the parent of the process that is of interest. For example, if it turns out that the process of interest is malicious, it would be good to see if the parent to that process spawned other processes that might also be worth further scrutiny. If a process is suspect, reviewing the network connections made around the time of the event and/or if the process spawned any child processes could be helpful in determining whether it is malicious or executing a malicious script. - -[analytic_story://APT29 Diplomatic Deceptions with WINELOADER] -category = Adversary Tactics -last_updated = 2024-03-26 -version = 1 -references = ["https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties", "https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader"] -maintainers = [{"company": "splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - CertUtil With Decode Argument - Rule", "ESCU - Windows MSHTA Writing to World Writable Path - Rule", "ESCU - Windows Process Writing File to World Writable Path - Rule", "ESCU - Windows SqlWriter SQLDumper DLL Sideload - Rule", "ESCU - Windows Unsigned MS DLL Side-Loading - Rule"] -description = APT29, a sophisticated threat actor linked to the Russian SVR, has expanded its cyber espionage activities to target European diplomats and German political parties. Utilizing a novel backdoor variant, WINELOADER, these campaigns leverage diplomatic-themed lures to initiate infection chains, demonstrating APT29's evolving tactics and interest in geopolitical intelligence. The operations, marked by their low volume and high precision, underscore the broad threat APT29 poses to Western political and diplomatic entities. -narrative = APT29, also known as Cozy Bear, has historically focused on espionage activities aligned with Russian intelligence interests. In recent campaigns, APT29 has notably shifted its operational focus, targeting not only its traditional diplomatic missions but also expanding into the political domain, specifically German political parties. These campaigns have been characterized by the deployment of WINELOADER, a sophisticated backdoor that facilitates the exfiltration of sensitive information. The use of themed lures, such as invitations from the Ambassador of India and CDU-themed documents, highlights APT29's strategic use of social engineering to compromise targets. The operations against European diplomats and German political entities reveal APT29's adaptive tactics and its persistent effort to gather intelligence that could influence Russia's geopolitical strategy. The precision of these attacks, coupled with the use of compromised websites for command and control, underscores the evolving threat landscape and the need for heightened cybersecurity vigilance among potential targets. - -[analytic_story://Asset Tracking] -category = Best Practices -last_updated = 2017-09-13 -version = 1 -references = ["https://www.cisecurity.org/controls/inventory-of-authorized-and-unauthorized-devices/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Bhavin Patel"}] -spec_version = 3 -searches = ["ESCU - Detect Unauthorized Assets by MAC address - Rule", "ESCU - Get First Occurrence and Last Occurrence of a MAC Address - Response Task", "ESCU - Get Notable History - Response Task"] -description = Keep a careful inventory of every asset on your network to make it easier to detect rogue devices. Unauthorized/unmanaged devices could be an indication of malicious behavior that should be investigated further. -narrative = This Analytic Story is designed to help you develop a better understanding of what authorized and unauthorized devices are part of your enterprise. This story can help you better categorize and classify assets, providing critical business context and awareness of their assets during an incident. Information derived from this Analytic Story can be used to better inform and support other analytic stories. For successful detection, you will need to leverage the Assets and Identity Framework from Enterprise Security to populate your known assets. - -[analytic_story://AsyncRAT] -category = Malware -last_updated = 2023-01-24 -version = 1 -references = ["https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat", "https://www.netskope.com/blog/asyncrat-using-fully-undetected-downloader"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Teoderick Contreras"}] -spec_version = 3 -searches = ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Execution of File with Multiple Extensions - Rule", "ESCU - Loading Of Dynwrapx Module - Rule", "ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Powershell Processing Stream Of Data - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Vbscript Execution Using Wscript App - Rule", "ESCU - Windows Access Token Manipulation SeDebugPrivilege - Rule", "ESCU - Windows Powershell Cryptography Namespace - Rule", "ESCU - Windows Scheduled Task with Highest Privileges - Rule", "ESCU - Windows Spearphishing Attachment Connect To None MS Office Domain - Rule", "ESCU - Windows Spearphishing Attachment Onenote Spawn Mshta - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"] -description = Leverage searches that allow you to detect and investigate unusual activities that might relate to the AsyncRAT malware including mshta application child process, bat loader execution, persistence and many more. AsyncRAT is an open source remote administration tool released last 2019. It's designed to remotely control computers via an encrypted connection, with view screen, keylogger, chat communication, persistence, defense evasion (e.g. Windows defender), DOS attack and many more. -narrative = although this project contains legal disclaimer, Adversaries or threat actors are popularly used in some attacks. This malware recently came across a Fully undetected batch script loader that downloads and loads the AsyncRAT from its C2 server. The batch script is obfuscated and will load a powershell loader that will decode and decrypt (AES256) the actual AsyncRAT malware. - -[analytic_story://Atlassian Confluence Server and Data Center CVE-2022-26134] -category = Adversary Tactics -last_updated = 2022-06-03 -version = 1 -references = ["https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html", "https://www.splunk.com/en_us/blog/security/atlassian-confluence-vulnerability-cve-2022-26134.html", "https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/", "https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - Java Writing JSP File - Rule", "ESCU - Confluence Unauthenticated Remote Code Execution CVE-2022-26134 - Rule"] -description = On June 2, security researchers at Volexity published a blog outlining the discovery of an unauthenticated remote code execution zero day vulnerability (CVE-2022-26134) being actively exploited in Atlassian Confluence Server and Data Center instances in the wild. Atlassian released a fix within 24 hours of the blog''s release. -narrative = Atlassian describes the vulnerability as an Object-Graph Navigation Language (OGNL) injection allowing an unauthenticated user to execute arbitrary code on a Confluence Server or Data Server instance. Volexity did not release proof-of-concept (POC) exploit code, but researchers there have observed coordinated, widespread exploitation. Volexity first discovered the vulnerability over the weekend on two Internet-facing web servers running Confluence Server software. The investigation was due to suspicious activity on the hosts, including JSP webshells that were written to disk. - -[analytic_story://AwfulShred] -category = Malware -last_updated = 2023-01-24 -version = 1 -references = ["https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/", "https://cert.gov.ua/article/3718487"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Teoderick Contreras"}] -spec_version = 3 -searches = ["ESCU - Linux Data Destruction Command - Rule", "ESCU - Linux Deleting Critical Directory Using RM Command - Rule", "ESCU - Linux Deletion Of Services - Rule", "ESCU - Linux Disable Services - Rule", "ESCU - Linux Hardware Addition SwapOff - Rule", "ESCU - Linux Impair Defenses Process Kill - Rule", "ESCU - Linux Indicator Removal Clear Cache - Rule", "ESCU - Linux Indicator Removal Service File Deletion - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Shred Overwrite Command - Rule", "ESCU - Linux Stop Services - Rule", "ESCU - Linux System Reboot Via System Request Key - Rule", "ESCU - Linux Unix Shell Enable All SysRq Functions - Rule"] -description = Leverage searches that allow you to detect and investigate unusual activities that might relate to the AwfulShred malware including wiping files, process kill, system reboot via system request, shred, and service stops. -narrative = AwfulShred is a malicious linux shell script designed to corrupt or wipe the linux targeted system. It uses shred command to overwrite files and to increase data damage. This obfuscated malicious script can also disable and corrupts apache, HTTP and SSH services, deactivate swap files, clear bash history and finally reboot the system. - -[analytic_story://AWS Cross Account Activity] -category = Cloud Security -last_updated = 2018-06-04 -version = 1 -references = ["https://aws.amazon.com/blogs/security/aws-cloudtrail-now-tracks-cross-account-activity-to-its-origin/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "David Dorsey"}] -spec_version = 3 -searches = ["ESCU - aws detect attach to role policy - Rule", "ESCU - aws detect permanent key creation - Rule", "ESCU - aws detect role creation - Rule", "ESCU - aws detect sts assume role abuse - Rule", "ESCU - aws detect sts get session token abuse - Rule", "ESCU - AWS Investigate User Activities By AccessKeyId - Response Task", "ESCU - Get Notable History - Response Task"] -description = Track when a user assumes an IAM role in another AWS account to obtain cross-account access to services and resources in that account. Accessing new roles could be an indication of malicious activity. -narrative = Amazon Web Services (AWS) admins manage access to AWS resources and services across the enterprise using AWS's Identity and Access Management (IAM) functionality. IAM provides the ability to create and manage AWS users, groups, and roles-each with their own unique set of privileges and defined access to specific resources (such as EC2 instances, the AWS Management Console, API, or the command-line interface). Unlike conventional (human) users, IAM roles are assumable by anyone in the organization. They provide users with dynamically created temporary security credentials that expire within a set time period. \ -Herein lies the rub. In between the time between when the temporary credentials are issued and when they expire is a period of opportunity, where a user could leverage the temporary credentials to wreak havoc-spin up or remove instances, create new users, elevate privileges, and other malicious activities-throughout the environment. \ -This Analytic Story includes searches that will help you monitor your AWS CloudTrail logs for evidence of suspicious cross-account activity. For example, while accessing multiple AWS accounts and roles may be perfectly valid behavior, it may be suspicious when an account requests privileges of an account it has not accessed in the past. After identifying suspicious activities, you can use the provided investigative searches to help you probe more deeply. - -[analytic_story://AWS Defense Evasion] -category = Cloud Security -last_updated = 2022-07-15 -version = 1 -references = ["https://attack.mitre.org/tactics/TA0005/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Gowthamaraj Rajendran"}] -spec_version = 3 -searches = ["ESCU - ASL AWS Defense Evasion Delete Cloudtrail - Rule", "ESCU - ASL AWS Defense Evasion Delete CloudWatch Log Group - Rule", "ESCU - ASL AWS Defense Evasion Impair Security Services - Rule", "ESCU - ASL AWS Defense Evasion Stop Logging Cloudtrail - Rule", "ESCU - ASL AWS Defense Evasion Update Cloudtrail - Rule", "ESCU - AWS Defense Evasion Delete Cloudtrail - Rule", "ESCU - AWS Defense Evasion Delete CloudWatch Log Group - Rule", "ESCU - AWS Defense Evasion Impair Security Services - Rule", "ESCU - AWS Defense Evasion PutBucketLifecycle - Rule", "ESCU - AWS Defense Evasion Stop Logging Cloudtrail - Rule", "ESCU - AWS Defense Evasion Update Cloudtrail - Rule"] -description = Identify activity and techniques associated with the Evasion of Defenses within AWS, such as Disabling CloudTrail, Deleting CloudTrail and many others. -narrative = Adversaries employ a variety of techniques in order to avoid detection and operate without barriers. This often involves modifying the configuration of security monitoring tools to get around them or explicitly disabling them to prevent them from running. This Analytic Story includes analytics that identify activity consistent with adversaries attempting to disable various security mechanisms on AWS. Such activity may involve deleting the CloudTrail logs , as this is where all the AWS logs get stored or explicitly changing the retention policy of S3 buckets. Other times, adversaries attempt deletion of a specified AWS CloudWatch log group. - -[analytic_story://AWS IAM Privilege Escalation] -category = Cloud Security -last_updated = 2021-03-08 -version = 1 -references = ["https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/", "https://www.cyberark.com/resources/threat-research-blog/the-cloud-shadow-admin-threat-10-permissions-to-protect", "https://labs.bishopfox.com/tech-blog/privilege-escalation-in-aws"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Bhavin Patel"}] -spec_version = 3 -searches = ["ESCU - ASL AWS IAM Delete Policy - Rule", "ESCU - ASL AWS IAM Failure Group Deletion - Rule", "ESCU - ASL AWS IAM Successful Group Deletion - Rule", "ESCU - AWS Create Policy Version to allow all resources - Rule", "ESCU - AWS CreateAccessKey - Rule", "ESCU - AWS CreateLoginProfile - Rule", "ESCU - AWS IAM Assume Role Policy Brute Force - Rule", "ESCU - AWS IAM Delete Policy - Rule", "ESCU - AWS IAM Failure Group Deletion - Rule", "ESCU - AWS IAM Successful Group Deletion - Rule", "ESCU - AWS Password Policy Changes - Rule", "ESCU - AWS SetDefaultPolicyVersion - Rule", "ESCU - AWS UpdateLoginProfile - Rule", "ESCU - ASL AWS CreateAccessKey - Rule", "ESCU - ASL AWS Password Policy Changes - Rule"] -description = This analytic story contains detections that query your AWS Cloudtrail for activities related to privilege escalation. -narrative = Amazon Web Services provides a neat feature called Identity and Access Management (IAM) that enables organizations to manage various AWS services and resources in a secure way. All IAM users have roles, groups and policies associated with them which governs and sets permissions to allow a user to access specific restrictions. \ -However, if these IAM policies are misconfigured and have specific combinations of weak permissions; it can allow attackers to escalate their privileges and further compromise the organization. Rhino Security Labs have published comprehensive blogs detailing various AWS Escalation methods. By using this as an inspiration, Splunks research team wants to highlight how these attack vectors look in AWS Cloudtrail logs and provide you with detection queries to uncover these potentially malicious events via this Analytic Story. - -[analytic_story://AWS Identity and Access Management Account Takeover] -category = Cloud Security -last_updated = 2022-08-19 -version = 2 -references = ["https://attack.mitre.org/tactics/TA0006/"] -maintainers = [{"company": "Bhavin Patel, Splunk", "email": "-", "name": "Gowthamaraj Rajendran"}] -spec_version = 3 -searches = ["ESCU - ASL AWS Concurrent Sessions From Different Ips - Rule", "ESCU - ASL AWS Multi-Factor Authentication Disabled - Rule", "ESCU - ASL AWS New MFA Method Registered For User - Rule", "ESCU - AWS Concurrent Sessions From Different Ips - Rule", "ESCU - AWS Console Login Failed During MFA Challenge - Rule", "ESCU - AWS Credential Access Failed Login - Rule", "ESCU - AWS Credential Access GetPasswordData - Rule", "ESCU - AWS Credential Access RDS Password reset - Rule", "ESCU - AWS High Number Of Failed Authentications For User - Rule", "ESCU - AWS High Number Of Failed Authentications From Ip - Rule", "ESCU - AWS Multi-Factor Authentication Disabled - Rule", "ESCU - AWS Multiple Failed MFA Requests For User - Rule", "ESCU - AWS Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - AWS New MFA Method Registered For User - Rule", "ESCU - AWS Successful Single-Factor Authentication - Rule", "ESCU - AWS Unusual Number of Failed Authentications From Ip - Rule", "ESCU - Detect AWS Console Login by New User - Rule", "ESCU - Detect AWS Console Login by User from New City - Rule", "ESCU - Detect AWS Console Login by User from New Country - Rule", "ESCU - Detect AWS Console Login by User from New Region - Rule"] -description = Identify activity and techniques associated with accessing credential files from AWS resources, monitor unusual authentication related activities to the AWS Console and other services such as RDS. -narrative = Amazon Web Services provides a web service known as Identity and Access Management(IAM) for controlling and securly managing various AWS resources. This is basically the foundation of how users in AWS interact with various resources/services in cloud and vice versa. Account Takeover (ATO) is an attack whereby cybercriminals gain unauthorized access to online accounts by using different techniques like brute force, social engineering, phishing & spear phishing, credential stuffing, etc. Adversaries employ a variety of techniques to steal AWS Cloud credentials like account names, passwords and keys and takeover legitmate user accounts. Usage of legitimate keys will assist the attackers to gain access to other sensitive system and they can also mimic legitimate behaviour making them harder to be detected. Such activity may involve multiple failed login to the console, new console logins and password reset activities. - -[analytic_story://AWS Network ACL Activity] -category = Cloud Security -last_updated = 2018-05-21 -version = 2 -references = ["https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Appendix_NACLs.html", "https://aws.amazon.com/blogs/security/how-to-help-prepare-for-ddos-attacks-by-reducing-your-attack-surface/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Bhavin Patel"}] -spec_version = 3 -searches = ["ESCU - AWS Network Access Control List Created with All Open Ports - Rule", "ESCU - AWS Network Access Control List Deleted - Rule", "ESCU - Detect Spike in blocked Outbound Traffic from your AWS - Rule", "ESCU - Cloud Network Access Control List Deleted - Rule", "ESCU - Detect Spike in Network ACL Activity - Rule", "ESCU - AWS Investigate User Activities By ARN - Response Task", "ESCU - AWS Network ACL Details from ID - Response Task", "ESCU - AWS Network Interface details via resourceId - Response Task", "ESCU - Get All AWS Activity From IP Address - Response Task", "ESCU - Get DNS Server History for a host - Response Task", "ESCU - Get DNS traffic ratio - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Process Information For Port Activity - Response Task", "ESCU - Get Process Responsible For The DNS Traffic - Response Task"] -description = Monitor your AWS network infrastructure for bad configurations and malicious activity. Investigative searches help you probe deeper, when the facts warrant it. -narrative = AWS CloudTrail is an AWS service that helps you enable governance, compliance, and operational/risk auditing of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. It is crucial for a company to monitor events and actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs to ensure that your servers are not vulnerable to attacks. This analytic story contains detection searches that leverage CloudTrail logs from AWS to check for bad configurations and malicious activity in your AWS network access controls. - -[analytic_story://AWS Security Hub Alerts] -category = Cloud Security -last_updated = 2020-08-04 -version = 1 -references = ["https://aws.amazon.com/security-hub/features/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Bhavin Patel"}] -spec_version = 3 -searches = ["ESCU - Detect Spike in AWS Security Hub Alerts for EC2 Instance - Rule", "ESCU - Detect Spike in AWS Security Hub Alerts for User - Rule", "ESCU - AWS Investigate User Activities By ARN - Response Task", "ESCU - Get EC2 Instance Details by instanceId - Response Task", "ESCU - Get EC2 Launch Details - Response Task"] -description = This story is focused around detecting Security Hub alerts generated from AWS -narrative = AWS Security Hub collects and consolidates findings from AWS security services enabled in your environment, such as intrusion detection findings from Amazon GuardDuty, vulnerability scans from Amazon Inspector, S3 bucket policy findings from Amazon Macie, publicly accessible and cross-account resources from IAM Access Analyzer, and resources lacking WAF coverage from AWS Firewall Manager. - -[analytic_story://AWS User Monitoring] -category = Cloud Security -last_updated = 2018-03-12 -version = 1 -references = ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf", "https://redlock.io/blog/cryptojacking-tesla"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Bhavin Patel"}] -spec_version = 3 -searches = ["ESCU - AWS Excessive Security Scanning - Rule", "ESCU - ASL AWS Excessive Security Scanning - Rule", "ESCU - Detect API activity from users without MFA - Rule", "ESCU - Detect AWS API Activities From Unapproved Accounts - Rule", "ESCU - Detect new API calls from user roles - Rule", "ESCU - Detect Spike in AWS API Activity - Rule", "ESCU - Detect Spike in Security Group Activity - Rule", "ESCU - Get Notable History - Response Task", "ESCU - Investigate AWS User Activities by user field - Response Task"] -description = Detect and investigate dormant user accounts for your AWS environment that have become active again. Because inactive and ad-hoc accounts are common attack targets, it's critical to enable governance within your environment. -narrative = It seems obvious that it is critical to monitor and control the users who have access to your cloud infrastructure. Nevertheless, it's all too common for enterprises to lose track of ad-hoc accounts, leaving their servers vulnerable to attack. In fact, this was the very oversight that led to Tesla's cryptojacking attack in February, 2018. \ -In addition to compromising the security of your data, when bad actors leverage your compute resources, it can incur monumental costs, since you will be billed for any new EC2 instances and increased bandwidth usage. \ -Fortunately, you can leverage Amazon Web Services (AWS) CloudTrail--a tool that helps you enable governance, compliance, and risk auditing of your AWS account--to give you increased visibility into your user and resource activity by recording AWS Management Console actions and API calls. You can identify which users and accounts called AWS, the source IP address from which the calls were made, and when the calls occurred. \ -The detection searches in this Analytic Story are designed to help you uncover AWS API activities from users not listed in the identity table, as well as similar activities from disabled accounts. - -[analytic_story://Azorult] -category = Malware -last_updated = 2022-06-09 -version = 1 -references = ["https://success.trendmicro.com/dcx/s/solution/000146108-azorult-malware-information?language=en_US\u0026sfdcIFrameOrigin=null", "https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Teoderick Contreras"}] -spec_version = 3 -searches = ["ESCU - Allow Inbound Traffic By Firewall Rule Registry - Rule", "ESCU - Allow Operation with Consent Admin - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - CHCP Command Execution - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Create local admin accounts using net exe - Rule", "ESCU - Detect Use of cmd exe to Launch Script Interpreters - Rule", "ESCU - Disable Defender BlockAtFirstSeen Feature - Rule", "ESCU - Disable Defender Enhanced Notification - Rule", "ESCU - Disable Defender Spynet Reporting - Rule", "ESCU - Disable Defender Submit Samples Consent Feature - Rule", "ESCU - Disable Show Hidden Files - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Disabling Remote User Account Control - Rule", "ESCU - Excessive Attempt To Disable Services - Rule", "ESCU - Excessive Usage Of Cacls App - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Excessive Usage Of SC Service Utility - Rule", "ESCU - Excessive Usage Of Taskkill - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Firewall Allowed Program Enable - Rule", "ESCU - Hide User Account From Sign-In Screen - Rule", "ESCU - Hiding Files And Directories With Attrib exe - Rule", "ESCU - Icacls Deny Command - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Net - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Office Product Spawning MSHTA - Rule", "ESCU - Processes launching netsh - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Windows Application Layer Protocol RMS Radmin Tool Namedpipe - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows Defender Exclusion Registry Entry - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows Gather Victim Network Info Through Ip Check Web Services - Rule", "ESCU - Windows Impair Defense Add Xml Applocker Rules - Rule", "ESCU - Windows Impair Defense Deny Security Software With Applocker - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Modify Registry Disable Toast Notifications - Rule", "ESCU - Windows Modify Registry Disable Win Defender Raw Write Notif - Rule", "ESCU - Windows Modify Registry Disable Windows Security Center Notif - Rule", "ESCU - Windows Modify Registry Disabling WER Settings - Rule", "ESCU - Windows Modify Registry DisAllow Windows App - Rule", "ESCU - Windows Modify Registry Regedit Silent Reg Import - Rule", "ESCU - Windows Modify Registry Suppress Win Defender Notif - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule", "ESCU - Windows Powershell Import Applocker Policy - Rule", "ESCU - Windows Remote Access Software RMS Registry - Rule", "ESCU - Windows Remote Service Rdpwinst Tool Execution - Rule", "ESCU - Windows Remote Services Allow Rdp In Firewall - Rule", "ESCU - Windows Remote Services Allow Remote Assistance - Rule", "ESCU - Windows Remote Services Rdp Enable - Rule", "ESCU - Windows Service Stop By Deletion - Rule", "ESCU - Windows Valid Account With Never Expires Password - Rule", "ESCU - Wmic NonInteractive App Uninstallation - Rule"] -description = Leverage searches that allow you to detect and investigate unusual activities that might relate to the Azorult malware including firewall modification, icacl execution, spawning more process, botnet c2 communication, defense evasion and etc. The AZORULT malware was first discovered in 2016 to be an information stealer that steals browsing history, cookies, ID/passwords, cryptocurrency information and more. It can also be a downloader of other malware. A variant of this malware was able to create a new, hidden administrator account on the machine to set a registry key to establish a Remote Desktop Protocol (RDP) connection. Exploit kits such as Fallout Exploit Kit (EK) and phishing mails with social engineering technique are one of the major infection vectors of the AZORult malware. The current malspam and phishing emails use fake product order requests, invoice documents and payment information requests. This Trojan-Spyware connects to Command And Control (C&C) servers of attacker to send and receive information. -narrative = Adversaries may use this technique to maximize the impact on the target organization in operations where network wide availability interruption is the goal. - -[analytic_story://Azure Active Directory Account Takeover] -category = Adversary Tactics -last_updated = 2022-07-14 -version = 2 -references = ["https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis", "https://azure.microsoft.com/en-us/services/active-directory/#overview", "https://attack.mitre.org/techniques/T1586/", "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-compare-azure-ad-to-ad", "https://www.imperva.com/learn/application-security/account-takeover-ato/", "https://www.varonis.com/blog/azure-active-directory", "https://www.barracuda.com/glossary/account-takeover"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Mauricio Velazco"}] -spec_version = 3 -searches = ["ESCU - Azure Active Directory High Risk Sign-in - Rule", "ESCU - Azure AD Authentication Failed During MFA Challenge - Rule", "ESCU - Azure AD Block User Consent For Risky Apps Disabled - Rule", "ESCU - Azure AD Concurrent Sessions From Different Ips - Rule", "ESCU - Azure AD Device Code Authentication - Rule", "ESCU - Azure AD High Number Of Failed Authentications For User - Rule", "ESCU - Azure AD High Number Of Failed Authentications From Ip - Rule", "ESCU - Azure AD Multi-Factor Authentication Disabled - Rule", "ESCU - Azure AD Multi-Source Failed Authentications Spike - Rule", "ESCU - Azure AD Multiple AppIDs and UserAgents Authentication Spike - Rule", "ESCU - Azure AD Multiple Denied MFA Requests For User - Rule", "ESCU - Azure AD Multiple Failed MFA Requests For User - Rule", "ESCU - Azure AD Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - Azure AD New MFA Method Registered For User - Rule", "ESCU - Azure AD OAuth Application Consent Granted By User - Rule", "ESCU - Azure AD Service Principal Authentication - Rule", "ESCU - Azure AD Successful Authentication From Different Ips - Rule", "ESCU - Azure AD Successful PowerShell Authentication - Rule", "ESCU - Azure AD Successful Single-Factor Authentication - Rule", "ESCU - Azure AD Unusual Number of Failed Authentications From Ip - Rule", "ESCU - Azure AD User Consent Blocked for Risky Application - Rule", "ESCU - Azure AD User Consent Denied for OAuth Application - Rule"] -description = Monitor for activities and techniques associated with Account Takeover attacks against Azure Active Directory tenants. -narrative = Azure Active Directory (Azure AD) is Microsofts enterprise cloud-based identity and access management (IAM) service. Azure AD is the backbone of most of Azure services like Office 365. It can sync with on-premise Active Directory environments and provide authentication to other cloud-based systems via the OAuth protocol. According to Microsoft, Azure AD manages more than 1.2 billion identities and processes over 8 billion authentications per day. Account Takeover (ATO) is an attack whereby cybercriminals gain unauthorized access to online accounts by using different techniques like brute force, social engineering, phishing & spear phishing, credential stuffing, etc. By posing as the real user, cyber-criminals can change account details, send out phishing emails, steal financial information or sensitive data, or use any stolen information to access further accounts within the organization. This analytic storic groups detections that can help security operations teams identify the potential compromise of Azure Active Directory accounts. - -[analytic_story://Azure Active Directory Persistence] -category = Cloud Security -last_updated = 2022-08-17 -version = 1 -references = ["https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis", "https://azure.microsoft.com/en-us/services/active-directory/#overview", "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-compare-azure-ad-to-ad", "https://attack.mitre.org/tactics/TA0003/", "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/Persistence/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Mauricio Velazco"}] -spec_version = 3 -searches = ["ESCU - Azure AD External Guest User Invited - Rule", "ESCU - Azure AD FullAccessAsApp Permission Assigned - Rule", "ESCU - Azure AD Global Administrator Role Assigned - Rule", "ESCU - Azure AD Multiple Service Principals Created by SP - Rule", "ESCU - Azure AD Multiple Service Principals Created by User - Rule", "ESCU - Azure AD New Custom Domain Added - Rule", "ESCU - Azure AD New Federated Domain Added - Rule", "ESCU - Azure AD New MFA Method Registered - Rule", "ESCU - Azure AD PIM Role Assigned - Rule", "ESCU - Azure AD PIM Role Assignment Activated - Rule", "ESCU - Azure AD Privileged Graph API Permission Assigned - Rule", "ESCU - Azure AD Privileged Role Assigned - Rule", "ESCU - Azure AD Service Principal Created - Rule", "ESCU - Azure AD Service Principal New Client Credentials - Rule", "ESCU - Azure AD Service Principal Owner Added - Rule", "ESCU - Azure AD Tenant Wide Admin Consent Granted - Rule", "ESCU - Azure AD User Enabled And Password Reset - Rule", "ESCU - Azure AD User ImmutableId Attribute Updated - Rule", "ESCU - Azure Automation Account Created - Rule", "ESCU - Azure Automation Runbook Created - Rule", "ESCU - Azure Runbook Webhook Created - Rule", "ESCU - Windows Multiple Account Passwords Changed - Rule", "ESCU - Windows Multiple Accounts Deleted - Rule", "ESCU - Windows Multiple Accounts Disabled - Rule"] -description = Monitor for activities and techniques associated with the execution of Persistence techniques against Azure Active Directory tenants. -narrative = Azure Active Directory (Azure AD) is Microsofts enterprise cloud-based identity and access management (IAM) service. Azure AD is the backbone of most of Azure services like Office 365. It can sync with on-premise Active Directory environments and provide authentication to other cloud-based systems via the OAuth protocol. According to Microsoft, Azure AD manages more than 1.2 billion identities and processes over 8 billion authentications per day. Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. This analytic storic groups detections that can help security operations teams identify the potential execution of Persistence techniques targeting Azure Active Directory tenants. - -[analytic_story://Azure Active Directory Privilege Escalation] -category = Adversary Tactics -last_updated = 2023-04-24 -version = 1 -references = ["https://attack.mitre.org/tactics/TA0003/", "https://cloudbrothers.info/en/azure-attack-paths/", "https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/PrivEsc/", "https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Mauricio Velazco"}] -spec_version = 3 -searches = ["ESCU - Azure AD Admin Consent Bypassed by Service Principal - Rule", "ESCU - Azure AD Application Administrator Role Assigned - Rule", "ESCU - Azure AD Global Administrator Role Assigned - Rule", "ESCU - Azure AD PIM Role Assigned - Rule", "ESCU - Azure AD PIM Role Assignment Activated - Rule", "ESCU - Azure AD Privileged Authentication Administrator Role Assigned - Rule", "ESCU - Azure AD Privileged Role Assigned to Service Principal - Rule", "ESCU - Azure AD Service Principal New Client Credentials - Rule", "ESCU - Azure AD Service Principal Owner Added - Rule"] -description = Monitor for activities and techniques associated with Privilege Escalation attacks within Azure Active Directory tenants. -narrative = Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations or vulnerabilities. \ -Azure Active Directory (Azure AD) is Microsofts enterprise cloud-based identity and access management (IAM) service. Azure AD is the backbone of most of Azure services like Office 365 and Microsoft Teams. It can sync with on-premise Active Directory environments and provide authentication to other cloud-based systems via the OAuth protocol. According to Microsoft, Azure AD manages more than 1.2 billion identities and processes over 8 billion authentications per day. \ -Privilege escalation attacks in Azure AD typically involve abusing misconfigurations to gain elevated privileges, such as Global Administrator access. Once an attacker has escalated their privileges and taken full control of a tenant, they may abuse every service that leverages Azure AD including moving laterally to Azure virtual machines to access sensitive data and carry out further attacks. Security teams should monitor for privilege escalation attacks in Azure Active Directory to identify breaches before attackers achieve operational success. \ -The following analytic story groups detection opportunities that seek to identify an adversary attempting to escalate privileges in Azure AD tenants. - -[analytic_story://Baron Samedit CVE-2021-3156] -category = Adversary Tactics -last_updated = 2021-01-27 -version = 1 -references = ["https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Shannon Davis"}] -spec_version = 3 -searches = ["ESCU - Detect Baron Samedit CVE-2021-3156 - Rule", "ESCU - Detect Baron Samedit CVE-2021-3156 Segfault - Rule", "ESCU - Detect Baron Samedit CVE-2021-3156 via OSQuery - Rule"] -description = Uncover activity consistent with CVE-2021-3156. Discovered by the Qualys Research Team, this vulnerability has been found to affect sudo across multiple Linux distributions (Ubuntu 20.04 and prior, Debian 10 and prior, Fedora 33 and prior). As this vulnerability was committed to code in July 2011, there will be many distributions affected. Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host. -narrative = A non-privledged user is able to execute the sudoedit command to trigger a buffer overflow. After the successful buffer overflow, they are then able to gain root privileges on the affected host. The conditions needed to be run are a trailing "\" along with shell and edit flags. Monitoring the /var/log directory on Linux hosts using the Splunk Universal Forwarder will allow you to pick up this behavior when using the provided detection. - -[analytic_story://BishopFox Sliver Adversary Emulation Framework] -category = Adversary Tactics -last_updated = 2023-01-24 -version = 1 -references = ["https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors", "https://www.ncsc.gov.uk/files/Advisory%20Further%20TTPs%20associated%20with%20SVR%20cyber%20actors.pdf", "https://www.proofpoint.com/uk/blog/security-briefs/ta551-uses-sliver-red-team-tool-new-activity", "https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control", "https://github.com/sliverarmory/armory", "https://github.com/BishopFox/sliver"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - Notepad with no Command Line Arguments - Rule", "ESCU - Windows Process Injection into Notepad - Rule", "ESCU - Windows Service Create SliverC2 - Rule"] -description = The following analytic story providers visibility into the latest adversary TTPs in regard to the use of Sliver. Sliver has gained more traction with adversaries as it is often seen as an alternative to Cobalt Strike. It is designed to be scalable and can be used by organizations of all sizes to perform security testing. Sliver is highly modular and contains an Extension package manager (armory) allowing easy install (automatic compilation) of various 3rd party tools such as BOFs and .NET tooling like Ghostpack (Rubeus, Seatbelt, SharpUp, Certify, and so forth) (CyberReason,2023). -narrative = Sliver is an open source cross-platform adversary emulation/red team framework produced by BishopFox. - -[analytic_story://BITS Jobs] -category = Adversary Tactics -last_updated = 2021-03-26 -version = 1 -references = ["https://attack.mitre.org/techniques/T1197/", "https://docs.microsoft.com/en-us/windows/win32/bits/bitsadmin-tool"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - BITS Job Persistence - Rule", "ESCU - BITSAdmin Download File - Rule", "ESCU - PowerShell Start-BitsTransfer - Rule"] -description = Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads. -narrative = Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM). BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations. The interface to create and manage BITS jobs is accessible through PowerShell and the BITSAdmin tool. Adversaries may abuse BITS to download, execute, and even clean up after running malicious code. BITS tasks are self-contained in the BITS job database, without new files or registry modifications, and often permitted by host firewalls. BITS enabled execution may also enable persistence by creating long-standing jobs (the default maximum lifetime is 90 days and extendable) or invoking an arbitrary program when a job completes or errors (including after system reboots). - -[analytic_story://BlackByte Ransomware] -category = Malware -last_updated = 2023-07-10 -version = 1 -references = ["https://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Teoderick Contreras"}] -spec_version = 3 -searches = ["ESCU - Allow File And Printing Sharing In Firewall - Rule", "ESCU - Allow Network Discovery In Firewall - Rule", "ESCU - Anomalous usage of 7zip - Rule", "ESCU - CMD Echo Pipe - Escalation - Rule", "ESCU - Cobalt Strike Named Pipes - Rule", "ESCU - Detect Exchange Web Shell - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Regsvr32 Application Control Bypass - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Disabling Firewall with Netsh - Rule", "ESCU - DLLHost with no Command Line Arguments with Network - Rule", "ESCU - Excessive File Deletion In WinDefender Folder - Rule", "ESCU - Excessive Service Stop Attempt - Rule", "ESCU - Exchange PowerShell Abuse via SSRF - Rule", "ESCU - Exchange PowerShell Module Usage - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Firewall Allowed Program Enable - Rule", "ESCU - GPUpdate with no Command Line Arguments with Network - Rule", "ESCU - High Process Termination Frequency - Rule", "ESCU - MS Exchange Mailbox Replication service writing Active Server Pages - Rule", "ESCU - Ping Sleep Batch Command - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Resize ShadowStorage volume - Rule", "ESCU - Rundll32 with no Command Line Arguments with Network - Rule", "ESCU - SearchProtocolHost with no Command Line with Network - Rule", "ESCU - Services Escalate Exe - Rule", "ESCU - Suspicious DLLHost no Command Line Arguments - Rule", "ESCU - Suspicious Driver Loaded Path - Rule", "ESCU - Suspicious GPUpdate no Command Line Arguments - Rule", "ESCU - Suspicious microsoft workflow compiler rename - Rule", "ESCU - Suspicious msbuild path - Rule", "ESCU - Suspicious MSBuild Rename - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", "ESCU - Suspicious Rundll32 StartW - Rule", "ESCU - Suspicious SearchProtocolHost no Command Line Arguments - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows Driver Load Non-Standard Path - Rule", "ESCU - Windows Drivers Loaded by Signature - Rule", "ESCU - Windows Modify Registry EnableLinkedConnections - Rule", "ESCU - Windows Modify Registry LongPathsEnabled - Rule", "ESCU - Windows MSExchange Management Mailbox Cmdlet Usage - Rule", "ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - Windows RDP Connection Successful - Rule", "ESCU - Windows Vulnerable Driver Loaded - Rule", "ESCU - ProxyShell ProxyNotShell Behavior Detected - Rule", "ESCU - Windows Exchange Autodiscover SSRF Abuse - Rule"] -description = Leverage searches that allow you to detect and investigate unusual activities that might relate to the BlackByte ransomware, including looking for file writes associated with BlackByte, persistence, initial access, account registry modification and more. -narrative = BlackByte ransomware campaigns targeting business operations, involve the use of ransomware payloads, infection chain to collect and exfiltrate data and drop payload on the targeted system. BlackByte Ransomware operates by infiltrating a system through various methods, such as malicious email attachments, exploit kits, or compromised websites. Once inside a system, it begins encrypting files using strong encryption algorithms, rendering them unusable. After completing the encryption process, BlackByte Ransomware typically leaves a ransom note that explains the situation to the victim and provides instructions on how to pay the ransom to obtain the decryption key. - -[analytic_story://BlackLotus Campaign] -category = Adversary Tactics -last_updated = 2023-04-14 -version = 1 -references = ["https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/", "https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - Windows BootLoader Inventory - Rule", "ESCU - Windows Impair Defenses Disable HVCI - Rule", "ESCU - Windows WinLogon with Public Network Connection - Rule"] -description = The first in-the-wild UEFI bootkit bypassing UEFI Secure Boot on fully updated UEFI systems is now a reality -narrative = The number of UEFI vulnerabilities discovered in recent years and the failures in patching them or revoking vulnerable binaries within a reasonable time window hasn't gone unnoticed by threat actors. As a result, the first publicly known UEFI bootkit bypassing the essential platform security feature UEFI Secure Boot is now a reality. present the first public analysis of this UEFI bootkit, which is capable of running on even fully-up-to-date Windows 11 systems with UEFI Secure Boot enabled. Functionality of the bootkit and its individual features leads us to believe that we are dealing with a bootkit known as BlackLotus, the UEFI bootkit being sold on hacking forums for $5,000 since at least October 2022. (ESET, 2023) The following content aims to aid defenders in detecting suspicious bootloaders and understanding the diverse techniques employed in this campaign. - -[analytic_story://BlackMatter Ransomware] -category = Malware -last_updated = 2021-09-06 -version = 1 -references = ["https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/", "https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-gang-rises-from-the-ashes-of-darkside-revil/", "https://blog.malwarebytes.com/ransomware/2021/07/blackmatter-a-new-ransomware-group-claims-link-to-darkside-revil/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Teoderick Contreras"}] -spec_version = 3 -searches = ["ESCU - Add DefaultUser And Password In Registry - Rule", "ESCU - Auto Admin Logon Registry Entry - Rule", "ESCU - Bcdedit Command Back To Normal Mode Boot - Rule", "ESCU - Change To Safe Mode With Network Config - Rule", "ESCU - Known Services Killed by Ransomware - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - Ransomware Notes bulk creation - Rule", "ESCU - SchCache Change By App Connect And Create ADSI Object - Rule"] -description = Leverage searches that allow you to detect and investigate unusual activities that might relate to the BlackMatter ransomware, including looking for file writes associated with BlackMatter, force safe mode boot, autadminlogon account registry modification and more. -narrative = BlackMatter ransomware campaigns targeting healthcare and other vertical sectors, involve the use of ransomware payloads along with exfiltration of data per HHS bulletin. Malicious actors demand payment for ransome of data and threaten deletion and exposure of exfiltrated data. - -[analytic_story://Brand Monitoring] -category = Abuse -last_updated = 2017-12-19 -version = 1 -references = ["https://www.zerofox.com/blog/what-is-digital-risk-monitoring/", "https://securingtomorrow.mcafee.com/consumer/family-safety/what-is-typosquatting/", "https://blog.malwarebytes.com/cybercrime/2016/06/explained-typosquatting/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "David Dorsey"}] -spec_version = 3 -searches = ["ESCU - Monitor Email For Brand Abuse - Rule", "ESCU - Monitor DNS For Brand Abuse - Rule", "ESCU - Monitor Web Traffic For Brand Abuse - Rule", "ESCU - Get Email Info - Response Task", "ESCU - Get Emails From Specific Sender - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Process Responsible For The DNS Traffic - Response Task"] -description = Detect and investigate activity that may indicate that an adversary is using faux domains to mislead users into interacting with malicious infrastructure. Monitor DNS, email, and web traffic for permutations of your brand name. -narrative = While you can educate your users and customers about the risks and threats posed by typosquatting, phishing, and corporate espionage, human error is a persistent fact of life. Of course, your adversaries are all too aware of this reality and will happily leverage it for nefarious purposes whenever possible3phishing with lookalike addresses, embedding faux command-and-control domains in malware, and hosting malicious content on domains that closely mimic your corporate servers. This is where brand monitoring comes in. \ -You can use our adaptation of `DNSTwist`, together with the support searches in this Analytic Story, to generate permutations of specified brands and external domains. Splunk can monitor email, DNS requests, and web traffic for these permutations and provide you with early warnings and situational awareness--powerful elements of an effective defense. \ -Notable events will include IP addresses, URLs, and user data. Drilling down can provide you with even more actionable intelligence, including likely geographic information, contextual searches to help you scope the problem, and investigative searches. - -[analytic_story://Brute Ratel C4] -category = Data Destruction -last_updated = 2022-08-23 -version = 1 -references = ["https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/", "https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Teoderick Contreras"}] -spec_version = 3 -searches = ["ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Access Token Manipulation SeDebugPrivilege - Rule", "ESCU - Windows Access Token Manipulation Winlogon Duplicate Token Handle - Rule", "ESCU - Windows Access Token Winlogon Duplicate Handle In Uncommon Path - Rule", "ESCU - Windows Defacement Modify Transcodedwallpaper File - Rule", "ESCU - Windows Gather Victim Identity SAM Info - Rule", "ESCU - Windows Hijack Execution Flow Version Dll Side Load - Rule", "ESCU - Windows Input Capture Using Credential UI Dll - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule", "ESCU - Windows Process Injection With Public Source Path - Rule", "ESCU - Windows Remote Access Software BRC4 Loaded Dll - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule", "ESCU - Windows Service Deletion In Registry - Rule"] -description = Leverage searches that allow you to detect and investigate unusual activities that may be related to Brute Ratel Red Teaming tool. This includes creation, modification and deletion of services, collection or data, ping IP, DNS cache, process injection, debug privileges adjustment, winlogon process duplicate token, lock workstation, get clipboard or screenshot and much more. -narrative = Brute RATEL BRC4 is the latest red-teaming tool that simulate several TTP's. It uses several techniques like syscall, patching ETW/AMSI and written in native C to minimize noise in process command-line. This tool was seen in the wild being abused by some ransomware (blackcat) and adversaries in their campaigns to install the BRC4 agent that can serve as remote admin tool to compromise the target host or network. - -[analytic_story://Caddy Wiper] -category = Data Destruction -last_updated = 2022-03-25 -version = 1 -references = ["https://twitter.com/ESETresearch/status/1503436420886712321", "https://www.welivesecurity.com/2022/03/15/caddywiper-new-wiper-malware-discovered-ukraine/"] -maintainers = [{"company": "Rod Soto, Splunk", "email": "-", "name": "Teoderick Contreras"}] -spec_version = 3 -searches = ["ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule"] -description = Caddy Wiper is a destructive payload that detects if its running on a Domain Controller and executes killswitch if detected. If not in a DC it destroys Users and subsequent mapped drives. This wiper also destroys drive partitions inculding boot partitions. -narrative = Caddy Wiper is destructive malware operation found by ESET multiple organizations in Ukraine. This malicious payload destroys user files, avoids executing on Dnomain Controllers and destroys boot and drive partitions. - -[analytic_story://Chaos Ransomware] -category = Malware -last_updated = 2023-01-11 -version = 1 -references = ["https://blog.qualys.com/vulnerabilities-threat-research/2022/01/17/the-chaos-ransomware-can-be-ravaging", "https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-in-fake-minecraft-alt-list-brings-destruction", "https://marcoramilli.com/2021/06/14/the-allegedly-ryuk-ransomware-builder-ryukjoke/", "https://www.trendmicro.com/en_us/research/21/h/chaos-ransomware-a-dangerous-proof-of-concept.html"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Teoderick Contreras"}] -spec_version = 3 -searches = ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Prevent Automatic Repair Mode using Bcdedit - Rule", "ESCU - Ransomware Notes bulk creation - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - WBAdmin Delete System Backups - Rule", "ESCU - Windows Boot or Logon Autostart Execution In Startup Folder - Rule", "ESCU - Windows Replication Through Removable Media - Rule", "ESCU - Windows User Execution Malicious URL Shortcut File - Rule"] -description = Leverage searches that allow you to detect and investigate unusual activities that might relate to the Chaos ransomware, including looking for file writes (file encryption and ransomware notes), deleting shadow volume storage, registry key modification, dropping of files in startup folder, and more. -narrative = CHAOS ransomware has been seen and monitored since 2021. This ransomware is purportedly a .NET version of Ryuk ransomware but upon closer look to its code and behavior, this malware sample reveals that it doesn't share much relation to the notorious RYUK ransomware. This ransomware is one of the known ransomware that was used in the ongoing geo-political war. This ransomware is capable to check that only one copy of itself is running on the targeted host, delay of execution as part of its defense evasion technique, persistence through registry and startup folder, drop a copy of itself in each root drive of the targeted host and also in %appdata% folder and many more. As of writing this ransomware is still active and keeps on infecting Windows Operating machines and Windows networks. - -[analytic_story://CISA AA22-257A] -category = Adversary Tactics -last_updated = 2022-09-15 -version = 1 -references = ["https://www.cisa.gov/uscert/ncas/alerts/aa21-321a", "https://www.cisa.gov/uscert/ncas/alerts/aa22-257a", "https://www.ic3.gov/Media/News/2021/210527.pdf", "https://www.us-cert.gov/sites/default/files/AA22-257A.stix.xml", "https://www.us-cert.cisa.gov/iran"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Dump LSASS via procdump Rename - Rule", "ESCU - Create local admin accounts using net exe - Rule", "ESCU - Creation of lsass Dump with Taskmgr - Rule", "ESCU - Detect Exchange Web Shell - Rule", "ESCU - Detect New Local Admin account - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Dump LSASS via procdump - Rule", "ESCU - Extraction of Registry Hives - Rule", "ESCU - Randomly Generated Scheduled Task Name - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Short Lived Scheduled Task - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows Hidden Schedule Task Settings - Rule", "ESCU - Windows Possible Credential Dumping - Rule", "ESCU - Windows Protocol Tunneling with Plink - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule", "ESCU - Log4Shell JNDI Payload Injection Attempt - Rule"] -description = The Iranian government-sponsored APT actors are actively targeting a broad range of victims across multiple U.S. critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian organizations. -narrative = This advisory updates joint CSA Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities, which provides information on these Iranian government-sponsored APT actors exploiting known Fortinet and Microsoft Exchange vulnerabilities to gain initial access to a broad range of targeted entities in furtherance of malicious activities, including ransom operations. The authoring agencies now judge these actors are an APT group affiliated with the IRGC. Since the initial reporting of this activity in the FBI Liaison Alert System (FLASH) report APT Actors Exploiting Fortinet Vulnerabilities to Gain Access for Malicious Activity from May 2021, the authoring agencies have continued to observe these IRGC-affiliated actors exploiting known vulnerabilities for initial access. In addition to exploiting Fortinet and Microsoft Exchange vulnerabilities, the authoring agencies have observed these APT actors exploiting VMware Horizon Log4j vulnerabilities for initial access. The IRGC-affiliated actors have used this access for follow-on activity, including disk encryption and data extortion, to support ransom operations. The IRGC-affiliated actors are actively targeting a broad range of entities, including entities across multiple U.S. critical infrastructure sectors as well as Australian, Canadian, and United Kingdom organizations. These actors often operate under the auspices of Najee Technology Hooshmand Fater LLC, based in Karaj, Iran, and Afkar System Yazd Company, based in Yazd, Iran. The authoring agencies assess the actors are exploiting known vulnerabilities on unprotected networks rather than targeting specific targeted entities or sectors. This advisory provides observed tactics, techniques, and indicators of compromise (IOCs) that the authoring agencies assess are likely associated with this IRGC-affiliated APT. The authoring agencies urge organizations, especially critical infrastructure organizations, to apply the recommendations listed in the Mitigations section of this advisory to mitigate risk of compromise from these IRGC-affiliated cyber actors. - -[analytic_story://CISA AA22-264A] -category = Adversary Tactics -last_updated = 2022-09-22 -version = 1 -references = ["https://www.cisa.gov/uscert/ncas/alerts/aa22-264a", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-264a-iranian-cyber-actors-conduct-cyber-operations-against-the-government-of-albania.pdf", "https://www.mandiant.com/resources/blog/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against", "https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Attacker Tools On Endpoint - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Excessive Usage Of Taskkill - Rule", "ESCU - Exchange PowerShell Module Usage - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows Event Log Cleared - Rule", "ESCU - Windows Possible Credential Dumping - Rule", "ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - Windows System File on Disk - Rule"] -description = Iranian State Actors Conduct Cyber Operations Against the Government of Albania. -narrative = The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory to provide information on recent cyber operations against the Government of Albania in July and September. This advisory provides a timeline of activity observed, from initial access to execution of encryption and wiper attacks. Additional information concerning files used by the actors during their exploitation of and cyber attack against the victim organization is provided in Appendices A and B. In September 2022, Iranian cyber actors launched another wave of cyber attacks against the Government of Albania, using similar TTPs and malware as the cyber attacks in July. These were likely done in retaliation for public attribution of the cyber attacks in July and severed diplomatic ties between Albania and Iran. - -[analytic_story://CISA AA22-277A] -category = Adversary Tactics -last_updated = 2022-10-05 -version = 1 -references = ["https://www.cisa.gov/uscert/ncas/alerts/aa22-277a", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-277a-impacket-and-exfiltration-tool-used-to-steal-sensitive-information-from-defense-industrial-base-organization.pdf"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Create or delete windows shares using net exe - Rule", "ESCU - Detect Renamed WinRAR - Rule", "ESCU - Excessive Usage Of Taskkill - Rule", "ESCU - Exchange PowerShell Module Usage - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Network Discovery Using Route Windows App - Rule"] -description = From November 2021 through January 2022, the Cybersecurity and Infrastructure Security Agency (CISA) responded to advanced persistent threat (APT) activity on a Defense Industrial Base (DIB) Sector organization's enterprise network. During incident response activities, multiple utilities were utilized. -narrative = CISA uncovered that likely multiple APT groups compromised the organization's network, and some APT actors had long-term access to the environment. APT actors used an open-source toolkit called Impacket to gain their foothold within the environment and further compromise the network, and also used a custom data exfiltration tool, CovalentStealer, to steal the victim's sensitive data. - -[analytic_story://CISA AA22-320A] -category = Adversary Tactics -last_updated = 2022-11-16 -version = 1 -references = ["https://www.cisa.gov/uscert/ncas/alerts/aa22-320a", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Suspicious Powershell Command-Line Arguments - Rule", "ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Enable WDigest UseLogonCredential Registry - Rule", "ESCU - GetAdComputer with PowerShell Script Block - Rule", "ESCU - Log4Shell CVE-2021-44228 Exploitation - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Mimikatz PassTheTicket CommandLine Parameters - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Suspicious Driver Loaded Path - Rule", "ESCU - Windows Driver Load Non-Standard Path - Rule", "ESCU - Windows Drivers Loaded by Signature - Rule", "ESCU - Windows Mimikatz Binary Execution - Rule", "ESCU - Windows Ngrok Reverse Proxy Usage - Rule", "ESCU - Windows Service Create Kernel Mode Driver - Rule", "ESCU - XMRIG Driver Loaded - Rule", "ESCU - Ngrok Reverse Proxy on Network - Rule", "ESCU - Hunting for Log4Shell - Rule", "ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", "ESCU - Log4Shell JNDI Payload Injection with Outbound Connection - Rule"] -description = CISA and the FBI have identified an APT activity where the adversary gained initial access via Log4Shell via a unpatched VMware Horizon server. From there the adversary moved laterally and continued to its objective. -narrative = From mid-June through mid-July 2022, CISA conducted an incident response engagement at a Federal Civilian Executive Branch (FCEB) organization where CISA observed suspected advanced persistent threat (APT) activity. In the course of incident response activities, CISA determined that cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto mining software, moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence. CISA and the Federal Bureau of Investigation (FBI) assess that the FCEB network was compromised by Iranian government-sponsored APT actors. - -[analytic_story://CISA AA23-347A] -category = Data Destruction -last_updated = 2023-12-14 -version = 1 -references = ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a"] -maintainers = [{"company": "Rod Soto, Splunk", "email": "-", "name": "Teoderick Contreras"}] -spec_version = 3 -searches = ["ESCU - Access LSASS Memory for Dump Creation - Rule", "ESCU - AdsiSearcher Account Discovery - Rule", "ESCU - Attempted Credential Dump From Registry via Reg exe - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Detect Credential Dumping through LSASS access - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - Disable AMSI Through Registry - Rule", "ESCU - Disable Defender BlockAtFirstSeen Feature - Rule", "ESCU - Disable Defender Enhanced Notification - Rule", "ESCU - Disable Defender Spynet Reporting - Rule", "ESCU - Disable Defender Submit Samples Consent Feature - Rule", "ESCU - Disable ETW Through Registry - Rule", "ESCU - Disable Logs Using WevtUtil - Rule", "ESCU - Disable Security Logs Using MiniNt Registry - Rule", "ESCU - Disable UAC Remote Restriction - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Disable Windows SmartScreen Protection - Rule", "ESCU - Disabled Kerberos Pre-Authentication Discovery With Get-ADUser - Rule", "ESCU - Disabling FolderOptions Windows Feature - Rule", "ESCU - Domain Controller Discovery with Nltest - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Extraction of Registry Hives - Rule", "ESCU - Get ADUser with PowerShell - Rule", "ESCU - Get ADUser with PowerShell Script Block - Rule", "ESCU - Get ADUserResultantPasswordPolicy with Powershell - Rule", "ESCU - Get ADUserResultantPasswordPolicy with Powershell Script Block - Rule", "ESCU - Get DomainUser with PowerShell - Rule", "ESCU - Get DomainUser with PowerShell Script Block - Rule", "ESCU - Mimikatz PassTheTicket CommandLine Parameters - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - PowerShell Domain Enumeration - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Remote Process Instantiation via WMI - Rule", "ESCU - Remote WMI Command Attempt - Rule", "ESCU - Rubeus Command Line Parameters - Rule", "ESCU - Rubeus Kerberos Ticket Exports Through Winlogon Access - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Services Escalate Exe - Rule", "ESCU - Services LOLBAS Execution Process Spawn - Rule", "ESCU - Short Lived Scheduled Task - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Suspicious wevtutil Usage - Rule", "ESCU - System User Discovery With Whoami - Rule", "ESCU - Unload Sysmon Filter Driver - Rule", "ESCU - Windows Access Token Manipulation SeDebugPrivilege - Rule", "ESCU - Windows Account Discovery for None Disable User Account - Rule", "ESCU - Windows Account Discovery for Sam Account Name - Rule", "ESCU - Windows Account Discovery With NetUser PreauthNotRequire - Rule", "ESCU - Windows Archive Collected Data via Powershell - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows Credentials from Password Stores Chrome Extension Access - Rule", "ESCU - Windows Disable Notification Center - Rule", "ESCU - Windows Disable Windows Event Logging Disable HTTP Logging - Rule", "ESCU - Windows Disable Windows Group Policy Features Through Registry - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows DISM Remove Defender - Rule", "ESCU - Windows Domain Account Discovery Via Get-NetComputer - Rule", "ESCU - Windows Excessive Disabled Services Event - Rule", "ESCU - Windows Hunting System Account Targeting Lsass - Rule", "ESCU - Windows Impair Defenses Disable Win Defender Auto Logging - Rule", "ESCU - Windows Known GraphicalProton Loaded Modules - Rule", "ESCU - Windows LSA Secrets NoLMhash Registry - Rule", "ESCU - Windows Mimikatz Binary Execution - Rule", "ESCU - Windows Mimikatz Crypto Export File Extensions - Rule", "ESCU - Windows Modify Registry Disable Restricted Admin - Rule", "ESCU - Windows Modify Registry Disable Win Defender Raw Write Notif - Rule", "ESCU - Windows Modify Registry Disable WinDefender Notifications - Rule", "ESCU - Windows Modify Registry Disable Windows Security Center Notif - Rule", "ESCU - Windows Modify Registry DisableSecuritySettings - Rule", "ESCU - Windows Modify Registry Disabling WER Settings - Rule", "ESCU - Windows Modify Registry No Auto Update - Rule", "ESCU - Windows Modify Registry Suppress Win Defender Notif - Rule", "ESCU - Windows Non-System Account Targeting Lsass - Rule", "ESCU - Windows Possible Credential Dumping - Rule", "ESCU - Windows PowerView Constrained Delegation Discovery - Rule", "ESCU - Windows PowerView SPN Discovery - Rule", "ESCU - Windows PowerView Unconstrained Delegation Discovery - Rule", "ESCU - Windows Process Commandline Discovery - Rule", "ESCU - Windows Query Registry Reg Save - Rule", "ESCU - Windows Remote Create Service - Rule", "ESCU - Windows Scheduled Task Created Via XML - Rule", "ESCU - Windows Scheduled Task with Highest Privileges - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows Service Creation on Remote Endpoint - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule", "ESCU - Windows Service Initiation on Remote Endpoint - Rule", "ESCU - Windows Service Stop Win Updates - Rule", "ESCU - Windows System User Privilege Discovery - Rule", "ESCU - Windows WMI Process Call Create - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinRM Spawning a Process - Rule", "ESCU - JetBrains TeamCity RCE Attempt - Rule"] -description = Leverage searches that allow you to detect and investigate unusual activities that might be related to the SVR cyber activity tactics and techniques. While SVR followed a similar playbook in each compromise, they also adjusted to each operating environment and not all presented steps or actions below were executed on every host. -narrative = SVR cyber operations pose a persistent threat to public and private organizations' networks globally. Since 2013, cybersecurity companies and governments have reported on SVR operations targeting victim networks to steal confidential and proprietary information. A decade later, the authoring agencies can infer a long-term targeting pattern aimed at collecting, and enabling the collection of, foreign intelligence, a broad concept that for Russia encompasses information on the politics, economics, and military of foreign states; science and technology; and foreign counterintelligence. The SVR also conducts cyber operations targeting technology companies that enable future cyber operations. The SVR's recent operation has targeted networks hosting TeamCity servers, further underscoring its persistent focus on technology companies. By leveraging CVE-2023-42793, a vulnerability within a software development program, the SVR seeks to gain access to victims, potentially compromising numerous software developers' networks. JetBrains responded to this threat by issuing a patch in mid-September 2023, limting the SVR's ability to exploit Internet-accessible TeamCity servers lacking the necessary updates. Despite this mitigation, the SVR has yet to utilize its acquired access to software developers' networks for breaching customer systems. It appears that the SVR is still in the preparatory stages of its operation. - -[analytic_story://Cisco IOS XE Software Web Management User Interface vulnerability] -category = Adversary Tactics -last_updated = 2023-10-17 -version = 1 -references = ["https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - Cisco IOS XE Implant Access - Rule"] -description = Cisco has identified active exploitation of a previously unknown vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software (CVE-2023-20198) when exposed to the internet or untrusted networks. Successful exploitation of this vulnerability allows an attacker to create an account on the affected device with privilege level 15 access, effectively granting them full control of the compromised device and allowing possible subsequent unauthorized activity. -narrative = Cisco discovered early evidence of potentially malicious activity on September 28, 2023, when a case was opened with Cisco's Technical Assistance Center (TAC) that identified unusual behavior on a customer device. Upon further investigation, they observed what they have determined to be related activity as early as September 18. The activity included an authorized user creating a local user account under the username cisco_tac_admin from a suspicious IP address. On October 12, Cisco Talos Incident Response (Talos IR) and TAC detected what they later determined to be an additional cluster of related activity that began on that same day. In this cluster, an unauthorized user was observed creating a local user account under the name cisco_support from a second suspicious IP address. Unlike the September case, this October activity included several subsequent actions, including the deployment of an implant consisting of a configuration file (cisco_service.conf). The configuration file defines the new web server endpoint (URI path) used to interact with the implant. That endpoint receives certain parameters, described in more detail below, that allows the actor to execute arbitrary commands at the system level or IOS level. For the implant to become active, the web server must be restarted; in at least one observed case the server was not restarted so the implant never became active despite being installed. - -[analytic_story://Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966] -category = Adversary Tactics -last_updated = 2023-10-24 -version = 1 -references = ["https://www.netscaler.com/blog/news/cve-2023-4966-critical-security-update-now-available-for-netscaler-adc-and-netscaler-gateway/", "https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967", "https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966", "https://github.com/assetnote/exploits/tree/main/citrix/CVE-2023-4966", "https://github.com/projectdiscovery/nuclei-templates/blob/b815d23b908de52996060163091395d1c89fbeea/http/cves/2023/CVE-2023-4966.yaml"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - Citrix ADC and Gateway Unauthorized Data Disclosure - Rule"] -description = A critical security update, CVE-2023-4966, has been released for NetScaler ADC and NetScaler Gateway. This vulnerability, discovered by our internal team, can result in unauthorized data disclosure if exploited. Reports of incidents consistent with session hijacking have been received. The Cybersecurity and Infrastructure Security Agency (CISA) has added an entry for CVE-2023-4966 to its Known Exploited and Vulnerabilities Catalog. No workarounds are available for this vulnerability, and immediate installation of the recommended builds is strongly advised. -narrative = On October 10, 2023, Cloud Software Group released builds to fix CVE-2023-4966, a vulnerability affecting NetScaler ADC and NetScaler Gateway. This vulnerability, if exploited, can lead to unauthorized data disclosure and possibly session hijacking. Although there were no known exploits at the time of disclosure, we have since received credible reports of targeted attacks exploiting this vulnerability. The Cybersecurity and Infrastructure Security Agency (CISA) has added an entry for CVE-2023-4966 to its Known Exploited and Vulnerabilities Catalog, which contains detection and mitigation guidance for observed exploitations of CVE-2023-4966 by threat actors against NetScaler ADC and NetScaler Gateway. We strongly recommend that users of affected builds immediately install the recommended builds, as this vulnerability has been identified as critical. No workarounds are available for this vulnerability. - -[analytic_story://Citrix Netscaler ADC CVE-2023-3519] -category = Adversary Tactics -last_updated = 2023-07-20 -version = 1 -references = ["https://attackerkb.com/topics/si09VNJhHh/cve-2023-3519", "https://www.cisa.gov/sites/default/files/2023-07/aa23-201a_csa_threat_actors_exploiting_citrix-cve-2023-3519_to_implant_webshells.pdf", "https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - Citrix ADC Exploitation CVE-2023-3519 - Rule"] -description = The CVE-2023-3519 vulnerability in NetScaler (formerly Citrix) Application Delivery Controller (ADC) and NetScaler Gateway has been exploited by threat actors, as detailed in a recent advisory. The unauthenticated remote code execution vulnerability was utilized as a zero-day to establish a webshell on a non-production environment NetScaler ADC appliance within a critical infrastructure organization. This facilitated the execution of discovery on the victim's active directory and the collection and exfiltration of data. The advisory offers a comprehensive examination of the threat actors' tactics, techniques, and procedures (TTPs), alongside recommended detection methods and incident response guidelines. Immediate patch application from Citrix and the use of the detection guidance in the advisory is strongly recommended for critical infrastructure organizations to mitigate system compromises. -narrative = Recent advisories have highlighted the exploitation of CVE-2023-3519, a critical vulnerability in Citrix's NetScaler Application Delivery Controller (ADC) and NetScaler Gateway. In June 2023, threat actors utilized this vulnerability to implant a webshell on a NetScaler ADC appliance within a critical infrastructure organization's non-production environment. This action granted them the ability to perform active directory discovery, data collection, and exfiltration. Notably, attempts for lateral movement to a domain controller were obstructed by network-segmentation controls. \ -The compromised organization reported the breach, leading Citrix to issue a patch on July 18, 2023. Multiple advisories have since outlined the threat actors' tactics, techniques, and procedures (TTPs), including their initial access, persistence, privilege escalation, defense evasion, credential access, discovery, collection, command and control, and impact. These advisories also provide detection methods and recommend incident response measures. \ -The threat actors executed several activities during their attack, such as uploading a TGZ file with a generic webshell, discovery script, and setuid binary on the ADC appliance; conducting SMB scanning on the subnet; using the webshell for active directory enumeration and data exfiltration; and accessing NetScaler configuration files and decryption keys. They also decrypted an active directory credential, queried the active directory for various information, encrypted collected data, exfiltrated it as an image file, and attempted to erase their artifacts. Despite these actions, further discovery and lateral movement were impeded due to the organization's network-segmentation controls. \ \ -Advisories suggest conducting specific checks on the ADC shell interface to detect signs of compromise. If a compromise is detected, organizations should isolate potentially affected hosts, reimage compromised hosts, provide new account credentials, collect and review artifacts, and report the compromise. To mitigate the threat, organizations are advised to promptly install the relevant updates for NetScaler ADC and NetScaler Gateway, adhere to cybersecurity best practices, and apply robust network-segmentation controls on NetScaler appliances and other internet-facing devices. - -[analytic_story://Citrix ShareFile RCE CVE-2023-24489] -category = Adversary Tactics -last_updated = 2023-07-26 -version = 1 -references = ["https://www.greynoise.io/blog/introducing-cve-2023-24489-a-critical-citrix-sharefile-rce-vulnerability", "https://blog.assetnote.io/2023/07/04/citrix-sharefile-rce/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Citrix ShareFile Exploitation CVE-2023-24489 - Rule"] -description = A critical vulnerability has been discovered in ShareFile's Storage Zones Controller software (CVE-2023-24489), used by numerous organizations for file sharing and storage. The vulnerability allows unauthenticated arbitrary file upload and remote code execution due to a cryptographic bug in the software's encryption but lack of authentication system. The risk comes from a failing encryption check, allowing potential cybercriminals to upload malicious files to the server. The bug was found in the Documentum Connector's .aspx files. The security risk has a potentially large impact due to the software's wide use and the sensitivity of the stored data. Citrix has released a security update to address this issue. -narrative = The ShareFile Storage Zones Controller is a .NET web application running under IIS, which manages the storage of files in ShareFile's system. It was discovered that this software has a critical vulnerability (CVE-2023-24489) in the file upload functionality provided by the Documentum Connector's .aspx files. Specifically, the security flaw lies in the encryption check in the file upload process which could be bypassed, allowing for unauthenticated arbitrary file uploads and remote code execution. \ -The application sets the current principal from a session cookie, but if this is missing, the application continues without authentication. The application uses AES encryption, with CBC mode and PKCS#7 padding. A decryption check is in place which returns an error if the decryption fails, but this can be bypassed by supplying a ciphertext that results in valid padding after decryption, thereby not causing an exception. \ -The Documentum Connector's upload.aspx file, when uploading a file, calls the ProcessRawPostedFile function, which allows a path traversal due to improper sanitization of the 'uploadId' parameter. It allows the 'filename' and 'uploadId' parameters to be concatenated, and while the 'filename' parameter is sanitized, the 'uploadId' is not. The 'parentid' parameter is passed in but is also not used. \ -The vulnerability enables an attacker to upload a webshell or any other malicious file, by providing a properly padded encrypted string for the 'parentid' parameter, and specifying the path for the 'uploadId' and the name for the 'filename'. An attacker can achieve remote code execution by requesting the uploaded file. The issue was addressed by Citrix in a recent security update. - -[analytic_story://Clop Ransomware] -category = Malware -last_updated = 2021-03-17 -version = 1 -references = ["https://www.hhs.gov/sites/default/files/analyst-note-cl0p-tlp-white.pdf", "https://securityaffairs.co/wordpress/115250/data-breach/qualys-clop-ransomware.html", "https://www.darkreading.com/attacks-breaches/qualys-is-the-latest-victim-of-accellion-data-breach/d/d-id/1340323"] -maintainers = [{"company": "Teoderick Contreras, Splunk", "email": "-", "name": "Rod Soto"}] -spec_version = 3 -searches = ["ESCU - Clop Common Exec Parameter - Rule", "ESCU - Clop Ransomware Known Service Name - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - High Process Termination Frequency - Rule", "ESCU - Process Deleting Its Process File Path - Rule", "ESCU - Ransomware Notes bulk creation - Rule", "ESCU - Resize ShadowStorage volume - Rule", "ESCU - Suspicious Event Log Service Behavior - Rule", "ESCU - Suspicious wevtutil Usage - Rule", "ESCU - Windows Event Log Cleared - Rule", "ESCU - Windows High File Deletion Frequency - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule"] -description = Leverage searches that allow you to detect and investigate unusual activities that might relate to the Clop ransomware, including looking for file writes associated with Clope, encrypting network shares, deleting and resizing shadow volume storage, registry key modification, deleting of security logs, and more. -narrative = Clop ransomware campaigns targeting healthcare and other vertical sectors, involve the use of ransomware payloads along with exfiltration of data per HHS bulletin. Malicious actors demand payment for ransome of data and threaten deletion and exposure of exfiltrated data. - -[analytic_story://Cloud Cryptomining] -category = Cloud Security -last_updated = 2019-10-02 -version = 1 -references = ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"] -maintainers = [{"company": "Splunk", "email": "-", "name": "David Dorsey"}] -spec_version = 3 -searches = ["ESCU - Abnormally High Number Of Cloud Instances Launched - Rule", "ESCU - Cloud Compute Instance Created By Previously Unseen User - Rule", "ESCU - Cloud Compute Instance Created In Previously Unused Region - Rule", "ESCU - Cloud Compute Instance Created With Previously Unseen Image - Rule", "ESCU - Cloud Compute Instance Created With Previously Unseen Instance Type - Rule", "ESCU - AWS Investigate Security Hub alerts by dest - Response Task", "ESCU - AWS Investigate User Activities By ARN - Response Task", "ESCU - Get EC2 Instance Details by instanceId - Response Task", "ESCU - Get EC2 Launch Details - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Investigate AWS activities via region name - Response Task"] -description = Monitor your cloud compute instances for activities related to cryptojacking/cryptomining. New instances that originate from previously unseen regions, users who launch abnormally high numbers of instances, or compute instances started by previously unseen users are just a few examples of potentially malicious behavior. -narrative = Cryptomining is an intentionally difficult, resource-intensive business. Its complexity was designed into the process to ensure that the number of blocks mined each day would remain steady. So, it's par for the course that ambitious, but unscrupulous, miners make amassing the computing power of large enterprises--a practice known as cryptojacking--a top priority. \ -Cryptojacking has attracted an increasing amount of media attention since its explosion in popularity in the fall of 2017. The attacks have moved from in-browser exploits and mobile phones to enterprise cloud services, such as Amazon Web Services (AWS), Google Cloud Platform (GCP), and Azure. It's difficult to determine exactly how widespread the practice has become, since bad actors continually evolve their ability to escape detection, including employing unlisted endpoints, moderating their CPU usage, and hiding the mining pool's IP address behind a free CDN. \ -When malicious miners appropriate a cloud instance, often spinning up hundreds of new instances, the costs can become astronomical for the account holder. So it is critically important to monitor your systems for suspicious activities that could indicate that your network has been infiltrated. \ -This Analytic Story is focused on detecting suspicious new instances in your cloud environment to help prevent cryptominers from gaining a foothold. It contains detection searches that will detect when a previously unused instance type or AMI is used. It also contains support searches to build lookup files to ensure proper execution of the detection searches. - -[analytic_story://Cloud Federated Credential Abuse] -category = Cloud Security -last_updated = 2021-01-26 -version = 1 -references = ["https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps", "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", "https://us-cert.cisa.gov/ncas/alerts/aa21-008a"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Rod Soto"}] -spec_version = 3 -searches = ["ESCU - AWS SAML Access by Provider User and Principal - Rule", "ESCU - AWS SAML Update identity provider - Rule", "ESCU - O365 Add App Role Assignment Grant User - Rule", "ESCU - O365 Added Service Principal - Rule", "ESCU - O365 Excessive SSO logon errors - Rule", "ESCU - O365 New Federated Domain Added - Rule", "ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Detect Mimikatz Via PowerShell And EventCode 4703 - Rule", "ESCU - Certutil exe certificate extraction - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule"] -description = This analytical story addresses events that indicate abuse of cloud federated credentials. These credentials are usually extracted from endpoint desktop or servers specially those servers that provide federation services such as Windows Active Directory Federation Services. Identity Federation relies on objects such as Oauth2 tokens, cookies or SAML assertions in order to provide seamless access between cloud and perimeter environments. If these objects are either hijacked or forged then attackers will be able to pivot into victim's cloud environements. -narrative = This story is composed of detection searches based on endpoint that addresses the use of Mimikatz, Escalation of Privileges and Abnormal processes that may indicate the extraction of Federated directory objects such as passwords, Oauth2 tokens, certificates and keys. Cloud environment (AWS, Azure) related events are also addressed in specific cloud environment detection searches. - -[analytic_story://Cobalt Strike] -category = Adversary Tactics -last_updated = 2021-02-16 -version = 1 -references = ["https://www.cobaltstrike.com/", "https://www.infocyte.com/blog/2020/09/02/cobalt-strike-the-new-favorite-among-thieves/", "https://bluescreenofjeff.com/2017-01-24-how-to-write-malleable-c2-profiles-for-cobalt-strike/", "https://blog.talosintelligence.com/2020/09/coverage-strikes-back-cobalt-strike-paper.html", "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html", "https://github.com/MichaelKoczwara/Awesome-CobaltStrike-Defence", "https://github.com/zer0yu/Awesome-CobaltStrike"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - Anomalous usage of 7zip - Rule", "ESCU - CMD Echo Pipe - Escalation - Rule", "ESCU - Cobalt Strike Named Pipes - Rule", "ESCU - Detect Regsvr32 Application Control Bypass - Rule", "ESCU - DLLHost with no Command Line Arguments with Network - Rule", "ESCU - GPUpdate with no Command Line Arguments with Network - Rule", "ESCU - Rundll32 with no Command Line Arguments with Network - Rule", "ESCU - SearchProtocolHost with no Command Line with Network - Rule", "ESCU - Services Escalate Exe - Rule", "ESCU - Suspicious DLLHost no Command Line Arguments - Rule", "ESCU - Suspicious GPUpdate no Command Line Arguments - Rule", "ESCU - Suspicious microsoft workflow compiler rename - Rule", "ESCU - Suspicious msbuild path - Rule", "ESCU - Suspicious MSBuild Rename - Rule", "ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", "ESCU - Suspicious Rundll32 StartW - Rule", "ESCU - Suspicious SearchProtocolHost no Command Line Arguments - Rule"] -description = Cobalt Strike is threat emulation software. Red teams and penetration testers use Cobalt Strike to demonstrate the risk of a breach and evaluate mature security programs. Most recently, Cobalt Strike has become the choice tool by threat groups due to its ease of use and extensibility. -narrative = This Analytic Story supports you to detect Tactics, Techniques and Procedures (TTPs) from Cobalt Strike. Cobalt Strike has many ways to be enhanced by using aggressor scripts, malleable C2 profiles, default attack packages, and much more. For endpoint behavior, Cobalt Strike is most commonly identified via named pipes, spawn to processes, and DLL function names. Many additional variables are provided for in memory operation of the beacon implant. On the network, depending on the malleable C2 profile used, it is near infinite in the amount of ways to conceal the C2 traffic with Cobalt Strike. Not every query may be specific to Cobalt Strike the tool, but the methodologies and techniques used by it. \ -Splunk Threat Research reviewed all publicly available instances of Malleabe C2 Profiles and generated a list of the most commonly used spawnto and pipenames. \ -`Spawnto_x86` and `spawnto_x64` is the process that Cobalt Strike will spawn and injects shellcode into. \ -Pipename sets the named pipe name used in Cobalt Strikes Beacon SMB C2 traffic. \ -With that, new detections were generated focused on these spawnto processes spawning without command line arguments. Similar, the named pipes most commonly used by Cobalt Strike added as a detection. In generating content for Cobalt Strike, the following is considered: \ -- Is it normal for spawnto_ value to have no command line arguments? No command line arguments and a network connection? \ -- What is the default, or normal, process lineage for spawnto_ value? \ -- Does the spawnto_ value make network connections? \ -- Is it normal for spawnto_ value to load jscript, vbscript, Amsi.dll, and clr.dll? \ -While investigating a detection related to this Analytic Story, keep in mind the parent process, process path, and any file modifications that may occur. Tuning may need to occur to remove any false positives. - -[analytic_story://ColdRoot MacOS RAT] -category = Malware -last_updated = 2019-01-09 -version = 1 -references = ["https://www.intego.com/mac-security-blog/osxcoldroot-and-the-rat-invasion/", "https://objective-see.com/blog/blog_0x2A.html", "https://www.bleepingcomputer.com/news/security/coldroot-rat-still-undetectable-despite-being-uploaded-on-github-two-years-ago/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Jose Hernandez"}] -spec_version = 3 -searches = ["ESCU - Osquery pack - ColdRoot detection - Rule", "ESCU - MacOS - Re-opened Applications - Rule", "ESCU - Processes Tapping Keyboard Events - Rule", "ESCU - Get Notable History - Response Task", "ESCU - Investigate Network Traffic From src ip - Response Task"] -description = Leverage searches that allow you to detect and investigate unusual activities that relate to the ColdRoot Remote Access Trojan that affects MacOS. An example of some of these activities are changing sensative binaries in the MacOS sub-system, detecting process names and executables associated with the RAT, detecting when a keyboard tab is installed on a MacOS machine and more. -narrative = Conventional wisdom holds that Apple's MacOS operating system is significantly less vulnerable to attack than Windows machines. While that point is debatable, it is true that attacks against MacOS systems are much less common. However, this fact does not mean that Macs are impervious to breaches. To the contrary, research has shown that that Mac malware is increasing at an alarming rate. According to AV-test, in 2018, there were 86,865 new MacOS malware variants, up from 27,338 the year before—a 31% increase. In contrast, the independent research firm found that new Windows malware had increased from 65.17M to 76.86M during that same period, less than half the rate of growth. The bottom line is that while the numbers look a lot smaller than Windows, it's definitely time to take Mac security more seriously. \ -This Analytic Story addresses the ColdRoot remote access trojan (RAT), which was uploaded to Github in 2016, but was still escaping detection by the first quarter of 2018, when a new, more feature-rich variant was discovered masquerading as an Apple audio driver. Among other capabilities, the Pascal-based ColdRoot can heist passwords from users' keychains and remotely control infected machines without detection. In the initial report of his findings, Patrick Wardle, Chief Research Officer for Digita Security, explained that the new ColdRoot RAT could start and kill processes on the breached system, spawn new remote-desktop sessions, take screen captures and assemble them into a live stream of the victim's desktop, and more. \ -Searches in this Analytic Story leverage the capabilities of OSquery to address ColdRoot detection from several different angles, such as looking for the existence of associated files and processes, and monitoring for signs of an installed keylogger. - -[analytic_story://Collection and Staging] -category = Adversary Tactics -last_updated = 2020-02-03 -version = 1 -references = ["https://attack.mitre.org/wiki/Collection", "https://attack.mitre.org/wiki/Technique/T1074"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Rico Valdez"}] -spec_version = 3 -searches = ["ESCU - Email files written outside of the Outlook directory - Rule", "ESCU - Email servers sending high volume traffic to hosts - Rule", "ESCU - Suspicious writes to System Volume Information - Rule", "ESCU - Detect Renamed 7-Zip - Rule", "ESCU - Detect Renamed WinRAR - Rule", "ESCU - Suspicious writes to windows Recycle Bin - Rule", "ESCU - Hosts receiving high volume of network traffic from email server - Rule", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"] -description = Monitor for and investigate activities--such as suspicious writes to the Windows Recycling Bin or email servers sending high amounts of traffic to specific hosts, for example--that may indicate that an adversary is harvesting and exfiltrating sensitive data. -narrative = A common adversary goal is to identify and exfiltrate data of value from a target organization. This data may include email conversations and addresses, confidential company information, links to network design/infrastructure, important dates, and so on. \ -Attacks are composed of three activities: identification, collection, and staging data for exfiltration. Identification typically involves scanning systems and observing user activity. Collection can involve the transfer of large amounts of data from various repositories. Staging/preparation includes moving data to a central location and compressing (and optionally encoding and/or encrypting) it. All of these activities provide opportunities for defenders to identify their presence. \ -Use the searches to detect and monitor suspicious behavior related to these activities. - -[analytic_story://Command And Control] -category = Adversary Tactics -last_updated = 2018-06-01 -version = 1 -references = ["https://attack.mitre.org/wiki/Command_and_Control", "https://searchsecurity.techtarget.com/feature/Command-and-control-servers-The-puppet-masters-that-govern-malware"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Rico Valdez"}] -spec_version = 3 -searches = ["ESCU - Detect Spike in blocked Outbound Traffic from your AWS - Rule", "ESCU - Clients Connecting to Multiple DNS Servers - Rule", "ESCU - Detect Long DNS TXT Record Response - Rule", "ESCU - Detection of DNS Tunnels - Rule", "ESCU - DNS Query Requests Resolved by Unauthorized DNS Servers - Rule", "ESCU - Detect Remote Access Software Usage File - Rule", "ESCU - Detect Remote Access Software Usage FileInfo - Rule", "ESCU - Detect Remote Access Software Usage Process - Rule", "ESCU - DNS Exfiltration Using Nslookup App - Rule", "ESCU - Excessive Usage of NSLOOKUP App - Rule", "ESCU - Windows Remote Access Software Hunt - Rule", "ESCU - Detect DGA domains using pretrained model in DSDL - Rule", "ESCU - Detect DNS Data Exfiltration using pretrained model in DSDL - Rule", "ESCU - Detect hosts connecting to dynamic domain providers - Rule", "ESCU - Detect Large Outbound ICMP Packets - Rule", "ESCU - Detect Remote Access Software Usage DNS - Rule", "ESCU - Detect Remote Access Software Usage Traffic - Rule", "ESCU - Detect suspicious DNS TXT records using pretrained model in DSDL - Rule", "ESCU - DNS Query Length Outliers - MLTK - Rule", "ESCU - DNS Query Length With High Standard Deviation - Rule", "ESCU - Excessive DNS Failures - Rule", "ESCU - Multiple Archive Files Http Post Traffic - Rule", "ESCU - Plain HTTP POST Exfiltrated Data - Rule", "ESCU - Prohibited Network Traffic Allowed - Rule", "ESCU - Protocol or Port Mismatch - Rule", "ESCU - TOR Traffic - Rule", "ESCU - Detect Remote Access Software Usage URL - Rule", "ESCU - AWS Investigate User Activities By ARN - Response Task", "ESCU - AWS Network ACL Details from ID - Response Task", "ESCU - AWS Network Interface details via resourceId - Response Task", "ESCU - Get All AWS Activity From IP Address - Response Task", "ESCU - Get DNS Server History for a host - Response Task", "ESCU - Get DNS traffic ratio - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Process Information For Port Activity - Response Task", "ESCU - Get Process Responsible For The DNS Traffic - Response Task"] -description = Detect and investigate tactics, techniques, and procedures leveraged by attackers to establish and operate Command And Control channels. Implants installed by attackers on compromised endpoints use these channels to receive instructions and send data back to the malicious operators. -narrative = Threat actors typically architect and implement an infrastructure to use in various ways during the course of their attack campaigns. In some cases, they leverage this infrastructure for scanning and performing reconnaissance activities. In others, they may use this infrastructure to launch actual attacks. One of the most important functions of this infrastructure is to establish servers that will communicate with implants on compromised endpoints. These servers establish a command and control channel that is used to proxy data between the compromised endpoint and the attacker. These channels relay commands from the attacker to the compromised endpoint and the output of those commands back to the attacker. \ -Because this communication is so critical for an adversary, they often use techniques designed to hide the true nature of the communications. There are many different techniques used to establish and communicate over these channels. This Analytic Story provides searches that look for a variety of the techniques used for these channels, as well as indications that these channels are active, by examining logs associated with border control devices and network-access control lists. - -[analytic_story://Compromised User Account] -category = Adversary Tactics -last_updated = 2023-01-19 -version = 1 -references = ["https://www.proofpoint.com/us/threat-reference/compromised-account"] -maintainers = [{"company": "Bhavin Patel, Splunk", "email": "-", "name": "Mauricio Velazco"}] -spec_version = 3 -searches = ["ESCU - PingID Mismatch Auth Source and Verification Response - Rule", "ESCU - PingID Multiple Failed MFA Requests For User - Rule", "ESCU - PingID New MFA Method After Credential Reset - Rule", "ESCU - PingID New MFA Method Registered For User - Rule", "ESCU - Abnormally High Number Of Cloud Infrastructure API Calls - Rule", "ESCU - ASL AWS Concurrent Sessions From Different Ips - Rule", "ESCU - AWS Concurrent Sessions From Different Ips - Rule", "ESCU - AWS Console Login Failed During MFA Challenge - Rule", "ESCU - AWS High Number Of Failed Authentications For User - Rule", "ESCU - AWS High Number Of Failed Authentications From Ip - Rule", "ESCU - AWS Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - AWS Password Policy Changes - Rule", "ESCU - AWS Successful Console Authentication From Multiple IPs - Rule", "ESCU - Azure AD Concurrent Sessions From Different Ips - Rule", "ESCU - Azure AD High Number Of Failed Authentications For User - Rule", "ESCU - Azure AD High Number Of Failed Authentications From Ip - Rule", "ESCU - Azure AD New MFA Method Registered For User - Rule", "ESCU - Azure AD Successful Authentication From Different Ips - Rule", "ESCU - Detect AWS Console Login by User from New City - Rule", "ESCU - Detect AWS Console Login by User from New Country - Rule", "ESCU - Detect AWS Console Login by User from New Region - Rule", "ESCU - ASL AWS Password Policy Changes - Rule"] -description = Monitor for activities and techniques associated with Compromised User Account attacks. -narrative = Compromised User Account occurs when cybercriminals gain unauthorized access to accounts by using different techniques like brute force, social engineering, phishing & spear phishing, credential stuffing, etc. By posing as the real user, cyber-criminals can change account details, send out phishing emails, steal financial information or sensitive data, or use any stolen information to access further accounts within the organization. This analytic story groups detections that can help security operations teams identify the potential signs of Compromised User Accounts. - -[analytic_story://Confluence Data Center and Confluence Server Vulnerabilities] -category = Adversary Tactics -last_updated = 2024-01-22 -version = 1 -references = ["https://confluence.atlassian.com/security/cve-2023-22527-rce-remote-code-execution-vulnerability-in-confluence-data-center-and-confluence-server-1333990257.html"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - Confluence Data Center and Server Privilege Escalation - Rule", "ESCU - Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527 - Rule", "ESCU - Confluence Unauthenticated Remote Code Execution CVE-2022-26134 - Rule"] -description = The following analytic story covers use cases for detecting and investigating potential attacks against Confluence Data Center and Confluence Server. -narrative = The analytic story of Confluence Data Center and Confluence Server encompasses a comprehensive approach to safeguarding these platforms from a variety of threats. By leveraging the analytics created in the project, security teams are equipped to detect, investigate, and respond to potential attacks that target Confluence environments. - -[analytic_story://ConnectWise ScreenConnect Vulnerabilities] -category = Adversary Tactics -last_updated = 2024-02-21 -version = 1 -references = ["https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass", "https://www.huntress.com/blog/detection-guidance-for-connectwise-cwe-288-2", "https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - ConnectWise ScreenConnect Path Traversal - Rule", "ESCU - ConnectWise ScreenConnect Path Traversal Windows SACL - Rule", "ESCU - ConnectWise ScreenConnect Authentication Bypass - Rule", "ESCU - Nginx ConnectWise ScreenConnect Authentication Bypass - Rule"] -description = This analytic story provides a comprehensive overview of the ConnectWise ScreenConnect vulnerabilities. -narrative = The following analytic story includes content for recently disclosed CWE-288 Authentication Bypass and CWE-22 Path Traversal. The vulnerabilities, identified as critical with CVSS scores of 10 and 9.8, respectively, enable unauthorized users to bypass authentication and perform path traversal attacks on affected ScreenConnect instances. The analytic story includes detection analytics for both vulnerabilities, which are crucial for identifying and responding to active exploitation in environments running affected versions of ScreenConnect (23.9.7 and prior). It is recommended to update to version 23.9.8 or above immediately to remediate the issues, as detailed in the ConnectWise security advisory and further analyzed by Huntress researchers. The analytic story also includes guidance on how to implement the detection analytics, known false positives, and references to additional resources for further analysis and remediation. - -[analytic_story://Credential Dumping] -category = Adversary Tactics -last_updated = 2020-02-04 -version = 3 -references = ["https://attack.mitre.org/wiki/Technique/T1003", "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Rico Valdez"}] -spec_version = 3 -searches = ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Dump LSASS via procdump Rename - Rule", "ESCU - Unsigned Image Loaded by LSASS - Rule", "ESCU - Access LSASS Memory for Dump Creation - Rule", "ESCU - Attempted Credential Dump From Registry via Reg exe - Rule", "ESCU - Create Remote Thread into LSASS - Rule", "ESCU - Creation of lsass Dump with Taskmgr - Rule", "ESCU - Creation of Shadow Copy - Rule", "ESCU - Creation of Shadow Copy with wmic and powershell - Rule", "ESCU - Credential Dumping via Copy Command from Shadow Copy - Rule", "ESCU - Credential Dumping via Symlink to Shadow Copy - Rule", "ESCU - Detect Copy of ShadowCopy with Script Block Logging - Rule", "ESCU - Detect Credential Dumping through LSASS access - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Dump LSASS via procdump - Rule", "ESCU - Enable WDigest UseLogonCredential Registry - Rule", "ESCU - Esentutl SAM Copy - Rule", "ESCU - Extraction of Registry Hives - Rule", "ESCU - Ntdsutil Export NTDS - Rule", "ESCU - Potential password in username - Rule", "ESCU - SAM Database File Access Attempt - Rule", "ESCU - SecretDumps Offline NTDS Dumping Tool - Rule", "ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule", "ESCU - Windows AD Replication Request Initiated by User Account - Rule", "ESCU - Windows AD Replication Request Initiated from Unsanctioned Location - Rule", "ESCU - Windows Credential Dumping LSASS Memory Createdump - Rule", "ESCU - Windows Hunting System Account Targeting Lsass - Rule", "ESCU - Windows Mimikatz Binary Execution - Rule", "ESCU - Windows Non-System Account Targeting Lsass - Rule", "ESCU - Windows Possible Credential Dumping - Rule", "ESCU - Investigate Failed Logins for Multiple Destinations - Response Task", "ESCU - Investigate Pass the Hash Attempts - Response Task", "ESCU - Investigate Pass the Ticket Attempts - Response Task", "ESCU - Investigate Previous Unseen User - Response Task"] -description = Uncover activity consistent with credential dumping, a technique wherein attackers compromise systems and attempt to obtain and exfiltrate passwords. The threat actors use these pilfered credentials to further escalate privileges and spread throughout a target environment. The included searches in this Analytic Story are designed to identify attempts to credential dumping. -narrative = Credential dumping—gathering credentials from a target system, often hashed or encrypted—is a common attack technique. Even though the credentials may not be in plain text, an attacker can still exfiltrate the data and set to cracking it offline, on their own systems. The threat actors target a variety of sources to extract them, including the Security Accounts Manager (SAM), Local Security Authority (LSA), NTDS from Domain Controllers, or the Group Policy Preference (GPP) files. \ -Once attackers obtain valid credentials, they use them to move throughout a target network with ease, discovering new systems and identifying assets of interest. Credentials obtained in this manner typically include those of privileged users, which may provide access to more sensitive information and system operations. \ -The detection searches in this Analytic Story monitor access to the Local Security Authority Subsystem Service (LSASS) process, the usage of shadowcopies for credential dumping and some other techniques for credential dumping. - -[analytic_story://CrushFTP Vulnerabilities] -category = Adversary Tactics -last_updated = 2024-05-16 -version = 1 -references = ["https://github.com/airbus-cert/CVE-2024-4040", "https://www.bleepingcomputer.com/news/security/crushftp-warns-users-to-patch-exploited-zero-day-immediately/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - CrushFTP Server Side Template Injection - Rule"] -description = CVE-2024-4040 identifies a critical server-side template injection vulnerability in all versions of CrushFTP prior to 10.7.1 and 11.1.0, allowing unauthenticated remote attackers to execute arbitrary code, bypass authentication, and access files outside of the VFS Sandbox. -narrative = CVE-2024-4040 exposes a severe server-side template injection vulnerability in all versions of CrushFTP prior to 10.7.1 and 11.1.0. This critical flaw allows unauthenticated remote attackers to execute arbitrary code, bypass authentication mechanisms, and access files outside of the VFS Sandbox. The vulnerability was urgently addressed by CrushFTP with a patch after it was actively exploited in the wild, highlighting the necessity for immediate updates to secure server environments. Users operating behind a DMZ are reported to have an additional layer of protection against this exploit. The discovery and subsequent reporting of this vulnerability by Simon Garrelou of Airbus CERT prompted a swift response from CrushFTP, underscoring the critical nature of the flaw and the potential risks associated with delayed patching. This incident serves as a stark reminder of the importance of maintaining up-to-date software to defend against evolving cybersecurity threats. - -[analytic_story://CVE-2022-40684 Fortinet Appliance Auth bypass] -category = Adversary Tactics -last_updated = 2022-10-14 -version = 1 -references = ["https://www.wordfence.com/blog/2022/10/threat-advisory-cve-2022-40684-fortinet-appliance-auth-bypass/", "https://www.horizon3.ai/fortios-fortiproxy-and-fortiswitchmanager-authentication-bypass-technical-deep-dive-cve-2022-40684/", "https://github.com/horizon3ai/CVE-2022-40684", "https://attackerkb.com/topics/QWOxGIKkGx/cve-2022-40684/rapid7-analysis", "https://www.greynoise.io/blog/fortios-authentication-bypass"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - Fortinet Appliance Auth bypass - Rule"] -description = Fortinet recently patched a critical authentication bypass vulnerability in their FortiOS, FortiProxy, and FortiSwitchManager projects CVE-2022-40684. -narrative = FortiOS exposes a management web portal that allows a user configure the system. Additionally, a user can SSH into the system which exposes a locked down CLI interface. Any HTTP requests to the management interface of the system that match the conditions above should be cause for concern. An attacker can use this vulnerability to do just about anything they want to the vulnerable system. This includes changing network configurations, adding new users, and initiating packet captures. Note that this is not the only way to exploit this vulnerability and there may be other sets of conditions that work. For instance, a modified version of this exploit uses the User-Agent Node.js. This exploit seems to follow a trend among recently discovered enterprise software vulnerabilities where HTTP headers are improperly validated or overly trusted. (ref Horizon3.ai) - -[analytic_story://CVE-2023-21716 Word RTF Heap Corruption] -category = Adversary Tactics -last_updated = 2023-03-10 -version = 1 -references = ["https://www.bleepingcomputer.com/news/security/proof-of-concept-released-for-critical-microsoft-word-rce-bug/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - Office Application Drop Executable - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Winword Spawning Cmd - Rule", "ESCU - Winword Spawning PowerShell - Rule", "ESCU - Winword Spawning Windows Script Host - Rule"] -description = A proof-of-concept for CVE-2023-21716, a critical vulnerability in Microsoft Word that allows remote code execution utilizing a heap corruption in rich text files. -narrative = This analytic story covers content that will assist organizations in identifying potential RTF RCE abuse on endpoints. The vulnerability was assigned a 9.8 out of 10 severity score, with Microsoft addressing it in the February Patch Tuesday security updates along with a couple of workarounds. Security researcher Joshua Drake last year discovered the vulnerability in Microsoft Office''s "wwlib.dll" and sent Microsoft a technical advisory containing proof-of-concept (PoC) code showing the issue is exploitable. A remote attacker could potentially take advantage of the issue to execute code with the same privileges as the victim that opens a malicious .RTF document. Delivering the malicious file to a victim can be as easy as an attachment to an email, although plenty of other methods exist. Microsoft warns that users don''t have to open a malicious RTF document and simply loading the file in the Preview Pane is enough for the compromise to start. (BleepingComputer, 2023) - -[analytic_story://CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server] -category = Adversary Tactics -last_updated = 2023-10-04 -version = 1 -references = ["https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html", "https://www.rapid7.com/blog/post/2023/10/04/etr-cve-2023-22515-zero-day-privilege-escalation-in-confluence-server-and-data-center/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - Confluence CVE-2023-22515 Trigger Vulnerability - Rule", "ESCU - Confluence Data Center and Server Privilege Escalation - Rule", "ESCU - Web Remote ShellServlet Access - Rule"] -description = On October 4, 2023, Atlassian disclosed a critical privilege escalation vulnerability, CVE-2023-22515, affecting on-premises instances of Confluence Server and Confluence Data Center. This flaw might allow external attackers to exploit accessible Confluence instances, creating unauthorized Confluence administrator accounts. Indicators suggest the vulnerability is remotely exploitable. The affected versions range from 8.0.0 to 8.5.1, but versions prior to 8.0.0 and Atlassian Cloud sites are unaffected. Atlassian advises customers to update to a fixed version or implement mitigation strategies. Indicators of compromise (IoCs) and mitigation steps, such as blocking access to /setup/* endpoints, are provided. -narrative = Upon Atlassian's disclosure of CVE-2023-22515, there's an immediate need to assess the threat landscape of on-premises Confluence installations. As the vulnerability affects privilege escalation and may be exploited remotely, SIEM solutions should be poised to detect potential threats. \ -By monitoring for specific indicators of compromise, security teams can get ahead of any potential breaches. Key indicators include unexpected members in the 'confluence-administrator' group, newly created user accounts, and specific HTTP requests to /setup/*.action endpoints. Any unusual spikes or patterns associated with these indicators might signify an ongoing or attempted exploitation. \ -Furthermore, an audit trail of past logs is essential. Analyzing older logs might uncover any unnoticed exploitation, allowing for a post-incident analysis and ensuring affected systems are patched or isolated. An alert mechanism should be established for any access or changes related to /setup/* endpoints. \ -In parallel, updating the affected Confluence Server and Data Center versions to the fixed releases is paramount. If immediate updates aren't feasible, interim mitigation measures, such as blocking external network access to /setup/*, should be implemented, and logs around this activity should be monitored. - -[analytic_story://CVE-2023-23397 Outlook Elevation of Privilege] -category = Adversary Tactics -last_updated = 2023-03-15 -version = 1 -references = ["https://twitter.com/ACEResponder/status/1636116096506818562?s=20", "https://twitter.com/domchell/status/1635999068282408962?s=20", "https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/", "https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - Windows Rundll32 WebDAV Request - Rule", "ESCU - Windows Rundll32 WebDav With Network Connection - Rule"] -description = Microsoft has released CVE-2023-23397 to address the critical elevation of privilege (EoP) vulnerability affecting Microsoft Outlook for Windows. -narrative = Microsoft Threat Intelligence discovered limited, targeted abuse of a vulnerability in Microsoft Outlook for Windows that allows for new technology LAN manager (NTLM) credential theft. Microsoft has released CVE-2023-23397 to address the critical elevation of privilege (EoP) vulnerability affecting Microsoft Outlook for Windows. We strongly recommend all customers update Microsoft Outlook for Windows to remain secure. CVE-2023-23397 is a critical EoP vulnerability in Microsoft Outlook that is triggered when an attacker sends a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server. No user interaction is required. The connection to the remote SMB server sends the user''s NTLM negotiation message, which the attacker can then relay for authentication against other systems that support NTLM authentication. Online services such as Microsoft 365 do not support NTLM authentication and are not vulnerable to being attacked by these messages. (2023, Microsoft) - -[analytic_story://CVE-2023-36884 Office and Windows HTML RCE Vulnerability] -category = Adversary Tactics -last_updated = 2023-07-11 -version = 1 -references = ["https://gist.github.com/MHaggis/22ad19081300493e70ce0b873e98b2d0", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884", "https://www.bleepingcomputer.com/news/microsoft/microsoft-july-2023-patch-tuesday-warns-of-6-zero-days-132-flaws/", "https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - MSHTML Module Load in Office Product - Rule", "ESCU - Office Document Spawned Child Process To Download - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Office Product Spawning BITSAdmin - Rule", "ESCU - Office Product Spawning CertUtil - Rule", "ESCU - Office Product Spawning MSHTA - Rule", "ESCU - Office Product Spawning Rundll32 with no DLL - Rule", "ESCU - Office Product Spawning Windows Script Host - Rule", "ESCU - Office Product Spawning Wmic - Rule"] -description = CVE-2023-36884 is an unpatched zero-day vulnerability affecting Windows and Microsoft Office products. The vulnerability allows for remote code execution through specially crafted Microsoft Office documents, enabling an attacker to operate in the context of the victim. As of now, there are no security updates available. However, users of Microsoft Defender for Office and the "Block all Office applications from creating child processes" Attack Surface Reduction Rule are safeguarded against this exploit. For other users, temporary mitigation can be achieved by adding specific application names to a designated registry key. -narrative = CVE-2023-36884 is a serious security vulnerability that affects a range of Microsoft Office products and Windows systems. It is a zero-day flaw, meaning it was already being exploited before Microsoft became aware of it or had a chance to develop a patch. \ -An attacker exploiting this vulnerability would create a Microsoft Office document containing malicious code. This document, when opened by the victim, allows for remote code execution, giving the attacker the ability to run their own code on the victim's machine. This poses a significant risk as the attacker could perform actions like data theft, system damage, or creating backdoors for future access. \ -Currently, there is no security patch available from Microsoft, which makes the issue more critical. Microsoft is working on investigating these vulnerabilities and will likely provide a security update either through their monthly release cycle or an out-of-cycle update, based on the urgency. \ -In the meantime, users of Microsoft Defender for Office and those utilizing the "Block all Office applications from creating child processes" Attack Surface Reduction Rule are protected from attempts to exploit this vulnerability. This is because these protections add an extra layer of security, blocking the malicious code from executing. \ -For users who are not using these protections, Microsoft recommends a workaround by adding specific application names to a particular Windows registry key (HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION) with data set as "1". This action aims to mitigate the risk until a permanent fix is available. \ -The disclosure of this flaw involved multiple entities including Microsoft Threat Intelligence, Vlad Stolyarov, Clement Lecigne and Bahare Sabouri from Google's Threat Analysis Group (TAG), Paul Rascagneres and Tom Lancaster from Volexity, and the Microsoft Office Product Group Security Team. This collective effort indicates the severity and importance of addressing this issue. - -[analytic_story://Cyclops Blink] -category = Malware -last_updated = 2024-03-14 -version = 2 -references = ["https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf", "https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Teoderick Contreras"}] -spec_version = 3 -searches = ["ESCU - Linux Iptables Firewall Modification - Rule", "ESCU - Linux Kworker Process In Writable Process Path - Rule", "ESCU - Linux Stdout Redirection To Dev Null File - Rule"] -description = Leverage searches that allow you to detect and investigate unusual activities that might relate to the cyclopsblink malware including firewall modification, spawning more process, botnet c2 communication, defense evasion and etc. Cyclops Blink is a Linux ELF executable compiled for 32-bit x86 and PowerPC architecture that has targeted several network devices. The complete list of targeted devices is unknown at this time, but WatchGuard FireBox has specifically been listed as a target. The modular malware consists of core components and modules that are deployed as child processes using the Linux API fork. At this point, four modules have been identified that download and upload files, gather system information and contain updating mechanisms for the malware itself. Additional modules can be downloaded and executed from the Command And Control (C2) server. -narrative = Adversaries may use this technique to maximize the impact on the target organization in operations where network wide availability interruption is the goal. - -[analytic_story://DarkCrystal RAT] -category = Malware -last_updated = 2022-07-26 -version = 1 -references = ["https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor", "https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Teoderick Contreras"}] -spec_version = 3 -searches = ["ESCU - Any Powershell DownloadFile - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Windows Command Shell DCRat ForkBomb Payload - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows Gather Victim Host Information Camera - Rule", "ESCU - Windows Gather Victim Network Info Through Ip Check Web Services - Rule", "ESCU - Windows High File Deletion Frequency - Rule", "ESCU - Windows Ingress Tool Transfer Using Explorer - Rule", "ESCU - Windows System LogOff Commandline - Rule", "ESCU - Windows System Reboot CommandLine - Rule", "ESCU - Windows System Shutdown CommandLine - Rule", "ESCU - Windows System Time Discovery W32tm Delay - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule", "ESCU - Winword Spawning Cmd - Rule", "ESCU - Winword Spawning PowerShell - Rule"] -description = Leverage searches that allow you to detect and investigate unusual activities that might relate to the DcRat malware including ddos, spawning more process, botnet c2 communication, defense evasion and etc. The DcRat malware is known commercial backdoor that was first released in 2018. This tool was sold in underground forum and known to be one of the cheapest commercial RATs. DcRat is modular and bespoke plugin framework make it a very flexible option, helpful for a range of nefearious uses. -narrative = Adversaries may use this technique to maximize the impact on the target organization in operations where network wide availability interruption is the goal. - -[analytic_story://DarkGate Malware] -category = Adversary Tactics -last_updated = 2023-10-31 -version = 1 -references = ["https://github.security.telekom.com/2023/08/darkgate-loader.html", "https://redcanary.com/blog/intelligence-insights-october-2023"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Create local admin accounts using net exe - Rule", "ESCU - Create or delete windows shares using net exe - Rule", "ESCU - Delete ShadowCopy With PowerShell - Rule", "ESCU - Deleting Of Net Users - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Regasm Spawning a Process - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Execution of File with Multiple Extensions - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - Powershell Remote Services Add TrustedHost - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - Windows Access Token Manipulation SeDebugPrivilege - Rule", "ESCU - Windows Archive Collected Data via Rar - Rule", "ESCU - Windows AutoIt3 Execution - Rule", "ESCU - Windows CAB File on Disk - Rule", "ESCU - Windows Credentials from Password Stores Chrome Extension Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule", "ESCU - Windows Credentials from Password Stores Creation - Rule", "ESCU - Windows Credentials from Password Stores Deletion - Rule", "ESCU - Windows Credentials from Password Stores Query - Rule", "ESCU - Windows Indicator Removal Via Rmdir - Rule", "ESCU - Windows Modify Registry AuthenticationLevelOverride - Rule", "ESCU - Windows Modify Registry DisableRemoteDesktopAntiAlias - Rule", "ESCU - Windows Modify Registry DisableSecuritySettings - Rule", "ESCU - Windows Modify Registry DontShowUI - Rule", "ESCU - Windows Modify Registry ProxyEnable - Rule", "ESCU - Windows Modify Registry ProxyServer - Rule", "ESCU - Windows MSIExec Spawn WinDBG - Rule", "ESCU - Windows System Reboot CommandLine - Rule", "ESCU - Windows System Shutdown CommandLine - Rule", "ESCU - Windows WinDBG Spawning AutoIt3 - Rule"] -description = Telekom Security CTI has uncovered a new phishing-driven malware campaign distributing DarkGate malware. This campaign utilizes stolen email threads to trick users into downloading malicious payloads via hyperlinks. An initial false link to Emotet stirred the security community, but deeper analysis confirmed its true identity as DarkGate, with characteristics like AutoIt scripts and a known command-and-control protocol. This report by Fabian Marquardt details the intricate infection mechanisms, including MSI and VBS file deliveries, sophisticated evasion techniques, and a robust configuration extraction method surpassing current standards. The single developer behind DarkGate, active on cybercrime forums, has shifted the malware's use from private to a rent-out model, implying an expected rise in its deployment. Researchers have also developed a decryption technique for the DarkGate malware, which aids in static analysis and detection, though it requires careful validation to avoid false positives. -narrative = Telekom Security CTi has recently put a spotlight on the proliferation of DarkGate malware via a sophisticated malspam campaign, initially mistaken for the notorious Emotet malware. The campaign smartly manipulates stolen email conversations, embedding hyperlinks that, once clicked, activate a malware download. Fabian Marquardt's analysis traces the infection's footprint, revealing a dual delivery mechanism through MSI and VBS files. These files, cloaked in legitimate wrappers or obscured with junk code, ultimately download the malware via embedded scripts. \ -Marquardt delves into the AutoIt script-based infection, uncovering the calculated use of compiled scripts and base64-encoded data to disguise the execution of malicious shellcode. The subsequent stages of infection exhibit the malware's capability to evade detection, leveraging memory allocation techniques to bypass security measures. Marquardt also explores the loader's function, which decrypts further malicious payloads by interacting with the script's encoded components. \ -The analytical narrative captures a cross-section of the cybersecurity landscape, reflecting the shift in DarkGate's operational strategy from exclusive use by the developer to a broader dissemination through a Malware-as-a-Service (MaaS) model. This transition suggests an anticipated escalation in DarkGate-related attacks. \ -Significantly, the report contributes to cybersecurity defenses by outlining a more effective method for extracting malware configurations, providing the community with the means to anticipate and mitigate the evolving threats posed by this pernicious malware. With the insights gained, researchers and security professionals are better equipped to adapt their strategies, constructing more robust defenses against the sophisticated tactics employed by DarkGate and similar malware strains. - -[analytic_story://DarkSide Ransomware] -category = Malware -last_updated = 2021-05-12 -version = 1 -references = ["https://www.splunk.com/en_us/blog/security/the-darkside-of-the-ransomware-pipeline.htmlbig-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/", "https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Bhavin Patel"}] -spec_version = 3 -searches = ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Attempted Credential Dump From Registry via Reg exe - Rule", "ESCU - BITSAdmin Download File - Rule", "ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - CertUtil Download With VerifyCtl and Split Arguments - Rule", "ESCU - CMLUA Or CMSTPLUA UAC Bypass - Rule", "ESCU - Cobalt Strike Named Pipes - Rule", "ESCU - Delete ShadowCopy With PowerShell - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect RClone Command-Line Usage - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Detect Renamed RClone - Rule", "ESCU - Extraction of Registry Hives - Rule", "ESCU - Ransomware Notes bulk creation - Rule", "ESCU - SLUI RunAs Elevated - Rule", "ESCU - SLUI Spawning a Process - Rule", "ESCU - Windows Possible Credential Dumping - Rule"] -description = Leverage searches that allow you to detect and investigate unusual activities that might relate to the DarkSide Ransomware -narrative = This story addresses Darkside ransomware. This ransomware payload has many similarities to common ransomware however there are certain items particular to it. The creation of a .TXT log that shows every item being encrypted as well as the creation of ransomware notes and files adding a machine ID created based on CRC32 checksum algorithm. This ransomware payload leaves machines in minimal operation level,enough to browse the attackers websites. A customized URI with leaked information is presented to each victim.This is the ransomware payload that shut down the Colonial pipeline. The story is composed of several detection searches covering similar items to other ransomware payloads and those particular to Darkside payload. - -[analytic_story://Data Destruction] -category = Malware -last_updated = 2023-04-06 -version = 1 -references = ["https://attack.mitre.org/techniques/T1485/", "https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/", "https://www.picussecurity.com/blog/a-brief-history-and-further-technical-analysis-of-sodinokibi-ransomware", "https://www.splunk.com/en_us/blog/security/threat-advisory-strt-ta02-destructive-software.html", "https://www.splunk.com/en_us/blog/security/detecting-hermeticwiper.html", "https://www.splunk.com/en_us/blog/security/threat-update-doublezero-destructor.html", "https://www.splunk.com/en_us/blog/security/threat-update-caddywiper.html", "https://www.splunk.com/en_us/blog/security/strt-ta03-cpe-destructive-software.html", "https://www.splunk.com/en_us/blog/security/threat-update-cyclopsblink.html", "https://www.splunk.com/en_us/blog/security/threat-update-acidrain-wiper.html", "https://www.splunk.com/en_us/blog/security/threat-update-industroyer2.html", "https://www.splunk.com/en_us/blog/security/threat-advisory-swiftslicer-wiper-strt-ta03.html"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Teoderick Contreras"}] -spec_version = 3 -searches = ["ESCU - Email Attachments With Lots Of Spaces - Rule", "ESCU - Suspicious Email Attachment Extensions - Rule", "ESCU - Active Setup Registry Autostart - Rule", "ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - AdsiSearcher Account Discovery - Rule", "ESCU - Any Powershell DownloadFile - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - Attempted Credential Dump From Registry via Reg exe - Rule", "ESCU - Change Default File Association - Rule", "ESCU - Child Processes of Spoolsv exe - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Detect Empire with PowerShell Script Block Logging - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Excessive File Deletion In WinDefender Folder - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Kerberoasting spn request with RC4 encryption - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux Data Destruction Command - Rule", "ESCU - Linux DD File Overwrite - Rule", "ESCU - Linux Deleting Critical Directory Using RM Command - Rule", "ESCU - Linux Deletion Of Cron Jobs - Rule", "ESCU - Linux Deletion Of Init Daemon Script - Rule", "ESCU - Linux Deletion Of Services - Rule", "ESCU - Linux Disable Services - Rule", "ESCU - Linux Hardware Addition SwapOff - Rule", "ESCU - Linux High Frequency Of File Deletion In Boot Folder - Rule", "ESCU - Linux High Frequency Of File Deletion In Etc Folder - Rule", "ESCU - Linux Impair Defenses Process Kill - Rule", "ESCU - Linux Indicator Removal Clear Cache - Rule", "ESCU - Linux Indicator Removal Service File Deletion - Rule", "ESCU - Linux Java Spawning Shell - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Shred Overwrite Command - Rule", "ESCU - Linux Stdout Redirection To Dev Null File - Rule", "ESCU - Linux Stop Services - Rule", "ESCU - Linux System Network Discovery - Rule", "ESCU - Linux System Reboot Via System Request Key - Rule", "ESCU - Linux Unix Shell Enable All SysRq Functions - Rule", "ESCU - Logon Script Event Trigger Execution - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Malicious PowerShell Process With Obfuscation Techniques - Rule", "ESCU - MSI Module Loaded by Non-System Binary - Rule", "ESCU - Overwriting Accessibility Binaries - Rule", "ESCU - Ping Sleep Batch Command - Rule", "ESCU - Possible Lateral Movement PowerShell Spawn - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - PowerShell Domain Enumeration - Rule", "ESCU - Powershell Enable SMB1Protocol Feature - Rule", "ESCU - Powershell Execute COM Object - Rule", "ESCU - Powershell Fileless Process Injection via GetProcAddress - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Powershell Processing Stream Of Data - Rule", "ESCU - Powershell Remove Windows Defender Directory - Rule", "ESCU - Powershell Using memory As Backing Store - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Print Processor Registry Autostart - Rule", "ESCU - Process Deleting Its Process File Path - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Runas Execution in CommandLine - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Screensaver Event Trigger Execution - Rule", "ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule", "ESCU - Suspicious Process DNS Query Known Abuse Web Services - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Process With Discord DNS Query - Rule", "ESCU - Time Provider Persistence Registry - Rule", "ESCU - Unloading AMSI via Reflection - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows Data Destruction Recursive Exec Files Deletion - Rule", "ESCU - Windows Deleted Registry By A Non Critical Process File Path - Rule", "ESCU - Windows Disable Memory Crash Dump - Rule", "ESCU - Windows DotNet Binary in Non Standard Path - Rule", "ESCU - Windows File Without Extension In Critical Folder - Rule", "ESCU - Windows Hidden Schedule Task Settings - Rule", "ESCU - Windows High File Deletion Frequency - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows Linked Policies In ADSI Discovery - Rule", "ESCU - Windows Modify Show Compress Color And Info Tip Registry - Rule", "ESCU - Windows NirSoft AdvancedRun - Rule", "ESCU - Windows NirSoft Utilities - Rule", "ESCU - Windows Processes Killed By Industroyer2 Malware - Rule", "ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - Windows Root Domain linked policies Discovery - Rule", "ESCU - Windows Terminating Lsass Process - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule", "ESCU - WMI Recon Running Process Or Services - Rule", "ESCU - Wscript Or Cscript Suspicious Child Process - Rule"] -description = Leverage searches that allow you to detect and investigate unusual activities that might relate to the data destruction, including deleting files, overwriting files, wiping disk and unrecoverable file encryption. This analytic story may cover several known activities related to malware implants used in geo-political war to wipe disks or files to interrupt the network-wide operation of a targeted organization. Analytics can detect the behavior of "DoubleZero Destructor", "CaddyWiper", "AcidRain", "AwfulShred", "Hermetic Wiper", "Swift Slicer", "Whisper Gate" and many more. -narrative = Adversaries may partially or completely overwrite the contents of a storage device rendering the data irrecoverable through the storage interface or using 3rd party drivers to directly access disk content like Master Boot Record to wipe it. Some of these attacks were seen in geo-political war to impair the operation of targeted organizations or to interrupt network-wide services. - -[analytic_story://Data Exfiltration] -category = Adversary Tactics -last_updated = 2023-05-17 -version = 2 -references = ["https://attack.mitre.org/tactics/TA0010/", "https://bleemb.medium.com/data-exfiltration-with-native-aws-s3-features-c94ae4d13436", "https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-277a"] -maintainers = [{"company": "Shannon Davis, Splunk", "email": "-", "name": "Bhavin Patel"}] -spec_version = 3 -searches = ["ESCU - AWS AMI Attribute Modification for Exfiltration - Rule", "ESCU - AWS Disable Bucket Versioning - Rule", "ESCU - AWS EC2 Snapshot Shared Externally - Rule", "ESCU - AWS Exfiltration via Anomalous GetObject API Activity - Rule", "ESCU - AWS Exfiltration via Batch Service - Rule", "ESCU - AWS Exfiltration via Bucket Replication - Rule", "ESCU - AWS Exfiltration via DataSync Task - Rule", "ESCU - AWS Exfiltration via EC2 Snapshot - Rule", "ESCU - AWS S3 Exfiltration Behavior Identified - Rule", "ESCU - Gdrive suspicious file sharing - Rule", "ESCU - O365 PST export alert - Rule", "ESCU - O365 Suspicious Admin Email Forwarding - Rule", "ESCU - O365 Suspicious User Email Forwarding - Rule", "ESCU - Detect Certipy File Modifications - Rule", "ESCU - DNS Exfiltration Using Nslookup App - Rule", "ESCU - Excessive Usage of NSLOOKUP App - Rule", "ESCU - Linux Curl Upload File - Rule", "ESCU - Mailsniper Invoke functions - Rule", "ESCU - Detect DGA domains using pretrained model in DSDL - Rule", "ESCU - Detect SNICat SNI Exfiltration - Rule", "ESCU - High Volume of Bytes Out to Url - Rule", "ESCU - Multiple Archive Files Http Post Traffic - Rule", "ESCU - Plain HTTP POST Exfiltrated Data - Rule", "ESCU - Get Notable History - Response Task"] -description = Data exfiltration refers to the unauthorized transfer or extraction of sensitive or valuable data from a compromised system or network during a cyber attack. It is a critical phase in many targeted attacks, where adversaries aim to steal confidential information, such as intellectual property, financial records, personal data, or trade secrets. -narrative = This Analytic Story supports you to detect Tactics, Techniques and Procedures (TTPs) leveraged by adversaries to exfiltrate data from your environments. Exfiltration comes in many flavors and its done differently on every environment. Adversaries can collect data over encrypted or non-encrypted channels. They can utilise Command And Control channels that are already in place to exfiltrate data. They can use both standard data transfer protocols such as FTP, SCP, etc to exfiltrate data. Or they can use non-standard protocols such as DNS, ICMP, etc with specially crafted fields to try and circumvent security technologies in place. \ -Techniques for getting data out of a target network typically include transferring it over their command and control channel or an alternate channel and may also include putting size limits on the transmission. In context of the cloud, this refers to the unauthorized transfer or extraction of sensitive data from cloud-based systems or services. It involves the compromise of cloud infrastructure or accounts to gain access to valuable information stored in the cloud environment. Attackers may employ various techniques, such as exploiting vulnerabilities, stealing login credentials, or using malicious code to exfiltrate data from cloud repositories or services without detection. - -[analytic_story://Data Protection] -category = Abuse -last_updated = 2017-09-14 -version = 1 -references = ["https://www.cisecurity.org/controls/data-protection/", "https://www.sans.org/reading-room/whitepapers/dns/splunk-detect-dns-tunneling-37022", "https://umbrella.cisco.com/blog/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Bhavin Patel"}] -spec_version = 3 -searches = ["ESCU - Detect USB device insertion - Rule", "ESCU - Detection of DNS Tunnels - Rule", "ESCU - Detect hosts connecting to dynamic domain providers - Rule", "ESCU - Get DNS Server History for a host - Response Task", "ESCU - Get DNS traffic ratio - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Process Responsible For The DNS Traffic - Response Task"] -description = Fortify your data-protection arsenal--while continuing to ensure data confidentiality and integrity--with searches that monitor for and help you investigate possible signs of data exfiltration. -narrative = Attackers can leverage a variety of resources to compromise or exfiltrate enterprise data. Common exfiltration techniques include remote-access channels via low-risk, high-payoff active-collections operations and close-access operations using insiders and removable media. While this Analytic Story is not a comprehensive listing of all the methods by which attackers can exfiltrate data, it provides a useful starting point. - -[analytic_story://Deobfuscate-Decode Files or Information] -category = Adversary Tactics -last_updated = 2021-03-24 -version = 1 -references = ["https://attack.mitre.org/techniques/T1140/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - CertUtil With Decode Argument - Rule"] -description = Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. -narrative = An example of obfuscated files is `Certutil.exe` usage to encode a portable executable to a certificate file, which is base64 encoded, to hide the originating file. There are many utilities cross-platform to encode using XOR, using compressed .cab files to hide contents and scripting languages that may perform similar native Windows tasks. Triaging an event related will require the capability to review related process events and file modifications. Using a tool such as CyberChef will assist with identifying the encoding that was used, and potentially assist with decoding the contents. - -[analytic_story://AWS Cryptomining] -category = Cloud Security -last_updated = 2018-03-08 -version = 1 -references = ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"] -maintainers = [{"company": "Splunk", "email": "-", "name": "David Dorsey"}] -spec_version = 3 -searches = ["ESCU - Abnormally High AWS Instances Launched by User - Rule", "ESCU - Abnormally High AWS Instances Launched by User - MLTK - Rule", "ESCU - EC2 Instance Started In Previously Unseen Region - Rule", "ESCU - EC2 Instance Started With Previously Unseen AMI - Rule", "ESCU - EC2 Instance Started With Previously Unseen Instance Type - Rule", "ESCU - EC2 Instance Started With Previously Unseen User - Rule", "ESCU - AWS Investigate User Activities By ARN - Response Task", "ESCU - Get EC2 Instance Details by instanceId - Response Task", "ESCU - Get EC2 Launch Details - Response Task", "ESCU - Get Logon Rights Modifications For Endpoint - Response Task", "ESCU - Get Logon Rights Modifications For User - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Investigate AWS activities via region name - Response Task"] -description = Monitor your AWS EC2 instances for activities related to cryptojacking/cryptomining. New instances that originate from previously unseen regions, users who launch abnormally high numbers of instances, or EC2 instances started by previously unseen users are just a few examples of potentially malicious behavior. -narrative = Cryptomining is an intentionally difficult, resource-intensive business. Its complexity was designed into the process to ensure that the number of blocks mined each day would remain steady. So, it's par for the course that ambitious, but unscrupulous, miners make amassing the computing power of large enterprises--a practice known as cryptojacking--a top priority. \ -Cryptojacking has attracted an increasing amount of media attention since its explosion in popularity in the fall of 2017. The attacks have moved from in-browser exploits and mobile phones to enterprise cloud services, such as Amazon Web Services (AWS). It's difficult to determine exactly how widespread the practice has become, since bad actors continually evolve their ability to escape detection, including employing unlisted endpoints, moderating their CPU usage, and hiding the mining pool's IP address behind a free CDN. \ -When malicious miners appropriate a cloud instance, often spinning up hundreds of new instances, the costs can become astronomical for the account holder. So, it is critically important to monitor your systems for suspicious activities that could indicate that your network has been infiltrated. \ -This Analytic Story is focused on detecting suspicious new instances in your EC2 environment to help prevent such a disaster. It contains detection searches that will detect when a previously unused instance type or AMI is used. It also contains support searches to build lookup files to ensure proper execution of the detection searches. - -[analytic_story://AWS Suspicious Provisioning Activities] -category = Cloud Security -last_updated = 2018-03-16 -version = 1 -references = ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"] -maintainers = [{"company": "Splunk", "email": "-", "name": "David Dorsey"}] -spec_version = 3 -searches = ["ESCU - AWS Cloud Provisioning From Previously Unseen City - Rule", "ESCU - AWS Cloud Provisioning From Previously Unseen Country - Rule", "ESCU - AWS Cloud Provisioning From Previously Unseen IP Address - Rule", "ESCU - AWS Cloud Provisioning From Previously Unseen Region - Rule", "ESCU - AWS Investigate Security Hub alerts by dest - Response Task", "ESCU - AWS Investigate User Activities By ARN - Response Task", "ESCU - Get All AWS Activity From City - Response Task", "ESCU - Get All AWS Activity From Country - Response Task", "ESCU - Get All AWS Activity From IP Address - Response Task", "ESCU - Get All AWS Activity From Region - Response Task"] -description = Monitor your AWS provisioning activities for behaviors originating from unfamiliar or unusual locations. These behaviors may indicate that malicious activities are occurring somewhere within your network. -narrative = Because most enterprise AWS activities originate from familiar geographic locations, monitoring for activity from unknown or unusual regions is an important security measure. This indicator can be especially useful in environments where it is impossible to add specific IPs to an allow list because they vary. \ -This Analytic Story was designed to provide you with flexibility in the precision you employ in specifying legitimate geographic regions. It can be as specific as an IP address or a city, or as broad as a region (think state) or an entire country. By determining how precise you want your geographical locations to be and monitoring for new locations that haven't previously accessed your environment, you can detect adversaries as they begin to probe your environment. Since there are legitimate reasons for activities from unfamiliar locations, this is not a standalone indicator. Nevertheless, location can be a relevant piece of information that you may wish to investigate further. - -[analytic_story://Common Phishing Frameworks] -category = Adversary Tactics -last_updated = 2019-04-29 -version = 1 -references = ["https://github.com/kgretzky/evilginx2", "https://attack.mitre.org/techniques/T1192/", "https://breakdev.org/evilginx-advanced-phishing-with-two-factor-authentication-bypass/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Splunk Research Team"}] -spec_version = 3 -searches = ["ESCU - Detect DNS requests to Phishing Sites leveraging EvilGinx2 - Rule", "ESCU - Get Certificate logs for a domain - Response Task"] -description = Detect DNS and web requests to fake websites generated by the EvilGinx2 toolkit. These websites are designed to fool unwitting users who have clicked on a malicious link in a phishing email. -narrative = As most people know, these emails use fraudulent domains, [email scraping](https://www.cyberscoop.com/emotet-trojan-phishing-scraping-templates-cofense-geodo/), familiar contact names inserted as senders, and other tactics to lure targets into clicking a malicious link, opening an attachment with a [nefarious payload](https://www.cyberscoop.com/emotet-trojan-phishing-scraping-templates-cofense-geodo/), or entering sensitive personal information that perpetrators may intercept. This attack technique requires a relatively low level of skill and allows adversaries to easily cast a wide net. Because phishing is a technique that relies on human psychology, you will never be able to eliminate this vulnerability 100%. But you can use automated detection to significantly reduce the risks. \ -This Analytic Story focuses on detecting signs of MiTM attacks enabled by [EvilGinx2](https://github.com/kgretzky/evilginx2), a toolkit that sets up a transparent proxy between the targeted site and the user. In this way, the attacker is able to intercept credentials and two-factor identification tokens. It employs a proxy template to allow a registered domain to impersonate targeted sites, such as Linkedin, Amazon, Okta, Github, Twitter, Instagram, Reddit, Office 365, and others. It can even register SSL certificates and camouflage them via a URL shortener, making them difficult to detect. Searches in this story look for signs of MiTM attacks enabled by EvilGinx2. - -[analytic_story://Container Implantation Monitoring and Investigation] -category = Cloud Security -last_updated = 2020-02-20 -version = 1 -references = ["https://github.com/splunk/cloud-datamodel-security-research"] -maintainers = [{"company": "Rico Valdez, Splunk", "email": "-", "name": "Rod Soto"}] -spec_version = 3 -searches = [] -description = Use the searches in this story to monitor your Kubernetes registry repositories for upload, and deployment of potentially vulnerable, backdoor, or implanted containers. These searches provide information on source users, destination path, container names and repository names. The searches provide context to address Mitre T1525 which refers to container implantation upload to a company's repository either in Amazon Elastic Container Registry, Google Container Registry and Azure Container Registry. -narrative = Container Registrys provide a way for organizations to keep customized images of their development and infrastructure environment in private. However if these repositories are misconfigured or priviledge users credentials are compromise, attackers can potentially upload implanted containers which can be deployed across the organization. These searches allow operator to monitor who, when and what was uploaded to container registry. - -[analytic_story://Host Redirection] -category = Abuse -last_updated = 2017-09-14 -version = 1 -references = ["https://blog.malwarebytes.com/cybercrime/2016/09/hosts-file-hijacks/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Rico Valdez"}] -spec_version = 3 -searches = ["ESCU - Clients Connecting to Multiple DNS Servers - Rule", "ESCU - DNS Query Requests Resolved by Unauthorized DNS Servers - Rule", "ESCU - Windows hosts file modification - Rule", "ESCU - Get DNS Server History for a host - Response Task", "ESCU - Get Notable History - Response Task"] -description = Detect evidence of tactics used to redirect traffic from a host to a destination other than the one intended--potentially one that is part of an adversary's attack infrastructure. An example is redirecting communications regarding patches and updates or misleading users into visiting a malicious website. -narrative = Attackers will often attempt to manipulate client communications for nefarious purposes. In some cases, an attacker may endeavor to modify a local host file to redirect communications with resources (such as antivirus or system-update services) to prevent clients from receiving patches or updates. In other cases, an attacker might use this tactic to have the client connect to a site that looks like the intended site, but instead installs malware or collects information from the victim. Additionally, an attacker may redirect a victim in order to execute a MITM attack and observe communications. - -[analytic_story://Kubernetes Sensitive Role Activity] -category = Cloud Security -last_updated = 2020-05-20 -version = 1 -references = ["https://www.splunk.com/en_us/blog/security/approaching-kubernetes-security-detecting-kubernetes-scan-with-splunk.html"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Rod Soto"}] -spec_version = 3 -searches = ["ESCU - Kubernetes AWS detect most active service accounts by pod - Rule", "ESCU - Kubernetes AWS detect RBAC authorization by account - Rule", "ESCU - Kubernetes AWS detect sensitive role access - Rule", "ESCU - Kubernetes Azure active service accounts by pod namespace - Rule", "ESCU - Kubernetes Azure detect RBAC authorization by account - Rule", "ESCU - Kubernetes Azure detect sensitive role access - Rule", "ESCU - Kubernetes GCP detect most active service accounts by pod - Rule", "ESCU - Kubernetes GCP detect RBAC authorizations by account - Rule", "ESCU - Kubernetes GCP detect sensitive role access - Rule", "ESCU - Get Notable History - Response Task"] -description = This story addresses detection and response around Sensitive Role usage within a Kubernetes clusters against cluster resources and namespaces. -narrative = Kubernetes is the most used container orchestration platform, this orchestration platform contains sensitive roles within its architecture, specifically configmaps and secrets, if accessed by an attacker can lead to further compromise. These searches allow operator to detect suspicious requests against Kubernetes role activities - -[analytic_story://Lateral Movement] -category = Adversary Tactics -last_updated = 2020-02-04 -version = 2 -references = ["https://www.fireeye.com/blog/executive-perspective/2015/08/malware_lateral_move.html"] -maintainers = [{"company": "Splunk", "email": "-", "name": "David Dorsey"}] -spec_version = 3 -searches = ["ESCU - Get History Of Email Sources - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Process Information For Port Activity - Response Task"] -description = DEPRECATED IN FAVOR OF ACTIVE DIRECTORY LATERAL MOVEMENT. Detect and investigate tactics, techniques, and procedures around how attackers move laterally within the enterprise. Because lateral movement can expose the adversary to detection, it should be an important focus for security analysts. -narrative = Once attackers gain a foothold within an enterprise, they will seek to expand their accesses and leverage techniques that facilitate lateral movement. Attackers will often spend quite a bit of time and effort moving laterally. Because lateral movement renders an attacker the most vulnerable to detection, it's an excellent focus for detection and investigation. Indications of lateral movement can include the abuse of system utilities (such as `psexec.exe`), unauthorized use of remote desktop services, `file/admin$` shares, WMI, PowerShell, pass-the-hash, or the abuse of scheduled tasks. Organizations must be extra vigilant in detecting lateral movement techniques and look for suspicious activity in and around high-value strategic network assets, such as Active Directory, which are often considered the primary target or "crown jewels" to a persistent threat actor. An adversary can use lateral movement for multiple purposes, including remote execution of tools, pivoting to additional systems, obtaining access to specific information or files, access to additional credentials, exfiltrating data, or delivering a secondary effect. Adversaries may use legitimate credentials alongside inherent network and operating-system functionality to remotely connect to other systems and remain under the radar of network defenders. If there is evidence of lateral movement, it is imperative for analysts to collect evidence of the associated offending hosts. For example, an attacker might leverage host A to gain access to host B. From there, the attacker may try to move laterally to host C. In this example, the analyst should gather as much information as possible from all three hosts. It is also important to collect authentication logs for each host, to ensure that the offending accounts are well-documented. Analysts should account for all processes to ensure that the attackers did not install unauthorized software. - -[analytic_story://Monitor Backup Solution] -category = Best Practices -last_updated = 2017-09-12 -version = 1 -references = ["https://www.carbonblack.com/2016/03/04/tracking-locky-ransomware-using-carbon-black/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "David Dorsey"}] -spec_version = 3 -searches = ["ESCU - Extended Period Without Successful Netbackup Backups - Rule", "ESCU - Unsuccessful Netbackup backups - Rule", "ESCU - All backup logs for host - Response Task", "ESCU - Get Notable History - Response Task"] -description = Address common concerns when monitoring your backup processes. These searches can help you reduce risks from ransomware, device theft, or denial of physical access to a host by backing up data on endpoints. -narrative = Having backups is a standard best practice that helps ensure continuity of business operations. Having mature backup processes can also help you reduce the risks of many security-related incidents and streamline your response processes. The detection searches in this Analytic Story will help you identify systems that have backup failures, as well as systems that have not been backed up for an extended period of time. The story will also return the notable event history and all of the backup logs for an endpoint. - -[analytic_story://Monitor for Unauthorized Software] -category = Best Practices -last_updated = 2017-09-15 -version = 1 -references = ["https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "David Dorsey"}] -spec_version = 3 -searches = ["ESCU - Prohibited Software On Endpoint - Rule", "ESCU - Attacker Tools On Endpoint - Rule", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"] -description = Identify and investigate prohibited/unauthorized software or processes that may be concealing malicious behavior within your environment. -narrative = It is critical to identify unauthorized software and processes running on enterprise endpoints and determine whether they are likely to be malicious. This Analytic Story requires the user to populate the Interesting Processes table within Enterprise Security with prohibited processes. An included support search will augment this data, adding information on processes thought to be malicious. This search requires data from endpoint detection-and-response solutions, endpoint data sources (such as Sysmon), or Windows Event Logs--assuming that the Active Directory administrator has enabled process tracking within the System Event Audit Logs. \ -It is important to investigate any software identified as suspicious, in order to understand how it was installed or executed. Analyzing authentication logs or any historic notable events might elicit additional investigative leads of interest. For best results, schedule the search to run every two weeks. - -[analytic_story://Office 365 Detections] -category = Cloud Security -last_updated = 2020-12-16 -version = 2 -references = ["https://i.blackhat.com/USA-20/Thursday/us-20-Bienstock-My-Cloud-Is-APTs-Cloud-Investigating-And-Defending-Office-365.pdf", "https://attack.mitre.org/matrices/enterprise/cloud/office365/", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-120a"] -maintainers = [{"company": "Mauricio Velazco, Splunk", "email": "-", "name": "Patrick Bareiss"}] -spec_version = 3 -searches = [] -description = Monitor for activities and anomalies indicative of potential threats within Office 365 environments. -narrative = Office 365 (O365) is Microsoft's cloud-based suite of productivity tools, encompassing email, collaboration platforms, and office applications, all integrated with Azure Active Directory for identity and access management. Given the centralized storage of sensitive organizational data within O365 and its widespread adoption, it has become a focal point for cybersecurity efforts. The platform's complexity, combined with its ubiquity, makes it both a valuable asset and a prime target for potential threats. As O365's importance grows, it increasingly becomes a target for attackers seeking to exploit organizational data and systems. Security teams should prioritize monitoring O365 not just because of the sensitive data it often holds, but also due to the myriad ways the platform can be exploited. Understanding and monitoring O365's security landscape is crucial for organizations to detect, respond to, and mitigate potential threats in a timely manner. - -[analytic_story://Spectre And Meltdown Vulnerabilities] -category = Vulnerability -last_updated = 2018-01-08 -version = 1 -references = ["https://meltdownattack.com/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "David Dorsey"}] -spec_version = 3 -searches = ["ESCU - Spectre and Meltdown Vulnerable Systems - Rule", "ESCU - Get Notable History - Response Task"] -description = Assess and mitigate your systems' vulnerability to Spectre and Meltdown exploitation with the searches in this Analytic Story. -narrative = Meltdown and Spectre exploit critical vulnerabilities in modern CPUs that allow unintended access to data in memory. This Analytic Story will help you identify the systems can be patched for these vulnerabilities, as well as those that still need to be patched. - -[analytic_story://Suspicious AWS EC2 Activities] -category = Cloud Security -last_updated = 2018-02-09 -version = 1 -references = ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Bhavin Patel"}] -spec_version = 3 -searches = ["ESCU - Abnormally High AWS Instances Launched by User - Rule", "ESCU - Abnormally High AWS Instances Launched by User - MLTK - Rule", "ESCU - Abnormally High AWS Instances Terminated by User - Rule", "ESCU - Abnormally High AWS Instances Terminated by User - MLTK - Rule", "ESCU - EC2 Instance Started In Previously Unseen Region - Rule", "ESCU - EC2 Instance Started With Previously Unseen User - Rule", "ESCU - AWS Investigate Security Hub alerts by dest - Response Task", "ESCU - AWS Investigate User Activities By ARN - Response Task", "ESCU - Get EC2 Instance Details by instanceId - Response Task", "ESCU - Get EC2 Launch Details - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Investigate AWS activities via region name - Response Task"] -description = Use the searches in this Analytic Story to monitor your AWS EC2 instances for evidence of anomalous activity and suspicious behaviors, such as EC2 instances that originate from unusual locations or those launched by previously unseen users (among others). Included investigative searches will help you probe more deeply, when the information warrants it. -narrative = AWS CloudTrail is an AWS service that helps you enable governance, compliance, and risk auditing within your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. It is crucial for a company to monitor events and actions taken in the AWS Console, AWS command-line interface, and AWS SDKs and APIs to ensure that your EC2 instances are not vulnerable to attacks. This Analytic Story identifies suspicious activities in your AWS EC2 instances and helps you respond and investigate those activities. - -[analytic_story://Unusual AWS EC2 Modifications] -category = Cloud Security -last_updated = 2018-04-09 -version = 1 -references = ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"] -maintainers = [{"company": "Splunk", "email": "-", "name": "David Dorsey"}] -spec_version = 3 -searches = ["ESCU - EC2 Instance Modified With Previously Unseen User - Rule", "ESCU - AWS Investigate User Activities By ARN - Response Task", "ESCU - Get EC2 Instance Details by instanceId - Response Task", "ESCU - Get Notable History - Response Task"] -description = Identify unusual changes to your AWS EC2 instances that may indicate malicious activity. Modifications to your EC2 instances by previously unseen users is an example of an activity that may warrant further investigation. -narrative = A common attack technique is to infiltrate a cloud instance and make modifications. The adversary can then secure access to your infrastructure or hide their activities. So it's important to stay alert to changes that may indicate that your environment has been compromised. \ -Searches within this Analytic Story can help you detect the presence of a threat by monitoring for EC2 instances that have been created or changed--either by users that have never previously performed these activities or by known users who modify or create instances in a way that have not been done before. This story also provides investigative searches that help you go deeper once you detect suspicious behavior. - -[analytic_story://Web Fraud Detection] -category = Abuse -last_updated = 2018-10-08 -version = 1 -references = ["https://www.fbi.gov/scams-and-safety/common-fraud-schemes/internet-fraud", "https://www.fbi.gov/news/stories/2017-internet-crime-report-released-050718"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Jim Apger"}] -spec_version = 3 -searches = ["ESCU - Web Fraud - Account Harvesting - Rule", "ESCU - Web Fraud - Anomalous User Clickspeed - Rule", "ESCU - Web Fraud - Password Sharing Across Accounts - Rule", "ESCU - Get Emails From Specific Sender - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Web Session Information via session id - Response Task"] -description = Monitor your environment for activity consistent with common attack techniques bad actors use when attempting to compromise web servers or other web-related assets. -narrative = The Federal Bureau of Investigations (FBI) defines Internet fraud as the use of Internet services or software with Internet access to defraud victims or to otherwise take advantage of them. According to the Bureau, Internet crime schemes are used to steal millions of dollars each year from victims and continue to plague the Internet through various methods. The agency includes phishing scams, data breaches, Denial of Service (DOS) attacks, email account compromise, malware, spoofing, and ransomware in this category. \ -These crimes are not the fraud itself, but rather the attack techniques commonly employed by fraudsters in their pursuit of data that enables them to commit malicious actssuch as obtaining and using stolen credit cards. They represent a serious problem that is steadily increasing and not likely to go away anytime soon. \ -When developing a strategy for preventing fraud in your environment, its important to look across all of your web services for evidence that attackers are abusing enterprise resources to enumerate systems, harvest data for secondary fraudulent activity, or abuse terms of service.This Analytic Story looks for evidence of common Internet attack techniques that could be indicative of web fraud in your environmentincluding account harvesting, anomalous user clickspeed, and password sharing across accounts, to name just a few. \ -The account-harvesting search focuses on web pages used for user-account registration. It detects the creation of a large number of user accounts using the same email domain name, a type of activity frequently seen in advance of a fraud campaign. \ -The anomalous clickspeed search looks for users who are moving through your website at a faster-than-normal speed or with a perfect click cadence (high periodicity or low standard deviation), which could indicate that the user is a script, not an actual human. \ -Another search detects incidents wherein a single password is used across multiple accounts, which may indicate that a fraudster has infiltrated your environment and embedded a common password within a script. - -[analytic_story://Detect Zerologon Attack] -category = Adversary Tactics -last_updated = 2020-09-18 -version = 1 -references = ["https://attack.mitre.org/wiki/Technique/T1003", "https://github.com/SecuraBV/CVE-2020-1472", "https://www.secura.com/blog/zero-logon", "https://nvd.nist.gov/vuln/detail/CVE-2020-1472"] -maintainers = [{"company": "Jose Hernandez, Stan Miskowicz, David Dorsey, Shannon Davis Splunk", "email": "-", "name": "Rod Soto"}] -spec_version = 3 -searches = ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Detect Computer Changed with Anonymous Account - Rule", "ESCU - Detect Credential Dumping through LSASS access - Rule", "ESCU - Windows Possible Credential Dumping - Rule", "ESCU - Detect Zerologon via Zeek - Rule", "ESCU - Get Notable History - Response Task"] -description = Uncover activity related to the execution of Zerologon CVE-2020-11472, a technique wherein attackers target a Microsoft Windows Domain Controller to reset its computer account password. The result from this attack is attackers can now provide themselves high privileges and take over Domain Controller. The included searches in this Analytic Story are designed to identify attempts to reset Domain Controller Computer Account via exploit code remotely or via the use of tool Mimikatz as payload carrier. -narrative = This attack is a privilege escalation technique, where attacker targets a Netlogon secure channel connection to a domain controller, using Netlogon Remote Protocol (MS-NRPC). This vulnerability exposes vulnerable Windows Domain Controllers to be targeted via unaunthenticated RPC calls which eventually reset Domain Contoller computer account ($) providing the attacker the opportunity to exfil domain controller credential secrets and assign themselve high privileges that can lead to domain controller and potentially complete network takeover. The detection searches in this Analytic Story use Windows Event viewer events and Sysmon events to detect attack execution, these searches monitor access to the Local Security Authority Subsystem Service (LSASS) process which is an indicator of the use of Mimikatz tool which has bee updated to carry this attack payload. - -[analytic_story://Dev Sec Ops] -category = Cloud Security -last_updated = 2021-08-18 -version = 1 -references = ["https://www.redhat.com/en/topics/devops/what-is-devsecops"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Patrick Bareiss"}] -spec_version = 3 -searches = ["ESCU - ASL AWS ECR Container Upload Outside Business Hours - Rule", "ESCU - ASL AWS ECR Container Upload Unknown User - Rule", "ESCU - AWS ECR Container Scanning Findings High - Rule", "ESCU - AWS ECR Container Scanning Findings Low Informational Unknown - Rule", "ESCU - AWS ECR Container Scanning Findings Medium - Rule", "ESCU - AWS ECR Container Upload Outside Business Hours - Rule", "ESCU - AWS ECR Container Upload Unknown User - Rule", "ESCU - Circle CI Disable Security Job - Rule", "ESCU - Circle CI Disable Security Step - Rule", "ESCU - GitHub Actions Disable Security Workflow - Rule", "ESCU - Github Commit Changes In Master - Rule", "ESCU - Github Commit In Develop - Rule", "ESCU - GitHub Dependabot Alert - Rule", "ESCU - GitHub Pull Request from Unknown User - Rule", "ESCU - Gsuite Drive Share In External Email - Rule", "ESCU - GSuite Email Suspicious Attachment - Rule", "ESCU - Gsuite Email Suspicious Subject With Attachment - Rule", "ESCU - Gsuite Email With Known Abuse Web Service Link - Rule", "ESCU - Gsuite Outbound Email With Attachment To External Domain - Rule", "ESCU - Gsuite Suspicious Shared File Name - Rule", "ESCU - Kubernetes Nginx Ingress LFI - Rule", "ESCU - Kubernetes Nginx Ingress RFI - Rule", "ESCU - Kubernetes Scanner Image Pulling - Rule", "ESCU - Risk Rule for Dev Sec Ops by Repository - Rule", "ESCU - Correlation by Repository and Risk - Rule", "ESCU - Correlation by User and Risk - Rule"] -description = This story is focused around detecting attacks on a DevSecOps lifeccycle which consists of the phases plan, code, build, test, release, deploy, operate and monitor. -narrative = DevSecOps is a collaborative framework, which thinks about application and infrastructure security from the start. This means that security tools are part of the continuous integration and continuous deployment pipeline. In this analytics story, we focused on detections around the tools used in this framework such as GitHub as a version control system, GDrive for the documentation, CircleCI as the CI/CD pipeline, Kubernetes as the container execution engine and multiple security tools such as Semgrep and Kube-Hunter. - -[analytic_story://DHS Report TA18-074A] -category = Malware -last_updated = 2020-01-22 -version = 2 -references = ["https://www.us-cert.gov/ncas/alerts/TA18-074A"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Rico Valdez"}] -spec_version = 3 -searches = ["ESCU - First time seen command line argument - Rule", "ESCU - Create local admin accounts using net exe - Rule", "ESCU - Detect New Local Admin account - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule", "ESCU - Processes launching netsh - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Single Letter Process On Endpoint - Rule", "ESCU - Suspicious Reg exe Process - Rule", "ESCU - Detect Outbound SMB Traffic - Rule", "ESCU - SMB Traffic Spike - Rule", "ESCU - SMB Traffic Spike - MLTK - Rule", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process File Activity - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Process Information For Port Activity - Response Task"] -description = Monitor for suspicious activities associated with DHS Technical Alert US-CERT TA18-074A. Some of the activities that adversaries used in these compromises included spearfishing attacks, malware, watering-hole domains, many and more. -narrative = The frequency of nation-state cyber attacks has increased significantly over the last decade. Employing numerous tactics and techniques, these attacks continue to escalate in complexity. \ -There is a wide range of motivations for these state-sponsored hacks, including stealing valuable corporate, military, or diplomatic dataѿall of which could confer advantages in various arenas. They may also target critical infrastructure. \ -One joint Technical Alert (TA) issued by the Department of Homeland and the FBI in mid-March of 2018 attributed some cyber activity targeting utility infrastructure to operatives sponsored by the Russian government. The hackers executed spearfishing attacks, installed malware, employed watering-hole domains, and more. While they caused no physical damage, the attacks provoked fears that a nation-state could turn off water, redirect power, or compromise a nuclear power plant. \ -Suspicious activities--spikes in SMB traffic, processes that launch netsh (to modify the network configuration), suspicious registry modifications, and many more--may all be events you may wish to investigate further. While the use of these technique may be an indication that a nation-state actor is attempting to compromise your environment, it is important to note that these techniques are often employed by other groups, as well. - -[analytic_story://Disabling Security Tools] -category = Adversary Tactics -last_updated = 2020-02-04 -version = 2 -references = ["https://attack.mitre.org/wiki/Technique/T1089", "https://blog.malwarebytes.com/cybercrime/2015/11/vonteera-adware-uses-certificates-to-disable-anti-malware/", "https://web.archive.org/web/20220425194457/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Tools-Report.pdf"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Rico Valdez"}] -spec_version = 3 -searches = ["ESCU - Attempt To Add Certificate To Untrusted Store - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - Processes launching netsh - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Suspicious Reg exe Process - Rule", "ESCU - Unload Sysmon Filter Driver - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"] -description = Looks for activities and techniques associated with the disabling of security tools on a Windows system, such as suspicious `reg.exe` processes, processes launching netsh, and many others. -narrative = Attackers employ a variety of tactics in order to avoid detection and operate without barriers. This often involves modifying the configuration of security tools to get around them or explicitly disabling them to prevent them from running. This Analytic Story includes searches that look for activity consistent with attackers attempting to disable various security mechanisms. Such activity may involve monitoring for suspicious registry activity, as this is where much of the configuration for Windows and various other programs reside, or explicitly attempting to shut down security-related services. Other times, attackers attempt various tricks to prevent specific programs from running, such as adding the certificates with which the security tools are signed to a block list (which would prevent them from running). - -[analytic_story://DNS Amplification Attacks] -category = Abuse -last_updated = 2016-09-13 -version = 1 -references = ["https://www.us-cert.gov/ncas/alerts/TA13-088A", "https://www.imperva.com/learn/application-security/dns-amplification/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Bhavin Patel"}] -spec_version = 3 -searches = ["ESCU - Large Volume of DNS ANY Queries - Rule", "ESCU - Get Notable History - Response Task"] -description = DNS poses a serious threat as a Denial of Service (DOS) amplifier, if it responds to `ANY` queries. This Analytic Story can help you detect attackers who may be abusing your company's DNS infrastructure to launch amplification attacks, causing Denial of Service to other victims. -narrative = The Domain Name System (DNS) is the protocol used to map domain names to IP addresses. It has been proven to work very well for its intended function. However if DNS is misconfigured, servers can be abused by attackers to levy amplification or redirection attacks against victims. Because DNS responses to `ANY` queries are so much larger than the queries themselves--and can be made with a UDP packet, which does not require a handshake--attackers can spoof the source address of the packet and cause much more data to be sent to the victim than if they sent the traffic themselves. The `ANY` requests are will be larger than normal DNS server requests, due to the fact that the server provides significant details, such as MX records and associated IP addresses. A large volume of this traffic can result in a DOS on the victim's machine. This misconfiguration leads to two possible victims, the first being the DNS servers participating in an attack and the other being the hosts that are the targets of the DOS attack. \ -The search in this story can help you to detect if attackers are abusing your company's DNS infrastructure to launch DNS amplification attacks causing Denial of Service to other victims. - -[analytic_story://DNS Hijacking] -category = Adversary Tactics -last_updated = 2020-02-04 -version = 1 -references = ["https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", "https://umbrella.cisco.com/blog/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/", "http://www.noip.com/blog/2014/07/11/dynamic-dns-can-use-2/", "https://www.splunk.com/blog/2015/08/04/detecting-dynamic-dns-domains-in-splunk.html"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Bhavin Patel"}] -spec_version = 3 -searches = ["ESCU - Clients Connecting to Multiple DNS Servers - Rule", "ESCU - DNS Query Requests Resolved by Unauthorized DNS Servers - Rule", "ESCU - DNS record changed - Rule", "ESCU - Detect DGA domains using pretrained model in DSDL - Rule", "ESCU - Detect DNS Data Exfiltration using pretrained model in DSDL - Rule", "ESCU - Detect hosts connecting to dynamic domain providers - Rule", "ESCU - Detect suspicious DNS TXT records using pretrained model in DSDL - Rule", "ESCU - Get DNS Server History for a host - Response Task"] -description = Secure your environment against DNS hijacks with searches that help you detect and investigate unauthorized changes to DNS records. -narrative = Dubbed the Achilles heel of the Internet (see https://www.f5.com/labs/articles/threat-intelligence/dns-is-still-the-achilles-heel-of-the-internet-25613), DNS plays a critical role in routing web traffic but is notoriously vulnerable to attack. One reason is its distributed nature. It relies on unstructured connections between millions of clients and servers over inherently insecure protocols. \ -The gravity and extent of the importance of securing DNS from attacks is undeniable. The fallout of compromised DNS can be disastrous. Not only can hackers bring down an entire business, they can intercept confidential information, emails, and login credentials, as well. \ -On January 22, 2019, the US Department of Homeland Security 2019's Cybersecurity and Infrastructure Security Agency (CISA) raised awareness of some high-profile DNS hijacking attacks against infrastructure, both in the United States and abroad. It issued Emergency Directive 19-01 (see https://cyber.dhs.gov/ed/19-01/), which summarized the activity and required government agencies to take the following four actions, all within 10 days: \ -1. For all .gov or other agency-managed domains, audit public DNS records on all authoritative and secondary DNS servers, verify that they resolve to the intended location or report them to CISA. \ -1. Update the passwords for all accounts on systems that can make changes to each agency 2019's DNS records. \ -1. Implement multi-factor authentication (MFA) for all accounts on systems that can make changes to each agency's 2019 DNS records or, if impossible, provide CISA with the names of systems, the reasons why MFA cannot be enabled within the required timeline, and an ETA for when it can be enabled. \ -1. CISA will begin regular delivery of newly added certificates to Certificate Transparency (CT) logs for agency domains via the Cyber Hygiene service. Upon receipt, agencies must immediately begin monitoring CT log data for certificates issued that they did not request. If an agency confirms that a certificate was unauthorized, it must report the certificate to the issuing certificate authority and to CISA. Of course, it makes sense to put equivalent actions in place within your environment, as well. \ -In DNS hijacking, the attacker assumes control over an account or makes use of a DNS service exploit to make changes to DNS records. Once they gain access, attackers can substitute their own MX records, name-server records, and addresses, redirecting emails and traffic through their infrastructure, where they can read, copy, or modify information seen. They can also generate valid encryption certificates to help them avoid browser-certificate checks. In one notable attack on the Internet service provider, GoDaddy, the hackers altered Sender Policy Framework (SPF) records a relatively minor change that did not inflict excessive damage but allowed for more effective spam campaigns. \ -The searches in this Analytic Story help you detect and investigate activities that may indicate that DNS hijacking has taken place within your environment. - -[analytic_story://Domain Trust Discovery] -category = Adversary Tactics -last_updated = 2021-03-25 -version = 1 -references = ["https://attack.mitre.org/techniques/T1482/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - DSQuery Domain Discovery - Rule", "ESCU - NLTest Domain Trust Discovery - Rule", "ESCU - Windows AdFind Exe - Rule"] -description = Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. -narrative = Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain. Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct SID-History Injection, Pass the Ticket, and Kerberoasting. Domain trusts can be enumerated using the DSEnumerateDomainTrusts() Win32 API call, .NET methods, and LDAP. The Windows utility Nltest is known to be used by adversaries to enumerate domain trusts. - -[analytic_story://Double Zero Destructor] -category = Data Destruction -last_updated = 2022-03-25 -version = 1 -references = ["https://cert.gov.ua/article/38088", "https://blog.talosintelligence.com/2022/03/threat-advisory-doublezero.html"] -maintainers = [{"company": "Rod Soto, Splunk", "email": "-", "name": "Teoderick Contreras"}] -spec_version = 3 -searches = ["ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Deleted Registry By A Non Critical Process File Path - Rule", "ESCU - Windows Terminating Lsass Process - Rule"] -description = Double Zero Destructor is a destructive payload that enumerates Domain Controllers and executes killswitch if detected. Overwrites files with Zero blocks or using MS Windows API calls such as NtFileOpen, NtFSControlFile. This payload also deletes registry hives HKCU,HKLM, HKU, HKLM BCD. -narrative = Double zero destructor enumerates domain controllers, delete registry hives and overwrites files using zero blocks and API calls. - -[analytic_story://Dynamic DNS] -category = Malware -last_updated = 2018-09-06 -version = 2 -references = ["https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", "https://umbrella.cisco.com/blog/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/", "http://www.noip.com/blog/2014/07/11/dynamic-dns-can-use-2/", "https://www.splunk.com/blog/2015/08/04/detecting-dynamic-dns-domains-in-splunk.html"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Bhavin Patel"}] -spec_version = 3 -searches = ["ESCU - Detect web traffic to dynamic domain providers - Rule", "ESCU - DNS Exfiltration Using Nslookup App - Rule", "ESCU - Excessive Usage of NSLOOKUP App - Rule", "ESCU - Detect DGA domains using pretrained model in DSDL - Rule", "ESCU - Detect hosts connecting to dynamic domain providers - Rule", "ESCU - Get DNS Server History for a host - Response Task", "ESCU - Get DNS traffic ratio - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Process Responsible For The DNS Traffic - Response Task"] -description = Detect and investigate hosts in your environment that may be communicating with dynamic domain providers. Attackers may leverage these services to help them avoid firewall blocks and deny lists. -narrative = Dynamic DNS services (DDNS) are legitimate low-cost or free services that allow users to rapidly update domain resolutions to IP infrastructure. While their usage can be benign, malicious actors can abuse DDNS to host harmful payloads or interactive-command-and-control infrastructure. These attackers will manually update or automate domain resolution changes by routing dynamic domains to IP addresses that circumvent firewall blocks and deny lists and frustrate a network defender's analytic and investigative processes. These searches will look for DNS queries made from within your infrastructure to suspicious dynamic domains and then investigate more deeply, when appropriate. While this list of top-level dynamic domains is not exhaustive, it can be dynamically updated as new suspicious dynamic domains are identified. - -[analytic_story://Emotet Malware DHS Report TA18-201A] -category = Malware -last_updated = 2020-01-27 -version = 1 -references = ["https://www.us-cert.gov/ncas/alerts/TA18-201A", "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf", "https://www.vkremez.com/2017/05/emotet-banking-trojan-malware-analysis.html"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Bhavin Patel"}] -spec_version = 3 -searches = ["ESCU - Email Attachments With Lots Of Spaces - Rule", "ESCU - Suspicious Email Attachment Extensions - Rule", "ESCU - Prohibited Software On Endpoint - Rule", "ESCU - Detect Use of cmd exe to Launch Script Interpreters - Rule", "ESCU - Detection of tools built by NirSoft - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - SMB Traffic Spike - Rule", "ESCU - SMB Traffic Spike - MLTK - Rule", "ESCU - Get History Of Email Sources - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Process Information For Port Activity - Response Task"] -description = Detect rarely used executables, specific registry paths that may confer malware survivability and persistence, instances where cmd.exe is used to launch script interpreters, and other indicators that the Emotet financial malware has compromised your environment. -narrative = The trojan downloader known as Emotet first surfaced in 2014, when it was discovered targeting the banking industry to steal credentials. However, according to a joint technical alert (TA) issued by three government agencies (https://www.us-cert.gov/ncas/alerts/TA18-201A), Emotet has evolved far beyond those beginnings to become what a ThreatPost article called a threat-delivery service(see https://threatpost.com/emotet-malware-evolves-beyond-banking-to-threat-delivery-service/134342/). For example, in early 2018, Emotet was found to be using its loader function to spread the Quakbot and Ransomware variants. \ -According to the TA, the the malware continues to be among the most costly and destructive malware affecting the private and public sectors. Researchers have linked it to the threat group Mealybug, which has also been on the security communitys radar since 2014. \ -The searches in this Analytic Story will help you find executables that are rarely used in your environment, specific registry paths that malware often uses to ensure survivability and persistence, instances where cmd.exe is used to launch script interpreters, and other indicators that Emotet or other malware has compromised your environment. - -[analytic_story://F5 Authentication Bypass with TMUI] -category = Adversary Tactics -last_updated = 2023-10-30 -version = 1 -references = ["https://www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/", "https://github.com/projectdiscovery/nuclei-templates/blob/3b0bb71bd627c6c3139e1d06c866f8402aa228ae/http/cves/2023/CVE-2023-46747.yaml"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - F5 TMUI Authentication Bypass - Rule"] -description = Research into leading software revealed vulnerabilities in both Apache Tomcat and the F5 BIG-IP suite. Apache's AJP protocol vulnerability, designated CVE-2022-26377, relates to AJP request smuggling. Successful exploitation enables unauthorized system activities. F5 BIG-IP Virtual Edition exhibited a distinct vulnerability, an authentication bypass in the Traffic Management User Interface (TMUI), resulting in system compromise. Assigned CVE-2023-46747, this vulnerability also arose from request smuggling, bearing similarity to CVE-2022-26377. Given the wide adoption of both Apache Tomcat and F5 products, these vulnerabilities present grave risks to organizations. Remediation and vulnerability detection mechanisms are essential to address these threats effectively. -narrative = Both Apache Tomcat's AJP protocol and F5's BIG-IP Virtual Edition have been exposed to critical vulnerabilities. Apache's CVE-2022-26377 pertains to request smuggling by manipulating the "Transfer-Encoding" header. If successfully exploited, this allows attackers to bypass security controls and undertake unauthorized actions. \ -Similarly, F5 BIG-IP unveiled an authentication bypass vulnerability, CVE-2023-46747. Originating from the TMUI, this vulnerability leads to full system compromise. While distinct, it shares characteristics with Apache's vulnerability, primarily rooted in request smuggling. This vulnerability drew from past F5 CVEs, particularly CVE-2020-5902 and CVE-2022-1388, both previously exploited in real-world scenarios. These highlighted vulnerabilities in Apache HTTP and Apache Tomcat services, as well as authentication flaws in the F5 BIG-IP API. \ -Nuclei detection templates offer a proactive solution for identifying and mitigating these vulnerabilities. Integrated into vulnerability management frameworks, these templates notify organizations of potential risks, forming a base for further detection strategies. For detection engineers, understanding these vulnerabilities is crucial. Recognizing the mechanisms and effects of request smuggling, especially in Apache's and F5's context, provides a roadmap to effective detection and response. Prompt detection is a linchpin, potentially stymieing further, more destructive attacks. - -[analytic_story://F5 BIG-IP Vulnerability CVE-2022-1388] -category = Adversary Tactics -last_updated = 2022-05-10 -version = 1 -references = ["https://github.com/dk4trin/templates-nuclei/blob/main/CVE-2022-1388.yaml", "https://www.randori.com/blog/vulnerability-analysis-cve-2022-1388/", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1388", "https://twitter.com/da_667/status/1523770267327250438?s=20\u0026t=-JnB_aNWuJFsmcOmxGUWLQ", "https://github.com/horizon3ai/CVE-2022-1388/blob/main/CVE-2022-1388.py"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - F5 BIG-IP iControl REST Vulnerability CVE-2022-1388 - Rule"] -description = CVE-2022-1388 is a unauthenticated remote code execution vulnerablity against BIG-IP iControl REST API. -narrative = CVE-2022-1388 is a critical vulnerability (CVSS 9.8) in the management interface of F5 Networks'' BIG-IP solution that enables an unauthenticated attacker to gain remote code execution on the system through bypassing F5''s iControl REST authentication. The vulnerability was first discovered by F5''s internal product security team and disclosed publicly on May 4, 2022, per Randori. This vulnerability,CVE-2022-1388, may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. There is no data plane exposure; this is a control plane issue only per F5 article K23605346. Is CVE-2022-1388 Exploitable? Yes. There are now multiple POC scripts available and reports of threat actors scanning and potentially exploiting the vulnerablity. Per Randori the specific interface needed to exploit this vulnerability is rarely publicly exposed, and the risk to most organizations of exploitation by an unauthenticated external actor is low. - -[analytic_story://F5 TMUI RCE CVE-2020-5902] -category = Adversary Tactics -last_updated = 2020-08-02 -version = 1 -references = ["https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/", "https://support.f5.com/csp/article/K52145254", "https://blog.cloudflare.com/cve-2020-5902-helping-to-protect-against-the-f5-tmui-rce-vulnerability/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Shannon Davis"}] -spec_version = 3 -searches = ["ESCU - Detect F5 TMUI RCE CVE-2020-5902 - Rule", "ESCU - Get Notable History - Response Task"] -description = Uncover activity consistent with CVE-2020-5902. Discovered by Positive Technologies researchers, this vulnerability affects F5 BIG-IP, BIG-IQ. and Traffix SDC devices (vulnerable versions in F5 support link below). This vulnerability allows unauthenticated users, along with authenticated users, who have access to the configuration utility to execute system commands, create/delete files, disable services, and/or execute Java code. This vulnerability can result in full system compromise. -narrative = A client is able to perform a remote code execution on an exposed and vulnerable system. The detection search in this Analytic Story uses syslog to detect the malicious behavior. Syslog is going to be the best detection method, as any systems using SSL to protect their management console will make detection via wire data difficult. The searches included used Splunk Connect For Syslog (https://splunkbase.splunk.com/app/4740/), and used a custom destination port to help define the data as F5 data (covered in https://splunk-connect-for-syslog.readthedocs.io/en/master/sources/F5/) - -[analytic_story://FIN7] -category = Malware -last_updated = 2021-09-14 -version = 1 -references = ["https://en.wikipedia.org/wiki/FIN7", "https://threatpost.com/fin7-windows-11-release/169206/", "https://www.proofpoint.com/us/blog/threat-insight/jssloader-recoded-and-reloaded"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Teoderick Contreras"}] -spec_version = 3 -searches = ["ESCU - Check Elevated CMD using whoami - Rule", "ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Jscript Execution Using Cscript App - Rule", "ESCU - MS Scripting Process Loading Ldap Module - Rule", "ESCU - MS Scripting Process Loading WMI Module - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Office Application Drop Executable - Rule", "ESCU - Office Product Spawning Wmic - Rule", "ESCU - Vbscript Execution Using Wscript App - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Wscript Or Cscript Suspicious Child Process - Rule", "ESCU - XSL Script Execution With WMIC - Rule"] -description = Leverage searches that allow you to detect and investigate unusual activities that might relate to the FIN7 JS Implant and JSSLoader, including looking for Image Loading of ldap and wmi modules, associated with its payload, data collection and script execution. -narrative = FIN7 is a Russian criminal advanced persistent threat group that has primarily targeted the U.S. retail, restaurant, and hospitality sectors since mid-2015. A portion of FIN7 is run out of the front company Combi Security. It has been called one of the most successful criminal hacking groups in the world. this passed few day FIN7 tools and implant are seen in the wild where its code is updated. the FIN& is known to use the spear phishing attack as a entry to targetted network or host that will drop its staging payload like the JS and JSSloader. Now this artifacts and implants seen downloading other malware like cobaltstrike and event ransomware to encrypt host. - -[analytic_story://Flax Typhoon] -category = Adversary Tactics -last_updated = 2023-08-25 -version = 1 -references = ["https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - BITSAdmin Download File - Rule", "ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Overwriting Accessibility Binaries - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows Mimikatz Binary Execution - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows SQL Spawning CertUtil - Rule"] -description = Microsoft has identified a nation-state activity group, Flax Typhoon, based in China, targeting Taiwanese organizations for espionage. The group maintains long-term access to networks with minimal use of malware, relying on built-in OS tools and benign software. The group's activities are primarily focused on Taiwan, but the techniques used could be easily reused in other operations outside the region. Microsoft has not observed Flax Typhoon using this access to conduct additional actions. -narrative = Flax Typhoon has been active since mid-2021, targeting government agencies, education, critical manufacturing, and IT organizations in Taiwan. The group uses the China Chopper web shell, Metasploit, Juicy Potato privilege escalation tool, Mimikatz, and SoftEther VPN client. However, they primarily rely on living-off-the-land techniques and hands-on-keyboard activity. Initial access is achieved by exploiting known vulnerabilities in public-facing servers and deploying web shells. Following initial access, Flax Typhoon uses command-line tools to establish persistent access over the remote desktop protocol, deploy a VPN connection to actor-controlled network infrastructure, and collect credentials from compromised systems. The group also uses this VPN access to scan for vulnerabilities on targeted systems and organizations from the compromised systems. - -[analytic_story://Forest Blizzard] -category = Adversary Tactics -last_updated = 2023-09-11 -version = 1 -references = ["https://cert.gov.ua/article/5702579", "https://www.zscaler.com/blogs/security-research/steal-it-campaign", "https://attack.mitre.org/groups/G0007/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - CertUtil With Decode Argument - Rule", "ESCU - CHCP Command Execution - Rule", "ESCU - Headless Browser Mockbin or Mocky Request - Rule", "ESCU - Headless Browser Usage - Rule", "ESCU - Windows Curl Download to Suspicious Path - Rule"] -description = CERT-UA has unveiled a cyberattack on Ukraine's energy infrastructure, orchestrated via deceptive emails. These emails, once accessed, lead to a multi-stage cyber operation downloading and executing malicious payloads. Concurrently, Zscaler's "Steal-It" campaign detection revealed striking similarities, hinting at a shared origin - APT28 or Fancy Bear. This notorious group, linked to Russia's GRU, utilizes legitimate platforms like Mockbin, making detection challenging. Their operations underline the evolving cyber threat landscape and stress the importance of advanced defenses. -narrative = APT28, also known as Fancy Bear, blends stealth and expertise in its cyber operations. Affiliated with Russia's GRU, their signature move involves spear-phishing emails, leading to multi-tiered cyberattacks. In Ukraine's recent breach, a ZIP archive's execution triggered a series of actions, culminating in information flow redirection via the TOR network. Simultaneously, Zscaler's "Steal-It" campaign pinpointed similar tactics, specifically targeting NTLMv2 hashes. This campaign used ZIP archives containing LNK files to exfiltrate data via Mockbin. APT28's hallmark is their "Living Off The Land" strategy, manipulating legitimate tools and services to blend in, evading detection. Their innovative tactics, coupled with a geofencing focus on specific regions, make them a formidable cyber threat, highlighting the urgent need for advanced defense strategies. - -[analytic_story://Fortinet FortiNAC CVE-2022-39952] -category = Adversary Tactics -last_updated = 2023-02-21 -version = 1 -references = ["https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs/", "https://viz.greynoise.io/tag/fortinac-rce-attempt?days=30", "https://www.bleepingcomputer.com/news/security/fortinet-fixes-critical-rce-flaws-in-fortinac-and-fortiweb/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952 - Rule"] -description = On Thursday, 16 February 2023, Fortinet released a PSIRT that details CVE-2022-39952, a critical vulnerability affecting its FortiNAC product (Horizon3.ai). -narrative = This vulnerability, discovered by Gwendal Guegniaud of Fortinet, allows an unauthenticated attacker to write arbitrary files on the system and as a result obtain remote code execution in the context of the root user (Horizon3.ai). Impacting FortiNAC, is tracked as CVE-2022-39952 and has a CVSS v3 score of 9.8 (critical). FortiNAC is a network access control solution that helps organizations gain real time network visibility, enforce security policies, and detect and mitigate threats. An external control of file name or path vulnerability CWE-73 in FortiNAC webserver may allow an unauthenticated attacker to perform arbitrary write on the system, reads the security advisory. - -[analytic_story://GCP Account Takeover] -category = Account Compromise -last_updated = 2022-10-12 -version = 1 -references = ["https://cloud.google.com/gcp", "https://cloud.google.com/architecture/identity/overview-google-authentication", "https://attack.mitre.org/techniques/T1586/", "https://www.imperva.com/learn/application-security/account-takeover-ato/", "https://www.barracuda.com/glossary/account-takeover"] -maintainers = [{"company": "Bhavin Patel, Splunk", "email": "-", "name": "Mauricio Velazco"}] -spec_version = 3 -searches = ["ESCU - GCP Authentication Failed During MFA Challenge - Rule", "ESCU - GCP Multi-Factor Authentication Disabled - Rule", "ESCU - GCP Multiple Failed MFA Requests For User - Rule", "ESCU - GCP Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - GCP Successful Single-Factor Authentication - Rule", "ESCU - GCP Unusual Number of Failed Authentications From Ip - Rule"] -description = Monitor for activities and techniques associated with Account Takeover attacks against Google Cloud Platform tenants. -narrative = Account Takeover (ATO) is an attack whereby cybercriminals gain unauthorized access to online accounts by using different techniques like brute force, social engineering, phishing & spear phishing, credential stuffing, etc. By posing as the real user, cyber-criminals can change account details, send out phishing emails, steal financial information or sensitive data, or use any stolen information to access further accounts within the organization. This analytic story groups detections that can help security operations teams identify the potential compromise of Google cloud accounts. - -[analytic_story://GCP Cross Account Activity] -category = Cloud Security -last_updated = 2020-09-01 -version = 1 -references = ["https://cloud.google.com/iam/docs/understanding-service-accounts"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Rod Soto"}] -spec_version = 3 -searches = ["ESCU - GCP Detect gcploit framework - Rule", "ESCU - GCP Detect accounts with high risk roles by project - Rule", "ESCU - GCP Detect high risk permissions by resource and account - Rule", "ESCU - gcp detect oauth token abuse - Rule", "ESCU - Get Notable History - Response Task"] -description = Track when a user assumes an IAM role in another GCP account to obtain cross-account access to services and resources in that account. Accessing new roles could be an indication of malicious activity. -narrative = Google Cloud Platform (GCP) admins manage access to GCP resources and services across the enterprise using GCP Identity and Access Management (IAM) functionality. IAM provides the ability to create and manage GCP users, groups, and roles-each with their own unique set of privileges and defined access to specific resources (such as Compute instances, the GCP Management Console, API, or the command-line interface). Unlike conventional (human) users, IAM roles are potentially assumable by anyone in the organization. They provide users with dynamically created temporary security credentials that expire within a set time period. \ -In between the time between when the temporary credentials are issued and when they expire is a period of opportunity, where a user could leverage the temporary credentials to wreak havoc-spin up or remove instances, create new users, elevate privileges, and other malicious activities-throughout the environment. \ -This Analytic Story includes searches that will help you monitor your GCP Audit logs logs for evidence of suspicious cross-account activity. For example, while accessing multiple GCP accounts and roles may be perfectly valid behavior, it may be suspicious when an account requests privileges of an account it has not accessed in the past. After identifying suspicious activities, you can use the provided investigative searches to help you probe more deeply. - -[analytic_story://Graceful Wipe Out Attack] -category = Data Destruction -last_updated = 2023-06-15 -version = 1 -references = ["https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Teoderick Contreras"}] -spec_version = 3 -searches = ["ESCU - Anomalous usage of 7zip - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - CMD Echo Pipe - Escalation - Rule", "ESCU - Cobalt Strike Named Pipes - Rule", "ESCU - Deleting Of Net Users - Rule", "ESCU - Detect Regsvr32 Application Control Bypass - Rule", "ESCU - DLLHost with no Command Line Arguments with Network - Rule", "ESCU - Domain Account Discovery With Net App - Rule", "ESCU - Domain Group Discovery With Net - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - GPUpdate with no Command Line Arguments with Network - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Remote WMI Command Attempt - Rule", "ESCU - Rundll32 with no Command Line Arguments with Network - Rule", "ESCU - SAM Database File Access Attempt - Rule", "ESCU - SearchProtocolHost with no Command Line with Network - Rule", "ESCU - SecretDumps Offline NTDS Dumping Tool - Rule", "ESCU - Services Escalate Exe - Rule", "ESCU - Suspicious DLLHost no Command Line Arguments - Rule", "ESCU - Suspicious GPUpdate no Command Line Arguments - Rule", "ESCU - Suspicious microsoft workflow compiler rename - Rule", "ESCU - Suspicious msbuild path - Rule", "ESCU - Suspicious MSBuild Rename - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", "ESCU - Suspicious Rundll32 StartW - Rule", "ESCU - Suspicious SearchProtocolHost no Command Line Arguments - Rule", "ESCU - Windows AdFind Exe - Rule", "ESCU - Windows Process Injection Remote Thread - Rule", "ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - Windows Service Stop By Deletion - Rule", "ESCU - Windows Service Stop Via Net and SC Application - Rule"] -description = This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the destructive attack or campaign found by "THE DFIR Report" that uses Truebot, FlawedGrace and MBR killer malware. This analytic story looks for suspicious dropped files, cobalt strike execution, im-packet execution, registry modification, scripts, persistence, lateral movement, impact, exfiltration and recon. -narrative = Graceful Wipe Out Attack is a destructive malware campaign found by "The DFIR Report" targeting multiple organizations to collect, exfiltrate and wipe the data of targeted networks. This malicious payload corrupts or wipes Master Boot Records by using an NSIS script after the exfiltration of sensitive information from the targeted host or system. - -[analytic_story://HAFNIUM Group] -category = Adversary Tactics -last_updated = 2021-03-03 -version = 1 -references = ["https://www.splunk.com/en_us/blog/security/detecting-hafnium-exchange-server-zero-day-activity-in-splunk.html", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - Email servers sending high volume traffic to hosts - Rule", "ESCU - Dump LSASS via procdump Rename - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - Detect Exchange Web Shell - Rule", "ESCU - Detect New Local Admin account - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Dump LSASS via procdump - Rule", "ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule", "ESCU - Nishang PowershellTCPOneLine - Rule", "ESCU - Ntdsutil Export NTDS - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule", "ESCU - W3WP Spawning Shell - Rule"] -description = HAFNIUM group was identified by Microsoft as exploiting 4 Microsoft Exchange CVEs in the wild - CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065. -narrative = On Tuesday, March 2, 2021, Microsoft released a set of security patches for its mail server, Microsoft Exchange. These patches respond to a group of vulnerabilities known to impact Exchange 2013, 2016, and 2019. It is important to note that an Exchange 2010 security update has also been issued, though the CVEs do not reference that version as being vulnerable. \ -While the CVEs do not shed much light on the specifics of the vulnerabilities or exploits, the first vulnerability (CVE-2021-26855) has a remote network attack vector that allows the attacker, a group Microsoft named HAFNIUM, to authenticate as the Exchange server. Three additional vulnerabilities (CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) were also identified as part of this activity. When chained together along with CVE-2021-26855 for initial access, the attacker would have complete control over the Exchange server. This includes the ability to run code as SYSTEM and write to any path on the server. \ -The following Splunk detections assist with identifying the HAFNIUM groups tradecraft and methodology. - -[analytic_story://Hermetic Wiper] -category = Data Destruction -last_updated = 2022-03-02 -version = 1 -references = ["https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/", "https://www.cisa.gov/uscert/ncas/alerts/aa22-057a"] -maintainers = [{"company": "Rod Soto, Michael Haag, Splunk", "email": "-", "name": "Teoderick Contreras"}] -spec_version = 3 -searches = ["ESCU - Email Attachments With Lots Of Spaces - Rule", "ESCU - Suspicious Email Attachment Extensions - Rule", "ESCU - Suspicious Powershell Command-Line Arguments - Rule", "ESCU - Uncommon Processes On Endpoint - Rule", "ESCU - Active Setup Registry Autostart - Rule", "ESCU - Any Powershell DownloadFile - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - Change Default File Association - Rule", "ESCU - Child Processes of Spoolsv exe - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Detect Empire with PowerShell Script Block Logging - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Kerberoasting spn request with RC4 encryption - Rule", "ESCU - Linux Java Spawning Shell - Rule", "ESCU - Logon Script Event Trigger Execution - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Malicious PowerShell Process With Obfuscation Techniques - Rule", "ESCU - MSI Module Loaded by Non-System Binary - Rule", "ESCU - Overwriting Accessibility Binaries - Rule", "ESCU - Possible Lateral Movement PowerShell Spawn - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - PowerShell Domain Enumeration - Rule", "ESCU - Powershell Enable SMB1Protocol Feature - Rule", "ESCU - Powershell Execute COM Object - Rule", "ESCU - Powershell Fileless Process Injection via GetProcAddress - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Powershell Processing Stream Of Data - Rule", "ESCU - Powershell Using memory As Backing Store - Rule", "ESCU - Print Processor Registry Autostart - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Runas Execution in CommandLine - Rule", "ESCU - Screensaver Event Trigger Execution - Rule", "ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Time Provider Persistence Registry - Rule", "ESCU - Unloading AMSI via Reflection - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows Disable Memory Crash Dump - Rule", "ESCU - Windows File Without Extension In Critical Folder - Rule", "ESCU - Windows Modify Show Compress Color And Info Tip Registry - Rule", "ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - WMI Recon Running Process Or Services - Rule"] -description = This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the destructive malware targeting Ukrainian organizations also known as "Hermetic Wiper". This analytic story looks for abuse of Regsvr32, executables written in administrative SMB Share, suspicious processes, disabling of memory crash dump and more. -narrative = Hermetic Wiper is destructive malware operation found by Sentinel One targeting multiple organizations in Ukraine. This malicious payload corrupts Master Boot Records, uses signed drivers and manipulates NTFS attributes for file destruction. - -[analytic_story://Hidden Cobra Malware] -category = Malware -last_updated = 2020-01-22 -version = 2 -references = ["https://web.archive.org/web/20191220004307/https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity", "https://web.archive.org/web/20220421112536/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Rico Valdez"}] -spec_version = 3 -searches = ["ESCU - First time seen command line argument - Rule", "ESCU - Suspicious File Write - Rule", "ESCU - Create or delete windows shares using net exe - Rule", "ESCU - Remote Desktop Process Running On System - Rule", "ESCU - Detect Outbound SMB Traffic - Rule", "ESCU - DNS Query Length Outliers - MLTK - Rule", "ESCU - DNS Query Length With High Standard Deviation - Rule", "ESCU - Remote Desktop Network Traffic - Rule", "ESCU - SMB Traffic Spike - Rule", "ESCU - SMB Traffic Spike - MLTK - Rule", "ESCU - Get DNS Server History for a host - Response Task", "ESCU - Get DNS traffic ratio - Response Task", "ESCU - Get History Of Email Sources - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Outbound Emails to Hidden Cobra Threat Actors - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Process Information For Port Activity - Response Task", "ESCU - Get Process Responsible For The DNS Traffic - Response Task", "ESCU - Investigate Successful Remote Desktop Authentications - Response Task"] -description = Monitor for and investigate activities, including the creation or deletion of hidden shares and file writes, that may be evidence of infiltration by North Korean government-sponsored cybercriminals. Details of this activity were reported in DHS Report TA-18-149A. -narrative = North Korea's government-sponsored "cyber army" has been slowly building momentum and gaining sophistication over the last 15 years or so. As a result, the group's activity, which the US government refers to as "Hidden Cobra," has surreptitiously crept onto the collective radar as a preeminent global threat. \ -These state-sponsored actors are thought to be responsible for everything from a hack on a South Korean nuclear plant to an attack on Sony in anticipation of its release of the movie "The Interview" at the end of 2014. They're also notorious for cyberespionage. In recent years, the group seems to be focused on financial crimes, such as cryptojacking. \ -In June of 2018, The Department of Homeland Security, together with the FBI and other U.S. government partners, issued Technical Alert (TA-18-149A) to advise the public about two variants of North Korean malware. One variant, dubbed "Joanap," is a multi-stage peer-to-peer botnet that allows North Korean state actors to exfiltrate data, download and execute secondary payloads, and initialize proxy communications. The other variant, "Brambul," is a Windows32 SMB worm that is dropped into a victim network. When executed, the malware attempts to spread laterally within a victim's local subnet, connecting via the SMB protocol and initiating brute-force password attacks. It reports details to the Hidden Cobra actors via email, so they can use the information for secondary remote operations. \ -Among other searches in this Analytic Story is a detection search that looks for the creation or deletion of hidden shares, such as, "adnim$," which the Hidden Cobra malware creates on the target system. Another looks for the creation of three malicious files associated with the malware. You can also use a search in this story to investigate activity that indicates that malware is sending email back to the attackers. - -[analytic_story://IcedID] -category = Malware -last_updated = 2021-07-29 -version = 1 -references = ["https://threatpost.com/icedid-banking-trojan-surges-emotet/165314/", "https://app.any.run/tasks/48414a33-3d66-4a46-afe5-c2003bb55ccf/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Teoderick Contreras"}] -spec_version = 3 -searches = ["ESCU - Account Discovery With Net App - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - CHCP Command Execution - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Create Remote Thread In Shell Application - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Disable Defender AntiVirus Registry - Rule", "ESCU - Disable Defender BlockAtFirstSeen Feature - Rule", "ESCU - Disable Defender Enhanced Notification - Rule", "ESCU - Disable Defender MpEngine Registry - Rule", "ESCU - Disable Defender Spynet Reporting - Rule", "ESCU - Disable Defender Submit Samples Consent Feature - Rule", "ESCU - Disable Schedule Task - Rule", "ESCU - Disabling Defender Services - Rule", "ESCU - Drop IcedID License dat - Rule", "ESCU - Eventvwr UAC Bypass - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - FodHelper UAC Bypass - Rule", "ESCU - IcedID Exfiltrated Archived File Creation - Rule", "ESCU - Mshta spawning Rundll32 OR Regsvr32 Process - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Share Discovery Via Dir Command - Rule", "ESCU - NLTest Domain Trust Discovery - Rule", "ESCU - Office Application Spawn Regsvr32 process - Rule", "ESCU - Office Application Spawn rundll32 process - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawning MSHTA - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - Powershell Processing Stream Of Data - Rule", "ESCU - Powershell Using memory As Backing Store - Rule", "ESCU - Process Creating LNK file in Suspicious Location - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Remote System Discovery with Net - Rule", "ESCU - Remote WMI Command Attempt - Rule", "ESCU - Rundll32 Create Remote Thread To A Process - Rule", "ESCU - Rundll32 CreateRemoteThread In Browser - Rule", "ESCU - Rundll32 DNSQuery - Rule", "ESCU - Rundll32 Process Creating Exe Dll Files - Rule", "ESCU - RunDLL Loading DLL By Ordinal - Rule", "ESCU - Schedule Task with Rundll32 Command Trigger - Rule", "ESCU - Sqlite Module In Temp Folder - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Suspicious IcedID Rundll32 Cmdline - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Regsvr32 Register Suspicious Path - Rule", "ESCU - Suspicious Rundll32 dllregisterserver - Rule", "ESCU - Suspicious Rundll32 PluginInit - Rule", "ESCU - Windows AdFind Exe - Rule", "ESCU - Windows Curl Download to Suspicious Path - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule", "ESCU - Windows WMI Process Call Create - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule", "ESCU - Wmic NonInteractive App Uninstallation - Rule"] -description = Leverage searches that allow you to detect and investigate unusual activities that might relate to the IcedID banking trojan, including looking for file writes associated with its payload, process injection, shellcode execution and data collection. -narrative = IcedId banking trojan campaigns targeting banks and other vertical sectors.This malware is known in Microsoft Windows OS targetting browser such as firefox and chrom to steal banking information. It is also known to its unique payload downloaded in C2 where it can be a .png file that hides the core shellcode bot using steganography technique or gzip dat file that contains "license.dat" which is the actual core icedid bot. - -[analytic_story://IIS Components] -category = Adversary Tactics -last_updated = 2022-12-19 -version = 1 -references = ["https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", "https://attack.mitre.org/techniques/T1505/004/", "https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework-1.pdf", "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", "https://www.secureworks.com/research/bronze-union", "https://strontic.github.io/xcyclopedia/library/appcmd.exe-055B2B09409F980BF9B5A3969D01E5B2.html"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - Windows Disable Windows Event Logging Disable HTTP Logging - Rule", "ESCU - Windows IIS Components Add New Module - Rule", "ESCU - Windows IIS Components Get-WebGlobalModule Module Query - Rule", "ESCU - Windows IIS Components Module Failed to Load - Rule", "ESCU - Windows IIS Components New Module Added - Rule", "ESCU - Windows PowerShell Add Module to Global Assembly Cache - Rule", "ESCU - Windows PowerShell Disable HTTP Logging - Rule", "ESCU - Windows PowerShell IIS Components WebGlobalModule Usage - Rule", "ESCU - Windows Server Software Component GACUtil Install to GAC - Rule"] -description = Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence. -narrative = IIS provides several mechanisms to extend the functionality of the web servers. For example, Internet Server Application Programming Interface (ISAPI) extensions and filters can be installed to examine and/or modify incoming and outgoing IIS web requests. Extensions and filters are deployed as DLL files that export three functions - Get{Extension/Filter}Version, Http{Extension/Filter}Proc, and (optionally) Terminate{Extension/Filter}. IIS modules may also be installed to extend IIS web servers. \ -Adversaries may install malicious ISAPI extensions and filters to observe and/or modify traffic, execute commands on compromised machines, or proxy command and control traffic. ISAPI extensions and filters may have access to all IIS web requests and responses. For example, an adversary may abuse these mechanisms to modify HTTP responses in order to distribute malicious commands/content to previously comprised hosts. \ -Adversaries may also install malicious IIS modules to observe and/or modify traffic. IIS 7.0 introduced modules that provide the same unrestricted access to HTTP requests and responses as ISAPI extensions and filters. IIS modules can be written as a DLL that exports RegisterModule, or as a .NET application that interfaces with ASP.NET APIs to access IIS HTTP requests. (reference MITRE) - -[analytic_story://Industroyer2] -category = Malware -last_updated = 2022-04-21 -version = 1 -references = ["https://cert.gov.ua/article/39518", "https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Teoderick Contreras"}] -spec_version = 3 -searches = ["ESCU - AdsiSearcher Account Discovery - Rule", "ESCU - Attempted Credential Dump From Registry via Reg exe - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux DD File Overwrite - Rule", "ESCU - Linux Deleting Critical Directory Using RM Command - Rule", "ESCU - Linux Disable Services - Rule", "ESCU - Linux High Frequency Of File Deletion In Boot Folder - Rule", "ESCU - Linux Shred Overwrite Command - Rule", "ESCU - Linux Stdout Redirection To Dev Null File - Rule", "ESCU - Linux Stop Services - Rule", "ESCU - Linux System Network Discovery - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Hidden Schedule Task Settings - Rule", "ESCU - Windows Linked Policies In ADSI Discovery - Rule", "ESCU - Windows Processes Killed By Industroyer2 Malware - Rule", "ESCU - Windows Root Domain linked policies Discovery - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"] -description = Leverage searches that allow you to detect and investigate unusual activities that might relate to the Industroyer2 attack, including file writes associated with its payload, lateral movement, persistence, privilege escalation and data destruction. -narrative = Industroyer2 is part of continuous attack to ukraine targeting energy facilities. This malware is a windows binary that implement IEC-104 protocol to communicate with industrial equipments. This attack consist of several destructive linux script component to wipe or delete several linux critical files, powershell for domain enumeration and caddywiper to wipe boot sector of the targeted host. - -[analytic_story://Information Sabotage] -category = Abuse -last_updated = 2021-11-17 -version = 1 -references = ["https://insights.sei.cmu.edu/blog/insider-threat-deep-dive-it-sabotage/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Teoderick Contreras"}] -spec_version = 3 -searches = ["ESCU - High Frequency Copy Of Files In Network Share - Rule"] -description = Leverage searches that allow you to detect and investigate unusual activities that might correlate to insider threat specially in terms of information sabotage. -narrative = Information sabotage is the type of crime many people associate with insider threat. Where the current or former employees, contractors, or business partners intentionally exceeded or misused an authorized level of access to networks, systems, or data with the intention of harming a specific individual, the organization, or the organization's data, systems, and/or daily business operations. - -[analytic_story://Ingress Tool Transfer] -category = Adversary Tactics -last_updated = 2021-03-24 -version = 1 -references = ["https://attack.mitre.org/techniques/T1105/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - Any Powershell DownloadFile - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - BITSAdmin Download File - Rule", "ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - CertUtil Download With VerifyCtl and Split Arguments - Rule", "ESCU - Curl Download and Bash Execution - Rule", "ESCU - Detect Certify Command Line Arguments - Rule", "ESCU - Detect Certipy File Modifications - Rule", "ESCU - Linux Curl Upload File - Rule", "ESCU - Linux Ingress Tool Transfer Hunting - Rule", "ESCU - Linux Ingress Tool Transfer with Curl - Rule", "ESCU - Linux Proxy Socks Curl - Rule", "ESCU - Suspicious Curl Network Connection - Rule", "ESCU - Wget Download and Bash Execution - Rule", "ESCU - Windows Curl Download to Suspicious Path - Rule", "ESCU - Windows Curl Upload to Remote Destination - Rule"] -description = Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the Command And Control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. -narrative = Ingress tool transfer is a Technique under tactic Command And Control. Behaviors will include the use of living off the land binaries to download implants or binaries over alternate communication ports. It is imperative to baseline applications on endpoints to understand what generates network activity, to where, and what is its native behavior. These utilities, when abused, will write files to disk in world writeable paths.\ During triage, review the reputation of the remote public destination IP or domain. Capture any files written to disk and perform analysis. Review other parrallel processes for additional behaviors. - -[analytic_story://Insider Threat] -category = Adversary Tactics -last_updated = 2022-05-19 -version = 1 -references = ["https://www.imperva.com/learn/application-security/insider-threats/", "https://www.cisa.gov/defining-insider-threats", "https://www.code42.com/glossary/types-of-insider-threats/", "https://github.com/Insider-Threat/Insider-Threat", "https://ctid.mitre-engenuity.org/our-work/insider-ttp-kb/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Jose Hernandez"}] -spec_version = 3 -searches = ["ESCU - Gsuite Drive Share In External Email - Rule", "ESCU - Gsuite Outbound Email With Attachment To External Domain - Rule", "ESCU - Detect Remote Access Software Usage File - Rule", "ESCU - Detect Remote Access Software Usage FileInfo - Rule", "ESCU - Detect Remote Access Software Usage Process - Rule", "ESCU - High Frequency Copy Of Files In Network Share - Rule", "ESCU - Potential password in username - Rule", "ESCU - Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials - Rule", "ESCU - Windows Multiple Users Failed To Authenticate From Process - Rule", "ESCU - Windows Remote Access Software Hunt - Rule", "ESCU - Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials - Rule", "ESCU - Windows Unusual Count Of Users Failed To Authenticate From Process - Rule", "ESCU - Detect Remote Access Software Usage DNS - Rule", "ESCU - Detect Remote Access Software Usage Traffic - Rule", "ESCU - Detect Remote Access Software Usage URL - Rule"] -description = Monitor for activities and techniques associated with insider threats and specifically focusing on malicious insiders operating with in a corporate environment. -narrative = Insider Threats are best defined by CISA: "Insider threat incidents are possible in any sector or organization. An insider threat is typically a current or former employee, third-party contractor, or business partner. In their present or former role, the person has or had access to an organization's network systems, data, or premises, and uses their access (sometimes unwittingly). To combat the insider threat, organizations can implement a proactive, prevention-focused mitigation program to detect and identify threats, assess risk, and manage that risk - before an incident occurs." An insider is any person who has or had authorized access to or knowledge of an organization's resources, including personnel, facilities, information, equipment, networks, and systems. These are the common insiders that create insider threats: Departing Employees, Security Evaders, Malicious Insiders, and Negligent Employees. This story aims at detecting the malicious insider. - -[analytic_story://Ivanti Connect Secure VPN Vulnerabilities] -category = Adversary Tactics -last_updated = 2024-01-16 -version = 1 -references = ["https://github.com/RootUp/PersonalStuff/blob/master/http-vuln-cve2023-46805_2024_21887.nse", "https://github.com/projectdiscovery/nuclei-templates/blob/c6b351e71b0fb0e40e222e97038f1fe09ac58194/http/misconfiguration/ivanti/CVE-2023-46085-CVE-2024-21887-mitigation-not-applied.yaml", "https://github.com/rapid7/metasploit-framework/pull/18708/files", "https://attackerkb.com/topics/AdUh6by52K/cve-2023-46805/rapid7-analysis", "https://labs.watchtowr.com/welcome-to-2024-the-sslvpn-chaos-continues-ivanti-cve-2023-46805-cve-2024-21887/", "https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/", "https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day", "https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint - Rule", "ESCU - Ivanti Connect Secure Command Injection Attempts - Rule", "ESCU - Ivanti Connect Secure SSRF in SAML Component - Rule", "ESCU - Ivanti Connect Secure System Information Access via Auth Bypass - Rule"] -description = The following analytic story addresses critical vulnerabilities CVE-2023-46805 and CVE-2024-21887 in Ivanti Connect Secure and Ivanti Policy Secure Gateways. CVE-2023-46805 is an authentication bypass vulnerability, while CVE-2024-21887 is a command injection flaw, both presenting significant risks in versions 9.x and 22.x. Combined, these vulnerabilities enable unauthenticated threat actors to execute arbitrary commands, compromising system integrity. Immediate mitigation is imperative, with patches scheduled for staggered release. Ivanti has provided interim mitigation steps, and it's crucial for customers to apply these measures to protect their systems against potential exploits. -narrative = Ivanti Connect Secure and Ivanti Policy Secure gateways face a severe security challenge with the discovery of CVE-2023-46805 and CVE-2024-21887. CVE-2023-46805 allows attackers to bypass authentication in critical web components of versions 9.x and 22.x. More alarmingly, when paired with CVE-2024-21887, a command injection vulnerability, it enables remote attackers to execute arbitrary commands without authentication. This combination poses a heightened threat, undermining the security of enterprise networks. Ivanti has mobilized resources to address these vulnerabilities, offering immediate mitigation advice and scheduling patch releases. Customers are urged to apply these mitigations without delay to safeguard their networks. - -[analytic_story://Ivanti EPMM Remote Unauthenticated Access] -category = Vulnerability -last_updated = 2023-08-08 -version = 2 -references = ["https://www.securityweek.com/second-ivanti-epmm-zero-day-vulnerability-exploited-in-targeted-attacks/", "https://www.cisa.gov/news-events/alerts/2023/07/28/ivanti-releases-security-updates-epmm-address-cve-2023-35081", "https://nvd.nist.gov/vuln/detail/CVE-2023-35078", "https://forums.ivanti.com/s/article/CVE-2023-35078-Remote-unauthenticated-API-access-vulnerability?language=en_US"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078 - Rule", "ESCU - Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082 - Rule"] -description = Ivanti, a leading technology company, has disclosed two critical zero-day vulnerabilities in its Endpoint Manager Mobile (EPMM) product, CVE-2023-35078 and CVE-2023-35081. A recent update concerning CVE-2023-35082, closely related to CVE-2023-35078, reveals its impact on more versions of Ivanti's software than initially believed. The former allows unauthenticated attackers to obtain sensitive data, modify servers, and access the API, potentially leading to data breaches or malicious system modifications. Meanwhile, CVE-2023-35081 lets authenticated administrators remotely write arbitrary files to the server. Both vulnerabilities have been exploited in targeted attacks against government ministries and could be used in conjunction. With the presence of PoC code for CVE-2023-35078, the risk of broader exploitation has increased. While initially leveraged in limited attacks, the exploitation is expected to rise, possibly involving state-sponsored actors. Organizations are urged to apply immediate patches and conduct regular system assessments to ensure security. -narrative = Ivantis Endpoint Manager Mobile (EPMM) product, formerly known as MobileIron Core and extensively utilized by IT teams to manage mobile devices, applications, and content, has been found to harbor several critical vulnerabilities. Specifically, CVE-2023-35078 allows remote unauthenticated attackers to access sensitive data and make changes to servers. This flaw has been leveraged in targeted attacks against Norwegian government ministries. In addition, CVE-2023-35081 permits an authenticated attacker with administrative privileges to remotely write arbitrary files to the server. \ -Recently, attention has shifted to CVE-2023-35082, which was initially believed to affect only MobileIron Core 11.2 and below. Subsequent investigations revealed its wider influence, affecting EPMM versions 11.10, 11.9, 11.8, and MobileIron Core 11.7 and earlier. This vulnerability facilitates unauthorized access to the API via the URI path /mifs/asfV3/api/v2/. \ -When combined, these vulnerabilities can be exploited to bypass administrative authentication and access control list (ACL) restrictions, leading to malicious file writing and potential OS command execution. Both have been actively exploited, possibly by state-sponsored actors, prompting urgent advisories from Ivanti and Rapid7, alongside CISA. Given the thousands of potentially vulnerable internet-exposed systems and the presence of PoC code for CVE-2023-35078, the risk of extensive exploitation escalates. The situation is further muddled by Ivanti's 2020 acquisition of MobileIron, which had its known issues. Collectively, these vulnerabilities present a significant risk to organizations utilizing Ivanti's EPMM, emphasizing the need for swift patching, vigilant monitoring, and timely application of fixes to counteract potential threats. - -[analytic_story://Ivanti Sentry Authentication Bypass CVE-2023-38035] -category = Adversary Tactics -last_updated = 2023-08-24 -version = 1 -references = ["https://github.com/horizon3ai/CVE-2023-38035/blob/main/CVE-2023-38035.py", "https://www.horizon3.ai/ivanti-sentry-authentication-bypass-cve-2023-38035-deep-dive/", "https://forums.ivanti.com/s/article/KB-API-Authentication-Bypass-on-Sentry-Administrator-Interface-CVE-2023-38035?language=en_US"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - Ivanti Sentry Authentication Bypass - Rule"] -description = A critical vulnerability, designated as CVE-2023-38035, has been identified in Ivanti Sentry (formerly MobileIron Sentry). It affects all supported versions, including 9.18, 9.17, and 9.16, as well as older versions. The vulnerability allows an unauthenticated attacker to access the System Manager Portal (typically hosted on port 8443) and make configuration changes, potentially executing OS commands as root. However, the risk is low for users who haven't exposed port 8443 online. This flaw is distinct from other Ivanti products. It's imperative for organizations to check for unrecognized HTTP requests to /services/* as a potential indicator of compromise. -narrative = CVE-2023-38035 presents a significant security risk in the Ivanti Sentry administration interface. The vulnerability was identified shortly after another notable vulnerability in Ivanti EPMM (CVE-2023-35078) was discovered being exploited in the wild. The current vulnerability allows a malicious actor, without requiring authentication, to access the System Manager Portal, typically hosted on port 8443. Upon successful exploitation, the attacker can make configuration alterations to both the Sentry system and its underlying OS. The potential damage is significant, enabling the attacker to execute commands on the system with root privileges. \ -While this vulnerability scored high on the CVSS scale, its risk is relatively mitigated for clients who have not exposed port 8443 to the internet. The primary exploitation vector is the System Manager Portal, an administrative interface for Sentry. \ -As of now, definitive indicators of compromise (IoCs) are elusive. However, any unexpected HTTP requests to the endpoint /services/* could be a red flag. It's worth noting that the exploited endpoint might not be the sole vulnerable point, suggesting other potential gateways for attackers. Ivanti Sentry's system doesn't provide a typical Unix shell, but in the event of a known system breach, the /var/log/tomcat2/ directory contains access logs that may reveal accessed endpoints. Additionally, web interface logs may provide insights into suspicious activities and should be monitored closely. - -[analytic_story://JBoss Vulnerability] -category = Vulnerability -last_updated = 2017-09-14 -version = 1 -references = ["http://www.deependresearch.org/2016/04/jboss-exploits-view-from-victim.html"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Bhavin Patel"}] -spec_version = 3 -searches = ["ESCU - Detect attackers scanning for vulnerable JBoss servers - Rule", "ESCU - Detect malicious requests to exploit JBoss servers - Rule", "ESCU - Get Notable History - Response Task"] -description = In March of 2016, adversaries were seen using JexBoss--an open-source utility used for testing and exploiting JBoss application servers. These searches help detect evidence of these attacks, such as network connections to external resources or web services spawning atypical child processes, among others. -narrative = This Analytic Story looks for probing and exploitation attempts targeting JBoss application servers. While the vulnerabilities associated with this story are rather dated, they were leveraged in a spring 2016 campaign in connection with the Samsam ransomware variant. Incidents involving this ransomware are unique, in that they begin with attacks against vulnerable services, rather than the phishing or drive-by attacks more common with ransomware. In this case, vulnerable JBoss applications appear to be the target of choice. \ -It is helpful to understand how often a notable event generated by this story occurs, as well as the commonalities between some of these events, both of which may provide clues about whether this is a common occurrence of minimal concern or a rare event that may require more extensive investigation. It may also help to understand whether the issue is restricted to a single user/system or whether it is broader in scope. \ -When looking at the target of the behavior uncovered by the event, you should note the sensitivity of the user and or/system to help determine the potential impact. It is also helpful to identify other recent events involving the target. This can help tie different events together and give further situational awareness regarding the target host. \ -Various types of information for external systems should be reviewed and, potentially, collected if the incident is, indeed, judged to be malicious. This data may be useful for generating your own threat intelligence, so you can create future alerts. \ -The following factors may assist you in determining whether the event is malicious: \ -1. Country of origin \ -1. Responsible party \ -1. Fully qualified domain names associated with the external IP address \ -1. Registration of fully qualified domain names associated with external IP address Determining whether it is a dynamic domain frequently visited by others and/or how third parties categorize it can also help you qualify and understand the event and possible motivation for the attack. In addition, there are various sources that may provide reputation information on the IP address or domain name, which can assist you in determining whether the event is malicious in nature. Finally, determining whether there are other events associated with the IP address may help connect data points or expose other historic events that might be brought back into scope. \ -Gathering various data on the system of interest can sometimes help quickly determine whether something suspicious is happening. Some of these items include determining who else may have logged into the system recently, whether any unusual scheduled tasks exist, whether the system is communicating on suspicious ports, whether there are modifications to sensitive registry keys, and/or whether there are any known vulnerabilities on the system. This information can often highlight other activity commonly seen in attack scenarios or give more information about how the system may have been targeted. \ -hen a specific service or application is targeted, it is often helpful to know the associated version, to help determine whether it is vulnerable to a specific exploit. \ -If you suspect an attack targeting a web server, it is helpful to look at some of the behavior of the web service to see if there is evidence that the service has been compromised. Some indications of this might be network connections to external resources, the web service spawning child processes that are not associated with typical behavior, and whether the service wrote any files that might be malicious in nature. \ -If a suspicious file is found, we can review more information about it to help determine if it is, in fact, malicious. Identifying the file type, any processes that opened the file, the processes that may have created and/or modified the file, and how many other systems potentially have this file can you determine whether the file is malicious. Also, determining the file hash and checking it against reputation sources, such as VirusTotal, can sometimes help you quickly determine if it is malicious in nature. \ -Often, a simple inspection of a suspect process name and path can tell you if the system has been compromised. For example, if svchost.exe is found running from a location other than `C:\Windows\System32`, it is likely something malicious designed to hide in plain sight when simply reviewing process names. \ -It can also be helpful to examine various behaviors of and the parent of the process of interest. For example, if it turns out the process of interest is malicious, it would be good to see whether the parent process spawned other processes that might also warrant further scrutiny. If a process is suspect, a review of the network connections made around the time of the event and noting whether the process has spawned any child processes could be helpful in determining whether it is malicious or executing a malicious script. - -[analytic_story://Jenkins Server Vulnerabilities] -category = Adversary Tactics -last_updated = 2024-01-29 -version = 1 -references = ["https://www.jenkins.io/security/advisory/2024-01-24/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - Jenkins Arbitrary File Read CVE-2024-23897 - Rule"] -description = This analytic story provides a comprehensive view of Jenkins server vulnerabilities and associated detection analytics. -narrative = The following analytic story provides a comprehensive view of Jenkins server vulnerabilities and associated detection analytics. Jenkins is a popular open-source automation server that is used to automate tasks associated with building, testing, and deploying software. Jenkins is often used in DevOps environments and is a critical component of the software development lifecycle. As a result, Jenkins servers are often targeted by adversaries to gain access to sensitive information, credentials, and other critical assets. This analytic story provides a comprehensive view of Jenkins server vulnerabilities and associated detection analytics. - -[analytic_story://JetBrains TeamCity Unauthenticated RCE] -category = Adversary Tactics -last_updated = 2023-10-01 -version = 1 -references = ["https://blog.jetbrains.com/teamcity/2023/09/critical-security-issue-affecting-teamcity-on-premises-update-to-2023-05-4-now/", "https://www.sonarsource.com/blog/teamcity-vulnerability/", "https://github.com/rapid7/metasploit-framework/pull/18408", "https://attackerkb.com/topics/1XEEEkGHzt/cve-2023-42793/rapid7-analysis"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - JetBrains TeamCity RCE Attempt - Rule"] -description = A critical security vulnerability, CVE-2023-42793, has been discovered affecting all versions of TeamCity On-Premises up to 2023.05.3. This vulnerability allows unauthenticated attackers to execute remote code and gain administrative control of the TeamCity server, posing a significant risk for supply chain attacks. Although the issue has been fixed in version 2023.05.4, servers running older versions remain at risk. A security patch plugin has been released for immediate mitigation, applicable to TeamCity versions 8.0 and above. Organizations are strongly advised to update to the fixed version or apply the security patch, especially if their TeamCity server is publicly accessible. No impact has been reported on TeamCity Cloud as it has been upgraded to the secure version. -narrative = The CVE-2023-42793 vulnerability in TeamCity On-Premises allows an unauthenticated attacker to bypass authentication and gain administrative access through Remote Code Execution (RCE). Specifically, the attacker can send a malicious POST request to /app/rest/users/id:1/tokens/RPC2 to create an administrative token. Once the token is obtained, the attacker has the ability to perform various unauthorized activities, including creating new admin users and executing arbitrary shell commands on the server. For Splunk Security Content, the focus should be on identifying suspicious POST requests to /app/rest/users/id:1/tokens/RPC2 and other affected API endpoints, as this is the initial point of exploitation. Monitoring logs for changes to the internal.properties file or the creation of new admin users could also provide crucial indicators of compromise. Furthermore, Splunk can be configured to alert on multiple failed login attempts followed by a successful login from the same IP, which could indicate exploitation attempts. - -[analytic_story://JetBrains TeamCity Vulnerabilities] -category = Adversary Tactics -last_updated = 2024-03-04 -version = 1 -references = ["https://www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/", "https://blog.jetbrains.com/teamcity/2024/03/teamcity-2023-11-4-is-out/", "https://blog.jetbrains.com/teamcity/2024/03/additional-critical-security-issues-affecting-teamcity-on-premises-cve-2024-27198-and-cve-2024-27199-update-to-2023-11-4-now/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - JetBrains TeamCity Authentication Bypass CVE-2024-27198 - Rule", "ESCU - JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198 - Rule", "ESCU - JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199 - Rule", "ESCU - JetBrains TeamCity RCE Attempt - Rule"] -description = This story provides a high-level overview of JetBrains TeamCity vulnerabilities and how to detect and respond to them using Splunk. -narrative = JetBrains TeamCity is a continuous integration and deployment server that allows developers to automate the process of building, testing, and deploying code. It is a popular tool used by many organizations to streamline their development and deployment processes. However, like any software, JetBrains TeamCity is not immune to vulnerabilities. - -[analytic_story://Juniper JunOS Remote Code Execution] -category = Adversary Tactics -last_updated = 2023-08-29 -version = 1 -references = ["https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution?language=en_US", "https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-36844.yaml", "https://thehackernews.com/2023/08/new-juniper-junos-os-flaws-expose.html", "https://github.com/watchtowrlabs/juniper-rce_cve-2023-36844", "https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - Juniper Networks Remote Code Execution Exploit Detection - Rule"] -description = Juniper Networks has resolved multiple critical vulnerabilities in the J-Web component of Junos OS on SRX and EX Series devices. These vulnerabilities, when chained together, could allow an unauthenticated, network-based attacker to remotely execute code on the devices. The vulnerabilities affect all versions of Junos OS on SRX and EX Series, but specific fixes have been released to address each vulnerability. Juniper Networks recommends applying the necessary fixes to mitigate potential remote code execution threats. As a workaround, users can disable J-Web or limit access to only trusted hosts. Proof-of-concept (PoC) exploit code has been released, demonstrating the severity of these flaws and the urgency to apply the fixes. -narrative = Juniper Networks, a networking hardware company, has released an "out-of-cycle" security update to address multiple flaws in the J-Web component of Junos OS that could be combined to achieve remote code execution on susceptible installations. The flaws have a cumulative CVSS rating of 9.8, making them critical in severity. They affect all versions of Junos OS on SRX and EX Series. The J-Web interface allows users to configure, manage, and monitor Junos OS devices. The vulnerabilities include two PHP external variable modification vulnerabilities (CVE-2023-36844 and CVE-2023-36845) and two missing authentications for critical function vulnerabilities (CVE-2023-36846 and CVE-2023-36847). These vulnerabilities could allow an unauthenticated, network-based attacker to control certain important environment variables, cause limited impact to the file system integrity, or upload arbitrary files via J-Web without any authentication. \ -The vulnerabilities have been addressed in specific Junos OS versions for EX Series and SRX Series devices. Users are recommended to apply the necessary fixes to mitigate potential remote code execution threats. As a workaround, Juniper Networks suggests disabling J-Web or limiting access to only trusted hosts. \ -Additionally, a PoC exploit has been released by watchTowr, combining CVE-2023-36846 and CVE-2023-36845 to upload a PHP file containing malicious shellcode and achieve code execution by injecting the PHPRC environment variable to point to a configuration file to load the booby-trapped PHP script. WatchTowr noted that this is an interesting bug chain, utilizing two bugs that would be near-useless in isolation and combining them for a "world-ending" unauthenticated remote code execution. \ -In conclusion, these vulnerabilities pose a significant threat to Juniper SRX and EX Series devices, and it is imperative for users to apply the necessary fixes or implement the recommended workaround to mitigate the potential impact. - -[analytic_story://Kubernetes Scanning Activity] -category = Cloud Security -last_updated = 2020-04-15 -version = 1 -references = ["https://github.com/splunk/cloud-datamodel-security-research"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Rod Soto"}] -spec_version = 3 -searches = ["ESCU - Amazon EKS Kubernetes cluster scan detection - Rule", "ESCU - Amazon EKS Kubernetes Pod scan detection - Rule", "ESCU - GCP Kubernetes cluster pod scan detection - Rule", "ESCU - GCP Kubernetes cluster scan detection - Rule", "ESCU - Kubernetes Azure pod scan fingerprint - Rule", "ESCU - Kubernetes Azure scan fingerprint - Rule", "ESCU - Amazon EKS Kubernetes activity by src ip - Response Task", "ESCU - GCP Kubernetes activity by src ip - Response Task", "ESCU - Get Notable History - Response Task"] -description = This story addresses detection against Kubernetes cluster fingerprint scan and attack by providing information on items such as source ip, user agent, cluster names. -narrative = Kubernetes is the most used container orchestration platform, this orchestration platform contains sensitve information and management priviledges of production workloads, microservices and applications. These searches allow operator to detect suspicious unauthenticated requests from the internet to kubernetes cluster. - -[analytic_story://Kubernetes Security] -category = Cloud Security -last_updated = 2023-12-06 -version = 1 -references = ["https://kubernetes.io/docs/concepts/security/"] -maintainers = [{"company": "no", "email": "-", "name": "Patrick Bareiss"}] -spec_version = 3 -searches = ["ESCU - Kubernetes Abuse of Secret by Unusual Location - Rule", "ESCU - Kubernetes Abuse of Secret by Unusual User Agent - Rule", "ESCU - Kubernetes Abuse of Secret by Unusual User Group - Rule", "ESCU - Kubernetes Abuse of Secret by Unusual User Name - Rule", "ESCU - Kubernetes Access Scanning - Rule", "ESCU - Kubernetes AWS detect suspicious kubectl calls - Rule", "ESCU - Kubernetes Create or Update Privileged Pod - Rule", "ESCU - Kubernetes Cron Job Creation - Rule", "ESCU - Kubernetes DaemonSet Deployed - Rule", "ESCU - Kubernetes Falco Shell Spawned - Rule", "ESCU - Kubernetes Node Port Creation - Rule", "ESCU - Kubernetes Pod Created in Default Namespace - Rule", "ESCU - Kubernetes Pod With Host Network Attachment - Rule", "ESCU - Kubernetes Scanning by Unauthenticated IP Address - Rule", "ESCU - Kubernetes Suspicious Image Pulling - Rule", "ESCU - Kubernetes Unauthorized Access - Rule"] -description = Kubernetes, as a container orchestration platform, faces unique security challenges. This story explores various tactics and techniques adversaries use to exploit Kubernetes environments, including attacking the control plane, exploiting misconfigurations, and compromising containerized applications. -narrative = Kubernetes, a widely used container orchestration system, presents a complex environment that can be targeted by adversaries. Key areas of concern include the control plane, worker nodes, and network communication. Attackers may attempt to exploit vulnerabilities in the Kubernetes API, misconfigured containers, or insecure network policies. The control plane, responsible for managing cluster operations, is a prime target. Compromising this can give attackers control over the entire cluster. Worker nodes, running the containerized applications, can be targeted to disrupt services or to gain access to sensitive data. Common attack vectors include exploiting vulnerabilities in container images, misconfigured role-based access controls (RBAC), exposed Kubernetes dashboards, and insecure network configurations. Attackers can also target the supply chain, injecting malicious code into container images or Helm charts. To mitigate these threats, it is essential to enforce robust security practices such as regular vulnerability scanning, implementing least privilege access, securing the control plane, network segmentation, and continuous monitoring for suspicious activities. Tools like Kubernetes Network Policies, Pod Security Policies, and third-party security solutions can provide additional layers of defense. - -[analytic_story://Kubernetes Sensitive Object Access Activity] -category = Cloud Security -last_updated = 2020-05-20 -version = 1 -references = ["https://www.splunk.com/en_us/blog/security/approaching-kubernetes-security-detecting-kubernetes-scan-with-splunk.html"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Rod Soto"}] -spec_version = 3 -searches = ["ESCU - AWS EKS Kubernetes cluster sensitive object access - Rule", "ESCU - Kubernetes AWS detect service accounts forbidden failure access - Rule", "ESCU - Kubernetes Azure detect sensitive object access - Rule", "ESCU - Kubernetes Azure detect service accounts forbidden failure access - Rule", "ESCU - Kubernetes Azure detect suspicious kubectl calls - Rule", "ESCU - Kubernetes GCP detect sensitive object access - Rule", "ESCU - Kubernetes GCP detect service accounts forbidden failure access - Rule", "ESCU - Kubernetes GCP detect suspicious kubectl calls - Rule", "ESCU - Get Notable History - Response Task"] -description = This story addresses detection and response of accounts acccesing Kubernetes cluster sensitive objects such as configmaps or secrets providing information on items such as user user, group. object, namespace and authorization reason. -narrative = Kubernetes is the most used container orchestration platform, this orchestration platform contains sensitive objects within its architecture, specifically configmaps and secrets, if accessed by an attacker can lead to further compromise. These searches allow operator to detect suspicious requests against Kubernetes sensitive objects. - -[analytic_story://Linux Living Off The Land] -category = Adversary Tactics -last_updated = 2022-07-27 -version = 1 -references = ["https://gtfobins.github.io/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - Curl Download and Bash Execution - Rule", "ESCU - Linux Add Files In Known Crontab Directories - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux apt-get Privilege Escalation - Rule", "ESCU - Linux APT Privilege Escalation - Rule", "ESCU - Linux At Allow Config File Creation - Rule", "ESCU - Linux At Application Execution - Rule", "ESCU - Linux AWK Privilege Escalation - Rule", "ESCU - Linux Busybox Privilege Escalation - Rule", "ESCU - Linux c89 Privilege Escalation - Rule", "ESCU - Linux c99 Privilege Escalation - Rule", "ESCU - Linux Change File Owner To Root - Rule", "ESCU - Linux Clipboard Data Copy - Rule", "ESCU - Linux Common Process For Elevation Control - Rule", "ESCU - Linux Composer Privilege Escalation - Rule", "ESCU - Linux Cpulimit Privilege Escalation - Rule", "ESCU - Linux Csvtool Privilege Escalation - Rule", "ESCU - Linux Curl Upload File - Rule", "ESCU - Linux Decode Base64 to Shell - Rule", "ESCU - Linux Docker Privilege Escalation - Rule", "ESCU - Linux Edit Cron Table Parameter - Rule", "ESCU - Linux Emacs Privilege Escalation - Rule", "ESCU - Linux Find Privilege Escalation - Rule", "ESCU - Linux GDB Privilege Escalation - Rule", "ESCU - Linux Gem Privilege Escalation - Rule", "ESCU - Linux GNU Awk Privilege Escalation - Rule", "ESCU - Linux Ingress Tool Transfer Hunting - Rule", "ESCU - Linux Ingress Tool Transfer with Curl - Rule", "ESCU - Linux Make Privilege Escalation - Rule", "ESCU - Linux MySQL Privilege Escalation - Rule", "ESCU - Linux Node Privilege Escalation - Rule", "ESCU - Linux Obfuscated Files or Information Base64 Decode - Rule", "ESCU - Linux Octave Privilege Escalation - Rule", "ESCU - Linux OpenVPN Privilege Escalation - Rule", "ESCU - Linux PHP Privilege Escalation - Rule", "ESCU - Linux pkexec Privilege Escalation - Rule", "ESCU - Linux Possible Access Or Modification Of sshd Config File - Rule", "ESCU - Linux Possible Append Cronjob Entry on Existing Cronjob File - Rule", "ESCU - Linux Possible Cronjob Modification With Editor - Rule", "ESCU - Linux Possible Ssh Key File Creation - Rule", "ESCU - Linux Proxy Socks Curl - Rule", "ESCU - Linux Puppet Privilege Escalation - Rule", "ESCU - Linux RPM Privilege Escalation - Rule", "ESCU - Linux Ruby Privilege Escalation - Rule", "ESCU - Linux Service File Created In Systemd Directory - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Service Started Or Enabled - Rule", "ESCU - Linux Setuid Using Chmod Utility - Rule", "ESCU - Linux Sqlite3 Privilege Escalation - Rule", "ESCU - Linux SSH Authorized Keys Modification - Rule", "ESCU - Linux SSH Remote Services Script Execute - Rule", "ESCU - Suspicious Curl Network Connection - Rule"] -description = Linux Living Off The Land consists of binaries that may be used to bypass local security restrictions within misconfigured systems. -narrative = Similar to Windows LOLBAS project, the GTFOBins project focuses solely on Unix binaries that may be abused in multiple categories including Reverse Shell, File Upload, File Download and much more. These binaries are native to the operating system and the functionality is typically native. The behaviors are typically not malicious by default or vulnerable, but these are built in functionality of the applications. When reviewing any notables or hunting through mountains of events of interest, it's important to identify the binary, review command-line arguments, path of file, and capture any network and file modifications. Linux analysis may be a bit cumbersome due to volume and how process behavior is seen in EDR products. Piecing it together will require some effort. - -[analytic_story://Linux Persistence Techniques] -category = Adversary Tactics -last_updated = 2021-12-17 -version = 1 -references = ["https://attack.mitre.org/techniques/T1053/", "https://kifarunix.com/scheduling-tasks-using-at-command-in-linux/", "https://gtfobins.github.io/gtfobins/at/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Teoderick Contreras"}] -spec_version = 3 -searches = ["ESCU - Linux Add Files In Known Crontab Directories - Rule", "ESCU - Linux Add User Account - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux At Allow Config File Creation - Rule", "ESCU - Linux At Application Execution - Rule", "ESCU - Linux Change File Owner To Root - Rule", "ESCU - Linux Common Process For Elevation Control - Rule", "ESCU - Linux Doas Conf File Creation - Rule", "ESCU - Linux Doas Tool Execution - Rule", "ESCU - Linux Edit Cron Table Parameter - Rule", "ESCU - Linux File Created In Kernel Driver Directory - Rule", "ESCU - Linux File Creation In Init Boot Directory - Rule", "ESCU - Linux File Creation In Profile Directory - Rule", "ESCU - Linux Insert Kernel Module Using Insmod Utility - Rule", "ESCU - Linux Install Kernel Module Using Modprobe Utility - Rule", "ESCU - Linux NOPASSWD Entry In Sudoers File - Rule", "ESCU - Linux Persistence and Privilege Escalation Risk Behavior - Rule", "ESCU - Linux Possible Access Or Modification Of sshd Config File - Rule", "ESCU - Linux Possible Access To Credential Files - Rule", "ESCU - Linux Possible Access To Sudoers File - Rule", "ESCU - Linux Possible Append Command To At Allow Config File - Rule", "ESCU - Linux Possible Append Command To Profile Config File - Rule", "ESCU - Linux Possible Append Cronjob Entry on Existing Cronjob File - Rule", "ESCU - Linux Possible Cronjob Modification With Editor - Rule", "ESCU - Linux Possible Ssh Key File Creation - Rule", "ESCU - Linux Preload Hijack Library Calls - Rule", "ESCU - Linux Service File Created In Systemd Directory - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Service Started Or Enabled - Rule", "ESCU - Linux Setuid Using Chmod Utility - Rule", "ESCU - Linux Setuid Using Setcap Utility - Rule", "ESCU - Linux Shred Overwrite Command - Rule", "ESCU - Linux Sudo OR Su Execution - Rule", "ESCU - Linux Sudoers Tmp File Creation - Rule", "ESCU - Linux Visudo Utility Execution - Rule"] -description = Monitor for activities and techniques associated with maintaining persistence on a Linux system--a sign that an adversary may have compromised your environment. -narrative = Maintaining persistence is one of the first steps taken by attackers after the initial compromise. Attackers leverage various custom and built-in tools to ensure survivability and persistent access within a compromised enterprise. This Analytic Story provides searches to help you identify various behaviors used by attackers to maintain persistent access to a Linux environment. - -[analytic_story://Linux Post-Exploitation] -category = Adversary Tactics -last_updated = 2021-12-03 -version = 1 -references = ["https://attack.mitre.org/matrices/enterprise/linux/"] -maintainers = [{"company": "no", "email": "-", "name": "Rod Soto"}] -spec_version = 3 -searches = ["ESCU - Suspicious Linux Discovery Commands - Rule"] -description = This analytic story identifies popular Linux post exploitation tools such as autoSUID, LinEnum, LinPEAS, Linux Exploit Suggesters, MimiPenguin. -narrative = These tools allow operators find possible exploits or paths for privilege escalation based on SUID binaries, user permissions, kernel version and distro version. - -[analytic_story://Linux Privilege Escalation] -category = Adversary Tactics -last_updated = 2021-12-17 -version = 1 -references = ["https://attack.mitre.org/tactics/TA0004/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Teoderick Contreras"}] -spec_version = 3 -searches = ["ESCU - Linux Add Files In Known Crontab Directories - Rule", "ESCU - Linux Add User Account - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux apt-get Privilege Escalation - Rule", "ESCU - Linux APT Privilege Escalation - Rule", "ESCU - Linux At Allow Config File Creation - Rule", "ESCU - Linux At Application Execution - Rule", "ESCU - Linux AWK Privilege Escalation - Rule", "ESCU - Linux Busybox Privilege Escalation - Rule", "ESCU - Linux c89 Privilege Escalation - Rule", "ESCU - Linux c99 Privilege Escalation - Rule", "ESCU - Linux Change File Owner To Root - Rule", "ESCU - Linux Common Process For Elevation Control - Rule", "ESCU - Linux Composer Privilege Escalation - Rule", "ESCU - Linux Cpulimit Privilege Escalation - Rule", "ESCU - Linux Csvtool Privilege Escalation - Rule", "ESCU - Linux Doas Conf File Creation - Rule", "ESCU - Linux Doas Tool Execution - Rule", "ESCU - Linux Docker Privilege Escalation - Rule", "ESCU - Linux Edit Cron Table Parameter - Rule", "ESCU - Linux Emacs Privilege Escalation - Rule", "ESCU - Linux File Created In Kernel Driver Directory - Rule", "ESCU - Linux File Creation In Init Boot Directory - Rule", "ESCU - Linux File Creation In Profile Directory - Rule", "ESCU - Linux Find Privilege Escalation - Rule", "ESCU - Linux GDB Privilege Escalation - Rule", "ESCU - Linux Gem Privilege Escalation - Rule", "ESCU - Linux GNU Awk Privilege Escalation - Rule", "ESCU - Linux Insert Kernel Module Using Insmod Utility - Rule", "ESCU - Linux Install Kernel Module Using Modprobe Utility - Rule", "ESCU - Linux Make Privilege Escalation - Rule", "ESCU - Linux MySQL Privilege Escalation - Rule", "ESCU - Linux Node Privilege Escalation - Rule", "ESCU - Linux NOPASSWD Entry In Sudoers File - Rule", "ESCU - Linux Octave Privilege Escalation - Rule", "ESCU - Linux OpenVPN Privilege Escalation - Rule", "ESCU - Linux Persistence and Privilege Escalation Risk Behavior - Rule", "ESCU - Linux PHP Privilege Escalation - Rule", "ESCU - Linux pkexec Privilege Escalation - Rule", "ESCU - Linux Possible Access Or Modification Of sshd Config File - Rule", "ESCU - Linux Possible Access To Credential Files - Rule", "ESCU - Linux Possible Access To Sudoers File - Rule", "ESCU - Linux Possible Append Command To At Allow Config File - Rule", "ESCU - Linux Possible Append Command To Profile Config File - Rule", "ESCU - Linux Possible Append Cronjob Entry on Existing Cronjob File - Rule", "ESCU - Linux Possible Cronjob Modification With Editor - Rule", "ESCU - Linux Possible Ssh Key File Creation - Rule", "ESCU - Linux Preload Hijack Library Calls - Rule", "ESCU - Linux Puppet Privilege Escalation - Rule", "ESCU - Linux RPM Privilege Escalation - Rule", "ESCU - Linux Ruby Privilege Escalation - Rule", "ESCU - Linux Service File Created In Systemd Directory - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Service Started Or Enabled - Rule", "ESCU - Linux Setuid Using Chmod Utility - Rule", "ESCU - Linux Setuid Using Setcap Utility - Rule", "ESCU - Linux Shred Overwrite Command - Rule", "ESCU - Linux Sqlite3 Privilege Escalation - Rule", "ESCU - Linux Sudo OR Su Execution - Rule", "ESCU - Linux Sudoers Tmp File Creation - Rule", "ESCU - Linux Visudo Utility Execution - Rule"] -description = Monitor for and investigate activities that may be associated with a Linux privilege-escalation attack, including unusual processes running on endpoints, schedule task, services, setuid, root execution and more. -narrative = Privilege escalation is a "land-and-expand" technique, wherein an adversary gains an initial foothold on a host and then exploits its weaknesses to increase his privileges. The motivation is simple: certain actions on a Linux machine--such as installing software--may require higher-level privileges than those the attacker initially acquired. By increasing his privilege level, the attacker can gain the control required to carry out his malicious ends. This Analytic Story provides searches to detect and investigate behaviors that attackers may use to elevate their privileges in your environment. - -[analytic_story://Linux Rootkit] -category = Adversary Tactics -last_updated = 2022-07-27 -version = 1 -references = ["https://attack.mitre.org/techniques/T1014/", "https://content.fireeye.com/apt-41/rpt-apt41", "https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - Linux File Created In Kernel Driver Directory - Rule", "ESCU - Linux Insert Kernel Module Using Insmod Utility - Rule", "ESCU - Linux Install Kernel Module Using Modprobe Utility - Rule", "ESCU - Linux Kernel Module Enumeration - Rule"] -description = Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. -narrative = Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor, Master Boot Record, or System Firmware. Rootkits have been seen for Windows, Linux, and Mac OS X systems. Linux rootkits may not standout as much as a Windows rootkit, therefore understanding what kernel modules are installed today and monitoring for new is important. As with any rootkit, it may blend in using a common kernel name or variation of legitimate names. - -[analytic_story://Living Off The Land] -category = Adversary Tactics -last_updated = 2022-03-16 -version = 2 -references = ["https://lolbas-project.github.io/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Lou Stella"}] -spec_version = 3 -searches = ["ESCU - Windows DLL Search Order Hijacking Hunt - Rule", "ESCU - BITS Job Persistence - Rule", "ESCU - BITSAdmin Download File - Rule", "ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - CertUtil Download With VerifyCtl and Split Arguments - Rule", "ESCU - Certutil exe certificate extraction - Rule", "ESCU - CertUtil With Decode Argument - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Control Loading from World Writable Directory - Rule", "ESCU - Creation of Shadow Copy with wmic and powershell - Rule", "ESCU - Detect HTML Help Renamed - Rule", "ESCU - Detect HTML Help Spawn Child Process - Rule", "ESCU - Detect HTML Help URL in Command Line - Rule", "ESCU - Detect HTML Help Using InfoTech Storage Handlers - Rule", "ESCU - Detect mshta inline hta execution - Rule", "ESCU - Detect mshta renamed - Rule", "ESCU - Detect MSHTA Url in Command Line - Rule", "ESCU - Detect Regasm Spawning a Process - Rule", "ESCU - Detect Regasm with Network Connection - Rule", "ESCU - Detect Regasm with no Command Line Arguments - Rule", "ESCU - Detect Regsvcs Spawning a Process - Rule", "ESCU - Detect Regsvcs with Network Connection - Rule", "ESCU - Detect Regsvcs with No Command Line Arguments - Rule", "ESCU - Detect Regsvr32 Application Control Bypass - Rule", "ESCU - Detect Rundll32 Application Control Bypass - advpack - Rule", "ESCU - Detect Rundll32 Application Control Bypass - setupapi - Rule", "ESCU - Detect Rundll32 Application Control Bypass - syssetup - Rule", "ESCU - Detect Rundll32 Inline HTA Execution - Rule", "ESCU - Disable Schedule Task - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Esentutl SAM Copy - Rule", "ESCU - Eventvwr UAC Bypass - Rule", "ESCU - Living Off The Land Detection - Rule", "ESCU - LOLBAS With Network Traffic - Rule", "ESCU - MacOS LOLbin - Rule", "ESCU - MacOS plutil - Rule", "ESCU - Mmc LOLBAS Execution Process Spawn - Rule", "ESCU - Mshta spawning Rundll32 OR Regsvr32 Process - Rule", "ESCU - Ntdsutil Export NTDS - Rule", "ESCU - Reg exe Manipulating Windows Services Registry Keys - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Remote WMI Command Attempt - Rule", "ESCU - Rundll32 Control RunDLL Hunt - Rule", "ESCU - Rundll32 Control RunDLL World Writable Directory - Rule", "ESCU - Rundll32 Create Remote Thread To A Process - Rule", "ESCU - Rundll32 CreateRemoteThread In Browser - Rule", "ESCU - Rundll32 DNSQuery - Rule", "ESCU - Rundll32 Process Creating Exe Dll Files - Rule", "ESCU - Rundll32 Shimcache Flush - Rule", "ESCU - RunDLL Loading DLL By Ordinal - Rule", "ESCU - Schedule Task with HTTP Command Arguments - Rule", "ESCU - Schedule Task with Rundll32 Command Trigger - Rule", "ESCU - Scheduled Task Creation on Remote Endpoint using At - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Scheduled Task Initiation on Remote Endpoint - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Services LOLBAS Execution Process Spawn - Rule", "ESCU - Suspicious IcedID Rundll32 Cmdline - Rule", "ESCU - Suspicious microsoft workflow compiler rename - Rule", "ESCU - Suspicious microsoft workflow compiler usage - Rule", "ESCU - Suspicious msbuild path - Rule", "ESCU - Suspicious MSBuild Rename - Rule", "ESCU - Suspicious MSBuild Spawn - Rule", "ESCU - Suspicious mshta child process - Rule", "ESCU - Suspicious mshta spawn - Rule", "ESCU - Suspicious Regsvr32 Register Suspicious Path - Rule", "ESCU - Suspicious Rundll32 dllregisterserver - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Svchost LOLBAS Execution Process Spawn - Rule", "ESCU - Windows Binary Proxy Execution Mavinject DLL Injection - Rule", "ESCU - Windows COM Hijacking InprocServer32 Modification - Rule", "ESCU - Windows Diskshadow Proxy Execution - Rule", "ESCU - Windows DLL Search Order Hijacking Hunt with Sysmon - Rule", "ESCU - Windows DLL Search Order Hijacking with iscsicpl - Rule", "ESCU - Windows Identify Protocol Handlers - Rule", "ESCU - Windows Indirect Command Execution Via forfiles - Rule", "ESCU - Windows Indirect Command Execution Via pcalua - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows InstallUtil Remote Network Connection - Rule", "ESCU - Windows InstallUtil Uninstall Option - Rule", "ESCU - Windows InstallUtil Uninstall Option with Network - Rule", "ESCU - Windows InstallUtil URL in Command Line - Rule", "ESCU - Windows Known Abused DLL Created - Rule", "ESCU - Windows MOF Event Triggered Execution via WMI - Rule", "ESCU - Windows Odbcconf Hunting - Rule", "ESCU - Windows Odbcconf Load DLL - Rule", "ESCU - Windows Odbcconf Load Response File - Rule", "ESCU - Windows System Binary Proxy Execution Compiled HTML File Decompile - Rule", "ESCU - Windows System Script Proxy Execution Syncappvpublishingserver - Rule", "ESCU - Windows UAC Bypass Suspicious Child Process - Rule", "ESCU - Windows UAC Bypass Suspicious Escalation Behavior - Rule", "ESCU - WSReset UAC Bypass - Rule"] -description = Leverage analytics that allow you to identify the presence of an adversary leveraging native applications within your environment. -narrative = Living Off The Land refers to an adversary methodology of using native applications already installed on the target operating system to achieve their objective. Native utilities provide the adversary with reduced chances of detection by antivirus software or EDR tools. This allows the adversary to blend in with native process behavior. - -[analytic_story://Local Privilege Escalation With KrbRelayUp] -category = Privilege Escalation -last_updated = 2022-04-28 -version = 1 -references = ["https://github.com/Dec0ne/KrbRelayUp", "https://gist.github.com/tothi/bf6c59d6de5d0c9710f23dae5750c4b9", "https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html", "https://dirkjanm.io/relaying-kerberos-over-dns-with-krbrelayx-and-mitm6/", "https://github.com/cube0x0/KrbRelay"] -maintainers = [{"company": "Mauricio Velazco, Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - Windows Computer Account Created by Computer Account - Rule", "ESCU - Windows Computer Account Requesting Kerberos Ticket - Rule", "ESCU - Windows Computer Account With SPN - Rule", "ESCU - Windows Kerberos Local Successful Logon - Rule", "ESCU - Windows KrbRelayUp Service Creation - Rule"] -description = KrbRelayUp is a tool that allows local privilege escalation from low-priviliged domain user to local system on domain-joined computers. -narrative = In October 2021, James Forshaw from Googles Project Zero released a research blog post titled `Using Kerberos for Authentication Relay Attacks`. This research introduced, for the first time, ways to make Windows authenticate to a different Service Principal Name (SPN) than what would normally be derived from the hostname the client is connecting to. This effectively proved that relaying Kerberos authentication is possible\\. In April 2022, security researcher Mor Davidovich released a tool named KrbRelayUp which implements Kerberos relaying as well as other known Kerberos techniques with the goal of escalating privileges from a low-privileged domain user on a domain-joined device and obtain a SYSTEM shell. - -[analytic_story://LockBit Ransomware] -category = Malware -last_updated = 2023-01-16 -version = 1 -references = ["https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html", "https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/", "https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom", "https://www.trendmicro.com/en_us/research/22/g/lockbit-ransomware-group-augments-its-latest-variant--lockbit-3-.html"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Teoderick Contreras"}] -spec_version = 3 -searches = ["ESCU - CMLUA Or CMSTPLUA UAC Bypass - Rule", "ESCU - Cobalt Strike Named Pipes - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Fsutil Zeroing File - Rule", "ESCU - High Process Termination Frequency - Rule", "ESCU - Known Services Killed by Ransomware - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - Ransomware Notes bulk creation - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - UAC Bypass With Colorui COM Object - Rule", "ESCU - Wbemprox COM Object Execution - Rule", "ESCU - Windows Modify Registry Default Icon Setting - Rule"] -description = Leverage searches that allow you to detect and investigate unusual activities that might relate to the LockBit ransomware, including looking for file writes (file encryption and ransomware notes), deleting services, terminating processes, registry key modification and more. -narrative = LockBit ransomware was first seen in 2019. This ransomware was used by cybercriminal in targeting multiple sectors and organizations. Lockbit is one of the ransomware being offered as a Ransomware-as-a-Service(RaaS) and also known to affiliates to implement the 'double extortion' techniques by uploading the stolen and sensitive victim information to their dark website and then threatening to sell/release it in public if their demands are not met. LockBit Ransomware advertised opportunities for threat actors that could provide credential access via RDP and VPN. Aside from this it is also uses threat emulation like Cobalt Strike and Metasploit to gain foot hold to the targeted host and persist if needed. - -[analytic_story://Log4Shell CVE-2021-44228] -category = Adversary Tactics -last_updated = 2021-12-11 -version = 1 -references = ["https://mbechler.github.io/2021/12/10/PSA_Log4Shell_JNDI_Injection/", "https://www.fastly.com/blog/digging-deeper-into-log4shell-0day-rce-exploit-found-in-log4j", "https://www.crowdstrike.com/blog/log4j2-vulnerability-analysis-and-mitigation-recommendations/", "https://www.lunasec.io/docs/blog/log4j-zero-day/", "https://www.splunk.com/en_us/blog/security/log-jammin-log4j-2-rce.html"] -maintainers = [{"company": "no", "email": "-", "name": "Jose Hernandez"}] -spec_version = 3 -searches = ["ESCU - Any Powershell DownloadFile - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Curl Download and Bash Execution - Rule", "ESCU - Java Class File download by Java User Agent - Rule", "ESCU - Linux Java Spawning Shell - Rule", "ESCU - Log4Shell CVE-2021-44228 Exploitation - Rule", "ESCU - Outbound Network Connection from Java Using Default Ports - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - Wget Download and Bash Execution - Rule", "ESCU - Windows Java Spawning Shells - Rule", "ESCU - Detect Outbound LDAP Traffic - Rule", "ESCU - Hunting for Log4Shell - Rule", "ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", "ESCU - Log4Shell JNDI Payload Injection with Outbound Connection - Rule"] -description = Log4Shell or CVE-2021-44228 is a Remote Code Execution (RCE) vulnerability in the Apache Log4j library, a widely used and ubiquitous logging framework for Java. The vulnerability allows an attacker who can control log messages to execute arbitrary code loaded from attacker-controlled servers and we anticipate that most apps using the Log4j library will meet this condition. -narrative = In late November 2021, Chen Zhaojun of Alibaba identified a remote code execution vulnerability. Previous work was seen in a 2016 Blackhat talk by Alvaro Munoz and Oleksandr Mirosh called ["A Journey from JNDI/LDAP Manipulation to Remote Code Execution Dream Land"](https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf). Reported under the CVE ID : CVE-2021-44228, released to the public on December 10, 2021. The vulnerability is exploited through improper deserialization of user input passed into the framework. It permits remote code execution and it can allow an attacker to leak sensitive data, such as environment variables, or execute malicious software on the target system. - -[analytic_story://Malicious PowerShell] -category = Adversary Tactics -last_updated = 2017-08-23 -version = 5 -references = ["https://blogs.mcafee.com/mcafee-labs/malware-employs-powershell-to-infect-systems/", "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "David Dorsey"}] -spec_version = 3 -searches = ["ESCU - Suspicious Powershell Command-Line Arguments - Rule", "ESCU - Any Powershell DownloadFile - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - Detect Certify With PowerShell Script Block Logging - Rule", "ESCU - Detect Empire with PowerShell Script Block Logging - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - GetLocalUser with PowerShell Script Block - Rule", "ESCU - GetWmiObject User Account with PowerShell Script Block - Rule", "ESCU - Malicious Powershell Executed As A Service - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Malicious PowerShell Process With Obfuscation Techniques - Rule", "ESCU - Possible Lateral Movement PowerShell Spawn - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - Powershell COM Hijacking InprocServer32 Modification - Rule", "ESCU - Powershell Creating Thread Mutex - Rule", "ESCU - PowerShell Domain Enumeration - Rule", "ESCU - PowerShell Enable PowerShell Remoting - Rule", "ESCU - Powershell Enable SMB1Protocol Feature - Rule", "ESCU - Powershell Execute COM Object - Rule", "ESCU - Powershell Fileless Process Injection via GetProcAddress - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - PowerShell Invoke CIMMethod CIMSession - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Powershell Processing Stream Of Data - Rule", "ESCU - PowerShell Script Block With URL Chain - Rule", "ESCU - Powershell Using memory As Backing Store - Rule", "ESCU - PowerShell WebRequest Using Memory Stream - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - ServicePrincipalNames Discovery with PowerShell - Rule", "ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule", "ESCU - Unloading AMSI via Reflection - Rule", "ESCU - WMI Recon Running Process Or Services - Rule", "ESCU - Get History Of Email Sources - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"] -description = Attackers are finding stealthy ways "live off the land," leveraging utilities and tools that come standard on the endpoint--such as PowerShell--to achieve their goals without downloading binary files. These searches can help you detect and investigate PowerShell command-line options that may be indicative of malicious intent. -narrative = The searches in this Analytic Story monitor for parameters often used for malicious purposes. It is helpful to understand how often the notable events generated by this story occur, as well as the commonalities between some of these events. These factors may provide clues about whether this is a common occurrence of minimal concern or a rare event that may require more extensive investigation. Likewise, it is important to determine whether the issue is restricted to a single user/system or is broader in scope. \ -The following factors may assist you in determining whether the event is malicious: \ -1. Country of origin \ -1. Responsible party \ -1. Fully qualified domain names associated with the external IP address \ -1. Registration of fully qualified domain names associated with external IP address \ -Determining whether it is a dynamic domain frequently visited by others and/or how third parties categorize it can also help you answer some questions surrounding the attacker and details related to the external system. In addition, there are various sources--such as VirusTotal— that can provide some reputation information on the IP address or domain name, which can assist in determining whether the event is malicious. Finally, determining whether there are other events associated with the IP address may help connect data points or show other events that should be brought into scope. \ -Gathering data on the system of interest can sometimes help you quickly determine whether something suspicious is happening. Some of these items include finding out who else may have recently logged into the system, whether any unusual scheduled tasks exist, whether the system is communicating on suspicious ports, whether there are modifications to sensitive registry keys, and whether there are any known vulnerabilities on the system. This information can often highlight other activity commonly seen in attack scenarios or give more information about how the system may have been targeted. \ -Often, a simple inspection of the process name and path can tell you if the system has been compromised. For example, if `svchost.exe` is found running from a location other than `C:\Windows\System32`, it is likely something malicious designed to hide in plain sight when cursorily reviewing process names. Similarly, if the process itself seems legitimate, but the parent process is running from the temporary browser cache, that could be indicative of activity initiated via a compromised website a user visited. \ -It can also be very helpful to examine various behaviors of the process of interest or the parent of the process of interest. For example, if it turns out the process of interest is malicious, it would be good to see if the parent to that process spawned other processes that might be worth further scrutiny. If a process is suspect, a review of the network connections made in and around the time of the event and/or whether the process spawned any child processes could be helpful, as well. \ -In the event a system is suspected of having been compromised via a malicious website, we suggest reviewing the browsing activity from that system around the time of the event. If categories are given for the URLs visited, that can help you zero in on possible malicious sites. \ -Most recently we have added new content related to PowerShell Script Block logging, Windows EventCode 4104. Script block logging presents the deobfuscated and raw script executed on an endpoint. The analytics produced were tested against commonly used attack frameworks - PowerShell-Empire, Cobalt Strike and Covenant. In addition, we sampled publicly available samples that utilize PowerShell and validated coverage. The analytics are here to identify suspicious usage, cmdlets, or script values. 4104 events are enabled via the Windows registry and may generate a large volume of data if enabled globally. Enabling on critical systems or a limited set may be best. During triage of 4104 events, review parallel processes for other processes and command executed. Identify any file modifications and network communication and review accordingly. Fortunately, we get the full script to determine the level of threat identified. - -[analytic_story://Masquerading - Rename System Utilities] -category = Adversary Tactics -last_updated = 2021-04-26 -version = 1 -references = ["https://attack.mitre.org/techniques/T1036/003/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - Execution of File With Spaces Before Extension - Rule", "ESCU - Suspicious Rundll32 Rename - Rule", "ESCU - Execution of File with Multiple Extensions - Rule", "ESCU - Sdelete Application Execution - Rule", "ESCU - Suspicious microsoft workflow compiler rename - Rule", "ESCU - Suspicious msbuild path - Rule", "ESCU - Suspicious MSBuild Rename - Rule", "ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - Windows DotNet Binary in Non Standard Path - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule"] -description = Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities. -narrative = Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing. It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename rundll32.exe). An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on system utilities executing from non-standard paths. \ -The following content is here to assist with binaries within `system32` or `syswow64` being moved to a new location or an adversary bringing a the binary in to execute. \ -There will be false positives as some native Windows processes are moved or ran by third party applications from different paths. If file names are mismatched between the file name on disk and that of the binarys PE metadata, this is a likely indicator that a binary was renamed after it was compiled. Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity. Do not focus on the possible names a file could have, but instead on the command-line arguments that are known to be used and are distinct because it will have a better rate of detection. - -[analytic_story://MetaSploit] -category = Adversary Tactics -last_updated = 2022-11-21 -version = 1 -references = ["https://github.com/rapid7/metasploit-framework", "https://www.varonis.com/blog/what-is-metasploit"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - Powershell Load Module in Meterpreter - Rule", "ESCU - Windows Apache Benchmark Binary - Rule"] -description = The following analytic story highlights content related directly to MetaSploit, which may be default configurations attributed to MetaSploit or behaviors of known knowns that are related. -narrative = The Metasploit framework is a very powerful tool which can be used by cybercriminals as well as ethical hackers to probe systematic vulnerabilities on networks and servers. Because it is an open-source framework, it can be easily customized and used with most operating systems. \ -The Metasploit Project was undertaken in 2003 by H.D. Moore for use as a Perl-based portable network tool, with assistance from core developer Matt Miller. It was fully converted to Ruby by 2007, and the license was acquired by Rapid7 in 2009, where it remains as part of the Boston-based company repertoire of IDS signature development and targeted remote exploit, fuzzing, anti-forensic, and evasion tools.\ \ -Portions of these other tools reside within the Metasploit framework, which is built into the Kali Linux OS. Rapid7 has also developed two proprietary OpenCore tools, Metasploit Pro, Metasploit Express.\ \ -This framework has become the go-to exploit development and mitigation tool. Prior to Metasploit, pen testers had to perform all probes manually by using a variety of tools that may or may not have supported the platform they were testing, writing their own code by hand, and introducing it onto networks manually. Remote testing was virtually unheard of, and that limited a security specialist reach to the local area and companies spending a fortune on in-house IT or security consultants. (ref. Varonis) - -[analytic_story://Meterpreter] -category = Adversary Tactics -last_updated = 2021-06-08 -version = 1 -references = ["https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/", "https://doubleoctopus.com/security-wiki/threats-and-tools/meterpreter/", "https://www.rapid7.com/products/metasploit/"] -maintainers = [{"company": "no", "email": "-", "name": "Michael Hart"}] -spec_version = 3 -searches = ["ESCU - Excessive distinct processes from Windows Temp - Rule", "ESCU - Excessive number of taskhost processes - Rule"] -description = Meterpreter provides red teams, pen testers and threat actors interactive access to a compromised host to run commands, upload payloads, download files, and other actions. -narrative = This Analytic Story supports you to detect Tactics, Techniques and Procedures (TTPs) from Meterpreter. Meterpreter is a Metasploit payload for remote execution that leverages DLL injection to make it extremely difficult to detect. Since the software runs in memory, no new processes are created upon injection. It also leverages encrypted communication channels. \ -Meterpreter enables the operator to remotely run commands on the target machine, upload payloads, download files, dump password hashes, and much more. It is difficult to determine from the forensic evidence what actions the operator performed. Splunk Research, however, has observed anomalous behaviors on the compromised hosts that seem to only appear when Meterpreter is executing various commands. With that, we have written new detections targeted to these detections. \ -While investigating a detection related to this analytic story, please bear in mind that the detections look for anomalies in system behavior. It will be imperative to look for other signs in the endpoint and network logs for lateral movement, discovery and other actions to confirm that the host was compromised and a remote actor used it to progress on their objectives. - -[analytic_story://Microsoft MSHTML Remote Code Execution CVE-2021-40444] -category = Adversary Tactics -last_updated = 2021-09-08 -version = 1 -references = ["https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/windows-mshtml-zero-day-actively-exploited-mitigations-required/", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444", "https://www.echotrail.io/insights/search/control.exe"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - Control Loading from World Writable Directory - Rule", "ESCU - MSHTML Module Load in Office Product - Rule", "ESCU - Office Product Writing cab or inf - Rule", "ESCU - Office Spawning Control - Rule", "ESCU - Rundll32 Control RunDLL Hunt - Rule", "ESCU - Rundll32 Control RunDLL World Writable Directory - Rule"] -description = CVE-2021-40444 is a remote code execution vulnerability in MSHTML, recently used to delivery targeted spearphishing documents. -narrative = Microsoft is aware of targeted attacks that attempt to exploit this vulnerability, CVE-2021-40444 by using specially-crafted Microsoft Office documents. MSHTML is a software component used to render web pages on Windows. Although it is 2019s most commonly associated with Internet Explorer, it is also used in other software. CVE-2021-40444 received a CVSS score of 8.8 out of 10. MSHTML is the beating heart of Internet Explorer, the vulnerability also exists in that browser. Although given its limited use, there is little risk of infection by that vector. Microsoft Office applications use the MSHTML component to display web content in Office documents. The attack depends on MSHTML loading a specially crafted ActiveX control when the target opens a malicious Office document. The loaded ActiveX control can then run arbitrary code to infect the system with more malware. At the moment all supported Windows versions are vulnerable. Since there is no patch available yet, Microsoft proposes a few methods to block these attacks. \ -1. Disable the installation of all ActiveX controls in Internet Explorer via the registry. Previously-installed ActiveX controls will still run, but no new ones will be added, including malicious ones. Open documents from the Internet in Protected View or Application Guard for Office, both of which prevent the current attack. This is a default setting but it may have been changed. - -[analytic_story://Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357] -category = Vulnerability -last_updated = 2023-09-27 -version = 1 -references = ["https://socradar.io/microsoft-sharepoint-server-elevation-of-privilege-vulnerability-exploit-cve-2023-29357/", "https://github.com/Chocapikk/CVE-2023-29357"] -maintainers = [{"company": "Gowthamaraj Rajendran, Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - Microsoft SharePoint Server Elevation of Privilege - Rule"] -description = This analytic story focuses on the Microsoft SharePoint Server vulnerability CVE-2023-29357, which allows for an elevation of privilege due to improper handling of authentication tokens. Exploitation of this vulnerability could lead to a serious security breach where an attacker might gain privileged access to the SharePoint environment, potentially leading to data theft or other malicious activities. This story is associated with the detection `Microsoft SharePoint Server Elevation of Privilege` which identifies attempts to exploit this vulnerability. -narrative = Microsoft SharePoint Server is a widely used web-based collaborative platform. The vulnerability CVE-2023-29357 exposes a flaw in the handling of authentication tokens, allowing an attacker to escalate privileges and gain unauthorized access to the SharePoint environment. This could potentially lead to data theft, unauthorized system modifications, or other malicious activities. Organizations are urged to apply immediate patches and conduct regular system assessments to ensure security. - -[analytic_story://Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190] -category = Adversary Tactics -last_updated = 2022-05-31 -version = 1 -references = ["https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/", "https://isc.sans.edu/diary/rss/28694", "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e", "https://twitter.com/nao_sec/status/1530196847679401984?s=20\u0026t=ZiXYI4dQuA-0_dzQzSUb3A", "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", "https://www.virustotal.com/gui/file/4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784/detection", "https://strontic.github.io/xcyclopedia/library/msdt.exe-152D4C9F63EFB332CCB134C6953C0104.html"] -maintainers = [{"company": "Teoderick Contreras, Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - Windows Command and Scripting Interpreter Hunting Path Traversal - Rule", "ESCU - Windows Command and Scripting Interpreter Path Traversal Exec - Rule", "ESCU - Windows Execute Arbitrary Commands with MSDT - Rule", "ESCU - Windows Office Product Spawning MSDT - Rule"] -description = On Monday May 30, 2022, Microsoft issued CVE-2022-30190 regarding the Microsoft Support Diagnostic Tool (MSDT) in Windows vulnerability. -narrative = A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user''s rights. - -[analytic_story://Monitor for Updates] -category = Best Practices -last_updated = 2017-09-15 -version = 1 -references = ["https://learn.cisecurity.org/20-controls-download"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Rico Valdez"}] -spec_version = 3 -searches = ["ESCU - No Windows Updates in a time frame - Rule", "ESCU - Get Notable History - Response Task"] -description = Monitor your enterprise to ensure that your endpoints are being patched and updated. Adversaries notoriously exploit known vulnerabilities that could be mitigated by applying routine security patches. -narrative = It is a common best practice to ensure that endpoints are being patched and updated in a timely manner, in order to reduce the risk of compromise via a publicly disclosed vulnerability. Timely application of updates/patches is important to eliminate known vulnerabilities that may be exploited by various threat actors. \ -Searches in this analytic story are designed to help analysts monitor endpoints for system patches and/or updates. This helps analysts identify any systems that are not successfully updated in a timely matter. \ -Microsoft releases updates for Windows systems on a monthly cadence. They should be installed as soon as possible after following internal testing and validation procedures. Patches and updates for other systems or applications are typically released as needed. - -[analytic_story://MOVEit Transfer Critical Vulnerability] -category = Adversary Tactics -last_updated = 2023-06-01 -version = 1 -references = ["https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023", "https://www.reddit.com/r/sysadmin/comments/13wxuej/critical_vulnerability_moveit_file_transfer/", "https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/", "https://www.reddit.com/r/sysadmin/comments/13wxuej/critical_vulnerability_moveit_file_transfer/", "https://gist.github.com/MHaggis/faa672b1929a23fc48fc0ee47585cc48"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - Windows MOVEit Transfer Writing ASPX - Rule"] -description = A critical zero-day vulnerability has been discovered in the MOVEit Transfer file transfer software, widely used by businesses and developers worldwide. The vulnerability has been exploited by unknown threat actors to perform mass data theft from organizations. Progress Software Corporation, the developer of MOVEit, has issued a security advisory urging customers to take immediate action to protect their environments. They recommend blocking external traffic to ports 80 and 445 on the MOVEit server, and to check the c:\MOVEitTransfer\wwwroot\ folder for unusual files. A patch is currently released. -narrative = Hackers have been actively exploiting a zero-day vulnerability found in the MOVEit Transfer software. This software, developed by Progress Software Corporation, a US-based company and its subsidiary Ipswitch, is a managed file transfer solution. It is used by thousands of organizations worldwide, including Chase, Disney, GEICO, and MLB, and by 3.5 million developers. The software allows for secure file transfers between business partners and customers using SFTP, SCP, and HTTP-based uploads. \ -The zero-day vulnerability has been exploited to steal data on a large scale from various organizations. The identity of the threat actors and the exact timeline of the exploitation remains unclear. However, it has been confirmed that multiple organizations have experienced breaches and data theft. \ -In response to this critical situation, Progress released a security advisory warning customers of the vulnerability and providing mitigation strategies while a patch has been released. They urged customers to take immediate action to protect their MOVEit environments. They suggested blocking external traffic to ports 80 and 445 on the MOVEit server and checking the c:\MOVEitTransfer\wwwroot\ folder for unexpected files, including backups or large file downloads. \ -Blocking these ports will prevent external access to the web UI, prevent some MOVEit Automation tasks from working, block APIs, and prevent the Outlook MOVEit plugin from working. However, SFTP and FTP/s protocols can continue to be used for file transfers. \ -There is currently no detailed information about the zero-day vulnerability. But based on the ports blocked and the specific location to check for unusual files, the flaw is likely a web-facing vulnerability. \ -While Progress has officially confirmed that the vulnerability is being actively exploited, it is clear from several reports that multiple organizations have already had data stolen using this zero-day vulnerability. The exploitation appears very similar to the mass exploitation of a GoAnywhere MFT zero-day in January 2023 and the December 2020 zero-day exploitation of Accellion FTA servers. These were both managed file transfer platforms heavily exploited by the Clop ransomware gang to steal data and extort organizations. - -[analytic_story://Netsh Abuse] -category = Abuse -last_updated = 2017-01-05 -version = 1 -references = ["https://docs.microsoft.com/en-us/previous-versions/tn-archive/bb490939(v=technet.10)", "https://htmlpreview.github.io/?https://github.com/MatthewDemaske/blogbackup/blob/master/netshell.html", "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Bhavin Patel"}] -spec_version = 3 -searches = ["ESCU - Processes created by netsh - Rule", "ESCU - Processes launching netsh - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"] -description = Detect activities and various techniques associated with the abuse of `netsh.exe`, which can disable local firewall settings or set up a remote connection to a host from an infected system. -narrative = It is a common practice for attackers of all types to leverage native Windows tools and functionality to execute commands for malicious reasons. One such tool on Windows OS is `netsh.exe`,a command-line scripting utility that allows you to--either locally or remotely--display or modify the network configuration of a computer that is currently running. `Netsh.exe` can be used to discover and disable local firewall settings. It can also be used to set up a remote connection to a host from an infected system. \ -To get started, run the detection search to identify parent processes of `netsh.exe`. - -[analytic_story://Network Discovery] -category = Malware -last_updated = 2022-02-14 -version = 1 -references = ["https://attack.mitre.org/techniques/T1016/", "https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf", "https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Teoderick Contreras"}] -spec_version = 3 -searches = ["ESCU - Linux System Network Discovery - Rule"] -description = Leverage searches that allow you to detect and investigate unusual activities that might relate to the network discovery, including looking for network configuration, settings such as IP, MAC address, firewall settings and many more. -narrative = Adversaries may use the information from System Network Configuration Discovery during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next. - -[analytic_story://NjRAT] -category = Malware -last_updated = 2023-09-07 -version = 2 -references = ["https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-malware/what-is-njrat-malware/#:~:text=NJRat%20%E2%80%94%20also%20known%20as%20Bladabindi,malware%20variant%20in%20March%202023.", "https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Teoderick Contreras"}] -spec_version = 3 -searches = ["ESCU - Allow Inbound Traffic By Firewall Rule Registry - Rule", "ESCU - Allow Network Discovery In Firewall - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Disable Registry Tool - Rule", "ESCU - Disabling CMD Application - Rule", "ESCU - Disabling SystemRestore In Registry - Rule", "ESCU - Disabling Task Manager - Rule", "ESCU - Excessive Usage Of Taskkill - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Firewall Allowed Program Enable - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Office Application Spawn rundll32 process - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Document Spawned Child Process To Download - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Office Product Spawning MSHTA - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Windows Abused Web Services - Rule", "ESCU - Windows Admin Permission Discovery - Rule", "ESCU - Windows Boot or Logon Autostart Execution In Startup Folder - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule", "ESCU - Windows Delete or Modify System Firewall - Rule", "ESCU - Windows Disable or Modify Tools Via Taskkill - Rule", "ESCU - Windows Executable in Loaded Modules - Rule", "ESCU - Windows Modify Registry With MD5 Reg Key Name - Rule", "ESCU - Windows Modify System Firewall with Notable Process Path - Rule", "ESCU - Windows Njrat Fileless Storage via Registry - Rule", "ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - Windows Replication Through Removable Media - Rule", "ESCU - Windows System LogOff Commandline - Rule", "ESCU - Windows System Reboot CommandLine - Rule", "ESCU - Windows System Shutdown CommandLine - Rule", "ESCU - Windows Time Based Evasion - Rule", "ESCU - Windows Unsigned DLL Side-Loading - Rule", "ESCU - Windows User Execution Malicious URL Shortcut File - Rule", "ESCU - Wscript Or Cscript Suspicious Child Process - Rule"] -description = NjRat is a notorious remote access trojan (RAT) predominantly wielded by malicious operators to infiltrate and wield remote control over compromised systems. This analytical story harnesses targeted search methodologies to uncover and investigate activities that could be indicative of NjRAT's presence. These activities include tracking file write operations for dropped files, scrutinizing registry modifications aimed at establishing persistence mechanisms, monitoring suspicious processes, self-deletion behaviors, browser credential parsing, firewall configuration alterations, spread itself via removable drive and an array of other potentially malicious actions. -narrative = NjRat is also known as Bladabindi malware that was first discovered in the wild in 2012. Since then this malware remain active and uses different campaign to spred its malware. While its primary infection vectors are phishing attacks and drive-by downloads, it also has "worm" capability to spread itself via infected removable drives. This RAT has various of capabilities including keylogging, webcam access, browser credential parsing, file upload and downloads, file and process list, service list, shell command execution, registry modification, screen capture, view the desktop of the infected computer and many more. NjRat does not target any industry in particular, but attacking a wide variety of individuals and organizations to gather sensitive information. - -[analytic_story://NOBELIUM Group] -category = Adversary Tactics -last_updated = 2020-12-14 -version = 3 -references = ["https://attack.mitre.org/groups/G0016/", "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/", "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/", "https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/"] -maintainers = [{"company": "Michael Haag, Mauricio Velazco, Splunk", "email": "-", "name": "Patrick Bareiss"}] -spec_version = 3 -searches = ["ESCU - Azure AD Admin Consent Bypassed by Service Principal - Rule", "ESCU - Azure AD FullAccessAsApp Permission Assigned - Rule", "ESCU - Azure AD High Number Of Failed Authentications From Ip - Rule", "ESCU - Azure AD Multi-Source Failed Authentications Spike - Rule", "ESCU - Azure AD Multiple Service Principals Created by SP - Rule", "ESCU - Azure AD Multiple Service Principals Created by User - Rule", "ESCU - Azure AD Privileged Graph API Permission Assigned - Rule", "ESCU - Azure AD Privileged Role Assigned - Rule", "ESCU - Azure AD Privileged Role Assigned to Service Principal - Rule", "ESCU - Azure AD Service Principal Authentication - Rule", "ESCU - Azure AD Service Principal Created - Rule", "ESCU - Azure AD Service Principal New Client Credentials - Rule", "ESCU - Azure AD Service Principal Owner Added - Rule", "ESCU - Azure AD Tenant Wide Admin Consent Granted - Rule", "ESCU - O365 Added Service Principal - Rule", "ESCU - O365 Application Registration Owner Added - Rule", "ESCU - O365 ApplicationImpersonation Role Assigned - Rule", "ESCU - O365 FullAccessAsApp Permission Assigned - Rule", "ESCU - O365 Multi-Source Failed Authentications Spike - Rule", "ESCU - O365 Multiple Mailboxes Accessed via API - Rule", "ESCU - O365 Multiple Service Principals Created by SP - Rule", "ESCU - O365 Multiple Service Principals Created by User - Rule", "ESCU - O365 Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - O365 OAuth App Mailbox Access via EWS - Rule", "ESCU - O365 OAuth App Mailbox Access via Graph API - Rule", "ESCU - O365 Privileged Graph API Permission Assigned - Rule", "ESCU - O365 Service Principal New Client Credentials - Rule", "ESCU - O365 Tenant Wide Admin Consent Granted - Rule", "ESCU - Anomalous usage of 7zip - Rule", "ESCU - Detect Prohibited Applications Spawning cmd exe - Rule", "ESCU - Detect Rundll32 Inline HTA Execution - Rule", "ESCU - First Time Seen Running Windows Service - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Sunburst Correlation DLL and Network Event - Rule", "ESCU - Windows AdFind Exe - Rule", "ESCU - Detect Outbound SMB Traffic - Rule", "ESCU - TOR Traffic - Rule", "ESCU - Supernova Webshell - Rule"] -description = NOBELIUM, also known as APT29, The Dukes, Cozy Bear, CozyDuke, Blue Kitsune, and Midnight Blizzard, is a sophisticated nation-state threat actor, reportedly associated with Russian intelligence. Active since at least 2008, this group primarily targets government networks in Europe and NATO member countries, along with research institutes and think tanks. Their operations typically involve advanced persistent threats (APT), leveraging techniques like spear-phishing, malware deployment, and long-term network compromise to achieve information theft and espionage. Notably, APT29 has been implicated in significant cyber espionage incidents, including the 2015 breach of the Pentagon's Joint Staff email system and attacks on the Democratic National Committee in 2016. Their advanced tactics and persistent approach underscore the serious nature of threats posed by this group to global cybersecurity. -narrative = This Analytic Story groups detections designed to trigger on a comprehensive range of Tactics, Techniques, and Procedures (TTPs) leveraged by the NOBELIUM Group, with a focus on their methods as observed in well-known public breaches. - -[analytic_story://Office 365 Account Takeover] -category = Adversary Tactics -last_updated = 2023-10-17 -version = 1 -references = ["https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes", "https://attack.mitre.org/tactics/TA0001/", "https://stealthbits.com/blog/bypassing-mfa-with-pass-the-cookie/", "https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth", "https://www.alteredsecurity.com/post/introduction-to-365-stealer", "https://github.com/AlteredSecurity/365-Stealer"] -maintainers = [{"company": "Patrick Bareiss, Splunk", "email": "-", "name": "Mauricio Velazco"}] -spec_version = 3 -searches = ["ESCU - High Number of Login Failures from a single source - Rule", "ESCU - O365 Block User Consent For Risky Apps Disabled - Rule", "ESCU - O365 Concurrent Sessions From Different Ips - Rule", "ESCU - O365 Excessive Authentication Failures Alert - Rule", "ESCU - O365 Excessive SSO logon errors - Rule", "ESCU - O365 File Permissioned Application Consent Granted by User - Rule", "ESCU - O365 High Number Of Failed Authentications for User - Rule", "ESCU - O365 Mail Permissioned Application Consent Granted by User - Rule", "ESCU - O365 Multi-Source Failed Authentications Spike - Rule", "ESCU - O365 Multiple AppIDs and UserAgents Authentication Spike - Rule", "ESCU - O365 Multiple Failed MFA Requests For User - Rule", "ESCU - O365 Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - O365 Security And Compliance Alert Triggered - Rule", "ESCU - O365 User Consent Blocked for Risky Application - Rule", "ESCU - O365 User Consent Denied for OAuth Application - Rule"] -description = Monitor for activities and anomalies indicative of initial access techniques within Office 365 environments. -narrative = Office 365 (O365) is Microsoft's cloud-based suite of productivity tools, encompassing email, collaboration platforms, and office applications, all integrated with Azure Active Directory for identity and access management. O365's centralized storage of sensitive data and widespread adoption make it a key asset, yet also a prime target for security threats. The "Office 365 Account Takeover" analytic story focuses on the initial techniques attackers employ to breach or compromise these identities. Initial access, in this context, consists of techniques that use various entry vectors to gain their initial foothold . Identifying these early indicators is crucial for establishing the first line of defense against unauthorized access and potential security incidents within O365 environments. - -[analytic_story://Office 365 Collection Techniques] -category = Adversary Tactics -last_updated = 2024-02-12 -version = 1 -references = [] -maintainers = [{"company": "Splunk", "email": "-", "name": "Mauricio Velazco"}] -spec_version = 3 -searches = ["ESCU - O365 ApplicationImpersonation Role Assigned - Rule", "ESCU - O365 Compliance Content Search Exported - Rule", "ESCU - O365 Compliance Content Search Started - Rule", "ESCU - O365 Elevated Mailbox Permission Assigned - Rule", "ESCU - O365 Mailbox Email Forwarding Enabled - Rule", "ESCU - O365 Mailbox Folder Read Permission Assigned - Rule", "ESCU - O365 Mailbox Folder Read Permission Granted - Rule", "ESCU - O365 Multiple Mailboxes Accessed via API - Rule", "ESCU - O365 New Email Forwarding Rule Created - Rule", "ESCU - O365 New Email Forwarding Rule Enabled - Rule", "ESCU - O365 New Forwarding Mailflow Rule Created - Rule", "ESCU - O365 OAuth App Mailbox Access via EWS - Rule", "ESCU - O365 OAuth App Mailbox Access via Graph API - Rule", "ESCU - O365 PST export alert - Rule", "ESCU - O365 Suspicious Admin Email Forwarding - Rule", "ESCU - O365 Suspicious Rights Delegation - Rule", "ESCU - O365 Suspicious User Email Forwarding - Rule"] -description = Monitor for activities and anomalies indicative of potential collection techniques within Office 365 environments. -narrative = Office 365 (O365) is Microsoft's cloud-based suite of productivity tools, encompassing email, collaboration platforms, and office applications, all integrated with Azure Active Directory for identity and access management. O365's centralized storage of sensitive data and widespread adoption make it a key asset, yet also a prime target for security threats. The 'Office 365 Collection Techniques' analytic story focuses on the strategies and methodologies that attackers might use to gather critical information within the O365 ecosystem. 'Collection' in this context refers to the various techniques adversaries deploy to accumulate data that are essential for advancing their malicious objectives. This could include tactics such as intercepting communications, accessing sensitive documents, or extracting data from collaboration tools and email platforms. By identifying and monitoring these collection activities, organizations can more effectively spot and counteract attempts to illicitly gather information - -[analytic_story://Office 365 Persistence Mechanisms] -category = Adversary Tactics -last_updated = 2023-10-17 -version = 1 -references = ["https://attack.mitre.org/tactics/TA0003/", "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", "https://blog.sygnia.co/detection-and-hunting-of-golden-saml-attack?hsLang=en", "https://www.mandiant.com/sites/default/files/2022-08/remediation-hardening-strategies-for-m365-defend-against-apt29-white-paper.pdf", "https://www.csoonline.com/article/570381/microsoft-365-advanced-audit-what-you-need-to-know.html", "https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/overview-assign-app-owners", "https://i.blackhat.com/USA-20/Thursday/us-20-Bienstock-My-Cloud-Is-APTs-Cloud-Investigating-And-Defending-Office-365.pdf"] -maintainers = [{"company": "Patrick Bareiss, Splunk", "email": "-", "name": "Mauricio Velazco"}] -spec_version = 3 -searches = ["ESCU - O365 Add App Role Assignment Grant User - Rule", "ESCU - O365 Added Service Principal - Rule", "ESCU - O365 Admin Consent Bypassed by Service Principal - Rule", "ESCU - O365 Advanced Audit Disabled - Rule", "ESCU - O365 Application Registration Owner Added - Rule", "ESCU - O365 ApplicationImpersonation Role Assigned - Rule", "ESCU - O365 Bypass MFA via Trusted IP - Rule", "ESCU - O365 Disable MFA - Rule", "ESCU - O365 FullAccessAsApp Permission Assigned - Rule", "ESCU - O365 High Privilege Role Granted - Rule", "ESCU - O365 Mailbox Inbox Folder Shared with All Users - Rule", "ESCU - O365 Mailbox Read Access Granted to Application - Rule", "ESCU - O365 Multiple Service Principals Created by SP - Rule", "ESCU - O365 Multiple Service Principals Created by User - Rule", "ESCU - O365 New Federated Domain Added - Rule", "ESCU - O365 New MFA Method Registered - Rule", "ESCU - O365 Privileged Graph API Permission Assigned - Rule", "ESCU - O365 Service Principal New Client Credentials - Rule", "ESCU - O365 Tenant Wide Admin Consent Granted - Rule"] -description = Monitor for activities and anomalies indicative of potential persistence techniques within Office 365 environments. -narrative = Office 365 (O365) is Microsoft's cloud-based suite of productivity tools, encompassing email, collaboration platforms, and office applications, all integrated with Azure Active Directory for identity and access management. O365's centralized storage of sensitive data and widespread adoption make it a key asset, yet also a prime target for security threats. The "Office 365 Persistence Mechanisms" analytic story delves into the tactics and techniques attackers employ to maintain prolonged unauthorized access within the O365 environment. Persistence in this context refers to methods used by adversaries to keep their foothold after an initial compromise. This can involve actions like modifying mailbox rules, establishing covert forwarding rules, manipulating application permissions. By monitoring signs of persistence, organizations can effectively detect and respond to stealthy threats, thereby protecting their O365 assets and data. - -[analytic_story://Okta Account Takeover] -category = Adversary Tactics -last_updated = 2024-03-06 -version = 1 -references = ["https://attack.mitre.org/techniques/T1586/", "https://www.imperva.com/learn/application-security/account-takeover-ato/", "https://www.barracuda.com/glossary/account-takeover", "https://www.okta.com/customer-identity/"] -maintainers = [{"company": "Mauricio Velazco, Bhavin Patel, Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - Okta Authentication Failed During MFA Challenge - Rule", "ESCU - Okta MFA Exhaustion Hunt - Rule", "ESCU - Okta Mismatch Between Source and Response for Verify Push Request - Rule", "ESCU - Okta Multi-Factor Authentication Disabled - Rule", "ESCU - Okta Multiple Accounts Locked Out - Rule", "ESCU - Okta Multiple Failed MFA Requests For User - Rule", "ESCU - Okta Multiple Failed Requests to Access Applications - Rule", "ESCU - Okta Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - Okta New API Token Created - Rule", "ESCU - Okta New Device Enrolled on Account - Rule", "ESCU - Okta Phishing Detection with FastPass Origin Check - Rule", "ESCU - Okta Risk Threshold Exceeded - Rule", "ESCU - Okta Successful Single Factor Authentication - Rule", "ESCU - Okta Suspicious Activity Reported - Rule", "ESCU - Okta Suspicious Use of a Session Cookie - Rule", "ESCU - Okta ThreatInsight Threat Detected - Rule", "ESCU - Okta Unauthorized Access to Application - Rule", "ESCU - Okta User Logins from Multiple Cities - Rule"] -description = The Okta Account Takeover analytic story encompasses a comprehensive suite of detections aimed at identifying unauthorized access and potential takeover attempts of Okta accounts. This collection leverages diverse data points and behavioral analytics to safeguard user identities and access within cloud environments. Monitor for activities and techniques associated with Account Takeover attacks against Okta tenants. -narrative = Okta is a cloud-based identity management service that provides organizations with a secure way to manage user access to various applications and services. It enables single sign-on (SSO), multi-factor authentication (MFA), lifecycle management, and more, helping organizations streamline the user authentication process. Account Takeover (ATO) is an attack whereby cybercriminals gain unauthorized access to online accounts by using different techniques like brute force, social engineering, phishing & spear phishing, credential stuffing, etc. By posing as the real user, cyber-criminals can change account details, send out phishing emails, access sensitive applications, or use any stolen information to access further accounts within the organization. This analytic story groups detections that can help security operations teams identify the potential compromise of Okta accounts. - -[analytic_story://Okta MFA Exhaustion] -category = Adversary Tactics -last_updated = 2022-09-27 -version = 1 -references = ["https://www.bleepingcomputer.com/news/security/mfa-fatigue-hackers-new-favorite-tactic-in-high-profile-breaches/", "https://www.csoonline.com/article/3674156/multi-factor-authentication-fatigue-attacks-are-on-the-rise-how-to-defend-against-them.html"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - Okta MFA Exhaustion Hunt - Rule", "ESCU - Okta Mismatch Between Source and Response for Verify Push Request - Rule", "ESCU - Okta Risk Threshold Exceeded - Rule", "ESCU - Okta Account Locked Out - Rule", "ESCU - Okta Two or More Rejected Okta Pushes - Rule"] -description = A social engineering technique called 'MFA Fatigue', aka 'MFA push spam' or 'MFA Exhaustion', is growing more popular with threat actors as it does not require malware or phishing infrastructure and has proven to be successful in attacks. -narrative = An MFA Fatigue attack is when a threat actor runs a script that attempts to log in with stolen credentials over and over, causing what feels like an endless stream of MFA push requests to be sent to the account's owner's mobile device. The goal is to keep this up, day and night, to break down the target's cybersecurity posture and inflict a sense of "fatigue" regarding these MFA prompts. - -[analytic_story://OpenSSL CVE-2022-3602] -category = Adversary Tactics -last_updated = 2022-11-02 -version = 1 -references = ["https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/", "https://github.com/advisories/GHSA-h8jm-2x53-xhp5", "https://community.emergingthreats.net/t/out-of-band-ruleset-update-summary-2022-11-01/117", "https://github.com/corelight/CVE-2022-3602/tree/master/scripts"] -maintainers = [{"company": "splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - SSL Certificates with Punycode - Rule", "ESCU - Zeek x509 Certificate with Punycode - Rule"] -description = OpenSSL recently disclosed two vulnerabilities CVE-2022-3602 and CVE-2022-3786. CVE-2022-3602 is a X.509 Email Address 4-byte Buffer Overflow where puny code is utilized. This only affects OpenSSL 3.0.0 - 3.0.6. -narrative = A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the . character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service). In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. Users of OpenSSL 3.0.0 - 3.0.6 are encouraged to upgrade to 3.0.7 as soon as possible. If you obtain your copy of OpenSSL from your Operating System vendor or other third party then you should seek to obtain an updated version from them as soon as possible. SSL Certificates with Punycode will identify SSL certificates with Punycode. Note that it does not mean it will capture malicious payloads. If using Zeek, modify the Zeek x509 certificate with punycode to match your environment. We found during this exercise that the FULL x509 with SAN must be captured and stored, decoded, in order to query against it. - -[analytic_story://Orangeworm Attack Group] -category = Malware -last_updated = 2020-01-22 -version = 2 -references = ["https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia", "https://www.infosecurity-magazine.com/news/healthcare-targeted-by-hacker/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "David Dorsey"}] -spec_version = 3 -searches = ["ESCU - First time seen command line argument - Rule", "ESCU - First Time Seen Running Windows Service - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Get History Of Email Sources - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"] -description = Detect activities and various techniques associated with the Orangeworm Attack Group, a group that frequently targets the healthcare industry. -narrative = In May of 2018, the attack group Orangeworm was implicated for installing a custom backdoor called Trojan.Kwampirs within large international healthcare corporations in the United States, Europe, and Asia. This malware provides the attackers with remote access to the target system, decrypting and extracting a copy of its main DLL payload from its resource section. Before writing the payload to disk, it inserts a randomly generated string into the middle of the decrypted payload in an attempt to evade hash-based detections. \ -Awareness of the Orangeworm group first surfaced in January, 2015. It has conducted targeted attacks against related industries, as well, such as pharmaceuticals and healthcare IT solution providers. \ -Healthcare may be a promising target, because it is notoriously behind in technology, often using older operating systems and neglecting to patch computers. Even so, the group was able to evade detection for a full three years. Sources say that the malware spread quickly within the target networks, infecting computers used to control medical devices, such as MRI and X-ray machines. \ -This Analytic Story is designed to help you detect and investigate suspicious activities that may be indicative of an Orangeworm attack. One detection search looks for command-line arguments. Another monitors for uses of sc.exe, a non-essential Windows file that can manipulate Windows services. One of the investigative searches helps you get more information on web hosts that you suspect have been compromised. - -[analytic_story://Outlook RCE CVE-2024-21378] -category = Adversary Tactics -last_updated = 2024-03-20 -version = 1 -references = ["https://www.netspi.com/blog/technical/red-team-operations/microsoft-outlook-remote-code-execution-cve-2024-21378/"] -maintainers = [{"company": "Teoderick Contreras, Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - Windows InProcServer32 New Outlook Form - Rule", "ESCU - Windows New InProcServer32 Added - Rule", "ESCU - Windows Phishing Outlook Drop Dll In FORM Dir - Rule"] -description = CVE-2024-21378 exposes a critical vulnerability in Microsoft Outlook, allowing for authenticated remote code execution (RCE) through the manipulation of synced form objects. Discovered by NetSPI in 2023, this vulnerability capitalizes on the unchanged syncing capability of form objects, despite previous patches aimed at securing script code in custom forms. This technical blog delves into the discovery and weaponization of CVE-2024-21378, enhancing the Outlook penetration testing tool, Ruler, to exploit this flaw. A forthcoming pull request will provide a proof-of-concept code, aiding organizations in mitigating this security risk. -narrative = CVE-2024-21378 is a weakness in Microsoft Outlook that lets hackers execute code remotely if they can authenticate themselves. Researchers at NetSPI found this issue in 2023. The problem started with a technique from 2017 by Etienne Stalmans at SensePost, who found a way to run code using VBScript in Outlook forms. Microsoft tried to fix it by only allowing approved script code in custom forms, but they didn't fix the main issue, which is how these forms sync. To exploit this vulnerability, you need to know how Outlook forms sync, using something called MAPI, and how they use certain properties and attachments when they're set up for the first time. Hackers can mess with these properties and attachments to run their own code. They do this by tricking the form's setup process, changing registry keys and files to get past Outlook's security. To show how this could be done, researchers modified Ruler, a tool for testing Outlook's security. They changed it so it could sync a harmful form with the right properties to run a specific type of file, a COM compliant native DLL. This not only showed that CVE-2024-21378 could be exploited but also that it could affect a lot of companies since so many use Microsoft Outlook. The discovery and the way it was exploited remind us that we always need to be on the lookout for security risks and work hard to protect against them. The cybersecurity world is always watching for the next big threat that could put our digital world at risk. As companies rush to fix this issue, it's a reminder of how important it is to stay ahead of these threats. - -[analytic_story://PaperCut MF NG Vulnerability] -category = Adversary Tactics -last_updated = 2023-05-15 -version = 1 -references = ["https://www.cisa.gov/news-events/alerts/2023/05/11/cisa-and-fbi-release-joint-advisory-response-active-exploitation-papercut-vulnerability", "https://www.papercut.com/kb/Main/PO-1216-and-PO-1219", "https://www.horizon3.ai/papercut-cve-2023-27350-deep-dive-and-indicators-of-compromise/", "https://www.bleepingcomputer.com/news/security/hackers-actively-exploit-critical-rce-bug-in-papercut-servers/", "https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - PaperCut NG Suspicious Behavior Debug Log - Rule", "ESCU - Windows PaperCut NG Spawn Shell - Rule", "ESCU - PaperCut NG Remote Web Access Attempt - Rule"] -description = The FBI has issued a joint advisory concerning the exploitation of a PaperCut MF/NG vulnerability (CVE-2023-27350) by malicious actors, which began in mid-April 2023 and has been ongoing. In early May 2023, a group identifying themselves as the Bl00dy Ransomware Gang targeted vulnerable PaperCut servers within the Education Facilities Subsector. The advisory provides information on detecting exploitation attempts and shares known indicators of compromise (IOCs) associated with the group's activities. -narrative = PaperCut MF/NG versions 19 and older have reached their end-of-life, as documented on the End of Life Policy page. Customers using these older versions are advised to purchase an updated license online for PaperCut NG or through their PaperCut Partner for PaperCut MF. For users with a currently supported version (version 20 or later), they can upgrade to any maintenance release version they are licensed for. If upgrading to a security patch is not possible, there are alternative options to enhance security. Users can lock down network access to their server(s) by blocking all inbound traffic from external IPs to the web management port (port 9191 and 9192 by default) and blocking all inbound traffic to the web management portal on the firewall to the server. Additionally, users can apply "Allow list" restrictions under Options > Advanced > Security > Allowed site server IP addresses, setting this to only allow the IP addresses of verified Site Servers on their network. \ -The vulnerabilities CVE-2023-27350 and CVE-2023-27351 have CVSS scores of 9.8 (Critical) and 8.2 (High), respectively. PaperCut and its partner network have activated response teams to assist PaperCut MF and NG customers, with service desks available 24/7 via their support page. The security response team at PaperCut has been working with external security advisors to compile a list of unpatched PaperCut MF/NG servers that have ports open on the public internet. They have been proactively reaching out to potentially exposed customers since Wednesday afternoon (AEST) and are working around the clock through the weekend. \ -The exploit was first detected in the wild on April 18th, 2023, at 03:30 AEST / April 17th, 2023, at 17:30 UTC. The earliest signature of suspicious activity on a customer server potentially linked to this vulnerability dates back to April 14th, 2023, at 01:29 AEST / April 13th, 2023, at 15:29 UTC. \ -Applying the security fixes should not have any negative impact. Users can follow their usual upgrade procedure to obtain the upgrade. Additional links on the -Check for updates- page (accessed through the Admin interface > About > Version info > Check for updates) allow customers to download fixes for previous major versions that are still supported (e.g., 20.1.7 and 21.2.11) as well as the current version available. PaperCut MF users are advised to follow their regular upgrade process and consult their PaperCut partner or reseller for assistance. - -[analytic_story://PetitPotam NTLM Relay on Active Directory Certificate Services] -category = Adversary Tactics -last_updated = 2021-08-31 -version = 1 -references = ["https://us-cert.cisa.gov/ncas/current-activity/2021/07/27/microsoft-releases-guidance-mitigating-petitpotam-ntlm-relay", "https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429", "https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf", "https://github.com/topotam/PetitPotam/", "https://github.com/gentilkiwi/mimikatz/releases/tag/2.2.0-20210723", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942", "https://attack.mitre.org/techniques/T1187/"] -maintainers = [{"company": "Mauricio Velazco, Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - PetitPotam Network Share Access Request - Rule", "ESCU - PetitPotam Suspicious Kerberos TGT Request - Rule"] -description = PetitPotam (CVE-2021-36942,) is a vulnerablity identified in Microsofts EFSRPC Protocol that can allow an unauthenticated account to escalate privileges to domain administrator given the right circumstances. -narrative = In June 2021, security researchers at SpecterOps released a blog post and white paper detailing several potential attack vectors against Active Directory Certificated Services (ADCS). ADCS is a Microsoft product that implements Public Key Infrastrucutre (PKI) functionality and can be used by organizations to provide and manage digital certiticates within Active Directory.\ In July 2021, a security researcher released PetitPotam, a tool that allows attackers to coerce Windows systems into authenticating to arbitrary endpoints.\ Combining PetitPotam with the identified ADCS attack vectors allows attackers to escalate privileges from an unauthenticated anonymous user to full domain admin privileges. - -[analytic_story://Phemedrone Stealer] -category = Malware -last_updated = 2024-01-24 -version = 2 -references = ["https://www.trendmicro.com/en_vn/research/23/b/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows.html"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Teoderick Contreras"}] -spec_version = 3 -searches = ["ESCU - Any Powershell DownloadFile - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - Download Files Using Telegram - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Suspicious Process DNS Query Known Abuse Web Services - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Credentials from Password Stores Chrome Extension Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule", "ESCU - Windows Gather Victim Network Info Through Ip Check Web Services - Rule"] -description = Phemedrone Stealer is a potent data-stealing malware designed to infiltrate systems discreetly, primarily targeting sensitive user information. Operating with a stealthy modus operandi, it covertly collects and exfiltrates critical data such as login credentials, personal details, and financial information. Notably evasive, Phemedrone employs sophisticated techniques to bypass security measures and remain undetected. Its capabilities extend to exploiting vulnerabilities, leveraging command and control infrastructure, and facilitating remote access. As a formidable threat, Phemedrone Stealer poses a significant risk to user privacy and system integrity, demanding vigilant cybersecurity measures to counteract its malicious activities. -narrative = Phemedrone Stealer, spotlighted in a recent Trend Micro blog, unveils a concerning chapter in cyber threats. Leveraging the CVE-2023-36025 vulnerability for defense evasion, this malware exhibits a relentless pursuit of sensitive data. Originating from the shadows of the dark web, it capitalizes on forums where cybercriminals refine its evasive maneuvers. The blog sheds light on Phemedrone's exploitation of intricate tactics, illustrating its agility in sidestepping security protocols. As cybersecurity experts delve into the intricacies of CVE-2023-36025, the narrative surrounding Phemedrone Stealer underscores the urgency for heightened vigilance and proactive defense measures against this persistent and evolving digital adversary. - -[analytic_story://PlugX] -category = Malware -last_updated = 2023-10-12 -version = 2 -references = ["https://malpedia.caad.fkie.fraunhofer.de/details/win.plugx", "https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/carderbee-software-supply-chain-certificate-abuse", "https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf", "https://www.mandiant.com/resources/blog/infected-usb-steal-secrets", "https://attack.mitre.org/software/S0013/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Teoderick Contreras"}] -spec_version = 3 -searches = ["ESCU - Allow Inbound Traffic By Firewall Rule Registry - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Firewall Allowed Program Enable - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Office Application Drop Executable - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Document Spawned Child Process To Download - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious writes to windows Recycle Bin - Rule", "ESCU - Windows Access Token Manipulation SeDebugPrivilege - Rule", "ESCU - Windows Masquerading Msdtc Process - Rule", "ESCU - Windows Replication Through Removable Media - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule", "ESCU - Windows Service Deletion In Registry - Rule"] -description = PlugX, also referred to as "PlugX RAT" or "Kaba," is a highly sophisticated remote access Trojan (RAT) discovered in 2012. This malware is notorious for its involvement in targeted cyberattacks, primarily driven by cyber espionage objectives. PlugX provides attackers with comprehensive remote control capabilities over compromised systems, granting them the ability to execute commands, collect sensitive data, and manipulate the infected host. -narrative = PlugX, known as the "silent infiltrator of the digital realm, is a shadowy figure in the world of cyber threats. This remote access Trojan (RAT), first unveiled in 2012, is not your run-of-the-mill malware. It's the go-to tool for sophisticated hackers with one goal in mind, espionage. PlugX's repertoire of capabilities reads like a spy thriller. It doesn't just breach your defenses; it goes a step further, slipping quietly into your systems, much like a ghost. Once inside, it opens the door to a world of possibilities for cybercriminals. With a few keystrokes, they can access your data, capture your screen, and silently watch your every move. In the hands of skilled hackers, it's a versatile instrument for cyber espionage. This malware thrives on persistence. It's not a one-time hit; it's in it for the long haul. Even if you reboot your system, PlugX remains, ensuring that its grip on your infrastructure doesn't waver. - -[analytic_story://Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns] -category = Adversary Tactics -last_updated = 2020-01-22 -version = 1 -references = ["https://www.infosecurity-magazine.com/news/scope-of-mudcarp-attacks-highlight-1/", "http://blog.amossys.fr/badflick-is-not-so-bad.html"] -maintainers = [{"company": "iDefense", "email": "-", "name": "iDefense Cyber Espionage Team"}] -spec_version = 3 -searches = ["ESCU - First time seen command line argument - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Unusually Long Command Line - Rule", "ESCU - Unusually Long Command Line - MLTK - Rule", "ESCU - Get History Of Email Sources - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"] -description = Monitor your environment for suspicious behaviors that resemble the techniques employed by the MUDCARP threat group. -narrative = This story was created as a joint effort between iDefense and Splunk. \ -iDefense analysts have recently discovered a Windows executable file that, upon execution, spoofs a decryption tool and then drops a file that appears to be the custom-built javascript backdoor, "Orz," which is associated with the threat actors known as MUDCARP (as well as "temp.Periscope" and "Leviathan"). The file is executed using Wscript. \ -The MUDCARP techniques include the use of the compressed-folders module from Microsoft, zipfldr.dll, with RouteTheCall export to run the malicious process or command. After a successful reboot, the malware is made persistent by a manipulating `[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]'help'='c:\\windows\\system32\\rundll32.exe c:\\windows\\system32\\zipfldr.dll,RouteTheCall c:\\programdata\\winapp.exe'`. Though this technique is not exclusive to MUDCARP, it has been spotted in the group's arsenal of advanced techniques seen in the wild. \ -This Analytic Story searches for evidence of tactics, techniques, and procedures (TTPs) that allow for the use of a endpoint detection-and-response (EDR) bypass technique to mask the true parent of a malicious process. It can also be set as a registry key for further sandbox evasion and to allow the malware to launch only after reboot. \ -If behavioral searches included in this story yield positive hits, iDefense recommends conducting IOC searches for the following: \ -1. www.chemscalere[.]com \ -1. chemscalere[.]com \ -1. about.chemscalere[.]com \ -1. autoconfig.chemscalere[.]com \ -1. autodiscover.chemscalere[.]com \ -1. catalog.chemscalere[.]com \ -1. cpanel.chemscalere[.]com \ -1. db.chemscalere[.]com \ -1. ftp.chemscalere[.]com \ -1. mail.chemscalere[.]com \ -1. news.chemscalere[.]com \ -1. update.chemscalere[.]com \ -1. webmail.chemscalere[.]com \ -1. www.candlelightparty[.]org \ -1. candlelightparty[.]org \ -1. newapp.freshasianews[.]com \ -In addition, iDefense also recommends that organizations review their environments for activity related to the following hashes: \ -1. cd195ee448a3657b5c2c2d13e9c7a2e2 \ -1. b43ad826fe6928245d3c02b648296b43 \ -1. 889a9b52566448231f112a5ce9b5dfaf \ -1. b8ec65dab97cdef3cd256cc4753f0c54 \ -1. 04d83cd3813698de28cfbba326d7647c - -[analytic_story://Prestige Ransomware] -category = Malware -last_updated = 2022-11-30 -version = 1 -references = ["https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Teoderick Contreras"}] -spec_version = 3 -searches = ["ESCU - Change Default File Association - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Create or delete windows shares using net exe - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Domain Group Discovery With Net - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Excessive Usage Of Cacls App - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Connection Discovery With Net - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Network Discovery Using Route Windows App - Rule", "ESCU - Ntdsutil Export NTDS - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - WBAdmin Delete System Backups - Rule", "ESCU - Windows Cached Domain Credentials Reg Query - Rule", "ESCU - Windows Change Default File Association For No File Ext - Rule", "ESCU - Windows ClipBoard Data via Get-ClipBoard - Rule", "ESCU - Windows Credentials from Password Stores Query - Rule", "ESCU - Windows Credentials in Registry Reg Query - Rule", "ESCU - Windows Indirect Command Execution Via Series Of Forfiles - Rule", "ESCU - Windows Information Discovery Fsutil - Rule", "ESCU - Windows Modify Registry Reg Restore - Rule", "ESCU - Windows Password Managers Discovery - Rule", "ESCU - Windows Private Keys Discovery - Rule", "ESCU - Windows Query Registry Reg Save - Rule", "ESCU - Windows Security Support Provider Reg Query - Rule", "ESCU - Windows Service Stop Via Net and SC Application - Rule", "ESCU - Windows Steal or Forge Kerberos Tickets Klist - Rule", "ESCU - Windows System Network Config Discovery Display DNS - Rule", "ESCU - Windows System Network Connections Discovery Netsh - Rule", "ESCU - Windows System User Discovery Via Quser - Rule", "ESCU - Windows WMI Process And Service List - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"] -description = Leverage searches that allow you to detect and investigate unusual activities that might relate to the Prestige Ransomware -narrative = This story addresses Prestige ransomware. This ransomware payload seen by Microsoft Threat Intelligence Center(MSTIC) as a ransomware campaign targeting organization in the transportation and logistic industries in some countries. This ransomware campaign highlight the destructive attack to its target organization that directly supplies or transporting military and humanitarian services or assistance. MSTIC observed this ransomware has similarities in terms of its deployment techniques with CaddyWiper and HermeticWiper which is also known malware campaign impacted multiple targeted critical infrastructure organizations. This analytic story will provide techniques and analytics that may help SOC or security researchers to monitor this threat. - -[analytic_story://PrintNightmare CVE-2021-34527] -category = Vulnerability -last_updated = 2021-07-01 -version = 1 -references = ["https://github.com/cube0x0/CVE-2021-1675/", "https://blog.truesec.com/2021/06/30/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available/", "https://blog.truesec.com/2021/06/30/exploitable-critical-rce-vulnerability-allows-regular-users-to-fully-compromise-active-directory-printnightmare-cve-2021-1675/", "https://www.reddit.com/r/msp/comments/ob6y02/critical_vulnerability_printnightmare_exposes"] -maintainers = [{"company": "no", "email": "-", "name": "Splunk Threat Research Team"}] -spec_version = 3 -searches = ["ESCU - Print Spooler Adding A Printer Driver - Rule", "ESCU - Print Spooler Failed to Load a Plug-in - Rule", "ESCU - Rundll32 with no Command Line Arguments with Network - Rule", "ESCU - Spoolsv Spawning Rundll32 - Rule", "ESCU - Spoolsv Suspicious Loaded Modules - Rule", "ESCU - Spoolsv Suspicious Process Access - Rule", "ESCU - Spoolsv Writing a DLL - Rule", "ESCU - Spoolsv Writing a DLL - Sysmon - Rule", "ESCU - Suspicious Rundll32 no Command Line Arguments - Rule"] -description = The following analytic story identifies behaviors related PrintNightmare, or CVE-2021-34527 previously known as (CVE-2021-1675), to gain privilege escalation on the vulnerable machine. -narrative = This vulnerability affects the Print Spooler service, enabled by default on Windows systems, and allows adversaries to trick this service into installing a remotely hosted print driver using a low privileged user account. Successful exploitation effectively allows adversaries to execute code in the target system (Remote Code Execution) in the context of the Print Spooler service which runs with the highest privileges (Privilege Escalation). \ -The prerequisites for successful exploitation consist of: \ -1. Print Spooler service enabled on the target system \ -1. Network connectivity to the target system (initial access has been obtained) \ -1. Hash or password for a low privileged user ( or computer ) account. \ -In the most impactful scenario, an attacker would be able to leverage this vulnerability to obtain a SYSTEM shell on a domain controller and so escalate their privileges from a low privileged domain account to full domain access in the target environment as shown below. - -[analytic_story://Prohibited Traffic Allowed or Protocol Mismatch] -category = Best Practices -last_updated = 2017-09-11 -version = 1 -references = ["http://www.novetta.com/2015/02/advanced-methods-to-detect-advanced-cyber-attacks-protocol-abuse/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Rico Valdez"}] -spec_version = 3 -searches = ["ESCU - Allow Inbound Traffic By Firewall Rule Registry - Rule", "ESCU - Allow Inbound Traffic In Firewall Rule - Rule", "ESCU - Enable RDP In Other Port Number - Rule", "ESCU - Detect hosts connecting to dynamic domain providers - Rule", "ESCU - Prohibited Network Traffic Allowed - Rule", "ESCU - Protocol or Port Mismatch - Rule", "ESCU - TOR Traffic - Rule", "ESCU - Get DNS Server History for a host - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Process Information For Port Activity - Response Task"] -description = Detect instances of prohibited network traffic allowed in the environment, as well as protocols running on non-standard ports. Both of these types of behaviors typically violate policy and can be leveraged by attackers. -narrative = A traditional security best practice is to control the ports, protocols, and services allowed within your environment. By limiting the services and protocols to those explicitly approved by policy, administrators can minimize the attack surface. The combined effect allows both network defenders and security controls to focus and not be mired in superfluous traffic or data types. Looking for deviations to policy can identify attacker activity that abuses services and protocols to run on alternate or non-standard ports in the attempt to avoid detection or frustrate forensic analysts. - -[analytic_story://ProxyNotShell] -category = Adversary Tactics -last_updated = 2022-09-30 -version = 1 -references = ["https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/", "https://twitter.com/GossiTheDog/status/1575762721353916417?s=20\u0026t=67gq9xCWuyPm1VEm8ydfyA", "https://twitter.com/cglyer/status/1575793769814728705?s=20\u0026t=67gq9xCWuyPm1VEm8ydfyA", "https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html", "https://research.splunk.com/stories/proxyshell/", "https://www.inversecos.com/2022/07/hunting-for-apt-abuse-of-exchange.html"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Detect Exchange Web Shell - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Exchange PowerShell Abuse via SSRF - Rule", "ESCU - Exchange PowerShell Module Usage - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows MSExchange Management Mailbox Cmdlet Usage - Rule", "ESCU - ProxyShell ProxyNotShell Behavior Detected - Rule", "ESCU - Windows Exchange Autodiscover SSRF Abuse - Rule"] -description = Two new zero day Microsoft Exchange vulnerabilities have been identified actively exploited in the wild - CVE-2022-41040 and CVE-2022-41082. -narrative = Microsoft is investigating two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, 2016, and 2019. The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker. Originally identified by GTSC monitoring Exchange, some adversary post-exploitation activity was identified and is tagged to this story. - -[analytic_story://ProxyShell] -category = Adversary Tactics -last_updated = 2021-08-24 -version = 1 -references = ["https://y4y.space/2021/08/12/my-steps-of-reproducing-proxyshell/", "https://www.zerodayinitiative.com/blog/2021/8/17/from-pwn2own-2021-a-new-attack-surface-on-microsoft-exchange-proxyshell", "https://www.youtube.com/watch?v=FC6iHw258RI", "https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit#what-should-you-do", "https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-ProxyLogon-Is-Just-The-Tip-Of-The-Iceberg-A-New-Attack-Surface-On-Microsoft-Exchange-Server.pdf", "https://www.inversecos.com/2022/07/hunting-for-apt-abuse-of-exchange.html"] -maintainers = [{"company": "Teoderick Contreras, Mauricio Velazco, Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - Detect Exchange Web Shell - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Exchange PowerShell Abuse via SSRF - Rule", "ESCU - Exchange PowerShell Module Usage - Rule", "ESCU - MS Exchange Mailbox Replication service writing Active Server Pages - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows MSExchange Management Mailbox Cmdlet Usage - Rule", "ESCU - ProxyShell ProxyNotShell Behavior Detected - Rule", "ESCU - Windows Exchange Autodiscover SSRF Abuse - Rule"] -description = ProxyShell is a chain of exploits targeting on-premise Microsoft Exchange Server - CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. -narrative = During Pwn2Own April 2021, a security researcher demonstrated an attack chain targeting on-premise Microsoft Exchange Server. August 5th, the same researcher publicly released further details and demonstrated the attack chain. CVE-2021-34473 Pre-auth path confusion leads to ACL Bypass (Patched in April by KB5001779) CVE-2021-34523 - Elevation of privilege on Exchange PowerShell backend (Patched in April by KB5001779) . CVE-2021-31207 - Post-auth Arbitrary-File-Write leads to RCE (Patched in May by KB5003435) Upon successful exploitation, the remote attacker will have SYSTEM privileges on the Exchange Server. In addition to remote access/execution, the adversary may be able to run Exchange PowerShell Cmdlets to perform further actions. - -[analytic_story://Qakbot] -category = Malware -last_updated = 2022-11-14 -version = 2 -references = ["https://www.cisa.gov/sites/default/files/publications/202010221030_QakBot%20TLPWHITE.pdf", "https://malpedia.caad.fkie.fraunhofer.de/details/win.QakBot", "https://securelist.com/QakBot-technical-analysis/103931/", "https://www.fortinet.com/blog/threat-research/new-variant-of-QakBot-spread-by-phishing-emails", "https://attack.mitre.org/software/S0650/", "https://cybersecurity.att.com/blogs/labs-research/the-rise-of-qakbot"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Teoderick Contreras"}] -spec_version = 3 -searches = ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Create Remote Thread In Shell Application - Rule", "ESCU - Disable Defender Spynet Reporting - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Network Discovery Using Route Windows App - Rule", "ESCU - NLTest Domain Trust Discovery - Rule", "ESCU - Office Application Spawn Regsvr32 process - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Process Creating LNK file in Suspicious Location - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Services LOLBAS Execution Process Spawn - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Regsvr32 Register Suspicious Path - Rule", "ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - System User Discovery With Whoami - Rule", "ESCU - Wermgr Process Spawned CMD Or Powershell Process - Rule", "ESCU - Windows App Layer Protocol Qakbot NamedPipe - Rule", "ESCU - Windows App Layer Protocol Wermgr Connect To NamedPipe - Rule", "ESCU - Windows Command Shell Fetch Env Variables - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows Defender Exclusion Registry Entry - Rule", "ESCU - Windows DLL Search Order Hijacking Hunt with Sysmon - Rule", "ESCU - Windows DLL Side-Loading In Calc - Rule", "ESCU - Windows DLL Side-Loading Process Child Of Calc - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Masquerading Explorer As Child Process - Rule", "ESCU - Windows Modify Registry Qakbot Binary Data Registry - Rule", "ESCU - Windows MsiExec HideWindow Rundll32 Execution - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule", "ESCU - Windows Process Injection In Non-Service SearchIndexer - Rule", "ESCU - Windows Process Injection Of Wermgr to Known Browser - Rule", "ESCU - Windows Process Injection Remote Thread - Rule", "ESCU - Windows Process Injection Wermgr Child Process - Rule", "ESCU - Windows Regsvr32 Renamed Binary - Rule", "ESCU - Windows Schtasks Create Run As System - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows System Discovery Using ldap Nslookup - Rule", "ESCU - Windows System Discovery Using Qwinsta - Rule", "ESCU - Windows WMI Impersonate Token - Rule", "ESCU - Windows WMI Process Call Create - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"] -description = QakBot is a modular banking trojan that has been used primarily by financially-motivated actors since at least 2007. QakBot is continuously maintained and developed and has evolved from an information stealer into a delivery agent for ransomware (ref. MITRE ATT&CK). -narrative = QakBot notably has made its way on the CISA top malware list for 2021. QakBot for years has been under continious improvement when it comes to initial access, injection and post-exploitation. Multiple adversaries use QakBot to gain initial access and persist, most notably TA551. The actor(s) behind QakBot possess a modular framework consisting of maldoc builders, signed loaders, and DLLs that produce initially low detection rates at the beginning of the attack, which creates opportunities to deliver additional malware such as Egregor and Cobalt Strike. (ref. Cybersecurity ATT) The more recent campaigns utilize HTML smuggling to deliver a ISO container that has a LNK and QakBot payload. QakBot will either load via regsvr32.exe directly, it will attempt to perform DLL sideloading. - -[analytic_story://Ransomware] -category = Malware -last_updated = 2020-02-04 -version = 1 -references = ["https://web.archive.org/web/20190826231258/https://www.carbonblack.com/2017/06/28/carbon-black-threat-research-technical-analysis-petya-notpetya-ransomware/", "https://www.splunk.com/blog/2017/06/27/closing-the-detection-to-mitigation-gap-or-to-petya-or-notpetya-whocares-.html"] -maintainers = [{"company": "Splunk", "email": "-", "name": "David Dorsey"}] -spec_version = 3 -searches = ["ESCU - Scheduled tasks used in BadRabbit ransomware - Rule", "ESCU - 7zip CommandLine To SMB Share Path - Rule", "ESCU - Allow File And Printing Sharing In Firewall - Rule", "ESCU - Allow Network Discovery In Firewall - Rule", "ESCU - Allow Operation with Consent Admin - Rule", "ESCU - BCDEdit Failure Recovery Modification - Rule", "ESCU - Clear Unallocated Sector Using Cipher App - Rule", "ESCU - CMLUA Or CMSTPLUA UAC Bypass - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Conti Common Exec parameter - Rule", "ESCU - Delete ShadowCopy With PowerShell - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Detect RClone Command-Line Usage - Rule", "ESCU - Detect Remote Access Software Usage File - Rule", "ESCU - Detect Remote Access Software Usage FileInfo - Rule", "ESCU - Detect Remote Access Software Usage Process - Rule", "ESCU - Detect Renamed RClone - Rule", "ESCU - Detect SharpHound Command-Line Arguments - Rule", "ESCU - Detect SharpHound File Modifications - Rule", "ESCU - Detect SharpHound Usage - Rule", "ESCU - Disable AMSI Through Registry - Rule", "ESCU - Disable ETW Through Registry - Rule", "ESCU - Disable Logs Using WevtUtil - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Excessive Service Stop Attempt - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Excessive Usage Of SC Service Utility - Rule", "ESCU - Execute Javascript With Jscript COM CLSID - Rule", "ESCU - Fsutil Zeroing File - Rule", "ESCU - ICACLS Grant Command - Rule", "ESCU - Known Services Killed by Ransomware - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - MS Exchange Mailbox Replication service writing Active Server Pages - Rule", "ESCU - Msmpeng Application DLL Side Loading - Rule", "ESCU - Permission Modification using Takeown App - Rule", "ESCU - Powershell Disable Security Monitoring - Rule", "ESCU - Powershell Enable SMB1Protocol Feature - Rule", "ESCU - Powershell Execute COM Object - Rule", "ESCU - Prevent Automatic Repair Mode using Bcdedit - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Recursive Delete of Directory In Batch CMD - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Remote Process Instantiation via WMI - Rule", "ESCU - Revil Common Exec Parameter - Rule", "ESCU - Revil Registry Entry - Rule", "ESCU - Rundll32 LockWorkStation - Rule", "ESCU - Schtasks used for forcing a reboot - Rule", "ESCU - Spike in File Writes - Rule", "ESCU - Suspicious Event Log Service Behavior - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Suspicious wevtutil Usage - Rule", "ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - UAC Bypass With Colorui COM Object - Rule", "ESCU - Uninstall App Using MsiExec - Rule", "ESCU - Unusually Long Command Line - Rule", "ESCU - Unusually Long Command Line - MLTK - Rule", "ESCU - USN Journal Deletion - Rule", "ESCU - WBAdmin Delete System Backups - Rule", "ESCU - Wbemprox COM Object Execution - Rule", "ESCU - Windows Disable Change Password Through Registry - Rule", "ESCU - Windows Disable Lock Workstation Feature Through Registry - Rule", "ESCU - Windows Disable LogOff Button Through Registry - Rule", "ESCU - Windows Disable Memory Crash Dump - Rule", "ESCU - Windows Disable Shutdown Button Through Registry - Rule", "ESCU - Windows Disable Windows Group Policy Features Through Registry - Rule", "ESCU - Windows DiskCryptor Usage - Rule", "ESCU - Windows DotNet Binary in Non Standard Path - Rule", "ESCU - Windows Event Log Cleared - Rule", "ESCU - Windows Hide Notification Features Through Registry - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows NirSoft AdvancedRun - Rule", "ESCU - Windows Raccine Scheduled Task Deletion - Rule", "ESCU - Windows Registry Modification for Safe Mode Persistence - Rule", "ESCU - Windows Remote Access Software Hunt - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - Detect Remote Access Software Usage DNS - Rule", "ESCU - Detect Remote Access Software Usage Traffic - Rule", "ESCU - Prohibited Network Traffic Allowed - Rule", "ESCU - SMB Traffic Spike - Rule", "ESCU - SMB Traffic Spike - MLTK - Rule", "ESCU - TOR Traffic - Rule", "ESCU - Detect Remote Access Software Usage URL - Rule", "ESCU - Get Backup Logs For Endpoint - Response Task", "ESCU - Get History Of Email Sources - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Process Information For Port Activity - Response Task", "ESCU - Get Sysmon WMI Activity for Host - Response Task"] -description = Leverage searches that allow you to detect and investigate unusual activities that might relate to ransomware--spikes in SMB traffic, suspicious wevtutil usage, the presence of common ransomware extensions, and system processes run from unexpected locations, and many others. -narrative = Ransomware is an ever-present risk to the enterprise, wherein an infected host encrypts business-critical data, holding it hostage until the victim pays the attacker a ransom. There are many types and varieties of ransomware that can affect an enterprise. Attackers can deploy ransomware to enterprises through spearphishing campaigns and driveby downloads, as well as through traditional remote service-based exploitation. In the case of the WannaCry campaign, there was self-propagating wormable functionality that was used to maximize infection. Fortunately, organizations can apply several techniques--such as those in this Analytic Story--to detect and or mitigate the effects of ransomware. - -[analytic_story://Ransomware Cloud] -category = Malware -last_updated = 2020-10-27 -version = 1 -references = ["https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/", "https://github.com/d1vious/git-wild-hunt", "https://www.youtube.com/watch?v=PgzNib37g0M"] -maintainers = [{"company": "David Dorsey, Splunk", "email": "-", "name": "Rod Soto"}] -spec_version = 3 -searches = ["ESCU - AWS Detect Users creating keys with encrypt policy without MFA - Rule", "ESCU - AWS Detect Users with KMS keys performing encryption S3 - Rule", "ESCU - Get Notable History - Response Task"] -description = Leverage searches that allow you to detect and investigate unusual activities that might relate to ransomware. These searches include cloud related objects that may be targeted by malicious actors via cloud providers own encryption features. -narrative = Ransomware is an ever-present risk to the enterprise, wherein an infected host encrypts business-critical data, holding it hostage until the victim pays the attacker a ransom. There are many types and varieties of ransomware that can affect an enterprise.Cloud ransomware can be deployed by obtaining high privilege credentials from targeted users or resources. - -[analytic_story://RedLine Stealer] -category = Malware -last_updated = 2023-04-24 -version = 1 -references = ["https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer", "https://blogs.blackberry.com/en/2021/10/threat-thursday-redline-infostealer-update"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Teoderick Contreras"}] -spec_version = 3 -searches = ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Disabling Defender Services - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Boot or Logon Autostart Execution In Startup Folder - Rule", "ESCU - Windows Credentials from Password Stores Chrome Extension Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows Event For Service Disabled - Rule", "ESCU - Windows Modify Registry Auto Minor Updates - Rule", "ESCU - Windows Modify Registry Auto Update Notif - Rule", "ESCU - Windows Modify Registry Disable WinDefender Notifications - Rule", "ESCU - Windows Modify Registry Do Not Connect To Win Update - Rule", "ESCU - Windows Modify Registry No Auto Reboot With Logon User - Rule", "ESCU - Windows Modify Registry No Auto Update - Rule", "ESCU - Windows Modify Registry Tamper Protection - Rule", "ESCU - Windows Modify Registry UpdateServiceUrlAlternate - Rule", "ESCU - Windows Modify Registry USeWuServer - Rule", "ESCU - Windows Modify Registry WuServer - Rule", "ESCU - Windows Modify Registry wuStatusServer - Rule", "ESCU - Windows Query Registry Browser List Application - Rule", "ESCU - Windows Query Registry UnInstall Program List - Rule", "ESCU - Windows Scheduled Task with Highest Privileges - Rule", "ESCU - Windows Service Stop Win Updates - Rule"] -description = Leverage searches that allow you to detect and investigate unusual activities that might relate to the Redline Stealer trojan, including looking for file writes associated with its payload, screencapture, registry modification, persistence and data collection.. -narrative = RedLine Stealer is a malware available on underground forum and subscription basis that are compiled or written in C#. This malware is capable of harvesting sensitive information from browsers such as saved credentials, auto file data, browser cookies and credit card information. It also gathers system information of the targeted or compromised host like username, location IP, RAM size available, hardware configuration and software installed. The current version of this malware contains features to steal wallet and crypto currency information. - -[analytic_story://Remcos] -category = Malware -last_updated = 2021-09-23 -version = 1 -references = ["https://success.trendmicro.com/solution/1123281-remcos-malware-information", "https://attack.mitre.org/software/S0332/", "https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos#:~:text=Remcos%20(acronym%20of%20Remote%20Control,used%20to%20remotely%20control%20computers.\u0026text=Remcos%20can%20be%20used%20for,been%20used%20in%20hacking%20campaigns."] -maintainers = [{"company": "Splunk", "email": "-", "name": "Teoderick Contreras"}] -spec_version = 3 -searches = ["ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - Detect Outlook exe writing a zip file - Rule", "ESCU - Disabling Remote User Account Control - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Jscript Execution Using Cscript App - Rule", "ESCU - Loading Of Dynwrapx Module - Rule", "ESCU - Malicious InProcServer32 Modification - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Office Product Spawning Windows Script Host - Rule", "ESCU - Possible Browser Pass View Parameter - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Process Deleting Its Process File Path - Rule", "ESCU - Process Writing DynamicWrapperX - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Remcos client registry install entry - Rule", "ESCU - Remcos RAT File Creation in Remcos Folder - Rule", "ESCU - Suspicious Image Creation In Appdata Folder - Rule", "ESCU - Suspicious Process DNS Query Known Abuse Web Services - Rule", "ESCU - Suspicious Process Executed From Container File - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious WAV file in Appdata Folder - Rule", "ESCU - System Info Gathering Using Dxdiag Application - Rule", "ESCU - Vbscript Execution Using Wscript App - Rule", "ESCU - Windows Defender Exclusion Registry Entry - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule", "ESCU - Winhlp32 Spawning a Process - Rule", "ESCU - Wscript Or Cscript Suspicious Child Process - Rule"] -description = Leverage searches that allow you to detect and investigate unusual activities that might relate to the Remcos RAT trojan, including looking for file writes associated with its payload, screencapture, registry modification, UAC bypassed, persistence and data collection.. -narrative = Remcos or Remote Control and Surveillance, marketed as a legitimate software for remotely managing Windows systems is now widely used in multiple malicious campaigns both APT and commodity malware by threat actors. - -[analytic_story://Reverse Network Proxy] -category = Adversary Tactics -last_updated = 2022-11-16 -version = 1 -references = ["https://attack.mitre.org/software/S0508/", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - Linux Ngrok Reverse Proxy Usage - Rule", "ESCU - Windows Ngrok Reverse Proxy Usage - Rule", "ESCU - Ngrok Reverse Proxy on Network - Rule"] -description = The following analytic story describes applications that may be abused to reverse proxy back into an organization, either for persistence or remote access. -narrative = This analytic story covers tools like Ngrok which is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. Ngrok in particular has been leveraged by threat actors in several campaigns including use for lateral movement and data exfiltration. There are many open source and closed/paid that fall into this reverse proxy category. The analytic story and complemented analytics will be released as more are identified. - -[analytic_story://Revil Ransomware] -category = Malware -last_updated = 2021-06-04 -version = 1 -references = ["https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Teoderick Contreras"}] -spec_version = 3 -searches = ["ESCU - Allow Network Discovery In Firewall - Rule", "ESCU - Delete ShadowCopy With PowerShell - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - Msmpeng Application DLL Side Loading - Rule", "ESCU - Powershell Disable Security Monitoring - Rule", "ESCU - Revil Common Exec Parameter - Rule", "ESCU - Revil Registry Entry - Rule", "ESCU - Wbemprox COM Object Execution - Rule"] -description = Leverage searches that allow you to detect and investigate unusual activities that might relate to the Revil ransomware, including looking for file writes associated with Revil, encrypting network shares, deleting shadow volume storage, registry key modification, deleting of security logs, and more. -narrative = Revil ransomware is a RaaS,that a single group may operates and manges the development of this ransomware. It involve the use of ransomware payloads along with exfiltration of data. Malicious actors demand payment for ransome of data and threaten deletion and exposure of exfiltrated data. - -[analytic_story://Rhysida Ransomware] -category = Malware -last_updated = 2023-12-12 -version = 1 -references = ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-319a"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Teoderick Contreras"}] -spec_version = 3 -searches = ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Rare Executables - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Disable Logs Using WevtUtil - Rule", "ESCU - Domain Account Discovery With Net App - Rule", "ESCU - Domain Controller Discovery with Nltest - Rule", "ESCU - Domain Group Discovery With Net - Rule", "ESCU - Elevated Group Discovery With Net - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - High Process Termination Frequency - Rule", "ESCU - Malicious Powershell Executed As A Service - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - NLTest Domain Trust Discovery - Rule", "ESCU - Ntdsutil Export NTDS - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - Ransomware Notes bulk creation - Rule", "ESCU - SAM Database File Access Attempt - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - SecretDumps Offline NTDS Dumping Tool - Rule", "ESCU - Spike in File Writes - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious wevtutil Usage - Rule", "ESCU - System User Discovery With Whoami - Rule", "ESCU - Windows Modify Registry NoChangingWallPaper - Rule", "ESCU - Windows PowerView AD Access Control List Enumeration - Rule", "ESCU - Windows PowerView Constrained Delegation Discovery - Rule", "ESCU - Windows PowerView Kerberos Service Ticket Request - Rule", "ESCU - Windows PowerView SPN Discovery - Rule", "ESCU - Windows PowerView Unconstrained Delegation Discovery - Rule", "ESCU - Windows Rundll32 Apply User Settings Changes - Rule", "ESCU - WinRM Spawning a Process - Rule", "ESCU - Detect Zerologon via Zeek - Rule"] -description = Utilize analytics designed to identify and delve into atypical behaviors, potentially associated with the Rhysida Ransomware. Employing these searches enables the detection of irregular patterns or actions within systems or networks, serving as proactive measures to spot potential indicators of compromise or ongoing threats. By implementing these search strategies, security analysts can effectively pinpoint anomalous activities, such as unusual file modifications, deviations in system behavior, that could potentially signify the presence or attempt of Rhysida Ransomware infiltration. These searches serve as pivotal tools in the arsenal against such threats, aiding in swift detection, investigation, and mitigation efforts to counter the impact of the Rhysida Ransomware or similar malicious entities. -narrative = This story addresses Rhysida ransomware. Rhysida Ransomware emerges as a silent predator, infiltrating systems stealthily and unleashing havoc upon its victims. Employing sophisticated encryption tactics, it swiftly locks critical files and databases, holding them hostage behind an impenetrable digital veil. The haunting demand for ransom sends shockwaves through affected organizations, rendering operations inert and plunging them into a tumultuous struggle between compliance and resilience. Threat actors leveraging Rhysida ransomware are known to impact "targets of opportunity," including victims in the education, healthcare, manufacturing, information technology, and government sectors. Open source reporting details similarities between Vice Society activity and the actors observed deploying Rhysida ransomware. Additionally, open source reporting has confirmed observed instances of Rhysida actors operating in a ransomware-as-a-service (RaaS) capacity, where ransomware tools and infrastructure are leased out in a profit-sharing model. Any ransoms paid are then split between the group and the affiliates. - -[analytic_story://Router and Infrastructure Security] -category = Best Practices -last_updated = 2017-09-12 -version = 1 -references = ["https://web.archive.org/web/20210420020040/https://www.fireeye.com/blog/executive-perspective/2015/09/the_new_route_toper.html", "https://www.cisco.com/c/en/us/about/security-center/event-response/synful-knock.html"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Bhavin Patel"}] -spec_version = 3 -searches = ["ESCU - Detect New Login Attempts to Routers - Rule", "ESCU - Detect ARP Poisoning - Rule", "ESCU - Detect IPv6 Network Infrastructure Threats - Rule", "ESCU - Detect Port Security Violation - Rule", "ESCU - Detect Rogue DHCP Server - Rule", "ESCU - Detect Software Download To Network Device - Rule", "ESCU - Detect Traffic Mirroring - Rule", "ESCU - Get Notable History - Response Task"] -description = Validate the security configuration of network infrastructure and verify that only authorized users and systems are accessing critical assets. Core routing and switching infrastructure are common strategic targets for attackers. -narrative = Networking devices, such as routers and switches, are often overlooked as resources that attackers will leverage to subvert an enterprise. Advanced threats actors have shown a proclivity to target these critical assets as a means to siphon and redirect network traffic, flash backdoored operating systems, and implement cryptographic weakened algorithms to more easily decrypt network traffic. \ -This Analytic Story helps you gain a better understanding of how your network devices are interacting with your hosts. By compromising your network devices, attackers can obtain direct access to the company's internal infrastructure— effectively increasing the attack surface and accessing private services/data. - -[analytic_story://Ryuk Ransomware] -category = Malware -last_updated = 2020-11-06 -version = 1 -references = ["https://www.splunk.com/en_us/blog/security/detecting-ryuk-using-splunk-attack-range.html", "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/", "https://us-cert.cisa.gov/ncas/alerts/aa20-302a"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Jose Hernandez"}] -spec_version = 3 -searches = ["ESCU - Windows connhost exe started forcefully - Rule", "ESCU - BCDEdit Failure Recovery Modification - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - NLTest Domain Trust Discovery - Rule", "ESCU - Ryuk Test Files Detected - Rule", "ESCU - Ryuk Wake on LAN Command - Rule", "ESCU - Spike in File Writes - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - WBAdmin Delete System Backups - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows Security Account Manager Stopped - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - Remote Desktop Network Bruteforce - Rule", "ESCU - Remote Desktop Network Traffic - Rule", "ESCU - Get Notable History - Response Task"] -description = Leverage searches that allow you to detect and investigate unusual activities that might relate to the Ryuk ransomware, including looking for file writes associated with Ryuk, Stopping Security Access Manager, DisableAntiSpyware registry key modification, suspicious psexec use, and more. -narrative = Cybersecurity Infrastructure Security Agency (CISA) released Alert (AA20-302A) on October 28th called Ransomware Activity Targeting the Healthcare and Public Health Sector. This alert details TTPs associated with ongoing and possible imminent attacks against the Healthcare sector, and is a joint advisory in coordination with other U.S. Government agencies. The objective of these malicious campaigns is to infiltrate targets in named sectors and to drop ransomware payloads, which will likely cause disruption of service and increase risk of actual harm to the health and safety of patients at hospitals, even with the aggravant of an ongoing COVID-19 pandemic. This document specifically refers to several crimeware exploitation frameworks, emphasizing the use of Ryuk ransomware as payload. The Ryuk ransomware payload is not new. It has been well documented and identified in multiple variants. Payloads need a carrier, and for Ryuk it has often been exploitation frameworks such as Cobalt Strike, or popular crimeware frameworks such as Emotet or Trickbot. - -[analytic_story://sAMAccountName Spoofing and Domain Controller Impersonation] -category = Privilege Escalation -last_updated = 2021-12-20 -version = 1 -references = ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42278", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42287", "https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Mauricio Velazco"}] -spec_version = 3 -searches = ["ESCU - Suspicious Computer Account Name Change - Rule", "ESCU - Suspicious Kerberos Service Ticket Request - Rule", "ESCU - Suspicious Ticket Granting Ticket Request - Rule"] -description = Monitor for activities and techniques associated with the exploitation of the sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287) vulnerabilities. -narrative = On November 9, 2021, Microsoft released patches to address two vulnerabilities that affect Windows Active Directory networks, sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287). On December 10, 2021, security researchers Charlie Clark and Andrew Schwartz released a blog post where they shared how to weaponise these vulnerabilities in a target network an the initial detection opportunities. When successfully exploited, CVE-2021-42278 and CVE-2021-42287 allow an adversary, who has stolen the credentials of a low priviled domain user, to obtain a Kerberos Service ticket for a Domain Controller computer account. The only requirement is to have network connectivity to a domain controller. This attack vector effectivelly allows attackers to escalate their privileges in an Active Directory from a regular domain user account and take control of a domain controller. While patches have been released to address these vulnerabilities, deploying detection controls for this attack may help help defenders identify attackers attempting exploitation. - -[analytic_story://SamSam Ransomware] -category = Malware -last_updated = 2018-12-13 -version = 1 -references = ["https://www.crowdstrike.com/blog/an-in-depth-analysis-of-samsam-ransomware-and-boss-spider/", "https://nakedsecurity.sophos.com/2018/07/31/samsam-the-almost-6-million-ransomware/", "https://thehackernews.com/2018/07/samsam-ransomware-attacks.html"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Rico Valdez"}] -spec_version = 3 -searches = ["ESCU - Prohibited Software On Endpoint - Rule", "ESCU - Attacker Tools On Endpoint - Rule", "ESCU - Batch File Write to System32 - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - File with Samsam Extension - Rule", "ESCU - Samsam Test File Write - Rule", "ESCU - Spike in File Writes - Rule", "ESCU - Remote Desktop Network Bruteforce - Rule", "ESCU - Remote Desktop Network Traffic - Rule", "ESCU - Detect attackers scanning for vulnerable JBoss servers - Rule", "ESCU - Detect malicious requests to exploit JBoss servers - Rule", "ESCU - Get Backup Logs For Endpoint - Response Task", "ESCU - Get History Of Email Sources - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Process Information For Port Activity - Response Task", "ESCU - Investigate Successful Remote Desktop Authentications - Response Task"] -description = Leverage searches that allow you to detect and investigate unusual activities that might relate to the SamSam ransomware, including looking for file writes associated with SamSam, RDP brute force attacks, the presence of files with SamSam ransomware extensions, suspicious psexec use, and more. -narrative = The first version of the SamSam ransomware (a.k.a. Samas or SamsamCrypt) was launched in 2015 by a group of Iranian threat actors. The malicious software has affected and continues to affect thousands of victims and has raised almost $6M in ransom. \ -Although categorized under the heading of ransomware, SamSam campaigns have some importance distinguishing characteristics. Most notable is the fact that conventional ransomware is a numbers game. Perpetrators use a "spray-and-pray" approach with phishing campaigns or other mechanisms, charging a small ransom (typically under $1,000). The goal is to find a large number of victims willing to pay these mini-ransoms, adding up to a lucrative payday. They use relatively simple methods for infecting systems. \ -SamSam attacks are different beasts. They have become progressively more targeted and skillful than typical ransomware attacks. First, malicious actors break into a victim's network, surveil it, then run the malware manually. The attacks are tailored to cause maximum damage and the threat actors usually demand amounts in the tens of thousands of dollars. \ -In a typical attack on one large healthcare organization in 2018, the company ended up paying a ransom of four Bitcoins, then worth $56,707. Reports showed that access to the company's files was restored within two hours of paying the sum. \ -According to Sophos, SamSam previously leveraged RDP to gain access to targeted networks via brute force. SamSam is not spread automatically, like other malware. It requires skill because it forces the attacker to adapt their tactics to the individual environment. Next, the actors escalate their privileges to admin level. They scan the networks for worthy targets, using conventional tools, such as PsExec or PaExec, to deploy/execute, quickly encrypting files. \ -This Analytic Story includes searches designed to help detect and investigate signs of the SamSam ransomware, such as the creation of fileswrites to system32, writes with tell-tale extensions, batch files written to system32, and evidence of brute-force attacks via RDP. - -[analytic_story://Sandworm Tools] -category = Data Destruction -last_updated = 2022-04-05 -version = 1 -references = ["https://cert.gov.ua/article/3718487", "https://attack.mitre.org/groups/G0034/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Teoderick Contreras"}] -spec_version = 3 -searches = ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Icacls Deny Command - Rule", "ESCU - Linux Iptables Firewall Modification - Rule", "ESCU - Linux Kworker Process In Writable Process Path - Rule", "ESCU - Local Account Discovery with Net - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Mimikatz PassTheTicket CommandLine Parameters - Rule", "ESCU - Permission Modification using Takeown App - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows DNS Gather Network Info - Rule", "ESCU - Windows High File Deletion Frequency - Rule", "ESCU - Windows Mimikatz Binary Execution - Rule", "ESCU - Windows Mimikatz Crypto Export File Extensions - Rule", "ESCU - Windows System Shutdown CommandLine - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"] -description = This analytic story features detections that enable security analysts to identify and investigate unusual activities potentially related to the destructive malware and tools employed by the "Sandworm" group. This analytic story focuses on monitoring suspicious process executions, command-line activities, Master Boot Record (MBR) wiping, data destruction, and other related indicators. -narrative = The Sandworm group's tools are part of destructive malware operations designed to disrupt or attack Ukraine's National Information Agencies. This operation campaign consists of several malware components, including scripts, native Windows executables (LOLBINs), data wiper malware that overwrites or destroys the Master Boot Record (MBR), and file wiping using sdelete.exe on targeted hosts. - -[analytic_story://Scheduled Tasks] -category = Adversary Tactics -last_updated = 2023-06-12 -version = 1 -references = ["https://attack.mitre.org/techniques/T1053/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - Linux Add Files In Known Crontab Directories - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux At Allow Config File Creation - Rule", "ESCU - Linux At Application Execution - Rule", "ESCU - Linux Edit Cron Table Parameter - Rule", "ESCU - Linux Possible Append Command To At Allow Config File - Rule", "ESCU - Linux Possible Append Cronjob Entry on Existing Cronjob File - Rule", "ESCU - Linux Possible Cronjob Modification With Editor - Rule", "ESCU - Linux Service File Created In Systemd Directory - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Service Started Or Enabled - Rule", "ESCU - Possible Lateral Movement PowerShell Spawn - Rule", "ESCU - Randomly Generated Scheduled Task Name - Rule", "ESCU - Schedule Task with HTTP Command Arguments - Rule", "ESCU - Schedule Task with Rundll32 Command Trigger - Rule", "ESCU - Scheduled Task Creation on Remote Endpoint using At - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Scheduled Task Initiation on Remote Endpoint - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Schtasks used for forcing a reboot - Rule", "ESCU - Short Lived Scheduled Task - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Svchost LOLBAS Execution Process Spawn - Rule", "ESCU - Windows Enable Win32 ScheduledJob via Registry - Rule", "ESCU - Windows Hidden Schedule Task Settings - Rule", "ESCU - Windows PowerShell ScheduleTask - Rule", "ESCU - Windows Registry Delete Task SD - Rule", "ESCU - Windows Scheduled Task Created Via XML - Rule", "ESCU - Windows Scheduled Task with Highest Privileges - Rule", "ESCU - Windows Schtasks Create Run As System - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"] -description = The MITRE ATT&CK technique T1053 refers to Scheduled Task/Job. Adversaries might use task scheduling utilities to execute programs or scripts at a predefined date and time. This method is often used for persistence but can also be used for privilege escalation or to execute tasks under certain conditions. Scheduling tasks can be beneficial for an attacker as it can allow them to execute actions at times when the system is less likely to be monitored actively. Different operating systems have different utilities for task scheduling, for example, Unix-like systems have Cron, while Windows has Scheduled Tasks and At Jobs. -narrative = MITRE ATT&CK technique T1053, labeled "Scheduled Task/Job", is a categorization of methods that adversaries use to execute malicious code by scheduling tasks or jobs on a system. This technique is widely utilized for persistence, privilege escalation, and the remote execution of tasks. The technique is applicable across various environments and platforms, including Windows, Linux, and macOS. \ -The technique consists of multiple sub-techniques, each highlighting a distinct mechanism for scheduling tasks or jobs. These sub-techniques include T1053.001 (Scheduled Task), T1053.002 (At for Windows), T1053.003 (Cron), T1053.004 (Launchd), T1053.005 (At for Linux), and T1053.006 (Systemd Timers). \ -Scheduled Task (T1053.001) focuses on adversaries' methods for scheduling tasks on a Windows system to maintain persistence or escalate privileges. These tasks can be set to execute at specified times, in response to particular events, or after a defined time interval. \ -The At command for Windows (T1053.002) enables administrators to schedule tasks on a Windows system. Adversaries may exploit this command to execute programs at system startup or at a predetermined schedule for persistence. \ -Cron (T1053.003) is a built-in job scheduler found in Unix-like operating systems. Adversaries can use cron jobs to execute programs at system startup or on a scheduled basis for persistence. \ -Launchd (T1053.004) is a service management framework present in macOS. Adversaries may utilize launchd to maintain persistence on macOS systems by setting up daemons or agents to execute at specific times or in response to defined events. \ -The At command for Linux (T1053.005) enables administrators to schedule tasks on a Linux system. Adversaries can use this command to execute programs at system startup or on a scheduled basis for persistence. \ -Systemd Timers (T1053.006) offer a means of scheduling tasks on Linux systems using systemd. Adversaries can use systemd timers to execute programs at system startup or on a scheduled basis for persistence. \ -Detection and mitigation strategies vary for each sub-technique. For instance, monitoring the creation of scheduled tasks or looking for uncorrelated changes to tasks that do not align with known software or patch cycles can be effective for detecting malicious activity related to this technique. Mitigation strategies may involve restricting permissions and applying application control solutions to prevent adversaries from scheduling tasks. - -[analytic_story://Signed Binary Proxy Execution InstallUtil] -category = Adversary Tactics -last_updated = 2021-11-12 -version = 1 -references = ["https://attack.mitre.org/techniques/T1218/004/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - Windows DotNet Binary in Non Standard Path - Rule", "ESCU - Windows InstallUtil Credential Theft - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows InstallUtil Remote Network Connection - Rule", "ESCU - Windows InstallUtil Uninstall Option - Rule", "ESCU - Windows InstallUtil Uninstall Option with Network - Rule", "ESCU - Windows InstallUtil URL in Command Line - Rule"] -description = Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. -narrative = InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. InstallUtil is digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\Windows\Microsoft.NET\Framework\v\InstallUtil.exe and C:\Windows\Microsoft.NET\Framework64\v\InstallUtil.exe. \ -There are multiple ways to instantiate InstallUtil and they are all outlined within Atomic Red Team - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md. Two specific ways may be used and that includes invoking via installer assembly class constructor through .NET and via InstallUtil.exe. \ -Typically, adversaries will utilize the most commonly found way to invoke via InstallUtil Uninstall method. \ -Note that parallel processes, and parent process, play a role in how InstallUtil is being used. In particular, a developer using InstallUtil will spawn from VisualStudio. Adversaries, will spawn from non-standard processes like Explorer.exe, cmd.exe or PowerShell.exe. It's important to review the command-line to identify the DLL being loaded. \ -Parallel processes may also include csc.exe being used to compile a local `.cs` file. This file will be the input to the output. Developers usually do not build direct on the command shell, therefore this should raise suspicion. - -[analytic_story://Silver Sparrow] -category = Adversary Tactics -last_updated = 2021-02-24 -version = 1 -references = ["https://redcanary.com/blog/clipping-silver-sparrows-wings/", "https://www.sentinelone.com/blog/5-things-you-need-to-know-about-silver-sparrow/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - Suspicious Curl Network Connection - Rule", "ESCU - Suspicious PlistBuddy Usage - Rule", "ESCU - Suspicious PlistBuddy Usage via OSquery - Rule", "ESCU - Suspicious SQLite3 LSQuarantine Behavior - Rule"] -description = Silver Sparrow, identified by Red Canary Intelligence, is a new forward looking MacOS (Intel and M1) malicious software downloader utilizing JavaScript for execution and a launchAgent to establish persistence. -narrative = Silver Sparrow works is a dropper and uses typical persistence mechanisms on a Mac. It is cross platform, covering both Intel and Apple M1 architecture. To this date, no implant has been downloaded for malicious purposes. During installation of the update.pkg or updater.pkg file, the malicious software utilizes JavaScript to generate files and scripts on disk for persistence.These files later download a implant from an S3 bucket every hour. This analytic assists with identifying different types of macOS malware families establishing LaunchAgent persistence. Per SentinelOne source, it is predicted that Silver Sparrow is likely selling itself as a mechanism to 3rd party affiliates or pay-per-install (PPI) partners, typically seen as commodity adware/malware. Additional indicators and behaviors may be found within the references. - -[analytic_story://Snake Keylogger] -category = Adversary Tactics -last_updated = 2024-02-12 -version = 1 -references = ["https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger", "https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-malware/snake-keylogger-malware/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Teoderick Contreras"}] -spec_version = 3 -searches = ["ESCU - Detect Regasm Spawning a Process - Rule", "ESCU - Download Files Using Telegram - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - High Process Termination Frequency - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Processes launching netsh - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Suspicious Driver Loaded Path - Rule", "ESCU - Suspicious Process DNS Query Known Abuse Web Services - Rule", "ESCU - Suspicious Process Executed From Container File - Rule", "ESCU - Windows Credential Access From Browser Password Store - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule", "ESCU - Windows File Transfer Protocol In Non-Common Process Path - Rule", "ESCU - Windows Gather Victim Network Info Through Ip Check Web Services - Rule", "ESCU - Windows Non Discord App Access Discord LevelDB - Rule", "ESCU - Windows Phishing PDF File Executes URL Link - Rule", "ESCU - Windows System Network Connections Discovery Netsh - Rule", "ESCU - Windows Time Based Evasion via Choice Exec - Rule", "ESCU - Windows Unsecured Outlook Credentials Access In Registry - Rule", "ESCU - Windows User Execution Malicious URL Shortcut File - Rule"] -description = SnakeKeylogger is a stealthy malware designed to secretly record keystrokes on infected devices. It operates covertly in the background, capturing sensitive information such as passwords and credit card details. This keylogging threat poses a significant risk to user privacy and security. -narrative = SnakeKeylogger, a notorious malware, first emerged in the early 2010s, gaining infamy for its clandestine ability to capture keystrokes on compromised systems. As a stealthy threat, it infiltrates computers silently, recording every keystroke entered by users, including sensitive information like passwords and financial details. Over time, it has evolved to evade detection mechanisms, posing a persistent threat to cybersecurity. Its widespread use in various cybercrime activities underscores its significance as a tool for espionage and data theft. Despite efforts to combat it, SnakeKeylogger continues to lurk in the shadows, perpetuating its malicious activities with devastating consequences. - -[analytic_story://Snake Malware] -category = Adversary Tactics -last_updated = 2023-05-10 -version = 1 -references = ["https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows Service Created Within Public Path - Rule", "ESCU - Windows Snake Malware File Modification Crmlog - Rule", "ESCU - Windows Snake Malware Kernel Driver Comadmin - Rule", "ESCU - Windows Snake Malware Registry Modification wav OpenWithProgIds - Rule", "ESCU - Windows Snake Malware Service Create - Rule"] -description = The Snake implant is considered the most sophisticated cyber espionage tool designed and used by Center 16 of Russia's Federal Security Service (FSB) for long-term intelligence collection on sensitive targets. -narrative = The Snake implant is considered the most sophisticated cyber espionage tool designed and used by Center 16 of Russia's Federal Security Service (FSB) for long-term intelligence collection on sensitive targets. To conduct operations using this tool, the FSB created a covert peer-to-peer (P2P) network of numerous Snake-infected computers worldwide. Many systems in this P2P network serve as relay nodes which route disguised operational traffic to and from Snake implants on the FSB's ultimate targets. Snake's custom communications protocols employ encryption and fragmentation for confidentiality and are designed to hamper detection and collection efforts. We consider Snake to be the most sophisticated cyber espionage tool in the FSB's arsenal. The sophistication of Snake stems from three principal areas. First, Snake employs means to achieve a rare level of stealth in its host components and network communications. Second, Snake's internal technical architecture allows for easy incorporation of new or replacement components. This design also facilitates the development and interoperability of Snake instances running on different host operating systems. We have observed interoperable Snake implants for Windows, MacOS, and Linux operating systems. Lastly, Snake demonstrates careful software engineering design and implementation, with the implant containing surprisingly few bugs given its complexity. (CISA, 2023) - -[analytic_story://Sneaky Active Directory Persistence Tricks] -category = Adversary Tactics -last_updated = 2024-03-14 -version = 2 -references = ["https://adsecurity.org/?p=1929", "https://www.youtube.com/watch?v=Lz6haohGAMc\u0026feature=youtu.be", "https://adsecurity.org/wp-content/uploads/2015/09/DEFCON23-2015-Metcalf-RedvsBlue-ADAttackAndDefense-Final.pdf", "https://attack.mitre.org/tactics/TA0003/", "https://www.dcshadow.com/", "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", "https://www.linkedin.com/pulse/mimikatz-dcsync-event-log-detections-john-dwyer"] -maintainers = [{"company": "Mauricio Velazco, Splunk", "email": "-", "name": "Dean Luxton"}] -spec_version = 3 -searches = ["ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Windows AD AdminSDHolder ACL Modified - Rule", "ESCU - Windows AD Cross Domain SID History Addition - Rule", "ESCU - Windows AD Domain Controller Audit Policy Disabled - Rule", "ESCU - Windows AD Domain Controller Promotion - Rule", "ESCU - Windows AD Domain Replication ACL Addition - Rule", "ESCU - Windows AD DSRM Account Changes - Rule", "ESCU - Windows AD DSRM Password Reset - Rule", "ESCU - Windows AD Privileged Account SID History Addition - Rule", "ESCU - Windows AD Replication Request Initiated by User Account - Rule", "ESCU - Windows AD Replication Request Initiated from Unsanctioned Location - Rule", "ESCU - Windows AD Same Domain SID History Addition - Rule", "ESCU - Windows AD ServicePrincipalName Added To Domain Account - Rule", "ESCU - Windows AD Short Lived Domain Account ServicePrincipalName - Rule", "ESCU - Windows AD Short Lived Domain Controller SPN Attribute - Rule", "ESCU - Windows AD Short Lived Server Object - Rule", "ESCU - Windows AD SID History Attribute Modified - Rule", "ESCU - Windows Admon Default Group Policy Object Modified - Rule", "ESCU - Windows Admon Group Policy Object Created - Rule", "ESCU - Windows Default Group Policy Object Modified - Rule", "ESCU - Windows Default Group Policy Object Modified with GPME - Rule", "ESCU - Windows Group Policy Object Created - Rule", "ESCU - Windows Security Support Provider Reg Query - Rule", "ESCU - Windows AD Replication Service Traffic - Rule", "ESCU - Windows AD Rogue Domain Controller Network Activity - Rule"] -description = Monitor for activities and techniques associated with Windows Active Directory persistence techniques. -narrative = Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Active Directory is a centralized and hierarchical database that stores information about users, computers, and other resources on a network. It provides secure and efficient management of these resources and enables administrators to enforce security policies and delegate administrative tasks. \ -In 2015 Active Directory security researcher Sean Metcalf published a blog post titled `Sneaky Active Directory Persistence Tricks`. In this blog post, Sean described several methods through which an attacker could persist administrative access on an Active Directory network after having Domain Admin level rights for a short period of time. At the time of writing, 8 years after the initial blog post, most of these techniques are still possible since they abuse legitimate administrative functionality and not software vulnerabilities. Security engineers defending Active Directory networks should be aware of these technique available to adversaries post exploitation and deploy both preventive and detective security controls for them. \ -This analytic story groups detection opportunities for most of the techniques described on Seans blog post as well as other high impact attacks against Active Directory networks and Domain Controllers like DCSync and DCShadow. For some of these detection opportunities, it is necessary to enable the necessary GPOs and SACLs required, otherwise the event codes will not trigger. Each detection includes a list of requirements for enabling logging. - -[analytic_story://Spearphishing Attachments] -category = Adversary Tactics -last_updated = 2019-04-29 -version = 1 -references = ["https://www.fireeye.com/blog/threat-research/2019/04/spear-phishing-campaign-targets-ukraine-government.html"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Splunk Research Team"}] -spec_version = 3 -searches = ["ESCU - Gdrive suspicious file sharing - Rule", "ESCU - Gsuite suspicious calendar invite - Rule", "ESCU - Detect Outlook exe writing a zip file - Rule", "ESCU - Detect RTLO In File Name - Rule", "ESCU - Detect RTLO In Process - Rule", "ESCU - Excel Spawning PowerShell - Rule", "ESCU - Excel Spawning Windows Script Host - Rule", "ESCU - MSHTML Module Load in Office Product - Rule", "ESCU - Office Application Spawn rundll32 process - Rule", "ESCU - Office Document Creating Schedule Task - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Document Spawned Child Process To Download - Rule", "ESCU - Office Product Spawning BITSAdmin - Rule", "ESCU - Office Product Spawning CertUtil - Rule", "ESCU - Office Product Spawning MSHTA - Rule", "ESCU - Office Product Spawning Rundll32 with no DLL - Rule", "ESCU - Office Product Spawning Windows Script Host - Rule", "ESCU - Office Product Spawning Wmic - Rule", "ESCU - Office Product Writing cab or inf - Rule", "ESCU - Office Spawning Control - Rule", "ESCU - Process Creating LNK file in Suspicious Location - Rule", "ESCU - Windows ConHost with Headless Argument - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Office Product Spawning MSDT - Rule", "ESCU - Windows Phishing PDF File Executes URL Link - Rule", "ESCU - Windows Spearphishing Attachment Connect To None MS Office Domain - Rule", "ESCU - Windows Spearphishing Attachment Onenote Spawn Mshta - Rule", "ESCU - Winword Spawning Cmd - Rule", "ESCU - Winword Spawning PowerShell - Rule", "ESCU - Winword Spawning Windows Script Host - Rule"] -description = Detect signs of malicious payloads that may indicate that your environment has been breached via a phishing attack. -narrative = Despite its simplicity, phishing remains the most pervasive and dangerous cyberthreat. In fact, research shows that as many as [91% of all successful attacks](https://digitalguardian.com/blog/91-percent-cyber-attacks-start-phishing-email-heres-how-protect-against-phishing) are initiated via a phishing email. \ -As most people know, these emails use fraudulent domains, [email scraping](https://www.cyberscoop.com/emotet-trojan-phishing-scraping-templates-cofense-geodo/), familiar contact names inserted as senders, and other tactics to lure targets into clicking a malicious link, opening an attachment with a [nefarious payload](https://www.cyberscoop.com/emotet-trojan-phishing-scraping-templates-cofense-geodo/), or entering sensitive personal information that perpetrators may intercept. This attack technique requires a relatively low level of skill and allows adversaries to easily cast a wide net. Worse, because its success relies on the gullibility of humans, it's impossible to completely "automate" it out of your environment. However, you can use ES and ESCU to detect and investigate potentially malicious payloads injected into your environment subsequent to a phishing attack. \ -While any kind of file may contain a malicious payload, some are more likely to be perceived as benign (and thus more often escape notice) by the average victim—especially when the attacker sends an email that seems to be from one of their contacts. An example is Microsoft Office files. Most corporate users are familiar with documents with the following suffixes: .doc/.docx (MS Word), .xls/.xlsx (MS Excel), and .ppt/.pptx (MS PowerPoint), so they may click without a second thought, slashing a hole in their organizations' security. \ -Following is a typical series of events, according to an [article by Trend Micro](https://blog.trendmicro.com/trendlabs-security-intelligence/rising-trend-attackers-using-lnk-files-download-malware/): \ -1. Attacker sends a phishing email. Recipient downloads the attached file, which is typically a .docx or .zip file with an embedded .lnk file \ -1. The .lnk file executes a PowerShell script \ -1. Powershell executes a reverse shell, rendering the exploit successful As a side note, adversaries are likely to use a tool like Empire to craft and obfuscate payloads and their post-injection activities, such as [exfiltration, lateral movement, and persistence](https://github.com/EmpireProject/Empire). \ -This Analytic Story focuses on detecting signs that a malicious payload has been injected into your environment. For example, one search detects outlook.exe writing a .zip file. Another looks for suspicious .lnk files launching processes. - -[analytic_story://Splunk Vulnerabilities] -category = Best Practices -last_updated = 2024-01-22 -version = 1 -references = ["https://www.splunk.com/en_us/product-security/announcements.html"] -maintainers = [{"company": "Rod Soto, Eric McGinnis, Splunk", "email": "-", "name": "Lou Stella"}] -spec_version = 3 -searches = ["ESCU - Detect Risky SPL using Pretrained ML Model - Rule", "ESCU - Path traversal SPL injection - Rule", "ESCU - Persistent XSS in RapidDiag through User Interface Views - Rule", "ESCU - Splunk Absolute Path Traversal Using runshellscript - Rule", "ESCU - Splunk Account Discovery Drilldown Dashboard Disclosure - Rule", "ESCU - Splunk App for Lookup File Editing RCE via User XSLT - Rule", "ESCU - Splunk Authentication Token Exposure in Debug Log - Rule", "ESCU - Splunk Code Injection via custom dashboard leading to RCE - Rule", "ESCU - Splunk Command and Scripting Interpreter Delete Usage - Rule", "ESCU - Splunk Command and Scripting Interpreter Risky Commands - Rule", "ESCU - Splunk Command and Scripting Interpreter Risky SPL MLTK - Rule", "ESCU - Splunk csrf in the ssg kvstore client endpoint - Rule", "ESCU - Splunk Data exfiltration from Analytics Workspace using sid query - Rule", "ESCU - Splunk Digital Certificates Infrastructure Version - Rule", "ESCU - Splunk Digital Certificates Lack of Encryption - Rule", "ESCU - Splunk DoS Using Malformed SAML Request - Rule", "ESCU - Splunk DOS Via Dump SPL Command - Rule", "ESCU - Splunk DoS via Malformed S2S Request - Rule", "ESCU - Splunk DOS via printf search function - Rule", "ESCU - Splunk Edit User Privilege Escalation - Rule", "ESCU - Splunk Endpoint Denial of Service DoS Zip Bomb - Rule", "ESCU - Splunk Enterprise KV Store Incorrect Authorization - Rule", "ESCU - Splunk Enterprise Windows Deserialization File Partition - Rule", "ESCU - Splunk ES DoS Investigations Manager via Investigation Creation - Rule", "ESCU - Splunk ES DoS Through Investigation Attachments - Rule", "ESCU - Splunk HTTP Response Splitting Via Rest SPL Command - Rule", "ESCU - Splunk Improperly Formatted Parameter Crashes splunkd - Rule", "ESCU - Splunk Information Disclosure in Splunk Add-on Builder - Rule", "ESCU - Splunk list all nonstandard admin accounts - Rule", "ESCU - Splunk Low Privilege User Can View Hashed Splunk Password - Rule", "ESCU - Splunk Path Traversal In Splunk App For Lookup File Edit - Rule", "ESCU - Splunk Persistent XSS Via URL Validation Bypass W Dashboard - Rule", "ESCU - Splunk Process Injection Forwarder Bundle Downloads - Rule", "ESCU - Splunk Protocol Impersonation Weak Encryption Configuration - Rule", "ESCU - Splunk protocol impersonation weak encryption selfsigned - Rule", "ESCU - Splunk protocol impersonation weak encryption simplerequest - Rule", "ESCU - Splunk RBAC Bypass On Indexing Preview REST Endpoint - Rule", "ESCU - Splunk RCE via Serialized Session Payload - Rule", "ESCU - Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature - Rule", "ESCU - Splunk RCE via User XSLT - Rule", "ESCU - Splunk Reflected XSS in the templates lists radio - Rule", "ESCU - Splunk Reflected XSS on App Search Table Endpoint - Rule", "ESCU - Splunk risky Command Abuse disclosed february 2023 - Rule", "ESCU - Splunk Stored XSS via Data Model objectName field - Rule", "ESCU - Splunk Unauthenticated Log Injection Web Service Log - Rule", "ESCU - Splunk unnecessary file extensions allowed by lookup table uploads - Rule", "ESCU - Splunk User Enumeration Attempt - Rule", "ESCU - Splunk XSS in Highlighted JSON Events - Rule", "ESCU - Splunk XSS in Monitoring Console - Rule", "ESCU - Splunk XSS in Save table dialog header in search page - Rule", "ESCU - Splunk XSS via View - Rule", "ESCU - Open Redirect in Splunk Web - Rule", "ESCU - Splunk Enterprise Information Disclosure - Rule", "ESCU - Splunk Identified SSL TLS Certificates - Rule"] -description = Keeping your Splunk Enterprise deployment up to date is critical and will help you reduce the risk associated with vulnerabilities in the product. -narrative = This analytic story includes detections that focus on attacker behavior targeted at your Splunk environment directly. - -[analytic_story://Spring4Shell CVE-2022-22965] -category = Adversary Tactics -last_updated = 2022-04-05 -version = 1 -references = ["https://www.tenable.com/blog/spring4shell-faq-spring-framework-remote-code-execution-vulnerability"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - Java Writing JSP File - Rule", "ESCU - Linux Java Spawning Shell - Rule", "ESCU - Spring4Shell Payload URL Request - Rule", "ESCU - Web JSP Request via URL - Rule", "ESCU - Web Spring4Shell HTTP Request Class Module - Rule", "ESCU - Web Spring Cloud Function FunctionRouter - Rule"] -description = Spring4Shell is the nickname given to a zero-day vulnerability in the Spring Core Framework, a programming and configuration model for Java-based enterprise applications. -narrative = An attacker could exploit Spring4Shell by sending a specially crafted request to a vulnerable server. However, exploitation of Spring4Shell requires certain prerequisites, whereas the original Log4Shell vulnerability affected all versions of Log4j 2 using the default configuration. \ -According to Spring, the following requirements were included in the vulnerability report, however the post cautions that there may be other ways in which this can be exploited so this may not be a complete list of requirements at this time: \ -- Java Development Kit (JDK) 9 or greater \ -- Apache Tomcat as the Servlet container \ -- Packaged as a WAR \ -- spring-webmvc or spring-webflux dependency \ - - -[analytic_story://SQL Injection] -category = Adversary Tactics -last_updated = 2017-09-19 -version = 1 -references = ["https://capec.mitre.org/data/definitions/66.html", "https://www.incapsula.com/web-application-security/sql-injection.html"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Bhavin Patel"}] -spec_version = 3 -searches = ["ESCU - SQL Injection with Long URLs - Rule", "ESCU - Get Notable History - Response Task"] -description = Use the searches in this Analytic Story to help you detect structured query language (SQL) injection attempts characterized by long URLs that contain malicious parameters. -narrative = It is very common for attackers to inject SQL parameters into vulnerable web applications, which then interpret the malicious SQL statements. \ -This Analytic Story contains a search designed to identify attempts by attackers to leverage this technique to compromise a host and gain a foothold in the target environment. - -[analytic_story://Subvert Trust Controls SIP and Trust Provider Hijacking] -category = Adversary Tactics -last_updated = 2023-10-10 -version = 1 -references = ["https://attack.mitre.org/techniques/T1553/003/", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_sip_persistence.yml", "https://specterops.io/wp-content/uploads/sites/3/2022/06/SpecterOps_Subverting_Trust_in_Windows.pdf", "https://github.com/gtworek/PSBits/tree/master/SIP", "https://github.com/mattifestation/PoCSubjectInterfacePackage", "https://pentestlab.blog/2017/11/06/hijacking-digital-signatures/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - Windows Registry SIP Provider Modification - Rule", "ESCU - Windows SIP Provider Inventory - Rule", "ESCU - Windows SIP WinVerifyTrust Failed Trust Validation - Rule"] -description = Adversaries may tamper with SIP and trust provider components to mislead the operating system and application control tools when conducting signature validation checks. This technique involves modifying the Dll and FuncName Registry values that point to the dynamic link library (DLL) providing a SIP's function, which retrieves an encoded digital certificate from a signed file. By pointing to a maliciously-crafted DLL with an exported function that always returns a known good signature value, an adversary can apply an acceptable signature value to all files using that SIP. This can also enable persistent code execution, since these malicious components may be invoked by any application that performs code signing or signature validation. -narrative = In user mode, Windows Authenticode digital signatures are used to verify a file's origin and integrity, variables that may be used to establish trust in signed code. The signature validation process is handled via the WinVerifyTrust application programming interface (API) function, which accepts an inquiry and coordinates with the appropriate trust provider, which is responsible for validating parameters of a signature. Because of the varying executable file types and corresponding signature formats, Microsoft created software components called Subject Interface Packages (SIPs) to provide a layer of abstraction between API functions and files. SIPs are responsible for enabling API functions to create, retrieve, calculate, and verify signatures. Unique SIPs exist for most file formats and are identified by globally unique identifiers (GUIDs). Adversaries may hijack SIP and trust provider components to mislead operating system and application control tools to classify malicious (or any) code as signed. - -[analytic_story://Suspicious AWS Login Activities] -category = Cloud Security -last_updated = 2019-05-01 -version = 1 -references = ["https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Bhavin Patel"}] -spec_version = 3 -searches = ["ESCU - AWS Successful Console Authentication From Multiple IPs - Rule", "ESCU - Detect AWS Console Login by User from New City - Rule", "ESCU - Detect AWS Console Login by User from New Country - Rule", "ESCU - Detect AWS Console Login by User from New Region - Rule", "ESCU - Detect new user AWS Console Login - Rule", "ESCU - AWS Investigate User Activities By ARN - Response Task"] -description = Monitor your AWS authentication events using your CloudTrail logs. Searches within this Analytic Story will help you stay aware of and investigate suspicious logins. -narrative = It is important to monitor and control who has access to your AWS infrastructure. Detecting suspicious logins to your AWS infrastructure will provide good starting points for investigations. Abusive behaviors caused by compromised credentials can lead to direct monetary costs, as you will be billed for any EC2 instances created by the attacker. - -[analytic_story://Suspicious AWS S3 Activities] -category = Cloud Security -last_updated = 2023-04-24 -version = 3 -references = ["https://github.com/nagwww/s3-leaks", "https://www.tripwire.com/state-of-security/security-data-protection/cloud/public-aws-s3-buckets-writable/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Bhavin Patel"}] -spec_version = 3 -searches = ["ESCU - AWS Disable Bucket Versioning - Rule", "ESCU - AWS Exfiltration via Bucket Replication - Rule", "ESCU - AWS Exfiltration via DataSync Task - Rule", "ESCU - Detect New Open S3 buckets - Rule", "ESCU - Detect New Open S3 Buckets over AWS CLI - Rule", "ESCU - Detect S3 access from a new IP - Rule", "ESCU - Detect Spike in S3 Bucket deletion - Rule", "ESCU - AWS Investigate User Activities By ARN - Response Task", "ESCU - AWS S3 Bucket details via bucketName - Response Task", "ESCU - Get All AWS Activity From IP Address - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Investigate AWS activities via region name - Response Task"] -description = Use the searches in this Analytic Story using Cloudtrail logs to to monitor your AWS S3 buckets for evidence of anomalous activity and suspicious behaviors, such as detecting open S3 buckets and buckets being accessed from a new IP, permission and policy updates to the bucket, potential misuse of other services leading to data being leaked. -narrative = One of the most common ways that attackers attempt to steal data from S3 is by gaining unauthorized access to S3 buckets and copying or exfiltrating data to external locations. \ -However, suspicious S3 activities can refer to any unusual behavior detected within an Amazon Web Services (AWS) Simple Storage Service (S3) bucket, including unauthorized access, unusual data transfer patterns, and access attempts from unknown IP addresses. \ -It is important for organizations to regularly monitor S3 activities for suspicious behavior and implement security best practices, such as using access controls, encryption, and strong authentication mechanisms, to protect sensitive data stored within S3 buckets. By staying vigilant and taking proactive measures, organizations can help prevent potential security breaches and minimize the impact of attacks if they do occur. - -[analytic_story://Suspicious AWS Traffic] -category = Cloud Security -last_updated = 2018-05-07 -version = 1 -references = ["https://rhinosecuritylabs.com/aws/hiding-cloudcobalt-strike-beacon-c2-using-amazon-apis/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Bhavin Patel"}] -spec_version = 3 -searches = ["ESCU - Detect Spike in blocked Outbound Traffic from your AWS - Rule", "ESCU - AWS Investigate User Activities By ARN - Response Task", "ESCU - AWS Network ACL Details from ID - Response Task", "ESCU - AWS Network Interface details via resourceId - Response Task", "ESCU - Get All AWS Activity From IP Address - Response Task", "ESCU - Get DNS Server History for a host - Response Task", "ESCU - Get DNS traffic ratio - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Process Information For Port Activity - Response Task", "ESCU - Get Process Responsible For The DNS Traffic - Response Task"] -description = Leverage these searches to monitor your AWS network traffic for evidence of anomalous activity and suspicious behaviors, such as a spike in blocked outbound traffic in your virtual private cloud (VPC). -narrative = A virtual private cloud (VPC) is an on-demand managed cloud-computing service that isolates computing resources for each client. Inside the VPC container, the environment resembles a physical network. \ -Amazon's VPC service enables you to launch EC2 instances and leverage other Amazon resources. The traffic that flows in and out of this VPC can be controlled via network access-control rules and security groups. Amazon also has a feature called VPC Flow Logs that enables you to log IP traffic going to and from the network interfaces in your VPC. This data is stored using Amazon CloudWatch Logs. \ -Attackers may abuse the AWS infrastructure with insecure VPCs so they can co-opt AWS resources for command-and-control nodes, data exfiltration, and more. Once an EC2 instance is compromised, an attacker may initiate outbound network connections for malicious reasons. Monitoring these network traffic behaviors is crucial for understanding the type of traffic flowing in and out of your network and to alert you to suspicious activities. \ -The searches in this Analytic Story will monitor your AWS network traffic for evidence of anomalous activity and suspicious behaviors. - -[analytic_story://Suspicious Cloud Authentication Activities] -category = Cloud Security -last_updated = 2020-06-04 -version = 1 -references = ["https://aws.amazon.com/blogs/security/aws-cloudtrail-now-tracks-cross-account-activity-to-its-origin/", "https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Rico Valdez"}] -spec_version = 3 -searches = ["ESCU - AWS Cross Account Activity From Previously Unseen Account - Rule", "ESCU - Detect AWS Console Login by New User - Rule", "ESCU - Detect AWS Console Login by User from New City - Rule", "ESCU - Detect AWS Console Login by User from New Country - Rule", "ESCU - Detect AWS Console Login by User from New Region - Rule", "ESCU - Get Notable History - Response Task", "ESCU - Investigate AWS User Activities by user field - Response Task"] -description = Monitor your cloud authentication events. Searches within this Analytic Story leverage the recent cloud updates to the Authentication data model to help you stay aware of and investigate suspicious login activity. -narrative = It is important to monitor and control who has access to your cloud infrastructure. Detecting suspicious logins will provide good starting points for investigations. Abusive behaviors caused by compromised credentials can lead to direct monetary costs, as you will be billed for any compute activity whether legitimate or otherwise. \ -This Analytic Story has data model versions of cloud searches leveraging Authentication data, including those looking for suspicious login activity, and cross-account activity for AWS. - -[analytic_story://Suspicious Cloud Instance Activities] -category = Cloud Security -last_updated = 2020-08-25 -version = 1 -references = ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"] -maintainers = [{"company": "Splunk", "email": "-", "name": "David Dorsey"}] -spec_version = 3 -searches = ["ESCU - Abnormally High Number Of Cloud Instances Destroyed - Rule", "ESCU - Abnormally High Number Of Cloud Instances Launched - Rule", "ESCU - AWS AMI Attribute Modification for Exfiltration - Rule", "ESCU - AWS EC2 Snapshot Shared Externally - Rule", "ESCU - AWS Exfiltration via EC2 Snapshot - Rule", "ESCU - AWS S3 Exfiltration Behavior Identified - Rule", "ESCU - Cloud Instance Modified By Previously Unseen User - Rule", "ESCU - AWS Investigate User Activities By ARN - Response Task", "ESCU - Get All AWS Activity From IP Address - Response Task"] -description = Monitor your cloud infrastructure provisioning activities for behaviors originating from unfamiliar or unusual locations. These behaviors may indicate that malicious activities are occurring somewhere within your cloud environment. -narrative = Monitoring your cloud infrastructure logs allows you enable governance, compliance, and risk auditing. It is crucial for a company to monitor events and actions taken in the their cloud environments to ensure that your instances are not vulnerable to attacks. This Analytic Story identifies suspicious activities in your cloud compute instances and helps you respond and investigate those activities. - -[analytic_story://Suspicious Cloud Provisioning Activities] -category = Cloud Security -last_updated = 2018-08-20 -version = 1 -references = ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"] -maintainers = [{"company": "Splunk", "email": "-", "name": "David Dorsey"}] -spec_version = 3 -searches = ["ESCU - Cloud Provisioning Activity From Previously Unseen City - Rule", "ESCU - Cloud Provisioning Activity From Previously Unseen Country - Rule", "ESCU - Cloud Provisioning Activity From Previously Unseen IP Address - Rule", "ESCU - Cloud Provisioning Activity From Previously Unseen Region - Rule", "ESCU - Get Notable History - Response Task"] -description = Monitor your cloud infrastructure provisioning activities for behaviors originating from unfamiliar or unusual locations. These behaviors may indicate that malicious activities are occurring somewhere within your cloud environment. -narrative = Because most enterprise cloud infrastructure activities originate from familiar geographic locations, monitoring for activity from unknown or unusual regions is an important security measure. This indicator can be especially useful in environments where it is impossible to add specific IPs to an allow list because they vary. \ -This Analytic Story was designed to provide you with flexibility in the precision you employ in specifying legitimate geographic regions. It can be as specific as an IP address or a city, or as broad as a region (think state) or an entire country. By determining how precise you want your geographical locations to be and monitoring for new locations that haven't previously accessed your environment, you can detect adversaries as they begin to probe your environment. Since there are legitimate reasons for activities from unfamiliar locations, this is not a standalone indicator. Nevertheless, location can be a relevant piece of information that you may wish to investigate further. - -[analytic_story://Suspicious Cloud User Activities] -category = Cloud Security -last_updated = 2020-09-04 -version = 1 -references = ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf", "https://redlock.io/blog/cryptojacking-tesla"] -maintainers = [{"company": "Splunk", "email": "-", "name": "David Dorsey"}] -spec_version = 3 -searches = ["ESCU - Abnormally High Number Of Cloud Infrastructure API Calls - Rule", "ESCU - Abnormally High Number Of Cloud Security Group API Calls - Rule", "ESCU - AWS IAM AccessDenied Discovery Events - Rule", "ESCU - AWS Lambda UpdateFunctionCode - Rule", "ESCU - Cloud API Calls From Previously Unseen User Roles - Rule", "ESCU - Cloud Security Groups Modifications by User - Rule", "ESCU - AWS Investigate User Activities By ARN - Response Task"] -description = Detect and investigate suspicious activities by users and roles in your cloud environments. -narrative = It seems obvious that it is critical to monitor and control the users who have access to your cloud infrastructure. Nevertheless, it's all too common for enterprises to lose track of ad-hoc accounts, leaving their servers vulnerable to attack. In fact, this was the very oversight that led to Tesla's cryptojacking attack in February, 2018. \ -In addition to compromising the security of your data, when bad actors leverage your compute resources, it can incur monumental costs, since you will be billed for any new instances and increased bandwidth usage. - -[analytic_story://Suspicious Command-Line Executions] -category = Adversary Tactics -last_updated = 2020-02-03 -version = 2 -references = ["https://attack.mitre.org/wiki/Technique/T1059", "https://www.microsoft.com/en-us/wdsi/threats/macro-malware", "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Bhavin Patel"}] -spec_version = 3 -searches = ["ESCU - First time seen command line argument - Rule", "ESCU - Detect Prohibited Applications Spawning cmd exe - Rule", "ESCU - Detect suspicious processnames using pretrained model in DSDL - Rule", "ESCU - Detect Use of cmd exe to Launch Script Interpreters - Rule", "ESCU - Potentially malicious code on commandline - Rule", "ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - Unusually Long Command Line - Rule", "ESCU - Unusually Long Command Line - MLTK - Rule", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"] -description = Leveraging the Windows command-line interface (CLI) is one of the most common attack techniques--one that is also detailed in the MITRE ATT&CK framework. Use this Analytic Story to help you identify unusual or suspicious use of the CLI on Windows systems. -narrative = The ability to execute arbitrary commands via the Windows CLI is a primary goal for the adversary. With access to the shell, an attacker can easily run scripts and interact with the target system. Often, attackers may only have limited access to the shell or may obtain access in unusual ways. In addition, malware may execute and interact with the CLI in ways that would be considered unusual and inconsistent with typical user activity. This provides defenders with opportunities to identify suspicious use and investigate, as appropriate. This Analytic Story contains various searches to help identify this suspicious activity, as well as others to aid you in deeper investigation. - -[analytic_story://Suspicious Compiled HTML Activity] -category = Adversary Tactics -last_updated = 2021-02-11 -version = 1 -references = ["https://redcanary.com/blog/introducing-atomictestharnesses/", "https://attack.mitre.org/techniques/T1218/001/", "https://docs.microsoft.com/en-us/windows/win32/api/htmlhelp/nf-htmlhelp-htmlhelpa"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - Detect HTML Help Renamed - Rule", "ESCU - Detect HTML Help Spawn Child Process - Rule", "ESCU - Detect HTML Help URL in Command Line - Rule", "ESCU - Detect HTML Help Using InfoTech Storage Handlers - Rule", "ESCU - Windows System Binary Proxy Execution Compiled HTML File Decompile - Rule"] -description = Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code. -narrative = Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such VBA, JScript, Java, and ActiveX. CHM content is displayed using underlying components of the Internet Explorer browser loaded by the HTML Help executable program (hh.exe). \ -HH.exe relies upon hhctrl.ocx to load CHM topics.This will load upon execution of a chm file. \ -During investigation, review all parallel processes and child processes. It is possible for file modification events to occur and it is best to capture the CHM file and decompile it for further analysis. \ -Upon usage of InfoTech Storage Handlers, ms-its, its, mk, itss.dll will load. - -[analytic_story://Suspicious DNS Traffic] -category = Adversary Tactics -last_updated = 2017-09-18 -version = 1 -references = ["http://blogs.splunk.com/2015/10/01/random-words-on-entropy-and-dns/", "http://www.darkreading.com/analytics/security-monitoring/got-malware-three-signs-revealed-in-dns-traffic/d/d-id/1139680", "https://live.paloaltonetworks.com/t5/Threat-Vulnerability-Articles/What-are-suspicious-DNS-queries/ta-p/71454"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Rico Valdez"}] -spec_version = 3 -searches = ["ESCU - Clients Connecting to Multiple DNS Servers - Rule", "ESCU - Detect Long DNS TXT Record Response - Rule", "ESCU - Detection of DNS Tunnels - Rule", "ESCU - DNS Query Requests Resolved by Unauthorized DNS Servers - Rule", "ESCU - DNS Exfiltration Using Nslookup App - Rule", "ESCU - Excessive Usage of NSLOOKUP App - Rule", "ESCU - Detect DGA domains using pretrained model in DSDL - Rule", "ESCU - Detect DNS Data Exfiltration using pretrained model in DSDL - Rule", "ESCU - Detect hosts connecting to dynamic domain providers - Rule", "ESCU - Detect suspicious DNS TXT records using pretrained model in DSDL - Rule", "ESCU - DNS Query Length Outliers - MLTK - Rule", "ESCU - DNS Query Length With High Standard Deviation - Rule", "ESCU - Excessive DNS Failures - Rule", "ESCU - Get DNS Server History for a host - Response Task", "ESCU - Get DNS traffic ratio - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Process Responsible For The DNS Traffic - Response Task"] -description = Attackers often attempt to hide within or otherwise abuse the domain name system (DNS). You can thwart attempts to manipulate this omnipresent protocol by monitoring for these types of abuses. -narrative = Although DNS is one of the fundamental underlying protocols that make the Internet work, it is often ignored (perhaps because of its complexity and effectiveness). However, attackers have discovered ways to abuse the protocol to meet their objectives. One potential abuse involves manipulating DNS to hijack traffic and redirect it to an IP address under the attacker's control. This could inadvertently send users intending to visit google.com, for example, to an unrelated malicious website. Another technique involves using the DNS protocol for command-and-control activities with the attacker's malicious code or to covertly exfiltrate data. The searches within this Analytic Story look for these types of abuses. - -[analytic_story://Suspicious Emails] -category = Adversary Tactics -last_updated = 2020-01-27 -version = 1 -references = ["https://www.splunk.com/blog/2015/06/26/phishing-hits-a-new-level-of-quality/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Bhavin Patel"}] -spec_version = 3 -searches = ["ESCU - Email Attachments With Lots Of Spaces - Rule", "ESCU - Monitor Email For Brand Abuse - Rule", "ESCU - Suspicious Email Attachment Extensions - Rule", "ESCU - Suspicious Email - UBA Anomaly - Rule", "ESCU - Get Email Info - Response Task", "ESCU - Get Emails From Specific Sender - Response Task", "ESCU - Get Notable History - Response Task"] -description = Email remains one of the primary means for attackers to gain an initial foothold within the modern enterprise. Detect and investigate suspicious emails in your environment with the help of the searches in this Analytic Story. -narrative = It is a common practice for attackers of all types to leverage targeted spearphishing campaigns and mass mailers to deliver weaponized email messages and attachments. Fortunately, there are a number of ways to monitor email data in Splunk to detect suspicious content. \ -Once a phishing message has been detected, the next steps are to answer the following questions: \ -1. Which users have received this or a similar message in the past? \ -1. When did the targeted campaign begin? \ -1. Have any users interacted with the content of the messages (by downloading an attachment or clicking on a malicious URL)?This Analytic Story provides detection searches to identify suspicious emails, as well as contextual and investigative searches to help answer some of these questions. - -[analytic_story://Suspicious GCP Storage Activities] -category = Cloud Security -last_updated = 2020-08-05 -version = 1 -references = ["https://cloud.google.com/blog/products/gcp/4-steps-for-hardening-your-cloud-storage-buckets-taking-charge-of-your-security", "https://rhinosecuritylabs.com/gcp/google-cloud-platform-gcp-bucket-enumeration/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Shannon Davis"}] -spec_version = 3 -searches = ["ESCU - Detect GCP Storage access from a new IP - Rule", "ESCU - Detect New Open GCP Storage Buckets - Rule", "ESCU - Get Notable History - Response Task"] -description = Use the searches in this Analytic Story to monitor your GCP Storage buckets for evidence of anomalous activity and suspicious behaviors, such as detecting open storage buckets and buckets being accessed from a new IP. The contextual and investigative searches will give you more information, when required. -narrative = Similar to other cloud providers, GCP operates on a shared responsibility model. This means the end user, you, are responsible for setting appropriate access control lists and permissions on your GCP resources.\ This Analytics Story concentrates on detecting things like open storage buckets (both read and write) along with storage bucket access from unfamiliar users and IP addresses. - -[analytic_story://Suspicious MSHTA Activity] -category = Adversary Tactics -last_updated = 2021-01-20 -version = 2 -references = ["https://redcanary.com/blog/introducing-atomictestharnesses/", "https://redcanary.com/blog/windows-registry-attacks-threat-detection/", "https://attack.mitre.org/techniques/T1218/005/", "https://medium.com/@mbromileyDFIR/malware-monday-aebb456356c5"] -maintainers = [{"company": "Michael Haag, Splunk", "email": "-", "name": "Bhavin Patel"}] -spec_version = 3 -searches = ["ESCU - Detect mshta inline hta execution - Rule", "ESCU - Detect mshta renamed - Rule", "ESCU - Detect MSHTA Url in Command Line - Rule", "ESCU - Detect Prohibited Applications Spawning cmd exe - Rule", "ESCU - Detect Rundll32 Inline HTA Execution - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Suspicious mshta child process - Rule", "ESCU - Suspicious mshta spawn - Rule", "ESCU - Windows MSHTA Writing to World Writable Path - Rule", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"] -description = Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code. -narrative = One common adversary tactic is to bypass application control solutions via the mshta.exe process, which loads Microsoft HTML applications (mshtml.dll) with the .hta suffix. In these cases, attackers use the trusted Windows utility to proxy execution of malicious files, whether an .hta application, javascript, or VBScript. \ -The searches in this story help you detect and investigate suspicious activity that may indicate that an attacker is leveraging mshta.exe to execute malicious code. \ -Triage \ -Validate execution \ -1. Determine if MSHTA.exe executed. Validate the OriginalFileName of MSHTA.exe and further PE metadata. If executed outside of c:\windows\system32 or c:\windows\syswow64, it should be highly suspect. \ -1. Determine if script code was executed with MSHTA. \ -Situational Awareness \ -The objective of this step is meant to identify suspicious behavioral indicators related to executed of Script code by MSHTA.exe. \ -1. Parent process. Is the parent process a known LOLBin? Is the parent process an Office Application? \ -1. Module loads. Are the known MSHTA.exe modules being loaded by a non-standard application? Is MSHTA loading any suspicious .DLLs? \ -1. Network connections. Any network connections? Review the reputation of the remote IP or domain. \ -Retrieval of script code \ -The objective of this step is to confirm the executed script code is benign or malicious. - -[analytic_story://Suspicious Okta Activity] -category = Adversary Tactics -last_updated = 2020-04-02 -version = 1 -references = ["https://attack.mitre.org/wiki/Technique/T1078", "https://owasp.org/www-community/attacks/Credential_stuffing", "https://searchsecurity.techtarget.com/answer/What-is-a-password-spraying-attack-and-how-does-it-work"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Rico Valdez"}] -spec_version = 3 -searches = ["ESCU - Okta IDP Lifecycle Modifications - Rule", "ESCU - Okta Risk Threshold Exceeded - Rule", "ESCU - Okta Suspicious Use of a Session Cookie - Rule", "ESCU - Multiple Okta Users With Invalid Credentials From The Same IP - Rule", "ESCU - Okta Account Locked Out - Rule", "ESCU - Okta Account Lockout Events - Rule", "ESCU - Okta Failed SSO Attempts - Rule", "ESCU - Okta ThreatInsight Login Failure with High Unknown users - Rule", "ESCU - Okta ThreatInsight Suspected PasswordSpray Attack - Rule", "ESCU - Okta Two or More Rejected Okta Pushes - Rule", "ESCU - Investigate Okta Activity by app - Response Task", "ESCU - Investigate Okta Activity by IP Address - Response Task", "ESCU - Investigate User Activities In Okta - Response Task"] -description = Monitor your Okta environment for suspicious activities. Due to the Covid outbreak, many users are migrating over to leverage cloud services more and more. Okta is a popular tool to manage multiple users and the web-based applications they need to stay productive. The searches in this story will help monitor your Okta environment for suspicious activities and associated user behaviors. -narrative = Okta is the leading single sign on (SSO) provider, allowing users to authenticate once to Okta, and from there access a variety of web-based applications. These applications are assigned to users and allow administrators to centrally manage which users are allowed to access which applications. It also provides centralized logging to help understand how the applications are used and by whom. \ -While SSO is a major convenience for users, it also provides attackers with an opportunity. If the attacker can gain access to Okta, they can access a variety of applications. As such monitoring the environment is important. \ -With people moving quickly to adopt web-based applications and ways to manage them, many are still struggling to understand how best to monitor these environments. This analytic story provides searches to help monitor this environment, and identify events and activity that warrant further investigation such as credential stuffing or password spraying attacks, and users logging in from multiple locations when travel is disallowed. - -[analytic_story://Suspicious Regsvcs Regasm Activity] -category = Adversary Tactics -last_updated = 2021-02-11 -version = 1 -references = ["https://attack.mitre.org/techniques/T1218/009/", "https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/evasion/windows/applocker_evasion_regasm_regsvcs.md", "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - Detect Regasm Spawning a Process - Rule", "ESCU - Detect Regasm with Network Connection - Rule", "ESCU - Detect Regasm with no Command Line Arguments - Rule", "ESCU - Detect Regsvcs Spawning a Process - Rule", "ESCU - Detect Regsvcs with Network Connection - Rule", "ESCU - Detect Regsvcs with No Command Line Arguments - Rule"] -description = Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code. -narrative = Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies. Both are digitally signed by Microsoft. The following queries assist with detecting suspicious and malicious usage of Regasm.exe and Regsvcs.exe. Upon reviewing usage of Regasm.exe Regsvcs.exe, review file modification events for possible script code written. Review parallel process events for csc.exe being utilized to compile script code. - -[analytic_story://Suspicious Regsvr32 Activity] -category = Adversary Tactics -last_updated = 2021-01-29 -version = 1 -references = ["https://attack.mitre.org/techniques/T1218/010/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md", "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - Detect Regsvr32 Application Control Bypass - Rule", "ESCU - Malicious InProcServer32 Modification - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Suspicious Regsvr32 Register Suspicious Path - Rule"] -description = Monitor and detect techniques used by attackers who leverage the regsvr32.exe process to execute malicious code. -narrative = One common adversary tactic is to bypass application control solutions via the regsvr32.exe process. This particular bypass was popularized with "SquiblyDoo" using the "scrobj.dll" dll to load .sct scriptlets. This technique is still widely used by adversaries to bypass detection and prevention controls. The file extension of the DLL is irrelevant (it may load a .txt file extension for example). The searches in this story help you detect and investigate suspicious activity that may indicate that an adversary is leveraging regsvr32.exe to execute malicious code. Validate execution Determine if regsvr32.exe executed. Validate the OriginalFileName of regsvr32.exe and further PE metadata. If executed outside of c:\windows\system32 or c:\windows\syswow64, it should be highly suspect. Determine if script code was executed with regsvr32. Situational Awareness - The objective of this step is meant to identify suspicious behavioral indicators related to executed of Script code by regsvr32.exe. Parent process. Is the parent process a known LOLBin? Is the parent process an Office Application? Module loads. Is regsvr32 loading any suspicious .DLLs? Unsigned or signed from non-standard paths. Network connections. Any network connections? Review the reputation of the remote IP or domain. Retrieval of Script Code - confirm the executed script code is benign or malicious. - -[analytic_story://Suspicious Rundll32 Activity] -category = Adversary Tactics -last_updated = 2021-02-03 -version = 1 -references = ["https://attack.mitre.org/techniques/T1218/011/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md", "https://lolbas-project.github.io/lolbas/Binaries/Rundll32"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - Suspicious Rundll32 Rename - Rule", "ESCU - Detect Rundll32 Application Control Bypass - advpack - Rule", "ESCU - Detect Rundll32 Application Control Bypass - setupapi - Rule", "ESCU - Detect Rundll32 Application Control Bypass - syssetup - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Rundll32 Control RunDLL Hunt - Rule", "ESCU - Rundll32 Control RunDLL World Writable Directory - Rule", "ESCU - Rundll32 with no Command Line Arguments with Network - Rule", "ESCU - RunDLL Loading DLL By Ordinal - Rule", "ESCU - Suspicious Rundll32 dllregisterserver - Rule", "ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", "ESCU - Suspicious Rundll32 StartW - Rule"] -description = Monitor and detect techniques used by attackers who leverage rundll32.exe to execute arbitrary malicious code. -narrative = One common adversary tactic is to bypass application control solutions via the rundll32.exe process. Natively, rundll32.exe will load DLLs and is a great example of a Living off the Land Binary. Rundll32.exe may load malicious DLLs by ordinals, function names or directly. The queries in this story focus on loading default DLLs, syssetup.dll, ieadvpack.dll, advpack.dll and setupapi.dll from disk that may be abused by adversaries. Additionally, two analytics developed to assist with identifying DLLRegisterServer, Start and StartW functions being called. The searches in this story help you detect and investigate suspicious activity that may indicate that an adversary is leveraging rundll32.exe to execute malicious code. - -[analytic_story://Suspicious Windows Registry Activities] -category = Adversary Tactics -last_updated = 2018-05-31 -version = 1 -references = ["https://redcanary.com/blog/windows-registry-attacks-threat-detection/", "https://attack.mitre.org/wiki/Technique/T1112"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Bhavin Patel"}] -spec_version = 3 -searches = ["ESCU - Reg exe used to hide files directories via registry keys - Rule", "ESCU - Remote Registry Key modifications - Rule", "ESCU - Suspicious Changes to File Associations - Rule", "ESCU - Disable UAC Remote Restriction - Rule", "ESCU - Disabling Remote User Account Control - Rule", "ESCU - Monitor Registry Keys for Print Monitors - Rule", "ESCU - Registry Keys for Creating SHIM Databases - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule", "ESCU - Windows Mshta Execution In Registry - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"] -description = Monitor and detect registry changes initiated from remote locations, which can be a sign that an attacker has infiltrated your system. -narrative = Attackers are developing increasingly sophisticated techniques for hijacking target servers, while evading detection. One such technique that has become progressively more common is registry modification. \ -The registry is a key component of the Windows operating system. It has a hierarchical database called "registry" that contains settings, options, and values for executables. Once the threat actor gains access to a machine, they can use reg.exe to modify their account to obtain administrator-level privileges, maintain persistence, and move laterally within the environment. \ -The searches in this story are designed to help you detect behaviors associated with manipulation of the Windows registry. - -[analytic_story://Suspicious WMI Use] -category = Adversary Tactics -last_updated = 2018-10-23 -version = 2 -references = ["https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf", "https://web.archive.org/web/20210921091529/https://www.fireeye.com/blog/threat-research/2017/03/wmimplant_a_wmi_ba.html"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Rico Valdez"}] -spec_version = 3 -searches = ["ESCU - Detect WMI Event Subscription Persistence - Rule", "ESCU - PowerShell Invoke WmiExec Usage - Rule", "ESCU - Process Execution via WMI - Rule", "ESCU - Remote Process Instantiation via WMI - Rule", "ESCU - Remote WMI Command Attempt - Rule", "ESCU - Script Execution via WMI - Rule", "ESCU - Windows WMI Process Call Create - Rule", "ESCU - WMI Permanent Event Subscription - Rule", "ESCU - WMI Permanent Event Subscription - Sysmon - Rule", "ESCU - WMI Temporary Event Subscription - Rule", "ESCU - WMIC XSL Execution via URL - Rule", "ESCU - XSL Script Execution With WMIC - Rule", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Sysmon WMI Activity for Host - Response Task"] -description = Attackers are increasingly abusing Windows Management Instrumentation (WMI), a framework and associated utilities available on all modern Windows operating systems. Because WMI can be leveraged to manage both local and remote systems, it is important to identify the processes executed and the user context within which the activity occurred. -narrative = WMI is a Microsoft infrastructure for management data and operations on Windows operating systems. It includes of a set of utilities that can be leveraged to manage both local and remote Windows systems. Attackers are increasingly turning to WMI abuse in their efforts to conduct nefarious tasks, such as reconnaissance, detection of antivirus and virtual machines, code execution, lateral movement, persistence, and data exfiltration. The detection searches included in this Analytic Story are used to look for suspicious use of WMI commands that attackers may leverage to interact with remote systems. The searches specifically look for the use of WMI to run processes on remote systems. In the event that unauthorized WMI execution occurs, it will be important for analysts and investigators to determine the context of the event. These details may provide insights related to how WMI was used and to what end. - -[analytic_story://Suspicious Zoom Child Processes] -category = Adversary Tactics -last_updated = 2020-04-13 -version = 1 -references = ["https://blog.rapid7.com/2020/04/02/dispelling-zoom-bugbears-what-you-need-to-know-about-the-latest-zoom-vulnerabilities/", "https://threatpost.com/two-zoom-zero-day-flaws-uncovered/154337/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "David Dorsey"}] -spec_version = 3 -searches = ["ESCU - Detect Prohibited Applications Spawning cmd exe - Rule", "ESCU - First Time Seen Child Process of Zoom - Rule", "ESCU - Get Process File Activity - Response Task"] -description = Attackers are using Zoom as an vector to increase privileges on a sytems. This story detects new child processes of zoom and provides investigative actions for this detection. -narrative = Zoom is a leader in modern enterprise video communications and its usage has increased dramatically with a large amount of the population under stay-at-home orders due to the COVID-19 pandemic. With increased usage has come increased scrutiny and several security flaws have been found with this application on both Windows and macOS systems. \ -Current detections focus on finding new child processes of this application on a per host basis. Investigative searches are included to gather information needed during an investigation. - -[analytic_story://Swift Slicer] -category = Data Destruction -last_updated = 2023-02-01 -version = 1 -references = ["https://twitter.com/ESETresearch/status/1618960022150729728", "https://www.welivesecurity.com/2023/01/27/swiftslicer-new-destructive-wiper-malware-ukraine/"] -maintainers = [{"company": "Rod Soto, Splunk", "email": "-", "name": "Teoderick Contreras"}] -spec_version = 3 -searches = ["ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Data Destruction Recursive Exec Files Deletion - Rule", "ESCU - Windows High File Deletion Frequency - Rule"] -description = Leverage searches that allow you to detect and investigate unusual activities that might relate to the swift slicer malware including overwriting of files and etc. -narrative = Swift Slicer is one of Windows destructive malware found by ESET that was used in a targeted organizarion to wipe critical files like windows drivers and other files to destroy and left the machine inoperable. This malware like Caddy Wiper was deliver through GPO which suggests that the attacker had taken control of the victims active directory environment. - -[analytic_story://SysAid On-Prem Software CVE-2023-47246 Vulnerability] -category = Malware -last_updated = 2023-11-09 -version = 1 -references = ["https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - Any Powershell DownloadString - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Java Writing JSP File - Rule", "ESCU - Windows Java Spawning Shells - Rule"] -description = A zero-day vulnerability was discovered in SysAid's on-premise software, exploited by the group DEV-0950 (Lace Tempest). The attackers uploaded a WebShell and other payloads, gaining unauthorized access and control. SysAid has released a patch (version 23.3.36) to remediate the vulnerability and urges customers to conduct a comprehensive compromise assessment. -narrative = The analytics tagged to this analytic story will aid in capturing initial access and some post-exploitation activities. In addition to the application spawning a shell, consider reviewing STRT's Cobalt Strike and PowerShell script block logging analytic stories. On November 2nd, SysAid's security team identified a potential vulnerability in their on-premise software. The investigation revealed a zero-day vulnerability exploited by the group known as DEV-0950 (Lace Tempest). The attackers uploaded a WebShell and other payloads into the webroot of the SysAid Tomcat web service, thereby gaining unauthorized access and control over the affected system. SysAid promptly initiated their incident response protocol and began proactive communication with their on-premise customers to implement a mitigation solution. SysAid has released a patch (version 23.3.36) to remediate the vulnerability and strongly recommends all customers to conduct a comprehensive compromise assessment of their network. - -[analytic_story://Text4Shell CVE-2022-42889] -category = Adversary Tactics -last_updated = 2022-10-26 -version = 1 -references = ["https://sysdig.com/blog/cve-2022-42889-text4shell/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - Exploit Public Facing Application via Apache Commons Text - Rule"] -description = A new critical vulnerability CVE-2022-42889 a.k.a. Text4shell, similar to the old Spring4Shell and Log4Shell, was originally reported by Alvaro Munoz on the very popular Apache Commons Text library. -narrative = Apache Commons Text is a Java library described as "a library focused on algorithms working on strings." We can see it as a general-purpose text manipulation toolkit. This vulnerability affects the StringSubstitutor interpolator class, which is included in the Commons Text library. A default interpolator allows for string lookups that can lead to Remote Code Execution. This is due to a logic flaw that makes the "script," "dns," and "url" lookup keys interpolated by default, as opposed to what it should be, according to the documentation of the StringLookupFactory class. Those keys allow an attacker to execute arbitrary code via lookups. In order to exploit the vulnerabilities, the following requirements must be met - Run a version of Apache Commons Text from version 1.5 to 1.9 and use the StringSubstitutor interpolator. It is important to specify that the StringSubstitutor interpolator is not as widely used as the string substitution in Log4j, which led to Log4Shell. According to the CVSSv3 system, it scores 9.8 as CRITICAL severity. The severity is Critical due to the easy exploitability and huge potential impact in terms of confidentiality, integrity, and availability. As we showed in the previous section, you can take full control over the vulnerable system with a crafted request. However, it is not likely the vulnerabilities will have the same impacts as the previous Log4Shell and Spring4Shell. - -[analytic_story://Trickbot] -category = Malware -last_updated = 2021-04-20 -version = 1 -references = ["https://en.wikipedia.org/wiki/Trickbot", "https://blog.checkpoint.com/2021/03/11/february-2021s-most-wanted-malware-trickbot-takes-over-following-emotet-shutdown/"] -maintainers = [{"company": "Teoderick Contreras, Splunk", "email": "-", "name": "Rod Soto"}] -spec_version = 3 -searches = ["ESCU - Account Discovery With Net App - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - Cobalt Strike Named Pipes - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Mshta spawning Rundll32 OR Regsvr32 Process - Rule", "ESCU - Office Application Spawn rundll32 process - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Office Product Spawning CertUtil - Rule", "ESCU - Powershell Remote Thread To Known Windows Process - Rule", "ESCU - Schedule Task with Rundll32 Command Trigger - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Rundll32 StartW - Rule", "ESCU - Trickbot Named Pipe - Rule", "ESCU - Wermgr Process Connecting To IP Check Web Services - Rule", "ESCU - Wermgr Process Create Executable File - Rule", "ESCU - Wermgr Process Spawned CMD Or Powershell Process - Rule"] -description = Leverage searches that allow you to detect and investigate unusual activities that might relate to the trickbot banking trojan, including looking for file writes associated with its payload, process injection, shellcode execution and data collection even in LDAP environment. -narrative = trickbot banking trojan campaigns targeting banks and other vertical sectors.This malware is known in Microsoft Windows OS where target security Microsoft Defender to prevent its detection and removal. steal Verizon credentials and targeting banks using its multi component modules that collect and exfiltrate data. - -[analytic_story://Trusted Developer Utilities Proxy Execution] -category = Adversary Tactics -last_updated = 2021-01-12 -version = 1 -references = ["https://attack.mitre.org/techniques/T1127/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md", "https://lolbas-project.github.io/lolbas/Binaries/Microsoft.Workflow.Compiler/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - Suspicious microsoft workflow compiler rename - Rule", "ESCU - Suspicious microsoft workflow compiler usage - Rule"] -description = Monitor and detect behaviors used by attackers who leverage trusted developer utilities to execute malicious code. -narrative = Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering. These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions. \ -The searches in this story help you detect and investigate suspicious activity that may indicate that an adversary is leveraging microsoft.workflow.compiler.exe to execute malicious code. - -[analytic_story://Trusted Developer Utilities Proxy Execution MSBuild] -category = Adversary Tactics -last_updated = 2021-01-21 -version = 1 -references = ["https://attack.mitre.org/techniques/T1127/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md", "https://github.com/infosecn1nja/MaliciousMacroMSBuild", "https://github.com/xorrior/RandomPS-Scripts/blob/master/Invoke-ExecuteMSBuild.ps1", "https://lolbas-project.github.io/lolbas/Binaries/Msbuild/", "https://github.com/MHaggis/CBR-Queries/blob/master/msbuild.md"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - MSBuild Suspicious Spawned By Script Process - Rule", "ESCU - Suspicious msbuild path - Rule", "ESCU - Suspicious MSBuild Rename - Rule", "ESCU - Suspicious MSBuild Spawn - Rule"] -description = Monitor and detect techniques used by attackers who leverage the msbuild.exe process to execute malicious code. -narrative = Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio and is native to Windows. It handles XML formatted project files that define requirements for loading and building various platforms and configurations. \ -The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# code to be inserted into an XML project file. MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application control defenses that are configured to allow MSBuild.exe execution. \ -The searches in this story help you detect and investigate suspicious activity that may indicate that an adversary is leveraging msbuild.exe to execute malicious code. \ -Triage \ -Validate execution \ -1. Determine if MSBuild.exe executed. Validate the OriginalFileName of MSBuild.exe and further PE metadata. \ -1. Determine if script code was executed with MSBuild. \ -Situational Awareness \ -The objective of this step is meant to identify suspicious behavioral indicators related to executed of Script code by MSBuild.exe. \ -1. Parent process. Is the parent process a known LOLBin? Is the parent process an Office Application? \ -1. Module loads. Are the known MSBuild.exe modules being loaded by a non-standard application? Is MSbuild loading any suspicious .DLLs? \ -1. Network connections. Any network connections? Review the reputation of the remote IP or domain. \ -Retrieval of script code \ -The objective of this step is to confirm the executed script code is benign or malicious. - -[analytic_story://Unusual Processes] -category = Malware -last_updated = 2020-02-04 -version = 2 -references = ["https://web.archive.org/web/20210921093439/https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-two.html", "https://www.splunk.com/pdfs/technical-briefs/advanced-threat-detection-and-response-tech-brief.pdf", "https://www.sans.org/reading-room/whitepapers/logging/detecting-security-incidents-windows-workstation-event-logs-34262"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Bhavin Patel"}] -spec_version = 3 -searches = ["ESCU - Uncommon Processes On Endpoint - Rule", "ESCU - Attacker Tools On Endpoint - Rule", "ESCU - Detect processes used for System Network Configuration Discovery - Rule", "ESCU - Detect Rare Executables - Rule", "ESCU - Rundll32 Shimcache Flush - Rule", "ESCU - RunDLL Loading DLL By Ordinal - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Suspicious Process Executed From Container File - Rule", "ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - Unusually Long Command Line - Rule", "ESCU - Unusually Long Command Line - MLTK - Rule", "ESCU - Verclsid CLSID Execution - Rule", "ESCU - Windows DotNet Binary in Non Standard Path - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows NirSoft AdvancedRun - Rule", "ESCU - Windows Registry Payload Injection - Rule", "ESCU - Windows Remote Assistance Spawning Process - Rule", "ESCU - WinRM Spawning a Process - Rule", "ESCU - Wscript Or Cscript Suspicious Child Process - Rule", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"] -description = Quickly identify systems running new or unusual processes in your environment that could be indicators of suspicious activity. Processes run from unusual locations, those with conspicuously long command lines, and rare executables are all examples of activities that may warrant deeper investigation. -narrative = Being able to profile a host's processes within your environment can help you more quickly identify processes that seem out of place when compared to the rest of the population of hosts or asset types. \ -This Analytic Story lets you identify processes that are either a) not typically seen running or b) have some sort of suspicious command-line arguments associated with them. This Analytic Story will also help you identify the user running these processes and the associated process activity on the host. \ -In the event an unusual process is identified, it is imperative to better understand how that process was able to execute on the host, when it first executed, and whether other hosts are affected. This extra information may provide clues that can help the analyst further investigate any suspicious activity. - -[analytic_story://Use of Cleartext Protocols] -category = Best Practices -last_updated = 2017-09-15 -version = 1 -references = ["https://www.monkey.org/~dugsong/dsniff/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Bhavin Patel"}] -spec_version = 3 -searches = ["ESCU - Protocols passing authentication in cleartext - Rule", "ESCU - Get Notable History - Response Task", "ESCU - Get Process Information For Port Activity - Response Task"] -description = Leverage searches that detect cleartext network protocols that may leak credentials or should otherwise be encrypted. -narrative = Various legacy protocols operate by default in the clear, without the protections of encryption. This potentially leaks sensitive information that can be exploited by passively sniffing network traffic. Depending on the protocol, this information could be highly sensitive, or could allow for session hijacking. In addition, these protocols send authentication information, which would allow for the harvesting of usernames and passwords that could potentially be used to authenticate and compromise secondary systems. - -[analytic_story://VMware Aria Operations vRealize CVE-2023-20887] -category = Adversary Tactics -last_updated = 2023-06-21 -version = 1 -references = ["https://nvd.nist.gov/vuln/detail/CVE-2023-20887", "https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/", "https://viz.greynoise.io/tag/VMware-aria-operations-for-networks-rce-attempt?days=30", "https://github.com/sinsinology/CVE-2023-20887"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - VMWare Aria Operations Exploit Attempt - Rule"] -description = CVE-2023-20887 is a critical vulnerability affecting VMware's vRealize Network Insight (also known as VMware Aria Operations for Networks). It allows a remote, unauthenticated attacker to execute arbitrary commands with root privileges via the Apache Thrift RPC interface. The exploit, which has a severity score of 9.8, targets an endpoint ("/saas./resttosaasservlet") in the application and delivers a malicious payload designed to create a reverse shell, granting the attacker control over the system. VMware has released an advisory recommending users to update to the latest version to mitigate this threat. -narrative = CVE-2023-20887 is a highly critical vulnerability found in VMware's vRealize Network Insight. This software is widely used for intelligent operations management across physical, virtual, and cloud environments, so a vulnerability in it poses a significant risk to many organizations. \ -This particular vulnerability lies in the application's Apache Thrift RPC interface. The exploit allows an attacker to inject commands that are executed with root privileges, leading to a potential total compromise of the system. The attacker does not need to be authenticated, which further increases the risk posed by this vulnerability. \ -The exploit operates by sending a specially crafted payload to the "/saas./resttosaasservlet" endpoint. This payload contains a reverse shell command, which, when executed, allows the attacker to remotely control the victim's system. This control is obtained at the root level, providing the attacker with the ability to perform any action on the system. \ -What makes this vulnerability particularly dangerous is its high severity score of 9.8, indicating it is a critical threat. It's also noteworthy that the exploitation of this vulnerability leaves specific indicators such as abnormal traffic to the "/saas./resttosaasservlet" endpoint and suspicious ncat commands in network traffic, which can help in its detection. \ -VMware has acknowledged the vulnerability and has published a security advisory recommending that users update to the latest version of the software. This update effectively patches the vulnerability and protects systems from this exploit. It's crucial that all users of the affected versions of VMware's vRealize Network Insight promptly apply the update to mitigate the risk posed by CVE-2023-20887. - -[analytic_story://VMware Server Side Injection and Privilege Escalation] -category = Adversary Tactics -last_updated = 2022-05-19 -version = 1 -references = ["https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954/rapid7-analysis", "https://www.cisa.gov/uscert/ncas/alerts/aa22-138b"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - VMware Server Side Template Injection Hunt - Rule", "ESCU - VMware Workspace ONE Freemarker Server-side Template Injection - Rule"] -description = Recently disclosed CVE-2022-22954 and CVE-2022-22960 have been identified in the wild abusing VMware products to compromise internet faced devices and escalate privileges. -narrative = On April 6, 2022, VMware published VMSA-2022-0011, which discloses multiple vulnerabilities discovered by Steven Seeley (mr_me) of Qihoo 360 Vulnerability Research Institute. The most critical of the CVEs published in VMSA-2022-0011 is CVE-2022-22954, which is a server-side template injection issue with a CVSSv3 base score of 9.8. The vulnerability allows an unauthenticated user with network access to the web interface to execute an arbitrary shell command as the VMware user. To further exacerbate this issue, VMware also disclosed a local privilege escalation issue, CVE-2022-22960, which permits the attacker to gain root after exploiting CVE-2022-22954. Products affected include - VMware Workspace ONE Access (Access) 20.10.0.0 - 20.10.0.1, 21.08.0.0 - 21.08.0.1 and VMware Identity Manager (vIDM) 3.3.3 - 3.3.6. - -[analytic_story://Volt Typhoon] -category = Data Destruction -last_updated = 2023-05-25 -version = 1 -references = ["https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Teoderick Contreras"}] -spec_version = 3 -searches = ["ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Creation of Shadow Copy - Rule", "ESCU - Creation of Shadow Copy with wmic and powershell - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Elevated Group Discovery With Net - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Extraction of Registry Hives - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Ntdsutil Export NTDS - Rule", "ESCU - Processes launching netsh - Rule", "ESCU - Remote WMI Command Attempt - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows DNS Gather Network Info - Rule", "ESCU - Windows Ldifde Directory Object Behavior - Rule", "ESCU - Windows Mimikatz Binary Execution - Rule", "ESCU - Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos - Rule", "ESCU - Windows Multiple Invalid Users Fail To Authenticate Using Kerberos - Rule", "ESCU - Windows Multiple Invalid Users Failed To Authenticate Using NTLM - Rule", "ESCU - Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials - Rule", "ESCU - Windows Multiple Users Failed To Authenticate From Host Using NTLM - Rule", "ESCU - Windows Multiple Users Failed To Authenticate From Process - Rule", "ESCU - Windows Multiple Users Failed To Authenticate Using Kerberos - Rule", "ESCU - Windows Multiple Users Remotely Failed To Authenticate From Host - Rule", "ESCU - Windows Proxy Via Netsh - Rule", "ESCU - Windows Proxy Via Registry - Rule", "ESCU - Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM - Rule", "ESCU - Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials - Rule", "ESCU - Windows Unusual Count Of Users Failed To Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Users Failed To Authenticate From Process - Rule", "ESCU - Windows Unusual Count Of Users Failed To Authenticate Using NTLM - Rule", "ESCU - Windows Unusual Count Of Users Remotely Failed To Auth From Host - Rule", "ESCU - Windows WMI Process Call Create - Rule"] -description = This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the "Volt Typhoon" group targeting critical infrastructure organizations in United States and Guam. The affected organizations include the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors. This Analytic story looks for suspicious process execution, lolbin execution, command-line activity, lsass dump and many more. -narrative = Volt Typhoon is a state sponsored group typically focuses on espionage and information gathering. Based on Microsoft Threat Intelligence, This threat actor group puts strong emphasis on stealth in this campaign by relying almost exclusively on living-off-the-land techniques and hands-on-keyboard activity. \ -They issue commands via the command line to: 1. collect data, including credentials from local and network systems, \ -2. put the data into an archive file to stage it for exfiltration, and then \ -3. use the stolen valid credentials to maintain persistence. \ -In addition, Volt Typhoon tries to blend into normal network activity by routing traffic through compromised small office and home office (SOHO) network equipment, including routers, firewalls, and VPN hardware. They have also been observed using custom versions of open-source tools to establish a command and control (C2) channel over proxy to further stay under the radar. - -[analytic_story://Warzone RAT] -category = Malware -last_updated = 2023-07-26 -version = 1 -references = ["https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/warzone#:~:text=Warzone%20RAT%20(AKA%20Ave%20Maria)%20is%20a%20remote%20access%20trojan,is%20as%20an%20information%20stealer.", "https://tccontre.blogspot.com/2020/02/2-birds-in-one-stone-ave-maria-wshrat.html"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Teoderick Contreras"}] -spec_version = 3 -searches = ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Create Remote Thread In Shell Application - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Hide User Account From Sign-In Screen - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Office Application Drop Executable - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Ping Sleep Batch Command - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Bypass UAC via Pkgmgr Tool - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule", "ESCU - Windows Defender Exclusion Registry Entry - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Mark Of The Web Bypass - Rule", "ESCU - Windows Modify Registry MaxConnectionPerServer - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule", "ESCU - Windows Process Injection Remote Thread - Rule", "ESCU - Windows Unsigned DLL Side-Loading - Rule"] -description = This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might related to warzone (Ave maria) RAT. This analytic story looks for suspicious process execution, command-line activity, downloads, persistence, defense evasion and more. -narrative = Warzone RAT, also known as Ave Maria, is a sophisticated remote access trojan (RAT) that surfaced in January 2019. Originally offered as malware-as-a-service (MaaS), it rapidly gained notoriety and became one of the most prominent malware strains by 2020. Its exceptional capabilities in stealth and anti-analysis techniques make it a formidable threat in various campaigns, including those targeting sensitive geopolitical entities. The malware's impact is particularly concerning as it has been associated with attacks aimed at compromising government employees and military personnel, notably within India's National Informatics Centre (NIC). Its deployment by several advanced persistent threat (APT) groups further underlines its potency and adaptability in the hands of skilled threat actors. Warzone RAT's capabilities enable attackers to gain unauthorized access to targeted systems, facilitating data theft, surveillance, and the potential to wreak havoc on critical infrastructures. As the threat landscape continues to evolve, vigilance and robust cybersecurity measures are crucial in defending against such malicious tools." This version provides more context and elaborates on the malware's capabilities and potential impact. Additionally, it emphasizes the importance of cybersecurity measures to combat such threats effectively. - -[analytic_story://WhisperGate] -category = Data Destruction -last_updated = 2022-01-19 -version = 1 -references = ["https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Teoderick Contreras"}] -spec_version = 3 -searches = ["ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Excessive File Deletion In WinDefender Folder - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Ping Sleep Batch Command - Rule", "ESCU - Powershell Remove Windows Defender Directory - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Process Deleting Its Process File Path - Rule", "ESCU - Suspicious Process DNS Query Known Abuse Web Services - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Process With Discord DNS Query - Rule", "ESCU - Windows DotNet Binary in Non Standard Path - Rule", "ESCU - Windows High File Deletion Frequency - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows NirSoft AdvancedRun - Rule", "ESCU - Windows NirSoft Utilities - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - Wscript Or Cscript Suspicious Child Process - Rule"] -description = This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the destructive malware targeting Ukrainian organizations also known as "WhisperGate". This analytic story looks for suspicious process execution, command-line activity, downloads, DNS queries and more. -narrative = WhisperGate/DEV-0586 is destructive malware operation found by MSTIC (Microsoft Threat Inteligence Center) targeting multiple organizations in Ukraine. This operation campaign consist of several malware component like the downloader that abuses discord platform, overwrite or destroy master boot record (MBR) of the targeted host, wiper and also windows defender evasion techniques. - -[analytic_story://Windows AppLocker] -category = Unauthorized Software -last_updated = 2024-03-21 -version = 1 -references = [] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - Windows AppLocker Block Events - Rule", "ESCU - Windows AppLocker Execution from Uncommon Locations - Rule", "ESCU - Windows AppLocker Privilege Escalation via Unauthorized Bypass - Rule", "ESCU - Windows AppLocker Rare Application Launch Detection - Rule"] -description = Windows AppLocker is a feature that enhances security by allowing administrators to specify which users or groups can run particular applications in their organization based on unique identities of files. This story covers various aspects of monitoring and managing AppLocker policies, including detecting unauthorized software installations, enforcing best practices for software usage, and identifying potential security breaches through advanced threat detection techniques. Through the use of Splunk Enterprise, Splunk Enterprise Security, and Splunk Cloud, organizations can gain insights into AppLocker events, ensuring compliance with corporate security policies and mitigating risks associated with unauthorized applications. -narrative = AppLocker, a built-in Windows security feature, provides organizations with the ability to control application usage across their networks. It enables administrators to define rules based on file names, publishers, and file hashes to allow or deny the execution of applications. This level of control helps in preventing malware and unlicensed software from running, thereby enhancing the security posture of an organization. \ \ -Organizations should leverage AppLocker for several reasons. Firstly, it aids in the enforcement of software compliance policies by ensuring that only licensed and approved applications are run on the network. Secondly, by restricting the execution of unauthorized applications, AppLocker significantly reduces the attack surface, making it harder for attackers to exploit vulnerabilities in unapproved software. Thirdly, AppLocker's ability to log attempts to run unauthorized applications provides valuable insights for security monitoring and incident response activities. This logging capability enables organizations to detect and respond to potential security threats in real time. \ \ -In summary, AppLocker is a critical security tool that helps organizations manage application usage, enforce compliance policies, and mitigate security risks. By implementing AppLocker policies, organizations can achieve a robust security posture, protecting their assets from unauthorized software and potential cyber threats. - -[analytic_story://Windows Attack Surface Reduction] -category = Best Practices -last_updated = 2023-11-27 -version = 1 -references = ["https://asrgen.streamlit.app/", "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction?view=o365-worldwide"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - Windows Defender ASR Audit Events - Rule", "ESCU - Windows Defender ASR Block Events - Rule", "ESCU - Windows Defender ASR Registry Modification - Rule", "ESCU - Windows Defender ASR Rule Disabled - Rule", "ESCU - Windows Defender ASR Rules Stacking - Rule"] -description = This story contains detections for Windows Attack Surface Reduction (ASR) events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This story contains detections for ASR events that are generated when a process or application attempts to perform an action that is blocked by an ASR rule. -narrative = This story contains detections for Windows Attack Surface Reduction (ASR) events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This story contains detections for ASR events that are generated when a process or application attempts to perform an action that is blocked by an ASR rule. It includes detections for both block and audit event IDs. Block event IDs are generated when an action is blocked by an ASR rule, while audit event IDs are generated when an action that would be blocked by an ASR rule is allowed to proceed for auditing purposes. - -[analytic_story://Windows BootKits] -category = Adversary Tactics -last_updated = 2023-05-03 -version = 1 -references = ["https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/", "https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - Windows BootLoader Inventory - Rule", "ESCU - Windows Registry BootExecute Modification - Rule"] -description = Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly. -narrative = A bootkit is a sophisticated type of malware that targets the boot sectors of a hard drive, specifically the Master Boot Record (MBR) and Volume Boot Record (VBR). The MBR is the initial section of the disk that is loaded following the hardware initialization process executed by the Basic Input/Output System (BIOS). It houses the boot loader, which is responsible for loading the operating system. In contrast, the VBR is located at the beginning of each partition and contains the boot code for that specific partition. When an adversary gains raw access to the boot drive, they can overwrite the MBR or VBR, effectively diverting the execution during startup from the standard boot loader to the malicious code injected by the attacker. This tampering allows the malware to load before the operating system, enabling it to execute malicious activities stealthily and maintain persistence on the compromised system. Bootkits are particularly dangerous because they can bypass security measures implemented by the operating system and antivirus software. Since they load before the operating system, they can easily evade detection and manipulate the system's behavior from the earliest stages of the boot process. This capability makes bootkits a potent tool in an attacker's arsenal for gaining unauthorized access, stealing sensitive information, or launching further attacks on other systems. To defend against bootkit attacks, organizations should implement multiple layers of security, including strong endpoint protection, regular software updates, user awareness training, and monitoring for unusual system behavior. Additionally, hardware-based security features, such as Unified Extensible Firmware Interface (UEFI) Secure Boot and Trusted Platform Module (TPM), can help protect the integrity of the boot process and reduce the risk of bootkit infections. - -[analytic_story://Windows Certificate Services] -category = Adversary Tactics -last_updated = 2023-02-01 -version = 1 -references = ["https://attack.mitre.org/techniques/T1649/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - Certutil exe certificate extraction - Rule", "ESCU - Detect Certify Command Line Arguments - Rule", "ESCU - Detect Certify With PowerShell Script Block Logging - Rule", "ESCU - Detect Certipy File Modifications - Rule", "ESCU - Steal or Forge Authentication Certificates Behavior Identified - Rule", "ESCU - Windows Export Certificate - Rule", "ESCU - Windows Mimikatz Crypto Export File Extensions - Rule", "ESCU - Windows PowerShell Export Certificate - Rule", "ESCU - Windows PowerShell Export PfxCertificate - Rule", "ESCU - Windows Steal Authentication Certificates - ESC1 Abuse - Rule", "ESCU - Windows Steal Authentication Certificates - ESC1 Authentication - Rule", "ESCU - Windows Steal Authentication Certificates Certificate Issued - Rule", "ESCU - Windows Steal Authentication Certificates Certificate Request - Rule", "ESCU - Windows Steal Authentication Certificates CertUtil Backup - Rule", "ESCU - Windows Steal Authentication Certificates CryptoAPI - Rule", "ESCU - Windows Steal Authentication Certificates CS Backup - Rule", "ESCU - Windows Steal Authentication Certificates Export Certificate - Rule", "ESCU - Windows Steal Authentication Certificates Export PfxCertificate - Rule"] -description = Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. -narrative = The following analytic story focuses on remote and local endpoint certificate theft and abuse. Authentication certificates can be both stolen and forged. For example, AD CS certificates can be stolen from encrypted storage (in the Registry or files), misplaced certificate files (i.e. Unsecured Credentials), or directly from the Windows certificate store via various crypto APIs.With appropriate enrollment rights, users and/or machines within a domain can also request and/or manually renew certificates from enterprise certificate authorities (CA). This enrollment process defines various settings and permissions associated with the certificate. Abusing certificates for authentication credentials may enable other behaviors such as Lateral Movement. Certificate-related misconfigurations may also enable opportunities for Privilege Escalation, by way of allowing users to impersonate or assume privileged accounts or permissions via the identities (SANs) associated with a certificate. These abuses may also enable Persistence via stealing or forging certificates that can be used as Valid Accounts for the duration of the certificate's validity, despite user password resets. Authentication certificates can also be stolen and forged for machine accounts. (MITRE ATT&CK) - -[analytic_story://Windows Defense Evasion Tactics] -category = Adversary Tactics -last_updated = 2018-05-31 -version = 1 -references = ["https://attack.mitre.org/wiki/Defense_Evasion"] -maintainers = [{"company": "Splunk", "email": "-", "name": "David Dorsey"}] -spec_version = 3 -searches = ["ESCU - Reg exe used to hide files directories via registry keys - Rule", "ESCU - Remote Registry Key modifications - Rule", "ESCU - Windows DLL Search Order Hijacking Hunt - Rule", "ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - CSC Net On The Fly Compilation - Rule", "ESCU - Disable Registry Tool - Rule", "ESCU - Disable Security Logs Using MiniNt Registry - Rule", "ESCU - Disable Show Hidden Files - Rule", "ESCU - Disable UAC Remote Restriction - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Disable Windows SmartScreen Protection - Rule", "ESCU - Disabling CMD Application - Rule", "ESCU - Disabling ControlPanel - Rule", "ESCU - Disabling Firewall with Netsh - Rule", "ESCU - Disabling FolderOptions Windows Feature - Rule", "ESCU - Disabling NoRun Windows App - Rule", "ESCU - Disabling Remote User Account Control - Rule", "ESCU - Disabling SystemRestore In Registry - Rule", "ESCU - Disabling Task Manager - Rule", "ESCU - Disabling Windows Local Security Authority Defences via Registry - Rule", "ESCU - Eventvwr UAC Bypass - Rule", "ESCU - Excessive number of service control start as disabled - Rule", "ESCU - Firewall Allowed Program Enable - Rule", "ESCU - FodHelper UAC Bypass - Rule", "ESCU - Hiding Files And Directories With Attrib exe - Rule", "ESCU - NET Profiler UAC bypass - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Sdclt UAC Bypass - Rule", "ESCU - SilentCleanup UAC Bypass - Rule", "ESCU - SLUI RunAs Elevated - Rule", "ESCU - SLUI Spawning a Process - Rule", "ESCU - Suspicious Reg exe Process - Rule", "ESCU - UAC Bypass MMC Load Unsigned Dll - Rule", "ESCU - Windows Alternate DataStream - Base64 Content - Rule", "ESCU - Windows Alternate DataStream - Executable Content - Rule", "ESCU - Windows Alternate DataStream - Process Execution - Rule", "ESCU - Windows Command and Scripting Interpreter Hunting Path Traversal - Rule", "ESCU - Windows Command and Scripting Interpreter Path Traversal Exec - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows Defender Exclusion Registry Entry - Rule", "ESCU - Windows Disable Change Password Through Registry - Rule", "ESCU - Windows Disable Lock Workstation Feature Through Registry - Rule", "ESCU - Windows Disable Notification Center - Rule", "ESCU - Windows Disable Windows Event Logging Disable HTTP Logging - Rule", "ESCU - Windows Disable Windows Group Policy Features Through Registry - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows DISM Remove Defender - Rule", "ESCU - Windows DLL Search Order Hijacking Hunt with Sysmon - Rule", "ESCU - Windows DLL Search Order Hijacking with iscsicpl - Rule", "ESCU - Windows Event For Service Disabled - Rule", "ESCU - Windows Excessive Disabled Services Event - Rule", "ESCU - Windows Hide Notification Features Through Registry - Rule", "ESCU - Windows Impair Defense Change Win Defender Health Check Intervals - Rule", "ESCU - Windows Impair Defense Change Win Defender Quick Scan Interval - Rule", "ESCU - Windows Impair Defense Change Win Defender Throttle Rate - Rule", "ESCU - Windows Impair Defense Change Win Defender Tracing Level - Rule", "ESCU - Windows Impair Defense Configure App Install Control - Rule", "ESCU - Windows Impair Defense Define Win Defender Threat Action - Rule", "ESCU - Windows Impair Defense Delete Win Defender Context Menu - Rule", "ESCU - Windows Impair Defense Delete Win Defender Profile Registry - Rule", "ESCU - Windows Impair Defense Disable Controlled Folder Access - Rule", "ESCU - Windows Impair Defense Disable Defender Firewall And Network - Rule", "ESCU - Windows Impair Defense Disable Defender Protocol Recognition - Rule", "ESCU - Windows Impair Defense Disable PUA Protection - Rule", "ESCU - Windows Impair Defense Disable Realtime Signature Delivery - Rule", "ESCU - Windows Impair Defense Disable Web Evaluation - Rule", "ESCU - Windows Impair Defense Disable Win Defender App Guard - Rule", "ESCU - Windows Impair Defense Disable Win Defender Compute File Hashes - Rule", "ESCU - Windows Impair Defense Disable Win Defender Gen reports - Rule", "ESCU - Windows Impair Defense Disable Win Defender Network Protection - Rule", "ESCU - Windows Impair Defense Disable Win Defender Report Infection - Rule", "ESCU - Windows Impair Defense Disable Win Defender Scan On Update - Rule", "ESCU - Windows Impair Defense Disable Win Defender Signature Retirement - Rule", "ESCU - Windows Impair Defense Overide Win Defender Phishing Filter - Rule", "ESCU - Windows Impair Defense Override SmartScreen Prompt - Rule", "ESCU - Windows Impair Defense Set Win Defender Smart Screen Level To Warn - Rule", "ESCU - Windows Impair Defenses Disable HVCI - Rule", "ESCU - Windows Impair Defenses Disable Win Defender Auto Logging - Rule", "ESCU - Windows Known Abused DLL Created - Rule", "ESCU - Windows Modify Show Compress Color And Info Tip Registry - Rule", "ESCU - Windows Parent PID Spoofing with Explorer - Rule", "ESCU - Windows PowerShell Disable HTTP Logging - Rule", "ESCU - Windows Process With NamedPipe CommandLine - Rule", "ESCU - Windows Rasautou DLL Execution - Rule", "ESCU - Windows UAC Bypass Suspicious Child Process - Rule", "ESCU - Windows UAC Bypass Suspicious Escalation Behavior - Rule", "ESCU - WSReset UAC Bypass - Rule", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"] -description = Detect tactics used by malware to evade defenses on Windows endpoints. A few of these include suspicious `reg.exe` processes, files hidden with `attrib.exe` and disabling user-account control, among many others -narrative = Defense evasion is a tactic--identified in the MITRE ATT&CK framework--that adversaries employ in a variety of ways to bypass or defeat defensive security measures. There are many techniques enumerated by the MITRE ATT&CK framework that are applicable in this context. This Analytic Story includes searches designed to identify the use of such techniques on Windows platforms. - -[analytic_story://Windows Discovery Techniques] -category = Adversary Tactics -last_updated = 2021-03-04 -version = 1 -references = ["https://attack.mitre.org/tactics/TA0007/", "https://cyberd.us/penetration-testing", "https://attack.mitre.org/software/S0521/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Hart"}] -spec_version = 3 -searches = ["ESCU - Detect AzureHound Command-Line Arguments - Rule", "ESCU - Detect AzureHound File Modifications - Rule", "ESCU - Detect SharpHound Command-Line Arguments - Rule", "ESCU - Detect SharpHound File Modifications - Rule", "ESCU - Detect SharpHound Usage - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Traffic to Active Directory Web Services Protocol - Rule", "ESCU - System Information Discovery Detection - Rule", "ESCU - Windows SOAPHound Binary Execution - Rule"] -description = Monitors for behaviors associated with adversaries discovering objects in the environment that can be leveraged in the progression of the attack. -narrative = Attackers may not have much if any insight into their target's environment before the initial compromise. Once a foothold has been established, attackers will start enumerating objects in the environment (accounts, services, network shares, etc.) that can be used to achieve their objectives. This Analytic Story provides searches to help identify activities consistent with adversaries gaining knowledge of compromised Windows environments. - -[analytic_story://Windows DNS SIGRed CVE-2020-1350] -category = Adversary Tactics -last_updated = 2020-07-28 -version = 1 -references = ["https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", "https://support.microsoft.com/en-au/help/4569509/windows-dns-server-remote-code-execution-vulnerability"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Shannon Davis"}] -spec_version = 3 -searches = ["ESCU - Detect Windows DNS SIGRed via Splunk Stream - Rule", "ESCU - Detect Windows DNS SIGRed via Zeek - Rule", "ESCU - Get Notable History - Response Task"] -description = Uncover activity consistent with CVE-2020-1350, or SIGRed. Discovered by Checkpoint researchers, this vulnerability affects Windows 2003 to 2019, and is triggered by a malicious DNS response (only affects DNS over TCP). An attacker can use the malicious payload to cause a buffer overflow on the vulnerable system, leading to compromise. The included searches in this Analytic Story are designed to identify the large response payload for SIG and KEY DNS records which can be used for the exploit. -narrative = When a client requests a DNS record for a particular domain, that request gets routed first through the client's locally configured DNS server, then to any DNS server(s) configured as forwarders, and then onto the target domain's own DNS server(s). If a attacker wanted to, they could host a malicious DNS server that responds to the initial request with a specially crafted large response (~65KB). This response would flow through to the client's local DNS server, which if not patched for CVE-2020-1350, would cause the buffer overflow. The detection searches in this Analytic Story use wire data to detect the malicious behavior. Searches for Splunk Stream and Zeek are included. The Splunk Stream search correlates across stream:dns and stream:tcp, while the Zeek search correlates across bro:dns:json and bro:conn:json. These correlations are required to pick up both the DNS record types (SIG and KEY) along with the payload size (>65KB). - -[analytic_story://Windows Drivers] -category = Adversary Tactics -last_updated = 2022-03-30 -version = 1 -references = ["https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/", "https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf", "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Windows Driver Inventory - Rule", "ESCU - Windows Driver Load Non-Standard Path - Rule", "ESCU - Windows Drivers Loaded by Signature - Rule", "ESCU - Windows Registry Certificate Added - Rule", "ESCU - Windows Registry Modification for Safe Mode Persistence - Rule", "ESCU - Windows Service Create Kernel Mode Driver - Rule", "ESCU - Windows System File on Disk - Rule", "ESCU - Windows Vulnerable Driver Loaded - Rule"] -description = Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. -narrative = A rootkit on Windows may sometimes be in the form of a Windows Driver. A driver typically has a file extension of .sys, however the internals of a sys file is similar to a Windows DLL. For Microsoft Windows to load a driver, a few requirements are needed. First, it must have a valid signature. Second, typically it should load from the windows\system32\drivers path. There are a few methods to investigate drivers in the environment. Drivers are noisy. An inventory of all drivers is important to understand prevalence. A driver location (Path) is also important when attempting to baseline. Looking at a driver name and path is not enough, we must also explore the signing information. Product, description, company name, signer and signing result are all items to take into account when reviewing drivers. What makes a driver malicious? Depending if a driver was dropped during a campaign or you are baselining drivers after, triaging a driver to determine maliciousness may be tough. We break this into two categories - 1. vulnerable drivers 2. driver rootkits. Attempt to identify prevelance of the driver. Is it on one or many? Review the signing information if it is present. Is it common? A lot of driver hunting will lead down rabbit holes, but we hope to help lead the way. - -[analytic_story://Windows Error Reporting Service Elevation of Privilege Vulnerability] -category = Adversary Tactics -last_updated = 2023-08-24 -version = 1 -references = ["https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - Windows Process Injection Wermgr Child Process - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule"] -description = In July 2023, CrowdStrike's Falcon Complete managed detection and response (MDR) team uncovered an exploit kit using an unknown vulnerability in the Windows Error Reporting (WER) component. The vulnerability, now identified as CVE-2023-36874, was also independently discovered by Google's Threat Analysis Group. The exploit came to light when suspicious binaries were observed on a European technology system. CrowdStrike's Counter Adversary Operations' analysis revealed a zero-day exploit targeting the WER service, allowing attackers to execute unauthorized code with elevated privileges. The exploit kit seen aimed to spawn a privileged interpreter, displaying the versatility and adaptability of the threat. CrowdStrike has listed some potential indicators of compromise, but these are of low fidelity due to their mutable nature. -narrative = In June 2023, CrowdStrike's Falcon Complete team observed suspicious activities on a European technology entity's system. Multiple binaries were dropped onto the system via Remote Desktop Protocol (RDP), some of which were flagged as potential exploits for a known vulnerability. However, a string containing the Russian term for "0day" suggested an unknown vulnerability was at play. Subsequent investigations identified this as a zero-day vulnerability affecting the Windows Error Reporting (WER) component, now known as CVE-2023-36874. \ -The WER service's function is to report software issues on Windows hosts. The exploit centered around manipulating the WER service by redirecting file systems to execute attacker-controlled code with elevated privileges. This was achieved by creating a symbolic link redirection from the C:\ drive to an attacker-controlled directory, and then triggering certain WER functions. Consequently, an unauthorized executable was run instead of the legitimate one, giving the attacker high-level access. \ -The observed exploit kit's primary objective was to initiate a privileged interpreter, such as cmd.exe or powershell_ise.exe. If this couldn't be achieved, a privileged scheduled task was created as an alternative. The exploit kit showcased a range of binaries, some packed and others not, some in C++ and others in pure C. This diversity suggests the knowledge of the vulnerability was likely shared among different developers. \ -CrowdStrike's Counter Adversary Operations, as of now, hasn't linked this activity to any specific threat actor. They've provided potential indicators of compromise, but caution that these are easily changed, indicating the advanced capabilities of the adversaries. - -[analytic_story://Windows File Extension and Association Abuse] -category = Malware -last_updated = 2018-01-26 -version = 1 -references = ["https://blog.malwarebytes.com/cybercrime/2013/12/file-extensions-2/", "https://attack.mitre.org/wiki/Technique/T1042"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Rico Valdez"}] -spec_version = 3 -searches = ["ESCU - Execution of File With Spaces Before Extension - Rule", "ESCU - Suspicious Changes to File Associations - Rule", "ESCU - Execution of File with Multiple Extensions - Rule", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"] -description = Detect and investigate suspected abuse of file extensions and Windows file associations. Some of the malicious behaviors involved may include inserting spaces before file extensions or prepending the file extension with a different one, among other techniques. -narrative = Attackers use a variety of techniques to entice users to run malicious code or to persist on an endpoint. One way to accomplish these goals is to leverage file extensions and the mechanism Windows uses to associate files with specific applications. \ -Since its earliest days, Windows has used extensions to identify file types. Users have become familiar with these extensions and their application associations. For example, if users see that a file ends in `.doc` or `.docx`, they will assume that it is a Microsoft Word document and expect that double-clicking will open it using `winword.exe`. The user will typically also presume that the `.docx` file is safe. \ -Attackers take advantage of this expectation by obfuscating the true file extension. They can accomplish this in a couple of ways. One technique involves inserting multiple spaces in the file name before the extension to hide the extension from the GUI, obscuring the true nature of the file. Another approach involves prepending the real extension with a different one. This is especially effective when Windows is configured to "hide extensions for known file types." In this case, the real extension is not displayed, but the prepended one is, leading end users to believe the file is a different type than it actually is. \ -Changing the association between a file extension and an application can allow an attacker to execute arbitrary code. The technique typically involves changing the association for an often-launched file type to associate instead with a malicious program the attacker has dropped on the endpoint. When the end user launches a file that has been manipulated in this way, it will execute the attacker's malware. It will also execute the application the end user expected to run, cleverly obscuring the fact that something suspicious has occurred. \ -Run the searches in this story to detect and investigate suspicious behavior that may indicate abuse or manipulation of Windows file extensions and/or associations. - -[analytic_story://Windows Log Manipulation] -category = Adversary Tactics -last_updated = 2017-09-12 -version = 2 -references = ["https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", "https://zeltser.com/security-incident-log-review-checklist/", "http://journeyintoir.blogspot.com/2013/01/re-introducing-usnjrnl.html"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Rico Valdez"}] -spec_version = 3 -searches = ["ESCU - Deleting Shadow Copies - Rule", "ESCU - Suspicious Event Log Service Behavior - Rule", "ESCU - Suspicious wevtutil Usage - Rule", "ESCU - USN Journal Deletion - Rule", "ESCU - Windows Event Log Cleared - Rule", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"] -description = Adversaries often try to cover their tracks by manipulating Windows logs. Use these searches to help you monitor for suspicious activity surrounding log files--an essential component of an effective defense. -narrative = Because attackers often modify system logs to cover their tracks and/or to thwart the investigative process, log monitoring is an industry-recognized best practice. While there are legitimate reasons to manipulate system logs, it is still worthwhile to keep track of who manipulated the logs, when they manipulated them, and in what way they manipulated them (determining which accesses, tools, or utilities were employed). Even if no malicious activity is detected, the knowledge of an attempt to manipulate system logs may be indicative of a broader security risk that should be thoroughly investigated. \ -The Analytic Story gives users two different ways to detect manipulation of Windows Event Logs and one way to detect deletion of the Update Sequence Number (USN) Change Journal. The story helps determine the history of the host and the users who have accessed it. Finally, the story aides in investigation by retrieving all the information on the process that caused these events (if the process has been identified). - -[analytic_story://Windows Persistence Techniques] -category = Adversary Tactics -last_updated = 2018-05-31 -version = 2 -references = ["http://www.fuzzysecurity.com/tutorials/19.html", "https://www.fireeye.com/blog/threat-research/2010/07/malware-persistence-windows-registry.html", "http://resources.infosecinstitute.com/common-malware-persistence-mechanisms/", "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html", "https://www.youtube.com/watch?v=dq2Hv7J9fvk"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Bhavin Patel"}] -spec_version = 3 -searches = ["ESCU - Reg exe used to hide files directories via registry keys - Rule", "ESCU - Remote Registry Key modifications - Rule", "ESCU - Active Setup Registry Autostart - Rule", "ESCU - Certutil exe certificate extraction - Rule", "ESCU - Change Default File Association - Rule", "ESCU - Detect Path Interception By Creation Of program exe - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Hiding Files And Directories With Attrib exe - Rule", "ESCU - Logon Script Event Trigger Execution - Rule", "ESCU - Monitor Registry Keys for Print Monitors - Rule", "ESCU - Print Processor Registry Autostart - Rule", "ESCU - Reg exe Manipulating Windows Services Registry Keys - Rule", "ESCU - Registry Keys for Creating SHIM Databases - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Schedule Task with HTTP Command Arguments - Rule", "ESCU - Schedule Task with Rundll32 Command Trigger - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks used for forcing a reboot - Rule", "ESCU - Screensaver Event Trigger Execution - Rule", "ESCU - Shim Database File Creation - Rule", "ESCU - Shim Database Installation With Suspicious Parameters - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Time Provider Persistence Registry - Rule", "ESCU - Windows AD DSRM Account Changes - Rule", "ESCU - Windows AD Same Domain SID History Addition - Rule", "ESCU - Windows Event Triggered Image File Execution Options Injection - Rule", "ESCU - Windows Mshta Execution In Registry - Rule", "ESCU - Windows Registry Delete Task SD - Rule", "ESCU - Windows Scheduled Task Service Spawned Shell - Rule", "ESCU - Windows Schtasks Create Run As System - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"] -description = Monitor for activities and techniques associated with maintaining persistence on a Windows system--a sign that an adversary may have compromised your environment. -narrative = Maintaining persistence is one of the first steps taken by attackers after the initial compromise. Attackers leverage various custom and built-in tools to ensure survivability and persistent access within a compromised enterprise. This Analytic Story provides searches to help you identify various behaviors used by attackers to maintain persistent access to a Windows environment. - -[analytic_story://Windows Post-Exploitation] -category = Adversary Tactics -last_updated = 2022-11-30 -version = 1 -references = ["https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Teoderick Contreras"}] -spec_version = 3 -searches = ["ESCU - Create or delete windows shares using net exe - Rule", "ESCU - Domain Group Discovery With Net - Rule", "ESCU - Excessive Usage Of Cacls App - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Connection Discovery With Net - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Network Discovery Using Route Windows App - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Windows Cached Domain Credentials Reg Query - Rule", "ESCU - Windows ClipBoard Data via Get-ClipBoard - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows Credentials from Password Stores Query - Rule", "ESCU - Windows Credentials in Registry Reg Query - Rule", "ESCU - Windows Indirect Command Execution Via forfiles - Rule", "ESCU - Windows Indirect Command Execution Via Series Of Forfiles - Rule", "ESCU - Windows Information Discovery Fsutil - Rule", "ESCU - Windows Modify Registry Reg Restore - Rule", "ESCU - Windows Password Managers Discovery - Rule", "ESCU - Windows Post Exploitation Risk Behavior - Rule", "ESCU - Windows Private Keys Discovery - Rule", "ESCU - Windows Query Registry Reg Save - Rule", "ESCU - Windows Security Support Provider Reg Query - Rule", "ESCU - Windows Steal or Forge Kerberos Tickets Klist - Rule", "ESCU - Windows System Network Config Discovery Display DNS - Rule", "ESCU - Windows System Network Connections Discovery Netsh - Rule", "ESCU - Windows System User Discovery Via Quser - Rule", "ESCU - Windows WMI Process And Service List - Rule"] -description = This analytic story identifies popular Windows post exploitation tools for example winpeas.bat, winpeas.exe, WinPrivCheck.bat and many more. -narrative = These tools allow operators to find possible exploits or paths for privilege escalation and persistence on a targeted host. Ransomware operator like the "Prestige ransomware" also used or abuses these post exploitation tools such as winPEAS to scan for possible avenue to gain privileges and persistence to a targeted Windows Operating System. - -[analytic_story://Windows Privilege Escalation] -category = Adversary Tactics -last_updated = 2020-02-04 -version = 2 -references = ["https://attack.mitre.org/tactics/TA0004/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "David Dorsey"}] -spec_version = 3 -searches = ["ESCU - Uncommon Processes On Endpoint - Rule", "ESCU - Active Setup Registry Autostart - Rule", "ESCU - Change Default File Association - Rule", "ESCU - Child Processes of Spoolsv exe - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Kerberoasting spn request with RC4 encryption - Rule", "ESCU - Logon Script Event Trigger Execution - Rule", "ESCU - MSI Module Loaded by Non-System Binary - Rule", "ESCU - Overwriting Accessibility Binaries - Rule", "ESCU - Print Processor Registry Autostart - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule", "ESCU - Runas Execution in CommandLine - Rule", "ESCU - Screensaver Event Trigger Execution - Rule", "ESCU - Time Provider Persistence Registry - Rule", "ESCU - Windows Privilege Escalation Suspicious Process Elevation - Rule", "ESCU - Windows Privilege Escalation System Process Without System Parent - Rule", "ESCU - Windows Privilege Escalation User Process Spawn System Process - Rule", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"] -description = Monitor for and investigate activities that may be associated with a Windows privilege-escalation attack, including unusual processes running on endpoints, modified registry keys, and more. -narrative = Privilege escalation is a "land-and-expand" technique, wherein an adversary gains an initial foothold on a host and then exploits its weaknesses to increase his privileges. The motivation is simple: certain actions on a Windows machine--such as installing software--may require higher-level privileges than those the attacker initially acquired. By increasing his privilege level, the attacker can gain the control required to carry out his malicious ends. This Analytic Story provides searches to detect and investigate behaviors that attackers may use to elevate their privileges in your environment. - -[analytic_story://Windows Registry Abuse] -category = Malware -last_updated = 2022-03-17 -version = 1 -references = ["https://attack.mitre.org/techniques/T1112/", "https://redcanary.com/blog/windows-registry-attacks-threat-detection/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Teoderick Contreras"}] -spec_version = 3 -searches = ["ESCU - Allow Inbound Traffic By Firewall Rule Registry - Rule", "ESCU - Allow Operation with Consent Admin - Rule", "ESCU - Attempted Credential Dump From Registry via Reg exe - Rule", "ESCU - Auto Admin Logon Registry Entry - Rule", "ESCU - Change Default File Association - Rule", "ESCU - Disable AMSI Through Registry - Rule", "ESCU - Disable Defender AntiVirus Registry - Rule", "ESCU - Disable Defender BlockAtFirstSeen Feature - Rule", "ESCU - Disable Defender Enhanced Notification - Rule", "ESCU - Disable Defender MpEngine Registry - Rule", "ESCU - Disable Defender Spynet Reporting - Rule", "ESCU - Disable Defender Submit Samples Consent Feature - Rule", "ESCU - Disable ETW Through Registry - Rule", "ESCU - Disable Registry Tool - Rule", "ESCU - Disable Security Logs Using MiniNt Registry - Rule", "ESCU - Disable Show Hidden Files - Rule", "ESCU - Disable UAC Remote Restriction - Rule", "ESCU - Disable Windows App Hotkeys - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Disable Windows SmartScreen Protection - Rule", "ESCU - Disabling CMD Application - Rule", "ESCU - Disabling ControlPanel - Rule", "ESCU - Disabling Defender Services - Rule", "ESCU - Disabling FolderOptions Windows Feature - Rule", "ESCU - Disabling NoRun Windows App - Rule", "ESCU - Disabling Remote User Account Control - Rule", "ESCU - Disabling SystemRestore In Registry - Rule", "ESCU - Disabling Task Manager - Rule", "ESCU - Disabling Windows Local Security Authority Defences via Registry - Rule", "ESCU - Enable RDP In Other Port Number - Rule", "ESCU - Enable WDigest UseLogonCredential Registry - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Eventvwr UAC Bypass - Rule", "ESCU - Hide User Account From Sign-In Screen - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - Monitor Registry Keys for Print Monitors - Rule", "ESCU - Registry Keys for Creating SHIM Databases - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule", "ESCU - Remcos client registry install entry - Rule", "ESCU - Revil Registry Entry - Rule", "ESCU - Screensaver Event Trigger Execution - Rule", "ESCU - Sdclt UAC Bypass - Rule", "ESCU - SilentCleanup UAC Bypass - Rule", "ESCU - Time Provider Persistence Registry - Rule", "ESCU - Windows AD DSRM Account Changes - Rule", "ESCU - Windows Autostart Execution LSASS Driver Registry Modification - Rule", "ESCU - Windows Disable Lock Workstation Feature Through Registry - Rule", "ESCU - Windows Disable LogOff Button Through Registry - Rule", "ESCU - Windows Disable Memory Crash Dump - Rule", "ESCU - Windows Disable Notification Center - Rule", "ESCU - Windows Disable Shutdown Button Through Registry - Rule", "ESCU - Windows Disable Windows Group Policy Features Through Registry - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows Hide Notification Features Through Registry - Rule", "ESCU - Windows Impair Defense Change Win Defender Health Check Intervals - Rule", "ESCU - Windows Impair Defense Change Win Defender Quick Scan Interval - Rule", "ESCU - Windows Impair Defense Change Win Defender Throttle Rate - Rule", "ESCU - Windows Impair Defense Change Win Defender Tracing Level - Rule", "ESCU - Windows Impair Defense Configure App Install Control - Rule", "ESCU - Windows Impair Defense Define Win Defender Threat Action - Rule", "ESCU - Windows Impair Defense Delete Win Defender Context Menu - Rule", "ESCU - Windows Impair Defense Delete Win Defender Profile Registry - Rule", "ESCU - Windows Impair Defense Disable Controlled Folder Access - Rule", "ESCU - Windows Impair Defense Disable Defender Firewall And Network - Rule", "ESCU - Windows Impair Defense Disable Defender Protocol Recognition - Rule", "ESCU - Windows Impair Defense Disable PUA Protection - Rule", "ESCU - Windows Impair Defense Disable Realtime Signature Delivery - Rule", "ESCU - Windows Impair Defense Disable Web Evaluation - Rule", "ESCU - Windows Impair Defense Disable Win Defender App Guard - Rule", "ESCU - Windows Impair Defense Disable Win Defender Compute File Hashes - Rule", "ESCU - Windows Impair Defense Disable Win Defender Gen reports - Rule", "ESCU - Windows Impair Defense Disable Win Defender Network Protection - Rule", "ESCU - Windows Impair Defense Disable Win Defender Report Infection - Rule", "ESCU - Windows Impair Defense Disable Win Defender Scan On Update - Rule", "ESCU - Windows Impair Defense Disable Win Defender Signature Retirement - Rule", "ESCU - Windows Impair Defense Overide Win Defender Phishing Filter - Rule", "ESCU - Windows Impair Defense Override SmartScreen Prompt - Rule", "ESCU - Windows Impair Defense Set Win Defender Smart Screen Level To Warn - Rule", "ESCU - Windows Impair Defenses Disable HVCI - Rule", "ESCU - Windows Impair Defenses Disable Win Defender Auto Logging - Rule", "ESCU - Windows Modify Registry Risk Behavior - Rule", "ESCU - Windows Modify Show Compress Color And Info Tip Registry - Rule", "ESCU - Windows Registry Certificate Added - Rule", "ESCU - Windows Registry Delete Task SD - Rule", "ESCU - Windows Registry Modification for Safe Mode Persistence - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule", "ESCU - WSReset UAC Bypass - Rule"] -description = Windows services are often used by attackers for persistence, privilege escalation, lateral movement, defense evasion, collection of data, a tool for recon, credential dumping and payload impact. This Analytic Story helps you monitor your environment for indications that Windows registry are being modified or created in a suspicious manner. -narrative = Windows Registry is one of the powerful and yet still mysterious Windows features that can tweak or manipulate Windows policies and low-level configuration settings. Because of this capability, most malware, adversaries or threat actors abuse this hierarchical database to do their malicious intent on a targeted host or network environment. In these cases, attackers often use tools to create or modify registry in ways that are not typical for most environments, providing opportunities for detection. - -[analytic_story://Windows Service Abuse] -category = Malware -last_updated = 2017-11-02 -version = 3 -references = ["https://attack.mitre.org/wiki/Technique/T1050", "https://attack.mitre.org/wiki/Technique/T1031"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Rico Valdez"}] -spec_version = 3 -searches = ["ESCU - First Time Seen Running Windows Service - Rule", "ESCU - Reg exe Manipulating Windows Services Registry Keys - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"] -description = Windows services are often used by attackers for persistence and the ability to load drivers or otherwise interact with the Windows kernel. This Analytic Story helps you monitor your environment for indications that Windows services are being modified or created in a suspicious manner. -narrative = The Windows operating system uses a services architecture to allow for running code in the background, similar to a UNIX daemon. Attackers will often leverage Windows services for persistence, hiding in plain sight, seeking the ability to run privileged code that can interact with the kernel. In many cases, attackers will create a new service to host their malicious code. Attackers have also been observed modifying unnecessary or unused services to point to their own code, as opposed to what was intended. In these cases, attackers often use tools to create or modify services in ways that are not typical for most environments, providing opportunities for detection. - -[analytic_story://Windows System Binary Proxy Execution MSIExec] -category = Adversary Tactics -last_updated = 2022-06-16 -version = 1 -references = ["https://attack.mitre.org/techniques/T1218/007/"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - Windows MSIExec DLLRegisterServer - Rule", "ESCU - Windows MSIExec Remote Download - Rule", "ESCU - Windows MSIExec Spawn Discovery Command - Rule", "ESCU - Windows MSIExec Unregister DLLRegisterServer - Rule", "ESCU - Windows MSIExec With Network Connections - Rule"] -description = Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi). -narrative = Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs. Since it may be signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. Msiexec.exe execution may also be elevated to SYSTEM privileges if the AlwaysInstallElevated policy is enabled. - -[analytic_story://WinRAR Spoofing Attack CVE-2023-38831] -category = Adversary Tactics -last_updated = 2023-08-29 -version = 1 -references = ["https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/", "https://nvd.nist.gov/vuln/detail/CVE-2023-38831"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - WinRAR Spawning Shell Application - Rule"] -description = Group-IB Threat Intelligence unit discovered a zero-day vulnerability, CVE-2023-38831, in WinRAR, a popular compression tool. Cybercriminals exploited this vulnerability to deliver various malware families, including DarkMe and GuLoader, by crafting ZIP archives with spoofed extensions, which were then distributed on trading forums. Once the malware was executed, it allowed cybercriminals to withdraw funds from brokers' accounts. RARLAB was immediately notified about the vulnerability and released a patch. Group-IB recommends users update WinRAR to the latest version, stay informed about cyber threats, be cautious with unknown attachments, enable 2FA, backup data, and follow the principle of least privilege. -narrative = Group-IB Threat Intelligence unit identified a critical zero-day vulnerability, CVE-2023-38831, in WinRAR, a widely used compression tool. This vulnerability was exploited by cybercriminals to craft ZIP archives containing malicious and non-malicious files, distributed on specialized trading forums. The exploit allowed them to spoof file extensions, hiding the launch of malicious scripts within an archive masquerading as a '.jpg', '.txt', or any other file format. When victims opened the specially crafted archive, it executed the malware, leading to unauthorized access to their broker accounts and enabling the cybercriminals to perform illicit financial transactions and withdraw funds. \ -The vulnerability was discovered while researching the spread of DarkMe malware, a VisualBasic spy Trojan attributed to the financially motivated group, Evilnum. The malware was distributed alongside other malware families, such as GuLoader and Remcos RAT, via malicious ZIP archives posted on popular trading forums or distributed via file-sharing services. Despite efforts by forum administrators to warn users and disable threat actors' accounts, the cybercriminals continued to spread the malicious files, compromising devices, and leading to financial losses. \ -Group-IB immediately notified RARLAB about the vulnerability, and they promptly responded by issuing a patch. The beta version of the patch was released on July 20, 2023, and the final updated version, WinRAR 6.23, was released on August 2, 2023. Group-IB recommends all users install the latest version of WinRAR to mitigate the risk of exploitation. \ -In conclusion, the exploitation of the CVE-2023-38831 vulnerability highlights the constant risks associated with software vulnerabilities and the importance of remaining vigilant, keeping systems updated, and following security guidelines to avoid falling victim to such attacks. Collaboration between security researchers and software developers is essential to quickly identify and fix vulnerabilities, making it harder for cybercriminals to exploit them. - -[analytic_story://Winter Vivern] -category = Malware -last_updated = 2023-02-16 -version = 1 -references = ["https://cert.gov.ua/article/3761023"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Teoderick Contreras"}] -spec_version = 3 -searches = ["ESCU - Any Powershell DownloadString - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - GetWmiObject User Account with PowerShell - Rule", "ESCU - GetWmiObject User Account with PowerShell Script Block - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Schedule Task with HTTP Command Arguments - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - System User Discovery With Whoami - Rule", "ESCU - Windows Exfiltration Over C2 Via Invoke RestMethod - Rule", "ESCU - Windows Exfiltration Over C2 Via Powershell UploadString - Rule", "ESCU - Windows Scheduled Task Created Via XML - Rule", "ESCU - Windows Screen Capture Via Powershell - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"] -description = Utilize searches that enable you to detect and investigate unusual activities potentially related to the Winter Vivern malicious software. This includes examining multiple timeout executions, scheduled task creations, screenshots, and downloading files through PowerShell, among other indicators. -narrative = The Winter Vivern malware, identified by CERT UA, is designed to download and run multiple PowerShell scripts on targeted hosts. These scripts aim to gather a variety of files with specific extensions, including (.edb, .ems, .eme, .emz, .key, .pem, .ovpn, .bat, .cer, .p12, .cfg, .log, .txt, .pdf, .doc, .docx, .xls, .xlsx, and .rdg), primarily from desktop directories. In addition to this, the malware captures desktop screenshots and performs data exfiltration using HTTP. To maintain its presence on the targeted host, Winter Vivern also establishes a persistence mechanism, such as creating a scheduled task. - -[analytic_story://WordPress Vulnerabilities] -category = Adversary Tactics -last_updated = 2024-02-22 -version = 1 -references = ["https://attack.mitre.org/techniques/T1190", "https://github.com/Tornad0007/CVE-2024-25600-Bricks-Builder-plugin-for-WordPress/blob/main/exploit.py", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25600", "https://op-c.net/blog/cve-2024-25600-wordpresss-bricks-builder-rce-flaw-under-active-exploitation/", "https://thehackernews.com/2024/02/wordpress-bricks-theme-under-active.html"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - WordPress Bricks Builder plugin RCE - Rule"] -description = This analytic story provides a collection of analytics that detect potential exploitation of WordPress vulnerabilities. The analytics are focused on the detection of known vulnerabilities in WordPress plugins and themes. -narrative = The following collection of analytics are focused on the detection of known vulnerabilities in WordPress plugins and themes. The analytics are focused on the detection of known vulnerabilities in WordPress plugins and themes. - -[analytic_story://WS FTP Server Critical Vulnerabilities] -category = Adversary Tactics -last_updated = 2023-10-01 -version = 1 -references = ["https://www.assetnote.io/resources/research/rce-in-progress-ws-ftp-ad-hoc-via-iis-http-modules-cve-2023-40044", "https://community.progress.com/s/article/WS-FTP-Server-Critical-Vulnerability-September-2023", "https://www.cve.org/CVERecord?id=CVE-2023-40044", "https://www.rapid7.com/blog/post/2023/09/29/etr-critical-vulnerabilities-in-ws_ftp-server/", "https://www.splunk.com/en_us/blog/security/fantastic-iis-modules-and-how-to-find-them.html"] -maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] -spec_version = 3 -searches = ["ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows IIS Components Get-WebGlobalModule Module Query - Rule", "ESCU - WS FTP Remote Code Execution - Rule"] -description = A critical security advisory was released by Progress Software on September 27, 2023, concerning multiple vulnerabilities in WS_FTP Server, a widely-used secure file transfer solution. The two critical vulnerabilities are CVE-2023-40044, a .NET deserialization flaw, and CVE-2023-42657, a directory traversal vulnerability. Rapid7 has observed active exploitation of these vulnerabilities. Affected versions are prior to 8.7.4 and 8.8.2. Immediate action is advised - upgrade to WS_FTP Server version 8.8.2. For those unable to update, disabling the Ad Hoc Transfer module is suggested as a temporary measure. This comes in the wake of increased scrutiny following the Cl0p ransomware attack on MOVEit Transfer in May 2023. -narrative = Two critical vulnerabilities have been identified in WS_FTP Server, a widely-used secure file transfer solution. The first, CVE-2023-40044, is a .NET deserialization flaw that targets the Ad Hoc Transfer module of WS_FTP Server versions earlier than 8.7.4 and 8.8.2. This flaw allows an attacker to execute arbitrary commands on the server's operating system without needing authentication. The second vulnerability, CVE-2023-42657, is a directory traversal flaw that allows attackers to perform unauthorized file operations outside of their authorized WS_FTP folder. In severe cases, the attacker could escape the WS_FTP Server file structure and perform operations on the underlying operating system. Both vulnerabilities have been observed being exploited in the wild and immediate action for mitigation is strongly advised. Updating to WS_FTP Server version 8.8.2 is recommended. For those unable to update, disabling the Ad Hoc Transfer module is suggested as a temporary measure. - -[analytic_story://XMRig] -category = Malware -last_updated = 2021-05-07 -version = 1 -references = ["https://github.com/xmrig/xmrig", "https://www.getmonero.org/resources/user-guides/mine-to-pool.html", "https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/", "https://blog.checkpoint.com/2021/03/11/february-2021s-most-wanted-malware-trickbot-takes-over-following-emotet-shutdown/"] -maintainers = [{"company": "Rod Soto Splunk", "email": "-", "name": "Teoderick Contreras"}] -spec_version = 3 -searches = ["ESCU - Attacker Tools On Endpoint - Rule", "ESCU - Deleting Of Net Users - Rule", "ESCU - Disable Windows App Hotkeys - Rule", "ESCU - Disabling Net User Account - Rule", "ESCU - Download Files Using Telegram - Rule", "ESCU - Enumerate Users Local Group Using Telegram - Rule", "ESCU - Excessive Attempt To Disable Services - Rule", "ESCU - Excessive Service Stop Attempt - Rule", "ESCU - Excessive Usage Of Cacls App - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Excessive Usage Of Taskkill - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Hide User Account From Sign-In Screen - Rule", "ESCU - Icacls Deny Command - Rule", "ESCU - ICACLS Grant Command - Rule", "ESCU - Modify ACL permission To Files Or Folder - Rule", "ESCU - Process Kill Base On File Path - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Suspicious Driver Loaded Path - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - XMRIG Driver Loaded - Rule"] -description = Leverage searches that allow you to detect and investigate unusual activities that might relate to the xmrig monero, including looking for file writes associated with its payload, process command-line, defense evasion (killing services, deleting users, modifying files or folder permission, killing other malware or other coin miner) and hacking tools including Telegram as mean of Command And Control (C2) to download other files. Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems which may impact system and/or hosted service availability. One common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive. (1) Servers and cloud-based (2) systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining. -narrative = XMRig is a high performance, open source, cross platform RandomX, KawPow, CryptoNight and AstroBWT unified CPU/GPU miner. This monero is seen in the wild on May 2017. - -[analytic_story://Zscaler Browser Proxy Threats] -category = Adversary Tactics -last_updated = 2023-10-25 -version = 1 -references = ["https://threatlibrary.zscaler.com/", "https://help.zscaler.com/zia/about-threat-categories"] -maintainers = [{"company": "Gowthamaraj Rajendran", "email": "-", "name": "Rod Soto"}] -spec_version = 3 -searches = ["ESCU - Zscaler Adware Activities Threat Blocked - Rule", "ESCU - Zscaler Behavior Analysis Threat Blocked - Rule", "ESCU - Zscaler CryptoMiner Downloaded Threat Blocked - Rule", "ESCU - Zscaler Employment Search Web Activity - Rule", "ESCU - Zscaler Exploit Threat Blocked - Rule", "ESCU - Zscaler Legal Liability Threat Blocked - Rule", "ESCU - Zscaler Malware Activity Threat Blocked - Rule", "ESCU - Zscaler Phishing Activity Threat Blocked - Rule", "ESCU - Zscaler Potentially Abused File Download - Rule", "ESCU - Zscaler Privacy Risk Destinations Threat Blocked - Rule", "ESCU - Zscaler Scam Destinations Threat Blocked - Rule", "ESCU - Zscaler Virus Download threat blocked - Rule"] -description = Leverage searches that allow you to detect and investigate unusual activities that might relate to malicious activity from Zscaler. This also encompasses monitoring for events such as users downloading harmful files or accessing websites that pose a risk to system and network security. Additionally, the narrative extends to the detection of insider threats, ensuring comprehensive protection from both external and internal vulnerabilities. By leveraging Zscaler with Splunk, organizations can fortify their defenses, safeguarding against a wide spectrum of cyber threats and maintaining a secure operational environment. -narrative = Zscaler Client Connector is an application installed on your device to ensure that your internet traffic and access to your organization's internal apps are secure and in compliance with your organization's policies, even when you're off your corporate network. - -### END STORIES ### - -### RESPONSE TASKS ### - -[savedsearch://ESCU - All backup logs for host - Response Task] -type = investigation -explanation = none -how_to_implement = The successfully implement this search you must first send your backup logs to Splunk. -known_false_positives = not defined -earliest_time_offset = 14400 -latest_time_offset = 0 - -[savedsearch://ESCU - Amazon EKS Kubernetes activity by src ip - Response Task] -type = investigation -explanation = none -how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your Cloud Watch EKS inputs. -known_false_positives = not defined -earliest_time_offset = 14400 -latest_time_offset = 0 - -[savedsearch://ESCU - AWS Investigate Security Hub alerts by dest - Response Task] -type = investigation -explanation = none -how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. -known_false_positives = not defined -earliest_time_offset = 14400 -latest_time_offset = 0 - -[savedsearch://ESCU - AWS Investigate User Activities By AccessKeyId - Response Task] -type = investigation -explanation = none -how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. -known_false_positives = not defined -earliest_time_offset = 14400 -latest_time_offset = 0 - -[savedsearch://ESCU - AWS Investigate User Activities By ARN - Response Task] -type = investigation -explanation = none -how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. -known_false_positives = not defined -earliest_time_offset = 14400 -latest_time_offset = 0 - -[savedsearch://ESCU - AWS Network ACL Details from ID - Response Task] -type = investigation -explanation = none -how_to_implement = In order to implement this search, you must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS(version 4.4.0 or later) and configure your AWS description inputs. -known_false_positives = not defined -earliest_time_offset = 14400 -latest_time_offset = 0 - -[savedsearch://ESCU - AWS Network Interface details via resourceId - Response Task] -type = investigation -explanation = none -how_to_implement = In order to implement this search, you must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS(version 4.4.0 or later) and configure your AWS configuration inputs -known_false_positives = not defined -earliest_time_offset = 14400 -latest_time_offset = 0 - -[savedsearch://ESCU - AWS S3 Bucket details via bucketName - Response Task] -type = investigation -explanation = none -how_to_implement = To implement this search, you must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later) and configure your AWS inputs. -known_false_positives = not defined -earliest_time_offset = 14400 -latest_time_offset = 0 - -[savedsearch://ESCU - GCP Kubernetes activity by src ip - Response Task] -type = investigation -explanation = none -how_to_implement = You must install the GCP App for Splunk (version 2.0.0 or later), then configure stackdriver and set a Pub/Sub subscription to be imported to Splunk. You must also install Cloud Infrastructure data model.Customize the macro kubernetes_gcp_scan_fingerprint_attack_detection to filter out FPs. -known_false_positives = not defined -earliest_time_offset = 14400 -latest_time_offset = 0 - -[savedsearch://ESCU - Get All AWS Activity From City - Response Task] -type = investigation -explanation = none -how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. -known_false_positives = not defined -earliest_time_offset = 14400 -latest_time_offset = 0 - -[savedsearch://ESCU - Get All AWS Activity From Country - Response Task] -type = investigation -explanation = none -how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. -known_false_positives = not defined -earliest_time_offset = 14400 -latest_time_offset = 0 - -[savedsearch://ESCU - Get All AWS Activity From IP Address - Response Task] -type = investigation -explanation = none -how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. -known_false_positives = not defined -earliest_time_offset = 14400 -latest_time_offset = 0 - -[savedsearch://ESCU - Get All AWS Activity From Region - Response Task] -type = investigation -explanation = none -how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. -known_false_positives = not defined -earliest_time_offset = 14400 -latest_time_offset = 0 - -[savedsearch://ESCU - Get Backup Logs For Endpoint - Response Task] -type = investigation -explanation = none -how_to_implement = You must be ingesting your backup logs. -known_false_positives = not defined -earliest_time_offset = 14400 -latest_time_offset = 0 - -[savedsearch://ESCU - Get Certificate logs for a domain - Response Task] -type = investigation -explanation = none -how_to_implement = You must be ingesting your certificates or SSL logs from your network traffic into your Certificates datamodel. Please note the wildcard(*) before domain in the search syntax, we use to match for all domain and subdomain combinations -known_false_positives = not defined -earliest_time_offset = 14400 -latest_time_offset = 0 - -[savedsearch://ESCU - Get DNS Server History for a host - Response Task] -type = investigation -explanation = none -how_to_implement = To successfully implement this search, you must be ingesting your DNS traffic -known_false_positives = not defined -earliest_time_offset = 14400 -latest_time_offset = 0 - -[savedsearch://ESCU - Get DNS traffic ratio - Response Task] -type = investigation -explanation = none -how_to_implement = You must be ingesting your network traffic -known_false_positives = not defined -earliest_time_offset = 14400 -latest_time_offset = 0 - -[savedsearch://ESCU - Get EC2 Instance Details by instanceId - Response Task] -type = investigation -explanation = none -how_to_implement = In order to implement this search, you must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS(version 4.4.0 or later) and configure your AWS description inputs. -known_false_positives = not defined -earliest_time_offset = 14400 -latest_time_offset = 0 - -[savedsearch://ESCU - Get EC2 Launch Details - Response Task] -type = investigation -explanation = none -how_to_implement = In order to implement this search, you must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS(version 4.4.0 or later) and configure your AWS description inputs. -known_false_positives = not defined -earliest_time_offset = 14400 -latest_time_offset = 0 - -[savedsearch://ESCU - Get Email Info - Response Task] -type = investigation -explanation = none -how_to_implement = To successfully implement this search you must be ingesting your email logs or capturing unencrypted network traffic which contains email communications. -known_false_positives = not defined -earliest_time_offset = 14400 -latest_time_offset = 0 - -[savedsearch://ESCU - Get Emails From Specific Sender - Response Task] -type = investigation -explanation = none -how_to_implement = To successfully implement this search you must ingest your email logs or capture unencrypted email communications within network traffic, and populate the Email data model. -known_false_positives = not defined -earliest_time_offset = 14400 -latest_time_offset = 0 - -[savedsearch://ESCU - Get First Occurrence and Last Occurrence of a MAC Address - Response Task] -type = investigation -explanation = none -how_to_implement = To successfully implement this search, you must be ingesting the logs from your DHCP server. -known_false_positives = not defined -earliest_time_offset = 14400 -latest_time_offset = 0 - -[savedsearch://ESCU - Get History Of Email Sources - Response Task] -type = investigation -explanation = none -how_to_implement = To successfully implement this search you must ingest your email logs or capture unencrypted email communications within network traffic, and populate the Email data model. -known_false_positives = not defined -earliest_time_offset = 14400 -latest_time_offset = 0 - -[savedsearch://ESCU - Get Logon Rights Modifications For Endpoint - Response Task] -type = investigation -explanation = none -how_to_implement = To successfully implement this search you must be ingesting your Windows event logs -known_false_positives = not defined -earliest_time_offset = 14400 -latest_time_offset = 0 - -[savedsearch://ESCU - Get Logon Rights Modifications For User - Response Task] -type = investigation -explanation = none -how_to_implement = To successfully implement this search you must be ingesting your Windows event logs -known_false_positives = not defined -earliest_time_offset = 14400 -latest_time_offset = 0 - -[savedsearch://ESCU - Get Notable History - Response Task] -type = investigation -explanation = none -how_to_implement = If you are using Enterprise Security you are likely already creating notable events with your correlation rules. No additional configuration is necessary. -known_false_positives = not defined -earliest_time_offset = 14400 -latest_time_offset = 0 - -[savedsearch://ESCU - Get Outbound Emails to Hidden Cobra Threat Actors - Response Task] -type = investigation -explanation = none -how_to_implement = To successfully implement this search you must ingest your email logs or capture unencrypted email communications within network traffic, and populate the Email data model. -known_false_positives = not defined -earliest_time_offset = 14400 -latest_time_offset = 0 - -[savedsearch://ESCU - Get Parent Process Info - Response Task] -type = investigation -explanation = none -how_to_implement = You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the "process" field in the Endpoint data model. -known_false_positives = not defined -earliest_time_offset = 14400 -latest_time_offset = 0 - -[savedsearch://ESCU - Get Process File Activity - Response Task] -type = investigation -explanation = none -how_to_implement = To successfully implement this search you must be ingesting endpoint data and populating the Endpoint data model. -known_false_positives = not defined -earliest_time_offset = 14400 -latest_time_offset = 0 - -[savedsearch://ESCU - Get Process Info - Response Task] -type = investigation -explanation = none -how_to_implement = To successfully implement this search you must be ingesting endpoint data and populating the Endpoint data model. -known_false_positives = not defined -earliest_time_offset = 14400 -latest_time_offset = 0 - -[savedsearch://ESCU - Get Process Information For Port Activity - Response Task] -type = investigation -explanation = none -how_to_implement = To successfully implement this search you must be ingesting endpoint data that associates processes with network events and populate the Endpoint Datamodel -known_false_positives = not defined -earliest_time_offset = 14400 -latest_time_offset = 0 - -[savedsearch://ESCU - Get Process Responsible For The DNS Traffic - Response Task] -type = investigation -explanation = none -how_to_implement = You must be ingesting endpoint data that associates processes with network events into the Endpoint datamodel. This can come from endpoint protection products such as carbon black, or endpoint data sources such as Sysmon. -known_false_positives = not defined -earliest_time_offset = 14400 -latest_time_offset = 0 - -[savedsearch://ESCU - Get Sysmon WMI Activity for Host - Response Task] -type = investigation -explanation = none -how_to_implement = To successfully implement this search, you must be collecting Sysmon data using Sysmon version 6.1 or greater and have Sysmon configured to generate events for WMI activity. In addition, you must have at least version 6.0.4 of the Sysmon TA installed to properly parse the fields. -known_false_positives = not defined -earliest_time_offset = 14400 -latest_time_offset = 0 - -[savedsearch://ESCU - Get Web Session Information via session id - Response Task] -type = investigation -explanation = none -how_to_implement = This search leverages data extracted from Stream:HTTP. You must configure the HTTP stream using the Splunk Stream App on your Splunk Stream deployment server. -known_false_positives = not defined -earliest_time_offset = 14400 -latest_time_offset = 0 - -[savedsearch://ESCU - Investigate AWS activities via region name - Response Task] -type = investigation -explanation = none -how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. -known_false_positives = not defined -earliest_time_offset = 14400 -latest_time_offset = 0 - -[savedsearch://ESCU - Investigate AWS User Activities by user field - Response Task] -type = investigation -explanation = none -how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. -known_false_positives = not defined -earliest_time_offset = 14400 -latest_time_offset = 0 - -[savedsearch://ESCU - Investigate Failed Logins for Multiple Destinations - Response Task] -type = investigation -explanation = none -how_to_implement = To successfully implement this search you need to be ingesting authentication logs from your various systems and populating the Authentication data model. -known_false_positives = not defined -earliest_time_offset = 14400 -latest_time_offset = 0 - -[savedsearch://ESCU - Investigate Network Traffic From src ip - Response Task] -type = investigation -explanation = none -how_to_implement = To successfully implement this search, you must be ingesting your web-traffic logs and populating the web data model. -known_false_positives = not defined -earliest_time_offset = 14400 -latest_time_offset = 0 - -[savedsearch://ESCU - Investigate Okta Activity by app - Response Task] -type = investigation -explanation = none -how_to_implement = You must be ingesting Okta logs -known_false_positives = not defined -earliest_time_offset = 14400 -latest_time_offset = 0 - -[savedsearch://ESCU - Investigate Okta Activity by IP Address - Response Task] -type = investigation -explanation = none -how_to_implement = You must be ingesting Okta logs -known_false_positives = not defined -earliest_time_offset = 14400 -latest_time_offset = 0 - -[savedsearch://ESCU - Investigate Pass the Hash Attempts - Response Task] -type = investigation -explanation = none -how_to_implement = To successfully implement this search you need be ingesting windows security logs. This search uses an input macro named `wineventlog_security`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Security logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives. -known_false_positives = not defined -earliest_time_offset = 14400 -latest_time_offset = 0 - -[savedsearch://ESCU - Investigate Pass the Ticket Attempts - Response Task] -type = investigation -explanation = none -how_to_implement = To successfully implement this search you need to be ingesting windows security logs. This search uses an input macro named `wineventlog_security`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Security logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives. -known_false_positives = not defined -earliest_time_offset = 14400 -latest_time_offset = 0 - -[savedsearch://ESCU - Investigate Previous Unseen User - Response Task] -type = investigation -explanation = none -how_to_implement = To successfully implement this search you need to be ingesting authentication logs from your various systems and populating the Authentication data model. -known_false_positives = not defined -earliest_time_offset = 14400 -latest_time_offset = 0 - -[savedsearch://ESCU - Investigate Successful Remote Desktop Authentications - Response Task] -type = investigation -explanation = none -how_to_implement = You must be populating the Authentication data model with security events from your Windows event logs. -known_false_positives = not defined -earliest_time_offset = 14400 -latest_time_offset = 0 - -[savedsearch://ESCU - Investigate Suspicious Strings in HTTP Header - Response Task] -type = investigation -explanation = none -how_to_implement = This particular search leverages data extracted from Stream:HTTP. You must configure the http stream using the Splunk Stream App on your Splunk Stream deployment server to extract the cs_content_type field. -known_false_positives = not defined -earliest_time_offset = 14400 -latest_time_offset = 0 - -[savedsearch://ESCU - Investigate User Activities In Okta - Response Task] -type = investigation -explanation = none -how_to_implement = You must be ingesting Okta logs -known_false_positives = not defined -earliest_time_offset = 14400 -latest_time_offset = 0 - -[savedsearch://ESCU - Investigate Web POSTs From src - Response Task] -type = investigation -explanation = none -how_to_implement = To successfully implement this search, you must be ingesting your web-traffic logs and populating the web data model. -known_false_positives = not defined -earliest_time_offset = 14400 -latest_time_offset = 0 - - -### END RESPONSE TASKS ### \ No newline at end of file diff --git a/dist/DA-ESS-ContentUpdate/default/app.conf b/dist/DA-ESS-ContentUpdate/default/app.conf deleted file mode 100644 index b0a76d6bf7..0000000000 --- a/dist/DA-ESS-ContentUpdate/default/app.conf +++ /dev/null @@ -1,41 +0,0 @@ -############# -# Automatically generated by 'contentctl build' from -# https://github.com/splunk/contentctl -# On Date: 2024-06-06T17:49:54 UTC -# Author: Splunk Threat Research Team - Splunk -# Contact: research@splunk.com -############# -## Splunk app configuration file - -[install] -is_configured = false -state = enabled -state_change_requires_restart = false -build = 20240606174906 - -[triggers] -reload.analytic_stories = simple -reload.usage_searches = simple -reload.use_case_library = simple -reload.correlationsearches = simple -reload.analyticstories = simple -reload.governance = simple -reload.managed_configurations = simple -reload.postprocess = simple -reload.content-version = simple -reload.es_investigations = simple - -[launcher] -author = Splunk -version = 4.33.0 -description = Explore the Analytic Stories included with ES Content Updates. - -[ui] -is_visible = true -label = ES Content Updates - -[package] -id = DA-ESS-ContentUpdate - - - diff --git a/dist/DA-ESS-ContentUpdate/default/collections.conf b/dist/DA-ESS-ContentUpdate/default/collections.conf deleted file mode 100644 index 14d957293e..0000000000 --- a/dist/DA-ESS-ContentUpdate/default/collections.conf +++ /dev/null @@ -1,100 +0,0 @@ -############# -# Automatically generated by 'contentctl build' from -# https://github.com/splunk/contentctl -# On Date: 2024-06-06T17:49:54 UTC -# Author: Splunk Threat Research Team - Splunk -# Contact: research@splunk.com -############# - -[api_call_by_user_baseline] -enforceTypes = false -replicate = false - -[cloud_instances_enough_data] -enforceTypes = false -replicate = false - -[k8s_container_network_io_baseline] -enforceTypes = false -replicate = false - -[k8s_container_network_io_ratio_baseline] -enforceTypes = false -replicate = false - -[k8s_process_resource_baseline] -enforceTypes = false -replicate = false - -[k8s_process_resource_ratio_baseline] -enforceTypes = false -replicate = false - -[previously_seen_api_calls_from_user_roles] -enforceTypes = false -replicate = false - -[previously_seen_aws_cross_account_activity] -enforceTypes = false -replicate = false - -[previously_seen_aws_regions] -enforceTypes = false -replicate = false - -[previously_seen_cloud_api_calls_per_user_role] -enforceTypes = false -replicate = false - -[previously_seen_cloud_compute_creations_by_user] -enforceTypes = false -replicate = false - -[previously_seen_cloud_compute_images] -enforceTypes = false -replicate = false - -[previously_seen_cloud_compute_instance_types] -enforceTypes = false -replicate = false - -[previously_seen_cloud_instance_modifications_by_user] -enforceTypes = false -replicate = false - -[previously_seen_cloud_provisioning_activity_sources] -enforceTypes = false -replicate = false - -[previously_seen_cloud_regions] -enforceTypes = false -replicate = false - -[previously_seen_gcp_storage_access_from_remote_ip] -enforceTypes = false -replicate = false - -[previously_seen_running_windows_services] -enforceTypes = false -replicate = false - -[previously_seen_S3_access_from_remote_ip] -enforceTypes = false -replicate = false - -[previously_seen_users_console_logins] -enforceTypes = false -replicate = false - -[s3_deletion_baseline] -enforceTypes = false -replicate = false - -[security_group_activity_baseline] -enforceTypes = false -replicate = false - -[zoom_first_time_child_process] -enforceTypes = false -replicate = false - diff --git a/dist/DA-ESS-ContentUpdate/default/commands.conf b/dist/DA-ESS-ContentUpdate/default/commands.conf deleted file mode 100644 index ad3cbfdfd0..0000000000 --- a/dist/DA-ESS-ContentUpdate/default/commands.conf +++ /dev/null @@ -1,11 +0,0 @@ -# deprecated please see gist: https://gist.github.com/d1vious/c4c2aae7fa7d5cbb1f24adc5f6303ac1 -#[dnstwist] -#filename = dnstwist.py -#chunked = true - -# run story functionality has been moved to: https://github.com/splunk/analytic_story_execution' -# [runstory] -# filename = runstory.py -# chunked = true -# is_risky = true - diff --git a/dist/DA-ESS-ContentUpdate/default/content-version.conf b/dist/DA-ESS-ContentUpdate/default/content-version.conf deleted file mode 100644 index 8c20be2511..0000000000 --- a/dist/DA-ESS-ContentUpdate/default/content-version.conf +++ /dev/null @@ -1,9 +0,0 @@ -############# -# Automatically generated by 'contentctl build' from -# https://github.com/splunk/contentctl -# On Date: 2024-06-06T17:49:54 UTC -# Author: Splunk Threat Research Team - Splunk -# Contact: research@splunk.com -############# -[content-version] -version = 4.33.0 \ No newline at end of file diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/nav/default.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/nav/default.xml deleted file mode 100644 index 438c284fad..0000000000 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/nav/default.xml +++ /dev/null @@ -1,7 +0,0 @@ - \ No newline at end of file diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_all_backup_logs_for_host___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_all_backup_logs_for_host___response_task.xml deleted file mode 100644 index 8f5321afa0..0000000000 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_all_backup_logs_for_host___response_task.xml +++ /dev/null @@ -1,18 +0,0 @@ - - - - - | search `netbackup` dest=$dest$ - - - -
-
diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_amazon_eks_kubernetes_activity_by_src_ip___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_amazon_eks_kubernetes_activity_by_src_ip___response_task.xml deleted file mode 100644 index 17c1a7c422..0000000000 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_amazon_eks_kubernetes_activity_by_src_ip___response_task.xml +++ /dev/null @@ -1,18 +0,0 @@ - - - - - `aws_cloudwatchlogs_eks` |rename sourceIPs{} as src_ip |search src_ip=$src_ip$ | stats count min(_time) as firstTime max(_time) as lastTime values(user.username) values(requestURI) values(verb) values(userAgent) by source annotations.authorization.k8s.io/decision src_ip - - - -
-
diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_investigate_security_hub_alerts_by_dest___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_investigate_security_hub_alerts_by_dest___response_task.xml deleted file mode 100644 index ce3f69c61e..0000000000 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_investigate_security_hub_alerts_by_dest___response_task.xml +++ /dev/null @@ -1,18 +0,0 @@ - - - - - `aws_securityhub_firehose` "findings{}.Resources{}.Type"=AWSEC2Instance | rex field=findings{}.Resources{}.Id .*instance/(?<instance>.*)| rename instance as dest| search dest = $dest$ |rename findings{}.* as * | rename Remediation.Recommendation.Text as Remediation | table dest Title ProductArn Description FirstObservedAt RecordState Remediation - - - -
-
diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_investigate_user_activities_by_accesskeyid___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_investigate_user_activities_by_accesskeyid___response_task.xml deleted file mode 100644 index 435b2ee9aa..0000000000 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_investigate_user_activities_by_accesskeyid___response_task.xml +++ /dev/null @@ -1,18 +0,0 @@ - - - - - `cloudtrail` | rename userIdentity.accessKeyId as accessKeyId| search accessKeyId=$accessKeyId$ | spath output=user path=userIdentity.arn | rename sourceIPAddress as src_ip | table _time, user, src_ip, awsRegion, eventName, errorCode, errorMessage - - - -
-
diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_investigate_user_activities_by_arn___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_investigate_user_activities_by_arn___response_task.xml deleted file mode 100644 index 2cd709a332..0000000000 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_investigate_user_activities_by_arn___response_task.xml +++ /dev/null @@ -1,18 +0,0 @@ - - - - - `cloudtrail` | search user=$user$| table _time userIdentity.type userIdentity.userName userIdentity.arn aws_account_id src awsRegion eventName eventType - - - -
-
diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_network_acl_details_from_id___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_network_acl_details_from_id___response_task.xml deleted file mode 100644 index b0ad30b6d0..0000000000 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_network_acl_details_from_id___response_task.xml +++ /dev/null @@ -1,18 +0,0 @@ - - - - - `aws_description` | rename id as networkAclId | search networkAclId=$networkAclId$ | table id account_id vpc_id network_acl_entries{}.* - - - -
-
diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_network_interface_details_via_resourceid___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_network_interface_details_via_resourceid___response_task.xml deleted file mode 100644 index b5e7efe838..0000000000 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_network_interface_details_via_resourceid___response_task.xml +++ /dev/null @@ -1,18 +0,0 @@ - - - - - `aws_config` resourceId=$resourceId$ | table _time ARN relationships{}.resourceType relationships{}.name relationships{}.resourceId configuration.privateIpAddresses{}.privateIpAddress configuration.privateIpAddresses{}.association.publicIp - - - -
-
diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_s3_bucket_details_via_bucketname___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_s3_bucket_details_via_bucketname___response_task.xml deleted file mode 100644 index 0efc4760f0..0000000000 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_aws_s3_bucket_details_via_bucketname___response_task.xml +++ /dev/null @@ -1,18 +0,0 @@ - - - - - `aws_config` | rename resourceId as bucketName |search bucketName=$bucketName$ | table resourceCreationTime bucketName vendor_region action aws_account_id supplementaryConfiguration.AccessControlList - - - -
-
diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_gcp_kubernetes_activity_by_src_ip___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_gcp_kubernetes_activity_by_src_ip___response_task.xml deleted file mode 100644 index 67f04d8173..0000000000 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_gcp_kubernetes_activity_by_src_ip___response_task.xml +++ /dev/null @@ -1,18 +0,0 @@ - - - - - `google_gcp_pubsub_message` | rename data.protoPayload.requestMetadata.callerIp as src_ip | search src_ip =$src_ip$ | stats count min(_time) as firstTime max(_time) as lastTime values(data.protoPayload.methodName) as method_names values(data.protoPayload.resourceName) as resource_name values(data.protoPayload.requestMetadata.callerSuppliedUserAgent) as http_user_agent values(data.protoPayload.authenticationInfo.principalEmail) as user values(data.protoPayload.status.message) by src_ip data.resource.labels.cluster_name data.resource.type - - - -
-
diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_all_aws_activity_from_city___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_all_aws_activity_from_city___response_task.xml deleted file mode 100644 index 2d0d2ae63f..0000000000 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_all_aws_activity_from_city___response_task.xml +++ /dev/null @@ -1,18 +0,0 @@ - - - - - `cloudtrail` | iplocation sourceIPAddress | search City=$City$ | spath output=user path=userIdentity.arn | spath output=awsUserName path=userIdentity.userName | spath output=userType path=userIdentity.type | rename sourceIPAddress as src_ip | table _time, City, user, userName, userType, src_ip, awsRegion, eventName, errorCode - - - -
-
diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_all_aws_activity_from_country___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_all_aws_activity_from_country___response_task.xml deleted file mode 100644 index 979f85ef28..0000000000 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_all_aws_activity_from_country___response_task.xml +++ /dev/null @@ -1,18 +0,0 @@ - - - - - `cloudtrail` | iplocation sourceIPAddress | search Country=$Country$ | spath output=user path=userIdentity.arn | spath output=awsUserName path=userIdentity.userName | spath output=userType path=userIdentity.type | rename sourceIPAddress as src_ip | table _time, Country, user, userName, userType, src_ip, awsRegion, eventName, errorCode - - - -
-
diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_all_aws_activity_from_ip_address___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_all_aws_activity_from_ip_address___response_task.xml deleted file mode 100644 index ba151247d8..0000000000 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_all_aws_activity_from_ip_address___response_task.xml +++ /dev/null @@ -1,18 +0,0 @@ - - - - - `cloudtrail` | iplocation sourceIPAddress | search src_ip=$src_ip$ | spath output=user path=userIdentity.arn | spath output=awsUserName path=userIdentity.userName | spath output=userType path=userIdentity.type | rename sourceIPAddress as src_ip | table _time, user, userName, userType, src_ip, awsRegion, eventName, errorCode - - - -
-
diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_all_aws_activity_from_region___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_all_aws_activity_from_region___response_task.xml deleted file mode 100644 index bf3e63afa8..0000000000 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_all_aws_activity_from_region___response_task.xml +++ /dev/null @@ -1,18 +0,0 @@ - - - - - `cloudtrail` | iplocation sourceIPAddress | search Region=$Region$ | spath output=user path=userIdentity.arn | spath output=awsUserName path=userIdentity.userName | spath output=userType path=userIdentity.type | rename sourceIPAddress as src_ip | table _time, Region, user, userName, userType, src_ip, awsRegion, eventName, errorCode - - - -
-
diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_backup_logs_for_endpoint___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_backup_logs_for_endpoint___response_task.xml deleted file mode 100644 index 27cc657318..0000000000 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_backup_logs_for_endpoint___response_task.xml +++ /dev/null @@ -1,18 +0,0 @@ - - - - - `netbackup` COMPUTERNAME=$dest$ | rename COMPUTERNAME as dest, MESSAGE as signature | table _time, dest, signature - - - -
-
diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_certificate_logs_for_a_domain___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_certificate_logs_for_a_domain___response_task.xml deleted file mode 100644 index e25fb11cf6..0000000000 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_certificate_logs_for_a_domain___response_task.xml +++ /dev/null @@ -1,18 +0,0 @@ - - - - - | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Certificates.All_Certificates where All_Certificates.SSL.ssl_subject_common_name=*$domain$ by All_Certificates.dest All_Certificates.src All_Certificates.SSL.ssl_issuer_common_name All_Certificates.SSL.ssl_subject_common_name All_Certificates.SSL.ssl_hash | `drop_dm_object_name(All_Certificates)` | `drop_dm_object_name(SSL)` | rename ssl_subject_common_name as domain | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - - - -
-
diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_dns_server_history_for_a_host___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_dns_server_history_for_a_host___response_task.xml deleted file mode 100644 index bf17947eb8..0000000000 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_dns_server_history_for_a_host___response_task.xml +++ /dev/null @@ -1,18 +0,0 @@ - - - - - | search tag=dns src_ip=$src_ip$ dest_port=53 | streamstats time_window=1d count values(dest_ip) as dcip by src_ip | table date_mday src_ip dcip count | sort -count - - - -
-
diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_dns_traffic_ratio___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_dns_traffic_ratio___response_task.xml deleted file mode 100644 index a0084d54b0..0000000000 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_dns_traffic_ratio___response_task.xml +++ /dev/null @@ -1,18 +0,0 @@ - - - - - | tstats allow_old_summaries=true sum(All_Traffic.bytes_out) as "bytes_out" sum(All_Traffic.bytes_in) as "bytes_in" from datamodel=Network_Traffic where nodename=All_Traffic All_Traffic.dest_port=53 by All_Traffic.src All_Traffic.dest| `drop_dm_object_name(All_Traffic)` | rename src as src_ip | rename dest as dest_ip | search src_ip=$src_ip$ | search dest_ip = $dest_ip | eval ratio = (bytes_out/bytes_in) | table ratio - - - -
-
diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_ec2_instance_details_by_instanceid___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_ec2_instance_details_by_instanceid___response_task.xml deleted file mode 100644 index 786db5b7e6..0000000000 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_ec2_instance_details_by_instanceid___response_task.xml +++ /dev/null @@ -1,18 +0,0 @@ - - - - - `aws_description` | dedup id sortby -_time |rename id as instanceId| search instanceId=$instanceId$ | spath output=tags path=tags | eval tags=mvzip(key,value," = "), ip_address=if((ip_address == "null"),private_ip_address,ip_address) | table id, tags.Name, aws_account_id, placement, instance_type, key_name, ip_address, launch_time, state, vpc_id, subnet_id, tags | rename aws_account_id as "Account ID", id as ID, instance_type as Type, ip_address as "IP Address", key_name as "Key Pair", launch_time as "Launch Time", placement as "Availability Zone", state as State, subnet_id as Subnet, "tags.Name" as Name, vpc_id as VPC - - - -
-
diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_ec2_launch_details___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_ec2_launch_details___response_task.xml deleted file mode 100644 index 08a8822cec..0000000000 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_ec2_launch_details___response_task.xml +++ /dev/null @@ -1,18 +0,0 @@ - - - - - `cloudtrail` dest=$dest$ |rename userIdentity.arn as arn, responseElements.instancesSet.items{}.instanceId as dest, responseElements.instancesSet.items{}.privateIpAddress as privateIpAddress, responseElements.instancesSet.items{}.imageId as amiID, responseElements.instancesSet.items{}.architecture as architecture, responseElements.instancesSet.items{}.keyName as keyName | table arn, awsRegion, dest, architecture, privateIpAddress, amiID, keyName - - - -
-
diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_email_info___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_email_info___response_task.xml deleted file mode 100644 index 5f5e662c21..0000000000 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_email_info___response_task.xml +++ /dev/null @@ -1,18 +0,0 @@ - - - - - | from datamodel Email.All_Email | search message_id=$message_id$ - - - -
-
diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_emails_from_specific_sender___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_emails_from_specific_sender___response_task.xml deleted file mode 100644 index ebc1ac13d5..0000000000 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_emails_from_specific_sender___response_task.xml +++ /dev/null @@ -1,18 +0,0 @@ - - - - - | from datamodel Email.All_Email | search src_user=$src_user$ - - - -
-
diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_first_occurrence_and_last_occurrence_of_a_mac_address___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_first_occurrence_and_last_occurrence_of_a_mac_address___response_task.xml deleted file mode 100644 index db5fe065c3..0000000000 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_first_occurrence_and_last_occurrence_of_a_mac_address___response_task.xml +++ /dev/null @@ -1,18 +0,0 @@ - - - - - | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Sessions where nodename=All_Sessions.DHCP All_Sessions.signature=DHCPREQUEST All_Sessions.src_mac= $src_mac$ by All_Sessions.src_ip All_Sessions.user | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` - - - -
-
diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_history_of_email_sources___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_history_of_email_sources___response_task.xml deleted file mode 100644 index e1d0b4e5b5..0000000000 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_history_of_email_sources___response_task.xml +++ /dev/null @@ -1,18 +0,0 @@ - - - - - |tstats `security_content_summariesonly` values(All_Email.dest) as dest values(All_Email.recipient) as recepient min(_time) as firstTime max(_time) as lastTime count from datamodel=Email.All_Email by All_Email.src |`drop_dm_object_name(All_Email)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search src=$src$ - - - -
-
diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_logon_rights_modifications_for_endpoint___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_logon_rights_modifications_for_endpoint___response_task.xml deleted file mode 100644 index 6950951424..0000000000 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_logon_rights_modifications_for_endpoint___response_task.xml +++ /dev/null @@ -1,18 +0,0 @@ - - - - - `wineventlog_security` (signature_id=4718 OR signature_id=4717) dest=$dest$ | rename user as "Account Modified" | table _time, dest, "Account Modified", Access_Right, signature - - - -
-
diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_logon_rights_modifications_for_user___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_logon_rights_modifications_for_user___response_task.xml deleted file mode 100644 index bff35cb071..0000000000 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_logon_rights_modifications_for_user___response_task.xml +++ /dev/null @@ -1,18 +0,0 @@ - - - - - `wineventlog_security` (signature_id=4718 OR signature_id=4717) user=$user$ | rename user as "Account Modified" | table _time, dest, "Account Modified", Access_Right, signature - - - -
-
diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_notable_history___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_notable_history___response_task.xml deleted file mode 100644 index 92e09e3e75..0000000000 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_notable_history___response_task.xml +++ /dev/null @@ -1,18 +0,0 @@ - - - - - | search `notable` | search dest=$dest$ | table _time, dest, rule_name, owner, priority, severity, status_description - - - -
-
diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_parent_process_info___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_parent_process_info___response_task.xml deleted file mode 100644 index def3c91e63..0000000000 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_parent_process_info___response_task.xml +++ /dev/null @@ -1,18 +0,0 @@ - - - - - | tstats `security_content_summariesonly` count values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes by Processes.user Processes.parent_process_name Processes.process_name Processes.dest | `drop_dm_object_name("Processes")` | search parent_process_name= $parent_process_name$ |search dest = $dest$ | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - - - -
-
diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_process_file_activity___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_process_file_activity___response_task.xml deleted file mode 100644 index fdcf1d29dc..0000000000 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_process_file_activity___response_task.xml +++ /dev/null @@ -1,18 +0,0 @@ - - - - - | tstats `security_content_summariesonly` values(Filesystem.file_name) as file_name values(Filesystem.dest) as dest, values(Filesystem.process_name) as process_name from datamodel=Endpoint.Filesystem by Filesystem.dest Filesystem.process_name Filesystem.file_path, Filesystem.action, _time | `drop_dm_object_name(Filesystem)` | search dest=$dest$ | search process_name=$process_name$ | table _time, process_name, dest, action, file_name, file_path - - - -
-
diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_process_info___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_process_info___response_task.xml deleted file mode 100644 index 6c17c7ecb5..0000000000 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_process_info___response_task.xml +++ /dev/null @@ -1,18 +0,0 @@ - - - - - | tstats `security_content_summariesonly` count values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes by Processes.user Processes.parent_process_name Processes.process_name Processes.dest | `drop_dm_object_name("Processes")` | search process_name= $process_name$ | search dest = $dest$ | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - - - -
-
diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_process_information_for_port_activity___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_process_information_for_port_activity___response_task.xml deleted file mode 100644 index fd17bad0c1..0000000000 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_process_information_for_port_activity___response_task.xml +++ /dev/null @@ -1,18 +0,0 @@ - - - - - | tstats `security_content_summariesonly` count min(_time) max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.process_name Processes.user Processes.dest Processes.process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search dest=$dest$ | join dest type=inner [| tstats `security_content_summariesonly` count from datamodel=Endpoint.Ports by Ports.process_id Ports.src Ports.dest_port | `drop_dm_object_name(Ports)` | search dest_port=$dest_port$ | rename src as dest] - - - -
-
diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_process_responsible_for_the_dns_traffic___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_process_responsible_for_the_dns_traffic___response_task.xml deleted file mode 100644 index 6a30fbf35b..0000000000 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_process_responsible_for_the_dns_traffic___response_task.xml +++ /dev/null @@ -1,18 +0,0 @@ - - - - - | tstats `security_content_summariesonly` count min(_time) max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.parent_process Processes.process_name Processes.user Processes.dest Processes.process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search dest = $dest$ | join dest type=inner [| tstats `security_content_summariesonly` count from datamodel=Endpoint.Ports where Ports.dest_port=53 by Ports.process_id Ports.src | `drop_dm_object_name(Ports)` | rename src as dest] - - - -
-
diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_sysmon_wmi_activity_for_host___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_sysmon_wmi_activity_for_host___response_task.xml deleted file mode 100644 index d40580becd..0000000000 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_sysmon_wmi_activity_for_host___response_task.xml +++ /dev/null @@ -1,18 +0,0 @@ - - - - - `sysmon` EventCode>18 EventCode<22 | rename host as dest | search dest=$dest$| table _time, dest, user, Name, Operation, EventType, Type, Query, Consumer, Filter - - - -
-
diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_web_session_information_via_session_id___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_web_session_information_via_session_id___response_task.xml deleted file mode 100644 index 8aedde2479..0000000000 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_get_web_session_information_via_session_id___response_task.xml +++ /dev/null @@ -1,18 +0,0 @@ - - - - - `stream_http` session_id = $session_id$ | stats values(url) values(http_user_agent) by src_ip status - - - -
-
diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_aws_activities_via_region_name___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_aws_activities_via_region_name___response_task.xml deleted file mode 100644 index b00e3581a1..0000000000 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_aws_activities_via_region_name___response_task.xml +++ /dev/null @@ -1,18 +0,0 @@ - - - - - `cloudtrail` vendor_region=$vendor_region$| rename requestParameters.instancesSet.items{}.instanceId as instanceId | stats values(eventName) by user instanceId vendor_region - - - -
-
diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_aws_user_activities_by_user_field___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_aws_user_activities_by_user_field___response_task.xml deleted file mode 100644 index 566b4bbe61..0000000000 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_aws_user_activities_by_user_field___response_task.xml +++ /dev/null @@ -1,18 +0,0 @@ - - - - - `cloudtrail` user=$user$ | table _time userIdentity.type userIdentity.userName userIdentity.arn aws_account_id src awsRegion eventName eventType - - - -
-
diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_failed_logins_for_multiple_destinations___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_failed_logins_for_multiple_destinations___response_task.xml deleted file mode 100644 index e4eee35e85..0000000000 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_failed_logins_for_multiple_destinations___response_task.xml +++ /dev/null @@ -1,18 +0,0 @@ - - - - - | tstats count `security_content_summariesonly` earliest(_time) as first_login latest(_time) as last_login dc(Authentication.dest) AS distinct_count_dest values(Authentication.dest) AS Authentication.dest values(Authentication.app) AS Authentication.app from datamodel=Authentication where Authentication.action=failure by Authentication.user | where distinct_count_dest > 1 | `security_content_ctime(first_login)` | `security_content_ctime(last_login)` | `drop_dm_object_name("Authentication")` | search user=$user$ - - - -
-
diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_network_traffic_from_src_ip___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_network_traffic_from_src_ip___response_task.xml deleted file mode 100644 index 1b0d6cce04..0000000000 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_network_traffic_from_src_ip___response_task.xml +++ /dev/null @@ -1,18 +0,0 @@ - - - - - | from datamodel Network_Traffic.All_Traffic | search src_ip=$src_ip$ - - - -
-
diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_okta_activity_by_app___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_okta_activity_by_app___response_task.xml deleted file mode 100644 index 33ea370730..0000000000 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_okta_activity_by_app___response_task.xml +++ /dev/null @@ -1,18 +0,0 @@ - - - - - `okta` app=$app$ | rename client.geographicalContext.country as country, client.geographicalContext.state as state, client.geographicalContext.city as city | table _time, user, displayMessage, app, src_ip, state, city, result, outcome.reason - - - -
-
diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_pass_the_hash_attempts___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_pass_the_hash_attempts___response_task.xml deleted file mode 100644 index 1dd530c6fb..0000000000 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_pass_the_hash_attempts___response_task.xml +++ /dev/null @@ -1,18 +0,0 @@ - - - - - `wineventlog_security` EventCode=4624 Logon_Type=9 AuthenticationPackageName=Negotiate | stats count earliest(_time) as first_login latest(_time) as last_login by src_user dest | `security_content_ctime(first_login)` | `security_content_ctime(last_login)` | search dest=$dest$ - - - -
-
diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_pass_the_ticket_attempts___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_pass_the_ticket_attempts___response_task.xml deleted file mode 100644 index 19770aba61..0000000000 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_pass_the_ticket_attempts___response_task.xml +++ /dev/null @@ -1,18 +0,0 @@ - - - - - `wineventlog_security` EventCode=4768 OR EventCode=4769 | rex field=user "(?<new_user>[^\@]+)" | stats count BY new_user, dest, EventCode | stats max(count) AS max_count sum(count) AS sum_count BY new_user, dest| search dest=$dest$ | where sum_count/max_count!=2 | rename new_user AS user - - - -
-
diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_previous_unseen_user___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_previous_unseen_user___response_task.xml deleted file mode 100644 index 4a79a8e862..0000000000 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_previous_unseen_user___response_task.xml +++ /dev/null @@ -1,18 +0,0 @@ - - - - - | tstats count `security_content_summariesonly` earliest(_time) as first_login latest(_time) as last_login values(Authentication.dest) AS Authentication.dest values(Authentication.app) AS Authentication.app values(Authentication.action) AS Authentication.action from datamodel=Authentication where Authentication.action=success by _time, Authentication.user | bucket _time span=30d | stats count min(first_login) as first_login max(last_login) as last_login values(Authentication.dest) AS Authentication.dest by Authentication.user | where count=1 | where first_login >= relative_time(now(), "-30d") | `security_content_ctime(first_login)` | `security_content_ctime(last_login)` | `drop_dm_object_name("Authentication")` | search dest=$dest$ - - - -
-
diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_successful_remote_desktop_authentications___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_successful_remote_desktop_authentications___response_task.xml deleted file mode 100644 index 3f207afbcc..0000000000 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_successful_remote_desktop_authentications___response_task.xml +++ /dev/null @@ -1,18 +0,0 @@ - - - - - | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Authentication where Authentication.signature_id=4624 Authentication.app=win:remote by Authentication.src Authentication.dest Authentication.app Authentication.user Authentication.signature Authentication.src_nt_domain | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name("Authentication")` | search dest=$dest$ | table firstTime lastTime src src_nt_domain dest user app count | sort count - - - -
-
diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_suspicious_strings_in_http_header___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_suspicious_strings_in_http_header___response_task.xml deleted file mode 100644 index 7fa85b4d07..0000000000 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_suspicious_strings_in_http_header___response_task.xml +++ /dev/null @@ -1,18 +0,0 @@ - - - - - `stream_http` | search src_ip=$src_ip$ | search dest_ip=$dest_ip$ | eval cs_content_type_length = len(cs_content_type) | search cs_content_type_length > 100 | rex field="cs_content_type" (?<suspicious_strings>cmd.exe) | eval suspicious_strings_found=if(match(cs_content_type, "application"), "True", "False") | rename suspicious_strings_found AS "Suspicious Content-Type Found" | fields "Suspicious Content-Type Found", dest_ip, src_ip, suspicious_strings, cs_content_type, cs_content_type_length, url - - - -
-
diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_user_activities_in_okta___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_user_activities_in_okta___response_task.xml deleted file mode 100644 index b005793cc2..0000000000 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_user_activities_in_okta___response_task.xml +++ /dev/null @@ -1,18 +0,0 @@ - - - - - `okta` user=$user$ | rename client.geographicalContext.country as country, client.geographicalContext.state as state, client.geographicalContext.city as city | table _time, user, displayMessage, app, src_ip, state, city, result, outcome.reason - - - -
-
diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_web_posts_from_src___response_task.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_web_posts_from_src___response_task.xml deleted file mode 100644 index e0a798dbae..0000000000 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/panels/workbench_panel_investigate_web_posts_from_src___response_task.xml +++ /dev/null @@ -1,18 +0,0 @@ - - - - - | tstats `security_content_summariesonly` values(Web.url) as url from datamodel=Web by Web.src,Web.http_user_agent,Web.http_method | `drop_dm_object_name("Web")`| search http_method, "POST" | search src=$src$ - - - -
-
diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/views/escu_applocker.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/views/escu_applocker.xml deleted file mode 100644 index 8bc453fe16..0000000000 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/views/escu_applocker.xml +++ /dev/null @@ -1,401 +0,0 @@ - - - - - - \ No newline at end of file diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/views/escu_summary.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/views/escu_summary.xml deleted file mode 100644 index 0af3fa774f..0000000000 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/views/escu_summary.xml +++ /dev/null @@ -1,193 +0,0 @@ -
- - - - Splunk Security Content - - | rest /services/saved/searches splunk_server=local count=0 | search title="ESCU - *" - - - | rest /services/configs/conf-analyticstories splunk_server=local count=0 |search eai:acl.app = "DA-ESS-ContentUpdate" - - - * - * - * - * - - - - -
- - - -

Explore the Analytic Stories included with Splunk Security via ES Use Case Library or Splunk Security Essentials.

- -
-
- - - - Total Analytic Stories - - search title="analytic_story://*" |stats count - - - - - - - - - - - - - - - - - - - - Total Detections - - stats count by action.correlationsearch.label| eventstats sum(count) as total_detection_count| fields total_detection_count - - - - - - - - - - - - - - - - - - - - ESCU App Version - - | rest /services/configs/conf-content-version splunk_server=local count=0 | table version - - - - - - - - - - - - - - - - - - - - - Story Categories - - - | rest /services/configs/conf-analyticstories splunk_server=local count=0 | search eai:acl.app = "DA-ESS-ContentUpdate"| search title="analytic_story://*"| stats count by category - - - $click.value$ - $click.value$ - - - - - - - - - - - Analytic Stories by MITRE Technique ID - - - - | rest /services/saved/searches splunk_server=local count=0 | search title="ESCU - *" -| spath input=action.correlationsearch.annotations path=mitre_attack{} output="MITRE Technique ID" -| spath input=action.correlationsearch.annotations path=analytic_story{} output=story_name - | stats dc(story_name) as "Analytic Stories" by "MITRE Technique ID" - - - - $click.value$ - $click.value$ - - - - - - - - - - All - - now - | rest /services/configs/conf-savedsearches splunk_server=local count=0 -| search action.escu.search_type = detection -| spath input=action.correlationsearch.annotations path=analytic_story{} output="story" -| mvexpand story -| dedup story | fields story - - story - story - * - " - " - * - - - - - - Analytic Story Details - - | rest /services/configs/conf-savedsearches splunk_server=local count=0 -| search action.escu.search_type = detection -| spath input=action.correlationsearch.annotations path=analytic_story{} output="analytic_story" -| spath input=action.correlationsearch.annotations path=mitre_attack{} output="mitre_attack" -| spath input=action.escu.data_models path={} output="Data Models" -| rename title as "Detections" -| join analytic_story - [| rest /services/configs/conf-analyticstories splunk_server=local count=0 - | search title="analytic_story://*" - | eval "analytic_story"=replace(title,"analytic_story://","" ) - ] -| search analytic_story= $story$ -|stats values(Detections) as Detections values(mitre_attack) as "MITRE Technique ID" values(last_updated) as "Last Updated" by analytic_story description| rename analytic_story as "Analytic Story"| rename description as Description| table "Analytic Story" Description Detections "MITRE Technique ID" "Last Updated" - $earliest$ - $latest$ - - - - - - - - - - - - -
-
-
-
\ No newline at end of file diff --git a/dist/DA-ESS-ContentUpdate/default/data/ui/views/feedback.xml b/dist/DA-ESS-ContentUpdate/default/data/ui/views/feedback.xml deleted file mode 100644 index 3ec519bfd2..0000000000 --- a/dist/DA-ESS-ContentUpdate/default/data/ui/views/feedback.xml +++ /dev/null @@ -1,13 +0,0 @@ -
- - Welcome to Splunk Enterprise Security Content Updates Feedback Center. - - - - Contact us at research@splunk.com to send us support requests, bug reports, or questions directly to the Splunk Security Research Team. -
Please specify your request type and/or the title of any related Analytic Stories.
- You can also find us in the #security-research room in the Splunk Slack channel
- -
-
-
diff --git a/dist/DA-ESS-ContentUpdate/default/distsearch.conf b/dist/DA-ESS-ContentUpdate/default/distsearch.conf deleted file mode 100644 index 23129734b3..0000000000 --- a/dist/DA-ESS-ContentUpdate/default/distsearch.conf +++ /dev/null @@ -1,5 +0,0 @@ -[replicationSettings:refineConf] -replicate.analytic_stories = false - -[replicationBlacklist] -excludeESCU = apps[/\\]DA-ESS-ContentUpdate[/\\]lookups[/\\]... diff --git a/dist/DA-ESS-ContentUpdate/default/es_investigations.conf b/dist/DA-ESS-ContentUpdate/default/es_investigations.conf deleted file mode 100644 index 7309ce7102..0000000000 --- a/dist/DA-ESS-ContentUpdate/default/es_investigations.conf +++ /dev/null @@ -1,768 +0,0 @@ -############# -# Automatically generated by 'contentctl build' from -# https://github.com/splunk/contentctl -# On Date: 2024-06-06T17:49:54 UTC -# Author: Splunk Threat Research Team - Splunk -# Contact: research@splunk.com -############# - -[panel://workbench_panel_all_backup_logs_for_host___response_task] -label = All backup logs for host -description = Retrieve the backup logs for the last 2 weeks for a specific host in order to investigate why backups are not completing successfully. -disabled = 0 -tokens = {\ - "dest": {\ - "valuePrefix": "\"",\ - "valueSuffix": "\"",\ - "delimiter": " OR dest=",\ - "valueType": "primitive",\ - "value": "asset",\ - "default": "null"\ - }\ -}\ - - -[panel://workbench_panel_amazon_eks_kubernetes_activity_by_src_ip___response_task] -label = Amazon EKS Kubernetes activity by src ip -description = This search provides investigation data about requests via user agent, authentication request URI, verb and cluster name data against Kubernetes cluster from a specific IP address -disabled = 0 -tokens = {\ - "src_ip": {\ - "valuePrefix": "\"",\ - "valueSuffix": "\"",\ - "delimiter": " OR src_ip=",\ - "valueType": "primitive",\ - "value": "file",\ - "default": "null"\ - }\ -}\ - - -[panel://workbench_panel_aws_investigate_security_hub_alerts_by_dest___response_task] -label = AWS Investigate Security Hub alerts by dest -description = This search retrieves the all the alerts created by AWS Security Hub for a specific dest(instance_id). -disabled = 0 -tokens = {\ - "dest": {\ - "valuePrefix": "\"",\ - "valueSuffix": "\"",\ - "delimiter": " OR dest=",\ - "valueType": "primitive",\ - "value": "asset",\ - "default": "null"\ - }\ -}\ - - -[panel://workbench_panel_aws_investigate_user_activities_by_accesskeyid___response_task] -label = AWS Investigate User Activities By AccessKeyId -description = This search retrieves the times, ARN, source IPs, AWS regions, event names, and the result of the event for specific credentials. -disabled = 0 -tokens = {\ - "accessKeyId": {\ - "valuePrefix": "\"",\ - "valueSuffix": "\"",\ - "delimiter": " OR accessKeyId=",\ - "valueType": "primitive",\ - "value": "file",\ - "default": "null"\ - }\ -}\ - - -[panel://workbench_panel_aws_investigate_user_activities_by_arn___response_task] -label = AWS Investigate User Activities By ARN -description = This search lists all the logged CloudTrail activities by a specific user ARN and will create a table containing the source of the user, the region of the activity, the name and type of the event, the action taken, and all the user's identity information. -disabled = 0 -tokens = {\ - "user": {\ - "valuePrefix": "\"",\ - "valueSuffix": "\"",\ - "delimiter": " OR user=",\ - "valueType": "primitive",\ - "value": "identity",\ - "default": "null"\ - }\ -}\ - - -[panel://workbench_panel_aws_network_acl_details_from_id___response_task] -label = AWS Network ACL Details from ID -description = This search queries AWS description logs and returns all the information about a specific network ACL via network ACL ID -disabled = 0 -tokens = {\ - "networkAclId": {\ - "valuePrefix": "\"",\ - "valueSuffix": "\"",\ - "delimiter": " OR networkAclId=",\ - "valueType": "primitive",\ - "value": "file",\ - "default": "null"\ - }\ -}\ - - -[panel://workbench_panel_aws_network_interface_details_via_resourceid___response_task] -label = AWS Network Interface details via resourceId -description = This search queries AWS configuration logs and returns the information about a specific network interface via network interface ID. The information will include the ARN of the network interface, its relationships with other AWS resources, the public and the private IP associated with the network interface. -disabled = 0 -tokens = {\ - "resourceId": {\ - "valuePrefix": "\"",\ - "valueSuffix": "\"",\ - "delimiter": " OR resourceId=",\ - "valueType": "primitive",\ - "value": "file",\ - "default": "null"\ - }\ -}\ - - -[panel://workbench_panel_aws_s3_bucket_details_via_bucketname___response_task] -label = AWS S3 Bucket details via bucketName -description = This search queries AWS configuration logs and returns the information about a specific S3 bucket. The information returned includes the time the S3 bucket was created, the resource ID, the region it belongs to, the value of action performed, AWS account ID, and configuration values of the access-control lists associated with the bucket. -disabled = 0 -tokens = {\ - "bucketName": {\ - "valuePrefix": "\"",\ - "valueSuffix": "\"",\ - "delimiter": " OR bucketName=",\ - "valueType": "primitive",\ - "value": "file",\ - "default": "null"\ - }\ -}\ - - -[panel://workbench_panel_gcp_kubernetes_activity_by_src_ip___response_task] -label = GCP Kubernetes activity by src ip -description = This search provides investigation data about requests via user agent, authentication request URI, resource path and cluster name data against Kubernetes cluster from a specific IP address -disabled = 0 -tokens = {\ - "src_ip": {\ - "valuePrefix": "\"",\ - "valueSuffix": "\"",\ - "delimiter": " OR src_ip=",\ - "valueType": "primitive",\ - "value": "file",\ - "default": "null"\ - }\ -}\ - - -[panel://workbench_panel_get_all_aws_activity_from_city___response_task] -label = Get All AWS Activity From City -description = This search retrieves all the activity from a specific city and will create a table containing the time, city, ARN, username, the type of user, the source IP address, the AWS region the activity was in, the API called, and whether or not the API call was successful. -disabled = 0 -tokens = {\ - "City": {\ - "valuePrefix": "\"",\ - "valueSuffix": "\"",\ - "delimiter": " OR City=",\ - "valueType": "primitive",\ - "value": "file",\ - "default": "null"\ - }\ -}\ - - -[panel://workbench_panel_get_all_aws_activity_from_country___response_task] -label = Get All AWS Activity From Country -description = This search retrieves all the activity from a specific country and will create a table containing the time, country, ARN, username, the type of user, the source IP address, the AWS region the activity was in, the API called, and whether or not the API call was successful. -disabled = 0 -tokens = {\ - "Country": {\ - "valuePrefix": "\"",\ - "valueSuffix": "\"",\ - "delimiter": " OR Country=",\ - "valueType": "primitive",\ - "value": "file",\ - "default": "null"\ - }\ -}\ - - -[panel://workbench_panel_get_all_aws_activity_from_ip_address___response_task] -label = Get All AWS Activity From IP Address -description = This search retrieves all the activity from a specific IP address and will create a table containing the time, ARN, username, the type of user, the IP address, the AWS region the activity was in, the API called, and whether or not the API call was successful. -disabled = 0 -tokens = {\ - "src_ip": {\ - "valuePrefix": "\"",\ - "valueSuffix": "\"",\ - "delimiter": " OR src_ip=",\ - "valueType": "primitive",\ - "value": "file",\ - "default": "null"\ - }\ -}\ - - -[panel://workbench_panel_get_all_aws_activity_from_region___response_task] -label = Get All AWS Activity From Region -description = This search retrieves all the activity from a specific geographic region and will create a table containing the time, geographic region, ARN, username, the type of user, the source IP address, the AWS region the activity was in, the API called, and whether or not the API call was successful. -disabled = 0 -tokens = {\ - "Region": {\ - "valuePrefix": "\"",\ - "valueSuffix": "\"",\ - "delimiter": " OR Region=",\ - "valueType": "primitive",\ - "value": "file",\ - "default": "null"\ - }\ -}\ - - -[panel://workbench_panel_get_backup_logs_for_endpoint___response_task] -label = Get Backup Logs For Endpoint -description = This search will tell you the backup status from your netbackup_logs of a specific endpoint for the last week. -disabled = 0 -tokens = {\ - "dest": {\ - "valuePrefix": "\"",\ - "valueSuffix": "\"",\ - "delimiter": " OR dest=",\ - "valueType": "primitive",\ - "value": "asset",\ - "default": "null"\ - }\ -}\ - - -[panel://workbench_panel_get_certificate_logs_for_a_domain___response_task] -label = Get Certificate logs for a domain -description = This search queries the Certificates datamodel and give you all the information for a specific domain. Please note that the certificates issued by "Let's Encrypt" are widely used by attackers. -disabled = 0 -tokens = {\ - "domain": {\ - "valuePrefix": "\"",\ - "valueSuffix": "\"",\ - "delimiter": " OR domain=",\ - "valueType": "primitive",\ - "value": "file",\ - "default": "null"\ - }\ -}\ - - -[panel://workbench_panel_get_dns_server_history_for_a_host___response_task] -label = Get DNS Server History for a host -description = While investigating any detections it is important to understand which and how many DNS servers a host has connected to in the past. This search uses data that is tagged as DNS and gives you a count and list of DNS servers that a particular host has connected to the previous 24 hours. -disabled = 0 -tokens = {\ - "src_ip": {\ - "valuePrefix": "\"",\ - "valueSuffix": "\"",\ - "delimiter": " OR src_ip=",\ - "valueType": "primitive",\ - "value": "file",\ - "default": "null"\ - }\ -}\ - - -[panel://workbench_panel_get_dns_traffic_ratio___response_task] -label = Get DNS traffic ratio -description = This search calculates the ratio of DNS traffic originating and coming from a host to a list of DNS servers over the last 24 hours. A high value of this ratio could be very useful to quickly understand if a src_ip (host) is sending a high volume of data out via port 53, could be an indicator of data exfiltration via DNS. -disabled = 0 -tokens = {\ - "src_ip": {\ - "valuePrefix": "\"",\ - "valueSuffix": "\"",\ - "delimiter": " OR src_ip=",\ - "valueType": "primitive",\ - "value": "file",\ - "default": "null"\ - }\ -}\ - - -[panel://workbench_panel_get_ec2_instance_details_by_instanceid___response_task] -label = Get EC2 Instance Details by instanceId -description = This search queries AWS description logs and returns all the information about a specific instance via the instanceId field -disabled = 0 -tokens = {\ - "instanceId": {\ - "valuePrefix": "\"",\ - "valueSuffix": "\"",\ - "delimiter": " OR instanceId=",\ - "valueType": "primitive",\ - "value": "file",\ - "default": "null"\ - }\ -}\ - - -[panel://workbench_panel_get_ec2_launch_details___response_task] -label = Get EC2 Launch Details -description = This search returns some of the launch details for a EC2 instance. -disabled = 0 -tokens = {\ - "dest": {\ - "valuePrefix": "\"",\ - "valueSuffix": "\"",\ - "delimiter": " OR dest=",\ - "valueType": "primitive",\ - "value": "asset",\ - "default": "null"\ - }\ -}\ - - -[panel://workbench_panel_get_email_info___response_task] -label = Get Email Info -description = This search returns all the information Splunk might have collected a specific email message over the last 2 hours. -disabled = 0 -tokens = {\ - "message_id": {\ - "valuePrefix": "\"",\ - "valueSuffix": "\"",\ - "delimiter": " OR message_id=",\ - "valueType": "primitive",\ - "value": "file",\ - "default": "null"\ - }\ -}\ - - -[panel://workbench_panel_get_emails_from_specific_sender___response_task] -label = Get Emails From Specific Sender -description = This search returns all the emails from a specific sender over the last 24 and next hours. -disabled = 0 -tokens = {\ - "src_user": {\ - "valuePrefix": "\"",\ - "valueSuffix": "\"",\ - "delimiter": " OR src_user=",\ - "valueType": "primitive",\ - "value": "file",\ - "default": "null"\ - }\ -}\ - - -[panel://workbench_panel_get_first_occurrence_and_last_occurrence_of_a_mac_address___response_task] -label = Get First Occurrence and Last Occurrence of a MAC Address -description = This search allows you to gather more context around a notable which has detected a new device connecting to your network. Use this search to determine the first and last occurrences of the suspicious device attempting to connect with your network. -disabled = 0 -tokens = {\ - "src_mac": {\ - "valuePrefix": "\"",\ - "valueSuffix": "\"",\ - "delimiter": " OR src_mac=",\ - "valueType": "primitive",\ - "value": "file",\ - "default": "null"\ - }\ -}\ - - -[panel://workbench_panel_get_history_of_email_sources___response_task] -label = Get History Of Email Sources -description = This search returns a list of all email sources seen in the 48 hours prior to the notable event to 24 hours after, and the number of emails from each source. -disabled = 0 -tokens = {\ - "src": {\ - "valuePrefix": "\"",\ - "valueSuffix": "\"",\ - "delimiter": " OR src=",\ - "valueType": "primitive",\ - "value": "file",\ - "default": "null"\ - }\ -}\ - - -[panel://workbench_panel_get_logon_rights_modifications_for_endpoint___response_task] -label = Get Logon Rights Modifications For Endpoint -description = This search allows you to retrieve any modifications to logon rights associated with a specific host. -disabled = 0 -tokens = {\ - "dest": {\ - "valuePrefix": "\"",\ - "valueSuffix": "\"",\ - "delimiter": " OR dest=",\ - "valueType": "primitive",\ - "value": "asset",\ - "default": "null"\ - }\ -}\ - - -[panel://workbench_panel_get_logon_rights_modifications_for_user___response_task] -label = Get Logon Rights Modifications For User -description = This search allows you to retrieve any modifications to logon rights for a specific user account. -disabled = 0 -tokens = {\ - "user": {\ - "valuePrefix": "\"",\ - "valueSuffix": "\"",\ - "delimiter": " OR user=",\ - "valueType": "primitive",\ - "value": "identity",\ - "default": "null"\ - }\ -}\ - - -[panel://workbench_panel_get_notable_history___response_task] -label = Get Notable History -description = This search queries the notable index and returns all the Notable Events for the particular destination host, giving the analyst an overview of the incidents that may have occurred with the host under investigation. -disabled = 0 -tokens = {\ - "dest": {\ - "valuePrefix": "\"",\ - "valueSuffix": "\"",\ - "delimiter": " OR dest=",\ - "valueType": "primitive",\ - "value": "asset",\ - "default": "null"\ - }\ -}\ - - -[panel://workbench_panel_get_parent_process_info___response_task] -label = Get Parent Process Info -description = This search queries the Endpoint data model to give you details about the parent process of a process running on a host which is under investigation. Enter the values of the process name in question and the dest -disabled = 0 -tokens = {\ - "parent_process_name": {\ - "valuePrefix": "\"",\ - "valueSuffix": "\"",\ - "delimiter": " OR parent_process_name=",\ - "valueType": "primitive",\ - "value": "file",\ - "default": "null"\ - },\ - "dest": {\ - "valuePrefix": "\"",\ - "valueSuffix": "\"",\ - "delimiter": " OR dest=",\ - "valueType": "primitive",\ - "value": "asset",\ - "default": "null"\ - }\ -}\ - - -[panel://workbench_panel_get_process_file_activity___response_task] -label = Get Process File Activity -description = This search returns the file activity for a specific process on a specific endpoint -disabled = 0 -tokens = {\ - "dest": {\ - "valuePrefix": "\"",\ - "valueSuffix": "\"",\ - "delimiter": " OR dest=",\ - "valueType": "primitive",\ - "value": "asset",\ - "default": "null"\ - },\ - "process_name": {\ - "valuePrefix": "\"",\ - "valueSuffix": "\"",\ - "delimiter": " OR process_name=",\ - "valueType": "primitive",\ - "value": "file",\ - "default": "null"\ - }\ -}\ - - -[panel://workbench_panel_get_process_info___response_task] -label = Get Process Info -description = This search queries the Endpoint data model to give you details about the process running on a host which is under investigation. To gather the process info, enter the values for the process name in question and the destination IP address. -disabled = 0 -tokens = {\ - "process_name": {\ - "valuePrefix": "\"",\ - "valueSuffix": "\"",\ - "delimiter": " OR process_name=",\ - "valueType": "primitive",\ - "value": "file",\ - "default": "null"\ - },\ - "dest": {\ - "valuePrefix": "\"",\ - "valueSuffix": "\"",\ - "delimiter": " OR dest=",\ - "valueType": "primitive",\ - "value": "asset",\ - "default": "null"\ - }\ -}\ - - -[panel://workbench_panel_get_process_information_for_port_activity___response_task] -label = Get Process Information For Port Activity -description = This search will return information about the process associated with observed network traffic to a specific destination port from a specific host. -disabled = 0 -tokens = {\ - "dest": {\ - "valuePrefix": "\"",\ - "valueSuffix": "\"",\ - "delimiter": " OR dest=",\ - "valueType": "primitive",\ - "value": "asset",\ - "default": "null"\ - },\ - "dest_port": {\ - "valuePrefix": "\"",\ - "valueSuffix": "\"",\ - "delimiter": " OR dest_port=",\ - "valueType": "primitive",\ - "value": "file",\ - "default": "null"\ - }\ -}\ - - -[panel://workbench_panel_get_process_responsible_for_the_dns_traffic___response_task] -label = Get Process Responsible For The DNS Traffic -description = While investigating, an analyst will want to know what process and parent_process is responsible for generating suspicious DNS traffic. Use the following search and enter the value of `dest` in the search to get specific details on the process responsible for creating the DNS traffic. -disabled = 0 -tokens = {\ - "dest": {\ - "valuePrefix": "\"",\ - "valueSuffix": "\"",\ - "delimiter": " OR dest=",\ - "valueType": "primitive",\ - "value": "asset",\ - "default": "null"\ - }\ -}\ - - -[panel://workbench_panel_get_sysmon_wmi_activity_for_host___response_task] -label = Get Sysmon WMI Activity for Host -description = This search queries Sysmon WMI events for the host of interest. -disabled = 0 -tokens = {\ - "dest": {\ - "valuePrefix": "\"",\ - "valueSuffix": "\"",\ - "delimiter": " OR dest=",\ - "valueType": "primitive",\ - "value": "asset",\ - "default": "null"\ - }\ -}\ - - -[panel://workbench_panel_get_web_session_information_via_session_id___response_task] -label = Get Web Session Information via session id -description = This search helps an analyst investigate a notable event to find out more about a specific web session. The search looks for a specific web session ID in the HTTP web traffic and outputs the URL and user agents, grouped by source IP address and HTTP status code. -disabled = 0 -tokens = {\ - "session_id": {\ - "valuePrefix": "\"",\ - "valueSuffix": "\"",\ - "delimiter": " OR session_id=",\ - "valueType": "primitive",\ - "value": "file",\ - "default": "null"\ - }\ -}\ - - -[panel://workbench_panel_investigate_aws_activities_via_region_name___response_task] -label = Investigate AWS activities via region name -description = This search lists all the user activities logged by CloudTrail for a specific region in question and will create a table of the values of parameters requested, the type of the event and the response from the AWS API by each user -disabled = 0 -tokens = {\ - "vendor_region": {\ - "valuePrefix": "\"",\ - "valueSuffix": "\"",\ - "delimiter": " OR vendor_region=",\ - "valueType": "primitive",\ - "value": "file",\ - "default": "null"\ - }\ -}\ - - -[panel://workbench_panel_investigate_aws_user_activities_by_user_field___response_task] -label = Investigate AWS User Activities by user field -description = This search lists all the logged CloudTrail activities by a specific user and will create a table containing the source of the user, the region of the activity, the name and type of the event, the action taken, and the user's identity information. -disabled = 0 -tokens = {\ - "user": {\ - "valuePrefix": "\"",\ - "valueSuffix": "\"",\ - "delimiter": " OR user=",\ - "valueType": "primitive",\ - "value": "identity",\ - "default": "null"\ - }\ -}\ - - -[panel://workbench_panel_investigate_failed_logins_for_multiple_destinations___response_task] -label = Investigate Failed Logins for Multiple Destinations -description = This search returns failed logins to multiple destinations by user. -disabled = 0 -tokens = {\ - "user": {\ - "valuePrefix": "\"",\ - "valueSuffix": "\"",\ - "delimiter": " OR user=",\ - "valueType": "primitive",\ - "value": "identity",\ - "default": "null"\ - }\ -}\ - - -[panel://workbench_panel_investigate_network_traffic_from_src_ip___response_task] -label = Investigate Network Traffic From src ip -description = This search allows you to find all the network traffic from a specific IP address. -disabled = 0 -tokens = {\ - "src_ip": {\ - "valuePrefix": "\"",\ - "valueSuffix": "\"",\ - "delimiter": " OR src_ip=",\ - "valueType": "primitive",\ - "value": "file",\ - "default": "null"\ - }\ -}\ - - -[panel://workbench_panel_investigate_okta_activity_by_app___response_task] -label = Investigate Okta Activity by app -description = This search returns all okta events associated with a specific app -disabled = 0 -tokens = {\ - "app": {\ - "valuePrefix": "\"",\ - "valueSuffix": "\"",\ - "delimiter": " OR app=",\ - "valueType": "primitive",\ - "value": "file",\ - "default": "null"\ - }\ -}\ - - -[panel://workbench_panel_investigate_pass_the_hash_attempts___response_task] -label = Investigate Pass the Hash Attempts -description = This search hunts for dumped NTLM hashes used for pass the hash. -disabled = 0 -tokens = {\ - "dest": {\ - "valuePrefix": "\"",\ - "valueSuffix": "\"",\ - "delimiter": " OR dest=",\ - "valueType": "primitive",\ - "value": "asset",\ - "default": "null"\ - }\ -}\ - - -[panel://workbench_panel_investigate_pass_the_ticket_attempts___response_task] -label = Investigate Pass the Ticket Attempts -description = This search hunts for dumped kerberos ticket from LSASS memory. -disabled = 0 -tokens = {\ - "dest": {\ - "valuePrefix": "\"",\ - "valueSuffix": "\"",\ - "delimiter": " OR dest=",\ - "valueType": "primitive",\ - "value": "asset",\ - "default": "null"\ - }\ -}\ - - -[panel://workbench_panel_investigate_previous_unseen_user___response_task] -label = Investigate Previous Unseen User -description = This search returns previous unseen user, which didn't log in for 30 days. -disabled = 0 -tokens = {\ - "dest": {\ - "valuePrefix": "\"",\ - "valueSuffix": "\"",\ - "delimiter": " OR dest=",\ - "valueType": "primitive",\ - "value": "asset",\ - "default": "null"\ - }\ -}\ - - -[panel://workbench_panel_investigate_successful_remote_desktop_authentications___response_task] -label = Investigate Successful Remote Desktop Authentications -description = This search returns the source, destination, and user for all successful remote-desktop authentications. A successful authentication after a brute-force attack on a destination machine is suspicious behavior. -disabled = 0 -tokens = {\ - "dest": {\ - "valuePrefix": "\"",\ - "valueSuffix": "\"",\ - "delimiter": " OR dest=",\ - "valueType": "primitive",\ - "value": "asset",\ - "default": "null"\ - }\ -}\ - - -[panel://workbench_panel_investigate_suspicious_strings_in_http_header___response_task] -label = Investigate Suspicious Strings in HTTP Header -description = This search helps an analyst investigate a notable event related to a potential Apache Struts exploitation. To investigate, we will want to isolate and analyze the "payload" or the commands that were passed to the vulnerable hosts by creating a few regular expressions to carve out the commands focusing on common keywords from the payload, such as cmd.exe, /bin/bash and whois. The search returns these suspicious strings found in the HTTP logs of the system of interest. -disabled = 0 -tokens = {\ - "src_ip": {\ - "valuePrefix": "\"",\ - "valueSuffix": "\"",\ - "delimiter": " OR src_ip=",\ - "valueType": "primitive",\ - "value": "file",\ - "default": "null"\ - },\ - "dest_ip": {\ - "valuePrefix": "\"",\ - "valueSuffix": "\"",\ - "delimiter": " OR dest_ip=",\ - "valueType": "primitive",\ - "value": "file",\ - "default": "null"\ - }\ -}\ - - -[panel://workbench_panel_investigate_user_activities_in_okta___response_task] -label = Investigate User Activities In Okta -description = This search returns all okta events by a specific user -disabled = 0 -tokens = {\ - "user": {\ - "valuePrefix": "\"",\ - "valueSuffix": "\"",\ - "delimiter": " OR user=",\ - "valueType": "primitive",\ - "value": "identity",\ - "default": "null"\ - }\ -}\ - - -[panel://workbench_panel_investigate_web_posts_from_src___response_task] -label = Investigate Web POSTs From src -description = This investigative search retrieves POST requests from a specified source IP or hostname. Identifying the POST requests, as well as their associated destination URLs and user agent(s), may help you scope and characterize the suspicious traffic. -disabled = 0 -tokens = {\ - "src": {\ - "valuePrefix": "\"",\ - "valueSuffix": "\"",\ - "delimiter": " OR src=",\ - "valueType": "primitive",\ - "value": "file",\ - "default": "null"\ - }\ -}\ - - diff --git a/dist/DA-ESS-ContentUpdate/default/macros.conf b/dist/DA-ESS-ContentUpdate/default/macros.conf deleted file mode 100644 index 99d2658d7f..0000000000 --- a/dist/DA-ESS-ContentUpdate/default/macros.conf +++ /dev/null @@ -1,7270 +0,0 @@ -############# -# Automatically generated by 'contentctl build' from -# https://github.com/splunk/contentctl -# On Date: 2024-06-06T17:49:54 UTC -# Author: Splunk Threat Research Team - Splunk -# Contact: research@splunk.com -############# - -[admon] -definition = source=ActiveDirectory -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[amazon_security_lake] -definition = sourcetype=aws:cloudtrail:lake -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[applocker] -definition = (source="WinEventLog:Microsoft-Windows-AppLocker/*" OR source="XmlWinEventLog:Microsoft-Windows-AppLocker/*") -description = This macro is designed to simplify the search for AppLocker events by providing a predefined search query. AppLocker, a feature in Windows, helps administrators control which executables, scripts, and libraries can run on their systems. By using this macro, analysts can quickly query AppLocker logs to monitor application control policies and investigate potential unauthorized software executions or policy violations. To modify this macro for a customer environment, you may need to adjust the source field to match the specific log source or index where AppLocker events are stored. Additionally, if the organization uses custom naming conventions or has AppLocker logs aggregated with other data, further refinement of the search query might be necessary to accurately filter for relevant events. - -[audit_searches] -definition = index=_audit sourcetype=audittrail action=search -description = Macro to enable easy searching of audittrail logs for searches - -[audittrail] -definition = index=_audit sourcetype=audittrail -description = Macro to enable easy searching of audittrail logs - -[aws_cloudwatchlogs_eks] -definition = sourcetype="aws:cloudwatchlogs:eks" -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[aws_config] -definition = sourcetype=aws:config -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[aws_description] -definition = sourcetype="aws:description" -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[aws_ecr_users] -definition = userName IN (user) -description = specify the user allowed to push Images to AWS ECR. - -[aws_ecr_users_asl] -definition = actor.user.name IN (admin) -description = specify the user allowed to push Images to AWS ECR. - -[aws_s3_accesslogs] -definition = sourcetype=aws:s3:accesslogs -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[aws_securityhub_finding] -definition = sourcetype="aws:securityhub:finding" -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[aws_securityhub_firehose] -definition = sourcetype="aws:securityhub:firehose" -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[azure_audit] -definition = sourcetype=mscs:azure:audit -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[azure_monitor_aad] -definition = sourcetype=azure:monitor:aad -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[azuread] -definition = sourcetype=mscs:azure:eventhub -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[base64decode(1)] -args = b64in -definition = eval b64x_split=split($b64in$,"") | lookup char_conversion_matrix base64char as b64x_split OUTPUT base64bin as b64x_bin | eval b64x_join=mvjoin(b64x_bin,"") | rex field=b64x_join "(?.{8})" max_match=0 | lookup char_conversion_matrix bin as b64x_by8 output ascii as b64x_out | eval $b64in$_decode=mvjoin(b64x_out,"") | fields - b64x_* | eval $b64in$_decode = replace(replace($b64in$_decode,":NUL:",""),":SPACE:"," ") | rex field=$b64in$_decode mode=sed "s/\x00//g" -description = Content based conversion of UTF8/UTF16 based base64 encoding. Not a full implementation, but good enough for context without additional app installation. - -[bootloader_inventory] -definition = sourcetype = PwSh:bootloader -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[brand_abuse_dns] -definition = lookup update=true brandMonitoring_lookup domain as query OUTPUT domain_abuse | search domain_abuse=true -description = This macro limits the output to only domains that are in the brand monitoring lookup file - -[brand_abuse_email] -definition = lookup update=true brandMonitoring_lookup domain as src_user OUTPUT domain_abuse | search domain_abuse=true -description = This macro limits the output to only domains that are in the brand monitoring lookup file - -[brand_abuse_web] -definition = lookup update=true brandMonitoring_lookup domain as urls OUTPUT domain_abuse | search domain_abuse=true -description = This macro limits the output to only domains that are in the brand monitoring lookup file - -[capi2_operational] -definition = (source=XmlWinEventLog:Microsoft-Windows-CAPI2/Operational) -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[certificateservices_lifecycle] -definition = (source=XmlWinEventLog:Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational OR source=XmlWinEventLog:Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational) -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[circleci] -definition = sourcetype=circleci -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[cisco_networks] -definition = eventtype=cisco_ios -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[cloud_api_calls_from_previously_unseen_user_roles_activity_window] -definition = "-70m@m" -description = Use this macro to determine how far back you should be checking for new commands from user roles - -[cloudtrail] -definition = sourcetype=aws:cloudtrail -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[cloudwatch_eks] -definition = sourcetype="aws:cloudwatchlogs:eks" -description = customer specific splunk configurations(eg- index, source, sourcetype) for AWS cloudwatch eks logs. Replace the macro definition with configurations for your Splunk Environmnent. - -[cloudwatch_vpc] -definition = sourcetype=aws:cloudwatchlogs:vpcflow -description = customer specific splunk configurations(eg- index, source, sourcetype) for AWS cloudwatch vpc logs. Replace the macro definition with configurations for your Splunk Environmnent. - -[cloudwatchlogs_vpcflow] -definition = sourcetype=aws:cloudwatchlogs:vpcflow -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[crushftp] -definition = sourcetype="crushftp:sessionlogs" -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[driverinventory] -definition = sourcetype=PwSh:DriverInventory -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[dynamic_dns_providers] -definition = lookup update=true dynamic_dns_providers_default dynamic_dns_domains as query OUTPUTNEW isDynDNS_default | lookup update=true dynamic_dns_providers_local dynamic_dns_domains as query OUTPUTNEW isDynDNS_local| eval isDynDNS = coalesce(isDynDNS_local,isDynDNS_default) |fields - isDynDNS_default, isDynDNS_local| search isDynDNS=True -description = This macro limits the output of the query field to dynamic dns domains. It looks up the domains in a file provided by Splunk and one intended to be updated by the end user. - -[dynamic_dns_web_traffic] -definition = lookup update=true dynamic_dns_providers_default dynamic_dns_domains as url OUTPUTNEW isDynDNS_default | lookup update=true dynamic_dns_providers_local dynamic_dns_domains as url OUTPUTNEW isDynDNS_local| eval isDynDNS = coalesce(isDynDNS_default, isDynDNS_local)|fields - isDynDNS_default, isDynDNS_local| search isDynDNS=True -description = This is a description - -[ec2_modification_api_calls] -definition = (eventName=AssociateAddress OR eventName=AssociateIamInstanceProfile OR eventName=AttachClassicLinkVpc OR eventName=AttachNetworkInterface OR eventName=AttachVolume OR eventName=BundleInstance OR eventName=DetachClassicLinkVpc OR eventName=DetachVolume OR eventName=ModifyInstanceAttribute OR eventName=ModifyInstancePlacement OR eventName=MonitorInstances OR eventName=RebootInstances OR eventName=ResetInstanceAttribute OR eventName=StartInstances OR eventName=StopInstances OR eventName=TerminateInstances OR eventName=UnmonitorInstances) -description = This is a list of AWS event names that have to do with modifying Amazon EC2 instances - -[evilginx_phishlets_0365] -definition = (query=login* AND query=www*) -description = This limits the query fields to domains that are associated with evilginx masquerading as Office 365 - -[evilginx_phishlets_amazon] -definition = (query=fls-na* AND query = www* AND query=images*) -description = This limits the query fields to domains that are associated with evilginx masquerading as Amazon - -[evilginx_phishlets_aws] -definition = (query=www* AND query=aws* AND query=console.aws* AND query=signin.aws* AND api-northeast-1.console.aws* AND query=fls-na* AND query=images-na*) -description = This limits the query fields to domains that are associated with evilginx masquerading as an AWS console - -[evilginx_phishlets_facebook] -definition = (query=www* AND query = m* AND query=static*) -description = This limits the query fields to domains that are associated with evilginx masquerading as FaceBook - -[evilginx_phishlets_github] -definition = (query=api* AND query = github*) -description = This limits the query fields to domains that are associated with evilginx masquerading as GitHub - -[evilginx_phishlets_google] -definition = (query=accounts* AND query=ssl* AND query=www*) -description = This limits the query fields to domains that are associated with evilginx masquerading as Google - -[evilginx_phishlets_outlook] -definition = (query=outlook* AND query=login* AND query=account*) -description = This limits the query fields to domains that are associated with evilginx masquerading as Outlook - -[exchange] -definition = sourcetype="MSWindows:IIS" -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[f5_bigip_rogue] -definition = index=netops sourcetype="f5:bigip:rogue" -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[filter_rare_process_allow_list] -definition = lookup update=true lookup_rare_process_allow_list_default process as process OUTPUTNEW allow_list | where allow_list="false" | lookup update=true lookup_rare_process_allow_list_local process as process OUTPUT allow_list | where allow_list="false" -description = This macro is intended to allow_list processes that have been definied as rare - -[github] -definition = sourcetype=aws:firehose:json -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[github_known_users] -definition = user IN (user_names_here) -description = specify the user allowed to create PRs in Github projects. - -[google_gcp_pubnet_message] -definition = sourcetype="google:gcp:pubsub:message" -description = customer specific splunk configurations(eg- index, source, sourcetype) for Google GCP. Replace the macro definition with configurations for your Splunk Environmnent. - -[google_gcp_pubsub_message] -definition = sourcetype="google:gcp:pubsub:message" -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[gsuite_calendar] -definition = sourcetype=gsuite:calendar:json -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[gsuite_drive] -definition = sourcetype=gsuite:drive:json -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[gsuite_gmail] -definition = sourcetype=gsuite:gmail:bigquery -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[gws_login_mfa_methods] -definition = event.parameters{}.multiValue{} IN ("backup_code", "google_authenticator", "google_prompt", "idv_any_phone", "idv_preregistered_phone", "internal_two_factor", "knowledge_employee_id", "knowledge_preregistered_email", "login_location", "knowledge_preregistered_phone", "offline_otp", "security_key", "security_key_otp") -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[gws_reports_admin] -definition = sourcetype=gws:reports:admin -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[gws_reports_login] -definition = sourcetype=gws:reports:login -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[iis_get_webglobalmodule] -definition = sourcetype="Pwsh:InstalledIISModules" -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[iis_operational_logs] -definition = sourcetype="IIS:Configuration:Operational" -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[is_net_windows_file_macro] -definition = lookup update=true is_net_windows_file filename as process_name OUTPUT netFile | lookup update=true is_net_windows_file originalFileName as original_file_name OUTPUT netFile | search netFile=true -description = This macro limits the output to process names that are .net binaries on Windows Server 2016 and Windows 11. - -[is_nirsoft_software_macro] -definition = lookup update=true is_nirsoft_software filename as process_name OUTPUT nirsoftFile | search nirsoftFile=true -description = This macro is related to potentially identifiable software related to NirSoft. Remove or filter as needed based. - -[is_windows_system_file_macro] -definition = lookup update=true is_windows_system_file filename as process_name OUTPUT systemFile | search systemFile=true -description = This macro limits the output to process names that are in the Windows System directory - -[kube_allowed_images] -definition = objectRef.name IN (*splunk*, *falco*) -description = Define your images which are allowed to connect to your kubernetes cluster. - -[kube_allowed_locations] -definition = Country="United States" -description = Define your locations which are allowed to connect to your kubernetes cluster. - -[kube_allowed_user_agents] -definition = userAgent=Helm/3.13.2 -description = Define your user agents which are allowed to connect to your kubernetes cluster. - -[kube_allowed_user_groups] -definition = user.groups{} IN (admin) -description = Define your user groups which are allowed to connect to your kubernetes cluster. - -[kube_allowed_user_names] -definition = user.username=admin -description = Define your user names which are allowed to connect to your kubernetes cluster. - -[kube_audit] -definition = source="kubernetes" -description = customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent. - -[kube_container_falco] -definition = sourcetype="kube:container:falco" -description = customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent. - -[kube_objects_events] -definition = sourcetype=kube:objects:events -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[kubernetes_azure] -definition = sourcetype=mscs:storage:blob:json -description = customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent. - -[kubernetes_container_controller] -definition = sourcetype=kube:container:controller -description = customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data. Replace the macro definition with configurations for your Splunk Environmnent. - -[kubernetes_metrics] -definition = index=kubernetes_metrics -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[linux_hosts] -definition = index=* -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[linux_shells] -definition = (Processes.process_name IN ("sh", "ksh", "zsh", "bash", "dash", "rbash", "fish", "csh", "tcsh", "ion", "eshell")) -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[ms_defender] -definition = source="WinEventLog:Microsoft-Windows-Windows Defender/Operational" -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[msexchange_management] -definition = sourcetype=MSExchange:management -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[netbackup] -definition = sourcetype="netbackup_logs" -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[network_acl_events] -definition = (eventName = CreateNetworkAcl OR eventName = CreateNetworkAclEntry OR eventName = DeleteNetworkAcl OR eventName = DeleteNetworkAclEntry OR eventName = ReplaceNetworkAclEntry OR eventName = ReplaceNetworkAclAssociation) -description = This is a list of AWS event names that are associated with Network ACLs - -[nginx_access_logs] -definition = (sourcetype="nginx:plus:kv" OR sourcetype="nginx:plus:access") -description = This is the base macro for Nginx sourcetypes - -[o365_graph] -definition = sourcetype=o365:graph:api -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[o365_management_activity] -definition = sourcetype=o365:management:activity -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[okta] -definition = eventtype=okta_log OR sourcetype = "OktaIM2:log" -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[osquery] -definition = sourcetype=osquery:results -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[osquery_process] -definition = eventtype="osquery-process" -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[papercutng] -definition = sourcetype="papercutng" -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[path_traversal_spl_injection] -definition = index=_internal sourcetype=splunkd_ui_access -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[pingid] -definition = source=PINGID -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[potential_password_in_username_false_positive_reduction] -definition = search * -description = Add customer specific known false positives to the map command used in detection - Potential password in username - -[potentially_malicious_code_on_cmdline_tokenize_score] -definition = eval orig_process=process, process=replace(lower(process), "`", "") | makemv tokenizer="([\w\d\-]+)" process | eval unusual_cmdline_feature_for=if(match(process, "^for$"), mvcount(mvfilter(match(process, "^for$"))), 0), unusual_cmdline_feature_netsh=if(match(process, "^netsh$"), mvcount(mvfilter(match(process, "^netsh$"))), 0), unusual_cmdline_feature_readbytes=if(match(process, "^readbytes$"), mvcount(mvfilter(match(process, "^readbytes$"))), 0), unusual_cmdline_feature_set=if(match(process, "^set$"), mvcount(mvfilter(match(process, "^set$"))), 0), unusual_cmdline_feature_unrestricted=if(match(process, "^unrestricted$"), mvcount(mvfilter(match(process, "^unrestricted$"))), 0), unusual_cmdline_feature_winstations=if(match(process, "^winstations$"), mvcount(mvfilter(match(process, "^winstations$"))), 0), unusual_cmdline_feature_-value=if(match(process, "^-value$"), mvcount(mvfilter(match(process, "^-value$"))), 0), unusual_cmdline_feature_compression=if(match(process, "^compression$"), mvcount(mvfilter(match(process, "^compression$"))), 0), unusual_cmdline_feature_server=if(match(process, "^server$"), mvcount(mvfilter(match(process, "^server$"))), 0), unusual_cmdline_feature_set-mppreference=if(match(process, "^set-mppreference$"), mvcount(mvfilter(match(process, "^set-mppreference$"))), 0), unusual_cmdline_feature_terminal=if(match(process, "^terminal$"), mvcount(mvfilter(match(process, "^terminal$"))), 0), unusual_cmdline_feature_-name=if(match(process, "^-name$"), mvcount(mvfilter(match(process, "^-name$"))), 0), unusual_cmdline_feature_catch=if(match(process, "^catch$"), mvcount(mvfilter(match(process, "^catch$"))), 0), unusual_cmdline_feature_get-wmiobject=if(match(process, "^get-wmiobject$"), mvcount(mvfilter(match(process, "^get-wmiobject$"))), 0), unusual_cmdline_feature_hklm=if(match(process, "^hklm$"), mvcount(mvfilter(match(process, "^hklm$"))), 0), unusual_cmdline_feature_streamreader=if(match(process, "^streamreader$"), mvcount(mvfilter(match(process, "^streamreader$"))), 0), unusual_cmdline_feature_system32=if(match(process, "^system32$"), mvcount(mvfilter(match(process, "^system32$"))), 0), unusual_cmdline_feature_username=if(match(process, "^username$"), mvcount(mvfilter(match(process, "^username$"))), 0), unusual_cmdline_feature_webrequest=if(match(process, "^webrequest$"), mvcount(mvfilter(match(process, "^webrequest$"))), 0), unusual_cmdline_feature_count=if(match(process, "^count$"), mvcount(mvfilter(match(process, "^count$"))), 0), unusual_cmdline_feature_webclient=if(match(process, "^webclient$"), mvcount(mvfilter(match(process, "^webclient$"))), 0), unusual_cmdline_feature_writeallbytes=if(match(process, "^writeallbytes$"), mvcount(mvfilter(match(process, "^writeallbytes$"))), 0), unusual_cmdline_feature_convert=if(match(process, "^convert$"), mvcount(mvfilter(match(process, "^convert$"))), 0), unusual_cmdline_feature_create=if(match(process, "^create$"), mvcount(mvfilter(match(process, "^create$"))), 0), unusual_cmdline_feature_function=if(match(process, "^function$"), mvcount(mvfilter(match(process, "^function$"))), 0), unusual_cmdline_feature_net=if(match(process, "^net$"), mvcount(mvfilter(match(process, "^net$"))), 0), unusual_cmdline_feature_com=if(match(process, "^com$"), mvcount(mvfilter(match(process, "^com$"))), 0), unusual_cmdline_feature_http=if(match(process, "^http$"), mvcount(mvfilter(match(process, "^http$"))), 0), unusual_cmdline_feature_io=if(match(process, "^io$"), mvcount(mvfilter(match(process, "^io$"))), 0), unusual_cmdline_feature_system=if(match(process, "^system$"), mvcount(mvfilter(match(process, "^system$"))), 0), unusual_cmdline_feature_new-object=if(match(process, "^new-object$"), mvcount(mvfilter(match(process, "^new-object$"))), 0), unusual_cmdline_feature_if=if(match(process, "^if$"), mvcount(mvfilter(match(process, "^if$"))), 0), unusual_cmdline_feature_threading=if(match(process, "^threading$"), mvcount(mvfilter(match(process, "^threading$"))), 0), unusual_cmdline_feature_mutex=if(match(process, "^mutex$"), mvcount(mvfilter(match(process, "^mutex$"))), 0), unusual_cmdline_feature_cryptography=if(match(process, "^cryptography$"), mvcount(mvfilter(match(process, "^cryptography$"))), 0), unusual_cmdline_feature_computehash=if(match(process, "^computehash$"), mvcount(mvfilter(match(process, "^computehash$"))), 0) -description = Performs the tokenization and application of the malicious commandline classifier - -[powershell] -definition = (source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source="XmlWinEventLog:Microsoft-Windows-PowerShell/Operational") -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[previously_seen_cloud_api_calls_per_user_role_forget_window] -definition = "-90d@d" -description = Use this macro to determine how long to keep track of cloud api calls per user role - -[previously_seen_cloud_compute_creations_by_user_search_window_begin_offset] -definition = "-70m@m" -description = Use this macro to determine how far into the past the window should be to determine if the user is new or not - -[previously_seen_cloud_compute_image_search_window_begin_offset] -definition = "-70m@m" -description = Use this macro to determine how far into the past the window should be to determine if the image is new or not - -[previously_seen_cloud_compute_images_forget_window] -definition = "-90d@d" -description = Use this macro to determine how long to keep track of cloud instance images - -[previously_seen_cloud_compute_instance_type_forget_window] -definition = "-90d@d" -description = Use this macro to determine how long to keep track of cloud instance types - -[previously_seen_cloud_compute_instance_types_search_window_begin_offset] -definition = "-70m@m" -description = Use this macro to determine how far into the past the window should be to determine if the instance type is new or not - -[previously_seen_cloud_instance_modifications_by_user_search_window_begin_offset] -definition = "-70m@m" -description = Use this macro to determine how far into the past the window should be to determine if the user is new or not - -[previously_seen_cloud_provisioning_activity_forget_window] -definition = "-90d@d" -description = Use this macro to determine how long to keep track of cloud provisioning locations - -[previously_seen_cloud_region_forget_window] -definition = "-90d@d" -description = Use this macro to determine how long to keep track of cloud regions - -[previously_seen_cloud_regions_search_window_begin_offset] -definition = "-70m@m" -description = Use this macro to determine how far into the past the window should be to determine if the region is new or not - -[previously_seen_windows_services_forget_window] -definition = "-90d@d" -description = Use this macro to determine how long to keep track of Windows services - -[previously_seen_windows_services_window] -definition = "-70m@m" -description = Use this macro to determine how far back you should be checking for new Windows services - -[previously_seen_zoom_child_processes_forget_window] -definition = "-90d@d" -description = Use this macro to determine how long to keep track of zoom child processes - -[previously_seen_zoom_child_processes_window] -definition = "-70m@m" -description = Use this macro to determine how far back you should be checking for new zoom child processes - -[previously_unseen_cloud_provisioning_activity_window] -definition = "-70m@m" -description = Use this macro to determine how far back you should be checking for new provisioning activities - -[printservice] -definition = source="wineventlog:microsoft-windows-printservice/operational" OR source="WinEventLog:Microsoft-Windows-PrintService/Admin" -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[process_bitsadmin] -definition = (Processes.process_name=bitsadmin.exe OR Processes.original_file_name=bitsadmin.exe) -description = Matches the process with its original file name, data for this macro came from https://strontic.github.io/ - -[process_certutil] -definition = (Processes.process_name=certutil.exe OR Processes.original_file_name=CertUtil.exe) -description = Matches the process with its original file name, data for this macro came from https://strontic.github.io/ - -[process_cmd] -definition = (Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe) -description = Matches the process with its original file name, data for this macro came from https://strontic.github.io/ - -[process_copy] -definition = (Processes.process_name=copy.exe OR Processes.original_file_name=copy.exe OR Processes.process_name=xcopy.exe OR Processes.original_file_name=xcopy.exe) -description = Matches the process with its original file name, data for this macro came from https://strontic.github.io/ - -[process_csc] -definition = (Processes.process_name=csc.exe OR Processes.original_file_name=csc.exe) -description = Matches the process with its original file name, data for this macro came from https://strontic.github.io/ - -[process_curl] -definition = (Processes.process_name=curl.exe OR Processes.original_file_name=Curl.exe) -description = Matches the process with its original file name, data for this macro came from https://strontic.github.io/ - -[process_diskshadow] -definition = (Processes.process_name=diskshadow.exe OR Processes.original_file_name=diskshadow.exe) -description = Matches the process with its original file name, data for this macro came from https://strontic.github.io/ - -[process_dllhost] -definition = (Processes.process_name=dllhost.exe OR Processes.original_file_name=dllhost.exe) -description = Matches the process with its original file name, data for this macro came from https://strontic.github.io/ - -[process_dsquery] -definition = (Processes.process_name=dsquery.exe OR Processes.original_file_name=dsquery.exe) -description = Matches the process with its original file name, data for this macro came from https://strontic.github.io/ - -[process_dxdiag] -definition = (Processes.process_name=dxdiag.exe OR Processes.original_file_name=dxdiag.exe) -description = Matches the process with its original file name, data for this macro came from https://strontic.github.io/ - -[process_esentutl] -definition = (Processes.process_name=esentutl.exe OR Processes.original_file_name=esentutl.exe) -description = Matches the process with its original file name, data for this macro came from https://strontic.github.io/ - -[process_fodhelper] -definition = (Processes.process_name=fodhelper.exe OR Processes.original_file_name=FodHelper.EXE) -description = Matches the process with its original file name, data for this macro came from https://strontic.github.io/ - -[process_gpupdate] -definition = (Processes.process_name=gpupdate.exe OR Processes.original_file_name=GPUpdate.exe) -description = Matches the process with its original file name, data for this macro came from https://strontic.github.io/ - -[process_hh] -definition = (Processes.process_name=hh.exe OR Processes.original_file_name=HH.EXE) -description = Matches the process with its original file name, data for this macro came from https://strontic.github.io/ - -[process_installutil] -definition = (Processes.process_name=installutil.exe OR Processes.original_file_name=InstallUtil.exe) -description = Matches the process with its original file name, data for this macro came from https://strontic.github.io/ - -[process_microsoftworkflowcompiler] -definition = (Processes.process_name=microsoft.workflow.compiler.exe OR Processes.original_file_name=Microsoft.Workflow.Compiler.exe) -description = Matches the process with its original file name, data for this macro came from https://strontic.github.io/ - -[process_msbuild] -definition = (Processes.process_name=msbuild.exe OR Processes.original_file_name=MSBuild.exe) -description = Matches the process with its original file name, data for this macro came from https://strontic.github.io/ - -[process_mshta] -definition = (Processes.process_name=mshta.exe OR Processes.original_file_name=MSHTA.EXE) -description = Matches the process with its original file name, data for this macro came from https://strontic.github.io/ - -[process_msiexec] -definition = (Processes.process_name=msiexec.exe OR Processes.original_file_name=msiexec.exe) -description = Matches the process with its original file name, data for this macro came from https://strontic.github.io/ - -[process_net] -definition = (Processes.process_name="net.exe" OR Processes.original_file_name="net.exe" OR Processes.process_name="net1.exe" OR Processes.original_file_name="net1.exe") -description = Matches the process with its original file name, data for this macro came from https://strontic.github.io/ - -[process_netsh] -definition = (Processes.process_name=netsh.exe OR Processes.original_file_name=netsh.exe) -description = Matches the process with its original file name, data for this macro came from https://strontic.github.io/ - -[process_nltest] -definition = (Processes.process_name=nltest.exe OR Processes.original_file_name=nltestrk.exe) -description = Matches the process with its original file name, data for this macro came from https://strontic.github.io/ - -[process_ntdsutil] -definition = (Processes.process_name=ntdsutil.exe OR Processes.original_file_name=ntdsutil.exe) -description = Matches the process with its original file name, data for this macro came from https://strontic.github.io/ - -[process_ping] -definition = (Processes.process_name=ping.exe OR Processes.original_file_name=ping.exe) -description = Matches the process with its original file name, data for this macro came from https://strontic.github.io/ - -[process_powershell] -definition = (Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE) -description = Matches the process with its original file name, data for this macro came from https://strontic.github.io/ - -[process_procdump] -definition = (Processes.process_name=procdump.exe OR Processes.process_name=procdump64.exe OR Processes.original_file_name=procdump) -description = Matches the process with its original file name, data for this macro came from https://strontic.github.io/ - -[process_psexec] -definition = (Processes.process_name=psexec.exe OR Processes.process_name=psexec64.exe OR Processes.original_file_name=psexec.c) -description = Matches the process with its original file name, data for this macro came from https://strontic.github.io/ - -[process_rclone] -definition = (Processes.original_file_name=rclone.exe OR Processes.process_name=rclone.exe) -description = Matches the process with its original file name. - -[process_reg] -definition = (Processes.process_name=reg.exe OR Processes.original_file_name=reg.exe) -description = Matches the process with its original file name, data for this macro came from https://strontic.github.io/ - -[process_regasm] -definition = (Processes.process_name=regasm.exe OR Processes.original_file_name=RegAsm.exe) -description = Matches the process with its original file name, data for this macro came from https://strontic.github.io/ - -[process_regsvcs] -definition = (Processes.process_name=regsvcs.exe OR Processes.original_file_name=RegSvcs.exe) -description = Matches the process with its original file name, data for this macro came from https://strontic.github.io/ - -[process_regsvr32] -definition = (Processes.process_name=regsvr32.exe OR Processes.original_file_name=REGSVR32.EXE) -description = Matches the process with its original file name, data for this macro came from https://strontic.github.io/ - -[process_route] -definition = (Processes.process_name=route.exe OR Processes.original_file_name=route.exe) -description = Matches the process with its original file name, data for this macro came from https://strontic.github.io/ - -[process_runas] -definition = (Processes.process_name=runas.exe OR Processes.original_file_name=runas.exe) -description = Matches the process with its original file name, data for this macro came from https://strontic.github.io/ - -[process_rundll32] -definition = (Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE) -description = Matches the process with its original file name, data for this macro came from https://strontic.github.io/ - -[process_schtasks] -definition = (Processes.process_name=schtasks.exe OR Processes.original_file_name=schtasks.exe) -description = Matches the process with its original file name, data for this macro came from https://strontic.github.io/ - -[process_sdelete] -definition = (Processes.process_name=sdelete.exe OR Processes.original_file_name=sdelete.exe) -description = Matches the process with its original file name, data for this macro came from https://strontic.github.io/ - -[process_setspn] -definition = (Processes.process_name=setspn.exe OR Processes.original_file_name=setspn.exe) -description = Matches the process with its original file name, data for this macro came from https://strontic.github.io/ - -[process_verclsid] -definition = (Processes.process_name=verclsid.exe OR Processes.original_file_name=verclsid.exe) -description = Matches the process with its original file name, data for this macro came from https://strontic.github.io/ - -[process_vssadmin] -definition = (Processes.process_name=vssadmin.exe OR Processes.original_file_name=VSSADMIN.EXE) -description = Matches the process with its original file name, data for this macro came from https://strontic.github.io/ - -[process_wbadmin] -definition = (Processes.process_name=wbadmin.exe OR Processes.original_file_name=WBADMIN.EXE) -description = Matches the process with its original file name, data for this macro came from https://strontic.github.io/ - -[process_wermgr] -definition = (Processes.process_name=wermgr.exe OR Processes.original_file_name=wermgr.EXE) -description = Matches the process with its original file name, data for this macro came from https://strontic.github.io/ - -[process_wmic] -definition = (Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe) -description = Matches the process with its original file name, data for this macro came from https://strontic.github.io/ - -[prohibited_apps_launching_cmd_macro] -definition = | inputlookup prohibited_apps_launching_cmd | rename prohibited_applications as parent_process_name | eval parent_process_name="*" . parent_process_name | table parent_process_name -description = This macro outputs a list of process that should not be the parent process of cmd.exe - -[prohibited_softwares] -definition = lookup prohibited_softwares app as process_name OUTPUT is_prohibited | search is_prohibited=True -description = This macro limits the output to process_names that have been marked as prohibited - -[ransomware_extensions] -definition = lookup update=true ransomware_extensions_lookup Extensions AS file_extension OUTPUT Name | search Name !=False -description = This macro limits the output to files that have extensions associated with ransomware - -[ransomware_notes] -definition = lookup ransomware_notes_lookup ransomware_notes as file_name OUTPUT status as "Known Ransomware Notes" | search "Known Ransomware Notes"=True -description = This macro limits the output to files that have been identified as a ransomware note - -[remoteconnectionmanager] -definition = source="WinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational" -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[remove_valid_domains] -definition = eval domain=trim(domain,"*") | search NOT[| inputlookup domains] NOT[ |inputlookup cim_corporate_email_domain_lookup] NOT[inputlookup cim_corporate_web_domain_lookup] | eval domain="*"+domain+"*" -description = This macro removes valid domains from the output - -[risk_index] -definition = index=risk -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[s3_accesslogs] -definition = sourcetype=aws:s3:accesslogs -description = customer specific splunk configurations(eg- index, source, sourcetype) for AWS cloudwatch vpc logs. Replace the macro definition with configurations for your Splunk Environmnent. - -[security_content_ctime(1)] -args = field -definition = convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$) -description = convert epoch time to string - -[security_content_summariesonly] -definition = summariesonly=false allow_old_summaries=true fillnull_value=null -description = search data model's summaries only - -[security_group_api_calls] -definition = (eventName=AuthorizeSecurityGroupIngress OR eventName=CreateSecurityGroup OR eventName=DeleteSecurityGroup OR eventName=DescribeClusterSecurityGroups OR eventName=DescribeDBSecurityGroups OR eventName=DescribeSecurityGroupReferences OR eventName=DescribeSecurityGroups OR eventName=DescribeStaleSecurityGroups OR eventName=RevokeSecurityGroupIngress OR eventName=UpdateSecurityGroupRuleDescriptionsIngress) -description = This macro is a list of AWS event names associated with security groups - -[splunk_crash_log] -definition = (index=_internal AND sourcetype=splunkd_crash_log) -description = Searches through the Splunk Crash Log for low-level errors and crashes - -[splunk_python] -definition = index=_internal sourcetype=splunk_python -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[splunkd] -definition = index=_internal sourcetype=splunkd -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[splunkd_failed_auths] -definition = index=_audit "action=login attempt" "info=failed" -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[splunkd_investigation_rest_handler] -definition = index=_internal sourcetype=investigation_rest_handler -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[splunkd_ui] -definition = index=_internal sourcetype=splunkd_ui_access -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[splunkd_web] -definition = index=_internal sourcetype=splunk_web_access -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[splunkd_webx] -definition = index=_internal sourcetype=splunk_web_access -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[splunkda] -definition = index=_internal sourcetype=splunkd_access -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[stream_dns] -definition = sourcetype=stream:dns -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[stream_http] -definition = sourcetype=stream:http -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[stream_tcp] -definition = sourcetype=stream:tcp -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[subjectinterfacepackage] -definition = sourcetype="PwSh:SubjectInterfacePackage" -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[suricata] -definition = sourcetype=suricata -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[suspicious_email_attachments] -definition = lookup update=true is_suspicious_file_extension_lookup file_name OUTPUT suspicious | search suspicious=true -description = This macro limits the output to email attachments that have suspicious extensions - -[suspicious_writes] -definition = lookup suspicious_writes_lookup file as file_name OUTPUT note as "Reference" | search "Reference" != False -description = This macro limites the output to file names that have been marked as suspicious - -[sysmon] -definition = sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[system_network_configuration_discovery_tools] -definition = (process_name= "arp.exe" OR process_name= "at.exe" OR process_name= "attrib.exe" OR process_name= "cscript.exe" OR process_name= "dsquery.exe" OR process_name= "hostname.exe" OR process_name= "ipconfig.exe" OR process_name= "mimikatz.exe" OR process_name= "nbstat.exe" OR process_name= "net.exe" OR process_name= "netsh.exe" OR process_name= "nslookup.exe" OR process_name= "ping.exe" OR process_name= "quser.exe" OR process_name= "qwinsta.exe" OR process_name= "reg.exe" OR process_name= "runas.exe" OR process_name= "sc.exe" OR process_name= "schtasks.exe" OR process_name= "ssh.exe" OR process_name= "systeminfo.exe" OR process_name= "taskkill.exe" OR process_name= "telnet.exe" OR process_name= "tracert.exe" OR process_name="wscript.exe" OR process_name= "xcopy.exe") -description = This macro is a list of process that can be used to discover the network configuration - -[uacbypass_process_name] -definition = BitlockerWizardElev.exe,cliconfg.exe,clipup.exe,cmstp.exe,CompMgmtLauncher.exe,consent.exe,control.exe,credwiz.exe,dccw.exe,dismhost.exe,EventVwr.exe,fodhelper.exe,GWXUXWorker.exe,inetmgr.exe,iscsicli.exe,mcx2prov.exe,migwiz.exe,mmc.exe,msconfig.exe,oobe.exe,osk.exe,pkgmgr.exe,recdisc.exe,rstrui.exe,sdclt.exe,setupsqm.exe,slui.exe,sysprep.exe,SystemPropertiesAdvanced.exe,taskhost.exe,TpmInit.exe,tzsync.exe,w32tm.exe,WerFault.exe,WSReset.exe,wusa.exe -description = A listing of processes known to be abused for User Account Control bypass exploitation. - -[uncommon_processes] -definition = lookup update=true lookup_uncommon_processes_default process_name as process_name outputnew uncommon_default,category_default,analytic_story_default,kill_chain_phase_default,mitre_attack_default | lookup update=true lookup_uncommon_processes_local process_name as process_name outputnew uncommon_local,category_local,analytic_story_local,kill_chain_phase_local,mitre_attack_local | eval uncommon = coalesce(uncommon_default, uncommon_local), analytic_story = coalesce(analytic_story_default, analytic_story_local), category=coalesce(category_default, category_local), kill_chain_phase=coalesce(kill_chain_phase_default, kill_chain_phase_local), mitre_attack=coalesce(mitre_attack_default, mitre_attack_local) | fields - analytic_story_default, analytic_story_local, category_default, category_local, kill_chain_phase_default, kill_chain_phase_local, mitre_attack_default, mitre_attack_local, uncommon_default, uncommon_local | search uncommon=true -description = This macro limits the output to processes that have been marked as uncommon - -[windows_shells] -definition = (Processes.process_name=cmd.exe OR Processes.process_name=powershell.exe OR Processes.process_name=pwsh.exe OR Processes.process_name=sh.exe OR Processes.process_name=bash.exe OR Processes.process_name=wscript.exe OR Processes.process_name=cscript.exe) -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[wineventlog_application] -definition = eventtype=wineventlog_application OR source="XmlWinEventLog:Application" -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[wineventlog_security] -definition = eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[wineventlog_system] -definition = eventtype=wineventlog_system -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[wineventlog_task_scheduler] -definition = source="XmlWinEventLog:Security" -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[wmi] -definition = sourcetype="wineventlog:microsoft-windows-wmi-activity/operational" -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[zeek_rpc] -definition = index=zeek sourcetype="zeek:rpc:json" -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[zeek_ssl] -definition = index=zeek sourcetype="zeek:ssl:json" -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[zeek_x509] -definition = sourcetype="zeek:x509:json" -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[zscaler_proxy] -definition = source=zscaler sourcetype=zscalernss-web -description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. - -[crushftp_server_side_template_injection_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_new_login_attempts_to_routers_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_risky_spl_using_pretrained_ml_model_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[email_attachments_with_lots_of_spaces_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[email_files_written_outside_of_the_outlook_directory_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[email_servers_sending_high_volume_traffic_to_hosts_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[monitor_email_for_brand_abuse_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[no_windows_updates_in_a_time_frame_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[okta_authentication_failed_during_mfa_challenge_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[okta_idp_lifecycle_modifications_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[okta_mfa_exhaustion_hunt_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[okta_mismatch_between_source_and_response_for_verify_push_request_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[okta_multi_factor_authentication_disabled_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[okta_multiple_accounts_locked_out_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[okta_multiple_failed_mfa_requests_for_user_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[okta_multiple_failed_requests_to_access_applications_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[okta_multiple_users_failing_to_authenticate_from_ip_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[okta_new_api_token_created_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[okta_new_device_enrolled_on_account_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[okta_phishing_detection_with_fastpass_origin_check_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[okta_risk_threshold_exceeded_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[okta_successful_single_factor_authentication_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[okta_suspicious_activity_reported_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[okta_suspicious_use_of_a_session_cookie_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[okta_threatinsight_threat_detected_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[okta_unauthorized_access_to_application_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[okta_user_logins_from_multiple_cities_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[path_traversal_spl_injection_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[persistent_xss_in_rapiddiag_through_user_interface_views_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[pingid_mismatch_auth_source_and_verification_response_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[pingid_multiple_failed_mfa_requests_for_user_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[pingid_new_mfa_method_after_credential_reset_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[pingid_new_mfa_method_registered_for_user_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[splunk_absolute_path_traversal_using_runshellscript_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[splunk_account_discovery_drilldown_dashboard_disclosure_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[splunk_app_for_lookup_file_editing_rce_via_user_xslt_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[splunk_authentication_token_exposure_in_debug_log_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[splunk_code_injection_via_custom_dashboard_leading_to_rce_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[splunk_command_and_scripting_interpreter_delete_usage_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[splunk_command_and_scripting_interpreter_risky_commands_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[splunk_command_and_scripting_interpreter_risky_spl_mltk_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[splunk_csrf_in_the_ssg_kvstore_client_endpoint_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[splunk_data_exfiltration_from_analytics_workspace_using_sid_query_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[splunk_digital_certificates_infrastructure_version_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[splunk_digital_certificates_lack_of_encryption_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[splunk_dos_using_malformed_saml_request_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[splunk_dos_via_dump_spl_command_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[splunk_dos_via_malformed_s2s_request_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[splunk_dos_via_printf_search_function_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[splunk_edit_user_privilege_escalation_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[splunk_endpoint_denial_of_service_dos_zip_bomb_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[splunk_enterprise_kv_store_incorrect_authorization_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[splunk_enterprise_windows_deserialization_file_partition_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[splunk_es_dos_investigations_manager_via_investigation_creation_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[splunk_es_dos_through_investigation_attachments_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[splunk_http_response_splitting_via_rest_spl_command_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[splunk_improperly_formatted_parameter_crashes_splunkd_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[splunk_information_disclosure_in_splunk_add_on_builder_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[splunk_list_all_nonstandard_admin_accounts_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[splunk_low_privilege_user_can_view_hashed_splunk_password_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[splunk_path_traversal_in_splunk_app_for_lookup_file_edit_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[splunk_persistent_xss_via_url_validation_bypass_w_dashboard_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[splunk_process_injection_forwarder_bundle_downloads_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[splunk_protocol_impersonation_weak_encryption_configuration_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[splunk_protocol_impersonation_weak_encryption_selfsigned_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[splunk_protocol_impersonation_weak_encryption_simplerequest_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[splunk_rbac_bypass_on_indexing_preview_rest_endpoint_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[splunk_rce_via_serialized_session_payload_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[splunk_rce_via_splunk_secure_gateway__splunk_mobile_alerts_feature_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[splunk_rce_via_user_xslt_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[splunk_reflected_xss_in_the_templates_lists_radio_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[splunk_reflected_xss_on_app_search_table_endpoint_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[splunk_risky_command_abuse_disclosed_february_2023_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[splunk_stored_xss_via_data_model_objectname_field_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[splunk_unauthenticated_log_injection_web_service_log_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[splunk_unnecessary_file_extensions_allowed_by_lookup_table_uploads_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[splunk_user_enumeration_attempt_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[splunk_xss_in_highlighted_json_events_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[splunk_xss_in_monitoring_console_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[splunk_xss_in_save_table_dialog_header_in_search_page_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[splunk_xss_via_view_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[suspicious_email_attachment_extensions_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[suspicious_java_classes_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[web_servers_executing_suspicious_processes_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[abnormally_high_number_of_cloud_infrastructure_api_calls_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[abnormally_high_number_of_cloud_instances_destroyed_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[abnormally_high_number_of_cloud_instances_launched_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[abnormally_high_number_of_cloud_security_group_api_calls_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[amazon_eks_kubernetes_cluster_scan_detection_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[amazon_eks_kubernetes_pod_scan_detection_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[asl_aws_concurrent_sessions_from_different_ips_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[asl_aws_defense_evasion_delete_cloudtrail_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[asl_aws_defense_evasion_delete_cloudwatch_log_group_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[asl_aws_defense_evasion_impair_security_services_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[asl_aws_defense_evasion_stop_logging_cloudtrail_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[asl_aws_defense_evasion_update_cloudtrail_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[asl_aws_ecr_container_upload_outside_business_hours_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[asl_aws_ecr_container_upload_unknown_user_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[asl_aws_iam_delete_policy_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[asl_aws_iam_failure_group_deletion_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[asl_aws_iam_successful_group_deletion_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[asl_aws_multi_factor_authentication_disabled_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[asl_aws_new_mfa_method_registered_for_user_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[aws_ami_attribute_modification_for_exfiltration_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[aws_concurrent_sessions_from_different_ips_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[aws_console_login_failed_during_mfa_challenge_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[aws_create_policy_version_to_allow_all_resources_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[aws_createaccesskey_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[aws_createloginprofile_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[aws_credential_access_failed_login_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[aws_credential_access_getpassworddata_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[aws_credential_access_rds_password_reset_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[aws_cross_account_activity_from_previously_unseen_account_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[aws_defense_evasion_delete_cloudtrail_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[aws_defense_evasion_delete_cloudwatch_log_group_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[aws_defense_evasion_impair_security_services_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[aws_defense_evasion_putbucketlifecycle_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[aws_defense_evasion_stop_logging_cloudtrail_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[aws_defense_evasion_update_cloudtrail_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[aws_detect_attach_to_role_policy_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[aws_detect_permanent_key_creation_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[aws_detect_role_creation_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[aws_detect_sts_assume_role_abuse_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[aws_detect_sts_get_session_token_abuse_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[aws_detect_users_creating_keys_with_encrypt_policy_without_mfa_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[aws_detect_users_with_kms_keys_performing_encryption_s3_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[aws_disable_bucket_versioning_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[aws_ec2_snapshot_shared_externally_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[aws_ecr_container_scanning_findings_high_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[aws_ecr_container_scanning_findings_low_informational_unknown_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[aws_ecr_container_scanning_findings_medium_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[aws_ecr_container_upload_outside_business_hours_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[aws_ecr_container_upload_unknown_user_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[aws_excessive_security_scanning_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[aws_exfiltration_via_anomalous_getobject_api_activity_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[aws_exfiltration_via_batch_service_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[aws_exfiltration_via_bucket_replication_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[aws_exfiltration_via_datasync_task_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[aws_exfiltration_via_ec2_snapshot_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[aws_high_number_of_failed_authentications_for_user_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[aws_high_number_of_failed_authentications_from_ip_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[aws_iam_accessdenied_discovery_events_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[aws_iam_assume_role_policy_brute_force_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[aws_iam_delete_policy_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[aws_iam_failure_group_deletion_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[aws_iam_successful_group_deletion_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[aws_lambda_updatefunctioncode_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[aws_multi_factor_authentication_disabled_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[aws_multiple_failed_mfa_requests_for_user_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[aws_multiple_users_failing_to_authenticate_from_ip_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[aws_network_access_control_list_created_with_all_open_ports_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[aws_network_access_control_list_deleted_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[aws_new_mfa_method_registered_for_user_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[aws_password_policy_changes_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[aws_s3_exfiltration_behavior_identified_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[aws_saml_access_by_provider_user_and_principal_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[aws_saml_update_identity_provider_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[aws_setdefaultpolicyversion_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[aws_successful_console_authentication_from_multiple_ips_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[aws_successful_single_factor_authentication_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[aws_unusual_number_of_failed_authentications_from_ip_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[aws_updateloginprofile_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[azure_active_directory_high_risk_sign_in_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[azure_ad_admin_consent_bypassed_by_service_principal_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[azure_ad_application_administrator_role_assigned_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[azure_ad_authentication_failed_during_mfa_challenge_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[azure_ad_block_user_consent_for_risky_apps_disabled_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[azure_ad_concurrent_sessions_from_different_ips_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[azure_ad_device_code_authentication_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[azure_ad_external_guest_user_invited_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[azure_ad_fullaccessasapp_permission_assigned_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[azure_ad_global_administrator_role_assigned_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[azure_ad_high_number_of_failed_authentications_for_user_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[azure_ad_high_number_of_failed_authentications_from_ip_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[azure_ad_multi_factor_authentication_disabled_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[azure_ad_multi_source_failed_authentications_spike_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[azure_ad_multiple_appids_and_useragents_authentication_spike_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[azure_ad_multiple_denied_mfa_requests_for_user_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[azure_ad_multiple_failed_mfa_requests_for_user_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[azure_ad_multiple_service_principals_created_by_sp_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[azure_ad_multiple_service_principals_created_by_user_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[azure_ad_multiple_users_failing_to_authenticate_from_ip_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[azure_ad_new_custom_domain_added_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[azure_ad_new_federated_domain_added_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[azure_ad_new_mfa_method_registered_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[azure_ad_new_mfa_method_registered_for_user_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[azure_ad_oauth_application_consent_granted_by_user_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[azure_ad_pim_role_assigned_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[azure_ad_pim_role_assignment_activated_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[azure_ad_privileged_authentication_administrator_role_assigned_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[azure_ad_privileged_graph_api_permission_assigned_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[azure_ad_privileged_role_assigned_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[azure_ad_privileged_role_assigned_to_service_principal_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[azure_ad_service_principal_authentication_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[azure_ad_service_principal_created_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[azure_ad_service_principal_new_client_credentials_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[azure_ad_service_principal_owner_added_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[azure_ad_successful_authentication_from_different_ips_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[azure_ad_successful_powershell_authentication_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[azure_ad_successful_single_factor_authentication_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[azure_ad_tenant_wide_admin_consent_granted_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[azure_ad_unusual_number_of_failed_authentications_from_ip_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[azure_ad_user_consent_blocked_for_risky_application_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[azure_ad_user_consent_denied_for_oauth_application_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[azure_ad_user_enabled_and_password_reset_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[azure_ad_user_immutableid_attribute_updated_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[azure_automation_account_created_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[azure_automation_runbook_created_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[azure_runbook_webhook_created_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[circle_ci_disable_security_job_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[circle_ci_disable_security_step_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[cloud_api_calls_from_previously_unseen_user_roles_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[cloud_compute_instance_created_by_previously_unseen_user_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[cloud_compute_instance_created_in_previously_unused_region_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[cloud_compute_instance_created_with_previously_unseen_image_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[cloud_compute_instance_created_with_previously_unseen_instance_type_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[cloud_instance_modified_by_previously_unseen_user_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[cloud_provisioning_activity_from_previously_unseen_city_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[cloud_provisioning_activity_from_previously_unseen_country_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[cloud_provisioning_activity_from_previously_unseen_ip_address_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[cloud_provisioning_activity_from_previously_unseen_region_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[cloud_security_groups_modifications_by_user_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_aws_console_login_by_new_user_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_aws_console_login_by_user_from_new_city_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_aws_console_login_by_user_from_new_country_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_aws_console_login_by_user_from_new_region_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_gcp_storage_access_from_a_new_ip_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_new_open_gcp_storage_buckets_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_new_open_s3_buckets_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_new_open_s3_buckets_over_aws_cli_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_s3_access_from_a_new_ip_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_spike_in_aws_security_hub_alerts_for_ec2_instance_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_spike_in_aws_security_hub_alerts_for_user_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_spike_in_blocked_outbound_traffic_from_your_aws_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_spike_in_s3_bucket_deletion_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[gcp_authentication_failed_during_mfa_challenge_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[gcp_detect_gcploit_framework_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[gcp_kubernetes_cluster_pod_scan_detection_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[gcp_multi_factor_authentication_disabled_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[gcp_multiple_failed_mfa_requests_for_user_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[gcp_multiple_users_failing_to_authenticate_from_ip_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[gcp_successful_single_factor_authentication_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[gcp_unusual_number_of_failed_authentications_from_ip_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[gdrive_suspicious_file_sharing_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[github_actions_disable_security_workflow_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[github_commit_changes_in_master_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[github_commit_in_develop_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[github_dependabot_alert_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[github_pull_request_from_unknown_user_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[gsuite_drive_share_in_external_email_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[gsuite_email_suspicious_attachment_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[gsuite_email_suspicious_subject_with_attachment_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[gsuite_email_with_known_abuse_web_service_link_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[gsuite_outbound_email_with_attachment_to_external_domain_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[gsuite_suspicious_calendar_invite_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[gsuite_suspicious_shared_file_name_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[high_number_of_login_failures_from_a_single_source_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[kubernetes_abuse_of_secret_by_unusual_location_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[kubernetes_abuse_of_secret_by_unusual_user_agent_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[kubernetes_abuse_of_secret_by_unusual_user_group_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[kubernetes_abuse_of_secret_by_unusual_user_name_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[kubernetes_access_scanning_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[kubernetes_anomalous_inbound_network_activity_from_process_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[kubernetes_anomalous_inbound_outbound_network_io_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[kubernetes_anomalous_inbound_to_outbound_network_io_ratio_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[kubernetes_anomalous_outbound_network_activity_from_process_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[kubernetes_anomalous_traffic_on_network_edge_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[kubernetes_aws_detect_suspicious_kubectl_calls_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[kubernetes_create_or_update_privileged_pod_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[kubernetes_cron_job_creation_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[kubernetes_daemonset_deployed_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[kubernetes_falco_shell_spawned_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[kubernetes_newly_seen_tcp_edge_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[kubernetes_newly_seen_udp_edge_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[kubernetes_nginx_ingress_lfi_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[kubernetes_nginx_ingress_rfi_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[kubernetes_node_port_creation_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[kubernetes_pod_created_in_default_namespace_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[kubernetes_pod_with_host_network_attachment_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[kubernetes_previously_unseen_container_image_name_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[kubernetes_previously_unseen_process_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[kubernetes_process_running_from_new_path_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[kubernetes_process_with_anomalous_resource_utilisation_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[kubernetes_process_with_resource_ratio_anomalies_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[kubernetes_scanner_image_pulling_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[kubernetes_scanning_by_unauthenticated_ip_address_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[kubernetes_shell_running_on_worker_node_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[kubernetes_shell_running_on_worker_node_with_cpu_activity_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[kubernetes_suspicious_image_pulling_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[kubernetes_unauthorized_access_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[o365_add_app_role_assignment_grant_user_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[o365_added_service_principal_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[o365_admin_consent_bypassed_by_service_principal_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[o365_advanced_audit_disabled_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[o365_application_registration_owner_added_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[o365_applicationimpersonation_role_assigned_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[o365_block_user_consent_for_risky_apps_disabled_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[o365_bypass_mfa_via_trusted_ip_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[o365_compliance_content_search_exported_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[o365_compliance_content_search_started_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[o365_concurrent_sessions_from_different_ips_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[o365_disable_mfa_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[o365_elevated_mailbox_permission_assigned_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[o365_excessive_authentication_failures_alert_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[o365_excessive_sso_logon_errors_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[o365_file_permissioned_application_consent_granted_by_user_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[o365_fullaccessasapp_permission_assigned_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[o365_high_number_of_failed_authentications_for_user_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[o365_high_privilege_role_granted_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[o365_mail_permissioned_application_consent_granted_by_user_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[o365_mailbox_email_forwarding_enabled_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[o365_mailbox_folder_read_permission_assigned_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[o365_mailbox_folder_read_permission_granted_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[o365_mailbox_inbox_folder_shared_with_all_users_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[o365_mailbox_read_access_granted_to_application_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[o365_multi_source_failed_authentications_spike_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[o365_multiple_appids_and_useragents_authentication_spike_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[o365_multiple_failed_mfa_requests_for_user_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[o365_multiple_mailboxes_accessed_via_api_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[o365_multiple_service_principals_created_by_sp_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[o365_multiple_service_principals_created_by_user_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[o365_multiple_users_failing_to_authenticate_from_ip_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[o365_new_email_forwarding_rule_created_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[o365_new_email_forwarding_rule_enabled_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[o365_new_federated_domain_added_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[o365_new_forwarding_mailflow_rule_created_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[o365_new_mfa_method_registered_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[o365_oauth_app_mailbox_access_via_ews_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[o365_oauth_app_mailbox_access_via_graph_api_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[o365_privileged_graph_api_permission_assigned_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[o365_pst_export_alert_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[o365_security_and_compliance_alert_triggered_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[o365_service_principal_new_client_credentials_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[o365_tenant_wide_admin_consent_granted_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[o365_user_consent_blocked_for_risky_application_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[o365_user_consent_denied_for_oauth_application_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[risk_rule_for_dev_sec_ops_by_repository_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[abnormally_high_aws_instances_launched_by_user_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[abnormally_high_aws_instances_launched_by_user___mltk_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[abnormally_high_aws_instances_terminated_by_user_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[abnormally_high_aws_instances_terminated_by_user___mltk_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[asl_aws_createaccesskey_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[asl_aws_excessive_security_scanning_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[asl_aws_password_policy_changes_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[aws_cloud_provisioning_from_previously_unseen_city_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[aws_cloud_provisioning_from_previously_unseen_country_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[aws_cloud_provisioning_from_previously_unseen_ip_address_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[aws_cloud_provisioning_from_previously_unseen_region_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[aws_eks_kubernetes_cluster_sensitive_object_access_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[clients_connecting_to_multiple_dns_servers_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[cloud_network_access_control_list_deleted_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[correlation_by_repository_and_risk_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[correlation_by_user_and_risk_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_activity_related_to_pass_the_hash_attacks_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_api_activity_from_users_without_mfa_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_aws_api_activities_from_unapproved_accounts_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_dns_requests_to_phishing_sites_leveraging_evilginx2_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_long_dns_txt_record_response_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_mimikatz_using_loaded_images_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_mimikatz_via_powershell_and_eventcode_4703_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_new_api_calls_from_user_roles_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_new_user_aws_console_login_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_spike_in_aws_api_activity_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_spike_in_network_acl_activity_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_spike_in_security_group_activity_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_usb_device_insertion_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_web_traffic_to_dynamic_domain_providers_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detection_of_dns_tunnels_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[dns_query_requests_resolved_by_unauthorized_dns_servers_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[dns_record_changed_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[dump_lsass_via_procdump_rename_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[ec2_instance_modified_with_previously_unseen_user_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[ec2_instance_started_in_previously_unseen_region_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[ec2_instance_started_with_previously_unseen_ami_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[ec2_instance_started_with_previously_unseen_instance_type_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[ec2_instance_started_with_previously_unseen_user_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[execution_of_file_with_spaces_before_extension_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[extended_period_without_successful_netbackup_backups_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[first_time_seen_command_line_argument_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[gcp_detect_accounts_with_high_risk_roles_by_project_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[gcp_detect_high_risk_permissions_by_resource_and_account_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[gcp_detect_oauth_token_abuse_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[gcp_kubernetes_cluster_scan_detection_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[identify_new_user_accounts_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[kubernetes_aws_detect_most_active_service_accounts_by_pod_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[kubernetes_aws_detect_rbac_authorization_by_account_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[kubernetes_aws_detect_sensitive_role_access_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[kubernetes_aws_detect_service_accounts_forbidden_failure_access_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[kubernetes_azure_active_service_accounts_by_pod_namespace_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[kubernetes_azure_detect_rbac_authorization_by_account_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[kubernetes_azure_detect_sensitive_object_access_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[kubernetes_azure_detect_sensitive_role_access_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[kubernetes_azure_detect_service_accounts_forbidden_failure_access_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[kubernetes_azure_detect_suspicious_kubectl_calls_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[kubernetes_azure_pod_scan_fingerprint_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[kubernetes_azure_scan_fingerprint_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[kubernetes_gcp_detect_most_active_service_accounts_by_pod_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[kubernetes_gcp_detect_rbac_authorizations_by_account_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[kubernetes_gcp_detect_sensitive_object_access_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[kubernetes_gcp_detect_sensitive_role_access_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[kubernetes_gcp_detect_service_accounts_forbidden_failure_access_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[kubernetes_gcp_detect_suspicious_kubectl_calls_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[monitor_dns_for_brand_abuse_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[multiple_okta_users_with_invalid_credentials_from_the_same_ip_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[o365_suspicious_admin_email_forwarding_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[o365_suspicious_rights_delegation_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[o365_suspicious_user_email_forwarding_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[okta_account_locked_out_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[okta_account_lockout_events_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[okta_failed_sso_attempts_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[okta_threatinsight_login_failure_with_high_unknown_users_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[okta_threatinsight_suspected_passwordspray_attack_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[okta_two_or_more_rejected_okta_pushes_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[open_redirect_in_splunk_web_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[osquery_pack___coldroot_detection_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[processes_created_by_netsh_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[prohibited_software_on_endpoint_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[reg_exe_used_to_hide_files_directories_via_registry_keys_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[remote_registry_key_modifications_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[scheduled_tasks_used_in_badrabbit_ransomware_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[spectre_and_meltdown_vulnerable_systems_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[splunk_enterprise_information_disclosure_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[suspicious_changes_to_file_associations_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[suspicious_email___uba_anomaly_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[suspicious_file_write_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[suspicious_powershell_command_line_arguments_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[suspicious_rundll32_rename_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[suspicious_writes_to_system_volume_information_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[uncommon_processes_on_endpoint_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[unsigned_image_loaded_by_lsass_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[unsuccessful_netbackup_backups_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[web_fraud___account_harvesting_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[web_fraud___anomalous_user_clickspeed_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[web_fraud___password_sharing_across_accounts_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_connhost_exe_started_forcefully_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_dll_search_order_hijacking_hunt_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_hosts_file_modification_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[3cx_supply_chain_attack_network_indicators_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[7zip_commandline_to_smb_share_path_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[access_lsass_memory_for_dump_creation_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[account_discovery_with_net_app_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[active_directory_lateral_movement_identified_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[active_directory_privilege_escalation_identified_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[active_setup_registry_autostart_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[add_defaultuser_and_password_in_registry_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[add_or_set_windows_defender_exclusion_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[adsisearcher_account_discovery_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[allow_file_and_printing_sharing_in_firewall_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[allow_inbound_traffic_by_firewall_rule_registry_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[allow_inbound_traffic_in_firewall_rule_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[allow_network_discovery_in_firewall_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[allow_operation_with_consent_admin_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[anomalous_usage_of_7zip_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[any_powershell_downloadfile_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[any_powershell_downloadstring_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[attacker_tools_on_endpoint_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[attempt_to_add_certificate_to_untrusted_store_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[attempt_to_stop_security_service_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[attempted_credential_dump_from_registry_via_reg_exe_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[auto_admin_logon_registry_entry_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[batch_file_write_to_system32_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[bcdedit_command_back_to_normal_mode_boot_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[bcdedit_failure_recovery_modification_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[bits_job_persistence_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[bitsadmin_download_file_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[certutil_download_with_urlcache_and_split_arguments_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[certutil_download_with_verifyctl_and_split_arguments_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[certutil_exe_certificate_extraction_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[certutil_with_decode_argument_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[change_default_file_association_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[change_to_safe_mode_with_network_config_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[chcp_command_execution_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[check_elevated_cmd_using_whoami_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[child_processes_of_spoolsv_exe_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[clear_unallocated_sector_using_cipher_app_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[clop_common_exec_parameter_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[clop_ransomware_known_service_name_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[cmd_carry_out_string_command_parameter_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[cmd_echo_pipe___escalation_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[cmdline_tool_not_executed_in_cmd_shell_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[cmlua_or_cmstplua_uac_bypass_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[cobalt_strike_named_pipes_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[common_ransomware_extensions_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[common_ransomware_notes_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[connectwise_screenconnect_path_traversal_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[connectwise_screenconnect_path_traversal_windows_sacl_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[conti_common_exec_parameter_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[control_loading_from_world_writable_directory_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[create_local_admin_accounts_using_net_exe_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[create_or_delete_windows_shares_using_net_exe_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[create_remote_thread_in_shell_application_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[create_remote_thread_into_lsass_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[creation_of_lsass_dump_with_taskmgr_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[creation_of_shadow_copy_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[creation_of_shadow_copy_with_wmic_and_powershell_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[credential_dumping_via_copy_command_from_shadow_copy_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[credential_dumping_via_symlink_to_shadow_copy_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[csc_net_on_the_fly_compilation_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[curl_download_and_bash_execution_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[delete_shadowcopy_with_powershell_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[deleting_of_net_users_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[deleting_shadow_copies_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_azurehound_command_line_arguments_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_azurehound_file_modifications_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_baron_samedit_cve_2021_3156_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_baron_samedit_cve_2021_3156_segfault_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_baron_samedit_cve_2021_3156_via_osquery_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_certify_command_line_arguments_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_certify_with_powershell_script_block_logging_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_certipy_file_modifications_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_computer_changed_with_anonymous_account_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_copy_of_shadowcopy_with_script_block_logging_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_credential_dumping_through_lsass_access_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_empire_with_powershell_script_block_logging_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_excessive_account_lockouts_from_endpoint_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_excessive_user_account_lockouts_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_exchange_web_shell_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_html_help_renamed_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_html_help_spawn_child_process_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_html_help_url_in_command_line_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_html_help_using_infotech_storage_handlers_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_mimikatz_with_powershell_script_block_logging_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_mshta_inline_hta_execution_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_mshta_renamed_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_mshta_url_in_command_line_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_new_local_admin_account_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_outlook_exe_writing_a_zip_file_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_path_interception_by_creation_of_program_exe_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_processes_used_for_system_network_configuration_discovery_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_prohibited_applications_spawning_cmd_exe_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_psexec_with_accepteula_flag_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_rare_executables_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_rclone_command_line_usage_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_regasm_spawning_a_process_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_regasm_with_network_connection_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_regasm_with_no_command_line_arguments_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_regsvcs_spawning_a_process_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_regsvcs_with_network_connection_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_regsvcs_with_no_command_line_arguments_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_regsvr32_application_control_bypass_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_remote_access_software_usage_file_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_remote_access_software_usage_fileinfo_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_remote_access_software_usage_process_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_renamed_7_zip_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_renamed_psexec_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_renamed_rclone_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_renamed_winrar_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_rtlo_in_file_name_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_rtlo_in_process_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_rundll32_application_control_bypass___advpack_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_rundll32_application_control_bypass___setupapi_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_rundll32_application_control_bypass___syssetup_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_rundll32_inline_hta_execution_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_sharphound_command_line_arguments_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_sharphound_file_modifications_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_sharphound_usage_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_suspicious_processnames_using_pretrained_model_in_dsdl_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_use_of_cmd_exe_to_launch_script_interpreters_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_webshell_exploit_behavior_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_wmi_event_subscription_persistence_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detection_of_tools_built_by_nirsoft_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[disable_amsi_through_registry_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[disable_defender_antivirus_registry_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[disable_defender_blockatfirstseen_feature_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[disable_defender_enhanced_notification_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[disable_defender_mpengine_registry_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[disable_defender_spynet_reporting_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[disable_defender_submit_samples_consent_feature_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[disable_etw_through_registry_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[disable_logs_using_wevtutil_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[disable_registry_tool_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[disable_schedule_task_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[disable_security_logs_using_minint_registry_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[disable_show_hidden_files_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[disable_uac_remote_restriction_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[disable_windows_app_hotkeys_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[disable_windows_behavior_monitoring_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[disable_windows_smartscreen_protection_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[disabled_kerberos_pre_authentication_discovery_with_get_aduser_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[disabled_kerberos_pre_authentication_discovery_with_powerview_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[disabling_cmd_application_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[disabling_controlpanel_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[disabling_defender_services_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[disabling_firewall_with_netsh_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[disabling_folderoptions_windows_feature_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[disabling_net_user_account_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[disabling_norun_windows_app_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[disabling_remote_user_account_control_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[disabling_systemrestore_in_registry_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[disabling_task_manager_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[disabling_windows_local_security_authority_defences_via_registry_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[dllhost_with_no_command_line_arguments_with_network_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[dns_exfiltration_using_nslookup_app_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[domain_account_discovery_with_dsquery_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[domain_account_discovery_with_net_app_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[domain_account_discovery_with_wmic_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[domain_controller_discovery_with_nltest_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[domain_controller_discovery_with_wmic_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[domain_group_discovery_with_adsisearcher_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[domain_group_discovery_with_dsquery_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[domain_group_discovery_with_net_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[domain_group_discovery_with_wmic_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[download_files_using_telegram_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[drop_icedid_license_dat_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[dsquery_domain_discovery_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[dump_lsass_via_comsvcs_dll_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[dump_lsass_via_procdump_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[elevated_group_discovery_with_net_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[elevated_group_discovery_with_powerview_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[elevated_group_discovery_with_wmic_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[enable_rdp_in_other_port_number_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[enable_wdigest_uselogoncredential_registry_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[enumerate_users_local_group_using_telegram_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[esentutl_sam_copy_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[etw_registry_disabled_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[eventvwr_uac_bypass_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[excel_spawning_powershell_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[excel_spawning_windows_script_host_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[excessive_attempt_to_disable_services_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[excessive_distinct_processes_from_windows_temp_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[excessive_file_deletion_in_windefender_folder_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[excessive_number_of_service_control_start_as_disabled_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[excessive_number_of_taskhost_processes_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[excessive_service_stop_attempt_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[excessive_usage_of_cacls_app_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[excessive_usage_of_net_app_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[excessive_usage_of_nslookup_app_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[excessive_usage_of_sc_service_utility_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[excessive_usage_of_taskkill_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[exchange_powershell_abuse_via_ssrf_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[exchange_powershell_module_usage_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[executable_file_written_in_administrative_smb_share_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[executables_or_script_creation_in_suspicious_path_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[execute_javascript_with_jscript_com_clsid_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[execution_of_file_with_multiple_extensions_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[extraction_of_registry_hives_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[file_with_samsam_extension_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[firewall_allowed_program_enable_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[first_time_seen_child_process_of_zoom_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[first_time_seen_running_windows_service_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[fodhelper_uac_bypass_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[fsutil_zeroing_file_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[get_addefaultdomainpasswordpolicy_with_powershell_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[get_addefaultdomainpasswordpolicy_with_powershell_script_block_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[get_aduser_with_powershell_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[get_aduser_with_powershell_script_block_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[get_aduserresultantpasswordpolicy_with_powershell_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[get_aduserresultantpasswordpolicy_with_powershell_script_block_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[get_domainpolicy_with_powershell_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[get_domainpolicy_with_powershell_script_block_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[get_domaintrust_with_powershell_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[get_domaintrust_with_powershell_script_block_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[get_domainuser_with_powershell_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[get_domainuser_with_powershell_script_block_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[get_foresttrust_with_powershell_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[get_foresttrust_with_powershell_script_block_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[get_wmiobject_group_discovery_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[get_wmiobject_group_discovery_with_script_block_logging_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[getadcomputer_with_powershell_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[getadcomputer_with_powershell_script_block_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[getadgroup_with_powershell_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[getadgroup_with_powershell_script_block_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[getcurrent_user_with_powershell_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[getcurrent_user_with_powershell_script_block_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[getdomaincomputer_with_powershell_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[getdomaincomputer_with_powershell_script_block_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[getdomaincontroller_with_powershell_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[getdomaincontroller_with_powershell_script_block_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[getdomaingroup_with_powershell_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[getdomaingroup_with_powershell_script_block_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[getlocaluser_with_powershell_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[getlocaluser_with_powershell_script_block_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[getnettcpconnection_with_powershell_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[getnettcpconnection_with_powershell_script_block_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[getwmiobject_ds_computer_with_powershell_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[getwmiobject_ds_computer_with_powershell_script_block_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[getwmiobject_ds_group_with_powershell_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[getwmiobject_ds_group_with_powershell_script_block_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[getwmiobject_ds_user_with_powershell_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[getwmiobject_ds_user_with_powershell_script_block_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[getwmiobject_user_account_with_powershell_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[getwmiobject_user_account_with_powershell_script_block_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[gpupdate_with_no_command_line_arguments_with_network_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[headless_browser_mockbin_or_mocky_request_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[headless_browser_usage_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[hide_user_account_from_sign_in_screen_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[hiding_files_and_directories_with_attrib_exe_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[high_frequency_copy_of_files_in_network_share_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[high_process_termination_frequency_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[hunting_3cxdesktopapp_software_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[icacls_deny_command_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[icacls_grant_command_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[icedid_exfiltrated_archived_file_creation_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[impacket_lateral_movement_commandline_parameters_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[impacket_lateral_movement_smbexec_commandline_parameters_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[impacket_lateral_movement_wmiexec_commandline_parameters_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[interactive_session_on_remote_endpoint_with_powershell_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[java_class_file_download_by_java_user_agent_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[java_writing_jsp_file_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[jscript_execution_using_cscript_app_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[kerberoasting_spn_request_with_rc4_encryption_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[kerberos_pre_authentication_flag_disabled_in_useraccountcontrol_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[kerberos_pre_authentication_flag_disabled_with_powershell_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[kerberos_service_ticket_request_using_rc4_encryption_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[kerberos_tgt_request_using_rc4_encryption_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[kerberos_user_enumeration_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[known_services_killed_by_ransomware_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_account_manipulation_of_ssh_config_and_keys_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_add_files_in_known_crontab_directories_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_add_user_account_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_adding_crontab_using_list_parameter_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_apt_get_privilege_escalation_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_apt_privilege_escalation_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_at_allow_config_file_creation_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_at_application_execution_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_awk_privilege_escalation_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_busybox_privilege_escalation_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_c89_privilege_escalation_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_c99_privilege_escalation_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_change_file_owner_to_root_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_clipboard_data_copy_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_common_process_for_elevation_control_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_composer_privilege_escalation_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_cpulimit_privilege_escalation_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_csvtool_privilege_escalation_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_curl_upload_file_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_data_destruction_command_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_dd_file_overwrite_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_decode_base64_to_shell_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_deleting_critical_directory_using_rm_command_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_deletion_of_cron_jobs_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_deletion_of_init_daemon_script_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_deletion_of_services_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_deletion_of_ssl_certificate_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_disable_services_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_doas_conf_file_creation_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_doas_tool_execution_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_docker_privilege_escalation_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_edit_cron_table_parameter_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_emacs_privilege_escalation_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_file_created_in_kernel_driver_directory_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_file_creation_in_init_boot_directory_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_file_creation_in_profile_directory_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_find_privilege_escalation_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_gdb_privilege_escalation_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_gem_privilege_escalation_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_gnu_awk_privilege_escalation_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_hardware_addition_swapoff_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_high_frequency_of_file_deletion_in_boot_folder_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_high_frequency_of_file_deletion_in_etc_folder_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_impair_defenses_process_kill_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_indicator_removal_clear_cache_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_indicator_removal_service_file_deletion_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_ingress_tool_transfer_hunting_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_ingress_tool_transfer_with_curl_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_insert_kernel_module_using_insmod_utility_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_install_kernel_module_using_modprobe_utility_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_iptables_firewall_modification_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_java_spawning_shell_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_kernel_module_enumeration_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_kworker_process_in_writable_process_path_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_make_privilege_escalation_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_mysql_privilege_escalation_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_ngrok_reverse_proxy_usage_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_node_privilege_escalation_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_nopasswd_entry_in_sudoers_file_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_obfuscated_files_or_information_base64_decode_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_octave_privilege_escalation_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_openvpn_privilege_escalation_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_persistence_and_privilege_escalation_risk_behavior_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_php_privilege_escalation_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_pkexec_privilege_escalation_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_possible_access_or_modification_of_sshd_config_file_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_possible_access_to_credential_files_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_possible_access_to_sudoers_file_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_possible_append_command_to_at_allow_config_file_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_possible_append_command_to_profile_config_file_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_possible_append_cronjob_entry_on_existing_cronjob_file_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_possible_cronjob_modification_with_editor_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_possible_ssh_key_file_creation_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_preload_hijack_library_calls_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_proxy_socks_curl_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_puppet_privilege_escalation_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_rpm_privilege_escalation_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_ruby_privilege_escalation_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_service_file_created_in_systemd_directory_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_service_restarted_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_service_started_or_enabled_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_setuid_using_chmod_utility_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_setuid_using_setcap_utility_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_shred_overwrite_command_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_sqlite3_privilege_escalation_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_ssh_authorized_keys_modification_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_ssh_remote_services_script_execute_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_stdout_redirection_to_dev_null_file_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_stop_services_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_sudo_or_su_execution_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_sudoers_tmp_file_creation_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_system_network_discovery_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_system_reboot_via_system_request_key_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_unix_shell_enable_all_sysrq_functions_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[linux_visudo_utility_execution_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[living_off_the_land_detection_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[loading_of_dynwrapx_module_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[local_account_discovery_with_net_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[local_account_discovery_with_wmic_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[log4shell_cve_2021_44228_exploitation_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[logon_script_event_trigger_execution_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[lolbas_with_network_traffic_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[macos___re_opened_applications_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[macos_lolbin_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[macos_plutil_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[mailsniper_invoke_functions_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[malicious_inprocserver32_modification_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[malicious_powershell_executed_as_a_service_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[malicious_powershell_process___encoded_command_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[malicious_powershell_process___execution_policy_bypass_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[malicious_powershell_process_with_obfuscation_techniques_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[mimikatz_passtheticket_commandline_parameters_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[mmc_lolbas_execution_process_spawn_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[modification_of_wallpaper_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[modify_acl_permission_to_files_or_folder_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[monitor_registry_keys_for_print_monitors_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[ms_exchange_mailbox_replication_service_writing_active_server_pages_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[ms_scripting_process_loading_ldap_module_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[ms_scripting_process_loading_wmi_module_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[msbuild_suspicious_spawned_by_script_process_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[mshta_spawning_rundll32_or_regsvr32_process_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[mshtml_module_load_in_office_product_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[msi_module_loaded_by_non_system_binary_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[msmpeng_application_dll_side_loading_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[net_localgroup_discovery_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[net_profiler_uac_bypass_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[network_connection_discovery_with_arp_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[network_connection_discovery_with_net_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[network_connection_discovery_with_netstat_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[network_discovery_using_route_windows_app_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[network_share_discovery_via_dir_command_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[network_traffic_to_active_directory_web_services_protocol_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[nishang_powershelltcponeline_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[nltest_domain_trust_discovery_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[non_chrome_process_accessing_chrome_default_dir_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[non_firefox_process_access_firefox_profile_dir_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[notepad_with_no_command_line_arguments_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[ntdsutil_export_ntds_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[office_application_drop_executable_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[office_application_spawn_regsvr32_process_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[office_application_spawn_rundll32_process_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[office_document_creating_schedule_task_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[office_document_executing_macro_code_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[office_document_spawned_child_process_to_download_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[office_product_spawn_cmd_process_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[office_product_spawning_bitsadmin_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[office_product_spawning_certutil_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[office_product_spawning_mshta_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[office_product_spawning_rundll32_with_no_dll_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[office_product_spawning_windows_script_host_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[office_product_spawning_wmic_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[office_product_writing_cab_or_inf_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[office_spawning_control_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[outbound_network_connection_from_java_using_default_ports_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[overwriting_accessibility_binaries_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[papercut_ng_suspicious_behavior_debug_log_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[password_policy_discovery_with_net_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[permission_modification_using_takeown_app_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[petitpotam_network_share_access_request_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[petitpotam_suspicious_kerberos_tgt_request_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[ping_sleep_batch_command_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[possible_browser_pass_view_parameter_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[possible_lateral_movement_powershell_spawn_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[potential_password_in_username_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[potentially_malicious_code_on_commandline_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[powershell_4104_hunting_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[powershell___connect_to_internet_with_hidden_window_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[powershell_com_hijacking_inprocserver32_modification_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[powershell_creating_thread_mutex_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[powershell_disable_security_monitoring_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[powershell_domain_enumeration_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[powershell_enable_powershell_remoting_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[powershell_enable_smb1protocol_feature_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[powershell_execute_com_object_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[powershell_fileless_process_injection_via_getprocaddress_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[powershell_fileless_script_contains_base64_encoded_content_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[powershell_get_localgroup_discovery_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[powershell_get_localgroup_discovery_with_script_block_logging_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[powershell_invoke_cimmethod_cimsession_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[powershell_invoke_wmiexec_usage_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[powershell_load_module_in_meterpreter_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[powershell_loading_dotnet_into_memory_via_reflection_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[powershell_processing_stream_of_data_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[powershell_remote_services_add_trustedhost_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[powershell_remote_thread_to_known_windows_process_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[powershell_remove_windows_defender_directory_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[powershell_script_block_with_url_chain_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[powershell_start_bitstransfer_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[powershell_start_or_stop_service_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[powershell_using_memory_as_backing_store_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[powershell_webrequest_using_memory_stream_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[powershell_windows_defender_exclusion_commands_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[prevent_automatic_repair_mode_using_bcdedit_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[print_processor_registry_autostart_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[print_spooler_adding_a_printer_driver_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[print_spooler_failed_to_load_a_plug_in_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[process_creating_lnk_file_in_suspicious_location_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[process_deleting_its_process_file_path_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[process_execution_via_wmi_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[process_kill_base_on_file_path_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[process_writing_dynamicwrapperx_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[processes_launching_netsh_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[processes_tapping_keyboard_events_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[randomly_generated_scheduled_task_name_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[randomly_generated_windows_service_name_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[ransomware_notes_bulk_creation_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[recon_avproduct_through_pwh_or_wmi_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[recon_using_wmi_class_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[recursive_delete_of_directory_in_batch_cmd_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[reg_exe_manipulating_windows_services_registry_keys_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[registry_keys_for_creating_shim_databases_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[registry_keys_used_for_persistence_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[registry_keys_used_for_privilege_escalation_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[regsvr32_silent_and_install_param_dll_loading_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[regsvr32_with_known_silent_switch_cmdline_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[remcos_client_registry_install_entry_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[remcos_rat_file_creation_in_remcos_folder_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[remote_desktop_process_running_on_system_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[remote_process_instantiation_via_dcom_and_powershell_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[remote_process_instantiation_via_dcom_and_powershell_script_block_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[remote_process_instantiation_via_winrm_and_powershell_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[remote_process_instantiation_via_winrm_and_powershell_script_block_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[remote_process_instantiation_via_winrm_and_winrs_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[remote_process_instantiation_via_wmi_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[remote_process_instantiation_via_wmi_and_powershell_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[remote_process_instantiation_via_wmi_and_powershell_script_block_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[remote_system_discovery_with_adsisearcher_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[remote_system_discovery_with_dsquery_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[remote_system_discovery_with_net_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[remote_system_discovery_with_wmic_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[remote_wmi_command_attempt_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[resize_shadowstorage_volume_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[revil_common_exec_parameter_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[revil_registry_entry_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[rubeus_command_line_parameters_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[rubeus_kerberos_ticket_exports_through_winlogon_access_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[runas_execution_in_commandline_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[rundll32_control_rundll_hunt_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[rundll32_control_rundll_world_writable_directory_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[rundll32_create_remote_thread_to_a_process_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[rundll32_createremotethread_in_browser_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[rundll32_dnsquery_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[rundll32_lockworkstation_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[rundll32_process_creating_exe_dll_files_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[rundll32_shimcache_flush_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[rundll32_with_no_command_line_arguments_with_network_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[rundll_loading_dll_by_ordinal_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[ryuk_test_files_detected_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[ryuk_wake_on_lan_command_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[sam_database_file_access_attempt_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[samsam_test_file_write_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[sc_exe_manipulating_windows_services_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[schcache_change_by_app_connect_and_create_adsi_object_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[schedule_task_with_http_command_arguments_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[schedule_task_with_rundll32_command_trigger_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[scheduled_task_creation_on_remote_endpoint_using_at_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[scheduled_task_deleted_or_created_via_cmd_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[scheduled_task_initiation_on_remote_endpoint_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[schtasks_run_task_on_demand_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[schtasks_scheduling_job_on_remote_system_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[schtasks_used_for_forcing_a_reboot_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[screensaver_event_trigger_execution_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[script_execution_via_wmi_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[sdclt_uac_bypass_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[sdelete_application_execution_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[searchprotocolhost_with_no_command_line_with_network_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[secretdumps_offline_ntds_dumping_tool_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[serviceprincipalnames_discovery_with_powershell_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[serviceprincipalnames_discovery_with_setspn_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[services_escalate_exe_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[services_lolbas_execution_process_spawn_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[set_default_powershell_execution_policy_to_unrestricted_or_bypass_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[shim_database_file_creation_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[shim_database_installation_with_suspicious_parameters_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[short_lived_scheduled_task_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[short_lived_windows_accounts_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[silentcleanup_uac_bypass_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[single_letter_process_on_endpoint_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[slui_runas_elevated_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[slui_spawning_a_process_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[spike_in_file_writes_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[spoolsv_spawning_rundll32_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[spoolsv_suspicious_loaded_modules_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[spoolsv_suspicious_process_access_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[spoolsv_writing_a_dll_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[spoolsv_writing_a_dll___sysmon_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[sqlite_module_in_temp_folder_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[steal_or_forge_authentication_certificates_behavior_identified_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[sunburst_correlation_dll_and_network_event_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[suspicious_computer_account_name_change_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[suspicious_copy_on_system32_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[suspicious_curl_network_connection_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[suspicious_dllhost_no_command_line_arguments_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[suspicious_driver_loaded_path_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[suspicious_event_log_service_behavior_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[suspicious_gpupdate_no_command_line_arguments_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[suspicious_icedid_rundll32_cmdline_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[suspicious_image_creation_in_appdata_folder_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[suspicious_kerberos_service_ticket_request_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[suspicious_linux_discovery_commands_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[suspicious_microsoft_workflow_compiler_rename_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[suspicious_microsoft_workflow_compiler_usage_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[suspicious_msbuild_path_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[suspicious_msbuild_rename_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[suspicious_msbuild_spawn_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[suspicious_mshta_child_process_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[suspicious_mshta_spawn_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[suspicious_plistbuddy_usage_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[suspicious_plistbuddy_usage_via_osquery_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[suspicious_process_dns_query_known_abuse_web_services_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[suspicious_process_executed_from_container_file_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[suspicious_process_file_path_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[suspicious_process_with_discord_dns_query_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[suspicious_reg_exe_process_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[suspicious_regsvr32_register_suspicious_path_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[suspicious_rundll32_dllregisterserver_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[suspicious_rundll32_no_command_line_arguments_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[suspicious_rundll32_plugininit_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[suspicious_rundll32_startw_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[suspicious_scheduled_task_from_public_directory_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[suspicious_searchprotocolhost_no_command_line_arguments_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[suspicious_sqlite3_lsquarantine_behavior_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[suspicious_ticket_granting_ticket_request_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[suspicious_wav_file_in_appdata_folder_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[suspicious_wevtutil_usage_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[suspicious_writes_to_windows_recycle_bin_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[svchost_lolbas_execution_process_spawn_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[system_info_gathering_using_dxdiag_application_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[system_information_discovery_detection_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[system_processes_run_from_unexpected_locations_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[system_user_discovery_with_query_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[system_user_discovery_with_whoami_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[time_provider_persistence_registry_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[trickbot_named_pipe_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[uac_bypass_mmc_load_unsigned_dll_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[uac_bypass_with_colorui_com_object_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[uninstall_app_using_msiexec_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[unknown_process_using_the_kerberos_protocol_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[unload_sysmon_filter_driver_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[unloading_amsi_via_reflection_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[unusual_number_of_computer_service_tickets_requested_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[unusual_number_of_kerberos_service_tickets_requested_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[unusual_number_of_remote_endpoint_authentication_events_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[unusually_long_command_line_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[unusually_long_command_line___mltk_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[user_discovery_with_env_vars_powershell_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[user_discovery_with_env_vars_powershell_script_block_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[usn_journal_deletion_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[vbscript_execution_using_wscript_app_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[verclsid_clsid_execution_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[w3wp_spawning_shell_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[wbadmin_delete_system_backups_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[wbemprox_com_object_execution_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[wermgr_process_connecting_to_ip_check_web_services_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[wermgr_process_create_executable_file_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[wermgr_process_spawned_cmd_or_powershell_process_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[wget_download_and_bash_execution_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_abused_web_services_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_access_token_manipulation_sedebugprivilege_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_access_token_manipulation_winlogon_duplicate_token_handle_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_access_token_winlogon_duplicate_handle_in_uncommon_path_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_account_discovery_for_none_disable_user_account_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_account_discovery_for_sam_account_name_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_account_discovery_with_netuser_preauthnotrequire_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_ad_abnormal_object_access_activity_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_ad_adminsdholder_acl_modified_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_ad_cross_domain_sid_history_addition_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_ad_domain_controller_audit_policy_disabled_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_ad_domain_controller_promotion_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_ad_domain_replication_acl_addition_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_ad_dsrm_account_changes_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_ad_dsrm_password_reset_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_ad_privileged_account_sid_history_addition_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_ad_privileged_object_access_activity_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_ad_replication_request_initiated_by_user_account_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_ad_replication_request_initiated_from_unsanctioned_location_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_ad_same_domain_sid_history_addition_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_ad_serviceprincipalname_added_to_domain_account_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_ad_short_lived_domain_account_serviceprincipalname_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_ad_short_lived_domain_controller_spn_attribute_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_ad_short_lived_server_object_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_ad_sid_history_attribute_modified_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_adfind_exe_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_admin_permission_discovery_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_administrative_shares_accessed_on_multiple_hosts_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_admon_default_group_policy_object_modified_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_admon_group_policy_object_created_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_alternate_datastream___base64_content_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_alternate_datastream___executable_content_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_alternate_datastream___process_execution_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_apache_benchmark_binary_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_app_layer_protocol_qakbot_namedpipe_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_app_layer_protocol_wermgr_connect_to_namedpipe_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_application_layer_protocol_rms_radmin_tool_namedpipe_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_applocker_block_events_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_applocker_execution_from_uncommon_locations_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_applocker_privilege_escalation_via_unauthorized_bypass_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_applocker_rare_application_launch_detection_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_archive_collected_data_via_powershell_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_archive_collected_data_via_rar_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_autoit3_execution_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_autostart_execution_lsass_driver_registry_modification_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_binary_proxy_execution_mavinject_dll_injection_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_boot_or_logon_autostart_execution_in_startup_folder_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_bootloader_inventory_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_bypass_uac_via_pkgmgr_tool_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_cab_file_on_disk_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_cached_domain_credentials_reg_query_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_change_default_file_association_for_no_file_ext_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_clipboard_data_via_get_clipboard_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_com_hijacking_inprocserver32_modification_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_command_and_scripting_interpreter_hunting_path_traversal_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_command_and_scripting_interpreter_path_traversal_exec_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_command_shell_dcrat_forkbomb_payload_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_command_shell_fetch_env_variables_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_common_abused_cmd_shell_risk_behavior_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_computer_account_created_by_computer_account_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_computer_account_requesting_kerberos_ticket_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_computer_account_with_spn_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_conhost_with_headless_argument_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_create_local_account_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_credential_access_from_browser_password_store_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_credential_dumping_lsass_memory_createdump_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_credentials_from_password_stores_chrome_extension_access_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_credentials_from_password_stores_chrome_localstate_access_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_credentials_from_password_stores_chrome_login_data_access_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_credentials_from_password_stores_creation_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_credentials_from_password_stores_deletion_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_credentials_from_password_stores_query_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_credentials_in_registry_reg_query_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_curl_download_to_suspicious_path_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_curl_upload_to_remote_destination_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_data_destruction_recursive_exec_files_deletion_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_defacement_modify_transcodedwallpaper_file_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_default_group_policy_object_modified_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_default_group_policy_object_modified_with_gpme_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_defender_asr_audit_events_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_defender_asr_block_events_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_defender_asr_registry_modification_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_defender_asr_rule_disabled_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_defender_asr_rules_stacking_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_defender_exclusion_registry_entry_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_delete_or_modify_system_firewall_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_deleted_registry_by_a_non_critical_process_file_path_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_disable_change_password_through_registry_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_disable_lock_workstation_feature_through_registry_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_disable_logoff_button_through_registry_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_disable_memory_crash_dump_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_disable_notification_center_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_disable_or_modify_tools_via_taskkill_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_disable_shutdown_button_through_registry_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_disable_windows_event_logging_disable_http_logging_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_disable_windows_group_policy_features_through_registry_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_disableantispyware_registry_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_diskcryptor_usage_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_diskshadow_proxy_execution_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_dism_remove_defender_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_dll_search_order_hijacking_hunt_with_sysmon_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_dll_search_order_hijacking_with_iscsicpl_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_dll_side_loading_in_calc_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_dll_side_loading_process_child_of_calc_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_dns_gather_network_info_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_dnsadmins_new_member_added_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_domain_account_discovery_via_get_netcomputer_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_domain_admin_impersonation_indicator_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_dotnet_binary_in_non_standard_path_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_driver_inventory_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_driver_load_non_standard_path_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_drivers_loaded_by_signature_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_enable_win32_scheduledjob_via_registry_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_event_for_service_disabled_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_event_log_cleared_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_event_triggered_image_file_execution_options_injection_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_excessive_disabled_services_event_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_executable_in_loaded_modules_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_execute_arbitrary_commands_with_msdt_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_exfiltration_over_c2_via_invoke_restmethod_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_exfiltration_over_c2_via_powershell_uploadstring_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_export_certificate_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_file_share_discovery_with_powerview_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_file_transfer_protocol_in_non_common_process_path_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_file_without_extension_in_critical_folder_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_files_and_dirs_access_rights_modification_via_icacls_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_find_domain_organizational_units_with_getdomainou_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_find_interesting_acl_with_findinterestingdomainacl_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_findstr_gpp_discovery_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_forest_discovery_with_getforestdomain_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_gather_victim_host_information_camera_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_gather_victim_identity_sam_info_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_gather_victim_network_info_through_ip_check_web_services_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_get_adcomputer_unconstrained_delegation_discovery_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_get_local_admin_with_findlocaladminaccess_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_group_policy_object_created_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_hidden_schedule_task_settings_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_hide_notification_features_through_registry_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_high_file_deletion_frequency_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_hijack_execution_flow_version_dll_side_load_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_hunting_system_account_targeting_lsass_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_identify_protocol_handlers_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_iis_components_add_new_module_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_iis_components_get_webglobalmodule_module_query_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_iis_components_module_failed_to_load_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_iis_components_new_module_added_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_impair_defense_add_xml_applocker_rules_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_impair_defense_change_win_defender_health_check_intervals_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_impair_defense_change_win_defender_quick_scan_interval_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_impair_defense_change_win_defender_throttle_rate_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_impair_defense_change_win_defender_tracing_level_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_impair_defense_configure_app_install_control_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_impair_defense_define_win_defender_threat_action_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_impair_defense_delete_win_defender_context_menu_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_impair_defense_delete_win_defender_profile_registry_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_impair_defense_deny_security_software_with_applocker_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_impair_defense_disable_controlled_folder_access_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_impair_defense_disable_defender_firewall_and_network_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_impair_defense_disable_defender_protocol_recognition_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_impair_defense_disable_pua_protection_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_impair_defense_disable_realtime_signature_delivery_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_impair_defense_disable_web_evaluation_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_impair_defense_disable_win_defender_app_guard_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_impair_defense_disable_win_defender_compute_file_hashes_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_impair_defense_disable_win_defender_gen_reports_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_impair_defense_disable_win_defender_network_protection_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_impair_defense_disable_win_defender_report_infection_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_impair_defense_disable_win_defender_scan_on_update_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_impair_defense_disable_win_defender_signature_retirement_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_impair_defense_overide_win_defender_phishing_filter_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_impair_defense_override_smartscreen_prompt_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_impair_defense_set_win_defender_smart_screen_level_to_warn_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_impair_defenses_disable_hvci_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_impair_defenses_disable_win_defender_auto_logging_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_indicator_removal_via_rmdir_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_indirect_command_execution_via_forfiles_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_indirect_command_execution_via_pcalua_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_indirect_command_execution_via_series_of_forfiles_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_information_discovery_fsutil_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_ingress_tool_transfer_using_explorer_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_inprocserver32_new_outlook_form_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_input_capture_using_credential_ui_dll_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_installutil_credential_theft_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_installutil_in_non_standard_path_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_installutil_remote_network_connection_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_installutil_uninstall_option_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_installutil_uninstall_option_with_network_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_installutil_url_in_command_line_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_iso_lnk_file_creation_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_java_spawning_shells_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_kerberos_local_successful_logon_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_known_abused_dll_created_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_known_graphicalproton_loaded_modules_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_krbrelayup_service_creation_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_large_number_of_computer_service_tickets_requested_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_lateral_tool_transfer_remcom_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_ldifde_directory_object_behavior_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_linked_policies_in_adsi_discovery_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_local_administrator_credential_stuffing_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_lsa_secrets_nolmhash_registry_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_mail_protocol_in_non_common_process_path_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_mark_of_the_web_bypass_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_masquerading_explorer_as_child_process_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_masquerading_msdtc_process_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_mimikatz_binary_execution_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_mimikatz_crypto_export_file_extensions_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_modify_registry_authenticationleveloverride_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_modify_registry_auto_minor_updates_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_modify_registry_auto_update_notif_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_modify_registry_default_icon_setting_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_modify_registry_disable_restricted_admin_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_modify_registry_disable_toast_notifications_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_modify_registry_disable_win_defender_raw_write_notif_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_modify_registry_disable_windefender_notifications_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_modify_registry_disable_windows_security_center_notif_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_modify_registry_disableremotedesktopantialias_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_modify_registry_disablesecuritysettings_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_modify_registry_disabling_wer_settings_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_modify_registry_disallow_windows_app_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_modify_registry_do_not_connect_to_win_update_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_modify_registry_dontshowui_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_modify_registry_enablelinkedconnections_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_modify_registry_longpathsenabled_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_modify_registry_maxconnectionperserver_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_modify_registry_no_auto_reboot_with_logon_user_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_modify_registry_no_auto_update_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_modify_registry_nochangingwallpaper_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_modify_registry_proxyenable_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_modify_registry_proxyserver_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_modify_registry_qakbot_binary_data_registry_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_modify_registry_reg_restore_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_modify_registry_regedit_silent_reg_import_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_modify_registry_risk_behavior_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_modify_registry_suppress_win_defender_notif_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_modify_registry_tamper_protection_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_modify_registry_updateserviceurlalternate_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_modify_registry_usewuserver_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_modify_registry_with_md5_reg_key_name_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_modify_registry_wuserver_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_modify_registry_wustatusserver_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_modify_show_compress_color_and_info_tip_registry_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_modify_system_firewall_with_notable_process_path_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_mof_event_triggered_execution_via_wmi_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_moveit_transfer_writing_aspx_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_msexchange_management_mailbox_cmdlet_usage_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_mshta_execution_in_registry_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_mshta_writing_to_world_writable_path_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_msiexec_dllregisterserver_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_msiexec_hidewindow_rundll32_execution_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_msiexec_remote_download_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_msiexec_spawn_discovery_command_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_msiexec_spawn_windbg_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_msiexec_unregister_dllregisterserver_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_msiexec_with_network_connections_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_multi_hop_proxy_tor_website_query_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_multiple_account_passwords_changed_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_multiple_accounts_deleted_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_multiple_accounts_disabled_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_multiple_disabled_users_failed_to_authenticate_wth_kerberos_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_multiple_invalid_users_fail_to_authenticate_using_kerberos_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_multiple_invalid_users_failed_to_authenticate_using_ntlm_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_multiple_users_fail_to_authenticate_wth_explicitcredentials_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_multiple_users_failed_to_authenticate_from_host_using_ntlm_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_multiple_users_failed_to_authenticate_from_process_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_multiple_users_failed_to_authenticate_using_kerberos_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_multiple_users_remotely_failed_to_authenticate_from_host_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_new_inprocserver32_added_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_ngrok_reverse_proxy_usage_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_nirsoft_advancedrun_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_nirsoft_utilities_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_njrat_fileless_storage_via_registry_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_non_discord_app_access_discord_leveldb_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_non_system_account_targeting_lsass_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_odbcconf_hunting_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_odbcconf_load_dll_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_odbcconf_load_response_file_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_office_product_spawning_msdt_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_papercut_ng_spawn_shell_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_parent_pid_spoofing_with_explorer_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_password_managers_discovery_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_phishing_outlook_drop_dll_in_form_dir_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_phishing_pdf_file_executes_url_link_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_phishing_recent_iso_exec_registry_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_possible_credential_dumping_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_post_exploitation_risk_behavior_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_powershell_add_module_to_global_assembly_cache_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_powershell_cryptography_namespace_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_powershell_disable_http_logging_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_powershell_export_certificate_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_powershell_export_pfxcertificate_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_powershell_get_ciminstance_remote_computer_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_powershell_iis_components_webglobalmodule_usage_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_powershell_import_applocker_policy_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_powershell_remotesigned_file_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_powershell_scheduletask_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_powershell_wmi_win32_scheduledjob_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_powersploit_gpp_discovery_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_powerview_ad_access_control_list_enumeration_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_powerview_constrained_delegation_discovery_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_powerview_kerberos_service_ticket_request_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_powerview_spn_discovery_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_powerview_unconstrained_delegation_discovery_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_private_keys_discovery_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_privilege_escalation_suspicious_process_elevation_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_privilege_escalation_system_process_without_system_parent_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_privilege_escalation_user_process_spawn_system_process_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_process_commandline_discovery_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_process_injection_in_non_service_searchindexer_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_process_injection_into_notepad_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_process_injection_of_wermgr_to_known_browser_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_process_injection_remote_thread_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_process_injection_wermgr_child_process_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_process_injection_with_public_source_path_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_process_with_namedpipe_commandline_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_process_writing_file_to_world_writable_path_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_processes_killed_by_industroyer2_malware_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_protocol_tunneling_with_plink_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_proxy_via_netsh_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_proxy_via_registry_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_query_registry_browser_list_application_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_query_registry_reg_save_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_query_registry_uninstall_program_list_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_raccine_scheduled_task_deletion_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_rapid_authentication_on_multiple_hosts_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_rasautou_dll_execution_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_raw_access_to_disk_volume_partition_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_raw_access_to_master_boot_record_drive_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_rdp_connection_successful_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_registry_bootexecute_modification_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_registry_certificate_added_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_registry_delete_task_sd_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_registry_modification_for_safe_mode_persistence_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_registry_payload_injection_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_registry_sip_provider_modification_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_regsvr32_renamed_binary_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_remote_access_software_brc4_loaded_dll_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_remote_access_software_hunt_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_remote_access_software_rms_registry_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_remote_assistance_spawning_process_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_remote_create_service_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_remote_service_rdpwinst_tool_execution_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_remote_services_allow_rdp_in_firewall_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_remote_services_allow_remote_assistance_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_remote_services_rdp_enable_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_replication_through_removable_media_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_root_domain_linked_policies_discovery_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_rundll32_apply_user_settings_changes_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_rundll32_webdav_request_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_rundll32_webdav_with_network_connection_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_scheduled_task_created_via_xml_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_scheduled_task_service_spawned_shell_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_scheduled_task_with_highest_privileges_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_schtasks_create_run_as_system_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_screen_capture_via_powershell_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_security_account_manager_stopped_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_security_support_provider_reg_query_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_server_software_component_gacutil_install_to_gac_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_service_create_kernel_mode_driver_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_service_create_remcomsvc_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_service_create_sliverc2_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_service_create_with_tscon_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_service_created_with_suspicious_service_path_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_service_created_within_public_path_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_service_creation_on_remote_endpoint_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_service_creation_using_registry_entry_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_service_deletion_in_registry_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_service_initiation_on_remote_endpoint_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_service_stop_by_deletion_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_service_stop_via_net__and_sc_application_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_service_stop_win_updates_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_sip_provider_inventory_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_sip_winverifytrust_failed_trust_validation_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_snake_malware_file_modification_crmlog_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_snake_malware_kernel_driver_comadmin_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_snake_malware_registry_modification_wav_openwithprogids_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_snake_malware_service_create_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_soaphound_binary_execution_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_spearphishing_attachment_connect_to_none_ms_office_domain_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_spearphishing_attachment_onenote_spawn_mshta_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_special_privileged_logon_on_multiple_hosts_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_sql_spawning_certutil_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_sqlwriter_sqldumper_dll_sideload_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_steal_authentication_certificates___esc1_abuse_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_steal_authentication_certificates___esc1_authentication_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_steal_authentication_certificates_certificate_issued_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_steal_authentication_certificates_certificate_request_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_steal_authentication_certificates_certutil_backup_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_steal_authentication_certificates_cryptoapi_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_steal_authentication_certificates_cs_backup_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_steal_authentication_certificates_export_certificate_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_steal_authentication_certificates_export_pfxcertificate_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_steal_or_forge_kerberos_tickets_klist_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_suspect_process_with_authentication_traffic_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_system_binary_proxy_execution_compiled_html_file_decompile_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_system_discovery_using_ldap_nslookup_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_system_discovery_using_qwinsta_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_system_file_on_disk_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_system_logoff_commandline_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_system_network_config_discovery_display_dns_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_system_network_connections_discovery_netsh_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_system_reboot_commandline_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_system_script_proxy_execution_syncappvpublishingserver_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_system_shutdown_commandline_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_system_time_discovery_w32tm_delay_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_system_user_discovery_via_quser_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_system_user_privilege_discovery_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_terminating_lsass_process_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_time_based_evasion_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_time_based_evasion_via_choice_exec_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_uac_bypass_suspicious_child_process_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_uac_bypass_suspicious_escalation_behavior_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_unsecured_outlook_credentials_access_in_registry_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_unsigned_dll_side_loading_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_unsigned_ms_dll_side_loading_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_unusual_count_of_disabled_users_failed_auth_using_kerberos_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_unusual_count_of_invalid_users_fail_to_auth_using_kerberos_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_unusual_count_of_users_failed_to_auth_using_kerberos_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_unusual_count_of_users_failed_to_authenticate_from_process_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_unusual_count_of_users_failed_to_authenticate_using_ntlm_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_unusual_count_of_users_remotely_failed_to_auth_from_host_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_user_execution_malicious_url_shortcut_file_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_valid_account_with_never_expires_password_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_vulnerable_3cx_software_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_vulnerable_driver_loaded_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_windbg_spawning_autoit3_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_winlogon_with_public_network_connection_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_wmi_impersonate_token_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_wmi_process_and_service_list_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_wmi_process_call_create_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[winevent_scheduled_task_created_to_spawn_shell_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[winevent_scheduled_task_created_within_public_path_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[winevent_windows_task_scheduler_event_action_started_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[winhlp32_spawning_a_process_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[winrar_spawning_shell_application_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[winrm_spawning_a_process_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[winword_spawning_cmd_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[winword_spawning_powershell_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[winword_spawning_windows_script_host_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[wmi_permanent_event_subscription_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[wmi_permanent_event_subscription___sysmon_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[wmi_recon_running_process_or_services_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[wmi_temporary_event_subscription_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[wmic_group_discovery_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[wmic_noninteractive_app_uninstallation_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[wmic_xsl_execution_via_url_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[wmiprsve_lolbas_execution_process_spawn_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[wscript_or_cscript_suspicious_child_process_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[wsmprovhost_lolbas_execution_process_spawn_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[wsreset_uac_bypass_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[xmrig_driver_loaded_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[xsl_script_execution_with_wmic_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_arp_poisoning_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_dga_domains_using_pretrained_model_in_dsdl_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_dns_data_exfiltration_using_pretrained_model_in_dsdl_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_hosts_connecting_to_dynamic_domain_providers_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_ipv6_network_infrastructure_threats_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_large_outbound_icmp_packets_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_outbound_ldap_traffic_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_outbound_smb_traffic_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_port_security_violation_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_remote_access_software_usage_dns_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_remote_access_software_usage_traffic_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_rogue_dhcp_server_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_snicat_sni_exfiltration_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_software_download_to_network_device_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_traffic_mirroring_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_unauthorized_assets_by_mac_address_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_windows_dns_sigred_via_splunk_stream_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_windows_dns_sigred_via_zeek_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_zerologon_via_zeek_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[dns_query_length_outliers___mltk_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[dns_query_length_with_high_standard_deviation_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[excessive_dns_failures_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[high_volume_of_bytes_out_to_url_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[hosts_receiving_high_volume_of_network_traffic_from_email_server_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[large_volume_of_dns_any_queries_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[multiple_archive_files_http_post_traffic_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[ngrok_reverse_proxy_on_network_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[plain_http_post_exfiltrated_data_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[prohibited_network_traffic_allowed_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[protocol_or_port_mismatch_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[protocols_passing_authentication_in_cleartext_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[remote_desktop_network_bruteforce_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[remote_desktop_network_traffic_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[smb_traffic_spike_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[smb_traffic_spike___mltk_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[splunk_identified_ssl_tls_certificates_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[ssl_certificates_with_punycode_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[tor_traffic_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[unusually_long_content_type_length_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_ad_replication_service_traffic_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_ad_rogue_domain_controller_network_activity_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[zeek_x509_certificate_with_punycode_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[access_to_vulnerable_ivanti_connect_secure_bookmark_endpoint_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[adobe_coldfusion_access_control_bypass_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[adobe_coldfusion_unauthenticated_arbitrary_file_read_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[cisco_ios_xe_implant_access_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[citrix_adc_and_gateway_unauthorized_data_disclosure_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[citrix_adc_exploitation_cve_2023_3519_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[citrix_sharefile_exploitation_cve_2023_24489_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[confluence_cve_2023_22515_trigger_vulnerability_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[confluence_data_center_and_server_privilege_escalation_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[confluence_pre_auth_rce_via_ognl_injection_cve_2023_22527_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[confluence_unauthenticated_remote_code_execution_cve_2022_26134_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[connectwise_screenconnect_authentication_bypass_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_attackers_scanning_for_vulnerable_jboss_servers_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_f5_tmui_rce_cve_2020_5902_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_malicious_requests_to_exploit_jboss_servers_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[detect_remote_access_software_usage_url_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[exploit_public_facing_application_via_apache_commons_text_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[exploit_public_facing_fortinet_fortinac_cve_2022_39952_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[f5_tmui_authentication_bypass_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[fortinet_appliance_auth_bypass_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[hunting_for_log4shell_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[ivanti_connect_secure_command_injection_attempts_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[ivanti_connect_secure_ssrf_in_saml_component_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[ivanti_connect_secure_system_information_access_via_auth_bypass_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35078_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35082_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[ivanti_sentry_authentication_bypass_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[jenkins_arbitrary_file_read_cve_2024_23897_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[jetbrains_teamcity_authentication_bypass_cve_2024_27198_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[jetbrains_teamcity_authentication_bypass_suricata_cve_2024_27198_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[jetbrains_teamcity_limited_auth_bypass_suricata_cve_2024_27199_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[jetbrains_teamcity_rce_attempt_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[juniper_networks_remote_code_execution_exploit_detection_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[log4shell_jndi_payload_injection_attempt_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[log4shell_jndi_payload_injection_with_outbound_connection_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[microsoft_sharepoint_server_elevation_of_privilege_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[monitor_web_traffic_for_brand_abuse_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[nginx_connectwise_screenconnect_authentication_bypass_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[papercut_ng_remote_web_access_attempt_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[proxyshell_proxynotshell_behavior_detected_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[spring4shell_payload_url_request_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[sql_injection_with_long_urls_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[supernova_webshell_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[vmware_aria_operations_exploit_attempt_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[vmware_server_side_template_injection_hunt_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[vmware_workspace_one_freemarker_server_side_template_injection_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[web_jsp_request_via_url_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[web_remote_shellservlet_access_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[web_spring4shell_http_request_class_module_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[web_spring_cloud_function_functionrouter_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[windows_exchange_autodiscover_ssrf_abuse_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[wordpress_bricks_builder_plugin_rce_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[ws_ftp_remote_code_execution_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[zscaler_adware_activities_threat_blocked_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[zscaler_behavior_analysis_threat_blocked_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[zscaler_cryptominer_downloaded_threat_blocked_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[zscaler_employment_search_web_activity_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[zscaler_exploit_threat_blocked_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[zscaler_legal_liability_threat_blocked_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[zscaler_malware_activity_threat_blocked_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[zscaler_phishing_activity_threat_blocked_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[zscaler_potentially_abused_file_download_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[zscaler_privacy_risk_destinations_threat_blocked_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[zscaler_scam_destinations_threat_blocked_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - -[zscaler_virus_download_threat_blocked_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - diff --git a/dist/DA-ESS-ContentUpdate/default/savedsearches.conf b/dist/DA-ESS-ContentUpdate/default/savedsearches.conf deleted file mode 100644 index 30f8584973..0000000000 --- a/dist/DA-ESS-ContentUpdate/default/savedsearches.conf +++ /dev/null @@ -1,74399 +0,0 @@ -############# -# Automatically generated by 'contentctl build' from -# https://github.com/splunk/contentctl -# On Date: 2024-06-06T17:49:54 UTC -# Author: Splunk Threat Research Team - Splunk -# Contact: research@splunk.com -############# -### ESCU DETECTIONS ### - -[ESCU - CrushFTP Server Side Template Injection - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is designed to identify attempts to exploit a server-side template injection vulnerability in CrushFTP, designated as CVE-2024-4040. This severe vulnerability enables unauthenticated remote attackers to access and read files beyond the VFS Sandbox, circumvent authentication protocols, and execute arbitrary commands on the affected server. The issue impacts all versions of CrushFTP up to 10.7.1 and 11.1.0 on all supported platforms. It is highly recommended to apply patches immediately to prevent unauthorized access to the system and avoid potential data compromises. The search specifically looks for patterns in the raw log data that match the exploitation attempts, including READ or WRITE actions, and extracts relevant information such as the protocol, session ID, user, IP address, HTTP method, and the URI queried. It then evaluates these logs to confirm traces of exploitation based on the presence of specific keywords and the originating IP address, counting and sorting these events for further analysis. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic is designed to identify attempts to exploit a server-side template injection vulnerability in CrushFTP, designated as CVE-2024-4040. This severe vulnerability enables unauthenticated remote attackers to access and read files beyond the VFS Sandbox, circumvent authentication protocols, and execute arbitrary commands on the affected server. The issue impacts all versions of CrushFTP up to 10.7.1 and 11.1.0 on all supported platforms. It is highly recommended to apply patches immediately to prevent unauthorized access to the system and avoid potential data compromises. The search specifically looks for patterns in the raw log data that match the exploitation attempts, including READ or WRITE actions, and extracts relevant information such as the protocol, session ID, user, IP address, HTTP method, and the URI queried. It then evaluates these logs to confirm traces of exploitation based on the presence of specific keywords and the originating IP address, counting and sorting these events for further analysis. -action.escu.how_to_implement = CrushFTP Session logs, from Windows or Linux, must be ingested to Splunk. Currently, there is no TA for CrushFTP, so the data must be extracted from the raw logs. -action.escu.known_false_positives = False positives should be limited, however tune or filter as needed. -action.escu.creation_date = 2024-05-16 -action.escu.modification_date = 2024-05-16 -action.escu.confidence = high -action.escu.full_search_name = ESCU - CrushFTP Server Side Template Injection - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["CrushFTP Vulnerabilities"] -action.risk = 1 -action.risk.param._risk_message = Potential exploitation of CrushFTP Server Side Template Injection Vulnerability on $dest$ by $src_ip$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - CrushFTP Server Side Template Injection - Rule -action.correlationsearch.annotations = {"analytic_story": ["CrushFTP Vulnerabilities"], "cis20": ["CIS 13"], "confidence": 80, "cve": ["CVE-2024-4040"], "impact": 80, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "ccf6b7a3-bd39-4bc9-a949-143a8d640dbc", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic is designed to identify attempts to exploit a server-side template injection vulnerability in CrushFTP, designated as CVE-2024-4040. This severe vulnerability enables unauthenticated remote attackers to access and read files beyond the VFS Sandbox, circumvent authentication protocols, and execute arbitrary commands on the affected server. The issue impacts all versions of CrushFTP up to 10.7.1 and 11.1.0 on all supported platforms. It is highly recommended to apply patches immediately to prevent unauthorized access to the system and avoid potential data compromises. The search specifically looks for patterns in the raw log data that match the exploitation attempts, including READ or WRITE actions, and extracts relevant information such as the protocol, session ID, user, IP address, HTTP method, and the URI queried. It then evaluates these logs to confirm traces of exploitation based on the presence of specific keywords and the originating IP address, counting and sorting these events for further analysis. -action.notable.param.rule_title = CrushFTP Server Side Template Injection -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `crushftp` | rex field=_raw "\[(?HTTPS|HTTP):(?[^\:]+):(?[^\:]+):(?\d+\.\d+\.\d+\.\d+)\] (?READ|WROTE): \*(?[A-Z]+) (?[^\s]+) HTTP/[^\*]+\*" | eval message=if(match(_raw, "INCLUDE") and isnotnull(src_ip), "traces of exploitation by " . src_ip, "false") | search message!=false | rename host as dest | stats count by _time, dest, source, message, src_ip, http_method, uri_query, user, action | sort -_time| `crushftp_server_side_template_injection_filter` - -[ESCU - Detect New Login Attempts to Routers - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies new login attempts to routers. It leverages authentication logs from the ES Assets and Identity Framework, focusing on assets categorized as routers. The detection flags connections that have not been observed in the past 30 days. This activity is significant because unauthorized access to routers can lead to network disruptions or data interception. If confirmed malicious, attackers could gain control over network traffic, potentially leading to data breaches or further network compromise. -action.escu.mappings = {"cis20": ["CIS 13"], "nist": ["DE.CM"]} -action.escu.data_models = ["Authentication"] -action.escu.eli5 = The following analytic identifies new login attempts to routers. It leverages authentication logs from the ES Assets and Identity Framework, focusing on assets categorized as routers. The detection flags connections that have not been observed in the past 30 days. This activity is significant because unauthorized access to routers can lead to network disruptions or data interception. If confirmed malicious, attackers could gain control over network traffic, potentially leading to data breaches or further network compromise. -action.escu.how_to_implement = To successfully implement this search, you must ensure the network router devices are categorized as "router" in the Assets and identity table. You must also populate the Authentication data model with logs related to users authenticating to routing infrastructure. -action.escu.known_false_positives = Legitimate router connections may appear as new connections -action.escu.creation_date = 2024-05-14 -action.escu.modification_date = 2024-05-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect New Login Attempts to Routers - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Router and Infrastructure Security"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Detect New Login Attempts to Routers - Rule -action.correlationsearch.annotations = {"analytic_story": ["Router and Infrastructure Security"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "bce3ed7c-9b1f-42a0-abdf-d8b123a34836", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies new login attempts to routers. It leverages authentication logs from the ES Assets and Identity Framework, focusing on assets categorized as routers. The detection flags connections that have not been observed in the past 30 days. This activity is significant because unauthorized access to routers can lead to network disruptions or data interception. If confirmed malicious, attackers could gain control over network traffic, potentially leading to data breaches or further network compromise. -action.notable.param.rule_title = Detect New Login Attempts to Routers -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count earliest(_time) as earliest latest(_time) as latest from datamodel=Authentication where Authentication.dest_category=router by Authentication.dest Authentication.user| eval isOutlier=if(earliest >= relative_time(now(), "-30d@d"), 1, 0) | where isOutlier=1| `security_content_ctime(earliest)`| `security_content_ctime(latest)` | `drop_dm_object_name("Authentication")` | `detect_new_login_attempts_to_routers_filter` - -[ESCU - Detect Risky SPL using Pretrained ML Model - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic uses a pretrained machine learning text classifier to detect potentially risky commands. The model is trained independently and then the model file is packaged within ESCU for usage. A command is deemed risky based on the presence of certain trigger keywords, along with the context and the role of the user (please see references). The model uses custom features to predict whether a SPL is risky using text classification. The model takes as input the command text, user and search type and outputs a risk score between [0,1]. A high score indicates higher likelihood of a command being risky. This model is on-prem only. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]} -action.escu.data_models = ["Splunk_Audit"] -action.escu.eli5 = The following analytic uses a pretrained machine learning text classifier to detect potentially risky commands. The model is trained independently and then the model file is packaged within ESCU for usage. A command is deemed risky based on the presence of certain trigger keywords, along with the context and the role of the user (please see references). The model uses custom features to predict whether a SPL is risky using text classification. The model takes as input the command text, user and search type and outputs a risk score between [0,1]. A high score indicates higher likelihood of a command being risky. This model is on-prem only. -action.escu.how_to_implement = This detection depends on the MLTK app which can be found here - https://splunkbase.splunk.com/app/2890/ and the Splunk Audit datamodel which can be found here - https://splunkbase.splunk.com/app/1621/. Additionally, you need to be ingesting logs which include Search_Activity.search, Search_Activity.user, Search_Activity.search_type from your endpoints. The risk score threshold should be adjusted based on the environment. The detection uses a custom MLTK model hence we need a few more steps for deployment, as outlined here - https://gist.github.com/ksharad-splunk/be2a62227966049047f5e5c4f2adcabb. -action.escu.known_false_positives = False positives may be present if suspicious behavior is observed, as determined by frequent usage of risky keywords. -action.escu.creation_date = 2022-06-16 -action.escu.modification_date = 2022-06-16 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect Risky SPL using Pretrained ML Model - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Splunk Vulnerabilities"] -action.risk = 1 -action.risk.param._risk_message = A potentially risky Splunk command has been run by $user$, kindly review. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 20}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Detect Risky SPL using Pretrained ML Model - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 40, "cve": ["CVE-2022-32154"], "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "b4aefb5f-1037-410d-a149-1e091288ba33", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Splunk_Audit.Search_Activity where Search_Activity.search_type=adhoc Search_Activity.user!=splunk-system-user by Search_Activity.search Search_Activity.user Search_Activity.search_type | eval spl_text = 'Search_Activity.search'. " " .'Search_Activity.user'. " " .'Search_Activity.search_type'| dedup spl_text | apply risky_spl_pre_trained_model | where risk_score > 0.5 | `drop_dm_object_name(Search_Activity)` | table search, user, search_type, risk_score | `detect_risky_spl_using_pretrained_ml_model_filter` - -[ESCU - Email Attachments With Lots Of Spaces - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic detects email attachments with an unusually high number of spaces in their file names, which is a common tactic used by attackers to obfuscate file extensions. It leverages the Email data model to identify attachments where the ratio of spaces to the total file name length exceeds 10%. This behavior is significant as it may indicate an attempt to bypass security filters and deliver malicious payloads. If confirmed malicious, this activity could lead to the execution of harmful code or unauthorized access to sensitive information within the recipient's environment. -action.escu.mappings = {"cis20": ["CIS 13"], "nist": ["DE.AE"]} -action.escu.data_models = ["Email"] -action.escu.eli5 = The following analytic detects email attachments with an unusually high number of spaces in their file names, which is a common tactic used by attackers to obfuscate file extensions. It leverages the Email data model to identify attachments where the ratio of spaces to the total file name length exceeds 10%. This behavior is significant as it may indicate an attempt to bypass security filters and deliver malicious payloads. If confirmed malicious, this activity could lead to the execution of harmful code or unauthorized access to sensitive information within the recipient's environment. -action.escu.how_to_implement = You need to ingest data from emails. Specifically, the sender's address and the file names of any attachments must be mapped to the Email data model. The threshold ratio is set to 10%, but this value can be configured to suit each environment. \ -**Splunk Phantom Playbook Integration** \ -If Splunk Phantom is also configured in your environment, a playbook called "Suspicious Email Attachment Investigate and Delete" can be configured to run when any results are found by this detection search. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/` and add the correct hostname to the "Phantom Instance" field in the Adaptive Response Actions when configuring this detection search. The notable event will be sent to Phantom and the playbook will gather further information about the file attachment and its network behaviors. If Phantom finds malicious behavior and an analyst approves of the results, the email will be deleted from the user's inbox. -action.escu.known_false_positives = None at this time -action.escu.creation_date = 2024-05-16 -action.escu.modification_date = 2024-05-16 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Email Attachments With Lots Of Spaces - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Data Destruction", "Emotet Malware DHS Report TA18-201A", "Hermetic Wiper", "Suspicious Emails"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Email Attachments With Lots Of Spaces - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Emotet Malware DHS Report TA18-201A", "Hermetic Wiper", "Suspicious Emails"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "56e877a6-1455-4479-ada6-0550dc1e22f8", "detection_version": "3"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count values(All_Email.recipient) as recipient_address min(_time) as firstTime max(_time) as lastTime from datamodel=Email where All_Email.file_name="*" by All_Email.src_user, All_Email.file_name All_Email.message_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name("All_Email")` | eval space_ratio = (mvcount(split(file_name," "))-1)/len(file_name) | search space_ratio >= 0.1 | rex field=recipient_address "(?.*)@" | `email_attachments_with_lots_of_spaces_filter` - -[ESCU - Email files written outside of the Outlook directory - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic detects email files (.pst or .ost) being created outside the standard Outlook directories. It leverages the Endpoint.Filesystem data model to identify file creation events and filters for email files not located in "C:\Users\*\My Documents\Outlook Files\*" or "C:\Users\*\AppData\Local\Microsoft\Outlook*". This activity is significant as it may indicate data exfiltration or unauthorized access to email data. If confirmed malicious, an attacker could potentially access sensitive email content, leading to data breaches or further exploitation within the network. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114", "T1114.001"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects email files (.pst or .ost) being created outside the standard Outlook directories. It leverages the Endpoint.Filesystem data model to identify file creation events and filters for email files not located in "C:\Users\*\My Documents\Outlook Files\*" or "C:\Users\*\AppData\Local\Microsoft\Outlook*". This activity is significant as it may indicate data exfiltration or unauthorized access to email data. If confirmed malicious, an attacker could potentially access sensitive email content, leading to data breaches or further exploitation within the network. -action.escu.how_to_implement = To successfully implement this search, you must be ingesting data that records the file-system activity from your hosts to populate the Endpoint.Filesystem data model node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or by other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file-system reads and writes. -action.escu.known_false_positives = Administrators and users sometimes prefer backing up their email data by moving the email files into a different folder. These attempts will be detected by the search. -action.escu.creation_date = 2024-05-15 -action.escu.modification_date = 2024-05-15 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Email files written outside of the Outlook directory - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Collection and Staging"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Email files written outside of the Outlook directory - Rule -action.correlationsearch.annotations = {"analytic_story": ["Collection and Staging"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114", "T1114.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "8d52cf03-ba25-4101-aa78-07994aed4f74", "detection_version": "4"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects email files (.pst or .ost) being created outside the standard Outlook directories. It leverages the Endpoint.Filesystem data model to identify file creation events and filters for email files not located in "C:\Users\*\My Documents\Outlook Files\*" or "C:\Users\*\AppData\Local\Microsoft\Outlook*". This activity is significant as it may indicate data exfiltration or unauthorized access to email data. If confirmed malicious, an attacker could potentially access sensitive email content, leading to data breaches or further exploitation within the network. -action.notable.param.rule_title = Email files written outside of the Outlook directory -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count values(Filesystem.file_path) as file_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_name=*.pst OR Filesystem.file_name=*.ost) Filesystem.file_path != "C:\\Users\\*\\My Documents\\Outlook Files\\*" Filesystem.file_path!="C:\\Users\\*\\AppData\\Local\\Microsoft\\Outlook*" by Filesystem.action Filesystem.process_id Filesystem.file_name Filesystem.dest | `drop_dm_object_name("Filesystem")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `email_files_written_outside_of_the_outlook_directory_filter` - -[ESCU - Email servers sending high volume traffic to hosts - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies a significant increase in data transfers from your email server to client hosts. It leverages the Network_Traffic data model to monitor outbound traffic from email servers, using statistical analysis to detect anomalies based on average and standard deviation metrics. This activity is significant as it may indicate a malicious actor exfiltrating data via your email server. If confirmed malicious, this could lead to unauthorized data access and potential data breaches, compromising sensitive information and impacting organizational security. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114", "T1114.002"], "nist": ["DE.AE"]} -action.escu.data_models = ["Network_Traffic"] -action.escu.eli5 = The following analytic identifies a significant increase in data transfers from your email server to client hosts. It leverages the Network_Traffic data model to monitor outbound traffic from email servers, using statistical analysis to detect anomalies based on average and standard deviation metrics. This activity is significant as it may indicate a malicious actor exfiltrating data via your email server. If confirmed malicious, this could lead to unauthorized data access and potential data breaches, compromising sensitive information and impacting organizational security. -action.escu.how_to_implement = This search requires you to be ingesting your network traffic and populating the Network_Traffic data model. Your email servers must be categorized as "email_server" for the search to work, as well. You may need to adjust the deviation_threshold and minimum_data_samples values based on the network traffic in your environment. The "deviation_threshold" field is a multiplying factor to control how much variation you're willing to tolerate. The "minimum_data_samples" field is the minimum number of connections of data samples required for the statistic to be valid. -action.escu.known_false_positives = The false-positive rate will vary based on how you set the deviation_threshold and data_samples values. Our recommendation is to adjust these values based on your network traffic to and from your email servers. -action.escu.creation_date = 2024-05-18 -action.escu.modification_date = 2024-05-18 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Email servers sending high volume traffic to hosts - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Collection and Staging", "HAFNIUM Group"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Email servers sending high volume traffic to hosts - Rule -action.correlationsearch.annotations = {"analytic_story": ["Collection and Staging", "HAFNIUM Group"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114", "T1114.002"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "7f5fb3e1-4209-4914-90db-0ec21b556378", "detection_version": "3"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` sum(All_Traffic.bytes_out) as bytes_out from datamodel=Network_Traffic where All_Traffic.src_category=email_server by All_Traffic.dest_ip _time span=1d | `drop_dm_object_name("All_Traffic")` | eventstats avg(bytes_out) as avg_bytes_out stdev(bytes_out) as stdev_bytes_out | eventstats count as num_data_samples avg(eval(if(_time < relative_time(now(), "@d"), bytes_out, null))) as per_source_avg_bytes_out stdev(eval(if(_time < relative_time(now(), "@d"), bytes_out, null))) as per_source_stdev_bytes_out by dest_ip | eval minimum_data_samples = 4, deviation_threshold = 3 | where num_data_samples >= minimum_data_samples AND bytes_out > (avg_bytes_out + (deviation_threshold * stdev_bytes_out)) AND bytes_out > (per_source_avg_bytes_out + (deviation_threshold * per_source_stdev_bytes_out)) AND _time >= relative_time(now(), "@d") | eval num_standard_deviations_away_from_server_average = round(abs(bytes_out - avg_bytes_out) / stdev_bytes_out, 2), num_standard_deviations_away_from_client_average = round(abs(bytes_out - per_source_avg_bytes_out) / per_source_stdev_bytes_out, 2) | table dest_ip, _time, bytes_out, avg_bytes_out, per_source_avg_bytes_out, num_standard_deviations_away_from_server_average, num_standard_deviations_away_from_client_average | `email_servers_sending_high_volume_traffic_to_hosts_filter` - -[ESCU - Monitor Email For Brand Abuse - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies emails claiming to be sent from a domain similar to one you are monitoring for potential abuse. It leverages email header data, specifically the sender's address, and cross-references it with a lookup table of known domain permutations generated by the "ESCU - DNSTwist Domain Names" search. This activity is significant as it can indicate phishing attempts or brand impersonation, which are common tactics used in social engineering attacks. If confirmed malicious, this could lead to unauthorized access, data theft, or reputational damage. -action.escu.mappings = {"cis20": ["CIS 13"], "nist": ["DE.CM"]} -action.escu.data_models = ["Email"] -action.escu.eli5 = The following analytic identifies emails claiming to be sent from a domain similar to one you are monitoring for potential abuse. It leverages email header data, specifically the sender's address, and cross-references it with a lookup table of known domain permutations generated by the "ESCU - DNSTwist Domain Names" search. This activity is significant as it can indicate phishing attempts or brand impersonation, which are common tactics used in social engineering attacks. If confirmed malicious, this could lead to unauthorized access, data theft, or reputational damage. -action.escu.how_to_implement = You need to ingest email header data. Specifically the sender's address (src_user) must be populated. You also need to have run the search "ESCU - DNSTwist Domain Names", which creates the permutations of the domain that will be checked for. -action.escu.known_false_positives = None at this time -action.escu.creation_date = 2024-04-16 -action.escu.modification_date = 2024-04-16 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Monitor Email For Brand Abuse - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Brand Monitoring", "Suspicious Emails"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Monitor Email For Brand Abuse - Rule -action.correlationsearch.annotations = {"analytic_story": ["Brand Monitoring", "Suspicious Emails"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "b2ea1f38-3a3e-4b8a-9cf1-82760d86a6b8", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies emails claiming to be sent from a domain similar to one you are monitoring for potential abuse. It leverages email header data, specifically the sender's address, and cross-references it with a lookup table of known domain permutations generated by the "ESCU - DNSTwist Domain Names" search. This activity is significant as it can indicate phishing attempts or brand impersonation, which are common tactics used in social engineering attacks. If confirmed malicious, this could lead to unauthorized access, data theft, or reputational damage. -action.notable.param.rule_title = Monitor Email For Brand Abuse -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` values(All_Email.recipient) as recipients, min(_time) as firstTime, max(_time) as lastTime from datamodel=Email by All_Email.src_user, All_Email.message_id | `drop_dm_object_name("All_Email")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval temp=split(src_user, "@") | eval email_domain=mvindex(temp, 1) | lookup update=true brandMonitoring_lookup domain as email_domain OUTPUT domain_abuse | search domain_abuse=true | table message_id, src_user, email_domain, recipients, firstTime, lastTime | `monitor_email_for_brand_abuse_filter` - -[ESCU - No Windows Updates in a time frame - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search looks for Windows endpoints that have not generated an event indicating a successful Windows update in the last 60 days. Windows updates are typically released monthly and applied shortly thereafter. An endpoint that has not successfully applied an update in this time frame indicates the endpoint is not regularly being patched for some reason. -action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -action.escu.data_models = ["Updates"] -action.escu.eli5 = This search looks for Windows endpoints that have not generated an event indicating a successful Windows update in the last 60 days. Windows updates are typically released monthly and applied shortly thereafter. An endpoint that has not successfully applied an update in this time frame indicates the endpoint is not regularly being patched for some reason. -action.escu.how_to_implement = To successfully implement this search, it requires that the 'Update' data model is being populated. This can be accomplished by ingesting Windows events or the Windows Update log via a universal forwarder on the Windows endpoints you wish to monitor. The Windows add-on should be also be installed and configured to properly parse Windows events in Splunk. There may be other data sources which can populate this data model, including vulnerability management systems. -action.escu.known_false_positives = None identified -action.escu.creation_date = 2017-09-15 -action.escu.modification_date = 2017-09-15 -action.escu.confidence = high -action.escu.full_search_name = ESCU - No Windows Updates in a time frame - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Monitor for Updates"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - No Windows Updates in a time frame - Rule -action.correlationsearch.annotations = {"analytic_story": ["Monitor for Updates"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "1a77c08c-2f56-409c-a2d3-7d64617edd4f", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` max(_time) as lastTime from datamodel=Updates where Updates.status=Installed Updates.vendor_product="Microsoft Windows" by Updates.dest Updates.status Updates.vendor_product | rename Updates.dest as Host | rename Updates.status as "Update Status" | rename Updates.vendor_product as Product | eval isOutlier=if(lastTime <= relative_time(now(), "-60d@d"), 1, 0) | `security_content_ctime(lastTime)` | search isOutlier=1 | rename lastTime as "Last Update Time", | table Host, "Update Status", Product, "Last Update Time" | `no_windows_updates_in_a_time_frame_filter` - -[ESCU - Okta Authentication Failed During MFA Challenge - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004", "T1621"], "nist": ["DE.CM"]} -action.escu.data_models = ["Authentication"] -action.escu.eli5 = The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled. -action.escu.how_to_implement = The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). -action.escu.known_false_positives = A user may have accidentally entered the wrong credentials during the MFA challenge. If the user is new to MFA, they may have trouble authenticating. Ensure that the user is aware of the MFA process and has the correct credentials. -action.escu.creation_date = 2024-03-11 -action.escu.modification_date = 2024-03-11 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Okta Authentication Failed During MFA Challenge - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Okta"] -action.escu.analytic_story = ["Okta Account Takeover"] -action.risk = 1 -action.risk.param._risk_message = A user [$user$] has failed to authenticate via MFA from IP Address - [$src$]" -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 48}, {"threat_object_field": "src", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Okta Authentication Failed During MFA Challenge - Rule -action.correlationsearch.annotations = {"analytic_story": ["Okta Account Takeover"], "cis20": ["CIS 10"], "confidence": 60, "impact": 80, "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004", "T1621"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e2b99e7d-d956-411a-a120-2b14adfdde93", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled. -action.notable.param.rule_title = Okta Authentication Failed During MFA Challenge -action.notable.param.security_domain = identity -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Authentication.app) as app values(Authentication.reason) as reason values(Authentication.signature) as signature values(Authentication.method) as method from datamodel=Authentication where Authentication.signature=user.authentication.auth_via_mfa Authentication.action = failure by _time Authentication.src Authentication.user Authentication.dest Authentication.action | `drop_dm_object_name("Authentication")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| iplocation src | `okta_authentication_failed_during_mfa_challenge_filter` - -[ESCU - Okta IDP Lifecycle Modifications - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This detection identifies modifications to Okta Identity Provider (IDP) lifecycle events, such as creation, activation, deactivation, and deletion of IDP configurations. Monitoring these events is crucial for maintaining the integrity and security of authentication mechanisms within an organization. By detecting unauthorized or anomalous changes, organizations can quickly respond to potential security breaches or misconfigurations, ensuring that their identity management systems remain secure and operational. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.004"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This detection identifies modifications to Okta Identity Provider (IDP) lifecycle events, such as creation, activation, deactivation, and deletion of IDP configurations. Monitoring these events is crucial for maintaining the integrity and security of authentication mechanisms within an organization. By detecting unauthorized or anomalous changes, organizations can quickly respond to potential security breaches or misconfigurations, ensuring that their identity management systems remain secure and operational. -action.escu.how_to_implement = The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). -action.escu.known_false_positives = It's possible for legitimate administrative actions or automated processes to trigger this detection, especially if there are bulk modifications to Okta IDP lifecycle events. Review the context of the modification, such as the user making the change and the specific lifecycle event modified, to determine if it aligns with expected behavior. -action.escu.creation_date = 2024-03-14 -action.escu.modification_date = 2024-03-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Okta IDP Lifecycle Modifications - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Okta"] -action.escu.analytic_story = ["Suspicious Okta Activity"] -action.risk = 1 -action.risk.param._risk_message = A user [$user$] is attempting IDP lifecycle modification - [$description$] from IP Address - [$src$]" -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 81}, {"threat_object_field": "src", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Okta IDP Lifecycle Modifications - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious Okta Activity"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.004"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e0be2c83-5526-4219-a14f-c3db2e763d15", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `okta` eventType IN ("system.idp.lifecycle.activate","system.idp.lifecycle.create","system.idp.lifecycle.delete","system.idp.lifecycle.deactivate") | stats count min(_time) as firstTime max(_time) as lastTime values(target{}.id) as target_id values(target{}.type) as target_modified by src dest src_user_id user user_agent command description | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_idp_lifecycle_modifications_filter` - -[ESCU - Okta MFA Exhaustion Hunt - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies patterns within Okta data to determine the amount of successful and failed pushes. Based on that, eval statements determine a finding of whether this is suspicious or not. The events are within a window of time and may be tuned as needed. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110"], "nist": ["DE.AE"]} -action.escu.data_models = ["Authentication"] -action.escu.eli5 = The following analytic identifies patterns within Okta data to determine the amount of successful and failed pushes. Based on that, eval statements determine a finding of whether this is suspicious or not. The events are within a window of time and may be tuned as needed. -action.escu.how_to_implement = The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). -action.escu.known_false_positives = False positives may be present. Tune Okta and tune the analytic to ensure proper fidelity. Modify risk score as needed. Drop to anomaly until tuning is complete. -action.escu.creation_date = 2022-09-27 -action.escu.modification_date = 2022-09-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Okta MFA Exhaustion Hunt - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Okta"] -action.escu.analytic_story = ["Okta Account Takeover", "Okta MFA Exhaustion"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Okta MFA Exhaustion Hunt - Rule -action.correlationsearch.annotations = {"analytic_story": ["Okta Account Takeover", "Okta MFA Exhaustion"], "cis20": ["CIS 10"], "confidence": 60, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "97e2fe57-3740-402c-988a-76b64ce04b8d", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `okta` eventType=system.push.send_factor_verify_push OR ((legacyEventType=core.user.factor.attempt_success) AND (debugContext.debugData.factor=OKTA_VERIFY_PUSH)) OR ((legacyEventType=core.user.factor.attempt_fail) AND (debugContext.debugData.factor=OKTA_VERIFY_PUSH)) | stats count(eval(legacyEventType="core.user.factor.attempt_success")) as successes count(eval(legacyEventType="core.user.factor.attempt_fail")) as failures count(eval(eventType="system.push.send_factor_verify_push")) as pushes by user,_time | stats latest(_time) as lasttime earliest(_time) as firsttime sum(successes) as successes sum(failures) as failures sum(pushes) as pushes by user | eval seconds=lasttime-firsttime | eval lasttime=strftime(lasttime, "%c") | search (pushes>1) | eval totalattempts=successes+failures | eval finding="Normal authentication pattern" | eval finding=if(failures==pushes AND pushes>1,"Authentication attempts not successful because multiple pushes denied",finding) | eval finding=if(totalattempts==0,"Multiple pushes sent and ignored",finding) | eval finding=if(successes>0 AND pushes>3,"Probably should investigate. Multiple pushes sent, eventual successful authentication!",finding) | `okta_mfa_exhaustion_hunt_filter` - -[ESCU - Okta Mismatch Between Source and Response for Verify Push Request - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies variations in client-based values for source and response events to identify suspicious request behavior. The detection is enhanced if the org is evaluating behavior conditions in sign-on policies using Okta Behavior Detection. NOTE: This detection requires the use of Okta Identity Engine (OIE) and will not function on Okta Classic. \ -For each Okta Verify Push challenge, the following two events are recorded in Okta System Log \ -Source of Push (Sign-In) \ -eventType eq \"system.push.send_factor_verify_push\" \ -User Push Response (Okta Verify client) \ -eventType eq "user.authentication.auth_via_mfa" AND debugContext.debugData.factor eq "OKTA_VERIFY_PUSH" \ -In sequence, the logic for the analytic - \ -* Groups by SessionID and retrieves any system.push.send_factor_verify_push events (the source of the push) and user.authentication.auth_via_mfa events where the factor is OKTA_VERIFY_PUSH - (the user response to the push) \ -* Counts the total number of push events, successful authentication events, and any push sources where the client is a new device. * Creates a ratio of successful sign-ins to pushes. \ -* If the ratio (currently tuned aggressively) indicates push spam, or if a user has rejected a push, the detection proceeds to evaluate whether there is more than one IP address used during the session (session roaming) and the presence of both a new IP and new device during the session. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1621"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies variations in client-based values for source and response events to identify suspicious request behavior. The detection is enhanced if the org is evaluating behavior conditions in sign-on policies using Okta Behavior Detection. NOTE: This detection requires the use of Okta Identity Engine (OIE) and will not function on Okta Classic. \ -For each Okta Verify Push challenge, the following two events are recorded in Okta System Log \ -Source of Push (Sign-In) \ -eventType eq \"system.push.send_factor_verify_push\" \ -User Push Response (Okta Verify client) \ -eventType eq "user.authentication.auth_via_mfa" AND debugContext.debugData.factor eq "OKTA_VERIFY_PUSH" \ -In sequence, the logic for the analytic - \ -* Groups by SessionID and retrieves any system.push.send_factor_verify_push events (the source of the push) and user.authentication.auth_via_mfa events where the factor is OKTA_VERIFY_PUSH - (the user response to the push) \ -* Counts the total number of push events, successful authentication events, and any push sources where the client is a new device. * Creates a ratio of successful sign-ins to pushes. \ -* If the ratio (currently tuned aggressively) indicates push spam, or if a user has rejected a push, the detection proceeds to evaluate whether there is more than one IP address used during the session (session roaming) and the presence of both a new IP and new device during the session. -action.escu.how_to_implement = The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). -action.escu.known_false_positives = False positives may be present based on organization size and configuration of Okta. Monitor, tune and filter as needed. -action.escu.creation_date = 2023-03-17 -action.escu.modification_date = 2023-03-17 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Okta Mismatch Between Source and Response for Verify Push Request - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Okta"] -action.escu.analytic_story = ["Okta Account Takeover", "Okta MFA Exhaustion"] -action.risk = 1 -action.risk.param._risk_message = A mismatch between source and response for verifying a push request has occurred for $actor.alternateId$ -action.risk.param._risk = [{"risk_object_field": "actor.alternateId", "risk_object_type": "user", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Okta Mismatch Between Source and Response for Verify Push Request - Rule -action.correlationsearch.annotations = {"analytic_story": ["Okta Account Takeover", "Okta MFA Exhaustion"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1621"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "8085b79b-9b85-4e67-ad63-351c9e9a5e9a", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies variations in client-based values for source and response events to identify suspicious request behavior. The detection is enhanced if the org is evaluating behavior conditions in sign-on policies using Okta Behavior Detection. NOTE: This detection requires the use of Okta Identity Engine (OIE) and will not function on Okta Classic. \ -For each Okta Verify Push challenge, the following two events are recorded in Okta System Log \ -Source of Push (Sign-In) \ -eventType eq \"system.push.send_factor_verify_push\" \ -User Push Response (Okta Verify client) \ -eventType eq "user.authentication.auth_via_mfa" AND debugContext.debugData.factor eq "OKTA_VERIFY_PUSH" \ -In sequence, the logic for the analytic - \ -* Groups by SessionID and retrieves any system.push.send_factor_verify_push events (the source of the push) and user.authentication.auth_via_mfa events where the factor is OKTA_VERIFY_PUSH - (the user response to the push) \ -* Counts the total number of push events, successful authentication events, and any push sources where the client is a new device. * Creates a ratio of successful sign-ins to pushes. \ -* If the ratio (currently tuned aggressively) indicates push spam, or if a user has rejected a push, the detection proceeds to evaluate whether there is more than one IP address used during the session (session roaming) and the presence of both a new IP and new device during the session. -action.notable.param.rule_title = Okta Mismatch Between Source and Response for Verify Push Request -action.notable.param.security_domain = access -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `okta` eventType IN (system.push.send_factor_verify_push) OR (eventType IN (user.authentication.auth_via_mfa) debugContext.debugData.factor="OKTA_VERIFY_PUSH") | eval groupby="authenticationContext.externalSessionId" | eval group_push_time=_time | bin span=2s group_push_time | fillnull value=NULL | stats min(_time) as _time by authenticationContext.externalSessionId eventType debugContext.debugData.factor outcome.result actor.alternateId client.device client.ipAddress client.userAgent.rawUserAgent debugContext.debugData.behaviors group_push_time groupby | iplocation client.ipAddress | fields - lat, lon, group_push_time | stats min(_time) as _time dc(client.ipAddress) as dc_ip sum(eval(if(eventType="system.push.send_factor_verify_push" AND "outcome.result"="SUCCESS",1,0))) as total_pushes sum(eval(if(eventType="user.authentication.auth_via_mfa" AND "outcome.result"="SUCCESS",1,0))) as total_successes sum(eval(if(eventType="user.authentication.auth_via_mfa" AND "outcome.result"="FAILURE",1,0))) as total_rejected sum(eval(if(eventType="system.push.send_factor_verify_push" AND "debugContext.debugData.behaviors" LIKE "%New Device=POSITIVE%",1,0))) as suspect_device_from_source sum(eval(if(eventType="system.push.send_factor_verify_push" AND "debugContext.debugData.behaviors" LIKE "%New IP=POSITIVE%",0,0))) as suspect_ip_from_source values(eval(if(eventType="system.push.send_factor_verify_push","client.ipAddress",""))) as src values(eval(if(eventType="user.authentication.auth_via_mfa","client.ipAddress",""))) as dest values(*) as * by groupby | eval ratio = round(total_successes/total_pushes,2) | search ((ratio < 0.5 AND total_pushes > 1) OR (total_rejected > 0)) AND dc_ip > 1 AND suspect_device_from_source > 0 AND suspect_ip_from_source > 0 | `okta_mismatch_between_source_and_response_for_verify_push_request_filter` - -[ESCU - Okta Multi-Factor Authentication Disabled - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies an attempt to disable multi-factor authentication for an Okta user. An adversary who has obtained access to an Okta tenant may disable multi-factor authentication as a way to plant a backdoor and maintain persistence using a valid account. This way the attackers can keep persistance in the environment without adding new users. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1556", "T1556.006"], "nist": ["DE.CM"]} -action.escu.data_models = ["Change"] -action.escu.eli5 = The following analytic identifies an attempt to disable multi-factor authentication for an Okta user. An adversary who has obtained access to an Okta tenant may disable multi-factor authentication as a way to plant a backdoor and maintain persistence using a valid account. This way the attackers can keep persistance in the environment without adding new users. -action.escu.how_to_implement = The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). -action.escu.known_false_positives = Legitimate use case may require for users to disable MFA. Filter lightly and monitor for any unusual activity. -action.escu.creation_date = 2024-03-11 -action.escu.modification_date = 2024-03-11 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Okta Multi-Factor Authentication Disabled - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Okta"] -action.escu.analytic_story = ["Okta Account Takeover"] -action.risk = 1 -action.risk.param._risk_message = MFA was disabled for User [$user$] initiated by [$src$]. Investigate further to determine if this was authorized. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 30}, {"threat_object_field": "src", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Okta Multi-Factor Authentication Disabled - Rule -action.correlationsearch.annotations = {"analytic_story": ["Okta Account Takeover"], "cis20": ["CIS 10"], "confidence": 60, "impact": 50, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1556", "T1556.006"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "7c0348ce-bdf9-45f6-8a57-c18b5976f00a", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies an attempt to disable multi-factor authentication for an Okta user. An adversary who has obtained access to an Okta tenant may disable multi-factor authentication as a way to plant a backdoor and maintain persistence using a valid account. This way the attackers can keep persistance in the environment without adding new users. -action.notable.param.rule_title = Okta Multi-Factor Authentication Disabled -action.notable.param.security_domain = identity -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime from datamodel=Change where sourcetype="OktaIM2:log" All_Changes.object_category=User AND All_Changes.action=modified All_Changes.command=user.mfa.factor.deactivate by All_Changes.user All_Changes.result All_Changes.command sourcetype All_Changes.src | `drop_dm_object_name("All_Changes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_multi_factor_authentication_disabled_filter` - -[ESCU - Okta Multiple Accounts Locked Out - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic utilizes the user.acount.lock event to identify multiple Okta accounts locking out in a short period of time. An adversary attempting to brute force or password spray account names may lock accounts out depending on the threshold set by the organization. Monitoring for multiple account lockouts can help detect potential account takeover attempts or unauthorized access to Okta accounts. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110"], "nist": ["DE.AE"]} -action.escu.data_models = ["Change"] -action.escu.eli5 = The following analytic utilizes the user.acount.lock event to identify multiple Okta accounts locking out in a short period of time. An adversary attempting to brute force or password spray account names may lock accounts out depending on the threshold set by the organization. Monitoring for multiple account lockouts can help detect potential account takeover attempts or unauthorized access to Okta accounts. -action.escu.how_to_implement = The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). -action.escu.known_false_positives = Multiple account lockouts may be also triggered by an application malfunction. Filter as needed, and monitor for any unusual activity. -action.escu.creation_date = 2024-03-06 -action.escu.modification_date = 2024-03-06 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Okta Multiple Accounts Locked Out - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Okta"] -action.escu.analytic_story = ["Okta Account Takeover"] -action.risk = 1 -action.risk.param._risk_message = Multiple accounts locked out in Okta from [$src$]. Investigate further to determine if this was authorized. -action.risk.param._risk = [{"threat_object_field": "src", "threat_object_type": "ip_address"}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Okta Multiple Accounts Locked Out - Rule -action.correlationsearch.annotations = {"analytic_story": ["Okta Account Takeover"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a511426e-184f-4de6-8711-cfd2af29d1e1", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime values(All_Changes.user) as user from datamodel=Change where All_Changes.change_type=AAA All_Changes.object_category=User AND All_Changes.action=lockout AND All_Changes.command=user.account.lock by _time span=5m All_Changes.result All_Changes.command sourcetype All_Changes.src | where count > 5 | `drop_dm_object_name("All_Changes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_multiple_accounts_locked_out_filter` - -[ESCU - Okta Multiple Failed MFA Requests For User - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies multiple failed multi-factor authentication requests for a single user within an Okta tenant. Specifically, the analytic triggers when more than 10 MFA user prompts fail within 10 minutes. The reasons for these failure could be several, like the user not responding in time or receiving multiple duplicate MFA requests. Okta tenants can be very different depending on the organization, Security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls as reported by Mandiant and others. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1621"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies multiple failed multi-factor authentication requests for a single user within an Okta tenant. Specifically, the analytic triggers when more than 10 MFA user prompts fail within 10 minutes. The reasons for these failure could be several, like the user not responding in time or receiving multiple duplicate MFA requests. Okta tenants can be very different depending on the organization, Security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls as reported by Mandiant and others. -action.escu.how_to_implement = The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). -action.escu.known_false_positives = Multiple Failed MFA requests may also be a sign of authentication or application issues. Filter as needed and monitor for any unusual activity. -action.escu.creation_date = 2024-03-05 -action.escu.modification_date = 2024-03-05 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Okta Multiple Failed MFA Requests For User - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Okta"] -action.escu.analytic_story = ["Okta Account Takeover"] -action.risk = 1 -action.risk.param._risk_message = Multiple failed MFA requests for user [$src_user$] from IP Address - [$src_ip$]. Investigate further to determine if this was authorized. -action.risk.param._risk = [{"threat_object_field": "src_ip", "threat_object_type": "ip_address"}, {"risk_object_field": "src_user", "risk_object_type": "user", "risk_score": 42}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Okta Multiple Failed MFA Requests For User - Rule -action.correlationsearch.annotations = {"analytic_story": ["Okta Account Takeover"], "cis20": ["CIS 10"], "confidence": 70, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1621"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "826dbaae-a1e6-4c8c-b384-d16898956e73", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `okta` eventType=user.authentication.auth_via_mfa outcome.result=FAILURE debugContext.debugData.factor!=PASSWORD_AS_FACTOR | bucket _time span=5m | stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) values(src_ip) as src_ip values(debugContext.debugData.factor) by _time src_user | where count >= 5 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_multiple_failed_mfa_requests_for_user_filter` - -[ESCU - Okta Multiple Failed Requests to Access Applications - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies multiple failed app requests in an attempt to identify the reuse a stolen web session cookie. The logic of the analytic is as follows: * Retrieves policy evaluation and SSO details in events that contain the Application requested \ -* Formats target fields so we can aggregate specifically on Applications (AppInstances) \ -* Groups by User, Session and IP \ -* Creates a ratio of successful SSO events to total MFA challenges related to Application Sign On Policies \ -* Alerts when more than half of app sign on events are unsuccessful, and challenges were unsatisfied for more than three apps. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1550.004", "T1538"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies multiple failed app requests in an attempt to identify the reuse a stolen web session cookie. The logic of the analytic is as follows: * Retrieves policy evaluation and SSO details in events that contain the Application requested \ -* Formats target fields so we can aggregate specifically on Applications (AppInstances) \ -* Groups by User, Session and IP \ -* Creates a ratio of successful SSO events to total MFA challenges related to Application Sign On Policies \ -* Alerts when more than half of app sign on events are unsuccessful, and challenges were unsatisfied for more than three apps. -action.escu.how_to_implement = This analytic is specific to Okta and requires Okta:im2 logs to be ingested. -action.escu.known_false_positives = False positives may be present based on organization size and configuration of Okta. -action.escu.creation_date = 2023-03-17 -action.escu.modification_date = 2023-03-17 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Okta Multiple Failed Requests to Access Applications - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Okta"] -action.escu.analytic_story = ["Okta Account Takeover"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Okta Multiple Failed Requests to Access Applications - Rule -action.correlationsearch.annotations = {"analytic_story": ["Okta Account Takeover"], "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1550.004", "T1538"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "1c21fed1-7000-4a2e-9105-5aaafa437247", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `okta` target{}.type=AppInstance (eventType=policy.evaluate_sign_on outcome.result=CHALLENGE) OR (eventType=user.authentication.sso outcome.result=SUCCESS) | eval targets=mvzip('target{}.type', 'target{}.displayName', ": ") | eval targets=mvfilter(targets LIKE "AppInstance%") | stats count min(_time) as _time values(outcome.result) as outcome.result dc(eval(if(eventType="policy.evaluate_sign_on",targets,NULL))) as total_challenges sum(eval(if(eventType="user.authentication.sso",1,0))) as total_successes by authenticationContext.externalSessionId targets actor.alternateId client.ipAddress | search total_challenges > 0 | stats min(_time) as _time values(*) as * sum(total_challenges) as total_challenges sum(total_successes) as total_successes values(eval(if("outcome.result"="SUCCESS",targets,NULL))) as success_apps values(eval(if(":outcome.result"!="SUCCESS",targets,NULL))) as no_success_apps by authenticationContext.externalSessionId actor.alternateId client.ipAddress | fillnull | eval ratio=round(total_successes/total_challenges,2), severity="HIGH", mitre_technique_id="T1538", description="actor.alternateId". " from " . "client.ipAddress" . " seen opening " . total_challenges . " chiclets/apps with " . total_successes . " challenges successfully passed" | fields - count, targets | search ratio < 0.5 total_challenges > 2 | `okta_multiple_failed_requests_to_access_applications_filter` - -[ESCU - Okta Multiple Users Failing To Authenticate From Ip - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic identifies instances where multiple users (more than 10 unique accounts) have failed to authenticate from a single IP address within a short time span (5 minutes) within an Okta tenant. Such a pattern can be indicative of malicious activities, such as brute-force attacks or password spraying attempts. Identifying and responding to such patterns promptly is crucial to prevent potential account compromises and unauthorized access to organizational resources. If the detection is a true positive, it suggests that an external entity is actively trying to breach security by targeting multiple user accounts. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003"], "nist": ["DE.AE"]} -action.escu.data_models = ["Authentication"] -action.escu.eli5 = This analytic identifies instances where multiple users (more than 10 unique accounts) have failed to authenticate from a single IP address within a short time span (5 minutes) within an Okta tenant. Such a pattern can be indicative of malicious activities, such as brute-force attacks or password spraying attempts. Identifying and responding to such patterns promptly is crucial to prevent potential account compromises and unauthorized access to organizational resources. If the detection is a true positive, it suggests that an external entity is actively trying to breach security by targeting multiple user accounts. -action.escu.how_to_implement = The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). -action.escu.known_false_positives = A source Ip failing to authenticate with multiple users in a short period of time is not common legitimate behavior. -action.escu.creation_date = 2024-03-06 -action.escu.modification_date = 2024-03-06 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Okta Multiple Users Failing To Authenticate From Ip - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Okta"] -action.escu.analytic_story = ["Okta Account Takeover"] -action.risk = 1 -action.risk.param._risk_message = Multiple users failing to authenticate from a single source IP Address - [$src$]. Investigate further to determine if this was authorized. -action.risk.param._risk = [{"threat_object_field": "src", "threat_object_type": "ip_address"}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 54}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Okta Multiple Users Failing To Authenticate From Ip - Rule -action.correlationsearch.annotations = {"analytic_story": ["Okta Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "de365ffa-42f5-46b5-b43f-fa72290b8218", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime dc(Authentication.user) as unique_accounts values(Authentication.signature) as signature values(Authentication.user) as user values(Authentication.app) as app values(Authentication.authentication_method) as authentication_method from datamodel=Authentication where Authentication.action="failure" AND Authentication.signature=user.session.start by _time span=5m Authentication.src sourcetype | where unique_accounts > 9 | `drop_dm_object_name("Authentication")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_multiple_users_failing_to_authenticate_from_ip_filter` - -[ESCU - Okta New API Token Created - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies when a new API token is created within an Okta tenant. An adversary may create a new API token to maintain persistence within the environment. Monitoring for new API tokens can help detect potential account takeover attempts or unauthorized access to Okta accounts. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.CM"]} -action.escu.data_models = ["Change"] -action.escu.eli5 = The following analytic identifies when a new API token is created within an Okta tenant. An adversary may create a new API token to maintain persistence within the environment. Monitoring for new API tokens can help detect potential account takeover attempts or unauthorized access to Okta accounts. -action.escu.how_to_implement = The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). -action.escu.known_false_positives = False positives may be present. Tune Okta and tune the analytic to ensure proper fidelity. Modify risk score as needed. -action.escu.creation_date = 2022-09-21 -action.escu.modification_date = 2022-09-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Okta New API Token Created - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Okta"] -action.escu.analytic_story = ["Okta Account Takeover"] -action.risk = 1 -action.risk.param._risk_message = A new API token was created in Okta by [$user$]. Investigate further to determine if this was authorized. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Okta New API Token Created - Rule -action.correlationsearch.annotations = {"analytic_story": ["Okta Account Takeover"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c3d22720-35d3-4da4-bd0a-740d37192bd4", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies when a new API token is created within an Okta tenant. An adversary may create a new API token to maintain persistence within the environment. Monitoring for new API tokens can help detect potential account takeover attempts or unauthorized access to Okta accounts. -action.notable.param.rule_title = Okta New API Token Created -action.notable.param.security_domain = access -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime from datamodel=Change where All_Changes.action=created AND All_Changes.command=system.api_token.create by _time span=5m All_Changes.user All_Changes.result All_Changes.command sourcetype All_Changes.src All_Changes.action All_Changes.object_category | `drop_dm_object_name("All_Changes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_new_api_token_created_filter` - -[ESCU - Okta New Device Enrolled on Account - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies when a new device is enrolled on an Okta account. This behavior is indicative of a user adding a new device to their account. This activity is common when a user is setting up a new device or when a user has lost access to their previous device. However, this activity can also be indicative of an adversary adding a new device to an account to maintain access to an account. Monitoring for this activity can help detect potential account takeover attempts or unauthorized access to Okta accounts. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098", "T1098.005"], "nist": ["DE.CM"]} -action.escu.data_models = ["Change"] -action.escu.eli5 = The following analytic identifies when a new device is enrolled on an Okta account. This behavior is indicative of a user adding a new device to their account. This activity is common when a user is setting up a new device or when a user has lost access to their previous device. However, this activity can also be indicative of an adversary adding a new device to an account to maintain access to an account. Monitoring for this activity can help detect potential account takeover attempts or unauthorized access to Okta accounts. -action.escu.how_to_implement = The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). -action.escu.known_false_positives = It is possible that the user has legitimately added a new device to their account. Please verify this activity. -action.escu.creation_date = 2024-03-08 -action.escu.modification_date = 2024-03-08 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Okta New Device Enrolled on Account - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Okta"] -action.escu.analytic_story = ["Okta Account Takeover"] -action.risk = 1 -action.risk.param._risk_message = A new device was enrolled on an Okta account for user [$user$]. Investigate further to determine if this was authorized. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 24}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Okta New Device Enrolled on Account - Rule -action.correlationsearch.annotations = {"analytic_story": ["Okta Account Takeover"], "cis20": ["CIS 10"], "confidence": 60, "impact": 40, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098", "T1098.005"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "bb27cbce-d4de-432c-932f-2e206e9130fb", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies when a new device is enrolled on an Okta account. This behavior is indicative of a user adding a new device to their account. This activity is common when a user is setting up a new device or when a user has lost access to their previous device. However, this activity can also be indicative of an adversary adding a new device to an account to maintain access to an account. Monitoring for this activity can help detect potential account takeover attempts or unauthorized access to Okta accounts. -action.notable.param.rule_title = Okta New Device Enrolled on Account -action.notable.param.security_domain = identity -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime from datamodel=Change where All_Changes.action=created All_Changes.command=device.enrollment.create by _time span=5m All_Changes.user All_Changes.result All_Changes.command sourcetype All_Changes.src All_Changes.action All_Changes.object_category | `drop_dm_object_name("All_Changes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_new_device_enrolled_on_account_filter` - -[ESCU - Okta Phishing Detection with FastPass Origin Check - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies when Okta''s FastPass prevents known phishing sites. When your users are enrolled in FastPass, Okta can provide defenders a high-fidelity signal for when user applications are being targeted by attackers wielding real-time (AiTM) proxies. Okta''s Defensive Cyber Operations team routinely identifies phishing infrastructure configured to imitate an Okta sign-in page and proactively notify Okta customers when suspicious infrastructure we detect appears to be targeting their users. Since March 2020, we have delivered over 1000 notifications to customers. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078", "T1078.001", "T1556"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies when Okta''s FastPass prevents known phishing sites. When your users are enrolled in FastPass, Okta can provide defenders a high-fidelity signal for when user applications are being targeted by attackers wielding real-time (AiTM) proxies. Okta''s Defensive Cyber Operations team routinely identifies phishing infrastructure configured to imitate an Okta sign-in page and proactively notify Okta customers when suspicious infrastructure we detect appears to be targeting their users. Since March 2020, we have delivered over 1000 notifications to customers. -action.escu.how_to_implement = This search is specific to Okta and requires Okta logs to be ingested in your Splunk deployment. -action.escu.known_false_positives = Fidelity of this is high as Okta is specifying malicious infrastructure. Filter and modify as needed. -action.escu.creation_date = 2023-03-09 -action.escu.modification_date = 2023-03-09 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Okta Phishing Detection with FastPass Origin Check - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Okta"] -action.escu.analytic_story = ["Okta Account Takeover"] -action.risk = 1 -action.risk.param._risk_message = Okta FastPass has prevented $user$ from authenticating to a malicious site. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 100}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Okta Phishing Detection with FastPass Origin Check - Rule -action.correlationsearch.annotations = {"analytic_story": ["Okta Account Takeover"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078", "T1078.001", "T1556"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "f4ca0057-cbf3-44f8-82ea-4e330ee901d3", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies when Okta''s FastPass prevents known phishing sites. When your users are enrolled in FastPass, Okta can provide defenders a high-fidelity signal for when user applications are being targeted by attackers wielding real-time (AiTM) proxies. Okta''s Defensive Cyber Operations team routinely identifies phishing infrastructure configured to imitate an Okta sign-in page and proactively notify Okta customers when suspicious infrastructure we detect appears to be targeting their users. Since March 2020, we have delivered over 1000 notifications to customers. -action.notable.param.rule_title = Okta Phishing Detection with FastPass Origin Check -action.notable.param.security_domain = access -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `okta` eventType="user.authentication.auth_via_mfa" AND result="FAILURE" AND outcome.reason="FastPass declined phishing attempt" | stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) by user eventType client.userAgent.rawUserAgent client.userAgent.browser outcome.reason | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_phishing_detection_with_fastpass_origin_check_filter` - -[ESCU - Okta Risk Threshold Exceeded - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This correlation computes the risk events associated with the detection analytics from "Suspicious Okta Activity", "Okta Account Takeover", and "Okta MFA Exhaustion" analytic stories. This analytic will trigger a notable event in your incident review when there are 5 or more distinct TTPs related to these analytic stories in the last 24 hours. This incident highlights potentially suspicious activity by a compromised user. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078", "T1110"], "nist": ["DE.AE"]} -action.escu.data_models = ["Risk"] -action.escu.eli5 = This correlation computes the risk events associated with the detection analytics from "Suspicious Okta Activity", "Okta Account Takeover", and "Okta MFA Exhaustion" analytic stories. This analytic will trigger a notable event in your incident review when there are 5 or more distinct TTPs related to these analytic stories in the last 24 hours. This incident highlights potentially suspicious activity by a compromised user. -action.escu.how_to_implement = This search leverages the Risk Framework from Enterprise Security. Ensure that "Suspicious Okta Activity", "Okta Account Takeover", and "Okta MFA Exhaustion" analytic stories are enabled. TTPs may be set to Notables for point detections; anomalies should not be notables but rather risk generators. The correlation relies on risk before generating a notable. Modify the value as needed. -action.escu.known_false_positives = False positives will be limited to the number of events generated by the analytics tied to the stories. Analytics will need to be tested and tuned, and the risk score reduced as needed based on the organization. -action.escu.creation_date = 2024-04-02 -action.escu.modification_date = 2024-04-02 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Okta Risk Threshold Exceeded - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Okta"] -action.escu.analytic_story = ["Okta Account Takeover", "Okta MFA Exhaustion", "Suspicious Okta Activity"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - RIR - Okta Risk Threshold Exceeded - Rule -action.correlationsearch.annotations = {"analytic_story": ["Okta Account Takeover", "Okta MFA Exhaustion", "Suspicious Okta Activity"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078", "T1110"], "nist": ["DE.AE"], "type": "Correlation"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "d8b967dd-657f-4d88-93b5-c588bcd7218c", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This correlation computes the risk events associated with the detection analytics from "Suspicious Okta Activity", "Okta Account Takeover", and "Okta MFA Exhaustion" analytic stories. This analytic will trigger a notable event in your incident review when there are 5 or more distinct TTPs related to these analytic stories in the last 24 hours. This incident highlights potentially suspicious activity by a compromised user. -action.notable.param.rule_title = RBA: Okta Risk Threshold Exceeded -action.notable.param.security_domain = access -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` values(All_Risk.analyticstories) as analyticstories sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count,values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.risk_object_type = user All_Risk.analyticstories IN ("Okta Account Takeover", "Suspicious Okta Activity","Okta MFA Exhaustion") by All_Risk.risk_object,All_Risk.risk_object_type | `drop_dm_object_name("All_Risk")` | search mitre_technique_id_count > 5 | `okta_risk_threshold_exceeded_filter` - -[ESCU - Okta Successful Single Factor Authentication - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic identifies successful authentication events against the Okta Dashboard for accounts without Multi-Factor Authentication enabled. It specifically searches for events where "Okta Verify" is not detected during authentication. This could indicate a misconfiguration, a policy violation, or an account takeover attempt that warrants investigation. If your organization has other authenticators configured in the environment, consider excluding those from the "targets" in the detection search. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004", "T1621"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic identifies successful authentication events against the Okta Dashboard for accounts without Multi-Factor Authentication enabled. It specifically searches for events where "Okta Verify" is not detected during authentication. This could indicate a misconfiguration, a policy violation, or an account takeover attempt that warrants investigation. If your organization has other authenticators configured in the environment, consider excluding those from the "targets" in the detection search. -action.escu.how_to_implement = This detection utilizes logs from Okta environments and requires the ingestion of OktaIm2 logs through the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). -action.escu.known_false_positives = Although not recommended, certain users may be exempt from multi-factor authentication. Adjust the filter as necessary. -action.escu.creation_date = 2024-04-08 -action.escu.modification_date = 2024-04-08 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Okta Successful Single Factor Authentication - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Okta"] -action.escu.analytic_story = ["Okta Account Takeover"] -action.risk = 1 -action.risk.param._risk_message = A user [$user$] has successfully logged in to Okta Dashboard with single factor authentication from IP Address - [$src_ip$]. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 48}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Okta Successful Single Factor Authentication - Rule -action.correlationsearch.annotations = {"analytic_story": ["Okta Account Takeover"], "cis20": ["CIS 10"], "confidence": 60, "impact": 80, "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004", "T1621"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "98f6ad4f-4325-4096-9d69-45dc8e638e82", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `okta` action=success src_user_type = User eventType = user.authentication.verify OR eventType = user.authentication.auth_via_mfa| stats dc(eventType) values(eventType) as eventType values(target{}.displayName) as targets values(debugContext.debugData.url) min(_time) as firstTime max(_time) as lastTime values(authentication_method) by src_ip user action | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search targets !="Okta Verify" | `okta_successful_single_factor_authentication_filter` - -[ESCU - Okta Suspicious Activity Reported - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies when an associate reports a login attempt as suspicious via an email from Okta. It leverages Okta Identity Management logs, specifically the `user.account.report_suspicious_activity_by_enduser` event type. This activity is significant as it indicates potential unauthorized access attempts, warranting immediate investigation to prevent possible security breaches. If confirmed malicious, the attacker could gain unauthorized access to sensitive systems and data, leading to data theft, privilege escalation, or further compromise of the environment. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies when an associate reports a login attempt as suspicious via an email from Okta. It leverages Okta Identity Management logs, specifically the `user.account.report_suspicious_activity_by_enduser` event type. This activity is significant as it indicates potential unauthorized access attempts, warranting immediate investigation to prevent possible security breaches. If confirmed malicious, the attacker could gain unauthorized access to sensitive systems and data, leading to data theft, privilege escalation, or further compromise of the environment. -action.escu.how_to_implement = This detection utilizes logs from Okta Identity Management (IM) environments. It requires the ingestion of OktaIm2 logs through the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). Additionally, it necessitates the activation of suspicious activity reporting and training for associates to report such activities. -action.escu.known_false_positives = False positives should be minimal, given the high fidelity of this detection. marker. -action.escu.creation_date = 2024-05-13 -action.escu.modification_date = 2024-05-13 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Okta Suspicious Activity Reported - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Okta"] -action.escu.analytic_story = ["Okta Account Takeover"] -action.risk = 1 -action.risk.param._risk_message = A user [$user$] reported suspicious activity in Okta. Investigate further to determine if this was authorized. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Okta Suspicious Activity Reported - Rule -action.correlationsearch.annotations = {"analytic_story": ["Okta Account Takeover"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "bfc840f5-c9c6-454c-aa13-b46fd0bf1e79", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies when an associate reports a login attempt as suspicious via an email from Okta. It leverages Okta Identity Management logs, specifically the `user.account.report_suspicious_activity_by_enduser` event type. This activity is significant as it indicates potential unauthorized access attempts, warranting immediate investigation to prevent possible security breaches. If confirmed malicious, the attacker could gain unauthorized access to sensitive systems and data, leading to data theft, privilege escalation, or further compromise of the environment. -action.notable.param.rule_title = Okta Suspicious Activity Reported -action.notable.param.security_domain = access -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `okta` eventType=user.account.report_suspicious_activity_by_enduser | stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) by user eventType client.userAgent.rawUserAgent client.userAgent.browser client.geographicalContext.city client.geographicalContext.country | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_suspicious_activity_reported_filter` - -[ESCU - Okta Suspicious Use of a Session Cookie - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic looks for one or more policy evaluation events in which multiple client values (IP, User Agent, etc.) change associated to the same Device Token for a specific user. A detection opportunity arises when an adversary attempts to reuse a stolen web session cookie. \ -* Retrieves policy evaluation events from successful authentication events. \ -* Aggregates/Groups by Device Token and User, providing the first policy evaluation event in the search window. \ -* It checks for the presence of more than one IP and whether there are multiple OS or browsers for each User/Device Token combination. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1539"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic looks for one or more policy evaluation events in which multiple client values (IP, User Agent, etc.) change associated to the same Device Token for a specific user. A detection opportunity arises when an adversary attempts to reuse a stolen web session cookie. \ -* Retrieves policy evaluation events from successful authentication events. \ -* Aggregates/Groups by Device Token and User, providing the first policy evaluation event in the search window. \ -* It checks for the presence of more than one IP and whether there are multiple OS or browsers for each User/Device Token combination. -action.escu.how_to_implement = This detection utilizes logs from Okta Identity Management (IM) environments. It requires the ingestion of OktaIm2 logs through the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). -action.escu.known_false_positives = False positives may occur, depending on the organization's size and the configuration of Okta. -action.escu.creation_date = 2024-03-17 -action.escu.modification_date = 2024-03-17 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Okta Suspicious Use of a Session Cookie - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Okta"] -action.escu.analytic_story = ["Okta Account Takeover", "Suspicious Okta Activity"] -action.risk = 1 -action.risk.param._risk_message = A user [$user$] is attempting to use a session cookie from multiple IP addresses or devices. Investigate further to determine if this was authorized. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 56}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Okta Suspicious Use of a Session Cookie - Rule -action.correlationsearch.annotations = {"analytic_story": ["Okta Account Takeover", "Suspicious Okta Activity"], "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1539"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "71ad47d1-d6bd-4e0a-b35c-020ad9a6959e", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `okta` eventType IN (policy.evaluate_sign_on) outcome.result IN (ALLOW, SUCCESS) | stats earliest(_time) as _time, values(client.ipAddress) as src_ip, values(client.userAgent.rawUserAgent) as user_agent, values(client.userAgent.os) as userAgentOS_list, values(client.geographicalContext.city) as city, values(client.userAgent.browser) as userAgentBrowser_list, values(device.os_platform) as okta_device_os, dc(client.userAgent.browser) as dc_userAgentBrowser, dc(client.userAgent.os) as dc_userAgentOS, dc(client.ipAddress) as dc_src_ip, values(outcome.reason) as reason by debugContext.debugData.dtHash, user | where dc_src_ip>1 AND (dc_userAgentOS>1 OR dc_userAgentBrowser>1) | `okta_suspicious_use_of_a_session_cookie_filter` - -[ESCU - Okta ThreatInsight Threat Detected - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This anomaly is based on the identification of threats by Okta ThreatInsight. It allows for the escalation of risk based on src_ip or the addition of fields for further tracking. Possible identifications include password spraying, login failures, and login failures with a high count of unknown users. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078", "T1078.004"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This anomaly is based on the identification of threats by Okta ThreatInsight. It allows for the escalation of risk based on src_ip or the addition of fields for further tracking. Possible identifications include password spraying, login failures, and login failures with a high count of unknown users. -action.escu.how_to_implement = This detection utilizes logs from Okta Identity Management (IM) environments. It requires the ingestion of OktaIm2 logs through the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). -action.escu.known_false_positives = False positives may occur. It is recommended to fine-tune Okta settings and the analytic to ensure high fidelity. Adjust the risk score as necessary. -action.escu.creation_date = 2022-09-21 -action.escu.modification_date = 2022-09-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Okta ThreatInsight Threat Detected - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Okta"] -action.escu.analytic_story = ["Okta Account Takeover"] -action.risk = 1 -action.risk.param._risk_message = The following $src_ip$ has been identified as a threat by Okta ThreatInsight. Investigate further to determine if this was authorized. -action.risk.param._risk = [{"risk_object_field": "app", "risk_object_type": "system", "risk_score": 25}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Okta ThreatInsight Threat Detected - Rule -action.correlationsearch.annotations = {"analytic_story": ["Okta Account Takeover"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078", "T1078.004"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "140504ae-5fe2-4d65-b2bc-a211813fbca6", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `okta` eventType = security.threat.detected | rename client.geographicalContext.country as country, client.geographicalContext.state as state, client.geographicalContext.city as city | stats count min(_time) as firstTime max(_time) as lastTime by app src_ip signature eventType displayMessage client.device city state country user_agent outcome.reason outcome.result severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_threatinsight_threat_detected_filter` - -[ESCU - Okta Unauthorized Access to Application - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search detects instances where a user attempts to access an Okta application that has not been assigned to them. Such unauthorized access to applications poses a significant security risk, potentially leading to the exposure of sensitive information, disruption of services, and breaches of data protection laws. Ensuring that only authorized users have access to applications is crucial for maintaining a secure and compliant IT environment. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.004"], "nist": ["DE.AE"]} -action.escu.data_models = ["Authentication"] -action.escu.eli5 = This search detects instances where a user attempts to access an Okta application that has not been assigned to them. Such unauthorized access to applications poses a significant security risk, potentially leading to the exposure of sensitive information, disruption of services, and breaches of data protection laws. Ensuring that only authorized users have access to applications is crucial for maintaining a secure and compliant IT environment. -action.escu.how_to_implement = This detection utilizes logs from Okta Identity Management (IM) environments and requires the ingestion of OktaIm2 logs through the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). -action.escu.known_false_positives = There is a possibility that a user may accidentally click on the wrong application, which could trigger this event. It is advisable to verify the location from which this activity originates. -action.escu.creation_date = 2024-03-07 -action.escu.modification_date = 2024-03-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Okta Unauthorized Access to Application - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Okta"] -action.escu.analytic_story = ["Okta Account Takeover"] -action.risk = 1 -action.risk.param._risk_message = A user [$user$] is attempting to access an unauthorized application from IP Address - [$src$] -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 81}, {"threat_object_field": "src", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Okta Unauthorized Access to Application - Rule -action.correlationsearch.annotations = {"analytic_story": ["Okta Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.004"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "5f661629-9750-4cb9-897c-1f05d6db8727", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats values(Authentication.app) as app values(Authentication.action) as action values(Authentication.user) as user values(Authentication.reason) as reason from datamodel=Authentication where Authentication.signature=app.generic.unauth_app_access_attempt Authentication.action="failure" by _time Authentication.src Authentication.user | `drop_dm_object_name("Authentication")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | iplocation src | `okta_unauthorized_access_to_application_filter` - -[ESCU - Okta User Logins from Multiple Cities - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search identifies instances where the same user logs in from different cities within a 24-hour period, potentially indicating a compromised account. Such behavior may be indicative of an attacker attempting to gain unauthorized access to an Okta account from multiple locations. Investigating and responding to such incidents promptly is crucial to prevent account takeovers and data breaches. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization"], "mitre_attack": ["T1586.003"], "nist": ["DE.AE"]} -action.escu.data_models = ["Authentication"] -action.escu.eli5 = This search identifies instances where the same user logs in from different cities within a 24-hour period, potentially indicating a compromised account. Such behavior may be indicative of an attacker attempting to gain unauthorized access to an Okta account from multiple locations. Investigating and responding to such incidents promptly is crucial to prevent account takeovers and data breaches. -action.escu.how_to_implement = This detection utilizes logs from Okta Identity Management (IM) environments. It requires the ingestion of OktaIm2 logs through the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). -action.escu.known_false_positives = It is uncommon for a user to log in from multiple cities simultaneously, which may indicate a false positive. -action.escu.creation_date = 2024-03-07 -action.escu.modification_date = 2024-03-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Okta User Logins from Multiple Cities - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Okta"] -action.escu.analytic_story = ["Okta Account Takeover"] -action.risk = 1 -action.risk.param._risk_message = A user [$user$] has logged in from multiple cities [$City$] from IP Address - [$src$]. Investigate further to determine if this was authorized. -action.risk.param._risk = [{"threat_object_field": "src", "threat_object_type": "ip_address"}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 81}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Okta User Logins from Multiple Cities - Rule -action.correlationsearch.annotations = {"analytic_story": ["Okta Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Weaponization"], "mitre_attack": ["T1586.003"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a3d1df37-c2a9-41d0-aa8f-59f82d6192a8", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` values(Authentication.app) as app values(Authentication.action) as action values(Authentication.user) as user values(Authentication.reason) as reason values(Authentication.dest) as dest values(Authentication.signature) as signature values(Authentication.method) as method from datamodel=Authentication where Authentication.signature=user.session.start by _time Authentication.src | `drop_dm_object_name("Authentication")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | iplocation src | stats count min(_time) as firstTime max(_time) as lastTime dc(src) as distinct_src dc(City) as distinct_city values(src) as src values(City) as City values(Country) as Country values(action) as action by user | where distinct_city > 1 | `okta_user_logins_from_multiple_cities_filter` - -[ESCU - Path traversal SPL injection - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = On May 3rd, 2022, Splunk published a security advisory for a Path traversal in search parameter that can potentiall allow SPL injection. An attacker can cause the application to load data from incorrect endpoints, urls leading to outcomes such as running arbitrary SPL queries. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1083"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = On May 3rd, 2022, Splunk published a security advisory for a Path traversal in search parameter that can potentiall allow SPL injection. An attacker can cause the application to load data from incorrect endpoints, urls leading to outcomes such as running arbitrary SPL queries. -action.escu.how_to_implement = This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. This search will provide search UI requests with path traversal parameter ("../../../../../../../../../") which shows exploitation attempts. This detection is meant for on premise environments, and if executed on internet facing servers without a WAF may produce a lot of results. This detection will not work against obfuscated path traversal requests. -action.escu.known_false_positives = This search may find additional path traversal exploitation attempts. -action.escu.creation_date = 2024-03-19 -action.escu.modification_date = 2024-03-19 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Path traversal SPL injection - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Splunk Vulnerabilities"] -action.risk = 1 -action.risk.param._risk_message = Path traversal exploitation attempt from $clientip$ -action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "system", "risk_score": 40}, {"threat_object_field": "clientip", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Path traversal SPL injection - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 80, "cve": ["CVE-2022-26889"], "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1083"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "dfe55688-82ed-4d24-a21b-ed8f0e0fda99", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = On May 3rd, 2022, Splunk published a security advisory for a Path traversal in search parameter that can potentiall allow SPL injection. An attacker can cause the application to load data from incorrect endpoints, urls leading to outcomes such as running arbitrary SPL queries. -action.notable.param.rule_title = Path traversal SPL injection -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `path_traversal_spl_injection` | search "\/..\/..\/..\/..\/..\/..\/..\/..\/..\/" | stats count by host status clientip method uri_path uri_query | `path_traversal_spl_injection_filter` - -[ESCU - Persistent XSS in RapidDiag through User Interface Views - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = In Splunk Enterprise 9.0 versions before 9.0.4, a View allows for Cross-Site Scripting through the error message in a Base64-encoded image. The vulnerability affects instances with Splunk Web enabled. It does not affect Splunk Enterprise versions below 9.0. This search provides information on what user may have potentially added a malicious payload and what users were exposed to it. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = In Splunk Enterprise 9.0 versions before 9.0.4, a View allows for Cross-Site Scripting through the error message in a Base64-encoded image. The vulnerability affects instances with Splunk Web enabled. It does not affect Splunk Enterprise versions below 9.0. This search provides information on what user may have potentially added a malicious payload and what users were exposed to it. -action.escu.how_to_implement = This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index -action.escu.known_false_positives = This is a hunting search, it will not deobfuscate base64 payload, it provides however it will provide what user added the view artifact and what user opened it. It will require further investigation based on the information presented by this hunting search. -action.escu.creation_date = 2023-02-14 -action.escu.modification_date = 2023-02-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Persistent XSS in RapidDiag through User Interface Views - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Splunk Internal Logs"] -action.escu.analytic_story = ["Splunk Vulnerabilities"] -action.risk = 1 -action.risk.param._risk_message = A potential XSS attempt has been detected from $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Persistent XSS in RapidDiag through User Interface Views - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2023-22932"], "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "ce6e1268-e01c-4df2-a617-0f034ed49a43", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = In Splunk Enterprise 9.0 versions before 9.0.4, a View allows for Cross-Site Scripting through the error message in a Base64-encoded image. The vulnerability affects instances with Splunk Web enabled. It does not affect Splunk Enterprise versions below 9.0. This search provides information on what user may have potentially added a malicious payload and what users were exposed to it. -action.notable.param.rule_title = Persistent XSS in RapidDiag through User Interface Views -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `audit_searches` path=/opt/splunk/etc/users/*/search/local/data/ui/views/* action=* |table user action roles info roles path | dedup user action | `persistent_xss_in_rapiddiag_through_user_interface_views_filter` - -[ESCU - PingID Mismatch Auth Source and Verification Response - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies variations in the authentication event IP address versus the verification response event IP address to identify suspicious sign-in behavior. Currently this detection is configured to identify when the originating country of an authentication request is different than the verification country. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1621", "T1556.006", "T1098.005"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies variations in the authentication event IP address versus the verification response event IP address to identify suspicious sign-in behavior. Currently this detection is configured to identify when the originating country of an authentication request is different than the verification country. -action.escu.how_to_implement = Target environment must ingest JSON logging from a PingID(PingOne) enterprise environment, either via Webhook or Push Subscription. -action.escu.known_false_positives = False positives may be generated by users working out the geographic region where the organizations services or technology is hosted. -action.escu.creation_date = 2023-09-26 -action.escu.modification_date = 2023-09-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - PingID Mismatch Auth Source and Verification Response - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Ping ID"] -action.escu.analytic_story = ["Compromised User Account"] -action.risk = 1 -action.risk.param._risk_message = An authentication by [$user$] was detected from [$dest$ - $auth_Country$] and the verification was received from [$src$ - $verify_Country$]. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "src", "risk_object_type": "system", "risk_score": 25}, {"risk_object_field": "object", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - PingID Mismatch Auth Source and Verification Response - Rule -action.correlationsearch.annotations = {"analytic_story": ["Compromised User Account"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1621", "T1556.006", "T1098.005"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "15b0694e-caa2-4009-8d83-a1f98b86d086", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies variations in the authentication event IP address versus the verification response event IP address to identify suspicious sign-in behavior. Currently this detection is configured to identify when the originating country of an authentication request is different than the verification country. -action.notable.param.rule_title = PingID Mismatch Auth Source and Verification Response -action.notable.param.security_domain = access -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `pingid` ("result.status" IN ("SUCCESS*","FAIL*","UNSUCCESSFUL*") NOT "result.message" IN ("*pair*","*create*","*delete*")) | eval user = upper('actors{}.name'), session_id = 'resources{}.websession', dest = 'resources{}.ipaddress', reason = 'result.message', object = 'resources{}.devicemodel', status = 'result.status' | join user session_id [ search `pingid` ("result.status" IN ("POLICY") AND "resources{}.ipaddress"=*) AND "result.message" IN("*Action: Authenticate*","*Action: Approve*","*Action: Allowed*") | rex field=result.message "IP Address: (?:N\/A)?(?.+)?\n" | rex field=result.message "Action: (?:N\/A)?(?.+)?\n" | rex field=result.message "Requested Application Name: (?:N\/A)?(?.+)?\n" | rex field=result.message "Requested Application ID: (?:N\/A)?(?.+)?\n" | eval user = upper('actors{}.name'), session_id = 'resources{}.websession', src = coalesce('resources{}.ipaddress',policy_ipaddress), app = coalesce(Requested_Application_ID,Requested_Application_Name) | fields app, user, session_id, src, signature ] | iplocation prefix=auth_ dest | iplocation prefix=verify_ src | stats count min(_time) as firstTime max(_time) as lastTime values(app) as app values(session_id) as session_id by user, dest, auth_Country, src, verify_Country, object, signature, status, reason | where auth_Country != verify_Country | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `pingid_mismatch_auth_source_and_verification_response_filter` - -[ESCU - PingID Multiple Failed MFA Requests For User - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies multiple failed multi-factor authentication requests for a single user within a PingID (PingOne) environment. Specifically, the analytic triggers when 10 or more MFA user prompts fail within 10 minutes. PingID environments can be very different depending on the organization, Security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls as reported by Mandiant and others. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1621", "T1078", "T1110"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies multiple failed multi-factor authentication requests for a single user within a PingID (PingOne) environment. Specifically, the analytic triggers when 10 or more MFA user prompts fail within 10 minutes. PingID environments can be very different depending on the organization, Security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls as reported by Mandiant and others. -action.escu.how_to_implement = Target environment must ingest JSON logging from a PingID(PingOne) enterprise environment, either via Webhook or Push Subscription. -action.escu.known_false_positives = False positives may be generated by normal provisioning workflows for user device registration. -action.escu.creation_date = 2023-09-26 -action.escu.modification_date = 2023-09-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - PingID Multiple Failed MFA Requests For User - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Ping ID"] -action.escu.analytic_story = ["Compromised User Account"] -action.risk = 1 -action.risk.param._risk_message = Multiple Failed MFA requests $mfa_prompts$ for user $user$ between $firstTime$ and $lastTime$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 50}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - PingID Multiple Failed MFA Requests For User - Rule -action.correlationsearch.annotations = {"analytic_story": ["Compromised User Account"], "cis20": ["CIS 10"], "confidence": 50, "impact": 100, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1621", "T1078", "T1110"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c1bc706a-0025-4814-ad30-288f38865036", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies multiple failed multi-factor authentication requests for a single user within a PingID (PingOne) environment. Specifically, the analytic triggers when 10 or more MFA user prompts fail within 10 minutes. PingID environments can be very different depending on the organization, Security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls as reported by Mandiant and others. -action.notable.param.rule_title = PingID Multiple Failed MFA Requests For User -action.notable.param.security_domain = access -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `pingid` "result.status" IN ("FAILURE,authFail","UNSUCCESSFUL_ATTEMPT") | eval time = _time, src = coalesce('resources{}.ipaddress','resources{}.devicemodel'), user = upper('actors{}.name'), object = 'resources{}.devicemodel', reason = 'result.message'| bucket span=10m _time | stats dc(_raw) AS mfa_prompts min(time) as firstTime, max(time) as lastTime values(src) as src by user, reason, _time | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | where mfa_prompts >= 10 | `pingid_multiple_failed_mfa_requests_for_user_filter` - -[ESCU - PingID New MFA Method After Credential Reset - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = A common social engineering technique used by threat actors is the impersonation of a valid user to organizational support staff for a password reset. During the same support call or quickly afterwards the threat actor will request provisioning of a new MFA device. This does not require malware or phishing infrastructure and has proven to be successful in numerous historical attacks. This detection looks for the pattern of password reset, followed by MFA device provisioning. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1621", "T1556.006", "T1098.005"], "nist": ["DE.CM"]} -action.escu.data_models = ["Change"] -action.escu.eli5 = A common social engineering technique used by threat actors is the impersonation of a valid user to organizational support staff for a password reset. During the same support call or quickly afterwards the threat actor will request provisioning of a new MFA device. This does not require malware or phishing infrastructure and has proven to be successful in numerous historical attacks. This detection looks for the pattern of password reset, followed by MFA device provisioning. -action.escu.how_to_implement = Target environment must ingest Windows Event Log and PingID(PingOne) data sources. Specifically from logs from Active Directory Domain Controllers and JSON logging from a PingID(PingOne) enterprise environment, either via Webhook or Push Subscription. -action.escu.known_false_positives = False positives may be generated by normal provisioning workflows that generate a password reset followed by a device registration. -action.escu.creation_date = 2023-09-26 -action.escu.modification_date = 2023-09-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - PingID New MFA Method After Credential Reset - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows", "Ping ID"] -action.escu.analytic_story = ["Compromised User Account"] -action.risk = 1 -action.risk.param._risk_message = An MFA configuration change was detected for [$user$] within [$timeDiff$] of a password reset. The device [$object$] was $action$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 50}, {"risk_object_field": "object", "risk_object_type": "other", "risk_score": 50}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - PingID New MFA Method After Credential Reset - Rule -action.correlationsearch.annotations = {"analytic_story": ["Compromised User Account"], "cis20": ["CIS 10"], "confidence": 50, "impact": 100, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1621", "T1556.006", "T1098.005"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "2fcbce12-cffa-4c84-b70c-192604d201d0", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = A common social engineering technique used by threat actors is the impersonation of a valid user to organizational support staff for a password reset. During the same support call or quickly afterwards the threat actor will request provisioning of a new MFA device. This does not require malware or phishing infrastructure and has proven to be successful in numerous historical attacks. This detection looks for the pattern of password reset, followed by MFA device provisioning. -action.notable.param.rule_title = PingID New MFA Method After Credential Reset -action.notable.param.security_domain = access -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `pingid` "result.message" = "*Device Paired*" | rex field=result.message "Device (Unp)?(P)?aired (?.+)" | eval src = coalesce('resources{}.ipaddress','resources{}.devicemodel'), user = upper('actors{}.name'), reason = 'result.message' | eval object=CASE(ISNOTNULL('resources{}.devicemodel'),'resources{}.devicemodel',true(),device_extract) | eval action=CASE(match('result.message',"Device Paired*"),"created",match('result.message', "Device Unpaired*"),"deleted") | stats count min(_time) as firstTime, max(_time) as lastTime, values(reason) as reason by src,user,action,object | join type=outer user [| search `wineventlog_security` EventID IN(4723,4724) | eval PW_Change_Time = _time, user = upper(user) | fields user,src_user,EventID,PW_Change_Time] | eval timeDiffRaw = round(lastTime - PW_Change_Time) | eval timeDiff = replace(tostring(abs(timeDiffRaw) ,"duration"),"(\d*)\+*(\d+):(\d+):(\d+)","\2 hours \3 minutes") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `security_content_ctime(PW_Change_Time)` | where timeDiffRaw > 0 AND timeDiffRaw < 3600 | `pingid_new_mfa_method_after_credential_reset_filter` - -[ESCU - PingID New MFA Method Registered For User - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the registration of a new Multi-Factor Authentication (MFA) method for a PingID (PingOne) account. It leverages JSON logs from PingID, specifically looking for successful device pairing events. This activity is significant as adversaries who gain unauthorized access to a user account may register a new MFA method to maintain persistence. If confirmed malicious, this could allow attackers to bypass existing security measures, maintain long-term access, and potentially escalate their privileges within the compromised environment. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1621", "T1556.006", "T1098.005"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects the registration of a new Multi-Factor Authentication (MFA) method for a PingID (PingOne) account. It leverages JSON logs from PingID, specifically looking for successful device pairing events. This activity is significant as adversaries who gain unauthorized access to a user account may register a new MFA method to maintain persistence. If confirmed malicious, this could allow attackers to bypass existing security measures, maintain long-term access, and potentially escalate their privileges within the compromised environment. -action.escu.how_to_implement = Target environment must ingest JSON logging from a PingID(PingOne) enterprise environment, either via Webhook or Push Subscription. -action.escu.known_false_positives = False positives may be generated by normal provisioning workflows for user device registration. -action.escu.creation_date = 2024-05-07 -action.escu.modification_date = 2024-05-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - PingID New MFA Method Registered For User - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Ping ID"] -action.escu.analytic_story = ["Compromised User Account"] -action.risk = 1 -action.risk.param._risk_message = An MFA configuration change was detected for [$user$], the device [$object$] was $action$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 10}, {"risk_object_field": "src", "risk_object_type": "system", "risk_score": 10}, {"risk_object_field": "object", "risk_object_type": "other", "risk_score": 10}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - PingID New MFA Method Registered For User - Rule -action.correlationsearch.annotations = {"analytic_story": ["Compromised User Account"], "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1621", "T1556.006", "T1098.005"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "892dfeaf-461d-4a78-aac8-b07e185c9bce", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the registration of a new Multi-Factor Authentication (MFA) method for a PingID (PingOne) account. It leverages JSON logs from PingID, specifically looking for successful device pairing events. This activity is significant as adversaries who gain unauthorized access to a user account may register a new MFA method to maintain persistence. If confirmed malicious, this could allow attackers to bypass existing security measures, maintain long-term access, and potentially escalate their privileges within the compromised environment. -action.notable.param.rule_title = PingID New MFA Method Registered For User -action.notable.param.security_domain = access -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `pingid` "result.message"="Device Paired*" result.status="SUCCESS" | rex field=result.message "Device (Unp)?(P)?aired (?.+)" | eval src = coalesce('resources{}.ipaddress','resources{}.devicemodel'), user = upper('actors{}.name'), reason = 'result.message' | eval object=CASE(ISNOTNULL('resources{}.devicemodel'),'resources{}.devicemodel',true(),device_extract) | eval action=CASE(match('result.message',"Device Paired*"),"created",match('result.message', "Device Unpaired*"),"deleted") | stats count min(_time) as firstTime, max(_time) as lastTime by src,user,object,action,reason | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `pingid_new_mfa_method_registered_for_user_filter` - -[ESCU - Splunk Absolute Path Traversal Using runshellscript - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the exploitation of an absolute path traversal vulnerability in Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, where an attacker can execute arbitrary code located on a separate disk. It leverages logs from the `splunk_python` macro, specifically looking for the `runshellscript` command with a specific argument count and path pattern. This activity is significant as it indicates a potential exploitation attempt that could lead to unauthorized code execution. If confirmed malicious, this could allow an attacker to gain control over the Splunk instance, leading to data breaches or further system compromise. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1083"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects the exploitation of an absolute path traversal vulnerability in Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, where an attacker can execute arbitrary code located on a separate disk. It leverages logs from the `splunk_python` macro, specifically looking for the `runshellscript` command with a specific argument count and path pattern. This activity is significant as it indicates a potential exploitation attempt that could lead to unauthorized code execution. If confirmed malicious, this could allow an attacker to gain control over the Splunk instance, leading to data breaches or further system compromise. -action.escu.how_to_implement = Must have access to internal indexes. Only applies to Splunk on Windows versions. -action.escu.known_false_positives = The command runshellscript can be used for benign purposes. Analyst will have to review the searches and determined maliciousness specially by looking at targeted script. -action.escu.creation_date = 2024-05-17 -action.escu.modification_date = 2024-05-17 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Splunk Absolute Path Traversal Using runshellscript - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Splunk Vulnerabilities"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Splunk Absolute Path Traversal Using runshellscript - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 70, "cve": ["CVE-2023-40597"], "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1083"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "356bd3fe-f59b-4f64-baa1-51495411b7ad", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `splunk_python` *runshellscript* | eval log_split=split(_raw, "runshellscript: ") | eval array_raw = mvindex(log_split,1) | eval data_cleaned=replace(replace(replace(array_raw,"\[",""),"\]",""),"'","") | eval array_indices=split(data_cleaned,",") | eval runshellscript_args_count=mvcount(array_indices) | where runshellscript_args_count = 10 | eval interpreter=mvindex(array_indices,0) | eval targetScript=mvindex(array_indices,1) | eval targetScript != "*C:*" | stats count min(_time) as firstTime max(_time) as lastTime by splunk_server interpreter targetScript | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `splunk_absolute_path_traversal_using_runshellscript_filter` - -[ESCU - Splunk Account Discovery Drilldown Dashboard Disclosure - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. Splunk drilldown vulnerability disclosure in Dashboard application that can potentially allow exposure of tokens from privilege users. An attacker can create dashboard and share it to privileged user (admin) and detokenize variables using external urls within dashboards drilldown function. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = Splunk drilldown vulnerability disclosure in Dashboard application that can potentially allow exposure of tokens from privilege users. An attacker can create dashboard and share it to privileged user (admin) and detokenize variables using external urls within dashboards drilldown function. -action.escu.how_to_implement = This search uses REST function to query for dashboards with environment variables present in URL options. -action.escu.known_false_positives = This search may reveal non malicious URLs with environment variables used in organizations. -action.escu.creation_date = 2022-08-02 -action.escu.modification_date = 2022-08-02 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Splunk Account Discovery Drilldown Dashboard Disclosure - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Splunk Vulnerabilities"] -action.risk = 1 -action.risk.param._risk_message = Potential exposure of environment variables from url embedded in dashboard -action.risk.param._risk = [{"risk_object_field": "author", "risk_object_type": "other", "risk_score": 40}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Splunk Account Discovery Drilldown Dashboard Disclosure - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 80, "cve": ["CVE-2022-37438"], "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "f844c3f6-fd99-43a2-ba24-93e35fe84be6", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = Splunk drilldown vulnerability disclosure in Dashboard application that can potentially allow exposure of tokens from privilege users. An attacker can create dashboard and share it to privileged user (admin) and detokenize variables using external urls within dashboards drilldown function. -action.notable.param.rule_title = Splunk Account Discovery Drilldown Dashboard Disclosure -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | rest splunk_server=local /servicesNS/-/-/data/ui/views | search eai:data="*$env:*" eai:data="*url*" eai:data="*options*" | rename author AS Author eai:acl.sharing AS Permissions eai:appName AS App eai:data AS "Dashboard XML" | fields Author Permissions App "Dashboard XML" | `splunk_account_discovery_drilldown_dashboard_disclosure_filter` - -[ESCU - Splunk App for Lookup File Editing RCE via User XSLT - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies the creation of lookup files in Splunk, which could indicate an attempt to exploit remote code execution via user-supplied XSLT. It leverages REST API queries to monitor the creation of these lookups, focusing on fields such as title, author, and access control lists. This activity is significant because it targets a known vulnerability in Splunk versions 9.1.x, potentially allowing attackers to execute arbitrary code. If confirmed malicious, this could lead to unauthorized code execution, compromising the integrity and security of the Splunk environment. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1210"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies the creation of lookup files in Splunk, which could indicate an attempt to exploit remote code execution via user-supplied XSLT. It leverages REST API queries to monitor the creation of these lookups, focusing on fields such as title, author, and access control lists. This activity is significant because it targets a known vulnerability in Splunk versions 9.1.x, potentially allowing attackers to execute arbitrary code. If confirmed malicious, this could lead to unauthorized code execution, compromising the integrity and security of the Splunk environment. -action.escu.how_to_implement = Because there is no way to detect the payload, this search only provides the ability to monitor the creation of lookups which are the base of this exploit. An operator must then investigate suspicious lookups. This search requires ability to perform REST queries. Note that if the Splunk App for Lookup File Editing is not, or was not, installed in the Splunk environment then it is not necessary to run the search as the enviornment was not vulnerable. -action.escu.known_false_positives = This search will provide information for investigation and hunting of lookup creation via user-supplied XSLT which may be indications of possible exploitation. There will be false positives as it is not possible to detect the payload executed via this exploit. -action.escu.creation_date = 2024-05-16 -action.escu.modification_date = 2024-05-16 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Splunk App for Lookup File Editing RCE via User XSLT - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Splunk Vulnerabilities"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Splunk App for Lookup File Editing RCE via User XSLT - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 2, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1210"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a053e6a6-2146-483a-9798-2d43652f3299", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | rest splunk_server=local /services/data/lookup-table-files/ | fields title author disabled eai:acl.app eai:acl.owner eai:acl.sharing eai:appName eai:data | `splunk_app_for_lookup_file_editing_rce_via_user_xslt_filter` - -[ESCU - Splunk Authentication Token Exposure in Debug Log - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This detection search finds exposed authentication tokens in debug logs. This issue occurs in Splunk Enterprise versions below 9.2.1, 9.1.4, and 9.0.9, which may be affected by a vulnerability where JsonWebTokens can be exposed if the log level is set to DEBUG. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1654"], "nist": ["DE.CM"]} -action.escu.data_models = ["Web"] -action.escu.eli5 = This detection search finds exposed authentication tokens in debug logs. This issue occurs in Splunk Enterprise versions below 9.2.1, 9.1.4, and 9.0.9, which may be affected by a vulnerability where JsonWebTokens can be exposed if the log level is set to DEBUG. -action.escu.how_to_implement = Requires access to internal Splunk indexes. -action.escu.known_false_positives = Only applies to affected versions of Splunk Enterprise below 9.2.1, 9.1.4, and 9.0.9 -action.escu.creation_date = 2024-03-18 -action.escu.modification_date = 2024-03-18 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Splunk Authentication Token Exposure in Debug Log - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Splunk Vulnerabilities"] -action.risk = 1 -action.risk.param._risk_message = Possible JsonWebToken exposure, please investigate affected $host$ -action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "system", "risk_score": 50}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Splunk Authentication Token Exposure in Debug Log - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2024-29945"], "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1654"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "9a67e749-d291-40dd-8376-d422e7ecf8b5", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This detection search finds exposed authentication tokens in debug logs. This issue occurs in Splunk Enterprise versions below 9.2.1, 9.1.4, and 9.0.9, which may be affected by a vulnerability where JsonWebTokens can be exposed if the log level is set to DEBUG. -action.notable.param.rule_title = Splunk Authentication Token Exposure in Debug Log -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `splunkd` component=JsonWebToken log_level=DEBUG eventtype="splunkd-log" event_message="Validating token:*" | rex "Validating token: (?.*)\.$" | search token!=None | stats count min(_time) as firstTime max(_time) as lastTime values(log_level) as log_level values(event_message) as event_message by index, sourcetype, host, token | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_authentication_token_exposure_in_debug_log_filter` - -[ESCU - Splunk Code Injection via custom dashboard leading to RCE - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This hunting search provides information about a vulnerability in Splunk Enterprise versions below 8.2.9, 8.1.12, 9.0.2, where an authenticated user can execute arbitrary code via the dashboard pdf generation component. Please review events with file=export in the _internal index for the potential targets of exploitation. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1210"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This hunting search provides information about a vulnerability in Splunk Enterprise versions below 8.2.9, 8.1.12, 9.0.2, where an authenticated user can execute arbitrary code via the dashboard pdf generation component. Please review events with file=export in the _internal index for the potential targets of exploitation. -action.escu.how_to_implement = This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. -action.escu.known_false_positives = Not all exports and downloads are malicious, special attention must be put as well on /en-US/splunkd/__raw/services/pdfgen/render in the context of this search. -action.escu.creation_date = 2022-10-11 -action.escu.modification_date = 2022-10-11 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Splunk Code Injection via custom dashboard leading to RCE - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Splunk Internal Logs"] -action.escu.analytic_story = ["Splunk Vulnerabilities"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Splunk Code Injection via custom dashboard leading to RCE - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2022-43571"], "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1210"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "b06b41d7-9570-4985-8137-0784f582a1b3", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `splunkd_ui` uri_path=*/data/ui/views/* OR uri_path=*saved/searches/* | dedup uri_path | eval URL=urldecode("uri_path")| rex field=URL "\/saved\/searches\/(?[^\/]*)" | rex field=URL "\/data\/ui\/views\/(?[^\/]*)" | eval NAME=NAME."( Saved Search )",NAME1=NAME1."( Dashboard )" | eval NAME=coalesce(NAME,NAME1) | eval STATUS=case(match(status,"2\d+"),"SUCCESS",match(status,"3\d+"),"REDIRECTION",match(status,"4\d+") OR match(status,"5\d+"),"ERROR") | stats list(NAME) as DASHBOARD_TITLE,list(method) as HTTP_METHOD,list(status) as Status_Code,list(STATUS) as STATUS by user | rename user as User | `splunk_code_injection_via_custom_dashboard_leading_to_rce_filter` - -[ESCU - Splunk Command and Scripting Interpreter Delete Usage - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the use of the risky command - Delete - that may be utilized in Splunk to delete some or all data queried for. In order to use Delete in Splunk, one must be assigned the role. This is typically not used and should generate an anomaly if it is used. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]} -action.escu.data_models = ["Splunk_Audit"] -action.escu.eli5 = The following analytic identifies the use of the risky command - Delete - that may be utilized in Splunk to delete some or all data queried for. In order to use Delete in Splunk, one must be assigned the role. This is typically not used and should generate an anomaly if it is used. -action.escu.how_to_implement = To successfully implement this search acceleration is recommended against the Search_Activity datamodel that runs against the splunk _audit index. In addition, this analytic requires the Common Information Model App which includes the Splunk Audit Datamodel https://splunkbase.splunk.com/app/1621/. -action.escu.known_false_positives = False positives may be present if this command is used as a common practice. Filter as needed. -action.escu.creation_date = 2022-05-27 -action.escu.modification_date = 2022-05-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Splunk Command and Scripting Interpreter Delete Usage - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Splunk Vulnerabilities"] -action.risk = 1 -action.risk.param._risk_message = $user$ executed the 'delete' command, if this is unexpected it should be reviewed. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 27}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Splunk Command and Scripting Interpreter Delete Usage - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 30, "cve": ["CVE-2022-32154"], "impact": 90, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "8d3d5d5e-ca43-42be-aa1f-bc64375f6b04", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Splunk_Audit.Search_Activity where Search_Activity.search IN ("*| delete*") Search_Activity.search_type=adhoc Search_Activity.user!=splunk-system-user by Search_Activity.search Search_Activity.info Search_Activity.total_run_time Search_Activity.user Search_Activity.search_type | `drop_dm_object_name(Search_Activity)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_command_and_scripting_interpreter_delete_usage_filter` - -[ESCU - Splunk Command and Scripting Interpreter Risky Commands - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The Splunk platform contains built-in search processing language (SPL) safeguards to warn you when you are about to unknowingly run a search that contains commands that might be a security risk. This warning appears when you click a link or type a URL that loads a search that contains risky commands. The warning does not appear when you create ad hoc searches. This warning alerts you to the possibility of unauthorized actions by a malicious user. Unauthorized actions include - Copying or transferring data (data exfiltration), Deleting data and Overwriting data. All risky commands may be found here https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards#Commands_that_trigger_the_warninga. A possible scenario when this might occur is when a malicious actor creates a search that includes commands that exfiltrate or damage data. The malicious actor then sends an unsuspecting user a link to the search. The URL contains a query string (q) and a search identifier (sid), but the sid is not valid. The malicious actor hopes the user will use the link and the search will run. During analysis, pivot based on user name and filter any user or queries not needed. Queries ran from a dashboard are seen as adhoc queries. When a query runs from a dashboard it will not show in audittrail logs the source dashboard name. The query defaults to adhoc and no Splunk system user activity. In addition, modify this query by removing key commands that generate too much noise, or too little, and create separate queries with higher confidence to alert on. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]} -action.escu.data_models = ["Splunk_Audit"] -action.escu.eli5 = The Splunk platform contains built-in search processing language (SPL) safeguards to warn you when you are about to unknowingly run a search that contains commands that might be a security risk. This warning appears when you click a link or type a URL that loads a search that contains risky commands. The warning does not appear when you create ad hoc searches. This warning alerts you to the possibility of unauthorized actions by a malicious user. Unauthorized actions include - Copying or transferring data (data exfiltration), Deleting data and Overwriting data. All risky commands may be found here https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards#Commands_that_trigger_the_warninga. A possible scenario when this might occur is when a malicious actor creates a search that includes commands that exfiltrate or damage data. The malicious actor then sends an unsuspecting user a link to the search. The URL contains a query string (q) and a search identifier (sid), but the sid is not valid. The malicious actor hopes the user will use the link and the search will run. During analysis, pivot based on user name and filter any user or queries not needed. Queries ran from a dashboard are seen as adhoc queries. When a query runs from a dashboard it will not show in audittrail logs the source dashboard name. The query defaults to adhoc and no Splunk system user activity. In addition, modify this query by removing key commands that generate too much noise, or too little, and create separate queries with higher confidence to alert on. -action.escu.how_to_implement = To successfully implement this search acceleration is recommended against the Search_Activity datamodel that runs against the splunk _audit index. In addition, this analytic requires the Common Information Model App which includes the Splunk Audit Datamodel https://splunkbase.splunk.com/app/1621/. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as "curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json". A user should then create an empty container or case, attach the workbook, and begin working through the tasks. -action.escu.known_false_positives = False positives will be present until properly filtered by Username and search name. -action.escu.creation_date = 2022-05-23 -action.escu.modification_date = 2022-05-23 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Splunk Command and Scripting Interpreter Risky Commands - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Splunk Vulnerabilities"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Splunk Command and Scripting Interpreter Risky Commands - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 40, "cve": ["CVE-2022-32154", "CVE-2024-29946"], "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "1cf58ae1-9177-40b8-a26c-8966040f11ae", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Splunk_Audit.Search_Activity where Search_Activity.search IN ("*| runshellscript *", "*| collect *","*| delete *", "*| fit *", "*| outputcsv *", "*| outputlookup *", "*| run *", "*| script *", "*| sendalert *", "*| sendemail *", "*| tscolle*") Search_Activity.search_type=adhoc Search_Activity.user!=splunk-system-user by Search_Activity.search Search_Activity.info Search_Activity.total_run_time Search_Activity.user Search_Activity.search_type | `drop_dm_object_name(Search_Activity)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_command_and_scripting_interpreter_risky_commands_filter` - -[ESCU - Splunk Command and Scripting Interpreter Risky SPL MLTK - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This detection utilizes machine learning model named "risky_command_abuse" trained from "Splunk Command and Scripting Interpreter Risky SPL MLTK Baseline". It should be scheduled to run hourly to detect whether a user has run searches containing risky SPL from this list https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards#Commands_that_trigger_the_warninga with abnormally long running time in the past one hour, comparing with his/her past seven days history. This search uses the trained baseline to infer whether a search is an outlier (isOutlier ~= 1.0) or not (isOutlier~= 0.0) -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]} -action.escu.data_models = ["Splunk_Audit"] -action.escu.eli5 = This detection utilizes machine learning model named "risky_command_abuse" trained from "Splunk Command and Scripting Interpreter Risky SPL MLTK Baseline". It should be scheduled to run hourly to detect whether a user has run searches containing risky SPL from this list https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards#Commands_that_trigger_the_warninga with abnormally long running time in the past one hour, comparing with his/her past seven days history. This search uses the trained baseline to infer whether a search is an outlier (isOutlier ~= 1.0) or not (isOutlier~= 0.0) -action.escu.how_to_implement = This detection depends on MLTK app which can be found here - https://splunkbase.splunk.com/app/2890/ and the Splunk Audit datamodel which can be found here - https://splunkbase.splunk.com/app/1621/. Baseline model needs to be built using "Splunk Command and Scripting Interpreter Risky SPL MLTK Baseline" before this search can run. Please note that the current search only finds matches exactly one space between separator bar and risky commands. -action.escu.known_false_positives = If the run time of a search exceeds the boundaries of outlier defined by the fitted density function model, false positives can occur, incorrectly labeling a long running search as potentially risky. -action.escu.creation_date = 2022-05-27 -action.escu.modification_date = 2022-05-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Splunk Command and Scripting Interpreter Risky SPL MLTK - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Splunk Vulnerabilities"] -action.risk = 1 -action.risk.param._risk_message = Abnormally long run time for risk SPL command seen by user $(Search_Activity.user). -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 20}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Splunk Command and Scripting Interpreter Risky SPL MLTK - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 40, "cve": ["CVE-2022-32154"], "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "19d0146c-2eae-4e53-8d39-1198a78fa9ca", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats sum(Search_Activity.total_run_time) AS run_time, values(Search_Activity.search) as searches, count FROM datamodel=Splunk_Audit.Search_Activity WHERE (Search_Activity.user!="") AND (Search_Activity.total_run_time>1) AND (earliest=-1h@h latest=now) AND (Search_Activity.search IN ("*| runshellscript *", "*| collect *","*| delete *", "*| fit *", "*| outputcsv *", "*| outputlookup *", "*| run *", "*| script *", "*| sendalert *", "*| sendemail *", "*| tscolle*")) AND (Search_Activity.search_type=adhoc) AND (Search_Activity.user!=splunk-system-user) BY _time, Search_Activity.user span=1h | apply risky_command_abuse | fields _time, Search_Activity.user, searches, run_time, IsOutlier(run_time) | rename IsOutlier(run_time) as isOutlier, _time as timestamp | where isOutlier>0.5 | `splunk_command_and_scripting_interpreter_risky_spl_mltk_filter` - -[ESCU - Splunk csrf in the ssg kvstore client endpoint - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, a cross-site request forgery in the Splunk Secure Gateway (SSG) app in the kvstore_client endpoint allows for updating SSG KV store collections via a GET request. SSG is a Splunk Built app included by default with Splunk Enterprise. The vulnerability affects instances with SSG and Splunk Web enabled. This hunting search provides information on affected server specific method and post data that may reveal exploitation of this vulnerability. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, a cross-site request forgery in the Splunk Secure Gateway (SSG) app in the kvstore_client endpoint allows for updating SSG KV store collections via a GET request. SSG is a Splunk Built app included by default with Splunk Enterprise. The vulnerability affects instances with SSG and Splunk Web enabled. This hunting search provides information on affected server specific method and post data that may reveal exploitation of this vulnerability. -action.escu.how_to_implement = Requires access to internal index. -action.escu.known_false_positives = This hunting search only applies to the affected versions and setup mentioned in the description of this search, it does not extract payload so it requires manual investigation after executing search. This search will produce false positives. -action.escu.creation_date = 2023-02-14 -action.escu.modification_date = 2023-02-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Splunk csrf in the ssg kvstore client endpoint - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Splunk Vulnerabilities"] -action.risk = 1 -action.risk.param._risk_message = Potential CSRF exploitation attempt from $splunk_server$ -action.risk.param._risk = [{"risk_object_field": "splunk_server", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Splunk csrf in the ssg kvstore client endpoint - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2023-22942"], "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "4742d5f7-ce00-45ce-9c79-5e98b43b4410", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, a cross-site request forgery in the Splunk Secure Gateway (SSG) app in the kvstore_client endpoint allows for updating SSG KV store collections via a GET request. SSG is a Splunk Built app included by default with Splunk Enterprise. The vulnerability affects instances with SSG and Splunk Web enabled. This hunting search provides information on affected server specific method and post data that may reveal exploitation of this vulnerability. -action.notable.param.rule_title = Splunk csrf in the ssg kvstore client endpoint -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `splunkda` uri_path="/en-US/splunkd/__raw/services/ssg/kvstore_client" method="GET" delete_field_value="spacebridge_server" status="200" | table splunk_server status uri delete_field_value method post_data | `splunk_csrf_in_the_ssg_kvstore_client_endpoint_filter` - -[ESCU - Splunk Data exfiltration from Analytics Workspace using sid query - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This hunting search allows operator to discover attempts to exfiltrate data by executing a prepositioned malicious search ID in Analytic Workspace in Splunk Enterprise versions 8.2.9,8.1.12,9.0.2. The attack is browser-based. It requires the attacker to compel a victim to initiate a request within their browser (phishing). The attacker cannot exploit the vulnerability at will. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1567"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This hunting search allows operator to discover attempts to exfiltrate data by executing a prepositioned malicious search ID in Analytic Workspace in Splunk Enterprise versions 8.2.9,8.1.12,9.0.2. The attack is browser-based. It requires the attacker to compel a victim to initiate a request within their browser (phishing). The attacker cannot exploit the vulnerability at will. -action.escu.how_to_implement = The vulnerability affects only instances with Splunk Web Enabled. After running this search, please run "Splunk Command and Scripting Interpreter Risky SPL MLTK" to gain more insight into potentially risky commands which could lead to data exfiltration. -action.escu.known_false_positives = This search may produce false positives. This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. Special attention must be paid to "/en-US/app/search/analytics_workspace?sid=[sid]" which is where the malicious code will be inserted to trigger attack at victim. -action.escu.creation_date = 2022-11-01 -action.escu.modification_date = 2022-11-01 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Splunk Data exfiltration from Analytics Workspace using sid query - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Splunk Internal Logs"] -action.escu.analytic_story = ["Splunk Vulnerabilities"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Splunk Data exfiltration from Analytics Workspace using sid query - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2022-43566"], "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1567"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "b6d77c6c-f011-4b03-8650-8f10edb7c4a8", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `audit_searches` info=granted search NOT ("audit_searches") search NOT ("security_content_summariesonly") AND ((search="*mstats*[*]*" AND provenance="N/A") OR (search="*mstats*\\\"*[*]*\\\"*"))| eval warning=if(match(search,"\\\\\""), "POTENTIAL INJECTION STAGING", "POTENTIAL INJECTION EXECUTION") | table search, user, warning, timestamp | `splunk_data_exfiltration_from_analytics_workspace_using_sid_query_filter` - -[ESCU - Splunk Digital Certificates Infrastructure Version - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search will check the TLS validation is properly configured on the search head it is run from as well as its search peers after Splunk version 9. Other components such as additional search heads or anything this rest command cannot be distributed to will need to be manually checked. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization"], "mitre_attack": ["T1587.003"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search will check the TLS validation is properly configured on the search head it is run from as well as its search peers after Splunk version 9. Other components such as additional search heads or anything this rest command cannot be distributed to will need to be manually checked. -action.escu.how_to_implement = The user running this search is required to have a permission allowing them to dispatch REST requests to indexers (the `dispatch_rest_to_indexers` capability) in some architectures. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as "curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json". A user should then create an empty container or case, attach the workbook, and begin working through the tasks. -action.escu.known_false_positives = No known at this time. -action.escu.creation_date = 2022-05-26 -action.escu.modification_date = 2022-05-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Splunk Digital Certificates Infrastructure Version - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Splunk Vulnerabilities"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Splunk Digital Certificates Infrastructure Version - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2022-32153"], "impact": 50, "kill_chain_phases": ["Weaponization"], "mitre_attack": ["T1587.003"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "3c162281-7edb-4ebc-b9a4-5087aaf28fa7", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | rest /services/server/info | table splunk_server version server_roles | join splunk_server [| rest /servicesNS/nobody/search/configs/conf-server/ search="sslConfig"| table splunk_server sslVerifyServerCert sslVerifyServerName serverCert] | fillnull value="Not Set" | rename sslVerifyServerCert as "Server.conf:SslConfig:sslVerifyServerCert", sslVerifyServerName as "Server.conf:SslConfig:sslVerifyServerName", serverCert as "Server.conf:SslConfig:serverCert" | `splunk_digital_certificates_infrastructure_version_filter` - -[ESCU - Splunk Digital Certificates Lack of Encryption - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = On June 14th, 2022, Splunk released a security advisory relating to the authentication that happens between Universal Forwarders and Deployment Servers. In some circumstances, an unauthenticated client can download forwarder bundles from the Deployment Server. In other circumstances, a client may be allowed to publish a forwarder bundle to other clients, which may allow for arbitrary code execution. The fixes for these require upgrading to at least Splunk 9.0 on the forwarder as well. This is a great opportunity to configure TLS across the environment. This search looks for forwarders that are not using TLS and adds risk to those entities. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization"], "mitre_attack": ["T1587.003"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = On June 14th, 2022, Splunk released a security advisory relating to the authentication that happens between Universal Forwarders and Deployment Servers. In some circumstances, an unauthenticated client can download forwarder bundles from the Deployment Server. In other circumstances, a client may be allowed to publish a forwarder bundle to other clients, which may allow for arbitrary code execution. The fixes for these require upgrading to at least Splunk 9.0 on the forwarder as well. This is a great opportunity to configure TLS across the environment. This search looks for forwarders that are not using TLS and adds risk to those entities. -action.escu.how_to_implement = This anomaly search looks for forwarder connections that are not currently using TLS. It then presents the source IP, the type of forwarder, and the version of the forwarder. You can also remove the "ssl=false" argument from the initial stanza in order to get a full list of all your forwarders that are sending data, and the version of Splunk software they are running, for audit purposes. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as "curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json". A user should then create an empty container or case, attach the workbook, and begin working through the tasks. -action.escu.known_false_positives = None at this time -action.escu.creation_date = 2022-05-26 -action.escu.modification_date = 2022-05-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Splunk Digital Certificates Lack of Encryption - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Splunk Vulnerabilities"] -action.risk = 1 -action.risk.param._risk_message = $hostname$ is not using TLS when forwarding data -action.risk.param._risk = [{"risk_object_field": "hostname", "risk_object_type": "system", "risk_score": 20}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Splunk Digital Certificates Lack of Encryption - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 80, "cve": ["CVE-2022-32151"], "impact": 25, "kill_chain_phases": ["Weaponization"], "mitre_attack": ["T1587.003"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "386a7ebc-737b-48cf-9ca8-5405459ed508", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `splunkd` group="tcpin_connections" ssl="false" | stats values(sourceIp) latest(fwdType) latest(version) by hostname | `splunk_digital_certificates_lack_of_encryption_filter` - -[ESCU - Splunk DoS Using Malformed SAML Request - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = In Splunk Enterprise versions lower than 9.0.6, and 8.2.12, an attacker can send a malformed security assertion markup language SAML request to the /saml/acs REST endpoint which can cause a denial of service through a crash or hang of the Splunk daemon.The SAML extensible markup language (XML) parser does not fail SAML signature validation when the attacker modifies the URI in the SAML request. Instead it attempts to access the modified URI, which causes the Splunk daemon to crash or hang. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1498"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = In Splunk Enterprise versions lower than 9.0.6, and 8.2.12, an attacker can send a malformed security assertion markup language SAML request to the /saml/acs REST endpoint which can cause a denial of service through a crash or hang of the Splunk daemon.The SAML extensible markup language (XML) parser does not fail SAML signature validation when the attacker modifies the URI in the SAML request. Instead it attempts to access the modified URI, which causes the Splunk daemon to crash or hang. -action.escu.how_to_implement = To run this search, you must have access to the _internal index. -action.escu.known_false_positives = This search will show false positives. The analyst must look for errors and a pointer indicating a malicious file. -action.escu.creation_date = 2023-09-05 -action.escu.modification_date = 2023-09-05 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Splunk DoS Using Malformed SAML Request - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Splunk Vulnerabilities"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Splunk DoS Using Malformed SAML Request - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 30, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1498"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "8e8a86d5-f323-4567-95be-8e817e2baee6", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `splunkd` event_message=*error* expr=*xpointer* | stats count min(_time) as firstTime max(_time) as lastTime by component expr splunk_server event_message | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `splunk_dos_using_malformed_saml_request_filter` - -[ESCU - Splunk DOS Via Dump SPL Command - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a potential Denial of Service (DoS) attack exploiting the dump SPL command in vulnerable Splunk Enterprise versions. It detects this activity by searching the `splunk_crash_log` for segmentation fault entries, indicating a crash of the Splunk daemon. This activity is significant for a SOC because it can disrupt the availability of Splunk services, impacting monitoring and incident response capabilities. If confirmed malicious, this attack could render Splunk Enterprise unusable, severely hindering an organization's ability to detect and respond to other security threats. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1499.004"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies a potential Denial of Service (DoS) attack exploiting the dump SPL command in vulnerable Splunk Enterprise versions. It detects this activity by searching the `splunk_crash_log` for segmentation fault entries, indicating a crash of the Splunk daemon. This activity is significant for a SOC because it can disrupt the availability of Splunk services, impacting monitoring and incident response capabilities. If confirmed malicious, this attack could render Splunk Enterprise unusable, severely hindering an organization's ability to detect and respond to other security threats. -action.escu.how_to_implement = This search does not require additional ingestion of data. Requires the ability to search _internal index and monitor segmentation faults. -action.escu.known_false_positives = Segmentation faults may occur due to other causes, so this search may produce false positives -action.escu.creation_date = 2024-05-03 -action.escu.modification_date = 2024-05-03 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Splunk DOS Via Dump SPL Command - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Splunk Vulnerabilities"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Splunk DOS Via Dump SPL Command - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1499.004"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "fb0e6823-365f-48ed-b09e-272ac4c1dad6", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `splunk_crash_log` "*Segmentation fault*" | stats count by host _time | `splunk_dos_via_dump_spl_command_filter` - -[ESCU - Splunk DoS via Malformed S2S Request - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = On March 24th, 2022, Splunk published a security advisory for a possible Denial of Service stemming from the lack of validation in a specific key-value field in the Splunk-to-Splunk (S2S) protocol. This detection will alert on attempted exploitation in patched versions of Splunk. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1498"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = On March 24th, 2022, Splunk published a security advisory for a possible Denial of Service stemming from the lack of validation in a specific key-value field in the Splunk-to-Splunk (S2S) protocol. This detection will alert on attempted exploitation in patched versions of Splunk. -action.escu.how_to_implement = This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. This detection will only find attempted exploitation on versions of Splunk already patched for CVE-2021-3422. -action.escu.known_false_positives = None. -action.escu.creation_date = 2022-03-24 -action.escu.modification_date = 2022-03-24 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Splunk DoS via Malformed S2S Request - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Splunk Vulnerabilities"] -action.risk = 1 -action.risk.param._risk_message = An attempt to exploit CVE-2021-3422 was detected from $src$ against $host$ -action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "system", "risk_score": 50}, {"threat_object_field": "src", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Splunk DoS via Malformed S2S Request - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2021-3422"], "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1498"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "fc246e56-953b-40c1-8634-868f9e474cbd", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = On March 24th, 2022, Splunk published a security advisory for a possible Denial of Service stemming from the lack of validation in a specific key-value field in the Splunk-to-Splunk (S2S) protocol. This detection will alert on attempted exploitation in patched versions of Splunk. -action.notable.param.rule_title = Splunk DoS via Malformed S2S Request -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `splunkd` log_level="ERROR" component="TcpInputProc" thread_name="FwdDataReceiverThread" "Invalid _meta atom" | table host, src | `splunk_dos_via_malformed_s2s_request_filter` - -[ESCU - Splunk DOS via printf search function - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This hunting search provides information on detecting a vulnerability In Splunk Enterprise versions lower than 8.1.14, 8.2.12, 9.0.6, and 9.1.1, an attacker can use the printf SPL function to perform a denial of service against the Splunk Enterprise instance. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1499.004"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This hunting search provides information on detecting a vulnerability In Splunk Enterprise versions lower than 8.1.14, 8.2.12, 9.0.6, and 9.1.1, an attacker can use the printf SPL function to perform a denial of service against the Splunk Enterprise instance. -action.escu.how_to_implement = This search requires the ability to search internal indexes. -action.escu.known_false_positives = This search may produces false positives, analyst most focuse in the use of printf conversion function of eval to craft an expression that splunkd cannot interpret correctly causing it to crash. -action.escu.creation_date = 2023-08-30 -action.escu.modification_date = 2023-08-30 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Splunk DOS via printf search function - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Splunk Internal Logs"] -action.escu.analytic_story = ["Splunk Vulnerabilities"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Splunk DOS via printf search function - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2023-40594"], "impact": 100, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1499.004"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "78b48d08-075c-4eac-bd07-e364c3780867", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `audit_searches` "*makeresults * eval * fieldformat *printf*" user!="splunk_system_user" search!="*audit_searches*" | stats count by user splunk_server host search | convert ctime(*time) |`splunk_dos_via_printf_search_function_filter` - -[ESCU - Splunk Edit User Privilege Escalation - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies attempts by low-privilege users to escalate their privileges to admin by exploiting the edit_user capability. It detects this activity by analyzing audit trail logs for specific actions such as "change_own_password" and "edit_password" where the info field is "granted" and the user is not an admin or system user. This activity is significant because it indicates potential privilege escalation, which is a critical security concern. If confirmed malicious, this could allow an attacker to gain administrative access, leading to full control over the Splunk environment and potential data breaches. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies attempts by low-privilege users to escalate their privileges to admin by exploiting the edit_user capability. It detects this activity by analyzing audit trail logs for specific actions such as "change_own_password" and "edit_password" where the info field is "granted" and the user is not an admin or system user. This activity is significant because it indicates potential privilege escalation, which is a critical security concern. If confirmed malicious, this could allow an attacker to gain administrative access, leading to full control over the Splunk environment and potential data breaches. -action.escu.how_to_implement = This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. This detection may assist in efforts to discover abuse of edit_user privilege. -action.escu.known_false_positives = This search may produce false positives as password changing actions may be part of normal behavior. Operator will need to investigate these actions in order to discern exploitation attempts. -action.escu.creation_date = 2024-05-15 -action.escu.modification_date = 2024-05-15 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Splunk Edit User Privilege Escalation - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Splunk Vulnerabilities"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Splunk Edit User Privilege Escalation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 80, "cve": ["CVE-2023-32707"], "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "39e1c326-67d7-4c0d-8584-8056354f6593", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `audittrail` action IN ("change_own_password","password_change","edit_password") AND info="granted" AND NOT user IN (admin, splunk-system-user) | stats earliest(_time) as event_time values(index) as index values(sourcetype) as sourcetype values(action) as action values(info) as info by user | `splunk_edit_user_privilege_escalation_filter` - -[ESCU - Splunk Endpoint Denial of Service DoS Zip Bomb - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search allows operator to identify Splunk search app crashes resulting from specially crafted ZIP file using file monitoring that affects UF versions 8.1.11 and 8.2 versions below 8.2.7.1. It is not possible to detect Zip Bomb attack before crash. This search will provide Universal Forwarder errors from uploaded binary files (zip compression) which are used for this attack. If an analyst sees results from this search we suggest you investigate and triage what zip file was uploaded, zip compressed files may have different extensions. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1499"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This search allows operator to identify Splunk search app crashes resulting from specially crafted ZIP file using file monitoring that affects UF versions 8.1.11 and 8.2 versions below 8.2.7.1. It is not possible to detect Zip Bomb attack before crash. This search will provide Universal Forwarder errors from uploaded binary files (zip compression) which are used for this attack. If an analyst sees results from this search we suggest you investigate and triage what zip file was uploaded, zip compressed files may have different extensions. -action.escu.how_to_implement = Need to monitor Splunkd data from Universal Forwarders. -action.escu.known_false_positives = This search may reveal non malicious zip files causing errors as well. -action.escu.creation_date = 2022-08-02 -action.escu.modification_date = 2022-08-02 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Splunk Endpoint Denial of Service DoS Zip Bomb - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Splunk Vulnerabilities"] -action.risk = 1 -action.risk.param._risk_message = Potential exposure of environment variables from url embedded in dashboard -action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "system", "risk_score": 75}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Splunk Endpoint Denial of Service DoS Zip Bomb - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 75, "cve": ["CVE-2022-37439"], "impact": 100, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1499"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "b237d393-2f57-4531-aad7-ad3c17c8b041", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search allows operator to identify Splunk search app crashes resulting from specially crafted ZIP file using file monitoring that affects UF versions 8.1.11 and 8.2 versions below 8.2.7.1. It is not possible to detect Zip Bomb attack before crash. This search will provide Universal Forwarder errors from uploaded binary files (zip compression) which are used for this attack. If an analyst sees results from this search we suggest you investigate and triage what zip file was uploaded, zip compressed files may have different extensions. -action.notable.param.rule_title = Splunk Endpoint Denial of Service DoS Zip Bomb -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `splunkd` component=FileClassifierManager event_message=*invalid* event_message=*binary* |stats count by host component event_message | `splunk_endpoint_denial_of_service_dos_zip_bomb_filter` - -[ESCU - Splunk Enterprise KV Store Incorrect Authorization - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = In Splunk Enterprise versions below 9.0.8 and 9.1.3, Splunk app key value store KV Store improperly handles permissions for users using the REST application programming interface (API). This can potentially result in the deletion of KV Store collections. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = In Splunk Enterprise versions below 9.0.8 and 9.1.3, Splunk app key value store KV Store improperly handles permissions for users using the REST application programming interface (API). This can potentially result in the deletion of KV Store collections. -action.escu.how_to_implement = Requires access to internal indexes and REST API enabled instances. -action.escu.known_false_positives = This is a hunting search and will produce false positives. Operator must follow results into instances where curl requests coming from actual users may indicate intent of exploitation. -action.escu.creation_date = 2024-01-18 -action.escu.modification_date = 2024-01-18 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Splunk Enterprise KV Store Incorrect Authorization - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Splunk Vulnerabilities"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Splunk Enterprise KV Store Incorrect Authorization - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2024-23675"], "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "8f0e8380-a835-4f2b-b749-9ce119364df0", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `splunkda` uri=/servicesNS/nobody/search/admin/collections-conf/_reload status=2* method="POST" user=* file=_reload | stats count min(_time) as firstTime max(_time) as lastTime values(status) as status by host clientip file method | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_enterprise_kv_store_incorrect_authorization_filter` - -[ESCU - Splunk Enterprise Windows Deserialization File Partition - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies attempts to exploit a deserialization vulnerability in Splunk Enterprise for Windows versions below 9.0.8 and 9.1.3. It detects irregular path file executions by analyzing `splunk_python` logs and extracting file paths and names. This activity is significant because it indicates potential exploitation of a known vulnerability, which could lead to arbitrary code execution. If confirmed malicious, an attacker could gain unauthorized access, execute arbitrary code, and potentially compromise the entire Splunk environment, leading to data breaches and further system exploitation. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies attempts to exploit a deserialization vulnerability in Splunk Enterprise for Windows versions below 9.0.8 and 9.1.3. It detects irregular path file executions by analyzing `splunk_python` logs and extracting file paths and names. This activity is significant because it indicates potential exploitation of a known vulnerability, which could lead to arbitrary code execution. If confirmed malicious, an attacker could gain unauthorized access, execute arbitrary code, and potentially compromise the entire Splunk environment, leading to data breaches and further system exploitation. -action.escu.how_to_implement = Requires access to internal indexes. This detection search will display irregular path file execution, which will display exploit attempts. Only applies to Microsoft Windows Splunk versions. -action.escu.known_false_positives = Irregular path with files that may be purposely called for benign reasons may produce false positives. -action.escu.creation_date = 2024-05-18 -action.escu.modification_date = 2024-05-18 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Splunk Enterprise Windows Deserialization File Partition - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Splunk Vulnerabilities"] -action.risk = 1 -action.risk.param._risk_message = Possible Windows Deserialization exploitation via irregular path file against $host$ -action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "system", "risk_score": 90}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Splunk Enterprise Windows Deserialization File Partition - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 90, "cve": ["CVE-2024-23678"], "impact": 100, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "947d4d2e-1b64-41fc-b32a-736ddb88ce97", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies attempts to exploit a deserialization vulnerability in Splunk Enterprise for Windows versions below 9.0.8 and 9.1.3. It detects irregular path file executions by analyzing `splunk_python` logs and extracting file paths and names. This activity is significant because it indicates potential exploitation of a known vulnerability, which could lead to arbitrary code execution. If confirmed malicious, an attacker could gain unauthorized access, execute arbitrary code, and potentially compromise the entire Splunk environment, leading to data breaches and further system exploitation. -action.notable.param.rule_title = Splunk Enterprise Windows Deserialization File Partition -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `splunk_python` request_path="/en-US/app/search/C:\\Program" *strings* | rex "request_path=(?[^\"]+)" | rex field=file_path "[^\"]+/(?[^\"\'\s/\\\\]+)" | stats min(_time) as firstTime max(_time) as lastTime values(file_path) as file_path values(file_name) as file_name by index, sourcetype, host | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_enterprise_windows_deserialization_file_partition_filter` - -[ESCU - Splunk ES DoS Investigations Manager via Investigation Creation - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = In Splunk Enterprise Security (ES) versions lower than 7.1.2, an attacker can create a malformed Investigation to perform a denial of service (DoS). The malformed investigation prevents the generation and rendering of the Investigations manager until it is deleted. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1499"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = In Splunk Enterprise Security (ES) versions lower than 7.1.2, an attacker can create a malformed Investigation to perform a denial of service (DoS). The malformed investigation prevents the generation and rendering of the Investigations manager until it is deleted. -action.escu.how_to_implement = This search requires access to internal indexes. Only affects Splunk Enterprise Security versions lower than 7.1.2. -action.escu.known_false_positives = The vulnerability requires an authenticated session and access to create an Investigation. It only affects the availability of the Investigations manager, but without the manager, the Investigations functionality becomes unusable for most users. This search gives the exact offending event. -action.escu.creation_date = 2024-01-04 -action.escu.modification_date = 2024-01-04 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Splunk ES DoS Investigations Manager via Investigation Creation - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise Security"] -action.escu.providing_technologies = ["Splunk Internal Logs"] -action.escu.analytic_story = ["Splunk Vulnerabilities"] -action.risk = 1 -action.risk.param._risk_message = Denial of Service Attack against Splunk ES Investigation Manager by $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 100}, {"risk_object_field": "host", "risk_object_type": "system", "risk_score": 100}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Splunk ES DoS Investigations Manager via Investigation Creation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2024-22165"], "impact": 100, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1499"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "7f6a07bd-82ef-46b8-8eba-802278abd00e", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = In Splunk Enterprise Security (ES) versions lower than 7.1.2, an attacker can create a malformed Investigation to perform a denial of service (DoS). The malformed investigation prevents the generation and rendering of the Investigations manager until it is deleted. -action.notable.param.rule_title = Splunk ES DoS Investigations Manager via Investigation Creation -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `splunkd_investigation_rest_handler` method=put msg=*investigation* status=error | stats count min(_time) as firstTime max(_time) as lastTime by user host method msg | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_es_dos_investigations_manager_via_investigation_creation_filter` - -[ESCU - Splunk ES DoS Through Investigation Attachments - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = In Splunk Enterprise Security (ES) versions below 7.1.2, an attacker can use investigation attachments to perform a denial of service (DoS) to the Investigation. The attachment endpoint does not properly limit the size of the request which lets an attacker cause the Investigation to become inaccessible. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1499"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = In Splunk Enterprise Security (ES) versions below 7.1.2, an attacker can use investigation attachments to perform a denial of service (DoS) to the Investigation. The attachment endpoint does not properly limit the size of the request which lets an attacker cause the Investigation to become inaccessible. -action.escu.how_to_implement = This search requires access to internal indexes, only affects Enterprise Security versions below 7.1.2. -action.escu.known_false_positives = This search will show the exact DoS event via error message and investigation id. The error however does not point exactly at the uploader as any users associated with the investigation will be affected. Operator must investigate using investigation id the possible origin of the malicious upload. Attack only affects specific investigation not the investigation manager. -action.escu.creation_date = 2024-01-04 -action.escu.modification_date = 2024-01-04 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Splunk ES DoS Through Investigation Attachments - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise Security"] -action.escu.providing_technologies = ["Splunk Internal Logs"] -action.escu.analytic_story = ["Splunk Vulnerabilities"] -action.risk = 1 -action.risk.param._risk_message = Denial of Service detected at Splunk ES affecting $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 100}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Splunk ES DoS Through Investigation Attachments - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2024-22164"], "impact": 100, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1499"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "bb85b25e-2d6b-4e39-bd27-50db42edcb8f", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = In Splunk Enterprise Security (ES) versions below 7.1.2, an attacker can use investigation attachments to perform a denial of service (DoS) to the Investigation. The attachment endpoint does not properly limit the size of the request which lets an attacker cause the Investigation to become inaccessible. -action.notable.param.rule_title = Splunk ES DoS Through Investigation Attachments -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `splunkd_investigation_rest_handler` status=error object=investigation | stats min(_time) as firstTime max(_time) as lastTime values(status) as status values(msg) as msg values(id) as investigation_id by user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_es_dos_through_investigation_attachments_filter` - -[ESCU - Splunk HTTP Response Splitting Via Rest SPL Command - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = A low-privileged user, using a specially crafted search command, can trigger an HTTP response splitting vulnerability with the rest SPL command that lets them potentially access other REST endpoints in the system arbitrarily, including accessing restricted content such as password files. This is because the user is able to inject the rest SPL command into the q parameter of an HTTP GET web request. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The attacker cannot exploit the vulnerability at will. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1027.006"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = A low-privileged user, using a specially crafted search command, can trigger an HTTP response splitting vulnerability with the rest SPL command that lets them potentially access other REST endpoints in the system arbitrarily, including accessing restricted content such as password files. This is because the user is able to inject the rest SPL command into the q parameter of an HTTP GET web request. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The attacker cannot exploit the vulnerability at will. -action.escu.how_to_implement = This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. This search may assist in detecting possible http response splitting exploitation attemptss. -action.escu.known_false_positives = This search may have produce false positives as malformed or erroneous requests made to this endpoint may be executed willingly or erroneously by operators. -action.escu.creation_date = 2023-05-23 -action.escu.modification_date = 2023-05-23 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Splunk HTTP Response Splitting Via Rest SPL Command - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise"] -action.escu.providing_technologies = ["Splunk Internal Logs"] -action.escu.analytic_story = ["Splunk Vulnerabilities"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Splunk HTTP Response Splitting Via Rest SPL Command - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1027.006"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e615a0e1-a1b2-4196-9865-8aa646e1708c", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `audit_searches` AND search IN ("*|*rest*POST*","*|*rest*PUT*","*|*rest*PATCH*","*|*rest*DELETE*") AND NOT search="*audit_searches*" | table user info has_error_msg search _time | `splunk_http_response_splitting_via_rest_spl_command_filter` - -[ESCU - Splunk Improperly Formatted Parameter Crashes splunkd - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic detects the execution of improperly formatted INGEST_EVAL parameters in Splunk Enterprise, which can crash the splunkd service. It leverages the Splunk_Audit.Search_Activity datamodel to identify ad-hoc searches containing specific keywords. This activity is significant because it can disrupt Splunk operations, leading to potential data loss and service downtime. If confirmed malicious, an attacker could exploit this to cause a denial of service, impacting the availability and reliability of the Splunk environment. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1499"], "nist": ["DE.CM"]} -action.escu.data_models = ["Splunk_Audit"] -action.escu.eli5 = The following analytic detects the execution of improperly formatted INGEST_EVAL parameters in Splunk Enterprise, which can crash the splunkd service. It leverages the Splunk_Audit.Search_Activity datamodel to identify ad-hoc searches containing specific keywords. This activity is significant because it can disrupt Splunk operations, leading to potential data loss and service downtime. If confirmed malicious, an attacker could exploit this to cause a denial of service, impacting the availability and reliability of the Splunk environment. -action.escu.how_to_implement = Requires access to audittrail and use of Splunk_Audit.Search_Activity datamodel. -action.escu.known_false_positives = This is a hunting search it should be focused on affected products, otherwise it is likely to produce false positives. -action.escu.creation_date = 2024-05-14 -action.escu.modification_date = 2024-05-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Splunk Improperly Formatted Parameter Crashes splunkd - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Splunk Vulnerabilities"] -action.risk = 1 -action.risk.param._risk_message = An attempt to exploit ingest eval parameter was detected from $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 100}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Splunk Improperly Formatted Parameter Crashes splunkd - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2023-22941"], "impact": 100, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1499"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "08978eca-caff-44c1-84dc-53f17def4e14", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the execution of improperly formatted INGEST_EVAL parameters in Splunk Enterprise, which can crash the splunkd service. It leverages the Splunk_Audit.Search_Activity datamodel to identify ad-hoc searches containing specific keywords. This activity is significant because it can disrupt Splunk operations, leading to potential data loss and service downtime. If confirmed malicious, an attacker could exploit this to cause a denial of service, impacting the availability and reliability of the Splunk environment. -action.notable.param.rule_title = Splunk Improperly Formatted Parameter Crashes splunkd -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Splunk_Audit.Search_Activity where (Search_Activity.search="*makeresults*"AND Search_Activity.search="*ingestpreview*transforms*") Search_Activity.search_type=adhoc Search_Activity.search!="*splunk_improperly_formatted_parameter_crashes_splunkd_filter*" Search_Activity.user!=splunk-system-user by Search_Activity.search, Search_Activity.info, Search_Activity.total_run_time, Search_Activity.user, Search_Activity.search_type | `drop_dm_object_name(Search_Activity)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_improperly_formatted_parameter_crashes_splunkd_filter` - -[ESCU - Splunk Information Disclosure in Splunk Add-on Builder - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the presence of vulnerable versions of Splunk Add-on Builder (below 4.1.4) that write sensitive information to internal log files. It uses REST API queries to check installed app versions and flags those below the secure threshold. This activity is significant because it exposes sensitive data, which could be exploited by attackers. If confirmed malicious, this vulnerability could lead to unauthorized access to sensitive information, compromising the security and integrity of the Splunk environment. Immediate updates to version 4.1.4 or higher are recommended. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1082"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies the presence of vulnerable versions of Splunk Add-on Builder (below 4.1.4) that write sensitive information to internal log files. It uses REST API queries to check installed app versions and flags those below the secure threshold. This activity is significant because it exposes sensitive data, which could be exploited by attackers. If confirmed malicious, this vulnerability could lead to unauthorized access to sensitive information, compromising the security and integrity of the Splunk environment. Immediate updates to version 4.1.4 or higher are recommended. -action.escu.how_to_implement = This search should be run on search heads where Splunk Add-on Builder may be installed. The results of this search will conclusively show whether or not a vulnerable version of Splunk Add-on Builder is currently installed. -action.escu.known_false_positives = This search is highly specific for vulnerable versions of Splunk Add-on Builder. There are no known false positives. -action.escu.creation_date = 2024-05-20 -action.escu.modification_date = 2024-05-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Splunk Information Disclosure in Splunk Add-on Builder - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Splunk Vulnerabilities"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Splunk Information Disclosure in Splunk Add-on Builder - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1082"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "b7b82980-4a3e-412e-8661-4531d8758735", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | rest /services/apps/local | search disabled=0 core=0 label="Splunk Add-on Builder" | dedup label | search version < 4.1.4 | eval WarningMessage="Splunk Add-on Builder Versions older than v4.1.4 contain a critical vulnerability. Update to Splunk Add-on Builder v4.1.4 or higher immediately. For more information about this vulnerability, please refer to https://advisory.splunk.com/advisories/SVD-2024-0111" | table label version WarningMessage | `splunk_information_disclosure_in_splunk_add_on_builder_filter` - -[ESCU - Splunk list all nonstandard admin accounts - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search will enumerate all Splunk Accounts with administrative rights on this instance. It deliberately ignores the default admin account since this is assumed to be present. This search may help in a detection the Cross-Site Scripting Attack listed: In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, a View allows for Cross-Site Scripting in an XML View through the 'layoutPanel' attribute in the 'module' tag. The vulnerability affects instances with Splunk Web enabled. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search will enumerate all Splunk Accounts with administrative rights on this instance. It deliberately ignores the default admin account since this is assumed to be present. This search may help in a detection the Cross-Site Scripting Attack listed: In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, a View allows for Cross-Site Scripting in an XML View through the 'layoutPanel' attribute in the 'module' tag. The vulnerability affects instances with Splunk Web enabled. -action.escu.how_to_implement = The user running this search is required to have a permission allowing them to dispatch REST requests to indexers (the `dispatch_rest_to_indexers` capability) in some architectures. If there have been admin account, in addition to the standard admin account, intentionally created on this server, then edit the filter macro to exclude them. -action.escu.known_false_positives = It is not possible to discern from the user table whether or not users with admin rights have been created intentionally, accidentally, or as a result of exploitation. Each user with these rights should be investigated and, if legitimate, added to the filter macro above. If a user is not believed to be legitimate, then further investigation should take place. -action.escu.creation_date = 2023-02-07 -action.escu.modification_date = 2023-02-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Splunk list all nonstandard admin accounts - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Splunk Vulnerabilities"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Splunk list all nonstandard admin accounts - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2023-22933"], "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "401d689c-8596-4c6b-a710-7b6fdca296d3", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | rest splunk_server=local /services/authentication/users |search capabilities=admin* OR imported_capabilities=admin* title!=admin | table title roles capabilities splunk_server | `splunk_list_all_nonstandard_admin_accounts_filter` - -[ESCU - Splunk Low Privilege User Can View Hashed Splunk Password - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, a low-privilege user who holds the user role can see the hashed version of the initial user name and password for the Splunk instance by using the rest SPL command against the conf-user-seed REST endpoint. This can lead to a privilege escalation that lets the user take over the admin account on the instance. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1212"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, a low-privilege user who holds the user role can see the hashed version of the initial user name and password for the Splunk instance by using the rest SPL command against the conf-user-seed REST endpoint. This can lead to a privilege escalation that lets the user take over the admin account on the instance. -action.escu.how_to_implement = This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. This detection may assist in efforts to discover attempts to access con-user-seed file content. -action.escu.known_false_positives = This search may produce false positives as accounts with high privileges may access this file. Operator will need to investigate these actions in order to discern exploitation attempts. -action.escu.creation_date = 2023-05-09 -action.escu.modification_date = 2023-05-09 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Splunk Low Privilege User Can View Hashed Splunk Password - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise"] -action.escu.providing_technologies = ["Splunk Internal Logs"] -action.escu.analytic_story = ["Splunk Vulnerabilities"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Splunk Low Privilege User Can View Hashed Splunk Password - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1212"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a1be424d-e59c-4583-b6f9-2dcc23be4875", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `splunkd_web` uri="*/servicesNS/nobody/system/configs/conf-user-seed*" | stats earliest(_time) as event_time values(method) as method values(status) as status values(clientip) as clientip values(useragent) as useragent values(file) as file by user | convert ctime(*time) | `splunk_low_privilege_user_can_view_hashed_splunk_password_filter` - -[ESCU - Splunk Path Traversal In Splunk App For Lookup File Edit - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, a low-privilege user with access to the Splunk App for Lookup File Editing can, with a specially crafted web request, trigger a path traversal exploit that can then be used to read and write to restricted areas of the Splunk installation directory, including but not limited to the password hash file for the instance. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1083"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, a low-privilege user with access to the Splunk App for Lookup File Editing can, with a specially crafted web request, trigger a path traversal exploit that can then be used to read and write to restricted areas of the Splunk installation directory, including but not limited to the password hash file for the instance. -action.escu.how_to_implement = This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. This detection is meant for on premise environments, and if executed on internet facing servers without a WAF may produce a lot of results. This detection will not work against obfuscated path traversal requests. -action.escu.known_false_positives = This search may find additional path traversal exploitation attempts or malformed requests. -action.escu.creation_date = 2023-05-11 -action.escu.modification_date = 2023-05-11 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Splunk Path Traversal In Splunk App For Lookup File Edit - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Splunk Vulnerabilities"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Splunk Path Traversal In Splunk App For Lookup File Edit - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1083"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "8ed58987-738d-4917-9e44-b8ef6ab948a6", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `splunkda` uri_query=*lookup_file* | table clientip uri_query lookup_file owner namespace version | stats count by clientip namespace lookup_file uri_query | `splunk_path_traversal_in_splunk_app_for_lookup_file_edit_filter` - -[ESCU - Splunk Persistent XSS Via URL Validation Bypass W Dashboard - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = In Splunk Enterprise versions below 9.0.4, 8.2.10, and 8.1.13, a low-privileged user can bypass URL validation to perform a path traversal and access restricted and confidential information by targeting other users on the instance, including the admin user. The only affected version of bootstrap which shipped with Splunk was version 2.3.1, so the search is targeted at that version alone. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = In Splunk Enterprise versions below 9.0.4, 8.2.10, and 8.1.13, a low-privileged user can bypass URL validation to perform a path traversal and access restricted and confidential information by targeting other users on the instance, including the admin user. The only affected version of bootstrap which shipped with Splunk was version 2.3.1, so the search is targeted at that version alone. -action.escu.how_to_implement = This search does not require additional data to be ingested. This search requires ability to search _internal index. This search helps discover access to vulnerable bootstrap versions. -action.escu.known_false_positives = This search will produce numerous false positives as it shows ANY accesses to vulnerable bootstrap Javascript files. Accesses to these files occur during normal Splunk usage. To reduce or eliminate false positives, update the a version of Splunk which has addressed the vulnerability. -action.escu.creation_date = 2023-05-09 -action.escu.modification_date = 2023-05-09 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Splunk Persistent XSS Via URL Validation Bypass W Dashboard - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise"] -action.escu.providing_technologies = ["Splunk Internal Logs"] -action.escu.analytic_story = ["Splunk Vulnerabilities"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Splunk Persistent XSS Via URL Validation Bypass W Dashboard - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 20, "cve": ["CVE-2019-8331"], "impact": 80, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "8a43558f-a53c-4ee4-86c1-30b1e8ef3606", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `splunkd_web` method=GET uri_path="*bootstrap-2.3.1*" file="*.js" | table _time clientip uri_path file status | `splunk_persistent_xss_via_url_validation_bypass_w_dashboard_filter` - -[ESCU - Splunk Process Injection Forwarder Bundle Downloads - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = On June 14th, 2022, Splunk released a security advisory relating to the authentication that happens between Universal Forwarders and Deployment Servers. In some circumstances, an unauthenticated client can download forwarder bundles from the Deployment Server. This hunting search pulls a full list of forwarder bundle downloads where the peer column is the forwarder, the host column is the Deployment Server, and then you have a list of the apps downloaded and the serverclasses in which the peer is a member of. You should look for apps or clients that you do not recognize as being part of your environment. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = On June 14th, 2022, Splunk released a security advisory relating to the authentication that happens between Universal Forwarders and Deployment Servers. In some circumstances, an unauthenticated client can download forwarder bundles from the Deployment Server. This hunting search pulls a full list of forwarder bundle downloads where the peer column is the forwarder, the host column is the Deployment Server, and then you have a list of the apps downloaded and the serverclasses in which the peer is a member of. You should look for apps or clients that you do not recognize as being part of your environment. -action.escu.how_to_implement = This hunting search uses native logs produced when a deployment server is within your environment. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as "curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json". A user should then create an empty container or case, attach the workbook, and begin working through the tasks. -action.escu.known_false_positives = None at this time. -action.escu.creation_date = 2022-05-26 -action.escu.modification_date = 2022-05-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Splunk Process Injection Forwarder Bundle Downloads - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Splunk Vulnerabilities"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Splunk Process Injection Forwarder Bundle Downloads - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 70, "cve": ["CVE-2022-32157"], "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "8ea57d78-1aac-45d2-a913-0cd603fb6e9e", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `splunkd` component="PackageDownloadRestHandler" | stats values(app) values(serverclass) by peer, host | `splunk_process_injection_forwarder_bundle_downloads_filter` - -[ESCU - Splunk Protocol Impersonation Weak Encryption Configuration - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = On June 14th, 2022, Splunk released a security advisory relating to TLS validation occuring within the httplib and urllib python libraries shipped with Splunk. In addition to upgrading to Splunk Enterprise 9.0 or later, several configuration settings need to be set. This search will check those configurations on the search head it is run from as well as its search peers. In addition to these settings, the PYTHONHTTPSVERIFY setting in $SPLUNK_HOME/etc/splunk-launch.conf needs to be enabled as well. Other components such as additional search heads or anything this rest command cannot be distributed to will need to be manually checked. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1001.003"], "nist": ["DE.AE"]} -action.escu.data_models = ["Web"] -action.escu.eli5 = On June 14th, 2022, Splunk released a security advisory relating to TLS validation occuring within the httplib and urllib python libraries shipped with Splunk. In addition to upgrading to Splunk Enterprise 9.0 or later, several configuration settings need to be set. This search will check those configurations on the search head it is run from as well as its search peers. In addition to these settings, the PYTHONHTTPSVERIFY setting in $SPLUNK_HOME/etc/splunk-launch.conf needs to be enabled as well. Other components such as additional search heads or anything this rest command cannot be distributed to will need to be manually checked. -action.escu.how_to_implement = The user running this search is required to have a permission allowing them to dispatch REST requests to indexers (The `dispatch_rest_to_indexers` capability). Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as "curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json". A user should then create an empty container or case, attach the workbook, and begin working through the tasks. -action.escu.known_false_positives = While all of the settings on each device returned by this search may appear to be hardened, you will still need to verify the value of PYTHONHTTPSVERIFY in $SPLUNK_HOME/etc/splunk-launch.conf on each device in order to harden the python configuration. -action.escu.creation_date = 2022-05-25 -action.escu.modification_date = 2022-05-25 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Splunk Protocol Impersonation Weak Encryption Configuration - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Splunk Vulnerabilities"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Splunk Protocol Impersonation Weak Encryption Configuration - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2022-32151"], "impact": 50, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1001.003"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "900892bf-70a9-4787-8c99-546dd98ce461", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | rest /services/server/info | table splunk_server version server_roles | join splunk_server [| rest /servicesNS/nobody/search/configs/conf-server/ search="PythonSslClientConfig" | table splunk_server sslVerifyServerCert sslVerifyServerName] | join splunk_server [| rest /servicesNS/nobody/search/configs/conf-web/settings | table splunk_server serverCert sslVersions] | rename sslVerifyServerCert as "Server.conf:PythonSSLClientConfig:sslVerifyServerCert", sslVerifyServerName as "Server.conf:PythonSSLClientConfig:sslVerifyServerName", serverCert as "Web.conf:Settings:serverCert", sslVersions as "Web.conf:Settings:sslVersions" | `splunk_protocol_impersonation_weak_encryption_configuration_filter` - -[ESCU - Splunk protocol impersonation weak encryption selfsigned - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the use of Splunk's default self-signed certificates, which are flagged as insecure. It detects events from the `splunkd` log where the event message indicates that an X509 certificate should not be used. This activity is significant because using weak encryption and self-signed certificates can expose the system to man-in-the-middle attacks and other security vulnerabilities. If confirmed malicious, attackers could impersonate Splunk services, intercept sensitive data, and compromise the integrity of the Splunk environment. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization"], "mitre_attack": ["T1588.004"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies the use of Splunk's default self-signed certificates, which are flagged as insecure. It detects events from the `splunkd` log where the event message indicates that an X509 certificate should not be used. This activity is significant because using weak encryption and self-signed certificates can expose the system to man-in-the-middle attacks and other security vulnerabilities. If confirmed malicious, attackers could impersonate Splunk services, intercept sensitive data, and compromise the integrity of the Splunk environment. -action.escu.how_to_implement = Must upgrade to Splunk version 9 and Configure TLS in order to apply this search. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as "curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json". A user should then create an empty container or case, attach the workbook, and begin working through the tasks. -action.escu.known_false_positives = This searches finds self signed certificates issued by Splunk which are not recommended from Splunk version 9 forward. -action.escu.creation_date = 2024-05-21 -action.escu.modification_date = 2024-05-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Splunk protocol impersonation weak encryption selfsigned - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Splunk Vulnerabilities"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Splunk protocol impersonation weak encryption selfsigned - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 80, "cve": ["CVE-2022-32152"], "impact": 50, "kill_chain_phases": ["Weaponization"], "mitre_attack": ["T1588.004"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c76c7a2e-df49-414a-bb36-dce2683770de", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `splunkd` certificate event_message="X509 certificate* should not be used*" | stats count by host CN component log_level | `splunk_protocol_impersonation_weak_encryption_selfsigned_filter` - -[ESCU - Splunk protocol impersonation weak encryption simplerequest - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies instances where Splunk's Python3 client libraries fail to validate SSL certificates properly. It leverages logs from `splunk_python` to detect when "simpleRequest SSL certificate validation is enabled without hostname verification." This activity is significant because improper SSL certificate validation can expose the system to man-in-the-middle attacks, allowing attackers to intercept or alter data. If confirmed malicious, this vulnerability could lead to unauthorized access, data breaches, and potential system compromise. Upgrading to Splunk version 9 and configuring TLS hostname validation is recommended to mitigate this risk. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization"], "mitre_attack": ["T1588.004"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies instances where Splunk's Python3 client libraries fail to validate SSL certificates properly. It leverages logs from `splunk_python` to detect when "simpleRequest SSL certificate validation is enabled without hostname verification." This activity is significant because improper SSL certificate validation can expose the system to man-in-the-middle attacks, allowing attackers to intercept or alter data. If confirmed malicious, this vulnerability could lead to unauthorized access, data breaches, and potential system compromise. Upgrading to Splunk version 9 and configuring TLS hostname validation is recommended to mitigate this risk. -action.escu.how_to_implement = Must upgrade to Splunk version 9 and Configure TLS host name validation for Splunk Python modules in order to apply this search. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as "curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json". A user should then create an empty container or case, attach the workbook, and begin working through the tasks. -action.escu.known_false_positives = This search tries to address validation of server and client certificates within Splunk infrastructure, it might produce results from accidental or unintended requests to port 8089. -action.escu.creation_date = 2024-05-23 -action.escu.modification_date = 2024-05-23 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Splunk protocol impersonation weak encryption simplerequest - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Splunk Vulnerabilities"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Splunk protocol impersonation weak encryption simplerequest - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 80, "cve": ["CVE-2022-32152"], "impact": 50, "kill_chain_phases": ["Weaponization"], "mitre_attack": ["T1588.004"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "839d12a6-b119-4d44-ac4f-13eed95412c8", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `splunk_python` "simpleRequest SSL certificate validation is enabled without hostname verification" | stats count by host path | `splunk_protocol_impersonation_weak_encryption_simplerequest_filter` - -[ESCU - Splunk RBAC Bypass On Indexing Preview REST Endpoint - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies unauthorized attempts to use the /services/indexing/preview REST endpoint in Splunk. It detects POST requests to this endpoint by monitoring the _internal index for specific URI patterns. This activity is significant because it indicates a potential RBAC (Role-Based Access Control) bypass, allowing unauthorized users to overwrite search results if they know the search ID (SID) of an existing job. If confirmed malicious, this could lead to data manipulation, unauthorized access to sensitive information, and compromised integrity of search results. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies unauthorized attempts to use the /services/indexing/preview REST endpoint in Splunk. It detects POST requests to this endpoint by monitoring the _internal index for specific URI patterns. This activity is significant because it indicates a potential RBAC (Role-Based Access Control) bypass, allowing unauthorized users to overwrite search results if they know the search ID (SID) of an existing job. If confirmed malicious, this could lead to data manipulation, unauthorized access to sensitive information, and compromised integrity of search results. -action.escu.how_to_implement = This search does not require additional data ingestion. It requires the ability to search _internal index. -action.escu.known_false_positives = This is a hunting search which provides verbose results against this endpoint. Operator must consider things such as IP address, useragent and user(specially low privelege) and host to investigate possible attack. -action.escu.creation_date = 2024-05-15 -action.escu.modification_date = 2024-05-15 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Splunk RBAC Bypass On Indexing Preview REST Endpoint - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Splunk Vulnerabilities"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Splunk RBAC Bypass On Indexing Preview REST Endpoint - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "bbe26f95-1655-471d-8abd-3d32fafa86f8", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `splunkda` method="POST" uri="*/services/indexing/preview*" | table host clientip status useragent user uri_path | `splunk_rbac_bypass_on_indexing_preview_rest_endpoint_filter` - -[ESCU - Splunk RCE via Serialized Session Payload - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an attacker can execute a specially crafted query that they can then use to serialize untrusted data. The attacker can use the query to execute arbitrary code. The exploit requires the use of the 'collect' SPL command which writes a file within the Splunk Enterprise installation. The attacker can then use this file to submit a serialized payload that can result in execution of code within the payload. Please refer to the following URL for additional information on these disclosures - https://advisory.splunk.com -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an attacker can execute a specially crafted query that they can then use to serialize untrusted data. The attacker can use the query to execute arbitrary code. The exploit requires the use of the 'collect' SPL command which writes a file within the Splunk Enterprise installation. The attacker can then use this file to submit a serialized payload that can result in execution of code within the payload. Please refer to the following URL for additional information on these disclosures - https://advisory.splunk.com -action.escu.how_to_implement = Requires access to the _audit index. -action.escu.known_false_positives = There are numerous many uses of the 'makeresults' and 'collect' SPL commands. Please evaluate the results of this search for potential abuse. -action.escu.creation_date = 2023-10-02 -action.escu.modification_date = 2023-10-02 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Splunk RCE via Serialized Session Payload - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Splunk Internal Logs"] -action.escu.analytic_story = ["Splunk Vulnerabilities"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Splunk RCE via Serialized Session Payload - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2023-40595"], "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "d1d8fda6-874a-400f-82cf-dcbb59d8e4db", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `audit_searches` file=* (search="*makeresults*" AND search="*collect*") | stats count min(_time) as firstTime max(_time) as lastTime by action file user splunk_server search | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_rce_via_serialized_session_payload_filter` - -[ESCU - Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This hunting search provides information on possible exploitation attempts against Splunk Secure Gateway App Mobile Alerts feature in Splunk versions 9.0, 8.2.x, 8.1.x. An authenticated user can run arbitrary operating system commands remotely through the use of specially crafted requests to the mobile alerts feature in the Splunk Secure Gateway app. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1210"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This hunting search provides information on possible exploitation attempts against Splunk Secure Gateway App Mobile Alerts feature in Splunk versions 9.0, 8.2.x, 8.1.x. An authenticated user can run arbitrary operating system commands remotely through the use of specially crafted requests to the mobile alerts feature in the Splunk Secure Gateway app. -action.escu.how_to_implement = This search only applies if Splunk Mobile Gateway is deployed in the vulnerable Splunk versions. -action.escu.known_false_positives = This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. Focus of this search is "uri_path=/servicesNS/nobody/splunk_secure_gateway/storage/collections/data/mobile_alerts*" which is the injection point. -action.escu.creation_date = 2022-10-11 -action.escu.modification_date = 2022-10-11 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Splunk Vulnerabilities"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 90, "cve": ["CVE-2022-43567"], "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1210"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "baa41f09-df48-4375-8991-520beea161be", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `splunkda` uri_path="/servicesNS/nobody/splunk_secure_gateway/storage/collections/data/mobile_alerts*" sort="notification.created_at:-1" | table clientip file host method uri_query sort | `splunk_rce_via_splunk_secure_gateway__splunk_mobile_alerts_feature_filter` - -[ESCU - Splunk RCE via User XSLT - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies potential remote code execution (RCE) attempts via user-supplied Extensible Stylesheet Language Transformations (XSLT) in Splunk versions 9.1.x. It detects this activity by analyzing `splunkd_ui` logs for specific URI patterns and status codes indicative of XSLT injection attempts. This activity is significant because successful exploitation could allow an attacker to execute arbitrary code on the Splunk server. If confirmed malicious, this could lead to full system compromise, unauthorized data access, and further lateral movement within the network. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1210"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies potential remote code execution (RCE) attempts via user-supplied Extensible Stylesheet Language Transformations (XSLT) in Splunk versions 9.1.x. It detects this activity by analyzing `splunkd_ui` logs for specific URI patterns and status codes indicative of XSLT injection attempts. This activity is significant because successful exploitation could allow an attacker to execute arbitrary code on the Splunk server. If confirmed malicious, this could lead to full system compromise, unauthorized data access, and further lateral movement within the network. -action.escu.how_to_implement = This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. -action.escu.known_false_positives = This search will provide information for investigation and hunting possible abuse of user-supplied XSLT. There may be false positives and results should individually evaluated. Please evaluate the source IP and useragent responsible for creating the requests. -action.escu.creation_date = 2024-05-16 -action.escu.modification_date = 2024-05-16 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Splunk RCE via User XSLT - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Splunk Internal Logs"] -action.escu.analytic_story = ["Splunk Vulnerabilities"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Splunk RCE via User XSLT - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1210"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "6cb7e011-55fb-48e3-a98d-164fa854e37e", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `splunkd_ui` ((uri="*NO_BINARY_CHECK=1*" AND "*input.path=*.xsl*") OR uri="*dispatch*.xsl*") AND uri!= "*splunkd_ui*" | rex field=uri "(?=\s*([\S\s]+))" | eval decoded_field=urldecode(string) | eval action=case(match(status,"200"),"Allowed",match(status,"303|500|401|403|404|301|406"),"Blocked",1=1,"Unknown") | stats count min(_time) as firstTime max(_time) as lastTime by clientip useragent uri decoded_field action host | rename clientip as src, uri as dest_uri | iplocation src | fillnull value="N/A" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table firstTime, lastTime src, useragent, action, count, Country, Region, City, dest_uri, decoded_field - -[ESCU - Splunk Reflected XSS in the templates lists radio - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies potential reflected cross-site scripting (XSS) attempts in Splunk versions below 8.1.12, 8.2.9, and 9.0.2. It detects when a query parameter with `output_mode=radio` is used in a URI, leveraging `splunkd_webx` logs with status 200 and non-null URI queries. This activity is significant as it can indicate an attempt to exploit a known vulnerability, potentially allowing attackers to execute arbitrary JavaScript in the context of the user's browser. If confirmed malicious, this could lead to unauthorized actions, data theft, or further compromise of the affected Splunk instance. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies potential reflected cross-site scripting (XSS) attempts in Splunk versions below 8.1.12, 8.2.9, and 9.0.2. It detects when a query parameter with `output_mode=radio` is used in a URI, leveraging `splunkd_webx` logs with status 200 and non-null URI queries. This activity is significant as it can indicate an attempt to exploit a known vulnerability, potentially allowing attackers to execute arbitrary JavaScript in the context of the user's browser. If confirmed malicious, this could lead to unauthorized actions, data theft, or further compromise of the affected Splunk instance. -action.escu.how_to_implement = This vulnerability only affects instances with Splunk Web enabled. This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. -action.escu.known_false_positives = This search may produce false positives as it is difficult to pinpoint all possible XSS injection characters in a single search string. Special attention is required to "en-US/list/entities/x/ui/views" which is the vulnerable injection point. -action.escu.creation_date = 2024-05-23 -action.escu.modification_date = 2024-05-23 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Splunk Reflected XSS in the templates lists radio - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Splunk Internal Logs"] -action.escu.analytic_story = ["Splunk Vulnerabilities"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Splunk Reflected XSS in the templates lists radio - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2022-43568"], "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "d532d105-c63f-4049-a8c4-e249127ca425", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `splunkd_webx` user=admin status=200 uri=*/lists/entities/x/ui/views* uri_query!=null | stats count earliest(_time) as event_time values(status) as status values(clientip) as clientip by index, sourcetype, _time, host, user, uri | `splunk_reflected_xss_in_the_templates_lists_radio_filter` - -[ESCU - Splunk Reflected XSS on App Search Table Endpoint - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = In Splunk Enterprise versions below 9.1.1, 9.0.6, and 8.2.12, an attacker can craft a special web request that can result in reflected cross-site scripting XSS on the app search table web endpoint, which presents as the Create Table View page in Splunk Web. Exploitation of this vulnerability can lead to the execution of arbitrary commands on the Splunk platform instance. A JavaScript file within this web endpoint does not properly validate input which lets an attacker insert a payload into a function. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = In Splunk Enterprise versions below 9.1.1, 9.0.6, and 8.2.12, an attacker can craft a special web request that can result in reflected cross-site scripting XSS on the app search table web endpoint, which presents as the Create Table View page in Splunk Web. Exploitation of this vulnerability can lead to the execution of arbitrary commands on the Splunk platform instance. A JavaScript file within this web endpoint does not properly validate input which lets an attacker insert a payload into a function. -action.escu.how_to_implement = Need access to the internal indexes. -action.escu.known_false_positives = This search will produce false positives. It is necessary to also look at uri_query parameter to determine the possible malicious intention of inserting makeresults within the uri string. -action.escu.creation_date = 2023-09-05 -action.escu.modification_date = 2023-09-05 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Splunk Reflected XSS on App Search Table Endpoint - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Splunk Internal Logs"] -action.escu.analytic_story = ["Splunk Vulnerabilities"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Splunk Reflected XSS on App Search Table Endpoint - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 40, "impact": 30, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "182f9080-4137-4629-94ac-cb1083ac981a", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `splunkd_web` (dataset_commands="*makeresults*" AND dataset_commands="*count*" AND dataset_commands="*eval*" AND dataset_commands="*baseSPL*") | stats count min(_time) as firstTime max(_time) as lastTime by clientip status user view root uri_path | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `splunk_reflected_xss_on_app_search_table_endpoint_filter` - -[ESCU - Splunk risky Command Abuse disclosed february 2023 - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the execution of high-risk commands associated with various Splunk vulnerability disclosures. It leverages the Splunk_Audit.Search_Activity datamodel to detect ad-hoc searches by non-system users that match known risky commands. This activity is significant for a SOC as it may indicate attempts to exploit known vulnerabilities within Splunk, potentially leading to unauthorized access or data exfiltration. If confirmed malicious, this could allow attackers to execute arbitrary code, escalate privileges, or persist within the environment, posing a severe threat to the organization's security posture. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548", "T1202"], "nist": ["DE.AE"]} -action.escu.data_models = ["Splunk_Audit"] -action.escu.eli5 = The following analytic identifies the execution of high-risk commands associated with various Splunk vulnerability disclosures. It leverages the Splunk_Audit.Search_Activity datamodel to detect ad-hoc searches by non-system users that match known risky commands. This activity is significant for a SOC as it may indicate attempts to exploit known vulnerabilities within Splunk, potentially leading to unauthorized access or data exfiltration. If confirmed malicious, this could allow attackers to execute arbitrary code, escalate privileges, or persist within the environment, posing a severe threat to the organization's security posture. -action.escu.how_to_implement = Requires implementation of Splunk_Audit.Search_Activity datamodel. -action.escu.known_false_positives = This search encompasses many commands. -action.escu.creation_date = 2024-05-05 -action.escu.modification_date = 2024-05-05 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Splunk risky Command Abuse disclosed february 2023 - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Splunk Vulnerabilities"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Splunk risky Command Abuse disclosed february 2023 - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2023-22931", "CVE-2023-22934", "CVE-2023-22935", "CVE-2023-22936", "CVE-2023-22939", "CVE-2023-22940", "CVE-2023-40598", "CVE-2023-40598", "CVE-2023-46214", "CVE-2024-23676"], "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548", "T1202"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "ee69374a-d27e-4136-adac-956a96ff60fd", "detection_version": "3"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats fillnull_value="N/A" count min(_time) as firstTime max(_time) as lastTime from datamodel=Splunk_Audit.Search_Activity where Search_Activity.search_type=adhoc Search_Activity.user!=splunk-system-user by Search_Activity.search Search_Activity.info Search_Activity.total_run_time Search_Activity.user Search_Activity.search_type | `drop_dm_object_name(Search_Activity)` | lookup splunk_risky_command splunk_risky_command as search output splunk_risky_command description vulnerable_versions CVE other_metadata | where splunk_risky_command != "false" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_risky_command_abuse_disclosed_february_2023_filter` - -[ESCU - Splunk Stored XSS via Data Model objectName field - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = Splunk Enterprise versions 8.1.12, 8.2.9, 9.0.2 are vulnerable to persistent cross site scripting via Data Model object name. An authenticated user can inject and store arbitrary scripts that can lead to persistent cross-site scripting (XSS) in the object name Data Model. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = Splunk Enterprise versions 8.1.12, 8.2.9, 9.0.2 are vulnerable to persistent cross site scripting via Data Model object name. An authenticated user can inject and store arbitrary scripts that can lead to persistent cross-site scripting (XSS) in the object name Data Model. -action.escu.how_to_implement = This vulnerability only affects Splunk Web enabled instances. This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. -action.escu.known_false_positives = This search may produce false positives and does not cover exploitation attempts via code obfuscation, focus of search is suspicious requests against "/en-US/splunkd/__raw/servicesNS/*/launcher/datamodel/model" which is the injection point. -action.escu.creation_date = 2022-10-11 -action.escu.modification_date = 2022-10-11 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Splunk Stored XSS via Data Model objectName field - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Splunk Internal Logs"] -action.escu.analytic_story = ["Splunk Vulnerabilities"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Splunk Stored XSS via Data Model objectName field - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2022-43569"], "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "062bff76-5f9c-496e-a386-cb1adcf69871", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `splunkd_webx` uri=/en-US/splunkd/__raw/servicesNS/*/launcher/datamodel/model* uri_query!=null | stats count by _time host status clientip user uri | `splunk_stored_xss_via_data_model_objectname_field_filter` - -[ESCU - Splunk Unauthenticated Log Injection Web Service Log - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = An attacker can use a specially crafted web URL in their browser to cause log file injection, in which the attack inserts American National Standards Institute (ANSI) escape codes into specific files using a terminal program that supports those escape codes. The attack requires a terminal program that supports the translation of ANSI escape codes and requires additional user interaction to successfully execute. This following analytic detects potential log injection attempts into the Splunk server. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = An attacker can use a specially crafted web URL in their browser to cause log file injection, in which the attack inserts American National Standards Institute (ANSI) escape codes into specific files using a terminal program that supports those escape codes. The attack requires a terminal program that supports the translation of ANSI escape codes and requires additional user interaction to successfully execute. This following analytic detects potential log injection attempts into the Splunk server. -action.escu.how_to_implement = This only affects web enabled Splunk instances. The detection does require the ability to search the _internal index. -action.escu.known_false_positives = This hunting search will produce false positives if ANSI escape characters are included in URLs either voluntarily or by accident. This search will not detect obfuscated ANSI characters. -action.escu.creation_date = 2023-07-13 -action.escu.modification_date = 2023-07-13 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Splunk Unauthenticated Log Injection Web Service Log - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Splunk Internal Logs"] -action.escu.analytic_story = ["Splunk Vulnerabilities"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Splunk Unauthenticated Log Injection Web Service Log - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 30, "cve": ["CVE-2023-32712"], "impact": 30, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "de3908dc-1298-446d-84b9-fa81d37e959b", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `splunkd_webx` uri_path IN ("*\x1B*", "*\u001b*", "*\033*", "*\0x9*", "*\0x8*") | stats count by uri_path method host status clientip | `splunk_unauthenticated_log_injection_web_service_log_filter` - -[ESCU - Splunk unnecessary file extensions allowed by lookup table uploads - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the lookup table uploads let a user upload lookup tables with unnecessary filename extensions. Lookup table file extensions may now only be one of .csv, .csv.gz, .kmz, .kml, .mmdb, or .mmdb.gz. This search provides user activity focus on uploads which aims to help hunt for malicious file uploads. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the lookup table uploads let a user upload lookup tables with unnecessary filename extensions. Lookup table file extensions may now only be one of .csv, .csv.gz, .kmz, .kml, .mmdb, or .mmdb.gz. This search provides user activity focus on uploads which aims to help hunt for malicious file uploads. -action.escu.how_to_implement = Requires access to internal splunkd_access. -action.escu.known_false_positives = This is a hunting search, the search provides information on upload, edit, and delete activity on Lookup Tables. Manual investigation is necessary after executing search. This search will produce false positives as payload cannot be directly discerned. -action.escu.creation_date = 2023-02-14 -action.escu.modification_date = 2023-02-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Splunk unnecessary file extensions allowed by lookup table uploads - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Splunk Vulnerabilities"] -action.risk = 1 -action.risk.param._risk_message = Potential lookup template injection attempt from $user$ on lookup table at path $uri_path$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Splunk unnecessary file extensions allowed by lookup table uploads - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2023-22937"], "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "b7d1293f-e78f-415e-b5f6-443df3480082", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the lookup table uploads let a user upload lookup tables with unnecessary filename extensions. Lookup table file extensions may now only be one of .csv, .csv.gz, .kmz, .kml, .mmdb, or .mmdb.gz. This search provides user activity focus on uploads which aims to help hunt for malicious file uploads. -action.notable.param.rule_title = Splunk unnecessary file extensions allowed by lookup table uploads -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `splunkda` method IN ("POST", "DELETE") uri_path=/servicesNS/*/ui/views/* | eval activity = case( method=="POST" AND like( uri_path , "%/acl" ) , "Permissions Update", method=="POST" AND NOT like( uri_path , "%/acl" ) , "Edited" , method=="DELETE" , "Deleted" ) | rex field=uri_path "(?.*?)\/ui\/views/(?.*)" | eval dashboard = urldecode( dashboard_encoded ) | table _time, uri_path, user, dashboard, activity, uri_path | `splunk_unnecessary_file_extensions_allowed_by_lookup_table_uploads_filter` - -[ESCU - Splunk User Enumeration Attempt - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = On May 3rd, 2022, Splunk published a security advisory for username enumeration stemming from verbose login failure messages present on some REST endpoints. This detection will alert on attempted exploitation in patched versions of Splunk as well as actual exploitation in unpatched version of Splunk. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = On May 3rd, 2022, Splunk published a security advisory for username enumeration stemming from verbose login failure messages present on some REST endpoints. This detection will alert on attempted exploitation in patched versions of Splunk as well as actual exploitation in unpatched version of Splunk. -action.escu.how_to_implement = This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. This detection may assist in efforts to find password spraying or brute force authorization attempts in addition to someone enumerating usernames. -action.escu.known_false_positives = Automation executing authentication attempts against your Splunk infrastructure with outdated credentials may cause false positives. -action.escu.creation_date = 2024-03-19 -action.escu.modification_date = 2024-03-19 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Splunk User Enumeration Attempt - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Splunk Internal Logs"] -action.escu.analytic_story = ["Splunk Vulnerabilities"] -action.risk = 1 -action.risk.param._risk_message = $TotalFailedAuths$ failed authentication events to Splunk from $src$ detected. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 40}, {"threat_object_field": "src", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Splunk User Enumeration Attempt - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 80, "cve": ["CVE-2021-33845"], "impact": 50, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "25625cb4-1c4d-4463-b0f9-7cb462699cde", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = On May 3rd, 2022, Splunk published a security advisory for username enumeration stemming from verbose login failure messages present on some REST endpoints. This detection will alert on attempted exploitation in patched versions of Splunk as well as actual exploitation in unpatched version of Splunk. -action.notable.param.rule_title = Splunk User Enumeration Attempt -action.notable.param.security_domain = access -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `splunkd_failed_auths` | stats count(user) as auths by user, src | where auths>5 | stats values(user) as user, sum(auths) as TotalFailedAuths by src | `splunk_user_enumeration_attempt_filter` - -[ESCU - Splunk XSS in Highlighted JSON Events - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This detection provides information about possible exploitation against affected versions of Splunk Enterprise 9.1.2. The ability to view JSON logs in the web GUI may be abused by crafting a specific request, causing the execution of javascript in script tags. This vulnerability can be used to execute javascript to access the API at the permission level of the logged-in user. If user is admin it can be used to create an admin user, giving an attacker broad access to the Splunk Environment. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This detection provides information about possible exploitation against affected versions of Splunk Enterprise 9.1.2. The ability to view JSON logs in the web GUI may be abused by crafting a specific request, causing the execution of javascript in script tags. This vulnerability can be used to execute javascript to access the API at the permission level of the logged-in user. If user is admin it can be used to create an admin user, giving an attacker broad access to the Splunk Environment. -action.escu.how_to_implement = This search only applies to web-GUI-enabled Splunk instances and operator must have access to internal indexes. -action.escu.known_false_positives = This is a hunting search and will produce false positives as it is not possible to view contents of a request payload. It shows the artifact resulting from a potential exploitation payload (the creation of a user with admin privileges). -action.escu.creation_date = 2023-11-16 -action.escu.modification_date = 2023-11-16 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Splunk XSS in Highlighted JSON Events - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Splunk Internal Logs"] -action.escu.analytic_story = ["Splunk Vulnerabilities"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Splunk XSS in Highlighted JSON Events - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "1030bc63-0b37-4ac9-9ae0-9361c955a3cc", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `splunkd_ui` "/en-US/splunkd/__raw/servicesNS/nobody/search/authentication/users" status=201 | stats count min(_time) as firstTime max(_time) as lastTime by clientip, uri_path, method | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_xss_in_highlighted_json_events_filter` - -[ESCU - Splunk XSS in Monitoring Console - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. On May 3rd, 2022, Splunk published a security advisory for a reflective Cross-Site Scripting (XSS) vulnerability stemming from the lack of input validation in the Distributed Monitoring Console app. This detection will alert on attempted exploitation in patched versions of Splunk as well as actual exploitation in unpatched version of Splunk. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = On May 3rd, 2022, Splunk published a security advisory for a reflective Cross-Site Scripting (XSS) vulnerability stemming from the lack of input validation in the Distributed Monitoring Console app. This detection will alert on attempted exploitation in patched versions of Splunk as well as actual exploitation in unpatched version of Splunk. -action.escu.how_to_implement = This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. This detection will find attempted exploitation of CVE-2022-27183. -action.escu.known_false_positives = Use of the monitoring console where the less-than sign (<) is the first character in the description field. -action.escu.creation_date = 2022-04-27 -action.escu.modification_date = 2022-04-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Splunk XSS in Monitoring Console - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Splunk Internal Logs"] -action.escu.analytic_story = ["Splunk Vulnerabilities"] -action.risk = 1 -action.risk.param._risk_message = A potential XSS attempt has been detected from $user$ -action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "system", "risk_score": 40}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Splunk XSS in Monitoring Console - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 80, "cve": ["CVE-2022-27183"], "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "b11accac-6fa3-4103-8a1a-7210f1a67087", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = On May 3rd, 2022, Splunk published a security advisory for a reflective Cross-Site Scripting (XSS) vulnerability stemming from the lack of input validation in the Distributed Monitoring Console app. This detection will alert on attempted exploitation in patched versions of Splunk as well as actual exploitation in unpatched version of Splunk. -action.notable.param.rule_title = Splunk XSS in Monitoring Console -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `splunkd_web` method="GET" uri_query="description=%3C*" | table _time host status clientip user uri | `splunk_xss_in_monitoring_console_filter` - -[ESCU - Splunk XSS in Save table dialog header in search page - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This is a hunting search to find persistent cross-site scripting XSS code that was included while inputing data in 'Save Table' dialog in Splunk Enterprise (8.1.12,8.2.9,9.0.2). A remote user with "power" Splunk role can store this code that can lead to persistent cross site scripting. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This is a hunting search to find persistent cross-site scripting XSS code that was included while inputing data in 'Save Table' dialog in Splunk Enterprise (8.1.12,8.2.9,9.0.2). A remote user with "power" Splunk role can store this code that can lead to persistent cross site scripting. -action.escu.how_to_implement = Watch for POST requests combined with XSS script strings or obfuscation against the injection point /en-US/splunkd/__raw/servicesNS/nobody/search/datamodel/model. -action.escu.known_false_positives = If host is vulnerable and XSS script strings are inputted they will show up in search. Not all Post requests are malicious as they will show when users create and save dashboards. This search may produce several results with non malicious POST requests. Only affects Splunk Web enabled instances. -action.escu.creation_date = 2022-10-11 -action.escu.modification_date = 2022-10-11 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Splunk XSS in Save table dialog header in search page - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Splunk Internal Logs"] -action.escu.analytic_story = ["Splunk Vulnerabilities"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Splunk XSS in Save table dialog header in search page - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2022-43561"], "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a974d1ee-ddca-4837-b6ad-d55a8a239c20", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `splunkd_webx` method=POST uri=/en-US/splunkd/__raw/servicesNS/nobody/search/datamodel/model | table _time host status clientip user uri | `splunk_xss_in_save_table_dialog_header_in_search_page_filter` - -[ESCU - Splunk XSS via View - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, a View allows for Cross-Site Scripting in an XML View through the 'layoutPanel' attribute in the 'module' tag. The vulnerability affects instances with Splunk Web enabled. This hunting search shows users action, application and role used for creating views related to this vulnerability. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, a View allows for Cross-Site Scripting in an XML View through the 'layoutPanel' attribute in the 'module' tag. The vulnerability affects instances with Splunk Web enabled. This hunting search shows users action, application and role used for creating views related to this vulnerability. -action.escu.how_to_implement = This data is collected by default in Splunk. Upon first enabling this rule, a number of errors may be observed. Those that are due to improperly formatted, but non-nefarious, XML views should be be remedied in the corresponding view. Please take care investigating potential XSS as accessing an affected page could retrigger the exploit. -action.escu.known_false_positives = The error detected above can be generated for a wide variety of improperly formatted XML views. There will be false positives as the search cannot extract the malicious payload and the view should be manually investigated. -action.escu.creation_date = 2023-02-07 -action.escu.modification_date = 2023-02-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Splunk XSS via View - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Splunk Vulnerabilities"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Splunk XSS via View - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2023-22933"], "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "9ac2bfea-a234-4a18-9d37-6d747e85c2e4", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = index = _internal sourcetype IN ("splunk_web_service", "splunk_python") message="*loadParams*" | `security_content_ctime(_time)` | table _time message fileName | `splunk_xss_via_view_filter` - -[ESCU - Suspicious Email Attachment Extensions - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic detects emails that contain attachments with suspicious file extensions. Detecting and responding to emails with suspicious attachments can mitigate the risks associated with phishing and malware attacks, thereby protecting the organization's data and systems from potential harm. The detection is made by using a Splunk query that searches for emails in the datamodel=Email where the filename of the attachment is not empty. The analytic uses the tstats command to summarize the count, first time, and last time of the emails that meet the criteria. It groups the results by the source user, file name, and message ID of the email. The detection is important because it indicates potential phishing or malware delivery attempts in which an attacker attempts to deliver malicious content through email attachments, which can lead to data breaches, malware infections, or unauthorized access to sensitive information. Next steps include reviewing the identified emails and attachments and analyzing the source user, file name, and message ID to determine if they are legitimate or malicious. Additionally, you must inspect any relevant on-disk artifacts associated with the attachments and investigate any concurrent processes to identify the source of the attack. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"]} -action.escu.data_models = ["Email"] -action.escu.eli5 = The following analytic detects emails that contain attachments with suspicious file extensions. Detecting and responding to emails with suspicious attachments can mitigate the risks associated with phishing and malware attacks, thereby protecting the organization's data and systems from potential harm. The detection is made by using a Splunk query that searches for emails in the datamodel=Email where the filename of the attachment is not empty. The analytic uses the tstats command to summarize the count, first time, and last time of the emails that meet the criteria. It groups the results by the source user, file name, and message ID of the email. The detection is important because it indicates potential phishing or malware delivery attempts in which an attacker attempts to deliver malicious content through email attachments, which can lead to data breaches, malware infections, or unauthorized access to sensitive information. Next steps include reviewing the identified emails and attachments and analyzing the source user, file name, and message ID to determine if they are legitimate or malicious. Additionally, you must inspect any relevant on-disk artifacts associated with the attachments and investigate any concurrent processes to identify the source of the attack. -action.escu.how_to_implement = You need to ingest data from emails. Specifically, the sender's address and the file names of any attachments must be mapped to the Email data model. \ -**Splunk Phantom Playbook Integration** \ -If Splunk Phantom is also configured in your environment, a Playbook called "Suspicious Email Attachment Investigate and Delete" can be configured to run when any results are found by this detection search. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`, and add the correct hostname to the "Phantom Instance" field in the Adaptive Response Actions when configuring this detection search. The notable event will be sent to Phantom and the playbook will gather further information about the file attachment and its network behaviors. If Phantom finds malicious behavior and an analyst approves of the results, the email will be deleted from the user's inbox.' -action.escu.known_false_positives = None identified -action.escu.creation_date = 2023-04-14 -action.escu.modification_date = 2023-04-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Suspicious Email Attachment Extensions - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Data Destruction", "Emotet Malware DHS Report TA18-201A", "Hermetic Wiper", "Suspicious Emails"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Suspicious Email Attachment Extensions - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Emotet Malware DHS Report TA18-201A", "Hermetic Wiper", "Suspicious Emails"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "473bd65f-06ca-4dfe-a2b8-ba04ab4a0084", "detection_version": "3"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Email where All_Email.file_name="*" by All_Email.src_user, All_Email.file_name All_Email.message_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name("All_Email")` | `suspicious_email_attachments` | `suspicious_email_attachment_extensions_filter` - -[ESCU - Suspicious Java Classes - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies suspicious Java classes often used for remote command execution exploits in Java frameworks like Apache Struts. It detects this activity by analyzing HTTP POST requests with specific content patterns using Splunk's `stream_http` data source. This behavior is significant because it may indicate an attempt to exploit vulnerabilities in web applications, potentially leading to unauthorized remote code execution. If confirmed malicious, this activity could allow attackers to execute arbitrary commands on the server, leading to data breaches, system compromise, and further network infiltration. -action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies suspicious Java classes often used for remote command execution exploits in Java frameworks like Apache Struts. It detects this activity by analyzing HTTP POST requests with specific content patterns using Splunk's `stream_http` data source. This behavior is significant because it may indicate an attempt to exploit vulnerabilities in web applications, potentially leading to unauthorized remote code execution. If confirmed malicious, this activity could allow attackers to execute arbitrary commands on the server, leading to data breaches, system compromise, and further network infiltration. -action.escu.how_to_implement = In order to properly run this search, Splunk needs to ingest data from your web-traffic appliances that serve or sit in the path of your Struts application servers. This can be accomplished by indexing data from a web proxy, or by using network traffic-analysis tools, such as Splunk Stream or Bro. -action.escu.known_false_positives = There are no known false positives. -action.escu.creation_date = 2024-05-19 -action.escu.modification_date = 2024-05-19 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Suspicious Java Classes - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Apache Struts Vulnerability"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Suspicious Java Classes - Rule -action.correlationsearch.annotations = {"analytic_story": ["Apache Struts Vulnerability"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "6ed33786-5e87-4f55-b62c-cb5f1168b831", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `stream_http` http_method=POST http_content_length>1 | regex form_data="(?i)java\.lang\.(?:runtime|processbuilder)" | rename src_ip as src | stats count earliest(_time) as firstTime, latest(_time) as lastTime, values(url) as uri, values(status) as status, values(http_user_agent) as http_user_agent by src, dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_java_classes_filter` - -[ESCU - Web Servers Executing Suspicious Processes - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic detects suspicious processes on systems labeled as web servers. This detection is made by a Splunk query that searches for specific process names that might indicate malicious activity. These suspicious processes include "whoami", "ping", "iptables", "wget", "service", and "curl". Uses the Splunk data model "Endpoint.Processes" and filters the results to only include systems categorized as web servers. This detection is important because it indicates unauthorized or malicious activity on web servers since these processes are commonly used by attackers to perform reconnaissance, establish persistence, or exfiltrate data from compromised systems. The impact of such an attack can be significant, ranging from data theft to the deployment of additional malicious payloads, potentially leading to ransomware or other damaging outcomes. False positives might occur since the legitimate use of these processes on web servers can trigger the analytic. Next steps include triaging and investigating to determine the legitimacy of the activity. Also, review the source and command of the suspicious process. You must also examine any relevant on-disk artifacts and look for concurrent processes to identify the source of the attack. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1082"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects suspicious processes on systems labeled as web servers. This detection is made by a Splunk query that searches for specific process names that might indicate malicious activity. These suspicious processes include "whoami", "ping", "iptables", "wget", "service", and "curl". Uses the Splunk data model "Endpoint.Processes" and filters the results to only include systems categorized as web servers. This detection is important because it indicates unauthorized or malicious activity on web servers since these processes are commonly used by attackers to perform reconnaissance, establish persistence, or exfiltrate data from compromised systems. The impact of such an attack can be significant, ranging from data theft to the deployment of additional malicious payloads, potentially leading to ransomware or other damaging outcomes. False positives might occur since the legitimate use of these processes on web servers can trigger the analytic. Next steps include triaging and investigating to determine the legitimacy of the activity. Also, review the source and command of the suspicious process. You must also examine any relevant on-disk artifacts and look for concurrent processes to identify the source of the attack. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Some of these processes may be used legitimately on web servers during maintenance or other administrative tasks. -action.escu.creation_date = 2019-04-01 -action.escu.modification_date = 2019-04-01 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Web Servers Executing Suspicious Processes - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Apache Struts Vulnerability"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Web Servers Executing Suspicious Processes - Rule -action.correlationsearch.annotations = {"analytic_story": ["Apache Struts Vulnerability"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1082"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "ec3b7601-689a-4463-94e0-c9f45638efb9", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects suspicious processes on systems labeled as web servers. This detection is made by a Splunk query that searches for specific process names that might indicate malicious activity. These suspicious processes include "whoami", "ping", "iptables", "wget", "service", and "curl". Uses the Splunk data model "Endpoint.Processes" and filters the results to only include systems categorized as web servers. This detection is important because it indicates unauthorized or malicious activity on web servers since these processes are commonly used by attackers to perform reconnaissance, establish persistence, or exfiltrate data from compromised systems. The impact of such an attack can be significant, ranging from data theft to the deployment of additional malicious payloads, potentially leading to ransomware or other damaging outcomes. False positives might occur since the legitimate use of these processes on web servers can trigger the analytic. Next steps include triaging and investigating to determine the legitimacy of the activity. Also, review the source and command of the suspicious process. You must also examine any relevant on-disk artifacts and look for concurrent processes to identify the source of the attack. -action.notable.param.rule_title = Web Servers Executing Suspicious Processes -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.dest_category="web_server" AND (Processes.process="*whoami*" OR Processes.process="*ping*" OR Processes.process="*iptables*" OR Processes.process="*wget*" OR Processes.process="*service*" OR Processes.process="*curl*") by Processes.process Processes.process_name, Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `web_servers_executing_suspicious_processes_filter` - -[ESCU - Abnormally High Number Of Cloud Infrastructure API Calls - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic detects a spike in the number of API calls made to your cloud infrastructure by a user. It leverages cloud infrastructure logs and compares the current API call volume against a baseline probability density function to identify anomalies. This activity is significant because an unusual increase in API calls can indicate potential misuse or compromise of cloud resources. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or disruption of cloud services, posing a significant risk to the organization's cloud environment. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"]} -action.escu.data_models = ["Change"] -action.escu.eli5 = The following analytic detects a spike in the number of API calls made to your cloud infrastructure by a user. It leverages cloud infrastructure logs and compares the current API call volume against a baseline probability density function to identify anomalies. This activity is significant because an unusual increase in API calls can indicate potential misuse or compromise of cloud resources. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or disruption of cloud services, posing a significant risk to the organization's cloud environment. -action.escu.how_to_implement = You must be ingesting your cloud infrastructure logs. You also must run the baseline search `Baseline Of Cloud Infrastructure API Calls Per User` to create the probability density function. -action.escu.known_false_positives = None. -action.escu.creation_date = 2024-05-12 -action.escu.modification_date = 2024-05-12 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Abnormally High Number Of Cloud Infrastructure API Calls - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Compromised User Account", "Suspicious Cloud User Activities"] -action.risk = 1 -action.risk.param._risk_message = user $user$ has made $api_calls$ api calls, violating the dynamic threshold of $expected_upper_threshold$ with the following command $command$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 15}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Abnormally High Number Of Cloud Infrastructure API Calls - Rule -action.correlationsearch.annotations = {"analytic_story": ["Compromised User Account", "Suspicious Cloud User Activities"], "cis20": ["CIS 13"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "0840ddf1-8c89-46ff-b730-c8d6722478c0", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats count as api_calls values(All_Changes.command) as command from datamodel=Change where All_Changes.user!=unknown All_Changes.status=success by All_Changes.user _time span=1h | `drop_dm_object_name("All_Changes")` | eval HourOfDay=strftime(_time, "%H") | eval HourOfDay=floor(HourOfDay/4)*4 | eval DayOfWeek=strftime(_time, "%w") | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) | join user HourOfDay isWeekend [ summary cloud_excessive_api_calls_v1] | where cardinality >=16 | apply cloud_excessive_api_calls_v1 threshold=0.005 | rename "IsOutlier(api_calls)" as isOutlier | where isOutlier=1 | eval expected_upper_threshold = mvindex(split(mvindex(BoundaryRanges, -1), ":"), 0) | where api_calls > expected_upper_threshold | eval distance_from_threshold = api_calls - expected_upper_threshold | table _time, user, command, api_calls, expected_upper_threshold, distance_from_threshold | `abnormally_high_number_of_cloud_infrastructure_api_calls_filter` - -[ESCU - Abnormally High Number Of Cloud Instances Destroyed - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search finds for the number successfully destroyed cloud instances for every 4 hour block. This is split up between weekdays and the weekend. It then applies the probability densitiy model previously created and alerts on any outliers. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"]} -action.escu.data_models = ["Change"] -action.escu.eli5 = This search finds for the number successfully destroyed cloud instances for every 4 hour block. This is split up between weekdays and the weekend. It then applies the probability densitiy model previously created and alerts on any outliers. -action.escu.how_to_implement = You must be ingesting your cloud infrastructure logs. You also must run the baseline search `Baseline Of Cloud Instances Destroyed` to create the probability density function. -action.escu.known_false_positives = Many service accounts configured within a cloud infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify if this search alerted on a human user. -action.escu.creation_date = 2020-08-21 -action.escu.modification_date = 2020-08-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Abnormally High Number Of Cloud Instances Destroyed - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Suspicious Cloud Instance Activities"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Abnormally High Number Of Cloud Instances Destroyed - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious Cloud Instance Activities"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "ef629fc9-1583-4590-b62a-f2247fbf7bbf", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats count as instances_destroyed values(All_Changes.object_id) as object_id from datamodel=Change where All_Changes.action=deleted AND All_Changes.status=success AND All_Changes.object_category=instance by All_Changes.user _time span=1h | `drop_dm_object_name("All_Changes")` | eval HourOfDay=strftime(_time, "%H") | eval HourOfDay=floor(HourOfDay/4)*4 | eval DayOfWeek=strftime(_time, "%w") | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) | join HourOfDay isWeekend [summary cloud_excessive_instances_destroyed_v1] | where cardinality >=16 | apply cloud_excessive_instances_destroyed_v1 threshold=0.005 | rename "IsOutlier(instances_destroyed)" as isOutlier | where isOutlier=1 | eval expected_upper_threshold = mvindex(split(mvindex(BoundaryRanges, -1), ":"), 0) | eval distance_from_threshold = instances_destroyed - expected_upper_threshold | table _time, user, instances_destroyed, expected_upper_threshold, distance_from_threshold, object_id | `abnormally_high_number_of_cloud_instances_destroyed_filter` - -[ESCU - Abnormally High Number Of Cloud Instances Launched - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search finds for the number successfully created cloud instances for every 4 hour block. This is split up between weekdays and the weekend. It then applies the probability densitiy model previously created and alerts on any outliers. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"]} -action.escu.data_models = ["Change"] -action.escu.eli5 = This search finds for the number successfully created cloud instances for every 4 hour block. This is split up between weekdays and the weekend. It then applies the probability densitiy model previously created and alerts on any outliers. -action.escu.how_to_implement = You must be ingesting your cloud infrastructure logs. You also must run the baseline search `Baseline Of Cloud Instances Launched` to create the probability density function. -action.escu.known_false_positives = Many service accounts configured within an AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify if this search alerted on a human user. -action.escu.creation_date = 2020-08-21 -action.escu.modification_date = 2020-08-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Abnormally High Number Of Cloud Instances Launched - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Cloud Cryptomining", "Suspicious Cloud Instance Activities"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Abnormally High Number Of Cloud Instances Launched - Rule -action.correlationsearch.annotations = {"analytic_story": ["Cloud Cryptomining", "Suspicious Cloud Instance Activities"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "f2361e9f-3928-496c-a556-120cd4223a65", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats count as instances_launched values(All_Changes.object_id) as object_id from datamodel=Change where (All_Changes.action=created) AND All_Changes.status=success AND All_Changes.object_category=instance by All_Changes.user _time span=1h | `drop_dm_object_name("All_Changes")` | eval HourOfDay=strftime(_time, "%H") | eval HourOfDay=floor(HourOfDay/4)*4 | eval DayOfWeek=strftime(_time, "%w") | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) | join HourOfDay isWeekend [summary cloud_excessive_instances_created_v1] | where cardinality >=16 | apply cloud_excessive_instances_created_v1 threshold=0.005 | rename "IsOutlier(instances_launched)" as isOutlier | where isOutlier=1 | eval expected_upper_threshold = mvindex(split(mvindex(BoundaryRanges, -1), ":"), 0) | eval distance_from_threshold = instances_launched - expected_upper_threshold | table _time, user, instances_launched, expected_upper_threshold, distance_from_threshold, object_id | `abnormally_high_number_of_cloud_instances_launched_filter` - -[ESCU - Abnormally High Number Of Cloud Security Group API Calls - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic detects a spike in the number of API calls made to cloud security groups by a user. It leverages data from the Change data model, focusing on successful firewall-related changes. This activity is significant because an abnormal increase in security group API calls can indicate potential malicious activity, such as unauthorized access or configuration changes. If confirmed malicious, this could allow an attacker to manipulate security group settings, potentially exposing sensitive resources or disrupting network security controls. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"]} -action.escu.data_models = ["Change"] -action.escu.eli5 = The following analytic detects a spike in the number of API calls made to cloud security groups by a user. It leverages data from the Change data model, focusing on successful firewall-related changes. This activity is significant because an abnormal increase in security group API calls can indicate potential malicious activity, such as unauthorized access or configuration changes. If confirmed malicious, this could allow an attacker to manipulate security group settings, potentially exposing sensitive resources or disrupting network security controls. -action.escu.how_to_implement = You must be ingesting your cloud infrastructure logs. You also must run the baseline search `Baseline Of Cloud Security Group API Calls Per User` to create the probability density function model. -action.escu.known_false_positives = None. -action.escu.creation_date = 2024-05-22 -action.escu.modification_date = 2024-05-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Abnormally High Number Of Cloud Security Group API Calls - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Suspicious Cloud User Activities"] -action.risk = 1 -action.risk.param._risk_message = user $user$ has made $api_calls$ api calls related to security groups, violating the dynamic threshold of $expected_upper_threshold$ with the following command $command$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 15}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Abnormally High Number Of Cloud Security Group API Calls - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious Cloud User Activities"], "cis20": ["CIS 13"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "d4dfb7f3-7a37-498a-b5df-f19334e871af", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats count as security_group_api_calls values(All_Changes.command) as command from datamodel=Change where All_Changes.object_category=firewall AND All_Changes.status=success by All_Changes.user _time span=1h | `drop_dm_object_name("All_Changes")` | eval HourOfDay=strftime(_time, "%H") | eval HourOfDay=floor(HourOfDay/4)*4 | eval DayOfWeek=strftime(_time, "%w") | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) | join user HourOfDay isWeekend [ summary cloud_excessive_security_group_api_calls_v1] | where cardinality >=16 | apply cloud_excessive_security_group_api_calls_v1 threshold=0.005 | rename "IsOutlier(security_group_api_calls)" as isOutlier | where isOutlier=1 | eval expected_upper_threshold = mvindex(split(mvindex(BoundaryRanges, -1), ":"), 0) | where security_group_api_calls > expected_upper_threshold | eval distance_from_threshold = security_group_api_calls - expected_upper_threshold | table _time, user, command, security_group_api_calls, expected_upper_threshold, distance_from_threshold | `abnormally_high_number_of_cloud_security_group_api_calls_filter` - -[ESCU - Amazon EKS Kubernetes cluster scan detection - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic detects unauthenticated requests to an Amazon EKS Kubernetes cluster, specifically identifying actions by the "system:anonymous" user. It leverages AWS CloudWatch Logs data, focusing on user agents and authentication details. This activity is significant as it may indicate unauthorized scanning or probing of the Kubernetes cluster, which could be a precursor to an attack. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or disruption of services within the Kubernetes environment. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects unauthenticated requests to an Amazon EKS Kubernetes cluster, specifically identifying actions by the "system:anonymous" user. It leverages AWS CloudWatch Logs data, focusing on user agents and authentication details. This activity is significant as it may indicate unauthorized scanning or probing of the Kubernetes cluster, which could be a precursor to an attack. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or disruption of services within the Kubernetes environment. -action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudWatch EKS Logs inputs. -action.escu.known_false_positives = Not all unauthenticated requests are malicious, but frequency, UA and source IPs will provide context. -action.escu.creation_date = 2024-05-15 -action.escu.modification_date = 2024-05-15 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Amazon EKS Kubernetes cluster scan detection - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Kubernetes Scanning Activity"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Amazon EKS Kubernetes cluster scan detection - Rule -action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Scanning Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "294c4686-63dd-4fe6-93a2-ca807626704a", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `aws_cloudwatchlogs_eks` "user.username"="system:anonymous" userAgent!="AWS Security Scanner" | rename sourceIPs{} as src_ip | stats count min(_time) as firstTime max(_time) as lastTime values(responseStatus.reason) values(source) as cluster_name values(responseStatus.code) values(userAgent) as http_user_agent values(verb) values(requestURI) by src_ip user.username user.groups{} | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` |`amazon_eks_kubernetes_cluster_scan_detection_filter` - -[ESCU - Amazon EKS Kubernetes Pod scan detection - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic detects unauthenticated requests made against the Kubernetes' Pods API through proactive monitoring to protect the Kubernetes environment from unauthorized access and potential security breaches. The detection is made by using the Splunk query `aws_cloudwatchlogs_eks` with specific filters to identify these requests. Identifies events where the `user.username` is set to "system:anonymous", the `verb` is set to "list", and the `objectRef.resource` is set to "pods". Additionally, the search checks if the `requestURI` is equal to "/api/v1/pods". Analyzing these events helps you to identify any unauthorized access attempts to the Kubernetes' Pods API. Unauthenticated requests can indicate potential security breaches or unauthorized access to sensitive resources within the Kubernetes environment. The detection is important because unauthorized access to Kubernetes' Pods API can lead to the compromise of sensitive data, unauthorized execution of commands, or even the potential for lateral movement within the Kubernetes cluster. False positives might occur since there might be legitimate use cases for unauthenticated requests in certain scenarios. Therefore, you must review and validate any detected events before taking any action. Next steps include investigating the incident to mitigate any ongoing threats, and strengthening the security measures to prevent future unauthorized access attempts. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects unauthenticated requests made against the Kubernetes' Pods API through proactive monitoring to protect the Kubernetes environment from unauthorized access and potential security breaches. The detection is made by using the Splunk query `aws_cloudwatchlogs_eks` with specific filters to identify these requests. Identifies events where the `user.username` is set to "system:anonymous", the `verb` is set to "list", and the `objectRef.resource` is set to "pods". Additionally, the search checks if the `requestURI` is equal to "/api/v1/pods". Analyzing these events helps you to identify any unauthorized access attempts to the Kubernetes' Pods API. Unauthenticated requests can indicate potential security breaches or unauthorized access to sensitive resources within the Kubernetes environment. The detection is important because unauthorized access to Kubernetes' Pods API can lead to the compromise of sensitive data, unauthorized execution of commands, or even the potential for lateral movement within the Kubernetes cluster. False positives might occur since there might be legitimate use cases for unauthenticated requests in certain scenarios. Therefore, you must review and validate any detected events before taking any action. Next steps include investigating the incident to mitigate any ongoing threats, and strengthening the security measures to prevent future unauthorized access attempts. -action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on forAWS (version 4.4.0 or later), then configure your AWS CloudWatch EKS Logs.Please also customize the `kubernetes_pods_aws_scan_fingerprint_detection` macro to filter out the false positives. -action.escu.known_false_positives = Not all unauthenticated requests are malicious, but frequency, UA and source IPs and direct request to API provide context. -action.escu.creation_date = 2020-04-15 -action.escu.modification_date = 2020-04-15 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Amazon EKS Kubernetes Pod scan detection - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Kubernetes Scanning Activity"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Amazon EKS Kubernetes Pod scan detection - Rule -action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Scanning Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "dbfca1dd-b8e5-4ba4-be0e-e565e5d62002", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `aws_cloudwatchlogs_eks` "user.username"="system:anonymous" verb=list objectRef.resource=pods requestURI="/api/v1/pods" | rename source as cluster_name sourceIPs{} as src_ip | stats count min(_time) as firstTime max(_time) as lastTime values(responseStatus.reason) values(responseStatus.code) values(userAgent) values(verb) values(requestURI) by src_ip cluster_name user.username user.groups{} | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `amazon_eks_kubernetes_pod_scan_detection_filter` - -[ESCU - ASL AWS Concurrent Sessions From Different Ips - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies an AWS IAM account with concurrent sessions coming from more than one unique IP address within the span of 5 minutes. This behavior could represent a session hijacking attack whereby an adversary has extracted cookies from a victims browser and is using them from a different location to access corporate online resources. When a user navigates the AWS Console after authentication, the API call with the event name `DescribeEventAggregates` is registered in the AWS CloudTrail logs. The Splunk Threat Research team leveraged this event name to identify 2 concurrent sessions. The presence of this event occurring from two different IP addresses is highly unlikely. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1185"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies an AWS IAM account with concurrent sessions coming from more than one unique IP address within the span of 5 minutes. This behavior could represent a session hijacking attack whereby an adversary has extracted cookies from a victims browser and is using them from a different location to access corporate online resources. When a user navigates the AWS Console after authentication, the API call with the event name `DescribeEventAggregates` is registered in the AWS CloudTrail logs. The Splunk Threat Research team leveraged this event name to identify 2 concurrent sessions. The presence of this event occurring from two different IP addresses is highly unlikely. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments. -action.escu.how_to_implement = The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. -action.escu.known_false_positives = A user with concurrent sessions from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment. -action.escu.creation_date = 2024-02-13 -action.escu.modification_date = 2024-02-13 -action.escu.confidence = high -action.escu.full_search_name = ESCU - ASL AWS Concurrent Sessions From Different Ips - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Security Lake"] -action.escu.analytic_story = ["AWS Identity and Access Management Account Takeover", "Compromised User Account"] -action.risk = 1 -action.risk.param._risk_message = User $user$ has concurrent sessions from more than one unique IP address in the span of 5 minutes. -action.risk.param._risk = [{"threat_object_field": "src_ip", "threat_object_type": "ip_address"}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 42}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - ASL AWS Concurrent Sessions From Different Ips - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Identity and Access Management Account Takeover", "Compromised User Account"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1185"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "b3424bbe-3204-4469-887b-ec144483a336", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `amazon_security_lake` api.operation=DescribeEventAggregates "http_request.user_agent"!="AWS Internal" "src_endpoint.domain"!="health.amazonaws.com" | eval time = time/pow(10,3) | `security_content_ctime(time)` | bin span=5m time | stats values(src_endpoint.ip) as src_ip dc(src_endpoint.ip) as distinct_ip_count values(cloud.region) as cloud.region by time api.operation actor.user.account_uid actor.user.uid | where distinct_ip_count > 1 | rename cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id, actor.user.uid as user | `aws_concurrent_sessions_from_different_ips_filter` - -[ESCU - ASL AWS Defense Evasion Delete Cloudtrail - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the deletion of AWS CloudTrail logs, a critical event that could indicate an adversary's attempt to evade detection. By identifying `DeleteTrail` events within CloudTrail logs, this analytic helps in uncovering efforts to impair defense mechanisms by preventing the logging of malicious activities. Such actions allow adversaries to operate undetected within a compromised AWS environment. Recognizing these deletion events is crucial for a Security Operations Center (SOC) as it signals a potential compromise and the attacker's intent to hide their tracks, making it a significant threat to the integrity and security of cloud environments. The impact of this attack is substantial, as it can lead to a complete loss of visibility into the activities within the environment, hindering incident response and forensics efforts. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects the deletion of AWS CloudTrail logs, a critical event that could indicate an adversary's attempt to evade detection. By identifying `DeleteTrail` events within CloudTrail logs, this analytic helps in uncovering efforts to impair defense mechanisms by preventing the logging of malicious activities. Such actions allow adversaries to operate undetected within a compromised AWS environment. Recognizing these deletion events is crucial for a Security Operations Center (SOC) as it signals a potential compromise and the attacker's intent to hide their tracks, making it a significant threat to the integrity and security of cloud environments. The impact of this attack is substantial, as it can lead to a complete loss of visibility into the activities within the environment, hindering incident response and forensics efforts. -action.escu.how_to_implement = The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. -action.escu.known_false_positives = While this search has no known false positives, it is possible that an AWS admin has stopped cloudTrail logging. Please investigate this activity. -action.escu.creation_date = 2024-02-12 -action.escu.modification_date = 2024-02-12 -action.escu.confidence = high -action.escu.full_search_name = ESCU - ASL AWS Defense Evasion Delete Cloudtrail - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Security Lake"] -action.escu.analytic_story = ["AWS Defense Evasion"] -action.risk = 1 -action.risk.param._risk_message = User $user$ has deleted a CloudTrail logging for account id $aws_account_id$ -action.risk.param._risk = [{"threat_object_field": "src_ip", "threat_object_type": "ip_address"}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 90}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - ASL AWS Defense Evasion Delete Cloudtrail - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Defense Evasion"], "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "1f0b47e5-0134-43eb-851c-e3258638945e", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the deletion of AWS CloudTrail logs, a critical event that could indicate an adversary's attempt to evade detection. By identifying `DeleteTrail` events within CloudTrail logs, this analytic helps in uncovering efforts to impair defense mechanisms by preventing the logging of malicious activities. Such actions allow adversaries to operate undetected within a compromised AWS environment. Recognizing these deletion events is crucial for a Security Operations Center (SOC) as it signals a potential compromise and the attacker's intent to hide their tracks, making it a significant threat to the integrity and security of cloud environments. The impact of this attack is substantial, as it can lead to a complete loss of visibility into the activities within the environment, hindering incident response and forensics efforts. -action.notable.param.rule_title = ASL AWS Defense Evasion Delete Cloudtrail -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `amazon_security_lake` api.operation=DeleteTrail | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `asl_aws_defense_evasion_delete_cloudtrail_filter` - -[ESCU - ASL AWS Defense Evasion Delete CloudWatch Log Group - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the deletion of CloudWatch Log Groups within AWS CloudTrail logs. This action is indicative of an attacker's attempt to evade detection by disrupting the logging and monitoring capabilities of CloudWatch. By identifying and analyzing `DeleteLogGroup` events, this analytic helps in uncovering efforts to obscure malicious activities within a compromised AWS environment. Such evasion tactics are critical for a Security Operations Center (SOC) to identify as they signal an attacker's intent to operate undetected, posing a significant threat to the integrity and security of cloud environments. The impact of this attack is substantial, as it can lead to a loss of visibility into potentially malicious activities, hindering incident response and forensics efforts. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562", "T1562.008"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects the deletion of CloudWatch Log Groups within AWS CloudTrail logs. This action is indicative of an attacker's attempt to evade detection by disrupting the logging and monitoring capabilities of CloudWatch. By identifying and analyzing `DeleteLogGroup` events, this analytic helps in uncovering efforts to obscure malicious activities within a compromised AWS environment. Such evasion tactics are critical for a Security Operations Center (SOC) to identify as they signal an attacker's intent to operate undetected, posing a significant threat to the integrity and security of cloud environments. The impact of this attack is substantial, as it can lead to a loss of visibility into potentially malicious activities, hindering incident response and forensics efforts. -action.escu.how_to_implement = The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. -action.escu.known_false_positives = While this search has no known false positives, it is possible that an AWS admin has deleted CloudWatch logging. Please investigate this activity. -action.escu.creation_date = 2024-02-12 -action.escu.modification_date = 2024-02-12 -action.escu.confidence = high -action.escu.full_search_name = ESCU - ASL AWS Defense Evasion Delete CloudWatch Log Group - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Security Lake"] -action.escu.analytic_story = ["AWS Defense Evasion"] -action.risk = 1 -action.risk.param._risk_message = User $user$ has deleted a CloudWatch logging group for account id $aws_account_id$ -action.risk.param._risk = [{"threat_object_field": "src_ip", "threat_object_type": "ip_address"}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 90}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - ASL AWS Defense Evasion Delete CloudWatch Log Group - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Defense Evasion"], "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562", "T1562.008"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "0f701b38-a0fb-43fd-a83d-d12265f71f33", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the deletion of CloudWatch Log Groups within AWS CloudTrail logs. This action is indicative of an attacker's attempt to evade detection by disrupting the logging and monitoring capabilities of CloudWatch. By identifying and analyzing `DeleteLogGroup` events, this analytic helps in uncovering efforts to obscure malicious activities within a compromised AWS environment. Such evasion tactics are critical for a Security Operations Center (SOC) to identify as they signal an attacker's intent to operate undetected, posing a significant threat to the integrity and security of cloud environments. The impact of this attack is substantial, as it can lead to a loss of visibility into potentially malicious activities, hindering incident response and forensics efforts. -action.notable.param.rule_title = ASL AWS Defense Evasion Delete CloudWatch Log Group -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `amazon_security_lake` api.operation=DeleteLogGroup | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter` - -[ESCU - ASL AWS Defense Evasion Impair Security Services - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the deletion of critical AWS Security Services configurations through specific API calls to services like CloudWatch, GuardDuty, and Web Application Firewalls. By monitoring for these deletion actions, the analytic aims to identify attempts by adversaries to undermine security defenses, such as erasing logging configurations or removing detection mechanisms. This behavior is crucial for a Security Operations Center (SOC) to identify as it can indicate an attacker's intent to operate undetected by eliminating evidence of their presence and activities. The impact of such attacks is significant, potentially leaving the environment vulnerable to further exploitation without any traceable logs or alerts. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.AE"]} -action.escu.data_models = ["Web"] -action.escu.eli5 = The following analytic detects the deletion of critical AWS Security Services configurations through specific API calls to services like CloudWatch, GuardDuty, and Web Application Firewalls. By monitoring for these deletion actions, the analytic aims to identify attempts by adversaries to undermine security defenses, such as erasing logging configurations or removing detection mechanisms. This behavior is crucial for a Security Operations Center (SOC) to identify as it can indicate an attacker's intent to operate undetected by eliminating evidence of their presence and activities. The impact of such attacks is significant, potentially leaving the environment vulnerable to further exploitation without any traceable logs or alerts. -action.escu.how_to_implement = The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. -action.escu.known_false_positives = While this search has no known false positives, it is possible that it is a legitimate admin activity. Please consider filtering out these noisy events using userAgent, user_arn field names. -action.escu.creation_date = 2024-02-12 -action.escu.modification_date = 2024-02-12 -action.escu.confidence = high -action.escu.full_search_name = ESCU - ASL AWS Defense Evasion Impair Security Services - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Security Lake"] -action.escu.analytic_story = ["AWS Defense Evasion"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - ASL AWS Defense Evasion Impair Security Services - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Defense Evasion"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "5029b681-0462-47b7-82e7-f7e3d37f5a2d", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `amazon_security_lake` api.operation IN ("DeleteLogStream","DeleteDetector","DeleteIPSet","DeleteWebACL","DeleteRule","DeleteRuleGroup","DeleteLoggingConfiguration","DeleteAlarms") | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_impair_security_services_filter` - -[ESCU - ASL AWS Defense Evasion Stop Logging Cloudtrail - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects `StopLogging` events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker's actions. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects `StopLogging` events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker's actions. -action.escu.how_to_implement = The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. -action.escu.known_false_positives = While this search has no known false positives, it is possible that an AWS admin has stopped cloudtrail logging. Please investigate this activity. -action.escu.creation_date = 2024-02-12 -action.escu.modification_date = 2024-02-12 -action.escu.confidence = high -action.escu.full_search_name = ESCU - ASL AWS Defense Evasion Stop Logging Cloudtrail - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Security Lake"] -action.escu.analytic_story = ["AWS Defense Evasion"] -action.risk = 1 -action.risk.param._risk_message = User $user$ has stopped Cloudtrail logging for account id $aws_account_id$ from IP $src_ip$ -action.risk.param._risk = [{"threat_object_field": "src_ip", "threat_object_type": "ip_address"}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 90}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - ASL AWS Defense Evasion Stop Logging Cloudtrail - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Defense Evasion"], "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "0b78a8f9-1d31-4d23-85c8-56ad13d5b4c1", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects `StopLogging` events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker's actions. -action.notable.param.rule_title = ASL AWS Defense Evasion Stop Logging Cloudtrail -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `amazon_security_lake` api.operation=StopLogging | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_stop_logging_cloudtrail_filter` - -[ESCU - ASL AWS Defense Evasion Update Cloudtrail - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects `UpdateTrail` events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary's intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562", "T1562.008"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects `UpdateTrail` events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary's intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations. -action.escu.how_to_implement = The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. -action.escu.known_false_positives = While this search has no known false positives, it is possible that an AWS admin has updated cloudtrail logging. Please investigate this activity. -action.escu.creation_date = 2024-02-12 -action.escu.modification_date = 2024-02-12 -action.escu.confidence = high -action.escu.full_search_name = ESCU - ASL AWS Defense Evasion Update Cloudtrail - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Security Lake"] -action.escu.analytic_story = ["AWS Defense Evasion"] -action.risk = 1 -action.risk.param._risk_message = User $user$ has updated a cloudtrail logging for account id $aws_account_id$ from IP $src_ip$ -action.risk.param._risk = [{"threat_object_field": "src_ip", "threat_object_type": "ip_address"}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 90}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - ASL AWS Defense Evasion Update Cloudtrail - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Defense Evasion"], "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562", "T1562.008"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "f3eb471c-16d0-404d-897c-7653f0a78cba", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects `UpdateTrail` events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary's intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations. -action.notable.param.rule_title = ASL AWS Defense Evasion Update Cloudtrail -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `amazon_security_lake` api.operation=UpdateTrail | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_update_cloudtrail_filter` - -[ESCU - ASL AWS ECR Container Upload Outside Business Hours - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the upload of new containers to AWS Elastic Container Service (ECR) outside of standard business hours through AWS CloudTrail events. It identifies this behavior by monitoring for `PutImage` events occurring before 8 AM or after 8 PM, as well as any uploads on weekends. This activity is significant for a SOC to investigate as it may indicate unauthorized access or malicious deployments, potentially leading to compromised services or data breaches. Identifying and addressing such uploads promptly can mitigate the risk of security incidents and their associated impacts. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects the upload of new containers to AWS Elastic Container Service (ECR) outside of standard business hours through AWS CloudTrail events. It identifies this behavior by monitoring for `PutImage` events occurring before 8 AM or after 8 PM, as well as any uploads on weekends. This activity is significant for a SOC to investigate as it may indicate unauthorized access or malicious deployments, potentially leading to compromised services or data breaches. Identifying and addressing such uploads promptly can mitigate the risk of security incidents and their associated impacts. -action.escu.how_to_implement = The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. -action.escu.known_false_positives = When your development is spreaded in different time zones, applying this rule can be difficult. -action.escu.creation_date = 2024-02-14 -action.escu.modification_date = 2024-02-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - ASL AWS ECR Container Upload Outside Business Hours - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Security Lake"] -action.escu.analytic_story = ["Dev Sec Ops"] -action.risk = 1 -action.risk.param._risk_message = Container uploaded outside business hours from $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - ASL AWS ECR Container Upload Outside Business Hours - Rule -action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "739ed682-27e9-4ba0-80e5-a91b97698213", "detection_version": "3"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `amazon_security_lake` api.operation=PutImage | eval hour=strftime(time/pow(10,3), "%H"), weekday=strftime(time/pow(10,3), "%A") | where hour >= 20 OR hour < 8 OR weekday=Saturday OR weekday=Sunday | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.name actor.user.uid http_request.user_agent cloud.region | rename actor.user.name as user, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_ecr_container_upload_outside_business_hours_filter` - -[ESCU - ASL AWS ECR Container Upload Unknown User - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects unauthorized container uploads to AWS Elastic Container Service (ECR) by monitoring AWS CloudTrail events. It identifies instances where a new container is uploaded by a user not previously recognized as authorized. This detection is crucial for a SOC as it can indicate a potential compromise or misuse of AWS ECR, which could lead to unauthorized access to sensitive data or the deployment of malicious containers. By identifying and investigating these events, organizations can mitigate the risk of data breaches or other security incidents resulting from unauthorized container uploads. The impact of such an attack could be significant, compromising the integrity and security of the organization's cloud environment. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects unauthorized container uploads to AWS Elastic Container Service (ECR) by monitoring AWS CloudTrail events. It identifies instances where a new container is uploaded by a user not previously recognized as authorized. This detection is crucial for a SOC as it can indicate a potential compromise or misuse of AWS ECR, which could lead to unauthorized access to sensitive data or the deployment of malicious containers. By identifying and investigating these events, organizations can mitigate the risk of data breaches or other security incidents resulting from unauthorized container uploads. The impact of such an attack could be significant, compromising the integrity and security of the organization's cloud environment. -action.escu.how_to_implement = The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2024-02-14 -action.escu.modification_date = 2024-02-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - ASL AWS ECR Container Upload Unknown User - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Security Lake"] -action.escu.analytic_story = ["Dev Sec Ops"] -action.risk = 1 -action.risk.param._risk_message = Container uploaded from unknown user $user$ -action.risk.param._risk = [{"threat_object_field": "src_ip", "threat_object_type": "ip_address"}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - ASL AWS ECR Container Upload Unknown User - Rule -action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "886a8f46-d7e2-4439-b9ba-aec238e31732", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `amazon_security_lake` api.operation=PutImage NOT `aws_ecr_users_asl` | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.name actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.name as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_ecr_container_upload_unknown_user_filter` - -[ESCU - ASL AWS IAM Delete Policy - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the deletion of an AWS policy, a critical action that could indicate an attempt to alter permissions or reduce security controls. By monitoring AWS logs for `DeletePolicy` events, this analytic identifies both successful and attempted deletions, providing insights into potentially malicious activities. Identifying such behavior is crucial for a Security Operations Center (SOC) as it may signal an adversary's effort to escalate privileges or evade detection. The impact of unauthorized policy deletion is significant, potentially leading to compromised accounts or data exposure. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects the deletion of an AWS policy, a critical action that could indicate an attempt to alter permissions or reduce security controls. By monitoring AWS logs for `DeletePolicy` events, this analytic identifies both successful and attempted deletions, providing insights into potentially malicious activities. Identifying such behavior is crucial for a Security Operations Center (SOC) as it may signal an adversary's effort to escalate privileges or evade detection. The impact of unauthorized policy deletion is significant, potentially leading to compromised accounts or data exposure. -action.escu.how_to_implement = The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. -action.escu.known_false_positives = This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete policies (least privilege). In addition, this may be saved seperately and tuned for failed or success attempts only. -action.escu.creation_date = 2024-02-13 -action.escu.modification_date = 2024-02-13 -action.escu.confidence = high -action.escu.full_search_name = ESCU - ASL AWS IAM Delete Policy - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Security Lake"] -action.escu.analytic_story = ["AWS IAM Privilege Escalation"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - ASL AWS IAM Delete Policy - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS IAM Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "609ced68-d420-4ff7-8164-ae98b4b4018c", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `amazon_security_lake` api.operation=DeletePolicy | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.name actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.name as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_delete_policy_filter` - -[ESCU - ASL AWS IAM Failure Group Deletion - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects failed attempts to delete AWS IAM groups, triggered by access denial, conflicts, or non-existent groups. It operates by monitoring CloudTrail logs for specific error codes related to deletion failures. This behavior is significant for a SOC as it may indicate unauthorized attempts to modify access controls or disrupt operations by removing groups. Such actions could be part of a larger attack aiming to escalate privileges or impair security protocols. Identifying these attempts allows for timely investigation and mitigation, preventing potential impact on the organizations security posture. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects failed attempts to delete AWS IAM groups, triggered by access denial, conflicts, or non-existent groups. It operates by monitoring CloudTrail logs for specific error codes related to deletion failures. This behavior is significant for a SOC as it may indicate unauthorized attempts to modify access controls or disrupt operations by removing groups. Such actions could be part of a larger attack aiming to escalate privileges or impair security protocols. Identifying these attempts allows for timely investigation and mitigation, preventing potential impact on the organizations security posture. -action.escu.how_to_implement = The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. -action.escu.known_false_positives = This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete groups (least privilege). -action.escu.creation_date = 2024-02-14 -action.escu.modification_date = 2024-02-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - ASL AWS IAM Failure Group Deletion - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Security Lake"] -action.escu.analytic_story = ["AWS IAM Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = User $user$ has had mulitple failures while attempting to delete groups from $src_ip$ -action.risk.param._risk = [{"threat_object_field": "src_ip", "threat_object_type": "ip_address"}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 5}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - ASL AWS IAM Failure Group Deletion - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS IAM Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 10, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "8d12f268-c567-4557-9813-f8389e235c06", "detection_version": "3"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `amazon_security_lake` api.operation=DeleteGroup api.response.error IN (NoSuchEntityException,DeleteConflictException, AccessDenied) http_request.user_agent!=*.amazonaws.com | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.name actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.name as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_failure_group_deletion_filter` - -[ESCU - ASL AWS IAM Successful Group Deletion - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the successful deletion of a group within AWS IAM, leveraging CloudTrail IAM events. This action, while not inherently malicious, can serve as a precursor to more sinister activities, such as unauthorized access or privilege escalation attempts. By monitoring for such deletions, the analytic aids in identifying potential preparatory steps towards an attack, allowing for early detection and mitigation. The identification of this behavior is crucial for a SOC to prevent the potential impact of an attack, which could include unauthorized access to sensitive resources or disruption of AWS environment operations. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1069.003", "T1098", "T1069"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects the successful deletion of a group within AWS IAM, leveraging CloudTrail IAM events. This action, while not inherently malicious, can serve as a precursor to more sinister activities, such as unauthorized access or privilege escalation attempts. By monitoring for such deletions, the analytic aids in identifying potential preparatory steps towards an attack, allowing for early detection and mitigation. The identification of this behavior is crucial for a SOC to prevent the potential impact of an attack, which could include unauthorized access to sensitive resources or disruption of AWS environment operations. -action.escu.how_to_implement = You must install the Data Lake Federated Analytics App and ingest the logs into Splunk. -action.escu.known_false_positives = This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete groups (least privilege). -action.escu.creation_date = 2024-02-14 -action.escu.modification_date = 2024-02-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - ASL AWS IAM Successful Group Deletion - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Security Lake"] -action.escu.analytic_story = ["AWS IAM Privilege Escalation"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - ASL AWS IAM Successful Group Deletion - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS IAM Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 10, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1069.003", "T1098", "T1069"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "1bbe54f1-93d7-4764-8a01-ddaa12ece7ac", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `amazon_security_lake` api.operation=DeleteGroup status=Success | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.name actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.name as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_successful_group_deletion_filter` - -[ESCU - ASL AWS Multi-Factor Authentication Disabled - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects when multi-factor authentication (MFA) is disabled for an AWS IAM user. It operates by monitoring for specific API calls that deactivate MFA, signaling a potential unauthorized attempt to weaken account security. This behavior is critical for a Security Operations Center (SOC) to identify, as disabling MFA removes a significant barrier against unauthorized access, making accounts more vulnerable to compromise. The impact of such an attack is substantial, as it allows adversaries to maintain access within the environment with less risk of detection, facilitating further malicious activities. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1621", "T1556", "T1556.006"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects when multi-factor authentication (MFA) is disabled for an AWS IAM user. It operates by monitoring for specific API calls that deactivate MFA, signaling a potential unauthorized attempt to weaken account security. This behavior is critical for a Security Operations Center (SOC) to identify, as disabling MFA removes a significant barrier against unauthorized access, making accounts more vulnerable to compromise. The impact of such an attack is substantial, as it allows adversaries to maintain access within the environment with less risk of detection, facilitating further malicious activities. -action.escu.how_to_implement = The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. -action.escu.known_false_positives = AWS Administrators may disable MFA but it is highly unlikely for this event to occur without prior notice to the company -action.escu.creation_date = 2024-02-13 -action.escu.modification_date = 2024-02-13 -action.escu.confidence = high -action.escu.full_search_name = ESCU - ASL AWS Multi-Factor Authentication Disabled - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Security Lake"] -action.escu.analytic_story = ["AWS Identity and Access Management Account Takeover"] -action.risk = 1 -action.risk.param._risk_message = User $user$ has disabled Multi-Factor authentication for AWS account $aws_account_id$ -action.risk.param._risk = [{"threat_object_field": "src_ip", "threat_object_type": "ip_address"}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - ASL AWS Multi-Factor Authentication Disabled - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1621", "T1556", "T1556.006"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "4d2df5e0-1092-4817-88a8-79c7fa054668", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects when multi-factor authentication (MFA) is disabled for an AWS IAM user. It operates by monitoring for specific API calls that deactivate MFA, signaling a potential unauthorized attempt to weaken account security. This behavior is critical for a Security Operations Center (SOC) to identify, as disabling MFA removes a significant barrier against unauthorized access, making accounts more vulnerable to compromise. The impact of such an attack is substantial, as it allows adversaries to maintain access within the environment with less risk of detection, facilitating further malicious activities. -action.notable.param.rule_title = ASL AWS Multi-Factor Authentication Disabled -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `amazon_security_lake` (api.operation=DeleteVirtualMFADevice OR api.operation=DeactivateMFADevice) | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_multi_factor_authentication_disabled_filter` - -[ESCU - ASL AWS New MFA Method Registered For User - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic detects when a new Multi-Factor Authentication (MFA) method is registered for an AWS account, as logged through Amazon Security Lake (ASL). This behavior is detected by monitoring ASL logs for specific API calls associated with MFA registration. Identifying this activity is crucial for a Security Operations Center (SOC) because unauthorized registration of a new MFA method can indicate an adversary's attempt to establish or maintain access to a compromised account. The impact of such an attack is significant as it can enable persistent access for the attacker, potentially leading to further compromise and exploitation of cloud resources. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1556", "T1556.006"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects when a new Multi-Factor Authentication (MFA) method is registered for an AWS account, as logged through Amazon Security Lake (ASL). This behavior is detected by monitoring ASL logs for specific API calls associated with MFA registration. Identifying this activity is crucial for a Security Operations Center (SOC) because unauthorized registration of a new MFA method can indicate an adversary's attempt to establish or maintain access to a compromised account. The impact of such an attack is significant as it can enable persistent access for the attacker, potentially leading to further compromise and exploitation of cloud resources. -action.escu.how_to_implement = The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. -action.escu.known_false_positives = Newly onboarded users who are registering an MFA method for the first time will also trigger this detection. -action.escu.creation_date = 2024-02-13 -action.escu.modification_date = 2024-02-13 -action.escu.confidence = high -action.escu.full_search_name = ESCU - ASL AWS New MFA Method Registered For User - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Security Lake"] -action.escu.analytic_story = ["AWS Identity and Access Management Account Takeover"] -action.risk = 1 -action.risk.param._risk_message = A new virtual device is added to user $user$ -action.risk.param._risk = [{"threat_object_field": "src_ip", "threat_object_type": "ip_address"}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - ASL AWS New MFA Method Registered For User - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1556", "T1556.006"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "33ae0931-2a03-456b-b1d7-b016c5557fbd", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects when a new Multi-Factor Authentication (MFA) method is registered for an AWS account, as logged through Amazon Security Lake (ASL). This behavior is detected by monitoring ASL logs for specific API calls associated with MFA registration. Identifying this activity is crucial for a Security Operations Center (SOC) because unauthorized registration of a new MFA method can indicate an adversary's attempt to establish or maintain access to a compromised account. The impact of such an attack is significant as it can enable persistent access for the attacker, potentially leading to further compromise and exploitation of cloud resources. -action.notable.param.rule_title = ASL AWS New MFA Method Registered For User -action.notable.param.security_domain = identity -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `amazon_security_lake` api.operation=CreateVirtualMFADevice | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.name actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.name as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_new_mfa_method_registered_for_user_filter` - -[ESCU - AWS AMI Attribute Modification for Exfiltration - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search looks for suspicious AWS AMI attribute modifications, such as sharing it with another AWS account or making the full AMI image public. Adversaries are known to abuse these APIs to exfiltrate sensitive organization information stored in the AWS Resources, there by its very important to monitor these seemingly benign API activity in Cloudtrail logs. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1537"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This search looks for suspicious AWS AMI attribute modifications, such as sharing it with another AWS account or making the full AMI image public. Adversaries are known to abuse these APIs to exfiltrate sensitive organization information stored in the AWS Resources, there by its very important to monitor these seemingly benign API activity in Cloudtrail logs. -action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -action.escu.known_false_positives = It is possible that an AWS admin has legitimately shared a snapshot with others for a specific purpose. -action.escu.creation_date = 2023-03-31 -action.escu.modification_date = 2023-03-31 -action.escu.confidence = high -action.escu.full_search_name = ESCU - AWS AMI Attribute Modification for Exfiltration - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["Data Exfiltration", "Suspicious Cloud Instance Activities"] -action.risk = 1 -action.risk.param._risk_message = AWS AMI from account $aws_account_id$ is shared externally with $accounts_added$ from $src_ip$ or AMI made is made Public. -action.risk.param._risk = [{"risk_object_field": "user_arn", "risk_object_type": "other", "risk_score": 80}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}, {"risk_object_field": "aws_account_id", "risk_object_type": "other", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - AWS AMI Attribute Modification for Exfiltration - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Exfiltration", "Suspicious Cloud Instance Activities"], "cis20": ["CIS 10"], "confidence": 80, "impact": 100, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1537"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "f2132d74-cf81-4c5e-8799-ab069e67dc9f", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search looks for suspicious AWS AMI attribute modifications, such as sharing it with another AWS account or making the full AMI image public. Adversaries are known to abuse these APIs to exfiltrate sensitive organization information stored in the AWS Resources, there by its very important to monitor these seemingly benign API activity in Cloudtrail logs. -action.notable.param.rule_title = AWS AMI Attribute Modification for Exfiltration -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` eventName=ModifyImageAttribute (requestParameters.launchPermission.add.items{}.userId = * OR requestParameters.launchPermission.add.items{}.group = all) | rename requestParameters.launchPermission.add.items{}.group as group_added | rename requestParameters.launchPermission.add.items{}.userId as accounts_added | eval ami_status=if(match(group_added,"all") ,"Public AMI", "Not Public") | stats count min(_time) as firstTime max(_time) as lastTime values(group_added) values(accounts_added) as accounts_added values(ami_status) by src_ip region eventName userAgent user_arn aws_account_id userIdentity.principalId | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `aws_ami_attribute_modification_for_exfiltration_filter` - -[ESCU - AWS Concurrent Sessions From Different Ips - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies an AWS IAM account with concurrent sessions coming from more than one unique IP address within the span of 5 minutes. This behavior could represent a session hijacking attack whereby an adversary has extracted cookies from a victims browser and is using them from a different location to access corporate online resources. When a user navigates the AWS Console after authentication, the API call with the event name `DescribeEventAggregates` is registered in the AWS CloudTrail logs. The Splunk Threat Research team leveraged this event name to identify 2 concurrent sessions. The presence of this event occurring from two different IP addresses is highly unlikely. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1185"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies an AWS IAM account with concurrent sessions coming from more than one unique IP address within the span of 5 minutes. This behavior could represent a session hijacking attack whereby an adversary has extracted cookies from a victims browser and is using them from a different location to access corporate online resources. When a user navigates the AWS Console after authentication, the API call with the event name `DescribeEventAggregates` is registered in the AWS CloudTrail logs. The Splunk Threat Research team leveraged this event name to identify 2 concurrent sessions. The presence of this event occurring from two different IP addresses is highly unlikely. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments. -action.escu.how_to_implement = You must install Splunk AWS Add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -action.escu.known_false_positives = A user with concurrent sessions from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment. -action.escu.creation_date = 2023-02-01 -action.escu.modification_date = 2023-02-01 -action.escu.confidence = high -action.escu.full_search_name = ESCU - AWS Concurrent Sessions From Different Ips - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["AWS Identity and Access Management Account Takeover", "Compromised User Account"] -action.risk = 1 -action.risk.param._risk_message = User $user_arn$ has concurrent sessions from more than one unique IP address $src_ip$ in the span of 5 minutes. -action.risk.param._risk = [{"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 42}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - AWS Concurrent Sessions From Different Ips - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Identity and Access Management Account Takeover", "Compromised User Account"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1185"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "51c04fdb-2746-465a-b86e-b413a09c9085", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies an AWS IAM account with concurrent sessions coming from more than one unique IP address within the span of 5 minutes. This behavior could represent a session hijacking attack whereby an adversary has extracted cookies from a victims browser and is using them from a different location to access corporate online resources. When a user navigates the AWS Console after authentication, the API call with the event name `DescribeEventAggregates` is registered in the AWS CloudTrail logs. The Splunk Threat Research team leveraged this event name to identify 2 concurrent sessions. The presence of this event occurring from two different IP addresses is highly unlikely. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments. -action.notable.param.rule_title = AWS Concurrent Sessions From Different Ips -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` eventName = DescribeEventAggregates src_ip!="AWS Internal" | bin span=5m _time | stats values(userAgent) values(eventName) values(src_ip) as src_ip dc(src_ip) as distinct_ip_count by _time user_arn | where distinct_ip_count > 1 | `aws_concurrent_sessions_from_different_ips_filter` - -[ESCU - AWS Console Login Failed During MFA Challenge - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies an authentication attempt event against an AWS Console that fails during the Multi Factor Authentication challenge. AWS Cloudtrail logs provide a a very useful field called `additionalEventData` that logs information regarding usage of MFA. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1621"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies an authentication attempt event against an AWS Console that fails during the Multi Factor Authentication challenge. AWS Cloudtrail logs provide a a very useful field called `additionalEventData` that logs information regarding usage of MFA. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled. -action.escu.how_to_implement = The Splunk AWS Add-on is required to utilize this data. The search requires AWS CloudTrail logs. -action.escu.known_false_positives = Legitimate users may miss to reply the MFA challenge within the time window or deny it by mistake. -action.escu.creation_date = 2022-10-03 -action.escu.modification_date = 2022-10-03 -action.escu.confidence = high -action.escu.full_search_name = ESCU - AWS Console Login Failed During MFA Challenge - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["AWS Identity and Access Management Account Takeover", "Compromised User Account"] -action.risk = 1 -action.risk.param._risk_message = User $user_name$ failed to pass MFA challenge while logging into console from $src$ -action.risk.param._risk = [{"risk_object_field": "user_name", "risk_object_type": "user", "risk_score": 64}, {"threat_object_field": "src", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - AWS Console Login Failed During MFA Challenge - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Identity and Access Management Account Takeover", "Compromised User Account"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1621"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "55349868-5583-466f-98ab-d3beb321961e", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies an authentication attempt event against an AWS Console that fails during the Multi Factor Authentication challenge. AWS Cloudtrail logs provide a a very useful field called `additionalEventData` that logs information regarding usage of MFA. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled. -action.notable.param.rule_title = AWS Console Login Failed During MFA Challenge -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` eventName= ConsoleLogin errorMessage="Failed authentication" additionalEventData.MFAUsed = "Yes" | stats count min(_time) as firstTime max(_time) as lastTime by src eventName eventSource aws_account_id errorCode errorMessage userAgent eventID awsRegion user_name userIdentity.arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `aws_console_login_failed_during_mfa_challenge_filter` - -[ESCU - AWS Create Policy Version to allow all resources - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. -action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -action.escu.known_false_positives = While this search has no known false positives, it is possible that an AWS admin has legitimately created a policy to allow a user to access all resources. That said, AWS strongly advises against granting full control to all AWS resources and you must verify this activity. -action.escu.creation_date = 2024-04-16 -action.escu.modification_date = 2024-04-16 -action.escu.confidence = high -action.escu.full_search_name = ESCU - AWS Create Policy Version to allow all resources - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["AWS IAM Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = User $user$ created a policy version that allows them to access any resource in their account. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - AWS Create Policy Version to allow all resources - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS IAM Privilege Escalation"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "2a9b80d3-6340-4345-b5ad-212bf3d0dac4", "detection_version": "4"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. -action.notable.param.rule_title = AWS Create Policy Version to allow all resources -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` eventName=CreatePolicyVersion eventSource = iam.amazonaws.com errorCode = success | spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} | mvexpand key_policy_statements | spath input=key_policy_statements output=key_policy_action_1 path=Action | where key_policy_action_1 = "*" | stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|`aws_create_policy_version_to_allow_all_resources_filter` - -[ESCU - AWS CreateAccessKey - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it's important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don't typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it's important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don't typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting. -action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -action.escu.known_false_positives = While this search has no known false positives, it is possible that an AWS admin has legitimately created keys for another user. -action.escu.creation_date = 2022-03-03 -action.escu.modification_date = 2022-03-03 -action.escu.confidence = high -action.escu.full_search_name = ESCU - AWS CreateAccessKey - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["AWS IAM Privilege Escalation"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - AWS CreateAccessKey - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS IAM Privilege Escalation"], "cis20": ["CIS 13"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "2a9b80d3-6340-4345-11ad-212bf3d0d111", "detection_version": "3"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success | eval match=if(match(userIdentity.userName,requestParameters.userName),1,0) | search match=0 | stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`aws_createaccesskey_filter` - -[ESCU - AWS CreateLoginProfile - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip -action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -action.escu.known_false_positives = While this search has no known false positives, it is possible that an AWS admin has legitimately created a login profile for another user. -action.escu.creation_date = 2021-07-19 -action.escu.modification_date = 2021-07-19 -action.escu.confidence = high -action.escu.full_search_name = ESCU - AWS CreateLoginProfile - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["AWS IAM Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = User $user_arn$ is attempting to create a login profile for $new_login_profile$ and did a console login from this IP $src_ip$ -action.risk.param._risk = [{"threat_object_field": "src_ip", "threat_object_type": "ip_address"}, {"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 72}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - AWS CreateLoginProfile - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS IAM Privilege Escalation"], "cis20": ["CIS 13"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "2a9b80d3-6340-4345-11ad-212bf444d111", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip -action.notable.param.rule_title = AWS CreateLoginProfile -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` eventName = CreateLoginProfile | rename requestParameters.userName as new_login_profile | table src_ip eventName new_login_profile userIdentity.userName | join new_login_profile src_ip [| search `cloudtrail` eventName = ConsoleLogin | rename userIdentity.userName as new_login_profile | stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`] | `aws_createloginprofile_filter` - -[ESCU - AWS Credential Access Failed Login - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = It shows that there have been an unsuccessful attempt to log in using the user identity to the AWS management console. Since the user identity has access to AWS account services and resources, an attacker might try to brute force the password for that identity. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.001"], "nist": ["DE.CM"]} -action.escu.data_models = ["Authentication"] -action.escu.eli5 = It shows that there have been an unsuccessful attempt to log in using the user identity to the AWS management console. Since the user identity has access to AWS account services and resources, an attacker might try to brute force the password for that identity. -action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -action.escu.known_false_positives = Users may genuinely mistype or forget the password. -action.escu.creation_date = 2022-08-07 -action.escu.modification_date = 2022-08-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - AWS Credential Access Failed Login - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["AWS Identity and Access Management Account Takeover"] -action.risk = 1 -action.risk.param._risk_message = User $user$ has a login failure from IP $src$ -action.risk.param._risk = [{"threat_object_field": "src", "threat_object_type": "ip_address"}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - AWS Credential Access Failed Login - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a19b354d-0d7f-47f3-8ea6-1a7c36434968", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = It shows that there have been an unsuccessful attempt to log in using the user identity to the AWS management console. Since the user identity has access to AWS account services and resources, an attacker might try to brute force the password for that identity. -action.notable.param.rule_title = AWS Credential Access Failed Login -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats count earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Authentication where Authentication.action = failure Authentication.app=AwsConsoleSignIn Authentication.signature=ConsoleLogin BY Authentication.app Authentication.signature Authentication.dest Authentication.user Authentication.action Authentication.user_id Authentication.src | `drop_dm_object_name(Authentication)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `aws_credential_access_failed_login_filter` - -[ESCU - AWS Credential Access GetPasswordData - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies more than 10 GetPasswordData API calls within a 5-minute window in your AWS account. It leverages AWS CloudTrail logs to detect this activity by counting the distinct instance IDs accessed. This behavior is significant as it may indicate an attempt to retrieve encrypted administrator passwords for running Windows instances, which is a critical security concern. If confirmed malicious, attackers could gain unauthorized access to administrative credentials, potentially leading to full control over the affected instances and further compromise of the AWS environment. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.001"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies more than 10 GetPasswordData API calls within a 5-minute window in your AWS account. It leverages AWS CloudTrail logs to detect this activity by counting the distinct instance IDs accessed. This behavior is significant as it may indicate an attempt to retrieve encrypted administrator passwords for running Windows instances, which is a critical security concern. If confirmed malicious, attackers could gain unauthorized access to administrative credentials, potentially leading to full control over the affected instances and further compromise of the AWS environment. -action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. We encourage the users to adjust the values of `distinct_instance_ids` and tweak the `span` value according to their environment. -action.escu.known_false_positives = Administrator tooling or automated scripts may make these calls but it is highly unlikely to make several calls in a short period of time. -action.escu.creation_date = 2024-05-21 -action.escu.modification_date = 2024-05-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - AWS Credential Access GetPasswordData - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["AWS Identity and Access Management Account Takeover"] -action.risk = 1 -action.risk.param._risk_message = User $user_arn$ is seen to make mulitple `GetPasswordData` API calls to instance ids $instance_ids$ from IP $src_ip$ -action.risk.param._risk = [{"threat_object_field": "src_ip", "threat_object_type": "ip_address"}, {"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - AWS Credential Access GetPasswordData - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.001"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "4d347c4a-306e-41db-8d10-b46baf71b3e2", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` eventName=GetPasswordData eventSource = ec2.amazonaws.com | bin _time span=5m | stats count values(errorCode) as errorCode dc(requestParameters.instanceId) as distinct_instance_ids values(requestParameters.instanceId) as instance_ids by aws_account_id src_ip user_arn userAgent eventName _time | where distinct_instance_ids > 10 | `aws_credential_access_getpassworddata_filter` - -[ESCU - AWS Credential Access RDS Password reset - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The master user password for Amazon RDS DB instance can be reset using the Amazon RDS console. Using this technique, the attacker can get access to the sensitive data from the DB. Usually, the production databases may have sensitive data like Credit card information, PII, Health care Data. This event should be investigated further. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1110"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The master user password for Amazon RDS DB instance can be reset using the Amazon RDS console. Using this technique, the attacker can get access to the sensitive data from the DB. Usually, the production databases may have sensitive data like Credit card information, PII, Health care Data. This event should be investigated further. -action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -action.escu.known_false_positives = Users may genuinely reset the RDS password. -action.escu.creation_date = 2024-03-19 -action.escu.modification_date = 2024-03-19 -action.escu.confidence = high -action.escu.full_search_name = ESCU - AWS Credential Access RDS Password reset - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["AWS Identity and Access Management Account Takeover"] -action.risk = 1 -action.risk.param._risk_message = $database_id$ password has been reset from IP $src$ -action.risk.param._risk = [{"risk_object_field": "database_id", "risk_object_type": "system", "risk_score": 49}, {"threat_object_field": "src", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - AWS Credential Access RDS Password reset - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1110"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "6153c5ea-ed30-4878-81e6-21ecdb198189", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The master user password for Amazon RDS DB instance can be reset using the Amazon RDS console. Using this technique, the attacker can get access to the sensitive data from the DB. Usually, the production databases may have sensitive data like Credit card information, PII, Health care Data. This event should be investigated further. -action.notable.param.rule_title = AWS Credential Access RDS Password reset -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` eventSource="rds.amazonaws.com" eventName=ModifyDBInstance "requestParameters.masterUserPassword"=* | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.dBInstanceIdentifier) as database_id by src awsRegion eventName userAgent user_arn| `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `aws_credential_access_rds_password_reset_filter` - -[ESCU - AWS Cross Account Activity From Previously Unseen Account - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies AssumeRole events where an IAM role in a different AWS account is accessed for the first time. It detects this activity by analyzing authentication logs and comparing the requesting and requested account IDs, flagging new cross-account activities. This behavior is significant because unauthorized cross-account access can indicate potential lateral movement or privilege escalation attempts. If confirmed malicious, an attacker could gain unauthorized access to resources in another account, potentially leading to data exfiltration, service disruption, or further compromise of the AWS environment. -action.escu.mappings = {"cis20": ["CIS 13"], "nist": ["DE.AE"]} -action.escu.data_models = ["Authentication"] -action.escu.eli5 = The following analytic identifies AssumeRole events where an IAM role in a different AWS account is accessed for the first time. It detects this activity by analyzing authentication logs and comparing the requesting and requested account IDs, flagging new cross-account activities. This behavior is significant because unauthorized cross-account access can indicate potential lateral movement or privilege escalation attempts. If confirmed malicious, an attacker could gain unauthorized access to resources in another account, potentially leading to data exfiltration, service disruption, or further compromise of the AWS environment. -action.escu.how_to_implement = You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen AWS Cross Account Activity - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen AWS Cross Account Activity - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `aws_cross_account_activity_from_previously_unseen_account_filter` macro. -action.escu.known_false_positives = Using multiple AWS accounts and roles is perfectly valid behavior. It's suspicious when an account requests privileges of an account it hasn't before. You should validate with the account owner that this is a legitimate request. -action.escu.creation_date = 2024-05-16 -action.escu.modification_date = 2024-05-16 -action.escu.confidence = high -action.escu.full_search_name = ESCU - AWS Cross Account Activity From Previously Unseen Account - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Suspicious Cloud Authentication Activities"] -action.risk = 1 -action.risk.param._risk_message = AWS account $requestingAccountId$ is trying to access resource from some other account $requestedAccountId$, for the first time. -action.risk.param._risk = [{"risk_object_field": "requestingAccountId", "risk_object_type": "other", "risk_score": 15}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 15}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - AWS Cross Account Activity From Previously Unseen Account - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious Cloud Authentication Activities"], "cis20": ["CIS 13"], "confidence": 50, "impact": 30, "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "21193641-cb96-4a2c-a707-d9b9a7f7792b", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats min(_time) as firstTime max(_time) as lastTime from datamodel=Authentication where Authentication.signature=AssumeRole by Authentication.vendor_account Authentication.user Authentication.src Authentication.user_role | `drop_dm_object_name(Authentication)` | rex field=user_role "arn:aws:sts:*:(?.*):" | where vendor_account != dest_account | rename vendor_account as requestingAccountId dest_account as requestedAccountId | lookup previously_seen_aws_cross_account_activity requestingAccountId, requestedAccountId, OUTPUTNEW firstTime | eval status = if(firstTime > relative_time(now(), "-24h@h"),"New Cross Account Activity","Previously Seen") | where status = "New Cross Account Activity" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `aws_cross_account_activity_from_previously_unseen_account_filter` - -[ESCU - AWS Defense Evasion Delete Cloudtrail - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic identifies AWS `DeleteTrail` events within CloudTrail logs. Adversaries often try to impair their target's defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may delete the the entire cloudtrail that is logging activities in the environment. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic identifies AWS `DeleteTrail` events within CloudTrail logs. Adversaries often try to impair their target's defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may delete the the entire cloudtrail that is logging activities in the environment. -action.escu.how_to_implement = You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment. -action.escu.known_false_positives = While this search has no known false positives, it is possible that an AWS admin has stopped cloudTrail logging. Please investigate this activity. -action.escu.creation_date = 2022-07-13 -action.escu.modification_date = 2022-07-13 -action.escu.confidence = high -action.escu.full_search_name = ESCU - AWS Defense Evasion Delete Cloudtrail - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["AWS Defense Evasion"] -action.risk = 1 -action.risk.param._risk_message = User $user_arn$ has delete a CloudTrail logging for account id $aws_account_id$ from IP $src$ -action.risk.param._risk = [{"threat_object_field": "src", "threat_object_type": "ip_address"}, {"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 90}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - AWS Defense Evasion Delete Cloudtrail - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Defense Evasion"], "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "82092925-9ca1-4e06-98b8-85a2d3889552", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic identifies AWS `DeleteTrail` events within CloudTrail logs. Adversaries often try to impair their target's defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may delete the the entire cloudtrail that is logging activities in the environment. -action.notable.param.rule_title = AWS Defense Evasion Delete Cloudtrail -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `aws_defense_evasion_delete_cloudtrail_filter` - -[ESCU - AWS Defense Evasion Delete CloudWatch Log Group - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic identifies AWS `DeleteLogGroup` events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562", "T1562.008"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic identifies AWS `DeleteLogGroup` events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment. -action.escu.how_to_implement = You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment. -action.escu.known_false_positives = While this search has no known false positives, it is possible that an AWS admin has deleted CloudWatch logging. Please investigate this activity. -action.escu.creation_date = 2022-07-17 -action.escu.modification_date = 2022-07-17 -action.escu.confidence = high -action.escu.full_search_name = ESCU - AWS Defense Evasion Delete CloudWatch Log Group - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["AWS Defense Evasion"] -action.risk = 1 -action.risk.param._risk_message = User $user_arn$ has deleted a CloudWatch logging group for account id $aws_account_id$ from IP $src$ -action.risk.param._risk = [{"threat_object_field": "src", "threat_object_type": "ip_address"}, {"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 90}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - AWS Defense Evasion Delete CloudWatch Log Group - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Defense Evasion"], "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562", "T1562.008"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "d308b0f1-edb7-4a62-a614-af321160710f", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic identifies AWS `DeleteLogGroup` events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment. -action.notable.param.rule_title = AWS Defense Evasion Delete CloudWatch Log Group -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `aws_defense_evasion_delete_cloudwatch_log_group_filter` - -[ESCU - AWS Defense Evasion Impair Security Services - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic looks for several delete specific API calls made to AWS Security Services like CloudWatch, GuardDuty and Web Application Firewalls. These API calls are often leveraged by adversaries to weaken existing security defenses by deleting logging configurations in the CloudWatch alarm, delete a set of detectors from your Guardduty environment or simply delete a bunch of CloudWatch alarms to remain stealthy and avoid detection. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.AE"]} -action.escu.data_models = ["Web"] -action.escu.eli5 = This analytic looks for several delete specific API calls made to AWS Security Services like CloudWatch, GuardDuty and Web Application Firewalls. These API calls are often leveraged by adversaries to weaken existing security defenses by deleting logging configurations in the CloudWatch alarm, delete a set of detectors from your Guardduty environment or simply delete a bunch of CloudWatch alarms to remain stealthy and avoid detection. -action.escu.how_to_implement = You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment. -action.escu.known_false_positives = While this search has no known false positives, it is possible that it is a legitimate admin activity. Please consider filtering out these noisy events using userAgent, user_arn field names. -action.escu.creation_date = 2022-07-26 -action.escu.modification_date = 2022-07-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - AWS Defense Evasion Impair Security Services - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["AWS Defense Evasion"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - AWS Defense Evasion Impair Security Services - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Defense Evasion"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "b28c4957-96a6-47e0-a965-6c767aac1458", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` eventName IN ("DeleteLogStream","DeleteDetector","DeleteIPSet","DeleteWebACL","DeleteRule","DeleteRuleGroup","DeleteLoggingConfiguration","DeleteAlarms") | stats count min(_time) as firstTime max(_time) as lastTime values(eventName) as eventName values(eventSource) as eventSource values(requestParameters.*) as * by src region user_arn aws_account_id user_type user_agent errorCode| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `aws_defense_evasion_impair_security_services_filter` - -[ESCU - AWS Defense Evasion PutBucketLifecycle - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic identifies `PutBucketLifecycle` events in CloudTrail logs where a user has created a new lifecycle rule for an S3 bucket with a short expiration period. Attackers may use this API call to impair the CloudTrail logging by removing logs from the S3 bucket by changing the object expiration day to 1 day, in which case the CloudTrail logs will be deleted. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic identifies `PutBucketLifecycle` events in CloudTrail logs where a user has created a new lifecycle rule for an S3 bucket with a short expiration period. Attackers may use this API call to impair the CloudTrail logging by removing logs from the S3 bucket by changing the object expiration day to 1 day, in which case the CloudTrail logs will be deleted. -action.escu.how_to_implement = You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment. We recommend our users to set the expiration days value according to your company's log retention policies. -action.escu.known_false_positives = While this search has no known false positives, it is possible that it is a legitimate admin activity. Please consider filtering out these noisy events using userAgent, user_arn field names. -action.escu.creation_date = 2022-07-25 -action.escu.modification_date = 2022-07-25 -action.escu.confidence = high -action.escu.full_search_name = ESCU - AWS Defense Evasion PutBucketLifecycle - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["AWS Defense Evasion"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - AWS Defense Evasion PutBucketLifecycle - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Defense Evasion"], "cis20": ["CIS 10"], "confidence": 40, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "ce1c0e2b-9303-4903-818b-0d9002fc6ea4", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` eventName=PutBucketLifecycle user_type=IAMUser errorCode=success | spath path=requestParameters{}.LifecycleConfiguration{}.Rule{}.Expiration{}.Days output=expiration_days | spath path=requestParameters{}.bucketName output=bucket_name | stats count min(_time) as firstTime max(_time) as lastTime by src region eventName userAgent user_arn aws_account_id expiration_days bucket_name user_type| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where expiration_days < 3 | `aws_defense_evasion_putbucketlifecycle_filter` - -[ESCU - AWS Defense Evasion Stop Logging Cloudtrail - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic identifies `StopLogging` events in CloudTrail logs. Adversaries often try to impair their target's defenses by stopping their macliious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may easily stop logging. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic identifies `StopLogging` events in CloudTrail logs. Adversaries often try to impair their target's defenses by stopping their macliious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may easily stop logging. -action.escu.how_to_implement = You must install Splunk AWS Add on and enable Cloudtrail logs in your AWS Environment. -action.escu.known_false_positives = While this search has no known false positives, it is possible that an AWS admin has stopped cloudtrail logging. Please investigate this activity. -action.escu.creation_date = 2022-07-12 -action.escu.modification_date = 2022-07-12 -action.escu.confidence = high -action.escu.full_search_name = ESCU - AWS Defense Evasion Stop Logging Cloudtrail - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["AWS Defense Evasion"] -action.risk = 1 -action.risk.param._risk_message = User $user_arn$ has stopped Cloudtrail logging for account id $aws_account_id$ from IP $src$ -action.risk.param._risk = [{"threat_object_field": "src", "threat_object_type": "ip_address"}, {"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 90}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - AWS Defense Evasion Stop Logging Cloudtrail - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Defense Evasion"], "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "8a2f3ca2-4eb5-4389-a549-14063882e537", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic identifies `StopLogging` events in CloudTrail logs. Adversaries often try to impair their target's defenses by stopping their macliious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may easily stop logging. -action.notable.param.rule_title = AWS Defense Evasion Stop Logging Cloudtrail -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `aws_defense_evasion_stop_logging_cloudtrail_filter` - -[ESCU - AWS Defense Evasion Update Cloudtrail - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic identifies `UpdateTrail` events in CloudTrail logs. Attackers may evade the logging capability by updating the settings and impairing them with wrong parameters. For example, Attackers may change the multi-regional log into a single region logs, which evades the logging for other regions. When the adversary has the right type of permissions in the compromised AWS environment, they may update the CloudTrail settings that is logging activities in your environment. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562", "T1562.008"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic identifies `UpdateTrail` events in CloudTrail logs. Attackers may evade the logging capability by updating the settings and impairing them with wrong parameters. For example, Attackers may change the multi-regional log into a single region logs, which evades the logging for other regions. When the adversary has the right type of permissions in the compromised AWS environment, they may update the CloudTrail settings that is logging activities in your environment. -action.escu.how_to_implement = You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment. -action.escu.known_false_positives = While this search has no known false positives, it is possible that an AWS admin has updated cloudtrail logging. Please investigate this activity. -action.escu.creation_date = 2022-07-17 -action.escu.modification_date = 2022-07-17 -action.escu.confidence = high -action.escu.full_search_name = ESCU - AWS Defense Evasion Update Cloudtrail - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["AWS Defense Evasion"] -action.risk = 1 -action.risk.param._risk_message = User $user_arn$ has updated a cloudtrail logging for account id $aws_account_id$ from IP $src$ -action.risk.param._risk = [{"threat_object_field": "src", "threat_object_type": "ip_address"}, {"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 90}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - AWS Defense Evasion Update Cloudtrail - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Defense Evasion"], "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562", "T1562.008"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "7c921d28-ef48-4f1b-85b3-0af8af7697db", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic identifies `UpdateTrail` events in CloudTrail logs. Attackers may evade the logging capability by updating the settings and impairing them with wrong parameters. For example, Attackers may change the multi-regional log into a single region logs, which evades the logging for other regions. When the adversary has the right type of permissions in the compromised AWS environment, they may update the CloudTrail settings that is logging activities in your environment. -action.notable.param.rule_title = AWS Defense Evasion Update Cloudtrail -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `aws_defense_evasion_update_cloudtrail_filter` - -[ESCU - aws detect attach to role policy - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies a user attaching a policy to a different role's trust policy in AWS. It leverages CloudWatch logs to detect the `attach policy` event, extracting relevant fields such as `policyArn`, `sourceIPAddress`, and `userIdentity`. This activity is significant as it can indicate attempts at lateral movement or privilege escalation within the AWS environment. If confirmed malicious, an attacker could gain elevated permissions, potentially compromising sensitive resources and data within the AWS infrastructure. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies a user attaching a policy to a different role's trust policy in AWS. It leverages CloudWatch logs to detect the `attach policy` event, extracting relevant fields such as `policyArn`, `sourceIPAddress`, and `userIdentity`. This activity is significant as it can indicate attempts at lateral movement or privilege escalation within the AWS environment. If confirmed malicious, an attacker could gain elevated permissions, potentially compromising sensitive resources and data within the AWS infrastructure. -action.escu.how_to_implement = You must install splunk AWS add-on and Splunk App for AWS. This search works with cloudwatch logs -action.escu.known_false_positives = Attach to policy can create a lot of noise. This search can be adjusted to provide specific values to identify cases of abuse (i.e status=failure). The search can provide context for common users attaching themselves to higher privilege policies or even newly created policies. -action.escu.creation_date = 2024-05-12 -action.escu.modification_date = 2024-05-12 -action.escu.confidence = high -action.escu.full_search_name = ESCU - aws detect attach to role policy - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["AWS Cross Account Activity"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - aws detect attach to role policy - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Cross Account Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "88fc31dd-f331-448c-9856-d3d51dd5d3a1", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `aws_cloudwatchlogs_eks` attach policy| spath requestParameters.policyArn | table sourceIPAddress user_access_key userIdentity.arn userIdentity.sessionContext.sessionIssuer.arn eventName errorCode errorMessage status action requestParameters.policyArn userIdentity.sessionContext.attributes.mfaAuthenticated userIdentity.sessionContext.attributes.creationDate | `aws_detect_attach_to_role_policy_filter` - -[ESCU - aws detect permanent key creation - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic detects the creation of permanent access keys in AWS accounts. It leverages CloudWatch logs to identify events where the `CreateAccessKey` action is performed by IAM users. Monitoring the creation of permanent keys is crucial as they are not created by default and are typically used for programmatic access. If confirmed malicious, this activity could allow attackers to gain persistent access to AWS resources, potentially leading to unauthorized actions and data exfiltration. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects the creation of permanent access keys in AWS accounts. It leverages CloudWatch logs to identify events where the `CreateAccessKey` action is performed by IAM users. Monitoring the creation of permanent keys is crucial as they are not created by default and are typically used for programmatic access. If confirmed malicious, this activity could allow attackers to gain persistent access to AWS resources, potentially leading to unauthorized actions and data exfiltration. -action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs -action.escu.known_false_positives = Not all permanent key creations are malicious. If there is a policy of rotating keys this search can be adjusted to provide better context. -action.escu.creation_date = 2024-05-23 -action.escu.modification_date = 2024-05-23 -action.escu.confidence = high -action.escu.full_search_name = ESCU - aws detect permanent key creation - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["AWS Cross Account Activity"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - aws detect permanent key creation - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Cross Account Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "12d6d713-3cb4-4ffc-a064-1dca3d1cca01", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `aws_cloudwatchlogs_eks` CreateAccessKey | spath eventName | search eventName=CreateAccessKey "userIdentity.type"=IAMUser | table sourceIPAddress userName userIdentity.type userAgent action status responseElements.accessKey.createDate responseElements.accessKey.status responseElements.accessKey.accessKeyId |`aws_detect_permanent_key_creation_filter` - -[ESCU - aws detect role creation - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search provides detection of role creation by IAM users. Role creation is an event by itself if user is creating a new role with trust policies different than the available in AWS and it can be used for lateral movement and escalation of privileges. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search provides detection of role creation by IAM users. Role creation is an event by itself if user is creating a new role with trust policies different than the available in AWS and it can be used for lateral movement and escalation of privileges. -action.escu.how_to_implement = You must install splunk AWS add-on and Splunk App for AWS. This search works with cloudwatch logs -action.escu.known_false_positives = CreateRole is not very common in common users. This search can be adjusted to provide specific values to identify cases of abuse. In general AWS provides plenty of trust policies that fit most use cases. -action.escu.creation_date = 2020-07-27 -action.escu.modification_date = 2020-07-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - aws detect role creation - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["AWS Cross Account Activity"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - aws detect role creation - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Cross Account Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "5f04081e-ddee-4353-afe4-504f288de9ad", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `aws_cloudwatchlogs_eks` event_name=CreateRole action=created userIdentity.type=AssumedRole requestParameters.description=Allows* | table sourceIPAddress userIdentity.principalId userIdentity.arn action event_name awsRegion http_user_agent mfa_auth msg requestParameters.roleName requestParameters.description responseElements.role.arn responseElements.role.createDate | `aws_detect_role_creation_filter` - -[ESCU - aws detect sts assume role abuse - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies suspicious use of the AWS STS AssumeRole action. It leverages AWS CloudTrail logs to detect instances where roles are assumed, focusing on specific fields like source IP address, user ARN, and role names. This activity is significant because attackers can use assumed roles to move laterally within the AWS environment and escalate privileges. If confirmed malicious, this could allow attackers to gain unauthorized access to sensitive resources, execute code, or further entrench themselves within the environment, leading to potential data breaches or service disruptions. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies suspicious use of the AWS STS AssumeRole action. It leverages AWS CloudTrail logs to detect instances where roles are assumed, focusing on specific fields like source IP address, user ARN, and role names. This activity is significant because attackers can use assumed roles to move laterally within the AWS environment and escalate privileges. If confirmed malicious, this could allow attackers to gain unauthorized access to sensitive resources, execute code, or further entrench themselves within the environment, leading to potential data breaches or service disruptions. -action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs -action.escu.known_false_positives = Sts:AssumeRole can be very noisy as it is a standard mechanism to provide cross account and cross resources access. This search can be adjusted to provide specific values to identify cases of abuse. -action.escu.creation_date = 2024-05-20 -action.escu.modification_date = 2024-05-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - aws detect sts assume role abuse - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["AWS Cross Account Activity"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - aws detect sts assume role abuse - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Cross Account Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "8e565314-b6a2-46d8-9f05-1a34a176a662", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` user_type=AssumedRole userIdentity.sessionContext.sessionIssuer.type=Role | table sourceIPAddress userIdentity.arn user_agent user_access_key status action requestParameters.roleName responseElements.role.roleName responseElements.role.createDate | `aws_detect_sts_assume_role_abuse_filter` - -[ESCU - aws detect sts get session token abuse - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies the suspicious use of the AWS STS GetSessionToken API call. It leverages CloudWatch logs to detect instances where this API is invoked, focusing on fields such as source IP address, event time, user identity, and status. This activity is significant because attackers can use these tokens to move laterally within the AWS environment and escalate privileges. If confirmed malicious, this could lead to unauthorized access and control over AWS resources, potentially compromising sensitive data and critical infrastructure. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1550"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies the suspicious use of the AWS STS GetSessionToken API call. It leverages CloudWatch logs to detect instances where this API is invoked, focusing on fields such as source IP address, event time, user identity, and status. This activity is significant because attackers can use these tokens to move laterally within the AWS environment and escalate privileges. If confirmed malicious, this could lead to unauthorized access and control over AWS resources, potentially compromising sensitive data and critical infrastructure. -action.escu.how_to_implement = You must install splunk AWS add-on and Splunk App for AWS. This search works with cloudwatch logs -action.escu.known_false_positives = Sts:GetSessionToken can be very noisy as in certain environments numerous calls of this type can be executed. This search can be adjusted to provide specific values to identify cases of abuse. In specific environments the use of field requestParameters.serialNumber will need to be used. -action.escu.creation_date = 2024-05-14 -action.escu.modification_date = 2024-05-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - aws detect sts get session token abuse - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["AWS Cross Account Activity"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - aws detect sts get session token abuse - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Cross Account Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1550"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "85d7b35f-b8b5-4b01-916f-29b81e7a0551", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `aws_cloudwatchlogs_eks` ASIA userIdentity.type=IAMUser| spath eventName | search eventName=GetSessionToken | table sourceIPAddress eventTime userIdentity.arn userName userAgent user_type status region | `aws_detect_sts_get_session_token_abuse_filter` - -[ESCU - AWS Detect Users creating keys with encrypt policy without MFA - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search provides detection of KMS keys where action kms:Encrypt is accessible for everyone (also outside of your organization). This is an indicator that your account is compromised and the attacker uses the encryption key to compromise another company. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1486"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This search provides detection of KMS keys where action kms:Encrypt is accessible for everyone (also outside of your organization). This is an indicator that your account is compromised and the attacker uses the encryption key to compromise another company. -action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs -action.escu.known_false_positives = unknown -action.escu.creation_date = 2021-01-11 -action.escu.modification_date = 2021-01-11 -action.escu.confidence = high -action.escu.full_search_name = ESCU - AWS Detect Users creating keys with encrypt policy without MFA - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["Ransomware Cloud"] -action.risk = 1 -action.risk.param._risk_message = AWS account is potentially compromised and user $user$ is trying to compromise other accounts. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - AWS Detect Users creating keys with encrypt policy without MFA - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ransomware Cloud"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1486"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c79c164f-4b21-4847-98f9-cf6a9f49179e", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search provides detection of KMS keys where action kms:Encrypt is accessible for everyone (also outside of your organization). This is an indicator that your account is compromised and the attacker uses the encryption key to compromise another company. -action.notable.param.rule_title = AWS Detect Users creating keys with encrypt policy without MFA -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` eventName=CreateKey OR eventName=PutKeyPolicy | spath input=requestParameters.policy output=key_policy_statements path=Statement{} | mvexpand key_policy_statements | spath input=key_policy_statements output=key_policy_action_1 path=Action | spath input=key_policy_statements output=key_policy_action_2 path=Action{} | eval key_policy_action=mvappend(key_policy_action_1, key_policy_action_2) | spath input=key_policy_statements output=key_policy_principal path=Principal.AWS | search key_policy_action="kms:Encrypt" AND key_policy_principal="*" | stats count min(_time) as firstTime max(_time) as lastTime by eventName eventSource eventID awsRegion userIdentity.principalId user | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |`aws_detect_users_creating_keys_with_encrypt_policy_without_mfa_filter` - -[ESCU - AWS Detect Users with KMS keys performing encryption S3 - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies users with KMS keys performing encryption operations on S3 buckets. It leverages AWS CloudTrail logs to detect the `CopyObject` event where server-side encryption with AWS KMS is specified. This activity is significant as it may indicate unauthorized or suspicious encryption of data, potentially masking exfiltration or tampering efforts. If confirmed malicious, an attacker could be encrypting sensitive data to evade detection or preparing it for exfiltration, posing a significant risk to data integrity and confidentiality. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1486"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies users with KMS keys performing encryption operations on S3 buckets. It leverages AWS CloudTrail logs to detect the `CopyObject` event where server-side encryption with AWS KMS is specified. This activity is significant as it may indicate unauthorized or suspicious encryption of data, potentially masking exfiltration or tampering efforts. If confirmed malicious, an attacker could be encrypting sensitive data to evade detection or preparing it for exfiltration, posing a significant risk to data integrity and confidentiality. -action.escu.how_to_implement = You must install Splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs -action.escu.known_false_positives = There maybe buckets provisioned with S3 encryption -action.escu.creation_date = 2024-05-18 -action.escu.modification_date = 2024-05-18 -action.escu.confidence = high -action.escu.full_search_name = ESCU - AWS Detect Users with KMS keys performing encryption S3 - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["Ransomware Cloud"] -action.risk = 1 -action.risk.param._risk_message = User $user$ with KMS keys is performing encryption, against S3 buckets on these files $dest_file$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 15}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - AWS Detect Users with KMS keys performing encryption S3 - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ransomware Cloud"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1486"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "884a5f59-eec7-4f4a-948b-dbde18225fdc", "detection_version": "3"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` eventName=CopyObject requestParameters.x-amz-server-side-encryption="aws:kms" | rename requestParameters.bucketName AS bucketName, requestParameters.x-amz-copy-source AS src_file, requestParameters.key AS dest_file | stats count min(_time) as firstTime max(_time) as lastTime values(bucketName) as bucketName values(src_file) AS src_file values(dest_file) AS dest_file values(userAgent) AS userAgent values(region) AS region values(src) AS src by user | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |`aws_detect_users_with_kms_keys_performing_encryption_s3_filter` - -[ESCU - AWS Disable Bucket Versioning - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects AWS CloudTrail events where bucket versioning is suspended by a user. Versioning allows the AWS Administrators to maintain different version of the S3 bucket which can be used to recover deleted data. Adversaries have leveraged this technique in the wild during a ransomware incident to disable versioning so the client cannot recover the data. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects AWS CloudTrail events where bucket versioning is suspended by a user. Versioning allows the AWS Administrators to maintain different version of the S3 bucket which can be used to recover deleted data. Adversaries have leveraged this technique in the wild during a ransomware incident to disable versioning so the client cannot recover the data. -action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -action.escu.known_false_positives = It is possible that an AWS Administrator has legitimately disabled versioning on certain buckets to avoid costs. -action.escu.creation_date = 2023-05-01 -action.escu.modification_date = 2023-05-01 -action.escu.confidence = high -action.escu.full_search_name = ESCU - AWS Disable Bucket Versioning - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["Data Exfiltration", "Suspicious AWS S3 Activities"] -action.risk = 1 -action.risk.param._risk_message = Bucket Versioning is suspended for S3 buckets- $bucket_name$ by user $user_arn$ from IP address $src_ip$ -action.risk.param._risk = [{"risk_object_field": "user_arn", "risk_object_type": "other", "risk_score": 64}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}, {"risk_object_field": "aws_account_id", "risk_object_type": "other", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - AWS Disable Bucket Versioning - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Exfiltration", "Suspicious AWS S3 Activities"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "657902a9-987d-4879-a1b2-e7a65512824b", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` eventName= PutBucketVersioning "requestParameters.VersioningConfiguration.Status"=Suspended | stats count values(requestParameters.bucketName) as bucket_name values(resources{}.ARN) as resource_arn by src_ip aws_account_id awsRegion eventName userAgent user_arn userIdentity.principalId errorCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `aws_disable_bucket_versioning_filter` - -[ESCU - AWS EC2 Snapshot Shared Externally - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects when an EC2 snapshot is shared with an external AWS account by analyzing AWS CloudTrail events. This detection method leverages CloudTrail logs to identify modifications in snapshot permissions, specifically when the snapshot is shared outside the originating AWS account. This activity is significant as it may indicate an attempt to exfiltrate sensitive data stored in the snapshot. If confirmed malicious, an attacker could gain unauthorized access to the snapshot's data, potentially leading to data breaches or further exploitation of the compromised information. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1537"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects when an EC2 snapshot is shared with an external AWS account by analyzing AWS CloudTrail events. This detection method leverages CloudTrail logs to identify modifications in snapshot permissions, specifically when the snapshot is shared outside the originating AWS account. This activity is significant as it may indicate an attempt to exfiltrate sensitive data stored in the snapshot. If confirmed malicious, an attacker could gain unauthorized access to the snapshot's data, potentially leading to data breaches or further exploitation of the compromised information. -action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -action.escu.known_false_positives = It is possible that an AWS admin has legitimately shared a snapshot with others for a specific purpose. -action.escu.creation_date = 2024-05-07 -action.escu.modification_date = 2024-05-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - AWS EC2 Snapshot Shared Externally - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["Data Exfiltration", "Suspicious Cloud Instance Activities"] -action.risk = 1 -action.risk.param._risk_message = AWS EC2 snapshot from account $aws_account_id$ is shared with $requested_account_id$ by user $user_arn$ from $src_ip$ -action.risk.param._risk = [{"risk_object_field": "user_arn", "risk_object_type": "other", "risk_score": 48}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}, {"risk_object_field": "aws_account_id", "risk_object_type": "other", "risk_score": 48}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - AWS EC2 Snapshot Shared Externally - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Exfiltration", "Suspicious Cloud Instance Activities"], "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1537"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "2a9b80d3-6340-4345-b5ad-290bf3d222c4", "detection_version": "4"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects when an EC2 snapshot is shared with an external AWS account by analyzing AWS CloudTrail events. This detection method leverages CloudTrail logs to identify modifications in snapshot permissions, specifically when the snapshot is shared outside the originating AWS account. This activity is significant as it may indicate an attempt to exfiltrate sensitive data stored in the snapshot. If confirmed malicious, an attacker could gain unauthorized access to the snapshot's data, potentially leading to data breaches or further exploitation of the compromised information. -action.notable.param.rule_title = AWS EC2 Snapshot Shared Externally -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` eventName=ModifySnapshotAttribute | rename requestParameters.createVolumePermission.add.items{}.userId as requested_account_id | search requested_account_id != NULL | eval match=if(requested_account_id==aws_account_id,"Match","No Match") | table _time user_arn src_ip requestParameters.attributeType requested_account_id aws_account_id match vendor_region user_agent userIdentity.principalId | where match = "No Match" | `aws_ec2_snapshot_shared_externally_filter` - -[ESCU - AWS ECR Container Scanning Findings High - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies high-severity findings from AWS Elastic Container Registry (ECR) image scans. It detects these activities by analyzing AWS CloudTrail logs for the DescribeImageScanFindings event, specifically filtering for findings with a high severity level. This activity is significant for a SOC because high-severity vulnerabilities in container images can lead to potential exploitation if not addressed. If confirmed malicious, attackers could exploit these vulnerabilities to gain unauthorized access, execute arbitrary code, or escalate privileges within the container environment, posing a significant risk to the overall security posture. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies high-severity findings from AWS Elastic Container Registry (ECR) image scans. It detects these activities by analyzing AWS CloudTrail logs for the DescribeImageScanFindings event, specifically filtering for findings with a high severity level. This activity is significant for a SOC because high-severity vulnerabilities in container images can lead to potential exploitation if not addressed. If confirmed malicious, attackers could exploit these vulnerabilities to gain unauthorized access, execute arbitrary code, or escalate privileges within the container environment, posing a significant risk to the overall security posture. -action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2024-05-12 -action.escu.modification_date = 2024-05-12 -action.escu.confidence = high -action.escu.full_search_name = ESCU - AWS ECR Container Scanning Findings High - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["Dev Sec Ops"] -action.risk = 1 -action.risk.param._risk_message = Vulnerabilities with severity high found in repository $repository$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 70}, {"risk_object_field": "repository", "risk_object_type": "other", "risk_score": 70}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - AWS ECR Container Scanning Findings High - Rule -action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 13"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "30a0e9f8-f1dd-4f9d-8fc2-c622461d781c", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies high-severity findings from AWS Elastic Container Registry (ECR) image scans. It detects these activities by analyzing AWS CloudTrail logs for the DescribeImageScanFindings event, specifically filtering for findings with a high severity level. This activity is significant for a SOC because high-severity vulnerabilities in container images can lead to potential exploitation if not addressed. If confirmed malicious, attackers could exploit these vulnerabilities to gain unauthorized access, execute arbitrary code, or escalate privileges within the container environment, posing a significant risk to the overall security posture. -action.notable.param.rule_title = AWS ECR Container Scanning Findings High -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` eventSource=ecr.amazonaws.com eventName=DescribeImageScanFindings | spath path=responseElements.imageScanFindings.findings{} output=findings | mvexpand findings | spath input=findings | search severity=HIGH | rename name as finding_name, description as finding_description, requestParameters.imageId.imageDigest as imageDigest, requestParameters.repositoryName as repository, userIdentity.principalId as user | eval finding = finding_name.", ".finding_description | eval phase="release" | eval severity="high" | stats min(_time) as firstTime max(_time) as lastTime by awsRegion, eventName, eventSource, imageDigest, repository, user, src_ip, finding, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_ecr_container_scanning_findings_high_filter` - -[ESCU - AWS ECR Container Scanning Findings Low Informational Unknown - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies low, informational, or unknown severity findings from AWS Elastic Container Registry (ECR) image scans. It leverages AWS CloudTrail logs, specifically the DescribeImageScanFindings event, to detect these findings. This activity is significant for a SOC as it helps in early identification of potential vulnerabilities or misconfigurations in container images, which could be exploited if left unaddressed. If confirmed malicious, these findings could lead to unauthorized access, data breaches, or further exploitation within the containerized environment. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies low, informational, or unknown severity findings from AWS Elastic Container Registry (ECR) image scans. It leverages AWS CloudTrail logs, specifically the DescribeImageScanFindings event, to detect these findings. This activity is significant for a SOC as it helps in early identification of potential vulnerabilities or misconfigurations in container images, which could be exploited if left unaddressed. If confirmed malicious, these findings could lead to unauthorized access, data breaches, or further exploitation within the containerized environment. -action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2024-05-15 -action.escu.modification_date = 2024-05-15 -action.escu.confidence = high -action.escu.full_search_name = ESCU - AWS ECR Container Scanning Findings Low Informational Unknown - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["Dev Sec Ops"] -action.risk = 1 -action.risk.param._risk_message = Vulnerabilities with severity $severity$ found in repository $repository$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 5}, {"risk_object_field": "repository", "risk_object_type": "other", "risk_score": 5}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - AWS ECR Container Scanning Findings Low Informational Unknown - Rule -action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 13"], "confidence": 50, "impact": 10, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "cbc95e44-7c22-443f-88fd-0424478f5589", "detection_version": "3"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` eventSource=ecr.amazonaws.com eventName=DescribeImageScanFindings | spath path=responseElements.imageScanFindings.findings{} output=findings | mvexpand findings | spath input=findings| search severity IN ("LOW", "INFORMATIONAL", "UNKNOWN") | rename name as finding_name, description as finding_description, requestParameters.imageId.imageDigest as imageDigest, requestParameters.repositoryName as repository, userIdentity.principalId as user | eval finding = finding_name.", ".finding_description | eval phase="release" | eval severity="low" | stats min(_time) as firstTime max(_time) as lastTime by awsRegion, eventName, eventSource, imageDigest, repository, user, src_ip, finding, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_ecr_container_scanning_findings_low_informational_unknown_filter` - -[ESCU - AWS ECR Container Scanning Findings Medium - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies medium-severity findings from AWS Elastic Container Registry (ECR) image scans. It leverages AWS CloudTrail logs, specifically the DescribeImageScanFindings event, to detect vulnerabilities in container images. This activity is significant for a SOC as it highlights potential security risks in containerized applications, which could be exploited if not addressed. If confirmed malicious, these vulnerabilities could lead to unauthorized access, data breaches, or further exploitation within the container environment, compromising the overall security posture. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies medium-severity findings from AWS Elastic Container Registry (ECR) image scans. It leverages AWS CloudTrail logs, specifically the DescribeImageScanFindings event, to detect vulnerabilities in container images. This activity is significant for a SOC as it highlights potential security risks in containerized applications, which could be exploited if not addressed. If confirmed malicious, these vulnerabilities could lead to unauthorized access, data breaches, or further exploitation within the container environment, compromising the overall security posture. -action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2024-05-06 -action.escu.modification_date = 2024-05-06 -action.escu.confidence = high -action.escu.full_search_name = ESCU - AWS ECR Container Scanning Findings Medium - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["Dev Sec Ops"] -action.risk = 1 -action.risk.param._risk_message = Vulnerabilities with severity $severity$ found in repository $repository$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 21}, {"risk_object_field": "repository", "risk_object_type": "other", "risk_score": 21}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - AWS ECR Container Scanning Findings Medium - Rule -action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 13"], "confidence": 70, "impact": 30, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "0b80e2c8-c746-4ddb-89eb-9efd892220cf", "detection_version": "3"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` eventSource=ecr.amazonaws.com eventName=DescribeImageScanFindings | spath path=responseElements.imageScanFindings.findings{} output=findings | mvexpand findings | spath input=findings| search severity=MEDIUM | rename name as finding_name, description as finding_description, requestParameters.imageId.imageDigest as imageDigest, requestParameters.repositoryName as repository, userIdentity.principalId as user| eval finding = finding_name.", ".finding_description | eval phase="release" | eval severity="medium" | stats min(_time) as firstTime max(_time) as lastTime by awsRegion, eventName, eventSource, imageDigest, repository, user, src_ip, finding, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_ecr_container_scanning_findings_medium_filter` - -[ESCU - AWS ECR Container Upload Outside Business Hours - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search looks for AWS CloudTrail events from AWS Elastic Container Service (ECR). A upload of a new container is normally done during business hours. When done outside business hours, we want to take a look into it. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search looks for AWS CloudTrail events from AWS Elastic Container Service (ECR). A upload of a new container is normally done during business hours. When done outside business hours, we want to take a look into it. -action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -action.escu.known_false_positives = When your development is spreaded in different time zones, applying this rule can be difficult. -action.escu.creation_date = 2023-11-09 -action.escu.modification_date = 2023-11-09 -action.escu.confidence = high -action.escu.full_search_name = ESCU - AWS ECR Container Upload Outside Business Hours - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["Dev Sec Ops"] -action.risk = 1 -action.risk.param._risk_message = Container uploaded outside business hours from $user$ -action.risk.param._risk = [{"threat_object_field": "src_ip", "threat_object_type": "ip_address"}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - AWS ECR Container Upload Outside Business Hours - Rule -action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "d4c4d4eb-3994-41ca-a25e-a82d64e125bb", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` eventSource=ecr.amazonaws.com eventName=PutImage date_hour>=20 OR date_hour<8 OR date_wday=saturday OR date_wday=sunday | rename requestParameters.* as * | rename repositoryName AS repository | eval phase="release" | eval severity="medium" | stats min(_time) as firstTime max(_time) as lastTime by awsRegion, eventName, eventSource, user, userName, src_ip, imageTag, registryId, repository, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_ecr_container_upload_outside_business_hours_filter` - -[ESCU - AWS ECR Container Upload Unknown User - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search looks for AWS CloudTrail events from AWS Elastic Container Service (ECR). A upload of a new container is normally done from only a few known users. When the user was never seen before, we should have a closer look into the event. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search looks for AWS CloudTrail events from AWS Elastic Container Service (ECR). A upload of a new container is normally done from only a few known users. When the user was never seen before, we should have a closer look into the event. -action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2021-08-19 -action.escu.modification_date = 2021-08-19 -action.escu.confidence = high -action.escu.full_search_name = ESCU - AWS ECR Container Upload Unknown User - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["Dev Sec Ops"] -action.risk = 1 -action.risk.param._risk_message = Container uploaded from unknown user $user$ -action.risk.param._risk = [{"threat_object_field": "src_ip", "threat_object_type": "ip_address"}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - AWS ECR Container Upload Unknown User - Rule -action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "300688e4-365c-4486-a065-7c884462b31d", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` eventSource=ecr.amazonaws.com eventName=PutImage NOT `aws_ecr_users` | rename requestParameters.* as * | rename repositoryName AS image | eval phase="release" | eval severity="high" | stats min(_time) as firstTime max(_time) as lastTime by awsRegion, eventName, eventSource, user, userName, src_ip, imageTag, registryId, image, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_ecr_container_upload_unknown_user_filter` - -[ESCU - AWS Excessive Security Scanning - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies excessive security scanning activities in AWS by detecting a high number of Describe, List, or Get API calls from a single user. It leverages AWS CloudTrail logs to count distinct event names and flags users with more than 50 such events. This behavior is significant as it may indicate reconnaissance activities by an attacker attempting to map out your AWS environment. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or further exploitation of your cloud infrastructure. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies excessive security scanning activities in AWS by detecting a high number of Describe, List, or Get API calls from a single user. It leverages AWS CloudTrail logs to count distinct event names and flags users with more than 50 such events. This behavior is significant as it may indicate reconnaissance activities by an attacker attempting to map out your AWS environment. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or further exploitation of your cloud infrastructure. -action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -action.escu.known_false_positives = While this search has no known false positives. -action.escu.creation_date = 2024-05-08 -action.escu.modification_date = 2024-05-08 -action.escu.confidence = high -action.escu.full_search_name = ESCU - AWS Excessive Security Scanning - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["AWS User Monitoring"] -action.risk = 1 -action.risk.param._risk_message = User $user$ has excessive number of api calls $dc_events$ from these IP addresses $src$, violating the threshold of 50, using the following commands $command$. -action.risk.param._risk = [{"threat_object_field": "src", "threat_object_type": "ip_address"}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 18}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - AWS Excessive Security Scanning - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS User Monitoring"], "cis20": ["CIS 13"], "confidence": 60, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "1fdd164a-def8-4762-83a9-9ffe24e74d5a", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies excessive security scanning activities in AWS by detecting a high number of Describe, List, or Get API calls from a single user. It leverages AWS CloudTrail logs to count distinct event names and flags users with more than 50 such events. This behavior is significant as it may indicate reconnaissance activities by an attacker attempting to map out your AWS environment. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or further exploitation of your cloud infrastructure. -action.notable.param.rule_title = AWS Excessive Security Scanning -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` eventName=Describe* OR eventName=List* OR eventName=Get* | stats dc(eventName) as dc_events min(_time) as firstTime max(_time) as lastTime values(eventName) as command values(src) as src values(userAgent) as userAgent by user userIdentity.arn | where dc_events > 50 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|`aws_excessive_security_scanning_filter` - -[ESCU - AWS Exfiltration via Anomalous GetObject API Activity - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search uses built in Splunk command `| anomalydetection` to detect anomalies with respect to users making high number of GetObject API calls to download objects from S3 in a 10 minute time window. The field `probable_cause` is the name of the field that best explains why the event is anomalous. This command identifies anomalous events by computing a probability for each GetObject event by "count" "user_type" "user_arn" and detects anomaly based on the frequencies. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1119"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search uses built in Splunk command `| anomalydetection` to detect anomalies with respect to users making high number of GetObject API calls to download objects from S3 in a 10 minute time window. The field `probable_cause` is the name of the field that best explains why the event is anomalous. This command identifies anomalous events by computing a probability for each GetObject event by "count" "user_type" "user_arn" and detects anomaly based on the frequencies. -action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -action.escu.known_false_positives = It is possible that a user downloaded these files to use them locally and there are AWS services in configured that perform these activities for a legitimate reason. Filter is needed. -action.escu.creation_date = 2023-04-10 -action.escu.modification_date = 2023-04-10 -action.escu.confidence = high -action.escu.full_search_name = ESCU - AWS Exfiltration via Anomalous GetObject API Activity - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["Data Exfiltration"] -action.risk = 1 -action.risk.param._risk_message = Anomalous S3 activities detected by user $user_arn$ from $src_ip$ -action.risk.param._risk = [{"risk_object_field": "user_arn", "risk_object_type": "other", "risk_score": 64}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}, {"risk_object_field": "aws_account_id", "risk_object_type": "other", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - AWS Exfiltration via Anomalous GetObject API Activity - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Exfiltration"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1119"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e4384bbf-5835-4831-8d85-694de6ad2cc6", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` eventName=GetObject | bin _time span=10m | stats count values(requestParameters.bucketName) as bucketName by _time src_ip aws_account_id user_type user_arn userIdentity.principalId | anomalydetection "count" "user_type" "user_arn" action=annotate | search probable_cause=* |`aws_exfiltration_via_anomalous_getobject_api_activity_filter` - -[ESCU - AWS Exfiltration via Batch Service - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search looks for events where AWS Batch Service is used for creating a job that could potentially abuse the AWS Bucket Replication feature on S3 buckets. This AWS service can used to transfer data between different AWS S3 buckets and an attacker can leverage this to exfiltrate data by creating a malicious batch job. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1119"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This search looks for events where AWS Batch Service is used for creating a job that could potentially abuse the AWS Bucket Replication feature on S3 buckets. This AWS service can used to transfer data between different AWS S3 buckets and an attacker can leverage this to exfiltrate data by creating a malicious batch job. -action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -action.escu.known_false_positives = It is possible that an AWS Administrator or a user has legitimately created this job for some tasks. -action.escu.creation_date = 2023-04-24 -action.escu.modification_date = 2023-04-24 -action.escu.confidence = high -action.escu.full_search_name = ESCU - AWS Exfiltration via Batch Service - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["Data Exfiltration"] -action.risk = 1 -action.risk.param._risk_message = AWS Batch Job is created on account id - $aws_account_id$ from src_ip $src_ip$ -action.risk.param._risk = [{"threat_object_field": "src_ip", "threat_object_type": "ip_address"}, {"risk_object_field": "aws_account_id", "risk_object_type": "other", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - AWS Exfiltration via Batch Service - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Exfiltration"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1119"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "04455dd3-ced7-480f-b8e6-5469b99e98e2", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search looks for events where AWS Batch Service is used for creating a job that could potentially abuse the AWS Bucket Replication feature on S3 buckets. This AWS service can used to transfer data between different AWS S3 buckets and an attacker can leverage this to exfiltrate data by creating a malicious batch job. -action.notable.param.rule_title = AWS Exfiltration via Batch Service -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` eventName = JobCreated | stats count min(_time) as firstTime max(_time) as lastTime values(serviceEventDetails.jobArn) as job_arn values(serviceEventDetails.status) as status by src_ip aws_account_id eventName errorCode userAgent| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_exfiltration_via_datasync_task_filter` - -[ESCU - AWS Exfiltration via Bucket Replication - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects API calls made to an S3 bucket when bucket replication services are enabled. S3 bucket replication is a feature offered by Amazon Web Services (AWS) that allows you to automatically and asynchronously copy data from one S3 bucket to another in the same or different region. \ -S3 bucket replication can also be used for cross-account replication, where data is replicated from a source bucket owned by one AWS account to a destination bucket owned by a different AWS account. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1537"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects API calls made to an S3 bucket when bucket replication services are enabled. S3 bucket replication is a feature offered by Amazon Web Services (AWS) that allows you to automatically and asynchronously copy data from one S3 bucket to another in the same or different region. \ -S3 bucket replication can also be used for cross-account replication, where data is replicated from a source bucket owned by one AWS account to a destination bucket owned by a different AWS account. -action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -action.escu.known_false_positives = It is possible that an AWS admin has legitimately implemented data replication to ensure data availability and improve data protection/backup strategies. -action.escu.creation_date = 2023-04-28 -action.escu.modification_date = 2023-04-28 -action.escu.confidence = high -action.escu.full_search_name = ESCU - AWS Exfiltration via Bucket Replication - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["Data Exfiltration", "Suspicious AWS S3 Activities"] -action.risk = 1 -action.risk.param._risk_message = AWS Bucket Replication rule $rule_id$ added on $source_bucket$ to $destination_bucket$ by user $user_arn$ from IP Address - $src_ip$ -action.risk.param._risk = [{"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 64}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}, {"risk_object_field": "aws_account_id", "risk_object_type": "other", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - AWS Exfiltration via Bucket Replication - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Exfiltration", "Suspicious AWS S3 Activities"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1537"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "eeb432d6-2212-43b6-9e89-fcd753f7da4c", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects API calls made to an S3 bucket when bucket replication services are enabled. S3 bucket replication is a feature offered by Amazon Web Services (AWS) that allows you to automatically and asynchronously copy data from one S3 bucket to another in the same or different region. \ -S3 bucket replication can also be used for cross-account replication, where data is replicated from a source bucket owned by one AWS account to a destination bucket owned by a different AWS account. -action.notable.param.rule_title = AWS Exfiltration via Bucket Replication -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` eventName = PutBucketReplication eventSource = s3.amazonaws.com | rename requestParameters.* as * | stats count values(bucketName) as source_bucket values(ReplicationConfiguration.Rule.ID) as rule_id values(ReplicationConfiguration.Rule.Destination.Bucket) as destination_bucket by _time user_arn userName user_type src_ip aws_account_id userIdentity.principalId user_agent | `aws_exfiltration_via_ec2_snapshot_filter` - -[ESCU - AWS Exfiltration via DataSync Task - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search looks for potential misuse of an AWS service known as DataSync. This AWS service is used to transfer data between different AWS cloud storage services, such as Amazon S3, Amazon EFS, and Amazon FSx for Windows File Server. Attackers can create a task in AWS to periodically copy data from a private AWS location to a public location resulting in the compromise of the data. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1119"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This search looks for potential misuse of an AWS service known as DataSync. This AWS service is used to transfer data between different AWS cloud storage services, such as Amazon S3, Amazon EFS, and Amazon FSx for Windows File Server. Attackers can create a task in AWS to periodically copy data from a private AWS location to a public location resulting in the compromise of the data. -action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -action.escu.known_false_positives = It is possible that an AWS Administrator has legitimately created this task for creating backup. Please check the `sourceLocationArn` and `destinationLocationArn` of this task -action.escu.creation_date = 2023-04-10 -action.escu.modification_date = 2023-04-10 -action.escu.confidence = high -action.escu.full_search_name = ESCU - AWS Exfiltration via DataSync Task - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["Data Exfiltration", "Suspicious AWS S3 Activities"] -action.risk = 1 -action.risk.param._risk_message = DataSync task created on account id - $aws_account_id$ by user $user_arn$ from src_ip $src_ip$ -action.risk.param._risk = [{"risk_object_field": "user_arn", "risk_object_type": "other", "risk_score": 64}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}, {"risk_object_field": "aws_account_id", "risk_object_type": "other", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - AWS Exfiltration via DataSync Task - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Exfiltration", "Suspicious AWS S3 Activities"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1119"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "05c4b09f-ea28-4c7c-a7aa-a246f665c8a2", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search looks for potential misuse of an AWS service known as DataSync. This AWS service is used to transfer data between different AWS cloud storage services, such as Amazon S3, Amazon EFS, and Amazon FSx for Windows File Server. Attackers can create a task in AWS to periodically copy data from a private AWS location to a public location resulting in the compromise of the data. -action.notable.param.rule_title = AWS Exfiltration via DataSync Task -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` eventName = CreateTask eventSource="datasync.amazonaws.com" | rename requestParameters.* as * | stats count min(_time) as firstTime max(_time) as lastTime by src_ip aws_account_id awsRegion eventName destinationLocationArn sourceLocationArn userAgent user_arn userIdentity.principalId errorCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_exfiltration_via_datasync_task_filter` - -[ESCU - AWS Exfiltration via EC2 Snapshot - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search detects a series of AWS API calls, made in a short time window, related to EC2 snapshots that can detect a potential exfiltration via EC2 Snapshot modifications. In this attack, the attacker typically proceeds by listing and creating EC2 snapshots of the available EC2 instances followed by modifying snapshot attributes such that it can be shared externally. Once this is done, the attacker can then load that EC2 snapshot and access all the sensitive information. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1537"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This search detects a series of AWS API calls, made in a short time window, related to EC2 snapshots that can detect a potential exfiltration via EC2 Snapshot modifications. In this attack, the attacker typically proceeds by listing and creating EC2 snapshots of the available EC2 instances followed by modifying snapshot attributes such that it can be shared externally. Once this is done, the attacker can then load that EC2 snapshot and access all the sensitive information. -action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. We have intentionally removed `guardduty.amazonaws.com` from src_ip to remove false positives caused by guard duty. We recommend you adjust the time window as per your environment. -action.escu.known_false_positives = It is possible that an AWS admin has legitimately shared a snapshot with an other account for a specific purpose. Please check any recent change requests filed in your organization. -action.escu.creation_date = 2023-03-22 -action.escu.modification_date = 2023-03-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - AWS Exfiltration via EC2 Snapshot - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["Data Exfiltration", "Suspicious Cloud Instance Activities"] -action.risk = 1 -action.risk.param._risk_message = Potential AWS EC2 Exfiltration detected on account id - $aws_account_id$ by user $userName$ from src_ip $src_ip$ -action.risk.param._risk = [{"risk_object_field": "userName", "risk_object_type": "other", "risk_score": 64}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}, {"risk_object_field": "aws_account_id", "risk_object_type": "other", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - AWS Exfiltration via EC2 Snapshot - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Exfiltration", "Suspicious Cloud Instance Activities"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1537"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "ac90b339-13fc-4f29-a18c-4abbba1f2171", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search detects a series of AWS API calls, made in a short time window, related to EC2 snapshots that can detect a potential exfiltration via EC2 Snapshot modifications. In this attack, the attacker typically proceeds by listing and creating EC2 snapshots of the available EC2 instances followed by modifying snapshot attributes such that it can be shared externally. Once this is done, the attacker can then load that EC2 snapshot and access all the sensitive information. -action.notable.param.rule_title = AWS Exfiltration via EC2 Snapshot -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` eventName IN ("CreateSnapshot", "DescribeSnapshotAttribute", "ModifySnapshotAttribute", "DeleteSnapshot") src_ip !="guardduty.amazonaws.com" | bin _time span=5m | stats count dc(eventName) as distinct_api_calls values(eventName) values(requestParameters.attributeType) as attributeType values(requestParameters.createVolumePermission.add.items{}.userId) as aws_account_id_added values(userAgent) as userAgent by _time userName src_ip aws_account_id | where distinct_api_calls >= 2 | `aws_exfiltration_via_ec2_snapshot_filter` - -[ESCU - AWS High Number Of Failed Authentications For User - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies an AWS account with more than 20 failed authentication events in the span of 5 minutes. This behavior could represent a brute force attack against the account. As environments differ across organizations, security teams should customize the threshold of this detection. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies an AWS account with more than 20 failed authentication events in the span of 5 minutes. This behavior could represent a brute force attack against the account. As environments differ across organizations, security teams should customize the threshold of this detection. -action.escu.how_to_implement = You must install Splunk AWS Add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -action.escu.known_false_positives = A user with more than 20 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application. -action.escu.creation_date = 2023-01-27 -action.escu.modification_date = 2023-01-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - AWS High Number Of Failed Authentications For User - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["AWS Identity and Access Management Account Takeover", "Compromised User Account"] -action.risk = 1 -action.risk.param._risk_message = User $user_name$ failed to authenticate more than 20 times in the span of 5 minutes for AWS Account $aws_account_id$ -action.risk.param._risk = [{"risk_object_field": "user_name", "risk_object_type": "user", "risk_score": 35}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - AWS High Number Of Failed Authentications For User - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Identity and Access Management Account Takeover", "Compromised User Account"], "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e3236f49-daf3-4b70-b808-9290912ac64d", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` eventName=ConsoleLogin action=failure | bucket span=10m _time | stats dc(_raw) AS failed_attempts values(src_ip) as src_ip values(user_agent) by _time, user_name, eventName, eventSource aws_account_id | where failed_attempts > 20 | `aws_high_number_of_failed_authentications_for_user_filter` - -[ESCU - AWS High Number Of Failed Authentications From Ip - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies an IP address failing to authenticate 20 or more times to the AWS Web Console in the span of 5 minutes. This behavior could represent a brute force attack against an AWS tenant to obtain initial access or elevate privileges. As environments differ across organizations, security teams should customize the threshold of this detection. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies an IP address failing to authenticate 20 or more times to the AWS Web Console in the span of 5 minutes. This behavior could represent a brute force attack against an AWS tenant to obtain initial access or elevate privileges. As environments differ across organizations, security teams should customize the threshold of this detection. -action.escu.how_to_implement = You must install Splunk Add-on for AWS in order to ingest Cloudtrail. We recommend the users to try different combinations of the bucket span time and the tried account threshold to tune this search according to their environment. -action.escu.known_false_positives = An Ip address with more than 20 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application. -action.escu.creation_date = 2023-01-30 -action.escu.modification_date = 2023-01-30 -action.escu.confidence = high -action.escu.full_search_name = ESCU - AWS High Number Of Failed Authentications From Ip - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["AWS Identity and Access Management Account Takeover", "Compromised User Account"] -action.risk = 1 -action.risk.param._risk_message = Multiple failed console login attempts (Count: $failed_attempts$) against users from IP Address - $src_ip$ -action.risk.param._risk = [{"risk_object_field": "tried_accounts", "risk_object_type": "user", "risk_score": 54}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - AWS High Number Of Failed Authentications From Ip - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Identity and Access Management Account Takeover", "Compromised User Account"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "f75b7f1a-b8eb-4975-a214-ff3e0a944757", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` eventName=ConsoleLogin action=failure | bucket span=5m _time | stats dc(_raw) AS failed_attempts values(user_name) as tried_accounts values(user_agent) by _time, src_ip, eventName, eventSource aws_account_id | where failed_attempts > 20 | `aws_high_number_of_failed_authentications_from_ip_filter` - -[ESCU - AWS IAM AccessDenied Discovery Events - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following detection identifies excessive AccessDenied events within an hour timeframe. It is possible that an access key to AWS may have been stolen and is being misused to perform discovery events. In these instances, the access is not available with the key stolen therefore these events will be generated. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1580"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following detection identifies excessive AccessDenied events within an hour timeframe. It is possible that an access key to AWS may have been stolen and is being misused to perform discovery events. In these instances, the access is not available with the key stolen therefore these events will be generated. -action.escu.how_to_implement = The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS CloudTrail logs. -action.escu.known_false_positives = It is possible to start this detection will need to be tuned by source IP or user. In addition, change the count values to an upper threshold to restrict false positives. -action.escu.creation_date = 2021-11-12 -action.escu.modification_date = 2021-11-12 -action.escu.confidence = high -action.escu.full_search_name = ESCU - AWS IAM AccessDenied Discovery Events - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["Suspicious Cloud User Activities"] -action.risk = 1 -action.risk.param._risk_message = User $userIdentity.arn$ is seen to perform excessive number of discovery related api calls- $failures$, within an hour where the access was denied. -action.risk.param._risk = [{"threat_object_field": "src_ip", "threat_object_type": "ip_address"}, {"risk_object_field": "userIdentity.arn", "risk_object_type": "user", "risk_score": 10}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - AWS IAM AccessDenied Discovery Events - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious Cloud User Activities"], "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1580"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "3e1f1568-9633-11eb-a69c-acde48001122", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` (errorCode = "AccessDenied") user_type=IAMUser (userAgent!=*.amazonaws.com) | bucket _time span=1h | stats count as failures min(_time) as firstTime max(_time) as lastTime, dc(eventName) as methods, dc(eventSource) as sources by src_ip, userIdentity.arn, _time | where failures >= 5 and methods >= 1 and sources >= 1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_iam_accessdenied_discovery_events_filter` - -[ESCU - AWS IAM Assume Role Policy Brute Force - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following detection identifies any malformed policy document exceptions with a status of `failure`. A malformed policy document exception occurs in instances where roles are attempted to be assumed, or brute forced. In a brute force attempt, using a tool like CloudSploit or Pacu, an attempt will look like `arn:aws:iam::111111111111:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS`. Meaning, when an adversary is attempting to identify a role name, multiple failures will occur. This detection focuses on the errors of a remote attempt that is failing. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1580", "T1110"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following detection identifies any malformed policy document exceptions with a status of `failure`. A malformed policy document exception occurs in instances where roles are attempted to be assumed, or brute forced. In a brute force attempt, using a tool like CloudSploit or Pacu, an attempt will look like `arn:aws:iam::111111111111:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS`. Meaning, when an adversary is attempting to identify a role name, multiple failures will occur. This detection focuses on the errors of a remote attempt that is failing. -action.escu.how_to_implement = The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS CloudTrail logs. Set the `where count` greater than a value to identify suspicious activity in your environment. -action.escu.known_false_positives = This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. -action.escu.creation_date = 2021-04-01 -action.escu.modification_date = 2021-04-01 -action.escu.confidence = high -action.escu.full_search_name = ESCU - AWS IAM Assume Role Policy Brute Force - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["AWS IAM Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = User $user_arn$ has caused multiple failures with errorCode $errorCode$, which potentially means adversary is attempting to identify a role name. -action.risk.param._risk = [{"threat_object_field": "src", "threat_object_type": "ip_address"}, {"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 28}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - AWS IAM Assume Role Policy Brute Force - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS IAM Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 70, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1580", "T1110"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "f19e09b0-9308-11eb-b7ec-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following detection identifies any malformed policy document exceptions with a status of `failure`. A malformed policy document exception occurs in instances where roles are attempted to be assumed, or brute forced. In a brute force attempt, using a tool like CloudSploit or Pacu, an attempt will look like `arn:aws:iam::111111111111:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS`. Meaning, when an adversary is attempting to identify a role name, multiple failures will occur. This detection focuses on the errors of a remote attempt that is failing. -action.notable.param.rule_title = AWS IAM Assume Role Policy Brute Force -action.notable.param.security_domain = access -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` (errorCode=MalformedPolicyDocumentException) status=failure (userAgent!=*.amazonaws.com) | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.policyName) as policy_name by src eventName eventSource aws_account_id errorCode requestParameters.policyDocument userAgent eventID awsRegion userIdentity.principalId user_arn | where count >= 2 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_iam_assume_role_policy_brute_force_filter` - -[ESCU - AWS IAM Delete Policy - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following detection identifies when a policy is deleted on AWS. This does not identify whether successful or failed, but the error messages tell a story of suspicious attempts. There is a specific process to follow when deleting a policy. First, detach the policy from all users, groups, and roles that the policy is attached to, using DetachUserPolicy , DetachGroupPolicy , or DetachRolePolicy. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following detection identifies when a policy is deleted on AWS. This does not identify whether successful or failed, but the error messages tell a story of suspicious attempts. There is a specific process to follow when deleting a policy. First, detach the policy from all users, groups, and roles that the policy is attached to, using DetachUserPolicy , DetachGroupPolicy , or DetachRolePolicy. -action.escu.how_to_implement = The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS CloudTrail logs. -action.escu.known_false_positives = This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete policies (least privilege). In addition, this may be saved seperately and tuned for failed or success attempts only. -action.escu.creation_date = 2021-04-01 -action.escu.modification_date = 2021-04-01 -action.escu.confidence = high -action.escu.full_search_name = ESCU - AWS IAM Delete Policy - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["AWS IAM Privilege Escalation"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - AWS IAM Delete Policy - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS IAM Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "ec3a9362-92fe-11eb-99d0-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` eventName=DeletePolicy (userAgent!=*.amazonaws.com) | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.policyArn) as policyArn by src user_arn eventName eventSource aws_account_id errorCode errorMessage userAgent eventID awsRegion userIdentity.principalId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_iam_delete_policy_filter` - -[ESCU - AWS IAM Failure Group Deletion - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This detection identifies failure attempts to delete groups. We want to identify when a group is attempting to be deleted, but either access is denied, there is a conflict or there is no group. This is indicative of administrators performing an action, but also could be suspicious behavior occurring. Review parallel IAM events - recently added users, new groups and so forth. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This detection identifies failure attempts to delete groups. We want to identify when a group is attempting to be deleted, but either access is denied, there is a conflict or there is no group. This is indicative of administrators performing an action, but also could be suspicious behavior occurring. Review parallel IAM events - recently added users, new groups and so forth. -action.escu.how_to_implement = The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS CloudTrail logs. -action.escu.known_false_positives = This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete groups (least privilege). -action.escu.creation_date = 2023-11-07 -action.escu.modification_date = 2023-11-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - AWS IAM Failure Group Deletion - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["AWS IAM Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = User $user_arn$ has had mulitple failures while attempting to delete groups from $src$ -action.risk.param._risk = [{"threat_object_field": "src", "threat_object_type": "ip_address"}, {"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 5}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - AWS IAM Failure Group Deletion - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS IAM Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 10, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "723b861a-92eb-11eb-93b8-acde48001122", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` eventSource=iam.amazonaws.com eventName=DeleteGroup errorCode IN (NoSuchEntityException,DeleteConflictException, AccessDenied) (userAgent!=*.amazonaws.com) | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.groupName) as group_name by src eventName eventSource aws_account_id errorCode errorMessage userAgent eventID awsRegion userIdentity.principalId user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_iam_failure_group_deletion_filter` - -[ESCU - AWS IAM Successful Group Deletion - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following query uses IAM events to track the success of a group being deleted on AWS. This is typically not indicative of malicious behavior, but a precurser to additional events thay may unfold. Review parallel IAM events - recently added users, new groups and so forth. Inversely, review failed attempts in a similar manner. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1069.003", "T1098", "T1069"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following query uses IAM events to track the success of a group being deleted on AWS. This is typically not indicative of malicious behavior, but a precurser to additional events thay may unfold. Review parallel IAM events - recently added users, new groups and so forth. Inversely, review failed attempts in a similar manner. -action.escu.how_to_implement = The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS CloudTrail logs. -action.escu.known_false_positives = This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete groups (least privilege). -action.escu.creation_date = 2021-03-31 -action.escu.modification_date = 2021-03-31 -action.escu.confidence = high -action.escu.full_search_name = ESCU - AWS IAM Successful Group Deletion - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["AWS IAM Privilege Escalation"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - AWS IAM Successful Group Deletion - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS IAM Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 10, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1069.003", "T1098", "T1069"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e776d06c-9267-11eb-819b-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` eventSource=iam.amazonaws.com eventName=DeleteGroup errorCode=success (userAgent!=*.amazonaws.com) | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.groupName) as group_deleted by src eventName eventSource errorCode user_agent awsRegion userIdentity.principalId user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_iam_successful_group_deletion_filter` - -[ESCU - AWS Lambda UpdateFunctionCode - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is designed to detect IAM users attempting to update/modify AWS lambda code via the AWS CLI to gain persistence, futher access into your AWS environment and to facilitate planting backdoors. In this instance, an attacker may upload malicious code/binary to a lambda function which will be executed automatically when the funnction is triggered. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic is designed to detect IAM users attempting to update/modify AWS lambda code via the AWS CLI to gain persistence, futher access into your AWS environment and to facilitate planting backdoors. In this instance, an attacker may upload malicious code/binary to a lambda function which will be executed automatically when the funnction is triggered. -action.escu.how_to_implement = You must install Splunk AWS Add on and enable Cloudtrail logs in your AWS Environment. -action.escu.known_false_positives = While this search has no known false positives, it is possible that an AWS admin or an autorized IAM user has updated the lambda fuction code legitimately. -action.escu.creation_date = 2022-02-24 -action.escu.modification_date = 2022-02-24 -action.escu.confidence = high -action.escu.full_search_name = ESCU - AWS Lambda UpdateFunctionCode - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["Suspicious Cloud User Activities"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - AWS Lambda UpdateFunctionCode - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious Cloud User Activities"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "211b80d3-6340-4345-11ad-212bf3d0d111", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` eventSource=lambda.amazonaws.com eventName=UpdateFunctionCode* errorCode = success user_type=IAMUser | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.functionName) as function_updated by src_ip user_arn user_agent user_type eventName aws_account_id |`aws_lambda_updatefunctioncode_filter` - -[ESCU - AWS Multi-Factor Authentication Disabled - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies an attempt to disable multi-factor authentication for an AWS IAM user. An adversary who has obtained access to an AWS tenant may disable multi-factor authentication as a way to plant a backdoor and maintain persistence using a valid account. This way the attackers can keep persistance in the environment without adding new users. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1621", "T1556", "T1556.006"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies an attempt to disable multi-factor authentication for an AWS IAM user. An adversary who has obtained access to an AWS tenant may disable multi-factor authentication as a way to plant a backdoor and maintain persistence using a valid account. This way the attackers can keep persistance in the environment without adding new users. -action.escu.how_to_implement = The Splunk AWS Add-on is required to utilize this data. The search requires AWS CloudTrail logs. -action.escu.known_false_positives = AWS Administrators may disable MFA but it is highly unlikely for this event to occur without prior notice to the company -action.escu.creation_date = 2022-10-04 -action.escu.modification_date = 2022-10-04 -action.escu.confidence = high -action.escu.full_search_name = ESCU - AWS Multi-Factor Authentication Disabled - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["AWS Identity and Access Management Account Takeover"] -action.risk = 1 -action.risk.param._risk_message = User $user_name$ has disabled Multi-Factor authentication for AWS account $aws_account_id$ -action.risk.param._risk = [{"risk_object_field": "aws_account_id", "risk_object_type": "other", "risk_score": 64}, {"risk_object_field": "user_name", "risk_object_type": "user", "risk_score": 64}, {"threat_object_field": "src", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - AWS Multi-Factor Authentication Disabled - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1621", "T1556", "T1556.006"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "374832b1-3603-420c-b456-b373e24d34c0", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies an attempt to disable multi-factor authentication for an AWS IAM user. An adversary who has obtained access to an AWS tenant may disable multi-factor authentication as a way to plant a backdoor and maintain persistence using a valid account. This way the attackers can keep persistance in the environment without adding new users. -action.notable.param.rule_title = AWS Multi-Factor Authentication Disabled -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` (eventName= DeleteVirtualMFADevice OR eventName=DeactivateMFADevice) | stats count min(_time) as firstTime max(_time) as lastTime by src eventName eventSource aws_account_id userAgent eventID awsRegion user_name userIdentity.arn status | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_multi_factor_authentication_disabled_filter` - -[ESCU - AWS Multiple Failed MFA Requests For User - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies multiple failed multi-factor authentication requests to an AWS Console for a single user. AWS CloudTrail logs provide a a very useful field called `additionalEventData` that logs information regarding usage of MFA. Specifically, the analytic triggers when more than 10 MFA user prompts fail within 10 minutes. AWS Environments can be very different depending on the organization, Security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls as reported by Mandiant and others. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1621"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies multiple failed multi-factor authentication requests to an AWS Console for a single user. AWS CloudTrail logs provide a a very useful field called `additionalEventData` that logs information regarding usage of MFA. Specifically, the analytic triggers when more than 10 MFA user prompts fail within 10 minutes. AWS Environments can be very different depending on the organization, Security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls as reported by Mandiant and others. -action.escu.how_to_implement = The Splunk AWS Add-on is required to utilize this data. The search requires AWS CloudTrail logs. -action.escu.known_false_positives = Multiple Failed MFA requests may also be a sign of authentication or application issues. Filter as needed. -action.escu.creation_date = 2022-10-03 -action.escu.modification_date = 2022-10-03 -action.escu.confidence = high -action.escu.full_search_name = ESCU - AWS Multiple Failed MFA Requests For User - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["AWS Identity and Access Management Account Takeover"] -action.risk = 1 -action.risk.param._risk_message = User $user_name$ is seen to have high number of MFA prompt failures within a short period of time. -action.risk.param._risk = [{"risk_object_field": "user_name", "risk_object_type": "user", "risk_score": 64}, {"threat_object_field": "src", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - AWS Multiple Failed MFA Requests For User - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1621"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "1fece617-e614-4329-9e61-3ba228c0f353", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` eventName= ConsoleLogin "additionalEventData.MFAUsed"=Yes errorMessage="Failed authentication" | bucket span=5m _time | stats dc(_raw) as mfa_prompts values(userAgent) as userAgent values(src) as src by _time user_name user_arn aws_account_id eventName errorMessage | where mfa_prompts > 10| `aws_multiple_failed_mfa_requests_for_user_filter` - -[ESCU - AWS Multiple Users Failing To Authenticate From Ip - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies one source Ip failing to authenticate into the AWS Console with 30 unique valid users within 10 minutes. This behavior could represent an adversary performing a Password Spraying attack against an AWS environment tenant to obtain initial access or elevate privileges. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies one source Ip failing to authenticate into the AWS Console with 30 unique valid users within 10 minutes. This behavior could represent an adversary performing a Password Spraying attack against an AWS environment tenant to obtain initial access or elevate privileges. -action.escu.how_to_implement = You must install Splunk Add-on for AWS in order to ingest Cloudtrail. We recommend the users to try different combinations of the bucket span time and the tried account threshold to tune this search according to their environment. -action.escu.known_false_positives = No known false postives for this detection. Please review this alert -action.escu.creation_date = 2022-09-27 -action.escu.modification_date = 2022-09-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - AWS Multiple Users Failing To Authenticate From Ip - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["AWS Identity and Access Management Account Takeover", "Compromised User Account"] -action.risk = 1 -action.risk.param._risk_message = Multiple failed console login attempts (Count: $unique_accounts$) against users from IP Address - $src_ip$ -action.risk.param._risk = [{"threat_object_field": "src_ip", "threat_object_type": "ip_address"}, {"risk_object_field": "tried_accounts", "risk_object_type": "user", "risk_score": 54}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - AWS Multiple Users Failing To Authenticate From Ip - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Identity and Access Management Account Takeover", "Compromised User Account"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "71e1fb89-dd5f-4691-8523-575420de4630", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` eventName=ConsoleLogin action=failure | bucket span=10m _time | stats dc(user_name) AS unique_accounts values(user_name) as tried_accounts by _time, src_ip |`aws_unusual_number_of_failed_authentications_from_ip_filter` - -[ESCU - AWS Network Access Control List Created with All Open Ports - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the creation of AWS Network Access Control Lists (ACLs) with all ports open to a specified CIDR. It leverages AWS CloudTrail events, specifically monitoring for `CreateNetworkAclEntry` or `ReplaceNetworkAclEntry` actions with rules allowing all traffic. This activity is significant because it can expose the network to unauthorized access, increasing the risk of data breaches and other malicious activities. If confirmed malicious, an attacker could exploit this misconfiguration to gain unrestricted access to the network, potentially leading to data exfiltration, service disruption, or further compromise of the AWS environment. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.007", "T1562"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects the creation of AWS Network Access Control Lists (ACLs) with all ports open to a specified CIDR. It leverages AWS CloudTrail events, specifically monitoring for `CreateNetworkAclEntry` or `ReplaceNetworkAclEntry` actions with rules allowing all traffic. This activity is significant because it can expose the network to unauthorized access, increasing the risk of data breaches and other malicious activities. If confirmed malicious, an attacker could exploit this misconfiguration to gain unrestricted access to the network, potentially leading to data exfiltration, service disruption, or further compromise of the AWS environment. -action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS, version 4.4.0 or later, and configure your AWS CloudTrail inputs. -action.escu.known_false_positives = It's possible that an admin has created this ACL with all ports open for some legitimate purpose however, this should be scoped and not allowed in production environment. -action.escu.creation_date = 2024-05-14 -action.escu.modification_date = 2024-05-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - AWS Network Access Control List Created with All Open Ports - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["AWS Network ACL Activity"] -action.risk = 1 -action.risk.param._risk_message = User $user_arn$ has created network ACLs with all the ports open to a specified CIDR $requestParameters.cidrBlock$ -action.risk.param._risk = [{"threat_object_field": "src", "threat_object_type": "ip_address"}, {"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 48}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - AWS Network Access Control List Created with All Open Ports - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Network ACL Activity"], "cis20": ["CIS 13"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.007", "T1562"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "ada0f478-84a8-4641-a3f1-d82362d6bd75", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the creation of AWS Network Access Control Lists (ACLs) with all ports open to a specified CIDR. It leverages AWS CloudTrail events, specifically monitoring for `CreateNetworkAclEntry` or `ReplaceNetworkAclEntry` actions with rules allowing all traffic. This activity is significant because it can expose the network to unauthorized access, increasing the risk of data breaches and other malicious activities. If confirmed malicious, an attacker could exploit this misconfiguration to gain unrestricted access to the network, potentially leading to data exfiltration, service disruption, or further compromise of the AWS environment. -action.notable.param.rule_title = AWS Network Access Control List Created with All Open Ports -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` eventName=CreateNetworkAclEntry OR eventName=ReplaceNetworkAclEntry requestParameters.ruleAction=allow requestParameters.egress=false requestParameters.aclProtocol=-1 | append [search `cloudtrail` eventName=CreateNetworkAclEntry OR eventName=ReplaceNetworkAclEntry requestParameters.ruleAction=allow requestParameters.egress=false requestParameters.aclProtocol!=-1 | eval port_range='requestParameters.portRange.to' - 'requestParameters.portRange.from' | where port_range>1024] | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by userName user_arn userIdentity.principalId eventName requestParameters.ruleAction requestParameters.egress requestParameters.aclProtocol requestParameters.portRange.to requestParameters.portRange.from src userAgent requestParameters.cidrBlock | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `aws_network_access_control_list_created_with_all_open_ports_filter` - -[ESCU - AWS Network Access Control List Deleted - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = Enforcing network-access controls is one of the defensive mechanisms used by cloud administrators to restrict access to a cloud instance. After the attacker has gained control of the AWS console by compromising an admin account, they can delete a network ACL and gain access to the instance from anywhere. This search will query the AWS CloudTrail logs to detect users deleting network ACLs. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.007", "T1562"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = Enforcing network-access controls is one of the defensive mechanisms used by cloud administrators to restrict access to a cloud instance. After the attacker has gained control of the AWS console by compromising an admin account, they can delete a network ACL and gain access to the instance from anywhere. This search will query the AWS CloudTrail logs to detect users deleting network ACLs. -action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. -action.escu.known_false_positives = It's possible that a user has legitimately deleted a network ACL. -action.escu.creation_date = 2021-01-12 -action.escu.modification_date = 2021-01-12 -action.escu.confidence = high -action.escu.full_search_name = ESCU - AWS Network Access Control List Deleted - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["AWS Network ACL Activity"] -action.risk = 1 -action.risk.param._risk_message = User $user_arn$ from $src$ has sucessfully deleted network ACLs entry (eventName= $eventName$), such that the instance is accessible from anywhere -action.risk.param._risk = [{"threat_object_field": "src", "threat_object_type": "ip_address"}, {"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 5}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - AWS Network Access Control List Deleted - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Network ACL Activity"], "cis20": ["CIS 13"], "confidence": 50, "impact": 10, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.007", "T1562"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "ada0f478-84a8-4641-a3f1-d82362d6fd75", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` eventName=DeleteNetworkAclEntry requestParameters.egress=false | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId eventName requestParameters.egress src userAgent | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `aws_network_access_control_list_deleted_filter` - -[ESCU - AWS New MFA Method Registered For User - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the registration of a new Multi-Factor Authentication (MFA) method for an AWS account. It leverages AWS CloudTrail logs to identify the `CreateVirtualMFADevice` event. This activity is significant because adversaries who gain unauthorized access to an AWS account may register a new MFA method to maintain persistence. If confirmed malicious, this could allow attackers to secure their access, making it difficult to detect and remove their presence, potentially leading to further unauthorized activities and data breaches. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1556", "T1556.006"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects the registration of a new Multi-Factor Authentication (MFA) method for an AWS account. It leverages AWS CloudTrail logs to identify the `CreateVirtualMFADevice` event. This activity is significant because adversaries who gain unauthorized access to an AWS account may register a new MFA method to maintain persistence. If confirmed malicious, this could allow attackers to secure their access, making it difficult to detect and remove their presence, potentially leading to further unauthorized activities and data breaches. -action.escu.how_to_implement = You must install Splunk AWS add on and Splunk App for AWS. This search works when AWS CloudTrail logs. -action.escu.known_false_positives = Newly onboarded users who are registering an MFA method for the first time will also trigger this detection. -action.escu.creation_date = 2024-05-13 -action.escu.modification_date = 2024-05-13 -action.escu.confidence = high -action.escu.full_search_name = ESCU - AWS New MFA Method Registered For User - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["AWS Identity and Access Management Account Takeover"] -action.risk = 1 -action.risk.param._risk_message = A new virtual device $virtualMFADeviceName$ is added to user $user_arn$ -action.risk.param._risk = [{"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 64}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - AWS New MFA Method Registered For User - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1556", "T1556.006"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "4e3c26f2-4fb9-4bd7-ab46-1b76ffa2a23b", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the registration of a new Multi-Factor Authentication (MFA) method for an AWS account. It leverages AWS CloudTrail logs to identify the `CreateVirtualMFADevice` event. This activity is significant because adversaries who gain unauthorized access to an AWS account may register a new MFA method to maintain persistence. If confirmed malicious, this could allow attackers to secure their access, making it difficult to detect and remove their presence, potentially leading to further unauthorized activities and data breaches. -action.notable.param.rule_title = AWS New MFA Method Registered For User -action.notable.param.security_domain = identity -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` eventName=CreateVirtualMFADevice | stats count values(requestParameters.virtualMFADeviceName) as virtualMFADeviceName min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_new_mfa_method_registered_for_user_filter` - -[ESCU - AWS Password Policy Changes - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search looks for AWS CloudTrail events where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search looks for AWS CloudTrail events where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised. -action.escu.how_to_implement = You must install Splunk AWS Add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -action.escu.known_false_positives = While this search has no known false positives, it is possible that an AWS admin has legitimately triggered an AWS audit tool activity which may trigger this event. -action.escu.creation_date = 2023-01-26 -action.escu.modification_date = 2023-01-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - AWS Password Policy Changes - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["AWS IAM Privilege Escalation", "Compromised User Account"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - AWS Password Policy Changes - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS IAM Privilege Escalation", "Compromised User Account"], "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "aee4a575-7064-4e60-b511-246f9baf9895", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success | stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_password_policy_changes_filter` - -[ESCU - AWS S3 Exfiltration Behavior Identified - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This correlation search looks at the risk events created by the detection analytics related Collection and Exfiltration techniques used by adversaries. The rule is designed to identify instances where 2 or more analytics unique AWS analytics and 2 or more distinct mitre IDs has triggered for a particular risk object. This alert when triggered may indicate a potential exfiltration in progress. By aggregating these analytics, security teams can swiftly respond to and investigate any suspicious activities, enhancing their ability to protect critical assets and prevent unauthorized access to sensitive information. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1537"], "nist": ["DE.AE"]} -action.escu.data_models = ["Risk"] -action.escu.eli5 = This correlation search looks at the risk events created by the detection analytics related Collection and Exfiltration techniques used by adversaries. The rule is designed to identify instances where 2 or more analytics unique AWS analytics and 2 or more distinct mitre IDs has triggered for a particular risk object. This alert when triggered may indicate a potential exfiltration in progress. By aggregating these analytics, security teams can swiftly respond to and investigate any suspicious activities, enhancing their ability to protect critical assets and prevent unauthorized access to sensitive information. -action.escu.how_to_implement = You must enable all the detection searches in the Data Exfiltration Analytic story to create risk events in Enterprise Security. -action.escu.known_false_positives = alse positives may be present based on automated tooling or system administrators. Filter as needed. -action.escu.creation_date = 2023-11-07 -action.escu.modification_date = 2023-11-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - AWS S3 Exfiltration Behavior Identified - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Data Exfiltration", "Suspicious Cloud Instance Activities"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - RIR - AWS S3 Exfiltration Behavior Identified - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Exfiltration", "Suspicious Cloud Instance Activities"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1537"], "nist": ["DE.AE"], "type": "Correlation"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "85096389-a443-42df-b89d-200efbb1b560", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This correlation search looks at the risk events created by the detection analytics related Collection and Exfiltration techniques used by adversaries. The rule is designed to identify instances where 2 or more analytics unique AWS analytics and 2 or more distinct mitre IDs has triggered for a particular risk object. This alert when triggered may indicate a potential exfiltration in progress. By aggregating these analytics, security teams can swiftly respond to and investigate any suspicious activities, enhancing their ability to protect critical assets and prevent unauthorized access to sensitive information. -action.notable.param.rule_title = RBA: AWS S3 Exfiltration Behavior Identified -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count values(All_Risk.risk_message) as risk_message from datamodel=Risk.All_Risk where All_Risk.annotations.mitre_attack.mitre_tactic = "collection" OR All_Risk.annotations.mitre_attack.mitre_tactic = "exfiltration" source = *AWS* by All_Risk.risk_object | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 2 and mitre_tactic_id_count>=2 | `aws_s3_exfiltration_behavior_identified_filter` - -[ESCU - AWS SAML Access by Provider User and Principal - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search provides specific SAML access from specific Service Provider, user and targeted principal at AWS. This search provides specific information to detect abnormal access or potential credential hijack or forgery, specially in federated environments using SAML protocol inside the perimeter or cloud provider. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search provides specific SAML access from specific Service Provider, user and targeted principal at AWS. This search provides specific information to detect abnormal access or potential credential hijack or forgery, specially in federated environments using SAML protocol inside the perimeter or cloud provider. -action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs -action.escu.known_false_positives = Attacks using a Golden SAML or SAML assertion hijacks or forgeries are very difficult to detect as accessing cloud providers with these assertions looks exactly like normal access, however things such as source IP sourceIPAddress user, and principal targeted at receiving cloud provider along with endpoint credential access and abuse detection searches can provide the necessary context to detect these attacks. -action.escu.creation_date = 2021-01-26 -action.escu.modification_date = 2021-01-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - AWS SAML Access by Provider User and Principal - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["Cloud Federated Credential Abuse"] -action.risk = 1 -action.risk.param._risk_message = From IP address $sourceIPAddress$, user agent $userAgent$ has trigged an event $eventName$ for account ID $recipientAccountId$ -action.risk.param._risk = [{"threat_object_field": "sourceIPAddress", "threat_object_type": "ip_address"}, {"risk_object_field": "recipientAccountId", "risk_object_type": "other", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - AWS SAML Access by Provider User and Principal - Rule -action.correlationsearch.annotations = {"analytic_story": ["Cloud Federated Credential Abuse"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "bbe23980-6019-11eb-ae93-0242ac130002", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` eventName=Assumerolewithsaml | stats count min(_time) as firstTime max(_time) as lastTime by eventName requestParameters.principalArn requestParameters.roleArn requestParameters.roleSessionName recipientAccountId responseElements.issuer sourceIPAddress userAgent | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |`aws_saml_access_by_provider_user_and_principal_filter` - -[ESCU - AWS SAML Update identity provider - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search provides detection of updates to SAML provider in AWS. Updates to SAML provider need to be monitored closely as they may indicate possible perimeter compromise of federated credentials, or backdoor access from another cloud provider set by attacker. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This search provides detection of updates to SAML provider in AWS. Updates to SAML provider need to be monitored closely as they may indicate possible perimeter compromise of federated credentials, or backdoor access from another cloud provider set by attacker. -action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -action.escu.known_false_positives = Updating a SAML provider or creating a new one may not necessarily be malicious however it needs to be closely monitored. -action.escu.creation_date = 2021-01-26 -action.escu.modification_date = 2021-01-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - AWS SAML Update identity provider - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["Cloud Federated Credential Abuse"] -action.risk = 1 -action.risk.param._risk_message = User $userIdentity.principalId$ from IP address $sourceIPAddress$ has trigged an event $eventName$ to update the SAML provider to $requestParameters.sAMLProviderArn$ -action.risk.param._risk = [{"threat_object_field": "sourceIPAddress", "threat_object_type": "ip_address"}, {"risk_object_field": "userIdentity.principalId", "risk_object_type": "user", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - AWS SAML Update identity provider - Rule -action.correlationsearch.annotations = {"analytic_story": ["Cloud Federated Credential Abuse"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "2f0604c6-6030-11eb-ae93-0242ac130002", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search provides detection of updates to SAML provider in AWS. Updates to SAML provider need to be monitored closely as they may indicate possible perimeter compromise of federated credentials, or backdoor access from another cloud provider set by attacker. -action.notable.param.rule_title = AWS SAML Update identity provider -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` eventName=UpdateSAMLProvider | stats count min(_time) as firstTime max(_time) as lastTime by eventType eventName requestParameters.sAMLProviderArn userIdentity.sessionContext.sessionIssuer.arn sourceIPAddress userIdentity.accessKeyId userIdentity.principalId | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |`aws_saml_update_identity_provider_filter` - -[ESCU - AWS SetDefaultPolicyVersion - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search looks for AWS CloudTrail events where a user has set a default policy versions. Attackers have been know to use this technique for Privilege Escalation in case the previous versions of the policy had permissions to access more resources than the current version of the policy -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This search looks for AWS CloudTrail events where a user has set a default policy versions. Attackers have been know to use this technique for Privilege Escalation in case the previous versions of the policy had permissions to access more resources than the current version of the policy -action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -action.escu.known_false_positives = While this search has no known false positives, it is possible that an AWS admin has legitimately set a default policy to allow a user to access all resources. That said, AWS strongly advises against granting full control to all AWS resources -action.escu.creation_date = 2021-03-02 -action.escu.modification_date = 2021-03-02 -action.escu.confidence = high -action.escu.full_search_name = ESCU - AWS SetDefaultPolicyVersion - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["AWS IAM Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = From IP address $src$, user $user_arn$ has trigged an event $eventName$ for updating the the default policy version -action.risk.param._risk = [{"threat_object_field": "src", "threat_object_type": "ip_address"}, {"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 30}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - AWS SetDefaultPolicyVersion - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS IAM Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 60, "impact": 50, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "2a9b80d3-6340-4345-11ad-212bf3d0dac4", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search looks for AWS CloudTrail events where a user has set a default policy versions. Attackers have been know to use this technique for Privilege Escalation in case the previous versions of the policy had permissions to access more resources than the current version of the policy -action.notable.param.rule_title = AWS SetDefaultPolicyVersion -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` eventName=SetDefaultPolicyVersion eventSource = iam.amazonaws.com | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.policyArn) as policy_arn by src requestParameters.versionId eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_setdefaultpolicyversion_filter` - -[ESCU - AWS Successful Console Authentication From Multiple IPs - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies an AWS account successfully authenticating from more than one unique Ip address in the span of 5 minutes. This behavior could represent an adversary who has stolen credentials via a phishing attack or some other method and using them to access corporate online resources around the same time as a legitimate user. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Weaponization"], "mitre_attack": ["T1586", "T1535"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies an AWS account successfully authenticating from more than one unique Ip address in the span of 5 minutes. This behavior could represent an adversary who has stolen credentials via a phishing attack or some other method and using them to access corporate online resources around the same time as a legitimate user. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments. -action.escu.how_to_implement = You must install Splunk AWS add on and Splunk App for AWS. This search works when AWS CloudTrail events are normalized use the Authentication datamodel. -action.escu.known_false_positives = A user with successful authentication events from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment. -action.escu.creation_date = 2023-11-07 -action.escu.modification_date = 2023-11-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - AWS Successful Console Authentication From Multiple IPs - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["Compromised User Account", "Suspicious AWS Login Activities"] -action.risk = 1 -action.risk.param._risk_message = User $user_arn$ has successfully logged into the AWS Console from different IP addresses $src_ip$ within 5 mins -action.risk.param._risk = [{"threat_object_field": "src_ip", "threat_object_type": "ip_address"}, {"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 72}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - AWS Successful Console Authentication From Multiple IPs - Rule -action.correlationsearch.annotations = {"analytic_story": ["Compromised User Account", "Suspicious AWS Login Activities"], "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Exploitation", "Weaponization"], "mitre_attack": ["T1586", "T1535"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "395e50e1-2b87-4fa3-8632-0dfbdcbcd2cb", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` eventName = ConsoleLogin | bin span=5m _time | stats values(userAgent) as userAgent values(eventName) as eventName values(src_ip) as src_ip dc(src_ip) as distinct_ip_count by _time user_arn | where distinct_ip_count>1 | `aws_successful_console_authentication_from_multiple_ips_filter` - -[ESCU - AWS Successful Single-Factor Authentication - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a successful Console Login authentication event against an AWS IAM user for an account without Multi-Factor Authentication enabled. This could be evidence of a misconfiguration, a policy violation or an account take over attempt that should be investigated -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies a successful Console Login authentication event against an AWS IAM user for an account without Multi-Factor Authentication enabled. This could be evidence of a misconfiguration, a policy violation or an account take over attempt that should be investigated -action.escu.how_to_implement = The Splunk AWS Add-on is required to utilize this data. The search requires AWS CloudTrail logs. -action.escu.known_false_positives = It is possible that some accounts do not have MFA enabled for the AWS account however its agaisnt the best practices of securing AWS. -action.escu.creation_date = 2022-10-04 -action.escu.modification_date = 2022-10-04 -action.escu.confidence = high -action.escu.full_search_name = ESCU - AWS Successful Single-Factor Authentication - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["AWS Identity and Access Management Account Takeover"] -action.risk = 1 -action.risk.param._risk_message = User $user_name$ has successfully logged into an AWS Console without Multi-Factor Authentication from $src$ -action.risk.param._risk = [{"risk_object_field": "user_name", "risk_object_type": "user", "risk_score": 64}, {"threat_object_field": "src", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - AWS Successful Single-Factor Authentication - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a520b1fe-cc9e-4f56-b762-18354594c52f", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a successful Console Login authentication event against an AWS IAM user for an account without Multi-Factor Authentication enabled. This could be evidence of a misconfiguration, a policy violation or an account take over attempt that should be investigated -action.notable.param.rule_title = AWS Successful Single-Factor Authentication -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` eventName= ConsoleLogin errorCode=success "additionalEventData.MFAUsed"=No | stats count min(_time) as firstTime max(_time) as lastTime by src eventName eventSource aws_account_id errorCode additionalEventData.MFAUsed userAgent eventID awsRegion user_name userIdentity.arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_successful_single_factor_authentication_filter` - -[ESCU - AWS Unusual Number of Failed Authentications From Ip - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies one source IP failing to authenticate into the AWS Console with multiple valid users. This behavior could represent an adversary performing a Password Spraying attack against an AWS environment to obtain initial access or elevate privileges. The detection calculates the standard deviation for source IP and leverages the 3-sigma statistical rule to identify an unusual number of failed authentication attempts. To customize this analytic, users can try different combinations of the bucket span time and the calculation of the upperBound field. This logic can be used for real time security monitoring as well as threat hunting exercises. While looking for anomalies using statistical methods like the standard deviation can have benefits, we also recommend using threshold-based detections to complement coverage. A similar analytic following the threshold model is `AWS Multiple Users Failing To Authenticate From Ip`. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies one source IP failing to authenticate into the AWS Console with multiple valid users. This behavior could represent an adversary performing a Password Spraying attack against an AWS environment to obtain initial access or elevate privileges. The detection calculates the standard deviation for source IP and leverages the 3-sigma statistical rule to identify an unusual number of failed authentication attempts. To customize this analytic, users can try different combinations of the bucket span time and the calculation of the upperBound field. This logic can be used for real time security monitoring as well as threat hunting exercises. While looking for anomalies using statistical methods like the standard deviation can have benefits, we also recommend using threshold-based detections to complement coverage. A similar analytic following the threshold model is `AWS Multiple Users Failing To Authenticate From Ip`. -action.escu.how_to_implement = You must install Splunk Add-on for AWS in order to ingest Cloudtrail. We recommend the users to try different combinations of the bucket span time and the calculation of the upperBound field to tune this search according to their environment -action.escu.known_false_positives = No known false postives for this detection. Please review this alert -action.escu.creation_date = 2023-11-07 -action.escu.modification_date = 2023-11-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - AWS Unusual Number of Failed Authentications From Ip - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["AWS Identity and Access Management Account Takeover"] -action.risk = 1 -action.risk.param._risk_message = Unusual number of failed console login attempts (Count: $distinct_attempts$) against users from IP Address - $src_ip$ -action.risk.param._risk = [{"threat_object_field": "src_ip", "threat_object_type": "ip_address"}, {"risk_object_field": "tried_accounts", "risk_object_type": "user", "risk_score": 54}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - AWS Unusual Number of Failed Authentications From Ip - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Exploitation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "0b5c9c2b-e2cb-4831-b4f1-af125ceb1386", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` eventName=ConsoleLogin action=failure | bucket span=10m _time | stats dc(_raw) AS distinct_attempts values(user_name) as tried_accounts by _time, src_ip | eventstats avg(distinct_attempts) as avg_attempts , stdev(distinct_attempts) as ip_std by _time | eval upperBound=(avg_attempts+ip_std*3) | eval isOutlier=if(distinct_attempts > 10 and distinct_attempts >= upperBound, 1, 0) | where isOutlier = 1 |`aws_unusual_number_of_failed_authentications_from_ip_filter` - -[ESCU - AWS UpdateLoginProfile - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search looks for AWS CloudTrail events where a user A who has already permission to update login profile, makes an API call to update login profile for another user B . Attackers have been know to use this technique for Privilege Escalation in case new victim(user B) has more permissions than old victim(user B) -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This search looks for AWS CloudTrail events where a user A who has already permission to update login profile, makes an API call to update login profile for another user B . Attackers have been know to use this technique for Privilege Escalation in case new victim(user B) has more permissions than old victim(user B) -action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. -action.escu.known_false_positives = While this search has no known false positives, it is possible that an AWS admin has legitimately created keys for another user. -action.escu.creation_date = 2022-03-03 -action.escu.modification_date = 2022-03-03 -action.escu.confidence = high -action.escu.full_search_name = ESCU - AWS UpdateLoginProfile - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["AWS IAM Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = From IP address $src$, user agent $userAgent$ has trigged an event $eventName$ for updating the existing login profile, potentially giving user $user_arn$ more access privilleges -action.risk.param._risk = [{"threat_object_field": "src", "threat_object_type": "ip_address"}, {"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 30}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - AWS UpdateLoginProfile - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS IAM Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 60, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "2a9b80d3-6a40-4115-11ad-212bf3d0d111", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search looks for AWS CloudTrail events where a user A who has already permission to update login profile, makes an API call to update login profile for another user B . Attackers have been know to use this technique for Privilege Escalation in case new victim(user B) has more permissions than old victim(user B) -action.notable.param.rule_title = AWS UpdateLoginProfile -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success | eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0) | search match=0 | stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_updateloginprofile_filter` - -[ESCU - Azure Active Directory High Risk Sign-in - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic triggers on a high risk sign-in against Azure Active Directory identified by Azure Identity Protection. Identity Protection monitors sign-in events using heuristics and machine learning to identify potentially malicious events and categorizes them in three categories high, medium and low. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003"], "nist": ["DE.CM"]} -action.escu.data_models = ["Risk"] -action.escu.eli5 = The following analytic triggers on a high risk sign-in against Azure Active Directory identified by Azure Identity Protection. Identity Protection monitors sign-in events using heuristics and machine learning to identify potentially malicious events and categorizes them in three categories high, medium and low. -action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. Specifically, this analytic leverages the RiskyUsers and UserRiskEvents log category in the azure:monitor:aad sourcetype. -action.escu.known_false_positives = Details for the risk calculation algorithm used by Identity Protection are unknown and may be prone to false positives. -action.escu.creation_date = 2023-12-20 -action.escu.modification_date = 2023-12-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Azure Active Directory High Risk Sign-in - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Azure AD", "Entra ID"] -action.escu.analytic_story = ["Azure Active Directory Account Takeover"] -action.risk = 1 -action.risk.param._risk_message = A high risk event was identified by Identify Protection for user $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 54}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Azure Active Directory High Risk Sign-in - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Exploitation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "1ecff169-26d7-4161-9a7b-2ac4c8e61bea", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic triggers on a high risk sign-in against Azure Active Directory identified by Azure Identity Protection. Identity Protection monitors sign-in events using heuristics and machine learning to identify potentially malicious events and categorizes them in three categories high, medium and low. -action.notable.param.rule_title = Azure Active Directory High Risk Sign-in -action.notable.param.security_domain = identity -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `azure_monitor_aad` category=UserRiskEvents properties.riskLevel=high | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip, activity, riskLevel, riskEventType, additionalInfo | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_active_directory_high_risk_sign_in_filter` - -[ESCU - Azure AD Admin Consent Bypassed by Service Principal - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This detection focuses on identifying instances in Azure Active Directory where a service principal assigns app roles without standard admin consent, using Entra ID logs. It operates on the azure_monitor_aad data source, scrutinizing the "Add app role assignment to service principal" operation, specifically from service principals. The query dissects details such as role ID, value, and description, important for understanding the nature of the roles being assigned. Monitoring this in a SOC is critical as it flags potential bypasses of vital administrative consent processes in Azure AD, which could result in unauthorized privileges being granted. A true positive detection suggests that a service principal may be exploiting automation to assign sensitive permissions without proper oversight. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098.003"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This detection focuses on identifying instances in Azure Active Directory where a service principal assigns app roles without standard admin consent, using Entra ID logs. It operates on the azure_monitor_aad data source, scrutinizing the "Add app role assignment to service principal" operation, specifically from service principals. The query dissects details such as role ID, value, and description, important for understanding the nature of the roles being assigned. Monitoring this in a SOC is critical as it flags potential bypasses of vital administrative consent processes in Azure AD, which could result in unauthorized privileges being granted. A true positive detection suggests that a service principal may be exploiting automation to assign sensitive permissions without proper oversight. -action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Auditlog log category -action.escu.known_false_positives = Service Principals are sometimes configured to legitimately bypass the consent process for purposes of automation. Filter as needed. -action.escu.creation_date = 2024-02-09 -action.escu.modification_date = 2024-02-09 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Azure AD Admin Consent Bypassed by Service Principal - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Azure AD", "Entra ID"] -action.escu.analytic_story = ["Azure Active Directory Privilege Escalation", "NOBELIUM Group"] -action.risk = 1 -action.risk.param._risk_message = Service principal $src_user$ bypassed the admin consent process and granted permissions to $dest_user$ -action.risk.param._risk = [{"risk_object_field": "src_user", "risk_object_type": "user", "risk_score": 54}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Azure AD Admin Consent Bypassed by Service Principal - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Privilege Escalation", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098.003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "9d4fea43-9182-4c5a-ada8-13701fd5615d", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This detection focuses on identifying instances in Azure Active Directory where a service principal assigns app roles without standard admin consent, using Entra ID logs. It operates on the azure_monitor_aad data source, scrutinizing the "Add app role assignment to service principal" operation, specifically from service principals. The query dissects details such as role ID, value, and description, important for understanding the nature of the roles being assigned. Monitoring this in a SOC is critical as it flags potential bypasses of vital administrative consent processes in Azure AD, which could result in unauthorized privileges being granted. A true positive detection suggests that a service principal may be exploiting automation to assign sensitive permissions without proper oversight. -action.notable.param.rule_title = Azure AD Admin Consent Bypassed by Service Principal -action.notable.param.security_domain = identity -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `azure_monitor_aad` operationName="Add app role assignment to service principal" src_user_type=servicePrincipal | rename properties.* as * | eval roleId = mvindex('targetResources{}.modifiedProperties{}.newValue', 0) | eval roleValue = mvindex('targetResources{}.modifiedProperties{}.newValue', 1) | eval roleDescription = mvindex('targetResources{}.modifiedProperties{}.newValue', 2) | eval dest_user = mvindex('targetResources{}.id', 0) | rename initiatedBy.app.displayName as src_user | stats count earliest(_time) as firstTime latest(_time) as lastTime by src_user dest_user roleId roleValue roleDescription | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_admin_consent_bypassed_by_service_principal_filter` - -[ESCU - Azure AD Application Administrator Role Assigned - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the assignment of the Application Administrator role to an Azure AD user. Users in this role can create and manage all aspects of enterprise applications, application registrations, and application proxy settings. This role also grants the ability to manage application credentials. Users assigned this role can add credentials to an application, and use those credentials to impersonate the applications identity. If the applications identity has been granted access to a resource, such as the ability to create or update User or other objects, then a user assigned to this role could perform those actions while impersonating the application. This ability to impersonate the applications identity may be an elevation of privilege over what the user can do via their role assignments. Red teams and adversaries alike may abuse this role to escalate their privileges in an Azure AD tenant. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies the assignment of the Application Administrator role to an Azure AD user. Users in this role can create and manage all aspects of enterprise applications, application registrations, and application proxy settings. This role also grants the ability to manage application credentials. Users assigned this role can add credentials to an application, and use those credentials to impersonate the applications identity. If the applications identity has been granted access to a resource, such as the ability to create or update User or other objects, then a user assigned to this role could perform those actions while impersonating the application. This ability to impersonate the applications identity may be an elevation of privilege over what the user can do via their role assignments. Red teams and adversaries alike may abuse this role to escalate their privileges in an Azure AD tenant. -action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Auditlog log category -action.escu.known_false_positives = Administrators may legitimately assign the Application Administrator role to a user. Filter as needed. -action.escu.creation_date = 2023-12-20 -action.escu.modification_date = 2023-12-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Azure AD Application Administrator Role Assigned - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Azure AD", "Entra ID"] -action.escu.analytic_story = ["Azure Active Directory Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = The privileged Azure AD role Application Administrator was assigned for User $user$ initiated by $initiatedBy$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 35}, {"risk_object_field": "initiatedBy", "risk_object_type": "other", "risk_score": 35}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Azure AD Application Administrator Role Assigned - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "eac4de87-7a56-4538-a21b-277897af6d8d", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the assignment of the Application Administrator role to an Azure AD user. Users in this role can create and manage all aspects of enterprise applications, application registrations, and application proxy settings. This role also grants the ability to manage application credentials. Users assigned this role can add credentials to an application, and use those credentials to impersonate the applications identity. If the applications identity has been granted access to a resource, such as the ability to create or update User or other objects, then a user assigned to this role could perform those actions while impersonating the application. This ability to impersonate the applications identity may be an elevation of privilege over what the user can do via their role assignments. Red teams and adversaries alike may abuse this role to escalate their privileges in an Azure AD tenant. -action.notable.param.rule_title = Azure AD Application Administrator Role Assigned -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `azure_monitor_aad` "operationName"="Add member to role" "properties.targetResources{}.modifiedProperties{}.newValue"="\"Application Administrator\"" | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | stats count min(_time) as firstTime max(_time) as lastTime by user initiatedBy, result, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_application_administrator_role_assigned_filter` - -[ESCU - Azure AD Authentication Failed During MFA Challenge - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies an authentication attempt event against an Azure AD tenant that fails during the Multi Factor Authentication challenge. Error Code 500121 represents a failed attempt to authenticate using a second factor. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004", "T1621"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies an authentication attempt event against an Azure AD tenant that fails during the Multi Factor Authentication challenge. Error Code 500121 represents a failed attempt to authenticate using a second factor. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled. -action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category. -action.escu.known_false_positives = Legitimate users may miss to reply the MFA challenge within the time window or deny it by mistake. -action.escu.creation_date = 2023-12-20 -action.escu.modification_date = 2023-12-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Azure AD Authentication Failed During MFA Challenge - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Azure AD", "Entra ID"] -action.escu.analytic_story = ["Azure Active Directory Account Takeover"] -action.risk = 1 -action.risk.param._risk_message = User $user$ failed to pass MFA challenge -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 54}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Azure AD Authentication Failed During MFA Challenge - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004", "T1621"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e62c9c2e-bf51-4719-906c-3074618fcc1c", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies an authentication attempt event against an Azure AD tenant that fails during the Multi Factor Authentication challenge. Error Code 500121 represents a failed attempt to authenticate using a second factor. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled. -action.notable.param.rule_title = Azure AD Authentication Failed During MFA Challenge -action.notable.param.security_domain = identity -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `azure_monitor_aad` category=SignInLogs properties.status.errorCode=500121 | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime by user, src_ip, status.additionalDetails, appDisplayName, user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_authentication_failed_during_mfa_challenge_filter` - -[ESCU - Azure AD Block User Consent For Risky Apps Disabled - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic detects when the risk-based step-up consent security setting in Azure AD is disabled. This setting, when enabled, prevents regular users from granting consent to potentially malicious OAuth applications, requiring an administrative step-up for consent instead. Disabling this feature could expose the organization to OAuth phishing threats.The detection operates by monitoring Azure Active Directory logs for events where the "Update authorization policy" operation is performed. It specifically looks for changes to the "AllowUserConsentForRiskyApps" setting, identifying instances where this setting is switched to "true," effectively disabling the risk-based step-up consent. Monitoring for changes to critical security settings like the "risk-based step-up consent" is vital for maintaining the integrity of an organization's security posture. Disabling this feature can make the environment more susceptible to OAuth phishing attacks, where attackers trick users into granting permissions to malicious applications. Identifying when this setting is disabled can help blue teams to quickly respond, investigate, and potentially uncover targeted phishing campaigns against their users. If an attacker successfully disables the "risk-based step-up consent" and subsequently launches an OAuth phishing campaign, they could gain unauthorized access to user data and other sensitive information within the M365 environment. This could lead to data breaches, unauthorized access to emails, and potentially further compromise within the organization -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562"], "nist": ["DE.CM"]} -action.escu.data_models = ["Risk"] -action.escu.eli5 = This analytic detects when the risk-based step-up consent security setting in Azure AD is disabled. This setting, when enabled, prevents regular users from granting consent to potentially malicious OAuth applications, requiring an administrative step-up for consent instead. Disabling this feature could expose the organization to OAuth phishing threats.The detection operates by monitoring Azure Active Directory logs for events where the "Update authorization policy" operation is performed. It specifically looks for changes to the "AllowUserConsentForRiskyApps" setting, identifying instances where this setting is switched to "true," effectively disabling the risk-based step-up consent. Monitoring for changes to critical security settings like the "risk-based step-up consent" is vital for maintaining the integrity of an organization's security posture. Disabling this feature can make the environment more susceptible to OAuth phishing attacks, where attackers trick users into granting permissions to malicious applications. Identifying when this setting is disabled can help blue teams to quickly respond, investigate, and potentially uncover targeted phishing campaigns against their users. If an attacker successfully disables the "risk-based step-up consent" and subsequently launches an OAuth phishing campaign, they could gain unauthorized access to user data and other sensitive information within the M365 environment. This could lead to data breaches, unauthorized access to emails, and potentially further compromise within the organization -action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. -action.escu.known_false_positives = Legitimate changes to the 'risk-based step-up consent' setting by administrators, perhaps as part of a policy update or security assessment, may trigger this alert, necessitating verification of the change's intent and authorization -action.escu.creation_date = 2023-12-20 -action.escu.modification_date = 2023-12-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Azure AD Block User Consent For Risky Apps Disabled - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Azure AD", "Entra ID"] -action.escu.analytic_story = ["Azure Active Directory Account Takeover"] -action.risk = 1 -action.risk.param._risk_message = User $user$ disabled the BlockUserConsentForRiskyApps Azure AD setting. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 30}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Azure AD Block User Consent For Risky Apps Disabled - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "875de3d7-09bc-4916-8c0a-0929f4ced3d8", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic detects when the risk-based step-up consent security setting in Azure AD is disabled. This setting, when enabled, prevents regular users from granting consent to potentially malicious OAuth applications, requiring an administrative step-up for consent instead. Disabling this feature could expose the organization to OAuth phishing threats.The detection operates by monitoring Azure Active Directory logs for events where the "Update authorization policy" operation is performed. It specifically looks for changes to the "AllowUserConsentForRiskyApps" setting, identifying instances where this setting is switched to "true," effectively disabling the risk-based step-up consent. Monitoring for changes to critical security settings like the "risk-based step-up consent" is vital for maintaining the integrity of an organization's security posture. Disabling this feature can make the environment more susceptible to OAuth phishing attacks, where attackers trick users into granting permissions to malicious applications. Identifying when this setting is disabled can help blue teams to quickly respond, investigate, and potentially uncover targeted phishing campaigns against their users. If an attacker successfully disables the "risk-based step-up consent" and subsequently launches an OAuth phishing campaign, they could gain unauthorized access to user data and other sensitive information within the M365 environment. This could lead to data breaches, unauthorized access to emails, and potentially further compromise within the organization -action.notable.param.rule_title = Azure AD Block User Consent For Risky Apps Disabled -action.notable.param.security_domain = identity -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `azure_monitor_aad` operationName="Update authorization policy" | rename properties.* as * | eval index_number = if(mvfind('targetResources{}.modifiedProperties{}.displayName', "AllowUserConsentForRiskyApps") >= 0, mvfind('targetResources{}.modifiedProperties{}.displayName', "AllowUserConsentForRiskyApps"), -1) | search index_number >= 0 | eval AllowUserConsentForRiskyApps = mvindex('targetResources{}.modifiedProperties{}.newValue',index_number) | search AllowUserConsentForRiskyApps = "[true]" | stats count min(_time) as firstTime max(_time) as lastTime by user, src_ip, operationName, AllowUserConsentForRiskyApps | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_block_user_consent_for_risky_apps_disabled_filter` - -[ESCU - Azure AD Concurrent Sessions From Different Ips - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies an Azure AD account with concurrent sessions coming from more than one unique Ip address within the span of 5 minutes. This behavior could represent a session hijacking attack whereby an adversary has extracted cookies from a victims browser and is using them from a different location to access corporate online resources. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1185"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies an Azure AD account with concurrent sessions coming from more than one unique Ip address within the span of 5 minutes. This behavior could represent a session hijacking attack whereby an adversary has extracted cookies from a victims browser and is using them from a different location to access corporate online resources. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments. -action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category. -action.escu.known_false_positives = A user with concurrent sessions from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment. -action.escu.creation_date = 2023-12-20 -action.escu.modification_date = 2023-12-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Azure AD Concurrent Sessions From Different Ips - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Azure AD", "Entra ID"] -action.escu.analytic_story = ["Azure Active Directory Account Takeover", "Compromised User Account"] -action.risk = 1 -action.risk.param._risk_message = User $user$ has concurrent sessions from more than one unique IP address in the span of 5 minutes. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 42}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Azure AD Concurrent Sessions From Different Ips - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover", "Compromised User Account"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1185"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a9126f73-9a9b-493d-96ec-0dd06695490d", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies an Azure AD account with concurrent sessions coming from more than one unique Ip address within the span of 5 minutes. This behavior could represent a session hijacking attack whereby an adversary has extracted cookies from a victims browser and is using them from a different location to access corporate online resources. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments. -action.notable.param.rule_title = Azure AD Concurrent Sessions From Different Ips -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `azure_monitor_aad` properties.authenticationDetails{}.succeeded=true category=NonInteractiveUserSignInLogs | rename properties.* as * | bucket span=30m _time | stats count min(_time) as firstTime max(_time) as lastTime dc(src_ip) AS unique_ips values(src_ip) as src_ip values(appDisplayName) as appDisplayName by user | where unique_ips > 1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_concurrent_sessions_from_different_ips_filter` - -[ESCU - Azure AD Device Code Authentication - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the execution of the Azure Device Code Phishing attack, which can lead to Azure Account Take-Over (ATO). The detection leverages Azure AD logs specifically focusing on authentication requests to identify the attack. This technique involves creating malicious infrastructure, bypassing Multi-Factor Authentication (MFA), and bypassing Conditional Access Policies (CAPs). The attack aims to compromise users by sending them phishing emails from attacker-controlled domains and trick the victims into performing OAuth 2.0 device authentication. A successful execution of this attack can result in adversaries gaining unauthorized access to Azure AD, Exchange mailboxes, and the target's Outlook Web Application (OWA). This attack technique was detailed by security researchers including Bobby Cooke, Stephan Borosh, and others. It's crucial for organizations to be aware of this threat, as it can lead to unauthorized access and potential data breaches. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation"], "mitre_attack": ["T1528", "T1566", "T1566.002"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies the execution of the Azure Device Code Phishing attack, which can lead to Azure Account Take-Over (ATO). The detection leverages Azure AD logs specifically focusing on authentication requests to identify the attack. This technique involves creating malicious infrastructure, bypassing Multi-Factor Authentication (MFA), and bypassing Conditional Access Policies (CAPs). The attack aims to compromise users by sending them phishing emails from attacker-controlled domains and trick the victims into performing OAuth 2.0 device authentication. A successful execution of this attack can result in adversaries gaining unauthorized access to Azure AD, Exchange mailboxes, and the target's Outlook Web Application (OWA). This attack technique was detailed by security researchers including Bobby Cooke, Stephan Borosh, and others. It's crucial for organizations to be aware of this threat, as it can lead to unauthorized access and potential data breaches. -action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category. -action.escu.known_false_positives = In most organizations, device code authentication will be used to access common Microsoft service but it may be legitimate for others. Filter as needed. -action.escu.creation_date = 2023-12-20 -action.escu.modification_date = 2023-12-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Azure AD Device Code Authentication - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Azure AD", "Entra ID"] -action.escu.analytic_story = ["Azure Active Directory Account Takeover"] -action.risk = 1 -action.risk.param._risk_message = Device code requested for $user$ from $src_ip$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 35}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Azure AD Device Code Authentication - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Delivery", "Exploitation"], "mitre_attack": ["T1528", "T1566", "T1566.002"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "d68d8732-6f7e-4ee5-a6eb-737f2b990b91", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the execution of the Azure Device Code Phishing attack, which can lead to Azure Account Take-Over (ATO). The detection leverages Azure AD logs specifically focusing on authentication requests to identify the attack. This technique involves creating malicious infrastructure, bypassing Multi-Factor Authentication (MFA), and bypassing Conditional Access Policies (CAPs). The attack aims to compromise users by sending them phishing emails from attacker-controlled domains and trick the victims into performing OAuth 2.0 device authentication. A successful execution of this attack can result in adversaries gaining unauthorized access to Azure AD, Exchange mailboxes, and the target's Outlook Web Application (OWA). This attack technique was detailed by security researchers including Bobby Cooke, Stephan Borosh, and others. It's crucial for organizations to be aware of this threat, as it can lead to unauthorized access and potential data breaches. -action.notable.param.rule_title = Azure AD Device Code Authentication -action.notable.param.security_domain = identity -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `azure_monitor_aad` category=SignInLogs "properties.authenticationProtocol"=deviceCode | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime by user src_ip, appDisplayName, userAgent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_device_code_authentication_filter` - -[ESCU - Azure AD External Guest User Invited - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the invitation of an external guest user within Azure AD. With Azure AD B2B collaboration, users and administrators can invite external users to collaborate with internal users. External guest account invitations should be monitored by security teams as they could potentially lead to unauthorized access. An example of this attack vector was described at BlackHat 2022 by security researcher Dirk-Jan during his tall `Backdooring and Hijacking Azure AD Accounts by Abusing External Identities` -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies the invitation of an external guest user within Azure AD. With Azure AD B2B collaboration, users and administrators can invite external users to collaborate with internal users. External guest account invitations should be monitored by security teams as they could potentially lead to unauthorized access. An example of this attack vector was described at BlackHat 2022 by security researcher Dirk-Jan during his tall `Backdooring and Hijacking Azure AD Accounts by Abusing External Identities` -action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category. -action.escu.known_false_positives = Administrator may legitimately invite external guest users. Filter as needed. -action.escu.creation_date = 2023-12-20 -action.escu.modification_date = 2023-12-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Azure AD External Guest User Invited - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Azure AD", "Entra ID"] -action.escu.analytic_story = ["Azure Active Directory Persistence"] -action.risk = 1 -action.risk.param._risk_message = External Guest User $user$ initiated by $initiatedBy$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 45}, {"risk_object_field": "initiatedBy", "risk_object_type": "other", "risk_score": 45}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Azure AD External Guest User Invited - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c1fb4edb-cab1-4359-9b40-925ffd797fb5", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the invitation of an external guest user within Azure AD. With Azure AD B2B collaboration, users and administrators can invite external users to collaborate with internal users. External guest account invitations should be monitored by security teams as they could potentially lead to unauthorized access. An example of this attack vector was described at BlackHat 2022 by security researcher Dirk-Jan during his tall `Backdooring and Hijacking Azure AD Accounts by Abusing External Identities` -action.notable.param.rule_title = Azure AD External Guest User Invited -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `azure_monitor_aad` operationName="Invite external user" | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.type as type | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by type, initiatedBy, result, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_external_guest_user_invited_filter` - -[ESCU - Azure AD FullAccessAsApp Permission Assigned - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies when the 'full_access_as_app' permission, marked by the GUID 'dc890d15-9560-4a4c-9b7f-a736ec74ec40', is assigned to an application within Office 365 Exchange Online, identified by ResourceAppId '00000002-0000-0ff1-ce00-000000000000'. This permission grants broad control over Office 365 operations, including full access to all mailboxes and the capability to send emails as any user. The query utilizes the azure_monitor_aad data source, focusing on AuditLogs with the operation name 'Update application'. This monitoring is crucial for early detection of potential unauthorized access or data exfiltration, as the 'full_access_as_app' permission could lead to significant security incidents if exploited. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098.002", "T1098.003"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies when the 'full_access_as_app' permission, marked by the GUID 'dc890d15-9560-4a4c-9b7f-a736ec74ec40', is assigned to an application within Office 365 Exchange Online, identified by ResourceAppId '00000002-0000-0ff1-ce00-000000000000'. This permission grants broad control over Office 365 operations, including full access to all mailboxes and the capability to send emails as any user. The query utilizes the azure_monitor_aad data source, focusing on AuditLogs with the operation name 'Update application'. This monitoring is crucial for early detection of potential unauthorized access or data exfiltration, as the 'full_access_as_app' permission could lead to significant security incidents if exploited. -action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category. -action.escu.known_false_positives = The full_access_as_app API permission may be assigned to legitimate applications. Filter as needed. -action.escu.creation_date = 2024-01-29 -action.escu.modification_date = 2024-01-29 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Azure AD FullAccessAsApp Permission Assigned - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Azure AD", "Entra ID"] -action.escu.analytic_story = ["Azure Active Directory Persistence", "NOBELIUM Group"] -action.risk = 1 -action.risk.param._risk_message = User $user$ assigned the full_access_as_app permission to the app registration $object$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 48}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Azure AD FullAccessAsApp Permission Assigned - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 60, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098.002", "T1098.003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "ae286126-f2ad-421c-b240-4ea83bd1c43a", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies when the 'full_access_as_app' permission, marked by the GUID 'dc890d15-9560-4a4c-9b7f-a736ec74ec40', is assigned to an application within Office 365 Exchange Online, identified by ResourceAppId '00000002-0000-0ff1-ce00-000000000000'. This permission grants broad control over Office 365 operations, including full access to all mailboxes and the capability to send emails as any user. The query utilizes the azure_monitor_aad data source, focusing on AuditLogs with the operation name 'Update application'. This monitoring is crucial for early detection of potential unauthorized access or data exfiltration, as the 'full_access_as_app' permission could lead to significant security incidents if exploited. -action.notable.param.rule_title = Azure AD FullAccessAsApp Permission Assigned -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `azure_monitor_aad` category=AuditLogs operationName="Update application" | eval newvalue = mvindex('properties.targetResources{}.modifiedProperties{}.newValue',0) | spath input=newvalue | search "{}.ResourceAppId"="00000002-0000-0ff1-ce00-000000000000" "{}.RequiredAppPermissions{}.EntitlementId"="dc890d15-9560-4a4c-9b7f-a736ec74ec40" | eval Permissions = '{}.RequiredAppPermissions{}.EntitlementId' | stats count earliest(_time) as firstTime latest(_time) as lastTime values(Permissions) by user, object, user_agent, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_fullaccessasapp_permission_assigned_filter` - -[ESCU - Azure AD Global Administrator Role Assigned - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the assignment of the Azure AD Global Administrator role to an Azure AD user. The Global Administrator role is the most powerful administrator role in Azure AD and provides almost unlimited access to data, resources and settings. It is equivalent to the Domain Administrator group in an Active Directory environment. While Azure AD roles do not grant access to Azure services and resources, it is possible for a Global Administrator account to gain control of Azure resources. Adversaries and red teams alike may assign this role to a compromised account to establish Persistence or escalate their privileges in an Azure AD environment. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098.003"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies the assignment of the Azure AD Global Administrator role to an Azure AD user. The Global Administrator role is the most powerful administrator role in Azure AD and provides almost unlimited access to data, resources and settings. It is equivalent to the Domain Administrator group in an Active Directory environment. While Azure AD roles do not grant access to Azure services and resources, it is possible for a Global Administrator account to gain control of Azure resources. Adversaries and red teams alike may assign this role to a compromised account to establish Persistence or escalate their privileges in an Azure AD environment. -action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category. -action.escu.known_false_positives = Administrators may legitimately assign the Global Administrator role to a user. Filter as needed. -action.escu.creation_date = 2023-12-20 -action.escu.modification_date = 2023-12-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Azure AD Global Administrator Role Assigned - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Azure AD", "Entra ID"] -action.escu.analytic_story = ["Azure Active Directory Persistence", "Azure Active Directory Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = Global Administrator Role assigned for User $user$ initiated by $initiatedBy$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 72}, {"risk_object_field": "initiatedBy", "risk_object_type": "other", "risk_score": 72}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Azure AD Global Administrator Role Assigned - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence", "Azure Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098.003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "825fed20-309d-4fd1-8aaf-cd49c1bb093c", "detection_version": "4"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the assignment of the Azure AD Global Administrator role to an Azure AD user. The Global Administrator role is the most powerful administrator role in Azure AD and provides almost unlimited access to data, resources and settings. It is equivalent to the Domain Administrator group in an Active Directory environment. While Azure AD roles do not grant access to Azure services and resources, it is possible for a Global Administrator account to gain control of Azure resources. Adversaries and red teams alike may assign this role to a compromised account to establish Persistence or escalate their privileges in an Azure AD environment. -action.notable.param.rule_title = Azure AD Global Administrator Role Assigned -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `azure_monitor_aad` operationName="Add member to role" properties.targetResources{}.modifiedProperties{}.newValue="\"Global Administrator\"" | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by initiatedBy, result, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_global_administrator_role_assigned_filter` - -[ESCU - Azure AD High Number Of Failed Authentications For User - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies an Azure AD account with more than 20 failed authentication events in the span of 10 minutes. This behavior could represent a brute force attack against the account. As environments differ across organizations, security teams should customize the threshold of this detection. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110", "T1110.001"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies an Azure AD account with more than 20 failed authentication events in the span of 10 minutes. This behavior could represent a brute force attack against the account. As environments differ across organizations, security teams should customize the threshold of this detection. -action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category. -action.escu.known_false_positives = A user with more than 20 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application. -action.escu.creation_date = 2023-12-20 -action.escu.modification_date = 2023-12-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Azure AD High Number Of Failed Authentications For User - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Azure AD", "Entra ID"] -action.escu.analytic_story = ["Azure Active Directory Account Takeover", "Compromised User Account"] -action.risk = 1 -action.risk.param._risk_message = User $user$ failed to authenticate more than 20 times in the span of 5 minutes. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 35}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Azure AD High Number Of Failed Authentications For User - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover", "Compromised User Account"], "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110", "T1110.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "630b1694-210a-48ee-a450-6f79e7679f2c", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies an Azure AD account with more than 20 failed authentication events in the span of 10 minutes. This behavior could represent a brute force attack against the account. As environments differ across organizations, security teams should customize the threshold of this detection. -action.notable.param.rule_title = Azure AD High Number Of Failed Authentications For User -action.notable.param.security_domain = identity -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `azure_monitor_aad` category= SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false | rename properties.* as * | bucket span=10m _time | stats count min(_time) as firstTime max(_time) as lastTime values(src_ip) as src_ip by user | where count > 20 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_high_number_of_failed_authentications_for_user_filter` - -[ESCU - Azure AD High Number Of Failed Authentications From Ip - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies an Ip address failing to authenticate 20 or more times to an Azure AD tenant in the span of 10 minutes. This behavior could represent a brute force attack againstan Azure AD to obtain initial access or elevate privileges. As environments differ across organizations, security teams should customize the threshold of this detection. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110", "T1110.001", "T1110.003"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies an Ip address failing to authenticate 20 or more times to an Azure AD tenant in the span of 10 minutes. This behavior could represent a brute force attack againstan Azure AD to obtain initial access or elevate privileges. As environments differ across organizations, security teams should customize the threshold of this detection. -action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category. -action.escu.known_false_positives = An Ip address with more than 20 failed authentication attempts in the span of 10 minutes may also be triggered by a broken application. -action.escu.creation_date = 2023-12-20 -action.escu.modification_date = 2023-12-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Azure AD High Number Of Failed Authentications From Ip - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Azure AD", "Entra ID"] -action.escu.analytic_story = ["Azure Active Directory Account Takeover", "Compromised User Account", "NOBELIUM Group"] -action.risk = 1 -action.risk.param._risk_message = $src_ip$ failed to authenticate more than 20 times in the span of 10 minutes minutes. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 35}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Azure AD High Number Of Failed Authentications From Ip - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover", "Compromised User Account", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110", "T1110.001", "T1110.003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e5ab41bf-745d-4f72-a393-2611151afd8e", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies an Ip address failing to authenticate 20 or more times to an Azure AD tenant in the span of 10 minutes. This behavior could represent a brute force attack againstan Azure AD to obtain initial access or elevate privileges. As environments differ across organizations, security teams should customize the threshold of this detection. -action.notable.param.rule_title = Azure AD High Number Of Failed Authentications From Ip -action.notable.param.security_domain = identity -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `azure_monitor_aad` category= SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false | rename properties.* as * | bucket span=10m _time | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip | where count > 20 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_high_number_of_failed_authentications_from_ip_filter` - -[ESCU - Azure AD Multi-Factor Authentication Disabled - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies an attempt to disable multi-factor authentication for an Azure AD user. An adversary who has obtained access to an Azure AD tenant may disable multi-factor authentication as a way to plant a backdoor and maintain persistence using a valid account. This way the attackers can keep persistance in the environment without adding new users. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1556", "T1556.006"], "nist": ["DE.CM"]} -action.escu.data_models = ["Authentication"] -action.escu.eli5 = The following analytic identifies an attempt to disable multi-factor authentication for an Azure AD user. An adversary who has obtained access to an Azure AD tenant may disable multi-factor authentication as a way to plant a backdoor and maintain persistence using a valid account. This way the attackers can keep persistance in the environment without adding new users. -action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category. -action.escu.known_false_positives = Legitimate use case may require for users to disable MFA. Filter as needed. -action.escu.creation_date = 2023-12-20 -action.escu.modification_date = 2023-12-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Azure AD Multi-Factor Authentication Disabled - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Azure AD", "Entra ID"] -action.escu.analytic_story = ["Azure Active Directory Account Takeover"] -action.risk = 1 -action.risk.param._risk_message = MFA disabled for User $user$ initiated by $initiatedBy$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 45}, {"risk_object_field": "initiatedBy", "risk_object_type": "other", "risk_score": 45}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Azure AD Multi-Factor Authentication Disabled - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Exploitation", "Installation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1556", "T1556.006"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "482dd42a-acfa-486b-a0bb-d6fcda27318e", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies an attempt to disable multi-factor authentication for an Azure AD user. An adversary who has obtained access to an Azure AD tenant may disable multi-factor authentication as a way to plant a backdoor and maintain persistence using a valid account. This way the attackers can keep persistance in the environment without adding new users. -action.notable.param.rule_title = Azure AD Multi-Factor Authentication Disabled -action.notable.param.security_domain = identity -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `azure_monitor_aad` category=AuditLogs operationName="Disable Strong Authentication" | rename properties.* as * | rename targetResources{}.type as type | rename initiatedBy.user.userPrincipalName as initiatedBy | stats count min(_time) as firstTime max(_time) as lastTime by user, type, operationName, initiatedBy, result | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multi_factor_authentication_disabled_filter` - -[ESCU - Azure AD Multi-Source Failed Authentications Spike - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic detects potential distributed password spraying attacks within an Azure AD environment. It identifies a notable increase in failed authentication attempts across a variety of unique user-and-IP address combinations, originating from multiple source IP addresses and countries, and employing different user agents. Such patterns suggest an adversary's attempt to bypass security controls by using a range of IP addresses to test commonly used passwords against numerous user accounts. The detection scrutinizes SignInLogs from Azure AD logs, particularly focusing on events with error code 50126, which signals a failed authentication due to incorrect credentials. By collating data over a five-minute interval, the analytic computes the distinct counts of user-and-IP combinations, unique users, source IPs, and countries. It then applies a set of thresholds to these metrics to pinpoint unusual activities that could indicate a coordinated attack effort. The thresholds set within the analytic (such as unique IPs, unique users, etc.) are initial guidelines and should be customized based on the organization's user behavior and risk profile. Recognizing this behavior is vital for security operations centers (SOCs) as distributed password spraying represents a more complex form of traditional password spraying. Attackers distribute the source of their attempts to evade detection mechanisms that typically monitor for single-source IP anomalies. Prompt detection of such distributed activities is essential to thwart unauthorized access attempts, prevent account compromises, and mitigate the risk of further malicious activities within the organization's network. A true positive alert from this analytic suggests an active distributed password spraying attack against the organization's Azure AD tenant. A successful attack could result in unauthorized access, particularly to accounts with elevated privileges, leading to data breaches, privilege escalation, persistent threats, and lateral movement within the organization's infrastructure. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic detects potential distributed password spraying attacks within an Azure AD environment. It identifies a notable increase in failed authentication attempts across a variety of unique user-and-IP address combinations, originating from multiple source IP addresses and countries, and employing different user agents. Such patterns suggest an adversary's attempt to bypass security controls by using a range of IP addresses to test commonly used passwords against numerous user accounts. The detection scrutinizes SignInLogs from Azure AD logs, particularly focusing on events with error code 50126, which signals a failed authentication due to incorrect credentials. By collating data over a five-minute interval, the analytic computes the distinct counts of user-and-IP combinations, unique users, source IPs, and countries. It then applies a set of thresholds to these metrics to pinpoint unusual activities that could indicate a coordinated attack effort. The thresholds set within the analytic (such as unique IPs, unique users, etc.) are initial guidelines and should be customized based on the organization's user behavior and risk profile. Recognizing this behavior is vital for security operations centers (SOCs) as distributed password spraying represents a more complex form of traditional password spraying. Attackers distribute the source of their attempts to evade detection mechanisms that typically monitor for single-source IP anomalies. Prompt detection of such distributed activities is essential to thwart unauthorized access attempts, prevent account compromises, and mitigate the risk of further malicious activities within the organization's network. A true positive alert from this analytic suggests an active distributed password spraying attack against the organization's Azure AD tenant. A successful attack could result in unauthorized access, particularly to accounts with elevated privileges, leading to data breaches, privilege escalation, persistent threats, and lateral movement within the organization's infrastructure. -action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category. The thresholds set within the analytic (such as unique IPs, unique users, etc.) are initial guidelines and should be customized based on the organization's user behavior and risk profile. Security teams are encouraged to adjust these thresholds to optimize the balance between detecting genuine threats and minimizing false positives, ensuring the detection is tailored to their specific environment. -action.escu.known_false_positives = This detection may yield false positives in scenarios where legitimate bulk sign-in activities occur, such as during company-wide system updates or when users are accessing resources from varying locations in a short time frame, such as in the case of VPNs or cloud services that rotate IP addresses. Filter as needed. -action.escu.creation_date = 2023-12-20 -action.escu.modification_date = 2023-12-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Azure AD Multi-Source Failed Authentications Spike - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Azure AD", "Entra ID"] -action.escu.analytic_story = ["Azure Active Directory Account Takeover", "NOBELIUM Group"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Azure AD Multi-Source Failed Authentications Spike - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "116e11a9-63ea-41eb-a66a-6a13bdc7d2c7", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `azure_monitor_aad` category=SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false | rename properties.* as * | bucket span=5m _time | eval uniqueIPUserCombo = src_ip . "-" . user | stats count min(_time) as firstTime max(_time) as lastTime dc(uniqueIPUserCombo) as uniqueIpUserCombinations, dc(user) as uniqueUsers, dc(src_ip) as uniqueIPs, dc(user_agent) as uniqueUserAgents, dc(location.countryOrRegion) as uniqueCountries values(user) as user, values(src_ip) as ips, values(user_agent) as user_agents, values(location.countryOrRegion) as countries | where uniqueIpUserCombinations > 20 AND uniqueUsers > 20 AND uniqueIPs > 20 AND uniqueUserAgents = 1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multi_source_failed_authentications_spike_filter` - -[ESCU - Azure AD Multiple AppIDs and UserAgents Authentication Spike - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is crafted to identify unusual and potentially malicious authentication activity within an Azure AD environment. It triggers when a single user account is involved in more than 8 authentication attempts, using 3 or more unique application IDs and more than 5 unique user agents within a short timeframe. This pattern is atypical for regular user behavior and may indicate an adversary's attempt to probe the environment, testing for multi-factor authentication requirements across different applications and platforms. The detection is based on analysis of Azure AD audit logs, specifically focusing on authentication events. It employs statistical thresholds to highlight instances where the volume of authentication attempts and the diversity of application IDs and user agents associated with a single user account exceed normal parameters. Identifying this behavior is crucial as it provides an early indication of potential account compromise. Adversaries, once in possession of user credentials, often conduct reconnaissance to understand the security controls in place, including multi-factor authentication configurations. Tools like Invoke-MFASweep are commonly used for this purpose, automating the process of testing different user agents and application IDs to bypass MFA. By detecting these initial probing attempts, security teams can swiftly respond, potentially stopping an attack in its early stages and preventing further unauthorized access. This proactive stance is vital for maintaining the integrity of the organization's security posture. If validated as a true positive, this detection points to a compromised account, signaling that an attacker is actively attempting to navigate security controls to maintain access and potentially escalate privileges. This could lead to further exploitation, lateral movement within the network, and eventual data exfiltration. Recognizing and responding to this early stage of an attack is vital for preventing substantial harm and safeguarding sensitive organizational data and systems. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} -action.escu.data_models = ["Authentication"] -action.escu.eli5 = This analytic is crafted to identify unusual and potentially malicious authentication activity within an Azure AD environment. It triggers when a single user account is involved in more than 8 authentication attempts, using 3 or more unique application IDs and more than 5 unique user agents within a short timeframe. This pattern is atypical for regular user behavior and may indicate an adversary's attempt to probe the environment, testing for multi-factor authentication requirements across different applications and platforms. The detection is based on analysis of Azure AD audit logs, specifically focusing on authentication events. It employs statistical thresholds to highlight instances where the volume of authentication attempts and the diversity of application IDs and user agents associated with a single user account exceed normal parameters. Identifying this behavior is crucial as it provides an early indication of potential account compromise. Adversaries, once in possession of user credentials, often conduct reconnaissance to understand the security controls in place, including multi-factor authentication configurations. Tools like Invoke-MFASweep are commonly used for this purpose, automating the process of testing different user agents and application IDs to bypass MFA. By detecting these initial probing attempts, security teams can swiftly respond, potentially stopping an attack in its early stages and preventing further unauthorized access. This proactive stance is vital for maintaining the integrity of the organization's security posture. If validated as a true positive, this detection points to a compromised account, signaling that an attacker is actively attempting to navigate security controls to maintain access and potentially escalate privileges. This could lead to further exploitation, lateral movement within the network, and eventual data exfiltration. Recognizing and responding to this early stage of an attack is vital for preventing substantial harm and safeguarding sensitive organizational data and systems. -action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category. -action.escu.known_false_positives = Rapid authentication from the same user using more than 5 different user agents and 3 application IDs is highly unlikely under normal circumstances. However, there are potential scenarios that could lead to false positives. -action.escu.creation_date = 2023-12-20 -action.escu.modification_date = 2023-12-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Azure AD Multiple AppIDs and UserAgents Authentication Spike - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Azure AD", "Entra ID"] -action.escu.analytic_story = ["Azure Active Directory Account Takeover"] -action.risk = 1 -action.risk.param._risk_message = $user$ authenticated in a short periof of time with more than 5 different user agents across 3 or more unique application ids. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 48}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Azure AD Multiple AppIDs and UserAgents Authentication Spike - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "5d8bb1f0-f65a-4b4e-af2e-fcdb88276314", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `azure_monitor_aad` category=SignInLogs operationName="Sign-in activity" (properties.authenticationRequirement="multiFactorAuthentication" AND properties.status.additionalDetails="MFA required in Azure AD") OR (properties.authenticationRequirement=singleFactorAuthentication AND "properties.authenticationDetails{}.succeeded"=true) | bucket span=5m _time | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime dc(appId) as unique_app_ids dc(userAgent) as unique_user_agents values(appDisplayName) values(deviceDetail.operatingSystem) by user, src_ip | where count > 5 and unique_app_ids > 2 and unique_user_agents > 5 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multiple_appids_and_useragents_authentication_spike_filter` - -[ESCU - Azure AD Multiple Denied MFA Requests For User - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic targets the detection of an unusually high number of denied Multi-Factor Authentication (MFA) requests for a single user within a 10-minute window, specifically identifying instances where more than nine MFA prompts were declined by the user. Utilizing Azure Active Directory (Azure AD) sign-in logs, particularly focusing on "Sign-in activity" events, it filters for scenarios where the MFA request was denied due to the user declining the authentication, as indicated by error code 500121 and additional details stating "MFA denied; user declined the authentication." The data is then aggregated into 10-minute intervals, counting distinct raw events and capturing the earliest and latest times of occurrence for each user. This behavior is significant for a Security Operations Center (SOC) as it could be an early indicator of a targeted attack or an account compromise attempt, with an attacker having obtained the user's credentials and the user actively declining the MFA prompts, preventing unauthorized access. A true positive detection would imply that an attacker is on the verge of gaining full access to the user's account, posing a threat that could lead to data exfiltration, lateral movement, or further malicious activities within the organization, necessitating immediate investigation and response to safeguard the organization's assets. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1621"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic targets the detection of an unusually high number of denied Multi-Factor Authentication (MFA) requests for a single user within a 10-minute window, specifically identifying instances where more than nine MFA prompts were declined by the user. Utilizing Azure Active Directory (Azure AD) sign-in logs, particularly focusing on "Sign-in activity" events, it filters for scenarios where the MFA request was denied due to the user declining the authentication, as indicated by error code 500121 and additional details stating "MFA denied; user declined the authentication." The data is then aggregated into 10-minute intervals, counting distinct raw events and capturing the earliest and latest times of occurrence for each user. This behavior is significant for a Security Operations Center (SOC) as it could be an early indicator of a targeted attack or an account compromise attempt, with an attacker having obtained the user's credentials and the user actively declining the MFA prompts, preventing unauthorized access. A true positive detection would imply that an attacker is on the verge of gaining full access to the user's account, posing a threat that could lead to data exfiltration, lateral movement, or further malicious activities within the organization, necessitating immediate investigation and response to safeguard the organization's assets. -action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category. -action.escu.known_false_positives = Multiple denifed MFA requests in a short period of span may also be a sign of authentication errors. Investigate and filter as needed. -action.escu.creation_date = 2023-12-20 -action.escu.modification_date = 2023-12-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Azure AD Multiple Denied MFA Requests For User - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Azure AD", "Entra ID"] -action.escu.analytic_story = ["Azure Active Directory Account Takeover"] -action.risk = 1 -action.risk.param._risk_message = User $user$ denied more than 9 MFA requests in a timespan of 10 minutes. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 54}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Azure AD Multiple Denied MFA Requests For User - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1621"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "d0895c20-de71-4fd2-b56c-3fcdb888eba1", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic targets the detection of an unusually high number of denied Multi-Factor Authentication (MFA) requests for a single user within a 10-minute window, specifically identifying instances where more than nine MFA prompts were declined by the user. Utilizing Azure Active Directory (Azure AD) sign-in logs, particularly focusing on "Sign-in activity" events, it filters for scenarios where the MFA request was denied due to the user declining the authentication, as indicated by error code 500121 and additional details stating "MFA denied; user declined the authentication." The data is then aggregated into 10-minute intervals, counting distinct raw events and capturing the earliest and latest times of occurrence for each user. This behavior is significant for a Security Operations Center (SOC) as it could be an early indicator of a targeted attack or an account compromise attempt, with an attacker having obtained the user's credentials and the user actively declining the MFA prompts, preventing unauthorized access. A true positive detection would imply that an attacker is on the verge of gaining full access to the user's account, posing a threat that could lead to data exfiltration, lateral movement, or further malicious activities within the organization, necessitating immediate investigation and response to safeguard the organization's assets. -action.notable.param.rule_title = Azure AD Multiple Denied MFA Requests For User -action.notable.param.security_domain = identity -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `azure_monitor_aad` category=SignInLogs operationName="Sign-in activity" | rename properties.* as * | search status.errorCode=500121 status.additionalDetails="MFA denied; user declined the authentication" | bucket span=10m _time | stats count min(_time) as firstTime max(_time) as lastTime by user, status.additionalDetails, appDisplayName, user_agent | where count > 9 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multiple_denied_mfa_requests_for_user_filter` - -[ESCU - Azure AD Multiple Failed MFA Requests For User - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies multiple failed multi-factor authentication requests for a single user within an Azure AD tenant. Error Code 500121 represents a failed attempt to authenticate using a second factor. Specifically, the analytic triggers when more than 10 MFA user prompts fail within 10 minutes. The reasons for these failure could be several, like the user not responding in time or receiving multiple duplicate MFA requests. Azure AD tenants can be very different depending on the organization, Security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls as reported by Mandiant and others. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1621", "T1078", "T1078.004"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies multiple failed multi-factor authentication requests for a single user within an Azure AD tenant. Error Code 500121 represents a failed attempt to authenticate using a second factor. Specifically, the analytic triggers when more than 10 MFA user prompts fail within 10 minutes. The reasons for these failure could be several, like the user not responding in time or receiving multiple duplicate MFA requests. Azure AD tenants can be very different depending on the organization, Security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls as reported by Mandiant and others. -action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category. -action.escu.known_false_positives = Multiple Failed MFA requests may also be a sign of authentication or application issues. Filter as needed. -action.escu.creation_date = 2023-12-20 -action.escu.modification_date = 2023-12-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Azure AD Multiple Failed MFA Requests For User - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Azure AD", "Entra ID"] -action.escu.analytic_story = ["Azure Active Directory Account Takeover"] -action.risk = 1 -action.risk.param._risk_message = User $user$ failed to complete MFA authentication more than 9 times in a timespan of 10 minutes. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 54}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Azure AD Multiple Failed MFA Requests For User - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1621", "T1078", "T1078.004"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "264ea131-ab1f-41b8-90e0-33ad1a1888ea", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies multiple failed multi-factor authentication requests for a single user within an Azure AD tenant. Error Code 500121 represents a failed attempt to authenticate using a second factor. Specifically, the analytic triggers when more than 10 MFA user prompts fail within 10 minutes. The reasons for these failure could be several, like the user not responding in time or receiving multiple duplicate MFA requests. Azure AD tenants can be very different depending on the organization, Security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls as reported by Mandiant and others. -action.notable.param.rule_title = Azure AD Multiple Failed MFA Requests For User -action.notable.param.security_domain = identity -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `azure_monitor_aad` category=SignInLogs operationName="Sign-in activity" properties.status.errorCode=500121 properties.status.additionalDetails!="MFA denied; user declined the authentication" | rename properties.* as * | bucket span=10m _time | stats count min(_time) as firstTime max(_time) as lastTime by user, status.additionalDetails, appDisplayName, user_agent | where count > 9 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multiple_failed_mfa_requests_for_user_filter` - -[ESCU - Azure AD Multiple Service Principals Created by SP - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This detection identifies when a single service principal in Azure AD creates more than three unique OAuth applications within a 10-minute span, potentially signaling malicious activity. It monitors the 'Add service principal' operation, focusing on the activity of service principals rather than individual users. By aggregating the creation events over a 10-minute period, the analytic tracks how many distinct OAuth applications are created by each service principal. This is key for SOC teams to pinpoint potential attack staging, where an attacker might use a compromised or malicious service principal to rapidly establish multiple service principals, facilitating network infiltration or expansion. While the default threshold is set to trigger on more than three applications, security teams should adjust this to fit their specific environment's norm -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This detection identifies when a single service principal in Azure AD creates more than three unique OAuth applications within a 10-minute span, potentially signaling malicious activity. It monitors the 'Add service principal' operation, focusing on the activity of service principals rather than individual users. By aggregating the creation events over a 10-minute period, the analytic tracks how many distinct OAuth applications are created by each service principal. This is key for SOC teams to pinpoint potential attack staging, where an attacker might use a compromised or malicious service principal to rapidly establish multiple service principals, facilitating network infiltration or expansion. While the default threshold is set to trigger on more than three applications, security teams should adjust this to fit their specific environment's norm -action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category. -action.escu.known_false_positives = Certain users or applications may create multiple service principals in a short period of time for legitimate purposes. Filter as needed. -action.escu.creation_date = 2024-02-07 -action.escu.modification_date = 2024-02-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Azure AD Multiple Service Principals Created by SP - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Azure AD", "Entra ID"] -action.escu.analytic_story = ["Azure Active Directory Persistence", "NOBELIUM Group"] -action.risk = 1 -action.risk.param._risk_message = Multiple OAuth applications were created by $src_user$ in a short period of time -action.risk.param._risk = [{"risk_object_field": "src_user", "risk_object_type": "user", "risk_score": 42}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Azure AD Multiple Service Principals Created by SP - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "66cb378f-234d-4fe1-bb4c-e7878ff6b017", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `azure_monitor_aad` operationName="Add service principal" properties.initiatedBy.app.appId=* | rename properties.* as * | bucket span=10m _time | rename targetResources{}.displayName as displayName | rename targetResources{}.type as type | rename initiatedBy.app.displayName as src_user | stats min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName dc(displayName) as unique_apps by src_user | where unique_apps > 3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multiple_service_principals_created_by_sp_filter` - -[ESCU - Azure AD Multiple Service Principals Created by User - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This detection focuses on identifying instances where a single user creates more than three unique OAuth applications within a 10-minute timeframe in Azure AD, a potential indicator of malicious activity. By monitoring the 'Add service principal' operation and aggregating the data with a 10-minute bucket span, it tracks the number of distinct OAuth applications created by each user. This analytic is crucial for SOC teams to detect possible staging of attacks, where an adversary might rapidly create multiple service principals as part of their infiltration or expansion strategy within the network. The threshold of three applications is set to flag unusual behavior, but security teams are advised to adjust this value to suit the normal operational patterns of their environment -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This detection focuses on identifying instances where a single user creates more than three unique OAuth applications within a 10-minute timeframe in Azure AD, a potential indicator of malicious activity. By monitoring the 'Add service principal' operation and aggregating the data with a 10-minute bucket span, it tracks the number of distinct OAuth applications created by each user. This analytic is crucial for SOC teams to detect possible staging of attacks, where an adversary might rapidly create multiple service principals as part of their infiltration or expansion strategy within the network. The threshold of three applications is set to flag unusual behavior, but security teams are advised to adjust this value to suit the normal operational patterns of their environment -action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category. -action.escu.known_false_positives = Certain users or applications may create multiple service principals in a short period of time for legitimate purposes. Filter as needed. -action.escu.creation_date = 2024-02-07 -action.escu.modification_date = 2024-02-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Azure AD Multiple Service Principals Created by User - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Azure AD", "Entra ID"] -action.escu.analytic_story = ["Azure Active Directory Persistence", "NOBELIUM Group"] -action.risk = 1 -action.risk.param._risk_message = Multiple OAuth applications were created by $src_user$ in a short period of time -action.risk.param._risk = [{"risk_object_field": "src_user", "risk_object_type": "user", "risk_score": 42}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Azure AD Multiple Service Principals Created by User - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "32880707-f512-414e-bd7f-204c0c85b758", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `azure_monitor_aad` operationName="Add service principal" properties.initiatedBy.user.id=* | rename properties.* as * | bucket span=10m _time | rename targetResources{}.displayName as displayName | stats min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName dc(displayName) as unique_apps by src_user | where unique_apps > 3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multiple_service_principals_created_by_user_filter` - -[ESCU - Azure AD Multiple Users Failing To Authenticate From Ip - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies one source Ip failing to authenticate with 30 unique valid users within 5 minutes. This behavior could represent an adversary performing a Password Spraying attack against an Azure Active Directory tenant to obtain initial access or elevate privileges. Error Code 50126 represents an invalid password. This logic can be used for real time security monitoring as well as threat hunting exercises. \ -Azure AD tenants can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold if needed. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies one source Ip failing to authenticate with 30 unique valid users within 5 minutes. This behavior could represent an adversary performing a Password Spraying attack against an Azure Active Directory tenant to obtain initial access or elevate privileges. Error Code 50126 represents an invalid password. This logic can be used for real time security monitoring as well as threat hunting exercises. \ -Azure AD tenants can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold if needed. -action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category. -action.escu.known_false_positives = A source Ip failing to authenticate with multiple users is not a common for legitimate behavior. -action.escu.creation_date = 2023-12-20 -action.escu.modification_date = 2023-12-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Azure AD Multiple Users Failing To Authenticate From Ip - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Azure AD", "Entra ID"] -action.escu.analytic_story = ["Azure Active Directory Account Takeover"] -action.risk = 1 -action.risk.param._risk_message = Source Ip $src_ip$ failed to authenticate with 30 users within 5 minutes. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 63}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Azure AD Multiple Users Failing To Authenticate From Ip - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "94481a6a-8f59-4c86-957f-55a71e3612a6", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `azure_monitor_aad` category=SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false | rename properties.* as * | bucket span=5m _time | stats count min(_time) as firstTime max(_time) as lastTime dc(user) AS unique_accounts values(user) as user by src_ip | where unique_accounts > 30 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multiple_users_failing_to_authenticate_from_ip_filter` - -[ESCU - Azure AD New Custom Domain Added - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the addition of a new custom domain within an Azure Active Directory tenant. Adding a custom domain is a step required to set up the Azure Active Directory identity federation backdoor technique discovered by security researcher Nestori Syynimaa. Similar to Active Directory, Azure AD uses the concept of domains to manage directories of identities. A new Azure AD tenant will initially contain a single domain that is commonly called the `cloud-only` onmicrosoft.com domain. Organizations can also add their registered custom domains to Azure AD for email addresses to match the organizations domain name. If the organization intends to use a third-party identity provider such as ADFS for authentication, the added custom domains can be configured as federated. An adversary who has obtained privileged access to an Azure AD tenant may leverage this technique to establish persistence and be able to authenticate to Azure AD impersonating any user and bypassing the requirement to have a valid password and/or perform MFA. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484", "T1484.002"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies the addition of a new custom domain within an Azure Active Directory tenant. Adding a custom domain is a step required to set up the Azure Active Directory identity federation backdoor technique discovered by security researcher Nestori Syynimaa. Similar to Active Directory, Azure AD uses the concept of domains to manage directories of identities. A new Azure AD tenant will initially contain a single domain that is commonly called the `cloud-only` onmicrosoft.com domain. Organizations can also add their registered custom domains to Azure AD for email addresses to match the organizations domain name. If the organization intends to use a third-party identity provider such as ADFS for authentication, the added custom domains can be configured as federated. An adversary who has obtained privileged access to an Azure AD tenant may leverage this technique to establish persistence and be able to authenticate to Azure AD impersonating any user and bypassing the requirement to have a valid password and/or perform MFA. -action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category. -action.escu.known_false_positives = In most organizations, new customm domains will be updated infrequently. Filter as needed. -action.escu.creation_date = 2023-12-20 -action.escu.modification_date = 2023-12-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Azure AD New Custom Domain Added - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Azure AD", "Entra ID"] -action.escu.analytic_story = ["Azure Active Directory Persistence"] -action.risk = 1 -action.risk.param._risk_message = A new custom domain, $domain$ , was added by $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 54}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Azure AD New Custom Domain Added - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484", "T1484.002"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "30c47f45-dd6a-4720-9963-0bca6c8686ef", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the addition of a new custom domain within an Azure Active Directory tenant. Adding a custom domain is a step required to set up the Azure Active Directory identity federation backdoor technique discovered by security researcher Nestori Syynimaa. Similar to Active Directory, Azure AD uses the concept of domains to manage directories of identities. A new Azure AD tenant will initially contain a single domain that is commonly called the `cloud-only` onmicrosoft.com domain. Organizations can also add their registered custom domains to Azure AD for email addresses to match the organizations domain name. If the organization intends to use a third-party identity provider such as ADFS for authentication, the added custom domains can be configured as federated. An adversary who has obtained privileged access to an Azure AD tenant may leverage this technique to establish persistence and be able to authenticate to Azure AD impersonating any user and bypassing the requirement to have a valid password and/or perform MFA. -action.notable.param.rule_title = Azure AD New Custom Domain Added -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `azure_monitor_aad` operationName="Add unverified domain" properties.result=success | rename properties.* as * | rename targetResources{}.displayName as domain | stats count min(_time) as firstTime max(_time) as lastTime by user, domain, result, operationName, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_new_custom_domain_added_filter` - -[ESCU - Azure AD New Federated Domain Added - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the addition of a new federated domain within an Azure Active Directory tenant. This event could represent the execution of the Azure Active Directory identity federation backdoor technique discovered by security researcher Nestori Syynimaa. Similar to Active Directory, Azure AD uses the concept of domains to manage directories of identities. A new Azure AD tenant will initially contain a single domain that is commonly called the `cloud-only` onmicrosoft.com domain. Organizations can also add their registered custom domains to Azure AD for email addresses to match the organizations domain name. If the organization intends to use a third-party identity provider such as ADFS for authentication, the added custom domains can be configured as federated. An adversary who has obtained privileged access to an Azure AD tenant may leverage this technique to establish persistence and be able to authenticate to Azure AD impersonating any user and bypassing the requirement to have a valid password and/or perform MFA. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484", "T1484.002"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies the addition of a new federated domain within an Azure Active Directory tenant. This event could represent the execution of the Azure Active Directory identity federation backdoor technique discovered by security researcher Nestori Syynimaa. Similar to Active Directory, Azure AD uses the concept of domains to manage directories of identities. A new Azure AD tenant will initially contain a single domain that is commonly called the `cloud-only` onmicrosoft.com domain. Organizations can also add their registered custom domains to Azure AD for email addresses to match the organizations domain name. If the organization intends to use a third-party identity provider such as ADFS for authentication, the added custom domains can be configured as federated. An adversary who has obtained privileged access to an Azure AD tenant may leverage this technique to establish persistence and be able to authenticate to Azure AD impersonating any user and bypassing the requirement to have a valid password and/or perform MFA. -action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category. -action.escu.known_false_positives = In most organizations, domain federation settings will be updated infrequently. Filter as needed. -action.escu.creation_date = 2023-12-20 -action.escu.modification_date = 2023-12-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Azure AD New Federated Domain Added - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Azure AD", "Entra ID"] -action.escu.analytic_story = ["Azure Active Directory Persistence"] -action.risk = 1 -action.risk.param._risk_message = A new federated domain, $domain$ , was added by $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 81}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Azure AD New Federated Domain Added - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484", "T1484.002"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a87cd633-076d-4ab2-9047-977751a3c1a0", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the addition of a new federated domain within an Azure Active Directory tenant. This event could represent the execution of the Azure Active Directory identity federation backdoor technique discovered by security researcher Nestori Syynimaa. Similar to Active Directory, Azure AD uses the concept of domains to manage directories of identities. A new Azure AD tenant will initially contain a single domain that is commonly called the `cloud-only` onmicrosoft.com domain. Organizations can also add their registered custom domains to Azure AD for email addresses to match the organizations domain name. If the organization intends to use a third-party identity provider such as ADFS for authentication, the added custom domains can be configured as federated. An adversary who has obtained privileged access to an Azure AD tenant may leverage this technique to establish persistence and be able to authenticate to Azure AD impersonating any user and bypassing the requirement to have a valid password and/or perform MFA. -action.notable.param.rule_title = Azure AD New Federated Domain Added -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `azure_monitor_aad` operationName="Set domain authentication" "properties.result"=success | rename properties.* as * | rename targetResources{}.displayName as domain | stats count min(_time) as firstTime max(_time) as lastTime by user, domain, result, operationName, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_new_federated_domain_added_filter` - -[ESCU - Azure AD New MFA Method Registered - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic detects the registration of a new Multi-Factor Authentication (MFA) method associated with a user account within Azure Active Directory by monitoring Azure AD audit logs and configurations. While adding a new MFA method can be a routine and legitimate action, it can also be indicative of an attacker's attempt to maintain persistence on a compromised account. By registering a new MFA method, attackers can potentially bypass existing security measures, allowing them to authenticate using stolen credentials without raising alarms. Monitoring for such changes is crucial, especially if the addition is not preceded by a user request or if it deviates from typical user behavior. If an attacker successfully registers a new MFA method on a compromised account, they can solidify their access, making it harder for legitimate users to regain control. The attacker can then operate with the privileges of the compromised account, potentially accessing sensitive data, making unauthorized changes, or even escalating their privileges further. Immediate action would be required to verify the legitimacy of the MFA change and, if malicious, to remediate and secure the affected account. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098", "T1098.005"], "nist": ["DE.CM"]} -action.escu.data_models = ["Authentication"] -action.escu.eli5 = This analytic detects the registration of a new Multi-Factor Authentication (MFA) method associated with a user account within Azure Active Directory by monitoring Azure AD audit logs and configurations. While adding a new MFA method can be a routine and legitimate action, it can also be indicative of an attacker's attempt to maintain persistence on a compromised account. By registering a new MFA method, attackers can potentially bypass existing security measures, allowing them to authenticate using stolen credentials without raising alarms. Monitoring for such changes is crucial, especially if the addition is not preceded by a user request or if it deviates from typical user behavior. If an attacker successfully registers a new MFA method on a compromised account, they can solidify their access, making it harder for legitimate users to regain control. The attacker can then operate with the privileges of the compromised account, potentially accessing sensitive data, making unauthorized changes, or even escalating their privileges further. Immediate action would be required to verify the legitimacy of the MFA change and, if malicious, to remediate and secure the affected account. -action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. -action.escu.known_false_positives = Users may register MFA methods legitimally, investigate and filter as needed. -action.escu.creation_date = 2023-12-20 -action.escu.modification_date = 2023-12-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Azure AD New MFA Method Registered - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Azure AD", "Entra ID"] -action.escu.analytic_story = ["Azure Active Directory Persistence"] -action.risk = 1 -action.risk.param._risk_message = A new MFA method was registered for user $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 30}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Azure AD New MFA Method Registered - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098", "T1098.005"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "0488e814-eb81-42c3-9f1f-b2244973e3a3", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic detects the registration of a new Multi-Factor Authentication (MFA) method associated with a user account within Azure Active Directory by monitoring Azure AD audit logs and configurations. While adding a new MFA method can be a routine and legitimate action, it can also be indicative of an attacker's attempt to maintain persistence on a compromised account. By registering a new MFA method, attackers can potentially bypass existing security measures, allowing them to authenticate using stolen credentials without raising alarms. Monitoring for such changes is crucial, especially if the addition is not preceded by a user request or if it deviates from typical user behavior. If an attacker successfully registers a new MFA method on a compromised account, they can solidify their access, making it harder for legitimate users to regain control. The attacker can then operate with the privileges of the compromised account, potentially accessing sensitive data, making unauthorized changes, or even escalating their privileges further. Immediate action would be required to verify the legitimacy of the MFA change and, if malicious, to remediate and secure the affected account. -action.notable.param.rule_title = Azure AD New MFA Method Registered -action.notable.param.security_domain = identity -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `azure_monitor_aad` operationName="Update user" | rename properties.* as * | eval propertyName = mvindex('targetResources{}.modifiedProperties{}.displayName', 0) | search propertyName = StrongAuthenticationMethod | eval oldvalue = mvindex('targetResources{}.modifiedProperties{}.oldValue',0) | eval newvalue = mvindex('targetResources{}.modifiedProperties{}.newValue',0) | rex field=newvalue max_match=0 "(?i)(?\"MethodType\")" | rex field=oldvalue max_match=0 "(?i)(?\"MethodType\")" | eval count_new_method_type = coalesce(mvcount(new_method_type), 0) | eval count_old_method_type = coalesce(mvcount(old_method_type), 0) | stats earliest(_time) as firstTime latest(_time) as lastTime values(propertyName) by user newvalue oldvalue | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_new_mfa_method_registered_filter` - -[ESCU - Azure AD New MFA Method Registered For User - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the registration of a new Multi Factor authentication method for an Azure AD account. Adversaries who have obtained unauthorized access to an Azure AD account may register a new MFA method to maintain persistence. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1556", "T1556.006"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies the registration of a new Multi Factor authentication method for an Azure AD account. Adversaries who have obtained unauthorized access to an Azure AD account may register a new MFA method to maintain persistence. -action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category. -action.escu.known_false_positives = Newly onboarded users who are registering an MFA method for the first time will also trigger this detection. -action.escu.creation_date = 2023-12-20 -action.escu.modification_date = 2023-12-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Azure AD New MFA Method Registered For User - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Azure AD", "Entra ID"] -action.escu.analytic_story = ["Azure Active Directory Account Takeover", "Compromised User Account"] -action.risk = 1 -action.risk.param._risk_message = A new MFA method was registered for user $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Azure AD New MFA Method Registered For User - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover", "Compromised User Account"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1556", "T1556.006"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "2628b087-4189-403f-9044-87403f777a1b", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the registration of a new Multi Factor authentication method for an Azure AD account. Adversaries who have obtained unauthorized access to an Azure AD account may register a new MFA method to maintain persistence. -action.notable.param.rule_title = Azure AD New MFA Method Registered For User -action.notable.param.security_domain = identity -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `azure_monitor_aad` category=AuditLogs operationName="User registered security info" properties.operationType=Add | rename properties.* as * | rename targetResources{}.* as * | stats count min(_time) as firstTime max(_time) as lastTime by user, resultDescription, result, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_new_mfa_method_registered_for_user_filter` - -[ESCU - Azure AD OAuth Application Consent Granted By User - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic detects when a user in an Azure AD environment grants consent to an OAuth application, capturing any consent granted regardless of the specific permissions requested. Utilizing Azure AD audit logs, it focuses on events related to OAuth application consents, alerting security teams to instances where users actively grant consent to applications. This monitoring is crucial as it highlights potential risks associated with third-party applications gaining access to organizational data, a tactic often exploited by malicious actors to gain unauthorized access. A true positive from this analytic necessitates immediate investigation to validate the application's legitimacy, review the granted permissions, and assess potential risks, helping to prevent unauthorized access and protect sensitive data and resources. While false positives may occur with legitimate application integrations, ensuring alignment with organizational policies and security best practices is paramount. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1528"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic detects when a user in an Azure AD environment grants consent to an OAuth application, capturing any consent granted regardless of the specific permissions requested. Utilizing Azure AD audit logs, it focuses on events related to OAuth application consents, alerting security teams to instances where users actively grant consent to applications. This monitoring is crucial as it highlights potential risks associated with third-party applications gaining access to organizational data, a tactic often exploited by malicious actors to gain unauthorized access. A true positive from this analytic necessitates immediate investigation to validate the application's legitimacy, review the granted permissions, and assess potential risks, helping to prevent unauthorized access and protect sensitive data and resources. While false positives may occur with legitimate application integrations, ensuring alignment with organizational policies and security best practices is paramount. -action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. -action.escu.known_false_positives = False positives may occur if users are granting consents as part of legitimate application integrations or setups. It is crucial to review the application and the permissions it requests to ensure they align with organizational policies and security best practices. -action.escu.creation_date = 2023-12-20 -action.escu.modification_date = 2023-12-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Azure AD OAuth Application Consent Granted By User - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Azure AD", "Entra ID"] -action.escu.analytic_story = ["Azure Active Directory Account Takeover"] -action.risk = 1 -action.risk.param._risk_message = User $user$ consented an OAuth application. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 36}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Azure AD OAuth Application Consent Granted By User - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1528"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "10ec9031-015b-4617-b453-c0c1ab729007", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic detects when a user in an Azure AD environment grants consent to an OAuth application, capturing any consent granted regardless of the specific permissions requested. Utilizing Azure AD audit logs, it focuses on events related to OAuth application consents, alerting security teams to instances where users actively grant consent to applications. This monitoring is crucial as it highlights potential risks associated with third-party applications gaining access to organizational data, a tactic often exploited by malicious actors to gain unauthorized access. A true positive from this analytic necessitates immediate investigation to validate the application's legitimacy, review the granted permissions, and assess potential risks, helping to prevent unauthorized access and protect sensitive data and resources. While false positives may occur with legitimate application integrations, ensuring alignment with organizational policies and security best practices is paramount. -action.notable.param.rule_title = Azure AD OAuth Application Consent Granted By User -action.notable.param.security_domain = identity -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `azure_monitor_aad` operationName="Consent to application" properties.result=success | rename properties.* as * | eval permissions_index = if(mvfind('targetResources{}.modifiedProperties{}.displayName', "ConsentAction.Permissions") >= 0, mvfind('targetResources{}.modifiedProperties{}.displayName', "ConsentAction.Permissions"), -1) | eval permissions = mvindex('targetResources{}.modifiedProperties{}.newValue',permissions_index) | rex field=permissions "Scope: (?[^,]+)" | stats count min(_time) as firstTime max(_time) as lastTime by operationName, user, Scope | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_oauth_application_consent_granted_by_user_filter` - -[ESCU - Azure AD PIM Role Assigned - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the assignment of the Azure AD PIM role. Privileged Identity Management (PIM) is a service within Azure Azure AD that enables administrators to manage, control, and monitor access to sensitive resources. PIM provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources. Once a user has been made eligible for an administrative role, she must activate this role assignment to perform the privileged actions. When a role is activated, Azure AD PIM temporarily adds active assignment for the role. While PIM can be leveraged as a powerful security control, it may also abused by adversaries to obtain privileged access. Security teams should monitor for the assignment and activation of PIM roles and validate their legitimacy. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies the assignment of the Azure AD PIM role. Privileged Identity Management (PIM) is a service within Azure Azure AD that enables administrators to manage, control, and monitor access to sensitive resources. PIM provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources. Once a user has been made eligible for an administrative role, she must activate this role assignment to perform the privileged actions. When a role is activated, Azure AD PIM temporarily adds active assignment for the role. While PIM can be leveraged as a powerful security control, it may also abused by adversaries to obtain privileged access. Security teams should monitor for the assignment and activation of PIM roles and validate their legitimacy. -action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. -action.escu.known_false_positives = As part of legitimate administrative behavior, users may be assigned PIM roles. Filter as needed -action.escu.creation_date = 2023-12-20 -action.escu.modification_date = 2023-12-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Azure AD PIM Role Assigned - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Azure AD", "Entra ID"] -action.escu.analytic_story = ["Azure Active Directory Persistence", "Azure Active Directory Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = An Azure AD PIM role assignment was assiged to $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 35}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Azure AD PIM Role Assigned - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence", "Azure Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "fcd6dfeb-191c-46a0-a29c-c306382145ab", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the assignment of the Azure AD PIM role. Privileged Identity Management (PIM) is a service within Azure Azure AD that enables administrators to manage, control, and monitor access to sensitive resources. PIM provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources. Once a user has been made eligible for an administrative role, she must activate this role assignment to perform the privileged actions. When a role is activated, Azure AD PIM temporarily adds active assignment for the role. While PIM can be leveraged as a powerful security control, it may also abused by adversaries to obtain privileged access. Security teams should monitor for the assignment and activation of PIM roles and validate their legitimacy. -action.notable.param.rule_title = Azure AD PIM Role Assigned -action.notable.param.security_domain = identity -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `azure_monitor_aad` operationName="Add eligible member to role in PIM completed*" | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user values(targetResources{}.displayName) as displayName by result, operationName, initiatedBy.user.displayName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_pim_role_assigned_filter` - -[ESCU - Azure AD PIM Role Assignment Activated - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the assignment of the Azure AD PIM role. Privileged Identity Management (PIM) is a service within Azure Azure AD that enables administrators to manage, control, and monitor access to sensitive resources. PIM provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources. Once a user has been made eligible for an administrative role, she must activate this role assignment to perform the privileged actions. When a role is activated, Azure AD PIM temporarily adds active assignment for the role. While PIM can be leveraged as a powerful security control, it may also abused by adversaries to obtain privileged access. Security teams should monitor for the assignment and activation of PIM roles and validate their legitimacy. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies the assignment of the Azure AD PIM role. Privileged Identity Management (PIM) is a service within Azure Azure AD that enables administrators to manage, control, and monitor access to sensitive resources. PIM provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources. Once a user has been made eligible for an administrative role, she must activate this role assignment to perform the privileged actions. When a role is activated, Azure AD PIM temporarily adds active assignment for the role. While PIM can be leveraged as a powerful security control, it may also abused by adversaries to obtain privileged access. Security teams should monitor for the assignment and activation of PIM roles and validate their legitimacy. -action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. -action.escu.known_false_positives = As part of legitimate administrative behavior, users may activate PIM roles. Filter as needed -action.escu.creation_date = 2023-12-20 -action.escu.modification_date = 2023-12-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Azure AD PIM Role Assignment Activated - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Azure AD", "Entra ID"] -action.escu.analytic_story = ["Azure Active Directory Persistence", "Azure Active Directory Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = An Azure AD PIM role assignment was activated by $initiatedBy$ by $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 35}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Azure AD PIM Role Assignment Activated - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence", "Azure Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "952e80d0-e343-439b-83f4-808c3e6fbf2e", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the assignment of the Azure AD PIM role. Privileged Identity Management (PIM) is a service within Azure Azure AD that enables administrators to manage, control, and monitor access to sensitive resources. PIM provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources. Once a user has been made eligible for an administrative role, she must activate this role assignment to perform the privileged actions. When a role is activated, Azure AD PIM temporarily adds active assignment for the role. While PIM can be leveraged as a powerful security control, it may also abused by adversaries to obtain privileged access. Security teams should monitor for the assignment and activation of PIM roles and validate their legitimacy. -action.notable.param.rule_title = Azure AD PIM Role Assignment Activated -action.notable.param.security_domain = identity -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `azure_monitor_aad` operationName="Add member to role completed (PIM activation)" | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user values(targetResources{}.displayName) as displayName by initiatedBy, result, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_pim_role_assignment_activated_filter` - -[ESCU - Azure AD Privileged Authentication Administrator Role Assigned - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the assignment of the Privileged Authentication Administrato role to an Azure AD user. Users in this role can set or reset authentication methods for any user in Azure Active Directory, including privileged roles like Global Administrators. Users with this role can change credentials for people who may have access to sensitive or private information or critical configuration inside and outside of Azure Active Directory. Changing the credentials of a user may mean the ability to assume that users identity and permissions. Red teams and adversaries alike may abuse this role to escalate their privileges. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002"], "nist": ["DE.CM"]} -action.escu.data_models = ["Authentication"] -action.escu.eli5 = The following analytic identifies the assignment of the Privileged Authentication Administrato role to an Azure AD user. Users in this role can set or reset authentication methods for any user in Azure Active Directory, including privileged roles like Global Administrators. Users with this role can change credentials for people who may have access to sensitive or private information or critical configuration inside and outside of Azure Active Directory. Changing the credentials of a user may mean the ability to assume that users identity and permissions. Red teams and adversaries alike may abuse this role to escalate their privileges. -action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. -action.escu.known_false_positives = Administrators may legitimately assign the Privileged Authentication Administrator role as part of administrative tasks. Filter as needed. -action.escu.creation_date = 2023-12-20 -action.escu.modification_date = 2023-12-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Azure AD Privileged Authentication Administrator Role Assigned - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Azure AD", "Entra ID"] -action.escu.analytic_story = ["Azure Active Directory Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = The privileged Azure AD role Privileged Authentication Administrator was assigned for User $user$ initiated by $initiatedBy$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 50}, {"risk_object_field": "initiatedBy", "risk_object_type": "other", "risk_score": 50}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Azure AD Privileged Authentication Administrator Role Assigned - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a7da845d-6fae-41cf-b823-6c0b8c55814a", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the assignment of the Privileged Authentication Administrato role to an Azure AD user. Users in this role can set or reset authentication methods for any user in Azure Active Directory, including privileged roles like Global Administrators. Users with this role can change credentials for people who may have access to sensitive or private information or critical configuration inside and outside of Azure Active Directory. Changing the credentials of a user may mean the ability to assume that users identity and permissions. Red teams and adversaries alike may abuse this role to escalate their privileges. -action.notable.param.rule_title = Azure AD Privileged Authentication Administrator Role Assigned -action.notable.param.security_domain = identity -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `azure_monitor_aad` "operationName"="Add member to role" "properties.targetResources{}.modifiedProperties{}.newValue"="\"Privileged Authentication Administrator\"" | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by initiatedBy, result, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_privileged_authentication_administrator_role_assigned_filter` - -[ESCU - Azure AD Privileged Graph API Permission Assigned - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This Splunk analytic flags the assignment of three high-risk Graph API permissions in Azure AD, Application.ReadWrite.All (1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9), AppRoleAssignment.ReadWrite.All (06b708a9-e830-4db3-a914-8e69da51d44f), and RoleManagement.ReadWrite.Directory (9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8). These permissions enable broad control over Azure AD, including application and directory settings. Utilizing azure_monitor_aad data, the query scans AuditLogs for 'Update application' operations, identifying when these permissions are assigned. It collects data on user, object, and user agent. Immediate attention is needed upon detection, as misuse of these permissions can lead to unauthorized Azure AD modifications and potential security breaches. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This Splunk analytic flags the assignment of three high-risk Graph API permissions in Azure AD, Application.ReadWrite.All (1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9), AppRoleAssignment.ReadWrite.All (06b708a9-e830-4db3-a914-8e69da51d44f), and RoleManagement.ReadWrite.Directory (9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8). These permissions enable broad control over Azure AD, including application and directory settings. Utilizing azure_monitor_aad data, the query scans AuditLogs for 'Update application' operations, identifying when these permissions are assigned. It collects data on user, object, and user agent. Immediate attention is needed upon detection, as misuse of these permissions can lead to unauthorized Azure AD modifications and potential security breaches. -action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. -action.escu.known_false_positives = Privileged Graph API permissions may be assigned for legitimate purposes. Filter as needed. -action.escu.creation_date = 2024-01-30 -action.escu.modification_date = 2024-01-30 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Azure AD Privileged Graph API Permission Assigned - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Azure AD", "Entra ID"] -action.escu.analytic_story = ["Azure Active Directory Persistence", "NOBELIUM Group"] -action.risk = 1 -action.risk.param._risk_message = User $user$ assigned privileged Graph API permissions to $object$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 54}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Azure AD Privileged Graph API Permission Assigned - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "5521f8c5-1aa3-473c-9eb7-853701924a06", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This Splunk analytic flags the assignment of three high-risk Graph API permissions in Azure AD, Application.ReadWrite.All (1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9), AppRoleAssignment.ReadWrite.All (06b708a9-e830-4db3-a914-8e69da51d44f), and RoleManagement.ReadWrite.Directory (9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8). These permissions enable broad control over Azure AD, including application and directory settings. Utilizing azure_monitor_aad data, the query scans AuditLogs for 'Update application' operations, identifying when these permissions are assigned. It collects data on user, object, and user agent. Immediate attention is needed upon detection, as misuse of these permissions can lead to unauthorized Azure AD modifications and potential security breaches. -action.notable.param.rule_title = Azure AD Privileged Graph API Permission Assigned -action.notable.param.security_domain = identity -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `azure_monitor_aad` category=AuditLogs operationName="Update application" | eval newvalue = mvindex('properties.targetResources{}.modifiedProperties{}.newValue',0) | spath input=newvalue | search "{}.RequiredAppPermissions{}.EntitlementId"="1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9" OR "{}.RequiredAppPermissions{}.EntitlementId"="06b708a9-e830-4db3-a914-8e69da51d44f" OR "{}.RequiredAppPermissions{}.EntitlementId"="9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8" | eval Permissions = '{}.RequiredAppPermissions{}.EntitlementId' | stats count earliest(_time) as firstTime latest(_time) as lastTime values(Permissions) by user, object, user_agent, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_privileged_graph_api_permission_assigned_filter` - -[ESCU - Azure AD Privileged Role Assigned - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the assignment of sensitive and privileged Azure Active Directory roles to an Azure AD user. Adversaries and red teams alike may assign these roles to a compromised account to establish Persistence in an Azure AD environment. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies the assignment of sensitive and privileged Azure Active Directory roles to an Azure AD user. Adversaries and red teams alike may assign these roles to a compromised account to establish Persistence in an Azure AD environment. -action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. -action.escu.known_false_positives = Administrators will legitimately assign the privileged roles users as part of administrative tasks. Filter as needed. -action.escu.creation_date = 2023-12-20 -action.escu.modification_date = 2023-12-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Azure AD Privileged Role Assigned - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Azure AD", "Entra ID"] -action.escu.analytic_story = ["Azure Active Directory Persistence", "NOBELIUM Group"] -action.risk = 1 -action.risk.param._risk_message = A privileged Azure AD role was assigned for User $user$ initiated by $initiatedBy$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 63}, {"risk_object_field": "initiatedBy", "risk_object_type": "other", "risk_score": 63}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Azure AD Privileged Role Assigned - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a28f0bc3-3400-4a6e-a2da-89b9e95f0d2a", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the assignment of sensitive and privileged Azure Active Directory roles to an Azure AD user. Adversaries and red teams alike may assign these roles to a compromised account to establish Persistence in an Azure AD environment. -action.notable.param.rule_title = Azure AD Privileged Role Assigned -action.notable.param.security_domain = audit -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `azure_monitor_aad` "operationName"="Add member to role" | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.modifiedProperties{}.newValue as roles | eval role=mvindex(roles,1) | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by initiatedBy, result, operationName, role | lookup privileged_azure_ad_roles azureadrole AS role OUTPUT isprvilegedadrole description | search isprvilegedadrole = True | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_privileged_role_assigned_filter` - -[ESCU - Azure AD Privileged Role Assigned to Service Principal - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects potential privilege escalation threats in Azure Active Directory (AD). The detection is made by running a specific search within the ingested Azure Active Directory events to leverage the AuditLogs log category. This detection is important because it identifies instances where privileged roles that hold elevated permissions are assigned to service principals. This prevents unauthorized access or malicious activities, which occur when these non-human entities access Azure resources to exploit them. False positives might occur since administrators can legitimately assign privileged roles to service principals. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects potential privilege escalation threats in Azure Active Directory (AD). The detection is made by running a specific search within the ingested Azure Active Directory events to leverage the AuditLogs log category. This detection is important because it identifies instances where privileged roles that hold elevated permissions are assigned to service principals. This prevents unauthorized access or malicious activities, which occur when these non-human entities access Azure resources to exploit them. False positives might occur since administrators can legitimately assign privileged roles to service principals. -action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. -action.escu.known_false_positives = Administrators may legitimately assign the privileged roles to Service Principals as part of administrative tasks. Filter as needed. -action.escu.creation_date = 2023-12-20 -action.escu.modification_date = 2023-12-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Azure AD Privileged Role Assigned to Service Principal - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Azure AD", "Entra ID"] -action.escu.analytic_story = ["Azure Active Directory Privilege Escalation", "NOBELIUM Group"] -action.risk = 1 -action.risk.param._risk_message = A privileged Azure AD role was assigned to the Service Principal $displayName$ initiated by $initiatedBy$ -action.risk.param._risk = [{"risk_object_field": "initiatedBy", "risk_object_type": "user", "risk_score": 35}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Azure AD Privileged Role Assigned to Service Principal - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Privilege Escalation", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "5dfaa3d3-e2e4-4053-8252-16d9ee528c41", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects potential privilege escalation threats in Azure Active Directory (AD). The detection is made by running a specific search within the ingested Azure Active Directory events to leverage the AuditLogs log category. This detection is important because it identifies instances where privileged roles that hold elevated permissions are assigned to service principals. This prevents unauthorized access or malicious activities, which occur when these non-human entities access Azure resources to exploit them. False positives might occur since administrators can legitimately assign privileged roles to service principals. -action.notable.param.rule_title = Azure AD Privileged Role Assigned to Service Principal -action.notable.param.security_domain = identity -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `azure_monitor_aad` operationName="Add member to role" | rename properties.* as * | search "targetResources{}.type"=ServicePrincipal | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.modifiedProperties{}.newValue as roles | eval role=mvindex(roles,1) | rename targetResources{}.displayName as apps | eval displayName=mvindex(apps,0) | stats count min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName by initiatedBy, result, operationName, role | lookup privileged_azure_ad_roles azureadrole AS role OUTPUT isprvilegedadrole description | search isprvilegedadrole = True | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_privileged_role_assigned_to_service_principal_filter` - -[ESCU - Azure AD Service Principal Authentication - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = Monitoring service principal authentication events in Azure Active Directory is crucial, but to effectively leverage this detection, teams should first conduct a thorough inventory of all service principals and their source IPs to establish a baseline of normal behavior. The detection, using azure_monitor_aad, specifically targets "Sign-in activity" within ServicePrincipalSignInLogs, gathering key details like sign-in frequency, timing, source IPs, and accessed resources. This baseline is essential for SOC teams to distinguish between regular application authentication and anomalous patterns that might suggest compromised credentials or malicious activities. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = Monitoring service principal authentication events in Azure Active Directory is crucial, but to effectively leverage this detection, teams should first conduct a thorough inventory of all service principals and their source IPs to establish a baseline of normal behavior. The detection, using azure_monitor_aad, specifically targets "Sign-in activity" within ServicePrincipalSignInLogs, gathering key details like sign-in frequency, timing, source IPs, and accessed resources. This baseline is essential for SOC teams to distinguish between regular application authentication and anomalous patterns that might suggest compromised credentials or malicious activities. -action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category. -action.escu.known_false_positives = Service Principals will legitimally authenticate remotely to your tenant. Implementing this detection after establishing a baseline enables a more accurate identification of security threats, ensuring proactive and informed responses to safeguard the Azure AD environment. source ips. -action.escu.creation_date = 2024-02-12 -action.escu.modification_date = 2024-02-12 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Azure AD Service Principal Authentication - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Azure AD", "Entra ID"] -action.escu.analytic_story = ["Azure Active Directory Account Takeover", "NOBELIUM Group"] -action.risk = 1 -action.risk.param._risk_message = Service Principal $user$ authenticated from $src_ip$ -action.risk.param._risk = [{"threat_object_field": "src_ip", "threat_object_type": "ip_address"}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Azure AD Service Principal Authentication - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "5a2ec401-60bb-474e-b936-1e66e7aa4060", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = Monitoring service principal authentication events in Azure Active Directory is crucial, but to effectively leverage this detection, teams should first conduct a thorough inventory of all service principals and their source IPs to establish a baseline of normal behavior. The detection, using azure_monitor_aad, specifically targets "Sign-in activity" within ServicePrincipalSignInLogs, gathering key details like sign-in frequency, timing, source IPs, and accessed resources. This baseline is essential for SOC teams to distinguish between regular application authentication and anomalous patterns that might suggest compromised credentials or malicious activities. -action.notable.param.rule_title = Azure AD Service Principal Authentication -action.notable.param.security_domain = identity -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `azure_monitor_aad` operationName="Sign-in activity" category=ServicePrincipalSignInLogs | rename properties.* as * | stats count earliest(_time) as firstTime latest(_time) as lastTime by user, user_id, src_ip, resourceDisplayName, resourceId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_service_principal_authentication_filter` - -[ESCU - Azure AD Service Principal Created - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the creation of a Service Principal in an Azure AD environment. An Azure Service Principal is an identity designed to be used with applications, services, and automated tools to access resources. It is similar to a service account within an Active Directory environment. Service Principal authentication does not support multi-factor authentication nor conditional access policies. Adversaries and red teams alike who have obtained administrative access may create a Service Principal to establish Persistence and obtain single-factor access to an Azure AD environment. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies the creation of a Service Principal in an Azure AD environment. An Azure Service Principal is an identity designed to be used with applications, services, and automated tools to access resources. It is similar to a service account within an Active Directory environment. Service Principal authentication does not support multi-factor authentication nor conditional access policies. Adversaries and red teams alike who have obtained administrative access may create a Service Principal to establish Persistence and obtain single-factor access to an Azure AD environment. -action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment thorough an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. -action.escu.known_false_positives = Administrator may legitimately create Service Principal. Filter as needed. -action.escu.creation_date = 2022-08-17 -action.escu.modification_date = 2022-08-17 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Azure AD Service Principal Created - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Azure AD", "Entra ID"] -action.escu.analytic_story = ["Azure Active Directory Persistence", "NOBELIUM Group"] -action.risk = 1 -action.risk.param._risk_message = Service Principal named $displayName$ created by $user$ -action.risk.param._risk = [{"risk_object_field": "displayName", "risk_object_type": "user", "risk_score": 45}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Azure AD Service Principal Created - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "f8ba49e7-ffd3-4b53-8f61-e73974583c5d", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the creation of a Service Principal in an Azure AD environment. An Azure Service Principal is an identity designed to be used with applications, services, and automated tools to access resources. It is similar to a service account within an Active Directory environment. Service Principal authentication does not support multi-factor authentication nor conditional access policies. Adversaries and red teams alike who have obtained administrative access may create a Service Principal to establish Persistence and obtain single-factor access to an Azure AD environment. -action.notable.param.rule_title = Azure AD Service Principal Created -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `azure_monitor_aad` operationName="Add service principal" properties.initiatedBy.user.id=* | rename properties.* as * | rename targetResources{}.displayName as displayName | rename targetResources{}.type as type | stats count min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName by type, user, result, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_service_principal_created_filter` - -[ESCU - Azure AD Service Principal New Client Credentials - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the addition of new credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD. These credentials include both x509 certificates and passwords. With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules. Adversaries and red teams alike who have obtained privileged access to Azure AD may add credentials to Service Principals to maintain persistent access to victim accounts and other instances within the Azure environment. By compromising an account who is an Owner of an application with privileged access, attackers may also escalate their privileges in an Azure AD environment by adding new credentials and logging in as the service principal. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098", "T1098.001"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies the addition of new credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD. These credentials include both x509 certificates and passwords. With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules. Adversaries and red teams alike who have obtained privileged access to Azure AD may add credentials to Service Principals to maintain persistent access to victim accounts and other instances within the Azure environment. By compromising an account who is an Owner of an application with privileged access, attackers may also escalate their privileges in an Azure AD environment by adding new credentials and logging in as the service principal. -action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category. -action.escu.known_false_positives = Service Principal client credential modifications may be part of legitimate administrative operations. Filter as needed. -action.escu.creation_date = 2023-12-20 -action.escu.modification_date = 2023-12-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Azure AD Service Principal New Client Credentials - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Azure AD", "Entra ID"] -action.escu.analytic_story = ["Azure Active Directory Persistence", "Azure Active Directory Privilege Escalation", "NOBELIUM Group"] -action.risk = 1 -action.risk.param._risk_message = New credentials added for Service Principal by $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 35}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Azure AD Service Principal New Client Credentials - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence", "Azure Active Directory Privilege Escalation", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098", "T1098.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e3adc0d3-9e4b-4b5d-b662-12cec1adff2a", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the addition of new credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD. These credentials include both x509 certificates and passwords. With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules. Adversaries and red teams alike who have obtained privileged access to Azure AD may add credentials to Service Principals to maintain persistent access to victim accounts and other instances within the Azure environment. By compromising an account who is an Owner of an application with privileged access, attackers may also escalate their privileges in an Azure AD environment by adding new credentials and logging in as the service principal. -action.notable.param.rule_title = Azure AD Service Principal New Client Credentials -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `azure_monitor_aad` category=AuditLogs operationName="Update application*Certificates and secrets management " | rename properties.* as * | rename targetResources{}.* as * | stats count min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName by user, modifiedProperties{}.newValue, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_service_principal_new_client_credentials_filter` - -[ESCU - Azure AD Service Principal Owner Added - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the addition of a new owner for a Service Principal within an Azure AD tenant. An Azure Service Principal is an identity designed to be used with applications, services, and automated tools to access resources. It is similar to a service account within an Active Directory environment. Service Principal authentication does not support multi-factor authentication nor conditional access policies. Adversaries and red teams alike who have obtained administrative access may add a new owner for an existing Service Principal to establish Persistence and obtain single-factor access to an Azure AD environment. Attackers who are looking to escalate their privileges by leveraging a Service Principals permissions may also add a new owner. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies the addition of a new owner for a Service Principal within an Azure AD tenant. An Azure Service Principal is an identity designed to be used with applications, services, and automated tools to access resources. It is similar to a service account within an Active Directory environment. Service Principal authentication does not support multi-factor authentication nor conditional access policies. Adversaries and red teams alike who have obtained administrative access may add a new owner for an existing Service Principal to establish Persistence and obtain single-factor access to an Azure AD environment. Attackers who are looking to escalate their privileges by leveraging a Service Principals permissions may also add a new owner. -action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. -action.escu.known_false_positives = Administrator may legitimately add new owners for Service Principals. Filter as needed. -action.escu.creation_date = 2023-12-20 -action.escu.modification_date = 2023-12-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Azure AD Service Principal Owner Added - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Azure AD", "Entra ID"] -action.escu.analytic_story = ["Azure Active Directory Persistence", "Azure Active Directory Privilege Escalation", "NOBELIUM Group"] -action.risk = 1 -action.risk.param._risk_message = A new owner was added for service principal $displayName$ by $initiatedBy$ -action.risk.param._risk = [{"risk_object_field": "displayName", "risk_object_type": "user", "risk_score": 54}, {"risk_object_field": "initiatedBy", "risk_object_type": "other", "risk_score": 54}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Azure AD Service Principal Owner Added - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence", "Azure Active Directory Privilege Escalation", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "7ddf2084-6cf3-4a44-be83-474f7b73c701", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the addition of a new owner for a Service Principal within an Azure AD tenant. An Azure Service Principal is an identity designed to be used with applications, services, and automated tools to access resources. It is similar to a service account within an Active Directory environment. Service Principal authentication does not support multi-factor authentication nor conditional access policies. Adversaries and red teams alike who have obtained administrative access may add a new owner for an existing Service Principal to establish Persistence and obtain single-factor access to an Azure AD environment. Attackers who are looking to escalate their privileges by leveraging a Service Principals permissions may also add a new owner. -action.notable.param.rule_title = Azure AD Service Principal Owner Added -action.notable.param.security_domain = audit -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `azure_monitor_aad` operationName="Add owner to application" | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.userPrincipalName as newOwner | rename targetResources{}.modifiedProperties{}.newValue as displayName | eval displayName = mvindex(displayName,1) | where initiatedBy!=newOwner | stats count min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName by initiatedBy, result, operationName, newOwner | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_service_principal_owner_added_filter` - -[ESCU - Azure AD Successful Authentication From Different Ips - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies an Azure AD account successfully authenticating from more than one unique Ip address in the span of 30 minutes. This behavior could represent an adversary who has stolen credentials via a phishing attack or some other method and using them to access corporate online resources around the same time as a legitimate user. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110", "T1110.001", "T1110.003"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies an Azure AD account successfully authenticating from more than one unique Ip address in the span of 30 minutes. This behavior could represent an adversary who has stolen credentials via a phishing attack or some other method and using them to access corporate online resources around the same time as a legitimate user. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments. -action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category. -action.escu.known_false_positives = A user with successful authentication events from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment. -action.escu.creation_date = 2023-12-20 -action.escu.modification_date = 2023-12-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Azure AD Successful Authentication From Different Ips - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Azure AD", "Entra ID"] -action.escu.analytic_story = ["Azure Active Directory Account Takeover", "Compromised User Account"] -action.risk = 1 -action.risk.param._risk_message = User $user$ has had successful authentication events from more than one unique IP address in the span of 30 minutes. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 56}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Azure AD Successful Authentication From Different Ips - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover", "Compromised User Account"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110", "T1110.001", "T1110.003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "be6d868d-33b6-4aaa-912e-724fb555b11a", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies an Azure AD account successfully authenticating from more than one unique Ip address in the span of 30 minutes. This behavior could represent an adversary who has stolen credentials via a phishing attack or some other method and using them to access corporate online resources around the same time as a legitimate user. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments. -action.notable.param.rule_title = Azure AD Successful Authentication From Different Ips -action.notable.param.security_domain = identity -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `azure_monitor_aad` properties.authenticationDetails{}.succeeded=true category=SignInLogs | rename properties.* as * | bucket span=30m _time | stats count min(_time) as firstTime max(_time) as lastTime dc(src_ip) AS unique_ips values(src_ip) as src_ip values(appDisplayName) as appDisplayName by user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where unique_ips > 1 | `azure_ad_successful_authentication_from_different_ips_filter` - -[ESCU - Azure AD Successful PowerShell Authentication - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a successful authentication event against an Azure AD tenant using PowerShell commandlets. This behavior is not common for regular, non administrative users. After compromising an account in Azure AD, attackers and red teams alike will perform enumeration and discovery techniques. One method of executing these techniques is leveraging the native PowerShell modules. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies a successful authentication event against an Azure AD tenant using PowerShell commandlets. This behavior is not common for regular, non administrative users. After compromising an account in Azure AD, attackers and red teams alike will perform enumeration and discovery techniques. One method of executing these techniques is leveraging the native PowerShell modules. -action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category. -action.escu.known_false_positives = Administrative users will likely use PowerShell commandlets to troubleshoot and maintain the environment. Filter as needed. -action.escu.creation_date = 2023-12-20 -action.escu.modification_date = 2023-12-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Azure AD Successful PowerShell Authentication - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Azure AD", "Entra ID"] -action.escu.analytic_story = ["Azure Active Directory Account Takeover"] -action.risk = 1 -action.risk.param._risk_message = Successful authentication for user $user$ using PowerShell. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 54}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Azure AD Successful PowerShell Authentication - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "62f10052-d7b3-4e48-b57b-56f8e3ac7ceb", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a successful authentication event against an Azure AD tenant using PowerShell commandlets. This behavior is not common for regular, non administrative users. After compromising an account in Azure AD, attackers and red teams alike will perform enumeration and discovery techniques. One method of executing these techniques is leveraging the native PowerShell modules. -action.notable.param.rule_title = Azure AD Successful PowerShell Authentication -action.notable.param.security_domain = identity -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `azure_monitor_aad` category=SignInLogs properties.authenticationDetails{}.succeeded=true properties.appDisplayName="Microsoft Azure PowerShell" | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip, appDisplayName, user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_successful_powershell_authentication_filter` - -[ESCU - Azure AD Successful Single-Factor Authentication - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a successful authentication event against Azure Active Directory for an account without Multi-Factor Authentication enabled. This could be evidence of a missconfiguration, a policy violation or an account take over attempt that should be investigated -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004"], "nist": ["DE.CM"]} -action.escu.data_models = ["Authentication"] -action.escu.eli5 = The following analytic identifies a successful authentication event against Azure Active Directory for an account without Multi-Factor Authentication enabled. This could be evidence of a missconfiguration, a policy violation or an account take over attempt that should be investigated -action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category. -action.escu.known_false_positives = Although not recommended, certain users may be required without multi-factor authentication. Filter as needed -action.escu.creation_date = 2023-12-20 -action.escu.modification_date = 2023-12-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Azure AD Successful Single-Factor Authentication - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Azure AD", "Entra ID"] -action.escu.analytic_story = ["Azure Active Directory Account Takeover"] -action.risk = 1 -action.risk.param._risk_message = Successful authentication for user $user$ without MFA -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 45}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Azure AD Successful Single-Factor Authentication - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a560e7f6-1711-4353-885b-40be53101fcd", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a successful authentication event against Azure Active Directory for an account without Multi-Factor Authentication enabled. This could be evidence of a missconfiguration, a policy violation or an account take over attempt that should be investigated -action.notable.param.rule_title = Azure AD Successful Single-Factor Authentication -action.notable.param.security_domain = identity -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `azure_monitor_aad` category=SignInLogs properties.authenticationRequirement=singleFactorAuthentication properties.authenticationDetails{}.succeeded=true | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip, appDisplayName, authenticationRequirement | `azure_ad_successful_single_factor_authentication_filter` - -[ESCU - Azure AD Tenant Wide Admin Consent Granted - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies instances where admin consent is granted to an application within an Azure AD tenant. It leverages Azure AD audit logs, specifically events related to the admin consent action within the ApplicationManagement category. The admin consent action allows applications to access data across the entire tenant, potentially encompassing a vast amount of organizational data. Given its broad scope and the sensitivity of some permissions that can only be granted via admin consent, it's crucial to monitor this action. Unauthorized or inadvertent granting of admin consent can lead to significant security risks, including data breaches, unauthorized data access, and potential compliance violations. If an attacker successfully tricks an administrator into granting admin consent to a malicious or compromised application, they can gain extensive and persistent access to organizational data. This can lead to data exfiltration, espionage, further malicious activities within the tenant, and potential breaches of compliance regulations -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies instances where admin consent is granted to an application within an Azure AD tenant. It leverages Azure AD audit logs, specifically events related to the admin consent action within the ApplicationManagement category. The admin consent action allows applications to access data across the entire tenant, potentially encompassing a vast amount of organizational data. Given its broad scope and the sensitivity of some permissions that can only be granted via admin consent, it's crucial to monitor this action. Unauthorized or inadvertent granting of admin consent can lead to significant security risks, including data breaches, unauthorized data access, and potential compliance violations. If an attacker successfully tricks an administrator into granting admin consent to a malicious or compromised application, they can gain extensive and persistent access to organizational data. This can lead to data exfiltration, espionage, further malicious activities within the tenant, and potential breaches of compliance regulations -action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Auditlogs log category. -action.escu.known_false_positives = Legitimate applications may be granted tenant wide consent, filter as needed. -action.escu.creation_date = 2023-09-14 -action.escu.modification_date = 2023-09-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Azure AD Tenant Wide Admin Consent Granted - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Azure AD", "Entra ID"] -action.escu.analytic_story = ["Azure Active Directory Persistence", "NOBELIUM Group"] -action.risk = 1 -action.risk.param._risk_message = Administrator $user$ consented an OAuth application for the tenant. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 45}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Azure AD Tenant Wide Admin Consent Granted - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 50, "impact": 90, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "dc02c0ee-6ac0-4c7f-87ba-8ce43a4e4418", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies instances where admin consent is granted to an application within an Azure AD tenant. It leverages Azure AD audit logs, specifically events related to the admin consent action within the ApplicationManagement category. The admin consent action allows applications to access data across the entire tenant, potentially encompassing a vast amount of organizational data. Given its broad scope and the sensitivity of some permissions that can only be granted via admin consent, it's crucial to monitor this action. Unauthorized or inadvertent granting of admin consent can lead to significant security risks, including data breaches, unauthorized data access, and potential compliance violations. If an attacker successfully tricks an administrator into granting admin consent to a malicious or compromised application, they can gain extensive and persistent access to organizational data. This can lead to data exfiltration, espionage, further malicious activities within the tenant, and potential breaches of compliance regulations -action.notable.param.rule_title = Azure AD Tenant Wide Admin Consent Granted -action.notable.param.security_domain = identity -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `azure_monitor_aad` operationName="Consent to application" | eval new_field=mvindex('properties.targetResources{}.modifiedProperties{}.newValue', 4) | rename properties.* as * | rex field=new_field "ConsentType: (?[^\,]+)" | rex field=new_field "Scope: (?[^\,]+)" | search ConsentType = "AllPrincipals" | stats count min(_time) as firstTime max(_time) as lastTime by operationName, user, targetResources{}.displayName, targetResources{}.id, ConsentType, Scope | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_tenant_wide_admin_consent_granted_filter` - -[ESCU - Azure AD Unusual Number of Failed Authentications From Ip - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies one source Ip failing to authenticate with multiple valid users. This behavior could represent an adversary performing a Password Spraying attack against an Azure Active Directory tenant to obtain initial access or elevate privileges. Error Code 50126 represents an invalid password. \ -The detection calculates the standard deviation for source Ip and leverages the 3-sigma statistical rule to identify an unusual number of failed authentication attempts. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises. \ -While looking for anomalies using statistical methods like the standard deviation can have benefits, we also recommend using threshold-based detections to complement coverage. A similar analytic following the threshold model is `Azure AD Multiple Users Failing To Authenticate From Ip`. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies one source Ip failing to authenticate with multiple valid users. This behavior could represent an adversary performing a Password Spraying attack against an Azure Active Directory tenant to obtain initial access or elevate privileges. Error Code 50126 represents an invalid password. \ -The detection calculates the standard deviation for source Ip and leverages the 3-sigma statistical rule to identify an unusual number of failed authentication attempts. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises. \ -While looking for anomalies using statistical methods like the standard deviation can have benefits, we also recommend using threshold-based detections to complement coverage. A similar analytic following the threshold model is `Azure AD Multiple Users Failing To Authenticate From Ip`. -action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category. -action.escu.known_false_positives = A source Ip failing to authenticate with multiple users is not a common for legitimate behavior. -action.escu.creation_date = 2022-07-11 -action.escu.modification_date = 2022-07-11 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Azure AD Unusual Number of Failed Authentications From Ip - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Azure AD", "Entra ID"] -action.escu.analytic_story = ["Azure Active Directory Account Takeover"] -action.risk = 1 -action.risk.param._risk_message = Possible Password Spraying attack against Azure AD from source ip $ipAddress$ -action.risk.param._risk = [{"risk_object_field": "userPrincipalName", "risk_object_type": "user", "risk_score": 54}, {"threat_object_field": "ipAddress", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Azure AD Unusual Number of Failed Authentications From Ip - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Exploitation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "3d8d3a36-93b8-42d7-8d91-c5f24cec223d", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `azure_monitor_aad` category=SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false | rename properties.* as * | bucket span=5m _time | stats dc(userPrincipalName) AS unique_accounts values(userPrincipalName) as userPrincipalName by _time, ipAddress | eventstats avg(unique_accounts) as ip_avg, stdev(unique_accounts) as ip_std by ipAddress | eval upperBound=(ip_avg+ip_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1,0) | where isOutlier = 1 | `azure_ad_unusual_number_of_failed_authentications_from_ip_filter` - -[ESCU - Azure AD User Consent Blocked for Risky Application - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies instances where Azure AD has blocked a user's attempt to grant consent to an application deemed risky or potentially malicious. This suggests that the application has exhibited behaviors or characteristics that are commonly associated with malicious intent or poses a security risk. This detection leverages the Azure AD audit logs, specifically focusing on events related to user consent actions and system-driven blocks. By filtering for blocked consent actions associated with applications, the analytic highlights instances where Azure's built-in security measures have intervened. Applications that are flagged and blocked by Azure typically exhibit suspicious characteristics or behaviors. Monitoring for these blocked consent attempts helps security teams identify potential threats early on and can provide insights into users who might be targeted or susceptible to such risky applications. It's an essential layer of defense in ensuring that malicious or risky applications don't gain access to organizational data. If the detection is a true positive, it indicates that the built-in security measures of O365 successfully prevented a potentially harmful application from gaining access. However, the attempt itself suggests that either a user might be targeted or that there's a presence of malicious applications trying to infiltrate the organization. Immediate investigation is required to understand the context of the block and to take further preventive measures. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1528"], "nist": ["DE.CM"]} -action.escu.data_models = ["Risk"] -action.escu.eli5 = The following analytic identifies instances where Azure AD has blocked a user's attempt to grant consent to an application deemed risky or potentially malicious. This suggests that the application has exhibited behaviors or characteristics that are commonly associated with malicious intent or poses a security risk. This detection leverages the Azure AD audit logs, specifically focusing on events related to user consent actions and system-driven blocks. By filtering for blocked consent actions associated with applications, the analytic highlights instances where Azure's built-in security measures have intervened. Applications that are flagged and blocked by Azure typically exhibit suspicious characteristics or behaviors. Monitoring for these blocked consent attempts helps security teams identify potential threats early on and can provide insights into users who might be targeted or susceptible to such risky applications. It's an essential layer of defense in ensuring that malicious or risky applications don't gain access to organizational data. If the detection is a true positive, it indicates that the built-in security measures of O365 successfully prevented a potentially harmful application from gaining access. However, the attempt itself suggests that either a user might be targeted or that there's a presence of malicious applications trying to infiltrate the organization. Immediate investigation is required to understand the context of the block and to take further preventive measures. -action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. -action.escu.known_false_positives = UPDATE_KNOWN_FALSE_POSITIVES -action.escu.creation_date = 2023-10-27 -action.escu.modification_date = 2023-10-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Azure AD User Consent Blocked for Risky Application - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Azure AD", "Entra ID"] -action.escu.analytic_story = ["Azure Active Directory Account Takeover"] -action.risk = 1 -action.risk.param._risk_message = Azure AD has blocked $user$ attempt to grant to consent to an application deemed risky. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 30}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Azure AD User Consent Blocked for Risky Application - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 100, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1528"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "06b8ec9a-d3b5-4882-8f16-04b4d10f5eab", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies instances where Azure AD has blocked a user's attempt to grant consent to an application deemed risky or potentially malicious. This suggests that the application has exhibited behaviors or characteristics that are commonly associated with malicious intent or poses a security risk. This detection leverages the Azure AD audit logs, specifically focusing on events related to user consent actions and system-driven blocks. By filtering for blocked consent actions associated with applications, the analytic highlights instances where Azure's built-in security measures have intervened. Applications that are flagged and blocked by Azure typically exhibit suspicious characteristics or behaviors. Monitoring for these blocked consent attempts helps security teams identify potential threats early on and can provide insights into users who might be targeted or susceptible to such risky applications. It's an essential layer of defense in ensuring that malicious or risky applications don't gain access to organizational data. If the detection is a true positive, it indicates that the built-in security measures of O365 successfully prevented a potentially harmful application from gaining access. However, the attempt itself suggests that either a user might be targeted or that there's a presence of malicious applications trying to infiltrate the organization. Immediate investigation is required to understand the context of the block and to take further preventive measures. -action.notable.param.rule_title = Azure AD User Consent Blocked for Risky Application -action.notable.param.security_domain = identity -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `azure_monitor_aad` operationName="Consent to application" properties.result=failure | rename properties.* as * | eval reason_index = if(mvfind('targetResources{}.modifiedProperties{}.displayName', "ConsentAction.Reason") >= 0, mvfind('targetResources{}.modifiedProperties{}.displayName', "ConsentAction.Reason"), -1) | eval permissions_index = if(mvfind('targetResources{}.modifiedProperties{}.displayName', "ConsentAction.Permissions") >= 0, mvfind('targetResources{}.modifiedProperties{}.displayName', "ConsentAction.Permissions"), -1) | search reason_index >= 0 | eval reason = mvindex('targetResources{}.modifiedProperties{}.newValue',reason_index) | eval permissions = mvindex('targetResources{}.modifiedProperties{}.newValue',permissions_index) | search reason = "\"Risky application detected\"" | rex field=permissions "Scope: (?[^,]+)" | stats count min(_time) as firstTime max(_time) as lastTime by operationName, user, reason, Scope | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_user_consent_blocked_for_risky_application_filter` - -[ESCU - Azure AD User Consent Denied for OAuth Application - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies instances where a user has actively denied consent to an OAuth application seeking permissions within the Azure AD environment. This suggests that the user either recognized something suspicious about the application or chose not to grant it the requested permissions for other reasons. This detection leverages the Azure AD's audit logs, specifically focusing on events related to user consent actions. By filtering for denied consent actions associated with OAuth applications, the analytic captures instances where users have actively rejected permission requests. While user-denied consents can be routine, they can also be indicative of users spotting potentially suspicious or unfamiliar applications. By monitoring these denied consent attempts, security teams can gain insights into applications that might be perceived as risky or untrusted by users. It can also serve as a feedback loop for security awareness training, indicating that users are being cautious about granting permissions. If the detection is a true positive, it indicates that a user has actively prevented an OAuth application from gaining the permissions it requested. While this is a proactive security measure on the user's part, it's essential for security teams to review the context of the denial. Understanding why certain applications are being denied can help in refining application whitelisting policies and ensuring that no malicious applications are attempting to gain access. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1528"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies instances where a user has actively denied consent to an OAuth application seeking permissions within the Azure AD environment. This suggests that the user either recognized something suspicious about the application or chose not to grant it the requested permissions for other reasons. This detection leverages the Azure AD's audit logs, specifically focusing on events related to user consent actions. By filtering for denied consent actions associated with OAuth applications, the analytic captures instances where users have actively rejected permission requests. While user-denied consents can be routine, they can also be indicative of users spotting potentially suspicious or unfamiliar applications. By monitoring these denied consent attempts, security teams can gain insights into applications that might be perceived as risky or untrusted by users. It can also serve as a feedback loop for security awareness training, indicating that users are being cautious about granting permissions. If the detection is a true positive, it indicates that a user has actively prevented an OAuth application from gaining the permissions it requested. While this is a proactive security measure on the user's part, it's essential for security teams to review the context of the denial. Understanding why certain applications are being denied can help in refining application whitelisting policies and ensuring that no malicious applications are attempting to gain access. -action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category. -action.escu.known_false_positives = Users may deny consent for legitimate applications by mistake, filter as needed. -action.escu.creation_date = 2023-12-20 -action.escu.modification_date = 2023-12-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Azure AD User Consent Denied for OAuth Application - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Azure AD", "Entra ID"] -action.escu.analytic_story = ["Azure Active Directory Account Takeover"] -action.risk = 1 -action.risk.param._risk_message = User $user$ denied consent for an OAuth application. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 36}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Azure AD User Consent Denied for OAuth Application - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1528"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "bb093c30-d860-4858-a56e-cd0895d5b49c", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies instances where a user has actively denied consent to an OAuth application seeking permissions within the Azure AD environment. This suggests that the user either recognized something suspicious about the application or chose not to grant it the requested permissions for other reasons. This detection leverages the Azure AD's audit logs, specifically focusing on events related to user consent actions. By filtering for denied consent actions associated with OAuth applications, the analytic captures instances where users have actively rejected permission requests. While user-denied consents can be routine, they can also be indicative of users spotting potentially suspicious or unfamiliar applications. By monitoring these denied consent attempts, security teams can gain insights into applications that might be perceived as risky or untrusted by users. It can also serve as a feedback loop for security awareness training, indicating that users are being cautious about granting permissions. If the detection is a true positive, it indicates that a user has actively prevented an OAuth application from gaining the permissions it requested. While this is a proactive security measure on the user's part, it's essential for security teams to review the context of the denial. Understanding why certain applications are being denied can help in refining application whitelisting policies and ensuring that no malicious applications are attempting to gain access. -action.notable.param.rule_title = Azure AD User Consent Denied for OAuth Application -action.notable.param.security_domain = identity -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `azure_monitor_aad` operationName="Sign-in activity" properties.status.errorCode=65004 | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime by operationName, user, appDisplayName, status.failureReason | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_user_consent_denied_for_oauth_application_filter` - -[ESCU - Azure AD User Enabled And Password Reset - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies an Azure AD user enabling a previously disabled account and resetting its password within 2 minutes. This behavior could represent an adversary who has obtained administrative access and is trying to establish a backdoor identity within an Azure AD tenant. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies an Azure AD user enabling a previously disabled account and resetting its password within 2 minutes. This behavior could represent an adversary who has obtained administrative access and is trying to establish a backdoor identity within an Azure AD tenant. -action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. -action.escu.known_false_positives = While not common, Administrators may enable accounts and reset their passwords for legitimate reasons. Filter as needed. -action.escu.creation_date = 2023-12-20 -action.escu.modification_date = 2023-12-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Azure AD User Enabled And Password Reset - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Azure AD", "Entra ID"] -action.escu.analytic_story = ["Azure Active Directory Persistence"] -action.risk = 1 -action.risk.param._risk_message = A user account, $user$, was enabled and its password reset within 2 minutes by $initiatedBy$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 45}, {"risk_object_field": "initiatedBy", "risk_object_type": "other", "risk_score": 45}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Azure AD User Enabled And Password Reset - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "1347b9e8-2daa-4a6f-be73-b421d3d9e268", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies an Azure AD user enabling a previously disabled account and resetting its password within 2 minutes. This behavior could represent an adversary who has obtained administrative access and is trying to establish a backdoor identity within an Azure AD tenant. -action.notable.param.rule_title = Azure AD User Enabled And Password Reset -action.notable.param.security_domain = identity -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `azure_monitor_aad` (operationName="Enable account" OR operationName="Reset password (by admin)" OR operationName="Update user") | transaction user startsWith=(operationName="Enable account") endsWith=(operationName="Reset password (by admin)") maxspan=2m | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | stats count min(_time) as firstTime max(_time) as lastTime values(operationName) as operationName values(initiatedBy) as initiatedBy by user, result | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_user_enabled_and_password_reset_filter` - -[ESCU - Azure AD User ImmutableId Attribute Updated - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the modification of the SourceAnchor (also called ImmutableId) attribute for an Azure Active Directory user. Updating this attribute is a step required to set up the Azure Active Directory identity federation backdoor technique discovered by security researcher Nestori Syynimaa. Similar to Active Directory, Azure AD uses the concept of domains to manage directories of identities. A new Azure AD tenant will initially contain a single domain that is commonly called the `cloud-only` onmicrosoft.com domain. Organizations can also add their registered custom domains to Azure AD for email addresses to match the organizations domain name. If the organization intends to use a third-party identity provider such as ADFS for authentication, the added custom domains can be configured as federated. An adversary who has obtained privileged access to an Azure AD tenant may leverage this technique to establish persistence and be able to authenticate to Azure AD impersonating any user and bypassing the requirement to have a valid password and/or perform MFA. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies the modification of the SourceAnchor (also called ImmutableId) attribute for an Azure Active Directory user. Updating this attribute is a step required to set up the Azure Active Directory identity federation backdoor technique discovered by security researcher Nestori Syynimaa. Similar to Active Directory, Azure AD uses the concept of domains to manage directories of identities. A new Azure AD tenant will initially contain a single domain that is commonly called the `cloud-only` onmicrosoft.com domain. Organizations can also add their registered custom domains to Azure AD for email addresses to match the organizations domain name. If the organization intends to use a third-party identity provider such as ADFS for authentication, the added custom domains can be configured as federated. An adversary who has obtained privileged access to an Azure AD tenant may leverage this technique to establish persistence and be able to authenticate to Azure AD impersonating any user and bypassing the requirement to have a valid password and/or perform MFA. -action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. -action.escu.known_false_positives = The SourceAnchor (also called ImmutableId) Azure AD attribute has legitimate uses for directory synchronization. Investigate and filter as needed. -action.escu.creation_date = 2022-09-02 -action.escu.modification_date = 2022-09-02 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Azure AD User ImmutableId Attribute Updated - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Azure AD", "Entra ID"] -action.escu.analytic_story = ["Azure Active Directory Persistence"] -action.risk = 1 -action.risk.param._risk_message = The SourceAnchor or ImmutableID attribute has been modified for user $user$ by $initiatedBy$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 45}, {"risk_object_field": "initiatedBy", "risk_object_type": "other", "risk_score": 45}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Azure AD User ImmutableId Attribute Updated - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "0c0badad-4536-4a84-a561-5ff760f3c00e", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the modification of the SourceAnchor (also called ImmutableId) attribute for an Azure Active Directory user. Updating this attribute is a step required to set up the Azure Active Directory identity federation backdoor technique discovered by security researcher Nestori Syynimaa. Similar to Active Directory, Azure AD uses the concept of domains to manage directories of identities. A new Azure AD tenant will initially contain a single domain that is commonly called the `cloud-only` onmicrosoft.com domain. Organizations can also add their registered custom domains to Azure AD for email addresses to match the organizations domain name. If the organization intends to use a third-party identity provider such as ADFS for authentication, the added custom domains can be configured as federated. An adversary who has obtained privileged access to an Azure AD tenant may leverage this technique to establish persistence and be able to authenticate to Azure AD impersonating any user and bypassing the requirement to have a valid password and/or perform MFA. -action.notable.param.rule_title = Azure AD User ImmutableId Attribute Updated -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `azure_monitor_aad` operationName="Update user" properties.targetResources{}.modifiedProperties{}.displayName=SourceAnchor | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.modifiedProperties{}.newValue as modifiedProperties | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user values(modifiedProperties) as modifiedProperties by initiatedBy, src_ip, result, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_user_immutableid_attribute_updated_filter` - -[ESCU - Azure Automation Account Created - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the creation of a new Azure Automation account within an Azure tenant. Azure Automation is a cloud-based automation platform that allows administrators to automate Azure management tasks and orchestrate actions across external systems within Azure using PowerShell and Python. Azure Automation can also be configured to automate tasks on on premise infrastructure using a component called a Hybrid Runbook Worker. Automation accounts serve as a container to isolate Automation resources, runbooks, assets, and configurations from the resources of other accounts. They allow administrators to separate resources into logical environments or delegated responsibilities. Adversaries or red teams who have obtained privileged access to an Azure tenant may create an Azure Automation account with elevated privileges to maintain persistence in the Azure tenant. A malicious Automation Runbook can be created to create Global Administrators in Azure AD, execute code on VMs, etc. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136", "T1136.003"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies the creation of a new Azure Automation account within an Azure tenant. Azure Automation is a cloud-based automation platform that allows administrators to automate Azure management tasks and orchestrate actions across external systems within Azure using PowerShell and Python. Azure Automation can also be configured to automate tasks on on premise infrastructure using a component called a Hybrid Runbook Worker. Automation accounts serve as a container to isolate Automation resources, runbooks, assets, and configurations from the resources of other accounts. They allow administrators to separate resources into logical environments or delegated responsibilities. Adversaries or red teams who have obtained privileged access to an Azure tenant may create an Azure Automation account with elevated privileges to maintain persistence in the Azure tenant. A malicious Automation Runbook can be created to create Global Administrators in Azure AD, execute code on VMs, etc. -action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Audit events into your Splunk environment. Specifically, this analytic leverages the Azure Activity log category. -action.escu.known_false_positives = Administrators may legitimately create Azure Automation accounts. Filter as needed. -action.escu.creation_date = 2023-12-20 -action.escu.modification_date = 2023-12-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Azure Automation Account Created - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Azure Active Directory Persistence"] -action.risk = 1 -action.risk.param._risk_message = A new Azure Automation account $object$ was created by $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 63}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Azure Automation Account Created - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136", "T1136.003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "860902fd-2e76-46b3-b050-ba548dab576c", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the creation of a new Azure Automation account within an Azure tenant. Azure Automation is a cloud-based automation platform that allows administrators to automate Azure management tasks and orchestrate actions across external systems within Azure using PowerShell and Python. Azure Automation can also be configured to automate tasks on on premise infrastructure using a component called a Hybrid Runbook Worker. Automation accounts serve as a container to isolate Automation resources, runbooks, assets, and configurations from the resources of other accounts. They allow administrators to separate resources into logical environments or delegated responsibilities. Adversaries or red teams who have obtained privileged access to an Azure tenant may create an Azure Automation account with elevated privileges to maintain persistence in the Azure tenant. A malicious Automation Runbook can be created to create Global Administrators in Azure AD, execute code on VMs, etc. -action.notable.param.rule_title = Azure Automation Account Created -action.notable.param.security_domain = audit -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `azure_audit` operationName.localizedValue="Create or Update an Azure Automation account" status.value=Succeeded | dedup object | rename claims.ipaddr as src_ip | rename caller as user | stats count min(_time) as firstTime max(_time) as lastTime values(object) as object by user, src_ip, resourceGroupName, object_path | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_automation_account_created_filter` - -[ESCU - Azure Automation Runbook Created - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the creation of a new Azure Automation Runbook within an Azure tenant. Azure Automation is a cloud-based automation platform that allows administrators to automate Azure management tasks and orchestrate actions across external systems within Azure. Azure Automation script files called Runbooks that can be written in PowerShell or Python. Adversaries or red teams who have obtained privileged access to an Azure tenant may create an Azure Automation Runbook that runs with elevated privileges to maintain persistence in the Azure tenant. A malicious Automation Runbook can be created to create Global Administrators in Azure AD, execute code on VMs, etc. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136", "T1136.003"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies the creation of a new Azure Automation Runbook within an Azure tenant. Azure Automation is a cloud-based automation platform that allows administrators to automate Azure management tasks and orchestrate actions across external systems within Azure. Azure Automation script files called Runbooks that can be written in PowerShell or Python. Adversaries or red teams who have obtained privileged access to an Azure tenant may create an Azure Automation Runbook that runs with elevated privileges to maintain persistence in the Azure tenant. A malicious Automation Runbook can be created to create Global Administrators in Azure AD, execute code on VMs, etc. -action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Audit events into your Splunk environment. Specifically, this analytic leverages the Azure Activity log category. -action.escu.known_false_positives = Administrators may legitimately create Azure Automation Runbooks. Filter as needed. -action.escu.creation_date = 2023-11-07 -action.escu.modification_date = 2023-11-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Azure Automation Runbook Created - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Azure Active Directory Persistence"] -action.risk = 1 -action.risk.param._risk_message = A new Azure Automation Runbook $object$ was created by $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 63}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Azure Automation Runbook Created - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136", "T1136.003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "178d696d-6dc6-4ee8-9d25-93fee34eaf5b", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the creation of a new Azure Automation Runbook within an Azure tenant. Azure Automation is a cloud-based automation platform that allows administrators to automate Azure management tasks and orchestrate actions across external systems within Azure. Azure Automation script files called Runbooks that can be written in PowerShell or Python. Adversaries or red teams who have obtained privileged access to an Azure tenant may create an Azure Automation Runbook that runs with elevated privileges to maintain persistence in the Azure tenant. A malicious Automation Runbook can be created to create Global Administrators in Azure AD, execute code on VMs, etc. -action.notable.param.rule_title = Azure Automation Runbook Created -action.notable.param.security_domain = audit -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `azure_audit` operationName.localizedValue="Create or Update an Azure Automation Runbook" object!=AzureAutomationTutorial* status.value=Succeeded | dedup object | rename claims.ipaddr as src_ip | rename caller as user | stats count min(_time) as firstTime max(_time) as lastTime by object user, src_ip, resourceGroupName, object_path | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_automation_runbook_created_filter` - -[ESCU - Azure Runbook Webhook Created - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the creation of a new Automation Runbook Webhook within an Azure tenant. Azure Automation is a cloud-based automation platform that allows administrators to automate Azure management tasks and orchestrate actions across external systems within Azure. Azure Automation script files called Runbooks that can be written in PowerShell or Python. One of the ways administrators can configure a Runbook to be executed is through HTTP Webhooks. Webhooks leverage custom unauthenticated URLs that are exposed to the Internet. An adversary who has obtained privileged access to an Azure tenant may create a Webhook to trigger the execution of an Automation Runbook with malicious code that can create users or execute code on a VM. This provides a persistent foothold on the environment. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078", "T1078.004"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies the creation of a new Automation Runbook Webhook within an Azure tenant. Azure Automation is a cloud-based automation platform that allows administrators to automate Azure management tasks and orchestrate actions across external systems within Azure. Azure Automation script files called Runbooks that can be written in PowerShell or Python. One of the ways administrators can configure a Runbook to be executed is through HTTP Webhooks. Webhooks leverage custom unauthenticated URLs that are exposed to the Internet. An adversary who has obtained privileged access to an Azure tenant may create a Webhook to trigger the execution of an Automation Runbook with malicious code that can create users or execute code on a VM. This provides a persistent foothold on the environment. -action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Audit events into your Splunk environment. Specifically, this analytic leverages the Azure Activity log category. -action.escu.known_false_positives = Administrators may legitimately create Azure Runbook Webhooks. Filter as needed. -action.escu.creation_date = 2023-12-20 -action.escu.modification_date = 2023-12-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Azure Runbook Webhook Created - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Azure Active Directory Persistence"] -action.risk = 1 -action.risk.param._risk_message = A new Azure Runbook Webhook $object$ was created by $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 63}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Azure Runbook Webhook Created - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078", "T1078.004"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e98944a9-92e4-443c-81b8-a322e33ce75a", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the creation of a new Automation Runbook Webhook within an Azure tenant. Azure Automation is a cloud-based automation platform that allows administrators to automate Azure management tasks and orchestrate actions across external systems within Azure. Azure Automation script files called Runbooks that can be written in PowerShell or Python. One of the ways administrators can configure a Runbook to be executed is through HTTP Webhooks. Webhooks leverage custom unauthenticated URLs that are exposed to the Internet. An adversary who has obtained privileged access to an Azure tenant may create a Webhook to trigger the execution of an Automation Runbook with malicious code that can create users or execute code on a VM. This provides a persistent foothold on the environment. -action.notable.param.rule_title = Azure Runbook Webhook Created -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `azure_audit` operationName.localizedValue="Create or Update an Azure Automation webhook" status.value=Succeeded | dedup object | rename claims.ipaddr as src_ip | rename caller as user | stats count min(_time) as firstTime max(_time) as lastTime by object user, src_ip, resourceGroupName, object_path | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_runbook_webhook_created_filter` - -[ESCU - Circle CI Disable Security Job - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic searches for a specific behavior in CircleCI pipelines such as the disabling of security jobs. The detection is made by using a Splunk query that renames certain fields and retrieves values for specified job names, workflow IDs and names, user information, commit messages, URLs, and branches. Then, the query identifies mandatory jobs for each workflow and searches for instances where they were run. The search also identifies the phase of the pipeline as "build" and extracts the repository name from the URL using regular expressions. The detection is important because it detects attempts to bypass security measures in CircleCI pipelines, which can potentially lead to malicious code being introduced into the pipeline, data breaches, system downtime, and reputational damage. False positives might occur since legitimate use cases can require the disabling of security jobs. However, you can proactively monitor and identify any suspicious activity in the pipeline using this analytic and mitigate potential threats through early detection. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1554"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic searches for a specific behavior in CircleCI pipelines such as the disabling of security jobs. The detection is made by using a Splunk query that renames certain fields and retrieves values for specified job names, workflow IDs and names, user information, commit messages, URLs, and branches. Then, the query identifies mandatory jobs for each workflow and searches for instances where they were run. The search also identifies the phase of the pipeline as "build" and extracts the repository name from the URL using regular expressions. The detection is important because it detects attempts to bypass security measures in CircleCI pipelines, which can potentially lead to malicious code being introduced into the pipeline, data breaches, system downtime, and reputational damage. False positives might occur since legitimate use cases can require the disabling of security jobs. However, you can proactively monitor and identify any suspicious activity in the pipeline using this analytic and mitigate potential threats through early detection. -action.escu.how_to_implement = You must index CircleCI logs. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2021-09-02 -action.escu.modification_date = 2021-09-02 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Circle CI Disable Security Job - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Dev Sec Ops"] -action.risk = 1 -action.risk.param._risk_message = Disable security job $mandatory_job$ in workflow $workflow_name$ from user $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 72}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Circle CI Disable Security Job - Rule -action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 13"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1554"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "4a2fdd41-c578-4cd4-9ef7-980e352517f2", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `circleci` | rename vcs.committer_name as user vcs.subject as commit_message vcs.url as url workflows.* as * | stats values(job_name) as job_names by workflow_id workflow_name user commit_message url branch | lookup mandatory_job_for_workflow workflow_name OUTPUTNEW job_name AS mandatory_job | search mandatory_job=* | eval mandatory_job_executed=if(like(job_names, "%".mandatory_job."%"), 1, 0) | where mandatory_job_executed=0 | eval phase="build" | rex field=url "(?[^\/]*\/[^\/]*)$" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `circle_ci_disable_security_job_filter` - -[ESCU - Circle CI Disable Security Step - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic detects the disablement of security steps in a CircleCI pipeline. Addressing instances of security step disablement in CircleCI pipelines can mitigate the risks associated with potential security vulnerabilities and unauthorized changes. A proactive approach helps protect the organization's infrastructure, data, and overall security posture. The detection is made by a Splunk query that searches for specific criteria within CircleCI logs through a combination of field renaming, joining, and statistical analysis to identify instances where security steps are disabled. It retrieves information such as job IDs, job names, commit details, and user information from the CircleCI logs. The detection is important because it indicates potential security vulnerabilities or unauthorized changes to the pipeline caused by someone within the organization intentionally or unintentionally disabling security steps in the CircleCI pipeline.Disabling security steps can leave the pipeline and the associated infrastructure exposed to potential attacks, data breaches, or the introduction of malicious code into the pipeline. Investigate by reviewing the job name, commit details, and user information associated with the disablement of security steps. You must also examine any relevant on-disk artifacts and identify concurrent processes that might indicate the source of the attack or unauthorized change. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1554"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects the disablement of security steps in a CircleCI pipeline. Addressing instances of security step disablement in CircleCI pipelines can mitigate the risks associated with potential security vulnerabilities and unauthorized changes. A proactive approach helps protect the organization's infrastructure, data, and overall security posture. The detection is made by a Splunk query that searches for specific criteria within CircleCI logs through a combination of field renaming, joining, and statistical analysis to identify instances where security steps are disabled. It retrieves information such as job IDs, job names, commit details, and user information from the CircleCI logs. The detection is important because it indicates potential security vulnerabilities or unauthorized changes to the pipeline caused by someone within the organization intentionally or unintentionally disabling security steps in the CircleCI pipeline.Disabling security steps can leave the pipeline and the associated infrastructure exposed to potential attacks, data breaches, or the introduction of malicious code into the pipeline. Investigate by reviewing the job name, commit details, and user information associated with the disablement of security steps. You must also examine any relevant on-disk artifacts and identify concurrent processes that might indicate the source of the attack or unauthorized change. -action.escu.how_to_implement = You must index CircleCI logs. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2021-09-01 -action.escu.modification_date = 2021-09-01 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Circle CI Disable Security Step - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Dev Sec Ops"] -action.risk = 1 -action.risk.param._risk_message = Disable security step $mandatory_step$ in job $job_name$ from user $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 72}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Circle CI Disable Security Step - Rule -action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 13"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1554"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "72cb9de9-e98b-4ac9-80b2-5331bba6ea97", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `circleci` | rename workflows.job_id AS job_id | join job_id [ | search `circleci` | stats values(name) as step_names count by job_id job_name ] | stats count by step_names job_id job_name vcs.committer_name vcs.subject vcs.url owners{} | rename vcs.* as * , owners{} as user | lookup mandatory_step_for_job job_name OUTPUTNEW step_name AS mandatory_step | search mandatory_step=* | eval mandatory_step_executed=if(like(step_names, "%".mandatory_step."%"), 1, 0) | where mandatory_step_executed=0 | rex field=url "(?[^\/]*\/[^\/]*)$" | eval phase="build" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `circle_ci_disable_security_step_filter` - -[ESCU - Cloud API Calls From Previously Unseen User Roles - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic detects when a new command is run by a user, who typically does not run those commands. The detection is made by a Splunk query to search for these commands in the Change data model. Identifies commands run by users with the user_type of AssumedRole and a status of success. The query retrieves the earliest and latest timestamps of each command run and groups the results by the user and command. Then, it drops the unnecessary data model object name and creates a lookup to verify if the command was seen before. The lookup table contains information about previously seen cloud API calls for each user role, including the first time the command was seen and whether enough data is available for analysis. If the firstTimeSeenUserApiCall field is null or greater than the relative time of 24 hours ago, it indicates that the command is new and was not seen before. The final result table includes the firstTime, user, object, and command fields of the new commands. It also applies the security_content_ctime function to format the timestamps and applies a filter to remove any cloud API calls from previously unseen user roles. The detection is important because it helps to identify new commands run by different user roles. New commands can indicate potential malicious activity or unauthorized actions within the environment. Detecting and investigating these new commands can help identify and mitigate potential security threats earlier, preventing data breaches, unauthorized access, or other damaging outcomes. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} -action.escu.data_models = ["Change"] -action.escu.eli5 = The following analytic detects when a new command is run by a user, who typically does not run those commands. The detection is made by a Splunk query to search for these commands in the Change data model. Identifies commands run by users with the user_type of AssumedRole and a status of success. The query retrieves the earliest and latest timestamps of each command run and groups the results by the user and command. Then, it drops the unnecessary data model object name and creates a lookup to verify if the command was seen before. The lookup table contains information about previously seen cloud API calls for each user role, including the first time the command was seen and whether enough data is available for analysis. If the firstTimeSeenUserApiCall field is null or greater than the relative time of 24 hours ago, it indicates that the command is new and was not seen before. The final result table includes the firstTime, user, object, and command fields of the new commands. It also applies the security_content_ctime function to format the timestamps and applies a filter to remove any cloud API calls from previously unseen user roles. The detection is important because it helps to identify new commands run by different user roles. New commands can indicate potential malicious activity or unauthorized actions within the environment. Detecting and investigating these new commands can help identify and mitigate potential security threats earlier, preventing data breaches, unauthorized access, or other damaging outcomes. -action.escu.how_to_implement = You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud API Calls Per User Role - Initial` to build the initial table of user roles, commands, and times. You must also enable the second baseline search `Previously Seen Cloud API Calls Per User Role - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `cloud_api_calls_from_previously_unseen_user_roles_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_api_calls_from_previously_unseen_user_roles_filter` -action.escu.known_false_positives = None. -action.escu.creation_date = 2020-09-04 -action.escu.modification_date = 2020-09-04 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Cloud API Calls From Previously Unseen User Roles - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Suspicious Cloud User Activities"] -action.risk = 1 -action.risk.param._risk_message = User $user$ of type AssumedRole attempting to execute new API calls $command$ that have not been seen before -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 36}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Cloud API Calls From Previously Unseen User Roles - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious Cloud User Activities"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "2181ad1f-1e73-4d0c-9780-e8880482a08f", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Change where All_Changes.user_type=AssumedRole AND All_Changes.status=success by All_Changes.user, All_Changes.command All_Changes.object | `drop_dm_object_name("All_Changes")` | lookup previously_seen_cloud_api_calls_per_user_role user as user, command as command OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenUserApiCall=min(firstTimeSeen) | where isnull(firstTimeSeenUserApiCall) OR firstTimeSeenUserApiCall > relative_time(now(),"-24h@h") | table firstTime, user, object, command |`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `cloud_api_calls_from_previously_unseen_user_roles_filter` - -[ESCU - Cloud Compute Instance Created By Previously Unseen User - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies the creation of cloud compute instances by users who have not previously created them. It leverages data from the Change data model, focusing on 'create' actions by users, and cross-references with a baseline of known user activities. This activity is significant as it may indicate unauthorized access or misuse of cloud resources by new or compromised accounts. If confirmed malicious, attackers could deploy unauthorized compute instances, leading to potential data exfiltration, increased costs, or further exploitation within the cloud environment. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"]} -action.escu.data_models = ["Change"] -action.escu.eli5 = The following analytic identifies the creation of cloud compute instances by users who have not previously created them. It leverages data from the Change data model, focusing on 'create' actions by users, and cross-references with a baseline of known user activities. This activity is significant as it may indicate unauthorized access or misuse of cloud resources by new or compromised accounts. If confirmed malicious, attackers could deploy unauthorized compute instances, leading to potential data exfiltration, increased costs, or further exploitation within the cloud environment. -action.escu.how_to_implement = You must be ingesting the appropriate cloud-infrastructure logs Run the "Previously Seen Cloud Compute Creations By User" support search to create of baseline of previously seen users. -action.escu.known_false_positives = It's possible that a user will start to create compute instances for the first time, for any number of reasons. Verify with the user launching instances that this is the intended behavior. -action.escu.creation_date = 2025-05-18 -action.escu.modification_date = 2025-05-18 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Cloud Compute Instance Created By Previously Unseen User - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Cloud Cryptomining"] -action.risk = 1 -action.risk.param._risk_message = User $user$ is creating a new instance $dest$ for the first time -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 18}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 18}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Cloud Compute Instance Created By Previously Unseen User - Rule -action.correlationsearch.annotations = {"analytic_story": ["Cloud Cryptomining"], "cis20": ["CIS 10"], "confidence": 60, "impact": 30, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "37a0ec8d-827e-4d6d-8025-cedf31f3a149", "detection_version": "3"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object) as dest from datamodel=Change where All_Changes.action=created by All_Changes.user All_Changes.vendor_region | `drop_dm_object_name("All_Changes")` | lookup previously_seen_cloud_compute_creations_by_user user as user OUTPUTNEW firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenUser=min(firstTimeSeen) | where isnull(firstTimeSeenUser) OR firstTimeSeenUser > relative_time(now(), "-24h@h") | table firstTime, user, dest, count vendor_region | `security_content_ctime(firstTime)` | `cloud_compute_instance_created_by_previously_unseen_user_filter` - -[ESCU - Cloud Compute Instance Created In Previously Unused Region - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic detects the creation of a cloud compute instance in a region that has not been previously used within the last hour. It leverages cloud infrastructure logs and compares the regions of newly created instances against a lookup file of historically used regions. This activity is significant because the creation of instances in new regions can indicate unauthorized or suspicious activity, such as an attacker attempting to evade detection or establish a foothold in a less monitored area. If confirmed malicious, this could lead to unauthorized resource usage, data exfiltration, or further compromise of the cloud environment. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1535"], "nist": ["DE.AE"]} -action.escu.data_models = ["Change"] -action.escu.eli5 = The following analytic detects the creation of a cloud compute instance in a region that has not been previously used within the last hour. It leverages cloud infrastructure logs and compares the regions of newly created instances against a lookup file of historically used regions. This activity is significant because the creation of instances in new regions can indicate unauthorized or suspicious activity, such as an attacker attempting to evade detection or establish a foothold in a less monitored area. If confirmed malicious, this could lead to unauthorized resource usage, data exfiltration, or further compromise of the cloud environment. -action.escu.how_to_implement = You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Regions - Initial` to build the initial table of images observed and times. You must also enable the second baseline search `Previously Seen Cloud Regions - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `cloud_compute_instance_created_in_previously_unused_region_filter` macro. -action.escu.known_false_positives = It's possible that a user has unknowingly started an instance in a new region. Please verify that this activity is legitimate. -action.escu.creation_date = 2024-05-10 -action.escu.modification_date = 2024-05-10 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Cloud Compute Instance Created In Previously Unused Region - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Cloud Cryptomining"] -action.risk = 1 -action.risk.param._risk_message = User $user$ is creating an instance $dest$ in a new region for the first time -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 42}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 42}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Cloud Compute Instance Created In Previously Unused Region - Rule -action.correlationsearch.annotations = {"analytic_story": ["Cloud Cryptomining"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1535"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "fa4089e2-50e3-40f7-8469-d2cc1564ca59", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats earliest(_time) as firstTime latest(_time) as lastTime values(All_Changes.object_id) as dest, count from datamodel=Change where All_Changes.action=created by All_Changes.vendor_region, All_Changes.user | `drop_dm_object_name("All_Changes")` | lookup previously_seen_cloud_regions vendor_region as vendor_region OUTPUTNEW firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenRegion=min(firstTimeSeen) | where isnull(firstTimeSeenRegion) OR firstTimeSeenRegion > relative_time(now(), "-24h@h") | table firstTime, user, dest, count , vendor_region | `security_content_ctime(firstTime)` | `cloud_compute_instance_created_in_previously_unused_region_filter` - -[ESCU - Cloud Compute Instance Created With Previously Unseen Image - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic detects potential instances that are created in a cloud computing environment using new or unknown image IDs that have not been seen before. This detection is important because it helps to investigate and take appropriate action to prevent further damage or unauthorized access to the Cloud environment, which can include data breaches, unauthorized access to sensitive information, or the deployment of malicious payloads within the cloud environment. False positives might occur since legitimate instances can also have previously unseen image IDs. Next steps include conducting an extensive triage and investigation to determine the nature of the activity. During triage, review the details of the created instances, including the user responsible for the creation, the image ID used, and any associated metadata. Additionally, consider inspecting any relevant on-disk artifacts and analyzing concurrent processes to identify the source of the attack. -action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -action.escu.data_models = ["Change"] -action.escu.eli5 = The following analytic detects potential instances that are created in a cloud computing environment using new or unknown image IDs that have not been seen before. This detection is important because it helps to investigate and take appropriate action to prevent further damage or unauthorized access to the Cloud environment, which can include data breaches, unauthorized access to sensitive information, or the deployment of malicious payloads within the cloud environment. False positives might occur since legitimate instances can also have previously unseen image IDs. Next steps include conducting an extensive triage and investigation to determine the nature of the activity. During triage, review the details of the created instances, including the user responsible for the creation, the image ID used, and any associated metadata. Additionally, consider inspecting any relevant on-disk artifacts and analyzing concurrent processes to identify the source of the attack. -action.escu.how_to_implement = You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Compute Images - Initial` to build the initial table of images observed and times. You must also enable the second baseline search `Previously Seen Cloud Compute Images - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `cloud_compute_instance_created_with_previously_unseen_image_filter` macro. -action.escu.known_false_positives = After a new image is created, the first systems created with that image will cause this alert to fire. Verify that the image being used was created by a legitimate user. -action.escu.creation_date = 2018-10-12 -action.escu.modification_date = 2018-10-12 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Cloud Compute Instance Created With Previously Unseen Image - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Cloud Cryptomining"] -action.risk = 1 -action.risk.param._risk_message = User $user$ is creating an instance $dest$ with an image that has not been previously seen. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 36}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 36}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Cloud Compute Instance Created With Previously Unseen Image - Rule -action.correlationsearch.annotations = {"analytic_story": ["Cloud Cryptomining"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "bc24922d-987c-4645-b288-f8c73ec194c4", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats count earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object_id) as dest from datamodel=Change where All_Changes.action=created by All_Changes.Instance_Changes.image_id, All_Changes.user | `drop_dm_object_name("All_Changes")` | `drop_dm_object_name("Instance_Changes")` | where image_id != "unknown" | lookup previously_seen_cloud_compute_images image_id as image_id OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenImage=min(firstTimeSeen) | where isnull(firstTimeSeenImage) OR firstTimeSeenImage > relative_time(now(), "-24h@h") | table firstTime, user, image_id, count, dest | `security_content_ctime(firstTime)` | `cloud_compute_instance_created_with_previously_unseen_image_filter` - -[ESCU - Cloud Compute Instance Created With Previously Unseen Instance Type - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic detects the creation of EC2 instances with previously unseen instance types. The detection is made by using a Splunk query to identify the EC2 instances. First, the query searches for changes in the EC2 instance creation action and filters for instances with instance types that are not recognized or previously seen. Next, the query uses the Splunk tstats command to gather the necessary information from the Change data model. Then, it filters the instances with unknown instance types and reviews previously seen instance types to determine if they are new or not. The detection is important because it identifies attackers attempting to create instances with unknown or potentially compromised instance types, which can be an attempt to gain unauthorized access to sensitive data, compromise of systems, exfiltrate data, potential disruption of services, or launch other malicious activities within the environment. False positives might occur since there might be legitimate reasons for creating instances with previously unseen instance types. Therefore, you must carefully review and triage all alerts. -action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -action.escu.data_models = ["Change"] -action.escu.eli5 = The following analytic detects the creation of EC2 instances with previously unseen instance types. The detection is made by using a Splunk query to identify the EC2 instances. First, the query searches for changes in the EC2 instance creation action and filters for instances with instance types that are not recognized or previously seen. Next, the query uses the Splunk tstats command to gather the necessary information from the Change data model. Then, it filters the instances with unknown instance types and reviews previously seen instance types to determine if they are new or not. The detection is important because it identifies attackers attempting to create instances with unknown or potentially compromised instance types, which can be an attempt to gain unauthorized access to sensitive data, compromise of systems, exfiltrate data, potential disruption of services, or launch other malicious activities within the environment. False positives might occur since there might be legitimate reasons for creating instances with previously unseen instance types. Therefore, you must carefully review and triage all alerts. -action.escu.how_to_implement = You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Compute Instance Types - Initial` to build the initial table of instance types observed and times. You must also enable the second baseline search `Previously Seen Cloud Compute Instance Types - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `cloud_compute_instance_created_with_previously_unseen_instance_type_filter` macro. -action.escu.known_false_positives = It is possible that an admin will create a new system using a new instance type that has never been used before. Verify with the creator that they intended to create the system with the new instance type. -action.escu.creation_date = 2020-09-12 -action.escu.modification_date = 2020-09-12 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Cloud Compute Instance Created With Previously Unseen Instance Type - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Cloud Cryptomining"] -action.risk = 1 -action.risk.param._risk_message = User $user$ is creating an instance $dest$ with an instance type $instance_type$ that has not been previously seen. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 30}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 30}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Cloud Compute Instance Created With Previously Unseen Instance Type - Rule -action.correlationsearch.annotations = {"analytic_story": ["Cloud Cryptomining"], "cis20": ["CIS 10"], "confidence": 60, "impact": 50, "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c6ddbf53-9715-49f3-bb4c-fb2e8a309cda", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object_id) as dest, count from datamodel=Change where All_Changes.action=created by All_Changes.Instance_Changes.instance_type, All_Changes.user | `drop_dm_object_name("All_Changes")` | `drop_dm_object_name("Instance_Changes")` | where instance_type != "unknown" | lookup previously_seen_cloud_compute_instance_types instance_type as instance_type OUTPUTNEW firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenInstanceType=min(firstTimeSeen) | where isnull(firstTimeSeenInstanceType) OR firstTimeSeenInstanceType > relative_time(now(), "-24h@h") | table firstTime, user, dest, count, instance_type | `security_content_ctime(firstTime)` | `cloud_compute_instance_created_with_previously_unseen_instance_type_filter` - -[ESCU - Cloud Instance Modified By Previously Unseen User - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies cloud instances being modified by users who have not previously modified them. It leverages data from the Change data model, focusing on successful modifications of EC2 instances. This activity is significant because it can indicate unauthorized or suspicious changes by potentially compromised or malicious users. If confirmed malicious, this could lead to unauthorized access, configuration changes, or potential disruption of cloud services, posing a significant risk to the organization's cloud infrastructure. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"]} -action.escu.data_models = ["Change"] -action.escu.eli5 = The following analytic identifies cloud instances being modified by users who have not previously modified them. It leverages data from the Change data model, focusing on successful modifications of EC2 instances. This activity is significant because it can indicate unauthorized or suspicious changes by potentially compromised or malicious users. If confirmed malicious, this could lead to unauthorized access, configuration changes, or potential disruption of cloud services, posing a significant risk to the organization's cloud infrastructure. -action.escu.how_to_implement = This search has a dependency on other searches to create and update a baseline of users observed to be associated with this activity. The search "Previously Seen Cloud Instance Modifications By User - Update" should be enabled for this detection to properly work. -action.escu.known_false_positives = It's possible that a new user will start to modify EC2 instances when they haven't before for any number of reasons. Verify with the user that is modifying instances that this is the intended behavior. -action.escu.creation_date = 2024-05-17 -action.escu.modification_date = 2024-05-17 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Cloud Instance Modified By Previously Unseen User - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Suspicious Cloud Instance Activities"] -action.risk = 1 -action.risk.param._risk_message = User $user$ is modifying an instance $object_id$ for the first time. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 42}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Cloud Instance Modified By Previously Unseen User - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious Cloud Instance Activities"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "7fb15084-b14e-405a-bd61-a6de15a40722", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object_id) as object_id values(All_Changes.command) as command from datamodel=Change where All_Changes.action=modified All_Changes.change_type=EC2 All_Changes.status=success by All_Changes.user | `drop_dm_object_name("All_Changes")` | lookup previously_seen_cloud_instance_modifications_by_user user as user OUTPUTNEW firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenUser=min(firstTimeSeen) | where isnull(firstTimeSeenUser) OR firstTimeSeenUser > relative_time(now(), "-24h@h") | table firstTime user command object_id count | `security_content_ctime(firstTime)` | `cloud_instance_modified_by_previously_unseen_user_filter` - -[ESCU - Cloud Provisioning Activity From Previously Unseen City - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects cloud provisioning activities originating from previously unseen cities. It leverages cloud infrastructure logs and compares the geographic location of the source IP address against a baseline of known locations. This activity is significant as it may indicate unauthorized access or misuse of cloud resources from an unexpected location. If confirmed malicious, this could lead to unauthorized resource creation, potential data exfiltration, or further compromise of cloud infrastructure. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} -action.escu.data_models = ["Change"] -action.escu.eli5 = The following analytic detects cloud provisioning activities originating from previously unseen cities. It leverages cloud infrastructure logs and compares the geographic location of the source IP address against a baseline of known locations. This activity is significant as it may indicate unauthorized access or misuse of cloud resources from an unexpected location. If confirmed malicious, this could lead to unauthorized resource creation, potential data exfiltration, or further compromise of cloud infrastructure. -action.escu.how_to_implement = You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Provisioning Activity Sources - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen Cloud Provisioning Activity Sources - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `previously_unseen_cloud_provisioning_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_provisioning_activity_from_previously_unseen_city_filter` macro. -action.escu.known_false_positives = This is a strictly behavioral search, so we define "false positive" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no "false positives" in a traditional sense, there is definitely lots of noise. \ -This search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you. -action.escu.creation_date = 2024-05-16 -action.escu.modification_date = 2024-05-16 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Cloud Provisioning Activity From Previously Unseen City - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Suspicious Cloud Provisioning Activities"] -action.risk = 1 -action.risk.param._risk_message = User $user$ is starting or creating an instance $object$ for the first time in City $City$ from IP address $src$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 18}, {"threat_object_field": "src", "threat_object_type": "ip_address"}, {"risk_object_field": "object", "risk_object_type": "system", "risk_score": 18}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Cloud Provisioning Activity From Previously Unseen City - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious Cloud Provisioning Activities"], "cis20": ["CIS 10"], "confidence": 60, "impact": 30, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e7ecc5e0-88df-48b9-91af-51104c68f02f", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Change where (All_Changes.action=started OR All_Changes.action=created) All_Changes.status=success by All_Changes.src, All_Changes.user, All_Changes.object, All_Changes.command | `drop_dm_object_name("All_Changes")` | iplocation src | where isnotnull(City) | lookup previously_seen_cloud_provisioning_activity_sources City as City OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenCity=min(firstTimeSeen) | where isnull(firstTimeSeenCity) OR firstTimeSeenCity > relative_time(now(), `previously_unseen_cloud_provisioning_activity_window`) | table firstTime, src, City, user, object, command | `cloud_provisioning_activity_from_previously_unseen_city_filter` | `security_content_ctime(firstTime)` - -[ESCU - Cloud Provisioning Activity From Previously Unseen Country - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects cloud provisioning activities originating from previously unseen countries. It leverages cloud infrastructure logs and compares the geographic location of the source IP address against a baseline of known locations. This activity is significant as it may indicate unauthorized access or potential compromise of cloud resources. If confirmed malicious, an attacker could gain control over cloud assets, leading to data breaches, service disruptions, or further infiltration into the network. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} -action.escu.data_models = ["Change"] -action.escu.eli5 = The following analytic detects cloud provisioning activities originating from previously unseen countries. It leverages cloud infrastructure logs and compares the geographic location of the source IP address against a baseline of known locations. This activity is significant as it may indicate unauthorized access or potential compromise of cloud resources. If confirmed malicious, an attacker could gain control over cloud assets, leading to data breaches, service disruptions, or further infiltration into the network. -action.escu.how_to_implement = You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Provisioning Activity Sources - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen Cloud Provisioning Activity Sources - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `previously_unseen_cloud_provisioning_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_provisioning_activity_from_previously_unseen_country_filter` macro. -action.escu.known_false_positives = This is a strictly behavioral search, so we define "false positive" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no "false positives" in a traditional sense, there is definitely lots of noise. \ -This search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you. -action.escu.creation_date = 2024-05-22 -action.escu.modification_date = 2024-05-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Cloud Provisioning Activity From Previously Unseen Country - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Suspicious Cloud Provisioning Activities"] -action.risk = 1 -action.risk.param._risk_message = User $user$ is starting or creating an instance $object$ for the first time in Country $Country$ from IP address $src$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 42}, {"threat_object_field": "src", "threat_object_type": "ip_address"}, {"risk_object_field": "object", "risk_object_type": "system", "risk_score": 42}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Cloud Provisioning Activity From Previously Unseen Country - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious Cloud Provisioning Activities"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "94994255-3acf-4213-9b3f-0494df03bb31", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Change where (All_Changes.action=started OR All_Changes.action=created) All_Changes.status=success by All_Changes.src, All_Changes.user, All_Changes.object, All_Changes.command | `drop_dm_object_name("All_Changes")` | iplocation src | where isnotnull(Country) | lookup previously_seen_cloud_provisioning_activity_sources Country as Country OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenCountry=min(firstTimeSeen) | where isnull(firstTimeSeenCountry) OR firstTimeSeenCountry > relative_time(now(), "-24h@h") | table firstTime, src, Country, user, object, command | `cloud_provisioning_activity_from_previously_unseen_country_filter` | `security_content_ctime(firstTime)` - -[ESCU - Cloud Provisioning Activity From Previously Unseen IP Address - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects cloud provisioning activities originating from previously unseen IP addresses. It leverages cloud infrastructure logs to identify events where resources are created or started, and cross-references these with a baseline of known IP addresses. This activity is significant as it may indicate unauthorized access or potential misuse of cloud resources. If confirmed malicious, an attacker could gain unauthorized control over cloud resources, leading to data breaches, service disruptions, or increased operational costs. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} -action.escu.data_models = ["Change"] -action.escu.eli5 = The following analytic detects cloud provisioning activities originating from previously unseen IP addresses. It leverages cloud infrastructure logs to identify events where resources are created or started, and cross-references these with a baseline of known IP addresses. This activity is significant as it may indicate unauthorized access or potential misuse of cloud resources. If confirmed malicious, an attacker could gain unauthorized control over cloud resources, leading to data breaches, service disruptions, or increased operational costs. -action.escu.how_to_implement = You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Provisioning Activity Sources - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen Cloud Provisioning Activity Sources - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `previously_unseen_cloud_provisioning_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_provisioning_activity_from_previously_unseen_ip_address_filter` macro. -action.escu.known_false_positives = This is a strictly behavioral search, so we define "false positive" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no "false positives" in a traditional sense, there is definitely lots of noise. \ -This search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you. -action.escu.creation_date = 2024-05-16 -action.escu.modification_date = 2024-05-16 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Cloud Provisioning Activity From Previously Unseen IP Address - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Suspicious Cloud Provisioning Activities"] -action.risk = 1 -action.risk.param._risk_message = User $user$ is starting or creating an instance $object_id$ for the first time from IP address $src$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 42}, {"threat_object_field": "src", "threat_object_type": "ip_address"}, {"risk_object_field": "object_id", "risk_object_type": "system", "risk_score": 42}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Cloud Provisioning Activity From Previously Unseen IP Address - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious Cloud Provisioning Activities"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "f86a8ec9-b042-45eb-92f4-e9ed1d781078", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats earliest(_time) as firstTime, latest(_time) as lastTime, values(All_Changes.object_id) as object_id from datamodel=Change where (All_Changes.action=started OR All_Changes.action=created) All_Changes.status=success by All_Changes.src, All_Changes.user, All_Changes.command | `drop_dm_object_name("All_Changes")` | lookup previously_seen_cloud_provisioning_activity_sources src as src OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenSrc=min(firstTimeSeen) | where isnull(firstTimeSeenSrc) OR firstTimeSeenSrc > relative_time(now(), `previously_unseen_cloud_provisioning_activity_window`) | table firstTime, src, user, object_id, command | `cloud_provisioning_activity_from_previously_unseen_ip_address_filter` | `security_content_ctime(firstTime)` - -[ESCU - Cloud Provisioning Activity From Previously Unseen Region - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects cloud provisioning activities originating from previously unseen regions. It leverages cloud infrastructure logs to identify events where resources are started or created, and cross-references these with a baseline of known regions. This activity is significant as it may indicate unauthorized access or misuse of cloud resources from unfamiliar locations. If confirmed malicious, this could lead to unauthorized resource creation, potential data exfiltration, or further compromise of cloud infrastructure. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} -action.escu.data_models = ["Change"] -action.escu.eli5 = The following analytic detects cloud provisioning activities originating from previously unseen regions. It leverages cloud infrastructure logs to identify events where resources are started or created, and cross-references these with a baseline of known regions. This activity is significant as it may indicate unauthorized access or misuse of cloud resources from unfamiliar locations. If confirmed malicious, this could lead to unauthorized resource creation, potential data exfiltration, or further compromise of cloud infrastructure. -action.escu.how_to_implement = You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Provisioning Activity Sources - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen Cloud Provisioning Activity Sources - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `previously_unseen_cloud_provisioning_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_provisioning_activity_from_previously_unseen_region_filter` macro. -action.escu.known_false_positives = This is a strictly behavioral search, so we define "false positive" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no "false positives" in a traditional sense, there is definitely lots of noise. \ -This search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you. -action.escu.creation_date = 2024-05-17 -action.escu.modification_date = 2024-05-17 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Cloud Provisioning Activity From Previously Unseen Region - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Suspicious Cloud Provisioning Activities"] -action.risk = 1 -action.risk.param._risk_message = User $user$ is starting or creating an instance $object$ for the first time in region $Region$ from IP address $src$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 42}, {"threat_object_field": "src", "threat_object_type": "ip_address"}, {"risk_object_field": "object", "risk_object_type": "system", "risk_score": 42}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Cloud Provisioning Activity From Previously Unseen Region - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious Cloud Provisioning Activities"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "5aba1860-9617-4af9-b19d-aecac16fe4f2", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Change where (All_Changes.action=started OR All_Changes.action=created) All_Changes.status=success by All_Changes.src, All_Changes.user, All_Changes.object, All_Changes.command | `drop_dm_object_name("All_Changes")` | iplocation src | where isnotnull(Region) | lookup previously_seen_cloud_provisioning_activity_sources Region as Region OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenRegion=min(firstTimeSeen) | where isnull(firstTimeSeenRegion) OR firstTimeSeenRegion > relative_time(now(), `previously_unseen_cloud_provisioning_activity_window`) | table firstTime, src, Region, user, object, command | `cloud_provisioning_activity_from_previously_unseen_region_filter` | `security_content_ctime(firstTime)` - -[ESCU - Cloud Security Groups Modifications by User - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies users who are unsually modifying security group in your cloud enriovnment,focusing on actions such as modifications, deletions, or creations performed by users over 30-minute intervals. Analyzing patterns of modifications to security groups can help in identifying anomalous behavior that may indicate a compromised account or an insider threat. \ -The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of users. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises. \ -This detection will only trigger on all user and service accounts that have created/modified/deleted a security group . \ -The analytics returned fields allow analysts to investigate the event further by providing fields like source ip and values of the security objects affected. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1578.005"], "nist": ["DE.AE"]} -action.escu.data_models = ["Change"] -action.escu.eli5 = The following analytic identifies users who are unsually modifying security group in your cloud enriovnment,focusing on actions such as modifications, deletions, or creations performed by users over 30-minute intervals. Analyzing patterns of modifications to security groups can help in identifying anomalous behavior that may indicate a compromised account or an insider threat. \ -The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of users. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises. \ -This detection will only trigger on all user and service accounts that have created/modified/deleted a security group . \ -The analytics returned fields allow analysts to investigate the event further by providing fields like source ip and values of the security objects affected. -action.escu.how_to_implement = This search requries the Cloud infrastructure logs such as AWS Cloudtrail, GCP Pubsub Message logs, Azure Audit logs to be ingested into an accelerated Change datamodel. It is also recommended that users can try different combinations of the `bucket` span time and outlier conditions to better suit with their environment. -action.escu.known_false_positives = It is possible that legitimate user/admin may modify a number of security groups -action.escu.creation_date = 2024-02-21 -action.escu.modification_date = 2024-02-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Cloud Security Groups Modifications by User - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Suspicious Cloud User Activities"] -action.risk = 1 -action.risk.param._risk_message = Unsual number cloud security group modifications detected by user - $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 35}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Cloud Security Groups Modifications by User - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious Cloud User Activities"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1578.005"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "cfe7cca7-2746-4bdf-b712-b01ed819b9de", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats dc(All_Changes.object) as unique_security_groups values(All_Changes.src) as src values(All_Changes.user_type) as user_type values(All_Changes.object_category) as object_category values(All_Changes.object) as objects values(All_Changes.action) as action values(All_Changes.user_agent) as user_agent values(All_Changes.command) as command from datamodel=Change WHERE All_Changes.object_category = "security_group" (All_Changes.action = modified OR All_Changes.action = deleted OR All_Changes.action = created) by All_Changes.user _time span=30m | `drop_dm_object_name("All_Changes")` | eventstats avg(unique_security_groups) as avg_changes , stdev(unique_security_groups) as std_changes by user | eval upperBound=(avg_changes+std_changes*3) | eval isOutlier=if(unique_security_groups > 2 and unique_security_groups >= upperBound, 1, 0) | where isOutlier=1| `cloud_security_groups_modifications_by_user_filter` - -[ESCU - Detect AWS Console Login by New User - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search looks for AWS CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert is fired if the user has logged into the console for the first time within the last hour -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1552"], "nist": ["DE.AE"]} -action.escu.data_models = ["Authentication"] -action.escu.eli5 = This search looks for AWS CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert is fired if the user has logged into the console for the first time within the last hour -action.escu.how_to_implement = You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the `Previously Seen Users in CloudTrail - Initial` support search only once to create a baseline of previously seen IAM users within the last 30 days. Run `Previously Seen Users in CloudTrail - Update` hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines. -action.escu.known_false_positives = When a legitimate new user logins for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate. -action.escu.creation_date = 2022-05-10 -action.escu.modification_date = 2022-05-10 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect AWS Console Login by New User - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["AWS Identity and Access Management Account Takeover", "Suspicious Cloud Authentication Activities"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Detect AWS Console Login by New User - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Identity and Access Management Account Takeover", "Suspicious Cloud Authentication Activities"], "cis20": ["CIS 10"], "confidence": 60, "impact": 50, "kill_chain_phases": ["Exploitation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1552"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "bc91a8cd-35e7-4bb2-6140-e756cc46fd71", "detection_version": "3"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user | `drop_dm_object_name(Authentication)` | join user type=outer [ | inputlookup previously_seen_users_console_logins | stats min(firstTime) as earliestseen by user] | eval userStatus=if(earliestseen >= relative_time(now(), "-24h@h") OR isnull(earliestseen), "First Time Logging into AWS Console", "Previously Seen User") | where userStatus="First Time Logging into AWS Console" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_aws_console_login_by_new_user_filter` - -[ESCU - Detect AWS Console Login by User from New City - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search looks for AWS CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert is fired if the user has logged into the console for the first time within the last hour -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1535"], "nist": ["DE.AE"]} -action.escu.data_models = ["Authentication"] -action.escu.eli5 = This search looks for AWS CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert is fired if the user has logged into the console for the first time within the last hour -action.escu.how_to_implement = You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the `Previously Seen Users in AWS CloudTrail - Initial` support search only once to create a baseline of previously seen IAM users within the last 30 days. Run `Previously Seen Users in AWS CloudTrail - Update` hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines. You can also provide additional filtering for this search by customizing the `detect_aws_console_login_by_user_from_new_city_filter` macro. -action.escu.known_false_positives = When a legitimate new user logins for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate. -action.escu.creation_date = 2022-08-25 -action.escu.modification_date = 2022-08-25 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect AWS Console Login by User from New City - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["AWS Identity and Access Management Account Takeover", "Compromised User Account", "Suspicious AWS Login Activities", "Suspicious Cloud Authentication Activities"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Detect AWS Console Login by User from New City - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Identity and Access Management Account Takeover", "Compromised User Account", "Suspicious AWS Login Activities", "Suspicious Cloud Authentication Activities"], "cis20": ["CIS 10"], "confidence": 60, "impact": 30, "kill_chain_phases": ["Exploitation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1535"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "121b0b11-f8ac-4ed6-a132-3800ca4fc07a", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src | iplocation Authentication.src | `drop_dm_object_name(Authentication)` | rename City as justSeenCity | table firstTime lastTime user justSeenCity | join user type=outer [| inputlookup previously_seen_users_console_logins | rename City as previouslySeenCity | stats min(firstTime) AS earliestseen by user previouslySeenCity | fields earliestseen user previouslySeenCity] | eval userCity=if(firstTime >= relative_time(now(), "-24h@h"), "New City","Previously Seen City") | where userCity = "New City" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table firstTime lastTime user previouslySeenCity justSeenCity userCity | `detect_aws_console_login_by_user_from_new_city_filter` - -[ESCU - Detect AWS Console Login by User from New Country - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search looks for AWS CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert is fired if the user has logged into the console for the first time within the last hour -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1535"], "nist": ["DE.AE"]} -action.escu.data_models = ["Authentication"] -action.escu.eli5 = This search looks for AWS CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert is fired if the user has logged into the console for the first time within the last hour -action.escu.how_to_implement = You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the `Previously Seen Users in AWS CloudTrail - Initial` support search only once to create a baseline of previously seen IAM users within the last 30 days. Run `Previously Seen Users in AWS CloudTrail - Update` hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines. You can also provide additional filtering for this search by customizing the `detect_aws_console_login_by_user_from_new_country_filter` macro. -action.escu.known_false_positives = When a legitimate new user logins for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate. -action.escu.creation_date = 2022-08-25 -action.escu.modification_date = 2022-08-25 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect AWS Console Login by User from New Country - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["AWS Identity and Access Management Account Takeover", "Compromised User Account", "Suspicious AWS Login Activities", "Suspicious Cloud Authentication Activities"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Detect AWS Console Login by User from New Country - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Identity and Access Management Account Takeover", "Compromised User Account", "Suspicious AWS Login Activities", "Suspicious Cloud Authentication Activities"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1535"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "67bd3def-c41c-4bf6-837b-ae196b4257c6", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src | iplocation Authentication.src | `drop_dm_object_name(Authentication)` | rename Country as justSeenCountry | table firstTime lastTime user justSeenCountry | join user type=outer [| inputlookup previously_seen_users_console_logins | rename Country as previouslySeenCountry | stats min(firstTime) AS earliestseen by user previouslySeenCountry | fields earliestseen user previouslySeenCountry] | eval userCountry=if(firstTime >= relative_time(now(), "-24h@h"), "New Country","Previously Seen Country") | where userCountry = "New Country" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table firstTime lastTime user previouslySeenCountry justSeenCountry userCountry | `detect_aws_console_login_by_user_from_new_country_filter` - -[ESCU - Detect AWS Console Login by User from New Region - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search looks for AWS CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert is fired if the user has logged into the console for the first time within the last hour -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1535"], "nist": ["DE.AE"]} -action.escu.data_models = ["Authentication"] -action.escu.eli5 = This search looks for AWS CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert is fired if the user has logged into the console for the first time within the last hour -action.escu.how_to_implement = You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the `Previously Seen Users in AWS CloudTrail - Initial` support search only once to create a baseline of previously seen IAM users within the last 30 days. Run `Previously Seen Users in AWS CloudTrail - Update` hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines. You can also provide additional filtering for this search by customizing the `detect_aws_console_login_by_user_from_new_region_filter` macro. -action.escu.known_false_positives = When a legitimate new user logins for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate. -action.escu.creation_date = 2022-08-25 -action.escu.modification_date = 2022-08-25 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect AWS Console Login by User from New Region - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["AWS Identity and Access Management Account Takeover", "Compromised User Account", "Suspicious AWS Login Activities", "Suspicious Cloud Authentication Activities"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Detect AWS Console Login by User from New Region - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Identity and Access Management Account Takeover", "Compromised User Account", "Suspicious AWS Login Activities", "Suspicious Cloud Authentication Activities"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1535"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "9f31aa8e-e37c-46bc-bce1-8b3be646d026", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src | iplocation Authentication.src | `drop_dm_object_name(Authentication)` | rename Region as justSeenRegion | table firstTime lastTime user justSeenRegion | join user type=outer [| inputlookup previously_seen_users_console_logins | rename Region as previouslySeenRegion | stats min(firstTime) AS earliestseen by user previouslySeenRegion | fields earliestseen user previouslySeenRegion] | eval userRegion=if(firstTime >= relative_time(now(), "-24h@h"), "New Region","Previously Seen Region") | where userRegion= "New Region" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table firstTime lastTime user previouslySeenRegion justSeenRegion userRegion | `detect_aws_console_login_by_user_from_new_region_filter` - -[ESCU - Detect GCP Storage access from a new IP - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies access to GCP Storage buckets from new or previously unseen remote IP addresses. It leverages GCP Storage bucket-access logs ingested via Cloud Pub/Sub and compares current access events against a lookup table of previously seen IP addresses. This activity is significant as it may indicate unauthorized access or potential reconnaissance by an attacker. If confirmed malicious, this could lead to data exfiltration, unauthorized data manipulation, or further compromise of the GCP environment. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1530"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies access to GCP Storage buckets from new or previously unseen remote IP addresses. It leverages GCP Storage bucket-access logs ingested via Cloud Pub/Sub and compares current access events against a lookup table of previously seen IP addresses. This activity is significant as it may indicate unauthorized access or potential reconnaissance by an attacker. If confirmed malicious, this could lead to data exfiltration, unauthorized data manipulation, or further compromise of the GCP environment. -action.escu.how_to_implement = This search relies on the Splunk Add-on for Google Cloud Platform, setting up a Cloud Pub/Sub input, along with the relevant GCP PubSub topics and logging sink to capture GCP Storage Bucket events (https://cloud.google.com/logging/docs/routing/overview). In order to capture public GCP Storage Bucket access logs, you must also enable storage bucket logging to your PubSub Topic as per https://cloud.google.com/storage/docs/access-logs. These logs are deposited into the nominated Storage Bucket on an hourly basis and typically show up by 15 minutes past the hour. It is recommended to configure any saved searches or correlation searches in Enterprise Security to run on an hourly basis at 30 minutes past the hour (cron definition of 30 * * * *). A lookup table (previously_seen_gcp_storage_access_from_remote_ip.csv) stores the previously seen access requests, and is used by this search to determine any newly seen IP addresses accessing the Storage Buckets. -action.escu.known_false_positives = GCP Storage buckets can be accessed from any IP (if the ACLs are open to allow it), as long as it can make a successful connection. This will be a false postive, since the search is looking for a new IP within the past two hours. -action.escu.creation_date = 2024-05-14 -action.escu.modification_date = 2024-05-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect GCP Storage access from a new IP - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Google Cloud Platform", "Google Workspace"] -action.escu.analytic_story = ["Suspicious GCP Storage Activities"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"threat_object_field": "remote_ip", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Detect GCP Storage access from a new IP - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious GCP Storage Activities"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1530"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "ccc3246a-daa1-11ea-87d0-0242ac130022", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `google_gcp_pubsub_message` | multikv | rename sc_status_ as status | rename cs_object_ as bucket_name | rename c_ip_ as remote_ip | rename cs_uri_ as request_uri | rename cs_method_ as operation | search status="\"200\"" | stats earliest(_time) as firstTime latest(_time) as lastTime by bucket_name remote_ip operation request_uri | table firstTime, lastTime, bucket_name, remote_ip, operation, request_uri | inputlookup append=t previously_seen_gcp_storage_access_from_remote_ip | stats min(firstTime) as firstTime, max(lastTime) as lastTime by bucket_name remote_ip operation request_uri | outputlookup previously_seen_gcp_storage_access_from_remote_ip | eval newIP=if(firstTime >= relative_time(now(),"-70m@m"), 1, 0) | where newIP=1 | eval first_time=strftime(firstTime,"%m/%d/%y %H:%M:%S") | eval last_time=strftime(lastTime,"%m/%d/%y %H:%M:%S") | table first_time last_time bucket_name remote_ip operation request_uri | `detect_gcp_storage_access_from_a_new_ip_filter` - -[ESCU - Detect New Open GCP Storage Buckets - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies the creation of new open/public GCP Storage buckets. It leverages GCP PubSub events, specifically monitoring for the `storage.setIamPermissions` method and checks if the `allUsers` member is added. This activity is significant because open storage buckets can expose sensitive data to the public, posing a severe security risk. If confirmed malicious, an attacker could access, modify, or delete data within the bucket, leading to data breaches and potential compliance violations. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1530"], "nist": ["DE.CM"]} -action.escu.data_models = ["Email"] -action.escu.eli5 = The following analytic identifies the creation of new open/public GCP Storage buckets. It leverages GCP PubSub events, specifically monitoring for the `storage.setIamPermissions` method and checks if the `allUsers` member is added. This activity is significant because open storage buckets can expose sensitive data to the public, posing a severe security risk. If confirmed malicious, an attacker could access, modify, or delete data within the bucket, leading to data breaches and potential compliance violations. -action.escu.how_to_implement = This search relies on the Splunk Add-on for Google Cloud Platform, setting up a Cloud Pub/Sub input, along with the relevant GCP PubSub topics and logging sink to capture GCP Storage Bucket events (https://cloud.google.com/logging/docs/routing/overview). -action.escu.known_false_positives = While this search has no known false positives, it is possible that a GCP admin has legitimately created a public bucket for a specific purpose. That said, GCP strongly advises against granting full control to the "allUsers" group. -action.escu.creation_date = 2024-05-17 -action.escu.modification_date = 2024-05-17 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect New Open GCP Storage Buckets - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Google Cloud Platform", "Google Workspace"] -action.escu.analytic_story = ["Suspicious GCP Storage Activities"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Detect New Open GCP Storage Buckets - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious GCP Storage Activities"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1530"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "f6ea3466-d6bb-11ea-87d0-0242ac130003", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the creation of new open/public GCP Storage buckets. It leverages GCP PubSub events, specifically monitoring for the `storage.setIamPermissions` method and checks if the `allUsers` member is added. This activity is significant because open storage buckets can expose sensitive data to the public, posing a severe security risk. If confirmed malicious, an attacker could access, modify, or delete data within the bucket, leading to data breaches and potential compliance violations. -action.notable.param.rule_title = Detect New Open GCP Storage Buckets -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `google_gcp_pubsub_message` data.resource.type=gcs_bucket data.protoPayload.methodName=storage.setIamPermissions | spath output=action path=data.protoPayload.serviceData.policyDelta.bindingDeltas{}.action | spath output=user path=data.protoPayload.authenticationInfo.principalEmail | spath output=location path=data.protoPayload.resourceLocation.currentLocations{} | spath output=src path=data.protoPayload.requestMetadata.callerIp | spath output=bucketName path=data.protoPayload.resourceName | spath output=role path=data.protoPayload.serviceData.policyDelta.bindingDeltas{}.role | spath output=member path=data.protoPayload.serviceData.policyDelta.bindingDeltas{}.member | search (member=allUsers AND action=ADD) | table _time, bucketName, src, user, location, action, role, member | search `detect_new_open_gcp_storage_buckets_filter` - -[ESCU - Detect New Open S3 buckets - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the creation of open/public S3 buckets in AWS. It detects this activity by analyzing AWS CloudTrail events for `PutBucketAcl` actions where the access control list (ACL) grants permissions to all users or authenticated users. This activity is significant because open S3 buckets can expose sensitive data to unauthorized access, leading to data breaches. If confirmed malicious, an attacker could read, write, or fully control the contents of the bucket, potentially leading to data exfiltration or tampering. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1530"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies the creation of open/public S3 buckets in AWS. It detects this activity by analyzing AWS CloudTrail events for `PutBucketAcl` actions where the access control list (ACL) grants permissions to all users or authenticated users. This activity is significant because open S3 buckets can expose sensitive data to unauthorized access, leading to data breaches. If confirmed malicious, an attacker could read, write, or fully control the contents of the bucket, potentially leading to data exfiltration or tampering. -action.escu.how_to_implement = You must install the AWS App for Splunk. -action.escu.known_false_positives = While this search has no known false positives, it is possible that an AWS admin has legitimately created a public bucket for a specific purpose. That said, AWS strongly advises against granting full control to the "All Users" group. -action.escu.creation_date = 2024-05-19 -action.escu.modification_date = 2024-05-19 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect New Open S3 buckets - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["Suspicious AWS S3 Activities"] -action.risk = 1 -action.risk.param._risk_message = User $user_arn$ has created an open/public bucket $bucketName$ with the following permissions $permission$ -action.risk.param._risk = [{"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 48}, {"risk_object_field": "bucketName", "risk_object_type": "other", "risk_score": 48}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Detect New Open S3 buckets - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious AWS S3 Activities"], "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1530"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "2a9b80d3-6340-4345-b5ad-290bf3d0dac4", "detection_version": "4"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the creation of open/public S3 buckets in AWS. It detects this activity by analyzing AWS CloudTrail events for `PutBucketAcl` actions where the access control list (ACL) grants permissions to all users or authenticated users. This activity is significant because open S3 buckets can expose sensitive data to unauthorized access, leading to data breaches. If confirmed malicious, an attacker could read, write, or fully control the contents of the bucket, potentially leading to data exfiltration or tampering. -action.notable.param.rule_title = Detect New Open S3 buckets -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl | rex field=_raw "(?{.+})" | spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{} | search grantees=* | mvexpand grantees | spath input=grantees output=uri path=Grantee.URI | spath input=grantees output=permission path=Permission | search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers") | search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL") | rename requestParameters.bucketName AS bucketName | stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_new_open_s3_buckets_filter` - -[ESCU - Detect New Open S3 Buckets over AWS CLI - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the creation of open/public S3 buckets via the AWS CLI. It leverages AWS CloudTrail logs to identify events where a user has set bucket permissions to allow access to "AuthenticatedUsers" or "AllUsers." This activity is significant because open S3 buckets can expose sensitive data to unauthorized users, leading to data breaches. If confirmed malicious, an attacker could gain unauthorized access to potentially sensitive information stored in the S3 bucket, posing a significant security risk. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1530"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects the creation of open/public S3 buckets via the AWS CLI. It leverages AWS CloudTrail logs to identify events where a user has set bucket permissions to allow access to "AuthenticatedUsers" or "AllUsers." This activity is significant because open S3 buckets can expose sensitive data to unauthorized users, leading to data breaches. If confirmed malicious, an attacker could gain unauthorized access to potentially sensitive information stored in the S3 bucket, posing a significant security risk. -action.escu.how_to_implement = The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS Cloudtrail logs. -action.escu.known_false_positives = While this search has no known false positives, it is possible that an AWS admin has legitimately created a public bucket for a specific purpose. That said, AWS strongly advises against granting full control to the "All Users" group. -action.escu.creation_date = 2024-05-19 -action.escu.modification_date = 2024-05-19 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect New Open S3 Buckets over AWS CLI - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["Suspicious AWS S3 Activities"] -action.risk = 1 -action.risk.param._risk_message = User $userIdentity.userName$ has created an open/public bucket $bucketName$ using AWS CLI with the following permissions - $requestParameters.accessControlList.x-amz-grant-read$ $requestParameters.accessControlList.x-amz-grant-read-acp$ $requestParameters.accessControlList.x-amz-grant-write$ $requestParameters.accessControlList.x-amz-grant-write-acp$ $requestParameters.accessControlList.x-amz-grant-full-control$ -action.risk.param._risk = [{"risk_object_field": "userIdentity.userName", "risk_object_type": "user", "risk_score": 48}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Detect New Open S3 Buckets over AWS CLI - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious AWS S3 Activities"], "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1530"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "39c61d09-8b30-4154-922b-2d0a694ecc22", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the creation of open/public S3 buckets via the AWS CLI. It leverages AWS CloudTrail logs to identify events where a user has set bucket permissions to allow access to "AuthenticatedUsers" or "AllUsers." This activity is significant because open S3 buckets can expose sensitive data to unauthorized users, leading to data breaches. If confirmed malicious, an attacker could gain unauthorized access to potentially sensitive information stored in the S3 bucket, posing a significant security risk. -action.notable.param.rule_title = Detect New Open S3 Buckets over AWS CLI -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers") | rename requestParameters.bucketName AS bucketName | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_new_open_s3_buckets_over_aws_cli_filter` - -[ESCU - Detect S3 access from a new IP - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies access to an S3 bucket from a new or previously unseen remote IP address. It leverages S3 bucket-access logs, specifically focusing on successful access events (http_status=200). This activity is significant because access from unfamiliar IP addresses could indicate unauthorized access or potential data exfiltration attempts. If confirmed malicious, this activity could lead to unauthorized data access, data theft, or further exploitation of the compromised S3 bucket, posing a significant risk to sensitive information stored within the bucket. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1530"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies access to an S3 bucket from a new or previously unseen remote IP address. It leverages S3 bucket-access logs, specifically focusing on successful access events (http_status=200). This activity is significant because access from unfamiliar IP addresses could indicate unauthorized access or potential data exfiltration attempts. If confirmed malicious, this activity could lead to unauthorized data access, data theft, or further exploitation of the compromised S3 bucket, posing a significant risk to sensitive information stored within the bucket. -action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your S3 access logs' inputs. This search works best when you run the "Previously Seen S3 Bucket Access by Remote IP" support search once to create a history of previously seen remote IPs and bucket names. -action.escu.known_false_positives = S3 buckets can be accessed from any IP, as long as it can make a successful connection. This will be a false postive, since the search is looking for a new IP within the past hour -action.escu.creation_date = 2024-05-19 -action.escu.modification_date = 2024-05-19 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect S3 access from a new IP - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Suspicious AWS S3 Activities"] -action.risk = 1 -action.risk.param._risk_message = New S3 access from a new IP - $src_ip$ -action.risk.param._risk = [{"risk_object_field": "bucketName", "risk_object_type": "other", "risk_score": 25}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Detect S3 access from a new IP - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious AWS S3 Activities"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1530"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e6f1bb1b-f441-492b-9126-902acda217da", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `aws_s3_accesslogs` http_status=200 [search `aws_s3_accesslogs` http_status=200 | stats earliest(_time) as firstTime latest(_time) as lastTime by bucket_name remote_ip | inputlookup append=t previously_seen_S3_access_from_remote_ip | stats min(firstTime) as firstTime, max(lastTime) as lastTime by bucket_name remote_ip | outputlookup previously_seen_S3_access_from_remote_ip| eval newIP=if(firstTime >= relative_time(now(), "-70m@m"), 1, 0) | where newIP=1 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | table bucket_name remote_ip]| iplocation remote_ip |rename remote_ip as src_ip | table _time bucket_name src_ip City Country operation request_uri | `detect_s3_access_from_a_new_ip_filter` - -[ESCU - Detect Spike in AWS Security Hub Alerts for EC2 Instance - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a spike in the number of AWS Security Hub alerts for an EC2 instance within a 4-hour interval. It leverages AWS Security Hub findings data, calculating the average and standard deviation of alerts to detect anomalies. This activity is significant for a SOC as a sudden increase in alerts may indicate potential security incidents or misconfigurations requiring immediate attention. If confirmed malicious, this could signify an ongoing attack, leading to unauthorized access, data exfiltration, or disruption of services on the affected EC2 instance. -action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies a spike in the number of AWS Security Hub alerts for an EC2 instance within a 4-hour interval. It leverages AWS Security Hub findings data, calculating the average and standard deviation of alerts to detect anomalies. This activity is significant for a SOC as a sudden increase in alerts may indicate potential security incidents or misconfigurations requiring immediate attention. If confirmed malicious, this could signify an ongoing attack, leading to unauthorized access, data exfiltration, or disruption of services on the affected EC2 instance. -action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your Security Hub inputs. The threshold_value should be tuned to your environment and schedule these searches according to the bucket span interval. -action.escu.known_false_positives = None -action.escu.creation_date = 2024-05-19 -action.escu.modification_date = 2024-05-19 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect Spike in AWS Security Hub Alerts for EC2 Instance - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["AWS Security Hub Alerts"] -action.risk = 1 -action.risk.param._risk_message = Spike in AWS security Hub alerts with title $Title$ for EC2 instance $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 15}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Detect Spike in AWS Security Hub Alerts for EC2 Instance - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Security Hub Alerts"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "2a9b80d3-6340-4345-b5ad-290bf5d0d222", "detection_version": "4"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `aws_securityhub_finding` "Resources{}.Type"=AWSEC2Instance | bucket span=4h _time | stats count AS alerts values(Title) as Title values(Types{}) as Types values(vendor_account) as vendor_account values(vendor_region) as vendor_region values(severity) as severity by _time dest | eventstats avg(alerts) as total_alerts_avg, stdev(alerts) as total_alerts_stdev | eval threshold_value = 3 | eval isOutlier=if(alerts > total_alerts_avg+(total_alerts_stdev * threshold_value), 1, 0) | search isOutlier=1 | table _time dest alerts Title Types vendor_account vendor_region severity isOutlier total_alerts_avg | `detect_spike_in_aws_security_hub_alerts_for_ec2_instance_filter` - -[ESCU - Detect Spike in AWS Security Hub Alerts for User - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies a spike in the number of AWS Security Hub alerts for an AWS IAM User within a 4-hour interval. It leverages AWS Security Hub findings data, calculating the average and standard deviation of alerts to detect significant deviations. This activity is significant as a sudden increase in alerts for a specific user may indicate suspicious behavior or a potential security incident. If confirmed malicious, this could signify an ongoing attack, unauthorized access, or misuse of IAM credentials, potentially leading to data breaches or further exploitation. -action.escu.mappings = {"cis20": ["CIS 13"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies a spike in the number of AWS Security Hub alerts for an AWS IAM User within a 4-hour interval. It leverages AWS Security Hub findings data, calculating the average and standard deviation of alerts to detect significant deviations. This activity is significant as a sudden increase in alerts for a specific user may indicate suspicious behavior or a potential security incident. If confirmed malicious, this could signify an ongoing attack, unauthorized access, or misuse of IAM credentials, potentially leading to data breaches or further exploitation. -action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your Security Hub inputs. The threshold_value should be tuned to your environment and schedule these searches according to the bucket span interval. -action.escu.known_false_positives = None -action.escu.creation_date = 2024-05-18 -action.escu.modification_date = 2024-05-18 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect Spike in AWS Security Hub Alerts for User - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["AWS Security Hub Alerts"] -action.risk = 1 -action.risk.param._risk_message = Spike in AWS Security Hub alerts for user - $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Detect Spike in AWS Security Hub Alerts for User - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Security Hub Alerts"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "2a9b80d3-6220-4345-b5ad-290bf5d0d222", "detection_version": "4"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `aws_securityhub_finding` "findings{}.Resources{}.Type"= AwsIamUser | rename findings{}.Resources{}.Id as user | bucket span=4h _time | stats count AS alerts by _time user | eventstats avg(alerts) as total_launched_avg, stdev(alerts) as total_launched_stdev | eval threshold_value = 2 | eval isOutlier=if(alerts > total_launched_avg+(total_launched_stdev * threshold_value), 1, 0) | search isOutlier=1 | table _time user alerts |`detect_spike_in_aws_security_hub_alerts_for_user_filter` - -[ESCU - Detect Spike in blocked Outbound Traffic from your AWS - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies spikes in blocked outbound network connections originating from within your AWS environment. It leverages VPC Flow Logs data from CloudWatch, focusing on blocked actions from internal IP ranges to external destinations. This detection is significant as it can indicate potential exfiltration attempts or misconfigurations leading to data leakage. If confirmed malicious, such activity could allow attackers to bypass network defenses, leading to unauthorized data transfer or communication with malicious external entities. -action.escu.mappings = {"cis20": ["CIS 13"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies spikes in blocked outbound network connections originating from within your AWS environment. It leverages VPC Flow Logs data from CloudWatch, focusing on blocked actions from internal IP ranges to external destinations. This detection is significant as it can indicate potential exfiltration attempts or misconfigurations leading to data leakage. If confirmed malicious, such activity could allow attackers to bypass network defenses, leading to unauthorized data transfer or communication with malicious external entities. -action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your VPC Flow logs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the number of data points required to meet the definition of "spike." The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike. This search works best when you run the "Baseline of Blocked Outbound Connection" support search once to create a history of previously seen blocked outbound connections. -action.escu.known_false_positives = The false-positive rate may vary based on the values of`dataPointThreshold` and `deviationThreshold`. Additionally, false positives may result when AWS administrators roll out policies enforcing network blocks, causing sudden increases in the number of blocked outbound connections. -action.escu.creation_date = 2024-05-12 -action.escu.modification_date = 2024-05-12 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect Spike in blocked Outbound Traffic from your AWS - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["AWS Network ACL Activity", "Command And Control", "Suspicious AWS Traffic"] -action.risk = 1 -action.risk.param._risk_message = Blocked outbound traffic from your AWS -action.risk.param._risk = [{"risk_object_field": "resourceId", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Detect Spike in blocked Outbound Traffic from your AWS - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Network ACL Activity", "Command And Control", "Suspicious AWS Traffic"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "d3fffa37-492f-487b-a35d-c60fcb2acf01", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudwatchlogs_vpcflow` action=blocked (src_ip=10.0.0.0/8 OR src_ip=172.16.0.0/12 OR src_ip=192.168.0.0/16) ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16) [search `cloudwatchlogs_vpcflow` action=blocked (src_ip=10.0.0.0/8 OR src_ip=172.16.0.0/12 OR src_ip=192.168.0.0/16) ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16) | stats count as numberOfBlockedConnections by src_ip | inputlookup baseline_blocked_outbound_connections append=t | fields - latestCount | stats values(*) as * by src_ip | rename numberOfBlockedConnections as latestCount | eval newAvgBlockedConnections=avgBlockedConnections + (latestCount-avgBlockedConnections)/720 | eval newStdevBlockedConnections=sqrt(((pow(stdevBlockedConnections, 2)*719 + (latestCount-newAvgBlockedConnections)*(latestCount-avgBlockedConnections))/720)) | eval avgBlockedConnections=coalesce(newAvgBlockedConnections, avgBlockedConnections), stdevBlockedConnections=coalesce(newStdevBlockedConnections, stdevBlockedConnections), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table src_ip, latestCount, numDataPoints, avgBlockedConnections, stdevBlockedConnections | outputlookup baseline_blocked_outbound_connections | eval dataPointThreshold = 5, deviationThreshold = 3 | eval isSpike=if((latestCount > avgBlockedConnections+deviationThreshold*stdevBlockedConnections) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | table src_ip] | stats values(dest_ip) as dest_ip, values(interface_id) as "resourceId" count as numberOfBlockedConnections, dc(dest_ip) as uniqueDestConnections by src_ip | `detect_spike_in_blocked_outbound_traffic_from_your_aws_filter` - -[ESCU - Detect Spike in S3 Bucket deletion - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies a spike in API activity related to the deletion of S3 buckets in your AWS environment. It leverages AWS CloudTrail logs to detect anomalies by comparing current deletion activity against a historical baseline. This activity is significant as unusual spikes in S3 bucket deletions could indicate malicious actions such as data exfiltration or unauthorized data destruction. If confirmed malicious, this could lead to significant data loss, disruption of services, and potential exposure of sensitive information. Immediate investigation is required to determine the legitimacy of the activity. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1530"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies a spike in API activity related to the deletion of S3 buckets in your AWS environment. It leverages AWS CloudTrail logs to detect anomalies by comparing current deletion activity against a historical baseline. This activity is significant as unusual spikes in S3 bucket deletions could indicate malicious actions such as data exfiltration or unauthorized data destruction. If confirmed malicious, this could lead to significant data loss, disruption of services, and potential exposure of sensitive information. Immediate investigation is required to determine the legitimacy of the activity. -action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points required to have a statistically significant amount of data to determine. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike. This search works best when you run the "Baseline of S3 Bucket deletion activity by ARN" support search once to create a baseline of previously seen S3 bucket-deletion activity. -action.escu.known_false_positives = Based on the values of`dataPointThreshold` and `deviationThreshold`, the false positive rate may vary. Please modify this according the your environment. -action.escu.creation_date = 2024-05-03 -action.escu.modification_date = 2024-05-03 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect Spike in S3 Bucket deletion - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["Suspicious AWS S3 Activities"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Detect Spike in S3 Bucket deletion - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious AWS S3 Activities"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1530"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e733a326-59d2-446d-b8db-14a17151aa68", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` eventName=DeleteBucket [search `cloudtrail` eventName=DeleteBucket | spath output=arn path=userIdentity.arn | stats count as apiCalls by arn | inputlookup s3_deletion_baseline append=t | fields - latestCount | stats values(*) as * by arn | rename apiCalls as latestCount | eval newAvgApiCalls=avgApiCalls + (latestCount-avgApiCalls)/720 | eval newStdevApiCalls=sqrt(((pow(stdevApiCalls, 2)*719 + (latestCount-newAvgApiCalls)*(latestCount-avgApiCalls))/720)) | eval avgApiCalls=coalesce(newAvgApiCalls, avgApiCalls), stdevApiCalls=coalesce(newStdevApiCalls, stdevApiCalls), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup s3_deletion_baseline | eval dataPointThreshold = 15, deviationThreshold = 3 | eval isSpike=if((latestCount > avgApiCalls+deviationThreshold*stdevApiCalls) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=user userIdentity.arn | spath output=bucketName path=requestParameters.bucketName | stats values(bucketName) as bucketName, count as numberOfApiCalls, dc(eventName) as uniqueApisCalled by user | `detect_spike_in_s3_bucket_deletion_filter` - -[ESCU - GCP Authentication Failed During MFA Challenge - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies an authentication attempt event against a Google Cloud Platform tenant that fails during the Multi Factor Authentication challenge. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004", "T1621"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies an authentication attempt event against a Google Cloud Platform tenant that fails during the Multi Factor Authentication challenge. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled. -action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. Specifically, this analytic leverages the User log events. -action.escu.known_false_positives = Legitimate users may miss to reply the MFA challenge within the time window or deny it by mistake. -action.escu.creation_date = 2024-01-04 -action.escu.modification_date = 2024-01-04 -action.escu.confidence = high -action.escu.full_search_name = ESCU - GCP Authentication Failed During MFA Challenge - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Google Cloud Platform", "Google Workspace"] -action.escu.analytic_story = ["GCP Account Takeover"] -action.risk = 1 -action.risk.param._risk_message = User $user$ failed to pass MFA challenge -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 54}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - GCP Authentication Failed During MFA Challenge - Rule -action.correlationsearch.annotations = {"analytic_story": ["GCP Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004", "T1621"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "345f7e1d-a3fe-4158-abd8-e630f9878323", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies an authentication attempt event against a Google Cloud Platform tenant that fails during the Multi Factor Authentication challenge. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled. -action.notable.param.rule_title = GCP Authentication Failed During MFA Challenge -action.notable.param.security_domain = identity -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `gws_reports_login` event.name=login_failure `gws_login_mfa_methods` | stats count min(_time) as firstTime max(_time) as lastTime by user, src_ip, login_challenge_method | `gcp_authentication_failed_during_mfa_challenge_filter` - -[ESCU - GCP Detect gcploit framework - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies the use of the GCPloit exploitation framework within Google Cloud Platform (GCP). It detects specific GCP Pub/Sub messages with a function timeout of 539 seconds, which is indicative of GCPloit activity. This detection is significant as GCPloit can be used to escalate privileges and facilitate lateral movement from compromised high-privilege accounts. If confirmed malicious, this activity could allow attackers to gain unauthorized access, escalate their privileges, and move laterally within the GCP environment, potentially compromising sensitive data and critical resources. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.CM"]} -action.escu.data_models = ["Email"] -action.escu.eli5 = The following analytic identifies the use of the GCPloit exploitation framework within Google Cloud Platform (GCP). It detects specific GCP Pub/Sub messages with a function timeout of 539 seconds, which is indicative of GCPloit activity. This detection is significant as GCPloit can be used to escalate privileges and facilitate lateral movement from compromised high-privilege accounts. If confirmed malicious, this activity could allow attackers to gain unauthorized access, escalate their privileges, and move laterally within the GCP environment, potentially compromising sensitive data and critical resources. -action.escu.how_to_implement = You must install splunk GCP add-on. This search works with gcp:pubsub:message logs -action.escu.known_false_positives = Payload.request.function.timeout value can possibly be match with other functions or requests however the source user and target request account may indicate an attempt to move laterally accross acounts or projects -action.escu.creation_date = 2024-05-14 -action.escu.modification_date = 2024-05-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - GCP Detect gcploit framework - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Google Cloud Platform", "Google Workspace"] -action.escu.analytic_story = ["GCP Cross Account Activity"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - GCP Detect gcploit framework - Rule -action.correlationsearch.annotations = {"analytic_story": ["GCP Cross Account Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a1c5a85e-a162-410c-a5d9-99ff639e5a52", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the use of the GCPloit exploitation framework within Google Cloud Platform (GCP). It detects specific GCP Pub/Sub messages with a function timeout of 539 seconds, which is indicative of GCPloit activity. This detection is significant as GCPloit can be used to escalate privileges and facilitate lateral movement from compromised high-privilege accounts. If confirmed malicious, this activity could allow attackers to gain unauthorized access, escalate their privileges, and move laterally within the GCP environment, potentially compromising sensitive data and critical resources. -action.notable.param.rule_title = GCP Detect gcploit framework -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `google_gcp_pubsub_message` data.protoPayload.request.function.timeout=539s | table src src_user data.resource.labels.project_id data.protoPayload.request.function.serviceAccountEmail data.protoPayload.authorizationInfo{}.permission data.protoPayload.request.location http_user_agent | `gcp_detect_gcploit_framework_filter` - -[ESCU - GCP Kubernetes cluster pod scan detection - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies unauthenticated requests to Kubernetes cluster pods. It detects this activity by analyzing GCP Pub/Sub messages for audit logs where the response status code is 401, indicating unauthorized access attempts. This activity is significant for a SOC because it may indicate reconnaissance or scanning attempts by an attacker trying to identify vulnerable pods. If confirmed malicious, this activity could lead to unauthorized access, allowing the attacker to exploit vulnerabilities within the cluster, potentially compromising sensitive data or gaining control over the Kubernetes environment. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies unauthenticated requests to Kubernetes cluster pods. It detects this activity by analyzing GCP Pub/Sub messages for audit logs where the response status code is 401, indicating unauthorized access attempts. This activity is significant for a SOC because it may indicate reconnaissance or scanning attempts by an attacker trying to identify vulnerable pods. If confirmed malicious, this activity could lead to unauthorized access, allowing the attacker to exploit vulnerabilities within the cluster, potentially compromising sensitive data or gaining control over the Kubernetes environment. -action.escu.how_to_implement = You must install the GCP App for Splunk (version 2.0.0 or later), then configure stackdriver and set a Pub/Sub subscription to be imported to Splunk. -action.escu.known_false_positives = Not all unauthenticated requests are malicious, but frequency, User Agent, source IPs and pods will provide context. -action.escu.creation_date = 2024-05-18 -action.escu.modification_date = 2024-05-18 -action.escu.confidence = high -action.escu.full_search_name = ESCU - GCP Kubernetes cluster pod scan detection - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Google Cloud Platform", "Google Workspace"] -action.escu.analytic_story = ["Kubernetes Scanning Activity"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - GCP Kubernetes cluster pod scan detection - Rule -action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Scanning Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "19b53215-4a16-405b-8087-9e6acf619842", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `google_gcp_pubsub_message` category=kube-audit |spath input=properties.log |search responseStatus.code=401 |table sourceIPs{} userAgent verb requestURI responseStatus.reason properties.pod | `gcp_kubernetes_cluster_pod_scan_detection_filter` - -[ESCU - GCP Multi-Factor Authentication Disabled - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies an attempt to disable multi-factor authentication for a GCP user. An adversary who has obtained access to an GCP tenant may disable multi-factor authentication as a way to plant a backdoor and maintain persistence using a valid account. This way the attackers can keep persistance in the environment without adding new users. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1556", "T1556.006"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies an attempt to disable multi-factor authentication for a GCP user. An adversary who has obtained access to an GCP tenant may disable multi-factor authentication as a way to plant a backdoor and maintain persistence using a valid account. This way the attackers can keep persistance in the environment without adding new users. -action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. Specifically, this analytic leverages the Admin log events. -action.escu.known_false_positives = Legitimate use case may require for users to disable MFA. Filter as needed. -action.escu.creation_date = 2024-01-04 -action.escu.modification_date = 2024-01-04 -action.escu.confidence = high -action.escu.full_search_name = ESCU - GCP Multi-Factor Authentication Disabled - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Google Cloud Platform", "Google Workspace"] -action.escu.analytic_story = ["GCP Account Takeover"] -action.risk = 1 -action.risk.param._risk_message = MFA disabled for User $user$ initiated by $actor.email$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 45}, {"risk_object_field": "actor.email", "risk_object_type": "other", "risk_score": 45}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - GCP Multi-Factor Authentication Disabled - Rule -action.correlationsearch.annotations = {"analytic_story": ["GCP Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Exploitation", "Installation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1556", "T1556.006"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "b9bc5513-6fc1-4821-85a3-e1d81e451c83", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies an attempt to disable multi-factor authentication for a GCP user. An adversary who has obtained access to an GCP tenant may disable multi-factor authentication as a way to plant a backdoor and maintain persistence using a valid account. This way the attackers can keep persistance in the environment without adding new users. -action.notable.param.rule_title = GCP Multi-Factor Authentication Disabled -action.notable.param.security_domain = identity -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `gws_reports_admin` command=UNENROLL_USER_FROM_STRONG_AUTH | stats count min(_time) as firstTime max(_time) as lastTime by user, command, actor.email, status, id.applicationName, event.name, vendor_account, action | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `gcp_multi_factor_authentication_disabled_filter` - -[ESCU - GCP Multiple Failed MFA Requests For User - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies multiple failed multi-factor authentication requests for a single user within a Google Cloud Platform tenant. Specifically, the analytic triggers when 10 or more MFA user prompts fail within 5 minutes. Google CLoud tenants can be very different depending on the organization, Security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls as reported by Mandiant and others. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1621", "T1078", "T1078.004"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies multiple failed multi-factor authentication requests for a single user within a Google Cloud Platform tenant. Specifically, the analytic triggers when 10 or more MFA user prompts fail within 5 minutes. Google CLoud tenants can be very different depending on the organization, Security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls as reported by Mandiant and others. -action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. We would also recommend tuning the detection by adjusting the window `span` and `mfa_prompts` threshold values according to your environment. Specifically, this analytic leverages the User log events. -action.escu.known_false_positives = Multiple Failed MFA requests may also be a sign of authentication or application issues. Filter as needed. -action.escu.creation_date = 2022-10-14 -action.escu.modification_date = 2022-10-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - GCP Multiple Failed MFA Requests For User - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Google Cloud Platform", "Google Workspace"] -action.escu.analytic_story = ["GCP Account Takeover"] -action.risk = 1 -action.risk.param._risk_message = Multiple Failed MFA requests for user $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 54}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - GCP Multiple Failed MFA Requests For User - Rule -action.correlationsearch.annotations = {"analytic_story": ["GCP Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1621", "T1078", "T1078.004"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "cbb3cb84-c06f-4393-adcc-5cb6195621f1", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies multiple failed multi-factor authentication requests for a single user within a Google Cloud Platform tenant. Specifically, the analytic triggers when 10 or more MFA user prompts fail within 5 minutes. Google CLoud tenants can be very different depending on the organization, Security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls as reported by Mandiant and others. -action.notable.param.rule_title = GCP Multiple Failed MFA Requests For User -action.notable.param.security_domain = identity -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `gws_reports_login` event.name=login_failure `gws_login_mfa_methods` | bucket span=5m _time | stats dc(_raw) AS mfa_prompts values(user) AS user by src_ip, login_challenge_method, _time | where mfa_prompts >= 10 | `gcp_multiple_failed_mfa_requests_for_user_filter` - -[ESCU - GCP Multiple Users Failing To Authenticate From Ip - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies one source Ip failing to authenticate into the Google Workspace user accounts with more than 20 unique valid users within 5 minutes. These user accounts may have other privileges with respect to access to other sensitive resources in the Google Cloud Platform. This behavior could represent an adversary performing a Password Spraying attack against an Google Workspace environment to obtain initial access or elevate privileges. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies one source Ip failing to authenticate into the Google Workspace user accounts with more than 20 unique valid users within 5 minutes. These user accounts may have other privileges with respect to access to other sensitive resources in the Google Cloud Platform. This behavior could represent an adversary performing a Password Spraying attack against an Google Workspace environment to obtain initial access or elevate privileges. -action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. We would also recommend tuning the detection by adjusting the window `span` and `unique_accounts` threshold values according to your environment. Specifically, this analytic leverages the User log events. -action.escu.known_false_positives = No known false postives for this detection. Please review this alert. -action.escu.creation_date = 2022-10-12 -action.escu.modification_date = 2022-10-12 -action.escu.confidence = high -action.escu.full_search_name = ESCU - GCP Multiple Users Failing To Authenticate From Ip - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Google Cloud Platform", "Google Workspace"] -action.escu.analytic_story = ["GCP Account Takeover"] -action.risk = 1 -action.risk.param._risk_message = Multiple failed login attempts (Count: $unique_accounts$) against users seen from $src$ -action.risk.param._risk = [{"risk_object_field": "tried_accounts", "risk_object_type": "user", "risk_score": 54}, {"threat_object_field": "src", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - GCP Multiple Users Failing To Authenticate From Ip - Rule -action.correlationsearch.annotations = {"analytic_story": ["GCP Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Exploitation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "da20828e-d6fb-4ee5-afb7-d0ac200923d5", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `gws_reports_login` event.type = login event.name = login_failure | bucket span=5m _time | stats count dc(user) AS unique_accounts values(user) as tried_accounts values(authentication_method) AS authentication_method earliest(_time) as firstTime latest(_time) as lastTime by _time event.name src app id.applicationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where unique_accounts > 20 | `gcp_multiple_users_failing_to_authenticate_from_ip_filter` - -[ESCU - GCP Successful Single-Factor Authentication - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a successful authentication event against Google Cloud Platform for an account without Multi-Factor Authentication enabled. This could be evidence of a missconfiguration, a policy violation or an account take over attempt that should be investigated -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies a successful authentication event against Google Cloud Platform for an account without Multi-Factor Authentication enabled. This could be evidence of a missconfiguration, a policy violation or an account take over attempt that should be investigated -action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. Specifically, this analytic leverages the User log events. -action.escu.known_false_positives = Although not recommended, certain users may be required without multi-factor authentication. Filter as needed -action.escu.creation_date = 2024-01-04 -action.escu.modification_date = 2024-01-04 -action.escu.confidence = high -action.escu.full_search_name = ESCU - GCP Successful Single-Factor Authentication - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Google Cloud Platform", "Google Workspace"] -action.escu.analytic_story = ["GCP Account Takeover"] -action.risk = 1 -action.risk.param._risk_message = Successful authentication for user $user$ without MFA -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 45}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - GCP Successful Single-Factor Authentication - Rule -action.correlationsearch.annotations = {"analytic_story": ["GCP Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "40e17d88-87da-414e-b253-8dc1e4f9555b", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a successful authentication event against Google Cloud Platform for an account without Multi-Factor Authentication enabled. This could be evidence of a missconfiguration, a policy violation or an account take over attempt that should be investigated -action.notable.param.rule_title = GCP Successful Single-Factor Authentication -action.notable.param.security_domain = identity -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `gws_reports_login` event.name=login_success NOT `gws_login_mfa_methods` | stats count min(_time) as firstTime max(_time) as lastTime by user, src_ip, login_challenge_method, app, event.name, vendor_account, action |`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `gcp_successful_single_factor_authentication_filter` - -[ESCU - GCP Unusual Number of Failed Authentications From Ip - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies one source IP failing to authenticate into the Google Workspace with multiple valid users. This behavior could represent an adversary performing a Password Spraying attack against a Google Workspace enviroment to obtain initial access or elevate privileges. The detection calculates the standard deviation for source IP and leverages the 3-sigma statistical rule to identify an unusual number of failed authentication attempts. To customize this analytic, users can try different combinations of the bucket span time and the calculation of the upperBound field. This logic can be used for real time security monitoring as well as threat hunting exercises. While looking for anomalies using statistical methods like the standard deviation can have benefits, we also recommend using threshold-based detections to complement coverage. A similar analytic following the threshold model is `GCP Multiple Users Failing To Authenticate From Ip` -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies one source IP failing to authenticate into the Google Workspace with multiple valid users. This behavior could represent an adversary performing a Password Spraying attack against a Google Workspace enviroment to obtain initial access or elevate privileges. The detection calculates the standard deviation for source IP and leverages the 3-sigma statistical rule to identify an unusual number of failed authentication attempts. To customize this analytic, users can try different combinations of the bucket span time and the calculation of the upperBound field. This logic can be used for real time security monitoring as well as threat hunting exercises. While looking for anomalies using statistical methods like the standard deviation can have benefits, we also recommend using threshold-based detections to complement coverage. A similar analytic following the threshold model is `GCP Multiple Users Failing To Authenticate From Ip` -action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. We would also recommend tuning the detection by adjusting the window `span` and `unique_accounts` threshold values according to your environment. Specifically, this analytic leverages the User log events. -action.escu.known_false_positives = No known false positives for this detection. Please review this alert -action.escu.creation_date = 2022-10-13 -action.escu.modification_date = 2022-10-13 -action.escu.confidence = high -action.escu.full_search_name = ESCU - GCP Unusual Number of Failed Authentications From Ip - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Google Cloud Platform", "Google Workspace"] -action.escu.analytic_story = ["GCP Account Takeover"] -action.risk = 1 -action.risk.param._risk_message = Unusual number of failed console login attempts (Count: $unique_accounts$) against users from IP Address - $src$ -action.risk.param._risk = [{"threat_object_field": "src", "threat_object_type": "ip_address"}, {"risk_object_field": "tried_accounts", "risk_object_type": "user", "risk_score": 54}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - GCP Unusual Number of Failed Authentications From Ip - Rule -action.correlationsearch.annotations = {"analytic_story": ["GCP Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Exploitation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "bd8097ed-958a-4873-87d9-44f2b4d85705", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `gws_reports_login` event.type = login event.name = login_failure| bucket span=5m _time | stats dc(user_name) AS unique_accounts values(user_name) as tried_accounts values(authentication_method) AS authentication_method by _time, src | eventstats avg(unique_accounts) as ip_avg , stdev(unique_accounts) as ip_std by _time | eval upperBound=(ip_avg+ip_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | where isOutlier =1| `gcp_unusual_number_of_failed_authentications_from_ip_filter` - -[ESCU - Gdrive suspicious file sharing - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies suspicious file-sharing activity on Google Drive, where internal users share documents with more than 50 external recipients. It leverages GSuite Drive logs, focusing on changes in user access and filtering for emails outside the organization's domain. This activity is significant as it may indicate compromised accounts or intentional data exfiltration. If confirmed malicious, this behavior could lead to unauthorized access to sensitive information, data leaks, and potential compliance violations. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies suspicious file-sharing activity on Google Drive, where internal users share documents with more than 50 external recipients. It leverages GSuite Drive logs, focusing on changes in user access and filtering for emails outside the organization's domain. This activity is significant as it may indicate compromised accounts or intentional data exfiltration. If confirmed malicious, this behavior could lead to unauthorized access to sensitive information, data leaks, and potential compliance violations. -action.escu.how_to_implement = Need to implement Gsuite logging targeting Google suite drive activity. In order for the search to work for your environment please update `yourdomain.com` value in the query with the domain relavant for your organization. -action.escu.known_false_positives = This is an anomaly search, you must specify your domain in the parameters so it either filters outside domains or focus on internal domains. This search may also help investigate compromise of accounts. By looking at for example source ip addresses, document titles and abnormal number of shares and shared target users. -action.escu.creation_date = 2024-05-13 -action.escu.modification_date = 2024-05-13 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Gdrive suspicious file sharing - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Google Cloud Platform", "Google Workspace"] -action.escu.analytic_story = ["Data Exfiltration", "Spearphishing Attachments"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Gdrive suspicious file sharing - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Exfiltration", "Spearphishing Attachments"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a7131dae-34e3-11ec-a2de-acde48001122", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `gsuite_drive` name=change_user_access | rename parameters.* as * | search email = "*@yourdomain.com" target_user != "*@yourdomain.com" | stats count values(owner) as owner values(target_user) as target values(doc_type) as doc_type values(doc_title) as doc_title dc(target_user) as distinct_target by src_ip email | where distinct_target > 50 | `gdrive_suspicious_file_sharing_filter` - -[ESCU - GitHub Actions Disable Security Workflow - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the disabling of a security workflow in GitHub Actions. It leverages GitHub logs to identify when a workflow, excluding those named *security-testing*, is disabled following a push or pull request event. This activity is significant as it may indicate an attempt by an attacker to conceal malicious code by disabling security checks. If confirmed malicious, this could allow the attacker to introduce and persist undetected malicious code within the repository, potentially compromising the integrity and security of the codebase. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1195.002", "T1195"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects the disabling of a security workflow in GitHub Actions. It leverages GitHub logs to identify when a workflow, excluding those named *security-testing*, is disabled following a push or pull request event. This activity is significant as it may indicate an attempt by an attacker to conceal malicious code by disabling security checks. If confirmed malicious, this could allow the attacker to introduce and persist undetected malicious code within the repository, potentially compromising the integrity and security of the codebase. -action.escu.how_to_implement = You must index GitHub logs. You can follow the url in reference to onboard GitHub logs. Sometimes GitHub logs are truncated, make sure to disable it in props.conf. Replace *security-testing* with the name of your security testing workflow in GitHub Actions. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2024-05-17 -action.escu.modification_date = 2024-05-17 -action.escu.confidence = high -action.escu.full_search_name = ESCU - GitHub Actions Disable Security Workflow - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Dev Sec Ops"] -action.risk = 1 -action.risk.param._risk_message = Security Workflow is disabled in branch $branch$ for repository $repository$ -action.risk.param._risk = [{"risk_object_field": "repository", "risk_object_type": "other", "risk_score": 27}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - GitHub Actions Disable Security Workflow - Rule -action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 13"], "confidence": 90, "impact": 30, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1195.002", "T1195"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "0459f1a5-c0ac-4987-82d6-65081209f854", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `github` workflow_run.event=push OR workflow_run.event=pull_request | stats values(workflow_run.name) as workflow_run.name by workflow_run.head_commit.id workflow_run.event workflow_run.head_branch workflow_run.head_commit.author.email workflow_run.head_commit.author.name workflow_run.head_commit.message workflow_run.head_commit.timestamp workflow_run.head_repository.full_name workflow_run.head_repository.owner.id workflow_run.head_repository.owner.login workflow_run.head_repository.owner.type | rename workflow_run.head_commit.author.name as user, workflow_run.head_commit.author.email as user_email, workflow_run.head_repository.full_name as repository, workflow_run.head_branch as branch | search NOT workflow_run.name=*security-testing* | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `github_actions_disable_security_workflow_filter` - -[ESCU - Github Commit Changes In Master - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search is to detect a pushed or commit to master or main branch. This is to avoid unwanted modification to master without a review to the changes. Ideally in terms of devsecops the changes made in a branch and do a PR for review. of course in some cases admin of the project may did a changes directly to master branch -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1199"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search is to detect a pushed or commit to master or main branch. This is to avoid unwanted modification to master without a review to the changes. Ideally in terms of devsecops the changes made in a branch and do a PR for review. of course in some cases admin of the project may did a changes directly to master branch -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs related to github logs having the fork, commit, push metadata that can be use to monitor the changes in a github project. -action.escu.known_false_positives = Admin can do changes directly to master branch -action.escu.creation_date = 2021-08-20 -action.escu.modification_date = 2021-08-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Github Commit Changes In Master - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Dev Sec Ops"] -action.risk = 1 -action.risk.param._risk_message = Suspicious commit by $commit.commit.author.email$ to main branch -action.risk.param._risk = [{"risk_object_field": "commit.commit.author.email", "risk_object_type": "user", "risk_score": 9}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Github Commit Changes In Master - Rule -action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1199"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c9d2bfe2-019f-11ec-a8eb-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `github` branches{}.name = main OR branches{}.name = master | stats count min(_time) as firstTime max(_time) as lastTime by commit.commit.author.email commit.author.login commit.commit.message repository.pushed_at commit.commit.committer.date repository.full_name | rename commit.author.login as user, repository.full_name as repository | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `github_commit_changes_in_master_filter` - -[ESCU - Github Commit In Develop - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search is to detect a pushed or commit to develop branch. This is to avoid unwanted modification to develop without a review to the changes. Ideally in terms of devsecops the changes made in a branch and do a PR for review. of course in some cases admin of the project may did a changes directly to master branch -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1199"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search is to detect a pushed or commit to develop branch. This is to avoid unwanted modification to develop without a review to the changes. Ideally in terms of devsecops the changes made in a branch and do a PR for review. of course in some cases admin of the project may did a changes directly to master branch -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs related to github logs having the fork, commit, push metadata that can be use to monitor the changes in a github project. -action.escu.known_false_positives = admin can do changes directly to develop branch -action.escu.creation_date = 2021-09-01 -action.escu.modification_date = 2021-09-01 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Github Commit In Develop - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Dev Sec Ops"] -action.risk = 1 -action.risk.param._risk_message = Suspicious commit by $commit.commit.author.email$ to develop branch -action.risk.param._risk = [{"risk_object_field": "commit.commit.author.email", "risk_object_type": "user", "risk_score": 9}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Github Commit In Develop - Rule -action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1199"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "f3030cb6-0b02-11ec-8f22-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `github` branches{}.name = main OR branches{}.name = develop | stats count min(_time) as firstTime max(_time) as lastTime by commit.author.html_url commit.commit.author.email commit.author.login commit.commit.message repository.pushed_at commit.commit.committer.date | eval phase="code" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `github_commit_in_develop_filter` - -[ESCU - GitHub Dependabot Alert - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic is made by first searching for logs that contain the action "create" and renames certain fields for easier analysis. Then, this analytic uses the "stats" command to calculate the first and last occurrence of the alert based on the timestamp. The fields included in the output are the action, affected package name, affected range, created date, external identifier, external reference, fixed version, severity, repository, repository URL, and user. The "phase" field is set to "code" to indicate that the alert pertains to code-related issues. The detection is important because dependabot Alerts can indicate vulnerabilities in the codebase that can be exploited by attackers. Detecting and investigating these alerts can help a SOC to proactively address security risks and prevent potential breaches or unauthorized access to sensitive information. False positives might occur since there are legitimate actions that trigger the "create" action or if other factors exist that can generate similar log entries. Next steps include reviewing the details of the alert, such as the affected package, severity, and fixed version to determine the appropriate response and mitigation steps. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1195.001", "T1195"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic is made by first searching for logs that contain the action "create" and renames certain fields for easier analysis. Then, this analytic uses the "stats" command to calculate the first and last occurrence of the alert based on the timestamp. The fields included in the output are the action, affected package name, affected range, created date, external identifier, external reference, fixed version, severity, repository, repository URL, and user. The "phase" field is set to "code" to indicate that the alert pertains to code-related issues. The detection is important because dependabot Alerts can indicate vulnerabilities in the codebase that can be exploited by attackers. Detecting and investigating these alerts can help a SOC to proactively address security risks and prevent potential breaches or unauthorized access to sensitive information. False positives might occur since there are legitimate actions that trigger the "create" action or if other factors exist that can generate similar log entries. Next steps include reviewing the details of the alert, such as the affected package, severity, and fixed version to determine the appropriate response and mitigation steps. -action.escu.how_to_implement = You must index GitHub logs. You can follow the url in reference to onboard GitHub logs. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2021-09-01 -action.escu.modification_date = 2021-09-01 -action.escu.confidence = high -action.escu.full_search_name = ESCU - GitHub Dependabot Alert - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Dev Sec Ops"] -action.risk = 1 -action.risk.param._risk_message = Vulnerabilities found in packages used by GitHub repository $repository$ -action.risk.param._risk = [{"risk_object_field": "repository", "risk_object_type": "other", "risk_score": 27}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - GitHub Dependabot Alert - Rule -action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 13"], "confidence": 90, "impact": 30, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1195.001", "T1195"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "05032b04-4469-4034-9df7-05f607d75cba", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `github` alert.id=* action=create | rename repository.full_name as repository, repository.html_url as repository_url sender.login as user | stats min(_time) as firstTime max(_time) as lastTime by action alert.affected_package_name alert.affected_range alert.created_at alert.external_identifier alert.external_reference alert.fixed_in alert.severity repository repository_url user | eval phase="code" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `github_dependabot_alert_filter` - -[ESCU - GitHub Pull Request from Unknown User - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects pull requests from unknown users on GitHub. The detection is made by using a Splunk query to search for pull requests in the `check_suite.pull_requests` field where the `id` is not specified. Next, the analytic retrieves information such as the author's name, the repository's full name, the head reference of the pull request, and the commit message from the `check_suite.head_commit` field. The analytic also includes a step to exclude known users by using the `github_known_users` lookup table, which helps to filter out pull requests from known users and focus on the pull requests from unknown users. The detection is important because it locates potential malicious activity or unauthorized access since unknown users can introduce malicious code or gain unauthorized access to repositories leading to unauthorized code changes, data breaches, or other security incidents. Next steps include reviewing the author's name, the repository involved, the head reference of the pull request, and the commit message upon triage of a potential pull request from an unknown user. You must also analyze any relevant on-disk artifacts and investigate any concurrent processes to determine the source and intent of the pull request." -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1195.001", "T1195"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects pull requests from unknown users on GitHub. The detection is made by using a Splunk query to search for pull requests in the `check_suite.pull_requests` field where the `id` is not specified. Next, the analytic retrieves information such as the author's name, the repository's full name, the head reference of the pull request, and the commit message from the `check_suite.head_commit` field. The analytic also includes a step to exclude known users by using the `github_known_users` lookup table, which helps to filter out pull requests from known users and focus on the pull requests from unknown users. The detection is important because it locates potential malicious activity or unauthorized access since unknown users can introduce malicious code or gain unauthorized access to repositories leading to unauthorized code changes, data breaches, or other security incidents. Next steps include reviewing the author's name, the repository involved, the head reference of the pull request, and the commit message upon triage of a potential pull request from an unknown user. You must also analyze any relevant on-disk artifacts and investigate any concurrent processes to determine the source and intent of the pull request." -action.escu.how_to_implement = You must index GitHub logs. You can follow the url in reference to onboard GitHub logs. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2021-09-01 -action.escu.modification_date = 2021-09-01 -action.escu.confidence = high -action.escu.full_search_name = ESCU - GitHub Pull Request from Unknown User - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Dev Sec Ops"] -action.risk = 1 -action.risk.param._risk_message = Vulnerabilities found in packages used by GitHub repository $repository$ -action.risk.param._risk = [{"risk_object_field": "repository", "risk_object_type": "other", "risk_score": 27}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - GitHub Pull Request from Unknown User - Rule -action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 13"], "confidence": 90, "impact": 30, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1195.001", "T1195"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "9d7b9100-8878-4404-914e-ca5e551a641e", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `github` check_suite.pull_requests{}.id=* | stats count by check_suite.head_commit.author.name repository.full_name check_suite.pull_requests{}.head.ref check_suite.head_commit.message | rename check_suite.head_commit.author.name as user repository.full_name as repository check_suite.pull_requests{}.head.ref as ref_head check_suite.head_commit.message as commit_message | search NOT `github_known_users` | eval phase="code" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `github_pull_request_from_unknown_user_filter` - -[ESCU - Gsuite Drive Share In External Email - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search is to detect suspicious google drive or google docs files shared outside or externally. This behavior might be a good hunting query to monitor exfitration of data made by an attacker or insider to a targetted machine. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1567.002", "T1567"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search is to detect suspicious google drive or google docs files shared outside or externally. This behavior might be a good hunting query to monitor exfitration of data made by an attacker or insider to a targetted machine. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc. In order for the search to work for your environment, please edit the query to use your company specific email domain instead of `internal_test_email.com`. -action.escu.known_false_positives = network admin or normal user may share files to customer and external team. -action.escu.creation_date = 2021-08-16 -action.escu.modification_date = 2021-08-16 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Gsuite Drive Share In External Email - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Google Cloud Platform", "Google Workspace"] -action.escu.analytic_story = ["Dev Sec Ops", "Insider Threat"] -action.risk = 1 -action.risk.param._risk_message = suspicious share gdrive from $parameters.owner$ to $email$ namely as $parameters.doc_title$ -action.risk.param._risk = [{"risk_object_field": "parameters.owner", "risk_object_type": "other", "risk_score": 72}, {"risk_object_field": "email", "risk_object_type": "user", "risk_score": 72}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Gsuite Drive Share In External Email - Rule -action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops", "Insider Threat"], "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1567.002", "T1567"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "f6ee02d6-fea0-11eb-b2c2-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `gsuite_drive` NOT (email IN("", "null")) | rex field=parameters.owner "[^@]+@(?[^@]+)" | rex field=email "[^@]+@(?[^@]+)" | where src_domain = "internal_test_email.com" and not dest_domain = "internal_test_email.com" | eval phase="plan" | eval severity="low" | stats values(parameters.doc_title) as doc_title, values(parameters.doc_type) as doc_types, values(email) as dst_email_list, values(parameters.visibility) as visibility, values(parameters.doc_id) as doc_id, count min(_time) as firstTime max(_time) as lastTime by parameters.owner ip_address phase severity | rename parameters.owner as user ip_address as src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `gsuite_drive_share_in_external_email_filter` - -[ESCU - GSuite Email Suspicious Attachment - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search is to detect a suspicious attachment file extension in Gsuite email that may related to spear phishing attack. This file type is commonly used by malware to lure user to click on it to execute malicious code to compromised targetted machine. But this search can also catch some normal files related to this file type that maybe send by employee or network admin. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search is to detect a suspicious attachment file extension in Gsuite email that may related to spear phishing attack. This file type is commonly used by malware to lure user to click on it to execute malicious code to compromised targetted machine. But this search can also catch some normal files related to this file type that maybe send by employee or network admin. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc. -action.escu.known_false_positives = network admin and normal user may send this file attachment as part of their day to day work. having a good protocol in attaching this file type to an e-mail may reduce the risk of having a spear phishing attack. -action.escu.creation_date = 2021-08-16 -action.escu.modification_date = 2021-08-16 -action.escu.confidence = high -action.escu.full_search_name = ESCU - GSuite Email Suspicious Attachment - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Google Cloud Platform", "Google Workspace"] -action.escu.analytic_story = ["Dev Sec Ops"] -action.risk = 1 -action.risk.param._risk_message = Suspicious email from $source.address$ to $destination{}.address$ -action.risk.param._risk = [{"risk_object_field": "source.address", "risk_object_type": "other", "risk_score": 49}, {"risk_object_field": "destination{}.address", "risk_object_type": "user", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - GSuite Email Suspicious Attachment - Rule -action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "6d663014-fe92-11eb-ab07-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `gsuite_gmail` "attachment{}.file_extension_type" IN ("pl", "py", "rb", "sh", "bat", "exe", "dll", "cpl", "com", "js", "vbs", "ps1", "reg","swf", "cmd", "go") | eval phase="plan" | eval severity="medium" | stats count min(_time) as firstTime max(_time) as lastTime values(attachment{}.file_extension_type) as email_attachments, values(attachment{}.sha256) as attachment_sha256, values(payload_size) as payload_size by destination{}.service num_message_attachments subject destination{}.address source.address phase severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `gsuite_email_suspicious_attachment_filter` - -[ESCU - Gsuite Email Suspicious Subject With Attachment - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search is to detect a gsuite email contains suspicious subject having known file type used in spear phishing. This technique is a common and effective entry vector of attacker to compromise a network by luring the user to click or execute the suspicious attachment send from external email account because of the effective social engineering of subject related to delivery, bank and so on. On the other hand this detection may catch a normal email traffic related to legitimate transaction so better to check the email sender, spelling and etc. avoid click link or opening the attachment if you are not expecting this type of e-mail. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search is to detect a gsuite email contains suspicious subject having known file type used in spear phishing. This technique is a common and effective entry vector of attacker to compromise a network by luring the user to click or execute the suspicious attachment send from external email account because of the effective social engineering of subject related to delivery, bank and so on. On the other hand this detection may catch a normal email traffic related to legitimate transaction so better to check the email sender, spelling and etc. avoid click link or opening the attachment if you are not expecting this type of e-mail. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc. -action.escu.known_false_positives = normal user or normal transaction may contain the subject and file type attachment that this detection try to search. -action.escu.creation_date = 2021-08-19 -action.escu.modification_date = 2021-08-19 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Gsuite Email Suspicious Subject With Attachment - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Google Cloud Platform", "Google Workspace"] -action.escu.analytic_story = ["Dev Sec Ops"] -action.risk = 1 -action.risk.param._risk_message = Suspicious email from $source.address$ to $destination{}.address$ -action.risk.param._risk = [{"risk_object_field": "destination{}.address", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "source.address", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Gsuite Email Suspicious Subject With Attachment - Rule -action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "8ef3971e-00f2-11ec-b54f-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `gsuite_gmail` num_message_attachments > 0 subject IN ("*dhl*", "* ups *", "*delivery*", "*parcel*", "*label*", "*invoice*", "*postal*", "* fedex *", "* usps *", "* express *", "*shipment*", "*Banking/Tax*","*shipment*", "*new order*") attachment{}.file_extension_type IN ("doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "zip", "rar", "html","htm","hta") | rex field=source.from_header_address "[^@]+@(?[^@]+)" | rex field=destination{}.address "[^@]+@(?[^@]+)" | where not source_domain="internal_test_email.com" and dest_domain="internal_test_email.com" | eval phase="plan" | eval severity="medium" | stats count min(_time) as firstTime max(_time) as lastTime values(attachment{}.file_extension_type) as email_attachments, values(attachment{}.sha256) as attachment_sha256, values(payload_size) as payload_size by destination{}.service num_message_attachments subject destination{}.address source.address phase severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `gsuite_email_suspicious_subject_with_attachment_filter` - -[ESCU - Gsuite Email With Known Abuse Web Service Link - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytics is to detect a gmail containing a link that are known to be abused by malware or attacker like pastebin, telegram and discord to deliver malicious payload. This event can encounter some normal email traffic within organization and external email that normally using this application and services. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This analytics is to detect a gmail containing a link that are known to be abused by malware or attacker like pastebin, telegram and discord to deliver malicious payload. This event can encounter some normal email traffic within organization and external email that normally using this application and services. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc. -action.escu.known_false_positives = normal email contains this link that are known application within the organization or network can be catched by this detection. -action.escu.creation_date = 2021-08-23 -action.escu.modification_date = 2021-08-23 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Gsuite Email With Known Abuse Web Service Link - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Google Cloud Platform", "Google Workspace"] -action.escu.analytic_story = ["Dev Sec Ops"] -action.risk = 1 -action.risk.param._risk_message = Suspicious email from $source.address$ to $destination{}.address$ -action.risk.param._risk = [{"risk_object_field": "destination{}.address", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "source.address", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Gsuite Email With Known Abuse Web Service Link - Rule -action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "8630aa22-042b-11ec-af39-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `gsuite_gmail` "link_domain{}" IN ("*pastebin.com*", "*discord*", "*telegram*","t.me") | rex field=source.from_header_address "[^@]+@(?[^@]+)" | rex field=destination{}.address "[^@]+@(?[^@]+)" | where not source_domain="internal_test_email.com" and dest_domain="internal_test_email.com" | eval phase="plan" | eval severity="low" |stats values(link_domain{}) as link_domains min(_time) as firstTime max(_time) as lastTime count by is_spam source.address source.from_header_address subject destination{}.address phase severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `gsuite_email_with_known_abuse_web_service_link_filter` - -[ESCU - Gsuite Outbound Email With Attachment To External Domain - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search is to detect a suspicious outbound e-mail from internal email to external email domain. This can be a good hunting query to monitor insider or outbound email traffic for not common domain e-mail. The idea is to parse the domain of destination email check if there is a minimum outbound traffic < 20 with attachment. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048.003", "T1048"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search is to detect a suspicious outbound e-mail from internal email to external email domain. This can be a good hunting query to monitor insider or outbound email traffic for not common domain e-mail. The idea is to parse the domain of destination email check if there is a minimum outbound traffic < 20 with attachment. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc. -action.escu.known_false_positives = network admin and normal user may send this file attachment as part of their day to day work. having a good protocol in attaching this file type to an e-mail may reduce the risk of having a spear phishing attack. -action.escu.creation_date = 2024-03-25 -action.escu.modification_date = 2024-03-25 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Gsuite Outbound Email With Attachment To External Domain - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Google Cloud Platform", "Google Workspace"] -action.escu.analytic_story = ["Dev Sec Ops", "Insider Threat"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Gsuite Outbound Email With Attachment To External Domain - Rule -action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops", "Insider Threat"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048.003", "T1048"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "dc4dc3a8-ff54-11eb-8bf7-acde48001122", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `gsuite_gmail` num_message_attachments > 0 | rex field=source.from_header_address "[^@]+@(?[^@]+)" | rex field=destination{}.address "[^@]+@(?[^@]+)" | where source_domain="internal_test_email.com" and not dest_domain="internal_test_email.com" | eval phase="plan" | eval severity="low" | stats values(subject) as subject, values(source.from_header_address) as src_domain_list, count as numEvents, dc(source.from_header_address) as numSrcAddresses, min(_time) as firstTime max(_time) as lastTime by dest_domain phase severity | where numSrcAddresses < 20 |sort - numSrcAddresses | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `gsuite_outbound_email_with_attachment_to_external_domain_filter` - -[ESCU - Gsuite suspicious calendar invite - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic detects suspicious calendar invites sent via GSuite, potentially indicating compromised accounts or malicious internal activity. It leverages GSuite calendar logs, focusing on events where a high volume of invites (over 100) is sent within a 5-minute window. This behavior is significant as it may involve the distribution of malicious links or attachments, posing a security risk. If confirmed malicious, this activity could lead to widespread phishing attacks, unauthorized access, or malware distribution within the organization. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects suspicious calendar invites sent via GSuite, potentially indicating compromised accounts or malicious internal activity. It leverages GSuite calendar logs, focusing on events where a high volume of invites (over 100) is sent within a 5-minute window. This behavior is significant as it may involve the distribution of malicious links or attachments, posing a security risk. If confirmed malicious, this activity could lead to widespread phishing attacks, unauthorized access, or malware distribution within the organization. -action.escu.how_to_implement = In order to successfully implement this search, you need to be ingesting logs related to gsuite (gsuite:calendar:json) having the file sharing metadata like file type, source owner, destination target user, description, etc. This search can also be made more specific by selecting specific emails, subdomains timeframe, organizational units, targeted user, etc. In order for the search to work for your environment please update `yourdomain.com` value in the query with the domain relavant for your organization. -action.escu.known_false_positives = This search will also produce normal activity statistics. Fields such as email, ip address, name, parameters.organizer_calendar_id, parameters.target_calendar_id and parameters.event_title may give away phishing intent.For more specific results use email parameter. -action.escu.creation_date = 2024-05-21 -action.escu.modification_date = 2024-05-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Gsuite suspicious calendar invite - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Google Cloud Platform", "Google Workspace"] -action.escu.analytic_story = ["Spearphishing Attachments"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Gsuite suspicious calendar invite - Rule -action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "03cdd68a-34fb-11ec-9bd3-acde48001122", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `gsuite_calendar` |bin span=5m _time |rename parameters.* as * |search target_calendar_id!=null email="*yourdomain.com"| stats count values(target_calendar_id) values(event_title) values(event_guest) by email _time | where count >100| `gsuite_suspicious_calendar_invite_filter` - -[ESCU - Gsuite Suspicious Shared File Name - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search is to detect a shared file in google drive with suspicious file name that are commonly used by spear phishing campaign. This technique is very popular to lure the user by running a malicious document or click a malicious link within the shared file that will redirected to malicious website. This detection can also catch some normal email communication between organization and its external customer. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search is to detect a shared file in google drive with suspicious file name that are commonly used by spear phishing campaign. This technique is very popular to lure the user by running a malicious document or click a malicious link within the shared file that will redirected to malicious website. This detection can also catch some normal email communication between organization and its external customer. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc. In order for the search to work for your environment, please edit the query to use your company specific email domain instead of `internal_test_email.com`. -action.escu.known_false_positives = normal user or normal transaction may contain the subject and file type attachment that this detection try to search -action.escu.creation_date = 2021-08-23 -action.escu.modification_date = 2021-08-23 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Gsuite Suspicious Shared File Name - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Google Cloud Platform", "Google Workspace"] -action.escu.analytic_story = ["Dev Sec Ops"] -action.risk = 1 -action.risk.param._risk_message = suspicious share gdrive from $parameters.owner$ to $email$ namely as $parameters.doc_title$ -action.risk.param._risk = [{"risk_object_field": "parameters.owner", "risk_object_type": "other", "risk_score": 21}, {"risk_object_field": "email", "risk_object_type": "user", "risk_score": 21}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Gsuite Suspicious Shared File Name - Rule -action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 10"], "confidence": 70, "impact": 30, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "07eed200-03f5-11ec-98fb-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `gsuite_drive` parameters.owner_is_team_drive=false "parameters.doc_title" IN ("*dhl*", "* ups *", "*delivery*", "*parcel*", "*label*", "*invoice*", "*postal*", "*fedex*", "* usps *", "* express *", "*shipment*", "*Banking/Tax*","*shipment*", "*new order*") parameters.doc_type IN ("document","pdf", "msexcel", "msword", "spreadsheet", "presentation") | rex field=parameters.owner "[^@]+@(?[^@]+)" | rex field=parameters.target_user "[^@]+@(?[^@]+)" | where not source_domain="internal_test_email.com" and dest_domain="internal_test_email.com" | eval phase="plan" | eval severity="low" | stats count min(_time) as firstTime max(_time) as lastTime by email parameters.owner parameters.target_user parameters.doc_title parameters.doc_type phase severity | rename parameters.target_user AS user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `gsuite_suspicious_shared_file_name_filter` - -[ESCU - High Number of Login Failures from a single source - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic detects multiple failed login attempts in Office365 Azure Active Directory from a single source IP address. Specifically, it identifies scenarios where there are more than 10 unsuccessful login attempts within a short time frame. The detection leverages Office365 management activity logs, specifically the AzureActiveDirectoryStsLogon records from the AzureActiveDirectory workload. It aggregates these logs in 5-minute intervals to count the number of failed login attempts and associates them with the originating source IP address. Multiple failed login attempts from a single source can be indicative of brute-force attacks, password spraying, or other malicious authentication attempts. Identifying and responding to these patterns promptly can prevent unauthorized access and potential breaches. If this detection represents a true positive, an attacker might be attempting to gain unauthorized access to an Office365 account. Successful compromise could lead to unauthorized access to sensitive data, potential lateral movement within the organization, or further malicious activities using the compromised account. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.001", "T1110"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic detects multiple failed login attempts in Office365 Azure Active Directory from a single source IP address. Specifically, it identifies scenarios where there are more than 10 unsuccessful login attempts within a short time frame. The detection leverages Office365 management activity logs, specifically the AzureActiveDirectoryStsLogon records from the AzureActiveDirectory workload. It aggregates these logs in 5-minute intervals to count the number of failed login attempts and associates them with the originating source IP address. Multiple failed login attempts from a single source can be indicative of brute-force attacks, password spraying, or other malicious authentication attempts. Identifying and responding to these patterns promptly can prevent unauthorized access and potential breaches. If this detection represents a true positive, an attacker might be attempting to gain unauthorized access to an Office365 account. Successful compromise could lead to unauthorized access to sensitive data, potential lateral movement within the organization, or further malicious activities using the compromised account. -action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. Adjust the threshold value to suit the specific environment, as environments with naturally higher login failures might generate false positives at a lower threshold. -action.escu.known_false_positives = An Ip address with more than 10 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application. -action.escu.creation_date = 2020-12-16 -action.escu.modification_date = 2020-12-16 -action.escu.confidence = high -action.escu.full_search_name = ESCU - High Number of Login Failures from a single source - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Office 365"] -action.escu.analytic_story = ["Office 365 Account Takeover"] -action.risk = 1 -action.risk.param._risk_message = Ip address $src_ip$ failed to authenticate more than 10 times in a 5 minute -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - High Number of Login Failures from a single source - Rule -action.correlationsearch.annotations = {"analytic_story": ["Office 365 Account Takeover"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.001", "T1110"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "7f398cfb-918d-41f4-8db8-2e2474e02222", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoginFailed record_type=AzureActiveDirectoryStsLogon | bucket span=5m _time | stats dc(_raw) AS failed_attempts values(user) as user values(LogonError) as LogonError values(signature) as signature values(UserAgent) as UserAgent by _time, src_ip | where failed_attempts > 10 | `high_number_of_login_failures_from_a_single_source_filter` - -[ESCU - Kubernetes Abuse of Secret by Unusual Location - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects unauthorized access or misuse of Kubernetes Secrets from unusual locations. It identifies anomalies in access patterns by segmenting and analyzing the source of requests by country. Kubernetes Secrets, which store sensitive information like passwords, OAuth tokens, and SSH keys, are critical assets, and their misuse can lead to significant security breaches. This behavior is worth identifying for a SOC as it could indicate an attacker attempting to exfiltrate or misuse these secrets. The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.007"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects unauthorized access or misuse of Kubernetes Secrets from unusual locations. It identifies anomalies in access patterns by segmenting and analyzing the source of requests by country. Kubernetes Secrets, which store sensitive information like passwords, OAuth tokens, and SSH keys, are critical assets, and their misuse can lead to significant security breaches. This behavior is worth identifying for a SOC as it could indicate an attacker attempting to exfiltrate or misuse these secrets. The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data. -action.escu.how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-12-06 -action.escu.modification_date = 2023-12-06 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Kubernetes Abuse of Secret by Unusual Location - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Kubernetes"] -action.escu.analytic_story = ["Kubernetes Security"] -action.risk = 1 -action.risk.param._risk_message = Access of Kubernetes secret $objectRef.name$ from unusual location $Country$ by $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Kubernetes Abuse of Secret by Unusual Location - Rule -action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Security"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.007"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "40a064c1-4ec1-4381-9e35-61192ba8ef82", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `kube_audit` objectRef.resource=secrets verb=get | iplocation sourceIPs{} | fillnull | search NOT `kube_allowed_locations` | stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} user.uid user.username userAgent verb City Country | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_abuse_of_secret_by_unusual_location_filter` - -[ESCU - Kubernetes Abuse of Secret by Unusual User Agent - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects unauthorized access or misuse of Kubernetes Secrets by unusual user agents. It identifies anomalies in access patterns by segmenting and analyzing the source of requests by user agent. Kubernetes Secrets, which store sensitive information like passwords, OAuth tokens, and SSH keys, are critical assets, and their misuse can lead to significant security breaches. This behavior is worth identifying for a SOC as it could indicate an attacker attempting to exfiltrate or misuse these secrets. The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.007"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects unauthorized access or misuse of Kubernetes Secrets by unusual user agents. It identifies anomalies in access patterns by segmenting and analyzing the source of requests by user agent. Kubernetes Secrets, which store sensitive information like passwords, OAuth tokens, and SSH keys, are critical assets, and their misuse can lead to significant security breaches. This behavior is worth identifying for a SOC as it could indicate an attacker attempting to exfiltrate or misuse these secrets. The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data. -action.escu.how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-12-06 -action.escu.modification_date = 2023-12-06 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Kubernetes Abuse of Secret by Unusual User Agent - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Kubernetes"] -action.escu.analytic_story = ["Kubernetes Security"] -action.risk = 1 -action.risk.param._risk_message = Access of Kubernetes secret $objectRef.name$ from unusual user agent $userAgent$ by $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Kubernetes Abuse of Secret by Unusual User Agent - Rule -action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Security"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.007"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "096ab390-05ca-462c-884e-343acd5b9240", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `kube_audit` objectRef.resource=secrets verb=get | search NOT `kube_allowed_user_agents` | fillnull | stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} user.uid user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_abuse_of_secret_by_unusual_user_agent_filter` - -[ESCU - Kubernetes Abuse of Secret by Unusual User Group - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects unauthorized access or misuse of Kubernetes Secrets by unusual user groups. It identifies anomalies in access patterns by segmenting and analyzing the source of requests by user group. Kubernetes Secrets, which store sensitive information like passwords, OAuth tokens, and SSH keys, are critical assets, and their misuse can lead to significant security breaches. This behavior is worth identifying for a SOC as it could indicate an attacker attempting to exfiltrate or misuse these secrets. The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.007"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects unauthorized access or misuse of Kubernetes Secrets by unusual user groups. It identifies anomalies in access patterns by segmenting and analyzing the source of requests by user group. Kubernetes Secrets, which store sensitive information like passwords, OAuth tokens, and SSH keys, are critical assets, and their misuse can lead to significant security breaches. This behavior is worth identifying for a SOC as it could indicate an attacker attempting to exfiltrate or misuse these secrets. The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data. -action.escu.how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-12-06 -action.escu.modification_date = 2023-12-06 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Kubernetes Abuse of Secret by Unusual User Group - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Kubernetes"] -action.escu.analytic_story = ["Kubernetes Security"] -action.risk = 1 -action.risk.param._risk_message = Access of Kubernetes secret $objectRef.name$ from unusual user group $user.groups{}$ by user name $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Kubernetes Abuse of Secret by Unusual User Group - Rule -action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Security"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.007"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "b6f45bbc-4ea9-4068-b3bc-0477f6997ae2", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `kube_audit` objectRef.resource=secrets verb=get | search NOT `kube_allowed_user_groups` | fillnull | stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} user.uid user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_abuse_of_secret_by_unusual_user_group_filter` - -[ESCU - Kubernetes Abuse of Secret by Unusual User Name - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects unauthorized access or misuse of Kubernetes Secrets by unusual user names. It identifies anomalies in access patterns by segmenting and analyzing the source of requests by user name. Kubernetes Secrets, which store sensitive information like passwords, OAuth tokens, and SSH keys, are critical assets, and their misuse can lead to significant security breaches. This behavior is worth identifying for a SOC as it could indicate an attacker attempting to exfiltrate or misuse these secrets. The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.007"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects unauthorized access or misuse of Kubernetes Secrets by unusual user names. It identifies anomalies in access patterns by segmenting and analyzing the source of requests by user name. Kubernetes Secrets, which store sensitive information like passwords, OAuth tokens, and SSH keys, are critical assets, and their misuse can lead to significant security breaches. This behavior is worth identifying for a SOC as it could indicate an attacker attempting to exfiltrate or misuse these secrets. The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data. -action.escu.how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-12-06 -action.escu.modification_date = 2023-12-06 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Kubernetes Abuse of Secret by Unusual User Name - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Kubernetes"] -action.escu.analytic_story = ["Kubernetes Security"] -action.risk = 1 -action.risk.param._risk_message = Access of Kubernetes secret $objectRef.name$ from unusual user name $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Kubernetes Abuse of Secret by Unusual User Name - Rule -action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Security"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.007"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "df6e9cae-5257-4a34-8f3a-df49fa0f5c46", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `kube_audit` objectRef.resource=secrets verb=get | search NOT `kube_allowed_user_names` | fillnull | stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} user.uid user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_abuse_of_secret_by_unusual_user_name_filter` - -[ESCU - Kubernetes Access Scanning - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects potential scanning activities within a Kubernetes environment. It identifies unauthorized access attempts, probing of public APIs, or attempts to exploit known vulnerabilities. The analytic detects this behavior by monitoring Kubernetes audit logs for patterns indicative of scanning, such as repeated failed access attempts or unusual API requests. This behavior is worth identifying for a SOC as it could indicate an attackers preliminary step in an attack, aiming to gather information about the system to find potential vulnerabilities. The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1046"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects potential scanning activities within a Kubernetes environment. It identifies unauthorized access attempts, probing of public APIs, or attempts to exploit known vulnerabilities. The analytic detects this behavior by monitoring Kubernetes audit logs for patterns indicative of scanning, such as repeated failed access attempts or unusual API requests. This behavior is worth identifying for a SOC as it could indicate an attackers preliminary step in an attack, aiming to gather information about the system to find potential vulnerabilities. The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data. -action.escu.how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-12-07 -action.escu.modification_date = 2023-12-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Kubernetes Access Scanning - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Kubernetes"] -action.escu.analytic_story = ["Kubernetes Security"] -action.risk = 1 -action.risk.param._risk_message = Kubernetes scanning from ip $src_ip$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Kubernetes Access Scanning - Rule -action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Security"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1046"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "2f4abe6d-5991-464d-8216-f90f42999764", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `kube_audit` "user.groups{}"="system:unauthenticated" "responseStatus.code"=403 | iplocation sourceIPs{} | stats count values(userAgent) as userAgent values(user.username) as user.username values(user.groups{}) as user.groups{} values(verb) as verb values(requestURI) as requestURI values(responseStatus.code) as responseStatus.code values(responseStatus.message) as responseStatus.message values(responseStatus.reason) as responseStatus.reason values(responseStatus.status) as responseStatus.status by sourceIPs{} Country City | where count > 5 | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_access_scanning_filter` - -[ESCU - Kubernetes Anomalous Inbound Network Activity from Process - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This detection detects inbound network traffic volume anomalies from processes running within containerised workloads. Anomalies are provided with context identifying the Kubernetes cluster, the workload name, and the type of anomaly.This detection leverages Network performance Monitoring metrics harvested using an OTEL collector, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247). This detection compares the tcp.bytes, tcp.new_sockets, tcp.packets, udp.bytes, udp.packets metrics for destination (receiving) workload process pairs over the last 1 hour, with the average of those metrics for those pairs over the last 30 days in order to detect any anonymously high inbound network activity. Anomalies in inbound network traffic may suggest that the container is receiving unexpected or unauthorized data, potentially indicative of a breach, a vulnerability exploitation attempt, an attempt to overload the service, or propagation of malware. Successful compromise of a containerised application resulting in the ability to upload data, can result in installation of command and control software or other malware, data integrity damage, container escape, and further compromise of the environment. Additionally this kind of activity may result in resource contention, performance degradation and disruption to the normal operation of the environment. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This detection detects inbound network traffic volume anomalies from processes running within containerised workloads. Anomalies are provided with context identifying the Kubernetes cluster, the workload name, and the type of anomaly.This detection leverages Network performance Monitoring metrics harvested using an OTEL collector, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247). This detection compares the tcp.bytes, tcp.new_sockets, tcp.packets, udp.bytes, udp.packets metrics for destination (receiving) workload process pairs over the last 1 hour, with the average of those metrics for those pairs over the last 30 days in order to detect any anonymously high inbound network activity. Anomalies in inbound network traffic may suggest that the container is receiving unexpected or unauthorized data, potentially indicative of a breach, a vulnerability exploitation attempt, an attempt to overload the service, or propagation of malware. Successful compromise of a containerised application resulting in the ability to upload data, can result in installation of command and control software or other malware, data integrity damage, container escape, and further compromise of the environment. Additionally this kind of activity may result in resource contention, performance degradation and disruption to the normal operation of the environment. -action.escu.how_to_implement = To gather NPM metrics the Open Telemetry to the Kubernetes Cluster and enable Network Performance Monitoring according to instructions found in Splunk Docs https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup In order to access those metrics from within Splunk Enterprise and ES, the Splunk Infrastructure Monitoring add-on must be installed and configured on a Splunk Search Head. Once installed, first configure the add-on with your O11y Cloud Org ID and Access Token. Lastly set up the add-on to ingest metrics from O11y cloud using the following settings, and any other settings left at default: \ -* Name sim_npm_metrics_to_metrics_index \ -* Org ID \ -* Signal Flow Program data('tcp.packets').publish(label='A'); data('tcp.bytes').publish(label='B'); data('tcp.new_sockets').publish(label='C'); data('udp.packets').publish(label='D'); data('udp.bytes').publish(label='E') \ -* Metric Resolution 10000 -action.escu.known_false_positives = unknown -action.escu.creation_date = 2024-01-10 -action.escu.modification_date = 2024-01-10 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Kubernetes Anomalous Inbound Network Activity from Process - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Kubernetes"] -action.escu.analytic_story = ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"] -action.risk = 1 -action.risk.param._risk_message = Kubernetes Anomalous Inbound Network Activity from Process in kubernetes cluster $host$ -action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Kubernetes Anomalous Inbound Network Activity from Process - Rule -action.correlationsearch.annotations = {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "10442d8b-0701-4c25-911d-d67b906e713c", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | mstats avg(tcp.*) as tcp.* avg(udp.*) as udp.* where `kubernetes_metrics` AND earliest=-1h by k8s.cluster.name dest.workload.name dest.process.name span=10s | eval key='dest.workload.name' + ":" + 'dest.process.name' | join type=left key [ mstats avg(tcp.*) as avg_tcp.* avg(udp.*) as avg_udp.* stdev(tcp.*) as stdev_tcp.* avg(udp.*) as stdev_udp.* where `kubernetes_metrics` AND earliest=-30d latest=-1h by dest.workload.name dest.process.name | eval key='dest.workload.name' + ":" + 'dest.process.name' ] | eval anomalies = "" | foreach stdev_* [ eval anomalies =if( '<>' > ('avg_<>' + 3 * 'stdev_<>'), anomalies + "<> higher than average by " + tostring(round(('<>' - 'avg_<>')/'stdev_<>' ,2)) + " Standard Deviations. <>=" + tostring('<>') + " avg_<>=" + tostring('avg_<>') + " 'stdev_<>'=" + tostring('stdev_<>') + ", " , anomalies) ] | fillnull | eval anomalies = split(replace(anomalies, ",\s$$$$", "") ,", ") | where anomalies!="" | stats count(anomalies) as count values(anomalies) as anomalies by k8s.cluster.name dest.workload.name dest.process.name | where count > 5 | rename k8s.cluster.name as host | `kubernetes_anomalous_inbound_network_activity_from_process_filter` - -[ESCU - Kubernetes Anomalous Inbound Outbound Network IO - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This analytic identifies high Inbound or Outbound Network IO anomalies in a Kubernetes container. It uses process metrics from an OTEL collector and Kubelet Stats Receiver, and data from Splunk Observability cloud via the Splunk Infrastructure Monitoring Add-on. A lookup table containing average and standard deviation for network IO is used to evaluate anomalies for each container. An event is generated if the anomaly persists over a 1 hour period. These anomalies may indicate security threats such as data exfiltration, command and control communication, service disruptions, or unauthorized data transfers. They can compromise the confidentiality, availability, and integrity of applications and data, necessitating rapid detection and response. Anomalous network utilization may suggest a compromised container, potentially leading to data breaches, service outages, financial losses, and reputational damage. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic identifies high Inbound or Outbound Network IO anomalies in a Kubernetes container. It uses process metrics from an OTEL collector and Kubelet Stats Receiver, and data from Splunk Observability cloud via the Splunk Infrastructure Monitoring Add-on. A lookup table containing average and standard deviation for network IO is used to evaluate anomalies for each container. An event is generated if the anomaly persists over a 1 hour period. These anomalies may indicate security threats such as data exfiltration, command and control communication, service disruptions, or unauthorized data transfers. They can compromise the confidentiality, availability, and integrity of applications and data, necessitating rapid detection and response. Anomalous network utilization may suggest a compromised container, potentially leading to data breaches, service outages, financial losses, and reputational damage. -action.escu.how_to_implement = To implement this detection, follow these steps: \ -* Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster. \ -* Enable the hostmetrics/process receiver in the OTEL configuration. \ -* Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled. \ -* Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247) \ -* Configure the SIM add-on with your Observability Cloud Organization ID and Access Token. \ -* Set up the SIM modular input to ingest Process Metrics. Name this input "sim_process_metrics_to_metrics_index". \ -* In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID. \ -* Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K') \ -* Set the Metric Resolution to 10000. \ -* Leave all other settings at their default values. \ -* Run the Search Baseline Of Kubernetes Container Network IO Ratio -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-12-19 -action.escu.modification_date = 2023-12-19 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Kubernetes Anomalous Inbound Outbound Network IO - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Kubernetes"] -action.escu.analytic_story = ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"] -action.risk = 1 -action.risk.param._risk_message = Kubernetes Anomalous Inbound Outbound Network IO from container on host $host$ -action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Kubernetes Anomalous Inbound Outbound Network IO - Rule -action.correlationsearch.annotations = {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "4f3b0c97-657e-4547-a89a-9a50c656e3cd", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | mstats avg(k8s.pod.network.io) as io where `kubernetes_metrics` by k8s.cluster.name k8s.pod.name k8s.node.name direction span=10s | eval service = replace('k8s.pod.name', "-\w{5}$$|-[abcdef0-9]{8,10}-\w{5}$$", "") | stats avg(eval(if(direction="transmit", io,null()))) as outbound_network_io avg(eval(if(direction="receive", io,null()))) as inbound_network_io by k8s.cluster.name k8s.node.name k8s.pod.name service _time | eval key = 'k8s.cluster.name' + ":" + 'service' | lookup k8s_container_network_io_baseline key | eval anomalies = "" | foreach stdev_* [ eval anomalies =if( '<>' > ('avg_<>' + 4 * 'stdev_<>'), anomalies + "<> higher than average by " + tostring(round(('<>' - 'avg_<>')/'stdev_<>' ,2)) + " Standard Deviations. <>=" + tostring('<>') + " avg_<>=" + tostring('avg_<>') + " 'stdev_<>'=" + tostring('stdev_<>') + ", " , anomalies) ] | eval anomalies = replace(anomalies, ",\s$$", "") | where anomalies!="" | stats count values(anomalies) as anomalies by k8s.cluster.name k8s.node.name k8s.pod.name service | rename service as k8s.service | where count > 5 | rename k8s.node.name as host | `kubernetes_anomalous_inbound_outbound_network_traffic_io_filter` - -[ESCU - Kubernetes Anomalous Inbound to Outbound Network IO Ratio - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This analytic identifies changes in network communication behavior in a Kubernetes container by examining inbound to outbound network IO ratios. It uses process metrics from an OTEL collector and Kubelet Stats Receiver, and data from Splunk Observability cloud via the Splunk Infrastructure Monitoring Add-on. A lookup table containing average and standard deviation for network IO is used to evaluate anomalies for each container. An event is generated if the anomaly persists over a 1 hour period. These anomalies may indicate security threats such as data exfiltration, command and control communication, or compromised container behavior. They can compromise the confidentiality, availability, and integrity of applications and data, necessitating rapid detection and response. Anomalous network utilization may suggest a compromised container, potentially leading to data breaches, service outages, and unauthorized access within the Kubernetes cluster. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic identifies changes in network communication behavior in a Kubernetes container by examining inbound to outbound network IO ratios. It uses process metrics from an OTEL collector and Kubelet Stats Receiver, and data from Splunk Observability cloud via the Splunk Infrastructure Monitoring Add-on. A lookup table containing average and standard deviation for network IO is used to evaluate anomalies for each container. An event is generated if the anomaly persists over a 1 hour period. These anomalies may indicate security threats such as data exfiltration, command and control communication, or compromised container behavior. They can compromise the confidentiality, availability, and integrity of applications and data, necessitating rapid detection and response. Anomalous network utilization may suggest a compromised container, potentially leading to data breaches, service outages, and unauthorized access within the Kubernetes cluster. -action.escu.how_to_implement = To implement this detection, follow these steps: \ -* Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster. \ -* Enable the hostmetrics/process receiver in the OTEL configuration. \ -* Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled. \ -* Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247) \ -* Configure the SIM add-on with your Observability Cloud Organization ID and Access Token. \ -* Set up the SIM modular input to ingest Process Metrics. Name this input "sim_process_metrics_to_metrics_index". \ -* In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID. \ -* Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K') \ -* Set the Metric Resolution to 10000. \ -* Leave all other settings at their default values. \ -* Run the Search Baseline Of Kubernetes Container Network IO Ratio -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-12-19 -action.escu.modification_date = 2023-12-19 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Kubernetes Anomalous Inbound to Outbound Network IO Ratio - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Kubernetes"] -action.escu.analytic_story = ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"] -action.risk = 1 -action.risk.param._risk_message = Kubernetes Anomalous Inbound to Outbound Network IO Ratio from Container on host $host$ -action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Kubernetes Anomalous Inbound to Outbound Network IO Ratio - Rule -action.correlationsearch.annotations = {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "9d8f6e3f-39df-46d8-a9d4-96173edc501f", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | mstats avg(k8s.pod.network.io) as io where `kubernetes_metrics` by k8s.cluster.name k8s.pod.name k8s.node.name direction span=10s | eval service = replace('k8s.pod.name', "-\w{5}$|-[abcdef0-9]{8,10}-\w{5}$", "") | eval key = 'k8s.cluster.name' + ":" + 'service' | stats avg(eval(if(direction="transmit", io,null()))) as outbound_network_io avg(eval(if(direction="receive", io,null()))) as inbound_network_io by key service k8s.cluster.name k8s.pod.name k8s.node.name _time | eval inbound:outbound = inbound_network_io/outbound_network_io | eval outbound:inbound = outbound_network_io/inbound_network_io | fields - *network_io | lookup k8s_container_network_io_ratio_baseline key | eval anomalies = "" | foreach stdev_* [ eval anomalies =if( '<>' > ('avg_<>' + 4 * 'stdev_<>'), anomalies + "<> ratio higher than average by " + tostring(round(('<>' - 'avg_<>')/'stdev_<>' ,2)) + " Standard Deviations. <>=" + tostring('<>') + " avg_<>=" + tostring('avg_<>') + " 'stdev_<>'=" + tostring('stdev_<>') + ", " , anomalies) ] | eval anomalies = replace(anomalies, ",\s$", "") | where anomalies!="" | stats count values(anomalies) as anomalies by k8s.cluster.name k8s.node.name k8s.pod.name service | rename service as k8s.service | where count > 5 | rename k8s.node.name as host | `kubernetes_anomalous_inbound_to_outbound_network_io_ratio_filter` - -[ESCU - Kubernetes Anomalous Outbound Network Activity from Process - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This detection detects outbound network traffic volume anomalies from processes running within containerised workloads. Anomalies are provided with context identifying the Kubernetes cluster, the workload name, and the type of anomaly. This detection leverages Network performance Monitoring metrics harvested using an OTEL collector, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247). This detection compares the tcp.bytes, tcp.new_sockets, tcp.packets, udp.bytes, udp.packets metrics for source (transmitting) workload process pairs over the last 1 hout, with the average of those metrics for those pairs over the last 30 days in order to detect any anonymously high outbound network activity. Anonymously high outbound network traffic from a process running in a container is a potential indication of data exfiltration, or an indication that the process has been modified. Anomalously high outbound network activity from a process running within a container suggests the potential compromise, which may lead to unauthorized data exfiltration, communication with malicious entities, or the propagation of malware to external systems. The compromised container could also serve as a pivot point for further attacks within the containerized environment. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This detection detects outbound network traffic volume anomalies from processes running within containerised workloads. Anomalies are provided with context identifying the Kubernetes cluster, the workload name, and the type of anomaly. This detection leverages Network performance Monitoring metrics harvested using an OTEL collector, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247). This detection compares the tcp.bytes, tcp.new_sockets, tcp.packets, udp.bytes, udp.packets metrics for source (transmitting) workload process pairs over the last 1 hout, with the average of those metrics for those pairs over the last 30 days in order to detect any anonymously high outbound network activity. Anonymously high outbound network traffic from a process running in a container is a potential indication of data exfiltration, or an indication that the process has been modified. Anomalously high outbound network activity from a process running within a container suggests the potential compromise, which may lead to unauthorized data exfiltration, communication with malicious entities, or the propagation of malware to external systems. The compromised container could also serve as a pivot point for further attacks within the containerized environment. -action.escu.how_to_implement = To gather NPM metrics the Open Telemetry to the Kubernetes Cluster and enable Network Performance Monitoring according to instructions found in Splunk Docs https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup In order to access those metrics from within Splunk Enterprise and ES, the Splunk Infrastructure Monitoring add-on must be installed and configured on a Splunk Search Head. Once installed, first configure the add-on with your O11y Cloud Org ID and Access Token. Lastly set up the add-on to ingest metrics from O11y cloud using the following settings, and any other settings left at default: \ -* Name sim_npm_metrics_to_metrics_index \ -* Org ID \ -* Signal Flow Program data('tcp.packets').publish(label='A'); data('tcp.bytes').publish(label='B'); data('tcp.new_sockets').publish(label='C'); data('udp.packets').publish(label='D'); data('udp.bytes').publish(label='E') \ -* Metric Resolution 10000 -action.escu.known_false_positives = unknown -action.escu.creation_date = 2024-01-10 -action.escu.modification_date = 2024-01-10 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Kubernetes Anomalous Outbound Network Activity from Process - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Kubernetes"] -action.escu.analytic_story = ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"] -action.risk = 1 -action.risk.param._risk_message = Kubernetes Anomalous Outbound Network Activity from Process in kubernetes cluster $host$ -action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Kubernetes Anomalous Outbound Network Activity from Process - Rule -action.correlationsearch.annotations = {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "dd6afee6-e0a3-4028-a089-f47dd2842c22", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | mstats avg(tcp.*) as tcp.* avg(udp.*) as udp.* where `kubernetes_metrics` AND earliest=-1h by k8s.cluster.name source.workload.name source.process.name span=10s | eval key='source.workload.name' + ":" + 'source.process.name' | join type=left key [ mstats avg(tcp.*) as avg_tcp.* avg(udp.*) as avg_udp.* stdev(tcp.*) as stdev_tcp.* avg(udp.*) as stdev_udp.* where `kubernetes_metrics` AND earliest=-30d latest=-1h by source.workload.name source.process.name | eval key='source.workload.name' + ":" + 'source.process.name' ] | eval anomalies = "" | foreach stdev_* [ eval anomalies =if( '<>' > ('avg_<>' + 3 * 'stdev_<>'), anomalies + "<> higher than average by " + tostring(round(('<>' - 'avg_<>')/'stdev_<>' ,2)) + " Standard Deviations. <>=" + tostring('<>') + " avg_<>=" + tostring('avg_<>') + " 'stdev_<>'=" + tostring('stdev_<>') + ", " , anomalies) ] | fillnull | eval anomalies = split(replace(anomalies, ",\s$$$$", "") ,", ") | where anomalies!="" | stats count(anomalies) as count values(anomalies) as anomalies by k8s.cluster.name source.workload.name source.process.name | where count > 5 | rename k8s.cluster.name as host | `kubernetes_anomalous_outbound_network_activity_from_process_filter` - -[ESCU - Kubernetes Anomalous Traffic on Network Edge - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This detection detects network traffic volume anomalies between workloads in a microservices hosted application, or between a workload and the outside world if the workload is shown as (unknown). This detection leverages Network performance Monitoring metrics harvested using an OTEL collector, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on (https://splunkbase.splunk.com/app/5247). This detection compares the tcp.bytes, tcp.new_sockets, tcp.packets, udp.bytes, udp.packets metrics between workloads over the last 1 hour, with the average of those metrics over the last 30 days in order to detect any anonymously high inbound or outbound network activity. Unexpected spikes in network traffic may signify unauthorized data transfers, or abnormal behavior within the microservices ecosystem. Such activity might signify data exfiltration, unauthorized lateral movement, within the microservices environment. If a bad actor is responsible for this traffic they could compromise additional services or extract sensitive data, potentially leading to data breaches. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This detection detects network traffic volume anomalies between workloads in a microservices hosted application, or between a workload and the outside world if the workload is shown as (unknown). This detection leverages Network performance Monitoring metrics harvested using an OTEL collector, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on (https://splunkbase.splunk.com/app/5247). This detection compares the tcp.bytes, tcp.new_sockets, tcp.packets, udp.bytes, udp.packets metrics between workloads over the last 1 hour, with the average of those metrics over the last 30 days in order to detect any anonymously high inbound or outbound network activity. Unexpected spikes in network traffic may signify unauthorized data transfers, or abnormal behavior within the microservices ecosystem. Such activity might signify data exfiltration, unauthorized lateral movement, within the microservices environment. If a bad actor is responsible for this traffic they could compromise additional services or extract sensitive data, potentially leading to data breaches. -action.escu.how_to_implement = To gather NPM metrics the Open Telemetry to the Kubernetes Cluster and enable Network Performance Monitoring according to instructions found in Splunk Docs https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup In order to access those metrics from within Splunk Enterprise and ES, the Splunk Infrastructure Monitoring add-on must be installed and configured on a Splunk Search Head. Once installed, first configure the add-on with your O11y Cloud Org ID and Access Token. Lastly set up the add-on to ingest metrics from O11y cloud using the following settings, and any other settings left at default: \ -* Name sim_npm_metrics_to_metrics_index \ -* Org ID \ -* Signal Flow Program data('tcp.packets').publish(label='A'); data('tcp.bytes').publish(label='B'); data('tcp.new_sockets').publish(label='C'); data('udp.packets').publish(label='D'); data('udp.bytes').publish(label='E') \ -* Metric Resolution 10000 -action.escu.known_false_positives = unknown -action.escu.creation_date = 2024-01-10 -action.escu.modification_date = 2024-01-10 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Kubernetes Anomalous Traffic on Network Edge - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Kubernetes"] -action.escu.analytic_story = ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"] -action.risk = 1 -action.risk.param._risk_message = Kubernetes Anomalous Traffic on Network Edge in kubernetes cluster $host$ -action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Kubernetes Anomalous Traffic on Network Edge - Rule -action.correlationsearch.annotations = {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "886c7e51-2ea1-425d-8705-faaca5a64cc6", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | mstats avg(tcp.*) as tcp.* avg(udp.*) as udp.* where `kubernetes_metrics` AND earliest=-1h by k8s.cluster.name source.workload.name dest.workload.name span=10s | eval key='source.workload.name' + ":" + 'dest.workload.name' | join type=left key [ mstats avg(tcp.*) as avg_tcp.* avg(udp.*) as avg_udp.* stdev(tcp.*) as stdev_tcp.* avg(udp.*) as stdev_udp.* where `kubernetes_metrics` AND earliest=-30d latest=-1h by source.workload.name dest.workload.name | eval key='source.workload.name' + ":" + 'dest.workload.name' ] | eval anomalies = "" | foreach stdev_* [ eval anomalies =if( '<>' > ('avg_<>' + 3 * 'stdev_<>'), anomalies + "<> higher than average by " + tostring(round(('<>' - 'avg_<>')/'stdev_<>' ,2)) + " Standard Deviations. <>=" + tostring('<>') + " avg_<>=" + tostring('avg_<>') + " 'stdev_<>'=" + tostring('stdev_<>') + ", " , anomalies) ] | fillnull | eval anomalies = split(replace(anomalies, ",\s$$$$", "") ,", ") | where anomalies!="" | stats count(anomalies) as count values(anomalies) as anomalies by k8s.cluster.name source.workload.name dest.workload.name | rename service as k8s.service | where count > 5 | rename k8s.cluster.name as host | `kubernetes_anomalous_traffic_on_network_edge_filter` - -[ESCU - Kubernetes AWS detect suspicious kubectl calls - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic detects anonymous and unauthenticated requests to a Kubernetes cluster. It identifies this behavior by monitoring for API calls from users who have not provided any token or password in their request. This is a significant behavior to identify for a SOC as it indicates a severe misconfiguration that allows unfettered access to a cluster with no traceability to a user or service. The impact of such an attack could be substantial, potentially granting an attacker access to sensitive data or control over the cluster. This detection rule is crucial for maintaining the security and integrity of your Kubernetes infrastructure. -action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects anonymous and unauthenticated requests to a Kubernetes cluster. It identifies this behavior by monitoring for API calls from users who have not provided any token or password in their request. This is a significant behavior to identify for a SOC as it indicates a severe misconfiguration that allows unfettered access to a cluster with no traceability to a user or service. The impact of such an attack could be substantial, potentially granting an attacker access to sensitive data or control over the cluster. This detection rule is crucial for maintaining the security and integrity of your Kubernetes infrastructure. -action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs. -action.escu.known_false_positives = Kubectl calls are not malicious by nature. However source IP, verb and Object can reveal potential malicious activity, specially anonymous suspicious IPs and sensitive objects such as configmaps or secrets -action.escu.creation_date = 2023-12-19 -action.escu.modification_date = 2023-12-19 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Kubernetes AWS detect suspicious kubectl calls - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Kubernetes"] -action.escu.analytic_story = ["Kubernetes Security"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Kubernetes AWS detect suspicious kubectl calls - Rule -action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Security"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "042a3d32-8318-4763-9679-09db2644a8f2", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `kube_audit` user.username="system:anonymous" user.groups{} IN ("system:unauthenticated") | fillnull | stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} user.uid user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user |`kubernetes_aws_detect_suspicious_kubectl_calls_filter` - -[ESCU - Kubernetes Create or Update Privileged Pod - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the creation of privileged pods in Kubernetes. It identifies this behavior by monitoring Kubernetes Audit logs for the creation of pods with root privileges. This behavior is worth identifying for a SOC as it could potentially allow an attacker to escalate privileges, exploit the kernel, and gain full access to the host's namespace and devices. The impact of such an attack could be severe, leading to unauthorized access to sensitive information, data breaches, and service disruptions. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects the creation of privileged pods in Kubernetes. It identifies this behavior by monitoring Kubernetes Audit logs for the creation of pods with root privileges. This behavior is worth identifying for a SOC as it could potentially allow an attacker to escalate privileges, exploit the kernel, and gain full access to the host's namespace and devices. The impact of such an attack could be severe, leading to unauthorized access to sensitive information, data breaches, and service disruptions. -action.escu.how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-12-14 -action.escu.modification_date = 2023-12-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Kubernetes Create or Update Privileged Pod - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Kubernetes"] -action.escu.analytic_story = ["Kubernetes Security"] -action.risk = 1 -action.risk.param._risk_message = Kubernetes privileged pod created by user $user$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Kubernetes Create or Update Privileged Pod - Rule -action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Security"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "3c6bd734-334d-4818-ae7c-5234313fc5da", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `kube_audit` objectRef.resource=pods verb=create OR verb=update requestObject.metadata.annotations.kubectl.kubernetes.io/last-applied-configuration=*\"privileged\":true* | fillnull | stats count values(user.groups{}) as user_groups by kind objectRef.name objectRef.namespace objectRef.resource requestObject.kind responseStatus.code sourceIPs{} stage user.username userAgent verb requestObject.metadata.annotations.kubectl.kubernetes.io/last-applied-configuration | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_create_or_update_privileged_pod_filter` - -[ESCU - Kubernetes Cron Job Creation - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the creation of a Kubernetes cron job, a task scheduled to run automatically at specified intervals. It identifies this behavior by monitoring Kubernetes Audit logs for creation of a cron job. This behavior is worth identifying for a SOC as it could potentially allow an attacker to execute malicious tasks repeatedly and automatically, posing a significant threat to the integrity and security of the Kubernetes infrastructure. The impact of such an attack could be severe, leading to persistent attacks, service disruptions, or unauthorized access to sensitive information. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.007"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects the creation of a Kubernetes cron job, a task scheduled to run automatically at specified intervals. It identifies this behavior by monitoring Kubernetes Audit logs for creation of a cron job. This behavior is worth identifying for a SOC as it could potentially allow an attacker to execute malicious tasks repeatedly and automatically, posing a significant threat to the integrity and security of the Kubernetes infrastructure. The impact of such an attack could be severe, leading to persistent attacks, service disruptions, or unauthorized access to sensitive information. -action.escu.how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-12-14 -action.escu.modification_date = 2023-12-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Kubernetes Cron Job Creation - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Kubernetes"] -action.escu.analytic_story = ["Kubernetes Security"] -action.risk = 1 -action.risk.param._risk_message = Kubernetes cron job creation from user $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Kubernetes Cron Job Creation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Security"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.007"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "5984dbe8-572f-47d7-9251-3dff6c3f0c0d", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `kube_audit` verb=create "objectRef.resource"=cronjobs | fillnull | stats count values(user.groups{}) as user_groups by kind objectRef.name objectRef.namespace objectRef.resource requestObject.kind requestObject.spec.schedule requestObject.spec.jobTemplate.spec.template.spec.containers{}.image responseStatus.code sourceIPs{} stage user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_cron_job_creation_filter` - -[ESCU - Kubernetes DaemonSet Deployed - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the creation of a DaemonSet in a Kubernetes cluster. A DaemonSet ensures the presence of a specific pod on every node in the cluster, making it an ideal avenue for persistent access. This behavior is identified by monitoring Kubernetes Audit logs for the creation of a DaemonSet. The identified behavior is worth noting for a SOC as it could potentially allow an attacker to maintain persistent access to the Kubernetes infrastructure. The impact of such an attack could be severe, leading to persistent attacks, service disruptions, or unauthorized access to sensitive information. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects the creation of a DaemonSet in a Kubernetes cluster. A DaemonSet ensures the presence of a specific pod on every node in the cluster, making it an ideal avenue for persistent access. This behavior is identified by monitoring Kubernetes Audit logs for the creation of a DaemonSet. The identified behavior is worth noting for a SOC as it could potentially allow an attacker to maintain persistent access to the Kubernetes infrastructure. The impact of such an attack could be severe, leading to persistent attacks, service disruptions, or unauthorized access to sensitive information. -action.escu.how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-12-14 -action.escu.modification_date = 2023-12-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Kubernetes DaemonSet Deployed - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Kubernetes"] -action.escu.analytic_story = ["Kubernetes Security"] -action.risk = 1 -action.risk.param._risk_message = DaemonSet deployed to Kubernetes by user $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Kubernetes DaemonSet Deployed - Rule -action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Security"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "bf39c3a3-b191-4d42-8738-9d9797bd0c3a", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `kube_audit` "objectRef.resource"=daemonsets verb=create | fillnull | stats count values(user.groups{}) as user_groups by kind objectRef.name objectRef.namespace objectRef.resource requestObject.kind responseStatus.code sourceIPs{} stage user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_daemonset_deployed_filter` - -[ESCU - Kubernetes Falco Shell Spawned - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects instances where a shell is spawned within a Kubernetes container, a behavior often indicative of an attacker gaining unauthorized access. Leveraging Falco, a cloud-native runtime security tool, this analytic monitors system calls within the Kubernetes environment, flagging when a shell is spawned in a container. This behavior is worth identifying for a SOC as it could potentially allow an attacker to execute arbitrary commands, manipulate container processes, or escalate privileges, posing a significant threat to the integrity and security of the Kubernetes infrastructure. The impact of such an attack could be severe, leading to data breaches, service disruptions, or unauthorized access to sensitive information. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects instances where a shell is spawned within a Kubernetes container, a behavior often indicative of an attacker gaining unauthorized access. Leveraging Falco, a cloud-native runtime security tool, this analytic monitors system calls within the Kubernetes environment, flagging when a shell is spawned in a container. This behavior is worth identifying for a SOC as it could potentially allow an attacker to execute arbitrary commands, manipulate container processes, or escalate privileges, posing a significant threat to the integrity and security of the Kubernetes infrastructure. The impact of such an attack could be severe, leading to data breaches, service disruptions, or unauthorized access to sensitive information. -action.escu.how_to_implement = The detection is based on data that originates from Falco, a cloud native runtime security tool. Falco is designed to detect anomalous activity in your applications and is a crucial component of this detection rule. To implement this detection rule, you need to install and configure Falco in your Kubernetes environment. Once Falco is set up, it will monitor the system calls in your Kubernetes infrastructure and generate logs for any suspicious activity. These logs are then ingested by Splunk for analysis. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-12-13 -action.escu.modification_date = 2023-12-13 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Kubernetes Falco Shell Spawned - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Kubernetes"] -action.escu.analytic_story = ["Kubernetes Security"] -action.risk = 1 -action.risk.param._risk_message = A shell is spawned in the container $container_name$ by user $user$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Kubernetes Falco Shell Spawned - Rule -action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Security"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "d2feef92-d54a-4a19-8306-b47c6ceba5b2", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `kube_container_falco` "A shell was spawned in a container" | fillnull | stats count by container_image container_image_tag container_name parent proc_exepath process user | `kubernetes_falco_shell_spawned_filter` - -[ESCU - Kubernetes newly seen TCP edge - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This analytic detects TCP communication between a newly seen source and destination workload pair. This is done to identify changes in network behavior between workloads in a kubernetes cluster. This detection leverages Network performance Monitoring metrics harvested using an OTEL collector, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247). This detection compares network activity between workloads over the last 1 hour, with those over the last 30 days in order to detect newly seen inter workload communication. Newly seen network connections in a microservices based app indicate a change in behavior which could indicate potential security threats or anomalies. Distributed applications typically have common established network connection topologies, and new connections are often either an indication of a change in the application or an active threat. Unauthorized connections may enable the attacker to infiltrate the applications ecosystem, potentially leading to data breaches, manipulation of sensitive information, or disruption of critical services. Bad actors may exploit these connections to gain access, escalate privileges, move laterally within the microservices, or introduce malicious code or payloads, putting the applications integrity, availability, and confidentiality at risk. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic detects TCP communication between a newly seen source and destination workload pair. This is done to identify changes in network behavior between workloads in a kubernetes cluster. This detection leverages Network performance Monitoring metrics harvested using an OTEL collector, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247). This detection compares network activity between workloads over the last 1 hour, with those over the last 30 days in order to detect newly seen inter workload communication. Newly seen network connections in a microservices based app indicate a change in behavior which could indicate potential security threats or anomalies. Distributed applications typically have common established network connection topologies, and new connections are often either an indication of a change in the application or an active threat. Unauthorized connections may enable the attacker to infiltrate the applications ecosystem, potentially leading to data breaches, manipulation of sensitive information, or disruption of critical services. Bad actors may exploit these connections to gain access, escalate privileges, move laterally within the microservices, or introduce malicious code or payloads, putting the applications integrity, availability, and confidentiality at risk. -action.escu.how_to_implement = To gather NPM metrics the Open Telemetry to the Kubernetes Cluster and enable Network Performance Monitoring according to instructions found in Splunk Docs https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup In order to access those metrics from within Splunk Enterprise and ES, the Splunk Infrastructure Monitoring add-on must be installed and configured on a Splunk Search Head. Once installed, first configure the add-on with your O11y Cloud Org ID and Access Token. Lastly set up the add-on to ingest metrics from O11y cloud using the following settings, and any other settings left at default: \ -* Name sim_npm_metrics_to_metrics_index \ -* Org ID \ -* Signal Flow Program data('tcp.packets').publish(label='A'); data('tcp.bytes').publish(label='B'); data('tcp.new_sockets').publish(label='C'); data('udp.packets').publish(label='D'); data('udp.bytes').publish(label='E') \ -* Metric Resolution 10000 -action.escu.known_false_positives = unknown -action.escu.creation_date = 2024-01-10 -action.escu.modification_date = 2024-01-10 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Kubernetes newly seen TCP edge - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Kubernetes"] -action.escu.analytic_story = ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"] -action.risk = 1 -action.risk.param._risk_message = Kubernetes newly seen TCP edge in kubernetes cluster $host$ -action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Kubernetes newly seen TCP edge - Rule -action.correlationsearch.annotations = {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "13f081d6-7052-428a-bbb0-892c79ca7c65", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | mstats count(tcp.packets) as tcp.packets_count where `kubernetes_metrics` AND earliest=-1h by k8s.cluster.name source.workload.name dest.workload.name | eval current="True" | append [ mstats count(tcp.packets) as tcp.packets_count where `kubernetes_metrics` AND earliest=-30d latest=-1h by source.workload.name dest.workload.name | eval current="false" ] | eventstats values(current) as current by source.workload.name dest.workload.name | search current="true" current!="false" | rename k8s.cluster.name as host | `kubernetes_newly_seen_tcp_edge_filter` - -[ESCU - Kubernetes newly seen UDP edge - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This analytic detects UDP communication between a newly seen source and destination workload pair. This is done to identify changes in network behavior between workloads in a kubernetes cluster. This detection leverages Network performance Monitoring metrics harvested using an OTEL collector, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247). This detection compares network activity between workloads over the last 1 hour, with those over the last 30 days in order to detect newly seen inter workload communication. Newly seen network connections in a microservices based app indicate a change in behavior which could indicate potential security threats or anomalies. Distributed applications typically have common established network connection topologies, and new connections are often either an indication of a change in the application or an active threat. Unauthorized connections may enable the attacker to infiltrate the applications ecosystem, potentially leading to data breaches, manipulation of sensitive information, or disruption of critical services. Bad actors may exploit these connections to gain access, escalate privileges, move laterally within the microservices, or introduce malicious code or payloads, putting the applications integrity, availability, and confidentiality at risk. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic detects UDP communication between a newly seen source and destination workload pair. This is done to identify changes in network behavior between workloads in a kubernetes cluster. This detection leverages Network performance Monitoring metrics harvested using an OTEL collector, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247). This detection compares network activity between workloads over the last 1 hour, with those over the last 30 days in order to detect newly seen inter workload communication. Newly seen network connections in a microservices based app indicate a change in behavior which could indicate potential security threats or anomalies. Distributed applications typically have common established network connection topologies, and new connections are often either an indication of a change in the application or an active threat. Unauthorized connections may enable the attacker to infiltrate the applications ecosystem, potentially leading to data breaches, manipulation of sensitive information, or disruption of critical services. Bad actors may exploit these connections to gain access, escalate privileges, move laterally within the microservices, or introduce malicious code or payloads, putting the applications integrity, availability, and confidentiality at risk. -action.escu.how_to_implement = To gather NPM metrics the Open Telemetry to the Kubernetes Cluster and enable Network Performance Monitoring according to instructions found in Splunk Docs https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup In order to access those metrics from within Splunk Enterprise and ES, the Splunk Infrastructure Monitoring add-on must be installed and configured on a Splunk Search Head. Once installed, first configure the add-on with your O11y Cloud Org ID and Access Token. Lastly set up the add-on to ingest metrics from O11y cloud using the following settings, and any other settings left at default: \ -* Name sim_npm_metrics_to_metrics_index \ -* Org ID \ -* Signal Flow Program data('tcp.packets').publish(label='A'); data('tcp.bytes').publish(label='B'); data('tcp.new_sockets').publish(label='C'); data('udp.packets').publish(label='D'); data('udp.bytes').publish(label='E') \ -* Metric Resolution 10000 -action.escu.known_false_positives = unknown -action.escu.creation_date = 2024-01-10 -action.escu.modification_date = 2024-01-10 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Kubernetes newly seen UDP edge - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Kubernetes"] -action.escu.analytic_story = ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"] -action.risk = 1 -action.risk.param._risk_message = Kubernetes newly seen UDP edge in kubernetes cluster $host$ -action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Kubernetes newly seen UDP edge - Rule -action.correlationsearch.annotations = {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "49b7daca-4e3c-4899-ba15-9a175e056fa9", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | mstats count(udp.packets) as udp.packets_count where `kubernetes_metrics` AND earliest=-1h by k8s.cluster.name source.workload.name dest.workload.name | eval current="True" | append [ mstats count(udp.packets) as udp.packets_count where `kubernetes_metrics` AND earliest=-30d latest=-1h by source.workload.name dest.workload.name | eval current="false" ] | eventstats values(current) as current by source.workload.name dest.workload.name | search current="true" current!="false" | rename k8s.cluster.name as host | `kubernetes_newly_seen_udp_edge_filter` - -[ESCU - Kubernetes Nginx Ingress LFI - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects local file inclusion (LFI) attacks targeting Kubernetes Nginx ingress controllers. It leverages Kubernetes logs, parsing fields such as `request` and `status` to identify suspicious patterns indicative of LFI attempts. This activity is significant because LFI attacks can allow attackers to read sensitive files from the server, potentially exposing critical information. If confirmed malicious, this could lead to unauthorized access to sensitive data, further exploitation, and potential compromise of the Kubernetes environment. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1212"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects local file inclusion (LFI) attacks targeting Kubernetes Nginx ingress controllers. It leverages Kubernetes logs, parsing fields such as `request` and `status` to identify suspicious patterns indicative of LFI attempts. This activity is significant because LFI attacks can allow attackers to read sensitive files from the server, potentially exposing critical information. If confirmed malicious, this could lead to unauthorized access to sensitive data, further exploitation, and potential compromise of the Kubernetes environment. -action.escu.how_to_implement = You must ingest Kubernetes logs through Splunk Connect for Kubernetes. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2024-05-19 -action.escu.modification_date = 2024-05-19 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Kubernetes Nginx Ingress LFI - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Kubernetes"] -action.escu.analytic_story = ["Dev Sec Ops"] -action.risk = 1 -action.risk.param._risk_message = Local File Inclusion Attack detected on $host$ -action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "system", "risk_score": 49}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Kubernetes Nginx Ingress LFI - Rule -action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1212"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "0f83244b-425b-4528-83db-7a88c5f66e48", "detection_version": "4"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects local file inclusion (LFI) attacks targeting Kubernetes Nginx ingress controllers. It leverages Kubernetes logs, parsing fields such as `request` and `status` to identify suspicious patterns indicative of LFI attempts. This activity is significant because LFI attacks can allow attackers to read sensitive files from the server, potentially exposing critical information. If confirmed malicious, this could lead to unauthorized access to sensitive data, further exploitation, and potential compromise of the Kubernetes environment. -action.notable.param.rule_title = Kubernetes Nginx Ingress LFI -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `kubernetes_container_controller` | rex field=_raw "^(?\S+)\s+-\s+-\s+\[(?[^\]]*)\]\s\"(?[^\"]*)\"\s(?\S*)\s(?\S*)\s\"(?[^\"]*)\"\s\"(?[^\"]*)\"\s(?\S*)\s(?\S*)\s\[(?[^\]]*)\]\s\[(?[^\]]*)\]\s(?\S*)\s(?\S*)\s(?\S*)\s(?\S*)\s(?\S*)" | rename remote_addr AS src_ip, upstream_status as status, proxy_upstream_name as proxy | rex field=request "^(?\S+)\s(?\S+)\s" | eval phase="operate" | eval severity="high" | stats count min(_time) as firstTime max(_time) as lastTime by src_ip, status, url, http_method, host, http_user_agent, proxy, phase, severity, request | lookup local_file_inclusion_paths local_file_inclusion_paths AS request OUTPUT lfi_path | search lfi_path=yes | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `kubernetes_nginx_ingress_lfi_filter` - -[ESCU - Kubernetes Nginx Ingress RFI - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects remote file inclusion (RFI) attacks targeting Kubernetes Nginx ingress controllers. It leverages Kubernetes logs from the Nginx ingress controller, parsing fields such as `remote_addr`, `request`, and `url` to identify suspicious activity. This activity is significant because RFI attacks can allow attackers to execute arbitrary code or access sensitive files on the server. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or further compromise of the Kubernetes environment. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1212"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects remote file inclusion (RFI) attacks targeting Kubernetes Nginx ingress controllers. It leverages Kubernetes logs from the Nginx ingress controller, parsing fields such as `remote_addr`, `request`, and `url` to identify suspicious activity. This activity is significant because RFI attacks can allow attackers to execute arbitrary code or access sensitive files on the server. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or further compromise of the Kubernetes environment. -action.escu.how_to_implement = You must ingest Kubernetes logs through Splunk Connect for Kubernetes. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2024-05-19 -action.escu.modification_date = 2024-05-19 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Kubernetes Nginx Ingress RFI - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Kubernetes"] -action.escu.analytic_story = ["Dev Sec Ops"] -action.risk = 1 -action.risk.param._risk_message = Remote File Inclusion Attack detected on $host$ -action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "system", "risk_score": 49}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Kubernetes Nginx Ingress RFI - Rule -action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1212"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "fc5531ae-62fd-4de6-9c36-b4afdae8ca95", "detection_version": "4"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects remote file inclusion (RFI) attacks targeting Kubernetes Nginx ingress controllers. It leverages Kubernetes logs from the Nginx ingress controller, parsing fields such as `remote_addr`, `request`, and `url` to identify suspicious activity. This activity is significant because RFI attacks can allow attackers to execute arbitrary code or access sensitive files on the server. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or further compromise of the Kubernetes environment. -action.notable.param.rule_title = Kubernetes Nginx Ingress RFI -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `kubernetes_container_controller` | rex field=_raw "^(?\S+)\s+-\s+-\s+\[(?[^\]]*)\]\s\"(?[^\"]*)\"\s(?\S*)\s(?\S*)\s\"(?[^\"]*)\"\s\"(?[^\"]*)\"\s(?\S*)\s(?\S*)\s\[(?[^\]]*)\]\s\[(?[^\]]*)\]\s(?\S*)\s(?\S*)\s(?\S*)\s(?\S*)\s(?\S*)" | rex field=request "^(?\S+)?\s(?\S+)\s" | rex field=url "(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | search dest_ip=* | rename remote_addr AS src_ip, upstream_status as status, proxy_upstream_name as proxy | eval phase="operate" | eval severity="medium" | stats count min(_time) as firstTime max(_time) as lastTime by src_ip, dest_ip status, url, http_method, host, http_user_agent, proxy, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `kubernetes_nginx_ingress_rfi_filter` - -[ESCU - Kubernetes Node Port Creation - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the creation of a Kubernetes node port service, an action that exposes a service to the external network. It identifies this behavior by monitoring Kubernetes Audit logs for creation of a Node Port service. This behavior is worth identifying for a SOC as it could potentially allow an attacker to access internal services, posing a significant threat to the integrity and security of the Kubernetes infrastructure. The impact of such an attack could be severe, leading to data breaches, service disruptions, or unauthorized access to sensitive information. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects the creation of a Kubernetes node port service, an action that exposes a service to the external network. It identifies this behavior by monitoring Kubernetes Audit logs for creation of a Node Port service. This behavior is worth identifying for a SOC as it could potentially allow an attacker to access internal services, posing a significant threat to the integrity and security of the Kubernetes infrastructure. The impact of such an attack could be severe, leading to data breaches, service disruptions, or unauthorized access to sensitive information. -action.escu.how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-12-13 -action.escu.modification_date = 2023-12-13 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Kubernetes Node Port Creation - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Kubernetes"] -action.escu.analytic_story = ["Kubernetes Security"] -action.risk = 1 -action.risk.param._risk_message = Kubernetes node port creation from user $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Kubernetes Node Port Creation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Security"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "d7fc865e-b8a1-4029-a960-cf4403b821b6", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `kube_audit` "objectRef.resource"=services verb=create requestObject.spec.type=NodePort | fillnull | stats count values(user.groups{}) as user_groups by kind objectRef.name objectRef.namespace objectRef.resource requestObject.kind requestObject.spec.type responseStatus.code sourceIPs{} stage user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_node_port_creation_filter` - -[ESCU - Kubernetes Pod Created in Default Namespace - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the creation of pods in the default, kube-system, or kube-public namespaces. It identifies this behavior by monitoring Kubernetes audit logs for pod creation events in these namespaces. This behavior is worth identifying for a SOC as it may indicate an attacker attempting to hide their presence or evade defenses. Only administrators should typically create pods in the kube-system namespace, and the default and kube-public namespaces should not be used in production. The impact of the attack could be significant, as it may indicate a successful cluster breach and ongoing malicious activity. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects the creation of pods in the default, kube-system, or kube-public namespaces. It identifies this behavior by monitoring Kubernetes audit logs for pod creation events in these namespaces. This behavior is worth identifying for a SOC as it may indicate an attacker attempting to hide their presence or evade defenses. Only administrators should typically create pods in the kube-system namespace, and the default and kube-public namespaces should not be used in production. The impact of the attack could be significant, as it may indicate a successful cluster breach and ongoing malicious activity. -action.escu.how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-12-19 -action.escu.modification_date = 2023-12-19 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Kubernetes Pod Created in Default Namespace - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Kubernetes"] -action.escu.analytic_story = ["Kubernetes Security"] -action.risk = 1 -action.risk.param._risk_message = Kubernetes Pod Created in Default Namespace by $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Kubernetes Pod Created in Default Namespace - Rule -action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Security"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "3d6b1a81-367b-42d5-a925-6ef90b6b9f1e", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `kube_audit` objectRef.resource=pods verb=create objectRef.namespace IN ("default", "kube-system", "kube-public") | fillnull | stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} user.uid user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_pod_created_in_default_namespace_filter` - -[ESCU - Kubernetes Pod With Host Network Attachment - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the creation of a pod with host network attachment in Kubernetes. It identifies this behavior by monitoring Kubernetes Audit logs for the creation or update of pods with host network configuration. This behavior is worth identifying for a SOC as it could potentially allow an attacker to listen to all network traffic on the node and other compute on the network namespace, capturing secrets passed in arguments or connections to escalate their privileges. The impact of such an attack could be severe, leading to unauthorized access to sensitive information, data breaches, and service disruptions. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects the creation of a pod with host network attachment in Kubernetes. It identifies this behavior by monitoring Kubernetes Audit logs for the creation or update of pods with host network configuration. This behavior is worth identifying for a SOC as it could potentially allow an attacker to listen to all network traffic on the node and other compute on the network namespace, capturing secrets passed in arguments or connections to escalate their privileges. The impact of such an attack could be severe, leading to unauthorized access to sensitive information, data breaches, and service disruptions. -action.escu.how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-12-14 -action.escu.modification_date = 2023-12-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Kubernetes Pod With Host Network Attachment - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Kubernetes"] -action.escu.analytic_story = ["Kubernetes Security"] -action.risk = 1 -action.risk.param._risk_message = Kubernetes pod with host network attachment from user $user$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Kubernetes Pod With Host Network Attachment - Rule -action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Security"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "cce357cf-43a4-494a-814b-67cea90fe990", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `kube_audit` objectRef.resource=pods verb=create OR verb=update requestObject.metadata.annotations.kubectl.kubernetes.io/last-applied-configuration=*\"hostNetwork\":true* | fillnull | stats count values(user.groups{}) as user_groups by kind objectRef.name objectRef.namespace objectRef.resource requestObject.kind responseStatus.code sourceIPs{} stage user.username userAgent verb requestObject.metadata.annotations.kubectl.kubernetes.io/last-applied-configuration | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_pod_with_host_network_attachment_filter` - -[ESCU - Kubernetes Previously Unseen Container Image Name - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies containerised workloads that have been created using a previously unseen image. This detection leverages process metrics harvested using an OTEL collector and kubernetes cluster receiver, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247). This detection uses the k8s.container.ready metric to compare the container image names seen in the last 1 hour with those seen in the 30 days prior to those 1 hour, and alerts if a new container image is detected. When a container in a Kubernetes cluster created using a previously unseen image it raises potential security risks and unknown variables. Unfamiliar container images could contain vulnerabilities, malware, or misconfigurations that pose threats to the cluster's integrity and the applications it hosts. The absence of prior knowledge about the image makes it difficult to assess its trustworthiness, track its lineage, or verify its compliance with security policies. The potential security impact of a container created using a compromised image is significant. Compromised containers can potentially introduce malware, backdoors, or other malicious code into the containerized application, leading to data breaches, service disruptions, and unauthorized access within the Kubernetes cluster. A compromised image can serve as a foothold for lateral movement and privilege escalation, potentially compromising other containers, pods, or nodes in the cluster. Additionally, it may enable the actor to exfiltrate sensitive data, manipulate configurations, or execute arbitrary code, posing risks to the confidentiality, availability, and integrity of applications and data hosted within the cluster -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies containerised workloads that have been created using a previously unseen image. This detection leverages process metrics harvested using an OTEL collector and kubernetes cluster receiver, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247). This detection uses the k8s.container.ready metric to compare the container image names seen in the last 1 hour with those seen in the 30 days prior to those 1 hour, and alerts if a new container image is detected. When a container in a Kubernetes cluster created using a previously unseen image it raises potential security risks and unknown variables. Unfamiliar container images could contain vulnerabilities, malware, or misconfigurations that pose threats to the cluster's integrity and the applications it hosts. The absence of prior knowledge about the image makes it difficult to assess its trustworthiness, track its lineage, or verify its compliance with security policies. The potential security impact of a container created using a compromised image is significant. Compromised containers can potentially introduce malware, backdoors, or other malicious code into the containerized application, leading to data breaches, service disruptions, and unauthorized access within the Kubernetes cluster. A compromised image can serve as a foothold for lateral movement and privilege escalation, potentially compromising other containers, pods, or nodes in the cluster. Additionally, it may enable the actor to exfiltrate sensitive data, manipulate configurations, or execute arbitrary code, posing risks to the confidentiality, availability, and integrity of applications and data hosted within the cluster -action.escu.how_to_implement = To implement this detection, follow these steps: \ -* Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster. \ -* Enable the hostmetrics/process receiver in the OTEL configuration. \ -* Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled. \ -* Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247) \ -* Configure the SIM add-on with your Observability Cloud Organization ID and Access Token. \ -* Set up the SIM modular input to ingest Process Metrics. Name this input "sim_process_metrics_to_metrics_index". \ -* In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID. \ -* Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K') \ -* Set the Metric Resolution to 10000. \ -* Leave all other settings at their default values. \ -* Run the Search Baseline Of Kubernetes Container Network IO Ratio -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-12-18 -action.escu.modification_date = 2023-12-18 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Kubernetes Previously Unseen Container Image Name - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Kubernetes"] -action.escu.analytic_story = ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"] -action.risk = 1 -action.risk.param._risk_message = Kubernetes Previously Unseen Container Image Name on host $host$ -action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Kubernetes Previously Unseen Container Image Name - Rule -action.correlationsearch.annotations = {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "fea515a4-b1d8-4cd6-80d6-e0d71397b891", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | mstats count(k8s.container.ready) as k8s.container.ready_count where `kubernetes_metrics` AND earliest=-24h by host.name k8s.cluster.name k8s.node.name container.image.name | eval current="True" | append [mstats count(k8s.container.ready) as k8s.container.ready_count where `kubernetes_metrics` AND earliest=-30d latest=-1h by host.name k8s.cluster.name k8s.node.name container.image.name | eval current="false" ] | stats values(current) as current by host.name k8s.cluster.name k8s.node.name container.image.name | search current="true" AND current!="false" | rename host.name as host | `kubernetes_previously_unseen_container_image_name_filter` - -[ESCU - Kubernetes Previously Unseen Process - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This analytic detects newly seen process within the Kubernetes scope on a master or worker node. This detection leverages process metrics harvested using an OTEL collector and hostmetrics receiever, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247). This detection compares the processes seen for each node over the previous 1 hour with those over the previous 30 days up until the previous 1 hour. The specific metric used by this detection is process.memory.utilization. Newly seen processes on a Kubernetes worker node are concerning as they may represent security risks and anomalies that could be related to unauthorized activity. New processes may be introduced in an attempt to compromise the node or gain control of the Kubernetes cluster. By detecting these processes, they can be investigated, and correlated with other anomalous activity for that host. Newly seen processes may be part of an attacker's strategy to compromise the node, gain unauthorized access, and subsequently extend their control to the entire Kubernetes cluster. These processes could facilitate activities such as data exfiltration, privilege escalation, denial-of-service attacks, or the introduction of malware and backdoors, putting sensitive data, applications, and the entire infrastructure at risk. The consequences may include data breaches, service disruptions, financial losses, and reputational damage, underscoring the need to identify anomalous process and associate them with any concurrent risk activity. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic detects newly seen process within the Kubernetes scope on a master or worker node. This detection leverages process metrics harvested using an OTEL collector and hostmetrics receiever, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247). This detection compares the processes seen for each node over the previous 1 hour with those over the previous 30 days up until the previous 1 hour. The specific metric used by this detection is process.memory.utilization. Newly seen processes on a Kubernetes worker node are concerning as they may represent security risks and anomalies that could be related to unauthorized activity. New processes may be introduced in an attempt to compromise the node or gain control of the Kubernetes cluster. By detecting these processes, they can be investigated, and correlated with other anomalous activity for that host. Newly seen processes may be part of an attacker's strategy to compromise the node, gain unauthorized access, and subsequently extend their control to the entire Kubernetes cluster. These processes could facilitate activities such as data exfiltration, privilege escalation, denial-of-service attacks, or the introduction of malware and backdoors, putting sensitive data, applications, and the entire infrastructure at risk. The consequences may include data breaches, service disruptions, financial losses, and reputational damage, underscoring the need to identify anomalous process and associate them with any concurrent risk activity. -action.escu.how_to_implement = To implement this detection, follow these steps: \ -* Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster. \ -* Enable the hostmetrics/process receiver in the OTEL configuration. \ -* Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled. \ -* Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247) \ -* Configure the SIM add-on with your Observability Cloud Organization ID and Access Token. \ -* Set up the SIM modular input to ingest Process Metrics. Name this input "sim_process_metrics_to_metrics_index". \ -* In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID. \ -* Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K') \ -* Set the Metric Resolution to 10000. \ -* Leave all other settings at their default values. \ -* Run the Search Baseline Of Kubernetes Container Network IO Ratio -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-12-18 -action.escu.modification_date = 2023-12-18 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Kubernetes Previously Unseen Process - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Kubernetes"] -action.escu.analytic_story = ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"] -action.risk = 1 -action.risk.param._risk_message = Kubernetes Previously Unseen Process on host $host$ -action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Kubernetes Previously Unseen Process - Rule -action.correlationsearch.annotations = {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c8119b2f-d7f7-40be-940a-1c582870e8e2", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | mstats count(process.memory.utilization) as process.memory.utilization_count where `kubernetes_metrics` AND earliest=-1h by host.name k8s.cluster.name k8s.node.name process.executable.name | eval current="True" | append [mstats count(process.memory.utilization) as process.memory.utilization_count where `kubernetes_metrics` AND earliest=-30d latest=-1h by host.name k8s.cluster.name k8s.node.name process.executable.name ] | stats count values(current) as current by host.name k8s.cluster.name k8s.node.name process.executable.name | where count=1 and current="True" | rename host.name as host | `kubernetes_previously_unseen_process_filter` - -[ESCU - Kubernetes Process Running From New Path - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This analytic detects processes running within the same scope as Kubernetes that have been run from a newly seen path. This detection leverages process metrics harvested using an OTEL collector and hostmetrics receiever, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247). This detection compares the processes seen for each node over the previous 1 hour with those over the previous 30 days up until the previous 1 hour, and alerts if the path for that process was not seen over the previous 30 days. The specific metric used by this detection is process.memory.utilization. Processes running from a newly seen path can signify potential security risks and anomalies. A process executing from an unfamiliar file path may indicate unauthorized changes to the file system, a compromised node, or the introduction of malicious software. If the presence of a process running from a newly seen file path on a Kubernetes node indicates malicious activity, the security implications could be severe. It suggests that an attacker has potentially compromised the node, allowing them to execute unauthorized processes and potentially gain control over critical resources. This could lead to further exploitation, data exfiltration, privilege escalation, or the introduction of malware and backdoors within the Kubernetes cluster. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic detects processes running within the same scope as Kubernetes that have been run from a newly seen path. This detection leverages process metrics harvested using an OTEL collector and hostmetrics receiever, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247). This detection compares the processes seen for each node over the previous 1 hour with those over the previous 30 days up until the previous 1 hour, and alerts if the path for that process was not seen over the previous 30 days. The specific metric used by this detection is process.memory.utilization. Processes running from a newly seen path can signify potential security risks and anomalies. A process executing from an unfamiliar file path may indicate unauthorized changes to the file system, a compromised node, or the introduction of malicious software. If the presence of a process running from a newly seen file path on a Kubernetes node indicates malicious activity, the security implications could be severe. It suggests that an attacker has potentially compromised the node, allowing them to execute unauthorized processes and potentially gain control over critical resources. This could lead to further exploitation, data exfiltration, privilege escalation, or the introduction of malware and backdoors within the Kubernetes cluster. -action.escu.how_to_implement = To implement this detection, follow these steps: \ -* Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster. \ -* Enable the hostmetrics/process receiver in the OTEL configuration. \ -* Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled. \ -* Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247) \ -* Configure the SIM add-on with your Observability Cloud Organization ID and Access Token. \ -* Set up the SIM modular input to ingest Process Metrics. Name this input "sim_process_metrics_to_metrics_index". \ -* In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID. \ -* Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K') \ -* Set the Metric Resolution to 10000. \ -* Leave all other settings at their default values. \ -* Run the Search Baseline Of Kubernetes Container Network IO Ratio -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-12-18 -action.escu.modification_date = 2023-12-18 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Kubernetes Process Running From New Path - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Kubernetes"] -action.escu.analytic_story = ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"] -action.risk = 1 -action.risk.param._risk_message = Kubernetes Process Running From New Path on host $host$ -action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Kubernetes Process Running From New Path - Rule -action.correlationsearch.annotations = {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "454076fb-0e9e-4adf-b93a-da132621c5e6", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | mstats count(process.memory.utilization) as process.memory.utilization_count where `kubernetes_metrics` AND earliest=-1h by host.name k8s.cluster.name k8s.node.name process.pid process.executable.path process.executable.name | eval current="True" | append [ mstats count(process.memory.utilization) as process.memory.utilization_count where `kubernetes_metrics` AND earliest=-30d latest=-1h by host.name k8s.cluster.name k8s.node.name process.pid process.executable.path process.executable.name ] | stats count values(current) as current by host.name k8s.cluster.name k8s.node.name process.pid process.executable.name process.executable.path | where count=1 and current="True" | rename host.name as host | `kubernetes_process_running_from_new_path_filter` - -[ESCU - Kubernetes Process with Anomalous Resource Utilisation - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This analytic identifies high resource utilization anomalies in Kubernetes processes. It uses process metrics from an OTEL collector and hostmetrics receiver, fetched from Splunk Observability cloud via the Splunk Infrastructure Monitoring Add-on. The detection uses a lookup table with average and standard deviation values for various process metrics to identify anomalies. High resource utilization can indicate security threats or operational issues, such as cryptojacking, unauthorized data exfiltration, or compromised containers. These anomalies can disrupt services, exhaust resources, increase costs, and allow attackers to evade detection or maintain access. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic identifies high resource utilization anomalies in Kubernetes processes. It uses process metrics from an OTEL collector and hostmetrics receiver, fetched from Splunk Observability cloud via the Splunk Infrastructure Monitoring Add-on. The detection uses a lookup table with average and standard deviation values for various process metrics to identify anomalies. High resource utilization can indicate security threats or operational issues, such as cryptojacking, unauthorized data exfiltration, or compromised containers. These anomalies can disrupt services, exhaust resources, increase costs, and allow attackers to evade detection or maintain access. -action.escu.how_to_implement = To implement this detection, follow these steps: \ -* Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster. \ -* Enable the hostmetrics/process receiver in the OTEL configuration. \ -* Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled. \ -* Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247) \ -* Configure the SIM add-on with your Observability Cloud Organization ID and Access Token. \ -* Set up the SIM modular input to ingest Process Metrics. Name this input "sim_process_metrics_to_metrics_index". \ -* In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID. \ -* Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K') \ -* Set the Metric Resolution to 10000. \ -* Leave all other settings at their default values. \ -* Run the Search Baseline Of Kubernetes Container Network IO Ratio -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-12-18 -action.escu.modification_date = 2023-12-18 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Kubernetes Process with Anomalous Resource Utilisation - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Kubernetes"] -action.escu.analytic_story = ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"] -action.risk = 1 -action.risk.param._risk_message = Kubernetes Process with Anomalous Resource Utilisation on host $host$ -action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Kubernetes Process with Anomalous Resource Utilisation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "25ca9594-7a0d-4a95-a5e5-3228d7398ec8", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | mstats avg(process.*) as process.* where `kubernetes_metrics` by host.name k8s.cluster.name k8s.node.name process.executable.name span=10s | eval key = 'k8s.cluster.name' + ":" + 'host.name' + ":" + 'process.executable.name' | lookup k8s_process_resource_baseline key | fillnull | eval anomalies = "" | foreach stdev_* [ eval anomalies =if( '<>' > ('avg_<>' + 4 * 'stdev_<>'), anomalies + "<> higher than average by " + tostring(round(('<>' - 'avg_<>')/'stdev_<>' ,2)) + " Standard Deviations. <>=" + tostring('<>') + " avg_<>=" + tostring('avg_<>') + " 'stdev_<>'=" + tostring('stdev_<>') + ", " , anomalies) ] | eval anomalies = replace(anomalies, ",\s$", "") | where anomalies!="" | stats count values(anomalies) as anomalies by host.name k8s.cluster.name k8s.node.name process.executable.name | sort - count | where count > 5 | rename host.name as host | `kubernetes_process_with_anomalous_resource_utilisation_filter` - -[ESCU - Kubernetes Process with Resource Ratio Anomalies - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This analytic detects anomalously changes in the ratio between specific process resources on a Kubernetes node, based on the past behavior for each process running in the Kubernetes scope on that node. This detection leverages process metrics harvested using an OTEL collector and hostmetrics receiver, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247). This detection also leverages a lookup table that contains average and standard deviation for the cpu:disk operations, cpu:mem, cpu:thread count, disk operations:thread count, and mem:disk operations ratios. This is used to indicate an anomalous change in resource ratios that indicate the workload has changed behavior irrespective of load. Changes in the relationship between utilization of different resources can indicate a change in behavior of the monitored process, which can indicate a potentially compromised application. Deviations in resource ratios, such as memory-to-CPU or CPU-to-disk utilization, may signify compromised processes, malicious activity, or misconfigurations that could pose risks. A change in process behavior could signify a potential security breach within the Kubernetes environment, where an attacker may have compromised a process either on the node or running within a container. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic detects anomalously changes in the ratio between specific process resources on a Kubernetes node, based on the past behavior for each process running in the Kubernetes scope on that node. This detection leverages process metrics harvested using an OTEL collector and hostmetrics receiver, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247). This detection also leverages a lookup table that contains average and standard deviation for the cpu:disk operations, cpu:mem, cpu:thread count, disk operations:thread count, and mem:disk operations ratios. This is used to indicate an anomalous change in resource ratios that indicate the workload has changed behavior irrespective of load. Changes in the relationship between utilization of different resources can indicate a change in behavior of the monitored process, which can indicate a potentially compromised application. Deviations in resource ratios, such as memory-to-CPU or CPU-to-disk utilization, may signify compromised processes, malicious activity, or misconfigurations that could pose risks. A change in process behavior could signify a potential security breach within the Kubernetes environment, where an attacker may have compromised a process either on the node or running within a container. -action.escu.how_to_implement = To implement this detection, follow these steps: \ -* Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster. \ -* Enable the hostmetrics/process receiver in the OTEL configuration. \ -* Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled. \ -* Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247) \ -* Configure the SIM add-on with your Observability Cloud Organization ID and Access Token. \ -* Set up the SIM modular input to ingest Process Metrics. Name this input "sim_process_metrics_to_metrics_index". \ -* In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID. \ -* Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K') \ -* Set the Metric Resolution to 10000. \ -* Leave all other settings at their default values. \ -* Run the Search Baseline Of Kubernetes Container Network IO Ratio -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-12-18 -action.escu.modification_date = 2023-12-18 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Kubernetes Process with Resource Ratio Anomalies - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Kubernetes"] -action.escu.analytic_story = ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"] -action.risk = 1 -action.risk.param._risk_message = Kubernetes Process with Resource Ratio Anomalies on host $host$ -action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Kubernetes Process with Resource Ratio Anomalies - Rule -action.correlationsearch.annotations = {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "0d42b295-0f1f-4183-b75e-377975f47c65", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | mstats avg(process.*) as process.* where `kubernetes_metrics` by host.name k8s.cluster.name k8s.node.name process.executable.name span=10s | eval cpu:mem = 'process.cpu.utilization'/'process.memory.utilization' | eval cpu:disk = 'process.cpu.utilization'/'process.disk.operations' | eval mem:disk = 'process.memory.utilization'/'process.disk.operations' | eval cpu:threads = 'process.cpu.utilization'/'process.threads' | eval disk:threads = 'process.disk.operations'/'process.threads' | eval key = 'k8s.cluster.name' + ":" + 'host.name' + ":" + 'process.executable.name' | lookup k8s_process_resource_ratio_baseline key | fillnull | eval anomalies = "" | foreach stdev_* [ eval anomalies =if( '<>' > ('avg_<>' + 4 * 'stdev_<>'), anomalies + "<> ratio higher than average by " + tostring(round(('<>' - 'avg_<>')/'stdev_<>' ,2)) + " Standard Deviations. <>=" + tostring('<>') + " avg_<>=" + tostring('avg_<>') + " 'stdev_<>'=" + tostring('stdev_<>') + ", " , anomalies) ] | eval anomalies = replace(anomalies, ",\s$", "") | where anomalies!="" | stats count values(anomalies) as anomalies by host.name k8s.cluster.name k8s.node.name process.executable.name | where count > 5 | rename host.name as host | `kubernetes_process_with_resource_ratio_anomalies_filter` - -[ESCU - Kubernetes Scanner Image Pulling - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the pulling of known Kubernetes security scanner images such as kube-hunter, kube-bench, and kube-recon. It leverages Kubernetes logs ingested through Splunk Connect for Kubernetes, specifically monitoring for messages indicating the pulling of these images. This activity is significant because the use of security scanners can indicate an attempt to identify vulnerabilities within the Kubernetes environment. If confirmed malicious, this could lead to the discovery and exploitation of security weaknesses, potentially compromising the entire Kubernetes cluster. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects the pulling of known Kubernetes security scanner images such as kube-hunter, kube-bench, and kube-recon. It leverages Kubernetes logs ingested through Splunk Connect for Kubernetes, specifically monitoring for messages indicating the pulling of these images. This activity is significant because the use of security scanners can indicate an attempt to identify vulnerabilities within the Kubernetes environment. If confirmed malicious, this could lead to the discovery and exploitation of security weaknesses, potentially compromising the entire Kubernetes cluster. -action.escu.how_to_implement = You must ingest Kubernetes logs through Splunk Connect for Kubernetes. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2024-05-20 -action.escu.modification_date = 2024-05-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Kubernetes Scanner Image Pulling - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Kubernetes"] -action.escu.analytic_story = ["Dev Sec Ops"] -action.risk = 1 -action.risk.param._risk_message = Kubernetes Scanner image pulled on host $host$ -action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "system", "risk_score": 81}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Kubernetes Scanner Image Pulling - Rule -action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 13"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "4890cd6b-0112-4974-a272-c5c153aee551", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the pulling of known Kubernetes security scanner images such as kube-hunter, kube-bench, and kube-recon. It leverages Kubernetes logs ingested through Splunk Connect for Kubernetes, specifically monitoring for messages indicating the pulling of these images. This activity is significant because the use of security scanners can indicate an attempt to identify vulnerabilities within the Kubernetes environment. If confirmed malicious, this could lead to the discovery and exploitation of security weaknesses, potentially compromising the entire Kubernetes cluster. -action.notable.param.rule_title = Kubernetes Scanner Image Pulling -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `kube_objects_events` object.message IN ("Pulling image *kube-hunter*", "Pulling image *kube-bench*", "Pulling image *kube-recon*", "Pulling image *kube-recon*") | rename object.* AS * | rename involvedObject.* AS * | rename source.host AS host | eval phase="operate" | eval severity="high" | stats min(_time) as firstTime max(_time) as lastTime count by host, name, namespace, kind, reason, message, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `kubernetes_scanner_image_pulling_filter` - -[ESCU - Kubernetes Scanning by Unauthenticated IP Address - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This detection rule is designed to identify potential scanning activities within a Kubernetes environment. Scanning is a common preliminary step in an attack, where the attacker tries to gather information about the system to find potential vulnerabilities. In the context of Kubernetes, scanning could involve activities like unauthorized access attempts, probing public APIs, or trying to exploit known vulnerabilities. This rule triggers an alert when such suspicious activities are detected, helping to ensure the security of your Kubernetes infrastructure. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1046"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This detection rule is designed to identify potential scanning activities within a Kubernetes environment. Scanning is a common preliminary step in an attack, where the attacker tries to gather information about the system to find potential vulnerabilities. In the context of Kubernetes, scanning could involve activities like unauthorized access attempts, probing public APIs, or trying to exploit known vulnerabilities. This rule triggers an alert when such suspicious activities are detected, helping to ensure the security of your Kubernetes infrastructure. -action.escu.how_to_implement = You must ingest Kubernetes audit logs. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-12-07 -action.escu.modification_date = 2023-12-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Kubernetes Scanning by Unauthenticated IP Address - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Kubernetes"] -action.escu.analytic_story = ["Kubernetes Security"] -action.risk = 1 -action.risk.param._risk_message = Kubernetes scanning from ip $src_ip$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Kubernetes Scanning by Unauthenticated IP Address - Rule -action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Security"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1046"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "f9cadf4e-df22-4f4e-a08f-9d3344c2165d", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `kube_audit` "user.groups{}"="system:unauthenticated" "responseStatus.code"=403 | iplocation sourceIPs{} | stats count values(userAgent) as userAgent values(user.username) as user.username values(user.groups{}) as user.groups{} values(verb) as verb values(requestURI) as requestURI values(responseStatus.code) as responseStatus.code values(responseStatus.message) as responseStatus.message values(responseStatus.reason) as responseStatus.reason values(responseStatus.status) as responseStatus.status by sourceIPs{} Country City | where count > 5 | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_scanning_by_unauthenticated_ip_address_filter` - -[ESCU - Kubernetes Shell Running on Worker Node - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This analytic identifies shell activity within the Kubernetes privilege scope on a worker node, returning a list of shell processes regardless of CPU resource consumption. It uses process metrics from an OTEL collector hostmetrics receiver, pulled from Splunk Observability cloud via the Splunk Infrastructure Monitoring Add-on. Metrics used are process.cpu.utilization and process.memory.utilization. Shell processes can indicate unauthorized or suspicious activity, posing a security threat. Shell access to worker nodes can provide attackers an entry point to compromise the node and the entire Kubernetes cluster. Monitoring and detecting shell processes is crucial for anomaly identification, security policy enforcement, and breach mitigation. Unauthorized shell processes on a Kubernetes worker node can severely compromise the cluster's security and integrity. Such access can lead to data theft, service disruption, privilege escalation, lateral movement, and further attacks within the cluster. It may also enable attackers to manipulate configurations, deploy malicious containers, and execute arbitrary code, posing a severe risk to the confidentiality, availability, and integrity of applications and sensitive data. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic identifies shell activity within the Kubernetes privilege scope on a worker node, returning a list of shell processes regardless of CPU resource consumption. It uses process metrics from an OTEL collector hostmetrics receiver, pulled from Splunk Observability cloud via the Splunk Infrastructure Monitoring Add-on. Metrics used are process.cpu.utilization and process.memory.utilization. Shell processes can indicate unauthorized or suspicious activity, posing a security threat. Shell access to worker nodes can provide attackers an entry point to compromise the node and the entire Kubernetes cluster. Monitoring and detecting shell processes is crucial for anomaly identification, security policy enforcement, and breach mitigation. Unauthorized shell processes on a Kubernetes worker node can severely compromise the cluster's security and integrity. Such access can lead to data theft, service disruption, privilege escalation, lateral movement, and further attacks within the cluster. It may also enable attackers to manipulate configurations, deploy malicious containers, and execute arbitrary code, posing a severe risk to the confidentiality, availability, and integrity of applications and sensitive data. -action.escu.how_to_implement = To implement this detection, follow these steps: \ -* Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster. \ -* Enable the hostmetrics/process receiver in the OTEL configuration. \ -* Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled. \ -* Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247) \ -* Configure the SIM add-on with your Observability Cloud Organization ID and Access Token. \ -* Set up the SIM modular input to ingest Process Metrics. Name this input "sim_process_metrics_to_metrics_index". \ -* In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID. \ -* Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K') \ -* Set the Metric Resolution to 10000. \ -* Leave all other settings at their default values. \ -* Run the Search Baseline Of Kubernetes Container Network IO Ratio -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-12-18 -action.escu.modification_date = 2023-12-18 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Kubernetes Shell Running on Worker Node - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Kubernetes"] -action.escu.analytic_story = ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"] -action.risk = 1 -action.risk.param._risk_message = Kubernetes shell running on worker node on host $host$ -action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Kubernetes Shell Running on Worker Node - Rule -action.correlationsearch.annotations = {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "efebf0c4-dcf4-496f-85a2-5ab7ad8fa876", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | mstats avg(process.cpu.utilization) as process.cpu.utilization avg(process.memory.utilization) as process.memory.utilization where `kubernetes_metrics` AND process.executable.name IN ("sh","bash","csh", "tcsh") by host.name k8s.cluster.name k8s.node.name process.pid process.executable.name span=10s | search process.cpu.utilization>0 OR process.memory.utilization>0 | stats avg(process.cpu.utilization) as process.cpu.utilization avg(process.memory.utilization) as process.memory.utilization by host.name k8s.cluster.name k8s.node.name process.pid process.executable.name | rename host.name as host | `kubernetes_shell_running_on_worker_node_filter` - -[ESCU - Kubernetes Shell Running on Worker Node with CPU Activity - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This analytic identifies shell activity within the Kubernetes privilege scope on a worker node. It returns shell processes only if they're consuming CPU resources. The detection uses process metrics from an OTEL collector hostmetrics receiver, pulled from Splunk Observability cloud via the Splunk Infrastructure Monitoring Add-on. The metrics used are process.cpu.utilization and process.memory.utilization. Shell processes can indicate unauthorized activity, posing a security threat. Attackers could compromise the node and the entire Kubernetes cluster via shell access to worker nodes. Monitoring shell processes is crucial for anomaly detection, policy enforcement, and breach mitigation. Unauthorized shell processes on a Kubernetes worker node could severely impact the cluster's security and integrity. Attackers could gain full control over the host's resources and file system, compromising all hosted workloads and data. This access could lead to data theft, service disruption, privilege escalation, lateral movement, and further attacks within the cluster. Attackers could also manipulate configurations, deploy malicious containers, and execute arbitrary code, severely risking the confidentiality, availability, and integrity of applications and sensitive data. A rapid and comprehensive incident response is required to mitigate and recover from such a breach. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic identifies shell activity within the Kubernetes privilege scope on a worker node. It returns shell processes only if they're consuming CPU resources. The detection uses process metrics from an OTEL collector hostmetrics receiver, pulled from Splunk Observability cloud via the Splunk Infrastructure Monitoring Add-on. The metrics used are process.cpu.utilization and process.memory.utilization. Shell processes can indicate unauthorized activity, posing a security threat. Attackers could compromise the node and the entire Kubernetes cluster via shell access to worker nodes. Monitoring shell processes is crucial for anomaly detection, policy enforcement, and breach mitigation. Unauthorized shell processes on a Kubernetes worker node could severely impact the cluster's security and integrity. Attackers could gain full control over the host's resources and file system, compromising all hosted workloads and data. This access could lead to data theft, service disruption, privilege escalation, lateral movement, and further attacks within the cluster. Attackers could also manipulate configurations, deploy malicious containers, and execute arbitrary code, severely risking the confidentiality, availability, and integrity of applications and sensitive data. A rapid and comprehensive incident response is required to mitigate and recover from such a breach. -action.escu.how_to_implement = To implement this detection, follow these steps: \ -* Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster. \ -* Enable the hostmetrics/process receiver in the OTEL configuration. \ -* Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled. \ -* Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247) \ -* Configure the SIM add-on with your Observability Cloud Organization ID and Access Token. \ -* Set up the SIM modular input to ingest Process Metrics. Name this input "sim_process_metrics_to_metrics_index". \ -* In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID. \ -* Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K') \ -* Set the Metric Resolution to 10000. \ -* Leave all other settings at their default values. \ -* Run the Search Baseline Of Kubernetes Container Network IO Ratio -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-12-18 -action.escu.modification_date = 2023-12-18 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Kubernetes Shell Running on Worker Node with CPU Activity - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Kubernetes"] -action.escu.analytic_story = ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"] -action.risk = 1 -action.risk.param._risk_message = Kubernetes shell with cpu activity running on worker node on host $host$ -action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Kubernetes Shell Running on Worker Node with CPU Activity - Rule -action.correlationsearch.annotations = {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "cc1448e3-cc7a-4518-bc9f-2fa48f61a22b", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | mstats avg(process.cpu.utilization) as process.cpu.utilization avg(process.memory.utilization) as process.memory.utilization where `kubernetes_metrics` AND process.executable.name IN ("sh","bash","csh", "tcsh") by host.name k8s.cluster.name k8s.node.name process.pid process.executable.name span=10s | search process.cpu.utilization>0 | stats avg(process.cpu.utilization) as process.cpu.utilization avg(process.memory.utilization) as process.memory.utilization by host.name k8s.cluster.name k8s.node.name process.pid process.executable.name | rename host.name as host | `kubernetes_shell_running_on_worker_node_with_cpu_activity_filter` - -[ESCU - Kubernetes Suspicious Image Pulling - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects instances of suspicious image pulling in Kubernetes. It identifies this behavior by monitoring Kubernetes audit logs for image pull requests that do not match a predefined list of allowed images. This behavior is worth identifying for a SOC as it could indicate an attacker attempting to deploy malicious software or infiltrate the system. The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects instances of suspicious image pulling in Kubernetes. It identifies this behavior by monitoring Kubernetes audit logs for image pull requests that do not match a predefined list of allowed images. This behavior is worth identifying for a SOC as it could indicate an attacker attempting to deploy malicious software or infiltrate the system. The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data. -action.escu.how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-12-07 -action.escu.modification_date = 2023-12-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Kubernetes Suspicious Image Pulling - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Kubernetes"] -action.escu.analytic_story = ["Kubernetes Security"] -action.risk = 1 -action.risk.param._risk_message = Suspicious image $objectRef.name$ pulled in Kubernetes from ip $src_ip$ by user $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Kubernetes Suspicious Image Pulling - Rule -action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Security"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "4d3a17b3-0a6d-4ae0-9421-46623a69c122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `kube_audit` requestObject.message="Pulling image*" | search NOT `kube_allowed_images` | fillnull | stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} user.uid user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_suspicious_image_pulling_filter` - -[ESCU - Kubernetes Unauthorized Access - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects unauthorized access to Kubernetes by monitoring Kubernetes audit logs. It identifies anomalies in access patterns by segmenting and analyzing the source of requests. Unauthorized access is worth identifying for a SOC as it could indicate an attacker attempting to infiltrate the system. The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects unauthorized access to Kubernetes by monitoring Kubernetes audit logs. It identifies anomalies in access patterns by segmenting and analyzing the source of requests. Unauthorized access is worth identifying for a SOC as it could indicate an attacker attempting to infiltrate the system. The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data. -action.escu.how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-12-07 -action.escu.modification_date = 2023-12-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Kubernetes Unauthorized Access - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Kubernetes"] -action.escu.analytic_story = ["Kubernetes Security"] -action.risk = 1 -action.risk.param._risk_message = Unauthorized access to Kubernetes from user $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Kubernetes Unauthorized Access - Rule -action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Security"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "9b5f1832-e8b9-453f-93df-07a3d6a72a45", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `kube_audit` verb=create responseStatus.reason=Forbidden | fillnull | stats count by objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code responseStatus.message sourceIPs{} stage user.groups{} user.uid user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_unauthorized_access_filter` - -[ESCU - O365 Add App Role Assignment Grant User - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search is designed to detect the creation of a new Federation setting by alerting on a specific event associated with its creation. By monitoring for this event, the search can identify any instances where a Federation setting is being created within the system. This can help in detecting and monitoring any unauthorized or suspicious changes to the Federation settings, providing an additional layer of security for your environment. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This search is designed to detect the creation of a new Federation setting by alerting on a specific event associated with its creation. By monitoring for this event, the search can identify any instances where a Federation setting is being created within the system. This can help in detecting and monitoring any unauthorized or suspicious changes to the Federation settings, providing an additional layer of security for your environment. -action.escu.how_to_implement = You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity -action.escu.known_false_positives = The creation of a new Federation is not necessarily malicious, however this events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a different cloud provider. -action.escu.creation_date = 2023-07-11 -action.escu.modification_date = 2023-07-11 -action.escu.confidence = high -action.escu.full_search_name = ESCU - O365 Add App Role Assignment Grant User - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Office 365"] -action.escu.analytic_story = ["Cloud Federated Credential Abuse", "Office 365 Persistence Mechanisms"] -action.risk = 1 -action.risk.param._risk_message = User $user$ has created a new federation setting $modified_properties_name$ on $dest$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 18}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 18}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - O365 Add App Role Assignment Grant User - Rule -action.correlationsearch.annotations = {"analytic_story": ["Cloud Federated Credential Abuse", "Office 365 Persistence Mechanisms"], "cis20": ["CIS 10"], "confidence": 60, "impact": 30, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "b2c81cc6-6040-11eb-ae93-0242ac130002", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search is designed to detect the creation of a new Federation setting by alerting on a specific event associated with its creation. By monitoring for this event, the search can identify any instances where a Federation setting is being created within the system. This can help in detecting and monitoring any unauthorized or suspicious changes to the Federation settings, providing an additional layer of security for your environment. -action.notable.param.rule_title = O365 Add App Role Assignment Grant User -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `o365_management_activity` Workload=AzureActiveDirectory Operation="Add app role assignment grant to user." | stats count min(_time) as firstTime max(_time) as lastTime values(Actor{}.ID) as Actor.ID values(Actor{}.Type) as Actor.Type values(ModifiedProperties{}.Name) as modified_properties_name by user dest ResultStatus Operation | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_add_app_role_assignment_grant_user_filter` - -[ESCU - O365 Added Service Principal - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects addition of new service principal accounts added to O365 tenants. Attackers can abuse service principals in Office 365 (now known as Microsoft 365) to gain unauthorized access and perform malicious actions within an organization's environment. Service principals are essentially non-human accounts used by applications, services, or scripts to access resources and interact with APIs on behalf of the organization. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects addition of new service principal accounts added to O365 tenants. Attackers can abuse service principals in Office 365 (now known as Microsoft 365) to gain unauthorized access and perform malicious actions within an organization's environment. Service principals are essentially non-human accounts used by applications, services, or scripts to access resources and interact with APIs on behalf of the organization. -action.escu.how_to_implement = You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity -action.escu.known_false_positives = The creation of a new Federation is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a different cloud provider. -action.escu.creation_date = 2023-08-02 -action.escu.modification_date = 2023-08-02 -action.escu.confidence = high -action.escu.full_search_name = ESCU - O365 Added Service Principal - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Office 365"] -action.escu.analytic_story = ["Cloud Federated Credential Abuse", "NOBELIUM Group", "Office 365 Persistence Mechanisms"] -action.risk = 1 -action.risk.param._risk_message = User $src_user$ has created new service principal $new_value$ in AzureActiveDirectory -action.risk.param._risk = [{"risk_object_field": "src_user", "risk_object_type": "user", "risk_score": 42}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - O365 Added Service Principal - Rule -action.correlationsearch.annotations = {"analytic_story": ["Cloud Federated Credential Abuse", "NOBELIUM Group", "Office 365 Persistence Mechanisms"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "1668812a-6047-11eb-ae93-0242ac130002", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects addition of new service principal accounts added to O365 tenants. Attackers can abuse service principals in Office 365 (now known as Microsoft 365) to gain unauthorized access and perform malicious actions within an organization's environment. Service principals are essentially non-human accounts used by applications, services, or scripts to access resources and interact with APIs on behalf of the organization. -action.notable.param.rule_title = O365 Added Service Principal -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `o365_management_activity` Workload=AzureActiveDirectory Operation="*Add service principal*" OR (Operation = "*principal*" AND action = "created") | stats count values(ModifiedProperties{}.NewValue) as new_value by src_user src_user_type action Operation authentication_service Workload | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_added_service_principal_filter` - -[ESCU - O365 Admin Consent Bypassed by Service Principal - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This detection targets situations where a service principal in Office 365 Azure Active Directory assigns app roles without the standard admin consent, a potential security breach. Using o365_management_activity logs, it examines the 'Add app role assignment to service principal' operation, focusing on service principals and extracting details like role ID and description. This is critical for SOCs to detect potential bypassing of crucial administrative controls, which could lead to unauthorized access or privilege escalation. A true positive implies a service principal might be misusing automated processes to assign sensitive permissions. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098.003"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This detection targets situations where a service principal in Office 365 Azure Active Directory assigns app roles without the standard admin consent, a potential security breach. Using o365_management_activity logs, it examines the 'Add app role assignment to service principal' operation, focusing on service principals and extracting details like role ID and description. This is critical for SOCs to detect potential bypassing of crucial administrative controls, which could lead to unauthorized access or privilege escalation. A true positive implies a service principal might be misusing automated processes to assign sensitive permissions. -action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -action.escu.known_false_positives = Service Principals are sometimes configured to legitimately bypass the consent process for purposes of automation. Filter as needed. -action.escu.creation_date = 2024-02-09 -action.escu.modification_date = 2024-02-09 -action.escu.confidence = high -action.escu.full_search_name = ESCU - O365 Admin Consent Bypassed by Service Principal - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Office 365"] -action.escu.analytic_story = ["Office 365 Persistence Mechanisms"] -action.risk = 1 -action.risk.param._risk_message = Service principal $src_user$ bypassed the admin consent process and granted permissions to $dest_user$ -action.risk.param._risk = [{"risk_object_field": "dest_user", "risk_object_type": "user", "risk_score": 54}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - O365 Admin Consent Bypassed by Service Principal - Rule -action.correlationsearch.annotations = {"analytic_story": ["Office 365 Persistence Mechanisms"], "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098.003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "8a1b22eb-50ce-4e26-a691-97ff52349569", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This detection targets situations where a service principal in Office 365 Azure Active Directory assigns app roles without the standard admin consent, a potential security breach. Using o365_management_activity logs, it examines the 'Add app role assignment to service principal' operation, focusing on service principals and extracting details like role ID and description. This is critical for SOCs to detect potential bypassing of crucial administrative controls, which could lead to unauthorized access or privilege escalation. A true positive implies a service principal might be misusing automated processes to assign sensitive permissions. -action.notable.param.rule_title = O365 Admin Consent Bypassed by Service Principal -action.notable.param.security_domain = identity -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `o365_management_activity` Workload=AzureActiveDirectory Operation="Add app role assignment to service principal." | eval len=mvcount('Actor{}.ID') | eval userType = mvindex('Actor{}.ID',len-1) | eval roleId = mvindex('ModifiedProperties{}.NewValue', 0) | eval roleValue = mvindex('ModifiedProperties{}.NewValue', 1) | eval roleDescription = mvindex('ModifiedProperties{}.NewValue', 2) | eval dest_user = mvindex('Target{}.ID', 0) | search userType = "ServicePrincipal" | eval src_user = user | stats count earliest(_time) as firstTime latest(_time) as lastTime by src_user dest_user roleId roleValue roleDescription | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_admin_consent_bypassed_by_service_principal_filter` - -[ESCU - O365 Advanced Audit Disabled - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies instances where the O365 advanced audit is disabled for a specific user within the Office 365 tenant. It leverages O365 audit logs, specifically events related to audit license changes or modifications within the AzureActiveDirectory workloads. The O365 advanced audit provides granular logging and insights into user and administrator activities, making it a crucial tool for security monitoring and incident response. Disabling this audit for a user can blind security teams to potential malicious or unauthorized activities related to that user's mailbox or account. Attackers may disable these audits to obscure their actions and reduce the chances of detection. If an attacker successfully disables the O365 advanced audit for a user, they can operate within that user's mailbox or account with reduced risk of detection. This can lead to unauthorized data access, data exfiltration, account compromise, or other malicious activities without leaving a detailed audit trail. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562", "T1562.008"], "nist": ["DE.CM"]} -action.escu.data_models = ["Change"] -action.escu.eli5 = The following analytic identifies instances where the O365 advanced audit is disabled for a specific user within the Office 365 tenant. It leverages O365 audit logs, specifically events related to audit license changes or modifications within the AzureActiveDirectory workloads. The O365 advanced audit provides granular logging and insights into user and administrator activities, making it a crucial tool for security monitoring and incident response. Disabling this audit for a user can blind security teams to potential malicious or unauthorized activities related to that user's mailbox or account. Attackers may disable these audits to obscure their actions and reduce the chances of detection. If an attacker successfully disables the O365 advanced audit for a user, they can operate within that user's mailbox or account with reduced risk of detection. This can lead to unauthorized data access, data exfiltration, account compromise, or other malicious activities without leaving a detailed audit trail. -action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -action.escu.known_false_positives = Administrators might temporarily disable the advanced audit for troubleshooting, performance reasons, or other administrative tasks. Filter as needed. -action.escu.creation_date = 2023-09-19 -action.escu.modification_date = 2023-09-19 -action.escu.confidence = high -action.escu.full_search_name = ESCU - O365 Advanced Audit Disabled - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Office 365"] -action.escu.analytic_story = ["Office 365 Persistence Mechanisms"] -action.risk = 1 -action.risk.param._risk_message = Advanced auditing for user $object$ was disabled by $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 32}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - O365 Advanced Audit Disabled - Rule -action.correlationsearch.annotations = {"analytic_story": ["Office 365 Persistence Mechanisms"], "cis20": ["CIS 10"], "confidence": 80, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562", "T1562.008"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "49862dd4-9cb2-4c48-a542-8c8a588d9361", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies instances where the O365 advanced audit is disabled for a specific user within the Office 365 tenant. It leverages O365 audit logs, specifically events related to audit license changes or modifications within the AzureActiveDirectory workloads. The O365 advanced audit provides granular logging and insights into user and administrator activities, making it a crucial tool for security monitoring and incident response. Disabling this audit for a user can blind security teams to potential malicious or unauthorized activities related to that user's mailbox or account. Attackers may disable these audits to obscure their actions and reduce the chances of detection. If an attacker successfully disables the O365 advanced audit for a user, they can operate within that user's mailbox or account with reduced risk of detection. This can lead to unauthorized data access, data exfiltration, account compromise, or other malicious activities without leaving a detailed audit trail. -action.notable.param.rule_title = O365 Advanced Audit Disabled -action.notable.param.security_domain = identity -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `o365_management_activity` Operation="Change user license." | eval property_name = mvindex ('ExtendedProperties{}.Name', 1) | search property_name = "extendedAuditEventCategory" | eval additionalDetails = mvindex('ExtendedProperties{}.Value',0) | eval split_value=split(additionalDetails, "NewValue") | eval possible_plan=mvindex(split_value, 1) | rex field="possible_plan" "DisabledPlans=\[(?P[^\]]+)\]" | search DisabledPlans IN ("*M365_ADVANCED_AUDITING*") | stats min(_time) as firstTime max(_time) as lastTime by Operation user object DisabledPlans | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_advanced_audit_disabled_filter` - -[ESCU - O365 Application Registration Owner Added - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies instances where a new owner is assigned to an application registration within an Azure AD and Office 365 tenant. It leverages O365 audit logs, specifically events related to changes in owner assignments within the AzureActiveDirectory workload for application registrations. Assigning a new owner to an application registration can grant significant control over the application's configuration, permissions, and behavior. An unauthorized or inadvertent change in ownership can lead to misuse of the application, potentially affecting data access, user permissions, or the application's interactions within the tenant. Monitoring for such changes ensures that only legitimate and authorized personnel have control over application registrations. If an attacker successfully assigns themselves or a compromised account as an owner to an application registration, they can modify the application's settings, permissions, and behavior. This can lead to unauthorized data access, escalation of privileges, or the introduction of malicious behavior within the application's operations -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies instances where a new owner is assigned to an application registration within an Azure AD and Office 365 tenant. It leverages O365 audit logs, specifically events related to changes in owner assignments within the AzureActiveDirectory workload for application registrations. Assigning a new owner to an application registration can grant significant control over the application's configuration, permissions, and behavior. An unauthorized or inadvertent change in ownership can lead to misuse of the application, potentially affecting data access, user permissions, or the application's interactions within the tenant. Monitoring for such changes ensures that only legitimate and authorized personnel have control over application registrations. If an attacker successfully assigns themselves or a compromised account as an owner to an application registration, they can modify the application's settings, permissions, and behavior. This can lead to unauthorized data access, escalation of privileges, or the introduction of malicious behavior within the application's operations -action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -action.escu.known_false_positives = Application owners may be added for legitimate reasons, filter as needed. -action.escu.creation_date = 2023-09-07 -action.escu.modification_date = 2023-09-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - O365 Application Registration Owner Added - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Office 365"] -action.escu.analytic_story = ["NOBELIUM Group", "Office 365 Persistence Mechanisms"] -action.risk = 1 -action.risk.param._risk_message = Application registration $app_displayName$ was assigned a new owner $object$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 30}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - O365 Application Registration Owner Added - Rule -action.correlationsearch.annotations = {"analytic_story": ["NOBELIUM Group", "Office 365 Persistence Mechanisms"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c068d53f-6aaa-4558-8011-3734df878266", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies instances where a new owner is assigned to an application registration within an Azure AD and Office 365 tenant. It leverages O365 audit logs, specifically events related to changes in owner assignments within the AzureActiveDirectory workload for application registrations. Assigning a new owner to an application registration can grant significant control over the application's configuration, permissions, and behavior. An unauthorized or inadvertent change in ownership can lead to misuse of the application, potentially affecting data access, user permissions, or the application's interactions within the tenant. Monitoring for such changes ensures that only legitimate and authorized personnel have control over application registrations. If an attacker successfully assigns themselves or a compromised account as an owner to an application registration, they can modify the application's settings, permissions, and behavior. This can lead to unauthorized data access, escalation of privileges, or the introduction of malicious behavior within the application's operations -action.notable.param.rule_title = O365 Application Registration Owner Added -action.notable.param.security_domain = identity -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `o365_management_activity` Workload=AzureActiveDirectory Operation="Add owner to application." | eval app_id=mvindex('ModifiedProperties{}.NewValue', 0) | eval app_displayName=mvindex('ModifiedProperties{}.NewValue', 1) | stats max(_time) as lastTime values(ModifiedProperties{}.NewValue) by Operation, user, app_displayName, object | `security_content_ctime(lastTime)` | `o365_application_registration_owner_added_filter` - -[ESCU - O365 ApplicationImpersonation Role Assigned - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the assignment of the ApplicationImpersonation role in Office 365, either to a user or an application. This analytic leverages the Office 365 Management Activity API, specifically monitoring for events related to role assignments and changes within the Azure Active Directory audit logs. The ApplicationImpersonation role allows a security principal to impersonate any user within the organization and perform actions on their behalf, such as accessing or modifying their mailbox. This role, if misused or granted inappropriately, can pose a significant security risk. Monitoring the assignment of this role is crucial as it can be an indicator of potential malicious activity or misconfigurations. If an attacker successfully assigns the ApplicationImpersonation role to a malicious user or application, they can gain the ability to impersonate any user within the organization. This can lead to unauthorized access to sensitive information, manipulation of mailbox data, and other malicious actions. The attacker can effectively masquerade as a legitimate user, making their actions harder to detect and potentially causing significant harm to the organization. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098", "T1098.002"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies the assignment of the ApplicationImpersonation role in Office 365, either to a user or an application. This analytic leverages the Office 365 Management Activity API, specifically monitoring for events related to role assignments and changes within the Azure Active Directory audit logs. The ApplicationImpersonation role allows a security principal to impersonate any user within the organization and perform actions on their behalf, such as accessing or modifying their mailbox. This role, if misused or granted inappropriately, can pose a significant security risk. Monitoring the assignment of this role is crucial as it can be an indicator of potential malicious activity or misconfigurations. If an attacker successfully assigns the ApplicationImpersonation role to a malicious user or application, they can gain the ability to impersonate any user within the organization. This can lead to unauthorized access to sensitive information, manipulation of mailbox data, and other malicious actions. The attacker can effectively masquerade as a legitimate user, making their actions harder to detect and potentially causing significant harm to the organization. -action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -action.escu.known_false_positives = While infrequent, the ApplicationImpersonation role may be granted for leigimate reasons, filter as needed. -action.escu.creation_date = 2023-10-17 -action.escu.modification_date = 2023-10-17 -action.escu.confidence = high -action.escu.full_search_name = ESCU - O365 ApplicationImpersonation Role Assigned - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Office 365"] -action.escu.analytic_story = ["NOBELIUM Group", "Office 365 Collection Techniques", "Office 365 Persistence Mechanisms"] -action.risk = 1 -action.risk.param._risk_message = $user$ granted the ApplicationImpersonation role to $target_user$ -action.risk.param._risk = [{"risk_object_field": "target_user", "risk_object_type": "user", "risk_score": 56}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 56}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - O365 ApplicationImpersonation Role Assigned - Rule -action.correlationsearch.annotations = {"analytic_story": ["NOBELIUM Group", "Office 365 Collection Techniques", "Office 365 Persistence Mechanisms"], "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098", "T1098.002"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "49cdce75-f814-4d56-a7a4-c64ec3a481f2", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the assignment of the ApplicationImpersonation role in Office 365, either to a user or an application. This analytic leverages the Office 365 Management Activity API, specifically monitoring for events related to role assignments and changes within the Azure Active Directory audit logs. The ApplicationImpersonation role allows a security principal to impersonate any user within the organization and perform actions on their behalf, such as accessing or modifying their mailbox. This role, if misused or granted inappropriately, can pose a significant security risk. Monitoring the assignment of this role is crucial as it can be an indicator of potential malicious activity or misconfigurations. If an attacker successfully assigns the ApplicationImpersonation role to a malicious user or application, they can gain the ability to impersonate any user within the organization. This can lead to unauthorized access to sensitive information, manipulation of mailbox data, and other malicious actions. The attacker can effectively masquerade as a legitimate user, making their actions harder to detect and potentially causing significant harm to the organization. -action.notable.param.rule_title = O365 ApplicationImpersonation Role Assigned -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `o365_management_activity` Workload=Exchange Operation="New-ManagementRoleAssignment" Role=ApplicationImpersonation | rename User as target_user | stats max(_time) as lastTime by Operation, user, object, ObjectId, Role, target_user | `security_content_ctime(lastTime)` | `o365_applicationimpersonation_role_assigned_filter` - -[ESCU - O365 Block User Consent For Risky Apps Disabled - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic detects when the "risk-based step-up consent" security setting in Microsoft 365 is disabled. This setting, when enabled, prevents regular users from granting consent to potentially malicious OAuth applications, requiring an administrative "step-up" for consent instead. Disabling this feature could expose the organization to OAuth phishing threats.The detection operates by monitoring Azure Active Directory logs for events where the "Update authorization policy" operation is performed. It specifically looks for changes to the "AllowUserConsentForRiskyApps" setting, identifying instances where this setting is switched to "true," effectively disabling the risk-based step-up consent. Monitoring for changes to critical security settings like the "risk-based step-up consent" is vital for maintaining the integrity of an organization's security posture. Disabling this feature can make the environment more susceptible to OAuth phishing attacks, where attackers trick users into granting permissions to malicious applications. Identifying when this setting is disabled can help blue teams to quickly respond, investigate, and potentially uncover targeted phishing campaigns against their users. If an attacker successfully disables the "risk-based step-up consent" and subsequently launches an OAuth phishing campaign, they could gain unauthorized access to user data and other sensitive information within the M365 environment. This could lead to data breaches, unauthorized access to emails, and potentially further compromise within the organization. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562"], "nist": ["DE.CM"]} -action.escu.data_models = ["Risk"] -action.escu.eli5 = This analytic detects when the "risk-based step-up consent" security setting in Microsoft 365 is disabled. This setting, when enabled, prevents regular users from granting consent to potentially malicious OAuth applications, requiring an administrative "step-up" for consent instead. Disabling this feature could expose the organization to OAuth phishing threats.The detection operates by monitoring Azure Active Directory logs for events where the "Update authorization policy" operation is performed. It specifically looks for changes to the "AllowUserConsentForRiskyApps" setting, identifying instances where this setting is switched to "true," effectively disabling the risk-based step-up consent. Monitoring for changes to critical security settings like the "risk-based step-up consent" is vital for maintaining the integrity of an organization's security posture. Disabling this feature can make the environment more susceptible to OAuth phishing attacks, where attackers trick users into granting permissions to malicious applications. Identifying when this setting is disabled can help blue teams to quickly respond, investigate, and potentially uncover targeted phishing campaigns against their users. If an attacker successfully disables the "risk-based step-up consent" and subsequently launches an OAuth phishing campaign, they could gain unauthorized access to user data and other sensitive information within the M365 environment. This could lead to data breaches, unauthorized access to emails, and potentially further compromise within the organization. -action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -action.escu.known_false_positives = Legitimate changes to the 'risk-based step-up consent' setting by administrators, perhaps as part of a policy update or security assessment, may trigger this alert, necessitating verification of the change's intent and authorization. -action.escu.creation_date = 2023-10-26 -action.escu.modification_date = 2023-10-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - O365 Block User Consent For Risky Apps Disabled - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Office 365"] -action.escu.analytic_story = ["Office 365 Account Takeover"] -action.risk = 1 -action.risk.param._risk_message = Risk-based step-up consent security setting was disabled by $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 30}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - O365 Block User Consent For Risky Apps Disabled - Rule -action.correlationsearch.annotations = {"analytic_story": ["Office 365 Account Takeover"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "12a23592-e3da-4344-8545-205d3290647c", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic detects when the "risk-based step-up consent" security setting in Microsoft 365 is disabled. This setting, when enabled, prevents regular users from granting consent to potentially malicious OAuth applications, requiring an administrative "step-up" for consent instead. Disabling this feature could expose the organization to OAuth phishing threats.The detection operates by monitoring Azure Active Directory logs for events where the "Update authorization policy" operation is performed. It specifically looks for changes to the "AllowUserConsentForRiskyApps" setting, identifying instances where this setting is switched to "true," effectively disabling the risk-based step-up consent. Monitoring for changes to critical security settings like the "risk-based step-up consent" is vital for maintaining the integrity of an organization's security posture. Disabling this feature can make the environment more susceptible to OAuth phishing attacks, where attackers trick users into granting permissions to malicious applications. Identifying when this setting is disabled can help blue teams to quickly respond, investigate, and potentially uncover targeted phishing campaigns against their users. If an attacker successfully disables the "risk-based step-up consent" and subsequently launches an OAuth phishing campaign, they could gain unauthorized access to user data and other sensitive information within the M365 environment. This could lead to data breaches, unauthorized access to emails, and potentially further compromise within the organization. -action.notable.param.rule_title = O365 Block User Consent For Risky Apps Disabled -action.notable.param.security_domain = audit -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `o365_management_activity` Workload=AzureActiveDirectory Operation="Update authorization policy." | eval index_number = if(mvfind('ModifiedProperties{}.Name', "AllowUserConsentForRiskyApps") >= 0, mvfind('ModifiedProperties{}.Name', "AllowUserConsentForRiskyApps"), -1) | search index_number >= 0 | eval AllowUserConsentForRiskyApps = mvindex('ModifiedProperties{}.NewValue',index_number) | where AllowUserConsentForRiskyApps like "%true%" | stats count min(_time) as firstTime max(_time) as lastTime by user, Operation, AllowUserConsentForRiskyApps, user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_block_user_consent_for_risky_apps_disabled_filter` - -[ESCU - O365 Bypass MFA via Trusted IP - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic identifies instances where new IP addresses are added to the trusted IPs list in Office 365, potentially allowing users from these IPs to bypass Multi-Factor Authentication (MFA) during login. The detection leverages O365 audit logs, specifically focusing on events related to the modification of trusted IP settings. By monitoring these logs, the analytic captures and alerts on any addition of new trusted IPs. Adding trusted IPs to bypass MFA is a significant security concern. While there might be legitimate reasons to add trusted IPs, such as for a new office location, there's also a risk of attackers or malicious insiders using this to facilitate unauthorized access. Monitoring for changes to the trusted IP list helps ensure that any attempt to bypass MFA is legitimate and authorized. If the detection is a true positive, it suggests that users logging in from the newly added trusted IP can bypass MFA, potentially weakening the security posture of the organization. This could lead to unauthorized access, especially if the IP was added maliciously. Immediate investigation is required to validate the legitimacy of the IP addition and to assess potential security implications. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.007", "T1562"], "nist": ["DE.CM"]} -action.escu.data_models = ["Authentication"] -action.escu.eli5 = This analytic identifies instances where new IP addresses are added to the trusted IPs list in Office 365, potentially allowing users from these IPs to bypass Multi-Factor Authentication (MFA) during login. The detection leverages O365 audit logs, specifically focusing on events related to the modification of trusted IP settings. By monitoring these logs, the analytic captures and alerts on any addition of new trusted IPs. Adding trusted IPs to bypass MFA is a significant security concern. While there might be legitimate reasons to add trusted IPs, such as for a new office location, there's also a risk of attackers or malicious insiders using this to facilitate unauthorized access. Monitoring for changes to the trusted IP list helps ensure that any attempt to bypass MFA is legitimate and authorized. If the detection is a true positive, it suggests that users logging in from the newly added trusted IP can bypass MFA, potentially weakening the security posture of the organization. This could lead to unauthorized access, especially if the IP was added maliciously. Immediate investigation is required to validate the legitimacy of the IP addition and to assess potential security implications. -action.escu.how_to_implement = You must install Splunk Microsoft Office 365 add-on. This search works with o365:management:activity -action.escu.known_false_positives = Unless it is a special case, it is uncommon to continually update Trusted IPs to MFA configuration. -action.escu.creation_date = 2022-02-03 -action.escu.modification_date = 2022-02-03 -action.escu.confidence = high -action.escu.full_search_name = ESCU - O365 Bypass MFA via Trusted IP - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Office 365"] -action.escu.analytic_story = ["Office 365 Persistence Mechanisms"] -action.risk = 1 -action.risk.param._risk_message = User $user_id$ has added new IP addresses $ip_addresses_new_added$ to a list of trusted IPs to bypass MFA -action.risk.param._risk = [{"threat_object_field": "ip_addresses_new_added", "threat_object_type": "ip_address"}, {"risk_object_field": "user_id", "risk_object_type": "user", "risk_score": 42}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - O365 Bypass MFA via Trusted IP - Rule -action.correlationsearch.annotations = {"analytic_story": ["Office 365 Persistence Mechanisms"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.007", "T1562"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c783dd98-c703-4252-9e8a-f19d9f66949e", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic identifies instances where new IP addresses are added to the trusted IPs list in Office 365, potentially allowing users from these IPs to bypass Multi-Factor Authentication (MFA) during login. The detection leverages O365 audit logs, specifically focusing on events related to the modification of trusted IP settings. By monitoring these logs, the analytic captures and alerts on any addition of new trusted IPs. Adding trusted IPs to bypass MFA is a significant security concern. While there might be legitimate reasons to add trusted IPs, such as for a new office location, there's also a risk of attackers or malicious insiders using this to facilitate unauthorized access. Monitoring for changes to the trusted IP list helps ensure that any attempt to bypass MFA is legitimate and authorized. If the detection is a true positive, it suggests that users logging in from the newly added trusted IP can bypass MFA, potentially weakening the security posture of the organization. This could lead to unauthorized access, especially if the IP was added maliciously. Immediate investigation is required to validate the legitimacy of the IP addition and to assess potential security implications. -action.notable.param.rule_title = O365 Bypass MFA via Trusted IP -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `o365_management_activity` Operation="Set Company Information." ModifiedProperties{}.Name=StrongAuthenticationPolicy | rex max_match=100 field=ModifiedProperties{}.NewValue "(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/\d{1,2})" | rex max_match=100 field=ModifiedProperties{}.OldValue "(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/\d{1,2})" | eval ip_addresses_old=if(isnotnull(ip_addresses_old),ip_addresses_old,"0") | mvexpand ip_addresses_new_added | where isnull(mvfind(ip_addresses_old,ip_addresses_new_added)) |stats count min(_time) as firstTime max(_time) as lastTime values(ip_addresses_old) as ip_addresses_old by user ip_addresses_new_added Operation Workload vendor_account status user_id action | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `o365_bypass_mfa_via_trusted_ip_filter` - -[ESCU - O365 Compliance Content Search Exported - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This detection targets activities where the results of a content search within the Office 365 Security and Compliance Center are exported, a crucial phase in the compliance and investigative workflows. By focusing on the SearchExported operation logged under the SecurityComplianceCenter workload in the o365_management_activity, this analytic flags instances that potentially move sensitive or critical organizational data outside its original storage locations. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114", "T1114.002"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This detection targets activities where the results of a content search within the Office 365 Security and Compliance Center are exported, a crucial phase in the compliance and investigative workflows. By focusing on the SearchExported operation logged under the SecurityComplianceCenter workload in the o365_management_activity, this analytic flags instances that potentially move sensitive or critical organizational data outside its original storage locations. -action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -action.escu.known_false_positives = Compliance content searche exports may be executed for legitimate purposes, filter as needed. -action.escu.creation_date = 2024-04-01 -action.escu.modification_date = 2024-04-01 -action.escu.confidence = high -action.escu.full_search_name = ESCU - O365 Compliance Content Search Exported - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Office 365"] -action.escu.analytic_story = ["Office 365 Collection Techniques"] -action.risk = 1 -action.risk.param._risk_message = A new compliance content search export was started by $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 42}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - O365 Compliance Content Search Exported - Rule -action.correlationsearch.annotations = {"analytic_story": ["Office 365 Collection Techniques"], "cis20": ["CIS 10"], "confidence": 70, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114", "T1114.002"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "2ce9f31d-ab4f-4179-b2b7-c77a9652e1d8", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This detection targets activities where the results of a content search within the Office 365 Security and Compliance Center are exported, a crucial phase in the compliance and investigative workflows. By focusing on the SearchExported operation logged under the SecurityComplianceCenter workload in the o365_management_activity, this analytic flags instances that potentially move sensitive or critical organizational data outside its original storage locations. -action.notable.param.rule_title = O365 Compliance Content Search Exported -action.notable.param.security_domain = identity -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `o365_management_activity` Workload=SecurityComplianceCenter Operation="SearchExported" | rename user_id as user | stats count earliest(_time) as firstTime latest(_time) as lastTime by Operation, ObjectId, ExchangeLocations, user, Query |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `o365_compliance_content_search_exported_filter` - -[ESCU - O365 Compliance Content Search Started - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This detection will trigger when a content search is initiated within the Office 365 Security and Compliance Center, a critical component in the suite's governance, risk management, and compliance (GRC) capabilities. By monitoring the SearchCreated operation within the o365_management_activity logs, specifically under the SecurityComplianceCenter workload, this analytic flags the commencement of searches across the organization's data, including emails, documents, and more, that reside in ExchangeLocations. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114", "T1114.002"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This detection will trigger when a content search is initiated within the Office 365 Security and Compliance Center, a critical component in the suite's governance, risk management, and compliance (GRC) capabilities. By monitoring the SearchCreated operation within the o365_management_activity logs, specifically under the SecurityComplianceCenter workload, this analytic flags the commencement of searches across the organization's data, including emails, documents, and more, that reside in ExchangeLocations. -action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -action.escu.known_false_positives = Compliance content searches may be executed for legitimate purposes, filter as needed. -action.escu.creation_date = 2024-04-01 -action.escu.modification_date = 2024-04-01 -action.escu.confidence = high -action.escu.full_search_name = ESCU - O365 Compliance Content Search Started - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Office 365"] -action.escu.analytic_story = ["Office 365 Collection Techniques"] -action.risk = 1 -action.risk.param._risk_message = A new compliance content search was started by $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 42}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - O365 Compliance Content Search Started - Rule -action.correlationsearch.annotations = {"analytic_story": ["Office 365 Collection Techniques"], "cis20": ["CIS 10"], "confidence": 70, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114", "T1114.002"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "f4cabbc7-c19a-4e41-8be5-98daeaccbb50", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This detection will trigger when a content search is initiated within the Office 365 Security and Compliance Center, a critical component in the suite's governance, risk management, and compliance (GRC) capabilities. By monitoring the SearchCreated operation within the o365_management_activity logs, specifically under the SecurityComplianceCenter workload, this analytic flags the commencement of searches across the organization's data, including emails, documents, and more, that reside in ExchangeLocations. -action.notable.param.rule_title = O365 Compliance Content Search Started -action.notable.param.security_domain = audit -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `o365_management_activity` Workload=SecurityComplianceCenter Operation=SearchCreated | rename user_id as user | stats count earliest(_time) as firstTime latest(_time) as lastTime by Operation, ObjectId, ExchangeLocations, user, Query |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `o365_compliance_content_search_started_filter` - -[ESCU - O365 Concurrent Sessions From Different Ips - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identies scenarios where the same user session is accessed from multiple IP addresses. This situation typically arises in an adversary-in-the-middle (AiTM) phishing attack, where attackers compromise user sessions. The detection method involves analyzing Azure Active Directory logs for 'UserLoggedIn' operations. It focuses on identifying sessions where the number of associated IP addresses exceeds one for the same SessionId. This pattern suggests potential unauthorized concurrent access, which is atypical under normal usage scenarios. If a true positive is identified, it implies that an adversary has gained unauthorized access to a user's Office 365 account. The ramifications of this can be significant, including data theft, account takeover, and launching of internal phishing campaigns. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1185"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identies scenarios where the same user session is accessed from multiple IP addresses. This situation typically arises in an adversary-in-the-middle (AiTM) phishing attack, where attackers compromise user sessions. The detection method involves analyzing Azure Active Directory logs for 'UserLoggedIn' operations. It focuses on identifying sessions where the number of associated IP addresses exceeds one for the same SessionId. This pattern suggests potential unauthorized concurrent access, which is atypical under normal usage scenarios. If a true positive is identified, it implies that an adversary has gained unauthorized access to a user's Office 365 account. The ramifications of this can be significant, including data theft, account takeover, and launching of internal phishing campaigns. -action.escu.how_to_implement = You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity -action.escu.known_false_positives = Unknown -action.escu.creation_date = 2023-12-04 -action.escu.modification_date = 2023-12-04 -action.escu.confidence = high -action.escu.full_search_name = ESCU - O365 Concurrent Sessions From Different Ips - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Office 365"] -action.escu.analytic_story = ["Office 365 Account Takeover"] -action.risk = 1 -action.risk.param._risk_message = User $user$ has logged in with the same session id from more than one unique IP address -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 42}, {"threat_object_field": "ips", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - O365 Concurrent Sessions From Different Ips - Rule -action.correlationsearch.annotations = {"analytic_story": ["Office 365 Account Takeover"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1185"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "58e034de-1f87-4812-9dc3-a4f68c7db930", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identies scenarios where the same user session is accessed from multiple IP addresses. This situation typically arises in an adversary-in-the-middle (AiTM) phishing attack, where attackers compromise user sessions. The detection method involves analyzing Azure Active Directory logs for 'UserLoggedIn' operations. It focuses on identifying sessions where the number of associated IP addresses exceeds one for the same SessionId. This pattern suggests potential unauthorized concurrent access, which is atypical under normal usage scenarios. If a true positive is identified, it implies that an adversary has gained unauthorized access to a user's Office 365 account. The ramifications of this can be significant, including data theft, account takeover, and launching of internal phishing campaigns. -action.notable.param.rule_title = O365 Concurrent Sessions From Different Ips -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoggedIn | stats min(_time) as firstTime max(_time) as lastTime values(src_ip) as ips values(user_agent) as user_agents by Operation, user, SessionId | where mvcount(ips) > 1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_concurrent_sessions_from_different_ips_filter` - -[ESCU - O365 Disable MFA - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic identifies instances where Multi-Factor Authentication (MFA) is disabled for a user within the Office 365 environment. Disabling MFA removes a critical security layer, making accounts more vulnerable to unauthorized access. The detection leverages O365 audit logs, specifically focusing on events related to MFA settings. By monitoring these logs, the analytic captures and alerts on any actions that result in the deactivation or disabling of MFA for a user. MFA is a cornerstone of modern security practices, providing an additional layer of protection beyond just a password. Disabling MFA, especially without a valid reason, poses a significant security risk. Attackers, after gaining initial access to an account, might disable MFA to ensure easier re-entry and persistence. Monitoring for such changes is crucial to detect potential security breaches and to ensure that security best practices are consistently applied. If the detection is a true positive, it indicates that a user's account is now at increased risk of unauthorized access, as the added security layer of MFA has been removed. This could be a sign of an attacker trying to maintain persistence or an insider threat. Immediate investigation is required to validate the reason for disabling MFA, potentially re-enable it, and assess any other suspicious activities related to the affected account. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1556"], "nist": ["DE.CM"]} -action.escu.data_models = ["Authentication"] -action.escu.eli5 = This analytic identifies instances where Multi-Factor Authentication (MFA) is disabled for a user within the Office 365 environment. Disabling MFA removes a critical security layer, making accounts more vulnerable to unauthorized access. The detection leverages O365 audit logs, specifically focusing on events related to MFA settings. By monitoring these logs, the analytic captures and alerts on any actions that result in the deactivation or disabling of MFA for a user. MFA is a cornerstone of modern security practices, providing an additional layer of protection beyond just a password. Disabling MFA, especially without a valid reason, poses a significant security risk. Attackers, after gaining initial access to an account, might disable MFA to ensure easier re-entry and persistence. Monitoring for such changes is crucial to detect potential security breaches and to ensure that security best practices are consistently applied. If the detection is a true positive, it indicates that a user's account is now at increased risk of unauthorized access, as the added security layer of MFA has been removed. This could be a sign of an attacker trying to maintain persistence or an insider threat. Immediate investigation is required to validate the reason for disabling MFA, potentially re-enable it, and assess any other suspicious activities related to the affected account. -action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 add-on. This search works with o365:management:activity -action.escu.known_false_positives = Unless it is a special case, it is uncommon to disable MFA or Strong Authentication -action.escu.creation_date = 2022-02-03 -action.escu.modification_date = 2022-02-03 -action.escu.confidence = high -action.escu.full_search_name = ESCU - O365 Disable MFA - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Office 365"] -action.escu.analytic_story = ["Office 365 Persistence Mechanisms"] -action.risk = 1 -action.risk.param._risk_message = User $src_user$ has executed an operation $action$ for user $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - O365 Disable MFA - Rule -action.correlationsearch.annotations = {"analytic_story": ["Office 365 Persistence Mechanisms"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1556"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c783dd98-c703-4252-9e8a-f19d9f5c949e", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic identifies instances where Multi-Factor Authentication (MFA) is disabled for a user within the Office 365 environment. Disabling MFA removes a critical security layer, making accounts more vulnerable to unauthorized access. The detection leverages O365 audit logs, specifically focusing on events related to MFA settings. By monitoring these logs, the analytic captures and alerts on any actions that result in the deactivation or disabling of MFA for a user. MFA is a cornerstone of modern security practices, providing an additional layer of protection beyond just a password. Disabling MFA, especially without a valid reason, poses a significant security risk. Attackers, after gaining initial access to an account, might disable MFA to ensure easier re-entry and persistence. Monitoring for such changes is crucial to detect potential security breaches and to ensure that security best practices are consistently applied. If the detection is a true positive, it indicates that a user's account is now at increased risk of unauthorized access, as the added security layer of MFA has been removed. This could be a sign of an attacker trying to maintain persistence or an insider threat. Immediate investigation is required to validate the reason for disabling MFA, potentially re-enable it, and assess any other suspicious activities related to the affected account. -action.notable.param.rule_title = O365 Disable MFA -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `o365_management_activity` Operation="Disable Strong Authentication." | stats count earliest(_time) as firstTime latest(_time) as lastTime by UserType Operation UserId ResultStatus object | rename UserType AS user_type, Operation AS action, UserId AS src_user, object AS user, ResultStatus AS result | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_disable_mfa_filter` - -[ESCU - O365 Elevated Mailbox Permission Assigned - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This detection triggers on the assignment of elevated mailbox permissions within an Office 365 environment, specifically through the Add-MailboxPermission operation, as logged under the Exchange workload in the o365_management_activity. It is meticulously designed to spotlight instances where critical permissions such as FullAccess, ChangePermission, or ChangeOwner are granted, marking significant alterations in mailbox access controls. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098", "T1098.002"], "nist": ["DE.CM"]} -action.escu.data_models = ["Change"] -action.escu.eli5 = This detection triggers on the assignment of elevated mailbox permissions within an Office 365 environment, specifically through the Add-MailboxPermission operation, as logged under the Exchange workload in the o365_management_activity. It is meticulously designed to spotlight instances where critical permissions such as FullAccess, ChangePermission, or ChangeOwner are granted, marking significant alterations in mailbox access controls. -action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -action.escu.known_false_positives = FullAccess mailbox delegation may be assigned for legitimate purposes, filter as needed. -action.escu.creation_date = 2024-03-31 -action.escu.modification_date = 2024-03-31 -action.escu.confidence = high -action.escu.full_search_name = ESCU - O365 Elevated Mailbox Permission Assigned - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Office 365"] -action.escu.analytic_story = ["Office 365 Collection Techniques"] -action.risk = 1 -action.risk.param._risk_message = Elevated mailbox permissions were assigned on $dest_user$ -action.risk.param._risk = [{"risk_object_field": "dest_user", "risk_object_type": "user", "risk_score": 42}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - O365 Elevated Mailbox Permission Assigned - Rule -action.correlationsearch.annotations = {"analytic_story": ["Office 365 Collection Techniques"], "cis20": ["CIS 10"], "confidence": 70, "impact": 60, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098", "T1098.002"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "2246c142-a678-45f8-8546-aaed7e0efd30", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This detection triggers on the assignment of elevated mailbox permissions within an Office 365 environment, specifically through the Add-MailboxPermission operation, as logged under the Exchange workload in the o365_management_activity. It is meticulously designed to spotlight instances where critical permissions such as FullAccess, ChangePermission, or ChangeOwner are granted, marking significant alterations in mailbox access controls. -action.notable.param.rule_title = O365 Elevated Mailbox Permission Assigned -action.notable.param.security_domain = audit -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `o365_management_activity` Workload=Exchange Operation=Add-MailboxPermission | search (AccessRights=FullAccess OR AccessRights=ChangePermission OR AccessRights=ChangeOwner) | rename Identity AS dest_user | stats count earliest(_time) as firstTime latest(_time) as lastTime by user dest_user Operation AccessRights |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `o365_elevated_mailbox_permission_assigned_filter` - -[ESCU - O365 Excessive Authentication Failures Alert - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies an excessive number of authentication failures, including failed attempts against MFA prompt codes. It uses data from the `o365_management_activity` dataset, focusing on events where the authentication status is marked as failure. This behavior is significant as it may indicate a brute force attack or an attempt to compromise user accounts. If confirmed malicious, this activity could lead to unauthorized access, data breaches, or further exploitation within the environment. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110"], "nist": ["DE.AE"]} -action.escu.data_models = ["Authentication"] -action.escu.eli5 = The following analytic identifies an excessive number of authentication failures, including failed attempts against MFA prompt codes. It uses data from the `o365_management_activity` dataset, focusing on events where the authentication status is marked as failure. This behavior is significant as it may indicate a brute force attack or an attempt to compromise user accounts. If confirmed malicious, this activity could lead to unauthorized access, data breaches, or further exploitation within the environment. -action.escu.how_to_implement = You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity -action.escu.known_false_positives = The threshold for alert is above 10 attempts and this should reduce the number of false positives. -action.escu.creation_date = 2024-05-18 -action.escu.modification_date = 2024-05-18 -action.escu.confidence = high -action.escu.full_search_name = ESCU - O365 Excessive Authentication Failures Alert - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Office 365"] -action.escu.analytic_story = ["Office 365 Account Takeover"] -action.risk = 1 -action.risk.param._risk_message = User $user$ has caused excessive number of authentication failures from $src_ip$ using UserAgent $UserAgent$. -action.risk.param._risk = [{"threat_object_field": "src_ip", "threat_object_type": "ip_address"}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - O365 Excessive Authentication Failures Alert - Rule -action.correlationsearch.annotations = {"analytic_story": ["Office 365 Account Takeover"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "d441364c-349c-453b-b55f-12eccab67cf9", "detection_version": "3"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `o365_management_activity` Workload=AzureActiveDirectory UserAuthenticationMethod=* status=failure | stats count earliest(_time) AS firstTime latest(_time) AS lastTime values(UserAuthenticationMethod) AS UserAuthenticationMethod values(UserAgent) AS UserAgent values(status) AS status values(src_ip) AS src_ip by user | where count > 10 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_excessive_authentication_failures_alert_filter` - -[ESCU - O365 Excessive SSO logon errors - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects accounts experiencing a high number of Single Sign-On (SSO) logon errors. It leverages data from the `o365_management_activity` dataset, focusing on failed user login attempts with SSO errors. This activity is significant as it may indicate brute-force attempts or the hijacking/reuse of SSO tokens. If confirmed malicious, attackers could potentially gain unauthorized access to user accounts, leading to data breaches, privilege escalation, or further lateral movement within the organization. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1556"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects accounts experiencing a high number of Single Sign-On (SSO) logon errors. It leverages data from the `o365_management_activity` dataset, focusing on failed user login attempts with SSO errors. This activity is significant as it may indicate brute-force attempts or the hijacking/reuse of SSO tokens. If confirmed malicious, attackers could potentially gain unauthorized access to user accounts, leading to data breaches, privilege escalation, or further lateral movement within the organization. -action.escu.how_to_implement = You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity -action.escu.known_false_positives = Logon errors may not be malicious in nature however it may indicate attempts to reuse a token or password obtained via credential access attack. -action.escu.creation_date = 2024-05-17 -action.escu.modification_date = 2024-05-17 -action.escu.confidence = high -action.escu.full_search_name = ESCU - O365 Excessive SSO logon errors - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Office 365"] -action.escu.analytic_story = ["Cloud Federated Credential Abuse", "Office 365 Account Takeover"] -action.risk = 1 -action.risk.param._risk_message = Excessive number of SSO logon errors from $src_ip$ using UserAgent $user_agent$. -action.risk.param._risk = [{"threat_object_field": "src_ip", "threat_object_type": "ip_address"}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - O365 Excessive SSO logon errors - Rule -action.correlationsearch.annotations = {"analytic_story": ["Cloud Federated Credential Abuse", "Office 365 Account Takeover"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1556"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "8158ccc4-6038-11eb-ae93-0242ac130002", "detection_version": "4"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `o365_management_activity` Workload=AzureActiveDirectory LogonError=*Sso* Operation=UserLoginFailed | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip signature user_agent authentication_service action| where count >= 5 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_excessive_sso_logon_errors_filter` - -[ESCU - O365 File Permissioned Application Consent Granted by User - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic identifies instances where a user in the Office 365 environment grants consent to an application that requests file permissions, specifically targeting OneDrive or SharePoint. Such permissions mean the application could potentially access, modify, or delete files stored within these services. The detection process leverages O365 audit logs, particularly focusing on events related to OAuth application consents. By examining these logs, the analytic is designed to capture and alert on any actions where users grant consent to applications requesting file-related permissions for OneDrive or SharePoint. The sensitivity of file permissions, especially in platforms as widely utilized as OneDrive and SharePoint, cannot be overstated. While many legitimate applications might require such permissions to operate, there's an inherent risk with malicious or overly permissive applications. Attackers could craft or exploit applications to gain file permissions, aiming to access, exfiltrate, or manipulate sensitive data housed in OneDrive or SharePoint. It's crucial for security operations centers to monitor these consents to ensure that only trustworthy applications gain access and that users aren't inadvertently granting permissions to potentially harmful applications. If this detection flags a true positive, it indicates that an application has been granted permissions that could allow it to interact with OneDrive or SharePoint files in potentially malicious ways. Such actions could lead to data breaches, data loss, or unauthorized data manipulation. Immediate investigation would be required to validate the application's legitimacy, understand the nature of its requested permissions, and assess the potential risks associated with the access it's been granted. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1528"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic identifies instances where a user in the Office 365 environment grants consent to an application that requests file permissions, specifically targeting OneDrive or SharePoint. Such permissions mean the application could potentially access, modify, or delete files stored within these services. The detection process leverages O365 audit logs, particularly focusing on events related to OAuth application consents. By examining these logs, the analytic is designed to capture and alert on any actions where users grant consent to applications requesting file-related permissions for OneDrive or SharePoint. The sensitivity of file permissions, especially in platforms as widely utilized as OneDrive and SharePoint, cannot be overstated. While many legitimate applications might require such permissions to operate, there's an inherent risk with malicious or overly permissive applications. Attackers could craft or exploit applications to gain file permissions, aiming to access, exfiltrate, or manipulate sensitive data housed in OneDrive or SharePoint. It's crucial for security operations centers to monitor these consents to ensure that only trustworthy applications gain access and that users aren't inadvertently granting permissions to potentially harmful applications. If this detection flags a true positive, it indicates that an application has been granted permissions that could allow it to interact with OneDrive or SharePoint files in potentially malicious ways. Such actions could lead to data breaches, data loss, or unauthorized data manipulation. Immediate investigation would be required to validate the application's legitimacy, understand the nature of its requested permissions, and assess the potential risks associated with the access it's been granted. -action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -action.escu.known_false_positives = OAuth applications that require file permissions may be legitimate, investigate and filter as needed. -action.escu.creation_date = 2023-10-18 -action.escu.modification_date = 2023-10-18 -action.escu.confidence = high -action.escu.full_search_name = ESCU - O365 File Permissioned Application Consent Granted by User - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Office 365"] -action.escu.analytic_story = ["Office 365 Account Takeover"] -action.risk = 1 -action.risk.param._risk_message = User $user$ consented an OAuth application that requests file-related permissions. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 40}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - O365 File Permissioned Application Consent Granted by User - Rule -action.correlationsearch.annotations = {"analytic_story": ["Office 365 Account Takeover"], "cis20": ["CIS 10"], "confidence": 50, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1528"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "6c382336-22b8-4023-9b80-1689e799f21f", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic identifies instances where a user in the Office 365 environment grants consent to an application that requests file permissions, specifically targeting OneDrive or SharePoint. Such permissions mean the application could potentially access, modify, or delete files stored within these services. The detection process leverages O365 audit logs, particularly focusing on events related to OAuth application consents. By examining these logs, the analytic is designed to capture and alert on any actions where users grant consent to applications requesting file-related permissions for OneDrive or SharePoint. The sensitivity of file permissions, especially in platforms as widely utilized as OneDrive and SharePoint, cannot be overstated. While many legitimate applications might require such permissions to operate, there's an inherent risk with malicious or overly permissive applications. Attackers could craft or exploit applications to gain file permissions, aiming to access, exfiltrate, or manipulate sensitive data housed in OneDrive or SharePoint. It's crucial for security operations centers to monitor these consents to ensure that only trustworthy applications gain access and that users aren't inadvertently granting permissions to potentially harmful applications. If this detection flags a true positive, it indicates that an application has been granted permissions that could allow it to interact with OneDrive or SharePoint files in potentially malicious ways. Such actions could lead to data breaches, data loss, or unauthorized data manipulation. Immediate investigation would be required to validate the application's legitimacy, understand the nature of its requested permissions, and assess the potential risks associated with the access it's been granted. -action.notable.param.rule_title = O365 File Permissioned Application Consent Granted by User -action.notable.param.security_domain = identity -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `o365_management_activity` Workload=AzureActiveDirectory Operation="Consent to application." ResultStatus=Success | eval admin_consent =mvindex('ModifiedProperties{}.NewValue', 0) | search admin_consent=False | eval permissions =mvindex('ModifiedProperties{}.NewValue', 4) | rex field=permissions "Scope: (?[^,]+)" | makemv delim=" " Scope | search Scope IN ("Files.Read", "Files.Read.All", "Files.ReadWrite", "Files.ReadWrite.All", "Files.ReadWrite.AppFolder") | stats max(_time) as lastTime values(Scope) by Operation, user, object, ObjectId | `security_content_ctime(lastTime)` | `o365_file_permissioned_application_consent_granted_by_user_filter` - -[ESCU - O365 FullAccessAsApp Permission Assigned - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic triggers on the assignment of the 'full_access_as_app' permission to an application registration in Office 365, specifically within Exchange Online. The 'full_access_as_app' permission, identified by its GUID 'dc890d15-9560-4a4c-9b7f-a736ec74ec40', allows an application extensive control over Office 365 operations, including access to all mailboxes and the ability to send mail as any user. The analytic focuses on the ResourceAppId '00000002-0000-0ff1-ce00-000000000000', pinpointing permissions granted to the Office 365 Exchange Online resource. By analyzing Office 365 management activity logs and filtering Azure Active Directory workload events, the query detects when this specific permission is assigned. Monitoring this assignment is vital due to the broad access it provides, which can lead to unauthorized data access or exfiltration if misused. A true positive detection requires immediate attention to prevent potential security risks like account compromise or data loss. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098.002", "T1098.003"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic triggers on the assignment of the 'full_access_as_app' permission to an application registration in Office 365, specifically within Exchange Online. The 'full_access_as_app' permission, identified by its GUID 'dc890d15-9560-4a4c-9b7f-a736ec74ec40', allows an application extensive control over Office 365 operations, including access to all mailboxes and the ability to send mail as any user. The analytic focuses on the ResourceAppId '00000002-0000-0ff1-ce00-000000000000', pinpointing permissions granted to the Office 365 Exchange Online resource. By analyzing Office 365 management activity logs and filtering Azure Active Directory workload events, the query detects when this specific permission is assigned. Monitoring this assignment is vital due to the broad access it provides, which can lead to unauthorized data access or exfiltration if misused. A true positive detection requires immediate attention to prevent potential security risks like account compromise or data loss. -action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -action.escu.known_false_positives = The full_access_as_app API permission may be assigned to legitimate applications. Filter as needed. -action.escu.creation_date = 2024-01-29 -action.escu.modification_date = 2024-01-29 -action.escu.confidence = high -action.escu.full_search_name = ESCU - O365 FullAccessAsApp Permission Assigned - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Office 365"] -action.escu.analytic_story = ["NOBELIUM Group", "Office 365 Persistence Mechanisms"] -action.risk = 1 -action.risk.param._risk_message = User $user$ assigned the full_access_as_app permission to the app registration $object$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 48}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - O365 FullAccessAsApp Permission Assigned - Rule -action.correlationsearch.annotations = {"analytic_story": ["NOBELIUM Group", "Office 365 Persistence Mechanisms"], "cis20": ["CIS 10"], "confidence": 60, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098.002", "T1098.003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "01a510b3-a6ac-4d50-8812-7e8a3cde3d79", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic triggers on the assignment of the 'full_access_as_app' permission to an application registration in Office 365, specifically within Exchange Online. The 'full_access_as_app' permission, identified by its GUID 'dc890d15-9560-4a4c-9b7f-a736ec74ec40', allows an application extensive control over Office 365 operations, including access to all mailboxes and the ability to send mail as any user. The analytic focuses on the ResourceAppId '00000002-0000-0ff1-ce00-000000000000', pinpointing permissions granted to the Office 365 Exchange Online resource. By analyzing Office 365 management activity logs and filtering Azure Active Directory workload events, the query detects when this specific permission is assigned. Monitoring this assignment is vital due to the broad access it provides, which can lead to unauthorized data access or exfiltration if misused. A true positive detection requires immediate attention to prevent potential security risks like account compromise or data loss. -action.notable.param.rule_title = O365 FullAccessAsApp Permission Assigned -action.notable.param.security_domain = identity -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `o365_management_activity` Workload=AzureActiveDirectory Operation="Update application." | eval newvalue = mvindex('ModifiedProperties{}.NewValue',0) | spath input=newvalue | search "{}.ResourceAppId"="00000002-0000-0ff1-ce00-000000000000" "{}.RequiredAppPermissions{}.EntitlementId"="dc890d15-9560-4a4c-9b7f-a736ec74ec40" | eval Permissions = '{}.RequiredAppPermissions{}.EntitlementId' | stats count earliest(_time) as firstTime latest(_time) as lastTime values(Permissions) by user, object, user_agent, Operation | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_fullaccessasapp_permission_assigned_filter` - -[ESCU - O365 High Number Of Failed Authentications for User - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies an O365 account that has experienced more than 20 failed authentication events within a span of 5 minutes. This could be indicative of an attacker attempting to brute force or guess the password for that particular user account. It leverages the O365 Unified Audit Logs, specifically the "UserLoginFailed" events. By monitoring the frequency and volume of these events for individual users, the analytic can flag accounts that exceed the set threshold of failed attempts within the defined timeframe. Multiple failed login attempts in a short period can be a strong indicator of malicious activity. While there could be benign reasons, such as a user forgetting their password, the rapid succession of failed attempts is often a sign of an attacker trying to gain unauthorized access. By detecting and alerting on this behavior, the SOC can quickly investigate and take appropriate action, potentially stopping an attack in its early stages. Given that environments differ across organizations, security teams should consider customizing the threshold of this detection to better suit their specific needs and risk profile. If an attacker successfully guesses or brute-forces a user's password after numerous attempts, they can gain unauthorized access to the O365 environment. This unauthorized access could allow them to view sensitive emails, documents, and other data. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110", "T1110.001"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies an O365 account that has experienced more than 20 failed authentication events within a span of 5 minutes. This could be indicative of an attacker attempting to brute force or guess the password for that particular user account. It leverages the O365 Unified Audit Logs, specifically the "UserLoginFailed" events. By monitoring the frequency and volume of these events for individual users, the analytic can flag accounts that exceed the set threshold of failed attempts within the defined timeframe. Multiple failed login attempts in a short period can be a strong indicator of malicious activity. While there could be benign reasons, such as a user forgetting their password, the rapid succession of failed attempts is often a sign of an attacker trying to gain unauthorized access. By detecting and alerting on this behavior, the SOC can quickly investigate and take appropriate action, potentially stopping an attack in its early stages. Given that environments differ across organizations, security teams should consider customizing the threshold of this detection to better suit their specific needs and risk profile. If an attacker successfully guesses or brute-forces a user's password after numerous attempts, they can gain unauthorized access to the O365 environment. This unauthorized access could allow them to view sensitive emails, documents, and other data. -action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -action.escu.known_false_positives = Although unusual, users who have lost their passwords may trigger this detection. Filter as needed. -action.escu.creation_date = 2023-10-10 -action.escu.modification_date = 2023-10-10 -action.escu.confidence = high -action.escu.full_search_name = ESCU - O365 High Number Of Failed Authentications for User - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Office 365"] -action.escu.analytic_story = ["Office 365 Account Takeover"] -action.risk = 1 -action.risk.param._risk_message = User $user$ failed to authenticate more than 10 times in the span of 5 minutes. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 35}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - O365 High Number Of Failed Authentications for User - Rule -action.correlationsearch.annotations = {"analytic_story": ["Office 365 Account Takeover"], "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110", "T1110.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "31641378-2fa9-42b1-948e-25e281cb98f7", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies an O365 account that has experienced more than 20 failed authentication events within a span of 5 minutes. This could be indicative of an attacker attempting to brute force or guess the password for that particular user account. It leverages the O365 Unified Audit Logs, specifically the "UserLoginFailed" events. By monitoring the frequency and volume of these events for individual users, the analytic can flag accounts that exceed the set threshold of failed attempts within the defined timeframe. Multiple failed login attempts in a short period can be a strong indicator of malicious activity. While there could be benign reasons, such as a user forgetting their password, the rapid succession of failed attempts is often a sign of an attacker trying to gain unauthorized access. By detecting and alerting on this behavior, the SOC can quickly investigate and take appropriate action, potentially stopping an attack in its early stages. Given that environments differ across organizations, security teams should consider customizing the threshold of this detection to better suit their specific needs and risk profile. If an attacker successfully guesses or brute-forces a user's password after numerous attempts, they can gain unauthorized access to the O365 environment. This unauthorized access could allow them to view sensitive emails, documents, and other data. -action.notable.param.rule_title = O365 High Number Of Failed Authentications for User -action.notable.param.security_domain = identity -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `o365_management_activity` Operation=UserLoginFailed record_type=AzureActiveDirectoryStsLogon Workload=AzureActiveDirectory | bucket span=5m _time | stats dc(_raw) AS failed_attempts values(src_ip) as src_ip by user, _time | where failed_attempts > 10 | `o365_high_number_of_failed_authentications_for_user_filter` - -[ESCU - O365 High Privilege Role Granted - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic detects when high-privilege roles, specifically "Exchange Administrator", "SharePoint Administrator", or "Global Administrator", are granted within Office 365. By monitoring O365 audit logs for events where these administrative roles are assigned to any user or service account, the analytic provides insight into critical role changes. The assignment of these roles is of paramount importance to Security Operations Centers (SOCs) as they grant extensive permissions, allowing for broad access and control over critical organizational resources and data. An unexpected or unauthorized role assignment could indicate potential malicious activity, insider threats, or misconfigurations. If an attacker or unauthorized individual is granted one of these roles, the potential impact includes gaining significant control over O365 resources, accessing, modifying, or deleting critical data, making configuration changes, and potentially compromising the overall security and functionality of the O365 environment. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic detects when high-privilege roles, specifically "Exchange Administrator", "SharePoint Administrator", or "Global Administrator", are granted within Office 365. By monitoring O365 audit logs for events where these administrative roles are assigned to any user or service account, the analytic provides insight into critical role changes. The assignment of these roles is of paramount importance to Security Operations Centers (SOCs) as they grant extensive permissions, allowing for broad access and control over critical organizational resources and data. An unexpected or unauthorized role assignment could indicate potential malicious activity, insider threats, or misconfigurations. If an attacker or unauthorized individual is granted one of these roles, the potential impact includes gaining significant control over O365 resources, accessing, modifying, or deleting critical data, making configuration changes, and potentially compromising the overall security and functionality of the O365 environment. -action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -action.escu.known_false_positives = Privilege roles may be assigned for legitimate purposes, filter as needed. -action.escu.creation_date = 2023-10-20 -action.escu.modification_date = 2023-10-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - O365 High Privilege Role Granted - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Office 365"] -action.escu.analytic_story = ["Office 365 Persistence Mechanisms"] -action.risk = 1 -action.risk.param._risk_message = $user$ granted high privilege roles to $ObjectId$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 48}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - O365 High Privilege Role Granted - Rule -action.correlationsearch.annotations = {"analytic_story": ["Office 365 Persistence Mechanisms"], "cis20": ["CIS 10"], "confidence": 60, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e78a1037-4548-4072-bb1b-ad99ae416426", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic detects when high-privilege roles, specifically "Exchange Administrator", "SharePoint Administrator", or "Global Administrator", are granted within Office 365. By monitoring O365 audit logs for events where these administrative roles are assigned to any user or service account, the analytic provides insight into critical role changes. The assignment of these roles is of paramount importance to Security Operations Centers (SOCs) as they grant extensive permissions, allowing for broad access and control over critical organizational resources and data. An unexpected or unauthorized role assignment could indicate potential malicious activity, insider threats, or misconfigurations. If an attacker or unauthorized individual is granted one of these roles, the potential impact includes gaining significant control over O365 resources, accessing, modifying, or deleting critical data, making configuration changes, and potentially compromising the overall security and functionality of the O365 environment. -action.notable.param.rule_title = O365 High Privilege Role Granted -action.notable.param.security_domain = identity -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `o365_management_activity` Operation="Add member to role." Workload=AzureActiveDirectory | eval role_id = mvindex('ModifiedProperties{}.NewValue',2) | eval role_name = mvindex('ModifiedProperties{}.NewValue',1) | where role_id IN ("29232cdf-9323-42fd-ade2-1d097af3e4de", "f28a1f50-f6e7-4571-818b-6a12f2af6b6c", "62e90394-69f5-4237-9190-012177145e10") | stats earliest(_time) as firstTime latest(_time) as lastTime by user Operation ObjectId role_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_high_privilege_role_granted_filter` - -[ESCU - O365 Mail Permissioned Application Consent Granted by User - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies instances where a user grants consent to an application that requests mail related permissions within the Office 365 environment. This could involve permissions to read, send, or manage mail settings. It leverages the O365 audit logs, specifically events related to application permissions and user consent actions. By filtering for mail-related permissions and user-granted consents, the analytic pinpoints potential security concerns. While many legitimate applications request mail permissions for valid reasons, malicious actors can exploit these permissions for data exfiltration, spear phishing, or other malicious activities. By monitoring for user-granted mail permissions, security teams can identify and review potentially risky consents, ensuring that only trusted applications have access to sensitive email data. If the detection is a true positive, it indicates that an application now has access to the users mail data as permitted. In the hands of a malicious actor, this could lead to unauthorized data access, email forwarding, or even the sending of malicious emails from the compromised account. Its crucial to validate the legitimacy of the application and the context of the consent to prevent potential data breaches or further malicious activities. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1528"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies instances where a user grants consent to an application that requests mail related permissions within the Office 365 environment. This could involve permissions to read, send, or manage mail settings. It leverages the O365 audit logs, specifically events related to application permissions and user consent actions. By filtering for mail-related permissions and user-granted consents, the analytic pinpoints potential security concerns. While many legitimate applications request mail permissions for valid reasons, malicious actors can exploit these permissions for data exfiltration, spear phishing, or other malicious activities. By monitoring for user-granted mail permissions, security teams can identify and review potentially risky consents, ensuring that only trusted applications have access to sensitive email data. If the detection is a true positive, it indicates that an application now has access to the users mail data as permitted. In the hands of a malicious actor, this could lead to unauthorized data access, email forwarding, or even the sending of malicious emails from the compromised account. Its crucial to validate the legitimacy of the application and the context of the consent to prevent potential data breaches or further malicious activities. -action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -action.escu.known_false_positives = OAuth applications that require mail permissions may be legitimate, investigate and filter as needed. -action.escu.creation_date = 2023-10-12 -action.escu.modification_date = 2023-10-12 -action.escu.confidence = high -action.escu.full_search_name = ESCU - O365 Mail Permissioned Application Consent Granted by User - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Office 365"] -action.escu.analytic_story = ["Office 365 Account Takeover"] -action.risk = 1 -action.risk.param._risk_message = User $user$ consented an OAuth application that requests mail-related permissions. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 40}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - O365 Mail Permissioned Application Consent Granted by User - Rule -action.correlationsearch.annotations = {"analytic_story": ["Office 365 Account Takeover"], "cis20": ["CIS 10"], "confidence": 50, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1528"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "fddad083-cdf5-419d-83c6-baa85e329595", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies instances where a user grants consent to an application that requests mail related permissions within the Office 365 environment. This could involve permissions to read, send, or manage mail settings. It leverages the O365 audit logs, specifically events related to application permissions and user consent actions. By filtering for mail-related permissions and user-granted consents, the analytic pinpoints potential security concerns. While many legitimate applications request mail permissions for valid reasons, malicious actors can exploit these permissions for data exfiltration, spear phishing, or other malicious activities. By monitoring for user-granted mail permissions, security teams can identify and review potentially risky consents, ensuring that only trusted applications have access to sensitive email data. If the detection is a true positive, it indicates that an application now has access to the users mail data as permitted. In the hands of a malicious actor, this could lead to unauthorized data access, email forwarding, or even the sending of malicious emails from the compromised account. Its crucial to validate the legitimacy of the application and the context of the consent to prevent potential data breaches or further malicious activities. -action.notable.param.rule_title = O365 Mail Permissioned Application Consent Granted by User -action.notable.param.security_domain = identity -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `o365_management_activity` Workload=AzureActiveDirectory Operation="Consent to application." ResultStatus=Success | eval admin_consent =mvindex('ModifiedProperties{}.NewValue', 0) | search admin_consent=False | eval permissions =mvindex('ModifiedProperties{}.NewValue', 4) | rex field=permissions "Scope: (?[^,]+)" | makemv delim=" " Scope | search Scope IN ("Mail.Read", "Mail.ReadBasic", "Mail.ReadWrite", "Mail.Read.Shared", "Mail.ReadWrite.Shared", "Mail.Send", "Mail.Send.Shared") | stats max(_time) as lastTime values(Scope) by Operation, user, object, ObjectId | `security_content_ctime(lastTime)` | `o365_mail_permissioned_application_consent_granted_by_user_filter` - -[ESCU - O365 Mailbox Email Forwarding Enabled - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This detection is designed to identify instances where email forwarding has been enabled on mailboxes within an Office 365 environment. By monitoring for the specific operation Set-Mailbox within the o365_management_activity logs, this analytic hones in on changes made to mailbox configurations that initiate the forwarding of emails. It specifically looks for the activation of ForwardingAddress or ForwardingSmtpAddress parameters, indicating that emails are being automatically sent to another email address from the user's mailbox. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114", "T1114.003"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This detection is designed to identify instances where email forwarding has been enabled on mailboxes within an Office 365 environment. By monitoring for the specific operation Set-Mailbox within the o365_management_activity logs, this analytic hones in on changes made to mailbox configurations that initiate the forwarding of emails. It specifically looks for the activation of ForwardingAddress or ForwardingSmtpAddress parameters, indicating that emails are being automatically sent to another email address from the user's mailbox. -action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -action.escu.known_false_positives = Email forwarding may be configured for legitimate purposes, filter as needed. -action.escu.creation_date = 2024-03-26 -action.escu.modification_date = 2024-03-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - O365 Mailbox Email Forwarding Enabled - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Office 365"] -action.escu.analytic_story = ["Office 365 Collection Techniques"] -action.risk = 1 -action.risk.param._risk_message = Email forwarding configured by $user$ on mailbox $ObjectId$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 42}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - O365 Mailbox Email Forwarding Enabled - Rule -action.correlationsearch.annotations = {"analytic_story": ["Office 365 Collection Techniques"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114", "T1114.003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "0b6bc75c-05d1-4101-9fc3-97e706168f24", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This detection is designed to identify instances where email forwarding has been enabled on mailboxes within an Office 365 environment. By monitoring for the specific operation Set-Mailbox within the o365_management_activity logs, this analytic hones in on changes made to mailbox configurations that initiate the forwarding of emails. It specifically looks for the activation of ForwardingAddress or ForwardingSmtpAddress parameters, indicating that emails are being automatically sent to another email address from the user's mailbox. -action.notable.param.rule_title = O365 Mailbox Email Forwarding Enabled -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `o365_management_activity` Operation=Set-Mailbox | eval match1=mvfind('Parameters{}.Name', "ForwardingAddress") | eval match2=mvfind('Parameters{}.Name', "ForwardingSmtpAddress") | where match1>= 0 OR match2>= 0 | eval ForwardTo=coalesce(ForwardingAddress, ForwardingSmtpAddress) | search ForwardTo!="" | rename user_id as user | stats count earliest(_time) as firstTime latest(_time) as lastTime values(ForwardTo) as ForwardTo by user ObjectId |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `o365_mailbox_email_forwarding_enabled_filter` - -[ESCU - O365 Mailbox Folder Read Permission Assigned - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This detection is tailored to capture instances where read permissions are assigned to mailbox folders within an Office 365 environment, utilizing the operations ModifyFolderPermissions and AddFolderPermissions as captured in the o365_management_activity. Unlike other permission modifications, this detection excludes actions related to the Calendar, Contacts, and PersonMetadata objects, focusing on core mailbox folders. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098", "T1098.002"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This detection is tailored to capture instances where read permissions are assigned to mailbox folders within an Office 365 environment, utilizing the operations ModifyFolderPermissions and AddFolderPermissions as captured in the o365_management_activity. Unlike other permission modifications, this detection excludes actions related to the Calendar, Contacts, and PersonMetadata objects, focusing on core mailbox folders. -action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -action.escu.known_false_positives = Mailbox folder permissions may be configured for legitimate purposes, filter as needed. -action.escu.creation_date = 2024-03-29 -action.escu.modification_date = 2024-03-29 -action.escu.confidence = high -action.escu.full_search_name = ESCU - O365 Mailbox Folder Read Permission Assigned - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Office 365"] -action.escu.analytic_story = ["Office 365 Collection Techniques"] -action.risk = 1 -action.risk.param._risk_message = A folder was granted read permission by $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 42}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - O365 Mailbox Folder Read Permission Assigned - Rule -action.correlationsearch.annotations = {"analytic_story": ["Office 365 Collection Techniques"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098", "T1098.002"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "1435475e-2128-4417-a34f-59770733b0d5", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This detection is tailored to capture instances where read permissions are assigned to mailbox folders within an Office 365 environment, utilizing the operations ModifyFolderPermissions and AddFolderPermissions as captured in the o365_management_activity. Unlike other permission modifications, this detection excludes actions related to the Calendar, Contacts, and PersonMetadata objects, focusing on core mailbox folders. -action.notable.param.rule_title = O365 Mailbox Folder Read Permission Assigned -action.notable.param.security_domain = audit -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `o365_management_activity` Workload=Exchange (Operation=ModifyFolderPermissions OR Operation=AddFolderPermissions) Workload=Exchange object!=Calendar object!=Contacts object!=PersonMetadata | eval isReadRole=if(match('Item.ParentFolder.MemberRights', "(ReadAny)"), "true", "false") | rename UserId as user | stats count earliest(_time) as firstTime latest(_time) as lastTime by Operation, user, object, Item.ParentFolder.MemberUpn, Item.ParentFolder.MemberRights | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_mailbox_folder_read_permission_assigned_filter` - -[ESCU - O365 Mailbox Folder Read Permission Granted - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This detection focuses on identifying changes in mailbox folder permissions within an Office 365 environment, specifically pinpointing instances where read permissions are granted. It monitors for two key operations Set-MailboxFolderPermission and Add-MailboxFolderPermission, as logged in the o365_management_activity. These operations are indicative of modifications or additions to the permissions of mailbox folders, potentially altering who can view or interact with the folder contents. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098", "T1098.002"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This detection focuses on identifying changes in mailbox folder permissions within an Office 365 environment, specifically pinpointing instances where read permissions are granted. It monitors for two key operations Set-MailboxFolderPermission and Add-MailboxFolderPermission, as logged in the o365_management_activity. These operations are indicative of modifications or additions to the permissions of mailbox folders, potentially altering who can view or interact with the folder contents. -action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -action.escu.known_false_positives = Mailbox folder permissions may be configured for legitimate purposes, filter as needed. -action.escu.creation_date = 2024-03-28 -action.escu.modification_date = 2024-03-28 -action.escu.confidence = high -action.escu.full_search_name = ESCU - O365 Mailbox Folder Read Permission Granted - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Office 365"] -action.escu.analytic_story = ["Office 365 Collection Techniques"] -action.risk = 1 -action.risk.param._risk_message = A folder was granted read permission by $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 42}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - O365 Mailbox Folder Read Permission Granted - Rule -action.correlationsearch.annotations = {"analytic_story": ["Office 365 Collection Techniques"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098", "T1098.002"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "cd15c0a8-470e-4b12-9517-046e4927db30", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This detection focuses on identifying changes in mailbox folder permissions within an Office 365 environment, specifically pinpointing instances where read permissions are granted. It monitors for two key operations Set-MailboxFolderPermission and Add-MailboxFolderPermission, as logged in the o365_management_activity. These operations are indicative of modifications or additions to the permissions of mailbox folders, potentially altering who can view or interact with the folder contents. -action.notable.param.rule_title = O365 Mailbox Folder Read Permission Granted -action.notable.param.security_domain = audit -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `o365_management_activity` Workload=Exchange (Operation="Set-MailboxFolderPermission" OR Operation="Add-MailboxFolderPermission" ) | eval isReadRole=if(match(AccessRights, "^(ReadItems|Author|NonEditingAuthor|Owner|PublishingAuthor|Reviewer)$"), "true", "false") | search isReadRole="true" | rename UserId as user | stats count earliest(_time) as firstTime latest(_time) as lastTime by Operation, user, Identity, AccessRights | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_mailbox_folder_read_permission_granted_filter` - -[ESCU - O365 Mailbox Inbox Folder Shared with All Users - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies instances where the inbox folder of a mailbox in Office 365 is shared with all users within the tenant. Sharing the inbox folder with all users is an unusual and risky configuration. Attackers have been known to exploit this setting to surreptitiously read a target user's emails from another account. Such unauthorized access can lead to data breaches, leakage of confidential information, or further compromise based on the information gathered from the emails. Monitoring for this configuration change ensures that inadvertent or malicious sharing is promptly identified and addressed. If an attacker successfully configures the inbox to be shared with all users, they can access and read all emails in the affected mailbox from any account within the tenant. This can lead to data exfiltration, spear-phishing attacks based on the information in the emails, or further malicious activities using sensitive information gathered from the mailbox. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114", "T1114.002"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies instances where the inbox folder of a mailbox in Office 365 is shared with all users within the tenant. Sharing the inbox folder with all users is an unusual and risky configuration. Attackers have been known to exploit this setting to surreptitiously read a target user's emails from another account. Such unauthorized access can lead to data breaches, leakage of confidential information, or further compromise based on the information gathered from the emails. Monitoring for this configuration change ensures that inadvertent or malicious sharing is promptly identified and addressed. If an attacker successfully configures the inbox to be shared with all users, they can access and read all emails in the affected mailbox from any account within the tenant. This can lead to data exfiltration, spear-phishing attacks based on the information in the emails, or further malicious activities using sensitive information gathered from the mailbox. -action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -action.escu.known_false_positives = Administrators might temporarily share a mailbox with all users for legitimate reasons, such as troubleshooting, migrations, or other administrative tasks. Some organizations use shared mailboxes for teams or departments where multiple users need access to the same mailbox. Filter as needed. -action.escu.creation_date = 2023-09-07 -action.escu.modification_date = 2023-09-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - O365 Mailbox Inbox Folder Shared with All Users - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Office 365"] -action.escu.analytic_story = ["Office 365 Persistence Mechanisms"] -action.risk = 1 -action.risk.param._risk_message = Inbox folder for the $MailboxOwnerUPN$ mailbox was shared with all users. -action.risk.param._risk = [{"risk_object_field": "MailboxOwnerUPN", "risk_object_type": "user", "risk_score": 56}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - O365 Mailbox Inbox Folder Shared with All Users - Rule -action.correlationsearch.annotations = {"analytic_story": ["Office 365 Persistence Mechanisms"], "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114", "T1114.002"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "21421896-a692-4594-9888-5faeb8a53106", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies instances where the inbox folder of a mailbox in Office 365 is shared with all users within the tenant. Sharing the inbox folder with all users is an unusual and risky configuration. Attackers have been known to exploit this setting to surreptitiously read a target user's emails from another account. Such unauthorized access can lead to data breaches, leakage of confidential information, or further compromise based on the information gathered from the emails. Monitoring for this configuration change ensures that inadvertent or malicious sharing is promptly identified and addressed. If an attacker successfully configures the inbox to be shared with all users, they can access and read all emails in the affected mailbox from any account within the tenant. This can lead to data exfiltration, spear-phishing attacks based on the information in the emails, or further malicious activities using sensitive information gathered from the mailbox. -action.notable.param.rule_title = O365 Mailbox Inbox Folder Shared with All Users -action.notable.param.security_domain = access -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `o365_management_activity` Operation=ModifyFolderPermissions Workload=Exchange object=Inbox Item.ParentFolder.MemberUpn=Everyone | eval isReadRole=if(match('Item.ParentFolder.MemberRights', "(ReadAny)"), "true", "false") | search isReadRole = "true" | stats count earliest(_time) as firstTime latest(_time) as lastTime by Operation, UserId, object, MailboxOwnerUPN, Item.ParentFolder.MemberUpn, Item.ParentFolder.MemberRights | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_mailbox_inbox_folder_shared_with_all_users_filter` - -[ESCU - O365 Mailbox Read Access Granted to Application - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies instances where the Mail.Read Graph API permissions are granted to an application registration within an Office 365 tenant. It leverages O365 audit logs, specifically events related to changes in application permissions within the AzureActiveDirectory workload. The Mail.Read permission allows applications to access and read all emails within a user's mailbox. Emails often contain sensitive or confidential information, and unauthorized access can lead to data breaches or leakage. Monitoring the assignment of this permission ensures that only legitimate applications have such access and that any inadvertent or malicious assignments are promptly identified. If an attacker successfully grants this permission to a malicious or compromised application, they can read all emails in the affected mailboxes. This can lead to data exfiltration, spear-phishing attacks, or further compromise based on the information gathered from the emails. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1114.002", "T1114", "T1098", "T1098.003"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies instances where the Mail.Read Graph API permissions are granted to an application registration within an Office 365 tenant. It leverages O365 audit logs, specifically events related to changes in application permissions within the AzureActiveDirectory workload. The Mail.Read permission allows applications to access and read all emails within a user's mailbox. Emails often contain sensitive or confidential information, and unauthorized access can lead to data breaches or leakage. Monitoring the assignment of this permission ensures that only legitimate applications have such access and that any inadvertent or malicious assignments are promptly identified. If an attacker successfully grants this permission to a malicious or compromised application, they can read all emails in the affected mailboxes. This can lead to data exfiltration, spear-phishing attacks, or further compromise based on the information gathered from the emails. -action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -action.escu.known_false_positives = There are legitimate scenarios in wich an Application registrations requires Mailbox read access. Filter as needed. -action.escu.creation_date = 2023-09-01 -action.escu.modification_date = 2023-09-01 -action.escu.confidence = high -action.escu.full_search_name = ESCU - O365 Mailbox Read Access Granted to Application - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Office 365"] -action.escu.analytic_story = ["Office 365 Persistence Mechanisms"] -action.risk = 1 -action.risk.param._risk_message = Application registration $object$ was grandes mailbox read access by $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 45}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - O365 Mailbox Read Access Granted to Application - Rule -action.correlationsearch.annotations = {"analytic_story": ["Office 365 Persistence Mechanisms"], "cis20": ["CIS 10"], "confidence": 50, "impact": 90, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1114.002", "T1114", "T1098", "T1098.003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "27ab61c5-f08a-438a-b4d3-325e666490b3", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies instances where the Mail.Read Graph API permissions are granted to an application registration within an Office 365 tenant. It leverages O365 audit logs, specifically events related to changes in application permissions within the AzureActiveDirectory workload. The Mail.Read permission allows applications to access and read all emails within a user's mailbox. Emails often contain sensitive or confidential information, and unauthorized access can lead to data breaches or leakage. Monitoring the assignment of this permission ensures that only legitimate applications have such access and that any inadvertent or malicious assignments are promptly identified. If an attacker successfully grants this permission to a malicious or compromised application, they can read all emails in the affected mailboxes. This can lead to data exfiltration, spear-phishing attacks, or further compromise based on the information gathered from the emails. -action.notable.param.rule_title = O365 Mailbox Read Access Granted to Application -action.notable.param.security_domain = access -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `o365_management_activity` Operation="Update application." | eval json_data=mvindex('ModifiedProperties{}.NewValue', 0) | eval json_data=replace(json_data, "^\[\s*", "") | eval json_data=replace(json_data, "\s*\]$", "") | spath input=json_data path=RequiredAppPermissions{}.EntitlementId output=EntitlementIds | eval match_found=mvfind(EntitlementIds, "810c84a8-4a9e-49e6-bf7d-12d183f40d01") | where isnotnull(match_found) | stats max(_time) as lastTime values(EntitlementIds) as EntitlementIds by Operation, user, object | `security_content_ctime(lastTime)` | `o365_mailbox_read_access_granted_to_application_filter` - -[ESCU - O365 Multi-Source Failed Authentications Spike - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic detects potential distributed password spraying attacks within an Office 365 environment. It identifies a significant increase in failed authentication attempts characterized by diverse user-and-IP address combinations, originating from multiple source IP addresses, and utilizing various user agents. These patterns may indicate an adversary's attempt to circumvent security controls by employing a spectrum of IP addresses to test commonly used passwords against a wide range of user accounts. The detection examines UserLoginFailed events from O365 Management Activity logs, with a particular focus on events with ErrorNumber 50126, which indicates a failed authentication due to incorrect credentials. By aggregating data over a five-minute interval, the analytic calculates the distinct counts of user-and-IP combinations and unique users and source IPs. It then applies a set of thresholds to these metrics to identify abnormal activities that could suggest a coordinated attack. The predefined thresholds within the analytic (such as unique IPs, unique users, etc.) serve as initial benchmarks and should be tailored to align with the organization's typical user behavior and risk tolerance. Early detection of such distributed activities is crucial for security operations centers (SOCs) to intercept unauthorized access attempts, avert account takeovers, and reduce the risk of subsequent malevolent actions within the organization's systems. A true positive alert from this analytic would indicate an ongoing distributed password spraying campaign targeting the organization's Office 365 tenant. If such an attack is successful, it could lead to unauthorized access, especially to accounts with administrative privileges, resulting in data breaches, privilege escalation, persistent threats, and lateral movement within the organization's digital environment. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic detects potential distributed password spraying attacks within an Office 365 environment. It identifies a significant increase in failed authentication attempts characterized by diverse user-and-IP address combinations, originating from multiple source IP addresses, and utilizing various user agents. These patterns may indicate an adversary's attempt to circumvent security controls by employing a spectrum of IP addresses to test commonly used passwords against a wide range of user accounts. The detection examines UserLoginFailed events from O365 Management Activity logs, with a particular focus on events with ErrorNumber 50126, which indicates a failed authentication due to incorrect credentials. By aggregating data over a five-minute interval, the analytic calculates the distinct counts of user-and-IP combinations and unique users and source IPs. It then applies a set of thresholds to these metrics to identify abnormal activities that could suggest a coordinated attack. The predefined thresholds within the analytic (such as unique IPs, unique users, etc.) serve as initial benchmarks and should be tailored to align with the organization's typical user behavior and risk tolerance. Early detection of such distributed activities is crucial for security operations centers (SOCs) to intercept unauthorized access attempts, avert account takeovers, and reduce the risk of subsequent malevolent actions within the organization's systems. A true positive alert from this analytic would indicate an ongoing distributed password spraying campaign targeting the organization's Office 365 tenant. If such an attack is successful, it could lead to unauthorized access, especially to accounts with administrative privileges, resulting in data breaches, privilege escalation, persistent threats, and lateral movement within the organization's digital environment. -action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. The thresholds set within the analytic (such as unique IPs, unique users, etc.) are initial guidelines and should be customized based on the organization's user behavior and risk profile. Security teams are encouraged to adjust these thresholds to optimize the balance between detecting genuine threats and minimizing false positives, ensuring the detection is tailored to their specific environment. -action.escu.known_false_positives = This detection may yield false positives in scenarios where legitimate bulk sign-in activities occur, such as during company-wide system updates or when users are accessing resources from varying locations in a short time frame, such as in the case of VPNs or cloud services that rotate IP addresses. Filter as needed. -action.escu.creation_date = 2023-11-09 -action.escu.modification_date = 2023-11-09 -action.escu.confidence = high -action.escu.full_search_name = ESCU - O365 Multi-Source Failed Authentications Spike - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Office 365"] -action.escu.analytic_story = ["NOBELIUM Group", "Office 365 Account Takeover"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - O365 Multi-Source Failed Authentications Spike - Rule -action.correlationsearch.annotations = {"analytic_story": ["NOBELIUM Group", "Office 365 Account Takeover"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "ea4e2c41-dbfb-4f5f-a7b6-9ac1b7f104aa", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoginFailed ErrorNumber=50126 | bucket span=5m _time | eval uniqueIPUserCombo = src_ip . "-" . user | stats dc(uniqueIPUserCombo) as uniqueIpUserCombinations, dc(user) as uniqueUsers, dc(src_ip) as uniqueIPs, values(user) as user, values(src_ip) as ips, values(user_agent) as user_agents by _time | where uniqueIpUserCombinations > 20 AND uniqueUsers > 20 AND uniqueIPs > 20 | `o365_multi_source_failed_authentications_spike_filter` - -[ESCU - O365 Multiple AppIDs and UserAgents Authentication Spike - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is crafted to identify unusual and potentially malicious authentication activity within an O365 environment. It triggers when a single user account is involved in more than 8 authentication attempts, using 3 or more unique application IDs and more than 5 unique user agents within a short timeframe. This pattern is atypical for regular user behavior and may indicate an adversary's attempt to probe the environment, testing for multi-factor authentication requirements across different applications and platforms. The detection is based on analysis of O365 audit logs, specifically focusing on authentication events. It employs statistical thresholds to highlight instances where the volume of authentication attempts and the diversity of application IDs and user agents associated with a single user account exceed normal parameters. Identifying this behavior is crucial as it provides an early indication of potential account compromise. Adversaries, once in possession of user credentials, often conduct reconnaissance to understand the security controls in place, including multi-factor authentication configurations. Tools like Invoke-MFASweep are commonly used for this purpose, automating the process of testing different user agents and application IDs to bypass MFA. By detecting these initial probing attempts, security teams can swiftly respond, potentially stopping an attack in its early stages and preventing further unauthorized access. This proactive stance is vital for maintaining the integrity of the organization's security posture. If validated as a true positive, this detection points to a compromised account, signaling that an attacker is actively attempting to navigate security controls to maintain access and potentially escalate privileges. This could lead to further exploitation, lateral movement within the network, and eventual data exfiltration. Recognizing and responding to this early stage of an attack is vital for preventing substantial harm and safeguarding sensitive organizational data and systems. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic is crafted to identify unusual and potentially malicious authentication activity within an O365 environment. It triggers when a single user account is involved in more than 8 authentication attempts, using 3 or more unique application IDs and more than 5 unique user agents within a short timeframe. This pattern is atypical for regular user behavior and may indicate an adversary's attempt to probe the environment, testing for multi-factor authentication requirements across different applications and platforms. The detection is based on analysis of O365 audit logs, specifically focusing on authentication events. It employs statistical thresholds to highlight instances where the volume of authentication attempts and the diversity of application IDs and user agents associated with a single user account exceed normal parameters. Identifying this behavior is crucial as it provides an early indication of potential account compromise. Adversaries, once in possession of user credentials, often conduct reconnaissance to understand the security controls in place, including multi-factor authentication configurations. Tools like Invoke-MFASweep are commonly used for this purpose, automating the process of testing different user agents and application IDs to bypass MFA. By detecting these initial probing attempts, security teams can swiftly respond, potentially stopping an attack in its early stages and preventing further unauthorized access. This proactive stance is vital for maintaining the integrity of the organization's security posture. If validated as a true positive, this detection points to a compromised account, signaling that an attacker is actively attempting to navigate security controls to maintain access and potentially escalate privileges. This could lead to further exploitation, lateral movement within the network, and eventual data exfiltration. Recognizing and responding to this early stage of an attack is vital for preventing substantial harm and safeguarding sensitive organizational data and systems. -action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -action.escu.known_false_positives = Rapid authentication from the same user using more than 5 different user agents and 3 application IDs is highly unlikely under normal circumstances. However, there are potential scenarios that could lead to false positives. -action.escu.creation_date = 2023-10-24 -action.escu.modification_date = 2023-10-24 -action.escu.confidence = high -action.escu.full_search_name = ESCU - O365 Multiple AppIDs and UserAgents Authentication Spike - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Office 365"] -action.escu.analytic_story = ["Office 365 Account Takeover"] -action.risk = 1 -action.risk.param._risk_message = $user$ authenticated in a short period of time with more than 5 different user agents across 3 or more unique application ids. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 48}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - O365 Multiple AppIDs and UserAgents Authentication Spike - Rule -action.correlationsearch.annotations = {"analytic_story": ["Office 365 Account Takeover"], "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "66adc486-224d-45c1-8e4d-9e7eeaba988f", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `o365_management_activity` Workload=AzureActiveDirectory (Operation=UserLoggedIn OR Operation=UserLoginFailed) | bucket span=5m _time | stats dc(_raw) as failed_attempts dc(ApplicationId) as unique_app_ids dc(UserAgent) as unique_user_agents values(ApplicationId) values(OS) by _time user src_ip | where failed_attempts > 5 and unique_user_agents > 5 and unique_app_ids > 2 | `o365_multiple_appids_and_useragents_authentication_spike_filter` - -[ESCU - O365 Multiple Failed MFA Requests For User - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic identifies potential "MFA fatigue" attacks targeting Office 365 users. Specifically, it detects scenarios where a user experiences more than nine Multi-Factor Authentication (MFA) prompts within a 10-minute timeframe. Attackers may exploit MFA fatigue by repeatedly triggering MFA requests, hoping that the user, out of frustration or oversight, will approve a malicious authentication attempt. The detection leverages O365 management activity logs, focusing on Azure Active Directory events. It looks for the UserLoginFailed operation combined with a Success ResultStatus and an ErrorNumber of 500121, which indicates MFA prompts. By monitoring these specific events and conditions, the analytic captures and alerts on potential MFA fatigue scenarios. With MFA being a cornerstone of modern cybersecurity defenses, attackers are constantly seeking ways to bypass or exploit it. MFA fatigue is one such tactic, where attackers rely on user frustration or confusion caused by frequent MFA prompts. Detecting potential MFA fatigue scenarios allows security teams to proactively investigate and ensure that users aren't inadvertently granting access to malicious actors. If this detection flags a true positive, it suggests a potential attempt by an attacker to exploit MFA mechanisms to gain unauthorized access to an O365 account. Successful exploitation could lead to data breaches, unauthorized data access, or further compromise within the O365 environment. Immediate investigation and response would be crucial to safeguard the affected account and assess the full scope of the potential breach. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1621"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic identifies potential "MFA fatigue" attacks targeting Office 365 users. Specifically, it detects scenarios where a user experiences more than nine Multi-Factor Authentication (MFA) prompts within a 10-minute timeframe. Attackers may exploit MFA fatigue by repeatedly triggering MFA requests, hoping that the user, out of frustration or oversight, will approve a malicious authentication attempt. The detection leverages O365 management activity logs, focusing on Azure Active Directory events. It looks for the UserLoginFailed operation combined with a Success ResultStatus and an ErrorNumber of 500121, which indicates MFA prompts. By monitoring these specific events and conditions, the analytic captures and alerts on potential MFA fatigue scenarios. With MFA being a cornerstone of modern cybersecurity defenses, attackers are constantly seeking ways to bypass or exploit it. MFA fatigue is one such tactic, where attackers rely on user frustration or confusion caused by frequent MFA prompts. Detecting potential MFA fatigue scenarios allows security teams to proactively investigate and ensure that users aren't inadvertently granting access to malicious actors. If this detection flags a true positive, it suggests a potential attempt by an attacker to exploit MFA mechanisms to gain unauthorized access to an O365 account. Successful exploitation could lead to data breaches, unauthorized data access, or further compromise within the O365 environment. Immediate investigation and response would be crucial to safeguard the affected account and assess the full scope of the potential breach. -action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -action.escu.known_false_positives = Multiple Failed MFA requests may also be a sign of authentication or application issues. Filter as needed. -action.escu.creation_date = 2023-10-19 -action.escu.modification_date = 2023-10-19 -action.escu.confidence = high -action.escu.full_search_name = ESCU - O365 Multiple Failed MFA Requests For User - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Office 365"] -action.escu.analytic_story = ["Office 365 Account Takeover"] -action.risk = 1 -action.risk.param._risk_message = Multiple failed MFA requestes for $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 48}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - O365 Multiple Failed MFA Requests For User - Rule -action.correlationsearch.annotations = {"analytic_story": ["Office 365 Account Takeover"], "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1621"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "fd22124e-dbac-4744-a8ce-be10d8ec3e26", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic identifies potential "MFA fatigue" attacks targeting Office 365 users. Specifically, it detects scenarios where a user experiences more than nine Multi-Factor Authentication (MFA) prompts within a 10-minute timeframe. Attackers may exploit MFA fatigue by repeatedly triggering MFA requests, hoping that the user, out of frustration or oversight, will approve a malicious authentication attempt. The detection leverages O365 management activity logs, focusing on Azure Active Directory events. It looks for the UserLoginFailed operation combined with a Success ResultStatus and an ErrorNumber of 500121, which indicates MFA prompts. By monitoring these specific events and conditions, the analytic captures and alerts on potential MFA fatigue scenarios. With MFA being a cornerstone of modern cybersecurity defenses, attackers are constantly seeking ways to bypass or exploit it. MFA fatigue is one such tactic, where attackers rely on user frustration or confusion caused by frequent MFA prompts. Detecting potential MFA fatigue scenarios allows security teams to proactively investigate and ensure that users aren't inadvertently granting access to malicious actors. If this detection flags a true positive, it suggests a potential attempt by an attacker to exploit MFA mechanisms to gain unauthorized access to an O365 account. Successful exploitation could lead to data breaches, unauthorized data access, or further compromise within the O365 environment. Immediate investigation and response would be crucial to safeguard the affected account and assess the full scope of the potential breach. -action.notable.param.rule_title = O365 Multiple Failed MFA Requests For User -action.notable.param.security_domain = identity -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoginFailed ResultStatus=Success ErrorNumber=500121 | bucket span=10m _time | stats dc(_raw) as mfa_prompts values(LogonError) as LogonError values(signature) as signature by user, _time | where mfa_prompts > 9 | `o365_multiple_failed_mfa_requests_for_user_filter` - -[ESCU - O365 Multiple Mailboxes Accessed via API - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic is designed to trigger when a high number of Office 365 Exchange mailboxes are accessed via API (Microsoft Graph API or Exchange Web Services) in a short time, hinting at possible unauthorized mass email access. It tracks 'MailItemsAccessed' operations in Exchange, using AppId and regex to identify API interactions. Crucial for SOC teams, this analytic focuses on spotting abnormal access patterns, often signaling data exfiltration or account compromise. Security teams should tailor the threshold - set here to flag over five unique mailboxes accessed within 10 minutes - to align with their environment's norms, ensuring effective detection of potential security incidents while maintaining operational efficiency. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114.002"], "nist": ["DE.CM"]} -action.escu.data_models = ["Web"] -action.escu.eli5 = The following analytic is designed to trigger when a high number of Office 365 Exchange mailboxes are accessed via API (Microsoft Graph API or Exchange Web Services) in a short time, hinting at possible unauthorized mass email access. It tracks 'MailItemsAccessed' operations in Exchange, using AppId and regex to identify API interactions. Crucial for SOC teams, this analytic focuses on spotting abnormal access patterns, often signaling data exfiltration or account compromise. Security teams should tailor the threshold - set here to flag over five unique mailboxes accessed within 10 minutes - to align with their environment's norms, ensuring effective detection of potential security incidents while maintaining operational efficiency. -action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -action.escu.known_false_positives = Legitimate applications may access multiple mailboxes via an API. You can filter by the ClientAppId or the CLientIpAddress fields. -action.escu.creation_date = 2024-02-01 -action.escu.modification_date = 2024-02-01 -action.escu.confidence = high -action.escu.full_search_name = ESCU - O365 Multiple Mailboxes Accessed via API - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Office 365"] -action.escu.analytic_story = ["NOBELIUM Group", "Office 365 Collection Techniques"] -action.risk = 1 -action.risk.param._risk_message = An Oauth application identified with id $ClientAppId$ accessed multiple mailboxes in a short period of time via an API. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 42}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - O365 Multiple Mailboxes Accessed via API - Rule -action.correlationsearch.annotations = {"analytic_story": ["NOBELIUM Group", "Office 365 Collection Techniques"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114.002"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "7cd853e9-d370-412f-965d-a2bcff2a2908", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic is designed to trigger when a high number of Office 365 Exchange mailboxes are accessed via API (Microsoft Graph API or Exchange Web Services) in a short time, hinting at possible unauthorized mass email access. It tracks 'MailItemsAccessed' operations in Exchange, using AppId and regex to identify API interactions. Crucial for SOC teams, this analytic focuses on spotting abnormal access patterns, often signaling data exfiltration or account compromise. Security teams should tailor the threshold - set here to flag over five unique mailboxes accessed within 10 minutes - to align with their environment's norms, ensuring effective detection of potential security incidents while maintaining operational efficiency. -action.notable.param.rule_title = O365 Multiple Mailboxes Accessed via API -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `o365_management_activity` Workload=Exchange Operation=MailItemsAccessed AppId=* ClientAppId=* | bucket span=10m _time | eval matchRegex=if(match(ClientInfoString, "^Client=WebServices;ExchangeWebServices"), 1, 0) | search (AppId="00000003-0000-0000-c000-000000000000" OR matchRegex=1) | stats values(ClientIPAddress) as src_ip dc(user) as unique_mailboxes values(user) as user by _time ClientAppId ClientInfoString | where unique_mailboxes > 5 | `o365_multiple_mailboxes_accessed_via_api_filter` - -[ESCU - O365 Multiple Service Principals Created by SP - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This detection aims to identify instances where a single service principal creates more than three unique OAuth applications within a 10-minute timeframe, using O365 logs from the Unified Audit Log. The focus is on tracking the 'Add service principal' operation within the Office 365 Azure Active Directory environment. The query effectively buckets events in 10-minute intervals, specifically scrutinizing the actions of service principals. By quantifying the number of distinct OAuth applications each service principal establishes, the analytic provides critical insights for SOC teams into potentially anomalous or malicious activities. These activities could include a compromised or malicious service principal being used to create multiple service principals, which might be indicative of an attempt to expand control or access within the network. Security teams are advised to adapt the threshold of three applications to align with their typical operational baseline -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This detection aims to identify instances where a single service principal creates more than three unique OAuth applications within a 10-minute timeframe, using O365 logs from the Unified Audit Log. The focus is on tracking the 'Add service principal' operation within the Office 365 Azure Active Directory environment. The query effectively buckets events in 10-minute intervals, specifically scrutinizing the actions of service principals. By quantifying the number of distinct OAuth applications each service principal establishes, the analytic provides critical insights for SOC teams into potentially anomalous or malicious activities. These activities could include a compromised or malicious service principal being used to create multiple service principals, which might be indicative of an attempt to expand control or access within the network. Security teams are advised to adapt the threshold of three applications to align with their typical operational baseline -action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -action.escu.known_false_positives = Certain users or applications may create multiple service principals in a short period of time for legitimate purposes. Filter as needed. -action.escu.creation_date = 2024-02-07 -action.escu.modification_date = 2024-02-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - O365 Multiple Service Principals Created by SP - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Office 365"] -action.escu.analytic_story = ["NOBELIUM Group", "Office 365 Persistence Mechanisms"] -action.risk = 1 -action.risk.param._risk_message = Multiple OAuth applications were created by $src_user$ in a short period of time -action.risk.param._risk = [{"risk_object_field": "src_user", "risk_object_type": "user", "risk_score": 42}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - O365 Multiple Service Principals Created by SP - Rule -action.correlationsearch.annotations = {"analytic_story": ["NOBELIUM Group", "Office 365 Persistence Mechanisms"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "ef4c3f20-d1ad-4ad1-a3f4-d5f391c005fe", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `o365_management_activity` Workload=AzureActiveDirectory Operation="Add service principal." | bucket span=10m _time | eval len=mvcount('Actor{}.ID') | eval userType = mvindex('Actor{}.ID',len-1) | search userType = "ServicePrincipal" | eval displayName = object | stats count earliest(_time) as firstTime latest(_time) as lastTime values(displayName) as displayName dc(displayName) as unique_apps by src_user | where unique_apps > 3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_multiple_service_principals_created_by_sp_filter` - -[ESCU - O365 Multiple Service Principals Created by User - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This detection is tailored to spot occurrences where a single user, rather than a service principal, creates more than three unique OAuth applications within a 10-minute window in the Office 365 environment. Utilizing O365 logs from the Unified Audit Log, it focuses on the 'Add service principal' operation in Azure Active Directory. The query segments events into 10-minute intervals, exclusively monitoring user activities. It calculates the number of distinct OAuth applications initiated by each user, providing SOC teams with essential data for identifying potential security threats. Such activity could suggest that a user account is either compromised or engaged in unauthorized activities, potentially setting the stage for broader network infiltration or privilege escalation. It's important for security teams to adjust the threshold of three applications to fit their operational context. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This detection is tailored to spot occurrences where a single user, rather than a service principal, creates more than three unique OAuth applications within a 10-minute window in the Office 365 environment. Utilizing O365 logs from the Unified Audit Log, it focuses on the 'Add service principal' operation in Azure Active Directory. The query segments events into 10-minute intervals, exclusively monitoring user activities. It calculates the number of distinct OAuth applications initiated by each user, providing SOC teams with essential data for identifying potential security threats. Such activity could suggest that a user account is either compromised or engaged in unauthorized activities, potentially setting the stage for broader network infiltration or privilege escalation. It's important for security teams to adjust the threshold of three applications to fit their operational context. -action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -action.escu.known_false_positives = Certain users or applications may create multiple service principals in a short period of time for legitimate purposes. Filter as needed. -action.escu.creation_date = 2024-02-07 -action.escu.modification_date = 2024-02-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - O365 Multiple Service Principals Created by User - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Office 365"] -action.escu.analytic_story = ["NOBELIUM Group", "Office 365 Persistence Mechanisms"] -action.risk = 1 -action.risk.param._risk_message = Multiple OAuth applications were created by $src_user$ in a short period of time -action.risk.param._risk = [{"risk_object_field": "src_user", "risk_object_type": "user", "risk_score": 42}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - O365 Multiple Service Principals Created by User - Rule -action.correlationsearch.annotations = {"analytic_story": ["NOBELIUM Group", "Office 365 Persistence Mechanisms"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a34e65d0-54de-4b02-9db8-5a04522067f6", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `o365_management_activity` Workload=AzureActiveDirectory Operation="Add service principal." | bucket span=10m _time | eval len=mvcount('Actor{}.ID') | eval userType = mvindex('Actor{}.ID',len-1) | search userType = "User" | eval displayName = object | stats count earliest(_time) as firstTime latest(_time) as lastTime values(displayName) as displayName dc(displayName) as unique_apps by src_user | where unique_apps > 3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_multiple_service_principals_created_by_user_filter` - -[ESCU - O365 Multiple Users Failing To Authenticate From Ip - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic identifies instances where multiple users (more than 10 unique accounts) have failed to authenticate from a single IP address within a short time span (5 minutes). Such a pattern can be indicative of malicious activities, such as brute-force attacks or password spraying attempts. The detection leverages O365 audit logs, specifically focusing on Azure Active Directory login failures (AzureActiveDirectoryStsLogon). By aggregating these failures based on the source IP address and time, the analytic captures patterns where multiple unique user accounts have authentication failures from the same IP within a 5-minute window. Multiple authentication failures from a single IP address targeting various accounts can be a strong indicator of an attacker trying to gain unauthorized access. It could represent a brute-force attack, password spraying, or other malicious login attempts. Identifying and responding to such patterns promptly is crucial to prevent potential account compromises and unauthorized access to organizational resources. If the detection is a true positive, it suggests that an external entity is actively trying to breach the security by targeting multiple user accounts. While the attempts have been unsuccessful (as indicated by the login failures), it's a clear sign of malicious intent. Immediate action is required to block or monitor the suspicious IP, investigate the nature of the attempts, and potentially notify affected users to take precautionary measures like password changes or enabling multi-factor authentication. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic identifies instances where multiple users (more than 10 unique accounts) have failed to authenticate from a single IP address within a short time span (5 minutes). Such a pattern can be indicative of malicious activities, such as brute-force attacks or password spraying attempts. The detection leverages O365 audit logs, specifically focusing on Azure Active Directory login failures (AzureActiveDirectoryStsLogon). By aggregating these failures based on the source IP address and time, the analytic captures patterns where multiple unique user accounts have authentication failures from the same IP within a 5-minute window. Multiple authentication failures from a single IP address targeting various accounts can be a strong indicator of an attacker trying to gain unauthorized access. It could represent a brute-force attack, password spraying, or other malicious login attempts. Identifying and responding to such patterns promptly is crucial to prevent potential account compromises and unauthorized access to organizational resources. If the detection is a true positive, it suggests that an external entity is actively trying to breach the security by targeting multiple user accounts. While the attempts have been unsuccessful (as indicated by the login failures), it's a clear sign of malicious intent. Immediate action is required to block or monitor the suspicious IP, investigate the nature of the attempts, and potentially notify affected users to take precautionary measures like password changes or enabling multi-factor authentication. -action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -action.escu.known_false_positives = A source Ip failing to authenticate with multiple users in a short period of time is not common legitimate behavior. -action.escu.creation_date = 2024-03-19 -action.escu.modification_date = 2024-03-19 -action.escu.confidence = high -action.escu.full_search_name = ESCU - O365 Multiple Users Failing To Authenticate From Ip - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Office 365"] -action.escu.analytic_story = ["NOBELIUM Group", "Office 365 Account Takeover"] -action.risk = 1 -action.risk.param._risk_message = Source Ip $src_ip$ failed to authenticate with 20 users within 5 minutes. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 63}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - O365 Multiple Users Failing To Authenticate From Ip - Rule -action.correlationsearch.annotations = {"analytic_story": ["NOBELIUM Group", "Office 365 Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation", "Weaponization"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "8d486e2e-3235-4cfe-ac35-0d042e24ecb4", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic identifies instances where multiple users (more than 10 unique accounts) have failed to authenticate from a single IP address within a short time span (5 minutes). Such a pattern can be indicative of malicious activities, such as brute-force attacks or password spraying attempts. The detection leverages O365 audit logs, specifically focusing on Azure Active Directory login failures (AzureActiveDirectoryStsLogon). By aggregating these failures based on the source IP address and time, the analytic captures patterns where multiple unique user accounts have authentication failures from the same IP within a 5-minute window. Multiple authentication failures from a single IP address targeting various accounts can be a strong indicator of an attacker trying to gain unauthorized access. It could represent a brute-force attack, password spraying, or other malicious login attempts. Identifying and responding to such patterns promptly is crucial to prevent potential account compromises and unauthorized access to organizational resources. If the detection is a true positive, it suggests that an external entity is actively trying to breach the security by targeting multiple user accounts. While the attempts have been unsuccessful (as indicated by the login failures), it's a clear sign of malicious intent. Immediate action is required to block or monitor the suspicious IP, investigate the nature of the attempts, and potentially notify affected users to take precautionary measures like password changes or enabling multi-factor authentication. -action.notable.param.rule_title = O365 Multiple Users Failing To Authenticate From Ip -action.notable.param.security_domain = identity -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoginFailed ErrorNumber=50126 | bucket span=5m _time | stats dc(user) as unique_accounts values(user) as user values(LogonError) as LogonError values(signature) as signature values(UserAgent) as UserAgent by _time, src_ip | where unique_accounts > 10 | `o365_multiple_users_failing_to_authenticate_from_ip_filter` - -[ESCU - O365 New Email Forwarding Rule Created - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This detection is crafted to monitor and identify the creation of new email forwarding rules in an Office 365 environment. It specifically targets events logged under New-InboxRule and Set-InboxRule operations within o365_management_activity, indicating the establishment or modification of inbox rules that forward emails. The detection checks for the presence of parameters such as ForwardTo, ForwardAsAttachmentTo, and RedirectTo, which are key indicators of email forwarding behavior. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114", "T1114.003"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This detection is crafted to monitor and identify the creation of new email forwarding rules in an Office 365 environment. It specifically targets events logged under New-InboxRule and Set-InboxRule operations within o365_management_activity, indicating the establishment or modification of inbox rules that forward emails. The detection checks for the presence of parameters such as ForwardTo, ForwardAsAttachmentTo, and RedirectTo, which are key indicators of email forwarding behavior. -action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -action.escu.known_false_positives = Users may create email forwarding rules for legitimate purposes. Filter as needed. -action.escu.creation_date = 2024-03-27 -action.escu.modification_date = 2024-03-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - O365 New Email Forwarding Rule Created - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Office 365"] -action.escu.analytic_story = ["Office 365 Collection Techniques"] -action.risk = 1 -action.risk.param._risk_message = A forwarding email inbox rule was created for $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 42}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - O365 New Email Forwarding Rule Created - Rule -action.correlationsearch.annotations = {"analytic_story": ["Office 365 Collection Techniques"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114", "T1114.003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "68469fd0-1315-44ba-b7e4-e92847bb76d6", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This detection is crafted to monitor and identify the creation of new email forwarding rules in an Office 365 environment. It specifically targets events logged under New-InboxRule and Set-InboxRule operations within o365_management_activity, indicating the establishment or modification of inbox rules that forward emails. The detection checks for the presence of parameters such as ForwardTo, ForwardAsAttachmentTo, and RedirectTo, which are key indicators of email forwarding behavior. -action.notable.param.rule_title = O365 New Email Forwarding Rule Created -action.notable.param.security_domain = audit -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `o365_management_activity` (Operation=New-InboxRule OR Operation=set-InboxRule) | eval match1=mvfind('Parameters{}.Name', "ForwardTo") | eval match2=mvfind('Parameters{}.Name', "ForwardAsAttachmentTo") | eval match3=mvfind('Parameters{}.Name', "RedirectTo") | where match1>= 0 OR match2>= 0 OR match3>= 0 | eval ForwardTo=coalesce(ForwardTo, ForwardAsAttachmentTo, RedirectTo) | stats count min(_time) as firstTime max(_time) as lastTime values(Name) as Name by user Operation ForwardTo | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_new_email_forwarding_rule_created_filter` - -[ESCU - O365 New Email Forwarding Rule Enabled - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This detection aims to identify instances where new email forwarding rules are created through the UpdateInboxRules operation within an Office 365 environment. Despite the operation name suggesting an update, this specific scenario involves the addition of new rules that direct emails to external recipients, captured under the ForwardToRecipientsAction. The analytic examines the OperationProperties to extract and validate forwarding addresses, ensuring they adhere to the expected email format. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114", "T1114.003"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This detection aims to identify instances where new email forwarding rules are created through the UpdateInboxRules operation within an Office 365 environment. Despite the operation name suggesting an update, this specific scenario involves the addition of new rules that direct emails to external recipients, captured under the ForwardToRecipientsAction. The analytic examines the OperationProperties to extract and validate forwarding addresses, ensuring they adhere to the expected email format. -action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -action.escu.known_false_positives = Users may create email forwarding rules for legitimate purposes. Filter as needed. -action.escu.creation_date = 2024-03-28 -action.escu.modification_date = 2024-03-28 -action.escu.confidence = high -action.escu.full_search_name = ESCU - O365 New Email Forwarding Rule Enabled - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Office 365"] -action.escu.analytic_story = ["Office 365 Collection Techniques"] -action.risk = 1 -action.risk.param._risk_message = A forwarding email inbox rule was created for $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 42}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - O365 New Email Forwarding Rule Enabled - Rule -action.correlationsearch.annotations = {"analytic_story": ["Office 365 Collection Techniques"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114", "T1114.003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "ac7c4d0a-06a3-4278-aa59-88a5e537f981", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This detection aims to identify instances where new email forwarding rules are created through the UpdateInboxRules operation within an Office 365 environment. Despite the operation name suggesting an update, this specific scenario involves the addition of new rules that direct emails to external recipients, captured under the ForwardToRecipientsAction. The analytic examines the OperationProperties to extract and validate forwarding addresses, ensuring they adhere to the expected email format. -action.notable.param.rule_title = O365 New Email Forwarding Rule Enabled -action.notable.param.security_domain = audit -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `o365_management_activity` Workload=Exchange Operation=UpdateInboxRules | eval match1=mvfind('OperationProperties{}.Value', "ForwardToRecipientsAction") | eval match2=mvfind('OperationProperties{}.Value', "ForwardAsAttachmentToRecipientsAction") | eval match3=mvfind('OperationProperties{}.Value', "RedirectToRecipientsAction") | eval index = mvfind('OperationProperties{}.Name', "ServerRule") | where match1>= 0 OR match2>= 0 OR match3>= 0 | eval ServerRule = mvindex('OperationProperties{}.Value', index-1) | spath input=ServerRule path=Actions{}.Recipients{}.Values{}.Value output=valueExtracted | mvexpand valueExtracted | search valueExtracted="*@*.*" | eval ForwardTo=if(match(valueExtracted, "^[^@]+@[^@]+\\.[^@]+$"), valueExtracted, null) | dedup ForwardTo | where isnotnull(ForwardTo) | stats count min(_time) as firstTime max(_time) as lastTime values(Name) as Name by user Operation ForwardTo | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_new_email_forwarding_rule_enabled_filter` - -[ESCU - O365 New Federated Domain Added - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the addition of a new federated domain in an organization's Office 365 environment. This behavior is detected by analyzing the Office 365 management activity logs using the Splunk query o365_management_activity, specifically filtering for the Workload=Exchange and Operation="Add-FederatedDomain" parameters. The addition of a new federated domain can be a significant security concern, as it might indicate unauthorized changes or potential compromises within the Office 365 setup. Attackers, upon gaining sufficient privileges, could add a federated domain to establish a backdoor, bypass security measures, or exfiltrate data. Such unauthorized changes can lead to data breaches, unauthorized access to sensitive data, and potential compromise of organizational infrastructure. When this analytic is triggered, immediate steps should include reviewing the details of the added federated domain, such as the organization name, originating server, user ID, and user key. Concurrent processes or other indicators of compromise should also be investigated to pinpoint the source of the potential breach. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies the addition of a new federated domain in an organization's Office 365 environment. This behavior is detected by analyzing the Office 365 management activity logs using the Splunk query o365_management_activity, specifically filtering for the Workload=Exchange and Operation="Add-FederatedDomain" parameters. The addition of a new federated domain can be a significant security concern, as it might indicate unauthorized changes or potential compromises within the Office 365 setup. Attackers, upon gaining sufficient privileges, could add a federated domain to establish a backdoor, bypass security measures, or exfiltrate data. Such unauthorized changes can lead to data breaches, unauthorized access to sensitive data, and potential compromise of organizational infrastructure. When this analytic is triggered, immediate steps should include reviewing the details of the added federated domain, such as the organization name, originating server, user ID, and user key. Concurrent processes or other indicators of compromise should also be investigated to pinpoint the source of the potential breach. -action.escu.how_to_implement = You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity. -action.escu.known_false_positives = The creation of a new Federated domain is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a similar or different cloud provider. -action.escu.creation_date = 2023-08-02 -action.escu.modification_date = 2023-08-02 -action.escu.confidence = high -action.escu.full_search_name = ESCU - O365 New Federated Domain Added - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Office 365"] -action.escu.analytic_story = ["Cloud Federated Credential Abuse", "Office 365 Persistence Mechanisms"] -action.risk = 1 -action.risk.param._risk_message = User $user$ has added a new federated domain $new_value$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - O365 New Federated Domain Added - Rule -action.correlationsearch.annotations = {"analytic_story": ["Cloud Federated Credential Abuse", "Office 365 Persistence Mechanisms"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e155876a-6048-11eb-ae93-0242ac130002", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the addition of a new federated domain in an organization's Office 365 environment. This behavior is detected by analyzing the Office 365 management activity logs using the Splunk query o365_management_activity, specifically filtering for the Workload=Exchange and Operation="Add-FederatedDomain" parameters. The addition of a new federated domain can be a significant security concern, as it might indicate unauthorized changes or potential compromises within the Office 365 setup. Attackers, upon gaining sufficient privileges, could add a federated domain to establish a backdoor, bypass security measures, or exfiltrate data. Such unauthorized changes can lead to data breaches, unauthorized access to sensitive data, and potential compromise of organizational infrastructure. When this analytic is triggered, immediate steps should include reviewing the details of the added federated domain, such as the organization name, originating server, user ID, and user key. Concurrent processes or other indicators of compromise should also be investigated to pinpoint the source of the potential breach. -action.notable.param.rule_title = O365 New Federated Domain Added -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `o365_management_activity` Operation IN ("*add*", "*new*") AND Operation="*domain*" | stats count values(ModifiedProperties{}.NewValue) as new_value by user user_agent authentication_service action Workload Operation | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_new_federated_domain_added_filter` - -[ESCU - O365 New Forwarding Mailflow Rule Created - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic monitors for the creation of new mail flow rules in Office 365 that could potentially redirect or copy emails to unauthorized or external addresses. This analytic works by querying the Office 365 Management Activity logs for any operation tagged as "New-TransportRule". It specifically looks for parameters indicative of mail forwarding actions, such as "BlindCopyTo", "CopyTo", and "RedirectMessageTo". If any of these parameters are present, indicating that a forwarding rule has been set up, the detection then captures the details of this rule, including the user ID responsible for the creation, the name of the rule, the forwarding target, and the timestamps of the rule's creation and last modification. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic monitors for the creation of new mail flow rules in Office 365 that could potentially redirect or copy emails to unauthorized or external addresses. This analytic works by querying the Office 365 Management Activity logs for any operation tagged as "New-TransportRule". It specifically looks for parameters indicative of mail forwarding actions, such as "BlindCopyTo", "CopyTo", and "RedirectMessageTo". If any of these parameters are present, indicating that a forwarding rule has been set up, the detection then captures the details of this rule, including the user ID responsible for the creation, the name of the rule, the forwarding target, and the timestamps of the rule's creation and last modification. -action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -action.escu.known_false_positives = Forwarding mail flow rules may be created for legitimate reasons, filter as needed. -action.escu.creation_date = 2024-04-10 -action.escu.modification_date = 2024-04-10 -action.escu.confidence = high -action.escu.full_search_name = ESCU - O365 New Forwarding Mailflow Rule Created - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Office 365"] -action.escu.analytic_story = ["Office 365 Collection Techniques"] -action.risk = 1 -action.risk.param._risk_message = A new forwarding mailflow rule was created by $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 42}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - O365 New Forwarding Mailflow Rule Created - Rule -action.correlationsearch.annotations = {"analytic_story": ["Office 365 Collection Techniques"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "289ed0a1-4c78-4a43-9321-44ea2e089c14", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic monitors for the creation of new mail flow rules in Office 365 that could potentially redirect or copy emails to unauthorized or external addresses. This analytic works by querying the Office 365 Management Activity logs for any operation tagged as "New-TransportRule". It specifically looks for parameters indicative of mail forwarding actions, such as "BlindCopyTo", "CopyTo", and "RedirectMessageTo". If any of these parameters are present, indicating that a forwarding rule has been set up, the detection then captures the details of this rule, including the user ID responsible for the creation, the name of the rule, the forwarding target, and the timestamps of the rule's creation and last modification. -action.notable.param.rule_title = O365 New Forwarding Mailflow Rule Created -action.notable.param.security_domain = audit -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `o365_management_activity` Workload=Exchange Operation="New-TransportRule" | eval match1=mvfind('Parameters{}.Name', "BlindCopyTo") | eval match2=mvfind('Parameters{}.Name', "CopyTo") | eval match3=mvfind('Parameters{}.Name', "RedirectMessageTo") | where match1>= 0 OR match2>= 0 OR match3>=0 | eval ForwardTo=coalesce(BlindCopyTo, CopyTo, RedirectMessageTo) | search ForwardTo!="" | rename UserId as user | stats count earliest(_time) as firstTime latest(_time) as lastTime by Operation, user, Name, ForwardTo | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_new_forwarding_mailflow_rule_created_filter` - -[ESCU - O365 New MFA Method Registered - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic detects the registration of a new Multi-Factor Authentication (MFA) method associated with a user account within Office 365 by monitoring O365 audit logs and configurations. While adding a new MFA method can be a routine and legitimate action, it can also be indicative of an attacker's attempt to maintain persistence on a compromised account. By registering a new MFA method, attackers can potentially bypass existing security measures, allowing them to authenticate using stolen credentials without raising alarms. Monitoring for such changes is crucial, especially if the addition is not preceded by a user request or if it deviates from typical user behavior. If an attacker successfully registers a new MFA method on a compromised account, they can solidify their access, making it harder for legitimate users to regain control. The attacker can then operate with the privileges of the compromised account, potentially accessing sensitive data, making unauthorized changes, or even escalating their privileges further. Immediate action would be required to verify the legitimacy of the MFA change and, if malicious, to remediate and secure the affected account. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098", "T1098.005"], "nist": ["DE.CM"]} -action.escu.data_models = ["Authentication"] -action.escu.eli5 = This analytic detects the registration of a new Multi-Factor Authentication (MFA) method associated with a user account within Office 365 by monitoring O365 audit logs and configurations. While adding a new MFA method can be a routine and legitimate action, it can also be indicative of an attacker's attempt to maintain persistence on a compromised account. By registering a new MFA method, attackers can potentially bypass existing security measures, allowing them to authenticate using stolen credentials without raising alarms. Monitoring for such changes is crucial, especially if the addition is not preceded by a user request or if it deviates from typical user behavior. If an attacker successfully registers a new MFA method on a compromised account, they can solidify their access, making it harder for legitimate users to regain control. The attacker can then operate with the privileges of the compromised account, potentially accessing sensitive data, making unauthorized changes, or even escalating their privileges further. Immediate action would be required to verify the legitimacy of the MFA change and, if malicious, to remediate and secure the affected account. -action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -action.escu.known_false_positives = Users may register MFA methods legitimally, investigate and filter as needed. -action.escu.creation_date = 2023-10-20 -action.escu.modification_date = 2023-10-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - O365 New MFA Method Registered - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Office 365"] -action.escu.analytic_story = ["Office 365 Persistence Mechanisms"] -action.risk = 1 -action.risk.param._risk_message = A new MFA method was added for $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 30}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - O365 New MFA Method Registered - Rule -action.correlationsearch.annotations = {"analytic_story": ["Office 365 Persistence Mechanisms"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098", "T1098.005"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "4e12db1f-f7c7-486d-8152-a221cad6ac2b", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic detects the registration of a new Multi-Factor Authentication (MFA) method associated with a user account within Office 365 by monitoring O365 audit logs and configurations. While adding a new MFA method can be a routine and legitimate action, it can also be indicative of an attacker's attempt to maintain persistence on a compromised account. By registering a new MFA method, attackers can potentially bypass existing security measures, allowing them to authenticate using stolen credentials without raising alarms. Monitoring for such changes is crucial, especially if the addition is not preceded by a user request or if it deviates from typical user behavior. If an attacker successfully registers a new MFA method on a compromised account, they can solidify their access, making it harder for legitimate users to regain control. The attacker can then operate with the privileges of the compromised account, potentially accessing sensitive data, making unauthorized changes, or even escalating their privileges further. Immediate action would be required to verify the legitimacy of the MFA change and, if malicious, to remediate and secure the affected account. -action.notable.param.rule_title = O365 New MFA Method Registered -action.notable.param.security_domain = identity -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `o365_management_activity` Workload=AzureActiveDirectory Operation="Update user." | eval propertyName = mvindex('ModifiedProperties{}.Name', 0) | search propertyName = StrongAuthenticationMethod | eval oldvalue = mvindex('ModifiedProperties{}.OldValue',0) | eval newvalue = mvindex('ModifiedProperties{}.NewValue',0) | rex field=newvalue max_match=0 "(?i)(?\"MethodType\")" | rex field=oldvalue max_match=0 "(?i)(?\"MethodType\")" | eval count_new_method_type = coalesce(mvcount(new_method_type), 0) | eval count_old_method_type = coalesce(mvcount(old_method_type), 0) | where count_new_method_type > count_old_method_type | stats earliest(_time) as firstTime latest(_time) as lastTime values(propertyName) by user newvalue oldvalue | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_new_mfa_method_registered_filter` - -[ESCU - O365 OAuth App Mailbox Access via EWS - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects when emails are accessed in Office 365 Exchange via Exchange Web Services (EWS), as indicated by the ClientInfoString field starting with "Client=WebServices;ExchangeWebServices". It monitors mailbox activities, focusing on OAuth-authenticated applications that interact with EWS. The query aggregates key metrics such as access counts, timing, and client IP addresses, categorized by user, ClientAppId, OperationCount, and AppId. For defenders, it is critical to keep track of OAuth applications using EWS to access emails, as this information is instrumental in identifying and preventing potential abuse or unauthorized data access. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114.002"], "nist": ["DE.CM"]} -action.escu.data_models = ["Web"] -action.escu.eli5 = The following analytic detects when emails are accessed in Office 365 Exchange via Exchange Web Services (EWS), as indicated by the ClientInfoString field starting with "Client=WebServices;ExchangeWebServices". It monitors mailbox activities, focusing on OAuth-authenticated applications that interact with EWS. The query aggregates key metrics such as access counts, timing, and client IP addresses, categorized by user, ClientAppId, OperationCount, and AppId. For defenders, it is critical to keep track of OAuth applications using EWS to access emails, as this information is instrumental in identifying and preventing potential abuse or unauthorized data access. -action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -action.escu.known_false_positives = OAuth applications may access mailboxes for legitimate purposes, you can use the src_ip to add trusted sources to an allow list. -action.escu.creation_date = 2024-01-31 -action.escu.modification_date = 2024-01-31 -action.escu.confidence = high -action.escu.full_search_name = ESCU - O365 OAuth App Mailbox Access via EWS - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Office 365"] -action.escu.analytic_story = ["NOBELIUM Group", "Office 365 Collection Techniques"] -action.risk = 1 -action.risk.param._risk_message = An OAuth application identified with id $ClientAppId$ accesed mailboxes through the Graph API. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 42}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - O365 OAuth App Mailbox Access via EWS - Rule -action.correlationsearch.annotations = {"analytic_story": ["NOBELIUM Group", "Office 365 Collection Techniques"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114.002"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e600cf1a-0bef-4426-b42e-00176d610a4d", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects when emails are accessed in Office 365 Exchange via Exchange Web Services (EWS), as indicated by the ClientInfoString field starting with "Client=WebServices;ExchangeWebServices". It monitors mailbox activities, focusing on OAuth-authenticated applications that interact with EWS. The query aggregates key metrics such as access counts, timing, and client IP addresses, categorized by user, ClientAppId, OperationCount, and AppId. For defenders, it is critical to keep track of OAuth applications using EWS to access emails, as this information is instrumental in identifying and preventing potential abuse or unauthorized data access. -action.notable.param.rule_title = O365 OAuth App Mailbox Access via EWS -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `o365_management_activity` Workload=Exchange Operation=MailItemsAccessed AppId=* ClientAppId=* | regex ClientInfoString="^Client=WebServices;ExchangeWebServices" | stats count earliest(_time) as firstTime latest(_time) as lastTime values(ClientIPAddress) as src_ip by user ClientAppId OperationCount AppId ClientInfoString | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_oauth_app_mailbox_access_via_ews_filter` - -[ESCU - O365 OAuth App Mailbox Access via Graph API - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This Splunk analytic detects when emails are accessed in Office 365 Exchange via the Microsoft Graph API, identified by the client ID '00000003-0000-0000-c000-000000000000'. It tracks the 'MailItemsAccessed' operation within the Exchange workload, focusing on OAuth-authenticated applications. The query compiles statistics on access frequency, timing, and client IP addresses, organized by user, client application ID, and AppId. For defenders, it's crucial to maintain an inventory of all OAuth applications that read emails, using this data to scrutinize and identify any potential abusive access patterns. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114.002"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This Splunk analytic detects when emails are accessed in Office 365 Exchange via the Microsoft Graph API, identified by the client ID '00000003-0000-0000-c000-000000000000'. It tracks the 'MailItemsAccessed' operation within the Exchange workload, focusing on OAuth-authenticated applications. The query compiles statistics on access frequency, timing, and client IP addresses, organized by user, client application ID, and AppId. For defenders, it's crucial to maintain an inventory of all OAuth applications that read emails, using this data to scrutinize and identify any potential abusive access patterns. -action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -action.escu.known_false_positives = OAuth applications may access mailboxes for legitimate purposes, you can use the ClientAppId to add trusted applications to an allow list. -action.escu.creation_date = 2024-01-31 -action.escu.modification_date = 2024-01-31 -action.escu.confidence = high -action.escu.full_search_name = ESCU - O365 OAuth App Mailbox Access via Graph API - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Office 365"] -action.escu.analytic_story = ["NOBELIUM Group", "Office 365 Collection Techniques"] -action.risk = 1 -action.risk.param._risk_message = An OAuth application identified with id $ClientAppId$ accesed mailboxes through the Graph API. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 42}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - O365 OAuth App Mailbox Access via Graph API - Rule -action.correlationsearch.annotations = {"analytic_story": ["NOBELIUM Group", "Office 365 Collection Techniques"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114.002"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "9db0d5b0-4058-4cb7-baaf-77d8143539a2", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This Splunk analytic detects when emails are accessed in Office 365 Exchange via the Microsoft Graph API, identified by the client ID '00000003-0000-0000-c000-000000000000'. It tracks the 'MailItemsAccessed' operation within the Exchange workload, focusing on OAuth-authenticated applications. The query compiles statistics on access frequency, timing, and client IP addresses, organized by user, client application ID, and AppId. For defenders, it's crucial to maintain an inventory of all OAuth applications that read emails, using this data to scrutinize and identify any potential abusive access patterns. -action.notable.param.rule_title = O365 OAuth App Mailbox Access via Graph API -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `o365_management_activity` Workload=Exchange Operation=MailItemsAccessed AppId=* AppId=00000003-0000-0000-c000-000000000000 | stats count earliest(_time) as firstTime latest(_time) as lastTime values(ClientIPAddress) by user ClientAppId OperationCount AppId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_oauth_app_mailbox_access_via_graph_api_filter` - -[ESCU - O365 Privileged Graph API Permission Assigned - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This Splunk analytic detects the assignment of critical Graph API permissions in Azure AD using O365 Unified Audit Log as its data source. It focuses on three permissions, Application.ReadWrite.All (Entitlement ID 1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9), AppRoleAssignment.ReadWrite.All (06b708a9-e830-4db3-a914-8e69da51d44f), and RoleManagement.ReadWrite.Directory (9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8). These permissions, crucial for controlling Azure AD settings, pose a high risk if misused. The query monitors Azure Active Directory workload events in the Office 365 Management Activity, specifically 'Update application' operations. It extracts and analyzes data to spot when these permissions are granted, gathering details about the user, object, and user agent involved. Due to the significant control these permissions provide, immediate investigation is crucial upon detection to prevent unauthorized modifications. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This Splunk analytic detects the assignment of critical Graph API permissions in Azure AD using O365 Unified Audit Log as its data source. It focuses on three permissions, Application.ReadWrite.All (Entitlement ID 1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9), AppRoleAssignment.ReadWrite.All (06b708a9-e830-4db3-a914-8e69da51d44f), and RoleManagement.ReadWrite.Directory (9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8). These permissions, crucial for controlling Azure AD settings, pose a high risk if misused. The query monitors Azure Active Directory workload events in the Office 365 Management Activity, specifically 'Update application' operations. It extracts and analyzes data to spot when these permissions are granted, gathering details about the user, object, and user agent involved. Due to the significant control these permissions provide, immediate investigation is crucial upon detection to prevent unauthorized modifications. -action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -action.escu.known_false_positives = Privileged Graph API permissions may be assigned for legitimate purposes. Filter as needed. -action.escu.creation_date = 2024-01-30 -action.escu.modification_date = 2024-01-30 -action.escu.confidence = high -action.escu.full_search_name = ESCU - O365 Privileged Graph API Permission Assigned - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Office 365"] -action.escu.analytic_story = ["NOBELIUM Group", "Office 365 Persistence Mechanisms"] -action.risk = 1 -action.risk.param._risk_message = User $user$ assigned privileged Graph API permissions to $object$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 54}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - O365 Privileged Graph API Permission Assigned - Rule -action.correlationsearch.annotations = {"analytic_story": ["NOBELIUM Group", "Office 365 Persistence Mechanisms"], "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "868f3131-d5e1-4bf1-af5b-9b0fbaaaedbb", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This Splunk analytic detects the assignment of critical Graph API permissions in Azure AD using O365 Unified Audit Log as its data source. It focuses on three permissions, Application.ReadWrite.All (Entitlement ID 1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9), AppRoleAssignment.ReadWrite.All (06b708a9-e830-4db3-a914-8e69da51d44f), and RoleManagement.ReadWrite.Directory (9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8). These permissions, crucial for controlling Azure AD settings, pose a high risk if misused. The query monitors Azure Active Directory workload events in the Office 365 Management Activity, specifically 'Update application' operations. It extracts and analyzes data to spot when these permissions are granted, gathering details about the user, object, and user agent involved. Due to the significant control these permissions provide, immediate investigation is crucial upon detection to prevent unauthorized modifications. -action.notable.param.rule_title = O365 Privileged Graph API Permission Assigned -action.notable.param.security_domain = identity -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `o365_management_activity` Workload=AzureActiveDirectory Operation="Update application." | eval newvalue = mvindex('ModifiedProperties{}.NewValue',0) | spath input=newvalue | search "{}.RequiredAppPermissions{}.EntitlementId"="1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9" OR "{}.RequiredAppPermissions{}.EntitlementId"="06b708a9-e830-4db3-a914-8e69da51d44f" OR "{}.RequiredAppPermissions{}.EntitlementId"="9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8" | eval Permissions = '{}.RequiredAppPermissions{}.EntitlementId' | stats count earliest(_time) as firstTime latest(_time) as lastTime values(Permissions) by user, object, user_agent, Operation | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_privileged_graph_api_permission_assigned_filter` - -[ESCU - O365 PST export alert - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic detects instances where a user has initiated an eDiscovery search or exported a PST file from the search results in an Office 365 environment. The detection leverages the Office 365 management activity logs, specifically filtering for events categorized under ThreatManagement with the name eDiscovery search started or exported. The initiation of an eDiscovery search or the export of a PST file can be indicative of data exfiltration attempts or unauthorized access to sensitive information. PST files often contain a wealth of sensitive data, including the content of emails. Monitoring for such activities is crucial as they can expose sensitive organizational communications and data. If confirmed as a malicious activity, it suggests that an attacker or insider threat is attempting to gather or exfiltrate data. This can lead to data breaches, loss of intellectual property, or unauthorized access to confidential communications. Immediate investigation is required to determine the scope and intent of the activity and to take appropriate remedial actions. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic detects instances where a user has initiated an eDiscovery search or exported a PST file from the search results in an Office 365 environment. The detection leverages the Office 365 management activity logs, specifically filtering for events categorized under ThreatManagement with the name eDiscovery search started or exported. The initiation of an eDiscovery search or the export of a PST file can be indicative of data exfiltration attempts or unauthorized access to sensitive information. PST files often contain a wealth of sensitive data, including the content of emails. Monitoring for such activities is crucial as they can expose sensitive organizational communications and data. If confirmed as a malicious activity, it suggests that an attacker or insider threat is attempting to gather or exfiltrate data. This can lead to data breaches, loss of intellectual property, or unauthorized access to confidential communications. Immediate investigation is required to determine the scope and intent of the activity and to take appropriate remedial actions. -action.escu.how_to_implement = You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity -action.escu.known_false_positives = PST export can be done for legitimate purposes but due to the sensitive nature of its content it must be monitored. -action.escu.creation_date = 2020-12-16 -action.escu.modification_date = 2020-12-16 -action.escu.confidence = high -action.escu.full_search_name = ESCU - O365 PST export alert - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Office 365"] -action.escu.analytic_story = ["Data Exfiltration", "Office 365 Collection Techniques"] -action.risk = 1 -action.risk.param._risk_message = User $Source$ has exported a PST file from the search using this operation- $Operation$ with a severity of $Severity$ -action.risk.param._risk = [{"risk_object_field": "Source", "risk_object_type": "user", "risk_score": 48}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - O365 PST export alert - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Exfiltration", "Office 365 Collection Techniques"], "cis20": ["CIS 10"], "confidence": 60, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "5f694cc4-a678-4a60-9410-bffca1b647dc", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic detects instances where a user has initiated an eDiscovery search or exported a PST file from the search results in an Office 365 environment. The detection leverages the Office 365 management activity logs, specifically filtering for events categorized under ThreatManagement with the name eDiscovery search started or exported. The initiation of an eDiscovery search or the export of a PST file can be indicative of data exfiltration attempts or unauthorized access to sensitive information. PST files often contain a wealth of sensitive data, including the content of emails. Monitoring for such activities is crucial as they can expose sensitive organizational communications and data. If confirmed as a malicious activity, it suggests that an attacker or insider threat is attempting to gather or exfiltrate data. This can lead to data breaches, loss of intellectual property, or unauthorized access to confidential communications. Immediate investigation is required to determine the scope and intent of the activity and to take appropriate remedial actions. -action.notable.param.rule_title = O365 PST export alert -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `o365_management_activity` Category=ThreatManagement Name="eDiscovery search started or exported" | stats count earliest(_time) as firstTime latest(_time) as lastTime by Source Severity AlertEntityId Operation Name |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `o365_pst_export_alert_filter` - -[ESCU - O365 Security And Compliance Alert Triggered - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following detection is tailored to identify and act upon alerts generated by the Office 365 Security and Compliance Center, encompassing a broad spectrum of security and compliance issues indicative of potential threats or policy violations within the O365 workspace. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078", "T1078.004"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following detection is tailored to identify and act upon alerts generated by the Office 365 Security and Compliance Center, encompassing a broad spectrum of security and compliance issues indicative of potential threats or policy violations within the O365 workspace. -action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -action.escu.known_false_positives = O365 Security and Compliance may also generate false positives or trigger on legitimate behavior, filter as needed. -action.escu.creation_date = 2024-03-25 -action.escu.modification_date = 2024-03-25 -action.escu.confidence = high -action.escu.full_search_name = ESCU - O365 Security And Compliance Alert Triggered - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Office 365"] -action.escu.analytic_story = ["Office 365 Account Takeover"] -action.risk = 1 -action.risk.param._risk_message = Security and Compliance triggered an alert for $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 48}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - O365 Security And Compliance Alert Triggered - Rule -action.correlationsearch.annotations = {"analytic_story": ["Office 365 Account Takeover"], "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078", "T1078.004"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "5b367cdd-8dfc-49ac-a9b7-6406cf27f33e", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following detection is tailored to identify and act upon alerts generated by the Office 365 Security and Compliance Center, encompassing a broad spectrum of security and compliance issues indicative of potential threats or policy violations within the O365 workspace. -action.notable.param.rule_title = O365 Security And Compliance Alert Triggered -action.notable.param.security_domain = identity -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `o365_management_activity` Workload=SecurityComplianceCenter Category=ThreatManagement Operation=AlertTriggered | spath input=Data path=f3u output=user | spath input=Data path=op output=operation | spath input=_raw path=wl | spath input=Data path=rid output=rule_id | spath input=Data path=ad output=alert_description | spath input=Data path=lon output=operation_name | spath input=Data path=an output=alert_name | spath input=Data path=sev output=severity | stats count earliest(_time) as firstTime latest(_time) as lastTime by user, Name, operation, rule_id, alert_description, alert_name, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_security_and_compliance_alert_triggered_filter` - -[ESCU - O365 Service Principal New Client Credentials - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the addition of new credentials for Service Principals in addition to existing legitimate credentials within a Office 365 tenant. These credentials include both x509 certificates and passwords. It leverages O365 audit logs, specifically events related to credential modifications or additions within the AzureActiveDirectory workload for service principals. Service principals represent application identities in Office 365 / AzureAD, and their credentials allow applications to authenticate and access resources. Adding new credentials or modifying existing ones can be an indication of configuration changes, but it can also be a sign of malicious intent If an attacker successfully adds or modifies credentials for a service principal, they can potentially use those credentials to authenticate as the application, gaining access to resources and data the application is permitted to access. This can lead to unauthorized data access, data exfiltration, or malicious operations performed under the guise of the application -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098", "T1098.001"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies the addition of new credentials for Service Principals in addition to existing legitimate credentials within a Office 365 tenant. These credentials include both x509 certificates and passwords. It leverages O365 audit logs, specifically events related to credential modifications or additions within the AzureActiveDirectory workload for service principals. Service principals represent application identities in Office 365 / AzureAD, and their credentials allow applications to authenticate and access resources. Adding new credentials or modifying existing ones can be an indication of configuration changes, but it can also be a sign of malicious intent If an attacker successfully adds or modifies credentials for a service principal, they can potentially use those credentials to authenticate as the application, gaining access to resources and data the application is permitted to access. This can lead to unauthorized data access, data exfiltration, or malicious operations performed under the guise of the application -action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -action.escu.known_false_positives = Service Principal client credential modifications may be part of legitimate administrative operations. Filter as needed. -action.escu.creation_date = 2023-08-31 -action.escu.modification_date = 2023-08-31 -action.escu.confidence = high -action.escu.full_search_name = ESCU - O365 Service Principal New Client Credentials - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Office 365"] -action.escu.analytic_story = ["NOBELIUM Group", "Office 365 Persistence Mechanisms"] -action.risk = 1 -action.risk.param._risk_message = New credentials added for Service Principal $object$ -action.risk.param._risk = [{"risk_object_field": "object", "risk_object_type": "user", "risk_score": 35}, {"risk_object_field": "user", "risk_object_type": "other", "risk_score": 35}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - O365 Service Principal New Client Credentials - Rule -action.correlationsearch.annotations = {"analytic_story": ["NOBELIUM Group", "Office 365 Persistence Mechanisms"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098", "T1098.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a1b229e9-d962-4222-8c62-905a8a010453", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the addition of new credentials for Service Principals in addition to existing legitimate credentials within a Office 365 tenant. These credentials include both x509 certificates and passwords. It leverages O365 audit logs, specifically events related to credential modifications or additions within the AzureActiveDirectory workload for service principals. Service principals represent application identities in Office 365 / AzureAD, and their credentials allow applications to authenticate and access resources. Adding new credentials or modifying existing ones can be an indication of configuration changes, but it can also be a sign of malicious intent If an attacker successfully adds or modifies credentials for a service principal, they can potentially use those credentials to authenticate as the application, gaining access to resources and data the application is permitted to access. This can lead to unauthorized data access, data exfiltration, or malicious operations performed under the guise of the application -action.notable.param.rule_title = O365 Service Principal New Client Credentials -action.notable.param.security_domain = identity -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `o365_management_activity` Workload=AzureActiveDirectory Operation="Update application*Certificates and secrets management " | stats earliest(_time) as firstTime latest(_time) as lastTime by user ModifiedProperties{}.NewValue object ObjectId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_service_principal_new_client_credentials_filter` - -[ESCU - O365 Tenant Wide Admin Consent Granted - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies instances where admin consent is granted to an application within an Azure AD and Office 365 tenant. It leverages O365 audit logs, specifically events related to the admin consent action within the AzureActiveDirectory workload. The admin consent action allows applications to access data across the entire tenant, potentially encompassing a vast amount of organizational data. Given its broad scope and the sensitivity of some permissions that can only be granted via admin consent, it's crucial to monitor this action. Unauthorized or inadvertent granting of admin consent can lead to significant security risks, including data breaches, unauthorized data access, and potential compliance violations. If an attacker successfully tricks an administrator into granting admin consent to a malicious or compromised application, they can gain extensive and persistent access to organizational data. This can lead to data exfiltration, espionage, further malicious activities within the tenant, and potential breaches of compliance regulations -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies instances where admin consent is granted to an application within an Azure AD and Office 365 tenant. It leverages O365 audit logs, specifically events related to the admin consent action within the AzureActiveDirectory workload. The admin consent action allows applications to access data across the entire tenant, potentially encompassing a vast amount of organizational data. Given its broad scope and the sensitivity of some permissions that can only be granted via admin consent, it's crucial to monitor this action. Unauthorized or inadvertent granting of admin consent can lead to significant security risks, including data breaches, unauthorized data access, and potential compliance violations. If an attacker successfully tricks an administrator into granting admin consent to a malicious or compromised application, they can gain extensive and persistent access to organizational data. This can lead to data exfiltration, espionage, further malicious activities within the tenant, and potential breaches of compliance regulations -action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -action.escu.known_false_positives = Legitimate applications may be granted tenant wide consent, filter as needed. -action.escu.creation_date = 2023-09-06 -action.escu.modification_date = 2023-09-06 -action.escu.confidence = high -action.escu.full_search_name = ESCU - O365 Tenant Wide Admin Consent Granted - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Office 365"] -action.escu.analytic_story = ["NOBELIUM Group", "Office 365 Persistence Mechanisms"] -action.risk = 1 -action.risk.param._risk_message = The $object$ application registration was granted tenant wide admin consent. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 45}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - O365 Tenant Wide Admin Consent Granted - Rule -action.correlationsearch.annotations = {"analytic_story": ["NOBELIUM Group", "Office 365 Persistence Mechanisms"], "cis20": ["CIS 10"], "confidence": 50, "impact": 90, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "50eaabf8-5180-4e86-bfb2-011472c359fc", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies instances where admin consent is granted to an application within an Azure AD and Office 365 tenant. It leverages O365 audit logs, specifically events related to the admin consent action within the AzureActiveDirectory workload. The admin consent action allows applications to access data across the entire tenant, potentially encompassing a vast amount of organizational data. Given its broad scope and the sensitivity of some permissions that can only be granted via admin consent, it's crucial to monitor this action. Unauthorized or inadvertent granting of admin consent can lead to significant security risks, including data breaches, unauthorized data access, and potential compliance violations. If an attacker successfully tricks an administrator into granting admin consent to a malicious or compromised application, they can gain extensive and persistent access to organizational data. This can lead to data exfiltration, espionage, further malicious activities within the tenant, and potential breaches of compliance regulations -action.notable.param.rule_title = O365 Tenant Wide Admin Consent Granted -action.notable.param.security_domain = identity -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `o365_management_activity` Operation="Consent to application." | eval new_field=mvindex('ModifiedProperties{}.NewValue', 4) | rex field=new_field "ConsentType: (?[^\,]+)" | rex field=new_field "Scope: (?[^\,]+)" | search ConsentType = "AllPrincipals" | stats count min(_time) as firstTime max(_time) as lastTime by Operation, user, object, ObjectId, ConsentType, Scope | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_tenant_wide_admin_consent_granted_filter` - -[ESCU - O365 User Consent Blocked for Risky Application - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies instances where Office 365 has blocked a user's attempt to grant consent to an application deemed risky or potentially malicious. This suggests that the application has exhibited behaviors or characteristics that are commonly associated with malicious intent or poses a security risk. This detection leverages the O365 audit logs, specifically focusing on events related to user consent actions and system-driven blocks. By filtering for blocked consent actions associated with applications, the analytic highlights instances where O365's built-in security measures have intervened. Applications that are flagged and blocked by O365 typically exhibit suspicious characteristics or behaviors. Monitoring for these blocked consent attempts helps security teams identify potential threats early on and can provide insights into users who might be targeted or susceptible to such risky applications. It's an essential layer of defense in ensuring that malicious or risky applications don't gain access to organizational data. If the detection is a true positive, it indicates that the built-in security measures of O365 successfully prevented a potentially harmful application from gaining access. However, the attempt itself suggests that either a user might be targeted or that there's a presence of malicious applications trying to infiltrate the organization. Immediate investigation is required to understand the context of the block and to take further preventive measures. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1528"], "nist": ["DE.CM"]} -action.escu.data_models = ["Risk"] -action.escu.eli5 = The following analytic identifies instances where Office 365 has blocked a user's attempt to grant consent to an application deemed risky or potentially malicious. This suggests that the application has exhibited behaviors or characteristics that are commonly associated with malicious intent or poses a security risk. This detection leverages the O365 audit logs, specifically focusing on events related to user consent actions and system-driven blocks. By filtering for blocked consent actions associated with applications, the analytic highlights instances where O365's built-in security measures have intervened. Applications that are flagged and blocked by O365 typically exhibit suspicious characteristics or behaviors. Monitoring for these blocked consent attempts helps security teams identify potential threats early on and can provide insights into users who might be targeted or susceptible to such risky applications. It's an essential layer of defense in ensuring that malicious or risky applications don't gain access to organizational data. If the detection is a true positive, it indicates that the built-in security measures of O365 successfully prevented a potentially harmful application from gaining access. However, the attempt itself suggests that either a user might be targeted or that there's a presence of malicious applications trying to infiltrate the organization. Immediate investigation is required to understand the context of the block and to take further preventive measures. -action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -action.escu.known_false_positives = Microsofts algorithm to identify risky applications is unknown and may flag legitimate applications. -action.escu.creation_date = 2023-10-11 -action.escu.modification_date = 2023-10-11 -action.escu.confidence = high -action.escu.full_search_name = ESCU - O365 User Consent Blocked for Risky Application - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Office 365"] -action.escu.analytic_story = ["Office 365 Account Takeover"] -action.risk = 1 -action.risk.param._risk_message = O365 has blocked $user$ attempt to grant to consent to an application deemed risky. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 30}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - O365 User Consent Blocked for Risky Application - Rule -action.correlationsearch.annotations = {"analytic_story": ["Office 365 Account Takeover"], "cis20": ["CIS 10"], "confidence": 100, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1528"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "242e4d30-cb59-4051-b0cf-58895e218f40", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies instances where Office 365 has blocked a user's attempt to grant consent to an application deemed risky or potentially malicious. This suggests that the application has exhibited behaviors or characteristics that are commonly associated with malicious intent or poses a security risk. This detection leverages the O365 audit logs, specifically focusing on events related to user consent actions and system-driven blocks. By filtering for blocked consent actions associated with applications, the analytic highlights instances where O365's built-in security measures have intervened. Applications that are flagged and blocked by O365 typically exhibit suspicious characteristics or behaviors. Monitoring for these blocked consent attempts helps security teams identify potential threats early on and can provide insights into users who might be targeted or susceptible to such risky applications. It's an essential layer of defense in ensuring that malicious or risky applications don't gain access to organizational data. If the detection is a true positive, it indicates that the built-in security measures of O365 successfully prevented a potentially harmful application from gaining access. However, the attempt itself suggests that either a user might be targeted or that there's a presence of malicious applications trying to infiltrate the organization. Immediate investigation is required to understand the context of the block and to take further preventive measures. -action.notable.param.rule_title = O365 User Consent Blocked for Risky Application -action.notable.param.security_domain = identity -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `o365_management_activity` Workload=AzureActiveDirectory Operation="Consent to application." ResultStatus=Failure | eval permissions =mvindex('ModifiedProperties{}.NewValue', 4) | eval reason =mvindex('ModifiedProperties{}.NewValue', 5) | search reason = "Risky application detected" | rex field=permissions "Scope: (?[^,]+)" | stats max(_time) as lastTime by Operation, user, reason, object, Scope | `security_content_ctime(lastTime)` | `o365_user_consent_blocked_for_risky_application_filter` - -[ESCU - O365 User Consent Denied for OAuth Application - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies instances where a user has actively denied consent to an OAuth application seeking permissions within the Office 365 environment. This suggests that the user either recognized something suspicious about the application or chose not to grant it the requested permissions for other reasons. This detection leverages the O365 audit logs, specifically focusing on events related to user consent actions. By filtering for denied consent actions associated with OAuth applications, the analytic captures instances where users have actively rejected permission requests. While user-denied consents can be routine, they can also be indicative of users spotting potentially suspicious or unfamiliar applications. By monitoring these denied consent attempts, security teams can gain insights into applications that might be perceived as risky or untrusted by users. It can also serve as a feedback loop for security awareness training, indicating that users are being cautious about granting permissions. If the detection is a true positive, it indicates that a user has actively prevented an OAuth application from gaining the permissions it requested. While this is a proactive security measure on the user's part, it's essential for security teams to review the context of the denial. Understanding why certain applications are being denied can help in refining application whitelisting policies and ensuring that no malicious applications are attempting to gain access. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1528"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies instances where a user has actively denied consent to an OAuth application seeking permissions within the Office 365 environment. This suggests that the user either recognized something suspicious about the application or chose not to grant it the requested permissions for other reasons. This detection leverages the O365 audit logs, specifically focusing on events related to user consent actions. By filtering for denied consent actions associated with OAuth applications, the analytic captures instances where users have actively rejected permission requests. While user-denied consents can be routine, they can also be indicative of users spotting potentially suspicious or unfamiliar applications. By monitoring these denied consent attempts, security teams can gain insights into applications that might be perceived as risky or untrusted by users. It can also serve as a feedback loop for security awareness training, indicating that users are being cautious about granting permissions. If the detection is a true positive, it indicates that a user has actively prevented an OAuth application from gaining the permissions it requested. While this is a proactive security measure on the user's part, it's essential for security teams to review the context of the denial. Understanding why certain applications are being denied can help in refining application whitelisting policies and ensuring that no malicious applications are attempting to gain access. -action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 events. -action.escu.known_false_positives = OAuth applications that require mail permissions may be legitimate, investigate and filter as needed. -action.escu.creation_date = 2023-10-12 -action.escu.modification_date = 2023-10-12 -action.escu.confidence = high -action.escu.full_search_name = ESCU - O365 User Consent Denied for OAuth Application - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Office 365"] -action.escu.analytic_story = ["Office 365 Account Takeover"] -action.risk = 1 -action.risk.param._risk_message = User $user$ denifed consent for an OAuth application. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 30}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - O365 User Consent Denied for OAuth Application - Rule -action.correlationsearch.annotations = {"analytic_story": ["Office 365 Account Takeover"], "cis20": ["CIS 10"], "confidence": 100, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1528"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "2d8679ef-b075-46be-8059-c25116cb1072", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies instances where a user has actively denied consent to an OAuth application seeking permissions within the Office 365 environment. This suggests that the user either recognized something suspicious about the application or chose not to grant it the requested permissions for other reasons. This detection leverages the O365 audit logs, specifically focusing on events related to user consent actions. By filtering for denied consent actions associated with OAuth applications, the analytic captures instances where users have actively rejected permission requests. While user-denied consents can be routine, they can also be indicative of users spotting potentially suspicious or unfamiliar applications. By monitoring these denied consent attempts, security teams can gain insights into applications that might be perceived as risky or untrusted by users. It can also serve as a feedback loop for security awareness training, indicating that users are being cautious about granting permissions. If the detection is a true positive, it indicates that a user has actively prevented an OAuth application from gaining the permissions it requested. While this is a proactive security measure on the user's part, it's essential for security teams to review the context of the denial. Understanding why certain applications are being denied can help in refining application whitelisting policies and ensuring that no malicious applications are attempting to gain access. -action.notable.param.rule_title = O365 User Consent Denied for OAuth Application -action.notable.param.security_domain = identity -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `o365_graph` status.errorCode=65004 | rename userPrincipalName as user | rename ipAddress as src_ip | stats max(_time) as lastTime by user src_ip appDisplayName status.failureReason | `security_content_ctime(lastTime)` | `o365_user_consent_denied_for_oauth_application_filter` - -[ESCU - Risk Rule for Dev Sec Ops by Repository - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects by correlating repository and risk score to identify patterns and trends in the data based on the level of risk associated. The analytic adds any null values and calculates the sum of the risk scores for each detection. Then, the analytic captures the source and user information for each detection and sorts the results in ascending order based on the risk score. Finally, the analytic filters the detections with a risk score below 80 and focuses only on high-risk detections.This detection is important because it provides valuable insights into the distribution of high-risk activities across different repositories. It also identifies the most vulnerable repositories that are frequently targeted by potential threats. Additionally, it proactively detects and responds to potential threats, thereby minimizing the impact of attacks and safeguarding critical assets. Finally, it provides a comprehensive view of the risk landscape and helps to make informed decisions to protect the organization's data and infrastructure. False positives might occur so it is important to identify the impact of the attack and prioritize response and mitigation efforts. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]} -action.escu.data_models = ["Risk"] -action.escu.eli5 = The following analytic detects by correlating repository and risk score to identify patterns and trends in the data based on the level of risk associated. The analytic adds any null values and calculates the sum of the risk scores for each detection. Then, the analytic captures the source and user information for each detection and sorts the results in ascending order based on the risk score. Finally, the analytic filters the detections with a risk score below 80 and focuses only on high-risk detections.This detection is important because it provides valuable insights into the distribution of high-risk activities across different repositories. It also identifies the most vulnerable repositories that are frequently targeted by potential threats. Additionally, it proactively detects and responds to potential threats, thereby minimizing the impact of attacks and safeguarding critical assets. Finally, it provides a comprehensive view of the risk landscape and helps to make informed decisions to protect the organization's data and infrastructure. False positives might occur so it is important to identify the impact of the attack and prioritize response and mitigation efforts. -action.escu.how_to_implement = Ensure that all relevant detections in the Dev Sec Ops analytic stories are enabled and are configured to create risk events in Enterprise Security. -action.escu.known_false_positives = Unknown -action.escu.creation_date = 2023-10-27 -action.escu.modification_date = 2023-10-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Risk Rule for Dev Sec Ops by Repository - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Dev Sec Ops"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - RIR - Risk Rule for Dev Sec Ops by Repository - Rule -action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"], "type": "Correlation"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "161bc0ca-4651-4c13-9c27-27770660cf67", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects by correlating repository and risk score to identify patterns and trends in the data based on the level of risk associated. The analytic adds any null values and calculates the sum of the risk scores for each detection. Then, the analytic captures the source and user information for each detection and sorts the results in ascending order based on the risk score. Finally, the analytic filters the detections with a risk score below 80 and focuses only on high-risk detections.This detection is important because it provides valuable insights into the distribution of high-risk activities across different repositories. It also identifies the most vulnerable repositories that are frequently targeted by potential threats. Additionally, it proactively detects and responds to potential threats, thereby minimizing the impact of attacks and safeguarding critical assets. Finally, it provides a comprehensive view of the risk landscape and helps to make informed decisions to protect the organization's data and infrastructure. False positives might occur so it is important to identify the impact of the attack and prioritize response and mitigation efforts. -action.notable.param.rule_title = RBA: Risk Rule for Dev Sec Ops by Repository -action.notable.param.security_domain = cloud -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as sum_risk_score, values(All_Risk.annotations.mitre_attack.mitre_tactic) as annotations.mitre_attack.mitre_tactic, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories="Dev Sec Ops" All_Risk.risk_object_type = "other" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count > 3 and sum_risk_score > 100 | `risk_rule_for_dev_sec_ops_by_repository_filter` - -[ESCU - Abnormally High AWS Instances Launched by User - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for AWS CloudTrail events where a user successfully launches an abnormally high number of instances. This search is deprecated and have been translated to use the latest Change Datamodel -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search looks for AWS CloudTrail events where a user successfully launches an abnormally high number of instances. This search is deprecated and have been translated to use the latest Change Datamodel -action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. The threshold value should be tuned to your environment. -action.escu.known_false_positives = Many service accounts configured within an AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify if this search alerted on a human user. -action.escu.creation_date = 2020-07-21 -action.escu.modification_date = 2020-07-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Abnormally High AWS Instances Launched by User - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["AWS Cryptomining", "Suspicious AWS EC2 Activities"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Abnormally High AWS Instances Launched by User - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Cryptomining", "Suspicious AWS EC2 Activities"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "2a9b80d3-6340-4345-b5ad-290bf5d0dac4", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` eventName=RunInstances errorCode=success | bucket span=10m _time | stats count AS instances_launched by _time userName | eventstats avg(instances_launched) as total_launched_avg, stdev(instances_launched) as total_launched_stdev | eval threshold_value = 4 | eval isOutlier=if(instances_launched > total_launched_avg+(total_launched_stdev * threshold_value), 1, 0) | search isOutlier=1 AND _time >= relative_time(now(), "-10m@m") | eval num_standard_deviations_away = round(abs(instances_launched - total_launched_avg) / total_launched_stdev, 2) | table _time, userName, instances_launched, num_standard_deviations_away, total_launched_avg, total_launched_stdev | `abnormally_high_aws_instances_launched_by_user_filter` - -[ESCU - Abnormally High AWS Instances Launched by User - MLTK - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for AWS CloudTrail events where a user successfully launches an abnormally high number of instances. This search is deprecated and have been translated to use the latest Change Datamodel. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search looks for AWS CloudTrail events where a user successfully launches an abnormally high number of instances. This search is deprecated and have been translated to use the latest Change Datamodel. -action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. The threshold value should be tuned to your environment. -action.escu.known_false_positives = Many service accounts configured within an AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify if this search alerted on a human user. -action.escu.creation_date = 2020-07-21 -action.escu.modification_date = 2020-07-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Abnormally High AWS Instances Launched by User - MLTK - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["AWS Cryptomining", "Suspicious AWS EC2 Activities"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Abnormally High AWS Instances Launched by User - MLTK - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Cryptomining", "Suspicious AWS EC2 Activities"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "dec41ad5-d579-42cb-b4c6-f5dbb778bbe5", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` eventName=RunInstances errorCode=success `abnormally_high_aws_instances_launched_by_user___mltk_filter` | bucket span=10m _time | stats count as instances_launched by _time src_user | apply ec2_excessive_runinstances_v1 | rename "IsOutlier(instances_launched)" as isOutlier | where isOutlier=1 - -[ESCU - Abnormally High AWS Instances Terminated by User - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for AWS CloudTrail events where an abnormally high number of instances were successfully terminated by a user in a 10-minute window. This search is deprecated and have been translated to use the latest Change Datamodel. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search looks for AWS CloudTrail events where an abnormally high number of instances were successfully terminated by a user in a 10-minute window. This search is deprecated and have been translated to use the latest Change Datamodel. -action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. -action.escu.known_false_positives = Many service accounts configured with your AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify whether this search alerted on a human user. -action.escu.creation_date = 2020-07-21 -action.escu.modification_date = 2020-07-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Abnormally High AWS Instances Terminated by User - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["Suspicious AWS EC2 Activities"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Abnormally High AWS Instances Terminated by User - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious AWS EC2 Activities"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "8d301246-fccf-45e2-a8e7-3655fd14379c", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` eventName=TerminateInstances errorCode=success | bucket span=10m _time | stats count AS instances_terminated by _time userName | eventstats avg(instances_terminated) as total_terminations_avg, stdev(instances_terminated) as total_terminations_stdev | eval threshold_value = 4 | eval isOutlier=if(instances_terminated > total_terminations_avg+(total_terminations_stdev * threshold_value), 1, 0) | search isOutlier=1 AND _time >= relative_time(now(), "-10m@m")| eval num_standard_deviations_away = round(abs(instances_terminated - total_terminations_avg) / total_terminations_stdev, 2) |table _time, userName, instances_terminated, num_standard_deviations_away, total_terminations_avg, total_terminations_stdev | `abnormally_high_aws_instances_terminated_by_user_filter` - -[ESCU - Abnormally High AWS Instances Terminated by User - MLTK - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for AWS CloudTrail events where a user successfully terminates an abnormally high number of instances. This search is deprecated and have been translated to use the latest Change Datamodel. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search looks for AWS CloudTrail events where a user successfully terminates an abnormally high number of instances. This search is deprecated and have been translated to use the latest Change Datamodel. -action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. The threshold value should be tuned to your environment. -action.escu.known_false_positives = Many service accounts configured within an AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify if this search alerted on a human user. -action.escu.creation_date = 2020-07-21 -action.escu.modification_date = 2020-07-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Abnormally High AWS Instances Terminated by User - MLTK - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["Suspicious AWS EC2 Activities"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Abnormally High AWS Instances Terminated by User - MLTK - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious AWS EC2 Activities"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "1c02b86a-cd85-473e-a50b-014a9ac8fe3e", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` eventName=TerminateInstances errorCode=success `abnormally_high_aws_instances_terminated_by_user___mltk_filter` | bucket span=10m _time | stats count as instances_terminated by _time src_user | apply ec2_excessive_terminateinstances_v1 | rename "IsOutlier(instances_terminated)" as isOutlier | where isOutlier=1 - -[ESCU - ASL AWS CreateAccessKey - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it's important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don't typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it's important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don't typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting. -action.escu.how_to_implement = You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format. -action.escu.known_false_positives = While this search has no known false positives, it is possible that an AWS admin has legitimately created keys for another user. -action.escu.creation_date = 2022-05-23 -action.escu.modification_date = 2022-05-23 -action.escu.confidence = high -action.escu.full_search_name = ESCU - ASL AWS CreateAccessKey - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Security Lake"] -action.escu.analytic_story = ["AWS IAM Privilege Escalation"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - ASL AWS CreateAccessKey - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS IAM Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "ccb3e4af-23d6-407f-9842-a26212816c9e", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null | rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value | eval keyjoin=mvzip(unmapped_key,unmapped_value) | mvexpand keyjoin | rex field=keyjoin "^(?[^,]+),(?.*)$" | eval {key} = value | search responseElements.accessKey.userName = * | rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName | eval match=if(identity_user_name=responseElements_accessKey_userName,1,0) | search match=0 | rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName | stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`asl_aws_createaccesskey_filter` - -[ESCU - ASL AWS Excessive Security Scanning - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for AWS CloudTrail events and analyse the amount of eventNames which starts with Describe by a single user. This indicates that this user scans the configuration of your AWS cloud environment. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search looks for AWS CloudTrail events and analyse the amount of eventNames which starts with Describe by a single user. This indicates that this user scans the configuration of your AWS cloud environment. -action.escu.how_to_implement = You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format. -action.escu.known_false_positives = While this search has no known false positives. -action.escu.creation_date = 2023-06-01 -action.escu.modification_date = 2023-06-01 -action.escu.confidence = high -action.escu.full_search_name = ESCU - ASL AWS Excessive Security Scanning - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Security Lake"] -action.escu.analytic_story = ["AWS User Monitoring"] -action.risk = 1 -action.risk.param._risk_message = user $identity.user.name$ has excessive number of api calls. -action.risk.param._risk = [{"threat_object_field": "src_endpoint.ip", "threat_object_type": "ip_address"}, {"risk_object_field": "identity.user.name", "risk_object_type": "other", "risk_score": 18}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - ASL AWS Excessive Security Scanning - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS User Monitoring"], "cis20": ["CIS 13"], "confidence": 60, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "ff2bfdbc-65b7-4434-8f08-d55761d1d446", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `amazon_security_lake` api.operation=Describe* OR api.operation=List* OR api.operation=Get* | stats dc(api.operation) as dc_api_operations min(_time) as firstTime max(_time) as lastTime values(http_request.user_agent) as http_request.user_agent values(src_endpoint.ip) as src_endpoint.ip values(cloud.region) as cloud.region values(identity.user.account_uid) as identity.user.account_uid by identity.user.name | where dc_api_operations > 50 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|`asl_aws_excessive_security_scanning_filter` - -[ESCU - ASL AWS Password Policy Changes - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised. -action.escu.how_to_implement = You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format. -action.escu.known_false_positives = While this search has no known false positives, it is possible that an AWS admin has legitimately triggered an AWS audit tool activity which may trigger this event. -action.escu.creation_date = 2023-05-22 -action.escu.modification_date = 2023-05-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - ASL AWS Password Policy Changes - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Security Lake"] -action.escu.analytic_story = ["AWS IAM Privilege Escalation", "Compromised User Account"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - ASL AWS Password Policy Changes - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS IAM Privilege Escalation", "Compromised User Account"], "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "5ade5937-11a2-4363-ba6b-39a3ee8d5b1a", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null | stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_password_policy_changes_filter` - -[ESCU - AWS Cloud Provisioning From Previously Unseen City - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for AWS provisioning activities from previously unseen cities. Provisioning activities are defined broadly as any event that begins with "Run" or "Create." This search is deprecated and have been translated to use the latest Change Datamodel. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1535"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search looks for AWS provisioning activities from previously unseen cities. Provisioning activities are defined broadly as any event that begins with "Run" or "Create." This search is deprecated and have been translated to use the latest Change Datamodel. -action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the "Previously Seen AWS Provisioning Activity Sources" support search once to create a history of previously seen locations that have provisioned AWS resources. -action.escu.known_false_positives = This is a strictly behavioral search, so we define "false positive" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no "false positives" in a traditional sense, there is definitely lots of noise. \ -This search will fire any time a new city is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your city, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you. -action.escu.creation_date = 2018-03-16 -action.escu.modification_date = 2018-03-16 -action.escu.confidence = high -action.escu.full_search_name = ESCU - AWS Cloud Provisioning From Previously Unseen City - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["AWS Suspicious Provisioning Activities"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - AWS Cloud Provisioning From Previously Unseen City - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Suspicious Provisioning Activities"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1535"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "344a1778-0b25-490c-adb1-de8beddf59cd", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search City=* [search `cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search City=* | stats earliest(_time) as firstTime, latest(_time) as lastTime by sourceIPAddress, City, Region, Country | inputlookup append=t previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress, City, Region, Country | outputlookup previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by City | eval newCity=if(firstTime >= relative_time(now(), "-70m@m"), 1, 0) | where newCity=1 | table City] | spath output=user userIdentity.arn | rename sourceIPAddress as src_ip | table _time, user, src_ip, City, eventName, errorCode | `aws_cloud_provisioning_from_previously_unseen_city_filter` - -[ESCU - AWS Cloud Provisioning From Previously Unseen Country - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for AWS provisioning activities from previously unseen countries. Provisioning activities are defined broadly as any event that begins with "Run" or "Create." This search is deprecated and have been translated to use the latest Change Datamodel. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1535"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search looks for AWS provisioning activities from previously unseen countries. Provisioning activities are defined broadly as any event that begins with "Run" or "Create." This search is deprecated and have been translated to use the latest Change Datamodel. -action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the "Previously Seen AWS Provisioning Activity Sources" support search once to create a history of previously seen locations that have provisioned AWS resources. -action.escu.known_false_positives = This is a strictly behavioral search, so we define "false positive" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching over plus what is stored in the cache feature. But while there are really no \"false positives\" in a traditional sense, there is definitely lots of noise. \ -This search will fire any time a new country is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you. -action.escu.creation_date = 2018-03-16 -action.escu.modification_date = 2018-03-16 -action.escu.confidence = high -action.escu.full_search_name = ESCU - AWS Cloud Provisioning From Previously Unseen Country - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["AWS Suspicious Provisioning Activities"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - AWS Cloud Provisioning From Previously Unseen Country - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Suspicious Provisioning Activities"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1535"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "ceb8d3d8-06cb-49eb-beaf-829526e33ff0", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Country=* [search `cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Country=* | stats earliest(_time) as firstTime, latest(_time) as lastTime by sourceIPAddress, City, Region, Country | inputlookup append=t previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress, City, Region, Country | outputlookup previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by Country | eval newCountry=if(firstTime >= relative_time(now(), "-70m@m"), 1, 0) | where newCountry=1 | table Country] | spath output=user userIdentity.arn | rename sourceIPAddress as src_ip | table _time, user, src_ip, Country, eventName, errorCode | `aws_cloud_provisioning_from_previously_unseen_country_filter` - -[ESCU - AWS Cloud Provisioning From Previously Unseen IP Address - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for AWS provisioning activities from previously unseen IP addresses. Provisioning activities are defined broadly as any event that begins with "Run" or "Create." This search is deprecated and have been translated to use the latest Change Datamodel. -action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search looks for AWS provisioning activities from previously unseen IP addresses. Provisioning activities are defined broadly as any event that begins with "Run" or "Create." This search is deprecated and have been translated to use the latest Change Datamodel. -action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the "Previously Seen AWS Provisioning Activity Sources" support search once to create a history of previously seen locations that have provisioned AWS resources. -action.escu.known_false_positives = This is a strictly behavioral search, so we define "false positive" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no "false positives" in a traditional sense, there is definitely lots of noise. \ -This search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you. -action.escu.creation_date = 2018-03-16 -action.escu.modification_date = 2018-03-16 -action.escu.confidence = high -action.escu.full_search_name = ESCU - AWS Cloud Provisioning From Previously Unseen IP Address - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["AWS Suspicious Provisioning Activities"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - AWS Cloud Provisioning From Previously Unseen IP Address - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Suspicious Provisioning Activities"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "42e15012-ac14-4801-94f4-f1acbe64880b", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` (eventName=Run* OR eventName=Create*) [search `cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Country=* | stats earliest(_time) as firstTime, latest(_time) as lastTime by sourceIPAddress, City, Region, Country | inputlookup append=t previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress, City, Region, Country | outputlookup previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress | eval newIP=if(firstTime >= relative_time(now(), "-70m@m"), 1, 0) | where newIP=1 | table sourceIPAddress] | spath output=user userIdentity.arn | rename sourceIPAddress as src_ip | table _time, user, src_ip, eventName, errorCode | `aws_cloud_provisioning_from_previously_unseen_ip_address_filter` - -[ESCU - AWS Cloud Provisioning From Previously Unseen Region - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for AWS provisioning activities from previously unseen regions. Region in this context is similar to a state in the United States. Provisioning activities are defined broadly as any event that begins with "Run" or "Create." This search is deprecated and have been translated to use the latest Change Datamodel. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1535"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search looks for AWS provisioning activities from previously unseen regions. Region in this context is similar to a state in the United States. Provisioning activities are defined broadly as any event that begins with "Run" or "Create." This search is deprecated and have been translated to use the latest Change Datamodel. -action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the "Previously Seen AWS Provisioning Activity Sources" support search once to create a history of previously seen locations that have provisioned AWS resources. -action.escu.known_false_positives = This is a strictly behavioral search, so we define "false positive" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no "false positives" in a traditional sense, there is definitely lots of noise. \ -This search will fire any time a new region is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your region, there should be few false positives. If you are located in regions where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you. -action.escu.creation_date = 2018-03-16 -action.escu.modification_date = 2018-03-16 -action.escu.confidence = high -action.escu.full_search_name = ESCU - AWS Cloud Provisioning From Previously Unseen Region - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["AWS Suspicious Provisioning Activities"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - AWS Cloud Provisioning From Previously Unseen Region - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Suspicious Provisioning Activities"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1535"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "7971d3df-da82-4648-a6e5-b5637bea5253", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Region=* [search `cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Region=* | stats earliest(_time) as firstTime, latest(_time) as lastTime by sourceIPAddress, City, Region, Country | inputlookup append=t previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress, City, Region, Country | outputlookup previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by Region | eval newRegion=if(firstTime >= relative_time(now(), "-70m@m"), 1, 0) | where newRegion=1 | table Region] | spath output=user userIdentity.arn | rename sourceIPAddress as src_ip | table _time, user, src_ip, Region, eventName, errorCode | `aws_cloud_provisioning_from_previously_unseen_region_filter` - -[ESCU - AWS EKS Kubernetes cluster sensitive object access - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search provides information on Kubernetes accounts accessing sensitve objects such as configmaps or secrets -action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search provides information on Kubernetes accounts accessing sensitve objects such as configmaps or secrets -action.escu.how_to_implement = You must install Splunk Add-on for Amazon Web Services and Splunk App for AWS. This search works with cloudwatch logs. -action.escu.known_false_positives = Sensitive object access is not necessarily malicious but user and object context can provide guidance for detection. -action.escu.creation_date = 2020-06-23 -action.escu.modification_date = 2020-06-23 -action.escu.confidence = high -action.escu.full_search_name = ESCU - AWS EKS Kubernetes cluster sensitive object access - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Kubernetes Sensitive Object Access Activity"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - AWS EKS Kubernetes cluster sensitive object access - Rule -action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Sensitive Object Access Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "7f227943-2196-4d4d-8d6a-ac8cb308e61c", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `aws_cloudwatchlogs_eks` objectRef.resource=secrets OR configmaps sourceIPs{}!=::1 sourceIPs{}!=127.0.0.1 |table sourceIPs{} user.username user.groups{} objectRef.resource objectRef.namespace objectRef.name annotations.authorization.k8s.io/reason |dedup user.username user.groups{} |`aws_eks_kubernetes_cluster_sensitive_object_access_filter` - -[ESCU - Clients Connecting to Multiple DNS Servers - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search allows you to identify the endpoints that have connected to more than five DNS servers and made DNS Queries over the time frame of the search. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048.003"], "nist": ["DE.CM"]} -action.escu.data_models = ["Network_Resolution"] -action.escu.eli5 = This search allows you to identify the endpoints that have connected to more than five DNS servers and made DNS Queries over the time frame of the search. -action.escu.how_to_implement = This search requires that DNS data is being ingested and populating the `Network_Resolution` data model. This data can come from DNS logs or from solutions that parse network traffic for this data, such as Splunk Stream or Bro. \ -This search produces fields (`dest_count`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry): \ -* **Label:** Distinct DNS Connections, **Field:** dest_count \ -Detailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details` -action.escu.known_false_positives = It's possible that an enterprise has more than five DNS servers that are configured in a round-robin rotation. Please customize the search, as appropriate. -action.escu.creation_date = 2020-07-21 -action.escu.modification_date = 2020-07-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Clients Connecting to Multiple DNS Servers - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Command And Control", "DNS Hijacking", "Host Redirection", "Suspicious DNS Traffic"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Clients Connecting to Multiple DNS Servers - Rule -action.correlationsearch.annotations = {"analytic_story": ["Command And Control", "DNS Hijacking", "Host Redirection", "Suspicious DNS Traffic"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048.003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "74ec6f18-604b-4202-a567-86b2066be3ce", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search allows you to identify the endpoints that have connected to more than five DNS servers and made DNS Queries over the time frame of the search. -action.notable.param.rule_title = Clients Connecting to Multiple DNS Servers -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count, values(DNS.dest) AS dest dc(DNS.dest) as dest_count from datamodel=Network_Resolution where DNS.message_type=QUERY by DNS.src | `drop_dm_object_name("Network_Resolution")` |where dest_count > 5 | `clients_connecting_to_multiple_dns_servers_filter` - -[ESCU - Cloud Network Access Control List Deleted - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. Enforcing network-access controls is one of the defensive mechanisms used by cloud administrators to restrict access to a cloud instance. After the attacker has gained control of the console by compromising an admin account, they can delete a network ACL and gain access to the instance from anywhere. This search will query the Change datamodel to detect users deleting network ACLs. Deprecated because it's a duplicate -action.escu.mappings = {"cis20": ["CIS 13"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = Enforcing network-access controls is one of the defensive mechanisms used by cloud administrators to restrict access to a cloud instance. After the attacker has gained control of the console by compromising an admin account, they can delete a network ACL and gain access to the instance from anywhere. This search will query the Change datamodel to detect users deleting network ACLs. Deprecated because it's a duplicate -action.escu.how_to_implement = You must be ingesting your cloud infrastructure logs from your cloud provider. You can also provide additional filtering for this search by customizing the `cloud_network_access_control_list_deleted_filter` macro. -action.escu.known_false_positives = It's possible that a user has legitimately deleted a network ACL. -action.escu.creation_date = 2020-09-08 -action.escu.modification_date = 2020-09-08 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Cloud Network Access Control List Deleted - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["AWS Network ACL Activity"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Cloud Network Access Control List Deleted - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Network ACL Activity"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "021abc51-1862-41dd-ad43-43c739c0a983", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` eventName=DeleteNetworkAcl|rename userIdentity.arn as arn | stats count min(_time) as firstTime max(_time) as lastTime values(errorMessage) values(errorCode) values(userAgent) values(userIdentity.*) by src userName arn eventName | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `cloud_network_access_control_list_deleted_filter` - -[ESCU - Correlation by Repository and Risk - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search has been deprecated and updated with Risk Rule for Dev Sec Ops by Repository detection. The following analytic detects by correlating repository and risk score to identify patterns and trends in the data based on the level of risk associated. The analytic adds any null values and calculates the sum of the risk scores for each detection. Then, the analytic captures the source and user information for each detection and sorts the results in ascending order based on the risk score. Finally, the analytic filters the detections with a risk score below 80 and focuses only on high-risk detections.This detection is important because it provides valuable insights into the distribution of high-risk activities across different repositories. It also identifies the most vulnerable repositories that are frequently targeted by potential threats. Additionally, it proactively detects and responds to potential threats, thereby minimizing the impact of attacks and safeguarding critical assets. Finally, it provides a comprehensive view of the risk landscape and helps to make informed decisions to protect the organization's data and infrastructure. False positives might occur so it is important to identify the impact of the attack and prioritize response and mitigation efforts. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search has been deprecated and updated with Risk Rule for Dev Sec Ops by Repository detection. The following analytic detects by correlating repository and risk score to identify patterns and trends in the data based on the level of risk associated. The analytic adds any null values and calculates the sum of the risk scores for each detection. Then, the analytic captures the source and user information for each detection and sorts the results in ascending order based on the risk score. Finally, the analytic filters the detections with a risk score below 80 and focuses only on high-risk detections.This detection is important because it provides valuable insights into the distribution of high-risk activities across different repositories. It also identifies the most vulnerable repositories that are frequently targeted by potential threats. Additionally, it proactively detects and responds to potential threats, thereby minimizing the impact of attacks and safeguarding critical assets. Finally, it provides a comprehensive view of the risk landscape and helps to make informed decisions to protect the organization's data and infrastructure. False positives might occur so it is important to identify the impact of the attack and prioritize response and mitigation efforts. -action.escu.how_to_implement = For Dev Sec Ops POC -action.escu.known_false_positives = unknown -action.escu.creation_date = 2021-09-06 -action.escu.modification_date = 2021-09-06 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Correlation by Repository and Risk - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Dev Sec Ops"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Correlation by Repository and Risk - Rule -action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 13"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"], "type": "Correlation"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "8da9fdd9-6a1b-4ae0-8a34-8c25e6be9687", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search has been deprecated and updated with Risk Rule for Dev Sec Ops by Repository detection. The following analytic detects by correlating repository and risk score to identify patterns and trends in the data based on the level of risk associated. The analytic adds any null values and calculates the sum of the risk scores for each detection. Then, the analytic captures the source and user information for each detection and sorts the results in ascending order based on the risk score. Finally, the analytic filters the detections with a risk score below 80 and focuses only on high-risk detections.This detection is important because it provides valuable insights into the distribution of high-risk activities across different repositories. It also identifies the most vulnerable repositories that are frequently targeted by potential threats. Additionally, it proactively detects and responds to potential threats, thereby minimizing the impact of attacks and safeguarding critical assets. Finally, it provides a comprehensive view of the risk landscape and helps to make informed decisions to protect the organization's data and infrastructure. False positives might occur so it is important to identify the impact of the attack and prioritize response and mitigation efforts. -action.notable.param.rule_title = RBA: Correlation by Repository and Risk -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `risk_index` | fillnull | stats sum(risk_score) as risk_score values(source) as signals values(user) as user by repository | sort - risk_score | where risk_score > 80 | `correlation_by_repository_and_risk_filter` - -[ESCU - Correlation by User and Risk - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. The following analytic detects the correlation between the user and risk score and identifies users with a high risk score that pose a significant security risk such as unauthorized access attempts, suspicious behavior, or potential insider threats. Next, the analytic calculates the sum of the risk scores and groups the results by user, the corresponding signals, and the repository. The results are sorted in descending order based on the risk score and filtered to include records with a risk score greater than 80. Finally, the results are passed through a correlation filter specific to the user and risk. This detection is important because it identifies users who have a high risk score and helps to prioritize investigations and allocate resources. False positives might occur but the impact of such an attack can vary depending on the specific scenario such as data exfiltration, system compromise, or the disruption of critical services. Please investigate this notable event. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects the correlation between the user and risk score and identifies users with a high risk score that pose a significant security risk such as unauthorized access attempts, suspicious behavior, or potential insider threats. Next, the analytic calculates the sum of the risk scores and groups the results by user, the corresponding signals, and the repository. The results are sorted in descending order based on the risk score and filtered to include records with a risk score greater than 80. Finally, the results are passed through a correlation filter specific to the user and risk. This detection is important because it identifies users who have a high risk score and helps to prioritize investigations and allocate resources. False positives might occur but the impact of such an attack can vary depending on the specific scenario such as data exfiltration, system compromise, or the disruption of critical services. Please investigate this notable event. -action.escu.how_to_implement = For Dev Sec Ops POC -action.escu.known_false_positives = unknown -action.escu.creation_date = 2021-09-06 -action.escu.modification_date = 2021-09-06 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Correlation by User and Risk - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Dev Sec Ops"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Correlation by User and Risk - Rule -action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 13"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"], "type": "Correlation"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "610e12dc-b6fa-4541-825e-4a0b3b6f6773", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the correlation between the user and risk score and identifies users with a high risk score that pose a significant security risk such as unauthorized access attempts, suspicious behavior, or potential insider threats. Next, the analytic calculates the sum of the risk scores and groups the results by user, the corresponding signals, and the repository. The results are sorted in descending order based on the risk score and filtered to include records with a risk score greater than 80. Finally, the results are passed through a correlation filter specific to the user and risk. This detection is important because it identifies users who have a high risk score and helps to prioritize investigations and allocate resources. False positives might occur but the impact of such an attack can vary depending on the specific scenario such as data exfiltration, system compromise, or the disruption of critical services. Please investigate this notable event. -action.notable.param.rule_title = RBA: Correlation by User and Risk -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `risk_index` | fillnull | stats sum(risk_score) as risk_score values(source) as signals values(repository) as repository by user | sort - risk_score | where risk_score > 80 | `correlation_by_user_and_risk_filter` - -[ESCU - Detect Activity Related to Pass the Hash Attacks - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for specific authentication events from the Windows Security Event logs to detect potential attempts at using the Pass-the-Hash technique. This search is DEPRECATED as it is possible for event code 4624 to generate a high level of noise, as legitimate logon events may also trigger this event code. This can be especially true in environments with high levels of user activity, such as those with many concurrent logons or frequent logon attempts. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1550", "T1550.002"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search looks for specific authentication events from the Windows Security Event logs to detect potential attempts at using the Pass-the-Hash technique. This search is DEPRECATED as it is possible for event code 4624 to generate a high level of noise, as legitimate logon events may also trigger this event code. This can be especially true in environments with high levels of user activity, such as those with many concurrent logons or frequent logon attempts. -action.escu.how_to_implement = To successfully implement this search, you must ingest your Windows Security Event logs and leverage the latest TA for Windows. -action.escu.known_false_positives = Legitimate logon activity by authorized NTLM systems may be detected by this search. Please investigate as appropriate. -action.escu.creation_date = 2020-10-15 -action.escu.modification_date = 2020-10-15 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect Activity Related to Pass the Hash Attacks - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Lateral Movement"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Detect Activity Related to Pass the Hash Attacks - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1550", "T1550.002"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "f5939373-8054-40ad-8c64-cec478a22a4b", "detection_version": "6"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4624 (Logon_Type=3 Logon_Process=NtLmSsp NOT AccountName="ANONYMOUS LOGON") OR (Logon_Type=9 Logon_Process=seclogo) | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by EventCode, Logon_Type, WorkstationName, user, dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_activity_related_to_pass_the_hash_attacks_filter` - -[ESCU - Detect API activity from users without MFA - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for AWS CloudTrail events where a user logged into the AWS account, is making API calls and has not enabled Multi Factor authentication. Multi factor authentication adds a layer of security by forcing the users to type a unique authentication code from an approved authentication device when they access AWS websites or services. AWS Best Practices recommend that you enable MFA for privileged IAM users. -action.escu.mappings = {"cis20": ["CIS 13"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search looks for AWS CloudTrail events where a user logged into the AWS account, is making API calls and has not enabled Multi Factor authentication. Multi factor authentication adds a layer of security by forcing the users to type a unique authentication code from an approved authentication device when they access AWS websites or services. AWS Best Practices recommend that you enable MFA for privileged IAM users. -action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. Leverage the support search `Create a list of approved AWS service accounts`: run it once every 30 days to create a list of service accounts and validate them. \ -This search produces fields (`eventName`,`userIdentity.type`,`userIdentity.arn`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry): \ -* **Label:** AWS Event Name, **Field:** eventName \ -* **Label:** AWS User ARN, **Field:** userIdentity.arn \ -* **Label:** AWS User Type, **Field:** userIdentity.type \ -Detailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details` -action.escu.known_false_positives = Many service accounts configured within an AWS infrastructure do not have multi factor authentication enabled. Please ignore the service accounts, if triggered and instead add them to the aws_service_accounts.csv file to fine tune the detection. It is also possible that the search detects users in your environment using Single Sign-On systems, since the MFA is not handled by AWS. -action.escu.creation_date = 2018-05-17 -action.escu.modification_date = 2018-05-17 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect API activity from users without MFA - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["AWS User Monitoring"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Detect API activity from users without MFA - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS User Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "4d46e8bd-4072-48e4-92db-0325889ef894", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` userIdentity.sessionContext.attributes.mfaAuthenticated=false | search NOT [| inputlookup aws_service_accounts | fields identity | rename identity as user]| stats count min(_time) as firstTime max(_time) as lastTime values(eventName) as eventName by userIdentity.arn userIdentity.type user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_api_activity_from_users_without_mfa_filter` - -[ESCU - Detect AWS API Activities From Unapproved Accounts - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for successful AWS CloudTrail activity by user accounts that are not listed in the identity table or `aws_service_accounts.csv`. It returns event names and count, as well as the first and last time a specific user or service is detected, grouped by users. Deprecated because managing this list can be quite hard. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search looks for successful AWS CloudTrail activity by user accounts that are not listed in the identity table or `aws_service_accounts.csv`. It returns event names and count, as well as the first and last time a specific user or service is detected, grouped by users. Deprecated because managing this list can be quite hard. -action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. You must also populate the `identity_lookup_expanded` lookup shipped with the Asset and Identity framework to be able to look up users in your identity table in Enterprise Security (ES). Leverage the support search called "Create a list of approved AWS service accounts": run it once every 30 days to create and validate a list of service accounts. \ -This search produces fields (`eventName`,`firstTime`,`lastTime`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry): \ -* **Label:** AWS Event Name, **Field:** eventName \ -* **Label:** First Time, **Field:** firstTime \ -* **Label:** Last Time, **Field:** lastTime \ -Detailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details` -action.escu.known_false_positives = It's likely that you'll find activity detected by users/service accounts that are not listed in the `identity_lookup_expanded` or ` aws_service_accounts.csv` file. If the user is a legitimate service account, update the `aws_service_accounts.csv` table with that entry. -action.escu.creation_date = 2020-07-21 -action.escu.modification_date = 2020-07-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect AWS API Activities From Unapproved Accounts - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["AWS User Monitoring"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Detect AWS API Activities From Unapproved Accounts - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS User Monitoring"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "ada0f478-84a8-4641-a3f1-d82362d4bd55", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` errorCode=success | rename userName as identity | search NOT [| inputlookup identity_lookup_expanded | fields identity] | search NOT [| inputlookup aws_service_accounts | fields identity] | rename identity as user | stats count min(_time) as firstTime max(_time) as lastTime values(eventName) as eventName by user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_aws_api_activities_from_unapproved_accounts_filter` - -[ESCU - Detect DNS requests to Phishing Sites leveraging EvilGinx2 - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for DNS requests for phishing domains that are leveraging EvilGinx tools to mimic websites. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.003"], "nist": ["DE.CM"]} -action.escu.data_models = ["Network_Resolution", "Web"] -action.escu.eli5 = This search looks for DNS requests for phishing domains that are leveraging EvilGinx tools to mimic websites. -action.escu.how_to_implement = You need to ingest data from your DNS logs in the Network_Resolution datamodel. Specifically you must ingest the domain that is being queried and the IP of the host originating the request. Ideally, you should also be ingesting the answer to the query and the query type. This approach allows you to also create your own localized passive DNS capability which can aid you in future investigations. You will have to add legitimate domain names to the `legit_domains.csv` file shipped with the app. \ -**Splunk>Phantom Playbook Integration** \ -If Splunk>Phantom is also configured in your environment, a Playbook called `Lets Encrypt Domain Investigate` can be configured to run when any results are found by this detection search. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`, add the correct hostname to the "Phantom Instance" field in the Adaptive Response Actions when configuring this detection search, and set the corresponding Playbook to active. \ -(Playbook link:`https://my.phantom.us/4.2/playbook/lets-encrypt-domain-investigate/`) -action.escu.known_false_positives = If a known good domain is not listed in the legit_domains.csv file, then the search could give you false postives. Please update that lookup file to filter out DNS requests to legitimate domains. -action.escu.creation_date = 2020-07-21 -action.escu.modification_date = 2020-07-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect DNS requests to Phishing Sites leveraging EvilGinx2 - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Common Phishing Frameworks"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Detect DNS requests to Phishing Sites leveraging EvilGinx2 - Rule -action.correlationsearch.annotations = {"analytic_story": ["Common Phishing Frameworks"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "24dd17b1-e2fb-4c31-878c-d4f226595bfa", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search looks for DNS requests for phishing domains that are leveraging EvilGinx tools to mimic websites. -action.notable.param.rule_title = Detect DNS requests to Phishing Sites leveraging EvilGinx2 -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(DNS.answer) as answer from datamodel=Network_Resolution.DNS by DNS.dest DNS.src DNS.query host | `drop_dm_object_name(DNS)`| rex field=query ".*?(?[^./:]+\.(\S{2,3}|\S{2,3}.\S{2,3}))$" | stats count values(query) as query by domain dest src answer| search `evilginx_phishlets_amazon` OR `evilginx_phishlets_facebook` OR `evilginx_phishlets_github` OR `evilginx_phishlets_0365` OR `evilginx_phishlets_outlook` OR `evilginx_phishlets_aws` OR `evilginx_phishlets_google` | search NOT [ inputlookup legit_domains.csv | fields domain]| join domain type=outer [| tstats count `security_content_summariesonly` values(Web.url) as url from datamodel=Web.Web by Web.dest Web.site | rename "Web.*" as * | rex field=site ".*?(?[^./:]+\.(\S{2,3}|\S{2,3}.\S{2,3}))$" | table dest domain url] | table count src dest query answer domain url | `detect_dns_requests_to_phishing_sites_leveraging_evilginx2_filter` - -[ESCU - Detect Long DNS TXT Record Response - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search is used to detect attempts to use DNS tunneling, by calculating the length of responses to DNS TXT queries. Endpoints using DNS as a method of transmission for data exfiltration, Command And Control, or evasion of security controls can often be detected by noting unusually large volumes of DNS traffic. Deprecated because this detection should focus on DNS queries instead of DNS responses. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048.003"], "nist": ["DE.CM"]} -action.escu.data_models = ["Network_Resolution"] -action.escu.eli5 = This search is used to detect attempts to use DNS tunneling, by calculating the length of responses to DNS TXT queries. Endpoints using DNS as a method of transmission for data exfiltration, Command And Control, or evasion of security controls can often be detected by noting unusually large volumes of DNS traffic. Deprecated because this detection should focus on DNS queries instead of DNS responses. -action.escu.how_to_implement = To successfully implement this search you need to ingest data from your DNS logs, or monitor DNS traffic using Stream, Bro or something similar. Specifically, this query requires that the DNS data model is populated with information regarding the DNS record type that is being returned as well as the data in the answer section of the protocol. -action.escu.known_false_positives = It's possible that legitimate TXT record responses can be long enough to trigger this search. You can modify the packet threshold for this search to help mitigate false positives. -action.escu.creation_date = 2020-07-21 -action.escu.modification_date = 2020-07-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect Long DNS TXT Record Response - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Command And Control", "Suspicious DNS Traffic"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Detect Long DNS TXT Record Response - Rule -action.correlationsearch.annotations = {"analytic_story": ["Command And Control", "Suspicious DNS Traffic"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048.003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "05437c07-62f5-452e-afdc-04dd44815bb9", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search is used to detect attempts to use DNS tunneling, by calculating the length of responses to DNS TXT queries. Endpoints using DNS as a method of transmission for data exfiltration, Command And Control, or evasion of security controls can often be detected by noting unusually large volumes of DNS traffic. Deprecated because this detection should focus on DNS queries instead of DNS responses. -action.notable.param.rule_title = Detect Long DNS TXT Record Response -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Resolution where DNS.message_type=response AND DNS.record_type=TXT by DNS.src DNS.dest DNS.answer DNS.record_type | `drop_dm_object_name("DNS")` | eval anslen=len(answer) | search anslen>100 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename src as "Source IP", dest as "Destination IP", answer as "DNS Answer" anslen as "Answer Length" record_type as "DNS Record Type" firstTime as "First Time" lastTime as "Last Time" count as Count | table "Source IP" "Destination IP" "DNS Answer" "DNS Record Type" "Answer Length" Count "First Time" "Last Time" | `detect_long_dns_txt_record_response_filter` - -[ESCU - Detect Mimikatz Using Loaded Images - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for reading loaded Images unique to credential dumping with Mimikatz. Deprecated because mimikatz libraries changed and very noisy sysmon Event Code. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This search looks for reading loaded Images unique to credential dumping with Mimikatz. Deprecated because mimikatz libraries changed and very noisy sysmon Event Code. -action.escu.how_to_implement = This search needs Sysmon Logs and a sysmon configuration, which includes EventCode 7 with powershell.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives. -action.escu.known_false_positives = Other tools can import the same DLLs. These tools should be part of a whitelist. False positives may be present with any process that authenticates or uses credentials, PowerShell included. Filter based on parent process. -action.escu.creation_date = 2019-12-03 -action.escu.modification_date = 2019-12-03 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect Mimikatz Using Loaded Images - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["CISA AA22-257A", "CISA AA22-264A", "CISA AA22-320A", "Cloud Federated Credential Abuse", "Credential Dumping", "DarkSide Ransomware", "Detect Zerologon Attack", "Sandworm Tools"] -action.risk = 1 -action.risk.param._risk_message = A process, $Image$, has loaded $ImageLoaded$ that are typically related to credential dumping on $dest$. Review for further details. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Detect Mimikatz Using Loaded Images - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA22-257A", "CISA AA22-264A", "CISA AA22-320A", "Cloud Federated Credential Abuse", "Credential Dumping", "DarkSide Ransomware", "Detect Zerologon Attack", "Sandworm Tools"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "29e307ba-40af-4ab2-91b2-3c6b392bbba0", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search looks for reading loaded Images unique to credential dumping with Mimikatz. Deprecated because mimikatz libraries changed and very noisy sysmon Event Code. -action.notable.param.rule_title = Detect Mimikatz Using Loaded Images -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=7 | stats values(ImageLoaded) as ImageLoaded values(ProcessId) as ProcessId by dest, Image | search ImageLoaded=*WinSCard.dll ImageLoaded=*cryptdll.dll ImageLoaded=*hid.dll ImageLoaded=*samlib.dll ImageLoaded=*vaultcli.dll | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_mimikatz_using_loaded_images_filter` - -[ESCU - Detect Mimikatz Via PowerShell And EventCode 4703 - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for PowerShell requesting privileges consistent with credential dumping. Deprecated, looks like things changed from a logging perspective. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This search looks for PowerShell requesting privileges consistent with credential dumping. Deprecated, looks like things changed from a logging perspective. -action.escu.how_to_implement = You must be ingesting Windows Security logs. You must also enable the account change auditing here: http://docs.splunk.com/Documentation/Splunk/7.0.2/Data/MonitorWindowseventlogdata. Additionally, this search requires you to enable your Group Management Audit Logs in your Local Windows Security Policy and to be ingesting those logs. More information on how to enable them can be found here: http://whatevernetworks.com/auditing-group-membership-changes-in-active-directory/. Finally, please make sure that the local administrator group name is "Administrators" to be able to look for the right group membership changes. -action.escu.known_false_positives = The activity may be legitimate. PowerShell is often used by administrators to perform various tasks, and it's possible this event could be generated in those cases. In these cases, false positives should be fairly obvious and you may need to tweak the search to eliminate noise. -action.escu.creation_date = 2019-02-27 -action.escu.modification_date = 2019-02-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect Mimikatz Via PowerShell And EventCode 4703 - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Cloud Federated Credential Abuse"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Detect Mimikatz Via PowerShell And EventCode 4703 - Rule -action.correlationsearch.annotations = {"analytic_story": ["Cloud Federated Credential Abuse"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "98917be2-bfc8-475a-8618-a9bb06575188", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search looks for PowerShell requesting privileges consistent with credential dumping. Deprecated, looks like things changed from a logging perspective. -action.notable.param.rule_title = Detect Mimikatz Via PowerShell And EventCode 4703 -action.notable.param.security_domain = access -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` signature_id=4703 Process_Name=*powershell.exe | rex field=Message "Enabled Privileges:\s+(?\w+)\s+Disabled Privileges:" | where privs="SeDebugPrivilege" | stats count min(_time) as firstTime max(_time) as lastTime by dest, Process_Name, privs, Process_ID, Message | rename privs as "Enabled Privilege" | rename Process_Name as process | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_mimikatz_via_powershell_and_eventcode_4703_filter` - -[ESCU - Detect new API calls from user roles - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search detects new API calls that have either never been seen before or that have not been seen in the previous hour, where the identity type is `AssumedRole`. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search detects new API calls that have either never been seen before or that have not been seen in the previous hour, where the identity type is `AssumedRole`. -action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the "Previously seen API call per user roles in AWS CloudTrail" support search once to create a history of previously seen user roles. -action.escu.known_false_positives = It is possible that there are legitimate user roles making new or infrequently used API calls in your infrastructure, causing the search to trigger. -action.escu.creation_date = 2018-04-16 -action.escu.modification_date = 2018-04-16 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect new API calls from user roles - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["AWS User Monitoring"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Detect new API calls from user roles - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS User Monitoring"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "22773e84-bac0-4595-b086-20d3f335b4f1", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` eventType=AwsApiCall errorCode=success userIdentity.type=AssumedRole [search `cloudtrail` eventType=AwsApiCall errorCode=success userIdentity.type=AssumedRole | stats earliest(_time) as earliest latest(_time) as latest by userName eventName | inputlookup append=t previously_seen_api_calls_from_user_roles | stats min(earliest) as earliest, max(latest) as latest by userName eventName | outputlookup previously_seen_api_calls_from_user_roles| eval newApiCallfromUserRole=if(earliest>=relative_time(now(), "-70m@m"), 1, 0) | where newApiCallfromUserRole=1 | `security_content_ctime(earliest)` | `security_content_ctime(latest)` | table eventName userName] |rename userName as user| stats values(eventName) earliest(_time) as earliest latest(_time) as latest by user | `security_content_ctime(earliest)` | `security_content_ctime(latest)` | `detect_new_api_calls_from_user_roles_filter` - -[ESCU - Detect new user AWS Console Login - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for AWS CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert is fired if the user has logged into the console for the first time within the last hour. Deprecated now this search is updated to use the Authentication datamodel. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search looks for AWS CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert is fired if the user has logged into the console for the first time within the last hour. Deprecated now this search is updated to use the Authentication datamodel. -action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. Run the "Previously seen users in AWS CloudTrail" support search only once to create a baseline of previously seen IAM users within the last 30 days. Run "Update previously seen users in AWS CloudTrail" hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines. -action.escu.known_false_positives = When a legitimate new user logins for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate. -action.escu.creation_date = 2020-07-21 -action.escu.modification_date = 2020-07-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect new user AWS Console Login - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["Suspicious AWS Login Activities"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Detect new user AWS Console Login - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious AWS Login Activities"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "ada0f478-84a8-4641-a3f3-d82362dffd75", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` eventName=ConsoleLogin | rename userIdentity.arn as user | stats earliest(_time) as firstTime latest(_time) as lastTime by user | inputlookup append=t previously_seen_users_console_logins_cloudtrail | stats min(firstTime) as firstTime max(lastTime) as lastTime by user | eval userStatus=if(firstTime >= relative_time(now(), "-70m@m"), "First Time Logging into AWS Console","Previously Seen User") | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`| where userStatus ="First Time Logging into AWS Console" | `detect_new_user_aws_console_login_filter` - -[ESCU - Detect Spike in AWS API Activity - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search will detect users creating spikes of API activity in your AWS environment. It will also update the cache file that factors in the latest data. This search is deprecated and have been translated to use the latest Change Datamodel. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search will detect users creating spikes of API activity in your AWS environment. It will also update the cache file that factors in the latest data. This search is deprecated and have been translated to use the latest Change Datamodel. -action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points required to have a statistically significant amount of data to determine. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike. \ -This search produces fields (`eventName`,`numberOfApiCalls`,`uniqueApisCalled`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry): \ -* **Label:** AWS Event Name, **Field:** eventName \ -* **Label:** Number of API Calls, **Field:** numberOfApiCalls \ -* **Label:** Unique API Calls, **Field:** uniqueApisCalled \ -Detailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details` -action.escu.known_false_positives = None. -action.escu.creation_date = 2020-07-21 -action.escu.modification_date = 2020-07-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect Spike in AWS API Activity - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["AWS User Monitoring"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Detect Spike in AWS API Activity - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS User Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "ada0f478-84a8-4641-a3f1-d32362d4bd55", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` eventType=AwsApiCall [search `cloudtrail` eventType=AwsApiCall | spath output=arn path=userIdentity.arn | stats count as apiCalls by arn | inputlookup api_call_by_user_baseline append=t | fields - latestCount | stats values(*) as * by arn | rename apiCalls as latestCount | eval newAvgApiCalls=avgApiCalls + (latestCount-avgApiCalls)/720 | eval newStdevApiCalls=sqrt(((pow(stdevApiCalls, 2)*719 + (latestCount-newAvgApiCalls)*(latestCount-avgApiCalls))/720)) | eval avgApiCalls=coalesce(newAvgApiCalls, avgApiCalls), stdevApiCalls=coalesce(newStdevApiCalls, stdevApiCalls), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup api_call_by_user_baseline | eval dataPointThreshold = 15, deviationThreshold = 3 | eval isSpike=if((latestCount > avgApiCalls+deviationThreshold*stdevApiCalls) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=user userIdentity.arn | stats values(eventName) as eventName, count as numberOfApiCalls, dc(eventName) as uniqueApisCalled by user | `detect_spike_in_aws_api_activity_filter` - -[ESCU - Detect Spike in Network ACL Activity - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search will detect users creating spikes in API activity related to network access-control lists (ACLs)in your AWS environment. This search is deprecated and have been translated to use the latest Change Datamodel. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.007"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search will detect users creating spikes in API activity related to network access-control lists (ACLs)in your AWS environment. This search is deprecated and have been translated to use the latest Change Datamodel. -action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points required to have a statistically significant amount of data to determine. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike. This search works best when you run the "Baseline of Network ACL Activity by ARN" support search once to create a lookup file of previously seen Network ACL Activity. To add or remove API event names related to network ACLs, edit the macro `network_acl_events`. -action.escu.known_false_positives = The false-positive rate may vary based on the values of`dataPointThreshold` and `deviationThreshold`. Please modify this according the your environment. -action.escu.creation_date = 2018-05-21 -action.escu.modification_date = 2018-05-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect Spike in Network ACL Activity - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["AWS Network ACL Activity"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Detect Spike in Network ACL Activity - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Network ACL Activity"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.007"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "ada0f478-84a8-4641-a1f1-e32372d4bd53", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` `network_acl_events` [search `cloudtrail` `network_acl_events` | spath output=arn path=userIdentity.arn | stats count as apiCalls by arn | inputlookup network_acl_activity_baseline append=t | fields - latestCount | stats values(*) as * by arn | rename apiCalls as latestCount | eval newAvgApiCalls=avgApiCalls + (latestCount-avgApiCalls)/720 | eval newStdevApiCalls=sqrt(((pow(stdevApiCalls, 2)*719 + (latestCount-newAvgApiCalls)*(latestCount-avgApiCalls))/720)) | eval avgApiCalls=coalesce(newAvgApiCalls, avgApiCalls), stdevApiCalls=coalesce(newStdevApiCalls, stdevApiCalls), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup network_acl_activity_baseline | eval dataPointThreshold = 15, deviationThreshold = 3 | eval isSpike=if((latestCount > avgApiCalls+deviationThreshold*stdevApiCalls) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=user userIdentity.arn | stats values(eventName) as eventNames, count as numberOfApiCalls, dc(eventName) as uniqueApisCalled by user | `detect_spike_in_network_acl_activity_filter` - -[ESCU - Detect Spike in Security Group Activity - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search will detect users creating spikes in API activity related to security groups in your AWS environment. It will also update the cache file that factors in the latest data. This search is deprecated and have been translated to use the latest Change Datamodel. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search will detect users creating spikes in API activity related to security groups in your AWS environment. It will also update the cache file that factors in the latest data. This search is deprecated and have been translated to use the latest Change Datamodel. -action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points required to have a statistically significant amount of data to determine. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike.This search works best when you run the "Baseline of Security Group Activity by ARN" support search once to create a history of previously seen Security Group Activity. To add or remove API event names for security groups, edit the macro `security_group_api_calls`. -action.escu.known_false_positives = Based on the values of`dataPointThreshold` and `deviationThreshold`, the false positive rate may vary. Please modify this according the your environment. -action.escu.creation_date = 2018-04-18 -action.escu.modification_date = 2018-04-18 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect Spike in Security Group Activity - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["AWS User Monitoring"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Detect Spike in Security Group Activity - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS User Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "ada0f478-84a8-4641-a3f1-e32372d4bd53", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` `security_group_api_calls` [search `cloudtrail` `security_group_api_calls` | spath output=arn path=userIdentity.arn | stats count as apiCalls by arn | inputlookup security_group_activity_baseline append=t | fields - latestCount | stats values(*) as * by arn | rename apiCalls as latestCount | eval newAvgApiCalls=avgApiCalls + (latestCount-avgApiCalls)/720 | eval newStdevApiCalls=sqrt(((pow(stdevApiCalls, 2)*719 + (latestCount-newAvgApiCalls)*(latestCount-avgApiCalls))/720)) | eval avgApiCalls=coalesce(newAvgApiCalls, avgApiCalls), stdevApiCalls=coalesce(newStdevApiCalls, stdevApiCalls), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup security_group_activity_baseline | eval dataPointThreshold = 15, deviationThreshold = 3 | eval isSpike=if((latestCount > avgApiCalls+deviationThreshold*stdevApiCalls) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=user userIdentity.arn | stats values(eventName) as eventNames, count as numberOfApiCalls, dc(eventName) as uniqueApisCalled by user | `detect_spike_in_security_group_activity_filter` - -[ESCU - Detect USB device insertion - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. The search is used to detect hosts that generate Windows Event ID 4663 for successful attempts to write to or read from a removable storage and Event ID 4656 for failures, which occurs when a USB drive is plugged in. In this scenario we are querying the Change_Analysis data model to look for Windows Event ID 4656 or 4663 where the priority of the affected host is marked as high in the ES Assets and Identity Framework. -action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.CM"]} -action.escu.data_models = ["Change", "Change_Analysis"] -action.escu.eli5 = The search is used to detect hosts that generate Windows Event ID 4663 for successful attempts to write to or read from a removable storage and Event ID 4656 for failures, which occurs when a USB drive is plugged in. In this scenario we are querying the Change_Analysis data model to look for Windows Event ID 4656 or 4663 where the priority of the affected host is marked as high in the ES Assets and Identity Framework. -action.escu.how_to_implement = To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663 and 4656. Ensure that the field from the event logs is being mapped to the result_id field in the Change_Analysis data model. To minimize the alert volume, this search leverages the Assets and Identity framework to filter out events from those assets not marked high priority in the Enterprise Security Assets and Identity Framework. -action.escu.known_false_positives = Legitimate USB activity will also be detected. Please verify and investigate as appropriate. -action.escu.creation_date = 2017-11-27 -action.escu.modification_date = 2017-11-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect USB device insertion - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Data Protection"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Detect USB device insertion - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Protection"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "104658f4-afdc-499f-9719-17a43f9826f5", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The search is used to detect hosts that generate Windows Event ID 4663 for successful attempts to write to or read from a removable storage and Event ID 4656 for failures, which occurs when a USB drive is plugged in. In this scenario we are querying the Change_Analysis data model to look for Windows Event ID 4656 or 4663 where the priority of the affected host is marked as high in the ES Assets and Identity Framework. -action.notable.param.rule_title = Detect USB device insertion -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count earliest(_time) AS earliest latest(_time) AS latest from datamodel=Change_Analysis where (nodename = All_Changes) All_Changes.result="Removable Storage device" (All_Changes.result_id=4663 OR All_Changes.result_id=4656) (All_Changes.src_priority=high) by All_Changes.dest | `drop_dm_object_name("All_Changes")`| `security_content_ctime(earliest)`| `security_content_ctime(latest)` | `detect_usb_device_insertion_filter` - -[ESCU - Detect web traffic to dynamic domain providers - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for web connections to dynamic DNS providers. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1071.001"], "nist": ["DE.CM"]} -action.escu.data_models = ["Web"] -action.escu.eli5 = This search looks for web connections to dynamic DNS providers. -action.escu.how_to_implement = This search requires you to be ingesting web-traffic logs. You can obtain these logs from indexing data from a web proxy or by using a network-traffic-analysis tool, such as Bro or Splunk Stream. The web data model must contain the URL being requested, the IP address of the host initiating the request, and the destination IP. This search also leverages a lookup file, `dynamic_dns_providers_default.csv`, which contains a non-exhaustive list of dynamic DNS providers. Consider periodically updating this local lookup file with new domains. \ -This search produces fields (`isDynDNS`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry): \ -* **Label:** IsDynamicDNS, **Field:** isDynDNS \ -Detailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details` Deprecated because duplicate. -action.escu.known_false_positives = It is possible that list of dynamic DNS providers is outdated and/or that the URL being requested is legitimate. -action.escu.creation_date = 2020-07-21 -action.escu.modification_date = 2020-07-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect web traffic to dynamic domain providers - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Dynamic DNS"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Detect web traffic to dynamic domain providers - Rule -action.correlationsearch.annotations = {"analytic_story": ["Dynamic DNS"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1071.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "134da869-e264-4a8f-8d7e-fcd01c18f301", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search looks for web connections to dynamic DNS providers. -action.notable.param.rule_title = Detect web traffic to dynamic domain providers -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count values(Web.url) as url min(_time) as firstTime from datamodel=Web where Web.status=200 by Web.src Web.dest Web.status | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `dynamic_dns_web_traffic` | `detect_web_traffic_to_dynamic_domain_providers_filter` - -[ESCU - Detection of DNS Tunnels - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search is used to detect DNS tunneling, by calculating the sum of the length of DNS queries and DNS answers. The search also filters out potential false positives by filtering out queries made to internal systems and the queries originating from internal DNS, Web, and Email servers. Endpoints using DNS as a method of transmission for data exfiltration, Command And Control, or evasion of security controls can often be detected by noting an unusually large volume of DNS traffic. \ -NOTE:Deprecated because existing detection is doing the same. This detection is replaced with two other variations, if you are using MLTK then you can use this search `ESCU - DNS Query Length Outliers - MLTK - Rule` or use the standard deviation version `ESCU - DNS Query Length With High Standard Deviation - Rule`, as an alternantive. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048.003"], "nist": ["DE.CM"]} -action.escu.data_models = ["Network_Resolution"] -action.escu.eli5 = This search is used to detect DNS tunneling, by calculating the sum of the length of DNS queries and DNS answers. The search also filters out potential false positives by filtering out queries made to internal systems and the queries originating from internal DNS, Web, and Email servers. Endpoints using DNS as a method of transmission for data exfiltration, Command And Control, or evasion of security controls can often be detected by noting an unusually large volume of DNS traffic. \ -NOTE:Deprecated because existing detection is doing the same. This detection is replaced with two other variations, if you are using MLTK then you can use this search `ESCU - DNS Query Length Outliers - MLTK - Rule` or use the standard deviation version `ESCU - DNS Query Length With High Standard Deviation - Rule`, as an alternantive. -action.escu.how_to_implement = To successfully implement this search, we must ensure that DNS data is being ingested and mapped to the appropriate fields in the Network_Resolution data model. Fields like src_category are automatically provided by the Assets and Identity Framework shipped with Splunk Enterprise Security. You will need to ensure you are using the Assets and Identity Framework and populating the src_category field. You will also need to enable the `cim_corporate_web_domain_search()` macro which will essentially filter out the DNS queries made to the corporate web domains to reduce alert fatigue. -action.escu.known_false_positives = It's possible that normal DNS traffic will exhibit this behavior. If an alert is generated, please investigate and validate as appropriate. The threshold can also be modified to better suit your environment. -action.escu.creation_date = 2022-02-15 -action.escu.modification_date = 2022-02-15 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detection of DNS Tunnels - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Command And Control", "Data Protection", "Suspicious DNS Traffic"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Detection of DNS Tunnels - Rule -action.correlationsearch.annotations = {"analytic_story": ["Command And Control", "Data Protection", "Suspicious DNS Traffic"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048.003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "104658f4-afdc-499f-9719-17a43f9826f4", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search is used to detect DNS tunneling, by calculating the sum of the length of DNS queries and DNS answers. The search also filters out potential false positives by filtering out queries made to internal systems and the queries originating from internal DNS, Web, and Email servers. Endpoints using DNS as a method of transmission for data exfiltration, Command And Control, or evasion of security controls can often be detected by noting an unusually large volume of DNS traffic. \ -NOTE:Deprecated because existing detection is doing the same. This detection is replaced with two other variations, if you are using MLTK then you can use this search `ESCU - DNS Query Length Outliers - MLTK - Rule` or use the standard deviation version `ESCU - DNS Query Length With High Standard Deviation - Rule`, as an alternantive. -action.notable.param.rule_title = Detection of DNS Tunnels -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` dc("DNS.query") as count from datamodel=Network_Resolution where nodename=DNS "DNS.message_type"="QUERY" NOT (`cim_corporate_web_domain_search("DNS.query")`) NOT "DNS.query"="*.in-addr.arpa" NOT ("DNS.src_category"="svc_infra_dns" OR "DNS.src_category"="svc_infra_webproxy" OR "DNS.src_category"="svc_infra_email*" ) by "DNS.src","DNS.query" | rename "DNS.src" as src "DNS.query" as message | eval length=len(message) | stats sum(length) as length by src | append [ tstats `security_content_summariesonly` dc("DNS.answer") as count from datamodel=Network_Resolution where nodename=DNS "DNS.message_type"="QUERY" NOT (`cim_corporate_web_domain_search("DNS.query")`) NOT "DNS.query"="*.in-addr.arpa" NOT ("DNS.src_category"="svc_infra_dns" OR "DNS.src_category"="svc_infra_webproxy" OR "DNS.src_category"="svc_infra_email*" ) by "DNS.src","DNS.answer" | rename "DNS.src" as src "DNS.answer" as message | eval message=if(message=="unknown","", message) | eval length=len(message) | stats sum(length) as length by src ] | stats sum(length) as length by src | where length > 10000 | `detection_of_dns_tunnels_filter` - -[ESCU - DNS Query Requests Resolved by Unauthorized DNS Servers - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search will detect DNS requests resolved by unauthorized DNS servers. Legitimate DNS servers should be identified in the Enterprise Security Assets and Identity Framework. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1071.004"], "nist": ["DE.CM"]} -action.escu.data_models = ["Network_Resolution"] -action.escu.eli5 = This search will detect DNS requests resolved by unauthorized DNS servers. Legitimate DNS servers should be identified in the Enterprise Security Assets and Identity Framework. -action.escu.how_to_implement = To successfully implement this search you will need to ensure that DNS data is populating the Network_Resolution data model. It also requires that your DNS servers are identified correctly in the Assets and Identity table of Enterprise Security. -action.escu.known_false_positives = Legitimate DNS activity can be detected in this search. Investigate, verify and update the list of authorized DNS servers as appropriate. -action.escu.creation_date = 2020-07-21 -action.escu.modification_date = 2020-07-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - DNS Query Requests Resolved by Unauthorized DNS Servers - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Command And Control", "DNS Hijacking", "Host Redirection", "Suspicious DNS Traffic"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - DNS Query Requests Resolved by Unauthorized DNS Servers - Rule -action.correlationsearch.annotations = {"analytic_story": ["Command And Control", "DNS Hijacking", "Host Redirection", "Suspicious DNS Traffic"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1071.004"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "1a67f15a-f4ff-4170-84e9-08cf6f75d6f6", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search will detect DNS requests resolved by unauthorized DNS servers. Legitimate DNS servers should be identified in the Enterprise Security Assets and Identity Framework. -action.notable.param.rule_title = DNS Query Requests Resolved by Unauthorized DNS Servers -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count from datamodel=Network_Resolution where DNS.dest_category != dns_server AND DNS.src_category != dns_server by DNS.src DNS.dest | `drop_dm_object_name("DNS")` | `dns_query_requests_resolved_by_unauthorized_dns_servers_filter` - -[ESCU - DNS record changed - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. The search takes the DNS records and their answers results of the discovered_dns_records lookup and finds if any records have changed by searching DNS response from the Network_Resolution datamodel across the last day. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1071.004"], "nist": ["DE.CM"]} -action.escu.data_models = ["Network_Resolution"] -action.escu.eli5 = The search takes the DNS records and their answers results of the discovered_dns_records lookup and finds if any records have changed by searching DNS response from the Network_Resolution datamodel across the last day. -action.escu.how_to_implement = To successfully implement this search you will need to ensure that DNS data is populating the `Network_Resolution` data model. It also requires that the `discover_dns_record` lookup table be populated by the included support search "Discover DNS record". \ -**Splunk>Phantom Playbook Integration** \ -If Splunk>Phantom is also configured in your environment, a Playbook called "DNS Hijack Enrichment" can be configured to run when any results are found by this detection search. The playbook takes in the DNS record changed and uses Geoip, whois, Censys and PassiveTotal to detect if DNS issuers changed. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`, add the correct hostname to the \"Phantom Instance\" field in the Adaptive Response Actions when configuring this detection search, and set the corresponding Playbook to active. \ -(Playbook Link:`https://my.phantom.us/4.2/playbook/dns-hijack-enrichment/`) -action.escu.known_false_positives = Legitimate DNS changes can be detected in this search. Investigate, verify and update the list of provided current answers for the domains in question as appropriate. -action.escu.creation_date = 2020-07-21 -action.escu.modification_date = 2020-07-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - DNS record changed - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["DNS Hijacking"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - DNS record changed - Rule -action.correlationsearch.annotations = {"analytic_story": ["DNS Hijacking"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1071.004"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "44d3a43e-dcd5-49f7-8356-5209bb369065", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The search takes the DNS records and their answers results of the discovered_dns_records lookup and finds if any records have changed by searching DNS response from the Network_Resolution datamodel across the last day. -action.notable.param.rule_title = DNS record changed -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | inputlookup discovered_dns_records | rename answer as discovered_answer | join domain[|tstats `security_content_summariesonly` count values(DNS.record_type) as type, values(DNS.answer) as current_answer values(DNS.src) as src from datamodel=Network_Resolution where DNS.message_type=RESPONSE DNS.answer!="unknown" DNS.answer!="" by DNS.query | rename DNS.query as query | where query!="unknown" | rex field=query "(?\w+\.\w+?)(?:$|/)"] | makemv delim=" " answer | makemv delim=" " type | sort -count | table count,src,domain,type,query,current_answer,discovered_answer | makemv current_answer | mvexpand current_answer | makemv discovered_answer | eval n=mvfind(discovered_answer, current_answer) | where isnull(n) | `dns_record_changed_filter` - -[ESCU - Dump LSASS via procdump Rename - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. Detect a renamed instance of procdump.exe dumping the lsass process. This query looks for both -mm and -ma usage. -mm will produce a mini dump file and -ma will write a dump file with all process memory. Both are highly suspect and should be reviewed. Modify the query as needed. \ -During triage, confirm this is procdump.exe executing. If it is the first time a Sysinternals utility has been ran, it is possible there will be a -accepteula on the command line. Review other endpoint data sources for cross process (injection) into lsass.exe. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = Detect a renamed instance of procdump.exe dumping the lsass process. This query looks for both -mm and -ma usage. -mm will produce a mini dump file and -ma will write a dump file with all process memory. Both are highly suspect and should be reviewed. Modify the query as needed. \ -During triage, confirm this is procdump.exe executing. If it is the first time a Sysinternals utility has been ran, it is possible there will be a -accepteula on the command line. Review other endpoint data sources for cross process (injection) into lsass.exe. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. -action.escu.known_false_positives = None identified. -action.escu.creation_date = 2021-02-01 -action.escu.modification_date = 2021-02-01 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Dump LSASS via procdump Rename - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["CISA AA22-257A", "Credential Dumping", "HAFNIUM Group"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Dump LSASS via procdump Rename - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA22-257A", "Credential Dumping", "HAFNIUM Group"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "21276daa-663d-11eb-ae93-0242ac130002", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` OriginalFileName=procdump process_name!=procdump*.exe EventID=1 (CommandLine=*-ma* OR CommandLine=*-mm*) CommandLine=*lsass* | stats count min(_time) as firstTime max(_time) as lastTime by dest, parent_process_name, process_name, OriginalFileName, CommandLine | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dump_lsass_via_procdump_rename_filter` - -[ESCU - EC2 Instance Modified With Previously Unseen User - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for EC2 instances being modified by users who have not previously modified them. This search is deprecated and have been translated to use the latest Change Datamodel. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search looks for EC2 instances being modified by users who have not previously modified them. This search is deprecated and have been translated to use the latest Change Datamodel. -action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the "Previously Seen EC2 Launches By User" support search once to create a history of previously seen ARNs. To add or remove APIs that modify an EC2 instance, edit the macro `ec2_modification_api_calls`. -action.escu.known_false_positives = It's possible that a new user will start to modify EC2 instances when they haven't before for any number of reasons. Verify with the user that is modifying instances that this is the intended behavior. -action.escu.creation_date = 2020-07-21 -action.escu.modification_date = 2020-07-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - EC2 Instance Modified With Previously Unseen User - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["Unusual AWS EC2 Modifications"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - EC2 Instance Modified With Previously Unseen User - Rule -action.correlationsearch.annotations = {"analytic_story": ["Unusual AWS EC2 Modifications"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "56f91724-cf3f-4666-84e1-e3712fb41e76", "detection_version": "3"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` `ec2_modification_api_calls` [search `cloudtrail` `ec2_modification_api_calls` errorCode=success | stats earliest(_time) as firstTime latest(_time) as lastTime by userIdentity.arn | rename userIdentity.arn as arn | inputlookup append=t previously_seen_ec2_modifications_by_user | stats min(firstTime) as firstTime, max(lastTime) as lastTime by arn | outputlookup previously_seen_ec2_modifications_by_user | eval newUser=if(firstTime >= relative_time(now(), "-70m@m"), 1, 0) | where newUser=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=dest responseElements.instancesSet.items{}.instanceId | spath output=user userIdentity.arn | table _time, user, dest | `ec2_instance_modified_with_previously_unseen_user_filter` - -[ESCU - EC2 Instance Started In Previously Unseen Region - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for AWS CloudTrail events where an instance is started in a particular region in the last one hour and then compares it to a lookup file of previously seen regions where an instance was started -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1535"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search looks for AWS CloudTrail events where an instance is started in a particular region in the last one hour and then compares it to a lookup file of previously seen regions where an instance was started -action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. Run the "Previously seen AWS Regions" support search only once to create of baseline of previously seen regions. This search is deprecated and have been translated to use the latest Change Datamodel. -action.escu.known_false_positives = It's possible that a user has unknowingly started an instance in a new region. Please verify that this activity is legitimate. -action.escu.creation_date = 2018-02-23 -action.escu.modification_date = 2018-02-23 -action.escu.confidence = high -action.escu.full_search_name = ESCU - EC2 Instance Started In Previously Unseen Region - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["AWS Cryptomining", "Suspicious AWS EC2 Activities"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - EC2 Instance Started In Previously Unseen Region - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Cryptomining", "Suspicious AWS EC2 Activities"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1535"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "ada0f478-84a8-4641-a3f3-d82362d6fd75", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` earliest=-1h StartInstances | stats earliest(_time) as earliest latest(_time) as latest by awsRegion | inputlookup append=t previously_seen_aws_regions.csv | stats min(earliest) as earliest max(latest) as latest by awsRegion | outputlookup previously_seen_aws_regions.csv | eval regionStatus=if(earliest >= relative_time(now(),"-1d@d"), "Instance Started in a New Region","Previously Seen Region") | `security_content_ctime(earliest)` | `security_content_ctime(latest)` | where regionStatus="Instance Started in a New Region" | `ec2_instance_started_in_previously_unseen_region_filter` - -[ESCU - EC2 Instance Started With Previously Unseen AMI - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for EC2 instances being created with previously unseen AMIs. This search is deprecated and have been translated to use the latest Change Datamodel. -action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search looks for EC2 instances being created with previously unseen AMIs. This search is deprecated and have been translated to use the latest Change Datamodel. -action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the "Previously Seen EC2 AMIs" support search once to create a history of previously seen AMIs. -action.escu.known_false_positives = After a new AMI is created, the first systems created with that AMI will cause this alert to fire. Verify that the AMI being used was created by a legitimate user. -action.escu.creation_date = 2018-03-12 -action.escu.modification_date = 2018-03-12 -action.escu.confidence = high -action.escu.full_search_name = ESCU - EC2 Instance Started With Previously Unseen AMI - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["AWS Cryptomining"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - EC2 Instance Started With Previously Unseen AMI - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Cryptomining"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "347ec301-601b-48b9-81aa-9ddf9c829dd3", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` eventName=RunInstances [search `cloudtrail` eventName=RunInstances errorCode=success | stats earliest(_time) as firstTime latest(_time) as lastTime by requestParameters.instancesSet.items{}.imageId | rename requestParameters.instancesSet.items{}.imageId as amiID | inputlookup append=t previously_seen_ec2_amis.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by amiID | outputlookup previously_seen_ec2_amis.csv | eval newAMI=if(firstTime >= relative_time(now(), "-70m@m"), 1, 0) | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | where newAMI=1 | rename amiID as requestParameters.instancesSet.items{}.imageId | table requestParameters.instancesSet.items{}.imageId] | rename requestParameters.instanceType as instanceType, responseElements.instancesSet.items{}.instanceId as dest, userIdentity.arn as arn, requestParameters.instancesSet.items{}.imageId as amiID | table firstTime, lastTime, arn, amiID, dest, instanceType | `ec2_instance_started_with_previously_unseen_ami_filter` - -[ESCU - EC2 Instance Started With Previously Unseen Instance Type - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for EC2 instances being created with previously unseen instance types. This search is deprecated and have been translated to use the latest Change Datamodel. -action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search looks for EC2 instances being created with previously unseen instance types. This search is deprecated and have been translated to use the latest Change Datamodel. -action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the "Previously Seen EC2 Instance Types" support search once to create a history of previously seen instance types. -action.escu.known_false_positives = It is possible that an admin will create a new system using a new instance type never used before. Verify with the creator that they intended to create the system with the new instance type. -action.escu.creation_date = 2020-02-07 -action.escu.modification_date = 2020-02-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - EC2 Instance Started With Previously Unseen Instance Type - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["AWS Cryptomining"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - EC2 Instance Started With Previously Unseen Instance Type - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Cryptomining"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "65541c80-03c7-4e05-83c8-1dcd57a2e1ad", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` eventName=RunInstances [search `cloudtrail` eventName=RunInstances errorCode=success | fillnull value="m1.small" requestParameters.instanceType | stats earliest(_time) as earliest latest(_time) as latest by requestParameters.instanceType | rename requestParameters.instanceType as instanceType | inputlookup append=t previously_seen_ec2_instance_types.csv | stats min(earliest) as earliest max(latest) as latest by instanceType | outputlookup previously_seen_ec2_instance_types.csv | eval newType=if(earliest >= relative_time(now(), "-70m@m"), 1, 0) | `security_content_ctime(earliest)` | `security_content_ctime(latest)` | where newType=1 | rename instanceType as requestParameters.instanceType | table requestParameters.instanceType] | spath output=user userIdentity.arn | rename requestParameters.instanceType as instanceType, responseElements.instancesSet.items{}.instanceId as dest | table _time, user, dest, instanceType | `ec2_instance_started_with_previously_unseen_instance_type_filter` - -[ESCU - EC2 Instance Started With Previously Unseen User - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for EC2 instances being created by users who have not created them before. This search is deprecated and have been translated to use the latest Change Datamodel. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search looks for EC2 instances being created by users who have not created them before. This search is deprecated and have been translated to use the latest Change Datamodel. -action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the "Previously Seen EC2 Launches By User" support search once to create a history of previously seen ARNs. -action.escu.known_false_positives = It's possible that a user will start to create EC2 instances when they haven't before for any number of reasons. Verify with the user that is launching instances that this is the intended behavior. -action.escu.creation_date = 2020-07-21 -action.escu.modification_date = 2020-07-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - EC2 Instance Started With Previously Unseen User - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] -action.escu.analytic_story = ["AWS Cryptomining", "Suspicious AWS EC2 Activities"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - EC2 Instance Started With Previously Unseen User - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Cryptomining", "Suspicious AWS EC2 Activities"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "22773e84-bac0-4595-b086-20d3f735b4f1", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cloudtrail` eventName=RunInstances [search `cloudtrail` eventName=RunInstances errorCode=success | stats earliest(_time) as firstTime latest(_time) as lastTime by userIdentity.arn | rename userIdentity.arn as arn | inputlookup append=t previously_seen_ec2_launches_by_user.csv | stats min(firstTime) as firstTime, max(lastTime) as lastTime by arn | outputlookup previously_seen_ec2_launches_by_user.csv | eval newUser=if(firstTime >= relative_time(now(), "-70m@m"), 1, 0) | where newUser=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename arn as userIdentity.arn | table userIdentity.arn] | rename requestParameters.instanceType as instanceType, responseElements.instancesSet.items{}.instanceId as dest, userIdentity.arn as user | table _time, user, dest, instanceType | `ec2_instance_started_with_previously_unseen_user_filter` - -[ESCU - Execution of File With Spaces Before Extension - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for processes launched from files with at least five spaces in the name before the extension. This is typically done to obfuscate the file extension by pushing it outside of the default view. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036.003"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search looks for processes launched from files with at least five spaces in the name before the extension. This is typically done to obfuscate the file extension by pushing it outside of the default view. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = None identified. -action.escu.creation_date = 2020-11-19 -action.escu.modification_date = 2020-11-19 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Execution of File With Spaces Before Extension - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Masquerading - Rename System Utilities", "Windows File Extension and Association Abuse"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Execution of File With Spaces Before Extension - Rule -action.correlationsearch.annotations = {"analytic_story": ["Masquerading - Rename System Utilities", "Windows File Extension and Association Abuse"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036.003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "ab0353e6-a956-420b-b724-a8b4846d5d5a", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search looks for processes launched from files with at least five spaces in the name before the extension. This is typically done to obfuscate the file extension by pushing it outside of the default view. -action.notable.param.rule_title = Execution of File With Spaces Before Extension -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count values(Processes.process_path) as process_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = "* .*" by Processes.dest Processes.user Processes.process Processes.process_name | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `execution_of_file_with_spaces_before_extension_filter` - -[ESCU - Extended Period Without Successful Netbackup Backups - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search returns a list of hosts that have not successfully completed a backup in over a week. Deprecated because it's a infrastructure monitoring. -action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search returns a list of hosts that have not successfully completed a backup in over a week. Deprecated because it's a infrastructure monitoring. -action.escu.how_to_implement = To successfully implement this search you need to first obtain data from your backup solution, either from the backup logs on your hosts, or from a central server responsible for performing the backups. If you do not use Netbackup, you can modify this search for your backup solution. Depending on how often you backup your systems, you may want to modify how far in the past to look for a successful backup, other than the default of seven days. -action.escu.known_false_positives = None identified -action.escu.creation_date = 2017-09-12 -action.escu.modification_date = 2017-09-12 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Extended Period Without Successful Netbackup Backups - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Monitor Backup Solution"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Extended Period Without Successful Netbackup Backups - Rule -action.correlationsearch.annotations = {"analytic_story": ["Monitor Backup Solution"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "a34aae96-ccf8-4aef-952c-3ea214444440", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `netbackup` MESSAGE="Disk/Partition backup completed successfully." | stats latest(_time) as latestTime by COMPUTERNAME | `security_content_ctime(latestTime)` | rename COMPUTERNAME as dest | eval isOutlier=if(latestTime <= relative_time(now(), "-7d@d"), 1, 0) | search isOutlier=1 | table latestTime, dest | `extended_period_without_successful_netbackup_backups_filter` - -[ESCU - First time seen command line argument - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for command-line arguments that use a `/c` parameter to execute a command that has not previously been seen. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.001", "T1059.003"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search looks for command-line arguments that use a `/c` parameter to execute a command that has not previously been seen. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Legitimate programs can also use command-line arguments to execute. Please verify the command-line arguments to check what command/program is being executed. We recommend customizing the `first_time_seen_cmd_line_filter` macro to exclude legitimate parent_process_name -action.escu.creation_date = 2020-07-21 -action.escu.modification_date = 2020-07-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - First time seen command line argument - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["DHS Report TA18-074A", "Hidden Cobra Malware", "Orangeworm Attack Group", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Suspicious Command-Line Executions"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - First time seen command line argument - Rule -action.correlationsearch.annotations = {"analytic_story": ["DHS Report TA18-074A", "Hidden Cobra Malware", "Orangeworm Attack Group", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Suspicious Command-Line Executions"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.001", "T1059.003"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "a1b6e73f-98d5-470f-99ac-77aacd578473", "detection_version": "5"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = cmd.exe Processes.process = "* /c *" by Processes.process Processes.process_name Processes.parent_process_name Processes.dest| `drop_dm_object_name(Processes)`| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search [| tstats `security_content_summariesonly` earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = cmd.exe Processes.process = "* /c *" by Processes.process | `drop_dm_object_name(Processes)` | inputlookup append=t previously_seen_cmd_line_arguments | stats min(firstTime) as firstTime, max(lastTime) as lastTime by process | outputlookup previously_seen_cmd_line_arguments | eval newCmdLineArgument=if(firstTime >= relative_time(now(), "-70m@m"), 1, 0) | where newCmdLineArgument=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table process] | `first_time_seen_command_line_argument_filter` - -[ESCU - GCP Detect accounts with high risk roles by project - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search provides detection of accounts with high risk roles by projects. Compromised accounts with high risk roles can move laterally or even scalate privileges at different projects depending on organization schema. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} -action.escu.data_models = ["Email"] -action.escu.eli5 = This search provides detection of accounts with high risk roles by projects. Compromised accounts with high risk roles can move laterally or even scalate privileges at different projects depending on organization schema. -action.escu.how_to_implement = You must install splunk GCP add-on. This search works with gcp:pubsub:message logs -action.escu.known_false_positives = Accounts with high risk roles should be reduced to the minimum number needed, however specific tasks and setups may be simply expected behavior within organization -action.escu.creation_date = 2020-10-09 -action.escu.modification_date = 2020-10-09 -action.escu.confidence = high -action.escu.full_search_name = ESCU - GCP Detect accounts with high risk roles by project - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Google Cloud Platform", "Google Workspace"] -action.escu.analytic_story = ["GCP Cross Account Activity"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - GCP Detect accounts with high risk roles by project - Rule -action.correlationsearch.annotations = {"analytic_story": ["GCP Cross Account Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "27af8c15-38b0-4408-b339-920170724adb", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `google_gcp_pubsub_message` data.protoPayload.request.policy.bindings{}.role=roles/owner OR roles/editor OR roles/iam.serviceAccountUser OR roles/iam.serviceAccountAdmin OR roles/iam.serviceAccountTokenCreator OR roles/dataflow.developer OR roles/dataflow.admin OR roles/composer.admin OR roles/dataproc.admin OR roles/dataproc.editor | table data.resource.type data.protoPayload.authenticationInfo.principalEmail data.protoPayload.authorizationInfo{}.permission data.protoPayload.authorizationInfo{}.resource data.protoPayload.response.bindings{}.role data.protoPayload.response.bindings{}.members{} | `gcp_detect_accounts_with_high_risk_roles_by_project_filter` - -[ESCU - GCP Detect high risk permissions by resource and account - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search provides detection of high risk permissions by resource and accounts. These are permissions that can allow attackers with compromised accounts to move laterally and escalate privileges. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} -action.escu.data_models = ["Email"] -action.escu.eli5 = This search provides detection of high risk permissions by resource and accounts. These are permissions that can allow attackers with compromised accounts to move laterally and escalate privileges. -action.escu.how_to_implement = You must install splunk GCP add-on. This search works with gcp:pubsub:message logs -action.escu.known_false_positives = High risk permissions are part of any GCP environment, however it is important to track resource and accounts usage, this search may produce false positives. -action.escu.creation_date = 2020-10-09 -action.escu.modification_date = 2020-10-09 -action.escu.confidence = high -action.escu.full_search_name = ESCU - GCP Detect high risk permissions by resource and account - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Google Cloud Platform", "Google Workspace"] -action.escu.analytic_story = ["GCP Cross Account Activity"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - GCP Detect high risk permissions by resource and account - Rule -action.correlationsearch.annotations = {"analytic_story": ["GCP Cross Account Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "2e70ef35-2187-431f-aedc-4503dc9b06ba", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `google_gcp_pubsub_message` data.protoPayload.authorizationInfo{}.permission=iam.serviceAccounts.getaccesstoken OR iam.serviceAccounts.setIamPolicy OR iam.serviceAccounts.actas OR dataflow.jobs.create OR composer.environments.create OR dataproc.clusters.create |table data.protoPayload.requestMetadata.callerIp data.protoPayload.authenticationInfo.principalEmail data.protoPayload.authorizationInfo{}.permission data.protoPayload.response.bindings{}.members{} data.resource.labels.project_id | `gcp_detect_high_risk_permissions_by_resource_and_account_filter` - -[ESCU - gcp detect oauth token abuse - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search provides detection of possible GCP Oauth token abuse. GCP Oauth token without time limit can be exfiltrated and reused for keeping access sessions alive without further control of authentication, allowing attackers to access and move laterally. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search provides detection of possible GCP Oauth token abuse. GCP Oauth token without time limit can be exfiltrated and reused for keeping access sessions alive without further control of authentication, allowing attackers to access and move laterally. -action.escu.how_to_implement = You must install splunk GCP add-on. This search works with gcp:pubsub:message logs -action.escu.known_false_positives = GCP Oauth token abuse detection will only work if there are access policies in place along with audit logs. -action.escu.creation_date = 2020-09-01 -action.escu.modification_date = 2020-09-01 -action.escu.confidence = high -action.escu.full_search_name = ESCU - gcp detect oauth token abuse - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Google Cloud Platform", "Google Workspace"] -action.escu.analytic_story = ["GCP Cross Account Activity"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - gcp detect oauth token abuse - Rule -action.correlationsearch.annotations = {"analytic_story": ["GCP Cross Account Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "a7e9f7bb-8901-4ad0-8d88-0a4ab07b1972", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `google_gcp_pubsub_message` type.googleapis.com/google.cloud.audit.AuditLog |table protoPayload.@type protoPayload.status.details{}.@type protoPayload.status.details{}.violations{}.callerIp protoPayload.status.details{}.violations{}.type protoPayload.status.message | `gcp_detect_oauth_token_abuse_filter` - -[ESCU - GCP Kubernetes cluster scan detection - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search provides information of unauthenticated requests via user agent, and authentication data against Kubernetes cluster -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.CM"]} -action.escu.data_models = ["Email"] -action.escu.eli5 = This search provides information of unauthenticated requests via user agent, and authentication data against Kubernetes cluster -action.escu.how_to_implement = You must install the GCP App for Splunk (version 2.0.0 or later), then configure stackdriver and set a Pub/Sub subscription to be imported to Splunk. You must also install Cloud Infrastructure data model.Customize the macro kubernetes_gcp_scan_fingerprint_attack_detection to filter out FPs. -action.escu.known_false_positives = Not all unauthenticated requests are malicious, but frequency, User Agent and source IPs will provide context. -action.escu.creation_date = 2020-04-15 -action.escu.modification_date = 2020-04-15 -action.escu.confidence = high -action.escu.full_search_name = ESCU - GCP Kubernetes cluster scan detection - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Google Cloud Platform", "Google Workspace"] -action.escu.analytic_story = ["Kubernetes Scanning Activity"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - GCP Kubernetes cluster scan detection - Rule -action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Scanning Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "db5957ec-0144-4c56-b512-9dccbe7a2d26", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search provides information of unauthenticated requests via user agent, and authentication data against Kubernetes cluster -action.notable.param.rule_title = GCP Kubernetes cluster scan detection -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `google_gcp_pubsub_message` data.protoPayload.requestMetadata.callerIp!=127.0.0.1 data.protoPayload.requestMetadata.callerIp!=::1 "data.labels.authorization.k8s.io/decision"=forbid "data.protoPayload.status.message"=PERMISSION_DENIED data.protoPayload.authenticationInfo.principalEmail="system:anonymous" | rename data.protoPayload.requestMetadata.callerIp as src_ip | stats count min(_time) as firstTime max(_time) as lastTime values(data.protoPayload.methodName) as method_name values(data.protoPayload.resourceName) as resource_name values(data.protoPayload.requestMetadata.callerSuppliedUserAgent) as http_user_agent by src_ip data.resource.labels.cluster_name | rename data.resource.labels.cluster_name as cluster_name| `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `gcp_kubernetes_cluster_scan_detection_filter` - -[ESCU - Identify New User Accounts - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This detection search will help profile user accounts in your environment by identifying newly created accounts that have been added to your network in the past week. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.002"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This detection search will help profile user accounts in your environment by identifying newly created accounts that have been added to your network in the past week. -action.escu.how_to_implement = To successfully implement this search, you need to be populating the Enterprise Security Identity_Management data model in the assets and identity framework. -action.escu.known_false_positives = If the Identity_Management data model is not updated regularly, this search could give you false positive alerts. Please consider this and investigate appropriately. -action.escu.creation_date = 2017-09-12 -action.escu.modification_date = 2017-09-12 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Identify New User Accounts - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = [] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Identify New User Accounts - Rule -action.correlationsearch.annotations = {"analytic_story": [], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.002"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "475b9e27-17e4-46e2-b7e2-648221be3b89", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | from datamodel Identity_Management.All_Identities | eval empStatus=case((now()-startDate)<604800, "Accounts created in last week") | search empStatus="Accounts created in last week"| `security_content_ctime(endDate)` | `security_content_ctime(startDate)`| table identity empStatus endDate startDate | `identify_new_user_accounts_filter` - -[ESCU - Kubernetes AWS detect most active service accounts by pod - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search provides information on Kubernetes service accounts,accessing pods by IP address, verb and decision -action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search provides information on Kubernetes service accounts,accessing pods by IP address, verb and decision -action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs -action.escu.known_false_positives = Not all service accounts interactions are malicious. Analyst must consider IP, verb and decision context when trying to detect maliciousness. -action.escu.creation_date = 2020-06-23 -action.escu.modification_date = 2020-06-23 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Kubernetes AWS detect most active service accounts by pod - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Kubernetes"] -action.escu.analytic_story = ["Kubernetes Sensitive Role Activity"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Kubernetes AWS detect most active service accounts by pod - Rule -action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Sensitive Role Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "5b30b25d-7d32-42d8-95ca-64dfcd9076e6", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `aws_cloudwatchlogs_eks` user.groups{}=system:serviceaccounts objectRef.resource=pods | table sourceIPs{} user.username userAgent verb annotations.authorization.k8s.io/decision | top sourceIPs{} user.username verb annotations.authorization.k8s.io/decision |`kubernetes_aws_detect_most_active_service_accounts_by_pod_filter` - -[ESCU - Kubernetes AWS detect RBAC authorization by account - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search provides information on Kubernetes RBAC authorizations by accounts, this search can be modified by adding top to see both extremes of RBAC by accounts occurrences -action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search provides information on Kubernetes RBAC authorizations by accounts, this search can be modified by adding top to see both extremes of RBAC by accounts occurrences -action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs -action.escu.known_false_positives = Not all RBAC Authorications are malicious. RBAC authorizations can uncover malicious activity specially if sensitive Roles have been granted. -action.escu.creation_date = 2020-06-23 -action.escu.modification_date = 2020-06-23 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Kubernetes AWS detect RBAC authorization by account - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Kubernetes"] -action.escu.analytic_story = ["Kubernetes Sensitive Role Activity"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Kubernetes AWS detect RBAC authorization by account - Rule -action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Sensitive Role Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "de7264ed-3ed9-4fef-bb01-6eefc87cefe8", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `aws_cloudwatchlogs_eks` annotations.authorization.k8s.io/reason=* | table sourceIPs{} user.username userAgent annotations.authorization.k8s.io/reason | stats count by user.username annotations.authorization.k8s.io/reason | rare user.username annotations.authorization.k8s.io/reason |`kubernetes_aws_detect_rbac_authorization_by_account_filter` - -[ESCU - Kubernetes AWS detect sensitive role access - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search provides information on Kubernetes accounts accessing sensitve objects such as configmpas or secrets -action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search provides information on Kubernetes accounts accessing sensitve objects such as configmpas or secrets -action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs. -action.escu.known_false_positives = Sensitive role resource access is necessary for cluster operation, however source IP, namespace and user group may indicate possible malicious use. -action.escu.creation_date = 2020-06-23 -action.escu.modification_date = 2020-06-23 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Kubernetes AWS detect sensitive role access - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Kubernetes"] -action.escu.analytic_story = ["Kubernetes Sensitive Role Activity"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Kubernetes AWS detect sensitive role access - Rule -action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Sensitive Role Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "b6013a7b-85e0-4a45-b051-10b252d69569", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `aws_cloudwatchlogs_eks` objectRef.resource=clusterroles OR clusterrolebindings sourceIPs{}!=::1 sourceIPs{}!=127.0.0.1 | table sourceIPs{} user.username user.groups{} objectRef.namespace requestURI annotations.authorization.k8s.io/reason | dedup user.username user.groups{} |`kubernetes_aws_detect_sensitive_role_access_filter` - -[ESCU - Kubernetes AWS detect service accounts forbidden failure access - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search provides information on Kubernetes service accounts with failure or forbidden access status, this search can be extended by using top or rare operators to find trends or rarities in failure status, user agents, source IPs and request URI -action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search provides information on Kubernetes service accounts with failure or forbidden access status, this search can be extended by using top or rare operators to find trends or rarities in failure status, user agents, source IPs and request URI -action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs. -action.escu.known_false_positives = This search can give false positives as there might be inherent issues with authentications and permissions at cluster. -action.escu.creation_date = 2020-06-23 -action.escu.modification_date = 2020-06-23 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Kubernetes AWS detect service accounts forbidden failure access - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Kubernetes"] -action.escu.analytic_story = ["Kubernetes Sensitive Object Access Activity"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Kubernetes AWS detect service accounts forbidden failure access - Rule -action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Sensitive Object Access Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "a6959c57-fa8f-4277-bb86-7c32fba579d5", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `aws_cloudwatchlogs_eks` user.groups{}=system:serviceaccounts responseStatus.status = Failure | table sourceIPs{} user.username userAgent verb responseStatus.status requestURI | `kubernetes_aws_detect_service_accounts_forbidden_failure_access_filter` - -[ESCU - Kubernetes Azure active service accounts by pod namespace - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search provides information on Kubernetes service accounts,accessing pods and namespaces by IP address and verb -action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search provides information on Kubernetes service accounts,accessing pods and namespaces by IP address and verb -action.escu.how_to_implement = You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics -action.escu.known_false_positives = Not all service accounts interactions are malicious. Analyst must consider IP and verb context when trying to detect maliciousness. -action.escu.creation_date = 2020-05-26 -action.escu.modification_date = 2020-05-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Kubernetes Azure active service accounts by pod namespace - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Kubernetes"] -action.escu.analytic_story = ["Kubernetes Sensitive Role Activity"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Kubernetes Azure active service accounts by pod namespace - Rule -action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Sensitive Role Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "55a2264a-b7f0-45e5-addd-1e5ab3415c72", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `kubernetes_azure` category=kube-audit | spath input=properties.log | search user.groups{}=system:serviceaccounts* OR user.username=system.anonymous OR annotations.authorization.k8s.io/decision=allow | table sourceIPs{} user.username userAgent verb responseStatus.reason responseStatus.status properties.pod objectRef.namespace | top sourceIPs{} user.username verb responseStatus.status properties.pod objectRef.namespace |`kubernetes_azure_active_service_accounts_by_pod_namespace_filter` - -[ESCU - Kubernetes Azure detect RBAC authorization by account - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search provides information on Kubernetes RBAC authorizations by accounts, this search can be modified by adding rare or top to see both extremes of RBAC by accounts occurrences -action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search provides information on Kubernetes RBAC authorizations by accounts, this search can be modified by adding rare or top to see both extremes of RBAC by accounts occurrences -action.escu.how_to_implement = You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics -action.escu.known_false_positives = Not all RBAC Authorications are malicious. RBAC authorizations can uncover malicious activity specially if sensitive Roles have been granted. -action.escu.creation_date = 2020-05-26 -action.escu.modification_date = 2020-05-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Kubernetes Azure detect RBAC authorization by account - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Kubernetes"] -action.escu.analytic_story = ["Kubernetes Sensitive Role Activity"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Kubernetes Azure detect RBAC authorization by account - Rule -action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Sensitive Role Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "47af7d20-0607-4079-97d7-7a29af58b54e", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `kubernetes_azure` category=kube-audit | spath input=properties.log | search annotations.authorization.k8s.io/reason=* | table sourceIPs{} user.username userAgent annotations.authorization.k8s.io/reason |stats count by user.username annotations.authorization.k8s.io/reason | rare user.username annotations.authorization.k8s.io/reason |`kubernetes_azure_detect_rbac_authorization_by_account_filter` - -[ESCU - Kubernetes Azure detect sensitive object access - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search provides information on Kubernetes accounts accessing sensitve objects such as configmpas or secrets -action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search provides information on Kubernetes accounts accessing sensitve objects such as configmpas or secrets -action.escu.how_to_implement = You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics -action.escu.known_false_positives = Sensitive object access is not necessarily malicious but user and object context can provide guidance for detection. -action.escu.creation_date = 2020-05-20 -action.escu.modification_date = 2020-05-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Kubernetes Azure detect sensitive object access - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Kubernetes"] -action.escu.analytic_story = ["Kubernetes Sensitive Object Access Activity"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Kubernetes Azure detect sensitive object access - Rule -action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Sensitive Object Access Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "1bba382b-07fd-4ffa-b390-8002739b76e8", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `kubernetes_azure` category=kube-audit | spath input=properties.log| search objectRef.resource=secrets OR configmaps user.username=system.anonymous OR annotations.authorization.k8s.io/decision=allow |table user.username user.groups{} objectRef.resource objectRef.namespace objectRef.name annotations.authorization.k8s.io/reason |dedup user.username user.groups{} |`kubernetes_azure_detect_sensitive_object_access_filter` - -[ESCU - Kubernetes Azure detect sensitive role access - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search provides information on Kubernetes accounts accessing sensitve objects such as configmpas or secrets -action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search provides information on Kubernetes accounts accessing sensitve objects such as configmpas or secrets -action.escu.how_to_implement = You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics -action.escu.known_false_positives = Sensitive role resource access is necessary for cluster operation, however source IP, namespace and user group may indicate possible malicious use. -action.escu.creation_date = 2020-05-20 -action.escu.modification_date = 2020-05-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Kubernetes Azure detect sensitive role access - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Kubernetes"] -action.escu.analytic_story = ["Kubernetes Sensitive Role Activity"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Kubernetes Azure detect sensitive role access - Rule -action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Sensitive Role Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "f27349e5-1641-4f6a-9e68-30402be0ad4c", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `kubernetes_azure` category=kube-audit | spath input=properties.log| search objectRef.resource=clusterroles OR clusterrolebindings | table sourceIPs{} user.username user.groups{} objectRef.namespace requestURI annotations.authorization.k8s.io/reason | dedup user.username user.groups{} |`kubernetes_azure_detect_sensitive_role_access_filter` - -[ESCU - Kubernetes Azure detect service accounts forbidden failure access - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search provides information on Kubernetes service accounts with failure or forbidden access status -action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search provides information on Kubernetes service accounts with failure or forbidden access status -action.escu.how_to_implement = You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics -action.escu.known_false_positives = This search can give false positives as there might be inherent issues with authentications and permissions at cluster. -action.escu.creation_date = 2020-05-20 -action.escu.modification_date = 2020-05-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Kubernetes Azure detect service accounts forbidden failure access - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Kubernetes"] -action.escu.analytic_story = ["Kubernetes Sensitive Object Access Activity"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Kubernetes Azure detect service accounts forbidden failure access - Rule -action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Sensitive Object Access Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "019690d7-420f-4da0-b320-f27b09961514", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `kubernetes_azure` category=kube-audit | spath input=properties.log | search user.groups{}=system:serviceaccounts* responseStatus.reason=Forbidden | table sourceIPs{} user.username userAgent verb responseStatus.reason responseStatus.status properties.pod objectRef.namespace |`kubernetes_azure_detect_service_accounts_forbidden_failure_access_filter` - -[ESCU - Kubernetes Azure detect suspicious kubectl calls - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search provides information on rare Kubectl calls with IP, verb namespace and object access context -action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search provides information on rare Kubectl calls with IP, verb namespace and object access context -action.escu.how_to_implement = You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics -action.escu.known_false_positives = Kubectl calls are not malicious by nature. However source IP, verb and Object can reveal potential malicious activity, specially suspicious IPs and sensitive objects such as configmaps or secrets -action.escu.creation_date = 2020-05-26 -action.escu.modification_date = 2020-05-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Kubernetes Azure detect suspicious kubectl calls - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Kubernetes"] -action.escu.analytic_story = ["Kubernetes Sensitive Object Access Activity"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Kubernetes Azure detect suspicious kubectl calls - Rule -action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Sensitive Object Access Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "4b6d1ba8-0000-4cec-87e6-6cbbd71651b5", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `kubernetes_azure` category=kube-audit | spath input=properties.log | spath input=responseObject.metadata.annotations.kubectl.kubernetes.io/last-applied-configuration | search userAgent=kubectl* sourceIPs{}!=127.0.0.1 sourceIPs{}!=::1 | table sourceIPs{} verb userAgent user.groups{} objectRef.resource objectRef.namespace requestURI | rare sourceIPs{} verb userAgent user.groups{} objectRef.resource objectRef.namespace requestURI |`kubernetes_azure_detect_suspicious_kubectl_calls_filter` - -[ESCU - Kubernetes Azure pod scan fingerprint - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search provides information of unauthenticated requests via source IP user agent, request URI and response status data against Kubernetes cluster pod in Azure -action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search provides information of unauthenticated requests via source IP user agent, request URI and response status data against Kubernetes cluster pod in Azure -action.escu.how_to_implement = You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics -action.escu.known_false_positives = Not all unauthenticated requests are malicious, but source IPs, userAgent, verb, request URI and response status will provide context. -action.escu.creation_date = 2020-05-20 -action.escu.modification_date = 2020-05-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Kubernetes Azure pod scan fingerprint - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Kubernetes"] -action.escu.analytic_story = ["Kubernetes Scanning Activity"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Kubernetes Azure pod scan fingerprint - Rule -action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Scanning Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "86aad3e0-732f-4f66-bbbc-70df448e461d", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `kubernetes_azure` category=kube-audit | spath input=properties.log | search responseStatus.code=401 | table sourceIPs{} userAgent verb requestURI responseStatus.reason properties.pod |`kubernetes_azure_pod_scan_fingerprint_filter` - -[ESCU - Kubernetes Azure scan fingerprint - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search provides information of unauthenticated requests via source IP user agent, request URI and response status data against Kubernetes cluster in Azure -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search provides information of unauthenticated requests via source IP user agent, request URI and response status data against Kubernetes cluster in Azure -action.escu.how_to_implement = You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics -action.escu.known_false_positives = Not all unauthenticated requests are malicious, but source IPs, userAgent, verb, request URI and response status will provide context. -action.escu.creation_date = 2020-05-19 -action.escu.modification_date = 2020-05-19 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Kubernetes Azure scan fingerprint - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Kubernetes"] -action.escu.analytic_story = ["Kubernetes Scanning Activity"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Kubernetes Azure scan fingerprint - Rule -action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Scanning Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "c5e5bd5c-1013-4841-8b23-e7b3253c840a", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `kubernetes_azure` category=kube-audit | spath input=properties.log | search responseStatus.code=401 | table sourceIPs{} userAgent verb requestURI responseStatus.reason |`kubernetes_azure_scan_fingerprint_filter` - -[ESCU - Kubernetes GCP detect most active service accounts by pod - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search provides information on Kubernetes service accounts,accessing pods by IP address, verb and decision -action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search provides information on Kubernetes service accounts,accessing pods by IP address, verb and decision -action.escu.how_to_implement = You must install splunk GCP add on. This search works with pubsub messaging service logs -action.escu.known_false_positives = Not all service accounts interactions are malicious. Analyst must consider IP, verb and decision context when trying to detect maliciousness. -action.escu.creation_date = 2020-07-10 -action.escu.modification_date = 2020-07-10 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Kubernetes GCP detect most active service accounts by pod - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Google Cloud Platform", "Google Workspace", "Kubernetes"] -action.escu.analytic_story = ["Kubernetes Sensitive Role Activity"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Kubernetes GCP detect most active service accounts by pod - Rule -action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Sensitive Role Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "7f5c2779-88a0-4824-9caa-0f606c8f260f", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `google_gcp_pubsub_message` data.protoPayload.request.spec.group{}=system:serviceaccounts | table src_ip src_user http_user_agent data.protoPayload.request.spec.nonResourceAttributes.verb data.labels.authorization.k8s.io/decision data.protoPayload.response.spec.resourceAttributes.resource | top src_ip src_user http_user_agent data.labels.authorization.k8s.io/decision data.protoPayload.response.spec.resourceAttributes.resource |`kubernetes_gcp_detect_most_active_service_accounts_by_pod_filter` - -[ESCU - Kubernetes GCP detect RBAC authorizations by account - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search provides information on Kubernetes RBAC authorizations by accounts, this search can be modified by adding top to see both extremes of RBAC by accounts occurrences -action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search provides information on Kubernetes RBAC authorizations by accounts, this search can be modified by adding top to see both extremes of RBAC by accounts occurrences -action.escu.how_to_implement = You must install splunk AWS add on for GCP. This search works with pubsub messaging service logs -action.escu.known_false_positives = Not all RBAC Authorications are malicious. RBAC authorizations can uncover malicious activity specially if sensitive Roles have been granted. -action.escu.creation_date = 2020-07-11 -action.escu.modification_date = 2020-07-11 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Kubernetes GCP detect RBAC authorizations by account - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Google Cloud Platform", "Google Workspace", "Kubernetes"] -action.escu.analytic_story = ["Kubernetes Sensitive Role Activity"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Kubernetes GCP detect RBAC authorizations by account - Rule -action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Sensitive Role Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "99487de3-7192-4b41-939d-fbe9acfb1340", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `google_gcp_pubsub_message` data.labels.authorization.k8s.io/reason=ClusterRoleBinding OR Clusterrole | table src_ip src_user data.labels.authorization.k8s.io/decision data.labels.authorization.k8s.io/reason | rare src_user data.labels.authorization.k8s.io/reason |`kubernetes_gcp_detect_rbac_authorizations_by_account_filter` - -[ESCU - Kubernetes GCP detect sensitive object access - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search provides information on Kubernetes accounts accessing sensitve objects such as configmaps or secrets -action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search provides information on Kubernetes accounts accessing sensitve objects such as configmaps or secrets -action.escu.how_to_implement = You must install splunk add on for GCP . This search works with pubsub messaging service logs. -action.escu.known_false_positives = Sensitive object access is not necessarily malicious but user and object context can provide guidance for detection. -action.escu.creation_date = 2020-07-11 -action.escu.modification_date = 2020-07-11 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Kubernetes GCP detect sensitive object access - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Google Cloud Platform", "Google Workspace", "Kubernetes"] -action.escu.analytic_story = ["Kubernetes Sensitive Object Access Activity"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Kubernetes GCP detect sensitive object access - Rule -action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Sensitive Object Access Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "bdb6d596-86a0-4aba-8369-418ae8b9963a", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `google_gcp_pubsub_message` data.protoPayload.authorizationInfo{}.resource=configmaps OR secrets | table data.protoPayload.requestMetadata.callerIp src_user data.resource.labels.cluster_name data.protoPayload.request.metadata.namespace data.labels.authorization.k8s.io/decision | dedup data.protoPayload.requestMetadata.callerIp src_user data.resource.labels.cluster_name |`kubernetes_gcp_detect_sensitive_object_access_filter` - -[ESCU - Kubernetes GCP detect sensitive role access - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search provides information on Kubernetes accounts accessing sensitve objects such as configmpas or secrets -action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search provides information on Kubernetes accounts accessing sensitve objects such as configmpas or secrets -action.escu.how_to_implement = You must install splunk add on for GCP. This search works with pubsub messaging servicelogs. -action.escu.known_false_positives = Sensitive role resource access is necessary for cluster operation, however source IP, user agent, decision and reason may indicate possible malicious use. -action.escu.creation_date = 2020-07-11 -action.escu.modification_date = 2020-07-11 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Kubernetes GCP detect sensitive role access - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Google Cloud Platform", "Google Workspace", "Kubernetes"] -action.escu.analytic_story = ["Kubernetes Sensitive Role Activity"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Kubernetes GCP detect sensitive role access - Rule -action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Sensitive Role Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "a46923f6-36b9-4806-a681-31f314907c30", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `google_gcp_pubsub_message` data.labels.authorization.k8s.io/reason=ClusterRoleBinding OR Clusterrole dest=apis/rbac.authorization.k8s.io/v1 src_ip!=::1 | table src_ip src_user http_user_agent data.labels.authorization.k8s.io/decision data.labels.authorization.k8s.io/reason | dedup src_ip src_user |`kubernetes_gcp_detect_sensitive_role_access_filter` - -[ESCU - Kubernetes GCP detect service accounts forbidden failure access - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search provides information on Kubernetes service accounts with failure or forbidden access status, this search can be extended by using top or rare operators to find trends or rarities in failure status, user agents, source IPs and request URI -action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search provides information on Kubernetes service accounts with failure or forbidden access status, this search can be extended by using top or rare operators to find trends or rarities in failure status, user agents, source IPs and request URI -action.escu.how_to_implement = You must install splunk add on for GCP. This search works with pubsub messaging service logs. -action.escu.known_false_positives = This search can give false positives as there might be inherent issues with authentications and permissions at cluster. -action.escu.creation_date = 2020-06-23 -action.escu.modification_date = 2020-06-23 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Kubernetes GCP detect service accounts forbidden failure access - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Google Cloud Platform", "Google Workspace", "Kubernetes"] -action.escu.analytic_story = ["Kubernetes Sensitive Object Access Activity"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Kubernetes GCP detect service accounts forbidden failure access - Rule -action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Sensitive Object Access Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "7094808d-432a-48e7-bb3c-77e96c894f3b", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `google_gcp_pubsub_message` system:serviceaccounts data.protoPayload.response.status.allowed!=* | table src_ip src_user http_user_agent data.protoPayload.response.spec.resourceAttributes.namespace data.resource.labels.cluster_name data.protoPayload.response.spec.resourceAttributes.verb data.protoPayload.request.status.allowed data.protoPayload.response.status.reason data.labels.authorization.k8s.io/decision | dedup src_ip src_user | `kubernetes_gcp_detect_service_accounts_forbidden_failure_access_filter` - -[ESCU - Kubernetes GCP detect suspicious kubectl calls - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search provides information on anonymous Kubectl calls with IP, verb namespace and object access context -action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search provides information on anonymous Kubectl calls with IP, verb namespace and object access context -action.escu.how_to_implement = You must install splunk add on for GCP. This search works with pubsub messaging logs. -action.escu.known_false_positives = Kubectl calls are not malicious by nature. However source IP, source user, user agent, object path, and authorization context can reveal potential malicious activity, specially anonymous suspicious IPs and sensitive objects such as configmaps or secrets -action.escu.creation_date = 2020-07-11 -action.escu.modification_date = 2020-07-11 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Kubernetes GCP detect suspicious kubectl calls - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Google Cloud Platform", "Google Workspace", "Kubernetes"] -action.escu.analytic_story = ["Kubernetes Sensitive Object Access Activity"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Kubernetes GCP detect suspicious kubectl calls - Rule -action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Sensitive Object Access Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "a5bed417-070a-41f2-a1e4-82b6aa281557", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `google_gcp_pubsub_message` data.protoPayload.requestMetadata.callerSuppliedUserAgent=kubectl* src_user=system:unsecured OR src_user=system:anonymous | table src_ip src_user data.protoPayload.requestMetadata.callerSuppliedUserAgent data.protoPayload.authorizationInfo{}.granted object_path |dedup src_ip src_user |`kubernetes_gcp_detect_suspicious_kubectl_calls_filter` - -[ESCU - Monitor DNS For Brand Abuse - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for DNS requests for faux domains similar to the domains that you want to have monitored for abuse. -action.escu.mappings = {"cis20": ["CIS 13"], "nist": ["DE.CM"]} -action.escu.data_models = ["Network_Resolution"] -action.escu.eli5 = This search looks for DNS requests for faux domains similar to the domains that you want to have monitored for abuse. -action.escu.how_to_implement = You need to ingest data from your DNS logs. Specifically you must ingest the domain that is being queried and the IP of the host originating the request. Ideally, you should also be ingesting the answer to the query and the query type. This approach allows you to also create your own localized passive DNS capability which can aid you in future investigations. You also need to have run the search "ESCU - DNSTwist Domain Names", which creates the permutations of the domain that will be checked for. You also need the [`dnstwist`](https://gist.github.com/d1vious/c4c2aae7fa7d5cbb1f24adc5f6303ac1) custom command. -action.escu.known_false_positives = None at this time -action.escu.creation_date = 2017-09-23 -action.escu.modification_date = 2017-09-23 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Monitor DNS For Brand Abuse - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Brand Monitoring"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Monitor DNS For Brand Abuse - Rule -action.correlationsearch.annotations = {"analytic_story": ["Brand Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "24dd17b1-e2fb-4c31-878c-d4f746595bfa", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search looks for DNS requests for faux domains similar to the domains that you want to have monitored for abuse. -action.notable.param.rule_title = Monitor DNS For Brand Abuse -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` values(DNS.answer) as IPs min(_time) as firstTime from datamodel=Network_Resolution by DNS.src, DNS.query | `drop_dm_object_name("DNS")` | `security_content_ctime(firstTime)`| `brand_abuse_dns` | `monitor_dns_for_brand_abuse_filter` - -[ESCU - Multiple Okta Users With Invalid Credentials From The Same IP - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. **DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta Multiple Users Failing To Authenticate From Ip`. This analytic identifies multiple failed logon attempts from a single IP in a short period of time. Use this analytic to identify patterns of suspicious logins from a single source and filter as needed or use this to drive tuning for higher fidelity analytics. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1110.003", "T1078", "T1078.001"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = **DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta Multiple Users Failing To Authenticate From Ip`. This analytic identifies multiple failed logon attempts from a single IP in a short period of time. Use this analytic to identify patterns of suspicious logins from a single source and filter as needed or use this to drive tuning for higher fidelity analytics. -action.escu.how_to_implement = This search is specific to Okta and requires Okta logs are being ingested in your Splunk deployment. -action.escu.known_false_positives = A single public IP address servicing multiple legitmate users may trigger this search. In addition, the threshold of 5 distinct users may be too low for your needs. You may modify the included filter macro `multiple_okta_users_with_invalid_credentials_from_the_same_ip_filter` to raise the threshold or except specific IP adresses from triggering this search. -action.escu.creation_date = 2024-02-29 -action.escu.modification_date = 2024-02-29 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Multiple Okta Users With Invalid Credentials From The Same IP - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Okta"] -action.escu.analytic_story = ["Suspicious Okta Activity"] -action.risk = 1 -action.risk.param._risk_message = Multple user accounts have failed to authenticate from a single IP. -action.risk.param._risk = [{"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Multiple Okta Users With Invalid Credentials From The Same IP - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious Okta Activity"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1110.003", "T1078", "T1078.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "19cba45f-cad3-4032-8911-0c09e0444552", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = **DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta Multiple Users Failing To Authenticate From Ip`. This analytic identifies multiple failed logon attempts from a single IP in a short period of time. Use this analytic to identify patterns of suspicious logins from a single source and filter as needed or use this to drive tuning for higher fidelity analytics. -action.notable.param.rule_title = Multiple Okta Users With Invalid Credentials From The Same IP -action.notable.param.security_domain = access -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `okta` eventType=user.session.start outcome.result=FAILURE | rename client.geographicalContext.country as country, client.geographicalContext.state as state, client.geographicalContext.city as city | stats min(_time) as firstTime max(_time) as lastTime dc(src_user) as distinct_users values(src_user) as users by src_ip, displayMessage, outcome.reason, country, state, city | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search distinct_users > 5| `multiple_okta_users_with_invalid_credentials_from_the_same_ip_filter` - -[ESCU - O365 Suspicious Admin Email Forwarding - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. **DEPRECATION NOTE** - This search has been deprecated and replaced with `O365 Mailbox Email Forwarding Enabled`. This search detects when an admin configured a forwarding rule for multiple mailboxes to the same destination. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114.003", "T1114"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = **DEPRECATION NOTE** - This search has been deprecated and replaced with `O365 Mailbox Email Forwarding Enabled`. This search detects when an admin configured a forwarding rule for multiple mailboxes to the same destination. -action.escu.how_to_implement = You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity -action.escu.known_false_positives = unknown -action.escu.creation_date = 2020-12-16 -action.escu.modification_date = 2020-12-16 -action.escu.confidence = high -action.escu.full_search_name = ESCU - O365 Suspicious Admin Email Forwarding - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Office 365"] -action.escu.analytic_story = ["Data Exfiltration", "Office 365 Collection Techniques"] -action.risk = 1 -action.risk.param._risk_message = User $user$ has configured a forwarding rule for multiple mailboxes to the same destination $ForwardingAddress$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 48}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - O365 Suspicious Admin Email Forwarding - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Exfiltration", "Office 365 Collection Techniques"], "cis20": ["CIS 10"], "confidence": 60, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114.003", "T1114"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "7f398cfb-918d-41f4-8db8-2e2474e02c28", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `o365_management_activity` Operation=Set-Mailbox | spath input=Parameters | rename Identity AS src_user | search ForwardingAddress=* | stats dc(src_user) AS count_src_user earliest(_time) as firstTime latest(_time) as lastTime values(src_user) AS src_user values(user) AS user by ForwardingAddress | where count_src_user > 1 |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` |`o365_suspicious_admin_email_forwarding_filter` - -[ESCU - O365 Suspicious Rights Delegation - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. **DEPRECATION NOTE** - This search has been deprecated and replaced with `O365 Elevated Mailbox Permission Assigned`. This analytic identifies instances where potentially suspicious rights are delegated within the Office 365 environment. Specifically, it detects when a user is granted FullAccess, SendAs, or SendOnBehalf permissions on another users mailbox. Such permissions can allow a user to access, send emails from, or send emails on behalf of the target mailbox. The detection leverages O365 audit logs, focusing on the Add-MailboxPermission operation. By parsing the parameters of this operation, the analytic filters for events where FullAccess, SendAs, or SendOnBehalf rights are granted. It then aggregates this data to capture the source user (who was granted the permissions), the destination user (whose mailbox was affected), the specific operation, and the type of access rights granted. Delegating mailbox rights, especially those as powerful as FullAccess, can pose significant security risks. While there are legitimate scenarios for these permissions, such as an executive assistant needing access to an executives mailbox, there are also malicious scenarios where an attacker or a compromised insider might grant themselves unauthorized access to sensitive mailboxes. Monitoring for these permissions changes is crucial to detect potential insider threats, compromised accounts, or other malicious activities.If the detection is a true positive, it indicates that a user has been granted potentially high-risk permissions on another users mailbox. This could lead to unauthorized access to sensitive emails, impersonation through sending emails as or on behalf of the mailbox owner, or data manipulation by altering or deleting emails. Immediate investigation is required to validate the legitimacy of the permission change and to assess the potential risks associated with the granted access. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1114.002", "T1114", "T1098.002", "T1098"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = **DEPRECATION NOTE** - This search has been deprecated and replaced with `O365 Elevated Mailbox Permission Assigned`. This analytic identifies instances where potentially suspicious rights are delegated within the Office 365 environment. Specifically, it detects when a user is granted FullAccess, SendAs, or SendOnBehalf permissions on another users mailbox. Such permissions can allow a user to access, send emails from, or send emails on behalf of the target mailbox. The detection leverages O365 audit logs, focusing on the Add-MailboxPermission operation. By parsing the parameters of this operation, the analytic filters for events where FullAccess, SendAs, or SendOnBehalf rights are granted. It then aggregates this data to capture the source user (who was granted the permissions), the destination user (whose mailbox was affected), the specific operation, and the type of access rights granted. Delegating mailbox rights, especially those as powerful as FullAccess, can pose significant security risks. While there are legitimate scenarios for these permissions, such as an executive assistant needing access to an executives mailbox, there are also malicious scenarios where an attacker or a compromised insider might grant themselves unauthorized access to sensitive mailboxes. Monitoring for these permissions changes is crucial to detect potential insider threats, compromised accounts, or other malicious activities.If the detection is a true positive, it indicates that a user has been granted potentially high-risk permissions on another users mailbox. This could lead to unauthorized access to sensitive emails, impersonation through sending emails as or on behalf of the mailbox owner, or data manipulation by altering or deleting emails. Immediate investigation is required to validate the legitimacy of the permission change and to assess the potential risks associated with the granted access. -action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -action.escu.known_false_positives = While there are legitimate scenarios for these permissions, such as an executive assistant needing access to an executive's mailbox, there are also malicious scenarios. Investigate and filter as needed. -action.escu.creation_date = 2020-12-15 -action.escu.modification_date = 2020-12-15 -action.escu.confidence = high -action.escu.full_search_name = ESCU - O365 Suspicious Rights Delegation - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Office 365"] -action.escu.analytic_story = ["Office 365 Collection Techniques"] -action.risk = 1 -action.risk.param._risk_message = User $user$ has delegated suspicious rights $AccessRights$ to user $dest_user$ that allow access to sensitive -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 48}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - O365 Suspicious Rights Delegation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Office 365 Collection Techniques"], "cis20": ["CIS 10"], "confidence": 60, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1114.002", "T1114", "T1098.002", "T1098"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "b25d2973-303e-47c8-bacd-52b61604c6a7", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = **DEPRECATION NOTE** - This search has been deprecated and replaced with `O365 Elevated Mailbox Permission Assigned`. This analytic identifies instances where potentially suspicious rights are delegated within the Office 365 environment. Specifically, it detects when a user is granted FullAccess, SendAs, or SendOnBehalf permissions on another users mailbox. Such permissions can allow a user to access, send emails from, or send emails on behalf of the target mailbox. The detection leverages O365 audit logs, focusing on the Add-MailboxPermission operation. By parsing the parameters of this operation, the analytic filters for events where FullAccess, SendAs, or SendOnBehalf rights are granted. It then aggregates this data to capture the source user (who was granted the permissions), the destination user (whose mailbox was affected), the specific operation, and the type of access rights granted. Delegating mailbox rights, especially those as powerful as FullAccess, can pose significant security risks. While there are legitimate scenarios for these permissions, such as an executive assistant needing access to an executives mailbox, there are also malicious scenarios where an attacker or a compromised insider might grant themselves unauthorized access to sensitive mailboxes. Monitoring for these permissions changes is crucial to detect potential insider threats, compromised accounts, or other malicious activities.If the detection is a true positive, it indicates that a user has been granted potentially high-risk permissions on another users mailbox. This could lead to unauthorized access to sensitive emails, impersonation through sending emails as or on behalf of the mailbox owner, or data manipulation by altering or deleting emails. Immediate investigation is required to validate the legitimacy of the permission change and to assess the potential risks associated with the granted access. -action.notable.param.rule_title = O365 Suspicious Rights Delegation -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `o365_management_activity` Operation=Add-MailboxPermission | spath input=Parameters | rename User AS src_user, Identity AS dest_user | search AccessRights=FullAccess OR AccessRights=SendAs OR AccessRights=SendOnBehalf | stats count earliest(_time) as firstTime latest(_time) as lastTime by user src_user dest_user Operation AccessRights |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` |`o365_suspicious_rights_delegation_filter` - -[ESCU - O365 Suspicious User Email Forwarding - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. **DEPRECATION NOTE** - This search has been deprecated and replaced with `O365 Mailbox Email Forwarding Enabled`. The following analytic detects when multiple users have configured a forwarding rule to the same destination to proactively identify and investigate potential security risks related to email forwarding and take appropriate actions to protect the organizations data and prevent unauthorized access or data breaches. This detection is made by a Splunk query to O365 management activity logs with the operation `Set-Mailbox` to gather information about mailbox configurations. Then, the query uses the `spath` function to extract the parameters and rename the "Identity" field as "src_user" and searches for entries where the "ForwardingSmtpAddress" field is not empty, which indicates the presence of a forwarding rule. Next, the analytic uses the `stats` command to group the results by the forwarding email address and count the number of unique source users (`src_user`). Finally, it filters the results and only retains entries where the count of source users (`count_src_user`) is greater than 1, which indicates that multiple users have set up forwarding rules to the same destination. This detection is important because it suggests that multiple users are forwarding emails to the same destination without proper authorization, which can lead to the exposure of sensitive information, loss of data control, or unauthorized access to confidential emails. Investigating and addressing this issue promptly can help prevent data breaches and mitigate potential damage.indicates a potential security risk since multiple users forwarding emails to the same destination can be a sign of unauthorized access, data exfiltration, or a compromised account. Additionally, it also helps to determine if the forwarding rules are legitimate or if they indicate a security incident. False positives can occur if there are legitimate reasons for multiple users to forward emails to the same destination, such as a shared mailbox or a team collaboration scenario. Next steps include further investigation and context analysis to determine the legitimacy of the forwarding rules. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114.003", "T1114"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = **DEPRECATION NOTE** - This search has been deprecated and replaced with `O365 Mailbox Email Forwarding Enabled`. The following analytic detects when multiple users have configured a forwarding rule to the same destination to proactively identify and investigate potential security risks related to email forwarding and take appropriate actions to protect the organizations data and prevent unauthorized access or data breaches. This detection is made by a Splunk query to O365 management activity logs with the operation `Set-Mailbox` to gather information about mailbox configurations. Then, the query uses the `spath` function to extract the parameters and rename the "Identity" field as "src_user" and searches for entries where the "ForwardingSmtpAddress" field is not empty, which indicates the presence of a forwarding rule. Next, the analytic uses the `stats` command to group the results by the forwarding email address and count the number of unique source users (`src_user`). Finally, it filters the results and only retains entries where the count of source users (`count_src_user`) is greater than 1, which indicates that multiple users have set up forwarding rules to the same destination. This detection is important because it suggests that multiple users are forwarding emails to the same destination without proper authorization, which can lead to the exposure of sensitive information, loss of data control, or unauthorized access to confidential emails. Investigating and addressing this issue promptly can help prevent data breaches and mitigate potential damage.indicates a potential security risk since multiple users forwarding emails to the same destination can be a sign of unauthorized access, data exfiltration, or a compromised account. Additionally, it also helps to determine if the forwarding rules are legitimate or if they indicate a security incident. False positives can occur if there are legitimate reasons for multiple users to forward emails to the same destination, such as a shared mailbox or a team collaboration scenario. Next steps include further investigation and context analysis to determine the legitimacy of the forwarding rules. -action.escu.how_to_implement = You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity -action.escu.known_false_positives = unknown -action.escu.creation_date = 2020-12-16 -action.escu.modification_date = 2020-12-16 -action.escu.confidence = high -action.escu.full_search_name = ESCU - O365 Suspicious User Email Forwarding - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Office 365"] -action.escu.analytic_story = ["Data Exfiltration", "Office 365 Collection Techniques"] -action.risk = 1 -action.risk.param._risk_message = User $user$ configured multiple users $src_user$ with a count of $count_src_user$, a forwarding rule to same destination $ForwardingSmtpAddress$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 48}, {"risk_object_field": "ForwardingSmtpAddress", "risk_object_type": "other", "risk_score": 48}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - O365 Suspicious User Email Forwarding - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Exfiltration", "Office 365 Collection Techniques"], "cis20": ["CIS 10"], "confidence": 60, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114.003", "T1114"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "f8dfe015-dbb3-4569-ba75-b13787e06aa4", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `o365_management_activity` Operation=Set-Mailbox | spath input=Parameters | rename Identity AS src_user | search ForwardingSmtpAddress=* | stats dc(src_user) AS count_src_user earliest(_time) as firstTime latest(_time) as lastTime values(src_user) AS src_user values(user) AS user by ForwardingSmtpAddress | where count_src_user > 1 |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` |`o365_suspicious_user_email_forwarding_filter` - -[ESCU - Okta Account Locked Out - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. **DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta Multiple Accounts Locked Out`. The following analytic utilizes the user.acount.lock event to identify associates who are locked out of Okta. An adversary attempting to brute force or password spray account names may lock accounts out depending on the threshold. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = **DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta Multiple Accounts Locked Out`. The following analytic utilizes the user.acount.lock event to identify associates who are locked out of Okta. An adversary attempting to brute force or password spray account names may lock accounts out depending on the threshold. -action.escu.how_to_implement = This analytic is specific to Okta and requires Okta logs to be ingested. -action.escu.known_false_positives = False positives may be present. Tune Okta and tune the analytic to ensure proper fidelity. Modify risk score as needed. Drop to anomaly until tuning is complete. -action.escu.creation_date = 2022-09-21 -action.escu.modification_date = 2022-09-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Okta Account Locked Out - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Okta"] -action.escu.analytic_story = ["Okta MFA Exhaustion", "Suspicious Okta Activity"] -action.risk = 1 -action.risk.param._risk_message = $src_user$ account has been locked out. -action.risk.param._risk = [{"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Okta Account Locked Out - Rule -action.correlationsearch.annotations = {"analytic_story": ["Okta MFA Exhaustion", "Suspicious Okta Activity"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "d650c0ae-bdc5-400e-9f0f-f7aa0a010ef1", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `okta` eventType=user.account.lock | stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) values(src_user) as user by src_ip eventType status | where count >=3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `okta_account_locked_out_filter` - -[ESCU - Okta Account Lockout Events - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. **DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta Multiple Accounts Locked Out`. The following anomaly will generate based on account lockout events utilizing Okta eventTypes of user.account.lock.limit or user.account.lock. Per the Okta docs site, this event is fired when a user account has reached the lockout limit. The account will not auto-unlock and a user or client cannot gain access to the account. This event indicates an account that will not be able to log in until remedial action is taken by the account admin. This event can be used to understand the specifics of an account lockout. Often this indicates a client application that is repeatedly attempting to authenticate with invalid credentials such as an old password. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = **DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta Multiple Accounts Locked Out`. The following anomaly will generate based on account lockout events utilizing Okta eventTypes of user.account.lock.limit or user.account.lock. Per the Okta docs site, this event is fired when a user account has reached the lockout limit. The account will not auto-unlock and a user or client cannot gain access to the account. This event indicates an account that will not be able to log in until remedial action is taken by the account admin. This event can be used to understand the specifics of an account lockout. Often this indicates a client application that is repeatedly attempting to authenticate with invalid credentials such as an old password. -action.escu.how_to_implement = This analytic is specific to Okta and requires Okta logs to be ingested. -action.escu.known_false_positives = None. Account lockouts should be followed up on to determine if the actual user was the one who caused the lockout, or if it was an unauthorized actor. -action.escu.creation_date = 2022-09-19 -action.escu.modification_date = 2022-09-19 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Okta Account Lockout Events - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Okta"] -action.escu.analytic_story = ["Suspicious Okta Activity"] -action.risk = 1 -action.risk.param._risk_message = The following user $src_user$ has locked out their account within Okta. -action.risk.param._risk = [{"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Okta Account Lockout Events - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious Okta Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "62b70968-a0a5-4724-8ac4-67871e6f544d", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `okta` eventType IN (user.account.lock.limit,user.account.lock) | rename client.geographicalContext.country as country, client.geographicalContext.state as state, client.geographicalContext.city as city | stats count min(_time) as firstTime max(_time) as lastTime values(src_user) by displayMessage, country, state, city, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_account_lockout_events_filter` - -[ESCU - Okta Failed SSO Attempts - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. **DEPRECATION NOTE** - This search has been deprecated and replaced with this detection `Okta Unauthorized Access to Application - DM`. The following anomaly identifies failed Okta SSO events utilizing the legacy Okta event "unauth app access attempt". -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = **DEPRECATION NOTE** - This search has been deprecated and replaced with this detection `Okta Unauthorized Access to Application - DM`. The following anomaly identifies failed Okta SSO events utilizing the legacy Okta event "unauth app access attempt". -action.escu.how_to_implement = This search is specific to Okta and requires Okta logs are being ingested in your Splunk deployment. -action.escu.known_false_positives = There may be a faulty config preventing legitmate users from accessing apps they should have access to. -action.escu.creation_date = 2022-09-21 -action.escu.modification_date = 2022-09-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Okta Failed SSO Attempts - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Okta"] -action.escu.analytic_story = ["Suspicious Okta Activity"] -action.risk = 1 -action.risk.param._risk_message = $src_user$ failed SSO authentication to the app. -action.risk.param._risk = [{"risk_object_field": "src_user", "risk_object_type": "user", "risk_score": 16}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Okta Failed SSO Attempts - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious Okta Activity"], "cis20": ["CIS 10"], "confidence": 40, "impact": 40, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "371a6545-2618-4032-ad84-93386b8698c5", "detection_version": "3"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `okta` eventType=app.generic.unauth_app_access_attempt | stats min(_time) as firstTime max(_time) as lastTime values(app) as Apps count by src_user, result ,displayMessage, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_failed_sso_attempts_filter` - -[ESCU - Okta ThreatInsight Login Failure with High Unknown users - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. **DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta ThreatInsight Threat Detected`. The following analytic utilizes Oktas ThreatInsight to identify Login failures with high unknown users count and any included secondary outcome reasons. This event will trigger when a brute force attempt occurs with unknown usernames attempted. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078", "T1078.001", "T1110.004"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = **DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta ThreatInsight Threat Detected`. The following analytic utilizes Oktas ThreatInsight to identify Login failures with high unknown users count and any included secondary outcome reasons. This event will trigger when a brute force attempt occurs with unknown usernames attempted. -action.escu.how_to_implement = This search is specific to Okta and requires Okta logs to be ingested in your Splunk deployment. -action.escu.known_false_positives = Fidelity of this is high as it is Okta ThreatInsight. Filter and modify as needed. -action.escu.creation_date = 2023-03-09 -action.escu.modification_date = 2023-03-09 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Okta ThreatInsight Login Failure with High Unknown users - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Okta"] -action.escu.analytic_story = ["Suspicious Okta Activity"] -action.risk = 1 -action.risk.param._risk_message = Okta ThreatInsight has detected or prevented a high number of login failures. -action.risk.param._risk = [{"risk_object_field": "outcome.reason", "risk_object_type": "other", "risk_score": 50}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Okta ThreatInsight Login Failure with High Unknown users - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious Okta Activity"], "cis20": ["CIS 10"], "confidence": 100, "impact": 50, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078", "T1078.001", "T1110.004"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "632663b0-4562-4aad-abe9-9f621a049738", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = **DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta ThreatInsight Threat Detected`. The following analytic utilizes Oktas ThreatInsight to identify Login failures with high unknown users count and any included secondary outcome reasons. This event will trigger when a brute force attempt occurs with unknown usernames attempted. -action.notable.param.rule_title = Okta ThreatInsight Login Failure with High Unknown users -action.notable.param.security_domain = access -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `okta` eventType="security.threat.detected" AND outcome.reason="Login failures with high unknown users count*" | stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) by user eventType client.userAgent.rawUserAgent client.userAgent.browser outcome.reason | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_threatinsight_login_failure_with_high_unknown_users_filter` - -[ESCU - Okta ThreatInsight Suspected PasswordSpray Attack - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. **DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta ThreatInsight Threat Detected`. The following analytic utilizes Oktas ThreatInsight to identify "PasswordSpray" and any included secondary outcome reasons. This event will trigger when a brute force attempt occurs with unknown usernames attempted. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078", "T1078.001", "T1110.003"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = **DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta ThreatInsight Threat Detected`. The following analytic utilizes Oktas ThreatInsight to identify "PasswordSpray" and any included secondary outcome reasons. This event will trigger when a brute force attempt occurs with unknown usernames attempted. -action.escu.how_to_implement = This search is specific to Okta and requires Okta logs to be ingested in your Splunk deployment. -action.escu.known_false_positives = Fidelity of this is high as it is Okta ThreatInsight. Filter and modify as needed. -action.escu.creation_date = 2023-03-09 -action.escu.modification_date = 2023-03-09 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Okta ThreatInsight Suspected PasswordSpray Attack - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Okta"] -action.escu.analytic_story = ["Suspicious Okta Activity"] -action.risk = 1 -action.risk.param._risk_message = Okta ThreatInsight has detected or prevented a PasswordSpray attack. -action.risk.param._risk = [{"risk_object_field": "outcome.reason", "risk_object_type": "other", "risk_score": 60}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Okta ThreatInsight Suspected PasswordSpray Attack - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious Okta Activity"], "cis20": ["CIS 10"], "confidence": 100, "impact": 60, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078", "T1078.001", "T1110.003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "25dbad05-6682-4dd5-9ce9-8adecf0d9ae2", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = **DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta ThreatInsight Threat Detected`. The following analytic utilizes Oktas ThreatInsight to identify "PasswordSpray" and any included secondary outcome reasons. This event will trigger when a brute force attempt occurs with unknown usernames attempted. -action.notable.param.rule_title = Okta ThreatInsight Suspected PasswordSpray Attack -action.notable.param.security_domain = access -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `okta` eventType="security.threat.detected" AND outcome.reason="Password Spray" | stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) by eventType client.userAgent.rawUserAgent client.userAgent.browser outcome.reason | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_threatinsight_suspected_passwordspray_attack_filter` - -[ESCU - Okta Two or More Rejected Okta Pushes - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. **DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta Multiple Failed MFA Requests For User`. The following analytic identifies an account that has rejected more than 2 Push notifications in a 10 minute window. Modify this query for your environment by upping the count or time window. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = **DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta Multiple Failed MFA Requests For User`. The following analytic identifies an account that has rejected more than 2 Push notifications in a 10 minute window. Modify this query for your environment by upping the count or time window. -action.escu.how_to_implement = This analytic is specific to Okta and requires Okta logs to be ingested. -action.escu.known_false_positives = False positives may be present. Tune Okta and tune the analytic to ensure proper fidelity. Modify risk score as needed. Drop to anomaly until tuning is complete. -action.escu.creation_date = 2022-09-27 -action.escu.modification_date = 2022-09-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Okta Two or More Rejected Okta Pushes - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Okta"] -action.escu.analytic_story = ["Okta MFA Exhaustion", "Suspicious Okta Activity"] -action.risk = 1 -action.risk.param._risk_message = $user$ account has rejected multiple Okta pushes. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Okta Two or More Rejected Okta Pushes - Rule -action.correlationsearch.annotations = {"analytic_story": ["Okta MFA Exhaustion", "Suspicious Okta Activity"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "d93f785e-4c2c-4262-b8c7-12b77a13fd39", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = **DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta Multiple Failed MFA Requests For User`. The following analytic identifies an account that has rejected more than 2 Push notifications in a 10 minute window. Modify this query for your environment by upping the count or time window. -action.notable.param.rule_title = Okta Two or More Rejected Okta Pushes -action.notable.param.security_domain = access -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `okta` outcome.reason="User rejected Okta push verify" OR (debugContext.debugData.factor="OKTA_VERIFY_PUSH" outcome.result=FAILURE legacyEventType="core.user.factor.attempt_fail" "target{}.detailEntry.methodTypeUsed"="Get a push notification") | bin _time as bin_time span=10m | eval user=coalesce(actor.alternateId,user), user=mvindex(split(user, "@"), 0), event_time = _time | stats earliest(event_time) as event_time, min(_time) as firsttime max(_time) as lasttime values(client.ipAddress) as client.ipAddress, values(outcome.reason) as outcome, values(src_ip) AS src_ip, values(client.userAgent.rawUserAgent) as user_agent, values(eventType) as eventType, values(outcome.result) as action, values(legacyEventType) as legacyEventType values(index) as idx, values(sourcetype) as st count by bin_time user host | rename bin_time as timeWindow | convert ctime(*timeWindow) ctime(firsttime) ctime(lasttime) | where count >= 2 | `okta_two_or_more_rejected_okta_pushes_filter` - -[ESCU - Open Redirect in Splunk Web - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search allows you to look for evidence of exploitation for CVE-2016-4859, the Splunk Open Redirect Vulnerability. -action.escu.mappings = {"cis20": ["CIS 13"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This search allows you to look for evidence of exploitation for CVE-2016-4859, the Splunk Open Redirect Vulnerability. -action.escu.how_to_implement = No extra steps needed to implement this search. -action.escu.known_false_positives = None identified -action.escu.creation_date = 2017-09-19 -action.escu.modification_date = 2017-09-19 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Open Redirect in Splunk Web - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Splunk Vulnerabilities"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Open Redirect in Splunk Web - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 13"], "confidence": 50, "cve": ["CVE-2016-4859"], "impact": 50, "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "d199fb99-2312-451a-9daa-e5efa6ed76a7", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search allows you to look for evidence of exploitation for CVE-2016-4859, the Splunk Open Redirect Vulnerability. -action.notable.param.rule_title = Open Redirect in Splunk Web -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = index=_internal sourcetype=splunk_web_access return_to="/%09/*" | `open_redirect_in_splunk_web_filter` - -[ESCU - Osquery pack - ColdRoot detection - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for ColdRoot events from the osx-attacks osquery pack. -action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This search looks for ColdRoot events from the osx-attacks osquery pack. -action.escu.how_to_implement = In order to properly run this search, Splunk needs to ingest data from your osquery deployed agents with the [osx-attacks.conf](https://github.com/facebook/osquery/blob/experimental/packs/osx-attacks.conf#L599) pack enabled. Also the [TA-OSquery](https://github.com/d1vious/TA-osquery) must be deployed across your indexers and universal forwarders in order to have the osquery data populate the Alerts data model -action.escu.known_false_positives = There are no known false positives. -action.escu.creation_date = 2019-01-29 -action.escu.modification_date = 2019-01-29 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Osquery pack - ColdRoot detection - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["ColdRoot MacOS RAT"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Osquery pack - ColdRoot detection - Rule -action.correlationsearch.annotations = {"analytic_story": ["ColdRoot MacOS RAT"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "a6fffe5e-05c3-4c04-badc-887607fbb8dc", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search looks for ColdRoot events from the osx-attacks osquery pack. -action.notable.param.rule_title = Osquery pack - ColdRoot detection -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | from datamodel Alerts.Alerts | search app=osquery:results (name=pack_osx-attacks_OSX_ColdRoot_RAT_Launchd OR name=pack_osx-attacks_OSX_ColdRoot_RAT_Files) | rename columns.path as path | bucket _time span=30s | stats count(path) by _time, host, user, path | `osquery_pack___coldroot_detection_filter` - -[ESCU - Processes created by netsh - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for processes launching netsh.exe to execute various commands via the netsh command-line utility. Netsh.exe is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper .dll when netsh.exe is executed. In this search, we are looking for processes spawned by netsh.exe that are executing commands via the command line. Deprecated because we have another detection of the same type. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.004"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search looks for processes launching netsh.exe to execute various commands via the netsh command-line utility. Netsh.exe is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper .dll when netsh.exe is executed. In this search, we are looking for processes spawned by netsh.exe that are executing commands via the command line. Deprecated because we have another detection of the same type. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = It is unusual for netsh.exe to have any child processes in most environments. It makes sense to investigate the child process and verify whether the process spawned is legitimate. We explicitely exclude "C:\Program Files\rempl\sedlauncher.exe" process path since it is a legitimate process by Mircosoft. -action.escu.creation_date = 2020-11-23 -action.escu.modification_date = 2020-11-23 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Processes created by netsh - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Netsh Abuse"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Processes created by netsh - Rule -action.correlationsearch.annotations = {"analytic_story": ["Netsh Abuse"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.004"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "b89919ed-fe5f-492c-b139-95dbb162041e", "detection_version": "5"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search looks for processes launching netsh.exe to execute various commands via the netsh command-line utility. Netsh.exe is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper .dll when netsh.exe is executed. In this search, we are looking for processes spawned by netsh.exe that are executing commands via the command line. Deprecated because we have another detection of the same type. -action.notable.param.rule_title = Processes created by netsh -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=netsh.exe by Processes.user Processes.dest Processes.parent_process Processes.parent_process_name Processes.process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `processes_created_by_netsh_filter` - -[ESCU - Prohibited Software On Endpoint - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for applications on the endpoint that you have marked as prohibited. -action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search looks for applications on the endpoint that you have marked as prohibited. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = None identified -action.escu.creation_date = 2019-10-11 -action.escu.modification_date = 2019-10-11 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Prohibited Software On Endpoint - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Emotet Malware DHS Report TA18-201A", "Monitor for Unauthorized Software", "SamSam Ransomware"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Prohibited Software On Endpoint - Rule -action.correlationsearch.annotations = {"analytic_story": ["Emotet Malware DHS Report TA18-201A", "Monitor for Unauthorized Software", "SamSam Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "a51bfe1a-94f0-48cc-b4e4-b6ae50145893", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.dest Processes.user Processes.process_name | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `prohibited_processes` | `prohibited_software_on_endpoint_filter` - -[ESCU - Reg exe used to hide files directories via registry keys - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. The search looks for command-line arguments used to hide a file or directory using the reg add command. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1564.001"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The search looks for command-line arguments used to hide a file or directory using the reg add command. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = None at the moment -action.escu.creation_date = 2019-02-27 -action.escu.modification_date = 2019-02-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Reg exe used to hide files directories via registry keys - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Suspicious Windows Registry Activities", "Windows Defense Evasion Tactics", "Windows Persistence Techniques"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Reg exe used to hide files directories via registry keys - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious Windows Registry Activities", "Windows Defense Evasion Tactics", "Windows Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1564.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "61a7d1e6-f5d4-41d9-a9be-39a1ffe69459", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The search looks for command-line arguments used to hide a file or directory using the reg add command. -action.notable.param.rule_title = Reg exe used to hide files directories via registry keys -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = reg.exe Processes.process="*add*" Processes.process="*Hidden*" Processes.process="*REG_DWORD*" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)`| regex process = "(/d\s+2)" | `reg_exe_used_to_hide_files_directories_via_registry_keys_filter` - -[ESCU - Remote Registry Key modifications - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search monitors for remote modifications to registry keys. -action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search monitors for remote modifications to registry keys. -action.escu.how_to_implement = To successfully implement this search, you must populate the `Endpoint` data model. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry. Deprecated because I don't think the logic is right. -action.escu.known_false_positives = This technique may be legitimately used by administrators to modify remote registries, so it's important to filter these events out. -action.escu.creation_date = 2020-03-02 -action.escu.modification_date = 2020-03-02 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Remote Registry Key modifications - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Suspicious Windows Registry Activities", "Windows Defense Evasion Tactics", "Windows Persistence Techniques"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Remote Registry Key modifications - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious Windows Registry Activities", "Windows Defense Evasion Tactics", "Windows Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "c9f4b923-f8af-4155-b697-1354f5dcbc5e", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search monitors for remote modifications to registry keys. -action.notable.param.rule_title = Remote Registry Key modifications -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="\\\\*" by Registry.dest , Registry.user | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `remote_registry_key_modifications_filter` - -[ESCU - Scheduled tasks used in BadRabbit ransomware - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for flags passed to schtasks.exe on the command-line that indicate that task names related to the execution of Bad Rabbit ransomware were created or deleted. Deprecated because we already have a similar detection -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.005"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search looks for flags passed to schtasks.exe on the command-line that indicate that task names related to the execution of Bad Rabbit ransomware were created or deleted. Deprecated because we already have a similar detection -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = No known false positives -action.escu.creation_date = 2020-07-21 -action.escu.modification_date = 2020-07-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Scheduled tasks used in BadRabbit ransomware - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Ransomware"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Scheduled tasks used in BadRabbit ransomware - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.005"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "1297fb80-f42a-4b4a-9c8b-78c066437cf6", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search looks for flags passed to schtasks.exe on the command-line that indicate that task names related to the execution of Bad Rabbit ransomware were created or deleted. Deprecated because we already have a similar detection -action.notable.param.rule_title = Scheduled tasks used in BadRabbit ransomware -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as process from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe (Processes.process= "*create*" OR Processes.process= "*delete*") by Processes.parent_process Processes.process_name Processes.user | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | search (process=*rhaegal* OR process=*drogon* OR *viserion_*) | `scheduled_tasks_used_in_badrabbit_ransomware_filter` - -[ESCU - Spectre and Meltdown Vulnerable Systems - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. The search is used to detect systems that are still vulnerable to the Spectre and Meltdown vulnerabilities. -action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.CM"]} -action.escu.data_models = ["Vulnerabilities"] -action.escu.eli5 = The search is used to detect systems that are still vulnerable to the Spectre and Meltdown vulnerabilities. -action.escu.how_to_implement = The search requires that you are ingesting your vulnerability-scanner data and that it reports the CVE of the vulnerability identified. -action.escu.known_false_positives = It is possible that your vulnerability scanner is not detecting that the patches have been applied. -action.escu.creation_date = 2017-01-07 -action.escu.modification_date = 2017-01-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Spectre and Meltdown Vulnerable Systems - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Spectre And Meltdown Vulnerabilities"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Spectre and Meltdown Vulnerable Systems - Rule -action.correlationsearch.annotations = {"analytic_story": ["Spectre And Meltdown Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2017-5753"], "impact": 50, "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "354be8e0-32cd-4da0-8c47-796de13b60ea", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The search is used to detect systems that are still vulnerable to the Spectre and Meltdown vulnerabilities. -action.notable.param.rule_title = Spectre and Meltdown Vulnerable Systems -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Vulnerabilities where Vulnerabilities.cve ="CVE-2017-5753" OR Vulnerabilities.cve ="CVE-2017-5715" OR Vulnerabilities.cve ="CVE-2017-5754" by Vulnerabilities.dest | `drop_dm_object_name(Vulnerabilities)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spectre_and_meltdown_vulnerable_systems_filter` - -[ESCU - Splunk Enterprise Information Disclosure - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search allows you to look for evidence of exploitation for CVE-2018-11409, a Splunk Enterprise Information Disclosure Bug. -action.escu.mappings = {"cis20": ["CIS 13"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This search allows you to look for evidence of exploitation for CVE-2018-11409, a Splunk Enterprise Information Disclosure Bug. -action.escu.how_to_implement = The REST endpoint that exposes system information is also necessary for the proper operation of Splunk clustering and instrumentation. Whitelisting your Splunk systems will reduce false positives. -action.escu.known_false_positives = Retrieving server information may be a legitimate API request. Verify that the attempt is a valid request for information. -action.escu.creation_date = 2018-06-14 -action.escu.modification_date = 2018-06-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Splunk Enterprise Information Disclosure - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Splunk Vulnerabilities"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Splunk Enterprise Information Disclosure - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 13"], "confidence": 50, "cve": ["CVE-2018-11409"], "impact": 50, "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "f6a26b7b-7e80-4963-a9a8-d836e7534ebd", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search allows you to look for evidence of exploitation for CVE-2018-11409, a Splunk Enterprise Information Disclosure Bug. -action.notable.param.rule_title = Splunk Enterprise Information Disclosure -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = index=_internal sourcetype=splunkd_ui_access server-info | search clientip!=127.0.0.1 uri_path="*raw/services/server/info/server-info" | rename clientip as src_ip, splunk_server as dest | stats earliest(_time) as firstTime, latest(_time) as lastTime, values(uri) as uri, values(useragent) as http_user_agent, values(user) as user by src_ip, dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_enterprise_information_disclosure_filter` - -[ESCU - Suspicious Changes to File Associations - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for changes to registry values that control Windows file associations, executed by a process that is not typical for legitimate, routine changes to this area. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1546.001"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search looks for changes to registry values that control Windows file associations, executed by a process that is not typical for legitimate, routine changes to this area. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = There may be other processes in your environment that users may legitimately use to modify file associations. If this is the case and you are finding false positives, you can modify the search to add those processes as exceptions. -action.escu.creation_date = 2020-07-22 -action.escu.modification_date = 2020-07-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Suspicious Changes to File Associations - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Suspicious Windows Registry Activities", "Windows File Extension and Association Abuse"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Suspicious Changes to File Associations - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious Windows Registry Activities", "Windows File Extension and Association Abuse"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1546.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "1b989a0e-0129-4446-a695-f193a5b746fc", "detection_version": "4"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search looks for changes to registry values that control Windows file associations, executed by a process that is not typical for legitimate, routine changes to this area. -action.notable.param.rule_title = Suspicious Changes to File Associations -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process_name) as process_name values(Processes.parent_process_name) as parent_process_name FROM datamodel=Endpoint.Processes where Processes.process_name!=Explorer.exe AND Processes.process_name!=OpenWith.exe by Processes.process_id Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join [| tstats `security_content_summariesonly` values(Registry.registry_path) as registry_path count from datamodel=Endpoint.Registry where Registry.registry_path=*\\Explorer\\FileExts* by Registry.process_id Registry.dest | `drop_dm_object_name("Registry")` | table process_id dest registry_path]| `suspicious_changes_to_file_associations_filter` - -[ESCU - Suspicious Email - UBA Anomaly - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This detection looks for emails that are suspicious because of their sender, domain rareness, or behavior differences. This is an anomaly generated by Splunk User Behavior Analytics (UBA). -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566"], "nist": ["DE.AE"]} -action.escu.data_models = ["Email", "UEBA"] -action.escu.eli5 = This detection looks for emails that are suspicious because of their sender, domain rareness, or behavior differences. This is an anomaly generated by Splunk User Behavior Analytics (UBA). -action.escu.how_to_implement = You must be ingesting data from email logs and have Splunk integrated with UBA. This anomaly is raised by a UBA detection model called "SuspiciousEmailDetectionModel." Ensure that this model is enabled on your UBA instance. -action.escu.known_false_positives = This detection model will alert on any sender domain that is seen for the first time. This could be a potential false positive. The next step is to investigate and add the URL to an allow list if you determine that it is a legitimate sender. -action.escu.creation_date = 2020-07-22 -action.escu.modification_date = 2020-07-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Suspicious Email - UBA Anomaly - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Suspicious Emails"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Suspicious Email - UBA Anomaly - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious Emails"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "56e877a6-1455-4479-ad16-0550dc1e33f8", "detection_version": "3"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = |tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_UEBA_Events.category) as category from datamodel=UEBA where nodename=All_UEBA_Events.UEBA_Anomalies All_UEBA_Events.UEBA_Anomalies.uba_model = "SuspiciousEmailDetectionModel" by All_UEBA_Events.description All_UEBA_Events.severity All_UEBA_Events.user All_UEBA_Events.uba_event_type All_UEBA_Events.link All_UEBA_Events.signature All_UEBA_Events.url All_UEBA_Events.UEBA_Anomalies.uba_model | `drop_dm_object_name(All_UEBA_Events)` | `drop_dm_object_name(UEBA_Anomalies)`| `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_email___uba_anomaly_filter` - -[ESCU - Suspicious File Write - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. The search looks for files created with names that have been linked to malicious activity. -action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The search looks for files created with names that have been linked to malicious activity. -action.escu.how_to_implement = You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or via other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file system reads and writes. In addition, this search leverages an included lookup file that contains the names of the files to watch for, as well as a note to communicate why that file name is being monitored. This lookup file can be edited to add or remove file the file names you want to monitor. -action.escu.known_false_positives = It's possible for a legitimate file to be created with the same name as one noted in the lookup file. Filenames listed in the lookup file should be unique enough that collisions are rare. Looking at the location of the file and the process responsible for the activity can help determine whether or not the activity is legitimate. -action.escu.creation_date = 2019-04-25 -action.escu.modification_date = 2019-04-25 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Suspicious File Write - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Hidden Cobra Malware"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Suspicious File Write - Rule -action.correlationsearch.annotations = {"analytic_story": ["Hidden Cobra Malware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "57f76b8a-32f0-42ed-b358-d9fa3ca7bac8", "detection_version": "3"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count values(Filesystem.action) as action values(Filesystem.file_path) as file_path min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem by Filesystem.file_name Filesystem.dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Filesystem)` | `suspicious_writes` | `suspicious_file_write_filter` - -[ESCU - Suspicious Powershell Command-Line Arguments - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for PowerShell processes started with a base64 encoded command-line passed to it, with parameters to modify the execution policy for the process, and those that prevent the display of an interactive prompt to the user. This combination of command-line options is suspicious because it overrides the default PowerShell execution policy, attempts to hide itself from the user, and passes an encoded script to be run on the command-line. Deprecated because almost the same as Malicious PowerShell Process - Encoded Command -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.001"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search looks for PowerShell processes started with a base64 encoded command-line passed to it, with parameters to modify the execution policy for the process, and those that prevent the display of an interactive prompt to the user. This combination of command-line options is suspicious because it overrides the default PowerShell execution policy, attempts to hide itself from the user, and passes an encoded script to be run on the command-line. Deprecated because almost the same as Malicious PowerShell Process - Encoded Command -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Legitimate process can have this combination of command-line options, but it's not common. -action.escu.creation_date = 2021-01-19 -action.escu.modification_date = 2021-01-19 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Suspicious Powershell Command-Line Arguments - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["CISA AA22-320A", "Hermetic Wiper", "Malicious PowerShell"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Suspicious Powershell Command-Line Arguments - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA22-320A", "Hermetic Wiper", "Malicious PowerShell"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "2cdb91d2-542c-497f-b252-be495e71f38c", "detection_version": "6"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search looks for PowerShell processes started with a base64 encoded command-line passed to it, with parameters to modify the execution policy for the process, and those that prevent the display of an interactive prompt to the user. This combination of command-line options is suspicious because it overrides the default PowerShell execution policy, attempts to hide itself from the user, and passes an encoded script to be run on the command-line. Deprecated because almost the same as Malicious PowerShell Process - Encoded Command -action.notable.param.rule_title = Suspicious Powershell Command-Line Arguments -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=powershell.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| search (process=*-EncodedCommand* OR process=*-enc*) process=*-Exec* | `suspicious_powershell_command_line_arguments_filter` - -[ESCU - Suspicious Rundll32 Rename - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. The following hunting analytic identifies renamed instances of rundll32.exe executing. rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. During investigation, validate it is the legitimate rundll32.exe executing and what script content it is loading. This query relies on the original filename or internal name from the PE meta data. Expand the query as needed by looking for specific command line arguments outlined in other analytics. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1036", "T1218.011", "T1036.003"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following hunting analytic identifies renamed instances of rundll32.exe executing. rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. During investigation, validate it is the legitimate rundll32.exe executing and what script content it is loading. This query relies on the original filename or internal name from the PE meta data. Expand the query as needed by looking for specific command line arguments outlined in other analytics. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Although unlikely, some legitimate applications may use a moved copy of rundll32, triggering a false positive. -action.escu.creation_date = 2022-04-07 -action.escu.modification_date = 2022-04-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Suspicious Rundll32 Rename - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Masquerading - Rename System Utilities", "Suspicious Rundll32 Activity"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Suspicious Rundll32 Rename - Rule -action.correlationsearch.annotations = {"analytic_story": ["Masquerading - Rename System Utilities", "Suspicious Rundll32 Activity"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1036", "T1218.011", "T1036.003"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "7360137f-abad-473e-8189-acbdaa34d114", "detection_version": "5"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.original_file_name=RUNDLL32.exe AND Processes.process_name!=rundll32.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_rundll32_rename_filter` - -[ESCU - Suspicious writes to System Volume Information - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search detects writes to the 'System Volume Information' folder by something other than the System process. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search detects writes to the 'System Volume Information' folder by something other than the System process. -action.escu.how_to_implement = You need to be ingesting logs with both the process name and command-line from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -action.escu.known_false_positives = It is possible that other utilities or system processes may legitimately write to this folder. Investigate and modify the search to include exceptions as appropriate. -action.escu.creation_date = 2020-07-22 -action.escu.modification_date = 2020-07-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Suspicious writes to System Volume Information - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["Collection and Staging"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Suspicious writes to System Volume Information - Rule -action.correlationsearch.annotations = {"analytic_story": ["Collection and Staging"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "cd6297cd-2bdd-4aa1-84aa-5d2f84228fac", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = (`sysmon` OR tag=process) EventCode=11 process_id!=4 file_path=*System\ Volume Information* | stats count min(_time) as firstTime max(_time) as lastTime by dest, Image, file_path | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_writes_to_system_volume_information_filter` - -[ESCU - Uncommon Processes On Endpoint - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for applications on the endpoint that you have marked as uncommon. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.002"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search looks for applications on the endpoint that you have marked as uncommon. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = None identified -action.escu.creation_date = 2020-07-22 -action.escu.modification_date = 2020-07-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Uncommon Processes On Endpoint - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Hermetic Wiper", "Unusual Processes", "Windows Privilege Escalation"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Uncommon Processes On Endpoint - Rule -action.correlationsearch.annotations = {"analytic_story": ["Hermetic Wiper", "Unusual Processes", "Windows Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.002"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "29ccce64-a10c-4389-a45f-337cb29ba1f7", "detection_version": "4"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.dest Processes.user Processes.process Processes.process_name | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `uncommon_processes` |`uncommon_processes_on_endpoint_filter` - -[ESCU - Unsigned Image Loaded by LSASS - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search detects loading of unsigned images by LSASS. Deprecated because too noisy. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This search detects loading of unsigned images by LSASS. Deprecated because too noisy. -action.escu.how_to_implement = This search needs Sysmon Logs with a sysmon configuration, which includes EventCode 7 with lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives. -action.escu.known_false_positives = Other tools could load images into LSASS for legitimate reason. But enterprise tools should always use signed DLLs. -action.escu.creation_date = 2019-12-06 -action.escu.modification_date = 2019-12-06 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Unsigned Image Loaded by LSASS - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["Credential Dumping"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Unsigned Image Loaded by LSASS - Rule -action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "56ef054c-76ef-45f9-af4a-a634695dcd65", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search detects loading of unsigned images by LSASS. Deprecated because too noisy. -action.notable.param.rule_title = Unsigned Image Loaded by LSASS -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventID=7 Image=*lsass.exe Signed=false | stats count min(_time) as firstTime max(_time) as lastTime by dest, Image, ImageLoaded, Signed, SHA1 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `unsigned_image_loaded_by_lsass_filter` - -[ESCU - Unsuccessful Netbackup backups - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search gives you the hosts where a backup was attempted and then failed. -action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search gives you the hosts where a backup was attempted and then failed. -action.escu.how_to_implement = To successfully implement this search you need to obtain data from your backup solution, either from the backup logs on your endpoints or from a central server responsible for performing the backups. If you do not use Netbackup, you can modify this search for your specific backup solution. -action.escu.known_false_positives = None identified -action.escu.creation_date = 2017-09-12 -action.escu.modification_date = 2017-09-12 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Unsuccessful Netbackup backups - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Monitor Backup Solution"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Unsuccessful Netbackup backups - Rule -action.correlationsearch.annotations = {"analytic_story": ["Monitor Backup Solution"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "a34aae96-ccf8-4aaa-952c-3ea21444444f", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `netbackup` | stats latest(_time) as latestTime by COMPUTERNAME, MESSAGE | search MESSAGE="An error occurred, failed to backup." | `security_content_ctime(latestTime)` | rename COMPUTERNAME as dest, MESSAGE as signature | table latestTime, dest, signature | `unsuccessful_netbackup_backups_filter` - -[ESCU - Web Fraud - Account Harvesting - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search is used to identify the creation of multiple user accounts using the same email domain name. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This search is used to identify the creation of multiple user accounts using the same email domain name. -action.escu.how_to_implement = We start with a dataset that provides visibility into the email address used for the account creation. In this example, we are narrowing our search down to the single web page that hosts the Magento2 e-commerce platform (via URI) used for account creation, the single http content-type to grab only the user's clicks, and the http field that provides the username (form_data), for performance reasons. After we have the username and email domain, we look for numerous account creations per email domain. Common data sources used for this detection are customized Apache logs or Splunk Stream. -action.escu.known_false_positives = As is common with many fraud-related searches, we are usually looking to attribute risk or synthesize relevant context with loosely written detections that simply detect anamolous behavior. This search will need to be customized to fit your environment—improving its fidelity by counting based on something much more specific, such as a device ID that may be present in your dataset. Consideration for whether the large number of registrations are occuring from a first-time seen domain may also be important. Extending the search window to look further back in time, or even calculating the average per hour/day for each email domain to look for an anomalous spikes, will improve this search. You can also use Shannon entropy or Levenshtein Distance (both courtesy of URL Toolbox) to consider the randomness or similarity of the email name or email domain, as the names are often machine-generated. -action.escu.creation_date = 2018-10-08 -action.escu.modification_date = 2018-10-08 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Web Fraud - Account Harvesting - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Web Fraud Detection"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Web Fraud - Account Harvesting - Rule -action.correlationsearch.annotations = {"analytic_story": ["Web Fraud Detection"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "bf1d7b5c-df2f-4249-a401-c09fdc221ddf", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search is used to identify the creation of multiple user accounts using the same email domain name. -action.notable.param.rule_title = Web Fraud - Account Harvesting -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `stream_http` http_content_type=text* uri="/magento2/customer/account/loginPost/" | rex field=cookie "form_key=(?\w+)" | rex field=form_data "login\[username\]=(?[^&|^$]+)" | search Username=* | rex field=Username "@(?.*)" | stats dc(Username) as UniqueUsernames list(Username) as src_user by email_domain | where UniqueUsernames> 25 | `web_fraud___account_harvesting_filter` - -[ESCU - Web Fraud - Anomalous User Clickspeed - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search is used to examine web sessions to identify those where the clicks are occurring too quickly for a human or are occurring with a near-perfect cadence (high periodicity or low standard deviation), resembling a script driven session. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search is used to examine web sessions to identify those where the clicks are occurring too quickly for a human or are occurring with a near-perfect cadence (high periodicity or low standard deviation), resembling a script driven session. -action.escu.how_to_implement = Start with a dataset that allows you to see clickstream data for each user click on the website. That data must have a time stamp and must contain a reference to the session identifier being used by the website. This ties the clicks together into clickstreams. This value is usually found in the http cookie. With a bit of tuning, a version of this search could be used in high-volume scenarios, such as scraping, crawling, application DDOS, credit-card testing, account takeover, etc. Common data sources used for this detection are customized Apache logs, customized IIS, and Splunk Stream. -action.escu.known_false_positives = As is common with many fraud-related searches, we are usually looking to attribute risk or synthesize relevant context with loosly written detections that simply detect anamoluous behavior. -action.escu.creation_date = 2018-10-08 -action.escu.modification_date = 2018-10-08 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Web Fraud - Anomalous User Clickspeed - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Web Fraud Detection"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Web Fraud - Anomalous User Clickspeed - Rule -action.correlationsearch.annotations = {"analytic_story": ["Web Fraud Detection"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "31337bbb-bc22-4752-b599-ef192df2dc7a", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `stream_http` http_content_type=text* | rex field=cookie "form_key=(?\w+)" | streamstats window=2 current=1 range(_time) as TimeDelta by session_id | where TimeDelta>0 |stats count stdev(TimeDelta) as ClickSpeedStdDev avg(TimeDelta) as ClickSpeedAvg by session_id | where count>5 AND (ClickSpeedStdDev<.5 OR ClickSpeedAvg<.5) | `web_fraud___anomalous_user_clickspeed_filter` - -[ESCU - Web Fraud - Password Sharing Across Accounts - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search is used to identify user accounts that share a common password. -action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search is used to identify user accounts that share a common password. -action.escu.how_to_implement = We need to start with a dataset that allows us to see the values of usernames and passwords that users are submitting to the website hosting the Magento2 e-commerce platform (commonly found in the HTTP form_data field). A tokenized or hashed value of a password is acceptable and certainly preferable to a clear-text password. Common data sources used for this detection are customized Apache logs, customized IIS, and Splunk Stream. -action.escu.known_false_positives = As is common with many fraud-related searches, we are usually looking to attribute risk or synthesize relevant context with loosely written detections that simply detect anamoluous behavior. -action.escu.creation_date = 2018-10-08 -action.escu.modification_date = 2018-10-08 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Web Fraud - Password Sharing Across Accounts - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Web Fraud Detection"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Web Fraud - Password Sharing Across Accounts - Rule -action.correlationsearch.annotations = {"analytic_story": ["Web Fraud Detection"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "31337a1a-53b9-4e05-96e9-55c934cb71d3", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `stream_http` http_content_type=text* uri=/magento2/customer/account/loginPost* | rex field=form_data "login\[username\]=(?[^&|^$]+)" | rex field=form_data "login\[password\]=(?[^&|^$]+)" | stats dc(Username) as UniqueUsernames values(Username) as user list(src_ip) as src_ip by Password|where UniqueUsernames>5 | `web_fraud___password_sharing_across_accounts_filter` - -[ESCU - Windows connhost exe started forcefully - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. The search looks for the Console Window Host process (connhost.exe) executed using the force flag -ForceV1. This is not regular behavior in the Windows OS and is often seen executed by the Ryuk Ransomware. DEPRECATED This event is actually seen in the windows 10 client of attack_range_local. After further testing we realized this is not specific to Ryuk. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.003"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The search looks for the Console Window Host process (connhost.exe) executed using the force flag -ForceV1. This is not regular behavior in the Windows OS and is often seen executed by the Ryuk Ransomware. DEPRECATED This event is actually seen in the windows 10 client of attack_range_local. After further testing we realized this is not specific to Ryuk. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = This process should not be ran forcefully, we have not see any false positives for this detection -action.escu.creation_date = 2020-11-06 -action.escu.modification_date = 2020-11-06 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows connhost exe started forcefully - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Ryuk Ransomware"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Windows connhost exe started forcefully - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ryuk Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "c114aaca-68ee-41c2-ad8c-32bf21db8769", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The search looks for the Console Window Host process (connhost.exe) executed using the force flag -ForceV1. This is not regular behavior in the Windows OS and is often seen executed by the Ryuk Ransomware. DEPRECATED This event is actually seen in the windows 10 client of attack_range_local. After further testing we realized this is not specific to Ryuk. -action.notable.param.rule_title = Windows connhost exe started forcefully -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes WHERE Processes.process="*C:\\Windows\\system32\\conhost.exe* 0xffffffff *-ForceV1*" by Processes.user Processes.process_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_connhost_exe_started_forcefully_filter` - -[ESCU - Windows DLL Search Order Hijacking Hunt - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. The following hunting analytic is an experimental query built against a accidental feature using the latest Sysmon TA 3.0 (https://splunkbase.splunk.com/app/5709/) which maps the module load (ImageLoaded) to process_name. This analytic will deprecate once this is fixed. This hunting analytic identifies known libraries in Windows that may be used in a DLL search order hijack or DLL Sideloading setting. This may require recompiling the DLL, moving the DLL or moving the vulnerable process. The query looks for any running out of system32 or syswow64. Some libraries natively run out of other application paths and will need to be added to the exclusion as needed. The lookup is comprised of Microsoft native libraries identified within the Hijacklibs.net project. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.001", "T1574"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following hunting analytic is an experimental query built against a accidental feature using the latest Sysmon TA 3.0 (https://splunkbase.splunk.com/app/5709/) which maps the module load (ImageLoaded) to process_name. This analytic will deprecate once this is fixed. This hunting analytic identifies known libraries in Windows that may be used in a DLL search order hijack or DLL Sideloading setting. This may require recompiling the DLL, moving the DLL or moving the vulnerable process. The query looks for any running out of system32 or syswow64. Some libraries natively run out of other application paths and will need to be added to the exclusion as needed. The lookup is comprised of Microsoft native libraries identified within the Hijacklibs.net project. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives will be present based on paths. Filter or add other paths to the exclusion as needed. -action.escu.creation_date = 2023-11-07 -action.escu.modification_date = 2023-11-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows DLL Search Order Hijacking Hunt - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Living Off The Land", "Windows Defense Evasion Tactics"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Windows DLL Search Order Hijacking Hunt - Rule -action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land", "Windows Defense Evasion Tactics"], "cis20": ["CIS 10"], "confidence": 10, "impact": 10, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.001", "T1574"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "79c7d0fc-60c7-41be-a616-ccda752efe89", "detection_version": "3"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process_name) as process_name from datamodel=Endpoint.Processes where Processes.dest!=unknown Processes.user!=unknown NOT (Processes.process_path IN ("*\\system32\\*", "*\\syswow64\\*","*\\winsxs\\*","*\\wbem\\*")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process_path | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | lookup hijacklibs library AS process_name OUTPUT islibrary | search islibrary = True | rename parent_process_name as process_name , process_name AS ImageLoaded, process_path AS Module_Path | `windows_dll_search_order_hijacking_hunt_filter` - -[ESCU - Windows hosts file modification - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. The search looks for modifications to the hosts file on all Windows endpoints across your environment. -action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The search looks for modifications to the hosts file on all Windows endpoints across your environment. -action.escu.how_to_implement = To successfully implement this search, you must be ingesting data that records the file-system activity from your hosts to populate the Endpoint.Filesystem data model node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or by other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file-system reads and writes. -action.escu.known_false_positives = There may be legitimate reasons for system administrators to add entries to this file. -action.escu.creation_date = 2018-11-02 -action.escu.modification_date = 2018-11-02 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows hosts file modification - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Host Redirection"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "field", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Windows hosts file modification - Rule -action.correlationsearch.annotations = {"analytic_story": ["Host Redirection"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "1", "detection_id": "06a6fc63-a72d-41dc-8736-7e3dd9612116", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The search looks for modifications to the hosts file on all Windows endpoints across your environment. -action.notable.param.rule_title = Windows hosts file modification -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem by Filesystem.file_name Filesystem.file_path Filesystem.dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | search Filesystem.file_name=hosts AND Filesystem.file_path=*Windows\\System32\\* | `drop_dm_object_name(Filesystem)` | `windows_hosts_file_modification_filter` - -[ESCU - 3CX Supply Chain Attack Network Indicators - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies DNS queries to domains associated with the 3CX supply chain attack. It leverages the Network_Resolution datamodel to detect these suspicious domain indicators. This activity is significant because it can indicate a potential compromise stemming from the 3CX supply chain attack, which is known for distributing malicious software through trusted updates. If confirmed malicious, this activity could allow attackers to establish a foothold in the network, exfiltrate sensitive data, or further propagate malware, leading to extensive damage and data breaches. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1195.002"], "nist": ["DE.CM"]} -action.escu.data_models = ["Network_Resolution"] -action.escu.eli5 = The following analytic identifies DNS queries to domains associated with the 3CX supply chain attack. It leverages the Network_Resolution datamodel to detect these suspicious domain indicators. This activity is significant because it can indicate a potential compromise stemming from the 3CX supply chain attack, which is known for distributing malicious software through trusted updates. If confirmed malicious, this activity could allow attackers to establish a foothold in the network, exfiltrate sensitive data, or further propagate malware, leading to extensive damage and data breaches. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information into the `Network Resolution` datamodel in the `DNS` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA''s are installed. -action.escu.known_false_positives = False positives will be present for accessing the 3cx[.]com website. Remove from the lookup as needed. -action.escu.creation_date = 2024-05-21 -action.escu.modification_date = 2024-05-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - 3CX Supply Chain Attack Network Indicators - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["3CX Supply Chain Attack"] -action.risk = 1 -action.risk.param._risk_message = Indicators related to 3CX supply chain attack have been identified on $src$. -action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "system", "risk_score": 100}, {"threat_object_field": "query", "threat_object_type": "url"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - 3CX Supply Chain Attack Network Indicators - Rule -action.correlationsearch.annotations = {"analytic_story": ["3CX Supply Chain Attack"], "cis20": ["CIS 13"], "confidence": 100, "cve": ["CVE-2023-29059"], "impact": 100, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1195.002"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "791b727c-deec-4fbe-a732-756131b3c5a1", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies DNS queries to domains associated with the 3CX supply chain attack. It leverages the Network_Resolution datamodel to detect these suspicious domain indicators. This activity is significant because it can indicate a potential compromise stemming from the 3CX supply chain attack, which is known for distributing malicious software through trusted updates. If confirmed malicious, this activity could allow attackers to establish a foothold in the network, exfiltrate sensitive data, or further propagate malware, leading to extensive damage and data breaches. -action.notable.param.rule_title = 3CX Supply Chain Attack Network Indicators -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` values(DNS.answer) as IPs min(_time) as firstTime from datamodel=Network_Resolution by DNS.src, DNS.query | `drop_dm_object_name(DNS)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | lookup 3cx_ioc_domains domain as query OUTPUT Description isIOC | search isIOC=true | `3cx_supply_chain_attack_network_indicators_filter` - -[ESCU - 7zip CommandLine To SMB Share Path - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search is to detect a suspicious 7z process with commandline pointing to SMB network share. This technique was seen in CONTI LEAK tools where it use 7z to archive a sensitive files and place it in network share tmp folder. This search is a good hunting query that may give analyst a hint why specific user try to archive a file pointing to SMB user which is un usual. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1560.001", "T1560"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search is to detect a suspicious 7z process with commandline pointing to SMB network share. This technique was seen in CONTI LEAK tools where it use 7z to archive a sensitive files and place it in network share tmp folder. This search is a good hunting query that may give analyst a hint why specific user try to archive a file pointing to SMB user which is un usual. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2021-08-17 -action.escu.modification_date = 2021-08-17 -action.escu.confidence = high -action.escu.full_search_name = ESCU - 7zip CommandLine To SMB Share Path - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Ransomware"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - 7zip CommandLine To SMB Share Path - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1560.001", "T1560"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "01d29b48-ff6f-11eb-b81e-acde48001123", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name ="7z.exe" OR Processes.process_name = "7za.exe" OR Processes.original_file_name = "7z.exe" OR Processes.original_file_name = "7za.exe") AND (Processes.process="*\\C$\\*" OR Processes.process="*\\Admin$\\*" OR Processes.process="*\\IPC$\\*") by Processes.original_file_name Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.parent_process_id Processes.process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `7zip_commandline_to_smb_share_path_filter` - -[ESCU - Access LSASS Memory for Dump Creation - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the dumping of the LSASS process memory, which occurs during credential dumping attacks.The detection is made by using Sysmon logs, specifically EventCode 10, which is related to lsass.exe. This helps to search for indicators of LSASS memory dumping such as specific call traces to dbgcore.dll and dbghelp.dll. This detection is important because it prevents credential dumping attacks and the theft of sensitive information such as login credentials, which can be used to gain unauthorized access to systems and data. False positives might occur due to legitimate administrative tasks. Next steps include reviewing and investigating each case, given the high risk associated with potential credential dumping attacks. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects the dumping of the LSASS process memory, which occurs during credential dumping attacks.The detection is made by using Sysmon logs, specifically EventCode 10, which is related to lsass.exe. This helps to search for indicators of LSASS memory dumping such as specific call traces to dbgcore.dll and dbghelp.dll. This detection is important because it prevents credential dumping attacks and the theft of sensitive information such as login credentials, which can be used to gain unauthorized access to systems and data. False positives might occur due to legitimate administrative tasks. Next steps include reviewing and investigating each case, given the high risk associated with potential credential dumping attacks. -action.escu.how_to_implement = This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 10 for lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives. -action.escu.known_false_positives = Administrators can create memory dumps for debugging purposes, but memory dumps of the LSASS process would be unusual. -action.escu.creation_date = 2023-12-27 -action.escu.modification_date = 2023-12-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Access LSASS Memory for Dump Creation - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["CISA AA23-347A", "Credential Dumping"] -action.risk = 1 -action.risk.param._risk_message = process $SourceImage$ injected into $TargetImage$ and was attempted dump LSASS on $dest$. Adversaries tend to do this when trying to accesss credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}, {"risk_object_field": "TargetImage", "risk_object_type": "other", "risk_score": 63}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Access LSASS Memory for Dump Creation - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A", "Credential Dumping"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "fb4c31b0-13e8-4155-8aa5-24de4b8d6717", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the dumping of the LSASS process memory, which occurs during credential dumping attacks.The detection is made by using Sysmon logs, specifically EventCode 10, which is related to lsass.exe. This helps to search for indicators of LSASS memory dumping such as specific call traces to dbgcore.dll and dbghelp.dll. This detection is important because it prevents credential dumping attacks and the theft of sensitive information such as login credentials, which can be used to gain unauthorized access to systems and data. False positives might occur due to legitimate administrative tasks. Next steps include reviewing and investigating each case, given the high risk associated with potential credential dumping attacks. -action.notable.param.rule_title = Access LSASS Memory for Dump Creation -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=10 TargetImage=*lsass.exe CallTrace=*dbgcore.dll* OR CallTrace=*dbghelp.dll* | stats count min(_time) as firstTime max(_time) as lastTime by dest, TargetImage, TargetProcessId, SourceImage, SourceProcessId | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `access_lsass_memory_for_dump_creation_filter` - -[ESCU - Account Discovery With Net App - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search is to detect a potential account discovery series of command used by several malware or attack to recon the target machine. This technique is also seen in some note worthy malware like trickbot where it runs a cmd process, or even drop its module that will execute the said series of net command. This series of command are good correlation search and indicator of attacker recon if seen in the machines within a none technical user or department (HR, finance, ceo and etc) network. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search is to detect a potential account discovery series of command used by several malware or attack to recon the target machine. This technique is also seen in some note worthy malware like trickbot where it runs a cmd process, or even drop its module that will execute the said series of net command. This series of command are good correlation search and indicator of attacker recon if seen in the machines within a none technical user or department (HR, finance, ceo and etc) network. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Admin or power user may used this series of command. -action.escu.creation_date = 2023-01-04 -action.escu.modification_date = 2023-01-04 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Account Discovery With Net App - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["IcedID", "Trickbot"] -action.risk = 1 -action.risk.param._risk_message = Suspicious $process_name$ usage detected on endpoint $dest$ by user $user$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 5}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 5}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 5}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Account Discovery With Net App - Rule -action.correlationsearch.annotations = {"analytic_story": ["IcedID", "Trickbot"], "cis20": ["CIS 10"], "confidence": 50, "impact": 10, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "339805ce-ac30-11eb-b87d-acde48001122", "detection_version": "4"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search is to detect a potential account discovery series of command used by several malware or attack to recon the target machine. This technique is also seen in some note worthy malware like trickbot where it runs a cmd process, or even drop its module that will execute the said series of net command. This series of command are good correlation search and indicator of attacker recon if seen in the machines within a none technical user or department (HR, finance, ceo and etc) network. -action.notable.param.rule_title = Account Discovery With Net App -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND (Processes.process="* user *" OR Processes.process="*config*" OR Processes.process="*view /all*") by Processes.process_name Processes.dest Processes.user Processes.parent_process_name | where count >=4 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `account_discovery_with_net_app_filter` - -[ESCU - Active Directory Lateral Movement Identified - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The primary objective of this correlation rule is to detect and alert on potential lateral movement activities within an organization's Active Directory (AD) environment. By identifying multiple analytics associated with the Active Directory Lateral Movement analytic story, security analysts can gain better insight into possible threats and respond accordingly to mitigate risks. The correlation rule will trigger an alert when multiple analytics from the Active Directory Lateral Movement analytic story are detected within a specified time frame. The rule will generate an alert if a predetermined threshold of correlated analytics is reached within the specified time frame. This threshold can be customized to suit the needs and risk appetite of the organization. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1210"], "nist": ["DE.AE"]} -action.escu.data_models = ["Risk"] -action.escu.eli5 = The primary objective of this correlation rule is to detect and alert on potential lateral movement activities within an organization's Active Directory (AD) environment. By identifying multiple analytics associated with the Active Directory Lateral Movement analytic story, security analysts can gain better insight into possible threats and respond accordingly to mitigate risks. The correlation rule will trigger an alert when multiple analytics from the Active Directory Lateral Movement analytic story are detected within a specified time frame. The rule will generate an alert if a predetermined threshold of correlated analytics is reached within the specified time frame. This threshold can be customized to suit the needs and risk appetite of the organization. -action.escu.how_to_implement = Splunk Enterprise Security is required to utilize this correlation. In addition, modify the source_count value to your environment. In our testing, a count of 4 or 5 was decent in a lab, but the number may need to be increased as the analytic story includes over 30 analytics. In addition, based on false positives, modify any analytics to be anomaly and lower or increase risk based on organization importance. -action.escu.known_false_positives = False positives will most likely be present based on risk scoring and how the organization handles system to system communication. Filter, or modify as needed. In addition to count by analytics, adding a risk score may be useful. In our testing, with 22 events over 30 days, the risk scores ranged from 500 to 80,000. Your organization will be different, monitor and modify as needed. -action.escu.creation_date = 2023-11-07 -action.escu.modification_date = 2023-11-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Active Directory Lateral Movement Identified - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Active Directory Lateral Movement"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - RIR - Active Directory Lateral Movement Identified - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1210"], "nist": ["DE.AE"], "type": "Correlation"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "6aa6f9dd-adfe-45a8-8f74-c4c7a0d7d037", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The primary objective of this correlation rule is to detect and alert on potential lateral movement activities within an organization's Active Directory (AD) environment. By identifying multiple analytics associated with the Active Directory Lateral Movement analytic story, security analysts can gain better insight into possible threats and respond accordingly to mitigate risks. The correlation rule will trigger an alert when multiple analytics from the Active Directory Lateral Movement analytic story are detected within a specified time frame. The rule will generate an alert if a predetermined threshold of correlated analytics is reached within the specified time frame. This threshold can be customized to suit the needs and risk appetite of the organization. -action.notable.param.rule_title = RBA: Active Directory Lateral Movement Identified -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories="Active Directory Lateral Movement" All_Risk.risk_object_type="system" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 4 | `active_directory_lateral_movement_identified_filter` - -[ESCU - Active Directory Privilege Escalation Identified - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The primary objective of this correlation rule is to detect and alert on potential privilege escalation activities within an organization's Active Directory (AD) environment. By identifying multiple analytics associated with the Active Directory Privilege Escalation analytic story, security analysts can gain better insight into possible threats and respond accordingly to mitigate risks. The correlation rule will trigger an alert when multiple analytics from the Active Directory Privilege Escalation analytic story are detected within a specified time frame. The rule will generate an alert if a predetermined threshold of correlated analytics is reached within the specified time frame. This threshold can be customized to suit the needs and risk appetite of the organization. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484"], "nist": ["DE.AE"]} -action.escu.data_models = ["Risk"] -action.escu.eli5 = The primary objective of this correlation rule is to detect and alert on potential privilege escalation activities within an organization's Active Directory (AD) environment. By identifying multiple analytics associated with the Active Directory Privilege Escalation analytic story, security analysts can gain better insight into possible threats and respond accordingly to mitigate risks. The correlation rule will trigger an alert when multiple analytics from the Active Directory Privilege Escalation analytic story are detected within a specified time frame. The rule will generate an alert if a predetermined threshold of correlated analytics is reached within the specified time frame. This threshold can be customized to suit the needs and risk appetite of the organization. -action.escu.how_to_implement = Splunk Enterprise Security is required to utilize this correlation. In addition, modify the source_count value to your environment. In our testing, a count of 4 or 5 was decent in a lab, but the number may need to be increased as the analytic story includes over 30 analytics. In addition, based on false positives, modify any analytics to be anomaly and lower or increase risk based on organization importance. -action.escu.known_false_positives = False positives will most likely be present based on risk scoring and how the organization handles system to system communication. Filter, or modify as needed. In addition to count by analytics, adding a risk score may be useful. In our testing, with 22 events over 30 days, the risk scores ranged from 500 to 80,000. Your organization will be different, monitor and modify as needed. -action.escu.creation_date = 2023-05-23 -action.escu.modification_date = 2023-05-23 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Active Directory Privilege Escalation Identified - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Active Directory Privilege Escalation"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - RIR - Active Directory Privilege Escalation Identified - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484"], "nist": ["DE.AE"], "type": "Correlation"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "583e8a68-f2f7-45be-8fc9-bf725f0e22fd", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The primary objective of this correlation rule is to detect and alert on potential privilege escalation activities within an organization's Active Directory (AD) environment. By identifying multiple analytics associated with the Active Directory Privilege Escalation analytic story, security analysts can gain better insight into possible threats and respond accordingly to mitigate risks. The correlation rule will trigger an alert when multiple analytics from the Active Directory Privilege Escalation analytic story are detected within a specified time frame. The rule will generate an alert if a predetermined threshold of correlated analytics is reached within the specified time frame. This threshold can be customized to suit the needs and risk appetite of the organization. -action.notable.param.rule_title = RBA: Active Directory Privilege Escalation Identified -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories="Active Directory Privilege Escalation" All_Risk.risk_object_type="system" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 4 | `active_directory_privilege_escalation_identified_filter` - -[ESCU - Active Setup Registry Autostart - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is to detect a suspicious modification of the active setup registry for persistence and privilege escalation. This technique was seen in several malware (poisonIvy), adware and APT to gain persistence to the compromised machine upon boot up. This TTP is a good indicator to further check the process id that do the modification since modification of this registry is not commonly done. check the legitimacy of the file and process involve in this rules to check if it is a valid setup installer that creating or modifying this registry. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1547.014", "T1547"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is to detect a suspicious modification of the active setup registry for persistence and privilege escalation. This technique was seen in several malware (poisonIvy), adware and APT to gain persistence to the compromised machine upon boot up. This TTP is a good indicator to further check the process id that do the modification since modification of this registry is not commonly done. check the legitimacy of the file and process involve in this rules to check if it is a valid setup installer that creating or modifying this registry. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -action.escu.known_false_positives = Active setup installer may add or modify this registry. -action.escu.creation_date = 2023-04-27 -action.escu.modification_date = 2023-04-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Active Setup Registry Autostart - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Data Destruction", "Hermetic Wiper", "Windows Persistence Techniques", "Windows Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = modified/added/deleted registry entry $registry_path$ in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Active Setup Registry Autostart - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Persistence Techniques", "Windows Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1547.014", "T1547"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "f64579c0-203f-11ec-abcc-acde48001122", "detection_version": "4"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic is to detect a suspicious modification of the active setup registry for persistence and privilege escalation. This technique was seen in several malware (poisonIvy), adware and APT to gain persistence to the compromised machine upon boot up. This TTP is a good indicator to further check the process id that do the modification since modification of this registry is not commonly done. check the legitimacy of the file and process involve in this rules to check if it is a valid setup installer that creating or modifying this registry. -action.notable.param.rule_title = Active Setup Registry Autostart -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_value_name= "StubPath" Registry.registry_path = "*\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components*") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `active_setup_registry_autostart_filter` - -[ESCU - Add DefaultUser And Password In Registry - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = this search is to detect a suspicious registry modification to implement auto admin logon to a host. This technique was seen in BlackMatter ransomware to automatically logon to the compromise host after triggering a safemode boot to continue encrypting the whole network. This behavior is not a common practice and really a suspicious TTP or alert need to be consider if found within then network premise. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.002", "T1552"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = this search is to detect a suspicious registry modification to implement auto admin logon to a host. This technique was seen in BlackMatter ransomware to automatically logon to the compromise host after triggering a safemode boot to continue encrypting the whole network. This behavior is not a common practice and really a suspicious TTP or alert need to be consider if found within then network premise. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-03-29 -action.escu.modification_date = 2023-03-29 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Add DefaultUser And Password In Registry - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["BlackMatter Ransomware"] -action.risk = 1 -action.risk.param._risk_message = modified registry key $registry_key_name$ with registry value $registry_value_name$ to prepare autoadminlogon -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Add DefaultUser And Password In Registry - Rule -action.correlationsearch.annotations = {"analytic_story": ["BlackMatter Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.002", "T1552"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "d4a3eb62-0f1e-11ec-a971-acde48001122", "detection_version": "4"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*" AND Registry.registry_value_name= DefaultPassword OR Registry.registry_value_name= DefaultUserName) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.dest Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `add_defaultuser_and_password_in_registry_filter` - -[ESCU - Add or Set Windows Defender Exclusion - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic will identify a suspicious process command-line related to Windows Defender exclusion feature. This command is abused by adversaries, malware authors and red teams to bypass Windows Defender Antivirus products by excluding folder path, file path, process and extensions. From its real time or schedule scan to execute their malicious code. This is a good indicator for defense evasion and to look further for events after this behavior. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic will identify a suspicious process command-line related to Windows Defender exclusion feature. This command is abused by adversaries, malware authors and red teams to bypass Windows Defender Antivirus products by excluding folder path, file path, process and extensions. From its real time or schedule scan to execute their malicious code. This is a good indicator for defense evasion and to look further for events after this behavior. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Admin or user may choose to use this windows features. Filter as needed. -action.escu.creation_date = 2023-04-14 -action.escu.modification_date = 2023-04-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Add or Set Windows Defender Exclusion - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["AgentTesla", "CISA AA22-320A", "Data Destruction", "Remcos", "WhisperGate", "Windows Defense Evasion Tactics"] -action.risk = 1 -action.risk.param._risk_message = exclusion command $process$ executed on $dest$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Add or Set Windows Defender Exclusion - Rule -action.correlationsearch.annotations = {"analytic_story": ["AgentTesla", "CISA AA22-320A", "Data Destruction", "Remcos", "WhisperGate", "Windows Defense Evasion Tactics"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "773b66fe-4dd9-11ec-8289-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic will identify a suspicious process command-line related to Windows Defender exclusion feature. This command is abused by adversaries, malware authors and red teams to bypass Windows Defender Antivirus products by excluding folder path, file path, process and extensions. From its real time or schedule scan to execute their malicious code. This is a good indicator for defense evasion and to look further for events after this behavior. -action.notable.param.rule_title = Add or Set Windows Defender Exclusion -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process = "*Add-MpPreference *" OR Processes.process = "*Set-MpPreference *") AND Processes.process="*-exclusion*" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `add_or_set_windows_defender_exclusion_filter` - -[ESCU - AdsiSearcher Account Discovery - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain groups. Red Teams and adversaries may leverage `[Adsisearcher]` to enumerate domain users for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain groups. Red Teams and adversaries may leverage `[Adsisearcher]` to enumerate domain users for situational awareness and Active Directory Discovery. -action.escu.how_to_implement = The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. -action.escu.creation_date = 2023-12-27 -action.escu.modification_date = 2023-12-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - AdsiSearcher Account Discovery - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Discovery", "CISA AA23-347A", "Data Destruction", "Industroyer2"] -action.risk = 1 -action.risk.param._risk_message = Powershell process having commandline "AdsiSearcher" used for user enumeration on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - AdsiSearcher Account Discovery - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A", "Data Destruction", "Industroyer2"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "de7fcadc-04f3-11ec-a241-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain groups. Red Teams and adversaries may leverage `[Adsisearcher]` to enumerate domain users for situational awareness and Active Directory Discovery. -action.notable.param.rule_title = AdsiSearcher Account Discovery -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText = "*[adsisearcher]*" ScriptBlockText = "*objectcategory=user*" ScriptBlockText = "*.findAll()*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Computer ScriptBlockText UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `adsisearcher_account_discovery_filter` - -[ESCU - Allow File And Printing Sharing In Firewall - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search is to detect a suspicious modification of firewall to allow file and printer sharing. This technique was seen in ransomware to be able to discover more machine connected to the compromised host to encrypt more files -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.007", "T1562"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search is to detect a suspicious modification of firewall to allow file and printer sharing. This technique was seen in ransomware to be able to discover more machine connected to the compromised host to encrypt more files -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = network admin may modify this firewall feature that may cause this rule to be triggered. -action.escu.creation_date = 2023-12-15 -action.escu.modification_date = 2023-12-15 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Allow File And Printing Sharing In Firewall - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["BlackByte Ransomware", "Ransomware"] -action.risk = 1 -action.risk.param._risk_message = A suspicious modification of firewall to allow file and printer sharing detected on host - $dest$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Allow File And Printing Sharing In Firewall - Rule -action.correlationsearch.annotations = {"analytic_story": ["BlackByte Ransomware", "Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.007", "T1562"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "ce27646e-d411-11eb-8a00-acde48001122", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search is to detect a suspicious modification of firewall to allow file and printer sharing. This technique was seen in ransomware to be able to discover more machine connected to the compromised host to encrypt more files -action.notable.param.rule_title = Allow File And Printing Sharing In Firewall -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh` Processes.process= "*firewall*" Processes.process= "*group=\"File and Printer Sharing\"*" Processes.process="*enable=Yes*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `allow_file_and_printing_sharing_in_firewall_filter` - -[ESCU - Allow Inbound Traffic By Firewall Rule Registry - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects a potential suspicious modification of firewall rule registry allowing inbound traffic in specific port with public profile. This technique was identified when an adversary wants to grant remote access to a machine by allowing the traffic in a firewall rule. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects a potential suspicious modification of firewall rule registry allowing inbound traffic in specific port with public profile. This technique was identified when an adversary wants to grant remote access to a machine by allowing the traffic in a firewall rule. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -action.escu.known_false_positives = network admin may add/remove/modify public inbound firewall rule that may cause this rule to be triggered. -action.escu.creation_date = 2023-03-29 -action.escu.modification_date = 2023-03-29 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Allow Inbound Traffic By Firewall Rule Registry - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Azorult", "NjRAT", "PlugX", "Prohibited Traffic Allowed or Protocol Mismatch", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = Suspicious firewall allow rule modifications were detected via the registry on endpoint $dest$ by user $user$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Allow Inbound Traffic By Firewall Rule Registry - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azorult", "NjRAT", "PlugX", "Prohibited Traffic Allowed or Protocol Mismatch", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "0a46537c-be02-11eb-92ca-acde48001122", "detection_version": "5"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects a potential suspicious modification of firewall rule registry allowing inbound traffic in specific port with public profile. This technique was identified when an adversary wants to grant remote access to a machine by allowing the traffic in a firewall rule. -action.notable.param.rule_title = Allow Inbound Traffic By Firewall Rule Registry -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\*" Registry.registry_value_data = "*|Action=Allow|*" Registry.registry_value_data = "*|Dir=In|*" Registry.registry_value_data = "*|LPort=*") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `allow_inbound_traffic_by_firewall_rule_registry_filter` - -[ESCU - Allow Inbound Traffic In Firewall Rule - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies suspicious PowerShell command to allow inbound traffic inbound to a specific local port within the public profile. This technique was seen in some attacker want to have a remote access to a machine by allowing the traffic in firewall rule. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies suspicious PowerShell command to allow inbound traffic inbound to a specific local port within the public profile. This technique was seen in some attacker want to have a remote access to a machine by allowing the traffic in firewall rule. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the powershell logs from your endpoints. make sure you enable needed registry to monitor this event. -action.escu.known_false_positives = administrator may allow inbound traffic in certain network or machine. -action.escu.creation_date = 2024-04-26 -action.escu.modification_date = 2024-04-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Allow Inbound Traffic In Firewall Rule - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Prohibited Traffic Allowed or Protocol Mismatch"] -action.risk = 1 -action.risk.param._risk_message = Suspicious firewall modification detected on endpoint $dest$ by user $user$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 3}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 3}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Allow Inbound Traffic In Firewall Rule - Rule -action.correlationsearch.annotations = {"analytic_story": ["Prohibited Traffic Allowed or Protocol Mismatch"], "cis20": ["CIS 10"], "confidence": 30, "impact": 10, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a5d85486-b89c-11eb-8267-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies suspicious PowerShell command to allow inbound traffic inbound to a specific local port within the public profile. This technique was seen in some attacker want to have a remote access to a machine by allowing the traffic in firewall rule. -action.notable.param.rule_title = Allow Inbound Traffic In Firewall Rule -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText = "*firewall*" ScriptBlockText = "*Inbound*" ScriptBlockText = "*Allow*" ScriptBlockText = "*-LocalPort*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `allow_inbound_traffic_in_firewall_rule_filter` - -[ESCU - Allow Network Discovery In Firewall - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search is to detect a suspicious modification to the firewall to allow network discovery on a machine. This technique was seen in couple of ransomware (revil, reddot) to discover other machine connected to the compromised host to encrypt more files. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.007", "T1562"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search is to detect a suspicious modification to the firewall to allow network discovery on a machine. This technique was seen in couple of ransomware (revil, reddot) to discover other machine connected to the compromised host to encrypt more files. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = network admin may modify this firewall feature that may cause this rule to be triggered. -action.escu.creation_date = 2021-06-23 -action.escu.modification_date = 2021-06-23 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Allow Network Discovery In Firewall - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["BlackByte Ransomware", "NjRAT", "Ransomware", "Revil Ransomware"] -action.risk = 1 -action.risk.param._risk_message = Suspicious modification to the firewall to allow network discovery detected on host - $dest$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Allow Network Discovery In Firewall - Rule -action.correlationsearch.annotations = {"analytic_story": ["BlackByte Ransomware", "NjRAT", "Ransomware", "Revil Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.007", "T1562"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "ccd6a38c-d40b-11eb-85a5-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search is to detect a suspicious modification to the firewall to allow network discovery on a machine. This technique was seen in couple of ransomware (revil, reddot) to discover other machine connected to the compromised host to encrypt more files. -action.notable.param.rule_title = Allow Network Discovery In Firewall -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh` Processes.process= "*firewall*" Processes.process= "*group=\"Network Discovery\"*" Processes.process="*enable*" Processes.process="*Yes*" by Processes.dest Processes.user Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `allow_network_discovery_in_firewall_filter` - -[ESCU - Allow Operation with Consent Admin - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic identifies a potential privilege escalation attempt to perform malicious task. This registry modification is designed to allow the `Consent Admin` to perform an operation that requires elevation without consent or credentials. We also found this in some attacker to gain privilege escalation to the compromise machine. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic identifies a potential privilege escalation attempt to perform malicious task. This registry modification is designed to allow the `Consent Admin` to perform an operation that requires elevation without consent or credentials. We also found this in some attacker to gain privilege escalation to the compromise machine. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-03-29 -action.escu.modification_date = 2023-03-29 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Allow Operation with Consent Admin - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Azorult", "Ransomware", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = Suspicious registry modification was performed on endpoint $dest$ by user $user$. This behavior is indicative of privilege escalation. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Allow Operation with Consent Admin - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azorult", "Ransomware", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "7de17d7a-c9d8-11eb-a812-acde48001122", "detection_version": "4"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic identifies a potential privilege escalation attempt to perform malicious task. This registry modification is designed to allow the `Consent Admin` to perform an operation that requires elevation without consent or credentials. We also found this in some attacker to gain privilege escalation to the compromise machine. -action.notable.param.rule_title = Allow Operation with Consent Admin -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\Microsoft\\Windows\\CurrentVersion\\Policies\\System*" Registry.registry_value_name = ConsentPromptBehaviorAdmin Registry.registry_value_data = "0x00000000") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `allow_operation_with_consent_admin_filter` - -[ESCU - Anomalous usage of 7zip - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following detection identifies a 7z.exe spawned from `Rundll32.exe` or `Dllhost.exe`. It is assumed that the adversary has brought in `7z.exe` and `7z.dll`. It has been observed where an adversary will rename `7z.exe`. Additional coverage may be required to identify the behavior of renamed instances of `7z.exe`. During triage, identify the source of injection into `Rundll32.exe` or `Dllhost.exe`. Capture any files written to disk and analyze as needed. Review parallel processes for additional behaviors. Typically, archiving files will result in exfiltration. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1560.001", "T1560"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following detection identifies a 7z.exe spawned from `Rundll32.exe` or `Dllhost.exe`. It is assumed that the adversary has brought in `7z.exe` and `7z.dll`. It has been observed where an adversary will rename `7z.exe`. Additional coverage may be required to identify the behavior of renamed instances of `7z.exe`. During triage, identify the source of injection into `Rundll32.exe` or `Dllhost.exe`. Capture any files written to disk and analyze as needed. Review parallel processes for additional behaviors. Typically, archiving files will result in exfiltration. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives should be limited as this behavior is not normal for `rundll32.exe` or `dllhost.exe` to spawn and run 7zip. -action.escu.creation_date = 2023-11-07 -action.escu.modification_date = 2023-11-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Anomalous usage of 7zip - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack", "NOBELIUM Group"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$. This behavior is indicative of suspicious loading of 7zip. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 64}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Anomalous usage of 7zip - Rule -action.correlationsearch.annotations = {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1560.001", "T1560"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "9364ee8e-a39a-11eb-8f1d-acde48001122", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("rundll32.exe", "dllhost.exe") Processes.process_name=*7z* by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `anomalous_usage_of_7zip_filter` - -[ESCU - Any Powershell DownloadFile - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the use of PowerShell downloading a file using `DownloadFile` method. This particular method is utilized in many different PowerShell frameworks to download files and output to disk. Identify the source (IP/domain) and destination file and triage appropriately. If AMSI logging or PowerShell transaction logs are available, review for further details of the implant. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control", "Installation"], "mitre_attack": ["T1059", "T1059.001", "T1105"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the use of PowerShell downloading a file using `DownloadFile` method. This particular method is utilized in many different PowerShell frameworks to download files and output to disk. Identify the source (IP/domain) and destination file and triage appropriately. If AMSI logging or PowerShell transaction logs are available, review for further details of the implant. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives may be present and filtering will need to occur by parent process or command line argument. It may be required to modify this query to an EDR product for more granular coverage. -action.escu.creation_date = 2023-04-14 -action.escu.modification_date = 2023-04-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Any Powershell DownloadFile - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["DarkCrystal RAT", "Data Destruction", "Hermetic Wiper", "Ingress Tool Transfer", "Log4Shell CVE-2021-44228", "Malicious PowerShell", "Phemedrone Stealer"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$. This behavior identifies the use of DownloadFile within PowerShell. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 56}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 56}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 56}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Any Powershell DownloadFile - Rule -action.correlationsearch.annotations = {"analytic_story": ["DarkCrystal RAT", "Data Destruction", "Hermetic Wiper", "Ingress Tool Transfer", "Log4Shell CVE-2021-44228", "Malicious PowerShell", "Phemedrone Stealer"], "cis20": ["CIS 10"], "confidence": 70, "cve": ["CVE-2021-44228"], "impact": 80, "kill_chain_phases": ["Command and Control", "Installation"], "mitre_attack": ["T1059", "T1059.001", "T1105"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "1a93b7ea-7af7-11eb-adb5-acde48001122", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the use of PowerShell downloading a file using `DownloadFile` method. This particular method is utilized in many different PowerShell frameworks to download files and output to disk. Identify the source (IP/domain) and destination file and triage appropriately. If AMSI logging or PowerShell transaction logs are available, review for further details of the implant. -action.notable.param.rule_title = Any Powershell DownloadFile -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=*DownloadFile* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `any_powershell_downloadfile_filter` - -[ESCU - Any Powershell DownloadString - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the use of PowerShell downloading a file using `DownloadString` method. This particular method is utilized in many different PowerShell frameworks to download files and output to disk. Identify the source (IP/domain) and destination file and triage appropriately. If AMSI logging or PowerShell transaction logs are available, review for further details of the implant. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control", "Installation"], "mitre_attack": ["T1059", "T1059.001", "T1105"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the use of PowerShell downloading a file using `DownloadString` method. This particular method is utilized in many different PowerShell frameworks to download files and output to disk. Identify the source (IP/domain) and destination file and triage appropriately. If AMSI logging or PowerShell transaction logs are available, review for further details of the implant. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives may be present and filtering will need to occur by parent process or command line argument. It may be required to modify this query to an EDR product for more granular coverage. -action.escu.creation_date = 2023-04-05 -action.escu.modification_date = 2023-04-05 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Any Powershell DownloadString - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Data Destruction", "HAFNIUM Group", "Hermetic Wiper", "IcedID", "Ingress Tool Transfer", "Malicious PowerShell", "Phemedrone Stealer", "SysAid On-Prem Software CVE-2023-47246 Vulnerability", "Winter Vivern"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$. This behavior identifies the use of DownloadString within PowerShell. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 56}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 56}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 56}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Any Powershell DownloadString - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "HAFNIUM Group", "Hermetic Wiper", "IcedID", "Ingress Tool Transfer", "Malicious PowerShell", "Phemedrone Stealer", "SysAid On-Prem Software CVE-2023-47246 Vulnerability", "Winter Vivern"], "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Command and Control", "Installation"], "mitre_attack": ["T1059", "T1059.001", "T1105"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "4d015ef2-7adf-11eb-95da-acde48001122", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the use of PowerShell downloading a file using `DownloadString` method. This particular method is utilized in many different PowerShell frameworks to download files and output to disk. Identify the source (IP/domain) and destination file and triage appropriately. If AMSI logging or PowerShell transaction logs are available, review for further details of the implant. -action.notable.param.rule_title = Any Powershell DownloadString -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=*.DownloadString* by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `any_powershell_downloadstring_filter` - -[ESCU - Attacker Tools On Endpoint - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the use of tools that are commonly exploited by cybercriminals since these tools are usually associated with malicious activities such as unauthorized access, network scanning, or data exfiltration and pose a significant threat to an organization's security infrastructure. It also provides enhanced visibility into potential security threats and helps to proactively detect and respond to mitigate the risks associated with cybercriminal activities. This detection is made by examining the process activity on the host, specifically focusing on processes that are known to be associated with attacker tool names. This detection is important because it acts as an early warning system for potential security incidents that allows you to respond to security incidents promptly. False positives might occur due to legitimate administrative activities that can resemble malicious actions. You must develop a comprehensive understanding of typical endpoint activities and behaviors within the organization to accurately interpret and respond to the alerts generated by this analytic. This ensures a proper balance between precision and minimizing false positives. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Reconnaissance"], "mitre_attack": ["T1036.005", "T1036", "T1003", "T1595"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the use of tools that are commonly exploited by cybercriminals since these tools are usually associated with malicious activities such as unauthorized access, network scanning, or data exfiltration and pose a significant threat to an organization's security infrastructure. It also provides enhanced visibility into potential security threats and helps to proactively detect and respond to mitigate the risks associated with cybercriminal activities. This detection is made by examining the process activity on the host, specifically focusing on processes that are known to be associated with attacker tool names. This detection is important because it acts as an early warning system for potential security incidents that allows you to respond to security incidents promptly. False positives might occur due to legitimate administrative activities that can resemble malicious actions. You must develop a comprehensive understanding of typical endpoint activities and behaviors within the organization to accurately interpret and respond to the alerts generated by this analytic. This ensures a proper balance between precision and minimizing false positives. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Some administrator activity can be potentially triggered, please add those users to the filter macro. -action.escu.creation_date = 2024-01-01 -action.escu.modification_date = 2024-01-01 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Attacker Tools On Endpoint - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["CISA AA22-264A", "Monitor for Unauthorized Software", "SamSam Ransomware", "Unusual Processes", "XMRig"] -action.risk = 1 -action.risk.param._risk_message = An attacker tool $process_name$,listed in attacker_tools.csv is executed on host $dest$ by User $user$. This process $process_name$ is known to do- $description$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}, {"threat_object_field": "process_name", "threat_object_type": "process"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Attacker Tools On Endpoint - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA22-264A", "Monitor for Unauthorized Software", "SamSam Ransomware", "Unusual Processes", "XMRig"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Reconnaissance"], "mitre_attack": ["T1036.005", "T1036", "T1003", "T1595"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a51bfe1a-94f0-48cc-b4e4-16a110145893", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the use of tools that are commonly exploited by cybercriminals since these tools are usually associated with malicious activities such as unauthorized access, network scanning, or data exfiltration and pose a significant threat to an organization's security infrastructure. It also provides enhanced visibility into potential security threats and helps to proactively detect and respond to mitigate the risks associated with cybercriminal activities. This detection is made by examining the process activity on the host, specifically focusing on processes that are known to be associated with attacker tool names. This detection is important because it acts as an early warning system for potential security incidents that allows you to respond to security incidents promptly. False positives might occur due to legitimate administrative activities that can resemble malicious actions. You must develop a comprehensive understanding of typical endpoint activities and behaviors within the organization to accurately interpret and respond to the alerts generated by this analytic. This ensures a proper balance between precision and minimizing false positives. -action.notable.param.rule_title = Attacker Tools On Endpoint -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as process values(Processes.parent_process) as parent_process from datamodel=Endpoint.Processes where Processes.dest!=unknown Processes.user!=unknown by Processes.dest Processes.user Processes.process_name Processes.process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | lookup attacker_tools attacker_tool_names AS process_name OUTPUT description | search description !=false| `attacker_tools_on_endpoint_filter` - -[ESCU - Attempt To Add Certificate To Untrusted Store - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects whether a process is attempting to add a certificate to the untrusted certificate store, which might result in security tools being disabled. The detection is made by focusing on process activities and command-line arguments that are related to the 'certutil -addstore' command. This detection is important because it helps to identify attackers who might add a certificate to the untrusted certificate store to disable security tools and gain unauthorized access to a system. False positives might occur since legitimate reasons might exist for a process to add a certificate to the untrusted certificate store, such as system administration tasks. Next steps include conducting an extensive triage and investigation prior to taking any action. Additionally, you must understand the importance of trust and its subversion in system security. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1553.004", "T1553"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects whether a process is attempting to add a certificate to the untrusted certificate store, which might result in security tools being disabled. The detection is made by focusing on process activities and command-line arguments that are related to the 'certutil -addstore' command. This detection is important because it helps to identify attackers who might add a certificate to the untrusted certificate store to disable security tools and gain unauthorized access to a system. False positives might occur since legitimate reasons might exist for a process to add a certificate to the untrusted certificate store, such as system administration tasks. Next steps include conducting an extensive triage and investigation prior to taking any action. Additionally, you must understand the importance of trust and its subversion in system security. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = There may be legitimate reasons for administrators to add a certificate to the untrusted certificate store. In such cases, this will typically be done on a large number of systems. -action.escu.creation_date = 2021-09-16 -action.escu.modification_date = 2021-09-16 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Attempt To Add Certificate To Untrusted Store - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Disabling Security Tools"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified attempting to add a certificate to the store on endpoint $dest$ by user $user$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 35}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 35}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 35}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 35}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Attempt To Add Certificate To Untrusted Store - Rule -action.correlationsearch.annotations = {"analytic_story": ["Disabling Security Tools"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1553.004", "T1553"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "6bc5243e-ef36-45dc-9b12-f4a6be131159", "detection_version": "7"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects whether a process is attempting to add a certificate to the untrusted certificate store, which might result in security tools being disabled. The detection is made by focusing on process activities and command-line arguments that are related to the 'certutil -addstore' command. This detection is important because it helps to identify attackers who might add a certificate to the untrusted certificate store to disable security tools and gain unauthorized access to a system. False positives might occur since legitimate reasons might exist for a process to add a certificate to the untrusted certificate store, such as system administration tasks. Next steps include conducting an extensive triage and investigation prior to taking any action. Additionally, you must understand the importance of trust and its subversion in system security. -action.notable.param.rule_title = Attempt To Add Certificate To Untrusted Store -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` (Processes.process=*-addstore*) by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `attempt_to_add_certificate_to_untrusted_store_filter` - -[ESCU - Attempt To Stop Security Service - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects attempts to stop security-related services on the endpoint and helps to mitigate potential threats earlier, thereby minimizing the impact on the organization's security. The detection is made by using a Splunk query that searches for processes that involve the "sc.exe" command and include the phrase "stop" in their command. The query collects information such as the process name, process ID, parent process, user, destination, and timestamps. The detection is important because attempts to stop security-related services can indicate malicious activity or an attacker's attempt to disable security measures. This can impact the organization's security posture and can lead to the compromise of the endpoint and potentially the entire network. Disabling security services can allow attackers to gain unauthorized access, exfiltrate sensitive data, or launch further attacks, such as malware installation or privilege escalation. False positives might occur since there might be legitimate reasons for stopping these services in certain situations. Therefore, you must exercise caution and consider the context of the activity before taking any action. Next steps include reviewing the identified process and its associated details. You must also investigate any on-disk artifacts related to the process and review concurrent processes to determine the source of the attack. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects attempts to stop security-related services on the endpoint and helps to mitigate potential threats earlier, thereby minimizing the impact on the organization's security. The detection is made by using a Splunk query that searches for processes that involve the "sc.exe" command and include the phrase "stop" in their command. The query collects information such as the process name, process ID, parent process, user, destination, and timestamps. The detection is important because attempts to stop security-related services can indicate malicious activity or an attacker's attempt to disable security measures. This can impact the organization's security posture and can lead to the compromise of the endpoint and potentially the entire network. Disabling security services can allow attackers to gain unauthorized access, exfiltrate sensitive data, or launch further attacks, such as malware installation or privilege escalation. False positives might occur since there might be legitimate reasons for stopping these services in certain situations. Therefore, you must exercise caution and consider the context of the activity before taking any action. Next steps include reviewing the identified process and its associated details. You must also investigate any on-disk artifacts related to the process and review concurrent processes to determine the source of the attack. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = None identified. Attempts to disable security-related services should be identified and understood. -action.escu.creation_date = 2023-06-13 -action.escu.modification_date = 2023-06-13 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Attempt To Stop Security Service - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Azorult", "Data Destruction", "Disabling Security Tools", "Graceful Wipe Out Attack", "Trickbot", "WhisperGate"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified attempting to disable security services on endpoint $dest$ by user $user$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 20}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 20}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 20}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 20}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Attempt To Stop Security Service - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azorult", "Data Destruction", "Disabling Security Tools", "Graceful Wipe Out Attack", "Trickbot", "WhisperGate"], "cis20": ["CIS 10"], "confidence": 50, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c8e349c6-b97c-486e-8949-bd7bcd1f3910", "detection_version": "4"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects attempts to stop security-related services on the endpoint and helps to mitigate potential threats earlier, thereby minimizing the impact on the organization's security. The detection is made by using a Splunk query that searches for processes that involve the "sc.exe" command and include the phrase "stop" in their command. The query collects information such as the process name, process ID, parent process, user, destination, and timestamps. The detection is important because attempts to stop security-related services can indicate malicious activity or an attacker's attempt to disable security measures. This can impact the organization's security posture and can lead to the compromise of the endpoint and potentially the entire network. Disabling security services can allow attackers to gain unauthorized access, exfiltrate sensitive data, or launch further attacks, such as malware installation or privilege escalation. False positives might occur since there might be legitimate reasons for stopping these services in certain situations. Therefore, you must exercise caution and consider the context of the activity before taking any action. Next steps include reviewing the identified process and its associated details. You must also investigate any on-disk artifacts related to the process and review concurrent processes to determine the source of the attack. -action.notable.param.rule_title = Attempt To Stop Security Service -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` OR Processes.process_name = sc.exe Processes.process="* stop *" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |lookup security_services_lookup service as process OUTPUTNEW category, description | search category=security | `attempt_to_stop_security_service_filter` - -[ESCU - Attempted Credential Dump From Registry via Reg exe - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the execution of reg.exe with parameters that export registry keys containing hashed credentials. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving reg.exe or cmd.exe with specific registry paths. This activity is significant because exporting these keys can allow attackers to obtain hashed credentials, which they may attempt to crack offline. If confirmed malicious, this could lead to unauthorized access to sensitive accounts, enabling further compromise and lateral movement within the network. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the execution of reg.exe with parameters that export registry keys containing hashed credentials. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving reg.exe or cmd.exe with specific registry paths. This activity is significant because exporting these keys can allow attackers to obtain hashed credentials, which they may attempt to crack offline. If confirmed malicious, this could lead to unauthorized access to sensitive accounts, enabling further compromise and lateral movement within the network. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = None identified. -action.escu.creation_date = 2024-05-19 -action.escu.modification_date = 2024-05-19 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Attempted Credential Dump From Registry via Reg exe - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["CISA AA23-347A", "Credential Dumping", "DarkSide Ransomware", "Data Destruction", "Industroyer2", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to export the registry keys. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 90}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 90}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 90}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 90}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Attempted Credential Dump From Registry via Reg exe - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A", "Credential Dumping", "DarkSide Ransomware", "Data Destruction", "Industroyer2", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e9fb4a59-c5fb-440a-9f24-191fbc6b2911", "detection_version": "8"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the execution of reg.exe with parameters that export registry keys containing hashed credentials. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving reg.exe or cmd.exe with specific registry paths. This activity is significant because exporting these keys can allow attackers to obtain hashed credentials, which they may attempt to crack offline. If confirmed malicious, this could lead to unauthorized access to sensitive accounts, enabling further compromise and lateral movement within the network. -action.notable.param.rule_title = Attempted Credential Dump From Registry via Reg exe -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=reg* OR Processes.process_name=cmd* Processes.process=*save* (Processes.process=*HKEY_LOCAL_MACHINE\\Security* OR Processes.process=*HKEY_LOCAL_MACHINE\\SAM* OR Processes.process=*HKEY_LOCAL_MACHINE\\System* OR Processes.process=*HKLM\\Security* OR Processes.process=*HKLM\\System* OR Processes.process=*HKLM\\SAM*) by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `attempted_credential_dump_from_registry_via_reg_exe_filter` - -[ESCU - Auto Admin Logon Registry Entry - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = this search is to detect a suspicious registry modification to implement auto admin logon to a host. This technique was seen in BlackMatter ransomware to automatically logon to the compromise host after triggering a safemode boot to continue encrypting the whole network. This behavior is not a common practice and really a suspicious TTP or alert need to be consider if found within then network premise. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.002", "T1552"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = this search is to detect a suspicious registry modification to implement auto admin logon to a host. This technique was seen in BlackMatter ransomware to automatically logon to the compromise host after triggering a safemode boot to continue encrypting the whole network. This behavior is not a common practice and really a suspicious TTP or alert need to be consider if found within then network premise. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-04-11 -action.escu.modification_date = 2023-04-11 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Auto Admin Logon Registry Entry - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["BlackMatter Ransomware", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = modified registry key $registry_key_name$ with registry value $registry_value_name$ to prepare autoadminlogon -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Auto Admin Logon Registry Entry - Rule -action.correlationsearch.annotations = {"analytic_story": ["BlackMatter Ransomware", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.002", "T1552"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "1379d2b8-0f18-11ec-8ca3-acde48001122", "detection_version": "4"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = this search is to detect a suspicious registry modification to implement auto admin logon to a host. This technique was seen in BlackMatter ransomware to automatically logon to the compromise host after triggering a safemode boot to continue encrypting the whole network. This behavior is not a common practice and really a suspicious TTP or alert need to be consider if found within then network premise. -action.notable.param.rule_title = Auto Admin Logon Registry Entry -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*" AND Registry.registry_value_name=AutoAdminLogon AND Registry.registry_value_data=1) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `auto_admin_logon_registry_entry_filter` - -[ESCU - Batch File Write to System32 - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the creation of a batch file (.bat) within the Windows system directory tree, specifically in the System32 or SysWOW64 folders. It leverages data from the Endpoint datamodel, focusing on process and filesystem events to identify this behavior. This activity is significant because writing batch files to system directories can be indicative of malicious intent, such as persistence mechanisms or system manipulation. If confirmed malicious, this could allow an attacker to execute arbitrary commands with elevated privileges, potentially compromising the entire system. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204", "T1204.002"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the creation of a batch file (.bat) within the Windows system directory tree, specifically in the System32 or SysWOW64 folders. It leverages data from the Endpoint datamodel, focusing on process and filesystem events to identify this behavior. This activity is significant because writing batch files to system directories can be indicative of malicious intent, such as persistence mechanisms or system manipulation. If confirmed malicious, this could allow an attacker to execute arbitrary commands with elevated privileges, potentially compromising the entire system. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -action.escu.known_false_positives = It is possible for this search to generate a notable event for a batch file write to a path that includes the string "system32", but is not the actual Windows system directory. As such, you should confirm the path of the batch file identified by the search. In addition, a false positive may be generated by an administrator copying a legitimate batch file in this directory tree. You should confirm that the activity is legitimate and modify the search to add exclusions, as necessary. -action.escu.creation_date = 2024-05-19 -action.escu.modification_date = 2024-05-19 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Batch File Write to System32 - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["SamSam Ransomware"] -action.risk = 1 -action.risk.param._risk_message = A file - $file_name$ was written to system32 has occurred on endpoint $dest$ by user $user$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 63}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}, {"risk_object_field": "file_name", "risk_object_type": "other", "risk_score": 63}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Batch File Write to System32 - Rule -action.correlationsearch.annotations = {"analytic_story": ["SamSam Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204", "T1204.002"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "503d17cb-9eab-4cf8-a20e-01d5c6987ae3", "detection_version": "5"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the creation of a batch file (.bat) within the Windows system directory tree, specifically in the System32 or SysWOW64 folders. It leverages data from the Endpoint datamodel, focusing on process and filesystem events to identify this behavior. This activity is significant because writing batch files to system directories can be indicative of malicious intent, such as persistence mechanisms or system manipulation. If confirmed malicious, this could allow an attacker to execute arbitrary commands with elevated privileges, potentially compromising the entire system. -action.notable.param.rule_title = Batch File Write to System32 -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=* by _time span=1h Processes.process_guid Processes.process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | join process_guid [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*\\system32\\*", "*\\syswow64\\*") Filesystem.file_name="*.bat" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)`] | table dest user file_create_time, file_name, file_path, process_name, firstTime, lastTime | dedup file_create_time | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `batch_file_write_to_system32_filter` - -[ESCU - Bcdedit Command Back To Normal Mode Boot - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search is to detect a suspicious bcdedit commandline to configure the host from safe mode back to normal boot configuration. This technique was seen in blackMatter ransomware where it force the compromised host to boot in safe mode to continue its encryption and bring back to normal boot using bcdedit deletevalue command. This TTP can be a good alert for host that booted from safe mode forcefully since it need to modify the boot configuration to bring it back to normal. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search is to detect a suspicious bcdedit commandline to configure the host from safe mode back to normal boot configuration. This technique was seen in blackMatter ransomware where it force the compromised host to boot in safe mode to continue its encryption and bring back to normal boot using bcdedit deletevalue command. This TTP can be a good alert for host that booted from safe mode forcefully since it need to modify the boot configuration to bring it back to normal. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2021-09-06 -action.escu.modification_date = 2021-09-06 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Bcdedit Command Back To Normal Mode Boot - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["BlackMatter Ransomware"] -action.risk = 1 -action.risk.param._risk_message = bcdedit process with commandline $process$ to bring back to normal boot configuration the $dest$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 35}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 35}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Bcdedit Command Back To Normal Mode Boot - Rule -action.correlationsearch.annotations = {"analytic_story": ["BlackMatter Ransomware"], "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "dc7a8004-0f18-11ec-8c54-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search is to detect a suspicious bcdedit commandline to configure the host from safe mode back to normal boot configuration. This technique was seen in blackMatter ransomware where it force the compromised host to boot in safe mode to continue its encryption and bring back to normal boot using bcdedit deletevalue command. This TTP can be a good alert for host that booted from safe mode forcefully since it need to modify the boot configuration to bring it back to normal. -action.notable.param.rule_title = Bcdedit Command Back To Normal Mode Boot -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = bcdedit.exe Processes.process="*/deletevalue*" Processes.process="*{current}*" Processes.process="*safeboot*" by Processes.process_name Processes.process Processes.parent_process_name Processes.dest Processes.user |`drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `bcdedit_command_back_to_normal_mode_boot_filter` - -[ESCU - BCDEdit Failure Recovery Modification - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects modifications to the Windows error recovery boot configurations using bcdedit.exe with flags such as "recoveryenabled" and "no". It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This activity is significant because ransomware often disables recovery options to prevent system restoration, making it crucial for SOC analysts to investigate. If confirmed malicious, this could hinder recovery efforts, allowing ransomware to cause extensive damage and complicate remediation. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects modifications to the Windows error recovery boot configurations using bcdedit.exe with flags such as "recoveryenabled" and "no". It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This activity is significant because ransomware often disables recovery options to prevent system restoration, making it crucial for SOC analysts to investigate. If confirmed malicious, this could hinder recovery efforts, allowing ransomware to cause extensive damage and complicate remediation. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators may modify the boot configuration. -action.escu.creation_date = 2024-05-15 -action.escu.modification_date = 2024-05-15 -action.escu.confidence = high -action.escu.full_search_name = ESCU - BCDEdit Failure Recovery Modification - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Ransomware", "Ryuk Ransomware"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting disable the ability to recover the endpoint. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - BCDEdit Failure Recovery Modification - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Ryuk Ransomware"], "cis20": ["CIS 10"], "confidence": 80, "impact": 100, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "809b31d2-5462-11eb-ae93-0242ac130002", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects modifications to the Windows error recovery boot configurations using bcdedit.exe with flags such as "recoveryenabled" and "no". It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This activity is significant because ransomware often disables recovery options to prevent system restoration, making it crucial for SOC analysts to investigate. If confirmed malicious, this could hinder recovery efforts, allowing ransomware to cause extensive damage and complicate remediation. -action.notable.param.rule_title = BCDEdit Failure Recovery Modification -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = bcdedit.exe Processes.process="*recoveryenabled*" (Processes.process="* no*") by Processes.process_name Processes.process Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `bcdedit_failure_recovery_modification_filter` - -[ESCU - BITS Job Persistence - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following query identifies Microsoft Background Intelligent Transfer Service utility `bitsadmin.exe` scheduling a BITS job to persist on an endpoint. The query identifies the parameters used to create, resume or add a file to a BITS job. Typically seen combined in a oneliner or ran in sequence. If identified, review the BITS job created and capture any files written to disk. It is possible for BITS to be used to upload files and this may require further network data analysis to identify. You can use `bitsadmin /list /verbose` to list out the jobs during investigation. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1197"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following query identifies Microsoft Background Intelligent Transfer Service utility `bitsadmin.exe` scheduling a BITS job to persist on an endpoint. The query identifies the parameters used to create, resume or add a file to a BITS job. Typically seen combined in a oneliner or ran in sequence. If identified, review the BITS job created and capture any files written to disk. It is possible for BITS to be used to upload files and this may require further network data analysis to identify. You can use `bitsadmin /list /verbose` to list out the jobs during investigation. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Limited false positives will be present. Typically, applications will use `BitsAdmin.exe`. Any filtering should be done based on command-line arguments (legitimate applications) or parent process. -action.escu.creation_date = 2021-09-16 -action.escu.modification_date = 2021-09-16 -action.escu.confidence = high -action.escu.full_search_name = ESCU - BITS Job Persistence - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["BITS Jobs", "Living Off The Land"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to persist using BITS. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 56}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 56}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 56}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - BITS Job Persistence - Rule -action.correlationsearch.annotations = {"analytic_story": ["BITS Jobs", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1197"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e97a5ffe-90bf-11eb-928a-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following query identifies Microsoft Background Intelligent Transfer Service utility `bitsadmin.exe` scheduling a BITS job to persist on an endpoint. The query identifies the parameters used to create, resume or add a file to a BITS job. Typically seen combined in a oneliner or ran in sequence. If identified, review the BITS job created and capture any files written to disk. It is possible for BITS to be used to upload files and this may require further network data analysis to identify. You can use `bitsadmin /list /verbose` to list out the jobs during investigation. -action.notable.param.rule_title = BITS Job Persistence -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_bitsadmin` Processes.process IN (*create*, *addfile*, *setnotifyflags*, *setnotifycmdline*, *setminretrydelay*, *setcustomheaders*, *resume* ) by Processes.dest Processes.user Processes.original_file_name Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `bits_job_persistence_filter` - -[ESCU - BITSAdmin Download File - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following query identifies Microsoft Background Intelligent Transfer Service utility `bitsadmin.exe` using the `transfer` parameter to download a remote object. In addition, look for `download` or `upload` on the command-line, the switches are not required to perform a transfer. Capture any files downloaded. Review the reputation of the IP or domain used. Typically once executed, a follow on command will be used to execute the dropped file. Note that the network connection or file modification events related will not spawn or create from `bitsadmin.exe`, but the artifacts will appear in a parallel process of `svchost.exe` with a command-line similar to `svchost.exe -k netsvcs -s BITS`. It's important to review all parallel and child processes to capture any behaviors and artifacts. In some suspicious and malicious instances, BITS jobs will be created. You can use `bitsadmin /list /verbose` to list out the jobs during investigation. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control", "Exploitation", "Installation"], "mitre_attack": ["T1197", "T1105"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following query identifies Microsoft Background Intelligent Transfer Service utility `bitsadmin.exe` using the `transfer` parameter to download a remote object. In addition, look for `download` or `upload` on the command-line, the switches are not required to perform a transfer. Capture any files downloaded. Review the reputation of the IP or domain used. Typically once executed, a follow on command will be used to execute the dropped file. Note that the network connection or file modification events related will not spawn or create from `bitsadmin.exe`, but the artifacts will appear in a parallel process of `svchost.exe` with a command-line similar to `svchost.exe -k netsvcs -s BITS`. It's important to review all parallel and child processes to capture any behaviors and artifacts. In some suspicious and malicious instances, BITS jobs will be created. You can use `bitsadmin /list /verbose` to list out the jobs during investigation. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Limited false positives, however it may be required to filter based on parent process name or network connection. -action.escu.creation_date = 2022-11-29 -action.escu.modification_date = 2022-11-29 -action.escu.confidence = high -action.escu.full_search_name = ESCU - BITSAdmin Download File - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["BITS Jobs", "DarkSide Ransomware", "Flax Typhoon", "Ingress Tool Transfer", "Living Off The Land"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to download a file. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 49}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - BITSAdmin Download File - Rule -action.correlationsearch.annotations = {"analytic_story": ["BITS Jobs", "DarkSide Ransomware", "Flax Typhoon", "Ingress Tool Transfer", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Command and Control", "Exploitation", "Installation"], "mitre_attack": ["T1197", "T1105"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "80630ff4-8e4c-11eb-aab5-acde48001122", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following query identifies Microsoft Background Intelligent Transfer Service utility `bitsadmin.exe` using the `transfer` parameter to download a remote object. In addition, look for `download` or `upload` on the command-line, the switches are not required to perform a transfer. Capture any files downloaded. Review the reputation of the IP or domain used. Typically once executed, a follow on command will be used to execute the dropped file. Note that the network connection or file modification events related will not spawn or create from `bitsadmin.exe`, but the artifacts will appear in a parallel process of `svchost.exe` with a command-line similar to `svchost.exe -k netsvcs -s BITS`. It's important to review all parallel and child processes to capture any behaviors and artifacts. In some suspicious and malicious instances, BITS jobs will be created. You can use `bitsadmin /list /verbose` to list out the jobs during investigation. -action.notable.param.rule_title = BITSAdmin Download File -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_bitsadmin` Processes.process IN ("*transfer*", "*addfile*") by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `bitsadmin_download_file_filter` - -[ESCU - CertUtil Download With URLCache and Split Arguments - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = Certutil.exe may download a file from a remote destination using `-urlcache`. This behavior does require a URL to be passed on the command-line. In addition, `-f` (force) and `-split` (Split embedded ASN.1 elements, and save to files) will be used. It is not entirely common for `certutil.exe` to contact public IP space. However, it is uncommon for `certutil.exe` to write files to world writeable paths. During triage, capture any files on disk and review. Review the reputation of the remote IP or domain in question. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = Certutil.exe may download a file from a remote destination using `-urlcache`. This behavior does require a URL to be passed on the command-line. In addition, `-f` (force) and `-split` (Split embedded ASN.1 elements, and save to files) will be used. It is not entirely common for `certutil.exe` to contact public IP space. However, it is uncommon for `certutil.exe` to write files to world writeable paths. During triage, capture any files on disk and review. Review the reputation of the remote IP or domain in question. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Limited false positives in most environments, however tune as needed based on parent-child relationship or network connection. -action.escu.creation_date = 2022-02-03 -action.escu.modification_date = 2022-02-03 -action.escu.confidence = high -action.escu.full_search_name = ESCU - CertUtil Download With URLCache and Split Arguments - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["CISA AA22-277A", "DarkSide Ransomware", "Flax Typhoon", "Forest Blizzard", "Ingress Tool Transfer", "Living Off The Land", "ProxyNotShell"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to download a file. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 90}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 90}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 90}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 90}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - CertUtil Download With URLCache and Split Arguments - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA22-277A", "DarkSide Ransomware", "Flax Typhoon", "Forest Blizzard", "Ingress Tool Transfer", "Living Off The Land", "ProxyNotShell"], "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "415b4306-8bfb-11eb-85c4-acde48001122", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = Certutil.exe may download a file from a remote destination using `-urlcache`. This behavior does require a URL to be passed on the command-line. In addition, `-f` (force) and `-split` (Split embedded ASN.1 elements, and save to files) will be used. It is not entirely common for `certutil.exe` to contact public IP space. However, it is uncommon for `certutil.exe` to write files to world writeable paths. During triage, capture any files on disk and review. Review the reputation of the remote IP or domain in question. -action.notable.param.rule_title = CertUtil Download With URLCache and Split Arguments -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` (Processes.process=*urlcache* Processes.process=*split*) OR Processes.process=*urlcache* by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.original_file_name Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `certutil_download_with_urlcache_and_split_arguments_filter` - -[ESCU - CertUtil Download With VerifyCtl and Split Arguments - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = Certutil.exe may download a file from a remote destination using `-VerifyCtl`. This behavior does require a URL to be passed on the command-line. In addition, `-f` (force) and `-split` (Split embedded ASN.1 elements, and save to files) will be used. It is not entirely common for `certutil.exe` to contact public IP space. \ During triage, capture any files on disk and review. Review the reputation of the remote IP or domain in question. Using `-VerifyCtl`, the file will either be written to the current working directory or `%APPDATA%\..\LocalLow\Microsoft\CryptnetUrlCache\Content\`. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = Certutil.exe may download a file from a remote destination using `-VerifyCtl`. This behavior does require a URL to be passed on the command-line. In addition, `-f` (force) and `-split` (Split embedded ASN.1 elements, and save to files) will be used. It is not entirely common for `certutil.exe` to contact public IP space. \ During triage, capture any files on disk and review. Review the reputation of the remote IP or domain in question. Using `-VerifyCtl`, the file will either be written to the current working directory or `%APPDATA%\..\LocalLow\Microsoft\CryptnetUrlCache\Content\`. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Limited false positives in most environments, however tune as needed based on parent-child relationship or network connection. -action.escu.creation_date = 2022-02-03 -action.escu.modification_date = 2022-02-03 -action.escu.confidence = high -action.escu.full_search_name = ESCU - CertUtil Download With VerifyCtl and Split Arguments - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["DarkSide Ransomware", "Ingress Tool Transfer", "Living Off The Land"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to download a file. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 90}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 90}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 90}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 90}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - CertUtil Download With VerifyCtl and Split Arguments - Rule -action.correlationsearch.annotations = {"analytic_story": ["DarkSide Ransomware", "Ingress Tool Transfer", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "801ad9e4-8bfb-11eb-8b31-acde48001122", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = Certutil.exe may download a file from a remote destination using `-VerifyCtl`. This behavior does require a URL to be passed on the command-line. In addition, `-f` (force) and `-split` (Split embedded ASN.1 elements, and save to files) will be used. It is not entirely common for `certutil.exe` to contact public IP space. \ During triage, capture any files on disk and review. Review the reputation of the remote IP or domain in question. Using `-VerifyCtl`, the file will either be written to the current working directory or `%APPDATA%\..\LocalLow\Microsoft\CryptnetUrlCache\Content\`. -action.notable.param.rule_title = CertUtil Download With VerifyCtl and Split Arguments -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` (Processes.process=*verifyctl* Processes.process=*split*) OR Processes.process=*verifyctl* by Processes.dest Processes.user Processes.original_file_name Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `certutil_download_with_verifyctl_and_split_arguments_filter` - -[ESCU - Certutil exe certificate extraction - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the use of certutil.exe with arguments indicating the manipulation or extraction of certificates. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because extracting certificates can allow attackers to sign new authentication tokens, particularly in federated environments like Windows ADFS. If confirmed malicious, this could enable attackers to forge authentication tokens, potentially leading to unauthorized access and privilege escalation within the network. -action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the use of certutil.exe with arguments indicating the manipulation or extraction of certificates. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because extracting certificates can allow attackers to sign new authentication tokens, particularly in federated environments like Windows ADFS. If confirmed malicious, this could enable attackers to forge authentication tokens, potentially leading to unauthorized access and privilege escalation within the network. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Unless there are specific use cases, manipulating or exporting certificates using certutil is uncommon. Extraction of certificate has been observed during attacks such as Golden SAML and other campaigns targeting Federated services. -action.escu.creation_date = 2024-05-16 -action.escu.modification_date = 2024-05-16 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Certutil exe certificate extraction - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Cloud Federated Credential Abuse", "Living Off The Land", "Windows Certificate Services", "Windows Persistence Techniques"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting export a certificate. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 63}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 63}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 63}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Certutil exe certificate extraction - Rule -action.correlationsearch.annotations = {"analytic_story": ["Cloud Federated Credential Abuse", "Living Off The Land", "Windows Certificate Services", "Windows Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "337a46be-600f-11eb-ae93-0242ac130002", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the use of certutil.exe with arguments indicating the manipulation or extraction of certificates. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because extracting certificates can allow attackers to sign new authentication tokens, particularly in federated environments like Windows ADFS. If confirmed malicious, this could enable attackers to forge authentication tokens, potentially leading to unauthorized access and privilege escalation within the network. -action.notable.param.rule_title = Certutil exe certificate extraction -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=certutil.exe Processes.process = "*-exportPFX*" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `certutil_exe_certificate_extraction_filter` - -[ESCU - CertUtil With Decode Argument - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = CertUtil.exe may be used to `encode` and `decode` a file, including PE and script code. Encoding will convert a file to base64 with `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` tags. Malicious usage will include decoding a encoded file that was downloaded. Once decoded, it will be loaded by a parallel process. Note that there are two additional command switches that may be used - `encodehex` and `decodehex`. Similarly, the file will be encoded in HEX and later decoded for further execution. During triage, identify the source of the file being decoded. Review its contents or execution behavior for further analysis. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1140"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = CertUtil.exe may be used to `encode` and `decode` a file, including PE and script code. Encoding will convert a file to base64 with `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` tags. Malicious usage will include decoding a encoded file that was downloaded. Once decoded, it will be loaded by a parallel process. Note that there are two additional command switches that may be used - `encodehex` and `decodehex`. Similarly, the file will be encoded in HEX and later decoded for further execution. During triage, identify the source of the file being decoded. Review its contents or execution behavior for further analysis. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Typically seen used to `encode` files, but it is possible to see legitimate use of `decode`. Filter based on parent-child relationship, file paths, endpoint or user. -action.escu.creation_date = 2021-03-23 -action.escu.modification_date = 2021-03-23 -action.escu.confidence = high -action.escu.full_search_name = ESCU - CertUtil With Decode Argument - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["APT29 Diplomatic Deceptions with WINELOADER", "Deobfuscate-Decode Files or Information", "Forest Blizzard", "Living Off The Land"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to decode a file. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 40}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 40}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 40}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 40}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - CertUtil With Decode Argument - Rule -action.correlationsearch.annotations = {"analytic_story": ["APT29 Diplomatic Deceptions with WINELOADER", "Deobfuscate-Decode Files or Information", "Forest Blizzard", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1140"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "bfe94226-8c10-11eb-a4b3-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = CertUtil.exe may be used to `encode` and `decode` a file, including PE and script code. Encoding will convert a file to base64 with `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` tags. Malicious usage will include decoding a encoded file that was downloaded. Once decoded, it will be loaded by a parallel process. Note that there are two additional command switches that may be used - `encodehex` and `decodehex`. Similarly, the file will be encoded in HEX and later decoded for further execution. During triage, identify the source of the file being decoded. Review its contents or execution behavior for further analysis. -action.notable.param.rule_title = CertUtil With Decode Argument -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` Processes.process=*decode* by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `certutil_with_decode_argument_filter` - -[ESCU - Change Default File Association - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is developed to detect suspicious registry modification to change the default file association of windows to malicious payload. This technique was seen in some APT where it modify the default process to run file association, like .txt to notepad.exe. Instead notepad.exe it will point to a Script or other payload that will load malicious commands to the compromised host. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1546.001", "T1546"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is developed to detect suspicious registry modification to change the default file association of windows to malicious payload. This technique was seen in some APT where it modify the default process to run file association, like .txt to notepad.exe. Instead notepad.exe it will point to a Script or other payload that will load malicious commands to the compromised host. -action.escu.how_to_implement = To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-04-14 -action.escu.modification_date = 2023-04-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Change Default File Association - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Data Destruction", "Hermetic Wiper", "Prestige Ransomware", "Windows Persistence Techniques", "Windows Privilege Escalation", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = Registry path $registry_path$ was modified, added, or deleted in $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Change Default File Association - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Prestige Ransomware", "Windows Persistence Techniques", "Windows Privilege Escalation", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1546.001", "T1546"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "462d17d8-1f71-11ec-ad07-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic is developed to detect suspicious registry modification to change the default file association of windows to malicious payload. This technique was seen in some APT where it modify the default process to run file association, like .txt to notepad.exe. Instead notepad.exe it will point to a Script or other payload that will load malicious commands to the compromised host. -action.notable.param.rule_title = Change Default File Association -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path ="*\\shell\\open\\command\\*" Registry.registry_path = "*HKCR\\*" by Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `change_default_file_association_filter` - -[ESCU - Change To Safe Mode With Network Config - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search is to detect a suspicious bcdedit commandline to configure the host to boot in safe mode with network config. This technique was seen in blackMatter ransomware where it force the compromised host to boot in safe mode to continue its encryption and bring back to normal boot using bcdedit deletevalue command. This TTP can be a good alert for host that booted from safe mode forcefully since it need to modify the boot configuration to bring it back to normal. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search is to detect a suspicious bcdedit commandline to configure the host to boot in safe mode with network config. This technique was seen in blackMatter ransomware where it force the compromised host to boot in safe mode to continue its encryption and bring back to normal boot using bcdedit deletevalue command. This TTP can be a good alert for host that booted from safe mode forcefully since it need to modify the boot configuration to bring it back to normal. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2021-09-06 -action.escu.modification_date = 2021-09-06 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Change To Safe Mode With Network Config - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["BlackMatter Ransomware"] -action.risk = 1 -action.risk.param._risk_message = bcdedit process with commandline $process$ to force safemode boot the $dest$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Change To Safe Mode With Network Config - Rule -action.correlationsearch.annotations = {"analytic_story": ["BlackMatter Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "81f1dce0-0f18-11ec-a5d7-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search is to detect a suspicious bcdedit commandline to configure the host to boot in safe mode with network config. This technique was seen in blackMatter ransomware where it force the compromised host to boot in safe mode to continue its encryption and bring back to normal boot using bcdedit deletevalue command. This TTP can be a good alert for host that booted from safe mode forcefully since it need to modify the boot configuration to bring it back to normal. -action.notable.param.rule_title = Change To Safe Mode With Network Config -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = bcdedit.exe Processes.process="*/set*" Processes.process="*{current}*" Processes.process="*safeboot*" Processes.process="*network*" by Processes.process_name Processes.process Processes.parent_process_name Processes.dest Processes.user |`drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `change_to_safe_mode_with_network_config_filter` - -[ESCU - CHCP Command Execution - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search is to detect execution of chcp.exe application. this utility is used to change the active code page of the console. This technique was seen in icedid malware to know the locale region/language/country of the compromise host. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search is to detect execution of chcp.exe application. this utility is used to change the active code page of the console. This technique was seen in icedid malware to know the locale region/language/country of the compromise host. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = other tools or script may used this to change code page to UTF-* or others -action.escu.creation_date = 2021-07-27 -action.escu.modification_date = 2021-07-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - CHCP Command Execution - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Azorult", "Forest Blizzard", "IcedID"] -action.risk = 1 -action.risk.param._risk_message = parent process $parent_process_name$ spawning chcp process $process_name$ with parent command line $parent_process$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 9}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 9}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - CHCP Command Execution - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azorult", "Forest Blizzard", "IcedID"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "21d236ec-eec1-11eb-b23e-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search is to detect execution of chcp.exe application. this utility is used to change the active code page of the console. This technique was seen in icedid malware to know the locale region/language/country of the compromise host. -action.notable.param.rule_title = CHCP Command Execution -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=chcp.com Processes.parent_process_name = cmd.exe (Processes.parent_process=*/c* OR Processes.parent_process=*/k*) by Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `chcp_command_execution_filter` - -[ESCU - Check Elevated CMD using whoami - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search is to detect a suspicious whoami execution to check if the cmd or shell instance process is with elevated privileges. This technique was seen in FIN7 js implant where it execute this as part of its data collection to the infected machine to check if the running shell cmd process is elevated or not. This TTP is really a good alert for known attacker that recon on the targetted host. This command is not so commonly executed by a normal user or even an admin to check if a process is elevated. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search is to detect a suspicious whoami execution to check if the cmd or shell instance process is with elevated privileges. This technique was seen in FIN7 js implant where it execute this as part of its data collection to the infected machine to check if the running shell cmd process is elevated or not. This TTP is really a good alert for known attacker that recon on the targetted host. This command is not so commonly executed by a normal user or even an admin to check if a process is elevated. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2021-09-15 -action.escu.modification_date = 2021-09-15 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Check Elevated CMD using whoami - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["FIN7"] -action.risk = 1 -action.risk.param._risk_message = Process name $process_name$ with commandline $process$ in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 56}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Check Elevated CMD using whoami - Rule -action.correlationsearch.annotations = {"analytic_story": ["FIN7"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a9079b18-1633-11ec-859c-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search is to detect a suspicious whoami execution to check if the cmd or shell instance process is with elevated privileges. This technique was seen in FIN7 js implant where it execute this as part of its data collection to the infected machine to check if the running shell cmd process is elevated or not. This TTP is really a good alert for known attacker that recon on the targetted host. This command is not so commonly executed by a normal user or even an admin to check if a process is elevated. -action.notable.param.rule_title = Check Elevated CMD using whoami -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = "*whoami*" Processes.process = "*/group*" Processes.process = "* find *" Processes.process = "*12288*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `check_elevated_cmd_using_whoami_filter` - -[ESCU - Child Processes of Spoolsv exe - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies child processes spawned by spoolsv.exe, the Print Spooler service in Windows, which typically runs with SYSTEM privileges. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process relationships. Monitoring this activity is crucial as it can indicate exploitation attempts, such as those associated with CVE-2018-8440, which can lead to privilege escalation. If confirmed malicious, attackers could gain SYSTEM-level access, allowing them to execute arbitrary code, escalate privileges, and potentially compromise the entire system. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies child processes spawned by spoolsv.exe, the Print Spooler service in Windows, which typically runs with SYSTEM privileges. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process relationships. Monitoring this activity is crucial as it can indicate exploitation attempts, such as those associated with CVE-2018-8440, which can lead to privilege escalation. If confirmed malicious, attackers could gain SYSTEM-level access, allowing them to execute arbitrary code, escalate privileges, and potentially compromise the entire system. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Some legitimate printer-related processes may show up as children of spoolsv.exe. You should confirm that any activity as legitimate and may be added as exclusions in the search. -action.escu.creation_date = 2024-05-15 -action.escu.modification_date = 2024-05-15 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Child Processes of Spoolsv exe - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Data Destruction", "Hermetic Wiper", "Windows Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Child Processes of Spoolsv exe - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2018-8440"], "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "aa0c4aeb-5b18-41c4-8c07-f1442d7599df", "detection_version": "4"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies child processes spawned by spoolsv.exe, the Print Spooler service in Windows, which typically runs with SYSTEM privileges. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process relationships. Monitoring this activity is crucial as it can indicate exploitation attempts, such as those associated with CVE-2018-8440, which can lead to privilege escalation. If confirmed malicious, attackers could gain SYSTEM-level access, allowing them to execute arbitrary code, escalate privileges, and potentially compromise the entire system. -action.notable.param.rule_title = Child Processes of Spoolsv exe -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=spoolsv.exe AND Processes.process_name!=regsvr32.exe by Processes.dest Processes.parent_process Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `child_processes_of_spoolsv_exe_filter` - -[ESCU - Clear Unallocated Sector Using Cipher App - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the execution of `cipher.exe` with the `/w` flag to clear unallocated sectors on a disk. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, command-line arguments, and parent processes. This activity is significant because it is a technique used by ransomware to prevent forensic recovery of deleted files. If confirmed malicious, this action could hinder incident response efforts by making it impossible to recover critical data, thereby complicating the investigation and remediation process. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070.004", "T1070"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the execution of `cipher.exe` with the `/w` flag to clear unallocated sectors on a disk. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, command-line arguments, and parent processes. This activity is significant because it is a technique used by ransomware to prevent forensic recovery of deleted files. If confirmed malicious, this action could hinder incident response efforts by making it impossible to recover critical data, thereby complicating the investigation and remediation process. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = administrator may execute this app to manage disk -action.escu.creation_date = 2024-05-17 -action.escu.modification_date = 2024-05-17 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Clear Unallocated Sector Using Cipher App - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Ransomware"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to clear the unallocated sectors of a specific disk. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 90}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 90}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 90}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 90}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Clear Unallocated Sector Using Cipher App - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070.004", "T1070"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "cd80a6ac-c9d9-11eb-8839-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the execution of `cipher.exe` with the `/w` flag to clear unallocated sectors on a disk. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, command-line arguments, and parent processes. This activity is significant because it is a technique used by ransomware to prevent forensic recovery of deleted files. If confirmed malicious, this action could hinder incident response efforts by making it impossible to recover critical data, thereby complicating the investigation and remediation process. -action.notable.param.rule_title = Clear Unallocated Sector Using Cipher App -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "cipher.exe" Processes.process = "*/w:*" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `clear_unallocated_sector_using_cipher_app_filter` - -[ESCU - Clop Common Exec Parameter - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytics are designed to identifies some CLOP ransomware variant that using arguments to execute its main code or feature of its code. In this variant if the parameter is "runrun", CLOP ransomware will try to encrypt files in network shares and if it is "temp.dat", it will try to read from some stream pipe or file start encrypting files within the infected local machines. This technique can be also identified as an anti-sandbox technique to make its code non-responsive since it is waiting for some parameter to execute properly. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytics are designed to identifies some CLOP ransomware variant that using arguments to execute its main code or feature of its code. In this variant if the parameter is "runrun", CLOP ransomware will try to encrypt files in network shares and if it is "temp.dat", it will try to read from some stream pipe or file start encrypting files within the infected local machines. This technique can be also identified as an anti-sandbox technique to make its code non-responsive since it is waiting for some parameter to execute properly. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Operators can execute third party tools using these parameters. -action.escu.creation_date = 2023-03-17 -action.escu.modification_date = 2023-03-17 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Clop Common Exec Parameter - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Clop Ransomware"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting using arguments to execute its main code or feature of its code related to Clop ransomware. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 100}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 100}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 100}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 100}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Clop Common Exec Parameter - Rule -action.correlationsearch.annotations = {"analytic_story": ["Clop Ransomware"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "5a8a2a72-8322-11eb-9ee9-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytics are designed to identifies some CLOP ransomware variant that using arguments to execute its main code or feature of its code. In this variant if the parameter is "runrun", CLOP ransomware will try to encrypt files in network shares and if it is "temp.dat", it will try to read from some stream pipe or file start encrypting files within the infected local machines. This technique can be also identified as an anti-sandbox technique to make its code non-responsive since it is waiting for some parameter to execute properly. -action.notable.param.rule_title = Clop Common Exec Parameter -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name != "*temp.dat*" Processes.process = "*runrun*" OR Processes.process = "*temp.dat*" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `clop_common_exec_parameter_filter` - -[ESCU - Clop Ransomware Known Service Name - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This detection is to identify the common service name created by the CLOP ransomware as part of its persistence and high privilege code execution in the infected machine. Ussually CLOP ransomware use StartServiceCtrlDispatcherW API in creating this service entry. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1543"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This detection is to identify the common service name created by the CLOP ransomware as part of its persistence and high privilege code execution in the infected machine. Ussually CLOP ransomware use StartServiceCtrlDispatcherW API in creating this service entry. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2024-04-26 -action.escu.modification_date = 2024-04-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Clop Ransomware Known Service Name - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Clop Ransomware"] -action.risk = 1 -action.risk.param._risk_message = An instance of a known Clop Ransomware Service Name detected on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 100}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Clop Ransomware Known Service Name - Rule -action.correlationsearch.annotations = {"analytic_story": ["Clop Ransomware"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1543"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "07e08a12-870c-11eb-b5f9-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This detection is to identify the common service name created by the CLOP ransomware as part of its persistence and high privilege code execution in the infected machine. Ussually CLOP ransomware use StartServiceCtrlDispatcherW API in creating this service entry. -action.notable.param.rule_title = Clop Ransomware Known Service Name -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_system` EventCode=7045 ServiceName IN ("SecurityCenterIBM", "WinCheckDRVs") | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ServiceName StartType ServiceType | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `clop_ransomware_known_service_name_filter` - -[ESCU - CMD Carry Out String Command Parameter - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies command-line arguments where `cmd.exe /c` is used to execute a program. `cmd /c` is used to run commands in MS-DOS and terminate after command or process completion. This technique is commonly seen in adversaries and malware to execute batch command using different shell like PowerShell or different process other than `cmd.exe`. This is a good hunting query for suspicious command-line made by a script or relative process execute it. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.003", "T1059"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies command-line arguments where `cmd.exe /c` is used to execute a program. `cmd /c` is used to run commands in MS-DOS and terminate after command or process completion. This technique is commonly seen in adversaries and malware to execute batch command using different shell like PowerShell or different process other than `cmd.exe`. This is a good hunting query for suspicious command-line made by a script or relative process execute it. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives may be high based on legitimate scripted code in any environment. Filter as needed. -action.escu.creation_date = 2023-12-27 -action.escu.modification_date = 2023-12-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - CMD Carry Out String Command Parameter - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["AsyncRAT", "Azorult", "CISA AA23-347A", "Chaos Ransomware", "DarkCrystal RAT", "DarkGate Malware", "Data Destruction", "Hermetic Wiper", "IcedID", "Living Off The Land", "Log4Shell CVE-2021-44228", "NjRAT", "PlugX", "ProxyNotShell", "Qakbot", "RedLine Stealer", "Rhysida Ransomware", "Warzone RAT", "WhisperGate", "Winter Vivern"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - CMD Carry Out String Command Parameter - Rule -action.correlationsearch.annotations = {"analytic_story": ["AsyncRAT", "Azorult", "CISA AA23-347A", "Chaos Ransomware", "DarkCrystal RAT", "DarkGate Malware", "Data Destruction", "Hermetic Wiper", "IcedID", "Living Off The Land", "Log4Shell CVE-2021-44228", "NjRAT", "PlugX", "ProxyNotShell", "Qakbot", "RedLine Stealer", "Rhysida Ransomware", "Warzone RAT", "WhisperGate", "Winter Vivern"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2021-44228"], "impact": 60, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.003", "T1059"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "54a6ed00-3256-11ec-b031-acde48001122", "detection_version": "4"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` AND Processes.process="* /c*" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmd_carry_out_string_command_parameter_filter` - -[ESCU - CMD Echo Pipe - Escalation - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic identifies a common behavior by Cobalt Strike and other frameworks where the adversary will escalate privileges, either via `jump` (Cobalt Strike PTH) or `getsystem`, using named-pipe impersonation. A suspicious event will look like `cmd.exe /c echo 4sgryt3436 > \\.\Pipe\5erg53`. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1059", "T1059.003", "T1543.003", "T1543"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic identifies a common behavior by Cobalt Strike and other frameworks where the adversary will escalate privileges, either via `jump` (Cobalt Strike PTH) or `getsystem`, using named-pipe impersonation. A suspicious event will look like `cmd.exe /c echo 4sgryt3436 > \\.\Pipe\5erg53`. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Unknown. It is possible filtering may be required to ensure fidelity. -action.escu.creation_date = 2023-07-10 -action.escu.modification_date = 2023-07-10 -action.escu.confidence = high -action.escu.full_search_name = ESCU - CMD Echo Pipe - Escalation - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ potentially performing privilege escalation using named pipes related to Cobalt Strike and other frameworks. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 64}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - CMD Echo Pipe - Escalation - Rule -action.correlationsearch.annotations = {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1059", "T1059.003", "T1543.003", "T1543"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "eb277ba0-b96b-11eb-b00e-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic identifies a common behavior by Cobalt Strike and other frameworks where the adversary will escalate privileges, either via `jump` (Cobalt Strike PTH) or `getsystem`, using named-pipe impersonation. A suspicious event will look like `cmd.exe /c echo 4sgryt3436 > \\.\Pipe\5erg53`. -action.notable.param.rule_title = CMD Echo Pipe - Escalation -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` OR Processes.process=*%comspec%* (Processes.process=*echo* AND Processes.process=*pipe*) by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmd_echo_pipe___escalation_filter` - -[ESCU - Cmdline Tool Not Executed In CMD Shell - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.007"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = A network operator or systems administrator may utilize an automated host discovery application that may generate false positives. Filter as needed. -action.escu.creation_date = 2023-12-27 -action.escu.modification_date = 2023-12-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Cmdline Tool Not Executed In CMD Shell - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["CISA AA22-277A", "CISA AA23-347A", "DarkGate Malware", "FIN7", "Qakbot", "Rhysida Ransomware", "Volt Typhoon"] -action.risk = 1 -action.risk.param._risk_message = A non-standard parent process $parent_process_name$ spawned child process $process_name$ to execute command-line tool on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 56}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 56}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 56}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Cmdline Tool Not Executed In CMD Shell - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA22-277A", "CISA AA23-347A", "DarkGate Malware", "FIN7", "Qakbot", "Rhysida Ransomware", "Volt Typhoon"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.007"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "6c3f7dd8-153c-11ec-ac2d-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator. -action.notable.param.rule_title = Cmdline Tool Not Executed In CMD Shell -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = "ipconfig.exe" OR Processes.process_name = "systeminfo.exe" OR Processes.process_name = "net.exe" OR Processes.process_name = "net1.exe" OR Processes.process_name = "arp.exe" OR Processes.process_name = "nslookup.exe" OR Processes.process_name = "route.exe" OR Processes.process_name = "netstat.exe" OR Processes.process_name = "whoami.exe") AND NOT (Processes.parent_process_name = "cmd.exe" OR Processes.parent_process_name = "powershell*" OR Processes.parent_process_name="pwsh.exe" OR Processes.parent_process_name = "explorer.exe") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process_id Processes.process Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmdline_tool_not_executed_in_cmd_shell_filter` - -[ESCU - CMLUA Or CMSTPLUA UAC Bypass - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the use of COM objects like CMLUA or CMSTPLUA to bypass User Account Control (UAC). It leverages Sysmon EventCode 7 to identify the loading of specific DLLs (CMLUA.dll, CMSTPLUA.dll, CMLUAUTIL.dll) by processes not typically associated with these libraries. This activity is significant as it indicates an attempt to gain elevated privileges, a common tactic used by ransomware adversaries. If confirmed malicious, this could allow attackers to execute code with administrative rights, leading to potential system compromise and further malicious activities. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.003"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects the use of COM objects like CMLUA or CMSTPLUA to bypass User Account Control (UAC). It leverages Sysmon EventCode 7 to identify the loading of specific DLLs (CMLUA.dll, CMSTPLUA.dll, CMLUAUTIL.dll) by processes not typically associated with these libraries. This activity is significant as it indicates an attempt to gain elevated privileges, a common tactic used by ransomware adversaries. If confirmed malicious, this could allow attackers to execute code with administrative rights, leading to potential system compromise and further malicious activities. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -action.escu.known_false_positives = Legitimate windows application that are not on the list loading this dll. Filter as needed. -action.escu.creation_date = 2024-05-05 -action.escu.modification_date = 2024-05-05 -action.escu.confidence = high -action.escu.full_search_name = ESCU - CMLUA Or CMSTPLUA UAC Bypass - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["DarkSide Ransomware", "LockBit Ransomware", "Ransomware"] -action.risk = 1 -action.risk.param._risk_message = The following module $ImageLoaded$ was loaded by a non-standard application on endpoint $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - CMLUA Or CMSTPLUA UAC Bypass - Rule -action.correlationsearch.annotations = {"analytic_story": ["DarkSide Ransomware", "LockBit Ransomware", "Ransomware"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "f87b5062-b405-11eb-a889-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the use of COM objects like CMLUA or CMSTPLUA to bypass User Account Control (UAC). It leverages Sysmon EventCode 7 to identify the loading of specific DLLs (CMLUA.dll, CMSTPLUA.dll, CMLUAUTIL.dll) by processes not typically associated with these libraries. This activity is significant as it indicates an attempt to gain elevated privileges, a common tactic used by ransomware adversaries. If confirmed malicious, this could allow attackers to execute code with administrative rights, leading to potential system compromise and further malicious activities. -action.notable.param.rule_title = CMLUA Or CMSTPLUA UAC Bypass -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=7 ImageLoaded IN ("*\\CMLUA.dll", "*\\CMSTPLUA.dll", "*\\CMLUAUTIL.dll") NOT(process_name IN("CMSTP.exe", "CMMGR32.exe")) NOT(Image IN("*\\windows\\*", "*\\program files*")) | stats count min(_time) as firstTime max(_time) as lastTime by dest Image ImageLoaded process_name EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmlua_or_cmstplua_uac_bypass_filter` - -[ESCU - Cobalt Strike Named Pipes - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the use of default or publicly known named pipes used with Cobalt Strike. A named pipe is a named, one-way or duplex pipe for communication between the pipe server and one or more pipe clients. Cobalt Strike uses named pipes in many ways and has default values used with the Artifact Kit and Malleable C2 Profiles. The following query assists with identifying these default named pipes. Each EDR product presents named pipes a little different. Consider taking the values and generating a query based on the product of choice. \ -Upon triage, review the process performing the named pipe. If it is explorer.exe, It is possible it was injected into by another process. Review recent parallel processes to identify suspicious patterns or behaviors. A parallel process may have a network connection, review and follow the connection back to identify any file modifications. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies the use of default or publicly known named pipes used with Cobalt Strike. A named pipe is a named, one-way or duplex pipe for communication between the pipe server and one or more pipe clients. Cobalt Strike uses named pipes in many ways and has default values used with the Artifact Kit and Malleable C2 Profiles. The following query assists with identifying these default named pipes. Each EDR product presents named pipes a little different. Consider taking the values and generating a query based on the product of choice. \ -Upon triage, review the process performing the named pipe. If it is explorer.exe, It is possible it was injected into by another process. Review recent parallel processes to identify suspicious patterns or behaviors. A parallel process may have a network connection, review and follow the connection back to identify any file modifications. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -action.escu.known_false_positives = The idea of using named pipes with Cobalt Strike is to blend in. Therefore, some of the named pipes identified and added may cause false positives. Filter by process name or pipe name to reduce false positives. -action.escu.creation_date = 2023-07-10 -action.escu.modification_date = 2023-07-10 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Cobalt Strike Named Pipes - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["BlackByte Ransomware", "Cobalt Strike", "DarkSide Ransomware", "Graceful Wipe Out Attack", "LockBit Ransomware", "Trickbot"] -action.risk = 1 -action.risk.param._risk_message = An instance of $process_name$ was identified on endpoint $dest$ accessing known suspicious named pipes related to Cobalt Strike. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 72}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Cobalt Strike Named Pipes - Rule -action.correlationsearch.annotations = {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "DarkSide Ransomware", "Graceful Wipe Out Attack", "LockBit Ransomware", "Trickbot"], "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "5876d429-0240-4709-8b93-ea8330b411b5", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the use of default or publicly known named pipes used with Cobalt Strike. A named pipe is a named, one-way or duplex pipe for communication between the pipe server and one or more pipe clients. Cobalt Strike uses named pipes in many ways and has default values used with the Artifact Kit and Malleable C2 Profiles. The following query assists with identifying these default named pipes. Each EDR product presents named pipes a little different. Consider taking the values and generating a query based on the product of choice. \ -Upon triage, review the process performing the named pipe. If it is explorer.exe, It is possible it was injected into by another process. Review recent parallel processes to identify suspicious patterns or behaviors. A parallel process may have a network connection, review and follow the connection back to identify any file modifications. -action.notable.param.rule_title = Cobalt Strike Named Pipes -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventID=17 OR EventID=18 PipeName IN (\\msagent_*, \\DserNamePipe*, \\srvsvc_*, \\postex_*, \\status_*, \\MSSE-*, \\spoolss_*, \\win_svc*, \\ntsvcs*, \\winsock*, \\UIA_PIPE*) | stats count min(_time) as firstTime max(_time) as lastTime by dest, process_name, process_id process_path, PipeName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cobalt_strike_named_pipes_filter` - -[ESCU - Common Ransomware Extensions - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects Searches for file modifications that commonly occur with Ransomware to detect modifications to files with extensions that are commonly used by Ransomware. The detection is made by searches for changes in the datamodel=Endpoint.Filesystem, specifically modifications to file extensions that match those commonly used by Ransomware. The detection is important because it suggests that an attacker is attempting to encrypt or otherwise modify files in the environment using malware, potentially leading to data loss that can cause significant damage to an organization's data and systems. False positives might occur so the SOC must investigate the affected system to determine the source of the modification and take appropriate action to contain and remediate the attack. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects Searches for file modifications that commonly occur with Ransomware to detect modifications to files with extensions that are commonly used by Ransomware. The detection is made by searches for changes in the datamodel=Endpoint.Filesystem, specifically modifications to file extensions that match those commonly used by Ransomware. The detection is important because it suggests that an attacker is attempting to encrypt or otherwise modify files in the environment using malware, potentially leading to data loss that can cause significant damage to an organization's data and systems. False positives might occur so the SOC must investigate the affected system to determine the source of the modification and take appropriate action to contain and remediate the attack. -action.escu.how_to_implement = You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint Filesystem data model node. To see the additional metadata, add the following fields, if not already present, please review the detailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details` -action.escu.known_false_positives = It is possible for a legitimate file with these extensions to be created. If this is a true ransomware attack, there will be a large number of files created with these extensions. -action.escu.creation_date = 2022-11-10 -action.escu.modification_date = 2022-11-10 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Common Ransomware Extensions - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Clop Ransomware", "LockBit Ransomware", "Prestige Ransomware", "Ransomware", "Rhysida Ransomware", "Ryuk Ransomware", "SamSam Ransomware"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Common Ransomware Extensions - Rule -action.correlationsearch.annotations = {"analytic_story": ["Clop Ransomware", "LockBit Ransomware", "Prestige Ransomware", "Ransomware", "Rhysida Ransomware", "Ryuk Ransomware", "SamSam Ransomware"], "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a9e5c5db-db11-43ca-86a8-c852d1b2c0ec", "detection_version": "5"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime count latest(Filesystem.user) as user values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name Filesystem.dest _time span=1h | `drop_dm_object_name(Filesystem)` | rex field=file_name "(?\.[^\.]+)$" | rex field=file_path "(?([^\\\]*\\\)*).*" | stats min(firstTime) as firstTime max(lastTime) as lastTime latest(user) as user dc(true_file_path) as path_count dc(file_name) as file_count latest(file_name) as file_name latest(true_file_path) as file_path by dest file_extension | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `ransomware_extensions` | where path_count > 1 OR file_count > 20 | `common_ransomware_extensions_filter` - -[ESCU - Common Ransomware Notes - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the creation of files with names commonly associated with ransomware notes. It leverages file-system activity data from the Endpoint Filesystem data model, typically populated by endpoint detection and response (EDR) tools or Sysmon logs. This activity is significant because ransomware notes indicate a potential ransomware attack, which can lead to data encryption and extortion. If confirmed malicious, this activity could result in significant data loss, operational disruption, and financial impact due to ransom demands. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the creation of files with names commonly associated with ransomware notes. It leverages file-system activity data from the Endpoint Filesystem data model, typically populated by endpoint detection and response (EDR) tools or Sysmon logs. This activity is significant because ransomware notes indicate a potential ransomware attack, which can lead to data encryption and extortion. If confirmed malicious, this activity could result in significant data loss, operational disruption, and financial impact due to ransom demands. -action.escu.how_to_implement = You must be ingesting data that records file-system activity from your hosts to populate the Endpoint Filesystem data-model node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or via other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file-system reads and writes. -action.escu.known_false_positives = It's possible that a legitimate file could be created with the same name used by ransomware note files. -action.escu.creation_date = 2024-05-22 -action.escu.modification_date = 2024-05-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Common Ransomware Notes - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Chaos Ransomware", "Clop Ransomware", "LockBit Ransomware", "Ransomware", "Rhysida Ransomware", "Ryuk Ransomware", "SamSam Ransomware"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Common Ransomware Notes - Rule -action.correlationsearch.annotations = {"analytic_story": ["Chaos Ransomware", "Clop Ransomware", "LockBit Ransomware", "Ransomware", "Rhysida Ransomware", "Ryuk Ransomware", "SamSam Ransomware"], "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "ada0f478-84a8-4641-a3f1-d82362d6bd71", "detection_version": "5"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `ransomware_notes` | `common_ransomware_notes_filter` - -[ESCU - ConnectWise ScreenConnect Path Traversal - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1708 vulnerability, which allows an attacker to perform path traversal attacks by manipulating the file_path and file_name parameters in the URL. The vulnerability, identified as critical with a CVSS score of 9.8, enables unauthorized users to access sensitive files and directories on the host system, potentially leading to the exfiltration of sensitive data or the execution of arbitrary code. The search query provided looks for file system events that could indicate exploitation attempts. This detection is crucial for identifying and responding to active exploitation of this vulnerability in environments running affected versions of ScreenConnect (23.9.7 and prior). It is recommended to update to version 23.9.8 or above immediately to remediate the issue, as detailed in the ConnectWise security advisory and further analyzed by Huntress researchers. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1708 vulnerability, which allows an attacker to perform path traversal attacks by manipulating the file_path and file_name parameters in the URL. The vulnerability, identified as critical with a CVSS score of 9.8, enables unauthorized users to access sensitive files and directories on the host system, potentially leading to the exfiltration of sensitive data or the execution of arbitrary code. The search query provided looks for file system events that could indicate exploitation attempts. This detection is crucial for identifying and responding to active exploitation of this vulnerability in environments running affected versions of ScreenConnect (23.9.7 and prior). It is recommended to update to version 23.9.8 or above immediately to remediate the issue, as detailed in the ConnectWise security advisory and further analyzed by Huntress researchers. -action.escu.how_to_implement = This analytic utilizes the Endpoint datamodel Filesystem node to identify path traversal attempts against ScreenConnect. Note that using SACL auditing or other file system monitoring tools may also be used to detect path traversal attempts. Typically the data for this analytic will come from EDR or other properly CIM mapped data sources. -action.escu.known_false_positives = False positives are not expected, as the detection is based on the presence of file system events that indicate path traversal attempts. The analytic may be modified to look for any file writes to this path as it is not common for files to write here. -action.escu.creation_date = 2024-02-21 -action.escu.modification_date = 2024-02-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - ConnectWise ScreenConnect Path Traversal - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["ConnectWise ScreenConnect Vulnerabilities"] -action.risk = 1 -action.risk.param._risk_message = A path traversal attack against ScreenConnect has been detected on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 100}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - ConnectWise ScreenConnect Path Traversal - Rule -action.correlationsearch.annotations = {"analytic_story": ["ConnectWise ScreenConnect Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2024-1708", "CVE-2024-1709"], "impact": 100, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "56a3ac65-e747-41f7-b014-dff7423c1dda", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1708 vulnerability, which allows an attacker to perform path traversal attacks by manipulating the file_path and file_name parameters in the URL. The vulnerability, identified as critical with a CVSS score of 9.8, enables unauthorized users to access sensitive files and directories on the host system, potentially leading to the exfiltration of sensitive data or the execution of arbitrary code. The search query provided looks for file system events that could indicate exploitation attempts. This detection is crucial for identifying and responding to active exploitation of this vulnerability in environments running affected versions of ScreenConnect (23.9.7 and prior). It is recommended to update to version 23.9.8 or above immediately to remediate the issue, as detailed in the ConnectWise security advisory and further analyzed by Huntress researchers. -action.notable.param.rule_title = ConnectWise ScreenConnect Path Traversal -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*\\ScreenConnect\\App_Extensions\\*") Filesystem.file_name IN ("*.aspx","*.ashx") by Filesystem.file_create_time Filesystem.process_id Filesystem.process_guid Filesystem.file_name Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `connectwise_screenconnect_path_traversal_filter` - -[ESCU - ConnectWise ScreenConnect Path Traversal Windows SACL - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1708 vulnerability utilizing Windows SACL EventCode 4663, which allows an attacker to perform path traversal attacks by manipulating the file_path and file_name parameters in the URL. The vulnerability, identified as critical with a CVSS score of 9.8, enables unauthorized users to access sensitive files and directories on the host system, potentially leading to the exfiltration of sensitive data or the execution of arbitrary code. The search query provided looks for file system events that could indicate exploitation attempts. This detection is crucial for identifying and responding to active exploitation of this vulnerability in environments running affected versions of ScreenConnect (23.9.7 and prior). It is recommended to update to version 23.9.8 or above immediately to remediate the issue, as detailed in the ConnectWise security advisory and further analyzed by Huntress researchers. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1708 vulnerability utilizing Windows SACL EventCode 4663, which allows an attacker to perform path traversal attacks by manipulating the file_path and file_name parameters in the URL. The vulnerability, identified as critical with a CVSS score of 9.8, enables unauthorized users to access sensitive files and directories on the host system, potentially leading to the exfiltration of sensitive data or the execution of arbitrary code. The search query provided looks for file system events that could indicate exploitation attempts. This detection is crucial for identifying and responding to active exploitation of this vulnerability in environments running affected versions of ScreenConnect (23.9.7 and prior). It is recommended to update to version 23.9.8 or above immediately to remediate the issue, as detailed in the ConnectWise security advisory and further analyzed by Huntress researchers. -action.escu.how_to_implement = To implement the following query, enable SACL auditing for the ScreenConnect directory(ies). With this data, the following analytic will work correctly. A GIST is provided in the references to assist with enabling SACL Auditing. -action.escu.known_false_positives = False positives should be limited as the analytic is specific to ScreenConnect path traversal attempts. Tune as needed, or restrict to specific hosts if false positives are encountered. -action.escu.creation_date = 2024-02-21 -action.escu.modification_date = 2024-02-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - ConnectWise ScreenConnect Path Traversal Windows SACL - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["ConnectWise ScreenConnect Vulnerabilities"] -action.risk = 1 -action.risk.param._risk_message = A path traversal attack against ScreenConnect has been detected on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 100}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - ConnectWise ScreenConnect Path Traversal Windows SACL - Rule -action.correlationsearch.annotations = {"analytic_story": ["ConnectWise ScreenConnect Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2024-1708", "CVE-2024-1709"], "impact": 100, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "4e127857-1fc9-4c95-9d69-ba24c91d52d7", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1708 vulnerability utilizing Windows SACL EventCode 4663, which allows an attacker to perform path traversal attacks by manipulating the file_path and file_name parameters in the URL. The vulnerability, identified as critical with a CVSS score of 9.8, enables unauthorized users to access sensitive files and directories on the host system, potentially leading to the exfiltration of sensitive data or the execution of arbitrary code. The search query provided looks for file system events that could indicate exploitation attempts. This detection is crucial for identifying and responding to active exploitation of this vulnerability in environments running affected versions of ScreenConnect (23.9.7 and prior). It is recommended to update to version 23.9.8 or above immediately to remediate the issue, as detailed in the ConnectWise security advisory and further analyzed by Huntress researchers. -action.notable.param.rule_title = ConnectWise ScreenConnect Path Traversal Windows SACL -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4663 ProcessName=*\\ScreenConnect.Service.exe file_path IN ("*\\ScreenConnect\\App_Extensions\\*") file_name IN ("*.aspx","*.ashx") | stats count min(_time) as firstTime max(_time) as lastTime by ObjectName ObjectType ProcessName AccessMask process_id EventCode Computer Caller_User_Name | rename Computer as dest Caller_User_Name as user ProcessName as process_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `connectwise_screenconnect_path_traversal_windows_sacl_filter` - -[ESCU - Conti Common Exec parameter - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the execution of suspicious command-line arguments commonly associated with Conti ransomware, specifically targeting local drives and network shares for encryption. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because it indicates a potential ransomware attack, which can lead to widespread data encryption and operational disruption. If confirmed malicious, the impact could be severe, resulting in data loss, system downtime, and potential ransom demands. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the execution of suspicious command-line arguments commonly associated with Conti ransomware, specifically targeting local drives and network shares for encryption. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because it indicates a potential ransomware attack, which can lead to widespread data encryption and operational disruption. If confirmed malicious, the impact could be severe, resulting in data loss, system downtime, and potential ransom demands. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = 3rd party tool may have commandline parameter that can trigger this detection. -action.escu.creation_date = 2024-05-21 -action.escu.modification_date = 2024-05-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Conti Common Exec parameter - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Ransomware"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ executing specific Conti Ransomware related parameters. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 64}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Conti Common Exec parameter - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ransomware"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "624919bc-c382-11eb-adcc-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the execution of suspicious command-line arguments commonly associated with Conti ransomware, specifically targeting local drives and network shares for encryption. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because it indicates a potential ransomware attack, which can lead to widespread data encryption and operational disruption. If confirmed malicious, the impact could be severe, resulting in data loss, system downtime, and potential ransom demands. -action.notable.param.rule_title = Conti Common Exec parameter -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = "*-m local*" OR Processes.process = "*-m net*" OR Processes.process = "*-m all*" OR Processes.process = "*-nomutex*" by Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `conti_common_exec_parameter_filter` - -[ESCU - Control Loading from World Writable Directory - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following detection identifies control.exe loading either a .cpl or .inf from a writable directory. This is related to CVE-2021-40444. During triage, review parallel processes, parent and child, for further suspicious behaviors. In addition, capture file modifications and analyze. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.002"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following detection identifies control.exe loading either a .cpl or .inf from a writable directory. This is related to CVE-2021-40444. During triage, review parallel processes, parent and child, for further suspicious behaviors. In addition, capture file modifications and analyze. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Limited false positives will be present as control.exe does not natively load from writable paths as defined. One may add .cpl or .inf to the command-line if there is any false positives. Tune as needed. -action.escu.creation_date = 2021-09-08 -action.escu.modification_date = 2021-09-08 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Control Loading from World Writable Directory - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Living Off The Land", "Microsoft MSHTML Remote Code Execution CVE-2021-40444"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to load a suspicious file from disk. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Control Loading from World Writable Directory - Rule -action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land", "Microsoft MSHTML Remote Code Execution CVE-2021-40444"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2021-40444"], "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.002"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "10423ac4-10c9-11ec-8dc4-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following detection identifies control.exe loading either a .cpl or .inf from a writable directory. This is related to CVE-2021-40444. During triage, review parallel processes, parent and child, for further suspicious behaviors. In addition, capture file modifications and analyze. -action.notable.param.rule_title = Control Loading from World Writable Directory -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=control.exe OR Processes.original_file_name=CONTROL.EXE) AND Processes.process IN ("*\\appdata\\*", "*\\windows\\temp\\*", "*\\programdata\\*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `control_loading_from_world_writable_directory_filter` - -[ESCU - Create local admin accounts using net exe - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the creation of local administrator accounts using the net.exe command to mitigate the risks associated with unauthorized access and prevent further damage to the environment by responding to potential threats earlier and taking appropriate actions to protect the organization's systems and data. This detection is made by a Splunk query to search for processes with the name net.exe or net1.exe that include the "/add" parameter and have specific keywords related to administrator accounts in their process name. This detection is important because the creation of unauthorized local administrator accounts might indicate that an attacker has successfully created a new administrator account and is trying to gain persistent access to a system or escalate their privileges for data theft, or other malicious activities. False positives might occur since there might be legitimate uses of the net.exe command and the creation of administrator accounts in certain circumstances. You must consider the context of the activity and other indicators of compromise before taking any action. For next steps, review the details of the identified process, including the user, parent process, and parent process name. Examine any relevant on-disk artifacts and look for concurrent processes to determine the source of the attack. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the creation of local administrator accounts using the net.exe command to mitigate the risks associated with unauthorized access and prevent further damage to the environment by responding to potential threats earlier and taking appropriate actions to protect the organization's systems and data. This detection is made by a Splunk query to search for processes with the name net.exe or net1.exe that include the "/add" parameter and have specific keywords related to administrator accounts in their process name. This detection is important because the creation of unauthorized local administrator accounts might indicate that an attacker has successfully created a new administrator account and is trying to gain persistent access to a system or escalate their privileges for data theft, or other malicious activities. False positives might occur since there might be legitimate uses of the net.exe command and the creation of administrator accounts in certain circumstances. You must consider the context of the activity and other indicators of compromise before taking any action. For next steps, review the details of the identified process, including the user, parent process, and parent process name. Examine any relevant on-disk artifacts and look for concurrent processes to determine the source of the attack. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators often leverage net.exe to create admin accounts. -action.escu.creation_date = 2024-04-26 -action.escu.modification_date = 2024-04-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Create local admin accounts using net exe - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Azorult", "CISA AA22-257A", "DHS Report TA18-074A", "DarkGate Malware"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to add a user to the local Administrators group. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 30}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 30}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 30}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 30}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Create local admin accounts using net exe - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azorult", "CISA AA22-257A", "DHS Report TA18-074A", "DarkGate Malware"], "cis20": ["CIS 10"], "confidence": 60, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "b89919ed-fe5f-492c-b139-151bb162040e", "detection_version": "9"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the creation of local administrator accounts using the net.exe command to mitigate the risks associated with unauthorized access and prevent further damage to the environment by responding to potential threats earlier and taking appropriate actions to protect the organization's systems and data. This detection is made by a Splunk query to search for processes with the name net.exe or net1.exe that include the "/add" parameter and have specific keywords related to administrator accounts in their process name. This detection is important because the creation of unauthorized local administrator accounts might indicate that an attacker has successfully created a new administrator account and is trying to gain persistent access to a system or escalate their privileges for data theft, or other malicious activities. False positives might occur since there might be legitimate uses of the net.exe command and the creation of administrator accounts in certain circumstances. You must consider the context of the activity and other indicators of compromise before taking any action. For next steps, review the details of the identified process, including the user, parent process, and parent process name. Examine any relevant on-disk artifacts and look for concurrent processes to determine the source of the attack. -action.notable.param.rule_title = Create local admin accounts using net exe -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count values(Processes.user) as user values(Processes.parent_process) as parent_process values(parent_process_name) as parent_process_name min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=net.exe OR Processes.process_name=net1.exe) AND Processes.process=*/add* AND (Processes.process=*administrators* OR Processes.process=*administratoren* OR Processes.process=*administrateurs* OR Processes.process=*administrador* OR Processes.process=*amministratori* OR Processes.process=*administratorer*) by Processes.process Processes.process_name Processes.parent_process_name Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `create_local_admin_accounts_using_net_exe_filter` - -[ESCU - Create or delete windows shares using net exe - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the creation or deletion of hidden shares using the net.exe command for prompt response and mitigation to enhance the overall security posture of the organization and protect against potential data breaches, malware infections, and other damaging outcomes. This detection is made by searching for processes that involve the use of net.exe and filters for actions related to creation or deletion of shares. This detection is important because it suggests that an attacker is attempting to manipulate or exploit the network by creating or deleting hidden shares. The creation or deletion of hidden shares can indicate malicious activity since attackers might use hidden shares to exfiltrate data, distribute malware, or establish persistence within a network. The impact of such an attack can vary, but it often involves unauthorized access to sensitive information, disruption of services, or the introduction of malware. False positives might occur since legitimate actions can also involve the use of net.exe. An extensive triage and investigation is necessary to determine the intent and nature of the detected activity. Next steps include reviewing the details of the process involving the net.exe command, including the user, parent process, and timestamps during the triage. Additionally, capture and inspect any relevant on-disk artifacts and review concurrent processes to identify the source of the attack. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070", "T1070.005"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the creation or deletion of hidden shares using the net.exe command for prompt response and mitigation to enhance the overall security posture of the organization and protect against potential data breaches, malware infections, and other damaging outcomes. This detection is made by searching for processes that involve the use of net.exe and filters for actions related to creation or deletion of shares. This detection is important because it suggests that an attacker is attempting to manipulate or exploit the network by creating or deleting hidden shares. The creation or deletion of hidden shares can indicate malicious activity since attackers might use hidden shares to exfiltrate data, distribute malware, or establish persistence within a network. The impact of such an attack can vary, but it often involves unauthorized access to sensitive information, disruption of services, or the introduction of malware. False positives might occur since legitimate actions can also involve the use of net.exe. An extensive triage and investigation is necessary to determine the intent and nature of the detected activity. Next steps include reviewing the details of the process involving the net.exe command, including the user, parent process, and timestamps during the triage. Additionally, capture and inspect any relevant on-disk artifacts and review concurrent processes to identify the source of the attack. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators often leverage net.exe to create or delete network shares. You should verify that the activity was intentional and is legitimate. -action.escu.creation_date = 2020-09-16 -action.escu.modification_date = 2020-09-16 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Create or delete windows shares using net exe - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["CISA AA22-277A", "DarkGate Malware", "Hidden Cobra Malware", "Prestige Ransomware", "Windows Post-Exploitation"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ enumerating Windows file shares. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 25}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Create or delete windows shares using net exe - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA22-277A", "DarkGate Malware", "Hidden Cobra Malware", "Prestige Ransomware", "Windows Post-Exploitation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070", "T1070.005"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "743a322c-9a68-4a0f-9c17-85d9cce2a27c", "detection_version": "6"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the creation or deletion of hidden shares using the net.exe command for prompt response and mitigation to enhance the overall security posture of the organization and protect against potential data breaches, malware infections, and other damaging outcomes. This detection is made by searching for processes that involve the use of net.exe and filters for actions related to creation or deletion of shares. This detection is important because it suggests that an attacker is attempting to manipulate or exploit the network by creating or deleting hidden shares. The creation or deletion of hidden shares can indicate malicious activity since attackers might use hidden shares to exfiltrate data, distribute malware, or establish persistence within a network. The impact of such an attack can vary, but it often involves unauthorized access to sensitive information, disruption of services, or the introduction of malware. False positives might occur since legitimate actions can also involve the use of net.exe. An extensive triage and investigation is necessary to determine the intent and nature of the detected activity. Next steps include reviewing the details of the process involving the net.exe command, including the user, parent process, and timestamps during the triage. Additionally, capture and inspect any relevant on-disk artifacts and review concurrent processes to identify the source of the attack. -action.notable.param.rule_title = Create or delete windows shares using net exe -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count values(Processes.user) as user values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` by Processes.process Processes.process_name Processes.parent_process_name Processes.original_file_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | search process=*share* | `create_or_delete_windows_shares_using_net_exe_filter` - -[ESCU - Create Remote Thread In Shell Application - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search is to detect suspicious process injection in command shell. This technique was seen in IcedID where it execute cmd.exe process to inject its shellcode as part of its execution as banking trojan. It is really uncommon to have a create remote thread execution in the following application. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This search is to detect suspicious process injection in command shell. This technique was seen in IcedID where it execute cmd.exe process to inject its shellcode as part of its execution as banking trojan. It is really uncommon to have a create remote thread execution in the following application. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2024-01-31 -action.escu.modification_date = 2024-01-31 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Create Remote Thread In Shell Application - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["IcedID", "Qakbot", "Warzone RAT"] -action.risk = 1 -action.risk.param._risk_message = process $process_name$ create a remote thread to shell app process $TargetImage$ in host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 70}, {"threat_object_field": "process_name", "threat_object_type": "process"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Create Remote Thread In Shell Application - Rule -action.correlationsearch.annotations = {"analytic_story": ["IcedID", "Qakbot", "Warzone RAT"], "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "10399c1e-f51e-11eb-b920-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search is to detect suspicious process injection in command shell. This technique was seen in IcedID where it execute cmd.exe process to inject its shellcode as part of its execution as banking trojan. It is really uncommon to have a create remote thread execution in the following application. -action.notable.param.rule_title = Create Remote Thread In Shell Application -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=8 TargetImage IN ("*\\cmd.exe", "*\\powershell*") | stats count min(_time) as firstTime max(_time) as lastTime by TargetImage TargetProcessId SourceProcessId EventCode StartAddress SourceImage dest |rename SourceImage as process_name| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `create_remote_thread_in_shell_application_filter` - -[ESCU - Create Remote Thread into LSASS - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the creation of a remote thread in the Local Security Authority Subsystem Service (LSASS), which is a common tactic used by adversaries to steal user authentication credentials, known as credential dumping. The detection is made by leveraging Sysmon EventID 8 logs and searches for processes that create remote threads in lsass.exe. This is an unusual activity that is generally linked to credential theft or credential dumping, which is a significant threat to network security. The detection is important because it helps to detect potential credential dumping attacks, which can result in significant damage to an organization's security. False positives might occur though the confidence level of this alert is high. There might be cases where legitimate tools can access LSASS and generate similar logs. Therefore, you must understand the broader context of such events and differentiate between legitimate activities and possible threats. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects the creation of a remote thread in the Local Security Authority Subsystem Service (LSASS), which is a common tactic used by adversaries to steal user authentication credentials, known as credential dumping. The detection is made by leveraging Sysmon EventID 8 logs and searches for processes that create remote threads in lsass.exe. This is an unusual activity that is generally linked to credential theft or credential dumping, which is a significant threat to network security. The detection is important because it helps to detect potential credential dumping attacks, which can result in significant damage to an organization's security. False positives might occur though the confidence level of this alert is high. There might be cases where legitimate tools can access LSASS and generate similar logs. Therefore, you must understand the broader context of such events and differentiate between legitimate activities and possible threats. -action.escu.how_to_implement = This search needs Sysmon Logs with a Sysmon configuration, which includes EventCode 8 with lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives. -action.escu.known_false_positives = Other tools can access LSASS for legitimate reasons and generate an event. In these cases, tweaking the search may help eliminate noise. -action.escu.creation_date = 2019-12-06 -action.escu.modification_date = 2019-12-06 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Create Remote Thread into LSASS - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["Credential Dumping"] -action.risk = 1 -action.risk.param._risk_message = A process has created a remote thread into $TargetImage$ on $dest$. This behavior is indicative of credential dumping and should be investigated. -action.risk.param._risk = [{"risk_object_field": "TargetImage", "risk_object_type": "other", "risk_score": 81}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 81}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Create Remote Thread into LSASS - Rule -action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "67d4dbef-9564-4699-8da8-03a151529edc", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the creation of a remote thread in the Local Security Authority Subsystem Service (LSASS), which is a common tactic used by adversaries to steal user authentication credentials, known as credential dumping. The detection is made by leveraging Sysmon EventID 8 logs and searches for processes that create remote threads in lsass.exe. This is an unusual activity that is generally linked to credential theft or credential dumping, which is a significant threat to network security. The detection is important because it helps to detect potential credential dumping attacks, which can result in significant damage to an organization's security. False positives might occur though the confidence level of this alert is high. There might be cases where legitimate tools can access LSASS and generate similar logs. Therefore, you must understand the broader context of such events and differentiate between legitimate activities and possible threats. -action.notable.param.rule_title = Create Remote Thread into LSASS -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventID=8 TargetImage=*lsass.exe | stats count min(_time) as firstTime max(_time) as lastTime by dest, EventCode, TargetImage, TargetProcessId | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `create_remote_thread_into_lsass_filter` - -[ESCU - Creation of lsass Dump with Taskmgr - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = Detect the hands on keyboard behavior of Windows Task Manager creating a process dump of lsass.exe. Upon this behavior occurring, a file write/modification will occur in the users profile under \AppData\Local\Temp. The dump file, lsass.dmp, cannot be renamed, however if the dump occurs more than once, it will be named lsass (2).dmp. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = Detect the hands on keyboard behavior of Windows Task Manager creating a process dump of lsass.exe. Upon this behavior occurring, a file write/modification will occur in the users profile under \AppData\Local\Temp. The dump file, lsass.dmp, cannot be renamed, however if the dump occurs more than once, it will be named lsass (2).dmp. -action.escu.how_to_implement = This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 11 for detecting file create of lsass.dmp. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives. -action.escu.known_false_positives = Administrators can create memory dumps for debugging purposes, but memory dumps of the LSASS process would be unusual. -action.escu.creation_date = 2020-02-03 -action.escu.modification_date = 2020-02-03 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Creation of lsass Dump with Taskmgr - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["CISA AA22-257A", "Credential Dumping"] -action.risk = 1 -action.risk.param._risk_message = $process_name$ was identified on endpoint $dest$ writing $TargetFilename$ to disk. This behavior is related to dumping credentials via Task Manager. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Creation of lsass Dump with Taskmgr - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA22-257A", "Credential Dumping"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "b2fbe95a-9c62-4c12-8a29-24b97e84c0cd", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = Detect the hands on keyboard behavior of Windows Task Manager creating a process dump of lsass.exe. Upon this behavior occurring, a file write/modification will occur in the users profile under \AppData\Local\Temp. The dump file, lsass.dmp, cannot be renamed, however if the dump occurs more than once, it will be named lsass (2).dmp. -action.notable.param.rule_title = Creation of lsass Dump with Taskmgr -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventID=11 process_name=taskmgr.exe TargetFilename=*lsass*.dmp | stats count min(_time) as firstTime max(_time) as lastTime by dest, object_category, process_name, TargetFilename | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `creation_of_lsass_dump_with_taskmgr_filter` - -[ESCU - Creation of Shadow Copy - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the creation of shadow copies using Vssadmin or Wmic. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because creating shadow copies can be a precursor to ransomware attacks or data exfiltration, allowing attackers to bypass file locks and access sensitive data. If confirmed malicious, this behavior could enable attackers to maintain persistence, recover deleted files, or prepare for further malicious activities, posing a significant risk to the integrity and confidentiality of the system. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the creation of shadow copies using Vssadmin or Wmic. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because creating shadow copies can be a precursor to ransomware attacks or data exfiltration, allowing attackers to bypass file locks and access sensitive data. If confirmed malicious, this behavior could enable attackers to maintain persistence, recover deleted files, or prepare for further malicious activities, posing a significant risk to the integrity and confidentiality of the system. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Legitimate administrator usage of Vssadmin or Wmic will create false positives. -action.escu.creation_date = 2024-05-19 -action.escu.modification_date = 2024-05-19 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Creation of Shadow Copy - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Credential Dumping", "Volt Typhoon"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to create a shadow copy to perform offline password cracking. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 81}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 81}, {"threat_object_field": "parent_process_name", "threat_object_type": "process"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Creation of Shadow Copy - Rule -action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping", "Volt Typhoon"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "eb120f5f-b879-4a63-97c1-93352b5df844", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the creation of shadow copies using Vssadmin or Wmic. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because creating shadow copies can be a precursor to ransomware attacks or data exfiltration, allowing attackers to bypass file locks and access sensitive data. If confirmed malicious, this behavior could enable attackers to maintain persistence, recover deleted files, or prepare for further malicious activities, posing a significant risk to the integrity and confidentiality of the system. -action.notable.param.rule_title = Creation of Shadow Copy -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=vssadmin.exe Processes.process=*create* Processes.process=*shadow*) OR (Processes.process_name=wmic.exe Processes.process=*shadowcopy* Processes.process=*create*) by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `creation_of_shadow_copy_filter` - -[ESCU - Creation of Shadow Copy with wmic and powershell - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the use of two specific tools, wmic and Powershell, to create a shadow copy to identify potential threats earlier and take appropriate actions to mitigate the risks. This detection is made by a Splunk query that searches for processes in the Endpoint.Processes data model where either the process name contains "wmic" or "Powershell" and the process command contains "shadowcopy" and "create". This detection is important because it suggests that an attacker is attempting to manipulate or access data in an unauthorized manner, which can lead to data theft, data manipulation, or other malicious activities. Attackers might use shadow copies to backup and exfiltrate sensitive data or to hide their tracks by restoring files to a previous state after an attack. Next steps include reviewing the user associated with the process, the process name, the original file name, the process command, and the destination of the process. Additionally, examine any relevant on-disk artifacts and review other concurrent processes to determine the source of the attack. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the use of two specific tools, wmic and Powershell, to create a shadow copy to identify potential threats earlier and take appropriate actions to mitigate the risks. This detection is made by a Splunk query that searches for processes in the Endpoint.Processes data model where either the process name contains "wmic" or "Powershell" and the process command contains "shadowcopy" and "create". This detection is important because it suggests that an attacker is attempting to manipulate or access data in an unauthorized manner, which can lead to data theft, data manipulation, or other malicious activities. Attackers might use shadow copies to backup and exfiltrate sensitive data or to hide their tracks by restoring files to a previous state after an attack. Next steps include reviewing the user associated with the process, the process name, the original file name, the process command, and the destination of the process. Additionally, examine any relevant on-disk artifacts and review other concurrent processes to determine the source of the attack. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Legtimate administrator usage of wmic to create a shadow copy. -action.escu.creation_date = 2021-09-16 -action.escu.modification_date = 2021-09-16 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Creation of Shadow Copy with wmic and powershell - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Credential Dumping", "Living Off The Land", "Volt Typhoon"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to create a shadow copy to perform offline password cracking. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 81}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 81}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Creation of Shadow Copy with wmic and powershell - Rule -action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping", "Living Off The Land", "Volt Typhoon"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "2ed8b538-d284-449a-be1d-82ad1dbd186b", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the use of two specific tools, wmic and Powershell, to create a shadow copy to identify potential threats earlier and take appropriate actions to mitigate the risks. This detection is made by a Splunk query that searches for processes in the Endpoint.Processes data model where either the process name contains "wmic" or "Powershell" and the process command contains "shadowcopy" and "create". This detection is important because it suggests that an attacker is attempting to manipulate or access data in an unauthorized manner, which can lead to data theft, data manipulation, or other malicious activities. Attackers might use shadow copies to backup and exfiltrate sensitive data or to hide their tracks by restoring files to a previous state after an attack. Next steps include reviewing the user associated with the process, the process name, the original file name, the process command, and the destination of the process. Additionally, examine any relevant on-disk artifacts and review other concurrent processes to determine the source of the attack. -action.notable.param.rule_title = Creation of Shadow Copy with wmic and powershell -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` OR `process_powershell` Processes.process=*shadowcopy* Processes.process=*create* by Processes.user Processes.process_name Processes.original_file_name Processes.parent_process_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `creation_of_shadow_copy_with_wmic_and_powershell_filter` - -[ESCU - Credential Dumping via Copy Command from Shadow Copy - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the use of the copy command to dump credentials from a shadow copy so that you can detect potential threats earlier and mitigate the risks associated with credential dumping. The detection is made by using a Splunk query to search for specific processes that indicate credential dumping activity. The query looks for processes with command lines that include references to certain files, such as "sam", "security", "system", and "ntds.dit", located in system directories like "system32" or "windows". The detection is important because it suggests that an attacker is attempting to extract credentials from a shadow copy. Credential dumping is a common technique used by attackers to obtain sensitive login information and gain unauthorized access to systems to escalate privileges, move laterally within the network, or gain unauthorized access to sensitive data. False positives might occur since legitimate processes might also reference these files. During triage, it is crucial to review the process details, including the source and the command that is run. Additionally, you must capture and analyze any relevant on-disk artifacts and investigate concurrent processes to determine the source of the attack -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the use of the copy command to dump credentials from a shadow copy so that you can detect potential threats earlier and mitigate the risks associated with credential dumping. The detection is made by using a Splunk query to search for specific processes that indicate credential dumping activity. The query looks for processes with command lines that include references to certain files, such as "sam", "security", "system", and "ntds.dit", located in system directories like "system32" or "windows". The detection is important because it suggests that an attacker is attempting to extract credentials from a shadow copy. Credential dumping is a common technique used by attackers to obtain sensitive login information and gain unauthorized access to systems to escalate privileges, move laterally within the network, or gain unauthorized access to sensitive data. False positives might occur since legitimate processes might also reference these files. During triage, it is crucial to review the process details, including the source and the command that is run. Additionally, you must capture and analyze any relevant on-disk artifacts and investigate concurrent processes to determine the source of the attack -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2021-09-16 -action.escu.modification_date = 2021-09-16 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Credential Dumping via Copy Command from Shadow Copy - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Credential Dumping"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to copy SAM and NTDS.dit for offline password cracking. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 81}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 81}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Credential Dumping via Copy Command from Shadow Copy - Rule -action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "d8c406fe-23d2-45f3-a983-1abe7b83ff3b", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the use of the copy command to dump credentials from a shadow copy so that you can detect potential threats earlier and mitigate the risks associated with credential dumping. The detection is made by using a Splunk query to search for specific processes that indicate credential dumping activity. The query looks for processes with command lines that include references to certain files, such as "sam", "security", "system", and "ntds.dit", located in system directories like "system32" or "windows". The detection is important because it suggests that an attacker is attempting to extract credentials from a shadow copy. Credential dumping is a common technique used by attackers to obtain sensitive login information and gain unauthorized access to systems to escalate privileges, move laterally within the network, or gain unauthorized access to sensitive data. False positives might occur since legitimate processes might also reference these files. During triage, it is crucial to review the process details, including the source and the command that is run. Additionally, you must capture and analyze any relevant on-disk artifacts and investigate concurrent processes to determine the source of the attack -action.notable.param.rule_title = Credential Dumping via Copy Command from Shadow Copy -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` (Processes.process=*\\system32\\config\\sam* OR Processes.process=*\\system32\\config\\security* OR Processes.process=*\\system32\\config\\system* OR Processes.process=*\\windows\\ntds\\ntds.dit*) by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process Processes.original_file_name Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `credential_dumping_via_copy_command_from_shadow_copy_filter` - -[ESCU - Credential Dumping via Symlink to Shadow Copy - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the creation of a symlink to a shadow copy to identify potential threats earlier and mitigate the risks associated with symlink creation to shadow copies. The detection is made by using a Splunk query that searches for processes with commands containing "mklink" and "HarddiskVolumeShadowCopy". This analytic retrieves information such as the destination, user, process name, process ID, parent process, original file name, and parent process ID from the Endpoint.Processes data model. The detection is important because it indicates potential malicious activity since attackers might use this technique to manipulate or delete shadow copies, which are used for system backup and recovery. This detection helps to determine if an attacker is attempting to cover their tracks or prevent data recovery in the event of an incident. The impact of such an attack can be significant since it can hinder incident response efforts, prevent data restoration, and potentially lead to data loss or compromise. Next steps include reviewing the details of the process, such as the destination and the user responsible for creating the symlink. Additionally, you must examine the parent process, any relevant on-disk artifacts, and concurrent processes to identify the source of the attack. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the creation of a symlink to a shadow copy to identify potential threats earlier and mitigate the risks associated with symlink creation to shadow copies. The detection is made by using a Splunk query that searches for processes with commands containing "mklink" and "HarddiskVolumeShadowCopy". This analytic retrieves information such as the destination, user, process name, process ID, parent process, original file name, and parent process ID from the Endpoint.Processes data model. The detection is important because it indicates potential malicious activity since attackers might use this technique to manipulate or delete shadow copies, which are used for system backup and recovery. This detection helps to determine if an attacker is attempting to cover their tracks or prevent data recovery in the event of an incident. The impact of such an attack can be significant since it can hinder incident response efforts, prevent data restoration, and potentially lead to data loss or compromise. Next steps include reviewing the details of the process, such as the destination and the user responsible for creating the symlink. Additionally, you must examine the parent process, any relevant on-disk artifacts, and concurrent processes to identify the source of the attack. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2021-09-16 -action.escu.modification_date = 2021-09-16 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Credential Dumping via Symlink to Shadow Copy - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Credential Dumping"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to create symlink to a shadow copy to grab credentials. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 81}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 81}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Credential Dumping via Symlink to Shadow Copy - Rule -action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c5eac648-fae0-4263-91a6-773df1f4c903", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the creation of a symlink to a shadow copy to identify potential threats earlier and mitigate the risks associated with symlink creation to shadow copies. The detection is made by using a Splunk query that searches for processes with commands containing "mklink" and "HarddiskVolumeShadowCopy". This analytic retrieves information such as the destination, user, process name, process ID, parent process, original file name, and parent process ID from the Endpoint.Processes data model. The detection is important because it indicates potential malicious activity since attackers might use this technique to manipulate or delete shadow copies, which are used for system backup and recovery. This detection helps to determine if an attacker is attempting to cover their tracks or prevent data recovery in the event of an incident. The impact of such an attack can be significant since it can hinder incident response efforts, prevent data restoration, and potentially lead to data loss or compromise. Next steps include reviewing the details of the process, such as the destination and the user responsible for creating the symlink. Additionally, you must examine the parent process, any relevant on-disk artifacts, and concurrent processes to identify the source of the attack. -action.notable.param.rule_title = Credential Dumping via Symlink to Shadow Copy -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` Processes.process=*mklink* Processes.process=*HarddiskVolumeShadowCopy* by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process Processes.parent_process_name Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `credential_dumping_via_symlink_to_shadow_copy_filter` - -[ESCU - CSC Net On The Fly Compilation - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = this analytic is to detect a suspicious compile before delivery approach of .net compiler csc.exe. This technique was seen in several adversaries, malware and even in red teams to take advantage the csc.exe .net compiler tool to compile on the fly a malicious .net code to evade detection from security product. This is a good hunting query to check further the file or process created after this event and check the file path that passed to csc.exe which is the .net code. Aside from that, powershell is capable of using this compiler in executing .net code in a powershell script so filter on that case is needed. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1027.004", "T1027"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = this analytic is to detect a suspicious compile before delivery approach of .net compiler csc.exe. This technique was seen in several adversaries, malware and even in red teams to take advantage the csc.exe .net compiler tool to compile on the fly a malicious .net code to evade detection from security product. This is a good hunting query to check further the file or process created after this event and check the file path that passed to csc.exe which is the .net code. Aside from that, powershell is capable of using this compiler in executing .net code in a powershell script so filter on that case is needed. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = A network operator or systems administrator may utilize an automated powershell script taht execute .net code that may generate false positive. filter is needed. -action.escu.creation_date = 2021-11-12 -action.escu.modification_date = 2021-11-12 -action.escu.confidence = high -action.escu.full_search_name = ESCU - CSC Net On The Fly Compilation - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Windows Defense Evasion Tactics"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - CSC Net On The Fly Compilation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1027.004", "T1027"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "ea73128a-43ab-11ec-9753-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_csc` Processes.process = "*/noconfig*" Processes.process = "*/fullpaths*" Processes.process = "*@*" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `csc_net_on_the_fly_compilation_filter` - -[ESCU - Curl Download and Bash Execution - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the use of curl on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the use of curl on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives should be limited, however filtering may be required. -action.escu.creation_date = 2021-12-10 -action.escu.modification_date = 2021-12-10 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Curl Download and Bash Execution - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Ingress Tool Transfer", "Linux Living Off The Land", "Log4Shell CVE-2021-44228"] -action.risk = 1 -action.risk.param._risk_message = An instance of $process_name$ was identified on endpoint $dest$ attempting to download a remote file and run it with bash. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Curl Download and Bash Execution - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ingress Tool Transfer", "Linux Living Off The Land", "Log4Shell CVE-2021-44228"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2021-44228"], "impact": 80, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "900bc324-59f3-11ec-9fb4-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the use of curl on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j. -action.notable.param.rule_title = Curl Download and Bash Execution -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=curl (Processes.process="*-s *") OR (Processes.process="*|*" AND Processes.process="*bash*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `curl_download_and_bash_execution_filter` - -[ESCU - Delete ShadowCopy With PowerShell - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This following analytic detects PowerShell command to delete shadow copy using the WMIC PowerShell module. This technique was seen used by a recent adversary to deploy DarkSide Ransomware where it executed a child process of PowerShell to execute a hex encoded command to delete shadow copy. This hex encoded command was able to be decrypted by PowerShell log. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This following analytic detects PowerShell command to delete shadow copy using the WMIC PowerShell module. This technique was seen used by a recent adversary to deploy DarkSide Ransomware where it executed a child process of PowerShell to execute a hex encoded command to delete shadow copy. This hex encoded command was able to be decrypted by PowerShell log. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the powershell logs from your endpoints. make sure you enable needed registry to monitor this event. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2022-05-02 -action.escu.modification_date = 2022-05-02 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Delete ShadowCopy With PowerShell - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["DarkGate Malware", "DarkSide Ransomware", "Ransomware", "Revil Ransomware"] -action.risk = 1 -action.risk.param._risk_message = An attempt to delete ShadowCopy was performed using PowerShell on $dest$ by $user$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 81}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 81}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Delete ShadowCopy With PowerShell - Rule -action.correlationsearch.annotations = {"analytic_story": ["DarkGate Malware", "DarkSide Ransomware", "Ransomware", "Revil Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "5ee2bcd0-b2ff-11eb-bb34-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This following analytic detects PowerShell command to delete shadow copy using the WMIC PowerShell module. This technique was seen used by a recent adversary to deploy DarkSide Ransomware where it executed a child process of PowerShell to execute a hex encoded command to delete shadow copy. This hex encoded command was able to be decrypted by PowerShell log. -action.notable.param.rule_title = Delete ShadowCopy With PowerShell -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText= "*ShadowCopy*" (ScriptBlockText = "*Delete*" OR ScriptBlockText = "*Remove*") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText |rename Computer as dest |rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `delete_shadowcopy_with_powershell_filter` - -[ESCU - Deleting Of Net Users - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic will detect a suspicious net.exe/net1.exe command-line to delete a user on a system. This technique may be use by an administrator for legitimate purposes, however this behavior has been used in the wild to impair some user or deleting adversaries tracks created during its lateral movement additional systems. During triage, review parallel processes for additional behavior. Identify any other user accounts created before or after. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1531"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic will detect a suspicious net.exe/net1.exe command-line to delete a user on a system. This technique may be use by an administrator for legitimate purposes, however this behavior has been used in the wild to impair some user or deleting adversaries tracks created during its lateral movement additional systems. During triage, review parallel processes for additional behavior. Identify any other user accounts created before or after. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = System administrators or scripts may delete user accounts via this technique. Filter as needed. -action.escu.creation_date = 2023-06-13 -action.escu.modification_date = 2023-06-13 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Deleting Of Net Users - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["DarkGate Malware", "Graceful Wipe Out Attack", "XMRig"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to delete accounts. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 25}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deleting Of Net Users - Rule -action.correlationsearch.annotations = {"analytic_story": ["DarkGate Malware", "Graceful Wipe Out Attack", "XMRig"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1531"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "1c8c6f66-acce-11eb-aafb-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic will detect a suspicious net.exe/net1.exe command-line to delete a user on a system. This technique may be use by an administrator for legitimate purposes, however this behavior has been used in the wild to impair some user or deleting adversaries tracks created during its lateral movement additional systems. During triage, review parallel processes for additional behavior. Identify any other user accounts created before or after. -action.notable.param.rule_title = Deleting Of Net Users -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND Processes.process="*user*" AND Processes.process="*/delete*" by Processes.process_name Processes.original_file_name Processes.dest Processes.user Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `deleting_of_net_users_filter` - -[ESCU - Deleting Shadow Copies - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the deletion of shadow copies using the vssadmin.exe or wmic.exe utilities. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because deleting shadow copies is a common tactic used by attackers to prevent recovery and hide their tracks. If confirmed malicious, this action could hinder incident response efforts and allow attackers to maintain persistence and cover their activities, making it crucial for security teams to investigate promptly. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the deletion of shadow copies using the vssadmin.exe or wmic.exe utilities. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because deleting shadow copies is a common tactic used by attackers to prevent recovery and hide their tracks. If confirmed malicious, this action could hinder incident response efforts and allow attackers to maintain persistence and cover their activities, making it crucial for security teams to investigate promptly. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = vssadmin.exe and wmic.exe are standard applications shipped with modern versions of windows. They may be used by administrators to legitimately delete old backup copies, although this is typically rare. -action.escu.creation_date = 2024-05-18 -action.escu.modification_date = 2024-05-18 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Deleting Shadow Copies - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["CISA AA22-264A", "Chaos Ransomware", "Clop Ransomware", "DarkGate Malware", "LockBit Ransomware", "Prestige Ransomware", "Ransomware", "Rhysida Ransomware", "SamSam Ransomware", "Windows Log Manipulation"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to delete shadow copies. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 81}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 81}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 81}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 81}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deleting Shadow Copies - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA22-264A", "Chaos Ransomware", "Clop Ransomware", "DarkGate Malware", "LockBit Ransomware", "Prestige Ransomware", "Ransomware", "Rhysida Ransomware", "SamSam Ransomware", "Windows Log Manipulation"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "b89919ed-ee5f-492c-b139-95dbb162039e", "detection_version": "5"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the deletion of shadow copies using the vssadmin.exe or wmic.exe utilities. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because deleting shadow copies is a common tactic used by attackers to prevent recovery and hide their tracks. If confirmed malicious, this action could hinder incident response efforts and allow attackers to maintain persistence and cover their activities, making it crucial for security teams to investigate promptly. -action.notable.param.rule_title = Deleting Shadow Copies -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=vssadmin.exe OR Processes.process_name=wmic.exe) Processes.process=*delete* Processes.process=*shadow* by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `deleting_shadow_copies_filter` - -[ESCU - Detect AzureHound Command-Line Arguments - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the common command-line argument used by AzureHound `Invoke-AzureHound`. Being the script is FOSS, function names may be modified, but these changes are dependent upon the operator. In most instances the defaults are used. This analytic works to identify the common command-line attributes used. It does not cover the entirety of every argument in order to avoid false positives. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the common command-line argument used by AzureHound `Invoke-AzureHound`. Being the script is FOSS, function names may be modified, but these changes are dependent upon the operator. In most instances the defaults are used. This analytic works to identify the common command-line attributes used. It does not cover the entirety of every argument in order to avoid false positives. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Unknown. -action.escu.creation_date = 2024-03-14 -action.escu.modification_date = 2024-03-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect AzureHound Command-Line Arguments - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Windows Discovery Techniques"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ using AzureHound to enumerate AzureAD. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Detect AzureHound Command-Line Arguments - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Discovery Techniques"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "26f02e96-c300-11eb-b611-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the common command-line argument used by AzureHound `Invoke-AzureHound`. Being the script is FOSS, function names may be modified, but these changes are dependent upon the operator. In most instances the defaults are used. This analytic works to identify the common command-line attributes used. It does not cover the entirety of every argument in order to avoid false positives. -action.notable.param.rule_title = Detect AzureHound Command-Line Arguments -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN ("*invoke-azurehound*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_azurehound_command_line_arguments_filter` - -[ESCU - Detect AzureHound File Modifications - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic is similar to SharpHound file modifications, but this instance covers the use of Invoke-AzureHound. AzureHound is the SharpHound equivilent but for Azure. It's possible this may never be seen in an environment as most attackers may execute this tool remotely. Once execution is complete, a zip file with a similar name will drop `20210601090751-azurecollection.zip`. In addition to the zip, multiple .json files will be written to disk, which are in the zip. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic is similar to SharpHound file modifications, but this instance covers the use of Invoke-AzureHound. AzureHound is the SharpHound equivilent but for Azure. It's possible this may never be seen in an environment as most attackers may execute this tool remotely. Once execution is complete, a zip file with a similar name will drop `20210601090751-azurecollection.zip`. In addition to the zip, multiple .json files will be written to disk, which are in the zip. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on file modifications that include the name of the process, and file, responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. -action.escu.known_false_positives = False positives should be limited as the analytic is specific to a filename with extension .zip. Filter as needed. -action.escu.creation_date = 2024-03-14 -action.escu.modification_date = 2024-03-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect AzureHound File Modifications - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Windows Discovery Techniques"] -action.risk = 1 -action.risk.param._risk_message = A file - $file_name$ was written to disk that is related to AzureHound, a AzureAD enumeration utility, has occurred on endpoint $dest$ by user $user$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 63}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}, {"risk_object_field": "file_name", "risk_object_type": "other", "risk_score": 63}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Detect AzureHound File Modifications - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Discovery Techniques"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "1c34549e-c31b-11eb-996b-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic is similar to SharpHound file modifications, but this instance covers the use of Invoke-AzureHound. AzureHound is the SharpHound equivilent but for Azure. It's possible this may never be seen in an environment as most attackers may execute this tool remotely. Once execution is complete, a zip file with a similar name will drop `20210601090751-azurecollection.zip`. In addition to the zip, multiple .json files will be written to disk, which are in the zip. -action.notable.param.rule_title = Detect AzureHound File Modifications -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*-azurecollection.zip", "*-azprivroleadminrights.json", "*-azglobaladminrights.json", "*-azcloudappadmins.json", "*-azapplicationadmins.json") by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.user | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_azurehound_file_modifications_filter` - -[ESCU - Detect Baron Samedit CVE-2021-3156 - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic detects a specific type of vulnerability known as a heap-based buffer overflow in the sudoedit command, commonly referred to as Baron Samedit CVE-2021-3156. The detection is made by a Splunk query that searches for instances of the sudoedit command with the "-s" flag followed by a double quote. This combination of parameters is indicative of the vulnerability being exploited. The detection is important because it suggests that an attacker is attempting to exploit the Baron Samedit vulnerability. The Baron Samedit vulnerability allows an attacker to gain elevated privileges on a Linux system and run arbitrary code with root privileges, potentially leading to complete control over the affected system. The impact of a successful attack can be severe since it allows the attacker to bypass security measures and gain unauthorized access to sensitive data or systems. This can result in data breaches, unauthorized modifications, or even complete system compromise. Next steps include being aware of this vulnerability and actively monitoring any attempts to exploit it. By detecting and responding to such attacks in a timely manner, you can prevent or minimize the potential damage caused by the heap-based buffer overflow of sudoedit. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects a specific type of vulnerability known as a heap-based buffer overflow in the sudoedit command, commonly referred to as Baron Samedit CVE-2021-3156. The detection is made by a Splunk query that searches for instances of the sudoedit command with the "-s" flag followed by a double quote. This combination of parameters is indicative of the vulnerability being exploited. The detection is important because it suggests that an attacker is attempting to exploit the Baron Samedit vulnerability. The Baron Samedit vulnerability allows an attacker to gain elevated privileges on a Linux system and run arbitrary code with root privileges, potentially leading to complete control over the affected system. The impact of a successful attack can be severe since it allows the attacker to bypass security measures and gain unauthorized access to sensitive data or systems. This can result in data breaches, unauthorized modifications, or even complete system compromise. Next steps include being aware of this vulnerability and actively monitoring any attempts to exploit it. By detecting and responding to such attacks in a timely manner, you can prevent or minimize the potential damage caused by the heap-based buffer overflow of sudoedit. -action.escu.how_to_implement = Splunk Universal Forwarder running on Linux systems, capturing logs from the /var/log directory. The vulnerability is exposed when a non privledged user tries passing in a single \ character at the end of the command while using the shell and edit flags. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2021-01-27 -action.escu.modification_date = 2021-01-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect Baron Samedit CVE-2021-3156 - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Baron Samedit CVE-2021-3156"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Detect Baron Samedit CVE-2021-3156 - Rule -action.correlationsearch.annotations = {"analytic_story": ["Baron Samedit CVE-2021-3156"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2021-3156"], "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "93fbec4e-0375-440c-8db3-4508eca470c4", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects a specific type of vulnerability known as a heap-based buffer overflow in the sudoedit command, commonly referred to as Baron Samedit CVE-2021-3156. The detection is made by a Splunk query that searches for instances of the sudoedit command with the "-s" flag followed by a double quote. This combination of parameters is indicative of the vulnerability being exploited. The detection is important because it suggests that an attacker is attempting to exploit the Baron Samedit vulnerability. The Baron Samedit vulnerability allows an attacker to gain elevated privileges on a Linux system and run arbitrary code with root privileges, potentially leading to complete control over the affected system. The impact of a successful attack can be severe since it allows the attacker to bypass security measures and gain unauthorized access to sensitive data or systems. This can result in data breaches, unauthorized modifications, or even complete system compromise. Next steps include being aware of this vulnerability and actively monitoring any attempts to exploit it. By detecting and responding to such attacks in a timely manner, you can prevent or minimize the potential damage caused by the heap-based buffer overflow of sudoedit. -action.notable.param.rule_title = Detect Baron Samedit CVE-2021-3156 -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `linux_hosts` "sudoedit -s \\" | `detect_baron_samedit_cve_2021_3156_filter` - -[ESCU - Detect Baron Samedit CVE-2021-3156 Segfault - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic detects the occurrence of a heap-based buffer overflow in sudoedit.The detection is made by using a Splunk query to identify Linux hosts where the terms "sudoedit" and "segfault" appear in the logs. The detection is important because the heap-based buffer overflow vulnerability in sudoedit can be exploited by attackers to gain elevated root privileges on a vulnerable system, which might lead to the compromise of sensitive data, unauthorized access, and other malicious activities. False positives might occur. Therefore, you must review the logs and investigate further before taking any action. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects the occurrence of a heap-based buffer overflow in sudoedit.The detection is made by using a Splunk query to identify Linux hosts where the terms "sudoedit" and "segfault" appear in the logs. The detection is important because the heap-based buffer overflow vulnerability in sudoedit can be exploited by attackers to gain elevated root privileges on a vulnerable system, which might lead to the compromise of sensitive data, unauthorized access, and other malicious activities. False positives might occur. Therefore, you must review the logs and investigate further before taking any action. -action.escu.how_to_implement = Splunk Universal Forwarder running on Linux systems (tested on Centos and Ubuntu), where segfaults are being logged. This also captures instances where the exploit has been compiled into a binary. The detection looks for greater than 5 instances of sudoedit combined with segfault over your search time period on a single host -action.escu.known_false_positives = If sudoedit is throwing segfaults for other reasons this will pick those up too. -action.escu.creation_date = 2021-01-29 -action.escu.modification_date = 2021-01-29 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect Baron Samedit CVE-2021-3156 Segfault - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Baron Samedit CVE-2021-3156"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Detect Baron Samedit CVE-2021-3156 Segfault - Rule -action.correlationsearch.annotations = {"analytic_story": ["Baron Samedit CVE-2021-3156"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2021-3156"], "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "10f2bae0-bbe6-4984-808c-37dc1c67980d", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the occurrence of a heap-based buffer overflow in sudoedit.The detection is made by using a Splunk query to identify Linux hosts where the terms "sudoedit" and "segfault" appear in the logs. The detection is important because the heap-based buffer overflow vulnerability in sudoedit can be exploited by attackers to gain elevated root privileges on a vulnerable system, which might lead to the compromise of sensitive data, unauthorized access, and other malicious activities. False positives might occur. Therefore, you must review the logs and investigate further before taking any action. -action.notable.param.rule_title = Detect Baron Samedit CVE-2021-3156 Segfault -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `linux_hosts` TERM(sudoedit) TERM(segfault) | stats count min(_time) as firstTime max(_time) as lastTime by host | where count > 5 | `detect_baron_samedit_cve_2021_3156_segfault_filter` - -[ESCU - Detect Baron Samedit CVE-2021-3156 via OSQuery - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic detects the heap-based buffer overflow for the sudoedit command and identifies instances where the command "sudoedit -s *" is run using the osquery_process data source. This indicates that the sudoedit command is used with the "-s" flag, which is associated with the heap-based buffer overflow vulnerability. The detection is important because it indicates a potential security vulnerability, specifically Baron Samedit CVE-2021-3156, which helps to identify and respond to potential heap-based buffer overflow attacks to enhance the security posture of the organization. This vulnerability allows an attacker to escalate privileges and potentially gain unauthorized access to the system. If the attack is successful, the attacker can gain full control of the system, run arbitrary code, or access sensitive data. Such attacks can lead to data breaches, unauthorized access, and potential disruption of critical systems. False positives might occur since the legitimate use of the sudoedit command with the "-s" flag can also trigger this detection. You must carefully review and validate the findings before taking any action. Next steps include investigating all true positive detections promptly, reviewing the associated processes, gather relevant artifacts, identifying the source of the attack to contain the threat, mitigate the risks, and prevent further damage to the environment. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects the heap-based buffer overflow for the sudoedit command and identifies instances where the command "sudoedit -s *" is run using the osquery_process data source. This indicates that the sudoedit command is used with the "-s" flag, which is associated with the heap-based buffer overflow vulnerability. The detection is important because it indicates a potential security vulnerability, specifically Baron Samedit CVE-2021-3156, which helps to identify and respond to potential heap-based buffer overflow attacks to enhance the security posture of the organization. This vulnerability allows an attacker to escalate privileges and potentially gain unauthorized access to the system. If the attack is successful, the attacker can gain full control of the system, run arbitrary code, or access sensitive data. Such attacks can lead to data breaches, unauthorized access, and potential disruption of critical systems. False positives might occur since the legitimate use of the sudoedit command with the "-s" flag can also trigger this detection. You must carefully review and validate the findings before taking any action. Next steps include investigating all true positive detections promptly, reviewing the associated processes, gather relevant artifacts, identifying the source of the attack to contain the threat, mitigate the risks, and prevent further damage to the environment. -action.escu.how_to_implement = OSQuery installed and configured to pick up process events (info at https://osquery.io) as well as using the Splunk OSQuery Add-on https://splunkbase.splunk.com/app/4402. The vulnerability is exposed when a non privledged user tries passing in a single \ character at the end of the command while using the shell and edit flags. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2021-01-28 -action.escu.modification_date = 2021-01-28 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect Baron Samedit CVE-2021-3156 via OSQuery - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Baron Samedit CVE-2021-3156"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Detect Baron Samedit CVE-2021-3156 via OSQuery - Rule -action.correlationsearch.annotations = {"analytic_story": ["Baron Samedit CVE-2021-3156"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2021-3156"], "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "1de31d5d-8fa6-4ee0-af89-17069134118a", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the heap-based buffer overflow for the sudoedit command and identifies instances where the command "sudoedit -s *" is run using the osquery_process data source. This indicates that the sudoedit command is used with the "-s" flag, which is associated with the heap-based buffer overflow vulnerability. The detection is important because it indicates a potential security vulnerability, specifically Baron Samedit CVE-2021-3156, which helps to identify and respond to potential heap-based buffer overflow attacks to enhance the security posture of the organization. This vulnerability allows an attacker to escalate privileges and potentially gain unauthorized access to the system. If the attack is successful, the attacker can gain full control of the system, run arbitrary code, or access sensitive data. Such attacks can lead to data breaches, unauthorized access, and potential disruption of critical systems. False positives might occur since the legitimate use of the sudoedit command with the "-s" flag can also trigger this detection. You must carefully review and validate the findings before taking any action. Next steps include investigating all true positive detections promptly, reviewing the associated processes, gather relevant artifacts, identifying the source of the attack to contain the threat, mitigate the risks, and prevent further damage to the environment. -action.notable.param.rule_title = Detect Baron Samedit CVE-2021-3156 via OSQuery -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `osquery_process` | search "columns.cmdline"="sudoedit -s \\*" | `detect_baron_samedit_cve_2021_3156_via_osquery_filter` - -[ESCU - Detect Certify Command Line Arguments - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies when the attacker tool Certify or Certipy are used to enumerate Active Directory Certificate Services (AD CS) environments. The default command line arguments of these tools are similar and perform near identical enumeration or exploitation functions. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control", "Exploitation"], "mitre_attack": ["T1649", "T1105"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies when the attacker tool Certify or Certipy are used to enumerate Active Directory Certificate Services (AD CS) environments. The default command line arguments of these tools are similar and perform near identical enumeration or exploitation functions. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Unknown -action.escu.creation_date = 2023-06-25 -action.escu.modification_date = 2023-06-25 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect Certify Command Line Arguments - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Ingress Tool Transfer", "Windows Certificate Services"] -action.risk = 1 -action.risk.param._risk_message = Certify/Certipy arguments detected on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 90}, {"threat_object_field": "process_name", "threat_object_type": "process"}, {"threat_object_field": "process_name", "threat_object_type": "process"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Detect Certify Command Line Arguments - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ingress Tool Transfer", "Windows Certificate Services"], "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Command and Control", "Exploitation"], "mitre_attack": ["T1649", "T1105"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e6d2dc61-a8b9-4b03-906c-da0ca75d71b8", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies when the attacker tool Certify or Certipy are used to enumerate Active Directory Certificate Services (AD CS) environments. The default command line arguments of these tools are similar and perform near identical enumeration or exploitation functions. -action.notable.param.rule_title = Detect Certify Command Line Arguments -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN ("* find *","* auth *","* request *","* req *","* download *",) AND Processes.process IN ("* /vulnerable*","* /enrolleeSuppliesSubject *","* /json /outfile*","* /ca*", "* -username *","* -u *") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `detect_certify_command_line_arguments_filter` - -[ESCU - Detect Certify With PowerShell Script Block Logging - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies when the attacker tool Certify is used through an in-memory PowerShell function to enumerate Active Directory Certificate Services (AD CS) environments. The default command line arguments for the binary version of this tools are similar to PowerShell calls and perform near identical enumeration or exploitation functions. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1649", "T1059", "T1059.001"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies when the attacker tool Certify is used through an in-memory PowerShell function to enumerate Active Directory Certificate Services (AD CS) environments. The default command line arguments for the binary version of this tools are similar to PowerShell calls and perform near identical enumeration or exploitation functions. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.. -action.escu.known_false_positives = Unknown, partial script block matches. -action.escu.creation_date = 2023-06-25 -action.escu.modification_date = 2023-06-25 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect Certify With PowerShell Script Block Logging - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Malicious PowerShell", "Windows Certificate Services"] -action.risk = 1 -action.risk.param._risk_message = Certify arguments through PowerShell detected on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 90}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 90}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Detect Certify With PowerShell Script Block Logging - Rule -action.correlationsearch.annotations = {"analytic_story": ["Malicious PowerShell", "Windows Certificate Services"], "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1649", "T1059", "T1059.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "f533ca6c-9440-4686-80cb-7f294c07812a", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies when the attacker tool Certify is used through an in-memory PowerShell function to enumerate Active Directory Certificate Services (AD CS) environments. The default command line arguments for the binary version of this tools are similar to PowerShell calls and perform near identical enumeration or exploitation functions. -action.notable.param.rule_title = Detect Certify With PowerShell Script Block Logging -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 (ScriptBlockText IN ("*find *") AND ScriptBlockText IN ("* /vulnerable*","* -vulnerable*","* /enrolleeSuppliesSubject *","* /json /outfile*")) OR (ScriptBlockText IN (,"*auth *","*req *",) AND ScriptBlockText IN ("* -ca *","* -username *","* -u *")) OR (ScriptBlockText IN ("*request *","*download *") AND ScriptBlockText IN ("* /ca:*")) | stats count min(_time) as firstTime max(_time) as lastTime list(ScriptBlockText) as command Values(OpCode) as reason values(Path) as file_name values(UserID) as user by _time Computer EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval file_name = case(isnotnull(file_name),file_name,true(),"unknown") | eval signature = substr(command,0,256) | rename Computer as dest,EventCode as signature_id | `detect_certify_with_powershell_script_block_logging_filter` - -[ESCU - Detect Certipy File Modifications - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies when the attacker tool Certipy is used to enumerate Active Directory Certificate Services (AD CS) environments. The default behavior of this toolkit drops a number of file uniquely named files or file extensions related to it's information gathering and exfiltration process. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1649", "T1560"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies when the attacker tool Certipy is used to enumerate Active Directory Certificate Services (AD CS) environments. The default behavior of this toolkit drops a number of file uniquely named files or file extensions related to it's information gathering and exfiltration process. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints as well as file creation or deletion events. -action.escu.known_false_positives = Unknown -action.escu.creation_date = 2023-06-25 -action.escu.modification_date = 2023-06-25 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect Certipy File Modifications - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Data Exfiltration", "Ingress Tool Transfer", "Windows Certificate Services"] -action.risk = 1 -action.risk.param._risk_message = Suspicious files $file_name$ related to Certipy detected on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 45}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 45}, {"threat_object_field": "file_name", "threat_object_type": "file_name"}, {"threat_object_field": "process_name", "threat_object_type": "process"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Detect Certipy File Modifications - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Exfiltration", "Ingress Tool Transfer", "Windows Certificate Services"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1649", "T1560"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "7e3df743-b1d8-4631-8fa8-bd5819688876", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies when the attacker tool Certipy is used to enumerate Active Directory Certificate Services (AD CS) environments. The default behavior of this toolkit drops a number of file uniquely named files or file extensions related to it's information gathering and exfiltration process. -action.notable.param.rule_title = Detect Certipy File Modifications -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime values(Processes.process_current_directory) as process_current_directory FROM datamodel=Endpoint.Processes where Processes.action="allowed" BY _time span=1h Processes.user Processes.dest Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.parent_process_name Processes.parent_process Processes.process_guid Processes.action |`drop_dm_object_name(Processes)` | join max=0 dest process_guid [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*_certipy.zip", "*_certipy.txt", "*_certipy.json", "*.ccache") by Filesystem.file_create_time Filesystem.process_id Filesystem.process_guid Filesystem.file_name Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` ] | fields firstTime lastTime user dest file_create_time file_name file_path parent_process_name parent_process process_name process_path process_current_directory process process_guid process_id | where isnotnull(file_name) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_certipy_file_modifications_filter` - -[ESCU - Detect Computer Changed with Anonymous Account - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic detects changes to computer accounts using an anonymous logon. It leverages Windows Security Event Codes 4742 (Computer Change) and 4624 (Successful Logon) with the TargetUserName set to "ANONYMOUS LOGON" and LogonType 3. This activity is significant because anonymous logons should not typically be modifying computer accounts, indicating potential unauthorized access or misconfiguration. If confirmed malicious, this could allow an attacker to alter computer accounts, potentially leading to privilege escalation or persistent access within the network. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1210"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects changes to computer accounts using an anonymous logon. It leverages Windows Security Event Codes 4742 (Computer Change) and 4624 (Successful Logon) with the TargetUserName set to "ANONYMOUS LOGON" and LogonType 3. This activity is significant because anonymous logons should not typically be modifying computer accounts, indicating potential unauthorized access or misconfiguration. If confirmed malicious, this could allow an attacker to alter computer accounts, potentially leading to privilege escalation or persistent access within the network. -action.escu.how_to_implement = This search requires audit computer account management to be enabled on the system in order to generate Event ID 4742. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Event Logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives. -action.escu.known_false_positives = None thus far found -action.escu.creation_date = 2024-05-18 -action.escu.modification_date = 2024-05-18 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect Computer Changed with Anonymous Account - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Detect Zerologon Attack"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Detect Computer Changed with Anonymous Account - Rule -action.correlationsearch.annotations = {"analytic_story": ["Detect Zerologon Attack"], "cis20": ["CIS 10"], "confidence": 70, "cve": ["CVE-2020-1472"], "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1210"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "1400624a-d42d-484d-8843-e6753e6e3645", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4624 OR EventCode=4742 TargetUserName="ANONYMOUS LOGON" LogonType=3 | stats count values(host) as host, values(TargetDomainName) as Domain, values(user) as user | `detect_computer_changed_with_anonymous_account_filter` - -[ESCU - Detect Copy of ShadowCopy with Script Block Logging - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ - \ -This analytic identifies `copy` or `[System.IO.File]::Copy` being used to capture the SAM, SYSTEM or SECURITY hives identified in script block. This will catch the most basic use cases for credentials being taken for offline cracking. \ -During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ - \ -This analytic identifies `copy` or `[System.IO.File]::Copy` being used to capture the SAM, SYSTEM or SECURITY hives identified in script block. This will catch the most basic use cases for credentials being taken for offline cracking. \ -During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = Limited false positives as the scope is limited to SAM, SYSTEM and SECURITY hives. -action.escu.creation_date = 2024-04-26 -action.escu.modification_date = 2024-04-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect Copy of ShadowCopy with Script Block Logging - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Credential Dumping"] -action.risk = 1 -action.risk.param._risk_message = PowerShell was identified running a script to capture the SAM hive on endpoint $dest$ by user $user$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Detect Copy of ShadowCopy with Script Block Logging - Rule -action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2021-36934"], "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "9251299c-ea5b-11eb-a8de-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ - \ -This analytic identifies `copy` or `[System.IO.File]::Copy` being used to capture the SAM, SYSTEM or SECURITY hives identified in script block. This will catch the most basic use cases for credentials being taken for offline cracking. \ -During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. -action.notable.param.rule_title = Detect Copy of ShadowCopy with Script Block Logging -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText IN ("*copy*","*[System.IO.File]::Copy*") AND ScriptBlockText IN ("*System32\\config\\SAM*", "*System32\\config\\SYSTEM*","*System32\\config\\SECURITY*") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_copy_of_shadowcopy_with_script_block_logging_filter` - -[ESCU - Detect Credential Dumping through LSASS access - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the reading of lsass memory, which is consistent with credential dumping. Reading lsass memory is a common technique used by attackers to steal credentials from the Windows operating system. The detection is made by monitoring the sysmon events and filtering for specific access permissions (0x1010 and 0x1410) on the lsass.exe process helps identify potential instances of credential dumping.The detection is important because it suggests that an attacker is attempting to extract credentials from the lsass memory, which can lead to unauthorized access, data breaches, and compromise of sensitive information. Credential dumping is often a precursor to further attacks, such as lateral movement, privilege escalation, or data exfiltration. False positives can occur due to legitimate actions that involve accessing lsass memory. Therefore, extensive triage and investigation are necessary to differentiate between malicious and benign activities. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects the reading of lsass memory, which is consistent with credential dumping. Reading lsass memory is a common technique used by attackers to steal credentials from the Windows operating system. The detection is made by monitoring the sysmon events and filtering for specific access permissions (0x1010 and 0x1410) on the lsass.exe process helps identify potential instances of credential dumping.The detection is important because it suggests that an attacker is attempting to extract credentials from the lsass memory, which can lead to unauthorized access, data breaches, and compromise of sensitive information. Credential dumping is often a precursor to further attacks, such as lateral movement, privilege escalation, or data exfiltration. False positives can occur due to legitimate actions that involve accessing lsass memory. Therefore, extensive triage and investigation are necessary to differentiate between malicious and benign activities. -action.escu.how_to_implement = This search needs Sysmon Logs and a sysmon configuration, which includes EventCode 10 with lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives. -action.escu.known_false_positives = The activity may be legitimate. Other tools can access lsass for legitimate reasons, and it's possible this event could be generated in those cases. In these cases, false positives should be fairly obvious and you may need to tweak the search to eliminate noise. -action.escu.creation_date = 2023-12-27 -action.escu.modification_date = 2023-12-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect Credential Dumping through LSASS access - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["CISA AA23-347A", "Credential Dumping", "Detect Zerologon Attack"] -action.risk = 1 -action.risk.param._risk_message = The $SourceImage$ has attempted access to read $TargetImage$ was identified on endpoint $dest$, this is indicative of credential dumping and should be investigated. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "TargetImage", "risk_object_type": "other", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Detect Credential Dumping through LSASS access - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A", "Credential Dumping", "Detect Zerologon Attack"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "2c365e57-4414-4540-8dc0-73ab10729996", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the reading of lsass memory, which is consistent with credential dumping. Reading lsass memory is a common technique used by attackers to steal credentials from the Windows operating system. The detection is made by monitoring the sysmon events and filtering for specific access permissions (0x1010 and 0x1410) on the lsass.exe process helps identify potential instances of credential dumping.The detection is important because it suggests that an attacker is attempting to extract credentials from the lsass memory, which can lead to unauthorized access, data breaches, and compromise of sensitive information. Credential dumping is often a precursor to further attacks, such as lateral movement, privilege escalation, or data exfiltration. False positives can occur due to legitimate actions that involve accessing lsass memory. Therefore, extensive triage and investigation are necessary to differentiate between malicious and benign activities. -action.notable.param.rule_title = Detect Credential Dumping through LSASS access -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=10 TargetImage=*lsass.exe (GrantedAccess=0x1010 OR GrantedAccess=0x1410) | stats count min(_time) as firstTime max(_time) as lastTime by dest, SourceImage, SourceProcessId, TargetImage, TargetProcessId, EventCode, GrantedAccess | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_credential_dumping_through_lsass_access_filter` - -[ESCU - Detect Empire with PowerShell Script Block Logging - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ - \ -This analytic identifies the common PowerShell stager used by PowerShell-Empire. Each stager that may use PowerShell all uses the same pattern. The initial HTTP will be base64 encoded and use `system.net.webclient`. Note that some obfuscation may evade the analytic. \ -During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ - \ -This analytic identifies the common PowerShell stager used by PowerShell-Empire. Each stager that may use PowerShell all uses the same pattern. The initial HTTP will be base64 encoded and use `system.net.webclient`. Note that some obfuscation may evade the analytic. \ -During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = False positives may only pertain to it not being related to Empire, but another framework. Filter as needed if any applications use the same pattern. -action.escu.creation_date = 2023-04-14 -action.escu.modification_date = 2023-04-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect Empire with PowerShell Script Block Logging - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Data Destruction", "Hermetic Wiper", "Malicious PowerShell"] -action.risk = 1 -action.risk.param._risk_message = The following behavior was identified and typically related to PowerShell-Empire on $Computer$ by $UserID$. -action.risk.param._risk = [{"risk_object_field": "UserID", "risk_object_type": "user", "risk_score": 81}, {"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 81}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Detect Empire with PowerShell Script Block Logging - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Malicious PowerShell"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "bc1dc6b8-c954-11eb-bade-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ - \ -This analytic identifies the common PowerShell stager used by PowerShell-Empire. Each stager that may use PowerShell all uses the same pattern. The initial HTTP will be base64 encoded and use `system.net.webclient`. Note that some obfuscation may evade the analytic. \ -During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. -action.notable.param.rule_title = Detect Empire with PowerShell Script Block Logging -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 (ScriptBlockText=*system.net.webclient* AND ScriptBlockText=*frombase64string*) | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_empire_with_powershell_script_block_logging_filter` - -[ESCU - Detect Excessive Account Lockouts From Endpoint - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects endpoints causing a high number of account lockouts within a short period. It leverages the Windows security event logs ingested into the `Change` datamodel, specifically under the `Account_Management` node, to identify and count lockout events. This activity is significant as it may indicate a brute-force attack or misconfigured system causing repeated authentication failures. If confirmed malicious, this behavior could lead to account lockouts, disrupting user access and potentially indicating an ongoing attack attempting to compromise user credentials. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078", "T1078.002"], "nist": ["DE.AE"]} -action.escu.data_models = ["Change"] -action.escu.eli5 = The following analytic detects endpoints causing a high number of account lockouts within a short period. It leverages the Windows security event logs ingested into the `Change` datamodel, specifically under the `Account_Management` node, to identify and count lockout events. This activity is significant as it may indicate a brute-force attack or misconfigured system causing repeated authentication failures. If confirmed malicious, this behavior could lead to account lockouts, disrupting user access and potentially indicating an ongoing attack attempting to compromise user credentials. -action.escu.how_to_implement = You must ingest your Windows security event logs in the `Change` datamodel under the nodename is `Account_Management`, for this search to execute successfully. Please consider updating the cron schedule and the count of lockouts you want to monitor, according to your environment. \ -**Splunk>Phantom Playbook Integration** If Splunk>Phantom is also configured in your environment, a Playbook called "Excessive Account Lockouts Enrichment and Response" can be configured to run when any results are found by this detection search. The Playbook executes the Contextual and Investigative searches in this Story, conducts additional information gathering on Windows endpoints, and takes a response action to shut down the affected endpoint. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`, add the correct hostname to the "Phantom Instance" field in the Adaptive Response Actions when configuring this detection search, and set the corresponding Playbook to active. \ -Playbook Link:`https://my.phantom.us/4.1/playbook/excessive-account-lockouts-enrichment-and-response/`) -action.escu.known_false_positives = It's possible that a widely used system, such as a kiosk, could cause a large number of account lockouts. -action.escu.creation_date = 2024-05-19 -action.escu.modification_date = 2024-05-19 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect Excessive Account Lockouts From Endpoint - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Active Directory Password Spraying"] -action.risk = 1 -action.risk.param._risk_message = Multiple accounts have been locked out. Review $dest$ and results related to $user$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 36}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 36}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Detect Excessive Account Lockouts From Endpoint - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Password Spraying"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078", "T1078.002"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c026e3dd-7e18-4abb-8f41-929e836efe74", "detection_version": "9"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_Changes.user) as user from datamodel=Change.All_Changes where All_Changes.result="*lock*" by All_Changes.dest All_Changes.result |`drop_dm_object_name("All_Changes")` |`drop_dm_object_name("Account_Management")`| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search count > 5 | `detect_excessive_account_lockouts_from_endpoint_filter` - -[ESCU - Detect Excessive User Account Lockouts - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies user accounts experiencing an excessive number of lockouts within a short timeframe. It leverages the 'Change' data model, specifically focusing on events where the result indicates a lockout. This activity is significant as it may indicate a brute-force attack or misconfiguration, both of which require immediate attention. If confirmed malicious, this behavior could lead to account compromise, unauthorized access, and potential lateral movement within the network. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078", "T1078.003"], "nist": ["DE.AE"]} -action.escu.data_models = ["Change"] -action.escu.eli5 = The following analytic identifies user accounts experiencing an excessive number of lockouts within a short timeframe. It leverages the 'Change' data model, specifically focusing on events where the result indicates a lockout. This activity is significant as it may indicate a brute-force attack or misconfiguration, both of which require immediate attention. If confirmed malicious, this behavior could lead to account compromise, unauthorized access, and potential lateral movement within the network. -action.escu.how_to_implement = ou must ingest your Windows security event logs in the `Change` datamodel under the nodename is `Account_Management`, for this search to execute successfully. Please consider updating the cron schedule and the count of lockouts you want to monitor, according to your environment. -action.escu.known_false_positives = It is possible that a legitimate user is experiencing an issue causing multiple account login failures leading to lockouts. -action.escu.creation_date = 2025-05-20 -action.escu.modification_date = 2025-05-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect Excessive User Account Lockouts - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Active Directory Password Spraying"] -action.risk = 1 -action.risk.param._risk_message = Excessive user account lockouts for $user$ in a short period of time -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 36}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Detect Excessive User Account Lockouts - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Password Spraying"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078", "T1078.003"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "95a7f9a5-6096-437e-a19e-86f42ac609bd", "detection_version": "6"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Change.All_Changes where All_Changes.result="*lock*" by All_Changes.user All_Changes.result |`drop_dm_object_name("All_Changes")` |`drop_dm_object_name("Account_Management")`| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search count > 5 | `detect_excessive_user_account_lockouts_filter` - -[ESCU - Detect Exchange Web Shell - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following query identifies suspicious .aspx created in 3 paths identified by Microsoft as known drop locations for Exchange exploitation related to HAFNIUM group and recently disclosed vulnerablity named ProxyShell and ProxyNotShell. Paths include: `\HttpProxy\owa\auth\`, `\inetpub\wwwroot\aspnet_client\`, and `\HttpProxy\OAB\`. Upon triage, the suspicious .aspx file will likely look obvious on the surface. inspect the contents for script code inside. Identify additional log sources, IIS included, to review source and other potential exploitation. It is often the case that a particular threat is only applicable to a specific subset of systems in your environment. Typically analytics to detect those threats are written without the benefit of being able to only target those systems as well. Writing analytics against all systems when those behaviors are limited to identifiable subsets of those systems is suboptimal. Consider the case ProxyShell vulnerability on Microsoft Exchange Servers. With asset information, a hunter can limit their analytics to systems that have been identified as Exchange servers. A hunter may start with the theory that the exchange server is communicating with new systems that it has not previously. If this theory is run against all publicly facing systems, the amount of noise it will generate will likely render this theory untenable. However, using the asset information to limit this analytic to just the Exchange servers will reduce the noise allowing the hunter to focus only on the systems where this behavioral change is relevant. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1505", "T1505.003", "T1190", "T1133"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following query identifies suspicious .aspx created in 3 paths identified by Microsoft as known drop locations for Exchange exploitation related to HAFNIUM group and recently disclosed vulnerablity named ProxyShell and ProxyNotShell. Paths include: `\HttpProxy\owa\auth\`, `\inetpub\wwwroot\aspnet_client\`, and `\HttpProxy\OAB\`. Upon triage, the suspicious .aspx file will likely look obvious on the surface. inspect the contents for script code inside. Identify additional log sources, IIS included, to review source and other potential exploitation. It is often the case that a particular threat is only applicable to a specific subset of systems in your environment. Typically analytics to detect those threats are written without the benefit of being able to only target those systems as well. Writing analytics against all systems when those behaviors are limited to identifiable subsets of those systems is suboptimal. Consider the case ProxyShell vulnerability on Microsoft Exchange Servers. With asset information, a hunter can limit their analytics to systems that have been identified as Exchange servers. A hunter may start with the theory that the exchange server is communicating with new systems that it has not previously. If this theory is run against all publicly facing systems, the amount of noise it will generate will likely render this theory untenable. However, using the asset information to limit this analytic to just the Exchange servers will reduce the noise allowing the hunter to focus only on the systems where this behavioral change is relevant. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node. -action.escu.known_false_positives = The query is structured in a way that `action` (read, create) is not defined. Review the results of this query, filter, and tune as necessary. It may be necessary to generate this query specific to your endpoint product. -action.escu.creation_date = 2023-11-07 -action.escu.modification_date = 2023-11-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect Exchange Web Shell - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["BlackByte Ransomware", "CISA AA22-257A", "HAFNIUM Group", "ProxyNotShell", "ProxyShell"] -action.risk = 1 -action.risk.param._risk_message = A file - $file_name$ was written to disk that is related to IIS exploitation previously performed by HAFNIUM. Review further file modifications on endpoint $dest$ by user $user$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 81}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 81}, {"risk_object_field": "file_name", "risk_object_type": "other", "risk_score": 81}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Detect Exchange Web Shell - Rule -action.correlationsearch.annotations = {"analytic_story": ["BlackByte Ransomware", "CISA AA22-257A", "HAFNIUM Group", "ProxyNotShell", "ProxyShell"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1505", "T1505.003", "T1190", "T1133"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "8c14eeee-2af1-4a4b-bda8-228da0f4862a", "detection_version": "5"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following query identifies suspicious .aspx created in 3 paths identified by Microsoft as known drop locations for Exchange exploitation related to HAFNIUM group and recently disclosed vulnerablity named ProxyShell and ProxyNotShell. Paths include: `\HttpProxy\owa\auth\`, `\inetpub\wwwroot\aspnet_client\`, and `\HttpProxy\OAB\`. Upon triage, the suspicious .aspx file will likely look obvious on the surface. inspect the contents for script code inside. Identify additional log sources, IIS included, to review source and other potential exploitation. It is often the case that a particular threat is only applicable to a specific subset of systems in your environment. Typically analytics to detect those threats are written without the benefit of being able to only target those systems as well. Writing analytics against all systems when those behaviors are limited to identifiable subsets of those systems is suboptimal. Consider the case ProxyShell vulnerability on Microsoft Exchange Servers. With asset information, a hunter can limit their analytics to systems that have been identified as Exchange servers. A hunter may start with the theory that the exchange server is communicating with new systems that it has not previously. If this theory is run against all publicly facing systems, the amount of noise it will generate will likely render this theory untenable. However, using the asset information to limit this analytic to just the Exchange servers will reduce the noise allowing the hunter to focus only on the systems where this behavioral change is relevant. -action.notable.param.rule_title = Detect Exchange Web Shell -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=System by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | join process_guid, _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*\\HttpProxy\\owa\\auth\\*", "*\\inetpub\\wwwroot\\aspnet_client\\*", "*\\HttpProxy\\OAB\\*") Filesystem.file_name IN( "*.aspx", "*.ashx") by _time span=1h Filesystem.user Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` | fields _time dest user file_create_time file_name file_path process_name process_path process] | dedup file_create_time | table dest user file_create_time, file_name, file_path, process_name | `detect_exchange_web_shell_filter` - -[ESCU - Detect HTML Help Renamed - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a renamed instance of hh.exe (HTML Help) executing a Compiled HTML Help (CHM). This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The "htm" and "html" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Validate it is the legitimate version of hh.exe by reviewing the PE metadata. hh.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.001"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a renamed instance of hh.exe (HTML Help) executing a Compiled HTML Help (CHM). This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The "htm" and "html" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Validate it is the legitimate version of hh.exe by reviewing the PE metadata. hh.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Although unlikely a renamed instance of hh.exe will be used legitimately, filter as needed. -action.escu.creation_date = 2022-04-07 -action.escu.modification_date = 2022-04-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect HTML Help Renamed - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Living Off The Land", "Suspicious Compiled HTML Activity"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Detect HTML Help Renamed - Rule -action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land", "Suspicious Compiled HTML Activity"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.001"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "62fed254-513b-460e-953d-79771493a9f3", "detection_version": "4"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name!=hh.exe AND Processes.original_file_name=HH.EXE by Processes.dest Processes.user Processes.parent_process_name Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_html_help_renamed_filter` - -[ESCU - Detect HTML Help Spawn Child Process - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) that spawns a child process. This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The "htm" and "html" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review child process events and investigate further. hh.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.001"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) that spawns a child process. This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The "htm" and "html" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review child process events and investigate further. hh.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Although unlikely, some legitimate applications (ex. web browsers) may spawn a child process. Filter as needed. -action.escu.creation_date = 2023-11-07 -action.escu.modification_date = 2023-11-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect HTML Help Spawn Child Process - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["AgentTesla", "Living Off The Land", "Suspicious Compiled HTML Activity"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ spawning a child process, typically not normal behavior. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Detect HTML Help Spawn Child Process - Rule -action.correlationsearch.annotations = {"analytic_story": ["AgentTesla", "Living Off The Land", "Suspicious Compiled HTML Activity"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "723716de-ee55-4cd4-9759-c44e7e55ba4b", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) that spawns a child process. This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The "htm" and "html" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review child process events and investigate further. hh.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. -action.notable.param.rule_title = Detect HTML Help Spawn Child Process -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=hh.exe by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_html_help_spawn_child_process_filter` - -[ESCU - Detect HTML Help URL in Command Line - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) file from a remote url. This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The "htm" and "html" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review reputation of remote IP and domain. Some instances, it is worth decompiling the .chm file to review its original contents. hh.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.001"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) file from a remote url. This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The "htm" and "html" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review reputation of remote IP and domain. Some instances, it is worth decompiling the .chm file to review its original contents. hh.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Although unlikely, some legitimate applications may retrieve a CHM remotely, filter as needed. -action.escu.creation_date = 2021-09-16 -action.escu.modification_date = 2021-09-16 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect HTML Help URL in Command Line - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Living Off The Land", "Suspicious Compiled HTML Activity"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ contacting a remote destination to potentally download a malicious payload. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 90}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 90}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 90}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 90}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Detect HTML Help URL in Command Line - Rule -action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land", "Suspicious Compiled HTML Activity"], "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "8c5835b9-39d9-438b-817c-95f14c69a31e", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) file from a remote url. This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The "htm" and "html" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review reputation of remote IP and domain. Some instances, it is worth decompiling the .chm file to review its original contents. hh.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. -action.notable.param.rule_title = Detect HTML Help URL in Command Line -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_hh` Processes.process=*http* by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_html_help_url_in_command_line_filter` - -[ESCU - Detect HTML Help Using InfoTech Storage Handlers - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) file using InfoTech Storage Handlers. This particular technique will load Windows script code from a compiled help file, using InfoTech Storage Handlers. itss.dll will load upon execution. Three InfoTech Storage handlers are supported - ms-its, its, mk:@MSITStore. ITSS may be used to launch a specific html/htm file from within a CHM file. CHM files may contain nearly any file type embedded. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The "htm" and "html" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. hh.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.001"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) file using InfoTech Storage Handlers. This particular technique will load Windows script code from a compiled help file, using InfoTech Storage Handlers. itss.dll will load upon execution. Three InfoTech Storage handlers are supported - ms-its, its, mk:@MSITStore. ITSS may be used to launch a specific html/htm file from within a CHM file. CHM files may contain nearly any file type embedded. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The "htm" and "html" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. hh.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = It is rare to see instances of InfoTech Storage Handlers being used, but it does happen in some legitimate instances. Filter as needed. -action.escu.creation_date = 2021-09-16 -action.escu.modification_date = 2021-09-16 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect HTML Help Using InfoTech Storage Handlers - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Living Off The Land", "Suspicious Compiled HTML Activity"] -action.risk = 1 -action.risk.param._risk_message = $process_name$ has been identified using Infotech Storage Handlers to load a specific file within a CHM on $dest$ under user $user$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 72}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 72}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Detect HTML Help Using InfoTech Storage Handlers - Rule -action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land", "Suspicious Compiled HTML Activity"], "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "0b2eefa5-5508-450d-b970-3dd2fb761aec", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) file using InfoTech Storage Handlers. This particular technique will load Windows script code from a compiled help file, using InfoTech Storage Handlers. itss.dll will load upon execution. Three InfoTech Storage handlers are supported - ms-its, its, mk:@MSITStore. ITSS may be used to launch a specific html/htm file from within a CHM file. CHM files may contain nearly any file type embedded. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The "htm" and "html" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. hh.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. -action.notable.param.rule_title = Detect HTML Help Using InfoTech Storage Handlers -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_hh` Processes.process IN ("*its:*", "*mk:@MSITStore:*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_html_help_using_infotech_storage_handlers_filter` - -[ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. \ - \ -This analytic identifies common Mimikatz functions that may be identified in the script block, including `mimikatz`. This will catch the most basic use cases for Pass the Ticket, Pass the Hash and `-DumprCreds`. \ -During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1003", "T1059.001"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. \ - \ -This analytic identifies common Mimikatz functions that may be identified in the script block, including `mimikatz`. This will catch the most basic use cases for Pass the Ticket, Pass the Hash and `-DumprCreds`. \ -During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = False positives should be limited as the commands being identifies are quite specific to EventCode 4104 and Mimikatz. Filter as needed. -action.escu.creation_date = 2023-12-27 -action.escu.modification_date = 2023-12-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["CISA AA22-264A", "CISA AA22-320A", "CISA AA23-347A", "Data Destruction", "Hermetic Wiper", "Malicious PowerShell", "Sandworm Tools"] -action.risk = 1 -action.risk.param._risk_message = The following behavior was identified and typically related to MimiKatz being loaded within the context of PowerShell on $Computer$ by $UserID$. -action.risk.param._risk = [{"risk_object_field": "UserID", "risk_object_type": "user", "risk_score": 90}, {"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 90}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA22-264A", "CISA AA22-320A", "CISA AA23-347A", "Data Destruction", "Hermetic Wiper", "Malicious PowerShell", "Sandworm Tools"], "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1003", "T1059.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "8148c29c-c952-11eb-9255-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. \ - \ -This analytic identifies common Mimikatz functions that may be identified in the script block, including `mimikatz`. This will catch the most basic use cases for Pass the Ticket, Pass the Hash and `-DumprCreds`. \ -During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. -action.notable.param.rule_title = Detect Mimikatz With PowerShell Script Block Logging -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText IN (*mimikatz*, *-dumpcr*, *sekurlsa::pth*, *kerberos::ptt*, *kerberos::golden*) | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_mimikatz_with_powershell_script_block_logging_filter` - -[ESCU - Detect mshta inline hta execution - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies "mshta.exe" execution with inline protocol handlers. "JavaScript", "VBScript", and "About" are the only supported options when invoking HTA content directly on the command-line. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process "mshta.exe" and its parent process. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies "mshta.exe" execution with inline protocol handlers. "JavaScript", "VBScript", and "About" are the only supported options when invoking HTA content directly on the command-line. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process "mshta.exe" and its parent process. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive. -action.escu.creation_date = 2021-09-16 -action.escu.modification_date = 2021-09-16 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect mshta inline hta execution - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Living Off The Land", "Suspicious MSHTA Activity"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ executing with inline HTA, indicative of defense evasion. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 90}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 90}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 90}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 90}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Detect mshta inline hta execution - Rule -action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land", "Suspicious MSHTA Activity"], "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a0873b32-5b68-11eb-ae93-0242ac130002", "detection_version": "6"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies "mshta.exe" execution with inline protocol handlers. "JavaScript", "VBScript", and "About" are the only supported options when invoking HTA content directly on the command-line. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process "mshta.exe" and its parent process. -action.notable.param.rule_title = Detect mshta inline hta execution -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_mshta` (Processes.process=*vbscript* OR Processes.process=*javascript* OR Processes.process=*about*) by Processes.user Processes.process_name Processes.original_file_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_mshta_inline_hta_execution_filter` - -[ESCU - Detect mshta renamed - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies renamed instances of mshta.exe executing. Mshta.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. This analytic utilizes the internal name of the PE to identify if is the legitimate mshta binary. Further analysis should be performed to review the executed content and validation it is the real mshta. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies renamed instances of mshta.exe executing. Mshta.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. This analytic utilizes the internal name of the PE to identify if is the legitimate mshta binary. Further analysis should be performed to review the executed content and validation it is the real mshta. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Although unlikely, some legitimate applications may use a moved copy of mshta.exe, but never renamed, triggering a false positive. -action.escu.creation_date = 2022-04-07 -action.escu.modification_date = 2022-04-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect mshta renamed - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Living Off The Land", "Suspicious MSHTA Activity"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Detect mshta renamed - Rule -action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land", "Suspicious MSHTA Activity"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "8f45fcf0-5b68-11eb-ae93-0242ac130002", "detection_version": "3"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name!=mshta.exe AND Processes.original_file_name=MSHTA.EXE by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_mshta_renamed_filter` - -[ESCU - Detect MSHTA Url in Command Line - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic identifies when Microsoft HTML Application Host (mshta.exe) utility is used to make remote http connections. Adversaries may use mshta.exe to proxy the download and execution of remote .hta files. The analytic identifies command line arguments of http and https being used. This technique is commonly used by malicious software to bypass preventative controls. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process "rundll32.exe" and its parent process. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic identifies when Microsoft HTML Application Host (mshta.exe) utility is used to make remote http connections. Adversaries may use mshta.exe to proxy the download and execution of remote .hta files. The analytic identifies command line arguments of http and https being used. This technique is commonly used by malicious software to bypass preventative controls. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process "rundll32.exe" and its parent process. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = It is possible legitimate applications may perform this behavior and will need to be filtered. -action.escu.creation_date = 2021-09-16 -action.escu.modification_date = 2021-09-16 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect MSHTA Url in Command Line - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Living Off The Land", "Suspicious MSHTA Activity"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to access a remote destination to download an additional payload. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Detect MSHTA Url in Command Line - Rule -action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land", "Suspicious MSHTA Activity"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "9b3af1e6-5b68-11eb-ae93-0242ac130002", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic identifies when Microsoft HTML Application Host (mshta.exe) utility is used to make remote http connections. Adversaries may use mshta.exe to proxy the download and execution of remote .hta files. The analytic identifies command line arguments of http and https being used. This technique is commonly used by malicious software to bypass preventative controls. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process "rundll32.exe" and its parent process. -action.notable.param.rule_title = Detect MSHTA Url in Command Line -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_mshta` (Processes.process="*http://*" OR Processes.process="*https://*") by Processes.user Processes.process_name Processes.parent_process_name Processes.original_file_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_mshta_url_in_command_line_filter` - -[ESCU - Detect New Local Admin account - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the creation of new accounts that have been elevated to local administrators so that you can take immediate action to mitigate the risks and prevent further unauthorized access or malicious activities. This detection is made by using the Splunk query `wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Administrators) to search for relevant security events in the Windows event log. When a new account is created or an existing account is added to the Administrators group, this analytic identifies this behavior by looking for EventCode 4720 (A user account was created) or EventCode 4732 (A member was added to a security-enabled global group). This analytic specifically focuses on events where the Group_Name is set to Administrators. This detection is important because it suggests that an attacker has gained elevated privileges and can perform malicious actions with administrative access. This can lead to significant impact, such as unauthorized access to sensitive data, unauthorized modifications to systems or configurations, and potential disruption of critical services. identifying this behavior is crucial for a Security Operations Center (SOC). Next steps include reviewing the details of the security event, including the user account that was created or added to the Administrators group. Also, examine the time span between the first and last occurrence of the event to determine if the behavior is ongoing. Additionally, consider any contextual information, such as the destination where the account was created or added to understand the scope and potential impact of the attack. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects the creation of new accounts that have been elevated to local administrators so that you can take immediate action to mitigate the risks and prevent further unauthorized access or malicious activities. This detection is made by using the Splunk query `wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Administrators) to search for relevant security events in the Windows event log. When a new account is created or an existing account is added to the Administrators group, this analytic identifies this behavior by looking for EventCode 4720 (A user account was created) or EventCode 4732 (A member was added to a security-enabled global group). This analytic specifically focuses on events where the Group_Name is set to Administrators. This detection is important because it suggests that an attacker has gained elevated privileges and can perform malicious actions with administrative access. This can lead to significant impact, such as unauthorized access to sensitive data, unauthorized modifications to systems or configurations, and potential disruption of critical services. identifying this behavior is crucial for a Security Operations Center (SOC). Next steps include reviewing the details of the security event, including the user account that was created or added to the Administrators group. Also, examine the time span between the first and last occurrence of the event to determine if the behavior is ongoing. Additionally, consider any contextual information, such as the destination where the account was created or added to understand the scope and potential impact of the attack. -action.escu.how_to_implement = You must be ingesting Windows event logs using the Splunk Windows TA and collecting event code 4720 and 4732 -action.escu.known_false_positives = The activity may be legitimate. For this reason, it's best to verify the account with an administrator and ask whether there was a valid service request for the account creation. If your local administrator group name is not "Administrators", this search may generate an excessive number of false positives -action.escu.creation_date = 2024-02-14 -action.escu.modification_date = 2024-02-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect New Local Admin account - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["CISA AA22-257A", "DHS Report TA18-074A", "HAFNIUM Group"] -action.risk = 1 -action.risk.param._risk_message = A $user$ on $dest$ was added recently. Identify if this was legitimate behavior or not. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 42}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 42}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Detect New Local Admin account - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA22-257A", "DHS Report TA18-074A", "HAFNIUM Group"], "cis20": ["CIS 10"], "confidence": 70, "impact": 60, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "b25f6f62-0712-43c1-b203-083231ffd97d", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the creation of new accounts that have been elevated to local administrators so that you can take immediate action to mitigate the risks and prevent further unauthorized access or malicious activities. This detection is made by using the Splunk query `wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Administrators) to search for relevant security events in the Windows event log. When a new account is created or an existing account is added to the Administrators group, this analytic identifies this behavior by looking for EventCode 4720 (A user account was created) or EventCode 4732 (A member was added to a security-enabled global group). This analytic specifically focuses on events where the Group_Name is set to Administrators. This detection is important because it suggests that an attacker has gained elevated privileges and can perform malicious actions with administrative access. This can lead to significant impact, such as unauthorized access to sensitive data, unauthorized modifications to systems or configurations, and potential disruption of critical services. identifying this behavior is crucial for a Security Operations Center (SOC). Next steps include reviewing the details of the security event, including the user account that was created or added to the Administrators group. Also, examine the time span between the first and last occurrence of the event to determine if the behavior is ongoing. Additionally, consider any contextual information, such as the destination where the account was created or added to understand the scope and potential impact of the attack. -action.notable.param.rule_title = Detect New Local Admin account -action.notable.param.security_domain = access -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Administrators) | transaction src_user connected=false maxspan=180m | rename src_user as user | stats count min(_time) as firstTime max(_time) as lastTime by user dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_new_local_admin_account_filter` - -[ESCU - Detect Outlook exe writing a zip file - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies the execution of `outlook.exe` writing a `.zip` file to the disk. It leverages data from the Endpoint data model, specifically monitoring process and filesystem activities. This behavior is significant as it may indicate the use of Outlook to deliver malicious payloads or exfiltrate data via compressed files. If confirmed malicious, this activity could lead to unauthorized data access, data exfiltration, or the delivery of malware, potentially compromising the security of the affected system and network. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the execution of `outlook.exe` writing a `.zip` file to the disk. It leverages data from the Endpoint data model, specifically monitoring process and filesystem activities. This behavior is significant as it may indicate the use of Outlook to deliver malicious payloads or exfiltrate data via compressed files. If confirmed malicious, this activity could lead to unauthorized data access, data exfiltration, or the delivery of malware, potentially compromising the security of the affected system and network. -action.escu.how_to_implement = You must be ingesting data that records filesystem and process activity from your hosts to populate the Endpoint data model. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or endpoint data sources, such as Sysmon. -action.escu.known_false_positives = It is not uncommon for outlook to write legitimate zip files to the disk. -action.escu.creation_date = 2024-05-19 -action.escu.modification_date = 2024-05-19 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect Outlook exe writing a zip file - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Amadey", "Remcos", "Spearphishing Attachments"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Detect Outlook exe writing a zip file - Rule -action.correlationsearch.annotations = {"analytic_story": ["Amadey", "Remcos", "Spearphishing Attachments"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a51bfe1a-94f0-4822-b1e4-16ae10145893", "detection_version": "5"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the execution of `outlook.exe` writing a `.zip` file to the disk. It leverages data from the Endpoint data model, specifically monitoring process and filesystem activities. This behavior is significant as it may indicate the use of Outlook to deliver malicious payloads or exfiltrate data via compressed files. If confirmed malicious, this activity could lead to unauthorized data access, data exfiltration, or the delivery of malware, potentially compromising the security of the affected system and network. -action.notable.param.rule_title = Detect Outlook exe writing a zip file -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_name=outlook.exe by _time span=5m Processes.parent_process_id Processes.process_id Processes.dest Processes.process_name Processes.parent_process_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename process_id as malicious_id| rename parent_process_id as outlook_id| join malicious_id type=inner[| tstats `security_content_summariesonly` count values(Filesystem.file_path) as file_path values(Filesystem.file_name) as file_name FROM datamodel=Endpoint.Filesystem where (Filesystem.file_path=*.zip* OR Filesystem.file_name=*.lnk ) AND (Filesystem.file_path=C:\\Users* OR Filesystem.file_path=*Local\\Temp*) by _time span=5m Filesystem.process_id Filesystem.file_hash Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename process_id as malicious_id| fields malicious_id outlook_id dest file_path file_name file_hash count file_id] | table firstTime lastTime user malicious_id outlook_id process_name parent_process_name file_name file_path | where file_name != "" | `detect_outlook_exe_writing_a_zip_file_filter` - -[ESCU - Detect Path Interception By Creation Of program exe - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the creation of a program executable in an unquoted service path, a common technique for privilege escalation. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where the parent process is 'services.exe'. This activity is significant because unquoted service paths can be exploited by attackers to execute arbitrary code with elevated privileges. If confirmed malicious, this could allow an attacker to gain higher-level access, potentially leading to full system compromise and persistent control over the affected endpoint. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.009", "T1574"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the creation of a program executable in an unquoted service path, a common technique for privilege escalation. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where the parent process is 'services.exe'. This activity is significant because unquoted service paths can be exploited by attackers to execute arbitrary code with elevated privileges. If confirmed malicious, this could allow an attacker to gain higher-level access, potentially leading to full system compromise and persistent control over the affected endpoint. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2024-05-19 -action.escu.modification_date = 2024-05-19 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect Path Interception By Creation Of program exe - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Windows Persistence Techniques"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to perform privilege escalation by using unquoted service paths. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 49}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Detect Path Interception By Creation Of program exe - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.009", "T1574"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "cbef820c-e1ff-407f-887f-0a9240a2d477", "detection_version": "6"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the creation of a program executable in an unquoted service path, a common technique for privilege escalation. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where the parent process is 'services.exe'. This activity is significant because unquoted service paths can be exploited by attackers to execute arbitrary code with elevated privileges. If confirmed malicious, this could allow an attacker to gain higher-level access, potentially leading to full system compromise and persistent control over the affected endpoint. -action.notable.param.rule_title = Detect Path Interception By Creation Of program exe -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=services.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | rex field=process "^.*?\\\\(?[^\\\\]*\.(?:exe|bat|com|ps1))" | eval process_name = lower(process_name) | eval service_process = lower(service_process) | where process_name != service_process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_path_interception_by_creation_of_program_exe_filter` - -[ESCU - Detect processes used for System Network Configuration Discovery - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the rapid execution of processes used for system network configuration discovery on an endpoint. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process GUIDs, names, parent processes, and command-line executions. This activity is significant as it may indicate an attacker attempting to map the network, which is a common precursor to lateral movement or further exploitation. If confirmed malicious, this behavior could allow an attacker to gain insights into the network topology, identify critical systems, and plan subsequent attacks, potentially leading to data exfiltration or system compromise. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1016"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the rapid execution of processes used for system network configuration discovery on an endpoint. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process GUIDs, names, parent processes, and command-line executions. This activity is significant as it may indicate an attacker attempting to map the network, which is a common precursor to lateral movement or further exploitation. If confirmed malicious, this behavior could allow an attacker to gain insights into the network topology, identify critical systems, and plan subsequent attacks, potentially leading to data exfiltration or system compromise. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = It is uncommon for normal users to execute a series of commands used for network discovery. System administrators often use scripts to execute these commands. These can generate false positives. -action.escu.creation_date = 2024-05-19 -action.escu.modification_date = 2024-05-19 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect processes used for System Network Configuration Discovery - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Unusual Processes"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning multiple $process_name$ was identified on endpoint $dest$ by user $user$ typically not a normal behavior of the process. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 32}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 32}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 32}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 32}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Detect processes used for System Network Configuration Discovery - Rule -action.correlationsearch.annotations = {"analytic_story": ["Unusual Processes"], "cis20": ["CIS 10"], "confidence": 80, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1016"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a51bfe1a-94f0-48cc-b1e4-16ae10145893", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the rapid execution of processes used for system network configuration discovery on an endpoint. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process GUIDs, names, parent processes, and command-line executions. This activity is significant as it may indicate an attacker attempting to map the network, which is a common precursor to lateral movement or further exploitation. If confirmed malicious, this behavior could allow an attacker to gain insights into the network topology, identify critical systems, and plan subsequent attacks, potentially leading to data exfiltration or system compromise. -action.notable.param.rule_title = Detect processes used for System Network Configuration Discovery -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where NOT Processes.user IN ("","unknown") by Processes.dest Processes.process_name Processes.parent_process_name Processes.user _time | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | search `system_network_configuration_discovery_tools` | transaction dest connected=false maxpause=5m |where eventcount>=5 | table firstTime lastTime dest user process_name process parent_process parent_process_name eventcount | `detect_processes_used_for_system_network_configuration_discovery_filter` - -[ESCU - Detect Prohibited Applications Spawning cmd exe - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects executions of cmd.exe spawned by processes that are commonly abused by attackers and do not typically launch cmd.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process GUID, process name, parent process, and command-line executions. This activity is significant because it may indicate an attempt to execute unauthorized commands or scripts, often a precursor to further malicious actions. If confirmed malicious, this behavior could lead to unauthorized code execution, privilege escalation, or persistence within the environment. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.003"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects executions of cmd.exe spawned by processes that are commonly abused by attackers and do not typically launch cmd.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process GUID, process name, parent process, and command-line executions. This activity is significant because it may indicate an attempt to execute unauthorized commands or scripts, often a precursor to further malicious actions. If confirmed malicious, this behavior could lead to unauthorized code execution, privilege escalation, or persistence within the environment. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = There are circumstances where an application may legitimately execute and interact with the Windows command-line interface. Investigate and modify the lookup file, as appropriate. -action.escu.creation_date = 2024-05-16 -action.escu.modification_date = 2024-05-16 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect Prohibited Applications Spawning cmd exe - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["NOBELIUM Group", "Suspicious Command-Line Executions", "Suspicious MSHTA Activity", "Suspicious Zoom Child Processes"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Detect Prohibited Applications Spawning cmd exe - Rule -action.correlationsearch.annotations = {"analytic_story": ["NOBELIUM Group", "Suspicious Command-Line Executions", "Suspicious MSHTA Activity", "Suspicious Zoom Child Processes"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.003"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "dcfd6b40-42f9-469d-a433-2e53f7486664", "detection_version": "7"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` by Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |search [`prohibited_apps_launching_cmd_macro`] | `detect_prohibited_applications_spawning_cmd_exe_filter` - -[ESCU - Detect PsExec With accepteula Flag - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search looks for events where `PsExec.exe` is run with the `accepteula` flag in the command line. PsExec is a built-in Windows utility that enables you to execute processes on other systems. It is fully interactive for console applications. This tool is widely used for launching interactive command prompts on remote systems. Threat actors leverage this extensively for executing code on compromised systems. If an attacker is running PsExec for the first time, they will be prompted to accept the end-user license agreement (EULA), which can be passed as the argument `accepteula` within the command line. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.002"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search looks for events where `PsExec.exe` is run with the `accepteula` flag in the command line. PsExec is a built-in Windows utility that enables you to execute processes on other systems. It is fully interactive for console applications. This tool is widely used for launching interactive command prompts on remote systems. Threat actors leverage this extensively for executing code on compromised systems. If an attacker is running PsExec for the first time, they will be prompted to accept the end-user license agreement (EULA), which can be passed as the argument `accepteula` within the command line. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators can leverage PsExec for accessing remote systems and might pass `accepteula` as an argument if they are running this tool for the first time. However, it is not likely that you'd see multiple occurrences of this event on a machine -action.escu.creation_date = 2021-09-16 -action.escu.modification_date = 2021-09-16 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect PsExec With accepteula Flag - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Lateral Movement", "BlackByte Ransomware", "CISA AA22-320A", "DHS Report TA18-074A", "DarkGate Malware", "DarkSide Ransomware", "HAFNIUM Group", "IcedID", "Rhysida Ransomware", "SamSam Ransomware", "Sandworm Tools", "Volt Typhoon"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ running the utility for possibly the first time. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 35}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 35}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 35}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 35}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Detect PsExec With accepteula Flag - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "BlackByte Ransomware", "CISA AA22-320A", "DHS Report TA18-074A", "DarkGate Malware", "DarkSide Ransomware", "HAFNIUM Group", "IcedID", "Rhysida Ransomware", "SamSam Ransomware", "Sandworm Tools", "Volt Typhoon"], "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.002"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "27c3a83d-cada-47c6-9042-67baf19d2574", "detection_version": "4"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search looks for events where `PsExec.exe` is run with the `accepteula` flag in the command line. PsExec is a built-in Windows utility that enables you to execute processes on other systems. It is fully interactive for console applications. This tool is widely used for launching interactive command prompts on remote systems. Threat actors leverage this extensively for executing code on compromised systems. If an attacker is running PsExec for the first time, they will be prompted to accept the end-user license agreement (EULA), which can be passed as the argument `accepteula` within the command line. -action.notable.param.rule_title = Detect PsExec With accepteula Flag -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_psexec` Processes.process=*accepteula* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)`| `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_psexec_with_accepteula_flag_filter` - -[ESCU - Detect Rare Executables - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the occurrence of rare processes that appear only once across the network within a specified timeframe. It operates by compiling a list of process executions. This detection is crucial for a Security Operations Center (SOC) as it helps in identifying potentially malicious activities or unauthorized software that could indicate a security breach or an ongoing attack. Identifying such rare processes allows for early detection of threats, minimizing the potential impact of an attack which could range from data theft to complete system compromise. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the occurrence of rare processes that appear only once across the network within a specified timeframe. It operates by compiling a list of process executions. This detection is crucial for a Security Operations Center (SOC) as it helps in identifying potentially malicious activities or unauthorized software that could indicate a security breach or an ongoing attack. Identifying such rare processes allows for early detection of threats, minimizing the potential impact of an attack which could range from data theft to complete system compromise. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Some legitimate processes may be only rarely executed in your environment. -action.escu.creation_date = 2024-03-12 -action.escu.modification_date = 2024-03-12 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect Rare Executables - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Rhysida Ransomware", "Unusual Processes"] -action.risk = 1 -action.risk.param._risk_message = A rare process - [$process_name$] has been detected on less than 10 hosts in your environment. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Detect Rare Executables - Rule -action.correlationsearch.annotations = {"analytic_story": ["Rhysida Ransomware", "Unusual Processes"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "44fddcb2-8d3b-454c-874e-7c6de5a4f7ac", "detection_version": "4"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` dc(Processes.dest) as dc_dest values(Processes.dest) as dest values(Processes.user) as user min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.process_name | `drop_dm_object_name(Processes)` | search dc_dest < 10 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rare_executables_filter` - -[ESCU - Detect RClone Command-Line Usage - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic identifies commonly used command-line arguments used by `rclone.exe` to initiate a file transfer. Some arguments were negated as they are specific to the configuration used by adversaries. In particular, an adversary may list the files or directories of the remote file share using `ls` or `lsd`, which is not indicative of malicious behavior. During triage, at this stage of a ransomware event, exfiltration is about to occur or has already. Isolate the endpoint and continue investigating by review file modifications and parallel processes. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1020"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic identifies commonly used command-line arguments used by `rclone.exe` to initiate a file transfer. Some arguments were negated as they are specific to the configuration used by adversaries. In particular, an adversary may list the files or directories of the remote file share using `ls` or `lsd`, which is not indicative of malicious behavior. During triage, at this stage of a ransomware event, exfiltration is about to occur or has already. Isolate the endpoint and continue investigating by review file modifications and parallel processes. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives should be limited as this is restricted to the Rclone process name. Filter or tune the analytic as needed. -action.escu.creation_date = 2021-11-29 -action.escu.modification_date = 2021-11-29 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect RClone Command-Line Usage - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["DarkSide Ransomware", "Ransomware"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to connect to a remote cloud service to move files or folders. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 35}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 35}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 35}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 35}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Detect RClone Command-Line Usage - Rule -action.correlationsearch.annotations = {"analytic_story": ["DarkSide Ransomware", "Ransomware"], "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1020"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "32e0baea-b3f1-11eb-a2ce-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic identifies commonly used command-line arguments used by `rclone.exe` to initiate a file transfer. Some arguments were negated as they are specific to the configuration used by adversaries. In particular, an adversary may list the files or directories of the remote file share using `ls` or `lsd`, which is not indicative of malicious behavior. During triage, at this stage of a ransomware event, exfiltration is about to occur or has already. Isolate the endpoint and continue investigating by review file modifications and parallel processes. -action.notable.param.rule_title = Detect RClone Command-Line Usage -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rclone` Processes.process IN ("*copy*", "*mega*", "*pcloud*", "*ftp*", "*--config*", "*--progress*", "*--no-check-certificate*", "*--ignore-existing*", "*--auto-confirm*", "*--transfers*", "*--multi-thread-streams*") by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rclone_command_line_usage_filter` - -[ESCU - Detect Regasm Spawning a Process - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies regasm.exe spawning a process. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. Spawning of a child process is rare from either process and should be investigated further. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. regsvcs.exe and regasm.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies regasm.exe spawning a process. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. Spawning of a child process is rare from either process and should be investigated further. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. regsvcs.exe and regasm.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Although unlikely, limited instances of regasm.exe or regsvcs.exe may cause a false positive. Filter based endpoint usage, command line arguments, or process lineage. -action.escu.creation_date = 2024-04-29 -action.escu.modification_date = 2024-04-29 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect Regasm Spawning a Process - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["DarkGate Malware", "Living Off The Land", "Snake Keylogger", "Suspicious Regsvcs Regasm Activity"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ spawning a child process, typically not normal behavior for $parent_process_name$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 64}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Detect Regasm Spawning a Process - Rule -action.correlationsearch.annotations = {"analytic_story": ["DarkGate Malware", "Living Off The Land", "Snake Keylogger", "Suspicious Regsvcs Regasm Activity"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "72170ec5-f7d2-42f5-aefb-2b8be6aad15f", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies regasm.exe spawning a process. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. Spawning of a child process is rare from either process and should be investigated further. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. regsvcs.exe and regasm.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe. -action.notable.param.rule_title = Detect Regasm Spawning a Process -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=regasm.exe NOT (Processes.process_name IN ("conhost.exe")) by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regasm_spawning_a_process_filter` - -[ESCU - Detect Regasm with Network Connection - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies regasm.exe with a network connection to a public IP address, exluding private IP space. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. By contacting a remote Command And Control server, the adversary will have the ability to escalate privileges and complete the objectives. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. Review the reputation of the remote IP or domain and block as needed. regsvcs.exe and regasm.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies regasm.exe with a network connection to a public IP address, exluding private IP space. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. By contacting a remote Command And Control server, the adversary will have the ability to escalate privileges and complete the objectives. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. Review the reputation of the remote IP or domain and block as needed. regsvcs.exe and regasm.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -action.escu.known_false_positives = Although unlikely, limited instances of regasm.exe with a network connection may cause a false positive. Filter based endpoint usage, command line arguments, or process lineage. -action.escu.creation_date = 2024-01-30 -action.escu.modification_date = 2024-01-30 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect Regasm with Network Connection - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["Living Off The Land", "Suspicious Regsvcs Regasm Activity"] -action.risk = 1 -action.risk.param._risk_message = An instance of $process_name$ contacting a remote destination was identified on endpoint $dest$ by user $user$. This behavior is not normal for $process_name$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Detect Regasm with Network Connection - Rule -action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land", "Suspicious Regsvcs Regasm Activity"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "07921114-6db4-4e2e-ae58-3ea8a52ae93f", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies regasm.exe with a network connection to a public IP address, exluding private IP space. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. By contacting a remote Command And Control server, the adversary will have the ability to escalate privileges and complete the objectives. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. Review the reputation of the remote IP or domain and block as needed. regsvcs.exe and regasm.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe. -action.notable.param.rule_title = Detect Regasm with Network Connection -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventID=3 dest_ip!=10.0.0.0/8 dest_ip!=172.16.0.0/12 dest_ip!=192.168.0.0/16 process_name=regasm.exe | stats count min(_time) as firstTime max(_time) as lastTime by dest, user, process_name, src_ip, dest_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regasm_with_network_connection_filter` - -[ESCU - Detect Regasm with no Command Line Arguments - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies regasm.exe with no command line arguments. This particular behavior occurs when another process injects into regasm.exe, no command line arguments will be present. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Regasm.exe are natively found in `C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe` and `C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe`. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies regasm.exe with no command line arguments. This particular behavior occurs when another process injects into regasm.exe, no command line arguments will be present. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Regasm.exe are natively found in `C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe` and `C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe`. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Although unlikely, limited instances of regasm.exe or may cause a false positive. Filter based endpoint usage, command line arguments, or process lineage. -action.escu.creation_date = 2022-03-15 -action.escu.modification_date = 2022-03-15 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect Regasm with no Command Line Arguments - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Living Off The Land", "Suspicious Regsvcs Regasm Activity"] -action.risk = 1 -action.risk.param._risk_message = The process $process_name$ was spawned by $parent_process_name$ without any command-line arguments on $dest$ by $user$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 49}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Detect Regasm with no Command Line Arguments - Rule -action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land", "Suspicious Regsvcs Regasm Activity"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c3bc1430-04e7-4178-835f-047d8e6e97df", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies regasm.exe with no command line arguments. This particular behavior occurs when another process injects into regasm.exe, no command line arguments will be present. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Regasm.exe are natively found in `C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe` and `C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe`. -action.notable.param.rule_title = Detect Regasm with no Command Line Arguments -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_regasm` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process="(?i)(regasm\.exe.{0,4}$)" | `detect_regasm_with_no_command_line_arguments_filter` - -[ESCU - Detect Regsvcs Spawning a Process - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies regsvcs.exe spawning a process. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. Spawning of a child process is rare from either process and should be investigated further. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. regsvcs.exe and regasm.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies regsvcs.exe spawning a process. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. Spawning of a child process is rare from either process and should be investigated further. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. regsvcs.exe and regasm.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Although unlikely, limited instances of regasm.exe or regsvcs.exe may cause a false positive. Filter based endpoint usage, command line arguments, or process lineage. -action.escu.creation_date = 2023-11-07 -action.escu.modification_date = 2023-11-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect Regsvcs Spawning a Process - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Living Off The Land", "Suspicious Regsvcs Regasm Activity"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ typically not normal for this process. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 64}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Detect Regsvcs Spawning a Process - Rule -action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land", "Suspicious Regsvcs Regasm Activity"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "bc477b57-5c21-4ab6-9c33-668772e7f114", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies regsvcs.exe spawning a process. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. Spawning of a child process is rare from either process and should be investigated further. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. regsvcs.exe and regasm.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe. -action.notable.param.rule_title = Detect Regsvcs Spawning a Process -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=regsvcs.exe by Processes.parent_process_name Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regsvcs_spawning_a_process_filter` - -[ESCU - Detect Regsvcs with Network Connection - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies Regsvcs.exe with a network connection to a public IP address, exluding private IP space. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. By contacting a remote Command And Control server, the adversary will have the ability to escalate privileges and complete the objectives. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. Review the reputation of the remote IP or domain and block as needed. regsvcs.exe and regasm.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies Regsvcs.exe with a network connection to a public IP address, exluding private IP space. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. By contacting a remote Command And Control server, the adversary will have the ability to escalate privileges and complete the objectives. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. Review the reputation of the remote IP or domain and block as needed. regsvcs.exe and regasm.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -action.escu.known_false_positives = Although unlikely, limited instances of regsvcs.exe may cause a false positive. Filter based endpoint usage, command line arguments, or process lineage. -action.escu.creation_date = 2024-01-30 -action.escu.modification_date = 2024-01-30 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect Regsvcs with Network Connection - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["Living Off The Land", "Suspicious Regsvcs Regasm Activity"] -action.risk = 1 -action.risk.param._risk_message = An instance of $process_name$ contacting a remote destination was identified on endpoint $dest$ by user $user$. This behavior is not normal for $process_name$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Detect Regsvcs with Network Connection - Rule -action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land", "Suspicious Regsvcs Regasm Activity"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e3e7a1c0-f2b9-445c-8493-f30a63522d1a", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies Regsvcs.exe with a network connection to a public IP address, exluding private IP space. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. By contacting a remote Command And Control server, the adversary will have the ability to escalate privileges and complete the objectives. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. Review the reputation of the remote IP or domain and block as needed. regsvcs.exe and regasm.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe. -action.notable.param.rule_title = Detect Regsvcs with Network Connection -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventID=3 dest_ip!=10.0.0.0/8 dest_ip!=172.16.0.0/12 dest_ip!=192.168.0.0/16 process_name=regsvcs.exe | stats count min(_time) as firstTime max(_time) as lastTime by dest, user, process_name, src_ip, dest_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regsvcs_with_network_connection_filter` - -[ESCU - Detect Regsvcs with No Command Line Arguments - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies regsvcs.exe with no command line arguments. This particular behavior occurs when another process injects into regsvcs.exe, no command line arguments will be present. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Regasm.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies regsvcs.exe with no command line arguments. This particular behavior occurs when another process injects into regsvcs.exe, no command line arguments will be present. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Regasm.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Although unlikely, limited instances of regsvcs.exe may cause a false positive. Filter based endpoint usage, command line arguments, or process lineage. -action.escu.creation_date = 2022-03-15 -action.escu.modification_date = 2022-03-15 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect Regsvcs with No Command Line Arguments - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Living Off The Land", "Suspicious Regsvcs Regasm Activity"] -action.risk = 1 -action.risk.param._risk_message = The process $process_name$ was spawned by $parent_process_name$ without any command-line arguments on $dest$ by $user$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 49}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Detect Regsvcs with No Command Line Arguments - Rule -action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land", "Suspicious Regsvcs Regasm Activity"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "6b74d578-a02e-4e94-a0d1-39440d0bf254", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies regsvcs.exe with no command line arguments. This particular behavior occurs when another process injects into regsvcs.exe, no command line arguments will be present. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Regasm.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe. -action.notable.param.rule_title = Detect Regsvcs with No Command Line Arguments -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_regsvcs` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process="(?i)(regsvcs\.exe.{0,4}$)"| `detect_regsvcs_with_no_command_line_arguments_filter` - -[ESCU - Detect Regsvr32 Application Control Bypass - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.This variation of the technique is often referred to as a "Squiblydoo" attack. \ -Upon investigating, look for network connections to remote destinations (internal or external). Be cautious to modify the query to look for "scrobj.dll", the ".dll" is not required to load scrobj. "scrobj.dll" will be loaded by "regsvr32.exe" upon execution. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.010"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.This variation of the technique is often referred to as a "Squiblydoo" attack. \ -Upon investigating, look for network connections to remote destinations (internal or external). Be cautious to modify the query to look for "scrobj.dll", the ".dll" is not required to load scrobj. "scrobj.dll" will be loaded by "regsvr32.exe" upon execution. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Limited false positives related to third party software registering .DLL's. -action.escu.creation_date = 2023-07-10 -action.escu.modification_date = 2023-07-10 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect Regsvr32 Application Control Bypass - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack", "Living Off The Land", "Suspicious Regsvr32 Activity"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ in an attempt to bypass detection and preventative controls was identified on endpoint $dest$ by user $user$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Detect Regsvr32 Application Control Bypass - Rule -action.correlationsearch.annotations = {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack", "Living Off The Land", "Suspicious Regsvr32 Activity"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.010"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "070e9b80-6252-11eb-ae93-0242ac130002", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.This variation of the technique is often referred to as a "Squiblydoo" attack. \ -Upon investigating, look for network connections to remote destinations (internal or external). Be cautious to modify the query to look for "scrobj.dll", the ".dll" is not required to load scrobj. "scrobj.dll" will be loaded by "regsvr32.exe" upon execution. -action.notable.param.rule_title = Detect Regsvr32 Application Control Bypass -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_regsvr32` Processes.process=*scrobj* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_regsvr32_application_control_bypass_filter` - -[ESCU - Detect Remote Access Software Usage File - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects when a file from a known remote access software is written to disk within the environment. Adversaries use these utilities to retain remote access capabilities to the environment. Utilities in the lookup include AnyDesk, GoToMyPC, LogMeIn, TeamViewer and much more. Review the lookup for the entire list and add any others. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1219"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects when a file from a known remote access software is written to disk within the environment. Adversaries use these utilities to retain remote access capabilities to the environment. Utilities in the lookup include AnyDesk, GoToMyPC, LogMeIn, TeamViewer and much more. Review the lookup for the entire list and add any others. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the file path, file name, and the user that created the file. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Filesystem` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Known or approved applications used by the organization or usage of built-in functions. -action.escu.creation_date = 2024-02-22 -action.escu.modification_date = 2024-02-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect Remote Access Software Usage File - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Command And Control", "Insider Threat", "Ransomware"] -action.risk = 1 -action.risk.param._risk_message = A file for known a remote access software [$file_name$] was created on $dest$ by $user$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"threat_object_field": "file_name", "threat_object_type": "file_name"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Detect Remote Access Software Usage File - Rule -action.correlationsearch.annotations = {"analytic_story": ["Command And Control", "Insider Threat", "Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1219"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "3bf5541a-6a45-4fdc-b01d-59b899fff961", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count, min(_time) as firstTime, max(_time) as lastTime, values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.dest, Filesystem.user, Filesystem.file_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Filesystem)` | lookup remote_access_software remote_utility AS file_name OUTPUT isutility, description as signature, comment_reference as desc, category | search isutility = TRUE | `detect_remote_access_software_usage_file_filter` - -[ESCU - Detect Remote Access Software Usage FileInfo - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects when process with file or code signing attributes from a known remote access software is executed with the environment. Adversaries use these utilities to retain remote access capabilities to the environment. Utilities in the lookup include AnyDesk, GoToMyPC, LogMeIn, TeamViewer and much more. Review the lookup for the entire list and add any others. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1219"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects when process with file or code signing attributes from a known remote access software is executed with the environment. Adversaries use these utilities to retain remote access capabilities to the environment. Utilities in the lookup include AnyDesk, GoToMyPC, LogMeIn, TeamViewer and much more. Review the lookup for the entire list and add any others. -action.escu.how_to_implement = This analytic relies on Sysmon to be properly installed and utilized in the environment. Ensure that proper logging is setup for Sysmon and data is being ingested into Splunk. -action.escu.known_false_positives = Known or approved applications used by the organization or usage of built-in functions. -action.escu.creation_date = 2024-02-22 -action.escu.modification_date = 2024-02-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect Remote Access Software Usage FileInfo - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["Command And Control", "Insider Threat", "Ransomware"] -action.risk = 1 -action.risk.param._risk_message = A file attributes for known a remote access software [$process_name$] was detected on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}, {"threat_object_field": "process_name", "threat_object_type": "process"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Detect Remote Access Software Usage FileInfo - Rule -action.correlationsearch.annotations = {"analytic_story": ["Command And Control", "Insider Threat", "Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1219"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "ccad96d7-a48c-4f13-8b9c-9f6a31cba454", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=1 | stats count min(_time) as firstTime max(_time) as lastTime, values(Company) as Company values(Product) as Product by dest, user, parent_process_name, process_name, process | lookup remote_access_software remote_utility_fileinfo AS Product OUTPUT isutility, description as signature, comment_reference as desc, category | search isutility = True | `detect_remote_access_software_usage_fileinfo_filter` - -[ESCU - Detect Remote Access Software Usage Process - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects when a known remote access software is executed within the environment. Adversaries use these utilities to retain remote access capabilities to the environment. Utilities in the lookup include AnyDesk, GoToMyPC, LogMeIn, TeamViewer and much more. Review the lookup for the entire list and add any others. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1219"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects when a known remote access software is executed within the environment. Adversaries use these utilities to retain remote access capabilities to the environment. Utilities in the lookup include AnyDesk, GoToMyPC, LogMeIn, TeamViewer and much more. Review the lookup for the entire list and add any others. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = It is possible that legitimate remote access software is used within the environment. Ensure that the lookup is reviewed and updated with any additional remote access software that is used within the environment. -action.escu.creation_date = 2024-02-22 -action.escu.modification_date = 2024-02-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect Remote Access Software Usage Process - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Command And Control", "Insider Threat", "Ransomware"] -action.risk = 1 -action.risk.param._risk_message = A process for a known remote access software $process_name$ was identified on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"threat_object_field": "process_name", "threat_object_type": "process"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Detect Remote Access Software Usage Process - Rule -action.correlationsearch.annotations = {"analytic_story": ["Command And Control", "Insider Threat", "Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1219"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "ffd5e001-2e34-48f4-97a2-26dc4bb08178", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.parent_process) as parent_process from datamodel=Endpoint.Processes where Processes.dest!=unknown Processes.process!=unknown by Processes.dest Processes.user Processes.process_name Processes.process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | lookup remote_access_software remote_utility AS process_name OUTPUT isutility, description as signature, comment_reference as desc, category | search isutility = True | `detect_remote_access_software_usage_process_filter` - -[ESCU - Detect Renamed 7-Zip - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies renamed 7-Zip usage using Sysmon. At this stage of an attack, review parallel processes and file modifications for data that is staged or potentially have been exfiltrated. This analytic utilizes the OriginalFileName to capture the renamed process. During triage, validate this is the legitimate version of `7zip` by reviewing the PE metadata. In addition, review parallel processes for further suspicious behavior. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1560.001", "T1560"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies renamed 7-Zip usage using Sysmon. At this stage of an attack, review parallel processes and file modifications for data that is staged or potentially have been exfiltrated. This analytic utilizes the OriginalFileName to capture the renamed process. During triage, validate this is the legitimate version of `7zip` by reviewing the PE metadata. In addition, review parallel processes for further suspicious behavior. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Limited false positives, however this analytic will need to be modified for each environment if Sysmon is not used. -action.escu.creation_date = 2021-09-16 -action.escu.modification_date = 2021-09-16 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect Renamed 7-Zip - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Collection and Staging"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Detect Renamed 7-Zip - Rule -action.correlationsearch.annotations = {"analytic_story": ["Collection and Staging"], "cis20": ["CIS 10"], "confidence": 90, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1560.001", "T1560"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "4057291a-b8cf-11eb-95fe-acde48001122", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.original_file_name=7z*.exe AND Processes.process_name!=7z*.exe) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_renamed_7_zip_filter` - -[ESCU - Detect Renamed PSExec - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies renamed instances of `PsExec.exe` being utilized on an endpoint. Most instances, it is highly probable to capture `Psexec.exe` or other SysInternal utility usage with the command-line argument of `-accepteula`. During triage, validate this is the legitimate version of `PsExec` by reviewing the PE metadata. In addition, review parallel processes for further suspicious behavior. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1569", "T1569.002"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies renamed instances of `PsExec.exe` being utilized on an endpoint. Most instances, it is highly probable to capture `Psexec.exe` or other SysInternal utility usage with the command-line argument of `-accepteula`. During triage, validate this is the legitimate version of `PsExec` by reviewing the PE metadata. In addition, review parallel processes for further suspicious behavior. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Limited false positives should be present. It is possible some third party applications may use older versions of PsExec, filter as needed. -action.escu.creation_date = 2022-04-07 -action.escu.modification_date = 2022-04-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect Renamed PSExec - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Lateral Movement", "BlackByte Ransomware", "CISA AA22-320A", "DHS Report TA18-074A", "DarkGate Malware", "DarkSide Ransomware", "HAFNIUM Group", "Rhysida Ransomware", "SamSam Ransomware", "Sandworm Tools"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Detect Renamed PSExec - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "BlackByte Ransomware", "CISA AA22-320A", "DHS Report TA18-074A", "DarkGate Malware", "DarkSide Ransomware", "HAFNIUM Group", "Rhysida Ransomware", "SamSam Ransomware", "Sandworm Tools"], "cis20": ["CIS 10"], "confidence": 90, "impact": 30, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1569", "T1569.002"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "683e6196-b8e8-11eb-9a79-acde48001122", "detection_version": "4"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name!=psexec.exe OR Processes.process_name!=psexec64.exe) AND Processes.original_file_name=psexec.c by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_renamed_psexec_filter` - -[ESCU - Detect Renamed RClone - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the usage of `rclone.exe`, renamed, being used to exfiltrate data to a remote destination. RClone has been used by multiple ransomware groups to exfiltrate data. In many instances, it will be downloaded from the legitimate site and executed accordingly. During triage, isolate the endpoint and begin to review parallel processes for additional behavior. At this stage, the adversary may have staged data to be exfiltrated. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1020"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the usage of `rclone.exe`, renamed, being used to exfiltrate data to a remote destination. RClone has been used by multiple ransomware groups to exfiltrate data. In many instances, it will be downloaded from the legitimate site and executed accordingly. During triage, isolate the endpoint and begin to review parallel processes for additional behavior. At this stage, the adversary may have staged data to be exfiltrated. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives should be limited as this analytic identifies renamed instances of `rclone.exe`. Filter as needed if there is a legitimate business use case. -action.escu.creation_date = 2021-09-16 -action.escu.modification_date = 2021-09-16 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect Renamed RClone - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["DarkSide Ransomware", "Ransomware"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Detect Renamed RClone - Rule -action.correlationsearch.annotations = {"analytic_story": ["DarkSide Ransomware", "Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 30, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1020"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "6dca1124-b3ec-11eb-9328-acde48001122", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.original_file_name=rclone.exe AND Processes.process_name!=rclone.exe) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_renamed_rclone_filter` - -[ESCU - Detect Renamed WinRAR - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analtyic identifies renamed instances of `WinRAR.exe`. In most cases, it is not common for WinRAR to be used renamed, however it is common to be installed by a third party application and executed from a non-standard path. During triage, validate additional metadata from the binary that this is `WinRAR`. Review parallel processes and file modifications. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1560.001", "T1560"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analtyic identifies renamed instances of `WinRAR.exe`. In most cases, it is not common for WinRAR to be used renamed, however it is common to be installed by a third party application and executed from a non-standard path. During triage, validate additional metadata from the binary that this is `WinRAR`. Review parallel processes and file modifications. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Unknown. It is possible third party applications use renamed instances of WinRAR. -action.escu.creation_date = 2021-09-16 -action.escu.modification_date = 2021-09-16 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect Renamed WinRAR - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["CISA AA22-277A", "Collection and Staging"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Detect Renamed WinRAR - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA22-277A", "Collection and Staging"], "cis20": ["CIS 10"], "confidence": 90, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1560.001", "T1560"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "1b7bfb2c-b8e6-11eb-99ac-acde48001122", "detection_version": "3"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.original_file_name=WinRAR.exe (Processes.process_name!=rar.exe OR Processes.process_name!=winrar.exe) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_renamed_winrar_filter` - -[ESCU - Detect RTLO In File Name - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search is used to detect the abuse of the right-to-left override (RTLO or RLO) character (U+202E) RTLO. This technique is used by adversaries to disguise a string and/or file name to make it appear benign. The RTLO character is a non-printing Unicode character that causes the text that follows it to be displayed in reverse. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036.002", "T1036"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search is used to detect the abuse of the right-to-left override (RTLO or RLO) character (U+202E) RTLO. This technique is used by adversaries to disguise a string and/or file name to make it appear benign. The RTLO character is a non-printing Unicode character that causes the text that follows it to be displayed in reverse. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that includes the full command line of the process being launched on your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -action.escu.known_false_positives = Implementation in regions that use right to left in native language. -action.escu.creation_date = 2023-04-26 -action.escu.modification_date = 2023-04-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect RTLO In File Name - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Spearphishing Attachments"] -action.risk = 1 -action.risk.param._risk_message = Suspicious RTLO detected in $file_name$ on endpoint $dest$ by user $user$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 40}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 40}, {"threat_object_field": "file_name", "threat_object_type": "file_name"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Detect RTLO In File Name - Rule -action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments"], "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036.002", "T1036"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "468b7e11-d362-43b8-b6ec-7a2d3b246678", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search is used to detect the abuse of the right-to-left override (RTLO or RLO) character (U+202E) RTLO. This technique is used by adversaries to disguise a string and/or file name to make it appear benign. The RTLO character is a non-printing Unicode character that causes the text that follows it to be displayed in reverse. -action.notable.param.rule_title = Detect RTLO In File Name -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.file_create_time) as file_create_time from datamodel=Endpoint.Filesystem where Filesystem.file_name!=unknown by Filesystem.dest Filesystem.user Filesystem.process_id Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex file_name = "\\x{202E}" | rex field=file_name "(?.+)(?\\x{202E})(?.+)" | eval file_name_with_RTLO=file_name | eval file_name=RTLO_file_1.RTLO_file_2 | fields - RTLO* | `detect_rtlo_in_file_name_filter` - -[ESCU - Detect RTLO In Process - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search is used to detect the abuse of the right-to-left override (RTLO or RLO) character (U+202E) RTLO. This technique is used by adversaries to disguise a string and/or file name to make it appear benign. The RTLO character is a non-printing Unicode character that causes the text that follows it to be displayed in reverse. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036.002", "T1036"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search is used to detect the abuse of the right-to-left override (RTLO or RLO) character (U+202E) RTLO. This technique is used by adversaries to disguise a string and/or file name to make it appear benign. The RTLO character is a non-printing Unicode character that causes the text that follows it to be displayed in reverse. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Implementation in regions that use right to left in native language. -action.escu.creation_date = 2023-04-26 -action.escu.modification_date = 2023-04-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect RTLO In Process - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Spearphishing Attachments"] -action.risk = 1 -action.risk.param._risk_message = Suspicious RTLO detected in $process_name$ on endpoint $dest$ by user $user$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 40}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 40}, {"threat_object_field": "process_name", "threat_object_type": "process"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Detect RTLO In Process - Rule -action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments"], "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036.002", "T1036"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "22ac27b4-7189-4a4f-9375-b9017c9620d7", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search is used to detect the abuse of the right-to-left override (RTLO or RLO) character (U+202E) RTLO. This technique is used by adversaries to disguise a string and/or file name to make it appear benign. The RTLO character is a non-printing Unicode character that causes the text that follows it to be displayed in reverse. -action.notable.param.rule_title = Detect RTLO In Process -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process!=unknown AND Processes.action=allowed by Processes.dest Processes.user Processes.original_file_name Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | regex process="\\x{202E}" | rex field=process "(?.+)(?\\x{202E})(?.+)" | eval process_with_RTLO=process | eval process=RTLO_command_1.RTLO_command_2 | fields - RTLO* | `detect_rtlo_in_process_filter` - -[ESCU - Detect Rundll32 Application Control Bypass - advpack - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies rundll32.exe loading advpack.dll and ieadvpack.dll by calling the LaunchINFSection function on the command line. This particular technique will load script code from a file. Upon a successful execution, the following module loads may occur - clr.dll, jscript.dll and scrobj.dll. During investigation, identify script content origination. Generally, a child process will spawn from rundll32.exe, but that may be bypassed based on script code contents. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. During investigation, review any network connections and obtain the script content executed. It's possible other files are on disk. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies rundll32.exe loading advpack.dll and ieadvpack.dll by calling the LaunchINFSection function on the command line. This particular technique will load script code from a file. Upon a successful execution, the following module loads may occur - clr.dll, jscript.dll and scrobj.dll. During investigation, identify script content origination. Generally, a child process will spawn from rundll32.exe, but that may be bypassed based on script code contents. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. During investigation, review any network connections and obtain the script content executed. It's possible other files are on disk. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Although unlikely, some legitimate applications may use advpack.dll or ieadvpack.dll, triggering a false positive. -action.escu.creation_date = 2021-02-04 -action.escu.modification_date = 2021-02-04 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect Rundll32 Application Control Bypass - advpack - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Living Off The Land", "Suspicious Rundll32 Activity"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ loading advpack.dll and ieadvpack.dll by calling the LaunchINFSection function on the command line was identified on endpoint $dest$ by user $user$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Detect Rundll32 Application Control Bypass - advpack - Rule -action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land", "Suspicious Rundll32 Activity"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "4aefadfe-9abd-4bf8-b3fd-867e9ef95bf8", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies rundll32.exe loading advpack.dll and ieadvpack.dll by calling the LaunchINFSection function on the command line. This particular technique will load script code from a file. Upon a successful execution, the following module loads may occur - clr.dll, jscript.dll and scrobj.dll. During investigation, identify script content origination. Generally, a child process will spawn from rundll32.exe, but that may be bypassed based on script code contents. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. During investigation, review any network connections and obtain the script content executed. It's possible other files are on disk. -action.notable.param.rule_title = Detect Rundll32 Application Control Bypass - advpack -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*advpack* by Processes.dest Processes.user Processes.parent_process_name Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rundll32_application_control_bypass___advpack_filter` - -[ESCU - Detect Rundll32 Application Control Bypass - setupapi - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies rundll32.exe loading setupapi.dll and iesetupapi.dll by calling the LaunchINFSection function on the command line. This particular technique will load script code from a file. Upon a successful execution, the following module loads may occur - clr.dll, jscript.dll and scrobj.dll. During investigation, identify script content origination. Generally, a child process will spawn from rundll32.exe, but that may be bypassed based on script code contents. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. During investigation, review any network connections and obtain the script content executed. It's possible other files are on disk. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies rundll32.exe loading setupapi.dll and iesetupapi.dll by calling the LaunchINFSection function on the command line. This particular technique will load script code from a file. Upon a successful execution, the following module loads may occur - clr.dll, jscript.dll and scrobj.dll. During investigation, identify script content origination. Generally, a child process will spawn from rundll32.exe, but that may be bypassed based on script code contents. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. During investigation, review any network connections and obtain the script content executed. It's possible other files are on disk. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Although unlikely, some legitimate applications may use setupapi triggering a false positive. -action.escu.creation_date = 2021-02-04 -action.escu.modification_date = 2021-02-04 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect Rundll32 Application Control Bypass - setupapi - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Living Off The Land", "Suspicious Rundll32 Activity"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ loading setupapi.dll and iesetupapi.dll by calling the LaunchINFSection function on the command line was identified on endpoint $dest$ by user $user$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Detect Rundll32 Application Control Bypass - setupapi - Rule -action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land", "Suspicious Rundll32 Activity"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "61e7b44a-6088-4f26-b788-9a96ba13b37a", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies rundll32.exe loading setupapi.dll and iesetupapi.dll by calling the LaunchINFSection function on the command line. This particular technique will load script code from a file. Upon a successful execution, the following module loads may occur - clr.dll, jscript.dll and scrobj.dll. During investigation, identify script content origination. Generally, a child process will spawn from rundll32.exe, but that may be bypassed based on script code contents. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. During investigation, review any network connections and obtain the script content executed. It's possible other files are on disk. -action.notable.param.rule_title = Detect Rundll32 Application Control Bypass - setupapi -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*setupapi* by Processes.dest Processes.user Processes.parent_process_name Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rundll32_application_control_bypass___setupapi_filter` - -[ESCU - Detect Rundll32 Application Control Bypass - syssetup - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies rundll32.exe loading syssetup.dll by calling the LaunchINFSection function on the command line. This particular technique will load script code from a file. Upon a successful execution, the following module loads may occur - clr.dll, jscript.dll and scrobj.dll. During investigation, identify script content origination. Generally, a child process will spawn from rundll32.exe, but that may be bypassed based on script code contents. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. During investigation, review any network connections and obtain the script content executed. It's possible other files are on disk. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies rundll32.exe loading syssetup.dll by calling the LaunchINFSection function on the command line. This particular technique will load script code from a file. Upon a successful execution, the following module loads may occur - clr.dll, jscript.dll and scrobj.dll. During investigation, identify script content origination. Generally, a child process will spawn from rundll32.exe, but that may be bypassed based on script code contents. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. During investigation, review any network connections and obtain the script content executed. It's possible other files are on disk. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Although unlikely, some legitimate applications may use syssetup.dll, triggering a false positive. -action.escu.creation_date = 2021-02-04 -action.escu.modification_date = 2021-02-04 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect Rundll32 Application Control Bypass - syssetup - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Living Off The Land", "Suspicious Rundll32 Activity"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ loading syssetup.dll by calling the LaunchINFSection function on the command line was identified on endpoint $dest$ by user $user$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Detect Rundll32 Application Control Bypass - syssetup - Rule -action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land", "Suspicious Rundll32 Activity"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "71b9bf37-cde1-45fb-b899-1b0aa6fa1183", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies rundll32.exe loading syssetup.dll by calling the LaunchINFSection function on the command line. This particular technique will load script code from a file. Upon a successful execution, the following module loads may occur - clr.dll, jscript.dll and scrobj.dll. During investigation, identify script content origination. Generally, a child process will spawn from rundll32.exe, but that may be bypassed based on script code contents. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. During investigation, review any network connections and obtain the script content executed. It's possible other files are on disk. -action.notable.param.rule_title = Detect Rundll32 Application Control Bypass - syssetup -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*syssetup* by Processes.dest Processes.user Processes.parent_process_name Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rundll32_application_control_bypass___syssetup_filter` - -[ESCU - Detect Rundll32 Inline HTA Execution - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies "rundll32.exe" execution with inline protocol handlers. "JavaScript", "VBScript", and "About" are the only supported options when invoking HTA content directly on the command-line. This type of behavior is commonly observed with fileless malware or application whitelisting bypass techniques. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process "rundll32.exe" and its parent process. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies "rundll32.exe" execution with inline protocol handlers. "JavaScript", "VBScript", and "About" are the only supported options when invoking HTA content directly on the command-line. This type of behavior is commonly observed with fileless malware or application whitelisting bypass techniques. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process "rundll32.exe" and its parent process. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive. -action.escu.creation_date = 2021-01-20 -action.escu.modification_date = 2021-01-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect Rundll32 Inline HTA Execution - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Living Off The Land", "NOBELIUM Group", "Suspicious MSHTA Activity"] -action.risk = 1 -action.risk.param._risk_message = Suspicious rundll32.exe inline HTA execution on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Detect Rundll32 Inline HTA Execution - Rule -action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land", "NOBELIUM Group", "Suspicious MSHTA Activity"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "91c79f14-5b41-11eb-ae93-0242ac130002", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies "rundll32.exe" execution with inline protocol handlers. "JavaScript", "VBScript", and "About" are the only supported options when invoking HTA content directly on the command-line. This type of behavior is commonly observed with fileless malware or application whitelisting bypass techniques. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process "rundll32.exe" and its parent process. -action.notable.param.rule_title = Detect Rundll32 Inline HTA Execution -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` (Processes.process=*vbscript* OR Processes.process=*javascript* OR Processes.process=*about*) by Processes.user Processes.process_name Processes.parent_process_name Processes.original_file_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_rundll32_inline_hta_execution_filter` - -[ESCU - Detect SharpHound Command-Line Arguments - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies common command-line arguments used by SharpHound `-collectionMethod` and `invoke-bloodhound`. Being the script is FOSS, function names may be modified, but these changes are dependent upon the operator. In most instances the defaults are used. This analytic works to identify the common command-line attributes used. It does not cover the entirety of every argument in order to avoid false positives. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies common command-line arguments used by SharpHound `-collectionMethod` and `invoke-bloodhound`. Being the script is FOSS, function names may be modified, but these changes are dependent upon the operator. In most instances the defaults are used. This analytic works to identify the common command-line attributes used. It does not cover the entirety of every argument in order to avoid false positives. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives should be limited as the arguments used are specific to SharpHound. Filter as needed or add more command-line arguments as needed. -action.escu.creation_date = 2024-03-14 -action.escu.modification_date = 2024-03-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect SharpHound Command-Line Arguments - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Ransomware", "Windows Discovery Techniques"] -action.risk = 1 -action.risk.param._risk_message = Possible SharpHound command-Line arguments identified on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 24}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Detect SharpHound Command-Line Arguments - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Windows Discovery Techniques"], "cis20": ["CIS 10"], "confidence": 80, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a0bdd2f6-c2ff-11eb-b918-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies common command-line arguments used by SharpHound `-collectionMethod` and `invoke-bloodhound`. Being the script is FOSS, function names may be modified, but these changes are dependent upon the operator. In most instances the defaults are used. This analytic works to identify the common command-line attributes used. It does not cover the entirety of every argument in order to avoid false positives. -action.notable.param.rule_title = Detect SharpHound Command-Line Arguments -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN ("*-collectionMethod*","*invoke-bloodhound*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_sharphound_command_line_arguments_filter` - -[ESCU - Detect SharpHound File Modifications - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = SharpHound is used as a reconnaissance collector, ingestor, for BloodHound. SharpHound will query the domain controller and begin gathering all the data related to the domain and trusts. For output, it will drop a .zip file upon completion following a typical pattern that is often not changed. This analytic focuses on the default file name scheme. Note that this may be evaded with different parameters within SharpHound, but that depends on the operator. `-randomizefilenames` and `-encryptzip` are two examples. In addition, executing SharpHound via .exe or .ps1 without any command-line arguments will still perform activity and dump output to the default filename. Example default filename `20210601181553_BloodHound.zip`. SharpHound creates multiple temp files following the same pattern `20210601182121_computers.json`, `domains.json`, `gpos.json`, `ous.json` and `users.json`. Tuning may be required, or remove these json's entirely if it is too noisy. During traige, review parallel processes for further suspicious behavior. Typically, the process executing the `.ps1` ingestor will be PowerShell. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = SharpHound is used as a reconnaissance collector, ingestor, for BloodHound. SharpHound will query the domain controller and begin gathering all the data related to the domain and trusts. For output, it will drop a .zip file upon completion following a typical pattern that is often not changed. This analytic focuses on the default file name scheme. Note that this may be evaded with different parameters within SharpHound, but that depends on the operator. `-randomizefilenames` and `-encryptzip` are two examples. In addition, executing SharpHound via .exe or .ps1 without any command-line arguments will still perform activity and dump output to the default filename. Example default filename `20210601181553_BloodHound.zip`. SharpHound creates multiple temp files following the same pattern `20210601182121_computers.json`, `domains.json`, `gpos.json`, `ous.json` and `users.json`. Tuning may be required, or remove these json's entirely if it is too noisy. During traige, review parallel processes for further suspicious behavior. Typically, the process executing the `.ps1` ingestor will be PowerShell. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on file modifications that include the name of the process, and file, responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. -action.escu.known_false_positives = False positives should be limited as the analytic is specific to a filename with extension .zip. Filter as needed. -action.escu.creation_date = 2024-03-14 -action.escu.modification_date = 2024-03-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect SharpHound File Modifications - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Ransomware", "Windows Discovery Techniques"] -action.risk = 1 -action.risk.param._risk_message = Potential SharpHound file modifications identified on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 24}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 24}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Detect SharpHound File Modifications - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Windows Discovery Techniques"], "cis20": ["CIS 10"], "confidence": 80, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "42b4b438-beed-11eb-ba1d-acde48001122", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = SharpHound is used as a reconnaissance collector, ingestor, for BloodHound. SharpHound will query the domain controller and begin gathering all the data related to the domain and trusts. For output, it will drop a .zip file upon completion following a typical pattern that is often not changed. This analytic focuses on the default file name scheme. Note that this may be evaded with different parameters within SharpHound, but that depends on the operator. `-randomizefilenames` and `-encryptzip` are two examples. In addition, executing SharpHound via .exe or .ps1 without any command-line arguments will still perform activity and dump output to the default filename. Example default filename `20210601181553_BloodHound.zip`. SharpHound creates multiple temp files following the same pattern `20210601182121_computers.json`, `domains.json`, `gpos.json`, `ous.json` and `users.json`. Tuning may be required, or remove these json's entirely if it is too noisy. During traige, review parallel processes for further suspicious behavior. Typically, the process executing the `.ps1` ingestor will be PowerShell. -action.notable.param.rule_title = Detect SharpHound File Modifications -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*bloodhound.zip", "*_computers.json", "*_gpos.json", "*_domains.json", "*_users.json", "*_groups.json", "*_ous.json", "*_containers.json") by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.user| `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_sharphound_file_modifications_filter` - -[ESCU - Detect SharpHound Usage - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies SharpHound binary usage by using the original filena,e. In addition to renaming the PE, other coverage is available to detect command-line arguments. This particular analytic looks for the original_file_name of `SharpHound.exe` and the process name. It is possible older instances of SharpHound.exe have different original filenames. Dependent upon the operator, the code may be re-compiled and the attributes removed or changed to anything else. During triage, review the metadata of the binary in question. Review parallel processes for suspicious behavior. Identify the source of this binary. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies SharpHound binary usage by using the original filena,e. In addition to renaming the PE, other coverage is available to detect command-line arguments. This particular analytic looks for the original_file_name of `SharpHound.exe` and the process name. It is possible older instances of SharpHound.exe have different original filenames. Dependent upon the operator, the code may be re-compiled and the attributes removed or changed to anything else. During triage, review the metadata of the binary in question. Review parallel processes for suspicious behavior. Identify the source of this binary. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives should be limited as this is specific to a file attribute not used by anything else. Filter as needed. -action.escu.creation_date = 2024-03-14 -action.escu.modification_date = 2024-03-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect SharpHound Usage - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Ransomware", "Windows Discovery Techniques"] -action.risk = 1 -action.risk.param._risk_message = Potential SharpHound binary identified on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 24}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Detect SharpHound Usage - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Windows Discovery Techniques"], "cis20": ["CIS 10"], "confidence": 80, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "dd04b29a-beed-11eb-87bc-acde48001122", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies SharpHound binary usage by using the original filena,e. In addition to renaming the PE, other coverage is available to detect command-line arguments. This particular analytic looks for the original_file_name of `SharpHound.exe` and the process name. It is possible older instances of SharpHound.exe have different original filenames. Dependent upon the operator, the code may be re-compiled and the attributes removed or changed to anything else. During triage, review the metadata of the binary in question. Review parallel processes for suspicious behavior. Identify the source of this binary. -action.notable.param.rule_title = Detect SharpHound Usage -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=sharphound.exe OR Processes.original_file_name=SharpHound.exe) by Processes.dest Processes.user Processes.parent_process_name Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_sharphound_usage_filter` - -[ESCU - Detect suspicious processnames using pretrained model in DSDL - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic uses a pre-trained Deep Learning model to predict whether a processname is suspicious or not. Malwares and malicious programs such as ransomware often use tactics, techniques, and procedures (TTPs) such as copying malicious files to the local machine to propagate themselves across the network. A key indicator of compromise is that after a successful execution of the malware, it copies itself as an executable file with a randomly generated filename and places this file in one of the directories. Such techniques are seen in several malwares such as TrickBot. We develop machine learning model that uses a Recurrent Neural Network (RNN) to distinguish between malicious and benign processnames. The model is trained independently and is then made available for download. We use a character level RNN to classify malicious vs. benign processnames. The higher is_malicious_prob, the more likely is the processname to be suspicious (between [0,1]). The threshold for flagging a processname as suspicious is set as 0.5. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic uses a pre-trained Deep Learning model to predict whether a processname is suspicious or not. Malwares and malicious programs such as ransomware often use tactics, techniques, and procedures (TTPs) such as copying malicious files to the local machine to propagate themselves across the network. A key indicator of compromise is that after a successful execution of the malware, it copies itself as an executable file with a randomly generated filename and places this file in one of the directories. Such techniques are seen in several malwares such as TrickBot. We develop machine learning model that uses a Recurrent Neural Network (RNN) to distinguish between malicious and benign processnames. The model is trained independently and is then made available for download. We use a character level RNN to classify malicious vs. benign processnames. The higher is_malicious_prob, the more likely is the processname to be suspicious (between [0,1]). The threshold for flagging a processname as suspicious is set as 0.5. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives may be present if a suspicious processname is similar to a benign processname. -action.escu.creation_date = 2023-01-23 -action.escu.modification_date = 2023-01-23 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect suspicious processnames using pretrained model in DSDL - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Suspicious Command-Line Executions"] -action.risk = 1 -action.risk.param._risk_message = The process $process$ is running from an unusual place by $user$ on $dest$ with a processname that appears to be randomly generated. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 45}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 45}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Detect suspicious processnames using pretrained model in DSDL - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious Command-Line Executions"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a15f8977-ad7d-4669-92ef-b59b97219bf5", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.process_name Processes.parent_process_name Processes.process Processes.user Processes.dest | `drop_dm_object_name(Processes)` | rename process_name as text | fields text, parent_process_name, process, user, dest | apply detect_suspicious_processnames_using_pretrained_model_in_dsdl | rename predicted_label as is_suspicious_score | rename text as process_name | where is_suspicious_score > 0.5 | `detect_suspicious_processnames_using_pretrained_model_in_dsdl_filter` - -[ESCU - Detect Use of cmd exe to Launch Script Interpreters - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search looks for the execution of the cscript.exe or wscript.exe processes, with a parent of cmd.exe. The search will return the count, the first and last time this execution was seen on a machine, the user, and the destination of the machine -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.003"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search looks for the execution of the cscript.exe or wscript.exe processes, with a parent of cmd.exe. The search will return the count, the first and last time this execution was seen on a machine, the user, and the destination of the machine -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = This detection may also be triggered by legitimate applications and numerous service accounts, which often end with a $ sign. To manage this, it's advised to check the service account's activities and, if they are valid, modify the filter macro to exclude them. -action.escu.creation_date = 2023-12-07 -action.escu.modification_date = 2023-12-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect Use of cmd exe to Launch Script Interpreters - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Azorult", "Emotet Malware DHS Report TA18-201A", "Suspicious Command-Line Executions"] -action.risk = 1 -action.risk.param._risk_message = cmd.exe launching script interpreters $process_name$ on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 35}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Detect Use of cmd exe to Launch Script Interpreters - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azorult", "Emotet Malware DHS Report TA18-201A", "Suspicious Command-Line Executions"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "b89919ed-fe5f-492c-b139-95dbb162039e", "detection_version": "5"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search looks for the execution of the cscript.exe or wscript.exe processes, with a parent of cmd.exe. The search will return the count, the first and last time this execution was seen on a machine, the user, and the destination of the machine -action.notable.param.rule_title = Detect Use of cmd exe to Launch Script Interpreters -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name="cmd.exe" (Processes.process_name=cscript.exe OR Processes.process_name =wscript.exe) by Processes.parent_process Processes.process_name Processes.process Processes.user Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `detect_use_of_cmd_exe_to_launch_script_interpreters_filter` - -[ESCU - Detect Webshell Exploit Behavior - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search is used to detect the abuse of web applications by adversaries. Adversaries may install a backdoor or script onto web servers by exploiting known vulnerabilities or misconfigruations. Web shells are used to establish persistent access to systems and provide a set of executable functions or a command-line interface on the system hosting the Web server. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1505", "T1505.003"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search is used to detect the abuse of web applications by adversaries. Adversaries may install a backdoor or script onto web servers by exploiting known vulnerabilities or misconfigruations. Web shells are used to establish persistent access to systems and provide a set of executable functions or a command-line interface on the system hosting the Web server. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Legitimate OS functions called by vendor applications, baseline the environment and filter before enabling. Recommend throttle by dest/process_name -action.escu.creation_date = 2023-07-10 -action.escu.modification_date = 2023-07-10 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect Webshell Exploit Behavior - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["BlackByte Ransomware", "CISA AA22-257A", "CISA AA22-264A", "Citrix ShareFile RCE CVE-2023-24489", "Flax Typhoon", "HAFNIUM Group", "ProxyNotShell", "ProxyShell", "SysAid On-Prem Software CVE-2023-47246 Vulnerability", "WS FTP Server Critical Vulnerabilities"] -action.risk = 1 -action.risk.param._risk_message = Webshell Exploit Behavior - $parent_process_name$ spawned $process_name$ on $dest$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"threat_object_field": "process_name", "threat_object_type": "process"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Detect Webshell Exploit Behavior - Rule -action.correlationsearch.annotations = {"analytic_story": ["BlackByte Ransomware", "CISA AA22-257A", "CISA AA22-264A", "Citrix ShareFile RCE CVE-2023-24489", "Flax Typhoon", "HAFNIUM Group", "ProxyNotShell", "ProxyShell", "SysAid On-Prem Software CVE-2023-47246 Vulnerability", "WS FTP Server Critical Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 80, "impact": 100, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1505", "T1505.003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "22597426-6dbd-49bd-bcdc-4ec19857192f", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search is used to detect the abuse of web applications by adversaries. Adversaries may install a backdoor or script onto web servers by exploiting known vulnerabilities or misconfigruations. Web shells are used to establish persistent access to systems and provide a set of executable functions or a command-line interface on the system hosting the Web server. -action.notable.param.rule_title = Detect Webshell Exploit Behavior -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime from datamodel=Endpoint.Processes where (Processes.process_name IN ("arp.exe","at.exe","bash.exe","bitsadmin.exe","certutil.exe","cmd.exe","cscript.exe", "dsget.exe","dsquery.exe","find.exe","findstr.exe","fsutil.exe","hostname.exe","ipconfig.exe","ksh.exe","nbstat.exe", "net.exe","net1.exe","netdom.exe","netsh.exe","netstat.exe","nltest.exe","nslookup.exe","ntdsutil.exe","pathping.exe", "ping.exe","powershell.exe","pwsh.exe","qprocess.exe","query.exe","qwinsta.exe","reg.exe","rundll32.exe","sc.exe", "scrcons.exe","schtasks.exe","sh.exe","systeminfo.exe","tasklist.exe","tracert.exe","ver.exe","vssadmin.exe", "wevtutil.exe","whoami.exe","wmic.exe","wscript.exe","wusa.exe","zsh.exe") AND Processes.parent_process_name IN ("w3wp.exe", "http*.exe", "nginx*.exe", "php*.exe", "php-cgi*.exe","tomcat*.exe")) by Processes.dest,Processes.user,Processes.parent_process,Processes.parent_process_name,Processes.process,Processes.process_name | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_webshell_exploit_behavior_filter` - -[ESCU - Detect WMI Event Subscription Persistence - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the use of WMI Event Subscription to establish persistence or perform privilege escalation. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges. This analytic is restricted by commonly added process execution and a path. If the volume is low enough, remove the values and flag on any new subscriptions. \ -All event subscriptions have three components \ -1. Filter - WQL Query for the events we want. EventID equals 19 \ -1. Consumer - An action to take upon triggering the filter. EventID equals 20 \ -1. Binding - Registers a filter to a consumer. EventID equals 21 \ -Monitor for the creation of new WMI EventFilter, EventConsumer, and FilterToConsumerBinding. It may be pertinent to review all 3 to identify the flow of execution. In addition, EventCode 4104 may assist with any other PowerShell script usage that registered the subscription. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1546.003", "T1546"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies the use of WMI Event Subscription to establish persistence or perform privilege escalation. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges. This analytic is restricted by commonly added process execution and a path. If the volume is low enough, remove the values and flag on any new subscriptions. \ -All event subscriptions have three components \ -1. Filter - WQL Query for the events we want. EventID equals 19 \ -1. Consumer - An action to take upon triggering the filter. EventID equals 20 \ -1. Binding - Registers a filter to a consumer. EventID equals 21 \ -Monitor for the creation of new WMI EventFilter, EventConsumer, and FilterToConsumerBinding. It may be pertinent to review all 3 to identify the flow of execution. In addition, EventCode 4104 may assist with any other PowerShell script usage that registered the subscription. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with that provide WMI Event Subscription from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA and have enabled EventID 19, 20 and 21. Tune and filter known good to limit the volume. -action.escu.known_false_positives = It is possible some applications will create a consumer and may be required to be filtered. For tuning, add any additional LOLBin's for further depth of coverage. -action.escu.creation_date = 2021-06-16 -action.escu.modification_date = 2021-06-16 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect WMI Event Subscription Persistence - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["Suspicious WMI Use"] -action.risk = 1 -action.risk.param._risk_message = Possible malicious WMI Subscription created on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Detect WMI Event Subscription Persistence - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious WMI Use"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1546.003", "T1546"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "01d9a0c2-cece-11eb-ab46-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the use of WMI Event Subscription to establish persistence or perform privilege escalation. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges. This analytic is restricted by commonly added process execution and a path. If the volume is low enough, remove the values and flag on any new subscriptions. \ -All event subscriptions have three components \ -1. Filter - WQL Query for the events we want. EventID equals 19 \ -1. Consumer - An action to take upon triggering the filter. EventID equals 20 \ -1. Binding - Registers a filter to a consumer. EventID equals 21 \ -Monitor for the creation of new WMI EventFilter, EventConsumer, and FilterToConsumerBinding. It may be pertinent to review all 3 to identify the flow of execution. In addition, EventCode 4104 may assist with any other PowerShell script usage that registered the subscription. -action.notable.param.rule_title = Detect WMI Event Subscription Persistence -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventID=20 | stats count min(_time) as firstTime max(_time) as lastTime by Computer User Destination | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_wmi_event_subscription_persistence_filter` - -[ESCU - Detection of tools built by NirSoft - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies the execution of tools built by NirSoft by detecting specific command-line arguments such as "/stext" and "/scomma". It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This activity is significant because NirSoft tools, while legitimate, can be exploited by attackers for malicious purposes such as credential theft or system reconnaissance. If confirmed malicious, this activity could lead to unauthorized access, data exfiltration, or further compromise of the affected system. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1072"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the execution of tools built by NirSoft by detecting specific command-line arguments such as "/stext" and "/scomma". It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This activity is significant because NirSoft tools, while legitimate, can be exploited by attackers for malicious purposes such as credential theft or system reconnaissance. If confirmed malicious, this activity could lead to unauthorized access, data exfiltration, or further compromise of the affected system. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = While legitimate, these NirSoft tools are prone to abuse. You should verfiy that the tool was used for a legitimate purpose. -action.escu.creation_date = 2024-05-20 -action.escu.modification_date = 2024-05-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detection of tools built by NirSoft - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Emotet Malware DHS Report TA18-201A"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Detection of tools built by NirSoft - Rule -action.correlationsearch.annotations = {"analytic_story": ["Emotet Malware DHS Report TA18-201A"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1072"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "3d8d201c-aa03-422d-b0ee-2e5ecf9718c0", "detection_version": "4"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the execution of tools built by NirSoft by detecting specific command-line arguments such as "/stext" and "/scomma". It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This activity is significant because NirSoft tools, while legitimate, can be exploited by attackers for malicious purposes such as credential theft or system reconnaissance. If confirmed malicious, this activity could lead to unauthorized access, data exfiltration, or further compromise of the affected system. -action.notable.param.rule_title = Detection of tools built by NirSoft -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process="* /stext *" OR Processes.process="* /scomma *" ) by Processes.parent_process Processes.process_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `detection_of_tools_built_by_nirsoft_filter` - -[ESCU - Disable AMSI Through Registry - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = this search is to identify modification in registry to disable AMSI windows feature to evade detections. This technique was seen in several ransomware, RAT and even APT to impaire defenses of the compromise machine and to be able to execute payload with minimal alert as much as possible. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = this search is to identify modification in registry to disable AMSI windows feature to evade detections. This technique was seen in several ransomware, RAT and even APT to impaire defenses of the compromise machine and to be able to execute payload with minimal alert as much as possible. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -action.escu.known_false_positives = network operator may disable this feature of windows but not so common. -action.escu.creation_date = 2023-12-27 -action.escu.modification_date = 2023-12-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Disable AMSI Through Registry - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["CISA AA23-347A", "Ransomware", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = Disable AMSI Through Registry on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Disable AMSI Through Registry - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A", "Ransomware", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "9c27ec42-d338-11eb-9044-acde48001122", "detection_version": "4"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = this search is to identify modification in registry to disable AMSI windows feature to evade detections. This technique was seen in several ransomware, RAT and even APT to impaire defenses of the compromise machine and to be able to execute payload with minimal alert as much as possible. -action.notable.param.rule_title = Disable AMSI Through Registry -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows Script\\Settings\\AmsiEnable" Registry.registry_value_data = "0x00000000") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest Registry.user | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_amsi_through_registry_filter` - -[ESCU - Disable Defender AntiVirus Registry - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This particular behavior is typically executed when an adversary or malware gains access to an endpoint and begins to perform execution and to evade detections. Usually, a batch (.bat) file will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. Endpoint should be isolated. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This particular behavior is typically executed when an adversary or malware gains access to an endpoint and begins to perform execution and to evade detections. Usually, a batch (.bat) file will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. Endpoint should be isolated. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -action.escu.known_false_positives = admin or user may choose to disable windows defender product -action.escu.creation_date = 2023-04-11 -action.escu.modification_date = 2023-04-11 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Disable Defender AntiVirus Registry - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["IcedID", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = Modified/added/deleted registry entry $registry_path$ in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Disable Defender AntiVirus Registry - Rule -action.correlationsearch.annotations = {"analytic_story": ["IcedID", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "aa4f695a-3024-11ec-9987-acde48001122", "detection_version": "4"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This particular behavior is typically executed when an adversary or malware gains access to an endpoint and begins to perform execution and to evade detections. Usually, a batch (.bat) file will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. Endpoint should be isolated. -action.notable.param.rule_title = Disable Defender AntiVirus Registry -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\Policies\\Microsoft\\Windows Defender*" Registry.registry_value_name IN ("DisableAntiSpyware","DisableAntiVirus") Registry.registry_value_data = 0x00000001) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.user Registry.dest | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_antivirus_registry_filter` - -[ESCU - Disable Defender BlockAtFirstSeen Feature - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is intended to detect a suspicious modification of the Windows registry to disable a Windows Defender feature. This technique is intended to bypass or evade detection from Windows Defender AV, specifically the BlockAtFirstSeen feature where it blocks suspicious files the first time seen on the host. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is intended to detect a suspicious modification of the Windows registry to disable a Windows Defender feature. This technique is intended to bypass or evade detection from Windows Defender AV, specifically the BlockAtFirstSeen feature where it blocks suspicious files the first time seen on the host. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -action.escu.known_false_positives = admin or user may choose to disable windows defender product -action.escu.creation_date = 2023-12-27 -action.escu.modification_date = 2023-12-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Disable Defender BlockAtFirstSeen Feature - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Azorult", "CISA AA23-347A", "IcedID", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = modified/added/deleted registry entry $registry_path$ in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Disable Defender BlockAtFirstSeen Feature - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azorult", "CISA AA23-347A", "IcedID", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "2dd719ac-3021-11ec-97b4-acde48001122", "detection_version": "4"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic is intended to detect a suspicious modification of the Windows registry to disable a Windows Defender feature. This technique is intended to bypass or evade detection from Windows Defender AV, specifically the BlockAtFirstSeen feature where it blocks suspicious files the first time seen on the host. -action.notable.param.rule_title = Disable Defender BlockAtFirstSeen Feature -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\Microsoft\\Windows Defender\\SpyNet*" Registry.registry_value_name = DisableBlockAtFirstSeen Registry.registry_value_data = 0x00000001) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.user Registry.dest | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_blockatfirstseen_feature_filter` - -[ESCU - Disable Defender Enhanced Notification - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is intended to detect a suspicious modification of registry to disable windows defender features. This technique attempts to bypass or evade detection from Windows Defender AV, specifically the Enhanced Notification feature where a user or admin would receive alerts. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is intended to detect a suspicious modification of registry to disable windows defender features. This technique attempts to bypass or evade detection from Windows Defender AV, specifically the Enhanced Notification feature where a user or admin would receive alerts. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = user may choose to disable windows defender AV -action.escu.creation_date = 2023-12-27 -action.escu.modification_date = 2023-12-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Disable Defender Enhanced Notification - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Azorult", "CISA AA23-347A", "IcedID", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = modified/added/deleted registry entry $registry_path$ in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Disable Defender Enhanced Notification - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azorult", "CISA AA23-347A", "IcedID", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "dc65678c-301f-11ec-8e30-acde48001122", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic is intended to detect a suspicious modification of registry to disable windows defender features. This technique attempts to bypass or evade detection from Windows Defender AV, specifically the Enhanced Notification feature where a user or admin would receive alerts. -action.notable.param.rule_title = Disable Defender Enhanced Notification -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*Microsoft\\Windows Defender\\Reporting*" Registry.registry_value_name = DisableEnhancedNotifications Registry.registry_value_data = 0x00000001) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_antivirus_registry_filter` - -[ESCU - Disable Defender MpEngine Registry - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This particular behavior is typically executed when an adversary or malware gains access to an endpoint and begins to perform execution and to evade detections. Usually, a batch (.bat) file will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. Endpoint should be isolated. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This particular behavior is typically executed when an adversary or malware gains access to an endpoint and begins to perform execution and to evade detections. Usually, a batch (.bat) file will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. Endpoint should be isolated. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -action.escu.known_false_positives = admin or user may choose to disable windows defender product -action.escu.creation_date = 2023-04-11 -action.escu.modification_date = 2023-04-11 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Disable Defender MpEngine Registry - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["IcedID", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = Modified/added/deleted registry entry $registry_path$ in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Disable Defender MpEngine Registry - Rule -action.correlationsearch.annotations = {"analytic_story": ["IcedID", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "cc391750-3024-11ec-955a-acde48001122", "detection_version": "4"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This particular behavior is typically executed when an adversary or malware gains access to an endpoint and begins to perform execution and to evade detections. Usually, a batch (.bat) file will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. Endpoint should be isolated. -action.notable.param.rule_title = Disable Defender MpEngine Registry -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\Policies\\Microsoft\\Windows Defender\\MpEngine*" Registry.registry_value_name = MpEnablePus Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.user Registry.dest | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_mpengine_registry_filter` - -[ESCU - Disable Defender Spynet Reporting - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the modification of the registry to disable Windows Defender SpyNet reporting. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path associated with Windows Defender SpyNet settings. This activity is significant because disabling SpyNet reporting can prevent Windows Defender from sending telemetry data, potentially allowing malicious activities to go undetected. If confirmed malicious, this action could enable an attacker to evade detection, maintain persistence, and carry out further attacks without being flagged by Windows Defender. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the modification of the registry to disable Windows Defender SpyNet reporting. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path associated with Windows Defender SpyNet settings. This activity is significant because disabling SpyNet reporting can prevent Windows Defender from sending telemetry data, potentially allowing malicious activities to go undetected. If confirmed malicious, this action could enable an attacker to evade detection, maintain persistence, and carry out further attacks without being flagged by Windows Defender. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -action.escu.known_false_positives = admin or user may choose to disable windows defender product -action.escu.creation_date = 2024-05-07 -action.escu.modification_date = 2024-05-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Disable Defender Spynet Reporting - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Azorult", "CISA AA23-347A", "IcedID", "Qakbot", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = modified/added/deleted registry entry $registry_path$ in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Disable Defender Spynet Reporting - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azorult", "CISA AA23-347A", "IcedID", "Qakbot", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "898debf4-3021-11ec-ba7c-acde48001122", "detection_version": "5"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the modification of the registry to disable Windows Defender SpyNet reporting. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path associated with Windows Defender SpyNet settings. This activity is significant because disabling SpyNet reporting can prevent Windows Defender from sending telemetry data, potentially allowing malicious activities to go undetected. If confirmed malicious, this action could enable an attacker to evade detection, maintain persistence, and carry out further attacks without being flagged by Windows Defender. -action.notable.param.rule_title = Disable Defender Spynet Reporting -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\Microsoft\\Windows Defender\\SpyNet*" Registry.registry_value_name = SpynetReporting Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.user Registry.dest | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_spynet_reporting_filter` - -[ESCU - Disable Defender Submit Samples Consent Feature - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is intended to detect a suspicious modification of the Windows registry to disable a Windows Defender feature. This technique is intended to bypass or evade detection from Windows Defender AV, specifically the feature that submits samples for further analysis. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is intended to detect a suspicious modification of the Windows registry to disable a Windows Defender feature. This technique is intended to bypass or evade detection from Windows Defender AV, specifically the feature that submits samples for further analysis. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -action.escu.known_false_positives = admin or user may choose to disable windows defender product -action.escu.creation_date = 2023-12-27 -action.escu.modification_date = 2023-12-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Disable Defender Submit Samples Consent Feature - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Azorult", "CISA AA23-347A", "IcedID", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = modified/added/deleted registry entry $registry_path$ in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Disable Defender Submit Samples Consent Feature - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azorult", "CISA AA23-347A", "IcedID", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "73922ff8-3022-11ec-bf5e-acde48001122", "detection_version": "4"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic is intended to detect a suspicious modification of the Windows registry to disable a Windows Defender feature. This technique is intended to bypass or evade detection from Windows Defender AV, specifically the feature that submits samples for further analysis. -action.notable.param.rule_title = Disable Defender Submit Samples Consent Feature -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\Microsoft\\Windows Defender\\SpyNet*" Registry.registry_value_name = SubmitSamplesConsent Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.user Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_submit_samples_consent_feature_filter` - -[ESCU - Disable ETW Through Registry - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search is to identify modification in registry to disable ETW windows feature to evade detections. This technique was seen in several ransomware, RAT and even APT to impaire defenses of the compromise machine and to be able to execute payload with minimal alert as much as possible. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search is to identify modification in registry to disable ETW windows feature to evade detections. This technique was seen in several ransomware, RAT and even APT to impaire defenses of the compromise machine and to be able to execute payload with minimal alert as much as possible. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -action.escu.known_false_positives = network operator may disable this feature of windows but not so common. -action.escu.creation_date = 2023-12-27 -action.escu.modification_date = 2023-12-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Disable ETW Through Registry - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["CISA AA23-347A", "Ransomware", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = Disable ETW Through Registry on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Disable ETW Through Registry - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A", "Ransomware", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "f0eacfa4-d33f-11eb-8f9d-acde48001122", "detection_version": "4"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search is to identify modification in registry to disable ETW windows feature to evade detections. This technique was seen in several ransomware, RAT and even APT to impaire defenses of the compromise machine and to be able to execute payload with minimal alert as much as possible. -action.notable.param.rule_title = Disable ETW Through Registry -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\.NETFramework\\ETWEnabled" Registry.registry_value_data = "0x00000000") BY _time span=1h Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_etw_through_registry_filter` - -[ESCU - Disable Logs Using WevtUtil - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the execution of "wevtutil.exe" with parameters to disable event logs. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because disabling event logs is a common tactic used by ransomware to evade detection and hinder forensic investigations. If confirmed malicious, this action could allow attackers to operate undetected, making it difficult to trace their activities and respond effectively to the incident. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070", "T1070.001"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the execution of "wevtutil.exe" with parameters to disable event logs. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because disabling event logs is a common tactic used by ransomware to evade detection and hinder forensic investigations. If confirmed malicious, this action could allow attackers to operate undetected, making it difficult to trace their activities and respond effectively to the incident. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = network operator may disable audit event logs for debugging purposes. -action.escu.creation_date = 2024-05-13 -action.escu.modification_date = 2024-05-13 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Disable Logs Using WevtUtil - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["CISA AA23-347A", "Ransomware", "Rhysida Ransomware"] -action.risk = 1 -action.risk.param._risk_message = WevtUtil.exe used to disable Event Logging on $dest -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 24}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Disable Logs Using WevtUtil - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A", "Ransomware", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 80, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070", "T1070.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "236e7c8e-c9d9-11eb-a824-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the execution of "wevtutil.exe" with parameters to disable event logs. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because disabling event logs is a common tactic used by ransomware to evade detection and hinder forensic investigations. If confirmed malicious, this action could allow attackers to operate undetected, making it difficult to trace their activities and respond effectively to the incident. -action.notable.param.rule_title = Disable Logs Using WevtUtil -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "wevtutil.exe" Processes.process = "*sl*" Processes.process = "*/e:false*" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_logs_using_wevtutil_filter` - -[ESCU - Disable Registry Tool - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search identifies modification of registry to disable the regedit or registry tools of the windows operating system. Since registry tool is a swiss knife in analyzing registry, malware such as RAT or trojan Spy disable this application to prevent the removal of their registry entry such as persistence, file less components and defense evasion. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562", "T1112"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search identifies modification of registry to disable the regedit or registry tools of the windows operating system. Since registry tool is a swiss knife in analyzing registry, malware such as RAT or trojan Spy disable this application to prevent the removal of their registry entry such as persistence, file less components and defense evasion. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -action.escu.known_false_positives = admin may disable this application for non technical user. -action.escu.creation_date = 2024-04-26 -action.escu.modification_date = 2024-04-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Disable Registry Tool - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["NjRAT", "Windows Defense Evasion Tactics", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = Disabled Registry Tools on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 40}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Disable Registry Tool - Rule -action.correlationsearch.annotations = {"analytic_story": ["NjRAT", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 100, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562", "T1112"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "cd2cf33c-9201-11eb-a10a-acde48001122", "detection_version": "5"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search identifies modification of registry to disable the regedit or registry tools of the windows operating system. Since registry tool is a swiss knife in analyzing registry, malware such as RAT or trojan Spy disable this application to prevent the removal of their registry entry such as persistence, file less components and defense evasion. -action.notable.param.rule_title = Disable Registry Tool -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools" Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.user Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_registry_tool_filter` - -[ESCU - Disable Schedule Task - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is to detect a suspicious commandline to disable existing schedule task. This technique is used by adversaries or commodity malware like IcedID to disable security application (AV products) in the targetted host to evade detections. This TTP is a good pivot to check further why and what other process run before and after this detection. check which process execute the commandline and what task is disabled. parent child process is quite valuable in this scenario too. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is to detect a suspicious commandline to disable existing schedule task. This technique is used by adversaries or commodity malware like IcedID to disable security application (AV products) in the targetted host to evade detections. This TTP is a good pivot to check further why and what other process run before and after this detection. check which process execute the commandline and what task is disabled. parent child process is quite valuable in this scenario too. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = admin may disable problematic schedule task -action.escu.creation_date = 2021-10-18 -action.escu.modification_date = 2021-10-18 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Disable Schedule Task - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["IcedID", "Living Off The Land"] -action.risk = 1 -action.risk.param._risk_message = schtask process with commandline $process$ to disable schedule task in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Disable Schedule Task - Rule -action.correlationsearch.annotations = {"analytic_story": ["IcedID", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "db596056-3019-11ec-a9ff-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic is to detect a suspicious commandline to disable existing schedule task. This technique is used by adversaries or commodity malware like IcedID to disable security application (AV products) in the targetted host to evade detections. This TTP is a good pivot to check further why and what other process run before and after this detection. check which process execute the commandline and what task is disabled. parent child process is quite valuable in this scenario too. -action.notable.param.rule_title = Disable Schedule Task -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe Processes.process=*/change* Processes.process=*/disable* by Processes.user Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_schedule_task_filter` - -[ESCU - Disable Security Logs Using MiniNt Registry - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is to detect a suspicious registry modification to disable security audit logs. This technique was shared by a researcher to disable Security logs of windows by adding this registry. The Windows will think it is WinPE and will not log any event to the Security Log -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is to detect a suspicious registry modification to disable security audit logs. This technique was shared by a researcher to disable Security logs of windows by adding this registry. The Windows will think it is WinPE and will not log any event to the Security Log -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -action.escu.known_false_positives = Unknown. -action.escu.creation_date = 2023-12-27 -action.escu.modification_date = 2023-12-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Disable Security Logs Using MiniNt Registry - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["CISA AA23-347A", "Windows Defense Evasion Tactics", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = Modified/added/deleted registry entry $registry_path$ in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Disable Security Logs Using MiniNt Registry - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "39ebdc68-25b9-11ec-aec7-acde48001122", "detection_version": "4"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic is to detect a suspicious registry modification to disable security audit logs. This technique was shared by a researcher to disable Security logs of windows by adding this registry. The Windows will think it is WinPE and will not log any event to the Security Log -action.notable.param.rule_title = Disable Security Logs Using MiniNt Registry -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*\\Control\\MiniNt\\*") BY _time span=1h Registry.user Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_security_logs_using_minint_registry_filter` - -[ESCU - Disable Show Hidden Files - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic is to identify a modification in the Windows registry to prevent users from seeing all the files with hidden attributes. This event or techniques are known on some worm and trojan spy malware that will drop hidden files on the infected machine. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1564.001", "T1562.001", "T1564", "T1562", "T1112"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic is to identify a modification in the Windows registry to prevent users from seeing all the files with hidden attributes. This event or techniques are known on some worm and trojan spy malware that will drop hidden files on the infected machine. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -action.escu.known_false_positives = unknown -action.escu.creation_date = 2024-02-14 -action.escu.modification_date = 2024-02-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Disable Show Hidden Files - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Azorult", "Windows Defense Evasion Tactics", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = Disabled 'Show Hidden Files' on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 40}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Disable Show Hidden Files - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azorult", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 100, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1564.001", "T1562.001", "T1564", "T1562", "T1112"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "6f3ccfa2-91fe-11eb-8f9b-acde48001122", "detection_version": "5"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden" OR (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt" Registry.registry_value_data = "0x00000001") OR (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden" Registry.registry_value_data = "0x00000000" )) BY _time span=1h Registry.user Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_show_hidden_files_filter` - -[ESCU - Disable UAC Remote Restriction - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is to detect a suspicious modification of registry to disable UAC remote restriction. This technique was well documented in Microsoft page where attacker may modify this registry value to bypassed UAC feature of windows host. This is a good indicator that some tries to bypassed UAC to suspicious process or gain privilege escalation. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is to detect a suspicious modification of registry to disable UAC remote restriction. This technique was well documented in Microsoft page where attacker may modify this registry value to bypassed UAC feature of windows host. This is a good indicator that some tries to bypassed UAC to suspicious process or gain privilege escalation. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -action.escu.known_false_positives = admin may set this policy for non-critical machine. -action.escu.creation_date = 2023-12-27 -action.escu.modification_date = 2023-12-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Disable UAC Remote Restriction - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["CISA AA23-347A", "Suspicious Windows Registry Activities", "Windows Defense Evasion Tactics", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = Modified/added/deleted registry entry $registry_path$ in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Disable UAC Remote Restriction - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A", "Suspicious Windows Registry Activities", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "9928b732-210e-11ec-b65e-acde48001122", "detection_version": "4"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic is to detect a suspicious modification of registry to disable UAC remote restriction. This technique was well documented in Microsoft page where attacker may modify this registry value to bypassed UAC feature of windows host. This is a good indicator that some tries to bypassed UAC to suspicious process or gain privilege escalation. -action.notable.param.rule_title = Disable UAC Remote Restriction -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*\\CurrentVersion\\Policies\\System*" Registry.registry_value_name="LocalAccountTokenFilterPolicy" Registry.registry_value_data="0x00000001" ) BY _time span=1h Registry.user Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_uac_remote_restriction_filter` - -[ESCU - Disable Windows App Hotkeys - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects a suspicious registry modification to disable Windows hotkey (shortcut keys) for native Windows applications. This technique is commonly used to disable certain or several Windows applications like `taskmgr.exe` and `cmd.exe`. This technique is used to impair the analyst in analyzing and removing the attacker implant in compromised systems. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562", "T1112"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects a suspicious registry modification to disable Windows hotkey (shortcut keys) for native Windows applications. This technique is commonly used to disable certain or several Windows applications like `taskmgr.exe` and `cmd.exe`. This technique is used to impair the analyst in analyzing and removing the attacker implant in compromised systems. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-04-27 -action.escu.modification_date = 2023-04-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Disable Windows App Hotkeys - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Windows Registry Abuse", "XMRig"] -action.risk = 1 -action.risk.param._risk_message = Disabled 'Windows App Hotkeys' on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 40}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Disable Windows App Hotkeys - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Registry Abuse", "XMRig"], "cis20": ["CIS 10"], "confidence": 100, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562", "T1112"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "1490f224-ad8b-11eb-8c4f-acde48001122", "detection_version": "4"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects a suspicious registry modification to disable Windows hotkey (shortcut keys) for native Windows applications. This technique is commonly used to disable certain or several Windows applications like `taskmgr.exe` and `cmd.exe`. This technique is used to impair the analyst in analyzing and removing the attacker implant in compromised systems. -action.notable.param.rule_title = Disable Windows App Hotkeys -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*\\Windows NT\\CurrentVersion\\Image File Execution Options\\*" AND Registry.registry_value_data= "HotKey Disabled" AND Registry.registry_value_name = "Debugger") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_windows_app_hotkeys_filter` - -[ESCU - Disable Windows Behavior Monitoring - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies modifications in the registry to disable Windows Defender's real-time behavior monitoring. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths associated with Windows Defender settings. This activity is significant because disabling real-time protection is a common tactic used by malware such as RATs, bots, or Trojans to evade detection. If confirmed malicious, this action could allow an attacker to execute code, escalate privileges, or persist in the environment without being detected by antivirus software. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies modifications in the registry to disable Windows Defender's real-time behavior monitoring. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths associated with Windows Defender settings. This activity is significant because disabling real-time protection is a common tactic used by malware such as RATs, bots, or Trojans to evade detection. If confirmed malicious, this action could allow an attacker to execute code, escalate privileges, or persist in the environment without being detected by antivirus software. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -action.escu.known_false_positives = admin or user may choose to disable this windows features. -action.escu.creation_date = 2024-05-18 -action.escu.modification_date = 2024-05-18 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Disable Windows Behavior Monitoring - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Azorult", "CISA AA23-347A", "Ransomware", "RedLine Stealer", "Revil Ransomware", "Windows Defense Evasion Tactics", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = Windows Defender real time behavior monitoring disabled on $dest -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 40}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Disable Windows Behavior Monitoring - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azorult", "CISA AA23-347A", "Ransomware", "RedLine Stealer", "Revil Ransomware", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 100, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "79439cae-9200-11eb-a4d3-acde48001122", "detection_version": "6"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies modifications in the registry to disable Windows Defender's real-time behavior monitoring. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths associated with Windows Defender settings. This activity is significant because disabling real-time protection is a common tactic used by malware such as RATs, bots, or Trojans to evade detection. If confirmed malicious, this action could allow an attacker to execute code, escalate privileges, or persist in the environment without being detected by antivirus software. -action.notable.param.rule_title = Disable Windows Behavior Monitoring -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableBehaviorMonitoring" OR Registry.registry_path= "*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableOnAccessProtection" OR Registry.registry_path= "*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableScanOnRealtimeEnable" OR Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring" OR Registry.registry_path= "*\\Real-Time Protection\\DisableIntrusionPreventionSystem" OR Registry.registry_path= "*\\Real-Time Protection\\DisableIOAVProtection" OR Registry.registry_path= "*\\Real-Time Protection\\DisableScriptScanning" AND Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_windows_behavior_monitoring_filter` - -[ESCU - Disable Windows SmartScreen Protection - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following search identifies a modification of registry to disable the smartscreen protection of windows machine. This is windows feature provide an early warning system against website that might engage in phishing attack or malware distribution. This modification are seen in RAT malware to cover their tracks upon downloading other of its component or other payload. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following search identifies a modification of registry to disable the smartscreen protection of windows machine. This is windows feature provide an early warning system against website that might engage in phishing attack or malware distribution. This modification are seen in RAT malware to cover their tracks upon downloading other of its component or other payload. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -action.escu.known_false_positives = admin or user may choose to disable this windows features. -action.escu.creation_date = 2024-02-14 -action.escu.modification_date = 2024-02-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Disable Windows SmartScreen Protection - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["CISA AA23-347A", "Windows Defense Evasion Tactics", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = The Windows Smartscreen was disabled on $dest$ by $user$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Disable Windows SmartScreen Protection - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "664f0fd0-91ff-11eb-a56f-acde48001122", "detection_version": "5"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following search identifies a modification of registry to disable the smartscreen protection of windows machine. This is windows feature provide an early warning system against website that might engage in phishing attack or malware distribution. This modification are seen in RAT malware to cover their tracks upon downloading other of its component or other payload. -action.notable.param.rule_title = Disable Windows SmartScreen Protection -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE Registry.registry_path IN ("*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SmartScreenEnabled", "*\\Microsoft\\Windows\\System\\EnableSmartScreen") Registry.registry_value_data IN ("Off", "0") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_windows_smartscreen_protection_filter` - -[ESCU - Disabled Kerberos Pre-Authentication Discovery With Get-ADUser - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-ADUser` commandlet with specific parameters. `Get-ADUser` is part of the Active Directory PowerShell module used to manage Windows Active Directory networks. As the name suggests, `Get-ADUser` is used to query for domain users. With the appropiate parameters, Get-ADUser allows adversaries to discover domain accounts with Kerberos Pre Authentication disabled.\ Red Teams and adversaries alike use may abuse Get-ADUSer to enumerate these accounts and attempt to crack their passwords offline. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558", "T1558.004"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-ADUser` commandlet with specific parameters. `Get-ADUser` is part of the Active Directory PowerShell module used to manage Windows Active Directory networks. As the name suggests, `Get-ADUser` is used to query for domain users. With the appropiate parameters, Get-ADUser allows adversaries to discover domain accounts with Kerberos Pre Authentication disabled.\ Red Teams and adversaries alike use may abuse Get-ADUSer to enumerate these accounts and attempt to crack their passwords offline. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = Administrators or power users may use search for accounts with Kerberos Pre Authentication disabled for legitimate purposes. -action.escu.creation_date = 2023-12-27 -action.escu.modification_date = 2023-12-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Disabled Kerberos Pre-Authentication Discovery With Get-ADUser - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Kerberos Attacks", "CISA AA23-347A"] -action.risk = 1 -action.risk.param._risk_message = Disabled Kerberos Pre-Authentication Discovery With Get-ADUser from $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 54}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Disabled Kerberos Pre-Authentication Discovery With Get-ADUser - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558", "T1558.004"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "114c6bfe-9406-11ec-bcce-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-ADUser` commandlet with specific parameters. `Get-ADUser` is part of the Active Directory PowerShell module used to manage Windows Active Directory networks. As the name suggests, `Get-ADUser` is used to query for domain users. With the appropiate parameters, Get-ADUser allows adversaries to discover domain accounts with Kerberos Pre Authentication disabled.\ Red Teams and adversaries alike use may abuse Get-ADUSer to enumerate these accounts and attempt to crack their passwords offline. -action.notable.param.rule_title = Disabled Kerberos Pre-Authentication Discovery With Get-ADUser -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 (ScriptBlockText = "*Get-ADUser*" AND ScriptBlockText="*4194304*") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | `security_content_ctime(firstTime)` | `disabled_kerberos_pre_authentication_discovery_with_get_aduser_filter` - -[ESCU - Disabled Kerberos Pre-Authentication Discovery With PowerView - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainUser` commandlet with specific parameters. `Get-DomainUser` is part of PowerView, a PowerShell tool used to perform enumeration on Windows Active Directory networks. As the name suggests, `Get-DomainUser` is used to identify domain users and combining it with `-PreauthNotRequired` allows adversaries to discover domain accounts with Kerberos Pre Authentication disabled. \ -Red Teams and adversaries alike use may leverage PowerView to enumerate these accounts and attempt to crack their passwords offline. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558", "T1558.004"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainUser` commandlet with specific parameters. `Get-DomainUser` is part of PowerView, a PowerShell tool used to perform enumeration on Windows Active Directory networks. As the name suggests, `Get-DomainUser` is used to identify domain users and combining it with `-PreauthNotRequired` allows adversaries to discover domain accounts with Kerberos Pre Authentication disabled. \ -Red Teams and adversaries alike use may leverage PowerView to enumerate these accounts and attempt to crack their passwords offline. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = Administrators or power users may use PowerView for troubleshooting -action.escu.creation_date = 2022-05-03 -action.escu.modification_date = 2022-05-03 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Disabled Kerberos Pre-Authentication Discovery With PowerView - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Kerberos Attacks"] -action.risk = 1 -action.risk.param._risk_message = Disabled Kerberos Pre-Authentication Discovery With PowerView from $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 54}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Disabled Kerberos Pre-Authentication Discovery With PowerView - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558", "T1558.004"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "b0b34e2c-90de-11ec-baeb-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainUser` commandlet with specific parameters. `Get-DomainUser` is part of PowerView, a PowerShell tool used to perform enumeration on Windows Active Directory networks. As the name suggests, `Get-DomainUser` is used to identify domain users and combining it with `-PreauthNotRequired` allows adversaries to discover domain accounts with Kerberos Pre Authentication disabled. \ -Red Teams and adversaries alike use may leverage PowerView to enumerate these accounts and attempt to crack their passwords offline. -action.notable.param.rule_title = Disabled Kerberos Pre-Authentication Discovery With PowerView -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 (ScriptBlockText = "*Get-DomainUser*" AND ScriptBlockText="*PreauthNotRequired*") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | `security_content_ctime(firstTime)` | `disabled_kerberos_pre_authentication_discovery_with_powerview_filter` - -[ESCU - Disabling CMD Application - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search is to identify modification in registry to disable cmd prompt application. This technique is commonly seen in RAT, Trojan or WORM to prevent triaging or deleting there samples through cmd application which is one of the tool of analyst to traverse on directory and files. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562", "T1112"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search is to identify modification in registry to disable cmd prompt application. This technique is commonly seen in RAT, Trojan or WORM to prevent triaging or deleting there samples through cmd application which is one of the tool of analyst to traverse on directory and files. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -action.escu.known_false_positives = admin may disable this application for non technical user. -action.escu.creation_date = 2024-04-26 -action.escu.modification_date = 2024-04-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Disabling CMD Application - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["NjRAT", "Windows Defense Evasion Tactics", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = The Windows command prompt was disabled on $dest$ by $user$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Disabling CMD Application - Rule -action.correlationsearch.annotations = {"analytic_story": ["NjRAT", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562", "T1112"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "ff86077c-9212-11eb-a1e6-acde48001122", "detection_version": "5"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search is to identify modification in registry to disable cmd prompt application. This technique is commonly seen in RAT, Trojan or WORM to prevent triaging or deleting there samples through cmd application which is one of the tool of analyst to traverse on directory and files. -action.notable.param.rule_title = Disabling CMD Application -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\DisableCMD" Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_cmd_application_filter` - -[ESCU - Disabling ControlPanel - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects registry modifications that disable the Control Panel on Windows systems. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel" with a value of "0x00000001". This activity is significant as it is commonly used by malware to prevent users from accessing the Control Panel, thereby hindering the removal of malicious artifacts and persistence mechanisms. If confirmed malicious, this could allow attackers to maintain control over the infected machine and prevent remediation efforts. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562", "T1112"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects registry modifications that disable the Control Panel on Windows systems. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel" with a value of "0x00000001". This activity is significant as it is commonly used by malware to prevent users from accessing the Control Panel, thereby hindering the removal of malicious artifacts and persistence mechanisms. If confirmed malicious, this could allow attackers to maintain control over the infected machine and prevent remediation efforts. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -action.escu.known_false_positives = admin may disable this application for non technical user. -action.escu.creation_date = 2024-05-18 -action.escu.modification_date = 2024-05-18 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Disabling ControlPanel - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Windows Defense Evasion Tactics", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = The Windows Control Panel was disabled on $dest$ by $user$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Disabling ControlPanel - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562", "T1112"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "6ae0148e-9215-11eb-a94a-acde48001122", "detection_version": "6"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects registry modifications that disable the Control Panel on Windows systems. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel" with a value of "0x00000001". This activity is significant as it is commonly used by malware to prevent users from accessing the Control Panel, thereby hindering the removal of malicious artifacts and persistence mechanisms. If confirmed malicious, this could allow attackers to maintain control over the infected machine and prevent remediation efforts. -action.notable.param.rule_title = Disabling ControlPanel -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel" Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_controlpanel_filter` - -[ESCU - Disabling Defender Services - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This particular behavior is typically executed when an adversaries or malware gains access to an endpoint and beings to perform execution and to evade detections. Usually, a batch (.bat) will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. Endpoint should be isolated. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This particular behavior is typically executed when an adversaries or malware gains access to an endpoint and beings to perform execution and to evade detections. Usually, a batch (.bat) will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. Endpoint should be isolated. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -action.escu.known_false_positives = admin or user may choose to disable windows defender product -action.escu.creation_date = 2023-04-27 -action.escu.modification_date = 2023-04-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Disabling Defender Services - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["IcedID", "RedLine Stealer", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = modified/added/deleted registry entry $registry_path$ in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Disabling Defender Services - Rule -action.correlationsearch.annotations = {"analytic_story": ["IcedID", "RedLine Stealer", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "911eacdc-317f-11ec-ad30-acde48001122", "detection_version": "4"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This particular behavior is typically executed when an adversaries or malware gains access to an endpoint and beings to perform execution and to evade detections. Usually, a batch (.bat) will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. Endpoint should be isolated. -action.notable.param.rule_title = Disabling Defender Services -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\System\\CurrentControlSet\\Services\\*" AND (Registry.registry_path IN("*WdBoot*", "*WdFilter*", "*WdNisDrv*", "*WdNisSvc*","*WinDefend*", "*SecurityHealthService*")) AND Registry.registry_value_name = Start Registry.registry_value_data = 0x00000004) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_defender_services_filter` - -[ESCU - Disabling Firewall with Netsh - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the disabling of the firewall using the netsh application. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that include keywords like "firewall," "off," or "disable." This activity is significant because disabling the firewall can expose the system to external threats, allowing malware to communicate with its command and control (C2) server. If confirmed malicious, this action could lead to unauthorized data exfiltration, further malware downloads, and broader network compromise. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the disabling of the firewall using the netsh application. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that include keywords like "firewall," "off," or "disable." This activity is significant because disabling the firewall can expose the system to external threats, allowing malware to communicate with its command and control (C2) server. If confirmed malicious, this action could lead to unauthorized data exfiltration, further malware downloads, and broader network compromise. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = admin may disable firewall during testing or fixing network problem. -action.escu.creation_date = 2024-05-04 -action.escu.modification_date = 2024-05-04 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Disabling Firewall with Netsh - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["BlackByte Ransomware", "Windows Defense Evasion Tactics"] -action.risk = 1 -action.risk.param._risk_message = The Windows Firewall was disabled on $dest$ by $user$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Disabling Firewall with Netsh - Rule -action.correlationsearch.annotations = {"analytic_story": ["BlackByte Ransomware", "Windows Defense Evasion Tactics"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "6860a62c-9203-11eb-9e05-acde48001122", "detection_version": "4"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh` Processes.process= "*firewall*" (Processes.process= "*off*" OR Processes.process= "*disable*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_firewall_with_netsh_filter` - -[ESCU - Disabling FolderOptions Windows Feature - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search is to identify registry modification to disable folder options feature of windows to show hidden files, file extension and etc. This technique used by malware in combination if disabling show hidden files feature to hide their files and also to hide the file extension to lure the user base on file icons or fake file extensions. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search is to identify registry modification to disable folder options feature of windows to show hidden files, file extension and etc. This technique used by malware in combination if disabling show hidden files feature to hide their files and also to hide the file extension to lure the user base on file icons or fake file extensions. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -action.escu.known_false_positives = admin may disable this application for non technical user. -action.escu.creation_date = 2024-04-26 -action.escu.modification_date = 2024-04-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Disabling FolderOptions Windows Feature - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["CISA AA23-347A", "Windows Defense Evasion Tactics", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = The Windows Folder Options, to hide files, was disabled on $dest$ by $user$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Disabling FolderOptions Windows Feature - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "83776de4-921a-11eb-868a-acde48001122", "detection_version": "5"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search is to identify registry modification to disable folder options feature of windows to show hidden files, file extension and etc. This technique used by malware in combination if disabling show hidden files feature to hide their files and also to hide the file extension to lure the user base on file icons or fake file extensions. -action.notable.param.rule_title = Disabling FolderOptions Windows Feature -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoFolderOptions" Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_folderoptions_windows_feature_filter` - -[ESCU - Disabling Net User Account - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the use of the `net.exe` utility to disable a user account via the command line. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant as it may indicate an adversary's attempt to disrupt user availability, potentially as a precursor to further malicious actions. If confirmed malicious, this could lead to denial of service for legitimate users, aiding the attacker in maintaining control or covering their tracks. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1531"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the use of the `net.exe` utility to disable a user account via the command line. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant as it may indicate an adversary's attempt to disrupt user availability, potentially as a precursor to further malicious actions. If confirmed malicious, this could lead to denial of service for legitimate users, aiding the attacker in maintaining control or covering their tracks. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2024-05-23 -action.escu.modification_date = 2024-05-23 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Disabling Net User Account - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["XMRig"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified disabling a user account on endpoint $dest$ by user $user$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 42}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 42}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 42}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 42}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Disabling Net User Account - Rule -action.correlationsearch.annotations = {"analytic_story": ["XMRig"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1531"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c0325326-acd6-11eb-98c2-acde48001122", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the use of the `net.exe` utility to disable a user account via the command line. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant as it may indicate an adversary's attempt to disrupt user availability, potentially as a precursor to further malicious actions. If confirmed malicious, this could lead to denial of service for legitimate users, aiding the attacker in maintaining control or covering their tracks. -action.notable.param.rule_title = Disabling Net User Account -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND Processes.process="*user*" AND Processes.process="*/active:no*" by Processes.process_name Processes.original_file_name Processes.dest Processes.user Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_net_user_account_filter` - -[ESCU - Disabling NoRun Windows App - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search is to identify modification of registry to disable run application in window start menu. this application is known to be a helpful shortcut to windows OS user to run known application and also to execute some reg or batch script. This technique is used malware to make cleaning of its infection more harder by preventing known application run easily through run shortcut. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562", "T1112"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search is to identify modification of registry to disable run application in window start menu. this application is known to be a helpful shortcut to windows OS user to run known application and also to execute some reg or batch script. This technique is used malware to make cleaning of its infection more harder by preventing known application run easily through run shortcut. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -action.escu.known_false_positives = admin may disable this application for non technical user. -action.escu.creation_date = 2024-04-26 -action.escu.modification_date = 2024-04-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Disabling NoRun Windows App - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Windows Defense Evasion Tactics", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = The Windows registry was modified to disable run application in window start menu on $dest$ by $user$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Disabling NoRun Windows App - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562", "T1112"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "de81bc46-9213-11eb-adc9-acde48001122", "detection_version": "5"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search is to identify modification of registry to disable run application in window start menu. this application is known to be a helpful shortcut to windows OS user to run known application and also to execute some reg or batch script. This technique is used malware to make cleaning of its infection more harder by preventing known application run easily through run shortcut. -action.notable.param.rule_title = Disabling NoRun Windows App -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoRun" Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_norun_windows_app_filter` - -[ESCU - Disabling Remote User Account Control - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies modifications to the registry key that controls the enforcement of Windows User Account Control (UAC). It detects changes to the registry path `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA` where the value is set to `0x00000000`. This activity is significant because disabling UAC can allow unauthorized changes to the system without user consent, potentially leading to privilege escalation. If confirmed malicious, an attacker could gain elevated privileges, making it easier to execute further attacks or maintain persistence within the environment. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies modifications to the registry key that controls the enforcement of Windows User Account Control (UAC). It detects changes to the registry path `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA` where the value is set to `0x00000000`. This activity is significant because disabling UAC can allow unauthorized changes to the system without user consent, potentially leading to privilege escalation. If confirmed malicious, an attacker could gain elevated privileges, making it easier to execute further attacks or maintain persistence within the environment. -action.escu.how_to_implement = To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or via other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report registry modifications. -action.escu.known_false_positives = This registry key may be modified via administrators to implement a change in system policy. This type of change should be a very rare occurrence. -action.escu.creation_date = 2024-05-18 -action.escu.modification_date = 2024-05-18 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Disabling Remote User Account Control - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["AgentTesla", "Azorult", "Remcos", "Suspicious Windows Registry Activities", "Windows Defense Evasion Tactics", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = The Windows registry keys that control the enforcement of Windows User Account Control (UAC) were modified on $dest$ by $user$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 42}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 42}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Disabling Remote User Account Control - Rule -action.correlationsearch.annotations = {"analytic_story": ["AgentTesla", "Azorult", "Remcos", "Suspicious Windows Registry Activities", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "bbc644bc-37df-4e1a-9c88-ec9a53e2038c", "detection_version": "5"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies modifications to the registry key that controls the enforcement of Windows User Account Control (UAC). It detects changes to the registry path `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA` where the value is set to `0x00000000`. This activity is significant because disabling UAC can allow unauthorized changes to the system without user consent, potentially leading to privilege escalation. If confirmed malicious, an attacker could gain elevated privileges, making it easier to execute further attacks or maintain persistence within the environment. -action.notable.param.rule_title = Disabling Remote User Account Control -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path=*HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA* Registry.registry_value_data="0x00000000" by Registry.dest, Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action | `drop_dm_object_name(Registry)` | `disabling_remote_user_account_control_filter` - -[ESCU - Disabling SystemRestore In Registry - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following search identifies the modification of registry related in disabling the system restore of a machine. This event or behavior are seen in some RAT malware to make the restore of the infected machine difficult and keep their infection on the box. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following search identifies the modification of registry related in disabling the system restore of a machine. This event or behavior are seen in some RAT malware to make the restore of the infected machine difficult and keep their infection on the box. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -action.escu.known_false_positives = in some cases admin can disable systemrestore on a machine. -action.escu.creation_date = 2024-02-14 -action.escu.modification_date = 2024-02-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Disabling SystemRestore In Registry - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["NjRAT", "Windows Defense Evasion Tactics", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = The Windows registry was modified to disable system restore on $dest$ by $user$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Disabling SystemRestore In Registry - Rule -action.correlationsearch.annotations = {"analytic_story": ["NjRAT", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "f4f837e2-91fb-11eb-8bf6-acde48001122", "detection_version": "5"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following search identifies the modification of registry related in disabling the system restore of a machine. This event or behavior are seen in some RAT malware to make the restore of the infected machine difficult and keep their infection on the box. -action.notable.param.rule_title = Disabling SystemRestore In Registry -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\\DisableSR" OR Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\\DisableConfig" OR Registry.registry_path= "*\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore\\DisableSR" OR Registry.registry_path= "*\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore\\DisableConfig" Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_systemrestore_in_registry_filter` - -[ESCU - Disabling Task Manager - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search is to identifies modification of registry to disable the task manager of windows operating system. this event or technique are commonly seen in malware such as RAT, Trojan, TrojanSpy or worm to prevent the user to terminate their process. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search is to identifies modification of registry to disable the task manager of windows operating system. this event or technique are commonly seen in malware such as RAT, Trojan, TrojanSpy or worm to prevent the user to terminate their process. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -action.escu.known_false_positives = admin may disable this application for non technical user. -action.escu.creation_date = 2024-04-26 -action.escu.modification_date = 2024-04-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Disabling Task Manager - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["NjRAT", "Windows Defense Evasion Tactics", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = The Windows Task Manager was disabled on $dest$ by $user$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 42}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 42}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Disabling Task Manager - Rule -action.correlationsearch.annotations = {"analytic_story": ["NjRAT", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "dac279bc-9202-11eb-b7fb-acde48001122", "detection_version": "5"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search is to identifies modification of registry to disable the task manager of windows operating system. this event or technique are commonly seen in malware such as RAT, Trojan, TrojanSpy or worm to prevent the user to terminate their process. -action.notable.param.rule_title = Disabling Task Manager -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr" Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_task_manager_filter` - -[ESCU - Disabling Windows Local Security Authority Defences via Registry - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the deletion of registry keys that disable Local Security Authority (LSA) protection and Microsoft Defender Device Guard. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on registry actions and paths associated with LSA and Device Guard settings. This activity is significant because disabling these defenses can leave a system vulnerable to various attacks, including credential theft and unauthorized code execution. If confirmed malicious, this action could allow attackers to bypass critical security mechanisms, leading to potential system compromise and persistent access. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1556"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the deletion of registry keys that disable Local Security Authority (LSA) protection and Microsoft Defender Device Guard. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on registry actions and paths associated with LSA and Device Guard settings. This activity is significant because disabling these defenses can leave a system vulnerable to various attacks, including credential theft and unauthorized code execution. If confirmed malicious, this action could allow attackers to bypass critical security mechanisms, leading to potential system compromise and persistent access. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Potential to be triggered by an administrator disabling protections for troubleshooting purposes. -action.escu.creation_date = 2024-05-19 -action.escu.modification_date = 2024-05-19 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Disabling Windows Local Security Authority Defences via Registry - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Windows Defense Evasion Tactics", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = An attempt to disable Windows LSA defences was detected on $dest$. The reg key $registry_path$ was deleted by $user$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 60}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 60}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Disabling Windows Local Security Authority Defences via Registry - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 100, "impact": 60, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1556"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "45cd08f8-a2c9-4f4e-baab-e1a0c624b0ab", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the deletion of registry keys that disable Local Security Authority (LSA) protection and Microsoft Defender Device Guard. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on registry actions and paths associated with LSA and Device Guard settings. This activity is significant because disabling these defenses can leave a system vulnerable to various attacks, including credential theft and unauthorized code execution. If confirmed malicious, this action could allow attackers to bypass critical security mechanisms, leading to potential system compromise and persistent access. -action.notable.param.rule_title = Disabling Windows Local Security Authority Defences via Registry -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` min(_time) as _time from datamodel=Endpoint.Registry where Registry.registry_path IN ("*\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\LsaCfgFlags", "*\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard\\*", "*\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\RunAsPPL") Registry.action IN (deleted, unknown) by Registry.action Registry.registry_path Registry.process_guid Registry.dest Registry.user| `drop_dm_object_name(Registry)` | join type=outer process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes by Processes.user Processes.process_name Processes.process Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)`] | table _time action dest user parent_process_name parent_process process_name process process_guid registry_path | `disabling_windows_local_security_authority_defences_via_registry_filter` - -[ESCU - DLLHost with no Command Line Arguments with Network - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies DLLHost.exe with no command line arguments with a network connection. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, triage any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint", "Network_Traffic"] -action.escu.eli5 = The following analytic identifies DLLHost.exe with no command line arguments with a network connection. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, triage any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Although unlikely, some legitimate third party applications may use a moved copy of dllhost, triggering a false positive. -action.escu.creation_date = 2023-07-10 -action.escu.modification_date = 2023-07-10 -action.escu.confidence = high -action.escu.full_search_name = ESCU - DLLHost with no Command Line Arguments with Network - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"] -action.risk = 1 -action.risk.param._risk_message = The process $process_name$ was spawned by $parent_process_name$ without any command-line arguments on $src$ by $user$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "parent_image", "risk_object_type": "other", "risk_score": 49}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - DLLHost with no Command Line Arguments with Network - Rule -action.correlationsearch.annotations = {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "f1c07594-a141-11eb-8407-acde48001122", "detection_version": "4"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies DLLHost.exe with no command line arguments with a network connection. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, triage any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. -action.notable.param.rule_title = DLLHost with no Command Line Arguments with Network -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_name=dllhost.exe Processes.action!="blocked" by host _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process="(?i)(dllhost\.exe.{0,4}$)" | rename dest as src | join host process_id [| tstats `security_content_summariesonly` count latest(All_Traffic.dest) as dest latest(All_Traffic.dest_ip) as dest_ip latest(All_Traffic.dest_port) as dest_port FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by host All_Traffic.process_id | `drop_dm_object_name(All_Traffic)`] | `dllhost_with_no_command_line_arguments_with_network_filter` - -[ESCU - DNS Exfiltration Using Nslookup App - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = this search is to detect potential DNS exfiltration using nslookup application. This technique are seen in couple of malware and APT group to exfiltrated collected data in a infected machine or infected network. This detection is looking for unique use of nslookup where it tries to use specific record type, TXT, A, AAAA, that are commonly used by attacker and also the retry parameter which is designed to query C2 DNS multiple tries. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = this search is to detect potential DNS exfiltration using nslookup application. This technique are seen in couple of malware and APT group to exfiltrated collected data in a infected machine or infected network. This detection is looking for unique use of nslookup where it tries to use specific record type, TXT, A, AAAA, that are commonly used by attacker and also the retry parameter which is designed to query C2 DNS multiple tries. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = admin nslookup usage -action.escu.creation_date = 2021-04-15 -action.escu.modification_date = 2021-04-15 -action.escu.confidence = high -action.escu.full_search_name = ESCU - DNS Exfiltration Using Nslookup App - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Command And Control", "Data Exfiltration", "Dynamic DNS", "Suspicious DNS Traffic"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ performing activity related to DNS exfiltration. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 72}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 72}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 72}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - DNS Exfiltration Using Nslookup App - Rule -action.correlationsearch.annotations = {"analytic_story": ["Command And Control", "Data Exfiltration", "Dynamic DNS", "Suspicious DNS Traffic"], "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "2452e632-9e0d-11eb-bacd-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = this search is to detect potential DNS exfiltration using nslookup application. This technique are seen in couple of malware and APT group to exfiltrated collected data in a infected machine or infected network. This detection is looking for unique use of nslookup where it tries to use specific record type, TXT, A, AAAA, that are commonly used by attacker and also the retry parameter which is designed to query C2 DNS multiple tries. -action.notable.param.rule_title = DNS Exfiltration Using Nslookup App -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id values(Processes.parent_process) as parent_process count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "nslookup.exe" Processes.process = "*-querytype=*" OR Processes.process="*-qt=*" OR Processes.process="*-q=*" OR Processes.process="-type=*" OR Processes.process="*-retry=*" by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dns_exfiltration_using_nslookup_app_filter` - -[ESCU - Domain Account Discovery with Dsquery - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic looks for the execution of `dsquery.exe` with command-line arguments utilized to discover domain users. The `user` argument returns a list of all users registered in the domain. Red Teams and adversaries alike engage in remote system discovery for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for the execution of `dsquery.exe` with command-line arguments utilized to discover domain users. The `user` argument returns a list of all users registered in the domain. Red Teams and adversaries alike engage in remote system discovery for situational awareness and Active Directory Discovery. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. -action.escu.creation_date = 2021-08-24 -action.escu.modification_date = 2021-08-24 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Domain Account Discovery with Dsquery - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Discovery"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Domain Account Discovery with Dsquery - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "b1a8ce04-04c2-11ec-bea7-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name="dsquery.exe" AND Processes.process = "*user*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_account_discovery_with_dsquery_filter` - -[ESCU - Domain Account Discovery With Net App - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic looks for the execution of `net.exe` or `net1.exe` with command-line arguments utilized to query for domain users. Red Teams and adversaries alike may use net.exe to enumerate domain users for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for the execution of `net.exe` or `net1.exe` with command-line arguments utilized to query for domain users. Red Teams and adversaries alike may use net.exe to enumerate domain users for situational awareness and Active Directory Discovery. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. -action.escu.creation_date = 2023-06-13 -action.escu.modification_date = 2023-06-13 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Domain Account Discovery With Net App - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Discovery", "Graceful Wipe Out Attack", "Rhysida Ransomware"] -action.risk = 1 -action.risk.param._risk_message = an instance of process $process_name$ with commandline $process$ in $dest$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Domain Account Discovery With Net App - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "Graceful Wipe Out Attack", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "98f6a534-04c2-11ec-96b2-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic looks for the execution of `net.exe` or `net1.exe` with command-line arguments utilized to query for domain users. Red Teams and adversaries alike may use net.exe to enumerate domain users for situational awareness and Active Directory Discovery. -action.notable.param.rule_title = Domain Account Discovery With Net App -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND Processes.process = "* user*" AND Processes.process = "*/do*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_account_discovery_with_net_app_filter` - -[ESCU - Domain Account Discovery with Wmic - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the execution of `wmic.exe` with command-line arguments used to query for domain users. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line patterns indicative of domain account discovery. This activity is significant as it often precedes lateral movement or privilege escalation attempts by adversaries. If confirmed malicious, this behavior could allow attackers to map out user accounts within the domain, facilitating further attacks and potentially compromising sensitive information. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the execution of `wmic.exe` with command-line arguments used to query for domain users. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line patterns indicative of domain account discovery. This activity is significant as it often precedes lateral movement or privilege escalation attempts by adversaries. If confirmed malicious, this behavior could allow attackers to map out user accounts within the domain, facilitating further attacks and potentially compromising sensitive information. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. -action.escu.creation_date = 2024-05-11 -action.escu.modification_date = 2024-05-11 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Domain Account Discovery with Wmic - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Discovery"] -action.risk = 1 -action.risk.param._risk_message = an instance of process $process_name$ with commandline $process$ in $dest$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Domain Account Discovery with Wmic - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "383572e0-04c5-11ec-bdcc-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the execution of `wmic.exe` with command-line arguments used to query for domain users. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line patterns indicative of domain account discovery. This activity is significant as it often precedes lateral movement or privilege escalation attempts by adversaries. If confirmed malicious, this behavior could allow attackers to map out user accounts within the domain, facilitating further attacks and potentially compromising sensitive information. -action.notable.param.rule_title = Domain Account Discovery with Wmic -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name="wmic.exe" AND Processes.process = "*/NAMESPACE:\\\\root\\directory\\ldap*" AND Processes.process = "*ds_user*" AND Processes.process = "*GET*" AND Processes.process = "*ds_samaccountname*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_account_discovery_with_wmic_filter` - -[ESCU - Domain Controller Discovery with Nltest - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic looks for the execution of `nltest.exe` with command-line arguments utilized to discover remote systems. The arguments `/dclist:` and '/dsgetdc:', can be used to return a list of all domain controllers. Red Teams and adversaries alike may use nltest.exe to identify domain controllers in a Windows Domain for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for the execution of `nltest.exe` with command-line arguments utilized to discover remote systems. The arguments `/dclist:` and '/dsgetdc:', can be used to return a list of all domain controllers. Red Teams and adversaries alike may use nltest.exe to identify domain controllers in a Windows Domain for situational awareness and Active Directory Discovery. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. -action.escu.creation_date = 2023-12-27 -action.escu.modification_date = 2023-12-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Domain Controller Discovery with Nltest - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Discovery", "CISA AA23-347A", "Rhysida Ransomware"] -action.risk = 1 -action.risk.param._risk_message = Domain controller discovery on $dest$ by $user$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 21}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Domain Controller Discovery with Nltest - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 70, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "41243735-89a7-4c83-bcdd-570aa78f00a1", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic looks for the execution of `nltest.exe` with command-line arguments utilized to discover remote systems. The arguments `/dclist:` and '/dsgetdc:', can be used to return a list of all domain controllers. Red Teams and adversaries alike may use nltest.exe to identify domain controllers in a Windows Domain for situational awareness and Active Directory Discovery. -action.notable.param.rule_title = Domain Controller Discovery with Nltest -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="nltest.exe") (Processes.process="*/dclist:*" OR Processes.process="*/dsgetdc:*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_controller_discovery_with_nltest_filter` - -[ESCU - Domain Controller Discovery with Wmic - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to discover remote systems. The arguments utilized in this command line return a list of all domain controllers in a Windows domain. Red Teams and adversaries alike use *.exe to identify remote systems for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to discover remote systems. The arguments utilized in this command line return a list of all domain controllers in a Windows domain. Red Teams and adversaries alike use *.exe to identify remote systems for situational awareness and Active Directory Discovery. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. -action.escu.creation_date = 2021-09-01 -action.escu.modification_date = 2021-09-01 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Domain Controller Discovery with Wmic - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Discovery"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Domain Controller Discovery with Wmic - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 70, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "64c7adaa-48ee-483c-b0d6-7175bc65e6cc", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="wmic.exe") (Processes.process="" OR Processes.process="*DomainControllerAddress*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_controller_discovery_with_wmic_filter` - -[ESCU - Domain Group Discovery with Adsisearcher - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain groups. Red Teams and adversaries may leverage `[Adsisearcher]` to enumerate domain groups for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain groups. Red Teams and adversaries may leverage `[Adsisearcher]` to enumerate domain groups for situational awareness and Active Directory Discovery. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = Administrators or power users may use Adsisearcher for troubleshooting. -action.escu.creation_date = 2024-04-26 -action.escu.modification_date = 2024-04-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Domain Group Discovery with Adsisearcher - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Discovery"] -action.risk = 1 -action.risk.param._risk_message = Domain group discovery enumeration using PowerShell on $dest$ by $user$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 18}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Domain Group Discovery with Adsisearcher - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 60, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "089c862f-5f83-49b5-b1c8-7e4ff66560c7", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain groups. Red Teams and adversaries may leverage `[Adsisearcher]` to enumerate domain groups for situational awareness and Active Directory Discovery. -action.notable.param.rule_title = Domain Group Discovery with Adsisearcher -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` (ScriptBlockText = "*[adsisearcher]*" AND ScriptBlockText = "*(objectcategory=group)*" AND ScriptBlockText = "*findAll()*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest |rename UserID as user | `security_content_ctime(firstTime)` | `domain_group_discovery_with_adsisearcher_filter` - -[ESCU - Domain Group Discovery With Dsquery - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic looks for the execution of `dsquery.exe` with command-line arguments utilized to query for domain groups. The argument `group`, returns a list of all domain groups. Red Teams and adversaries alike use may leverage dsquery.exe to enumerate domain groups for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for the execution of `dsquery.exe` with command-line arguments utilized to query for domain groups. The argument `group`, returns a list of all domain groups. Red Teams and adversaries alike use may leverage dsquery.exe to enumerate domain groups for situational awareness and Active Directory Discovery. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. -action.escu.creation_date = 2021-09-01 -action.escu.modification_date = 2021-09-01 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Domain Group Discovery With Dsquery - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Discovery"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Domain Group Discovery With Dsquery - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "f0c9d62f-a232-4edd-b17e-bc409fb133d4", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="dsquery.exe") (Processes.process="*group*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_group_discovery_with_dsquery_filter` - -[ESCU - Domain Group Discovery With Net - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic looks for the execution of `net.exe` with command-line arguments utilized to query for domain groups. The argument `group /domain`, returns a list of all domain groups. Red Teams and adversaries alike use net.exe to enumerate domain groups for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for the execution of `net.exe` with command-line arguments utilized to query for domain groups. The argument `group /domain`, returns a list of all domain groups. Red Teams and adversaries alike use net.exe to enumerate domain groups for situational awareness and Active Directory Discovery. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. -action.escu.creation_date = 2023-06-13 -action.escu.modification_date = 2023-06-13 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Domain Group Discovery With Net - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Discovery", "Graceful Wipe Out Attack", "Prestige Ransomware", "Rhysida Ransomware", "Windows Post-Exploitation"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Domain Group Discovery With Net - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "Graceful Wipe Out Attack", "Prestige Ransomware", "Rhysida Ransomware", "Windows Post-Exploitation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "f2f14ac7-fa81-471a-80d5-7eb65c3c7349", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="net.exe" OR Processes.process_name="net1.exe") (Processes.process=*group* AND Processes.process=*/do*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_group_discovery_with_net_filter` - -[ESCU - Domain Group Discovery With Wmic - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to query for domain groups. The arguments utilized in this command return a list of all domain groups. Red Teams and adversaries alike use wmic.exe to enumerate domain groups for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to query for domain groups. The arguments utilized in this command return a list of all domain groups. Red Teams and adversaries alike use wmic.exe to enumerate domain groups for situational awareness and Active Directory Discovery. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. -action.escu.creation_date = 2021-08-25 -action.escu.modification_date = 2021-08-25 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Domain Group Discovery With Wmic - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Discovery"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Domain Group Discovery With Wmic - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a87736a6-95cd-4728-8689-3c64d5026b3e", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="wmic.exe") (Processes.process=*/NAMESPACE:\\\\root\\directory\\ldap* AND Processes.process=*ds_group* AND Processes.process="*GET ds_samaccountname*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_group_discovery_with_wmic_filter` - -[ESCU - Download Files Using Telegram - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic will identify a suspicious download by the Telegram application on a Windows system. This behavior was identified on a honeypot where the adversary gained access, installed Telegram and followed through with downloading different network scanners (port, bruteforcer, masscan) to the system and later used to mapped the whole network and further move laterally. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic will identify a suspicious download by the Telegram application on a Windows system. This behavior was identified on a honeypot where the adversary gained access, installed Telegram and followed through with downloading different network scanners (port, bruteforcer, masscan) to the system and later used to mapped the whole network and further move laterally. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and TargetFilename from your endpoints or Events that monitor filestream events which is happened when process download something. (EventCode 15) If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -action.escu.known_false_positives = normal download of file in telegram app. (if it was a common app in network) -action.escu.creation_date = 2021-05-06 -action.escu.modification_date = 2021-05-06 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Download Files Using Telegram - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["Phemedrone Stealer", "Snake Keylogger", "XMRig"] -action.risk = 1 -action.risk.param._risk_message = Suspicious files were downloaded with the Telegram application on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Download Files Using Telegram - Rule -action.correlationsearch.annotations = {"analytic_story": ["Phemedrone Stealer", "Snake Keylogger", "XMRig"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "58194e28-ae5e-11eb-8912-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic will identify a suspicious download by the Telegram application on a Windows system. This behavior was identified on a honeypot where the adversary gained access, installed Telegram and followed through with downloading different network scanners (port, bruteforcer, masscan) to the system and later used to mapped the whole network and further move laterally. -action.notable.param.rule_title = Download Files Using Telegram -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode= 15 process_name = "telegram.exe" TargetFilename = "*:Zone.Identifier" |stats count min(_time) as firstTime max(_time) as lastTime by dest EventCode process_name process_id TargetFilename Hash | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `download_files_using_telegram_filter` - -[ESCU - Drop IcedID License dat - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search is to detect dropping a suspicious file named as "license.dat" in %appdata%. This behavior seen in latest IcedID malware that contain the actual core bot that will be injected in other process to do banking stealing. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204", "T1204.002"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search is to detect dropping a suspicious file named as "license.dat" in %appdata%. This behavior seen in latest IcedID malware that contain the actual core bot that will be injected in other process to do banking stealing. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2021-07-30 -action.escu.modification_date = 2021-07-30 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Drop IcedID License dat - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["IcedID"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Drop IcedID License dat - Rule -action.correlationsearch.annotations = {"analytic_story": ["IcedID"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204", "T1204.002"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "b7a045fc-f14a-11eb-8e79-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode= 11 TargetFilename = "*\\license.dat" AND (TargetFilename="*\\appdata\\*" OR TargetFilename="*\\programdata\\*") |stats count min(_time) as firstTime max(_time) as lastTime by TargetFilename EventCode process_id process_name dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_icedid_license_dat_filter` - -[ESCU - DSQuery Domain Discovery - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies "dsquery.exe" execution with arguments looking for `TrustedDomain` query directly on the command-line. This is typically indicative of an Administrator or adversary perform domain trust discovery. Note that this query does not identify any other variations of "Dsquery.exe" usage. \ -Within this detection, it is assumed `dsquery.exe` is not moved or renamed. \ -The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process "dsquery.exe" and its parent process. \ -DSQuery.exe is natively found in `C:\Windows\system32` and `C:\Windows\syswow64` and only on Server operating system. \ -The following DLL(s) are loaded when DSQuery.exe is launched `dsquery.dll`. If found loaded by another process, it is possible dsquery is running within that process context in memory. \ -In addition to trust discovery, review parallel processes for additional behaviors performed. Identify the parent process and capture any files (batch files, for example) being used. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1482"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies "dsquery.exe" execution with arguments looking for `TrustedDomain` query directly on the command-line. This is typically indicative of an Administrator or adversary perform domain trust discovery. Note that this query does not identify any other variations of "Dsquery.exe" usage. \ -Within this detection, it is assumed `dsquery.exe` is not moved or renamed. \ -The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process "dsquery.exe" and its parent process. \ -DSQuery.exe is natively found in `C:\Windows\system32` and `C:\Windows\syswow64` and only on Server operating system. \ -The following DLL(s) are loaded when DSQuery.exe is launched `dsquery.dll`. If found loaded by another process, it is possible dsquery is running within that process context in memory. \ -In addition to trust discovery, review parallel processes for additional behaviors performed. Identify the parent process and capture any files (batch files, for example) being used. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Limited false positives. If there is a true false positive, filter based on command-line or parent process. -action.escu.creation_date = 2021-03-31 -action.escu.modification_date = 2021-03-31 -action.escu.confidence = high -action.escu.full_search_name = ESCU - DSQuery Domain Discovery - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Discovery", "Domain Trust Discovery"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified performing domain discovery on endpoint $dest$ by user $user$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 72}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 72}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 72}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - DSQuery Domain Discovery - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "Domain Trust Discovery"], "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1482"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "cc316032-924a-11eb-91a2-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies "dsquery.exe" execution with arguments looking for `TrustedDomain` query directly on the command-line. This is typically indicative of an Administrator or adversary perform domain trust discovery. Note that this query does not identify any other variations of "Dsquery.exe" usage. \ -Within this detection, it is assumed `dsquery.exe` is not moved or renamed. \ -The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process "dsquery.exe" and its parent process. \ -DSQuery.exe is natively found in `C:\Windows\system32` and `C:\Windows\syswow64` and only on Server operating system. \ -The following DLL(s) are loaded when DSQuery.exe is launched `dsquery.dll`. If found loaded by another process, it is possible dsquery is running within that process context in memory. \ -In addition to trust discovery, review parallel processes for additional behaviors performed. Identify the parent process and capture any files (batch files, for example) being used. -action.notable.param.rule_title = DSQuery Domain Discovery -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=dsquery.exe Processes.process=*trustedDomain* by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dsquery_domain_discovery_filter` - -[ESCU - Dump LSASS via comsvcs DLL - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the behavior of dumping credentials from memory, a tactic commonly used by adversaries to exploit the Local Security Authority Subsystem Service (LSASS) in Windows, which manages system-level authentication. The detection is made by monitoring logs with process information from endpoints and identifying instances where the rundll32 process is used in conjunction with the comsvcs.dll and MiniDump. This indicates potential LSASS dumping attempts used by threat actors to obtain valuable credentials. The detection is important because credential theft can lead to broader system compromise, persistence, lateral movement, and escalated privileges. No legitimate use of this technique has been identified yet. This behavior is often part of more extensive attack campaigns and is associated with numerous threat groups that use the stolen credentials to access sensitive information or systems, leading to data theft, ransomware attacks, or other damaging outcomes. False positives can occur since legitimate uses of the LSASS process can cause benign activities to be flagged. Next steps include reviewing the processes involved in the LSASS dumping attempt after triage and inspecting any relevant on-disk artifacts and concurrent processes to identify the attack source. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the behavior of dumping credentials from memory, a tactic commonly used by adversaries to exploit the Local Security Authority Subsystem Service (LSASS) in Windows, which manages system-level authentication. The detection is made by monitoring logs with process information from endpoints and identifying instances where the rundll32 process is used in conjunction with the comsvcs.dll and MiniDump. This indicates potential LSASS dumping attempts used by threat actors to obtain valuable credentials. The detection is important because credential theft can lead to broader system compromise, persistence, lateral movement, and escalated privileges. No legitimate use of this technique has been identified yet. This behavior is often part of more extensive attack campaigns and is associated with numerous threat groups that use the stolen credentials to access sensitive information or systems, leading to data theft, ransomware attacks, or other damaging outcomes. False positives can occur since legitimate uses of the LSASS process can cause benign activities to be flagged. Next steps include reviewing the processes involved in the LSASS dumping attempt after triage and inspecting any relevant on-disk artifacts and concurrent processes to identify the attack source. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = None identified. -action.escu.creation_date = 2023-04-14 -action.escu.modification_date = 2023-04-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Dump LSASS via comsvcs DLL - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["CISA AA22-257A", "CISA AA22-264A", "Credential Dumping", "Data Destruction", "Flax Typhoon", "HAFNIUM Group", "Industroyer2", "Living Off The Land", "Prestige Ransomware", "Suspicious Rundll32 Activity", "Volt Typhoon"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified accessing credentials using comsvcs.dll on endpoint $dest$ by user $user$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Dump LSASS via comsvcs DLL - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA22-257A", "CISA AA22-264A", "Credential Dumping", "Data Destruction", "Flax Typhoon", "HAFNIUM Group", "Industroyer2", "Living Off The Land", "Prestige Ransomware", "Suspicious Rundll32 Activity", "Volt Typhoon"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "8943b567-f14d-4ee8-a0bb-2121d4ce3184", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the behavior of dumping credentials from memory, a tactic commonly used by adversaries to exploit the Local Security Authority Subsystem Service (LSASS) in Windows, which manages system-level authentication. The detection is made by monitoring logs with process information from endpoints and identifying instances where the rundll32 process is used in conjunction with the comsvcs.dll and MiniDump. This indicates potential LSASS dumping attempts used by threat actors to obtain valuable credentials. The detection is important because credential theft can lead to broader system compromise, persistence, lateral movement, and escalated privileges. No legitimate use of this technique has been identified yet. This behavior is often part of more extensive attack campaigns and is associated with numerous threat groups that use the stolen credentials to access sensitive information or systems, leading to data theft, ransomware attacks, or other damaging outcomes. False positives can occur since legitimate uses of the LSASS process can cause benign activities to be flagged. Next steps include reviewing the processes involved in the LSASS dumping attempt after triage and inspecting any relevant on-disk artifacts and concurrent processes to identify the attack source. -action.notable.param.rule_title = Dump LSASS via comsvcs DLL -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*comsvcs.dll* Processes.process=*MiniDump* by Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dump_lsass_via_comsvcs_dll_filter` - -[ESCU - Dump LSASS via procdump - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = Detect procdump.exe dumping the lsass process. This query looks for both -mm and -ma usage. -mm will produce a mini dump file and -ma will write a dump file with all process memory. Both are highly suspect and should be reviewed. This query does not monitor for the internal name (original_file_name=procdump) of the PE or look for procdump64.exe. Modify the query as needed. \ -During triage, confirm this is procdump.exe executing. If it is the first time a Sysinternals utility has been ran, it is possible there will be a -accepteula on the command line. Review other endpoint data sources for cross process (injection) into lsass.exe. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = Detect procdump.exe dumping the lsass process. This query looks for both -mm and -ma usage. -mm will produce a mini dump file and -ma will write a dump file with all process memory. Both are highly suspect and should be reviewed. This query does not monitor for the internal name (original_file_name=procdump) of the PE or look for procdump64.exe. Modify the query as needed. \ -During triage, confirm this is procdump.exe executing. If it is the first time a Sysinternals utility has been ran, it is possible there will be a -accepteula on the command line. Review other endpoint data sources for cross process (injection) into lsass.exe. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = None identified. -action.escu.creation_date = 2022-08-31 -action.escu.modification_date = 2022-08-31 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Dump LSASS via procdump - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["CISA AA22-257A", "Credential Dumping", "HAFNIUM Group"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified attempting to dump lsass.exe on endpoint $dest$ by user $user$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Dump LSASS via procdump - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA22-257A", "Credential Dumping", "HAFNIUM Group"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "3742ebfe-64c2-11eb-ae93-0242ac130002", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = Detect procdump.exe dumping the lsass process. This query looks for both -mm and -ma usage. -mm will produce a mini dump file and -ma will write a dump file with all process memory. Both are highly suspect and should be reviewed. This query does not monitor for the internal name (original_file_name=procdump) of the PE or look for procdump64.exe. Modify the query as needed. \ -During triage, confirm this is procdump.exe executing. If it is the first time a Sysinternals utility has been ran, it is possible there will be a -accepteula on the command line. Review other endpoint data sources for cross process (injection) into lsass.exe. -action.notable.param.rule_title = Dump LSASS via procdump -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_procdump` (Processes.process=*-ma* OR Processes.process=*-mm*) Processes.process=*lsass* by Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dump_lsass_via_procdump_filter` - -[ESCU - Elevated Group Discovery With Net - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic looks for the execution of `net.exe` or `net1.exe` with command-line arguments utilized to query for specific elevated domain groups. Red Teams and adversaries alike use net.exe to enumerate elevated domain groups for situational awareness and Active Directory Discovery to identify high privileged users. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for the execution of `net.exe` or `net1.exe` with command-line arguments utilized to query for specific elevated domain groups. Red Teams and adversaries alike use net.exe to enumerate elevated domain groups for situational awareness and Active Directory Discovery to identify high privileged users. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. -action.escu.creation_date = 2021-08-25 -action.escu.modification_date = 2021-08-25 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Elevated Group Discovery With Net - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Discovery", "Rhysida Ransomware", "Volt Typhoon"] -action.risk = 1 -action.risk.param._risk_message = Elevated domain group discovery enumeration on $dest$ by $user$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 21}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Elevated Group Discovery With Net - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "Rhysida Ransomware", "Volt Typhoon"], "cis20": ["CIS 10"], "confidence": 70, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a23a0e20-0b1b-4a07-82e5-ec5f70811e7a", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic looks for the execution of `net.exe` or `net1.exe` with command-line arguments utilized to query for specific elevated domain groups. Red Teams and adversaries alike use net.exe to enumerate elevated domain groups for situational awareness and Active Directory Discovery to identify high privileged users. -action.notable.param.rule_title = Elevated Group Discovery With Net -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="net.exe" OR Processes.process_name="net1.exe") (Processes.process="*group*" AND Processes.process="*/do*") (Processes.process="*Domain Admins*" OR Processes.process="*Enterprise Admins*" OR Processes.process="*Schema Admins*" OR Processes.process="*Account Operators*" OR Processes.process="*Server Operators*" OR Processes.process="*Protected Users*" OR Processes.process="*Dns Admins*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `elevated_group_discovery_with_net_filter` - -[ESCU - Elevated Group Discovery with PowerView - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainGroupMember` commandlet. `Get-DomainGroupMember` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. As the name suggests, `Get-DomainGroupMember` is used to list the members of an specific domain group. Red Teams and adversaries alike use PowerView to enumerate elevated domain groups for situational awareness and Active Directory Discovery to identify high privileged users. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainGroupMember` commandlet. `Get-DomainGroupMember` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. As the name suggests, `Get-DomainGroupMember` is used to list the members of an specific domain group. Red Teams and adversaries alike use PowerView to enumerate elevated domain groups for situational awareness and Active Directory Discovery to identify high privileged users. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = Administrators or power users may use this PowerView for troubleshooting. -action.escu.creation_date = 2024-02-14 -action.escu.modification_date = 2024-02-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Elevated Group Discovery with PowerView - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Discovery"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Elevated Group Discovery with PowerView - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 70, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "10d62950-0de5-4199-a710-cff9ea79b413", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 (Message = "*Get-DomainGroupMember*") AND Message IN ("*Domain Admins*","*Enterprise Admins*", "*Schema Admins*", "*Account Operators*" , "*Server Operators*", "*Protected Users*", "*Dns Admins*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Message ComputerName User | rename ComputerName as dest, User as user | `security_content_ctime(firstTime)` | `elevated_group_discovery_with_powerview_filter` - -[ESCU - Elevated Group Discovery With Wmic - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to query for specific domain groups. Red Teams and adversaries alike use net.exe to enumerate elevated domain groups for situational awareness and Active Directory Discovery to identify high privileged users. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to query for specific domain groups. Red Teams and adversaries alike use net.exe to enumerate elevated domain groups for situational awareness and Active Directory Discovery to identify high privileged users. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. -action.escu.creation_date = 2021-08-25 -action.escu.modification_date = 2021-08-25 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Elevated Group Discovery With Wmic - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Discovery"] -action.risk = 1 -action.risk.param._risk_message = Elevated domain group discovery enumeration on $dest$ by $user$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 21}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Elevated Group Discovery With Wmic - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 70, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "3f6bbf22-093e-4cb4-9641-83f47b8444b6", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to query for specific domain groups. Red Teams and adversaries alike use net.exe to enumerate elevated domain groups for situational awareness and Active Directory Discovery to identify high privileged users. -action.notable.param.rule_title = Elevated Group Discovery With Wmic -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="wmic.exe") (Processes.process=*/NAMESPACE:\\\\root\\directory\\ldap*) (Processes.process="*Domain Admins*" OR Processes.process="*Enterprise Admins*" OR Processes.process="*Schema Admins*" OR Processes.process="*Account Operators*" OR Processes.process="*Server Operators*" OR Processes.process="*Protected Users*" OR Processes.process="*Dns Admins*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `elevated_group_discovery_with_wmic_filter` - -[ESCU - Enable RDP In Other Port Number - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search is to detect a modification to registry to enable rdp to a machine with different port number. This technique was seen in some atttacker tries to do lateral movement and remote access to a compromised machine to gain control of it. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search is to detect a modification to registry to enable rdp to a machine with different port number. This technique was seen in some atttacker tries to do lateral movement and remote access to a compromised machine to gain control of it. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-04-27 -action.escu.modification_date = 2023-04-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Enable RDP In Other Port Number - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Prohibited Traffic Allowed or Protocol Mismatch", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = RDP was moved to a non-standard port on $dest$ by $user$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Enable RDP In Other Port Number - Rule -action.correlationsearch.annotations = {"analytic_story": ["Prohibited Traffic Allowed or Protocol Mismatch", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "99495452-b899-11eb-96dc-acde48001122", "detection_version": "4"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search is to detect a modification to registry to enable rdp to a machine with different port number. This technique was seen in some atttacker tries to do lateral movement and remote access to a compromised machine to gain control of it. -action.notable.param.rule_title = Enable RDP In Other Port Number -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp*" Registry.registry_value_name = "PortNumber") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `enable_rdp_in_other_port_number_filter` - -[ESCU - Enable WDigest UseLogonCredential Registry - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is to detect a suspicious registry modification to enable plain text credential feature of windows. This technique was used by several malware and also by mimikatz to be able to dumpe the a plain text credential to the compromised or target host. This TTP is really a good indicator that someone wants to dump the crendential of the host so it must be a good pivot for credential dumping techniques. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112", "T1003"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is to detect a suspicious registry modification to enable plain text credential feature of windows. This technique was used by several malware and also by mimikatz to be able to dumpe the a plain text credential to the compromised or target host. This TTP is really a good indicator that someone wants to dump the crendential of the host so it must be a good pivot for credential dumping techniques. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-04-27 -action.escu.modification_date = 2023-04-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Enable WDigest UseLogonCredential Registry - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["CISA AA22-320A", "Credential Dumping", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = wdigest registry $registry_path$ was modified in $dest$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Enable WDigest UseLogonCredential Registry - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA22-320A", "Credential Dumping", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112", "T1003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "0c7d8ffe-25b1-11ec-9f39-acde48001122", "detection_version": "4"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic is to detect a suspicious registry modification to enable plain text credential feature of windows. This technique was used by several malware and also by mimikatz to be able to dumpe the a plain text credential to the compromised or target host. This TTP is really a good indicator that someone wants to dump the crendential of the host so it must be a good pivot for credential dumping techniques. -action.notable.param.rule_title = Enable WDigest UseLogonCredential Registry -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\*" Registry.registry_value_name = "UseLogonCredential" Registry.registry_value_data=0x00000001) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `enable_wdigest_uselogoncredential_registry_filter` - -[ESCU - Enumerate Users Local Group Using Telegram - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic will detect a suspicious Telegram process enumerating all network users in a local group. This technique was seen in a Monero infected honeypot to mapped all the users on the compromised system. EventCode 4798 is generated when a process enumerates a user's security-enabled local groups on a computer or device. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic will detect a suspicious Telegram process enumerating all network users in a local group. This technique was seen in a Monero infected honeypot to mapped all the users on the compromised system. EventCode 4798 is generated when a process enumerates a user's security-enabled local groups on a computer or device. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the Task Schedule (Exa. Security Log EventCode 4798) endpoints. Tune and filter known instances of process like logonUI used in your environment. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2024-04-26 -action.escu.modification_date = 2024-04-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Enumerate Users Local Group Using Telegram - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["XMRig"] -action.risk = 1 -action.risk.param._risk_message = The Telegram application has been identified enumerating local groups on $dest$ by $user$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Enumerate Users Local Group Using Telegram - Rule -action.correlationsearch.annotations = {"analytic_story": ["XMRig"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "fcd74532-ae54-11eb-a5ab-acde48001122", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic will detect a suspicious Telegram process enumerating all network users in a local group. This technique was seen in a Monero infected honeypot to mapped all the users on the compromised system. EventCode 4798 is generated when a process enumerates a user's security-enabled local groups on a computer or device. -action.notable.param.rule_title = Enumerate Users Local Group Using Telegram -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4798 CallerProcessName = "*\\telegram.exe" | stats count min(_time) as firstTime max(_time) as lastTime by user Computer EventCode CallerProcessName ProcessID SubjectUserSid SubjectDomainName SubjectLogonId | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `enumerate_users_local_group_using_telegram_filter` - -[ESCU - Esentutl SAM Copy - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the process - `esentutl.exe` - being used to capture credentials stored in ntds.dit or the SAM file on disk. During triage, review parallel processes and determine if legitimate activity. Upon determination of illegitimate activity, take further action to isolate and contain the threat. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the process - `esentutl.exe` - being used to capture credentials stored in ntds.dit or the SAM file on disk. During triage, review parallel processes and determine if legitimate activity. Upon determination of illegitimate activity, take further action to isolate and contain the threat. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives should be limited. Filter as needed. -action.escu.creation_date = 2021-08-18 -action.escu.modification_date = 2021-08-18 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Esentutl SAM Copy - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Credential Dumping", "Living Off The Land"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Esentutl SAM Copy - Rule -action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "d372f928-ce4f-11eb-a762-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_esentutl` Processes.process IN ("*ntds*", "*SAM*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `esentutl_sam_copy_filter` - -[ESCU - ETW Registry Disabled - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects a registry modification that disables the Event Tracing for Windows (ETW) feature. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the ETWEnabled registry value under the .NETFramework path. This activity is significant because disabling ETW can allow attackers to evade Endpoint Detection and Response (EDR) tools and hide their execution from audit logs. If confirmed malicious, this action could enable attackers to operate undetected, potentially leading to further compromise and persistent access within the environment. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.006", "T1127", "T1562"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects a registry modification that disables the Event Tracing for Windows (ETW) feature. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the ETWEnabled registry value under the .NETFramework path. This activity is significant because disabling ETW can allow attackers to evade Endpoint Detection and Response (EDR) tools and hide their execution from audit logs. If confirmed malicious, this action could enable attackers to operate undetected, potentially leading to further compromise and persistent access within the environment. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -action.escu.known_false_positives = unknown -action.escu.creation_date = 2024-05-10 -action.escu.modification_date = 2024-05-10 -action.escu.confidence = high -action.escu.full_search_name = ESCU - ETW Registry Disabled - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["CISA AA23-347A", "Data Destruction", "Hermetic Wiper", "Windows Persistence Techniques", "Windows Privilege Escalation", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = Modified/added/deleted registry entry $registry_path$ in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 90}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 90}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - ETW Registry Disabled - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A", "Data Destruction", "Hermetic Wiper", "Windows Persistence Techniques", "Windows Privilege Escalation", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.006", "T1127", "T1562"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "8ed523ac-276b-11ec-ac39-acde48001122", "detection_version": "5"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects a registry modification that disables the Event Tracing for Windows (ETW) feature. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the ETWEnabled registry value under the .NETFramework path. This activity is significant because disabling ETW can allow attackers to evade Endpoint Detection and Response (EDR) tools and hide their execution from audit logs. If confirmed malicious, this action could enable attackers to operate undetected, potentially leading to further compromise and persistent access within the environment. -action.notable.param.rule_title = ETW Registry Disabled -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*\\SOFTWARE\\Microsoft\\.NETFramework*" Registry.registry_value_name = ETWEnabled Registry.registry_value_data=0x00000000) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `etw_registry_disabled_filter` - -[ESCU - Eventvwr UAC Bypass - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following search identifies Eventvwr bypass by identifying the registry modification into a specific path that eventvwr.msc looks to (but is not valid) upon execution. A successful attack will include a suspicious command to be executed upon eventvwr.msc loading. Upon triage, review the parallel processes that have executed. Identify any additional registry modifications on the endpoint that may look suspicious. Remediate as necessary. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following search identifies Eventvwr bypass by identifying the registry modification into a specific path that eventvwr.msc looks to (but is not valid) upon execution. A successful attack will include a suspicious command to be executed upon eventvwr.msc loading. Upon triage, review the parallel processes that have executed. Identify any additional registry modifications on the endpoint that may look suspicious. Remediate as necessary. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Some false positives may be present and will need to be filtered. -action.escu.creation_date = 2022-11-14 -action.escu.modification_date = 2022-11-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Eventvwr UAC Bypass - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["IcedID", "Living Off The Land", "Windows Defense Evasion Tactics", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = Registry values were modified to bypass UAC using Event Viewer on $dest$ by $user$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Eventvwr UAC Bypass - Rule -action.correlationsearch.annotations = {"analytic_story": ["IcedID", "Living Off The Land", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "9cf8fe08-7ad8-11eb-9819-acde48001122", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following search identifies Eventvwr bypass by identifying the registry modification into a specific path that eventvwr.msc looks to (but is not valid) upon execution. A successful attack will include a suspicious command to be executed upon eventvwr.msc loading. Upon triage, review the parallel processes that have executed. Identify any additional registry modifications on the endpoint that may look suspicious. Remediate as necessary. -action.notable.param.rule_title = Eventvwr UAC Bypass -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*mscfile\\shell\\open\\command\\*") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `eventvwr_uac_bypass_filter` - -[ESCU - Excel Spawning PowerShell - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following detection identifies Microsoft Excel spawning PowerShell. Typically, this is not common behavior and not default with Excel.exe. Excel.exe will generally be found in the following path `C:\Program Files\Microsoft Office\root\Office16` (version will vary). PowerShell spawning from Excel.exe is common for a spearphishing attachment and is actively used. Albeit, the command executed will most likely be encoded and captured via another detection. During triage, review parallel processes and identify any files that may have been written. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following detection identifies Microsoft Excel spawning PowerShell. Typically, this is not common behavior and not default with Excel.exe. Excel.exe will generally be found in the following path `C:\Program Files\Microsoft Office\root\Office16` (version will vary). PowerShell spawning from Excel.exe is common for a spearphishing attachment and is actively used. Albeit, the command executed will most likely be encoded and captured via another detection. During triage, review parallel processes and identify any files that may have been written. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives should be limited, but if any are present, filter as needed. -action.escu.creation_date = 2023-11-07 -action.escu.modification_date = 2023-11-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Excel Spawning PowerShell - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Spearphishing Attachments"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$, indicating potential suspicious macro execution. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Excel Spawning PowerShell - Rule -action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "42d40a22-9be3-11eb-8f08-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following detection identifies Microsoft Excel spawning PowerShell. Typically, this is not common behavior and not default with Excel.exe. Excel.exe will generally be found in the following path `C:\Program Files\Microsoft Office\root\Office16` (version will vary). PowerShell spawning from Excel.exe is common for a spearphishing attachment and is actively used. Albeit, the command executed will most likely be encoded and captured via another detection. During triage, review parallel processes and identify any files that may have been written. -action.notable.param.rule_title = Excel Spawning PowerShell -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count values(Processes.process) min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name="excel.exe" `process_powershell` by Processes.parent_process Processes.parent_process_name Processes.process_name Processes.user Processes.dest Processes.original_file_name | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `excel_spawning_powershell_filter` - -[ESCU - Excel Spawning Windows Script Host - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following detection identifies Microsoft Excel spawning Windows Script Host - `cscript.exe` or `wscript.exe`. Typically, this is not common behavior and not default with Excel.exe. Excel.exe will generally be found in the following path `C:\Program Files\Microsoft Office\root\Office16` (version will vary). `cscript.exe` or `wscript.exe` default location is `c:\windows\system32\` or c:windows\syswow64`. `cscript.exe` or `wscript.exe` spawning from Excel.exe is common for a spearphishing attachment and is actively used. Albeit, the command-line executed will most likely be obfuscated and captured via another detection. During triage, review parallel processes and identify any files that may have been written. Review the reputation of the remote destination and block accordingly. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following detection identifies Microsoft Excel spawning Windows Script Host - `cscript.exe` or `wscript.exe`. Typically, this is not common behavior and not default with Excel.exe. Excel.exe will generally be found in the following path `C:\Program Files\Microsoft Office\root\Office16` (version will vary). `cscript.exe` or `wscript.exe` default location is `c:\windows\system32\` or c:windows\syswow64`. `cscript.exe` or `wscript.exe` spawning from Excel.exe is common for a spearphishing attachment and is actively used. Albeit, the command-line executed will most likely be obfuscated and captured via another detection. During triage, review parallel processes and identify any files that may have been written. Review the reputation of the remote destination and block accordingly. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives should be limited, but if any are present, filter as needed. In some instances, `cscript.exe` is used for legitimate business practices. -action.escu.creation_date = 2023-11-07 -action.escu.modification_date = 2023-11-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Excel Spawning Windows Script Host - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Spearphishing Attachments"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$, indicating potential suspicious macro execution. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Excel Spawning Windows Script Host - Rule -action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "57fe880a-9be3-11eb-9bf3-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following detection identifies Microsoft Excel spawning Windows Script Host - `cscript.exe` or `wscript.exe`. Typically, this is not common behavior and not default with Excel.exe. Excel.exe will generally be found in the following path `C:\Program Files\Microsoft Office\root\Office16` (version will vary). `cscript.exe` or `wscript.exe` default location is `c:\windows\system32\` or c:windows\syswow64`. `cscript.exe` or `wscript.exe` spawning from Excel.exe is common for a spearphishing attachment and is actively used. Albeit, the command-line executed will most likely be obfuscated and captured via another detection. During triage, review parallel processes and identify any files that may have been written. Review the reputation of the remote destination and block accordingly. -action.notable.param.rule_title = Excel Spawning Windows Script Host -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count values(Processes.process) min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name="excel.exe" Processes.process_name IN ("cscript.exe", "wscript.exe") by Processes.parent_process Processes.parent_process_name Processes.process_name Processes.user Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `excel_spawning_windows_script_host_filter` - -[ESCU - Excessive Attempt To Disable Services - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a suspicious series of command-line executions attempting to disable multiple services. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on processes where "sc.exe" is used with parameters like "config" or "Disabled" within a short time frame. This activity is significant as it may indicate an adversary's attempt to disable security or other critical services to further compromise the system. If confirmed malicious, this could lead to the attacker achieving persistence, evading detection, or disabling security mechanisms, thereby increasing the risk of further exploitation. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a suspicious series of command-line executions attempting to disable multiple services. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on processes where "sc.exe" is used with parameters like "config" or "Disabled" within a short time frame. This activity is significant as it may indicate an adversary's attempt to disable security or other critical services to further compromise the system. If confirmed malicious, this could lead to the attacker achieving persistence, evading detection, or disabling security mechanisms, thereby increasing the risk of further exploitation. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2024-05-04 -action.escu.modification_date = 2024-05-04 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Excessive Attempt To Disable Services - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Azorult", "XMRig"] -action.risk = 1 -action.risk.param._risk_message = An excessive amount of $process_name$ was executed on $dest$ attempting to disable services. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Excessive Attempt To Disable Services - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azorult", "XMRig"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "8fa2a0f0-acd9-11eb-8994-acde48001122", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "sc.exe" AND Processes.process="*config*" OR Processes.process="*Disabled*" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user _time span=1m | where count >=4 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_attempt_to_disable_services_filter` - -[ESCU - Excessive distinct processes from Windows Temp - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic will identify suspicious series of process executions. We have observed that post exploit framework tools like Koadic and Meterpreter will launch an excessive number of processes with distinct file paths from Windows\Temp to execute actions on objective. This behavior is extremely anomalous compared to typical application behaviors that use Windows\Temp. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic will identify suspicious series of process executions. We have observed that post exploit framework tools like Koadic and Meterpreter will launch an excessive number of processes with distinct file paths from Windows\Temp to execute actions on objective. This behavior is extremely anomalous compared to typical application behaviors that use Windows\Temp. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Many benign applications will create processes from executables in Windows\Temp, although unlikely to exceed the given threshold. Filter as needed. -action.escu.creation_date = 2024-04-26 -action.escu.modification_date = 2024-04-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Excessive distinct processes from Windows Temp - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Meterpreter"] -action.risk = 1 -action.risk.param._risk_message = Multiple processes were executed out of windows\temp within a short amount of time on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Excessive distinct processes from Windows Temp - Rule -action.correlationsearch.annotations = {"analytic_story": ["Meterpreter"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "23587b6a-c479-11eb-b671-acde48001122", "detection_version": "3"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` values(Processes.process) as process distinct_count(Processes.process) as distinct_process_count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_path = "*\\Windows\\Temp\\*" by Processes.dest Processes.user _time span=20m | where distinct_process_count > 37 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_distinct_processes_from_windows_temp_filter` - -[ESCU - Excessive File Deletion In WinDefender Folder - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic identifies excessive file deletion events in the Windows Defender folder. This technique was observed in the WhisperGate malware campaign, where adversaries exploited Nirsoft's advancedrun.exe to gain administrative privileges and then executed PowerShell commands to delete files within the Windows Defender application folder. Such behavior is a strong indicator that the offending process is attempting to corrupt a Windows Defender installation. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic identifies excessive file deletion events in the Windows Defender folder. This technique was observed in the WhisperGate malware campaign, where adversaries exploited Nirsoft's advancedrun.exe to gain administrative privileges and then executed PowerShell commands to delete files within the Windows Defender application folder. Such behavior is a strong indicator that the offending process is attempting to corrupt a Windows Defender installation. -action.escu.how_to_implement = To successfully implement this search, you must ingest logs that include the process name, TargetFilename, and ProcessID executions from your endpoints. If you are utilizing Sysmon, ensure you have at least version 2.0 of the Sysmon TA installed. -action.escu.known_false_positives = Windows Defender AV updates may trigger this alert. Please adjust the filter macros to mitigate false positives. -action.escu.creation_date = 2024-03-05 -action.escu.modification_date = 2024-03-05 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Excessive File Deletion In WinDefender Folder - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["BlackByte Ransomware", "Data Destruction", "WhisperGate"] -action.risk = 1 -action.risk.param._risk_message = Excessive file deletion events were detected in the Windows Defender folder on $dest$ by $user$. Investigate further to determine if this activity is malicious. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}, {"threat_object_field": "deleted_files", "threat_object_type": "file_name"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Excessive File Deletion In WinDefender Folder - Rule -action.correlationsearch.annotations = {"analytic_story": ["BlackByte Ransomware", "Data Destruction", "WhisperGate"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "b5baa09a-7a05-11ec-8da4-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic identifies excessive file deletion events in the Windows Defender folder. This technique was observed in the WhisperGate malware campaign, where adversaries exploited Nirsoft's advancedrun.exe to gain administrative privileges and then executed PowerShell commands to delete files within the Windows Defender application folder. Such behavior is a strong indicator that the offending process is attempting to corrupt a Windows Defender installation. -action.notable.param.rule_title = Excessive File Deletion In WinDefender Folder -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode IN ("23","26") TargetFilename = "*\\ProgramData\\Microsoft\\Windows Defender\\*" | stats count, values(TargetFilename) as deleted_files, min(_time) as firstTime, max(_time) as lastTime by user, dest, signature, signature_id, Image, process_name, process_guid | rename Image as process | where count >=50 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_file_deletion_in_windefender_folder_filter` - -[ESCU - Excessive number of service control start as disabled - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This detection targets behaviors observed when threat actors have used sc.exe to modify services. We observed malware in a honey pot spawning numerous sc.exe processes in a short period of time, presumably to impair defenses, possibly to block others from compromising the same machine. This detection will alert when we see both an excessive number of sc.exe processes launched with specific commandline arguments to disable the start of certain services. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This detection targets behaviors observed when threat actors have used sc.exe to modify services. We observed malware in a honey pot spawning numerous sc.exe processes in a short period of time, presumably to impair defenses, possibly to block others from compromising the same machine. This detection will alert when we see both an excessive number of sc.exe processes launched with specific commandline arguments to disable the start of certain services. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Legitimate programs and administrators will execute sc.exe with the start disabled flag. It is possible, but unlikely from the telemetry of normal Windows operation we observed, that sc.exe will be called more than seven times in a short period of time. -action.escu.creation_date = 2021-06-25 -action.escu.modification_date = 2021-06-25 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Excessive number of service control start as disabled - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Windows Defense Evasion Tactics"] -action.risk = 1 -action.risk.param._risk_message = An excessive amount of $process_name$ was executed on $dest$ attempting to disable services. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Excessive number of service control start as disabled - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "77592bec-d5cc-11eb-9e60-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` distinct_count(Processes.process) as distinct_cmdlines values(Processes.process_id) as process_ids min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes WHERE Processes.process_name = "sc.exe" AND Processes.process="*start= disabled*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_id, _time span=30m | where distinct_cmdlines >= 8 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_number_of_service_control_start_as_disabled_filter` - -[ESCU - Excessive number of taskhost processes - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This detection targets behaviors observed in post exploit kits like Meterpreter and Koadic that are run in memory. We have observed that these tools must invoke an excessive number of taskhost.exe and taskhostex.exe processes to complete various actions (discovery, lateral movement, etc.). It is extremely uncommon in the course of normal operations to see so many distinct taskhost and taskhostex processes running concurrently in a short time frame. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This detection targets behaviors observed in post exploit kits like Meterpreter and Koadic that are run in memory. We have observed that these tools must invoke an excessive number of taskhost.exe and taskhostex.exe processes to complete various actions (discovery, lateral movement, etc.). It is extremely uncommon in the course of normal operations to see so many distinct taskhost and taskhostex processes running concurrently in a short time frame. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators, administrative actions or certain applications may run many instances of taskhost and taskhostex concurrently. Filter as needed. -action.escu.creation_date = 2024-04-26 -action.escu.modification_date = 2024-04-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Excessive number of taskhost processes - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Meterpreter"] -action.risk = 1 -action.risk.param._risk_message = An excessive amount of taskhost.exe and taskhostex.exe was executed on $dest$ indicative of suspicious behavior. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Excessive number of taskhost processes - Rule -action.correlationsearch.annotations = {"analytic_story": ["Meterpreter"], "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "f443dac2-c7cf-11eb-ab51-acde48001122", "detection_version": "3"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` values(Processes.process_id) as process_ids min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes WHERE Processes.process_name = "taskhost.exe" OR Processes.process_name = "taskhostex.exe" BY Processes.dest Processes.process_name _time span=1h | `drop_dm_object_name(Processes)` | eval pid_count=mvcount(process_ids) | eval taskhost_count_=if(process_name == "taskhost.exe", pid_count, 0) | eval taskhostex_count_=if(process_name == "taskhostex.exe", pid_count, 0) | stats sum(taskhost_count_) as taskhost_count, sum(taskhostex_count_) as taskhostex_count by _time, dest, firstTime, lastTime | where taskhost_count > 10 or taskhostex_count > 10 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_number_of_taskhost_processes_filter` - -[ESCU - Excessive Service Stop Attempt - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic identifies suspicious series of attempt to kill multiple services on a system using either `net.exe` or `sc.exe`. This technique is use by adversaries to terminate security services or other related services to continue there objective and evade detections. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic identifies suspicious series of attempt to kill multiple services on a system using either `net.exe` or `sc.exe`. This technique is use by adversaries to terminate security services or other related services to continue there objective and evade detections. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2021-05-04 -action.escu.modification_date = 2021-05-04 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Excessive Service Stop Attempt - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["BlackByte Ransomware", "Ransomware", "XMRig"] -action.risk = 1 -action.risk.param._risk_message = An excessive amount of $process_name$ was executed on $dest$ attempting to disable services. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Excessive Service Stop Attempt - Rule -action.correlationsearch.annotations = {"analytic_story": ["BlackByte Ransomware", "Ransomware", "XMRig"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "ae8d3f4a-acd7-11eb-8846-acde48001122", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` OR Processes.process_name = "sc.exe" OR Processes.process_name = "net1.exe" AND Processes.process="*stop*" OR Processes.process="*delete*" by Processes.process_name Processes.original_file_name Processes.parent_process_name Processes.dest Processes.user _time span=1m | where count >=5 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_service_stop_attempt_filter` - -[ESCU - Excessive Usage Of Cacls App - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies excessive usage of `cacls.exe`, `xcacls.exe` or `icacls.exe` application to change file or folder permission. This behavior is commonly seen where the adversary attempts to impair some users from deleting or accessing its malware components or artifact from the compromised system. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies excessive usage of `cacls.exe`, `xcacls.exe` or `icacls.exe` application to change file or folder permission. This behavior is commonly seen where the adversary attempts to impair some users from deleting or accessing its malware components or artifact from the compromised system. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators or administrative scripts may use this application. Filter as needed. -action.escu.creation_date = 2021-05-07 -action.escu.modification_date = 2021-05-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Excessive Usage Of Cacls App - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Azorult", "Prestige Ransomware", "Windows Post-Exploitation", "XMRig"] -action.risk = 1 -action.risk.param._risk_message = An excessive amount of $process_name$ was executed on $dest$ attempting to modify permissions. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Excessive Usage Of Cacls App - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azorult", "Prestige Ransomware", "Windows Post-Exploitation", "XMRig"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "0bdf6092-af17-11eb-939a-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id values(Processes.process_name) as process_name count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "cacls.exe" OR Processes.process_name = "icacls.exe" OR Processes.process_name = "XCACLS.exe" by Processes.parent_process_name Processes.parent_process Processes.dest Processes.user _time span=1m | where count >=10 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_usage_of_cacls_app_filter` - -[ESCU - Excessive Usage Of Net App - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic identifies excessive usage of `net.exe` or `net1.exe` within a bucket of time (1 minute). This behavior was seen in a Monero incident where the adversary attempts to create many users, delete and disable users as part of its malicious behavior. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1531"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic identifies excessive usage of `net.exe` or `net1.exe` within a bucket of time (1 minute). This behavior was seen in a Monero incident where the adversary attempts to create many users, delete and disable users as part of its malicious behavior. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = unknown. Filter as needed. Modify the time span as needed. -action.escu.creation_date = 2023-06-13 -action.escu.modification_date = 2023-06-13 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Excessive Usage Of Net App - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Azorult", "Graceful Wipe Out Attack", "Prestige Ransomware", "Ransomware", "Rhysida Ransomware", "Windows Post-Exploitation", "XMRig"] -action.risk = 1 -action.risk.param._risk_message = Excessive usage of net1.exe or net.exe within 1m, with command line $process$ has been detected on $dest$ by $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 28}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 28}, {"threat_object_field": "process_name", "threat_object_type": "process"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Excessive Usage Of Net App - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azorult", "Graceful Wipe Out Attack", "Prestige Ransomware", "Ransomware", "Rhysida Ransomware", "Windows Post-Exploitation", "XMRig"], "cis20": ["CIS 10"], "confidence": 70, "impact": 40, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1531"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "45e52536-ae42-11eb-b5c6-acde48001122", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` by Processes.process_name Processes.parent_process_name Processes.original_file_name Processes.dest Processes.user _time span=1m | where count >=10 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_usage_of_net_app_filter` - -[ESCU - Excessive Usage of NSLOOKUP App - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search is to detect potential DNS exfiltration using nslookup application. This technique are seen in couple of malware and APT group to exfiltrated collected data in a infected machine or infected network. This detection is looking for unique use of nslookup where it tries to use specific record type (TXT, A, AAAA) that are commonly used by attacker and also the retry parameter which is designed to query C2 DNS multiple tries. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search is to detect potential DNS exfiltration using nslookup application. This technique are seen in couple of malware and APT group to exfiltrated collected data in a infected machine or infected network. This detection is looking for unique use of nslookup where it tries to use specific record type (TXT, A, AAAA) that are commonly used by attacker and also the retry parameter which is designed to query C2 DNS multiple tries. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of nslookup.exe may be used. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2022-06-03 -action.escu.modification_date = 2022-06-03 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Excessive Usage of NSLOOKUP App - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["Command And Control", "Data Exfiltration", "Dynamic DNS", "Suspicious DNS Traffic"] -action.risk = 1 -action.risk.param._risk_message = Excessive usage of nslookup.exe has been detected on $dest$. This detection is triggered as as it violates the dynamic threshold -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 28}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Excessive Usage of NSLOOKUP App - Rule -action.correlationsearch.annotations = {"analytic_story": ["Command And Control", "Data Exfiltration", "Dynamic DNS", "Suspicious DNS Traffic"], "cis20": ["CIS 10"], "confidence": 70, "impact": 40, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "0a69fdaa-a2b8-11eb-b16d-acde48001122", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode = 1 process_name = "nslookup.exe" | bucket _time span=1m | stats count as numNsLookup by dest, _time | eventstats avg(numNsLookup) as avgNsLookup, stdev(numNsLookup) as stdNsLookup, count as numSlots by dest | eval upperThreshold=(avgNsLookup + stdNsLookup *3) | eval isOutlier=if(numNsLookup > 20 and numNsLookup >= upperThreshold, 1, 0) | search isOutlier=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_usage_of_nslookup_app_filter` - -[ESCU - Excessive Usage Of SC Service Utility - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search is to detect a suspicious excessive usage of sc.exe in a host machine. This technique was seen in several ransomware , xmrig and other malware to create, modify, delete or disable a service may related to security application or to gain privilege escalation. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1569", "T1569.002"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search is to detect a suspicious excessive usage of sc.exe in a host machine. This technique was seen in several ransomware , xmrig and other malware to create, modify, delete or disable a service may related to security application or to gain privilege escalation. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed taskkill.exe may be used. -action.escu.known_false_positives = excessive execution of sc.exe is quite suspicious since it can modify or execute app in high privilege permission. -action.escu.creation_date = 2021-06-24 -action.escu.modification_date = 2021-06-24 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Excessive Usage Of SC Service Utility - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["Azorult", "Ransomware"] -action.risk = 1 -action.risk.param._risk_message = Excessive Usage Of SC Service Utility -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Excessive Usage Of SC Service Utility - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azorult", "Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1569", "T1569.002"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "cb6b339e-d4c6-11eb-a026-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode = 1 process_name = "sc.exe" | bucket _time span=15m | stats values(process) as process count as numScExe by dest, _time | eventstats avg(numScExe) as avgScExe, stdev(numScExe) as stdScExe, count as numSlots by dest | eval upperThreshold=(avgScExe + stdScExe *3) | eval isOutlier=if(avgScExe > 5 and avgScExe >= upperThreshold, 1, 0) | search isOutlier=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_usage_of_sc_service_utility_filter` - -[ESCU - Excessive Usage Of Taskkill - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies excessive usage of `taskkill.exe`, a command-line utility used to terminate processes. The detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on instances where `taskkill.exe` is executed ten or more times within a one-minute span. This behavior is significant as adversaries often use `taskkill.exe` to disable security tools or other critical processes to evade detection. If confirmed malicious, this activity could allow attackers to bypass security defenses, maintain persistence, and further compromise the system. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies excessive usage of `taskkill.exe`, a command-line utility used to terminate processes. The detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on instances where `taskkill.exe` is executed ten or more times within a one-minute span. This behavior is significant as adversaries often use `taskkill.exe` to disable security tools or other critical processes to evade detection. If confirmed malicious, this activity could allow attackers to bypass security defenses, maintain persistence, and further compromise the system. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Unknown. Filter as needed. -action.escu.creation_date = 2024-05-23 -action.escu.modification_date = 2024-05-23 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Excessive Usage Of Taskkill - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["AgentTesla", "Azorult", "CISA AA22-264A", "CISA AA22-277A", "NjRAT", "XMRig"] -action.risk = 1 -action.risk.param._risk_message = Excessive usage of taskkill.exe with process id $process_id$ (more than 10 within 1m) has been detected on $dest$ with a parent process of $parent_process_name$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 28}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 28}, {"threat_object_field": "parent_process_name", "threat_object_type": "process"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Excessive Usage Of Taskkill - Rule -action.correlationsearch.annotations = {"analytic_story": ["AgentTesla", "Azorult", "CISA AA22-264A", "CISA AA22-277A", "NjRAT", "XMRig"], "cis20": ["CIS 10"], "confidence": 70, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "fe5bca48-accb-11eb-a67c-acde48001122", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "taskkill.exe" by Processes.parent_process_name Processes.process_name Processes.dest Processes.user _time span=1m | where count >=10 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_usage_of_taskkill_filter` - -[ESCU - Exchange PowerShell Abuse via SSRF - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This analytic identifies suspicious behavior related to ProxyShell against on-premise Microsoft Exchange servers. This analytic has been replaced by GUID d436f9e7-0ee7-4a47-864b-6dea2c4e2752 which utilizes the Web Datamodel. \ -Modification of this analytic is requried to ensure fields are mapped accordingly. \ - \ -A suspicious event will have `PowerShell`, the method `POST` and `autodiscover.json`. This is indicative of accessing PowerShell on the back end of Exchange with SSRF. \ - \ -An event will look similar to `POST /autodiscover/autodiscover.json a=dsxvu@fnsso.flq/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3d...` (abbreviated) \ -Review the source attempting to perform this activity against your environment. In addition, review PowerShell logs and access recently granted to Exchange roles. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic identifies suspicious behavior related to ProxyShell against on-premise Microsoft Exchange servers. This analytic has been replaced by GUID d436f9e7-0ee7-4a47-864b-6dea2c4e2752 which utilizes the Web Datamodel. \ -Modification of this analytic is requried to ensure fields are mapped accordingly. \ - \ -A suspicious event will have `PowerShell`, the method `POST` and `autodiscover.json`. This is indicative of accessing PowerShell on the back end of Exchange with SSRF. \ - \ -An event will look similar to `POST /autodiscover/autodiscover.json a=dsxvu@fnsso.flq/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3d...` (abbreviated) \ -Review the source attempting to perform this activity against your environment. In addition, review PowerShell logs and access recently granted to Exchange roles. -action.escu.how_to_implement = The following analytic requires on-premise Exchange to be logging to Splunk using the TA - https://splunkbase.splunk.com/app/3225. Ensure logs are parsed correctly, or tune the analytic for your environment. -action.escu.known_false_positives = Limited false positives, however, tune as needed. -action.escu.creation_date = 2023-07-10 -action.escu.modification_date = 2023-07-10 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Exchange PowerShell Abuse via SSRF - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["BlackByte Ransomware", "ProxyNotShell", "ProxyShell"] -action.risk = 1 -action.risk.param._risk_message = Activity related to ProxyShell has been identified on $dest$. Review events and take action accordingly. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Exchange PowerShell Abuse via SSRF - Rule -action.correlationsearch.annotations = {"analytic_story": ["BlackByte Ransomware", "ProxyNotShell", "ProxyShell"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "29228ab4-0762-11ec-94aa-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic identifies suspicious behavior related to ProxyShell against on-premise Microsoft Exchange servers. This analytic has been replaced by GUID d436f9e7-0ee7-4a47-864b-6dea2c4e2752 which utilizes the Web Datamodel. \ -Modification of this analytic is requried to ensure fields are mapped accordingly. \ - \ -A suspicious event will have `PowerShell`, the method `POST` and `autodiscover.json`. This is indicative of accessing PowerShell on the back end of Exchange with SSRF. \ - \ -An event will look similar to `POST /autodiscover/autodiscover.json a=dsxvu@fnsso.flq/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3d...` (abbreviated) \ -Review the source attempting to perform this activity against your environment. In addition, review PowerShell logs and access recently granted to Exchange roles. -action.notable.param.rule_title = Exchange PowerShell Abuse via SSRF -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `exchange` c_uri="*//autodiscover*" cs_uri_query="*PowerShell*" cs_method="POST" | stats count min(_time) as firstTime max(_time) as lastTime by dest, cs_uri_query, cs_method, c_uri | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `exchange_powershell_abuse_via_ssrf_filter` - -[ESCU - Exchange PowerShell Module Usage - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the usage of Exchange PowerShell modules that were recently used for a proof of concept related to ProxyShell. Adversaries may abuse a limited set of PwSh Modules related to Exchange once gained access via ProxyShell or ProxyNotShell. \ -Inherently, the usage of the modules is not malicious, but reviewing parallel processes, and user, of the session will assist with determining the intent. \ -Module - New-MailboxExportRequest will begin the process of exporting contents of a primary mailbox or archive to a .pst file. \ -Module - New-managementroleassignment can assign a management role to a management role group, management role assignment policy, user, or universal security group (USG). \ -Module - New-MailboxSearch cmdlet to create a mailbox search and either get an estimate of search results, place search results on In-Place Hold or copy them to a Discovery mailbox. You can also place all contents in a mailbox on hold by not specifying a search query, which accomplishes similar results as Litigation Hold. \ Module - Get-Recipient cmdlet to view existing recipient objects in your organization. This cmdlet returns all mail-enabled objects (for example, mailboxes, mail users, mail contacts, and distribution groups). -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies the usage of Exchange PowerShell modules that were recently used for a proof of concept related to ProxyShell. Adversaries may abuse a limited set of PwSh Modules related to Exchange once gained access via ProxyShell or ProxyNotShell. \ -Inherently, the usage of the modules is not malicious, but reviewing parallel processes, and user, of the session will assist with determining the intent. \ -Module - New-MailboxExportRequest will begin the process of exporting contents of a primary mailbox or archive to a .pst file. \ -Module - New-managementroleassignment can assign a management role to a management role group, management role assignment policy, user, or universal security group (USG). \ -Module - New-MailboxSearch cmdlet to create a mailbox search and either get an estimate of search results, place search results on In-Place Hold or copy them to a Discovery mailbox. You can also place all contents in a mailbox on hold by not specifying a search query, which accomplishes similar results as Litigation Hold. \ Module - Get-Recipient cmdlet to view existing recipient objects in your organization. This cmdlet returns all mail-enabled objects (for example, mailboxes, mail users, mail contacts, and distribution groups). -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = Administrators or power users may use this PowerShell commandlet for troubleshooting. -action.escu.creation_date = 2023-07-10 -action.escu.modification_date = 2023-07-10 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Exchange PowerShell Module Usage - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["BlackByte Ransomware", "CISA AA22-264A", "CISA AA22-277A", "ProxyNotShell", "ProxyShell"] -action.risk = 1 -action.risk.param._risk_message = Suspicious Exchange PowerShell module usaged was identified on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 32}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Exchange PowerShell Module Usage - Rule -action.correlationsearch.annotations = {"analytic_story": ["BlackByte Ransomware", "CISA AA22-264A", "CISA AA22-277A", "ProxyNotShell", "ProxyShell"], "cis20": ["CIS 10"], "confidence": 80, "impact": 40, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "2d10095e-05ae-11ec-8fdf-acde48001122", "detection_version": "5"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the usage of Exchange PowerShell modules that were recently used for a proof of concept related to ProxyShell. Adversaries may abuse a limited set of PwSh Modules related to Exchange once gained access via ProxyShell or ProxyNotShell. \ -Inherently, the usage of the modules is not malicious, but reviewing parallel processes, and user, of the session will assist with determining the intent. \ -Module - New-MailboxExportRequest will begin the process of exporting contents of a primary mailbox or archive to a .pst file. \ -Module - New-managementroleassignment can assign a management role to a management role group, management role assignment policy, user, or universal security group (USG). \ -Module - New-MailboxSearch cmdlet to create a mailbox search and either get an estimate of search results, place search results on In-Place Hold or copy them to a Discovery mailbox. You can also place all contents in a mailbox on hold by not specifying a search query, which accomplishes similar results as Litigation Hold. \ Module - Get-Recipient cmdlet to view existing recipient objects in your organization. This cmdlet returns all mail-enabled objects (for example, mailboxes, mail users, mail contacts, and distribution groups). -action.notable.param.rule_title = Exchange PowerShell Module Usage -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText IN ("*New-MailboxExportRequest*", "*New-ManagementRoleAssignment*", "*New-MailboxSearch*", "*Get-Recipient*", "Search-Mailbox") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest |rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `exchange_powershell_module_usage_filter` - -[ESCU - Executable File Written in Administrative SMB Share - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies executable files (.exe or .dll) being written to Windows administrative SMB shares (Admin$, IPC$, C$). This represents suspicious behavior as its commonly used by tools like PsExec/PaExec and others to stage service binaries before creating and starting a Windows service on remote endpoints. Red Teams and adversaries alike may abuse administrative shares for lateral movement and remote code execution. The Trickbot malware family also implements this behavior to try to infect other machines in the infected network. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.002"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies executable files (.exe or .dll) being written to Windows administrative SMB shares (Admin$, IPC$, C$). This represents suspicious behavior as its commonly used by tools like PsExec/PaExec and others to stage service binaries before creating and starting a Windows service on remote endpoints. Red Teams and adversaries alike may abuse administrative shares for lateral movement and remote code execution. The Trickbot malware family also implements this behavior to try to infect other machines in the infected network. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Windows Security Event Logs with 5145 EventCode enabled. The Windows TA is also required. Also enable the object Audit access success/failure in your group policy. -action.escu.known_false_positives = System Administrators may use looks like PsExec for troubleshooting or administrations tasks. However, this will typically come only from certain users and certain systems that can be added to an allow list. -action.escu.creation_date = 2024-02-14 -action.escu.modification_date = 2024-02-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Executable File Written in Administrative SMB Share - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Lateral Movement", "Data Destruction", "Graceful Wipe Out Attack", "Hermetic Wiper", "IcedID", "Industroyer2", "Prestige Ransomware", "Trickbot"] -action.risk = 1 -action.risk.param._risk_message = $src_user$ dropped or created an executable file in known sensitive SMB share. Share name=$ShareName$, Target name=$RelativeTargetName$, and Access mask=$AccessMask$ -action.risk.param._risk = [{"risk_object_field": "src_user", "risk_object_type": "user", "risk_score": 70}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Executable File Written in Administrative SMB Share - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "Data Destruction", "Graceful Wipe Out Attack", "Hermetic Wiper", "IcedID", "Industroyer2", "Prestige Ransomware", "Trickbot"], "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.002"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "f63c34fe-a435-11eb-935a-acde48001122", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies executable files (.exe or .dll) being written to Windows administrative SMB shares (Admin$, IPC$, C$). This represents suspicious behavior as its commonly used by tools like PsExec/PaExec and others to stage service binaries before creating and starting a Windows service on remote endpoints. Red Teams and adversaries alike may abuse administrative shares for lateral movement and remote code execution. The Trickbot malware family also implements this behavior to try to infect other machines in the infected network. -action.notable.param.rule_title = Executable File Written in Administrative SMB Share -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=5145 RelativeTargetName IN ("*.exe","*.dll") ObjectType=File ShareName IN ("\\\\*\\C$","\\\\*\\IPC$","\\\\*\\admin$") AccessMask= "0x2" | stats min(_time) as firstTime max(_time) as lastTime count by EventCode ShareName RelativeTargetName ObjectType AccessMask src_user src_port IpAddress | `security_content_ctime(firstTime)` | `executable_file_written_in_administrative_smb_share_filter` - -[ESCU - Executables Or Script Creation In Suspicious Path - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic identifies potentially malicious executables or scripts by examining a list of suspicious file paths on Windows Operating System. The purpose of this technique is to uncover files with known file extensions that could be used by adversaries to evade detection and persistence. The suspicious file paths selected for investigation are typically uncommon and uncommonly associated with executable or script files. By scrutinizing these paths, we can proactively identify potential security threats and enhance overall system security. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic identifies potentially malicious executables or scripts by examining a list of suspicious file paths on Windows Operating System. The purpose of this technique is to uncover files with known file extensions that could be used by adversaries to evade detection and persistence. The suspicious file paths selected for investigation are typically uncommon and uncommonly associated with executable or script files. By scrutinizing these paths, we can proactively identify potential security threats and enhance overall system security. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. -action.escu.known_false_positives = Administrators may allow creation of script or exe in the paths specified. Filter as needed. -action.escu.creation_date = 2023-12-27 -action.escu.modification_date = 2023-12-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Executables Or Script Creation In Suspicious Path - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["AgentTesla", "Amadey", "AsyncRAT", "Azorult", "BlackByte Ransomware", "Brute Ratel C4", "CISA AA23-347A", "Chaos Ransomware", "DarkCrystal RAT", "DarkGate Malware", "Data Destruction", "Double Zero Destructor", "Graceful Wipe Out Attack", "Hermetic Wiper", "IcedID", "Industroyer2", "LockBit Ransomware", "NjRAT", "PlugX", "Qakbot", "RedLine Stealer", "Remcos", "Rhysida Ransomware", "Snake Keylogger", "Swift Slicer", "Trickbot", "Volt Typhoon", "Warzone RAT", "WhisperGate", "XMRig"] -action.risk = 1 -action.risk.param._risk_message = Suspicious executable or scripts with file name $file_name$, $file_path$ and process_id $process_id$ executed in suspicious file path in Windows by $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 20}, {"threat_object_field": "file_name", "threat_object_type": "file_name"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Executables Or Script Creation In Suspicious Path - Rule -action.correlationsearch.annotations = {"analytic_story": ["AgentTesla", "Amadey", "AsyncRAT", "Azorult", "BlackByte Ransomware", "Brute Ratel C4", "CISA AA23-347A", "Chaos Ransomware", "DarkCrystal RAT", "DarkGate Malware", "Data Destruction", "Double Zero Destructor", "Graceful Wipe Out Attack", "Hermetic Wiper", "IcedID", "Industroyer2", "LockBit Ransomware", "NjRAT", "PlugX", "Qakbot", "RedLine Stealer", "Remcos", "Rhysida Ransomware", "Snake Keylogger", "Swift Slicer", "Trickbot", "Volt Typhoon", "Warzone RAT", "WhisperGate", "XMRig"], "cis20": ["CIS 10"], "confidence": 50, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a7e3f0f0-ae42-11eb-b245-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = |tstats `security_content_summariesonly` values(Filesystem.file_path) as file_path count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_name = *.exe OR Filesystem.file_name = *.dll OR Filesystem.file_name = *.sys OR Filesystem.file_name = *.com OR Filesystem.file_name = *.vbs OR Filesystem.file_name = *.vbe OR Filesystem.file_name = *.js OR Filesystem.file_name = *.ps1 OR Filesystem.file_name = *.bat OR Filesystem.file_name = *.cmd OR Filesystem.file_name = *.pif) AND ( Filesystem.file_path = *\\windows\\fonts\\* OR Filesystem.file_path = *\\windows\\temp\\* OR Filesystem.file_path = *\\users\\public\\* OR Filesystem.file_path = *\\windows\\debug\\* OR Filesystem.file_path = *\\Users\\Administrator\\Music\\* OR Filesystem.file_path = *\\Windows\\servicing\\* OR Filesystem.file_path = *\\Users\\Default\\* OR Filesystem.file_path = *Recycle.bin* OR Filesystem.file_path = *\\Windows\\Media\\* OR Filesystem.file_path = *\\Windows\\repair\\* OR Filesystem.file_path = *\\AppData\\Local\\Temp* OR Filesystem.file_path = *\\PerfLogs\\*) by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.user | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `executables_or_script_creation_in_suspicious_path_filter` - -[ESCU - Execute Javascript With Jscript COM CLSID - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic will identify suspicious process of cscript.exe where it tries to execute javascript using jscript.encode CLSID (COM OBJ). This technique was seen in ransomware (reddot ransomware) where it execute javascript with this com object with combination of amsi disabling technique. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.005"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic will identify suspicious process of cscript.exe where it tries to execute javascript using jscript.encode CLSID (COM OBJ). This technique was seen in ransomware (reddot ransomware) where it execute javascript with this com object with combination of amsi disabling technique. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2021-06-22 -action.escu.modification_date = 2021-06-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Execute Javascript With Jscript COM CLSID - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Ransomware"] -action.risk = 1 -action.risk.param._risk_message = Suspicious process of cscript.exe with a parent process $parent_process_name$ where it tries to execute javascript using jscript.encode CLSID (COM OBJ), detected on $dest$ by $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 56}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"threat_object_field": "parent_process_name", "threat_object_type": "process"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Execute Javascript With Jscript COM CLSID - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ransomware"], "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.005"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "dc64d064-d346-11eb-8588-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic will identify suspicious process of cscript.exe where it tries to execute javascript using jscript.encode CLSID (COM OBJ). This technique was seen in ransomware (reddot ransomware) where it execute javascript with this com object with combination of amsi disabling technique. -action.notable.param.rule_title = Execute Javascript With Jscript COM CLSID -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "cscript.exe" Processes.process="*-e:{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}*" by Processes.parent_process_name Processes.process_name Processes.process Processes.parent_process Processes.process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `execute_javascript_with_jscript_com_clsid_filter` - -[ESCU - Execution of File with Multiple Extensions - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search looks for processes launched from files that have double extensions in the file name. This is typically done to obscure the "real" file extension and make it appear as though the file being accessed is a data file, as opposed to executable content. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036", "T1036.003"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search looks for processes launched from files that have double extensions in the file name. This is typically done to obscure the "real" file extension and make it appear as though the file being accessed is a data file, as opposed to executable content. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = None identified. -action.escu.creation_date = 2020-11-18 -action.escu.modification_date = 2020-11-18 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Execution of File with Multiple Extensions - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["AsyncRAT", "DarkGate Malware", "Masquerading - Rename System Utilities", "Windows File Extension and Association Abuse"] -action.risk = 1 -action.risk.param._risk_message = process $process$ have double extensions in the file name is executed on $dest$ by $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 56}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"threat_object_field": "process_name", "threat_object_type": "process"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Execution of File with Multiple Extensions - Rule -action.correlationsearch.annotations = {"analytic_story": ["AsyncRAT", "DarkGate Malware", "Masquerading - Rename System Utilities", "Windows File Extension and Association Abuse"], "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036", "T1036.003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "b06a555e-dce0-417d-a2eb-28a5d8d66ef7", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search looks for processes launched from files that have double extensions in the file name. This is typically done to obscure the "real" file extension and make it appear as though the file being accessed is a data file, as opposed to executable content. -action.notable.param.rule_title = Execution of File with Multiple Extensions -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN ("*.doc.exe", "*.xls.exe","*.ppt.exe", "*.htm.exe", "*.html.exe", "*.txt.exe", "*.pdf.exe", "*.docx.exe", "*.xlsx.exe", "*.pptx.exe","*.one.exe", "*.bat.exe", "*rtf.exe") by Processes.dest Processes.user Processes.process Processes.process_name Processes.parent_process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `execution_of_file_with_multiple_extensions_filter` - -[ESCU - Extraction of Registry Hives - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the use of `reg.exe` exporting Windows Registry hives containing credentials. Adversaries may use this technique to export registry hives for offline credential access attacks. Typically found executed from a untrusted process or script. Upon execution, a file will be written to disk. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the use of `reg.exe` exporting Windows Registry hives containing credentials. Adversaries may use this technique to export registry hives for offline credential access attacks. Typically found executed from a untrusted process or script. Upon execution, a file will be written to disk. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = It is possible some agent based products will generate false positives. Filter as needed. -action.escu.creation_date = 2023-12-27 -action.escu.modification_date = 2023-12-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Extraction of Registry Hives - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["CISA AA22-257A", "CISA AA23-347A", "Credential Dumping", "DarkSide Ransomware", "Volt Typhoon"] -action.risk = 1 -action.risk.param._risk_message = Suspicious use of `reg.exe` exporting Windows Registry hives containing credentials executed on $dest$ by user $user$, with a parent process of $parent_process_id$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 56}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"threat_object_field": "parent_process_name", "threat_object_type": "process"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Extraction of Registry Hives - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA22-257A", "CISA AA23-347A", "Credential Dumping", "DarkSide Ransomware", "Volt Typhoon"], "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "8bbb7d58-b360-11eb-ba21-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the use of `reg.exe` exporting Windows Registry hives containing credentials. Adversaries may use this technique to export registry hives for offline credential access attacks. Typically found executed from a untrusted process or script. Upon execution, a file will be written to disk. -action.notable.param.rule_title = Extraction of Registry Hives -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` (Processes.process=*save* OR Processes.process=*export*) AND (Processes.process="*\sam *" OR Processes.process="*\system *" OR Processes.process="*\security *") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `extraction_of_registry_hives_filter` - -[ESCU - File with Samsam Extension - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects file writes with extensions that are consistent with a SamSam ransomware attack to proactively detect and respond to potential SamSam ransomware attacks, minimizing the impact and reducing the likelihood of successful ransomware infections. This detection is made by a Splunk query to search for specific file extensions that are commonly associated with SamSam ransomware, such as .stubbin, .berkshire, .satoshi, .sophos, and .keyxml. This identifies file extensions in the file names of the written files. If any file write events with these extensions are found, it suggests a potential SamSam ransomware attack. This detection is important because SamSam ransomware is a highly destructive and financially motivated attack and suggests that the organization is at risk of having its files encrypted and held for ransom, which can lead to significant financial losses, operational disruptions, and reputational damage. False positives might occur since legitimate files with these extensions can exist in the environment. Therefore, next steps include conducting a careful analysis and triage to confirm the presence of a SamSam ransomware attack. Next steps include taking immediate action to contain the attack, mitigate the impact, and prevent further spread of the ransomware. This might involve isolating affected systems, restoring encrypted files from backups, and conducting a thorough investigation to identify the attack source and prevent future incidents. -action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects file writes with extensions that are consistent with a SamSam ransomware attack to proactively detect and respond to potential SamSam ransomware attacks, minimizing the impact and reducing the likelihood of successful ransomware infections. This detection is made by a Splunk query to search for specific file extensions that are commonly associated with SamSam ransomware, such as .stubbin, .berkshire, .satoshi, .sophos, and .keyxml. This identifies file extensions in the file names of the written files. If any file write events with these extensions are found, it suggests a potential SamSam ransomware attack. This detection is important because SamSam ransomware is a highly destructive and financially motivated attack and suggests that the organization is at risk of having its files encrypted and held for ransom, which can lead to significant financial losses, operational disruptions, and reputational damage. False positives might occur since legitimate files with these extensions can exist in the environment. Therefore, next steps include conducting a careful analysis and triage to confirm the presence of a SamSam ransomware attack. Next steps include taking immediate action to contain the attack, mitigate the impact, and prevent further spread of the ransomware. This might involve isolating affected systems, restoring encrypted files from backups, and conducting a thorough investigation to identify the attack source and prevent future incidents. -action.escu.how_to_implement = You must be ingesting data that records file-system activity from your hosts to populate the Endpoint file-system data-model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data. -action.escu.known_false_positives = Because these extensions are not typically used in normal operations, you should investigate all results. -action.escu.creation_date = 2018-12-14 -action.escu.modification_date = 2018-12-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - File with Samsam Extension - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["SamSam Ransomware"] -action.risk = 1 -action.risk.param._risk_message = File writes $file_name$ with extensions consistent with a SamSam ransomware attack seen on $dest$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 90}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 90}, {"threat_object_field": "file_name", "threat_object_type": "file_name"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - File with Samsam Extension - Rule -action.correlationsearch.annotations = {"analytic_story": ["SamSam Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "02c6cfc2-ae66-4735-bfc7-6291da834cbf", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects file writes with extensions that are consistent with a SamSam ransomware attack to proactively detect and respond to potential SamSam ransomware attacks, minimizing the impact and reducing the likelihood of successful ransomware infections. This detection is made by a Splunk query to search for specific file extensions that are commonly associated with SamSam ransomware, such as .stubbin, .berkshire, .satoshi, .sophos, and .keyxml. This identifies file extensions in the file names of the written files. If any file write events with these extensions are found, it suggests a potential SamSam ransomware attack. This detection is important because SamSam ransomware is a highly destructive and financially motivated attack and suggests that the organization is at risk of having its files encrypted and held for ransom, which can lead to significant financial losses, operational disruptions, and reputational damage. False positives might occur since legitimate files with these extensions can exist in the environment. Therefore, next steps include conducting a careful analysis and triage to confirm the presence of a SamSam ransomware attack. Next steps include taking immediate action to contain the attack, mitigate the impact, and prevent further spread of the ransomware. This might involve isolating affected systems, restoring encrypted files from backups, and conducting a thorough investigation to identify the attack source and prevent future incidents. -action.notable.param.rule_title = File with Samsam Extension -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)`| rex field=file_name "(?\.[^\.]+)$" | search file_extension=.stubbin OR file_extension=.berkshire OR file_extension=.satoshi OR file_extension=.sophos OR file_extension=.keyxml | `file_with_samsam_extension_filter` - -[ESCU - Firewall Allowed Program Enable - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects a potential suspicious modification of firewall rule allowing to execute specific application. This technique was identified when an adversary and red teams to bypassed firewall file execution restriction in a targetted host. Take note that this event or command can run by administrator during testing or allowing legitimate tool or application. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.004", "T1562"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects a potential suspicious modification of firewall rule allowing to execute specific application. This technique was identified when an adversary and red teams to bypassed firewall file execution restriction in a targetted host. Take note that this event or command can run by administrator during testing or allowing legitimate tool or application. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = A network operator or systems administrator may utilize an automated or manual execution of this firewall rule that may generate false positives. Filter as needed. -action.escu.creation_date = 2021-11-12 -action.escu.modification_date = 2021-11-12 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Firewall Allowed Program Enable - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Azorult", "BlackByte Ransomware", "NjRAT", "PlugX", "Windows Defense Evasion Tactics"] -action.risk = 1 -action.risk.param._risk_message = firewall allowed program commandline $process$ of $process_name$ on $dest$ by $user$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Firewall Allowed Program Enable - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azorult", "BlackByte Ransomware", "NjRAT", "PlugX", "Windows Defense Evasion Tactics"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.004", "T1562"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "9a8f63a8-43ac-11ec-904c-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = "*firewall*" Processes.process = "*allow*" Processes.process = "*add*" Processes.process = "*ENABLE*" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `firewall_allowed_program_enable_filter` - -[ESCU - First Time Seen Child Process of Zoom - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies the first-time execution of child processes spawned by Zoom (zoom.exe or zoom.us). It leverages Endpoint Detection and Response (EDR) data, specifically monitoring process creation events and comparing them against previously seen child processes. This activity is significant because the execution of unfamiliar child processes by Zoom could indicate malicious exploitation or misuse of the application. If confirmed malicious, this could lead to unauthorized code execution, data exfiltration, or further compromise of the endpoint. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the first-time execution of child processes spawned by Zoom (zoom.exe or zoom.us). It leverages Endpoint Detection and Response (EDR) data, specifically monitoring process creation events and comparing them against previously seen child processes. This activity is significant because the execution of unfamiliar child processes by Zoom could indicate malicious exploitation or misuse of the application. If confirmed malicious, this could lead to unauthorized code execution, data exfiltration, or further compromise of the endpoint. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = A new child process of zoom isn't malicious by that fact alone. Further investigation of the actions of the child process is needed to verify any malicious behavior is taken. -action.escu.creation_date = 2024-05-20 -action.escu.modification_date = 2024-05-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - First Time Seen Child Process of Zoom - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Suspicious Zoom Child Processes"] -action.risk = 1 -action.risk.param._risk_message = Child process $process_name$ with $process_id$ spawned by zoom.exe or zoom.us which has not been previously on host $dest$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}, {"threat_object_field": "process_name", "threat_object_type": "process"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - First Time Seen Child Process of Zoom - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious Zoom Child Processes"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e91bd102-d630-4e76-ab73-7e3ba22c5961", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` min(_time) as firstTime values(Processes.parent_process_name) as parent_process_name values(Processes.parent_process_id) as parent_process_id values(Processes.process_name) as process_name values(Processes.process) as process from datamodel=Endpoint.Processes where (Processes.parent_process_name=zoom.exe OR Processes.parent_process_name=zoom.us) by Processes.process_id Processes.dest | `drop_dm_object_name(Processes)` | lookup zoom_first_time_child_process dest as dest process_name as process_name OUTPUT firstTimeSeen | where isnull(firstTimeSeen) OR firstTimeSeen > relative_time(now(), "`previously_seen_zoom_child_processes_window`") | `security_content_ctime(firstTime)` | table firstTime dest, process_id, process_name, parent_process_id, parent_process_name |`first_time_seen_child_process_of_zoom_filter` - -[ESCU - First Time Seen Running Windows Service - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic detects the first occurrence of a Windows service running in your environment. It leverages Windows system event logs, specifically EventCode 7036, to identify services entering the "running" state. This activity is significant because the appearance of a new or previously unseen service could indicate the installation of unauthorized or malicious software. If confirmed malicious, this activity could allow an attacker to execute arbitrary code, maintain persistence, or escalate privileges within the environment. Monitoring for new services helps in early detection of potential threats. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1569", "T1569.002"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects the first occurrence of a Windows service running in your environment. It leverages Windows system event logs, specifically EventCode 7036, to identify services entering the "running" state. This activity is significant because the appearance of a new or previously unseen service could indicate the installation of unauthorized or malicious software. If confirmed malicious, this activity could allow an attacker to execute arbitrary code, maintain persistence, or escalate privileges within the environment. Monitoring for new services helps in early detection of potential threats. -action.escu.how_to_implement = While this search does not require you to adhere to Splunk CIM, you must be ingesting your Windows system event logs in order for this search to execute successfully. You should run the baseline search `Previously Seen Running Windows Services - Initial` to build the initial table of child processes and hostnames for this search to work. You should also schedule at the same interval as this search the second baseline search `Previously Seen Running Windows Services - Update` to keep this table up to date and to age out old Windows Services. Please update the `previously_seen_windows_services_window` macro to adjust the time window. Please ensure that the Splunk Add-on for Microsoft Windows is version 8.0.0 or above. -action.escu.known_false_positives = A previously unseen service is not necessarily malicious. Verify that the service is legitimate and that was installed by a legitimate process. -action.escu.creation_date = 2024-05-21 -action.escu.modification_date = 2024-05-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - First Time Seen Running Windows Service - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["NOBELIUM Group", "Orangeworm Attack Group", "Windows Service Abuse"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - First Time Seen Running Windows Service - Rule -action.correlationsearch.annotations = {"analytic_story": ["NOBELIUM Group", "Orangeworm Attack Group", "Windows Service Abuse"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1569", "T1569.002"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "823136f2-d755-4b6d-ae04-372b486a5808", "detection_version": "5"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_system` EventCode=7036 | rex field=Message "The (?[-\(\)\s\w]+) service entered the (?\w+) state" | where state="running" | lookup previously_seen_running_windows_services service as service OUTPUT firstTimeSeen | where isnull(firstTimeSeen) OR firstTimeSeen > relative_time(now(), `previously_seen_windows_services_window`) | table _time dest service | `first_time_seen_running_windows_service_filter` - -[ESCU - FodHelper UAC Bypass - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = Fodhelper.exe has a known UAC bypass as it attempts to look for specific registry keys upon execution, that do not exist. Therefore, an attacker can write its malicious commands in these registry keys to be executed by fodhelper.exe with the highest privilege. \ -* `HKCU:\Software\Classes\ms-settings\shell\open\command` \ -* `HKCU:\Software\Classes\ms-settings\shell\open\command\DelegateExecute` \ -* `HKCU:\Software\Classes\ms-settings\shell\open\command\(default)` \ -Upon triage, fodhelper.exe will have a child process and read access will occur on the registry keys. Isolate the endpoint and review parallel processes for additional behavior. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112", "T1548.002", "T1548"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = Fodhelper.exe has a known UAC bypass as it attempts to look for specific registry keys upon execution, that do not exist. Therefore, an attacker can write its malicious commands in these registry keys to be executed by fodhelper.exe with the highest privilege. \ -* `HKCU:\Software\Classes\ms-settings\shell\open\command` \ -* `HKCU:\Software\Classes\ms-settings\shell\open\command\DelegateExecute` \ -* `HKCU:\Software\Classes\ms-settings\shell\open\command\(default)` \ -Upon triage, fodhelper.exe will have a child process and read access will occur on the registry keys. Isolate the endpoint and review parallel processes for additional behavior. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Limited to no false positives are expected. -action.escu.creation_date = 2023-11-07 -action.escu.modification_date = 2023-11-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - FodHelper UAC Bypass - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["IcedID", "Windows Defense Evasion Tactics"] -action.risk = 1 -action.risk.param._risk_message = Suspicious registy keys added by process fodhelper.exe with a parent_process of $parent_process_name$ that has been executed on $dest$ by $user$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 81}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 81}, {"threat_object_field": "parent_process_name", "threat_object_type": "process"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - FodHelper UAC Bypass - Rule -action.correlationsearch.annotations = {"analytic_story": ["IcedID", "Windows Defense Evasion Tactics"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112", "T1548.002", "T1548"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "909f8fd8-7ac8-11eb-a1f3-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = Fodhelper.exe has a known UAC bypass as it attempts to look for specific registry keys upon execution, that do not exist. Therefore, an attacker can write its malicious commands in these registry keys to be executed by fodhelper.exe with the highest privilege. \ -* `HKCU:\Software\Classes\ms-settings\shell\open\command` \ -* `HKCU:\Software\Classes\ms-settings\shell\open\command\DelegateExecute` \ -* `HKCU:\Software\Classes\ms-settings\shell\open\command\(default)` \ -Upon triage, fodhelper.exe will have a child process and read access will occur on the registry keys. Isolate the endpoint and review parallel processes for additional behavior. -action.notable.param.rule_title = FodHelper UAC Bypass -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=fodhelper.exe by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `fodhelper_uac_bypass_filter` - -[ESCU - Fsutil Zeroing File - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search is to detect a suspicious fsutil process to zeroing a target file. This technique was seen in lockbit ransomware where it tries to zero out its malware path as part of its defense evasion after encrypting the compromised host. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search is to detect a suspicious fsutil process to zeroing a target file. This technique was seen in lockbit ransomware where it tries to zero out its malware path as part of its defense evasion after encrypting the compromised host. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2021-08-11 -action.escu.modification_date = 2021-08-11 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Fsutil Zeroing File - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["LockBit Ransomware", "Ransomware"] -action.risk = 1 -action.risk.param._risk_message = Possible file data deletion on $dest$ using $process$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 54}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Fsutil Zeroing File - Rule -action.correlationsearch.annotations = {"analytic_story": ["LockBit Ransomware", "Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "4e5e024e-fabb-11eb-8b8f-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search is to detect a suspicious fsutil process to zeroing a target file. This technique was seen in lockbit ransomware where it tries to zero out its malware path as part of its defense evasion after encrypting the compromised host. -action.notable.param.rule_title = Fsutil Zeroing File -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=fsutil.exe Processes.process="*setzerodata*" by Processes.user Processes.process_name Processes.parent_process_name Processes.dest Processes.process Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `fsutil_zeroing_file_filter` - -[ESCU - Get ADDefaultDomainPasswordPolicy with Powershell - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic looks for the execution of `powershell.exe` executing the Get-ADDefaultDomainPasswordPolicy commandlet used to obtain the password policy in a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for the execution of `powershell.exe` executing the Get-ADDefaultDomainPasswordPolicy commandlet used to obtain the password policy in a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. -action.escu.creation_date = 2021-08-26 -action.escu.modification_date = 2021-08-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Get ADDefaultDomainPasswordPolicy with Powershell - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Discovery"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Get ADDefaultDomainPasswordPolicy with Powershell - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "36e46ebe-065a-11ec-b4c7-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="cmd.exe" OR Processes.process_name="powershell*") AND Processes.process = "*Get-ADDefaultDomainPasswordPolicy*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_addefaultdomainpasswordpolicy_with_powershell_filter` - -[ESCU - Get ADDefaultDomainPasswordPolicy with Powershell Script Block - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-ADDefaultDomainPasswordPolicy` commandlet used to obtain the password policy in a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-ADDefaultDomainPasswordPolicy` commandlet used to obtain the password policy in a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery. -action.escu.how_to_implement = The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. -action.escu.creation_date = 2022-03-22 -action.escu.modification_date = 2022-03-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Get ADDefaultDomainPasswordPolicy with Powershell Script Block - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Discovery"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Get ADDefaultDomainPasswordPolicy with Powershell Script Block - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "1ff7ccc8-065a-11ec-91e4-acde48001122", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText ="*Get-ADDefaultDomainPasswordPolicy*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_addefaultdomainpasswordpolicy_with_powershell_script_block_filter` - -[ESCU - Get ADUser with PowerShell - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to enumerate domain users. The `Get-AdUser' commandlet returns a list of all domain users. Red Teams and adversaries alike may use this commandlet to identify remote systems for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to enumerate domain users. The `Get-AdUser' commandlet returns a list of all domain users. Red Teams and adversaries alike may use this commandlet to identify remote systems for situational awareness and Active Directory Discovery. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. -action.escu.creation_date = 2023-12-27 -action.escu.modification_date = 2023-12-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Get ADUser with PowerShell - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Discovery", "CISA AA23-347A"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Get ADUser with PowerShell - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "0b6ee3f4-04e3-11ec-a87d-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="cmd.exe" OR Processes.process_name="powershell*") AND Processes.process = "*Get-ADUser*" AND Processes.process = "*-filter*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_aduser_with_powershell_filter` - -[ESCU - Get ADUser with PowerShell Script Block - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-AdGUser` commandlet. The `Get-AdUser` commandlet is used to return a list of all domain users. Red Teams and adversaries may leverage this commandlet to enumerate domain groups for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-AdGUser` commandlet. The `Get-AdUser` commandlet is used to return a list of all domain users. Red Teams and adversaries may leverage this commandlet to enumerate domain groups for situational awareness and Active Directory Discovery. -action.escu.how_to_implement = The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. -action.escu.creation_date = 2023-12-27 -action.escu.modification_date = 2023-12-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Get ADUser with PowerShell Script Block - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Discovery", "CISA AA23-347A"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Get ADUser with PowerShell Script Block - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "21432e40-04f4-11ec-b7e6-acde48001122", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText = "*get-aduser*" ScriptBlockText = "*-filter*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_aduser_with_powershell_script_block_filter` - -[ESCU - Get ADUserResultantPasswordPolicy with Powershell - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic looks for the execution of `powershell.exe` executing the Get ADUserResultantPasswordPolicy commandlet used to obtain the password policy in a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for the execution of `powershell.exe` executing the Get ADUserResultantPasswordPolicy commandlet used to obtain the password policy in a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. -action.escu.creation_date = 2023-12-27 -action.escu.modification_date = 2023-12-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Get ADUserResultantPasswordPolicy with Powershell - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Discovery", "CISA AA23-347A"] -action.risk = 1 -action.risk.param._risk_message = an instance of process $process_name$ with commandline $process$ in $dest$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Get ADUserResultantPasswordPolicy with Powershell - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "8b5ef342-065a-11ec-b0fc-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic looks for the execution of `powershell.exe` executing the Get ADUserResultantPasswordPolicy commandlet used to obtain the password policy in a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery. -action.notable.param.rule_title = Get ADUserResultantPasswordPolicy with Powershell -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="cmd.exe" OR Processes.process_name="powershell*") AND Processes.process = "*Get-ADUserResultantPasswordPolicy*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_aduserresultantpasswordpolicy_with_powershell_filter` - -[ESCU - Get ADUserResultantPasswordPolicy with Powershell Script Block - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-ADUserResultantPasswordPolicy` commandlet used to obtain the password policy in a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-ADUserResultantPasswordPolicy` commandlet used to obtain the password policy in a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery. -action.escu.how_to_implement = The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. -action.escu.creation_date = 2023-12-27 -action.escu.modification_date = 2023-12-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Get ADUserResultantPasswordPolicy with Powershell Script Block - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Discovery", "CISA AA23-347A"] -action.risk = 1 -action.risk.param._risk_message = powershell process having commandline to query domain user password policy detected on host - $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 9}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 9}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Get ADUserResultantPasswordPolicy with Powershell Script Block - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "737e1eb0-065a-11ec-921a-acde48001122", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-ADUserResultantPasswordPolicy` commandlet used to obtain the password policy in a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery. -action.notable.param.rule_title = Get ADUserResultantPasswordPolicy with Powershell Script Block -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText="*Get-ADUserResultantPasswordPolicy*" | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_aduserresultantpasswordpolicy_with_powershell_script_block_filter` - -[ESCU - Get DomainPolicy with Powershell - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic looks for the execution of `powershell.exe` executing the `Get-DomainPolicy` commandlet used to obtain the password policy in a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for the execution of `powershell.exe` executing the `Get-DomainPolicy` commandlet used to obtain the password policy in a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. -action.escu.creation_date = 2021-08-26 -action.escu.modification_date = 2021-08-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Get DomainPolicy with Powershell - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Discovery"] -action.risk = 1 -action.risk.param._risk_message = an instance of process $process_name$ with commandline $process$ in $dest$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 30}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 30}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 30}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Get DomainPolicy with Powershell - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 60, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "b8f9947e-065a-11ec-aafb-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic looks for the execution of `powershell.exe` executing the `Get-DomainPolicy` commandlet used to obtain the password policy in a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery. -action.notable.param.rule_title = Get DomainPolicy with Powershell -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="cmd.exe" OR Processes.process_name="powershell*") AND Processes.process = "*Get-DomainPolicy*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domainpolicy_with_powershell_filter` - -[ESCU - Get DomainPolicy with Powershell Script Block - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get DomainPolicy` commandlet used to obtain the password policy in a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get DomainPolicy` commandlet used to obtain the password policy in a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery. -action.escu.how_to_implement = The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. -action.escu.creation_date = 2022-05-02 -action.escu.modification_date = 2022-05-02 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Get DomainPolicy with Powershell Script Block - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Discovery"] -action.risk = 1 -action.risk.param._risk_message = powershell process having commandline $ScriptBlockText$ to query domain policy. -action.risk.param._risk = [{"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 30}, {"risk_object_field": "UserID", "risk_object_type": "user", "risk_score": 30}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Get DomainPolicy with Powershell Script Block - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 60, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a360d2b2-065a-11ec-b0bf-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get DomainPolicy` commandlet used to obtain the password policy in a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery. -action.notable.param.rule_title = Get DomainPolicy with Powershell Script Block -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText ="*Get-DomainPolicy*" | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domainpolicy_with_powershell_script_block_filter` - -[ESCU - Get-DomainTrust with PowerShell - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic identifies Get-DomainTrust from PowerView in order to gather domain trust information. Typically, this is utilized within a script being executed and used to enumerate the domain trust information. This grants the adversary an understanding of how large or small the domain is. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1482"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic identifies Get-DomainTrust from PowerView in order to gather domain trust information. Typically, this is utilized within a script being executed and used to enumerate the domain trust information. This grants the adversary an understanding of how large or small the domain is. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Limited false positives as this requires an active Administrator or adversary to bring in, import, and execute. -action.escu.creation_date = 2021-08-24 -action.escu.modification_date = 2021-08-24 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Get-DomainTrust with PowerShell - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Discovery"] -action.risk = 1 -action.risk.param._risk_message = Suspicious PowerShell Get-DomainTrust was identified on endpoint $dest$ by user $user$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 12}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 12}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Get-DomainTrust with PowerShell - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 40, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1482"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "4fa7f846-054a-11ec-a836-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic identifies Get-DomainTrust from PowerView in order to gather domain trust information. Typically, this is utilized within a script being executed and used to enumerate the domain trust information. This grants the adversary an understanding of how large or small the domain is. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. -action.notable.param.rule_title = Get-DomainTrust with PowerShell -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=*get-domaintrust* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domaintrust_with_powershell_filter` - -[ESCU - Get-DomainTrust with PowerShell Script Block - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ - \ -This analytic identifies Get-DomainTrust from PowerView in order to gather domain trust information. \ -During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1482"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ - \ -This analytic identifies Get-DomainTrust from PowerView in order to gather domain trust information. \ -During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = It is possible certain system management frameworks utilize this command to gather trust information. -action.escu.creation_date = 2022-05-02 -action.escu.modification_date = 2022-05-02 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Get-DomainTrust with PowerShell Script Block - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Discovery"] -action.risk = 1 -action.risk.param._risk_message = Suspicious PowerShell Get-DomainTrust was identified on endpoint $dest$ by user $user$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 12}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 12}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Get-DomainTrust with PowerShell Script Block - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 40, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1482"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "89275e7e-0548-11ec-bf75-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ - \ -This analytic identifies Get-DomainTrust from PowerView in order to gather domain trust information. \ -During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. -action.notable.param.rule_title = Get-DomainTrust with PowerShell Script Block -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText = "*get-domaintrust*" | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domaintrust_with_powershell_script_block_filter` - -[ESCU - Get DomainUser with PowerShell - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to enumerate domain users. `Get-DomainUser` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may leverage PowerView to enumerate domain users for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to enumerate domain users. `Get-DomainUser` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may leverage PowerView to enumerate domain users for situational awareness and Active Directory Discovery. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. -action.escu.creation_date = 2023-12-27 -action.escu.modification_date = 2023-12-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Get DomainUser with PowerShell - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Discovery", "CISA AA23-347A"] -action.risk = 1 -action.risk.param._risk_message = an instance of process $process_name$ with commandline $process$ in $dest$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Get DomainUser with PowerShell - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "9a5a41d6-04e7-11ec-923c-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to enumerate domain users. `Get-DomainUser` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may leverage PowerView to enumerate domain users for situational awareness and Active Directory Discovery. -action.notable.param.rule_title = Get DomainUser with PowerShell -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="cmd.exe" OR Processes.process_name="powershell*") AND Processes.process = "*Get-DomainUser*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domainuser_with_powershell_filter` - -[ESCU - Get DomainUser with PowerShell Script Block - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainUser` commandlet. `GetDomainUser` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may use PowerView to enumerate domain users for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainUser` commandlet. `GetDomainUser` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may use PowerView to enumerate domain users for situational awareness and Active Directory Discovery. -action.escu.how_to_implement = The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. -action.escu.creation_date = 2023-12-27 -action.escu.modification_date = 2023-12-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Get DomainUser with PowerShell Script Block - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Discovery", "CISA AA23-347A"] -action.risk = 1 -action.risk.param._risk_message = Powershell process having commandline "*Get-DomainUser*" for user enumeration on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Get DomainUser with PowerShell Script Block - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "61994268-04f4-11ec-865c-acde48001122", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainUser` commandlet. `GetDomainUser` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may use PowerView to enumerate domain users for situational awareness and Active Directory Discovery. -action.notable.param.rule_title = Get DomainUser with PowerShell Script Block -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText = "*Get-DomainUser*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domainuser_with_powershell_script_block_filter` - -[ESCU - Get-ForestTrust with PowerShell - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic identifies Get-ForestTrust from PowerSploit in order to gather domain trust information. Typically, this is utilized within a script being executed and used to enumerate the domain trust information. This grants the adversary an understanding of how large or small the domain is. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1482"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic identifies Get-ForestTrust from PowerSploit in order to gather domain trust information. Typically, this is utilized within a script being executed and used to enumerate the domain trust information. This grants the adversary an understanding of how large or small the domain is. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Limited false positives as this requires an active Administrator or adversary to bring in, import, and execute. -action.escu.creation_date = 2021-09-02 -action.escu.modification_date = 2021-09-02 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Get-ForestTrust with PowerShell - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Discovery"] -action.risk = 1 -action.risk.param._risk_message = Suspicious PowerShell Get-ForestTrust was identified on endpoint $dest$ by user $user$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 12}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 12}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Get-ForestTrust with PowerShell - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 40, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1482"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "584f4884-0bf1-11ec-a5ec-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic identifies Get-ForestTrust from PowerSploit in order to gather domain trust information. Typically, this is utilized within a script being executed and used to enumerate the domain trust information. This grants the adversary an understanding of how large or small the domain is. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. -action.notable.param.rule_title = Get-ForestTrust with PowerShell -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=powershell.exe OR Processes.process_name=cmd.exe Processes.process=*get-foresttrust* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_foresttrust_with_powershell_filter` - -[ESCU - Get-ForestTrust with PowerShell Script Block - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ - \ -This analytic identifies Get-ForestTrust from PowerSploit in order to gather domain trust information. \ -During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1482", "T1059.001"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ - \ -This analytic identifies Get-ForestTrust from PowerSploit in order to gather domain trust information. \ -During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = False positives may be present. Tune as needed. -action.escu.creation_date = 2022-02-24 -action.escu.modification_date = 2022-02-24 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Get-ForestTrust with PowerShell Script Block - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Discovery"] -action.risk = 1 -action.risk.param._risk_message = Suspicious PowerShell Get-ForestTrust was identified on endpoint $dest$ by user $user$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 12}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 12}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Get-ForestTrust with PowerShell Script Block - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 40, "impact": 30, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1482", "T1059.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "70fac80e-0bf1-11ec-9ba0-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ - \ -This analytic identifies Get-ForestTrust from PowerSploit in order to gather domain trust information. \ -During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. -action.notable.param.rule_title = Get-ForestTrust with PowerShell Script Block -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText = "*get-foresttrust*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_foresttrust_with_powershell_script_block_filter` - -[ESCU - Get WMIObject Group Discovery - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following hunting analytic identifies the use of `Get-WMIObject Win32_Group` being used with PowerShell to identify local groups on the endpoint. \ Typically, by itself, is not malicious but may raise suspicion based on time of day, endpoint and username. \ During triage, review parallel processes and identify any further suspicious behavior. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.001"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following hunting analytic identifies the use of `Get-WMIObject Win32_Group` being used with PowerShell to identify local groups on the endpoint. \ Typically, by itself, is not malicious but may raise suspicion based on time of day, endpoint and username. \ During triage, review parallel processes and identify any further suspicious behavior. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives may be present. Tune as needed. -action.escu.creation_date = 2021-09-14 -action.escu.modification_date = 2021-09-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Get WMIObject Group Discovery - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Discovery"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Get WMIObject Group Discovery - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.001"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "5434f670-155d-11ec-8cca-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=powershell.exe OR processes.process_name=cmd.exe) (Processes.process="*Get-WMIObject*" AND Processes.process="*Win32_Group*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `get_wmiobject_group_discovery_filter` - -[ESCU - Get WMIObject Group Discovery with Script Block Logging - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ - \ -This analytic identifies the usage of `Get-WMIObject Win32_Group`, which is typically used as a way to identify groups on the endpoint. Typically, by itself, is not malicious but may raise suspicion based on time of day, endpoint and username. \ -During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.001"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ - \ -This analytic identifies the usage of `Get-WMIObject Win32_Group`, which is typically used as a way to identify groups on the endpoint. Typically, by itself, is not malicious but may raise suspicion based on time of day, endpoint and username. \ -During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = False positives may be present. Tune as needed. -action.escu.creation_date = 2022-03-22 -action.escu.modification_date = 2022-03-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Get WMIObject Group Discovery with Script Block Logging - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Discovery"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Get WMIObject Group Discovery with Script Block Logging - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.001"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "69df7f7c-155d-11ec-a055-acde48001122", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText = "*Get-WMIObject*" AND ScriptBlockText = "*Win32_Group*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_wmiobject_group_discovery_with_script_block_logging_filter` - -[ESCU - GetAdComputer with PowerShell - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to discover remote systems. The `Get-AdComputer' commandlet returns a list of all domain computers. Red Teams and adversaries alike may use this commandlet to identify remote systems for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to discover remote systems. The `Get-AdComputer' commandlet returns a list of all domain computers. Red Teams and adversaries alike may use this commandlet to identify remote systems for situational awareness and Active Directory Discovery. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. -action.escu.creation_date = 2021-09-07 -action.escu.modification_date = 2021-09-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - GetAdComputer with PowerShell - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Discovery"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - GetAdComputer with PowerShell - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c5a31f80-5888-4d81-9f78-1cc65026316e", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") (Processes.process=*Get-AdComputer*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getadcomputer_with_powershell_filter` - -[ESCU - GetAdComputer with PowerShell Script Block - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-AdGroup` commandlet. The `Get-AdGroup` commandlet is used to return a list of all domain computers. Red Teams and adversaries may leverage this commandlet to enumerate domain computers for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-AdGroup` commandlet. The `Get-AdGroup` commandlet is used to return a list of all domain computers. Red Teams and adversaries may leverage this commandlet to enumerate domain computers for situational awareness and Active Directory Discovery. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = Administrators or power users may use this PowerShell commandlet for troubleshooting. -action.escu.creation_date = 2022-05-02 -action.escu.modification_date = 2022-05-02 -action.escu.confidence = high -action.escu.full_search_name = ESCU - GetAdComputer with PowerShell Script Block - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Discovery", "CISA AA22-320A"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - GetAdComputer with PowerShell Script Block - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "CISA AA22-320A"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a9a1da02-8e27-4bf7-a348-f4389c9da487", "detection_version": "3"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 (ScriptBlockText = "*Get-AdComputer*") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `getadcomputer_with_powershell_script_block_filter` - -[ESCU - GetAdGroup with PowerShell - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for domain groups. The `Get-AdGroup` commandlnet is used to return a list of all groups available in a Windows Domain. Red Teams and adversaries alike may leverage this commandlet to enumerate domain groups for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for domain groups. The `Get-AdGroup` commandlnet is used to return a list of all groups available in a Windows Domain. Red Teams and adversaries alike may leverage this commandlet to enumerate domain groups for situational awareness and Active Directory Discovery. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. -action.escu.creation_date = 2021-08-25 -action.escu.modification_date = 2021-08-25 -action.escu.confidence = high -action.escu.full_search_name = ESCU - GetAdGroup with PowerShell - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Discovery"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - GetAdGroup with PowerShell - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "872e3063-0fc4-4e68-b2f3-f2b99184a708", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") (Processes.process=*Get-AdGroup*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getadgroup_with_powershell_filter` - -[ESCU - GetAdGroup with PowerShell Script Block - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-AdGroup` commandlet. The `Get-AdGroup` commandlet is used to return a list of all domain groups. Red Teams and adversaries may leverage this commandlet to enumerate domain groups for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-AdGroup` commandlet. The `Get-AdGroup` commandlet is used to return a list of all domain groups. Red Teams and adversaries may leverage this commandlet to enumerate domain groups for situational awareness and Active Directory Discovery. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = Administrators or power users may use this PowerShell commandlet for troubleshooting. -action.escu.creation_date = 2022-03-22 -action.escu.modification_date = 2022-03-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - GetAdGroup with PowerShell Script Block - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Discovery"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - GetAdGroup with PowerShell Script Block - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e4c73d68-794b-468d-b4d0-dac1772bbae7", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText = "*Get-ADGroup*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getadgroup_with_powershell_script_block_filter` - -[ESCU - GetCurrent User with PowerShell - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic looks for the execution of `powerhsell.exe` with command-line arguments that execute the `GetCurrent` method of the WindowsIdentity .NET class. This method returns an object that represents the current Windows user. Red Teams and adversaries may leverage this method to identify the logged user on a compromised endpoint for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for the execution of `powerhsell.exe` with command-line arguments that execute the `GetCurrent` method of the WindowsIdentity .NET class. This method returns an object that represents the current Windows user. Red Teams and adversaries may leverage this method to identify the logged user on a compromised endpoint for situational awareness and Active Directory Discovery. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. -action.escu.creation_date = 2021-09-13 -action.escu.modification_date = 2021-09-13 -action.escu.confidence = high -action.escu.full_search_name = ESCU - GetCurrent User with PowerShell - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Discovery"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - GetCurrent User with PowerShell - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "7eb9c3d5-c98c-4088-acc5-8240bad15379", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") (Processes.process=*System.Security.Principal.WindowsIdentity* OR Processes.process=*GetCurrent()*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getcurrent_user_with_powershell_filter` - -[ESCU - GetCurrent User with PowerShell Script Block - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `GetCurrent` method of the WindowsIdentity .NET class. This method returns an object that represents the current Windows user. Red Teams and adversaries may leverage this method to identify the logged user on a compromised endpoint for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `GetCurrent` method of the WindowsIdentity .NET class. This method returns an object that represents the current Windows user. Red Teams and adversaries may leverage this method to identify the logged user on a compromised endpoint for situational awareness and Active Directory Discovery. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = Administrators or power users may use this PowerShell commandlet for troubleshooting. -action.escu.creation_date = 2022-03-22 -action.escu.modification_date = 2022-03-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - GetCurrent User with PowerShell Script Block - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Discovery"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - GetCurrent User with PowerShell Script Block - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "80879283-c30f-44f7-8471-d1381f6d437a", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText = "*[System.Security.Principal.WindowsIdentity]*" ScriptBlockText = "*GetCurrent()*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getcurrent_user_with_powershell_script_block_filter` - -[ESCU - GetDomainComputer with PowerShell - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to discover remote systems. `Get-DomainComputer` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may leverage PowerView to enumerate domain groups for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to discover remote systems. `Get-DomainComputer` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may leverage PowerView to enumerate domain groups for situational awareness and Active Directory Discovery. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators or power users may use PowerView for troubleshooting. -action.escu.creation_date = 2021-09-07 -action.escu.modification_date = 2021-09-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - GetDomainComputer with PowerShell - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Discovery"] -action.risk = 1 -action.risk.param._risk_message = Remote system discovery enumeration on $dest$ by $user$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 24}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - GetDomainComputer with PowerShell - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 80, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "ed550c19-712e-43f6-bd19-6f58f61b3a5e", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to discover remote systems. `Get-DomainComputer` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may leverage PowerView to enumerate domain groups for situational awareness and Active Directory Discovery. -action.notable.param.rule_title = GetDomainComputer with PowerShell -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") (Processes.process=*Get-DomainComputer*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getdomaincomputer_with_powershell_filter` - -[ESCU - GetDomainComputer with PowerShell Script Block - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainComputer` commandlet. `GetDomainComputer` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may use PowerView to enumerate domain computers for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainComputer` commandlet. `GetDomainComputer` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may use PowerView to enumerate domain computers for situational awareness and Active Directory Discovery. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = Administrators or power users may use PowerView for troubleshooting. -action.escu.creation_date = 2022-05-02 -action.escu.modification_date = 2022-05-02 -action.escu.confidence = high -action.escu.full_search_name = ESCU - GetDomainComputer with PowerShell Script Block - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Discovery"] -action.risk = 1 -action.risk.param._risk_message = Remote system discovery with PowerView on $dest$ by $user$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 24}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - GetDomainComputer with PowerShell Script Block - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 80, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "f64da023-b988-4775-8d57-38e512beb56e", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainComputer` commandlet. `GetDomainComputer` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may use PowerView to enumerate domain computers for situational awareness and Active Directory Discovery. -action.notable.param.rule_title = GetDomainComputer with PowerShell Script Block -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 (ScriptBlockText = "*Get-DomainComputer*") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `getdomaincomputer_with_powershell_script_block_filter` - -[ESCU - GetDomainController with PowerShell - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to discover remote systems. `Get-DomainController` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may leverage PowerView to enumerate domain groups for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to discover remote systems. `Get-DomainController` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may leverage PowerView to enumerate domain groups for situational awareness and Active Directory Discovery. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators or power users may use PowerView for troubleshooting. -action.escu.creation_date = 2021-09-07 -action.escu.modification_date = 2021-09-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - GetDomainController with PowerShell - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Discovery"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - GetDomainController with PowerShell - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 80, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "868ee0e4-52ab-484a-833a-6d85b7c028d0", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") (Processes.process=*Get-DomainController*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getdomaincontroller_with_powershell_filter` - -[ESCU - GetDomainController with PowerShell Script Block - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainController` commandlet. `Get-DomainController` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may use PowerView to enumerate domain computers for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainController` commandlet. `Get-DomainController` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may use PowerView to enumerate domain computers for situational awareness and Active Directory Discovery. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = Administrators or power users may use this PowerShell commandlet for troubleshooting. -action.escu.creation_date = 2022-05-02 -action.escu.modification_date = 2022-05-02 -action.escu.confidence = high -action.escu.full_search_name = ESCU - GetDomainController with PowerShell Script Block - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Discovery"] -action.risk = 1 -action.risk.param._risk_message = Remote system discovery with PowerView on $Computer$ by $UserID$ -action.risk.param._risk = [{"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 24}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - GetDomainController with PowerShell Script Block - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 80, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "676b600a-a94d-4951-b346-11329431e6c1", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainController` commandlet. `Get-DomainController` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may use PowerView to enumerate domain computers for situational awareness and Active Directory Discovery. -action.notable.param.rule_title = GetDomainController with PowerShell Script Block -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 (ScriptBlockText = "*Get-DomainController*") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `getdomaincontroller_with_powershell_script_block_filter` - -[ESCU - GetDomainGroup with PowerShell - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for domain groups. `Get-DomainGroup` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may leverage PowerView to enumerate domain groups for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for domain groups. `Get-DomainGroup` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may leverage PowerView to enumerate domain groups for situational awareness and Active Directory Discovery. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. -action.escu.creation_date = 2021-08-25 -action.escu.modification_date = 2021-08-25 -action.escu.confidence = high -action.escu.full_search_name = ESCU - GetDomainGroup with PowerShell - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Discovery"] -action.risk = 1 -action.risk.param._risk_message = Domain group discovery with PowerView on $dest$ by $user$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 15}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - GetDomainGroup with PowerShell - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "93c94be3-bead-4a60-860f-77ca3fe59903", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for domain groups. `Get-DomainGroup` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may leverage PowerView to enumerate domain groups for situational awareness and Active Directory Discovery. -action.notable.param.rule_title = GetDomainGroup with PowerShell -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") (Processes.process=*Get-DomainGroup*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getdomaingroup_with_powershell_filter` - -[ESCU - GetDomainGroup with PowerShell Script Block - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainGroup` commandlet. `Get-DomainGroup` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. As the name suggests, `Get-DomainGroup` is used to query domain groups. Red Teams and adversaries may leverage this function to enumerate domain groups for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainGroup` commandlet. `Get-DomainGroup` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. As the name suggests, `Get-DomainGroup` is used to query domain groups. Red Teams and adversaries may leverage this function to enumerate domain groups for situational awareness and Active Directory Discovery. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = Administrators or power users may use this PowerView functions for troubleshooting. -action.escu.creation_date = 2022-05-02 -action.escu.modification_date = 2022-05-02 -action.escu.confidence = high -action.escu.full_search_name = ESCU - GetDomainGroup with PowerShell Script Block - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Discovery"] -action.risk = 1 -action.risk.param._risk_message = Domain group discovery enumeration using PowerView on $Computer$ by $UserID$ -action.risk.param._risk = [{"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 15}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - GetDomainGroup with PowerShell Script Block - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "09725404-a44f-4ed3-9efa-8ed5d69e4c53", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainGroup` commandlet. `Get-DomainGroup` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. As the name suggests, `Get-DomainGroup` is used to query domain groups. Red Teams and adversaries may leverage this function to enumerate domain groups for situational awareness and Active Directory Discovery. -action.notable.param.rule_title = GetDomainGroup with PowerShell Script Block -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 (ScriptBlockText = "*Get-DomainGroup*") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `getdomaingroup_with_powershell_script_block_filter` - -[ESCU - GetLocalUser with PowerShell - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for local users. The `Get-LocalUser` commandlet is used to return a list of all local users. Red Teams and adversaries may leverage this commandlet to enumerate users for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.001"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for local users. The `Get-LocalUser` commandlet is used to return a list of all local users. Red Teams and adversaries may leverage this commandlet to enumerate users for situational awareness and Active Directory Discovery. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators or power users may use this PowerShell commandlet for troubleshooting. -action.escu.creation_date = 2021-08-23 -action.escu.modification_date = 2021-08-23 -action.escu.confidence = high -action.escu.full_search_name = ESCU - GetLocalUser with PowerShell - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Discovery"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - GetLocalUser with PowerShell - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.001"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "85fae8fa-0427-11ec-8b78-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") (Processes.process=*Get-LocalUser*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getlocaluser_with_powershell_filter` - -[ESCU - GetLocalUser with PowerShell Script Block - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-LocalUser` commandlet. The `Get-LocalUser` commandlet is used to return a list of all local users. Red Teams and adversaries may leverage this commandlet to enumerate users for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1087", "T1087.001", "T1059.001"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-LocalUser` commandlet. The `Get-LocalUser` commandlet is used to return a list of all local users. Red Teams and adversaries may leverage this commandlet to enumerate users for situational awareness and Active Directory Discovery. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = Administrators or power users may use this PowerShell commandlet for troubleshooting. -action.escu.creation_date = 2022-03-22 -action.escu.modification_date = 2022-03-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - GetLocalUser with PowerShell Script Block - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Discovery", "Malicious PowerShell"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - GetLocalUser with PowerShell Script Block - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "Malicious PowerShell"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1087", "T1087.001", "T1059.001"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "2e891cbe-0426-11ec-9c9c-acde48001122", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 (ScriptBlockText = "*Get-LocalUser*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getlocaluser_with_powershell_script_block_filter` - -[ESCU - GetNetTcpconnection with PowerShell - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic looks for the execution of `powershell.exe` with command-line utilized to get a listing of network connections on a compromised system. The `Get-NetTcpConnection` commandlet lists the current TCP connections. Red Teams and adversaries alike may use this commandlet for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1049"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for the execution of `powershell.exe` with command-line utilized to get a listing of network connections on a compromised system. The `Get-NetTcpConnection` commandlet lists the current TCP connections. Red Teams and adversaries alike may use this commandlet for situational awareness and Active Directory Discovery. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. -action.escu.creation_date = 2021-08-25 -action.escu.modification_date = 2021-08-25 -action.escu.confidence = high -action.escu.full_search_name = ESCU - GetNetTcpconnection with PowerShell - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Discovery"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - GetNetTcpconnection with PowerShell - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1049"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e02af35c-1de5-4afe-b4be-f45aba57272b", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") (Processes.process=*Get-NetTcpConnection*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getnettcpconnection_with_powershell_filter` - -[ESCU - GetNetTcpconnection with PowerShell Script Block - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-NetTcpconnection ` commandlet. This commandlet is used to return a listing of network connections on a compromised system. Red Teams and adversaries alike may use this commandlet for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1049"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-NetTcpconnection ` commandlet. This commandlet is used to return a listing of network connections on a compromised system. Red Teams and adversaries alike may use this commandlet for situational awareness and Active Directory Discovery. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = Administrators or power users may use this PowerShell commandlet for troubleshooting. -action.escu.creation_date = 2022-04-02 -action.escu.modification_date = 2022-04-02 -action.escu.confidence = high -action.escu.full_search_name = ESCU - GetNetTcpconnection with PowerShell Script Block - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Discovery"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - GetNetTcpconnection with PowerShell Script Block - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1049"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "091712ff-b02a-4d43-82ed-34765515d95d", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 (ScriptBlockText = "*Get-NetTcpconnection*") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `getnettcpconnection_with_powershell_script_block_filter` - -[ESCU - GetWmiObject Ds Computer with PowerShell - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to discover remote systems. The `Get-WmiObject` commandlet combined with the `DS_Computer` parameter can be used to return a list of all domain computers. Red Teams and adversaries alike may leverage WMI in this case, using PowerShell, to enumerate domain groups for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to discover remote systems. The `Get-WmiObject` commandlet combined with the `DS_Computer` parameter can be used to return a list of all domain computers. Red Teams and adversaries alike may leverage WMI in this case, using PowerShell, to enumerate domain groups for situational awareness and Active Directory Discovery. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. -action.escu.creation_date = 2021-09-07 -action.escu.modification_date = 2021-09-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - GetWmiObject Ds Computer with PowerShell - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Discovery"] -action.risk = 1 -action.risk.param._risk_message = Remote system discovery enumeration using WMI on $dest$ by $user$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 21}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - GetWmiObject Ds Computer with PowerShell - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 70, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "7141122c-3bc2-4aaa-ab3b-7a85a0bbefc3", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to discover remote systems. The `Get-WmiObject` commandlet combined with the `DS_Computer` parameter can be used to return a list of all domain computers. Red Teams and adversaries alike may leverage WMI in this case, using PowerShell, to enumerate domain groups for situational awareness and Active Directory Discovery. -action.notable.param.rule_title = GetWmiObject Ds Computer with PowerShell -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") (Processes.process=*Get-WmiObject* AND Processes.process="*namespace root\\directory\\ldap*" AND Processes.process="*class ds_computer*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getwmiobject_ds_computer_with_powershell_filter` - -[ESCU - GetWmiObject Ds Computer with PowerShell Script Block - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-WmiObject` commandlet. The `DS_Computer` class parameter leverages WMI to query for all domain computers. Red Teams and adversaries may leverage this commandlet to enumerate domain computers for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-WmiObject` commandlet. The `DS_Computer` class parameter leverages WMI to query for all domain computers. Red Teams and adversaries may leverage this commandlet to enumerate domain computers for situational awareness and Active Directory Discovery. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = Administrators or power users may use this PowerShell commandlet for troubleshooting. -action.escu.creation_date = 2022-05-02 -action.escu.modification_date = 2022-05-02 -action.escu.confidence = high -action.escu.full_search_name = ESCU - GetWmiObject Ds Computer with PowerShell Script Block - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Discovery"] -action.risk = 1 -action.risk.param._risk_message = Remote system discovery enumeration on $Computer$ by $UserID$ -action.risk.param._risk = [{"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 15}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - GetWmiObject Ds Computer with PowerShell Script Block - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "29b99201-723c-4118-847a-db2b3d3fb8ea", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-WmiObject` commandlet. The `DS_Computer` class parameter leverages WMI to query for all domain computers. Red Teams and adversaries may leverage this commandlet to enumerate domain computers for situational awareness and Active Directory Discovery. -action.notable.param.rule_title = GetWmiObject Ds Computer with PowerShell Script Block -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 (ScriptBlockText=*Get-WmiObject* AND ScriptBlockText="*namespace root\\directory\\ldap*" AND ScriptBlockText="*class ds_computer*") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `getwmiobject_ds_computer_with_powershell_script_block_filter` - -[ESCU - GetWmiObject Ds Group with PowerShell - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for domain groups. The `Get-WmiObject` commandlet combined with the `-class ds_group` parameter can be used to return the full list of groups in a Windows domain. Red Teams and adversaries alike may leverage WMI in this case, using PowerShell, to enumerate domain groups for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for domain groups. The `Get-WmiObject` commandlet combined with the `-class ds_group` parameter can be used to return the full list of groups in a Windows domain. Red Teams and adversaries alike may leverage WMI in this case, using PowerShell, to enumerate domain groups for situational awareness and Active Directory Discovery. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. -action.escu.creation_date = 2021-08-25 -action.escu.modification_date = 2021-08-25 -action.escu.confidence = high -action.escu.full_search_name = ESCU - GetWmiObject Ds Group with PowerShell - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Discovery"] -action.risk = 1 -action.risk.param._risk_message = Domain group discovery enumeration on $dest$ by $user$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 15}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - GetWmiObject Ds Group with PowerShell - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "df275a44-4527-443b-b884-7600e066e3eb", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for domain groups. The `Get-WmiObject` commandlet combined with the `-class ds_group` parameter can be used to return the full list of groups in a Windows domain. Red Teams and adversaries alike may leverage WMI in this case, using PowerShell, to enumerate domain groups for situational awareness and Active Directory Discovery. -action.notable.param.rule_title = GetWmiObject Ds Group with PowerShell -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") (Processes.process=*Get-WmiObject* AND Processes.process="*namespace root\\directory\\ldap*" AND Processes.process="*class ds_group*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getwmiobject_ds_group_with_powershell_filter` - -[ESCU - GetWmiObject Ds Group with PowerShell Script Block - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-WmiObject` commandlet used with specific parameters . The `DS_Group` parameter leverages WMI to query for all domain groups. Red Teams and adversaries may leverage this commandlet to enumerate domain groups for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-WmiObject` commandlet used with specific parameters . The `DS_Group` parameter leverages WMI to query for all domain groups. Red Teams and adversaries may leverage this commandlet to enumerate domain groups for situational awareness and Active Directory Discovery. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = Administrators or power users may use this PowerShell commandlet for troubleshooting. -action.escu.creation_date = 2022-05-02 -action.escu.modification_date = 2022-05-02 -action.escu.confidence = high -action.escu.full_search_name = ESCU - GetWmiObject Ds Group with PowerShell Script Block - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Discovery"] -action.risk = 1 -action.risk.param._risk_message = Domain group discovery enumeration using PowerShell on $dest$ by $user$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 15}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - GetWmiObject Ds Group with PowerShell Script Block - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "67740bd3-1506-469c-b91d-effc322cc6e5", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-WmiObject` commandlet used with specific parameters . The `DS_Group` parameter leverages WMI to query for all domain groups. Red Teams and adversaries may leverage this commandlet to enumerate domain groups for situational awareness and Active Directory Discovery. -action.notable.param.rule_title = GetWmiObject Ds Group with PowerShell Script Block -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 (ScriptBlockText=*Get-WmiObject* AND ScriptBlockText="*namespace root\\directory\\ldap*" AND ScriptBlockText="*class ds_group*") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|`getwmiobject_ds_group_with_powershell_script_block_filter` - -[ESCU - GetWmiObject DS User with PowerShell - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for domain users. The `Get-WmiObject` commandlet combined with the `-class ds_user` parameter can be used to return the full list of users in a Windows domain. Red Teams and adversaries alike may leverage WMI in this case, using PowerShell, to enumerate domain users for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for domain users. The `Get-WmiObject` commandlet combined with the `-class ds_user` parameter can be used to return the full list of users in a Windows domain. Red Teams and adversaries alike may leverage WMI in this case, using PowerShell, to enumerate domain users for situational awareness and Active Directory Discovery. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. -action.escu.creation_date = 2021-08-24 -action.escu.modification_date = 2021-08-24 -action.escu.confidence = high -action.escu.full_search_name = ESCU - GetWmiObject DS User with PowerShell - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Discovery"] -action.risk = 1 -action.risk.param._risk_message = an instance of process $process_name$ with commandline $process$ in $dest$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - GetWmiObject DS User with PowerShell - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "22d3b118-04df-11ec-8fa3-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for domain users. The `Get-WmiObject` commandlet combined with the `-class ds_user` parameter can be used to return the full list of users in a Windows domain. Red Teams and adversaries alike may leverage WMI in this case, using PowerShell, to enumerate domain users for situational awareness and Active Directory Discovery. -action.notable.param.rule_title = GetWmiObject DS User with PowerShell -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="cmd.exe" OR Processes.process_name="powershell*") AND Processes.process = "*get-wmiobject*" AND Processes.process = "*ds_user*" AND Processes.process = "*root\\directory\\ldap*" AND Processes.process = "*-namespace*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getwmiobject_ds_user_with_powershell_filter` - -[ESCU - GetWmiObject DS User with PowerShell Script Block - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-WmiObject` commandlet. The `DS_User` class parameter leverages WMI to query for all domain users. Red Teams and adversaries may leverage this commandlet to enumerate domain users for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-WmiObject` commandlet. The `DS_User` class parameter leverages WMI to query for all domain users. Red Teams and adversaries may leverage this commandlet to enumerate domain users for situational awareness and Active Directory Discovery. -action.escu.how_to_implement = The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. -action.escu.creation_date = 2023-11-07 -action.escu.modification_date = 2023-11-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - GetWmiObject DS User with PowerShell Script Block - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Discovery"] -action.risk = 1 -action.risk.param._risk_message = powershell process having commandline for user enumeration detected on host - $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - GetWmiObject DS User with PowerShell Script Block - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "fabd364e-04f3-11ec-b34b-acde48001122", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-WmiObject` commandlet. The `DS_User` class parameter leverages WMI to query for all domain users. Red Teams and adversaries may leverage this commandlet to enumerate domain users for situational awareness and Active Directory Discovery. -action.notable.param.rule_title = GetWmiObject DS User with PowerShell Script Block -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText = "*get-wmiobject*" ScriptBlockText = "*ds_user*" ScriptBlockText = "*-namespace*" ScriptBlockText = "*root\\directory\\ldap*" | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getwmiobject_ds_user_with_powershell_script_block_filter` - -[ESCU - GetWmiObject User Account with PowerShell - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query local users. The `Get-WmiObject` commandlet combined with the `Win32_UserAccount` parameter is used to return a list of all local users. Red Teams and adversaries may leverage this commandlet to enumerate users for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.001"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query local users. The `Get-WmiObject` commandlet combined with the `Win32_UserAccount` parameter is used to return a list of all local users. Red Teams and adversaries may leverage this commandlet to enumerate users for situational awareness and Active Directory Discovery. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators or power users may use this PowerShell commandlet for troubleshooting. -action.escu.creation_date = 2023-04-05 -action.escu.modification_date = 2023-04-05 -action.escu.confidence = high -action.escu.full_search_name = ESCU - GetWmiObject User Account with PowerShell - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Discovery", "Winter Vivern"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - GetWmiObject User Account with PowerShell - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "Winter Vivern"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.001"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "b44f6ac6-0429-11ec-87e9-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") (Processes.process=*Get-WmiObject* AND Processes.process=*Win32_UserAccount*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getwmiobject_user_account_with_powershell_filter` - -[ESCU - GetWmiObject User Account with PowerShell Script Block - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-WmiObject` commandlet used with specific parameters. The `Win32_UserAccount` parameter is used to return a list of all local users. Red Teams and adversaries may leverage this commandlet to enumerate users for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1087", "T1087.001", "T1059.001"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-WmiObject` commandlet used with specific parameters. The `Win32_UserAccount` parameter is used to return a list of all local users. Red Teams and adversaries may leverage this commandlet to enumerate users for situational awareness and Active Directory Discovery. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = Administrators or power users may use this PowerShell commandlet for troubleshooting. -action.escu.creation_date = 2023-04-05 -action.escu.modification_date = 2023-04-05 -action.escu.confidence = high -action.escu.full_search_name = ESCU - GetWmiObject User Account with PowerShell Script Block - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Discovery", "Malicious PowerShell", "Winter Vivern"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - GetWmiObject User Account with PowerShell Script Block - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "Malicious PowerShell", "Winter Vivern"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1087", "T1087.001", "T1059.001"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "640b0eda-0429-11ec-accd-acde48001122", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 (ScriptBlockText="*Get-WmiObject*" AND ScriptBlockText="*Win32_UserAccount*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `getwmiobject_user_account_with_powershell_script_block_filter` - -[ESCU - GPUpdate with no Command Line Arguments with Network - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies gpupdate.exe with no command line arguments and with a network connection. It is unusual for gpupdate.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, triage any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. gpupdate.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint", "Network_Traffic"] -action.escu.eli5 = The following analytic identifies gpupdate.exe with no command line arguments and with a network connection. It is unusual for gpupdate.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, triage any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. gpupdate.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Limited false positives may be present in small environments. Tuning may be required based on parent process. -action.escu.creation_date = 2023-07-10 -action.escu.modification_date = 2023-07-10 -action.escu.confidence = high -action.escu.full_search_name = ESCU - GPUpdate with no Command Line Arguments with Network - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"] -action.risk = 1 -action.risk.param._risk_message = Process gpupdate.exe with parent_process $parent_process_name$ is executed on $dest$ by user $user$, followed by an outbound network connection to $C2$ on port $dest_port$. This behaviour is seen with cobaltstrike. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 81}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 81}, {"threat_object_field": "parent_process_name", "threat_object_type": "process"}, {"threat_object_field": "C2", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - GPUpdate with no Command Line Arguments with Network - Rule -action.correlationsearch.annotations = {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "2c853856-a140-11eb-a5b5-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies gpupdate.exe with no command line arguments and with a network connection. It is unusual for gpupdate.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, triage any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. gpupdate.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. -action.notable.param.rule_title = GPUpdate with no Command Line Arguments with Network -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=gpupdate.exe by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process="(?i)(gpupdate\.exe.{0,4}$)"| join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as C2 ] | table _time user dest parent_process_name process_name process_path process process_id dest_port C2 | `gpupdate_with_no_command_line_arguments_with_network_filter` - -[ESCU - Headless Browser Mockbin or Mocky Request - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies headless browser activity accessing mockbin.org or mocky.io. Mockbin.org and mocky.io are web services that allow users to mock HTTP requests and responses. The detection is based on the presence of "--headless" and "--disable-gpu" command line arguments which are commonly used in headless browsing and the presence of mockbin.org or mocky.io in the process. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1564.003"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies headless browser activity accessing mockbin.org or mocky.io. Mockbin.org and mocky.io are web services that allow users to mock HTTP requests and responses. The detection is based on the presence of "--headless" and "--disable-gpu" command line arguments which are commonly used in headless browsing and the presence of mockbin.org or mocky.io in the process. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -action.escu.known_false_positives = False positives are not expected with this detection, unless within the organization there is a legitimate need for headless browsing accessing mockbin.org or mocky.io. -action.escu.creation_date = 2023-09-11 -action.escu.modification_date = 2023-09-11 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Headless Browser Mockbin or Mocky Request - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Forest Blizzard"] -action.risk = 1 -action.risk.param._risk_message = Headless browser activity accessing mockbin.org or mocky.io detected on $dest$ by $user$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 56}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Headless Browser Mockbin or Mocky Request - Rule -action.correlationsearch.annotations = {"analytic_story": ["Forest Blizzard"], "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1564.003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "94fc85a1-e55b-4265-95e1-4b66730e05c0", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies headless browser activity accessing mockbin.org or mocky.io. Mockbin.org and mocky.io are web services that allow users to mock HTTP requests and responses. The detection is based on the presence of "--headless" and "--disable-gpu" command line arguments which are commonly used in headless browsing and the presence of mockbin.org or mocky.io in the process. -action.notable.param.rule_title = Headless Browser Mockbin or Mocky Request -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process="*--headless*" AND Processes.process="*--disable-gpu*" AND (Processes.process="*mockbin.org/*" OR Processes.process="*mocky.io/*")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `headless_browser_mockbin_or_mocky_request_filter` - -[ESCU - Headless Browser Usage - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following hunting analytic is designed to detect the usage of headless browsers in an organization. Headless browsers are web browsers without a graphical user interface and are operated via a command line interface or network requests. They are often used for automating tasks but can also be utilized by adversaries for malicious activities such as web scraping, automated testing, and performing actions on web pages without detection. The detection is based on the presence of "--headless" and "--disable-gpu" command line arguments which are commonly used in headless browsing. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1564.003"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following hunting analytic is designed to detect the usage of headless browsers in an organization. Headless browsers are web browsers without a graphical user interface and are operated via a command line interface or network requests. They are often used for automating tasks but can also be utilized by adversaries for malicious activities such as web scraping, automated testing, and performing actions on web pages without detection. The detection is based on the presence of "--headless" and "--disable-gpu" command line arguments which are commonly used in headless browsing. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -action.escu.known_false_positives = This hunting analytic is meant to assist with baselining and understanding headless browsing in use. Filter as needed. -action.escu.creation_date = 2023-09-08 -action.escu.modification_date = 2023-09-08 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Headless Browser Usage - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Forest Blizzard"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Headless Browser Usage - Rule -action.correlationsearch.annotations = {"analytic_story": ["Forest Blizzard"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1564.003"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "869ba261-c272-47d7-affe-5c0aa85c93d6", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process="*--headless*" AND Processes.process="*--disable-gpu*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `headless_browser_usage_filter` - -[ESCU - Hide User Account From Sign-In Screen - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic identifies a suspicious registry modification to hide a user account on the Windows Login screen. This technique was seen in some tradecraft where the adversary will create a hidden user account with Admin privileges in login screen to avoid noticing by the user that they already compromise and to persist on that said machine. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic identifies a suspicious registry modification to hide a user account on the Windows Login screen. This technique was seen in some tradecraft where the adversary will create a hidden user account with Admin privileges in login screen to avoid noticing by the user that they already compromise and to persist on that said machine. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -action.escu.known_false_positives = Unknown. Filter as needed. -action.escu.creation_date = 2023-04-27 -action.escu.modification_date = 2023-04-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Hide User Account From Sign-In Screen - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Azorult", "Warzone RAT", "Windows Registry Abuse", "XMRig"] -action.risk = 1 -action.risk.param._risk_message = Suspicious registry modification ($registry_value_name$) which is used go hide a user account on the Windows Login screen detected on $dest$ executed by $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 72}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}, {"risk_object_field": "registry_value_name", "risk_object_type": "other", "risk_score": 72}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Hide User Account From Sign-In Screen - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azorult", "Warzone RAT", "Windows Registry Abuse", "XMRig"], "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "834ba832-ad89-11eb-937d-acde48001122", "detection_version": "4"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic identifies a suspicious registry modification to hide a user account on the Windows Login screen. This technique was seen in some tradecraft where the adversary will create a hidden user account with Admin privileges in login screen to avoid noticing by the user that they already compromise and to persist on that said machine. -action.notable.param.rule_title = Hide User Account From Sign-In Screen -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist*" AND Registry.registry_value_data = "0x00000000") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `hide_user_account_from_sign_in_screen_filter` - -[ESCU - Hiding Files And Directories With Attrib exe - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = Attackers leverage an existing Windows binary, attrib.exe, to mark specific as hidden by using specific flags so that the victim does not see the file. The search looks for specific command-line arguments to detect the use of attrib.exe to hide files. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222", "T1222.001"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = Attackers leverage an existing Windows binary, attrib.exe, to mark specific as hidden by using specific flags so that the victim does not see the file. The search looks for specific command-line arguments to detect the use of attrib.exe to hide files. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Some applications and users may legitimately use attrib.exe to interact with the files. -action.escu.creation_date = 2024-01-01 -action.escu.modification_date = 2024-01-01 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Hiding Files And Directories With Attrib exe - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Azorult", "Windows Defense Evasion Tactics", "Windows Persistence Techniques"] -action.risk = 1 -action.risk.param._risk_message = Attrib.exe with +h flag to hide files on $dest$ executed by $user$ is detected. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 72}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Hiding Files And Directories With Attrib exe - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azorult", "Windows Defense Evasion Tactics", "Windows Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222", "T1222.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "6e5a3ae4-90a3-462d-9aa6-0119f638c0f1", "detection_version": "5"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = Attackers leverage an existing Windows binary, attrib.exe, to mark specific as hidden by using specific flags so that the victim does not see the file. The search looks for specific command-line arguments to detect the use of attrib.exe to hide files. -action.notable.param.rule_title = Hiding Files And Directories With Attrib exe -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=attrib.exe (Processes.process=*+h*) by Processes.parent_process_name Processes.process_name Processes.user Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`| `hiding_files_and_directories_with_attrib_exe_filter` - -[ESCU - High Frequency Copy Of Files In Network Share - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is to detect a suspicious high frequency copying/moving of files in network share as part of information sabotage. This anomaly event can be a good indicator of insider trying to sabotage data by transfering classified or internal files within network share to exfitrate it after or to lure evidence of insider attack to other user. This behavior may catch several noise if network share is a common place for classified or internal document processing. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1537"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic is to detect a suspicious high frequency copying/moving of files in network share as part of information sabotage. This anomaly event can be a good indicator of insider trying to sabotage data by transfering classified or internal files within network share to exfitrate it after or to lure evidence of insider attack to other user. This behavior may catch several noise if network share is a common place for classified or internal document processing. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Windows Security Event Logs with 5145 EventCode enabled. The Windows TA is also required. Also enable the object Audit access success/failure in your group policy. -action.escu.known_false_positives = This behavior may seen in normal transfer of file within network if network share is common place for sharing documents. -action.escu.creation_date = 2024-04-26 -action.escu.modification_date = 2024-04-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - High Frequency Copy Of Files In Network Share - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Information Sabotage", "Insider Threat"] -action.risk = 1 -action.risk.param._risk_message = High frequency copy of document into a network share from $src_ip$ by $src_user$ -action.risk.param._risk = [{"risk_object_field": "src_user", "risk_object_type": "user", "risk_score": 9}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - High Frequency Copy Of Files In Network Share - Rule -action.correlationsearch.annotations = {"analytic_story": ["Information Sabotage", "Insider Threat"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1537"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "40925f12-4709-11ec-bb43-acde48001122", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=5145 RelativeTargetName IN ("*.doc","*.docx","*.xls","*.xlsx","*.ppt","*.pptx","*.log","*.txt","*.db","*.7z","*.zip","*.rar","*.tar","*.gz","*.jpg","*.gif","*.png","*.bmp","*.pdf","*.rtf","*.key") ObjectType=File ShareName IN ("\\\\*\\C$","\\\\*\\IPC$","\\\\*\\admin$") AccessMask= "0x2" | bucket _time span=5m | stats values(RelativeTargetName) as valRelativeTargetName, values(ShareName) as valShareName, values(ObjectType) as valObjectType, values(AccessMask) as valAccessmask, values(src_port) as valSrcPort, values(SourceAddress) as valSrcAddress count as numShareName by dest, _time, EventCode, src_user, src_ip | eventstats avg(numShareName) as avgShareName, stdev(numShareName) as stdShareName, count as numSlots by dest, _time, EventCode, src_user | eval upperThreshold=(avgShareName + stdShareName *3) | eval isOutlier=if(avgShareName > 20 and avgShareName >= upperThreshold, 1, 0) | search isOutlier=1 | `high_frequency_copy_of_files_in_network_share_filter` - -[ESCU - High Process Termination Frequency - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is designed to identify a high frequency of process termination events on a computer in a short period of time, which is a common behavior of ransomware malware before encrypting files. This technique is designed to avoid an exception error while accessing (docs, images, database and etc..) in the infected machine for encryption. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1486"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic is designed to identify a high frequency of process termination events on a computer in a short period of time, which is a common behavior of ransomware malware before encrypting files. This technique is designed to avoid an exception error while accessing (docs, images, database and etc..) in the infected machine for encryption. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the Image (process full path of terminated process) from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -action.escu.known_false_positives = admin or user tool that can terminate multiple process. -action.escu.creation_date = 2022-09-14 -action.escu.modification_date = 2022-09-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - High Process Termination Frequency - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["BlackByte Ransomware", "Clop Ransomware", "LockBit Ransomware", "Rhysida Ransomware", "Snake Keylogger"] -action.risk = 1 -action.risk.param._risk_message = High frequency process termination (more than 15 processes within 3s) detected on host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}, {"risk_object_field": "proc_terminated", "risk_object_type": "other", "risk_score": 72}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - High Process Termination Frequency - Rule -action.correlationsearch.annotations = {"analytic_story": ["BlackByte Ransomware", "Clop Ransomware", "LockBit Ransomware", "Rhysida Ransomware", "Snake Keylogger"], "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1486"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "17cd75b2-8666-11eb-9ab4-acde48001122", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=5 |bin _time span=3s |stats values(Image) as proc_terminated min(_time) as firstTime max(_time) as lastTime count by _time dest EventCode ProcessID | where count >= 15 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `high_process_termination_frequency_filter` - -[ESCU - Hunting 3CXDesktopApp Software - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The hunting analytic outlined below is designed to detect any version of the 3CXDesktopApp, also known as the 3CX Desktop App, operating on either Mac or Windows systems. It is important to note that this particular analytic employs the Endpoint datamodel Processes node, which means that the file version information is not provided. Recently, 3CX has identified a vulnerability specifically in versions 18.12.407 and 18.12.416 of the desktop app. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1195.002"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The hunting analytic outlined below is designed to detect any version of the 3CXDesktopApp, also known as the 3CX Desktop App, operating on either Mac or Windows systems. It is important to note that this particular analytic employs the Endpoint datamodel Processes node, which means that the file version information is not provided. Recently, 3CX has identified a vulnerability specifically in versions 18.12.407 and 18.12.416 of the desktop app. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = There may be false positives generated due to the reliance on version numbers for identification purposes. Despite this limitation, the primary goal of this approach is to aid in the detection of the software within the environment. -action.escu.creation_date = 2023-03-30 -action.escu.modification_date = 2023-03-30 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Hunting 3CXDesktopApp Software - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["3CX Supply Chain Attack"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Hunting 3CXDesktopApp Software - Rule -action.correlationsearch.annotations = {"analytic_story": ["3CX Supply Chain Attack"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2023-29059"], "impact": 80, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1195.002"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "553d0429-1a1c-44bf-b3f5-a8513deb9ee5", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=3CXDesktopApp.exe OR Processes.process_name="3CX Desktop App" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `hunting_3cxdesktopapp_software_filter` - -[ESCU - Icacls Deny Command - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic identifies instances where an adversary modifies the security permissions of a particular file or directory. This technique is frequently observed in the tradecraft of Advanced Persistent Threats (APTs) and coinminer scripts. The purpose of this behavior is to actively evade detection and impede access to their associated files. By identifying these security permission changes, we can enhance our ability to detect and respond to potential threats, mitigating the impact of malicious activities on the system. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic identifies instances where an adversary modifies the security permissions of a particular file or directory. This technique is frequently observed in the tradecraft of Advanced Persistent Threats (APTs) and coinminer scripts. The purpose of this behavior is to actively evade detection and impede access to their associated files. By identifying these security permission changes, we can enhance our ability to detect and respond to potential threats, mitigating the impact of malicious activities on the system. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Unknown. It is possible some administrative scripts use ICacls. Filter as needed. -action.escu.creation_date = 2023-06-06 -action.escu.modification_date = 2023-06-06 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Icacls Deny Command - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Azorult", "Sandworm Tools", "XMRig"] -action.risk = 1 -action.risk.param._risk_message = Process name $process_name$ with deny argument executed by $user$ to change security permission of a specific file or directory on host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 72}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Icacls Deny Command - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azorult", "Sandworm Tools", "XMRig"], "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "cf8d753e-a8fe-11eb-8f58-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic identifies instances where an adversary modifies the security permissions of a particular file or directory. This technique is frequently observed in the tradecraft of Advanced Persistent Threats (APTs) and coinminer scripts. The purpose of this behavior is to actively evade detection and impede access to their associated files. By identifying these security permission changes, we can enhance our ability to detect and respond to potential threats, mitigating the impact of malicious activities on the system. -action.notable.param.rule_title = Icacls Deny Command -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN( "icacls.exe", "cacls.exe", "xcacls.exe") AND Processes.process IN ("*/deny*", "*/D*") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `icacls_deny_command_filter` - -[ESCU - ICACLS Grant Command - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic identifies adversaries who manipulate the security permissions of specific files or directories by granting additional access. This technique is frequently observed in the tradecraft of Advanced Persistent Threats (APTs) and coinminer scripts. The objective behind this behavior is to actively evade detection mechanisms and tightly control access to their associated files. By identifying these security permission modifications, we can improve our ability to identify and respond to potential threats, thereby minimizing the impact of malicious activities on the system. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic identifies adversaries who manipulate the security permissions of specific files or directories by granting additional access. This technique is frequently observed in the tradecraft of Advanced Persistent Threats (APTs) and coinminer scripts. The objective behind this behavior is to actively evade detection mechanisms and tightly control access to their associated files. By identifying these security permission modifications, we can improve our ability to identify and respond to potential threats, thereby minimizing the impact of malicious activities on the system. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Unknown. Filter as needed. -action.escu.creation_date = 2023-06-06 -action.escu.modification_date = 2023-06-06 -action.escu.confidence = high -action.escu.full_search_name = ESCU - ICACLS Grant Command - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Ransomware", "XMRig"] -action.risk = 1 -action.risk.param._risk_message = Process name $process_name$ with grant argument executed by $user$ to change security permission of a specific file or directory on host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - ICACLS Grant Command - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "XMRig"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "b1b1e316-accc-11eb-a9b4-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic identifies adversaries who manipulate the security permissions of specific files or directories by granting additional access. This technique is frequently observed in the tradecraft of Advanced Persistent Threats (APTs) and coinminer scripts. The objective behind this behavior is to actively evade detection mechanisms and tightly control access to their associated files. By identifying these security permission modifications, we can improve our ability to identify and respond to potential threats, thereby minimizing the impact of malicious activities on the system. -action.notable.param.rule_title = ICACLS Grant Command -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN( "icacls.exe", "cacls.exe", "xcacls.exe") AND Processes.process IN ("*/grant*", "*/G*") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `icacls_grant_command_filter` - -[ESCU - IcedID Exfiltrated Archived File Creation - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the creation of suspicious files named passff.tar and cookie.tar, which are indicative of archived stolen browser information such as history and cookies on a machine compromised with IcedID. It leverages Sysmon EventCode 11 to identify these specific filenames. This activity is significant because it suggests that sensitive browser data has been exfiltrated, which could lead to further exploitation or data breaches. If confirmed malicious, this could allow attackers to access personal information, conduct further phishing attacks, or escalate their presence within the network. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1560.001", "T1560"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects the creation of suspicious files named passff.tar and cookie.tar, which are indicative of archived stolen browser information such as history and cookies on a machine compromised with IcedID. It leverages Sysmon EventCode 11 to identify these specific filenames. This activity is significant because it suggests that sensitive browser data has been exfiltrated, which could lead to further exploitation or data breaches. If confirmed malicious, this could allow attackers to access personal information, conduct further phishing attacks, or escalate their presence within the network. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2024-05-18 -action.escu.modification_date = 2024-05-18 -action.escu.confidence = high -action.escu.full_search_name = ESCU - IcedID Exfiltrated Archived File Creation - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["IcedID"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - IcedID Exfiltrated Archived File Creation - Rule -action.correlationsearch.annotations = {"analytic_story": ["IcedID"], "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1560.001", "T1560"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "0db4da70-f14b-11eb-8043-acde48001122", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode= 11 (TargetFilename = "*\\passff.tar" OR TargetFilename = "*\\cookie.tar") |stats count min(_time) as firstTime max(_time) as lastTime by TargetFilename EventCode process_id process_name dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `icedid_exfiltrated_archived_file_creation_filter` - -[ESCU - Impacket Lateral Movement Commandline Parameters - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic looks for the presence of suspicious commandline parameters typically present when using Impacket tools. Impacket is a collection of python classes meant to be used with Microsoft network protocols. There are multiple scripts that leverage impacket libraries like `wmiexec.py`, `smbexec.py`, `dcomexec.py` and `atexec.py` used to execute commands on remote endpoints. By default, these scripts leverage administrative shares and hardcoded parameters that can be used as a signature to detect its use. Red Teams and adversaries alike may leverage Impackets tools for lateral movement and remote code execution. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1021", "T1021.002", "T1021.003", "T1047", "T1543.003"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for the presence of suspicious commandline parameters typically present when using Impacket tools. Impacket is a collection of python classes meant to be used with Microsoft network protocols. There are multiple scripts that leverage impacket libraries like `wmiexec.py`, `smbexec.py`, `dcomexec.py` and `atexec.py` used to execute commands on remote endpoints. By default, these scripts leverage administrative shares and hardcoded parameters that can be used as a signature to detect its use. Red Teams and adversaries alike may leverage Impackets tools for lateral movement and remote code execution. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Although uncommon, Administrators may leverage Impackets tools to start a process on remote systems for system administration or automation use cases. -action.escu.creation_date = 2023-06-13 -action.escu.modification_date = 2023-06-13 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Impacket Lateral Movement Commandline Parameters - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Lateral Movement", "CISA AA22-277A", "Data Destruction", "Graceful Wipe Out Attack", "Industroyer2", "Prestige Ransomware", "Volt Typhoon", "WhisperGate"] -action.risk = 1 -action.risk.param._risk_message = Suspicious command line parameters on $dest$ may represent a lateral movement attack with Impackets tools -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Impacket Lateral Movement Commandline Parameters - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "CISA AA22-277A", "Data Destruction", "Graceful Wipe Out Attack", "Industroyer2", "Prestige Ransomware", "Volt Typhoon", "WhisperGate"], "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1021", "T1021.002", "T1021.003", "T1047", "T1543.003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "8ce07472-496f-11ec-ab3b-3e22fbd008af", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic looks for the presence of suspicious commandline parameters typically present when using Impacket tools. Impacket is a collection of python classes meant to be used with Microsoft network protocols. There are multiple scripts that leverage impacket libraries like `wmiexec.py`, `smbexec.py`, `dcomexec.py` and `atexec.py` used to execute commands on remote endpoints. By default, these scripts leverage administrative shares and hardcoded parameters that can be used as a signature to detect its use. Red Teams and adversaries alike may leverage Impackets tools for lateral movement and remote code execution. -action.notable.param.rule_title = Impacket Lateral Movement Commandline Parameters -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=cmd.exe (Processes.process = "*/Q /c * \\\\127.0.0.1\\*$*" AND Processes.process IN ("*2>&1*","*2>&1*")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `impacket_lateral_movement_commandline_parameters_filter` - -[ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic focuses on identifying suspicious command-line parameters commonly associated with the use of Impacket wmiexec.py. Impacket is a set of Python classes designed for working with Microsoft network protocols, and it includes several scripts like wmiexec.py, smbexec.py, dcomexec.py, and atexec.py that enable command execution on remote endpoints. These scripts typically utilize administrative shares and hardcoded parameters, which can serve as signatures to detect their usage. Both Red Teams and adversaries may employ Impacket tools for lateral movement and remote code execution purposes. By monitoring for these specific command-line indicators, the analytic aims to detect potentially malicious activities related to Impacket tool usage. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1021", "T1021.002", "T1021.003", "T1047", "T1543.003"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic focuses on identifying suspicious command-line parameters commonly associated with the use of Impacket wmiexec.py. Impacket is a set of Python classes designed for working with Microsoft network protocols, and it includes several scripts like wmiexec.py, smbexec.py, dcomexec.py, and atexec.py that enable command execution on remote endpoints. These scripts typically utilize administrative shares and hardcoded parameters, which can serve as signatures to detect their usage. Both Red Teams and adversaries may employ Impacket tools for lateral movement and remote code execution purposes. By monitoring for these specific command-line indicators, the analytic aims to detect potentially malicious activities related to Impacket tool usage. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Although uncommon, Administrators may leverage Impackets tools to start a process on remote systems for system administration or automation use cases. -action.escu.creation_date = 2023-06-13 -action.escu.modification_date = 2023-06-13 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Lateral Movement", "CISA AA22-277A", "Data Destruction", "Graceful Wipe Out Attack", "Industroyer2", "Prestige Ransomware", "Volt Typhoon", "WhisperGate"] -action.risk = 1 -action.risk.param._risk_message = Suspicious command-line parameters on $dest$ may represent lateral movement using smbexec. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "CISA AA22-277A", "Data Destruction", "Graceful Wipe Out Attack", "Industroyer2", "Prestige Ransomware", "Volt Typhoon", "WhisperGate"], "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1021", "T1021.002", "T1021.003", "T1047", "T1543.003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "bb3c1bac-6bdf-4aa0-8dc9-068b8b712a76", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic focuses on identifying suspicious command-line parameters commonly associated with the use of Impacket wmiexec.py. Impacket is a set of Python classes designed for working with Microsoft network protocols, and it includes several scripts like wmiexec.py, smbexec.py, dcomexec.py, and atexec.py that enable command execution on remote endpoints. These scripts typically utilize administrative shares and hardcoded parameters, which can serve as signatures to detect their usage. Both Red Teams and adversaries may employ Impacket tools for lateral movement and remote code execution purposes. By monitoring for these specific command-line indicators, the analytic aims to detect potentially malicious activities related to Impacket tool usage. -action.notable.param.rule_title = Impacket Lateral Movement smbexec CommandLine Parameters -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=cmd.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | where match(process, "(?i)cmd\.exe\s+\/Q\s+\/c") AND match(process,"(?i)echo\s+cd") AND match(process, "(?i)\\__output") AND match(process, "(?i)C:\\\\Windows\\\\[a-zA-Z]{1,8}\\.bat") AND match(process, "\\\\127\.0\.0\.1\\.*") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `impacket_lateral_movement_smbexec_commandline_parameters_filter` - -[ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic looks for the presence of suspicious commandline parameters typically present when using Impacket tools. Impacket is a collection of python classes meant to be used with Microsoft network protocols. There are multiple scripts that leverage impacket libraries like `wmiexec.py`, `smbexec.py`, `dcomexec.py` and `atexec.py` used to execute commands on remote endpoints. By default, these scripts leverage administrative shares and hardcoded parameters that can be used as a signature to detect its use. Red Teams and adversaries alike may leverage Impackets tools for lateral movement and remote code execution. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1021", "T1021.002", "T1021.003", "T1047", "T1543.003"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for the presence of suspicious commandline parameters typically present when using Impacket tools. Impacket is a collection of python classes meant to be used with Microsoft network protocols. There are multiple scripts that leverage impacket libraries like `wmiexec.py`, `smbexec.py`, `dcomexec.py` and `atexec.py` used to execute commands on remote endpoints. By default, these scripts leverage administrative shares and hardcoded parameters that can be used as a signature to detect its use. Red Teams and adversaries alike may leverage Impackets tools for lateral movement and remote code execution. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Although uncommon, Administrators may leverage Impackets tools to start a process on remote systems for system administration or automation use cases. -action.escu.creation_date = 2023-06-13 -action.escu.modification_date = 2023-06-13 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Lateral Movement", "CISA AA22-277A", "Data Destruction", "Graceful Wipe Out Attack", "Industroyer2", "Prestige Ransomware", "Volt Typhoon", "WhisperGate"] -action.risk = 1 -action.risk.param._risk_message = Suspicious command-line parameters on $dest$ may represent lateral movement using wmiexec. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "CISA AA22-277A", "Data Destruction", "Graceful Wipe Out Attack", "Industroyer2", "Prestige Ransomware", "Volt Typhoon", "WhisperGate"], "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1021", "T1021.002", "T1021.003", "T1047", "T1543.003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "d6e464e4-5c6a-474e-82d2-aed616a3a492", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic looks for the presence of suspicious commandline parameters typically present when using Impacket tools. Impacket is a collection of python classes meant to be used with Microsoft network protocols. There are multiple scripts that leverage impacket libraries like `wmiexec.py`, `smbexec.py`, `dcomexec.py` and `atexec.py` used to execute commands on remote endpoints. By default, these scripts leverage administrative shares and hardcoded parameters that can be used as a signature to detect its use. Red Teams and adversaries alike may leverage Impackets tools for lateral movement and remote code execution. -action.notable.param.rule_title = Impacket Lateral Movement WMIExec Commandline Parameters -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=wmiprvse.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | where match(process, "(?i)cmd\.exe\s+\/Q\s+\/c") AND match(process, "\\\\127\.0\.0\.1\\.*") AND match(process, "__\\d{1,10}\\.\\d{1,10}") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `impacket_lateral_movement_wmiexec_commandline_parameters_filter` - -[ESCU - Interactive Session on Remote Endpoint with PowerShell - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the usage of the `Enter-PSSession`. This commandlet can be used to open an interactive session on a remote endpoint leveraging the WinRM protocol. Red Teams and adversaries alike may abuse WinRM and `Enter-PSSession` for lateral movement and remote code execution. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.006"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the usage of the `Enter-PSSession`. This commandlet can be used to open an interactive session on a remote endpoint leveraging the WinRM protocol. Red Teams and adversaries alike may abuse WinRM and `Enter-PSSession` for lateral movement and remote code execution. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup instructions can be found https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = Administrators may leverage WinRM and `Enter-PSSession` for administrative and troubleshooting tasks. This activity is usually limited to a small set of hosts or users. In certain environments, tuning may not be possible. -action.escu.creation_date = 2023-11-07 -action.escu.modification_date = 2023-11-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Interactive Session on Remote Endpoint with PowerShell - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Lateral Movement"] -action.risk = 1 -action.risk.param._risk_message = An interactive session was opened on a remote endpoint from $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 45}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Interactive Session on Remote Endpoint with PowerShell - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 50, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.006"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a4e8f3a4-48b2-11ec-bcfc-3e22fbd008af", "detection_version": "4"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the usage of the `Enter-PSSession`. This commandlet can be used to open an interactive session on a remote endpoint leveraging the WinRM protocol. Red Teams and adversaries alike may abuse WinRM and `Enter-PSSession` for lateral movement and remote code execution. -action.notable.param.rule_title = Interactive Session on Remote Endpoint with PowerShell -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 (ScriptBlockText="*Enter-PSSession*" AND ScriptBlockText="*-ComputerName*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `interactive_session_on_remote_endpoint_with_powershell_filter` - -[ESCU - Java Class File download by Java User Agent - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a Java user agent performing a GET request for a .class file from the remote site. This is potentially indicative of exploitation of the Java application and may be related to current event CVE-2021-44228 (Log4Shell). -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} -action.escu.data_models = ["Web"] -action.escu.eli5 = The following analytic identifies a Java user agent performing a GET request for a .class file from the remote site. This is potentially indicative of exploitation of the Java application and may be related to current event CVE-2021-44228 (Log4Shell). -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. For additional filtering, allow list private IP space or restrict by known good. -action.escu.known_false_positives = Filtering may be required in some instances, filter as needed. -action.escu.creation_date = 2021-12-13 -action.escu.modification_date = 2021-12-13 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Java Class File download by Java User Agent - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Log4Shell CVE-2021-44228"] -action.risk = 1 -action.risk.param._risk_message = A Java user agent $http_user_agent$ was performing a $http_method$ to retrieve a remote class file. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 40}, {"risk_object_field": "http_user_agent", "risk_object_type": "other", "risk_score": 40}, {"risk_object_field": "http_method", "risk_object_type": "other", "risk_score": 40}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Java Class File download by Java User Agent - Rule -action.correlationsearch.annotations = {"analytic_story": ["Log4Shell CVE-2021-44228"], "cis20": ["CIS 13"], "confidence": 50, "cve": ["CVE-2021-44228"], "impact": 80, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "8281ce42-5c50-11ec-82d2-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a Java user agent performing a GET request for a .class file from the remote site. This is potentially indicative of exploitation of the Java application and may be related to current event CVE-2021-44228 (Log4Shell). -action.notable.param.rule_title = Java Class File download by Java User Agent -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats count from datamodel=Web where Web.http_user_agent="*Java*" Web.http_method="GET" Web.url="*.class*" by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `java_class_file_download_by_java_user_agent_filter` - -[ESCU - Java Writing JSP File - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the process java writing a .jsp to disk. This is potentially indicative of a web shell being written to disk. Modify and tune the analytic based on data ingested. For instance, it may be worth running a broad query for jsp file writes first before performing a join. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the process java writing a .jsp to disk. This is potentially indicative of a web shell being written to disk. Modify and tune the analytic based on data ingested. For instance, it may be worth running a broad query for jsp file writes first before performing a join. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -action.escu.known_false_positives = False positives are possible and filtering may be required. Restrict by assets or filter known jsp files that are common for the environment. -action.escu.creation_date = 2022-06-03 -action.escu.modification_date = 2022-06-03 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Java Writing JSP File - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Atlassian Confluence Server and Data Center CVE-2022-26134", "Spring4Shell CVE-2022-22965", "SysAid On-Prem Software CVE-2023-47246 Vulnerability"] -action.risk = 1 -action.risk.param._risk_message = An instance of $process_name$ was identified on endpoint $dest$ writing a jsp file $file_name$ to disk, potentially indicative of exploitation. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 42}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 42}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Java Writing JSP File - Rule -action.correlationsearch.annotations = {"analytic_story": ["Atlassian Confluence Server and Data Center CVE-2022-26134", "Spring4Shell CVE-2022-22965", "SysAid On-Prem Software CVE-2023-47246 Vulnerability"], "cis20": ["CIS 10"], "confidence": 70, "cve": ["CVE-2022-22965"], "impact": 60, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "eb65619c-4f8d-4383-a975-d352765d344b", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the process java writing a .jsp to disk. This is potentially indicative of a web shell being written to disk. Modify and tune the analytic based on data ingested. For instance, it may be worth running a broad query for jsp file writes first before performing a join. -action.notable.param.rule_title = Java Writing JSP File -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name IN ("java","java.exe", "javaw.exe") by _time Processes.process_id Processes.process_name Processes.dest Processes.process_guid Processes.user | `drop_dm_object_name(Processes)` | join process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.file_name="*.jsp*" by _time Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid Filesystem.user | `drop_dm_object_name(Filesystem)` | fields _time process_guid file_path file_name file_create_time user dest process_name] | stats count min(_time) as firstTime max(_time) as lastTime by dest process_name process_guid file_name file_path file_create_time user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `java_writing_jsp_file_filter` - -[ESCU - Jscript Execution Using Cscript App - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search is to detect a execution of jscript using cscript process. Commonly when a user run jscript file it was executed by wscript.exe application. This technique was seen in FIN7 js implant to execute its malicious script using cscript process. This behavior is uncommon and a good artifacts to check further anomalies within the network -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.007"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search is to detect a execution of jscript using cscript process. Commonly when a user run jscript file it was executed by wscript.exe application. This technique was seen in FIN7 js implant to execute its malicious script using cscript process. This behavior is uncommon and a good artifacts to check further anomalies within the network -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2021-09-13 -action.escu.modification_date = 2021-09-13 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Jscript Execution Using Cscript App - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["FIN7", "Remcos"] -action.risk = 1 -action.risk.param._risk_message = Process name $process_name$ with commandline $process$ to execute jscript in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Jscript Execution Using Cscript App - Rule -action.correlationsearch.annotations = {"analytic_story": ["FIN7", "Remcos"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.007"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "002f1e24-146e-11ec-a470-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search is to detect a execution of jscript using cscript process. Commonly when a user run jscript file it was executed by wscript.exe application. This technique was seen in FIN7 js implant to execute its malicious script using cscript process. This behavior is uncommon and a good artifacts to check further anomalies within the network -action.notable.param.rule_title = Jscript Execution Using Cscript App -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name = "cscript.exe" AND Processes.parent_process = "*//e:jscript*") OR (Processes.process_name = "cscript.exe" AND Processes.process = "*//e:jscript*") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process_id Processes.process Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `jscript_execution_using_cscript_app_filter` - -[ESCU - Kerberoasting spn request with RC4 encryption - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic leverages Kerberos Event 4769, A Kerberos service ticket was requested, to identify a potential kerberoasting attack against Active Directory networks. Kerberoasting allows an adversary to request kerberos tickets for domain accounts typically used as service accounts and attempt to crack them offline allowing them to obtain privileged access to the domain. This analytic looks for a specific combination of the Ticket_Options field based on common kerberoasting tools. Defenders should be aware that it may be possible for a Kerberoast attack to use different Ticket_Options. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558", "T1558.003"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic leverages Kerberos Event 4769, A Kerberos service ticket was requested, to identify a potential kerberoasting attack against Active Directory networks. Kerberoasting allows an adversary to request kerberos tickets for domain accounts typically used as service accounts and attempt to crack them offline allowing them to obtain privileged access to the domain. This analytic looks for a specific combination of the Ticket_Options field based on common kerberoasting tools. Defenders should be aware that it may be possible for a Kerberoast attack to use different Ticket_Options. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. -action.escu.known_false_positives = Older systems that support kerberos RC4 by default like NetApp may generate false positives. Filter as needed -action.escu.creation_date = 2024-04-26 -action.escu.modification_date = 2024-04-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Kerberoasting spn request with RC4 encryption - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Kerberos Attacks", "Data Destruction", "Hermetic Wiper", "Windows Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = Potential kerberoasting attack via service principal name requests detected on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Kerberoasting spn request with RC4 encryption - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks", "Data Destruction", "Hermetic Wiper", "Windows Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558", "T1558.003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "5cc67381-44fa-4111-8a37-7a230943f027", "detection_version": "5"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic leverages Kerberos Event 4769, A Kerberos service ticket was requested, to identify a potential kerberoasting attack against Active Directory networks. Kerberoasting allows an adversary to request kerberos tickets for domain accounts typically used as service accounts and attempt to crack them offline allowing them to obtain privileged access to the domain. This analytic looks for a specific combination of the Ticket_Options field based on common kerberoasting tools. Defenders should be aware that it may be possible for a Kerberoast attack to use different Ticket_Options. -action.notable.param.rule_title = Kerberoasting spn request with RC4 encryption -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4769 ServiceName!="*$" (TicketOptions=0x40810000 OR TicketOptions=0x40800000 OR TicketOptions=0x40810010) TicketEncryptionType=0x17 | stats count min(_time) as firstTime max(_time) as lastTime by Computer, service_id, service, TicketEncryptionType, TicketOptions | rename Computer as dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `kerberoasting_spn_request_with_rc4_encryption_filter` - -[ESCU - Kerberos Pre-Authentication Flag Disabled in UserAccountControl - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic leverages Windows Security Event 4738, `A user account was changed`, to identify a change performed on a domain user object that disables Kerberos Pre-Authentication. Disabling the Pre Authentication flag in the UserAccountControl property allows an adversary to easily perform a brute force attack against the user's password offline leveraging the ASP REP Roasting technique. Red Teams and adversaries alike who have obtained privileges in an Active Directory network may use this technique as a backdoor or a way to escalate privileges. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558", "T1558.004"], "nist": ["DE.CM"]} -action.escu.data_models = ["Change"] -action.escu.eli5 = The following analytic leverages Windows Security Event 4738, `A user account was changed`, to identify a change performed on a domain user object that disables Kerberos Pre-Authentication. Disabling the Pre Authentication flag in the UserAccountControl property allows an adversary to easily perform a brute force attack against the user's password offline leveraging the ASP REP Roasting technique. Red Teams and adversaries alike who have obtained privileges in an Active Directory network may use this technique as a backdoor or a way to escalate privileges. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `User Account Management` within `Account Management` needs to be enabled. -action.escu.known_false_positives = Unknown. -action.escu.creation_date = 2022-02-22 -action.escu.modification_date = 2022-02-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Kerberos Pre-Authentication Flag Disabled in UserAccountControl - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Kerberos Attacks"] -action.risk = 1 -action.risk.param._risk_message = Kerberos Pre Authentication was Disabled for $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 45}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Kerberos Pre-Authentication Flag Disabled in UserAccountControl - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558", "T1558.004"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "0cb847ee-9423-11ec-b2df-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic leverages Windows Security Event 4738, `A user account was changed`, to identify a change performed on a domain user object that disables Kerberos Pre-Authentication. Disabling the Pre Authentication flag in the UserAccountControl property allows an adversary to easily perform a brute force attack against the user's password offline leveraging the ASP REP Roasting technique. Red Teams and adversaries alike who have obtained privileges in an Active Directory network may use this technique as a backdoor or a way to escalate privileges. -action.notable.param.rule_title = Kerberos Pre-Authentication Flag Disabled in UserAccountControl -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4738 MSADChangedAttributes="*Don't Require Preauth' - Enabled*" |rename Account_Name as user | table EventCode, user, dest, Security_ID, MSADChangedAttributes | `kerberos_pre_authentication_flag_disabled_in_useraccountcontrol_filter` - -[ESCU - Kerberos Pre-Authentication Flag Disabled with PowerShell - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Set-ADAccountControl` commandlet with specific parameters. `Set-ADAccountControl` is part of the Active Directory PowerShell module used to manage Windows Active Directory networks. As the name suggests, `Set-ADAccountControl` is used to modify User Account Control values for an Active Directory domain account. With the appropiate parameters, Set-ADAccountControl allows adversaries to disable Kerberos Pre-Authentication for an account to to easily perform a brute force attack against the user's password offline leveraging the ASP REP Roasting technique. Red Teams and adversaries alike who have obtained privileges in an Active Directory network may use this technique as a backdoor or a way to escalate privileges. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558", "T1558.004"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Set-ADAccountControl` commandlet with specific parameters. `Set-ADAccountControl` is part of the Active Directory PowerShell module used to manage Windows Active Directory networks. As the name suggests, `Set-ADAccountControl` is used to modify User Account Control values for an Active Directory domain account. With the appropiate parameters, Set-ADAccountControl allows adversaries to disable Kerberos Pre-Authentication for an account to to easily perform a brute force attack against the user's password offline leveraging the ASP REP Roasting technique. Red Teams and adversaries alike who have obtained privileges in an Active Directory network may use this technique as a backdoor or a way to escalate privileges. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = Although unlikely, Administrators may need to set this flag for legitimate purposes. -action.escu.creation_date = 2022-03-22 -action.escu.modification_date = 2022-03-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Kerberos Pre-Authentication Flag Disabled with PowerShell - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Kerberos Attacks"] -action.risk = 1 -action.risk.param._risk_message = Kerberos Pre Authentication was Disabled using PowerShell on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 45}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Kerberos Pre-Authentication Flag Disabled with PowerShell - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558", "T1558.004"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "59b51620-94c9-11ec-b3d5-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Set-ADAccountControl` commandlet with specific parameters. `Set-ADAccountControl` is part of the Active Directory PowerShell module used to manage Windows Active Directory networks. As the name suggests, `Set-ADAccountControl` is used to modify User Account Control values for an Active Directory domain account. With the appropiate parameters, Set-ADAccountControl allows adversaries to disable Kerberos Pre-Authentication for an account to to easily perform a brute force attack against the user's password offline leveraging the ASP REP Roasting technique. Red Teams and adversaries alike who have obtained privileges in an Active Directory network may use this technique as a backdoor or a way to escalate privileges. -action.notable.param.rule_title = Kerberos Pre-Authentication Flag Disabled with PowerShell -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 (ScriptBlockText = "*Set-ADAccountControl*" AND ScriptBlockText="*DoesNotRequirePreAuth:$true*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `kerberos_pre_authentication_flag_disabled_with_powershell_filter` - -[ESCU - Kerberos Service Ticket Request Using RC4 Encryption - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic leverages Kerberos Event 4769, A Kerberos service ticket was requested, to identify a potential Kerberos Service Ticket request related to a Golden Ticket attack. Adversaries who have obtained the Krbtgt account NTLM password hash may forge a Kerberos Granting Ticket (TGT) to obtain unrestricted access to an Active Directory environment. Armed with a Golden Ticket, attackers can request service tickets to move laterally and execute code on remote systems. Looking for Kerberos Service Ticket requests using the legacy RC4 encryption mechanism could represent the second stage of a Golden Ticket attack. RC4 usage should be rare on a modern network since Windows Vista & Windows Sever 2008 and newer support AES Kerberos encryption.\ Defenders should note that if an attacker does not leverage the NTLM password hash but rather the AES key to create a golden ticket, this detection may be bypassed. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558", "T1558.001"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic leverages Kerberos Event 4769, A Kerberos service ticket was requested, to identify a potential Kerberos Service Ticket request related to a Golden Ticket attack. Adversaries who have obtained the Krbtgt account NTLM password hash may forge a Kerberos Granting Ticket (TGT) to obtain unrestricted access to an Active Directory environment. Armed with a Golden Ticket, attackers can request service tickets to move laterally and execute code on remote systems. Looking for Kerberos Service Ticket requests using the legacy RC4 encryption mechanism could represent the second stage of a Golden Ticket attack. RC4 usage should be rare on a modern network since Windows Vista & Windows Sever 2008 and newer support AES Kerberos encryption.\ Defenders should note that if an attacker does not leverage the NTLM password hash but rather the AES key to create a golden ticket, this detection may be bypassed. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. -action.escu.known_false_positives = Based on Microsoft documentation, legacy systems or applications will use RC4-HMAC as the default encryption for Kerberos Service Ticket requests. Specifically, systems before Windows Server 2008 and Windows Vista. Newer systems will use AES128 or AES256. -action.escu.creation_date = 2024-04-26 -action.escu.modification_date = 2024-04-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Kerberos Service Ticket Request Using RC4 Encryption - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Kerberos Attacks", "Active Directory Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = A Kerberos Service TTicket request with RC4 encryption was requested from $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 45}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Kerberos Service Ticket Request Using RC4 Encryption - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558", "T1558.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "7d90f334-a482-11ec-908c-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic leverages Kerberos Event 4769, A Kerberos service ticket was requested, to identify a potential Kerberos Service Ticket request related to a Golden Ticket attack. Adversaries who have obtained the Krbtgt account NTLM password hash may forge a Kerberos Granting Ticket (TGT) to obtain unrestricted access to an Active Directory environment. Armed with a Golden Ticket, attackers can request service tickets to move laterally and execute code on remote systems. Looking for Kerberos Service Ticket requests using the legacy RC4 encryption mechanism could represent the second stage of a Golden Ticket attack. RC4 usage should be rare on a modern network since Windows Vista & Windows Sever 2008 and newer support AES Kerberos encryption.\ Defenders should note that if an attacker does not leverage the NTLM password hash but rather the AES key to create a golden ticket, this detection may be bypassed. -action.notable.param.rule_title = Kerberos Service Ticket Request Using RC4 Encryption -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4769 ServiceName="*$" (TicketOptions=0x40810000 OR TicketOptions=0x40800000 OR TicketOptions=0x40810010) TicketEncryptionType=0x17 | stats count min(_time) as firstTime max(_time) as lastTime by dest, service, service_id, TicketEncryptionType, TicketOptions | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `kerberos_service_ticket_request_using_rc4_encryption_filter` - -[ESCU - Kerberos TGT Request Using RC4 Encryption - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic leverages Event 4768, A Kerberos authentication ticket (TGT) was requested, to identify a TGT request with encryption type 0x17, or RC4-HMAC. This encryption type is no longer utilized by newer systems and could represent evidence of an OverPass The Hash attack. Similar to Pass The Hash, OverPass The Hash is a form of credential theft that allows adversaries to move laterally or consume resources in a target network. Leveraging this attack, an adversary who has stolen the NTLM hash of a valid domain account is able to authenticate to the Kerberos Distribution Center(KDC) on behalf of the legitimate account and obtain a Kerberos TGT ticket. Depending on the privileges of the compromised account, this ticket may be used to obtain unauthorized access to systems and other network resources. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1550"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic leverages Event 4768, A Kerberos authentication ticket (TGT) was requested, to identify a TGT request with encryption type 0x17, or RC4-HMAC. This encryption type is no longer utilized by newer systems and could represent evidence of an OverPass The Hash attack. Similar to Pass The Hash, OverPass The Hash is a form of credential theft that allows adversaries to move laterally or consume resources in a target network. Leveraging this attack, an adversary who has stolen the NTLM hash of a valid domain account is able to authenticate to the Kerberos Distribution Center(KDC) on behalf of the legitimate account and obtain a Kerberos TGT ticket. Depending on the privileges of the compromised account, this ticket may be used to obtain unauthorized access to systems and other network resources. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. -action.escu.known_false_positives = Based on Microsoft documentation, legacy systems or applications will use RC4-HMAC as the default encryption for TGT requests. Specifically, systems before Windows Server 2008 and Windows Vista. Newer systems will use AES128 or AES256. -action.escu.creation_date = 2024-04-26 -action.escu.modification_date = 2024-04-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Kerberos TGT Request Using RC4 Encryption - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Kerberos Attacks"] -action.risk = 1 -action.risk.param._risk_message = A Kerberos TGT request with RC4 encryption was requested for $ServiceName$ from $src_ip$ -action.risk.param._risk = [{"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Kerberos TGT Request Using RC4 Encryption - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1550"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "18916468-9c04-11ec-bdc6-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic leverages Event 4768, A Kerberos authentication ticket (TGT) was requested, to identify a TGT request with encryption type 0x17, or RC4-HMAC. This encryption type is no longer utilized by newer systems and could represent evidence of an OverPass The Hash attack. Similar to Pass The Hash, OverPass The Hash is a form of credential theft that allows adversaries to move laterally or consume resources in a target network. Leveraging this attack, an adversary who has stolen the NTLM hash of a valid domain account is able to authenticate to the Kerberos Distribution Center(KDC) on behalf of the legitimate account and obtain a Kerberos TGT ticket. Depending on the privileges of the compromised account, this ticket may be used to obtain unauthorized access to systems and other network resources. -action.notable.param.rule_title = Kerberos TGT Request Using RC4 Encryption -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4768 TicketEncryptionType=0x17 ServiceName!=*$ | stats count min(_time) as firstTime max(_time) as lastTime by ServiceName src_ip dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `kerberos_tgt_request_using_rc4_encryption_filter` - -[ESCU - Kerberos User Enumeration - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic leverages Event Id 4768, A Kerberos authentication ticket (TGT) was requested, to identify one source endpoint trying to obtain an unusual number Kerberos TGT ticket for non existing users. This behavior could represent an adversary abusing the Kerberos protocol to perform a user enumeration attack against an Active Directory environment. When Kerberos is sent a TGT request with no preauthentication for an invalid username, it responds with KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN or 0x6. Red teams and adversaries alike may abuse the Kerberos protocol to validate a list of users use them to perform further attacks.\ The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number requests. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Reconnaissance"], "mitre_attack": ["T1589", "T1589.002"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic leverages Event Id 4768, A Kerberos authentication ticket (TGT) was requested, to identify one source endpoint trying to obtain an unusual number Kerberos TGT ticket for non existing users. This behavior could represent an adversary abusing the Kerberos protocol to perform a user enumeration attack against an Active Directory environment. When Kerberos is sent a TGT request with no preauthentication for an invalid username, it responds with KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN or 0x6. Red teams and adversaries alike may abuse the Kerberos protocol to validate a list of users use them to perform further attacks.\ The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number requests. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. -action.escu.known_false_positives = Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems. -action.escu.creation_date = 2024-04-26 -action.escu.modification_date = 2024-04-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Kerberos User Enumeration - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Kerberos Attacks"] -action.risk = 1 -action.risk.param._risk_message = Potential Kerberos based user enumeration attack $src_ip$ -action.risk.param._risk = [{"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 24}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Kerberos User Enumeration - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks"], "cis20": ["CIS 10"], "confidence": 80, "impact": 30, "kill_chain_phases": ["Reconnaissance"], "mitre_attack": ["T1589", "T1589.002"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "d82d4af4-a0bd-11ec-9445-3e22fbd008af", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4768 Status=0x6 TargetUserName!="*$" | bucket span=2m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, src_ip | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by src_ip | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1| `kerberos_user_enumeration_filter` - -[ESCU - Known Services Killed by Ransomware - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search detects a suspicioous termination of known services killed by ransomware before encrypting files in a compromised machine. This technique is commonly seen in most of ransomware now a days to avoid exception error while accessing the targetted files it wants to encrypts because of the open handle of those services to the targetted file. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This search detects a suspicioous termination of known services killed by ransomware before encrypting files in a compromised machine. This technique is commonly seen in most of ransomware now a days to avoid exception error while accessing the targetted files it wants to encrypts because of the open handle of those services to the targetted file. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the 7036 EventCode ScManager in System audit Logs from your endpoints. -action.escu.known_false_positives = Admin activities or installing related updates may do a sudden stop to list of services we monitor. -action.escu.creation_date = 2024-04-26 -action.escu.modification_date = 2024-04-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Known Services Killed by Ransomware - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["BlackMatter Ransomware", "LockBit Ransomware", "Ransomware"] -action.risk = 1 -action.risk.param._risk_message = Known services $param1$ terminated by a potential ransomware on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}, {"risk_object_field": "param1", "risk_object_type": "other", "risk_score": 72}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Known Services Killed by Ransomware - Rule -action.correlationsearch.annotations = {"analytic_story": ["BlackMatter Ransomware", "LockBit Ransomware", "Ransomware"], "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "3070f8e0-c528-11eb-b2a0-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search detects a suspicioous termination of known services killed by ransomware before encrypting files in a compromised machine. This technique is commonly seen in most of ransomware now a days to avoid exception error while accessing the targetted files it wants to encrypts because of the open handle of those services to the targetted file. -action.notable.param.rule_title = Known Services Killed by Ransomware -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_system` EventCode=7036 param1 IN ("*Volume Shadow Copy*","*VSS*", "*backup*", "*sophos*", "*sql*", "*memtas*", "*mepocs*", "*veeam*", "*svc$*", "DefWatch", "ccEvtMgr", "ccSetMgr", "SavRoam", "RTVscan", "QBFCService", "QBIDPService", "Intuit.QuickBooks.FCS", "QBCFMonitorService" "YooBackup", "YooIT", "*Veeam*", "PDVFSService", "BackupExecVSSProvider", "BackupExecAgentAccelerator", "BackupExec*", "WdBoot", "WdFilter", "WdNisDrv", "WdNisSvc", "WinDefend", "wscsvc", "Sense", "sppsvc", "SecurityHealthService") param2="stopped" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode param1 dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `known_services_killed_by_ransomware_filter` - -[ESCU - Linux Account Manipulation Of SSH Config and Keys - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is to detect a deletion of ssh key in a linux machine. attacker may delete or modify ssh key to impair some security features or act as defense evasion in compromised linux machine. This Anomaly can be also a good indicator of a malware trying to wipe or delete several files in a compromised host as part of its destructive payload like what acidrain malware does in linux or router machines. This detection can be a good pivot to check what process and user tries to delete this type of files which is not so common and need further investigation. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is to detect a deletion of ssh key in a linux machine. attacker may delete or modify ssh key to impair some security features or act as defense evasion in compromised linux machine. This Anomaly can be also a good indicator of a malware trying to wipe or delete several files in a compromised host as part of its destructive payload like what acidrain malware does in linux or router machines. This detection can be a good pivot to check what process and user tries to delete this type of files which is not so common and need further investigation. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. -action.escu.known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives. -action.escu.creation_date = 2023-04-27 -action.escu.modification_date = 2023-04-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Account Manipulation Of SSH Config and Keys - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["AcidRain"] -action.risk = 1 -action.risk.param._risk_message = SSH Config and keys are deleted on $dest$ by Process GUID - $process_guid$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Account Manipulation Of SSH Config and Keys - Rule -action.correlationsearch.annotations = {"analytic_story": ["AcidRain"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "73a56508-1cf5-4df7-b8d9-5737fbdc27d2", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted AND Filesystem.file_path IN ("/etc/ssh/*", "~/.ssh/*") by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_account_manipulation_of_ssh_config_and_keys_filter` - -[ESCU - Linux Add Files In Known Crontab Directories - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic aims to detect unauthorized activities through suspicious file creation in recognized cron table directories, prevalent Unix-based locations for scheduling tasks. This behavior is often exploited by nefarious entities like malware or threat actors, including red teamers, to establish persistence on a targeted or compromised host. The analogy to Windows-based scheduled tasks helps explain the utility of a crontab or cron job. To enhance clarity and actionable intelligence, the anomaly query flags the anomaly, urging further investigation into the added file's details. A cybersecurity analyst should consider additional data points such as the user identity involved, the file's nature and purpose, file origin, timestamp, and any changes in system behavior post file execution. This comprehensive understanding aids in accurately determining the file's legitimacy, facilitating prompt and effective response actions. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic aims to detect unauthorized activities through suspicious file creation in recognized cron table directories, prevalent Unix-based locations for scheduling tasks. This behavior is often exploited by nefarious entities like malware or threat actors, including red teamers, to establish persistence on a targeted or compromised host. The analogy to Windows-based scheduled tasks helps explain the utility of a crontab or cron job. To enhance clarity and actionable intelligence, the anomaly query flags the anomaly, urging further investigation into the added file's details. A cybersecurity analyst should consider additional data points such as the user identity involved, the file's nature and purpose, file origin, timestamp, and any changes in system behavior post file execution. This comprehensive understanding aids in accurately determining the file's legitimacy, facilitating prompt and effective response actions. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. -action.escu.known_false_positives = Administrator or network operator can create file in crontab folders for automation purposes. Please update the filter macros to remove false positives. -action.escu.creation_date = 2021-12-17 -action.escu.modification_date = 2021-12-17 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Add Files In Known Crontab Directories - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"] -action.risk = 1 -action.risk.param._risk_message = a file $file_name$ is created in $file_path$ on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Add Files In Known Crontab Directories - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "023f3452-5f27-11ec-bf00-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*/etc/cron*", "*/var/spool/cron/*") by Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_add_files_in_known_crontab_directories_filter` - -[ESCU - Linux Add User Account - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic looks for commands to create user accounts on the linux platform. This technique is commonly abuse by adversaries, malware author and red teamers to persist on the targeted or compromised host by creating new user with an elevated privilege. This Hunting query may catch normal creation of user by administrator so filter is needed. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for commands to create user accounts on the linux platform. This technique is commonly abuse by adversaries, malware author and red teamers to persist on the targeted or compromised host by creating new user with an elevated privilege. This Hunting query may catch normal creation of user by administrator so filter is needed. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives. -action.escu.creation_date = 2021-12-21 -action.escu.modification_date = 2021-12-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Add User Account - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Persistence Techniques", "Linux Privilege Escalation"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Add User Account - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "51fbcaf2-6259-11ec-b0f3-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes where Processes.process_name IN ("useradd", "adduser") OR Processes.process IN ("*useradd *", "*adduser *") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_add_user_account_filter` - -[ESCU - Linux Adding Crontab Using List Parameter - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies suspicious modifications to cron jobs on Linux systems using the crontab command with list parameters. This command line parameter can be abused by malware like Industroyer2, as well as adversaries and red teamers, to add a crontab entry for executing their malicious code on a schedule of their choice. However, it's important to note that administrators or normal users may also use this command for legitimate automation purposes, so filtering is required to minimize false positives. Identifying the modification of cron jobs using list parameters is valuable for a SOC as it indicates potential malicious activity or an attempt to establish persistence on the system. If a true positive is detected, further investigation should be conducted to analyze the added cron job, its associated command, and the impact it may have on the system. This includes examining the purpose of the job, reviewing any on-disk artifacts, and identifying any related processes or activities occurring concurrently. The impact of a true positive can range from unauthorized execution of malicious code to data destruction or other damaging outcomes. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies suspicious modifications to cron jobs on Linux systems using the crontab command with list parameters. This command line parameter can be abused by malware like Industroyer2, as well as adversaries and red teamers, to add a crontab entry for executing their malicious code on a schedule of their choice. However, it's important to note that administrators or normal users may also use this command for legitimate automation purposes, so filtering is required to minimize false positives. Identifying the modification of cron jobs using list parameters is valuable for a SOC as it indicates potential malicious activity or an attempt to establish persistence on the system. If a true positive is detected, further investigation should be conducted to analyze the added cron job, its associated command, and the impact it may have on the system. This includes examining the purpose of the job, reviewing any on-disk artifacts, and identifying any related processes or activities occurring concurrently. The impact of a true positive can range from unauthorized execution of malicious code to data destruction or other damaging outcomes. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. -action.escu.creation_date = 2023-04-14 -action.escu.modification_date = 2023-04-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Adding Crontab Using List Parameter - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Data Destruction", "Industroyer2", "Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Adding Crontab Using List Parameter - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Industroyer2", "Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "52f6d751-1fd4-4c74-a4c9-777ecfeb5c58", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "crontab" Processes.process= "* -l*" by Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_adding_crontab_using_list_parameter_filter` - -[ESCU - Linux apt-get Privilege Escalation - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The apt-get is a command line tool for interacting with the Advanced Package Tool (APT) library (a package management system for Linux distributions). It allows you to search for, install, manage, update, and remove software. The tool does not build software from the source code. If sudo right is given to the tool for user, then the user can run system commands as root and possibly get a root shell. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The apt-get is a command line tool for interacting with the Advanced Package Tool (APT) library (a package management system for Linux distributions). It allows you to search for, install, manage, update, and remove software. The tool does not build software from the source code. If sudo right is given to the tool for user, then the user can run system commands as root and possibly get a root shell. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives may be present, filter as needed. -action.escu.creation_date = 2022-08-11 -action.escu.modification_date = 2022-08-11 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux apt-get Privilege Escalation - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Living Off The Land", "Linux Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 10}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 10}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 10}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux apt-get Privilege Escalation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "d870ce3b-e796-402f-b2af-cab4da1223f2", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*apt-get*" AND Processes.process="*APT::Update::Pre-Invoke::*" AND Processes.process="*sudo*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_apt_get_privilege_escalation_filter` - -[ESCU - Linux APT Privilege Escalation - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = Advanced Package Tool, more commonly known as APT, is a collection of tools used to install, update, remove, and otherwise manage software packages on Debian and its derivative operating systems, including Ubuntu and Linux Mint. If sudo right is given to the tool for user, then the user can run system commands as root and possibly get a root shell. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = Advanced Package Tool, more commonly known as APT, is a collection of tools used to install, update, remove, and otherwise manage software packages on Debian and its derivative operating systems, including Ubuntu and Linux Mint. If sudo right is given to the tool for user, then the user can run system commands as root and possibly get a root shell. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives may be present, filter as needed. -action.escu.creation_date = 2022-08-11 -action.escu.modification_date = 2022-08-11 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux APT Privilege Escalation - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Living Off The Land", "Linux Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 10}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 10}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 10}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux APT Privilege Escalation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "4d5a05fa-77d9-4fd0-af9c-05704f9f9a88", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*apt*" AND Processes.process="*APT::Update::Pre-Invoke::*" AND Processes.process="*sudo*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_apt_privilege_escalation_filter` - -[ESCU - Linux At Allow Config File Creation - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the creation of suspicious configuration files, /etc/at.allow or /etc/at.deny, in Linux. These files are commonly abused by malware, adversaries, or red teamers to establish persistence on compromised hosts. The configuration files determine which users are allowed to execute the "at" application, which is used for scheduling tasks in Linux. Attackers can add their user or a compromised username to these files to execute malicious code using "at." It's important to consider potential false positives as administrators or network operators may create these files for legitimate automation purposes. Adjust the filter macros to minimize false positives. \ -Identifying the creation of these configuration files is valuable for a SOC as it indicates potential unauthorized activities or an attacker attempting to establish persistence. If a true positive is found, further investigation is necessary to examine the contents of the created configuration file and determine the source of creation. The impact of a true positive can vary but could result in unauthorized execution of malicious code, data theft, or other detrimental consequences. Analysts should review the file path, creation time, and associated processes to assess the extent of the attack and initiate appropriate response actions. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the creation of suspicious configuration files, /etc/at.allow or /etc/at.deny, in Linux. These files are commonly abused by malware, adversaries, or red teamers to establish persistence on compromised hosts. The configuration files determine which users are allowed to execute the "at" application, which is used for scheduling tasks in Linux. Attackers can add their user or a compromised username to these files to execute malicious code using "at." It's important to consider potential false positives as administrators or network operators may create these files for legitimate automation purposes. Adjust the filter macros to minimize false positives. \ -Identifying the creation of these configuration files is valuable for a SOC as it indicates potential unauthorized activities or an attacker attempting to establish persistence. If a true positive is found, further investigation is necessary to examine the contents of the created configuration file and determine the source of creation. The impact of a true positive can vary but could result in unauthorized execution of malicious code, data theft, or other detrimental consequences. Analysts should review the file path, creation time, and associated processes to assess the extent of the attack and initiate appropriate response actions. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. -action.escu.known_false_positives = Administrator or network operator can create this file for automation purposes. Please update the filter macros to remove false positives. -action.escu.creation_date = 2021-12-17 -action.escu.modification_date = 2021-12-17 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux At Allow Config File Creation - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"] -action.risk = 1 -action.risk.param._risk_message = A file $file_name$ is created in $file_path$ on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux At Allow Config File Creation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "977b3082-5f3d-11ec-b954-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*/etc/at.allow", "*/etc/at.deny") by Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_at_allow_config_file_creation_filter` - -[ESCU - Linux At Application Execution - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the execution of the "At" application in Linux, which can be used by attackers to create persistence entries on a compromised host. The "At" application can be used for automation purposes by administrators or network operators, so the filter macros should be updated to remove false positives. If a true positive is found, it suggests an attacker is trying to maintain access to the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. To implement this analytic, ensure you are ingesting logs with the required fields from your endpoints into the Endpoint datamodel. When a true positive is detected, it suggests that an attacker is attempting to establish persistence or deliver additional malicious payloads by leveraging the "At" application. This behavior can lead to data theft, ransomware attacks, or other damaging outcomes. \ -During triage, the SOC analyst should review the context surrounding the execution of the "At" application. This includes identifying the user, the parent process responsible for invoking the application, and the specific command-line arguments used. It is important to consider whether the execution is expected behavior by an administrator or network operator for legitimate automation purposes. \ -The presence of "At" application execution may indicate an attacker's attempt to maintain unauthorized access to the environment. Immediate investigation and response are necessary to mitigate further risks, identify the attacker's intentions, and prevent potential harm to the organization. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.002", "T1053"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the execution of the "At" application in Linux, which can be used by attackers to create persistence entries on a compromised host. The "At" application can be used for automation purposes by administrators or network operators, so the filter macros should be updated to remove false positives. If a true positive is found, it suggests an attacker is trying to maintain access to the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. To implement this analytic, ensure you are ingesting logs with the required fields from your endpoints into the Endpoint datamodel. When a true positive is detected, it suggests that an attacker is attempting to establish persistence or deliver additional malicious payloads by leveraging the "At" application. This behavior can lead to data theft, ransomware attacks, or other damaging outcomes. \ -During triage, the SOC analyst should review the context surrounding the execution of the "At" application. This includes identifying the user, the parent process responsible for invoking the application, and the specific command-line arguments used. It is important to consider whether the execution is expected behavior by an administrator or network operator for legitimate automation purposes. \ -The presence of "At" application execution may indicate an attacker's attempt to maintain unauthorized access to the environment. Immediate investigation and response are necessary to mitigate further risks, identify the attacker's intentions, and prevent potential harm to the organization. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. -action.escu.creation_date = 2022-05-26 -action.escu.modification_date = 2022-05-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux At Application Execution - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"] -action.risk = 1 -action.risk.param._risk_message = At application was executed in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 9}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux At Application Execution - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.002", "T1053"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "bf0a378e-5f3c-11ec-a6de-acde48001122", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes where Processes.process_name IN ("at", "atd") OR Processes.parent_process_name IN ("at", "atd") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_at_application_execution_filter` - -[ESCU - Linux AWK Privilege Escalation - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = Awk is mostly used for processing and scanning patterns. It checks one or more files to determine whether any lines fit the specified patterns, and if so, it does the appropriate action. If sudo right is given to AWK binary for the user, then the user can run system commands as root and possibly get a root shell. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = Awk is mostly used for processing and scanning patterns. It checks one or more files to determine whether any lines fit the specified patterns, and if so, it does the appropriate action. If sudo right is given to AWK binary for the user, then the user can run system commands as root and possibly get a root shell. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives are present based on automated tooling or system administrative usage. Filter as needed. -action.escu.creation_date = 2022-07-31 -action.escu.modification_date = 2022-07-31 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux AWK Privilege Escalation - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Living Off The Land", "Linux Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 30}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 30}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 30}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux AWK Privilege Escalation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "4510cae0-96a2-4840-9919-91d262db210a", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*sudo*" AND Processes.process="*awk*" AND Processes.process="*BEGIN*system*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_awk_privilege_escalation_filter` - -[ESCU - Linux Busybox Privilege Escalation - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = BusyBox combines tiny versions of many common UNIX utilities into a single small executable. It provides minimalist replacements for most of the utilities you usually find in GNU coreutils, util-linux, etc. If sudo right is given to BusyBox application for the user, then the user can run system commands as root and possibly get a root shell. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = BusyBox combines tiny versions of many common UNIX utilities into a single small executable. It provides minimalist replacements for most of the utilities you usually find in GNU coreutils, util-linux, etc. If sudo right is given to BusyBox application for the user, then the user can run system commands as root and possibly get a root shell. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives may be present, filter as needed. -action.escu.creation_date = 2022-08-11 -action.escu.modification_date = 2022-08-11 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Busybox Privilege Escalation - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Living Off The Land", "Linux Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 10}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 10}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 10}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Busybox Privilege Escalation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "387c4e78-f4a4-413d-ad44-e9f7bc4642c9", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*busybox*" AND Processes.process="*sh*" AND Processes.process="*sudo*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_busybox_privilege_escalation_filter` - -[ESCU - Linux c89 Privilege Escalation - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The c89 and cc commands compile, assemble, and link-edit C programs; the cxx or c++ command does the same for C++ programs. The c89 command should be used when compiling C programs that are written according to Standard C. If sudo right is given to c89 application for the user, then the user can run system commands as root and possibly get a root shell. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The c89 and cc commands compile, assemble, and link-edit C programs; the cxx or c++ command does the same for C++ programs. The c89 command should be used when compiling C programs that are written according to Standard C. If sudo right is given to c89 application for the user, then the user can run system commands as root and possibly get a root shell. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives may be present, filter as needed. -action.escu.creation_date = 2022-08-11 -action.escu.modification_date = 2022-08-11 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux c89 Privilege Escalation - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Living Off The Land", "Linux Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 30}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 30}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 30}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux c89 Privilege Escalation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "54c95f4d-3e5d-44be-9521-ea19ba62f7a8", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*c89*" AND Processes.process="*-wrapper*" AND Processes.process="*sudo*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_c89_privilege_escalation_filter` - -[ESCU - Linux c99 Privilege Escalation - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The c99 utility is an interface to the standard C compilation system; it shall accept source code conforming to the ISO C standard. The system conceptually consists of a compiler and link editor. If sudo right is given to ruby application for the user, then the user can run system commands as root and possibly get a root shell. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The c99 utility is an interface to the standard C compilation system; it shall accept source code conforming to the ISO C standard. The system conceptually consists of a compiler and link editor. If sudo right is given to ruby application for the user, then the user can run system commands as root and possibly get a root shell. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives may be present, filter as needed. -action.escu.creation_date = 2022-08-11 -action.escu.modification_date = 2022-08-11 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux c99 Privilege Escalation - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Living Off The Land", "Linux Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 30}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 30}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 30}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux c99 Privilege Escalation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e1c6dec5-2249-442d-a1f9-99a4bd228183", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*c99*" AND Processes.process="*-wrapper*" AND Processes.process="*sudo*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_c99_privilege_escalation_filter` - -[ESCU - Linux Change File Owner To Root - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic looks for a commandline that change the file owner to root using chown utility tool. This technique is commonly abuse by adversaries, malware author and red teamers to escalate privilege to the targeted or compromised host by changing the owner of their malicious file to root. This event is not so common in corporate network except from the administrator doing normal task that needs high privilege. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222.002", "T1222"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for a commandline that change the file owner to root using chown utility tool. This technique is commonly abuse by adversaries, malware author and red teamers to escalate privilege to the targeted or compromised host by changing the owner of their malicious file to root. This event is not so common in corporate network except from the administrator doing normal task that needs high privilege. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives. -action.escu.creation_date = 2021-12-21 -action.escu.modification_date = 2021-12-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Change File Owner To Root - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = A commandline $process$ that may change ownership to root on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Change File Owner To Root - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222.002", "T1222"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c1400ea2-6257-11ec-ad49-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = chown OR Processes.process = "*chown *") AND Processes.process = "* root *" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_change_file_owner_to_root_filter` - -[ESCU - Linux Clipboard Data Copy - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the use of the Linux 'xclip' command to copy data from the clipboard. It leverages Endpoint Detection and Response (EDR) telemetry, focusing on process names and command-line arguments related to clipboard operations. This activity is significant because adversaries can exploit clipboard data to capture sensitive information such as passwords or IP addresses. If confirmed malicious, this technique could lead to unauthorized data exfiltration, compromising sensitive information and potentially aiding further attacks within the environment. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1115"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the use of the Linux 'xclip' command to copy data from the clipboard. It leverages Endpoint Detection and Response (EDR) telemetry, focusing on process names and command-line arguments related to clipboard operations. This activity is significant because adversaries can exploit clipboard data to capture sensitive information such as passwords or IP addresses. If confirmed malicious, this technique could lead to unauthorized data exfiltration, compromising sensitive information and potentially aiding further attacks within the environment. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives may be present on Linux desktop as it may commonly be used by administrators or end users. Filter as needed. -action.escu.creation_date = 2024-05-17 -action.escu.modification_date = 2024-05-17 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Clipboard Data Copy - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Living Off The Land"] -action.risk = 1 -action.risk.param._risk_message = An instance of $process_name$ was identified on endpoint $dest$ by user $user$ adding or removing content from the clipboard. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 16}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 16}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 16}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Clipboard Data Copy - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 40, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1115"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "7173b2ad-6146-418f-85ae-c3479e4515fc", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=xclip Processes.process IN ("*-o *", "*-sel *", "*-selection *", "*clip *","*clipboard*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_clipboard_data_copy_filter` - -[ESCU - Linux Common Process For Elevation Control - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is to look for possible elevation control access using a common known process in linux platform to change the attribute and file ownership. This technique is commonly abused by adversaries, malware author and red teamers to gain persistence or privilege escalation on the target or compromised host. This common process is used to modify file attribute, file ownership or SUID. This tools can be used in legitimate purposes so filter is needed. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.001", "T1548"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is to look for possible elevation control access using a common known process in linux platform to change the attribute and file ownership. This technique is commonly abused by adversaries, malware author and red teamers to gain persistence or privilege escalation on the target or compromised host. This common process is used to modify file attribute, file ownership or SUID. This tools can be used in legitimate purposes so filter is needed. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives. -action.escu.creation_date = 2021-12-23 -action.escu.modification_date = 2021-12-23 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Common Process For Elevation Control - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Common Process For Elevation Control - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.001", "T1548"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "66ab15c0-63d0-11ec-9e70-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("chmod", "chown", "fchmod", "fchmodat", "fchown", "fchownat", "fremovexattr", "fsetxattr", "lchown", "lremovexattr", "lsetxattr", "removexattr", "setuid", "setgid", "setreuid", "setregid", "chattr") OR Processes.process IN ("*chmod *", "*chown *", "*fchmod *", "*fchmodat *", "*fchown *", "*fchownat *", "*fremovexattr *", "*fsetxattr *", "*lchown *", "*lremovexattr *", "*lsetxattr *", "*removexattr *", "*setuid *", "*setgid *", "*setreuid *", "*setregid *", "*setcap *", "*chattr *") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_common_process_for_elevation_control_filter` - -[ESCU - Linux Composer Privilege Escalation - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = Composer is a tool for dependency management in PHP. It allows you to declare the libraries your project depends on and it will manage (install/update) them for you. If sudo right is given to tool for the user, then the user can run system commands as root and possibly get a root shell. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = Composer is a tool for dependency management in PHP. It allows you to declare the libraries your project depends on and it will manage (install/update) them for you. If sudo right is given to tool for the user, then the user can run system commands as root and possibly get a root shell. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives may be present, filter as needed. -action.escu.creation_date = 2022-08-11 -action.escu.modification_date = 2022-08-11 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Composer Privilege Escalation - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Living Off The Land", "Linux Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 10}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 10}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 10}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Composer Privilege Escalation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a3bddf71-6ba3-42ab-a6b2-396929b16d92", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*composer*" AND Processes.process="*run-script*" AND Processes.process="*sudo*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_composer_privilege_escalation_filter` - -[ESCU - Linux Cpulimit Privilege Escalation - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = cpulimit is a simple program which attempts to limit the cpu usage of a process (expressed in percentage, not in cpu time). This is useful to control batch jobs, when you don't want them to eat too much cpu. If sudo right is given to the program for the user, then the user can run system commands as root and possibly get a root shell. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = cpulimit is a simple program which attempts to limit the cpu usage of a process (expressed in percentage, not in cpu time). This is useful to control batch jobs, when you don't want them to eat too much cpu. If sudo right is given to the program for the user, then the user can run system commands as root and possibly get a root shell. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives may be present, filter as needed. -action.escu.creation_date = 2022-08-11 -action.escu.modification_date = 2022-08-11 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Cpulimit Privilege Escalation - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Living Off The Land", "Linux Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 20}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 20}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 20}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Cpulimit Privilege Escalation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "d4e40b7e-aad3-4a7d-aac8-550ea5222be5", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*cpulimit*" AND Processes.process="*-l*" AND Processes.process="*-f*" AND Processes.process="*sudo*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_cpulimit_privilege_escalation_filter` - -[ESCU - Linux Csvtool Privilege Escalation - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = csvtool is an easy to use command-line tool to work with .CSV files. If sudo right is given to the tool for the user, then the user can run system commands as root and possibly get a root shell. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = csvtool is an easy to use command-line tool to work with .CSV files. If sudo right is given to the tool for the user, then the user can run system commands as root and possibly get a root shell. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives may be present, filter as needed. -action.escu.creation_date = 2022-08-11 -action.escu.modification_date = 2022-08-11 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Csvtool Privilege Escalation - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Living Off The Land", "Linux Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 10}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 10}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 10}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Csvtool Privilege Escalation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "f8384f9e-1a5c-4c3a-96d6-8a7e5a38a8b8", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*csvtool*" AND Processes.process="*call*" AND Processes.process="*sudo*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_csvtool_privilege_escalation_filter` - -[ESCU - Linux Curl Upload File - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies curl being utilized with the -F or --form, --upload-file, -T, -d, --data, --data-raw, -I and --head switches to upload AWS credentials or config to a remote destination. This enables uploading of binary files and so forth. To force the 'content' part to be a file, prefix the file name with an @ sign. To just get the content part from a file, prefix the file name with the symbol <. The difference between @ and < is then that @ makes a file get attached in the post as a file upload, while the < makes a text field and just get the contents for that text field from a file. This technique was utlized by the TeamTNT group to exfiltrate AWS credentials. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies curl being utilized with the -F or --form, --upload-file, -T, -d, --data, --data-raw, -I and --head switches to upload AWS credentials or config to a remote destination. This enables uploading of binary files and so forth. To force the 'content' part to be a file, prefix the file name with an @ sign. To just get the content part from a file, prefix the file name with the symbol <. The difference between @ and < is then that @ makes a file get attached in the post as a file upload, while the < makes a text field and just get the contents for that text field from a file. This technique was utlized by the TeamTNT group to exfiltrate AWS credentials. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Filtering may be required. In addition to AWS credentials, add other important files and monitor. The inverse would be to look for _all_ -F behavior and tune from there. -action.escu.creation_date = 2022-07-29 -action.escu.modification_date = 2022-07-29 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Curl Upload File - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Data Exfiltration", "Ingress Tool Transfer", "Linux Living Off The Land"] -action.risk = 1 -action.risk.param._risk_message = An instance of $process_name$ was identified on endpoint $dest$ by user $user$ attempting to upload important files to a remote destination. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Curl Upload File - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Exfiltration", "Ingress Tool Transfer", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c1de2d9a-0c02-4bb4-a49a-510c6e9cf2bf", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies curl being utilized with the -F or --form, --upload-file, -T, -d, --data, --data-raw, -I and --head switches to upload AWS credentials or config to a remote destination. This enables uploading of binary files and so forth. To force the 'content' part to be a file, prefix the file name with an @ sign. To just get the content part from a file, prefix the file name with the symbol <. The difference between @ and < is then that @ makes a file get attached in the post as a file upload, while the < makes a text field and just get the contents for that text field from a file. This technique was utlized by the TeamTNT group to exfiltrate AWS credentials. -action.notable.param.rule_title = Linux Curl Upload File -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=curl Processes.process IN ("*-F *", "*--form *","*--upload-file *","*-T *","*-d *","*--data *","*--data-raw *", "*-I *", "*--head *") AND Processes.process IN ("*.aws/credentials*". "*.aws/config*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_curl_upload_file_filter` - -[ESCU - Linux Data Destruction Command - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a unix shell command that can wipe root folders of a linux host. This commandline is being abused by Awfulshred malware that wipes or corrupts files in a targeted Linux host. The shell command uses the rm command with force recursive deletion even in the root folder. This TTP can be a good indicator that a user or a process wants to wipe roots directory files in Linux host. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a unix shell command that can wipe root folders of a linux host. This commandline is being abused by Awfulshred malware that wipes or corrupts files in a targeted Linux host. The shell command uses the rm command with force recursive deletion even in the root folder. This TTP can be a good indicator that a user or a process wants to wipe roots directory files in Linux host. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-04-14 -action.escu.modification_date = 2023-04-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Data Destruction Command - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["AwfulShred", "Data Destruction"] -action.risk = 1 -action.risk.param._risk_message = a $process_name$ execute rm command with --no-preserve-root parmeter that can wipe root files in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 90}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 90}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Data Destruction Command - Rule -action.correlationsearch.annotations = {"analytic_story": ["AwfulShred", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "b11d3979-b2f7-411b-bb1a-bd00e642173b", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a unix shell command that can wipe root folders of a linux host. This commandline is being abused by Awfulshred malware that wipes or corrupts files in a targeted Linux host. The shell command uses the rm command with force recursive deletion even in the root folder. This TTP can be a good indicator that a user or a process wants to wipe roots directory files in Linux host. -action.notable.param.rule_title = Linux Data Destruction Command -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "rm" AND Processes.process IN ("* -rf*", "* -fr*") AND Processes.process = "* --no-preserve-root" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_data_destruction_command_filter` - -[ESCU - Linux DD File Overwrite - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is to look for dd command to overwrite file. This technique was abused by adversaries or threat actor to destroy files or data on specific system or in a large number of host within network to interrupt host avilability, services and many more. This is also used to destroy data where it make the file irrecoverable by forensic techniques through overwriting files, data or local and remote drives. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is to look for dd command to overwrite file. This technique was abused by adversaries or threat actor to destroy files or data on specific system or in a large number of host within network to interrupt host avilability, services and many more. This is also used to destroy data where it make the file irrecoverable by forensic techniques through overwriting files, data or local and remote drives. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives. -action.escu.creation_date = 2023-04-14 -action.escu.modification_date = 2023-04-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux DD File Overwrite - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Data Destruction", "Industroyer2"] -action.risk = 1 -action.risk.param._risk_message = A commandline $process$ executed on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux DD File Overwrite - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Industroyer2"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "9b6aae5e-8d85-11ec-b2ae-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic is to look for dd command to overwrite file. This technique was abused by adversaries or threat actor to destroy files or data on specific system or in a large number of host within network to interrupt host avilability, services and many more. This is also used to destroy data where it make the file irrecoverable by forensic techniques through overwriting files, data or local and remote drives. -action.notable.param.rule_title = Linux DD File Overwrite -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "dd" AND Processes.process = "*of=*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_dd_file_overwrite_filter` - -[ESCU - Linux Decode Base64 to Shell - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the behavior of decoding base64-encoded data and passing it to a Linux shell. Additionally, it mitigates the potential damage and protects the organization's systems and data.The detection is made by searching for specific commands in the Splunk query, namely "base64 -d" and "base64 --decode", within the Endpoint.Processes data model. The analytic also includes a filter for Linux shells. The detection is important because it indicates the presence of malicious activity since Base64 encoding is commonly used to obfuscate malicious commands or payloads, and decoding it can be a step in running those commands. It suggests that an attacker is attempting to run malicious commands on a Linux system to gain unauthorized access, for data exfiltration, or perform other malicious actions. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1027", "T1059.004"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the behavior of decoding base64-encoded data and passing it to a Linux shell. Additionally, it mitigates the potential damage and protects the organization's systems and data.The detection is made by searching for specific commands in the Splunk query, namely "base64 -d" and "base64 --decode", within the Endpoint.Processes data model. The analytic also includes a filter for Linux shells. The detection is important because it indicates the presence of malicious activity since Base64 encoding is commonly used to obfuscate malicious commands or payloads, and decoding it can be a step in running those commands. It suggests that an attacker is attempting to run malicious commands on a Linux system to gain unauthorized access, for data exfiltration, or perform other malicious actions. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives may be present based on legitimate software being utilized. Filter as needed. -action.escu.creation_date = 2022-07-27 -action.escu.modification_date = 2022-07-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Decode Base64 to Shell - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Living Off The Land"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ decoding base64 and passing it to a shell. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 25}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Decode Base64 to Shell - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1027", "T1059.004"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "637b603e-1799-40fd-bf87-47ecbd551b66", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the behavior of decoding base64-encoded data and passing it to a Linux shell. Additionally, it mitigates the potential damage and protects the organization's systems and data.The detection is made by searching for specific commands in the Splunk query, namely "base64 -d" and "base64 --decode", within the Endpoint.Processes data model. The analytic also includes a filter for Linux shells. The detection is important because it indicates the presence of malicious activity since Base64 encoding is commonly used to obfuscate malicious commands or payloads, and decoding it can be a step in running those commands. It suggests that an attacker is attempting to run malicious commands on a Linux system to gain unauthorized access, for data exfiltration, or perform other malicious actions. -action.notable.param.rule_title = Linux Decode Base64 to Shell -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN ("*base64 -d*","*base64 --decode*") AND Processes.process="*|*" `linux_shells` by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_decode_base64_to_shell_filter` - -[ESCU - Linux Deleting Critical Directory Using RM Command - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a suspicious deletion of a critical folder in Linux machine using rm command. This technique was seen in industroyer2 campaign to wipe or destroy energy facilities of a targeted sector. Deletion in these list of folder is not so common since it need some elevated privileges to access some of it. We recommend to look further events specially in file access or file deletion, process commandline that may related to this technique. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a suspicious deletion of a critical folder in Linux machine using rm command. This technique was seen in industroyer2 campaign to wipe or destroy energy facilities of a targeted sector. Deletion in these list of folder is not so common since it need some elevated privileges to access some of it. We recommend to look further events specially in file access or file deletion, process commandline that may related to this technique. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. -action.escu.creation_date = 2023-04-14 -action.escu.modification_date = 2023-04-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Deleting Critical Directory Using RM Command - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["AwfulShred", "Data Destruction", "Industroyer2"] -action.risk = 1 -action.risk.param._risk_message = A deletion in known critical list of folder using rm command $process$ executed on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Deleting Critical Directory Using RM Command - Rule -action.correlationsearch.annotations = {"analytic_story": ["AwfulShred", "Data Destruction", "Industroyer2"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "33f89303-cc6f-49ad-921d-2eaea38a6f7a", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a suspicious deletion of a critical folder in Linux machine using rm command. This technique was seen in industroyer2 campaign to wipe or destroy energy facilities of a targeted sector. Deletion in these list of folder is not so common since it need some elevated privileges to access some of it. We recommend to look further events specially in file access or file deletion, process commandline that may related to this technique. -action.notable.param.rule_title = Linux Deleting Critical Directory Using RM Command -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name =rm AND Processes.process= "* -rf *" AND Processes.process IN ("*/boot/*", "*/var/log/*", "*/etc/*", "*/dev/*") by Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_deleting_critical_directory_using_rm_command_filter` - -[ESCU - Linux Deletion Of Cron Jobs - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is to detect a deletion of cron job in a linux machine. This technique can be related to an attacker, threat actor or malware to disable scheduled cron jobs that might be related to security or to evade some detections. We also saw that this technique can be a good indicator for malware that is trying to wipe or delete several files on the compromised host like the acidrain malware. This anomaly detection can be a good pivot detection to look for process and user doing it why they doing. Take note that this event can be done by administrator so filtering on those possible false positive event is needed. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is to detect a deletion of cron job in a linux machine. This technique can be related to an attacker, threat actor or malware to disable scheduled cron jobs that might be related to security or to evade some detections. We also saw that this technique can be a good indicator for malware that is trying to wipe or delete several files on the compromised host like the acidrain malware. This anomaly detection can be a good pivot detection to look for process and user doing it why they doing. Take note that this event can be done by administrator so filtering on those possible false positive event is needed. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. -action.escu.known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives. -action.escu.creation_date = 2023-04-27 -action.escu.modification_date = 2023-04-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Deletion Of Cron Jobs - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["AcidRain", "Data Destruction"] -action.risk = 1 -action.risk.param._risk_message = Linux cron jobs are deleted on host $dest$ by process GUID- $process_guid$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"threat_object_field": "file_name", "threat_object_type": "file_name"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Deletion Of Cron Jobs - Rule -action.correlationsearch.annotations = {"analytic_story": ["AcidRain", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "3b132a71-9335-4f33-9932-00bb4f6ac7e8", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path="/etc/cron.*" by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_deletion_of_cron_jobs_filter` - -[ESCU - Linux Deletion Of Init Daemon Script - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is to detect a deletion of init daemon script in a linux machine. daemon script that place in /etc/init.d/ is a directory that can start and stop some daemon services in linux machines. attacker may delete or modify daemon script to impair some security features or act as defense evasion in a compromised linux machine. This TTP can be also a good indicator of a malware trying to wipe or delete several files in compromised host as part of its destructive payload like what acidrain malware does in linux or router machines. This detection can be a good pivot to check what process and user tries to delete this type of files which is not so common and need further investigation. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is to detect a deletion of init daemon script in a linux machine. daemon script that place in /etc/init.d/ is a directory that can start and stop some daemon services in linux machines. attacker may delete or modify daemon script to impair some security features or act as defense evasion in a compromised linux machine. This TTP can be also a good indicator of a malware trying to wipe or delete several files in compromised host as part of its destructive payload like what acidrain malware does in linux or router machines. This detection can be a good pivot to check what process and user tries to delete this type of files which is not so common and need further investigation. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. -action.escu.known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives. -action.escu.creation_date = 2023-04-27 -action.escu.modification_date = 2023-04-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Deletion Of Init Daemon Script - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["AcidRain", "Data Destruction"] -action.risk = 1 -action.risk.param._risk_message = Init daemon script deleted on host $dest$ by process GUID- $process_guid$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"threat_object_field": "file_name", "threat_object_type": "file_name"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Deletion Of Init Daemon Script - Rule -action.correlationsearch.annotations = {"analytic_story": ["AcidRain", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "729aab57-d26f-4156-b97f-ab8dda8f44b1", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic is to detect a deletion of init daemon script in a linux machine. daemon script that place in /etc/init.d/ is a directory that can start and stop some daemon services in linux machines. attacker may delete or modify daemon script to impair some security features or act as defense evasion in a compromised linux machine. This TTP can be also a good indicator of a malware trying to wipe or delete several files in compromised host as part of its destructive payload like what acidrain malware does in linux or router machines. This detection can be a good pivot to check what process and user tries to delete this type of files which is not so common and need further investigation. -action.notable.param.rule_title = Linux Deletion Of Init Daemon Script -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path IN ( "/etc/init.d/*") by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_deletion_of_init_daemon_script_filter` - -[ESCU - Linux Deletion Of Services - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is to detect a deletion of services in a linux machine. attacker may delete or modify services to impair some security features or act as defense evasion in a compromised linux machine. This TTP can be also a good indicator of a malware trying to wipe or delete several files in a compromised host as part of its destructive payload like what acidrain malware does in linux or router machines. This detection can be a good pivot to check what process and user tries to delete this type of files which is not so common and need further investigation. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is to detect a deletion of services in a linux machine. attacker may delete or modify services to impair some security features or act as defense evasion in a compromised linux machine. This TTP can be also a good indicator of a malware trying to wipe or delete several files in a compromised host as part of its destructive payload like what acidrain malware does in linux or router machines. This detection can be a good pivot to check what process and user tries to delete this type of files which is not so common and need further investigation. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. -action.escu.known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives. -action.escu.creation_date = 2023-04-27 -action.escu.modification_date = 2023-04-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Deletion Of Services - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["AcidRain", "AwfulShred", "Data Destruction"] -action.risk = 1 -action.risk.param._risk_message = A services file $file_name$ deteted on host $dest$ by process GUID - $process_guid$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}, {"threat_object_field": "file_name", "threat_object_type": "file_name"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Deletion Of Services - Rule -action.correlationsearch.annotations = {"analytic_story": ["AcidRain", "AwfulShred", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "b509bbd3-0331-4aaa-8e4a-d2affe100af6", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic is to detect a deletion of services in a linux machine. attacker may delete or modify services to impair some security features or act as defense evasion in a compromised linux machine. This TTP can be also a good indicator of a malware trying to wipe or delete several files in a compromised host as part of its destructive payload like what acidrain malware does in linux or router machines. This detection can be a good pivot to check what process and user tries to delete this type of files which is not so common and need further investigation. -action.notable.param.rule_title = Linux Deletion Of Services -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path IN ( "/etc/systemd/*", "*/lib/systemd/*", "*/run/systemd/*") Filesystem.file_path = "*.service" by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_deletion_of_services_filter` - -[ESCU - Linux Deletion of SSL Certificate - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is to detect a deletion of ssl certificate in a linux machine. attacker may delete or modify ssl certificate to impair some security features or act as defense evasion in compromised linux machine. This Anomaly can be also a good indicator of a malware trying to wipe or delete several files in a compromised host as part of its destructive payload like what acidrain malware does in linux or router machines. This detection can be a good pivot to check what process and user tries to delete this type of files which is not so common and need further investigation. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is to detect a deletion of ssl certificate in a linux machine. attacker may delete or modify ssl certificate to impair some security features or act as defense evasion in compromised linux machine. This Anomaly can be also a good indicator of a malware trying to wipe or delete several files in a compromised host as part of its destructive payload like what acidrain malware does in linux or router machines. This detection can be a good pivot to check what process and user tries to delete this type of files which is not so common and need further investigation. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. -action.escu.known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives. -action.escu.creation_date = 2023-04-27 -action.escu.modification_date = 2023-04-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Deletion of SSL Certificate - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["AcidRain"] -action.risk = 1 -action.risk.param._risk_message = SSL certificate deleted on host $dest$ by process GUID- $process_guid$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"threat_object_field": "file_name", "threat_object_type": "file_name"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Deletion of SSL Certificate - Rule -action.correlationsearch.annotations = {"analytic_story": ["AcidRain"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "839ab790-a60a-4f81-bfb3-02567063f615", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path = "/etc/ssl/certs/*" Filesystem.file_path IN ("*.pem", "*.crt") by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_deletion_of_ssl_certificate_filter` - -[ESCU - Linux Disable Services - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic is to detect events that attempts to disable a service. This is typically identified in parallel with other instances of service enumeration of attempts to stop a service and then delete it. Adversaries utilize this technique like industroyer2 malware to terminate security services or other related services to continue there objective as a destructive payload. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic is to detect events that attempts to disable a service. This is typically identified in parallel with other instances of service enumeration of attempts to stop a service and then delete it. Adversaries utilize this technique like industroyer2 malware to terminate security services or other related services to continue there objective as a destructive payload. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. -action.escu.creation_date = 2023-04-14 -action.escu.modification_date = 2023-04-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Disable Services - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["AwfulShred", "Data Destruction", "Industroyer2"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified attempting to disable services on endpoint $dest$ by $user$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Disable Services - Rule -action.correlationsearch.annotations = {"analytic_story": ["AwfulShred", "Data Destruction", "Industroyer2"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "f2e08a38-6689-4df4-ad8c-b51c16262316", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic is to detect events that attempts to disable a service. This is typically identified in parallel with other instances of service enumeration of attempts to stop a service and then delete it. Adversaries utilize this technique like industroyer2 malware to terminate security services or other related services to continue there objective as a destructive payload. -action.notable.param.rule_title = Linux Disable Services -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("systemctl", "service", "svcadm") Processes.process = "* disable*" by Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_disable_services_filter` - -[ESCU - Linux Doas Conf File Creation - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is to detect the creation of doas.conf file in linux host platform. This configuration file can be use by doas utility tool to allow or permit standard users to perform tasks as root, the same way sudo does. This tool is developed as a minimalistic alternative to sudo application. This tool can be abused advesaries, attacker or malware to gain elevated privileges to the targeted or compromised host. On the other hand this can also be executed by administrator for a certain task that needs admin rights. In this case filter is needed. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is to detect the creation of doas.conf file in linux host platform. This configuration file can be use by doas utility tool to allow or permit standard users to perform tasks as root, the same way sudo does. This tool is developed as a minimalistic alternative to sudo application. This tool can be abused advesaries, attacker or malware to gain elevated privileges to the targeted or compromised host. On the other hand this can also be executed by administrator for a certain task that needs admin rights. In this case filter is needed. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. -action.escu.known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives. -action.escu.creation_date = 2022-01-05 -action.escu.modification_date = 2022-01-05 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Doas Conf File Creation - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Persistence Techniques", "Linux Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = A file $file_name$ is created in $file_path$ on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Doas Conf File Creation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "f6343e86-6e09-11ec-9376-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*/etc/doas.conf") by Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_doas_conf_file_creation_filter` - -[ESCU - Linux Doas Tool Execution - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is to detect the doas tool execution in linux host platform. This utility tool allow standard users to perform tasks as root, the same way sudo does. This tool is developed as a minimalistic alternative to sudo application. This tool can be abused advesaries, attacker or malware to gain elevated privileges to the targeted or compromised host. On the other hand this can also be executed by administrator for a certain task that needs admin rights. In this case filter is needed. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is to detect the doas tool execution in linux host platform. This utility tool allow standard users to perform tasks as root, the same way sudo does. This tool is developed as a minimalistic alternative to sudo application. This tool can be abused advesaries, attacker or malware to gain elevated privileges to the targeted or compromised host. On the other hand this can also be executed by administrator for a certain task that needs admin rights. In this case filter is needed. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives. -action.escu.creation_date = 2022-01-05 -action.escu.modification_date = 2022-01-05 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Doas Tool Execution - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Persistence Techniques", "Linux Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = A doas $process_name$ with commandline $process$ was executed on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Doas Tool Execution - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "d5a62490-6e09-11ec-884e-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "doas" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_doas_tool_execution_filter` - -[ESCU - Linux Docker Privilege Escalation - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = Docker is an open source containerization platform. It helps programmers to bundle applications into containers, which are standardized executable parts that include the application source code along with the OS libraries and dependencies needed to run that code in any setting. The user can add mount the root directory into a container and edit the /etc/password file to add a super user. This requires the user to be privileged enough to run docker, i.e. being in the docker group or being root. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = Docker is an open source containerization platform. It helps programmers to bundle applications into containers, which are standardized executable parts that include the application source code along with the OS libraries and dependencies needed to run that code in any setting. The user can add mount the root directory into a container and edit the /etc/password file to add a super user. This requires the user to be privileged enough to run docker, i.e. being in the docker group or being root. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives are present based on automated tooling or system administrative usage. Filter as needed. -action.escu.creation_date = 2022-07-31 -action.escu.modification_date = 2022-07-31 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Docker Privilege Escalation - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Living Off The Land", "Linux Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 5}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 5}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 5}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Docker Privilege Escalation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 10, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "2e7bfb78-85f6-47b5-bc2f-15813a4ef2b3", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN("*docker*-v*/*:*","*docker*--volume*/*:*") OR Processes.process IN("*docker*exec*sh*","*docker*exec*bash*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_docker_privilege_escalation_filter` - -[ESCU - Linux Edit Cron Table Parameter - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the suspicious editing of cron jobs in Linux via the crontab command-line parameter. This tactic could be used by adversaries or malware to schedule execution of their malicious code, potentially leading to system compromise or unauthorized persistent access. It pinpoints this activity by monitoring command-line executions involving 'crontab' and the edit parameter (-e). \ -Recognizing such activity is vital for a SOC as cron job manipulations might signal unauthorized persistence attempts or scheduled malicious actions, potentially resulting in substantial harm. A true positive signifies an active threat, with implications ranging from unauthorized access to broader network compromise. \ -To implement this analytic, logs capturing process name, parent process, and command-line executions from your endpoints must be ingested. \ -Known false positives could stem from valid administrative tasks or automation processes using crontab. To reduce these, fine-tune the filter macros according to the benign activities within your environment. These adjustments ensure legitimate actions aren't mistaken for threats, allowing analysts to focus on genuine potential risks. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the suspicious editing of cron jobs in Linux via the crontab command-line parameter. This tactic could be used by adversaries or malware to schedule execution of their malicious code, potentially leading to system compromise or unauthorized persistent access. It pinpoints this activity by monitoring command-line executions involving 'crontab' and the edit parameter (-e). \ -Recognizing such activity is vital for a SOC as cron job manipulations might signal unauthorized persistence attempts or scheduled malicious actions, potentially resulting in substantial harm. A true positive signifies an active threat, with implications ranging from unauthorized access to broader network compromise. \ -To implement this analytic, logs capturing process name, parent process, and command-line executions from your endpoints must be ingested. \ -Known false positives could stem from valid administrative tasks or automation processes using crontab. To reduce these, fine-tune the filter macros according to the benign activities within your environment. These adjustments ensure legitimate actions aren't mistaken for threats, allowing analysts to focus on genuine potential risks. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. -action.escu.creation_date = 2021-12-17 -action.escu.modification_date = 2021-12-17 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Edit Cron Table Parameter - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Edit Cron Table Parameter - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "0d370304-5f26-11ec-a4bb-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = crontab Processes.process = "*crontab *" Processes.process = "* -e*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_edit_cron_table_parameter_filter` - -[ESCU - Linux Emacs Privilege Escalation - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = EMACS is a family of text editors that are characterized by their extensibility. The manual for the most widely used variant, GNU Emacs, describes it as "the extensible, customizable, self-documenting, real-time display editor". If sudo right is given to EMACS tool for the user, then the user can run special commands as root and possibly get a root shell. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = EMACS is a family of text editors that are characterized by their extensibility. The manual for the most widely used variant, GNU Emacs, describes it as "the extensible, customizable, self-documenting, real-time display editor". If sudo right is given to EMACS tool for the user, then the user can run special commands as root and possibly get a root shell. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives may be present, filter as needed. -action.escu.creation_date = 2022-08-09 -action.escu.modification_date = 2022-08-09 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Emacs Privilege Escalation - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Living Off The Land", "Linux Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 20}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 20}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 20}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Emacs Privilege Escalation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "92033cab-1871-483d-a03b-a7ce98665cfc", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*emacs*" AND Processes.process="*--eval*" AND Processes.process="*sudo*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_emacs_privilege_escalation_filter` - -[ESCU - Linux File Created In Kernel Driver Directory - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic looks for suspicious file creation in kernel/driver directory in linux platform. This directory is known folder for all linux kernel module available within the system. so creation of file in this directory is a good indicator that there is a possible rootkit installation in the host machine. This technique was abuse by adversaries, malware author and red teamers to gain high privileges to their malicious code such us in kernel level. Even this event is not so common administrator or legitimate 3rd party tool may install driver or linux kernel module as part of its installation. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1547.006", "T1547"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for suspicious file creation in kernel/driver directory in linux platform. This directory is known folder for all linux kernel module available within the system. so creation of file in this directory is a good indicator that there is a possible rootkit installation in the host machine. This technique was abuse by adversaries, malware author and red teamers to gain high privileges to their malicious code such us in kernel level. Even this event is not so common administrator or legitimate 3rd party tool may install driver or linux kernel module as part of its installation. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. -action.escu.known_false_positives = Administrator or network operator can create file in this folders for automation purposes. Please update the filter macros to remove false positives. -action.escu.creation_date = 2021-12-22 -action.escu.modification_date = 2021-12-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux File Created In Kernel Driver Directory - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Persistence Techniques", "Linux Privilege Escalation", "Linux Rootkit"] -action.risk = 1 -action.risk.param._risk_message = A file $file_name$ is created in $file_path$ on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux File Created In Kernel Driver Directory - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation", "Linux Rootkit"], "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1547.006", "T1547"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "b85bbeec-6326-11ec-9311-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*/kernel/drivers/*") by Filesystem.dest Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_file_created_in_kernel_driver_directory_filter` - -[ESCU - Linux File Creation In Init Boot Directory - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic looks for suspicious file creation on init system directories for automatic execution of script or file upon boot up. This technique is commonly abuse by adversaries, malware author and red teamer to persist on the targeted or compromised host. This behavior can be executed or use by an administrator or network operator to add script files or binary files as part of a task or automation. filter is needed. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1037.004", "T1037"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for suspicious file creation on init system directories for automatic execution of script or file upon boot up. This technique is commonly abuse by adversaries, malware author and red teamer to persist on the targeted or compromised host. This behavior can be executed or use by an administrator or network operator to add script files or binary files as part of a task or automation. filter is needed. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase -action.escu.known_false_positives = Administrator or network operator can create file in this folders for automation purposes. Please update the filter macros to remove false positives. -action.escu.creation_date = 2021-12-20 -action.escu.modification_date = 2021-12-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux File Creation In Init Boot Directory - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Persistence Techniques", "Linux Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = A file $file_name$ is created in $file_path$ on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux File Creation In Init Boot Directory - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1037.004", "T1037"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "97d9cfb2-61ad-11ec-bb2d-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*/etc/init.d/*", "*/etc/rc.d/*", "*/sbin/init.d/*", "*/etc/rc.local*") by Filesystem.dest Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_file_creation_in_init_boot_directory_filter` - -[ESCU - Linux File Creation In Profile Directory - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic looks for suspicious file creation in /etc/profile.d directory to automatically execute scripts by shell upon boot up of a linux machine. This technique is commonly abused by adversaries, malware and red teamers as a persistence mechanism to the targeted or compromised host. This Anomaly detection is a good indicator that someone wants to run a code after boot up which can be done also by the administrator or network operator for automation purposes. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1546.004", "T1546"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for suspicious file creation in /etc/profile.d directory to automatically execute scripts by shell upon boot up of a linux machine. This technique is commonly abused by adversaries, malware and red teamers as a persistence mechanism to the targeted or compromised host. This Anomaly detection is a good indicator that someone wants to run a code after boot up which can be done also by the administrator or network operator for automation purposes. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. -action.escu.known_false_positives = Administrator or network operator can create file in profile.d folders for automation purposes. Please update the filter macros to remove false positives. -action.escu.creation_date = 2021-12-20 -action.escu.modification_date = 2021-12-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux File Creation In Profile Directory - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Persistence Techniques", "Linux Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = A file $file_name$ is created in $file_path$ on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux File Creation In Profile Directory - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1546.004", "T1546"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "46ba0082-61af-11ec-9826-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*/etc/profile.d/*") by Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_file_creation_in_profile_directory_filter` - -[ESCU - Linux Find Privilege Escalation - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = Find is a command-line utility that locates files based on some user-specified criteria and either prints the pathname of each matched object or, if another action is requested, performs that action on each matched object. If sudo right is given to find utility for the user, then the user can run system commands as root and possibly get a root shell. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = Find is a command-line utility that locates files based on some user-specified criteria and either prints the pathname of each matched object or, if another action is requested, performs that action on each matched object. If sudo right is given to find utility for the user, then the user can run system commands as root and possibly get a root shell. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives are present based on automated tooling or system administrative usage. Filter as needed. -action.escu.creation_date = 2022-08-09 -action.escu.modification_date = 2022-08-09 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Find Privilege Escalation - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Living Off The Land", "Linux Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 5}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 5}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 5}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Find Privilege Escalation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 10, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "2ff4e0c2-8256-4143-9c07-1e39c7231111", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*find*" AND Processes.process="*-exec*" AND Processes.process="*sudo*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_find_privilege_escalation_filter` - -[ESCU - Linux GDB Privilege Escalation - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = GDB is the acronym for GNU Debugger. This tool helps to debug the programs written in C, C++, Ada, Fortran, etc. The console can be opened using the gdb command on terminal. If sudo right is given to GDB tool for the user, then the user can run system commands as root and possibly get a root shell. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = GDB is the acronym for GNU Debugger. This tool helps to debug the programs written in C, C++, Ada, Fortran, etc. The console can be opened using the gdb command on terminal. If sudo right is given to GDB tool for the user, then the user can run system commands as root and possibly get a root shell. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives may be present, filter as needed. -action.escu.creation_date = 2022-08-09 -action.escu.modification_date = 2022-08-09 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux GDB Privilege Escalation - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Living Off The Land", "Linux Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 10}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 10}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 10}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux GDB Privilege Escalation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "310b7da2-ab52-437f-b1bf-0bd458674308", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*gdb*" AND Processes.process="*-nx*" AND Processes.process="*-ex*!*" AND Processes.process="*sudo*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_gdb_privilege_escalation_filter` - -[ESCU - Linux Gem Privilege Escalation - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = RubyGems is a package manager for the Ruby programming language that provides a standard format for distributing Ruby programs and libraries (in a self-contained format called a "gem"), a tool designed to easily manage the installation of gems, and a server for distributing them. If sudo right is given to GEM utility for the user, then the user can run system commands as root and possibly get a root shell. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = RubyGems is a package manager for the Ruby programming language that provides a standard format for distributing Ruby programs and libraries (in a self-contained format called a "gem"), a tool designed to easily manage the installation of gems, and a server for distributing them. If sudo right is given to GEM utility for the user, then the user can run system commands as root and possibly get a root shell. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives may be present, filter as needed. -action.escu.creation_date = 2022-08-09 -action.escu.modification_date = 2022-08-09 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Gem Privilege Escalation - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Living Off The Land", "Linux Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 10}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 10}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 10}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Gem Privilege Escalation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "0115482a-5dcb-4bb0-bcca-5d095d224236", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*gem*open*-e*" AND Processes.process="*-c*" AND Processes.process="*sudo*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_gem_privilege_escalation_filter` - -[ESCU - Linux GNU Awk Privilege Escalation - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = gawk command in Linux is used for pattern scanning and processing language. The awk command requires no compiling and allows the user to use variables, numeric functions, string functions, and logical operators. It is a utility that enables programmers to write tiny and effective programs in the form of statements that define text patterns that are to be searched for, in a text document and the action that is to be taken when a match is found within a line. If sudo right is given to gawk tool for the user, then the user can run system commands as root and possibly get a root shell. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = gawk command in Linux is used for pattern scanning and processing language. The awk command requires no compiling and allows the user to use variables, numeric functions, string functions, and logical operators. It is a utility that enables programmers to write tiny and effective programs in the form of statements that define text patterns that are to be searched for, in a text document and the action that is to be taken when a match is found within a line. If sudo right is given to gawk tool for the user, then the user can run system commands as root and possibly get a root shell. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives may be present, filter as needed. -action.escu.creation_date = 2022-08-09 -action.escu.modification_date = 2022-08-09 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux GNU Awk Privilege Escalation - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Living Off The Land", "Linux Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 30}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 30}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 30}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux GNU Awk Privilege Escalation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "0dcf43b9-50d8-42a6-acd9-d1c9201fe6ae", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*gawk*" AND Processes.process="*BEGIN*{system*" AND Processes.process="*sudo*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_gnu_awk_privilege_escalation_filter` - -[ESCU - Linux Hardware Addition SwapOff - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic looks for process execution to disable the swapping of paging devices. This technique was seen in Awfulshred malware that disables the swapping of the specified devices and files. This anomaly detection can be a good indicator that a process or a user tries to disable this Linux feature in a targeted host. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1200"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for process execution to disable the swapping of paging devices. This technique was seen in Awfulshred malware that disables the swapping of the specified devices and files. This anomaly detection can be a good indicator that a process or a user tries to disable this Linux feature in a targeted host. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = administrator may disable swapping of devices in a linux host. Filter is needed. -action.escu.creation_date = 2023-04-14 -action.escu.modification_date = 2023-04-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Hardware Addition SwapOff - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["AwfulShred", "Data Destruction"] -action.risk = 1 -action.risk.param._risk_message = a $process_name$ swap off paging device in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 36}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 36}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Hardware Addition SwapOff - Rule -action.correlationsearch.annotations = {"analytic_story": ["AwfulShred", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1200"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c1eea697-99ed-44c2-9b70-d8935464c499", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "swapoff" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_hardware_addition_swapoff_filter` - -[ESCU - Linux High Frequency Of File Deletion In Boot Folder - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is to detect a high frequency of file deletion relative to process name and process id /boot/ folder. These events was seen in industroyer2 wiper malware where it tries to delete all files in a critical directory in linux directory. This detection already contains some filter that might cause false positive during our testing. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is to detect a high frequency of file deletion relative to process name and process id /boot/ folder. These events was seen in industroyer2 wiper malware where it tries to delete all files in a critical directory in linux directory. This detection already contains some filter that might cause false positive during our testing. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. -action.escu.known_false_positives = linux package installer/uninstaller may cause this event. Please update you filter macro to remove false positives. -action.escu.creation_date = 2023-04-27 -action.escu.modification_date = 2023-04-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux High Frequency Of File Deletion In Boot Folder - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Data Destruction", "Industroyer2"] -action.risk = 1 -action.risk.param._risk_message = Multiple files detection in /boot/ folder on $dest$ by process GUID - $process_guid$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux High Frequency Of File Deletion In Boot Folder - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Industroyer2"], "cis20": ["CIS 10"], "confidence": 80, "impact": 100, "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e27fbc5d-0445-4c4a-bc39-87f060d5c602", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic is to detect a high frequency of file deletion relative to process name and process id /boot/ folder. These events was seen in industroyer2 wiper malware where it tries to delete all files in a critical directory in linux directory. This detection already contains some filter that might cause false positive during our testing. -action.notable.param.rule_title = Linux High Frequency Of File Deletion In Boot Folder -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` values(Filesystem.file_name) as deletedFileNames values(Filesystem.file_path) as deletedFilePath dc(Filesystem.file_path) as numOfDelFilePath count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path = "/boot/*" by _time span=1h Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | where numOfDelFilePath >= 200 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_high_frequency_of_file_deletion_in_boot_folder_filter` - -[ESCU - Linux High Frequency Of File Deletion In Etc Folder - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is to detect a high frequency of file deletion relative to process name and process id /etc/ folder. These events was seen in acidrain wiper malware where it tries to delete all files in a non-standard directory in linux directory. This detection already contains some filter that might cause false positive during our testing. But we recommend to add more filter if needed. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is to detect a high frequency of file deletion relative to process name and process id /etc/ folder. These events was seen in acidrain wiper malware where it tries to delete all files in a non-standard directory in linux directory. This detection already contains some filter that might cause false positive during our testing. But we recommend to add more filter if needed. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. -action.escu.known_false_positives = linux package installer/uninstaller may cause this event. Please update you filter macro to remove false positives. -action.escu.creation_date = 2023-04-27 -action.escu.modification_date = 2023-04-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux High Frequency Of File Deletion In Etc Folder - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["AcidRain", "Data Destruction"] -action.risk = 1 -action.risk.param._risk_message = Multiple files delted in /etc/ folder on $dest$ by process GUID - $process_guid$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux High Frequency Of File Deletion In Etc Folder - Rule -action.correlationsearch.annotations = {"analytic_story": ["AcidRain", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "9d867448-2aff-4d07-876c-89409a752ff8", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` values(Filesystem.file_name) as deletedFileNames values(Filesystem.file_path) as deletedFilePath dc(Filesystem.file_path) as numOfDelFilePath count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path = "/etc/*" by _time span=1h Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | where numOfDelFilePath >= 200 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_high_frequency_of_file_deletion_in_etc_folder_filter` - -[ESCU - Linux Impair Defenses Process Kill - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic looks for PKILL process execution for possible termination of process. This technique is being used by several Threat actors, adversaries and red teamers to terminate processes in a targeted linux machine. This Hunting detection can be a good pivot to check a possible defense evasion technique or termination of security application in a linux host or wiper like Awfulshred that corrupt all files. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for PKILL process execution for possible termination of process. This technique is being used by several Threat actors, adversaries and red teamers to terminate processes in a targeted linux machine. This Hunting detection can be a good pivot to check a possible defense evasion technique or termination of security application in a linux host or wiper like Awfulshred that corrupt all files. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = network admin can terminate a process using this linux command. Filter is needed. -action.escu.creation_date = 2023-04-14 -action.escu.modification_date = 2023-04-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Impair Defenses Process Kill - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["AwfulShred", "Data Destruction"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Impair Defenses Process Kill - Rule -action.correlationsearch.annotations = {"analytic_story": ["AwfulShred", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "435c6b33-adf9-47fe-be87-8e29fd6654f5", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ( "pgrep", "pkill") Processes.process = "*pkill *" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_impair_defenses_process_kill_filter` - -[ESCU - Linux Indicator Removal Clear Cache - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic looks for processes that clear or free page cache in Linux system host. This technique was seen in Awfulshred malware wiper that tries to clear the cache using kernel system request drop_caches while wiping all files in the targeted host. This TTP detection can be a good indicator of user or process tries to clear page cache to delete tracks or might be a wiper like Awfulshred. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for processes that clear or free page cache in Linux system host. This technique was seen in Awfulshred malware wiper that tries to clear the cache using kernel system request drop_caches while wiping all files in the targeted host. This TTP detection can be a good indicator of user or process tries to clear page cache to delete tracks or might be a wiper like Awfulshred. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-04-14 -action.escu.modification_date = 2023-04-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Indicator Removal Clear Cache - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["AwfulShred", "Data Destruction"] -action.risk = 1 -action.risk.param._risk_message = a $process_name$ clear cache using kernel drop cache system request in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Indicator Removal Clear Cache - Rule -action.correlationsearch.annotations = {"analytic_story": ["AwfulShred", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e0940505-0b73-4719-84e6-cb94c44a5245", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic looks for processes that clear or free page cache in Linux system host. This technique was seen in Awfulshred malware wiper that tries to clear the cache using kernel system request drop_caches while wiping all files in the targeted host. This TTP detection can be a good indicator of user or process tries to clear page cache to delete tracks or might be a wiper like Awfulshred. -action.notable.param.rule_title = Linux Indicator Removal Clear Cache -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("dash", "sudo", "bash") AND Processes.process IN("* echo 3 > *", "* echo 2 > *","* echo 1 > *") AND Processes.process = "*/proc/sys/vm/drop_caches" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_indicator_removal_clear_cache_filter` - -[ESCU - Linux Indicator Removal Service File Deletion - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic looks for suspicious linux processes that delete service unit configuration files. This technique was seen in several malware to delete service configuration files to corrupt a services or security product as part of its defense evasion. This TTP detection can be a good indicator of possible malware try to kill several services or a wiper like AwfulShred shell script that wipes the targeted linux host -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070.004", "T1070"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for suspicious linux processes that delete service unit configuration files. This technique was seen in several malware to delete service configuration files to corrupt a services or security product as part of its defense evasion. This TTP detection can be a good indicator of possible malware try to kill several services or a wiper like AwfulShred shell script that wipes the targeted linux host -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = network admin can delete services unit configuration file as part of normal software installation. Filter is needed. -action.escu.creation_date = 2023-04-14 -action.escu.modification_date = 2023-04-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Indicator Removal Service File Deletion - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["AwfulShred", "Data Destruction"] -action.risk = 1 -action.risk.param._risk_message = a $process_name$ has a commandline $process$ to delete service configuration file in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 36}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 36}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Indicator Removal Service File Deletion - Rule -action.correlationsearch.annotations = {"analytic_story": ["AwfulShred", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070.004", "T1070"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "6c077f81-2a83-4537-afbc-0e62e3215d55", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "rm" AND Processes.process = "*rm *" AND Processes.process = "*.service" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_indicator_removal_service_file_deletion_filter` - -[ESCU - Linux Ingress Tool Transfer Hunting - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the use of 'curl' and 'wget' commands within a Linux environment. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, user information, and command-line executions. This activity is significant as 'curl' and 'wget' are commonly used for downloading files, which can indicate potential ingress of malicious tools. If confirmed malicious, this activity could lead to unauthorized code execution, data exfiltration, or further compromise of the system. Monitoring and tuning this detection helps identify and differentiate between normal and potentially harmful usage. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the use of 'curl' and 'wget' commands within a Linux environment. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, user information, and command-line executions. This activity is significant as 'curl' and 'wget' are commonly used for downloading files, which can indicate potential ingress of malicious tools. If confirmed malicious, this activity could lead to unauthorized code execution, data exfiltration, or further compromise of the system. Monitoring and tuning this detection helps identify and differentiate between normal and potentially harmful usage. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives will be present. This query is meant to help tune other curl and wget analytics. -action.escu.creation_date = 2024-05-10 -action.escu.modification_date = 2024-05-10 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Ingress Tool Transfer Hunting - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Ingress Tool Transfer", "Linux Living Off The Land"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Ingress Tool Transfer Hunting - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ingress Tool Transfer", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 10, "impact": 10, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "52fd468b-cb6d-48f5-b16a-92f1c9bb10cf", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=curl OR Processes.process_name=wget) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_ingress_tool_transfer_hunting_filter` - -[ESCU - Linux Ingress Tool Transfer with Curl - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies curl with the command-line switches that are commonly used to download, output, a remote script or binary. MetaSploit Framework will combine the -sO switch with | chmod +x to enable a simple one liner to download and set the execute bit to run the file immediately. During triage, review the remote domain and file being downloaded for legitimacy. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies curl with the command-line switches that are commonly used to download, output, a remote script or binary. MetaSploit Framework will combine the -sO switch with | chmod +x to enable a simple one liner to download and set the execute bit to run the file immediately. During triage, review the remote domain and file being downloaded for legitimacy. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives will be present. Tune and then change type to TTP. -action.escu.creation_date = 2022-07-29 -action.escu.modification_date = 2022-07-29 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Ingress Tool Transfer with Curl - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Ingress Tool Transfer", "Linux Living Off The Land"] -action.risk = 1 -action.risk.param._risk_message = An instance of $process_name$ was identified on endpoint $dest$ by user $user$ to download a remote file. Review activity for further details. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 12}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 12}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 12}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Ingress Tool Transfer with Curl - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ingress Tool Transfer", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 30, "impact": 40, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "8c1de57d-abc1-4b41-a727-a7a8fc5e0857", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=curl by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where match(process, "(?i)(-O|-sO|-ksO|--output)") | `linux_ingress_tool_transfer_with_curl_filter` - -[ESCU - Linux Insert Kernel Module Using Insmod Utility - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic looks for inserting of linux kernel module using insmod utility function. This event can detect a installation of rootkit or malicious kernel module to gain elevated privileges to their malicious code and bypassed detections. This Anomaly detection is a good indicator that someone installing kernel module in a linux host either admin or adversaries. filter is needed in this scenario -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1547.006", "T1547"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for inserting of linux kernel module using insmod utility function. This event can detect a installation of rootkit or malicious kernel module to gain elevated privileges to their malicious code and bypassed detections. This Anomaly detection is a good indicator that someone installing kernel module in a linux host either admin or adversaries. filter is needed in this scenario -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives. -action.escu.creation_date = 2021-12-22 -action.escu.modification_date = 2021-12-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Insert Kernel Module Using Insmod Utility - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Persistence Techniques", "Linux Privilege Escalation", "Linux Rootkit"] -action.risk = 1 -action.risk.param._risk_message = A commandline $process$ that may install kernel module on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Insert Kernel Module Using Insmod Utility - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation", "Linux Rootkit"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1547.006", "T1547"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "18b5a1a0-6326-11ec-943a-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN("kmod", "sudo") AND Processes.process = *insmod* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_insert_kernel_module_using_insmod_utility_filter` - -[ESCU - Linux Install Kernel Module Using Modprobe Utility - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic looks for possible installing a linux kernel module using modprobe utility function. This event can detect a installation of rootkit or malicious kernel module to gain elevated privileges to their malicious code and bypassed detections. This Anomaly detection is a good indicator that someone installing kernel module in a linux host either admin or adversaries. filter is needed in this scenario -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1547.006", "T1547"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for possible installing a linux kernel module using modprobe utility function. This event can detect a installation of rootkit or malicious kernel module to gain elevated privileges to their malicious code and bypassed detections. This Anomaly detection is a good indicator that someone installing kernel module in a linux host either admin or adversaries. filter is needed in this scenario -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives. -action.escu.creation_date = 2021-12-22 -action.escu.modification_date = 2021-12-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Install Kernel Module Using Modprobe Utility - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Persistence Techniques", "Linux Privilege Escalation", "Linux Rootkit"] -action.risk = 1 -action.risk.param._risk_message = A commandline $process$ that may install kernel module on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Install Kernel Module Using Modprobe Utility - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation", "Linux Rootkit"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1547.006", "T1547"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "387b278a-6326-11ec-aa2c-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN("kmod", "sudo") AND Processes.process = *modprobe* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_install_kernel_module_using_modprobe_utility_filter` - -[ESCU - Linux Iptables Firewall Modification - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic looks for suspicious commandline that modify the iptables firewall setting of a linux machine. This technique was seen in cyclopsblink malware where it modifies the firewall setting of the compromised machine to allow traffic to its tcp port that will be used to communicate with its C2 server. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.004", "T1562"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for suspicious commandline that modify the iptables firewall setting of a linux machine. This technique was seen in cyclopsblink malware where it modifies the firewall setting of the compromised machine to allow traffic to its tcp port that will be used to communicate with its C2 server. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = administrator may do this commandline for auditing and testing purposes. In this scenario filter is needed. -action.escu.creation_date = 2023-04-12 -action.escu.modification_date = 2023-04-12 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Iptables Firewall Modification - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Cyclops Blink", "Sandworm Tools"] -action.risk = 1 -action.risk.param._risk_message = A process name - $process_name$ that may modify iptables firewall on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Iptables Firewall Modification - Rule -action.correlationsearch.annotations = {"analytic_story": ["Cyclops Blink", "Sandworm Tools"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.004", "T1562"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "309d59dc-1e1b-49b2-9800-7cf18d12f7b7", "detection_version": "3"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = "*iptables *" AND Processes.process = "* --dport *" AND Processes.process = "* ACCEPT*" AND Processes.process = "*&>/dev/null*" AND Processes.process = "* tcp *" AND NOT(Processes.parent_process_path IN("/bin/*", "/lib/*", "/usr/bin/*", "/sbin/*")) by Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest _time span=10s Processes.user Processes.parent_process_name Processes.parent_process_path Processes.process_path | rex field=Processes.process "--dport (?3269|636|989|994|995|8443)" | stats values(Processes.process) as processes_exec values(port) as ports values(Processes.process_guid) as guids values(Processes.process_id) as pids dc(port) as port_count count by Processes.process_name Processes.parent_process_name Processes.parent_process_id Processes.dest Processes.user Processes.parent_process_path Processes.process_path | where port_count >=3 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_iptables_firewall_modification_filter` - -[ESCU - Linux Java Spawning Shell - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the process name of Java, Apache, or Tomcat spawning a Linux shell. This is potentially indicative of exploitation of the Java application and may be related to current event CVE-2021-44228 (Log4Shell). The shells included in the macro are "sh", "ksh", "zsh", "bash", "dash", "rbash", "fish", "csh', "tcsh', "ion", "eshell". Upon triage, review parallel processes and command-line arguments to determine legitimacy. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the process name of Java, Apache, or Tomcat spawning a Linux shell. This is potentially indicative of exploitation of the Java application and may be related to current event CVE-2021-44228 (Log4Shell). The shells included in the macro are "sh", "ksh", "zsh", "bash", "dash", "rbash", "fish", "csh', "tcsh', "ion", "eshell". Upon triage, review parallel processes and command-line arguments to determine legitimacy. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Filtering may be required on internal developer build systems or classify assets as web facing and restrict the analytic based on asset type. -action.escu.creation_date = 2023-04-14 -action.escu.modification_date = 2023-04-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Java Spawning Shell - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Data Destruction", "Hermetic Wiper", "Log4Shell CVE-2021-44228", "Spring4Shell CVE-2022-22965"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ spawning a Linux shell, potentially indicative of exploitation. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 40}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 40}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 40}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Java Spawning Shell - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Log4Shell CVE-2021-44228", "Spring4Shell CVE-2022-22965"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2021-44228"], "impact": 80, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "7b09db8a-5c20-11ec-9945-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the process name of Java, Apache, or Tomcat spawning a Linux shell. This is potentially indicative of exploitation of the Java application and may be related to current event CVE-2021-44228 (Log4Shell). The shells included in the macro are "sh", "ksh", "zsh", "bash", "dash", "rbash", "fish", "csh', "tcsh', "ion", "eshell". Upon triage, review parallel processes and command-line arguments to determine legitimacy. -action.notable.param.rule_title = Linux Java Spawning Shell -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=java OR Processes.parent_process_name=apache OR Processes.parent_process_name=tomcat `linux_shells` by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_java_spawning_shell_filter` - -[ESCU - Linux Kernel Module Enumeration - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the use of the 'kmod' process to list kernel modules on a Linux system. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. While listing kernel modules is not inherently malicious, it can be a precursor to loading unauthorized modules using 'insmod'. If confirmed malicious, this activity could allow an attacker to load kernel modules, potentially leading to privilege escalation, persistence, or other malicious actions within the system. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1082", "T1014"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the use of the 'kmod' process to list kernel modules on a Linux system. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. While listing kernel modules is not inherently malicious, it can be a precursor to loading unauthorized modules using 'insmod'. If confirmed malicious, this activity could allow an attacker to load kernel modules, potentially leading to privilege escalation, persistence, or other malicious actions within the system. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives are present based on automated tooling or system administrative usage. Filter as needed. -action.escu.creation_date = 2024-05-15 -action.escu.modification_date = 2024-05-15 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Kernel Module Enumeration - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Rootkit"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ enumeration kernel modules. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 15}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 15}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 15}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 15}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Kernel Module Enumeration - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Rootkit"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1082", "T1014"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "6df99886-0e04-4c11-8b88-325747419278", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=kmod Processes.process IN ("*lsmod*", "*list*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_kernel_module_enumeration_filter` - -[ESCU - Linux Kworker Process In Writable Process Path - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic looks for suspicious process kworker commandline in a linux machine. kworker process name or thread are common names of kernel threads in linux process. This hunting detections can lead to investigate process contains process path in writable directory in linux like /home/, /var/log and /tmp/. This technique was seen in cyclopsblink malware to blend its core and other of its child process as normal kworker on the compromised machine. This detection might be a good pivot to look for other IOC related to cyclopsblink malware or attacks. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036.004", "T1036"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for suspicious process kworker commandline in a linux machine. kworker process name or thread are common names of kernel threads in linux process. This hunting detections can lead to investigate process contains process path in writable directory in linux like /home/, /var/log and /tmp/. This technique was seen in cyclopsblink malware to blend its core and other of its child process as normal kworker on the compromised machine. This detection might be a good pivot to look for other IOC related to cyclopsblink malware or attacks. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-04-12 -action.escu.modification_date = 2023-04-12 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Kworker Process In Writable Process Path - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Cyclops Blink", "Sandworm Tools"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Kworker Process In Writable Process Path - Rule -action.correlationsearch.annotations = {"analytic_story": ["Cyclops Blink", "Sandworm Tools"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036.004", "T1036"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "1cefb270-74a5-4e27-aa0c-2b6fa7c5b4ed", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process = "*[kworker/*" Processes.parent_process_path IN ("/home/*", "/tmp/*", "/var/log/*") Processes.process="*iptables*" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_path Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_kworker_process_in_writable_process_path_filter` - -[ESCU - Linux Make Privilege Escalation - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The Linux make command is used to build and maintain groups of programs and files from the source code. In Linux, it is one of the most frequently used commands by the developers. It assists developers to install and compile many utilities from the terminal. If sudo right is given to make utility for the user, then the user can run system commands as root and possibly get a root shell. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The Linux make command is used to build and maintain groups of programs and files from the source code. In Linux, it is one of the most frequently used commands by the developers. It assists developers to install and compile many utilities from the terminal. If sudo right is given to make utility for the user, then the user can run system commands as root and possibly get a root shell. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives may be present, filter as needed. -action.escu.creation_date = 2022-08-09 -action.escu.modification_date = 2022-08-09 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Make Privilege Escalation - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Living Off The Land", "Linux Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 20}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 20}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 20}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Make Privilege Escalation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "80b22836-5091-4944-80ee-f733ac443f4f", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*make*-s*" AND Processes.process="*--eval*" AND Processes.process="*sudo*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_make_privilege_escalation_filter` - -[ESCU - Linux MySQL Privilege Escalation - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = MySQL is an open-source relational database management system. Its name is a combination of "My", the name of co-founder Michael Widenius's daughter My, and "SQL", the abbreviation for Structured Query Language. If sudo right is given to mysql utility for the user, then the user can run system commands as root and possibly get a root shell. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = MySQL is an open-source relational database management system. Its name is a combination of "My", the name of co-founder Michael Widenius's daughter My, and "SQL", the abbreviation for Structured Query Language. If sudo right is given to mysql utility for the user, then the user can run system commands as root and possibly get a root shell. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives are present based on automated tooling or system administrative usage. Filter as needed. -action.escu.creation_date = 2022-08-09 -action.escu.modification_date = 2022-08-09 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux MySQL Privilege Escalation - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Living Off The Land", "Linux Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 30}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 30}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 30}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux MySQL Privilege Escalation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c0d810f4-230c-44ea-b703-989da02ff145", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*mysql*-e*" AND Processes.process="*\!**" AND Processes.process="*sudo*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_mysql_privilege_escalation_filter` - -[ESCU - Linux Ngrok Reverse Proxy Usage - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the use of Ngrok being utilized on the Linux operating system. Unfortunately, there is no original file name for Ngrok, so it may be worth an additional hunt to identify any command-line arguments. The sign of someone using Ngrok is not malicious, however, more recently it has become an adversary tool. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1572", "T1090", "T1102"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the use of Ngrok being utilized on the Linux operating system. Unfortunately, there is no original file name for Ngrok, so it may be worth an additional hunt to identify any command-line arguments. The sign of someone using Ngrok is not malicious, however, more recently it has become an adversary tool. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives may be present if Ngrok is an authorized utility. Filter as needed. -action.escu.creation_date = 2023-01-12 -action.escu.modification_date = 2023-01-12 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Ngrok Reverse Proxy Usage - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Reverse Network Proxy"] -action.risk = 1 -action.risk.param._risk_message = A reverse proxy was identified spawning from $parent_process_name$ - $process_name$ on endpoint $dest$ by user $user$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 50}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 50}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 50}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 50}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Ngrok Reverse Proxy Usage - Rule -action.correlationsearch.annotations = {"analytic_story": ["Reverse Network Proxy"], "cis20": ["CIS 10"], "confidence": 100, "impact": 50, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1572", "T1090", "T1102"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "bc84d574-708c-467d-b78a-4c1e20171f97", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=ngrok Processes.process IN ("*start*", "*--config*","*http*","*authtoken*", "*http*", "*tcp*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_ngrok_reverse_proxy_usage_filter` - -[ESCU - Linux Node Privilege Escalation - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = Node.js is a back-end JavaScript runtime environment that is open-source, cross-platform, runs on the V8 engine, and executes JavaScript code outside of a web browser. It was created to help create scalable network applications. If the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = Node.js is a back-end JavaScript runtime environment that is open-source, cross-platform, runs on the V8 engine, and executes JavaScript code outside of a web browser. It was created to help create scalable network applications. If the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives are present based on automated tooling or system administrative usage. Filter as needed. -action.escu.creation_date = 2022-07-31 -action.escu.modification_date = 2022-07-31 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Node Privilege Escalation - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Living Off The Land", "Linux Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 40}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 40}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 40}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Node Privilege Escalation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "2e58a4ff-398f-42f4-8fd0-e01ebfe2a8ce", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*sudo*node*" AND Processes.process="*-e*" AND Processes.process="*child_process.spawn*" AND Processes.process="*stdio*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_node_privilege_escalation_filter` - -[ESCU - Linux NOPASSWD Entry In Sudoers File - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is to look for suspicious command lines that may add entry to /etc/sudoers with NOPASSWD attribute in linux platform. This technique is commonly abuse by adversaries, malware author and red teamers to gain elevated privilege to the targeted or compromised host. /etc/sudoers file controls who can run what commands users can execute on the machines and can also control whether user need a password to execute particular commands. This file is composed of aliases (basically variables) and user specifications. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is to look for suspicious command lines that may add entry to /etc/sudoers with NOPASSWD attribute in linux platform. This technique is commonly abuse by adversaries, malware author and red teamers to gain elevated privilege to the targeted or compromised host. /etc/sudoers file controls who can run what commands users can execute on the machines and can also control whether user need a password to execute particular commands. This file is composed of aliases (basically variables) and user specifications. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives. -action.escu.creation_date = 2021-12-21 -action.escu.modification_date = 2021-12-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux NOPASSWD Entry In Sudoers File - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Persistence Techniques", "Linux Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = a commandline $process$ executed on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux NOPASSWD Entry In Sudoers File - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "ab1e0d52-624a-11ec-8e0b-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = "*NOPASSWD:*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_nopasswd_entry_in_sudoers_file_filter` - -[ESCU - Linux Obfuscated Files or Information Base64 Decode - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the use of the base64 decode command on Linux systems, which is often used to deobfuscate files. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that include "base64 -d" or "base64 --decode". This activity is significant as it may indicate an attempt to hide malicious payloads or scripts. If confirmed malicious, an attacker could use this technique to execute hidden code, potentially leading to unauthorized access, data exfiltration, or further system compromise. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1027"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the use of the base64 decode command on Linux systems, which is often used to deobfuscate files. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that include "base64 -d" or "base64 --decode". This activity is significant as it may indicate an attempt to hide malicious payloads or scripts. If confirmed malicious, an attacker could use this technique to execute hidden code, potentially leading to unauthorized access, data exfiltration, or further system compromise. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives may be present and will require some tuning based on processes. Filter as needed. -action.escu.creation_date = 2024-05-15 -action.escu.modification_date = 2024-05-15 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Obfuscated Files or Information Base64 Decode - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Living Off The Land"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ decoding base64. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 15}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 15}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 15}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 15}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Obfuscated Files or Information Base64 Decode - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1027"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "303b38b2-c03f-44e2-8f41-4594606fcfc7", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN ("*base64 -d*","*base64 --decode*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_obfuscated_files_or_information_base64_decode_filter` - -[ESCU - Linux Octave Privilege Escalation - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = GNU Octave is a high-level programming language primarily intended for scientific computing and numerical computation. Octave helps in solving linear and nonlinear problems numerically, and for performing other numerical experiments using a language that is mostly compatible with MATLAB. If sudo right is given to the application for the user, then the user can run system commands as root and possibly get a root shell. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = GNU Octave is a high-level programming language primarily intended for scientific computing and numerical computation. Octave helps in solving linear and nonlinear problems numerically, and for performing other numerical experiments using a language that is mostly compatible with MATLAB. If sudo right is given to the application for the user, then the user can run system commands as root and possibly get a root shell. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives may be present, filter as needed. -action.escu.creation_date = 2022-08-11 -action.escu.modification_date = 2022-08-11 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Octave Privilege Escalation - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Living Off The Land", "Linux Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 20}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 20}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 20}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Octave Privilege Escalation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "78f7487d-42ce-4f7f-8685-2159b25fb477", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*octave-cli*" AND Processes.process="*--eval*" AND Processes.process="*system*" AND Processes.process="*sudo*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_octave_privilege_escalation_filter` - -[ESCU - Linux OpenVPN Privilege Escalation - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = OpenVPN is a virtual private network system that implements techniques to create secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It implements both client and server applications. If sudo right is given to the OpenVPN application for the user, then the user can run system commands as root and possibly get a root shell. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = OpenVPN is a virtual private network system that implements techniques to create secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It implements both client and server applications. If sudo right is given to the OpenVPN application for the user, then the user can run system commands as root and possibly get a root shell. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives may be present, filter as needed. -action.escu.creation_date = 2022-08-11 -action.escu.modification_date = 2022-08-11 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux OpenVPN Privilege Escalation - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Living Off The Land", "Linux Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 30}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 30}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 30}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux OpenVPN Privilege Escalation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "d25feebe-fa1c-4754-8a1e-afb03bedc0f2", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*openvpn*" AND Processes.process="*--dev*" AND Processes.process="*--script-security*" AND Processes.process="*--up*" AND Processes.process="*sudo*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_openvpn_privilege_escalation_filter` - -[ESCU - Linux Persistence and Privilege Escalation Risk Behavior - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following correlation is specific to Linux persistence and privilege escalation tactics and is tied to two analytic stories and any Linux analytic tied to persistence and privilege escalation. These techniques often overlap with Persistence techniques, as OS features that let an adversary persist can execute in an elevated context. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548"], "nist": ["DE.AE"]} -action.escu.data_models = ["Risk"] -action.escu.eli5 = The following correlation is specific to Linux persistence and privilege escalation tactics and is tied to two analytic stories and any Linux analytic tied to persistence and privilege escalation. These techniques often overlap with Persistence techniques, as OS features that let an adversary persist can execute in an elevated context. -action.escu.how_to_implement = Ensure Linux anomaly and TTP analytics are enabled. TTP may be set to Notables for point detections, anomaly should not be notables but risk generators. The correlation relies on more than x amount of distict detection names generated before generating a notable. Modify the value as needed. Default value is set to 4. This value may need to be increased based on activity in your environment. -action.escu.known_false_positives = False positives will be present based on many factors. Tune the correlation as needed to reduce too many triggers. -action.escu.creation_date = 2022-08-30 -action.escu.modification_date = 2022-08-30 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Persistence and Privilege Escalation Risk Behavior - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Linux Persistence Techniques", "Linux Privilege Escalation"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - RIR - Linux Persistence and Privilege Escalation Risk Behavior - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548"], "nist": ["DE.AE"], "type": "Correlation"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "ad5ac21b-3b1e-492c-8e19-ea5d5e8e5cf1", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following correlation is specific to Linux persistence and privilege escalation tactics and is tied to two analytic stories and any Linux analytic tied to persistence and privilege escalation. These techniques often overlap with Persistence techniques, as OS features that let an adversary persist can execute in an elevated context. -action.notable.param.rule_title = RBA: Linux Persistence and Privilege Escalation Risk Behavior -action.notable.param.security_domain = audit -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where (All_Risk.analyticstories IN ("Linux Privilege Escalation", "Linux Persistence Techniques") OR source = "*Linux*") All_Risk.annotations.mitre_attack.mitre_tactic IN ("persistence", "privilege-escalation") All_Risk.risk_object_type="system" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 4 | `linux_persistence_and_privilege_escalation_risk_behavior_filter` - -[ESCU - Linux PHP Privilege Escalation - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = PHP is a general-purpose scripting language geared toward web development. It was originally created by Danish-Canadian programmer Rasmus Lerdorf in 1994. The PHP reference implementation is now produced by The PHP Group. If sudo right is given to php application for the user, then the user can run system commands as root and possibly get a root shell. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = PHP is a general-purpose scripting language geared toward web development. It was originally created by Danish-Canadian programmer Rasmus Lerdorf in 1994. The PHP reference implementation is now produced by The PHP Group. If sudo right is given to php application for the user, then the user can run system commands as root and possibly get a root shell. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives may be present, filter as needed. -action.escu.creation_date = 2022-08-09 -action.escu.modification_date = 2022-08-09 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux PHP Privilege Escalation - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Living Off The Land", "Linux Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 30}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 30}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 30}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux PHP Privilege Escalation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "4fc4c031-e5be-4cc0-8cf9-49f9f507bcb5", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*php*-r*" AND Processes.process="*system*" AND Processes.process="*sudo*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_php_privilege_escalation_filter` - -[ESCU - Linux pkexec Privilege Escalation - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies `pkexec` spawning with no command-line arguments. A vulnerability in Polkit's pkexec component identified as CVE-2021-4034 (PwnKit) which is present in the default configuration of all major Linux distributions and can be exploited to gain full root privileges on the system. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies `pkexec` spawning with no command-line arguments. A vulnerability in Polkit's pkexec component identified as CVE-2021-4034 (PwnKit) which is present in the default configuration of all major Linux distributions and can be exploited to gain full root privileges on the system. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives may be present, filter as needed. -action.escu.creation_date = 2022-01-28 -action.escu.modification_date = 2022-01-28 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux pkexec Privilege Escalation - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Living Off The Land", "Linux Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ related to a local privilege escalation in polkit pkexec. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 56}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 56}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 56}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux pkexec Privilege Escalation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 70, "cve": ["CVE-2021-4034"], "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "03e22c1c-8086-11ec-ac2e-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies `pkexec` spawning with no command-line arguments. A vulnerability in Polkit's pkexec component identified as CVE-2021-4034 (PwnKit) which is present in the default configuration of all major Linux distributions and can be exploited to gain full root privileges on the system. -action.notable.param.rule_title = Linux pkexec Privilege Escalation -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=pkexec by _time Processes.dest Processes.user Processes.process_id Processes.parent_process_name Processes.process_name Processes.process Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process="(^.{1}$)" | `linux_pkexec_privilege_escalation_filter` - -[ESCU - Linux Possible Access Or Modification Of sshd Config File - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is to look for suspicious process command-line that might be accessing or modifying sshd_config. This file is the ssh configuration file that might be modify by threat actors or adversaries to redirect port connection, allow user using authorized key generated during attack. This anomaly detection might catch noise from administrator auditing or modifying ssh configuration file. In this scenario filter is needed -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098.004", "T1098"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is to look for suspicious process command-line that might be accessing or modifying sshd_config. This file is the ssh configuration file that might be modify by threat actors or adversaries to redirect port connection, allow user using authorized key generated during attack. This anomaly detection might catch noise from administrator auditing or modifying ssh configuration file. In this scenario filter is needed -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives. -action.escu.creation_date = 2022-01-11 -action.escu.modification_date = 2022-01-11 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Possible Access Or Modification Of sshd Config File - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = a commandline $process$ executed on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Possible Access Or Modification Of sshd Config File - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098.004", "T1098"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "7a85eb24-72da-11ec-ac76-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN("cat", "nano*","vim*", "vi*") AND Processes.process IN("*/etc/ssh/sshd_config") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_access_or_modification_of_sshd_config_file_filter` - -[ESCU - Linux Possible Access To Credential Files - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is to detect a possible attempt to dump or access the content of /etc/passwd and /etc/shadow to enable offline credential cracking. "etc/passwd" store user information within linux OS while "etc/shadow" contain the user passwords hash. Adversaries and threat actors may attempt to access this to gain persistence and/or privilege escalation. This anomaly detection can be a good indicator of possible credential dumping technique but it might catch some normal administrator automation scripts or during credential auditing. In this scenario filter is needed. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.008", "T1003"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is to detect a possible attempt to dump or access the content of /etc/passwd and /etc/shadow to enable offline credential cracking. "etc/passwd" store user information within linux OS while "etc/shadow" contain the user passwords hash. Adversaries and threat actors may attempt to access this to gain persistence and/or privilege escalation. This anomaly detection can be a good indicator of possible credential dumping technique but it might catch some normal administrator automation scripts or during credential auditing. In this scenario filter is needed. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives. -action.escu.creation_date = 2022-01-10 -action.escu.modification_date = 2022-01-10 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Possible Access To Credential Files - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Persistence Techniques", "Linux Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = A commandline $process$ executed on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Possible Access To Credential Files - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.008", "T1003"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "16107e0e-71fc-11ec-b862-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN("cat", "nano*","vim*", "vi*") AND Processes.process IN("*/etc/shadow*", "*/etc/passwd*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_access_to_credential_files_filter` - -[ESCU - Linux Possible Access To Sudoers File - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is to detect a possible access or modification of /etc/sudoers file. "/etc/sudoers" file controls who can run what command as what users on what machine and can also control whether a specific user need a password for particular commands. adversaries and threat actors abuse this file to gain persistence and/or privilege escalation during attack on targeted host. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is to detect a possible access or modification of /etc/sudoers file. "/etc/sudoers" file controls who can run what command as what users on what machine and can also control whether a specific user need a password for particular commands. adversaries and threat actors abuse this file to gain persistence and/or privilege escalation during attack on targeted host. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = administrator or network operator can execute this command. Please update the filter macros to remove false positives. -action.escu.creation_date = 2022-01-10 -action.escu.modification_date = 2022-01-10 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Possible Access To Sudoers File - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Persistence Techniques", "Linux Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = A commandline $process$ executed on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Possible Access To Sudoers File - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "4479539c-71fc-11ec-b2e2-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN("cat", "nano*","vim*", "vi*") AND Processes.process IN("*/etc/sudoers*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_access_to_sudoers_file_filter` - -[ESCU - Linux Possible Append Command To At Allow Config File - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic is designed to identify suspicious command lines that may append user entries to either /etc/at.allow or /etc/at.deny. These files can be exploited by malicious actors for persistence on a compromised Linux host by altering permissions for scheduled tasks using the at command. \ -In this context, an attacker can create a user or add an existing user to these configuration files to execute their malicious code through scheduled tasks. The detection of such anomalous behavior can serve as an effective indicator warranting further investigation to validate if the activity is indeed malicious or a false positive. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.002", "T1053"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic is designed to identify suspicious command lines that may append user entries to either /etc/at.allow or /etc/at.deny. These files can be exploited by malicious actors for persistence on a compromised Linux host by altering permissions for scheduled tasks using the at command. \ -In this context, an attacker can create a user or add an existing user to these configuration files to execute their malicious code through scheduled tasks. The detection of such anomalous behavior can serve as an effective indicator warranting further investigation to validate if the activity is indeed malicious or a false positive. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives. -action.escu.creation_date = 2022-05-26 -action.escu.modification_date = 2022-05-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Possible Append Command To At Allow Config File - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"] -action.risk = 1 -action.risk.param._risk_message = A commandline $process$ that may modify at allow config file in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 9}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Possible Append Command To At Allow Config File - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.002", "T1053"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "7bc20606-5f40-11ec-a586-acde48001122", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes where Processes.process = "*echo*" AND Processes.process IN("*/etc/at.allow", "*/etc/at.deny") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_append_command_to_at_allow_config_file_filter` - -[ESCU - Linux Possible Append Command To Profile Config File - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic looks for suspicious command-lines that can be possibly used to modify user profile files to automatically execute scripts/executables by shell upon reboot of the machine. This technique is commonly abused by adversaries, malware and red teamers as persistence mechanism to the targeted or compromised host. This Anomaly detection is a good indicator that someone wants to run code after reboot which can be done also by the administrator or network operator for automation purposes. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1546.004", "T1546"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for suspicious command-lines that can be possibly used to modify user profile files to automatically execute scripts/executables by shell upon reboot of the machine. This technique is commonly abused by adversaries, malware and red teamers as persistence mechanism to the targeted or compromised host. This Anomaly detection is a good indicator that someone wants to run code after reboot which can be done also by the administrator or network operator for automation purposes. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives. -action.escu.creation_date = 2021-12-20 -action.escu.modification_date = 2021-12-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Possible Append Command To Profile Config File - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Persistence Techniques", "Linux Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = a commandline $process$ that may modify profile files in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Possible Append Command To Profile Config File - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1546.004", "T1546"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "9c94732a-61af-11ec-91e3-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = "*echo*" AND Processes.process IN("*~/.bashrc", "*~/.bash_profile", "*/etc/profile", "~/.bash_login", "*~/.profile", "~/.bash_logout") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_append_command_to_profile_config_file_filter` - -[ESCU - Linux Possible Append Cronjob Entry on Existing Cronjob File - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic is designed to detect potential tampering with cronjob files on a Linux system. It specifically searches for command lines that may be used to append code to existing cronjob files, a technique often employed by adversaries, malware, and red teamers for persistence or privilege escalation. Altering existing or sometimes normal cronjob script files allows malicious code to be executed automatically. \ -The analytic operates by monitoring logs for specific process names, parent processes, and command-line executions from your endpoints. It specifically checks for any 'echo' command which modifies files in directories commonly associated with cron jobs such as '/etc/cron*', '/var/spool/cron/', and '/etc/anacrontab'. If such activity is detected, an alert is triggered. \ -This behavior is worth identifying for a SOC because malicious cron jobs can lead to system compromises and unauthorized data access, impacting business operations and data integrity. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic is designed to detect potential tampering with cronjob files on a Linux system. It specifically searches for command lines that may be used to append code to existing cronjob files, a technique often employed by adversaries, malware, and red teamers for persistence or privilege escalation. Altering existing or sometimes normal cronjob script files allows malicious code to be executed automatically. \ -The analytic operates by monitoring logs for specific process names, parent processes, and command-line executions from your endpoints. It specifically checks for any 'echo' command which modifies files in directories commonly associated with cron jobs such as '/etc/cron*', '/var/spool/cron/', and '/etc/anacrontab'. If such activity is detected, an alert is triggered. \ -This behavior is worth identifying for a SOC because malicious cron jobs can lead to system compromises and unauthorized data access, impacting business operations and data integrity. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives may arise from legitimate actions by administrators or network operators who may use these commands for automation purposes. Therefore, it's recommended to adjust filter macros to eliminate such false positives. -action.escu.creation_date = 2021-12-17 -action.escu.modification_date = 2021-12-17 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Possible Append Cronjob Entry on Existing Cronjob File - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Possible Append Cronjob Entry on Existing Cronjob File - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "b5b91200-5f27-11ec-bb4e-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes where Processes.process = "*echo*" AND Processes.process IN("*/etc/cron*", "*/var/spool/cron/*", "*/etc/anacrontab*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_append_cronjob_entry_on_existing_cronjob_file_filter` - -[ESCU - Linux Possible Cronjob Modification With Editor - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects potential unauthorized modifications to Linux cronjobs using text editors like "nano", "vi" or "vim". It identifies this behavior by tracking command-line executions that interact with paths related to cronjob configuration, a common Linux scheduling utility. Cronjob files may be manipulated by attackers for privilege escalation or persistent access, making such changes critical to monitor.\ The identified behavior is significant for a Security Operations Center (SOC) as it could indicate an ongoing attempt at establishing persistent access or privilege escalation, leading to data breaches, system compromise, or other malicious activities. \ -In case of a true positive, the impact could be severe. An attacker with escalated privileges or persistent access could carry out damaging actions, such as data theft, sabotage, or further network penetration. \ -To implement this analytic, ensure ingestion of logs tracking process name, parent process, and command-line executions from your endpoints. Utilize the Add-on for Linux Sysmon from Splunkbase if you're using Sysmon. \ -Known false positives include legitimate administrative tasks, as these commands may also be used for benign purposes. Careful tuning and filtering based on known benign activity in your environment can minimize these instances. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects potential unauthorized modifications to Linux cronjobs using text editors like "nano", "vi" or "vim". It identifies this behavior by tracking command-line executions that interact with paths related to cronjob configuration, a common Linux scheduling utility. Cronjob files may be manipulated by attackers for privilege escalation or persistent access, making such changes critical to monitor.\ The identified behavior is significant for a Security Operations Center (SOC) as it could indicate an ongoing attempt at establishing persistent access or privilege escalation, leading to data breaches, system compromise, or other malicious activities. \ -In case of a true positive, the impact could be severe. An attacker with escalated privileges or persistent access could carry out damaging actions, such as data theft, sabotage, or further network penetration. \ -To implement this analytic, ensure ingestion of logs tracking process name, parent process, and command-line executions from your endpoints. Utilize the Add-on for Linux Sysmon from Splunkbase if you're using Sysmon. \ -Known false positives include legitimate administrative tasks, as these commands may also be used for benign purposes. Careful tuning and filtering based on known benign activity in your environment can minimize these instances. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives. -action.escu.creation_date = 2021-12-17 -action.escu.modification_date = 2021-12-17 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Possible Cronjob Modification With Editor - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Possible Cronjob Modification With Editor - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 30, "impact": 20, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "dcc89bde-5f24-11ec-87ca-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name IN("nano","vim.basic") OR Processes.process IN ("*nano *", "*vi *", "*vim *")) AND Processes.process IN("*/etc/cron*", "*/var/spool/cron/*", "*/etc/anacrontab*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_cronjob_modification_with_editor_filter` - -[ESCU - Linux Possible Ssh Key File Creation - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is to look for possible ssh key file creation on ~/.ssh/ folder. This technique is commonly abused by threat actors and adversaries to gain persistence and privilege escalation to the targeted host. by creating ssh private and public key and passing the public key to the attacker server. threat actor can access remotely the machine using openssh daemon service. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098.004", "T1098"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is to look for possible ssh key file creation on ~/.ssh/ folder. This technique is commonly abused by threat actors and adversaries to gain persistence and privilege escalation to the targeted host. by creating ssh private and public key and passing the public key to the attacker server. threat actor can access remotely the machine using openssh daemon service. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. -action.escu.known_false_positives = Administrator or network operator can create file in ~/.ssh folders for automation purposes. Please update the filter macros to remove false positives. -action.escu.creation_date = 2022-01-11 -action.escu.modification_date = 2022-01-11 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Possible Ssh Key File Creation - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = A file $file_name$ is created in $file_path$ on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 36}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Possible Ssh Key File Creation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098.004", "T1098"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c04ef40c-72da-11ec-8eac-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*/.ssh*") by Filesystem.dest Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_possible_ssh_key_file_creation_filter` - -[ESCU - Linux Preload Hijack Library Calls - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is to detect a suspicious command that may hijack a library function in linux platform. This technique is commonly abuse by adversaries, malware author and red teamers to gain privileges and persist on the machine. This detection pertains to loading a dll to hijack or hook a library function of specific program using LD_PRELOAD command. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.006", "T1574"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is to detect a suspicious command that may hijack a library function in linux platform. This technique is commonly abuse by adversaries, malware author and red teamers to gain privileges and persist on the machine. This detection pertains to loading a dll to hijack or hook a library function of specific program using LD_PRELOAD command. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives. -action.escu.creation_date = 2021-12-22 -action.escu.modification_date = 2021-12-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Preload Hijack Library Calls - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Persistence Techniques", "Linux Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = A commandline $process$ that may hijack library function on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Preload Hijack Library Calls - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.006", "T1574"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "cbe2ca30-631e-11ec-8670-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic is to detect a suspicious command that may hijack a library function in linux platform. This technique is commonly abuse by adversaries, malware author and red teamers to gain privileges and persist on the machine. This detection pertains to loading a dll to hijack or hook a library function of specific program using LD_PRELOAD command. -action.notable.param.rule_title = Linux Preload Hijack Library Calls -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = "*LD_PRELOAD*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_preload_hijack_library_calls_filter` - -[ESCU - Linux Proxy Socks Curl - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies curl being utilized with a proxy based on command-line arguments - -x, socks, --preproxy and --proxy. This behavior is built into the MetaSploit Framework as a auxiliary module. What does socks buy an adversary? SOCKS4a extends the SOCKS4 protocol to allow a client to specify a destination domain name rather than an IP address. The SOCKS5 protocol is defined in RFC 1928. It is an incompatible extension of the SOCKS4 protocol; it offers more choices for authentication and adds support for IPv6 and UDP, the latter of which can be used for DNS lookups. The protocols, and a proxy itself, allow an adversary to evade controls in place monitoring traffic, making it harder for the defender to identify and track activity. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1090", "T1095"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies curl being utilized with a proxy based on command-line arguments - -x, socks, --preproxy and --proxy. This behavior is built into the MetaSploit Framework as a auxiliary module. What does socks buy an adversary? SOCKS4a extends the SOCKS4 protocol to allow a client to specify a destination domain name rather than an IP address. The SOCKS5 protocol is defined in RFC 1928. It is an incompatible extension of the SOCKS4 protocol; it offers more choices for authentication and adds support for IPv6 and UDP, the latter of which can be used for DNS lookups. The protocols, and a proxy itself, allow an adversary to evade controls in place monitoring traffic, making it harder for the defender to identify and track activity. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives may be present based on proxy usage internally. Filter as needed. -action.escu.creation_date = 2022-07-29 -action.escu.modification_date = 2022-07-29 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Proxy Socks Curl - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Ingress Tool Transfer", "Linux Living Off The Land"] -action.risk = 1 -action.risk.param._risk_message = An instance of $process_name$ was identified on endpoint $dest$ by user $user$ utilizing a proxy. Review activity for further details. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 56}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 56}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Proxy Socks Curl - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ingress Tool Transfer", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1090", "T1095"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "bd596c22-ad1e-44fc-b242-817253ce8b08", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies curl being utilized with a proxy based on command-line arguments - -x, socks, --preproxy and --proxy. This behavior is built into the MetaSploit Framework as a auxiliary module. What does socks buy an adversary? SOCKS4a extends the SOCKS4 protocol to allow a client to specify a destination domain name rather than an IP address. The SOCKS5 protocol is defined in RFC 1928. It is an incompatible extension of the SOCKS4 protocol; it offers more choices for authentication and adds support for IPv6 and UDP, the latter of which can be used for DNS lookups. The protocols, and a proxy itself, allow an adversary to evade controls in place monitoring traffic, making it harder for the defender to identify and track activity. -action.notable.param.rule_title = Linux Proxy Socks Curl -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=curl Processes.process IN ("*-x *", "*socks4a://*", "*socks5h://*", "*socks4://*","*socks5://*", "*--preproxy *", "--proxy*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_proxy_socks_curl_filter` - -[ESCU - Linux Puppet Privilege Escalation - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = In computing, Puppet is a software configuration management tool which includes its own declarative language to describe system configuration. It is a model-driven solution that requires limited programming knowledge to use. If sudo right is given to the tool for the user, then the user can run system commands as root and possibly get a root shell. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = In computing, Puppet is a software configuration management tool which includes its own declarative language to describe system configuration. It is a model-driven solution that requires limited programming knowledge to use. If sudo right is given to the tool for the user, then the user can run system commands as root and possibly get a root shell. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives may be present, filter as needed. -action.escu.creation_date = 2022-08-11 -action.escu.modification_date = 2022-08-11 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Puppet Privilege Escalation - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Living Off The Land", "Linux Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 5}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 5}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 5}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Puppet Privilege Escalation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 10, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "1d19037f-466e-4d56-8d87-36fafd9aa3ce", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*puppet*" AND Processes.process="*apply*" AND Processes.process="*-e*" AND Processes.process="*exec*" AND Processes.process="*sudo*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_puppet_privilege_escalation_filter` - -[ESCU - Linux RPM Privilege Escalation - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = RPM Package Manager is a free and open-source package management system. The name RPM refers to the .rpm file format and the package manager program itself. RPM was intended primarily for Linux distributions; the file format is the baseline package format of the Linux Standard Base. If sudo right is given to rpm utility for the user, then the user can run system commands as root and possibly get a root shell. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = RPM Package Manager is a free and open-source package management system. The name RPM refers to the .rpm file format and the package manager program itself. RPM was intended primarily for Linux distributions; the file format is the baseline package format of the Linux Standard Base. If sudo right is given to rpm utility for the user, then the user can run system commands as root and possibly get a root shell. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives are present based on automated tooling or system administrative usage. Filter as needed. -action.escu.creation_date = 2022-08-09 -action.escu.modification_date = 2022-08-09 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux RPM Privilege Escalation - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Living Off The Land", "Linux Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 30}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 30}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 30}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux RPM Privilege Escalation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "f8e58a23-cecd-495f-9c65-6c76b4cb9774", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*rpm*--eval*" AND Processes.process="*lua:os.execute*" AND Processes.process="*sudo*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_rpm_privilege_escalation_filter` - -[ESCU - Linux Ruby Privilege Escalation - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = Ruby is one of the most used and easy to use programming languages. Ruby is an open-source, object-oriented interpreter that can be installed on a Linux system. If sudo right is given to ruby application for the user, then the user can run system commands as root and possibly get a root shell. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = Ruby is one of the most used and easy to use programming languages. Ruby is an open-source, object-oriented interpreter that can be installed on a Linux system. If sudo right is given to ruby application for the user, then the user can run system commands as root and possibly get a root shell. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives are present based on automated tooling or system administrative usage. Filter as needed. -action.escu.creation_date = 2022-08-09 -action.escu.modification_date = 2022-08-09 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Ruby Privilege Escalation - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Living Off The Land", "Linux Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 30}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 30}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 30}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Ruby Privilege Escalation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "097b28b5-7004-4d40-a715-7e390501788b", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*ruby*-e*" AND Processes.process="*exec*" AND Processes.process="*sudo*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_ruby_privilege_escalation_filter` - -[ESCU - Linux Service File Created In Systemd Directory - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic is designed to detect suspicious file creation within the systemd timer directory on Linux platforms. Systemd is a system and service manager for Linux, similar to the combination of wininit.exe and services.exe on Windows. This process initializes a Linux system and starts defined services in unit files. Malicious actors, such as adversaries, malware, or red teamers, can exploit this feature by embedding a systemd service file for persistence on the targeted or compromised host. \ -The analytic works by monitoring logs with file name, file path, and process GUID data from your endpoints. If a .service file is created in certain systemd directories, the analytic triggers an alert. This behavior is significant for a Security Operations Center (SOC) as it may indicate a persistent threat within the network, with a potential impact of system compromise or data exfiltration. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.006", "T1053"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic is designed to detect suspicious file creation within the systemd timer directory on Linux platforms. Systemd is a system and service manager for Linux, similar to the combination of wininit.exe and services.exe on Windows. This process initializes a Linux system and starts defined services in unit files. Malicious actors, such as adversaries, malware, or red teamers, can exploit this feature by embedding a systemd service file for persistence on the targeted or compromised host. \ -The analytic works by monitoring logs with file name, file path, and process GUID data from your endpoints. If a .service file is created in certain systemd directories, the analytic triggers an alert. This behavior is significant for a Security Operations Center (SOC) as it may indicate a persistent threat within the network, with a potential impact of system compromise or data exfiltration. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. -action.escu.known_false_positives = False positives may arise when administrators or network operators create files in systemd directories for legitimate automation tasks. Therefore, it's important to adjust filter macros to account for valid activities. To implement this search successfully, it's crucial to ingest appropriate logs, preferably using the Linux Sysmon Add-on from Splunkbase for those using Sysmon. -action.escu.creation_date = 2021-12-20 -action.escu.modification_date = 2021-12-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Service File Created In Systemd Directory - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"] -action.risk = 1 -action.risk.param._risk_message = A service file named as $file_path$ is created in systemd folder on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Service File Created In Systemd Directory - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.006", "T1053"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c7495048-61b6-11ec-9a37-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name = *.service Filesystem.file_path IN ("*/etc/systemd/system*", "*/lib/systemd/system*", "*/usr/lib/systemd/system*", "*/run/systemd/system*", "*~/.config/systemd/*", "*~/.local/share/systemd/*","*/etc/systemd/user*", "*/lib/systemd/user*", "*/usr/lib/systemd/user*", "*/run/systemd/user*") by Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_service_file_created_in_systemd_directory_filter` - -[ESCU - Linux Service Restarted - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the restarting or re-enabling of services in the Linux platform. It focuses on the use of the systemctl or service tools for executing these actions. Adversaries may leverage this technique to repeatedly execute malicious payloads as a form of persistence. Linux hosts typically start services during boot to perform background system functions. However, administrators may also create legitimate services for specific tools or applications as part of task automation. In such cases, it is recommended to verify the service path of the registered script or executable and identify the creator of the service for further validation. \ -It's important to be aware that this analytic may generate false positives as administrators or network operators may use the same command-line for legitimate automation purposes. Filter macros should be updated accordingly to minimize false positives. \ -Identifying restarted or re-enabled services is valuable for a SOC as it can indicate potential malicious activities attempting to maintain persistence or execute unauthorized actions on Linux systems. By detecting and investigating these events, security analysts can respond promptly to mitigate risks and prevent further compromise. The impact of a true positive can range from unauthorized access to data destruction or other damaging outcomes. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.006", "T1053"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the restarting or re-enabling of services in the Linux platform. It focuses on the use of the systemctl or service tools for executing these actions. Adversaries may leverage this technique to repeatedly execute malicious payloads as a form of persistence. Linux hosts typically start services during boot to perform background system functions. However, administrators may also create legitimate services for specific tools or applications as part of task automation. In such cases, it is recommended to verify the service path of the registered script or executable and identify the creator of the service for further validation. \ -It's important to be aware that this analytic may generate false positives as administrators or network operators may use the same command-line for legitimate automation purposes. Filter macros should be updated accordingly to minimize false positives. \ -Identifying restarted or re-enabled services is valuable for a SOC as it can indicate potential malicious activities attempting to maintain persistence or execute unauthorized actions on Linux systems. By detecting and investigating these events, security analysts can respond promptly to mitigate risks and prevent further compromise. The impact of a true positive can range from unauthorized access to data destruction or other damaging outcomes. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives. -action.escu.creation_date = 2023-04-14 -action.escu.modification_date = 2023-04-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Service Restarted - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["AwfulShred", "Data Destruction", "Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"] -action.risk = 1 -action.risk.param._risk_message = A commandline $process$ that may create or start a service on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Service Restarted - Rule -action.correlationsearch.annotations = {"analytic_story": ["AwfulShred", "Data Destruction", "Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.006", "T1053"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "084275ba-61b8-11ec-8d64-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name IN ("systemctl", "service") OR Processes.process IN ("*systemctl *", "*service *")) Processes.process IN ("*restart*", "*reload*", "*reenable*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_service_restarted_filter` - -[ESCU - Linux Service Started Or Enabled - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the creation or enabling of services in Linux platforms, specifically using the systemctl or service tool application. This behavior is worth identifying as adversaries may create or modify services to execute malicious payloads as part of persistence. Legitimate services created by administrators for automation purposes may also trigger this analytic, so it is important to update the filter macros to remove false positives. If a true positive is found, it suggests an possible attacker is attempting to persist within the environment or deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. To implement this analytic, ensure you are ingesting logs with the process name, parent process, and command-line executions from your endpoints. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.006", "T1053"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the creation or enabling of services in Linux platforms, specifically using the systemctl or service tool application. This behavior is worth identifying as adversaries may create or modify services to execute malicious payloads as part of persistence. Legitimate services created by administrators for automation purposes may also trigger this analytic, so it is important to update the filter macros to remove false positives. If a true positive is found, it suggests an possible attacker is attempting to persist within the environment or deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. To implement this analytic, ensure you are ingesting logs with the process name, parent process, and command-line executions from your endpoints. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives. -action.escu.creation_date = 2024-01-24 -action.escu.modification_date = 2024-01-24 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Service Started Or Enabled - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"] -action.risk = 1 -action.risk.param._risk_message = a commandline $process$ that may create or start a service on $dest -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 42}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Service Started Or Enabled - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 70, "impact": 60, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.006", "T1053"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e0428212-61b7-11ec-88a3-acde48001122", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name IN ("systemctl", "service") OR Processes.process IN ("*systemctl *", "*service *")) Processes.process IN ("* start *", "* enable *") AND NOT (Processes.os="Microsoft Windows" OR Processes.vendor_product="Microsoft Windows") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_service_started_or_enabled_filter` - -[ESCU - Linux Setuid Using Chmod Utility - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic looks for suspicious chmod utility execution to enable SUID bit. This allows a user to temporarily gain root access, usually in order to run a program. For example, only the root account is allowed to change the password information contained in the password database; If the SUID bit appears as an s, the file's owner also has execute permission to the file; if it appears as an S, the file's owner does not have execute permission. The second specialty permission is the SGID, or set group id bit. It is similar to the SUID bit, except it can temporarily change group membership, usually to execute a program. The SGID bit is set if an s or an S appears in the group section of permissions. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.001", "T1548"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for suspicious chmod utility execution to enable SUID bit. This allows a user to temporarily gain root access, usually in order to run a program. For example, only the root account is allowed to change the password information contained in the password database; If the SUID bit appears as an s, the file's owner also has execute permission to the file; if it appears as an S, the file's owner does not have execute permission. The second specialty permission is the SGID, or set group id bit. It is similar to the SUID bit, except it can temporarily change group membership, usually to execute a program. The SGID bit is set if an s or an S appears in the group section of permissions. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives. -action.escu.creation_date = 2021-12-21 -action.escu.modification_date = 2021-12-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Setuid Using Chmod Utility - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = a commandline $process$ that may set suid or sgid on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Setuid Using Chmod Utility - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.001", "T1548"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "bf0304b6-6250-11ec-9d7c-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes WHERE (Processes.process_name = chmod OR Processes.process = "*chmod *") AND Processes.process IN("* g+s *", "* u+s *", "* 4777 *", "* 4577 *") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_setuid_using_chmod_utility_filter` - -[ESCU - Linux Setuid Using Setcap Utility - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic looks for suspicious setcap utility execution to enable SUID bit. This allows a user to temporarily gain root access, usually in order to run a program. For example, only the root account is allowed to change the password information contained in the password database; If the SUID bit appears as an s, the file's owner also has execute permission to the file; if it appears as an S, the file's owner does not have execute permission. The second specialty permission is the SGID, or set group id bit. It is similar to the SUID bit, except it can temporarily change group membership, usually to execute a program. The SGID bit is set if an s or an S appears in the group section of permissions. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.001", "T1548"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for suspicious setcap utility execution to enable SUID bit. This allows a user to temporarily gain root access, usually in order to run a program. For example, only the root account is allowed to change the password information contained in the password database; If the SUID bit appears as an s, the file's owner also has execute permission to the file; if it appears as an S, the file's owner does not have execute permission. The second specialty permission is the SGID, or set group id bit. It is similar to the SUID bit, except it can temporarily change group membership, usually to execute a program. The SGID bit is set if an s or an S appears in the group section of permissions. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives. -action.escu.creation_date = 2021-12-21 -action.escu.modification_date = 2021-12-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Setuid Using Setcap Utility - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Persistence Techniques", "Linux Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = A commandline $process$ that may set suid or sgid on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Setuid Using Setcap Utility - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.001", "T1548"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "9d96022e-6250-11ec-9a19-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = setcap OR Processes.process = "*setcap *") AND Processes.process IN ("* cap_setuid=ep *", "* cap_setuid+ep *", "* cap_net_bind_service+p *", "* cap_net_raw+ep *", "* cap_dac_read_search+ep *") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_setuid_using_setcap_utility_filter` - -[ESCU - Linux Shred Overwrite Command - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is to detect a shred process to overwrite a files in a linux machine. Shred Linux application is designed to overwrite file to hide its contents or make the deleted file un-recoverable. Weve seen this technique in industroyer2 malware that tries to wipe energy facilities of targeted sector as part of its destructive attack. It might be some normal user may use this command for valid purposes but it is recommended to check what files, disk or folder it tries to shred that might be good pivot for incident response in this type of destructive malware. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is to detect a shred process to overwrite a files in a linux machine. Shred Linux application is designed to overwrite file to hide its contents or make the deleted file un-recoverable. Weve seen this technique in industroyer2 malware that tries to wipe energy facilities of targeted sector as part of its destructive attack. It might be some normal user may use this command for valid purposes but it is recommended to check what files, disk or folder it tries to shred that might be good pivot for incident response in this type of destructive malware. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. -action.escu.creation_date = 2023-04-14 -action.escu.modification_date = 2023-04-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Shred Overwrite Command - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["AwfulShred", "Data Destruction", "Industroyer2", "Linux Persistence Techniques", "Linux Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = A possible shred overwrite command $process$ executed on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Shred Overwrite Command - Rule -action.correlationsearch.annotations = {"analytic_story": ["AwfulShred", "Data Destruction", "Industroyer2", "Linux Persistence Techniques", "Linux Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c1952cf1-643c-4965-82de-11c067cbae76", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic is to detect a shred process to overwrite a files in a linux machine. Shred Linux application is designed to overwrite file to hide its contents or make the deleted file un-recoverable. Weve seen this technique in industroyer2 malware that tries to wipe energy facilities of targeted sector as part of its destructive attack. It might be some normal user may use this command for valid purposes but it is recommended to check what files, disk or folder it tries to shred that might be good pivot for incident response in this type of destructive malware. -action.notable.param.rule_title = Linux Shred Overwrite Command -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name =shred AND Processes.process IN ("*-n*", "*-u*", "*-z*", "*-s*") by Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_shred_overwrite_command_filter` - -[ESCU - Linux Sqlite3 Privilege Escalation - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = sqlite3 is a terminal-based front-end to the SQLite library that can evaluate queries interactively and display the results in multiple formats. sqlite3 can also be used within shell scripts and other applications to provide batch processing features. If sudo right is given to this application for the user, then the user can run system commands as root and possibly get a root shell. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = sqlite3 is a terminal-based front-end to the SQLite library that can evaluate queries interactively and display the results in multiple formats. sqlite3 can also be used within shell scripts and other applications to provide batch processing features. If sudo right is given to this application for the user, then the user can run system commands as root and possibly get a root shell. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives may be present, filter as needed. -action.escu.creation_date = 2022-08-11 -action.escu.modification_date = 2022-08-11 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Sqlite3 Privilege Escalation - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Living Off The Land", "Linux Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 30}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 30}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 30}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Sqlite3 Privilege Escalation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "ab75dbb7-c3ba-4689-9c1b-8d2717bdcba1", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*sqlite3*" AND Processes.process="*.shell*" AND Processes.process="*sudo*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_sqlite3_privilege_escalation_filter` - -[ESCU - Linux SSH Authorized Keys Modification - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the modification of SSH Authorized Keys on Linux systems. It leverages process execution data from Endpoint Detection and Response (EDR) agents, specifically monitoring commands like "bash" and "cat" interacting with "authorized_keys" files. This activity is significant as adversaries often modify SSH Authorized Keys to establish persistent access to compromised endpoints. If confirmed malicious, this behavior could allow attackers to maintain unauthorized access, bypassing traditional authentication mechanisms and potentially leading to further exploitation or data exfiltration. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098.004"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the modification of SSH Authorized Keys on Linux systems. It leverages process execution data from Endpoint Detection and Response (EDR) agents, specifically monitoring commands like "bash" and "cat" interacting with "authorized_keys" files. This activity is significant as adversaries often modify SSH Authorized Keys to establish persistent access to compromised endpoints. If confirmed malicious, this behavior could allow attackers to maintain unauthorized access, bypassing traditional authentication mechanisms and potentially leading to further exploitation or data exfiltration. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Filtering will be required as system administrators will add and remove. One way to filter query is to add "echo". -action.escu.creation_date = 2024-05-12 -action.escu.modification_date = 2024-05-12 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux SSH Authorized Keys Modification - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Living Off The Land"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ modifying SSH Authorized Keys. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 15}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 15}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 15}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 15}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux SSH Authorized Keys Modification - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098.004"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "f5ab595e-28e5-4327-8077-5008ba97c850", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("bash","cat") Processes.process IN ("*/authorized_keys*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_ssh_authorized_keys_modification_filter` - -[ESCU - Linux SSH Remote Services Script Execute - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the use of SSH to move laterally and execute a script or file on a remote host. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific SSH command-line parameters and URLs. This activity is significant as it may indicate an attacker attempting to execute remote commands or scripts, potentially leading to unauthorized access or control over additional systems. If confirmed malicious, this could result in lateral movement, privilege escalation, or the execution of malicious payloads, compromising the security of the network. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.004"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the use of SSH to move laterally and execute a script or file on a remote host. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific SSH command-line parameters and URLs. This activity is significant as it may indicate an attacker attempting to execute remote commands or scripts, potentially leading to unauthorized access or control over additional systems. If confirmed malicious, this could result in lateral movement, privilege escalation, or the execution of malicious payloads, compromising the security of the network. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = This is not a common command to be executed. Filter as needed. -action.escu.creation_date = 2024-05-13 -action.escu.modification_date = 2024-05-13 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux SSH Remote Services Script Execute - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Living Off The Land"] -action.risk = 1 -action.risk.param._risk_message = An instance of $process_name$ was identified on endpoint $dest$ by user $user$ attempting to move laterally and download a file. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 56}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 56}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux SSH Remote Services Script Execute - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.004"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "aa1748dd-4a5c-457a-9cf6-ca7b4eb711b3", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the use of SSH to move laterally and execute a script or file on a remote host. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific SSH command-line parameters and URLs. This activity is significant as it may indicate an attacker attempting to execute remote commands or scripts, potentially leading to unauthorized access or control over additional systems. If confirmed malicious, this could result in lateral movement, privilege escalation, or the execution of malicious payloads, compromising the security of the network. -action.notable.param.rule_title = Linux SSH Remote Services Script Execute -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=ssh Processes.process IN ("*oStrictHostKeyChecking*", "*oConnectTimeout*", "*oBatchMode*") AND Processes.process IN ("*http:*","*https:*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_ssh_remote_services_script_execute_filter` - -[ESCU - Linux Stdout Redirection To Dev Null File - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This analytic looks for suspicious commandline that redirect the stdout or possible stderror to dev/null file. This technique was seen in cyclopsblink malware where it redirect the possible output or error while modify the iptables firewall setting of the compromised machine to hide its action from the user. This Anomaly detection is a good pivot to look further why process or user use this un common approach. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.004", "T1562"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for suspicious commandline that redirect the stdout or possible stderror to dev/null file. This technique was seen in cyclopsblink malware where it redirect the possible output or error while modify the iptables firewall setting of the compromised machine to hide its action from the user. This Anomaly detection is a good pivot to look further why process or user use this un common approach. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-04-14 -action.escu.modification_date = 2023-04-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Stdout Redirection To Dev Null File - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Cyclops Blink", "Data Destruction", "Industroyer2"] -action.risk = 1 -action.risk.param._risk_message = a commandline $process$ that redirect stdout to dev/null in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 36}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Linux Stdout Redirection To Dev Null File - Rule -action.correlationsearch.annotations = {"analytic_story": ["Cyclops Blink", "Data Destruction", "Industroyer2"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.004", "T1562"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "de62b809-a04d-46b5-9a15-8298d330f0c8", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = "*&>/dev/null*" by Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest Processes.user Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_stdout_redirection_to_dev_null_file_filter` - -[ESCU - Linux Stop Services - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic is to detect events that attempt to stop or clear a service. This is typically identified in parallel with other instances of service enumeration of attempts to stop a service and then delete it. Adversaries utilize this technique like industroyer2 malware to terminate security services or other related services to continue there objective as a destructive payload. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic is to detect events that attempt to stop or clear a service. This is typically identified in parallel with other instances of service enumeration of attempts to stop a service and then delete it. Adversaries utilize this technique like industroyer2 malware to terminate security services or other related services to continue there objective as a destructive payload. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. -action.escu.creation_date = 2023-04-14 -action.escu.modification_date = 2023-04-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Stop Services - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["AwfulShred", "Data Destruction", "Industroyer2"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified attempting to stop services on endpoint $dest$ by $user$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Stop Services - Rule -action.correlationsearch.annotations = {"analytic_story": ["AwfulShred", "Data Destruction", "Industroyer2"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "d05204a5-9f1c-4946-a7f3-4fa58d76d5fd", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic is to detect events that attempt to stop or clear a service. This is typically identified in parallel with other instances of service enumeration of attempts to stop a service and then delete it. Adversaries utilize this technique like industroyer2 malware to terminate security services or other related services to continue there objective as a destructive payload. -action.notable.param.rule_title = Linux Stop Services -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("systemctl", "service", "svcadm") Processes.process ="*stop*" by Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_stop_services_filter` - -[ESCU - Linux Sudo OR Su Execution - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is to detect the execution of sudo or su command in linux operating system. The "sudo" command allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments. This command is commonly abused by adversaries, malware author and red teamers to elevate privileges to the targeted host. This command can be executed by administrator for legitimate purposes or to execute process that need admin privileges, In this scenario filter is needed. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is to detect the execution of sudo or su command in linux operating system. The "sudo" command allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments. This command is commonly abused by adversaries, malware author and red teamers to elevate privileges to the targeted host. This command can be executed by administrator for legitimate purposes or to execute process that need admin privileges, In this scenario filter is needed. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives. -action.escu.creation_date = 2022-01-04 -action.escu.modification_date = 2022-01-04 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Sudo OR Su Execution - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Persistence Techniques", "Linux Privilege Escalation"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Sudo OR Su Execution - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "4b00f134-6d6a-11ec-a90c-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("sudo", "su") OR Processes.parent_process_name IN ("sudo", "su") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_sudo_or_su_execution_filter` - -[ESCU - Linux Sudoers Tmp File Creation - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is to looks for file creation of sudoers.tmp file cause by editing /etc/sudoers using visudo or editor in linux platform. This technique may abuse by adversaries, malware author and red teamers to gain elevated privilege to targeted or compromised host. /etc/sudoers file controls who can run what commands as what users on what machines and can also control special things such as whether you need a password for particular commands. The file is composed of aliases (basically variables) and user specifications (which control who can run what). -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is to looks for file creation of sudoers.tmp file cause by editing /etc/sudoers using visudo or editor in linux platform. This technique may abuse by adversaries, malware author and red teamers to gain elevated privilege to targeted or compromised host. /etc/sudoers file controls who can run what commands as what users on what machines and can also control special things such as whether you need a password for particular commands. The file is composed of aliases (basically variables) and user specifications (which control who can run what). -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. -action.escu.known_false_positives = administrator or network operator can execute this command. Please update the filter macros to remove false positives. -action.escu.creation_date = 2021-12-23 -action.escu.modification_date = 2021-12-23 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Sudoers Tmp File Creation - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Persistence Techniques", "Linux Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = A file $file_name$ is created in $file_path$ on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Sudoers Tmp File Creation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "be254a5c-63e7-11ec-89da-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*sudoers.tmp*") by Filesystem.dest Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_sudoers_tmp_file_creation_filter` - -[ESCU - Linux System Network Discovery - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is to look for possible enumeration of local network configuration. This technique is commonly used as part of recon of adversaries or threat actor to know some network information for its next or further attack. This anomaly detections may capture normal event made by administrator during auditing or testing network connection of specific host or network to network. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1016"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is to look for possible enumeration of local network configuration. This technique is commonly used as part of recon of adversaries or threat actor to know some network information for its next or further attack. This anomaly detections may capture normal event made by administrator during auditing or testing network connection of specific host or network to network. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives. -action.escu.creation_date = 2023-04-14 -action.escu.modification_date = 2023-04-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux System Network Discovery - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Data Destruction", "Industroyer2", "Network Discovery"] -action.risk = 1 -action.risk.param._risk_message = Network discovery process $process_name_list$ executed on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 9}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux System Network Discovery - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Industroyer2", "Network Discovery"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1016"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "535cb214-8b47-11ec-a2c7-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count values(Processes.process_name) as process_name_list values(Processes.process) as process_list values(Processes.process_id) as process_id_list values(Processes.parent_process_id) as parent_process_id_list values(Processes.process_guid) as process_guid_list dc(Processes.process_name) as process_name_count from datamodel=Endpoint.Processes where Processes.process_name IN ("arp", "ifconfig", "ip", "netstat", "firewall-cmd", "ufw", "iptables", "ss", "route") by _time span=30m Processes.dest Processes.user | where process_name_count >=4 | `drop_dm_object_name(Processes)`| `linux_system_network_discovery_filter` - -[ESCU - Linux System Reboot Via System Request Key - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is to look for possible execution of SysReq hack to reboot the Linux system host. This technique was seen in Awfulshred malware wiper to reboot the compromised host by using the linux magic sysreq key. This kernel configuration can trigger reboot by piping out 'b' to /proc/sysrq-trigger after enabling all the functions of sysrq. This TTP detection can be a good indicator of possible suspicious processes running on the Linux host since this command is not a common way to reboot a system. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1529"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is to look for possible execution of SysReq hack to reboot the Linux system host. This technique was seen in Awfulshred malware wiper to reboot the compromised host by using the linux magic sysreq key. This kernel configuration can trigger reboot by piping out 'b' to /proc/sysrq-trigger after enabling all the functions of sysrq. This TTP detection can be a good indicator of possible suspicious processes running on the Linux host since this command is not a common way to reboot a system. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-04-14 -action.escu.modification_date = 2023-04-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux System Reboot Via System Request Key - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["AwfulShred", "Data Destruction"] -action.risk = 1 -action.risk.param._risk_message = a $process_name$ execute sysrq command $process$ to reboot $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux System Reboot Via System Request Key - Rule -action.correlationsearch.annotations = {"analytic_story": ["AwfulShred", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1529"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e1912b58-ed9c-422c-bbb0-2dbc70398345", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic is to look for possible execution of SysReq hack to reboot the Linux system host. This technique was seen in Awfulshred malware wiper to reboot the compromised host by using the linux magic sysreq key. This kernel configuration can trigger reboot by piping out 'b' to /proc/sysrq-trigger after enabling all the functions of sysrq. This TTP detection can be a good indicator of possible suspicious processes running on the Linux host since this command is not a common way to reboot a system. -action.notable.param.rule_title = Linux System Reboot Via System Request Key -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("dash", "sudo", "bash") Processes.process = "* echo b > *" Processes.process = "*/proc/sysrq-trigger" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_system_reboot_via_system_request_key_filter` - -[ESCU - Linux Unix Shell Enable All SysRq Functions - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is to look for possible execution of SysReq hack to enable all functions of kernel system requests of the Linux system host. This technique was seen in AwfulShred malware wiper to reboot the compromised host by using the linux magic sysreq key. This kernel configuration can be triggered by piping out bitmask '1' to /proc/sys/kernel/sysrq. This TTP detection can be a good indicator of possible suspicious processes running on the Linux host since this command is not so common shell commandline. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.004", "T1059"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is to look for possible execution of SysReq hack to enable all functions of kernel system requests of the Linux system host. This technique was seen in AwfulShred malware wiper to reboot the compromised host by using the linux magic sysreq key. This kernel configuration can be triggered by piping out bitmask '1' to /proc/sys/kernel/sysrq. This TTP detection can be a good indicator of possible suspicious processes running on the Linux host since this command is not so common shell commandline. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-04-14 -action.escu.modification_date = 2023-04-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Unix Shell Enable All SysRq Functions - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["AwfulShred", "Data Destruction"] -action.risk = 1 -action.risk.param._risk_message = a $process_name$ execute sysrq command $process$ to enable all function of system request in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 36}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Unix Shell Enable All SysRq Functions - Rule -action.correlationsearch.annotations = {"analytic_story": ["AwfulShred", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.004", "T1059"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e7a96937-3b58-4962-8dce-538e4763cf15", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("dash", "sudo", "bash") Processes.process = "* echo 1 > *" Processes.process = "*/proc/sys/kernel/sysrq" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_unix_shell_enable_all_sysrq_functions_filter` - -[ESCU - Linux Visudo Utility Execution - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is to looks for suspicious commandline that add entry to /etc/sudoers by using visudo utility tool in linux platform. This technique may abuse by adversaries, malware author and red teamers to gain elevated privilege to targeted or compromised host. /etc/sudoers file controls who can run what commands as what users on what machines and can also control special things such as whether you need a password for particular commands. The file is composed of aliases (basically variables) and user specifications (which control who can run what). -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is to looks for suspicious commandline that add entry to /etc/sudoers by using visudo utility tool in linux platform. This technique may abuse by adversaries, malware author and red teamers to gain elevated privilege to targeted or compromised host. /etc/sudoers file controls who can run what commands as what users on what machines and can also control special things such as whether you need a password for particular commands. The file is composed of aliases (basically variables) and user specifications (which control who can run what). -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives. -action.escu.creation_date = 2021-12-21 -action.escu.modification_date = 2021-12-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Linux Visudo Utility Execution - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Persistence Techniques", "Linux Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = A commandline $process$ executed on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 16}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Linux Visudo Utility Execution - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 40, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "08c41040-624c-11ec-a71f-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = visudo by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_visudo_utility_execution_filter` - -[ESCU - Living Off The Land Detection - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following correlation identifies multiple risk events associated with the "Living Off The Land" analytic story, indicating potentially suspicious behavior. It leverages the Risk data model to aggregate and correlate events tagged under this story, focusing on systems with a high count of distinct sources. This activity is significant as it often involves the use of legitimate tools for malicious purposes, making detection challenging. If confirmed malicious, this behavior could allow attackers to execute code, escalate privileges, or persist within the environment using trusted system utilities. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control", "Delivery", "Installation"], "mitre_attack": ["T1105", "T1190", "T1059", "T1133"], "nist": ["DE.AE"]} -action.escu.data_models = ["Risk"] -action.escu.eli5 = The following correlation identifies multiple risk events associated with the "Living Off The Land" analytic story, indicating potentially suspicious behavior. It leverages the Risk data model to aggregate and correlate events tagged under this story, focusing on systems with a high count of distinct sources. This activity is significant as it often involves the use of legitimate tools for malicious purposes, making detection challenging. If confirmed malicious, this behavior could allow attackers to execute code, escalate privileges, or persist within the environment using trusted system utilities. -action.escu.how_to_implement = To implement this correlation search a user needs to enable all detections in the Living Off The Land Analytic Story and confirm it is generating risk events. A simple search `index=risk analyticstories="Living Off The Land"` should contain events. -action.escu.known_false_positives = There are no known false positive for this search, but it could contain false positives as multiple detections can trigger and not have successful exploitation. Modify the static value distinct_detection_name to a higher value. It is also required to tune analytics that are also tagged to ensure volume is never too much. -action.escu.creation_date = 2024-05-21 -action.escu.modification_date = 2024-05-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Living Off The Land Detection - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Living Off The Land"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - RIR - Living Off The Land Detection - Rule -action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land"], "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "kill_chain_phases": ["Command and Control", "Delivery", "Installation"], "mitre_attack": ["T1105", "T1190", "T1059", "T1133"], "nist": ["DE.AE"], "type": "Correlation"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "1be30d80-3a39-4df9-9102-64a467b24abc", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following correlation identifies multiple risk events associated with the "Living Off The Land" analytic story, indicating potentially suspicious behavior. It leverages the Risk data model to aggregate and correlate events tagged under this story, focusing on systems with a high count of distinct sources. This activity is significant as it often involves the use of legitimate tools for malicious purposes, making detection challenging. If confirmed malicious, this behavior could allow attackers to execute code, escalate privileges, or persist within the environment using trusted system utilities. -action.notable.param.rule_title = RBA: Living Off The Land Detection -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories="Living Off The Land" All_Risk.risk_object_type="system" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 5 | `living_off_the_land_detection_filter` - -[ESCU - Loading Of Dynwrapx Module - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = DynamicWrapperX is an ActiveX component that can be used in a script to call Windows API functions, but it requires the dynwrapx.dll to be installed and registered. With that, registering or loading dynwrapx.dll to a host is highly suspicious. In most instances when it is used maliciously, the best way to triage is to review parallel processes and pivot on the process_guid. Review the registry for any suspicious modifications meant to load dynwrapx.dll. Identify any suspicious module loads of dynwrapx.dll. This detection will return and identify the processes that invoke vbs/wscript/cscript. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055", "T1055.001"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = DynamicWrapperX is an ActiveX component that can be used in a script to call Windows API functions, but it requires the dynwrapx.dll to be installed and registered. With that, registering or loading dynwrapx.dll to a host is highly suspicious. In most instances when it is used maliciously, the best way to triage is to review parallel processes and pivot on the process_guid. Review the registry for any suspicious modifications meant to load dynwrapx.dll. Identify any suspicious module loads of dynwrapx.dll. This detection will return and identify the processes that invoke vbs/wscript/cscript. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on processes that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -action.escu.known_false_positives = False positives should be limited, however it is possible to filter by Processes.process_name and specific processes (ex. wscript.exe). Filter as needed. This may need modification based on EDR telemetry and how it brings in registry data. For example, removal of (Default). -action.escu.creation_date = 2021-11-18 -action.escu.modification_date = 2021-11-18 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Loading Of Dynwrapx Module - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["AsyncRAT", "Remcos"] -action.risk = 1 -action.risk.param._risk_message = dynwrapx.dll loaded by process $process_name$ on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Loading Of Dynwrapx Module - Rule -action.correlationsearch.annotations = {"analytic_story": ["AsyncRAT", "Remcos"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055", "T1055.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "eac5e8ba-4857-11ec-9371-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = DynamicWrapperX is an ActiveX component that can be used in a script to call Windows API functions, but it requires the dynwrapx.dll to be installed and registered. With that, registering or loading dynwrapx.dll to a host is highly suspicious. In most instances when it is used maliciously, the best way to triage is to review parallel processes and pivot on the process_guid. Review the registry for any suspicious modifications meant to load dynwrapx.dll. Identify any suspicious module loads of dynwrapx.dll. This detection will return and identify the processes that invoke vbs/wscript/cscript. -action.notable.param.rule_title = Loading Of Dynwrapx Module -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=7 (ImageLoaded = "*\\dynwrapx.dll" OR OriginalFileName = "dynwrapx.dll" OR Product = "DynamicWrapperX") | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded OriginalFileName Product process_name dest EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `loading_of_dynwrapx_module_filter` - -[ESCU - Local Account Discovery with Net - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic looks for the execution of `net.exe` or `net1.exe` with command-line arguments utilized to query for local users. The two arguments `user` and 'users', return a list of all local users. Red Teams and adversaries alike use net.exe to enumerate users for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.001"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for the execution of `net.exe` or `net1.exe` with command-line arguments utilized to query for local users. The two arguments `user` and 'users', return a list of all local users. Red Teams and adversaries alike use net.exe to enumerate users for situational awareness and Active Directory Discovery. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. -action.escu.creation_date = 2021-09-16 -action.escu.modification_date = 2021-09-16 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Local Account Discovery with Net - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Discovery", "Sandworm Tools"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Local Account Discovery with Net - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "Sandworm Tools"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.001"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "5d0d4830-0133-11ec-bae3-acde48001122", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` (Processes.process=*user OR Processes.process=*users) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `local_account_discovery_with_net_filter` - -[ESCU - Local Account Discovery With Wmic - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to query for local users. The argument `useraccount` is used to leverage WMI to return a list of all local users. Red Teams and adversaries alike use net.exe to enumerate users for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.001"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to query for local users. The argument `useraccount` is used to leverage WMI to return a list of all local users. Red Teams and adversaries alike use net.exe to enumerate users for situational awareness and Active Directory Discovery. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. -action.escu.creation_date = 2021-09-16 -action.escu.modification_date = 2021-09-16 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Local Account Discovery With Wmic - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Discovery"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Local Account Discovery With Wmic - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.001"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "4902d7aa-0134-11ec-9d65-acde48001122", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` (Processes.process=*useraccount*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `local_account_discovery_with_wmic_filter` - -[ESCU - Log4Shell CVE-2021-44228 Exploitation - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This correlation find exploitation of Log4Shell CVE-2021-44228 against systems using detections from Splunk Security Content Analytic Story. It does this by calculating the distinct count of MITRE ATT&CK tactics from Log4Shell detections fired. If the count is larger than 2 or more distinct MITRE ATT&CK tactics we assume high problability of exploitation. The Analytic story breaks down into 3 major phases of a Log4Shell exploitation, specifically> Initial Payload delivery eg. `${jndi:ldap://PAYLOAD_INJECTED}` Call back to malicious LDAP server eg. Exploit.class Post Exploitation Activity/Lateral Movement using Powershell or similar T1562.001 Each of these phases fall into different MITRE ATT&CK Tactics (Initial Access, Execution, Command And Control), by looking into 2 or more phases showing up in detections triggerd is how this correlation search finds exploitation. If we get a notable from this correlation search the best way to triage it is by investigating the affected systems against Log4Shell exploitation using Splunk SOAR playbooks. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control", "Delivery", "Installation"], "mitre_attack": ["T1105", "T1190", "T1059", "T1133"], "nist": ["DE.AE"]} -action.escu.data_models = ["Risk"] -action.escu.eli5 = This correlation find exploitation of Log4Shell CVE-2021-44228 against systems using detections from Splunk Security Content Analytic Story. It does this by calculating the distinct count of MITRE ATT&CK tactics from Log4Shell detections fired. If the count is larger than 2 or more distinct MITRE ATT&CK tactics we assume high problability of exploitation. The Analytic story breaks down into 3 major phases of a Log4Shell exploitation, specifically> Initial Payload delivery eg. `${jndi:ldap://PAYLOAD_INJECTED}` Call back to malicious LDAP server eg. Exploit.class Post Exploitation Activity/Lateral Movement using Powershell or similar T1562.001 Each of these phases fall into different MITRE ATT&CK Tactics (Initial Access, Execution, Command And Control), by looking into 2 or more phases showing up in detections triggerd is how this correlation search finds exploitation. If we get a notable from this correlation search the best way to triage it is by investigating the affected systems against Log4Shell exploitation using Splunk SOAR playbooks. -action.escu.how_to_implement = To implement this correlation search a user needs to enable all detections in the Log4Shell Analytic Story and confirm it is generation risk events. A simple search `index=risk analyticstories="Log4Shell CVE-2021-44228"` should contain events. -action.escu.known_false_positives = There are no known false positive for this search, but it could contain false positives as multiple detections can trigger and not have successful exploitation. -action.escu.creation_date = 2022-09-09 -action.escu.modification_date = 2022-09-09 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Log4Shell CVE-2021-44228 Exploitation - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["CISA AA22-320A", "Log4Shell CVE-2021-44228"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - RIR - Log4Shell CVE-2021-44228 Exploitation - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA22-320A", "Log4Shell CVE-2021-44228"], "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "kill_chain_phases": ["Command and Control", "Delivery", "Installation"], "mitre_attack": ["T1105", "T1190", "T1059", "T1133"], "nist": ["DE.AE"], "type": "Correlation"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "9be30d80-3a39-4df9-9102-64a467b24eac", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This correlation find exploitation of Log4Shell CVE-2021-44228 against systems using detections from Splunk Security Content Analytic Story. It does this by calculating the distinct count of MITRE ATT&CK tactics from Log4Shell detections fired. If the count is larger than 2 or more distinct MITRE ATT&CK tactics we assume high problability of exploitation. The Analytic story breaks down into 3 major phases of a Log4Shell exploitation, specifically> Initial Payload delivery eg. `${jndi:ldap://PAYLOAD_INJECTED}` Call back to malicious LDAP server eg. Exploit.class Post Exploitation Activity/Lateral Movement using Powershell or similar T1562.001 Each of these phases fall into different MITRE ATT&CK Tactics (Initial Access, Execution, Command And Control), by looking into 2 or more phases showing up in detections triggerd is how this correlation search finds exploitation. If we get a notable from this correlation search the best way to triage it is by investigating the affected systems against Log4Shell exploitation using Splunk SOAR playbooks. -action.notable.param.rule_title = RBA: Log4Shell CVE-2021-44228 Exploitation -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories="Log4Shell CVE-2021-44228" All_Risk.risk_object_type="system" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 2 | `log4shell_cve_2021_44228_exploitation_filter` - -[ESCU - Logon Script Event Trigger Execution - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search is to detect a suspicious modification of registry entry to persist and gain privilege escalation upon booting up of compromised host. This technique was seen in several APT and malware where it modify UserInitMprLogonScript registry entry to its malicious payload to be executed upon boot up of the machine. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1037", "T1037.001"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search is to detect a suspicious modification of registry entry to persist and gain privilege escalation upon booting up of compromised host. This technique was seen in several APT and malware where it modify UserInitMprLogonScript registry entry to its malicious payload to be executed upon boot up of the machine. -action.escu.how_to_implement = To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-04-14 -action.escu.modification_date = 2023-04-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Logon Script Event Trigger Execution - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Data Destruction", "Hermetic Wiper", "Windows Persistence Techniques", "Windows Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = Registry path $registry_path$ was modified, added, or deleted on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Logon Script Event Trigger Execution - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Persistence Techniques", "Windows Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1037", "T1037.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "4c38c264-1f74-11ec-b5fa-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search is to detect a suspicious modification of registry entry to persist and gain privilege escalation upon booting up of compromised host. This technique was seen in several APT and malware where it modify UserInitMprLogonScript registry entry to its malicious payload to be executed upon boot up of the machine. -action.notable.param.rule_title = Logon Script Event Trigger Execution -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path IN ("*\\Environment\\UserInitMprLogonScript") by Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `logon_script_event_trigger_execution_filter` - -[ESCU - LOLBAS With Network Traffic - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies LOLBAS with network traffic. When adversaries abuse LOLBAS they are often used to download malicious code or executables. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like downloading malicious code. Looking for these process can help defenders identify lateral movement, command-and-control, or exfiltration activies. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives", "Command and Control", "Exploitation"], "mitre_attack": ["T1105", "T1567", "T1218"], "nist": ["DE.CM"]} -action.escu.data_models = ["Network_Traffic"] -action.escu.eli5 = The following analytic identifies LOLBAS with network traffic. When adversaries abuse LOLBAS they are often used to download malicious code or executables. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like downloading malicious code. Looking for these process can help defenders identify lateral movement, command-and-control, or exfiltration activies. -action.escu.how_to_implement = To successfully implement this detection you must ingest events into the Network traffic data model that contain the source, destination, and communicating process in the app feild. Relevant processes must also be ingested in the Endpoint data model with matching process_id feild. Sysmon EID1 and EID3 are good examples of this type this data type. -action.escu.known_false_positives = Legitmate usage of internal automation or scripting, espically powershell.exe internal to internal or logon scripts. It may be necessary to omit internal IP ranges if extremely noisy. ie NOT dest_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16","170.98.0.0/16","0:0:0:0:0:0:0:1") -action.escu.creation_date = 2021-12-09 -action.escu.modification_date = 2021-12-09 -action.escu.confidence = high -action.escu.full_search_name = ESCU - LOLBAS With Network Traffic - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Living Off The Land"] -action.risk = 1 -action.risk.param._risk_message = The LOLBAS $process_name$ on device $src$ was seen communicating with $dest$. -action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "system", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - LOLBAS With Network Traffic - Rule -action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Actions on Objectives", "Command and Control", "Exploitation"], "mitre_attack": ["T1105", "T1567", "T1218"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "2820f032-19eb-497e-8642-25b04a880359", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies LOLBAS with network traffic. When adversaries abuse LOLBAS they are often used to download malicious code or executables. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like downloading malicious code. Looking for these process can help defenders identify lateral movement, command-and-control, or exfiltration activies. -action.notable.param.rule_title = LOLBAS With Network Traffic -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic.All_Traffic where (All_Traffic.app IN ("*Regsvcs.exe", "*\\Ftp.exe", "*OfflineScannerShell.exe", "*Rasautou.exe", "*Schtasks.exe", "*Xwizard.exe", "*Pnputil.exe", "*Atbroker.exe", "*Pcwrun.exe", "*Ttdinject.exe", "*Mshta.exe", "*Bitsadmin.exe", "*Certoc.exe", "*Ieexec.exe", "*Microsoft.Workflow.Compiler.exe", "*Runscripthelper.exe", "*Forfiles.exe", "*Msbuild.exe", "*Register-cimprovider.exe", "*Tttracer.exe", "*Ie4uinit.exe", "*Bash.exe", "*Hh.exe", "*SettingSyncHost.exe", "*Cmstp.exe", "*Stordiag.exe", "*Scriptrunner.exe", "*Odbcconf.exe", "*Extexport.exe", "*Msdt.exe", "*WorkFolders.exe", "*Diskshadow.exe", "*Mavinject.exe", "*Regasm.exe", "*Gpscript.exe", "*Regsvr32.exe", "*Msiexec.exe", "*Wuauclt.exe", "*Presentationhost.exe", "*Wmic.exe", "*Runonce.exe", "*Syncappvpublishingserver.exe", "*Verclsid.exe", "*Infdefaultinstall.exe", "*Installutil.exe", "*Netsh.exe", "*Wab.exe", "*Dnscmd.exe", "*\\At.exe", "*Pcalua.exe", "*Msconfig.exe", "*makecab.exe", "*cscript.exe", "*notepad.exe", "*\\cmd.exe", "*certutil.exe", "*\\powershell.exe", "*powershell_ise.exe")) by All_Traffic.app,All_Traffic.src,All_Traffic.src_ip,All_Traffic.user,All_Traffic.dest,All_Traffic.dest_ip | `drop_dm_object_name(All_Traffic)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rex field=app ".*\\\(?.*)$" | rename app as process | `lolbas_with_network_traffic_filter` - -[ESCU - MacOS - Re-opened Applications - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies processes referencing plist files that determine which applications are re-opened when a user reboots their MacOS machine. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and parent processes related to "com.apple.loginwindow." This activity is significant because it can indicate attempts to persist across reboots, a common tactic used by attackers to maintain access. If confirmed malicious, this could allow an attacker to execute code or maintain persistence on the affected system, potentially leading to further compromise. -action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies processes referencing plist files that determine which applications are re-opened when a user reboots their MacOS machine. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and parent processes related to "com.apple.loginwindow." This activity is significant because it can indicate attempts to persist across reboots, a common tactic used by attackers to maintain access. If confirmed malicious, this could allow an attacker to execute code or maintain persistence on the affected system, potentially leading to further compromise. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = At this stage, there are no known false positives. During testing, no process events refering the com.apple.loginwindow.plist files were observed during normal operation of re-opening applications on reboot. Therefore, it can be asumed that any occurences of this in the process events would be worth investigating. In the event that the legitimate modification by the system of these files is in fact logged to the process log, then the process_name of that process can be added to an allow list. -action.escu.creation_date = 2024-05-14 -action.escu.modification_date = 2024-05-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - MacOS - Re-opened Applications - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["ColdRoot MacOS RAT"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - MacOS - Re-opened Applications - Rule -action.correlationsearch.annotations = {"analytic_story": ["ColdRoot MacOS RAT"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "40bb64f9-f619-4e3d-8732-328d40377c4b", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies processes referencing plist files that determine which applications are re-opened when a user reboots their MacOS machine. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and parent processes related to "com.apple.loginwindow." This activity is significant because it can indicate attempts to persist across reboots, a common tactic used by attackers to maintain access. If confirmed malicious, this could allow an attacker to execute code or maintain persistence on the affected system, potentially leading to further compromise. -action.notable.param.rule_title = MacOS - Re-opened Applications -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*com.apple.loginwindow*" by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `macos___re_opened_applications_filter` - -[ESCU - MacOS LOLbin - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects multiple executions of Living off the Land (LOLbin) binaries on macOS within a short period. It leverages osquery to monitor process events and identifies commands such as "find", "crontab", "screencapture", "openssl", "curl", "wget", "killall", and "funzip". This activity is significant as LOLbins are often used by attackers to perform malicious actions while evading detection. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or persist within the environment, posing a significant security risk. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.004", "T1059"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects multiple executions of Living off the Land (LOLbin) binaries on macOS within a short period. It leverages osquery to monitor process events and identifies commands such as "find", "crontab", "screencapture", "openssl", "curl", "wget", "killall", and "funzip". This activity is significant as LOLbins are often used by attackers to perform malicious actions while evading detection. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or persist within the environment, posing a significant security risk. -action.escu.how_to_implement = This detection uses osquery and endpoint security on MacOS. Follow the link in references, which describes how to setup process auditing in MacOS with endpoint security and osquery. -action.escu.known_false_positives = None identified. -action.escu.creation_date = 2024-05-17 -action.escu.modification_date = 2024-05-17 -action.escu.confidence = high -action.escu.full_search_name = ESCU - MacOS LOLbin - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Living Off The Land"] -action.risk = 1 -action.risk.param._risk_message = Multiplle LOLbin are executed on host $dest$ by user $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - MacOS LOLbin - Rule -action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.004", "T1059"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "58d270fb-5b39-418e-a855-4b8ac046805e", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects multiple executions of Living off the Land (LOLbin) binaries on macOS within a short period. It leverages osquery to monitor process events and identifies commands such as "find", "crontab", "screencapture", "openssl", "curl", "wget", "killall", and "funzip". This activity is significant as LOLbins are often used by attackers to perform malicious actions while evading detection. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or persist within the environment, posing a significant security risk. -action.notable.param.rule_title = MacOS LOLbin -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `osquery` name=es_process_events columns.cmdline IN ("find*", "crontab*", "screencapture*", "openssl*", "curl*", "wget*", "killall*", "funzip*") | rename columns.* as * | stats min(_time) as firstTime max(_time) as lastTime values(cmdline) as cmdline, values(pid) as pid, values(parent) as parent, values(path) as path, values(signing_id) as signing_id, dc(path) as dc_path by username host | rename username as user, cmdline as process, path as process_path, host as dest | where dc_path > 3 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `macos_lolbin_filter` - -[ESCU - MacOS plutil - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the usage of the `plutil` command to modify plist files on macOS systems. It leverages osquery to monitor process events, specifically looking for executions of `/usr/bin/plutil`. This activity is significant because adversaries can use `plutil` to alter plist files, potentially adding malicious binaries or command-line arguments that execute upon user logon or system startup. If confirmed malicious, this could allow attackers to achieve persistence, execute arbitrary code, or escalate privileges, posing a significant threat to the system's security. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1647"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects the usage of the `plutil` command to modify plist files on macOS systems. It leverages osquery to monitor process events, specifically looking for executions of `/usr/bin/plutil`. This activity is significant because adversaries can use `plutil` to alter plist files, potentially adding malicious binaries or command-line arguments that execute upon user logon or system startup. If confirmed malicious, this could allow attackers to achieve persistence, execute arbitrary code, or escalate privileges, posing a significant threat to the system's security. -action.escu.how_to_implement = This detection uses osquery and endpoint security on MacOS. Follow the link in references, which describes how to setup process auditing in MacOS with endpoint security and osquery. -action.escu.known_false_positives = Administrators using plutil to change plist files. -action.escu.creation_date = 2024-05-22 -action.escu.modification_date = 2024-05-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - MacOS plutil - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Living Off The Land"] -action.risk = 1 -action.risk.param._risk_message = plutil are executed on $dest$ from $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - MacOS plutil - Rule -action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1647"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c11f2b57-92c1-4cd2-b46c-064eafb833ac", "detection_version": "4"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the usage of the `plutil` command to modify plist files on macOS systems. It leverages osquery to monitor process events, specifically looking for executions of `/usr/bin/plutil`. This activity is significant because adversaries can use `plutil` to alter plist files, potentially adding malicious binaries or command-line arguments that execute upon user logon or system startup. If confirmed malicious, this could allow attackers to achieve persistence, execute arbitrary code, or escalate privileges, posing a significant threat to the system's security. -action.notable.param.rule_title = MacOS plutil -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `osquery` name=es_process_events columns.path=/usr/bin/plutil | rename columns.* as * | stats count min(_time) as firstTime max(_time) as lastTime by username host cmdline pid path parent signing_id | rename username as user, cmdline as process, path as process_path, host as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `macos_plutil_filter` - -[ESCU - Mailsniper Invoke functions - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the execution of known MailSniper PowerShell functions on a machine. It leverages PowerShell logs (EventCode 4104) to identify specific script block text associated with MailSniper activities. This behavior is significant as MailSniper is often used by attackers to harvest sensitive emails from compromised Exchange servers. If confirmed malicious, this activity could lead to unauthorized access to sensitive email data, credential theft, and further compromise of the email infrastructure. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114", "T1114.001"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects the execution of known MailSniper PowerShell functions on a machine. It leverages PowerShell logs (EventCode 4104) to identify specific script block text associated with MailSniper activities. This behavior is significant as MailSniper is often used by attackers to harvest sensitive emails from compromised Exchange servers. If confirmed malicious, this activity could lead to unauthorized access to sensitive email data, credential theft, and further compromise of the email infrastructure. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the powershell logs from your endpoints. make sure you enable needed registry to monitor this event. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2024-05-07 -action.escu.modification_date = 2024-05-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Mailsniper Invoke functions - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Data Exfiltration"] -action.risk = 1 -action.risk.param._risk_message = Potential mailsniper.ps1 functions executed on dest $dest$ by user $user$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 72}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Mailsniper Invoke functions - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Exfiltration"], "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114", "T1114.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a36972c8-b894-11eb-9f78-acde48001122", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the execution of known MailSniper PowerShell functions on a machine. It leverages PowerShell logs (EventCode 4104) to identify specific script block text associated with MailSniper activities. This behavior is significant as MailSniper is often used by attackers to harvest sensitive emails from compromised Exchange servers. If confirmed malicious, this activity could lead to unauthorized access to sensitive email data, credential theft, and further compromise of the email infrastructure. -action.notable.param.rule_title = Mailsniper Invoke functions -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText IN ("*Invoke-GlobalO365MailSearch*", "*Invoke-GlobalMailSearch*", "*Invoke-SelfSearch*", "*Invoke-PasswordSprayOWA*", "*Invoke-PasswordSprayEWS*","*Invoke-DomainHarvestOWA*", "*Invoke-UsernameHarvestOWA*","*Invoke-OpenInboxFinder*","*Invoke-InjectGEventAPI*","*Invoke-InjectGEvent*","*Invoke-SearchGmail*", "*Invoke-MonitorCredSniper*", "*Invoke-AddGmailRule*","*Invoke-PasswordSprayEAS*","*Invoke-UsernameHarvestEAS*") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `mailsniper_invoke_functions_filter` - -[ESCU - Malicious InProcServer32 Modification - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a process modifying the registry with a known malicious CLSID under InProcServer32. Most COM classes are registered with the operating system and are identified by a GUID that represents the Class Identifier (CLSID) within the registry (usually under HKLM\\Software\\Classes\\CLSID or HKCU\\Software\\Classes\\CLSID). Behind the implementation of a COM class is the server (some binary) that is referenced within registry keys under the CLSID. The LocalServer32 key represents a path to an executable (exe) implementation, and the InprocServer32 key represents a path to a dynamic link library (DLL) implementation (Bohops). During triage, review parallel processes for suspicious activity. Pivot on the process GUID to see the full timeline of events. Analyze the value and look for file modifications. Being this is looking for inprocserver32, a DLL found in the value will most likely be loaded by a parallel process. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.010", "T1112"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a process modifying the registry with a known malicious CLSID under InProcServer32. Most COM classes are registered with the operating system and are identified by a GUID that represents the Class Identifier (CLSID) within the registry (usually under HKLM\\Software\\Classes\\CLSID or HKCU\\Software\\Classes\\CLSID). Behind the implementation of a COM class is the server (some binary) that is referenced within registry keys under the CLSID. The LocalServer32 key represents a path to an executable (exe) implementation, and the InprocServer32 key represents a path to a dynamic link library (DLL) implementation (Bohops). During triage, review parallel processes for suspicious activity. Pivot on the process GUID to see the full timeline of events. Analyze the value and look for file modifications. Being this is looking for inprocserver32, a DLL found in the value will most likely be loaded by a parallel process. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives should be limited, filter as needed. In our test case, Remcos used regsvr32.exe to modify the registry. It may be required, dependent upon the EDR tool producing registry events, to remove (Default) from the command-line. -action.escu.creation_date = 2021-10-05 -action.escu.modification_date = 2021-10-05 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Malicious InProcServer32 Modification - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Remcos", "Suspicious Regsvr32 Activity"] -action.risk = 1 -action.risk.param._risk_message = The $process_name$ was identified on endpoint $dest$ modifying the registry with a known malicious clsid under InProcServer32. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Malicious InProcServer32 Modification - Rule -action.correlationsearch.annotations = {"analytic_story": ["Remcos", "Suspicious Regsvr32 Activity"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.010", "T1112"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "127c8d08-25ff-11ec-9223-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a process modifying the registry with a known malicious CLSID under InProcServer32. Most COM classes are registered with the operating system and are identified by a GUID that represents the Class Identifier (CLSID) within the registry (usually under HKLM\\Software\\Classes\\CLSID or HKCU\\Software\\Classes\\CLSID). Behind the implementation of a COM class is the server (some binary) that is referenced within registry keys under the CLSID. The LocalServer32 key represents a path to an executable (exe) implementation, and the InprocServer32 key represents a path to a dynamic link library (DLL) implementation (Bohops). During triage, review parallel processes for suspicious activity. Pivot on the process GUID to see the full timeline of events. Analyze the value and look for file modifications. Being this is looking for inprocserver32, a DLL found in the value will most likely be loaded by a parallel process. -action.notable.param.rule_title = Malicious InProcServer32 Modification -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes by _time Processes.process_id Processes.process_name Processes.dest Processes.process_guid Processes.user | `drop_dm_object_name(Processes)` | join process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)" by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.dest Registry.process_guid Registry.user | `drop_dm_object_name(Registry)` | fields _time dest registry_path registry_key_name registry_value_name process_name process_path process process_guid user] | stats count min(_time) as firstTime max(_time) as lastTime by dest, process_name registry_path registry_key_name registry_value_name user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `malicious_inprocserver32_modification_filter` - -[ESCU - Malicious Powershell Executed As A Service - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the execution of malicious PowerShell commands or payloads via the Windows SC.exe utility. It detects this activity by analyzing Windows System logs (EventCode 7045) and filtering for specific PowerShell-related patterns in the ImagePath field. This behavior is significant because it indicates potential abuse of the Windows Service Control Manager to run unauthorized or harmful scripts, which could lead to system compromise. If confirmed malicious, this activity could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1569", "T1569.002"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies the execution of malicious PowerShell commands or payloads via the Windows SC.exe utility. It detects this activity by analyzing Windows System logs (EventCode 7045) and filtering for specific PowerShell-related patterns in the ImagePath field. This behavior is significant because it indicates potential abuse of the Windows Service Control Manager to run unauthorized or harmful scripts, which could lead to system compromise. If confirmed malicious, this activity could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Windows System logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints. -action.escu.known_false_positives = Creating a hidden powershell service is rare and could key off of those instances. -action.escu.creation_date = 2024-05-20 -action.escu.modification_date = 2024-05-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Malicious Powershell Executed As A Service - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Malicious PowerShell", "Rhysida Ransomware"] -action.risk = 1 -action.risk.param._risk_message = Identifies the abuse the Windows SC.exe to execute malicious powerShell as a service $ImagePath$ by $user$ on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 72}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Malicious Powershell Executed As A Service - Rule -action.correlationsearch.annotations = {"analytic_story": ["Malicious PowerShell", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1569", "T1569.002"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "8e204dfd-cae0-4ea8-a61d-e972a1ff2ff8", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the execution of malicious PowerShell commands or payloads via the Windows SC.exe utility. It detects this activity by analyzing Windows System logs (EventCode 7045) and filtering for specific PowerShell-related patterns in the ImagePath field. This behavior is significant because it indicates potential abuse of the Windows Service Control Manager to run unauthorized or harmful scripts, which could lead to system compromise. If confirmed malicious, this activity could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment. -action.notable.param.rule_title = Malicious Powershell Executed As A Service -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_system` EventCode=7045 | eval l_ImagePath=lower(ImagePath) | regex l_ImagePath="powershell[.\s]|powershell_ise[.\s]|pwsh[.\s]|psexec[.\s]" | regex l_ImagePath="-nop[rofile\s]+|-w[indowstyle]*\s+hid[den]*|-noe[xit\s]+|-enc[odedcommand\s]+" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ImagePath ServiceName StartType ServiceType AccountName UserID dest | rename UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `malicious_powershell_executed_as_a_service_filter` - -[ESCU - Malicious PowerShell Process - Encoded Command - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the use of the EncodedCommand PowerShell parameter. This is typically used by Administrators to run complex scripts, but commonly used by adversaries to hide their code. \ -The analytic identifies all variations of EncodedCommand, as PowerShell allows the ability to shorten the parameter. For example enc, enco, encod and so forth. In addition, through our research it was identified that PowerShell will interpret different command switch types beyond the hyphen. We have added endash, emdash, horizontal bar, and forward slash. \ -During triage, review parallel events to determine legitimacy. Tune as needed based on admin scripts in use. \ -Alternatively, may use regex per matching here https://regexr.com/662ov. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1027"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the use of the EncodedCommand PowerShell parameter. This is typically used by Administrators to run complex scripts, but commonly used by adversaries to hide their code. \ -The analytic identifies all variations of EncodedCommand, as PowerShell allows the ability to shorten the parameter. For example enc, enco, encod and so forth. In addition, through our research it was identified that PowerShell will interpret different command switch types beyond the hyphen. We have added endash, emdash, horizontal bar, and forward slash. \ -During triage, review parallel events to determine legitimacy. Tune as needed based on admin scripts in use. \ -Alternatively, may use regex per matching here https://regexr.com/662ov. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = System administrators may use this option, but it's not common. -action.escu.creation_date = 2022-01-18 -action.escu.modification_date = 2022-01-18 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Malicious PowerShell Process - Encoded Command - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["CISA AA22-320A", "DarkCrystal RAT", "Data Destruction", "Hermetic Wiper", "Malicious PowerShell", "NOBELIUM Group", "Qakbot", "Sandworm Tools", "Volt Typhoon", "WhisperGate"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Malicious PowerShell Process - Encoded Command - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA22-320A", "DarkCrystal RAT", "Data Destruction", "Hermetic Wiper", "Malicious PowerShell", "NOBELIUM Group", "Qakbot", "Sandworm Tools", "Volt Typhoon", "WhisperGate"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1027"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c4db14d9-7909-48b4-a054-aa14d89dbb19", "detection_version": "7"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` by Processes.user Processes.process_name Processes.process Processes.parent_process_name Processes.original_file_name Processes.dest Processes.process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where match(process,"(?i)[\-|\/|– |—|―]e(nc*o*d*e*d*c*o*m*m*a*n*d*)*\s+[^-]") | `malicious_powershell_process___encoded_command_filter` - -[ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects PowerShell processes initiated with parameters that bypass the local execution policy for scripts. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions containing specific flags like "-ex" or "bypass." This activity is significant because bypassing execution policies is a common tactic used by attackers to run malicious scripts undetected. If confirmed malicious, this could allow an attacker to execute arbitrary code, potentially leading to further system compromise, data exfiltration, or persistent access within the environment. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects PowerShell processes initiated with parameters that bypass the local execution policy for scripts. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions containing specific flags like "-ex" or "bypass." This activity is significant because bypassing execution policies is a common tactic used by attackers to run malicious scripts undetected. If confirmed malicious, this could allow an attacker to execute arbitrary code, potentially leading to further system compromise, data exfiltration, or persistent access within the environment. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = There may be legitimate reasons to bypass the PowerShell execution policy. The PowerShell script being run with this parameter should be validated to ensure that it is legitimate. -action.escu.creation_date = 2024-05-13 -action.escu.modification_date = 2024-05-13 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["AsyncRAT", "DHS Report TA18-074A", "DarkCrystal RAT", "HAFNIUM Group", "Volt Typhoon"] -action.risk = 1 -action.risk.param._risk_message = PowerShell local execution policy bypass attempt on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 42}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule -action.correlationsearch.annotations = {"analytic_story": ["AsyncRAT", "DHS Report TA18-074A", "DarkCrystal RAT", "HAFNIUM Group", "Volt Typhoon"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "9be56c82-b1cc-4318-87eb-d138afaaca39", "detection_version": "6"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects PowerShell processes initiated with parameters that bypass the local execution policy for scripts. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions containing specific flags like "-ex" or "bypass." This activity is significant because bypassing execution policies is a common tactic used by attackers to run malicious scripts undetected. If confirmed malicious, this could allow an attacker to execute arbitrary code, potentially leading to further system compromise, data exfiltration, or persistent access within the environment. -action.notable.param.rule_title = Malicious PowerShell Process - Execution Policy Bypass -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` values(Processes.process_id) as process_id, values(Processes.parent_process_id) as parent_process_id values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` (Processes.process="* -ex*" OR Processes.process="* bypass *") by Processes.process_id, Processes.user, Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `malicious_powershell_process___execution_policy_bypass_filter` - -[ESCU - Malicious PowerShell Process With Obfuscation Techniques - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects PowerShell processes launched with command-line arguments indicative of obfuscation techniques. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and complete command-line executions. This activity is significant because obfuscated PowerShell commands are often used by attackers to evade detection and execute malicious scripts. If confirmed malicious, this activity could lead to unauthorized code execution, privilege escalation, or persistent access within the environment, posing a significant security risk. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects PowerShell processes launched with command-line arguments indicative of obfuscation techniques. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and complete command-line executions. This activity is significant because obfuscated PowerShell commands are often used by attackers to evade detection and execute malicious scripts. If confirmed malicious, this activity could lead to unauthorized code execution, privilege escalation, or persistent access within the environment, posing a significant security risk. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = These characters might be legitimately on the command-line, but it is not common. -action.escu.creation_date = 2024-05-18 -action.escu.modification_date = 2024-05-18 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Malicious PowerShell Process With Obfuscation Techniques - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Data Destruction", "Hermetic Wiper", "Malicious PowerShell"] -action.risk = 1 -action.risk.param._risk_message = Powershell.exe running with potential obfuscated arguments on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 42}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Malicious PowerShell Process With Obfuscation Techniques - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Malicious PowerShell"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "cde75cf6-3c7a-4dd6-af01-27cdb4511fd4", "detection_version": "6"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects PowerShell processes launched with command-line arguments indicative of obfuscation techniques. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and complete command-line executions. This activity is significant because obfuscated PowerShell commands are often used by attackers to evade detection and execute malicious scripts. If confirmed malicious, this activity could lead to unauthorized code execution, privilege escalation, or persistent access within the environment, posing a significant security risk. -action.notable.param.rule_title = Malicious PowerShell Process With Obfuscation Techniques -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` by Processes.user Processes.process_name Processes.original_file_name Processes.parent_process_name Processes.dest Processes.process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| eval num_obfuscation = (mvcount(split(process,"`"))-1) + (mvcount(split(process, "^"))-1) + (mvcount(split(process, "'"))-1) | `malicious_powershell_process_with_obfuscation_techniques_filter` | search num_obfuscation > 10 - -[ESCU - Mimikatz PassTheTicket CommandLine Parameters - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic looks for the use of Mimikatz command line parameters leveraged to execute pass the ticket attacks. Red teams and adversaries alike may use the pass the ticket technique using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Defenders should be aware that adversaries may customize the source code of Mimikatz and modify the command line parameters. This would effectively bypass this analytic. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1550", "T1550.003"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic looks for the use of Mimikatz command line parameters leveraged to execute pass the ticket attacks. Red teams and adversaries alike may use the pass the ticket technique using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Defenders should be aware that adversaries may customize the source code of Mimikatz and modify the command line parameters. This would effectively bypass this analytic. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Although highly unlikely, legitimate applications may use the same command line parameters as Mimikatz. -action.escu.creation_date = 2023-12-27 -action.escu.modification_date = 2023-12-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Mimikatz PassTheTicket CommandLine Parameters - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Kerberos Attacks", "CISA AA22-320A", "CISA AA23-347A", "Sandworm Tools"] -action.risk = 1 -action.risk.param._risk_message = Mimikatz command line parameters for pass the ticket attacks were used on $dest$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 36}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 36}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 36}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Mimikatz PassTheTicket CommandLine Parameters - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks", "CISA AA22-320A", "CISA AA23-347A", "Sandworm Tools"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1550", "T1550.003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "13bbd574-83ac-11ec-99d4-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic looks for the use of Mimikatz command line parameters leveraged to execute pass the ticket attacks. Red teams and adversaries alike may use the pass the ticket technique using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Defenders should be aware that adversaries may customize the source code of Mimikatz and modify the command line parameters. This would effectively bypass this analytic. -action.notable.param.rule_title = Mimikatz PassTheTicket CommandLine Parameters -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process = "*sekurlsa::tickets /export*" OR Processes.process = "*kerberos::ptt*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `mimikatz_passtheticket_commandline_parameters_filter` - -[ESCU - Mmc LOLBAS Execution Process Spawn - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies `mmc.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the DCOM protocol and the MMC20 COM object, the executed command is spawned as a child processs of `mmc.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of mmc.exe that are part of the LOLBAS project can help defenders identify lateral movement activity. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.003", "T1218.014"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies `mmc.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the DCOM protocol and the MMC20 COM object, the executed command is spawned as a child processs of `mmc.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of mmc.exe that are part of the LOLBAS project can help defenders identify lateral movement activity. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Legitimate applications may trigger this behavior, filter as needed. -action.escu.creation_date = 2021-11-23 -action.escu.modification_date = 2021-11-23 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Mmc LOLBAS Execution Process Spawn - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Lateral Movement", "Living Off The Land"] -action.risk = 1 -action.risk.param._risk_message = Mmc.exe spawned a LOLBAS process on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 54}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Mmc LOLBAS Execution Process Spawn - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.003", "T1218.014"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "f6601940-4c74-11ec-b9b7-3e22fbd008af", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies `mmc.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the DCOM protocol and the MMC20 COM object, the executed command is spawned as a child processs of `mmc.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of mmc.exe that are part of the LOLBAS project can help defenders identify lateral movement activity. -action.notable.param.rule_title = Mmc LOLBAS Execution Process Spawn -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=mmc.exe) (Processes.process_name IN ("Regsvcs.exe", "Ftp.exe", "OfflineScannerShell.exe", "Rasautou.exe", "Schtasks.exe", "Xwizard.exe", "Dllhost.exe", "Pnputil.exe", "Atbroker.exe", "Pcwrun.exe", "Ttdinject.exe","Mshta.exe", "Bitsadmin.exe", "Certoc.exe", "Ieexec.exe", "Microsoft.Workflow.Compiler.exe", "Runscripthelper.exe", "Forfiles.exe", "Msbuild.exe", "Register-cimprovider.exe", "Tttracer.exe", "Ie4uinit.exe", "Bash.exe", "Hh.exe", "SettingSyncHost.exe", "Cmstp.exe", "Mmc.exe", "Stordiag.exe", "Scriptrunner.exe", "Odbcconf.exe", "Extexport.exe", "Msdt.exe", "WorkFolders.exe", "Diskshadow.exe", "Mavinject.exe", "Regasm.exe", "Gpscript.exe", "Rundll32.exe", "Regsvr32.exe", "Msiexec.exe", "Wuauclt.exe", "Presentationhost.exe", "Wmic.exe", "Runonce.exe", "Syncappvpublishingserver.exe", "Verclsid.exe", "Infdefaultinstall.exe", "Explorer.exe", "Installutil.exe", "Netsh.exe", "Wab.exe", "Dnscmd.exe", "At.exe", "Pcalua.exe", "Msconfig.exe")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `mmc_lolbas_execution_process_spawn_filter` - -[ESCU - Modification Of Wallpaper - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic identifies suspicious modification of registry to deface or change the wallpaper of a compromised machines as part of its payload. This technique was commonly seen in ransomware like REVIL where it create a bitmap file contain a note that the machine was compromised and make it as a wallpaper. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1491"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic identifies suspicious modification of registry to deface or change the wallpaper of a compromised machines as part of its payload. This technique was commonly seen in ransomware like REVIL where it create a bitmap file contain a note that the machine was compromised and make it as a wallpaper. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the Image, TargetObject registry key, registry Details from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -action.escu.known_false_positives = 3rd party tool may used to changed the wallpaper of the machine -action.escu.creation_date = 2021-06-02 -action.escu.modification_date = 2021-06-02 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Modification Of Wallpaper - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["BlackMatter Ransomware", "Brute Ratel C4", "LockBit Ransomware", "Ransomware", "Revil Ransomware", "Rhysida Ransomware", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = Wallpaper modification on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 54}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Modification Of Wallpaper - Rule -action.correlationsearch.annotations = {"analytic_story": ["BlackMatter Ransomware", "Brute Ratel C4", "LockBit Ransomware", "Ransomware", "Revil Ransomware", "Rhysida Ransomware", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1491"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "accb0712-c381-11eb-8e5b-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic identifies suspicious modification of registry to deface or change the wallpaper of a compromised machines as part of its payload. This technique was commonly seen in ransomware like REVIL where it create a bitmap file contain a note that the machine was compromised and make it as a wallpaper. -action.notable.param.rule_title = Modification Of Wallpaper -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode =13 (TargetObject IN ("*\\Control Panel\\Desktop\\Wallpaper","*\\Control Panel\\Desktop\\WallpaperStyle") AND Image != "*\\explorer.exe") OR (TargetObject IN ("*\\Control Panel\\Desktop\\Wallpaper","*\\Control Panel\\Desktop\\WallpaperStyle") AND Details IN ("*\\temp\\*", "*\\users\\public\\*")) | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Image TargetObject Details Computer process_guid process_id user_id | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `modification_of_wallpaper_filter` - -[ESCU - Modify ACL permission To Files Or Folder - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic identifies suspicious modification of ACL permission to a files or folder to make it available to everyone. This technique may be used by the adversary to evade ACLs or protected files access. This changes is commonly configured by the file or directory owner with appropriate permission. This behavior is a good indicator if this command seen on a machine utilized by an account with no permission to do so. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic identifies suspicious modification of ACL permission to a files or folder to make it available to everyone. This technique may be used by the adversary to evade ACLs or protected files access. This changes is commonly configured by the file or directory owner with appropriate permission. This behavior is a good indicator if this command seen on a machine utilized by an account with no permission to do so. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = administrators may use this command. Filter as needed. -action.escu.creation_date = 2022-03-17 -action.escu.modification_date = 2022-03-17 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Modify ACL permission To Files Or Folder - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["XMRig"] -action.risk = 1 -action.risk.param._risk_message = Suspicious ACL permission modification on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 32}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Modify ACL permission To Files Or Folder - Rule -action.correlationsearch.annotations = {"analytic_story": ["XMRig"], "cis20": ["CIS 10"], "confidence": 80, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "7e8458cc-acca-11eb-9e3f-acde48001122", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = "cacls.exe" OR Processes.process_name = "icacls.exe" OR Processes.process_name = "xcacls.exe") AND Processes.process = "*/G*" AND (Processes.process = "* everyone:*" OR Processes.process = "* SYSTEM:*" OR Processes.process = "* S-1-1-0:*") by Processes.parent_process_name Processes.process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `modify_acl_permission_to_files_or_folder_filter` - -[ESCU - Monitor Registry Keys for Print Monitors - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search looks for registry activity associated with modifications to the registry key `HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors`. In this scenario, an attacker can load an arbitrary .dll into the print-monitor registry by giving the full path name to the after.dll. The system will execute the .dll with elevated (SYSTEM) permissions and will persist after reboot. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1547.010", "T1547"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search looks for registry activity associated with modifications to the registry key `HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors`. In this scenario, an attacker can load an arbitrary .dll into the print-monitor registry by giving the full path name to the after.dll. The system will execute the .dll with elevated (SYSTEM) permissions and will persist after reboot. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -action.escu.known_false_positives = You will encounter noise from legitimate print-monitor registry entries. -action.escu.creation_date = 2023-04-27 -action.escu.modification_date = 2023-04-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Monitor Registry Keys for Print Monitors - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Suspicious Windows Registry Activities", "Windows Persistence Techniques", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = New print monitor added on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Monitor Registry Keys for Print Monitors - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious Windows Registry Activities", "Windows Persistence Techniques", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1547.010", "T1547"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "f5f6af30-7ba7-4295-bfe9-07de87c01bbc", "detection_version": "5"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search looks for registry activity associated with modifications to the registry key `HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors`. In this scenario, an attacker can load an arbitrary .dll into the print-monitor registry by giving the full path name to the after.dll. The system will execute the .dll with elevated (SYSTEM) permissions and will persist after reboot. -action.notable.param.rule_title = Monitor Registry Keys for Print Monitors -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.action=modified AND Registry.registry_path="*CurrentControlSet\\Control\\Print\\Monitors*") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `monitor_registry_keys_for_print_monitors_filter` - -[ESCU - MS Exchange Mailbox Replication service writing Active Server Pages - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following query identifies suspicious .aspx created in 3 paths identified by Microsoft as known drop locations for Exchange exploitation related to HAFNIUM group and recently disclosed vulnerablity named ProxyShell. Paths include: `\HttpProxy\owa\auth\`, `\inetpub\wwwroot\aspnet_client\`, and `\HttpProxy\OAB\`. The analytic is limited to process name MSExchangeMailboxReplication.exe, which typically does not write .aspx files to disk. Upon triage, the suspicious .aspx file will likely look obvious on the surface. inspect the contents for script code inside. Identify additional log sources, IIS included, to review source and other potential exploitation. It is often the case that a particular threat is only applicable to a specific subset of systems in your environment. Typically analytics to detect those threats are written without the benefit of being able to only target those systems as well. Writing analytics against all systems when those behaviors are limited to identifiable subsets of those systems is suboptimal. Consider the case ProxyShell vulnerability on Microsoft Exchange Servers. With asset information, a hunter can limit their analytics to systems that have been identified as Exchange servers. A hunter may start with the theory that the exchange server is communicating with new systems that it has not previously. If this theory is run against all publicly facing systems, the amount of noise it will generate will likely render this theory untenable. However, using the asset information to limit this analytic to just the Exchange servers will reduce the noise allowing the hunter to focus only on the systems where this behavioral change is relevant. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1505", "T1505.003", "T1190", "T1133"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following query identifies suspicious .aspx created in 3 paths identified by Microsoft as known drop locations for Exchange exploitation related to HAFNIUM group and recently disclosed vulnerablity named ProxyShell. Paths include: `\HttpProxy\owa\auth\`, `\inetpub\wwwroot\aspnet_client\`, and `\HttpProxy\OAB\`. The analytic is limited to process name MSExchangeMailboxReplication.exe, which typically does not write .aspx files to disk. Upon triage, the suspicious .aspx file will likely look obvious on the surface. inspect the contents for script code inside. Identify additional log sources, IIS included, to review source and other potential exploitation. It is often the case that a particular threat is only applicable to a specific subset of systems in your environment. Typically analytics to detect those threats are written without the benefit of being able to only target those systems as well. Writing analytics against all systems when those behaviors are limited to identifiable subsets of those systems is suboptimal. Consider the case ProxyShell vulnerability on Microsoft Exchange Servers. With asset information, a hunter can limit their analytics to systems that have been identified as Exchange servers. A hunter may start with the theory that the exchange server is communicating with new systems that it has not previously. If this theory is run against all publicly facing systems, the amount of noise it will generate will likely render this theory untenable. However, using the asset information to limit this analytic to just the Exchange servers will reduce the noise allowing the hunter to focus only on the systems where this behavioral change is relevant. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node. -action.escu.known_false_positives = The query is structured in a way that `action` (read, create) is not defined. Review the results of this query, filter, and tune as necessary. It may be necessary to generate this query specific to your endpoint product. -action.escu.creation_date = 2023-07-10 -action.escu.modification_date = 2023-07-10 -action.escu.confidence = high -action.escu.full_search_name = ESCU - MS Exchange Mailbox Replication service writing Active Server Pages - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["BlackByte Ransomware", "ProxyShell", "Ransomware"] -action.risk = 1 -action.risk.param._risk_message = A file - $file_name$ was written to disk that is related to IIS exploitation related to ProxyShell. Review further file modifications on endpoint $dest$ by user $user$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 81}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 81}, {"risk_object_field": "file_name", "risk_object_type": "other", "risk_score": 81}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - MS Exchange Mailbox Replication service writing Active Server Pages - Rule -action.correlationsearch.annotations = {"analytic_story": ["BlackByte Ransomware", "ProxyShell", "Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1505", "T1505.003", "T1190", "T1133"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "985f322c-57a5-11ec-b9ac-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following query identifies suspicious .aspx created in 3 paths identified by Microsoft as known drop locations for Exchange exploitation related to HAFNIUM group and recently disclosed vulnerablity named ProxyShell. Paths include: `\HttpProxy\owa\auth\`, `\inetpub\wwwroot\aspnet_client\`, and `\HttpProxy\OAB\`. The analytic is limited to process name MSExchangeMailboxReplication.exe, which typically does not write .aspx files to disk. Upon triage, the suspicious .aspx file will likely look obvious on the surface. inspect the contents for script code inside. Identify additional log sources, IIS included, to review source and other potential exploitation. It is often the case that a particular threat is only applicable to a specific subset of systems in your environment. Typically analytics to detect those threats are written without the benefit of being able to only target those systems as well. Writing analytics against all systems when those behaviors are limited to identifiable subsets of those systems is suboptimal. Consider the case ProxyShell vulnerability on Microsoft Exchange Servers. With asset information, a hunter can limit their analytics to systems that have been identified as Exchange servers. A hunter may start with the theory that the exchange server is communicating with new systems that it has not previously. If this theory is run against all publicly facing systems, the amount of noise it will generate will likely render this theory untenable. However, using the asset information to limit this analytic to just the Exchange servers will reduce the noise allowing the hunter to focus only on the systems where this behavioral change is relevant. -action.notable.param.rule_title = MS Exchange Mailbox Replication service writing Active Server Pages -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=MSExchangeMailboxReplication.exe by _time span=1h Processes.process_id Processes.process_name Processes.process_guid Processes.dest | `drop_dm_object_name(Processes)` | join process_guid, _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*\\HttpProxy\\owa\\auth\\*", "*\\inetpub\\wwwroot\\aspnet_client\\*", "*\\HttpProxy\\OAB\\*") Filesystem.file_name="*.aspx" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` | fields _time dest file_create_time file_name file_path process_name process_path process process_guid] | dedup file_create_time | table dest file_create_time, file_name, file_path, process_name | `ms_exchange_mailbox_replication_service_writing_active_server_pages_filter` - -[ESCU - MS Scripting Process Loading Ldap Module - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search is to detect a suspicious MS scripting process such as wscript.exe or cscript.exe that loading ldap module to process ldap query. This behavior was seen in FIN7 implant where it uses javascript to execute ldap query to parse host information that will send to its C2 server. this anomaly detections is a good initial step to hunt further a suspicious ldap query or ldap related events to the host that may give you good information regarding ldap or AD information processing or might be a attacker. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.007"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search is to detect a suspicious MS scripting process such as wscript.exe or cscript.exe that loading ldap module to process ldap query. This behavior was seen in FIN7 implant where it uses javascript to execute ldap query to parse host information that will send to its C2 server. this anomaly detections is a good initial step to hunt further a suspicious ldap query or ldap related events to the host that may give you good information regarding ldap or AD information processing or might be a attacker. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used. -action.escu.known_false_positives = automation scripting language may used by network operator to do ldap query. -action.escu.creation_date = 2021-09-13 -action.escu.modification_date = 2021-09-13 -action.escu.confidence = high -action.escu.full_search_name = ESCU - MS Scripting Process Loading Ldap Module - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["FIN7"] -action.risk = 1 -action.risk.param._risk_message = $process_name$ loading ldap modules $ImageLoaded$ in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 9}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - MS Scripting Process Loading Ldap Module - Rule -action.correlationsearch.annotations = {"analytic_story": ["FIN7"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.007"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "0b0c40dc-14a6-11ec-b267-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode =7 Image IN ("*\\wscript.exe", "*\\cscript.exe") ImageLoaded IN ("*\\Wldap32.dll", "*\\adsldp.dll", "*\\adsldpc.dll") | stats min(_time) as firstTime max(_time) as lastTime count by Image EventCode process_name ProcessId ProcessGuid Computer ImageLoaded | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ms_scripting_process_loading_ldap_module_filter` - -[ESCU - MS Scripting Process Loading WMI Module - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search is to detect a suspicious MS scripting process such as wscript.exe or cscript.exe that loading wmi module to process wmi query. This behavior was seen in FIN7 implant where it uses javascript to execute wmi query to parse host information that will send to its C2 server. this anomaly detections is a good initial step to hunt further a suspicious wmi query or wmi related events to the host that may give you good information regarding process that are commonly using wmi query or modules or might be an attacker using this technique. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.007"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search is to detect a suspicious MS scripting process such as wscript.exe or cscript.exe that loading wmi module to process wmi query. This behavior was seen in FIN7 implant where it uses javascript to execute wmi query to parse host information that will send to its C2 server. this anomaly detections is a good initial step to hunt further a suspicious wmi query or wmi related events to the host that may give you good information regarding process that are commonly using wmi query or modules or might be an attacker using this technique. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used. -action.escu.known_false_positives = automation scripting language may used by network operator to do ldap query. -action.escu.creation_date = 2021-09-13 -action.escu.modification_date = 2021-09-13 -action.escu.confidence = high -action.escu.full_search_name = ESCU - MS Scripting Process Loading WMI Module - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["FIN7"] -action.risk = 1 -action.risk.param._risk_message = $process_name$ loading wmi modules $ImageLoaded$ in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 9}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - MS Scripting Process Loading WMI Module - Rule -action.correlationsearch.annotations = {"analytic_story": ["FIN7"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.007"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "2eba3d36-14a6-11ec-a682-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode =7 Image IN ("*\\wscript.exe", "*\\cscript.exe") ImageLoaded IN ("*\\fastprox.dll", "*\\wbemdisp.dll", "*\\wbemprox.dll", "*\\wbemsvc.dll" , "*\\wmiutils.dll", "*\\wbemcomn.dll") | stats min(_time) as firstTime max(_time) as lastTime count by Image EventCode process_name ProcessId ProcessGuid Computer ImageLoaded | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ms_scripting_process_loading_wmi_module_filter` - -[ESCU - MSBuild Suspicious Spawned By Script Process - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is to detect a suspicious child process of MSBuild spawned by Windows Script Host - cscript or wscript. This behavior or event are commonly seen and used by malware or adversaries to execute malicious msbuild process using malicious script in the compromised host. During triage, review parallel processes and identify any file modifications. MSBuild may load a script from the same path without having command-line arguments. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1127.001", "T1127"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is to detect a suspicious child process of MSBuild spawned by Windows Script Host - cscript or wscript. This behavior or event are commonly seen and used by malware or adversaries to execute malicious msbuild process using malicious script in the compromised host. During triage, review parallel processes and identify any file modifications. MSBuild may load a script from the same path without having command-line arguments. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives should be limited as developers do not spawn MSBuild via a WSH. -action.escu.creation_date = 2021-10-04 -action.escu.modification_date = 2021-10-04 -action.escu.confidence = high -action.escu.full_search_name = ESCU - MSBuild Suspicious Spawned By Script Process - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Trusted Developer Utilities Proxy Execution MSBuild"] -action.risk = 1 -action.risk.param._risk_message = Msbuild.exe process spawned by $parent_process_name$ on $dest$ executed by $user$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - MSBuild Suspicious Spawned By Script Process - Rule -action.correlationsearch.annotations = {"analytic_story": ["Trusted Developer Utilities Proxy Execution MSBuild"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1127.001", "T1127"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "213b3148-24ea-11ec-93a2-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic is to detect a suspicious child process of MSBuild spawned by Windows Script Host - cscript or wscript. This behavior or event are commonly seen and used by malware or adversaries to execute malicious msbuild process using malicious script in the compromised host. During triage, review parallel processes and identify any file modifications. MSBuild may load a script from the same path without having command-line arguments. -action.notable.param.rule_title = MSBuild Suspicious Spawned By Script Process -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("wscript.exe", "cscript.exe") AND `process_msbuild` by Processes.dest Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `msbuild_suspicious_spawned_by_script_process_filter` - -[ESCU - Mshta spawning Rundll32 OR Regsvr32 Process - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search is to detect a suspicious mshta.exe process that spawn rundll32 or regsvr32 child process. This technique was seen in several malware nowadays like trickbot to load its initial .dll stage loader to execute and download the the actual trickbot payload. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search is to detect a suspicious mshta.exe process that spawn rundll32 or regsvr32 child process. This technique was seen in several malware nowadays like trickbot to load its initial .dll stage loader to execute and download the the actual trickbot payload. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = limitted. this anomaly behavior is not commonly seen in clean host. -action.escu.creation_date = 2021-07-19 -action.escu.modification_date = 2021-07-19 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Mshta spawning Rundll32 OR Regsvr32 Process - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["IcedID", "Living Off The Land", "Trickbot"] -action.risk = 1 -action.risk.param._risk_message = a mshta parent process $parent_process_name$ spawn child process $process_name$ in host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 56}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Mshta spawning Rundll32 OR Regsvr32 Process - Rule -action.correlationsearch.annotations = {"analytic_story": ["IcedID", "Living Off The Land", "Trickbot"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "4aa5d062-e893-11eb-9eb2-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search is to detect a suspicious mshta.exe process that spawn rundll32 or regsvr32 child process. This technique was seen in several malware nowadays like trickbot to load its initial .dll stage loader to execute and download the the actual trickbot payload. -action.notable.param.rule_title = Mshta spawning Rundll32 OR Regsvr32 Process -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name = "mshta.exe" `process_rundll32` OR `process_regsvr32` by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.process_guid Processes.user Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `mshta_spawning_rundll32_or_regsvr32_process_filter` - -[ESCU - MSHTML Module Load in Office Product - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This detection identifies the loading of the mshtml.dll module into an Office product. This behavior is associated with CVE-2021-40444, where a malicious document loads ActiveX, thereby activating the MSHTML component. The vulnerability is found within the MSHTML component itself. During triage, it is important to identify concurrent processes and document any file modifications for further analysis. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This detection identifies the loading of the mshtml.dll module into an Office product. This behavior is associated with CVE-2021-40444, where a malicious document loads ActiveX, thereby activating the MSHTML component. The vulnerability is found within the MSHTML component itself. During triage, it is important to identify concurrent processes and document any file modifications for further analysis. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process names and image loads from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -action.escu.known_false_positives = Limited false positives will be present, however, tune as necessary. Some applications may legitimately load mshtml.dll. -action.escu.creation_date = 2024-03-14 -action.escu.modification_date = 2024-03-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - MSHTML Module Load in Office Product - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "Microsoft MSHTML Remote Code Execution CVE-2021-40444", "Spearphishing Attachments"] -action.risk = 1 -action.risk.param._risk_message = An instance of $process_name$ was identified on endpoint $dest$ loading mshtml.dll. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"threat_object_field": "process_name", "threat_object_type": "process"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - MSHTML Module Load in Office Product - Rule -action.correlationsearch.annotations = {"analytic_story": ["CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "Microsoft MSHTML Remote Code Execution CVE-2021-40444", "Spearphishing Attachments"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2021-40444"], "impact": 80, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "5f1c168e-118b-11ec-84ff-acde48001122", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This detection identifies the loading of the mshtml.dll module into an Office product. This behavior is associated with CVE-2021-40444, where a malicious document loads ActiveX, thereby activating the MSHTML component. The vulnerability is found within the MSHTML component itself. During triage, it is important to identify concurrent processes and document any file modifications for further analysis. -action.notable.param.rule_title = MSHTML Module Load in Office Product -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventID=7 process_name IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","wordpad.exe","wordview.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe", "msaccess.exe","Graph.exe","winproj.exe") loaded_file_path IN ("*\\mshtml.dll", "*\\Microsoft.mshtml.dll","*\\IE.Interop.MSHTML.dll","*\\MshtmlDac.dll","*\\MshtmlDed.dll","*\\MshtmlDer.dll") | stats count min(_time) as firstTime max(_time) as lastTime by user_id, dest, process_name, loaded_file, loaded_file_path, original_file_name, process_guid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `mshtml_module_load_in_office_product_filter` - -[ESCU - MSI Module Loaded by Non-System Binary - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following hunting analytic identifies `msi.dll` being loaded by a binary not located in `system32`, `syswow64`, `winsxs` or `windows` paths. This behavior is most recently related to InstallerFileTakeOver, or CVE-2021-41379, and DLL side-loading. CVE-2021-41379 requires a binary to be dropped and `msi.dll` to be loaded by it. To Successful exploitation of this issue happens in four parts \ - \ -1. Generation of an MSI that will trigger bad behavior. \ -1. Preparing a directory for MSI installation. \ -1. Inducing an error state. \ -1. Racing to introduce a junction and a symlink to trick msiexec.exe to modify the attacker specified file. \ -In addition, `msi.dll` has been abused in DLL side-loading attacks by being loaded by non-system binaries. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.002", "T1574"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following hunting analytic identifies `msi.dll` being loaded by a binary not located in `system32`, `syswow64`, `winsxs` or `windows` paths. This behavior is most recently related to InstallerFileTakeOver, or CVE-2021-41379, and DLL side-loading. CVE-2021-41379 requires a binary to be dropped and `msi.dll` to be loaded by it. To Successful exploitation of this issue happens in four parts \ - \ -1. Generation of an MSI that will trigger bad behavior. \ -1. Preparing a directory for MSI installation. \ -1. Inducing an error state. \ -1. Racing to introduce a junction and a symlink to trick msiexec.exe to modify the attacker specified file. \ -In addition, `msi.dll` has been abused in DLL side-loading attacks by being loaded by non-system binaries. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -action.escu.known_false_positives = It is possible some Administrative utilities will load msi.dll outside of normal system paths, filter as needed. -action.escu.creation_date = 2023-04-14 -action.escu.modification_date = 2023-04-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - MSI Module Loaded by Non-System Binary - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["Data Destruction", "Hermetic Wiper", "Windows Privilege Escalation"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - MSI Module Loaded by Non-System Binary - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 70, "cve": ["CVE-2021-41379"], "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.002", "T1574"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "ccb98a66-5851-11ec-b91c-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=7 ImageLoaded="*\\msi.dll" NOT (Image IN ("*\\System32\\*","*\\syswow64\\*","*\\windows\\*", "*\\winsxs\\*")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name dest EventCode ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `msi_module_loaded_by_non_system_binary_filter` - -[ESCU - Msmpeng Application DLL Side Loading - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search is to detect a suspicious creation of msmpeng.exe or mpsvc.dll in non default windows defender folder. This technique was seen with revil ransomware in Kaseya Supply chain. The approach is to drop an old version of msmpeng.exe to load the actual payload name as mspvc.dll which will load the revil ransomware to the compromise machine -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.002", "T1574"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search is to detect a suspicious creation of msmpeng.exe or mpsvc.dll in non default windows defender folder. This technique was seen with revil ransomware in Kaseya Supply chain. The approach is to drop an old version of msmpeng.exe to load the actual payload name as mspvc.dll which will load the revil ransomware to the compromise machine -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. -action.escu.known_false_positives = quite minimal false positive expected. -action.escu.creation_date = 2023-03-15 -action.escu.modification_date = 2023-03-15 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Msmpeng Application DLL Side Loading - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Ransomware", "Revil Ransomware"] -action.risk = 1 -action.risk.param._risk_message = Suspicious creation of msmpeng.exe or mpsvc.dll in non default windows defender folder on host - $dest$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Msmpeng Application DLL Side Loading - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Revil Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.002", "T1574"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "8bb3f280-dd9b-11eb-84d5-acde48001122", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search is to detect a suspicious creation of msmpeng.exe or mpsvc.dll in non default windows defender folder. This technique was seen with revil ransomware in Kaseya Supply chain. The approach is to drop an old version of msmpeng.exe to load the actual payload name as mspvc.dll which will load the revil ransomware to the compromise machine -action.notable.param.rule_title = Msmpeng Application DLL Side Loading -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = |tstats `security_content_summariesonly` values(Filesystem.file_path) as file_path count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_name = "msmpeng.exe" OR Filesystem.file_name = "mpsvc.dll") AND NOT (Filesystem.file_path IN ("*\\Program Files\\windows defender\\*","*\\WinSxS\\*defender-service*","*\\WinSxS\\Temp\\*defender-service*")) by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.user Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `msmpeng_application_dll_side_loading_filter` - -[ESCU - Net Localgroup Discovery - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the execution of the `net localgroup` command, which is used to enumerate local group memberships on a system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because it can indicate an attacker is gathering information about local group memberships, potentially to identify privileged accounts. If confirmed malicious, this behavior could lead to further privilege escalation or lateral movement within the network. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.001"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the execution of the `net localgroup` command, which is used to enumerate local group memberships on a system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because it can indicate an attacker is gathering information about local group memberships, potentially to identify privileged accounts. If confirmed malicious, this behavior could lead to further privilege escalation or lateral movement within the network. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives may be present. Tune as needed. -action.escu.creation_date = 2024-05-21 -action.escu.modification_date = 2024-05-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Net Localgroup Discovery - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Discovery", "Azorult", "Graceful Wipe Out Attack", "IcedID", "Prestige Ransomware", "Rhysida Ransomware", "Volt Typhoon", "Windows Discovery Techniques", "Windows Post-Exploitation"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Net Localgroup Discovery - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "Azorult", "Graceful Wipe Out Attack", "IcedID", "Prestige Ransomware", "Rhysida Ransomware", "Volt Typhoon", "Windows Discovery Techniques", "Windows Post-Exploitation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.001"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "54f5201e-155b-11ec-a6e2-acde48001122", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=net.exe OR Processes.process_name=net1.exe (Processes.process="*localgroup*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `net_localgroup_discovery_filter` - -[ESCU - NET Profiler UAC bypass - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search is to detect modification of registry to bypass UAC windows feature. This technique is to add a payload dll path on .NET COR file path that will be loaded by mmc.exe as soon it was executed. This detection rely on monitoring the registry key and values in the detection area. It may happened that windows update some dll related to mmc.exe and add dll path in this registry. In this case filtering is needed. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search is to detect modification of registry to bypass UAC windows feature. This technique is to add a payload dll path on .NET COR file path that will be loaded by mmc.exe as soon it was executed. This detection rely on monitoring the registry key and values in the detection area. It may happened that windows update some dll related to mmc.exe and add dll path in this registry. In this case filtering is needed. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -action.escu.known_false_positives = limited false positive. It may trigger by some windows update that will modify this registry. -action.escu.creation_date = 2022-02-18 -action.escu.modification_date = 2022-02-18 -action.escu.confidence = high -action.escu.full_search_name = ESCU - NET Profiler UAC bypass - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Windows Defense Evasion Tactics"] -action.risk = 1 -action.risk.param._risk_message = Suspicious modification of registry $registry_path$ with possible payload path $registry_path$ and key $registry_key_name$ in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - NET Profiler UAC bypass - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "0252ca80-e30d-11eb-8aa3-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search is to detect modification of registry to bypass UAC windows feature. This technique is to add a payload dll path on .NET COR file path that will be loaded by mmc.exe as soon it was executed. This detection rely on monitoring the registry key and values in the detection area. It may happened that windows update some dll related to mmc.exe and add dll path in this registry. In this case filtering is needed. -action.notable.param.rule_title = NET Profiler UAC bypass -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path= "*\\Environment\\COR_PROFILER_PATH" Registry.registry_value_data = "*.dll" by Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `net_profiler_uac_bypass_filter` - -[ESCU - Network Connection Discovery With Arp - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the execution of `arp.exe` with the `-a` flag, which is used to list network connections on a compromised system. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, command-line executions, and related telemetry. Monitoring this activity is significant because both Red Teams and adversaries use `arp.exe` for situational awareness and Active Directory discovery. If confirmed malicious, this activity could allow attackers to map the network, identify active devices, and plan further lateral movement or attacks. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1049"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the execution of `arp.exe` with the `-a` flag, which is used to list network connections on a compromised system. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, command-line executions, and related telemetry. Monitoring this activity is significant because both Red Teams and adversaries use `arp.exe` for situational awareness and Active Directory discovery. If confirmed malicious, this activity could allow attackers to map the network, identify active devices, and plan further lateral movement or attacks. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. -action.escu.creation_date = 2024-05-16 -action.escu.modification_date = 2024-05-16 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Network Connection Discovery With Arp - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Discovery", "IcedID", "Prestige Ransomware", "Qakbot", "Volt Typhoon", "Windows Post-Exploitation"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Network Connection Discovery With Arp - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "IcedID", "Prestige Ransomware", "Qakbot", "Volt Typhoon", "Windows Post-Exploitation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1049"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "ae008c0f-83bd-4ed4-9350-98d4328e15d2", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="arp.exe") (Processes.process=*-a*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `network_connection_discovery_with_arp_filter` - -[ESCU - Network Connection Discovery With Net - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic looks for the execution of `net.exe` with command-line arguments utilized to get a listing of network connections on a compromised system. Red Teams and adversaries alike may use net.exe for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1049"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for the execution of `net.exe` with command-line arguments utilized to get a listing of network connections on a compromised system. Red Teams and adversaries alike may use net.exe for situational awareness and Active Directory Discovery. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. -action.escu.creation_date = 2021-09-10 -action.escu.modification_date = 2021-09-10 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Network Connection Discovery With Net - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Discovery", "Azorult", "Prestige Ransomware", "Windows Post-Exploitation"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Network Connection Discovery With Net - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "Azorult", "Prestige Ransomware", "Windows Post-Exploitation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1049"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "640337e5-6e41-4b7f-af06-9d9eab5e1e2d", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="net.exe" OR Processes.process_name="net1.exe") (Processes.process=*use*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `network_connection_discovery_with_net_filter` - -[ESCU - Network Connection Discovery With Netstat - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic looks for the execution of `netstat.exe` with command-line arguments utilized to get a listing of network connections on a compromised system. Red Teams and adversaries alike may use netstat.exe for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1049"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for the execution of `netstat.exe` with command-line arguments utilized to get a listing of network connections on a compromised system. Red Teams and adversaries alike may use netstat.exe for situational awareness and Active Directory Discovery. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. -action.escu.creation_date = 2023-12-27 -action.escu.modification_date = 2023-12-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Network Connection Discovery With Netstat - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Discovery", "CISA AA22-277A", "CISA AA23-347A", "PlugX", "Prestige Ransomware", "Qakbot", "Volt Typhoon", "Windows Post-Exploitation"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Network Connection Discovery With Netstat - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "CISA AA22-277A", "CISA AA23-347A", "PlugX", "Prestige Ransomware", "Qakbot", "Volt Typhoon", "Windows Post-Exploitation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1049"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "2cf5cc25-f39a-436d-a790-4857e5995ede", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="netstat.exe") (Processes.process=*-a*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `network_connection_discovery_with_netstat_filter` - -[ESCU - Network Discovery Using Route Windows App - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic look for a spawned process of route.exe windows application. Adversaries and red teams alike abuse this application the recon or do a network discovery on a target host. but one possible false positive might be an automated tool used by a system administator or a powershell script in amazon ec2 config services. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1016", "T1016.001"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic look for a spawned process of route.exe windows application. Adversaries and red teams alike abuse this application the recon or do a network discovery on a target host. but one possible false positive might be an automated tool used by a system administator or a powershell script in amazon ec2 config services. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = A network operator or systems administrator may utilize an automated host discovery application that may generate false positives or an amazon ec2 script that uses this application. Filter as needed. -action.escu.creation_date = 2024-02-14 -action.escu.modification_date = 2024-02-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Network Discovery Using Route Windows App - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Discovery", "CISA AA22-277A", "Prestige Ransomware", "Qakbot", "Windows Post-Exploitation"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Network Discovery Using Route Windows App - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "CISA AA22-277A", "Prestige Ransomware", "Qakbot", "Windows Post-Exploitation"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1016", "T1016.001"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "dd83407e-439f-11ec-ab8e-acde48001122", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_route` by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `network_discovery_using_route_windows_app_filter` - -[ESCU - Network Share Discovery Via Dir Command - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies object access on Windows administrative SMB shares (Admin$, IPC$, C$). This represents suspicious behavior as its commonly used by tools like PsExec/PaExec and others to stage service binaries before creating and starting a Windows service on remote endpoints. Red Teams and adversaries alike may abuse administrative shares for lateral movement and remote code execution. The IcedID malware family also implements this behavior to try to infect other machines in the infected network. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1135"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies object access on Windows administrative SMB shares (Admin$, IPC$, C$). This represents suspicious behavior as its commonly used by tools like PsExec/PaExec and others to stage service binaries before creating and starting a Windows service on remote endpoints. Red Teams and adversaries alike may abuse administrative shares for lateral movement and remote code execution. The IcedID malware family also implements this behavior to try to infect other machines in the infected network. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Windows Security Event Logs with 5140 EventCode enabled. The Windows TA is also required. Also enable the object Audit access success/failure in your group policy. -action.escu.known_false_positives = System Administrators may use looks like net.exe or "dir commandline" for troubleshooting or administrations tasks. However, this will typically come only from certain users and certain systems that can be added to an allow list. -action.escu.creation_date = 2023-05-23 -action.escu.modification_date = 2023-05-23 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Network Share Discovery Via Dir Command - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.atomic_red_team_guids = ["13daa2cf-195a-43df-a8bd-7dd5ffb607b5"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["IcedID"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Network Share Discovery Via Dir Command - Rule -action.correlationsearch.annotations = {"analytic_story": ["IcedID"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1135"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "dc1457d0-1d9b-422e-b5a7-db46c184d9aa", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=5140 ShareName IN("\\\\*\\ADMIN$","\\\\*\\C$","*\\\\*\\IPC$") AccessMask= 0x1 | stats min(_time) as firstTime max(_time) as lastTime count by ShareName IpAddress ObjectType SubjectUserName SubjectDomainName IpPort AccessMask Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `network_share_discovery_via_dir_command_filter` - -[ESCU - Network Traffic to Active Directory Web Services Protocol - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies network traffic to Active Directory Web Services Protocol. This protocol is used to manage Active Directory. The analytic is meant to be tuned and filtered to the specific environment. It will assist defenders in identifying suspicious processes accessing port 9389. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.AE"]} -action.escu.data_models = ["Network_Traffic"] -action.escu.eli5 = The following analytic identifies network traffic to Active Directory Web Services Protocol. This protocol is used to manage Active Directory. The analytic is meant to be tuned and filtered to the specific environment. It will assist defenders in identifying suspicious processes accessing port 9389. -action.escu.how_to_implement = The detection is based on data that originates from network traffic logs. The logs must contain the source and destination IP addresses, the application name, and the destination port. The logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the network traffic data source. The logs must also be mapped to the `Network_Traffic` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives should be limited as the destination port is specific to Active Directory Web Services Protocol, however we recommend utilizing this analytic to hunt for non-standard processes querying the ADWS port. Filter by App or dest_ip to AD servers and remove known proceses querying ADWS. -action.escu.creation_date = 2024-03-14 -action.escu.modification_date = 2024-03-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Network Traffic to Active Directory Web Services Protocol - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Windows Discovery Techniques"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Network Traffic to Active Directory Web Services Protocol - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Discovery Techniques"], "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "68a0056c-34cb-455f-b03d-df935ea62c4f", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats count from datamodel=Network_Traffic where All_Traffic.dest_port=9389 by All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.app, All_Traffic.user, All_Traffic.dest_port | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name("All_Traffic")` | `network_traffic_to_active_directory_web_services_protocol_filter` - -[ESCU - Nishang PowershellTCPOneLine - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This query detects the Nishang Invoke-PowerShellTCPOneLine utility that spawns a call back to a remote Command And Control server. This is a powershell oneliner. In addition, this will capture on the command-line additional utilities used by Nishang. Triage the endpoint and identify any parallel processes that look suspicious. Review the reputation of the remote IP or domain contacted by the powershell process. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This query detects the Nishang Invoke-PowerShellTCPOneLine utility that spawns a call back to a remote Command And Control server. This is a powershell oneliner. In addition, this will capture on the command-line additional utilities used by Nishang. Triage the endpoint and identify any parallel processes that look suspicious. Review the reputation of the remote IP or domain contacted by the powershell process. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Limited false positives may be present. Filter as needed based on initial analysis. -action.escu.creation_date = 2021-03-03 -action.escu.modification_date = 2021-03-03 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Nishang PowershellTCPOneLine - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["HAFNIUM Group"] -action.risk = 1 -action.risk.param._risk_message = Possible Nishang Invoke-PowerShellTCPOneLine behavior on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 42}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Nishang PowershellTCPOneLine - Rule -action.correlationsearch.annotations = {"analytic_story": ["HAFNIUM Group"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "1a382c6c-7c2e-11eb-ac69-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This query detects the Nishang Invoke-PowerShellTCPOneLine utility that spawns a call back to a remote Command And Control server. This is a powershell oneliner. In addition, this will capture on the command-line additional utilities used by Nishang. Triage the endpoint and identify any parallel processes that look suspicious. Review the reputation of the remote IP or domain contacted by the powershell process. -action.notable.param.rule_title = Nishang PowershellTCPOneLine -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` (Processes.process=*Net.Sockets.TCPClient* AND Processes.process=*System.Text.ASCIIEncoding*) by Processes.dest Processes.user Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `nishang_powershelltcponeline_filter` - -[ESCU - NLTest Domain Trust Discovery - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search looks for the execution of `nltest.exe` with command-line arguments utilized to query for Domain Trust information. Two arguments `/domain trusts`, returns a list of trusted domains, and `/all_trusts`, returns all trusted domains. Red Teams and adversaries alike use NLTest.exe to enumerate the current domain to assist with further understanding where to pivot next. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1482"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search looks for the execution of `nltest.exe` with command-line arguments utilized to query for Domain Trust information. Two arguments `/domain trusts`, returns a list of trusted domains, and `/all_trusts`, returns all trusted domains. Red Teams and adversaries alike use NLTest.exe to enumerate the current domain to assist with further understanding where to pivot next. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators may use nltest for troubleshooting purposes, otherwise, rarely used. -action.escu.creation_date = 2022-04-18 -action.escu.modification_date = 2022-04-18 -action.escu.confidence = high -action.escu.full_search_name = ESCU - NLTest Domain Trust Discovery - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Discovery", "Domain Trust Discovery", "IcedID", "Qakbot", "Rhysida Ransomware", "Ryuk Ransomware"] -action.risk = 1 -action.risk.param._risk_message = Domain trust discovery execution on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 15}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - NLTest Domain Trust Discovery - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "Domain Trust Discovery", "IcedID", "Qakbot", "Rhysida Ransomware", "Ryuk Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1482"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c3e05466-5f22-11eb-ae93-0242ac130002", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search looks for the execution of `nltest.exe` with command-line arguments utilized to query for Domain Trust information. Two arguments `/domain trusts`, returns a list of trusted domains, and `/all_trusts`, returns all trusted domains. Red Teams and adversaries alike use NLTest.exe to enumerate the current domain to assist with further understanding where to pivot next. -action.notable.param.rule_title = NLTest Domain Trust Discovery -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_nltest` (Processes.process=*/domain_trusts* OR Processes.process=*/all_trusts*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `nltest_domain_trust_discovery_filter` - -[ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search is to detect an anomaly event of a non-chrome process accessing the files in chrome user default folder. This folder contains all the sqlite database of the chrome browser related to users login, history, cookies and etc. Most of the RAT, trojan spy as well as FIN7 jssloader try to parse the those sqlite database to collect information on the compromised host. This SACL Event (4663) need to be enabled to tthe firefox profile directory to be eable to use this. Since you monitoring this access to the folder, we observed noise that needs to be filter out and hence added sqlite db browser and explorer .exe to make this detection more stable. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1555", "T1555.003"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search is to detect an anomaly event of a non-chrome process accessing the files in chrome user default folder. This folder contains all the sqlite database of the chrome browser related to users login, history, cookies and etc. Most of the RAT, trojan spy as well as FIN7 jssloader try to parse the those sqlite database to collect information on the compromised host. This SACL Event (4663) need to be enabled to tthe firefox profile directory to be eable to use this. Since you monitoring this access to the folder, we observed noise that needs to be filter out and hence added sqlite db browser and explorer .exe to make this detection more stable. -action.escu.how_to_implement = To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." -action.escu.known_false_positives = other browser not listed related to firefox may catch by this rule. -action.escu.creation_date = 2024-04-26 -action.escu.modification_date = 2024-04-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["3CX Supply Chain Attack", "AgentTesla", "CISA AA23-347A", "DarkGate Malware", "FIN7", "NjRAT", "Phemedrone Stealer", "RedLine Stealer", "Remcos", "Snake Keylogger", "Warzone RAT"] -action.risk = 1 -action.risk.param._risk_message = a non chrome browser process $ProcessName$ accessing $ObjectName$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 35}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule -action.correlationsearch.annotations = {"analytic_story": ["3CX Supply Chain Attack", "AgentTesla", "CISA AA23-347A", "DarkGate Malware", "FIN7", "NjRAT", "Phemedrone Stealer", "RedLine Stealer", "Remcos", "Snake Keylogger", "Warzone RAT"], "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1555", "T1555.003"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "81263de4-160a-11ec-944f-acde48001122", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4663 NOT (ProcessName IN ("*\\chrome.exe", "*\\explorer.exe", "*sql*")) ObjectName="*\\Google\\Chrome\\User Data\\Default*" | stats count min(_time) as firstTime max(_time) as lastTime by ObjectName ObjectType ProcessName AccessMask EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `non_chrome_process_accessing_chrome_default_dir_filter` - -[ESCU - Non Firefox Process Access Firefox Profile Dir - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search is to detect an anomaly event of a non-firefox process accessing the files in the profile folder. This folder contains all the sqlite database of the firefox browser related to users login, history, cookies and etc. Most of the RAT, trojan spy as well as FIN7 jssloader try to parse the those sqlite database to collect information on the compromised host. This SACL Event (4663) needs to be enabled to the firefox profile directory to use this. Since this is monitoring the access to the folder, we have obsevered noise and hence added `sqlite db browser` and `explorer.exe` to make this detection more stable. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1555", "T1555.003"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search is to detect an anomaly event of a non-firefox process accessing the files in the profile folder. This folder contains all the sqlite database of the firefox browser related to users login, history, cookies and etc. Most of the RAT, trojan spy as well as FIN7 jssloader try to parse the those sqlite database to collect information on the compromised host. This SACL Event (4663) needs to be enabled to the firefox profile directory to use this. Since this is monitoring the access to the folder, we have obsevered noise and hence added `sqlite db browser` and `explorer.exe` to make this detection more stable. -action.escu.how_to_implement = To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." -action.escu.known_false_positives = other browser not listed related to firefox may catch by this rule. -action.escu.creation_date = 2024-04-26 -action.escu.modification_date = 2024-04-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Non Firefox Process Access Firefox Profile Dir - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["3CX Supply Chain Attack", "AgentTesla", "Azorult", "CISA AA23-347A", "DarkGate Malware", "FIN7", "NjRAT", "Phemedrone Stealer", "RedLine Stealer", "Remcos", "Snake Keylogger", "Warzone RAT"] -action.risk = 1 -action.risk.param._risk_message = a non firefox browser process $ProcessName$ accessing $ObjectName$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 35}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Non Firefox Process Access Firefox Profile Dir - Rule -action.correlationsearch.annotations = {"analytic_story": ["3CX Supply Chain Attack", "AgentTesla", "Azorult", "CISA AA23-347A", "DarkGate Malware", "FIN7", "NjRAT", "Phemedrone Stealer", "RedLine Stealer", "Remcos", "Snake Keylogger", "Warzone RAT"], "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1555", "T1555.003"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e6fc13b0-1609-11ec-b533-acde48001122", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4663 NOT (ProcessName IN ("*\\firefox.exe", "*\\explorer.exe", "*sql*")) ObjectName="*\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles*" | stats count min(_time) as firstTime max(_time) as lastTime by ObjectName ObjectType ProcessName AccessMask EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `non_firefox_process_access_firefox_profile_dir_filter` - -[ESCU - Notepad with no Command Line Arguments - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies behavior related to default SliverC2 framework where it will inject into Notepad.exe and spawn Notepad.exe with no command line arguments. In testing, this is a common procedure for SliverC2 usage, however may be modified or changed. From Microsoft, "The Sideload, SpawnDll, and Execute-Assembly commands spawn and inject into notepad.exe by default. The following query finds process creation events where the same process creates and injects into notepad.exe within 10 seconds." -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies behavior related to default SliverC2 framework where it will inject into Notepad.exe and spawn Notepad.exe with no command line arguments. In testing, this is a common procedure for SliverC2 usage, however may be modified or changed. From Microsoft, "The Sideload, SpawnDll, and Execute-Assembly commands spawn and inject into notepad.exe by default. The following query finds process creation events where the same process creates and injects into notepad.exe within 10 seconds." -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives may be present and filtering may need to occur based on organization endpoint behavior. -action.escu.creation_date = 2023-02-22 -action.escu.modification_date = 2023-02-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Notepad with no Command Line Arguments - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["BishopFox Sliver Adversary Emulation Framework"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ with no command line arguments. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 35}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 35}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 35}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Notepad with no Command Line Arguments - Rule -action.correlationsearch.annotations = {"analytic_story": ["BishopFox Sliver Adversary Emulation Framework"], "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "5adbc5f1-9a2f-41c1-a810-f37e015f8179", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies behavior related to default SliverC2 framework where it will inject into Notepad.exe and spawn Notepad.exe with no command line arguments. In testing, this is a common procedure for SliverC2 usage, however may be modified or changed. From Microsoft, "The Sideload, SpawnDll, and Execute-Assembly commands spawn and inject into notepad.exe by default. The following query finds process creation events where the same process creates and injects into notepad.exe within 10 seconds." -action.notable.param.rule_title = Notepad with no Command Line Arguments -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_name=notepad.exe AND Processes.action!="blocked" by host _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process="(?i)(notepad\.exe.{0,4}$)" | `notepad_with_no_command_line_arguments_filter` - -[ESCU - Ntdsutil Export NTDS - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = Monitor for signs that Ntdsutil is being used to Extract Active Directory database - NTDS.dit, typically used for offline password cracking. It may be used in normal circumstances with no command line arguments or shorthand variations of more common arguments. Ntdsutil.exe is typically seen run on a Windows Server. Typical command used to dump ntds.dit \ -ntdsutil "ac i ntds" "ifm" "create full C:\Temp" q q \ -This technique uses "Install from Media" (IFM), which will extract a copy of the Active Directory database. A successful export of the Active Directory database will yield a file modification named ntds.dit to the destination. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = Monitor for signs that Ntdsutil is being used to Extract Active Directory database - NTDS.dit, typically used for offline password cracking. It may be used in normal circumstances with no command line arguments or shorthand variations of more common arguments. Ntdsutil.exe is typically seen run on a Windows Server. Typical command used to dump ntds.dit \ -ntdsutil "ac i ntds" "ifm" "create full C:\Temp" q q \ -This technique uses "Install from Media" (IFM), which will extract a copy of the Active Directory database. A successful export of the Active Directory database will yield a file modification named ntds.dit to the destination. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Highly possible Server Administrators will troubleshoot with ntdsutil.exe, generating false positives. -action.escu.creation_date = 2021-01-28 -action.escu.modification_date = 2021-01-28 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Ntdsutil Export NTDS - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Credential Dumping", "HAFNIUM Group", "Living Off The Land", "Prestige Ransomware", "Rhysida Ransomware", "Volt Typhoon"] -action.risk = 1 -action.risk.param._risk_message = Active Directory NTDS export on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 50}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Ntdsutil Export NTDS - Rule -action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping", "HAFNIUM Group", "Living Off The Land", "Prestige Ransomware", "Rhysida Ransomware", "Volt Typhoon"], "cis20": ["CIS 10"], "confidence": 50, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "da63bc76-61ae-11eb-ae93-0242ac130002", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = Monitor for signs that Ntdsutil is being used to Extract Active Directory database - NTDS.dit, typically used for offline password cracking. It may be used in normal circumstances with no command line arguments or shorthand variations of more common arguments. Ntdsutil.exe is typically seen run on a Windows Server. Typical command used to dump ntds.dit \ -ntdsutil "ac i ntds" "ifm" "create full C:\Temp" q q \ -This technique uses "Install from Media" (IFM), which will extract a copy of the Active Directory database. A successful export of the Active Directory database will yield a file modification named ntds.dit to the destination. -action.notable.param.rule_title = Ntdsutil Export NTDS -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=ntdsutil.exe Processes.process=*ntds* Processes.process=*create*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `ntdsutil_export_ntds_filter` - -[ESCU - Office Application Drop Executable - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search is to detect a suspicious MS office application that drops or creates executables or scripts in a Windows Operating System. This behavior is commonly seen in spear phishing office attachment where it drop malicious files or script to compromised the host. It might be some normal macro may drop script or tools as part of automation but still this behavior is reallly suspicious and not commonly seen in normal office application -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search is to detect a suspicious MS office application that drops or creates executables or scripts in a Windows Operating System. This behavior is commonly seen in spear phishing office attachment where it drop malicious files or script to compromised the host. It might be some normal macro may drop script or tools as part of automation but still this behavior is reallly suspicious and not commonly seen in normal office application -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used. -action.escu.known_false_positives = office macro for automation may do this behavior -action.escu.creation_date = 2023-02-15 -action.escu.modification_date = 2023-02-15 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Office Application Drop Executable - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["AgentTesla", "CVE-2023-21716 Word RTF Heap Corruption", "FIN7", "PlugX", "Warzone RAT"] -action.risk = 1 -action.risk.param._risk_message = process $process_name$ drops a file $file_name$ in host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}, {"threat_object_field": "process_name", "threat_object_type": "process"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Office Application Drop Executable - Rule -action.correlationsearch.annotations = {"analytic_story": ["AgentTesla", "CVE-2023-21716 Word RTF Heap Corruption", "FIN7", "PlugX", "Warzone RAT"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "73ce70c4-146d-11ec-9184-acde48001122", "detection_version": "4"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search is to detect a suspicious MS office application that drops or creates executables or scripts in a Windows Operating System. This behavior is commonly seen in spear phishing office attachment where it drop malicious files or script to compromised the host. It might be some normal macro may drop script or tools as part of automation but still this behavior is reallly suspicious and not commonly seen in normal office application -action.notable.param.rule_title = Office Application Drop Executable -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","wordpad.exe","wordview.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe","msaccess.exe") by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.process_guid | `drop_dm_object_name(Processes)` |join process_guid, _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*.exe","*.dll","*.pif","*.scr","*.js","*.vbs","*.vbe","*.ps1") by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | fields _time dest file_create_time file_name file_path process_name process_path process process_guid] | dedup file_create_time | table dest, process_name, process, file_create_time, file_name, file_path, process_guid | `office_application_drop_executable_filter` - -[ESCU - Office Application Spawn Regsvr32 process - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = this detection was designed to identifies suspicious spawned process of known MS office application due to macro or malicious code. this technique can be seen in so many malware like IcedID that used MS office as its weapon or attack vector to initially infect the machines. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = this detection was designed to identifies suspicious spawned process of known MS office application due to macro or malicious code. this technique can be seen in so many malware like IcedID that used MS office as its weapon or attack vector to initially infect the machines. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-02-15 -action.escu.modification_date = 2023-02-15 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Office Application Spawn Regsvr32 process - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["IcedID", "Qakbot"] -action.risk = 1 -action.risk.param._risk_message = Office application spawning regsvr32.exe on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Office Application Spawn Regsvr32 process - Rule -action.correlationsearch.annotations = {"analytic_story": ["IcedID", "Qakbot"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "2d9fc90c-f11f-11eb-9300-acde48001122", "detection_version": "4"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = this detection was designed to identifies suspicious spawned process of known MS office application due to macro or malicious code. this technique can be seen in so many malware like IcedID that used MS office as its weapon or attack vector to initially infect the machines. -action.notable.param.rule_title = Office Application Spawn Regsvr32 process -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name = "winword.exe" OR Processes.parent_process_name = "excel.exe" OR Processes.parent_process_name = "powerpnt.exe" OR Processes.parent_process_name = "outlook.exe" OR Processes.parent_process_name = "onenote.exe" OR Processes.parent_process_name = "onenotem.exe" OR Processes.parent_process_name = "onenoteviewer.exe" OR Processes.parent_process_name = "onenoteim.exe" OR Processes.parent_process_name="msaccess.exe") `process_regsvr32` by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.user Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `office_application_spawn_regsvr32_process_filter` - -[ESCU - Office Application Spawn rundll32 process - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This detection was designed to identify suspicious spawned processes of known MS office applications due to macro or malicious code. this technique can be seen in so many malware like trickbot that used MS office as its weapon or attack vector to initially infect the machines. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This detection was designed to identify suspicious spawned processes of known MS office applications due to macro or malicious code. this technique can be seen in so many malware like trickbot that used MS office as its weapon or attack vector to initially infect the machines. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-02-15 -action.escu.modification_date = 2023-02-15 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Office Application Spawn rundll32 process - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["AgentTesla", "IcedID", "NjRAT", "Spearphishing Attachments", "Trickbot"] -action.risk = 1 -action.risk.param._risk_message = Office application spawning rundll32.exe on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Office Application Spawn rundll32 process - Rule -action.correlationsearch.annotations = {"analytic_story": ["AgentTesla", "IcedID", "NjRAT", "Spearphishing Attachments", "Trickbot"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "958751e4-9c5f-11eb-b103-acde48001122", "detection_version": "4"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This detection was designed to identify suspicious spawned processes of known MS office applications due to macro or malicious code. this technique can be seen in so many malware like trickbot that used MS office as its weapon or attack vector to initially infect the machines. -action.notable.param.rule_title = Office Application Spawn rundll32 process -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name = "winword.exe" OR Processes.parent_process_name = "excel.exe" OR Processes.parent_process_name = "powerpnt.exe" OR Processes.parent_process_name= "onenote.exe" OR Processes.parent_process_name = "onenotem.exe" OR Processes.parent_process_name = "onenoteviewer.exe" OR Processes.parent_process_name = "onenoteim.exe" OR Processes.parent_process_name = "msaccess.exe") AND `process_rundll32` by Processes.parent_process Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `office_application_spawn_rundll32_process_filter` - -[ESCU - Office Document Creating Schedule Task - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects a potentially malicious office document that creates a scheduled task entry either through a macro VBA API or by loading taskschd.dll. This technique has been observed in numerous instances of malicious macro malware aiming to establish persistence or beaconing through task schedule entries. The analytic will return the first and last time the task was registered, as well as details such as the `Command` to be executed, `Task Name`, `Author`, `Enabled` status, and whether it is `Hidden`. schtasks.exe is natively located in `C:\Windows\system32` and `C:\Windows\syswow64`. The DLL(s) `taskschd.dll` are loaded when schtasks.exe or TaskService is initiated. If this DLL is found loaded by another process, it may indicate that a scheduled task is being registered within that process's context in memory. During triage, determine the source of the scheduled task. Was it schtasks.exe or via TaskService? Review the job created and the command to be executed. Capture any artifacts on disk for further review. Identify any parallel processes within the same timeframe to pinpoint the source.' -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects a potentially malicious office document that creates a scheduled task entry either through a macro VBA API or by loading taskschd.dll. This technique has been observed in numerous instances of malicious macro malware aiming to establish persistence or beaconing through task schedule entries. The analytic will return the first and last time the task was registered, as well as details such as the `Command` to be executed, `Task Name`, `Author`, `Enabled` status, and whether it is `Hidden`. schtasks.exe is natively located in `C:\Windows\system32` and `C:\Windows\syswow64`. The DLL(s) `taskschd.dll` are loaded when schtasks.exe or TaskService is initiated. If this DLL is found loaded by another process, it may indicate that a scheduled task is being registered within that process's context in memory. During triage, determine the source of the scheduled task. Was it schtasks.exe or via TaskService? Review the job created and the command to be executed. Capture any artifacts on disk for further review. Identify any parallel processes within the same timeframe to pinpoint the source.' -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and ImageLoaded (Like sysmon EventCode 7) from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Also be sure to include those monitored dll to your own sysmon config. -action.escu.known_false_positives = False positives may occur if legitimate office documents are creating scheduled tasks. Ensure to investigate the scheduled task and the command to be executed. If the task is benign, add the task name to the exclusion list. Some applications may legitimately load taskschd.dll. -action.escu.creation_date = 2024-03-14 -action.escu.modification_date = 2024-03-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Office Document Creating Schedule Task - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["Spearphishing Attachments"] -action.risk = 1 -action.risk.param._risk_message = An Office document was identified creating a scheduled task on $dest$. Investigate further. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Office Document Creating Schedule Task - Rule -action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "cc8b7b74-9d0f-11eb-8342-acde48001122", "detection_version": "6"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects a potentially malicious office document that creates a scheduled task entry either through a macro VBA API or by loading taskschd.dll. This technique has been observed in numerous instances of malicious macro malware aiming to establish persistence or beaconing through task schedule entries. The analytic will return the first and last time the task was registered, as well as details such as the `Command` to be executed, `Task Name`, `Author`, `Enabled` status, and whether it is `Hidden`. schtasks.exe is natively located in `C:\Windows\system32` and `C:\Windows\syswow64`. The DLL(s) `taskschd.dll` are loaded when schtasks.exe or TaskService is initiated. If this DLL is found loaded by another process, it may indicate that a scheduled task is being registered within that process's context in memory. During triage, determine the source of the scheduled task. Was it schtasks.exe or via TaskService? Review the job created and the command to be executed. Capture any artifacts on disk for further review. Identify any parallel processes within the same timeframe to pinpoint the source.' -action.notable.param.rule_title = Office Document Creating Schedule Task -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=7 process_name IN ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe", "msaccess.exe") loaded_file_path = "*\\taskschd.dll" | stats min(_time) as firstTime max(_time) as lastTime count by user_id, dest, process_name,loaded_file, loaded_file_path, original_file_name, process_guid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `office_document_creating_schedule_task_filter` - -[ESCU - Office Document Executing Macro Code - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This detection is designed to identify suspicious office documents that utilize macro code. Macro code is known to be a prevalent weaponization or attack vector for threat actors. This malicious macro code can be embedded in an office document as an attachment, potentially executing a malicious payload, downloading malware, or other malicious components. It is a good practice to disable macros by default to prevent the automatic execution of macro code when opening or closing office document files. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This detection is designed to identify suspicious office documents that utilize macro code. Macro code is known to be a prevalent weaponization or attack vector for threat actors. This malicious macro code can be embedded in an office document as an attachment, potentially executing a malicious payload, downloading malware, or other malicious components. It is a good practice to disable macros by default to prevent the automatic execution of macro code when opening or closing office document files. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and ImageLoaded (Like sysmon EventCode 7) from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Also be sure to include those monitored dll to your own sysmon config. -action.escu.known_false_positives = False positives may occur if legitimate office documents are executing macro code. Ensure to investigate the macro code and the command to be executed. If the macro code is benign, add the document name to the exclusion list. Some applications may legitimately load VBE7INTL.DLL, VBE7.DLL, or VBEUI.DLL. -action.escu.creation_date = 2024-03-17 -action.escu.modification_date = 2024-03-17 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Office Document Executing Macro Code - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["AgentTesla", "Azorult", "DarkCrystal RAT", "IcedID", "NjRAT", "PlugX", "Qakbot", "Remcos", "Spearphishing Attachments", "Trickbot"] -action.risk = 1 -action.risk.param._risk_message = Office document executing a macro on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 35}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Office Document Executing Macro Code - Rule -action.correlationsearch.annotations = {"analytic_story": ["AgentTesla", "Azorult", "DarkCrystal RAT", "IcedID", "NjRAT", "PlugX", "Qakbot", "Remcos", "Spearphishing Attachments", "Trickbot"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "b12c89bc-9d06-11eb-a592-acde48001122", "detection_version": "5"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This detection is designed to identify suspicious office documents that utilize macro code. Macro code is known to be a prevalent weaponization or attack vector for threat actors. This malicious macro code can be embedded in an office document as an attachment, potentially executing a malicious payload, downloading malware, or other malicious components. It is a good practice to disable macros by default to prevent the automatic execution of macro code when opening or closing office document files. -action.notable.param.rule_title = Office Document Executing Macro Code -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=7 process_name IN ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe","msaccess.exe") loaded_file_path IN ("*\\VBE7INTL.DLL","*\\VBE7.DLL", "*\\VBEUI.DLL") | stats min(_time) as firstTime max(_time) as lastTime values(loaded_file) as loaded_file count by dest EventCode process_name process_guid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `office_document_executing_macro_code_filter` - -[ESCU - Office Document Spawned Child Process To Download - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search is to detect potential malicious office document executing lolbin child process to download payload or other malware. Since most of the attacker abused the capability of office document to execute living on land application to blend it to the normal noise in the infected machine to cover its track. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search is to detect potential malicious office document executing lolbin child process to download payload or other malware. Since most of the attacker abused the capability of office document to execute living on land application to blend it to the normal noise in the infected machine to cover its track. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Default browser not in the filter list. -action.escu.creation_date = 2023-07-11 -action.escu.modification_date = 2023-07-11 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Office Document Spawned Child Process To Download - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "NjRAT", "PlugX", "Spearphishing Attachments"] -action.risk = 1 -action.risk.param._risk_message = Office document spawning suspicious child process on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 35}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Office Document Spawned Child Process To Download - Rule -action.correlationsearch.annotations = {"analytic_story": ["CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "NjRAT", "PlugX", "Spearphishing Attachments"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "6fed27d2-9ec7-11eb-8fe4-aa665a019aa3", "detection_version": "6"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search is to detect potential malicious office document executing lolbin child process to download payload or other malware. Since most of the attacker abused the capability of office document to execute living on land application to blend it to the normal noise in the infected machine to cover its track. -action.notable.param.rule_title = Office Document Spawned Child Process To Download -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe","msaccess.exe", "Graph.exe","winproj.exe") Processes.process IN ("*http:*","*https:*") NOT (Processes.original_file_name IN("firefox.exe", "chrome.exe","iexplore.exe","msedge.exe")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `office_document_spawned_child_process_to_download_filter` - -[ESCU - Office Product Spawn CMD Process - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = this search is to detect a suspicious office product process that spawn cmd child process. This is commonly seen in a ms office product having macro to execute shell command to download or execute malicious lolbin relative to its malicious code. This is seen in trickbot spear phishing doc where it execute shell cmd to run mshta payload. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = this search is to detect a suspicious office product process that spawn cmd child process. This is commonly seen in a ms office product having macro to execute shell command to download or execute malicious lolbin relative to its malicious code. This is seen in trickbot spear phishing doc where it execute shell cmd to run mshta payload. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = IT or network admin may create an document automation that will run shell script. -action.escu.creation_date = 2023-07-11 -action.escu.modification_date = 2023-07-11 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Office Product Spawn CMD Process - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["AgentTesla", "Azorult", "CVE-2023-21716 Word RTF Heap Corruption", "CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "DarkCrystal RAT", "NjRAT", "PlugX", "Qakbot", "Remcos", "Trickbot", "Warzone RAT"] -action.risk = 1 -action.risk.param._risk_message = an office product parent process $parent_process_name$ spawn child process $process_name$ in host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 56}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Office Product Spawn CMD Process - Rule -action.correlationsearch.annotations = {"analytic_story": ["AgentTesla", "Azorult", "CVE-2023-21716 Word RTF Heap Corruption", "CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "DarkCrystal RAT", "NjRAT", "PlugX", "Qakbot", "Remcos", "Trickbot", "Warzone RAT"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "b8b19420-e892-11eb-9244-acde48001122", "detection_version": "5"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = this search is to detect a suspicious office product process that spawn cmd child process. This is commonly seen in a ms office product having macro to execute shell command to download or execute malicious lolbin relative to its malicious code. This is seen in trickbot spear phishing doc where it execute shell cmd to run mshta payload. -action.notable.param.rule_title = Office Product Spawn CMD Process -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name = "winword.exe" OR Processes.parent_process_name= "excel.exe" OR Processes.parent_process_name = "powerpnt.exe" OR Processes.parent_process_name= "onenote.exe" OR Processes.parent_process_name = "onenotem.exe" OR Processes.parent_process_name = "onenoteviewer.exe" OR Processes.parent_process_name = "onenoteim.exe" OR Processes.parent_process_name = "msaccess.exe" OR Processes.parent_process_name="Graph.exe" OR Processes.parent_process_name="winproj.exe") `process_cmd` by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.process_guid Processes.user Processes.dest Processes.original_file_name | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `office_product_spawn_cmd_process_filter` - -[ESCU - Office Product Spawning BITSAdmin - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following detection identifies the latest behavior utilized by different malware families (including TA551, IcedID). This detection identifies any Windows Office Product spawning `bitsadmin.exe`. In malicious instances, the command-line of `bitsadmin.exe` will contain a URL to a remote destination or similar command-line arguments as transfer, Download, priority, Foreground. In addition, Threat Research has released a detections identifying suspicious use of `bitsadmin.exe`. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. The Office Product, or `bitsadmin.exe` will have reached out to a remote destination, capture and block the IPs or domain. Review additional parallel processes for further activity. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following detection identifies the latest behavior utilized by different malware families (including TA551, IcedID). This detection identifies any Windows Office Product spawning `bitsadmin.exe`. In malicious instances, the command-line of `bitsadmin.exe` will contain a URL to a remote destination or similar command-line arguments as transfer, Download, priority, Foreground. In addition, Threat Research has released a detections identifying suspicious use of `bitsadmin.exe`. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. The Office Product, or `bitsadmin.exe` will have reached out to a remote destination, capture and block the IPs or domain. Review additional parallel processes for further activity. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = No false positives known. Filter as needed. -action.escu.creation_date = 2023-07-11 -action.escu.modification_date = 2023-07-11 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Office Product Spawning BITSAdmin - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "Spearphishing Attachments"] -action.risk = 1 -action.risk.param._risk_message = office parent process $parent_process_name$ will execute a suspicious child process $process_name$ with process id $process_id$ in host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}, {"threat_object_field": "process_name", "threat_object_type": "process"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Office Product Spawning BITSAdmin - Rule -action.correlationsearch.annotations = {"analytic_story": ["CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "Spearphishing Attachments"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e8c591f4-a6d7-11eb-8cf7-acde48001122", "detection_version": "5"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following detection identifies the latest behavior utilized by different malware families (including TA551, IcedID). This detection identifies any Windows Office Product spawning `bitsadmin.exe`. In malicious instances, the command-line of `bitsadmin.exe` will contain a URL to a remote destination or similar command-line arguments as transfer, Download, priority, Foreground. In addition, Threat Research has released a detections identifying suspicious use of `bitsadmin.exe`. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. The Office Product, or `bitsadmin.exe` will have reached out to a remote destination, capture and block the IPs or domain. Review additional parallel processes for further activity. -action.notable.param.rule_title = Office Product Spawning BITSAdmin -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe", "msaccess.exe", "Graph.exe","winproj.exe") `process_bitsadmin` by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `office_product_spawning_bitsadmin_filter` - -[ESCU - Office Product Spawning CertUtil - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following detection identifies the latest behavior utilized by different malware families (including TA551, IcedID). This detection identifies any Windows Office Product spawning `certutil.exe`. In malicious instances, the command-line of `certutil.exe` will contain a URL to a remote destination. In addition, Threat Research has released a detections identifying suspicious use of `certutil.exe`. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. The Office Product, or `certutil.exe` will have reached out to a remote destination, capture and block the IPs or domain. Review additional parallel processes for further activity. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following detection identifies the latest behavior utilized by different malware families (including TA551, IcedID). This detection identifies any Windows Office Product spawning `certutil.exe`. In malicious instances, the command-line of `certutil.exe` will contain a URL to a remote destination. In addition, Threat Research has released a detections identifying suspicious use of `certutil.exe`. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. The Office Product, or `certutil.exe` will have reached out to a remote destination, capture and block the IPs or domain. Review additional parallel processes for further activity. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = No false positives known. Filter as needed. -action.escu.creation_date = 2023-07-11 -action.escu.modification_date = 2023-07-11 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Office Product Spawning CertUtil - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["AgentTesla", "CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "Spearphishing Attachments", "Trickbot"] -action.risk = 1 -action.risk.param._risk_message = office parent process $parent_process_name$ will execute a suspicious child process $process_name$ with process id $process_id$ in host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}, {"threat_object_field": "process_name", "threat_object_type": "process"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Office Product Spawning CertUtil - Rule -action.correlationsearch.annotations = {"analytic_story": ["AgentTesla", "CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "Spearphishing Attachments", "Trickbot"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "6925fe72-a6d5-11eb-9e17-acde48001122", "detection_version": "5"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following detection identifies the latest behavior utilized by different malware families (including TA551, IcedID). This detection identifies any Windows Office Product spawning `certutil.exe`. In malicious instances, the command-line of `certutil.exe` will contain a URL to a remote destination. In addition, Threat Research has released a detections identifying suspicious use of `certutil.exe`. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. The Office Product, or `certutil.exe` will have reached out to a remote destination, capture and block the IPs or domain. Review additional parallel processes for further activity. -action.notable.param.rule_title = Office Product Spawning CertUtil -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe","msaccess.exe", "Graph.exe","winproj.exe") `process_certutil` by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `office_product_spawning_certutil_filter` - -[ESCU - Office Product Spawning MSHTA - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following detection identifies the latest behavior utilized by different malware families (including TA551, IcedID). This detection identifies any Windows Office Product spawning `mshta.exe`. In malicious instances, the command-line of `mshta.exe` will contain the `hta` file locally, or a URL to the remote destination. In addition, Threat Research has released a detections identifying suspicious use of `mshta.exe`. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. The Office Product, or `mshta.exe` will have reached out to a remote destination, capture and block the IPs or domain. Review additional parallel processes for further activity. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following detection identifies the latest behavior utilized by different malware families (including TA551, IcedID). This detection identifies any Windows Office Product spawning `mshta.exe`. In malicious instances, the command-line of `mshta.exe` will contain the `hta` file locally, or a URL to the remote destination. In addition, Threat Research has released a detections identifying suspicious use of `mshta.exe`. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. The Office Product, or `mshta.exe` will have reached out to a remote destination, capture and block the IPs or domain. Review additional parallel processes for further activity. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = No false positives known. Filter as needed. -action.escu.creation_date = 2023-07-11 -action.escu.modification_date = 2023-07-11 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Office Product Spawning MSHTA - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Azorult", "CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "IcedID", "NjRAT", "Spearphishing Attachments"] -action.risk = 1 -action.risk.param._risk_message = office parent process $parent_process_name$ will execute a suspicious child process $process_name$ with process id $process_id$ in host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}, {"threat_object_field": "process_name", "threat_object_type": "process"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Office Product Spawning MSHTA - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azorult", "CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "IcedID", "NjRAT", "Spearphishing Attachments"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "6078fa20-a6d2-11eb-b662-acde48001122", "detection_version": "4"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following detection identifies the latest behavior utilized by different malware families (including TA551, IcedID). This detection identifies any Windows Office Product spawning `mshta.exe`. In malicious instances, the command-line of `mshta.exe` will contain the `hta` file locally, or a URL to the remote destination. In addition, Threat Research has released a detections identifying suspicious use of `mshta.exe`. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. The Office Product, or `mshta.exe` will have reached out to a remote destination, capture and block the IPs or domain. Review additional parallel processes for further activity. -action.notable.param.rule_title = Office Product Spawning MSHTA -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe", "onenote.exe","onenotem.exe", "msaccess.exe","Graph.exe","winproj.exe") `process_mshta` by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `office_product_spawning_mshta_filter` - -[ESCU - Office Product Spawning Rundll32 with no DLL - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following detection identifies the latest behavior utilized by IcedID malware family. This detection identifies any Windows Office Product spawning `rundll32.exe` without a `.dll` file extension. In malicious instances, the command-line of `rundll32.exe` will look like `rundll32 ..\oepddl.igk2,DllRegisterServer`. In addition, Threat Research has released a detection identifying the use of `DllRegisterServer` on the command-line of `rundll32.exe`. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze the `DLL` that was dropped to disk. The Office Product will have reached out to a remote destination, capture and block the IPs or domain. Review additional parallel processes for further activity. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following detection identifies the latest behavior utilized by IcedID malware family. This detection identifies any Windows Office Product spawning `rundll32.exe` without a `.dll` file extension. In malicious instances, the command-line of `rundll32.exe` will look like `rundll32 ..\oepddl.igk2,DllRegisterServer`. In addition, Threat Research has released a detection identifying the use of `DllRegisterServer` on the command-line of `rundll32.exe`. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze the `DLL` that was dropped to disk. The Office Product will have reached out to a remote destination, capture and block the IPs or domain. Review additional parallel processes for further activity. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives should be limited, but if any are present, filter as needed. -action.escu.creation_date = 2023-07-11 -action.escu.modification_date = 2023-07-11 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Office Product Spawning Rundll32 with no DLL - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "Spearphishing Attachments"] -action.risk = 1 -action.risk.param._risk_message = office parent process $parent_process_name$ will execute a suspicious child process $process_name$ with process id $process_id$ and no dll commandline $process$ in host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}, {"threat_object_field": "process_name", "threat_object_type": "process"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Office Product Spawning Rundll32 with no DLL - Rule -action.correlationsearch.annotations = {"analytic_story": ["CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "Spearphishing Attachments"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c661f6be-a38c-11eb-be57-acde48001122", "detection_version": "5"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following detection identifies the latest behavior utilized by IcedID malware family. This detection identifies any Windows Office Product spawning `rundll32.exe` without a `.dll` file extension. In malicious instances, the command-line of `rundll32.exe` will look like `rundll32 ..\oepddl.igk2,DllRegisterServer`. In addition, Threat Research has released a detection identifying the use of `DllRegisterServer` on the command-line of `rundll32.exe`. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze the `DLL` that was dropped to disk. The Office Product will have reached out to a remote destination, capture and block the IPs or domain. Review additional parallel processes for further activity. -action.notable.param.rule_title = Office Product Spawning Rundll32 with no DLL -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe", "msaccess.exe", "Graph.exe","winproj.exe") `process_rundll32` (Processes.process!=*.dll*) by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `office_product_spawning_rundll32_with_no_dll_filter` - -[ESCU - Office Product Spawning Windows Script Host - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects an Office product spawning WScript.exe or CScript.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where Office applications are the parent processes. This activity is significant because it may indicate the execution of potentially malicious scripts through Office products, a common tactic in phishing attacks and malware delivery. If confirmed malicious, this behavior could lead to unauthorized code execution, data exfiltration, or further system compromise. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects an Office product spawning WScript.exe or CScript.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where Office applications are the parent processes. This activity is significant because it may indicate the execution of potentially malicious scripts through Office products, a common tactic in phishing attacks and malware delivery. If confirmed malicious, this behavior could lead to unauthorized code execution, data exfiltration, or further system compromise. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives may be present based on macro based approved documents in the organization. Filtering may be needed. -action.escu.creation_date = 2024-05-17 -action.escu.modification_date = 2024-05-17 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Office Product Spawning Windows Script Host - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "Remcos", "Spearphishing Attachments"] -action.risk = 1 -action.risk.param._risk_message = office parent process $parent_process_name$ will execute a suspicious child process $process_name$ on host $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 63}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 63}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Office Product Spawning Windows Script Host - Rule -action.correlationsearch.annotations = {"analytic_story": ["CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "Remcos", "Spearphishing Attachments"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "b3628a5b-8d02-42fa-a891-eebf2351cbe1", "detection_version": "6"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects an Office product spawning WScript.exe or CScript.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where Office applications are the parent processes. This activity is significant because it may indicate the execution of potentially malicious scripts through Office products, a common tactic in phishing attacks and malware delivery. If confirmed malicious, this behavior could lead to unauthorized code execution, data exfiltration, or further system compromise. -action.notable.param.rule_title = Office Product Spawning Windows Script Host -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe", "msaccess.exe","Graph.exe","winproj.exe") Processes.process_name IN ("wscript.exe", "cscript.exe") by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `office_product_spawning_windows_script_host_filter` - -[ESCU - Office Product Spawning Wmic - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following detection identifies the latest behavior utilized by Ursnif malware family. This detection identifies any Windows Office Product spawning `wmic.exe`. In malicious instances, the command-line of `wmic.exe` will contain `wmic process call create`. In addition, Threat Research has released a detection identifying the use of `wmic process call create` on the command-line of `wmic.exe`. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. The Office Product, or `wmic.exe` will have reached out to a remote destination, capture and block the IPs or domain. Review additional parallel processes for further activity. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following detection identifies the latest behavior utilized by Ursnif malware family. This detection identifies any Windows Office Product spawning `wmic.exe`. In malicious instances, the command-line of `wmic.exe` will contain `wmic process call create`. In addition, Threat Research has released a detection identifying the use of `wmic process call create` on the command-line of `wmic.exe`. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. The Office Product, or `wmic.exe` will have reached out to a remote destination, capture and block the IPs or domain. Review additional parallel processes for further activity. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = No false positives known. Filter as needed. -action.escu.creation_date = 2023-07-11 -action.escu.modification_date = 2023-07-11 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Office Product Spawning Wmic - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "FIN7", "Spearphishing Attachments"] -action.risk = 1 -action.risk.param._risk_message = office parent process $parent_process_name$ will execute a suspicious child process $process_name$ with process id $process_id$ in host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}, {"threat_object_field": "process_name", "threat_object_type": "process"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Office Product Spawning Wmic - Rule -action.correlationsearch.annotations = {"analytic_story": ["CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "FIN7", "Spearphishing Attachments"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "ffc236d6-a6c9-11eb-95f1-acde48001122", "detection_version": "6"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following detection identifies the latest behavior utilized by Ursnif malware family. This detection identifies any Windows Office Product spawning `wmic.exe`. In malicious instances, the command-line of `wmic.exe` will contain `wmic process call create`. In addition, Threat Research has released a detection identifying the use of `wmic process call create` on the command-line of `wmic.exe`. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. The Office Product, or `wmic.exe` will have reached out to a remote destination, capture and block the IPs or domain. Review additional parallel processes for further activity. -action.notable.param.rule_title = Office Product Spawning Wmic -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe","msaccess.exe", "Graph.exe","winproj.exe") `process_wmic` by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `office_product_spawning_wmic_filter` - -[ESCU - Office Product Writing cab or inf - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies behavior related to CVE-2021-40444. Whereas the malicious document will load ActiveX and download the remote payload (.inf, .cab). During triage, review parallel processes and further activity on endpoint to identify additional patterns. Retrieve the file modifications and analyze further. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies behavior related to CVE-2021-40444. Whereas the malicious document will load ActiveX and download the remote payload (.inf, .cab). During triage, review parallel processes and further activity on endpoint to identify additional patterns. Retrieve the file modifications and analyze further. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node. -action.escu.known_false_positives = The query is structured in a way that `action` (read, create) is not defined. Review the results of this query, filter, and tune as necessary. It may be necessary to generate this query specific to your endpoint product. -action.escu.creation_date = 2023-02-15 -action.escu.modification_date = 2023-02-15 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Office Product Writing cab or inf - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Microsoft MSHTML Remote Code Execution CVE-2021-40444", "Spearphishing Attachments"] -action.risk = 1 -action.risk.param._risk_message = An instance of $process_name$ was identified on $dest$ writing an inf or cab file to this. This is not typical of $process_name$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Office Product Writing cab or inf - Rule -action.correlationsearch.annotations = {"analytic_story": ["Microsoft MSHTML Remote Code Execution CVE-2021-40444", "Spearphishing Attachments"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2021-40444"], "impact": 80, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "f48cd1d4-125a-11ec-a447-acde48001122", "detection_version": "4"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies behavior related to CVE-2021-40444. Whereas the malicious document will load ActiveX and download the remote payload (.inf, .cab). During triage, review parallel processes and further activity on endpoint to identify additional patterns. Retrieve the file modifications and analyze further. -action.notable.param.rule_title = Office Product Writing cab or inf -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","wordpad.exe","wordview.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe","msaccess.exe") by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.process_guid | `drop_dm_object_name(Processes)` |rename process_guid as proc_guid | join proc_guid, _time [ | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*.inf","*.cab") by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)` |rename process_guid as proc_guid | fields _time dest file_create_time file_name file_path process_name process_path process proc_guid] | dedup file_create_time | table dest, process_name, process, file_create_time, file_name, file_path, proc_guid | `office_product_writing_cab_or_inf_filter` - -[ESCU - Office Spawning Control - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following detection identifies control.exe spawning from an office product. This detection identifies any Windows Office Product spawning `control.exe`. In malicious instances, the command-line of `control.exe` will contain a file path to a .cpl or .inf, related to CVE-2021-40444. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. review parallel and child processes to identify further suspicious behavior -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following detection identifies control.exe spawning from an office product. This detection identifies any Windows Office Product spawning `control.exe`. In malicious instances, the command-line of `control.exe` will contain a file path to a .cpl or .inf, related to CVE-2021-40444. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. review parallel and child processes to identify further suspicious behavior -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Limited false positives should be present. -action.escu.creation_date = 2023-11-07 -action.escu.modification_date = 2023-11-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Office Spawning Control - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Microsoft MSHTML Remote Code Execution CVE-2021-40444", "Spearphishing Attachments"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ clicking a suspicious attachment. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Office Spawning Control - Rule -action.correlationsearch.annotations = {"analytic_story": ["Microsoft MSHTML Remote Code Execution CVE-2021-40444", "Spearphishing Attachments"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2021-40444"], "impact": 80, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "053e027c-10c7-11ec-8437-acde48001122", "detection_version": "4"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following detection identifies control.exe spawning from an office product. This detection identifies any Windows Office Product spawning `control.exe`. In malicious instances, the command-line of `control.exe` will contain a file path to a .cpl or .inf, related to CVE-2021-40444. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. review parallel and child processes to identify further suspicious behavior -action.notable.param.rule_title = Office Spawning Control -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","wordpad.exe","wordview.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe","msaccess.exe") Processes.process_name=control.exe by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `office_spawning_control_filter` - -[ESCU - Outbound Network Connection from Java Using Default Ports - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = A required step while exploiting the CVE-2021-44228-Log4j vulnerability is that the victim server will perform outbound connections to attacker-controlled infrastructure. This is required as part of the JNDI lookup as well as for retrieving the second stage .class payload. The following analytic identifies the Java process reaching out to default ports used by the LDAP and RMI protocols. This behavior could represent successfull exploitation. Note that adversaries can easily decide to use arbitrary ports for these protocols and potentially bypass this detection. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint", "Network_Traffic"] -action.escu.eli5 = A required step while exploiting the CVE-2021-44228-Log4j vulnerability is that the victim server will perform outbound connections to attacker-controlled infrastructure. This is required as part of the JNDI lookup as well as for retrieving the second stage .class payload. The following analytic identifies the Java process reaching out to default ports used by the LDAP and RMI protocols. This behavior could represent successfull exploitation. Note that adversaries can easily decide to use arbitrary ports for these protocols and potentially bypass this detection. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Legitimate Java applications may use perform outbound connections to these ports. Filter as needed -action.escu.creation_date = 2022-06-28 -action.escu.modification_date = 2022-06-28 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Outbound Network Connection from Java Using Default Ports - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Log4Shell CVE-2021-44228"] -action.risk = 1 -action.risk.param._risk_message = Java performed outbound connections to default ports of LDAP or RMI on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 54}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Outbound Network Connection from Java Using Default Ports - Rule -action.correlationsearch.annotations = {"analytic_story": ["Log4Shell CVE-2021-44228"], "cis20": ["CIS 10"], "confidence": 60, "cve": ["CVE-2021-44228"], "impact": 90, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "d2c14d28-5c47-11ec-9892-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = A required step while exploiting the CVE-2021-44228-Log4j vulnerability is that the victim server will perform outbound connections to attacker-controlled infrastructure. This is required as part of the JNDI lookup as well as for retrieving the second stage .class payload. The following analytic identifies the Java process reaching out to default ports used by the LDAP and RMI protocols. This behavior could represent successfull exploitation. Note that adversaries can easily decide to use arbitrary ports for these protocols and potentially bypass this detection. -action.notable.param.rule_title = Outbound Network Connection from Java Using Default Ports -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where (Processes.process_name="java.exe" OR Processes.process_name=javaw.exe OR Processes.process_name=javaw.exe) by _time Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where (All_Traffic.dest_port= 389 OR All_Traffic.dest_port= 636 OR All_Traffic.dest_port = 1389 OR All_Traffic.dest_port = 1099 ) by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as connection_to_CNC] | table _time dest parent_process_name process_name process_path process connection_to_CNC dest_port| `outbound_network_connection_from_java_using_default_ports_filter` - -[ESCU - Overwriting Accessibility Binaries - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = Microsoft Windows contains accessibility features that can be launched with a key combination before a user has logged in. An adversary can modify or replace these programs so they can get a command prompt or backdoor without logging in to the system. This search looks for modifications to these binaries. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1546", "T1546.008"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = Microsoft Windows contains accessibility features that can be launched with a key combination before a user has logged in. An adversary can modify or replace these programs so they can get a command prompt or backdoor without logging in to the system. This search looks for modifications to these binaries. -action.escu.how_to_implement = You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data. -action.escu.known_false_positives = Microsoft may provide updates to these binaries. Verify that these changes do not correspond with your normal software update cycle. -action.escu.creation_date = 2023-04-14 -action.escu.modification_date = 2023-04-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Overwriting Accessibility Binaries - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Data Destruction", "Flax Typhoon", "Hermetic Wiper", "Windows Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = A suspicious file modification or replace in $file_path$ in host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}, {"threat_object_field": "file_name", "threat_object_type": "file_name"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Overwriting Accessibility Binaries - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Flax Typhoon", "Hermetic Wiper", "Windows Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1546", "T1546.008"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "13c2f6c3-10c5-4deb-9ba1-7c4460ebe4ae", "detection_version": "4"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = Microsoft Windows contains accessibility features that can be launched with a key combination before a user has logged in. An adversary can modify or replace these programs so they can get a command prompt or backdoor without logging in to the system. This search looks for modifications to these binaries. -action.notable.param.rule_title = Overwriting Accessibility Binaries -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem where (Filesystem.file_path=*\\Windows\\System32\\sethc.exe* OR Filesystem.file_path=*\\Windows\\System32\\utilman.exe* OR Filesystem.file_path=*\\Windows\\System32\\osk.exe* OR Filesystem.file_path=*\\Windows\\System32\\Magnify.exe* OR Filesystem.file_path=*\\Windows\\System32\\Narrator.exe* OR Filesystem.file_path=*\\Windows\\System32\\DisplaySwitch.exe* OR Filesystem.file_path=*\\Windows\\System32\\AtBroker.exe*) by Filesystem.file_name Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `overwriting_accessibility_binaries_filter` - -[ESCU - PaperCut NG Suspicious Behavior Debug Log - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following hunting analytic is designed to monitor and detect potential exploitation attempts targeting a PaperCut NG server by analyzing its debug log data. By focusing on public IP addresses accessing the PaperCut NG instance, this analytic aims to identify unauthorized or suspicious access attempts. Furthermore, it searches for specific URIs that have been discovered in the proof of concept code, which are associated with known exploits or vulnerabilities. The analytic is focused on the user admin. Regex is used mainly because the log is not parsed by Splunk and there is no TA for this debug log. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following hunting analytic is designed to monitor and detect potential exploitation attempts targeting a PaperCut NG server by analyzing its debug log data. By focusing on public IP addresses accessing the PaperCut NG instance, this analytic aims to identify unauthorized or suspicious access attempts. Furthermore, it searches for specific URIs that have been discovered in the proof of concept code, which are associated with known exploits or vulnerabilities. The analytic is focused on the user admin. Regex is used mainly because the log is not parsed by Splunk and there is no TA for this debug log. -action.escu.how_to_implement = Debug logs must be enabled and shipped to Splunk in order to properly identify behavior with this analytic. -action.escu.known_false_positives = False positives may be present, as this is based on the admin user accessing the Papercut NG instance from a public IP address. Filter as needed. -action.escu.creation_date = 2023-05-15 -action.escu.modification_date = 2023-05-15 -action.escu.confidence = high -action.escu.full_search_name = ESCU - PaperCut NG Suspicious Behavior Debug Log - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["PaperCut MF NG Vulnerability"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - PaperCut NG Suspicious Behavior Debug Log - Rule -action.correlationsearch.annotations = {"analytic_story": ["PaperCut MF NG Vulnerability"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "395163b8-689b-444b-86c7-9fe9ad624734", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `papercutng` (loginType=Admin OR userName=admin) | eval uri_match=if(match(_raw, "(?i)(\/app\?service=page\/SetupCompleted|\/app|\/app\?service=page\/PrinterList|\/app\?service=direct\/1\/PrinterList\/selectPrinter&sp=l1001|\/app\?service=direct\/1\/PrinterDetails\/printerOptionsTab\.tab)"), "URI matches", null()) | eval ip_match=if(match(_raw, "(?i)((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))") AND NOT match(_raw, "(?i)(10\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))|(172\.(1[6-9]|2[0-9]|3[0-1])\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))|(192\.168\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))"), "IP matches", null()) | where (isnotnull(uri_match) OR isnotnull(ip_match)) | stats sparkline, count, values(uri_match) AS uri_match, values(ip_match) AS ip_match latest(_raw) BY host, index, sourcetype | `papercut_ng_suspicious_behavior_debug_log_filter` - -[ESCU - Password Policy Discovery with Net - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the execution of `net.exe` or `net1.exe` with command line arguments aimed at obtaining the domain password policy. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to gather information about Active Directory password policies. If confirmed malicious, this behavior could allow attackers to understand password complexity requirements, aiding in brute-force or password-guessing attacks, ultimately compromising user accounts and gaining unauthorized access to the network. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the execution of `net.exe` or `net1.exe` with command line arguments aimed at obtaining the domain password policy. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to gather information about Active Directory password policies. If confirmed malicious, this behavior could allow attackers to understand password complexity requirements, aiding in brute-force or password-guessing attacks, ultimately compromising user accounts and gaining unauthorized access to the network. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. -action.escu.creation_date = 2024-05-19 -action.escu.modification_date = 2024-05-19 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Password Policy Discovery with Net - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Discovery"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Password Policy Discovery with Net - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "09336538-065a-11ec-8665-acde48001122", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="net.exe" OR Processes.process_name="net1.exe") AND Processes.process = "*accounts*" AND Processes.process = "*/domain*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `password_policy_discovery_with_net_filter` - -[ESCU - Permission Modification using Takeown App - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the modification of file or directory permissions using the takeown.exe Windows application. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include process GUID, process name, and command-line details. This activity is significant because it is a common technique used by ransomware to take ownership of files or folders for encryption or deletion. If confirmed malicious, this could lead to unauthorized access, data encryption, or data destruction, severely impacting the integrity and availability of critical data. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the modification of file or directory permissions using the takeown.exe Windows application. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include process GUID, process name, and command-line details. This activity is significant because it is a common technique used by ransomware to take ownership of files or folders for encryption or deletion. If confirmed malicious, this could lead to unauthorized access, data encryption, or data destruction, severely impacting the integrity and availability of critical data. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = takeown.exe is a normal windows application that may used by network operator. -action.escu.creation_date = 2024-05-11 -action.escu.modification_date = 2024-05-11 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Permission Modification using Takeown App - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Ransomware", "Sandworm Tools"] -action.risk = 1 -action.risk.param._risk_message = A suspicious of execution of $process_name$ with process id $process_id$ and commandline $process$ to modify permission of directory or files in host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"threat_object_field": "process_name", "threat_object_type": "process"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Permission Modification using Takeown App - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Sandworm Tools"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "fa7ca5c6-c9d8-11eb-bce9-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the modification of file or directory permissions using the takeown.exe Windows application. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include process GUID, process name, and command-line details. This activity is significant because it is a common technique used by ransomware to take ownership of files or folders for encryption or deletion. If confirmed malicious, this could lead to unauthorized access, data encryption, or data destruction, severely impacting the integrity and availability of critical data. -action.notable.param.rule_title = Permission Modification using Takeown App -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "takeown.exe" Processes.process = "*/f*" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `permission_modification_using_takeown_app_filter` - -[ESCU - PetitPotam Network Share Access Request - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic utilizes Windows Event Code 5145, "A network share object was checked to see whether client can be granted desired access". During our research into PetitPotam, CVE-2021-36942, we identified the ocurrence of this event on the target host with specific values. \ -To enable 5145 events via Group Policy - Computer Configuration->Polices->Windows Settings->Security Settings->Advanced Audit Policy Configuration. Expand this node, go to Object Access (Audit Polices->Object Access), then select the Setting Audit Detailed File Share Audit \ -It is possible this is not enabled by default and may need to be reviewed and enabled. \ - \ -During triage, review parallel security events to identify further suspicious activity. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1187"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic utilizes Windows Event Code 5145, "A network share object was checked to see whether client can be granted desired access". During our research into PetitPotam, CVE-2021-36942, we identified the ocurrence of this event on the target host with specific values. \ -To enable 5145 events via Group Policy - Computer Configuration->Polices->Windows Settings->Security Settings->Advanced Audit Policy Configuration. Expand this node, go to Object Access (Audit Polices->Object Access), then select the Setting Audit Detailed File Share Audit \ -It is possible this is not enabled by default and may need to be reviewed and enabled. \ - \ -During triage, review parallel security events to identify further suspicious activity. -action.escu.how_to_implement = Windows Event Code 5145 is required to utilize this analytic and it may not be enabled in most environments. -action.escu.known_false_positives = False positives have been limited when the Anonymous Logon is used for Account Name. -action.escu.creation_date = 2024-04-26 -action.escu.modification_date = 2024-04-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - PetitPotam Network Share Access Request - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["PetitPotam NTLM Relay on Active Directory Certificate Services"] -action.risk = 1 -action.risk.param._risk_message = A remote host is enumerating a $dest$ to identify permissions. This is a precursor event to CVE-2021-36942, PetitPotam. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - PetitPotam Network Share Access Request - Rule -action.correlationsearch.annotations = {"analytic_story": ["PetitPotam NTLM Relay on Active Directory Certificate Services"], "cis20": ["CIS 10"], "confidence": 70, "cve": ["CVE-2021-36942"], "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1187"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "95b8061a-0a67-11ec-85ec-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic utilizes Windows Event Code 5145, "A network share object was checked to see whether client can be granted desired access". During our research into PetitPotam, CVE-2021-36942, we identified the ocurrence of this event on the target host with specific values. \ -To enable 5145 events via Group Policy - Computer Configuration->Polices->Windows Settings->Security Settings->Advanced Audit Policy Configuration. Expand this node, go to Object Access (Audit Polices->Object Access), then select the Setting Audit Detailed File Share Audit \ -It is possible this is not enabled by default and may need to be reviewed and enabled. \ - \ -During triage, review parallel security events to identify further suspicious activity. -action.notable.param.rule_title = PetitPotam Network Share Access Request -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` SubjectUserName="ANONYMOUS LOGON" EventCode=5145 RelativeTargetName=lsarpc | stats count min(_time) as firstTime max(_time) as lastTime by dest, SubjectUserSid, ShareName, src, AccessMask, AccessReason | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `petitpotam_network_share_access_request_filter` - -[ESCU - PetitPotam Suspicious Kerberos TGT Request - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifes Event Code 4768, A `Kerberos authentication ticket (TGT) was requested`, successfull occurs. This behavior has been identified to assist with detecting PetitPotam, CVE-2021-36942. Once an attacer obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes. One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus. This request will generate a 4768 event with some unusual fields depending on the environment. This analytic will require tuning, we recommend filtering Account_Name to Domain Controllers for your environment. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifes Event Code 4768, A `Kerberos authentication ticket (TGT) was requested`, successfull occurs. This behavior has been identified to assist with detecting PetitPotam, CVE-2021-36942. Once an attacer obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes. One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus. This request will generate a 4768 event with some unusual fields depending on the environment. This analytic will require tuning, we recommend filtering Account_Name to Domain Controllers for your environment. -action.escu.how_to_implement = The following analytic requires Event Code 4768. Ensure that it is logging no Domain Controllers and appearing in Splunk. -action.escu.known_false_positives = False positives are possible if the environment is using certificates for authentication. -action.escu.creation_date = 2024-04-26 -action.escu.modification_date = 2024-04-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - PetitPotam Suspicious Kerberos TGT Request - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Kerberos Attacks", "PetitPotam NTLM Relay on Active Directory Certificate Services"] -action.risk = 1 -action.risk.param._risk_message = A Kerberos TGT was requested in a non-standard manner against $dest$, potentially related to CVE-2021-36942, PetitPotam. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - PetitPotam Suspicious Kerberos TGT Request - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks", "PetitPotam NTLM Relay on Active Directory Certificate Services"], "cis20": ["CIS 10"], "confidence": 70, "cve": ["CVE-2021-36942"], "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e3ef244e-0a67-11ec-abf2-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifes Event Code 4768, A `Kerberos authentication ticket (TGT) was requested`, successfull occurs. This behavior has been identified to assist with detecting PetitPotam, CVE-2021-36942. Once an attacer obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes. One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus. This request will generate a 4768 event with some unusual fields depending on the environment. This analytic will require tuning, we recommend filtering Account_Name to Domain Controllers for your environment. -action.notable.param.rule_title = PetitPotam Suspicious Kerberos TGT Request -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4768 src!="::1" TargetUserName=*$ CertThumbprint!="" | stats count min(_time) as firstTime max(_time) as lastTime by dest, TargetUserName, src, action | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `petitpotam_suspicious_kerberos_tgt_request_filter` - -[ESCU - Ping Sleep Batch Command - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic will identify the possible execution of ping sleep batch commands. This technique was seen in several malware samples and is used to trigger sleep times without explicitly calling sleep functions or commandlets. The goal is to delay the execution of malicious code and bypass detection or sandbox analysis. This detection can be a good indicator of a process delaying its execution for malicious purposes. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1497", "T1497.003"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic will identify the possible execution of ping sleep batch commands. This technique was seen in several malware samples and is used to trigger sleep times without explicitly calling sleep functions or commandlets. The goal is to delay the execution of malicious code and bypass detection or sandbox analysis. This detection can be a good indicator of a process delaying its execution for malicious purposes. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrator or network operator may execute this command. Please update the filter macros to remove false positives. -action.escu.creation_date = 2023-04-14 -action.escu.modification_date = 2023-04-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Ping Sleep Batch Command - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["BlackByte Ransomware", "Data Destruction", "Warzone RAT", "WhisperGate"] -action.risk = 1 -action.risk.param._risk_message = suspicious $process$ commandline run in $dest$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 36}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 36}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Ping Sleep Batch Command - Rule -action.correlationsearch.annotations = {"analytic_story": ["BlackByte Ransomware", "Data Destruction", "Warzone RAT", "WhisperGate"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1497", "T1497.003"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "ce058d6c-79f2-11ec-b476-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_ping` (Processes.parent_process = "*ping*" Processes.parent_process = *-n* Processes.parent_process="* Nul*"Processes.parent_process="*>*") OR (Processes.process = "*ping*" Processes.process = *-n* Processes.process="* Nul*"Processes.process="*>*") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.user Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `ping_sleep_batch_command_filter` - -[ESCU - Possible Browser Pass View Parameter - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic will detect if a suspicious process contains a commandline parameter related to a web browser credential dumper. This technique is used by Remcos RAT malware which uses the Nirsoft webbrowserpassview.exe application to dump web browser credentials. Remcos uses the "/stext" command line to dump the credentials in text format. This Hunting query is a good indicator of hosts suffering from possible Remcos RAT infection. Since the hunting query is based on the parameter command and the possible path where it will save the text credential information, it may catch normal tools that are using the same command and behavior. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1555.003", "T1555"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic will detect if a suspicious process contains a commandline parameter related to a web browser credential dumper. This technique is used by Remcos RAT malware which uses the Nirsoft webbrowserpassview.exe application to dump web browser credentials. Remcos uses the "/stext" command line to dump the credentials in text format. This Hunting query is a good indicator of hosts suffering from possible Remcos RAT infection. Since the hunting query is based on the parameter command and the possible path where it will save the text credential information, it may catch normal tools that are using the same command and behavior. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positive is quite limited. Filter is needed -action.escu.creation_date = 2021-11-22 -action.escu.modification_date = 2021-11-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Possible Browser Pass View Parameter - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Remcos"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Possible Browser Pass View Parameter - Rule -action.correlationsearch.annotations = {"analytic_story": ["Remcos"], "cis20": ["CIS 10"], "confidence": 40, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1555.003", "T1555"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "8ba484e8-4b97-11ec-b19a-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN ("*/stext *", "*/shtml *", "*/LoadPasswordsIE*", "*/LoadPasswordsFirefox*", "*/LoadPasswordsChrome*", "*/LoadPasswordsOpera*", "*/LoadPasswordsSafari*" , "*/UseOperaPasswordFile*", "*/OperaPasswordFile*","*/stab*", "*/scomma*", "*/stabular*", "*/shtml*", "*/sverhtml*", "*/sxml*", "*/skeepass*" ) AND Processes.process IN ("*\\temp\\*", "*\\users\\public\\*", "*\\programdata\\*") by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `possible_browser_pass_view_parameter_filter` - -[ESCU - Possible Lateral Movement PowerShell Spawn - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic is designed to identify possible lateral movement attacks that involve the spawning of a PowerShell process as a child or grandchild process of commonly abused processes. These processes include services.exe, wmiprsve.exe, svchost.exe, wsmprovhost.exe, and mmc.exe. \ -Such behavior is indicative of legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management, and the DCOM protocol being abused to start a process on a remote endpoint. This behavior is often seen during lateral movement techniques where adversaries or red teams abuse these services for lateral movement and remote code execution. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1021", "T1021.003", "T1021.006", "T1047", "T1053.005", "T1543.003", "T1059.001", "T1218.014"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic is designed to identify possible lateral movement attacks that involve the spawning of a PowerShell process as a child or grandchild process of commonly abused processes. These processes include services.exe, wmiprsve.exe, svchost.exe, wsmprovhost.exe, and mmc.exe. \ -Such behavior is indicative of legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management, and the DCOM protocol being abused to start a process on a remote endpoint. This behavior is often seen during lateral movement techniques where adversaries or red teams abuse these services for lateral movement and remote code execution. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Legitimate applications may spawn PowerShell as a child process of the the identified processes. Filter as needed. -action.escu.creation_date = 2023-05-13 -action.escu.modification_date = 2023-05-13 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Possible Lateral Movement PowerShell Spawn - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Lateral Movement", "Data Destruction", "Hermetic Wiper", "Malicious PowerShell", "Scheduled Tasks"] -action.risk = 1 -action.risk.param._risk_message = A PowerShell process was spawned as a child process of typically abused processes on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 45}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Possible Lateral Movement PowerShell Spawn - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "Data Destruction", "Hermetic Wiper", "Malicious PowerShell", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 50, "impact": 90, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1021", "T1021.003", "T1021.006", "T1047", "T1053.005", "T1543.003", "T1059.001", "T1218.014"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "cb909b3e-512b-11ec-aa31-3e22fbd008af", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic is designed to identify possible lateral movement attacks that involve the spawning of a PowerShell process as a child or grandchild process of commonly abused processes. These processes include services.exe, wmiprsve.exe, svchost.exe, wsmprovhost.exe, and mmc.exe. \ -Such behavior is indicative of legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management, and the DCOM protocol being abused to start a process on a remote endpoint. This behavior is often seen during lateral movement techniques where adversaries or red teams abuse these services for lateral movement and remote code execution. -action.notable.param.rule_title = Possible Lateral Movement PowerShell Spawn -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=wmiprvse.exe OR Processes.parent_process_name=services.exe OR Processes.parent_process_name=svchost.exe OR Processes.parent_process_name=wsmprovhost.exe OR Processes.parent_process_name=mmc.exe) (Processes.process_name=powershell.exe OR (Processes.process_name=cmd.exe AND Processes.process=*powershell.exe*) OR Processes.process_name=pwsh.exe OR (Processes.process_name=cmd.exe AND Processes.process=*pwsh.exe*)) NOT (Processes.process IN ("*c:\windows\ccm\*")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `possible_lateral_movement_powershell_spawn_filter` - -[ESCU - Potential password in username - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search identifies users who have entered their passwords in username fields. This is done by looking for failed authentication attempts using usernames with a length longer than 7 characters and a high Shannon entropy, and looks for the next successful authentication attempt from the same source system to the same destination system as the failed attempt. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.003", "T1552.001"], "nist": ["DE.AE"]} -action.escu.data_models = ["Authentication"] -action.escu.eli5 = This search identifies users who have entered their passwords in username fields. This is done by looking for failed authentication attempts using usernames with a length longer than 7 characters and a high Shannon entropy, and looks for the next successful authentication attempt from the same source system to the same destination system as the failed attempt. -action.escu.how_to_implement = To successfully implement this search, you need to have relevant authentication logs mapped to the Authentication data model. You also need to have the Splunk TA URL Toolbox (https://splunkbase.splunk.com/app/2734/) installed. The detection must run with a time interval shorter than endtime+1000. -action.escu.known_false_positives = Valid usernames with high entropy or source/destination system pairs with multiple authenticating users will make it difficult to identify the real user authenticating. -action.escu.creation_date = 2022-05-11 -action.escu.modification_date = 2022-05-11 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Potential password in username - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Credential Dumping", "Insider Threat"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Potential password in username - Rule -action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping", "Insider Threat"], "cis20": ["CIS 10"], "confidence": 70, "impact": 30, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.003", "T1552.001"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "5ced34b4-ab32-4bb0-8f22-3b8f186f0a38", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` earliest(_time) AS starttime latest(_time) AS endtime latest(sourcetype) AS sourcetype values(Authentication.src) AS src values(Authentication.dest) AS dest count FROM datamodel=Authentication WHERE nodename=Authentication.Failed_Authentication BY "Authentication.user" | `drop_dm_object_name(Authentication)` | lookup ut_shannon_lookup word AS user | where ut_shannon>3 AND len(user)>=8 AND mvcount(src) == 1 | sort count, - ut_shannon | eval incorrect_cred=user | eval endtime=endtime+1000 | map maxsearches=70 search="| tstats `security_content_summariesonly` earliest(_time) AS starttime latest(_time) AS endtime latest(sourcetype) AS sourcetype values(Authentication.src) AS src values(Authentication.dest) AS dest count FROM datamodel=Authentication WHERE nodename=Authentication.Successful_Authentication Authentication.src=\"$src$\" Authentication.dest=\"$dest$\" sourcetype IN (\"$sourcetype$\") earliest=\"$starttime$\" latest=\"$endtime$\" BY \"Authentication.user\" | `drop_dm_object_name(\"Authentication\")` | `potential_password_in_username_false_positive_reduction` | eval incorrect_cred=\"$incorrect_cred$\" | eval ut_shannon=\"$ut_shannon$\" | sort count" | where user!=incorrect_cred | outlier action=RM count | `potential_password_in_username_filter` - -[ESCU - Potentially malicious code on commandline - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic uses a pretrained machine learning text classifier to detect potentially malicious commandlines. The model identifies unusual combinations of keywords found in samples of commandlines where adversaries executed powershell code, primarily for C2 communication. For example, adversaries will leverage IO capabilities such as "streamreader" and "webclient", threading capabilties such as "mutex" locks, programmatic constructs like "function" and "catch", and cryptographic operations like "computehash". Although observing one of these keywords in a commandline script is possible, combinations of keywords observed in attack data are not typically found in normal usage of the commandline. The model will output a score where all values above zero are suspicious, anything greater than one particularly so. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.003"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic uses a pretrained machine learning text classifier to detect potentially malicious commandlines. The model identifies unusual combinations of keywords found in samples of commandlines where adversaries executed powershell code, primarily for C2 communication. For example, adversaries will leverage IO capabilities such as "streamreader" and "webclient", threading capabilties such as "mutex" locks, programmatic constructs like "function" and "catch", and cryptographic operations like "computehash". Although observing one of these keywords in a commandline script is possible, combinations of keywords observed in attack data are not typically found in normal usage of the commandline. The model will output a score where all values above zero are suspicious, anything greater than one particularly so. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = This model is an anomaly detector that identifies usage of APIs and scripting constructs that are correllated with malicious activity. These APIs and scripting constructs are part of the programming langauge and advanced scripts may generate false positives. -action.escu.creation_date = 2022-01-14 -action.escu.modification_date = 2022-01-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Potentially malicious code on commandline - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Suspicious Command-Line Executions"] -action.risk = 1 -action.risk.param._risk_message = Unusual command-line execution with command line length greater than 200 found on $dest$ with commandline value - [$process$] -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 12}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 12}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Potentially malicious code on commandline - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious Command-Line Executions"], "cis20": ["CIS 10"], "confidence": 20, "impact": 60, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.003"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "9c53c446-757e-11ec-871d-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel="Endpoint.Processes" by Processes.parent_process_name Processes.process_name Processes.process Processes.user Processes.dest | `drop_dm_object_name(Processes)` | where len(process) > 200 | `potentially_malicious_code_on_cmdline_tokenize_score` | apply unusual_commandline_detection | eval score='predicted(unusual_cmdline_logits)', process=orig_process | fields - unusual_cmdline* predicted(unusual_cmdline_logits) orig_process | where score > 0.5 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `potentially_malicious_code_on_commandline_filter` - -[ESCU - PowerShell 4104 Hunting - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following Hunting analytic assists with identifying suspicious PowerShell execution using Script Block Logging, or EventCode 4104. This analytic is not meant to be ran hourly, but occasionally to identify malicious or suspicious PowerShell. This analytic is a combination of work completed by Alex Teixeira and Splunk Threat Research Team. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following Hunting analytic assists with identifying suspicious PowerShell execution using Script Block Logging, or EventCode 4104. This analytic is not meant to be ran hourly, but occasionally to identify malicious or suspicious PowerShell. This analytic is a combination of work completed by Alex Teixeira and Splunk Threat Research Team. -action.escu.how_to_implement = The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -action.escu.known_false_positives = Limited false positives. May filter as needed. -action.escu.creation_date = 2023-12-27 -action.escu.modification_date = 2023-12-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - PowerShell 4104 Hunting - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["CISA AA23-347A", "DarkGate Malware", "Data Destruction", "Flax Typhoon", "Hermetic Wiper", "Malicious PowerShell", "Rhysida Ransomware"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - PowerShell 4104 Hunting - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A", "DarkGate Malware", "Data Destruction", "Flax Typhoon", "Hermetic Wiper", "Malicious PowerShell", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "d6f2b006-0041-11ec-8885-acde48001122", "detection_version": "4"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 | eval DoIt = if(match(ScriptBlockText,"(?i)(\$doit)"), "4", 0) | eval enccom=if(match(ScriptBlockText,"[A-Za-z0-9+\/]{44,}([A-Za-z0-9+\/]{4}|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{2}==)") OR match(ScriptBlockText, "(?i)[-]e(nc*o*d*e*d*c*o*m*m*a*n*d*)*\s+[^-]"),4,0) | eval suspcmdlet=if(match(ScriptBlockText, "(?i)Add-Exfiltration|Add-Persistence|Add-RegBackdoor|Add-ScrnSaveBackdoor|Check-VM|Do-Exfiltration|Enabled-DuplicateToken|Exploit-Jboss|Find-Fruit|Find-GPOLocation|Find-TrustedDocuments|Get-ApplicationHost|Get-ChromeDump|Get-ClipboardContents|Get-FoxDump|Get-GPPPassword|Get-IndexedItem|Get-Keystrokes|LSASecret|Get-PassHash|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-RickAstley|Get-Screenshot|Get-SecurityPackages|Get-ServiceFilePermission|Get-ServicePermission|Get-ServiceUnquoted|Get-SiteListPassword|Get-System|Get-TimedScreenshot|Get-UnattendedInstallFile|Get-Unconstrained|Get-VaultCredential|Get-VulnAutoRun|Get-VulnSchTask|Gupt-Backdoor|HTTP-Login|Install-SSP|Install-ServiceBinary|Invoke-ACLScanner|Invoke-ADSBackdoor|Invoke-ARPScan|Invoke-AllChecks|Invoke-BackdoorLNK|Invoke-BypassUAC|Invoke-CredentialInjection|Invoke-DCSync|Invoke-DllInjection|Invoke-DowngradeAccount|Invoke-EgressCheck|Invoke-Inveigh|Invoke-InveighRelay|Invoke-Mimikittenz|Invoke-NetRipper|Invoke-NinjaCopy|Invoke-PSInject|Invoke-Paranoia|Invoke-PortScan|Invoke-PoshRat|Invoke-PostExfil|Invoke-PowerDump|Invoke-PowerShellTCP|Invoke-PsExec|Invoke-PsUaCme|Invoke-ReflectivePEInjection|Invoke-ReverseDNSLookup|Invoke-RunAs|Invoke-SMBScanner|Invoke-SSHCommand|Invoke-Service|Invoke-Shellcode|Invoke-Tater|Invoke-ThunderStruck|Invoke-Token|Invoke-UserHunter|Invoke-VoiceTroll|Invoke-WScriptBypassUAC|Invoke-WinEnum|MailRaider|New-HoneyHash|Out-Minidump|Port-Scan|PowerBreach|PowerUp|PowerView|Remove-Update|Set-MacAttribute|Set-Wallpaper|Show-TargetScreen|Start-CaptureServer|VolumeShadowCopyTools|NEEEEWWW|(Computer|User)Property|CachedRDPConnection|get-net\S+|invoke-\S+hunter|Install-Service|get-\S+(credent|password)|remoteps|Kerberos.*(policy|ticket)|netfirewall|Uninstall-Windows|Verb\s+Runas|AmsiBypass|nishang|Invoke-Interceptor|EXEonRemote|NetworkRelay|PowerShelludp|PowerShellIcmp|CreateShortcut|copy-vss|invoke-dll|invoke-mass|out-shortcut|Invoke-ShellCommand"),1,0) | eval base64 = if(match(lower(ScriptBlockText),"frombase64"), "4", 0) | eval empire=if(match(lower(ScriptBlockText),"system.net.webclient") AND match(lower(ScriptBlockText), "frombase64string") ,5,0) | eval mimikatz=if(match(lower(ScriptBlockText),"mimikatz") OR match(lower(ScriptBlockText), "-dumpcr") OR match(lower(ScriptBlockText), "SEKURLSA::Pth") OR match(lower(ScriptBlockText), "kerberos::ptt") OR match(lower(ScriptBlockText), "kerberos::golden") ,5,0) | eval iex=if(match(ScriptBlockText, "(?i)iex|invoke-expression"),2,0) | eval webclient=if(match(lower(ScriptBlockText),"http") OR match(lower(ScriptBlockText),"web(client|request)") OR match(lower(ScriptBlockText),"socket") OR match(lower(ScriptBlockText),"download(file|string)") OR match(lower(ScriptBlockText),"bitstransfer") OR match(lower(ScriptBlockText),"internetexplorer.application") OR match(lower(ScriptBlockText),"xmlhttp"),5,0) | eval get = if(match(lower(ScriptBlockText),"get-"), "1", 0) | eval rundll32 = if(match(lower(ScriptBlockText),"rundll32"), "4", 0) | eval suspkeywrd=if(match(ScriptBlockText, "(?i)(bitstransfer|mimik|metasp|AssemblyBuilderAccess|Reflection\.Assembly|shellcode|injection|cnvert|shell\.application|start-process|Rc4ByteStream|System\.Security\.Cryptography|lsass\.exe|localadmin|LastLoggedOn|hijack|BackupPrivilege|ngrok|comsvcs|backdoor|brute.?force|Port.?Scan|Exfiltration|exploit|DisableRealtimeMonitoring|beacon)"),1,0) | eval syswow64 = if(match(lower(ScriptBlockText),"syswow64"), "3", 0) | eval httplocal = if(match(lower(ScriptBlockText),"http://127.0.0.1"), "4", 0) | eval reflection = if(match(lower(ScriptBlockText),"reflection"), "1", 0) | eval invokewmi=if(match(lower(ScriptBlockText), "(?i)(wmiobject|WMIMethod|RemoteWMI|PowerShellWmi|wmicommand)"),5,0) | eval downgrade=if(match(ScriptBlockText, "(?i)([-]ve*r*s*i*o*n*\s+2)") OR match(lower(ScriptBlockText),"powershell -version"),3,0) | eval compressed=if(match(ScriptBlockText, "(?i)GZipStream|::Decompress|IO.Compression|write-zip|(expand|compress)-Archive"),5,0) | eval invokecmd = if(match(lower(ScriptBlockText),"invoke-command"), "4", 0) | addtotals fieldname=Score DoIt, enccom, suspcmdlet, suspkeywrd, compressed, downgrade, mimikatz, iex, empire, rundll32, webclient, syswow64, httplocal, reflection, invokewmi, invokecmd, base64, get | stats values(Score) by UserID, Computer, DoIt, enccom, compressed, downgrade, iex, mimikatz, rundll32, empire, webclient, syswow64, httplocal, reflection, invokewmi, invokecmd, base64, get, suspcmdlet, suspkeywrd | rename Computer as dest, UserID as user | `powershell_4104_hunting_filter` - -[ESCU - PowerShell - Connect To Internet With Hidden Window - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following hunting analytic identifies PowerShell commands utilizing the WindowStyle parameter to hide the window on the compromised endpoint. This combination of command-line options is suspicious because it is overriding the default PowerShell execution policy, attempts to hide its activity from the user, and connects to the Internet. Removed in this version of the query is New-Object. The analytic identifies all variations of WindowStyle, as PowerShell allows the ability to shorten the parameter. For example w, win, windowsty and so forth. In addition, through our research it was identified that PowerShell will interpret different command switch types beyond the hyphen. We have added endash, emdash, horizontal bar, and forward slash. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.001", "T1059"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following hunting analytic identifies PowerShell commands utilizing the WindowStyle parameter to hide the window on the compromised endpoint. This combination of command-line options is suspicious because it is overriding the default PowerShell execution policy, attempts to hide its activity from the user, and connects to the Internet. Removed in this version of the query is New-Object. The analytic identifies all variations of WindowStyle, as PowerShell allows the ability to shorten the parameter. For example w, win, windowsty and so forth. In addition, through our research it was identified that PowerShell will interpret different command switch types beyond the hyphen. We have added endash, emdash, horizontal bar, and forward slash. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Legitimate process can have this combination of command-line options, but it's not common. -action.escu.creation_date = 2023-04-14 -action.escu.modification_date = 2023-04-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - PowerShell - Connect To Internet With Hidden Window - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["AgentTesla", "Data Destruction", "HAFNIUM Group", "Hermetic Wiper", "Log4Shell CVE-2021-44228", "Malicious PowerShell", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - PowerShell - Connect To Internet With Hidden Window - Rule -action.correlationsearch.annotations = {"analytic_story": ["AgentTesla", "Data Destruction", "HAFNIUM Group", "Hermetic Wiper", "Log4Shell CVE-2021-44228", "Malicious PowerShell", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns"], "cis20": ["CIS 10"], "confidence": 90, "cve": ["CVE-2021-44228"], "impact": 90, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.001", "T1059"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "ee18ed37-0802-4268-9435-b3b91aaa18db", "detection_version": "8"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` by Processes.user Processes.process_name Processes.process Processes.parent_process_name Processes.original_file_name Processes.dest Processes.process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where match(process,"(?i)[\-|\/|– |—|―]w(in*d*o*w*s*t*y*l*e*)*\s+[^-]") | `powershell___connect_to_internet_with_hidden_window_filter` - -[ESCU - Powershell COM Hijacking InprocServer32 Modification - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects attempts to modify or add a Component Object Model (COM) entry to the InProcServer32 path within the registry using PowerShell. It leverages PowerShell ScriptBlock Logging (EventCode 4104) to identify suspicious script blocks that target the InProcServer32 registry path. This activity is significant because modifying COM objects can be used for persistence or privilege escalation by attackers. If confirmed malicious, this could allow an attacker to execute arbitrary code or maintain persistent access to the compromised system, posing a severe security risk. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1546.015", "T1059", "T1059.001"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects attempts to modify or add a Component Object Model (COM) entry to the InProcServer32 path within the registry using PowerShell. It leverages PowerShell ScriptBlock Logging (EventCode 4104) to identify suspicious script blocks that target the InProcServer32 registry path. This activity is significant because modifying COM objects can be used for persistence or privilege escalation by attackers. If confirmed malicious, this could allow an attacker to execute arbitrary code or maintain persistent access to the compromised system, posing a severe security risk. -action.escu.how_to_implement = The following analytic requires PowerShell operational logs to be imported. Modify the PowerShell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -action.escu.known_false_positives = False positives will be present if any scripts are adding to inprocserver32. Filter as needed. -action.escu.creation_date = 2024-05-21 -action.escu.modification_date = 2024-05-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Powershell COM Hijacking InprocServer32 Modification - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Malicious PowerShell"] -action.risk = 1 -action.risk.param._risk_message = A PowerShell script has been identified with InProcServer32 within the script code on $Computer$. -action.risk.param._risk = [{"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Powershell COM Hijacking InprocServer32 Modification - Rule -action.correlationsearch.annotations = {"analytic_story": ["Malicious PowerShell"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1546.015", "T1059", "T1059.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "ea61e291-af05-4716-932a-67faddb6ae6f", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects attempts to modify or add a Component Object Model (COM) entry to the InProcServer32 path within the registry using PowerShell. It leverages PowerShell ScriptBlock Logging (EventCode 4104) to identify suspicious script blocks that target the InProcServer32 registry path. This activity is significant because modifying COM objects can be used for persistence or privilege escalation by attackers. If confirmed malicious, this could allow an attacker to execute arbitrary code or maintain persistent access to the compromised system, posing a severe security risk. -action.notable.param.rule_title = Powershell COM Hijacking InprocServer32 Modification -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText = "*Software\\Classes\\CLSID\\*\\InProcServer32*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_com_hijacking_inprocserver32_modification_filter` - -[ESCU - Powershell Creating Thread Mutex - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies suspicious PowerShell script execution via EventCode 4104 that is using the `mutex` function. This function is commonly seen in some obfuscated PowerShell scripts to make sure that only one instance of there process is running on a compromise machine. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1027", "T1027.005", "T1059.001"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies suspicious PowerShell script execution via EventCode 4104 that is using the `mutex` function. This function is commonly seen in some obfuscated PowerShell scripts to make sure that only one instance of there process is running on a compromise machine. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = powershell developer may used this function in their script for instance checking too. -action.escu.creation_date = 2022-05-02 -action.escu.modification_date = 2022-05-02 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Powershell Creating Thread Mutex - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Malicious PowerShell"] -action.risk = 1 -action.risk.param._risk_message = A suspicious powershell script contains Thread Mutex on host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 40}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 40}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Powershell Creating Thread Mutex - Rule -action.correlationsearch.annotations = {"analytic_story": ["Malicious PowerShell"], "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1027", "T1027.005", "T1059.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "637557ec-ca08-11eb-bd0a-acde48001122", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies suspicious PowerShell script execution via EventCode 4104 that is using the `mutex` function. This function is commonly seen in some obfuscated PowerShell scripts to make sure that only one instance of there process is running on a compromise machine. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts. -action.notable.param.rule_title = Powershell Creating Thread Mutex -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText = "*Threading.Mutex*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest |rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_creating_thread_mutex_filter` - -[ESCU - Powershell Disable Security Monitoring - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies attempts to disable Windows Defender real-time behavior monitoring via PowerShell commands. It detects the use of specific `Set-MpPreference` parameters that disable various security features. This activity is significant as it is commonly used by malware such as RATs, bots, or Trojans to evade detection by disabling antivirus protections. If confirmed malicious, this action could allow an attacker to operate undetected, leading to potential data exfiltration, further system compromise, or persistent access within the environment. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies attempts to disable Windows Defender real-time behavior monitoring via PowerShell commands. It detects the use of specific `Set-MpPreference` parameters that disable various security features. This activity is significant as it is commonly used by malware such as RATs, bots, or Trojans to evade detection by disabling antivirus protections. If confirmed malicious, this action could allow an attacker to operate undetected, leading to potential data exfiltration, further system compromise, or persistent access within the environment. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Limited false positives. However, tune based on scripts that may perform this action. -action.escu.creation_date = 2024-05-21 -action.escu.modification_date = 2024-05-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Powershell Disable Security Monitoring - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Ransomware", "Revil Ransomware"] -action.risk = 1 -action.risk.param._risk_message = Windows Defender Real-time Behavior Monitoring disabled on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Powershell Disable Security Monitoring - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Revil Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c148a894-dd93-11eb-bf2a-acde48001122", "detection_version": "4"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies attempts to disable Windows Defender real-time behavior monitoring via PowerShell commands. It detects the use of specific `Set-MpPreference` parameters that disable various security features. This activity is significant as it is commonly used by malware such as RATs, bots, or Trojans to evade detection by disabling antivirus protections. If confirmed malicious, this action could allow an attacker to operate undetected, leading to potential data exfiltration, further system compromise, or persistent access within the environment. -action.notable.param.rule_title = Powershell Disable Security Monitoring -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process="*set-mppreference*" AND Processes.process IN ("*disablerealtimemonitoring*","*disableioavprotection*","*disableintrusionpreventionsystem*","*disablescriptscanning*","*disableblockatfirstseen*","*DisableBehaviorMonitoring*","*drtm *","*dioavp *","*dscrptsc *","*dbaf *","*dbm *") by Processes.dest Processes.user Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_disable_security_monitoring_filter` - -[ESCU - PowerShell Domain Enumeration - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ - \ -This analytic identifies specific PowerShell modules typically used to enumerate an organizations domain or users. \ -During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ - \ -This analytic identifies specific PowerShell modules typically used to enumerate an organizations domain or users. \ -During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = It is possible there will be false positives, filter as needed. -action.escu.creation_date = 2023-12-27 -action.escu.modification_date = 2023-12-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - PowerShell Domain Enumeration - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["CISA AA23-347A", "Data Destruction", "Hermetic Wiper", "Malicious PowerShell"] -action.risk = 1 -action.risk.param._risk_message = A suspicious powershell script contains domain enumeration command in $ScriptBlockText$ with EventCode $EventCode$ in host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 42}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 42}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - PowerShell Domain Enumeration - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A", "Data Destruction", "Hermetic Wiper", "Malicious PowerShell"], "cis20": ["CIS 10"], "confidence": 70, "impact": 60, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e1866ce2-ca22-11eb-8e44-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ - \ -This analytic identifies specific PowerShell modules typically used to enumerate an organizations domain or users. \ -During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. -action.notable.param.rule_title = PowerShell Domain Enumeration -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText IN (*get-netdomaintrust*, *get-netforesttrust*, *get-addomain*, *get-adgroupmember*, *get-domainuser*) | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_domain_enumeration_filter` - -[ESCU - PowerShell Enable PowerShell Remoting - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic utilizes PowerShell Script Block Logging (EventCode 4104) to identify the use of Enable-PSRemoting cmdlet. This cmdlet allows users to enable PowerShell remoting on a local or remote computer, which allows other computers to run commands on the target computer. The ability to remotely execute commands can be abused by attackers to take control of compromised systems and pivot to other systems on the network. By detecting the use of Enable-PSRemoting cmdlet via script block logging, this analytic can help organizations identify potential malicious activity related to attackers attempting to gain remote control of compromised systems. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.001", "T1059"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic utilizes PowerShell Script Block Logging (EventCode 4104) to identify the use of Enable-PSRemoting cmdlet. This cmdlet allows users to enable PowerShell remoting on a local or remote computer, which allows other computers to run commands on the target computer. The ability to remotely execute commands can be abused by attackers to take control of compromised systems and pivot to other systems on the network. By detecting the use of Enable-PSRemoting cmdlet via script block logging, this analytic can help organizations identify potential malicious activity related to attackers attempting to gain remote control of compromised systems. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = Note that false positives may occur due to the use of the Enable-PSRemoting cmdlet by legitimate users, such as system administrators. It is recommended to apply appropriate filters as needed to minimize the number of false positives. -action.escu.creation_date = 2023-03-22 -action.escu.modification_date = 2023-03-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - PowerShell Enable PowerShell Remoting - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Malicious PowerShell"] -action.risk = 1 -action.risk.param._risk_message = PowerShell was identified running a Invoke-PSremoting on $Computer$. -action.risk.param._risk = [{"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - PowerShell Enable PowerShell Remoting - Rule -action.correlationsearch.annotations = {"analytic_story": ["Malicious PowerShell"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.001", "T1059"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "40e3b299-19a5-4460-96e9-e1467f714f8e", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText="*Enable-PSRemoting*" | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `powershell_enable_powershell_remoting_filter` - -[ESCU - Powershell Enable SMB1Protocol Feature - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search is to detect a suspicious enabling of smb1protocol through `powershell.exe`. This technique was seen in some ransomware (like reddot) where it enable smb share to do the lateral movement and encrypt other files within the compromise network system. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1027", "T1027.005"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This search is to detect a suspicious enabling of smb1protocol through `powershell.exe`. This technique was seen in some ransomware (like reddot) where it enable smb share to do the lateral movement and encrypt other files within the compromise network system. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the powershell logs from your endpoints. make sure you enable needed registry to monitor this event. -action.escu.known_false_positives = network operator may enable or disable this windows feature. -action.escu.creation_date = 2023-04-14 -action.escu.modification_date = 2023-04-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Powershell Enable SMB1Protocol Feature - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Data Destruction", "Hermetic Wiper", "Malicious PowerShell", "Ransomware"] -action.risk = 1 -action.risk.param._risk_message = Powershell Enable SMB1Protocol Feature on $Computer$ -action.risk.param._risk = [{"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Powershell Enable SMB1Protocol Feature - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Malicious PowerShell", "Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1027", "T1027.005"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "afed80b2-d34b-11eb-a952-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search is to detect a suspicious enabling of smb1protocol through `powershell.exe`. This technique was seen in some ransomware (like reddot) where it enable smb share to do the lateral movement and encrypt other files within the compromise network system. -action.notable.param.rule_title = Powershell Enable SMB1Protocol Feature -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText = "*Enable-WindowsOptionalFeature*" ScriptBlockText = "*SMB1Protocol*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_enable_smb1protocol_feature_filter` - -[ESCU - Powershell Execute COM Object - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search is to detect a COM CLSID execution through powershell. This technique was seen in several adversaries and malware like ransomware conti where it has a feature to execute command using COM Object. This technique may use by network operator at some cases but a good indicator if some application want to gain privilege escalation or bypass uac. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1546.015", "T1546", "T1059.001"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This search is to detect a COM CLSID execution through powershell. This technique was seen in several adversaries and malware like ransomware conti where it has a feature to execute command using COM Object. This technique may use by network operator at some cases but a good indicator if some application want to gain privilege escalation or bypass uac. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -action.escu.known_false_positives = network operrator may use this command. -action.escu.creation_date = 2023-04-14 -action.escu.modification_date = 2023-04-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Powershell Execute COM Object - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Data Destruction", "Hermetic Wiper", "Malicious PowerShell", "Ransomware"] -action.risk = 1 -action.risk.param._risk_message = A suspicious powershell script contains COM CLSID command on host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 5}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Powershell Execute COM Object - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Malicious PowerShell", "Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 10, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1546.015", "T1546", "T1059.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "65711630-f9bf-11eb-8d72-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search is to detect a COM CLSID execution through powershell. This technique was seen in several adversaries and malware like ransomware conti where it has a feature to execute command using COM Object. This technique may use by network operator at some cases but a good indicator if some application want to gain privilege escalation or bypass uac. -action.notable.param.rule_title = Powershell Execute COM Object -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText = "*CreateInstance([type]::GetTypeFromCLSID*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_execute_com_object_filter` - -[ESCU - Powershell Fileless Process Injection via GetProcAddress - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. \ - \ -This analytic identifies `GetProcAddress` in the script block. This is not normal to be used by most PowerShell scripts and is typically unsafe/malicious. Many attack toolkits use GetProcAddress to obtain code execution. \ -In use, `$var_gpa = $var_unsafe_native_methods.GetMethod(GetProcAddress` and later referenced/executed elsewhere. \ -During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1059", "T1055", "T1059.001"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. \ - \ -This analytic identifies `GetProcAddress` in the script block. This is not normal to be used by most PowerShell scripts and is typically unsafe/malicious. Many attack toolkits use GetProcAddress to obtain code execution. \ -In use, `$var_gpa = $var_unsafe_native_methods.GetMethod(GetProcAddress` and later referenced/executed elsewhere. \ -During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = Limited false positives. Filter as needed. -action.escu.creation_date = 2023-04-14 -action.escu.modification_date = 2023-04-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Powershell Fileless Process Injection via GetProcAddress - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Data Destruction", "Hermetic Wiper", "Malicious PowerShell"] -action.risk = 1 -action.risk.param._risk_message = A suspicious powershell script contains GetProcAddress API on host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 48}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Powershell Fileless Process Injection via GetProcAddress - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Malicious PowerShell"], "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1059", "T1055", "T1059.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a26d9db4-c883-11eb-9d75-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. \ - \ -This analytic identifies `GetProcAddress` in the script block. This is not normal to be used by most PowerShell scripts and is typically unsafe/malicious. Many attack toolkits use GetProcAddress to obtain code execution. \ -In use, `$var_gpa = $var_unsafe_native_methods.GetMethod(GetProcAddress` and later referenced/executed elsewhere. \ -During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. -action.notable.param.rule_title = Powershell Fileless Process Injection via GetProcAddress -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText=*getprocaddress* | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_fileless_process_injection_via_getprocaddress_filter` - -[ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ - \ -This analytic identifies `FromBase64String` within the script block. A typical malicious instance will include additional code. \ -Command example - `[Byte[]]$var_code = [System.Convert]::FromBase64String(38uqIyMjQ6rG....` \ - \ -During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1059", "T1027", "T1059.001"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ - \ -This analytic identifies `FromBase64String` within the script block. A typical malicious instance will include additional code. \ -Command example - `[Byte[]]$var_code = [System.Convert]::FromBase64String(38uqIyMjQ6rG....` \ - \ -During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = False positives should be limited. Filter as needed. -action.escu.creation_date = 2023-04-05 -action.escu.modification_date = 2023-04-05 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["AsyncRAT", "Data Destruction", "Hermetic Wiper", "IcedID", "Malicious PowerShell", "NjRAT", "Winter Vivern"] -action.risk = 1 -action.risk.param._risk_message = A suspicious powershell script contains base64 command on host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule -action.correlationsearch.annotations = {"analytic_story": ["AsyncRAT", "Data Destruction", "Hermetic Wiper", "IcedID", "Malicious PowerShell", "NjRAT", "Winter Vivern"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1059", "T1027", "T1059.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "8acbc04c-c882-11eb-b060-acde48001122", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ - \ -This analytic identifies `FromBase64String` within the script block. A typical malicious instance will include additional code. \ -Command example - `[Byte[]]$var_code = [System.Convert]::FromBase64String(38uqIyMjQ6rG....` \ - \ -During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. -action.notable.param.rule_title = Powershell Fileless Script Contains Base64 Encoded Content -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText = "*frombase64string*" OR ScriptBlockText = "*gnirtS46esaBmorF*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest |rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_fileless_script_contains_base64_encoded_content_filter` - -[ESCU - PowerShell Get LocalGroup Discovery - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the use of the `get-localgroup` command executed via PowerShell or cmd.exe to enumerate local groups on an endpoint. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. Monitoring this activity is significant as it may indicate an attacker attempting to gather information about local group memberships, which can be a precursor to privilege escalation. If confirmed malicious, this activity could allow an attacker to identify and target privileged accounts, potentially leading to unauthorized access and control over the system. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.001"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the use of the `get-localgroup` command executed via PowerShell or cmd.exe to enumerate local groups on an endpoint. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. Monitoring this activity is significant as it may indicate an attacker attempting to gather information about local group memberships, which can be a precursor to privilege escalation. If confirmed malicious, this activity could allow an attacker to identify and target privileged accounts, potentially leading to unauthorized access and control over the system. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives may be present. Tune as needed. -action.escu.creation_date = 2024-05-21 -action.escu.modification_date = 2024-05-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - PowerShell Get LocalGroup Discovery - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Discovery"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - PowerShell Get LocalGroup Discovery - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.001"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "b71adfcc-155b-11ec-9413-acde48001122", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=powershell.exe OR Processes.process_name=cmd.exe) (Processes.process="*get-localgroup*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `powershell_get_localgroup_discovery_filter` - -[ESCU - Powershell Get LocalGroup Discovery with Script Block Logging - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ - \ -This analytic identifies PowerShell cmdlet - `get-localgroup` being ran. Typically, by itself, is not malicious but may raise suspicion based on time of day, endpoint and username. \ -During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.001"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ - \ -This analytic identifies PowerShell cmdlet - `get-localgroup` being ran. Typically, by itself, is not malicious but may raise suspicion based on time of day, endpoint and username. \ -During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = False positives may be present. Tune as needed. -action.escu.creation_date = 2022-04-26 -action.escu.modification_date = 2022-04-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Powershell Get LocalGroup Discovery with Script Block Logging - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Discovery"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Powershell Get LocalGroup Discovery with Script Block Logging - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.001"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "d7c6ad22-155c-11ec-bb64-acde48001122", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText = "*get-localgroup*" | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `powershell_get_localgroup_discovery_with_script_block_logging_filter` - -[ESCU - PowerShell Invoke CIMMethod CIMSession - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic identifies the use of the New-CIMSession cmdlet being created along with the Invoke-CIMMethod cmdlet being used within PowerShell. This particular behavior is similar to the usage of the Invoke-WMIMethod cmdlet, which is known for executing WMI commands on targets using NTLMv2 pass-the-hash authentication. The New-CIMSession cmdlet allows users to create a new CIM session object for a specified computer system, which can then be used to execute CIM operations remotely. Similarly, the Invoke-CIMMethod cmdlet is used to invoke a specified method on one or more CIM objects. Therefore, the combination of New-CIMSession and Invoke-CIMMethod cmdlets in PowerShell can potentially indicate malicious behavior, and this analytic can help detect such activity. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic identifies the use of the New-CIMSession cmdlet being created along with the Invoke-CIMMethod cmdlet being used within PowerShell. This particular behavior is similar to the usage of the Invoke-WMIMethod cmdlet, which is known for executing WMI commands on targets using NTLMv2 pass-the-hash authentication. The New-CIMSession cmdlet allows users to create a new CIM session object for a specified computer system, which can then be used to execute CIM operations remotely. Similarly, the Invoke-CIMMethod cmdlet is used to invoke a specified method on one or more CIM objects. Therefore, the combination of New-CIMSession and Invoke-CIMMethod cmdlets in PowerShell can potentially indicate malicious behavior, and this analytic can help detect such activity. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = False positives may be present based on third-party applications or administrators using CIM. It is recommended to apply appropriate filters as needed to minimize the number of false positives. -action.escu.creation_date = 2023-03-22 -action.escu.modification_date = 2023-03-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - PowerShell Invoke CIMMethod CIMSession - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Lateral Movement", "Malicious PowerShell"] -action.risk = 1 -action.risk.param._risk_message = PowerShell was identified running a Invoke-CIMMethod Invoke-CIMSession on $Computer$. -action.risk.param._risk = [{"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - PowerShell Invoke CIMMethod CIMSession - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "Malicious PowerShell"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "651ee958-a433-471c-b264-39725b788b83", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText IN ("*invoke-CIMMethod*", "*New-CimSession*") | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_invoke_cimmethod_cimsession_filter` - -[ESCU - PowerShell Invoke WmiExec Usage - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the execution of the Invoke-WMIExec utility within PowerShell Script Block Logging (EventCode 4104). This detection leverages PowerShell script block logs to identify instances where the Invoke-WMIExec command is used. Monitoring this activity is crucial as it indicates potential lateral movement using WMI commands with NTLMv2 pass-the-hash authentication. If confirmed malicious, this activity could allow an attacker to execute commands remotely on target systems, potentially leading to further compromise and lateral spread within the network. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects the execution of the Invoke-WMIExec utility within PowerShell Script Block Logging (EventCode 4104). This detection leverages PowerShell script block logs to identify instances where the Invoke-WMIExec command is used. Monitoring this activity is crucial as it indicates potential lateral movement using WMI commands with NTLMv2 pass-the-hash authentication. If confirmed malicious, this activity could allow an attacker to execute commands remotely on target systems, potentially leading to further compromise and lateral spread within the network. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = False positives should be limited as this analytic is designed to detect a specific utility. It is recommended to apply appropriate filters as needed to minimize the number of false positives. -action.escu.creation_date = 2024-05-14 -action.escu.modification_date = 2024-05-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - PowerShell Invoke WmiExec Usage - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Suspicious WMI Use"] -action.risk = 1 -action.risk.param._risk_message = PowerShell was identified running a Invoke-WmiExec on $Computer$. -action.risk.param._risk = [{"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 100}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - PowerShell Invoke WmiExec Usage - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious WMI Use"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "0734bd21-2769-4972-a5f1-78bb1e011224", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the execution of the Invoke-WMIExec utility within PowerShell Script Block Logging (EventCode 4104). This detection leverages PowerShell script block logs to identify instances where the Invoke-WMIExec command is used. Monitoring this activity is crucial as it indicates potential lateral movement using WMI commands with NTLMv2 pass-the-hash authentication. If confirmed malicious, this activity could allow an attacker to execute commands remotely on target systems, potentially leading to further compromise and lateral spread within the network. -action.notable.param.rule_title = PowerShell Invoke WmiExec Usage -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText IN ("*invoke-wmiexec*") | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_invoke_wmiexec_usage_filter` - -[ESCU - Powershell Load Module in Meterpreter - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ - \ -This analytic identifies "MSF.Powershell","MSF.Powershell.Meterpreter","MSF.Powershell.Meterpreter.Kiwi","MSF.Powershell.Meterpreter.Transport" being used. This behavior is related to when a Meterpreter session is started and the operator runs load_kiwi. \ -During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ - \ -This analytic identifies "MSF.Powershell","MSF.Powershell.Meterpreter","MSF.Powershell.Meterpreter.Kiwi","MSF.Powershell.Meterpreter.Transport" being used. This behavior is related to when a Meterpreter session is started and the operator runs load_kiwi. \ -During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. -action.escu.how_to_implement = The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -action.escu.known_false_positives = False positives should be very limited as this is strict to MetaSploit behavior. -action.escu.creation_date = 2022-11-22 -action.escu.modification_date = 2022-11-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Powershell Load Module in Meterpreter - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["MetaSploit"] -action.risk = 1 -action.risk.param._risk_message = PowerShell was identified running a script utilized by Meterpreter from MetaSploit on endpoint $Computer$ by user $user_id$. -action.risk.param._risk = [{"risk_object_field": "user_id", "risk_object_type": "user", "risk_score": 100}, {"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 100}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Powershell Load Module in Meterpreter - Rule -action.correlationsearch.annotations = {"analytic_story": ["MetaSploit"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "d5905da5-d050-48db-9259-018d8f034fcf", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ - \ -This analytic identifies "MSF.Powershell","MSF.Powershell.Meterpreter","MSF.Powershell.Meterpreter.Kiwi","MSF.Powershell.Meterpreter.Transport" being used. This behavior is related to when a Meterpreter session is started and the operator runs load_kiwi. \ -During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. -action.notable.param.rule_title = Powershell Load Module in Meterpreter -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText IN ("*MSF.Powershell*","*MSF.Powershell.Meterpreter*","*MSF.Powershell.Meterpreter.Kiwi*","*MSF.Powershell.Meterpreter.Transport*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_load_module_in_meterpreter_filter` - -[ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. \ - \ -This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. \ -During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. \ - \ -This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. \ -During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = False positives should be limited as day to day scripts do not use this method. -action.escu.creation_date = 2023-04-05 -action.escu.modification_date = 2023-04-05 -action.escu.confidence = high -action.escu.full_search_name = ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["AgentTesla", "AsyncRAT", "Data Destruction", "Hermetic Wiper", "Malicious PowerShell", "Winter Vivern"] -action.risk = 1 -action.risk.param._risk_message = A suspicious powershell script contains reflective class assembly command in $ScriptBlockText$ to load .net code in memory with EventCode $EventCode$ in host $Computer$ -action.risk.param._risk = [{"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 56}, {"risk_object_field": "UserID", "risk_object_type": "user", "risk_score": 56}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule -action.correlationsearch.annotations = {"analytic_story": ["AgentTesla", "AsyncRAT", "Data Destruction", "Hermetic Wiper", "Malicious PowerShell", "Winter Vivern"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "85bc3f30-ca28-11eb-bd21-acde48001122", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. \ - \ -This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. \ -During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. -action.notable.param.rule_title = PowerShell Loading DotNET into Memory via Reflection -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText IN ("*[system.reflection.assembly]::load(*","*[reflection.assembly]*", "*reflection.assembly*") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_loading_dotnet_into_memory_via_reflection_filter` - -[ESCU - Powershell Processing Stream Of Data - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies suspicious PowerShell script execution via EventCode 4104 that is processing compressed stream data. This is typically found in obfuscated PowerShell or PowerShell executing embedded .NET or binary files that are stream flattened and will be deflated durnig execution. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies suspicious PowerShell script execution via EventCode 4104 that is processing compressed stream data. This is typically found in obfuscated PowerShell or PowerShell executing embedded .NET or binary files that are stream flattened and will be deflated durnig execution. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = powershell may used this function to process compressed data. -action.escu.creation_date = 2023-04-14 -action.escu.modification_date = 2023-04-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Powershell Processing Stream Of Data - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["AsyncRAT", "Data Destruction", "Hermetic Wiper", "IcedID", "Malicious PowerShell"] -action.risk = 1 -action.risk.param._risk_message = A suspicious powershell script contains stream command in $ScriptBlockText$ commonly for processing compressed or to decompressed binary file with EventCode $EventCode$ in host $Computer$ -action.risk.param._risk = [{"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 40}, {"risk_object_field": "UserID", "risk_object_type": "user", "risk_score": 40}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Powershell Processing Stream Of Data - Rule -action.correlationsearch.annotations = {"analytic_story": ["AsyncRAT", "Data Destruction", "Hermetic Wiper", "IcedID", "Malicious PowerShell"], "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "0d718b52-c9f1-11eb-bc61-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies suspicious PowerShell script execution via EventCode 4104 that is processing compressed stream data. This is typically found in obfuscated PowerShell or PowerShell executing embedded .NET or binary files that are stream flattened and will be deflated durnig execution. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts. -action.notable.param.rule_title = Powershell Processing Stream Of Data -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText = "*IO.Compression.*" OR ScriptBlockText = "*IO.StreamReader*" OR ScriptBlockText = "*]::Decompress*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_processing_stream_of_data_filter` - -[ESCU - Powershell Remote Services Add TrustedHost - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a suspicious PowerShell script execution via EventCode 4104 that contains command to add or modify the trustedhost configuration in Windows OS. This behavior raises concerns due to the nature of modifications made to the 'TrustedHost' configuration, which typically involves adjusting settings crucial for remote connections and security protocols. Alterations in this area could potentially indicate attempts to manipulate trusted hosts or systems for unauthorized remote access, a tactic commonly observed in various unauthorized access or compromise attempts. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.006", "T1021"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies a suspicious PowerShell script execution via EventCode 4104 that contains command to add or modify the trustedhost configuration in Windows OS. This behavior raises concerns due to the nature of modifications made to the 'TrustedHost' configuration, which typically involves adjusting settings crucial for remote connections and security protocols. Alterations in this area could potentially indicate attempts to manipulate trusted hosts or systems for unauthorized remote access, a tactic commonly observed in various unauthorized access or compromise attempts. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = user and network administrator may used this function to add trusted host. -action.escu.creation_date = 2023-11-23 -action.escu.modification_date = 2023-11-23 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Powershell Remote Services Add TrustedHost - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["DarkGate Malware"] -action.risk = 1 -action.risk.param._risk_message = a powershell script adding a remote trustedhost on $dest$ . -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Powershell Remote Services Add TrustedHost - Rule -action.correlationsearch.annotations = {"analytic_story": ["DarkGate Malware"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.006", "T1021"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "bef21d24-297e-45e3-9b9a-c6ac45450474", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a suspicious PowerShell script execution via EventCode 4104 that contains command to add or modify the trustedhost configuration in Windows OS. This behavior raises concerns due to the nature of modifications made to the 'TrustedHost' configuration, which typically involves adjusting settings crucial for remote connections and security protocols. Alterations in this area could potentially indicate attempts to manipulate trusted hosts or systems for unauthorized remote access, a tactic commonly observed in various unauthorized access or compromise attempts. -action.notable.param.rule_title = Powershell Remote Services Add TrustedHost -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText = "*WSMan:\\localhost\\Client\\TrustedHosts*" ScriptBlockText IN ("* -Value *", "* -Concatenate *") | rename Computer as dest, UserID as user | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_remote_services_add_trustedhost_filter` - -[ESCU - Powershell Remote Thread To Known Windows Process - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = this search is designed to detect suspicious powershell process that tries to inject code and to known/critical windows process and execute it using CreateRemoteThread. This technique is seen in several malware like trickbot and offensive tooling like cobaltstrike where it load a shellcode to svchost.exe to execute reverse shell to c2 and download another payload -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = this search is designed to detect suspicious powershell process that tries to inject code and to known/critical windows process and execute it using CreateRemoteThread. This technique is seen in several malware like trickbot and offensive tooling like cobaltstrike where it load a shellcode to svchost.exe to execute reverse shell to c2 and download another payload -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, Create Remote thread from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of create remote thread may be used. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2022-08-25 -action.escu.modification_date = 2022-08-25 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Powershell Remote Thread To Known Windows Process - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["Trickbot"] -action.risk = 1 -action.risk.param._risk_message = A suspicious powershell process $process_name$ that tries to create a remote thread on target process $TargetImage$ with eventcode $EventCode$ in host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}, {"threat_object_field": "process_name", "threat_object_type": "process"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Powershell Remote Thread To Known Windows Process - Rule -action.correlationsearch.annotations = {"analytic_story": ["Trickbot"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "ec102cb2-a0f5-11eb-9b38-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = this search is designed to detect suspicious powershell process that tries to inject code and to known/critical windows process and execute it using CreateRemoteThread. This technique is seen in several malware like trickbot and offensive tooling like cobaltstrike where it load a shellcode to svchost.exe to execute reverse shell to c2 and download another payload -action.notable.param.rule_title = Powershell Remote Thread To Known Windows Process -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode = 8 parent_process_name IN ("powershell_ise.exe", "powershell.exe") TargetImage IN ("*\\svchost.exe","*\\csrss.exe" "*\\gpupdate.exe", "*\\explorer.exe","*\\services.exe","*\\winlogon.exe","*\\smss.exe","*\\wininit.exe","*\\userinit.exe","*\\spoolsv.exe","*\\taskhost.exe") | stats min(_time) as firstTime max(_time) as lastTime count by SourceImage process_name SourceProcessId SourceProcessGuid TargetImage TargetProcessId NewThreadId StartAddress dest EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_remote_thread_to_known_windows_process_filter` - -[ESCU - Powershell Remove Windows Defender Directory - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic will identify a suspicious PowerShell command used to delete the Windows Defender folder. This technique was seen used by the WhisperGate malware campaign where it used Nirsofts advancedrun.exe to gain administrative privileges to then execute a PowerShell command to delete the Windows Defender folder. This is a good indicator the offending process is trying corrupt a Windows Defender installation. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic will identify a suspicious PowerShell command used to delete the Windows Defender folder. This technique was seen used by the WhisperGate malware campaign where it used Nirsofts advancedrun.exe to gain administrative privileges to then execute a PowerShell command to delete the Windows Defender folder. This is a good indicator the offending process is trying corrupt a Windows Defender installation. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-04-14 -action.escu.modification_date = 2023-04-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Powershell Remove Windows Defender Directory - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Data Destruction", "WhisperGate"] -action.risk = 1 -action.risk.param._risk_message = suspicious powershell script $ScriptBlockText$ was executed on the $Computer$ -action.risk.param._risk = [{"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 90}, {"risk_object_field": "UserID", "risk_object_type": "user", "risk_score": 90}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Powershell Remove Windows Defender Directory - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "WhisperGate"], "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "adf47620-79fa-11ec-b248-acde48001122", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic will identify a suspicious PowerShell command used to delete the Windows Defender folder. This technique was seen used by the WhisperGate malware campaign where it used Nirsofts advancedrun.exe to gain administrative privileges to then execute a PowerShell command to delete the Windows Defender folder. This is a good indicator the offending process is trying corrupt a Windows Defender installation. -action.notable.param.rule_title = Powershell Remove Windows Defender Directory -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText = "*rmdir *" AND ScriptBlockText = "*\\Microsoft\\Windows Defender*" | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_remove_windows_defender_directory_filter` - -[ESCU - PowerShell Script Block With URL Chain - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a suspicious PowerShell script execution via EventCode 4104 that contains multiple URLs within a function or array. This is typically found in obfuscated PowerShell or PowerShell executing embedded .NET or binary files that are attempting to download 2nd stage payloads. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control", "Installation"], "mitre_attack": ["T1059.001", "T1105"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies a suspicious PowerShell script execution via EventCode 4104 that contains multiple URLs within a function or array. This is typically found in obfuscated PowerShell or PowerShell executing embedded .NET or binary files that are attempting to download 2nd stage payloads. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts. -action.escu.how_to_implement = The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -action.escu.known_false_positives = Unknown, possible custom scripting. -action.escu.creation_date = 2023-06-13 -action.escu.modification_date = 2023-06-13 -action.escu.confidence = high -action.escu.full_search_name = ESCU - PowerShell Script Block With URL Chain - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Malicious PowerShell"] -action.risk = 1 -action.risk.param._risk_message = A suspicious powershell script used by $user$ on host $dest$ contains $url_count$ URLs in an array, this is commonly used for malware. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"threat_object_field": "file_name", "threat_object_type": "file_name"}, {"threat_object_field": "url", "threat_object_type": "url"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - PowerShell Script Block With URL Chain - Rule -action.correlationsearch.annotations = {"analytic_story": ["Malicious PowerShell"], "cis20": ["CIS 10"], "confidence": 80, "impact": 100, "kill_chain_phases": ["Command and Control", "Installation"], "mitre_attack": ["T1059.001", "T1105"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "4a3f2a7d-6402-4e64-a76a-869588ec3b57", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a suspicious PowerShell script execution via EventCode 4104 that contains multiple URLs within a function or array. This is typically found in obfuscated PowerShell or PowerShell executing embedded .NET or binary files that are attempting to download 2nd stage payloads. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts. -action.notable.param.rule_title = PowerShell Script Block With URL Chain -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText IN ("*http:*","*https:*") | regex ScriptBlockText="(\"?(https?:\/\/(?:www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b(?:[-a-zA-Z0-9()@:%_\+.~#?&\/=]*))\"?(?:,|\))?){2,}" | rex max_match=20 field=ScriptBlockText "(?https?:\/\/(?:www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b(?:[-a-zA-Z0-9()@:%_\+.~#?&\/=]*))" | eval Path = case(isnotnull(Path),Path,true(),"unknown") | stats count min(_time) as firstTime max(_time) as lastTime list(ScriptBlockText) as command values(Path) as file_name values(UserID) as user values(url) as url dc(url) as url_count by ActivityID, Computer, EventCode | rename Computer as dest, EventCode as signature_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_script_block_with_url_chain_filter` - -[ESCU - PowerShell Start-BitsTransfer - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = Start-BitsTransfer is the PowerShell "version" of BitsAdmin.exe. Similar functionality is present. This technique variation is not as commonly used by adversaries, but has been abused in the past. Lesser known uses include the ability to set the `-TransferType` to `Upload` for exfiltration of files. In an instance where `Upload` is used, it is highly possible files will be archived. During triage, review parallel processes and process lineage. Capture any files on disk and review. For the remote domain or IP, what is the reputation? -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1197"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = Start-BitsTransfer is the PowerShell "version" of BitsAdmin.exe. Similar functionality is present. This technique variation is not as commonly used by adversaries, but has been abused in the past. Lesser known uses include the ability to set the `-TransferType` to `Upload` for exfiltration of files. In an instance where `Upload` is used, it is highly possible files will be archived. During triage, review parallel processes and process lineage. Capture any files on disk and review. For the remote domain or IP, what is the reputation? -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Limited false positives. It is possible administrators will utilize Start-BitsTransfer for administrative tasks, otherwise filter based parent process or command-line arguments. -action.escu.creation_date = 2021-03-29 -action.escu.modification_date = 2021-03-29 -action.escu.confidence = high -action.escu.full_search_name = ESCU - PowerShell Start-BitsTransfer - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["BITS Jobs"] -action.risk = 1 -action.risk.param._risk_message = A suspicious process $process_name$ with commandline $process$ that are related to bittransfer functionality in host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 56}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - PowerShell Start-BitsTransfer - Rule -action.correlationsearch.annotations = {"analytic_story": ["BITS Jobs"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1197"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "39e2605a-90d8-11eb-899e-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = Start-BitsTransfer is the PowerShell "version" of BitsAdmin.exe. Similar functionality is present. This technique variation is not as commonly used by adversaries, but has been abused in the past. Lesser known uses include the ability to set the `-TransferType` to `Upload` for exfiltration of files. In an instance where `Upload` is used, it is highly possible files will be archived. During triage, review parallel processes and process lineage. Capture any files on disk and review. For the remote domain or IP, what is the reputation? -action.notable.param.rule_title = PowerShell Start-BitsTransfer -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=*start-bitstransfer* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.original_file_name Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_start_bitstransfer_filter` - -[ESCU - PowerShell Start or Stop Service - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic identifies the use of PowerShell's Start-Service or Stop-Service cmdlets on an endpoint. These cmdlets allow users to start or stop a specified Windows service. The ability to manipulate services can be leveraged by attackers to disable or stop critical services, which can cause system instability or disrupt business operations. By detecting the use of Start-Service or Stop-Service cmdlets via PowerShell, this analytic can help organizations identify potential malicious activity related to attackers attempting to manipulate services on compromised systems. However, note that this behavior may be noisy, as these cmdlets are commonly used by system administrators or other legitimate users to manage services. Therefore, it is recommended not to enable this analytic as a direct notable or TTP. Instead, it should be used as part of a broader set of security controls to detect and investigate potential threats. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.001"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic identifies the use of PowerShell's Start-Service or Stop-Service cmdlets on an endpoint. These cmdlets allow users to start or stop a specified Windows service. The ability to manipulate services can be leveraged by attackers to disable or stop critical services, which can cause system instability or disrupt business operations. By detecting the use of Start-Service or Stop-Service cmdlets via PowerShell, this analytic can help organizations identify potential malicious activity related to attackers attempting to manipulate services on compromised systems. However, note that this behavior may be noisy, as these cmdlets are commonly used by system administrators or other legitimate users to manage services. Therefore, it is recommended not to enable this analytic as a direct notable or TTP. Instead, it should be used as part of a broader set of security controls to detect and investigate potential threats. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = This behavior may be noisy, as these cmdlets are commonly used by system administrators or other legitimate users to manage services. Therefore, it is recommended not to enable this analytic as a direct notable or TTP. Instead, it should be used as part of a broader set of security controls to detect and investigate potential threats. -action.escu.creation_date = 2023-03-24 -action.escu.modification_date = 2023-03-24 -action.escu.confidence = high -action.escu.full_search_name = ESCU - PowerShell Start or Stop Service - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Lateral Movement"] -action.risk = 1 -action.risk.param._risk_message = PowerShell was identified attempting to start or stop a service on $Computer$. -action.risk.param._risk = [{"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 10}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - PowerShell Start or Stop Service - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 20, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.001"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "04207f8a-e08d-4ee6-be26-1e0c4488b04a", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText IN ("*start-service*", "*stop-service*") | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_start_or_stop_service_filter` - -[ESCU - Powershell Using memory As Backing Store - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies suspicious PowerShell script execution via EventCode 4104 that is using memory stream as new object backstore. The malicious PowerShell script will contain stream flate data and will be decompressed in memory to run or drop the actual payload. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.001", "T1059"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies suspicious PowerShell script execution via EventCode 4104 that is using memory stream as new object backstore. The malicious PowerShell script will contain stream flate data and will be decompressed in memory to run or drop the actual payload. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = powershell may used this function to store out object into memory. -action.escu.creation_date = 2023-04-14 -action.escu.modification_date = 2023-04-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Powershell Using memory As Backing Store - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Data Destruction", "Hermetic Wiper", "IcedID", "Malicious PowerShell"] -action.risk = 1 -action.risk.param._risk_message = A PowerShell script contains memorystream command on host $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 40}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 40}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Powershell Using memory As Backing Store - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Hermetic Wiper", "IcedID", "Malicious PowerShell"], "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.001", "T1059"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c396a0c4-c9f2-11eb-b4f5-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies suspicious PowerShell script execution via EventCode 4104 that is using memory stream as new object backstore. The malicious PowerShell script will contain stream flate data and will be decompressed in memory to run or drop the actual payload. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts. -action.notable.param.rule_title = Powershell Using memory As Backing Store -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText = *New-Object* ScriptBlockText = *IO.MemoryStream* | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_using_memory_as_backing_store_filter` - -[ESCU - PowerShell WebRequest Using Memory Stream - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the use of .NET classes in PowerShell to download a URL payload directly into memory, a common fileless malware staging technique. It leverages PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell commands involving `system.net.webclient`, `system.net.webrequest`, and `IO.MemoryStream`. This activity is significant as it indicates potential fileless malware execution, which is harder to detect and can bypass traditional file-based defenses. If confirmed malicious, this technique could allow attackers to execute code in memory, evade detection, and maintain persistence in the environment. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control", "Exploitation", "Installation"], "mitre_attack": ["T1059.001", "T1105", "T1027.011"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects the use of .NET classes in PowerShell to download a URL payload directly into memory, a common fileless malware staging technique. It leverages PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell commands involving `system.net.webclient`, `system.net.webrequest`, and `IO.MemoryStream`. This activity is significant as it indicates potential fileless malware execution, which is harder to detect and can bypass traditional file-based defenses. If confirmed malicious, this technique could allow attackers to execute code in memory, evade detection, and maintain persistence in the environment. -action.escu.how_to_implement = The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -action.escu.known_false_positives = Unknown, possible custom scripting. -action.escu.creation_date = 2024-05-12 -action.escu.modification_date = 2024-05-12 -action.escu.confidence = high -action.escu.full_search_name = ESCU - PowerShell WebRequest Using Memory Stream - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Malicious PowerShell"] -action.risk = 1 -action.risk.param._risk_message = Powershell webrequest to memory stream behavior. Possible fileless malware staging on $dest$ by $user$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"threat_object_field": "file_name", "threat_object_type": "file_name"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - PowerShell WebRequest Using Memory Stream - Rule -action.correlationsearch.annotations = {"analytic_story": ["Malicious PowerShell"], "cis20": ["CIS 10"], "confidence": 80, "impact": 100, "kill_chain_phases": ["Command and Control", "Exploitation", "Installation"], "mitre_attack": ["T1059.001", "T1105", "T1027.011"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "103affa6-924a-4b53-aff4-1d5075342aab", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the use of .NET classes in PowerShell to download a URL payload directly into memory, a common fileless malware staging technique. It leverages PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell commands involving `system.net.webclient`, `system.net.webrequest`, and `IO.MemoryStream`. This activity is significant as it indicates potential fileless malware execution, which is harder to detect and can bypass traditional file-based defenses. If confirmed malicious, this technique could allow attackers to execute code in memory, evade detection, and maintain persistence in the environment. -action.notable.param.rule_title = PowerShell WebRequest Using Memory Stream -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText IN ("*system.net.webclient*","*system.net.webrequest*") AND ScriptBlockText="*IO.MemoryStream*" | eval Path = case(isnotnull(Path),Path,true(),"unknown") | stats count min(_time) as firstTime max(_time) as lastTime list(ScriptBlockText) as command values(Path) as file_name values(UserID) as user by ActivityID, Computer, EventCode | rename Computer as dest, EventCode as signature_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_webrequest_using_memory_stream_filter` - -[ESCU - Powershell Windows Defender Exclusion Commands - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic will detect a suspicious process commandline related to windows defender exclusion feature. This command is abused by adversaries, malware author and red teams to bypassed Windows Defender Anti-Virus product by excluding folder path, file path, process, extensions and etc. from its real time or schedule scan to execute their malicious code. This is a good indicator for defense evasion and to look further for events after this behavior. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic will detect a suspicious process commandline related to windows defender exclusion feature. This command is abused by adversaries, malware author and red teams to bypassed Windows Defender Anti-Virus product by excluding folder path, file path, process, extensions and etc. from its real time or schedule scan to execute their malicious code. This is a good indicator for defense evasion and to look further for events after this behavior. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -action.escu.known_false_positives = admin or user may choose to use this windows features. -action.escu.creation_date = 2024-04-26 -action.escu.modification_date = 2024-04-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Powershell Windows Defender Exclusion Commands - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["AgentTesla", "CISA AA22-320A", "Data Destruction", "Remcos", "Warzone RAT", "WhisperGate", "Windows Defense Evasion Tactics"] -action.risk = 1 -action.risk.param._risk_message = exclusion command $ScriptBlockText$ executed on $Computer$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Powershell Windows Defender Exclusion Commands - Rule -action.correlationsearch.annotations = {"analytic_story": ["AgentTesla", "CISA AA22-320A", "Data Destruction", "Remcos", "Warzone RAT", "WhisperGate", "Windows Defense Evasion Tactics"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "907ac95c-4dd9-11ec-ba2c-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic will detect a suspicious process commandline related to windows defender exclusion feature. This command is abused by adversaries, malware author and red teams to bypassed Windows Defender Anti-Virus product by excluding folder path, file path, process, extensions and etc. from its real time or schedule scan to execute their malicious code. This is a good indicator for defense evasion and to look further for events after this behavior. -action.notable.param.rule_title = Powershell Windows Defender Exclusion Commands -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 (ScriptBlockText = "*Add-MpPreference *" OR ScriptBlockText = "*Set-MpPreference *") AND ScriptBlockText = "*-exclusion*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_windows_defender_exclusion_commands_filter` - -[ESCU - Prevent Automatic Repair Mode using Bcdedit - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the execution of "bcdedit.exe" with parameters to set the boot status policy to ignore all failures. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because it can indicate an attempt by ransomware to prevent a compromised machine from booting into automatic repair mode, thereby hindering recovery efforts. If confirmed malicious, this action could allow attackers to maintain control over the infected system, complicating remediation and potentially leading to further damage. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the execution of "bcdedit.exe" with parameters to set the boot status policy to ignore all failures. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because it can indicate an attempt by ransomware to prevent a compromised machine from booting into automatic repair mode, thereby hindering recovery efforts. If confirmed malicious, this action could allow attackers to maintain control over the infected system, complicating remediation and potentially leading to further damage. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators may modify the boot configuration ignore failure during testing and debugging. -action.escu.creation_date = 2024-05-16 -action.escu.modification_date = 2024-05-16 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Prevent Automatic Repair Mode using Bcdedit - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Chaos Ransomware", "Ransomware"] -action.risk = 1 -action.risk.param._risk_message = A suspicious process $process_name$ with process id $process_id$ contains commandline $process$ to ignore all bcdedit execution failure in host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 56}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Prevent Automatic Repair Mode using Bcdedit - Rule -action.correlationsearch.annotations = {"analytic_story": ["Chaos Ransomware", "Ransomware"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "7742aa92-c9d9-11eb-bbfc-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the execution of "bcdedit.exe" with parameters to set the boot status policy to ignore all failures. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because it can indicate an attempt by ransomware to prevent a compromised machine from booting into automatic repair mode, thereby hindering recovery efforts. If confirmed malicious, this action could allow attackers to maintain control over the infected system, complicating remediation and potentially leading to further damage. -action.notable.param.rule_title = Prevent Automatic Repair Mode using Bcdedit -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "bcdedit.exe" Processes.process = "*bootstatuspolicy*" Processes.process = "*ignoreallfailures*" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `prevent_automatic_repair_mode_using_bcdedit_filter` - -[ESCU - Print Processor Registry Autostart - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This analytic is to detect a suspicious modification or new registry entry regarding print processor. This registry is known to be abuse by turla or other APT to gain persistence and privilege escalation to the compromised machine. This is done by adding the malicious dll payload on the new created key in this registry that will be executed as it restarted the spoolsv.exe process and services. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is to detect a suspicious modification or new registry entry regarding print processor. This registry is known to be abuse by turla or other APT to gain persistence and privilege escalation to the compromised machine. This is done by adding the malicious dll payload on the new created key in this registry that will be executed as it restarted the spoolsv.exe process and services. -action.escu.how_to_implement = To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry. -action.escu.known_false_positives = possible new printer installation may add driver component on this registry. -action.escu.creation_date = 2024-04-26 -action.escu.modification_date = 2024-04-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Print Processor Registry Autostart - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Data Destruction", "Hermetic Wiper", "Windows Persistence Techniques", "Windows Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = modified/added/deleted registry entry $Registry.registry_path$ in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Print Processor Registry Autostart - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Persistence Techniques", "Windows Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "1f5b68aa-2037-11ec-898e-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic is to detect a suspicious modification or new registry entry regarding print processor. This registry is known to be abuse by turla or other APT to gain persistence and privilege escalation to the compromised machine. This is done by adding the malicious dll payload on the new created key in this registry that will be executed as it restarted the spoolsv.exe process and services. -action.notable.param.rule_title = Print Processor Registry Autostart -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path ="*\\Control\\Print\\Environments\\Windows x64\\Print Processors*" by Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `print_processor_registry_autostart_filter` - -[ESCU - Print Spooler Adding A Printer Driver - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies new printer drivers being load by utilizing the Windows PrintService operational logs, EventCode 316. This was identified during our testing of CVE-2021-34527 previously (CVE-2021-1675) or PrintNightmare. \ - \ -Within the proof of concept code, the following event will occur - "Printer driver 1234 for Windows x64 Version-3 was added or updated. Files:- UNIDRV.DLL, kernelbase.dll, evil.dll. No user action is required." \ -During triage, isolate the endpoint and review for source of exploitation. Capture any additional file modification events and review the source of where the exploitation began. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies new printer drivers being load by utilizing the Windows PrintService operational logs, EventCode 316. This was identified during our testing of CVE-2021-34527 previously (CVE-2021-1675) or PrintNightmare. \ - \ -Within the proof of concept code, the following event will occur - "Printer driver 1234 for Windows x64 Version-3 was added or updated. Files:- UNIDRV.DLL, kernelbase.dll, evil.dll. No user action is required." \ -During triage, isolate the endpoint and review for source of exploitation. Capture any additional file modification events and review the source of where the exploitation began. -action.escu.how_to_implement = You will need to ensure PrintService Admin and Operational logs are being logged to Splunk from critical or all systems. -action.escu.known_false_positives = Unknown. This may require filtering. -action.escu.creation_date = 2021-07-01 -action.escu.modification_date = 2021-07-01 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Print Spooler Adding A Printer Driver - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["PrintNightmare CVE-2021-34527"] -action.risk = 1 -action.risk.param._risk_message = Suspicious print driver was loaded on endpoint $ComputerName$. -action.risk.param._risk = [{"risk_object_field": "ComputerName", "risk_object_type": "system", "risk_score": 72}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Print Spooler Adding A Printer Driver - Rule -action.correlationsearch.annotations = {"analytic_story": ["PrintNightmare CVE-2021-34527"], "cis20": ["CIS 10"], "confidence": 90, "cve": ["CVE-2021-34527", "CVE-2021-1675"], "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "313681a2-da8e-11eb-adad-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies new printer drivers being load by utilizing the Windows PrintService operational logs, EventCode 316. This was identified during our testing of CVE-2021-34527 previously (CVE-2021-1675) or PrintNightmare. \ - \ -Within the proof of concept code, the following event will occur - "Printer driver 1234 for Windows x64 Version-3 was added or updated. Files:- UNIDRV.DLL, kernelbase.dll, evil.dll. No user action is required." \ -During triage, isolate the endpoint and review for source of exploitation. Capture any additional file modification events and review the source of where the exploitation began. -action.notable.param.rule_title = Print Spooler Adding A Printer Driver -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `printservice` EventCode=316 category = "Adding a printer driver" Message = "*kernelbase.dll,*" Message = "*UNIDRV.DLL,*" Message = "*.DLL.*" | stats count min(_time) as firstTime max(_time) as lastTime by OpCode EventCode ComputerName Message | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `print_spooler_adding_a_printer_driver_filter` - -[ESCU - Print Spooler Failed to Load a Plug-in - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies driver load errors utilizing the Windows PrintService Admin logs. This was identified during our testing of CVE-2021-34527 previously (CVE-2021-1675) or PrintNightmare. \ -Within the proof of concept code, the following error will occur - "The print spooler failed to load a plug-in module C:\Windows\system32\spool\DRIVERS\x64\3\meterpreter.dll, error code 0x45A. See the event user data for context information." \ -The analytic is based on file path and failure to load the plug-in. \ -During triage, isolate the endpoint and review for source of exploitation. Capture any additional file modification events. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies driver load errors utilizing the Windows PrintService Admin logs. This was identified during our testing of CVE-2021-34527 previously (CVE-2021-1675) or PrintNightmare. \ -Within the proof of concept code, the following error will occur - "The print spooler failed to load a plug-in module C:\Windows\system32\spool\DRIVERS\x64\3\meterpreter.dll, error code 0x45A. See the event user data for context information." \ -The analytic is based on file path and failure to load the plug-in. \ -During triage, isolate the endpoint and review for source of exploitation. Capture any additional file modification events. -action.escu.how_to_implement = You will need to ensure PrintService Admin and Operational logs are being logged to Splunk from critical or all systems. -action.escu.known_false_positives = False positives are unknown and filtering may be required. -action.escu.creation_date = 2021-07-01 -action.escu.modification_date = 2021-07-01 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Print Spooler Failed to Load a Plug-in - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["PrintNightmare CVE-2021-34527"] -action.risk = 1 -action.risk.param._risk_message = Suspicious printer spooler errors have occured on endpoint $ComputerName$ with EventCode $EventCode$. -action.risk.param._risk = [{"risk_object_field": "ComputerName", "risk_object_type": "system", "risk_score": 72}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Print Spooler Failed to Load a Plug-in - Rule -action.correlationsearch.annotations = {"analytic_story": ["PrintNightmare CVE-2021-34527"], "cis20": ["CIS 10"], "confidence": 90, "cve": ["CVE-2021-34527", "CVE-2021-1675"], "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "1adc9548-da7c-11eb-8f13-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies driver load errors utilizing the Windows PrintService Admin logs. This was identified during our testing of CVE-2021-34527 previously (CVE-2021-1675) or PrintNightmare. \ -Within the proof of concept code, the following error will occur - "The print spooler failed to load a plug-in module C:\Windows\system32\spool\DRIVERS\x64\3\meterpreter.dll, error code 0x45A. See the event user data for context information." \ -The analytic is based on file path and failure to load the plug-in. \ -During triage, isolate the endpoint and review for source of exploitation. Capture any additional file modification events. -action.notable.param.rule_title = Print Spooler Failed to Load a Plug-in -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `printservice` ((ErrorCode="0x45A" (EventCode="808" OR EventCode="4909")) OR ("The print spooler failed to load a plug-in module" OR "\\drivers\\x64\\")) | stats count min(_time) as firstTime max(_time) as lastTime by OpCode EventCode ComputerName Message | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `print_spooler_failed_to_load_a_plug_in_filter` - -[ESCU - Process Creating LNK file in Suspicious Location - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects a process creating a `.lnk` file in suspicious locations such as `C:\User*` or `*\Local\Temp\*`. It leverages filesystem and process activity data from the Endpoint data model to identify this behavior. This activity is significant because creating `.lnk` files in these directories is a common tactic used by spear phishing tools to establish persistence or execute malicious payloads. If confirmed malicious, this could allow an attacker to maintain persistence, execute arbitrary code, or further compromise the system. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.002"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects a process creating a `.lnk` file in suspicious locations such as `C:\User*` or `*\Local\Temp\*`. It leverages filesystem and process activity data from the Endpoint data model to identify this behavior. This activity is significant because creating `.lnk` files in these directories is a common tactic used by spear phishing tools to establish persistence or execute malicious payloads. If confirmed malicious, this could allow an attacker to maintain persistence, execute arbitrary code, or further compromise the system. -action.escu.how_to_implement = You must be ingesting data that records filesystem and process activity from your hosts to populate the Endpoint data model. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or endpoint data sources, such as Sysmon. -action.escu.known_false_positives = This detection should yield little or no false positive results. It is uncommon for LNK files to be executed from temporary or user directories. -action.escu.creation_date = 2024-05-15 -action.escu.modification_date = 2024-05-15 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Process Creating LNK file in Suspicious Location - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Amadey", "IcedID", "Qakbot", "Spearphishing Attachments"] -action.risk = 1 -action.risk.param._risk_message = A process $process_name$ that launching .lnk file in $file_path$ in host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 63}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Process Creating LNK file in Suspicious Location - Rule -action.correlationsearch.annotations = {"analytic_story": ["Amadey", "IcedID", "Qakbot", "Spearphishing Attachments"], "cis20": ["CIS 13"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.002"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "5d814af1-1041-47b5-a9ac-d754e82e9a26", "detection_version": "7"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects a process creating a `.lnk` file in suspicious locations such as `C:\User*` or `*\Local\Temp\*`. It leverages filesystem and process activity data from the Endpoint data model to identify this behavior. This activity is significant because creating `.lnk` files in these directories is a common tactic used by spear phishing tools to establish persistence or execute malicious payloads. If confirmed malicious, this could allow an attacker to maintain persistence, execute arbitrary code, or further compromise the system. -action.notable.param.rule_title = Process Creating LNK file in Suspicious Location -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name="*.lnk" AND (Filesystem.file_path="C:\\Users\\*" OR Filesystem.file_path="*\\Temp\\*") by _time span=1h Filesystem.process_guid Filesystem.file_name Filesystem.file_path Filesystem.file_hash Filesystem.user | `drop_dm_object_name(Filesystem)` | rename process_guid as lnk_guid | join lnk_guid _time [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=* by _time span=1h Processes.parent_process_name Processes.parent_process_guid Processes.process_name Processes.dest Processes.process Processes.path | `drop_dm_object_name(Processes)` | rename parent_process_guid as lnk_guid] | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table firstTime, lastTime, lnk_guid, user, dest, file_name, file_path, process_name, process, process_path, file_hash | `process_creating_lnk_file_in_suspicious_location_filter` - -[ESCU - Process Deleting Its Process File Path - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This detection is to identify a suspicious process that tries to delete the process file path related to its process. This technique is known to be defense evasion once a certain condition of malware is satisfied or not. Clop ransomware use this technique where it will try to delete its process file path using a .bat command if the keyboard layout is not the layout it tries to infect. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This detection is to identify a suspicious process that tries to delete the process file path related to its process. This technique is known to be defense evasion once a certain condition of malware is satisfied or not. Clop ransomware use this technique where it will try to delete its process file path using a .bat command if the keyboard layout is not the layout it tries to infect. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-04-14 -action.escu.modification_date = 2023-04-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Process Deleting Its Process File Path - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["Clop Ransomware", "Data Destruction", "Remcos", "WhisperGate"] -action.risk = 1 -action.risk.param._risk_message = A process $Image$ tries to delete its process path in commandline $CommandLine$ as part of defense evasion in host $dest$ by user $user$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 60}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 60}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Process Deleting Its Process File Path - Rule -action.correlationsearch.annotations = {"analytic_story": ["Clop Ransomware", "Data Destruction", "Remcos", "WhisperGate"], "cis20": ["CIS 10"], "confidence": 100, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "f7eda4bc-871c-11eb-b110-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This detection is to identify a suspicious process that tries to delete the process file path related to its process. This technique is known to be defense evasion once a certain condition of malware is satisfied or not. Clop ransomware use this technique where it will try to delete its process file path using a .bat command if the keyboard layout is not the layout it tries to infect. -action.notable.param.rule_title = Process Deleting Its Process File Path -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=1 CommandLine = "* /c *" CommandLine = "* del*" Image = "*\\cmd.exe" | eval result = if(like(process,"%".parent_process."%"), "Found", "Not Found") | stats min(_time) as firstTime max(_time) as lastTime count by dest user ParentImage ParentCommandLine Image CommandLine EventCode ProcessID result | where result = "Found" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `process_deleting_its_process_file_path_filter` - -[ESCU - Process Execution via WMI - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies `WmiPrvSE.exe` spawning a process. This typically occurs when a process is instantiated from a local or remote process using `wmic.exe`. During triage, review parallel processes for suspicious behavior or commands executed. Review the process and command-line spawning from `wmiprvse.exe`. Contain and remediate the endpoint as necessary. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies `WmiPrvSE.exe` spawning a process. This typically occurs when a process is instantiated from a local or remote process using `wmic.exe`. During triage, review parallel processes for suspicious behavior or commands executed. Review the process and command-line spawning from `wmiprvse.exe`. Contain and remediate the endpoint as necessary. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Although unlikely, administrators may use wmi to execute commands for legitimate purposes. -action.escu.creation_date = 2020-03-16 -action.escu.modification_date = 2020-03-16 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Process Execution via WMI - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Suspicious WMI Use"] -action.risk = 1 -action.risk.param._risk_message = A remote instance execution of wmic.exe by WmiPrvSE.exe detected on host - $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Process Execution via WMI - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious WMI Use"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "24869767-8579-485d-9a4f-d9ddfd8f0cac", "detection_version": "5"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies `WmiPrvSE.exe` spawning a process. This typically occurs when a process is instantiated from a local or remote process using `wmic.exe`. During triage, review parallel processes for suspicious behavior or commands executed. Review the process and command-line spawning from `wmiprvse.exe`. Contain and remediate the endpoint as necessary. -action.notable.param.rule_title = Process Execution via WMI -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=WmiPrvSE.exe NOT (Processes.process IN ("*\\dismhost.exe*")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `process_execution_via_wmi_filter` - -[ESCU - Process Kill Base On File Path - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the use of `wmic.exe` with the `delete` command to remove an executable path. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This activity is significant because it often indicates the initial stages of an adversary setting up malicious activities, such as cryptocurrency mining, on an endpoint. If confirmed malicious, this behavior could allow an attacker to disable security tools or other critical processes, facilitating further compromise and persistence within the environment. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the use of `wmic.exe` with the `delete` command to remove an executable path. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This activity is significant because it often indicates the initial stages of an adversary setting up malicious activities, such as cryptocurrency mining, on an endpoint. If confirmed malicious, this behavior could allow an attacker to disable security tools or other critical processes, facilitating further compromise and persistence within the environment. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Unknown. -action.escu.creation_date = 2024-05-18 -action.escu.modification_date = 2024-05-18 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Process Kill Base On File Path - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["XMRig"] -action.risk = 1 -action.risk.param._risk_message = A process $process_name$ attempt to kill process by its file path using commandline $process$ in host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 56}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Process Kill Base On File Path - Rule -action.correlationsearch.annotations = {"analytic_story": ["XMRig"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "5ffaa42c-acdb-11eb-9ad3-acde48001122", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the use of `wmic.exe` with the `delete` command to remove an executable path. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This activity is significant because it often indicates the initial stages of an adversary setting up malicious activities, such as cryptocurrency mining, on an endpoint. If confirmed malicious, this behavior could allow an attacker to disable security tools or other critical processes, facilitating further compromise and persistence within the environment. -action.notable.param.rule_title = Process Kill Base On File Path -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` AND Processes.process="*process*" AND Processes.process="*executablepath*" AND Processes.process="*delete*" by Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `process_kill_base_on_file_path_filter` - -[ESCU - Process Writing DynamicWrapperX - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = DynamicWrapperX is an ActiveX component that can be used in a script to call Windows API functions, but it requires the dynwrapx.dll to be installed and registered. With that, a binary writing dynwrapx.dll to disk and registering it into the registry is highly suspect. Why is it needed? In most malicious instances, it will be written to disk at a non-standard location. During triage, review parallel processes and pivot on the process_guid. Review the registry for any suspicious modifications meant to load dynwrapx.dll. Identify any suspicious module loads of dynwrapx.dll. This will identify the process that will invoke vbs/wscript/cscript. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1559.001"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = DynamicWrapperX is an ActiveX component that can be used in a script to call Windows API functions, but it requires the dynwrapx.dll to be installed and registered. With that, a binary writing dynwrapx.dll to disk and registering it into the registry is highly suspect. Why is it needed? In most malicious instances, it will be written to disk at a non-standard location. During triage, review parallel processes and pivot on the process_guid. Review the registry for any suspicious modifications meant to load dynwrapx.dll. Identify any suspicious module loads of dynwrapx.dll. This will identify the process that will invoke vbs/wscript/cscript. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -action.escu.known_false_positives = False positives should be limited, however it is possible to filter by Processes.process_name and specific processes (ex. wscript.exe). Filter as needed. This may need modification based on EDR telemetry and how it brings in registry data. For example, removal of (Default). -action.escu.creation_date = 2021-10-05 -action.escu.modification_date = 2021-10-05 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Process Writing DynamicWrapperX - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Remcos"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Process Writing DynamicWrapperX - Rule -action.correlationsearch.annotations = {"analytic_story": ["Remcos"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1559.001"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "b0a078e4-2601-11ec-9aec-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes by _time Processes.process_id Processes.process_name Processes.dest Processes.process_guid Processes.user | `drop_dm_object_name(Processes)` | join process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.file_name="dynwrapx.dll" by _time Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid Filesystem.user | `drop_dm_object_name(Filesystem)` | fields _time process_guid file_path file_name file_create_time user dest process_name] | stats count min(_time) as firstTime max(_time) as lastTime by dest process_name process_guid file_name file_path file_create_time user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `process_writing_dynamicwrapperx_filter` - -[ESCU - Processes launching netsh - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search looks for processes launching netsh.exe. Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed. In this search, we are looking for processes spawned by netsh.exe and executing commands via the command line. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.004", "T1562"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search looks for processes launching netsh.exe. Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed. In this search, we are looking for processes spawned by netsh.exe and executing commands via the command line. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Some VPN applications are known to launch netsh.exe. Outside of these instances, it is unusual for an executable to launch netsh.exe and run commands. -action.escu.creation_date = 2021-09-16 -action.escu.modification_date = 2021-09-16 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Processes launching netsh - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Azorult", "DHS Report TA18-074A", "Disabling Security Tools", "Netsh Abuse", "Snake Keylogger", "Volt Typhoon"] -action.risk = 1 -action.risk.param._risk_message = A process $process_name$ has launched netsh with command-line $process$ on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 14}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 14}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Processes launching netsh - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azorult", "DHS Report TA18-074A", "Disabling Security Tools", "Netsh Abuse", "Snake Keylogger", "Volt Typhoon"], "cis20": ["CIS 10"], "confidence": 70, "impact": 20, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.004", "T1562"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "b89919ed-fe5f-492c-b139-95dbb162040e", "detection_version": "4"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count values(Processes.process) AS Processes.process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh` by Processes.parent_process_name Processes.parent_process Processes.original_file_name Processes.process_name Processes.user Processes.dest |`drop_dm_object_name("Processes")` |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` |`processes_launching_netsh_filter` - -[ESCU - Processes Tapping Keyboard Events - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search looks for processes in an MacOS system that is tapping keyboard events in MacOS, and essentially monitoring all keystrokes made by a user. This is a common technique used by RATs to log keystrokes from a victim, although it can also be used by legitimate processes like Siri to react on human input -action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This search looks for processes in an MacOS system that is tapping keyboard events in MacOS, and essentially monitoring all keystrokes made by a user. This is a common technique used by RATs to log keystrokes from a victim, although it can also be used by legitimate processes like Siri to react on human input -action.escu.how_to_implement = In order to properly run this search, Splunk needs to ingest data from your osquery deployed agents with the [osx-attacks.conf](https://github.com/facebook/osquery/blob/experimental/packs/osx-attacks.conf#L599) pack enabled. Also the [TA-OSquery](https://github.com/d1vious/TA-osquery) must be deployed across your indexers and universal forwarders in order to have the osquery data populate the Alerts data model. -action.escu.known_false_positives = There might be some false positives as keyboard event taps are used by processes like Siri and Zoom video chat, for some good examples of processes to exclude please see [this](https://github.com/facebook/osquery/pull/5345#issuecomment-454639161) comment. -action.escu.creation_date = 2019-01-25 -action.escu.modification_date = 2019-01-25 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Processes Tapping Keyboard Events - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["ColdRoot MacOS RAT"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Processes Tapping Keyboard Events - Rule -action.correlationsearch.annotations = {"analytic_story": ["ColdRoot MacOS RAT"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "2a371608-331d-4034-ae2c-21dda8f1d0ec", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search looks for processes in an MacOS system that is tapping keyboard events in MacOS, and essentially monitoring all keystrokes made by a user. This is a common technique used by RATs to log keystrokes from a victim, although it can also be used by legitimate processes like Siri to react on human input -action.notable.param.rule_title = Processes Tapping Keyboard Events -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | from datamodel Alerts.Alerts | search app=osquery:results name=pack_osx-attacks_Keyboard_Event_Taps | rename columns.cmdline as cmd, columns.name as process_name, columns.pid as process_id| dedup host,process_name | table host,process_name, cmd, process_id | `processes_tapping_keyboard_events_filter` - -[ESCU - Randomly Generated Scheduled Task Name - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following hunting analytic leverages Event ID 4698, `A scheduled task was created`, to identify the creation of a Scheduled Task with a suspicious, high entropy, Task Name. To achieve this, this analytic also leverages the `ut_shannon` function from the URL ToolBox Splunk application. Red teams and adversaries alike may abuse the Task Scheduler to create and start a remote Scheduled Task and obtain remote code execution. To achieve this goal, tools like Impacket or Crapmapexec, typically create a Scheduled Task with a random task name on the victim host. This hunting analytic may help defenders identify Scheduled Tasks created as part of a lateral movement attack. The entropy threshold `ut_shannon > 3` should be customized by users. The Command field can be used to determine if the task has malicious intent or not. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053", "T1053.005"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following hunting analytic leverages Event ID 4698, `A scheduled task was created`, to identify the creation of a Scheduled Task with a suspicious, high entropy, Task Name. To achieve this, this analytic also leverages the `ut_shannon` function from the URL ToolBox Splunk application. Red teams and adversaries alike may abuse the Task Scheduler to create and start a remote Scheduled Task and obtain remote code execution. To achieve this goal, tools like Impacket or Crapmapexec, typically create a Scheduled Task with a random task name on the victim host. This hunting analytic may help defenders identify Scheduled Tasks created as part of a lateral movement attack. The entropy threshold `ut_shannon > 3` should be customized by users. The Command field can be used to determine if the task has malicious intent or not. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA as well as the URL ToolBox application are also required. -action.escu.known_false_positives = Legitimate applications may use random Scheduled Task names. -action.escu.creation_date = 2021-11-29 -action.escu.modification_date = 2021-11-29 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Randomly Generated Scheduled Task Name - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Lateral Movement", "CISA AA22-257A", "Scheduled Tasks"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Randomly Generated Scheduled Task Name - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "CISA AA22-257A", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 50, "impact": 90, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053", "T1053.005"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "9d22a780-5165-11ec-ad4f-3e22fbd008af", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4698 | xmlkv Message | lookup ut_shannon_lookup word as Task_Name | where ut_shannon > 3 | table _time, dest, Task_Name, ut_shannon, Command, Author, Enabled, Hidden | `randomly_generated_scheduled_task_name_filter` - -[ESCU - Randomly Generated Windows Service Name - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following hunting analytic leverages Event ID 7045, `A new service was installed in the system`, to identify the installation of a Windows Service with a suspicious, high entropy, Service Name. To achieve this, this analytic also leverages the `ut_shannon` function from the URL ToolBox Splunk application. Red teams and adversaries alike may abuse the Service Control Manager to create and start a remote Windows Service and obtain remote code execution. To achieve this goal, some tools like Metasploit, Cobalt Strike and Impacket, typically create a Windows Service with a random service name on the victim host. This hunting analytic may help defenders identify Windows Services installed as part of a lateral movement attack. The entropy threshold `ut_shannon > 3` should be customized by users. The Service_File_Name field can be used to determine if the Windows Service has malicious intent or not. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1543", "T1543.003"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following hunting analytic leverages Event ID 7045, `A new service was installed in the system`, to identify the installation of a Windows Service with a suspicious, high entropy, Service Name. To achieve this, this analytic also leverages the `ut_shannon` function from the URL ToolBox Splunk application. Red teams and adversaries alike may abuse the Service Control Manager to create and start a remote Windows Service and obtain remote code execution. To achieve this goal, some tools like Metasploit, Cobalt Strike and Impacket, typically create a Windows Service with a random service name on the victim host. This hunting analytic may help defenders identify Windows Services installed as part of a lateral movement attack. The entropy threshold `ut_shannon > 3` should be customized by users. The Service_File_Name field can be used to determine if the Windows Service has malicious intent or not. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints. The Windows TA as well as the URL ToolBox application are also required. -action.escu.known_false_positives = Legitimate applications may use random Windows Service names. -action.escu.creation_date = 2021-11-29 -action.escu.modification_date = 2021-11-29 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Randomly Generated Windows Service Name - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Active Directory Lateral Movement"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Randomly Generated Windows Service Name - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 50, "impact": 90, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1543", "T1543.003"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "2032a95a-5165-11ec-a2c3-3e22fbd008af", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_system` EventCode=7045 | lookup ut_shannon_lookup word as Service_Name | where ut_shannon > 3 | table EventCode ComputerName Service_Name ut_shannon Service_Start_Type Service_Type Service_File_Name | `randomly_generated_windows_service_name_filter` - -[ESCU - Ransomware Notes bulk creation - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytics identifies a big number of instance of ransomware notes (filetype e.g .txt, .html, .hta) file creation to the infected machine. This behavior is a good sensor if the ransomware note filename is quite new for security industry or the ransomware note filename is not in your ransomware lookup table list for monitoring. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1486"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytics identifies a big number of instance of ransomware notes (filetype e.g .txt, .html, .hta) file creation to the infected machine. This behavior is a good sensor if the ransomware note filename is quite new for security industry or the ransomware note filename is not in your ransomware lookup table list for monitoring. -action.escu.how_to_implement = You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2021-03-12 -action.escu.modification_date = 2021-03-12 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Ransomware Notes bulk creation - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["BlackMatter Ransomware", "Chaos Ransomware", "Clop Ransomware", "DarkSide Ransomware", "LockBit Ransomware", "Rhysida Ransomware"] -action.risk = 1 -action.risk.param._risk_message = A high frequency file creation of $file_name$ in different file path in host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 81}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Ransomware Notes bulk creation - Rule -action.correlationsearch.annotations = {"analytic_story": ["BlackMatter Ransomware", "Chaos Ransomware", "Clop Ransomware", "DarkSide Ransomware", "LockBit Ransomware", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1486"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "eff7919a-8330-11eb-83f8-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=11 file_name IN ("*\.txt","*\.html","*\.hta") |bin _time span=10s | stats min(_time) as firstTime max(_time) as lastTime dc(TargetFilename) as unique_readme_path_count values(TargetFilename) as list_of_readme_path by Computer Image file_name | rename Computer as dest | where unique_readme_path_count >= 15 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ransomware_notes_bulk_creation_filter` - -[ESCU - Recon AVProduct Through Pwh or WMI - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies suspicious PowerShell script execution via EventCode 4104 performing checks to identify anti-virus products installed on the endpoint. This technique is commonly found in malware and APT events where the adversary will map all running security applications or services. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Reconnaissance"], "mitre_attack": ["T1592"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies suspicious PowerShell script execution via EventCode 4104 performing checks to identify anti-virus products installed on the endpoint. This technique is commonly found in malware and APT events where the adversary will map all running security applications or services. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = network administrator may used this command for checking purposes -action.escu.creation_date = 2023-04-14 -action.escu.modification_date = 2023-04-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Recon AVProduct Through Pwh or WMI - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Data Destruction", "Hermetic Wiper", "Malicious PowerShell", "Prestige Ransomware", "Qakbot", "Ransomware", "Windows Post-Exploitation"] -action.risk = 1 -action.risk.param._risk_message = A suspicious powershell script contains AV recon command on host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 56}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Recon AVProduct Through Pwh or WMI - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Malicious PowerShell", "Prestige Ransomware", "Qakbot", "Ransomware", "Windows Post-Exploitation"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Reconnaissance"], "mitre_attack": ["T1592"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "28077620-c9f6-11eb-8785-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies suspicious PowerShell script execution via EventCode 4104 performing checks to identify anti-virus products installed on the endpoint. This technique is commonly found in malware and APT events where the adversary will map all running security applications or services. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts. -action.notable.param.rule_title = Recon AVProduct Through Pwh or WMI -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 (ScriptBlockText = "*SELECT*" OR ScriptBlockText = "*WMIC*") AND (ScriptBlockText = "*AntiVirusProduct*" OR ScriptBlockText = "*AntiSpywareProduct*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `recon_avproduct_through_pwh_or_wmi_filter` - -[ESCU - Recon Using WMI Class - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies suspicious PowerShell via EventCode 4104, where WMI is performing an event query looking for running processes or running services. This technique is commonly found where the adversary will identify services and system information on the compromised machine. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Reconnaissance"], "mitre_attack": ["T1592", "T1059.001"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies suspicious PowerShell via EventCode 4104, where WMI is performing an event query looking for running processes or running services. This technique is commonly found where the adversary will identify services and system information on the compromised machine. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = network administrator may used this command for checking purposes -action.escu.creation_date = 2023-11-07 -action.escu.modification_date = 2023-11-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Recon Using WMI Class - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["AsyncRAT", "Data Destruction", "Hermetic Wiper", "Industroyer2", "LockBit Ransomware", "Malicious PowerShell", "Qakbot"] -action.risk = 1 -action.risk.param._risk_message = A suspicious powershell script contains host recon commands detected on host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 60}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 60}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Recon Using WMI Class - Rule -action.correlationsearch.annotations = {"analytic_story": ["AsyncRAT", "Data Destruction", "Hermetic Wiper", "Industroyer2", "LockBit Ransomware", "Malicious PowerShell", "Qakbot"], "cis20": ["CIS 10"], "confidence": 80, "impact": 75, "kill_chain_phases": ["Installation", "Reconnaissance"], "mitre_attack": ["T1592", "T1059.001"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "018c1972-ca07-11eb-9473-acde48001122", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 (ScriptBlockText= "*SELECT*" OR ScriptBlockText= "*Get-WmiObject*") AND (ScriptBlockText= "*Win32_Bios*" OR ScriptBlockText= "*Win32_OperatingSystem*" OR ScriptBlockText= "*Win32_Processor*" OR ScriptBlockText= "*Win32_ComputerSystem*" OR ScriptBlockText= "*Win32_PnPEntity*" OR ScriptBlockText= "*Win32_ShadowCopy*" OR ScriptBlockText= "*Win32_DiskDrive*" OR ScriptBlockText= "*Win32_PhysicalMemory*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `recon_using_wmi_class_filter` - -[ESCU - Recursive Delete of Directory In Batch CMD - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search is to detect a suspicious commandline designed to delete files or directory recursive using batch command. This technique was seen in ransomware (reddot) where it it tries to delete the files in recycle bin to impaire user from recovering deleted files. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070.004", "T1070"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search is to detect a suspicious commandline designed to delete files or directory recursive using batch command. This technique was seen in ransomware (reddot) where it it tries to delete the files in recycle bin to impaire user from recovering deleted files. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = network operator may use this batch command to delete recursively a directory or files within directory -action.escu.creation_date = 2022-11-12 -action.escu.modification_date = 2022-11-12 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Recursive Delete of Directory In Batch CMD - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Ransomware"] -action.risk = 1 -action.risk.param._risk_message = Recursive Delete of Directory In Batch CMD by $user$ on $dest$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Recursive Delete of Directory In Batch CMD - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070.004", "T1070"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "ba570b3a-d356-11eb-8358-acde48001122", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search is to detect a suspicious commandline designed to delete files or directory recursive using batch command. This technique was seen in ransomware (reddot) where it it tries to delete the files in recycle bin to impaire user from recovering deleted files. -action.notable.param.rule_title = Recursive Delete of Directory In Batch CMD -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` Processes.process=*/c* Processes.process="* rd *" Processes.process="*/s*" Processes.process="*/q*" by Processes.user Processes.process_name Processes.parent_process_name Processes.parent_process Processes.process Processes.process_id Processes.dest |`drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `recursive_delete_of_directory_in_batch_cmd_filter` - -[ESCU - Reg exe Manipulating Windows Services Registry Keys - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the use of reg.exe to modify registry keys associated with Windows services and their configurations. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This activity is significant because unauthorized changes to service registry keys can indicate an attempt to establish persistence or escalate privileges. If confirmed malicious, this could allow an attacker to control service behavior, potentially leading to unauthorized code execution or system compromise. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.011", "T1574"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the use of reg.exe to modify registry keys associated with Windows services and their configurations. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This activity is significant because unauthorized changes to service registry keys can indicate an attempt to establish persistence or escalate privileges. If confirmed malicious, this could allow an attacker to control service behavior, potentially leading to unauthorized code execution or system compromise. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = It is unusual for a service to be created or modified by directly manipulating the registry. However, there may be legitimate instances of this behavior. It is important to validate and investigate, as appropriate. -action.escu.creation_date = 2024-05-17 -action.escu.modification_date = 2024-05-17 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Reg exe Manipulating Windows Services Registry Keys - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Living Off The Land", "Windows Persistence Techniques", "Windows Service Abuse"] -action.risk = 1 -action.risk.param._risk_message = A reg.exe process $process_name$ with commandline $process$ in host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 45}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 45}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Reg exe Manipulating Windows Services Registry Keys - Rule -action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land", "Windows Persistence Techniques", "Windows Service Abuse"], "cis20": ["CIS 10"], "confidence": 60, "impact": 75, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.011", "T1574"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "8470d755-0c13-45b3-bd63-387a373c10cf", "detection_version": "6"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the use of reg.exe to modify registry keys associated with Windows services and their configurations. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This activity is significant because unauthorized changes to service registry keys can indicate an attempt to establish persistence or escalate privileges. If confirmed malicious, this could allow an attacker to control service behavior, potentially leading to unauthorized code execution or system compromise. -action.notable.param.rule_title = Reg exe Manipulating Windows Services Registry Keys -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process_name) as process_name values(Processes.parent_process_name) as parent_process_name values(Processes.user) as user FROM datamodel=Endpoint.Processes where Processes.process_name=reg.exe Processes.process=*reg* Processes.process=*add* Processes.process=*Services* by Processes.process_id Processes.dest Processes.process | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `reg_exe_manipulating_windows_services_registry_keys_filter` - -[ESCU - Registry Keys for Creating SHIM Databases - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects registry activity related to the creation of application compatibility shims. It leverages data from the Endpoint.Registry data model, specifically monitoring registry paths associated with AppCompatFlags. This activity is significant because attackers can use shims to bypass security controls, achieve persistence, or escalate privileges. If confirmed malicious, this could allow an attacker to maintain long-term access, execute arbitrary code, or manipulate application behavior, posing a severe risk to the integrity and security of the affected systems. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1546.011", "T1546"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects registry activity related to the creation of application compatibility shims. It leverages data from the Endpoint.Registry data model, specifically monitoring registry paths associated with AppCompatFlags. This activity is significant because attackers can use shims to bypass security controls, achieve persistence, or escalate privileges. If confirmed malicious, this could allow an attacker to maintain long-term access, execute arbitrary code, or manipulate application behavior, posing a severe risk to the integrity and security of the affected systems. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -action.escu.known_false_positives = There are many legitimate applications that leverage shim databases for compatibility purposes for legacy applications -action.escu.creation_date = 2024-05-17 -action.escu.modification_date = 2024-05-17 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Registry Keys for Creating SHIM Databases - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Suspicious Windows Registry Activities", "Windows Persistence Techniques", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = A registry activity in $registry_path$ related to shim modication in host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 56}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Registry Keys for Creating SHIM Databases - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious Windows Registry Activities", "Windows Persistence Techniques", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1546.011", "T1546"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "f5f6af30-7aa7-4295-bfe9-07fe87c01bbb", "detection_version": "7"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects registry activity related to the creation of application compatibility shims. It leverages data from the Endpoint.Registry data model, specifically monitoring registry paths associated with AppCompatFlags. This activity is significant because attackers can use shims to bypass security controls, achieve persistence, or escalate privileges. If confirmed malicious, this could allow an attacker to maintain long-term access, execute arbitrary code, or manipulate application behavior, posing a severe risk to the integrity and security of the affected systems. -action.notable.param.rule_title = Registry Keys for Creating SHIM Databases -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=*CurrentVersion\\AppCompatFlags\\Custom* OR Registry.registry_path=*CurrentVersion\\AppCompatFlags\\InstalledSDB*) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `registry_keys_for_creating_shim_databases_filter` - -[ESCU - Registry Keys Used For Persistence - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The search looks for modifications or alterations made to registry keys that have the potential to initiate the launch of an application or service during system startup. By monitoring and detecting modifications in these registry keys, we can identify suspicious or unauthorized changes that could be indicative of malicious activity. This proactive approach helps in safeguarding the system's integrity and security by promptly identifying and mitigating potential threats that aim to gain persistence or execute malicious actions during the startup process. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1547.001", "T1547"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The search looks for modifications or alterations made to registry keys that have the potential to initiate the launch of an application or service during system startup. By monitoring and detecting modifications in these registry keys, we can identify suspicious or unauthorized changes that could be indicative of malicious activity. This proactive approach helps in safeguarding the system's integrity and security by promptly identifying and mitigating potential threats that aim to gain persistence or execute malicious actions during the startup process. -action.escu.how_to_implement = To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry. -action.escu.known_false_positives = There are many legitimate applications that must execute on system startup and will use these registry keys to accomplish that task. -action.escu.creation_date = 2023-12-27 -action.escu.modification_date = 2023-12-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Registry Keys Used For Persistence - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Amadey", "AsyncRAT", "Azorult", "BlackByte Ransomware", "CISA AA23-347A", "Chaos Ransomware", "DHS Report TA18-074A", "DarkGate Malware", "Emotet Malware DHS Report TA18-201A", "IcedID", "NjRAT", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Qakbot", "Ransomware", "RedLine Stealer", "Remcos", "Snake Keylogger", "Sneaky Active Directory Persistence Tricks", "Suspicious MSHTA Activity", "Suspicious Windows Registry Activities", "Warzone RAT", "Windows Persistence Techniques", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = A registry activity in $registry_path$ related to persistence in host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 76}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 76}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Registry Keys Used For Persistence - Rule -action.correlationsearch.annotations = {"analytic_story": ["Amadey", "AsyncRAT", "Azorult", "BlackByte Ransomware", "CISA AA23-347A", "Chaos Ransomware", "DHS Report TA18-074A", "DarkGate Malware", "Emotet Malware DHS Report TA18-201A", "IcedID", "NjRAT", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Qakbot", "Ransomware", "RedLine Stealer", "Remcos", "Snake Keylogger", "Sneaky Active Directory Persistence Tricks", "Suspicious MSHTA Activity", "Suspicious Windows Registry Activities", "Warzone RAT", "Windows Persistence Techniques", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 95, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1547.001", "T1547"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "f5f6af30-7aa7-4295-bfe9-07fe87c01a4b", "detection_version": "9"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The search looks for modifications or alterations made to registry keys that have the potential to initiate the launch of an application or service during system startup. By monitoring and detecting modifications in these registry keys, we can identify suspicious or unauthorized changes that could be indicative of malicious activity. This proactive approach helps in safeguarding the system's integrity and security by promptly identifying and mitigating potential threats that aim to gain persistence or execute malicious actions during the startup process. -action.notable.param.rule_title = Registry Keys Used For Persistence -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path=*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce OR Registry.registry_path=*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run OR Registry.registry_path= "*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\*" OR Registry.registry_path= "*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\*" OR Registry.registry_path=*\\currentversion\\run* OR Registry.registry_path=*\\currentVersion\\Windows\\Appinit_Dlls* OR Registry.registry_path=*\\CurrentVersion\\Winlogon\\Shell* OR Registry.registry_path=*\\CurrentVersion\\Winlogon\\Notify* OR Registry.registry_path=*\\CurrentVersion\\Winlogon\\Userinit* OR Registry.registry_path=*\\CurrentVersion\\Winlogon\\VmApplet* OR Registry.registry_path=*\\currentversion\\policies\\explorer\\run* OR Registry.registry_path=*\\currentversion\\runservices* OR Registry.registry_path=HKLM\\SOFTWARE\\Microsoft\\Netsh\\* OR Registry.registry_path= "*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Common Startup" OR Registry.registry_path= *\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SharedTaskScheduler OR Registry.registry_path= *\\Classes\\htmlfile\\shell\\open\\command OR (Registry.registry_path="*Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options*" AND Registry.registry_key_name=Debugger) OR (Registry.registry_path="*\\CurrentControlSet\\Control\\Lsa" AND Registry.registry_key_name="Security Packages") OR (Registry.registry_path="*\\CurrentControlSet\\Control\\Lsa\\OSConfig" AND Registry.registry_key_name="Security Packages") OR (Registry.registry_path="*\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*") OR (Registry.registry_path="*currentVersion\\Windows" AND Registry.registry_key_name="Load") OR (Registry.registry_path="*\\CurrentVersion" AND Registry.registry_key_name="Svchost") OR (Registry.registry_path="*\\CurrentControlSet\Control\Session Manager"AND Registry.registry_key_name="BootExecute") OR (Registry.registry_path="*\\Software\\Run" AND Registry.registry_key_name="auto_update")) by Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `registry_keys_used_for_persistence_filter` - -[ESCU - Registry Keys Used For Privilege Escalation - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search looks for modifications to registry keys that can be used to elevate privileges. The registry keys under "Image File Execution Options" are used to intercept calls to an executable and can be used to attach malicious binaries to benign system binaries. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1546.012", "T1546"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search looks for modifications to registry keys that can be used to elevate privileges. The registry keys under "Image File Execution Options" are used to intercept calls to an executable and can be used to attach malicious binaries to benign system binaries. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -action.escu.known_false_positives = There are many legitimate applications that must execute upon system startup and will use these registry keys to accomplish that task. -action.escu.creation_date = 2023-04-27 -action.escu.modification_date = 2023-04-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Registry Keys Used For Privilege Escalation - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Cloud Federated Credential Abuse", "Data Destruction", "Hermetic Wiper", "Suspicious Windows Registry Activities", "Windows Privilege Escalation", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = A registry activity in $registry_path$ related to privilege escalation in host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 76}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 76}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Registry Keys Used For Privilege Escalation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Cloud Federated Credential Abuse", "Data Destruction", "Hermetic Wiper", "Suspicious Windows Registry Activities", "Windows Privilege Escalation", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 95, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1546.012", "T1546"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c9f4b923-f8af-4155-b697-1354f5bcbc5e", "detection_version": "7"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search looks for modifications to registry keys that can be used to elevate privileges. The registry keys under "Image File Execution Options" are used to intercept calls to an executable and can be used to attach malicious binaries to benign system binaries. -action.notable.param.rule_title = Registry Keys Used For Privilege Escalation -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE ((Registry.registry_path="*Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options*") AND (Registry.registry_value_name=GlobalFlag OR Registry.registry_value_name=Debugger)) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `registry_keys_used_for_privilege_escalation_filter` - -[ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is to detect a loading of dll using regsvr32 application with silent parameter and dllinstall execution. This technique was seen in several RAT malware similar to remcos, njrat and adversaries to load their malicious DLL on the compromised machine. This TTP may executed by normal 3rd party application so it is better to pivot by the parent process, parent command-line and command-line of the file that execute this regsvr32. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.010"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is to detect a loading of dll using regsvr32 application with silent parameter and dllinstall execution. This technique was seen in several RAT malware similar to remcos, njrat and adversaries to load their malicious DLL on the compromised machine. This TTP may executed by normal 3rd party application so it is better to pivot by the parent process, parent command-line and command-line of the file that execute this regsvr32. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Other third part application may used this parameter but not so common in base windows environment. -action.escu.creation_date = 2023-04-14 -action.escu.modification_date = 2023-04-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["AsyncRAT", "Data Destruction", "Hermetic Wiper", "Living Off The Land", "Remcos", "Suspicious Regsvr32 Activity"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to load a DLL using the silent and dllinstall parameter. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 36}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 36}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 36}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 36}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule -action.correlationsearch.annotations = {"analytic_story": ["AsyncRAT", "Data Destruction", "Hermetic Wiper", "Living Off The Land", "Remcos", "Suspicious Regsvr32 Activity"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.010"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "f421c250-24e7-11ec-bc43-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_regsvr32` AND Processes.process="*/i*" by Processes.dest Processes.parent_process Processes.process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where match(process,"(?i)[\-|\/][Ss]{1}") | `regsvr32_silent_and_install_param_dll_loading_filter` - -[ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies Regsvr32.exe utilizing the silent switch to load DLLs. This technique has most recently been seen in IcedID campaigns to load its initial dll that will download the 2nd stage loader that will download and decrypt the config payload. The switch type may be either a hyphen `-` or forward slash `/`. This behavior is typically found with `-s`, and it is possible there are more switch types that may be used. \ During triage, review parallel processes and capture any artifacts that may have landed on disk. Isolate and contain the endpoint as necessary. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.010"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies Regsvr32.exe utilizing the silent switch to load DLLs. This technique has most recently been seen in IcedID campaigns to load its initial dll that will download the 2nd stage loader that will download and decrypt the config payload. The switch type may be either a hyphen `-` or forward slash `/`. This behavior is typically found with `-s`, and it is possible there are more switch types that may be used. \ During triage, review parallel processes and capture any artifacts that may have landed on disk. Isolate and contain the endpoint as necessary. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = minimal. but network operator can use this application to load dll. -action.escu.creation_date = 2021-07-27 -action.escu.modification_date = 2021-07-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["AsyncRAT", "IcedID", "Living Off The Land", "Qakbot", "Remcos", "Suspicious Regsvr32 Activity"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to load a DLL using the silent parameter. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 56}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 56}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 56}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule -action.correlationsearch.annotations = {"analytic_story": ["AsyncRAT", "IcedID", "Living Off The Land", "Qakbot", "Remcos", "Suspicious Regsvr32 Activity"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.010"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c9ef7dc4-eeaf-11eb-b2b6-acde48001122", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_regsvr32` by Processes.user Processes.process_name Processes.process Processes.parent_process_name Processes.original_file_name Processes.dest Processes.process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where match(process,"(?i)[\-|\/][Ss]{1}") | `regsvr32_with_known_silent_switch_cmdline_filter` - -[ESCU - Remcos client registry install entry - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the presence of a registry key related to the Remcos RAT agent on a host. This detection is made by a Splunk query to search for instances where the registry key "license" is found in the "Software\Remcos" path. This analytic combines information from two data models: Endpoint.Processes and Endpoint.Registry and retrieves process information such as user, process ID, process name, process path, destination, parent process name, parent process, and process GUID. This analytic also retrieves registry information such as registry path, registry key name, registry value name, registry value data, and process GUID. By joining the process GUID from the Endpoint.Processes data model with the process GUID from the Endpoint.Registry data model, the analytic identifies instances where the "license" registry key is found in the "Software\Remcos" path. This detection is important because it suggests that the host has been compromised by the Remcos RAT agent. Remcos is a well-known remote access Trojan that can be used by attackers to gain unauthorized access to systems and exfiltrate sensitive data. Identifying this behavior allows the SOC to take immediate action to remove the RAT agent and prevent further compromise. The impact of this attack can be severe, as the attacker can gain unauthorized access to the system, steal sensitive information, or use the compromised system as a launching point for further attacks. Next steps include using this analytic in conjunction with other security measures and threat intelligence to ensure accurate detection and response. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the presence of a registry key related to the Remcos RAT agent on a host. This detection is made by a Splunk query to search for instances where the registry key "license" is found in the "Software\Remcos" path. This analytic combines information from two data models: Endpoint.Processes and Endpoint.Registry and retrieves process information such as user, process ID, process name, process path, destination, parent process name, parent process, and process GUID. This analytic also retrieves registry information such as registry path, registry key name, registry value name, registry value data, and process GUID. By joining the process GUID from the Endpoint.Processes data model with the process GUID from the Endpoint.Registry data model, the analytic identifies instances where the "license" registry key is found in the "Software\Remcos" path. This detection is important because it suggests that the host has been compromised by the Remcos RAT agent. Remcos is a well-known remote access Trojan that can be used by attackers to gain unauthorized access to systems and exfiltrate sensitive data. Identifying this behavior allows the SOC to take immediate action to remove the RAT agent and prevent further compromise. The impact of this attack can be severe, as the attacker can gain unauthorized access to the system, steal sensitive information, or use the compromised system as a launching point for further attacks. Next steps include using this analytic in conjunction with other security measures and threat intelligence to ensure accurate detection and response. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2022-11-14 -action.escu.modification_date = 2022-11-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Remcos client registry install entry - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Remcos", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = A registry entry $registry_path$ with registry keyname $registry_key_name$ related to Remcos RAT in host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 90}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Remcos client registry install entry - Rule -action.correlationsearch.annotations = {"analytic_story": ["Remcos", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "f2a1615a-1d63-11ec-97d2-acde48001122", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the presence of a registry key related to the Remcos RAT agent on a host. This detection is made by a Splunk query to search for instances where the registry key "license" is found in the "Software\Remcos" path. This analytic combines information from two data models: Endpoint.Processes and Endpoint.Registry and retrieves process information such as user, process ID, process name, process path, destination, parent process name, parent process, and process GUID. This analytic also retrieves registry information such as registry path, registry key name, registry value name, registry value data, and process GUID. By joining the process GUID from the Endpoint.Processes data model with the process GUID from the Endpoint.Registry data model, the analytic identifies instances where the "license" registry key is found in the "Software\Remcos" path. This detection is important because it suggests that the host has been compromised by the Remcos RAT agent. Remcos is a well-known remote access Trojan that can be used by attackers to gain unauthorized access to systems and exfiltrate sensitive data. Identifying this behavior allows the SOC to take immediate action to remove the RAT agent and prevent further compromise. The impact of this attack can be severe, as the attacker can gain unauthorized access to the system, steal sensitive information, or use the compromised system as a launching point for further attacks. Next steps include using this analytic in conjunction with other security measures and threat intelligence to ensure accurate detection and response. -action.notable.param.rule_title = Remcos client registry install entry -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_key_name=*\\Software\\Remcos*) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`remcos_client_registry_install_entry_filter` - -[ESCU - Remcos RAT File Creation in Remcos Folder - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search is to detect file creation in remcos folder in appdata which is the keylog and clipboard logs that will be send to its c2 server. This is really a good TTP indicator that there is a remcos rat in the system that do keylogging, clipboard grabbing and audio recording. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1113"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search is to detect file creation in remcos folder in appdata which is the keylog and clipboard logs that will be send to its c2 server. This is really a good TTP indicator that there is a remcos rat in the system that do keylogging, clipboard grabbing and audio recording. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2021-09-21 -action.escu.modification_date = 2021-09-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Remcos RAT File Creation in Remcos Folder - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Remcos"] -action.risk = 1 -action.risk.param._risk_message = file $file_name$ created in $file_path$ of $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 100}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Remcos RAT File Creation in Remcos Folder - Rule -action.correlationsearch.annotations = {"analytic_story": ["Remcos"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1113"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "25ae862a-1ac3-11ec-94a1-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search is to detect file creation in remcos folder in appdata which is the keylog and clipboard logs that will be send to its c2 server. This is really a good TTP indicator that there is a remcos rat in the system that do keylogging, clipboard grabbing and audio recording. -action.notable.param.rule_title = Remcos RAT File Creation in Remcos Folder -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = |tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*.dat") Filesystem.file_path = "*\\remcos\\*" by _time Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.file_create_time | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remcos_rat_file_creation_in_remcos_folder_filter` - -[ESCU - Remote Desktop Process Running On System - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search looks for the remote desktop process mstsc.exe running on systems upon which it doesn't typically run. This is accomplished by filtering out all systems that are noted in the `common_rdp_source category` in the Assets and Identity framework. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search looks for the remote desktop process mstsc.exe running on systems upon which it doesn't typically run. This is accomplished by filtering out all systems that are noted in the `common_rdp_source category` in the Assets and Identity framework. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Remote Desktop may be used legitimately by users on the network. -action.escu.creation_date = 2020-07-21 -action.escu.modification_date = 2020-07-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Remote Desktop Process Running On System - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Lateral Movement", "Hidden Cobra Malware"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Remote Desktop Process Running On System - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "Hidden Cobra Malware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "f5939373-8054-40ad-8c64-cec478a22a4a", "detection_version": "5"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=*mstsc.exe AND Processes.dest_category!=common_rdp_source by Processes.dest Processes.user Processes.process | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `remote_desktop_process_running_on_system_filter` - -[ESCU - Remote Process Instantiation via DCOM and PowerShell - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic looks for the execution of `powershell.exe` with arguments utilized to start a process on a remote endpoint by abusing the DCOM protocol. Specifically, this search looks for the abuse of ShellExecute and ExecuteShellCommand. Red Teams and adversaries alike may abuse DCOM and `powershell.exe` for lateral movement and remote code execution. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.003"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for the execution of `powershell.exe` with arguments utilized to start a process on a remote endpoint by abusing the DCOM protocol. Specifically, this search looks for the abuse of ShellExecute and ExecuteShellCommand. Red Teams and adversaries alike may abuse DCOM and `powershell.exe` for lateral movement and remote code execution. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators may leverage DCOM to start a process on remote systems, but this activity is usually limited to a small set of hosts or users. -action.escu.creation_date = 2021-11-15 -action.escu.modification_date = 2021-11-15 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Remote Process Instantiation via DCOM and PowerShell - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Lateral Movement"] -action.risk = 1 -action.risk.param._risk_message = A process was started on a remote endpoint from $dest by abusing DCOM using PowerShell.exe -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Remote Process Instantiation via DCOM and PowerShell - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "d4f42098-4680-11ec-ad07-3e22fbd008af", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic looks for the execution of `powershell.exe` with arguments utilized to start a process on a remote endpoint by abusing the DCOM protocol. Specifically, this search looks for the abuse of ShellExecute and ExecuteShellCommand. Red Teams and adversaries alike may abuse DCOM and `powershell.exe` for lateral movement and remote code execution. -action.notable.param.rule_title = Remote Process Instantiation via DCOM and PowerShell -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` (Processes.process="*Document.ActiveView.ExecuteShellCommand*" OR Processes.process="*Document.Application.ShellExecute*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `remote_process_instantiation_via_dcom_and_powershell_filter` - -[ESCU - Remote Process Instantiation via DCOM and PowerShell Script Block - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of PowerShell with arguments utilized to start a process on a remote endpoint by abusing the DCOM protocol. Specifically, this search looks for the abuse of ShellExecute and ExecuteShellCommand. Red Teams and adversaries alike may abuse DCOM for lateral movement and remote code execution. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.003"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of PowerShell with arguments utilized to start a process on a remote endpoint by abusing the DCOM protocol. Specifically, this search looks for the abuse of ShellExecute and ExecuteShellCommand. Red Teams and adversaries alike may abuse DCOM for lateral movement and remote code execution. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup instructions can be found https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = Administrators may leverage DCOM to start a process on remote systems, but this activity is usually limited to a small set of hosts or users. -action.escu.creation_date = 2022-03-22 -action.escu.modification_date = 2022-03-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Remote Process Instantiation via DCOM and PowerShell Script Block - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Lateral Movement"] -action.risk = 1 -action.risk.param._risk_message = A process was started on a remote endpoint from $Computer$ by abusing WMI using PowerShell.exe -action.risk.param._risk = [{"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 63}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Remote Process Instantiation via DCOM and PowerShell Script Block - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "fa1c3040-4680-11ec-a618-3e22fbd008af", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of PowerShell with arguments utilized to start a process on a remote endpoint by abusing the DCOM protocol. Specifically, this search looks for the abuse of ShellExecute and ExecuteShellCommand. Red Teams and adversaries alike may abuse DCOM for lateral movement and remote code execution. -action.notable.param.rule_title = Remote Process Instantiation via DCOM and PowerShell Script Block -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 (ScriptBlockText="*Document.Application.ShellExecute*" OR ScriptBlockText="*Document.ActiveView.ExecuteShellCommand*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_process_instantiation_via_dcom_and_powershell_script_block_filter` - -[ESCU - Remote Process Instantiation via WinRM and PowerShell - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic looks for the execution of `powershell.exe` with arguments utilized to start a process on a remote endpoint by abusing the WinRM protocol. Specifically, this search looks for the abuse of the `Invoke-Command` commandlet. Red Teams and adversaries alike may abuse WinRM and `powershell.exe` for lateral movement and remote code execution. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.006"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for the execution of `powershell.exe` with arguments utilized to start a process on a remote endpoint by abusing the WinRM protocol. Specifically, this search looks for the abuse of the `Invoke-Command` commandlet. Red Teams and adversaries alike may abuse WinRM and `powershell.exe` for lateral movement and remote code execution. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators may leverage WinRM and `Invoke-Command` to start a process on remote systems for system administration or automation use cases. However, this activity is usually limited to a small set of hosts or users. -action.escu.creation_date = 2021-11-16 -action.escu.modification_date = 2021-11-16 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Remote Process Instantiation via WinRM and PowerShell - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Lateral Movement"] -action.risk = 1 -action.risk.param._risk_message = A process was started on a remote endpoint from $dest by abusing WinRM using PowerShell.exe -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 45}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Remote Process Instantiation via WinRM and PowerShell - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 50, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.006"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "ba24cda8-4716-11ec-8009-3e22fbd008af", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic looks for the execution of `powershell.exe` with arguments utilized to start a process on a remote endpoint by abusing the WinRM protocol. Specifically, this search looks for the abuse of the `Invoke-Command` commandlet. Red Teams and adversaries alike may abuse WinRM and `powershell.exe` for lateral movement and remote code execution. -action.notable.param.rule_title = Remote Process Instantiation via WinRM and PowerShell -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` (Processes.process="*Invoke-Command*" AND Processes.process="*-ComputerName*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `remote_process_instantiation_via_winrm_and_powershell_filter` - -[ESCU - Remote Process Instantiation via WinRM and PowerShell Script Block - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of PowerShell with arguments utilized to start a process on a remote endpoint by abusing the WinRM protocol. Specifically, this search looks for the abuse of the `Invoke-Command` commandlet. Red Teams and adversaries alike may abuse WinRM for lateral movement and remote code execution. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.006"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of PowerShell with arguments utilized to start a process on a remote endpoint by abusing the WinRM protocol. Specifically, this search looks for the abuse of the `Invoke-Command` commandlet. Red Teams and adversaries alike may abuse WinRM for lateral movement and remote code execution. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup instructions can be found https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = Administrators may leverage WinRM and `Invoke-Command` to start a process on remote systems for system administration or automation use cases. This activity is usually limited to a small set of hosts or users. In certain environments, tuning may not be possible. -action.escu.creation_date = 2022-03-22 -action.escu.modification_date = 2022-03-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Remote Process Instantiation via WinRM and PowerShell Script Block - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Lateral Movement"] -action.risk = 1 -action.risk.param._risk_message = A process was started on a remote endpoint from $Computer$ by abusing WinRM using PowerShell.exe -action.risk.param._risk = [{"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 45}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Remote Process Instantiation via WinRM and PowerShell Script Block - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 50, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.006"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "7d4c618e-4716-11ec-951c-3e22fbd008af", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of PowerShell with arguments utilized to start a process on a remote endpoint by abusing the WinRM protocol. Specifically, this search looks for the abuse of the `Invoke-Command` commandlet. Red Teams and adversaries alike may abuse WinRM for lateral movement and remote code execution. -action.notable.param.rule_title = Remote Process Instantiation via WinRM and PowerShell Script Block -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 (ScriptBlockText="*Invoke-Command*" AND ScriptBlockText="*-ComputerName*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_process_instantiation_via_winrm_and_powershell_script_block_filter` - -[ESCU - Remote Process Instantiation via WinRM and Winrs - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic looks for the execution of `winrs.exe` with command-line arguments utilized to start a process on a remote endpoint. Red Teams and adversaries alike may abuse the WinRM protocol and this binary for lateral movement and remote code execution. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.006"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for the execution of `winrs.exe` with command-line arguments utilized to start a process on a remote endpoint. Red Teams and adversaries alike may abuse the WinRM protocol and this binary for lateral movement and remote code execution. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators may leverage WinRM and WinRs to start a process on remote systems, but this activity is usually limited to a small set of hosts or users. -action.escu.creation_date = 2021-11-11 -action.escu.modification_date = 2021-11-11 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Remote Process Instantiation via WinRM and Winrs - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Lateral Movement"] -action.risk = 1 -action.risk.param._risk_message = A process was started on a remote endpoint from $dest -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 54}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Remote Process Instantiation via WinRM and Winrs - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.006"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "0dd296a2-4338-11ec-ba02-3e22fbd008af", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic looks for the execution of `winrs.exe` with command-line arguments utilized to start a process on a remote endpoint. Red Teams and adversaries alike may abuse the WinRM protocol and this binary for lateral movement and remote code execution. -action.notable.param.rule_title = Remote Process Instantiation via WinRM and Winrs -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=winrs.exe OR Processes.original_file_name=winrs.exe) (Processes.process="*-r:*" OR Processes.process="*-remote:*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `remote_process_instantiation_via_winrm_and_winrs_filter` - -[ESCU - Remote Process Instantiation via WMI - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the execution of wmic.exe with parameters to spawn a process on a remote system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process telemetry mapped to the `Processes` node of the `Endpoint` data model. This activity is significant as WMI can be abused for lateral movement and remote code execution, often used by adversaries and Red Teams. If confirmed malicious, this could allow attackers to execute arbitrary code on remote systems, facilitating further compromise and lateral spread within the network. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the execution of wmic.exe with parameters to spawn a process on a remote system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process telemetry mapped to the `Processes` node of the `Endpoint` data model. This activity is significant as WMI can be abused for lateral movement and remote code execution, often used by adversaries and Red Teams. If confirmed malicious, this could allow attackers to execute arbitrary code on remote systems, facilitating further compromise and lateral spread within the network. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = The wmic.exe utility is a benign Windows application. It may be used legitimately by Administrators with these parameters for remote system administration, but it's relatively uncommon. -action.escu.creation_date = 2024-05-23 -action.escu.modification_date = 2024-05-23 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Remote Process Instantiation via WMI - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Lateral Movement", "CISA AA23-347A", "Ransomware", "Suspicious WMI Use"] -action.risk = 1 -action.risk.param._risk_message = A wmic.exe process $process$ contain process spawn commandline $process$ in host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Remote Process Instantiation via WMI - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "CISA AA23-347A", "Ransomware", "Suspicious WMI Use"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "d25d2c3d-d9d8-40ec-8fdf-e86fe155a3da", "detection_version": "8"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the execution of wmic.exe with parameters to spawn a process on a remote system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process telemetry mapped to the `Processes` node of the `Endpoint` data model. This activity is significant as WMI can be abused for lateral movement and remote code execution, often used by adversaries and Red Teams. If confirmed malicious, this could allow attackers to execute arbitrary code on remote systems, facilitating further compromise and lateral spread within the network. -action.notable.param.rule_title = Remote Process Instantiation via WMI -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` (Processes.process="*/node:*" AND Processes.process="*process*" AND Processes.process="*call*" AND Processes.process="*create*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `remote_process_instantiation_via_wmi_filter` - -[ESCU - Remote Process Instantiation via WMI and PowerShell - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic looks for the execution of `powershell.exe` leveraging the `Invoke-WmiMethod` commandlet complemented with arguments utilized to start a process on a remote endpoint by abusing WMI. Red Teams and adversaries alike may abuse WMI and `powershell.exe` for lateral movement and remote code execution. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for the execution of `powershell.exe` leveraging the `Invoke-WmiMethod` commandlet complemented with arguments utilized to start a process on a remote endpoint by abusing WMI. Red Teams and adversaries alike may abuse WMI and `powershell.exe` for lateral movement and remote code execution. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators may leverage WWMI and powershell.exe to start a process on remote systems, but this activity is usually limited to a small set of hosts or users. -action.escu.creation_date = 2021-11-15 -action.escu.modification_date = 2021-11-15 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Remote Process Instantiation via WMI and PowerShell - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Lateral Movement"] -action.risk = 1 -action.risk.param._risk_message = A process was started on a remote endpoint from $dest by abusing WMI using PowerShell.exe -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Remote Process Instantiation via WMI and PowerShell - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "112638b4-4634-11ec-b9ab-3e22fbd008af", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic looks for the execution of `powershell.exe` leveraging the `Invoke-WmiMethod` commandlet complemented with arguments utilized to start a process on a remote endpoint by abusing WMI. Red Teams and adversaries alike may abuse WMI and `powershell.exe` for lateral movement and remote code execution. -action.notable.param.rule_title = Remote Process Instantiation via WMI and PowerShell -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` (Processes.process="*Invoke-WmiMethod*" AND Processes.process="*-CN*" AND Processes.process="*-Class Win32_Process*" AND Processes.process="*-Name create*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `remote_process_instantiation_via_wmi_and_powershell_filter` - -[ESCU - Remote Process Instantiation via WMI and PowerShell Script Block - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Invoke-WmiMethod` commandlet with arguments utilized to start a process on a remote endpoint by abusing WMI. Red Teams and adversaries alike may abuse WMI and this commandlet for lateral movement and remote code execution. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Invoke-WmiMethod` commandlet with arguments utilized to start a process on a remote endpoint by abusing WMI. Red Teams and adversaries alike may abuse WMI and this commandlet for lateral movement and remote code execution. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup instructions can be found https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = Administrators may leverage WWMI and powershell.exe to start a process on remote systems, but this activity is usually limited to a small set of hosts or users. -action.escu.creation_date = 2022-11-15 -action.escu.modification_date = 2022-11-15 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Remote Process Instantiation via WMI and PowerShell Script Block - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Lateral Movement"] -action.risk = 1 -action.risk.param._risk_message = A process was started on a remote endpoint from $Computer$ by abusing WMI using PowerShell.exe -action.risk.param._risk = [{"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 63}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Remote Process Instantiation via WMI and PowerShell Script Block - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "2a048c14-4634-11ec-a618-3e22fbd008af", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Invoke-WmiMethod` commandlet with arguments utilized to start a process on a remote endpoint by abusing WMI. Red Teams and adversaries alike may abuse WMI and this commandlet for lateral movement and remote code execution. -action.notable.param.rule_title = Remote Process Instantiation via WMI and PowerShell Script Block -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText="*Invoke-WmiMethod*" AND (ScriptBlockText="*-CN*" OR ScriptBlockText="*-ComputerName*") AND ScriptBlockText="*-Class Win32_Process*" AND ScriptBlockText="*-Name create*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_process_instantiation_via_wmi_and_powershell_script_block_filter` - -[ESCU - Remote System Discovery with Adsisearcher - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain computers. Red Teams and adversaries may leverage `[Adsisearcher]` to enumerate domain computers for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain computers. Red Teams and adversaries may leverage `[Adsisearcher]` to enumerate domain computers for situational awareness and Active Directory Discovery. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = Administrators or power users may use Adsisearcher for troubleshooting. -action.escu.creation_date = 2022-06-29 -action.escu.modification_date = 2022-06-29 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Remote System Discovery with Adsisearcher - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Discovery"] -action.risk = 1 -action.risk.param._risk_message = Remote system discovery enumeration with adsisearcher on $dest$ by $user$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 15}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Remote System Discovery with Adsisearcher - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "70803451-0047-4e12-9d63-77fa7eb8649c", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain computers. Red Teams and adversaries may leverage `[Adsisearcher]` to enumerate domain computers for situational awareness and Active Directory Discovery. -action.notable.param.rule_title = Remote System Discovery with Adsisearcher -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText = "*adsisearcher*" AND ScriptBlockText = "*objectcategory=computer*" AND ScriptBlockText IN ("*findAll()*","*findOne()*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest |rename UserID as user | `security_content_ctime(firstTime)` | `remote_system_discovery_with_adsisearcher_filter` - -[ESCU - Remote System Discovery with Dsquery - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic looks for the execution of `dsquery.exe` with command-line arguments utilized to discover remote systems. The `computer` argument returns a list of all computers registered in the domain. Red Teams and adversaries alike engage in remote system discovery for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for the execution of `dsquery.exe` with command-line arguments utilized to discover remote systems. The `computer` argument returns a list of all computers registered in the domain. Red Teams and adversaries alike engage in remote system discovery for situational awareness and Active Directory Discovery. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. -action.escu.creation_date = 2021-08-31 -action.escu.modification_date = 2021-08-31 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Remote System Discovery with Dsquery - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Discovery"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Remote System Discovery with Dsquery - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "9fb562f4-42f8-4139-8e11-a82edf7ed718", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="dsquery.exe") (Processes.process="*computer*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_system_discovery_with_dsquery_filter` - -[ESCU - Remote System Discovery with Net - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic looks for the execution of `net.exe` or `net1.exe` with command-line arguments utilized to discover remote systems. The argument `domain computers /domain` returns a list of all domain computers. Red Teams and adversaries alike use net.exe to identify remote systems for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for the execution of `net.exe` or `net1.exe` with command-line arguments utilized to discover remote systems. The argument `domain computers /domain` returns a list of all domain computers. Red Teams and adversaries alike use net.exe to identify remote systems for situational awareness and Active Directory Discovery. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. -action.escu.creation_date = 2021-08-30 -action.escu.modification_date = 2021-08-30 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Remote System Discovery with Net - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Discovery", "IcedID"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Remote System Discovery with Net - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "IcedID"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "9df16706-04a2-41e2-bbfe-9b38b34409d3", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="net.exe" OR Processes.process_name="net1.exe") (Processes.process="*domain computers*" AND Processes.process=*/do*) OR (Processes.process="*view*" AND Processes.process=*/do*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_system_discovery_with_net_filter` - -[ESCU - Remote System Discovery with Wmic - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to discover remote systems. The arguments utilized in this command return a list of all the systems registered in the domain. Red Teams and adversaries alike may leverage WMI and wmic.exe to identify remote systems for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to discover remote systems. The arguments utilized in this command return a list of all the systems registered in the domain. Red Teams and adversaries alike may leverage WMI and wmic.exe to identify remote systems for situational awareness and Active Directory Discovery. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. -action.escu.creation_date = 2021-09-01 -action.escu.modification_date = 2021-09-01 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Remote System Discovery with Wmic - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Discovery"] -action.risk = 1 -action.risk.param._risk_message = Remote system discovery enumeration on $dest$ by $user$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 15}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Remote System Discovery with Wmic - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "d82eced3-b1dc-42ab-859e-a2fc98827359", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to discover remote systems. The arguments utilized in this command return a list of all the systems registered in the domain. Red Teams and adversaries alike may leverage WMI and wmic.exe to identify remote systems for situational awareness and Active Directory Discovery. -action.notable.param.rule_title = Remote System Discovery with Wmic -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="wmic.exe") (Processes.process=*/NAMESPACE:\\\\root\\directory\\ldap* AND Processes.process=*ds_computer* AND Processes.process="*GET ds_samaccountname*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_system_discovery_with_wmic_filter` - -[ESCU - Remote WMI Command Attempt - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies usage of `wmic.exe` spawning a local or remote process, identified by the `node` switch. During triage, review parallel processes for additional commands executed. Look for any file modifications before and after `wmic.exe` execution. In addition, identify the remote endpoint and confirm execution or file modifications. Contain and isolate the endpoint as needed. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies usage of `wmic.exe` spawning a local or remote process, identified by the `node` switch. During triage, review parallel processes for additional commands executed. Look for any file modifications before and after `wmic.exe` execution. In addition, identify the remote endpoint and confirm execution or file modifications. Contain and isolate the endpoint as needed. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators may use this legitimately to gather info from remote systems. Filter as needed. -action.escu.creation_date = 2023-12-27 -action.escu.modification_date = 2023-12-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Remote WMI Command Attempt - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["CISA AA23-347A", "Graceful Wipe Out Attack", "IcedID", "Living Off The Land", "Suspicious WMI Use", "Volt Typhoon"] -action.risk = 1 -action.risk.param._risk_message = A wmic.exe process $process$ contain node commandline $process$ in host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 36}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 36}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Remote WMI Command Attempt - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A", "Graceful Wipe Out Attack", "IcedID", "Living Off The Land", "Suspicious WMI Use", "Volt Typhoon"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "272df6de-61f1-4784-877c-1fbc3e2d0838", "detection_version": "4"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies usage of `wmic.exe` spawning a local or remote process, identified by the `node` switch. During triage, review parallel processes for additional commands executed. Look for any file modifications before and after `wmic.exe` execution. In addition, identify the remote endpoint and confirm execution or file modifications. Contain and isolate the endpoint as needed. -action.notable.param.rule_title = Remote WMI Command Attempt -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process=*node* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_wmi_command_attempt_filter` - -[ESCU - Resize ShadowStorage volume - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytics identifies the resizing of shadowstorage by ransomware malware to avoid the shadow volumes being made again. this technique is an alternative by ransomware attacker than deleting the shadowstorage which is known alert in defensive team. one example of ransomware that use this technique is CLOP ransomware where it drops a .bat file that will resize the shadowstorage to minimum size as much as possible -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytics identifies the resizing of shadowstorage by ransomware malware to avoid the shadow volumes being made again. this technique is an alternative by ransomware attacker than deleting the shadowstorage which is known alert in defensive team. one example of ransomware that use this technique is CLOP ransomware where it drops a .bat file that will resize the shadowstorage to minimum size as much as possible -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = network admin can resize the shadowstorage for valid purposes. -action.escu.creation_date = 2021-03-12 -action.escu.modification_date = 2021-03-12 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Resize ShadowStorage volume - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["BlackByte Ransomware", "Clop Ransomware"] -action.risk = 1 -action.risk.param._risk_message = A process $parent_process_name$ attempt to resize shadow copy with commandline $process$ in host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 72}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Resize ShadowStorage volume - Rule -action.correlationsearch.annotations = {"analytic_story": ["BlackByte Ransomware", "Clop Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "bc760ca6-8336-11eb-bcbb-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytics identifies the resizing of shadowstorage by ransomware malware to avoid the shadow volumes being made again. this technique is an alternative by ransomware attacker than deleting the shadowstorage which is known alert in defensive team. one example of ransomware that use this technique is CLOP ransomware where it drops a .bat file that will resize the shadowstorage to minimum size as much as possible -action.notable.param.rule_title = Resize ShadowStorage volume -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` values(Processes.process) as cmdline values(Processes.parent_process_name) as parent_process values(Processes.process_name) as process_name min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name = "cmd.exe" OR Processes.parent_process_name = "powershell.exe" OR Processes.parent_process_name = "powershell_ise.exe" OR Processes.parent_process_name = "wmic.exe" Processes.process_name = "vssadmin.exe" Processes.process="*resize*" Processes.process="*shadowstorage*" Processes.process="*/maxsize*" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `resize_shadowstorage_volume_filter` - -[ESCU - Revil Common Exec Parameter - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the execution of command-line parameters commonly associated with REVIL ransomware, such as "-nolan", "-nolocal", "-fast", and "-full". It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs mapped to the `Processes` node of the `Endpoint` data model. This activity is significant because these parameters are indicative of ransomware attempting to encrypt files on a compromised machine. If confirmed malicious, this could lead to widespread data encryption, rendering critical files inaccessible and potentially causing significant operational disruption. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the execution of command-line parameters commonly associated with REVIL ransomware, such as "-nolan", "-nolocal", "-fast", and "-full". It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs mapped to the `Processes` node of the `Endpoint` data model. This activity is significant because these parameters are indicative of ransomware attempting to encrypt files on a compromised machine. If confirmed malicious, this could lead to widespread data encryption, rendering critical files inaccessible and potentially causing significant operational disruption. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = third party tool may have same command line parameters as revil ransomware. -action.escu.creation_date = 2024-05-12 -action.escu.modification_date = 2024-05-12 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Revil Common Exec Parameter - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Ransomware", "Revil Ransomware"] -action.risk = 1 -action.risk.param._risk_message = A process $process_name$ with commandline $process$ related to revil ransomware in host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 54}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 54}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Revil Common Exec Parameter - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Revil Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "85facebe-c382-11eb-9c3e-acde48001122", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the execution of command-line parameters commonly associated with REVIL ransomware, such as "-nolan", "-nolocal", "-fast", and "-full". It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs mapped to the `Processes` node of the `Endpoint` data model. This activity is significant because these parameters are indicative of ransomware attempting to encrypt files on a compromised machine. If confirmed malicious, this could lead to widespread data encryption, rendering critical files inaccessible and potentially causing significant operational disruption. -action.notable.param.rule_title = Revil Common Exec Parameter -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = "* -nolan *" OR Processes.process = "* -nolocal *" OR Processes.process = "* -fast *" OR Processes.process = "* -full *" by Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `revil_common_exec_parameter_filter` - -[ESCU - Revil Registry Entry - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic identifies suspicious modification in registry entry to keep some malware data during its infection. This technique seen in several apt implant, malware and ransomware like REVIL where it keep some information like the random generated file extension it uses for all the encrypted files and ransomware notes file name in the compromised host. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic identifies suspicious modification in registry entry to keep some malware data during its infection. This technique seen in several apt implant, malware and ransomware like REVIL where it keep some information like the random generated file extension it uses for all the encrypted files and ransomware notes file name in the compromised host. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2022-11-14 -action.escu.modification_date = 2022-11-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Revil Registry Entry - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Ransomware", "Revil Ransomware", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = A registry entry $registry_path$ with registry value $registry_value_name$ and $registry_value_name$ related to revil ransomware in host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 60}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 60}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Revil Registry Entry - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Revil Ransomware", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 100, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e3d3f57a-c381-11eb-9e35-acde48001122", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic identifies suspicious modification in registry entry to keep some malware data during its infection. This technique seen in several apt implant, malware and ransomware like REVIL where it keep some information like the random generated file extension it uses for all the encrypted files and ransomware notes file name in the compromised host. -action.notable.param.rule_title = Revil Registry Entry -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*\\SOFTWARE\\WOW6432Node\\Facebook_Assistant\\*" OR Registry.registry_path="*\\SOFTWARE\\WOW6432Node\\BlackLivesMatter*") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `revil_registry_entry_filter` - -[ESCU - Rubeus Command Line Parameters - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = Rubeus is a C# toolset for raw Kerberos interaction and abuses. It is heavily adapted from Benjamin Delpys Kekeo project and Vincent LE TOUXs MakeMeEnterpriseAdmin project. This analytic looks for the use of Rubeus command line arguments utilized in common Kerberos attacks like exporting and importing tickets, forging silver and golden tickets, requesting a TGT or TGS, kerberoasting, password spraying, etc. Red teams and adversaries alike use Rubeus for Kerberos attacks within Active Directory networks. Defenders should be aware that adversaries may customize the source code of Rubeus and modify the command line parameters. This would effectively bypass this analytic. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1550", "T1550.003", "T1558", "T1558.003", "T1558.004"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = Rubeus is a C# toolset for raw Kerberos interaction and abuses. It is heavily adapted from Benjamin Delpys Kekeo project and Vincent LE TOUXs MakeMeEnterpriseAdmin project. This analytic looks for the use of Rubeus command line arguments utilized in common Kerberos attacks like exporting and importing tickets, forging silver and golden tickets, requesting a TGT or TGS, kerberoasting, password spraying, etc. Red teams and adversaries alike use Rubeus for Kerberos attacks within Active Directory networks. Defenders should be aware that adversaries may customize the source code of Rubeus and modify the command line parameters. This would effectively bypass this analytic. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Although unlikely, legitimate applications may use the same command line parameters as Rubeus. Filter as needed. -action.escu.creation_date = 2023-12-27 -action.escu.modification_date = 2023-12-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Rubeus Command Line Parameters - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Kerberos Attacks", "Active Directory Privilege Escalation", "CISA AA23-347A"] -action.risk = 1 -action.risk.param._risk_message = Rubeus command line parameters were used on $dest$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 36}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 36}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 36}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Rubeus Command Line Parameters - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Privilege Escalation", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1550", "T1550.003", "T1558", "T1558.003", "T1558.004"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "cca37478-8377-11ec-b59a-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = Rubeus is a C# toolset for raw Kerberos interaction and abuses. It is heavily adapted from Benjamin Delpys Kekeo project and Vincent LE TOUXs MakeMeEnterpriseAdmin project. This analytic looks for the use of Rubeus command line arguments utilized in common Kerberos attacks like exporting and importing tickets, forging silver and golden tickets, requesting a TGT or TGS, kerberoasting, password spraying, etc. Red teams and adversaries alike use Rubeus for Kerberos attacks within Active Directory networks. Defenders should be aware that adversaries may customize the source code of Rubeus and modify the command line parameters. This would effectively bypass this analytic. -action.notable.param.rule_title = Rubeus Command Line Parameters -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process = "*ptt /ticket*" OR Processes.process = "* monitor /interval*" OR Processes.process ="* asktgt* /user:*" OR Processes.process ="* asktgs* /service:*" OR Processes.process ="* golden* /user:*" OR Processes.process ="* silver* /service:*" OR Processes.process ="* kerberoast*" OR Processes.process ="* asreproast*" OR Processes.process = "* renew* /ticket:*" OR Processes.process = "* brute* /password:*" OR Processes.process = "* brute* /passwords:*" OR Processes.process ="* harvest*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rubeus_command_line_parameters_filter` - -[ESCU - Rubeus Kerberos Ticket Exports Through Winlogon Access - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic looks for a process accessing the winlogon.exe system process. The Splunk Threat Research team identified this behavior when using the Rubeus tool to monitor for and export kerberos tickets from memory. Before being able to export tickets. Rubeus will try to escalate privileges to SYSTEM by obtaining a handle to winlogon.exe before trying to monitor for kerberos tickets. Exporting tickets from memory is typically the first step for pass the ticket attacks. Red teams and adversaries alike may use the pass the ticket technique using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Defenders should be aware that adversaries may customize the source code of Rubeus to potentially bypass this analytic. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1550", "T1550.003"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic looks for a process accessing the winlogon.exe system process. The Splunk Threat Research team identified this behavior when using the Rubeus tool to monitor for and export kerberos tickets from memory. Before being able to export tickets. Rubeus will try to escalate privileges to SYSTEM by obtaining a handle to winlogon.exe before trying to monitor for kerberos tickets. Exporting tickets from memory is typically the first step for pass the ticket attacks. Red teams and adversaries alike may use the pass the ticket technique using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Defenders should be aware that adversaries may customize the source code of Rubeus to potentially bypass this analytic. -action.escu.how_to_implement = This search needs Sysmon Logs and a sysmon configuration, which includes EventCode 10. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. -action.escu.known_false_positives = Legitimate applications may obtain a handle for winlogon.exe. Filter as needed -action.escu.creation_date = 2023-12-27 -action.escu.modification_date = 2023-12-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Rubeus Kerberos Ticket Exports Through Winlogon Access - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["Active Directory Kerberos Attacks", "CISA AA23-347A"] -action.risk = 1 -action.risk.param._risk_message = Winlogon.exe was accessed by $SourceImage$ on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 36}, {"risk_object_field": "TargetImage", "risk_object_type": "other", "risk_score": 36}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Rubeus Kerberos Ticket Exports Through Winlogon Access - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1550", "T1550.003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "5ed8c50a-8869-11ec-876f-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic looks for a process accessing the winlogon.exe system process. The Splunk Threat Research team identified this behavior when using the Rubeus tool to monitor for and export kerberos tickets from memory. Before being able to export tickets. Rubeus will try to escalate privileges to SYSTEM by obtaining a handle to winlogon.exe before trying to monitor for kerberos tickets. Exporting tickets from memory is typically the first step for pass the ticket attacks. Red teams and adversaries alike may use the pass the ticket technique using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Defenders should be aware that adversaries may customize the source code of Rubeus to potentially bypass this analytic. -action.notable.param.rule_title = Rubeus Kerberos Ticket Exports Through Winlogon Access -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=10 TargetImage=C:\\Windows\\system32\\winlogon.exe (GrantedAccess=0x1f3fff) (SourceImage!=C:\\Windows\\system32\\svchost.exe AND SourceImage!=C:\\Windows\\system32\\lsass.exe AND SourceImage!=C:\\Windows\\system32\\LogonUI.exe AND SourceImage!=C:\\Windows\\system32\\smss.exe AND SourceImage!=C:\\Windows\\system32\\wbem\\wmiprvse.exe) | stats count min(_time) as firstTime max(_time) as lastTime by dest, SourceImage, SourceProcessId, TargetImage, TargetProcessId, EventCode, GrantedAccess | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `rubeus_kerberos_ticket_exports_through_winlogon_access_filter` - -[ESCU - Runas Execution in CommandLine - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic look for a spawned runas.exe process with a administrator user option parameter. This parameter was abused by adversaries, malware author or even red teams to gain elevated privileges in target host. This is a good hunting query to figure out privilege escalation tactics that may used for different stages like lateral movement but take note that administrator may use this command in purpose so its better to see other event context before and after this analytic. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134", "T1134.001"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic look for a spawned runas.exe process with a administrator user option parameter. This parameter was abused by adversaries, malware author or even red teams to gain elevated privileges in target host. This is a good hunting query to figure out privilege escalation tactics that may used for different stages like lateral movement but take note that administrator may use this command in purpose so its better to see other event context before and after this analytic. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = A network operator or systems administrator may utilize an automated or manual execute this command that may generate false positives. filter is needed. -action.escu.creation_date = 2023-04-14 -action.escu.modification_date = 2023-04-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Runas Execution in CommandLine - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Data Destruction", "Hermetic Wiper", "Windows Privilege Escalation"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Runas Execution in CommandLine - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134", "T1134.001"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "4807e716-43a4-11ec-a0e7-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_runas` AND Processes.process = "*/user:*" AND Processes.process = "*admin*" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `runas_execution_in_commandline_filter` - -[ESCU - Rundll32 Control RunDLL Hunt - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following hunting detection identifies rundll32.exe with `control_rundll` within the command-line, loading a .cpl or another file type. Developed in relation to CVE-2021-40444. Rundll32.exe can also be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. \ This is written to be a bit more broad by not including .cpl. \ During triage, review parallel processes to identify any further suspicious behavior. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following hunting detection identifies rundll32.exe with `control_rundll` within the command-line, loading a .cpl or another file type. Developed in relation to CVE-2021-40444. Rundll32.exe can also be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. \ This is written to be a bit more broad by not including .cpl. \ During triage, review parallel processes to identify any further suspicious behavior. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = This is a hunting detection, meant to provide a understanding of how voluminous control_rundll is within the environment. -action.escu.creation_date = 2021-09-08 -action.escu.modification_date = 2021-09-08 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Rundll32 Control RunDLL Hunt - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Living Off The Land", "Microsoft MSHTML Remote Code Execution CVE-2021-40444", "Suspicious Rundll32 Activity"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Rundll32 Control RunDLL Hunt - Rule -action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land", "Microsoft MSHTML Remote Code Execution CVE-2021-40444", "Suspicious Rundll32 Activity"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2021-40444"], "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c8e7ced0-10c5-11ec-8b03-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*Control_RunDLL* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_control_rundll_hunt_filter` - -[ESCU - Rundll32 Control RunDLL World Writable Directory - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following detection identifies rundll32.exe with `control_rundll` within the command-line, loading a .cpl or another file type from windows\temp, programdata, or appdata. Developed in relation to CVE-2021-40444. Rundll32.exe can also be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. This is written to be a bit more broad by not including .cpl. The paths are specified, add more as needed. During triage, review parallel processes to identify any further suspicious behavior. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following detection identifies rundll32.exe with `control_rundll` within the command-line, loading a .cpl or another file type from windows\temp, programdata, or appdata. Developed in relation to CVE-2021-40444. Rundll32.exe can also be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. This is written to be a bit more broad by not including .cpl. The paths are specified, add more as needed. During triage, review parallel processes to identify any further suspicious behavior. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = This may be tuned, or a new one related, by adding .cpl to command-line. However, it's important to look for both. Tune/filter as needed. -action.escu.creation_date = 2021-09-08 -action.escu.modification_date = 2021-09-08 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Rundll32 Control RunDLL World Writable Directory - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Living Off The Land", "Microsoft MSHTML Remote Code Execution CVE-2021-40444", "Suspicious Rundll32 Activity"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to load a suspicious file from disk. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Rundll32 Control RunDLL World Writable Directory - Rule -action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land", "Microsoft MSHTML Remote Code Execution CVE-2021-40444", "Suspicious Rundll32 Activity"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2021-40444"], "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "1adffe86-10c3-11ec-8ce6-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following detection identifies rundll32.exe with `control_rundll` within the command-line, loading a .cpl or another file type from windows\temp, programdata, or appdata. Developed in relation to CVE-2021-40444. Rundll32.exe can also be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. This is written to be a bit more broad by not including .cpl. The paths are specified, add more as needed. During triage, review parallel processes to identify any further suspicious behavior. -action.notable.param.rule_title = Rundll32 Control RunDLL World Writable Directory -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*Control_RunDLL* AND Processes.process IN ("*\\appdata\\*", "*\\windows\\temp\\*", "*\\programdata\\*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_control_rundll_world_writable_directory_filter` - -[ESCU - Rundll32 Create Remote Thread To A Process - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic identifies the suspicious Remote Thread execution of rundll32.exe to any process. This technique was seen in IcedID malware to execute its malicious code in normal process for defense evasion and to steal sensitive information in the compromised host. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic identifies the suspicious Remote Thread execution of rundll32.exe to any process. This technique was seen in IcedID malware to execute its malicious code in normal process for defense evasion and to steal sensitive information in the compromised host. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the SourceImage, TargetImage, and EventCode executions from your endpoints related to create remote thread or injecting codes. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2021-07-29 -action.escu.modification_date = 2021-07-29 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Rundll32 Create Remote Thread To A Process - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["IcedID", "Living Off The Land"] -action.risk = 1 -action.risk.param._risk_message = rundl32 process $SourceImage$ create a remote thread to process $TargetImage$ in host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"threat_object_field": "SourceImage", "threat_object_type": "process"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Rundll32 Create Remote Thread To A Process - Rule -action.correlationsearch.annotations = {"analytic_story": ["IcedID", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "2dbeee3a-f067-11eb-96c0-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic identifies the suspicious Remote Thread execution of rundll32.exe to any process. This technique was seen in IcedID malware to execute its malicious code in normal process for defense evasion and to steal sensitive information in the compromised host. -action.notable.param.rule_title = Rundll32 Create Remote Thread To A Process -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=8 SourceImage = "*\\rundll32.exe" TargetImage = "*.exe" | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage TargetProcessId SourceProcessId StartAddress EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_create_remote_thread_to_a_process_filter` - -[ESCU - Rundll32 CreateRemoteThread In Browser - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic identifies the suspicious Remote Thread execution of rundll32.exe process to "firefox.exe" and "chrome.exe" browser. This technique was seen in IcedID malware where it hooks the browser to parse banking information as user used the targetted browser process. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic identifies the suspicious Remote Thread execution of rundll32.exe process to "firefox.exe" and "chrome.exe" browser. This technique was seen in IcedID malware where it hooks the browser to parse banking information as user used the targetted browser process. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the SourceImage, TargetImage, and EventCode executions from your endpoints related to create remote thread or injecting codes. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2021-07-26 -action.escu.modification_date = 2021-07-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Rundll32 CreateRemoteThread In Browser - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["IcedID", "Living Off The Land"] -action.risk = 1 -action.risk.param._risk_message = rundl32 process $SourceImage$ create a remote thread to browser process $TargetImage$ in host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 70}, {"threat_object_field": "SourceImage", "threat_object_type": "process"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Rundll32 CreateRemoteThread In Browser - Rule -action.correlationsearch.annotations = {"analytic_story": ["IcedID", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "f8a22586-ee2d-11eb-a193-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic identifies the suspicious Remote Thread execution of rundll32.exe process to "firefox.exe" and "chrome.exe" browser. This technique was seen in IcedID malware where it hooks the browser to parse banking information as user used the targetted browser process. -action.notable.param.rule_title = Rundll32 CreateRemoteThread In Browser -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=8 SourceImage = "*\\rundll32.exe" TargetImage IN ("*\\firefox.exe", "*\\chrome.exe", "*\\iexplore.exe","*\\microsoftedgecp.exe") | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage TargetProcessId SourceProcessId StartAddress EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_createremotethread_in_browser_filter` - -[ESCU - Rundll32 DNSQuery - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search is to detect a suspicious rundll32.exe process having a http connection and do a dns query in some web domain. This technique was seen in IcedID malware where the rundll32 that execute its payload will contact amazon.com to check internet connect and to communicate to its C&C server to download config and other file component. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This search is to detect a suspicious rundll32.exe process having a http connection and do a dns query in some web domain. This technique was seen in IcedID malware where the rundll32 that execute its payload will contact amazon.com to check internet connect and to communicate to its C&C server to download config and other file component. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and eventcode = 22 dnsquery executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2022-02-18 -action.escu.modification_date = 2022-02-18 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Rundll32 DNSQuery - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["IcedID", "Living Off The Land"] -action.risk = 1 -action.risk.param._risk_message = rundll32 process $process_name$ made a DNS query for $query$ from host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"threat_object_field": "process_name", "threat_object_type": "process"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Rundll32 DNSQuery - Rule -action.correlationsearch.annotations = {"analytic_story": ["IcedID", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "f1483f5e-ee29-11eb-9d23-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search is to detect a suspicious rundll32.exe process having a http connection and do a dns query in some web domain. This technique was seen in IcedID malware where the rundll32 that execute its payload will contact amazon.com to check internet connect and to communicate to its C&C server to download config and other file component. -action.notable.param.rule_title = Rundll32 DNSQuery -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=22 process_name="rundll32.exe" | stats count min(_time) as firstTime max(_time) as lastTime values(query) as query values(answer) as answer values(QueryResults) as query_results values(QueryStatus) as query_status by process_name process_guid Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_dnsquery_filter` - -[ESCU - Rundll32 LockWorkStation - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search is to detect a suspicious rundll32 commandline to lock the workstation through command line. This technique was seen in CONTI leak tooling and script as part of its defense evasion. This technique is not a common practice to lock a screen and maybe a good indicator of compromise. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search is to detect a suspicious rundll32 commandline to lock the workstation through command line. This technique was seen in CONTI leak tooling and script as part of its defense evasion. This technique is not a common practice to lock a screen and maybe a good indicator of compromise. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2021-08-09 -action.escu.modification_date = 2021-08-09 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Rundll32 LockWorkStation - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Ransomware"] -action.risk = 1 -action.risk.param._risk_message = Process $process_name$ with cmdline $process$ in host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}, {"threat_object_field": "process_name", "threat_object_type": "process"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Rundll32 LockWorkStation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "fa90f372-f91d-11eb-816c-acde48001122", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=rundll32.exe Processes.process= "*user32.dll,LockWorkStation*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_lockworkstation_filter` - -[ESCU - Rundll32 Process Creating Exe Dll Files - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search is to detect a suspicious rundll32 process that drops executable (.exe or .dll) files. This behavior seen in rundll32 process of IcedID that tries to drop copy of itself in temp folder or download executable drop it either appdata or programdata as part of its execution. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This search is to detect a suspicious rundll32 process that drops executable (.exe or .dll) files. This behavior seen in rundll32 process of IcedID that tries to drop copy of itself in temp folder or download executable drop it either appdata or programdata as part of its execution. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, TargetFilename, and eventcode 11 executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-11-07 -action.escu.modification_date = 2023-11-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Rundll32 Process Creating Exe Dll Files - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["IcedID", "Living Off The Land"] -action.risk = 1 -action.risk.param._risk_message = rundll32 process drops a file $file_name$ on host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"threat_object_field": "file_name", "threat_object_type": "file_name"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Rundll32 Process Creating Exe Dll Files - Rule -action.correlationsearch.annotations = {"analytic_story": ["IcedID", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "6338266a-ee2a-11eb-bf68-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search is to detect a suspicious rundll32 process that drops executable (.exe or .dll) files. This behavior seen in rundll32 process of IcedID that tries to drop copy of itself in temp folder or download executable drop it either appdata or programdata as part of its execution. -action.notable.param.rule_title = Rundll32 Process Creating Exe Dll Files -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=11 Image="*rundll32.exe" TargetFilename IN ("*.exe", "*.dll") | stats count min(_time) as firstTime max(_time) as lastTime by Image TargetFilename Computer | rename Computer as dest | rename TargetFilename as file_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_process_creating_exe_dll_files_filter` - -[ESCU - Rundll32 Shimcache Flush - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is to detect a suspicious rundll32 commandline to clear shim cache. This technique is a anti-forensic technique to clear the cache taht are one important artifacts in terms of digital forensic during attacks or incident. This TTP is a good indicator that someone tries to evade some tools and clear foothold on the machine. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is to detect a suspicious rundll32 commandline to clear shim cache. This technique is a anti-forensic technique to clear the cache taht are one important artifacts in terms of digital forensic during attacks or incident. This TTP is a good indicator that someone tries to evade some tools and clear foothold on the machine. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2021-10-05 -action.escu.modification_date = 2021-10-05 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Rundll32 Shimcache Flush - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Living Off The Land", "Unusual Processes"] -action.risk = 1 -action.risk.param._risk_message = rundll32 process execute $process$ to clear shim cache in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Rundll32 Shimcache Flush - Rule -action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land", "Unusual Processes"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a913718a-25b6-11ec-96d3-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic is to detect a suspicious rundll32 commandline to clear shim cache. This technique is a anti-forensic technique to clear the cache taht are one important artifacts in terms of digital forensic during attacks or incident. This TTP is a good indicator that someone tries to evade some tools and clear foothold on the machine. -action.notable.param.rule_title = Rundll32 Shimcache Flush -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` AND Processes.process = "*apphelp.dll,ShimFlushCache*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_shimcache_flush_filter` - -[ESCU - Rundll32 with no Command Line Arguments with Network - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies rundll32.exe with no command line arguments and performing a network connection. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, triage any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint", "Network_Traffic"] -action.escu.eli5 = The following analytic identifies rundll32.exe with no command line arguments and performing a network connection. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, triage any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Although unlikely, some legitimate applications may use a moved copy of rundll32, triggering a false positive. -action.escu.creation_date = 2023-07-10 -action.escu.modification_date = 2023-07-10 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Rundll32 with no Command Line Arguments with Network - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack", "PrintNightmare CVE-2021-34527", "Suspicious Rundll32 Activity"] -action.risk = 1 -action.risk.param._risk_message = A rundll32 process $process_name$ with no commandline argument like this process commandline $process$ in host $src$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 70}, {"threat_object_field": "process_name", "threat_object_type": "process"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Rundll32 with no Command Line Arguments with Network - Rule -action.correlationsearch.annotations = {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack", "PrintNightmare CVE-2021-34527", "Suspicious Rundll32 Activity"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2021-34527"], "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "35307032-a12d-11eb-835f-acde48001122", "detection_version": "4"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies rundll32.exe with no command line arguments and performing a network connection. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, triage any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. -action.notable.param.rule_title = Rundll32 with no Command Line Arguments with Network -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where `process_rundll32` AND Processes.action!="blocked" by host _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process="(?i)(rundll32\.exe.{0,4}$)" | rename dest as src | join host process_id [| tstats `security_content_summariesonly` count latest(All_Traffic.dest) as dest latest(All_Traffic.dest_ip) as dest_ip latest(All_Traffic.dest_port) as dest_port FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by host All_Traffic.process_id | `drop_dm_object_name(All_Traffic)`] | `rundll32_with_no_command_line_arguments_with_network_filter` - -[ESCU - RunDLL Loading DLL By Ordinal - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies rundll32.exe loading an export function by ordinal value. Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly, may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Utilizing ordinal values makes it a bit more complicated for analysts to understand the behavior until the DLL is reviewed. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies rundll32.exe loading an export function by ordinal value. Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly, may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Utilizing ordinal values makes it a bit more complicated for analysts to understand the behavior until the DLL is reviewed. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives are possible with native utilities and third party applications. Filtering may be needed based on command-line, or add world writeable paths to restrict query. -action.escu.creation_date = 2022-02-08 -action.escu.modification_date = 2022-02-08 -action.escu.confidence = high -action.escu.full_search_name = ESCU - RunDLL Loading DLL By Ordinal - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["IcedID", "Living Off The Land", "Suspicious Rundll32 Activity", "Unusual Processes"] -action.risk = 1 -action.risk.param._risk_message = A rundll32 process $process_name$ with ordinal parameter like this process commandline $process$ on host $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - RunDLL Loading DLL By Ordinal - Rule -action.correlationsearch.annotations = {"analytic_story": ["IcedID", "Living Off The Land", "Suspicious Rundll32 Activity", "Unusual Processes"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "6c135f8d-5e60-454e-80b7-c56eed739833", "detection_version": "6"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies rundll32.exe loading an export function by ordinal value. Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly, may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Utilizing ordinal values makes it a bit more complicated for analysts to understand the behavior until the DLL is reviewed. -action.notable.param.rule_title = RunDLL Loading DLL By Ordinal -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where match(process,"rundll32.+\#\d+") | `rundll_loading_dll_by_ordinal_filter` - -[ESCU - Ryuk Test Files Detected - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the presence of files containing the keyword "Ryuk" in any folder on the C drive, indicative of Ryuk ransomware activity. It leverages the Endpoint Filesystem data model to detect file paths matching this pattern. This activity is significant as Ryuk ransomware is known for its destructive impact, encrypting critical files and demanding ransom. If confirmed malicious, this could lead to significant data loss, operational disruption, and financial damage due to ransom payments and recovery efforts. Immediate investigation and response are crucial to mitigate potential damage. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1486"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the presence of files containing the keyword "Ryuk" in any folder on the C drive, indicative of Ryuk ransomware activity. It leverages the Endpoint Filesystem data model to detect file paths matching this pattern. This activity is significant as Ryuk ransomware is known for its destructive impact, encrypting critical files and demanding ransom. If confirmed malicious, this could lead to significant data loss, operational disruption, and financial damage due to ransom payments and recovery efforts. Immediate investigation and response are crucial to mitigate potential damage. -action.escu.how_to_implement = You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint Filesystem data-model object. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data. -action.escu.known_false_positives = If there are files with this keywoord as file names it might trigger false possitives, please make use of our filters to tune out potential FPs. -action.escu.creation_date = 2024-05-20 -action.escu.modification_date = 2024-05-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Ryuk Test Files Detected - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Ryuk Ransomware"] -action.risk = 1 -action.risk.param._risk_message = A creation of ryuk test file $file_path$ in host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 70}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 70}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Ryuk Test Files Detected - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ryuk Ransomware"], "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1486"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "57d44d70-28d9-4ed1-acf5-1c80ae2bbce3", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the presence of files containing the keyword "Ryuk" in any folder on the C drive, indicative of Ryuk ransomware activity. It leverages the Endpoint Filesystem data model to detect file paths matching this pattern. This activity is significant as Ryuk ransomware is known for its destructive impact, encrypting critical files and demanding ransom. If confirmed malicious, this could lead to significant data loss, operational disruption, and financial damage due to ransom payments and recovery efforts. Immediate investigation and response are crucial to mitigate potential damage. -action.notable.param.rule_title = Ryuk Test Files Detected -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem WHERE "Filesystem.file_path"=C:\\*Ryuk* BY "Filesystem.dest", "Filesystem.user", "Filesystem.file_path" | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `ryuk_test_files_detected_filter` - -[ESCU - Ryuk Wake on LAN Command - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This Splunk query identifies the use of Wake-on-LAN utilized by Ryuk ransomware. The Ryuk Ransomware uses the Wake-on-Lan feature to turn on powered off devices on a compromised network to have greater success encrypting them. This is a high fidelity indicator of Ryuk ransomware executing on an endpoint. Upon triage, isolate the endpoint. Additional file modification events will be within the users profile (\appdata\roaming) and in public directories (users\public\). Review all Scheduled Tasks on the isolated endpoint and across the fleet. Suspicious Scheduled Tasks will include a path to a unknown binary and those endpoints should be isolated until triaged. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.003"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This Splunk query identifies the use of Wake-on-LAN utilized by Ryuk ransomware. The Ryuk Ransomware uses the Wake-on-Lan feature to turn on powered off devices on a compromised network to have greater success encrypting them. This is a high fidelity indicator of Ryuk ransomware executing on an endpoint. Upon triage, isolate the endpoint. Additional file modification events will be within the users profile (\appdata\roaming) and in public directories (users\public\). Review all Scheduled Tasks on the isolated endpoint and across the fleet. Suspicious Scheduled Tasks will include a path to a unknown binary and those endpoints should be isolated until triaged. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Limited to no known false positives. -action.escu.creation_date = 2021-03-01 -action.escu.modification_date = 2021-03-01 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Ryuk Wake on LAN Command - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Ryuk Ransomware"] -action.risk = 1 -action.risk.param._risk_message = A process $process_name$ with wake on LAN commandline $process$ in host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 63}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Ryuk Wake on LAN Command - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ryuk Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "538d0152-7aaa-11eb-beaa-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This Splunk query identifies the use of Wake-on-LAN utilized by Ryuk ransomware. The Ryuk Ransomware uses the Wake-on-Lan feature to turn on powered off devices on a compromised network to have greater success encrypting them. This is a high fidelity indicator of Ryuk ransomware executing on an endpoint. Upon triage, isolate the endpoint. Additional file modification events will be within the users profile (\appdata\roaming) and in public directories (users\public\). Review all Scheduled Tasks on the isolated endpoint and across the fleet. Suspicious Scheduled Tasks will include a path to a unknown binary and those endpoints should be isolated until triaged. -action.notable.param.rule_title = Ryuk Wake on LAN Command -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process="*8 LAN*" OR Processes.process="*9 REP*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `ryuk_wake_on_lan_command_filter` - -[ESCU - SAM Database File Access Attempt - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies access to SAM, SYSTEM or SECURITY databases' within the file path of `windows\system32\config` using Windows Security EventCode 4663. This particular behavior is related to credential access, an attempt to either use a Shadow Copy or recent CVE-2021-36934 to access the SAM database. The Security Account Manager (SAM) is a database file in Windows XP, Windows Vista, Windows 7, 8.1 and 10 that stores users' passwords. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies access to SAM, SYSTEM or SECURITY databases' within the file path of `windows\system32\config` using Windows Security EventCode 4663. This particular behavior is related to credential access, an attempt to either use a Shadow Copy or recent CVE-2021-36934 to access the SAM database. The Security Account Manager (SAM) is a database file in Windows XP, Windows Vista, Windows 7, 8.1 and 10 that stores users' passwords. -action.escu.how_to_implement = To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." -action.escu.known_false_positives = Natively, `dllhost.exe` will access the files. Every environment will have additional native processes that do as well. Filter by process_name. As an aside, one can remove process_name entirely and add `Object_Name=*ShadowCopy*`. -action.escu.creation_date = 2024-04-26 -action.escu.modification_date = 2024-04-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - SAM Database File Access Attempt - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Credential Dumping", "Graceful Wipe Out Attack", "Rhysida Ransomware"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - SAM Database File Access Attempt - Rule -action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping", "Graceful Wipe Out Attack", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2021-36934"], "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "57551656-ebdb-11eb-afdf-acde48001122", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` (EventCode=4663) ProcessName!=*\\dllhost.exe ObjectName IN ("*\\Windows\\System32\\config\\SAM*","*\\Windows\\System32\\config\\SYSTEM*","*\\Windows\\System32\\config\\SECURITY*") | stats values(AccessList) count by ProcessName ObjectName dest src_user | rename ProcessName as process_name | `sam_database_file_access_attempt_filter` - -[ESCU - Samsam Test File Write - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the creation of a file named "test.txt" within the Windows system directory, indicative of Samsam ransomware propagation. It leverages file-system activity data from the Endpoint data model, specifically monitoring file paths within the Windows System32 directory. This activity is significant as it aligns with known Samsam ransomware behavior, which uses such files for propagation and execution. If confirmed malicious, this could lead to ransomware deployment, resulting in data encryption, system disruption, and potential data loss. Immediate investigation and remediation are crucial to prevent further damage. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1486"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the creation of a file named "test.txt" within the Windows system directory, indicative of Samsam ransomware propagation. It leverages file-system activity data from the Endpoint data model, specifically monitoring file paths within the Windows System32 directory. This activity is significant as it aligns with known Samsam ransomware behavior, which uses such files for propagation and execution. If confirmed malicious, this could lead to ransomware deployment, resulting in data encryption, system disruption, and potential data loss. Immediate investigation and remediation are crucial to prevent further damage. -action.escu.how_to_implement = You must be ingesting data that records the file-system activity from your hosts to populate the Endpoint file-system data-model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data. -action.escu.known_false_positives = No false positives have been identified. -action.escu.creation_date = 2024-05-14 -action.escu.modification_date = 2024-05-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Samsam Test File Write - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["SamSam Ransomware"] -action.risk = 1 -action.risk.param._risk_message = A samsam ransomware test file creation in $file_path$ in host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 12}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 12}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Samsam Test File Write - Rule -action.correlationsearch.annotations = {"analytic_story": ["SamSam Ransomware"], "cis20": ["CIS 10"], "confidence": 20, "impact": 60, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1486"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "493a879d-519d-428f-8f57-a06a0fdc107e", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the creation of a file named "test.txt" within the Windows system directory, indicative of Samsam ransomware propagation. It leverages file-system activity data from the Endpoint data model, specifically monitoring file paths within the Windows System32 directory. This activity is significant as it aligns with known Samsam ransomware behavior, which uses such files for propagation and execution. If confirmed malicious, this could lead to ransomware deployment, resulting in data encryption, system disruption, and potential data loss. Immediate investigation and remediation are crucial to prevent further damage. -action.notable.param.rule_title = Samsam Test File Write -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_name) as file_name from datamodel=Endpoint.Filesystem where Filesystem.file_path=*\\windows\\system32\\test.txt by Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `samsam_test_file_write_filter` - -[ESCU - Sc exe Manipulating Windows Services - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the creation or modification of Windows services using the sc.exe command. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because manipulating Windows services can be a method for attackers to establish persistence, escalate privileges, or execute arbitrary code. If confirmed malicious, this behavior could allow an attacker to maintain long-term access, disrupt services, or gain control over critical system functions, posing a severe threat to the environment. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1543.003", "T1543"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the creation or modification of Windows services using the sc.exe command. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because manipulating Windows services can be a method for attackers to establish persistence, escalate privileges, or execute arbitrary code. If confirmed malicious, this behavior could allow an attacker to maintain long-term access, disrupt services, or gain control over critical system functions, posing a severe threat to the environment. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Using sc.exe to manipulate Windows services is uncommon. However, there may be legitimate instances of this behavior. It is important to validate and investigate as appropriate. -action.escu.creation_date = 2024-05-20 -action.escu.modification_date = 2024-05-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Sc exe Manipulating Windows Services - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Azorult", "DHS Report TA18-074A", "Disabling Security Tools", "NOBELIUM Group", "Orangeworm Attack Group", "Windows Drivers", "Windows Persistence Techniques", "Windows Service Abuse"] -action.risk = 1 -action.risk.param._risk_message = A sc process $process_name$ with commandline $process$ to create of configure services in host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 56}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Sc exe Manipulating Windows Services - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azorult", "DHS Report TA18-074A", "Disabling Security Tools", "NOBELIUM Group", "Orangeworm Attack Group", "Windows Drivers", "Windows Persistence Techniques", "Windows Service Abuse"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1543.003", "T1543"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "f0c693d8-2a89-4ce7-80b4-98fea4c3ea6d", "detection_version": "5"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the creation or modification of Windows services using the sc.exe command. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because manipulating Windows services can be a method for attackers to establish persistence, escalate privileges, or execute arbitrary code. If confirmed malicious, this behavior could allow an attacker to maintain long-term access, disrupt services, or gain control over critical system functions, posing a severe threat to the environment. -action.notable.param.rule_title = Sc exe Manipulating Windows Services -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = sc.exe (Processes.process="* create *" OR Processes.process="* config *") by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `sc_exe_manipulating_windows_services_filter` - -[ESCU - SchCache Change By App Connect And Create ADSI Object - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is to detect an application try to connect and create ADSI Object to do LDAP query. Every time an application connects to the directory and attempts to create an ADSI object, the Active Directory Schema is checked for changes. If it has changed since the last connection, the schema is downloaded and stored in a cache on the local computer either in %LOCALAPPDATA%\Microsoft\Windows\SchCache or %systemroot%\SchCache. We found this a good anomaly use case to detect suspicious application like blackmatter ransomware that use ADS object api to execute ldap query. having a good list of ldap or normal AD query tool used within the network is a good start to reduce the noise. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic is to detect an application try to connect and create ADSI Object to do LDAP query. Every time an application connects to the directory and attempts to create an ADSI object, the Active Directory Schema is checked for changes. If it has changed since the last connection, the schema is downloaded and stored in a cache on the local computer either in %LOCALAPPDATA%\Microsoft\Windows\SchCache or %systemroot%\SchCache. We found this a good anomaly use case to detect suspicious application like blackmatter ransomware that use ADS object api to execute ldap query. having a good list of ldap or normal AD query tool used within the network is a good start to reduce the noise. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -action.escu.known_false_positives = normal application like mmc.exe and other ldap query tool may trigger this detections. -action.escu.creation_date = 2021-09-07 -action.escu.modification_date = 2021-09-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - SchCache Change By App Connect And Create ADSI Object - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["BlackMatter Ransomware"] -action.risk = 1 -action.risk.param._risk_message = process $Image$ create a file $TargetFilename$ in host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - SchCache Change By App Connect And Create ADSI Object - Rule -action.correlationsearch.annotations = {"analytic_story": ["BlackMatter Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "991eb510-0fc6-11ec-82d3-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=11 TargetFilename = "*\\Windows\\SchCache\\*" TargetFilename = "*.sch*" NOT (Image IN ("*\\Windows\\system32\\mmc.exe")) |stats count min(_time) as firstTime max(_time) as lastTime by Image TargetFilename EventCode process_id process_name dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `schcache_change_by_app_connect_and_create_adsi_object_filter` - -[ESCU - Schedule Task with HTTP Command Arguments - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the registration of suspicious tasks on Windows using the Windows Security EventCode 4698, "A scheduled task was created." It specifically looks for tasks registered through schtasks.exe or TaskService that have command arguments containing the string "HTTP." This behavior is often associated with malware or attacks that utilize Living off the Land binaries (lolbins) to download additional files or payloads to the compromised machine. \ -The search returns information about the task, such as the task name, command, author, enabled status, hidden status, and arguments. Upon triage, it is important to identify the source of the scheduled task, whether it was registered through schtasks.exe or TaskService. Review the details of the created task and the command to be executed. Capture relevant artifacts on disk and examine them. Additionally, identify any parallel processes occurring within the same timeframe to determine the source of the attack. \ -Implementing this analytic requires ingesting logs with information about task schedules, specifically Windows Security Log EventCode 4698, from your endpoints. It is recommended to tune and filter known instances of task schedules used in your environment to minimize false positives. \ -Detecting the registration of suspicious tasks with HTTP command arguments is valuable for a SOC as it indicates potential malicious activity or an attempt to establish persistence on the system. If a true positive is found, further investigation is warranted to analyze the nature and purpose of the scheduled task, identify any downloaded files or payloads, and mitigate the associated risks. The impact of a true positive can vary but may include data exfiltration, malware propagation, or unauthorized access to sensitive information. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects the registration of suspicious tasks on Windows using the Windows Security EventCode 4698, "A scheduled task was created." It specifically looks for tasks registered through schtasks.exe or TaskService that have command arguments containing the string "HTTP." This behavior is often associated with malware or attacks that utilize Living off the Land binaries (lolbins) to download additional files or payloads to the compromised machine. \ -The search returns information about the task, such as the task name, command, author, enabled status, hidden status, and arguments. Upon triage, it is important to identify the source of the scheduled task, whether it was registered through schtasks.exe or TaskService. Review the details of the created task and the command to be executed. Capture relevant artifacts on disk and examine them. Additionally, identify any parallel processes occurring within the same timeframe to determine the source of the attack. \ -Implementing this analytic requires ingesting logs with information about task schedules, specifically Windows Security Log EventCode 4698, from your endpoints. It is recommended to tune and filter known instances of task schedules used in your environment to minimize false positives. \ -Detecting the registration of suspicious tasks with HTTP command arguments is valuable for a SOC as it indicates potential malicious activity or an attempt to establish persistence on the system. If a true positive is found, further investigation is warranted to analyze the nature and purpose of the scheduled task, identify any downloaded files or payloads, and mitigate the associated risks. The impact of a true positive can vary but may include data exfiltration, malware propagation, or unauthorized access to sensitive information. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the task schedule (Exa. Security Log EventCode 4698) endpoints. Tune and filter known instances of Task schedule used in your environment. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-04-05 -action.escu.modification_date = 2023-04-05 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Schedule Task with HTTP Command Arguments - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Living Off The Land", "Scheduled Tasks", "Windows Persistence Techniques", "Winter Vivern"] -action.risk = 1 -action.risk.param._risk_message = A schedule task process commandline arguments $Arguments$ with http string on it in host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Schedule Task with HTTP Command Arguments - Rule -action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land", "Scheduled Tasks", "Windows Persistence Techniques", "Winter Vivern"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "523c2684-a101-11eb-916b-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the registration of suspicious tasks on Windows using the Windows Security EventCode 4698, "A scheduled task was created." It specifically looks for tasks registered through schtasks.exe or TaskService that have command arguments containing the string "HTTP." This behavior is often associated with malware or attacks that utilize Living off the Land binaries (lolbins) to download additional files or payloads to the compromised machine. \ -The search returns information about the task, such as the task name, command, author, enabled status, hidden status, and arguments. Upon triage, it is important to identify the source of the scheduled task, whether it was registered through schtasks.exe or TaskService. Review the details of the created task and the command to be executed. Capture relevant artifacts on disk and examine them. Additionally, identify any parallel processes occurring within the same timeframe to determine the source of the attack. \ -Implementing this analytic requires ingesting logs with information about task schedules, specifically Windows Security Log EventCode 4698, from your endpoints. It is recommended to tune and filter known instances of task schedules used in your environment to minimize false positives. \ -Detecting the registration of suspicious tasks with HTTP command arguments is valuable for a SOC as it indicates potential malicious activity or an attempt to establish persistence on the system. If a true positive is found, further investigation is warranted to analyze the nature and purpose of the scheduled task, identify any downloaded files or payloads, and mitigate the associated risks. The impact of a true positive can vary but may include data exfiltration, malware propagation, or unauthorized access to sensitive information. -action.notable.param.rule_title = Schedule Task with HTTP Command Arguments -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4698 | xmlkv Message| search Arguments IN ("*http*") | stats count min(_time) as firstTime max(_time) as lastTime by dest, Task_Name, Command, Author, Enabled, Hidden, Arguments | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `schedule_task_with_http_command_arguments_filter` - -[ESCU - Schedule Task with Rundll32 Command Trigger - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the creation of suspicious tasks in Windows, specifically tasks using the rundll32 command. It's implemented using Windows Security EventCode 4698 for A scheduled task was created, and looks for tasks executed either via schtasks.exe or TaskService. This behavior is worth identifying as it is commonly used by malware, such as TrickBot, that leverages rundll32 to execute its downloader. \ -If a true positive is found, it suggests an attacker is trying to persist within the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. \ -To implement this analytic, ensure you are ingesting logs with task schedule information from your endpoints. Be aware of potential false positives - legitimate uses of Task Scheduler in your environment may cause benign activities to be flagged. \ -Upon triage, review the scheduled task's source and the command to be executed. Capture and inspect any relevant on-disk artifacts, and look for concurrent processes to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects the creation of suspicious tasks in Windows, specifically tasks using the rundll32 command. It's implemented using Windows Security EventCode 4698 for A scheduled task was created, and looks for tasks executed either via schtasks.exe or TaskService. This behavior is worth identifying as it is commonly used by malware, such as TrickBot, that leverages rundll32 to execute its downloader. \ -If a true positive is found, it suggests an attacker is trying to persist within the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. \ -To implement this analytic, ensure you are ingesting logs with task schedule information from your endpoints. Be aware of potential false positives - legitimate uses of Task Scheduler in your environment may cause benign activities to be flagged. \ -Upon triage, review the scheduled task's source and the command to be executed. Capture and inspect any relevant on-disk artifacts, and look for concurrent processes to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the task schedule (Exa. Security Log EventCode 4698) endpoints. Tune and filter known instances of Task schedule used in your environment. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2021-04-19 -action.escu.modification_date = 2021-04-19 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Schedule Task with Rundll32 Command Trigger - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["IcedID", "Living Off The Land", "Scheduled Tasks", "Trickbot", "Windows Persistence Techniques"] -action.risk = 1 -action.risk.param._risk_message = A schedule task process commandline rundll32 arguments $Arguments$ in host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 70}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Schedule Task with Rundll32 Command Trigger - Rule -action.correlationsearch.annotations = {"analytic_story": ["IcedID", "Living Off The Land", "Scheduled Tasks", "Trickbot", "Windows Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "75b00fd8-a0ff-11eb-8b31-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the creation of suspicious tasks in Windows, specifically tasks using the rundll32 command. It's implemented using Windows Security EventCode 4698 for A scheduled task was created, and looks for tasks executed either via schtasks.exe or TaskService. This behavior is worth identifying as it is commonly used by malware, such as TrickBot, that leverages rundll32 to execute its downloader. \ -If a true positive is found, it suggests an attacker is trying to persist within the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. \ -To implement this analytic, ensure you are ingesting logs with task schedule information from your endpoints. Be aware of potential false positives - legitimate uses of Task Scheduler in your environment may cause benign activities to be flagged. \ -Upon triage, review the scheduled task's source and the command to be executed. Capture and inspect any relevant on-disk artifacts, and look for concurrent processes to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks. -action.notable.param.rule_title = Schedule Task with Rundll32 Command Trigger -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4698 | xmlkv Message | search Command IN ("*rundll32*") | stats count min(_time) as firstTime max(_time) as lastTime by dest, Task_Name, Command, Author, Enabled, Hidden, Arguments | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `schedule_task_with_rundll32_command_trigger_filter` - -[ESCU - Scheduled Task Creation on Remote Endpoint using At - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the creation of suspicious tasks on a remote Windows endpoint using the at.exe command with command-line arguments. This technique is commonly used by red teams and adversaries for lateral movement and remote code execution. The at.exe binary leverages the deprecated AT protocol, which may still work on previous versions of Windows. Attackers can enable this protocol on demand by modifying a system registry key. It is important to consider potential false positives. While administrators may create scheduled tasks on remote systems, this activity is typically limited to a small set of hosts or users. \ -Identifying the creation of scheduled tasks on remote endpoints is crucial for a Security Operations Center (SOC) because it indicates potential unauthorized activity or an attacker attempting to establish persistence or execute malicious code. The impact of a true positive can be significant, leading to unauthorized access, data theft, or other damaging outcomes. During triage, investigate the source and purpose of the scheduled task, inspect relevant on-disk artifacts, and analyze concurrent processes to identify the extent of the attack and take appropriate response actions. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053", "T1053.002"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the creation of suspicious tasks on a remote Windows endpoint using the at.exe command with command-line arguments. This technique is commonly used by red teams and adversaries for lateral movement and remote code execution. The at.exe binary leverages the deprecated AT protocol, which may still work on previous versions of Windows. Attackers can enable this protocol on demand by modifying a system registry key. It is important to consider potential false positives. While administrators may create scheduled tasks on remote systems, this activity is typically limited to a small set of hosts or users. \ -Identifying the creation of scheduled tasks on remote endpoints is crucial for a Security Operations Center (SOC) because it indicates potential unauthorized activity or an attacker attempting to establish persistence or execute malicious code. The impact of a true positive can be significant, leading to unauthorized access, data theft, or other damaging outcomes. During triage, investigate the source and purpose of the scheduled task, inspect relevant on-disk artifacts, and analyze concurrent processes to identify the extent of the attack and take appropriate response actions. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators may create scheduled tasks on remote systems, but this activity is usually limited to a small set of hosts or users. -action.escu.creation_date = 2021-11-11 -action.escu.modification_date = 2021-11-11 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Scheduled Task Creation on Remote Endpoint using At - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Lateral Movement", "Living Off The Land", "Scheduled Tasks"] -action.risk = 1 -action.risk.param._risk_message = A Windows Scheduled Task was created on a remote endpoint from $dest -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 54}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Scheduled Task Creation on Remote Endpoint using At - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "Living Off The Land", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053", "T1053.002"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "4be54858-432f-11ec-8209-3e22fbd008af", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the creation of suspicious tasks on a remote Windows endpoint using the at.exe command with command-line arguments. This technique is commonly used by red teams and adversaries for lateral movement and remote code execution. The at.exe binary leverages the deprecated AT protocol, which may still work on previous versions of Windows. Attackers can enable this protocol on demand by modifying a system registry key. It is important to consider potential false positives. While administrators may create scheduled tasks on remote systems, this activity is typically limited to a small set of hosts or users. \ -Identifying the creation of scheduled tasks on remote endpoints is crucial for a Security Operations Center (SOC) because it indicates potential unauthorized activity or an attacker attempting to establish persistence or execute malicious code. The impact of a true positive can be significant, leading to unauthorized access, data theft, or other damaging outcomes. During triage, investigate the source and purpose of the scheduled task, inspect relevant on-disk artifacts, and analyze concurrent processes to identify the extent of the attack and take appropriate response actions. -action.notable.param.rule_title = Scheduled Task Creation on Remote Endpoint using At -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=at.exe OR Processes.original_file_name=at.exe) (Processes.process=*\\\\*) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `scheduled_task_creation_on_remote_endpoint_using_at_filter` - -[ESCU - Scheduled Task Deleted Or Created via CMD - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic focuses on identifying the creation or deletion of scheduled tasks using the schtasks.exe utility with the corresponding command-line flags (-create or -delete). This technique has been notably associated with threat actors like Dragonfly and the SUNBURST attack against SolarWinds. The purpose of this analytic is to detect suspicious activity related to scheduled tasks that could indicate malicious intent or unauthorized system manipulation. By monitoring for these specific command-line flags, we can enhance our ability to identify potential threats and prevent attacks similar to the use of scheduled tasks in the BadRabbit Ransomware incident. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic focuses on identifying the creation or deletion of scheduled tasks using the schtasks.exe utility with the corresponding command-line flags (-create or -delete). This technique has been notably associated with threat actors like Dragonfly and the SUNBURST attack against SolarWinds. The purpose of this analytic is to detect suspicious activity related to scheduled tasks that could indicate malicious intent or unauthorized system manipulation. By monitoring for these specific command-line flags, we can enhance our ability to identify potential threats and prevent attacks similar to the use of scheduled tasks in the BadRabbit Ransomware incident. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = While it is possible for legitimate scripts or administrators to trigger this behavior, filtering can be applied based on the parent process and application to reduce false positives. Analysts should reference the provided references to understand the context and threat landscape associated with this activity. -action.escu.creation_date = 2023-12-27 -action.escu.modification_date = 2023-12-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Scheduled Task Deleted Or Created via CMD - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["AgentTesla", "Amadey", "AsyncRAT", "Azorult", "CISA AA22-257A", "CISA AA23-347A", "DHS Report TA18-074A", "DarkCrystal RAT", "Living Off The Land", "NOBELIUM Group", "NjRAT", "Phemedrone Stealer", "Prestige Ransomware", "Qakbot", "RedLine Stealer", "Rhysida Ransomware", "Sandworm Tools", "Scheduled Tasks", "Trickbot", "Windows Persistence Techniques", "Winter Vivern"] -action.risk = 1 -action.risk.param._risk_message = A schedule task process $process_name$ with create or delete commandline $process$ in host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 56}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Scheduled Task Deleted Or Created via CMD - Rule -action.correlationsearch.annotations = {"analytic_story": ["AgentTesla", "Amadey", "AsyncRAT", "Azorult", "CISA AA22-257A", "CISA AA23-347A", "DHS Report TA18-074A", "DarkCrystal RAT", "Living Off The Land", "NOBELIUM Group", "NjRAT", "Phemedrone Stealer", "Prestige Ransomware", "Qakbot", "RedLine Stealer", "Rhysida Ransomware", "Sandworm Tools", "Scheduled Tasks", "Trickbot", "Windows Persistence Techniques", "Winter Vivern"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "d5af132c-7c17-439c-9d31-13d55340f36c", "detection_version": "6"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic focuses on identifying the creation or deletion of scheduled tasks using the schtasks.exe utility with the corresponding command-line flags (-create or -delete). This technique has been notably associated with threat actors like Dragonfly and the SUNBURST attack against SolarWinds. The purpose of this analytic is to detect suspicious activity related to scheduled tasks that could indicate malicious intent or unauthorized system manipulation. By monitoring for these specific command-line flags, we can enhance our ability to identify potential threats and prevent attacks similar to the use of scheduled tasks in the BadRabbit Ransomware incident. -action.notable.param.rule_title = Scheduled Task Deleted Or Created via CMD -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe (Processes.process=*delete* OR Processes.process=*create*) by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `scheduled_task_deleted_or_created_via_cmd_filter` - -[ESCU - Scheduled Task Initiation on Remote Endpoint - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects instances of 'schtasks.exe' being used to start a Scheduled Task on a remote endpoint. Adversaries often abuse the Task Scheduler for lateral movement and remote code execution. The search parameters include process details such as the process name, parent process, and command-line executions. Although legitimate administrators may start scheduled tasks on remote systems, this activity is usually limited to a small set of hosts or users. The findings from this analytic provide valuable insight into potentially malicious activities on an endpoint. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053", "T1053.005"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects instances of 'schtasks.exe' being used to start a Scheduled Task on a remote endpoint. Adversaries often abuse the Task Scheduler for lateral movement and remote code execution. The search parameters include process details such as the process name, parent process, and command-line executions. Although legitimate administrators may start scheduled tasks on remote systems, this activity is usually limited to a small set of hosts or users. The findings from this analytic provide valuable insight into potentially malicious activities on an endpoint. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators may start scheduled tasks on remote systems, but this activity is usually limited to a small set of hosts or users. -action.escu.creation_date = 2021-11-11 -action.escu.modification_date = 2021-11-11 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Scheduled Task Initiation on Remote Endpoint - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Lateral Movement", "Living Off The Land", "Scheduled Tasks"] -action.risk = 1 -action.risk.param._risk_message = A Windows Scheduled Task was ran on a remote endpoint from $dest -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 54}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Scheduled Task Initiation on Remote Endpoint - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "Living Off The Land", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053", "T1053.005"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "95cf4608-4302-11ec-8194-3e22fbd008af", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects instances of 'schtasks.exe' being used to start a Scheduled Task on a remote endpoint. Adversaries often abuse the Task Scheduler for lateral movement and remote code execution. The search parameters include process details such as the process name, parent process, and command-line executions. Although legitimate administrators may start scheduled tasks on remote systems, this activity is usually limited to a small set of hosts or users. The findings from this analytic provide valuable insight into potentially malicious activities on an endpoint. -action.notable.param.rule_title = Scheduled Task Initiation on Remote Endpoint -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=schtasks.exe OR Processes.original_file_name=schtasks.exe) (Processes.process=*/s* AND Processes.process=*/run*) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `scheduled_task_initiation_on_remote_endpoint_filter` - -[ESCU - Schtasks Run Task On Demand - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic is designed to detect when a Windows Scheduled Task is executed on demand via shell or command line. Adversaries often force the execution of their created Scheduled Tasks for persistent access or lateral movement within a compromised machine. This analytic is driven by process-related data, specifically process name, parent process, and command-line executions, sourced from endpoint logs. The search criteria focus on 'schtasks.exe' with an associated 'run' command. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic is designed to detect when a Windows Scheduled Task is executed on demand via shell or command line. Adversaries often force the execution of their created Scheduled Tasks for persistent access or lateral movement within a compromised machine. This analytic is driven by process-related data, specifically process name, parent process, and command-line executions, sourced from endpoint logs. The search criteria focus on 'schtasks.exe' with an associated 'run' command. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Bear in mind, administrators debugging Scheduled Task entries may trigger this analytic, necessitating fine-tuning and filtering to distinguish between legitimate and potentially malicious use of 'schtasks.exe'. -action.escu.creation_date = 2023-04-14 -action.escu.modification_date = 2023-04-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Schtasks Run Task On Demand - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["CISA AA22-257A", "Data Destruction", "Industroyer2", "Qakbot", "Scheduled Tasks", "XMRig"] -action.risk = 1 -action.risk.param._risk_message = A "on demand" execution of schedule task process $process_name$ using commandline $process$ in host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 48}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 48}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Schtasks Run Task On Demand - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA22-257A", "Data Destruction", "Industroyer2", "Qakbot", "Scheduled Tasks", "XMRig"], "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "bb37061e-af1f-11eb-a159-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic is designed to detect when a Windows Scheduled Task is executed on demand via shell or command line. Adversaries often force the execution of their created Scheduled Tasks for persistent access or lateral movement within a compromised machine. This analytic is driven by process-related data, specifically process name, parent process, and command-line executions, sourced from endpoint logs. The search criteria focus on 'schtasks.exe' with an associated 'run' command. -action.notable.param.rule_title = Schtasks Run Task On Demand -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "schtasks.exe" Processes.process = "*/run*" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `schtasks_run_task_on_demand_filter` - -[ESCU - Schtasks scheduling job on remote system - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic is designed to detect suspicious command-line arguments executed through 'schtasks.exe' to create a scheduled task on a remote endpoint. The analytic scans process data, checking for instances where 'schtasks.exe' has been used with specific command-line flags that suggest an attempt at lateral movement or remote code execution, common techniques employed by adversaries and red teams. Key data points include the process name, the specific command line used, the parent process name, the target destination, and the user involved. Also, timestamp data gives context to when these activities occurred. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic is designed to detect suspicious command-line arguments executed through 'schtasks.exe' to create a scheduled task on a remote endpoint. The analytic scans process data, checking for instances where 'schtasks.exe' has been used with specific command-line flags that suggest an attempt at lateral movement or remote code execution, common techniques employed by adversaries and red teams. Key data points include the process name, the specific command line used, the parent process name, the target destination, and the user involved. Also, timestamp data gives context to when these activities occurred. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = While it is possible to have false positives, due to legitimate administrative tasks, these are usually limited and should still be validated and investigated as appropriate. -action.escu.creation_date = 2022-05-23 -action.escu.modification_date = 2022-05-23 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Schtasks scheduling job on remote system - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Lateral Movement", "Living Off The Land", "NOBELIUM Group", "Phemedrone Stealer", "Prestige Ransomware", "RedLine Stealer", "Scheduled Tasks"] -action.risk = 1 -action.risk.param._risk_message = A schedule task process $process_name$ with remote job command-line $process$ in host $dest$ by $user$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 63}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 63}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Schtasks scheduling job on remote system - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "Living Off The Land", "NOBELIUM Group", "Phemedrone Stealer", "Prestige Ransomware", "RedLine Stealer", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "1297fb80-f42a-4b4a-9c8a-88c066237cf6", "detection_version": "6"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic is designed to detect suspicious command-line arguments executed through 'schtasks.exe' to create a scheduled task on a remote endpoint. The analytic scans process data, checking for instances where 'schtasks.exe' has been used with specific command-line flags that suggest an attempt at lateral movement or remote code execution, common techniques employed by adversaries and red teams. Key data points include the process name, the specific command line used, the parent process name, the target destination, and the user involved. Also, timestamp data gives context to when these activities occurred. -action.notable.param.rule_title = Schtasks scheduling job on remote system -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = schtasks.exe OR Processes.original_file_name=schtasks.exe) (Processes.process="*/create*" AND Processes.process="*/s*") by Processes.process_name Processes.process Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `schtasks_scheduling_job_on_remote_system_filter` - -[ESCU - Schtasks used for forcing a reboot - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic utilizes a Splunk query to pinpoint potential threats by monitoring the 'schtasks.exe' command-line usage. This particular command, especially when used in tandem with 'shutdown' and '/create' flags, can suggest an adversarial force intending to schedule unwarranted system reboots. The query focuses on endpoint process data and retrieves details such as the process name, the parent process name, the destination, and the user involved. Essential to the investigation are the earliest and latest timestamps of these events, providing an activity timeline. Data such as the targeted host and initiating user offer valuable context for analyst. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic utilizes a Splunk query to pinpoint potential threats by monitoring the 'schtasks.exe' command-line usage. This particular command, especially when used in tandem with 'shutdown' and '/create' flags, can suggest an adversarial force intending to schedule unwarranted system reboots. The query focuses on endpoint process data and retrieves details such as the process name, the parent process name, the destination, and the user involved. Essential to the investigation are the earliest and latest timestamps of these events, providing an activity timeline. Data such as the targeted host and initiating user offer valuable context for analyst. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = This analytic may also capture legitimate administrative activities such as system updates or maintenance tasks, which can be classified as false positives. Filter as needed. -action.escu.creation_date = 2020-12-07 -action.escu.modification_date = 2020-12-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Schtasks used for forcing a reboot - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Ransomware", "Scheduled Tasks", "Windows Persistence Techniques"] -action.risk = 1 -action.risk.param._risk_message = A schedule task process $process_name$ with force reboot commandline $process$ in host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 56}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Schtasks used for forcing a reboot - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Scheduled Tasks", "Windows Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "1297fb80-f42a-4b4a-9c8a-88c066437cf6", "detection_version": "4"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic utilizes a Splunk query to pinpoint potential threats by monitoring the 'schtasks.exe' command-line usage. This particular command, especially when used in tandem with 'shutdown' and '/create' flags, can suggest an adversarial force intending to schedule unwarranted system reboots. The query focuses on endpoint process data and retrieves details such as the process name, the parent process name, the destination, and the user involved. Essential to the investigation are the earliest and latest timestamps of these events, providing an activity timeline. Data such as the targeted host and initiating user offer valuable context for analyst. -action.notable.param.rule_title = Schtasks used for forcing a reboot -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe Processes.process="*shutdown*" Processes.process="*/create *" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `schtasks_used_for_forcing_a_reboot_filter` - -[ESCU - Screensaver Event Trigger Execution - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is developed to detect possible event trigger execution through screensaver registry entry modification for persistence or privilege escalation. This technique was seen in several APT and malware where they put the malicious payload path to the SCRNSAVE.EXE registry key to redirect the execution to their malicious payload path. This TTP is a good indicator that some attacker may modify this entry for their persistence and privilege escalation. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1546", "T1546.002"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is developed to detect possible event trigger execution through screensaver registry entry modification for persistence or privilege escalation. This technique was seen in several APT and malware where they put the malicious payload path to the SCRNSAVE.EXE registry key to redirect the execution to their malicious payload path. This TTP is a good indicator that some attacker may modify this entry for their persistence and privilege escalation. -action.escu.how_to_implement = To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-04-14 -action.escu.modification_date = 2023-04-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Screensaver Event Trigger Execution - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Data Destruction", "Hermetic Wiper", "Windows Persistence Techniques", "Windows Privilege Escalation", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = Registry path $registry_path$ was modified, added, or deleted in $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 72}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Screensaver Event Trigger Execution - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Persistence Techniques", "Windows Privilege Escalation", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1546", "T1546.002"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "58cea3ec-1f6d-11ec-8560-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic is developed to detect possible event trigger execution through screensaver registry entry modification for persistence or privilege escalation. This technique was seen in several APT and malware where they put the malicious payload path to the SCRNSAVE.EXE registry key to redirect the execution to their malicious payload path. This TTP is a good indicator that some attacker may modify this entry for their persistence and privilege escalation. -action.notable.param.rule_title = Screensaver Event Trigger Execution -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path="*\\Control Panel\\Desktop\\SCRNSAVE.EXE*") by Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `screensaver_event_trigger_execution_filter` - -[ESCU - Script Execution via WMI - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects any potential misuse of Windows Management Instrumentation (WMI) for malicious purposes since adversaries often use WMI to run scripts which allows them to carry out malicious activities without raising suspicion. The detection is made by monitoring the process 'scrcons.exe', which is essential to run WMI scripts. The detection is important because it proactively identifies and responds to potential threats that leverage WMI for malicious purposes that can lead to system compromise, data exfiltration, or the establishment of persistence within the environment. False positives might occur since administrators might occasionally use WMI to launch scripts for legitimate purposes. Therefore, you must distinguish between malicious and benign activities. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects any potential misuse of Windows Management Instrumentation (WMI) for malicious purposes since adversaries often use WMI to run scripts which allows them to carry out malicious activities without raising suspicion. The detection is made by monitoring the process 'scrcons.exe', which is essential to run WMI scripts. The detection is important because it proactively identifies and responds to potential threats that leverage WMI for malicious purposes that can lead to system compromise, data exfiltration, or the establishment of persistence within the environment. False positives might occur since administrators might occasionally use WMI to launch scripts for legitimate purposes. Therefore, you must distinguish between malicious and benign activities. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Although unlikely, administrators may use wmi to launch scripts for legitimate purposes. Filter as needed. -action.escu.creation_date = 2020-03-16 -action.escu.modification_date = 2020-03-16 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Script Execution via WMI - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Suspicious WMI Use"] -action.risk = 1 -action.risk.param._risk_message = A wmic.exe process $process_name$ that execute script in host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 36}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 36}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Script Execution via WMI - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious WMI Use"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "aa73f80d-d728-4077-b226-81ea0c8be589", "detection_version": "4"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects any potential misuse of Windows Management Instrumentation (WMI) for malicious purposes since adversaries often use WMI to run scripts which allows them to carry out malicious activities without raising suspicion. The detection is made by monitoring the process 'scrcons.exe', which is essential to run WMI scripts. The detection is important because it proactively identifies and responds to potential threats that leverage WMI for malicious purposes that can lead to system compromise, data exfiltration, or the establishment of persistence within the environment. False positives might occur since administrators might occasionally use WMI to launch scripts for legitimate purposes. Therefore, you must distinguish between malicious and benign activities. -action.notable.param.rule_title = Script Execution via WMI -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=scrcons.exe by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `script_execution_via_wmi_filter` - -[ESCU - Sdclt UAC Bypass - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search is to detect a suspicious sdclt.exe registry modification. This technique is commonly seen when attacker try to bypassed UAC by using sdclt.exe application by modifying some registry that sdclt.exe tries to open or query with payload file path on it to be executed. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search is to detect a suspicious sdclt.exe registry modification. This technique is commonly seen when attacker try to bypassed UAC by using sdclt.exe application by modifying some registry that sdclt.exe tries to open or query with payload file path on it to be executed. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Limited to no false positives are expected. -action.escu.creation_date = 2022-11-14 -action.escu.modification_date = 2022-11-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Sdclt UAC Bypass - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Windows Defense Evasion Tactics", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = Suspicious modification of registry $registry_path$ with possible payload path $registry_value_name$ in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Sdclt UAC Bypass - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "d71efbf6-da63-11eb-8c6e-acde48001122", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search is to detect a suspicious sdclt.exe registry modification. This technique is commonly seen when attacker try to bypassed UAC by using sdclt.exe application by modifying some registry that sdclt.exe tries to open or query with payload file path on it to be executed. -action.notable.param.rule_title = Sdclt UAC Bypass -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE ((Registry.registry_path= "*\\Windows\\CurrentVersion\\App Paths\\control.exe*" OR Registry.registry_path= "*\\exefile\\shell\\runas\\command\\*") (Registry.registry_value_name = "(Default)" OR Registry.registry_value_name = "IsolatedCommand")) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `sdclt_uac_bypass_filter` - -[ESCU - Sdelete Application Execution - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is to detect the execution of sdelete.exe application sysinternal tools. This tool is one of the most use tool of malware and adversaries to remove or clear their tracks and artifact in the targetted host. This tool is designed to delete securely a file in file system that remove the forensic evidence on the machine. A good TTP query to check why user execute this application which is not a common practice. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is to detect the execution of sdelete.exe application sysinternal tools. This tool is one of the most use tool of malware and adversaries to remove or clear their tracks and artifact in the targetted host. This tool is designed to delete securely a file in file system that remove the forensic evidence on the machine. A good TTP query to check why user execute this application which is not a common practice. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = user may execute and use this application -action.escu.creation_date = 2021-10-06 -action.escu.modification_date = 2021-10-06 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Sdelete Application Execution - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Masquerading - Rename System Utilities"] -action.risk = 1 -action.risk.param._risk_message = sdelete process $process_name$ executed in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Sdelete Application Execution - Rule -action.correlationsearch.annotations = {"analytic_story": ["Masquerading - Rename System Utilities"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "31702fc0-2682-11ec-85c3-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic is to detect the execution of sdelete.exe application sysinternal tools. This tool is one of the most use tool of malware and adversaries to remove or clear their tracks and artifact in the targetted host. This tool is designed to delete securely a file in file system that remove the forensic evidence on the machine. A good TTP query to check why user execute this application which is not a common practice. -action.notable.param.rule_title = Sdelete Application Execution -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_sdelete` by Processes.process_name Processes.original_file_name Processes.dest Processes.user Processes.parent_process_name Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `sdelete_application_execution_filter` - -[ESCU - SearchProtocolHost with no Command Line with Network - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies searchprotocolhost.exe with no command line arguments and with a network connection. It is unusual for searchprotocolhost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. searchprotocolhost.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint", "Network_Traffic"] -action.escu.eli5 = The following analytic identifies searchprotocolhost.exe with no command line arguments and with a network connection. It is unusual for searchprotocolhost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. searchprotocolhost.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Limited false positives may be present in small environments. Tuning may be required based on parent process. -action.escu.creation_date = 2023-07-10 -action.escu.modification_date = 2023-07-10 -action.escu.confidence = high -action.escu.full_search_name = ESCU - SearchProtocolHost with no Command Line with Network - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"] -action.risk = 1 -action.risk.param._risk_message = A searchprotocolhost.exe process $process_name$ with no commandline in host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 70}, {"threat_object_field": "process_name", "threat_object_type": "process"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - SearchProtocolHost with no Command Line with Network - Rule -action.correlationsearch.annotations = {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "b690df8c-a145-11eb-a38b-acde48001122", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies searchprotocolhost.exe with no command line arguments and with a network connection. It is unusual for searchprotocolhost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. searchprotocolhost.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. -action.notable.param.rule_title = SearchProtocolHost with no Command Line with Network -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=searchprotocolhost.exe by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process="(?i)(searchprotocolhost\.exe.{0,4}$)" | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as C2 ] | table _time dest parent_process_name process_name process_path process process_id dest_port C2 | `searchprotocolhost_with_no_command_line_with_network_filter` - -[ESCU - SecretDumps Offline NTDS Dumping Tool - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects a potential usage of secretsdump.py tool for dumping credentials (ntlm hash) from a copy of ntds.dit and SAM.Security,SYSTEM registrry hive. This technique was seen in some attacker that dump ntlm hashes offline after having a copy of ntds.dit and SAM/SYSTEM/SECURITY registry hive. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects a potential usage of secretsdump.py tool for dumping credentials (ntlm hash) from a copy of ntds.dit and SAM.Security,SYSTEM registrry hive. This technique was seen in some attacker that dump ntlm hashes offline after having a copy of ntds.dit and SAM/SYSTEM/SECURITY registry hive. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-06-13 -action.escu.modification_date = 2023-06-13 -action.escu.confidence = high -action.escu.full_search_name = ESCU - SecretDumps Offline NTDS Dumping Tool - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Credential Dumping", "Graceful Wipe Out Attack", "Rhysida Ransomware"] -action.risk = 1 -action.risk.param._risk_message = A secretdump process $process_name$ with secretdump commandline $process$ to dump credentials in host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - SecretDumps Offline NTDS Dumping Tool - Rule -action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping", "Graceful Wipe Out Attack", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "5672819c-be09-11eb-bbfb-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects a potential usage of secretsdump.py tool for dumping credentials (ntlm hash) from a copy of ntds.dit and SAM.Security,SYSTEM registrry hive. This technique was seen in some attacker that dump ntlm hashes offline after having a copy of ntds.dit and SAM/SYSTEM/SECURITY registry hive. -action.notable.param.rule_title = SecretDumps Offline NTDS Dumping Tool -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "python*.exe" Processes.process = "*.py*" Processes.process = "*-ntds*" (Processes.process = "*-system*" OR Processes.process = "*-sam*" OR Processes.process = "*-security*" OR Processes.process = "*-bootkey*") by Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `secretdumps_offline_ntds_dumping_tool_filter` - -[ESCU - ServicePrincipalNames Discovery with PowerShell - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies `powershell.exe` usage, using Script Block Logging EventCode 4104, related to querying the domain for Service Principle Names. typically, this is a precursor activity related to kerberoasting or the silver ticket attack. \ -What is a ServicePrincipleName? \ -A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account even if the client does not have the account name. \ -The following analytic identifies the use of KerberosRequestorSecurityToken class within the script block. Using .NET System.IdentityModel.Tokens.KerberosRequestorSecurityToken class in PowerShell is the equivelant of using setspn.exe. \ -During triage, review parallel processes for further suspicious activity. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558.003"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies `powershell.exe` usage, using Script Block Logging EventCode 4104, related to querying the domain for Service Principle Names. typically, this is a precursor activity related to kerberoasting or the silver ticket attack. \ -What is a ServicePrincipleName? \ -A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account even if the client does not have the account name. \ -The following analytic identifies the use of KerberosRequestorSecurityToken class within the script block. Using .NET System.IdentityModel.Tokens.KerberosRequestorSecurityToken class in PowerShell is the equivelant of using setspn.exe. \ -During triage, review parallel processes for further suspicious activity. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = False positives should be limited, however filter as needed. -action.escu.creation_date = 2022-02-26 -action.escu.modification_date = 2022-02-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - ServicePrincipalNames Discovery with PowerShell - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Discovery", "Active Directory Kerberos Attacks", "Active Directory Privilege Escalation", "Malicious PowerShell"] -action.risk = 1 -action.risk.param._risk_message = An instance of attempting to identify service principle detected on $dest$ names. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - ServicePrincipalNames Discovery with PowerShell - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "Active Directory Kerberos Attacks", "Active Directory Privilege Escalation", "Malicious PowerShell"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558.003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "13243068-2d38-11ec-8908-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies `powershell.exe` usage, using Script Block Logging EventCode 4104, related to querying the domain for Service Principle Names. typically, this is a precursor activity related to kerberoasting or the silver ticket attack. \ -What is a ServicePrincipleName? \ -A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account even if the client does not have the account name. \ -The following analytic identifies the use of KerberosRequestorSecurityToken class within the script block. Using .NET System.IdentityModel.Tokens.KerberosRequestorSecurityToken class in PowerShell is the equivelant of using setspn.exe. \ -During triage, review parallel processes for further suspicious activity. -action.notable.param.rule_title = ServicePrincipalNames Discovery with PowerShell -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText="*KerberosRequestorSecurityToken*" | stats count min(_time) as firstTime max(_time) as lastTime by ScriptBlockText Opcode Computer UserID EventCode | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `serviceprincipalnames_discovery_with_powershell_filter` - -[ESCU - ServicePrincipalNames Discovery with SetSPN - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies `setspn.exe` usage related to querying the domain for Service Principle Names. typically, this is a precursor activity related to kerberoasting or the silver ticket attack. \ -What is a ServicePrincipleName? \ -A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account even if the client does not have the account name. \ -Example usage includes the following \ -* setspn -T offense -Q */* 1. setspn -T attackrange.local -F -Q MSSQLSvc/* 1. setspn -Q */* > allspns.txt 1. setspn -q \ -Values \ -* -F = perform queries at the forest, rather than domain level 1. -T = perform query on the specified domain or forest (when -F is also used) 1. -Q = query for existence of SPN \ -During triage, review parallel processes for further suspicious activity. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558.003"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies `setspn.exe` usage related to querying the domain for Service Principle Names. typically, this is a precursor activity related to kerberoasting or the silver ticket attack. \ -What is a ServicePrincipleName? \ -A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account even if the client does not have the account name. \ -Example usage includes the following \ -* setspn -T offense -Q */* 1. setspn -T attackrange.local -F -Q MSSQLSvc/* 1. setspn -Q */* > allspns.txt 1. setspn -q \ -Values \ -* -F = perform queries at the forest, rather than domain level 1. -T = perform query on the specified domain or forest (when -F is also used) 1. -Q = query for existence of SPN \ -During triage, review parallel processes for further suspicious activity. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives may be caused by Administrators resetting SPNs or querying for SPNs. Filter as needed. -action.escu.creation_date = 2021-10-14 -action.escu.modification_date = 2021-10-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - ServicePrincipalNames Discovery with SetSPN - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Discovery", "Active Directory Kerberos Attacks", "Active Directory Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to identify service principle names. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - ServicePrincipalNames Discovery with SetSPN - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "Active Directory Kerberos Attacks", "Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558.003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "ae8b3efc-2d2e-11ec-8b57-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies `setspn.exe` usage related to querying the domain for Service Principle Names. typically, this is a precursor activity related to kerberoasting or the silver ticket attack. \ -What is a ServicePrincipleName? \ -A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account even if the client does not have the account name. \ -Example usage includes the following \ -* setspn -T offense -Q */* 1. setspn -T attackrange.local -F -Q MSSQLSvc/* 1. setspn -Q */* > allspns.txt 1. setspn -q \ -Values \ -* -F = perform queries at the forest, rather than domain level 1. -T = perform query on the specified domain or forest (when -F is also used) 1. -Q = query for existence of SPN \ -During triage, review parallel processes for further suspicious activity. -action.notable.param.rule_title = ServicePrincipalNames Discovery with SetSPN -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_setspn` (Processes.process="*-t*" AND Processes.process="*-f*") OR (Processes.process="*-q*" AND Processes.process="**/**") OR (Processes.process="*-q*") OR (Processes.process="*-s*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `serviceprincipalnames_discovery_with_setspn_filter` - -[ESCU - Services Escalate Exe - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the use of `svc-exe` with Cobalt Strike. The behavior typically follows after an adversary has already gained initial access and is escalating privileges. Using `svc-exe`, a randomly named binary will be downloaded from the remote Teamserver and placed on disk within `C:\Windows\400619a.exe`. Following, the binary will be added to the registry under key `HKLM\System\CurrentControlSet\Services\400619a\` with multiple keys and values added to look like a legitimate service. Upon loading, `services.exe` will spawn the randomly named binary from `\\127.0.0.1\ADMIN$\400619a.exe`. The process lineage is completed with `400619a.exe` spawning rundll32.exe, which is the default `spawnto_` value for Cobalt Strike. The `spawnto_` value is arbitrary and may be any process on disk (typically system32/syswow64 binary). The `spawnto_` process will also contain a network connection. During triage, review parallel procesess and identify any additional file modifications. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the use of `svc-exe` with Cobalt Strike. The behavior typically follows after an adversary has already gained initial access and is escalating privileges. Using `svc-exe`, a randomly named binary will be downloaded from the remote Teamserver and placed on disk within `C:\Windows\400619a.exe`. Following, the binary will be added to the registry under key `HKLM\System\CurrentControlSet\Services\400619a\` with multiple keys and values added to look like a legitimate service. Upon loading, `services.exe` will spawn the randomly named binary from `\\127.0.0.1\ADMIN$\400619a.exe`. The process lineage is completed with `400619a.exe` spawning rundll32.exe, which is the default `spawnto_` value for Cobalt Strike. The `spawnto_` value is arbitrary and may be any process on disk (typically system32/syswow64 binary). The `spawnto_` process will also contain a network connection. During triage, review parallel procesess and identify any additional file modifications. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives should be limited as `services.exe` should never spawn a process from `ADMIN$`. Filter as needed. -action.escu.creation_date = 2023-11-07 -action.escu.modification_date = 2023-11-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Services Escalate Exe - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["BlackByte Ransomware", "CISA AA23-347A", "Cobalt Strike", "Graceful Wipe Out Attack"] -action.risk = 1 -action.risk.param._risk_message = A service process $parent_process_name$ with process path $process_path$ in host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 76}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 76}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Services Escalate Exe - Rule -action.correlationsearch.annotations = {"analytic_story": ["BlackByte Ransomware", "CISA AA23-347A", "Cobalt Strike", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 95, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c448488c-b7ec-11eb-8253-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the use of `svc-exe` with Cobalt Strike. The behavior typically follows after an adversary has already gained initial access and is escalating privileges. Using `svc-exe`, a randomly named binary will be downloaded from the remote Teamserver and placed on disk within `C:\Windows\400619a.exe`. Following, the binary will be added to the registry under key `HKLM\System\CurrentControlSet\Services\400619a\` with multiple keys and values added to look like a legitimate service. Upon loading, `services.exe` will spawn the randomly named binary from `\\127.0.0.1\ADMIN$\400619a.exe`. The process lineage is completed with `400619a.exe` spawning rundll32.exe, which is the default `spawnto_` value for Cobalt Strike. The `spawnto_` value is arbitrary and may be any process on disk (typically system32/syswow64 binary). The `spawnto_` process will also contain a network connection. During triage, review parallel procesess and identify any additional file modifications. -action.notable.param.rule_title = Services Escalate Exe -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=services.exe Processes.process_path=*admin$* by Processes.process_path Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `services_escalate_exe_filter` - -[ESCU - Services LOLBAS Execution Process Spawn - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies `services.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Service Control Manager and creating a remote malicious service, the executed command is spawned as a child process of `services.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of services.exe that are part of the LOLBAS project can help defenders identify lateral movement activity. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1543", "T1543.003"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies `services.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Service Control Manager and creating a remote malicious service, the executed command is spawned as a child process of `services.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of services.exe that are part of the LOLBAS project can help defenders identify lateral movement activity. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Legitimate applications may trigger this behavior, filter as needed. -action.escu.creation_date = 2021-11-22 -action.escu.modification_date = 2021-11-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Services LOLBAS Execution Process Spawn - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Lateral Movement", "CISA AA23-347A", "Living Off The Land", "Qakbot"] -action.risk = 1 -action.risk.param._risk_message = Services.exe spawned a LOLBAS process on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 54}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Services LOLBAS Execution Process Spawn - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "CISA AA23-347A", "Living Off The Land", "Qakbot"], "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1543", "T1543.003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "ba9e1954-4c04-11ec-8b74-3e22fbd008af", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies `services.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Service Control Manager and creating a remote malicious service, the executed command is spawned as a child process of `services.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of services.exe that are part of the LOLBAS project can help defenders identify lateral movement activity. -action.notable.param.rule_title = Services LOLBAS Execution Process Spawn -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=services.exe) (Processes.process_name IN ("Regsvcs.exe", "Ftp.exe", "OfflineScannerShell.exe", "Rasautou.exe", "Schtasks.exe", "Xwizard.exe", "Dllhost.exe", "Pnputil.exe", "Atbroker.exe", "Pcwrun.exe", "Ttdinject.exe","Mshta.exe", "Bitsadmin.exe", "Certoc.exe", "Ieexec.exe", "Microsoft.Workflow.Compiler.exe", "Runscripthelper.exe", "Forfiles.exe", "Msbuild.exe", "Register-cimprovider.exe", "Tttracer.exe", "Ie4uinit.exe", "Bash.exe", "Hh.exe", "SettingSyncHost.exe", "Cmstp.exe", "Mmc.exe", "Stordiag.exe", "Scriptrunner.exe", "Odbcconf.exe", "Extexport.exe", "Msdt.exe", "WorkFolders.exe", "Diskshadow.exe", "Mavinject.exe", "Regasm.exe", "Gpscript.exe", "Rundll32.exe", "Regsvr32.exe", "Msiexec.exe", "Wuauclt.exe", "Presentationhost.exe", "Wmic.exe", "Runonce.exe", "Syncappvpublishingserver.exe", "Verclsid.exe", "Infdefaultinstall.exe", "Explorer.exe", "Installutil.exe", "Netsh.exe", "Wab.exe", "Dnscmd.exe", "At.exe", "Pcalua.exe", "Msconfig.exe")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `services_lolbas_execution_process_spawn_filter` - -[ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects changes to the PowerShell ExecutionPolicy in the registry to "Unrestricted" or "Bypass." It leverages data from Endpoint Detection and Response (EDR) agents, focusing on registry modifications under the path *Software\Microsoft\Powershell\1\ShellIds\Microsoft.PowerShell*. This activity is significant because setting the ExecutionPolicy to these values can allow the execution of potentially malicious scripts without restriction. If confirmed malicious, this could enable an attacker to execute arbitrary code, leading to further compromise of the system and potential escalation of privileges. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects changes to the PowerShell ExecutionPolicy in the registry to "Unrestricted" or "Bypass." It leverages data from Endpoint Detection and Response (EDR) agents, focusing on registry modifications under the path *Software\Microsoft\Powershell\1\ShellIds\Microsoft.PowerShell*. This activity is significant because setting the ExecutionPolicy to these values can allow the execution of potentially malicious scripts without restriction. If confirmed malicious, this could enable an attacker to execute arbitrary code, leading to further compromise of the system and potential escalation of privileges. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators may attempt to change the default execution policy on a system for a variety of reasons. However, setting the policy to "unrestricted" or "bypass" as this search is designed to identify, would be unusual. Hits should be reviewed and investigated as appropriate. -action.escu.creation_date = 2024-05-12 -action.escu.modification_date = 2024-05-12 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Credential Dumping", "DarkGate Malware", "Data Destruction", "HAFNIUM Group", "Hermetic Wiper", "Malicious PowerShell"] -action.risk = 1 -action.risk.param._risk_message = A registry modification in $registry_path$ with reg key $registry_key_name$ and reg value $registry_value_name$ in host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 48}, {"risk_object_field": "registry_path", "risk_object_type": "other", "risk_score": 48}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule -action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping", "DarkGate Malware", "Data Destruction", "HAFNIUM Group", "Hermetic Wiper", "Malicious PowerShell"], "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c2590137-0b08-4985-9ec5-6ae23d92f63d", "detection_version": "9"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects changes to the PowerShell ExecutionPolicy in the registry to "Unrestricted" or "Bypass." It leverages data from Endpoint Detection and Response (EDR) agents, focusing on registry modifications under the path *Software\Microsoft\Powershell\1\ShellIds\Microsoft.PowerShell*. This activity is significant because setting the ExecutionPolicy to these values can allow the execution of potentially malicious scripts without restriction. If confirmed malicious, this could enable an attacker to execute arbitrary code, leading to further compromise of the system and potential escalation of privileges. -action.notable.param.rule_title = Set Default PowerShell Execution Policy To Unrestricted or Bypass -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=*Software\\Microsoft\\Powershell\\1\\ShellIds\\Microsoft.PowerShell* Registry.registry_value_name=ExecutionPolicy (Registry.registry_value_data=Unrestricted OR Registry.registry_value_data=Bypass)) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `set_default_powershell_execution_policy_to_unrestricted_or_bypass_filter` - -[ESCU - Shim Database File Creation - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search looks for shim database files being written to default directories. The sdbinst.exe application is used to install shim database files (.sdb). According to Microsoft, a shim is a small library that transparently intercepts an API, changes the parameters passed, handles the operation itself, or redirects the operation elsewhere. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1546.011", "T1546"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search looks for shim database files being written to default directories. The sdbinst.exe application is used to install shim database files (.sdb). According to Microsoft, a shim is a small library that transparently intercepts an API, changes the parameters passed, handles the operation itself, or redirects the operation elsewhere. -action.escu.how_to_implement = You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data. -action.escu.known_false_positives = Because legitimate shim files are created and used all the time, this event, in itself, is not suspicious. However, if there are other correlating events, it may warrant further investigation. -action.escu.creation_date = 2020-12-08 -action.escu.modification_date = 2020-12-08 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Shim Database File Creation - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Windows Persistence Techniques"] -action.risk = 1 -action.risk.param._risk_message = A process that possibly write shim database in $file_path$ in host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"risk_object_field": "file_path", "risk_object_type": "other", "risk_score": 56}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Shim Database File Creation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1546.011", "T1546"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "6e4c4588-ba2f-42fa-97e6-9f6f548eaa33", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search looks for shim database files being written to default directories. The sdbinst.exe application is used to install shim database files (.sdb). According to Microsoft, a shim is a small library that transparently intercepts an API, changes the parameters passed, handles the operation itself, or redirects the operation elsewhere. -action.notable.param.rule_title = Shim Database File Creation -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count values(Filesystem.action) values(Filesystem.file_hash) as file_hash values(Filesystem.file_path) as file_path min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path=*Windows\\AppPatch\\Custom* by Filesystem.file_name Filesystem.dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` |`drop_dm_object_name(Filesystem)` | `shim_database_file_creation_filter` - -[ESCU - Shim Database Installation With Suspicious Parameters - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search detects the process execution and arguments required to silently create a shim database. The sdbinst.exe application is used to install shim database files (.sdb). A shim is a small library which transparently intercepts an API, changes the parameters passed, handles the operation itself, or redirects the operation elsewhere. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1546.011", "T1546"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search detects the process execution and arguments required to silently create a shim database. The sdbinst.exe application is used to install shim database files (.sdb). A shim is a small library which transparently intercepts an API, changes the parameters passed, handles the operation itself, or redirects the operation elsewhere. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = None identified -action.escu.creation_date = 2020-11-23 -action.escu.modification_date = 2020-11-23 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Shim Database Installation With Suspicious Parameters - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Windows Persistence Techniques"] -action.risk = 1 -action.risk.param._risk_message = A process $process_name$ that possible create a shim db silently in host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 63}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Shim Database Installation With Suspicious Parameters - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1546.011", "T1546"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "404620de-46d8-48b6-90cc-8a8d7b0876a3", "detection_version": "4"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search detects the process execution and arguments required to silently create a shim database. The sdbinst.exe application is used to install shim database files (.sdb). A shim is a small library which transparently intercepts an API, changes the parameters passed, handles the operation itself, or redirects the operation elsewhere. -action.notable.param.rule_title = Shim Database Installation With Suspicious Parameters -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = sdbinst.exe by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `shim_database_installation_with_suspicious_parameters_filter` - -[ESCU - Short Lived Scheduled Task - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic utilizes Windows Security EventCode 4698, "A scheduled task was created," and EventCode 4699, "A scheduled task was deleted," to identify scheduled tasks that are created and deleted within a short time frame of less than 30 seconds. This behavior is indicative of a potential lateral movement attack where the Task Scheduler is abused to achieve code execution. Both red teams and adversaries may exploit the Task Scheduler for lateral movement and remote code execution. \ -To implement this analytic, ensure that you are ingesting Windows Security Event Logs with EventCode 4698 enabled. Additionally, the Windows TA (Technology Add-on) is required to parse and extract the necessary information from the logs. \ -It's important to note that while uncommon, legitimate applications may create and delete scheduled tasks within a short duration. Analysts should filter the results based on the specific context and environment to reduce false positives. \ -Identifying short-lived scheduled tasks is valuable for a SOC as it can indicate malicious activities attempting to move laterally or execute unauthorized code on Windows systems. By detecting and investigating these events, security analysts can respond promptly to prevent further compromise and mitigate potential risks. The impact of a true positive could range from unauthorized access to data exfiltration or the execution of malicious payloads. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.005"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic utilizes Windows Security EventCode 4698, "A scheduled task was created," and EventCode 4699, "A scheduled task was deleted," to identify scheduled tasks that are created and deleted within a short time frame of less than 30 seconds. This behavior is indicative of a potential lateral movement attack where the Task Scheduler is abused to achieve code execution. Both red teams and adversaries may exploit the Task Scheduler for lateral movement and remote code execution. \ -To implement this analytic, ensure that you are ingesting Windows Security Event Logs with EventCode 4698 enabled. Additionally, the Windows TA (Technology Add-on) is required to parse and extract the necessary information from the logs. \ -It's important to note that while uncommon, legitimate applications may create and delete scheduled tasks within a short duration. Analysts should filter the results based on the specific context and environment to reduce false positives. \ -Identifying short-lived scheduled tasks is valuable for a SOC as it can indicate malicious activities attempting to move laterally or execute unauthorized code on Windows systems. By detecting and investigating these events, security analysts can respond promptly to prevent further compromise and mitigate potential risks. The impact of a true positive could range from unauthorized access to data exfiltration or the execution of malicious payloads. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA is also required. -action.escu.known_false_positives = Although uncommon, legitimate applications may create and delete a Scheduled Task within 30 seconds. Filter as needed. -action.escu.creation_date = 2023-12-27 -action.escu.modification_date = 2023-12-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Short Lived Scheduled Task - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Lateral Movement", "CISA AA22-257A", "CISA AA23-347A", "Scheduled Tasks"] -action.risk = 1 -action.risk.param._risk_message = A windows scheduled task was created and deleted in 30 seconds on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 81}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Short Lived Scheduled Task - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "CISA AA22-257A", "CISA AA23-347A", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.005"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "6fa31414-546e-11ec-adfa-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic utilizes Windows Security EventCode 4698, "A scheduled task was created," and EventCode 4699, "A scheduled task was deleted," to identify scheduled tasks that are created and deleted within a short time frame of less than 30 seconds. This behavior is indicative of a potential lateral movement attack where the Task Scheduler is abused to achieve code execution. Both red teams and adversaries may exploit the Task Scheduler for lateral movement and remote code execution. \ -To implement this analytic, ensure that you are ingesting Windows Security Event Logs with EventCode 4698 enabled. Additionally, the Windows TA (Technology Add-on) is required to parse and extract the necessary information from the logs. \ -It's important to note that while uncommon, legitimate applications may create and delete scheduled tasks within a short duration. Analysts should filter the results based on the specific context and environment to reduce false positives. \ -Identifying short-lived scheduled tasks is valuable for a SOC as it can indicate malicious activities attempting to move laterally or execute unauthorized code on Windows systems. By detecting and investigating these events, security analysts can respond promptly to prevent further compromise and mitigate potential risks. The impact of a true positive could range from unauthorized access to data exfiltration or the execution of malicious payloads. -action.notable.param.rule_title = Short Lived Scheduled Task -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4698 OR EventCode=4699 | xmlkv Message | transaction Task_Name startswith=(EventCode=4698) endswith=(EventCode=4699) | eval short_lived=case((duration<30),"TRUE") | search short_lived = TRUE | rename ComputerName as dest| table _time, dest, Account_Name, Command, Task_Name, short_lived | `short_lived_scheduled_task_filter` - -[ESCU - Short Lived Windows Accounts - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the creation and deletion of accounts in a short time period to identify potential threats earlier and take appropriate actions to mitigate the risks. Helps prevent or minimize the potential damage caused by unauthorized access or malicious activities within the environment. This detection is made by a Splunk query that searches for events with the result IDs 4720 and 4726 in the "Change" data model. The query then groups the results by time, user, and destination. The result is filtered to only include events with the specified result IDs. The "transaction" command is used to group events that occur within a specified time span and have the same user but are not connected. Finally, the relevant information such as the first and last time of the event, the count, user, destination, and result ID are displayed in a table. This detection is important because it suggests that an attacker is attempting to create and delete accounts rapidly, potentially to cover their tracks or gain unauthorized access. The impact of such an attack can include unauthorized access to sensitive data, privilege escalation, or the ability to carry out further malicious activities within the environment. Next steps include investigating the events flagged by the analytic, review the account creation and deletion activities, and analyze any associated logs or artifacts to determine the intent and impact of the attack. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.CM"]} -action.escu.data_models = ["Change"] -action.escu.eli5 = The following analytic detects the creation and deletion of accounts in a short time period to identify potential threats earlier and take appropriate actions to mitigate the risks. Helps prevent or minimize the potential damage caused by unauthorized access or malicious activities within the environment. This detection is made by a Splunk query that searches for events with the result IDs 4720 and 4726 in the "Change" data model. The query then groups the results by time, user, and destination. The result is filtered to only include events with the specified result IDs. The "transaction" command is used to group events that occur within a specified time span and have the same user but are not connected. Finally, the relevant information such as the first and last time of the event, the count, user, destination, and result ID are displayed in a table. This detection is important because it suggests that an attacker is attempting to create and delete accounts rapidly, potentially to cover their tracks or gain unauthorized access. The impact of such an attack can include unauthorized access to sensitive data, privilege escalation, or the ability to carry out further malicious activities within the environment. Next steps include investigating the events flagged by the analytic, review the account creation and deletion activities, and analyze any associated logs or artifacts to determine the intent and impact of the attack. -action.escu.how_to_implement = This search requires you to have enabled your Group Management Audit Logs in your Local Windows Security Policy and be ingesting those logs. More information on how to enable them can be found here: http://whatevernetworks.com/auditing-group-membership-changes-in-active-directory/ -action.escu.known_false_positives = It is possible that an administrator created and deleted an account in a short time period. Verifying activity with an administrator is advised. -action.escu.creation_date = 2024-03-19 -action.escu.modification_date = 2024-03-19 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Short Lived Windows Accounts - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Active Directory Lateral Movement"] -action.risk = 1 -action.risk.param._risk_message = A user account created or delete shortly in host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 63}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Short Lived Windows Accounts - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "b25f6f62-0782-43c1-b403-083231ffd97d", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the creation and deletion of accounts in a short time period to identify potential threats earlier and take appropriate actions to mitigate the risks. Helps prevent or minimize the potential damage caused by unauthorized access or malicious activities within the environment. This detection is made by a Splunk query that searches for events with the result IDs 4720 and 4726 in the "Change" data model. The query then groups the results by time, user, and destination. The result is filtered to only include events with the specified result IDs. The "transaction" command is used to group events that occur within a specified time span and have the same user but are not connected. Finally, the relevant information such as the first and last time of the event, the count, user, destination, and result ID are displayed in a table. This detection is important because it suggests that an attacker is attempting to create and delete accounts rapidly, potentially to cover their tracks or gain unauthorized access. The impact of such an attack can include unauthorized access to sensitive data, privilege escalation, or the ability to carry out further malicious activities within the environment. Next steps include investigating the events flagged by the analytic, review the account creation and deletion activities, and analyze any associated logs or artifacts to determine the intent and impact of the attack. -action.notable.param.rule_title = Short Lived Windows Accounts -action.notable.param.security_domain = access -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` values(All_Changes.result_id) as result_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Change where All_Changes.result_id=4720 OR All_Changes.result_id=4726 by _time span=4h All_Changes.user All_Changes.dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name("All_Changes")` | search result_id = 4720 result_id=4726 | transaction user connected=false maxspan=240m | table firstTime lastTime count user dest result_id | `short_lived_windows_accounts_filter` - -[ESCU - SilentCleanup UAC Bypass - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search is to detect a suspicious modification of registry that may related to UAC bypassed. This registry will be trigger once the attacker abuse the silentcleanup task schedule to gain high privilege execution that will bypass User control account. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search is to detect a suspicious modification of registry that may related to UAC bypassed. This registry will be trigger once the attacker abuse the silentcleanup task schedule to gain high privilege execution that will bypass User control account. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2022-11-14 -action.escu.modification_date = 2022-11-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - SilentCleanup UAC Bypass - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Windows Defense Evasion Tactics", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = Suspicious modification of registry $registry_path$ with possible payload path $registry_value_name$ in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - SilentCleanup UAC Bypass - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "56d7cfcc-da63-11eb-92d4-acde48001122", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search is to detect a suspicious modification of registry that may related to UAC bypassed. This registry will be trigger once the attacker abuse the silentcleanup task schedule to gain high privilege execution that will bypass User control account. -action.notable.param.rule_title = SilentCleanup UAC Bypass -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\Environment\\windir" Registry.registry_value_data = "*.exe*") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `silentcleanup_uac_bypass_filter` - -[ESCU - Single Letter Process On Endpoint - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects a behavior where a process name consists only of a single letter that helps to detect potential threats earlier and mitigate the risks. This detection is important because it indicates the presence of malware or an attacker attempting to evade detection by using a process name that is difficult to identify or track so that he can carry out malicious activities such as data theft or ransomware attacks. False positives might occur since there might be legitimate uses of single-letter process names in your environment. Next steps include reviewing the process details and investigating any suspicious activity upon triage. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204", "T1204.002"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects a behavior where a process name consists only of a single letter that helps to detect potential threats earlier and mitigate the risks. This detection is important because it indicates the presence of malware or an attacker attempting to evade detection by using a process name that is difficult to identify or track so that he can carry out malicious activities such as data theft or ransomware attacks. False positives might occur since there might be legitimate uses of single-letter process names in your environment. Next steps include reviewing the process details and investigating any suspicious activity upon triage. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Single-letter executables are not always malicious. Investigate this activity with your normal incident-response process. -action.escu.creation_date = 2020-12-08 -action.escu.modification_date = 2020-12-08 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Single Letter Process On Endpoint - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["DHS Report TA18-074A"] -action.risk = 1 -action.risk.param._risk_message = A suspicious process $process_name$ with single letter in host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 63}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Single Letter Process On Endpoint - Rule -action.correlationsearch.annotations = {"analytic_story": ["DHS Report TA18-074A"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204", "T1204.002"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a4214f0b-e01c-41bc-8cc4-d2b71e3056b4", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects a behavior where a process name consists only of a single letter that helps to detect potential threats earlier and mitigate the risks. This detection is important because it indicates the presence of malware or an attacker attempting to evade detection by using a process name that is difficult to identify or track so that he can carry out malicious activities such as data theft or ransomware attacks. False positives might occur since there might be legitimate uses of single-letter process names in your environment. Next steps include reviewing the process details and investigating any suspicious activity upon triage. -action.notable.param.rule_title = Single Letter Process On Endpoint -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.dest, Processes.user, Processes.process, Processes.process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | eval process_name_length = len(process_name), endExe = if(substr(process_name, -4) == ".exe", 1, 0) | search process_name_length=5 AND endExe=1 | table count, firstTime, lastTime, dest, user, process, process_name | `single_letter_process_on_endpoint_filter` - -[ESCU - SLUI RunAs Elevated - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the Microsoft Software Licensing User Interface Tool, `slui.exe`, elevating access using the `-verb runas` function. This particular bypass utilizes a registry key/value. Identified by two sources, the registry keys are `HKCU\Software\Classes\exefile\shell` and `HKCU\Software\Classes\launcher.Systemsettings\Shell\open\command`. To simulate this behavior, multiple POC are available. The analytic identifies the use of `runas` by `slui.exe`. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the Microsoft Software Licensing User Interface Tool, `slui.exe`, elevating access using the `-verb runas` function. This particular bypass utilizes a registry key/value. Identified by two sources, the registry keys are `HKCU\Software\Classes\exefile\shell` and `HKCU\Software\Classes\launcher.Systemsettings\Shell\open\command`. To simulate this behavior, multiple POC are available. The analytic identifies the use of `runas` by `slui.exe`. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Limited false positives should be present as this is not commonly used by legitimate applications. -action.escu.creation_date = 2021-05-13 -action.escu.modification_date = 2021-05-13 -action.escu.confidence = high -action.escu.full_search_name = ESCU - SLUI RunAs Elevated - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["DarkSide Ransomware", "Windows Defense Evasion Tactics"] -action.risk = 1 -action.risk.param._risk_message = A slui process $process_name$ with elevated commandline $process$ in host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}, {"risk_object_field": "user", "risk_object_type": "system", "risk_score": 63}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - SLUI RunAs Elevated - Rule -action.correlationsearch.annotations = {"analytic_story": ["DarkSide Ransomware", "Windows Defense Evasion Tactics"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "8d124810-b3e4-11eb-96c7-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the Microsoft Software Licensing User Interface Tool, `slui.exe`, elevating access using the `-verb runas` function. This particular bypass utilizes a registry key/value. Identified by two sources, the registry keys are `HKCU\Software\Classes\exefile\shell` and `HKCU\Software\Classes\launcher.Systemsettings\Shell\open\command`. To simulate this behavior, multiple POC are available. The analytic identifies the use of `runas` by `slui.exe`. -action.notable.param.rule_title = SLUI RunAs Elevated -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=slui.exe (Processes.process=*-verb* Processes.process=*runas*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `slui_runas_elevated_filter` - -[ESCU - SLUI Spawning a Process - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the Microsoft Software Licensing User Interface Tool, `slui.exe`, spawning a child process. This behavior is associated with publicly known UAC bypass. `slui.exe` is commonly associated with software updates and is most often spawned by `svchost.exe`. The `slui.exe` process should not have child processes, and any processes spawning from it will be running with elevated privileges. During triage, review the child process and additional parallel processes. Identify any file modifications that may have lead to the bypass. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the Microsoft Software Licensing User Interface Tool, `slui.exe`, spawning a child process. This behavior is associated with publicly known UAC bypass. `slui.exe` is commonly associated with software updates and is most often spawned by `svchost.exe`. The `slui.exe` process should not have child processes, and any processes spawning from it will be running with elevated privileges. During triage, review the child process and additional parallel processes. Identify any file modifications that may have lead to the bypass. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Certain applications may spawn from `slui.exe` that are legitimate. Filtering will be needed to ensure proper monitoring. -action.escu.creation_date = 2021-05-13 -action.escu.modification_date = 2021-05-13 -action.escu.confidence = high -action.escu.full_search_name = ESCU - SLUI Spawning a Process - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["DarkSide Ransomware", "Windows Defense Evasion Tactics"] -action.risk = 1 -action.risk.param._risk_message = A slui process $parent_process_name$ spawning child process $process_name$ in host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 63}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - SLUI Spawning a Process - Rule -action.correlationsearch.annotations = {"analytic_story": ["DarkSide Ransomware", "Windows Defense Evasion Tactics"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "879c4330-b3e0-11eb-b1b1-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the Microsoft Software Licensing User Interface Tool, `slui.exe`, spawning a child process. This behavior is associated with publicly known UAC bypass. `slui.exe` is commonly associated with software updates and is most often spawned by `svchost.exe`. The `slui.exe` process should not have child processes, and any processes spawning from it will be running with elevated privileges. During triage, review the child process and additional parallel processes. Identify any file modifications that may have lead to the bypass. -action.notable.param.rule_title = SLUI Spawning a Process -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=slui.exe by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `slui_spawning_a_process_filter` - -[ESCU - Spike in File Writes - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic detects a sharp increase in the number of files written to a specific host. It leverages the Endpoint.Filesystem data model, focusing on 'created' actions and comparing current file write counts against historical averages and standard deviations. This activity is significant as a sudden spike in file writes can indicate malicious activities such as ransomware encryption or data exfiltration. If confirmed malicious, this behavior could lead to significant data loss, system compromise, or further propagation of malware within the network. -action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects a sharp increase in the number of files written to a specific host. It leverages the Endpoint.Filesystem data model, focusing on 'created' actions and comparing current file write counts against historical averages and standard deviations. This activity is significant as a sudden spike in file writes can indicate malicious activities such as ransomware encryption or data exfiltration. If confirmed malicious, this behavior could lead to significant data loss, system compromise, or further propagation of malware within the network. -action.escu.how_to_implement = In order to implement this search, you must populate the Endpoint file-system data model node. This is typically populated via endpoint detection and response product, such as Carbon Black or endpoint data sources such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the file system. -action.escu.known_false_positives = It is important to understand that if you happen to install any new applications on your hosts or are copying a large number of files, you can expect to see a large increase of file modifications. -action.escu.creation_date = 2024-05-16 -action.escu.modification_date = 2024-05-16 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Spike in File Writes - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Ransomware", "Rhysida Ransomware", "Ryuk Ransomware", "SamSam Ransomware"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Spike in File Writes - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Rhysida Ransomware", "Ryuk Ransomware", "SamSam Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "fdb0f805-74e4-4539-8c00-618927333aae", "detection_version": "4"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.action=created by _time span=1h, Filesystem.dest | `drop_dm_object_name(Filesystem)` | eventstats max(_time) as maxtime | stats count as num_data_samples max(eval(if(_time >= relative_time(maxtime, "-1d@d"), count, null))) as "count" avg(eval(if(_time upperBound) AND num_data_samples >=20, 1, 0) | search isOutlier=1 | `spike_in_file_writes_filter` - -[ESCU - Spoolsv Spawning Rundll32 - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a suspicious child process, `rundll32.exe`, with no command-line arguments being spawned from `spoolsv.exe`. This was identified during our testing of CVE-2021-34527 previously (CVE-2021-1675) or PrintNightmare. Typically, this is not normal behavior for `spoolsv.exe` to spawn a process. During triage, isolate the endpoint and review for source of exploitation. Capture any additional file modification events. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a suspicious child process, `rundll32.exe`, with no command-line arguments being spawned from `spoolsv.exe`. This was identified during our testing of CVE-2021-34527 previously (CVE-2021-1675) or PrintNightmare. Typically, this is not normal behavior for `spoolsv.exe` to spawn a process. During triage, isolate the endpoint and review for source of exploitation. Capture any additional file modification events. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Limited false positives have been identified. There are limited instances where `rundll32.exe` may be spawned by a legitimate print driver. -action.escu.creation_date = 2021-07-01 -action.escu.modification_date = 2021-07-01 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Spoolsv Spawning Rundll32 - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["PrintNightmare CVE-2021-34527"] -action.risk = 1 -action.risk.param._risk_message = $parent_process_name$ has spawned $process_name$ on endpoint $dest$. This behavior is suspicious and related to PrintNightmare. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}, {"threat_object_field": "process_name", "threat_object_type": "process"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Spoolsv Spawning Rundll32 - Rule -action.correlationsearch.annotations = {"analytic_story": ["PrintNightmare CVE-2021-34527"], "cis20": ["CIS 10"], "confidence": 90, "cve": ["CVE-2021-34527"], "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "15d905f6-da6b-11eb-ab82-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a suspicious child process, `rundll32.exe`, with no command-line arguments being spawned from `spoolsv.exe`. This was identified during our testing of CVE-2021-34527 previously (CVE-2021-1675) or PrintNightmare. Typically, this is not normal behavior for `spoolsv.exe` to spawn a process. During triage, isolate the endpoint and review for source of exploitation. Capture any additional file modification events. -action.notable.param.rule_title = Spoolsv Spawning Rundll32 -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=spoolsv.exe `process_rundll32` by Processes.dest Processes.user Processes.parent_process_name Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spoolsv_spawning_rundll32_filter` - -[ESCU - Spoolsv Suspicious Loaded Modules - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the suspicious loading of DLLs by spoolsv.exe, potentially indicating PrintNightmare exploitation. It leverages Sysmon EventCode 7 to identify instances where spoolsv.exe loads multiple DLLs from the Windows System32 spool drivers x64 directory. This activity is significant as it may signify an attacker exploiting the PrintNightmare vulnerability to execute arbitrary code. If confirmed malicious, this could lead to unauthorized code execution, privilege escalation, and persistent access within the environment, posing a severe security risk. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects the suspicious loading of DLLs by spoolsv.exe, potentially indicating PrintNightmare exploitation. It leverages Sysmon EventCode 7 to identify instances where spoolsv.exe loads multiple DLLs from the Windows System32 spool drivers x64 directory. This activity is significant as it may signify an attacker exploiting the PrintNightmare vulnerability to execute arbitrary code. If confirmed malicious, this could lead to unauthorized code execution, privilege escalation, and persistent access within the environment, posing a severe security risk. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2024-05-23 -action.escu.modification_date = 2024-05-23 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Spoolsv Suspicious Loaded Modules - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["PrintNightmare CVE-2021-34527"] -action.risk = 1 -action.risk.param._risk_message = $Image$ with process id $ProcessId$ has loaded a driver from $ImageLoaded$ on endpoint $dest$. This behavior is suspicious and related to PrintNightmare. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Spoolsv Suspicious Loaded Modules - Rule -action.correlationsearch.annotations = {"analytic_story": ["PrintNightmare CVE-2021-34527"], "cis20": ["CIS 10"], "confidence": 90, "cve": ["CVE-2021-34527"], "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a5e451f8-da81-11eb-b245-acde48001122", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the suspicious loading of DLLs by spoolsv.exe, potentially indicating PrintNightmare exploitation. It leverages Sysmon EventCode 7 to identify instances where spoolsv.exe loads multiple DLLs from the Windows System32 spool drivers x64 directory. This activity is significant as it may signify an attacker exploiting the PrintNightmare vulnerability to execute arbitrary code. If confirmed malicious, this could lead to unauthorized code execution, privilege escalation, and persistent access within the environment, posing a severe security risk. -action.notable.param.rule_title = Spoolsv Suspicious Loaded Modules -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=7 Image ="*\\spoolsv.exe" ImageLoaded="*\\Windows\\System32\\spool\\drivers\\x64\\*" ImageLoaded = "*.dll" | stats dc(ImageLoaded) as countImgloaded values(ImageLoaded) as ImageLoaded count min(_time) as firstTime max(_time) as lastTime by Image Computer ProcessId EventCode | rename Computer as dest | where countImgloaded >= 3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spoolsv_suspicious_loaded_modules_filter` - -[ESCU - Spoolsv Suspicious Process Access - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic identifies a suspicious behavior related to PrintNightmare, or CVE-2021-34527 previously (CVE-2021-1675), to gain privilege escalation on the vulnerable machine. This exploit attacks a critical Windows Print Spooler Vulnerability to elevate privilege. This detection is to look for suspicious process access made by the spoolsv.exe that may related to the attack. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic identifies a suspicious behavior related to PrintNightmare, or CVE-2021-34527 previously (CVE-2021-1675), to gain privilege escalation on the vulnerable machine. This exploit attacks a critical Windows Print Spooler Vulnerability to elevate privilege. This detection is to look for suspicious process access made by the spoolsv.exe that may related to the attack. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with process access event where SourceImage, TargetImage, GrantedAccess and CallTrace executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of spoolsv.exe. -action.escu.known_false_positives = Unknown. Filter as needed. -action.escu.creation_date = 2021-07-01 -action.escu.modification_date = 2021-07-01 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Spoolsv Suspicious Process Access - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["PrintNightmare CVE-2021-34527"] -action.risk = 1 -action.risk.param._risk_message = $SourceImage$ was GrantedAccess open access to $TargetImage$ on endpoint $dest$. This behavior is suspicious and related to PrintNightmare. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}, {"risk_object_field": "ProcessID", "risk_object_type": "other", "risk_score": 72}, {"risk_object_field": "TargetImage", "risk_object_type": "other", "risk_score": 72}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Spoolsv Suspicious Process Access - Rule -action.correlationsearch.annotations = {"analytic_story": ["PrintNightmare CVE-2021-34527"], "cis20": ["CIS 10"], "confidence": 90, "cve": ["CVE-2021-34527"], "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "799b606e-da81-11eb-93f8-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic identifies a suspicious behavior related to PrintNightmare, or CVE-2021-34527 previously (CVE-2021-1675), to gain privilege escalation on the vulnerable machine. This exploit attacks a critical Windows Print Spooler Vulnerability to elevate privilege. This detection is to look for suspicious process access made by the spoolsv.exe that may related to the attack. -action.notable.param.rule_title = Spoolsv Suspicious Process Access -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=10 SourceImage = "*\\spoolsv.exe" CallTrace = "*\\Windows\\system32\\spool\\DRIVERS\\x64\\*" TargetImage IN ("*\\rundll32.exe", "*\\spoolsv.exe") GrantedAccess = 0x1fffff | stats count min(_time) as firstTime max(_time) as lastTime by dest SourceImage TargetImage GrantedAccess CallTrace EventCode ProcessID| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spoolsv_suspicious_process_access_filter` - -[ESCU - Spoolsv Writing a DLL - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a `.dll` being written by `spoolsv.exe`. This was identified during our testing of CVE-2021-34527 previously (CVE-2021-1675) or PrintNightmare. Typically, this is not normal behavior for `spoolsv.exe` to write a `.dll`. Current POC code used will write the suspicious DLL to disk within a path of `\spool\drivers\x64\`. During triage, isolate the endpoint and review for source of exploitation. Capture any additional file modification events. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a `.dll` being written by `spoolsv.exe`. This was identified during our testing of CVE-2021-34527 previously (CVE-2021-1675) or PrintNightmare. Typically, this is not normal behavior for `spoolsv.exe` to write a `.dll`. Current POC code used will write the suspicious DLL to disk within a path of `\spool\drivers\x64\`. During triage, isolate the endpoint and review for source of exploitation. Capture any additional file modification events. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node. -action.escu.known_false_positives = Unknown. -action.escu.creation_date = 2023-11-07 -action.escu.modification_date = 2023-11-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Spoolsv Writing a DLL - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["PrintNightmare CVE-2021-34527"] -action.risk = 1 -action.risk.param._risk_message = $process_name$ has been identified writing dll's to $file_path$ on endpoint $dest$. This behavior is suspicious and related to PrintNightmare. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}, {"threat_object_field": "process_name", "threat_object_type": "process"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Spoolsv Writing a DLL - Rule -action.correlationsearch.annotations = {"analytic_story": ["PrintNightmare CVE-2021-34527"], "cis20": ["CIS 10"], "confidence": 90, "cve": ["CVE-2021-34527"], "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "d5bf5cf2-da71-11eb-92c2-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a `.dll` being written by `spoolsv.exe`. This was identified during our testing of CVE-2021-34527 previously (CVE-2021-1675) or PrintNightmare. Typically, this is not normal behavior for `spoolsv.exe` to write a `.dll`. Current POC code used will write the suspicious DLL to disk within a path of `\spool\drivers\x64\`. During triage, isolate the endpoint and review for source of exploitation. Capture any additional file modification events. -action.notable.param.rule_title = Spoolsv Writing a DLL -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=spoolsv.exe by _time Processes.process_guid Processes.process_name Processes.dest | `drop_dm_object_name(Processes)` | join process_guid, _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path="*\\spool\\drivers\\x64\\*" Filesystem.file_name="*.dll" by _time Filesystem.dest Filesystem.process_guid Filesystem.file_create_time Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` | fields _time dest file_create_time file_name file_path process_name process_path process_guid process] | dedup file_create_time | table dest file_create_time, file_name, file_path, process_name process_guid | `spoolsv_writing_a_dll_filter` - -[ESCU - Spoolsv Writing a DLL - Sysmon - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a `.dll` being written by `spoolsv.exe`. This was identified during our testing of CVE-2021-34527 previously(CVE-2021-1675) or PrintNightmare. Typically, this is not normal behavior for `spoolsv.exe` to write a `.dll`. Current POC code used will write the suspicious DLL to disk within a path of `\spool\drivers\x64\`. During triage, isolate the endpoint and review for source of exploitation. Capture any additional file modification events. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies a `.dll` being written by `spoolsv.exe`. This was identified during our testing of CVE-2021-34527 previously(CVE-2021-1675) or PrintNightmare. Typically, this is not normal behavior for `spoolsv.exe` to write a `.dll`. Current POC code used will write the suspicious DLL to disk within a path of `\spool\drivers\x64\`. During triage, isolate the endpoint and review for source of exploitation. Capture any additional file modification events. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used. -action.escu.known_false_positives = Limited false positives. Filter as needed. -action.escu.creation_date = 2021-07-01 -action.escu.modification_date = 2021-07-01 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Spoolsv Writing a DLL - Sysmon - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["PrintNightmare CVE-2021-34527"] -action.risk = 1 -action.risk.param._risk_message = $process_name$ has been identified writing dll's to $file_path$ on endpoint $dest$. This behavior is suspicious and related to PrintNightmare. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}, {"threat_object_field": "process_name", "threat_object_type": "process"}, {"threat_object_field": "file_name", "threat_object_type": "file_name"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Spoolsv Writing a DLL - Sysmon - Rule -action.correlationsearch.annotations = {"analytic_story": ["PrintNightmare CVE-2021-34527"], "cis20": ["CIS 10"], "confidence": 90, "cve": ["CVE-2021-34527"], "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "347fd388-da87-11eb-836d-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a `.dll` being written by `spoolsv.exe`. This was identified during our testing of CVE-2021-34527 previously(CVE-2021-1675) or PrintNightmare. Typically, this is not normal behavior for `spoolsv.exe` to write a `.dll`. Current POC code used will write the suspicious DLL to disk within a path of `\spool\drivers\x64\`. During triage, isolate the endpoint and review for source of exploitation. Capture any additional file modification events. -action.notable.param.rule_title = Spoolsv Writing a DLL - Sysmon -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventID=11 process_name=spoolsv.exe file_path="*\\spool\\drivers\\x64\\*" file_name=*.dll | stats count min(_time) as firstTime max(_time) as lastTime by dest, UserID, process_name, file_path, file_name, TargetFilename, process_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spoolsv_writing_a_dll___sysmon_filter` - -[ESCU - Sqlite Module In Temp Folder - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search is to detect a suspicious file creation of sqlite3.dll in %temp% folder. This behavior was seen in IcedID malware where it download sqlite module to parse browser database like for chrome or firefox to stole browser information related to bank, credit card or credentials. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1005"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This search is to detect a suspicious file creation of sqlite3.dll in %temp% folder. This behavior was seen in IcedID malware where it download sqlite module to parse browser database like for chrome or firefox to stole browser information related to bank, credit card or credentials. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2021-08-03 -action.escu.modification_date = 2021-08-03 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Sqlite Module In Temp Folder - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["IcedID"] -action.risk = 1 -action.risk.param._risk_message = Process $process_name$ create a file $file_name$ in host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 9}, {"threat_object_field": "process_name", "threat_object_type": "process"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Sqlite Module In Temp Folder - Rule -action.correlationsearch.annotations = {"analytic_story": ["IcedID"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1005"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "0f216a38-f45f-11eb-b09c-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search is to detect a suspicious file creation of sqlite3.dll in %temp% folder. This behavior was seen in IcedID malware where it download sqlite module to parse browser database like for chrome or firefox to stole browser information related to bank, credit card or credentials. -action.notable.param.rule_title = Sqlite Module In Temp Folder -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=11 (TargetFilename = "*\\sqlite32.dll" OR TargetFilename = "*\\sqlite64.dll") (TargetFilename = "*\\temp\\*") | stats count min(_time) as firstTime max(_time) as lastTime by dest signature signature_id process_name file_name file_path action process_guid| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `sqlite_module_in_temp_folder_filter` - -[ESCU - Steal or Forge Authentication Certificates Behavior Identified - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This correlation rule focuses on detecting potential threats associated with MITRE ATT&CK T1649 (Steal or Forge Authentication Certificates). The rule is designed to identify instances where 5 or more analytics related to Windows Certificate Services analytic story that are triggered within a specified time frame, which may indicate a potential attack in progress. By aggregating these analytics, security teams can swiftly respond to and investigate any suspicious activities, enhancing their ability to protect critical assets and prevent unauthorized access to sensitive information. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1649"], "nist": ["DE.AE"]} -action.escu.data_models = ["Risk"] -action.escu.eli5 = This correlation rule focuses on detecting potential threats associated with MITRE ATT&CK T1649 (Steal or Forge Authentication Certificates). The rule is designed to identify instances where 5 or more analytics related to Windows Certificate Services analytic story that are triggered within a specified time frame, which may indicate a potential attack in progress. By aggregating these analytics, security teams can swiftly respond to and investigate any suspicious activities, enhancing their ability to protect critical assets and prevent unauthorized access to sensitive information. -action.escu.how_to_implement = The Windows Certificate Services analytic story must have 5 or more analytics enabled. In addition, ensure data is being logged that is required. Modify the correlation as needed based on volume of noise related to the other analytics. -action.escu.known_false_positives = False positives may be present based on automated tooling or system administrators. Filter as needed. -action.escu.creation_date = 2023-05-01 -action.escu.modification_date = 2023-05-01 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Steal or Forge Authentication Certificates Behavior Identified - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.atomic_red_team_guids = ["290df60e-4b5d-4a5e-b0c7-dc5348ea0c86", "78b274f8-acb0-428b-b1f7-7b0d0e73330a", "7617f689-bbd8-44bc-adcd-6f8968897848"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Windows Certificate Services"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - RIR - Steal or Forge Authentication Certificates Behavior Identified - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Certificate Services"], "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1649"], "nist": ["DE.AE"], "type": "Correlation"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "87ac670e-bbfd-44ca-b566-44e9f835518d", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This correlation rule focuses on detecting potential threats associated with MITRE ATT&CK T1649 (Steal or Forge Authentication Certificates). The rule is designed to identify instances where 5 or more analytics related to Windows Certificate Services analytic story that are triggered within a specified time frame, which may indicate a potential attack in progress. By aggregating these analytics, security teams can swiftly respond to and investigate any suspicious activities, enhancing their ability to protect critical assets and prevent unauthorized access to sensitive information. -action.notable.param.rule_title = RBA: Steal or Forge Authentication Certificates Behavior Identified -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories="Windows Certificate Services" All_Risk.risk_object_type="system" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 5 | `steal_or_forge_authentication_certificates_behavior_identified_filter` - -[ESCU - Sunburst Correlation DLL and Network Event - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies the loading of the malicious SolarWinds.Orion.Core.BusinessLayer.dll by SolarWinds.BusinessLayerHost.exe and subsequent DNS queries to avsvmcloud.com. It uses Sysmon Event ID 7 for DLL loading and Event ID 22 for DNS queries, correlating these events within a 12-14 day period. This activity is significant as it indicates potential Sunburst malware infection, a known supply chain attack. If confirmed malicious, this could lead to unauthorized network access, data exfiltration, and further compromise of the affected systems. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1203"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies the loading of the malicious SolarWinds.Orion.Core.BusinessLayer.dll by SolarWinds.BusinessLayerHost.exe and subsequent DNS queries to avsvmcloud.com. It uses Sysmon Event ID 7 for DLL loading and Event ID 22 for DNS queries, correlating these events within a 12-14 day period. This activity is significant as it indicates potential Sunburst malware infection, a known supply chain attack. If confirmed malicious, this could lead to unauthorized network access, data exfiltration, and further compromise of the affected systems. -action.escu.how_to_implement = This detection relies on sysmon logs with the Event ID 7, Driver loaded. Please tune your sysmon config that you DriverLoad event for SolarWinds.Orion.Core.BusinessLayer.dll is captured by Sysmon. Additionally, you need sysmon logs for Event ID 22, DNS Query. We suggest to run this detection at least once a day over the last 14 days. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2024-05-11 -action.escu.modification_date = 2024-05-11 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Sunburst Correlation DLL and Network Event - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["NOBELIUM Group"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Sunburst Correlation DLL and Network Event - Rule -action.correlationsearch.annotations = {"analytic_story": ["NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1203"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "701a8740-e8db-40df-9190-5516d3819787", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the loading of the malicious SolarWinds.Orion.Core.BusinessLayer.dll by SolarWinds.BusinessLayerHost.exe and subsequent DNS queries to avsvmcloud.com. It uses Sysmon Event ID 7 for DLL loading and Event ID 22 for DNS queries, correlating these events within a 12-14 day period. This activity is significant as it indicates potential Sunburst malware infection, a known supply chain attack. If confirmed malicious, this could lead to unauthorized network access, data exfiltration, and further compromise of the affected systems. -action.notable.param.rule_title = Sunburst Correlation DLL and Network Event -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = (`sysmon` EventCode=7 ImageLoaded=*SolarWinds.Orion.Core.BusinessLayer.dll) OR (`sysmon` EventCode=22 QueryName=*avsvmcloud.com) | eventstats dc(EventCode) AS dc_events | where dc_events=2 | stats min(_time) as firstTime max(_time) as lastTime values(ImageLoaded) AS ImageLoaded values(QueryName) AS QueryName by host | rename host as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `sunburst_correlation_dll_and_network_event_filter` - -[ESCU - Suspicious Computer Account Name Change - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = As part of the sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287) exploitation chain, adversaries need to create a new computer account name and rename it to match the name of a domain controller account without the ending '$'. In Windows Active Directory environments, computer account names always end with `$`. This analytic leverages Event Id 4781, `The name of an account was changed`, to identify a computer account rename event with a suspicious name that does not terminate with `$`. This behavior could represent an exploitation attempt of CVE-2021-42278 and CVE-2021-42287 for privilege escalation. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078", "T1078.002"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = As part of the sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287) exploitation chain, adversaries need to create a new computer account name and rename it to match the name of a domain controller account without the ending '$'. In Windows Active Directory environments, computer account names always end with `$`. This analytic leverages Event Id 4781, `The name of an account was changed`, to identify a computer account rename event with a suspicious name that does not terminate with `$`. This behavior could represent an exploitation attempt of CVE-2021-42278 and CVE-2021-42287 for privilege escalation. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Windows event logs from your hosts. In addition, the Splunk Windows TA is needed. -action.escu.known_false_positives = Renaming a computer account name to a name that not end with '$' is highly unsual and may not have any legitimate scenarios. -action.escu.creation_date = 2024-04-26 -action.escu.modification_date = 2024-04-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Suspicious Computer Account Name Change - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Privilege Escalation", "sAMAccountName Spoofing and Domain Controller Impersonation"] -action.risk = 1 -action.risk.param._risk_message = A computer account $OldTargetUserName$ was renamed with a suspicious computer name on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 70}, {"risk_object_field": "OldTargetUserName", "risk_object_type": "user", "risk_score": 70}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Suspicious Computer Account Name Change - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Privilege Escalation", "sAMAccountName Spoofing and Domain Controller Impersonation"], "cis20": ["CIS 10"], "confidence": 70, "cve": ["CVE-2021-42287", "CVE-2021-42278"], "impact": 100, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078", "T1078.002"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "35a61ed8-61c4-11ec-bc1e-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = As part of the sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287) exploitation chain, adversaries need to create a new computer account name and rename it to match the name of a domain controller account without the ending '$'. In Windows Active Directory environments, computer account names always end with `$`. This analytic leverages Event Id 4781, `The name of an account was changed`, to identify a computer account rename event with a suspicious name that does not terminate with `$`. This behavior could represent an exploitation attempt of CVE-2021-42278 and CVE-2021-42287 for privilege escalation. -action.notable.param.rule_title = Suspicious Computer Account Name Change -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4781 OldTargetUserName="*$" NewTargetUserName!="*$" | table _time, Computer, Caller_User_Name, OldTargetUserName, NewTargetUserName | rename Computer as dest | `suspicious_computer_account_name_change_filter` - -[ESCU - Suspicious Copy on System32 - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is to detect a suspicious copy of file from systemroot folder of the windows OS. This technique is commonly used by APT or other malware as part of execution (LOLBIN) to run its malicious code using the available legitimate tool in OS. this type of event may seen or may execute of normal user in some instance but this is really a anomaly that needs to be check within the network. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036.003", "T1036"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is to detect a suspicious copy of file from systemroot folder of the windows OS. This technique is commonly used by APT or other malware as part of execution (LOLBIN) to run its malicious code using the available legitimate tool in OS. this type of event may seen or may execute of normal user in some instance but this is really a anomaly that needs to be check within the network. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = every user may do this event but very un-ussual. -action.escu.creation_date = 2023-08-17 -action.escu.modification_date = 2023-08-17 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Suspicious Copy on System32 - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["AsyncRAT", "IcedID", "Qakbot", "Sandworm Tools", "Unusual Processes", "Volt Typhoon"] -action.risk = 1 -action.risk.param._risk_message = Execution of copy exe to copy file from $process$ in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 63}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Suspicious Copy on System32 - Rule -action.correlationsearch.annotations = {"analytic_story": ["AsyncRAT", "IcedID", "Qakbot", "Sandworm Tools", "Unusual Processes", "Volt Typhoon"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036.003", "T1036"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "ce633e56-25b2-11ec-9e76-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic is to detect a suspicious copy of file from systemroot folder of the windows OS. This technique is commonly used by APT or other malware as part of execution (LOLBIN) to run its malicious code using the available legitimate tool in OS. this type of event may seen or may execute of normal user in some instance but this is really a anomaly that needs to be check within the network. -action.notable.param.rule_title = Suspicious Copy on System32 -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN("cmd.exe", "powershell*","pwsh.exe", "sqlps.exe", "sqltoolsps.exe", "powershell_ise.exe") AND `process_copy` AND Processes.process IN("*\\Windows\\System32\\*", "*\\Windows\\SysWow64\\*") AND Processes.process = "*copy*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id temp | `drop_dm_object_name(Processes)` | eval splitted_commandline=split(process," ") | eval first_cmdline=lower(mvindex(splitted_commandline,0)) | where NOT LIKE(first_cmdline,"%\\windows\\system32\\%") AND NOT LIKE(first_cmdline,"%\\windows\\syswow64\\%") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`suspicious_copy_on_system32_filter` - -[ESCU - Suspicious Curl Network Connection - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies the use of a curl contacting suspicious remote domains to checkin to Command And Control servers or download further implants. In the context of Silver Sparrow, curl is identified contacting s3.amazonaws.com. This particular behavior is common with MacOS adware-malicious software. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the use of a curl contacting suspicious remote domains to checkin to Command And Control servers or download further implants. In the context of Silver Sparrow, curl is identified contacting s3.amazonaws.com. This particular behavior is common with MacOS adware-malicious software. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Unknown. Filter as needed. -action.escu.creation_date = 2021-02-22 -action.escu.modification_date = 2021-02-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Suspicious Curl Network Connection - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Ingress Tool Transfer", "Linux Living Off The Land", "Silver Sparrow"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Suspicious Curl Network Connection - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ingress Tool Transfer", "Linux Living Off The Land", "Silver Sparrow"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "3f613dc0-21f2-4063-93b1-5d3c15eef22f", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the use of a curl contacting suspicious remote domains to checkin to Command And Control servers or download further implants. In the context of Silver Sparrow, curl is identified contacting s3.amazonaws.com. This particular behavior is common with MacOS adware-malicious software. -action.notable.param.rule_title = Suspicious Curl Network Connection -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=curl Processes.process=s3.amazonaws.com by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_curl_network_connection_filter` - -[ESCU - Suspicious DLLHost no Command Line Arguments - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Limited false positives may be present in small environments. Tuning may be required based on parent process. -action.escu.creation_date = 2023-07-10 -action.escu.modification_date = 2023-07-10 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Suspicious DLLHost no Command Line Arguments - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"] -action.risk = 1 -action.risk.param._risk_message = Suspicious dllhost.exe process with no command line arguments executed on $dest$ by $user$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Suspicious DLLHost no Command Line Arguments - Rule -action.correlationsearch.annotations = {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "ff61e98c-0337-4593-a78f-72a676c56f26", "detection_version": "4"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. -action.notable.param.rule_title = Suspicious DLLHost no Command Line Arguments -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_dllhost` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process="(?i)(dllhost\.exe.{0,4}$)" | `suspicious_dllhost_no_command_line_arguments_filter` - -[ESCU - Suspicious Driver Loaded Path - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic will detect suspicious driver loaded paths. This technique is commonly used by malicious software like coin miners (xmrig) to register its malicious driver from notable directories where executable or drivers do not commonly exist. During triage, validate this driver is for legitimate business use. Review the metadata and certificate information. Unsigned drivers from non-standard paths is not normal, but occurs. In addition, review driver loads into `ntoskrnl.exe` for possible other drivers of interest. Long tail analyze drivers by path (outside of default, and in default) for further review. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1543.003", "T1543"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic will detect suspicious driver loaded paths. This technique is commonly used by malicious software like coin miners (xmrig) to register its malicious driver from notable directories where executable or drivers do not commonly exist. During triage, validate this driver is for legitimate business use. Review the metadata and certificate information. Unsigned drivers from non-standard paths is not normal, but occurs. In addition, review driver loads into `ntoskrnl.exe` for possible other drivers of interest. Long tail analyze drivers by path (outside of default, and in default) for further review. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the driver loaded and Signature from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -action.escu.known_false_positives = Limited false positives will be present. Some applications do load drivers -action.escu.creation_date = 2021-04-29 -action.escu.modification_date = 2021-04-29 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Suspicious Driver Loaded Path - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["AgentTesla", "BlackByte Ransomware", "CISA AA22-320A", "Snake Keylogger", "XMRig"] -action.risk = 1 -action.risk.param._risk_message = Suspicious driver $file_name$ on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}, {"threat_object_field": "file_name", "threat_object_type": "file_name"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Suspicious Driver Loaded Path - Rule -action.correlationsearch.annotations = {"analytic_story": ["AgentTesla", "BlackByte Ransomware", "CISA AA22-320A", "Snake Keylogger", "XMRig"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1543.003", "T1543"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "f880acd4-a8f1-11eb-a53b-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic will detect suspicious driver loaded paths. This technique is commonly used by malicious software like coin miners (xmrig) to register its malicious driver from notable directories where executable or drivers do not commonly exist. During triage, validate this driver is for legitimate business use. Review the metadata and certificate information. Unsigned drivers from non-standard paths is not normal, but occurs. In addition, review driver loads into `ntoskrnl.exe` for possible other drivers of interest. Long tail analyze drivers by path (outside of default, and in default) for further review. -action.notable.param.rule_title = Suspicious Driver Loaded Path -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=6 ImageLoaded = "*.sys" NOT (ImageLoaded IN("*\\WINDOWS\\inf","*\\WINDOWS\\System32\\drivers\\*", "*\\WINDOWS\\System32\\DriverStore\\FileRepository\\*")) | stats min(_time) as firstTime max(_time) as lastTime count by dest ImageLoaded Hashes IMPHASH Signature Signed| rename ImageLoaded as file_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_driver_loaded_path_filter` - -[ESCU - Suspicious Event Log Service Behavior - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic utilizes Windows Event ID 1100 to identify when Windows event log service is shutdown. Note that this is a voluminous analytic that will require tuning or restricted to specific endpoints based on criticality. This event generates every time Windows Event Log service has shut down. It also generates during normal system shutdown. During triage, based on time of day and user, determine if this was planned. If not planned, follow through with reviewing parallel alerts and other data sources to determine what else may have occurred. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070", "T1070.001"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic utilizes Windows Event ID 1100 to identify when Windows event log service is shutdown. Note that this is a voluminous analytic that will require tuning or restricted to specific endpoints based on criticality. This event generates every time Windows Event Log service has shut down. It also generates during normal system shutdown. During triage, based on time of day and user, determine if this was planned. If not planned, follow through with reviewing parallel alerts and other data sources to determine what else may have occurred. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Windows event logs from your hosts. In addition, the Splunk Windows TA is needed. -action.escu.known_false_positives = It is possible the Event Logging service gets shut down due to system errors or legitimately administration tasks. Filter as needed. -action.escu.creation_date = 2024-04-26 -action.escu.modification_date = 2024-04-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Suspicious Event Log Service Behavior - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Clop Ransomware", "Ransomware", "Windows Log Manipulation"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Suspicious Event Log Service Behavior - Rule -action.correlationsearch.annotations = {"analytic_story": ["Clop Ransomware", "Ransomware", "Windows Log Manipulation"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070", "T1070.001"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "2b85aa3d-f5f6-4c2e-a081-a09f6e1c2e40", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = (`wineventlog_security` EventCode=1100) | stats count min(_time) as firstTime max(_time) as lastTime by dest name EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `suspicious_event_log_service_behavior_filter` - -[ESCU - Suspicious GPUpdate no Command Line Arguments - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies gpupdate.exe with no command line arguments. It is unusual for gpupdate.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. gpupdate.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies gpupdate.exe with no command line arguments. It is unusual for gpupdate.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. gpupdate.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Limited false positives may be present in small environments. Tuning may be required based on parent process. -action.escu.creation_date = 2023-07-10 -action.escu.modification_date = 2023-07-10 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Suspicious GPUpdate no Command Line Arguments - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"] -action.risk = 1 -action.risk.param._risk_message = Suspicious gpupdate.exe process with no command line arguments executed on $dest$ by $user$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Suspicious GPUpdate no Command Line Arguments - Rule -action.correlationsearch.annotations = {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "f308490a-473a-40ef-ae64-dd7a6eba284a", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies gpupdate.exe with no command line arguments. It is unusual for gpupdate.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. gpupdate.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. -action.notable.param.rule_title = Suspicious GPUpdate no Command Line Arguments -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_gpupdate` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process="(?i)(gpupdate\.exe.{0,4}$)" | `suspicious_gpupdate_no_command_line_arguments_filter` - -[ESCU - Suspicious IcedID Rundll32 Cmdline - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search is to detect a suspicious rundll32.exe commandline to execute dll file. This technique was seen in IcedID malware to load its payload dll with the following parameter to load encrypted dll payload which is the license.dat. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search is to detect a suspicious rundll32.exe commandline to execute dll file. This technique was seen in IcedID malware to load its payload dll with the following parameter to load encrypted dll payload which is the license.dat. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = limitted. this parameter is not commonly used by windows application but can be used by the network operator. -action.escu.creation_date = 2021-07-26 -action.escu.modification_date = 2021-07-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Suspicious IcedID Rundll32 Cmdline - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["IcedID", "Living Off The Land"] -action.risk = 1 -action.risk.param._risk_message = rundll32 process $process_name$ with commandline $process$ in host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"threat_object_field": "process_name", "threat_object_type": "process"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Suspicious IcedID Rundll32 Cmdline - Rule -action.correlationsearch.annotations = {"analytic_story": ["IcedID", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "bed761f8-ee29-11eb-8bf3-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search is to detect a suspicious rundll32.exe commandline to execute dll file. This technique was seen in IcedID malware to load its payload dll with the following parameter to load encrypted dll payload which is the license.dat. -action.notable.param.rule_title = Suspicious IcedID Rundll32 Cmdline -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*/i:* by Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_icedid_rundll32_cmdline_filter` - -[ESCU - Suspicious Image Creation In Appdata Folder - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search is to detect a suspicious creation of image in appdata folder made by process that also has a file reference in appdata folder. This technique was seen in remcos rat that capture screenshot of the compromised machine and place it in the appdata and will be send to its C2 server. This TTP is really a good indicator to check that process because it is in suspicious folder path and image files are not commonly created by user in this folder path. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1113"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search is to detect a suspicious creation of image in appdata folder made by process that also has a file reference in appdata folder. This technique was seen in remcos rat that capture screenshot of the compromised machine and place it in the appdata and will be send to its C2 server. This TTP is really a good indicator to check that process because it is in suspicious folder path and image files are not commonly created by user in this folder path. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2022-07-07 -action.escu.modification_date = 2022-07-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Suspicious Image Creation In Appdata Folder - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Remcos"] -action.risk = 1 -action.risk.param._risk_message = Process $process_name$ creating image file $file_path$ in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"threat_object_field": "process_name", "threat_object_type": "process"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Suspicious Image Creation In Appdata Folder - Rule -action.correlationsearch.annotations = {"analytic_story": ["Remcos"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1113"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "f6f904c4-1ac0-11ec-806b-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search is to detect a suspicious creation of image in appdata folder made by process that also has a file reference in appdata folder. This technique was seen in remcos rat that capture screenshot of the compromised machine and place it in the appdata and will be send to its C2 server. This TTP is really a good indicator to check that process because it is in suspicious folder path and image files are not commonly created by user in this folder path. -action.notable.param.rule_title = Suspicious Image Creation In Appdata Folder -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=*.exe Processes.process_path="*\\appdata\\Roaming\\*" by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.process_guid | `drop_dm_object_name(Processes)` |rename process_guid as proc_guid |join proc_guid, _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*.png","*.jpg","*.bmp","*.gif","*.tiff") Filesystem.file_path= "*\\appdata\\Roaming\\*" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)` |rename process_guid as proc_guid | fields _time dest file_create_time file_name file_path process_name process_path process proc_guid] | `suspicious_image_creation_in_appdata_folder_filter` - -[ESCU - Suspicious Kerberos Service Ticket Request - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = As part of the sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287) exploitation chain, adversaries will request and obtain a Kerberos Service Ticket (TGS) with a domain controller computer account as the Service Name. This Service Ticket can be then used to take control of the domain controller on the final part of the attack. This analytic leverages Event Id 4769, `A Kerberos service ticket was requested`, to identify an unusual TGS request where the Account_Name requesting the ticket matches the Service_Name field. This behavior could represent an exploitation attempt of CVE-2021-42278 and CVE-2021-42287 for privilege escalation. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078", "T1078.002"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = As part of the sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287) exploitation chain, adversaries will request and obtain a Kerberos Service Ticket (TGS) with a domain controller computer account as the Service Name. This Service Ticket can be then used to take control of the domain controller on the final part of the attack. This analytic leverages Event Id 4769, `A Kerberos service ticket was requested`, to identify an unusual TGS request where the Account_Name requesting the ticket matches the Service_Name field. This behavior could represent an exploitation attempt of CVE-2021-42278 and CVE-2021-42287 for privilege escalation. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. -action.escu.known_false_positives = We have tested this detection logic with ~2 million 4769 events and did not identify false positives. However, they may be possible in certain environments. Filter as needed. -action.escu.creation_date = 2024-04-26 -action.escu.modification_date = 2024-04-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Suspicious Kerberos Service Ticket Request - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Kerberos Attacks", "Active Directory Privilege Escalation", "sAMAccountName Spoofing and Domain Controller Impersonation"] -action.risk = 1 -action.risk.param._risk_message = A suspicious Kerberos Service Ticket was requested by $user$ on host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 60}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Suspicious Kerberos Service Ticket Request - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Privilege Escalation", "sAMAccountName Spoofing and Domain Controller Impersonation"], "cis20": ["CIS 10"], "confidence": 60, "cve": ["CVE-2021-42287", "CVE-2021-42278"], "impact": 100, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078", "T1078.002"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "8b1297bc-6204-11ec-b7c4-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = As part of the sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287) exploitation chain, adversaries will request and obtain a Kerberos Service Ticket (TGS) with a domain controller computer account as the Service Name. This Service Ticket can be then used to take control of the domain controller on the final part of the attack. This analytic leverages Event Id 4769, `A Kerberos service ticket was requested`, to identify an unusual TGS request where the Account_Name requesting the ticket matches the Service_Name field. This behavior could represent an exploitation attempt of CVE-2021-42278 and CVE-2021-42287 for privilege escalation. -action.notable.param.rule_title = Suspicious Kerberos Service Ticket Request -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4769 | eval isSuspicious = if(lower(ServiceName) = lower(mvindex(split(TargetUserName,"@"),0)),1,0) | where isSuspicious = 1 | rename Computer as dest| rename TargetUserName as user | table _time, dest, src_ip, user, ServiceName, Error_Code, isSuspicious | `suspicious_kerberos_service_ticket_request_filter` - -[ESCU - Suspicious Linux Discovery Commands - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search, detects execution of suspicious bash commands from various commonly leveraged bash scripts like (AutoSUID, LinEnum, LinPeas) to perform discovery of possible paths of privilege execution, password files, vulnerable directories, executables and file permissions on a Linux host. \ -The search logic specifically looks for high number of distinct commands run in a short period of time. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.004"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search, detects execution of suspicious bash commands from various commonly leveraged bash scripts like (AutoSUID, LinEnum, LinPeas) to perform discovery of possible paths of privilege execution, password files, vulnerable directories, executables and file permissions on a Linux host. \ -The search logic specifically looks for high number of distinct commands run in a short period of time. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Unless an administrator is using these commands to troubleshoot or audit a system, the execution of these commands should be monitored. -action.escu.creation_date = 2021-12-06 -action.escu.modification_date = 2021-12-06 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Suspicious Linux Discovery Commands - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Post-Exploitation"] -action.risk = 1 -action.risk.param._risk_message = Suspicious Linux Discovery Commands detected on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 81}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Suspicious Linux Discovery Commands - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Post-Exploitation"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.004"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "0edd5112-56c9-11ec-b990-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search, detects execution of suspicious bash commands from various commonly leveraged bash scripts like (AutoSUID, LinEnum, LinPeas) to perform discovery of possible paths of privilege execution, password files, vulnerable directories, executables and file permissions on a Linux host. \ -The search logic specifically looks for high number of distinct commands run in a short period of time. -action.notable.param.rule_title = Suspicious Linux Discovery Commands -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count values(Processes.process) values(Processes.process_name) values(Processes.parent_process_name) dc(Processes.process) as distinct_commands dc(Processes.process_name) as distinct_process_names min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where [|inputlookup linux_tool_discovery_process.csv | rename process as Processes.process |table Processes.process] by _time span=5m Processes.user Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| where distinct_commands > 40 AND distinct_process_names > 3| `suspicious_linux_discovery_commands_filter` - -[ESCU - Suspicious microsoft workflow compiler rename - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a renamed instance of microsoft.workflow.compiler.exe. Microsoft.workflow.compiler.exe is natively found in C:\Windows\Microsoft.NET\Framework64\v4.0.30319 and is rarely utilized. When investigating, identify the executed code on disk and review. A spawned child process from microsoft.workflow.compiler.exe is uncommon. In any instance, microsoft.workflow.compiler.exe spawning from an Office product or any living off the land binary is highly suspect. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036", "T1127", "T1036.003"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a renamed instance of microsoft.workflow.compiler.exe. Microsoft.workflow.compiler.exe is natively found in C:\Windows\Microsoft.NET\Framework64\v4.0.30319 and is rarely utilized. When investigating, identify the executed code on disk and review. A spawned child process from microsoft.workflow.compiler.exe is uncommon. In any instance, microsoft.workflow.compiler.exe spawning from an Office product or any living off the land binary is highly suspect. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Although unlikely, some legitimate applications may use a moved copy of microsoft.workflow.compiler.exe, triggering a false positive. -action.escu.creation_date = 2023-11-07 -action.escu.modification_date = 2023-11-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Suspicious microsoft workflow compiler rename - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack", "Living Off The Land", "Masquerading - Rename System Utilities", "Trusted Developer Utilities Proxy Execution"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Suspicious microsoft workflow compiler rename - Rule -action.correlationsearch.annotations = {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack", "Living Off The Land", "Masquerading - Rename System Utilities", "Trusted Developer Utilities Proxy Execution"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036", "T1127", "T1036.003"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "f0db4464-55d9-11eb-ae93-0242ac130002", "detection_version": "5"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name!=microsoft.workflow.compiler.exe AND Processes.original_file_name=Microsoft.Workflow.Compiler.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_microsoft_workflow_compiler_rename_filter` - -[ESCU - Suspicious microsoft workflow compiler usage - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the usage of microsoft.workflow.compiler.exe, a rarely utilized executable typically found in C:\Windows\Microsoft.NET\Framework64\v4.0.30319. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution telemetry. The significance of this activity lies in its uncommon usage, which may indicate malicious intent such as code execution or persistence mechanisms. If confirmed malicious, an attacker could leverage this process to execute arbitrary code, potentially leading to unauthorized access or further compromise of the system. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1127"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the usage of microsoft.workflow.compiler.exe, a rarely utilized executable typically found in C:\Windows\Microsoft.NET\Framework64\v4.0.30319. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution telemetry. The significance of this activity lies in its uncommon usage, which may indicate malicious intent such as code execution or persistence mechanisms. If confirmed malicious, an attacker could leverage this process to execute arbitrary code, potentially leading to unauthorized access or further compromise of the system. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Although unlikely, limited instances have been identified coming from native Microsoft utilities similar to SCCM. -action.escu.creation_date = 2024-05-03 -action.escu.modification_date = 2024-05-03 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Suspicious microsoft workflow compiler usage - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Living Off The Land", "Trusted Developer Utilities Proxy Execution"] -action.risk = 1 -action.risk.param._risk_message = Suspicious microsoft.workflow.compiler.exe process ran on $dest$ by $user$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 35}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 35}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Suspicious microsoft workflow compiler usage - Rule -action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land", "Trusted Developer Utilities Proxy Execution"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1127"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "9bbc62e8-55d8-11eb-ae93-0242ac130002", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the usage of microsoft.workflow.compiler.exe, a rarely utilized executable typically found in C:\Windows\Microsoft.NET\Framework64\v4.0.30319. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution telemetry. The significance of this activity lies in its uncommon usage, which may indicate malicious intent such as code execution or persistence mechanisms. If confirmed malicious, an attacker could leverage this process to execute arbitrary code, potentially leading to unauthorized access or further compromise of the system. -action.notable.param.rule_title = Suspicious microsoft workflow compiler usage -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_microsoftworkflowcompiler` by Processes.dest Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_microsoft_workflow_compiler_usage_filter` - -[ESCU - Suspicious msbuild path - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies msbuild.exe executing from a non-standard path. Msbuild.exe is natively found in C:\Windows\Microsoft.NET\Framework\v4.0.30319 and C:\Windows\Microsoft.NET\Framework64\v4.0.30319. Instances of Visual Studio will run a copy of msbuild.exe. A moved instance of MSBuild is suspicious, however there are instances of build applications that will move or use a copy of MSBuild. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036", "T1127", "T1036.003", "T1127.001"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies msbuild.exe executing from a non-standard path. Msbuild.exe is natively found in C:\Windows\Microsoft.NET\Framework\v4.0.30319 and C:\Windows\Microsoft.NET\Framework64\v4.0.30319. Instances of Visual Studio will run a copy of msbuild.exe. A moved instance of MSBuild is suspicious, however there are instances of build applications that will move or use a copy of MSBuild. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Some legitimate applications may use a moved copy of msbuild.exe, triggering a false positive. Baselining of MSBuild.exe usage is recommended to better understand it's path usage. Visual Studio runs an instance out of a path that will need to be filtered on. -action.escu.creation_date = 2023-07-10 -action.escu.modification_date = 2023-07-10 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Suspicious msbuild path - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack", "Living Off The Land", "Masquerading - Rename System Utilities", "Trusted Developer Utilities Proxy Execution MSBuild"] -action.risk = 1 -action.risk.param._risk_message = Msbuild.exe ran from an uncommon path on $dest$ execyted by $user$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Suspicious msbuild path - Rule -action.correlationsearch.annotations = {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack", "Living Off The Land", "Masquerading - Rename System Utilities", "Trusted Developer Utilities Proxy Execution MSBuild"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036", "T1127", "T1036.003", "T1127.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "f5198224-551c-11eb-ae93-0242ac130002", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies msbuild.exe executing from a non-standard path. Msbuild.exe is natively found in C:\Windows\Microsoft.NET\Framework\v4.0.30319 and C:\Windows\Microsoft.NET\Framework64\v4.0.30319. Instances of Visual Studio will run a copy of msbuild.exe. A moved instance of MSBuild is suspicious, however there are instances of build applications that will move or use a copy of MSBuild. -action.notable.param.rule_title = Suspicious msbuild path -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_msbuild` AND (Processes.process_path!=*\\framework*\\v*\\*) by Processes.dest Processes.original_file_name Processes.parent_process Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `suspicious_msbuild_path_filter` - -[ESCU - Suspicious MSBuild Rename - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the execution of renamed instances of msbuild.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and original file names within the Endpoint data model. This activity is significant because msbuild.exe is a legitimate tool often abused by attackers to execute malicious code while evading detection. If confirmed malicious, this behavior could allow an attacker to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further lateral movement within the network. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036", "T1127", "T1036.003", "T1127.001"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the execution of renamed instances of msbuild.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and original file names within the Endpoint data model. This activity is significant because msbuild.exe is a legitimate tool often abused by attackers to execute malicious code while evading detection. If confirmed malicious, this behavior could allow an attacker to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further lateral movement within the network. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Although unlikely, some legitimate applications may use a moved copy of msbuild, triggering a false positive. -action.escu.creation_date = 2024-05-22 -action.escu.modification_date = 2024-05-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Suspicious MSBuild Rename - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack", "Living Off The Land", "Masquerading - Rename System Utilities", "Trusted Developer Utilities Proxy Execution MSBuild"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Suspicious MSBuild Rename - Rule -action.correlationsearch.annotations = {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack", "Living Off The Land", "Masquerading - Rename System Utilities", "Trusted Developer Utilities Proxy Execution MSBuild"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036", "T1127", "T1036.003", "T1127.001"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "4006adac-5937-11eb-ae93-0242ac130002", "detection_version": "5"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name!=msbuild.exe AND Processes.original_file_name=MSBuild.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_msbuild_rename_filter` - -[ESCU - Suspicious MSBuild Spawn - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies wmiprvse.exe spawning msbuild.exe. This behavior is indicative of a COM object being utilized to spawn msbuild from wmiprvse.exe. It is common for MSBuild.exe to be spawned from devenv.exe while using Visual Studio. In this instance, there will be command line arguments and file paths. In a malicious instance, MSBuild.exe will spawn from non-standard processes and have no command line arguments. For example, MSBuild.exe spawning from explorer.exe, powershell.exe is far less common and should be investigated. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1127", "T1127.001"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies wmiprvse.exe spawning msbuild.exe. This behavior is indicative of a COM object being utilized to spawn msbuild from wmiprvse.exe. It is common for MSBuild.exe to be spawned from devenv.exe while using Visual Studio. In this instance, there will be command line arguments and file paths. In a malicious instance, MSBuild.exe will spawn from non-standard processes and have no command line arguments. For example, MSBuild.exe spawning from explorer.exe, powershell.exe is far less common and should be investigated. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive. -action.escu.creation_date = 2021-01-12 -action.escu.modification_date = 2021-01-12 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Suspicious MSBuild Spawn - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Living Off The Land", "Trusted Developer Utilities Proxy Execution MSBuild"] -action.risk = 1 -action.risk.param._risk_message = Suspicious msbuild.exe process executed on $dest$ by $user$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 42}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 42}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Suspicious MSBuild Spawn - Rule -action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land", "Trusted Developer Utilities Proxy Execution MSBuild"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1127", "T1127.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a115fba6-5514-11eb-ae93-0242ac130002", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies wmiprvse.exe spawning msbuild.exe. This behavior is indicative of a COM object being utilized to spawn msbuild from wmiprvse.exe. It is common for MSBuild.exe to be spawned from devenv.exe while using Visual Studio. In this instance, there will be command line arguments and file paths. In a malicious instance, MSBuild.exe will spawn from non-standard processes and have no command line arguments. For example, MSBuild.exe spawning from explorer.exe, powershell.exe is far less common and should be investigated. -action.notable.param.rule_title = Suspicious MSBuild Spawn -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=wmiprvse.exe AND `process_msbuild` by Processes.dest Processes.parent_process Processes.original_file_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_msbuild_spawn_filter` - -[ESCU - Suspicious mshta child process - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies child processes spawning from "mshta.exe". The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, parent process "mshta.exe" and its child process. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies child processes spawning from "mshta.exe". The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, parent process "mshta.exe" and its child process. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive. -action.escu.creation_date = 2024-01-01 -action.escu.modification_date = 2024-01-01 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Suspicious mshta child process - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Living Off The Land", "Suspicious MSHTA Activity"] -action.risk = 1 -action.risk.param._risk_message = suspicious mshta child process detected on host $dest$ by user $user$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 40}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 40}, {"threat_object_field": "process_name", "threat_object_type": "process"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Suspicious mshta child process - Rule -action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land", "Suspicious MSHTA Activity"], "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "60023bb6-5500-11eb-ae93-0242ac130002", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies child processes spawning from "mshta.exe". The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, parent process "mshta.exe" and its child process. -action.notable.param.rule_title = Suspicious mshta child process -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=mshta.exe AND (Processes.process_name=powershell.exe OR Processes.process_name=colorcpl.exe OR Processes.process_name=msbuild.exe OR Processes.process_name=microsoft.workflow.compiler.exe OR Processes.process_name=searchprotocolhost.exe OR Processes.process_name=scrcons.exe OR Processes.process_name=cscript.exe OR Processes.process_name=wscript.exe OR Processes.process_name=powershell.exe OR Processes.process_name=cmd.exe) by Processes.dest Processes.parent_process Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_mshta_child_process_filter` - -[ESCU - Suspicious mshta spawn - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the spawning of mshta.exe by wmiprvse.exe or svchost.exe. This behavior is identified using Endpoint Detection and Response (EDR) data, focusing on process creation events where the parent process is either wmiprvse.exe or svchost.exe. This activity is significant as it may indicate the use of a DCOM object to execute malicious scripts via mshta.exe, a common tactic in sophisticated attacks. If confirmed malicious, this could allow an attacker to execute arbitrary code, potentially leading to system compromise and further malicious activities. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the spawning of mshta.exe by wmiprvse.exe or svchost.exe. This behavior is identified using Endpoint Detection and Response (EDR) data, focusing on process creation events where the parent process is either wmiprvse.exe or svchost.exe. This activity is significant as it may indicate the use of a DCOM object to execute malicious scripts via mshta.exe, a common tactic in sophisticated attacks. If confirmed malicious, this could allow an attacker to execute arbitrary code, potentially leading to system compromise and further malicious activities. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive. -action.escu.creation_date = 2024-05-14 -action.escu.modification_date = 2024-05-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Suspicious mshta spawn - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Living Off The Land", "Suspicious MSHTA Activity"] -action.risk = 1 -action.risk.param._risk_message = mshta.exe spawned by wmiprvse.exe on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 42}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Suspicious mshta spawn - Rule -action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land", "Suspicious MSHTA Activity"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "4d33a488-5b5f-11eb-ae93-0242ac130002", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the spawning of mshta.exe by wmiprvse.exe or svchost.exe. This behavior is identified using Endpoint Detection and Response (EDR) data, focusing on process creation events where the parent process is either wmiprvse.exe or svchost.exe. This activity is significant as it may indicate the use of a DCOM object to execute malicious scripts via mshta.exe, a common tactic in sophisticated attacks. If confirmed malicious, this could allow an attacker to execute arbitrary code, potentially leading to system compromise and further malicious activities. -action.notable.param.rule_title = Suspicious mshta spawn -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=svchost.exe OR Processes.parent_process_name=wmiprvse.exe) AND `process_mshta` by Processes.dest Processes.parent_process Processes.user Processes.original_file_name| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_mshta_spawn_filter` - -[ESCU - Suspicious PlistBuddy Usage - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies the use of a native MacOS utility, PlistBuddy, creating or modifying a properly list (.plist) file. In the instance of Silver Sparrow, the following commands were executed: \ -* PlistBuddy -c "Add :Label string init_verx" ~/Library/Launchagents/init_verx.plist \ -* PlistBuddy -c "Add :RunAtLoad bool true" ~/Library/Launchagents/init_verx.plist \ -* PlistBuddy -c "Add :StartInterval integer 3600" ~/Library/Launchagents/init_verx.plist \ -* PlistBuddy -c "Add :ProgramArguments array" ~/Library/Launchagents/init_verx.plist \ -* PlistBuddy -c "Add :ProgramArguments:0 string /bin/sh" ~/Library/Launchagents/init_verx.plist \ -* PlistBuddy -c "Add :ProgramArguments:1 string -c" ~/Library/Launchagents/init_verx.plist \ -Upon triage, capture the property list file being written to disk and review for further indicators. Contain the endpoint and triage further. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1543.001", "T1543"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the use of a native MacOS utility, PlistBuddy, creating or modifying a properly list (.plist) file. In the instance of Silver Sparrow, the following commands were executed: \ -* PlistBuddy -c "Add :Label string init_verx" ~/Library/Launchagents/init_verx.plist \ -* PlistBuddy -c "Add :RunAtLoad bool true" ~/Library/Launchagents/init_verx.plist \ -* PlistBuddy -c "Add :StartInterval integer 3600" ~/Library/Launchagents/init_verx.plist \ -* PlistBuddy -c "Add :ProgramArguments array" ~/Library/Launchagents/init_verx.plist \ -* PlistBuddy -c "Add :ProgramArguments:0 string /bin/sh" ~/Library/Launchagents/init_verx.plist \ -* PlistBuddy -c "Add :ProgramArguments:1 string -c" ~/Library/Launchagents/init_verx.plist \ -Upon triage, capture the property list file being written to disk and review for further indicators. Contain the endpoint and triage further. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Some legitimate applications may use PlistBuddy to create or modify property lists and possibly generate false positives. Review the property list being modified or created to confirm. -action.escu.creation_date = 2021-02-22 -action.escu.modification_date = 2021-02-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Suspicious PlistBuddy Usage - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Silver Sparrow"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Suspicious PlistBuddy Usage - Rule -action.correlationsearch.annotations = {"analytic_story": ["Silver Sparrow"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1543.001", "T1543"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c3194009-e0eb-4f84-87a9-4070f8688f00", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the use of a native MacOS utility, PlistBuddy, creating or modifying a properly list (.plist) file. In the instance of Silver Sparrow, the following commands were executed: \ -* PlistBuddy -c "Add :Label string init_verx" ~/Library/Launchagents/init_verx.plist \ -* PlistBuddy -c "Add :RunAtLoad bool true" ~/Library/Launchagents/init_verx.plist \ -* PlistBuddy -c "Add :StartInterval integer 3600" ~/Library/Launchagents/init_verx.plist \ -* PlistBuddy -c "Add :ProgramArguments array" ~/Library/Launchagents/init_verx.plist \ -* PlistBuddy -c "Add :ProgramArguments:0 string /bin/sh" ~/Library/Launchagents/init_verx.plist \ -* PlistBuddy -c "Add :ProgramArguments:1 string -c" ~/Library/Launchagents/init_verx.plist \ -Upon triage, capture the property list file being written to disk and review for further indicators. Contain the endpoint and triage further. -action.notable.param.rule_title = Suspicious PlistBuddy Usage -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=PlistBuddy (Processes.process=*LaunchAgents* OR Processes.process=*RunAtLoad* OR Processes.process=*true*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_plistbuddy_usage_filter` - -[ESCU - Suspicious PlistBuddy Usage via OSquery - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies the use of a native MacOS utility, PlistBuddy, creating or modifying a properly list (.plist) file. In the instance of Silver Sparrow, the following commands were executed: \ -* PlistBuddy -c "Add :Label string init_verx" ~/Library/Launchagents/init_verx.plist \ -* PlistBuddy -c "Add :RunAtLoad bool true" ~/Library/Launchagents/init_verx.plist \ -* PlistBuddy -c "Add :StartInterval integer 3600" ~/Library/Launchagents/init_verx.plist \ -* PlistBuddy -c "Add :ProgramArguments array" ~/Library/Launchagents/init_verx.plist \ -* PlistBuddy -c "Add :ProgramArguments:0 string /bin/sh" ~/Library/Launchagents/init_verx.plist \ -* PlistBuddy -c "Add :ProgramArguments:1 string -c" ~/Library/Launchagents/init_verx.plist \ -Upon triage, capture the property list file being written to disk and review for further indicators. Contain the endpoint and triage further. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1543.001", "T1543"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies the use of a native MacOS utility, PlistBuddy, creating or modifying a properly list (.plist) file. In the instance of Silver Sparrow, the following commands were executed: \ -* PlistBuddy -c "Add :Label string init_verx" ~/Library/Launchagents/init_verx.plist \ -* PlistBuddy -c "Add :RunAtLoad bool true" ~/Library/Launchagents/init_verx.plist \ -* PlistBuddy -c "Add :StartInterval integer 3600" ~/Library/Launchagents/init_verx.plist \ -* PlistBuddy -c "Add :ProgramArguments array" ~/Library/Launchagents/init_verx.plist \ -* PlistBuddy -c "Add :ProgramArguments:0 string /bin/sh" ~/Library/Launchagents/init_verx.plist \ -* PlistBuddy -c "Add :ProgramArguments:1 string -c" ~/Library/Launchagents/init_verx.plist \ -Upon triage, capture the property list file being written to disk and review for further indicators. Contain the endpoint and triage further. -action.escu.how_to_implement = OSQuery must be installed and configured to pick up process events (info at https://osquery.io) as well as using the Splunk OSQuery Add-on https://splunkbase.splunk.com/app/4402. Modify the macro and validate fields are correct. -action.escu.known_false_positives = Some legitimate applications may use PlistBuddy to create or modify property lists and possibly generate false positives. Review the property list being modified or created to confirm. -action.escu.creation_date = 2021-02-22 -action.escu.modification_date = 2021-02-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Suspicious PlistBuddy Usage via OSquery - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Silver Sparrow"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Suspicious PlistBuddy Usage via OSquery - Rule -action.correlationsearch.annotations = {"analytic_story": ["Silver Sparrow"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1543.001", "T1543"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "20ba6c32-c733-4a32-b64e-2688cf231399", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the use of a native MacOS utility, PlistBuddy, creating or modifying a properly list (.plist) file. In the instance of Silver Sparrow, the following commands were executed: \ -* PlistBuddy -c "Add :Label string init_verx" ~/Library/Launchagents/init_verx.plist \ -* PlistBuddy -c "Add :RunAtLoad bool true" ~/Library/Launchagents/init_verx.plist \ -* PlistBuddy -c "Add :StartInterval integer 3600" ~/Library/Launchagents/init_verx.plist \ -* PlistBuddy -c "Add :ProgramArguments array" ~/Library/Launchagents/init_verx.plist \ -* PlistBuddy -c "Add :ProgramArguments:0 string /bin/sh" ~/Library/Launchagents/init_verx.plist \ -* PlistBuddy -c "Add :ProgramArguments:1 string -c" ~/Library/Launchagents/init_verx.plist \ -Upon triage, capture the property list file being written to disk and review for further indicators. Contain the endpoint and triage further. -action.notable.param.rule_title = Suspicious PlistBuddy Usage via OSquery -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `osquery_process` "columns.cmdline"="*LaunchAgents*" OR "columns.cmdline"="*RunAtLoad*" OR "columns.cmdline"="*true*" | `suspicious_plistbuddy_usage_via_osquery_filter` - -[ESCU - Suspicious Process DNS Query Known Abuse Web Services - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects a suspicious process making a DNS query via known, abused text-paste web services, VoIP, instant messaging, and digital distribution platforms used to download external files. This technique is abused by adversaries, malware actors, and red teams to download a malicious file on the target host. This is a good TTP indicator for possible initial access techniques. A user will experience false positives if the following instant messaging is allowed or common applications like telegram or discord are allowed in the corporate network. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.005", "T1059"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects a suspicious process making a DNS query via known, abused text-paste web services, VoIP, instant messaging, and digital distribution platforms used to download external files. This technique is abused by adversaries, malware actors, and red teams to download a malicious file on the target host. This is a good TTP indicator for possible initial access techniques. A user will experience false positives if the following instant messaging is allowed or common applications like telegram or discord are allowed in the corporate network. -action.escu.how_to_implement = This detection relies on sysmon logs with the Event ID 22, DNS Query. We suggest you run this detection at least once a day over the last 14 days. -action.escu.known_false_positives = Noise and false positive can be seen if the following instant messaging is allowed to use within corporate network. In this case, a filter is needed. -action.escu.creation_date = 2023-04-14 -action.escu.modification_date = 2023-04-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Suspicious Process DNS Query Known Abuse Web Services - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["Data Destruction", "Phemedrone Stealer", "Remcos", "Snake Keylogger", "WhisperGate"] -action.risk = 1 -action.risk.param._risk_message = suspicious process $process_name$ has a dns query in $QueryName$ on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}, {"threat_object_field": "process_name", "threat_object_type": "process"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Suspicious Process DNS Query Known Abuse Web Services - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Phemedrone Stealer", "Remcos", "Snake Keylogger", "WhisperGate"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.005", "T1059"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "3cf0dc36-484d-11ec-a6bc-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects a suspicious process making a DNS query via known, abused text-paste web services, VoIP, instant messaging, and digital distribution platforms used to download external files. This technique is abused by adversaries, malware actors, and red teams to download a malicious file on the target host. This is a good TTP indicator for possible initial access techniques. A user will experience false positives if the following instant messaging is allowed or common applications like telegram or discord are allowed in the corporate network. -action.notable.param.rule_title = Suspicious Process DNS Query Known Abuse Web Services -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=22 QueryName IN ("*pastebin*", "*discord*", "*api.telegram*","*t.me*") process_name IN ("cmd.exe", "*powershell*", "pwsh.exe", "wscript.exe","cscript.exe") OR Image IN ("*\\users\\public\\*", "*\\programdata\\*", "*\\temp\\*", "*\\Windows\\Tasks\\*", "*\\appdata\\*", "*\\perflogs\\*") | stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName QueryStatus process_name QueryResults Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_process_dns_query_known_abuse_web_services_filter` - -[ESCU - Suspicious Process Executed From Container File - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic identifies a suspicious process spawned by another process from within common container/archive file types. This technique was a common technique used by adversaries and malware to execute scripts or evade defenses. This TTP may detect some normal software installation or user behaviors where opening archive files is common. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1204.002", "T1036.008"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic identifies a suspicious process spawned by another process from within common container/archive file types. This technique was a common technique used by adversaries and malware to execute scripts or evade defenses. This TTP may detect some normal software installation or user behaviors where opening archive files is common. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Various business process or userland applications and behavior. -action.escu.creation_date = 2023-06-13 -action.escu.modification_date = 2023-06-13 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Suspicious Process Executed From Container File - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Amadey", "Remcos", "Snake Keylogger", "Unusual Processes"] -action.risk = 1 -action.risk.param._risk_message = A suspicious process $process_name$ was launched from $file_name$ on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 16}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 16}, {"threat_object_field": "file_name", "threat_object_type": "file_name"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Suspicious Process Executed From Container File - Rule -action.correlationsearch.annotations = {"analytic_story": ["Amadey", "Remcos", "Snake Keylogger", "Unusual Processes"], "cis20": ["CIS 10"], "confidence": 20, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1204.002", "T1036.008"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "d8120352-3b62-411c-8cb6-7b47584dd5e8", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic identifies a suspicious process spawned by another process from within common container/archive file types. This technique was a common technique used by adversaries and malware to execute scripts or evade defenses. This TTP may detect some normal software installation or user behaviors where opening archive files is common. -action.notable.param.rule_title = Suspicious Process Executed From Container File -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count values(Processes.process_name) as process_name min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN ("*.ZIP\\*","*.ISO\\*","*.IMG\\*","*.CAB\\*","*.TAR\\*","*.GZ\\*","*.RAR\\*","*.7Z\\*") AND Processes.action="allowed" by Processes.dest Processes.parent_process Processes.process Processes.user| `drop_dm_object_name(Processes)`| regex process="(?i).*(ZIP|ISO|IMG|CAB|TAR|GZ|RAR|7Z)\\\\.+\.(BAT|BIN|CAB|CMD|COM|CPL|EX_|EXE|GADGET|INF1|INS|INX||HTM|HTML|ISU|JAR|JOB|JS|JSE|LNK|MSC|MSI|MSP|MST|PAF|PIF|PS1|REG|RGS|SCR|SCT|SHB|SHS|U3P|VB|VBE|VBS|VBSCRIPT|WS|WSF|WSH)\"?$" | rex field=process "(?i).+\\\\(?[^\\\]+\.(ZIP|ISO|IMG|CAB|TAR|GZ|RAR|7Z))\\\\((.+\\\\)+)?(?.+\.(BAT|BIN|CAB|CMD|COM|CPL|EX_|EXE|GADGET|INF1|INS|INX||HTM|HTML|ISU|JAR|JOB|JS|JSE|LNK|MSC|MSI|MSP|MST|PAF|PIF|PS1|REG|RGS|SCR|SCT|SHB|SHS|U3P|VB|VBE|VBS|VBSCRIPT|WS|WSF|WSH))\"?$"| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_process_executed_from_container_file_filter` - -[ESCU - Suspicious Process File Path - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic identifies a suspicious processes running in file paths that are not typically associated with legitimate software. Adversaries often employ this technique to drop and execute malicious executables in accessible locations that do not require administrative privileges. By monitoring for processes running in such unconventional file paths, we can identify potential indicators of compromise and proactively respond to malicious activity. This analytic plays a crucial role in enhancing system security by pinpointing suspicious behaviors commonly associated with malware and unauthorized software execution. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1543"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic identifies a suspicious processes running in file paths that are not typically associated with legitimate software. Adversaries often employ this technique to drop and execute malicious executables in accessible locations that do not require administrative privileges. By monitoring for processes running in such unconventional file paths, we can identify potential indicators of compromise and proactively respond to malicious activity. This analytic plays a crucial role in enhancing system security by pinpointing suspicious behaviors commonly associated with malware and unauthorized software execution. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators may allow execution of specific binaries in non-standard paths. Filter as needed. -action.escu.creation_date = 2023-12-27 -action.escu.modification_date = 2023-12-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Suspicious Process File Path - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["AgentTesla", "Amadey", "AsyncRAT", "Azorult", "BlackByte Ransomware", "Brute Ratel C4", "CISA AA23-347A", "Chaos Ransomware", "DarkCrystal RAT", "DarkGate Malware", "Data Destruction", "Double Zero Destructor", "Graceful Wipe Out Attack", "Hermetic Wiper", "IcedID", "Industroyer2", "LockBit Ransomware", "Phemedrone Stealer", "PlugX", "Prestige Ransomware", "Qakbot", "RedLine Stealer", "Remcos", "Rhysida Ransomware", "Swift Slicer", "Trickbot", "Volt Typhoon", "Warzone RAT", "WhisperGate", "XMRig"] -action.risk = 1 -action.risk.param._risk_message = Suspicious process $process_name$ running from a suspicious process path- $process_path$ on host- $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 35}, {"threat_object_field": "process_path", "threat_object_type": "process"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Suspicious Process File Path - Rule -action.correlationsearch.annotations = {"analytic_story": ["AgentTesla", "Amadey", "AsyncRAT", "Azorult", "BlackByte Ransomware", "Brute Ratel C4", "CISA AA23-347A", "Chaos Ransomware", "DarkCrystal RAT", "DarkGate Malware", "Data Destruction", "Double Zero Destructor", "Graceful Wipe Out Attack", "Hermetic Wiper", "IcedID", "Industroyer2", "LockBit Ransomware", "Phemedrone Stealer", "PlugX", "Prestige Ransomware", "Qakbot", "RedLine Stealer", "Remcos", "Rhysida Ransomware", "Swift Slicer", "Trickbot", "Volt Typhoon", "Warzone RAT", "WhisperGate", "XMRig"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1543"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "9be25988-ad82-11eb-a14f-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic identifies a suspicious processes running in file paths that are not typically associated with legitimate software. Adversaries often employ this technique to drop and execute malicious executables in accessible locations that do not require administrative privileges. By monitoring for processes running in such unconventional file paths, we can identify potential indicators of compromise and proactively respond to malicious activity. This analytic plays a crucial role in enhancing system security by pinpointing suspicious behaviors commonly associated with malware and unauthorized software execution. -action.notable.param.rule_title = Suspicious Process File Path -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_path = "*\\windows\\fonts\\*" OR Processes.process_path = "*\\windows\\temp\\*" OR Processes.process_path = "*\\users\\public\\*" OR Processes.process_path = "*\\windows\\debug\\*" OR Processes.process_path = "*\\Users\\Administrator\\Music\\*" OR Processes.process_path = "*\\Windows\\servicing\\*" OR Processes.process_path = "*\\Users\\Default\\*" OR Processes.process_path = "*Recycle.bin*" OR Processes.process_path = "*\\Windows\\Media\\*" OR Processes.process_path = "\\Windows\\repair\\*" OR Processes.process_path = "*\\temp\\*" OR Processes.process_path = "*\\PerfLogs\\*" by Processes.parent_process_name Processes.parent_process Processes.process_path Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_process_file_path_filter` - -[ESCU - Suspicious Process With Discord DNS Query - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic identifies a process making a DNS query to Discord, a well known instant messaging and digital distribution platform. Discord can be abused by adversaries, as seen in the WhisperGate campaign, to host and download malicious. external files. A process resolving a Discord DNS name could be an indicator of malware trying to download files from Discord for further execution. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.005", "T1059"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic identifies a process making a DNS query to Discord, a well known instant messaging and digital distribution platform. Discord can be abused by adversaries, as seen in the WhisperGate campaign, to host and download malicious. external files. A process resolving a Discord DNS name could be an indicator of malware trying to download files from Discord for further execution. -action.escu.how_to_implement = his detection relies on sysmon logs with the Event ID 22, DNS Query. -action.escu.known_false_positives = Noise and false positive can be seen if the following instant messaging is allowed to use within corporate network. In this case, a filter is needed. -action.escu.creation_date = 2023-04-14 -action.escu.modification_date = 2023-04-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Suspicious Process With Discord DNS Query - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["Data Destruction", "WhisperGate"] -action.risk = 1 -action.risk.param._risk_message = suspicious process $process_name$ has a dns query in $QueryName$ on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}, {"threat_object_field": "process_name", "threat_object_type": "process"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Suspicious Process With Discord DNS Query - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "WhisperGate"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.005", "T1059"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "4d4332ae-792c-11ec-89c1-acde48001122", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=22 QueryName IN ("*discord*") Image != "*\\AppData\\Local\\Discord\\*" AND Image != "*\\Program Files*" AND Image != "discord.exe" | stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName QueryStatus process_name QueryResults Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_process_with_discord_dns_query_filter` - -[ESCU - Suspicious Reg exe Process - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies instances of reg.exe being launched from a command prompt (cmd.exe) that was not initiated by the user, as indicated by a parent process other than explorer.exe. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process names. This activity is significant because reg.exe is often used in registry manipulation, which can be indicative of malicious behavior such as persistence mechanisms or system configuration changes. If confirmed malicious, this could allow an attacker to modify critical system settings, potentially leading to privilege escalation or persistent access. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies instances of reg.exe being launched from a command prompt (cmd.exe) that was not initiated by the user, as indicated by a parent process other than explorer.exe. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process names. This activity is significant because reg.exe is often used in registry manipulation, which can be indicative of malicious behavior such as persistence mechanisms or system configuration changes. If confirmed malicious, this could allow an attacker to modify critical system settings, potentially leading to privilege escalation or persistent access. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = It's possible for system administrators to write scripts that exhibit this behavior. If this is the case, the search will need to be modified to filter them out. -action.escu.creation_date = 2024-05-19 -action.escu.modification_date = 2024-05-19 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Suspicious Reg exe Process - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["DHS Report TA18-074A", "Disabling Security Tools", "Windows Defense Evasion Tactics"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to add a registry entry. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 35}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 35}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 35}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 35}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Suspicious Reg exe Process - Rule -action.correlationsearch.annotations = {"analytic_story": ["DHS Report TA18-074A", "Disabling Security Tools", "Windows Defense Evasion Tactics"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a6b3ab4e-dd77-4213-95fa-fc94701995e0", "detection_version": "5"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.parent_process_name != explorer.exe Processes.process_name =cmd.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest Processes.process_id Processes.parent_process_id | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.parent_process_name=cmd.exe Processes.process_name= reg.exe by Processes.parent_process_id Processes.dest Processes.process_name | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename parent_process_id as process_id |dedup process_id| table process_id dest] | `suspicious_reg_exe_process_filter` - -[ESCU - Suspicious Regsvr32 Register Suspicious Path - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = Adversaries may abuse Regsvr32.exe to proxy execution of malicious code by using non-standard file extensions to load DLLs. Upon investigating, look for network connections to remote destinations (internal or external). Review additional parrallel processes and child processes for additional activity. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.010"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = Adversaries may abuse Regsvr32.exe to proxy execution of malicious code by using non-standard file extensions to load DLLs. Upon investigating, look for network connections to remote destinations (internal or external). Review additional parrallel processes and child processes for additional activity. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Limited false positives with the query restricted to specified paths. Add more world writeable paths as tuning continues. -action.escu.creation_date = 2023-03-02 -action.escu.modification_date = 2023-03-02 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Suspicious Regsvr32 Register Suspicious Path - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["IcedID", "Living Off The Land", "Qakbot", "Suspicious Regsvr32 Activity"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to evade detection by using a non-standard file extension. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 35}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 35}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 35}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 35}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Suspicious Regsvr32 Register Suspicious Path - Rule -action.correlationsearch.annotations = {"analytic_story": ["IcedID", "Living Off The Land", "Qakbot", "Suspicious Regsvr32 Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.010"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "62732736-6250-11eb-ae93-0242ac130002", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = Adversaries may abuse Regsvr32.exe to proxy execution of malicious code by using non-standard file extensions to load DLLs. Upon investigating, look for network connections to remote destinations (internal or external). Review additional parrallel processes and child processes for additional activity. -action.notable.param.rule_title = Suspicious Regsvr32 Register Suspicious Path -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_regsvr32` Processes.process IN ("*\\appdata\\*", "*\\programdata\\*","*\\windows\\temp\\*") NOT (Processes.process IN ("*.dll*", "*.ax*", "*.ocx*")) by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_regsvr32_register_suspicious_path_filter` - -[ESCU - Suspicious Rundll32 dllregisterserver - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies rundll32.exe using dllregisterserver on the command line to load a DLL. When a DLL is registered, the DllRegisterServer method entry point in the DLL is invoked. This is typically seen when a DLL is being registered on the system. Not every instance is considered malicious, but it will capture malicious use of it. During investigation, review the parent process and parrellel processes executing. Capture the DLL being loaded and inspect further. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies rundll32.exe using dllregisterserver on the command line to load a DLL. When a DLL is registered, the DllRegisterServer method entry point in the DLL is invoked. This is typically seen when a DLL is being registered on the system. Not every instance is considered malicious, but it will capture malicious use of it. During investigation, review the parent process and parrellel processes executing. Capture the DLL being loaded and inspect further. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = This is likely to produce false positives and will require some filtering. Tune the query by adding command line paths to known good DLLs, or filtering based on parent process names. -action.escu.creation_date = 2021-02-09 -action.escu.modification_date = 2021-02-09 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Suspicious Rundll32 dllregisterserver - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["IcedID", "Living Off The Land", "Suspicious Rundll32 Activity"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to register a DLL. code -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 35}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 35}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 35}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 35}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Suspicious Rundll32 dllregisterserver - Rule -action.correlationsearch.annotations = {"analytic_story": ["IcedID", "Living Off The Land", "Suspicious Rundll32 Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "8c00a385-9b86-4ac0-8932-c9ec3713b159", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies rundll32.exe using dllregisterserver on the command line to load a DLL. When a DLL is registered, the DllRegisterServer method entry point in the DLL is invoked. This is typically seen when a DLL is being registered on the system. Not every instance is considered malicious, but it will capture malicious use of it. During investigation, review the parent process and parrellel processes executing. Capture the DLL being loaded and inspect further. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. -action.notable.param.rule_title = Suspicious Rundll32 dllregisterserver -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*dllregisterserver* by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_rundll32_dllregisterserver_filter` - -[ESCU - Suspicious Rundll32 no Command Line Arguments - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies rundll32.exe with no command line arguments. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies rundll32.exe with no command line arguments. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Although unlikely, some legitimate applications may use a moved copy of rundll32, triggering a false positive. -action.escu.creation_date = 2023-07-10 -action.escu.modification_date = 2023-07-10 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Suspicious Rundll32 no Command Line Arguments - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack", "PrintNightmare CVE-2021-34527", "Suspicious Rundll32 Activity"] -action.risk = 1 -action.risk.param._risk_message = Suspicious rundll32.exe process with no command line arguments executed on $dest$ by $user$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Suspicious Rundll32 no Command Line Arguments - Rule -action.correlationsearch.annotations = {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack", "PrintNightmare CVE-2021-34527", "Suspicious Rundll32 Activity"], "cis20": ["CIS 10"], "confidence": 70, "cve": ["CVE-2021-34527"], "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e451bd16-e4c5-4109-8eb1-c4c6ecf048b4", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies rundll32.exe with no command line arguments. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. -action.notable.param.rule_title = Suspicious Rundll32 no Command Line Arguments -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_rundll32` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process="(?i)(rundll32\.exe.{0,4}$)" | `suspicious_rundll32_no_command_line_arguments_filter` - -[ESCU - Suspicious Rundll32 PluginInit - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the execution of the rundll32.exe process with the "plugininit" parameter. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events and command-line arguments. This activity is significant because the "plugininit" parameter is commonly associated with IcedID malware, which uses it to execute an initial DLL stager to download additional payloads. If confirmed malicious, this behavior could lead to further malware infections, data exfiltration, or complete system compromise. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the execution of the rundll32.exe process with the "plugininit" parameter. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events and command-line arguments. This activity is significant because the "plugininit" parameter is commonly associated with IcedID malware, which uses it to execute an initial DLL stager to download additional payloads. If confirmed malicious, this behavior could lead to further malware infections, data exfiltration, or complete system compromise. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = third party application may used this dll export name to execute function. -action.escu.creation_date = 2024-05-23 -action.escu.modification_date = 2024-05-23 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Suspicious Rundll32 PluginInit - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["IcedID"] -action.risk = 1 -action.risk.param._risk_message = rundll32 process $process_name$ with commandline $process$ in host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 42}, {"threat_object_field": "process_name", "threat_object_type": "process"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Suspicious Rundll32 PluginInit - Rule -action.correlationsearch.annotations = {"analytic_story": ["IcedID"], "cis20": ["CIS 10"], "confidence": 70, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "92d51712-ee29-11eb-b1ae-acde48001122", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the execution of the rundll32.exe process with the "plugininit" parameter. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events and command-line arguments. This activity is significant because the "plugininit" parameter is commonly associated with IcedID malware, which uses it to execute an initial DLL stager to download additional payloads. If confirmed malicious, this behavior could lead to further malware infections, data exfiltration, or complete system compromise. -action.notable.param.rule_title = Suspicious Rundll32 PluginInit -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*PluginInit* by Processes.process_name Processes.process Processes.parent_process_name Processes.original_file_name Processes.parent_process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_rundll32_plugininit_filter` - -[ESCU - Suspicious Rundll32 StartW - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies rundll32.exe executing a DLL function name, Start and StartW, on the command line that is commonly observed with Cobalt Strike x86 and x64 DLL payloads. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. Typically, the DLL will be written and loaded from a world writeable path or user location. In most instances it will not have a valid certificate (Unsigned). During investigation, review the parent process and other parallel application execution. Capture and triage the DLL in question. In the instance of Cobalt Strike, rundll32.exe is the default process it opens and injects shellcode into. This default process can be changed, but typically is not. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies rundll32.exe executing a DLL function name, Start and StartW, on the command line that is commonly observed with Cobalt Strike x86 and x64 DLL payloads. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. Typically, the DLL will be written and loaded from a world writeable path or user location. In most instances it will not have a valid certificate (Unsigned). During investigation, review the parent process and other parallel application execution. Capture and triage the DLL in question. In the instance of Cobalt Strike, rundll32.exe is the default process it opens and injects shellcode into. This default process can be changed, but typically is not. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Although unlikely, some legitimate applications may use Start as a function and call it via the command line. Filter as needed. -action.escu.creation_date = 2023-07-10 -action.escu.modification_date = 2023-07-10 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Suspicious Rundll32 StartW - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack", "Suspicious Rundll32 Activity", "Trickbot"] -action.risk = 1 -action.risk.param._risk_message = rundll32.exe running with suspicious StartW parameters on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 35}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 35}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Suspicious Rundll32 StartW - Rule -action.correlationsearch.annotations = {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack", "Suspicious Rundll32 Activity", "Trickbot"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "9319dda5-73f2-4d43-a85a-67ce961bddb7", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies rundll32.exe executing a DLL function name, Start and StartW, on the command line that is commonly observed with Cobalt Strike x86 and x64 DLL payloads. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. Typically, the DLL will be written and loaded from a world writeable path or user location. In most instances it will not have a valid certificate (Unsigned). During investigation, review the parent process and other parallel application execution. Capture and triage the DLL in question. In the instance of Cobalt Strike, rundll32.exe is the default process it opens and injects shellcode into. This default process can be changed, but typically is not. -action.notable.param.rule_title = Suspicious Rundll32 StartW -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*start* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_rundll32_startw_filter` - -[ESCU - Suspicious Scheduled Task from Public Directory - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic, "Suspicious Scheduled Task from Public Directory", detects the registration of scheduled tasks aimed to execute a binary or script from public directories, a behavior often associated with malware deployment. It utilizes the Sysmon EventID 1 data source, searching for instances where schtasks.exe is connected with the directories users\public, \programdata\, or \windows\temp and involves the /create command. \ -The registration of such scheduled tasks in public directories could suggest that an attacker is trying to maintain persistence or execute malicious scripts. If confirmed as a true positive, this could lead to data compromise, unauthorized access, and potential lateral movement within the network. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic, "Suspicious Scheduled Task from Public Directory", detects the registration of scheduled tasks aimed to execute a binary or script from public directories, a behavior often associated with malware deployment. It utilizes the Sysmon EventID 1 data source, searching for instances where schtasks.exe is connected with the directories users\public, \programdata\, or \windows\temp and involves the /create command. \ -The registration of such scheduled tasks in public directories could suggest that an attacker is trying to maintain persistence or execute malicious scripts. If confirmed as a true positive, this could lead to data compromise, unauthorized access, and potential lateral movement within the network. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = The main source of false positives could be the legitimate use of scheduled tasks from these directories. Careful tuning of this search may be necessary to suit the specifics of your environment, reducing the rate of false positives. -action.escu.creation_date = 2023-12-27 -action.escu.modification_date = 2023-12-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Suspicious Scheduled Task from Public Directory - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Azorult", "CISA AA23-347A", "DarkCrystal RAT", "Living Off The Land", "Ransomware", "Ryuk Ransomware", "Scheduled Tasks", "Windows Persistence Techniques"] -action.risk = 1 -action.risk.param._risk_message = Suspicious scheduled task registered on $dest$ from Public Directory -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 35}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 35}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Suspicious Scheduled Task from Public Directory - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azorult", "CISA AA23-347A", "DarkCrystal RAT", "Living Off The Land", "Ransomware", "Ryuk Ransomware", "Scheduled Tasks", "Windows Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "7feb7972-7ac3-11eb-bac8-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe (Processes.process=*\\users\\public\\* OR Processes.process=*\\programdata\\* OR Processes.process=*windows\\temp*) Processes.process=*/create* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `suspicious_scheduled_task_from_public_directory_filter` - -[ESCU - Suspicious SearchProtocolHost no Command Line Arguments - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies searchprotocolhost.exe with no command line arguments. It is unusual for searchprotocolhost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. searchprotocolhost.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies searchprotocolhost.exe with no command line arguments. It is unusual for searchprotocolhost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. searchprotocolhost.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Limited false positives may be present in small environments. Tuning may be required based on parent process. -action.escu.creation_date = 2023-07-10 -action.escu.modification_date = 2023-07-10 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Suspicious SearchProtocolHost no Command Line Arguments - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"] -action.risk = 1 -action.risk.param._risk_message = Suspicious searchprotocolhost.exe process with no command line arguments executed on $dest$ by $user$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Suspicious SearchProtocolHost no Command Line Arguments - Rule -action.correlationsearch.annotations = {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "f52d2db8-31f9-4aa7-a176-25779effe55c", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies searchprotocolhost.exe with no command line arguments. It is unusual for searchprotocolhost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. searchprotocolhost.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. -action.notable.param.rule_title = Suspicious SearchProtocolHost no Command Line Arguments -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=searchprotocolhost.exe by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process="(?i)(searchprotocolhost\.exe.{0,4}$)" | `suspicious_searchprotocolhost_no_command_line_arguments_filter` - -[ESCU - Suspicious SQLite3 LSQuarantine Behavior - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies the use of a SQLite3 querying the MacOS preferences to identify the original URL the pkg was downloaded from. This particular behavior is common with MacOS adware-malicious software. Upon triage, review other processes in parallel for suspicious activity. Identify any recent package installations. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1074"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the use of a SQLite3 querying the MacOS preferences to identify the original URL the pkg was downloaded from. This particular behavior is common with MacOS adware-malicious software. Upon triage, review other processes in parallel for suspicious activity. Identify any recent package installations. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Unknown. -action.escu.creation_date = 2021-02-22 -action.escu.modification_date = 2021-02-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Suspicious SQLite3 LSQuarantine Behavior - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Silver Sparrow"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Suspicious SQLite3 LSQuarantine Behavior - Rule -action.correlationsearch.annotations = {"analytic_story": ["Silver Sparrow"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1074"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e1997b2e-655f-4561-82fd-aeba8e1c1a86", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the use of a SQLite3 querying the MacOS preferences to identify the original URL the pkg was downloaded from. This particular behavior is common with MacOS adware-malicious software. Upon triage, review other processes in parallel for suspicious activity. Identify any recent package installations. -action.notable.param.rule_title = Suspicious SQLite3 LSQuarantine Behavior -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=sqlite3 Processes.process=*LSQuarantine* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_sqlite3_lsquarantine_behavior_filter` - -[ESCU - Suspicious Ticket Granting Ticket Request - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = As part of the sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287) exploitation chain, adversaries will need to request a Kerberos Ticket Granting Ticket (TGT) on behalf of the newly created and renamed computer account. The TGT request will be preceded by a computer account name event. This analytic leverages Event Id 4781, `The name of an account was changed` and event Id 4768 `A Kerberos authentication ticket (TGT) was requested` to correlate a sequence of events where the new computer account on event id 4781 matches the request account on event id 4768. This behavior could represent an exploitation attempt of CVE-2021-42278 and CVE-2021-42287 for privilege escalation. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078", "T1078.002"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = As part of the sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287) exploitation chain, adversaries will need to request a Kerberos Ticket Granting Ticket (TGT) on behalf of the newly created and renamed computer account. The TGT request will be preceded by a computer account name event. This analytic leverages Event Id 4781, `The name of an account was changed` and event Id 4768 `A Kerberos authentication ticket (TGT) was requested` to correlate a sequence of events where the new computer account on event id 4781 matches the request account on event id 4768. This behavior could represent an exploitation attempt of CVE-2021-42278 and CVE-2021-42287 for privilege escalation. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. -action.escu.known_false_positives = A computer account name change event inmediately followed by a kerberos TGT request with matching fields is unsual. However, legitimate behavior may trigger it. Filter as needed. -action.escu.creation_date = 2024-04-26 -action.escu.modification_date = 2024-04-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Suspicious Ticket Granting Ticket Request - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Kerberos Attacks", "Active Directory Privilege Escalation", "sAMAccountName Spoofing and Domain Controller Impersonation"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Suspicious Ticket Granting Ticket Request - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Privilege Escalation", "sAMAccountName Spoofing and Domain Controller Impersonation"], "cis20": ["CIS 10"], "confidence": 60, "impact": 100, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078", "T1078.002"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "d77d349e-6269-11ec-9cfe-acde48001122", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` (EventCode=4781 OldTargetUserName="*$" NewTargetUserName!="*$") OR (EventCode=4768 TargetUserName!="*$") | eval RenamedComputerAccount = coalesce(NewTargetUserName, TargetUserName) | transaction RenamedComputerAccount startswith=(EventCode=4781) endswith=(EventCode=4768) | eval short_lived=case((duration<2),"TRUE") | search short_lived = TRUE | table _time, Computer, EventCode, TargetUserName, RenamedComputerAccount, short_lived | rename Computer as dest | `suspicious_ticket_granting_ticket_request_filter` - -[ESCU - Suspicious WAV file in Appdata Folder - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is to detect a suspicious creation of .wav file in appdata folder. This behavior was seen in Remcos RAT malware where it put the audio recording in the appdata\audio folde as part of data collection. this recording can be send to its C2 server as part of its exfiltration to the compromised machine. creation of wav files in this folder path is not a ussual disk place used by user to save audio format file. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1113"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is to detect a suspicious creation of .wav file in appdata folder. This behavior was seen in Remcos RAT malware where it put the audio recording in the appdata\audio folde as part of data collection. this recording can be send to its C2 server as part of its exfiltration to the compromised machine. creation of wav files in this folder path is not a ussual disk place used by user to save audio format file. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, file_name, file_path and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2022-07-07 -action.escu.modification_date = 2022-07-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Suspicious WAV file in Appdata Folder - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Remcos"] -action.risk = 1 -action.risk.param._risk_message = process $process_name$ creating image file $file_path$ in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"threat_object_field": "process_name", "threat_object_type": "process"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Suspicious WAV file in Appdata Folder - Rule -action.correlationsearch.annotations = {"analytic_story": ["Remcos"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1113"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "5be109e6-1ac5-11ec-b421-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic is to detect a suspicious creation of .wav file in appdata folder. This behavior was seen in Remcos RAT malware where it put the audio recording in the appdata\audio folde as part of data collection. this recording can be send to its C2 server as part of its exfiltration to the compromised machine. creation of wav files in this folder path is not a ussual disk place used by user to save audio format file. -action.notable.param.rule_title = Suspicious WAV file in Appdata Folder -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=*.exe Processes.process_path="*\\appdata\\Roaming\\*" by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.process_guid | `drop_dm_object_name(Processes)` |rename process_guid as proc_guid | join proc_guid, _time [ | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*.wav") Filesystem.file_path = "*\\appdata\\Roaming\\*" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)` |rename process_guid as proc_guid | fields file_name file_path process_name process_path process dest file_create_time _time proc_guid] | `suspicious_wav_file_in_appdata_folder_filter` - -[ESCU - Suspicious wevtutil Usage - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the usage of wevtutil.exe with parameters for clearing event logs such as Application, Security, Setup, Trace, or System. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because clearing event logs can be an attempt to cover tracks after malicious actions, hindering forensic investigations. If confirmed malicious, this behavior could allow an attacker to erase evidence of their activities, making it difficult to trace their actions and understand the full scope of the compromise. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070.001", "T1070"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the usage of wevtutil.exe with parameters for clearing event logs such as Application, Security, Setup, Trace, or System. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because clearing event logs can be an attempt to cover tracks after malicious actions, hindering forensic investigations. If confirmed malicious, this behavior could allow an attacker to erase evidence of their activities, making it difficult to trace their actions and understand the full scope of the compromise. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = The wevtutil.exe application is a legitimate Windows event log utility. Administrators may use it to manage Windows event logs. -action.escu.creation_date = 2024-05-19 -action.escu.modification_date = 2024-05-19 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Suspicious wevtutil Usage - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["CISA AA23-347A", "Clop Ransomware", "Ransomware", "Rhysida Ransomware", "Windows Log Manipulation"] -action.risk = 1 -action.risk.param._risk_message = Wevtutil.exe being used to clear Event Logs on $dest$ by $user$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 28}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 28}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Suspicious wevtutil Usage - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A", "Clop Ransomware", "Ransomware", "Rhysida Ransomware", "Windows Log Manipulation"], "cis20": ["CIS 10"], "confidence": 70, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070.001", "T1070"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "2827c0fd-e1be-4868-ae25-59d28e0f9d4f", "detection_version": "5"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the usage of wevtutil.exe with parameters for clearing event logs such as Application, Security, Setup, Trace, or System. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because clearing event logs can be an attempt to cover tracks after malicious actions, hindering forensic investigations. If confirmed malicious, this behavior could allow an attacker to erase evidence of their activities, making it difficult to trace their actions and understand the full scope of the compromise. -action.notable.param.rule_title = Suspicious wevtutil Usage -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wevtutil.exe Processes.process IN ("* cl *", "*clear-log*") (Processes.process="*System*" OR Processes.process="*Security*" OR Processes.process="*Setup*" OR Processes.process="*Application*" OR Processes.process="*trace*") by Processes.process_name Processes.parent_process_name Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `suspicious_wevtutil_usage_filter` - -[ESCU - Suspicious writes to windows Recycle Bin - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects when a process other than explorer.exe writes to the Windows Recycle Bin to detect potential threats earlier and mitigate the risks. This detection is made by a Splunk query that utilizes the Endpoint.Filesystem data model and the Endpoint.Processes data model. The query looks for any process writing to the "*$Recycle.Bin*" file path, excluding explorer.exe. This detection is important because it suggests that an attacker is attempting to hide their activities by using the Recycle Bin, which can lead to data theft, ransomware, or other damaging outcomes. Detecting writes to the Recycle Bin by a process other than explorer.exe can help to investigate and determine if the activity is malicious or benign. False positives might occur since there might be legitimate uses of the Recycle Bin by processes other than explorer.exe. Next steps include reviewing the process writing to the Recycle Bin and any relevant on-disk artifacts upon triage. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects when a process other than explorer.exe writes to the Windows Recycle Bin to detect potential threats earlier and mitigate the risks. This detection is made by a Splunk query that utilizes the Endpoint.Filesystem data model and the Endpoint.Processes data model. The query looks for any process writing to the "*$Recycle.Bin*" file path, excluding explorer.exe. This detection is important because it suggests that an attacker is attempting to hide their activities by using the Recycle Bin, which can lead to data theft, ransomware, or other damaging outcomes. Detecting writes to the Recycle Bin by a process other than explorer.exe can help to investigate and determine if the activity is malicious or benign. False positives might occur since there might be legitimate uses of the Recycle Bin by processes other than explorer.exe. Next steps include reviewing the process writing to the Recycle Bin and any relevant on-disk artifacts upon triage. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on filesystem and process logs responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` nodes. -action.escu.known_false_positives = Because the Recycle Bin is a hidden folder in modern versions of Windows, it would be unusual for a process other than explorer.exe to write to it. Incidents should be investigated as appropriate. -action.escu.creation_date = 2023-11-07 -action.escu.modification_date = 2023-11-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Suspicious writes to windows Recycle Bin - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Collection and Staging", "PlugX"] -action.risk = 1 -action.risk.param._risk_message = Suspicious writes to windows Recycle Bin process $process_name$ on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 28}, {"threat_object_field": "process_name", "threat_object_type": "process"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Suspicious writes to windows Recycle Bin - Rule -action.correlationsearch.annotations = {"analytic_story": ["Collection and Staging", "PlugX"], "cis20": ["CIS 10"], "confidence": 70, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "b5541828-8ffd-4070-9d95-b3da4de924cb", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects when a process other than explorer.exe writes to the Windows Recycle Bin to detect potential threats earlier and mitigate the risks. This detection is made by a Splunk query that utilizes the Endpoint.Filesystem data model and the Endpoint.Processes data model. The query looks for any process writing to the "*$Recycle.Bin*" file path, excluding explorer.exe. This detection is important because it suggests that an attacker is attempting to hide their activities by using the Recycle Bin, which can lead to data theft, ransomware, or other damaging outcomes. Detecting writes to the Recycle Bin by a process other than explorer.exe can help to investigate and determine if the activity is malicious or benign. False positives might occur since there might be legitimate uses of the Recycle Bin by processes other than explorer.exe. Next steps include reviewing the process writing to the Recycle Bin and any relevant on-disk artifacts upon triage. -action.notable.param.rule_title = Suspicious writes to windows Recycle Bin -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.file_path) as file_path values(Filesystem.file_name) as file_name FROM datamodel=Endpoint.Filesystem where Filesystem.file_path = "*$Recycle.Bin*" by Filesystem.process_name Filesystem.process_id Filesystem.dest | `drop_dm_object_name("Filesystem")` | join process_id [| tstats `security_content_summariesonly` values(Processes.user) as user values(Processes.process_name) as process_name values(Processes.parent_process_name) as parent_process_name FROM datamodel=Endpoint.Processes where Processes.process_name != "explorer.exe" by Processes.process_id Processes.dest | `drop_dm_object_name("Processes")` | table user process_name process_id dest] | `suspicious_writes_to_windows_recycle_bin_filter` - -[ESCU - Svchost LOLBAS Execution Process Spawn - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic is designed to spot instances of 'svchost.exe' initiating a Living Off The Land Binaries and Scripts (LOLBAS) execution process. Often, adversaries manipulate Task Scheduler to execute code on remote endpoints, resulting in the spawning of a malicious command as a child process of 'svchost.exe'. By tracking child processes of 'svchost.exe' that align with the LOLBAS project, potential lateral movement activity can be detected. The analytic examines process details, including the process name, parent process, and command-line executions. A comprehensive list of LOLBAS processes is included in the search parameters. Although the analytic might catch legitimate applications exhibiting this behavior, these instances should be filtered accordingly. The findings from this analytic offer valuable insight into potentially malicious activities on an endpoint. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053", "T1053.005"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic is designed to spot instances of 'svchost.exe' initiating a Living Off The Land Binaries and Scripts (LOLBAS) execution process. Often, adversaries manipulate Task Scheduler to execute code on remote endpoints, resulting in the spawning of a malicious command as a child process of 'svchost.exe'. By tracking child processes of 'svchost.exe' that align with the LOLBAS project, potential lateral movement activity can be detected. The analytic examines process details, including the process name, parent process, and command-line executions. A comprehensive list of LOLBAS processes is included in the search parameters. Although the analytic might catch legitimate applications exhibiting this behavior, these instances should be filtered accordingly. The findings from this analytic offer valuable insight into potentially malicious activities on an endpoint. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Legitimate applications may trigger this behavior, filter as needed. -action.escu.creation_date = 2024-04-26 -action.escu.modification_date = 2024-04-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Svchost LOLBAS Execution Process Spawn - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Lateral Movement", "Living Off The Land", "Scheduled Tasks"] -action.risk = 1 -action.risk.param._risk_message = Svchost.exe spawned a LOLBAS process on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 54}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Svchost LOLBAS Execution Process Spawn - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "Living Off The Land", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053", "T1053.005"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "09e5c72a-4c0d-11ec-aa29-3e22fbd008af", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic is designed to spot instances of 'svchost.exe' initiating a Living Off The Land Binaries and Scripts (LOLBAS) execution process. Often, adversaries manipulate Task Scheduler to execute code on remote endpoints, resulting in the spawning of a malicious command as a child process of 'svchost.exe'. By tracking child processes of 'svchost.exe' that align with the LOLBAS project, potential lateral movement activity can be detected. The analytic examines process details, including the process name, parent process, and command-line executions. A comprehensive list of LOLBAS processes is included in the search parameters. Although the analytic might catch legitimate applications exhibiting this behavior, these instances should be filtered accordingly. The findings from this analytic offer valuable insight into potentially malicious activities on an endpoint. -action.notable.param.rule_title = Svchost LOLBAS Execution Process Spawn -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=svchost.exe) (Processes.process_name IN ("Regsvcs.exe", "Ftp.exe", "OfflineScannerShell.exe", "Rasautou.exe", "Schtasks.exe", "Xwizard.exe", "Pnputil.exe", "Atbroker.exe", "Pcwrun.exe", "Ttdinject.exe","Mshta.exe", "Bitsadmin.exe", "Certoc.exe", "Ieexec.exe", "Microsoft.Workflow.Compiler.exe", "Runscripthelper.exe", "Forfiles.exe", "Msbuild.exe", "Register-cimprovider.exe", "Tttracer.exe", "Ie4uinit.exe", "Bash.exe", "Hh.exe", "SettingSyncHost.exe", "Cmstp.exe", "Stordiag.exe", "Scriptrunner.exe", "Odbcconf.exe", "Extexport.exe", "Msdt.exe", "WorkFolders.exe", "Diskshadow.exe", "Mavinject.exe", "Regasm.exe", "Gpscript.exe", "Regsvr32.exe", "Msiexec.exe", "Wuauclt.exe", "Presentationhost.exe", "Wmic.exe", "Runonce.exe", "Syncappvpublishingserver.exe", "Verclsid.exe", "Infdefaultinstall.exe", "Installutil.exe", "Netsh.exe", "Wab.exe", "Dnscmd.exe", "At.exe", "Pcalua.exe", "Msconfig.exe")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `svchost_lolbas_execution_process_spawn_filter` - -[ESCU - System Info Gathering Using Dxdiag Application - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is to detect a suspicious dxdiag.exe process command-line execution. Dxdiag is used to collect the system info of the target host. This technique has been used by Remcos RATS, various actors, and other malware to collect information as part of the recon or collection phase of an attack. This behavior should rarely be seen in a corporate network, but this command line can be used by a network administrator to audit host machine specifications. Thus in some rare cases, this detection will contain false positives in its results. To triage further, analyze what commands were passed after it pipes out the result to a file for further processing. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Reconnaissance"], "mitre_attack": ["T1592"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is to detect a suspicious dxdiag.exe process command-line execution. Dxdiag is used to collect the system info of the target host. This technique has been used by Remcos RATS, various actors, and other malware to collect information as part of the recon or collection phase of an attack. This behavior should rarely be seen in a corporate network, but this command line can be used by a network administrator to audit host machine specifications. Thus in some rare cases, this detection will contain false positives in its results. To triage further, analyze what commands were passed after it pipes out the result to a file for further processing. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = This commandline can be used by a network administrator to audit host machine specifications. Thus, a filter is needed. -action.escu.creation_date = 2021-11-19 -action.escu.modification_date = 2021-11-19 -action.escu.confidence = high -action.escu.full_search_name = ESCU - System Info Gathering Using Dxdiag Application - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Remcos"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - System Info Gathering Using Dxdiag Application - Rule -action.correlationsearch.annotations = {"analytic_story": ["Remcos"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Reconnaissance"], "mitre_attack": ["T1592"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "f92d74f2-4921-11ec-b685-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_dxdiag` AND Processes.process = "* /t *" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `system_info_gathering_using_dxdiag_application_filter` - -[ESCU - System Information Discovery Detection - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies system information discovery techniques, such as the execution of commands like `wmic qfe`, `systeminfo`, and `hostname`. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant because attackers often use these commands to gather system configuration details, which can aid in further exploitation. If confirmed malicious, this behavior could allow attackers to tailor their attacks based on the discovered system information, potentially leading to privilege escalation, persistence, or data exfiltration. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1082"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies system information discovery techniques, such as the execution of commands like `wmic qfe`, `systeminfo`, and `hostname`. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant because attackers often use these commands to gather system configuration details, which can aid in further exploitation. If confirmed malicious, this behavior could allow attackers to tailor their attacks based on the discovered system information, potentially leading to privilege escalation, persistence, or data exfiltration. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators debugging servers -action.escu.creation_date = 2024-05-14 -action.escu.modification_date = 2024-05-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - System Information Discovery Detection - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Windows Discovery Techniques"] -action.risk = 1 -action.risk.param._risk_message = Potential system information discovery behavior on $dest$ by $user$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 15}, {"risk_object_field": "user", "risk_object_type": "other", "risk_score": 15}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - System Information Discovery Detection - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Discovery Techniques"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1082"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "8e99f89e-ae58-4ebc-bf52-ae0b1a277e72", "detection_version": "4"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies system information discovery techniques, such as the execution of commands like `wmic qfe`, `systeminfo`, and `hostname`. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant because attackers often use these commands to gather system configuration details, which can aid in further exploitation. If confirmed malicious, this behavior could allow attackers to tailor their attacks based on the discovered system information, potentially leading to privilege escalation, persistence, or data exfiltration. -action.notable.param.rule_title = System Information Discovery Detection -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process="*wmic* qfe*" OR Processes.process=*systeminfo* OR Processes.process=*hostname*) by Processes.user Processes.process_name Processes.process Processes.dest Processes.parent_process_name | `drop_dm_object_name(Processes)` | eventstats dc(process) as dc_processes_by_dest by dest | where dc_processes_by_dest > 2 | stats values(process) as process min(firstTime) as firstTime max(lastTime) as lastTime by user, dest parent_process_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `system_information_discovery_detection_filter` - -[ESCU - System Processes Run From Unexpected Locations - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search looks for system processes that typically execute from `C:\Windows\System32\` or `C:\Windows\SysWOW64`. This may indicate a malicious process that is trying to hide as a legitimate process. \ -This detection utilizes a lookup that is deduped `system32` and `syswow64` directories from Server 2016 and Windows 10. \ -During triage, review the parallel processes - what process moved the native Windows binary? identify any artifacts on disk and review. If a remote destination is contacted, what is the reputation? -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036", "T1036.003"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search looks for system processes that typically execute from `C:\Windows\System32\` or `C:\Windows\SysWOW64`. This may indicate a malicious process that is trying to hide as a legitimate process. \ -This detection utilizes a lookup that is deduped `system32` and `syswow64` directories from Server 2016 and Windows 10. \ -During triage, review the parallel processes - what process moved the native Windows binary? identify any artifacts on disk and review. If a remote destination is contacted, what is the reputation? -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = This detection may require tuning based on third party applications utilizing native Windows binaries in non-standard paths. -action.escu.creation_date = 2020-12-08 -action.escu.modification_date = 2020-12-08 -action.escu.confidence = high -action.escu.full_search_name = ESCU - System Processes Run From Unexpected Locations - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["DarkGate Malware", "Masquerading - Rename System Utilities", "Qakbot", "Ransomware", "Suspicious Command-Line Executions", "Unusual Processes", "Windows Error Reporting Service Elevation of Privilege Vulnerability"] -action.risk = 1 -action.risk.param._risk_message = A System process $process_name$ is running from $process_path$ on $dest$, potentially non-standard. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 30}, {"threat_object_field": "process_name", "threat_object_type": "process"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - System Processes Run From Unexpected Locations - Rule -action.correlationsearch.annotations = {"analytic_story": ["DarkGate Malware", "Masquerading - Rename System Utilities", "Qakbot", "Ransomware", "Suspicious Command-Line Executions", "Unusual Processes", "Windows Error Reporting Service Elevation of Privilege Vulnerability"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036", "T1036.003"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a34aae96-ccf8-4aef-952c-3ea21444444d", "detection_version": "6"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_path !="C:\\Windows\\System32*" Processes.process_path !="C:\\Windows\\SysWOW64*" by Processes.dest Processes.user Processes.parent_process Processes.process_path Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_hash | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `is_windows_system_file_macro` | `system_processes_run_from_unexpected_locations_filter` - -[ESCU - System User Discovery With Query - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic looks for the execution of `query.exe` with command-line arguments utilized to discover the logged user. Red Teams and adversaries alike may leverage `query.exe` to identify system users on a compromised endpoint for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for the execution of `query.exe` with command-line arguments utilized to discover the logged user. Red Teams and adversaries alike may leverage `query.exe` to identify system users on a compromised endpoint for situational awareness and Active Directory Discovery. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. -action.escu.creation_date = 2021-09-13 -action.escu.modification_date = 2021-09-13 -action.escu.confidence = high -action.escu.full_search_name = ESCU - System User Discovery With Query - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Discovery"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - System User Discovery With Query - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "ad03bfcf-8a91-4bc2-a500-112993deba87", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="query.exe") (Processes.process=*user*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `system_user_discovery_with_query_filter` - -[ESCU - System User Discovery With Whoami - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic looks for the execution of `whoami.exe` without any arguments. This windows native binary prints out the current logged user. Red Teams and adversaries alike may leverage `whoami.exe` to identify system users on a compromised endpoint for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for the execution of `whoami.exe` without any arguments. This windows native binary prints out the current logged user. Red Teams and adversaries alike may leverage `whoami.exe` to identify system users on a compromised endpoint for situational awareness and Active Directory Discovery. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. -action.escu.creation_date = 2023-12-27 -action.escu.modification_date = 2023-12-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - System User Discovery With Whoami - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Discovery", "CISA AA23-347A", "Qakbot", "Rhysida Ransomware", "Winter Vivern"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - System User Discovery With Whoami - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A", "Qakbot", "Rhysida Ransomware", "Winter Vivern"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "894fc43e-6f50-47d5-a68b-ee9ee23e18f4", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="whoami.exe") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `system_user_discovery_with_whoami_filter` - -[ESCU - Time Provider Persistence Registry - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is to detect a suspicious modification of time provider registry for persistence and autostart. This technique can allow the attacker to persist on the compromised host and autostart as soon as the machine boot up. This TTP can be a good indicator of suspicious behavior since this registry is not commonly modified by normal user or even an admin. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1547.003", "T1547"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is to detect a suspicious modification of time provider registry for persistence and autostart. This technique can allow the attacker to persist on the compromised host and autostart as soon as the machine boot up. This TTP can be a good indicator of suspicious behavior since this registry is not commonly modified by normal user or even an admin. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-04-27 -action.escu.modification_date = 2023-04-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Time Provider Persistence Registry - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Data Destruction", "Hermetic Wiper", "Windows Persistence Techniques", "Windows Privilege Escalation", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = modified/added/deleted registry entry $registry_path$ in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Time Provider Persistence Registry - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Persistence Techniques", "Windows Privilege Escalation", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1547.003", "T1547"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "5ba382c4-2105-11ec-8d8f-acde48001122", "detection_version": "4"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic is to detect a suspicious modification of time provider registry for persistence and autostart. This technique can allow the attacker to persist on the compromised host and autostart as soon as the machine boot up. This TTP can be a good indicator of suspicious behavior since this registry is not commonly modified by normal user or even an admin. -action.notable.param.rule_title = Time Provider Persistence Registry -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*\\CurrentControlSet\\Services\\W32Time\\TimeProviders*") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `time_provider_persistence_registry_filter` - -[ESCU - Trickbot Named Pipe - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the creation or connection to a named pipe associated with Trickbot malware. It leverages Sysmon EventCodes 17 and 18 to identify named pipes with the pattern "\\pipe\\*lacesomepipe". This activity is significant as Trickbot uses named pipes for communication with its command and control (C2) servers, facilitating data exfiltration and command execution. If confirmed malicious, this behavior could allow attackers to maintain persistence, execute arbitrary commands, and exfiltrate sensitive information from the compromised system. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects the creation or connection to a named pipe associated with Trickbot malware. It leverages Sysmon EventCodes 17 and 18 to identify named pipes with the pattern "\\pipe\\*lacesomepipe". This activity is significant as Trickbot uses named pipes for communication with its command and control (C2) servers, facilitating data exfiltration and command execution. If confirmed malicious, this behavior could allow attackers to maintain persistence, execute arbitrary commands, and exfiltrate sensitive information from the compromised system. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and pipename from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. . -action.escu.known_false_positives = unknown -action.escu.creation_date = 2024-05-16 -action.escu.modification_date = 2024-05-16 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Trickbot Named Pipe - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["Trickbot"] -action.risk = 1 -action.risk.param._risk_message = Possible Trickbot namedpipe created on $dest$ by $process_name$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 42}, {"threat_object_field": "process_name", "threat_object_type": "process"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Trickbot Named Pipe - Rule -action.correlationsearch.annotations = {"analytic_story": ["Trickbot"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "1804b0a4-a682-11eb-8f68-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the creation or connection to a named pipe associated with Trickbot malware. It leverages Sysmon EventCodes 17 and 18 to identify named pipes with the pattern "\\pipe\\*lacesomepipe". This activity is significant as Trickbot uses named pipes for communication with its command and control (C2) servers, facilitating data exfiltration and command execution. If confirmed malicious, this behavior could allow attackers to maintain persistence, execute arbitrary commands, and exfiltrate sensitive information from the compromised system. -action.notable.param.rule_title = Trickbot Named Pipe -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode IN (17,18) PipeName="\\pipe\\*lacesomepipe" | stats min(_time) as firstTime max(_time) as lastTime count by dest user_id EventCode PipeName signature Image process_id | rename Image as process_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `trickbot_named_pipe_filter` - -[ESCU - UAC Bypass MMC Load Unsigned Dll - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search is to detect a suspicious loaded unsigned dll by MMC.exe application. This technique is commonly seen in attacker that tries to bypassed UAC feature or gain privilege escalation. This is done by modifying some CLSID registry that will trigger the mmc.exe to load the dll path -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548", "T1218.014"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This search is to detect a suspicious loaded unsigned dll by MMC.exe application. This technique is commonly seen in attacker that tries to bypassed UAC feature or gain privilege escalation. This is done by modifying some CLSID registry that will trigger the mmc.exe to load the dll path -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -action.escu.known_false_positives = unknown. all of the dll loaded by mmc.exe is microsoft signed dll. -action.escu.creation_date = 2021-07-12 -action.escu.modification_date = 2021-07-12 -action.escu.confidence = high -action.escu.full_search_name = ESCU - UAC Bypass MMC Load Unsigned Dll - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["Windows Defense Evasion Tactics"] -action.risk = 1 -action.risk.param._risk_message = Suspicious unsigned $ImageLoaded$ loaded by $Image$ on endpoint $dest$ with EventCode $EventCode$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - UAC Bypass MMC Load Unsigned Dll - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548", "T1218.014"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "7f04349c-e30d-11eb-bc7f-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search is to detect a suspicious loaded unsigned dll by MMC.exe application. This technique is commonly seen in attacker that tries to bypassed UAC feature or gain privilege escalation. This is done by modifying some CLSID registry that will trigger the mmc.exe to load the dll path -action.notable.param.rule_title = UAC Bypass MMC Load Unsigned Dll -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=7 ImageLoaded = "*.dll" Image = "*\\mmc.exe" Signed=false Company != "Microsoft Corporation" | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded Signed ProcessId OriginalFileName dest EventCode Company | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `uac_bypass_mmc_load_unsigned_dll_filter` - -[ESCU - UAC Bypass With Colorui COM Object - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search is to detect a possible uac bypass using the colorui.dll COM Object. this technique was seen in so many malware and ransomware like lockbit where it make use of the colorui.dll COM CLSID to bypass UAC. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.003"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This search is to detect a possible uac bypass using the colorui.dll COM Object. this technique was seen in so many malware and ransomware like lockbit where it make use of the colorui.dll COM CLSID to bypass UAC. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -action.escu.known_false_positives = not so common. but 3rd part app may load this dll. -action.escu.creation_date = 2021-08-13 -action.escu.modification_date = 2021-08-13 -action.escu.confidence = high -action.escu.full_search_name = ESCU - UAC Bypass With Colorui COM Object - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["LockBit Ransomware", "Ransomware"] -action.risk = 1 -action.risk.param._risk_message = The following module $ImageLoaded$ was loaded by a non-standard application on endpoint $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 48}, {"risk_object_field": "ImageLoaded", "risk_object_type": "other", "risk_score": 48}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - UAC Bypass With Colorui COM Object - Rule -action.correlationsearch.annotations = {"analytic_story": ["LockBit Ransomware", "Ransomware"], "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "2bcccd20-fc2b-11eb-8d22-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search is to detect a possible uac bypass using the colorui.dll COM Object. this technique was seen in so many malware and ransomware like lockbit where it make use of the colorui.dll COM CLSID to bypass UAC. -action.notable.param.rule_title = UAC Bypass With Colorui COM Object -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=7 ImageLoaded="*\\colorui.dll" process_name != "colorcpl.exe" NOT(Image IN("*\\windows\\*", "*\\program files*")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name dest user_id EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `uac_bypass_with_colorui_com_object_filter` - -[ESCU - Uninstall App Using MsiExec - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search is to detect a suspicious un-installation of application using msiexec. This technique was seen in conti leak tool and script where it tries to uninstall AV product using this commandline. This commandline to uninstall product is not a common practice in enterprise network. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.007", "T1218"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search is to detect a suspicious un-installation of application using msiexec. This technique was seen in conti leak tool and script where it tries to uninstall AV product using this commandline. This commandline to uninstall product is not a common practice in enterprise network. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = unknown. -action.escu.creation_date = 2021-08-09 -action.escu.modification_date = 2021-08-09 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Uninstall App Using MsiExec - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Ransomware"] -action.risk = 1 -action.risk.param._risk_message = process $process_name$ with a cmdline $process$ in host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 30}, {"threat_object_field": "process_name", "threat_object_type": "process"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Uninstall App Using MsiExec - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ransomware"], "cis20": ["CIS 10"], "confidence": 60, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.007", "T1218"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "1fca2b28-f922-11eb-b2dd-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search is to detect a suspicious un-installation of application using msiexec. This technique was seen in conti leak tool and script where it tries to uninstall AV product using this commandline. This commandline to uninstall product is not a common practice in enterprise network. -action.notable.param.rule_title = Uninstall App Using MsiExec -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=msiexec.exe Processes.process= "* /qn *" Processes.process= "*/X*" Processes.process= "*REBOOT=*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `uninstall_app_using_msiexec_filter` - -[ESCU - Unknown Process Using The Kerberos Protocol - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a process performing an outbound connection on port 88 used by default by the network authentication protocol Kerberos. Typically, on a regular Windows endpoint, only the lsass.exe process is the one tasked with connecting to the Kerberos Distribution Center to obtain Kerberos tickets. Identifying an unknown process using this protocol may be evidence of an adversary abusing the Kerberos protocol. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1550"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint", "Network_Traffic"] -action.escu.eli5 = The following analytic identifies a process performing an outbound connection on port 88 used by default by the network authentication protocol Kerberos. Typically, on a regular Windows endpoint, only the lsass.exe process is the one tasked with connecting to the Kerberos Distribution Center to obtain Kerberos tickets. Identifying an unknown process using this protocol may be evidence of an adversary abusing the Kerberos protocol. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Custom applications may leverage the Kerberos protocol. Filter as needed. -action.escu.creation_date = 2024-01-23 -action.escu.modification_date = 2024-01-23 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Unknown Process Using The Kerberos Protocol - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Kerberos Attacks"] -action.risk = 1 -action.risk.param._risk_message = Unknown process $process_name$ using the kerberos protocol detected on host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 36}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Unknown Process Using The Kerberos Protocol - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1550"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c91a0852-9fbb-11ec-af44-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a process performing an outbound connection on port 88 used by default by the network authentication protocol Kerberos. Typically, on a regular Windows endpoint, only the lsass.exe process is the one tasked with connecting to the Kerberos Distribution Center to obtain Kerberos tickets. Identifying an unknown process using this protocol may be evidence of an adversary abusing the Kerberos protocol. -action.notable.param.rule_title = Unknown Process Using The Kerberos Protocol -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name!=lsass.exe by _time Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id dest [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port = 88 by All_Traffic.src All_Traffic.process_id All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename src as dest ] | table _time dest parent_process_name process_name process_path process process_id dest_port | `unknown_process_using_the_kerberos_protocol_filter` - -[ESCU - Unload Sysmon Filter Driver - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the use of `fltMC.exe` to unload the Sysmon driver, which stops Sysmon from collecting data. It leverages Endpoint Detection and Response (EDR) logs, focusing on process names and command-line executions. This activity is significant because disabling Sysmon can blind security monitoring, allowing malicious actions to go undetected. If confirmed malicious, this could enable attackers to execute further attacks without being logged, leading to potential data breaches, privilege escalation, or persistent access within the environment. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the use of `fltMC.exe` to unload the Sysmon driver, which stops Sysmon from collecting data. It leverages Endpoint Detection and Response (EDR) logs, focusing on process names and command-line executions. This activity is significant because disabling Sysmon can blind security monitoring, allowing malicious actions to go undetected. If confirmed malicious, this could enable attackers to execute further attacks without being logged, leading to potential data breaches, privilege escalation, or persistent access within the environment. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Unknown at the moment -action.escu.creation_date = 2024-05-15 -action.escu.modification_date = 2024-05-15 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Unload Sysmon Filter Driver - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["CISA AA23-347A", "Disabling Security Tools"] -action.risk = 1 -action.risk.param._risk_message = Possible Sysmon filter driver unloading on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 45}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Unload Sysmon Filter Driver - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A", "Disabling Security Tools"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e5928ff3-23eb-4d8b-b8a4-dcbc844fdfbe", "detection_version": "5"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the use of `fltMC.exe` to unload the Sysmon driver, which stops Sysmon from collecting data. It leverages Endpoint Detection and Response (EDR) logs, focusing on process names and command-line executions. This activity is significant because disabling Sysmon can blind security monitoring, allowing malicious actions to go undetected. If confirmed malicious, this could enable attackers to execute further attacks without being logged, leading to potential data breaches, privilege escalation, or persistent access within the environment. -action.notable.param.rule_title = Unload Sysmon Filter Driver -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=fltMC.exe AND Processes.process=*unload* AND Processes.process=*SysmonDrv* by Processes.process_name Processes.process_id Processes.parent_process_name Processes.process Processes.dest Processes.user | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` |`unload_sysmon_filter_driver_filter`| table firstTime lastTime dest user count process_name process_id parent_process_name process - -[ESCU - Unloading AMSI via Reflection - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ - \ -This analytic identifies the behavior of AMSI being tampered with. Implemented natively in many frameworks, the command will look similar to `SEtValuE($Null,(New-OBJEct COLlECtionS.GenerIC.HAshSEt{[StrINg]))}$ReF=[ReF].AsSeMbLY.GeTTyPe("System.Management.Automation.Amsi"+"Utils")` taken from Powershell-Empire. \ -During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1562", "T1059.001", "T1059"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ - \ -This analytic identifies the behavior of AMSI being tampered with. Implemented natively in many frameworks, the command will look similar to `SEtValuE($Null,(New-OBJEct COLlECtionS.GenerIC.HAshSEt{[StrINg]))}$ReF=[ReF].AsSeMbLY.GeTTyPe("System.Management.Automation.Amsi"+"Utils")` taken from Powershell-Empire. \ -During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = Potential for some third party applications to disable AMSI upon invocation. Filter as needed. -action.escu.creation_date = 2023-04-14 -action.escu.modification_date = 2023-04-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Unloading AMSI via Reflection - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Data Destruction", "Hermetic Wiper", "Malicious PowerShell"] -action.risk = 1 -action.risk.param._risk_message = Possible AMSI Unloading via Reflection using PowerShell on $Computer$ -action.risk.param._risk = [{"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Unloading AMSI via Reflection - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Malicious PowerShell"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1562", "T1059.001", "T1059"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a21e3484-c94d-11eb-b55b-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ - \ -This analytic identifies the behavior of AMSI being tampered with. Implemented natively in many frameworks, the command will look similar to `SEtValuE($Null,(New-OBJEct COLlECtionS.GenerIC.HAshSEt{[StrINg]))}$ReF=[ReF].AsSeMbLY.GeTTyPe("System.Management.Automation.Amsi"+"Utils")` taken from Powershell-Empire. \ -During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. -action.notable.param.rule_title = Unloading AMSI via Reflection -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText = *system.management.automation.amsi* | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `unloading_amsi_via_reflection_filter` - -[ESCU - Unusual Number of Computer Service Tickets Requested - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following hunting analytic leverages Event ID 4769, `A Kerberos service ticket was requested`, to identify an unusual number of computer service ticket requests from one source. When a domain joined endpoint connects to a remote endpoint, it first will request a Kerberos Ticket with the computer name as the Service Name. An endpoint requesting a large number of computer service tickets for different endpoints could represent malicious behavior like lateral movement, malware staging, reconnaissance, etc. The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of service requests. To customize this analytic, users can try different combinations of the `bucket` span time, the calculation of the `upperBound` field as well as the Outlier calculation. This logic can be used for real time security monitoring as well as threat hunting exercises. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following hunting analytic leverages Event ID 4769, `A Kerberos service ticket was requested`, to identify an unusual number of computer service ticket requests from one source. When a domain joined endpoint connects to a remote endpoint, it first will request a Kerberos Ticket with the computer name as the Service Name. An endpoint requesting a large number of computer service tickets for different endpoints could represent malicious behavior like lateral movement, malware staging, reconnaissance, etc. The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of service requests. To customize this analytic, users can try different combinations of the `bucket` span time, the calculation of the `upperBound` field as well as the Outlier calculation. This logic can be used for real time security monitoring as well as threat hunting exercises. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. -action.escu.known_false_positives = An single endpoint requesting a large number of computer service tickets is not common behavior. Possible false positive scenarios include but are not limited to vulnerability scanners, administration systeams and missconfigured systems. -action.escu.creation_date = 2021-12-01 -action.escu.modification_date = 2021-12-01 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Unusual Number of Computer Service Tickets Requested - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Kerberos Attacks", "Active Directory Lateral Movement", "Active Directory Privilege Escalation"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Unusual Number of Computer Service Tickets Requested - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Lateral Movement", "Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "ac3b81c0-52f4-11ec-ac44-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4769 Service_Name="*$" Account_Name!="*$*" | bucket span=2m _time | stats dc(Service_Name) AS unique_targets values(Service_Name) as host_targets by _time, Client_Address, Account_Name | eventstats avg(unique_targets) as comp_avg , stdev(unique_targets) as comp_std by Client_Address, Account_Name | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_targets >10 and unique_targets >= upperBound, 1, 0) | `unusual_number_of_computer_service_tickets_requested_filter` - -[ESCU - Unusual Number of Kerberos Service Tickets Requested - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following hunting analytic leverages Kerberos Event 4769, A Kerberos service ticket was requested, to identify a potential kerberoasting attack against Active Directory networks. Kerberoasting allows an adversary to request kerberos tickets for domain accounts typically used as service accounts and attempt to crack them offline allowing them to obtain privileged access to the domain. \ -The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number service ticket requests. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558", "T1558.003"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following hunting analytic leverages Kerberos Event 4769, A Kerberos service ticket was requested, to identify a potential kerberoasting attack against Active Directory networks. Kerberoasting allows an adversary to request kerberos tickets for domain accounts typically used as service accounts and attempt to crack them offline allowing them to obtain privileged access to the domain. \ -The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number service ticket requests. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. -action.escu.known_false_positives = An single endpoint requesting a large number of kerberos service tickets is not common behavior. Possible false positive scenarios include but are not limited to vulnerability scanners, administration systems and missconfigured systems. -action.escu.creation_date = 2024-04-26 -action.escu.modification_date = 2024-04-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Unusual Number of Kerberos Service Tickets Requested - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Kerberos Attacks"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "system", "risk_score": 36}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Unusual Number of Kerberos Service Tickets Requested - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558", "T1558.003"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "eb3e6702-8936-11ec-98fe-acde48001122", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4769 ServiceName!="*$" TicketEncryptionType=0x17 | bucket span=2m _time | stats dc(ServiceName) AS unique_services values(ServiceName) as requested_services by _time, src | eventstats avg(unique_services) as comp_avg , stdev(unique_services) as comp_std by src | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_services > 2 and unique_services >= upperBound, 1, 0) | search isOutlier=1 | `unusual_number_of_kerberos_service_tickets_requested_filter` - -[ESCU - Unusual Number of Remote Endpoint Authentication Events - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following hunting analytic leverages Event ID 4624, `An account was successfully logged on`, to identify an unusual number of remote authentication attempts coming from one source. An endpoint authenticating to a large number of remote endpoints could represent malicious behavior like lateral movement, malware staging, reconnaissance, etc. The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual high number of authentication events.To customize this analytic, users can try different combinations of the `bucket` span time, the calculation of the `upperBound` field as well as the Outlier calculation.This logic can be used for real time security monitoring as well as threat hunting exercises. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following hunting analytic leverages Event ID 4624, `An account was successfully logged on`, to identify an unusual number of remote authentication attempts coming from one source. An endpoint authenticating to a large number of remote endpoints could represent malicious behavior like lateral movement, malware staging, reconnaissance, etc. The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual high number of authentication events.To customize this analytic, users can try different combinations of the `bucket` span time, the calculation of the `upperBound` field as well as the Outlier calculation.This logic can be used for real time security monitoring as well as threat hunting exercises. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled. -action.escu.known_false_positives = An single endpoint authenticating to a large number of hosts is not common behavior. Possible false positive scenarios include but are not limited to vulnerability scanners, jump servers and missconfigured systems. -action.escu.creation_date = 2021-12-01 -action.escu.modification_date = 2021-12-01 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Unusual Number of Remote Endpoint Authentication Events - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Lateral Movement", "Active Directory Privilege Escalation"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Unusual Number of Remote Endpoint Authentication Events - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "acb5dc74-5324-11ec-a36d-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4624 Logon_Type=3 Account_Name!="*$" | eval Source_Account = mvindex(Account_Name, 1) | bucket span=2m _time | stats dc(ComputerName) AS unique_targets values(ComputerName) as target_hosts by _time, Source_Network_Address, Source_Account | eventstats avg(unique_targets) as comp_avg , stdev(unique_targets) as comp_std by Source_Network_Address, Source_Account | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_targets >10 and unique_targets >= upperBound, 1, 0) | `unusual_number_of_remote_endpoint_authentication_events_filter` - -[ESCU - Unusually Long Command Line - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic detects command lines that are extremely long, which might be indicative of malicious activity on your hosts because attackers often use obfuscated or complex command lines to hide their actions and evade detection. This helps to mitigate the risks associated with long command lines to enhance your overall security posture and reduce the impact of attacks. This detection is important because it suggests that an attacker might be attempting to execute a malicious command or payload on the host, which can lead to various damaging outcomes such as data theft, ransomware, or further compromise of the system. False positives might occur since legitimate processes or commands can sometimes result in long command lines. Next steps include conducting extensive triage and investigation to differentiate between legitimate and malicious activities. Review the source of the command line and the command itself during the triage. Additionally, capture and inspect any relevant on-disk artifacts and review concurrent processes to identify the source of the attack. -action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects command lines that are extremely long, which might be indicative of malicious activity on your hosts because attackers often use obfuscated or complex command lines to hide their actions and evade detection. This helps to mitigate the risks associated with long command lines to enhance your overall security posture and reduce the impact of attacks. This detection is important because it suggests that an attacker might be attempting to execute a malicious command or payload on the host, which can lead to various damaging outcomes such as data theft, ransomware, or further compromise of the system. False positives might occur since legitimate processes or commands can sometimes result in long command lines. Next steps include conducting extensive triage and investigation to differentiate between legitimate and malicious activities. Review the source of the command line and the command itself during the triage. Additionally, capture and inspect any relevant on-disk artifacts and review concurrent processes to identify the source of the attack. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Some legitimate applications start with long command lines. -action.escu.creation_date = 2020-12-08 -action.escu.modification_date = 2020-12-08 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Unusually Long Command Line - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Ransomware", "Suspicious Command-Line Executions", "Unusual Processes"] -action.risk = 1 -action.risk.param._risk_message = Unusually long command line $process_name$ on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 42}, {"threat_object_field": "process_name", "threat_object_type": "process"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Unusually Long Command Line - Rule -action.correlationsearch.annotations = {"analytic_story": ["Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Ransomware", "Suspicious Command-Line Executions", "Unusual Processes"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c77162d3-f93c-45cc-80c8-22f6a4264e7f", "detection_version": "5"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes by Processes.user Processes.dest Processes.process_name Processes.process | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| eval processlen=len(process) | eventstats stdev(processlen) as stdev, avg(processlen) as avg by dest | stats max(processlen) as maxlen, values(stdev) as stdevperhost, values(avg) as avgperhost by dest, user, process_name, process | `unusually_long_command_line_filter` |eval threshold = 3 | where maxlen > ((threshold*stdevperhost) + avgperhost) - -[ESCU - Unusually Long Command Line - MLTK - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. Command lines that are extremely long may be indicative of malicious activity on your hosts. This search leverages the Machine Learning Toolkit (MLTK) to help identify command lines with lengths that are unusual for a given user. -action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = Command lines that are extremely long may be indicative of malicious activity on your hosts. This search leverages the Machine Learning Toolkit (MLTK) to help identify command lines with lengths that are unusual for a given user. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Some legitimate applications use long command lines for installs or updates. You should review identified command lines for legitimacy. You may modify the first part of the search to omit legitimate command lines from consideration. If you are seeing more results than desired, you may consider changing the value of threshold in the search to a smaller value. You should also periodically re-run the support search to re-build the ML model on the latest data. You may get unexpected results if the user identified in the results is not present in the data used to build the associated model. -action.escu.creation_date = 2019-05-08 -action.escu.modification_date = 2019-05-08 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Unusually Long Command Line - MLTK - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Ransomware", "Suspicious Command-Line Executions", "Unusual Processes"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Unusually Long Command Line - MLTK - Rule -action.correlationsearch.annotations = {"analytic_story": ["Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Ransomware", "Suspicious Command-Line Executions", "Unusual Processes"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "57edaefa-a73b-45e5-bbae-f39c1473f941", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes by Processes.user Processes.dest Processes.process_name Processes.process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| eval processlen=len(process) | search user!=unknown | apply cmdline_pdfmodel threshold=0.01 | rename "IsOutlier(processlen)" as isOutlier | search isOutlier > 0 | table firstTime lastTime user dest process_name process processlen count | `unusually_long_command_line___mltk_filter` - -[ESCU - User Discovery With Env Vars PowerShell - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic looks for the execution of `powershell.exe` with command-line arguments that leverage PowerShell environment variables to identify the current logged user. Red Teams and adversaries may leverage this method to identify the logged user on a compromised endpoint for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for the execution of `powershell.exe` with command-line arguments that leverage PowerShell environment variables to identify the current logged user. Red Teams and adversaries may leverage this method to identify the logged user on a compromised endpoint for situational awareness and Active Directory Discovery. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. -action.escu.creation_date = 2021-09-13 -action.escu.modification_date = 2021-09-13 -action.escu.confidence = high -action.escu.full_search_name = ESCU - User Discovery With Env Vars PowerShell - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Discovery"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - User Discovery With Env Vars PowerShell - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "0cdf318b-a0dd-47d7-b257-c621c0247de8", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") (Processes.process="*$env:UserName*" OR Processes.process="*[System.Environment]::UserName*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `user_discovery_with_env_vars_powershell_filter` - -[ESCU - User Discovery With Env Vars PowerShell Script Block - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the use of PowerShell environment variables to identify the current logged user. Red Teams and adversaries may leverage this method to identify the logged user on a compromised endpoint for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the use of PowerShell environment variables to identify the current logged user. Red Teams and adversaries may leverage this method to identify the logged user on a compromised endpoint for situational awareness and Active Directory Discovery. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = Administrators or power users may use this PowerShell commandlet for troubleshooting. -action.escu.creation_date = 2022-03-22 -action.escu.modification_date = 2022-03-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - User Discovery With Env Vars PowerShell Script Block - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Discovery"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - User Discovery With Env Vars PowerShell Script Block - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "77f41d9e-b8be-47e3-ab35-5776f5ec1d20", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 (ScriptBlockText = "*$env:UserName*" OR ScriptBlockText = "*[System.Environment]::UserName*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | rename Computer as dest, user_id as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `user_discovery_with_env_vars_powershell_script_block_filter` - -[ESCU - USN Journal Deletion - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The fsutil.exe application is a legitimate Windows utility used to perform tasks related to the file allocation table (FAT) and NTFS file systems. The update sequence number (USN) change journal provides a log of all changes made to the files on the disk. This search looks for fsutil.exe deleting the USN journal. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The fsutil.exe application is a legitimate Windows utility used to perform tasks related to the file allocation table (FAT) and NTFS file systems. The update sequence number (USN) change journal provides a log of all changes made to the files on the disk. This search looks for fsutil.exe deleting the USN journal. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = None identified -action.escu.creation_date = 2018-12-03 -action.escu.modification_date = 2018-12-03 -action.escu.confidence = high -action.escu.full_search_name = ESCU - USN Journal Deletion - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Ransomware", "Windows Log Manipulation"] -action.risk = 1 -action.risk.param._risk_message = Possible USN journal deletion on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 45}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - USN Journal Deletion - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Windows Log Manipulation"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "b6e0ff70-b122-4227-9368-4cf322ab43c3", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The fsutil.exe application is a legitimate Windows utility used to perform tasks related to the file allocation table (FAT) and NTFS file systems. The update sequence number (USN) change journal provides a log of all changes made to the files on the disk. This search looks for fsutil.exe deleting the USN journal. -action.notable.param.rule_title = USN Journal Deletion -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=fsutil.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | search process="*deletejournal*" AND process="*usn*" | `usn_journal_deletion_filter` - -[ESCU - Vbscript Execution Using Wscript App - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is to detect a suspicious wscript commandline to execute vbscript. This technique was seen in several malware to execute malicious vbs file using wscript application. commonly vbs script is associated to cscript process and this can be a technique to evade process parent child detections or even some av script emulation system. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.005", "T1059"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is to detect a suspicious wscript commandline to execute vbscript. This technique was seen in several malware to execute malicious vbs file using wscript application. commonly vbs script is associated to cscript process and this can be a technique to evade process parent child detections or even some av script emulation system. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2021-10-01 -action.escu.modification_date = 2021-10-01 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Vbscript Execution Using Wscript App - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["AsyncRAT", "FIN7", "Remcos"] -action.risk = 1 -action.risk.param._risk_message = Process name $process_name$ with commandline $process$ to execute vbsscript -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Vbscript Execution Using Wscript App - Rule -action.correlationsearch.annotations = {"analytic_story": ["AsyncRAT", "FIN7", "Remcos"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.005", "T1059"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "35159940-228f-11ec-8a49-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic is to detect a suspicious wscript commandline to execute vbscript. This technique was seen in several malware to execute malicious vbs file using wscript application. commonly vbs script is associated to cscript process and this can be a technique to evade process parent child detections or even some av script emulation system. -action.notable.param.rule_title = Vbscript Execution Using Wscript App -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name = "wscript.exe" AND Processes.parent_process = "*//e:vbscript*") OR (Processes.process_name = "wscript.exe" AND Processes.process = "*//e:vbscript*") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process_id Processes.process Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `vbscript_execution_using_wscript_app_filter` - -[ESCU - Verclsid CLSID Execution - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is to detect a possible abuse of verclsid to execute malicious file through generate CLSID. This process is a normal application of windows to verify the CLSID COM object before it is instantiated by Windows Explorer. This hunting query can be a good pivot point to analyze what is he CLSID or COM object pointing too to check if it is a valid application or not. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.012", "T1218"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is to detect a possible abuse of verclsid to execute malicious file through generate CLSID. This process is a normal application of windows to verify the CLSID COM object before it is instantiated by Windows Explorer. This hunting query can be a good pivot point to analyze what is he CLSID or COM object pointing too to check if it is a valid application or not. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = windows can used this application for its normal COM object validation. -action.escu.creation_date = 2021-09-29 -action.escu.modification_date = 2021-09-29 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Verclsid CLSID Execution - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Unusual Processes"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Verclsid CLSID Execution - Rule -action.correlationsearch.annotations = {"analytic_story": ["Unusual Processes"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.012", "T1218"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "61e9a56a-20fa-11ec-8ba3-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_verclsid` AND Processes.process="*/S*" Processes.process="*/C*" AND Processes.process="*{*" AND Processes.process="*}*" by Processes.process_name Processes.original_file_name Processes.dest Processes.user Processes.parent_process_name Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `verclsid_clsid_execution_filter` - -[ESCU - W3WP Spawning Shell - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This query identifies a shell, PowerShell.exe or Cmd.exe, spawning from W3WP.exe, or IIS. In addition to IIS logs, this behavior with an EDR product will capture potential webshell activity, similar to the HAFNIUM Group abusing CVEs, on publicly available Exchange mail servers. During triage, review the parent process and child process of the shell being spawned. Review the command-line arguments and any file modifications that may occur. Identify additional parallel process, child processes, that may highlight further commands executed. After triaging, work to contain the threat and patch the system that is vulnerable. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1505", "T1505.003"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This query identifies a shell, PowerShell.exe or Cmd.exe, spawning from W3WP.exe, or IIS. In addition to IIS logs, this behavior with an EDR product will capture potential webshell activity, similar to the HAFNIUM Group abusing CVEs, on publicly available Exchange mail servers. During triage, review the parent process and child process of the shell being spawned. Review the command-line arguments and any file modifications that may occur. Identify additional parallel process, child processes, that may highlight further commands executed. After triaging, work to contain the threat and patch the system that is vulnerable. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Baseline your environment before production. It is possible build systems using IIS will spawn cmd.exe to perform a software build. Filter as needed. -action.escu.creation_date = 2023-07-10 -action.escu.modification_date = 2023-07-10 -action.escu.confidence = high -action.escu.full_search_name = ESCU - W3WP Spawning Shell - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["BlackByte Ransomware", "CISA AA22-257A", "CISA AA22-264A", "Data Destruction", "Flax Typhoon", "HAFNIUM Group", "Hermetic Wiper", "ProxyNotShell", "ProxyShell", "WS FTP Server Critical Vulnerabilities"] -action.risk = 1 -action.risk.param._risk_message = Possible Web Shell execution on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - W3WP Spawning Shell - Rule -action.correlationsearch.annotations = {"analytic_story": ["BlackByte Ransomware", "CISA AA22-257A", "CISA AA22-264A", "Data Destruction", "Flax Typhoon", "HAFNIUM Group", "Hermetic Wiper", "ProxyNotShell", "ProxyShell", "WS FTP Server Critical Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 80, "cve": ["CVE-2021-34473", "CVE-2021-34523", "CVE-2021-31207"], "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1505", "T1505.003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "0f03423c-7c6a-11eb-bc47-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This query identifies a shell, PowerShell.exe or Cmd.exe, spawning from W3WP.exe, or IIS. In addition to IIS logs, this behavior with an EDR product will capture potential webshell activity, similar to the HAFNIUM Group abusing CVEs, on publicly available Exchange mail servers. During triage, review the parent process and child process of the shell being spawned. Review the command-line arguments and any file modifications that may occur. Identify additional parallel process, child processes, that may highlight further commands executed. After triaging, work to contain the threat and patch the system that is vulnerable. -action.notable.param.rule_title = W3WP Spawning Shell -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=w3wp.exe AND `process_cmd` OR `process_powershell` by Processes.dest Processes.parent_process Processes.original_file_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `w3wp_spawning_shell_filter` - -[ESCU - WBAdmin Delete System Backups - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the execution of wbadmin.exe with flags that delete backup files, specifically targeting catalog or system state backups. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because it is commonly used by ransomware to prevent recovery by deleting system backups. If confirmed malicious, this action could severely hinder recovery efforts, leading to prolonged downtime and potential data loss. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the execution of wbadmin.exe with flags that delete backup files, specifically targeting catalog or system state backups. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because it is commonly used by ransomware to prevent recovery by deleting system backups. If confirmed malicious, this action could severely hinder recovery efforts, leading to prolonged downtime and potential data loss. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators may modify the boot configuration. -action.escu.creation_date = 2024-05-13 -action.escu.modification_date = 2024-05-13 -action.escu.confidence = high -action.escu.full_search_name = ESCU - WBAdmin Delete System Backups - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Chaos Ransomware", "Prestige Ransomware", "Ransomware", "Ryuk Ransomware"] -action.risk = 1 -action.risk.param._risk_message = System backups deletion on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 15}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - WBAdmin Delete System Backups - Rule -action.correlationsearch.annotations = {"analytic_story": ["Chaos Ransomware", "Prestige Ransomware", "Ransomware", "Ryuk Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "cd5aed7e-5cea-11eb-ae93-0242ac130002", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the execution of wbadmin.exe with flags that delete backup files, specifically targeting catalog or system state backups. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because it is commonly used by ransomware to prevent recovery by deleting system backups. If confirmed malicious, this action could severely hinder recovery efforts, leading to prolonged downtime and potential data loss. -action.notable.param.rule_title = WBAdmin Delete System Backups -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wbadmin.exe Processes.process="*delete*" AND (Processes.process="*catalog*" OR Processes.process="*systemstatebackup*") by Processes.process_name Processes.process Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `wbadmin_delete_system_backups_filter` - -[ESCU - Wbemprox COM Object Execution - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a potential suspicious process loading a COM object from wbemprox.dll or faskprox.dll. The Microsoft Component Object Model (COM) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. This feature is being abused by several threat actors, adversaries or even red teamers to gain privilege escalation or even to evade detections. This TTP is a good indicator that a process is loading possible known .dll modules that were known for its COM object. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.003"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies a potential suspicious process loading a COM object from wbemprox.dll or faskprox.dll. The Microsoft Component Object Model (COM) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. This feature is being abused by several threat actors, adversaries or even red teamers to gain privilege escalation or even to evade detections. This TTP is a good indicator that a process is loading possible known .dll modules that were known for its COM object. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -action.escu.known_false_positives = legitimate process that are not in the exception list may trigger this event. -action.escu.creation_date = 2021-06-02 -action.escu.modification_date = 2021-06-02 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Wbemprox COM Object Execution - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["LockBit Ransomware", "Ransomware", "Revil Ransomware"] -action.risk = 1 -action.risk.param._risk_message = Suspicious COM Object Execution on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 35}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Wbemprox COM Object Execution - Rule -action.correlationsearch.annotations = {"analytic_story": ["LockBit Ransomware", "Ransomware", "Revil Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "9d911ce0-c3be-11eb-b177-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a potential suspicious process loading a COM object from wbemprox.dll or faskprox.dll. The Microsoft Component Object Model (COM) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. This feature is being abused by several threat actors, adversaries or even red teamers to gain privilege escalation or even to evade detections. This TTP is a good indicator that a process is loading possible known .dll modules that were known for its COM object. -action.notable.param.rule_title = Wbemprox COM Object Execution -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=7 ImageLoaded IN ("*\\fastprox.dll", "*\\wbemprox.dll", "*\\wbemcomn.dll") NOT (process_name IN ("wmiprvse.exe", "WmiApSrv.exe", "unsecapp.exe")) NOT(Image IN("*\\windows\\*","*\\program files*", "*\\wbem\\*")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name dest EventCode Signed ProcessId Hashes IMPHASH | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wbemprox_com_object_execution_filter` - -[ESCU - Wermgr Process Connecting To IP Check Web Services - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search is designed to detect suspicious wermgr.exe process that tries to connect to known IP web services. This technique is know for trickbot and other trojan spy malware to recon the infected machine and look for its ip address without so much finger print on the commandline process. Since wermgr.exe is designed for error handling process of windows it is really suspicious that this process is trying to connect to this IP web services cause that maybe cause of some malicious code injection. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Reconnaissance"], "mitre_attack": ["T1590", "T1590.005"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This search is designed to detect suspicious wermgr.exe process that tries to connect to known IP web services. This technique is know for trickbot and other trojan spy malware to recon the infected machine and look for its ip address without so much finger print on the commandline process. Since wermgr.exe is designed for error handling process of windows it is really suspicious that this process is trying to connect to this IP web services cause that maybe cause of some malicious code injection. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, dns query name process path , and query ststus from your endpoints like EventCode 22. If you are using Sysmon, you must have at least version 12 of the Sysmon TA. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2022-06-01 -action.escu.modification_date = 2022-06-01 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Wermgr Process Connecting To IP Check Web Services - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["Trickbot"] -action.risk = 1 -action.risk.param._risk_message = Wermgr.exe process connecting IP location web services on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Wermgr Process Connecting To IP Check Web Services - Rule -action.correlationsearch.annotations = {"analytic_story": ["Trickbot"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Reconnaissance"], "mitre_attack": ["T1590", "T1590.005"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "ed313326-a0f9-11eb-a89c-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search is designed to detect suspicious wermgr.exe process that tries to connect to known IP web services. This technique is know for trickbot and other trojan spy malware to recon the infected machine and look for its ip address without so much finger print on the commandline process. Since wermgr.exe is designed for error handling process of windows it is really suspicious that this process is trying to connect to this IP web services cause that maybe cause of some malicious code injection. -action.notable.param.rule_title = Wermgr Process Connecting To IP Check Web Services -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode =22 process_name = wermgr.exe QueryName IN ("*wtfismyip.com", "*checkip.amazonaws.com", "*ipecho.net", "*ipinfo.io", "*api.ipify.org", "*icanhazip.com", "*ip.anysrc.com","*api.ip.sb", "ident.me", "www.myexternalip.com", "*zen.spamhaus.org", "*cbl.abuseat.org", "*b.barracudacentral.org","*dnsbl-1.uceprotect.net", "*spam.dnsbl.sorbs.net") | stats min(_time) as firstTime max(_time) as lastTime count by Image process_name ProcessId QueryName QueryStatus QueryResults EventCode Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wermgr_process_connecting_to_ip_check_web_services_filter` - -[ESCU - Wermgr Process Create Executable File - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = this search is designed to detect potential malicious wermgr.exe process that drops or create executable file. Since wermgr.exe is an application trigger when error encountered in a process, it is really un ussual to this process to drop executable file. This technique is commonly seen in trickbot malware where it injects it code to this process to execute it malicious behavior like downloading other payload -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1027"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = this search is designed to detect potential malicious wermgr.exe process that drops or create executable file. Since wermgr.exe is an application trigger when error encountered in a process, it is really un ussual to this process to drop executable file. This technique is commonly seen in trickbot malware where it injects it code to this process to execute it malicious behavior like downloading other payload -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of wermgr.exe may be used. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2021-04-19 -action.escu.modification_date = 2021-04-19 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Wermgr Process Create Executable File - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["Trickbot"] -action.risk = 1 -action.risk.param._risk_message = Wermgr.exe writing executable files on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Wermgr Process Create Executable File - Rule -action.correlationsearch.annotations = {"analytic_story": ["Trickbot"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1027"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "ab3bcce0-a105-11eb-973c-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = this search is designed to detect potential malicious wermgr.exe process that drops or create executable file. Since wermgr.exe is an application trigger when error encountered in a process, it is really un ussual to this process to drop executable file. This technique is commonly seen in trickbot malware where it injects it code to this process to execute it malicious behavior like downloading other payload -action.notable.param.rule_title = Wermgr Process Create Executable File -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=11 process_name = "wermgr.exe" TargetFilename = "*.exe" | stats min(_time) as firstTime max(_time) as lastTime count by Image TargetFilename process_name dest EventCode ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wermgr_process_create_executable_file_filter` - -[ESCU - Wermgr Process Spawned CMD Or Powershell Process - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search is designed to detect suspicious cmd and powershell process spawned by wermgr.exe process. This suspicious behavior are commonly seen in code injection technique technique like trickbot to execute a shellcode, dll modules to run malicious behavior. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search is designed to detect suspicious cmd and powershell process spawned by wermgr.exe process. This suspicious behavior are commonly seen in code injection technique technique like trickbot to execute a shellcode, dll modules to run malicious behavior. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2021-04-19 -action.escu.modification_date = 2021-04-19 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Wermgr Process Spawned CMD Or Powershell Process - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Qakbot", "Trickbot"] -action.risk = 1 -action.risk.param._risk_message = Wermgr.exe spawning suspicious processes on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Wermgr Process Spawned CMD Or Powershell Process - Rule -action.correlationsearch.annotations = {"analytic_story": ["Qakbot", "Trickbot"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e8fc95bc-a107-11eb-a978-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search is designed to detect suspicious cmd and powershell process spawned by wermgr.exe process. This suspicious behavior are commonly seen in code injection technique technique like trickbot to execute a shellcode, dll modules to run malicious behavior. -action.notable.param.rule_title = Wermgr Process Spawned CMD Or Powershell Process -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` values(Processes.process) as cmdline min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name = "wermgr.exe" `process_cmd` OR `process_powershell` by Processes.parent_process_name Processes.original_file_name Processes.parent_process_id Processes.process_name Processes.process Processes.process_id Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wermgr_process_spawned_cmd_or_powershell_process_filter` - -[ESCU - Wget Download and Bash Execution - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives should be limited, however filtering may be required. -action.escu.creation_date = 2021-12-11 -action.escu.modification_date = 2021-12-11 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Wget Download and Bash Execution - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Ingress Tool Transfer", "Log4Shell CVE-2021-44228"] -action.risk = 1 -action.risk.param._risk_message = An instance of $process_name$ was identified on endpoint $dest$ attempting to download a remote file and run it with bash. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Wget Download and Bash Execution - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ingress Tool Transfer", "Log4Shell CVE-2021-44228"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2021-44228"], "impact": 80, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "35682718-5a85-11ec-b8f7-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j. -action.notable.param.rule_title = Wget Download and Bash Execution -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wget (Processes.process="*-q *" OR Processes.process="*--quiet*" AND Processes.process="*-O- *") OR (Processes.process="*|*" AND Processes.process="*bash*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wget_download_and_bash_execution_filter` - -[ESCU - Windows Abused Web Services - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects a suspicious process making a DNS query via known, abused text-paste web services, VoIP, internet via secure tunneling,instant messaging, and digital distribution platforms used to download external files. This technique is abused by adversaries, malware actors, and red teams to download a malicious file on the target host. This is a good TTP indicator for possible initial access techniques. A user will experience false positives if the following instant messaging is allowed or common applications like telegram or discord are allowed in the corporate network. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1102"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects a suspicious process making a DNS query via known, abused text-paste web services, VoIP, internet via secure tunneling,instant messaging, and digital distribution platforms used to download external files. This technique is abused by adversaries, malware actors, and red teams to download a malicious file on the target host. This is a good TTP indicator for possible initial access techniques. A user will experience false positives if the following instant messaging is allowed or common applications like telegram or discord are allowed in the corporate network. -action.escu.how_to_implement = This detection relies on sysmon logs with the Event ID 22, DNS Query. We suggest you run this detection at least once a day over the last 14 days. -action.escu.known_false_positives = Noise and false positive can be seen if the following instant messaging is allowed to use within corporate network. In this case, a filter is needed. -action.escu.creation_date = 2023-09-20 -action.escu.modification_date = 2023-09-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Abused Web Services - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["NjRAT"] -action.risk = 1 -action.risk.param._risk_message = a network connection on known abused web services from $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 36}, {"threat_object_field": "process_name", "threat_object_type": "process"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Abused Web Services - Rule -action.correlationsearch.annotations = {"analytic_story": ["NjRAT"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1102"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "01f0aef4-8591-4daa-a53d-0ed49823b681", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects a suspicious process making a DNS query via known, abused text-paste web services, VoIP, internet via secure tunneling,instant messaging, and digital distribution platforms used to download external files. This technique is abused by adversaries, malware actors, and red teams to download a malicious file on the target host. This is a good TTP indicator for possible initial access techniques. A user will experience false positives if the following instant messaging is allowed or common applications like telegram or discord are allowed in the corporate network. -action.notable.param.rule_title = Windows Abused Web Services -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=22 QueryName IN ("*pastebin*",""*textbin*"", "*ngrok.io*", "*discord*", "*duckdns.org*", "*pasteio.com*") | stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName QueryStatus process_name QueryResults Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_abused_web_services_filter` - -[ESCU - Windows Access Token Manipulation SeDebugPrivilege - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a suspicious process enabling the "SeDebugPrivilege" privilege token. SeDebugPrivilege allows a process to inspect and adjust the memory of other processes, and has long been a security concern. SeDebugPrivilege allows the token bearer to access any process or thread, regardless of security descriptors, per Palantir. This technique is abused by adversaries to gain debug privileges with their malicious software to be able to access or debug a process to dump credentials or to inject malicious code. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134.002", "T1134"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies a suspicious process enabling the "SeDebugPrivilege" privilege token. SeDebugPrivilege allows a process to inspect and adjust the memory of other processes, and has long been a security concern. SeDebugPrivilege allows the token bearer to access any process or thread, regardless of security descriptors, per Palantir. This technique is abused by adversaries to gain debug privileges with their malicious software to be able to access or debug a process to dump credentials or to inject malicious code. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4703 EventCode enabled. The Windows TA is also required. -action.escu.known_false_positives = Some native binaries and browser applications may request SeDebugPrivilege. Filter as needed. -action.escu.creation_date = 2023-12-27 -action.escu.modification_date = 2023-12-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Access Token Manipulation SeDebugPrivilege - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["AsyncRAT", "Brute Ratel C4", "CISA AA23-347A", "DarkGate Malware", "PlugX"] -action.risk = 1 -action.risk.param._risk_message = A process $ProcessName$ adjust its privileges with SeDebugPrivilege on $Computer$. -action.risk.param._risk = [{"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 36}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Access Token Manipulation SeDebugPrivilege - Rule -action.correlationsearch.annotations = {"analytic_story": ["AsyncRAT", "Brute Ratel C4", "CISA AA23-347A", "DarkGate Malware", "PlugX"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134.002", "T1134"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "6ece9ed0-5f92-4315-889d-48560472b188", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4703 EnabledPrivilegeList = "*SeDebugPrivilege*" AND NOT(ProcessName IN ("*\\Program File*", "*\\System32\\lsass.exe*", "*\\SysWOW64\\lsass.exe*", "*\\SysWOW64\\svchost.exe*", "*\\System32\\svchost.exe*")) | stats count min(_time) as firstTime max(_time) as lastTime by Computer ProcessName ProcessId SubjectDomainName SubjectUserName SubjectUserSid TargetUserName TargetLogonId TargetDomainName EnabledPrivilegeList action | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_access_token_manipulation_sedebugprivilege_filter` - -[ESCU - Windows Access Token Manipulation Winlogon Duplicate Token Handle - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a process requesting access to winlogon.exe attempting to duplicate its handle. This technique was seen in several adversaries to gain privileges for their process. Winlogon.exe is the common targeted process of this technique because it contains high privileges and security tokens. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134.001", "T1134"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies a process requesting access to winlogon.exe attempting to duplicate its handle. This technique was seen in several adversaries to gain privileges for their process. Winlogon.exe is the common targeted process of this technique because it contains high privileges and security tokens. -action.escu.how_to_implement = To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -action.escu.known_false_positives = It is possible legitimate applications will request access to winlogon, filter as needed. -action.escu.creation_date = 2022-08-24 -action.escu.modification_date = 2022-08-24 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Access Token Manipulation Winlogon Duplicate Token Handle - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["Brute Ratel C4"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Access Token Manipulation Winlogon Duplicate Token Handle - Rule -action.correlationsearch.annotations = {"analytic_story": ["Brute Ratel C4"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134.001", "T1134"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "dda126d7-1d99-4f0b-b72a-4c14031f9398", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=10 TargetImage IN("*\\system32\\winlogon.exe*", "*\\SysWOW64\\winlogon.exe*") GrantedAccess = 0x1040 | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage SourceProcessGUID TargetProcessGUID SourceProcessId TargetProcessId GrantedAccess CallTrace dest user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_access_token_manipulation_winlogon_duplicate_token_handle_filter` - -[ESCU - Windows Access Token Winlogon Duplicate Handle In Uncommon Path - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a process requesting access in winlogon.exe to duplicate its handle with a non-common or public process source path. This technique was seen where adversaries attempt to gain privileges to their process. This duplicate handle access technique, may refer to a malicious process duplicating the process token of winlogon.exe and using it to a new process instance. Winlogon.exe is the common targeted process of this technique because it contains high privileges and security tokens. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134.001", "T1134"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies a process requesting access in winlogon.exe to duplicate its handle with a non-common or public process source path. This technique was seen where adversaries attempt to gain privileges to their process. This duplicate handle access technique, may refer to a malicious process duplicating the process token of winlogon.exe and using it to a new process instance. Winlogon.exe is the common targeted process of this technique because it contains high privileges and security tokens. -action.escu.how_to_implement = To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -action.escu.known_false_positives = It is possible legitimate applications will request access to winlogon, filter as needed. -action.escu.creation_date = 2022-08-24 -action.escu.modification_date = 2022-08-24 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Access Token Winlogon Duplicate Handle In Uncommon Path - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["Brute Ratel C4"] -action.risk = 1 -action.risk.param._risk_message = A process $SourceImage$ is duplicating the handle token of winlogon.exe on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "SourceImage", "risk_object_type": "other", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Access Token Winlogon Duplicate Handle In Uncommon Path - Rule -action.correlationsearch.annotations = {"analytic_story": ["Brute Ratel C4"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134.001", "T1134"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "b8f7ed6b-0556-4c84-bffd-839c262b0278", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=10 TargetImage IN("*\\system32\\winlogon.exe*", "*\\SysWOW64\\winlogon.exe*") AND GrantedAccess = 0x1040 AND NOT (SourceImage IN("C:\\Windows\\*", "C:\\Program File*", "%systemroot%\\*")) | stats count min(_time) as firstTime max(_time) as lastTime by Computer SourceImage TargetImage SourceProcessGUID TargetProcessGUID SourceProcessId TargetProcessId GrantedAccess CallTrace | rename Computer as dest| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_access_token_winlogon_duplicate_handle_in_uncommon_path_filter` - -[ESCU - Windows Account Discovery for None Disable User Account - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic utilizes PowerShell Script Block Logging to identify the execution of the PowerView PowerShell commandlet Get-NetUser. In the context of PowerView's Get-NetUser cmdlet as a filter or parameter to query Active Directory user accounts that are not disabled. The full script block text based on the CISA-23-347A advisory is "Get-NetUser -UACFilter NOT_ACCOUNTDISABLE". Utilize this query to identify potential suspicious activity of user account enumeration. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.001"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging to identify the execution of the PowerView PowerShell commandlet Get-NetUser. In the context of PowerView's Get-NetUser cmdlet as a filter or parameter to query Active Directory user accounts that are not disabled. The full script block text based on the CISA-23-347A advisory is "Get-NetUser -UACFilter NOT_ACCOUNTDISABLE". Utilize this query to identify potential suspicious activity of user account enumeration. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.= -action.escu.known_false_positives = Administrators may leverage PowerView for legitimate purposes, filter as needed. -action.escu.creation_date = 2023-12-15 -action.escu.modification_date = 2023-12-15 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Account Discovery for None Disable User Account - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["CISA AA23-347A"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Account Discovery for None Disable User Account - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.001"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "eddbf5ba-b89e-47ca-995e-2d259804e55e", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText = "*Get-NetUser*" ScriptBlockText = "*NOT_ACCOUNTDISABLE*" ScriptBlockText = "*-UACFilter*" | rename Computer as dest, UserID as user | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_account_discovery_for_none_disable_user_account_filter` - -[ESCU - Windows Account Discovery for Sam Account Name - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic leverages Event ID 4104 to identify the execution of the PowerView powershell commandlets Get-NetUser. In the context of PowerView's Get-NetUser cmdlet as a filter or parameter to query Active Directory user account's "samccountname". This hunting query is a good pivot to look for suspicious process or malware that gather user account information in a host or within network system. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic leverages Event ID 4104 to identify the execution of the PowerView powershell commandlets Get-NetUser. In the context of PowerView's Get-NetUser cmdlet as a filter or parameter to query Active Directory user account's "samccountname". This hunting query is a good pivot to look for suspicious process or malware that gather user account information in a host or within network system. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.= -action.escu.known_false_positives = Administrators may leverage PowerView for legitimate purposes, filter as needed. -action.escu.creation_date = 2023-12-15 -action.escu.modification_date = 2023-12-15 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Account Discovery for Sam Account Name - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["CISA AA23-347A"] -action.risk = 1 -action.risk.param._risk_message = Windows Account Discovery for Sam Account Name on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 15}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Account Discovery for Sam Account Name - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "69934363-e1dd-4c49-8651-9d7663dd4d2f", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText = "*Get-NetUser*" ScriptBlockText IN ("*samaccountname*", "*pwdlastset*") | rename Computer as dest, UserID as user | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_account_discovery_for_sam_account_name_filter` - -[ESCU - Windows Account Discovery With NetUser PreauthNotRequire - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic leverages Event ID 4104 to identify the execution of the PowerView powershell commandlets Get-NetUser. This technique was observed in the context of PowerView's Get-NetUser cmdlet as a filter or parameter to query Active Directory user accounts that do not require preauthentication for Kerberos. This hunting query is a good pivot to look for suspicious process or malware that gather user account information in a host or within network system. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic leverages Event ID 4104 to identify the execution of the PowerView powershell commandlets Get-NetUser. This technique was observed in the context of PowerView's Get-NetUser cmdlet as a filter or parameter to query Active Directory user accounts that do not require preauthentication for Kerberos. This hunting query is a good pivot to look for suspicious process or malware that gather user account information in a host or within network system. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.= -action.escu.known_false_positives = Administrators may leverage PowerView for legitimate purposes, filter as needed. -action.escu.creation_date = 2023-12-15 -action.escu.modification_date = 2023-12-15 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Account Discovery With NetUser PreauthNotRequire - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["CISA AA23-347A"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Account Discovery With NetUser PreauthNotRequire - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "cf056b65-44b2-4d32-9172-d6b6f081a376", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText = "*Get-NetUser*" ScriptBlockText = "*-PreauthNotRequire*" | rename Computer as dest, UserID as user | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_account_discovery_with_netuser_preauthnotrequire_filter` - -[ESCU - Windows AD Abnormal Object Access Activity - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a statistically significant increase in access to Active Directory objects, which may indicate attacker enumeration. It leverages Windows Security Event Code 4662 to monitor and analyze access patterns, comparing them against historical averages to detect anomalies. This activity is significant for a SOC because abnormal access to AD objects can be an early indicator of reconnaissance efforts by an attacker. If confirmed malicious, this behavior could lead to unauthorized access, privilege escalation, or further compromise of the Active Directory environment. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.002"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies a statistically significant increase in access to Active Directory objects, which may indicate attacker enumeration. It leverages Windows Security Event Code 4662 to monitor and analyze access patterns, comparing them against historical averages to detect anomalies. This activity is significant for a SOC because abnormal access to AD objects can be an early indicator of reconnaissance efforts by an attacker. If confirmed malicious, this behavior could lead to unauthorized access, privilege escalation, or further compromise of the Active Directory environment. -action.escu.how_to_implement = Enable Audit Directory Service Access via GPO and collect event code 4662. The required SACLs need to be created for the relevant objects. Be aware Splunk filters this event by default on the Windows TA. Recommend pre-filtering any known service accounts that frequently query AD to make detection more accurate. Setting wide search window of 48~72hr may smooth out misfires. -action.escu.known_false_positives = Service accounts or applications that routinely query Active Directory for information. -action.escu.creation_date = 2024-05-21 -action.escu.modification_date = 2024-05-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows AD Abnormal Object Access Activity - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Discovery"] -action.risk = 1 -action.risk.param._risk_message = The account $user$ accessed an abnormal amount ($ObjectName_count$) of [$ObjectType$] AD object(s) between $firstTime$ and $lastTime$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows AD Abnormal Object Access Activity - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.002"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "71b289db-5f2c-4c43-8256-8bf26ae7324a", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4662 | stats min(_time) AS firstTime, max(_time) AS lastTime, dc(ObjectName) AS ObjectName_count, values(ObjectType) AS ObjectType, latest(Computer) AS dest count BY SubjectUserName | eventstats avg(ObjectName_count) AS average stdev(ObjectName_count) AS standarddev | eval limit = round((average+(standarddev*3)),0), user = SubjectUserName | where ObjectName_count > limit | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_ad_abnormal_object_access_activity_filter` - -[ESCU - Windows AD AdminSDHolder ACL Modified - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the modification of the Access Control List for the AdminSDHolder object within a Windows domain. Specifically, the detection triggers on the addition of a new rule to the existing ACL. AdminSDHolder is an object located in the System Partition in Active Directory and is used as a security template for objects that are members of certain privileged groups. Objects in these groups are enumerated and any objects with security descriptors that dont match the AdminSDHolder ACL are flagged for updating. The Security Descriptor propagator (SDProp) process runs every 60 minutes on the PDC Emulator and re-stamps the object Access Control List (ACL) with the security permissions set on the AdminSDHolder. An adversary who has obtained privileged access to a Windows Domain may modify the AdminSDHolder ACL to establish persistence and allow an unprivileged user to take control of a domain. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1546"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies the modification of the Access Control List for the AdminSDHolder object within a Windows domain. Specifically, the detection triggers on the addition of a new rule to the existing ACL. AdminSDHolder is an object located in the System Partition in Active Directory and is used as a security template for objects that are members of certain privileged groups. Objects in these groups are enumerated and any objects with security descriptors that dont match the AdminSDHolder ACL are flagged for updating. The Security Descriptor propagator (SDProp) process runs every 60 minutes on the PDC Emulator and re-stamps the object Access Control List (ACL) with the security permissions set on the AdminSDHolder. An adversary who has obtained privileged access to a Windows Domain may modify the AdminSDHolder ACL to establish persistence and allow an unprivileged user to take control of a domain. -action.escu.how_to_implement = To successfully implement this search, you ned to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. Additionally, a SACL needs to be created for the AdminSDHolder object in order to log modifications. -action.escu.known_false_positives = Adding new users or groups to the AdminSDHolder ACL is not usual. Filter as needed -action.escu.creation_date = 2022-11-15 -action.escu.modification_date = 2022-11-15 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows AD AdminSDHolder ACL Modified - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Sneaky Active Directory Persistence Tricks"] -action.risk = 1 -action.risk.param._risk_message = The AdminSDHolder domain object has been modified on $Computer$ by $SubjectUserName$ -action.risk.param._risk = [{"risk_object_field": "SubjectUserName", "risk_object_type": "other", "risk_score": 56}, {"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 56}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows AD AdminSDHolder ACL Modified - Rule -action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1546"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "00d877c3-7b7b-443d-9562-6b231e2abab9", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the modification of the Access Control List for the AdminSDHolder object within a Windows domain. Specifically, the detection triggers on the addition of a new rule to the existing ACL. AdminSDHolder is an object located in the System Partition in Active Directory and is used as a security template for objects that are members of certain privileged groups. Objects in these groups are enumerated and any objects with security descriptors that dont match the AdminSDHolder ACL are flagged for updating. The Security Descriptor propagator (SDProp) process runs every 60 minutes on the PDC Emulator and re-stamps the object Access Control List (ACL) with the security permissions set on the AdminSDHolder. An adversary who has obtained privileged access to a Windows Domain may modify the AdminSDHolder ACL to establish persistence and allow an unprivileged user to take control of a domain. -action.notable.param.rule_title = Windows AD AdminSDHolder ACL Modified -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=nTSecurityDescriptor OperationType="%%14674" ObjectDN="CN=AdminSDHolder,CN=System*" | rex field=AttributeValue max_match=10000 "A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;(?PS-1-[0-59]-\d{2}-\d{8,10}-\d{8,10}-\d{8,10}-[1-9]\d{3})\)" | stats values(added_user_sid) by _time, Computer, SubjectUserName, ObjectDN | `windows_ad_adminsdholder_acl_modified_filter` - -[ESCU - Windows AD Cross Domain SID History Addition - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic looks for changes to the sIDHistory AD attribute of user or computer objects within different domains. The SID history AD attribute allows users to inherit permissions from a separate AD account without group changes. Initially developed for access continuity when migrating user accounts to different domains, this attribute can also be abused by adversaries for inter-domain privilege escalation and persistence. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134.005", "T1134"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic looks for changes to the sIDHistory AD attribute of user or computer objects within different domains. The SID history AD attribute allows users to inherit permissions from a separate AD account without group changes. Initially developed for access continuity when migrating user accounts to different domains, this attribute can also be abused by adversaries for inter-domain privilege escalation and persistence. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting eventcodes `4738` and `4742`. The Advanced Security Audit policy settings `Audit User Account Management` and `Audit Computer Account Management` within `Account Management` all need to be enabled. -action.escu.known_false_positives = Domain mergers and migrations may generate large volumes of false positives for this analytic. -action.escu.creation_date = 2022-11-17 -action.escu.modification_date = 2022-11-17 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows AD Cross Domain SID History Addition - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Sneaky Active Directory Persistence Tricks"] -action.risk = 1 -action.risk.param._risk_message = Active Directory SID History Attribute was added to $user$ by $src_user$ -action.risk.param._risk = [{"risk_object_field": "src_user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows AD Cross Domain SID History Addition - Rule -action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 80, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134.005", "T1134"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "41bbb371-28ba-439c-bb5c-d9930c28365d", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic looks for changes to the sIDHistory AD attribute of user or computer objects within different domains. The SID history AD attribute allows users to inherit permissions from a separate AD account without group changes. Initially developed for access continuity when migrating user accounts to different domains, this attribute can also be abused by adversaries for inter-domain privilege escalation and persistence. -action.notable.param.rule_title = Windows AD Cross Domain SID History Addition -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` (EventCode=4742 OR EventCode=4738) NOT SidHistory IN ("%%1793", -) | rex field=SidHistory "(^%{|^)(?P.*)(\-|\\\)" | rex field=TargetSid "^(?P.*)(\-|\\\)" | where SidHistoryMatch!=TargetSidmatch AND SidHistoryMatch!=TargetDomainName | rename TargetSid as userSid | table _time action status host user userSid SidHistory Logon_ID src_user | `windows_ad_cross_domain_sid_history_addition_filter` - -[ESCU - Windows AD Domain Controller Audit Policy Disabled - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the disabling of audit policies on a domain controller. The detection is made by identifying changes made to audit policies and checks for the removal of success or failure auditing, which are common indicators of policy tampering. The detection is important because it indicates that an attacker has gained access to the domain controller and is attempting to evade detection and cover up malicious activity. The impact of such an attack can be severe, including data theft, privilege escalation, and compromise of the entire network. False positives might occur since legitimate changes to audit policies might also trigger the analytic. Upon triage, review the audit policy change event and investigate the source of the change. Additionally, you must capture and inspect any relevant on-disk artifacts and review concurrent processes to identify the attack source." -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001"], "nist": ["DE.CM"]} -action.escu.data_models = ["Change"] -action.escu.eli5 = The following analytic detects the disabling of audit policies on a domain controller. The detection is made by identifying changes made to audit policies and checks for the removal of success or failure auditing, which are common indicators of policy tampering. The detection is important because it indicates that an attacker has gained access to the domain controller and is attempting to evade detection and cover up malicious activity. The impact of such an attack can be severe, including data theft, privilege escalation, and compromise of the entire network. False positives might occur since legitimate changes to audit policies might also trigger the analytic. Upon triage, review the audit policy change event and investigate the source of the change. Additionally, you must capture and inspect any relevant on-disk artifacts and review concurrent processes to identify the attack source." -action.escu.how_to_implement = Ensure you are ingesting EventCode `4719` from your domain controllers, the category domain_controller exists in assets and identities, and that assets and identities is enabled. If A&I is not configured, you will need to manually filter the results within the base search. -action.escu.known_false_positives = Unknown -action.escu.creation_date = 2023-01-26 -action.escu.modification_date = 2023-01-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows AD Domain Controller Audit Policy Disabled - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Sneaky Active Directory Persistence Tricks"] -action.risk = 1 -action.risk.param._risk_message = GPO $SubCategory$ of $Category$ was disabled on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 60}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows AD Domain Controller Audit Policy Disabled - Rule -action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 60, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "fc3ccef1-60a4-4239-bd66-b279511b4d14", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the disabling of audit policies on a domain controller. The detection is made by identifying changes made to audit policies and checks for the removal of success or failure auditing, which are common indicators of policy tampering. The detection is important because it indicates that an attacker has gained access to the domain controller and is attempting to evade detection and cover up malicious activity. The impact of such an attack can be severe, including data theft, privilege escalation, and compromise of the entire network. False positives might occur since legitimate changes to audit policies might also trigger the analytic. Upon triage, review the audit policy change event and investigate the source of the change. Additionally, you must capture and inspect any relevant on-disk artifacts and review concurrent processes to identify the attack source." -action.notable.param.rule_title = Windows AD Domain Controller Audit Policy Disabled -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4719 (AuditPolicyChanges IN ("%%8448","%%8450","%%8448, %%8450") OR Changes IN ("Failure removed","Success removed","Success removed, Failure removed")) dest_category="domain_controller"| replace "%%8448" with "Success removed", "%%8450" with "Failure removed", "%%8448, %%8450" with "Success removed, Failure removed" in AuditPolicyChanges | eval AuditPolicyChanges=coalesce(AuditPolicyChanges,Changes), SubcategoryGuid=coalesce(SubcategoryGuid,Subcategory_GUID) | stats min(_time) as _time values(host) as dest by AuditPolicyChanges SubcategoryGuid | lookup advanced_audit_policy_guids GUID as SubcategoryGuid OUTPUT Category SubCategory | `windows_ad_domain_controller_audit_policy_disabled_filter` - -[ESCU - Windows AD Domain Controller Promotion - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic identifies a genuine DC promotion event. Identifying when a computer assigns itself the necessary SPNs to function as a domain controller. Note these events are triggered on the existing domain controllers, not the newly joined domain controller. This detection will serve to identify rogue DCs added to the network. There are 2x detections within this analytic story which identify DCShadow attacks, if you do not currently possess the logging for these detections, remove the where clause within this detection to identify DCShadow activity. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1207"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic identifies a genuine DC promotion event. Identifying when a computer assigns itself the necessary SPNs to function as a domain controller. Note these events are triggered on the existing domain controllers, not the newly joined domain controller. This detection will serve to identify rogue DCs added to the network. There are 2x detections within this analytic story which identify DCShadow attacks, if you do not currently possess the logging for these detections, remove the where clause within this detection to identify DCShadow activity. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting eventcode `4742`. The Advanced Security Audit policy setting `Audit Computer Account Management` within `Account Management` needs to be enabled. -action.escu.known_false_positives = None. -action.escu.creation_date = 2023-01-26 -action.escu.modification_date = 2023-01-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows AD Domain Controller Promotion - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Sneaky Active Directory Persistence Tricks"] -action.risk = 1 -action.risk.param._risk_message = AD Domain Controller Promotion Event Detected for $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows AD Domain Controller Promotion - Rule -action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1207"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e633a0ef-2a6e-4ed7-b925-5ff999e5d1f0", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic identifies a genuine DC promotion event. Identifying when a computer assigns itself the necessary SPNs to function as a domain controller. Note these events are triggered on the existing domain controllers, not the newly joined domain controller. This detection will serve to identify rogue DCs added to the network. There are 2x detections within this analytic story which identify DCShadow attacks, if you do not currently possess the logging for these detections, remove the where clause within this detection to identify DCShadow activity. -action.notable.param.rule_title = Windows AD Domain Controller Promotion -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4742 ServicePrincipalNames IN ("*E3514235-4B06-11D1-AB04-00C04FC2DCD2/*","*GC/*")| stats min(_time) as _time latest(ServicePrincipalNames) as ServicePrincipalNames,values(signature) as signature, values(src_user) as src_user, values(user) as user by Logon_ID, dvc| where src_user=user| rename Logon_ID as TargetLogonId, user as dest | appendpipe [| map search="search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$" | fields - dest, dvc, signature]| stats min(_time) as _time, values(TargetUserSid) as TargetUserSid, values(Target_Domain) as Target_Domain, values(user) as user, values(status) as status, values(src_category) as src_category, values(src_ip) as src_ip values(ServicePrincipalNames) as ServicePrincipalNames values(signature) as signature values(dest) as dest values(dvc) as dvc by TargetLogonId | eval dest=trim(dest,"$") | `windows_ad_domain_controller_promotion_filter` - -[ESCU - Windows AD Domain Replication ACL Addition - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic detects the addition of the permissions necessary to perform a DCSync attack. In order to replicate AD objects, the initiating user or computer must have the following permissions on the domain. - DS-Replication-Get-Changes - DS-Replication-Get-Changes-All Certain Sync operations may require the additional permission of DS-Replication-Get-Changes-In-Filtered-Set. By default, adding DCSync permissions via the Powerview Add-ObjectACL operation adds all 3. This alert identifies where this trifecta has been met, and also where just the base level requirements have been met. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484"], "nist": ["DE.CM"]} -action.escu.data_models = ["Change"] -action.escu.eli5 = The following analytic detects the addition of the permissions necessary to perform a DCSync attack. In order to replicate AD objects, the initiating user or computer must have the following permissions on the domain. - DS-Replication-Get-Changes - DS-Replication-Get-Changes-All Certain Sync operations may require the additional permission of DS-Replication-Get-Changes-In-Filtered-Set. By default, adding DCSync permissions via the Powerview Add-ObjectACL operation adds all 3. This alert identifies where this trifecta has been met, and also where just the base level requirements have been met. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting the eventcode 5136. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled, alongside a SACL for `everybody` to `Write All Properties` applied to the domain root and all descendant objects. Once the necessary logging has been enabled, enumerate the domain policy to verify if existing accounts with access need to be whitelisted, or revoked. Assets and Identities is also leveraged to automatically translate the objectSid into username. Ensure your identities lookup is configured with the sAMAccountName and objectSid of all AD user and computer objects. -action.escu.known_false_positives = When there is a change to nTSecurityDescriptor, Windows logs the entire ACL with the newly added components. If existing accounts are present with this permission, they will raise an alert each time the nTSecurityDescriptor is updated unless whitelisted. -action.escu.creation_date = 2022-11-18 -action.escu.modification_date = 2022-11-18 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows AD Domain Replication ACL Addition - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Sneaky Active Directory Persistence Tricks"] -action.risk = 1 -action.risk.param._risk_message = $src_user$ has granted $user$ permission to replicate AD objects -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "src_user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Windows AD Domain Replication ACL Addition - Rule -action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 80, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "8c372853-f459-4995-afdc-280c114d33ab", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the addition of the permissions necessary to perform a DCSync attack. In order to replicate AD objects, the initiating user or computer must have the following permissions on the domain. - DS-Replication-Get-Changes - DS-Replication-Get-Changes-All Certain Sync operations may require the additional permission of DS-Replication-Get-Changes-In-Filtered-Set. By default, adding DCSync permissions via the Powerview Add-ObjectACL operation adds all 3. This alert identifies where this trifecta has been met, and also where just the base level requirements have been met. -action.notable.param.rule_title = Windows AD Domain Replication ACL Addition -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` | rex field=AttributeValue max_match=10000 \"OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;(?PS-1-[0-59]-\d{2}-\d{8,10}-\d{8,10}-\d{8,10}-[1-9]\d{3})\)\"| table _time dest src_user DSRGetChanges_user_sid DSRGetChangesAll_user_sid DSRGetChangesFiltered_user_sid| mvexpand DSRGetChanges_user_sid| eval minDCSyncPermissions=if(DSRGetChanges_user_sid=DSRGetChangesAll_user_sid,\"true\",\"false\"), fullSet=if(DSRGetChanges_user_sid=DSRGetChangesAll_user_sid AND DSRGetChanges_user_sid=DSRGetChangesFiltered_user_sid,\"true\",\"false\")| where minDCSyncPermissions=\"true\" | lookup identity_lookup_expanded objectSid as DSRGetChanges_user_sid OUTPUT sAMAccountName as user | rename DSRGetChanges_user_sid as userSid | stats min(_time) as _time values(user) as user by dest src_user userSid minDCSyncPermissions fullSet| `windows_ad_domain_replication_acl_addition_filter` - -[ESCU - Windows AD DSRM Account Changes - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = Aside from being used to promote genuine domain controllers, the DSRM (Directory Services Restore Mode) account can be used to persist within a Domain. A DC can be configured to allow the DSRM account to logon & be used in the same way as a local administrator account. This detection is looking for alterations to the behaviour of the account via registry. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = Aside from being used to promote genuine domain controllers, the DSRM (Directory Services Restore Mode) account can be used to persist within a Domain. A DC can be configured to allow the DSRM account to logon & be used in the same way as a local administrator account. This detection is looking for alterations to the behaviour of the account via registry. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Disaster recovery events. -action.escu.creation_date = 2023-11-07 -action.escu.modification_date = 2023-11-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows AD DSRM Account Changes - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Sneaky Active Directory Persistence Tricks", "Windows Persistence Techniques", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = DSRM Account Changes Initiated on $dest$ by $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 100}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 100}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows AD DSRM Account Changes - Rule -action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks", "Windows Persistence Techniques", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "08cb291e-ea77-48e8-a95a-0799319bf056", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = Aside from being used to promote genuine domain controllers, the DSRM (Directory Services Restore Mode) account can be used to persist within a Domain. A DC can be configured to allow the DSRM account to logon & be used in the same way as a local administrator account. This detection is looking for alterations to the behaviour of the account via registry. -action.notable.param.rule_title = Windows AD DSRM Account Changes -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` min(_time) as _time from datamodel=Endpoint.Registry where Registry.registry_path= "*\\System\\CurrentControlSet\\Control\\Lsa\\DSRMAdminLogonBehavior" Registry.registry_value_data IN ("*1","*2") by Registry.action Registry.registry_path Registry.registry_value_data Registry.registry_value_type Registry.process_guid Registry.dest Registry.user | `drop_dm_object_name(Registry)` | join type=outer process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes by Processes.user Processes.process_name Processes.process Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)`] | table _time action dest user parent_process_name parent_process process_name process process_guid registry_path registry_value_data registry_value_type | `windows_ad_dsrm_account_changes_filter` - -[ESCU - Windows AD DSRM Password Reset - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = Aside from being used to promote genuine domain controllers, the DSRM (Directory Services Restore Mode) account can be used to persist within a Domain. A DC can be configured to allow the DSRM account to logon & be used in the same way as a local administrator account. This detection is looking for any password reset attempts against that account. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]} -action.escu.data_models = ["Change"] -action.escu.eli5 = Aside from being used to promote genuine domain controllers, the DSRM (Directory Services Restore Mode) account can be used to persist within a Domain. A DC can be configured to allow the DSRM account to logon & be used in the same way as a local administrator account. This detection is looking for any password reset attempts against that account. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting eventcode `4794` and have the Advanced Security Audit policy `Audit User Account Management` within `Account Management` enabled. -action.escu.known_false_positives = Resetting the DSRM password for legitamate reasons, i.e. forgot the password. Disaster recovery. Deploying AD backdoor deliberately. -action.escu.creation_date = 2022-09-08 -action.escu.modification_date = 2022-09-08 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows AD DSRM Password Reset - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Sneaky Active Directory Persistence Tricks"] -action.risk = 1 -action.risk.param._risk_message = DSRM Account Password was reset on $dest$ by $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 100}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 100}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows AD DSRM Password Reset - Rule -action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "d1ab841c-36a6-46cf-b50f-b2b04b31182a", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = Aside from being used to promote genuine domain controllers, the DSRM (Directory Services Restore Mode) account can be used to persist within a Domain. A DC can be configured to allow the DSRM account to logon & be used in the same way as a local administrator account. This detection is looking for any password reset attempts against that account. -action.notable.param.rule_title = Windows AD DSRM Password Reset -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` min(_time) as _time from datamodel=Change where All_Changes.result_id="4794" AND All_Changes.result="An attempt was made to set the Directory Services Restore Mode administrator password" by All_Changes.action, All_Changes.dest, All_Changes.src, All_Changes.user | `drop_dm_object_name(All_Changes)` | `windows_ad_dsrm_password_reset_filter` - -[ESCU - Windows AD Privileged Account SID History Addition - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This detection identifies when the SID of a privileged user is added to the SID History attribute of another user. Useful for tracking SID history abuse across multiple domains. This detection leverages the Asset and Identities framework. See the implementation section for further details on configuration. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134.005", "T1134"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This detection identifies when the SID of a privileged user is added to the SID History attribute of another user. Useful for tracking SID history abuse across multiple domains. This detection leverages the Asset and Identities framework. See the implementation section for further details on configuration. -action.escu.how_to_implement = Ensure you have objectSid and the Down Level Logon Name `DOMAIN\sAMACountName` added to the identity field of your Asset and Identities lookup, along with the category of privileged for the applicable users. Ensure you are ingesting eventcodes 4742 and 4738. Two advanced audit policies `Audit User Account Management` and `Audit Computer Account Management` under `Account Management` are required to generate these event codes. -action.escu.known_false_positives = Migration of privileged accounts. -action.escu.creation_date = 2023-11-07 -action.escu.modification_date = 2023-11-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows AD Privileged Account SID History Addition - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Sneaky Active Directory Persistence Tricks"] -action.risk = 1 -action.risk.param._risk_message = A Privileged User Account SID History Attribute was added to $userSid$ by $src_user$ -action.risk.param._risk = [{"risk_object_field": "src_user", "risk_object_type": "user", "risk_score": 90}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows AD Privileged Account SID History Addition - Rule -action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134.005", "T1134"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "6b521149-b91c-43aa-ba97-c2cac59ec830", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This detection identifies when the SID of a privileged user is added to the SID History attribute of another user. Useful for tracking SID history abuse across multiple domains. This detection leverages the Asset and Identities framework. See the implementation section for further details on configuration. -action.notable.param.rule_title = Windows AD Privileged Account SID History Addition -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` (EventCode=4742 OR EventCode=4738) NOT SidHistory IN ("%%1793", -) | rex field=SidHistory "(^%{|^)(?P.*?)(}$|$)" | eval category="privileged" | lookup identity_lookup_expanded category, identity as SidHistory OUTPUT identity_tag as match | where isnotnull(match) | rename TargetSid as userSid | table _time action status host user userSid SidHistory Logon_ID src_user | `windows_ad_privileged_account_sid_history_addition_filter` - -[ESCU - Windows AD Privileged Object Access Activity - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = Windows Active Directory contains numerous objects that grant elevated access to the domain they reside in. These objects should be rarely accessed by normal users or processes. Access attempts to one or more of these objects may be evidence of attacker enumeration of Active Directory. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.002"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = Windows Active Directory contains numerous objects that grant elevated access to the domain they reside in. These objects should be rarely accessed by normal users or processes. Access attempts to one or more of these objects may be evidence of attacker enumeration of Active Directory. -action.escu.how_to_implement = Enable Audit Directory Service Access via GPO and collect event code 4662. The required SACLs need to be created for the relevant objects. Be aware Splunk filters this event by default on the Windows TA. -action.escu.known_false_positives = Service accounts or applications that routinely query Active Directory for information. -action.escu.creation_date = 2023-06-01 -action.escu.modification_date = 2023-06-01 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows AD Privileged Object Access Activity - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Discovery"] -action.risk = 1 -action.risk.param._risk_message = The account $user$ accessed $object_count$ privileged AD object(s). -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 40}, {"risk_object_field": "object_name", "risk_object_type": "other", "risk_score": 40}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows AD Privileged Object Access Activity - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.002"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "dc2f58bc-8cd2-4e51-962a-694b963acde0", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = Windows Active Directory contains numerous objects that grant elevated access to the domain they reside in. These objects should be rarely accessed by normal users or processes. Access attempts to one or more of these objects may be evidence of attacker enumeration of Active Directory. -action.notable.param.rule_title = Windows AD Privileged Object Access Activity -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4662 ObjectName IN ( "CN=Account Operators,*", "CN=Administrators,*", "CN=Backup Operators,*", "CN=Cert Publishers,*", "CN=Certificate Service DCOM Access,*", "CN=Domain Admins,*", "CN=Domain Controllers,*", "CN=Enterprise Admins,*", "CN=Enterprise Read-only Domain Controllers,*", "CN=Group Policy Creator Owners,*", "CN=Incoming Forest Trust Builders,*", "CN=Microsoft Exchange Servers,*", "CN=Network Configuration Operators,*", "CN=Power Users,*", "CN=Print Operators,*", "CN=Read-only Domain Controllers,*", "CN=Replicators,*", "CN=Schema Admins,*", "CN=Server Operators,*", "CN=Exchange Trusted Subsystem,*", "CN=Exchange Windows Permission,*", "CN=Organization Management,*") | rex field=ObjectName "CN\=(?[^,]+)" | stats values(Computer) as dest, values(object_name) as object_name, dc(ObjectName) as object_count, min(_time) as firstTime, max(_time) as lastTime, count by SubjectUserName | rename SubjectUserName as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_ad_privileged_object_access_activity_filter` - -[ESCU - Windows AD Replication Request Initiated by User Account - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This alert was written to detect activity associated with the DCSync attack. When a domain controller receives a replication request, the user account permissions are validated, however no checks are performed to validate the request was initiated by a Domain Controller. Once an attacker gains control of an account with the necessary privileges, they can request password hashes for any or all users within the domain. This alert detects when a user account creates a handle to domainDNS with the necessary replication permissions. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.006", "T1003"], "nist": ["DE.CM"]} -action.escu.data_models = ["Authentication", "Change"] -action.escu.eli5 = This alert was written to detect activity associated with the DCSync attack. When a domain controller receives a replication request, the user account permissions are validated, however no checks are performed to validate the request was initiated by a Domain Controller. Once an attacker gains control of an account with the necessary privileges, they can request password hashes for any or all users within the domain. This alert detects when a user account creates a handle to domainDNS with the necessary replication permissions. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting eventcode `4662`. The Advanced Security Audit policy settings `Audit Directory Services Access` within `DS Access` needs to be enabled, as well as the following SACLs applied to the domain root and all descendant objects. The principals `everybody`, `Domain Computers`, and `Domain Controllers` auditing the permissions `Replicating Directory Changes`, `Replicating Directory Changes All`, and `Replicating Directory Changes In Filtered Set` -action.escu.known_false_positives = Azure AD Connect syncing operations. -action.escu.creation_date = 2024-01-05 -action.escu.modification_date = 2024-01-05 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows AD Replication Request Initiated by User Account - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Credential Dumping", "Sneaky Active Directory Persistence Tricks"] -action.risk = 1 -action.risk.param._risk_message = Windows Active Directory Replication Request Initiated by User Account $user$ at $src_ip$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 100}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows AD Replication Request Initiated by User Account - Rule -action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping", "Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.006", "T1003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "51307514-1236-49f6-8686-d46d93cc2821", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This alert was written to detect activity associated with the DCSync attack. When a domain controller receives a replication request, the user account permissions are validated, however no checks are performed to validate the request was initiated by a Domain Controller. Once an attacker gains control of an account with the necessary privileges, they can request password hashes for any or all users within the domain. This alert detects when a user account creates a handle to domainDNS with the necessary replication permissions. -action.notable.param.rule_title = Windows AD Replication Request Initiated by User Account -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4662 ObjectType IN ("%{19195a5b-6da0-11d0-afd3-00c04fd930c9}", "domainDNS") AND Properties IN ("*Replicating Directory Changes All*", "*{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}*", "*{9923a32a-3607-11d2-b9be-0000f87a36b2}*","*{1131f6ac-9c07-11d1-f79f-00c04fc2dcd2}*") AND AccessMask="0x100" AND NOT (SubjectUserSid="NT AUT*" OR SubjectUserSid="S-1-5-18" OR SubjectDomainName="Window Manager" OR SubjectUserName="*$") | stats min(_time) as _time, count by SubjectDomainName, SubjectUserName, Computer, Logon_ID, ObjectName, ObjectServer, ObjectType, OperationType, status | rename SubjectDomainName as Target_Domain, SubjectUserName as user, Logon_ID as TargetLogonId, _time as attack_time | appendpipe [| map search="search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$"] | table attack_time, AuthenticationPackageName, LogonProcessName, LogonType, TargetUserSid, Target_Domain, user, Computer, TargetLogonId, status, src_ip, src_category, ObjectName, ObjectServer, ObjectType, OperationType | stats min(attack_time) as _time values(TargetUserSid) as TargetUserSid, values(Target_Domain) as Target_Domain, values(user) as user, values(Computer) as Computer, values(status) as status, values(src_category) as src_category, values(src_ip) as src_ip by TargetLogonId | `windows_ad_replication_request_initiated_by_user_account_filter` - -[ESCU - Windows AD Replication Request Initiated from Unsanctioned Location - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This alert was written to detect activity associated with the DCSync attack performed by computer accounts. When a domain controller receives a replication request, the account permissions are validated, however no checks are performed to validate the request was initiated by a Domain Controller. Once an attacker gains control of an account with the necessary privileges, they can request password hashes for any or all users within the domain. This alert detects when a computer account account creates a handle to domainDNS with the necessary replication permissions. These requests are then filtered to exclude where the events originate from a known domain controller IP address. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.006", "T1003"], "nist": ["DE.CM"]} -action.escu.data_models = ["Authentication", "Change"] -action.escu.eli5 = This alert was written to detect activity associated with the DCSync attack performed by computer accounts. When a domain controller receives a replication request, the account permissions are validated, however no checks are performed to validate the request was initiated by a Domain Controller. Once an attacker gains control of an account with the necessary privileges, they can request password hashes for any or all users within the domain. This alert detects when a computer account account creates a handle to domainDNS with the necessary replication permissions. These requests are then filtered to exclude where the events originate from a known domain controller IP address. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting eventcode `4662`. The Advanced Security Audit policy settings `Audit Directory Services Access` within `DS Access` needs to be enabled, as well as the following SACLs applied to the domain root and all descendant objects. The principals `everybody`, `Domain Computers`, and `Domain Controllers` auditing the permissions `Replicating Directory Changes`, `Replicating Directory Changes All`, and `Replicating Directory Changes In Filtered Set` Assets and Identities will also need to be configured, with the category of domain_controller added for domain controllers. -action.escu.known_false_positives = Genuine DC promotion may trigger this alert. -action.escu.creation_date = 2024-01-05 -action.escu.modification_date = 2024-01-05 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows AD Replication Request Initiated from Unsanctioned Location - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Credential Dumping", "Sneaky Active Directory Persistence Tricks"] -action.risk = 1 -action.risk.param._risk_message = Windows Active Directory Replication Request Initiated from Unsanctioned Location $src_ip$ by $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 100}, {"threat_object_field": "src_ip", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows AD Replication Request Initiated from Unsanctioned Location - Rule -action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping", "Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.006", "T1003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "50998483-bb15-457b-a870-965080d9e3d3", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This alert was written to detect activity associated with the DCSync attack performed by computer accounts. When a domain controller receives a replication request, the account permissions are validated, however no checks are performed to validate the request was initiated by a Domain Controller. Once an attacker gains control of an account with the necessary privileges, they can request password hashes for any or all users within the domain. This alert detects when a computer account account creates a handle to domainDNS with the necessary replication permissions. These requests are then filtered to exclude where the events originate from a known domain controller IP address. -action.notable.param.rule_title = Windows AD Replication Request Initiated from Unsanctioned Location -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4662 ObjectType IN ("%{19195a5b-6da0-11d0-afd3-00c04fd930c9}", "domainDNS") AND Properties IN ("*Replicating Directory Changes All*", "*{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}*", "*{9923a32a-3607-11d2-b9be-0000f87a36b2}*","*{1131f6ac-9c07-11d1-f79f-00c04fc2dcd2}*") AND AccessMask="0x100" AND (SubjectUserSid="NT AUT*" OR SubjectUserSid="S-1-5-18" OR SubjectDomainName="Window Manager" OR SubjectUserName="*$") | stats min(_time) as attack_time, count by SubjectDomainName, SubjectUserName, Computer, Logon_ID, ObjectName, ObjectServer, ObjectType, OperationType, status | rename SubjectDomainName as Target_Domain, SubjectUserName as user, Logon_ID as TargetLogonId | appendpipe [| map search="search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$"] | table attack_time, AuthenticationPackageName, LogonProcessName, LogonType, TargetUserSid, Target_Domain, user, Computer, TargetLogonId, status, src_ip, src_category, ObjectName, ObjectServer, ObjectType, OperationType | stats min(attack_time) as _time, values(TargetUserSid) as TargetUserSid, values(Target_Domain) as Target_Domain, values(user) as user, values(Computer) as Computer, values(status) as status, values(src_category) as src_category, values(src_ip) as src_ip by TargetLogonId | search NOT src_category="domain_controller" | `windows_ad_replication_request_initiated_from_unsanctioned_location_filter` - -[ESCU - Windows AD Same Domain SID History Addition - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic looks for changes to the sIDHistory AD attribute of user or computer objects which exist within the same domain. The SID history AD attribute allows users to inherit permissions from a separate AD account without group changes. Initially developed for access continuity when migrating user accounts to different domains, this attribute can also be abused by adversaries to stealthily grant access to a backdoor account within the same domain. This analytic was written to pick up on activity via Mimikatz sid::patch. Please note there are additional avenues to abuse SID history such as DCShadow & Golden / Diamond tickets which won't be detected using these event codes. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134.005", "T1134"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic looks for changes to the sIDHistory AD attribute of user or computer objects which exist within the same domain. The SID history AD attribute allows users to inherit permissions from a separate AD account without group changes. Initially developed for access continuity when migrating user accounts to different domains, this attribute can also be abused by adversaries to stealthily grant access to a backdoor account within the same domain. This analytic was written to pick up on activity via Mimikatz sid::patch. Please note there are additional avenues to abuse SID history such as DCShadow & Golden / Diamond tickets which won't be detected using these event codes. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting eventcodes `4738` and `4742`. The Advanced Security Audit policy settings `Audit User Account Management` and `Audit Computer Account Management` within `Account Management` all need to be enabled. SID resolution is not required.. -action.escu.known_false_positives = Unknown -action.escu.creation_date = 2022-09-09 -action.escu.modification_date = 2022-09-09 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows AD Same Domain SID History Addition - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Sneaky Active Directory Persistence Tricks", "Windows Persistence Techniques"] -action.risk = 1 -action.risk.param._risk_message = Active Directory SID History Attribute was added to $user$ by $src_user$ -action.risk.param._risk = [{"risk_object_field": "src_user", "risk_object_type": "user", "risk_score": 100}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 100}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows AD Same Domain SID History Addition - Rule -action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks", "Windows Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134.005", "T1134"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "5fde0b7c-df7a-40b1-9b3a-294c00f0289d", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic looks for changes to the sIDHistory AD attribute of user or computer objects which exist within the same domain. The SID history AD attribute allows users to inherit permissions from a separate AD account without group changes. Initially developed for access continuity when migrating user accounts to different domains, this attribute can also be abused by adversaries to stealthily grant access to a backdoor account within the same domain. This analytic was written to pick up on activity via Mimikatz sid::patch. Please note there are additional avenues to abuse SID history such as DCShadow & Golden / Diamond tickets which won't be detected using these event codes. -action.notable.param.rule_title = Windows AD Same Domain SID History Addition -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` (EventCode=4742 OR EventCode=4738) NOT SidHistory IN ("%%1793", -) | rex field=SidHistory "(^%{|^)(?P.*)(\-|\\\)" | rex field=TargetSid "^(?P.*)(\-|\\\)" | where SidHistoryMatch=TargetSidmatch OR SidHistoryMatch=TargetDomainName | rename TargetSid as userSid, TargetDomainName as userDomainName | table _time action status host user userSid userDomainName SidHistory Logon_ID src_user | `windows_ad_same_domain_sid_history_addition_filter` - -[ESCU - Windows AD ServicePrincipalName Added To Domain Account - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the addition of a Service Principal Name to a domain account. While this event may be part of a legitimate action part of certain administrative operations, it may also be evidence of a persistence attack. Domain accounts with Servce Principal Names are vulnerable to a technique called Kerberoasting that enables attackers to potentially obtain the cleartext password of the account by performing offline cracking. An adversary who has obtained privileged access to a domain environment may add an SPN to a privileged account to then leverage the Kerberoasting technique and attempt to obtain its clertext password. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies the addition of a Service Principal Name to a domain account. While this event may be part of a legitimate action part of certain administrative operations, it may also be evidence of a persistence attack. Domain accounts with Servce Principal Names are vulnerable to a technique called Kerberoasting that enables attackers to potentially obtain the cleartext password of the account by performing offline cracking. An adversary who has obtained privileged access to a domain environment may add an SPN to a privileged account to then leverage the Kerberoasting technique and attempt to obtain its clertext password. -action.escu.how_to_implement = To successfully implement this search, you ned to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. Additionally, a SACL needs to be created for AD objects in order to ingest attribute modifications. -action.escu.known_false_positives = A Service Principal Name should only be added to an account when an application requires it. While infrequent, this detection may trigger on legitimate actions. Filter as needed. -action.escu.creation_date = 2023-11-07 -action.escu.modification_date = 2023-11-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows AD ServicePrincipalName Added To Domain Account - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Sneaky Active Directory Persistence Tricks"] -action.risk = 1 -action.risk.param._risk_message = A Servince Principal Name for $ObjectDN$ was set by $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 30}, {"risk_object_field": "ObjectDN", "risk_object_type": "user", "risk_score": 30}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows AD ServicePrincipalName Added To Domain Account - Rule -action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "8a1259cb-0ea7-409c-8bfe-74bad89259f9", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the addition of a Service Principal Name to a domain account. While this event may be part of a legitimate action part of certain administrative operations, it may also be evidence of a persistence attack. Domain accounts with Servce Principal Names are vulnerable to a technique called Kerberoasting that enables attackers to potentially obtain the cleartext password of the account by performing offline cracking. An adversary who has obtained privileged access to a domain environment may add an SPN to a privileged account to then leverage the Kerberoasting technique and attempt to obtain its clertext password. -action.notable.param.rule_title = Windows AD ServicePrincipalName Added To Domain Account -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=servicePrincipalName OperationType="%%14674" | stats values(ObjectDN) as ObjectDN by _time, Computer, SubjectUserName, AttributeValue | rename Computer as dest SubjectUserName as user | `windows_ad_serviceprincipalname_added_to_domain_account_filter` - -[ESCU - Windows AD Short Lived Domain Account ServicePrincipalName - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the addition of a Service Principal Name to a domain account that is quickly deleted within 5 minutes or less. While this event may be part of a legitimate action part of certain administrative operations, it may also be evidence of a persistence attack. Domain accounts with Service Principal Names are vulnerable to a technique called Kerberoasting that enables attackers to potentially obtain the cleartext password of the account by performing offline cracking. An adversary who has obtained privileged access to a domain environment may add an SPN to a privileged account to then leverage the Kerberoasting technique and attempt to obtain its clertext password. To clean things up, the adversary may delete the SPN which will trigger this detection. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies the addition of a Service Principal Name to a domain account that is quickly deleted within 5 minutes or less. While this event may be part of a legitimate action part of certain administrative operations, it may also be evidence of a persistence attack. Domain accounts with Service Principal Names are vulnerable to a technique called Kerberoasting that enables attackers to potentially obtain the cleartext password of the account by performing offline cracking. An adversary who has obtained privileged access to a domain environment may add an SPN to a privileged account to then leverage the Kerberoasting technique and attempt to obtain its clertext password. To clean things up, the adversary may delete the SPN which will trigger this detection. -action.escu.how_to_implement = To successfully implement this search, you ned to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. Additionally, a SACL needs to be created for AD objects in order to ingest attribute modifications. -action.escu.known_false_positives = A Service Principal Name should only be added to an account when an application requires it. Adding an SPN and quickly deleting it is less common but may be part of legitimate action. Filter as needed. -action.escu.creation_date = 2022-11-18 -action.escu.modification_date = 2022-11-18 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows AD Short Lived Domain Account ServicePrincipalName - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Sneaky Active Directory Persistence Tricks"] -action.risk = 1 -action.risk.param._risk_message = A Servince Principal Name for $user$ was set and shortly deleted -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 40}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows AD Short Lived Domain Account ServicePrincipalName - Rule -action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "b681977c-d90c-4efc-81a5-c58f945fb541", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the addition of a Service Principal Name to a domain account that is quickly deleted within 5 minutes or less. While this event may be part of a legitimate action part of certain administrative operations, it may also be evidence of a persistence attack. Domain accounts with Service Principal Names are vulnerable to a technique called Kerberoasting that enables attackers to potentially obtain the cleartext password of the account by performing offline cracking. An adversary who has obtained privileged access to a domain environment may add an SPN to a privileged account to then leverage the Kerberoasting technique and attempt to obtain its clertext password. To clean things up, the adversary may delete the SPN which will trigger this detection. -action.notable.param.rule_title = Windows AD Short Lived Domain Account ServicePrincipalName -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=servicePrincipalName | transaction ObjectDN AttributeValue startswith=(EventCode=5136 OperationType="%%14674") endswith=(EventCode=5136 OperationType="%%14675") | eval short_lived=case((duration<300),"TRUE") | search short_lived = TRUE | rename ObjectDN as user | `windows_ad_short_lived_domain_account_serviceprincipalname_filter` - -[ESCU - Windows AD Short Lived Domain Controller SPN Attribute - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies when either a global catalog SPN or a DRS RPC SPN are temporarily added to an Active Directory computer object, both of which can be evidence of a DCShadow attack. DCShadow allows an attacker who has obtained privileged access to register a rogue Domain Controller (DC). Once registered, the rogue DC may be able to inject and replicate changes into the AD infrastructure for any domain object, including credentials and keys. This technique was initially released in 2018 by security researchers Benjamin Delpy and Vincent Le Toux. No event logs are written for changes to AD attributes, allowing for stealthy backdoors to be implanted in the domain, or metadata such as timestamps overwritten to cover tracks. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1207"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies when either a global catalog SPN or a DRS RPC SPN are temporarily added to an Active Directory computer object, both of which can be evidence of a DCShadow attack. DCShadow allows an attacker who has obtained privileged access to register a rogue Domain Controller (DC). Once registered, the rogue DC may be able to inject and replicate changes into the AD infrastructure for any domain object, including credentials and keys. This technique was initially released in 2018 by security researchers Benjamin Delpy and Vincent Le Toux. No event logs are written for changes to AD attributes, allowing for stealthy backdoors to be implanted in the domain, or metadata such as timestamps overwritten to cover tracks. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled, alongside a SACL for `everybody` to `Write All Properties` applied to the domain root and all descendant objects. -action.escu.known_false_positives = None. -action.escu.creation_date = 2023-11-07 -action.escu.modification_date = 2023-11-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows AD Short Lived Domain Controller SPN Attribute - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Sneaky Active Directory Persistence Tricks"] -action.risk = 1 -action.risk.param._risk_message = Short Lived Domain Controller SPN AD Attribute Triggered by $src_user$ -action.risk.param._risk = [{"risk_object_field": "src_user", "risk_object_type": "user", "risk_score": 100}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows AD Short Lived Domain Controller SPN Attribute - Rule -action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1207"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "57e27f27-369c-4df8-af08-e8c7ee8373d4", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies when either a global catalog SPN or a DRS RPC SPN are temporarily added to an Active Directory computer object, both of which can be evidence of a DCShadow attack. DCShadow allows an attacker who has obtained privileged access to register a rogue Domain Controller (DC). Once registered, the rogue DC may be able to inject and replicate changes into the AD infrastructure for any domain object, including credentials and keys. This technique was initially released in 2018 by security researchers Benjamin Delpy and Vincent Le Toux. No event logs are written for changes to AD attributes, allowing for stealthy backdoors to be implanted in the domain, or metadata such as timestamps overwritten to cover tracks. -action.notable.param.rule_title = Windows AD Short Lived Domain Controller SPN Attribute -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=servicePrincipalName (AttributeValue="GC/*" OR AttributeValue="E3514235-4B06-11D1-AB04-00C04FC2DCD2/*") | stats min(_time) as _time range(_time) as duration values(OperationType) as OperationType values(user) as user values(src_ip) as src_ip values(src_nt_domain) as src_nt_domain values(src_user) as src_user values(Computer) as dest, values(ObjectDN) as ObjectDN by Logon_ID | eval short_lived=case((duration<30),"TRUE") | where short_lived="TRUE" AND mvcount(OperationType)>1 | replace "%%14674" with "Value Added", "%%14675" with "Value Deleted" in OperationType | rename Logon_ID as TargetLogonId | appendpipe [| map search="search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$"] | stats min(_time) as _time, values(ObjectDN) as ObjectDN values(OperationType) as OperationType by TargetLogonId src_user dest | `windows_ad_short_lived_domain_controller_spn_attribute_filter` - -[ESCU - Windows AD Short Lived Server Object - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a change in an Active Directory environment that could represent evidence of the DCShadow attack. DCShadow allows an attacker who has obtained privileged access to register a rogue Domain Controller (DC). Once registered, the rogue DC may be able to inject and replicate changes in the AD infrastructure for any domain object, including credentials and keys. This technique was initially released in 2018 by security researchers Benjamin Delpy and Vincent Le Toux. Specifically, the detection will trigger when a possible rogue Domain Controller computer object is created and quickly deleted within 30 seconds or less in an Active Directory domain. This behavior was identfied by simulating the DCShadow attack with Mimikatz. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1207"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies a change in an Active Directory environment that could represent evidence of the DCShadow attack. DCShadow allows an attacker who has obtained privileged access to register a rogue Domain Controller (DC). Once registered, the rogue DC may be able to inject and replicate changes in the AD infrastructure for any domain object, including credentials and keys. This technique was initially released in 2018 by security researchers Benjamin Delpy and Vincent Le Toux. Specifically, the detection will trigger when a possible rogue Domain Controller computer object is created and quickly deleted within 30 seconds or less in an Active Directory domain. This behavior was identfied by simulating the DCShadow attack with Mimikatz. -action.escu.how_to_implement = To successfully implement this search, you ned to be ingesting Event codes `5137` and `5141`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. For these event codes to be generated, specific SACLs are required. -action.escu.known_false_positives = Creating and deleting a server object within 30 seconds or less is unusual but not impossible in a production environment. Filter as needed. -action.escu.creation_date = 2022-10-17 -action.escu.modification_date = 2022-10-17 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows AD Short Lived Server Object - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Sneaky Active Directory Persistence Tricks"] -action.risk = 1 -action.risk.param._risk_message = Potential DCShadow Attack Detected on $Computer$ -action.risk.param._risk = [{"risk_object_field": "SubjectUserName", "risk_object_type": "other", "risk_score": 64}, {"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows AD Short Lived Server Object - Rule -action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1207"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "193769d3-1e33-43a9-970e-ad4a88256cdb", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a change in an Active Directory environment that could represent evidence of the DCShadow attack. DCShadow allows an attacker who has obtained privileged access to register a rogue Domain Controller (DC). Once registered, the rogue DC may be able to inject and replicate changes in the AD infrastructure for any domain object, including credentials and keys. This technique was initially released in 2018 by security researchers Benjamin Delpy and Vincent Le Toux. Specifically, the detection will trigger when a possible rogue Domain Controller computer object is created and quickly deleted within 30 seconds or less in an Active Directory domain. This behavior was identfied by simulating the DCShadow attack with Mimikatz. -action.notable.param.rule_title = Windows AD Short Lived Server Object -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=5137 OR EventCode=5141 ObjectDN="*CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration*" | transaction ObjectDN startswith=(EventCode=5137) endswith=(EventCode=5141) | eval short_lived=case((duration<30),"TRUE") | search short_lived = TRUE | stats values(ObjectDN) values(signature) values(EventCode) by _time, Computer, SubjectUserName | `windows_ad_short_lived_server_object_filter` - -[ESCU - Windows AD SID History Attribute Modified - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic leverages event code `5136` to identify a modification of the SID History AD attribute. The SID history AD attribute allows users to inherit permissions from a separate AD account without group changes. Initially developed for access continuity when migrating user accounts to different domains, this attribute can also be abused by adversaries to stealthily grant access to a backdoor account within the same domain. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134", "T1134.005"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic leverages event code `5136` to identify a modification of the SID History AD attribute. The SID history AD attribute allows users to inherit permissions from a separate AD account without group changes. Initially developed for access continuity when migrating user accounts to different domains, this attribute can also be abused by adversaries to stealthily grant access to a backdoor account within the same domain. -action.escu.how_to_implement = To successfully implement this search, you ned to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. Additionally, a SACL needs to be created for AD objects in order to ingest attribute modifications. -action.escu.known_false_positives = Domain mergers and migrations may generate large volumes of false positives for this analytic. -action.escu.creation_date = 2022-11-16 -action.escu.modification_date = 2022-11-16 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows AD SID History Attribute Modified - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Sneaky Active Directory Persistence Tricks"] -action.risk = 1 -action.risk.param._risk_message = SID History AD attribute modified by $SubjectUserName$ for $ObjectDN$ on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows AD SID History Attribute Modified - Rule -action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134", "T1134.005"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "1155e47d-307f-4247-beab-71071e3a458c", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic leverages event code `5136` to identify a modification of the SID History AD attribute. The SID history AD attribute allows users to inherit permissions from a separate AD account without group changes. Initially developed for access continuity when migrating user accounts to different domains, this attribute can also be abused by adversaries to stealthily grant access to a backdoor account within the same domain. -action.notable.param.rule_title = Windows AD SID History Attribute Modified -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=sIDHistory OperationType="%%14674" | stats values(ObjectDN) as ObjectDN by _time, Computer, SubjectUserName, AttributeValue | rename Computer as dest | `windows_ad_sid_history_attribute_modified_filter` - -[ESCU - Windows AdFind Exe - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search looks for the execution of `adfind.exe` with command-line arguments that it uses by default specifically the filter or search functions. It also considers the arguments necessary like objectcategory, see readme for more details: https://www.joeware.net/freetools/tools/adfind/usage.htm. AdFind.exe is a powerful tool that is commonly used for querying and retrieving information from Active Directory (AD). While it is primarily designed for AD administration and management, it has been seen used before by Wizard Spider, FIN6 and actors whom also launched SUNBURST. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search looks for the execution of `adfind.exe` with command-line arguments that it uses by default specifically the filter or search functions. It also considers the arguments necessary like objectcategory, see readme for more details: https://www.joeware.net/freetools/tools/adfind/usage.htm. AdFind.exe is a powerful tool that is commonly used for querying and retrieving information from Active Directory (AD). While it is primarily designed for AD administration and management, it has been seen used before by Wizard Spider, FIN6 and actors whom also launched SUNBURST. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = ADfind is a command-line tool for AD administration and management that is seen to be leveraged by various adversaries. Filter out legitimate administrator usage using the filter macro. -action.escu.creation_date = 2023-06-13 -action.escu.modification_date = 2023-06-13 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows AdFind Exe - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Domain Trust Discovery", "Graceful Wipe Out Attack", "IcedID", "NOBELIUM Group"] -action.risk = 1 -action.risk.param._risk_message = Windows AdFind Exe -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows AdFind Exe - Rule -action.correlationsearch.annotations = {"analytic_story": ["Domain Trust Discovery", "Graceful Wipe Out Attack", "IcedID", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "bd3b0187-189b-46c0-be45-f52da2bae67f", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search looks for the execution of `adfind.exe` with command-line arguments that it uses by default specifically the filter or search functions. It also considers the arguments necessary like objectcategory, see readme for more details: https://www.joeware.net/freetools/tools/adfind/usage.htm. AdFind.exe is a powerful tool that is commonly used for querying and retrieving information from Active Directory (AD). While it is primarily designed for AD administration and management, it has been seen used before by Wizard Spider, FIN6 and actors whom also launched SUNBURST. -action.notable.param.rule_title = Windows AdFind Exe -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process="* -f *" OR Processes.process="* -b *") AND (Processes.process=*objectcategory* OR Processes.process="* -gcb *" OR Processes.process="* -sc *") by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_adfind_exe_filter` - -[ESCU - Windows Admin Permission Discovery - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is developed to identify suspicious file creation in the root drive (C:\). This tactic was observed in NjRAT as a means to ascertain whether its malware instance running on the compromised host possesses administrative privileges. The methodology involves an attempt to create a 'win.dat' file in the C:\ directory. If this file is successfully created, it serves as an indicator that the process indeed holds administrative privileges. This anomaly detection mechanism serves as a valuable pivot point for detecting NjRAT and other malware strains employing similar techniques to assess the privileges of their running malware instances, without using token privilege API calls or PowerShell commandlets. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069.001"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is developed to identify suspicious file creation in the root drive (C:\). This tactic was observed in NjRAT as a means to ascertain whether its malware instance running on the compromised host possesses administrative privileges. The methodology involves an attempt to create a 'win.dat' file in the C:\ directory. If this file is successfully created, it serves as an indicator that the process indeed holds administrative privileges. This anomaly detection mechanism serves as a valuable pivot point for detecting NjRAT and other malware strains employing similar techniques to assess the privileges of their running malware instances, without using token privilege API calls or PowerShell commandlets. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. -action.escu.known_false_positives = False positives may occur if there are legitimate accounts with the privilege to drop files in the root of the C drive. It's recommended to verify the legitimacy of such actions and the accounts involved. -action.escu.creation_date = 2023-09-19 -action.escu.modification_date = 2023-09-19 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Admin Permission Discovery - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["NjRAT"] -action.risk = 1 -action.risk.param._risk_message = A file was created in root drive C:/ on host - $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}, {"threat_object_field": "file_name", "threat_object_type": "file_name"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Admin Permission Discovery - Rule -action.correlationsearch.annotations = {"analytic_story": ["NjRAT"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069.001"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e08620cb-9488-4052-832d-97bcc0afd414", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = |tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*.exe", "*.dll", "*.sys", "*.com", "*.vbs", "*.vbe", "*.js", "*.bat", "*.cmd", "*.pif", "*.lnk", "*.dat") by Filesystem.dest Filesystem.file_create_time Filesystem.process_id Filesystem.process_guid Filesystem.file_name Filesystem.file_path Filesystem.user | `drop_dm_object_name(Filesystem)` | eval dropped_file_path = split(file_path, "\\") | eval dropped_file_path_split_count = mvcount(dropped_file_path) | eval root_drive = mvindex(dropped_file_path,0) | where LIKE(root_drive, "C:") AND dropped_file_path_split_count = 2 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_admin_permission_discovery_filter` - -[ESCU - Windows Administrative Shares Accessed On Multiple Hosts - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic leverages Event IDs 5140 or 5145 to identify a source computer accessing windows administrative shares (C$, Admin$ and IPC$ ) across a large number remote endpoints. Specifically, the logic will trigger when a source endpoint accesses administrative shares across 30 or more target computers within a 5 minute timespan. This behavior could represent an adversary who is enumerating network shares across an Active Directory environment in the search for sensitive files, a common technique leveraged by red teamers and threat actors. As environments differ across organizations, security teams should customize the thresholds of this detection as needed. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1135"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic leverages Event IDs 5140 or 5145 to identify a source computer accessing windows administrative shares (C$, Admin$ and IPC$ ) across a large number remote endpoints. Specifically, the logic will trigger when a source endpoint accesses administrative shares across 30 or more target computers within a 5 minute timespan. This behavior could represent an adversary who is enumerating network shares across an Active Directory environment in the search for sensitive files, a common technique leveraged by red teamers and threat actors. As environments differ across organizations, security teams should customize the thresholds of this detection as needed. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting file share events. The Advanced Security Audit policy setting `Audit Detailed File Share` or `Audit File Share` within `Object Access` need to be enabled. -action.escu.known_false_positives = An single endpoint accessing windows administrative shares across a large number of endpoints is not common behavior. Possible false positive scenarios include but are not limited to vulnerability scanners, administration systems and missconfigured systems. -action.escu.creation_date = 2023-03-23 -action.escu.modification_date = 2023-03-23 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Administrative Shares Accessed On Multiple Hosts - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Lateral Movement", "Active Directory Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = $IpAddress$ accessed the IPC share on more than 30 endpoints in a timespan of 5 minutes. -action.risk.param._risk = [{"risk_object_field": "host_targets", "risk_object_type": "system", "risk_score": 56}, {"risk_object_field": "IpAddress", "risk_object_type": "other", "risk_score": 56}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Administrative Shares Accessed On Multiple Hosts - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1135"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "d92f2d95-05fb-48a7-910f-4d3d61ab8655", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic leverages Event IDs 5140 or 5145 to identify a source computer accessing windows administrative shares (C$, Admin$ and IPC$ ) across a large number remote endpoints. Specifically, the logic will trigger when a source endpoint accesses administrative shares across 30 or more target computers within a 5 minute timespan. This behavior could represent an adversary who is enumerating network shares across an Active Directory environment in the search for sensitive files, a common technique leveraged by red teamers and threat actors. As environments differ across organizations, security teams should customize the thresholds of this detection as needed. -action.notable.param.rule_title = Windows Administrative Shares Accessed On Multiple Hosts -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=5140 OR EventCode=5145 (ShareName="\\\\*\\ADMIN$" OR ShareName="\\\\*\\IPC$" OR ShareName="\\\\*\\C$") | bucket span=5m _time | stats dc(Computer) AS unique_targets values(Computer) as host_targets values(ShareName) as shares by _time, IpAddress, SubjectUserName, EventCode | where unique_targets > 30 | `windows_administrative_shares_accessed_on_multiple_hosts_filter` - -[ESCU - Windows Admon Default Group Policy Object Modified - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic leverages Splunks Admon to identify the modification of a default Group Policy Object. A fresh installation of an Active Directory network will typically contain two default group policy objects `Default Domain Controllers Policy` and `Default Domain Policy`. The default domain controllers policy is used to enforce and set policies to all the domain controllers within the domain environment. The default domain policy is linked to all users and computers by default. An adversary who has obtained privileged access to an Active Directory network may modify the default group policy objects to obtain further access, deploy persistence or execute malware across a large number of hosts. Security teams should monitor the modification of the default GPOs. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484", "T1484.001"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic leverages Splunks Admon to identify the modification of a default Group Policy Object. A fresh installation of an Active Directory network will typically contain two default group policy objects `Default Domain Controllers Policy` and `Default Domain Policy`. The default domain controllers policy is used to enforce and set policies to all the domain controllers within the domain environment. The default domain policy is linked to all users and computers by default. An adversary who has obtained privileged access to an Active Directory network may modify the default group policy objects to obtain further access, deploy persistence or execute malware across a large number of hosts. Security teams should monitor the modification of the default GPOs. -action.escu.how_to_implement = To successfully implement this search, you need to be monitoring Active Directory logs using Admon. Details can be found here https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/Data/MonitorActiveDirectory -action.escu.known_false_positives = The default Group Policy Objects within an AD network may be legitimately updated for administrative operations, filter as needed. -action.escu.creation_date = 2023-03-29 -action.escu.modification_date = 2023-03-29 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Admon Default Group Policy Object Modified - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Active Directory Privilege Escalation", "Sneaky Active Directory Persistence Tricks"] -action.risk = 1 -action.risk.param._risk_message = A default domain group policy was updated on $dcName$ -action.risk.param._risk = [{"risk_object_field": "dcName", "risk_object_type": "system", "risk_score": 50}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Admon Default Group Policy Object Modified - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Privilege Escalation", "Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 50, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484", "T1484.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "83458004-db60-4170-857d-8572f16f070b", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic leverages Splunks Admon to identify the modification of a default Group Policy Object. A fresh installation of an Active Directory network will typically contain two default group policy objects `Default Domain Controllers Policy` and `Default Domain Policy`. The default domain controllers policy is used to enforce and set policies to all the domain controllers within the domain environment. The default domain policy is linked to all users and computers by default. An adversary who has obtained privileged access to an Active Directory network may modify the default group policy objects to obtain further access, deploy persistence or execute malware across a large number of hosts. Security teams should monitor the modification of the default GPOs. -action.notable.param.rule_title = Windows Admon Default Group Policy Object Modified -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `admon` admonEventType=Update objectCategory="CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=*" (displayName="Default Domain Policy" OR displayName="Default Domain Controllers Policy") | stats min(_time) as firstTime max(_time) as lastTime values(gPCFileSysPath) by dcName, displayName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_admon_default_group_policy_object_modified_filter` - -[ESCU - Windows Admon Group Policy Object Created - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic leverages Splunks Admon to identify the creation of a new Group Policy Object. With GPOs, system administrators can manage and configure applications, software operations, and user settings throughout an entire organization. GPOs can be abused and leveraged by adversaries to escalate privileges or deploy malware across an Active Directory network. As an example, the Lockbit ransomware malware will create new group policies on the domain controller that are then pushed out to every device on the network. Security teams should monitor the creation of new Group Policy Objects. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484", "T1484.001"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic leverages Splunks Admon to identify the creation of a new Group Policy Object. With GPOs, system administrators can manage and configure applications, software operations, and user settings throughout an entire organization. GPOs can be abused and leveraged by adversaries to escalate privileges or deploy malware across an Active Directory network. As an example, the Lockbit ransomware malware will create new group policies on the domain controller that are then pushed out to every device on the network. Security teams should monitor the creation of new Group Policy Objects. -action.escu.how_to_implement = To successfully implement this search, you need to be monitoring Active Directory logs using Admon. Details can be found here https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/Data/MonitorActiveDirectory -action.escu.known_false_positives = Group Policy Objects are created as part of regular administrative operations, filter as needed. -action.escu.creation_date = 2023-04-06 -action.escu.modification_date = 2023-04-06 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Admon Group Policy Object Created - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Active Directory Privilege Escalation", "Sneaky Active Directory Persistence Tricks"] -action.risk = 1 -action.risk.param._risk_message = A new group policy objected was created on $dcName$ -action.risk.param._risk = [{"risk_object_field": "dcName", "risk_object_type": "system", "risk_score": 50}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Admon Group Policy Object Created - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Privilege Escalation", "Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 50, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484", "T1484.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "69201633-30d9-48ef-b1b6-e680805f0582", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic leverages Splunks Admon to identify the creation of a new Group Policy Object. With GPOs, system administrators can manage and configure applications, software operations, and user settings throughout an entire organization. GPOs can be abused and leveraged by adversaries to escalate privileges or deploy malware across an Active Directory network. As an example, the Lockbit ransomware malware will create new group policies on the domain controller that are then pushed out to every device on the network. Security teams should monitor the creation of new Group Policy Objects. -action.notable.param.rule_title = Windows Admon Group Policy Object Created -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `admon` admonEventType=Update objectCategory="CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=*" versionNumber=0 displayName!="New Group Policy Object" | stats min(_time) as firstTime max(_time) as lastTime values(gPCFileSysPath) by dcName, displayName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_admon_group_policy_object_created_filter` - -[ESCU - Windows Alternate DataStream - Base64 Content - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic leverages Sysmon EventID 15, a critical file creation event, to detect the creation of Alternate Data Streams (ADS) on Windows systems. ADS is a feature of the NTFS file system that allows the storage of data in hidden streams attached to files. These streams are not visible in standard file listings, making them a popular technique for concealing malicious activity. Event ID 15 captures both the hash of the primary file content (unnamed stream) and the content of any additional named streams, which can include executables, scripts, or configuration data. Malware often exploits ADS to hide payloads, leveraging browser downloads to attach a Zone.Identifier stream, marking the file as originating from the Internet (Mark Of The Web, MOTW). This analytic is designed to identify such misuse by analyzing the content and creation patterns of named streams, including those under 1KB which may contain MOTW information. It is essential for detecting sophisticated threats that utilize non-executable file types or conceal malicious scripts within ADS, beyond the traditional focus on PE executables. The detection process involves monitoring for the creation of named streams, which are part of the NTFS structure and can be examined using tools like PowerShell for the presence of additional data streams or MOTW information. This approach helps in uncovering hidden payloads and tracking the origin of suspicious files downloaded via browsers or email clients, providing a comprehensive defense against ADS abuse. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1564", "T1564.004"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic leverages Sysmon EventID 15, a critical file creation event, to detect the creation of Alternate Data Streams (ADS) on Windows systems. ADS is a feature of the NTFS file system that allows the storage of data in hidden streams attached to files. These streams are not visible in standard file listings, making them a popular technique for concealing malicious activity. Event ID 15 captures both the hash of the primary file content (unnamed stream) and the content of any additional named streams, which can include executables, scripts, or configuration data. Malware often exploits ADS to hide payloads, leveraging browser downloads to attach a Zone.Identifier stream, marking the file as originating from the Internet (Mark Of The Web, MOTW). This analytic is designed to identify such misuse by analyzing the content and creation patterns of named streams, including those under 1KB which may contain MOTW information. It is essential for detecting sophisticated threats that utilize non-executable file types or conceal malicious scripts within ADS, beyond the traditional focus on PE executables. The detection process involves monitoring for the creation of named streams, which are part of the NTFS structure and can be examined using tools like PowerShell for the presence of additional data streams or MOTW information. This approach helps in uncovering hidden payloads and tracking the origin of suspicious files downloaded via browsers or email clients, providing a comprehensive defense against ADS abuse. -action.escu.how_to_implement = Target environment must ingest sysmon data, specifically Event ID 15. -action.escu.known_false_positives = Unknown -action.escu.creation_date = 2024-02-15 -action.escu.modification_date = 2024-02-15 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Alternate DataStream - Base64 Content - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["Windows Defense Evasion Tactics"] -action.risk = 1 -action.risk.param._risk_message = Base64 content written to an NTFS alternate data stream by $user$, see command field for details. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "user", "risk_object_type": "other", "risk_score": 80}, {"threat_object_field": "file_name", "threat_object_type": "file_name"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Alternate DataStream - Base64 Content - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics"], "cis20": ["CIS 10"], "confidence": 80, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1564", "T1564.004"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "683f48de-982f-4a7e-9aac-9cec550da498", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic leverages Sysmon EventID 15, a critical file creation event, to detect the creation of Alternate Data Streams (ADS) on Windows systems. ADS is a feature of the NTFS file system that allows the storage of data in hidden streams attached to files. These streams are not visible in standard file listings, making them a popular technique for concealing malicious activity. Event ID 15 captures both the hash of the primary file content (unnamed stream) and the content of any additional named streams, which can include executables, scripts, or configuration data. Malware often exploits ADS to hide payloads, leveraging browser downloads to attach a Zone.Identifier stream, marking the file as originating from the Internet (Mark Of The Web, MOTW). This analytic is designed to identify such misuse by analyzing the content and creation patterns of named streams, including those under 1KB which may contain MOTW information. It is essential for detecting sophisticated threats that utilize non-executable file types or conceal malicious scripts within ADS, beyond the traditional focus on PE executables. The detection process involves monitoring for the creation of named streams, which are part of the NTFS structure and can be examined using tools like PowerShell for the presence of additional data streams or MOTW information. This approach helps in uncovering hidden payloads and tracking the origin of suspicious files downloaded via browsers or email clients, providing a comprehensive defense against ADS abuse. -action.notable.param.rule_title = Windows Alternate DataStream - Base64 Content -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=15 NOT Contents IN ("-","[ZoneTransfer]*") | regex TargetFilename="(? upperBound, "Yes", "No") | where anomaly="Yes" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_applocker_execution_from_uncommon_locations_filter` - -[ESCU - Windows AppLocker Privilege Escalation via Unauthorized Bypass - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic utilizes Windows AppLocker event logs to identify attempts to bypass application restrictions. AppLocker is a feature that allows administrators to specify which applications are permitted to run on a system. This analytic is designed to identify attempts to bypass these restrictions, which could be indicative of an attacker attempting to escalate privileges. The analytic uses EventCodes 8007, 8004, 8022, 8025, 8029, and 8040 to identify these attempts. The analytic will identify the host, full file path, and target user associated with the bypass attempt. These EventCodes are related to block events and focus on 5 attempts or more. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic utilizes Windows AppLocker event logs to identify attempts to bypass application restrictions. AppLocker is a feature that allows administrators to specify which applications are permitted to run on a system. This analytic is designed to identify attempts to bypass these restrictions, which could be indicative of an attacker attempting to escalate privileges. The analytic uses EventCodes 8007, 8004, 8022, 8025, 8029, and 8040 to identify these attempts. The analytic will identify the host, full file path, and target user associated with the bypass attempt. These EventCodes are related to block events and focus on 5 attempts or more. -action.escu.how_to_implement = The analytic is designed to be run against Windows AppLocker event logs collected from endpoints with AppLocker enabled. If using Microsoft Defender for Endpoint (MDE), modify the analytic to use EventTypes/ActionTypes that match the block events for AppLocker. The analytic requires the AppLocker event logs to be ingested into Splunk. -action.escu.known_false_positives = False positives are possible if legitimate users are attempting to bypass application restrictions. This could occur if a user is attempting to run an application that is not permitted by AppLocker. It is recommended to investigate the context of the bypass attempt to determine if it is malicious or not. Modify the threshold as needed to reduce false positives. -action.escu.creation_date = 2024-03-21 -action.escu.modification_date = 2024-03-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows AppLocker Privilege Escalation via Unauthorized Bypass - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Windows AppLocker"] -action.risk = 1 -action.risk.param._risk_message = An attempt to bypass application restrictions was detected on a host $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows AppLocker Privilege Escalation via Unauthorized Bypass - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows AppLocker"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "bca48629-7fa2-40d3-9e5d-807564504e28", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic utilizes Windows AppLocker event logs to identify attempts to bypass application restrictions. AppLocker is a feature that allows administrators to specify which applications are permitted to run on a system. This analytic is designed to identify attempts to bypass these restrictions, which could be indicative of an attacker attempting to escalate privileges. The analytic uses EventCodes 8007, 8004, 8022, 8025, 8029, and 8040 to identify these attempts. The analytic will identify the host, full file path, and target user associated with the bypass attempt. These EventCodes are related to block events and focus on 5 attempts or more. -action.notable.param.rule_title = Windows AppLocker Privilege Escalation via Unauthorized Bypass -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `applocker` EventCode IN (8007, 8004, 8022, 8025, 8029, 8040) | spath input=UserData_Xml | rename RuleAndFileData.* as *, Computer as dest, TargetUser AS user | stats count AS attempt_count min(_time) as firstTime max(_time) as lastTime by dest, PolicyName, RuleId, user, TargetProcessId, FilePath, FullFilePath, EventCode | where attempt_count > 5 | sort - attempt_count | lookup applockereventcodes EventCode OUTPUT Description | `windows_applocker_privilege_escalation_via_unauthorized_bypass_filter` - -[ESCU - Windows AppLocker Rare Application Launch Detection - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is designed to detect the launch of applications that occur rarely within the environment, which could indicate the use of potentially malicious software or tools by attackers. It works by aggregating the count of application launches over time, then calculating the average and standard deviation of these counts. Applications whose launch counts significantly deviate from the norm, either by exceeding or falling below three standard deviations from the average, are flagged for further investigation. This approach helps in identifying unusual application activity that could be indicative of a security threat. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic is designed to detect the launch of applications that occur rarely within the environment, which could indicate the use of potentially malicious software or tools by attackers. It works by aggregating the count of application launches over time, then calculating the average and standard deviation of these counts. Applications whose launch counts significantly deviate from the norm, either by exceeding or falling below three standard deviations from the average, are flagged for further investigation. This approach helps in identifying unusual application activity that could be indicative of a security threat. -action.escu.how_to_implement = The analytic is designed to be run against Windows AppLocker event logs collected from endpoints with AppLocker enabled. If using Microsoft Defender for Endpoint (MDE), modify the analytic to use EventTypes/ActionTypes that match the block events for AppLocker. The analytic requires the AppLocker event logs to be ingested into Splunk. Note that, an additional method to reduce any false positives would be to add the specific EventCodes - 8003 or 8004 and filter from there. -action.escu.known_false_positives = False positives are possible if legitimate users are launching applications that are not permitted by AppLocker. It is recommended to investigate the context of the application launch to determine if it is malicious or not. Modify the threshold as needed to reduce false positives. -action.escu.creation_date = 2024-03-21 -action.escu.modification_date = 2024-03-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows AppLocker Rare Application Launch Detection - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Windows AppLocker"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows AppLocker Rare Application Launch Detection - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows AppLocker"], "cis20": ["CIS 10"], "confidence": 30, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "9556f7b7-285f-4f18-8eeb-963d989f9d27", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `applocker` | spath input=UserData_Xml | rename RuleAndFileData.* as *, Computer as dest, TargetUser AS user | stats dc(_time) as days, count by FullFilePath dest user | eventstats avg(count) as avg, stdev(count) as stdev | eval upperBound=(avg+stdev*3), lowerBound=(avg-stdev*3) | where count > upperBound OR count < lowerBound | `windows_applocker_rare_application_launch_detection_filter` - -[ESCU - Windows Archive Collected Data via Powershell - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies suspicious PowerShell script that archive files to a temp folder. This anomaly detection serves as a valuable indicator to uncover threats from adversaries utilizing PowerShell scripts for data archiving purposes. Identifying this method becomes pivotal in flagging and investigating potential threats, enabling proactive measures threat actors leveraging similar PowerShell-based data collection and archiving techniques. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1560"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies suspicious PowerShell script that archive files to a temp folder. This anomaly detection serves as a valuable indicator to uncover threats from adversaries utilizing PowerShell scripts for data archiving purposes. Identifying this method becomes pivotal in flagging and investigating potential threats, enabling proactive measures threat actors leveraging similar PowerShell-based data collection and archiving techniques. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = powershell may used this function to archive data. -action.escu.creation_date = 2023-12-19 -action.escu.modification_date = 2023-12-19 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Archive Collected Data via Powershell - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["CISA AA23-347A"] -action.risk = 1 -action.risk.param._risk_message = Windows Archive Collected Data via Powershell on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Archive Collected Data via Powershell - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1560"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "74c5a3b0-27a7-463c-9d00-1a5bb12cb7b5", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText = "*Compress-Archive*" ScriptBlockText = "*\\Temp\\*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_archive_collected_data_via_powershell_filter` - -[ESCU - Windows Archive Collected Data via Rar - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a process execute a rar utilities to archive files. This method has been exploited by various threat actors, including red-teamers and malware like DarkGate, to gather and compress collected data on compromised hosts. Subsequently, these archives are transmitted to command and control servers as part of their data exfiltration techniques. These adversaries leverage RAR archiving to consolidate and compress collected data on compromised hosts. Once the data is compiled into these archives, it serves as a means for these entities to effectively exfiltrate sensitive information. This process involves transferring the archived data to command and control servers, facilitating the extraction and retrieval of critical information from compromised systems. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1560.001", "T1560"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a process execute a rar utilities to archive files. This method has been exploited by various threat actors, including red-teamers and malware like DarkGate, to gather and compress collected data on compromised hosts. Subsequently, these archives are transmitted to command and control servers as part of their data exfiltration techniques. These adversaries leverage RAR archiving to consolidate and compress collected data on compromised hosts. Once the data is compiled into these archives, it serves as a means for these entities to effectively exfiltrate sensitive information. This process involves transferring the archived data to command and control servers, facilitating the extraction and retrieval of critical information from compromised systems. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = user and network administrator can execute this command. -action.escu.creation_date = 2023-11-23 -action.escu.modification_date = 2023-11-23 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Archive Collected Data via Rar - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["DarkGate Malware"] -action.risk = 1 -action.risk.param._risk_message = a Rar.exe commandline used in archiving collected data in $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Archive Collected Data via Rar - Rule -action.correlationsearch.annotations = {"analytic_story": ["DarkGate Malware"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1560.001", "T1560"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "2015de95-fe91-413d-9d62-2fe011b67e82", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name="Rar.exe" OR Processes.original_file_name = "Rar.exe" AND Processes.process = "*a*" Processes.process = "* -ep1*" Processes.process = "* -r*" Processes.process = "* -y*" Processes.process = "* -v5m*" Processes.process = "* -m1*" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_archive_collected_data_via_rar_filter` - -[ESCU - Windows AutoIt3 Execution - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic is designed to detect any execution of AutoIt3, a scripting language designed for automating the Windows GUI and general scripting. This includes instances where AutoIt3 has been renamed or otherwise altered in an attempt to evade detection. The analytic works by searching for process names or original file names that match 'autoit3.exe', which is the default executable for AutoIt scripts. This detection is important as AutoIt3 is often used by attackers to automate malicious activities, such as the execution of malware or other unwanted software. False positives may occur with legitimate uses of AutoIt3. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic is designed to detect any execution of AutoIt3, a scripting language designed for automating the Windows GUI and general scripting. This includes instances where AutoIt3 has been renamed or otherwise altered in an attempt to evade detection. The analytic works by searching for process names or original file names that match 'autoit3.exe', which is the default executable for AutoIt scripts. This detection is important as AutoIt3 is often used by attackers to automate malicious activities, such as the execution of malware or other unwanted software. False positives may occur with legitimate uses of AutoIt3. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives may be present if the application is legitimately used, filter by user or endpoint as needed. -action.escu.creation_date = 2023-10-31 -action.escu.modification_date = 2023-10-31 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows AutoIt3 Execution - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["DarkGate Malware"] -action.risk = 1 -action.risk.param._risk_message = Execution of AutoIt3 detected. The source process is $parent_process_name$ and the destination process is $process_name$ on $dest$ by -action.risk.param._risk = [{"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 50}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 50}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 50}, {"risk_object_field": "user", "risk_object_type": "other", "risk_score": 50}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows AutoIt3 Execution - Rule -action.correlationsearch.annotations = {"analytic_story": ["DarkGate Malware"], "cis20": ["CIS 10"], "confidence": 100, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "0ecb40d9-492b-4a57-9f87-515dd742794c", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic is designed to detect any execution of AutoIt3, a scripting language designed for automating the Windows GUI and general scripting. This includes instances where AutoIt3 has been renamed or otherwise altered in an attempt to evade detection. The analytic works by searching for process names or original file names that match 'autoit3.exe', which is the default executable for AutoIt scripts. This detection is important as AutoIt3 is often used by attackers to automate malicious activities, such as the execution of malware or other unwanted software. False positives may occur with legitimate uses of AutoIt3. -action.notable.param.rule_title = Windows AutoIt3 Execution -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("autoit3.exe", "autoit*.exe") OR Processes.original_file_name IN ("autoit3.exe", "autoit*.exe") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_autoit3_execution_filter` - -[ESCU - Windows Autostart Execution LSASS Driver Registry Modification - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the abuse of two undocumented registry keys that allow for a DLL to load into lsass.exe to potentially capture credentials. Upon successful modification of \CurrentControlSet\Services\NTDS\DirectoryServiceExtPt or \CurrentControlSet\Services\NTDS\LsaDbExtPt, a DLL either remote or local will be set as the value and load up into lsass.exe. Based on POC code a text file may be written to disk with credentials. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1547.008"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the abuse of two undocumented registry keys that allow for a DLL to load into lsass.exe to potentially capture credentials. Upon successful modification of \CurrentControlSet\Services\NTDS\DirectoryServiceExtPt or \CurrentControlSet\Services\NTDS\LsaDbExtPt, a DLL either remote or local will be set as the value and load up into lsass.exe. Based on POC code a text file may be written to disk with credentials. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -action.escu.known_false_positives = False positives may be present on recent Windows Operating Systems. Filtering may be required based on process_name. In addition, look for non-standard, unsigned, module loads into LSASS. If query is too noisy, modify by adding Endpoint.processes process_name to query to identify the process making the modification. -action.escu.creation_date = 2022-08-22 -action.escu.modification_date = 2022-08-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Autostart Execution LSASS Driver Registry Modification - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = The registry values for DirectoryServiceExtPt or LsaDbExtPt were modified on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Autostart Execution LSASS Driver Registry Modification - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1547.008"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "57fb8656-141e-4d8a-9f51-62cff4ecb82a", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the abuse of two undocumented registry keys that allow for a DLL to load into lsass.exe to potentially capture credentials. Upon successful modification of \CurrentControlSet\Services\NTDS\DirectoryServiceExtPt or \CurrentControlSet\Services\NTDS\LsaDbExtPt, a DLL either remote or local will be set as the value and load up into lsass.exe. Based on POC code a text file may be written to disk with credentials. -action.notable.param.rule_title = Windows Autostart Execution LSASS Driver Registry Modification -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path IN ("*\\CurrentControlSet\\Services\\NTDS\\DirectoryServiceExtPt","*\\CurrentControlSet\\Services\\NTDS\\LsaDbExtPt") by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_autostart_execution_lsass_driver_registry_modification_filter` - -[ESCU - Windows Binary Proxy Execution Mavinject DLL Injection - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = Adversaries may abuse mavinject.exe to inject malicious DLLs into running processes (i.e. Dynamic-link Library Injection), allowing for arbitrary code execution (ex. C:\Windows\system32\mavinject.exe PID /INJECTRUNNING PATH_DLL). In addition to Dynamic-link Library Injection, Mavinject.exe can also be abused to perform import descriptor injection via its /HMODULE command-line parameter (ex. mavinject.exe PID /HMODULE=BASE_ADDRESS PATH_DLL ORDINAL_NUMBER). This command would inject an import table entry consisting of the specified DLL into the module at the given base address. During triage, review file modifcations and parallel processes. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.013", "T1218"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = Adversaries may abuse mavinject.exe to inject malicious DLLs into running processes (i.e. Dynamic-link Library Injection), allowing for arbitrary code execution (ex. C:\Windows\system32\mavinject.exe PID /INJECTRUNNING PATH_DLL). In addition to Dynamic-link Library Injection, Mavinject.exe can also be abused to perform import descriptor injection via its /HMODULE command-line parameter (ex. mavinject.exe PID /HMODULE=BASE_ADDRESS PATH_DLL ORDINAL_NUMBER). This command would inject an import table entry consisting of the specified DLL into the module at the given base address. During triage, review file modifcations and parallel processes. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives may be present, filter on DLL name or parent process. -action.escu.creation_date = 2022-07-07 -action.escu.modification_date = 2022-07-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Binary Proxy Execution Mavinject DLL Injection - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Living Off The Land"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting load a DLL. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 49}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Binary Proxy Execution Mavinject DLL Injection - Rule -action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.013", "T1218"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "ccf4b61b-1b26-4f2e-a089-f2009c569c57", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = Adversaries may abuse mavinject.exe to inject malicious DLLs into running processes (i.e. Dynamic-link Library Injection), allowing for arbitrary code execution (ex. C:\Windows\system32\mavinject.exe PID /INJECTRUNNING PATH_DLL). In addition to Dynamic-link Library Injection, Mavinject.exe can also be abused to perform import descriptor injection via its /HMODULE command-line parameter (ex. mavinject.exe PID /HMODULE=BASE_ADDRESS PATH_DLL ORDINAL_NUMBER). This command would inject an import table entry consisting of the specified DLL into the module at the given base address. During triage, review file modifcations and parallel processes. -action.notable.param.rule_title = Windows Binary Proxy Execution Mavinject DLL Injection -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=mavinject.exe Processes.process IN ("*injectrunning*", "*hmodule=0x*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_binary_proxy_execution_mavinject_dll_injection_filter` - -[ESCU - Windows Boot or Logon Autostart Execution In Startup Folder - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic will identify suspicious files dropped or created in the Windows %startup% folder. This technique is a common way to gain persistence on a targeted host. Threat actor, adversaries and red teamer abuse this folder path to automatically execute their malicious sample upon boot or restart of the infected host. This TTP detection is a good indicator that a suspicious process wants to gain persistence on the targeted host. We suggest to verify the process name by using the process guid field, the file created and also the user and the computer name for further investigation. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1547.001", "T1547"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic will identify suspicious files dropped or created in the Windows %startup% folder. This technique is a common way to gain persistence on a targeted host. Threat actor, adversaries and red teamer abuse this folder path to automatically execute their malicious sample upon boot or restart of the infected host. This TTP detection is a good indicator that a suspicious process wants to gain persistence on the targeted host. We suggest to verify the process name by using the process guid field, the file created and also the user and the computer name for further investigation. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. -action.escu.known_false_positives = Administrators may allow creation of script or exe in this path. -action.escu.creation_date = 2023-01-12 -action.escu.modification_date = 2023-01-12 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Boot or Logon Autostart Execution In Startup Folder - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Chaos Ransomware", "NjRAT", "RedLine Stealer"] -action.risk = 1 -action.risk.param._risk_message = a process dropped a file in %startup% folder in $dest$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 81}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 81}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Boot or Logon Autostart Execution In Startup Folder - Rule -action.correlationsearch.annotations = {"analytic_story": ["Chaos Ransomware", "NjRAT", "RedLine Stealer"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1547.001", "T1547"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "99d157cb-923f-4a00-aee9-1f385412146f", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = |tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_path = "*\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*" by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.user Filesystem.file_path Filesystem.process_guid Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_boot_or_logon_autostart_execution_in_startup_folder_filter` - -[ESCU - Windows BootLoader Inventory - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following hunting query utilizes a PowerShell Scripted input that captures the bootloader paths for each Windows endpoint it is deployed to. The template inputs.conf is located in the references link. By default, it only captures the path, but may be modified to capture everything that BCDedit provides. It can be verbose, but may be worth it. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1542.001", "T1542"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following hunting query utilizes a PowerShell Scripted input that captures the bootloader paths for each Windows endpoint it is deployed to. The template inputs.conf is located in the references link. By default, it only captures the path, but may be modified to capture everything that BCDedit provides. It can be verbose, but may be worth it. -action.escu.how_to_implement = To implement this analytic, a new stanza will need to be added to a inputs.conf and deployed to all or some Windows endpoints. https://gist.github.com/MHaggis/26518cd2844b0e03de6126660bb45707 provides the stanza. If modifying the sourcetype, be sure to update the Macro for this analytic. Recommend running it daily, or weekly, depending on threat model. -action.escu.known_false_positives = No false positives here, only bootloaders. Filter as needed or create a lookup as a baseline. -action.escu.creation_date = 2023-04-14 -action.escu.modification_date = 2023-04-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows BootLoader Inventory - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["BlackLotus Campaign", "Windows BootKits"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Windows BootLoader Inventory - Rule -action.correlationsearch.annotations = {"analytic_story": ["BlackLotus Campaign", "Windows BootKits"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1542.001", "T1542"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "4f7e3913-4db3-4ccd-afe4-31198982305d", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `bootloader_inventory` | stats count min(_time) as firstTime max(_time) as lastTime values(_raw) by host | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_bootloader_inventory_filter` - -[ESCU - Windows Bypass UAC via Pkgmgr Tool - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a potentially suspicious execution of the 'pkgmgr' process involving the use of an XML input file for package management. The 'pkgmgr' process, though deprecated in modern Windows systems, was historically used for managing packages. The presence of an XML input file raises concerns about the nature of the executed command and its potential impact on the system. Due to the deprecated status of 'pkgmgr' and the involvement of an XML file, this activity warrants careful investigation. XML files are commonly used for configuration and data exchange, making it crucial to ascertain the intentions and legitimacy of the command. To ensure system security, it is recommended to use up-to-date package management utilities, such as DISM or PowerShell's PackageManagement module, and exercise caution when executing commands involving potentially sensitive operations or files. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a potentially suspicious execution of the 'pkgmgr' process involving the use of an XML input file for package management. The 'pkgmgr' process, though deprecated in modern Windows systems, was historically used for managing packages. The presence of an XML input file raises concerns about the nature of the executed command and its potential impact on the system. Due to the deprecated status of 'pkgmgr' and the involvement of an XML file, this activity warrants careful investigation. XML files are commonly used for configuration and data exchange, making it crucial to ascertain the intentions and legitimacy of the command. To ensure system security, it is recommended to use up-to-date package management utilities, such as DISM or PowerShell's PackageManagement module, and exercise caution when executing commands involving potentially sensitive operations or files. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives may be present on recent Windows Operating Systems. Filtering may be required based on process_name. In addition, look for non-standard, unsigned, module loads into LSASS. If query is too noisy, modify by adding Endpoint.processes process_name to query to identify the process making the modification. -action.escu.creation_date = 2023-07-26 -action.escu.modification_date = 2023-07-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Bypass UAC via Pkgmgr Tool - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Warzone RAT"] -action.risk = 1 -action.risk.param._risk_message = A pkgmgr.exe executed with package manager xml input file on $dest$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 9}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 9}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Bypass UAC via Pkgmgr Tool - Rule -action.correlationsearch.annotations = {"analytic_story": ["Warzone RAT"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "cce58e2c-988a-4319-9390-0daa9eefa3cd", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = pkgmgr.exe Processes.process = "*.xml*" NOT(Processes.parent_process_path IN("*:\\windows\\system32\\*", "*:\\windows\\syswow64\\*", "*:\\Program Files*")) by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process_path Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_bypass_uac_via_pkgmgr_tool_filter` - -[ESCU - Windows CAB File on Disk - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies .cab files being written to disk. Utilize this analytic as a way to hunt for suspect .cab files being written to non-standard paths and tune as needed. Cab files were recently being utilized to deliver .url files embedded. The .url files were then used to deliver malicious payloads. The search specifically looks for instances where the file name is '*.cab' and the action is 'write'. During the triage process, it is recommended to review the file path for additional artifacts that may provide further insights into the event. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.001"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies .cab files being written to disk. Utilize this analytic as a way to hunt for suspect .cab files being written to non-standard paths and tune as needed. Cab files were recently being utilized to deliver .url files embedded. The .url files were then used to deliver malicious payloads. The search specifically looks for instances where the file name is '*.cab' and the action is 'write'. During the triage process, it is recommended to review the file path for additional artifacts that may provide further insights into the event. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives will only be present if a process legitimately writes a .cab file to disk. Modify the analytic as needed by file path. Filter as needed. -action.escu.creation_date = 2023-11-08 -action.escu.modification_date = 2023-11-08 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows CAB File on Disk - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["DarkGate Malware"] -action.risk = 1 -action.risk.param._risk_message = A .cab file was written to disk on endpoint $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 5}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows CAB File on Disk - Rule -action.correlationsearch.annotations = {"analytic_story": ["DarkGate Malware"], "cis20": ["CIS 10"], "confidence": 10, "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.001"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "622f08d0-69ef-42c2-8139-66088bc25acd", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count values(Filesystem.file_path) as file_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_name=*.cab) by Filesystem.dest Filesystem.action Filesystem.process_id Filesystem.file_name | `drop_dm_object_name("Filesystem")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_cab_file_on_disk_filter` - -[ESCU - Windows Cached Domain Credentials Reg Query - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a process command line related to the discovery of cache domain credential logon count in the registry. This Technique was being abused by several post exploitation tool like Winpeas where it query CachedLogonsCount registry value in Winlogon registry. This value can be good information about the login caching setting on the Windows OS target host. A value of 0 means login caching is disable and values > 50 caches only 50 login attempts. By default all versions of Windows 10 save cached logins except Windows Server 2008. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.005", "T1003"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a process command line related to the discovery of cache domain credential logon count in the registry. This Technique was being abused by several post exploitation tool like Winpeas where it query CachedLogonsCount registry value in Winlogon registry. This value can be good information about the login caching setting on the Windows OS target host. A value of 0 means login caching is disable and values > 50 caches only 50 login attempts. By default all versions of Windows 10 save cached logins except Windows Server 2008. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2022-11-30 -action.escu.modification_date = 2022-11-30 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Cached Domain Credentials Reg Query - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Prestige Ransomware", "Windows Post-Exploitation"] -action.risk = 1 -action.risk.param._risk_message = a process with commandline $process$ tries to retrieve cache domain credential logon count in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 9}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Cached Domain Credentials Reg Query - Rule -action.correlationsearch.annotations = {"analytic_story": ["Prestige Ransomware", "Windows Post-Exploitation"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.005", "T1003"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "40ccb8e0-1785-466e-901e-6a8b75c04ecd", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process = "* query *" AND Processes.process = "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*" AND Processes.process = "*CACHEDLOGONSCOUNT*" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_cached_domain_credentials_reg_query_filter` - -[ESCU - Windows Change Default File Association For No File Ext - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is developed to detect suspicious process commandline to change or set the default file association of a file without file extension with notepad.exe. This technique was seen in some APT and ransomware Prestige where it set/modify the default process to run file association, like .txt to notepad.exe. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1546.001", "T1546"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is developed to detect suspicious process commandline to change or set the default file association of a file without file extension with notepad.exe. This technique was seen in some APT and ransomware Prestige where it set/modify the default process to run file association, like .txt to notepad.exe. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2022-11-30 -action.escu.modification_date = 2022-11-30 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Change Default File Association For No File Ext - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Prestige Ransomware"] -action.risk = 1 -action.risk.param._risk_message = process with commandline $process$ set or change the file association of a file with no file extension in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Change Default File Association For No File Ext - Rule -action.correlationsearch.annotations = {"analytic_story": ["Prestige Ransomware"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1546.001", "T1546"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "dbdf52ad-d6a1-4b68-975f-0a10939d8e38", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic is developed to detect suspicious process commandline to change or set the default file association of a file without file extension with notepad.exe. This technique was seen in some APT and ransomware Prestige where it set/modify the default process to run file association, like .txt to notepad.exe. -action.notable.param.rule_title = Windows Change Default File Association For No File Ext -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process="* add *" AND Processes.process="* HKCR\\*" AND Processes.process="*\\shell\\open\\command*" AND Processes.process= *Notepad.exe* by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | rex field=process "Notepad\.exe (?.*$)" | rex field=file_name_association "\.(?[^\.]*$)" | where isnull(extension) and isnotnull(file_name_association) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_change_default_file_association_for_no_file_ext_filter` - -[ESCU - Windows ClipBoard Data via Get-ClipBoard - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a powershell script command to retrieve clipboard data. This technique was seen in several post exploitation tools like WINPEAS to steal sensitive information that was saved in clipboard. Using the Get-Clipboard powershell commandlet, adversaries can be able collect data stored in clipboard that might be a copied user name, password or other sensitive information. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1115"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies a powershell script command to retrieve clipboard data. This technique was seen in several post exploitation tools like WINPEAS to steal sensitive information that was saved in clipboard. Using the Get-Clipboard powershell commandlet, adversaries can be able collect data stored in clipboard that might be a copied user name, password or other sensitive information. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = It is possible there will be false positives, filter as needed. -action.escu.creation_date = 2022-11-30 -action.escu.modification_date = 2022-11-30 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows ClipBoard Data via Get-ClipBoard - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Prestige Ransomware", "Windows Post-Exploitation"] -action.risk = 1 -action.risk.param._risk_message = Powershell script $ScriptBlockText$ execute Get-Clipboard commandlet on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows ClipBoard Data via Get-ClipBoard - Rule -action.correlationsearch.annotations = {"analytic_story": ["Prestige Ransomware", "Windows Post-Exploitation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1115"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "ab73289e-2246-4de0-a14b-67006c72a893", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText = "*Get-Clipboard*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_clipboard_data_via_get_clipboard_filter` - -[ESCU - Windows COM Hijacking InprocServer32 Modification - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the use of reg.exe performing an add to the InProcServer32, which may be related to COM hijacking. Adversaries can use the COM system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence. Hijacking a COM object requires a change in the Registry to replace a reference to a legitimate system component which may cause that component to not work when executed. When that system component is executed through normal system operation the adversary's code will be executed instead. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1546.015", "T1546"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the use of reg.exe performing an add to the InProcServer32, which may be related to COM hijacking. Adversaries can use the COM system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence. Hijacking a COM object requires a change in the Registry to replace a reference to a legitimate system component which may cause that component to not work when executed. When that system component is executed through normal system operation the adversary's code will be executed instead. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives may be present and some filtering may be required. -action.escu.creation_date = 2022-09-26 -action.escu.modification_date = 2022-09-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows COM Hijacking InprocServer32 Modification - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Living Off The Land"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to modify InProcServer32 within the registry. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 64}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows COM Hijacking InprocServer32 Modification - Rule -action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1546.015", "T1546"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "b7bd83c0-92b5-4fc7-b286-23eccfa2c561", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the use of reg.exe performing an add to the InProcServer32, which may be related to COM hijacking. Adversaries can use the COM system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence. Hijacking a COM object requires a change in the Registry to replace a reference to a legitimate system component which may cause that component to not work when executed. When that system component is executed through normal system operation the adversary's code will be executed instead. -action.notable.param.rule_title = Windows COM Hijacking InprocServer32 Modification -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` Processes.process=*inprocserver32* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_com_hijacking_inprocserver32_modification_filter` - -[ESCU - Windows Command and Scripting Interpreter Hunting Path Traversal - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies path traversal command-line execution and should be used to tune and driver other more higher fidelity analytics. This technique was seen in malicious document that execute malicious code using msdt.exe and path traversal technique that serve as defense evasion. This Hunting query is a good pivot to look for possible suspicious process and command-line that runs execute path traversal technique to run malicious code. This may help you to find possible downloaded malware or other lolbin execution. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies path traversal command-line execution and should be used to tune and driver other more higher fidelity analytics. This technique was seen in malicious document that execute malicious code using msdt.exe and path traversal technique that serve as defense evasion. This Hunting query is a good pivot to look for possible suspicious process and command-line that runs execute path traversal technique to run malicious code. This may help you to find possible downloaded malware or other lolbin execution. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = false positive may vary depends on the score you want to check. The bigger number of path traversal string count the better. -action.escu.creation_date = 2022-06-01 -action.escu.modification_date = 2022-06-01 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Command and Scripting Interpreter Hunting Path Traversal - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190", "Windows Defense Evasion Tactics"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Command and Scripting Interpreter Hunting Path Traversal - Rule -action.correlationsearch.annotations = {"analytic_story": ["Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190", "Windows Defense Evasion Tactics"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "d0026380-b3c4-4da0-ac8e-02790063ff6b", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes by Processes.original_file_name Processes.process_id Processes.parent_process_id Processes.process_hash Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval count_of_pattern1 = (mvcount(split(process,"/.."))-1) | eval count_of_pattern2 = (mvcount(split(process,"\.."))-1) | eval count_of_pattern3 = (mvcount(split(process,"\\.."))-1) | eval count_of_pattern4 = (mvcount(split(process,"//.."))-1) | search count_of_pattern1 > 1 OR count_of_pattern2 > 1 OR count_of_pattern3 > 1 OR count_of_pattern4 > 1 | `windows_command_and_scripting_interpreter_hunting_path_traversal_filter` - -[ESCU - Windows Command and Scripting Interpreter Path Traversal Exec - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies path traversal command-line execution. This technique was seen in malicious document that execute malicious code using msdt.exe and path traversal technique that serve as defense evasion. This TTP is a good pivot to look for more suspicious process and command-line that runs before and after this execution. This may help you to find possible downloaded malware or other lolbin execution. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies path traversal command-line execution. This technique was seen in malicious document that execute malicious code using msdt.exe and path traversal technique that serve as defense evasion. This TTP is a good pivot to look for more suspicious process and command-line that runs before and after this execution. This may help you to find possible downloaded malware or other lolbin execution. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Not known at this moment. -action.escu.creation_date = 2022-06-01 -action.escu.modification_date = 2022-06-01 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Command and Scripting Interpreter Path Traversal Exec - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190", "Windows Defense Evasion Tactics"] -action.risk = 1 -action.risk.param._risk_message = A parent process $parent_process_name$ has spawned a child $process_name$ with path traversal commandline $process$ in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 90}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Command and Scripting Interpreter Path Traversal Exec - Rule -action.correlationsearch.annotations = {"analytic_story": ["Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190", "Windows Defense Evasion Tactics"], "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "58fcdeb1-728d-415d-b0d7-3ab18a275ec2", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies path traversal command-line execution. This technique was seen in malicious document that execute malicious code using msdt.exe and path traversal technique that serve as defense evasion. This TTP is a good pivot to look for more suspicious process and command-line that runs before and after this execution. This may help you to find possible downloaded malware or other lolbin execution. -action.notable.param.rule_title = Windows Command and Scripting Interpreter Path Traversal Exec -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process="*\/..\/..\/..\/*" OR Processes.process="*\\..\\..\\..\\*" OR Processes.process="*\/\/..\/\/..\/\/..\/\/*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id Processes.process_hash | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_command_and_scripting_interpreter_path_traversal_exec_filter` - -[ESCU - Windows Command Shell DCRat ForkBomb Payload - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies DCRat "forkbomb" payload feature. This technique was seen in dark crystal RAT backdoor capabilities where it will execute several cmd child process executing "notepad.exe & pause". The following analytic detects the multiple cmd.exe and child process notepad.exe execution using batch script in the targeted host within 30s timeframe. this TTP can be a good pivot to check DCRat infection. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.003", "T1059"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies DCRat "forkbomb" payload feature. This technique was seen in dark crystal RAT backdoor capabilities where it will execute several cmd child process executing "notepad.exe & pause". The following analytic detects the multiple cmd.exe and child process notepad.exe execution using batch script in the targeted host within 30s timeframe. this TTP can be a good pivot to check DCRat infection. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2022-07-28 -action.escu.modification_date = 2022-07-28 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Command Shell DCRat ForkBomb Payload - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["DarkCrystal RAT"] -action.risk = 1 -action.risk.param._risk_message = Multiple cmd.exe processes with child process of notepad.exe executed on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 81}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Command Shell DCRat ForkBomb Payload - Rule -action.correlationsearch.annotations = {"analytic_story": ["DarkCrystal RAT"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.003", "T1059"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "2bb1a362-7aa8-444a-92ed-1987e8da83e1", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies DCRat "forkbomb" payload feature. This technique was seen in dark crystal RAT backdoor capabilities where it will execute several cmd child process executing "notepad.exe & pause". The following analytic detects the multiple cmd.exe and child process notepad.exe execution using batch script in the targeted host within 30s timeframe. this TTP can be a good pivot to check DCRat infection. -action.notable.param.rule_title = Windows Command Shell DCRat ForkBomb Payload -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.parent_process_id) as parent_process_id values(Processes.process_id) as process_id dc(Processes.parent_process_id) as parent_process_id_count dc(Processes.process_id) as process_id_count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name= "cmd.exe" (Processes.process_name = "notepad.exe" OR Processes.original_file_name= "notepad.exe") Processes.parent_process = "*.bat*" by Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.parent_process Processes.dest Processes.user _time span=30s | where parent_process_id_count>= 10 AND process_id_count >=10 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_command_shell_dcrat_forkbomb_payload_filter` - -[ESCU - Windows Command Shell Fetch Env Variables - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a suspicious process command line fetching the environment variables with a non-shell parent process. This technique was seen in qakbot malware where it fetches the environment variable in the target or compromised host. This TTP detection is a good pivot of possible malicious behavior since the command line is executed by a common non-shell process like cmd.exe , powershell.exe and many more. This can also be a good sign that the parent process has a malicious code injected to it to execute this command. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a suspicious process command line fetching the environment variables with a non-shell parent process. This technique was seen in qakbot malware where it fetches the environment variable in the target or compromised host. This TTP detection is a good pivot of possible malicious behavior since the command line is executed by a common non-shell process like cmd.exe , powershell.exe and many more. This can also be a good sign that the parent process has a malicious code injected to it to execute this command. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = shell process that are not included in this search may cause False positive. Filter is needed. -action.escu.creation_date = 2022-10-27 -action.escu.modification_date = 2022-10-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Command Shell Fetch Env Variables - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Qakbot"] -action.risk = 1 -action.risk.param._risk_message = non-shell parent process has a child process $process_name$ with a commandline $process$ to fetch env variables in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Command Shell Fetch Env Variables - Rule -action.correlationsearch.annotations = {"analytic_story": ["Qakbot"], "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "048839e4-1eaa-43ff-8a22-86d17f6fcc13", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a suspicious process command line fetching the environment variables with a non-shell parent process. This technique was seen in qakbot malware where it fetches the environment variable in the target or compromised host. This TTP detection is a good pivot of possible malicious behavior since the command line is executed by a common non-shell process like cmd.exe , powershell.exe and many more. This can also be a good sign that the parent process has a malicious code injected to it to execute this command. -action.notable.param.rule_title = Windows Command Shell Fetch Env Variables -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = "*cmd /c set" OR Processes.process = "*cmd.exe /c set" AND NOT (Processes.parent_process_name = "cmd.exe" OR Processes.parent_process_name = "powershell*" OR Processes.parent_process_name="pwsh.exe" OR Processes.parent_process_name = "explorer.exe") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_command_shell_fetch_env_variables_filter` - -[ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following correlation identifies instances where four or more distinct detection analytics are associated with malicious command line behavior that is known to be exploited by multiple threat actors, adversaries, or red teamers on a specific host. By leveraging the Command Line Interface (CLI), attackers can execute malicious commands, gain access to sensitive data, install backdoors, and engage in various nefarious activities. The impact of such compromise can be severe, as attackers may gain unauthorized control over the compromised system, enabling them to exfiltrate valuable information, escalate privileges, or launch further attacks within the network. If this detection is triggered, there is a high level of confidence in the occurrence of suspicious command line activities on the host. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation"], "mitre_attack": ["T1222", "T1049", "T1033", "T1529", "T1016", "T1059"], "nist": ["DE.AE"]} -action.escu.data_models = ["Risk"] -action.escu.eli5 = The following correlation identifies instances where four or more distinct detection analytics are associated with malicious command line behavior that is known to be exploited by multiple threat actors, adversaries, or red teamers on a specific host. By leveraging the Command Line Interface (CLI), attackers can execute malicious commands, gain access to sensitive data, install backdoors, and engage in various nefarious activities. The impact of such compromise can be severe, as attackers may gain unauthorized control over the compromised system, enabling them to exfiltrate valuable information, escalate privileges, or launch further attacks within the network. If this detection is triggered, there is a high level of confidence in the occurrence of suspicious command line activities on the host. -action.escu.how_to_implement = Splunk Enterprise Security is required to utilize this correlation. In addition, modify the source_count value to your environment. In our testing, a count of 4 or 5 was decent in a lab, but the number may need to be increased base on internal testing. In addition, based on false positives, modify any analytics to be anomaly and lower or increase risk based on organization importance. -action.escu.known_false_positives = False positives will be present based on many factors. Tune the correlation as needed to reduce too many triggers. -action.escu.creation_date = 2023-12-27 -action.escu.modification_date = 2023-12-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Azorult", "CISA AA23-347A", "DarkCrystal RAT", "Disabling Security Tools", "FIN7", "Netsh Abuse", "Qakbot", "Sandworm Tools", "Volt Typhoon", "Windows Defense Evasion Tactics", "Windows Post-Exploitation"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - RIR - Windows Common Abused Cmd Shell Risk Behavior - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azorult", "CISA AA23-347A", "DarkCrystal RAT", "Disabling Security Tools", "FIN7", "Netsh Abuse", "Qakbot", "Sandworm Tools", "Volt Typhoon", "Windows Defense Evasion Tactics", "Windows Post-Exploitation"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation"], "mitre_attack": ["T1222", "T1049", "T1033", "T1529", "T1016", "T1059"], "nist": ["DE.AE"], "type": "Correlation"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e99fcc4f-c6b0-4443-aa2a-e3c85126ec9a", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following correlation identifies instances where four or more distinct detection analytics are associated with malicious command line behavior that is known to be exploited by multiple threat actors, adversaries, or red teamers on a specific host. By leveraging the Command Line Interface (CLI), attackers can execute malicious commands, gain access to sensitive data, install backdoors, and engage in various nefarious activities. The impact of such compromise can be severe, as attackers may gain unauthorized control over the compromised system, enabling them to exfiltrate valuable information, escalate privileges, or launch further attacks within the network. If this detection is triggered, there is a high level of confidence in the occurrence of suspicious command line activities on the host. -action.notable.param.rule_title = RBA: Windows Common Abused Cmd Shell Risk Behavior -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where source IN ("*Cmdline Tool Not Executed In CMD Shell*", "*Windows System Network Config Discovery Display DNS*", "*Local Account Discovery With Wmic*", "*Net Localgroup Discovery*", "*Create local admin accounts using net exe*", "*Local Account Discovery with Net*", "*Icacls Deny Command*", "*ICACLS Grant Command*", "*Windows Proxy Via Netsh*", "*Processes launching netsh*", "*Disabling Firewall with Netsh*", "*Windows System Network Connections Discovery Netsh*", "*Network Connection Discovery With Arp*", "*Windows System Discovery Using ldap Nslookup*", "*Windows System Shutdown CommandLine*") by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 4 | `windows_common_abused_cmd_shell_risk_behavior_filter` - -[ESCU - Windows Computer Account Created by Computer Account - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifes a Computer Account creating a new Computer Account with specific a Service Principle Name - "RestrictedKrbHost". The RestrictedKrbHost service class allows client applications to use Kerberos authentication when they do not have the identity of the service but have the server name. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifes a Computer Account creating a new Computer Account with specific a Service Principle Name - "RestrictedKrbHost". The RestrictedKrbHost service class allows client applications to use Kerberos authentication when they do not have the identity of the service but have the server name. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4741 EventCode enabled. The Windows TA is also required. -action.escu.known_false_positives = It is possible third party applications may have a computer account that adds computer accounts, filtering may be required. -action.escu.creation_date = 2024-04-26 -action.escu.modification_date = 2024-04-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Computer Account Created by Computer Account - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Kerberos Attacks", "Local Privilege Escalation With KrbRelayUp"] -action.risk = 1 -action.risk.param._risk_message = A Computer Account on $dest$ created by a computer account (possibly indicative of Kerberos relay attack). -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 30}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Computer Account Created by Computer Account - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks", "Local Privilege Escalation With KrbRelayUp"], "cis20": ["CIS 10"], "confidence": 60, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "97a8dc5f-8a7c-4fed-9e3e-ec407fd0268a", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifes a Computer Account creating a new Computer Account with specific a Service Principle Name - "RestrictedKrbHost". The RestrictedKrbHost service class allows client applications to use Kerberos authentication when they do not have the identity of the service but have the server name. -action.notable.param.rule_title = Windows Computer Account Created by Computer Account -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4741 user_type=computer SubjectDomainName!="NT AUTHORITY" ServicePrincipalNames=*RestrictedKrbHost* | stats count min(_time) as firstTime max(_time) as lastTime by dest, subject, action ,src_user, user, user_type, SubjectUserName,SubjectDomainName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_computer_account_created_by_computer_account_filter` - -[ESCU - Windows Computer Account Requesting Kerberos Ticket - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects a computer account requesting a Kerberos ticket, which is unusual as typically user accounts request these tickets. This detection leverages Windows Security Event Logs, specifically EventCode 4768, to identify instances where the TargetUserName ends with a dollar sign ($), indicating a computer account. This activity is significant because it may indicate the use of tools like KrbUpRelay or other Kerberos-based attacks. If confirmed malicious, this could allow attackers to impersonate computer accounts, potentially leading to unauthorized access and lateral movement within the network. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects a computer account requesting a Kerberos ticket, which is unusual as typically user accounts request these tickets. This detection leverages Windows Security Event Logs, specifically EventCode 4768, to identify instances where the TargetUserName ends with a dollar sign ($), indicating a computer account. This activity is significant because it may indicate the use of tools like KrbUpRelay or other Kerberos-based attacks. If confirmed malicious, this could allow attackers to impersonate computer accounts, potentially leading to unauthorized access and lateral movement within the network. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4768 EventCode enabled. The Windows TA is also required. -action.escu.known_false_positives = It is possible false positives will be present based on third party applications. Filtering may be needed. -action.escu.creation_date = 2024-05-16 -action.escu.modification_date = 2024-05-16 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Computer Account Requesting Kerberos Ticket - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Kerberos Attacks", "Local Privilege Escalation With KrbRelayUp"] -action.risk = 1 -action.risk.param._risk_message = A Computer Account requested a Kerberos ticket on $dest$, possibly indicative of Kerberos relay attack. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 35}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Computer Account Requesting Kerberos Ticket - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks", "Local Privilege Escalation With KrbRelayUp"], "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "fb3b2bb3-75a4-4279-848a-165b42624770", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects a computer account requesting a Kerberos ticket, which is unusual as typically user accounts request these tickets. This detection leverages Windows Security Event Logs, specifically EventCode 4768, to identify instances where the TargetUserName ends with a dollar sign ($), indicating a computer account. This activity is significant because it may indicate the use of tools like KrbUpRelay or other Kerberos-based attacks. If confirmed malicious, this could allow attackers to impersonate computer accounts, potentially leading to unauthorized access and lateral movement within the network. -action.notable.param.rule_title = Windows Computer Account Requesting Kerberos Ticket -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4768 TargetUserName="*$" src_ip!="::1" | stats count min(_time) as firstTime max(_time) as lastTime by dest, subject, action, user, TargetUserName, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_computer_account_requesting_kerberos_ticket_filter` - -[ESCU - Windows Computer Account With SPN - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the addition of Service Principal Names (SPNs) HOST and RestrictedKrbHost to a computer account, indicative of KrbRelayUp behavior. This detection leverages Windows Security Event Logs, specifically EventCode 4741, to identify changes in SPNs. This activity is significant as it is commonly associated with Kerberos-based attacks, which can be used to escalate privileges or perform lateral movement within a network. If confirmed malicious, this behavior could allow an attacker to impersonate services, potentially leading to unauthorized access to sensitive resources. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects the addition of Service Principal Names (SPNs) HOST and RestrictedKrbHost to a computer account, indicative of KrbRelayUp behavior. This detection leverages Windows Security Event Logs, specifically EventCode 4741, to identify changes in SPNs. This activity is significant as it is commonly associated with Kerberos-based attacks, which can be used to escalate privileges or perform lateral movement within a network. If confirmed malicious, this behavior could allow an attacker to impersonate services, potentially leading to unauthorized access to sensitive resources. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4741 EventCode enabled. The Windows TA is also required. -action.escu.known_false_positives = It is possible third party applications may add these SPNs to Computer Accounts, filtering may be needed. -action.escu.creation_date = 2024-05-18 -action.escu.modification_date = 2024-05-18 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Computer Account With SPN - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Kerberos Attacks", "Local Privilege Escalation With KrbRelayUp"] -action.risk = 1 -action.risk.param._risk_message = A Computer Account was created with SPNs related to Kerberos on $dest$, possibly indicative of Kerberos relay attack. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Computer Account With SPN - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks", "Local Privilege Escalation With KrbRelayUp"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "9a3e57e7-33f4-470e-b25d-165baa6e8357", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the addition of Service Principal Names (SPNs) HOST and RestrictedKrbHost to a computer account, indicative of KrbRelayUp behavior. This detection leverages Windows Security Event Logs, specifically EventCode 4741, to identify changes in SPNs. This activity is significant as it is commonly associated with Kerberos-based attacks, which can be used to escalate privileges or perform lateral movement within a network. If confirmed malicious, this behavior could allow an attacker to impersonate services, potentially leading to unauthorized access to sensitive resources. -action.notable.param.rule_title = Windows Computer Account With SPN -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4741 NewUacValue="0x80" ServicePrincipalNames IN ("*HOST/*","*RestrictedKrbHost/*") | stats count min(_time) as firstTime max(_time) as lastTime values(EventCode),values(TargetDomainName),values(PrimaryGroupId), values(OldUacValue), values(NewUacValue),values(SamAccountName),values(DnsHostName),values(ServicePrincipalNames) by dest Logon_ID subject | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_computer_account_with_spn_filter` - -[ESCU - Windows ConHost with Headless Argument - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the unusual use of the Windows Console Host process (conhost.exe) with the undocumented --headless parameter to spawn a new process. This behavior is highly unusual and indicative of suspicious activity, as the --headless parameter is not commonly used in legitimate operations. The analytic identifies this behavior by looking for instances where conhost.exe is invoked with the --headless argument. This behavior is worth identifying for a Security Operations Center (SOC) as it could indicate an attacker's attempt to execute commands or scripts in a stealthy manner, potentially to establish persistence, perform lateral movement, or carry out other malicious activities. If a true positive is identified, it suggests that an attacker has gained a foothold in the environment and is attempting to further their attack, which could lead to serious consequences such as data exfiltration, system compromise, or deployment of ransomware. Potential false positives could arise from legitimate administrative activity, hence it is important to validate the context of the detected behavior during triage. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1564.003", "T1564.006"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the unusual use of the Windows Console Host process (conhost.exe) with the undocumented --headless parameter to spawn a new process. This behavior is highly unusual and indicative of suspicious activity, as the --headless parameter is not commonly used in legitimate operations. The analytic identifies this behavior by looking for instances where conhost.exe is invoked with the --headless argument. This behavior is worth identifying for a Security Operations Center (SOC) as it could indicate an attacker's attempt to execute commands or scripts in a stealthy manner, potentially to establish persistence, perform lateral movement, or carry out other malicious activities. If a true positive is identified, it suggests that an attacker has gained a foothold in the environment and is attempting to further their attack, which could lead to serious consequences such as data exfiltration, system compromise, or deployment of ransomware. Potential false positives could arise from legitimate administrative activity, hence it is important to validate the context of the detected behavior during triage. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives may be present if the application is legitimately used, filter by user or endpoint as needed. -action.escu.creation_date = 2023-11-01 -action.escu.modification_date = 2023-11-01 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows ConHost with Headless Argument - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Spearphishing Attachments"] -action.risk = 1 -action.risk.param._risk_message = Windows ConHost with Headless Argument detected on $dest$ by $user$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 70}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 70}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows ConHost with Headless Argument - Rule -action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments"], "cis20": ["CIS 10"], "confidence": 70, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1564.003", "T1564.006"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "d5039508-998d-4cfc-8b5e-9dcd679d9a62", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the unusual use of the Windows Console Host process (conhost.exe) with the undocumented --headless parameter to spawn a new process. This behavior is highly unusual and indicative of suspicious activity, as the --headless parameter is not commonly used in legitimate operations. The analytic identifies this behavior by looking for instances where conhost.exe is invoked with the --headless argument. This behavior is worth identifying for a Security Operations Center (SOC) as it could indicate an attacker's attempt to execute commands or scripts in a stealthy manner, potentially to establish persistence, perform lateral movement, or carry out other malicious activities. If a true positive is identified, it suggests that an attacker has gained a foothold in the environment and is attempting to further their attack, which could lead to serious consequences such as data exfiltration, system compromise, or deployment of ransomware. Potential false positives could arise from legitimate administrative activity, hence it is important to validate the context of the detected behavior during triage. -action.notable.param.rule_title = Windows ConHost with Headless Argument -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=conhost.exe Processes.process="*--headless *" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_conhost_with_headless_argument_filter` - -[ESCU - Windows Create Local Account - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the creation of a new local user account on a Windows system. It leverages Windows Security Audit logs, specifically event ID 4720, to identify this activity. Monitoring the creation of local accounts is crucial for a SOC as it can indicate unauthorized access or lateral movement within the network. If confirmed malicious, this activity could allow an attacker to establish persistence, escalate privileges, or gain unauthorized access to sensitive systems and data. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.AE"]} -action.escu.data_models = ["Change"] -action.escu.eli5 = The following analytic detects the creation of a new local user account on a Windows system. It leverages Windows Security Audit logs, specifically event ID 4720, to identify this activity. Monitoring the creation of local accounts is crucial for a SOC as it can indicate unauthorized access or lateral movement within the network. If confirmed malicious, this activity could allow an attacker to establish persistence, escalate privileges, or gain unauthorized access to sensitive systems and data. -action.escu.how_to_implement = This search requires you to have enabled your Group Management Audit Logs in your Local Windows Security Policy and be ingesting those logs. More information on how to enable them can be found here: http://whatevernetworks.com/auditing-group-membership-changes-in-active-directory/ -action.escu.known_false_positives = It is possible that an administrator created the account. Verifying activity with an administrator is advised. This analytic is set to anomaly to allow for risk to be added. Filter and tune as needed. Restrict to critical infrastructure to reduce any volume. -action.escu.creation_date = 2025-05-19 -action.escu.modification_date = 2025-05-19 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Create Local Account - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Active Directory Password Spraying"] -action.risk = 1 -action.risk.param._risk_message = The following $user$ was added to $dest$ as a local account. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 18}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 18}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Create Local Account - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Password Spraying"], "cis20": ["CIS 10"], "confidence": 90, "impact": 20, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "3fb2e8e3-7bc0-4567-9722-c5ab9f8595eb", "detection_version": "3"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` values(All_Changes.result_id) as result_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Change where All_Changes.result_id=4720 by All_Changes.user All_Changes.dest All_Changes.result All_Changes.action | `drop_dm_object_name("All_Changes")` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_create_local_account_filter` - -[ESCU - Windows Credential Access From Browser Password Store - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a possible non-common browser process accessing its browser user data profile. This tactic/technique has been observed in various Trojan Stealers, such as SnakeKeylogger, which attempt to gather sensitive browser information and credentials as part of their exfiltration strategy. Detecting this anomaly can serve as a valuable pivot for identifying processes that access lists of browser user data profiles unexpectedly. This detection uses a lookup file `browser_app_list` that maintains a list of well known browser applications and the browser paths that are allowed to access the browser user data profiles. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1012"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies a possible non-common browser process accessing its browser user data profile. This tactic/technique has been observed in various Trojan Stealers, such as SnakeKeylogger, which attempt to gather sensitive browser information and credentials as part of their exfiltration strategy. Detecting this anomaly can serve as a valuable pivot for identifying processes that access lists of browser user data profiles unexpectedly. This detection uses a lookup file `browser_app_list` that maintains a list of well known browser applications and the browser paths that are allowed to access the browser user data profiles. -action.escu.how_to_implement = To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." This search may trigger on a browser application that is not included in the browser_app_list lookup file. -action.escu.known_false_positives = The lookup file `browser_app_list` may not contain all the browser applications that are allowed to access the browser user data profiles. Consider updating the lookup files to add allowed object paths for the browser applications that are not included in the lookup file. -action.escu.creation_date = 2024-02-20 -action.escu.modification_date = 2024-02-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Credential Access From Browser Password Store - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Snake Keylogger"] -action.risk = 1 -action.risk.param._risk_message = A non-common browser process $process_name$ accessing browser user data folder on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Credential Access From Browser Password Store - Rule -action.correlationsearch.annotations = {"analytic_story": ["Snake Keylogger"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1012"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "72013a8e-5cea-408a-9d51-5585386b4d69", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4663 | stats count by _time object_file_path object_file_name dest process_name process_path process_id EventCode | lookup browser_app_list browser_object_path as object_file_path OUTPUT browser_process_name isAllowed | stats count min(_time) as firstTime max(_time) as lastTime values(object_file_name) values(object_file_path) values(browser_process_name) as browser_process_name by dest process_name process_path process_id EventCode isAllowed | rex field=process_name "(?[^\\\\]+)$" | eval isMalicious=if(match(browser_process_name, extracted_process_name), "0", "1") | where isMalicious=1 and isAllowed="false" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credential_access_from_browser_password_store_filter` - -[ESCU - Windows Credential Dumping LSASS Memory Createdump - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the use of CreateDump.exe being used to perform a process dump. This particular binary is not native to Windows, but is found to be brought in my many different third party applications including PowerShell 7. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the use of CreateDump.exe being used to perform a process dump. This particular binary is not native to Windows, but is found to be brought in my many different third party applications including PowerShell 7. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives may be present if an application is dumping processes, filter as needed. Recommend reviewing createdump.exe usage across the fleet to better understand all usage and by what. -action.escu.creation_date = 2023-01-23 -action.escu.modification_date = 2023-01-23 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Credential Dumping LSASS Memory Createdump - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Credential Dumping"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to dump a process. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 70}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 70}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 70}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 70}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Credential Dumping LSASS Memory Createdump - Rule -action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping"], "cis20": ["CIS 10"], "confidence": 70, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "b3b7ce35-fce5-4c73-85f4-700aeada81a9", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the use of CreateDump.exe being used to perform a process dump. This particular binary is not native to Windows, but is found to be brought in my many different third party applications including PowerShell 7. -action.notable.param.rule_title = Windows Credential Dumping LSASS Memory Createdump -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=createdump.exe OR Processes.original_file_name="FX_VER_INTERNALNAME_STR" Processes.process="*-u *" AND Processes.process="*-f *" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credential_dumping_lsass_memory_createdump_filter` - -[ESCU - Windows Credentials from Password Stores Chrome Extension Access - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic focuses on identifying non-chrome processes that attempt to access the Chrome extensions file. This file contains crucial settings and information related to the browser's extensions installed on the computer. Adversaries and malware authors have been known to exploit this file to extract sensitive information from the Chrome browser on targeted hosts. Detecting such anomalous behavior provides valuable insights for analyzing suspicious processes beyond the commonly observed chrome.exe and explorer.exe executables. By monitoring for access to the Chrome extensions file by non-chrome processes, we can enhance our ability to detect potential threats and protect sensitive information stored within the browser. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1012"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic focuses on identifying non-chrome processes that attempt to access the Chrome extensions file. This file contains crucial settings and information related to the browser's extensions installed on the computer. Adversaries and malware authors have been known to exploit this file to extract sensitive information from the Chrome browser on targeted hosts. Detecting such anomalous behavior provides valuable insights for analyzing suspicious processes beyond the commonly observed chrome.exe and explorer.exe executables. By monitoring for access to the Chrome extensions file by non-chrome processes, we can enhance our ability to detect potential threats and protect sensitive information stored within the browser. -action.escu.how_to_implement = To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." -action.escu.known_false_positives = Uninstall chrome browser extension application may access this file and folder path to removed chrome installation in the target host. Filter is needed. -action.escu.creation_date = 2023-12-27 -action.escu.modification_date = 2023-12-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Credentials from Password Stores Chrome Extension Access - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Amadey", "CISA AA23-347A", "DarkGate Malware", "Phemedrone Stealer", "RedLine Stealer"] -action.risk = 1 -action.risk.param._risk_message = A non-chrome process $process_name$ accessing chrome browser extension folder files on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Credentials from Password Stores Chrome Extension Access - Rule -action.correlationsearch.annotations = {"analytic_story": ["Amadey", "CISA AA23-347A", "DarkGate Malware", "Phemedrone Stealer", "RedLine Stealer"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1012"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "2e65afe0-9a75-4487-bd87-ada9a9f1b9af", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4663 object_file_path="*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\*" AND NOT (process_path IN ("*:\\Windows\\explorer.exe", "*\\chrome.exe")) | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_chrome_extension_access_filter` - -[ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is designed to detect non-chrome processes accessing the Chrome user data file called "local state." This file contains important settings and information related to the browser's operations on the computer. Threat actors, adversaries, and malware authors have been known to exploit this file in attempts to extract the encrypted master key used for decrypting passwords saved in the Chrome browser. Detecting access to the "local state" file by non-chrome processes serves as a valuable pivot for analyzing suspicious processes beyond the commonly observed chrome.exe and explorer.exe executables. By monitoring for this anomaly, we can improve our ability to identify potential threats and safeguard sensitive information stored within the browser. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1012"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic is designed to detect non-chrome processes accessing the Chrome user data file called "local state." This file contains important settings and information related to the browser's operations on the computer. Threat actors, adversaries, and malware authors have been known to exploit this file in attempts to extract the encrypted master key used for decrypting passwords saved in the Chrome browser. Detecting access to the "local state" file by non-chrome processes serves as a valuable pivot for analyzing suspicious processes beyond the commonly observed chrome.exe and explorer.exe executables. By monitoring for this anomaly, we can improve our ability to identify potential threats and safeguard sensitive information stored within the browser. -action.escu.how_to_implement = To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." -action.escu.known_false_positives = Uninstall chrome application may access this file and folder path to removed chrome installation in target host. Filter is needed. -action.escu.creation_date = 2023-04-26 -action.escu.modification_date = 2023-04-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Amadey", "DarkGate Malware", "NjRAT", "Phemedrone Stealer", "RedLine Stealer", "Snake Keylogger", "Warzone RAT"] -action.risk = 1 -action.risk.param._risk_message = A non-chrome process $process_name$ accessing "Chrome\\User Data\\Local State" file on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule -action.correlationsearch.annotations = {"analytic_story": ["Amadey", "DarkGate Malware", "NjRAT", "Phemedrone Stealer", "RedLine Stealer", "Snake Keylogger", "Warzone RAT"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1012"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "3b1d09a8-a26f-473e-a510-6c6613573657", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4663 object_file_path="*\\AppData\\Local\\Google\\Chrome\\User Data\\Local State" NOT (process_name IN ("*\\chrome.exe","*:\\Windows\\explorer.exe")) | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_chrome_localstate_access_filter` - -[ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is designed to identify non-chrome processes accessing the Chrome user data file called "login data." This SQLite database file contains important information related to the browser's operations on the computer. Threat actors, adversaries, and malware authors have been known to exploit this file in attempts to extract and decrypt passwords saved in the Chrome browser. Detecting access to the "login data" file by non-chrome processes serves as a valuable pivot for analyzing suspicious processes beyond the commonly observed chrome.exe and explorer.exe executables. By monitoring for this anomaly, we can enhance our ability to detect potential threats and protect sensitive information stored within the browser. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1012"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic is designed to identify non-chrome processes accessing the Chrome user data file called "login data." This SQLite database file contains important information related to the browser's operations on the computer. Threat actors, adversaries, and malware authors have been known to exploit this file in attempts to extract and decrypt passwords saved in the Chrome browser. Detecting access to the "login data" file by non-chrome processes serves as a valuable pivot for analyzing suspicious processes beyond the commonly observed chrome.exe and explorer.exe executables. By monitoring for this anomaly, we can enhance our ability to detect potential threats and protect sensitive information stored within the browser. -action.escu.how_to_implement = To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." -action.escu.known_false_positives = Uninstall application may access this registry to remove the entry of the target application. filter is needed. -action.escu.creation_date = 2023-04-27 -action.escu.modification_date = 2023-04-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Amadey", "DarkGate Malware", "NjRAT", "Phemedrone Stealer", "RedLine Stealer", "Snake Keylogger", "Warzone RAT"] -action.risk = 1 -action.risk.param._risk_message = A non-chrome process $process_name$ accessing Chrome "Login Data" file on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule -action.correlationsearch.annotations = {"analytic_story": ["Amadey", "DarkGate Malware", "NjRAT", "Phemedrone Stealer", "RedLine Stealer", "Snake Keylogger", "Warzone RAT"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1012"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "0d32ba37-80fc-4429-809c-0ba15801aeaf", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4663 object_file_path="*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data" AND NOT (process_path IN ("*:\\Windows\\explorer.exe", "*:\\Windows\\System32\\dllhost.exe", "*\\chrome.exe")) | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_chrome_login_data_access_filter` - -[ESCU - Windows Credentials from Password Stores Creation - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a process execution of Windows OS cmdkey.exe tool. This tool is being abused or used by several post exploitation tool and malware such as Darkgate malware to create stored user names, passwords or credentials in the targeted Windows OS host. This information can be used by the attacker to gain privilege escalation and persistence in the targeted hosts for further attacks. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1555"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a process execution of Windows OS cmdkey.exe tool. This tool is being abused or used by several post exploitation tool and malware such as Darkgate malware to create stored user names, passwords or credentials in the targeted Windows OS host. This information can be used by the attacker to gain privilege escalation and persistence in the targeted hosts for further attacks. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = network administrator can use this tool for auditing process. -action.escu.creation_date = 2023-11-23 -action.escu.modification_date = 2023-11-23 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Credentials from Password Stores Creation - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["DarkGate Malware"] -action.risk = 1 -action.risk.param._risk_message = a process $process_name$ was executed in $dest$ to create stored credentials -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Credentials from Password Stores Creation - Rule -action.correlationsearch.annotations = {"analytic_story": ["DarkGate Malware"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1555"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c0c5a479-bf57-4ca0-af3a-4c7081e5ba05", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a process execution of Windows OS cmdkey.exe tool. This tool is being abused or used by several post exploitation tool and malware such as Darkgate malware to create stored user names, passwords or credentials in the targeted Windows OS host. This information can be used by the attacker to gain privilege escalation and persistence in the targeted hosts for further attacks. -action.notable.param.rule_title = Windows Credentials from Password Stores Creation -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name="cmdkey.exe" OR Processes.original_file_name = "cmdkey.exe" AND Processes.process = "*/generic*" Processes.process IN ("*/user*", "*/password*") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_creation_filter` - -[ESCU - Windows Credentials from Password Stores Deletion - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a process execution of Windows OS cmdkey.exe tool. This tool is being abused or used by several post exploitation tool and malware such as Darkgate malware to delete stored user names, passwords or credentials in the targeted Windows OS host. This information can be used by the attacker to gain privilege escalation and persistence in the targeted hosts for further attacks. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1555"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a process execution of Windows OS cmdkey.exe tool. This tool is being abused or used by several post exploitation tool and malware such as Darkgate malware to delete stored user names, passwords or credentials in the targeted Windows OS host. This information can be used by the attacker to gain privilege escalation and persistence in the targeted hosts for further attacks. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = network administrator can use this tool for auditing process. -action.escu.creation_date = 2023-11-23 -action.escu.modification_date = 2023-11-23 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Credentials from Password Stores Deletion - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["DarkGate Malware"] -action.risk = 1 -action.risk.param._risk_message = a process $process_name$ was executed in $dest$ to delete stored credentials -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Credentials from Password Stores Deletion - Rule -action.correlationsearch.annotations = {"analytic_story": ["DarkGate Malware"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1555"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "46d676aa-40c6-4fe6-b917-d23b621f0f89", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a process execution of Windows OS cmdkey.exe tool. This tool is being abused or used by several post exploitation tool and malware such as Darkgate malware to delete stored user names, passwords or credentials in the targeted Windows OS host. This information can be used by the attacker to gain privilege escalation and persistence in the targeted hosts for further attacks. -action.notable.param.rule_title = Windows Credentials from Password Stores Deletion -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name="cmdkey.exe" OR Processes.original_file_name = "cmdkey.exe" AND Processes.process = "*/delete*" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_deletion_filter` - -[ESCU - Windows Credentials from Password Stores Query - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a process execution of Windows OS cmdkey.exe tool. This tool is being abused or used by several post exploitation tool such as winpeas that being used by ransomware prestige to list stored user names, passwords or credentials in the targeted Windows OS host. This information can be used by the attacker to gain privilege escalation and persistence in the targeted hosts for further attacks. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1555"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a process execution of Windows OS cmdkey.exe tool. This tool is being abused or used by several post exploitation tool such as winpeas that being used by ransomware prestige to list stored user names, passwords or credentials in the targeted Windows OS host. This information can be used by the attacker to gain privilege escalation and persistence in the targeted hosts for further attacks. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = network administrator can use this tool for auditing process. -action.escu.creation_date = 2022-11-30 -action.escu.modification_date = 2022-11-30 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Credentials from Password Stores Query - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["DarkGate Malware", "Prestige Ransomware", "Windows Post-Exploitation"] -action.risk = 1 -action.risk.param._risk_message = a process $process_name$ was executed in $dest$ to display stored username and credentials. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Credentials from Password Stores Query - Rule -action.correlationsearch.annotations = {"analytic_story": ["DarkGate Malware", "Prestige Ransomware", "Windows Post-Exploitation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1555"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "db02d6b4-5d5b-4c33-8d8f-f0577516a8c7", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name="cmdkey.exe" OR Processes.original_file_name = "cmdkey.exe" AND Processes.process = "*/list*" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_query_filter` - -[ESCU - Windows Credentials in Registry Reg Query - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a process command line related to the discovery of possible password or credentials in the registry. This technique is being abused by adversaries or post exploitation tools like winpeas to steal credentials in the registry in the targeted host. Registry can contain several sensitive information like username and credentials that can be used for privilege escalation, persistence or even in lateral movement. This Anomaly detection can be a good pivot to detect a suspicious process querying a registry related to password or private keys. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.002", "T1552"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a process command line related to the discovery of possible password or credentials in the registry. This technique is being abused by adversaries or post exploitation tools like winpeas to steal credentials in the registry in the targeted host. Registry can contain several sensitive information like username and credentials that can be used for privilege escalation, persistence or even in lateral movement. This Anomaly detection can be a good pivot to detect a suspicious process querying a registry related to password or private keys. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2022-11-30 -action.escu.modification_date = 2022-11-30 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Credentials in Registry Reg Query - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Prestige Ransomware", "Windows Post-Exploitation"] -action.risk = 1 -action.risk.param._risk_message = reg query commandline $process$ in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Credentials in Registry Reg Query - Rule -action.correlationsearch.annotations = {"analytic_story": ["Prestige Ransomware", "Windows Post-Exploitation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.002", "T1552"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a8b3124e-2278-4b73-ae9c-585117079fb2", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process = "* query *" AND Processes.process IN ("*\\Software\\ORL\\WinVNC3\\Password*", "*\\SOFTWARE\\RealVNC\\WinVNC4 /v password*", "*\\CurrentControlSet\\Services\\SNMP*", "*\\Software\\TightVNC\\Server*", "*\\Software\\SimonTatham\\PuTTY\\Sessions*", "*\\Software\\OpenSSH\\Agent\\Keys*", "*password*") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_in_registry_reg_query_filter` - -[ESCU - Windows Curl Download to Suspicious Path - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the use of Windows Curl.exe downloading a file to a suspicious location. \ --O or --output is used when a file is to be downloaded and placed in a specified location. \ -During triage, review parallel processes for further behavior. In addition, identify if the download was successful. If a file was downloaded, capture and analyze. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the use of Windows Curl.exe downloading a file to a suspicious location. \ --O or --output is used when a file is to be downloaded and placed in a specified location. \ -During triage, review parallel processes for further behavior. In addition, identify if the download was successful. If a file was downloaded, capture and analyze. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = It is possible Administrators or super users will use Curl for legitimate purposes. Filter as needed. -action.escu.creation_date = 2021-10-19 -action.escu.modification_date = 2021-10-19 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Curl Download to Suspicious Path - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Forest Blizzard", "IcedID", "Ingress Tool Transfer"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ to download a file to a suspicious directory. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Curl Download to Suspicious Path - Rule -action.correlationsearch.annotations = {"analytic_story": ["Forest Blizzard", "IcedID", "Ingress Tool Transfer"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c32f091e-30db-11ec-8738-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the use of Windows Curl.exe downloading a file to a suspicious location. \ --O or --output is used when a file is to be downloaded and placed in a specified location. \ -During triage, review parallel processes for further behavior. In addition, identify if the download was successful. If a file was downloaded, capture and analyze. -action.notable.param.rule_title = Windows Curl Download to Suspicious Path -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_curl` Processes.process IN ("*-O *","*--output*") Processes.process IN ("*\\appdata\\*","*\\programdata\\*","*\\public\\*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_curl_download_to_suspicious_path_filter` - -[ESCU - Windows Curl Upload to Remote Destination - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the use of Windows Curl.exe uploading a file to a remote destination. \ -`-T` or `--upload-file` is used when a file is to be uploaded to a remotge destination. \ - \ -`-d` or `--data` POST is the HTTP method that was invented to send data to a receiving web application, and it is, for example, how most common HTML forms on the web work. \ - \ -HTTP multipart formposts are done with `-F`, but this appears to not be compatible with the Windows version of Curl. Will update if identified adversary tradecraft. \ - \ -Adversaries may use one of the three methods based on the remote destination and what they are attempting to upload (zip vs txt). During triage, review parallel processes for further behavior. In addition, identify if the upload was successful in network logs. If a file was uploaded, isolate the endpoint and review. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the use of Windows Curl.exe uploading a file to a remote destination. \ -`-T` or `--upload-file` is used when a file is to be uploaded to a remotge destination. \ - \ -`-d` or `--data` POST is the HTTP method that was invented to send data to a receiving web application, and it is, for example, how most common HTML forms on the web work. \ - \ -HTTP multipart formposts are done with `-F`, but this appears to not be compatible with the Windows version of Curl. Will update if identified adversary tradecraft. \ - \ -Adversaries may use one of the three methods based on the remote destination and what they are attempting to upload (zip vs txt). During triage, review parallel processes for further behavior. In addition, identify if the upload was successful in network logs. If a file was uploaded, isolate the endpoint and review. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives may be limited to source control applications and may be required to be filtered out. -action.escu.creation_date = 2021-11-10 -action.escu.modification_date = 2021-11-10 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Curl Upload to Remote Destination - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Ingress Tool Transfer"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ uploading a file to a remote destination. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Curl Upload to Remote Destination - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ingress Tool Transfer"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "42f8f1a2-4228-11ec-aade-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the use of Windows Curl.exe uploading a file to a remote destination. \ -`-T` or `--upload-file` is used when a file is to be uploaded to a remotge destination. \ - \ -`-d` or `--data` POST is the HTTP method that was invented to send data to a receiving web application, and it is, for example, how most common HTML forms on the web work. \ - \ -HTTP multipart formposts are done with `-F`, but this appears to not be compatible with the Windows version of Curl. Will update if identified adversary tradecraft. \ - \ -Adversaries may use one of the three methods based on the remote destination and what they are attempting to upload (zip vs txt). During triage, review parallel processes for further behavior. In addition, identify if the upload was successful in network logs. If a file was uploaded, isolate the endpoint and review. -action.notable.param.rule_title = Windows Curl Upload to Remote Destination -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_curl` Processes.process IN ("*-T *","*--upload-file *", "*-d *", "*--data *", "*-F *") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_curl_upload_to_remote_destination_filter` - -[ESCU - Windows Data Destruction Recursive Exec Files Deletion - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic identifies a suspicious process that is recursively deleting files on a compromised host. This behavior has been observed in several types of destructive malware, such as CaddyWiper, DoubleZero, and SwiftSlicer, which delete or overwrite files with randomly generated strings to make recovery impossible. Additionally, this analytic can detect potential recursive file writes across multiple files using Sysmon Event 23 or 26. Sysmon considers a file as deleted as soon as it is overwritten. This analytic serves as a strong indicator of potential destructive malware activity on a host machine or the uninstallation of a large software application. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic identifies a suspicious process that is recursively deleting files on a compromised host. This behavior has been observed in several types of destructive malware, such as CaddyWiper, DoubleZero, and SwiftSlicer, which delete or overwrite files with randomly generated strings to make recovery impossible. Additionally, this analytic can detect potential recursive file writes across multiple files using Sysmon Event 23 or 26. Sysmon considers a file as deleted as soon as it is overwritten. This analytic serves as a strong indicator of potential destructive malware activity on a host machine or the uninstallation of a large software application. -action.escu.how_to_implement = To successfully implement this search, you need to ingest logs that include the process name, TargetFilename, and ProcessID executions from your endpoints. If you are using Sysmon, ensure you have at least version 2.0 of the Sysmon TA installed. -action.escu.known_false_positives = The uninstallation of a large software application or the use of cleanmgr.exe may trigger this detection. A filter is necessary to reduce false positives. -action.escu.creation_date = 2023-03-05 -action.escu.modification_date = 2023-03-05 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Data Destruction Recursive Exec Files Deletion - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["Data Destruction", "Swift Slicer"] -action.risk = 1 -action.risk.param._risk_message = The process $process_name$ has removed a significant quantity of executable files, totaling [$count$], from the destination $dest$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}, {"threat_object_field": "deleted_files", "threat_object_type": "file_name"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Data Destruction Recursive Exec Files Deletion - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Swift Slicer"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "3596a799-6320-4a2f-8772-a9e98ddb2960", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic identifies a suspicious process that is recursively deleting files on a compromised host. This behavior has been observed in several types of destructive malware, such as CaddyWiper, DoubleZero, and SwiftSlicer, which delete or overwrite files with randomly generated strings to make recovery impossible. Additionally, this analytic can detect potential recursive file writes across multiple files using Sysmon Event 23 or 26. Sysmon considers a file as deleted as soon as it is overwritten. This analytic serves as a strong indicator of potential destructive malware activity on a host machine or the uninstallation of a large software application. -action.notable.param.rule_title = Windows Data Destruction Recursive Exec Files Deletion -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode IN ("23","26") TargetFilename IN ("*.exe", "*.sys", "*.dll") | bin _time span=2m | stats count, values(TargetFilename) as deleted_files, min(_time) as firstTime, max(_time) as lastTime by user, dest, signature, signature_id, Image, process_name, process_guid | rename Image as process | where count >=500 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_data_destruction_recursive_exec_files_deletion_filter` - -[ESCU - Windows Defacement Modify Transcodedwallpaper File - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a modification to the Transcodedwallpaper file in the wallpaper theme directory to change the wallpaper of the host machine. This technique was seen in adversaries attempting to deface or change the desktop wallpaper of the targeted host. During our testing, the common process that affects or changes the wallpaper if a user changes it via desktop personalized setting is explorer.exe. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1491"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a modification to the Transcodedwallpaper file in the wallpaper theme directory to change the wallpaper of the host machine. This technique was seen in adversaries attempting to deface or change the desktop wallpaper of the targeted host. During our testing, the common process that affects or changes the wallpaper if a user changes it via desktop personalized setting is explorer.exe. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -action.escu.known_false_positives = 3rd part software application can change the wallpaper. Filter is needed. -action.escu.creation_date = 2022-08-25 -action.escu.modification_date = 2022-08-25 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Defacement Modify Transcodedwallpaper File - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Brute Ratel C4"] -action.risk = 1 -action.risk.param._risk_message = modification or creation of transcodedwallpaper file by $process_name$ in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 9}, {"threat_object_field": "process_name", "threat_object_type": "process"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Defacement Modify Transcodedwallpaper File - Rule -action.correlationsearch.annotations = {"analytic_story": ["Brute Ratel C4"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1491"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e11c3d90-5bc7-42ad-94cd-ba75db10d897", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_path !="*\\Windows\\Explorer.EXE" by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.process_guid Processes.original_file_name | `drop_dm_object_name(Processes)` |rename process_guid as proc_guid | join proc_guid, _time [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.file_path = "*\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)` |rename process_guid as proc_guid | fields file_name file_path process_name process_path process dest file_create_time _time proc_guid] | `windows_defacement_modify_transcodedwallpaper_file_filter` - -[ESCU - Windows Default Group Policy Object Modified - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic leverages Event ID 5136 to identify the modification of a default Group Policy Object. A fresh installation of an Active Directory network will typically contain two default group policy objects `Default Domain Controllers Policy` and `Default Domain Policy`. The default domain controllers policy is used to enforce and set policies to all the domain controllers within the domain environment. The default domain policy is linked to all users and computers by default. An adversary who has obtained privileged access to an Active Directory network may modify the default group policy objects to obtain further access, deploy persistence or execute malware across a large number of hosts. Security teams should monitor the modification of the default GPOs. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484", "T1484.001"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic leverages Event ID 5136 to identify the modification of a default Group Policy Object. A fresh installation of an Active Directory network will typically contain two default group policy objects `Default Domain Controllers Policy` and `Default Domain Policy`. The default domain controllers policy is used to enforce and set policies to all the domain controllers within the domain environment. The default domain policy is linked to all users and computers by default. An adversary who has obtained privileged access to an Active Directory network may modify the default group policy objects to obtain further access, deploy persistence or execute malware across a large number of hosts. Security teams should monitor the modification of the default GPOs. -action.escu.how_to_implement = To successfully implement this search, the Advanced Security Audit policy setting `Audit Directory Service Changes` within `DS Access` needs to be enabled. Furthermore, the appropriate system access control lists (SACL) need to be created as the used events are not logged by default. A good guide to accomplish this can be found here https://jgspiers.com/audit-group-policy-changes/. -action.escu.known_false_positives = The default Group Policy Objects within an AD network may be legitimately updated for administrative operations, filter as needed. -action.escu.creation_date = 2023-03-28 -action.escu.modification_date = 2023-03-28 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Default Group Policy Object Modified - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Privilege Escalation", "Sneaky Active Directory Persistence Tricks"] -action.risk = 1 -action.risk.param._risk_message = A default group policy object was modified on $Computer$ by $SubjectUserSid$ -action.risk.param._risk = [{"risk_object_field": "SubjectUserSid", "risk_object_type": "other", "risk_score": 50}, {"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 50}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Default Group Policy Object Modified - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Privilege Escalation", "Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 50, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484", "T1484.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "fe6a6cc4-9e0d-4d66-bcf4-2c7f44860876", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic leverages Event ID 5136 to identify the modification of a default Group Policy Object. A fresh installation of an Active Directory network will typically contain two default group policy objects `Default Domain Controllers Policy` and `Default Domain Policy`. The default domain controllers policy is used to enforce and set policies to all the domain controllers within the domain environment. The default domain policy is linked to all users and computers by default. An adversary who has obtained privileged access to an Active Directory network may modify the default group policy objects to obtain further access, deploy persistence or execute malware across a large number of hosts. Security teams should monitor the modification of the default GPOs. -action.notable.param.rule_title = Windows Default Group Policy Object Modified -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=5136 ObjectClass=groupPolicyContainer AttributeLDAPDisplayName=versionNumber (ObjectDN="CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=POLICIES,CN=SYSTEM,DC=*" OR ObjectDN="CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=POLICIES,CN=SYSTEM,DC=*") | stats min(_time) as firstTime max(_time) as lastTime by ObjectDN SubjectUserSid AttributeValue Computer DSName | rename AttributeValue as versionNumber | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_default_group_policy_object_modified_filter` - -[ESCU - Windows Default Group Policy Object Modified with GPME - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic leverages the Endpoint datamodel to identify the potential edition of a default Group Policy Object. A fresh installation of an Active Directory network will typically contain two default group policy objects `Default Domain Controllers Policy` and `Default Domain Policy`. The default domain controllers policy is used to enforce and set policies to all the domain controllers within the domain environment. The default domain policy is linked to all users and computers by default. An adversary who has obtained privileged access to an Active Directory network may modify the default group policy objects to obtain further access, deploy persistence or execute malware across a large number of hosts. Security teams should monitor the edition of the default GPOs. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484", "T1484.001"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic leverages the Endpoint datamodel to identify the potential edition of a default Group Policy Object. A fresh installation of an Active Directory network will typically contain two default group policy objects `Default Domain Controllers Policy` and `Default Domain Policy`. The default domain controllers policy is used to enforce and set policies to all the domain controllers within the domain environment. The default domain policy is linked to all users and computers by default. An adversary who has obtained privileged access to an Active Directory network may modify the default group policy objects to obtain further access, deploy persistence or execute malware across a large number of hosts. Security teams should monitor the edition of the default GPOs. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = The default Group Policy Objects within an AD network may be legitimately updated for administrative operations, filter as needed. -action.escu.creation_date = 2023-04-24 -action.escu.modification_date = 2023-04-24 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Default Group Policy Object Modified with GPME - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Privilege Escalation", "Sneaky Active Directory Persistence Tricks"] -action.risk = 1 -action.risk.param._risk_message = A default group policy object was opened with Group Policy Manage Editor on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 50}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 50}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 50}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Default Group Policy Object Modified with GPME - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Privilege Escalation", "Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 50, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484", "T1484.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "eaf688b3-bb8f-454d-b105-920a862cd8cb", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic leverages the Endpoint datamodel to identify the potential edition of a default Group Policy Object. A fresh installation of an Active Directory network will typically contain two default group policy objects `Default Domain Controllers Policy` and `Default Domain Policy`. The default domain controllers policy is used to enforce and set policies to all the domain controllers within the domain environment. The default domain policy is linked to all users and computers by default. An adversary who has obtained privileged access to an Active Directory network may modify the default group policy objects to obtain further access, deploy persistence or execute malware across a large number of hosts. Security teams should monitor the edition of the default GPOs. -action.notable.param.rule_title = Windows Default Group Policy Object Modified with GPME -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=mmc.exe (Processes.process =*gpme.msc*) AND (Processes.process = "*31B2F340-016D-11D2-945F-00C04FB984F9*" OR Processes.process = "*6AC1786C-016F-11D2-945F-00C04fB984F9*" ) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_default_group_policy_object_modified_with_gpme_filter` - -[ESCU - Windows Defender ASR Audit Events - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This detection searches for Windows Defender ASR audit events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This detection searches for ASR audit events that are generated when a process or application attempts to perform an action that would be blocked by an ASR rule, but is allowed to proceed for auditing purposes. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1059", "T1566.001", "T1566.002"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This detection searches for Windows Defender ASR audit events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This detection searches for ASR audit events that are generated when a process or application attempts to perform an action that would be blocked by an ASR rule, but is allowed to proceed for auditing purposes. -action.escu.how_to_implement = The following analytic requires collection of Windows Defender Operational logs in either XML or multi-line. To collect, setup a new input for the Windows Defender Operational logs. In addition, it does require a lookup that maps the ID to ASR Rule name. Note that Audit and block Event IDs have different fields, therefore the analytic will need to be modified for each type of event. -action.escu.known_false_positives = False positives are expected from legitimate applications generating events that are similar to those generated by malicious activity. For example, Event ID 1122 is generated when a process attempts to load a DLL that is blocked by an ASR rule. This can be triggered by legitimate applications that attempt to load DLLs that are not blocked by ASR rules. This is audit only. -action.escu.creation_date = 2023-11-27 -action.escu.modification_date = 2023-11-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Defender ASR Audit Events - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Defender"] -action.escu.analytic_story = ["Windows Attack Surface Reduction"] -action.risk = 1 -action.risk.param._risk_message = ASR audit event, $ASR_Rule$, was triggered on $dest$. -action.risk.param._risk = [{"risk_object_field": "ASR_Rule", "risk_object_type": "other", "risk_score": 5}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 5}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Defender ASR Audit Events - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Attack Surface Reduction"], "cis20": ["CIS 10"], "confidence": 50, "impact": 10, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1059", "T1566.001", "T1566.002"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "0e4d46b1-22bd-4f0e-8337-ca6f60ad4bea", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `ms_defender` EventCode IN (1122, 1125, 1126, 1132, 1134) | stats count min(_time) as firstTime max(_time) as lastTime by host, Process_Name, Target_Commandline, Path, ID, EventCode | lookup asr_rules ID OUTPUT ASR_Rule | fillnull value=NULL | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| rename host as dest | `windows_defender_asr_audit_events_filter` - -[ESCU - Windows Defender ASR Block Events - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This detection searches for Windows Defender ASR block events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This detection searches for ASR block events that are generated when a process or application attempts to perform an action that is blocked by an ASR rule. Typically, these will be enabled in block most after auditing and tuning the ASR rules themselves. Set to TTP once tuned. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1059", "T1566.001", "T1566.002"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This detection searches for Windows Defender ASR block events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This detection searches for ASR block events that are generated when a process or application attempts to perform an action that is blocked by an ASR rule. Typically, these will be enabled in block most after auditing and tuning the ASR rules themselves. Set to TTP once tuned. -action.escu.how_to_implement = The following analytic requires collection of Windows Defender Operational logs in either XML or multi-line. To collect, setup a new input for the Windows Defender Operational logs. In addition, it does require a lookup that maps the ID to ASR Rule name. Note that Audit and block Event IDs have different fields, therefore the analytic will need to be modified for each type of event. -action.escu.known_false_positives = False positives are expected from legitimate applications generating events that are similar to those generated by malicious activity. For example, Event ID 1122 is generated when a process attempts to load a DLL that is blocked by an ASR rule. This can be triggered by legitimate applications that attempt to load DLLs that are not blocked by ASR rules. This is block only. -action.escu.creation_date = 2023-11-27 -action.escu.modification_date = 2023-11-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Defender ASR Block Events - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Defender"] -action.escu.analytic_story = ["Windows Attack Surface Reduction"] -action.risk = 1 -action.risk.param._risk_message = ASR block event, $ASR_Rule$, was triggered on $dest$. -action.risk.param._risk = [{"risk_object_field": "ASR_Rule", "risk_object_type": "other", "risk_score": 45}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 45}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Defender ASR Block Events - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Attack Surface Reduction"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1059", "T1566.001", "T1566.002"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "026f5f4e-e99f-4155-9e63-911ba587300b", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `ms_defender` EventCode IN (1121, 1126, 1129, 1131, 1133) | stats count min(_time) as firstTime max(_time) as lastTime by host, Path, Parent_Commandline, Process_Name, ID, EventCode | lookup asr_rules ID OUTPUT ASR_Rule | fillnull value=NULL | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| rename host as dest | `windows_defender_asr_block_events_filter` - -[ESCU - Windows Defender ASR Registry Modification - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This detection searches for Windows Defender ASR registry modification events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This detection searches for ASR registry modification events that are generated when a process or application attempts to modify a registry key that is blocked by an ASR rule. Typically, these will be enabled in block most after auditing and tuning the ASR rules themselves. Set to TTP once tuned. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This detection searches for Windows Defender ASR registry modification events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This detection searches for ASR registry modification events that are generated when a process or application attempts to modify a registry key that is blocked by an ASR rule. Typically, these will be enabled in block most after auditing and tuning the ASR rules themselves. Set to TTP once tuned. -action.escu.how_to_implement = The following analytic requires collection of Windows Defender Operational logs in either XML or multi-line. To collect, setup a new input for the Windows Defender Operational logs. In addition, it does require a lookup that maps the ID to ASR Rule name. -action.escu.known_false_positives = False positives are expected from legitimate applications generating events that are similar to those generated by malicious activity. For example, Event ID 5007 is generated when a process attempts to modify a registry key that is related to ASR rules. This can be triggered by legitimate applications that attempt to modify registry keys that are not blocked by ASR rules. -action.escu.creation_date = 2023-11-27 -action.escu.modification_date = 2023-11-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Defender ASR Registry Modification - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Defender"] -action.escu.analytic_story = ["Windows Attack Surface Reduction"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Defender ASR Registry Modification - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Attack Surface Reduction"], "cis20": ["CIS 10"], "confidence": 100, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "6a1b6cbe-6612-44c3-92b9-1a1bd77412eb", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `ms_defender` EventCode IN (5007) | rex field=New_Value "0x(?\\d+)$" | rex field=Old_Value "0x(?\\d+)$" | rex field=New_Value "Rules\\\\(?[A-Fa-f0-9\\-]+)\\s*=" | eval New_Registry_Value=case(New_Registry_Value=="0", "Disabled", New_Registry_Value=="1", "Block", New_Registry_Value=="2", "Audit", New_Registry_Value=="6", "Warn") | eval Old_Registry_Value=case(Old_Registry_Value=="0", "Disabled", Old_Registry_Value=="1", "Block", Old_Registry_Value=="2", "Audit", Old_Registry_Value=="6", "Warn") | stats count min(_time) as firstTime max(_time) as lastTime by host, New_Value, Old_Value, Old_Registry_Value, New_Registry_Value, ASR_ID | lookup asr_rules ID AS ASR_ID OUTPUT ASR_Rule | `security_content_ctime(firstTime)`| rename host as dest | `security_content_ctime(lastTime)` | `windows_defender_asr_registry_modification_filter` - -[ESCU - Windows Defender ASR Rule Disabled - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies when a Windows Defender ASR rule disabled events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This detection searches for ASR rule disabled events that are generated when an ASR rule is disabled. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies when a Windows Defender ASR rule disabled events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This detection searches for ASR rule disabled events that are generated when an ASR rule is disabled. -action.escu.how_to_implement = The following analytic requires collection of Windows Defender Operational logs in either XML or multi-line. To collect, setup a new input for the Windows Defender Operational logs. In addition, it does require a lookup that maps the ID to ASR Rule name. -action.escu.known_false_positives = False positives may occur if applications are typically disabling ASR rules in the environment. Monitor for changes to ASR rules to determine if this is a false positive. -action.escu.creation_date = 2023-11-27 -action.escu.modification_date = 2023-11-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Defender ASR Rule Disabled - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Defender"] -action.escu.analytic_story = ["Windows Attack Surface Reduction"] -action.risk = 1 -action.risk.param._risk_message = ASR rule disabled event, $ASR_Rule$, was triggered on $dest$. -action.risk.param._risk = [{"risk_object_field": "ASR_Rule", "risk_object_type": "other", "risk_score": 100}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 100}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Defender ASR Rule Disabled - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Attack Surface Reduction"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "429d611b-3183-49a7-b235-fc4203c4e1cb", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies when a Windows Defender ASR rule disabled events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This detection searches for ASR rule disabled events that are generated when an ASR rule is disabled. -action.notable.param.rule_title = Windows Defender ASR Rule Disabled -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `ms_defender` EventCode IN (5007) | rex field=New_Value "0x(?\\d+)$" | rex field=Old_Value "0x(?\\d+)$" | rex field=New_Value "Rules\\\\(?[A-Fa-f0-9\\-]+)\\s*=" | eval New_Registry_Value=case(New_Registry_Value=="0", "Disabled", New_Registry_Value=="1", "Block", New_Registry_Value=="2", "Audit", New_Registry_Value=="6", "Warn") | eval Old_Registry_Value=case(Old_Registry_Value=="0", "Disabled", Old_Registry_Value=="1", "Block", Old_Registry_Value=="2", "Audit", Old_Registry_Value=="6", "Warn") | search New_Registry_Value="Disabled" | stats count min(_time) as firstTime max(_time) as lastTime by host, New_Value, Old_Value, Old_Registry_Value, New_Registry_Value, ASR_ID | lookup asr_rules ID AS ASR_ID OUTPUT ASR_Rule | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| rename host as dest | `windows_defender_asr_rule_disabled_filter` - -[ESCU - Windows Defender ASR Rules Stacking - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This hunting analytic targets a range of security events from Microsoft Defender, focusing on the Exploit Guard and Attack Surface Reduction (ASR) features. It monitors specific Event IDs - Event IDs 1121 and 1126 indicate active blocking of unauthorized operations or dangerous network connections, whereas Event IDs 1122 and 1125 represent audit logs for similar activities. Event ID 1129 shows user overrides on blocked operations. For ASR-related activities, Event IDs 1131 and 1133 signal blocked operations, while 1132 and 1134 are audit logs. Event ID 5007 alerts on configuration changes, possibly indicating security breaches. \ -Additionally, the analytic utilizes a lookup to correlate ASR rule GUIDs with their descriptive names, enhancing understanding of the context behind these security alerts. This includes rules for blocking vulnerable drivers, restricting actions of Adobe Reader and Office applications, and protecting against various malware and unauthorized system changes. This comprehensive approach aids in assessing policy enforcement and potential security risks. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1566.001", "T1566.002", "T1059"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This hunting analytic targets a range of security events from Microsoft Defender, focusing on the Exploit Guard and Attack Surface Reduction (ASR) features. It monitors specific Event IDs - Event IDs 1121 and 1126 indicate active blocking of unauthorized operations or dangerous network connections, whereas Event IDs 1122 and 1125 represent audit logs for similar activities. Event ID 1129 shows user overrides on blocked operations. For ASR-related activities, Event IDs 1131 and 1133 signal blocked operations, while 1132 and 1134 are audit logs. Event ID 5007 alerts on configuration changes, possibly indicating security breaches. \ -Additionally, the analytic utilizes a lookup to correlate ASR rule GUIDs with their descriptive names, enhancing understanding of the context behind these security alerts. This includes rules for blocking vulnerable drivers, restricting actions of Adobe Reader and Office applications, and protecting against various malware and unauthorized system changes. This comprehensive approach aids in assessing policy enforcement and potential security risks. -action.escu.how_to_implement = The following analytic requires collection of Windows Defender Operational logs in either XML or multi-line. To collect, setup a new input for the Windows Defender Operational logs. In addition, it does require a lookup that maps the ID to ASR Rule name. Note that Audit and block Event IDs have different fields, therefore the analytic will need to be modified for each type of event. The analytic can be modified to look for specific ASR rules, or to look for specific Event IDs. EventID 5007 is a change in the registry, and may be a false positive. This can be removed from the search if desired. -action.escu.known_false_positives = False positives are not expected with this analytic, since it is a hunting analytic. It is meant to show the use of ASR rules and how they can be used to detect malicious activity. -action.escu.creation_date = 2023-11-20 -action.escu.modification_date = 2023-11-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Defender ASR Rules Stacking - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Defender"] -action.escu.analytic_story = ["Windows Attack Surface Reduction"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Defender ASR Rules Stacking - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Attack Surface Reduction"], "cis20": ["CIS 10"], "confidence": 100, "impact": 50, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1566.001", "T1566.002", "T1059"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "425a6657-c5e4-4cbb-909e-fc9e5d326f01", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `ms_defender` EventCode IN (1121, 1122, 1125, 1126, 1129, 1131, 1132, 1133, 1134, 5007) | stats count min(_time) as firstTime max(_time) as lastTime by host Parent_Commandline, Process_Name, Path, ID, EventCode | lookup asr_rules ID OUTPUT ASR_Rule | fillnull value=NULL | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| rename host as dest | `windows_defender_asr_rules_stacking_filter` - -[ESCU - Windows Defender Exclusion Registry Entry - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic will detect a suspicious process that modify a registry related to windows defender exclusion feature. This registry is abused by adversaries, malware author and red teams to bypassed Windows Defender Anti-Virus product by excluding folder path, file path, process, extensions and etc. from its real time or schedule scan to execute their malicious code. This is a good indicator for a defense evasion and to look further for events after this behavior. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic will detect a suspicious process that modify a registry related to windows defender exclusion feature. This registry is abused by adversaries, malware author and red teams to bypassed Windows Defender Anti-Virus product by excluding folder path, file path, process, extensions and etc. from its real time or schedule scan to execute their malicious code. This is a good indicator for a defense evasion and to look further for events after this behavior. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -action.escu.known_false_positives = admin or user may choose to use this windows features. -action.escu.creation_date = 2023-04-27 -action.escu.modification_date = 2023-04-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Defender Exclusion Registry Entry - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Azorult", "Qakbot", "Remcos", "Warzone RAT", "Windows Defense Evasion Tactics"] -action.risk = 1 -action.risk.param._risk_message = Exclusion registry $registry_path$ modified or added on $dest$ for Windows Defender -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Defender Exclusion Registry Entry - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azorult", "Qakbot", "Remcos", "Warzone RAT", "Windows Defense Evasion Tactics"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "13395a44-4dd9-11ec-9df7-acde48001122", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic will detect a suspicious process that modify a registry related to windows defender exclusion feature. This registry is abused by adversaries, malware author and red teams to bypassed Windows Defender Anti-Virus product by excluding folder path, file path, process, extensions and etc. from its real time or schedule scan to execute their malicious code. This is a good indicator for a defense evasion and to look further for events after this behavior. -action.notable.param.rule_title = Windows Defender Exclusion Registry Entry -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Exclusions\\*") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_defender_exclusion_registry_entry_filter` - -[ESCU - Windows Delete or Modify System Firewall - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic identifies potentially malicious 'netsh' processes that manipulate firewall configurations. This behavior has been observed in the NJRAT malware, which deletes its added firewall rules as part of its cleanup process. Leveraging this anomaly detection can be a valuable approach for detecting malware, such as NJRAT, that makes alterations to firewall configurations as a component of its malicious activities. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562", "T1562.004"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic identifies potentially malicious 'netsh' processes that manipulate firewall configurations. This behavior has been observed in the NJRAT malware, which deletes its added firewall rules as part of its cleanup process. Leveraging this anomaly detection can be a valuable approach for detecting malware, such as NJRAT, that makes alterations to firewall configurations as a component of its malicious activities. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrator may modify or delete firewall configuration. -action.escu.creation_date = 2023-09-08 -action.escu.modification_date = 2023-09-08 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Delete or Modify System Firewall - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["NjRAT"] -action.risk = 1 -action.risk.param._risk_message = A $process_name$ deleted a firewall configuration on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 36}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Delete or Modify System Firewall - Rule -action.correlationsearch.annotations = {"analytic_story": ["NjRAT"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562", "T1562.004"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "b188d11a-eba7-419d-b8b6-cc265b4f2c4f", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh` Processes.process = "* firewall *" Processes.process = "* delete *" by Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_delete_or_modify_system_firewall_filter` - -[ESCU - Windows Deleted Registry By A Non Critical Process File Path - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is to detect deletion of registry with suspicious process file path. This technique was seen in Double Zero wiper malware where it will delete all the subkey in HKLM, HKCU and HKU registry hive as part of its destructive payload to the targeted hosts. This anomaly detections can catch possible malware or advesaries deleting registry as part of defense evasion or even payload impact but can also catch for third party application updates or installation. In this scenario false positive filter is needed. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is to detect deletion of registry with suspicious process file path. This technique was seen in Double Zero wiper malware where it will delete all the subkey in HKLM, HKCU and HKU registry hive as part of its destructive payload to the targeted hosts. This anomaly detections can catch possible malware or advesaries deleting registry as part of defense evasion or even payload impact but can also catch for third party application updates or installation. In this scenario false positive filter is needed. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = This detection can catch for third party application updates or installation. In this scenario false positive filter is needed. -action.escu.creation_date = 2023-04-14 -action.escu.modification_date = 2023-04-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Deleted Registry By A Non Critical Process File Path - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Data Destruction", "Double Zero Destructor"] -action.risk = 1 -action.risk.param._risk_message = The registry was deleted by a suspicious process named $process_name$ with the process path $process_path$ on dest $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 36}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Deleted Registry By A Non Critical Process File Path - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Double Zero Destructor"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "15e70689-f55b-489e-8a80-6d0cd6d8aad2", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry WHERE Registry.action=deleted BY _time span=1h Registry.dest Registry.registry_path Registry.registry_value_name Registry.registry_key_name Registry.process_guid Registry.registry_value_data Registry.action | `drop_dm_object_name(Registry)` | join process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes WHERE NOT (Processes.process_path IN ("*\\windows\\*", "*\\program files*")) by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.user Processes.parent_process_name Processes.parent_process Processes.process_path Processes.process_guid | `drop_dm_object_name(Processes)`] | fields _time parent_process_name parent_process process_name process_path process process_guid registry_path registry_value_name registry_value_data registry_key_name action dest user | `windows_deleted_registry_by_a_non_critical_process_file_path_filter` - -[ESCU - Windows Disable Change Password Through Registry - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is to detect a suspicious registry modification to disable change password feature of the windows host. This registry modification may disables the Change Password button on the Windows Security dialog box (which appears when you press Ctrl+Alt+Del). As a result, users cannot change their Windows password on demand. This technique was seen in some malware family like ransomware to prevent the user to change the password after ownning the network or a system during attack. This windows feature may implemented by administrator to prevent normal user to change the password of a critical host or server, In this type of scenario filter is needed to minimized false positive. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint", "Change"] -action.escu.eli5 = This analytic is to detect a suspicious registry modification to disable change password feature of the windows host. This registry modification may disables the Change Password button on the Windows Security dialog box (which appears when you press Ctrl+Alt+Del). As a result, users cannot change their Windows password on demand. This technique was seen in some malware family like ransomware to prevent the user to change the password after ownning the network or a system during attack. This windows feature may implemented by administrator to prevent normal user to change the password of a critical host or server, In this type of scenario filter is needed to minimized false positive. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -action.escu.known_false_positives = This windows feature may implemented by administrator to prevent normal user to change the password of a critical host or server, In this type of scenario filter is needed to minimized false positive. -action.escu.creation_date = 2023-04-27 -action.escu.modification_date = 2023-04-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Disable Change Password Through Registry - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Ransomware", "Windows Defense Evasion Tactics"] -action.risk = 1 -action.risk.param._risk_message = Registry modification in "DisableChangePassword" on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Disable Change Password Through Registry - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Windows Defense Evasion Tactics"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "0df33e1a-9ef6-11ec-a1ad-acde48001122", "detection_version": "3"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableChangePassword" Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_change_password_through_registry_filter` - -[ESCU - Windows Disable Lock Workstation Feature Through Registry - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is to detect a suspicious registry modification to disable Lock Computer windows features. This registry modification prevent the user from locking its screen or computer that are being abused by several malware for example ransomware. This technique was used by threat actor to make its payload more impactful to the compromised host. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is to detect a suspicious registry modification to disable Lock Computer windows features. This registry modification prevent the user from locking its screen or computer that are being abused by several malware for example ransomware. This technique was used by threat actor to make its payload more impactful to the compromised host. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-04-27 -action.escu.modification_date = 2023-04-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Disable Lock Workstation Feature Through Registry - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Ransomware", "Windows Defense Evasion Tactics", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = Registry modification in "DisableLockWorkstation" on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Disable Lock Workstation Feature Through Registry - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c82adbc6-9f00-11ec-a81f-acde48001122", "detection_version": "3"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableLockWorkstation" Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_lock_workstation_feature_through_registry_filter` - -[ESCU - Windows Disable LogOff Button Through Registry - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is to detect a suspicious registry modification to disable logoff feature in windows host. This registry when enable will prevent users to log off of the system by using any method, including programs run from the command line, such as scripts. It also disables or removes all menu items and buttons that log the user off of the system. This technique was seen abused by ransomware malware to make the compromised host un-useful and hard to remove other registry modification made on the machine that needs restart to take effect. This windows feature may implement by administrator in some server where shutdown is critical. In that scenario filter of machine and users that can modify this registry is needed. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is to detect a suspicious registry modification to disable logoff feature in windows host. This registry when enable will prevent users to log off of the system by using any method, including programs run from the command line, such as scripts. It also disables or removes all menu items and buttons that log the user off of the system. This technique was seen abused by ransomware malware to make the compromised host un-useful and hard to remove other registry modification made on the machine that needs restart to take effect. This windows feature may implement by administrator in some server where shutdown is critical. In that scenario filter of machine and users that can modify this registry is needed. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -action.escu.known_false_positives = This windows feature may implement by administrator in some server where shutdown is critical. In that scenario filter of machine and users that can modify this registry is needed. -action.escu.creation_date = 2023-04-27 -action.escu.modification_date = 2023-04-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Disable LogOff Button Through Registry - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Ransomware", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = Registry modification in "NoLogOff" on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Disable LogOff Button Through Registry - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "b2fb6830-9ed1-11ec-9fcb-acde48001122", "detection_version": "3"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\*" Registry.registry_value_name IN ("NoLogOff", "StartMenuLogOff") Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_logoff_button_through_registry_filter` - -[ESCU - Windows Disable Memory Crash Dump - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a process that is attempting to disable the ability on Windows to generate a memory crash dump. This was recently identified being utilized by HermeticWiper. To disable crash dumps, the value must be set to 0. This feature is typically modified to perform a memory crash dump when a computer stops unexpectedly because of a Stop error (also known as a blue screen, system crash, or bug check). -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a process that is attempting to disable the ability on Windows to generate a memory crash dump. This was recently identified being utilized by HermeticWiper. To disable crash dumps, the value must be set to 0. This feature is typically modified to perform a memory crash dump when a computer stops unexpectedly because of a Stop error (also known as a blue screen, system crash, or bug check). -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` and `Registry` node. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-04-27 -action.escu.modification_date = 2023-04-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Disable Memory Crash Dump - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Data Destruction", "Hermetic Wiper", "Ransomware", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = A process was identified attempting to disable memory crash dumps on $dest$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 90}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 90}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Disable Memory Crash Dump - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Ransomware", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "59e54602-9680-11ec-a8a6-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a process that is attempting to disable the ability on Windows to generate a memory crash dump. This was recently identified being utilized by HermeticWiper. To disable crash dumps, the value must be set to 0. This feature is typically modified to perform a memory crash dump when a computer stops unexpectedly because of a Stop error (also known as a blue screen, system crash, or bug check). -action.notable.param.rule_title = Windows Disable Memory Crash Dump -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry where (Registry.registry_path="*\\CurrentControlSet\\Control\\CrashControl\\CrashDumpEnabled") AND Registry.registry_value_data="0x00000000" by _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_memory_crash_dump_filter` - -[ESCU - Windows Disable Notification Center - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following search identifies a modification of registry to disable the windows notification center feature in a windows host machine. This registry modification removes notification and action center from the notification area on the task bar. This modification are seen in RAT malware to cover their tracks upon downloading other of its component or other payload. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following search identifies a modification of registry to disable the windows notification center feature in a windows host machine. This registry modification removes notification and action center from the notification area on the task bar. This modification are seen in RAT malware to cover their tracks upon downloading other of its component or other payload. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -action.escu.known_false_positives = admin or user may choose to disable this windows features. -action.escu.creation_date = 2023-12-27 -action.escu.modification_date = 2023-12-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Disable Notification Center - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["CISA AA23-347A", "Windows Defense Evasion Tactics", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = The Windows notification center was disabled on $dest$ by $user$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 48}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 48}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Disable Notification Center - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "1cd983c8-8fd6-11ec-a09d-acde48001122", "detection_version": "3"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_value_name= "DisableNotificationCenter" Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_notification_center_filter` - -[ESCU - Windows Disable or Modify Tools Via Taskkill - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is designed to identify potentially malicious processes that terminate other processes using taskkill.exe. This technique has been observed in various malware instances, employed by adversaries and red teamers alike, to forcibly terminate other processes whether they be security products or other legitimate applications as part of their malicious activities. Detecting this anomaly serves as a valuable alert mechanism to identify suspicious processes or malware attempting to evade detection and disrupt system stability. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562", "T1562.001"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is designed to identify potentially malicious processes that terminate other processes using taskkill.exe. This technique has been observed in various malware instances, employed by adversaries and red teamers alike, to forcibly terminate other processes whether they be security products or other legitimate applications as part of their malicious activities. Detecting this anomaly serves as a valuable alert mechanism to identify suspicious processes or malware attempting to evade detection and disrupt system stability. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Network administrator can use this application to kill process during audit or investigation. -action.escu.creation_date = 2023-09-13 -action.escu.modification_date = 2023-09-13 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Disable or Modify Tools Via Taskkill - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["NjRAT"] -action.risk = 1 -action.risk.param._risk_message = A taskkill process to terminate process is executed on host- $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 36}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 36}, {"threat_object_field": "parent_process_name", "threat_object_type": "process"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Disable or Modify Tools Via Taskkill - Rule -action.correlationsearch.annotations = {"analytic_story": ["NjRAT"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562", "T1562.001"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a43ae66f-c410-4b3d-8741-9ce1ad17ddb0", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "taskkill.exe" Processes.process IN ("* /f*", "* /t*") Processes.process IN ("* /im*", "* /pid*") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.process_guid Processes.user Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_or_modify_tools_via_taskkill_filter` - -[ESCU - Windows Disable Shutdown Button Through Registry - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is to detect a suspicious registry modification to disable shutdown button on the logon user. This technique was seen in several malware especially in ransomware family like killdisk malware variant to make the compromised host un-useful and hard to remove other registry modification made on the machine that needs restart to take effect. This windows feature may implement by administrator in some server where shutdown is critical. In that scenario filter of machine and users that can modify this registry is needed. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is to detect a suspicious registry modification to disable shutdown button on the logon user. This technique was seen in several malware especially in ransomware family like killdisk malware variant to make the compromised host un-useful and hard to remove other registry modification made on the machine that needs restart to take effect. This windows feature may implement by administrator in some server where shutdown is critical. In that scenario filter of machine and users that can modify this registry is needed. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -action.escu.known_false_positives = This windows feature may implement by administrator in some server where shutdown is critical. In that scenario filter of machine and users that can modify this registry is needed. -action.escu.creation_date = 2023-04-27 -action.escu.modification_date = 2023-04-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Disable Shutdown Button Through Registry - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Ransomware", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = Registry modification in "shutdownwithoutlogon" on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Disable Shutdown Button Through Registry - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "55fb2958-9ecd-11ec-a06a-acde48001122", "detection_version": "3"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE ((Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\shutdownwithoutlogon" Registry.registry_value_data = "0x00000000") OR (Registry.registry_path="*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoClose" Registry.registry_value_data = "0x00000001")) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_shutdown_button_through_registry_filter` - -[ESCU - Windows Disable Windows Event Logging Disable HTTP Logging - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the use of AppCmd.exe to disable HTTP logging on IIS servers. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution events where AppCmd.exe is used with specific parameters to alter logging settings. This activity is significant because disabling HTTP logging can help adversaries hide their tracks and avoid detection by removing evidence of their actions. If confirmed malicious, this could allow attackers to operate undetected, making it difficult to trace their activities and respond to the intrusion effectively. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1562.002", "T1562", "T1505", "T1505.004"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the use of AppCmd.exe to disable HTTP logging on IIS servers. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution events where AppCmd.exe is used with specific parameters to alter logging settings. This activity is significant because disabling HTTP logging can help adversaries hide their tracks and avoid detection by removing evidence of their actions. If confirmed malicious, this could allow attackers to operate undetected, making it difficult to trace their activities and respond to the intrusion effectively. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives may be present only if scripts or Administrators are disabling logging. Filter as needed by parent process or other. -action.escu.creation_date = 2024-05-12 -action.escu.modification_date = 2024-05-12 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Disable Windows Event Logging Disable HTTP Logging - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["CISA AA23-347A", "IIS Components", "Windows Defense Evasion Tactics"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to disable IIS HTTP Logging. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 64}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Disable Windows Event Logging Disable HTTP Logging - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A", "IIS Components", "Windows Defense Evasion Tactics"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1562.002", "T1562", "T1505", "T1505.004"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "23fb6787-255f-4d5b-9a66-9fd7504032b5", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the use of AppCmd.exe to disable HTTP logging on IIS servers. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution events where AppCmd.exe is used with specific parameters to alter logging settings. This activity is significant because disabling HTTP logging can help adversaries hide their tracks and avoid detection by removing evidence of their actions. If confirmed malicious, this could allow attackers to operate undetected, making it difficult to trace their activities and respond to the intrusion effectively. -action.notable.param.rule_title = Windows Disable Windows Event Logging Disable HTTP Logging -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where NOT (Processes.parent_process_name IN ("msiexec.exe", "iissetup.exe")) Processes.process_name=appcmd.exe Processes.process IN ("*set config*", "*httplogging*","*dontlog:true*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_windows_event_logging_disable_http_logging_filter` - -[ESCU - Windows Disable Windows Group Policy Features Through Registry - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is to detect a suspicious registry modification to disable windows features. These techniques are seen in several ransomware malware to impair the compromised host to make it hard for analyst to mitigate or response from the attack. Disabling these known features make the analysis and forensic response more hard. Disabling these feature is not so common but can still be implemented by the administrator for security purposes. In this scenario filters for users that are allowed doing this is needed. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is to detect a suspicious registry modification to disable windows features. These techniques are seen in several ransomware malware to impair the compromised host to make it hard for analyst to mitigate or response from the attack. Disabling these known features make the analysis and forensic response more hard. Disabling these feature is not so common but can still be implemented by the administrator for security purposes. In this scenario filters for users that are allowed doing this is needed. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -action.escu.known_false_positives = Disabling these features for legitimate purposes is not a common use case but can still be implemented by the administrators. Filter as needed. -action.escu.creation_date = 2023-12-27 -action.escu.modification_date = 2023-12-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Disable Windows Group Policy Features Through Registry - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["CISA AA23-347A", "Ransomware", "Windows Defense Evasion Tactics", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = Registry modification to disable windows group policy features on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Disable Windows Group Policy Features Through Registry - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A", "Ransomware", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "63a449ae-9f04-11ec-945e-acde48001122", "detection_version": "4"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\*" OR Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\*" Registry.registry_value_name IN ("NoDesktop", "NoFind", "NoControlPanel", "NoFileMenu", "NoSetTaskbar", "NoTrayContextMenu", "TaskbarLockAll", "NoThemesTab","NoPropertiesMyDocuments","NoVisualStyleChoice","NoColorChoice","NoPropertiesMyDocuments") Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_windows_group_policy_features_through_registry_filter` - -[ESCU - Windows DisableAntiSpyware Registry - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The search looks for the Registry Key DisableAntiSpyware set to disable. This is consistent with Ryuk infections across a fleet of endpoints. This particular behavior is typically executed when an ransomware actor gains access to an endpoint and beings to perform execution. Usually, a batch (.bat) will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. Endpoint should be isolated. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The search looks for the Registry Key DisableAntiSpyware set to disable. This is consistent with Ryuk infections across a fleet of endpoints. This particular behavior is typically executed when an ransomware actor gains access to an endpoint and beings to perform execution. Usually, a batch (.bat) will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. Endpoint should be isolated. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -action.escu.known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search. -action.escu.creation_date = 2023-12-27 -action.escu.modification_date = 2023-12-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows DisableAntiSpyware Registry - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Azorult", "CISA AA22-264A", "CISA AA23-347A", "RedLine Stealer", "Ryuk Ransomware", "Windows Defense Evasion Tactics", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = Windows DisableAntiSpyware registry key set to 'disabled' on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 24}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows DisableAntiSpyware Registry - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azorult", "CISA AA22-264A", "CISA AA23-347A", "RedLine Stealer", "Ryuk Ransomware", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 80, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "23150a40-9301-4195-b802-5bb4f43067fb", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The search looks for the Registry Key DisableAntiSpyware set to disable. This is consistent with Ryuk infections across a fleet of endpoints. This particular behavior is typically executed when an ransomware actor gains access to an endpoint and beings to perform execution. Usually, a batch (.bat) will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. Endpoint should be isolated. -action.notable.param.rule_title = Windows DisableAntiSpyware Registry -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_value_name="DisableAntiSpyware" AND Registry.registry_value_data="0x00000001" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_disableantispyware_registry_filter` - -[ESCU - Windows DiskCryptor Usage - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies DiskCryptor process name of dcrypt.exe or internal name dcinst.exe. This utility has been utilized by adversaries to encrypt disks manually during an operation. In addition, during install, a dcrypt.sys driver is installed and requires a reboot in order to take effect. There are no command-line arguments used. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1486"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies DiskCryptor process name of dcrypt.exe or internal name dcinst.exe. This utility has been utilized by adversaries to encrypt disks manually during an operation. In addition, during install, a dcrypt.sys driver is installed and requires a reboot in order to take effect. There are no command-line arguments used. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = It is possible false positives may be present based on the internal name dcinst.exe, filter as needed. It may be worthy to alert on the service name. -action.escu.creation_date = 2021-11-15 -action.escu.modification_date = 2021-11-15 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows DiskCryptor Usage - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Ransomware"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows DiskCryptor Usage - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1486"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "d56fe0c8-4650-11ec-a8fa-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="dcrypt.exe" OR Processes.original_file_name=dcinst.exe) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_diskcryptor_usage_filter` - -[ESCU - Windows Diskshadow Proxy Execution - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = DiskShadow.exe is a Microsoft Signed binary present on Windows Server. It has a scripting mode intended for complex scripted backup operations. This feature also allows for execution of arbitrary unsigned code. This analytic looks for the usage of the scripting mode flags in executions of DiskShadow. During triage, compare to known backup behavior in your environment and then review the scripts called by diskshadow. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = DiskShadow.exe is a Microsoft Signed binary present on Windows Server. It has a scripting mode intended for complex scripted backup operations. This feature also allows for execution of arbitrary unsigned code. This analytic looks for the usage of the scripting mode flags in executions of DiskShadow. During triage, compare to known backup behavior in your environment and then review the scripts called by diskshadow. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators using the DiskShadow tool in their infrastructure as a main backup tool with scripts will cause false positives that can be filtered with `windows_diskshadow_proxy_execution_filter` -action.escu.creation_date = 2022-02-15 -action.escu.modification_date = 2022-02-15 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Diskshadow Proxy Execution - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Living Off The Land"] -action.risk = 1 -action.risk.param._risk_message = Possible Signed Binary Proxy Execution on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Diskshadow Proxy Execution - Rule -action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "58adae9e-8ea3-11ec-90f6-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = DiskShadow.exe is a Microsoft Signed binary present on Windows Server. It has a scripting mode intended for complex scripted backup operations. This feature also allows for execution of arbitrary unsigned code. This analytic looks for the usage of the scripting mode flags in executions of DiskShadow. During triage, compare to known backup behavior in your environment and then review the scripts called by diskshadow. -action.notable.param.rule_title = Windows Diskshadow Proxy Execution -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_diskshadow` (Processes.process=*-s* OR Processes.process=*/s*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_diskshadow_proxy_execution_filter` - -[ESCU - Windows DISM Remove Defender - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the use of `dism.exe` to remove Windows Defender. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that include specific parameters for disabling and removing Windows Defender. This activity is significant because adversaries may disable Defender to evade detection and carry out further malicious actions undetected. If confirmed malicious, this could lead to the attacker gaining persistent access, executing additional payloads, or exfiltrating sensitive data without being intercepted by Windows Defender. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the use of `dism.exe` to remove Windows Defender. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that include specific parameters for disabling and removing Windows Defender. This activity is significant because adversaries may disable Defender to evade detection and carry out further malicious actions undetected. If confirmed malicious, this could lead to the attacker gaining persistent access, executing additional payloads, or exfiltrating sensitive data without being intercepted by Windows Defender. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Some legitimate administrative tools leverage `dism.exe` to manipulate packages and features of the operating system. Filter as needed. -action.escu.creation_date = 2024-05-17 -action.escu.modification_date = 2024-05-17 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows DISM Remove Defender - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["CISA AA23-347A", "Windows Defense Evasion Tactics"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to disable Windows Defender. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows DISM Remove Defender - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A", "Windows Defense Evasion Tactics"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "8567da9e-47f0-11ec-99a9-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the use of `dism.exe` to remove Windows Defender. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that include specific parameters for disabling and removing Windows Defender. This activity is significant because adversaries may disable Defender to evade detection and carry out further malicious actions undetected. If confirmed malicious, this could lead to the attacker gaining persistent access, executing additional payloads, or exfiltrating sensitive data without being intercepted by Windows Defender. -action.notable.param.rule_title = Windows DISM Remove Defender -action.notable.param.security_domain = access -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=dism.exe (Processes.process="*/online*" AND Processes.process="*/disable-feature*" AND Processes.process="*Windows-Defender*" AND Processes.process="*/remove*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_dism_remove_defender_filter` - -[ESCU - Windows DLL Search Order Hijacking Hunt with Sysmon - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This hunting analytic identifies known Windows libraries potentially used in DLL search order hijacking or DLL Sideloading scenarios. Such cases may necessitate recompiling the DLL, relocating the DLL, or moving the vulnerable process. The query searches for any processes running outside of system32 or syswow64 directories. Certain libraries inherently operate from different application paths and must be added to the exclusion list as required. The lookup includes Microsoft native libraries cataloged in the Hijacklibs.net project. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.001", "T1574"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This hunting analytic identifies known Windows libraries potentially used in DLL search order hijacking or DLL Sideloading scenarios. Such cases may necessitate recompiling the DLL, relocating the DLL, or moving the vulnerable process. The query searches for any processes running outside of system32 or syswow64 directories. Certain libraries inherently operate from different application paths and must be added to the exclusion list as required. The lookup includes Microsoft native libraries cataloged in the Hijacklibs.net project. -action.escu.how_to_implement = The search is written against the latest Sysmon TA 4.0 https://splunkbase.splunk.com/app/5709. For this specific event ID 7, the sysmon TA will extract the ImageLoaded name to the loaded_file field which is used in the search to compare against the hijacklibs lookup. -action.escu.known_false_positives = False positives will be present based on paths. Filter or add other paths to the exclusion as needed. Some applications may legitimately load libraries from non-standard paths. -action.escu.creation_date = 2024-03-17 -action.escu.modification_date = 2024-03-17 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows DLL Search Order Hijacking Hunt with Sysmon - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["Living Off The Land", "Qakbot", "Windows Defense Evasion Tactics"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows DLL Search Order Hijacking Hunt with Sysmon - Rule -action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land", "Qakbot", "Windows Defense Evasion Tactics"], "cis20": ["CIS 10"], "confidence": 10, "impact": 10, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.001", "T1574"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "79c7d1fc-64c7-91be-a616-ccda752efe81", "detection_version": "4"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=7 NOT (process_path IN ("*\\system32\\*", "*\\syswow64\\*","*\\winsxs\\*","*\\wbem\\*")) | lookup hijacklibs library AS loaded_file OUTPUT islibrary | search islibrary = True | stats count min(_time) as firstTime max(_time) as lastTime values(process_name) as process_name by _time dest loaded_file | `windows_dll_search_order_hijacking_hunt_with_sysmon_filter` - -[ESCU - Windows DLL Search Order Hijacking with iscsicpl - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a recently disclosed search ordler DLL hijack in iscsicpl.exe. The malicious DLL must be in a new path and iscsicpl.exe, upon load, will execute the payload. The analytic is restricted to Windows shells. Two proof of concepts were identified and utilized to determine the behavior. The command-line is an option to go after, but most likely identifying a child process off iscsicpl.exe will be more effective. Monitoring for suspicious DLL loads is also an option. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.001"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a recently disclosed search ordler DLL hijack in iscsicpl.exe. The malicious DLL must be in a new path and iscsicpl.exe, upon load, will execute the payload. The analytic is restricted to Windows shells. Two proof of concepts were identified and utilized to determine the behavior. The command-line is an option to go after, but most likely identifying a child process off iscsicpl.exe will be more effective. Monitoring for suspicious DLL loads is also an option. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives may be present, filtering may be required. Remove the Windows Shells macro to determine if other utilities are using iscsicpl.exe. -action.escu.creation_date = 2022-07-29 -action.escu.modification_date = 2022-07-29 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows DLL Search Order Hijacking with iscsicpl - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Living Off The Land", "Windows Defense Evasion Tactics"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to elevate access. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 64}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows DLL Search Order Hijacking with iscsicpl - Rule -action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land", "Windows Defense Evasion Tactics"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "f39ee679-3b1e-4f47-841c-5c3c580acda2", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a recently disclosed search ordler DLL hijack in iscsicpl.exe. The malicious DLL must be in a new path and iscsicpl.exe, upon load, will execute the payload. The analytic is restricted to Windows shells. Two proof of concepts were identified and utilized to determine the behavior. The command-line is an option to go after, but most likely identifying a child process off iscsicpl.exe will be more effective. Monitoring for suspicious DLL loads is also an option. -action.notable.param.rule_title = Windows DLL Search Order Hijacking with iscsicpl -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=iscsicpl.exe `windows_shells` by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_dll_search_order_hijacking_with_iscsicpl_filter` - -[ESCU - Windows DLL Side-Loading In Calc - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies suspicious DLL modules loaded by calc.exe that are not in windows %systemroot%\system32 or %systemroot%\sysWoW64 folder. This technique is well used by Qakbot malware to execute its malicious DLL file via dll side loading technique in calc process execution. This TTP detection is a good indicator that a suspicious dll was loaded in a public or non-common installation folder of Windows Operating System that needs further investigation. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.002", "T1574"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies suspicious DLL modules loaded by calc.exe that are not in windows %systemroot%\system32 or %systemroot%\sysWoW64 folder. This technique is well used by Qakbot malware to execute its malicious DLL file via dll side loading technique in calc process execution. This TTP detection is a good indicator that a suspicious dll was loaded in a public or non-common installation folder of Windows Operating System that needs further investigation. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on processes that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2022-10-24 -action.escu.modification_date = 2022-10-24 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows DLL Side-Loading In Calc - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["Qakbot"] -action.risk = 1 -action.risk.param._risk_message = a dll modules is loaded by calc.exe in $ImageLoaded$ that are not in common windows OS installation folder in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 90}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows DLL Side-Loading In Calc - Rule -action.correlationsearch.annotations = {"analytic_story": ["Qakbot"], "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.002", "T1574"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "af01f6db-26ac-440e-8d89-2793e303f137", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies suspicious DLL modules loaded by calc.exe that are not in windows %systemroot%\system32 or %systemroot%\sysWoW64 folder. This technique is well used by Qakbot malware to execute its malicious DLL file via dll side loading technique in calc process execution. This TTP detection is a good indicator that a suspicious dll was loaded in a public or non-common installation folder of Windows Operating System that needs further investigation. -action.notable.param.rule_title = Windows DLL Side-Loading In Calc -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=7 Image = "*\calc.exe" AND NOT (Image IN ("*:\\windows\\system32\\*", "*:\\windows\\sysWow64\\*")) AND NOT(ImageLoaded IN("*:\\windows\\system32\\*", "*:\\windows\\sysWow64\\*", "*:\\windows\\WinSXS\\*")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded OriginalFileName Product process_name dest EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_dll_side_loading_in_calc_filter` - -[ESCU - Windows DLL Side-Loading Process Child Of Calc - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the suspicious child process of calc.exe due to dll side loading technique to execute another executable. This technique was seen in qakbot malware that uses dll side loading technique to calc applications to load its malicious dll code. The malicious dll that abuses dll side loading technique will load the actual qakbot loader dll using regsvr32.exe application. This TTP is a good indicator of qakbot since the calc.exe will not load other child processes aside from win32calc.exe. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.002", "T1574"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the suspicious child process of calc.exe due to dll side loading technique to execute another executable. This technique was seen in qakbot malware that uses dll side loading technique to calc applications to load its malicious dll code. The malicious dll that abuses dll side loading technique will load the actual qakbot loader dll using regsvr32.exe application. This TTP is a good indicator of qakbot since the calc.exe will not load other child processes aside from win32calc.exe. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2022-10-20 -action.escu.modification_date = 2022-10-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows DLL Side-Loading Process Child Of Calc - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Qakbot"] -action.risk = 1 -action.risk.param._risk_message = calc.exe has a child process $process_name$ in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 81}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows DLL Side-Loading Process Child Of Calc - Rule -action.correlationsearch.annotations = {"analytic_story": ["Qakbot"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.002", "T1574"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "295ca9ed-e97b-4520-90f7-dfb6469902e1", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name = "calc.exe") AND Processes.process_name != "win32calc.exe" by Processes.parent_process Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_dll_side_loading_process_child_of_calc_filter` - -[ESCU - Windows DNS Gather Network Info - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a process command line used to enumerate DNS records. Adversaries, threat actors, or red teamers may employ this technique to gather information about a victim's DNS, which can be utilized during targeting. This method was also observed as part of a tool used by the Sandworm APT group in a geopolitical cyber warfare attack. By using the dnscmd.exe Windows application, an attacker can enumerate DNS records for specific domains within the targeted network, potentially aiding in further attacks. This anomaly detection can serve as a valuable starting point for identifying users and hostnames that may be compromised or targeted by adversaries seeking to collect data information. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Reconnaissance"], "mitre_attack": ["T1590.002"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a process command line used to enumerate DNS records. Adversaries, threat actors, or red teamers may employ this technique to gather information about a victim's DNS, which can be utilized during targeting. This method was also observed as part of a tool used by the Sandworm APT group in a geopolitical cyber warfare attack. By using the dnscmd.exe Windows application, an attacker can enumerate DNS records for specific domains within the targeted network, potentially aiding in further attacks. This anomaly detection can serve as a valuable starting point for identifying users and hostnames that may be compromised or targeted by adversaries seeking to collect data information. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = network administrator can execute this command to enumerate DNS record. Filter or add other paths to the exclusion as needed. -action.escu.creation_date = 2023-04-05 -action.escu.modification_date = 2023-04-05 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows DNS Gather Network Info - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Sandworm Tools", "Volt Typhoon"] -action.risk = 1 -action.risk.param._risk_message = A process commandline $process$ to enumerate dns record in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows DNS Gather Network Info - Rule -action.correlationsearch.annotations = {"analytic_story": ["Sandworm Tools", "Volt Typhoon"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Reconnaissance"], "mitre_attack": ["T1590.002"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "347e0892-e8f3-4512-afda-dc0e3fa996f3", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "dnscmd.exe" Processes.process = "* /enumrecords *" by Processes.parent_process Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_dns_gather_network_info_filter` - -[ESCU - Windows DnsAdmins New Member Added - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic leverages Event ID 4732 to identify the addition of a new member to the DnsAdmins group within Active Directory. . Members of the DnsAdmin group can manage the DNS service which most of the times runs on the Domain Controller. By abusing legitimate DNS management functionality, a member of the DnsAdmins group can escalate privileges by executing malicious code on a Domain Controller as SYSTEM. Security teams should monitor the modification of the DnsAdmins group and validate the changes are legitimate. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic leverages Event ID 4732 to identify the addition of a new member to the DnsAdmins group within Active Directory. . Members of the DnsAdmin group can manage the DNS service which most of the times runs on the Domain Controller. By abusing legitimate DNS management functionality, a member of the DnsAdmins group can escalate privileges by executing malicious code on a Domain Controller as SYSTEM. Security teams should monitor the modification of the DnsAdmins group and validate the changes are legitimate. -action.escu.how_to_implement = To successfully implement this search, Domain Controller events need to be ingested. The Advanced Security Audit policy setting `Audit Security Group Management` within `Account Management` needs to be enabled. -action.escu.known_false_positives = New members can be added to the DnsAdmins group as part of legitimate administrative tasks. Filter as needed. -action.escu.creation_date = 2023-11-07 -action.escu.modification_date = 2023-11-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows DnsAdmins New Member Added - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = A new member $user$ added to the DnsAdmins group by $src_user$ -action.risk.param._risk = [{"risk_object_field": "src_user", "risk_object_type": "user", "risk_score": 40}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows DnsAdmins New Member Added - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "27e600aa-77f8-4614-bc80-2662a67e2f48", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic leverages Event ID 4732 to identify the addition of a new member to the DnsAdmins group within Active Directory. . Members of the DnsAdmin group can manage the DNS service which most of the times runs on the Domain Controller. By abusing legitimate DNS management functionality, a member of the DnsAdmins group can escalate privileges by executing malicious code on a Domain Controller as SYSTEM. Security teams should monitor the modification of the DnsAdmins group and validate the changes are legitimate. -action.notable.param.rule_title = Windows DnsAdmins New Member Added -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4732 TargetUserName=DnsAdmins | stats min(_time) as firstTime max(_time) as lastTime values(TargetUserName) as target_users_added values(user) as user by dest src_user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_dnsadmins_new_member_added_filter` - -[ESCU - Windows Domain Account Discovery Via Get-NetComputer - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic leverages Event ID 4104 to identify the execution of the PowerView powershell commandlets Get-NetComputer. This technique was seen used in the context of PowerView's Get-NetUser cmdlet as a filter or parameter to query Active Directory user account's "samccountname", "accountexpires", "lastlogon" and so on. This hunting query is a good pivot to look for suspicious process or malware that gather user account information in a host or within network system. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.002"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic leverages Event ID 4104 to identify the execution of the PowerView powershell commandlets Get-NetComputer. This technique was seen used in the context of PowerView's Get-NetUser cmdlet as a filter or parameter to query Active Directory user account's "samccountname", "accountexpires", "lastlogon" and so on. This hunting query is a good pivot to look for suspicious process or malware that gather user account information in a host or within network system. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.= -action.escu.known_false_positives = Administrators may leverage PowerView for legitimate purposes, filter as needed. -action.escu.creation_date = 2023-12-15 -action.escu.modification_date = 2023-12-15 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Domain Account Discovery Via Get-NetComputer - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["CISA AA23-347A"] -action.risk = 1 -action.risk.param._risk_message = Windows Domain Account Discovery Via Get-NetComputer in $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 15}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Domain Account Discovery Via Get-NetComputer - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.002"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a7fbbc4e-4571-424a-b627-6968e1c939e4", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText = "*Get-NetComputer*" ScriptBlockText IN ("*samaccountname*", "*accountexpires*", "*lastlogon*", "*lastlogoff*", "*pwdlastset*", "*logoncount*") | rename Computer as dest, UserID as user | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_domain_account_discovery_via_get_netcomputer_filter` - -[ESCU - Windows Domain Admin Impersonation Indicator - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies potential Kerberos ticket forging attacks, specifically the Diamond Ticket attack. This is detected when a user logs into a host and the GroupMembership field in event 4627 indicates a privileged group (e.g., Domain Admins), but the user does not actually belong to that group in the directory service. The detection leverages Windows Security Event Log 4627, which logs account logon events. The analytic cross-references the GroupMembership field from the event against a pre-populated lookup of actual group memberships. Its crucial to note that the accuracy and effectiveness of this detection heavily rely on the users diligence in populating and regularly updating this lookup table. Any discrepancies between the events GroupMembership and the lookup indicate potential ticket forging. Kerberos ticket forging, especially the Diamond Ticket attack, allows attackers to impersonate any user and potentially gain unauthorized access to resources. By forging a ticket that indicates membership in a privileged group, an attacker can bypass security controls and gain elevated privileges. Detecting such discrepancies in group memberships during logon events can be a strong indicator of this attack in progress, making it crucial for security teams to monitor and investigate. If validated as a true positive, this indicates that an attacker has successfully forged a Kerberos ticket and may have gained unauthorized access to critical resources, potentially with elevated privileges. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies potential Kerberos ticket forging attacks, specifically the Diamond Ticket attack. This is detected when a user logs into a host and the GroupMembership field in event 4627 indicates a privileged group (e.g., Domain Admins), but the user does not actually belong to that group in the directory service. The detection leverages Windows Security Event Log 4627, which logs account logon events. The analytic cross-references the GroupMembership field from the event against a pre-populated lookup of actual group memberships. Its crucial to note that the accuracy and effectiveness of this detection heavily rely on the users diligence in populating and regularly updating this lookup table. Any discrepancies between the events GroupMembership and the lookup indicate potential ticket forging. Kerberos ticket forging, especially the Diamond Ticket attack, allows attackers to impersonate any user and potentially gain unauthorized access to resources. By forging a ticket that indicates membership in a privileged group, an attacker can bypass security controls and gain elevated privileges. Detecting such discrepancies in group memberships during logon events can be a strong indicator of this attack in progress, making it crucial for security teams to monitor and investigate. If validated as a true positive, this indicates that an attacker has successfully forged a Kerberos ticket and may have gained unauthorized access to critical resources, potentially with elevated privileges. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Authentication events across all endpoints and ingest Event Id 4627. Specifically, the Audit Group Membership subcategory within the Logon Logooff category needs to be enabled. Its crucial to note that the accuracy and effectiveness of this detection heavily rely on the users diligence in populating and regularly updating this lookup table. -action.escu.known_false_positives = False positives may trigger the detections certain scenarios like directory service delays or out of date lookups. Filter as needed. -action.escu.creation_date = 2023-10-06 -action.escu.modification_date = 2023-10-06 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Domain Admin Impersonation Indicator - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Kerberos Attacks", "Active Directory Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = $TargetUserName$ may be impersonating a Domain Administrator through a forged Kerberos ticket. -action.risk.param._risk = [{"risk_object_field": "TargetUserName", "risk_object_type": "user", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Domain Admin Impersonation Indicator - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "10381f93-6d38-470a-9c30-d25478e3bd3f", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies potential Kerberos ticket forging attacks, specifically the Diamond Ticket attack. This is detected when a user logs into a host and the GroupMembership field in event 4627 indicates a privileged group (e.g., Domain Admins), but the user does not actually belong to that group in the directory service. The detection leverages Windows Security Event Log 4627, which logs account logon events. The analytic cross-references the GroupMembership field from the event against a pre-populated lookup of actual group memberships. Its crucial to note that the accuracy and effectiveness of this detection heavily rely on the users diligence in populating and regularly updating this lookup table. Any discrepancies between the events GroupMembership and the lookup indicate potential ticket forging. Kerberos ticket forging, especially the Diamond Ticket attack, allows attackers to impersonate any user and potentially gain unauthorized access to resources. By forging a ticket that indicates membership in a privileged group, an attacker can bypass security controls and gain elevated privileges. Detecting such discrepancies in group memberships during logon events can be a strong indicator of this attack in progress, making it crucial for security teams to monitor and investigate. If validated as a true positive, this indicates that an attacker has successfully forged a Kerberos ticket and may have gained unauthorized access to critical resources, potentially with elevated privileges. -action.notable.param.rule_title = Windows Domain Admin Impersonation Indicator -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4627 LogonType=3 NOT TargetUserName IN ("*$", "SYSTEM", "DWM-*","LOCAL SERVICE","NETWORK SERVICE", "ANONYMOUS LOGON", "UMFD-*") | where match(GroupMembership, "Domain Admins") | stats count by _time, TargetUserName, GroupMembership, host | lookup domain_admins username as TargetUserName OUTPUT username | fillnull value=NotDA username | search username = "NotDA" | `windows_domain_admin_impersonation_indicator_filter` - -[ESCU - Windows DotNet Binary in Non Standard Path - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies native .net binaries within the Windows operating system that may be abused by adversaries by moving it to a new directory. The analytic identifies the .net binary by using a lookup and compares the process name and original file name (internal name). The analytic utilizes a lookup with the is_net_windows_file_macro macro to identify the binary process name and original file name. if one or the other matches an alert will be generated. Adversaries abuse these binaries as they are native to windows and native DotNet. Note that not all SDK (post install of Windows) are captured in the lookup. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036", "T1036.003", "T1218", "T1218.004"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies native .net binaries within the Windows operating system that may be abused by adversaries by moving it to a new directory. The analytic identifies the .net binary by using a lookup and compares the process name and original file name (internal name). The analytic utilizes a lookup with the is_net_windows_file_macro macro to identify the binary process name and original file name. if one or the other matches an alert will be generated. Adversaries abuse these binaries as they are native to windows and native DotNet. Note that not all SDK (post install of Windows) are captured in the lookup. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives may be present and filtering may be required. Certain utilities will run from non-standard paths based on the third-party application in use. -action.escu.creation_date = 2023-04-14 -action.escu.modification_date = 2023-04-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows DotNet Binary in Non Standard Path - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Data Destruction", "Masquerading - Rename System Utilities", "Ransomware", "Signed Binary Proxy Execution InstallUtil", "Unusual Processes", "WhisperGate"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ from a non-standard path was identified on endpoint $dest$ by user $user$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 49}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows DotNet Binary in Non Standard Path - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Masquerading - Rename System Utilities", "Ransomware", "Signed Binary Proxy Execution InstallUtil", "Unusual Processes", "WhisperGate"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036", "T1036.003", "T1218", "T1218.004"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "fddf3b56-7933-11ec-98a6-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies native .net binaries within the Windows operating system that may be abused by adversaries by moving it to a new directory. The analytic identifies the .net binary by using a lookup and compares the process name and original file name (internal name). The analytic utilizes a lookup with the is_net_windows_file_macro macro to identify the binary process name and original file name. if one or the other matches an alert will be generated. Adversaries abuse these binaries as they are native to windows and native DotNet. Note that not all SDK (post install of Windows) are captured in the lookup. -action.notable.param.rule_title = Windows DotNet Binary in Non Standard Path -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where NOT (Processes.process_path IN ("*\\Windows\\ADWS\\*","*\\Windows\\SysWOW64*", "*\\Windows\\system32*", "*\\Windows\\NetworkController\\*", "*\\Windows\\SystemApps\\*", "*\\WinSxS\\*", "*\\Windows\\Microsoft.NET\\*")) by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_path Processes.process_id Processes.parent_process_id | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `is_net_windows_file_macro` | `windows_dotnet_binary_in_non_standard_path_filter` - -[ESCU - Windows Driver Inventory - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following hunting / inventory query assists defenders in identifying Drivers being loaded across the fleet. This query relies upon a PowerShell script input to be deployed to critical systems and beyond. If capturing all via the input, this will provide retrospection into drivers persisting. Note, that this is not perfect across a large fleet. Modify the query as you need to view the data differently. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following hunting / inventory query assists defenders in identifying Drivers being loaded across the fleet. This query relies upon a PowerShell script input to be deployed to critical systems and beyond. If capturing all via the input, this will provide retrospection into drivers persisting. Note, that this is not perfect across a large fleet. Modify the query as you need to view the data differently. -action.escu.how_to_implement = To capture the drivers by host, utilize the referenced Gist to create the inputs, props and transforms. Otherwise, this hunt query will not work. -action.escu.known_false_positives = Filter and modify the analytic as you'd like. Filter based on path. Remove the system32\drivers and look for non-standard paths. -action.escu.creation_date = 2023-02-03 -action.escu.modification_date = 2023-02-03 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Driver Inventory - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Windows Drivers"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Windows Driver Inventory - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Drivers"], "cis20": ["CIS 10"], "confidence": 10, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "f87aa96b-369b-4a3e-9021-1bbacbfcb8fb", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `driverinventory` | stats values(Path) min(_time) as firstTime max(_time) as lastTime count by host DriverType | rename host as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_driver_inventory_filter` - -[ESCU - Windows Driver Load Non-Standard Path - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic uses Windows EventCode 7045 to identify new Kernel Mode Drivers being loaded in Windows from a non-standard path. Note that, adversaries may move malicious or vulnerable drivers into these paths and load up. The idea is that this analytic provides visibility into drivers loading in non-standard file paths. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1014", "T1068"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic uses Windows EventCode 7045 to identify new Kernel Mode Drivers being loaded in Windows from a non-standard path. Note that, adversaries may move malicious or vulnerable drivers into these paths and load up. The idea is that this analytic provides visibility into drivers loading in non-standard file paths. -action.escu.how_to_implement = To implement this analytic, the Windows EventCode 7045 will need to be logged. The Windows TA for Splunk is also recommended. -action.escu.known_false_positives = False positives may be present based on legitimate third party applications needing to install drivers. Filter, or allow list known good drivers consistently being installed in these paths. -action.escu.creation_date = 2023-02-24 -action.escu.modification_date = 2023-02-24 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Driver Load Non-Standard Path - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["AgentTesla", "BlackByte Ransomware", "CISA AA22-320A", "Windows Drivers"] -action.risk = 1 -action.risk.param._risk_message = A kernel mode driver was loaded from a non-standard path on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 36}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Driver Load Non-Standard Path - Rule -action.correlationsearch.annotations = {"analytic_story": ["AgentTesla", "BlackByte Ransomware", "CISA AA22-320A", "Windows Drivers"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1014", "T1068"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "9216ef3d-066a-4958-8f27-c84589465e62", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic uses Windows EventCode 7045 to identify new Kernel Mode Drivers being loaded in Windows from a non-standard path. Note that, adversaries may move malicious or vulnerable drivers into these paths and load up. The idea is that this analytic provides visibility into drivers loading in non-standard file paths. -action.notable.param.rule_title = Windows Driver Load Non-Standard Path -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_system` EventCode=7045 ServiceType="kernel mode driver" NOT (ImagePath IN ("*\\Windows\\*", "*\\Program File*", "*\\systemroot\\*","%SystemRoot%*", "system32\*")) | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ImagePath ServiceName ServiceType | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_driver_load_non_standard_path_filter` - -[ESCU - Windows Drivers Loaded by Signature - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic assists with viewing all drivers being loaded by using Sysmon EventCode 6 (Driver Load). Sysmon provides some simple fields to assist with identifying suspicious drivers. Use this analytic to look at prevalence of driver (count), path of driver, signature status and hash. Review these fields with scrutiny until the ability to prove the driver is legitimate and has a purpose in the environment. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1014", "T1068"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic assists with viewing all drivers being loaded by using Sysmon EventCode 6 (Driver Load). Sysmon provides some simple fields to assist with identifying suspicious drivers. Use this analytic to look at prevalence of driver (count), path of driver, signature status and hash. Review these fields with scrutiny until the ability to prove the driver is legitimate and has a purpose in the environment. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have the latest version of the Sysmon TA. Most EDR products provide the ability to review driver loads, or module loads, and using a query as such help with hunting for malicious drivers. -action.escu.known_false_positives = This analytic is meant to assist with identifying drivers loaded in the environment and not to be setup for notables off the bat. -action.escu.creation_date = 2022-03-30 -action.escu.modification_date = 2022-03-30 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Drivers Loaded by Signature - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["AgentTesla", "BlackByte Ransomware", "CISA AA22-320A", "Windows Drivers"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Drivers Loaded by Signature - Rule -action.correlationsearch.annotations = {"analytic_story": ["AgentTesla", "BlackByte Ransomware", "CISA AA22-320A", "Windows Drivers"], "cis20": ["CIS 10"], "confidence": 70, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1014", "T1068"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "d2d4af6a-6c2b-4d79-80c5-fc2cf12a2f68", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=6 | stats min(_time) as firstTime max(_time) as lastTime values(ImageLoaded) count by dest Signed Signature service_signature_verified service_signature_exists Hashes | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_drivers_loaded_by_signature_filter` - -[ESCU - Windows Enable Win32 ScheduledJob via Registry - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic searches for a registry modification that enables the use of the at.exe or wmi Win32_ScheduledJob command to add scheduled tasks on a Windows endpoint. Specifically, it looks for the creation of a new DWORD value named "EnableAt" in the following registry path: "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Configuration". If this value is set to 1, it enables the at.exe and wmi Win32_ScheduledJob commands to schedule tasks on the system. Detecting this registry modification is important because it may indicate that an attacker has enabled the ability to add scheduled tasks to the system, which can be used to execute malicious code at specific times or intervals. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.005"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic searches for a registry modification that enables the use of the at.exe or wmi Win32_ScheduledJob command to add scheduled tasks on a Windows endpoint. Specifically, it looks for the creation of a new DWORD value named "EnableAt" in the following registry path: "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Configuration". If this value is set to 1, it enables the at.exe and wmi Win32_ScheduledJob commands to schedule tasks on the system. Detecting this registry modification is important because it may indicate that an attacker has enabled the ability to add scheduled tasks to the system, which can be used to execute malicious code at specific times or intervals. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -action.escu.known_false_positives = In some cases, an automated script or system may enable this setting continuously, leading to false positives. To avoid such situations, it is recommended to monitor the frequency and context of the registry modification and modify or filter the detection rules as needed. This can help to reduce the number of false positives and ensure that only genuine threats are identified. Additionally, it is important to investigate any detected instances of this modification and analyze them in the broader context of the system and network to determine if further action is necessary. -action.escu.creation_date = 2023-03-27 -action.escu.modification_date = 2023-03-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Enable Win32 ScheduledJob via Registry - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Lateral Movement", "Scheduled Tasks"] -action.risk = 1 -action.risk.param._risk_message = A process has modified the schedule task registry value - EnableAt - on endpoint $dest$ by user $user$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Enable Win32 ScheduledJob via Registry - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.005"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "12c80db8-ef62-4456-92df-b23e1b3219f6", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\CurrentVersion\\Schedule\\Configuration*" Registry.registry_value_name=EnableAt by Registry.dest, Registry.user, Registry.registry_value_name, Registry.registry_value_type | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `windows_enable_win32_scheduledjob_via_registry_filter` - -[ESCU - Windows Event For Service Disabled - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic will identify suspicious system event of services that was modified from start to disabled. This technique is seen where the adversary attempts to disable security app services, other malware services to evade the defense systems on the compromised host -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic will identify suspicious system event of services that was modified from start to disabled. This technique is seen where the adversary attempts to disable security app services, other malware services to evade the defense systems on the compromised host -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints. -action.escu.known_false_positives = Windows service update may cause this event. In that scenario, filtering is needed. -action.escu.creation_date = 2024-04-26 -action.escu.modification_date = 2024-04-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Event For Service Disabled - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["RedLine Stealer", "Windows Defense Evasion Tactics"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Event For Service Disabled - Rule -action.correlationsearch.annotations = {"analytic_story": ["RedLine Stealer", "Windows Defense Evasion Tactics"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "9c2620a8-94a1-11ec-b40c-acde48001122", "detection_version": "3"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_system` EventCode=7040 EventData_Xml="*disabled*" | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode Name UserID service ServiceName | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_event_for_service_disabled_filter` - -[ESCU - Windows Event Log Cleared - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic utilizes Windows Security Event ID 1102 or System log event 104 to identify when a Windows event log is cleared. Note that this analytic will require tuning or restricted to specific endpoints based on criticality. During triage, based on time of day and user, determine if this was planned. If not planned, follow through with reviewing parallel alerts and other data sources to determine what else may have occurred. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070", "T1070.001"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic utilizes Windows Security Event ID 1102 or System log event 104 to identify when a Windows event log is cleared. Note that this analytic will require tuning or restricted to specific endpoints based on criticality. During triage, based on time of day and user, determine if this was planned. If not planned, follow through with reviewing parallel alerts and other data sources to determine what else may have occurred. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Windows event logs from your hosts. In addition, the Splunk Windows TA is needed. -action.escu.known_false_positives = It is possible that these logs may be legitimately cleared by Administrators. Filter as needed. -action.escu.creation_date = 2024-04-26 -action.escu.modification_date = 2024-04-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Event Log Cleared - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["CISA AA22-264A", "Clop Ransomware", "Ransomware", "Windows Log Manipulation"] -action.risk = 1 -action.risk.param._risk_message = Windows event logs cleared on $dest$ via EventCode $EventCode$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 70}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Event Log Cleared - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA22-264A", "Clop Ransomware", "Ransomware", "Windows Log Manipulation"], "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070", "T1070.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "ad517544-aff9-4c96-bd99-d6eb43bfbb6a", "detection_version": "7"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic utilizes Windows Security Event ID 1102 or System log event 104 to identify when a Windows event log is cleared. Note that this analytic will require tuning or restricted to specific endpoints based on criticality. During triage, based on time of day and user, determine if this was planned. If not planned, follow through with reviewing parallel alerts and other data sources to determine what else may have occurred. -action.notable.param.rule_title = Windows Event Log Cleared -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = (`wineventlog_security` EventCode=1102) OR (`wineventlog_system` EventCode=104) | stats count min(_time) as firstTime max(_time) as lastTime by dest name EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_event_log_cleared_filter` - -[ESCU - Windows Event Triggered Image File Execution Options Injection - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following hunting analytic identifies EventCode 3000 in Application channel indicating a process exit. This behavior is based on process names being added to the Image File Execution Options under HKLM \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ and \SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit. Once these are set for a process, an eventcode 3000 will generate. The example used is from Thinkst Canary where a CanaryToken is setup to monitor for a commonly abused living off the land binary (ex. Klist.exe) and generate an event when it occurs. This can be seen as settings traps to monitor for suspicious behavior. Monitor and tune this hunting analytic and setup traps across your organization and begin monitoring. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1546.012"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following hunting analytic identifies EventCode 3000 in Application channel indicating a process exit. This behavior is based on process names being added to the Image File Execution Options under HKLM \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ and \SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit. Once these are set for a process, an eventcode 3000 will generate. The example used is from Thinkst Canary where a CanaryToken is setup to monitor for a commonly abused living off the land binary (ex. Klist.exe) and generate an event when it occurs. This can be seen as settings traps to monitor for suspicious behavior. Monitor and tune this hunting analytic and setup traps across your organization and begin monitoring. -action.escu.how_to_implement = This analytic requires capturing the Windows Event Log Application channel in XML. -action.escu.known_false_positives = False positives may be present and tuning will be required before turning into a TTP or notable. -action.escu.creation_date = 2022-09-08 -action.escu.modification_date = 2022-09-08 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Event Triggered Image File Execution Options Injection - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Windows Persistence Techniques"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Event Triggered Image File Execution Options Injection - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1546.012"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "f7abfab9-12ea-44e8-8745-475f9ca6e0a4", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_application` EventCode=3000 | rename param1 AS "Process" param2 AS "Exit_Code" | stats count min(_time) as firstTime max(_time) as lastTime by Process Exit_Code dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_event_triggered_image_file_execution_options_injection_filter` - -[ESCU - Windows Excessive Disabled Services Event - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic will identify suspicious excessive number of system events of services that was modified from start to disabled. This technique is seen where the adversary attempts to disable security app services, other malware services oer serve as an destructive impact to complete the objective on the compromised system. One good example for this scenario is Olympic destroyer where it disable all active services in the compromised host as part of its destructive impact and defense evasion. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic will identify suspicious excessive number of system events of services that was modified from start to disabled. This technique is seen where the adversary attempts to disable security app services, other malware services oer serve as an destructive impact to complete the objective on the compromised system. One good example for this scenario is Olympic destroyer where it disable all active services in the compromised host as part of its destructive impact and defense evasion. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints. -action.escu.known_false_positives = Unknown -action.escu.creation_date = 2024-04-26 -action.escu.modification_date = 2024-04-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Excessive Disabled Services Event - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["CISA AA23-347A", "Windows Defense Evasion Tactics"] -action.risk = 1 -action.risk.param._risk_message = An excessive number (Count - $MessageCount$) of Windows services were disabled on dest - $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 81}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Excessive Disabled Services Event - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A", "Windows Defense Evasion Tactics"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c3f85976-94a5-11ec-9a58-acde48001122", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic will identify suspicious excessive number of system events of services that was modified from start to disabled. This technique is seen where the adversary attempts to disable security app services, other malware services oer serve as an destructive impact to complete the objective on the compromised system. One good example for this scenario is Olympic destroyer where it disable all active services in the compromised host as part of its destructive impact and defense evasion. -action.notable.param.rule_title = Windows Excessive Disabled Services Event -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_system` EventCode=7040 "disabled" | stats count values(EventData_Xml) as MessageList dc(EventData_Xml) as MessageCount min(_time) as firstTime max(_time) as lastTime by Computer EventCode UserID | rename Computer as dest | where count >=10 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_excessive_disabled_services_event_filter` - -[ESCU - Windows Executable in Loaded Modules - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic identifies potentially malicious 'ImageLoaded' events, particularly when they involve executable files. This behavior was observed in NjRAT instances, where, during each instance of loading a module from its C2 server onto the compromised host, Sysmon recorded the path of the actual Image or Process as an 'ImageLoaded' event, rather than the typical tracking of dynamically loaded DLL modules in memory. This event holds significance because it tracks processes that load modules and libraries, which are typically in the .dll format rather than .exe. Leveraging this 'Time-To-Perform' (TTP) detection method can prove invaluable for the identification of NjRAT malware or other malicious software instances that introduce executable files as modules within a targeted host. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1129"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic identifies potentially malicious 'ImageLoaded' events, particularly when they involve executable files. This behavior was observed in NjRAT instances, where, during each instance of loading a module from its C2 server onto the compromised host, Sysmon recorded the path of the actual Image or Process as an 'ImageLoaded' event, rather than the typical tracking of dynamically loaded DLL modules in memory. This event holds significance because it tracks processes that load modules and libraries, which are typically in the .dll format rather than .exe. Leveraging this 'Time-To-Perform' (TTP) detection method can prove invaluable for the identification of NjRAT malware or other malicious software instances that introduce executable files as modules within a targeted host. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -action.escu.known_false_positives = unknown. -action.escu.creation_date = 2023-09-12 -action.escu.modification_date = 2023-09-12 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Executable in Loaded Modules - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["NjRAT"] -action.risk = 1 -action.risk.param._risk_message = An executable $ImageLoaded$ loaded by $Image$ on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Executable in Loaded Modules - Rule -action.correlationsearch.annotations = {"analytic_story": ["NjRAT"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1129"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "3e27af56-fcf0-4113-988d-24969b062be7", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic identifies potentially malicious 'ImageLoaded' events, particularly when they involve executable files. This behavior was observed in NjRAT instances, where, during each instance of loading a module from its C2 server onto the compromised host, Sysmon recorded the path of the actual Image or Process as an 'ImageLoaded' event, rather than the typical tracking of dynamically loaded DLL modules in memory. This event holds significance because it tracks processes that load modules and libraries, which are typically in the .dll format rather than .exe. Leveraging this 'Time-To-Perform' (TTP) detection method can prove invaluable for the identification of NjRAT malware or other malicious software instances that introduce executable files as modules within a targeted host. -action.notable.param.rule_title = Windows Executable in Loaded Modules -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=7 ImageLoaded= *.exe | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded Signed SignatureStatus OriginalFileName process_name Computer EventCode ProcessId Hashes IMPHASH | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_executable_in_loaded_modules_filter` - -[ESCU - Windows Execute Arbitrary Commands with MSDT - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a recently disclosed arbitraty command execution using Windows msdt.exe - a Diagnostics Troubleshooting Wizard. The sample identified will use the ms-msdt:/ protocol handler to load msdt.exe to retrieve a remote payload. During triage, review file modifications for html. Identify parallel process execution that may be related, including an Office Product. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a recently disclosed arbitraty command execution using Windows msdt.exe - a Diagnostics Troubleshooting Wizard. The sample identified will use the ms-msdt:/ protocol handler to load msdt.exe to retrieve a remote payload. During triage, review file modifications for html. Identify parallel process execution that may be related, including an Office Product. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives may be present, filter as needed. Added .xml to potentially capture any answer file usage. Remove as needed. -action.escu.creation_date = 2022-06-29 -action.escu.modification_date = 2022-06-29 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Execute Arbitrary Commands with MSDT - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190"] -action.risk = 1 -action.risk.param._risk_message = A parent process $parent_process_name$ has spawned a child process $process_name$ on host $dest$ possibly indicative of indirect command execution. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 100}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 100}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 100}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 100}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Execute Arbitrary Commands with MSDT - Rule -action.correlationsearch.annotations = {"analytic_story": ["Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2022-30190"], "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e1d5145f-38fe-42b9-a5d5-457796715f97", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a recently disclosed arbitraty command execution using Windows msdt.exe - a Diagnostics Troubleshooting Wizard. The sample identified will use the ms-msdt:/ protocol handler to load msdt.exe to retrieve a remote payload. During triage, review file modifications for html. Identify parallel process execution that may be related, including an Office Product. -action.notable.param.rule_title = Windows Execute Arbitrary Commands with MSDT -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=msdt.exe Processes.process IN ("*msdt*","*ms-msdt:*","*ms-msdt:/id*","*ms-msdt:-id*","*/id*") AND (Processes.process="*IT_BrowseForFile=*" OR Processes.process="*IT_RebrowseForFile=*" OR Processes.process="*.xml*") AND Processes.process="*PCWDiagnostic*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_execute_arbitrary_commands_with_msdt_filter` - -[ESCU - Windows Exfiltration Over C2 Via Invoke RestMethod - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the potential exfiltration of data using PowerShell's Invoke-RestMethod. This technique was observed in the Winter-Vivern malware, which uploads desktop screenshots and files from compromised or targeted hosts. Detecting this TTP can serve as a valuable indicator that a process is attempting to upload files to an external or internal URI link. We recommend examining the process, the files it is trying to upload, and the URL link or C2 destination where the data is being uploaded. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1041"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies the potential exfiltration of data using PowerShell's Invoke-RestMethod. This technique was observed in the Winter-Vivern malware, which uploads desktop screenshots and files from compromised or targeted hosts. Detecting this TTP can serve as a valuable indicator that a process is attempting to upload files to an external or internal URI link. We recommend examining the process, the files it is trying to upload, and the URL link or C2 destination where the data is being uploaded. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = False positives should be limited. Filter as needed. -action.escu.creation_date = 2023-04-05 -action.escu.modification_date = 2023-04-05 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Exfiltration Over C2 Via Invoke RestMethod - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Winter Vivern"] -action.risk = 1 -action.risk.param._risk_message = A PowerShell script on $Computer$ is attempting to transfer files to a remote URL. -action.risk.param._risk = [{"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Exfiltration Over C2 Via Invoke RestMethod - Rule -action.correlationsearch.annotations = {"analytic_story": ["Winter Vivern"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1041"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "06ade821-f6fa-40d0-80af-15bc1d45b3ba", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the potential exfiltration of data using PowerShell's Invoke-RestMethod. This technique was observed in the Winter-Vivern malware, which uploads desktop screenshots and files from compromised or targeted hosts. Detecting this TTP can serve as a valuable indicator that a process is attempting to upload files to an external or internal URI link. We recommend examining the process, the files it is trying to upload, and the URL link or C2 destination where the data is being uploaded. -action.notable.param.rule_title = Windows Exfiltration Over C2 Via Invoke RestMethod -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText = "*Invoke-RestMethod *" AND ScriptBlockText = "* -Uri *" AND ScriptBlockText = "* -Method *" AND ScriptBlockText = "* Post *" AND ScriptBlockText = "* -InFile *" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_exfiltration_over_c2_via_invoke_restmethod_filter` - -[ESCU - Windows Exfiltration Over C2 Via Powershell UploadString - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies potential data exfiltration using the PowerShell net.webclient command. This technique was observed in the Winter-Vivern malware, which uploads desktop screenshots and files from compromised or targeted hosts. Detecting this TTP can serve as a valuable indicator that a process is attempting to upload files to an external or internal URI link. We recommend examining the process, the files it is trying to upload, and the URL link or C2 destination where the data is being uploaded. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1041"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies potential data exfiltration using the PowerShell net.webclient command. This technique was observed in the Winter-Vivern malware, which uploads desktop screenshots and files from compromised or targeted hosts. Detecting this TTP can serve as a valuable indicator that a process is attempting to upload files to an external or internal URI link. We recommend examining the process, the files it is trying to upload, and the URL link or C2 destination where the data is being uploaded. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = False positives should be limited. Filter as needed. -action.escu.creation_date = 2023-04-05 -action.escu.modification_date = 2023-04-05 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Exfiltration Over C2 Via Powershell UploadString - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Winter Vivern"] -action.risk = 1 -action.risk.param._risk_message = A PowerShell script on $Computer$ is attempting to transfer files to a remote URL. -action.risk.param._risk = [{"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Exfiltration Over C2 Via Powershell UploadString - Rule -action.correlationsearch.annotations = {"analytic_story": ["Winter Vivern"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1041"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "59e8bf41-7472-412a-90d3-00f3afa452e9", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies potential data exfiltration using the PowerShell net.webclient command. This technique was observed in the Winter-Vivern malware, which uploads desktop screenshots and files from compromised or targeted hosts. Detecting this TTP can serve as a valuable indicator that a process is attempting to upload files to an external or internal URI link. We recommend examining the process, the files it is trying to upload, and the URL link or C2 destination where the data is being uploaded. -action.notable.param.rule_title = Windows Exfiltration Over C2 Via Powershell UploadString -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText = "*Net.webclient*" AND ScriptBlockText = "*.UploadString*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_exfiltration_over_c2_via_powershell_uploadstring_filter` - -[ESCU - Windows Export Certificate - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies when a certificate is exported from the Windows Certificate Store. This analytic utilizes the Certificates Lifecycle log channel event ID 1007. EventID 1007 is focused on the Export of a certificate from the local certificate store. In addition, review the ProcessName field as it will help to determine automation/Admin or adversary extracting the certificate. Depending on the organization, the certificate may be used for authentication to the VPN or private resources. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.004", "T1552", "T1649"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies when a certificate is exported from the Windows Certificate Store. This analytic utilizes the Certificates Lifecycle log channel event ID 1007. EventID 1007 is focused on the Export of a certificate from the local certificate store. In addition, review the ProcessName field as it will help to determine automation/Admin or adversary extracting the certificate. Depending on the organization, the certificate may be used for authentication to the VPN or private resources. -action.escu.how_to_implement = To implement this analytic, you must collect Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational or Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational. -action.escu.known_false_positives = False positives may be generated based on an automated process or service that exports certificates on the regular. Review is required before setting to alert. Monitor for abnormal processes performing an export. -action.escu.creation_date = 2023-02-11 -action.escu.modification_date = 2023-02-11 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Export Certificate - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Windows Certificate Services"] -action.risk = 1 -action.risk.param._risk_message = An certificate was exported on $dest$ from the Windows Certificate Store. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 36}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Export Certificate - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Certificate Services"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.004", "T1552", "T1649"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "d8ddfa9b-b724-4df9-9dbe-f34cc0936714", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `certificateservices_lifecycle` EventCode=1007 | xmlkv UserData_Xml | stats count min(_time) as firstTime max(_time) as lastTime by Computer, SubjectName, UserData_Xml | rename Computer as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_export_certificate_filter` - -[ESCU - Windows File Share Discovery With Powerview - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the use of the Invoke-ShareFinder PowerShell commandlet part of PowerView. This module obtains the list of all active domain computers and lists the active shares on each computer. Network file shares in Active Directory environments may contain sensitive information like backups, scripts, credentials, etc. Adversaries who have obtained a foothold in an AD network may leverage PowerView to identify secrets and leverage them for Privilege Escalation or Lateral Movement. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1135"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies the use of the Invoke-ShareFinder PowerShell commandlet part of PowerView. This module obtains the list of all active domain computers and lists the active shares on each computer. Network file shares in Active Directory environments may contain sensitive information like backups, scripts, credentials, etc. Adversaries who have obtained a foothold in an AD network may leverage PowerView to identify secrets and leverage them for Privilege Escalation or Lateral Movement. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.= -action.escu.known_false_positives = Security teams may leverage PowerView proactively to identify and remediate sensitive file shares. Filter as needed. -action.escu.creation_date = 2023-03-20 -action.escu.modification_date = 2023-03-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows File Share Discovery With Powerview - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Discovery", "Active Directory Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = Invoke-ShareFinder commandlet was executed on $Computer$ -action.risk.param._risk = [{"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 48}, {"risk_object_field": "UserID", "risk_object_type": "user", "risk_score": 48}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows File Share Discovery With Powerview - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1135"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a44c0be1-d7ab-41e4-92fd-aa9af4fe232c", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the use of the Invoke-ShareFinder PowerShell commandlet part of PowerView. This module obtains the list of all active domain computers and lists the active shares on each computer. Network file shares in Active Directory environments may contain sensitive information like backups, scripts, credentials, etc. Adversaries who have obtained a foothold in an AD network may leverage PowerView to identify secrets and leverage them for Privilege Escalation or Lateral Movement. -action.notable.param.rule_title = Windows File Share Discovery With Powerview -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 (ScriptBlockText=Invoke-ShareFinder*) | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_file_share_discovery_with_powerview_filter` - -[ESCU - Windows File Transfer Protocol In Non-Common Process Path - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a possible windows application having a FTP connection in a non common installation path in windows operating system.This network protocol is being used by adversaries, threat actors and malware like AgentTesla as a Command And Control communication to transfer its collected stolen information like the desktop screenshots, browser information and system information of a targeted or compromised host. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1071.003", "T1071"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies a possible windows application having a FTP connection in a non common installation path in windows operating system.This network protocol is being used by adversaries, threat actors and malware like AgentTesla as a Command And Control communication to transfer its collected stolen information like the desktop screenshots, browser information and system information of a targeted or compromised host. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and sysmon eventcode = 3 connection events from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -action.escu.known_false_positives = third party application may use this network protocol as part of its feature. Filter is needed. -action.escu.creation_date = 2022-09-16 -action.escu.modification_date = 2022-09-16 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows File Transfer Protocol In Non-Common Process Path - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["AgentTesla", "Snake Keylogger"] -action.risk = 1 -action.risk.param._risk_message = a process $Image$ is having a FTP connection to $DestinationHostname$ in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 9}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows File Transfer Protocol In Non-Common Process Path - Rule -action.correlationsearch.annotations = {"analytic_story": ["AgentTesla", "Snake Keylogger"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1071.003", "T1071"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "0f43758f-1fe9-470a-a9e4-780acc4d5407", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=3 NOT(Image IN("*\\program files*", "*\\windows\\system32\\*","*\\windows\\SysWOW64\\*")) (DestinationPortName="ftp" OR DestinationPort=21) | stats count min(_time) as firstTime max(_time) as lastTime by Image DestinationPort DestinationPortName DestinationHostname DestinationIp SourcePort SourcePortName Protocol SourceHostname dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_file_transfer_protocol_in_non_common_process_path_filter` - -[ESCU - Windows File Without Extension In Critical Folder - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is to look for suspicious file creation in the critical folder like "System32\Drivers" folder without file extension. This artifacts was seen in latest hermeticwiper where it drops its driver component in Driver Directory both the compressed(without file extension) and the actual driver component (with .sys file extension). This TTP is really a good indication that a host might be compromised by this destructive malware that wipes the boot sector of the system. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is to look for suspicious file creation in the critical folder like "System32\Drivers" folder without file extension. This artifacts was seen in latest hermeticwiper where it drops its driver component in Driver Directory both the compressed(without file extension) and the actual driver component (with .sys file extension). This TTP is really a good indication that a host might be compromised by this destructive malware that wipes the boot sector of the system. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. -action.escu.known_false_positives = Unknown at this point -action.escu.creation_date = 2023-04-14 -action.escu.modification_date = 2023-04-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows File Without Extension In Critical Folder - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Data Destruction", "Hermetic Wiper"] -action.risk = 1 -action.risk.param._risk_message = Driver file with out file extension drop in $file_path$ in $dest$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 90}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows File Without Extension In Critical Folder - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Hermetic Wiper"], "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "0dbcac64-963c-11ec-bf04-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic is to look for suspicious file creation in the critical folder like "System32\Drivers" folder without file extension. This artifacts was seen in latest hermeticwiper where it drops its driver component in Driver Directory both the compressed(without file extension) and the actual driver component (with .sys file extension). This TTP is really a good indication that a host might be compromised by this destructive malware that wipes the boot sector of the system. -action.notable.param.rule_title = Windows File Without Extension In Critical Folder -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*\\System32\\drivers\\*", "*\\syswow64\\drivers\\*") by _time span=5m Filesystem.dest Filesystem.user Filesystem.file_name Filesystem.file_path Filesystem.process_guid Filesystem.file_create_time | `drop_dm_object_name(Filesystem)` | rex field="file_name" "\.(?[^\.]*$)" | where isnull(extension) | join process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes by _time span=5m Processes.process_name Processes.dest Processes.process_guid Processes.user | `drop_dm_object_name(Processes)`] | stats count min(_time) as firstTime max(_time) as lastTime by dest process_name process_guid file_name file_path file_create_time user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_file_without_extension_in_critical_folder_filter` - -[ESCU - Windows Files and Dirs Access Rights Modification Via Icacls - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic aims to identify potential adversaries who manipulate the security permissions of specific files or directories. This technique is frequently observed in the tradecraft of Advanced Persistent Threats (APTs) and coinminer scripts. By modifying the security permissions, adversaries seek to evade detection and impede access to their component files. Such actions indicate a deliberate effort to maintain control over compromised systems and hinder investigation or remediation efforts. Detecting these security permission changes can serve as a valuable indicator of an ongoing attack and enable timely response to mitigate the impact of the adversary's activities. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222.001", "T1222"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic aims to identify potential adversaries who manipulate the security permissions of specific files or directories. This technique is frequently observed in the tradecraft of Advanced Persistent Threats (APTs) and coinminer scripts. By modifying the security permissions, adversaries seek to evade detection and impede access to their component files. Such actions indicate a deliberate effort to maintain control over compromised systems and hinder investigation or remediation efforts. Detecting these security permission changes can serve as a valuable indicator of an ongoing attack and enable timely response to mitigate the impact of the adversary's activities. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Unknown. It is possible some administrative scripts use ICacls. Filter as needed. -action.escu.creation_date = 2023-06-06 -action.escu.modification_date = 2023-06-06 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Files and Dirs Access Rights Modification Via Icacls - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.atomic_red_team_guids = ["3309f53e-b22b-4eb6-8fd2-a6cf58b355a9"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Amadey"] -action.risk = 1 -action.risk.param._risk_message = Process name $process_name$ with access right modification argument executed by $user$ to change security permission of a specific file or directory on host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Files and Dirs Access Rights Modification Via Icacls - Rule -action.correlationsearch.annotations = {"analytic_story": ["Amadey"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222.001", "T1222"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c76b796c-27e1-4520-91c4-4a58695c749e", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic aims to identify potential adversaries who manipulate the security permissions of specific files or directories. This technique is frequently observed in the tradecraft of Advanced Persistent Threats (APTs) and coinminer scripts. By modifying the security permissions, adversaries seek to evade detection and impede access to their component files. Such actions indicate a deliberate effort to maintain control over compromised systems and hinder investigation or remediation efforts. Detecting these security permission changes can serve as a valuable indicator of an ongoing attack and enable timely response to mitigate the impact of the adversary's activities. -action.notable.param.rule_title = Windows Files and Dirs Access Rights Modification Via Icacls -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN( "icacls.exe", "cacls.exe","xcacls.exe") AND Processes.process IN ("*:R*", "*:W*", "*:F*", "*:C*",, "*:N*","*/P*", "*/E*") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_files_and_dirs_access_rights_modification_via_icacls_filter` - -[ESCU - Windows Find Domain Organizational Units with GetDomainOU - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic leverages PowerShell Script Block Logging (EventCode=4104) to detect the execution of the `Get-DomainOU` commandlet. `Get-DomainOU` is a component of PowerView, a PowerShell toolkit designed for Windows domain enumeration. Identifying the use of `Get-DomainOU` is crucial as adversaries and Red Teams might employ it to gain insights into organizational units within Active Directory, potentially aiding in lateral movement or privilege escalation strategies. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.002"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic leverages PowerShell Script Block Logging (EventCode=4104) to detect the execution of the `Get-DomainOU` commandlet. `Get-DomainOU` is a component of PowerView, a PowerShell toolkit designed for Windows domain enumeration. Identifying the use of `Get-DomainOU` is crucial as adversaries and Red Teams might employ it to gain insights into organizational units within Active Directory, potentially aiding in lateral movement or privilege escalation strategies. -action.escu.how_to_implement = The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -action.escu.known_false_positives = Administrators may leverage PowerSploit tools for legitimate reasons, filter as needed. -action.escu.creation_date = 2023-08-31 -action.escu.modification_date = 2023-08-31 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Find Domain Organizational Units with GetDomainOU - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Discovery"] -action.risk = 1 -action.risk.param._risk_message = Suspicious PowerShell Get-DomainOU was identified on endpoint $dest$ by user $user$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Find Domain Organizational Units with GetDomainOU - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.002"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "0ada2f82-b7af-40cc-b1d7-1e5985afcb4e", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic leverages PowerShell Script Block Logging (EventCode=4104) to detect the execution of the `Get-DomainOU` commandlet. `Get-DomainOU` is a component of PowerView, a PowerShell toolkit designed for Windows domain enumeration. Identifying the use of `Get-DomainOU` is crucial as adversaries and Red Teams might employ it to gain insights into organizational units within Active Directory, potentially aiding in lateral movement or privilege escalation strategies. -action.notable.param.rule_title = Windows Find Domain Organizational Units with GetDomainOU -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText = "*Get-DomainOU*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_find_domain_organizational_units_with_getdomainou_filter` - -[ESCU - Windows Find Interesting ACL with FindInterestingDomainAcl - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic leverages PowerShell Script Block Logging (EventCode=4104) to detect the execution of the `Find-InterestingDomainAcl` commandlet. `Find-InterestingDomainAcl` is part of PowerView, a PowerShell toolkit designed for Windows domain enumeration. Detecting the use of `Find-InterestingDomainAcl` is crucial as adversaries and Red Teams might employ it to identify unusual or misconfigured Access Control Lists (ACLs) within the domain. Such ACLs can provide attackers with insights into potential privilege escalation opportunities or weak security postures within Active Directory. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.002"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic leverages PowerShell Script Block Logging (EventCode=4104) to detect the execution of the `Find-InterestingDomainAcl` commandlet. `Find-InterestingDomainAcl` is part of PowerView, a PowerShell toolkit designed for Windows domain enumeration. Detecting the use of `Find-InterestingDomainAcl` is crucial as adversaries and Red Teams might employ it to identify unusual or misconfigured Access Control Lists (ACLs) within the domain. Such ACLs can provide attackers with insights into potential privilege escalation opportunities or weak security postures within Active Directory. -action.escu.how_to_implement = The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -action.escu.known_false_positives = Administrators may leverage PowerSploit tools for legitimate reasons, filter as needed. -action.escu.creation_date = 2023-08-31 -action.escu.modification_date = 2023-08-31 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Find Interesting ACL with FindInterestingDomainAcl - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Discovery"] -action.risk = 1 -action.risk.param._risk_message = Suspicious PowerShell Find-InterestingDomainAcl was identified on endpoint $dest$ by user $user$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Find Interesting ACL with FindInterestingDomainAcl - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.002"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e4a96dfd-667a-4487-b942-ccef5a1e81e8", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic leverages PowerShell Script Block Logging (EventCode=4104) to detect the execution of the `Find-InterestingDomainAcl` commandlet. `Find-InterestingDomainAcl` is part of PowerView, a PowerShell toolkit designed for Windows domain enumeration. Detecting the use of `Find-InterestingDomainAcl` is crucial as adversaries and Red Teams might employ it to identify unusual or misconfigured Access Control Lists (ACLs) within the domain. Such ACLs can provide attackers with insights into potential privilege escalation opportunities or weak security postures within Active Directory. -action.notable.param.rule_title = Windows Find Interesting ACL with FindInterestingDomainAcl -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText = "*Find-InterestingDomainAcl*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_find_interesting_acl_with_findinterestingdomainacl_filter` - -[ESCU - Windows Findstr GPP Discovery - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the use of the findstr command employed to search for unsecured credentials Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts. These group policies are stored in SYSVOL on a domain controller. This means that any domain user can view the SYSVOL share and decrypt the password (using the AES key that has been made public). While Microsoft released a patch that impedes Administrators to create unsecure credentials, existing Group Policy Preferences files with passwords are not removed from SYSVOL. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552", "T1552.006"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the use of the findstr command employed to search for unsecured credentials Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts. These group policies are stored in SYSVOL on a domain controller. This means that any domain user can view the SYSVOL share and decrypt the password (using the AES key that has been made public). While Microsoft released a patch that impedes Administrators to create unsecure credentials, existing Group Policy Preferences files with passwords are not removed from SYSVOL. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators may leverage findstr to find passwords in GPO to validate exposure. Filter as needed. -action.escu.creation_date = 2023-03-16 -action.escu.modification_date = 2023-03-16 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Findstr GPP Discovery - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = Findstr was executed to discover GPP credentials on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 56}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Findstr GPP Discovery - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552", "T1552.006"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "1631ac2d-f2a9-42fa-8a59-d6e210d472f5", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the use of the findstr command employed to search for unsecured credentials Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts. These group policies are stored in SYSVOL on a domain controller. This means that any domain user can view the SYSVOL share and decrypt the password (using the AES key that has been made public). While Microsoft released a patch that impedes Administrators to create unsecure credentials, existing Group Policy Preferences files with passwords are not removed from SYSVOL. -action.notable.param.rule_title = Windows Findstr GPP Discovery -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=findstr.exe AND Processes.process=*sysvol* AND Processes.process=*cpassword*) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_findstr_gpp_discovery_filter` - -[ESCU - Windows Forest Discovery with GetForestDomain - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic utilizes PowerShell Script Block Logging (EventCode=4104) to detect the execution of the `Get-ForestDomain` commandlet. `Get-ForestDomain` is a component of PowerView, a PowerShell toolkit designed for Windows domain enumeration. Detecting the use of `Get-ForestDomain` is essential as adversaries and Red Teams might employ it to gain insights into the forest and domain configurations of an Active Directory environment. Such information can provide attackers with a broader understanding of the domain structure and potential avenues for lateral movement or privilege escalation. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.002"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic utilizes PowerShell Script Block Logging (EventCode=4104) to detect the execution of the `Get-ForestDomain` commandlet. `Get-ForestDomain` is a component of PowerView, a PowerShell toolkit designed for Windows domain enumeration. Detecting the use of `Get-ForestDomain` is essential as adversaries and Red Teams might employ it to gain insights into the forest and domain configurations of an Active Directory environment. Such information can provide attackers with a broader understanding of the domain structure and potential avenues for lateral movement or privilege escalation. -action.escu.how_to_implement = The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -action.escu.known_false_positives = Administrators may leverage PowerSploit tools for legitimate reasons, filter as needed. -action.escu.creation_date = 2023-08-31 -action.escu.modification_date = 2023-08-31 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Forest Discovery with GetForestDomain - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Discovery"] -action.risk = 1 -action.risk.param._risk_message = Suspicious PowerShell Get-ForestDomain was identified on endpoint $dest$ by user $user$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Forest Discovery with GetForestDomain - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.002"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a14803b2-4bd9-4c08-8b57-c37980edebe8", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic utilizes PowerShell Script Block Logging (EventCode=4104) to detect the execution of the `Get-ForestDomain` commandlet. `Get-ForestDomain` is a component of PowerView, a PowerShell toolkit designed for Windows domain enumeration. Detecting the use of `Get-ForestDomain` is essential as adversaries and Red Teams might employ it to gain insights into the forest and domain configurations of an Active Directory environment. Such information can provide attackers with a broader understanding of the domain structure and potential avenues for lateral movement or privilege escalation. -action.notable.param.rule_title = Windows Forest Discovery with GetForestDomain -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText = "*Get-ForestDomain*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_forest_discovery_with_getforestdomain_filter` - -[ESCU - Windows Gather Victim Host Information Camera - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects a powershell script that enumerate camera mounted to the targeted host. This technique was seen in DCRat malware, where it runs a powershell command to look for camera information that will be pass on to its C2 server. This anomaly detection can be a good pivot to check who and why this enumeration is needed and what parent process execute this powershell script command. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Reconnaissance"], "mitre_attack": ["T1592.001", "T1592"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects a powershell script that enumerate camera mounted to the targeted host. This technique was seen in DCRat malware, where it runs a powershell command to look for camera information that will be pass on to its C2 server. This anomaly detection can be a good pivot to check who and why this enumeration is needed and what parent process execute this powershell script command. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = Administrators may execute this powershell command to get hardware information related to camera on $dest$. -action.escu.creation_date = 2023-11-07 -action.escu.modification_date = 2023-11-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Gather Victim Host Information Camera - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["DarkCrystal RAT"] -action.risk = 1 -action.risk.param._risk_message = A Powershell script to enumerate camera detected on host - $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 42}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 42}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Gather Victim Host Information Camera - Rule -action.correlationsearch.annotations = {"analytic_story": ["DarkCrystal RAT"], "cis20": ["CIS 10"], "confidence": 70, "impact": 60, "kill_chain_phases": ["Reconnaissance"], "mitre_attack": ["T1592.001", "T1592"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e4df4676-ea41-4397-b160-3ee0140dc332", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText= "* Win32_PnPEntity *" ScriptBlockText= "*SELECT*" ScriptBlockText= "*WHERE*" ScriptBlockText = "*PNPClass*" ScriptBlockText IN ("*Image*", "*Camera*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_gather_victim_host_information_camera_filter` - -[ESCU - Windows Gather Victim Identity SAM Info - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a process that loads the samlib.dll module. This module is being abused by adversaries, threat actors and red teamers to access information of SAM objects or access credentials information in DC. This hunting query can be a good indicator that a process is capable of accessing the SAM object. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Reconnaissance"], "mitre_attack": ["T1589.001", "T1589"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies a process that loads the samlib.dll module. This module is being abused by adversaries, threat actors and red teamers to access information of SAM objects or access credentials information in DC. This hunting query can be a good indicator that a process is capable of accessing the SAM object. -action.escu.how_to_implement = The latest Sysmon TA 3.0 https://splunkbase.splunk.com/app/5709 will add the ImageLoaded name to the process_name field, allowing this query to work. Use as an example and implement for other products. -action.escu.known_false_positives = this module can be loaded by a third party application. Filter is needed. -action.escu.creation_date = 2022-08-24 -action.escu.modification_date = 2022-08-24 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Gather Victim Identity SAM Info - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["Brute Ratel C4"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Gather Victim Identity SAM Info - Rule -action.correlationsearch.annotations = {"analytic_story": ["Brute Ratel C4"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Reconnaissance"], "mitre_attack": ["T1589.001", "T1589"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a18e85d7-8b98-4399-820c-d46a1ca3516f", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=7 (ImageLoaded = "*\\samlib.dll" AND OriginalFileName = "samlib.dll") OR (ImageLoaded = "*\\samcli.dll" AND OriginalFileName = "SAMCLI.DLL") AND NOT (Image IN("C:\\Windows\\*", "C:\\Program File*", "%systemroot%\\*")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name dest EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_gather_victim_identity_sam_info_filter` - -[ESCU - Windows Gather Victim Network Info Through Ip Check Web Services - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies process that attempts to connect to a known IP web services. This technique is commonly used by trickbot and other malware to perform reconnaissance against the infected machine and look for its IP address. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Reconnaissance"], "mitre_attack": ["T1590.005", "T1590"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies process that attempts to connect to a known IP web services. This technique is commonly used by trickbot and other malware to perform reconnaissance against the infected machine and look for its IP address. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, dns query name process path , and query ststus from your endpoints like EventCode 22. If you are using Sysmon, you must have at least version 12 of the Sysmon TA. -action.escu.known_false_positives = Filter internet browser application to minimize the false positive of this detection. -action.escu.creation_date = 2024-02-15 -action.escu.modification_date = 2024-02-15 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Gather Victim Network Info Through Ip Check Web Services - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["Azorult", "DarkCrystal RAT", "Phemedrone Stealer", "Snake Keylogger"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Gather Victim Network Info Through Ip Check Web Services - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azorult", "DarkCrystal RAT", "Phemedrone Stealer", "Snake Keylogger"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Reconnaissance"], "mitre_attack": ["T1590.005", "T1590"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "70f7c952-0758-46d6-9148-d8969c4481d1", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=22 QueryName IN ("*wtfismyip.com", "*checkip.*", "*ipecho.net", "*ipinfo.io", "*api.ipify.org", "*icanhazip.com", "*ip.anysrc.com","*api.ip.sb", "ident.me", "www.myexternalip.com", "*zen.spamhaus.org", "*cbl.abuseat.org", "*b.barracudacentral.org", "*dnsbl-1.uceprotect.net", "*spam.dnsbl.sorbs.net", "*iplogger.org*", "*ip-api.com*", "*geoip.*") | stats min(_time) as firstTime max(_time) as lastTime count by Image ProcessId QueryName QueryStatus QueryResults EventCode Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_gather_victim_network_info_through_ip_check_web_services_filter` - -[ESCU - Windows Get-AdComputer Unconstrained Delegation Discovery - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the Get-ADComputer commandlet used with specific parameters to discover Windows endpoints with Kerberos Unconstrained Delegation. Red Teams and adversaries alike may leverage use this technique for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the Get-ADComputer commandlet used with specific parameters to discover Windows endpoints with Kerberos Unconstrained Delegation. Red Teams and adversaries alike may leverage use this technique for situational awareness and Active Directory Discovery. -action.escu.how_to_implement = The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -action.escu.known_false_positives = Administrators or power users may leverage PowerView for system management or troubleshooting. -action.escu.creation_date = 2024-04-26 -action.escu.modification_date = 2024-04-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Get-AdComputer Unconstrained Delegation Discovery - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Kerberos Attacks"] -action.risk = 1 -action.risk.param._risk_message = Suspicious PowerShell Get-ADComputer was identified on endpoint $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 35}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 35}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Get-AdComputer Unconstrained Delegation Discovery - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks"], "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c8640777-469f-4638-ab44-c34a3233ffac", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the Get-ADComputer commandlet used with specific parameters to discover Windows endpoints with Kerberos Unconstrained Delegation. Red Teams and adversaries alike may leverage use this technique for situational awareness and Active Directory Discovery. -action.notable.param.rule_title = Windows Get-AdComputer Unconstrained Delegation Discovery -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 (ScriptBlockText = "*Get-ADComputer*" AND ScriptBlockText = "*TrustedForDelegation*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_get_adcomputer_unconstrained_delegation_discovery_filter` - -[ESCU - Windows Get Local Admin with FindLocalAdminAccess - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic leverages PowerShell Script Block Logging (EventCode=4104) to detect the execution of the `Find-LocalAdminAccess` commandlet. `Find-LocalAdminAccess` is part of PowerView, a PowerShell toolkit designed for Windows domain enumeration. Detecting the use of `Find-LocalAdminAccess` is vital as adversaries and Red Teams might employ it to identify machines where the current user context has local administrator access. Such information can provide attackers with potential targets for lateral movement or privilege escalation within the network. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.002"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic leverages PowerShell Script Block Logging (EventCode=4104) to detect the execution of the `Find-LocalAdminAccess` commandlet. `Find-LocalAdminAccess` is part of PowerView, a PowerShell toolkit designed for Windows domain enumeration. Detecting the use of `Find-LocalAdminAccess` is vital as adversaries and Red Teams might employ it to identify machines where the current user context has local administrator access. Such information can provide attackers with potential targets for lateral movement or privilege escalation within the network. -action.escu.how_to_implement = The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -action.escu.known_false_positives = Administrators may leverage PowerSploit tools for legitimate reasons, filter as needed. -action.escu.creation_date = 2023-08-31 -action.escu.modification_date = 2023-08-31 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Get Local Admin with FindLocalAdminAccess - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Discovery"] -action.risk = 1 -action.risk.param._risk_message = Suspicious PowerShell Find-LocalAdminAccess was identified on endpoint $dest$ by user $user$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Get Local Admin with FindLocalAdminAccess - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.002"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "d2988160-3ce9-4310-b59d-905334920cdd", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic leverages PowerShell Script Block Logging (EventCode=4104) to detect the execution of the `Find-LocalAdminAccess` commandlet. `Find-LocalAdminAccess` is part of PowerView, a PowerShell toolkit designed for Windows domain enumeration. Detecting the use of `Find-LocalAdminAccess` is vital as adversaries and Red Teams might employ it to identify machines where the current user context has local administrator access. Such information can provide attackers with potential targets for lateral movement or privilege escalation within the network. -action.notable.param.rule_title = Windows Get Local Admin with FindLocalAdminAccess -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText = "*Find-LocalAdminAccess*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_get_local_admin_with_findlocaladminaccess_filter` - -[ESCU - Windows Group Policy Object Created - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic leverages Event IDs 5136 and 51137 to identify the creation of a new Group Policy Object. With GPOs, system administrators can manage and configure applications, software operations, and user settings throughout an entire organization. GPOs can be abused and leveraged by adversaries to escalate privileges or deploy malware across an Active Directory network. As an example, the Lockbit ransomware malware will create new group policies on the domain controller that are then pushed out to every device on the network. Security teams should monitor the creation of new Group Policy Objects. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1484", "T1484.001", "T1078.002"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic leverages Event IDs 5136 and 51137 to identify the creation of a new Group Policy Object. With GPOs, system administrators can manage and configure applications, software operations, and user settings throughout an entire organization. GPOs can be abused and leveraged by adversaries to escalate privileges or deploy malware across an Active Directory network. As an example, the Lockbit ransomware malware will create new group policies on the domain controller that are then pushed out to every device on the network. Security teams should monitor the creation of new Group Policy Objects. -action.escu.how_to_implement = To successfully implement this search, the Advanced Security Audit policy setting `Audit Directory Service Changes` within `DS Access` needs to be enabled. Furthermore, the appropriate system access control lists (SACL) need to be created as the used events are not logged by default. A good guide to accomplish this can be found here https://jgspiers.com/audit-group-policy-changes/. -action.escu.known_false_positives = Group Policy Objects are created as part of regular administrative operations, filter as needed. -action.escu.creation_date = 2023-03-27 -action.escu.modification_date = 2023-03-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Group Policy Object Created - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Privilege Escalation", "Sneaky Active Directory Persistence Tricks"] -action.risk = 1 -action.risk.param._risk_message = A new group policy objected was created by $User$ -action.risk.param._risk = [{"risk_object_field": "User", "risk_object_type": "user", "risk_score": 40}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Group Policy Object Created - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Privilege Escalation", "Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 50, "impact": 80, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1484", "T1484.001", "T1078.002"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "23add2a8-ea22-4fd4-8bc0-8c0b822373a1", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic leverages Event IDs 5136 and 51137 to identify the creation of a new Group Policy Object. With GPOs, system administrators can manage and configure applications, software operations, and user settings throughout an entire organization. GPOs can be abused and leveraged by adversaries to escalate privileges or deploy malware across an Active Directory network. As an example, the Lockbit ransomware malware will create new group policies on the domain controller that are then pushed out to every device on the network. Security teams should monitor the creation of new Group Policy Objects. -action.notable.param.rule_title = Windows Group Policy Object Created -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=5137 OR (EventCode=5136 AttributeValue!="New Group Policy Object" AND (AttributeLDAPDisplayName=displayName OR AttributeLDAPDisplayName=gPCFileSysPath) ) ObjectClass=groupPolicyContainer | stats values(AttributeValue) as details values(SubjectUserSid) as User values(ObjectDN) as ObjectDN by ObjectGUID Computer | eval GPO_Name = mvindex(details, 0) | eval GPO_Path = mvindex(details, 1) | fields - details | `windows_group_policy_object_created_filter` - -[ESCU - Windows Hidden Schedule Task Settings - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects creation of hidden scheculed tasks such that it this task is not visible on the UI. Such behavior is indicative of certain malware, such as Industroyer2, or attacks leveraging living-off-the-land binaries (LOLBINs) to download additional payloads to a compromised machine. This analytic relies on the Windows Security EventCode 4698, indicating the creation of a scheduled task. The search focuses on identifying instances where the 'Hidden' setting is enabled, signaling potential nefarious activity. To implement this search, you need to ingest logs with task scheduling details from your endpoints. As false positives are currently unknown, it is advised to tune and filter based on the known use of task scheduling in your environment. This analytic provides crucial visibility into stealthy, potentially harmful scheduled tasks on Windows systems. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects creation of hidden scheculed tasks such that it this task is not visible on the UI. Such behavior is indicative of certain malware, such as Industroyer2, or attacks leveraging living-off-the-land binaries (LOLBINs) to download additional payloads to a compromised machine. This analytic relies on the Windows Security EventCode 4698, indicating the creation of a scheduled task. The search focuses on identifying instances where the 'Hidden' setting is enabled, signaling potential nefarious activity. To implement this search, you need to ingest logs with task scheduling details from your endpoints. As false positives are currently unknown, it is advised to tune and filter based on the known use of task scheduling in your environment. This analytic provides crucial visibility into stealthy, potentially harmful scheduled tasks on Windows systems. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the task schedule (Exa. Security Log EventCode 4698) endpoints. Tune and filter known instances of Task schedule used in your environment. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-04-14 -action.escu.modification_date = 2023-04-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Hidden Schedule Task Settings - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Discovery", "CISA AA22-257A", "Data Destruction", "Industroyer2", "Scheduled Tasks"] -action.risk = 1 -action.risk.param._risk_message = A schedule task with hidden setting enable in host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Hidden Schedule Task Settings - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "CISA AA22-257A", "Data Destruction", "Industroyer2", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "0b730470-5fe8-4b13-93a7-fe0ad014d0cc", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects creation of hidden scheculed tasks such that it this task is not visible on the UI. Such behavior is indicative of certain malware, such as Industroyer2, or attacks leveraging living-off-the-land binaries (LOLBINs) to download additional payloads to a compromised machine. This analytic relies on the Windows Security EventCode 4698, indicating the creation of a scheduled task. The search focuses on identifying instances where the 'Hidden' setting is enabled, signaling potential nefarious activity. To implement this search, you need to ingest logs with task scheduling details from your endpoints. As false positives are currently unknown, it is advised to tune and filter based on the known use of task scheduling in your environment. This analytic provides crucial visibility into stealthy, potentially harmful scheduled tasks on Windows systems. -action.notable.param.rule_title = Windows Hidden Schedule Task Settings -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4698 | xmlkv Message | search Hidden = true | stats count min(_time) as firstTime max(_time) as lastTime by Task_Name, Command, Author, Hidden, dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_hidden_schedule_task_settings_filter` - -[ESCU - Windows Hide Notification Features Through Registry - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is to detect a suspicious registry modification to hide common windows notification feature from compromised host. This technique was seen in some ransomware family to add more impact to its payload that are visually seen by user aside from the encrypted files and ransomware notes. Even this a good anomaly detection, administrator may implement this changes for auditing or security reason. In this scenario filter is needed. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is to detect a suspicious registry modification to hide common windows notification feature from compromised host. This technique was seen in some ransomware family to add more impact to its payload that are visually seen by user aside from the encrypted files and ransomware notes. Even this a good anomaly detection, administrator may implement this changes for auditing or security reason. In this scenario filter is needed. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-04-27 -action.escu.modification_date = 2023-04-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Hide Notification Features Through Registry - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Ransomware", "Windows Defense Evasion Tactics", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = Registry modification to hide windows notification on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Hide Notification Features Through Registry - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "cafa4bce-9f06-11ec-a7b2-acde48001122", "detection_version": "3"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\*" Registry.registry_value_name IN ("HideClock", "HideSCAHealth", "HideSCANetwork", "HideSCAPower", "HideSCAVolume") Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_hide_notification_features_through_registry_filter` - -[ESCU - Windows High File Deletion Frequency - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search identifies a high frequency of file deletions relative to the process name and process ID. Such events typically occur when ransomware attempts to encrypt files with specific extensions, leading Sysmon to treat the original files as deleted as soon as they are replaced with encrypted data. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search identifies a high frequency of file deletions relative to the process name and process ID. Such events typically occur when ransomware attempts to encrypt files with specific extensions, leading Sysmon to treat the original files as deleted as soon as they are replaced with encrypted data. -action.escu.how_to_implement = To successfully implement this search, you need to ingest logs that include the deleted target file name, process name, and process ID from your endpoints. If you are using Sysmon, ensure you have at least version 2.0 of the Sysmon TA installed. -action.escu.known_false_positives = Users may delete a large number of pictures or files in a folder, which could trigger this detection. Additionally, heavy usage of PowerBI and Outlook may also result in false positives. -action.escu.creation_date = 2024-03-05 -action.escu.modification_date = 2024-03-05 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows High File Deletion Frequency - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["Clop Ransomware", "DarkCrystal RAT", "Data Destruction", "Sandworm Tools", "Swift Slicer", "WhisperGate"] -action.risk = 1 -action.risk.param._risk_message = Elevated file deletion rate observed from process [$process_name$] on machine $dest$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 72}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}, {"threat_object_field": "deleted_files", "threat_object_type": "file_name"}, {"threat_object_field": "process_name", "threat_object_type": "process"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows High File Deletion Frequency - Rule -action.correlationsearch.annotations = {"analytic_story": ["Clop Ransomware", "DarkCrystal RAT", "Data Destruction", "Sandworm Tools", "Swift Slicer", "WhisperGate"], "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "45b125c4-866f-11eb-a95a-acde48001122", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode IN ("23","26") TargetFilename IN ("*.cmd", "*.ini","*.gif", "*.jpg", "*.jpeg", "*.db", "*.ps1", "*.doc", "*.docx", "*.xls", "*.xlsx", "*.ppt", "*.pptx", "*.bmp","*.zip", "*.rar", "*.7z", "*.chm", "*.png", "*.log", "*.vbs", "*.js", "*.vhd", "*.bak", "*.wbcat", "*.bkf" , "*.backup*", "*.dsk", "*.win") NOT TargetFilename IN ("*\\INetCache\\Content.Outlook\\*") | stats count, values(TargetFilename) as deleted_files, min(_time) as firstTime, max(_time) as lastTime by user, dest, signature, signature_id, Image, process_name, process_guid | rename Image as process | where count >=100 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_high_file_deletion_frequency_filter` - -[ESCU - Windows Hijack Execution Flow Version Dll Side Load - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is to detect a process loading version.dll that is not in %windir%\\system32 or %windir%\\syswow64 dir path. This event is seen in ransomware and APT malware that executes malicious version.dll placed in the same folder of onedrive application that will execute that module. This technique is known to be DLL side loading. This technique was used to execute an agent of Brute Ratel C4 red teaming tools to serve as remote admin tool to collect and compromise target host. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.001", "T1574"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic is to detect a process loading version.dll that is not in %windir%\\system32 or %windir%\\syswow64 dir path. This event is seen in ransomware and APT malware that executes malicious version.dll placed in the same folder of onedrive application that will execute that module. This technique is known to be DLL side loading. This technique was used to execute an agent of Brute Ratel C4 red teaming tools to serve as remote admin tool to collect and compromise target host. -action.escu.how_to_implement = The latest Sysmon TA 3.0 https://splunkbase.splunk.com/app/5709 will add the ImageLoaded name to the process_name field, allowing this query to work. Use as an example and implement for other products. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2022-08-24 -action.escu.modification_date = 2022-08-24 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Hijack Execution Flow Version Dll Side Load - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["Brute Ratel C4"] -action.risk = 1 -action.risk.param._risk_message = a process $Image$ loading $ImageLoaded$ as a side load dll in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 35}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Hijack Execution Flow Version Dll Side Load - Rule -action.correlationsearch.annotations = {"analytic_story": ["Brute Ratel C4"], "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.001", "T1574"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "8351340b-ac0e-41ec-8b07-dd01bf32d6ea", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=7 ImageLoaded = "*\\version.dll" AND (Signed = "false" OR NOT(ImageLoaded IN("*\\windows\\system32*", "*\\windows\\syswow64\\*"))) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name dest EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_hijack_execution_flow_version_dll_side_load_filter` - -[ESCU - Windows Hunting System Account Targeting Lsass - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following hunting analytic identifies all processes requesting access into Lsass.exe. his behavior may be related to credential dumping or applications requiring access to credentials. Triaging this event will require understanding the GrantedAccess from the SourceImage. In addition, whether the account is privileged or not. Review the process requesting permissions and review parallel processes. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following hunting analytic identifies all processes requesting access into Lsass.exe. his behavior may be related to credential dumping or applications requiring access to credentials. Triaging this event will require understanding the GrantedAccess from the SourceImage. In addition, whether the account is privileged or not. Review the process requesting permissions and review parallel processes. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Enabling EventCode 10 TargetProcess lsass.exe is required. -action.escu.known_false_positives = False positives will occur based on GrantedAccess and SourceUser, filter based on source image as needed. Utilize this hunting analytic to tune out false positives in TTP or anomaly analytics. -action.escu.creation_date = 2023-12-27 -action.escu.modification_date = 2023-12-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Hunting System Account Targeting Lsass - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["CISA AA23-347A", "Credential Dumping"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Hunting System Account Targeting Lsass - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A", "Credential Dumping"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "1c6abb08-73d1-11ec-9ca0-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=10 TargetImage=*lsass.exe | stats count min(_time) as firstTime max(_time) as lastTime by dest, TargetImage, GrantedAccess, SourceImage, SourceProcessId, SourceUser, TargetUser | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_hunting_system_account_targeting_lsass_filter` - -[ESCU - Windows Identify Protocol Handlers - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following hunting analytic will identify any protocol handlers utilized on the command-line. A protocol handler is an application that knows how to handle particular types of links: for example, a mail client is a protocol handler for "mailto:" links. When the user clicks a "mailto:" link, the browser opens the application selected as the handler for the "mailto:" protocol (or offers them a choice of handlers, depending on their settings). To identify protocol handlers we can use NirSoft https://www.nirsoft.net/utils/url_protocol_view.html URLProtocolView or query the registry using PowerShell. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following hunting analytic will identify any protocol handlers utilized on the command-line. A protocol handler is an application that knows how to handle particular types of links: for example, a mail client is a protocol handler for "mailto:" links. When the user clicks a "mailto:" link, the browser opens the application selected as the handler for the "mailto:" protocol (or offers them a choice of handlers, depending on their settings). To identify protocol handlers we can use NirSoft https://www.nirsoft.net/utils/url_protocol_view.html URLProtocolView or query the registry using PowerShell. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives will be found. https and http is a URL Protocol handler that will trigger this analytic. Tune based on process or command-line. -action.escu.creation_date = 2022-09-13 -action.escu.modification_date = 2022-09-13 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Identify Protocol Handlers - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Living Off The Land"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Identify Protocol Handlers - Rule -action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land"], "cis20": ["CIS 10"], "confidence": 20, "impact": 30, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "bd5c311e-a6ea-48ae-a289-19a3398e3648", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as process values(Processes.parent_process) as parent_process from datamodel=Endpoint.Processes by Processes.dest Processes.parent_process_name Processes.user Processes.process_name Processes.process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | lookup windows_protocol_handlers handler AS process OUTPUT handler ishandler | where ishandler="TRUE" | `windows_identify_protocol_handlers_filter` - -[ESCU - Windows IIS Components Add New Module - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the process AppCmd.exe installing a new module into IIS. AppCmd is a utility to manage IIS web sites and App Pools. An adversary may run this command to install a webshell or backdoor. This has been found to be used for credit card scraping, persistence, and further post-exploitation. An administrator may run this to install new modules for a web site or during IIS updates. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1505", "T1505.004"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the process AppCmd.exe installing a new module into IIS. AppCmd is a utility to manage IIS web sites and App Pools. An adversary may run this command to install a webshell or backdoor. This has been found to be used for credit card scraping, persistence, and further post-exploitation. An administrator may run this to install new modules for a web site or during IIS updates. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives may be present until properly tuned. Filter as needed. -action.escu.creation_date = 2022-12-19 -action.escu.modification_date = 2022-12-19 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows IIS Components Add New Module - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["IIS Components"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to install a new IIS module. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 64}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows IIS Components Add New Module - Rule -action.correlationsearch.annotations = {"analytic_story": ["IIS Components"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1505", "T1505.004"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "38fe731c-1f13-43d4-b878-a5bbe44807e3", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where NOT (Processes.parent_process_name IN ("msiexec.exe", "iissetup.exe")) Processes.process_name=appcmd.exe Processes.process IN ("*install *", "*module *") AND Processes.process="*image*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_iis_components_add_new_module_filter` - -[ESCU - Windows IIS Components Get-WebGlobalModule Module Query - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the execution of the PowerShell cmdlet Get-WebGlobalModule, which lists all IIS Modules installed on a system. It leverages PowerShell input data to detect this activity by capturing the module names and the image paths of the DLLs. This activity is significant for a SOC because it can indicate an attempt to enumerate installed IIS modules, which could be a precursor to exploiting vulnerabilities or misconfigurations. If confirmed malicious, this could allow an attacker to gain insights into the web server's configuration, potentially leading to further exploitation or privilege escalation. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1505.004", "T1505"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies the execution of the PowerShell cmdlet Get-WebGlobalModule, which lists all IIS Modules installed on a system. It leverages PowerShell input data to detect this activity by capturing the module names and the image paths of the DLLs. This activity is significant for a SOC because it can indicate an attempt to enumerate installed IIS modules, which could be a precursor to exploiting vulnerabilities or misconfigurations. If confirmed malicious, this could allow an attacker to gain insights into the web server's configuration, potentially leading to further exploitation or privilege escalation. -action.escu.how_to_implement = You must ingest the PwSh cmdlet Get-WebGlobalModule in order to utilize this analytic. Follow https://gist.github.com/MHaggis/64396dfd9fc3734e1d1901a8f2f07040 -action.escu.known_false_positives = This analytic is meant to assist with hunting modules across a fleet of IIS servers. Filter and modify as needed. -action.escu.creation_date = 2024-05-03 -action.escu.modification_date = 2024-05-03 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows IIS Components Get-WebGlobalModule Module Query - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["IIS Components", "WS FTP Server Critical Vulnerabilities"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows IIS Components Get-WebGlobalModule Module Query - Rule -action.correlationsearch.annotations = {"analytic_story": ["IIS Components", "WS FTP Server Critical Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 10, "impact": 10, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1505.004", "T1505"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "20db5f70-34b4-4e83-8926-fa26119de173", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `iis_get_webglobalmodule` | stats count min(_time) as firstTime max(_time) as lastTime by host name image | rename host as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_iis_components_get_webglobalmodule_module_query_filter` - -[ESCU - Windows IIS Components Module Failed to Load - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic utilizes EventCode 2282 which generates when a Module DLL could not be loaded due to a configuration problem. This typically occurs when a IIS module is installed but is failing to load. This typically results in thousands of events until the issue is resolved. Review the module that is failing and determine if it is legitimate or not. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1505", "T1505.004"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic utilizes EventCode 2282 which generates when a Module DLL could not be loaded due to a configuration problem. This typically occurs when a IIS module is installed but is failing to load. This typically results in thousands of events until the issue is resolved. Review the module that is failing and determine if it is legitimate or not. -action.escu.how_to_implement = IIS must be installed and Application event logs must be collected in order to utilize this analytic. -action.escu.known_false_positives = False positives will be present until all module failures are resolved or reviewed. -action.escu.creation_date = 2022-12-20 -action.escu.modification_date = 2022-12-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows IIS Components Module Failed to Load - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["IIS Components"] -action.risk = 1 -action.risk.param._risk_message = A new IIS Module has been loaded and should be reviewed on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows IIS Components Module Failed to Load - Rule -action.correlationsearch.annotations = {"analytic_story": ["IIS Components"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1505", "T1505.004"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "40c2ba5b-dd6a-496b-9e6e-c9524d0be167", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_application` EventCode=2282 | stats count min(_time) as firstTime max(_time) as lastTime by EventCode dest Name ModuleDll | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_iis_components_module_failed_to_load_filter` - -[ESCU - Windows IIS Components New Module Added - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic uses the Windows Event log - Microsoft-IIS-Configuration/Operational - which must be enabled and logged on Windows IIS servers before it can be Splunked. The following analytic identifies newly installed IIS modules. Per Microsoft, IIS modules are not commonly added to a production IIS server, so alerting on this event ID should be enabled.IIS modules can be installed at a global level or at a site level. In detecting malicious IIS modules, it is important to check both the global and site level for unauthorized modules. Regular monitoring of these locations for such modules and comparing against a known good list can help detect and identify malicious IIS modules. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1505", "T1505.004"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic uses the Windows Event log - Microsoft-IIS-Configuration/Operational - which must be enabled and logged on Windows IIS servers before it can be Splunked. The following analytic identifies newly installed IIS modules. Per Microsoft, IIS modules are not commonly added to a production IIS server, so alerting on this event ID should be enabled.IIS modules can be installed at a global level or at a site level. In detecting malicious IIS modules, it is important to check both the global and site level for unauthorized modules. Regular monitoring of these locations for such modules and comparing against a known good list can help detect and identify malicious IIS modules. -action.escu.how_to_implement = You must enabled the IIS Configuration Operational log before ingesting in Splunk. Setup and inputs may be found here https://gist.github.com/MHaggis/64396dfd9fc3734e1d1901a8f2f07040. -action.escu.known_false_positives = False positives may be present when updates or an administrator adds a new module to IIS. Monitor and filter as needed. -action.escu.creation_date = 2022-12-19 -action.escu.modification_date = 2022-12-19 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows IIS Components New Module Added - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["IIS Components"] -action.risk = 1 -action.risk.param._risk_message = A new IIS Module has been loaded and should be reviewed on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 48}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows IIS Components New Module Added - Rule -action.correlationsearch.annotations = {"analytic_story": ["IIS Components"], "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1505", "T1505.004"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "55f22929-cfd3-4388-ba5c-4d01fac7ee7e", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic uses the Windows Event log - Microsoft-IIS-Configuration/Operational - which must be enabled and logged on Windows IIS servers before it can be Splunked. The following analytic identifies newly installed IIS modules. Per Microsoft, IIS modules are not commonly added to a production IIS server, so alerting on this event ID should be enabled.IIS modules can be installed at a global level or at a site level. In detecting malicious IIS modules, it is important to check both the global and site level for unauthorized modules. Regular monitoring of these locations for such modules and comparing against a known good list can help detect and identify malicious IIS modules. -action.notable.param.rule_title = Windows IIS Components New Module Added -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `iis_operational_logs` EventCode=29 | stats count min(_time) as firstTime max(_time) as lastTime by OpCode EventCode ComputerName Message | rename ComputerName AS dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_iis_components_new_module_added_filter` - -[ESCU - Windows Impair Defense Add Xml Applocker Rules - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic is to identify a process that imports applocker xml policy using PowerShell commandlet. This technique was seen in Azorult malware where it drop an xml Applocker policy that will deny several AV products and further executed the PowerShell Applocker commandlet. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic is to identify a process that imports applocker xml policy using PowerShell commandlet. This technique was seen in Azorult malware where it drop an xml Applocker policy that will deny several AV products and further executed the PowerShell Applocker commandlet. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators may execute this command that may cause some false positive. -action.escu.creation_date = 2022-06-24 -action.escu.modification_date = 2022-06-24 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Impair Defense Add Xml Applocker Rules - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Azorult"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Impair Defense Add Xml Applocker Rules - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azorult"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "467ed9d9-8035-470e-ad5e-ae5189283033", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` AND Processes.process="*Import-Module Applocker*" AND Processes.process="*Set-AppLockerPolicy *" AND Processes.process="* -XMLPolicy *" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_add_xml_applocker_rules_filter` - -[ESCU - Windows Impair Defense Change Win Defender Health Check Intervals - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a modification in the Windows registry to change the health check interval of Windows Defender. Specifically, a value of 1 typically signifies that Windows Defender would perform health checks at a much higher frequency than the default settings. However, it's important to note that modifying this value to 1 might not necessarily conform to the actual behavior, as certain registry settings may have specific accepted values or a defined range that differs from a simple binary representation. Changing registry values, especially those related to system services, should be approached cautiously. Incorrect modifications can potentially impact system stability or performance. Always ensure you understand the implications and have a backup before altering registry settings. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a modification in the Windows registry to change the health check interval of Windows Defender. Specifically, a value of 1 typically signifies that Windows Defender would perform health checks at a much higher frequency than the default settings. However, it's important to note that modifying this value to 1 might not necessarily conform to the actual behavior, as certain registry settings may have specific accepted values or a defined range that differs from a simple binary representation. Changing registry values, especially those related to system services, should be approached cautiously. Incorrect modifications can potentially impact system stability or performance. Always ensure you understand the implications and have a backup before altering registry settings. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -action.escu.known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search. -action.escu.creation_date = 2024-01-08 -action.escu.modification_date = 2024-01-08 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Impair Defense Change Win Defender Health Check Intervals - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Windows Defense Evasion Tactics", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = change in the health check interval of Windows Defender on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Impair Defense Change Win Defender Health Check Intervals - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "5211c260-820e-4366-b983-84bbfb5c263a", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a modification in the Windows registry to change the health check interval of Windows Defender. Specifically, a value of 1 typically signifies that Windows Defender would perform health checks at a much higher frequency than the default settings. However, it's important to note that modifying this value to 1 might not necessarily conform to the actual behavior, as certain registry settings may have specific accepted values or a defined range that differs from a simple binary representation. Changing registry values, especially those related to system services, should be approached cautiously. Incorrect modifications can potentially impact system stability or performance. Always ensure you understand the implications and have a backup before altering registry settings. -action.notable.param.rule_title = Windows Impair Defense Change Win Defender Health Check Intervals -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\ServiceKeepAlive" Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_change_win_defender_health_check_intervals_filter` - -[ESCU - Windows Impair Defense Change Win Defender Quick Scan Interval - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a modification in the Windows registry to change Windows Defender Quick Scan Interval. The "QuickScanInterval" in Windows Defender, specifically within the context of antivirus software, typically refers to the interval or frequency at which the system conducts quick scans for malware or potential threats. This setting dictates how often Windows Defender performs quick scans on the system. Quick scans are less comprehensive than full system scans but provide a faster way to check critical areas for potential threats or malware. This registry setting is being abuse by several threat actors, adversaries and red teamers to bypasses Windows defender detections. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a modification in the Windows registry to change Windows Defender Quick Scan Interval. The "QuickScanInterval" in Windows Defender, specifically within the context of antivirus software, typically refers to the interval or frequency at which the system conducts quick scans for malware or potential threats. This setting dictates how often Windows Defender performs quick scans on the system. Quick scans are less comprehensive than full system scans but provide a faster way to check critical areas for potential threats or malware. This registry setting is being abuse by several threat actors, adversaries and red teamers to bypasses Windows defender detections. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -action.escu.known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search. -action.escu.creation_date = 2024-01-08 -action.escu.modification_date = 2024-01-08 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Impair Defense Change Win Defender Quick Scan Interval - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Windows Defense Evasion Tactics", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = Windows Defender QuickScanInterval feature was modified on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Impair Defense Change Win Defender Quick Scan Interval - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "783f0798-f679-4c17-b3b3-187febf0b9b8", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a modification in the Windows registry to change Windows Defender Quick Scan Interval. The "QuickScanInterval" in Windows Defender, specifically within the context of antivirus software, typically refers to the interval or frequency at which the system conducts quick scans for malware or potential threats. This setting dictates how often Windows Defender performs quick scans on the system. Quick scans are less comprehensive than full system scans but provide a faster way to check critical areas for potential threats or malware. This registry setting is being abuse by several threat actors, adversaries and red teamers to bypasses Windows defender detections. -action.notable.param.rule_title = Windows Impair Defense Change Win Defender Quick Scan Interval -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\Scan\\QuickScanInterval" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_change_win_defender_quick_scan_interval_filter` - -[ESCU - Windows Impair Defense Change Win Defender Throttle Rate - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a modification in the Windows registry to change the ThrottleDetectionEventsRate of Windows Defender. The ThrottleDetectionEventsRate registry setting in Windows Defender is related to controlling the rate at which detection events are logged or reported by Windows Defender Antivirus. This registry setting determines how frequently Windows Defender logs or reports detection events. Adjusting the ThrottleDetectionEventsRate value can impact the logging frequency of detection events such as malware detections, scanning results, or security-related events recorded by Windows Defender. A higher value might mean that detection events are reported less frequently, potentially reducing the volume of recorded events, while a lower value could increase the reporting frequency, resulting in more frequent logs of detection events. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a modification in the Windows registry to change the ThrottleDetectionEventsRate of Windows Defender. The ThrottleDetectionEventsRate registry setting in Windows Defender is related to controlling the rate at which detection events are logged or reported by Windows Defender Antivirus. This registry setting determines how frequently Windows Defender logs or reports detection events. Adjusting the ThrottleDetectionEventsRate value can impact the logging frequency of detection events such as malware detections, scanning results, or security-related events recorded by Windows Defender. A higher value might mean that detection events are reported less frequently, potentially reducing the volume of recorded events, while a lower value could increase the reporting frequency, resulting in more frequent logs of detection events. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -action.escu.known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search. -action.escu.creation_date = 2024-01-08 -action.escu.modification_date = 2024-01-08 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Impair Defense Change Win Defender Throttle Rate - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Windows Defense Evasion Tactics", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = Windows Defender ThrottleDetectionEventsRate feature was modified on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Impair Defense Change Win Defender Throttle Rate - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "f7da5fca-9261-43de-a4d0-130dad1e4f4d", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a modification in the Windows registry to change the ThrottleDetectionEventsRate of Windows Defender. The ThrottleDetectionEventsRate registry setting in Windows Defender is related to controlling the rate at which detection events are logged or reported by Windows Defender Antivirus. This registry setting determines how frequently Windows Defender logs or reports detection events. Adjusting the ThrottleDetectionEventsRate value can impact the logging frequency of detection events such as malware detections, scanning results, or security-related events recorded by Windows Defender. A higher value might mean that detection events are reported less frequently, potentially reducing the volume of recorded events, while a lower value could increase the reporting frequency, resulting in more frequent logs of detection events. -action.notable.param.rule_title = Windows Impair Defense Change Win Defender Throttle Rate -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\NIS\\Consumers\\IPS\\ThrottleDetectionEventsRate" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_change_win_defender_throttle_rate_filter` - -[ESCU - Windows Impair Defense Change Win Defender Tracing Level - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a modification in the Windows registry to change the Windows Defender Wpp Tracing levels. The "WppTracingLevel" registry setting is typically related to Windows software tracing and diagnostics, specifically involving Windows Software Trace Preprocessor (WPP) tracing. WPP tracing is a mechanism used by developers to instrument code for diagnostic purposes, allowing for the collection of detailed logs and traces during software execution. It helps in understanding the behavior of the software, identifying issues, and analyzing its performance. Without specific documentation or references to "WppTracingLevel" within Windows Defender settings or its functionalities, it's challenging to provide precise details about its intended use or configuration within Windows Defender. Modifying registry settings without understanding their implications can affect system behavior or security. Always proceed cautiously and ensure changes align with best practices and organizational requirements. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a modification in the Windows registry to change the Windows Defender Wpp Tracing levels. The "WppTracingLevel" registry setting is typically related to Windows software tracing and diagnostics, specifically involving Windows Software Trace Preprocessor (WPP) tracing. WPP tracing is a mechanism used by developers to instrument code for diagnostic purposes, allowing for the collection of detailed logs and traces during software execution. It helps in understanding the behavior of the software, identifying issues, and analyzing its performance. Without specific documentation or references to "WppTracingLevel" within Windows Defender settings or its functionalities, it's challenging to provide precise details about its intended use or configuration within Windows Defender. Modifying registry settings without understanding their implications can affect system behavior or security. Always proceed cautiously and ensure changes align with best practices and organizational requirements. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -action.escu.known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search. -action.escu.creation_date = 2024-01-08 -action.escu.modification_date = 2024-01-08 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Impair Defense Change Win Defender Tracing Level - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Windows Defense Evasion Tactics", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = Windows Defender WppTracingLevel registry was modified on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Impair Defense Change Win Defender Tracing Level - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "fe9391cd-952a-4c64-8f56-727cb0d4f2d4", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a modification in the Windows registry to change the Windows Defender Wpp Tracing levels. The "WppTracingLevel" registry setting is typically related to Windows software tracing and diagnostics, specifically involving Windows Software Trace Preprocessor (WPP) tracing. WPP tracing is a mechanism used by developers to instrument code for diagnostic purposes, allowing for the collection of detailed logs and traces during software execution. It helps in understanding the behavior of the software, identifying issues, and analyzing its performance. Without specific documentation or references to "WppTracingLevel" within Windows Defender settings or its functionalities, it's challenging to provide precise details about its intended use or configuration within Windows Defender. Modifying registry settings without understanding their implications can affect system behavior or security. Always proceed cautiously and ensure changes align with best practices and organizational requirements. -action.notable.param.rule_title = Windows Impair Defense Change Win Defender Tracing Level -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\Reporting\\WppTracingLevel" Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_change_win_defender_tracing_level_filter` - -[ESCU - Windows Impair Defense Configure App Install Control - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a modification in the Windows registry to change or disable Windows Defender smartscreen app install control. Microsoft Edge's App Install Control feature helps manage the installation of web-based applications. When attackers modify "ConfigureAppInstallControlEnabled" to 0, they are likely attempting to disable the App Install Control feature in Microsoft Edge. This change might allow users to bypass restrictions imposed by the browser on the installation of web-based applications. Disabling this feature might increase the risk of users being able to install potentially malicious or untrusted web applications without restrictions or controls imposed by the browser. This action could potentially lead to security vulnerabilities or compromise if users inadvertently install harmful applications. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a modification in the Windows registry to change or disable Windows Defender smartscreen app install control. Microsoft Edge's App Install Control feature helps manage the installation of web-based applications. When attackers modify "ConfigureAppInstallControlEnabled" to 0, they are likely attempting to disable the App Install Control feature in Microsoft Edge. This change might allow users to bypass restrictions imposed by the browser on the installation of web-based applications. Disabling this feature might increase the risk of users being able to install potentially malicious or untrusted web applications without restrictions or controls imposed by the browser. This action could potentially lead to security vulnerabilities or compromise if users inadvertently install harmful applications. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -action.escu.known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search. -action.escu.creation_date = 2024-01-08 -action.escu.modification_date = 2024-01-08 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Impair Defense Configure App Install Control - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Windows Defense Evasion Tactics", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = Define Windows Defender App Install Control registry set to disable on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Impair Defense Configure App Install Control - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c54b7439-cfb1-44c3-bb35-b0409553077c", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a modification in the Windows registry to change or disable Windows Defender smartscreen app install control. Microsoft Edge's App Install Control feature helps manage the installation of web-based applications. When attackers modify "ConfigureAppInstallControlEnabled" to 0, they are likely attempting to disable the App Install Control feature in Microsoft Edge. This change might allow users to bypass restrictions imposed by the browser on the installation of web-based applications. Disabling this feature might increase the risk of users being able to install potentially malicious or untrusted web applications without restrictions or controls imposed by the browser. This action could potentially lead to security vulnerabilities or compromise if users inadvertently install harmful applications. -action.notable.param.rule_title = Windows Impair Defense Configure App Install Control -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\Microsoft\\Windows Defender\\SmartScreen\\ConfigureAppInstallControl" Registry.registry_value_data= "Anywhere") OR (Registry.registry_path= "*\\Microsoft\\Windows Defender\\SmartScreen\\ConfigureAppInstallControlEnabled" Registry.registry_value_data= "0x00000000") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_configure_app_install_control_filter` - -[ESCU - Windows Impair Defense Define Win Defender Threat Action - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a modification in the Windows registry to define the threat action of Windows Defender. The ThreatSeverityDefaultAction registry setting in Windows Defender is used to define the default action taken by Windows Defender when it encounters threats of specific severity levels. A setting like ThreatSeverityDefaultAction is designed to define how Windows Defender responds to threats based on their severity. For example, it might determine whether Windows Defender quarantines, removes, or takes other actions against threats based on their severity levels. In this context, a registry value of 1 typically indicates an action to "clean," aiming to disinfect or resolve the detected threat, while a registry value of 9 signifies "no action," meaning that the antivirus software refrains from taking immediate steps against the identified threat. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a modification in the Windows registry to define the threat action of Windows Defender. The ThreatSeverityDefaultAction registry setting in Windows Defender is used to define the default action taken by Windows Defender when it encounters threats of specific severity levels. A setting like ThreatSeverityDefaultAction is designed to define how Windows Defender responds to threats based on their severity. For example, it might determine whether Windows Defender quarantines, removes, or takes other actions against threats based on their severity levels. In this context, a registry value of 1 typically indicates an action to "clean," aiming to disinfect or resolve the detected threat, while a registry value of 9 signifies "no action," meaning that the antivirus software refrains from taking immediate steps against the identified threat. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -action.escu.known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search. -action.escu.creation_date = 2024-01-08 -action.escu.modification_date = 2024-01-08 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Impair Defense Define Win Defender Threat Action - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Windows Defense Evasion Tactics", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = Define Windows Defender threat action through registry on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Impair Defense Define Win Defender Threat Action - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "7215831c-8252-4ae3-8d43-db588e82f952", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a modification in the Windows registry to define the threat action of Windows Defender. The ThreatSeverityDefaultAction registry setting in Windows Defender is used to define the default action taken by Windows Defender when it encounters threats of specific severity levels. A setting like ThreatSeverityDefaultAction is designed to define how Windows Defender responds to threats based on their severity. For example, it might determine whether Windows Defender quarantines, removes, or takes other actions against threats based on their severity levels. In this context, a registry value of 1 typically indicates an action to "clean," aiming to disinfect or resolve the detected threat, while a registry value of 9 signifies "no action," meaning that the antivirus software refrains from taking immediate steps against the identified threat. -action.notable.param.rule_title = Windows Impair Defense Define Win Defender Threat Action -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\Threats\\ThreatSeverityDefaultAction*" Registry.registry_value_data IN ("0x00000001", "9") by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_define_win_defender_threat_action_filter` - -[ESCU - Windows Impair Defense Delete Win Defender Context Menu - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The search looks for the deletion of Windows Defender context menu within the registry. This is consistent behavior with RAT malware across a fleet of endpoints. This particular behavior is executed when an adversary gains access to an endpoint and begins to perform execution. Usually, a batch (.bat) will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The search looks for the deletion of Windows Defender context menu within the registry. This is consistent behavior with RAT malware across a fleet of endpoints. This particular behavior is executed when an adversary gains access to an endpoint and begins to perform execution. Usually, a batch (.bat) will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -action.escu.known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search. -action.escu.creation_date = 2022-06-07 -action.escu.modification_date = 2022-06-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Impair Defense Delete Win Defender Context Menu - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Windows Defense Evasion Tactics", "Windows Registry Abuse"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Impair Defense Delete Win Defender Context Menu - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "395ed5fe-ad13-4366-9405-a228427bdd91", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\shellex\\ContextMenuHandlers\\EPP" Registry.action = deleted by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.dest Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_delete_win_defender_context_menu_filter` - -[ESCU - Windows Impair Defense Delete Win Defender Profile Registry - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The search looks for the deletion of Windows Defender main profile within the registry. This was used by RAT malware across a fleet of endpoints. This particular behavior is typically executed when an adversary gains access to an endpoint and beings to perform execution. Usually, a batch (.bat) will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The search looks for the deletion of Windows Defender main profile within the registry. This was used by RAT malware across a fleet of endpoints. This particular behavior is typically executed when an adversary gains access to an endpoint and beings to perform execution. Usually, a batch (.bat) will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -action.escu.known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search. -action.escu.creation_date = 2022-06-07 -action.escu.modification_date = 2022-06-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Impair Defense Delete Win Defender Profile Registry - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Windows Defense Evasion Tactics", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = Windows Defender Logger registry key set to 'disabled' on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Impair Defense Delete Win Defender Profile Registry - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "65d4b105-ec52-48ec-ac46-289d0fbf7d96", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\Policies\\Microsoft\\Windows Defender" Registry.action = deleted by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_delete_win_defender_profile_registry_filter` - -[ESCU - Windows Impair Defense Deny Security Software With Applocker - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a modification in the Windows registry by the Applocker utility that contains details or registry data values related to denying the execution of several security products. This technique was seen in Azorult malware where it drops an xml Applocker policy that will deny several AV products and then loaded by using PowerShell Applocker commandlet. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a modification in the Windows registry by the Applocker utility that contains details or registry data values related to denying the execution of several security products. This technique was seen in Azorult malware where it drops an xml Applocker policy that will deny several AV products and then loaded by using PowerShell Applocker commandlet. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -action.escu.known_false_positives = False positives may be present based on organization use of Applocker. Filter as needed. -action.escu.creation_date = 2022-06-24 -action.escu.modification_date = 2022-06-24 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Impair Defense Deny Security Software With Applocker - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Azorult"] -action.risk = 1 -action.risk.param._risk_message = Applocker registry modification to deny the action of several AV products on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 100}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Impair Defense Deny Security Software With Applocker - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azorult"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e0b6ca60-9e29-4450-b51a-bba0abae2313", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a modification in the Windows registry by the Applocker utility that contains details or registry data values related to denying the execution of several security products. This technique was seen in Azorult malware where it drops an xml Applocker policy that will deny several AV products and then loaded by using PowerShell Applocker commandlet. -action.notable.param.rule_title = Windows Impair Defense Deny Security Software With Applocker -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy Objects\\*" AND Registry.registry_path= "*}Machine\\Software\\Policies\\Microsoft\\Windows\\SrpV2*") OR Registry.registry_path="*\\Software\\Policies\\Microsoft\\Windows\\SrpV2*" AND Registry.registry_value_data = "*Action\=\"Deny\"*" AND Registry.registry_value_data IN("*O=SYMANTEC*","*O=MCAFEE*","*O=KASPERSKY*","*O=BLEEPING COMPUTER*", "*O=PANDA SECURITY*","*O=SYSTWEAK SOFTWARE*", "*O=TREND MICRO*", "*O=AVAST*", "*O=GRIDINSOFT*", "*O=MICROSOFT*", "*O=NANO SECURITY*", "*O=SUPERANTISPYWARE.COM*", "*O=DOCTOR WEB*", "*O=MALWAREBYTES*", "*O=ESET*", "*O=AVIRA*", "*O=WEBROOT*") by Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.registry_key_name Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_deny_security_software_with_applocker_filter` - -[ESCU - Windows Impair Defense Disable Controlled Folder Access - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a modification in the Windows registry to disable Windows Defender Controlled Folder Access feature. The EnableControlledFolderAccess registry setting is associated with the Controlled Folder Access feature in Windows Defender. Controlled Folder Access is a security feature designed to protect certain folders from unauthorized access or modification by malicious applications, including ransomware. When EnableControlledFolderAccess is set to 0, it usually indicates that the Controlled Folder Access feature within Windows Defender is not active. Consequently, the protection mechanism for the specified folders against unauthorized access by potentially malicious applications or ransomware is not enabled. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a modification in the Windows registry to disable Windows Defender Controlled Folder Access feature. The EnableControlledFolderAccess registry setting is associated with the Controlled Folder Access feature in Windows Defender. Controlled Folder Access is a security feature designed to protect certain folders from unauthorized access or modification by malicious applications, including ransomware. When EnableControlledFolderAccess is set to 0, it usually indicates that the Controlled Folder Access feature within Windows Defender is not active. Consequently, the protection mechanism for the specified folders against unauthorized access by potentially malicious applications or ransomware is not enabled. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -action.escu.known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search. -action.escu.creation_date = 2024-01-08 -action.escu.modification_date = 2024-01-08 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Impair Defense Disable Controlled Folder Access - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Windows Defense Evasion Tactics", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = Windows Defender ControlledFolderAccess feature set to disable on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Impair Defense Disable Controlled Folder Access - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "3032741c-d6fc-4c69-8988-be8043d6478c", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a modification in the Windows registry to disable Windows Defender Controlled Folder Access feature. The EnableControlledFolderAccess registry setting is associated with the Controlled Folder Access feature in Windows Defender. Controlled Folder Access is a security feature designed to protect certain folders from unauthorized access or modification by malicious applications, including ransomware. When EnableControlledFolderAccess is set to 0, it usually indicates that the Controlled Folder Access feature within Windows Defender is not active. Consequently, the protection mechanism for the specified folders against unauthorized access by potentially malicious applications or ransomware is not enabled. -action.notable.param.rule_title = Windows Impair Defense Disable Controlled Folder Access -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\Windows Defender Exploit Guard\\Controlled Folder Access\\EnableControlledFolderAccess" Registry.registry_value_data="0x00000000" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_controlled_folder_access_filter` - -[ESCU - Windows Impair Defense Disable Defender Firewall And Network - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a modification in the Windows registry to disable firewall and network protection section settings of windows security. The specific impact of this change depends on the context and the purpose behind modifying this registry value. In general, setting UILockdown to 1 might imply enforcing a restriction or lockdown in the user interface (UI) related to firewall and network protection settings within Windows Defender Security Center. This could potentially restrict users from modifying certain firewall or network protection settings through the UI. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a modification in the Windows registry to disable firewall and network protection section settings of windows security. The specific impact of this change depends on the context and the purpose behind modifying this registry value. In general, setting UILockdown to 1 might imply enforcing a restriction or lockdown in the user interface (UI) related to firewall and network protection settings within Windows Defender Security Center. This could potentially restrict users from modifying certain firewall or network protection settings through the UI. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -action.escu.known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search. -action.escu.creation_date = 2024-01-08 -action.escu.modification_date = 2024-01-08 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Impair Defense Disable Defender Firewall And Network - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Windows Defense Evasion Tactics", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = Windows Defender firewall and network protection section feature set to disable on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Impair Defense Disable Defender Firewall And Network - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "8467d8cd-b0f9-46fa-ac84-a30ad138983e", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a modification in the Windows registry to disable firewall and network protection section settings of windows security. The specific impact of this change depends on the context and the purpose behind modifying this registry value. In general, setting UILockdown to 1 might imply enforcing a restriction or lockdown in the user interface (UI) related to firewall and network protection settings within Windows Defender Security Center. This could potentially restrict users from modifying certain firewall or network protection settings through the UI. -action.notable.param.rule_title = Windows Impair Defense Disable Defender Firewall And Network -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender Security Center\\Firewall and network protection\\UILockdown" Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_defender_firewall_and_network_filter` - -[ESCU - Windows Impair Defense Disable Defender Protocol Recognition - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a modification in the Windows registry to disable Windows Defender protocol recognition feature. The DisableProtocolRecognition setting in Windows Defender is not a commonly known or documented registry setting. It's possible that this specific setting might not exist within the standard Windows Defender configurations or that it might be specific to certain environments, versions, or configurations. It might potentially control or influence the antivirus software's ability to recognize and handle specific protocols or communication methods used by malware or suspicious software. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a modification in the Windows registry to disable Windows Defender protocol recognition feature. The DisableProtocolRecognition setting in Windows Defender is not a commonly known or documented registry setting. It's possible that this specific setting might not exist within the standard Windows Defender configurations or that it might be specific to certain environments, versions, or configurations. It might potentially control or influence the antivirus software's ability to recognize and handle specific protocols or communication methods used by malware or suspicious software. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -action.escu.known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search. -action.escu.creation_date = 2024-01-08 -action.escu.modification_date = 2024-01-08 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Impair Defense Disable Defender Protocol Recognition - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Windows Defense Evasion Tactics", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = Windows Defender Protocol Recognition set to disable on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Impair Defense Disable Defender Protocol Recognition - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "b2215bfb-6171-4137-af17-1a02fdd8d043", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a modification in the Windows registry to disable Windows Defender protocol recognition feature. The DisableProtocolRecognition setting in Windows Defender is not a commonly known or documented registry setting. It's possible that this specific setting might not exist within the standard Windows Defender configurations or that it might be specific to certain environments, versions, or configurations. It might potentially control or influence the antivirus software's ability to recognize and handle specific protocols or communication methods used by malware or suspicious software. -action.notable.param.rule_title = Windows Impair Defense Disable Defender Protocol Recognition -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\NIS\\DisableProtocolRecognition" Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_defender_protocol_recognition_filter` - -[ESCU - Windows Impair Defense Disable PUA Protection - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a modification in the Windows registry to disable Windows Defender PUA protection. Setting PUAProtection to 0 typically disables the detection and protection against Potentially Unwanted Applications by Microsoft Defender Antivirus. Potentially Unwanted Applications include software that may not be inherently malicious but could exhibit behaviors that users may find undesirable, such as adware, browser toolbars, or software bundlers. Disabling this feature might be preferred in certain situations, but it's essential to consider potential security implications. Enabling PUA protection provides an additional layer of defense against software that might negatively impact user experience or security. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a modification in the Windows registry to disable Windows Defender PUA protection. Setting PUAProtection to 0 typically disables the detection and protection against Potentially Unwanted Applications by Microsoft Defender Antivirus. Potentially Unwanted Applications include software that may not be inherently malicious but could exhibit behaviors that users may find undesirable, such as adware, browser toolbars, or software bundlers. Disabling this feature might be preferred in certain situations, but it's essential to consider potential security implications. Enabling PUA protection provides an additional layer of defense against software that might negatively impact user experience or security. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -action.escu.known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search. -action.escu.creation_date = 2024-01-08 -action.escu.modification_date = 2024-01-08 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Impair Defense Disable PUA Protection - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Windows Defense Evasion Tactics", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = Windows Defender PUA protection set to disable on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Impair Defense Disable PUA Protection - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "fbfef407-cfee-4866-88c1-f8de1c16147c", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a modification in the Windows registry to disable Windows Defender PUA protection. Setting PUAProtection to 0 typically disables the detection and protection against Potentially Unwanted Applications by Microsoft Defender Antivirus. Potentially Unwanted Applications include software that may not be inherently malicious but could exhibit behaviors that users may find undesirable, such as adware, browser toolbars, or software bundlers. Disabling this feature might be preferred in certain situations, but it's essential to consider potential security implications. Enabling PUA protection provides an additional layer of defense against software that might negatively impact user experience or security. -action.notable.param.rule_title = Windows Impair Defense Disable PUA Protection -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\PUAProtection" Registry.registry_value_data="0x00000000" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_pua_protection_filter` - -[ESCU - Windows Impair Defense Disable Realtime Signature Delivery - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a modification in the Windows registry to disable windows defender realtime signature delivery feature. This setting governs how Windows Defender Antivirus receives updated signature definitions for identifying and combating malware threats in real-time. The actual impact and behaviors associated with different values for RealtimeSignatureDelivery can vary based on specific Windows Defender configurations and policies. For instance, setting this value to 0 or 1 might control whether real-time signatures are delivered via different methods such as through Windows Update or directly from Microsoft's cloud-based services. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint", "Updates"] -action.escu.eli5 = The following analytic identifies a modification in the Windows registry to disable windows defender realtime signature delivery feature. This setting governs how Windows Defender Antivirus receives updated signature definitions for identifying and combating malware threats in real-time. The actual impact and behaviors associated with different values for RealtimeSignatureDelivery can vary based on specific Windows Defender configurations and policies. For instance, setting this value to 0 or 1 might control whether real-time signatures are delivered via different methods such as through Windows Update or directly from Microsoft's cloud-based services. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -action.escu.known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search. -action.escu.creation_date = 2024-01-08 -action.escu.modification_date = 2024-01-08 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Impair Defense Disable Realtime Signature Delivery - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Windows Defense Evasion Tactics", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = Windows Defender File realtime signature delivery set to disable on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Impair Defense Disable Realtime Signature Delivery - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "ffd99aea-542f-448e-b737-091c1b417274", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a modification in the Windows registry to disable windows defender realtime signature delivery feature. This setting governs how Windows Defender Antivirus receives updated signature definitions for identifying and combating malware threats in real-time. The actual impact and behaviors associated with different values for RealtimeSignatureDelivery can vary based on specific Windows Defender configurations and policies. For instance, setting this value to 0 or 1 might control whether real-time signatures are delivered via different methods such as through Windows Update or directly from Microsoft's cloud-based services. -action.notable.param.rule_title = Windows Impair Defense Disable Realtime Signature Delivery -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\Signature Updates\\RealtimeSignatureDelivery" Registry.registry_value_data="0x00000000" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_realtime_signature_delivery_filter` - -[ESCU - Windows Impair Defense Disable Web Evaluation - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a modification in the Windows registry to disable Windows Defender web content evaluation. The "EnableWebContentEvaluation" registry entry typically relates to security settings within Microsoft Edge or Internet Explorer, enabling the evaluation of web content for security purposes. When attackers modify "EnableWebContentEvaluation" to 0, they might attempt to disable the browser's capability to evaluate web content for security purposes. Disabling this feature could potentially impact the browser's ability to assess the security risks associated with web content, such as potentially malicious scripts, active content, or unsafe web elements. By turning off content evaluation, attackers might aim to exploit security vulnerabilities present in web content without triggering security warnings or blocks. This manipulation increases the risk of users accessing or interacting with malicious content, potentially leading to security compromises or system exploitation. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint", "Web"] -action.escu.eli5 = The following analytic identifies a modification in the Windows registry to disable Windows Defender web content evaluation. The "EnableWebContentEvaluation" registry entry typically relates to security settings within Microsoft Edge or Internet Explorer, enabling the evaluation of web content for security purposes. When attackers modify "EnableWebContentEvaluation" to 0, they might attempt to disable the browser's capability to evaluate web content for security purposes. Disabling this feature could potentially impact the browser's ability to assess the security risks associated with web content, such as potentially malicious scripts, active content, or unsafe web elements. By turning off content evaluation, attackers might aim to exploit security vulnerabilities present in web content without triggering security warnings or blocks. This manipulation increases the risk of users accessing or interacting with malicious content, potentially leading to security compromises or system exploitation. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -action.escu.known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search. -action.escu.creation_date = 2024-01-08 -action.escu.modification_date = 2024-01-08 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Impair Defense Disable Web Evaluation - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Windows Defense Evasion Tactics", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = Windows Defender web content evaluation feature set to disable on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Impair Defense Disable Web Evaluation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e234970c-dcf5-4f80-b6a9-3a562544ca5b", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a modification in the Windows registry to disable Windows Defender web content evaluation. The "EnableWebContentEvaluation" registry entry typically relates to security settings within Microsoft Edge or Internet Explorer, enabling the evaluation of web content for security purposes. When attackers modify "EnableWebContentEvaluation" to 0, they might attempt to disable the browser's capability to evaluate web content for security purposes. Disabling this feature could potentially impact the browser's ability to assess the security risks associated with web content, such as potentially malicious scripts, active content, or unsafe web elements. By turning off content evaluation, attackers might aim to exploit security vulnerabilities present in web content without triggering security warnings or blocks. This manipulation increases the risk of users accessing or interacting with malicious content, potentially leading to security compromises or system exploitation. -action.notable.param.rule_title = Windows Impair Defense Disable Web Evaluation -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE Registry.registry_path= "*\\Windows\\CurrentVersion\\AppHost\\EnableWebContentEvaluation" Registry.registry_value_data= "0x00000000" BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_web_evaluation_filter` - -[ESCU - Windows Impair Defense Disable Win Defender App Guard - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a modification in the Windows registry to disable Windows Defender audit application guard. Microsoft Defender Application Guard provides enhanced security by isolating potentially malicious documents and websites in a containerized environment, protecting the system against various threats. Auditing and logging are essential components of security measures, providing visibility into activities within the isolated environment. Disabling auditing events within Application Guard might not be a standard or recommended practice since auditing is crucial for security monitoring and threat detection within the isolated container. However, there might be settings or configurations related to audit policies in the broader Windows Defender or operating system settings. This registry setting is being abuse by several threat actors, adversaries and red teamers to bypasses Windows defender detections. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a modification in the Windows registry to disable Windows Defender audit application guard. Microsoft Defender Application Guard provides enhanced security by isolating potentially malicious documents and websites in a containerized environment, protecting the system against various threats. Auditing and logging are essential components of security measures, providing visibility into activities within the isolated environment. Disabling auditing events within Application Guard might not be a standard or recommended practice since auditing is crucial for security monitoring and threat detection within the isolated container. However, there might be settings or configurations related to audit policies in the broader Windows Defender or operating system settings. This registry setting is being abuse by several threat actors, adversaries and red teamers to bypasses Windows defender detections. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -action.escu.known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search. -action.escu.creation_date = 2024-01-08 -action.escu.modification_date = 2024-01-08 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Impair Defense Disable Win Defender App Guard - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Windows Defense Evasion Tactics", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = Windows Defender AuditApplicationGuard feature set to disable on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Impair Defense Disable Win Defender App Guard - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "8b700d7e-54ad-4d7d-81cc-1456c4703306", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a modification in the Windows registry to disable Windows Defender audit application guard. Microsoft Defender Application Guard provides enhanced security by isolating potentially malicious documents and websites in a containerized environment, protecting the system against various threats. Auditing and logging are essential components of security measures, providing visibility into activities within the isolated environment. Disabling auditing events within Application Guard might not be a standard or recommended practice since auditing is crucial for security monitoring and threat detection within the isolated container. However, there might be settings or configurations related to audit policies in the broader Windows Defender or operating system settings. This registry setting is being abuse by several threat actors, adversaries and red teamers to bypasses Windows defender detections. -action.notable.param.rule_title = Windows Impair Defense Disable Win Defender App Guard -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Policies\\Microsoft\\AppHVSI\\AuditApplicationGuard" Registry.registry_value_data="0x00000000" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_win_defender_app_guard_filter` - -[ESCU - Windows Impair Defense Disable Win Defender Compute File Hashes - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a modification in the Windows registry to disable Windows Defender file hashes computation. The EnableFileHashComputation registry setting likely pertains to whether Windows Defender's MpEngine (Malware Protection Engine) computes file hashes. Setting this value to 0 might disable the file hash computation feature within Windows Defender, which could affect certain malware detection or scanning functionalities that rely on file hash analysis. This registry setting is being abuse by several threat actors, adversaries and red teamers to bypasses Windows defender detections. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a modification in the Windows registry to disable Windows Defender file hashes computation. The EnableFileHashComputation registry setting likely pertains to whether Windows Defender's MpEngine (Malware Protection Engine) computes file hashes. Setting this value to 0 might disable the file hash computation feature within Windows Defender, which could affect certain malware detection or scanning functionalities that rely on file hash analysis. This registry setting is being abuse by several threat actors, adversaries and red teamers to bypasses Windows defender detections. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -action.escu.known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search. -action.escu.creation_date = 2024-01-08 -action.escu.modification_date = 2024-01-08 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Impair Defense Disable Win Defender Compute File Hashes - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Windows Defense Evasion Tactics", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = Windows Defender File hashes computation set to disable on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Impair Defense Disable Win Defender Compute File Hashes - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "fe52c280-98bd-4596-b6f6-a13bbf8ac7c6", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a modification in the Windows registry to disable Windows Defender file hashes computation. The EnableFileHashComputation registry setting likely pertains to whether Windows Defender's MpEngine (Malware Protection Engine) computes file hashes. Setting this value to 0 might disable the file hash computation feature within Windows Defender, which could affect certain malware detection or scanning functionalities that rely on file hash analysis. This registry setting is being abuse by several threat actors, adversaries and red teamers to bypasses Windows defender detections. -action.notable.param.rule_title = Windows Impair Defense Disable Win Defender Compute File Hashes -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\MpEngine\\EnableFileHashComputation" Registry.registry_value_data="0x00000000" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_win_defender_compute_file_hashes_filter` - -[ESCU - Windows Impair Defense Disable Win Defender Gen reports - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a modification in the Windows registry to disable Windows Defender generic ports. This registry can disable the sending of Watson events in Windows Defender. This is by preventing the transmission of generic or non-specific error reports to Microsoft's Windows Error Reporting service, commonly known as Watson. This kind of setting could potentially be employed to limit or control the data sent to Microsoft for error analysis, often in scenarios where privacy or specific reporting requirements are in place. This registry setting is being abuse by several threat actors, adversaries and red teamers to bypasses Windows defender detections. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a modification in the Windows registry to disable Windows Defender generic ports. This registry can disable the sending of Watson events in Windows Defender. This is by preventing the transmission of generic or non-specific error reports to Microsoft's Windows Error Reporting service, commonly known as Watson. This kind of setting could potentially be employed to limit or control the data sent to Microsoft for error analysis, often in scenarios where privacy or specific reporting requirements are in place. This registry setting is being abuse by several threat actors, adversaries and red teamers to bypasses Windows defender detections. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -action.escu.known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search. -action.escu.creation_date = 2024-01-08 -action.escu.modification_date = 2024-01-08 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Impair Defense Disable Win Defender Gen reports - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Windows Defense Evasion Tactics", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = Windows Defender DisableGenericRePorts registry is set to enable on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Impair Defense Disable Win Defender Gen reports - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "93f114f6-cb1e-419b-ac3f-9e11a3045e70", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a modification in the Windows registry to disable Windows Defender generic ports. This registry can disable the sending of Watson events in Windows Defender. This is by preventing the transmission of generic or non-specific error reports to Microsoft's Windows Error Reporting service, commonly known as Watson. This kind of setting could potentially be employed to limit or control the data sent to Microsoft for error analysis, often in scenarios where privacy or specific reporting requirements are in place. This registry setting is being abuse by several threat actors, adversaries and red teamers to bypasses Windows defender detections. -action.notable.param.rule_title = Windows Impair Defense Disable Win Defender Gen reports -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\Reporting\\DisableGenericRePorts" Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_win_defender_gen_reports_filter` - -[ESCU - Windows Impair Defense Disable Win Defender Network Protection - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a modification in the Windows registry to disable Windows Defender exploit guard network protection. The EnableNetworkProtection registry entry controls the activation or deactivation of Network Protection within Windows Defender Exploit Guard. When set to 1, it typically signifies that Network Protection is enabled, offering additional security measures against network-based threats by analyzing and blocking potentially malicious network activity. This registry setting is being abuse by several threat actors, adversaries and red teamers to bypasses Windows defender detections. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a modification in the Windows registry to disable Windows Defender exploit guard network protection. The EnableNetworkProtection registry entry controls the activation or deactivation of Network Protection within Windows Defender Exploit Guard. When set to 1, it typically signifies that Network Protection is enabled, offering additional security measures against network-based threats by analyzing and blocking potentially malicious network activity. This registry setting is being abuse by several threat actors, adversaries and red teamers to bypasses Windows defender detections. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -action.escu.known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search. -action.escu.creation_date = 2024-01-08 -action.escu.modification_date = 2024-01-08 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Impair Defense Disable Win Defender Network Protection - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Windows Defense Evasion Tactics", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = Windows Defender Exploit Guard network protection set to disable on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Impair Defense Disable Win Defender Network Protection - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "8b6c15c7-5556-463d-83c7-986326c21f12", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a modification in the Windows registry to disable Windows Defender exploit guard network protection. The EnableNetworkProtection registry entry controls the activation or deactivation of Network Protection within Windows Defender Exploit Guard. When set to 1, it typically signifies that Network Protection is enabled, offering additional security measures against network-based threats by analyzing and blocking potentially malicious network activity. This registry setting is being abuse by several threat actors, adversaries and red teamers to bypasses Windows defender detections. -action.notable.param.rule_title = Windows Impair Defense Disable Win Defender Network Protection -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\Windows Defender Exploit Guard\\Network Protection\\EnableNetworkProtection" Registry.registry_value_data="0x00000000" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_win_defender_network_protection_filter` - -[ESCU - Windows Impair Defense Disable Win Defender Report Infection - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a modification in the Windows registry to disable windows defender report infection information. Setting this registry key to 1, Instructs Windows Defender not to report detailed information about infections or threats detected on the system to Microsoft. Enabling this setting might limit or prevent the transmission of specific data related to infections, such as details about the detected malware, to Microsoft's servers for analysis or logging purposes. This registry is being abused by adversaries, threat actors and red-teamers to bypasses Windows Defender detections. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a modification in the Windows registry to disable windows defender report infection information. Setting this registry key to 1, Instructs Windows Defender not to report detailed information about infections or threats detected on the system to Microsoft. Enabling this setting might limit or prevent the transmission of specific data related to infections, such as details about the detected malware, to Microsoft's servers for analysis or logging purposes. This registry is being abused by adversaries, threat actors and red-teamers to bypasses Windows Defender detections. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -action.escu.known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search. -action.escu.creation_date = 2024-01-08 -action.escu.modification_date = 2024-01-08 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Impair Defense Disable Win Defender Report Infection - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Windows Defense Evasion Tactics", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = Windows Defender DontReportInfectionInformation registry is enabled on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Impair Defense Disable Win Defender Report Infection - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "201946c6-b1d5-42bb-a7e0-5f7123f47fc4", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a modification in the Windows registry to disable windows defender report infection information. Setting this registry key to 1, Instructs Windows Defender not to report detailed information about infections or threats detected on the system to Microsoft. Enabling this setting might limit or prevent the transmission of specific data related to infections, such as details about the detected malware, to Microsoft's servers for analysis or logging purposes. This registry is being abused by adversaries, threat actors and red-teamers to bypasses Windows Defender detections. -action.notable.param.rule_title = Windows Impair Defense Disable Win Defender Report Infection -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Microsoft\\MRT\\DontReportInfectionInformation" Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_win_defender_report_infection_filter` - -[ESCU - Windows Impair Defense Disable Win Defender Scan On Update - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a modification in the Windows registry to disable Windows Defender Scan On Update. The "DisableScanOnUpdate" registry setting in Windows Defender, when set to a value of 1, typically signifies the feature that prevents automatic scans from initiating when updates to Windows Defender or its antivirus definitions are installed. Any modifications to registry settings, it's important to ensure that changes align with security policies and best practices. Incorrect settings might affect the system's security or functionality. Always consider the implications and ensure changes are made based on accurate information and organizational requirements. This registry setting is being abuse by several threat actors, adversaries and red teamers to bypasses Windows defender detections. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint", "Updates"] -action.escu.eli5 = The following analytic identifies a modification in the Windows registry to disable Windows Defender Scan On Update. The "DisableScanOnUpdate" registry setting in Windows Defender, when set to a value of 1, typically signifies the feature that prevents automatic scans from initiating when updates to Windows Defender or its antivirus definitions are installed. Any modifications to registry settings, it's important to ensure that changes align with security policies and best practices. Incorrect settings might affect the system's security or functionality. Always consider the implications and ensure changes are made based on accurate information and organizational requirements. This registry setting is being abuse by several threat actors, adversaries and red teamers to bypasses Windows defender detections. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -action.escu.known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search. -action.escu.creation_date = 2024-01-08 -action.escu.modification_date = 2024-01-08 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Impair Defense Disable Win Defender Scan On Update - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Windows Defense Evasion Tactics", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = Windows Defender DisableScanOnUpdate feature set to enable on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Impair Defense Disable Win Defender Scan On Update - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "0418e72f-e710-4867-b656-0688e1523e09", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a modification in the Windows registry to disable Windows Defender Scan On Update. The "DisableScanOnUpdate" registry setting in Windows Defender, when set to a value of 1, typically signifies the feature that prevents automatic scans from initiating when updates to Windows Defender or its antivirus definitions are installed. Any modifications to registry settings, it's important to ensure that changes align with security policies and best practices. Incorrect settings might affect the system's security or functionality. Always consider the implications and ensure changes are made based on accurate information and organizational requirements. This registry setting is being abuse by several threat actors, adversaries and red teamers to bypasses Windows defender detections. -action.notable.param.rule_title = Windows Impair Defense Disable Win Defender Scan On Update -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\Signature Updates\\DisableScanOnUpdate" Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_win_defender_scan_on_update_filter` - -[ESCU - Windows Impair Defense Disable Win Defender Signature Retirement - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a modification in the Windows registry to disable windows defender Signature Retirement. The DisableSignatureRetirement registry setting in Windows Defender controls the retirement or expiration of antivirus signatures used by Windows Defender Antivirus. When DisableSignatureRetirement is set to 1, it usually indicates that Windows Defender won't automatically retire or expire antivirus signatures. Antivirus signatures are files containing information about known malware and are used by Windows Defender to detect and protect against threats. Disabling signature retirement might prevent Windows Defender from automatically removing or retiring older or less relevant antivirus signatures. This can potentially increase the number of signatures in use and might impact system resources or the effectiveness of threat detection. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a modification in the Windows registry to disable windows defender Signature Retirement. The DisableSignatureRetirement registry setting in Windows Defender controls the retirement or expiration of antivirus signatures used by Windows Defender Antivirus. When DisableSignatureRetirement is set to 1, it usually indicates that Windows Defender won't automatically retire or expire antivirus signatures. Antivirus signatures are files containing information about known malware and are used by Windows Defender to detect and protect against threats. Disabling signature retirement might prevent Windows Defender from automatically removing or retiring older or less relevant antivirus signatures. This can potentially increase the number of signatures in use and might impact system resources or the effectiveness of threat detection. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -action.escu.known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search. -action.escu.creation_date = 2024-01-08 -action.escu.modification_date = 2024-01-08 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Impair Defense Disable Win Defender Signature Retirement - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Windows Defense Evasion Tactics", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = Windows Defender DisableSignatureRetirement registry is set to enable on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Impair Defense Disable Win Defender Signature Retirement - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "7567a72f-bada-489d-aef1-59743fb64a66", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a modification in the Windows registry to disable windows defender Signature Retirement. The DisableSignatureRetirement registry setting in Windows Defender controls the retirement or expiration of antivirus signatures used by Windows Defender Antivirus. When DisableSignatureRetirement is set to 1, it usually indicates that Windows Defender won't automatically retire or expire antivirus signatures. Antivirus signatures are files containing information about known malware and are used by Windows Defender to detect and protect against threats. Disabling signature retirement might prevent Windows Defender from automatically removing or retiring older or less relevant antivirus signatures. This can potentially increase the number of signatures in use and might impact system resources or the effectiveness of threat detection. -action.notable.param.rule_title = Windows Impair Defense Disable Win Defender Signature Retirement -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\NIS\\Consumers\\IPS\\DisableSignatureRetirement" Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_win_defender_signature_retirement_filter` - -[ESCU - Windows Impair Defense Overide Win Defender Phishing Filter - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a modification in the Windows registry to disable windows defender phishing filter. This setting controls whether users can manually disable or modify the browser's built-in phishing filter. When attackers modify "PreventOverride" to 0, it might indicate an attempt to disable the prevention of user overrides for the phishing filter within Microsoft Edge. This change allows users to bypass or disable the built-in phishing protection provided by the browser. By allowing users to override the phishing filter, attackers may attempt to deceive users into visiting phishing websites or malicious pages without triggering warnings or protections from the browser's built-in security measures. This manipulation increases the risk of users unknowingly accessing potentially harmful websites, leading to potential security incidents or compromises. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a modification in the Windows registry to disable windows defender phishing filter. This setting controls whether users can manually disable or modify the browser's built-in phishing filter. When attackers modify "PreventOverride" to 0, it might indicate an attempt to disable the prevention of user overrides for the phishing filter within Microsoft Edge. This change allows users to bypass or disable the built-in phishing protection provided by the browser. By allowing users to override the phishing filter, attackers may attempt to deceive users into visiting phishing websites or malicious pages without triggering warnings or protections from the browser's built-in security measures. This manipulation increases the risk of users unknowingly accessing potentially harmful websites, leading to potential security incidents or compromises. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -action.escu.known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search. -action.escu.creation_date = 2024-01-08 -action.escu.modification_date = 2024-01-08 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Impair Defense Overide Win Defender Phishing Filter - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Windows Defense Evasion Tactics", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = Windows Defender Phishing Filter registry was modified on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Impair Defense Overide Win Defender Phishing Filter - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "10ca081c-57b1-4a78-ba56-14a40a7e116a", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a modification in the Windows registry to disable windows defender phishing filter. This setting controls whether users can manually disable or modify the browser's built-in phishing filter. When attackers modify "PreventOverride" to 0, it might indicate an attempt to disable the prevention of user overrides for the phishing filter within Microsoft Edge. This change allows users to bypass or disable the built-in phishing protection provided by the browser. By allowing users to override the phishing filter, attackers may attempt to deceive users into visiting phishing websites or malicious pages without triggering warnings or protections from the browser's built-in security measures. This manipulation increases the risk of users unknowingly accessing potentially harmful websites, leading to potential security incidents or compromises. -action.notable.param.rule_title = Windows Impair Defense Overide Win Defender Phishing Filter -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_key_name = "*\\MicrosoftEdge\\PhishingFilter" Registry.registry_value_name IN ("EnabledV9", "PreventOverride") Registry.registry_value_data="0x00000000" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_overide_win_defender_phishing_filter_filter` - -[ESCU - Windows Impair Defense Override SmartScreen Prompt - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a modification in the Windows registry to override windows defender smartscreen prompt. The "PreventSmartScreenPromptOverride" registry setting is associated with the Windows SmartScreen feature, specifically related to controlling whether users can override SmartScreen prompts. When attackers modify "PreventSmartScreenPromptOverride" to 0, it signifies an attempt to disable the prevention of user overrides for SmartScreen prompts. By doing so, attackers aim to allow users to bypass or ignore SmartScreen warnings or prompts. This change increases the risk by permitting users to disregard warnings about potentially unsafe or malicious files or websites that would typically trigger SmartScreen alerts. It could lead to users unintentionally executing or accessing malicious content, potentially resulting in security incidents or system compromises. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a modification in the Windows registry to override windows defender smartscreen prompt. The "PreventSmartScreenPromptOverride" registry setting is associated with the Windows SmartScreen feature, specifically related to controlling whether users can override SmartScreen prompts. When attackers modify "PreventSmartScreenPromptOverride" to 0, it signifies an attempt to disable the prevention of user overrides for SmartScreen prompts. By doing so, attackers aim to allow users to bypass or ignore SmartScreen warnings or prompts. This change increases the risk by permitting users to disregard warnings about potentially unsafe or malicious files or websites that would typically trigger SmartScreen alerts. It could lead to users unintentionally executing or accessing malicious content, potentially resulting in security incidents or system compromises. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -action.escu.known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search. -action.escu.creation_date = 2024-01-08 -action.escu.modification_date = 2024-01-08 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Impair Defense Override SmartScreen Prompt - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Windows Defense Evasion Tactics", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = Windows Defender SmartScreen prompt was override on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Impair Defense Override SmartScreen Prompt - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "08058866-7987-486f-b042-275715ef6e9d", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a modification in the Windows registry to override windows defender smartscreen prompt. The "PreventSmartScreenPromptOverride" registry setting is associated with the Windows SmartScreen feature, specifically related to controlling whether users can override SmartScreen prompts. When attackers modify "PreventSmartScreenPromptOverride" to 0, it signifies an attempt to disable the prevention of user overrides for SmartScreen prompts. By doing so, attackers aim to allow users to bypass or ignore SmartScreen warnings or prompts. This change increases the risk by permitting users to disregard warnings about potentially unsafe or malicious files or websites that would typically trigger SmartScreen alerts. It could lead to users unintentionally executing or accessing malicious content, potentially resulting in security incidents or system compromises. -action.notable.param.rule_title = Windows Impair Defense Override SmartScreen Prompt -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE Registry.registry_path= "*\\Microsoft\\Edge\\PreventSmartScreenPromptOverride" Registry.registry_value_data= "0x00000000" BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_override_smartscreen_prompt_filter` - -[ESCU - Windows Impair Defense Set Win Defender Smart Screen Level To Warn - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a modification in the Windows registry to set windows defender smart screen level to warn. Setting the ShellSmartScreenLevel to warn implies a SmartScreen configuration where the system displays a warning prompt when users attempt to run or access potentially risky or unrecognized files or applications. This warning serves as a cautionary alert to users, advising them about the potential risks associated with the file or application they are trying to execute. Changing SmartScreen settings to "warn" might be employed by attackers to reduce the likelihood of triggering immediate suspicion from users when running malicious executables. By setting it to "warn," the system prompts a cautionary warning rather than outright blocking the execution, potentially increasing the chances of users proceeding with running the file despite the warning. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a modification in the Windows registry to set windows defender smart screen level to warn. Setting the ShellSmartScreenLevel to warn implies a SmartScreen configuration where the system displays a warning prompt when users attempt to run or access potentially risky or unrecognized files or applications. This warning serves as a cautionary alert to users, advising them about the potential risks associated with the file or application they are trying to execute. Changing SmartScreen settings to "warn" might be employed by attackers to reduce the likelihood of triggering immediate suspicion from users when running malicious executables. By setting it to "warn," the system prompts a cautionary warning rather than outright blocking the execution, potentially increasing the chances of users proceeding with running the file despite the warning. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -action.escu.known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search. -action.escu.creation_date = 2024-01-08 -action.escu.modification_date = 2024-01-08 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Impair Defense Set Win Defender Smart Screen Level To Warn - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Windows Defense Evasion Tactics", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = Windows Defender SmartScreen Level to Warn on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Impair Defense Set Win Defender Smart Screen Level To Warn - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "cc2a3425-2703-47e7-818f-3dca1b0bc56f", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a modification in the Windows registry to set windows defender smart screen level to warn. Setting the ShellSmartScreenLevel to warn implies a SmartScreen configuration where the system displays a warning prompt when users attempt to run or access potentially risky or unrecognized files or applications. This warning serves as a cautionary alert to users, advising them about the potential risks associated with the file or application they are trying to execute. Changing SmartScreen settings to "warn" might be employed by attackers to reduce the likelihood of triggering immediate suspicion from users when running malicious executables. By setting it to "warn," the system prompts a cautionary warning rather than outright blocking the execution, potentially increasing the chances of users proceeding with running the file despite the warning. -action.notable.param.rule_title = Windows Impair Defense Set Win Defender Smart Screen Level To Warn -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Microsoft\\Windows\\System\\ShellSmartScreenLevel" Registry.registry_value_data="Warn" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_set_win_defender_smart_screen_level_to_warn_filter` - -[ESCU - Windows Impair Defenses Disable HVCI - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic refers to a detection mechanism designed to identify when the Hypervisor-protected Code Integrity (HVCI) feature is disabled within the Windows registry. HVCI is a security feature in Windows 10 and Windows Server 2016 that helps protect the kernel and system processes from being tampered with by malicious code. HVCI relies on hardware-assisted virtualization and Microsoft's Hyper-V hypervisor to ensure that only kernel-mode code that has been signed by Microsoft or the system's hardware manufacturer can be executed. This prevents attackers from exploiting vulnerabilities to run unsigned code, like kernel-mode rootkits or other malicious software, at the kernel level. Disabling HVCI may expose the system to security risks and could be an indicator of a potential compromise or unauthorized activity. The analytic aims to detect and report events or configurations that lead to the disabling of HVCI. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic refers to a detection mechanism designed to identify when the Hypervisor-protected Code Integrity (HVCI) feature is disabled within the Windows registry. HVCI is a security feature in Windows 10 and Windows Server 2016 that helps protect the kernel and system processes from being tampered with by malicious code. HVCI relies on hardware-assisted virtualization and Microsoft's Hyper-V hypervisor to ensure that only kernel-mode code that has been signed by Microsoft or the system's hardware manufacturer can be executed. This prevents attackers from exploiting vulnerabilities to run unsigned code, like kernel-mode rootkits or other malicious software, at the kernel level. Disabling HVCI may expose the system to security risks and could be an indicator of a potential compromise or unauthorized activity. The analytic aims to detect and report events or configurations that lead to the disabling of HVCI. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -action.escu.known_false_positives = False positives will be limited to administrative scripts disabling HVCI. Filter as needed. -action.escu.creation_date = 2023-04-13 -action.escu.modification_date = 2023-04-13 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Impair Defenses Disable HVCI - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.atomic_red_team_guids = ["70bd71e6-eba4-4e00-92f7-617911dbe020"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["BlackLotus Campaign", "Windows Defense Evasion Tactics", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = HVCI has been disabled on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 70}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Impair Defenses Disable HVCI - Rule -action.correlationsearch.annotations = {"analytic_story": ["BlackLotus Campaign", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "b061dfcc-f0aa-42cc-a6d4-a87f172acb79", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic refers to a detection mechanism designed to identify when the Hypervisor-protected Code Integrity (HVCI) feature is disabled within the Windows registry. HVCI is a security feature in Windows 10 and Windows Server 2016 that helps protect the kernel and system processes from being tampered with by malicious code. HVCI relies on hardware-assisted virtualization and Microsoft's Hyper-V hypervisor to ensure that only kernel-mode code that has been signed by Microsoft or the system's hardware manufacturer can be executed. This prevents attackers from exploiting vulnerabilities to run unsigned code, like kernel-mode rootkits or other malicious software, at the kernel level. Disabling HVCI may expose the system to security risks and could be an indicator of a potential compromise or unauthorized activity. The analytic aims to detect and report events or configurations that lead to the disabling of HVCI. -action.notable.param.rule_title = Windows Impair Defenses Disable HVCI -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\CurrentControlSet\\Control\\DeviceGuard\\Scenarios\\HypervisorEnforcedCodeIntegrity\\Enabled" Registry.registry_value_data="0x00000000" by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defenses_disable_hvci_filter` - -[ESCU - Windows Impair Defenses Disable Win Defender Auto Logging - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The search looks for the Registry Key DefenderApiLogger or DefenderAuditLogger set to disable. This is consistent with RAT malware across a fleet of endpoints. This particular behavior is typically executed when an adversary gains access to an endpoint and beings to perform execution. Usually, a batch (.bat) will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The search looks for the Registry Key DefenderApiLogger or DefenderAuditLogger set to disable. This is consistent with RAT malware across a fleet of endpoints. This particular behavior is typically executed when an adversary gains access to an endpoint and beings to perform execution. Usually, a batch (.bat) will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -action.escu.known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search. -action.escu.creation_date = 2023-12-27 -action.escu.modification_date = 2023-12-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Impair Defenses Disable Win Defender Auto Logging - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["CISA AA23-347A", "Windows Defense Evasion Tactics", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = Windows Defender Logger registry key set to 'disabled' on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 24}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Impair Defenses Disable Win Defender Auto Logging - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 80, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "76406a0f-f5e0-4167-8e1f-337fdc0f1b0c", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where (Registry.registry_path = "*WMI\\Autologger\\DefenderApiLogger\\Start" OR Registry.registry_path = "*WMI\\Autologger\\DefenderAuditLogger\\Start") Registry.registry_value_data ="0x00000000" by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.dest Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defenses_disable_win_defender_auto_logging_filter` - -[ESCU - Windows Indicator Removal Via Rmdir - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a process execute rmdir commandline to delete files and directory tree. This technique has been observed in the actions of various malware strains, such as DarkGate, as they attempt to eliminate specific files or components during their cleanup operations within compromised hosts. Notably, this deletion method doesn't exclusively require elevated privileges and can be executed by regular users or network administrators, although it's not the typical approach used for file deletion. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a process execute rmdir commandline to delete files and directory tree. This technique has been observed in the actions of various malware strains, such as DarkGate, as they attempt to eliminate specific files or components during their cleanup operations within compromised hosts. Notably, this deletion method doesn't exclusively require elevated privileges and can be executed by regular users or network administrators, although it's not the typical approach used for file deletion. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = user and network administrator can execute this command. -action.escu.creation_date = 2023-11-23 -action.escu.modification_date = 2023-11-23 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Indicator Removal Via Rmdir - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["DarkGate Malware"] -action.risk = 1 -action.risk.param._risk_message = a process execute rmdir command to delete files and directory tree in $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Indicator Removal Via Rmdir - Rule -action.correlationsearch.annotations = {"analytic_story": ["DarkGate Malware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c4566d2c-b094-48a1-9c59-d66e22065560", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = "*rmdir*" Processes.process = "* /s *" Processes.process = "* /q *" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_indicator_removal_via_rmdir_filter` - -[ESCU - Windows Indirect Command Execution Via forfiles - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects programs that have been started by forfiles.exe. According to Microsoft, the 'The forfiles command lets you run a command on or pass arguments to multiple files'. While this tool can be used to start legitimate programs, usually within the context of a batch script, it has been observed being used to evade protections on command line execution. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1202"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects programs that have been started by forfiles.exe. According to Microsoft, the 'The forfiles command lets you run a command on or pass arguments to multiple files'. While this tool can be used to start legitimate programs, usually within the context of a batch script, it has been observed being used to evade protections on command line execution. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Some legacy applications may be run using pcalua.exe. Similarly, forfiles.exe may be used in legitimate batch scripts. Filter these results as needed. -action.escu.creation_date = 2022-04-05 -action.escu.modification_date = 2022-04-05 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Indirect Command Execution Via forfiles - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Living Off The Land", "Windows Post-Exploitation"] -action.risk = 1 -action.risk.param._risk_message = The forfiles command (forfiles.exe) launched the process name - $process_name$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Indirect Command Execution Via forfiles - Rule -action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land", "Windows Post-Exploitation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1202"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "1fdf31c9-ff4d-4c48-b799-0e8666e08787", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects programs that have been started by forfiles.exe. According to Microsoft, the 'The forfiles command lets you run a command on or pass arguments to multiple files'. While this tool can be used to start legitimate programs, usually within the context of a batch script, it has been observed being used to evade protections on command line execution. -action.notable.param.rule_title = Windows Indirect Command Execution Via forfiles -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process="*forfiles* /c *" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_indirect_command_execution_via_forfiles_filter` - -[ESCU - Windows Indirect Command Execution Via pcalua - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects programs that have been started by pcalua.exe. pcalua.exe is the Microsoft Windows Program Compatability Assistant. While this tool can be used to start legitimate programs, it has been observed being used to evade protections on command line execution. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1202"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects programs that have been started by pcalua.exe. pcalua.exe is the Microsoft Windows Program Compatability Assistant. While this tool can be used to start legitimate programs, it has been observed being used to evade protections on command line execution. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Some legacy applications may be run using pcalua.exe. Filter these results as needed. -action.escu.creation_date = 2022-04-05 -action.escu.modification_date = 2022-04-05 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Indirect Command Execution Via pcalua - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Living Off The Land"] -action.risk = 1 -action.risk.param._risk_message = The Program Compatability Assistant (pcalua.exe) launched the process $process_name$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Indirect Command Execution Via pcalua - Rule -action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1202"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "3428ac18-a410-4823-816c-ce697d26f7a8", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects programs that have been started by pcalua.exe. pcalua.exe is the Microsoft Windows Program Compatability Assistant. While this tool can be used to start legitimate programs, it has been observed being used to evade protections on command line execution. -action.notable.param.rule_title = Windows Indirect Command Execution Via pcalua -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process="*pcalua* -a*" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_indirect_command_execution_via_pcalua_filter` - -[ESCU - Windows Indirect Command Execution Via Series Of Forfiles - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is developed to detect suspicious excessive usage of forfiles.exe process. This event was seen in post exploitation tool WINPEAS that was used by Ransomware Prestige. Forfiles command lets you run a command on or pass arguments to multiple files. This Windows OS built-in tool being abused to list all files in specific directory or drive. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1202"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is developed to detect suspicious excessive usage of forfiles.exe process. This event was seen in post exploitation tool WINPEAS that was used by Ransomware Prestige. Forfiles command lets you run a command on or pass arguments to multiple files. This Windows OS built-in tool being abused to list all files in specific directory or drive. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2022-11-30 -action.escu.modification_date = 2022-11-30 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Indirect Command Execution Via Series Of Forfiles - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Prestige Ransomware", "Windows Post-Exploitation"] -action.risk = 1 -action.risk.param._risk_message = excessive forfiles process execution in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 9}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Indirect Command Execution Via Series Of Forfiles - Rule -action.correlationsearch.annotations = {"analytic_story": ["Prestige Ransomware", "Windows Post-Exploitation"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1202"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "bfdaabe7-3db8-48c5-80c1-220f9b8f22be", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_guid) as process_guid values(Processes.process_name) as process_name count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "forfiles.exe" OR Processes.original_file_name = "forfiles.exe" by Processes.parent_process_name Processes.parent_process Processes.dest Processes.user _time span=1m | where count >=20 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_indirect_command_execution_via_series_of_forfiles_filter` - -[ESCU - Windows Information Discovery Fsutil - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a process execution of Windows OS built-in tool FSUTIL to discover file system information. This tool is being abused or used by several adversaries or threat actor to query/list all drives, drive type, volume information or volume statistics by using the FSINFO parameter of this tool. This technique was seen in WINPEAS post exploitation tool that is being used by ransomware prestige to gain privilege and persistence to the targeted host. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1082"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a process execution of Windows OS built-in tool FSUTIL to discover file system information. This tool is being abused or used by several adversaries or threat actor to query/list all drives, drive type, volume information or volume statistics by using the FSINFO parameter of this tool. This technique was seen in WINPEAS post exploitation tool that is being used by ransomware prestige to gain privilege and persistence to the targeted host. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2022-11-30 -action.escu.modification_date = 2022-11-30 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Information Discovery Fsutil - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Prestige Ransomware", "Windows Post-Exploitation"] -action.risk = 1 -action.risk.param._risk_message = process $process_name$ with commandline $process$ is executed in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 9}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Information Discovery Fsutil - Rule -action.correlationsearch.annotations = {"analytic_story": ["Prestige Ransomware", "Windows Post-Exploitation"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1082"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "2181f261-93e6-4166-a5a9-47deac58feff", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name="fsutil.exe" OR Processes.original_file_name = "fsutil.exe" AND Processes.process = "*fsinfo*" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_information_discovery_fsutil_filter` - -[ESCU - Windows Ingress Tool Transfer Using Explorer - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the Windows Explorer process with a URL within the command-line. Explorer.exe is known Windows process that handles start menu, taskbar, desktop and file manager. Many adversaries abuse this process, like DCRat malware, where it attempts to open the URL with the default browser application on the target host by putting the URL as a parameter on explorer.exe process. This anomaly detection might be a good pivot to check which user and how this process was executed, what is the parent process and what is the URL link. This technique is not commonly used to open an URL. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the Windows Explorer process with a URL within the command-line. Explorer.exe is known Windows process that handles start menu, taskbar, desktop and file manager. Many adversaries abuse this process, like DCRat malware, where it attempts to open the URL with the default browser application on the target host by putting the URL as a parameter on explorer.exe process. This anomaly detection might be a good pivot to check which user and how this process was executed, what is the parent process and what is the URL link. This technique is not commonly used to open an URL. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives may be present based on legitimate applications or third party utilities. Filter out any additional parent process names. -action.escu.creation_date = 2022-08-30 -action.escu.modification_date = 2022-08-30 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Ingress Tool Transfer Using Explorer - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["DarkCrystal RAT"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to download a remote payload. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 25}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Ingress Tool Transfer Using Explorer - Rule -action.correlationsearch.annotations = {"analytic_story": ["DarkCrystal RAT"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "76753bab-f116-4ea3-8fb9-89b638be58a9", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = explorer.exe OR Processes.original_file_name = explorer.exe) AND NOT (Processes.parent_process_name IN("userinit.exe", "svchost.exe")) Processes.process IN ("* http://*", "* https://*") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_ingress_tool_transfer_using_explorer_filter` - -[ESCU - Windows InProcServer32 New Outlook Form - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the creation or modification of registry keys associated with new Outlook form installations that could indicate exploitation of CVE-2024-21378. The vulnerability allows for authenticated remote code execution via synced form objects by abusing the InProcServer32 registry key. The attack involves syncing malicious form objects that carry special properties and attachments used to "install" the form on a client, potentially leading to arbitrary file and registry key creation under HKEY_CLASSES_ROOT (HKCR), and ultimately, remote code execution. This detection focuses on monitoring for registry modifications involving InProcServer32 keys or equivalent that are linked to Outlook form installations, which are indicative of an attempt to exploit this vulnerability. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation"], "mitre_attack": ["T1566", "T1112"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the creation or modification of registry keys associated with new Outlook form installations that could indicate exploitation of CVE-2024-21378. The vulnerability allows for authenticated remote code execution via synced form objects by abusing the InProcServer32 registry key. The attack involves syncing malicious form objects that carry special properties and attachments used to "install" the form on a client, potentially leading to arbitrary file and registry key creation under HKEY_CLASSES_ROOT (HKCR), and ultimately, remote code execution. This detection focuses on monitoring for registry modifications involving InProcServer32 keys or equivalent that are linked to Outlook form installations, which are indicative of an attempt to exploit this vulnerability. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -action.escu.known_false_positives = False positives are possible if the organization adds new forms to Outlook via an automated method. Filter by name or path to reduce false positives. -action.escu.creation_date = 2024-03-20 -action.escu.modification_date = 2024-03-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows InProcServer32 New Outlook Form - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Outlook RCE CVE-2024-21378"] -action.risk = 1 -action.risk.param._risk_message = A registry key associated with a new Outlook form installation was created or modified. This could indicate exploitation of CVE-2024-21378 on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows InProcServer32 New Outlook Form - Rule -action.correlationsearch.annotations = {"analytic_story": ["Outlook RCE CVE-2024-21378"], "cis20": ["CIS 10"], "confidence": 70, "cve": ["CVE-2024-21378"], "impact": 70, "kill_chain_phases": ["Delivery", "Exploitation"], "mitre_attack": ["T1566", "T1112"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "fedb49c4-4bd7-4d42-8fd9-f8c8538c73c4", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry where Registry.registry_path="*\\InProcServer32\\*" Registry.registry_value_data=*\\FORMS\\* by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.dest Registry.process_guid Registry.user | `drop_dm_object_name(Registry)` |`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_inprocserver32_new_outlook_form_filter` - -[ESCU - Windows Input Capture Using Credential UI Dll - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a process that loads the credui.dll module. This legitimate module is typically abused by adversaries, threat actors and red teamers to create a credential UI prompt dialog box to lure users for possible credential theft or can be used to dump the credentials of a targeted host. This hunting query is a good pivot to check why the process loaded this dll and if it is a legitimate file. This hunting query may hit false positive for a third party application that uses a credential login UI for user login. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1056.002", "T1056"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies a process that loads the credui.dll module. This legitimate module is typically abused by adversaries, threat actors and red teamers to create a credential UI prompt dialog box to lure users for possible credential theft or can be used to dump the credentials of a targeted host. This hunting query is a good pivot to check why the process loaded this dll and if it is a legitimate file. This hunting query may hit false positive for a third party application that uses a credential login UI for user login. -action.escu.how_to_implement = The latest Sysmon TA 3.0 https://splunkbase.splunk.com/app/5709 will add the ImageLoaded name to the process_name field, allowing this query to work. Use as an example and implement for other products. -action.escu.known_false_positives = this module can be loaded by a third party application. Filter is needed. -action.escu.creation_date = 2022-08-24 -action.escu.modification_date = 2022-08-24 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Input Capture Using Credential UI Dll - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["Brute Ratel C4"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Input Capture Using Credential UI Dll - Rule -action.correlationsearch.annotations = {"analytic_story": ["Brute Ratel C4"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1056.002", "T1056"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "406c21d6-6c75-4e9f-9ca9-48049a1dd90e", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=7 (ImageLoaded = "*\\credui.dll" AND OriginalFileName = "credui.dll") OR (ImageLoaded = "*\\wincredui.dll" AND OriginalFileName = "wincredui.dll") AND NOT(Image IN("*\\windows\\explorer.exe", "*\\windows\\system32\\*", "*\\windows\\sysWow64\\*", "*:\\program files*")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded OriginalFileName dest EventCode Signed ProcessId ProcessGuid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_input_capture_using_credential_ui_dll_filter` - -[ESCU - Windows InstallUtil Credential Theft - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic identifies instances where the Windows InstallUtil.exe binary loads `vaultcli.dll` and `Samlib.dll`. This technique can be employed to execute code that bypasses application control and captures credentials using tools like Mimikatz. \ -When `InstallUtil.exe` is used maliciously, it typically specifies the path to an executable on the filesystem. It is important to observe the parent process in such cases. Suspicious activity often involves being spawned from non-standard processes such as `Cmd.exe`, `PowerShell.exe`, or `Explorer.exe`. \ -Conversely, when used by developers, it is usually accompanied by multiple command-line switches/arguments and originates from Visual Studio. \ -During triage, review any resulting network connections, file modifications, and concurrent processes. Capture any artifacts for further review.' -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.004", "T1218"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic identifies instances where the Windows InstallUtil.exe binary loads `vaultcli.dll` and `Samlib.dll`. This technique can be employed to execute code that bypasses application control and captures credentials using tools like Mimikatz. \ -When `InstallUtil.exe` is used maliciously, it typically specifies the path to an executable on the filesystem. It is important to observe the parent process in such cases. Suspicious activity often involves being spawned from non-standard processes such as `Cmd.exe`, `PowerShell.exe`, or `Explorer.exe`. \ -Conversely, when used by developers, it is usually accompanied by multiple command-line switches/arguments and originates from Visual Studio. \ -During triage, review any resulting network connections, file modifications, and concurrent processes. Capture any artifacts for further review.' -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and module loads from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -action.escu.known_false_positives = Typically, this will not trigger because, by its very nature, InstallUtil does not require credentials. Filter as needed. -action.escu.creation_date = 2024-03-14 -action.escu.modification_date = 2024-03-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows InstallUtil Credential Theft - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["Signed Binary Proxy Execution InstallUtil"] -action.risk = 1 -action.risk.param._risk_message = An instance of process name [$process_name$] loading a file [$loaded_file$] was identified on endpoint- [$dest$] to potentially capture credentials in memory. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"threat_object_field": "process_name", "threat_object_type": "process"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows InstallUtil Credential Theft - Rule -action.correlationsearch.annotations = {"analytic_story": ["Signed Binary Proxy Execution InstallUtil"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.004", "T1218"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "ccfeddec-43ec-11ec-b494-acde48001122", "detection_version": "4"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic identifies instances where the Windows InstallUtil.exe binary loads `vaultcli.dll` and `Samlib.dll`. This technique can be employed to execute code that bypasses application control and captures credentials using tools like Mimikatz. \ -When `InstallUtil.exe` is used maliciously, it typically specifies the path to an executable on the filesystem. It is important to observe the parent process in such cases. Suspicious activity often involves being spawned from non-standard processes such as `Cmd.exe`, `PowerShell.exe`, or `Explorer.exe`. \ -Conversely, when used by developers, it is usually accompanied by multiple command-line switches/arguments and originates from Visual Studio. \ -During triage, review any resulting network connections, file modifications, and concurrent processes. Capture any artifacts for further review.' -action.notable.param.rule_title = Windows InstallUtil Credential Theft -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=7 process_name=installutil.exe loaded_file_path IN ("*\\samlib.dll", "*\\vaultcli.dll") | stats count min(_time) as firstTime max(_time) as lastTime by user_id, dest, process_name, loaded_file, loaded_file_path, original_file_name, process_guid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_installutil_credential_theft_filter` - -[ESCU - Windows InstallUtil in Non Standard Path - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the execution of InstallUtil.exe from non-standard paths. It leverages Endpoint Detection and Response (EDR) data, focusing on process names and original file names outside typical directories. This activity is significant because InstallUtil.exe is often used by attackers to execute malicious code or scripts. If confirmed malicious, this behavior could allow an attacker to bypass security controls, execute arbitrary code, and potentially gain unauthorized access or persist within the environment. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036", "T1036.003", "T1218", "T1218.004"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the execution of InstallUtil.exe from non-standard paths. It leverages Endpoint Detection and Response (EDR) data, focusing on process names and original file names outside typical directories. This activity is significant because InstallUtil.exe is often used by attackers to execute malicious code or scripts. If confirmed malicious, this behavior could allow an attacker to bypass security controls, execute arbitrary code, and potentially gain unauthorized access or persist within the environment. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives may be present and filtering may be required. Certain utilities will run from non-standard paths based on the third-party application in use. -action.escu.creation_date = 2024-05-22 -action.escu.modification_date = 2024-05-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows InstallUtil in Non Standard Path - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Data Destruction", "Living Off The Land", "Masquerading - Rename System Utilities", "Ransomware", "Signed Binary Proxy Execution InstallUtil", "Unusual Processes", "WhisperGate"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ from a non-standard path was identified on endpoint $dest$ by user $user$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 49}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows InstallUtil in Non Standard Path - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Living Off The Land", "Masquerading - Rename System Utilities", "Ransomware", "Signed Binary Proxy Execution InstallUtil", "Unusual Processes", "WhisperGate"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036", "T1036.003", "T1218", "T1218.004"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "dcf74b22-7933-11ec-857c-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the execution of InstallUtil.exe from non-standard paths. It leverages Endpoint Detection and Response (EDR) data, focusing on process names and original file names outside typical directories. This activity is significant because InstallUtil.exe is often used by attackers to execute malicious code or scripts. If confirmed malicious, this behavior could allow an attacker to bypass security controls, execute arbitrary code, and potentially gain unauthorized access or persist within the environment. -action.notable.param.rule_title = Windows InstallUtil in Non Standard Path -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where `process_installutil` NOT (Processes.process_path IN ("*\\Windows\\ADWS\\*","*\\Windows\\SysWOW64*", "*\\Windows\\system32*", "*\\Windows\\NetworkController\\*", "*\\Windows\\SystemApps\\*", "*\\WinSxS\\*", "*\\Windows\\Microsoft.NET\\*")) by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id Processes.process_hash | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_installutil_in_non_standard_path_filter` - -[ESCU - Windows InstallUtil Remote Network Connection - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the Windows InstallUtil.exe binary making a remote network connection. This technique may be used to download and execute code while bypassing application control. \ -When `InstallUtil.exe` is used in a malicous manner, the path to an executable on the filesystem is typically specified. Take note of the parent process. In a suspicious instance, this will be spawned from a non-standard process like `Cmd.exe`, `PowerShell.exe` or `Explorer.exe`. \ -If used by a developer, typically this will be found with multiple command-line switches/arguments and spawn from Visual Studio. \ -During triage review resulting network connections, file modifications, and parallel processes. Capture any artifacts and review further. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.004", "T1218"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint", "Network_Traffic"] -action.escu.eli5 = The following analytic identifies the Windows InstallUtil.exe binary making a remote network connection. This technique may be used to download and execute code while bypassing application control. \ -When `InstallUtil.exe` is used in a malicous manner, the path to an executable on the filesystem is typically specified. Take note of the parent process. In a suspicious instance, this will be spawned from a non-standard process like `Cmd.exe`, `PowerShell.exe` or `Explorer.exe`. \ -If used by a developer, typically this will be found with multiple command-line switches/arguments and spawn from Visual Studio. \ -During triage review resulting network connections, file modifications, and parallel processes. Capture any artifacts and review further. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Limited false positives should be present as InstallUtil is not typically used to download remote files. Filter as needed based on Developers requirements. -action.escu.creation_date = 2023-11-07 -action.escu.modification_date = 2023-11-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows InstallUtil Remote Network Connection - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Living Off The Land", "Signed Binary Proxy Execution InstallUtil"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ generating a remote download. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows InstallUtil Remote Network Connection - Rule -action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land", "Signed Binary Proxy Execution InstallUtil"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.004", "T1218"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "4fbf9270-43da-11ec-9486-acde48001122", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the Windows InstallUtil.exe binary making a remote network connection. This technique may be used to download and execute code while bypassing application control. \ -When `InstallUtil.exe` is used in a malicous manner, the path to an executable on the filesystem is typically specified. Take note of the parent process. In a suspicious instance, this will be spawned from a non-standard process like `Cmd.exe`, `PowerShell.exe` or `Explorer.exe`. \ -If used by a developer, typically this will be found with multiple command-line switches/arguments and spawn from Visual Studio. \ -During triage review resulting network connections, file modifications, and parallel processes. Capture any artifacts and review further. -action.notable.param.rule_title = Windows InstallUtil Remote Network Connection -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_installutil` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as C2 ] | table _time user dest parent_process_name process_name process_path process process_id dest_port C2 | `windows_installutil_remote_network_connection_filter` - -[ESCU - Windows InstallUtil Uninstall Option - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the Windows InstallUtil.exe binary. This will execute code while bypassing application control using the `/u` (uninstall) switch. \ -InstallUtil uses the functions install and uninstall within the System.Configuration.Install namespace to process .net assembly. Install function requires admin privileges, however, uninstall function can be run as an unprivileged user. \ -When `InstallUtil.exe` is used in a malicous manner, the path to an executable on the filesystem is typically specified. Take note of the parent process. In a suspicious instance, this will be spawned from a non-standard process like `Cmd.exe`, `PowerShell.exe` or `Explorer.exe`. \ -If used by a developer, typically this will be found with multiple command-line switches/arguments and spawn from Visual Studio. \ -During triage review resulting network connections, file modifications, and parallel processes. Capture any artifacts and review further. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.004", "T1218"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the Windows InstallUtil.exe binary. This will execute code while bypassing application control using the `/u` (uninstall) switch. \ -InstallUtil uses the functions install and uninstall within the System.Configuration.Install namespace to process .net assembly. Install function requires admin privileges, however, uninstall function can be run as an unprivileged user. \ -When `InstallUtil.exe` is used in a malicous manner, the path to an executable on the filesystem is typically specified. Take note of the parent process. In a suspicious instance, this will be spawned from a non-standard process like `Cmd.exe`, `PowerShell.exe` or `Explorer.exe`. \ -If used by a developer, typically this will be found with multiple command-line switches/arguments and spawn from Visual Studio. \ -During triage review resulting network connections, file modifications, and parallel processes. Capture any artifacts and review further. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Limited false positives should be present. Filter as needed by parent process or application. -action.escu.creation_date = 2024-04-29 -action.escu.modification_date = 2024-04-29 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows InstallUtil Uninstall Option - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Living Off The Land", "Signed Binary Proxy Execution InstallUtil"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ performing an uninstall. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows InstallUtil Uninstall Option - Rule -action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land", "Signed Binary Proxy Execution InstallUtil"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.004", "T1218"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "cfa7b9ac-43f0-11ec-9b48-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the Windows InstallUtil.exe binary. This will execute code while bypassing application control using the `/u` (uninstall) switch. \ -InstallUtil uses the functions install and uninstall within the System.Configuration.Install namespace to process .net assembly. Install function requires admin privileges, however, uninstall function can be run as an unprivileged user. \ -When `InstallUtil.exe` is used in a malicous manner, the path to an executable on the filesystem is typically specified. Take note of the parent process. In a suspicious instance, this will be spawned from a non-standard process like `Cmd.exe`, `PowerShell.exe` or `Explorer.exe`. \ -If used by a developer, typically this will be found with multiple command-line switches/arguments and spawn from Visual Studio. \ -During triage review resulting network connections, file modifications, and parallel processes. Capture any artifacts and review further. -action.notable.param.rule_title = Windows InstallUtil Uninstall Option -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_installutil` Processes.process IN ("*/u*", "*uninstall*") NOT (Processes.process IN ("*C:\\WINDOWS\\CCM\\*")) NOT (Processes.parent_process_name IN ("Microsoft.SharePoint.Migration.ClientInstaller.exe")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_installutil_uninstall_option_filter` - -[ESCU - Windows InstallUtil Uninstall Option with Network - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the Windows InstallUtil.exe binary making a remote network connection. This technique may be used to download and execute code while bypassing application control using the `/u` (uninstall) switch. \ -InstallUtil uses the functions install and uninstall within the System.Configuration.Install namespace to process .net assembly. Install function requires admin privileges, however, uninstall function can be run as an unprivileged user. \ -When `InstallUtil.exe` is used in a malicous manner, the path to an executable on the filesystem is typically specified. Take note of the parent process. In a suspicious instance, this will be spawned from a non-standard process like `Cmd.exe`, `PowerShell.exe` or `Explorer.exe`. \ -If used by a developer, typically this will be found with multiple command-line switches/arguments and spawn from Visual Studio. \ -During triage review resulting network connections, file modifications, and parallel processes. Capture any artifacts and review further. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.004", "T1218"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint", "Network_Traffic"] -action.escu.eli5 = The following analytic identifies the Windows InstallUtil.exe binary making a remote network connection. This technique may be used to download and execute code while bypassing application control using the `/u` (uninstall) switch. \ -InstallUtil uses the functions install and uninstall within the System.Configuration.Install namespace to process .net assembly. Install function requires admin privileges, however, uninstall function can be run as an unprivileged user. \ -When `InstallUtil.exe` is used in a malicous manner, the path to an executable on the filesystem is typically specified. Take note of the parent process. In a suspicious instance, this will be spawned from a non-standard process like `Cmd.exe`, `PowerShell.exe` or `Explorer.exe`. \ -If used by a developer, typically this will be found with multiple command-line switches/arguments and spawn from Visual Studio. \ -During triage review resulting network connections, file modifications, and parallel processes. Capture any artifacts and review further. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Limited false positives should be present as InstallUtil is not typically used to download remote files. Filter as needed based on Developers requirements. -action.escu.creation_date = 2022-03-16 -action.escu.modification_date = 2022-03-16 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows InstallUtil Uninstall Option with Network - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Living Off The Land", "Signed Binary Proxy Execution InstallUtil"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ performing an uninstall. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows InstallUtil Uninstall Option with Network - Rule -action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land", "Signed Binary Proxy Execution InstallUtil"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.004", "T1218"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "1a52c836-43ef-11ec-a36c-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the Windows InstallUtil.exe binary making a remote network connection. This technique may be used to download and execute code while bypassing application control using the `/u` (uninstall) switch. \ -InstallUtil uses the functions install and uninstall within the System.Configuration.Install namespace to process .net assembly. Install function requires admin privileges, however, uninstall function can be run as an unprivileged user. \ -When `InstallUtil.exe` is used in a malicous manner, the path to an executable on the filesystem is typically specified. Take note of the parent process. In a suspicious instance, this will be spawned from a non-standard process like `Cmd.exe`, `PowerShell.exe` or `Explorer.exe`. \ -If used by a developer, typically this will be found with multiple command-line switches/arguments and spawn from Visual Studio. \ -During triage review resulting network connections, file modifications, and parallel processes. Capture any artifacts and review further. -action.notable.param.rule_title = Windows InstallUtil Uninstall Option with Network -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_installutil` Processes.process IN ("*/u*", "*uninstall*") by _time span=1h Processes.user Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as C2 ] | table _time user dest parent_process_name process_name process_path process process_id dest_port C2 | `windows_installutil_uninstall_option_with_network_filter` - -[ESCU - Windows InstallUtil URL in Command Line - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the Windows InstallUtil.exe binary passing a HTTP request on the command-line. This technique may be used to download and execute code while bypassing application control. \ -When `InstallUtil.exe` is used in a malicous manner, the path to an executable on the filesystem is typically specified. Take note of the parent process. In a suspicious instance, this will be spawned from a non-standard process like `Cmd.exe`, `PowerShell.exe` or `Explorer.exe`. \ -If used by a developer, typically this will be found with multiple command-line switches/arguments and spawn from Visual Studio. \ -During triage review resulting network connections, file modifications, and parallel processes. Capture any artifacts and review further. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.004", "T1218"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the Windows InstallUtil.exe binary passing a HTTP request on the command-line. This technique may be used to download and execute code while bypassing application control. \ -When `InstallUtil.exe` is used in a malicous manner, the path to an executable on the filesystem is typically specified. Take note of the parent process. In a suspicious instance, this will be spawned from a non-standard process like `Cmd.exe`, `PowerShell.exe` or `Explorer.exe`. \ -If used by a developer, typically this will be found with multiple command-line switches/arguments and spawn from Visual Studio. \ -During triage review resulting network connections, file modifications, and parallel processes. Capture any artifacts and review further. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Limited false positives should be present as InstallUtil is not typically used to download remote files. Filter as needed based on Developers requirements. -action.escu.creation_date = 2021-11-12 -action.escu.modification_date = 2021-11-12 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows InstallUtil URL in Command Line - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Living Off The Land", "Signed Binary Proxy Execution InstallUtil"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ passing a URL on the command-line. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows InstallUtil URL in Command Line - Rule -action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land", "Signed Binary Proxy Execution InstallUtil"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.004", "T1218"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "28e06670-43df-11ec-a569-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the Windows InstallUtil.exe binary passing a HTTP request on the command-line. This technique may be used to download and execute code while bypassing application control. \ -When `InstallUtil.exe` is used in a malicous manner, the path to an executable on the filesystem is typically specified. Take note of the parent process. In a suspicious instance, this will be spawned from a non-standard process like `Cmd.exe`, `PowerShell.exe` or `Explorer.exe`. \ -If used by a developer, typically this will be found with multiple command-line switches/arguments and spawn from Visual Studio. \ -During triage review resulting network connections, file modifications, and parallel processes. Capture any artifacts and review further. -action.notable.param.rule_title = Windows InstallUtil URL in Command Line -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_installutil` Processes.process IN ("*http://*","*https://*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_installutil_url_in_command_line_filter` - -[ESCU - Windows ISO LNK File Creation - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the use of a delivered ISO file that has been mounted and the afformention lnk or file opened within it. When the ISO file is opened, the files are saved in the %USER%\AppData\Local\Temp\\ path. The analytic identifies .iso.lnk written to the path. The name of the ISO file is prepended. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1566.001", "T1566", "T1204.001", "T1204"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the use of a delivered ISO file that has been mounted and the afformention lnk or file opened within it. When the ISO file is opened, the files are saved in the %USER%\AppData\Local\Temp\\ path. The analytic identifies .iso.lnk written to the path. The name of the ISO file is prepended. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -action.escu.known_false_positives = False positives may be high depending on the environment and consistent use of ISOs mounting. Restrict to servers, or filter out based on commonly used ISO names. Filter as needed. -action.escu.creation_date = 2022-09-19 -action.escu.modification_date = 2022-09-19 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows ISO LNK File Creation - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["AgentTesla", "Amadey", "Azorult", "Brute Ratel C4", "IcedID", "Qakbot", "Remcos", "Spearphishing Attachments", "Warzone RAT"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows ISO LNK File Creation - Rule -action.correlationsearch.annotations = {"analytic_story": ["AgentTesla", "Amadey", "Azorult", "Brute Ratel C4", "IcedID", "Qakbot", "Remcos", "Spearphishing Attachments", "Warzone RAT"], "cis20": ["CIS 10"], "confidence": 50, "impact": 80, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1566.001", "T1566", "T1204.001", "T1204"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "d7c2c09b-9569-4a9e-a8b6-6a39a99c1d32", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*\\Microsoft\\Windows\\Recent\\*") Filesystem.file_name IN ("*.iso.lnk", "*.img.lnk", "*.vhd.lnk", "*vhdx.lnk") by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_iso_lnk_file_creation_filter` - -[ESCU - Windows Java Spawning Shells - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies the process name of java.exe and w3wp.exe spawning a Windows shell. This is potentially indicative of exploitation of the Java application and may be related to current event CVE-2021-44228 (Log4Shell). The shells included in the macro are "cmd.exe", "powershell.exe". Upon triage, review parallel processes and command-line arguments to determine legitimacy. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the process name of java.exe and w3wp.exe spawning a Windows shell. This is potentially indicative of exploitation of the Java application and may be related to current event CVE-2021-44228 (Log4Shell). The shells included in the macro are "cmd.exe", "powershell.exe". Upon triage, review parallel processes and command-line arguments to determine legitimacy. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Filtering may be required on internal developer build systems or classify assets as web facing and restrict the analytic based on that. -action.escu.creation_date = 2023-01-23 -action.escu.modification_date = 2023-01-23 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Java Spawning Shells - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Log4Shell CVE-2021-44228", "SysAid On-Prem Software CVE-2023-47246 Vulnerability"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ spawning a Windows shell, potentially indicative of exploitation. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 40}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 40}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 40}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Windows Java Spawning Shells - Rule -action.correlationsearch.annotations = {"analytic_story": ["Log4Shell CVE-2021-44228", "SysAid On-Prem Software CVE-2023-47246 Vulnerability"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2021-44228", "CVE-2022-47966"], "impact": 80, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "28c81306-5c47-11ec-bfea-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the process name of java.exe and w3wp.exe spawning a Windows shell. This is potentially indicative of exploitation of the Java application and may be related to current event CVE-2021-44228 (Log4Shell). The shells included in the macro are "cmd.exe", "powershell.exe". Upon triage, review parallel processes and command-line arguments to determine legitimacy. -action.notable.param.rule_title = Windows Java Spawning Shells -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=java.exe OR Processes.parent_process_name=w3wp.exe `windows_shells` by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_java_spawning_shells_filter` - -[ESCU - Windows Kerberos Local Successful Logon - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a local successful authentication event on a Windows endpoint using the Kerberos package. The target user security identified will be set to the built-in local Administrator account, along with the remote address as localhost - 127.0.0.1. This may be indicative of a kerberos relay attack. Upon triage, review for recently ran binaries on disk. In addition, look for new computer accounts added to Active Directory and other anomolous AD events. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558"], "nist": ["DE.CM"]} -action.escu.data_models = ["Authentication"] -action.escu.eli5 = The following analytic identifies a local successful authentication event on a Windows endpoint using the Kerberos package. The target user security identified will be set to the built-in local Administrator account, along with the remote address as localhost - 127.0.0.1. This may be indicative of a kerberos relay attack. Upon triage, review for recently ran binaries on disk. In addition, look for new computer accounts added to Active Directory and other anomolous AD events. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4624 EventCode enabled. The Windows TA is also required. -action.escu.known_false_positives = False positives are possible, filtering may be required to restrict to workstations vs domain controllers. Filter as needed. -action.escu.creation_date = 2024-04-26 -action.escu.modification_date = 2024-04-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Kerberos Local Successful Logon - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Kerberos Attacks", "Local Privilege Escalation With KrbRelayUp"] -action.risk = 1 -action.risk.param._risk_message = A successful localhost Kerberos authentication event occurred on $dest$, possibly indicative of Kerberos relay attack. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Kerberos Local Successful Logon - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks", "Local Privilege Escalation With KrbRelayUp"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "8309c3a8-4d34-48ae-ad66-631658214653", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a local successful authentication event on a Windows endpoint using the Kerberos package. The target user security identified will be set to the built-in local Administrator account, along with the remote address as localhost - 127.0.0.1. This may be indicative of a kerberos relay attack. Upon triage, review for recently ran binaries on disk. In addition, look for new computer accounts added to Active Directory and other anomolous AD events. -action.notable.param.rule_title = Windows Kerberos Local Successful Logon -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4624 LogonType=3 AuthenticationPackageName=Kerberos action=success src=127.0.0.1 | stats count min(_time) as firstTime max(_time) as lastTime by dest, subject, action, SubjectLogonId, user, TargetUserName, src | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_kerberos_local_successful_logon_filter` - -[ESCU - Windows Known Abused DLL Created - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is designed to identify instances where Dynamic Link Libraries (DLLs) with a known history of being exploited are created in locations that are not typical for their use. This could indicate that an attacker is attempting to exploit the DLL search order hijacking or sideloading techniques. DLL search order hijacking involves tricking an application into loading a malicious DLL instead of the legitimate one it was intending to load. This is often achieved by placing the malicious DLL in a directory that is searched before the directory containing the legitimate DLL. Sideloading, similarly, involves placing a malicious DLL with the same name as a legitimate DLL that an application is known to load, in a location that the application will search before finding the legitimate version. Both of these techniques can be used by attackers to execute arbitrary code, maintain persistence on a system, and potentially elevate their privileges, all while appearing as legitimate operations to the untrained eye. This analytic aims to shed light on such suspicious activities by monitoring for the creation of known abused DLLs in unconventional locations, thereby helping in the early detection of these stealthy attack techniques. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.001", "T1574.002", "T1574"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is designed to identify instances where Dynamic Link Libraries (DLLs) with a known history of being exploited are created in locations that are not typical for their use. This could indicate that an attacker is attempting to exploit the DLL search order hijacking or sideloading techniques. DLL search order hijacking involves tricking an application into loading a malicious DLL instead of the legitimate one it was intending to load. This is often achieved by placing the malicious DLL in a directory that is searched before the directory containing the legitimate DLL. Sideloading, similarly, involves placing a malicious DLL with the same name as a legitimate DLL that an application is known to load, in a location that the application will search before finding the legitimate version. Both of these techniques can be used by attackers to execute arbitrary code, maintain persistence on a system, and potentially elevate their privileges, all while appearing as legitimate operations to the untrained eye. This analytic aims to shed light on such suspicious activities by monitoring for the creation of known abused DLLs in unconventional locations, thereby helping in the early detection of these stealthy attack techniques. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` and `Filesystem` nodes of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = This analytic may flag instances where DLLs are loaded by user mode programs for entirely legitimate and benign purposes. It is important for users to be aware that false positives are not only possible but likely, and that careful tuning of this analytic is necessary to distinguish between malicious activity and normal, everyday operations of applications. This may involve adjusting thresholds, whitelisting known good software, or incorporating additional context from other security tools and logs to reduce the rate of false positives. -action.escu.creation_date = 2024-02-19 -action.escu.modification_date = 2024-02-19 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Known Abused DLL Created - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Living Off The Land", "Windows Defense Evasion Tactics"] -action.risk = 1 -action.risk.param._risk_message = The file [$file_name$] was written to an unusual location by [$process_name$] on [$dest$]. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 10}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 10}, {"threat_object_field": "process_name", "threat_object_type": "process"}, {"threat_object_field": "file_name", "threat_object_type": "file_name"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Known Abused DLL Created - Rule -action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land", "Windows Defense Evasion Tactics"], "cis20": ["CIS 10"], "confidence": 25, "impact": 40, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.001", "T1574.002", "T1574"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "ea91651a-772a-4b02-ac3d-985b364a5f07", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.parent_process_name!="unknown" Processes.process_name=* Processes.process_guid!=null by _time span=1h Processes.dest Processes.user Processes.process_guid Processes.process_name Processes.process Processes.parent_process Processes.parent_process_name | `drop_dm_object_name(Processes)` | join max=0 process_guid dest [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*\\users\\*","*\\Windows\Temp\\*","*\\programdata\\*") Filesystem.file_name="*.dll" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)` | lookup hijacklibs_loaded library AS file_name OUTPUT islibrary, ttp, comment as desc | lookup hijacklibs_loaded library AS file_name excludes as file_path OUTPUT islibrary as excluded | search islibrary = TRUE AND excluded != TRUE | stats latest(*) as * by dest process_guid ] | where isnotnull(file_name) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_known_abused_dll_created_filter` - -[ESCU - Windows Known GraphicalProton Loaded Modules - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a potential suspicious process loading dll modules related to Graphicalproton backdoor implant of SVR. These DLL modules have been observed in SVR attacks, commonly used to install backdoors on targeted hosts. This anomaly detection highlights the need for thorough investigation and immediate mitigation measures to safeguard the network against potential breaches. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.002", "T1574"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies a potential suspicious process loading dll modules related to Graphicalproton backdoor implant of SVR. These DLL modules have been observed in SVR attacks, commonly used to install backdoors on targeted hosts. This anomaly detection highlights the need for thorough investigation and immediate mitigation measures to safeguard the network against potential breaches. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-12-18 -action.escu.modification_date = 2023-12-18 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Known GraphicalProton Loaded Modules - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["CISA AA23-347A"] -action.risk = 1 -action.risk.param._risk_message = Windows Known GraphicalProton backdoor Loaded Modules on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 36}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Known GraphicalProton Loaded Modules - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.002", "T1574"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "bf471c94-0324-4b19-a113-d02749b969bc", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=7 ImageLoaded IN ("*\\AclNumsInvertHost.dll", "*\\ModeBitmapNumericAnimate.dll", "*\\UnregisterAncestorAppendAuto.dll", "*\\DeregisterSeekUsers.dll", "*\\ScrollbarHandleGet.dll", "*\\PerformanceCaptionApi.dll", "*\\WowIcmpRemoveReg.dll", "*\\BlendMonitorStringBuild.dll", "*\\HandleFrequencyAll.dll", "*\\HardSwapColor.dll", "*\\LengthInMemoryActivate.dll", "*\\ParametersNamesPopup.dll", "*\\ModeFolderSignMove.dll", "*\\ChildPaletteConnected.dll", "*\\AddressResourcesSpec.dll") | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name dest EventCode Signed ProcessId Hashes IMPHASH | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_known_graphicalproton_loaded_modules_filter` - -[ESCU - Windows KrbRelayUp Service Creation - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the creation of a service with the default name "KrbSCM" associated with the KrbRelayUp tool. It leverages Windows System Event Logs, specifically EventCode 7045, to identify this activity. This behavior is significant as KrbRelayUp is a known tool used for privilege escalation attacks. If confirmed malicious, this activity could allow an attacker to escalate privileges, potentially gaining unauthorized access to sensitive systems and data. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1543.003"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects the creation of a service with the default name "KrbSCM" associated with the KrbRelayUp tool. It leverages Windows System Event Logs, specifically EventCode 7045, to identify this activity. This behavior is significant as KrbRelayUp is a known tool used for privilege escalation attacks. If confirmed malicious, this activity could allow an attacker to escalate privileges, potentially gaining unauthorized access to sensitive systems and data. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Windows System Event Logs with 7045 EventCode enabled. The Windows TA is also required. -action.escu.known_false_positives = False positives should be limited as this is specific to KrbRelayUp based attack. Filter as needed. -action.escu.creation_date = 2024-05-09 -action.escu.modification_date = 2024-05-09 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows KrbRelayUp Service Creation - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Local Privilege Escalation With KrbRelayUp"] -action.risk = 1 -action.risk.param._risk_message = A service was created on $dest$, related to KrbRelayUp. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows KrbRelayUp Service Creation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Local Privilege Escalation With KrbRelayUp"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1543.003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e40ef542-8241-4419-9af4-6324582ea60a", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the creation of a service with the default name "KrbSCM" associated with the KrbRelayUp tool. It leverages Windows System Event Logs, specifically EventCode 7045, to identify this activity. This behavior is significant as KrbRelayUp is a known tool used for privilege escalation attacks. If confirmed malicious, this activity could allow an attacker to escalate privileges, potentially gaining unauthorized access to sensitive systems and data. -action.notable.param.rule_title = Windows KrbRelayUp Service Creation -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_system` EventCode=7045 ServiceName IN ("KrbSCM") | stats count min(_time) as firstTime max(_time) as lastTime by dest EventCode ImagePath ServiceName StartType ServiceType | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_krbrelayup_service_creation_filter` - -[ESCU - Windows Large Number of Computer Service Tickets Requested - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic leverages Event ID 4769, `A Kerberos service ticket was requested`, to identify more than 30 computer service ticket requests from one source. When a domain joined endpoint connects to other remote endpoint, it will first request a Kerberos Service Ticket with the computer name as the Service Name. A user requesting a large number of computer service tickets for different endpoints could represent malicious behavior like lateral movement, malware staging, reconnaissance, etc. \ -Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold as needed. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1135", "T1078"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic leverages Event ID 4769, `A Kerberos service ticket was requested`, to identify more than 30 computer service ticket requests from one source. When a domain joined endpoint connects to other remote endpoint, it will first request a Kerberos Service Ticket with the computer name as the Service Name. A user requesting a large number of computer service tickets for different endpoints could represent malicious behavior like lateral movement, malware staging, reconnaissance, etc. \ -Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold as needed. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. -action.escu.known_false_positives = An single endpoint requesting a large number of kerberos service tickets is not common behavior. Possible false positive scenarios include but are not limited to vulnerability scanners, administration systems and missconfigured systems. -action.escu.creation_date = 2023-03-20 -action.escu.modification_date = 2023-03-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Large Number of Computer Service Tickets Requested - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Lateral Movement", "Active Directory Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = A large number of kerberos computer service tickets were requested by $IpAddress$ within 5 minutes. -action.risk.param._risk = [{"risk_object_field": "IpAddress", "risk_object_type": "system", "risk_score": 30}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Large Number of Computer Service Tickets Requested - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1135", "T1078"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "386ad394-c9a7-4b4f-b66f-586252de20f0", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4769 ServiceName="*$" TargetUserName!="*$" | bucket span=5m _time | stats dc(ServiceName) AS unique_targets values(ServiceName) as host_targets by _time, IpAddress, TargetUserName | where unique_targets > 30 | `windows_large_number_of_computer_service_tickets_requested_filter` - -[ESCU - Windows Lateral Tool Transfer RemCom - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the execution of RemCom.exe, an open-source alternative to PsExec, used for lateral movement and remote command execution. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, original file names, and command-line arguments. This activity is significant as it indicates potential lateral movement within the network. If confirmed malicious, this could allow an attacker to execute commands remotely, potentially leading to further compromise and control over additional systems within the network. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1570"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the execution of RemCom.exe, an open-source alternative to PsExec, used for lateral movement and remote command execution. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, original file names, and command-line arguments. This activity is significant as it indicates potential lateral movement within the network. If confirmed malicious, this could allow an attacker to execute commands remotely, potentially leading to further compromise and control over additional systems within the network. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives may be present based on Administrative use. Filter as needed. -action.escu.creation_date = 2024-05-15 -action.escu.modification_date = 2024-05-15 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Lateral Tool Transfer RemCom - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Discovery"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to move laterally. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 40}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 40}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 40}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 40}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Lateral Tool Transfer RemCom - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1570"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e373a840-5bdc-47ef-b2fd-9cc7aaf387f0", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the execution of RemCom.exe, an open-source alternative to PsExec, used for lateral movement and remote command execution. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, original file names, and command-line arguments. This activity is significant as it indicates potential lateral movement within the network. If confirmed malicious, this could allow an attacker to execute commands remotely, potentially leading to further compromise and control over additional systems within the network. -action.notable.param.rule_title = Windows Lateral Tool Transfer RemCom -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=remcom.exe OR Processes.original_file_name=RemCom.exe) Processes.process="*\\*" Processes.process IN ("*/user:*", "*/pwd:*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_lateral_tool_transfer_remcom_filter` - -[ESCU - Windows Ldifde Directory Object Behavior - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the use of Ldifde.exe, which provides the ability to create, modify, or delete LDAP directory objects. Natively, the binary is only installed on a domain controller. However, adversaries or administrators may install the Windows Remote Server Admin Tools for ldifde.exe. Ldifde.exe is a Microsoft Windows command-line utility used to import or export LDAP directory entries. LDAP stands for Lightweight Directory Access Protocol, which is a protocol used for accessing and managing directory information services over an IP network. LDIF, on the other hand, stands for LDAP Data Interchange Format, a standard plain-text data interchange format for representing LDAP directory entries. -i This is a flag used with Ldifde.exe to denote import mode. In import mode, Ldifde.exe takes an LDIF file and imports its contents into the LDAP directory. The data in the LDIF file might include new objects to be created, or modifications or deletions to existing objects. -f This flag is used to specify the filename of the LDIF file that Ldifde.exe will import from (in the case of the -i flag) or export to (without the -i flag). For example, if you wanted to import data from a file called data.ldif, you would use the command ldifde -i -f data.ldif. Keep in mind that while the use of Ldifde.exe is legitimate in many contexts, it can also be used maliciously. For instance, an attacker who has gained access to a domain controller could potentially use Ldifde.exe to export sensitive data or make unauthorized changes to the directory. Therefore, it's important to monitor for unusual or unauthorized use of this tool. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control", "Exploitation"], "mitre_attack": ["T1105", "T1069.002"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the use of Ldifde.exe, which provides the ability to create, modify, or delete LDAP directory objects. Natively, the binary is only installed on a domain controller. However, adversaries or administrators may install the Windows Remote Server Admin Tools for ldifde.exe. Ldifde.exe is a Microsoft Windows command-line utility used to import or export LDAP directory entries. LDAP stands for Lightweight Directory Access Protocol, which is a protocol used for accessing and managing directory information services over an IP network. LDIF, on the other hand, stands for LDAP Data Interchange Format, a standard plain-text data interchange format for representing LDAP directory entries. -i This is a flag used with Ldifde.exe to denote import mode. In import mode, Ldifde.exe takes an LDIF file and imports its contents into the LDAP directory. The data in the LDIF file might include new objects to be created, or modifications or deletions to existing objects. -f This flag is used to specify the filename of the LDIF file that Ldifde.exe will import from (in the case of the -i flag) or export to (without the -i flag). For example, if you wanted to import data from a file called data.ldif, you would use the command ldifde -i -f data.ldif. Keep in mind that while the use of Ldifde.exe is legitimate in many contexts, it can also be used maliciously. For instance, an attacker who has gained access to a domain controller could potentially use Ldifde.exe to export sensitive data or make unauthorized changes to the directory. Therefore, it's important to monitor for unusual or unauthorized use of this tool. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives may be present, filter as needed. -action.escu.creation_date = 2023-05-25 -action.escu.modification_date = 2023-05-25 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Ldifde Directory Object Behavior - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.atomic_red_team_guids = ["22cf8cb9-adb1-4e8c-80ca-7c723dfc8784"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Volt Typhoon"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ utilizing ldifde on a domain controller. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 40}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 40}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 40}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 40}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Ldifde Directory Object Behavior - Rule -action.correlationsearch.annotations = {"analytic_story": ["Volt Typhoon"], "cis20": ["CIS 10"], "confidence": 50, "impact": 80, "kill_chain_phases": ["Command and Control", "Exploitation"], "mitre_attack": ["T1105", "T1069.002"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "35cd29ca-f08c-4489-8815-f715c45460d3", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the use of Ldifde.exe, which provides the ability to create, modify, or delete LDAP directory objects. Natively, the binary is only installed on a domain controller. However, adversaries or administrators may install the Windows Remote Server Admin Tools for ldifde.exe. Ldifde.exe is a Microsoft Windows command-line utility used to import or export LDAP directory entries. LDAP stands for Lightweight Directory Access Protocol, which is a protocol used for accessing and managing directory information services over an IP network. LDIF, on the other hand, stands for LDAP Data Interchange Format, a standard plain-text data interchange format for representing LDAP directory entries. -i This is a flag used with Ldifde.exe to denote import mode. In import mode, Ldifde.exe takes an LDIF file and imports its contents into the LDAP directory. The data in the LDIF file might include new objects to be created, or modifications or deletions to existing objects. -f This flag is used to specify the filename of the LDIF file that Ldifde.exe will import from (in the case of the -i flag) or export to (without the -i flag). For example, if you wanted to import data from a file called data.ldif, you would use the command ldifde -i -f data.ldif. Keep in mind that while the use of Ldifde.exe is legitimate in many contexts, it can also be used maliciously. For instance, an attacker who has gained access to a domain controller could potentially use Ldifde.exe to export sensitive data or make unauthorized changes to the directory. Therefore, it's important to monitor for unusual or unauthorized use of this tool. -action.notable.param.rule_title = Windows Ldifde Directory Object Behavior -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=ldifde.exe Processes.process IN ("*-i *", "*-f *") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_ldifde_directory_object_behavior_filter` - -[ESCU - Windows Linked Policies In ADSI Discovery - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain groups. Red Teams and adversaries may leverage `[Adsisearcher]` to enumerate domain organizational unit for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain groups. Red Teams and adversaries may leverage `[Adsisearcher]` to enumerate domain organizational unit for situational awareness and Active Directory Discovery. -action.escu.how_to_implement = The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. -action.escu.creation_date = 2023-04-14 -action.escu.modification_date = 2023-04-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Linked Policies In ADSI Discovery - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Discovery", "Data Destruction", "Industroyer2"] -action.risk = 1 -action.risk.param._risk_message = Windows PowerShell [Adsisearcher] was used user enumeration on $user$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Linked Policies In ADSI Discovery - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "Data Destruction", "Industroyer2"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "510ea428-4731-4d2f-8829-a28293e427aa", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText = "*[adsisearcher]*" ScriptBlockText = "*objectcategory=organizationalunit*" ScriptBlockText = "*findAll()*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | rename Computer as dest, user_id as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_linked_policies_in_adsi_discovery_filter` - -[ESCU - Windows Local Administrator Credential Stuffing - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic leverages events 4625 and 4624 to identify an endpoint using the builtin local Administrator account to authenticate to a large numbers of endpoints. Specifically, the logic will trigger when an endpoints attempts to authenticate to more than 30 target computers within a 5 minute timespan. This behavior could represent an adversary who has obtained access to local credentials and is trying to validate if these credentials work on other hosts to escalate their privileges. As environments differ across organizations, security teams should customize the thresholds of this detection as needed. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110", "T1110.004"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic leverages events 4625 and 4624 to identify an endpoint using the builtin local Administrator account to authenticate to a large numbers of endpoints. Specifically, the logic will trigger when an endpoints attempts to authenticate to more than 30 target computers within a 5 minute timespan. This behavior could represent an adversary who has obtained access to local credentials and is trying to validate if these credentials work on other hosts to escalate their privileges. As environments differ across organizations, security teams should customize the thresholds of this detection as needed. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled. -action.escu.known_false_positives = Vulnerability scanners or system administration tools may also trigger this detection. Filter as needed. -action.escu.creation_date = 2023-03-22 -action.escu.modification_date = 2023-03-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Local Administrator Credential Stuffing - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Lateral Movement", "Active Directory Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = Local Administrator credential stuffing attack coming from $IpAddress$ -action.risk.param._risk = [{"risk_object_field": "host_targets", "risk_object_type": "system", "risk_score": 56}, {"risk_object_field": "IpAddress", "risk_object_type": "other", "risk_score": 56}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Local Administrator Credential Stuffing - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110", "T1110.004"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "09555511-aca6-484a-b6ab-72cd03d73c34", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic leverages events 4625 and 4624 to identify an endpoint using the builtin local Administrator account to authenticate to a large numbers of endpoints. Specifically, the logic will trigger when an endpoints attempts to authenticate to more than 30 target computers within a 5 minute timespan. This behavior could represent an adversary who has obtained access to local credentials and is trying to validate if these credentials work on other hosts to escalate their privileges. As environments differ across organizations, security teams should customize the thresholds of this detection as needed. -action.notable.param.rule_title = Windows Local Administrator Credential Stuffing -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4625 OR EventCode=4624 Logon_Type=3 TargetUserName=Administrator | bucket span=5m _time | stats dc(Computer) AS unique_targets values(Computer) as host_targets by _time, IpAddress, TargetUserName, EventCode | where unique_targets > 30 | `windows_local_administrator_credential_stuffing_filter` - -[ESCU - Windows LSA Secrets NoLMhash Registry - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a modification in the Windows registry related to the Local Security Authority (LSA) in Windows. This registry value is used to determine whether the system should store passwords in the weaker Lan Manager (LM) hash format. Setting it to 0 disables this feature, meaning LM hashes will be stored. Modifying these settings should be done carefully and with a clear understanding of the impact it might have on system security and functionality. This command is often used in security configurations to enforce stronger password storage methods and prevent the storage of weaker LM hashes, which are more susceptible to certain types of attacks. This TTP detection can be a good indicator of any process or user that tries to modify the LSA security configuration. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.004"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a modification in the Windows registry related to the Local Security Authority (LSA) in Windows. This registry value is used to determine whether the system should store passwords in the weaker Lan Manager (LM) hash format. Setting it to 0 disables this feature, meaning LM hashes will be stored. Modifying these settings should be done carefully and with a clear understanding of the impact it might have on system security and functionality. This command is often used in security configurations to enforce stronger password storage methods and prevent the storage of weaker LM hashes, which are more susceptible to certain types of attacks. This TTP detection can be a good indicator of any process or user that tries to modify the LSA security configuration. -action.escu.how_to_implement = To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry. -action.escu.known_false_positives = Administrator may change this registry setting. -action.escu.creation_date = 2023-12-15 -action.escu.modification_date = 2023-12-15 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows LSA Secrets NoLMhash Registry - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["CISA AA23-347A"] -action.risk = 1 -action.risk.param._risk_message = Windows LSA Secrets NoLMhash Registry on $dest$ by $user$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows LSA Secrets NoLMhash Registry - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.004"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "48cc1605-538c-4223-8382-e36bee5b540d", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a modification in the Windows registry related to the Local Security Authority (LSA) in Windows. This registry value is used to determine whether the system should store passwords in the weaker Lan Manager (LM) hash format. Setting it to 0 disables this feature, meaning LM hashes will be stored. Modifying these settings should be done carefully and with a clear understanding of the impact it might have on system security and functionality. This command is often used in security configurations to enforce stronger password storage methods and prevent the storage of weaker LM hashes, which are more susceptible to certain types of attacks. This TTP detection can be a good indicator of any process or user that tries to modify the LSA security configuration. -action.notable.param.rule_title = Windows LSA Secrets NoLMhash Registry -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\System\\CurrentControlSet\\Control\\Lsa\\NoLMHash" Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_lsa_secrets_nolmhash_registry_filter` - -[ESCU - Windows Mail Protocol In Non-Common Process Path - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a possible windows application having a SMTP connection in a non common installation path in windows operating system.This network protocol is being used by adversaries, threat actors and malware like AgentTesla as a Command And Control communication to transfer its collected stolen information like the desktop screenshots, browser information and system information of a targeted or compromised host. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1071.003", "T1071"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies a possible windows application having a SMTP connection in a non common installation path in windows operating system.This network protocol is being used by adversaries, threat actors and malware like AgentTesla as a Command And Control communication to transfer its collected stolen information like the desktop screenshots, browser information and system information of a targeted or compromised host. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and sysmon eventcode = 3 connection events from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -action.escu.known_false_positives = third party application may use this network protocol as part of its feature. Filter is needed. -action.escu.creation_date = 2022-09-16 -action.escu.modification_date = 2022-09-16 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Mail Protocol In Non-Common Process Path - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["AgentTesla"] -action.risk = 1 -action.risk.param._risk_message = a process $Image$ is having a SMTP connection to $DestinationHostname$ in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 9}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Mail Protocol In Non-Common Process Path - Rule -action.correlationsearch.annotations = {"analytic_story": ["AgentTesla"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1071.003", "T1071"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "ac3311f5-661d-4e99-bd1f-3ec665b05441", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=3 NOT(Image IN("*\\program files*", "*\\thunderbird.exe","*\\outlook.exe")) (DestinationPortName="smtp" OR DestinationPort=25 OR DestinationPort=587) | stats count min(_time) as firstTime max(_time) as lastTime by Image DestinationPort DestinationPortName DestinationHostname SourceHostname SourcePort SourcePortName Protocol DestinationIp dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_mail_protocol_in_non_common_process_path_filter` - -[ESCU - Windows Mark Of The Web Bypass - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a suspicious process that delete mark-of-the-web data stream. This technique has been observed in various instances of malware and adversarial activities aimed at circumventing security restrictions within the Windows Operating System, particularly pertaining to files downloaded from the internet. An example of this scenario is demonstrated by Ave Maria RAT, which attempts to delete this data stream as a means to evade such restrictions. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1553.005"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies a suspicious process that delete mark-of-the-web data stream. This technique has been observed in various instances of malware and adversarial activities aimed at circumventing security restrictions within the Windows Operating System, particularly pertaining to files downloaded from the internet. An example of this scenario is demonstrated by Ave Maria RAT, which attempts to delete this data stream as a means to evade such restrictions. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the deleted target file name, process name and process id from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-08-14 -action.escu.modification_date = 2023-08-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Mark Of The Web Bypass - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["Warzone RAT"] -action.risk = 1 -action.risk.param._risk_message = A mark-of-the-web data stream is deleted on $dest$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Mark Of The Web Bypass - Rule -action.correlationsearch.annotations = {"analytic_story": ["Warzone RAT"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1553.005"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "8ca13343-7405-4916-a2d1-ae34ce0c28ae", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a suspicious process that delete mark-of-the-web data stream. This technique has been observed in various instances of malware and adversarial activities aimed at circumventing security restrictions within the Windows Operating System, particularly pertaining to files downloaded from the internet. An example of this scenario is demonstrated by Ave Maria RAT, which attempts to delete this data stream as a means to evade such restrictions. -action.notable.param.rule_title = Windows Mark Of The Web Bypass -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=23 TargetFilename = "*:Zone.Identifier" | stats min(_time) as firstTime max(_time) as lastTime count by user EventCode Image TargetFilename ProcessID dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_mark_of_the_web_bypass_filter` - -[ESCU - Windows Masquerading Explorer As Child Process - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a suspicious parent process of explorer.exe. Explorer is usually executed by userinit.exe that will exit after execution that causes the main explorer.exe no parent process. Some malware like qakbot spawn another explorer.exe to inject its code. This TTP detection is a good indicator that a process spawning explorer.exe might inject code or masquerading its parent child process to evade detections. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.002", "T1574"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a suspicious parent process of explorer.exe. Explorer is usually executed by userinit.exe that will exit after execution that causes the main explorer.exe no parent process. Some malware like qakbot spawn another explorer.exe to inject its code. This TTP detection is a good indicator that a process spawning explorer.exe might inject code or masquerading its parent child process to evade detections. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2024-04-25 -action.escu.modification_date = 2024-04-25 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Masquerading Explorer As Child Process - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Qakbot"] -action.risk = 1 -action.risk.param._risk_message = explorer.exe hash a suspicious parent process $parent_process_name$ in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 81}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Masquerading Explorer As Child Process - Rule -action.correlationsearch.annotations = {"analytic_story": ["Qakbot"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.002", "T1574"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "61490da9-52a1-4855-a0c5-28233c88c481", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a suspicious parent process of explorer.exe. Explorer is usually executed by userinit.exe that will exit after execution that causes the main explorer.exe no parent process. Some malware like qakbot spawn another explorer.exe to inject its code. This TTP detection is a good indicator that a process spawning explorer.exe might inject code or masquerading its parent child process to evade detections. -action.notable.param.rule_title = Windows Masquerading Explorer As Child Process -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN("cmd.exe", "powershell.exe", "regsvr32.exe") AND Processes.process_name = "explorer.exe" AND Processes.process IN ("*\\explorer.exe") by Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest Processes.parent_process_id | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `windows_masquerading_explorer_as_child_process_filter` - -[ESCU - Windows Masquerading Msdtc Process - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a suspicious msdtc.exe with specific command-line parameters, particularly -a or -b, which are regarded as potential indicators of the presence of the insidious PlugX malware. This malware is notorious for its covert operations and is frequently utilized by threat actors for unauthorized access, data exfiltration, and espionage. The analytic's focus on the -a or -b command-line parameters within msdtc.exe is rooted in the PlugX malware's sophisticated tactic of masquerading its activities. To elude detection, PlugX employs a technique where it injects a concealed, headless PlugX Dynamic Link Library (DLL) module into the legitimate msdtc.exe process. By leveraging these specific command-line parameters, the malware attempts to disguise its presence within a system's legitimate processes, thereby evading immediate suspicion. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a suspicious msdtc.exe with specific command-line parameters, particularly -a or -b, which are regarded as potential indicators of the presence of the insidious PlugX malware. This malware is notorious for its covert operations and is frequently utilized by threat actors for unauthorized access, data exfiltration, and espionage. The analytic's focus on the -a or -b command-line parameters within msdtc.exe is rooted in the PlugX malware's sophisticated tactic of masquerading its activities. To elude detection, PlugX employs a technique where it injects a concealed, headless PlugX Dynamic Link Library (DLL) module into the legitimate msdtc.exe process. By leveraging these specific command-line parameters, the malware attempts to disguise its presence within a system's legitimate processes, thereby evading immediate suspicion. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-11-21 -action.escu.modification_date = 2023-11-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Masquerading Msdtc Process - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["PlugX"] -action.risk = 1 -action.risk.param._risk_message = msdtc.exe process with process commandline used by PlugX malware in $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Masquerading Msdtc Process - Rule -action.correlationsearch.annotations = {"analytic_story": ["PlugX"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "238f3a07-8440-480b-b26f-462f41d9a47c", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a suspicious msdtc.exe with specific command-line parameters, particularly -a or -b, which are regarded as potential indicators of the presence of the insidious PlugX malware. This malware is notorious for its covert operations and is frequently utilized by threat actors for unauthorized access, data exfiltration, and espionage. The analytic's focus on the -a or -b command-line parameters within msdtc.exe is rooted in the PlugX malware's sophisticated tactic of masquerading its activities. To elude detection, PlugX employs a technique where it injects a concealed, headless PlugX Dynamic Link Library (DLL) module into the legitimate msdtc.exe process. By leveraging these specific command-line parameters, the malware attempts to disguise its presence within a system's legitimate processes, thereby evading immediate suspicion. -action.notable.param.rule_title = Windows Masquerading Msdtc Process -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "msdtc.exe" Processes.process = "*msdtc.exe*" Processes.process IN ("* -a*", "* -b*") by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_masquerading_msdtc_process_filter` - -[ESCU - Windows Mimikatz Binary Execution - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = As simple as it sounds, this analytic identifies when the native mimikatz.exe binary executes on Windows. It does look for the original file name as well, just in case the binary is renamed. Adversaries sometimes bring in the default binary and run it directly. Benjamin Delpy originally created Mimikatz as a proof of concept to show Microsoft that its authentication protocols were vulnerable to an attack. Instead, he inadvertently created one of the most widely used and downloaded threat actor tools of the past 20 years. Mimikatz is an open-source application that allows users to view and save authentication credentials such as Kerberos tickets. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = As simple as it sounds, this analytic identifies when the native mimikatz.exe binary executes on Windows. It does look for the original file name as well, just in case the binary is renamed. Adversaries sometimes bring in the default binary and run it directly. Benjamin Delpy originally created Mimikatz as a proof of concept to show Microsoft that its authentication protocols were vulnerable to an attack. Instead, he inadvertently created one of the most widely used and downloaded threat actor tools of the past 20 years. Mimikatz is an open-source application that allows users to view and save authentication credentials such as Kerberos tickets. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives should be limited as this is directly looking for Mimikatz, the credential dumping utility. -action.escu.creation_date = 2023-12-27 -action.escu.modification_date = 2023-12-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Mimikatz Binary Execution - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["CISA AA22-320A", "CISA AA23-347A", "Credential Dumping", "Flax Typhoon", "Sandworm Tools", "Volt Typhoon"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting dump credentials. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 100}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 100}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 100}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 100}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Mimikatz Binary Execution - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA22-320A", "CISA AA23-347A", "Credential Dumping", "Flax Typhoon", "Sandworm Tools", "Volt Typhoon"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a9e0d6d3-9676-4e26-994d-4e0406bb4467", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = As simple as it sounds, this analytic identifies when the native mimikatz.exe binary executes on Windows. It does look for the original file name as well, just in case the binary is renamed. Adversaries sometimes bring in the default binary and run it directly. Benjamin Delpy originally created Mimikatz as a proof of concept to show Microsoft that its authentication protocols were vulnerable to an attack. Instead, he inadvertently created one of the most widely used and downloaded threat actor tools of the past 20 years. Mimikatz is an open-source application that allows users to view and save authentication credentials such as Kerberos tickets. -action.notable.param.rule_title = Windows Mimikatz Binary Execution -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=mimikatz.exe OR Processes.original_file_name=mimikatz.exe) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_mimikatz_binary_execution_filter` - -[ESCU - Windows Mimikatz Crypto Export File Extensions - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the creation of files with extensions commonly associated with the Mimikatz Crypto module. It leverages the Endpoint.Filesystem data model to identify specific file names indicative of certificate export activities. This behavior is significant as it may indicate the use of Mimikatz to export cryptographic keys, which is a common tactic for credential theft. If confirmed malicious, this activity could allow an attacker to exfiltrate sensitive cryptographic material, potentially leading to unauthorized access and further compromise of the environment. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1649"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the creation of files with extensions commonly associated with the Mimikatz Crypto module. It leverages the Endpoint.Filesystem data model to identify specific file names indicative of certificate export activities. This behavior is significant as it may indicate the use of Mimikatz to export cryptographic keys, which is a common tactic for credential theft. If confirmed malicious, this activity could allow an attacker to exfiltrate sensitive cryptographic material, potentially leading to unauthorized access and further compromise of the environment. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -action.escu.known_false_positives = False positives may be present and may need to be reviewed before this can be turned into a TTP. In addition, remove .pfx (standalone) if it's too much volume. -action.escu.creation_date = 2024-05-09 -action.escu.modification_date = 2024-05-09 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Mimikatz Crypto Export File Extensions - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["CISA AA23-347A", "Sandworm Tools", "Windows Certificate Services"] -action.risk = 1 -action.risk.param._risk_message = Certificate file extensions realted to Mimikatz were identified on disk on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 28}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Mimikatz Crypto Export File Extensions - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A", "Sandworm Tools", "Windows Certificate Services"], "cis20": ["CIS 10"], "confidence": 70, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1649"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "3a9a6806-16a8-4cda-8d73-b49d10a05b16", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*.keyx.rsa.pvk","*sign.rsa.pvk","*sign.dsa.pvk","*dsa.ec.p8k","*dh.ec.p8k", "*.pfx", "*.der") by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Filesystem)` | `windows_mimikatz_crypto_export_file_extensions_filter` - -[ESCU - Windows Modify Registry AuthenticationLevelOverride - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a modification in the Windows registry related to authentication level settings. This registry is the configuration for authentication level settings within the Terminal Server Client settings in Windows. AuthenticationLevelOverride might be used to control or override the authentication level used by the Terminal Server Client for remote connections. DarkGate malware modify this registry as part of its malicious installation in a targeted host for its remote desktop capabilities. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint", "Authentication"] -action.escu.eli5 = The following analytic identifies a modification in the Windows registry related to authentication level settings. This registry is the configuration for authentication level settings within the Terminal Server Client settings in Windows. AuthenticationLevelOverride might be used to control or override the authentication level used by the Terminal Server Client for remote connections. DarkGate malware modify this registry as part of its malicious installation in a targeted host for its remote desktop capabilities. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -action.escu.known_false_positives = Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed. -action.escu.creation_date = 2023-11-23 -action.escu.modification_date = 2023-11-23 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Modify Registry AuthenticationLevelOverride - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["DarkGate Malware"] -action.risk = 1 -action.risk.param._risk_message = the registry for authentication level settings was modified on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Modify Registry AuthenticationLevelOverride - Rule -action.correlationsearch.annotations = {"analytic_story": ["DarkGate Malware"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "6410a403-36bb-490f-a06a-11c3be7d2a41", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\Terminal Server Client\\AuthenticationLevelOverride" Registry.registry_value_data = 0x00000000 by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_authenticationleveloverride_filter` - -[ESCU - Windows Modify Registry Auto Minor Updates - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that will "Treat minor updates like other updates". -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint", "Updates"] -action.escu.eli5 = The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that will "Treat minor updates like other updates". -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -action.escu.known_false_positives = administrators may enable or disable this feature that may cause some false positive. -action.escu.creation_date = 2023-04-21 -action.escu.modification_date = 2023-04-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Modify Registry Auto Minor Updates - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["RedLine Stealer"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Modify Registry Auto Minor Updates - Rule -action.correlationsearch.annotations = {"analytic_story": ["RedLine Stealer"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "be498b9f-d804-4bbf-9fc0-d5448466b313", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\AutoInstallMinorUpdates" AND Registry.registry_value_data="0x00000000" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_auto_minor_updates_filter` - -[ESCU - Windows Modify Registry Auto Update Notif - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a suspicious registry modification of Windows auto update notification. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that will switch the automatic windows update to "Notify before download". -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a suspicious registry modification of Windows auto update notification. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that will switch the automatic windows update to "Notify before download". -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -action.escu.known_false_positives = administrators may enable or disable this feature that may cause some false positive. -action.escu.creation_date = 2023-04-21 -action.escu.modification_date = 2023-04-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Modify Registry Auto Update Notif - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.atomic_red_team_guids = ["12e03af7-79f9-4f95-af48-d3f12f28a260"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["RedLine Stealer"] -action.risk = 1 -action.risk.param._risk_message = A registry modification in Windows auto update notification on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Modify Registry Auto Update Notif - Rule -action.correlationsearch.annotations = {"analytic_story": ["RedLine Stealer"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "4d1409df-40c7-4b11-aec4-bd0e709dfc12", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\AUOptions" AND Registry.registry_value_data="0x00000002" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_auto_update_notif_filter` - -[ESCU - Windows Modify Registry Default Icon Setting - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is developed to detect suspicious registry modification to change the default icon association of windows to ransomware . This technique was seen in Lockbit ransomware where it modified the default icon association of the compromised Windows OS host with its dropped ransomware icon file as part of its defacement payload. This registry is not commonly modified by a normal user so having this anomaly detection may help to catch possible lockbit ransomware infection or other malware. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is developed to detect suspicious registry modification to change the default icon association of windows to ransomware . This technique was seen in Lockbit ransomware where it modified the default icon association of the compromised Windows OS host with its dropped ransomware icon file as part of its defacement payload. This registry is not commonly modified by a normal user so having this anomaly detection may help to catch possible lockbit ransomware infection or other malware. -action.escu.how_to_implement = To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-01-16 -action.escu.modification_date = 2023-01-16 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Modify Registry Default Icon Setting - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["LockBit Ransomware"] -action.risk = 1 -action.risk.param._risk_message = A suspicious registry modification to change the default icon association of windows to ransomware was detected on endpoint $dest$ by user $user$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Modify Registry Default Icon Setting - Rule -action.correlationsearch.annotations = {"analytic_story": ["LockBit Ransomware"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a7a7afdb-3c58-45b6-9bff-63e5acfd9d40", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path ="*\\defaultIcon\\(Default)*" Registry.registry_path = "*HKCR\\*" by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.action Registry.dest Registry.user | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `windows_modify_registry_default_icon_setting_filter` - -[ESCU - Windows Modify Registry Disable Restricted Admin - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a modification in the Windows registry related to DisableRestrictedAdmin. This registry entry is used to control the behavior of Restricted Admin mode, which is a security feature that limits the exposure of sensitive credentials when connecting remotely to another computer. When this registry value is set to 0 it indicates that Restricted Admin mode is enabled (default behavior). As with any modifications to registry settings, changing this entry should be approached cautiously, ensuring a clear understanding of the implications for system security and functionality. Unauthorized changes to these security settings can pose risks and should be monitored closely for any signs of tampering or unauthorized alterations. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a modification in the Windows registry related to DisableRestrictedAdmin. This registry entry is used to control the behavior of Restricted Admin mode, which is a security feature that limits the exposure of sensitive credentials when connecting remotely to another computer. When this registry value is set to 0 it indicates that Restricted Admin mode is enabled (default behavior). As with any modifications to registry settings, changing this entry should be approached cautiously, ensuring a clear understanding of the implications for system security and functionality. Unauthorized changes to these security settings can pose risks and should be monitored closely for any signs of tampering or unauthorized alterations. -action.escu.how_to_implement = To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry. -action.escu.known_false_positives = Administrator may change this registry setting. Filter as needed. -action.escu.creation_date = 2023-12-15 -action.escu.modification_date = 2023-12-15 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Modify Registry Disable Restricted Admin - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["CISA AA23-347A"] -action.risk = 1 -action.risk.param._risk_message = Windows Modify Registry Disable Restricted Admin on $dest$ by $user$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Modify Registry Disable Restricted Admin - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "cee573a0-7587-48e6-ae99-10e8c657e89a", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a modification in the Windows registry related to DisableRestrictedAdmin. This registry entry is used to control the behavior of Restricted Admin mode, which is a security feature that limits the exposure of sensitive credentials when connecting remotely to another computer. When this registry value is set to 0 it indicates that Restricted Admin mode is enabled (default behavior). As with any modifications to registry settings, changing this entry should be approached cautiously, ensuring a clear understanding of the implications for system security and functionality. Unauthorized changes to these security settings can pose risks and should be monitored closely for any signs of tampering or unauthorized alterations. -action.notable.param.rule_title = Windows Modify Registry Disable Restricted Admin -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\System\\CurrentControlSet\\Control\\Lsa\\DisableRestrictedAdmin" Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disable_restricted_admin_filter` - -[ESCU - Windows Modify Registry Disable Toast Notifications - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic is to identify a modification in the Windows registry to disable toast notifications. This Windows Operating System feature is responsible for alerting or notifying user if application or OS need some updates. Adversaries and malwares like Azorult abuse this technique to disable important update notification in compromised host. This anomaly detection is a good pivot to look for further events related to defense evasion and execution. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic is to identify a modification in the Windows registry to disable toast notifications. This Windows Operating System feature is responsible for alerting or notifying user if application or OS need some updates. Adversaries and malwares like Azorult abuse this technique to disable important update notification in compromised host. This anomaly detection is a good pivot to look for further events related to defense evasion and execution. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -action.escu.known_false_positives = administrators may enable or disable this feature that may cause some false positive. -action.escu.creation_date = 2022-06-22 -action.escu.modification_date = 2022-06-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Modify Registry Disable Toast Notifications - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Azorult"] -action.risk = 1 -action.risk.param._risk_message = the registry for DisallowRun settings was modified to enable in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Modify Registry Disable Toast Notifications - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azorult"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "ed4eeacb-8d5a-488e-bc97-1ce6ded63b84", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\PushNotifications\\ToastEnabled*" Registry.registry_value_data="0x00000000" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disable_toast_notifications_filter` - -[ESCU - Windows Modify Registry Disable Win Defender Raw Write Notif - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a modification in the Windows registry to disable Windows Defender raw write notification feature. This policy controls whether raw volume write notifications are sent to behavior monitoring or not. This registry was recently identified in Azorult malware to bypass Windows Defender detections or behavior monitoring in terms of volume write. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a modification in the Windows registry to disable Windows Defender raw write notification feature. This policy controls whether raw volume write notifications are sent to behavior monitoring or not. This registry was recently identified in Azorult malware to bypass Windows Defender detections or behavior monitoring in terms of volume write. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -action.escu.known_false_positives = Administrators may enable or disable this feature that may cause some false positive. Filter as needed. -action.escu.creation_date = 2023-12-27 -action.escu.modification_date = 2023-12-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Modify Registry Disable Win Defender Raw Write Notif - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Azorult", "CISA AA23-347A"] -action.risk = 1 -action.risk.param._risk_message = The registry for raw write notification settings was modified to disable in $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Modify Registry Disable Win Defender Raw Write Notif - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azorult", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "0e5e25c3-32f4-46f7-ba4a-5b95c3b90f5b", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\Real-Time Protection\\DisableRawWriteNotification*" Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disable_win_defender_raw_write_notif_filter` - -[ESCU - Windows Modify Registry Disable WinDefender Notifications - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a suspicious registry modification to disable Windows Defender notification. This technique was being abused by several adversaries, malware authors and also red-teamers to evade detection on the targeted machine. RedLine Stealer is one of the malware we've seen that uses this technique to bypass Windows defender detection. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a suspicious registry modification to disable Windows Defender notification. This technique was being abused by several adversaries, malware authors and also red-teamers to evade detection on the targeted machine. RedLine Stealer is one of the malware we've seen that uses this technique to bypass Windows defender detection. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -action.escu.known_false_positives = administrators may enable or disable this feature that may cause some false positive. -action.escu.creation_date = 2023-12-27 -action.escu.modification_date = 2023-12-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Modify Registry Disable WinDefender Notifications - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.atomic_red_team_guids = ["12e03af7-79f9-4f95-af48-d3f12f28a260"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["CISA AA23-347A", "RedLine Stealer"] -action.risk = 1 -action.risk.param._risk_message = A registry modification to disable Windows Defender notification on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Modify Registry Disable WinDefender Notifications - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A", "RedLine Stealer"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "8e207707-ad40-4eb3-b865-3a52aec91f26", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a suspicious registry modification to disable Windows Defender notification. This technique was being abused by several adversaries, malware authors and also red-teamers to evade detection on the targeted machine. RedLine Stealer is one of the malware we've seen that uses this technique to bypass Windows defender detection. -action.notable.param.rule_title = Windows Modify Registry Disable WinDefender Notifications -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center\\Notifications\\DisableNotifications" AND Registry.registry_value_data="0x00000001" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_disable_windefender_notifications_filter` - -[ESCU - Windows Modify Registry Disable Windows Security Center Notif - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic is to identify a modification in the Windows registry to disable windows center notifications. This Windows Operating System feature is responsible for alerting or notifying user if application or OS need some updates. Adversaries and malwares like Azorult abuse this technique to disable important update notification in compromised host. This anomaly detection is a good pivot to look for further events related to defense evasion and execution. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic is to identify a modification in the Windows registry to disable windows center notifications. This Windows Operating System feature is responsible for alerting or notifying user if application or OS need some updates. Adversaries and malwares like Azorult abuse this technique to disable important update notification in compromised host. This anomaly detection is a good pivot to look for further events related to defense evasion and execution. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -action.escu.known_false_positives = administrators may enable or disable this feature that may cause some false positive. -action.escu.creation_date = 2023-12-27 -action.escu.modification_date = 2023-12-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Modify Registry Disable Windows Security Center Notif - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Azorult", "CISA AA23-347A"] -action.risk = 1 -action.risk.param._risk_message = the registry for security center notification settings was modified to disable mode in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Modify Registry Disable Windows Security Center Notif - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azorult", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "27ed3e79-6d86-44dd-b9ab-524451c97a7b", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows\\CurrentVersion\\ImmersiveShell\\UseActionCenterExperience*" Registry.registry_value_data="0x00000000" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disable_windows_security_center_notif_filter` - -[ESCU - Windows Modify Registry DisableRemoteDesktopAntiAlias - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a modification in the Windows registry to DisableRemoteDesktopAntiAlias. This registry setting might be intended to manage or control anti-aliasing behavior (smoothing of edges and fonts) within Remote Desktop sessions. DarkGate malware modify this registry as part of its malicious installation in a targeted host for its remote desktop capabilities. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a modification in the Windows registry to DisableRemoteDesktopAntiAlias. This registry setting might be intended to manage or control anti-aliasing behavior (smoothing of edges and fonts) within Remote Desktop sessions. DarkGate malware modify this registry as part of its malicious installation in a targeted host for its remote desktop capabilities. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -action.escu.known_false_positives = Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed. -action.escu.creation_date = 2023-11-23 -action.escu.modification_date = 2023-11-23 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Modify Registry DisableRemoteDesktopAntiAlias - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["DarkGate Malware"] -action.risk = 1 -action.risk.param._risk_message = the registry for remote desktop settings was modified to be DisableRemoteDesktopAntiAlias on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Modify Registry DisableRemoteDesktopAntiAlias - Rule -action.correlationsearch.annotations = {"analytic_story": ["DarkGate Malware"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "4927c6f1-4667-42e6-bd7a-f5222116386b", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a modification in the Windows registry to DisableRemoteDesktopAntiAlias. This registry setting might be intended to manage or control anti-aliasing behavior (smoothing of edges and fonts) within Remote Desktop sessions. DarkGate malware modify this registry as part of its malicious installation in a targeted host for its remote desktop capabilities. -action.notable.param.rule_title = Windows Modify Registry DisableRemoteDesktopAntiAlias -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\Terminal Services\\DisableRemoteDesktopAntiAlias" Registry.registry_value_data = 0x00000001 by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disableremotedesktopantialias_filter` - -[ESCU - Windows Modify Registry DisableSecuritySettings - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a modification in the Windows registry to disable security settings of Terminal Services. altering or disabling security settings within Terminal Services. Terminal Services, now known as Remote Desktop Services (RDS) in more recent Windows versions, allows users to access applications, data, and even an entire desktop remotely. DarkGate malware modify this registry as part of its malicious installation in a targeted host for its remote desktop capabilities. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a modification in the Windows registry to disable security settings of Terminal Services. altering or disabling security settings within Terminal Services. Terminal Services, now known as Remote Desktop Services (RDS) in more recent Windows versions, allows users to access applications, data, and even an entire desktop remotely. DarkGate malware modify this registry as part of its malicious installation in a targeted host for its remote desktop capabilities. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -action.escu.known_false_positives = Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed. -action.escu.creation_date = 2023-12-27 -action.escu.modification_date = 2023-12-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Modify Registry DisableSecuritySettings - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["CISA AA23-347A", "DarkGate Malware"] -action.risk = 1 -action.risk.param._risk_message = the registry for terminal services settings was modified to disable security settings on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Modify Registry DisableSecuritySettings - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A", "DarkGate Malware"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "989019b4-b7aa-418a-9a17-2293e91288b6", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a modification in the Windows registry to disable security settings of Terminal Services. altering or disabling security settings within Terminal Services. Terminal Services, now known as Remote Desktop Services (RDS) in more recent Windows versions, allows users to access applications, data, and even an entire desktop remotely. DarkGate malware modify this registry as part of its malicious installation in a targeted host for its remote desktop capabilities. -action.notable.param.rule_title = Windows Modify Registry DisableSecuritySettings -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\Terminal Services\\DisableSecuritySettings" Registry.registry_value_data = 0x00000001 by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disablesecuritysettings_filter` - -[ESCU - Windows Modify Registry Disabling WER Settings - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a modification in the Windows registry to disable Windows error reporting settings. This Windows feature allows the user to report bugs, errors, failure or problems encountered in specific application or processes. Adversaries use this technique to hide any error or failure that some of its malicious components trigger. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a modification in the Windows registry to disable Windows error reporting settings. This Windows feature allows the user to report bugs, errors, failure or problems encountered in specific application or processes. Adversaries use this technique to hide any error or failure that some of its malicious components trigger. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -action.escu.known_false_positives = Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed. -action.escu.creation_date = 2023-12-27 -action.escu.modification_date = 2023-12-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Modify Registry Disabling WER Settings - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Azorult", "CISA AA23-347A"] -action.risk = 1 -action.risk.param._risk_message = the registry for WER settings was modified to be disabled on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Modify Registry Disabling WER Settings - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azorult", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "21cbcaf1-b51f-496d-a0c1-858ff3070452", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a modification in the Windows registry to disable Windows error reporting settings. This Windows feature allows the user to report bugs, errors, failure or problems encountered in specific application or processes. Adversaries use this technique to hide any error or failure that some of its malicious components trigger. -action.notable.param.rule_title = Windows Modify Registry Disabling WER Settings -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\disable*" Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disabling_wer_settings_filter` - -[ESCU - Windows Modify Registry DisAllow Windows App - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies modification in the Windows registry to prevent user running specific computer programs that could aid them in manually removing malware or detecting it using security products. This technique was recently identified in Azorult malware where it uses this registry value to prevent several AV products to execute on the compromised host machine. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies modification in the Windows registry to prevent user running specific computer programs that could aid them in manually removing malware or detecting it using security products. This technique was recently identified in Azorult malware where it uses this registry value to prevent several AV products to execute on the compromised host machine. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -action.escu.known_false_positives = Administrators may enable or disable this feature that may cause some false positive. Filter as needed. -action.escu.creation_date = 2022-06-22 -action.escu.modification_date = 2022-06-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Modify Registry DisAllow Windows App - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Azorult"] -action.risk = 1 -action.risk.param._risk_message = The registry for DisallowRun settings was modified to enable in $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Modify Registry DisAllow Windows App - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azorult"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "4bc788d3-c83a-48c5-a4e2-e0c6dba57889", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies modification in the Windows registry to prevent user running specific computer programs that could aid them in manually removing malware or detecting it using security products. This technique was recently identified in Azorult malware where it uses this registry value to prevent several AV products to execute on the compromised host machine. -action.notable.param.rule_title = Windows Modify Registry DisAllow Windows App -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisallowRun*" Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disallow_windows_app_filter` - -[ESCU - Windows Modify Registry Do Not Connect To Win Update - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that will disable Windos update functionality, and may cause connection to public services such as the Windows Store to stop working. This policy applies only when this PC is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that will disable Windos update functionality, and may cause connection to public services such as the Windows Store to stop working. This policy applies only when this PC is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -action.escu.known_false_positives = administrators may enable or disable this feature that may cause some false positive. -action.escu.creation_date = 2023-04-21 -action.escu.modification_date = 2023-04-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Modify Registry Do Not Connect To Win Update - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.atomic_red_team_guids = ["12e03af7-79f9-4f95-af48-d3f12f28a260"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["RedLine Stealer"] -action.risk = 1 -action.risk.param._risk_message = a registry modification in Windows auto update configuration in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Modify Registry Do Not Connect To Win Update - Rule -action.correlationsearch.annotations = {"analytic_story": ["RedLine Stealer"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e09c598e-8dd0-4e73-b740-4b96b689199e", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\DoNotConnectToWindowsUpdateInternetLocations" AND Registry.registry_value_data="0x00000001" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_do_not_connect_to_win_update_filter` - -[ESCU - Windows Modify Registry DontShowUI - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a modification in the Windows Error Reporting registry to DontShowUI. DarkGate malware modify this registry as part of its malicious installation in a targeted host for its remote desktop capabilities. When this registry value is present and set to a specific configuration, it can influence the behavior of error reporting dialogs or prompts, suppressing them from being displayed to the user.For instance, setting DontShowUI to a value of 1 often indicates that the Windows Error Reporting UI prompts will be suppressed, meaning users won't see error reporting pop-ups when errors occur. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a modification in the Windows Error Reporting registry to DontShowUI. DarkGate malware modify this registry as part of its malicious installation in a targeted host for its remote desktop capabilities. When this registry value is present and set to a specific configuration, it can influence the behavior of error reporting dialogs or prompts, suppressing them from being displayed to the user.For instance, setting DontShowUI to a value of 1 often indicates that the Windows Error Reporting UI prompts will be suppressed, meaning users won't see error reporting pop-ups when errors occur. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -action.escu.known_false_positives = Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed. -action.escu.creation_date = 2023-11-23 -action.escu.modification_date = 2023-11-23 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Modify Registry DontShowUI - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["DarkGate Malware"] -action.risk = 1 -action.risk.param._risk_message = the registry for WER settings was modified to be disable show UI on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Modify Registry DontShowUI - Rule -action.correlationsearch.annotations = {"analytic_story": ["DarkGate Malware"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "4ff9767b-fdf2-489c-83a5-c6c34412d72e", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a modification in the Windows Error Reporting registry to DontShowUI. DarkGate malware modify this registry as part of its malicious installation in a targeted host for its remote desktop capabilities. When this registry value is present and set to a specific configuration, it can influence the behavior of error reporting dialogs or prompts, suppressing them from being displayed to the user.For instance, setting DontShowUI to a value of 1 often indicates that the Windows Error Reporting UI prompts will be suppressed, meaning users won't see error reporting pop-ups when errors occur. -action.notable.param.rule_title = Windows Modify Registry DontShowUI -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI" Registry.registry_value_data = 0x00000001 by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_dontshowui_filter` - -[ESCU - Windows Modify Registry EnableLinkedConnections - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a suspicious registry modification of Windows linked connection configuration. This technique was being abused by several adversaries, malware like BlackByte ransomware to enable the linked connections feature, that allows network shares to be accessed using both standard and administrator-level privileges simultaneously. By default, Windows does not enable this feature to enhance security. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a suspicious registry modification of Windows linked connection configuration. This technique was being abused by several adversaries, malware like BlackByte ransomware to enable the linked connections feature, that allows network shares to be accessed using both standard and administrator-level privileges simultaneously. By default, Windows does not enable this feature to enhance security. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -action.escu.known_false_positives = Administrators may enable or disable this feature that may cause some false positive. -action.escu.creation_date = 2023-07-10 -action.escu.modification_date = 2023-07-10 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Modify Registry EnableLinkedConnections - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.atomic_red_team_guids = ["4f4e2f9f-6209-4fcf-9b15-3b7455706f5b"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["BlackByte Ransomware"] -action.risk = 1 -action.risk.param._risk_message = A registry modification in Windows EnableLinkedConnections configuration on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Modify Registry EnableLinkedConnections - Rule -action.correlationsearch.annotations = {"analytic_story": ["BlackByte Ransomware"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "93048164-3358-4af0-8680-aa5f38440516", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a suspicious registry modification of Windows linked connection configuration. This technique was being abused by several adversaries, malware like BlackByte ransomware to enable the linked connections feature, that allows network shares to be accessed using both standard and administrator-level privileges simultaneously. By default, Windows does not enable this feature to enhance security. -action.notable.param.rule_title = Windows Modify Registry EnableLinkedConnections -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLinkedConnections" Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_enablelinkedconnections_filter` - -[ESCU - Windows Modify Registry LongPathsEnabled - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a suspicious registry modification of Windows long path enable configuration. This technique was being abused by several adversaries, malware like BlackByte to enable long file path support in the operating system. By default, Windows has a limitation on the maximum length of a file path, which is set to 260 characters. Enabling the LongPathsEnabled setting allows you to work with file paths longer than 260 characters. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a suspicious registry modification of Windows long path enable configuration. This technique was being abused by several adversaries, malware like BlackByte to enable long file path support in the operating system. By default, Windows has a limitation on the maximum length of a file path, which is set to 260 characters. Enabling the LongPathsEnabled setting allows you to work with file paths longer than 260 characters. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -action.escu.known_false_positives = Administrators may enable or disable this feature that may cause some false positive. -action.escu.creation_date = 2023-07-10 -action.escu.modification_date = 2023-07-10 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Modify Registry LongPathsEnabled - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.atomic_red_team_guids = ["4f4e2f9f-6209-4fcf-9b15-3b7455706f5b"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["BlackByte Ransomware"] -action.risk = 1 -action.risk.param._risk_message = A registry modification in Windows LongPathEnable configuration on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 16}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Modify Registry LongPathsEnabled - Rule -action.correlationsearch.annotations = {"analytic_story": ["BlackByte Ransomware"], "cis20": ["CIS 10"], "confidence": 40, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "36f9626c-4272-4808-aadd-267acce681c0", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\CurrentControlSet\\Control\\FileSystem\\LongPathsEnabled" Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_longpathsenabled_filter` - -[ESCU - Windows Modify Registry MaxConnectionPerServer - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a suspicious registry modification of Windows max connection per server configuration. This particular technique has been observed in various threat actors, adversaries, and even in malware such as the Warzone (Ave Maria) RAT. By altering the max connection per server setting in the Windows registry, attackers can potentially increase the number of concurrent connections allowed to a remote server. This modification could be exploited for various malicious purposes, including facilitating distributed denial-of-service (DDoS) attacks or enabling more effective lateral movement within a compromised network. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a suspicious registry modification of Windows max connection per server configuration. This particular technique has been observed in various threat actors, adversaries, and even in malware such as the Warzone (Ave Maria) RAT. By altering the max connection per server setting in the Windows registry, attackers can potentially increase the number of concurrent connections allowed to a remote server. This modification could be exploited for various malicious purposes, including facilitating distributed denial-of-service (DDoS) attacks or enabling more effective lateral movement within a compromised network. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -action.escu.known_false_positives = Administrators may enable or disable this feature that may cause some false positive. -action.escu.creation_date = 2023-07-26 -action.escu.modification_date = 2023-07-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Modify Registry MaxConnectionPerServer - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Warzone RAT"] -action.risk = 1 -action.risk.param._risk_message = A registry modification in max connection per server configuration in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Modify Registry MaxConnectionPerServer - Rule -action.correlationsearch.annotations = {"analytic_story": ["Warzone RAT"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "064cd09f-1ff4-4823-97e0-45c2f5b087ec", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\MaxConnectionsPerServer*" OR Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\MaxConnectionsPer1_0Server*") Registry.registry_value_data = "0x0000000a" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_maxconnectionperserver_filter` - -[ESCU - Windows Modify Registry No Auto Reboot With Logon User - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that will allow "Logged-on user gets to choose whether or not to restart his or her compute". -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that will allow "Logged-on user gets to choose whether or not to restart his or her compute". -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -action.escu.known_false_positives = Administrators may enable or disable this feature that may cause some false positive. -action.escu.creation_date = 2023-04-21 -action.escu.modification_date = 2023-04-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Modify Registry No Auto Reboot With Logon User - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.atomic_red_team_guids = ["12e03af7-79f9-4f95-af48-d3f12f28a260"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["RedLine Stealer"] -action.risk = 1 -action.risk.param._risk_message = A registry modification in Windows auto update configuration on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 9}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Modify Registry No Auto Reboot With Logon User - Rule -action.correlationsearch.annotations = {"analytic_story": ["RedLine Stealer"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "6a12fa9f-580d-4627-8c7f-313e359bdc6a", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\NoAutoRebootWithLoggedOnUsers" AND Registry.registry_value_data="0x00000001" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_no_auto_reboot_with_logon_user_filter` - -[ESCU - Windows Modify Registry No Auto Update - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that will "Disable Automatic Updates". -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that will "Disable Automatic Updates". -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -action.escu.known_false_positives = Administrators may enable or disable this feature that may cause some false positive. -action.escu.creation_date = 2023-12-27 -action.escu.modification_date = 2023-12-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Modify Registry No Auto Update - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.atomic_red_team_guids = ["12e03af7-79f9-4f95-af48-d3f12f28a260"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["CISA AA23-347A", "RedLine Stealer"] -action.risk = 1 -action.risk.param._risk_message = A registry modification in Windows auto update configuration on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Modify Registry No Auto Update - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A", "RedLine Stealer"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "fbd4f333-17bb-4eab-89cb-860fa2e0600e", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\NoAutoUpdate" AND Registry.registry_value_data="0x00000001" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_no_auto_update_filter` - -[ESCU - Windows Modify Registry NoChangingWallPaper - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies alterations in the Windows registry aimed at restricting wallpaper modifications. This tactic has been exploited by the Rhysida ransomware as a part of its destructive payload within compromised systems. By making this registry modification, the ransomware seeks to impede users from changing the wallpaper forcibly set by the malware, restricting the user's control over their system's visual settings. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies alterations in the Windows registry aimed at restricting wallpaper modifications. This tactic has been exploited by the Rhysida ransomware as a part of its destructive payload within compromised systems. By making this registry modification, the ransomware seeks to impede users from changing the wallpaper forcibly set by the malware, restricting the user's control over their system's visual settings. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -action.escu.known_false_positives = Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed. -action.escu.creation_date = 2023-12-12 -action.escu.modification_date = 2023-12-12 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Modify Registry NoChangingWallPaper - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Rhysida Ransomware"] -action.risk = 1 -action.risk.param._risk_message = the registry settings was modified to disable changing of wallpaper on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 36}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Modify Registry NoChangingWallPaper - Rule -action.correlationsearch.annotations = {"analytic_story": ["Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a2276412-e254-4e9a-9082-4d92edb6a3e0", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies alterations in the Windows registry aimed at restricting wallpaper modifications. This tactic has been exploited by the Rhysida ransomware as a part of its destructive payload within compromised systems. By making this registry modification, the ransomware seeks to impede users from changing the wallpaper forcibly set by the malware, restricting the user's control over their system's visual settings. -action.notable.param.rule_title = Windows Modify Registry NoChangingWallPaper -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\Windows\\CurrentVersion\\Policies\\ActiveDesktop\\NoChangingWallPaper" Registry.registry_value_data = 1) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_nochangingwallpaper_filter` - -[ESCU - Windows Modify Registry ProxyEnable - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a modification in the Windows registry to enable proxy. This method has been exploited by various malware and adversaries to establish proxy communication on compromised hosts, facilitating connections to malicious Command and Control (C2) servers. Identifying this anomaly serves as a crucial indicator to unveil suspicious processes attempting to activate the proxy feature within the Windows operating system. Detecting such attempts becomes pivotal in flagging potential threats, especially those aiming to leverage proxy configurations for unauthorized communication with malicious entities. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a modification in the Windows registry to enable proxy. This method has been exploited by various malware and adversaries to establish proxy communication on compromised hosts, facilitating connections to malicious Command and Control (C2) servers. Identifying this anomaly serves as a crucial indicator to unveil suspicious processes attempting to activate the proxy feature within the Windows operating system. Detecting such attempts becomes pivotal in flagging potential threats, especially those aiming to leverage proxy configurations for unauthorized communication with malicious entities. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -action.escu.known_false_positives = Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed. -action.escu.creation_date = 2023-11-23 -action.escu.modification_date = 2023-11-23 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Modify Registry ProxyEnable - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["DarkGate Malware"] -action.risk = 1 -action.risk.param._risk_message = the registry settings was modified to enable proxy on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Modify Registry ProxyEnable - Rule -action.correlationsearch.annotations = {"analytic_story": ["DarkGate Malware"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "b27f20bd-ef20-41d1-a1e9-25dedd5bf2f5", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\Internet Settings\\ProxyEnable" Registry.registry_value_data = 0x00000001 by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_proxyenable_filter` - -[ESCU - Windows Modify Registry ProxyServer - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a modification in the Windows registry to setup proxy server. This method has been exploited by various malware and adversaries to establish proxy communication on compromised hosts, facilitating connections to malicious Command and Control (C2) servers. Identifying this anomaly serves as a crucial indicator to unveil suspicious processes attempting to activate the proxy feature within the Windows operating system. Detecting such attempts becomes pivotal in flagging potential threats, especially those aiming to leverage proxy configurations for unauthorized communication with malicious entities. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a modification in the Windows registry to setup proxy server. This method has been exploited by various malware and adversaries to establish proxy communication on compromised hosts, facilitating connections to malicious Command and Control (C2) servers. Identifying this anomaly serves as a crucial indicator to unveil suspicious processes attempting to activate the proxy feature within the Windows operating system. Detecting such attempts becomes pivotal in flagging potential threats, especially those aiming to leverage proxy configurations for unauthorized communication with malicious entities. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -action.escu.known_false_positives = Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed. -action.escu.creation_date = 2023-11-23 -action.escu.modification_date = 2023-11-23 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Modify Registry ProxyServer - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["DarkGate Malware"] -action.risk = 1 -action.risk.param._risk_message = the registry settings was modified to setup proxy server on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Modify Registry ProxyServer - Rule -action.correlationsearch.annotations = {"analytic_story": ["DarkGate Malware"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "12bdaa0b-3c59-4489-aae1-bff6d67746ef", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\Internet Settings\\ProxyServer" by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_proxyserver_filter` - -[ESCU - Windows Modify Registry Qakbot Binary Data Registry - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a suspicious registry entry created by Qakbot malware as part of its malicious execution. This "Binary Data" Registry was created by newly spawn explorer.exe where its malicious code is injected to it. The registry consist of 8 random registry value name with encrypted binary data on its registry value data. This anomaly detections can be a good pivot for possible Qakbot malware infection or other malware that uses registry to save or store there config or malicious code on the registry data stream. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a suspicious registry entry created by Qakbot malware as part of its malicious execution. This "Binary Data" Registry was created by newly spawn explorer.exe where its malicious code is injected to it. The registry consist of 8 random registry value name with encrypted binary data on its registry value data. This anomaly detections can be a good pivot for possible Qakbot malware infection or other malware that uses registry to save or store there config or malicious code on the registry data stream. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-11-07 -action.escu.modification_date = 2023-11-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Modify Registry Qakbot Binary Data Registry - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Qakbot"] -action.risk = 1 -action.risk.param._risk_message = Registry with binary data created by $process_name$ on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Modify Registry Qakbot Binary Data Registry - Rule -action.correlationsearch.annotations = {"analytic_story": ["Qakbot"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "2e768497-04e0-4188-b800-70dd2be0e30d", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count dc(registry_value_name) as registry_value_name_count FROM datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Microsoft\\*" AND Registry.registry_value_data = "Binary Data" by _time span=1m Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.process_id Registry.registry_key_name | `drop_dm_object_name(Registry)` | eval registry_key_name_len = len(registry_key_name) | eval registry_value_name_len = len(registry_value_name) | regex registry_value_name="^[0-9a-fA-F]{8}" | where registry_key_name_len < 80 AND registry_value_name_len == 8 | join process_guid, _time [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name IN ("explorer.exe", "wermgr.exe","dxdiag.exe", "OneDriveSetup.exe", "mobsync.exe", "msra.exe", "xwizard.exe") by _time span=1m Processes.process_id Processes.process_name Processes.process Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid Processes.process_path | `drop_dm_object_name(Processes)` ] | stats min(_time) as firstTime max(_time) as lastTime values(registry_value_name) as registry_value_name dc(registry_value_name) as registry_value_name_count values(registry_key_name) by dest process_guid process_name parent_process_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where registry_value_name_count >= 5 | `windows_modify_registry_qakbot_binary_data_registry_filter` - -[ESCU - Windows Modify Registry Reg Restore - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a process execution of reg.exe with "restore" parameter. This reg.exe parameter is commonly used to restore registry backup data in a targeted host. This approach or technique was also seen in post-exploitation tool like winpeas where it uses "reg save" and "reg restore" to check the registry modification restriction in targeted host after gaining access to it. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1012"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a process execution of reg.exe with "restore" parameter. This reg.exe parameter is commonly used to restore registry backup data in a targeted host. This approach or technique was also seen in post-exploitation tool like winpeas where it uses "reg save" and "reg restore" to check the registry modification restriction in targeted host after gaining access to it. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = network administrator can use this command tool to backup registry before updates or modifying critical registries. -action.escu.creation_date = 2022-12-12 -action.escu.modification_date = 2022-12-12 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Modify Registry Reg Restore - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Prestige Ransomware", "Windows Post-Exploitation"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Modify Registry Reg Restore - Rule -action.correlationsearch.annotations = {"analytic_story": ["Prestige Ransomware", "Windows Post-Exploitation"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1012"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "d0072bd2-6d73-4c1b-bc77-ded6d2da3a4e", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process = "* restore *" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_reg_restore_filter` - -[ESCU - Windows Modify Registry Regedit Silent Reg Import - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies modification of Windows registry using regedit.exe application with silent mode parameter. regedit.exe windows application is commonly used as GUI app to check or modify registry. This application is also has undocumented command-line parameter and one of those are silent mode parameter that performs action without stopping for confirmation with dialog box. Importing registry from .reg files need to monitor in a production environment since it can be used adversaries to import RMS registry in compromised host. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies modification of Windows registry using regedit.exe application with silent mode parameter. regedit.exe windows application is commonly used as GUI app to check or modify registry. This application is also has undocumented command-line parameter and one of those are silent mode parameter that performs action without stopping for confirmation with dialog box. Importing registry from .reg files need to monitor in a production environment since it can be used adversaries to import RMS registry in compromised host. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators may execute this command that may cause some false positive. Filter as needed. -action.escu.creation_date = 2022-06-24 -action.escu.modification_date = 2022-06-24 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Modify Registry Regedit Silent Reg Import - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Azorult"] -action.risk = 1 -action.risk.param._risk_message = The regedit app was executed with silet mode parameter to import .reg file on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Modify Registry Regedit Silent Reg Import - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azorult"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "824dd598-71be-4203-bc3b-024f4cda340e", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="regedit.exe" OR Processes.original_file_name="regedit.exe") AND Processes.process="* /s *" AND Processes.process="*.reg*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_regedit_silent_reg_import_filter` - -[ESCU - Windows Modify Registry Risk Behavior - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is designed to identify instances where three or more distinct analytics associated with Mitre ID T1112 - Modification of registry information are triggered. Such occurrences could indicate the presence of multiple malicious registry modifications on a host. Malicious actors frequently manipulate the Windows Registry to hide important configuration details within specific Registry keys. This technique allows them to obscure their activities, erase any evidence during cleanup operations, and establish continuous access and execution of malicious code. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -action.escu.data_models = ["Risk"] -action.escu.eli5 = This analytic is designed to identify instances where three or more distinct analytics associated with Mitre ID T1112 - Modification of registry information are triggered. Such occurrences could indicate the presence of multiple malicious registry modifications on a host. Malicious actors frequently manipulate the Windows Registry to hide important configuration details within specific Registry keys. This technique allows them to obscure their activities, erase any evidence during cleanup operations, and establish continuous access and execution of malicious code. -action.escu.how_to_implement = Splunk Enterprise Security is required to utilize this correlation. In addition, modify the source_count value to your environment. In our testing, a count of 4 or 5 was decent in a lab, but the number may need to be increased base on internal testing. In addition, based on false positives, modify any analytics to be anomaly and lower or increase risk based on organization importance. -action.escu.known_false_positives = False positives will be present based on many factors. Tune the correlation as needed to reduce too many triggers. -action.escu.creation_date = 2023-06-15 -action.escu.modification_date = 2023-06-15 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Modify Registry Risk Behavior - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Windows Registry Abuse"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - RIR - Windows Modify Registry Risk Behavior - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"], "type": "Correlation"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "5eb479b1-a5ea-4e01-8365-780078613776", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic is designed to identify instances where three or more distinct analytics associated with Mitre ID T1112 - Modification of registry information are triggered. Such occurrences could indicate the presence of multiple malicious registry modifications on a host. Malicious actors frequently manipulate the Windows Registry to hide important configuration details within specific Registry keys. This technique allows them to obscure their activities, erase any evidence during cleanup operations, and establish continuous access and execution of malicious code. -action.notable.param.rule_title = RBA: Windows Modify Registry Risk Behavior -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where source IN ("*registry*") All_Risk.annotations.mitre_attack.mitre_technique_id IN ("*T1112*") by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 3 | `windows_modify_registry_risk_behavior_filter` - -[ESCU - Windows Modify Registry Suppress Win Defender Notif - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic is to identify a modification in the Windows registry to suppress windows defender notification. This technique was abuse by adversaries and threat actor to bypassed windows defender on the targeted host. Azorult malware is one of the malware use this technique that also disable toast notification and other windows features as part of its malicious behavior. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic is to identify a modification in the Windows registry to suppress windows defender notification. This technique was abuse by adversaries and threat actor to bypassed windows defender on the targeted host. Azorult malware is one of the malware use this technique that also disable toast notification and other windows features as part of its malicious behavior. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -action.escu.known_false_positives = administrators may enable or disable this feature that may cause some false positive. -action.escu.creation_date = 2023-12-27 -action.escu.modification_date = 2023-12-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Modify Registry Suppress Win Defender Notif - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Azorult", "CISA AA23-347A"] -action.risk = 1 -action.risk.param._risk_message = the registry for suppresing windows fdefender notification settings was modified to disabled in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Modify Registry Suppress Win Defender Notif - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azorult", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e3b42daf-fff4-429d-bec8-2a199468cea9", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\UX Configuration\\Notification_Suppress*" Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_suppress_win_defender_notif_filter` - -[ESCU - Windows Modify Registry Tamper Protection - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a suspicious registry modification to tamper Windows Defender protection. This technique was being abused by several adversaries, malware authors and also red-teamers to evade detection on the targeted machine. RedLine Stealer is one of the malware we've seen that uses this technique to bypass Windows defender detection. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a suspicious registry modification to tamper Windows Defender protection. This technique was being abused by several adversaries, malware authors and also red-teamers to evade detection on the targeted machine. RedLine Stealer is one of the malware we've seen that uses this technique to bypass Windows defender detection. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -action.escu.known_false_positives = Administrators may enable or disable this feature that may cause some false positive. -action.escu.creation_date = 2023-04-21 -action.escu.modification_date = 2023-04-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Modify Registry Tamper Protection - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.atomic_red_team_guids = ["12e03af7-79f9-4f95-af48-d3f12f28a260"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["RedLine Stealer"] -action.risk = 1 -action.risk.param._risk_message = A registry modification to tamper Windows Defender protection on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Modify Registry Tamper Protection - Rule -action.correlationsearch.annotations = {"analytic_story": ["RedLine Stealer"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "12094335-88fc-4c3a-b55f-e62dd8c93c23", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a suspicious registry modification to tamper Windows Defender protection. This technique was being abused by several adversaries, malware authors and also red-teamers to evade detection on the targeted machine. RedLine Stealer is one of the malware we've seen that uses this technique to bypass Windows defender detection. -action.notable.param.rule_title = Windows Modify Registry Tamper Protection -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection" AND Registry.registry_value_data="0x00000000" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_tamper_protection_filter` - -[ESCU - Windows Modify Registry UpdateServiceUrlAlternate - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that specifies an intranet server to host updates from Microsoft Update. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that specifies an intranet server to host updates from Microsoft Update. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -action.escu.known_false_positives = Administrators may enable or disable this feature that may cause some false positive. -action.escu.creation_date = 2023-04-21 -action.escu.modification_date = 2023-04-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Modify Registry UpdateServiceUrlAlternate - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["RedLine Stealer"] -action.risk = 1 -action.risk.param._risk_message = A registry modification in Windows auto update configuration on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Modify Registry UpdateServiceUrlAlternate - Rule -action.correlationsearch.annotations = {"analytic_story": ["RedLine Stealer"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "ca4e94fb-7969-4d63-8630-3625809a1f70", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\UpdateServiceUrlAlternate" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_updateserviceurlalternate_filter` - -[ESCU - Windows Modify Registry USeWuServer - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that will use "The WUServer value unless this key is set". -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that will use "The WUServer value unless this key is set". -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -action.escu.known_false_positives = administrators may enable or disable this feature that may cause some false positive. -action.escu.creation_date = 2023-04-21 -action.escu.modification_date = 2023-04-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Modify Registry USeWuServer - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["RedLine Stealer"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Modify Registry USeWuServer - Rule -action.correlationsearch.annotations = {"analytic_story": ["RedLine Stealer"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c427bafb-0b2c-4b18-ad85-c03c6fed9e75", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\UseWUServer" AND Registry.registry_value_data="0x00000001" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_usewuserver_filter` - -[ESCU - Windows Modify Registry With MD5 Reg Key Name - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is designed to identify potentially malicious registry modification characterized by MD5-like registry key names. This technique has been notably observed in NjRAT malware, which employs such registries for fileless storage of keylogs and .DLL plugins. Detecting this tactic serves as an effective means of identifying possible NjRAT malware instances that create or modify registries as part of their malicious activities. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is designed to identify potentially malicious registry modification characterized by MD5-like registry key names. This technique has been notably observed in NjRAT malware, which employs such registries for fileless storage of keylogs and .DLL plugins. Detecting this tactic serves as an effective means of identifying possible NjRAT malware instances that create or modify registries as part of their malicious activities. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-09-25 -action.escu.modification_date = 2023-09-25 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Modify Registry With MD5 Reg Key Name - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["NjRAT"] -action.risk = 1 -action.risk.param._risk_message = A md5 registry value name $registry_value_name$ is created on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 36}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Modify Registry With MD5 Reg Key Name - Rule -action.correlationsearch.annotations = {"analytic_story": ["NjRAT"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "4662c6b1-0754-455e-b9ff-3ee730af3ba8", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic is designed to identify potentially malicious registry modification characterized by MD5-like registry key names. This technique has been notably observed in NjRAT malware, which employs such registries for fileless storage of keylogs and .DLL plugins. Detecting this tactic serves as an effective means of identifying possible NjRAT malware instances that create or modify registries as part of their malicious activities. -action.notable.param.rule_title = Windows Modify Registry With MD5 Reg Key Name -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\SOFTWARE\\*" Registry.registry_value_data = "Binary Data" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | eval dropped_reg_path = split(registry_path, "\\") | eval dropped_reg_path_split_count = mvcount(dropped_reg_path) | eval validation_result= if(match(registry_value_name,"^[0-9a-fA-F]{32}$"),"md5","nonmd5") | where validation_result = "md5" AND dropped_reg_path_split_count <= 5 | table dest user registry_path registry_value_name registry_value_data registry_key_name reg_key_name dropped_reg_path_split_count validation_result | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_with_md5_reg_key_name_filter` - -[ESCU - Windows Modify Registry WuServer - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification related to the WSUS server used by Automatic Updates and (by default) API callers. This policy is paired with WUStatusServer; both must be set to the same value in order for them to be valid. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification related to the WSUS server used by Automatic Updates and (by default) API callers. This policy is paired with WUStatusServer; both must be set to the same value in order for them to be valid. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -action.escu.known_false_positives = Administrators may enable or disable this feature that may cause some false positive. -action.escu.creation_date = 2023-04-21 -action.escu.modification_date = 2023-04-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Modify Registry WuServer - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["RedLine Stealer"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Modify Registry WuServer - Rule -action.correlationsearch.annotations = {"analytic_story": ["RedLine Stealer"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a02ad386-e26d-44ce-aa97-6a46cee31439", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\WUServer" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_wuserver_filter` - -[ESCU - Windows Modify Registry wuStatusServer - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification related to the server to which reporting information will be sent for client computers that use the WSUS server configured by the WUServer key. This policy is paired with WUServer; both must be set to the same value in order for them to be valid. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification related to the server to which reporting information will be sent for client computers that use the WSUS server configured by the WUServer key. This policy is paired with WUServer; both must be set to the same value in order for them to be valid. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -action.escu.known_false_positives = administrators may enable or disable this feature that may cause some false positive. -action.escu.creation_date = 2023-04-21 -action.escu.modification_date = 2023-04-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Modify Registry wuStatusServer - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["RedLine Stealer"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Modify Registry wuStatusServer - Rule -action.correlationsearch.annotations = {"analytic_story": ["RedLine Stealer"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "073e69d0-68b2-4142-aa90-a7ee6f590676", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\WUStatusServer" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_wustatusserver_filter` - -[ESCU - Windows Modify Show Compress Color And Info Tip Registry - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is to look for suspicious registry modification related to file compression color and information tips. This IOC was seen in hermetic wiper where it has a thread that will create this registry entry to change the color of compressed or encrypted files in NTFS file system as well as the pop up information tips. This is a good indicator that a process tries to modified one of the registry GlobalFolderOptions related to file compression attribution in terms of color in NTFS file system. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is to look for suspicious registry modification related to file compression color and information tips. This IOC was seen in hermetic wiper where it has a thread that will create this registry entry to change the color of compressed or encrypted files in NTFS file system as well as the pop up information tips. This is a good indicator that a process tries to modified one of the registry GlobalFolderOptions related to file compression attribution in terms of color in NTFS file system. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-04-27 -action.escu.modification_date = 2023-04-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Modify Show Compress Color And Info Tip Registry - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Data Destruction", "Hermetic Wiper", "Windows Defense Evasion Tactics", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = Registry modification in "ShowCompColor" and "ShowInfoTips" on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Modify Show Compress Color And Info Tip Registry - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "b7548c2e-9a10-11ec-99e3-acde48001122", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic is to look for suspicious registry modification related to file compression color and information tips. This IOC was seen in hermetic wiper where it has a thread that will create this registry entry to change the color of compressed or encrypted files in NTFS file system as well as the pop up information tips. This is a good indicator that a process tries to modified one of the registry GlobalFolderOptions related to file compression attribution in terms of color in NTFS file system. -action.notable.param.rule_title = Windows Modify Show Compress Color And Info Tip Registry -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced*" AND Registry.registry_value_name IN("ShowCompColor", "ShowInfoTip")) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_show_compress_color_and_info_tip_registry_filter` - -[ESCU - Windows Modify System Firewall with Notable Process Path - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects a potential suspicious modification of firewall rule allowing to execute specific application in public and suspicious windows process file path. This technique was identified when an adversary and red teams to bypassed firewall file execution restriction in a targetted host. Take note that this event or command can run by administrator during testing or allowing legitimate tool or application. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.004", "T1562"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects a potential suspicious modification of firewall rule allowing to execute specific application in public and suspicious windows process file path. This technique was identified when an adversary and red teams to bypassed firewall file execution restriction in a targetted host. Take note that this event or command can run by administrator during testing or allowing legitimate tool or application. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = A network operator or systems administrator may utilize an automated or manual execution of this firewall rule that may generate false positives. Filter as needed. -action.escu.creation_date = 2023-12-12 -action.escu.modification_date = 2023-12-12 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Modify System Firewall with Notable Process Path - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["NjRAT"] -action.risk = 1 -action.risk.param._risk_message = firewall allowed program commandline $process$ of $process_name$ on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Modify System Firewall with Notable Process Path - Rule -action.correlationsearch.annotations = {"analytic_story": ["NjRAT"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.004", "T1562"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "cd6d7410-9146-4471-a418-49edba6dadc4", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects a potential suspicious modification of firewall rule allowing to execute specific application in public and suspicious windows process file path. This technique was identified when an adversary and red teams to bypassed firewall file execution restriction in a targetted host. Take note that this event or command can run by administrator during testing or allowing legitimate tool or application. -action.notable.param.rule_title = Windows Modify System Firewall with Notable Process Path -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = "*firewall*" Processes.process = "*allow*" Processes.process = "*add*" Processes.process = "*ENABLE*" Processes.process IN ("*\\windows\\fonts\\*", "*\\windows\\temp\\*", "*\\users\\public\\*", "*\\windows\\debug\\*", "*\\Users\\Administrator\\Music\\*", "*\\Windows\\servicing\\*", "*\\Users\\Default\\*","*Recycle.bin*", "*\\Windows\\Media\\*", "\\Windows\\repair\\*", "*\\temp\\*", "*\\PerfLogs\\*") by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_system_firewall_with_notable_process_path_filter` - -[ESCU - Windows MOF Event Triggered Execution via WMI - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following anaytic identifies MOFComp.exe loading a MOF file. The Managed Object Format (MOF) compiler parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository. Typically, MOFComp.exe does not reach out to the public internet or load a MOF file from User Profile paths. A filter and consumer is typically registered in WMI. Review parallel processes and query WMI subscriptions to gather artifacts. The default path of mofcomp.exe is C:\Windows\System32\wbem. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1546.003"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following anaytic identifies MOFComp.exe loading a MOF file. The Managed Object Format (MOF) compiler parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository. Typically, MOFComp.exe does not reach out to the public internet or load a MOF file from User Profile paths. A filter and consumer is typically registered in WMI. Review parallel processes and query WMI subscriptions to gather artifacts. The default path of mofcomp.exe is C:\Windows\System32\wbem. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives may be present from automation based applications (SCCM), filtering may be required. In addition, break the query out based on volume of usage. Filter process names or file paths. -action.escu.creation_date = 2024-04-29 -action.escu.modification_date = 2024-04-29 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows MOF Event Triggered Execution via WMI - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Living Off The Land"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ loading a MOF file. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 64}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows MOF Event Triggered Execution via WMI - Rule -action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1546.003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e59b5a73-32bf-4467-a585-452c36ae10c1", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following anaytic identifies MOFComp.exe loading a MOF file. The Managed Object Format (MOF) compiler parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository. Typically, MOFComp.exe does not reach out to the public internet or load a MOF file from User Profile paths. A filter and consumer is typically registered in WMI. Review parallel processes and query WMI subscriptions to gather artifacts. The default path of mofcomp.exe is C:\Windows\System32\wbem. -action.notable.param.rule_title = Windows MOF Event Triggered Execution via WMI -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name IN ("cmd.exe", "powershell.exe") Processes.process_name=mofcomp.exe) OR (Processes.process_name=mofcomp.exe Processes.process IN ("*\\AppData\\Local\\*","*\\Users\\Public\\*")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_mof_event_triggered_execution_via_wmi_filter` - -[ESCU - Windows MOVEit Transfer Writing ASPX - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic detects the creation of new ASPX files in the MOVEit Transfer application's "wwwroot" directory. This activity is indicative of the recent critical vulnerability found in MOVEit Transfer, where threat actors have been observed exploiting a zero-day vulnerability to install a malicious ASPX file (e.g., "human2.aspx") in the wwwroot directory. The injected file could then be used to exfiltrate sensitive data, including user credentials and file metadata. The vulnerability affects the MOVEit Transfer managed file transfer software developed by Progress, a subsidiary of US-based Progress Software Corporation. This analytic requires endpoint data reflecting process and filesystem activity. The identified process must be responsible for the creation of new ASPX or ASHX files in the specified directory. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the creation of new ASPX files in the MOVEit Transfer application's "wwwroot" directory. This activity is indicative of the recent critical vulnerability found in MOVEit Transfer, where threat actors have been observed exploiting a zero-day vulnerability to install a malicious ASPX file (e.g., "human2.aspx") in the wwwroot directory. The injected file could then be used to exfiltrate sensitive data, including user credentials and file metadata. The vulnerability affects the MOVEit Transfer managed file transfer software developed by Progress, a subsidiary of US-based Progress Software Corporation. This analytic requires endpoint data reflecting process and filesystem activity. The identified process must be responsible for the creation of new ASPX or ASHX files in the specified directory. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node. -action.escu.known_false_positives = The query is structured in a way that `action` (read, create) is not defined. Review the results of this query, filter, and tune as necessary. It may be necessary to generate this query specific to your endpoint product. -action.escu.creation_date = 2023-06-01 -action.escu.modification_date = 2023-06-01 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows MOVEit Transfer Writing ASPX - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["MOVEit Transfer Critical Vulnerability"] -action.risk = 1 -action.risk.param._risk_message = The MOVEit application on $dest$ has written a new ASPX file to disk. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 100}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Windows MOVEit Transfer Writing ASPX - Rule -action.correlationsearch.annotations = {"analytic_story": ["MOVEit Transfer Critical Vulnerability"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c0ed2aca-5666-45b3-813f-ddfac3f3eda0", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the creation of new ASPX files in the MOVEit Transfer application's "wwwroot" directory. This activity is indicative of the recent critical vulnerability found in MOVEit Transfer, where threat actors have been observed exploiting a zero-day vulnerability to install a malicious ASPX file (e.g., "human2.aspx") in the wwwroot directory. The injected file could then be used to exfiltrate sensitive data, including user credentials and file metadata. The vulnerability affects the MOVEit Transfer managed file transfer software developed by Progress, a subsidiary of US-based Progress Software Corporation. This analytic requires endpoint data reflecting process and filesystem activity. The identified process must be responsible for the creation of new ASPX or ASHX files in the specified directory. -action.notable.param.rule_title = Windows MOVEit Transfer Writing ASPX -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=System by _time span=1h Processes.process_id Processes.process_name Processes.dest | `drop_dm_object_name(Processes)` | join process_guid, _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*\\MOVEitTransfer\\wwwroot\\*") Filesystem.file_name IN("*.aspx", "*.ashx", "*.asp*") OR Filesystem.file_name IN ("human2.aspx","_human2.aspx") by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` | fields _time dest file_create_time file_name file_path process_name process_path process] | dedup file_create_time | table dest file_create_time, file_name, file_path, process_name | `windows_moveit_transfer_writing_aspx_filter` - -[ESCU - Windows MSExchange Management Mailbox Cmdlet Usage - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies suspicious Cmdlet usage in Exchange Management logs, focusing on commands like New-MailboxExportRequest and New-ManagementRoleAssignment. It leverages EventCode 1 and specific Message patterns to detect potential ProxyShell and ProxyNotShell abuse. This activity is significant as it may indicate unauthorized access or manipulation of mailboxes and roles, which are critical for maintaining email security. If confirmed malicious, attackers could export mailbox data, assign new roles, or search mailboxes, leading to data breaches and privilege escalation. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies suspicious Cmdlet usage in Exchange Management logs, focusing on commands like New-MailboxExportRequest and New-ManagementRoleAssignment. It leverages EventCode 1 and specific Message patterns to detect potential ProxyShell and ProxyNotShell abuse. This activity is significant as it may indicate unauthorized access or manipulation of mailboxes and roles, which are critical for maintaining email security. If confirmed malicious, attackers could export mailbox data, assign new roles, or search mailboxes, leading to data breaches and privilege escalation. -action.escu.how_to_implement = The following analytic requires collecting the Exchange Management logs via a input. An example inputs is here https://gist.github.com/MHaggis/f66f1d608ea046efb9157020cd34c178. We used multiline as the XML format of the logs will require props/transforms. Multiline gives us everything we need in Message for now. Update the macro with your correct sourcetype. -action.escu.known_false_positives = False positives may be present when an Administrator utilizes the cmdlets in the query. Filter or monitor as needed. -action.escu.creation_date = 2024-05-22 -action.escu.modification_date = 2024-05-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows MSExchange Management Mailbox Cmdlet Usage - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["BlackByte Ransomware", "ProxyNotShell", "ProxyShell"] -action.risk = 1 -action.risk.param._risk_message = Cmdlets related to ProxyShell and ProxyNotShell have been identified on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 32}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows MSExchange Management Mailbox Cmdlet Usage - Rule -action.correlationsearch.annotations = {"analytic_story": ["BlackByte Ransomware", "ProxyNotShell", "ProxyShell"], "cis20": ["CIS 10"], "confidence": 80, "impact": 40, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "396de86f-25e7-4b0e-be09-a330be35249d", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `msexchange_management` EventCode=1 Message IN ("*New-MailboxExportRequest*", "*New-ManagementRoleAssignment*", "*New-MailboxSearch*", "*Get-Recipient*", "*Search-Mailbox*") | stats count min(_time) as firstTime max(_time) as lastTime by host Message | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename host AS dest | `windows_msexchange_management_mailbox_cmdlet_usage_filter` - -[ESCU - Windows Mshta Execution In Registry - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the usage of mshta.exe Windows binary in registry to execute malicious script. This technique was seen in kovter malware where it create several registry entry which is a encoded javascript and will be executed by another registry containing mshta and javascript activexobject to execute the encoded script using wscript.shell. This TTP is a good indication of kovter malware or other adversaries or threat actors leveraging fileless detection that survive system reboot. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.005"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the usage of mshta.exe Windows binary in registry to execute malicious script. This technique was seen in kovter malware where it create several registry entry which is a encoded javascript and will be executed by another registry containing mshta and javascript activexobject to execute the encoded script using wscript.shell. This TTP is a good indication of kovter malware or other adversaries or threat actors leveraging fileless detection that survive system reboot. -action.escu.how_to_implement = To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2022-10-14 -action.escu.modification_date = 2022-10-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Mshta Execution In Registry - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Suspicious Windows Registry Activities", "Windows Persistence Techniques"] -action.risk = 1 -action.risk.param._risk_message = A registry $registry_path$ contains mshta $registry_value_data$ in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 72}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Mshta Execution In Registry - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious Windows Registry Activities", "Windows Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.005"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e13ceade-b673-4d34-adc4-4d9c01729753", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the usage of mshta.exe Windows binary in registry to execute malicious script. This technique was seen in kovter malware where it create several registry entry which is a encoded javascript and will be executed by another registry containing mshta and javascript activexobject to execute the encoded script using wscript.shell. This TTP is a good indication of kovter malware or other adversaries or threat actors leveraging fileless detection that survive system reboot. -action.notable.param.rule_title = Windows Mshta Execution In Registry -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_value_data = "*mshta*" OR Registry.registry_value_data IN ("*javascript:*", "*vbscript:*","*WScript.Shell*") by Registry.registry_key_name Registry.registry_path Registry.registry_value_data Registry.action Registry.dest Registry.user| `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_mshta_execution_in_registry_filter` - -[ESCU - Windows MSHTA Writing to World Writable Path - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This detection identifies instances of the Windows utility `mshta.exe` being used to write files to world-writable directories, a technique commonly leveraged by adversaries to execute malicious scripts or payloads. Starting from 26 February 2024, APT29 has been observed distributing phishing attachments that lead to the download and execution of the ROOTSAW dropper via a compromised website. The ROOTSAW payload, utilizing obfuscated JavaScript, downloads a file named `invite.txt` to the `C:\Windows\Tasks` directory. This file is then decoded and decompressed to execute a malicious payload, often leveraging legitimate Windows binaries for malicious purposes, as seen with `SqlDumper.exe` in this campaign. \ \ -The analytic is designed to detect the initial file write operation by `mshta.exe` to directories that are typically writable by any user, such as `C:\Windows\Tasks`, `C:\Windows\Temp`, and others. This behavior is indicative of an attempt to establish persistence, execute code, or both, as part of a multi-stage infection process. The detection focuses on the use of `mshta.exe` to write to these locations, which is a deviation from the utility's legitimate use cases and thus serves as a strong indicator of compromise (IoC). \ \ -The ROOTSAW campaign associated with APT29 utilizes a sophisticated obfuscation technique and leverages multiple stages of payloads, ultimately leading to the execution of the WINELOADER malware. This detection aims to catch the early stages of such attacks, enabling defenders to respond before full compromise occurs. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.005"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This detection identifies instances of the Windows utility `mshta.exe` being used to write files to world-writable directories, a technique commonly leveraged by adversaries to execute malicious scripts or payloads. Starting from 26 February 2024, APT29 has been observed distributing phishing attachments that lead to the download and execution of the ROOTSAW dropper via a compromised website. The ROOTSAW payload, utilizing obfuscated JavaScript, downloads a file named `invite.txt` to the `C:\Windows\Tasks` directory. This file is then decoded and decompressed to execute a malicious payload, often leveraging legitimate Windows binaries for malicious purposes, as seen with `SqlDumper.exe` in this campaign. \ \ -The analytic is designed to detect the initial file write operation by `mshta.exe` to directories that are typically writable by any user, such as `C:\Windows\Tasks`, `C:\Windows\Temp`, and others. This behavior is indicative of an attempt to establish persistence, execute code, or both, as part of a multi-stage infection process. The detection focuses on the use of `mshta.exe` to write to these locations, which is a deviation from the utility's legitimate use cases and thus serves as a strong indicator of compromise (IoC). \ \ -The ROOTSAW campaign associated with APT29 utilizes a sophisticated obfuscation technique and leverages multiple stages of payloads, ultimately leading to the execution of the WINELOADER malware. This detection aims to catch the early stages of such attacks, enabling defenders to respond before full compromise occurs. -action.escu.how_to_implement = The analytic is designed to be run against Sysmon event logs collected from endpoints. The analytic requires the Sysmon event logs to be ingested into Splunk. The search focuses on EventCode 11 where the Image is `mshta.exe` and the TargetFilename is within world-writable directories such as `C:\Windows\Tasks`, `C:\Windows\Temp`, and others. The detection is designed to catch the initial file write operation by `mshta.exe` to these locations, which is indicative of an attempt to establish persistence or execute malicious code. The analytic can be modified to include additional world-writable directories as needed. -action.escu.known_false_positives = False positives may occur if legitimate processes are writing to world-writable directories. It is recommended to investigate the context of the file write operation to determine if it is malicious or not. Modify the search to include additional known good paths for `mshta.exe` to reduce false positives. -action.escu.creation_date = 2024-03-26 -action.escu.modification_date = 2024-03-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows MSHTA Writing to World Writable Path - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["APT29 Diplomatic Deceptions with WINELOADER", "Suspicious MSHTA Activity"] -action.risk = 1 -action.risk.param._risk_message = An instance of $Image$ writing to $TargetFilename$ was detected on $dest$. -action.risk.param._risk = [{"threat_object_field": "Image", "threat_object_type": "file_name"}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows MSHTA Writing to World Writable Path - Rule -action.correlationsearch.annotations = {"analytic_story": ["APT29 Diplomatic Deceptions with WINELOADER", "Suspicious MSHTA Activity"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.005"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "efbcf8ee-bc75-47f1-8985-a5c638c4faf0", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This detection identifies instances of the Windows utility `mshta.exe` being used to write files to world-writable directories, a technique commonly leveraged by adversaries to execute malicious scripts or payloads. Starting from 26 February 2024, APT29 has been observed distributing phishing attachments that lead to the download and execution of the ROOTSAW dropper via a compromised website. The ROOTSAW payload, utilizing obfuscated JavaScript, downloads a file named `invite.txt` to the `C:\Windows\Tasks` directory. This file is then decoded and decompressed to execute a malicious payload, often leveraging legitimate Windows binaries for malicious purposes, as seen with `SqlDumper.exe` in this campaign. \ \ -The analytic is designed to detect the initial file write operation by `mshta.exe` to directories that are typically writable by any user, such as `C:\Windows\Tasks`, `C:\Windows\Temp`, and others. This behavior is indicative of an attempt to establish persistence, execute code, or both, as part of a multi-stage infection process. The detection focuses on the use of `mshta.exe` to write to these locations, which is a deviation from the utility's legitimate use cases and thus serves as a strong indicator of compromise (IoC). \ \ -The ROOTSAW campaign associated with APT29 utilizes a sophisticated obfuscation technique and leverages multiple stages of payloads, ultimately leading to the execution of the WINELOADER malware. This detection aims to catch the early stages of such attacks, enabling defenders to respond before full compromise occurs. -action.notable.param.rule_title = Windows MSHTA Writing to World Writable Path -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=11 Image="*\\mshta.exe" TargetFilename IN ("*\\Windows\\Tasks\\*", "*\\Windows\\Temp\\*", "*\\Windows\\tracing\\*", "*\\Windows\\PLA\\Reports\\*", "*\\Windows\\PLA\\Rules\\*", "*\\Windows\\PLA\\Templates\\*", "*\\Windows\\PLA\\Reports\\en-US\\*", "*\\Windows\\PLA\\Rules\\en-US\\*", "*\\Windows\\Registration\\CRMLog\\*", "*\\Windows\\System32\\Tasks\\*", "*\\Windows\\System32\\Com\\dmp\\*", "*\\Windows\\System32\\LogFiles\\WMI\\*", "*\\Windows\\System32\\Microsoft\\Crypto\\RSA\\MachineKeys\\*", "*\\Windows\\System32\\spool\\PRINTERS\\*", "*\\Windows\\System32\\spool\\SERVERS\\*", "*\\Windows\\System32\\spool\\drivers\\color\\*", "*\\Windows\\System32\\Tasks\\Microsoft\\Windows\\RemoteApp and Desktop Connections Update\\*", "*\\Windows\\SysWOW64\\Tasks\\*", "*\\Windows\\SysWOW64\\Com\\dmp\\*", "*\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\PLA\\*", "*\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\RemoteApp and Desktop Connections Update\\*", "*\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\PLA\\System\\*") | rename Computer as dest, User as user | stats count min(_time) as firstTime max(_time) as lastTime by dest, user, Image, TargetFilename | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_mshta_writing_to_world_writable_path_filter` - -[ESCU - Windows MSIExec DLLRegisterServer - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the execution of msiexec.exe with the /y switch parameter, which enables the loading of DLLRegisterServer. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process command-line arguments and parent-child process relationships. This activity is significant because it can indicate an attempt to register malicious DLLs, potentially leading to code execution or persistence on the system. If confirmed malicious, this could allow an attacker to execute arbitrary code, escalate privileges, or maintain persistence within the environment. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.007"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the execution of msiexec.exe with the /y switch parameter, which enables the loading of DLLRegisterServer. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process command-line arguments and parent-child process relationships. This activity is significant because it can indicate an attempt to register malicious DLLs, potentially leading to code execution or persistence on the system. If confirmed malicious, this could allow an attacker to execute arbitrary code, escalate privileges, or maintain persistence within the environment. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = This analytic will need to be tuned for your environment based on legitimate usage of msiexec.exe. Filter as needed. -action.escu.creation_date = 2024-05-06 -action.escu.modification_date = 2024-05-06 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows MSIExec DLLRegisterServer - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Windows System Binary Proxy Execution MSIExec"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to register a file. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 35}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 35}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 35}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 35}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows MSIExec DLLRegisterServer - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows System Binary Proxy Execution MSIExec"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.007"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "fdb59aef-d88f-4909-8369-ec2afbd2c398", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the execution of msiexec.exe with the /y switch parameter, which enables the loading of DLLRegisterServer. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process command-line arguments and parent-child process relationships. This activity is significant because it can indicate an attempt to register malicious DLLs, potentially leading to code execution or persistence on the system. If confirmed malicious, this could allow an attacker to execute arbitrary code, escalate privileges, or maintain persistence within the environment. -action.notable.param.rule_title = Windows MSIExec DLLRegisterServer -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_msiexec` Processes.process IN ("*/y*", "*-y*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_msiexec_dllregisterserver_filter` - -[ESCU - Windows MsiExec HideWindow Rundll32 Execution - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a msiexec.exe process with hidewindow rundll32 process commandline. One such tactic involves utilizing system processes like "msiexec," "hidewindow," and "rundll32" through command-line execution. By leveraging these legitimate processes, QakBot masks its malicious operations, hiding behind seemingly normal system activities. This clandestine approach allows the trojan to carry out unauthorized tasks discreetly, such as downloading additional payloads, executing malicious code, or establishing communication with remote servers. This obfuscation through trusted system processes enables QakBot to operate stealthily, evading detection by security mechanisms and perpetuating its harmful actions without raising suspicion. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.007", "T1218"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a msiexec.exe process with hidewindow rundll32 process commandline. One such tactic involves utilizing system processes like "msiexec," "hidewindow," and "rundll32" through command-line execution. By leveraging these legitimate processes, QakBot masks its malicious operations, hiding behind seemingly normal system activities. This clandestine approach allows the trojan to carry out unauthorized tasks discreetly, such as downloading additional payloads, executing malicious code, or establishing communication with remote servers. This obfuscation through trusted system processes enables QakBot to operate stealthily, evading detection by security mechanisms and perpetuating its harmful actions without raising suspicion. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Other possible 3rd party msi software installers use this technique as part of its installation process. -action.escu.creation_date = 2024-01-03 -action.escu.modification_date = 2024-01-03 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows MsiExec HideWindow Rundll32 Execution - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Qakbot"] -action.risk = 1 -action.risk.param._risk_message = a msiexec parent process with /hidewindow rundll32 process commandline in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows MsiExec HideWindow Rundll32 Execution - Rule -action.correlationsearch.annotations = {"analytic_story": ["Qakbot"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.007", "T1218"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "9683271d-92e4-43b5-a907-1983bfb9f7fd", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a msiexec.exe process with hidewindow rundll32 process commandline. One such tactic involves utilizing system processes like "msiexec," "hidewindow," and "rundll32" through command-line execution. By leveraging these legitimate processes, QakBot masks its malicious operations, hiding behind seemingly normal system activities. This clandestine approach allows the trojan to carry out unauthorized tasks discreetly, such as downloading additional payloads, executing malicious code, or establishing communication with remote servers. This obfuscation through trusted system processes enables QakBot to operate stealthily, evading detection by security mechanisms and perpetuating its harmful actions without raising suspicion. -action.notable.param.rule_title = Windows MsiExec HideWindow Rundll32 Execution -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name = msiexec.exe Processes.process = "* /HideWindow *" Processes.process = "* rundll32*" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_msiexec_hidewindow_rundll32_execution_filter` - -[ESCU - Windows MSIExec Remote Download - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the use of msiexec.exe with an HTTP or HTTPS URL in the command line, indicating a remote file download attempt. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant as it may indicate an attempt to download and execute potentially malicious software from a remote server. If confirmed malicious, this could lead to unauthorized code execution, system compromise, or further malware deployment within the network. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.007"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the use of msiexec.exe with an HTTP or HTTPS URL in the command line, indicating a remote file download attempt. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant as it may indicate an attempt to download and execute potentially malicious software from a remote server. If confirmed malicious, this could lead to unauthorized code execution, system compromise, or further malware deployment within the network. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives may be present, filter by destination or parent process as needed. -action.escu.creation_date = 2024-05-08 -action.escu.modification_date = 2024-05-08 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows MSIExec Remote Download - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Windows System Binary Proxy Execution MSIExec"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to download a remote file. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 35}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 35}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 35}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 35}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows MSIExec Remote Download - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows System Binary Proxy Execution MSIExec"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.007"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "6aa49ff2-3c92-4586-83e0-d83eb693dfda", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the use of msiexec.exe with an HTTP or HTTPS URL in the command line, indicating a remote file download attempt. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant as it may indicate an attempt to download and execute potentially malicious software from a remote server. If confirmed malicious, this could lead to unauthorized code execution, system compromise, or further malware deployment within the network. -action.notable.param.rule_title = Windows MSIExec Remote Download -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_msiexec` Processes.process IN ("*http://*", "*https://*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_msiexec_remote_download_filter` - -[ESCU - Windows MSIExec Spawn Discovery Command - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects MSIExec spawning multiple discovery commands, such as Cmd.exe or PowerShell.exe. This behavior is identified using data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where MSIExec is the parent process. This activity is significant because MSIExec typically does not spawn child processes other than itself, making this behavior highly suspicious. If confirmed malicious, an attacker could use these discovery commands to gather system information, potentially leading to further exploitation or lateral movement within the network. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.007"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects MSIExec spawning multiple discovery commands, such as Cmd.exe or PowerShell.exe. This behavior is identified using data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where MSIExec is the parent process. This activity is significant because MSIExec typically does not spawn child processes other than itself, making this behavior highly suspicious. If confirmed malicious, an attacker could use these discovery commands to gather system information, potentially leading to further exploitation or lateral movement within the network. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives will be present with MSIExec spawning Cmd or PowerShell. Filtering will be needed. In addition, add other known discovery processes to enhance query. -action.escu.creation_date = 2024-05-18 -action.escu.modification_date = 2024-05-18 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows MSIExec Spawn Discovery Command - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Windows System Binary Proxy Execution MSIExec"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ running different discovery commands. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 35}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 35}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 35}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 35}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows MSIExec Spawn Discovery Command - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows System Binary Proxy Execution MSIExec"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.007"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e9d05aa2-32f0-411b-930c-5b8ca5c4fcee", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects MSIExec spawning multiple discovery commands, such as Cmd.exe or PowerShell.exe. This behavior is identified using data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where MSIExec is the parent process. This activity is significant because MSIExec typically does not spawn child processes other than itself, making this behavior highly suspicious. If confirmed malicious, an attacker could use these discovery commands to gather system information, potentially leading to further exploitation or lateral movement within the network. -action.notable.param.rule_title = Windows MSIExec Spawn Discovery Command -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=msiexec.exe Processes.process_name IN ("powershell.exe","cmd.exe", "nltest.exe","ipconfig.exe","systeminfo.exe") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_msiexec_spawn_discovery_command_filter` - -[ESCU - Windows MSIExec Spawn WinDBG - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic identifies the unusual behavior of MSIExec spawning WinDBG. It is designed to detect potential malicious activities. The search specifically looks for instances where the parent process name is 'msiexec.exe' and the process name is 'windbg.exe'. During the triage process, it is recommended to review the file path for additional artifacts that may provide further insights into the event. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.007"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic identifies the unusual behavior of MSIExec spawning WinDBG. It is designed to detect potential malicious activities. The search specifically looks for instances where the parent process name is 'msiexec.exe' and the process name is 'windbg.exe'. During the triage process, it is recommended to review the file path for additional artifacts that may provide further insights into the event. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives will only be present if the MSIExec process legitimately spawns WinDBG. Filter as needed. -action.escu.creation_date = 2023-10-31 -action.escu.modification_date = 2023-10-31 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows MSIExec Spawn WinDBG - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["DarkGate Malware"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 100}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 100}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 100}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 100}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows MSIExec Spawn WinDBG - Rule -action.correlationsearch.annotations = {"analytic_story": ["DarkGate Malware"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.007"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "9a18f7c2-1fe3-47b8-9467-8b3976770a30", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic identifies the unusual behavior of MSIExec spawning WinDBG. It is designed to detect potential malicious activities. The search specifically looks for instances where the parent process name is 'msiexec.exe' and the process name is 'windbg.exe'. During the triage process, it is recommended to review the file path for additional artifacts that may provide further insights into the event. -action.notable.param.rule_title = Windows MSIExec Spawn WinDBG -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=msiexec.exe Processes.process_name=windbg.exe by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process_path Processes.parent_process Processes.process_name Processes.process_path Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_msiexec_spawn_windbg_filter` - -[ESCU - Windows MSIExec Unregister DLLRegisterServer - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the use of msiexec.exe with the /z switch parameter, which is used to unload DLLRegisterServer. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs, including command-line arguments. This activity is significant because unloading DLLRegisterServer can be indicative of an attempt to deregister a DLL, potentially disrupting legitimate services or hiding malicious activity. If confirmed malicious, this could allow an attacker to disable security controls, evade detection, or disrupt system functionality, leading to further compromise of the environment. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.007"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the use of msiexec.exe with the /z switch parameter, which is used to unload DLLRegisterServer. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs, including command-line arguments. This activity is significant because unloading DLLRegisterServer can be indicative of an attempt to deregister a DLL, potentially disrupting legitimate services or hiding malicious activity. If confirmed malicious, this could allow an attacker to disable security controls, evade detection, or disrupt system functionality, leading to further compromise of the environment. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = This analytic will need to be tuned for your environment based on legitimate usage of msiexec.exe. Filter as needed. -action.escu.creation_date = 2024-05-10 -action.escu.modification_date = 2024-05-10 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows MSIExec Unregister DLLRegisterServer - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Windows System Binary Proxy Execution MSIExec"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to unregister a file. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 35}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 35}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 35}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 35}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows MSIExec Unregister DLLRegisterServer - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows System Binary Proxy Execution MSIExec"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.007"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a27db3c5-1a9a-46df-a577-765d3f1a3c24", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the use of msiexec.exe with the /z switch parameter, which is used to unload DLLRegisterServer. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs, including command-line arguments. This activity is significant because unloading DLLRegisterServer can be indicative of an attempt to deregister a DLL, potentially disrupting legitimate services or hiding malicious activity. If confirmed malicious, this could allow an attacker to disable security controls, evade detection, or disrupt system functionality, leading to further compromise of the environment. -action.notable.param.rule_title = Windows MSIExec Unregister DLLRegisterServer -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_msiexec` Processes.process IN ("*/z*", "*-z*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_msiexec_unregister_dllregisterserver_filter` - -[ESCU - Windows MSIExec With Network Connections - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects MSIExec making network connections over ports 443 or 80. This behavior is identified by correlating process creation events from Endpoint Detection and Response (EDR) agents with network traffic logs. Typically, MSIExec does not perform network communication to the internet, making this activity unusual and potentially indicative of malicious behavior. If confirmed malicious, an attacker could be using MSIExec to download or communicate with external servers, potentially leading to data exfiltration, command and control (C2) communication, or further malware deployment. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.007"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint", "Network_Traffic"] -action.escu.eli5 = The following analytic detects MSIExec making network connections over ports 443 or 80. This behavior is identified by correlating process creation events from Endpoint Detection and Response (EDR) agents with network traffic logs. Typically, MSIExec does not perform network communication to the internet, making this activity unusual and potentially indicative of malicious behavior. If confirmed malicious, an attacker could be using MSIExec to download or communicate with external servers, potentially leading to data exfiltration, command and control (C2) communication, or further malware deployment. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives will be present and filtering is required. -action.escu.creation_date = 2024-05-14 -action.escu.modification_date = 2024-05-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows MSIExec With Network Connections - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Windows System Binary Proxy Execution MSIExec"] -action.risk = 1 -action.risk.param._risk_message = An instance of $process_name$ was identified on endpoint $dest$ contacting a remote destination $dest_ip$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 35}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 35}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 35}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 35}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows MSIExec With Network Connections - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows System Binary Proxy Execution MSIExec"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.007"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "827409a1-5393-4d8d-8da4-bbb297c262a7", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects MSIExec making network connections over ports 443 or 80. This behavior is identified by correlating process creation events from Endpoint Detection and Response (EDR) agents with network traffic logs. Typically, MSIExec does not perform network communication to the internet, making this activity unusual and potentially indicative of malicious behavior. If confirmed malicious, an attacker could be using MSIExec to download or communicate with external servers, potentially leading to data exfiltration, command and control (C2) communication, or further malware deployment. -action.notable.param.rule_title = Windows MSIExec With Network Connections -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_msiexec` by _time Processes.user Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port IN ("80","443") by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port All_Traffic.dest_ip | `drop_dm_object_name(All_Traffic)` ] | table _time user dest parent_process_name process_name process_path process process_id dest_port dest_ip | `windows_msiexec_with_network_connections_filter` - -[ESCU - Windows Multi hop Proxy TOR Website Query - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a dns query to a known TOR proxy website. This technique was seen in several adversaries, threat actors and malware like AgentTesla to To disguise the source of its malicious traffic. adversaries may chain together multiple proxies. This Anomaly detection might be a good pivot for a process trying to download or use TOR proxies in a compromised host machine. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1071.003", "T1071"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies a dns query to a known TOR proxy website. This technique was seen in several adversaries, threat actors and malware like AgentTesla to To disguise the source of its malicious traffic. adversaries may chain together multiple proxies. This Anomaly detection might be a good pivot for a process trying to download or use TOR proxies in a compromised host machine. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and sysmon eventcode = 22 dns query events from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -action.escu.known_false_positives = third party application may use this proxies if allowed in production environment. Filter is needed. -action.escu.creation_date = 2022-09-16 -action.escu.modification_date = 2022-09-16 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Multi hop Proxy TOR Website Query - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["AgentTesla"] -action.risk = 1 -action.risk.param._risk_message = a process $Image$ is having a dns query in a tor domain $QueryName$ in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Multi hop Proxy TOR Website Query - Rule -action.correlationsearch.annotations = {"analytic_story": ["AgentTesla"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1071.003", "T1071"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "4c2d198b-da58-48d7-ba27-9368732d0054", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=22 QueryName IN ("*.torproject.org", "www.theonionrouter.com") | stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName QueryStatus ProcessId Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_multi_hop_proxy_tor_website_query_filter` - -[ESCU - Windows Multiple Account Passwords Changed - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This Splunk detection identifies situations where over five unique Windows account passwords are changed within a 10-minute interval, captured by Event Code 4724 in the Windows Security Event Log. The query utilizes the wineventlog_security dataset, organizing data into 10-minute periods to monitor the count and distinct count of TargetUserName, the accounts with altered passwords. Rapid password changes across multiple accounts are atypical and might indicate unauthorized access or an internal actor compromising account security. Teams should calibrate the detection's threshold and timeframe to fit their specific operational context. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1098", "T1078"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This Splunk detection identifies situations where over five unique Windows account passwords are changed within a 10-minute interval, captured by Event Code 4724 in the Windows Security Event Log. The query utilizes the wineventlog_security dataset, organizing data into 10-minute periods to monitor the count and distinct count of TargetUserName, the accounts with altered passwords. Rapid password changes across multiple accounts are atypical and might indicate unauthorized access or an internal actor compromising account security. Teams should calibrate the detection's threshold and timeframe to fit their specific operational context. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller events with the Windows TA. The Advanced Security Audit policy setting `Audit User Account Management` within `Account Management` needs to be enabled. -action.escu.known_false_positives = Service accounts may be responsible for the creation, deletion or modification of accounts for legitimate purposes. Filter as needed. -action.escu.creation_date = 2024-02-20 -action.escu.modification_date = 2024-02-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Multiple Account Passwords Changed - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Azure Active Directory Persistence"] -action.risk = 1 -action.risk.param._risk_message = User $src_user$ changed the passwords of multiple accounts in a short period of time. -action.risk.param._risk = [{"risk_object_field": "src_user", "risk_object_type": "user", "risk_score": 24}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Multiple Account Passwords Changed - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence"], "cis20": ["CIS 10"], "confidence": 60, "impact": 40, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1098", "T1078"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "faefb681-14be-4f0d-9cac-0bc0160c7280", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This Splunk detection identifies situations where over five unique Windows account passwords are changed within a 10-minute interval, captured by Event Code 4724 in the Windows Security Event Log. The query utilizes the wineventlog_security dataset, organizing data into 10-minute periods to monitor the count and distinct count of TargetUserName, the accounts with altered passwords. Rapid password changes across multiple accounts are atypical and might indicate unauthorized access or an internal actor compromising account security. Teams should calibrate the detection's threshold and timeframe to fit their specific operational context. -action.notable.param.rule_title = Windows Multiple Account Passwords Changed -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4724 status=success | bucket span=10m _time | stats count dc(user) as unique_users values(user) as user by EventCode signature _time src_user SubjectDomainName TargetDomainName Logon_ID | where unique_users > 5 | `windows_multiple_account_passwords_changed_filter` - -[ESCU - Windows Multiple Accounts Deleted - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic flags when more than five unique Windows accounts are deleted within a 10-minute period, identified by Event Code 4726 in the Windows Security Event Log. Using the wineventlog_security dataset, it segments data into 10-minute intervals to monitor account deletions, a pattern that could suggest malicious intent like an attacker erasing traces. Teams should adjust the detection's threshold and timeframe to suit their specific environment. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1098", "T1078"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic flags when more than five unique Windows accounts are deleted within a 10-minute period, identified by Event Code 4726 in the Windows Security Event Log. Using the wineventlog_security dataset, it segments data into 10-minute intervals to monitor account deletions, a pattern that could suggest malicious intent like an attacker erasing traces. Teams should adjust the detection's threshold and timeframe to suit their specific environment. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller events with the Windows TA. The Advanced Security Audit policy setting `Audit User Account Management` within `Account Management` needs to be enabled. -action.escu.known_false_positives = Service accounts may be responsible for the creation, deletion or modification of accounts for legitimate purposes. Filter as needed. -action.escu.creation_date = 2024-02-21 -action.escu.modification_date = 2024-02-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Multiple Accounts Deleted - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Azure Active Directory Persistence"] -action.risk = 1 -action.risk.param._risk_message = User $src_user$ deleted multiple accounts in a short period of time. -action.risk.param._risk = [{"risk_object_field": "src_user", "risk_object_type": "user", "risk_score": 18}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Multiple Accounts Deleted - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence"], "cis20": ["CIS 10"], "confidence": 60, "impact": 30, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1098", "T1078"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "49c0d4d6-c55d-4d3a-b3d5-7709fafed70d", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic flags when more than five unique Windows accounts are deleted within a 10-minute period, identified by Event Code 4726 in the Windows Security Event Log. Using the wineventlog_security dataset, it segments data into 10-minute intervals to monitor account deletions, a pattern that could suggest malicious intent like an attacker erasing traces. Teams should adjust the detection's threshold and timeframe to suit their specific environment. -action.notable.param.rule_title = Windows Multiple Accounts Deleted -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4726 status=success | bucket span=10m _time | stats count dc(user) as unique_users values(user) as user by EventCode signature _time src_user SubjectDomainName TargetDomainName Logon_ID | where unique_users > 5 | `windows_multiple_accounts_deleted_filter` - -[ESCU - Windows Multiple Accounts Disabled - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This Splunk detection focuses on instances where more than five unique Windows accounts are disabled within a 10-minute window, as indicated by Event Code 4725 in the Windows Security Event Log. The query analyzes the wineventlog_security dataset, grouping data into 10-minute segments, and tracks the count and distinct count of TargetUserName, the accounts being disabled. This pattern of disabling multiple accounts rapidly is unusual and could signal internal policy breaches or an external attacker's attempt to disrupt normal operations. Teams are advised to tailor the threshold and timeframe of this detection to their environment's specifics -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1098", "T1078"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This Splunk detection focuses on instances where more than five unique Windows accounts are disabled within a 10-minute window, as indicated by Event Code 4725 in the Windows Security Event Log. The query analyzes the wineventlog_security dataset, grouping data into 10-minute segments, and tracks the count and distinct count of TargetUserName, the accounts being disabled. This pattern of disabling multiple accounts rapidly is unusual and could signal internal policy breaches or an external attacker's attempt to disrupt normal operations. Teams are advised to tailor the threshold and timeframe of this detection to their environment's specifics -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller events with the Windows TA. The Advanced Security Audit policy setting `Audit User Account Management` within `Account Management` needs to be enabled. -action.escu.known_false_positives = Service accounts may be responsible for the creation, deletion or modification of accounts for legitimate purposes. Filter as needed. -action.escu.creation_date = 2024-02-21 -action.escu.modification_date = 2024-02-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Multiple Accounts Disabled - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Azure Active Directory Persistence"] -action.risk = 1 -action.risk.param._risk_message = User $src_user$ disabled multiple accounts in a short period of time. -action.risk.param._risk = [{"risk_object_field": "src_user", "risk_object_type": "user", "risk_score": 18}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Multiple Accounts Disabled - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence"], "cis20": ["CIS 10"], "confidence": 60, "impact": 30, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1098", "T1078"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "5d93894e-befa-4429-abde-7fc541020b7b", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This Splunk detection focuses on instances where more than five unique Windows accounts are disabled within a 10-minute window, as indicated by Event Code 4725 in the Windows Security Event Log. The query analyzes the wineventlog_security dataset, grouping data into 10-minute segments, and tracks the count and distinct count of TargetUserName, the accounts being disabled. This pattern of disabling multiple accounts rapidly is unusual and could signal internal policy breaches or an external attacker's attempt to disrupt normal operations. Teams are advised to tailor the threshold and timeframe of this detection to their environment's specifics -action.notable.param.rule_title = Windows Multiple Accounts Disabled -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4725 status=success | bucket span=10m _time | stats count dc(user) as unique_users values(user) as user by EventCode signature _time src_user SubjectDomainName TargetDomainName Logon_ID | where unique_users > 5 | `windows_multiple_accounts_disabled_filter` - -[ESCU - Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies one source endpoint failing to authenticate with 30 unique disabled domain users using the Kerberos protocol within 5 minutes. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using Kerberos to obtain initial access or elevate privileges. Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold when needed. As attackers progress in a breach, mistakes will be made. In certain scenarios, adversaries may execute a password spraying attack against disabled users. Event 4768 is generated every time the Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT). Failure code `0x12` stands for `clients credentials have been revoked` (account disabled, expired or locked out). \ -This logic can be used for real time security monitoring as well as threat hunting exercises. This detection will only trigger on domain controllers, not on member servers or workstations. \ -The analytics returned fields allow analysts to investigate the event further by providing fields like source ip and attempted user accounts. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies one source endpoint failing to authenticate with 30 unique disabled domain users using the Kerberos protocol within 5 minutes. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using Kerberos to obtain initial access or elevate privileges. Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold when needed. As attackers progress in a breach, mistakes will be made. In certain scenarios, adversaries may execute a password spraying attack against disabled users. Event 4768 is generated every time the Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT). Failure code `0x12` stands for `clients credentials have been revoked` (account disabled, expired or locked out). \ -This logic can be used for real time security monitoring as well as threat hunting exercises. This detection will only trigger on domain controllers, not on member servers or workstations. \ -The analytics returned fields allow analysts to investigate the event further by providing fields like source ip and attempted user accounts. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. -action.escu.known_false_positives = A host failing to authenticate with multiple disabled domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, multi-user systems missconfigured systems. -action.escu.creation_date = 2021-04-14 -action.escu.modification_date = 2021-04-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Kerberos Attacks", "Active Directory Password Spraying", "Volt Typhoon"] -action.risk = 1 -action.risk.param._risk_message = Potential Kerberos based password spraying attack from $IpAddress$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}, {"threat_object_field": "IpAddress", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Password Spraying", "Volt Typhoon"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "98f22d82-9d62-11eb-9fcf-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies one source endpoint failing to authenticate with 30 unique disabled domain users using the Kerberos protocol within 5 minutes. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using Kerberos to obtain initial access or elevate privileges. Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold when needed. As attackers progress in a breach, mistakes will be made. In certain scenarios, adversaries may execute a password spraying attack against disabled users. Event 4768 is generated every time the Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT). Failure code `0x12` stands for `clients credentials have been revoked` (account disabled, expired or locked out). \ -This logic can be used for real time security monitoring as well as threat hunting exercises. This detection will only trigger on domain controllers, not on member servers or workstations. \ -The analytics returned fields allow analysts to investigate the event further by providing fields like source ip and attempted user accounts. -action.notable.param.rule_title = Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4768 TargetUserName!=*$ Status=0x12 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, IpAddress | where unique_accounts > 30 | `windows_multiple_disabled_users_failed_to_authenticate_wth_kerberos_filter` - -[ESCU - Windows Multiple Invalid Users Fail To Authenticate Using Kerberos - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies one source endpoint failing to authenticate with 30 unique invalid domain users using the Kerberos protocol. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using Kerberos to obtain initial access or elevate privileges. Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold when needed. As attackers progress in a breach, mistakes will be made. In certain scenarios, adversaries may execute a password spraying attack using an invalid list of users. Event 4768 is generated every time the Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT). Failure code 0x6 stands for `client not found in Kerberos database` (the attempted user is not a valid domain user). \ -This logic can be used for real time security monitoring as well as threat hunting exercises. This detection will only trigger on domain controllers, not on member servers or workstations. \ -The analytics returned fields allow analysts to investigate the event further by providing fields like source ip and attempted user accounts. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies one source endpoint failing to authenticate with 30 unique invalid domain users using the Kerberos protocol. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using Kerberos to obtain initial access or elevate privileges. Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold when needed. As attackers progress in a breach, mistakes will be made. In certain scenarios, adversaries may execute a password spraying attack using an invalid list of users. Event 4768 is generated every time the Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT). Failure code 0x6 stands for `client not found in Kerberos database` (the attempted user is not a valid domain user). \ -This logic can be used for real time security monitoring as well as threat hunting exercises. This detection will only trigger on domain controllers, not on member servers or workstations. \ -The analytics returned fields allow analysts to investigate the event further by providing fields like source ip and attempted user accounts. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. -action.escu.known_false_positives = A host failing to authenticate with multiple invalid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, multi-user systems and missconfigured systems. -action.escu.creation_date = 2021-04-14 -action.escu.modification_date = 2021-04-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Multiple Invalid Users Fail To Authenticate Using Kerberos - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Kerberos Attacks", "Active Directory Password Spraying", "Volt Typhoon"] -action.risk = 1 -action.risk.param._risk_message = Potential Kerberos based password spraying attack from $IpAddress$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}, {"risk_object_field": "IpAddress", "risk_object_type": "other", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Multiple Invalid Users Fail To Authenticate Using Kerberos - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Password Spraying", "Volt Typhoon"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "001266a6-9d5b-11eb-829b-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies one source endpoint failing to authenticate with 30 unique invalid domain users using the Kerberos protocol. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using Kerberos to obtain initial access or elevate privileges. Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold when needed. As attackers progress in a breach, mistakes will be made. In certain scenarios, adversaries may execute a password spraying attack using an invalid list of users. Event 4768 is generated every time the Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT). Failure code 0x6 stands for `client not found in Kerberos database` (the attempted user is not a valid domain user). \ -This logic can be used for real time security monitoring as well as threat hunting exercises. This detection will only trigger on domain controllers, not on member servers or workstations. \ -The analytics returned fields allow analysts to investigate the event further by providing fields like source ip and attempted user accounts. -action.notable.param.rule_title = Windows Multiple Invalid Users Fail To Authenticate Using Kerberos -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4768 TargetUserName!=*$ Status=0x6 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, IpAddress | where unique_accounts > 30 | `windows_multiple_invalid_users_fail_to_authenticate_using_kerberos_filter` - -[ESCU - Windows Multiple Invalid Users Failed To Authenticate Using NTLM - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies one source endpoint failing to authenticate with 30 unique invalid users using the NTLM protocol. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using NTLM to obtain initial access or elevate privileges. Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold when needed. As attackers progress in a breach, mistakes will be made. In certain scenarios, adversaries may execute a password spraying attack using an invalid list of users. Event 4776 is generated on the computer that is authoritative for the provided credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative. Error code 0xC0000064 stands for `The username you typed does not exist` (the attempted user is a legitimate domain user). \ -This logic can be used for real time security monitoring as well as threat hunting exercises. This detection will only trigger on domain controllers, not on member servers or workstations. \ -The analytics returned fields allow analysts to investigate the event further by providing fields like source workstation name and attempted user accounts. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies one source endpoint failing to authenticate with 30 unique invalid users using the NTLM protocol. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using NTLM to obtain initial access or elevate privileges. Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold when needed. As attackers progress in a breach, mistakes will be made. In certain scenarios, adversaries may execute a password spraying attack using an invalid list of users. Event 4776 is generated on the computer that is authoritative for the provided credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative. Error code 0xC0000064 stands for `The username you typed does not exist` (the attempted user is a legitimate domain user). \ -This logic can be used for real time security monitoring as well as threat hunting exercises. This detection will only trigger on domain controllers, not on member servers or workstations. \ -The analytics returned fields allow analysts to investigate the event further by providing fields like source workstation name and attempted user accounts. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `Audit Credential Validation' within `Account Logon` needs to be enabled. -action.escu.known_false_positives = A host failing to authenticate with multiple invalid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems. If this detection triggers on a host other than a Domain Controller, the behavior could represent a password spraying attack against the host's local accounts. -action.escu.creation_date = 2021-04-15 -action.escu.modification_date = 2021-04-15 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Multiple Invalid Users Failed To Authenticate Using NTLM - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Password Spraying", "Volt Typhoon"] -action.risk = 1 -action.risk.param._risk_message = Potential NTLM based password spraying attack from $Workstation$ -action.risk.param._risk = [{"risk_object_field": "Workstation", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Multiple Invalid Users Failed To Authenticate Using NTLM - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Password Spraying", "Volt Typhoon"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "57ad5a64-9df7-11eb-a290-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies one source endpoint failing to authenticate with 30 unique invalid users using the NTLM protocol. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using NTLM to obtain initial access or elevate privileges. Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold when needed. As attackers progress in a breach, mistakes will be made. In certain scenarios, adversaries may execute a password spraying attack using an invalid list of users. Event 4776 is generated on the computer that is authoritative for the provided credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative. Error code 0xC0000064 stands for `The username you typed does not exist` (the attempted user is a legitimate domain user). \ -This logic can be used for real time security monitoring as well as threat hunting exercises. This detection will only trigger on domain controllers, not on member servers or workstations. \ -The analytics returned fields allow analysts to investigate the event further by providing fields like source workstation name and attempted user accounts. -action.notable.param.rule_title = Windows Multiple Invalid Users Failed To Authenticate Using NTLM -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xc0000064 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, Workstation | where unique_accounts > 30 | `windows_multiple_invalid_users_failed_to_authenticate_using_ntlm_filter` - -[ESCU - Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a source user failing to authenticate with 30 unique users using explicit credentials on a host. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment to obtain initial access or elevate privileges. Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold when needed. Event 4648 is generated when a process attempts an account logon by explicitly specifying that accounts credentials. This event generates on domain controllers, member servers, and workstations. \ -This logic can be used for real time security monitoring as well as threat hunting exercises. This detection will trigger on the potenfially malicious host, perhaps controlled via a trojan or operated by an insider threat, from where a password spraying attack is being executed. \ -The analytics returned fields allow analysts to investigate the event further by providing fields like source account, attempted user accounts and the endpoint were the behavior was identified. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies a source user failing to authenticate with 30 unique users using explicit credentials on a host. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment to obtain initial access or elevate privileges. Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold when needed. Event 4648 is generated when a process attempts an account logon by explicitly specifying that accounts credentials. This event generates on domain controllers, member servers, and workstations. \ -This logic can be used for real time security monitoring as well as threat hunting exercises. This detection will trigger on the potenfially malicious host, perhaps controlled via a trojan or operated by an insider threat, from where a password spraying attack is being executed. \ -The analytics returned fields allow analysts to investigate the event further by providing fields like source account, attempted user accounts and the endpoint were the behavior was identified. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled. -action.escu.known_false_positives = A source user failing attempting to authenticate multiple users on a host is not a common behavior for regular systems. Some applications, however, may exhibit this behavior in which case sets of users hosts can be added to an allow list. Possible false positive scenarios include systems where several users connect to like Mail servers, identity providers, remote desktop services, Citrix, etc. -action.escu.creation_date = 2021-04-13 -action.escu.modification_date = 2021-04-13 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Password Spraying", "Insider Threat", "Volt Typhoon"] -action.risk = 1 -action.risk.param._risk_message = Potential password spraying attack from $Computer$ -action.risk.param._risk = [{"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Password Spraying", "Insider Threat", "Volt Typhoon"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e61918fa-9ca4-11eb-836c-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a source user failing to authenticate with 30 unique users using explicit credentials on a host. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment to obtain initial access or elevate privileges. Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold when needed. Event 4648 is generated when a process attempts an account logon by explicitly specifying that accounts credentials. This event generates on domain controllers, member servers, and workstations. \ -This logic can be used for real time security monitoring as well as threat hunting exercises. This detection will trigger on the potenfially malicious host, perhaps controlled via a trojan or operated by an insider threat, from where a password spraying attack is being executed. \ -The analytics returned fields allow analysts to investigate the event further by providing fields like source account, attempted user accounts and the endpoint were the behavior was identified. -action.notable.param.rule_title = Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4648 Caller_User_Name!=*$ Target_User_Name!=*$ | bucket span=5m _time | stats dc(Target_User_Name) AS unique_accounts values(Target_User_Name) as tried_account by _time, Computer, Caller_User_Name | where unique_accounts > 30 | `windows_multiple_users_fail_to_authenticate_wth_explicitcredentials_filter` - -[ESCU - Windows Multiple Users Failed To Authenticate From Host Using NTLM - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies one source endpoint failing to authenticate with 30 unique valid users using the NTLM protocol. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using NTLM to obtain initial access or elevate privileges. Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold when needed. Event 4776 is generated on the computer that is authoritative for the provided credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative. Error code 0xC000006A means: misspelled or bad password (the attempted user is a legitimate domain user). \ -This logic can be used for real time security monitoring as well as threat hunting exercises. This detection will only trigger on domain controllers, not on member servers or workstations. \ -The analytics returned fields allow analysts to investigate the event further by providing fields like source workstation name and attempted user accounts. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies one source endpoint failing to authenticate with 30 unique valid users using the NTLM protocol. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using NTLM to obtain initial access or elevate privileges. Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold when needed. Event 4776 is generated on the computer that is authoritative for the provided credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative. Error code 0xC000006A means: misspelled or bad password (the attempted user is a legitimate domain user). \ -This logic can be used for real time security monitoring as well as threat hunting exercises. This detection will only trigger on domain controllers, not on member servers or workstations. \ -The analytics returned fields allow analysts to investigate the event further by providing fields like source workstation name and attempted user accounts. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `Audit Credential Validation` within `Account Logon` needs to be enabled. -action.escu.known_false_positives = A host failing to authenticate with multiple valid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems. If this detection triggers on a host other than a Domain Controller, the behavior could represent a password spraying attack against the host's local accounts. -action.escu.creation_date = 2021-04-13 -action.escu.modification_date = 2021-04-13 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Multiple Users Failed To Authenticate From Host Using NTLM - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Password Spraying", "Volt Typhoon"] -action.risk = 1 -action.risk.param._risk_message = Potential NTLM based password spraying attack from $Workstation$ -action.risk.param._risk = [{"risk_object_field": "Workstation", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Multiple Users Failed To Authenticate From Host Using NTLM - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Password Spraying", "Volt Typhoon"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "7ed272a4-9c77-11eb-af22-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies one source endpoint failing to authenticate with 30 unique valid users using the NTLM protocol. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using NTLM to obtain initial access or elevate privileges. Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold when needed. Event 4776 is generated on the computer that is authoritative for the provided credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative. Error code 0xC000006A means: misspelled or bad password (the attempted user is a legitimate domain user). \ -This logic can be used for real time security monitoring as well as threat hunting exercises. This detection will only trigger on domain controllers, not on member servers or workstations. \ -The analytics returned fields allow analysts to investigate the event further by providing fields like source workstation name and attempted user accounts. -action.notable.param.rule_title = Windows Multiple Users Failed To Authenticate From Host Using NTLM -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xC000006A | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, Workstation | where unique_accounts > 30 | `windows_multiple_users_failed_to_authenticate_from_host_using_ntlm_filter` - -[ESCU - Windows Multiple Users Failed To Authenticate From Process - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a source process name failing to authenticate with 30 uniquer users. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment to obtain initial access or elevate privileges. Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold when needed. Event 4625 generates on domain controllers, member servers, and workstations when an account fails to logon. Logon Type 2 describes an iteractive logon attempt. \ -This logic can be used for real time security monitoring as well as threat hunting exercises. This detection will trigger on the potenfially malicious host, perhaps controlled via a trojan or operated by an insider threat, from where a password spraying attack is being executed. This could be a domain controller as well as a member server or workstation. \ -The analytics returned fields allow analysts to investigate the event further by providing fields like source process name, source account and attempted user accounts. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies a source process name failing to authenticate with 30 uniquer users. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment to obtain initial access or elevate privileges. Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold when needed. Event 4625 generates on domain controllers, member servers, and workstations when an account fails to logon. Logon Type 2 describes an iteractive logon attempt. \ -This logic can be used for real time security monitoring as well as threat hunting exercises. This detection will trigger on the potenfially malicious host, perhaps controlled via a trojan or operated by an insider threat, from where a password spraying attack is being executed. This could be a domain controller as well as a member server or workstation. \ -The analytics returned fields allow analysts to investigate the event further by providing fields like source process name, source account and attempted user accounts. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers aas well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled. -action.escu.known_false_positives = A process failing to authenticate with multiple users is not a common behavior for legitimate user sessions. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems. -action.escu.creation_date = 2021-04-13 -action.escu.modification_date = 2021-04-13 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Multiple Users Failed To Authenticate From Process - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Password Spraying", "Insider Threat", "Volt Typhoon"] -action.risk = 1 -action.risk.param._risk_message = Potential password spraying attack from $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Multiple Users Failed To Authenticate From Process - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Password Spraying", "Insider Threat", "Volt Typhoon"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "9015385a-9c84-11eb-bef2-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a source process name failing to authenticate with 30 uniquer users. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment to obtain initial access or elevate privileges. Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold when needed. Event 4625 generates on domain controllers, member servers, and workstations when an account fails to logon. Logon Type 2 describes an iteractive logon attempt. \ -This logic can be used for real time security monitoring as well as threat hunting exercises. This detection will trigger on the potenfially malicious host, perhaps controlled via a trojan or operated by an insider threat, from where a password spraying attack is being executed. This could be a domain controller as well as a member server or workstation. \ -The analytics returned fields allow analysts to investigate the event further by providing fields like source process name, source account and attempted user accounts. -action.notable.param.rule_title = Windows Multiple Users Failed To Authenticate From Process -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4625 Logon_Type=2 ProcessName!="-" | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, ProcessName, SubjectUserName, Computer | rename Computer as dest | where unique_accounts > 30 | `windows_multiple_users_failed_to_authenticate_from_process_filter` - -[ESCU - Windows Multiple Users Failed To Authenticate Using Kerberos - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies one source endpoint failing to authenticate with 30 unique users using the Kerberos protocol. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using Kerberos to obtain initial access or elevate privileges. Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold when needed. Event 4771 is generated when the Key Distribution Center fails to issue a Kerberos Ticket Granting Ticket (TGT). Failure code 0x18 stands for `wrong password provided` (the attempted user is a legitimate domain user). \ -This logic can be used for real time security monitoring as well as threat hunting exercises. This detection will only trigger on domain controllers, not on member servers or workstations. \ -The analytics returned fields allow analysts to investigate the event further by providing fields like source ip and attempted user accounts. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies one source endpoint failing to authenticate with 30 unique users using the Kerberos protocol. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using Kerberos to obtain initial access or elevate privileges. Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold when needed. Event 4771 is generated when the Key Distribution Center fails to issue a Kerberos Ticket Granting Ticket (TGT). Failure code 0x18 stands for `wrong password provided` (the attempted user is a legitimate domain user). \ -This logic can be used for real time security monitoring as well as threat hunting exercises. This detection will only trigger on domain controllers, not on member servers or workstations. \ -The analytics returned fields allow analysts to investigate the event further by providing fields like source ip and attempted user accounts. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. -action.escu.known_false_positives = A host failing to authenticate with multiple valid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, missconfigured systems and multi-user systems like Citrix farms. -action.escu.creation_date = 2021-04-08 -action.escu.modification_date = 2021-04-08 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Multiple Users Failed To Authenticate Using Kerberos - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Kerberos Attacks", "Active Directory Password Spraying", "Volt Typhoon"] -action.risk = 1 -action.risk.param._risk_message = Potential Kerberos based password spraying attack from $IpAddress$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}, {"risk_object_field": "IpAddress", "risk_object_type": "other", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Multiple Users Failed To Authenticate Using Kerberos - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Password Spraying", "Volt Typhoon"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "3a91a212-98a9-11eb-b86a-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies one source endpoint failing to authenticate with 30 unique users using the Kerberos protocol. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using Kerberos to obtain initial access or elevate privileges. Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold when needed. Event 4771 is generated when the Key Distribution Center fails to issue a Kerberos Ticket Granting Ticket (TGT). Failure code 0x18 stands for `wrong password provided` (the attempted user is a legitimate domain user). \ -This logic can be used for real time security monitoring as well as threat hunting exercises. This detection will only trigger on domain controllers, not on member servers or workstations. \ -The analytics returned fields allow analysts to investigate the event further by providing fields like source ip and attempted user accounts. -action.notable.param.rule_title = Windows Multiple Users Failed To Authenticate Using Kerberos -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4771 TargetUserName!="*$" Status=0x18 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, IpAddress | where unique_accounts > 30 | `windows_multiple_users_failed_to_authenticate_using_kerberos_filter` - -[ESCU - Windows Multiple Users Remotely Failed To Authenticate From Host - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a source host failing to authenticate against a remote host with 30 unique users. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment to obtain initial access or elevate privileges. Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold when needed. Event 4625 documents each and every failed attempt to logon to the local computer. This event generates on domain controllers, member servers, and workstations. Logon Type 3 describes an remote authentication attempt. \ -This logic can be used for real time security monitoring as well as threat hunting exercises. This detection will trigger on the host that is the target of the password spraying attack. This could be a domain controller as well as a member server or workstation. \ -The analytics returned fields allow analysts to investigate the event further by providing fields like source process name, source account and attempted user accounts. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies a source host failing to authenticate against a remote host with 30 unique users. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment to obtain initial access or elevate privileges. Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold when needed. Event 4625 documents each and every failed attempt to logon to the local computer. This event generates on domain controllers, member servers, and workstations. Logon Type 3 describes an remote authentication attempt. \ -This logic can be used for real time security monitoring as well as threat hunting exercises. This detection will trigger on the host that is the target of the password spraying attack. This could be a domain controller as well as a member server or workstation. \ -The analytics returned fields allow analysts to investigate the event further by providing fields like source process name, source account and attempted user accounts. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled. -action.escu.known_false_positives = A host failing to authenticate with multiple valid users against a remote host is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, remote administration tools, missconfigyred systems, etc. -action.escu.creation_date = 2021-04-13 -action.escu.modification_date = 2021-04-13 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Multiple Users Remotely Failed To Authenticate From Host - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Password Spraying", "Volt Typhoon"] -action.risk = 1 -action.risk.param._risk_message = Potential password spraying attack on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Multiple Users Remotely Failed To Authenticate From Host - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Password Spraying", "Volt Typhoon"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "80f9d53e-9ca1-11eb-b0d6-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a source host failing to authenticate against a remote host with 30 unique users. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment to obtain initial access or elevate privileges. Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold when needed. Event 4625 documents each and every failed attempt to logon to the local computer. This event generates on domain controllers, member servers, and workstations. Logon Type 3 describes an remote authentication attempt. \ -This logic can be used for real time security monitoring as well as threat hunting exercises. This detection will trigger on the host that is the target of the password spraying attack. This could be a domain controller as well as a member server or workstation. \ -The analytics returned fields allow analysts to investigate the event further by providing fields like source process name, source account and attempted user accounts. -action.notable.param.rule_title = Windows Multiple Users Remotely Failed To Authenticate From Host -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4625 Logon_Type=3 IpAddress!="-" | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, IpAddress, Computer | rename Computer as dest| where unique_accounts > 30 | `windows_multiple_users_remotely_failed_to_authenticate_from_host_filter` - -[ESCU - Windows New InProcServer32 Added - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is designed to detect the addition of new InProcServer32 registry keys, which could indicate suspicious or malicious activity on a Windows endpoint. The InProcServer32 registry key specifies the path to a COM object that can be loaded into the process space of calling processes. Malware often abuses this mechanism to achieve persistence or execute code by registering a new InProcServer32 key pointing to a malicious DLL. By monitoring for the creation of new InProcServer32 keys, this analytic helps identify potential threats that leverage COM hijacking or similar techniques for execution and persistence. Understanding the normal behavior of legitimate software in your environment will aid in distinguishing between benign and malicious use of InProcServer32 modifications. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is designed to detect the addition of new InProcServer32 registry keys, which could indicate suspicious or malicious activity on a Windows endpoint. The InProcServer32 registry key specifies the path to a COM object that can be loaded into the process space of calling processes. Malware often abuses this mechanism to achieve persistence or execute code by registering a new InProcServer32 key pointing to a malicious DLL. By monitoring for the creation of new InProcServer32 keys, this analytic helps identify potential threats that leverage COM hijacking or similar techniques for execution and persistence. Understanding the normal behavior of legitimate software in your environment will aid in distinguishing between benign and malicious use of InProcServer32 modifications. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -action.escu.known_false_positives = False positives are expected. Filtering will be needed to properly reduce legitimate applications from the results. -action.escu.creation_date = 2024-03-20 -action.escu.modification_date = 2024-03-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows New InProcServer32 Added - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Outlook RCE CVE-2024-21378"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows New InProcServer32 Added - Rule -action.correlationsearch.annotations = {"analytic_story": ["Outlook RCE CVE-2024-21378"], "cis20": ["CIS 10"], "confidence": 20, "cve": ["cve-2024-21378"], "impact": 10, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "0fa86e31-0f73-4ec7-9ca3-dc88e117f1db", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry where Registry.registry_path="*\\InProcServer32\\*" by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.dest Registry.process_guid Registry.user | `drop_dm_object_name(Registry)` |`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_new_inprocserver32_added_filter` - -[ESCU - Windows Ngrok Reverse Proxy Usage - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the use of ngrok.exe being utilized on the Windows operating system. Unfortunately, there is no original file name for Ngrok, so it may be worth an additional hunt to identify any command-line arguments. The sign of someone using Ngrok is not malicious, however, more recently it has become an adversary tool. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1572", "T1090", "T1102"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the use of ngrok.exe being utilized on the Windows operating system. Unfortunately, there is no original file name for Ngrok, so it may be worth an additional hunt to identify any command-line arguments. The sign of someone using Ngrok is not malicious, however, more recently it has become an adversary tool. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives will be present based on organizations that allow the use of Ngrok. Filter or monitor as needed. -action.escu.creation_date = 2023-01-12 -action.escu.modification_date = 2023-01-12 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Ngrok Reverse Proxy Usage - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["CISA AA22-320A", "Reverse Network Proxy"] -action.risk = 1 -action.risk.param._risk_message = A reverse proxy was identified spawning from $parent_process_name$ - $process_name$ on endpoint $dest$ by user $user$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 50}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 50}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 50}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 50}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Ngrok Reverse Proxy Usage - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA22-320A", "Reverse Network Proxy"], "cis20": ["CIS 10"], "confidence": 100, "impact": 50, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1572", "T1090", "T1102"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e2549f2c-0aef-408a-b0c1-e0f270623436", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=ngrok.exe Processes.process IN ("*start*", "*--config*","*http*","*authtoken*", "*http*", "*tcp*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_ngrok_reverse_proxy_usage_filter` - -[ESCU - Windows NirSoft AdvancedRun - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the use of AdvancedRun.exe. AdvancedRun.exe has similar capabilities as other remote programs like psexec. AdvancedRun may also ingest a configuration file with all settings defined and perform its activity. The analytic is written in a way to identify a renamed binary and also the common command-line arguments. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization"], "mitre_attack": ["T1588.002"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the use of AdvancedRun.exe. AdvancedRun.exe has similar capabilities as other remote programs like psexec. AdvancedRun may also ingest a configuration file with all settings defined and perform its activity. The analytic is written in a way to identify a renamed binary and also the common command-line arguments. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives should be limited as it is specific to AdvancedRun. Filter as needed based on legitimate usage. -action.escu.creation_date = 2023-04-14 -action.escu.modification_date = 2023-04-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows NirSoft AdvancedRun - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Data Destruction", "Ransomware", "Unusual Processes", "WhisperGate"] -action.risk = 1 -action.risk.param._risk_message = An instance of advancedrun.exe, $process_name$, was spawned by $parent_process_name$ on $dest$ by $user$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 60}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 60}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 60}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 60}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows NirSoft AdvancedRun - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Ransomware", "Unusual Processes", "WhisperGate"], "cis20": ["CIS 10"], "confidence": 100, "impact": 60, "kill_chain_phases": ["Weaponization"], "mitre_attack": ["T1588.002"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "bb4f3090-7ae4-11ec-897f-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the use of AdvancedRun.exe. AdvancedRun.exe has similar capabilities as other remote programs like psexec. AdvancedRun may also ingest a configuration file with all settings defined and perform its activity. The analytic is written in a way to identify a renamed binary and also the common command-line arguments. -action.notable.param.rule_title = Windows NirSoft AdvancedRun -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=advancedrun.exe OR Processes.original_file_name=advancedrun.exe) Processes.process IN ("*EXEFilename*","*/cfg*","*RunAs*", "*WindowState*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_nirsoft_advancedrun_filter` - -[ESCU - Windows NirSoft Utilities - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the execution of commonly used NirSoft utilities on Windows systems. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution details such as process name, parent process, and command-line arguments. This activity is significant for a SOC because NirSoft utilities, while legitimate, can be used by adversaries for malicious purposes like credential theft or system reconnaissance. If confirmed malicious, this activity could lead to unauthorized access, data exfiltration, or further system compromise. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization"], "mitre_attack": ["T1588.002"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the execution of commonly used NirSoft utilities on Windows systems. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution details such as process name, parent process, and command-line arguments. This activity is significant for a SOC because NirSoft utilities, while legitimate, can be used by adversaries for malicious purposes like credential theft or system reconnaissance. If confirmed malicious, this activity could lead to unauthorized access, data exfiltration, or further system compromise. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives may be present. Filtering may be required before setting to alert. -action.escu.creation_date = 2024-05-12 -action.escu.modification_date = 2024-05-12 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows NirSoft Utilities - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Data Destruction", "WhisperGate"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows NirSoft Utilities - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "WhisperGate"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Weaponization"], "mitre_attack": ["T1588.002"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "5b2f4596-7d4c-11ec-88a7-acde48001122", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_path Processes.process_id Processes.parent_process_id | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `is_nirsoft_software_macro` | `windows_nirsoft_utilities_filter` - -[ESCU - Windows Njrat Fileless Storage via Registry - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a suspicious registry modification associated with NjRat, a telltale sign of its fileless technique. NjRat employs this method to manage its keylogs and execute downloaded DLL module plugins discreetly on the compromised host. This approach is particularly effective at evading conventional file-based detection systems, as it stores indicators of compromise (IOCs) in the registry. Leveraging this TTP (Tactics, Techniques, and Procedures) detection can significantly enhance the identification of NjRAT infections. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1027.011", "T1027"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a suspicious registry modification associated with NjRat, a telltale sign of its fileless technique. NjRat employs this method to manage its keylogs and execute downloaded DLL module plugins discreetly on the compromised host. This approach is particularly effective at evading conventional file-based detection systems, as it stores indicators of compromise (IOCs) in the registry. Leveraging this TTP (Tactics, Techniques, and Procedures) detection can significantly enhance the identification of NjRAT infections. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-09-14 -action.escu.modification_date = 2023-09-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Njrat Fileless Storage via Registry - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["NjRAT"] -action.risk = 1 -action.risk.param._risk_message = a suspicious registry entry related to NjRAT keylloging registry in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 100}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Njrat Fileless Storage via Registry - Rule -action.correlationsearch.annotations = {"analytic_story": ["NjRAT"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1027.011", "T1027"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a5fffbbd-271f-4980-94ed-4fbf17f0af1c", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a suspicious registry modification associated with NjRat, a telltale sign of its fileless technique. NjRat employs this method to manage its keylogs and execute downloaded DLL module plugins discreetly on the compromised host. This approach is particularly effective at evading conventional file-based detection systems, as it stores indicators of compromise (IOCs) in the registry. Leveraging this TTP (Tactics, Techniques, and Procedures) detection can significantly enhance the identification of NjRAT infections. -action.notable.param.rule_title = Windows Njrat Fileless Storage via Registry -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\[kl]" OR Registry.registry_value_data IN ("*[ENTER]*", "*[TAP]*", "*[Back]*") by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name Registry.registry_value_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_njrat_fileless_storage_via_registry_filter` - -[ESCU - Windows Non Discord App Access Discord LevelDB - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects suspicious file access within the Discord LevelDB database. This database contains critical data such as user profiles, messages, guilds, channels, settings, and cached information. Access to this data poses a risk of Discord credential theft or unauthorized access to sensitive information on the compromised system. Detecting such anomalies can serve as an effective pivot to identify non-Discord applications accessing this database, potentially indicating the presence of malware or trojan stealers aimed at data theft. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1012"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects suspicious file access within the Discord LevelDB database. This database contains critical data such as user profiles, messages, guilds, channels, settings, and cached information. Access to this data poses a risk of Discord credential theft or unauthorized access to sensitive information on the compromised system. Detecting such anomalies can serve as an effective pivot to identify non-Discord applications accessing this database, potentially indicating the presence of malware or trojan stealers aimed at data theft. -action.escu.how_to_implement = To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." -action.escu.known_false_positives = unknown -action.escu.creation_date = 2024-02-16 -action.escu.modification_date = 2024-02-16 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Non Discord App Access Discord LevelDB - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Snake Keylogger"] -action.risk = 1 -action.risk.param._risk_message = A non-discord process $process_name$ accessing discord "leveldb" file on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 9}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Non Discord App Access Discord LevelDB - Rule -action.correlationsearch.annotations = {"analytic_story": ["Snake Keylogger"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1012"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "1166360c-d495-45ac-87a6-8948aac1fa07", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4663 object_file_path IN ("*\\discord\\Local Storage\\leveldb*") AND process_name != *\\discord.exe AND NOT (process_path IN ("*:\\Windows\\System32\\*", "*:\\Windows\\SysWow64\\*", "*:\\Program Files*", "*:\\Windows\\*")) | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_non_discord_app_access_discord_leveldb_filter` - -[ESCU - Windows Non-System Account Targeting Lsass - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies non SYSTEM accounts requesting access to lsass.exe. This behavior may be related to credential dumping or applications requiring access to credentials. Triaging this event will require understanding the GrantedAccess from the SourceImage. In addition, whether the account is privileged or not. Review the process requesting permissions and review parallel processes. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies non SYSTEM accounts requesting access to lsass.exe. This behavior may be related to credential dumping or applications requiring access to credentials. Triaging this event will require understanding the GrantedAccess from the SourceImage. In addition, whether the account is privileged or not. Review the process requesting permissions and review parallel processes. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Enabling EventCode 10 TargetProcess lsass.exe is required. -action.escu.known_false_positives = False positives will occur based on legitimate application requests, filter based on source image as needed. -action.escu.creation_date = 2023-12-27 -action.escu.modification_date = 2023-12-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Non-System Account Targeting Lsass - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["CISA AA23-347A", "Credential Dumping"] -action.risk = 1 -action.risk.param._risk_message = A process, $parent_process_path$, has loaded $TargetImage$ that are typically related to credential dumping on $dest$. Review for further details. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}, {"risk_object_field": "parent_process_path", "risk_object_type": "other", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Non-System Account Targeting Lsass - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A", "Credential Dumping"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "b1ce9a72-73cf-11ec-981b-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies non SYSTEM accounts requesting access to lsass.exe. This behavior may be related to credential dumping or applications requiring access to credentials. Triaging this event will require understanding the GrantedAccess from the SourceImage. In addition, whether the account is privileged or not. Review the process requesting permissions and review parallel processes. -action.notable.param.rule_title = Windows Non-System Account Targeting Lsass -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=10 TargetImage=*lsass.exe NOT (SourceUser="NT AUTHORITY\\*") | stats count min(_time) as firstTime max(_time) as lastTime by dest, parent_process_name, parent_process_path ,parent_process_id, TargetImage, GrantedAccess, SourceUser, TargetUser | rename TargetUser as user | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_non_system_account_targeting_lsass_filter` - -[ESCU - Windows Odbcconf Hunting - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the execution of Odbcconf.exe within the environment. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where the process name is Odbcconf.exe. This activity is significant because Odbcconf.exe can be used by attackers to execute arbitrary commands or load malicious DLLs, potentially leading to code execution or persistence. If confirmed malicious, this behavior could allow an attacker to maintain access to the system, execute further malicious activities, or escalate privileges, posing a significant threat to the environment. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.008"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the execution of Odbcconf.exe within the environment. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where the process name is Odbcconf.exe. This activity is significant because Odbcconf.exe can be used by attackers to execute arbitrary commands or load malicious DLLs, potentially leading to code execution or persistence. If confirmed malicious, this behavior could allow an attacker to maintain access to the system, execute further malicious activities, or escalate privileges, posing a significant threat to the environment. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives will be present as this is meant to assist with filtering and tuning. -action.escu.creation_date = 2024-05-20 -action.escu.modification_date = 2024-05-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Odbcconf Hunting - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Living Off The Land"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Odbcconf Hunting - Rule -action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land"], "cis20": ["CIS 10"], "confidence": 20, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.008"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "0562ad4b-fdaa-4882-b12f-7b8e0034cd72", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=odbcconf.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_odbcconf_hunting_filter` - -[ESCU - Windows Odbcconf Load DLL - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies odbcconf.exe, Windows Open Database Connectivity utility, utilizing the action function of regsvr to load a DLL. An example will look like - odbcconf.exe /A { REGSVR T1218-2.dll }. During triage, review parent process, parallel procesess and file modifications. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.008"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies odbcconf.exe, Windows Open Database Connectivity utility, utilizing the action function of regsvr to load a DLL. An example will look like - odbcconf.exe /A { REGSVR T1218-2.dll }. During triage, review parent process, parallel procesess and file modifications. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives may be present and filtering may need to occur based on legitimate application usage. Filter as needed. -action.escu.creation_date = 2022-06-28 -action.escu.modification_date = 2022-06-28 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Odbcconf Load DLL - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Living Off The Land"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to circumvent controls. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 42}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 42}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 42}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 42}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Odbcconf Load DLL - Rule -action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land"], "cis20": ["CIS 10"], "confidence": 70, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.008"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "141e7fca-a9f0-40fd-a539-9aac8be41f1b", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies odbcconf.exe, Windows Open Database Connectivity utility, utilizing the action function of regsvr to load a DLL. An example will look like - odbcconf.exe /A { REGSVR T1218-2.dll }. During triage, review parent process, parallel procesess and file modifications. -action.notable.param.rule_title = Windows Odbcconf Load DLL -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=odbcconf.exe Processes.process IN ("*/a *", "*-a*") Processes.process="*regsvr*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_odbcconf_load_dll_filter` - -[ESCU - Windows Odbcconf Load Response File - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the odbcconf.exe, Windows Open Database Connectivity utility, loading up a resource file. The file extension is arbitrary and may be named anything. The resource file itself may have different commands supported by Odbcconf to load up a DLL (REGSVR) on disk or additional commands. During triage, review file modifications and parallel processes. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.008"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the odbcconf.exe, Windows Open Database Connectivity utility, loading up a resource file. The file extension is arbitrary and may be named anything. The resource file itself may have different commands supported by Odbcconf to load up a DLL (REGSVR) on disk or additional commands. During triage, review file modifications and parallel processes. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives may be present and filtering may need to occur based on legitimate application usage. Filter as needed. -action.escu.creation_date = 2022-06-30 -action.escu.modification_date = 2022-06-30 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Odbcconf Load Response File - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Living Off The Land"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to circumvent controls. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 42}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 42}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 42}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 42}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Odbcconf Load Response File - Rule -action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land"], "cis20": ["CIS 10"], "confidence": 70, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.008"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "1acafff9-1347-4b40-abae-f35aa4ba85c1", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the odbcconf.exe, Windows Open Database Connectivity utility, loading up a resource file. The file extension is arbitrary and may be named anything. The resource file itself may have different commands supported by Odbcconf to load up a DLL (REGSVR) on disk or additional commands. During triage, review file modifications and parallel processes. -action.notable.param.rule_title = Windows Odbcconf Load Response File -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=odbcconf.exe Processes.process IN ("*-f *","*/f *") Processes.process="*.rsp*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_odbcconf_load_response_file_filter` - -[ESCU - Windows Office Product Spawning MSDT - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a Microsoft Office product spawning the Windows msdt.exe process. MSDT is a Diagnostics Troubleshooting Wizard native to Windows. This behavior is related to a recently identified sample utilizing protocol handlers to evade preventative controls, including if macros are disabled in the document. During triage, review file modifications for html. In addition, parallel processes including PowerShell and CertUtil. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a Microsoft Office product spawning the Windows msdt.exe process. MSDT is a Diagnostics Troubleshooting Wizard native to Windows. This behavior is related to a recently identified sample utilizing protocol handlers to evade preventative controls, including if macros are disabled in the document. During triage, review file modifications for html. In addition, parallel processes including PowerShell and CertUtil. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives should be limited, however filter as needed. -action.escu.creation_date = 2023-11-07 -action.escu.modification_date = 2023-11-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Office Product Spawning MSDT - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190", "Spearphishing Attachments"] -action.risk = 1 -action.risk.param._risk_message = Office parent process $parent_process_name$ has spawned a child process $process_name$ on host $dest$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 100}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 100}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 100}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 100}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Office Product Spawning MSDT - Rule -action.correlationsearch.annotations = {"analytic_story": ["Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190", "Spearphishing Attachments"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2022-30190"], "impact": 100, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "127eba64-c981-40bf-8589-1830638864a7", "detection_version": "4"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a Microsoft Office product spawning the Windows msdt.exe process. MSDT is a Diagnostics Troubleshooting Wizard native to Windows. This behavior is related to a recently identified sample utilizing protocol handlers to evade preventative controls, including if macros are disabled in the document. During triage, review file modifications for html. In addition, parallel processes including PowerShell and CertUtil. -action.notable.param.rule_title = Windows Office Product Spawning MSDT -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("winword.exe","excel.exe","powerpnt.exe","outlook.exe","mspub.exe","visio.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe","msaccess.exe") Processes.process_name=msdt.exe by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_office_product_spawning_msdt_filter` - -[ESCU - Windows PaperCut NG Spawn Shell - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic is designed to detect instances where the PaperCut NG application (pc-app.exe) spawns a Windows shell, specifically cmd.exe or PowerShell. This behavior may indicate potential malicious activity, such as an attacker attempting to gain unauthorized access or execute harmful commands on the affected system. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1059", "T1190", "T1133"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic is designed to detect instances where the PaperCut NG application (pc-app.exe) spawns a Windows shell, specifically cmd.exe or PowerShell. This behavior may indicate potential malicious activity, such as an attacker attempting to gain unauthorized access or execute harmful commands on the affected system. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives may be present, but most likely not. Filter as needed. -action.escu.creation_date = 2023-05-15 -action.escu.modification_date = 2023-05-15 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows PaperCut NG Spawn Shell - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["PaperCut MF NG Vulnerability"] -action.risk = 1 -action.risk.param._risk_message = The PaperCut NG application has spawned a shell $process_name$ on endpoint $dest$ by $user$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 90}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 90}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 90}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows PaperCut NG Spawn Shell - Rule -action.correlationsearch.annotations = {"analytic_story": ["PaperCut MF NG Vulnerability"], "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1059", "T1190", "T1133"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a602d9a2-aaea-45f8-bf0f-d851168d61ca", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic is designed to detect instances where the PaperCut NG application (pc-app.exe) spawns a Windows shell, specifically cmd.exe or PowerShell. This behavior may indicate potential malicious activity, such as an attacker attempting to gain unauthorized access or execute harmful commands on the affected system. -action.notable.param.rule_title = Windows PaperCut NG Spawn Shell -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=pc-app.exe `process_cmd` OR `process_powershell` OR Processes.process_name=java.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_papercut_ng_spawn_shell_filter` - -[ESCU - Windows Parent PID Spoofing with Explorer - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a suspicious explorer.exe process that has "/root" process commandline. The presence of this parameter is considered a significant indicator as it could indicate attempts at spoofing the parent process by a specific program or malware. By spoofing the parent process, the malicious entity aims to circumvent detection mechanisms and operate undetected within the system. This technique of manipulating the command-line parameter (/root) of explorer.exe is a form of masquerading utilized by certain malware or suspicious processes. The objective is to obscure the true nature of the activity by imitating a legitimate system process. By doing so, it attempts to evade scrutiny and evade detection by security measures. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134.004", "T1134"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a suspicious explorer.exe process that has "/root" process commandline. The presence of this parameter is considered a significant indicator as it could indicate attempts at spoofing the parent process by a specific program or malware. By spoofing the parent process, the malicious entity aims to circumvent detection mechanisms and operate undetected within the system. This technique of manipulating the command-line parameter (/root) of explorer.exe is a form of masquerading utilized by certain malware or suspicious processes. The objective is to obscure the true nature of the activity by imitating a legitimate system process. By doing so, it attempts to evade scrutiny and evade detection by security measures. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-11-21 -action.escu.modification_date = 2023-11-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Parent PID Spoofing with Explorer - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Windows Defense Evasion Tactics"] -action.risk = 1 -action.risk.param._risk_message = An explorer.exe process with process commandline $process$ on dest $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Parent PID Spoofing with Explorer - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134.004", "T1134"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "17f8f69c-5d00-4c88-9c6f-493bbdef20a1", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a suspicious explorer.exe process that has "/root" process commandline. The presence of this parameter is considered a significant indicator as it could indicate attempts at spoofing the parent process by a specific program or malware. By spoofing the parent process, the malicious entity aims to circumvent detection mechanisms and operate undetected within the system. This technique of manipulating the command-line parameter (/root) of explorer.exe is a form of masquerading utilized by certain malware or suspicious processes. The objective is to obscure the true nature of the activity by imitating a legitimate system process. By doing so, it attempts to evade scrutiny and evade detection by security measures. -action.notable.param.rule_title = Windows Parent PID Spoofing with Explorer -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*explorer.exe*" Processes.process="*/root,*" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_parent_pid_spoofing_with_explorer_filter` - -[ESCU - Windows Password Managers Discovery - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a process command line that retrieves information related to password manager software. This technique was seen in several post exploitation tools like winpeas that are being used by Ransomware Prestige to gather this type of information. Password Managers applications are designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk. Due to this password manager software designed adversaries may find or look for keywords related to the Password Manager databases that can be stolen or extracted for further attacks. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1555.005"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a process command line that retrieves information related to password manager software. This technique was seen in several post exploitation tools like winpeas that are being used by Ransomware Prestige to gather this type of information. Password Managers applications are designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk. Due to this password manager software designed adversaries may find or look for keywords related to the Password Manager databases that can be stolen or extracted for further attacks. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2022-11-30 -action.escu.modification_date = 2022-11-30 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Password Managers Discovery - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Prestige Ransomware", "Windows Post-Exploitation"] -action.risk = 1 -action.risk.param._risk_message = a process with commandline $process$ that can retrieve information related to password manager databases in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Password Managers Discovery - Rule -action.correlationsearch.annotations = {"analytic_story": ["Prestige Ransomware", "Windows Post-Exploitation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1555.005"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a3b3bc96-1c4f-4eba-8218-027cac739a48", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = "*dir *" OR Processes.process = "*findstr*" AND Processes.process IN ( "*.kdbx*", "*credential*", "*key3.db*","*pass*", "*cred*", "*key4.db*", "*accessTokens*", "*access_tokens*", "*.htpasswd*", "*Ntds.dit*") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_password_managers_discovery_filter` - -[ESCU - Windows Phishing Outlook Drop Dll In FORM Dir - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a suspicious outlook.exe process dropped a dll file. This technique was seen in CVE-2024-21378, involves the loading of a custom MAPI form to execute a potentially malicious DLL. Detecting such TTPs serves as a crucial pivot point to identify potential adversaries, malware, or red team activity attempting to leverage this method within phishing campaigns. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a suspicious outlook.exe process dropped a dll file. This technique was seen in CVE-2024-21378, involves the loading of a custom MAPI form to execute a potentially malicious DLL. Detecting such TTPs serves as a crucial pivot point to identify potential adversaries, malware, or red team activity attempting to leverage this method within phishing campaigns. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2024-03-20 -action.escu.modification_date = 2024-03-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Phishing Outlook Drop Dll In FORM Dir - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Outlook RCE CVE-2024-21378"] -action.risk = 1 -action.risk.param._risk_message = an outlook process dropped dll file into $file_path$ on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Phishing Outlook Drop Dll In FORM Dir - Rule -action.correlationsearch.annotations = {"analytic_story": ["Outlook RCE CVE-2024-21378"], "cis20": ["CIS 10"], "confidence": 70, "cve": ["CVE-2024-21378"], "impact": 70, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "fca01769-5163-4b3a-ae44-de874adfc9bc", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a suspicious outlook.exe process dropped a dll file. This technique was seen in CVE-2024-21378, involves the loading of a custom MAPI form to execute a potentially malicious DLL. Detecting such TTPs serves as a crucial pivot point to identify potential adversaries, malware, or red team activity attempting to leverage this method within phishing campaigns. -action.notable.param.rule_title = Windows Phishing Outlook Drop Dll In FORM Dir -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=outlook.exe by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid, _time [ | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name ="*.dll" Filesystem.file_path = "*\\AppData\\Local\\Microsoft\\FORMS\\IPM*" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)` | fields file_name file_path process_name process_path process dest file_create_time _time process_guid] | `windows_phishing_outlook_drop_dll_in_form_dir_filter` - -[ESCU - Windows Phishing PDF File Executes URL Link - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is developed to detect suspicious pdf viewer processes that have a browser application child processes. This event was seen in a pdf spear phishing attachment containing a malicious URL link to download the actual payload. When a user clicks the malicious link the pdf viewer application will execute a process of the host default browser to connect to the malicious site. This anomaly detection can be a good indicator that a possible pdf file has a link executed by a user. The pdf viewer and browser list in this detection is still in progress, add the common browser and pdf viewer you use in opening pdf in your network. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is developed to detect suspicious pdf viewer processes that have a browser application child processes. This event was seen in a pdf spear phishing attachment containing a malicious URL link to download the actual payload. When a user clicks the malicious link the pdf viewer application will execute a process of the host default browser to connect to the malicious site. This anomaly detection can be a good indicator that a possible pdf file has a link executed by a user. The pdf viewer and browser list in this detection is still in progress, add the common browser and pdf viewer you use in opening pdf in your network. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives in PDF file opened PDF Viewer having legitimate URL link, however filter as needed. -action.escu.creation_date = 2023-01-18 -action.escu.modification_date = 2023-01-18 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Phishing PDF File Executes URL Link - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Snake Keylogger", "Spearphishing Attachments"] -action.risk = 1 -action.risk.param._risk_message = a pdf file opened in pdf viewer process $parent_process_name$ has a child process of a browser $process_name$ in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Phishing PDF File Executes URL Link - Rule -action.correlationsearch.annotations = {"analytic_story": ["Snake Keylogger", "Spearphishing Attachments"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "2fa9dec8-9d8e-46d3-96c1-202c06f0e6e1", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("AcroRd32.exe", "FoxitPDFReader.exe") Processes.process_name IN ("firefox.exe", "chrome.exe", "iexplore.exe") by Processes.user Processes.parent_process_name Processes.process_name Processes.parent_process Processes.process Processes.process_id Processes.dest |`drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_phishing_pdf_file_executes_url_link_filter` - -[ESCU - Windows Phishing Recent ISO Exec Registry - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following hunting analytic identifies registry artifacts when an ISO container is opened, clicked or mounted on the Windows operating system. As Microsoft makes changes to macro based document execution, adversaries have begun to utilize container based initial access based phishing campaigns to evade preventative controls. Once the ISO is clicked or mounted it will create a registry artifact related to this event as a recent application executed or opened. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following hunting analytic identifies registry artifacts when an ISO container is opened, clicked or mounted on the Windows operating system. As Microsoft makes changes to macro based document execution, adversaries have begun to utilize container based initial access based phishing campaigns to evade preventative controls. Once the ISO is clicked or mounted it will create a registry artifact related to this event as a recent application executed or opened. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -action.escu.known_false_positives = False positives may be high depending on the environment and consistent use of ISOs. Restrict to servers, or filter out based on commonly used ISO names. Filter as needed. -action.escu.creation_date = 2022-09-19 -action.escu.modification_date = 2022-09-19 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Phishing Recent ISO Exec Registry - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["AgentTesla", "Azorult", "Brute Ratel C4", "IcedID", "Qakbot", "Remcos", "Warzone RAT"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Phishing Recent ISO Exec Registry - Rule -action.correlationsearch.annotations = {"analytic_story": ["AgentTesla", "Azorult", "Brute Ratel C4", "IcedID", "Qakbot", "Remcos", "Warzone RAT"], "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "cb38ee66-8ae5-47de-bd66-231c7bbc0b2c", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_key_name= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs\\.iso" OR Registry.registry_key_name= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs\\.img" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_phishing_recent_iso_exec_registry_filter` - -[ESCU - Windows Possible Credential Dumping - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic is an enhanced version of two previous analytics that identifies common GrantedAccess permission requests and CallTrace DLLs in order to detect credential dumping. \ -GrantedAccess is the requested permissions by the SourceImage into the TargetImage. \ - \ -CallTrace Stack trace of where open process is called. Included is the DLL and the relative virtual address of the functions in the call stack right before the open process call. \ -dbgcore.dll or dbghelp.dll are two core Windows debug DLLs that have minidump functions which provide a way for applications to produce crashdump files that contain a useful subset of the entire process context. \ -The idea behind using ntdll.dll is to blend in by using native api of ntdll.dll. For example in sekurlsa module there are many ntdll exported api, like RtlCopyMemory, used to execute this module which is related to lsass dumping. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic is an enhanced version of two previous analytics that identifies common GrantedAccess permission requests and CallTrace DLLs in order to detect credential dumping. \ -GrantedAccess is the requested permissions by the SourceImage into the TargetImage. \ - \ -CallTrace Stack trace of where open process is called. Included is the DLL and the relative virtual address of the functions in the call stack right before the open process call. \ -dbgcore.dll or dbghelp.dll are two core Windows debug DLLs that have minidump functions which provide a way for applications to produce crashdump files that contain a useful subset of the entire process context. \ -The idea behind using ntdll.dll is to blend in by using native api of ntdll.dll. For example in sekurlsa module there are many ntdll exported api, like RtlCopyMemory, used to execute this module which is related to lsass dumping. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Enabling EventCode 10 TargetProcess lsass.exe is required. -action.escu.known_false_positives = False positives will occur based on GrantedAccess 0x1010 and 0x1400, filter based on source image as needed or remove them. Concern is Cobalt Strike usage of Mimikatz will generate 0x1010 initially, but later be caught. -action.escu.creation_date = 2023-12-27 -action.escu.modification_date = 2023-12-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Possible Credential Dumping - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["CISA AA22-257A", "CISA AA22-264A", "CISA AA23-347A", "Credential Dumping", "DarkSide Ransomware", "Detect Zerologon Attack"] -action.risk = 1 -action.risk.param._risk_message = A process, $SourceImage$, has loaded $TargetImage$ that are typically related to credential dumping on $dest$. Review for further details. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}, {"risk_object_field": "SourceImage", "risk_object_type": "other", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Possible Credential Dumping - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA22-257A", "CISA AA22-264A", "CISA AA23-347A", "Credential Dumping", "DarkSide Ransomware", "Detect Zerologon Attack"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e4723b92-7266-11ec-af45-acde48001122", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic is an enhanced version of two previous analytics that identifies common GrantedAccess permission requests and CallTrace DLLs in order to detect credential dumping. \ -GrantedAccess is the requested permissions by the SourceImage into the TargetImage. \ - \ -CallTrace Stack trace of where open process is called. Included is the DLL and the relative virtual address of the functions in the call stack right before the open process call. \ -dbgcore.dll or dbghelp.dll are two core Windows debug DLLs that have minidump functions which provide a way for applications to produce crashdump files that contain a useful subset of the entire process context. \ -The idea behind using ntdll.dll is to blend in by using native api of ntdll.dll. For example in sekurlsa module there are many ntdll exported api, like RtlCopyMemory, used to execute this module which is related to lsass dumping. -action.notable.param.rule_title = Windows Possible Credential Dumping -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=10 TargetImage=*\\lsass.exe granted_access IN ("0x01000", "0x1010", "0x1038", "0x40", "0x1400", "0x1fffff", "0x1410", "0x143a", "0x1438", "0x1000") CallTrace IN ("*dbgcore.dll*", "*dbghelp.dll*", "*ntdll.dll*", "*kernelbase.dll*", "*kernel32.dll*") NOT SourceUser IN ("NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\NETWORK SERVICE") | stats count min(_time) as firstTime max(_time) as lastTime by dest, SourceImage, GrantedAccess, TargetImage, SourceProcessId, SourceUser, TargetUser | rename SourceUser as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_possible_credential_dumping_filter` - -[ESCU - Windows Post Exploitation Risk Behavior - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following correlation identifies a four or more number of distinct analytics associated with the Windows Post-Exploitation analytic story, which enables the identification of potentially suspicious behavior. Windows Post-Exploitation refers to the phase that occurs after an attacker successfully compromises a Windows system. During this stage, attackers strive to maintain persistence, gather sensitive information, escalate privileges, and exploit the compromised environment further. Timely detection of post-exploitation activities is crucial for prompt response and effective mitigation. Common post-exploitation detections encompass identifying suspicious processes or services running on the system, detecting unusual network connections or traffic patterns, identifying modifications to system files or registry entries, monitoring abnormal user account activities, and flagging unauthorized privilege escalations. Ensuring the detection of post-exploitation activities is essential to proactively prevent further compromise, minimize damage, and restore the security of the Windows environment. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1012", "T1049", "T1069", "T1016", "T1003", "T1082", "T1115", "T1552"], "nist": ["DE.AE"]} -action.escu.data_models = ["Risk"] -action.escu.eli5 = The following correlation identifies a four or more number of distinct analytics associated with the Windows Post-Exploitation analytic story, which enables the identification of potentially suspicious behavior. Windows Post-Exploitation refers to the phase that occurs after an attacker successfully compromises a Windows system. During this stage, attackers strive to maintain persistence, gather sensitive information, escalate privileges, and exploit the compromised environment further. Timely detection of post-exploitation activities is crucial for prompt response and effective mitigation. Common post-exploitation detections encompass identifying suspicious processes or services running on the system, detecting unusual network connections or traffic patterns, identifying modifications to system files or registry entries, monitoring abnormal user account activities, and flagging unauthorized privilege escalations. Ensuring the detection of post-exploitation activities is essential to proactively prevent further compromise, minimize damage, and restore the security of the Windows environment. -action.escu.how_to_implement = Splunk Enterprise Security is required to utilize this correlation. In addition, modify the source_count value to your environment. In our testing, a count of 4 or 5 was decent in a lab, but the number may need to be increased base on internal testing. In addition, based on false positives, modify any analytics to be anomaly and lower or increase risk based on organization importance. -action.escu.known_false_positives = False positives will be present based on many factors. Tune the correlation as needed to reduce too many triggers. -action.escu.creation_date = 2023-06-14 -action.escu.modification_date = 2023-06-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Post Exploitation Risk Behavior - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Windows Post-Exploitation"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - RIR - Windows Post Exploitation Risk Behavior - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Post-Exploitation"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1012", "T1049", "T1069", "T1016", "T1003", "T1082", "T1115", "T1552"], "nist": ["DE.AE"], "type": "Correlation"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "edb930df-64c2-4bb7-9b5c-889ed53fb973", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following correlation identifies a four or more number of distinct analytics associated with the Windows Post-Exploitation analytic story, which enables the identification of potentially suspicious behavior. Windows Post-Exploitation refers to the phase that occurs after an attacker successfully compromises a Windows system. During this stage, attackers strive to maintain persistence, gather sensitive information, escalate privileges, and exploit the compromised environment further. Timely detection of post-exploitation activities is crucial for prompt response and effective mitigation. Common post-exploitation detections encompass identifying suspicious processes or services running on the system, detecting unusual network connections or traffic patterns, identifying modifications to system files or registry entries, monitoring abnormal user account activities, and flagging unauthorized privilege escalations. Ensuring the detection of post-exploitation activities is essential to proactively prevent further compromise, minimize damage, and restore the security of the Windows environment. -action.notable.param.rule_title = RBA: Windows Post Exploitation Risk Behavior -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories IN ("*Windows Post-Exploitation*") by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 4 | `windows_post_exploitation_risk_behavior_filter` - -[ESCU - Windows PowerShell Add Module to Global Assembly Cache - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following PowerShell Script Block analytic identifies the native ability to add a DLL to the Windows Global Assembly Cache. Each computer where the Common Language Runtime is installed has a machine-wide code cache called the Global Assembly Cache. The Global Assembly Cache stores assemblies specifically designated to be shared by several applications on the computer. By adding a DLL to the GAC, this allows an adversary to call it via any other means across the operating systems. This is native and built into Windows. Per the Microsoft blog, the more high fidelity method may be to look for W3WP.exe spawning PowerShell that includes the same CommandLine as identified in this analytic. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1505", "T1505.004"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following PowerShell Script Block analytic identifies the native ability to add a DLL to the Windows Global Assembly Cache. Each computer where the Common Language Runtime is installed has a machine-wide code cache called the Global Assembly Cache. The Global Assembly Cache stores assemblies specifically designated to be shared by several applications on the computer. By adding a DLL to the GAC, this allows an adversary to call it via any other means across the operating systems. This is native and built into Windows. Per the Microsoft blog, the more high fidelity method may be to look for W3WP.exe spawning PowerShell that includes the same CommandLine as identified in this analytic. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = False positives may be present based on developers or third party utilities adding items to the GAC. -action.escu.creation_date = 2023-01-18 -action.escu.modification_date = 2023-01-18 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows PowerShell Add Module to Global Assembly Cache - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["IIS Components"] -action.risk = 1 -action.risk.param._risk_message = PowerShell was used to install a module to the Global Assembly Cache on $Computer$. -action.risk.param._risk = [{"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows PowerShell Add Module to Global Assembly Cache - Rule -action.correlationsearch.annotations = {"analytic_story": ["IIS Components"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1505", "T1505.004"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "3fc16961-97e5-4a5b-a079-e4ab0d9763eb", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following PowerShell Script Block analytic identifies the native ability to add a DLL to the Windows Global Assembly Cache. Each computer where the Common Language Runtime is installed has a machine-wide code cache called the Global Assembly Cache. The Global Assembly Cache stores assemblies specifically designated to be shared by several applications on the computer. By adding a DLL to the GAC, this allows an adversary to call it via any other means across the operating systems. This is native and built into Windows. Per the Microsoft blog, the more high fidelity method may be to look for W3WP.exe spawning PowerShell that includes the same CommandLine as identified in this analytic. -action.notable.param.rule_title = Windows PowerShell Add Module to Global Assembly Cache -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText IN("*system.enterpriseservices.internal.publish*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_add_module_to_global_assembly_cache_filter` - -[ESCU - Windows Powershell Cryptography Namespace - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies suspicious PowerShell script execution via EventCode 4104 that is processing cryptography namespace library. This technique was seen in several powershell malware, loader, downloader and stager that will decrypt or decode the next malicious stager or the actual payload. This Anomaly detection can be a good indicator that a powershell process to decrypt code. We recommend to further check the parent_process_name, the file or data it tries to decrypt, network connection and user who execute the script. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.001", "T1059"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies suspicious PowerShell script execution via EventCode 4104 that is processing cryptography namespace library. This technique was seen in several powershell malware, loader, downloader and stager that will decrypt or decode the next malicious stager or the actual payload. This Anomaly detection can be a good indicator that a powershell process to decrypt code. We recommend to further check the parent_process_name, the file or data it tries to decrypt, network connection and user who execute the script. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = False positives should be limited. Filter as needed. -action.escu.creation_date = 2023-11-07 -action.escu.modification_date = 2023-11-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Powershell Cryptography Namespace - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["AsyncRAT"] -action.risk = 1 -action.risk.param._risk_message = A suspicious powershell script contains cryptography command detected on host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Powershell Cryptography Namespace - Rule -action.correlationsearch.annotations = {"analytic_story": ["AsyncRAT"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.001", "T1059"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "f8b482f4-6d62-49fa-a905-dfa15698317b", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText = "*System.Security.Cryptography*" AND NOT(ScriptBlockText IN ("*SHA*", "*MD5*", "*DeriveBytes*")) | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_cryptography_namespace_filter` - -[ESCU - Windows PowerShell Disable HTTP Logging - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the use of `get-WebConfigurationProperty` and `Set-ItemProperty` commands in PowerShell to disable HTTP logging on Windows systems. This detection leverages PowerShell Script Block Logging, specifically looking for script blocks that reference HTTP logging properties and attempt to set them to "false" or "dontLog". Disabling HTTP logging is significant as it can be used by adversaries to cover their tracks and delete logs, hindering forensic investigations. If confirmed malicious, this activity could allow attackers to evade detection and persist in the environment undetected. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1562", "T1562.002", "T1505", "T1505.004"], "nist": ["DE.CM"]} -action.escu.data_models = ["Web"] -action.escu.eli5 = The following analytic detects the use of `get-WebConfigurationProperty` and `Set-ItemProperty` commands in PowerShell to disable HTTP logging on Windows systems. This detection leverages PowerShell Script Block Logging, specifically looking for script blocks that reference HTTP logging properties and attempt to set them to "false" or "dontLog". Disabling HTTP logging is significant as it can be used by adversaries to cover their tracks and delete logs, hindering forensic investigations. If confirmed malicious, this activity could allow attackers to evade detection and persist in the environment undetected. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = It is possible administrators or scripts may run these commands, filtering may be required. -action.escu.creation_date = 2024-05-05 -action.escu.modification_date = 2024-05-05 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows PowerShell Disable HTTP Logging - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["IIS Components", "Windows Defense Evasion Tactics"] -action.risk = 1 -action.risk.param._risk_message = A PowerShell Cmdlet related to disable or modifying a IIS HTTP logging has occurred on $Computer$. -action.risk.param._risk = [{"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows PowerShell Disable HTTP Logging - Rule -action.correlationsearch.annotations = {"analytic_story": ["IIS Components", "Windows Defense Evasion Tactics"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1562", "T1562.002", "T1505", "T1505.004"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "27958de0-2857-43ca-9d4c-b255cf59dcab", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the use of `get-WebConfigurationProperty` and `Set-ItemProperty` commands in PowerShell to disable HTTP logging on Windows systems. This detection leverages PowerShell Script Block Logging, specifically looking for script blocks that reference HTTP logging properties and attempt to set them to "false" or "dontLog". Disabling HTTP logging is significant as it can be used by adversaries to cover their tracks and delete logs, hindering forensic investigations. If confirmed malicious, this activity could allow attackers to evade detection and persist in the environment undetected. -action.notable.param.rule_title = Windows PowerShell Disable HTTP Logging -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText IN("*get-WebConfigurationProperty*","*Set-ItemProperty*") AND ScriptBlockText IN ("*httpLogging*","*Logfile.enabled*") AND ScriptBlockText IN ("*dontLog*", "*false*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_disable_http_logging_filter` - -[ESCU - Windows PowerShell Export Certificate - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the use of the PowerShell Cmdlet `export-certificate` by leveraging Script Block Logging. This activity is significant as it may indicate an adversary attempting to exfiltrate certificates from the local Certificate Store on a Windows endpoint. Monitoring this behavior is crucial because stolen certificates can be used to impersonate users, decrypt sensitive data, or facilitate further attacks. If confirmed malicious, this activity could lead to unauthorized access to encrypted communications and sensitive information, posing a severe security risk. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.004", "T1552", "T1649"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects the use of the PowerShell Cmdlet `export-certificate` by leveraging Script Block Logging. This activity is significant as it may indicate an adversary attempting to exfiltrate certificates from the local Certificate Store on a Windows endpoint. Monitoring this behavior is crucial because stolen certificates can be used to impersonate users, decrypt sensitive data, or facilitate further attacks. If confirmed malicious, this activity could lead to unauthorized access to encrypted communications and sensitive information, posing a severe security risk. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = It is possible administrators or scripts may run these commands, filtering may be required. -action.escu.creation_date = 2024-05-18 -action.escu.modification_date = 2024-05-18 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows PowerShell Export Certificate - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Windows Certificate Services"] -action.risk = 1 -action.risk.param._risk_message = A PowerShell Cmdlet related to exporting a Certificate was ran on $dest$, attempting to export a certificate. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 36}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows PowerShell Export Certificate - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Certificate Services"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.004", "T1552", "T1649"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "5e38ded4-c964-41f4-8cb6-4a1a53c6929f", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText IN ("*export-certificate*") | rename Computer as dest | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_export_certificate_filter` - -[ESCU - Windows PowerShell Export PfxCertificate - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the use of the PowerShell cmdlet `export-pfxcertificate` by leveraging Script Block Logging. This activity is significant as it may indicate an adversary attempting to exfiltrate certificates from the Windows Certificate Store. Monitoring this behavior is crucial for identifying potential certificate theft, which can lead to unauthorized access and impersonation attacks. If confirmed malicious, this activity could allow attackers to compromise secure communications, authenticate as legitimate users, and escalate their privileges within the network. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.004", "T1552", "T1649"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects the use of the PowerShell cmdlet `export-pfxcertificate` by leveraging Script Block Logging. This activity is significant as it may indicate an adversary attempting to exfiltrate certificates from the Windows Certificate Store. Monitoring this behavior is crucial for identifying potential certificate theft, which can lead to unauthorized access and impersonation attacks. If confirmed malicious, this activity could allow attackers to compromise secure communications, authenticate as legitimate users, and escalate their privileges within the network. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = It is possible administrators or scripts may run these commands, filtering may be required. -action.escu.creation_date = 2024-05-21 -action.escu.modification_date = 2024-05-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows PowerShell Export PfxCertificate - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Windows Certificate Services"] -action.risk = 1 -action.risk.param._risk_message = A PowerShell Cmdlet related to exporting a PFX Certificate was ran on $dest$, attempting to export a certificate. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 36}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows PowerShell Export PfxCertificate - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Certificate Services"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.004", "T1552", "T1649"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "ed06725f-6da6-439f-9dcc-ab30e891297c", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText IN ("*export-pfxcertificate*") | rename Computer as dest | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_export_pfxcertificate_filter` - -[ESCU - Windows PowerShell Get CIMInstance Remote Computer - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic identifies the use of Get-CimInstance cmdlet with the -ComputerName parameter, which indicates that the cmdlet is being used to retrieve information from a remote computer. This can be useful for detecting instances of remote access, such as when an attacker uses PowerShell to connect to a remote system and gather information. By monitoring for this cmdlet with the -ComputerName parameter, security analysts can identify potential malicious activity on remote systems and take appropriate action to mitigate any threats. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.001"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic identifies the use of Get-CimInstance cmdlet with the -ComputerName parameter, which indicates that the cmdlet is being used to retrieve information from a remote computer. This can be useful for detecting instances of remote access, such as when an attacker uses PowerShell to connect to a remote system and gather information. By monitoring for this cmdlet with the -ComputerName parameter, security analysts can identify potential malicious activity on remote systems and take appropriate action to mitigate any threats. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = This is meant to be a low risk RBA anomaly analytic or to be used for hunting. Enable this with a low risk score and let it generate risk in the risk index. -action.escu.creation_date = 2023-03-27 -action.escu.modification_date = 2023-03-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows PowerShell Get CIMInstance Remote Computer - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Lateral Movement"] -action.risk = 1 -action.risk.param._risk_message = A PowerShell Cmdlet Get-CIMInstnace was ran on $Computer$, attempting to connect to a remote host. -action.risk.param._risk = [{"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 15}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows PowerShell Get CIMInstance Remote Computer - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.001"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "d8c972eb-ed84-431a-8869-ca4bd83257d1", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText="*get-ciminstance*" AND ScriptBlockText="*computername*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_get_ciminstance_remote_computer_filter` - -[ESCU - Windows PowerShell IIS Components WebGlobalModule Usage - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the usage of PowerShell Cmdlets - New-WebGlobalModule, Enable-WebGlobalModule and Set-WebGlobalModule being utilized to create (new), enable (start) or modify a current IIS Module. These commands are equivalent to AppCmd.exe parameters. Adversaries may utilize these cmdlets as they are lesser known and perform the same activity as AppCmd. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1505", "T1505.004"], "nist": ["DE.AE"]} -action.escu.data_models = ["Web"] -action.escu.eli5 = The following analytic identifies the usage of PowerShell Cmdlets - New-WebGlobalModule, Enable-WebGlobalModule and Set-WebGlobalModule being utilized to create (new), enable (start) or modify a current IIS Module. These commands are equivalent to AppCmd.exe parameters. Adversaries may utilize these cmdlets as they are lesser known and perform the same activity as AppCmd. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = It is possible administrators or scripts may run these commands, filtering may be required. -action.escu.creation_date = 2022-12-21 -action.escu.modification_date = 2022-12-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows PowerShell IIS Components WebGlobalModule Usage - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["IIS Components"] -action.risk = 1 -action.risk.param._risk_message = A PowerShell Cmdlet related to enabling, creating or modifying a IIS module has occurred on $Computer$. -action.risk.param._risk = [{"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows PowerShell IIS Components WebGlobalModule Usage - Rule -action.correlationsearch.annotations = {"analytic_story": ["IIS Components"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1505", "T1505.004"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "33fc9f6f-0ce7-4696-924e-a69ec61a3d57", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText IN("*New-WebGlobalModule*","*Enable-WebGlobalModule*","*Set-WebGlobalModule*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_iis_components_webglobalmodule_usage_filter` - -[ESCU - Windows Powershell Import Applocker Policy - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic is to identify the imports of Windows PowerShell Applocker commandlets. This technique was seen in Azorult malware where it drops an xml Applocker policy that will deny several AV product and then loaded using PowerShell Applocker commandlet. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1059.001", "T1059", "T1562.001", "T1562"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic is to identify the imports of Windows PowerShell Applocker commandlets. This technique was seen in Azorult malware where it drops an xml Applocker policy that will deny several AV product and then loaded using PowerShell Applocker commandlet. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = administrators may execute this command that may cause some false positive. -action.escu.creation_date = 2022-06-30 -action.escu.modification_date = 2022-06-30 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Powershell Import Applocker Policy - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Azorult"] -action.risk = 1 -action.risk.param._risk_message = A PowerShell script contains Import Applocker Policy command $ScriptBlockText$ with EventCode $EventCode$ on host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Powershell Import Applocker Policy - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azorult"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1059.001", "T1059", "T1562.001", "T1562"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "102af98d-0ca3-4aa4-98d6-7ab2b98b955a", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic is to identify the imports of Windows PowerShell Applocker commandlets. This technique was seen in Azorult malware where it drops an xml Applocker policy that will deny several AV product and then loaded using PowerShell Applocker commandlet. -action.notable.param.rule_title = Windows Powershell Import Applocker Policy -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText="*Import-Module Applocker*" ScriptBlockText="*Set-AppLockerPolicy *" ScriptBlockText="* -XMLPolicy *" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_import_applocker_policy_filter` - -[ESCU - Windows Powershell RemoteSigned File - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic identifies the use of "remotesigned" execution policy for a file. This security setting determines whether PowerShell scripts can be executed on a computer. When the execution policy is set to "remotesigned," it allows locally created scripts to run without any restrictions, but scripts downloaded from the internet must have a digital signature from a trusted publisher. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.001", "T1059"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic identifies the use of "remotesigned" execution policy for a file. This security setting determines whether PowerShell scripts can be executed on a computer. When the execution policy is set to "remotesigned," it allows locally created scripts to run without any restrictions, but scripts downloaded from the internet must have a digital signature from a trusted publisher. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = It is possible administrators or scripts may run these commands, filtering may be required. -action.escu.creation_date = 2023-06-16 -action.escu.modification_date = 2023-06-16 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Powershell RemoteSigned File - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Amadey"] -action.risk = 1 -action.risk.param._risk_message = A PowerShell commandline with remotesigned policy executed on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Powershell RemoteSigned File - Rule -action.correlationsearch.annotations = {"analytic_story": ["Amadey"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.001", "T1059"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "f7f7456b-470d-4a95-9703-698250645ff4", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process="* remotesigned *" Processes.process="* -File *" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_remotesigned_file_filter` - -[ESCU - Windows PowerShell ScheduleTask - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects potential malicious activities related to PowerShell's task scheduling cmdlets. It looks for anomalies in PowerShell logs, specifically EventCode 4104, associated with script block logging. The analytic flags unusual or suspicious use patterns of key task-related cmdlets such as 'New-ScheduledTask', 'Set-ScheduledTask', and others, which are often used by attackers for persistence and remote execution of malicious code. If a true positive is found, it suggests an possible attacker is attempting to persist within the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. To implement this analytic, PowerShell Script Block Logging needs to be enabled on some or all endpoints. Analysts should be aware of benign administrative tasks that can trigger alerts and tune the analytic accordingly to reduce false positives. Upon triage, review the PowerShell logs for any unusual or unexpected cmdlet usage, IP addresses, user accounts, or timestamps. If these factors align with known malicious behavior patterns, immediate mitigation steps, such as isolation of the affected systems, user account changes, and relevant threat hunting activities, should be initiated. This proactive analysis significantly enhances an organization's capacity to swiftly respond to, and potentially prevent, the execution of advanced persistent threats in their network. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.005", "T1059.001", "T1059"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects potential malicious activities related to PowerShell's task scheduling cmdlets. It looks for anomalies in PowerShell logs, specifically EventCode 4104, associated with script block logging. The analytic flags unusual or suspicious use patterns of key task-related cmdlets such as 'New-ScheduledTask', 'Set-ScheduledTask', and others, which are often used by attackers for persistence and remote execution of malicious code. If a true positive is found, it suggests an possible attacker is attempting to persist within the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. To implement this analytic, PowerShell Script Block Logging needs to be enabled on some or all endpoints. Analysts should be aware of benign administrative tasks that can trigger alerts and tune the analytic accordingly to reduce false positives. Upon triage, review the PowerShell logs for any unusual or unexpected cmdlet usage, IP addresses, user accounts, or timestamps. If these factors align with known malicious behavior patterns, immediate mitigation steps, such as isolation of the affected systems, user account changes, and relevant threat hunting activities, should be initiated. This proactive analysis significantly enhances an organization's capacity to swiftly respond to, and potentially prevent, the execution of advanced persistent threats in their network. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = Benign administrative tasks can also trigger alerts, necessitating a firm understanding of the typical system behavior and precise tuning of the analytic to reduce false positives. -action.escu.creation_date = 2023-06-12 -action.escu.modification_date = 2023-06-12 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows PowerShell ScheduleTask - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.atomic_red_team_guids = ["af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Scheduled Tasks"] -action.risk = 1 -action.risk.param._risk_message = The PowerShell cmdlets related to task creation, modification and start occurred on $Computer$ by $user_id$. -action.risk.param._risk = [{"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 25}, {"risk_object_field": "user_id", "risk_object_type": "user", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows PowerShell ScheduleTask - Rule -action.correlationsearch.annotations = {"analytic_story": ["Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.005", "T1059.001", "T1059"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "ddf82fcb-e9ee-40e3-8712-a50b5bf323fc", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText IN ("*New-ScheduledTask*", "*New-ScheduledTaskAction*", "*New-ScheduledTaskSettingsSet*", "*New-ScheduledTaskTrigger*", "*Register-ClusteredScheduledTask*", "*Register-ScheduledTask*", "*Set-ClusteredScheduledTask*", "*Set-ScheduledTask*", "*Start-ScheduledTask*", "*Enable-ScheduledTask*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_scheduletask_filter` - -[ESCU - Windows PowerShell WMI Win32 ScheduledJob - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the use of the PowerShell script block logging mechanism to detect the use of the Win32_ScheduledJob WMI class. This class allows the creation and management of scheduled tasks on Windows systems. However, due to security concerns, the class has been disabled by default in Windows systems, and its use must be explicitly enabled by modifying the registry. As a result, the detection of the use of this class may indicate malicious activity, especially if the class was enabled on the system by the attacker. Therefore, it is recommended to monitor the use of Win32_ScheduledJob through PowerShell script block logging and to investigate any suspicious activity. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.001", "T1059"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects the use of the PowerShell script block logging mechanism to detect the use of the Win32_ScheduledJob WMI class. This class allows the creation and management of scheduled tasks on Windows systems. However, due to security concerns, the class has been disabled by default in Windows systems, and its use must be explicitly enabled by modifying the registry. As a result, the detection of the use of this class may indicate malicious activity, especially if the class was enabled on the system by the attacker. Therefore, it is recommended to monitor the use of Win32_ScheduledJob through PowerShell script block logging and to investigate any suspicious activity. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = False positives may be present based on legacy applications or utilities. Win32_ScheduledJob uses the Remote Procedure Call (RPC) protocol to create scheduled tasks on remote computers. It uses the DCOM (Distributed Component Object Model) infrastructure to establish a connection with the remote computer and invoke the necessary methods. The RPC service needs to be running on both the local and remote computers for the communication to take place. -action.escu.creation_date = 2023-03-27 -action.escu.modification_date = 2023-03-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows PowerShell WMI Win32 ScheduledJob - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Lateral Movement"] -action.risk = 1 -action.risk.param._risk_message = PowerShell attempting to create a task via WMI - Win32_ScheduledJob, was ran on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 40}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows PowerShell WMI Win32 ScheduledJob - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 50, "impact": 80, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.001", "T1059"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "47c69803-2c09-408b-b40a-063c064cbb16", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the use of the PowerShell script block logging mechanism to detect the use of the Win32_ScheduledJob WMI class. This class allows the creation and management of scheduled tasks on Windows systems. However, due to security concerns, the class has been disabled by default in Windows systems, and its use must be explicitly enabled by modifying the registry. As a result, the detection of the use of this class may indicate malicious activity, especially if the class was enabled on the system by the attacker. Therefore, it is recommended to monitor the use of Win32_ScheduledJob through PowerShell script block logging and to investigate any suspicious activity. -action.notable.param.rule_title = Windows PowerShell WMI Win32 ScheduledJob -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText="*win32_scheduledjob*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_wmi_win32_scheduledjob_filter` - -[ESCU - Windows PowerSploit GPP Discovery - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the use of the Get-GPPPassword PowerShell commandlet employed to search for unsecured credentials Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts. These group policies are stored in SYSVOL on a domain controller. This means that any domain user can view the SYSVOL share and decrypt the password (using the AES key that has been made public). While Microsoft released a patch that impedes Administrators to create unsecure credentials, existing Group Policy Preferences files with passwords are not removed from SYSVOL. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552", "T1552.006"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies the use of the Get-GPPPassword PowerShell commandlet employed to search for unsecured credentials Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts. These group policies are stored in SYSVOL on a domain controller. This means that any domain user can view the SYSVOL share and decrypt the password (using the AES key that has been made public). While Microsoft released a patch that impedes Administrators to create unsecure credentials, existing Group Policy Preferences files with passwords are not removed from SYSVOL. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = Unknown -action.escu.creation_date = 2023-03-16 -action.escu.modification_date = 2023-03-16 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows PowerSploit GPP Discovery - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = Commandlets leveraged to discover GPP credentials were executed on $Computer$ -action.risk.param._risk = [{"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 56}, {"risk_object_field": "UserID", "risk_object_type": "user", "risk_score": 56}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows PowerSploit GPP Discovery - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552", "T1552.006"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "0130a0df-83a1-4647-9011-841e950ff302", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the use of the Get-GPPPassword PowerShell commandlet employed to search for unsecured credentials Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts. These group policies are stored in SYSVOL on a domain controller. This means that any domain user can view the SYSVOL share and decrypt the password (using the AES key that has been made public). While Microsoft released a patch that impedes Administrators to create unsecure credentials, existing Group Policy Preferences files with passwords are not removed from SYSVOL. -action.notable.param.rule_title = Windows PowerSploit GPP Discovery -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 (ScriptBlockText=Get-GPPPassword OR ScriptBlockText=Get-CachedGPPPassword) | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powersploit_gpp_discovery_filter` - -[ESCU - Windows PowerView AD Access Control List Enumeration - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic leverages Event ID 4104 to identify the execution of the PowerView powershell commandlets `Get-ObjectAcl` or `Get-DomainObjectAcl`. This commandlets are used to enumerate Access Control List permissions given to Active Directory objects. In an active directory environment, an object is an entity that represents an available resource within the organizations network, such as domain controllers, users, groups, computers, shares, etc. Maintaining Active Directory permissions is complicated and hard to manage, especially in complex and large environments with multiple domains. Weak permissions may allow adversaries and red teamers to escalate their privileges in Active Directory. PowerView is a common tool leveraged by attackers to identify and exploit configuration weaknesses. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.002", "T1069"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic leverages Event ID 4104 to identify the execution of the PowerView powershell commandlets `Get-ObjectAcl` or `Get-DomainObjectAcl`. This commandlets are used to enumerate Access Control List permissions given to Active Directory objects. In an active directory environment, an object is an entity that represents an available resource within the organizations network, such as domain controllers, users, groups, computers, shares, etc. Maintaining Active Directory permissions is complicated and hard to manage, especially in complex and large environments with multiple domains. Weak permissions may allow adversaries and red teamers to escalate their privileges in Active Directory. PowerView is a common tool leveraged by attackers to identify and exploit configuration weaknesses. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.= -action.escu.known_false_positives = Administrators may leverage PowerView for legitimate purposes, filter as needed. -action.escu.creation_date = 2023-04-20 -action.escu.modification_date = 2023-04-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows PowerView AD Access Control List Enumeration - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Discovery", "Active Directory Privilege Escalation", "Rhysida Ransomware"] -action.risk = 1 -action.risk.param._risk_message = PowerView AD acccess control list enumeration detected on $Computer$ -action.risk.param._risk = [{"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 20}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows PowerView AD Access Control List Enumeration - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "Active Directory Privilege Escalation", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 40, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1078.002", "T1069"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "39405650-c364-4e1e-a740-32a63ef042a6", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic leverages Event ID 4104 to identify the execution of the PowerView powershell commandlets `Get-ObjectAcl` or `Get-DomainObjectAcl`. This commandlets are used to enumerate Access Control List permissions given to Active Directory objects. In an active directory environment, an object is an entity that represents an available resource within the organizations network, such as domain controllers, users, groups, computers, shares, etc. Maintaining Active Directory permissions is complicated and hard to manage, especially in complex and large environments with multiple domains. Weak permissions may allow adversaries and red teamers to escalate their privileges in Active Directory. PowerView is a common tool leveraged by attackers to identify and exploit configuration weaknesses. -action.notable.param.rule_title = Windows PowerView AD Access Control List Enumeration -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 (ScriptBlockText=*get-objectacl* OR ScriptBlockText=*Get-DomainObjectAcl* ) | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powerview_ad_access_control_list_enumeration_filter` - -[ESCU - Windows PowerView Constrained Delegation Discovery - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify commandlets used by the PowerView hacking tool leveraged to discover Windows endpoints with Kerberos Constrained Delegation. Red Teams and adversaries alike may leverage use this technique for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify commandlets used by the PowerView hacking tool leveraged to discover Windows endpoints with Kerberos Constrained Delegation. Red Teams and adversaries alike may leverage use this technique for situational awareness and Active Directory Discovery. -action.escu.how_to_implement = The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -action.escu.known_false_positives = Administrators or power users may leverage PowerView for system management or troubleshooting. -action.escu.creation_date = 2024-04-26 -action.escu.modification_date = 2024-04-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows PowerView Constrained Delegation Discovery - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Kerberos Attacks", "CISA AA23-347A", "Rhysida Ransomware"] -action.risk = 1 -action.risk.param._risk_message = Suspicious PowerShell Get-DomainComputer was identified on endpoint $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 35}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 35}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows PowerView Constrained Delegation Discovery - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks", "CISA AA23-347A", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "86dc8176-6e6c-42d6-9684-5444c6557ab3", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify commandlets used by the PowerView hacking tool leveraged to discover Windows endpoints with Kerberos Constrained Delegation. Red Teams and adversaries alike may leverage use this technique for situational awareness and Active Directory Discovery. -action.notable.param.rule_title = Windows PowerView Constrained Delegation Discovery -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 (ScriptBlockText = "*Get-DomainComputer*" OR ScriptBlockText = "*Get-NetComputer*") AND (ScriptBlockText = "*-TrustedToAuth*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powerview_constrained_delegation_discovery_filter` - -[ESCU - Windows PowerView Kerberos Service Ticket Request - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainSPNTicket` commandlets with specific parameters. This commandlet is a part of PowerView, a PowerShell tool used to perform enumeration and discovery on Windows Active Directory networks. As the name suggests, this commandlet is used to request the kerberos ticket for a specified service principal name (SPN). Once the ticket is received, it may be cracked using password cracking tools like hashcat to extract the password of the SPN account. Red Teams and adversaries alike may leverage PowerView and these commandlets to identify accounts that can be attacked with the Kerberoasting technique. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558", "T1558.003"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainSPNTicket` commandlets with specific parameters. This commandlet is a part of PowerView, a PowerShell tool used to perform enumeration and discovery on Windows Active Directory networks. As the name suggests, this commandlet is used to request the kerberos ticket for a specified service principal name (SPN). Once the ticket is received, it may be cracked using password cracking tools like hashcat to extract the password of the SPN account. Red Teams and adversaries alike may leverage PowerView and these commandlets to identify accounts that can be attacked with the Kerberoasting technique. -action.escu.how_to_implement = The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -action.escu.known_false_positives = False positive may include Administrators using PowerView for troubleshooting and management. -action.escu.creation_date = 2022-06-22 -action.escu.modification_date = 2022-06-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows PowerView Kerberos Service Ticket Request - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Kerberos Attacks", "Rhysida Ransomware"] -action.risk = 1 -action.risk.param._risk_message = PowerView commandlets used for requesting SPN service ticket executed on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 27}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows PowerView Kerberos Service Ticket Request - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558", "T1558.003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "970455a1-4ac2-47e1-a9a5-9e75443ddcb9", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainSPNTicket` commandlets with specific parameters. This commandlet is a part of PowerView, a PowerShell tool used to perform enumeration and discovery on Windows Active Directory networks. As the name suggests, this commandlet is used to request the kerberos ticket for a specified service principal name (SPN). Once the ticket is received, it may be cracked using password cracking tools like hashcat to extract the password of the SPN account. Red Teams and adversaries alike may leverage PowerView and these commandlets to identify accounts that can be attacked with the Kerberoasting technique. -action.notable.param.rule_title = Windows PowerView Kerberos Service Ticket Request -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText=*Get-DomainSPNTicket* | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powerview_kerberos_service_ticket_request_filter` - -[ESCU - Windows PowerView SPN Discovery - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainUser` or `Get-NetUSer` commandlets with specific parameters. These commandlets are part of PowerView, a PowerShell tool used to perform enumeration and discovery on Windows Active Directory networks. As the names suggest, these commandlets are used to identify domain users in a network and combining them with the `-SPN` parameter allows adversaries to discover domain accounts associated with a Service Principal Name (SPN). Red Teams and adversaries alike may leverage PowerView and these commandlets to identify accounts that can be attacked with the Kerberoasting technique. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558", "T1558.003"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainUser` or `Get-NetUSer` commandlets with specific parameters. These commandlets are part of PowerView, a PowerShell tool used to perform enumeration and discovery on Windows Active Directory networks. As the names suggest, these commandlets are used to identify domain users in a network and combining them with the `-SPN` parameter allows adversaries to discover domain accounts associated with a Service Principal Name (SPN). Red Teams and adversaries alike may leverage PowerView and these commandlets to identify accounts that can be attacked with the Kerberoasting technique. -action.escu.how_to_implement = The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -action.escu.known_false_positives = False positive may include Administrators using PowerView for troubleshooting and management. -action.escu.creation_date = 2023-12-27 -action.escu.modification_date = 2023-12-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows PowerView SPN Discovery - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Kerberos Attacks", "CISA AA23-347A", "Rhysida Ransomware"] -action.risk = 1 -action.risk.param._risk_message = PowerView commandlets used for SPN discovery executed on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 27}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows PowerView SPN Discovery - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks", "CISA AA23-347A", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558", "T1558.003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a7093c28-796c-4ebb-9997-e2c18b870837", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainUser` or `Get-NetUSer` commandlets with specific parameters. These commandlets are part of PowerView, a PowerShell tool used to perform enumeration and discovery on Windows Active Directory networks. As the names suggest, these commandlets are used to identify domain users in a network and combining them with the `-SPN` parameter allows adversaries to discover domain accounts associated with a Service Principal Name (SPN). Red Teams and adversaries alike may leverage PowerView and these commandlets to identify accounts that can be attacked with the Kerberoasting technique. -action.notable.param.rule_title = Windows PowerView SPN Discovery -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 (ScriptBlockText =*Get-NetUser* OR ScriptBlockText=*Get-DomainUser*) ScriptBlockText= *-SPN* | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_powerview_spn_discovery_filter` - -[ESCU - Windows PowerView Unconstrained Delegation Discovery - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify commandlets used by the PowerView hacking tool leveraged to discover Windows endpoints with Kerberos Unconstrained Delegation. Red Teams and adversaries alike may leverage use this technique for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify commandlets used by the PowerView hacking tool leveraged to discover Windows endpoints with Kerberos Unconstrained Delegation. Red Teams and adversaries alike may leverage use this technique for situational awareness and Active Directory Discovery. -action.escu.how_to_implement = The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -action.escu.known_false_positives = Administrators or power users may leverage PowerView for system management or troubleshooting. -action.escu.creation_date = 2024-04-26 -action.escu.modification_date = 2024-04-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows PowerView Unconstrained Delegation Discovery - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Kerberos Attacks", "CISA AA23-347A", "Rhysida Ransomware"] -action.risk = 1 -action.risk.param._risk_message = Suspicious PowerShell Get-DomainComputer was identified on endpoint $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 35}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 35}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows PowerView Unconstrained Delegation Discovery - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks", "CISA AA23-347A", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "fbf9e47f-e531-4fea-942d-5c95af7ed4d6", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify commandlets used by the PowerView hacking tool leveraged to discover Windows endpoints with Kerberos Unconstrained Delegation. Red Teams and adversaries alike may leverage use this technique for situational awareness and Active Directory Discovery. -action.notable.param.rule_title = Windows PowerView Unconstrained Delegation Discovery -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 (ScriptBlockText = "*Get-DomainComputer*" OR ScriptBlockText = "*Get-NetComputer*") AND (ScriptBlockText = "*-Unconstrained*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powerview_unconstrained_delegation_discovery_filter` - -[ESCU - Windows Private Keys Discovery - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a process command line that retrieves information related to private keys files. This technique was seen in several post exploitation tools like winpeas that are being used by Ransomware Prestige to search for private key certificates on the compromised host for insecurely stored credentials. This files can be used by adversaries to gain privileges, persistence or remote service authentication to collect more sensitive information. Some private keys required password for operation, so in this case adversaries may need to have that passphrase either via keylogging or brute force attack. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.004", "T1552"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a process command line that retrieves information related to private keys files. This technique was seen in several post exploitation tools like winpeas that are being used by Ransomware Prestige to search for private key certificates on the compromised host for insecurely stored credentials. This files can be used by adversaries to gain privileges, persistence or remote service authentication to collect more sensitive information. Some private keys required password for operation, so in this case adversaries may need to have that passphrase either via keylogging or brute force attack. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2022-11-30 -action.escu.modification_date = 2022-11-30 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Private Keys Discovery - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Prestige Ransomware", "Windows Post-Exploitation"] -action.risk = 1 -action.risk.param._risk_message = a process with commandline $process$ that can retrieve information related to private keys in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Private Keys Discovery - Rule -action.correlationsearch.annotations = {"analytic_story": ["Prestige Ransomware", "Windows Post-Exploitation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.004", "T1552"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "5c1c2877-06c0-40ee-a1a2-db71f1372b5b", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = "*dir *" OR Processes.process = "*findstr*" AND Processes.process IN ( "*.rdg*", "*.gpg*", "*.pgp*", "*.p12*", "*.der*", "*.csr*", "*.cer*", "*.ovpn*", "*.key*", "*.ppk*", "*.p12*", "*.pem*", "*.pfx*", "*.p7b*", "*.asc*") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_private_keys_discovery_filter` - -[ESCU - Windows Privilege Escalation Suspicious Process Elevation - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects when any low->high integrity level process running from a user account spawns an elevated (high/system integrity) process in a suspicious location or with system level process integrity. This behavior may indicate when a threat actor has successfully elevated privileges. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068", "T1548", "T1134"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects when any low->high integrity level process running from a user account spawns an elevated (high/system integrity) process in a suspicious location or with system level process integrity. This behavior may indicate when a threat actor has successfully elevated privileges. -action.escu.how_to_implement = Target environment must ingest process execution data sources such as Windows process monitoring and/or Sysmon EID 1. -action.escu.known_false_positives = False positives may be generated by administrators installing benign applications using run-as/elevation. -action.escu.creation_date = 2023-11-30 -action.escu.modification_date = 2023-11-30 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Privilege Escalation Suspicious Process Elevation - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Windows Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = The user $src_user$ launched a process [$parent_process_name$] which spawned a suspicious elevated integrity process [$process_name$]. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 40}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 40}, {"risk_object_field": "src_user", "risk_object_type": "user", "risk_score": 40}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 40}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Privilege Escalation Suspicious Process Elevation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 40, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068", "T1548", "T1134"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "6a80300a-9f8a-4f22-bd3e-09ca577cfdfc", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects when any low->high integrity level process running from a user account spawns an elevated (high/system integrity) process in a suspicious location or with system level process integrity. This behavior may indicate when a threat actor has successfully elevated privileges. -action.notable.param.rule_title = Windows Privilege Escalation Suspicious Process Elevation -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime from datamodel=Endpoint.Processes where Processes.process_integrity_level IN ("low","medium","high") NOT Processes.user IN ("*SYSTEM","*LOCAL SERVICE","*NETWORK SERVICE","DWM-*","*$") by Processes.dest, Processes.user, Processes.parent_process_guid, Processes.parent_process, Processes.parent_process_name Processes.process_name Processes.process, Processes.process_path, Processes.process_guid, Processes.process_integrity_level, Processes.process_current_directory | `drop_dm_object_name(Processes)` | eval join_guid = process_guid, integrity_level = CASE(match(process_integrity_level,"low"),1,match(process_integrity_level,"medium"),2,match(process_integrity_level,"high"),3,match(process_integrity_level,"system"),4,true(),0) | rename user as src_user, parent_process* as orig_parent_process*, process* as parent_process* | join max=0 dest join_guid [| tstats `security_content_summariesonly` count max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_integrity_level IN ("system") NOT Processes.user IN ("*SYSTEM","*LOCAL SERVICE","*NETWORK SERVICE","DWM-*","*$")) OR (Processes.process_integrity_level IN ("high","system") AND (Processes.parent_process_path IN ("*\\\\*","*\\Users\\*","*\\Temp\\*","*\\ProgramData\\*") OR Processes.process_path IN ("*\\\\*","*\\Users\\*","*\\Temp\\*","*\\ProgramData\\*"))) by Processes.dest, Processes.user, Processes.parent_process_guid, Processes.process_name, Processes.process, Processes.process_path, Processes.process_integrity_level, Processes.process_current_directory | `drop_dm_object_name(Processes)` | eval elevated_integrity_level = CASE(match(process_integrity_level,"low"),1,match(process_integrity_level,"medium"),2,match(process_integrity_level,"high"),3,match(process_integrity_level,"system"),4,true(),0) | rename parent_process_guid as join_guid ] | where elevated_integrity_level > integrity_level OR user != elevated_user | fields dest, user, src_user, parent_process_name, parent_process, parent_process_path, parent_process_guid, parent_process_integrity_level, parent_process_current_directory, process_name, process, process_path, process_guid, process_integrity_level, process_current_directory, orig_parent_process_name, orig_parent_process, orig_parent_process_guid, firstTime, lastTime, count | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_privilege_escalation_suspicious_process_elevation_filter` - -[ESCU - Windows Privilege Escalation System Process Without System Parent - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects any system integrity level process that was spawned by a process not running as a system account. This behavior is often seen when attackers successfully escalate privileges to SYSTEM from a user controlled process or service. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068", "T1548", "T1134"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects any system integrity level process that was spawned by a process not running as a system account. This behavior is often seen when attackers successfully escalate privileges to SYSTEM from a user controlled process or service. -action.escu.how_to_implement = Target environment must ingest sysmon data, specifically Event ID 1 with process integrity and parent user data. -action.escu.known_false_positives = Unknown -action.escu.creation_date = 2023-11-30 -action.escu.modification_date = 2023-11-30 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Privilege Escalation System Process Without System Parent - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["Windows Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = The process [$process_name$] on $dest$ was launched with system level integrity by $src_user$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "src_user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Privilege Escalation System Process Without System Parent - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 80, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068", "T1548", "T1134"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "5a5351cd-ba7e-499e-ad82-2ce160ffa637", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects any system integrity level process that was spawned by a process not running as a system account. This behavior is often seen when attackers successfully escalate privileges to SYSTEM from a user controlled process or service. -action.notable.param.rule_title = Windows Privilege Escalation System Process Without System Parent -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=1 IntegrityLevel="system" ParentUser=* NOT ParentUser IN ("*SYSTEM","*LOCAL SERVICE","*NETWORK SERVICE","*DWM-*","*$","-") | eval src_user = replace(ParentUser,"^[^\\\]+\\\\","") | stats count min(_time) as firstTime max(_time) as lastTime values(process_name) as process_name values(process) as process, values(process_path) as process_path, values(process_current_directory) as process_current_directory values(parent_process) as parent_process by dest, user, src_user, parent_process_name, parent_process_guid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_privilege_escalation_system_process_without_system_parent_filter` - -[ESCU - Windows Privilege Escalation User Process Spawn System Process - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects when any process low->high integrity level process spawns a system integrity process from a user controlled location. This behavior is often seen when attackers successfully escalate privileges to SYSTEM from a user controlled process or service. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068", "T1548", "T1134"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects when any process low->high integrity level process spawns a system integrity process from a user controlled location. This behavior is often seen when attackers successfully escalate privileges to SYSTEM from a user controlled process or service. -action.escu.how_to_implement = Target environment must ingest sysmon data, specifically Event ID 15. -action.escu.known_false_positives = Unknown -action.escu.creation_date = 2023-11-30 -action.escu.modification_date = 2023-11-30 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Privilege Escalation User Process Spawn System Process - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Windows Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = The user $user$ launched a process [$process_name$] which spawned a system level integrity process [$system_process$]. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Privilege Escalation User Process Spawn System Process - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 80, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068", "T1548", "T1134"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c9687a28-39ad-43c6-8bcf-eaf061ba0cbe", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects when any process low->high integrity level process spawns a system integrity process from a user controlled location. This behavior is often seen when attackers successfully escalate privileges to SYSTEM from a user controlled process or service. -action.notable.param.rule_title = Windows Privilege Escalation User Process Spawn System Process -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime from datamodel=Endpoint.Processes where Processes.process_integrity_level IN ("low","medium","high") NOT Processes.user IN ("*SYSTEM","*LOCAL SERVICE","*NETWORK SERVICE","DWM-*","*$") AND Processes.process_path IN ("*\\\\*","*\\Users\\*","*\\Temp\\*","*\\ProgramData\\*") by Processes.dest, Processes.user, Processes.parent_process_guid, Processes.parent_process, Processes.parent_process_name Processes.process_name Processes.process, Processes.process_path, Processes.process_guid, Processes.process_integrity_level, Processes.process_current_directory | `drop_dm_object_name(Processes)` | eval join_guid = process_guid | join max=0 dest join_guid [| tstats `security_content_summariesonly` count max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_integrity_level IN ("system") AND Processes.parent_process_path IN ("*\\\\*","*\\Users\\*","*\\Temp\\*","*\\ProgramData\\*") by Processes.dest, Processes.user, Processes.parent_process_guid, Processes.process_name, Processes.process, Processes.process_path, Processes.process_integrity_level, Processes.process_current_directory | `drop_dm_object_name(Processes)` | rename parent_process_guid as join_guid, process* as system_process*, user as system_user ] | fields dest, user, parent_process, parent_process_name, parent_process_guid, process, process_name, process_guid, process_integrity_level,process_path, process_current_directory, system_process_name, system_process, system_process_path, system_process_integrity_level, system_process_current_directory, system_user, firstTime, lastTime, count | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_privilege_escalation_user_process_spawn_system_process_filter` - -[ESCU - Windows Process Commandline Discovery - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects Windows Management Instrumentation Command-line (WMIC) command used to retrieve information about running processes and specifically fetches the command lines used to launch those processes. This Hunting detection can be a good indicator for possible suspicious user or process getting list of process with its command line using wmic application which is not a common practice for a non-technical user. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1057"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects Windows Management Instrumentation Command-line (WMIC) command used to retrieve information about running processes and specifically fetches the command lines used to launch those processes. This Hunting detection can be a good indicator for possible suspicious user or process getting list of process with its command line using wmic application which is not a common practice for a non-technical user. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. Filter as needed. -action.escu.creation_date = 2023-12-15 -action.escu.modification_date = 2023-12-15 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Process Commandline Discovery - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["CISA AA23-347A"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Process Commandline Discovery - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1057"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "67d2a52e-a7e2-4a5d-ae44-a21212048bc2", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process= "* process *" Processes.process= "* get commandline *" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_commandline_discovery_filter` - -[ESCU - Windows Process Injection In Non-Service SearchIndexer - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a non-service searchindexer.exe process. QakBot, a notorious banking trojan and information stealer, often deploys a process named "searchindexer.exe" as part of its malicious activities. This legitimate Windows process, "Search Indexer," is manipulated by QakBot to masquerade and evade detection within the system. The malware uses this deceptive tactic to camouflage its presence, remaining inconspicuous while performing unauthorized actions like data exfiltration, keystroke logging, and communication with command and control servers. By adopting the guise of a genuine system process, the malicious "searchindexer.exe" process helps QakBot evade scrutiny and continue its malevolent operations without arousing suspicion. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a non-service searchindexer.exe process. QakBot, a notorious banking trojan and information stealer, often deploys a process named "searchindexer.exe" as part of its malicious activities. This legitimate Windows process, "Search Indexer," is manipulated by QakBot to masquerade and evade detection within the system. The malware uses this deceptive tactic to camouflage its presence, remaining inconspicuous while performing unauthorized actions like data exfiltration, keystroke logging, and communication with command and control servers. By adopting the guise of a genuine system process, the malicious "searchindexer.exe" process helps QakBot evade scrutiny and continue its malevolent operations without arousing suspicion. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2024-01-03 -action.escu.modification_date = 2024-01-03 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Process Injection In Non-Service SearchIndexer - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Qakbot"] -action.risk = 1 -action.risk.param._risk_message = An uncommon non-service searchindexer.exe process in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Process Injection In Non-Service SearchIndexer - Rule -action.correlationsearch.annotations = {"analytic_story": ["Qakbot"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "d131673f-ede1-47f2-93a1-0108d3e7fafd", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a non-service searchindexer.exe process. QakBot, a notorious banking trojan and information stealer, often deploys a process named "searchindexer.exe" as part of its malicious activities. This legitimate Windows process, "Search Indexer," is manipulated by QakBot to masquerade and evade detection within the system. The malware uses this deceptive tactic to camouflage its presence, remaining inconspicuous while performing unauthorized actions like data exfiltration, keystroke logging, and communication with command and control servers. By adopting the guise of a genuine system process, the malicious "searchindexer.exe" process helps QakBot evade scrutiny and continue its malevolent operations without arousing suspicion. -action.notable.param.rule_title = Windows Process Injection In Non-Service SearchIndexer -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name != services.exe Processes.process_name=searchindexer.exe by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_injection_in_non_service_searchindexer_filter` - -[ESCU - Windows Process Injection into Notepad - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic utilizes Sysmon to identify process injection into Notepad.exe, based on GrantedAccess requests - 0x40 and 0x1fffff. This particular behavior is attributed to the defaults of the SliverC2 framework by BishopFox. By default, the analytic filters out any SourceImage paths of System32, Syswow64 and program files. Add more as needed, or remove and monitor what is consistently injecting into notepad.exe. This particular behavior will occur from a source image that is the initial payload dropped. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055", "T1055.002"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic utilizes Sysmon to identify process injection into Notepad.exe, based on GrantedAccess requests - 0x40 and 0x1fffff. This particular behavior is attributed to the defaults of the SliverC2 framework by BishopFox. By default, the analytic filters out any SourceImage paths of System32, Syswow64 and program files. Add more as needed, or remove and monitor what is consistently injecting into notepad.exe. This particular behavior will occur from a source image that is the initial payload dropped. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -action.escu.known_false_positives = False positives may be present based on SourceImage paths. If removing the paths is important, realize svchost and many native binaries inject into notepad consistently. Restrict or tune as needed. -action.escu.creation_date = 2023-02-22 -action.escu.modification_date = 2023-02-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Process Injection into Notepad - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["BishopFox Sliver Adversary Emulation Framework"] -action.risk = 1 -action.risk.param._risk_message = An instance of $SourceImage$ injecting into $TargetImage$ was identified on endpoint $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 32}, {"risk_object_field": "SourceImage", "risk_object_type": "other", "risk_score": 32}, {"risk_object_field": "TargetImage", "risk_object_type": "other", "risk_score": 32}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Process Injection into Notepad - Rule -action.correlationsearch.annotations = {"analytic_story": ["BishopFox Sliver Adversary Emulation Framework"], "cis20": ["CIS 10"], "confidence": 80, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055", "T1055.002"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "b8340d0f-ba48-4391-bea7-9e793c5aae36", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=10 TargetImage IN (*\\notepad.exe) NOT (SourceImage IN ("*\\system32\\*","*\\syswow64\\*","*\\Program Files\\*")) GrantedAccess IN ("0x40","0x1fffff") | stats count min(_time) as firstTime max(_time) as lastTime by dest SourceImage TargetImage GrantedAccess CallTrace | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_injection_into_notepad_filter` - -[ESCU - Windows Process Injection Of Wermgr to Known Browser - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic identifies the suspicious Remote Thread execution of wermgr.exe process to "firefox.exe", "chrome.exe" and other known browsers. This technique was seen in Qakbot malware that executes its malicious code by injecting its code in legitimate Windows Operating System processes such as wermgr.exe to steal information in the compromised host. This TTP detection can be a good pivot to detect wermgr.exe process injected with qakbot code that tries to remote thread code execution in known browsers like firefox and edge which is not a common behavior of this wermgr.exe application. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055.001", "T1055"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic identifies the suspicious Remote Thread execution of wermgr.exe process to "firefox.exe", "chrome.exe" and other known browsers. This technique was seen in Qakbot malware that executes its malicious code by injecting its code in legitimate Windows Operating System processes such as wermgr.exe to steal information in the compromised host. This TTP detection can be a good pivot to detect wermgr.exe process injected with qakbot code that tries to remote thread code execution in known browsers like firefox and edge which is not a common behavior of this wermgr.exe application. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the SourceImage, TargetImage, and EventCode executions from your endpoints related to create remote thread or injecting codes. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2022-10-28 -action.escu.modification_date = 2022-10-28 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Process Injection Of Wermgr to Known Browser - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["Qakbot"] -action.risk = 1 -action.risk.param._risk_message = wermgr.exe process $SourceImage$ create a remote thread to a browser process $TargetImage$ in host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Process Injection Of Wermgr to Known Browser - Rule -action.correlationsearch.annotations = {"analytic_story": ["Qakbot"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055.001", "T1055"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "aec755a5-3a2c-4be0-ab34-6540e68644e9", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic identifies the suspicious Remote Thread execution of wermgr.exe process to "firefox.exe", "chrome.exe" and other known browsers. This technique was seen in Qakbot malware that executes its malicious code by injecting its code in legitimate Windows Operating System processes such as wermgr.exe to steal information in the compromised host. This TTP detection can be a good pivot to detect wermgr.exe process injected with qakbot code that tries to remote thread code execution in known browsers like firefox and edge which is not a common behavior of this wermgr.exe application. -action.notable.param.rule_title = Windows Process Injection Of Wermgr to Known Browser -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=8 SourceImage = "*\\wermgr.exe" TargetImage IN ("*\\firefox.exe", "*\\chrome.exe", "*\\iexplore.exe","*\\microsoftedgecp.exe") | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage SourceProcessGuid SourceProcessId StartAddress StartFunction TargetProcessGuid TargetProcessId EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_injection_of_wermgr_to_known_browser_filter` - -[ESCU - Windows Process Injection Remote Thread - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a suspicious remote thread execution in some process being abused by threat actor and malware like qakbot. Qakbot is one of the malware using this technique to load its malicious dll module or malicious code in the targeted host. This TTP can be a good pivot to verify what is the behavior of the targeted Image process after this detection trigger. look for network connection, child process execution, file access and many more that helps to verify the indication of malware infection. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055", "T1055.002"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies a suspicious remote thread execution in some process being abused by threat actor and malware like qakbot. Qakbot is one of the malware using this technique to load its malicious dll module or malicious code in the targeted host. This TTP can be a good pivot to verify what is the behavior of the targeted Image process after this detection trigger. look for network connection, child process execution, file access and many more that helps to verify the indication of malware infection. -action.escu.how_to_implement = To successfully implement this search, you must be ingesting data that records process activity from your hosts like remote thread EventCode=8 of sysmon. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-06-15 -action.escu.modification_date = 2023-06-15 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Process Injection Remote Thread - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["Graceful Wipe Out Attack", "Qakbot", "Warzone RAT"] -action.risk = 1 -action.risk.param._risk_message = process $SourceImage$ create a remote thread to process $TargetImage$ on host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}, {"threat_object_field": "SourceImage", "threat_object_type": "process"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Process Injection Remote Thread - Rule -action.correlationsearch.annotations = {"analytic_story": ["Graceful Wipe Out Attack", "Qakbot", "Warzone RAT"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055", "T1055.002"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "8a618ade-ca8f-4d04-b972-2d526ba59924", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a suspicious remote thread execution in some process being abused by threat actor and malware like qakbot. Qakbot is one of the malware using this technique to load its malicious dll module or malicious code in the targeted host. This TTP can be a good pivot to verify what is the behavior of the targeted Image process after this detection trigger. look for network connection, child process execution, file access and many more that helps to verify the indication of malware infection. -action.notable.param.rule_title = Windows Process Injection Remote Thread -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=8 TargetImage IN ("*\\Taskmgr.exe", "*\\calc.exe", "*\\notepad.exe", "*\\rdpclip.exe", "*\\explorer.exe", "*\\wermgr.exe", "*\\ping.exe", "*\\OneDriveSetup.exe", "*\\dxdiag.exe", "*\\mobsync.exe", "*\\msra.exe", "*\\xwizard.exe","*\\cmd.exe", "*\\powershell.exe") | stats count min(_time) as firstTime max(_time) as lastTime by TargetImage TargetProcessId SourceProcessId EventCode StartAddress SourceImage dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_injection_remote_thread_filter` - -[ESCU - Windows Process Injection Wermgr Child Process - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a suspicious wermgr.exe parent process having a child process not related to error, fault or windows werfault event. This technique was seen in Qakbot malware where it inject its malicious code in wermgr to evade detections and hide from the analyst to execute its recon and its malicious behavior. This Anomaly detection can be a good pivot to start investigating a possible qakbot infection in the network. The Wermgr.exe process is not known to have other child processes aside from itself or werfault.exe -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a suspicious wermgr.exe parent process having a child process not related to error, fault or windows werfault event. This technique was seen in Qakbot malware where it inject its malicious code in wermgr to evade detections and hide from the analyst to execute its recon and its malicious behavior. This Anomaly detection can be a good pivot to start investigating a possible qakbot infection in the network. The Wermgr.exe process is not known to have other child processes aside from itself or werfault.exe -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2022-10-27 -action.escu.modification_date = 2022-10-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Process Injection Wermgr Child Process - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Qakbot", "Windows Error Reporting Service Elevation of Privilege Vulnerability"] -action.risk = 1 -action.risk.param._risk_message = wermgr parent process has a child process $process_name$ in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Process Injection Wermgr Child Process - Rule -action.correlationsearch.annotations = {"analytic_story": ["Qakbot", "Windows Error Reporting Service Elevation of Privilege Vulnerability"], "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "360ae6b0-38b5-4328-9e2b-bc9436cddb17", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name = "wermgr.exe" AND NOT (Processes.process_name IN ("WerFaultSecure.exe", "wermgr.exe", "WerFault.exe")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_injection_wermgr_child_process_filter` - -[ESCU - Windows Process Injection With Public Source Path - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a process in a non-standard file path on Windows attempting to create a remote thread into a process. This Windows API,CreateRemoteThread, is commonly used by adversaries for process injection to evade detections or gain privilege escalation. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055", "T1055.002"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies a process in a non-standard file path on Windows attempting to create a remote thread into a process. This Windows API,CreateRemoteThread, is commonly used by adversaries for process injection to evade detections or gain privilege escalation. -action.escu.how_to_implement = To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -action.escu.known_false_positives = Some security products or third party applications may utilize CreateRemoteThread, filter as needed before enabling as a notable. -action.escu.creation_date = 2022-08-24 -action.escu.modification_date = 2022-08-24 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Process Injection With Public Source Path - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["Brute Ratel C4"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Process Injection With Public Source Path - Rule -action.correlationsearch.annotations = {"analytic_story": ["Brute Ratel C4"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055", "T1055.002"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "492f09cf-5d60-4d87-99dd-0bc325532dda", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=8 TargetImage = "*.exe" AND NOT(SourceImage IN("C:\\Windows\\*", "C:\\Program File*", "%systemroot%\\*")) | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage signature TargetProcessGuid SourceProcessGuid TargetProcessId SourceProcessId StartAddress EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_injection_with_public_source_path_filter` - -[ESCU - Windows Process With NamedPipe CommandLine - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is to look for process commandline that contains named pipe. This technique was seen in some adversaries, threat actor and malware like olympic destroyer to communicate to its other child processes after process injection that serve as defense evasion and privilege escalation. On the other hand this analytic may catch some normal process that using this technique for example browser application. In that scenario we include common process path we've seen during testing that cause false positive which is the program files. False positive may still be arise if the normal application is in other folder path. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is to look for process commandline that contains named pipe. This technique was seen in some adversaries, threat actor and malware like olympic destroyer to communicate to its other child processes after process injection that serve as defense evasion and privilege escalation. On the other hand this analytic may catch some normal process that using this technique for example browser application. In that scenario we include common process path we've seen during testing that cause false positive which is the program files. False positive may still be arise if the normal application is in other folder path. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Normal browser application may use this technique. Please update the filter macros to remove false positives. -action.escu.creation_date = 2022-02-23 -action.escu.modification_date = 2022-02-23 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Process With NamedPipe CommandLine - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Windows Defense Evasion Tactics"] -action.risk = 1 -action.risk.param._risk_message = Process with named pipe in $process$ on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Process With NamedPipe CommandLine - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e64399d4-94a8-11ec-a9da-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = "*\\\\.\\pipe\\*" NOT (Processes.process_path IN ("*\\program files*")) by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_path Processes.process_guid Processes.parent_process_id Processes.dest Processes.user Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_with_namedpipe_commandline_filter` - -[ESCU - Windows Process Writing File to World Writable Path - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a process writing a file, specifically a .txt, to a world writable path. This technique is used by adversaries to deliver payloads to a system. It is not common for living off the land binaries to write to these paths. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.005"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a process writing a file, specifically a .txt, to a world writable path. This technique is used by adversaries to deliver payloads to a system. It is not common for living off the land binaries to write to these paths. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the file creation event, process name, file path and, file name. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Filesystem` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives may occur if legitimate software writes to these paths. Modify the search to include additional file name extensions. To enhance it further, adding a join on Processes.process_name may assist with restricting the analytic to specific process names. Investigate the process and file to determine if it is malicious. -action.escu.creation_date = 2024-04-17 -action.escu.modification_date = 2024-04-17 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Process Writing File to World Writable Path - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["APT29 Diplomatic Deceptions with WINELOADER"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Process Writing File to World Writable Path - Rule -action.correlationsearch.annotations = {"analytic_story": ["APT29 Diplomatic Deceptions with WINELOADER"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.005"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c051b68c-60f7-4022-b3ad-773bec7a225b", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name=*.txt Filesystem.file_path IN ("*\\Windows\\Tasks\\*", "*\\Windows\\Temp\\*", "*\\Windows\\tracing\\*", "*\\Windows\\PLA\\Reports\\*", "*\\Windows\\PLA\\Rules\\*", "*\\Windows\\PLA\\Templates\\*", "*\\Windows\\PLA\\Reports\\en-US\\*", "*\\Windows\\PLA\\Rules\\en-US\\*", "*\\Windows\\Registration\\CRMLog\\*", "*\\Windows\\System32\\Tasks\\*", "*\\Windows\\System32\\Com\\dmp\\*", "*\\Windows\\System32\\LogFiles\\WMI\\*", "*\\Windows\\System32\\Microsoft\\Crypto\\RSA\\MachineKeys\\*", "*\\Windows\\System32\\spool\\PRINTERS\\*", "*\\Windows\\System32\\spool\\SERVERS\\*", "*\\Windows\\System32\\spool\\drivers\\color\\*", "*\\Windows\\System32\\Tasks\\Microsoft\\Windows\\RemoteApp and Desktop Connections Update\\*", "*\\Windows\\SysWOW64\\Tasks\\*", "*\\Windows\\SysWOW64\\Com\\dmp\\*", "*\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\PLA\\*", "*\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\RemoteApp and Desktop Connections Update\\*", "*\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\PLA\\System\\*") by Filesystem.dest, Filesystem.user, Filesystem.file_name Filesystem.file_path | `drop_dm_object_name("Filesystem")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_writing_file_to_world_writable_path_filter` - -[ESCU - Windows Processes Killed By Industroyer2 Malware - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic is to look for known processes killed by industroyer2 malware. This technique was seen in the industroyer2 malware attack that tries to kill several processes of windows host machines related to the energy facility network. This anomaly might be a good indicator to check which process kill these processes or why the process was killed. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic is to look for known processes killed by industroyer2 malware. This technique was seen in the industroyer2 malware attack that tries to kill several processes of windows host machines related to the energy facility network. This anomaly might be a good indicator to check which process kill these processes or why the process was killed. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA is also required. -action.escu.known_false_positives = False positives are possible if legitimate applications are allowed to terminate this process during testing or updates. Filter as needed based on paths that are used legitimately. -action.escu.creation_date = 2023-04-14 -action.escu.modification_date = 2023-04-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Processes Killed By Industroyer2 Malware - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["Data Destruction", "Industroyer2"] -action.risk = 1 -action.risk.param._risk_message = process was terminated $process_name$ in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 36}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Processes Killed By Industroyer2 Malware - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Industroyer2"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "d8bea5ca-9d4a-4249-8b56-64a619109835", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=5 process_name IN ("PServiceControl.exe", "PService_PPD.exe") | stats min(_time) as firstTime max(_time) as lastTime count by process_name process process_path process_guid process_id EventCode dest user_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_processes_killed_by_industroyer2_malware_filter` - -[ESCU - Windows Protocol Tunneling with Plink - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the use of Plink being utilized to proxy egress or laterally in an organization. The analytic is limited to specific Plink options on the command-line, including -R -L and -D which will have the remote and local IP address or port and -l for a username. Modify the options as seen fit for your organization. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control", "Exploitation"], "mitre_attack": ["T1572", "T1021.004"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the use of Plink being utilized to proxy egress or laterally in an organization. The analytic is limited to specific Plink options on the command-line, including -R -L and -D which will have the remote and local IP address or port and -l for a username. Modify the options as seen fit for your organization. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives may be present if the organization allows for SSH tunneling outbound or internally. Filter as needed. -action.escu.creation_date = 2022-09-15 -action.escu.modification_date = 2022-09-15 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Protocol Tunneling with Plink - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["CISA AA22-257A"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to tunnel to a remote destination. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 56}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 56}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 56}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Protocol Tunneling with Plink - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA22-257A"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Command and Control", "Exploitation"], "mitre_attack": ["T1572", "T1021.004"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "8aac5e1e-0fab-4437-af0b-c6e60af23eed", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the use of Plink being utilized to proxy egress or laterally in an organization. The analytic is limited to specific Plink options on the command-line, including -R -L and -D which will have the remote and local IP address or port and -l for a username. Modify the options as seen fit for your organization. -action.notable.param.rule_title = Windows Protocol Tunneling with Plink -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=plink.exe OR Processes.original_file_name=Plink Processes.process IN ("*-R *", "*-L *", "*-D *", "*-l *") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_protocol_tunneling_with_plink_filter` - -[ESCU - Windows Proxy Via Netsh - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search looks for processes launching netsh.exe for connection proxy. Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed. In this search, we are looking for processes spawned by netsh.exe and executing commands via the command line. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1090.001", "T1090"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search looks for processes launching netsh.exe for connection proxy. Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed. In this search, we are looking for processes spawned by netsh.exe and executing commands via the command line. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Some VPN applications are known to launch netsh.exe. Outside of these instances, it is unusual for an executable to launch netsh.exe and run commands. -action.escu.creation_date = 2023-05-25 -action.escu.modification_date = 2023-05-25 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Proxy Via Netsh - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.atomic_red_team_guids = ["b8223ea9-4be2-44a6-b50a-9657a3d4e72a"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Volt Typhoon"] -action.risk = 1 -action.risk.param._risk_message = A process $process_name$ has launched netsh with command-line $process$ on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Proxy Via Netsh - Rule -action.correlationsearch.annotations = {"analytic_story": ["Volt Typhoon"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1090.001", "T1090"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c137bfe8-6036-4cff-b77b-4e327dd0a1cf", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh` Processes.process = "* portproxy *" Processes.process = "* v4tov4 *" by Processes.parent_process_name Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.user Processes.dest |`drop_dm_object_name("Processes")` |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `windows_proxy_via_netsh_filter` - -[ESCU - Windows Proxy Via Registry - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search looks for processes launching netsh.exe for connection proxy. Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed. In this search, we are looking for processes spawned by netsh.exe and executing commands via the command line. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1090.001", "T1090"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search looks for processes launching netsh.exe for connection proxy. Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed. In this search, we are looking for processes spawned by netsh.exe and executing commands via the command line. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-05-25 -action.escu.modification_date = 2023-05-25 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Proxy Via Registry - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.atomic_red_team_guids = ["b8223ea9-4be2-44a6-b50a-9657a3d4e72a"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Volt Typhoon"] -action.risk = 1 -action.risk.param._risk_message = A registry modification for port proxy in$dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Proxy Via Registry - Rule -action.correlationsearch.annotations = {"analytic_story": ["Volt Typhoon"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1090.001", "T1090"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "0270455b-1385-4579-9ac5-e77046c508ae", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path ="*\\System\\CurrentControlSet\\Services\\PortProxy\\v4tov4\\tcp*" by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.action Registry.dest Registry.user | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `windows_proxy_via_registry_filter` - -[ESCU - Windows Query Registry Browser List Application - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a suspicious process accessing default internet browsers registry entry. This registry is used by Windows to store information about default internet browsers installed on a system. Malware, adversaries or red-teamers can abuse this registry key to collect data about the installed internet browsers and their associated settings. This information can be used to steal sensitive data such as login credentials, browsing history, and saved passwords. We observed noise that needs to be filter out so we add several known path of Windows Application to make this detection more stable. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1012"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies a suspicious process accessing default internet browsers registry entry. This registry is used by Windows to store information about default internet browsers installed on a system. Malware, adversaries or red-teamers can abuse this registry key to collect data about the installed internet browsers and their associated settings. This information can be used to steal sensitive data such as login credentials, browsing history, and saved passwords. We observed noise that needs to be filter out so we add several known path of Windows Application to make this detection more stable. -action.escu.how_to_implement = To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." -action.escu.known_false_positives = uninstall application may access this registry to remove the entry of the target application. filter is needed. -action.escu.creation_date = 2023-04-25 -action.escu.modification_date = 2023-04-25 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Query Registry Browser List Application - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["RedLine Stealer"] -action.risk = 1 -action.risk.param._risk_message = A suspicious process accessing installed default browser registry on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Query Registry Browser List Application - Rule -action.correlationsearch.annotations = {"analytic_story": ["RedLine Stealer"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1012"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "45ebd21c-f4bf-4ced-bd49-d25b6526cebb", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4663 object_file_path IN ("*\\SOFTWARE\\Clients\\StartMenuInternet\\*", "*\\SOFTWARE\\Clients\\StartMenuInternet\\*") AND NOT (process_path IN ("*:\\Windows\\System32\\*", "*:\\Windows\\SysWow64\\*", "*:\\Program Files*", "*:\\Windows\\*")) | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_query_registry_browser_list_application_filter` - -[ESCU - Windows Query Registry Reg Save - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a process execution of reg.exe with "save" parameter. This reg.exe parameter is commonly being abused by threat actors, adversaries and red-teamers to dump credentials or to check the registry modification capabilities of certain users or administrators in targeted hosts. This approach was seen in post-exploitation tool like winpeas where it uses "reg save" and "reg restore" to check registry modification restriction in targeted host after gaining access to it. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1012"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a process execution of reg.exe with "save" parameter. This reg.exe parameter is commonly being abused by threat actors, adversaries and red-teamers to dump credentials or to check the registry modification capabilities of certain users or administrators in targeted hosts. This approach was seen in post-exploitation tool like winpeas where it uses "reg save" and "reg restore" to check registry modification restriction in targeted host after gaining access to it. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = network administrator can use this command tool to backup registry before updates or modifying critical registries. -action.escu.creation_date = 2023-12-27 -action.escu.modification_date = 2023-12-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Query Registry Reg Save - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["CISA AA23-347A", "Prestige Ransomware", "Windows Post-Exploitation"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Query Registry Reg Save - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A", "Prestige Ransomware", "Windows Post-Exploitation"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1012"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "cbee60c1-b776-456f-83c2-faa56bdbe6c6", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process = "* save *" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_query_registry_reg_save_filter` - -[ESCU - Windows Query Registry UnInstall Program List - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a suspicious query on uninstall application list in Windows OS registry. This registry is commonly used by legitimate software to store information about installed applications on a Windows system, such as their name, version, publisher, and installation path. However, malware, adversaries or even red-teamers can abuse this registry key to retrieve information stored in the "Uninstall" key to gather data about installed applications in the target host. This Anomaly detection can be a good pivot to detect a possible suspicious process accessing this registry which is not commonly accessed by a normal user. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1012"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies a suspicious query on uninstall application list in Windows OS registry. This registry is commonly used by legitimate software to store information about installed applications on a Windows system, such as their name, version, publisher, and installation path. However, malware, adversaries or even red-teamers can abuse this registry key to retrieve information stored in the "Uninstall" key to gather data about installed applications in the target host. This Anomaly detection can be a good pivot to detect a possible suspicious process accessing this registry which is not commonly accessed by a normal user. -action.escu.how_to_implement = To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." -action.escu.known_false_positives = Uninstall application may access this registry to remove the entry of the target application. Filter is needed. -action.escu.creation_date = 2023-04-25 -action.escu.modification_date = 2023-04-25 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Query Registry UnInstall Program List - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["RedLine Stealer"] -action.risk = 1 -action.risk.param._risk_message = A suspicious process $process_name$ accessing uninstall registry on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Query Registry UnInstall Program List - Rule -action.correlationsearch.annotations = {"analytic_story": ["RedLine Stealer"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1012"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "535fd4fc-7151-4062-9d7e-e896bea77bf6", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4663 object_file_path="\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\*" | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_query_registry_uninstall_program_list_filter` - -[ESCU - Windows Raccine Scheduled Task Deletion - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the Raccine Rules Updater scheduled task being deleted. Adversaries may attempt to remove this task in order to prevent the update of Raccine. Raccine is a "ransomware vaccine" created by security researcher Florian Roth, designed to intercept and prevent precursors and active ransomware behavior. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the Raccine Rules Updater scheduled task being deleted. Adversaries may attempt to remove this task in order to prevent the update of Raccine. Raccine is a "ransomware vaccine" created by security researcher Florian Roth, designed to intercept and prevent precursors and active ransomware behavior. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives should be limited, however filter as needed. -action.escu.creation_date = 2021-12-07 -action.escu.modification_date = 2021-12-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Raccine Scheduled Task Deletion - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Ransomware"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user user$ attempting to disable Raccines scheduled task. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Raccine Scheduled Task Deletion - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ransomware"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c9f010da-57ab-11ec-82bd-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the Raccine Rules Updater scheduled task being deleted. Adversaries may attempt to remove this task in order to prevent the update of Raccine. Raccine is a "ransomware vaccine" created by security researcher Florian Roth, designed to intercept and prevent precursors and active ransomware behavior. -action.notable.param.rule_title = Windows Raccine Scheduled Task Deletion -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe Processes.process="*delete*" AND Processes.process="*Raccine*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_raccine_scheduled_task_deletion_filter` - -[ESCU - Windows Rapid Authentication On Multiple Hosts - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic leverages Event ID 4624 to identify a source computer authenticating to a large number of remote endpoints within an Active Directory network. Specifically, the logic will trigger when a source endpoint authenticates to 30 or more target computers within a 5 minute timespan. This behavior could represent an adversary who is moving laterally across the environment or enumerating network shares in the search for sensitive files. As environments differ across organizations, security teams should customize the thresholds of this detection as needed. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic leverages Event ID 4624 to identify a source computer authenticating to a large number of remote endpoints within an Active Directory network. Specifically, the logic will trigger when a source endpoint authenticates to 30 or more target computers within a 5 minute timespan. This behavior could represent an adversary who is moving laterally across the environment or enumerating network shares in the search for sensitive files. As environments differ across organizations, security teams should customize the thresholds of this detection as needed. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled. -action.escu.known_false_positives = Vulnerability scanners or system administration tools may also trigger this detection. Filter as needed. -action.escu.creation_date = 2023-03-23 -action.escu.modification_date = 2023-03-23 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Rapid Authentication On Multiple Hosts - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Lateral Movement", "Active Directory Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = The source computer with ip address $IpAddress$ authenticated to a large number of remote endpoints within 5 minutes. -action.risk.param._risk = [{"risk_object_field": "host_targets", "risk_object_type": "system", "risk_score": 48}, {"risk_object_field": "IpAddress", "risk_object_type": "other", "risk_score": 48}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Rapid Authentication On Multiple Hosts - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "62606c77-d53d-4182-9371-b02cdbbbcef7", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic leverages Event ID 4624 to identify a source computer authenticating to a large number of remote endpoints within an Active Directory network. Specifically, the logic will trigger when a source endpoint authenticates to 30 or more target computers within a 5 minute timespan. This behavior could represent an adversary who is moving laterally across the environment or enumerating network shares in the search for sensitive files. As environments differ across organizations, security teams should customize the thresholds of this detection as needed. -action.notable.param.rule_title = Windows Rapid Authentication On Multiple Hosts -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4624 LogonType=3 TargetUserName!="ANONYMOUS LOGON" TargetUserName!="*$" | bucket span=5m _time | stats dc(Computer) AS unique_targets values(Computer) as host_targets by _time, IpAddress, TargetUserName | where unique_targets > 30 | `windows_rapid_authentication_on_multiple_hosts_filter` - -[ESCU - Windows Rasautou DLL Execution - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the Windows Windows Remote Auto Dialer, rasautou.exe executing an arbitrary DLL. This technique is used to execute arbitrary shellcode or DLLs via the rasautou.exe LOLBin capability. During triage, review parent and child process behavior including file and image loads. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055.001", "T1218", "T1055"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the Windows Windows Remote Auto Dialer, rasautou.exe executing an arbitrary DLL. This technique is used to execute arbitrary shellcode or DLLs via the rasautou.exe LOLBin capability. During triage, review parent and child process behavior including file and image loads. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives will be limited to applications that require Rasautou.exe to load a DLL from disk. Filter as needed. -action.escu.creation_date = 2022-02-15 -action.escu.modification_date = 2022-02-15 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Rasautou DLL Execution - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Windows Defense Evasion Tactics"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ attempting to load a DLL in a suspicious manner. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Rasautou DLL Execution - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055.001", "T1218", "T1055"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "6f42b8be-8e96-11ec-ad5a-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the Windows Windows Remote Auto Dialer, rasautou.exe executing an arbitrary DLL. This technique is used to execute arbitrary shellcode or DLLs via the rasautou.exe LOLBin capability. During triage, review parent and child process behavior including file and image loads. -action.notable.param.rule_title = Windows Rasautou DLL Execution -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=rasautou.exe Processes.process="* -d *"AND Processes.process="* -p *" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_rasautou_dll_execution_filter` - -[ESCU - Windows Raw Access To Disk Volume Partition - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is to look for suspicious raw access read to device disk partition of the host machine. This technique was seen in several attacks by adversaries or threat actor to wipe, encrypt or overwrite the boot sector of each partition as part of their impact payload for example the "hermeticwiper" malware. This detection is a good indicator that there is a process try to read or write on boot sector. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1561.002", "T1561"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic is to look for suspicious raw access read to device disk partition of the host machine. This technique was seen in several attacks by adversaries or threat actor to wipe, encrypt or overwrite the boot sector of each partition as part of their impact payload for example the "hermeticwiper" malware. This detection is a good indicator that there is a process try to read or write on boot sector. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the raw access read event (like sysmon eventcode 9), process name and process guid from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -action.escu.known_false_positives = This event is really notable but we found minimal number of normal application from system32 folder like svchost.exe accessing it too. In this case we used 'system32' and 'syswow64' path as a filter for this detection. -action.escu.creation_date = 2023-06-13 -action.escu.modification_date = 2023-06-13 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Raw Access To Disk Volume Partition - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["BlackByte Ransomware", "CISA AA22-264A", "Caddy Wiper", "Data Destruction", "Graceful Wipe Out Attack", "Hermetic Wiper", "NjRAT"] -action.risk = 1 -action.risk.param._risk_message = Process accessing disk partition $Device$ in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 90}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Raw Access To Disk Volume Partition - Rule -action.correlationsearch.annotations = {"analytic_story": ["BlackByte Ransomware", "CISA AA22-264A", "Caddy Wiper", "Data Destruction", "Graceful Wipe Out Attack", "Hermetic Wiper", "NjRAT"], "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1561.002", "T1561"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a85aa37e-9647-11ec-90c5-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=9 Device = \\Device\\HarddiskVolume* NOT (Image IN("*\\Windows\\System32\\*", "*\\Windows\\SysWOW64\\*")) | stats count min(_time) as firstTime max(_time) as lastTime by dest signature signature_id process_guid process_name process_path Device | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_raw_access_to_disk_volume_partition_filter` - -[ESCU - Windows Raw Access To Master Boot Record Drive - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is to look for suspicious raw access read to drive where the master boot record is placed. This technique was seen in several attacks by adversaries or threat actor to wipe, encrypt or overwrite the master boot record code as part of their impact payload. This detection is a good indicator that there is a process try to read or write on MBR sector. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1561.002", "T1561"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic is to look for suspicious raw access read to drive where the master boot record is placed. This technique was seen in several attacks by adversaries or threat actor to wipe, encrypt or overwrite the master boot record code as part of their impact payload. This detection is a good indicator that there is a process try to read or write on MBR sector. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the raw access read event (like sysmon eventcode 9), process name and process guid from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -action.escu.known_false_positives = This event is really notable but we found minimal number of normal application from system32 folder like svchost.exe accessing it too. In this case we used 'system32' and 'syswow64' path as a filter for this detection. -action.escu.creation_date = 2023-06-13 -action.escu.modification_date = 2023-06-13 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Raw Access To Master Boot Record Drive - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["BlackByte Ransomware", "CISA AA22-264A", "Caddy Wiper", "Data Destruction", "Graceful Wipe Out Attack", "Hermetic Wiper", "NjRAT", "WhisperGate"] -action.risk = 1 -action.risk.param._risk_message = process accessing MBR $Device$ on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 90}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Raw Access To Master Boot Record Drive - Rule -action.correlationsearch.annotations = {"analytic_story": ["BlackByte Ransomware", "CISA AA22-264A", "Caddy Wiper", "Data Destruction", "Graceful Wipe Out Attack", "Hermetic Wiper", "NjRAT", "WhisperGate"], "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1561.002", "T1561"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "7b83f666-900c-11ec-a2d9-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic is to look for suspicious raw access read to drive where the master boot record is placed. This technique was seen in several attacks by adversaries or threat actor to wipe, encrypt or overwrite the master boot record code as part of their impact payload. This detection is a good indicator that there is a process try to read or write on MBR sector. -action.notable.param.rule_title = Windows Raw Access To Master Boot Record Drive -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=9 Device = \\Device\\Harddisk0\\DR0 NOT (Image IN("*\\Windows\\System32\\*", "*\\Windows\\SysWOW64\\*")) | stats count min(_time) as firstTime max(_time) as lastTime by Computer Image Device ProcessGuid ProcessId EventDescription EventCode | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_raw_access_to_master_boot_record_drive_filter` - -[ESCU - Windows RDP Connection Successful - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies successful remote desktop connections. Utilize this analytic to hunt for successful attempts. In addition, the query may be modified for EventCode=1148 to potentially identify failed attempts. In testing, 1148 would not generate based on a failed logon attempt. Note this analytic requires enabling and a stanza in a inputs.conf. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1563.002"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies successful remote desktop connections. Utilize this analytic to hunt for successful attempts. In addition, the query may be modified for EventCode=1148 to potentially identify failed attempts. In testing, 1148 would not generate based on a failed logon attempt. Note this analytic requires enabling and a stanza in a inputs.conf. -action.escu.how_to_implement = The following analyic requires the WIndows TerminalServices RemoteConnectionManager Operational log to be enabled and ingested into Splunk. For the inputs, review https://gist.github.com/MHaggis/138c6bf563bacbda4a2524f089773706. -action.escu.known_false_positives = False positives will be present, filter as needed or restrict to critical assets on the perimeter. -action.escu.creation_date = 2024-04-26 -action.escu.modification_date = 2024-04-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows RDP Connection Successful - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Active Directory Lateral Movement", "BlackByte Ransomware"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows RDP Connection Successful - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "BlackByte Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1563.002"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "ceaed840-56b3-4a70-b8e1-d762b1c5c08c", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `remoteconnectionmanager` EventCode=1149 | stats count min(_time) as firstTime max(_time) as lastTime by Computer, user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename Computer as dest | `windows_rdp_connection_successful_filter` - -[ESCU - Windows Registry BootExecute Modification - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic monitors the BootExecute registry key for any modifications from its default value, which could indicate potential malicious activity. The BootExecute registry key, located at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager, manages the list of applications and services that are executed during system boot. By default, the BootExecute value is set to "autocheck autochk *". Attackers might attempt to modify this value to achieve persistence, load malicious code, or tamper with the system's boot process. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1542", "T1547.001"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic monitors the BootExecute registry key for any modifications from its default value, which could indicate potential malicious activity. The BootExecute registry key, located at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager, manages the list of applications and services that are executed during system boot. By default, the BootExecute value is set to "autocheck autochk *". Attackers might attempt to modify this value to achieve persistence, load malicious code, or tamper with the system's boot process. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on Windows Registry that include the name of the path and key responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -action.escu.known_false_positives = False positives may be present and will need to be filtered. -action.escu.creation_date = 2023-05-03 -action.escu.modification_date = 2023-05-03 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Registry BootExecute Modification - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Windows BootKits"] -action.risk = 1 -action.risk.param._risk_message = The Registry BootExecute value was modified on $dest$ and should be reviewed immediately. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 100}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Registry BootExecute Modification - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows BootKits"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1542", "T1547.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "eabbac3a-45aa-4659-920f-6b8cff383fb8", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic monitors the BootExecute registry key for any modifications from its default value, which could indicate potential malicious activity. The BootExecute registry key, located at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager, manages the list of applications and services that are executed during system boot. By default, the BootExecute value is set to "autocheck autochk *". Attackers might attempt to modify this value to achieve persistence, load malicious code, or tamper with the system's boot process. -action.notable.param.rule_title = Windows Registry BootExecute Modification -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE Registry.registry_path="HKLM\\System\\CurrentControlSet\\Control\\Session Manager\\BootExecute" BY _time span=1h Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid, Registry.action | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_registry_bootexecute_modification_filter` - -[ESCU - Windows Registry Certificate Added - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies installation of a root CA certificate by monitoring the registry. The base paths may be found [here](https://gist.github.com/mattifestation/75d6117707bcf8c26845b3cbb6ad2b6b/raw/ae65ef15c706140ffc2e165615204e20f2903028/RootCAInstallationDetection.xml). In short, there are specific certificate registry paths that will be written to (SetValue) when a new certificate is added. The high-fidelity events to pay attention to are SetValue events where the TargetObject property ends with "\Blob" as this indicates the direct installation or modification of a root certificate binary blob. The other high fidelity reference will be which process is making the registry modifications. There are very few processes that modify these day to day, therefore monitoring for all to start (hunting) provides a great beginning. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1553.004", "T1553"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies installation of a root CA certificate by monitoring the registry. The base paths may be found [here](https://gist.github.com/mattifestation/75d6117707bcf8c26845b3cbb6ad2b6b/raw/ae65ef15c706140ffc2e165615204e20f2903028/RootCAInstallationDetection.xml). In short, there are specific certificate registry paths that will be written to (SetValue) when a new certificate is added. The high-fidelity events to pay attention to are SetValue events where the TargetObject property ends with "\Blob" as this indicates the direct installation or modification of a root certificate binary blob. The other high fidelity reference will be which process is making the registry modifications. There are very few processes that modify these day to day, therefore monitoring for all to start (hunting) provides a great beginning. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -action.escu.known_false_positives = False positives will be limited to a legitimate business applicating consistently adding new root certificates to the endpoint. Filter by user, process, or thumbprint. -action.escu.creation_date = 2023-04-27 -action.escu.modification_date = 2023-04-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Registry Certificate Added - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Windows Drivers", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = A root certificate was added on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 42}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Registry Certificate Added - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Drivers", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 70, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1553.004", "T1553"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "5ee98b2f-8b9e-457a-8bdc-dd41aaba9e87", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry where Registry.registry_path IN ("*\\certificates\\*") AND Registry.registry_value_name="Blob" by _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.process_guid Registry.registry_key_name Registry.registry_value_data | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_registry_certificate_added_filter` - -[ESCU - Windows Registry Delete Task SD - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a process attempting to delete a scheduled task SD (Security Descriptor) from within the registry path of that task. This may occur from a non-standard process running and may not come from reg.exe. This particular behavior will remove the actual Task Name from the Task Scheduler GUI and from the command-line query - schtasks.exe /query. In addition, in order to perform this action, the user context will need to be SYSTEM. \ -Identifying the deletion of a scheduled task's Security Descriptor from the registry is significant for a SOC as it may indicate malicious activity attempting to remove evidence of a scheduled task, potentially for defense evasion purposes. If a true positive is detected, it suggests an attacker with privileged access attempting to remove traces of their activities, which can have a significant impact on the security and functionality of affected systems. Immediate investigation and response are required to mitigate further risks and preserve the integrity of the environment. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.005", "T1562"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a process attempting to delete a scheduled task SD (Security Descriptor) from within the registry path of that task. This may occur from a non-standard process running and may not come from reg.exe. This particular behavior will remove the actual Task Name from the Task Scheduler GUI and from the command-line query - schtasks.exe /query. In addition, in order to perform this action, the user context will need to be SYSTEM. \ -Identifying the deletion of a scheduled task's Security Descriptor from the registry is significant for a SOC as it may indicate malicious activity attempting to remove evidence of a scheduled task, potentially for defense evasion purposes. If a true positive is detected, it suggests an attacker with privileged access attempting to remove traces of their activities, which can have a significant impact on the security and functionality of affected systems. Immediate investigation and response are required to mitigate further risks and preserve the integrity of the environment. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -action.escu.known_false_positives = False positives should be limited as the activity is not common to delete ONLY the SD from the registry. Filter as needed. Update the analytic Modified or Deleted values based on product that is in the datamodel. -action.escu.creation_date = 2022-04-13 -action.escu.modification_date = 2022-04-13 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Registry Delete Task SD - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Scheduled Tasks", "Windows Persistence Techniques", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = A scheduled task security descriptor was deleted from the registry on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Registry Delete Task SD - Rule -action.correlationsearch.annotations = {"analytic_story": ["Scheduled Tasks", "Windows Persistence Techniques", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.005", "T1562"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "ffeb7893-ff06-446f-815b-33ca73224e92", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry where Registry.registry_path IN ("*\\Schedule\\TaskCache\\Tree\\*") Registry.user="SYSTEM" Registry.registry_value_name="SD" (Registry.action=Deleted OR Registry.action=modified) by _time Registry.dest Registry.process_guid Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_key_name Registry.registry_value_data Registry.status Registry.action | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_registry_delete_task_sd_filter` - -[ESCU - Windows Registry Modification for Safe Mode Persistence - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a modification or registry add to the safeboot registry as an autostart mechanism. This technique is utilized by adversaries to persist a driver or service into Safe Mode. Two keys are monitored in this analytic, Minimal and Network. adding values to Minimal will load into Safe Mode and by adding into Network it will provide the service or drive the ability to perform network connections in Safe Mode. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1547.001", "T1547"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a modification or registry add to the safeboot registry as an autostart mechanism. This technique is utilized by adversaries to persist a driver or service into Safe Mode. Two keys are monitored in this analytic, Minimal and Network. adding values to Minimal will load into Safe Mode and by adding into Network it will provide the service or drive the ability to perform network connections in Safe Mode. -action.escu.how_to_implement = To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry. -action.escu.known_false_positives = updated windows application needed in safe boot may used this registry -action.escu.creation_date = 2023-04-27 -action.escu.modification_date = 2023-04-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Registry Modification for Safe Mode Persistence - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Ransomware", "Windows Drivers", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = Safeboot registry $registry_path$ was added or modified with a new value $registry_value_name$ on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 42}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Registry Modification for Safe Mode Persistence - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Windows Drivers", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 70, "impact": 60, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1547.001", "T1547"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c6149154-c9d8-11eb-9da7-acde48001122", "detection_version": "4"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a modification or registry add to the safeboot registry as an autostart mechanism. This technique is utilized by adversaries to persist a driver or service into Safe Mode. Two keys are monitored in this analytic, Minimal and Network. adding values to Minimal will load into Safe Mode and by adding into Network it will provide the service or drive the ability to perform network connections in Safe Mode. -action.notable.param.rule_title = Windows Registry Modification for Safe Mode Persistence -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry where Registry.registry_path IN ("*SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\*","*SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Network\\*") by _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.process_guid Registry.registry_key_name Registry.registry_value_data | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_registry_modification_for_safe_mode_persistence_filter` - -[ESCU - Windows Registry Payload Injection - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies when suspiciouly long data is written to the registry. This behavior is often associated with certain fileless malware threats or persistence techniques used by threat actors. Data stored in the registy is considered fileless since it does not get written to disk and is traditionally not well defended since normal users can modify thier own registry. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1027", "T1027.011"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies when suspiciouly long data is written to the registry. This behavior is often associated with certain fileless malware threats or persistence techniques used by threat actors. Data stored in the registy is considered fileless since it does not get written to disk and is traditionally not well defended since normal users can modify thier own registry. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Unknown, possible custom scripting. -action.escu.creation_date = 2023-06-15 -action.escu.modification_date = 2023-06-15 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Registry Payload Injection - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Unusual Processes"] -action.risk = 1 -action.risk.param._risk_message = The process $process_name$ added a suspicious length of registry data on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 60}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 60}, {"threat_object_field": "process_name", "threat_object_type": "process"}, {"threat_object_field": "process_name", "threat_object_type": "process"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Registry Payload Injection - Rule -action.correlationsearch.annotations = {"analytic_story": ["Unusual Processes"], "cis20": ["CIS 10"], "confidence": 60, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1027", "T1027.011"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c6b2d80f-179a-41a1-b95e-ce5601d7427a", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies when suspiciouly long data is written to the registry. This behavior is often associated with certain fileless malware threats or persistence techniques used by threat actors. Data stored in the registy is considered fileless since it does not get written to disk and is traditionally not well defended since normal users can modify thier own registry. -action.notable.param.rule_title = Windows Registry Payload Injection -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid| `drop_dm_object_name(Processes)` | join max=0 dest process_guid [| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry where Registry.registry_value_data=* by _time span=1h Registry.dest Registry.registry_path Registry.registry_value_name Registry.process_guid Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | eval reg_data_len = len(registry_value_data) | where reg_data_len > 512] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data)| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_registry_payload_injection_filter` - -[ESCU - Windows Registry SIP Provider Modification - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects modifications to the Windows Registry SIP Provider. It identifies this behavior by monitoring Sysmon EventID 7, which logs registry modification events. The analytic specifically looks for changes in registry paths and values associated with Cryptography Providers and OID Encoding Types. This behavior is worth identifying as it may indicate an attempt to subvert trust controls, a technique often used by adversaries to bypass security measures and maintain persistence in an environment. If a true positive is found, it suggests an attacker is trying to manipulate the system's cryptographic functions, potentially leading to unauthorized access, data theft, or other damaging outcomes. Upon triage, review the registry paths and values modified, and look for concurrent processes to identify the attack source. Review the path of the SIP being added. This approach helps analysts detect potential threats earlier and mitigate the risks. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1553.003"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects modifications to the Windows Registry SIP Provider. It identifies this behavior by monitoring Sysmon EventID 7, which logs registry modification events. The analytic specifically looks for changes in registry paths and values associated with Cryptography Providers and OID Encoding Types. This behavior is worth identifying as it may indicate an attempt to subvert trust controls, a technique often used by adversaries to bypass security measures and maintain persistence in an environment. If a true positive is found, it suggests an attacker is trying to manipulate the system's cryptographic functions, potentially leading to unauthorized access, data theft, or other damaging outcomes. Upon triage, review the registry paths and values modified, and look for concurrent processes to identify the attack source. Review the path of the SIP being added. This approach helps analysts detect potential threats earlier and mitigate the risks. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -action.escu.known_false_positives = Be aware of potential false positives - legitimate applications may cause benign activities to be flagged. -action.escu.creation_date = 2023-10-10 -action.escu.modification_date = 2023-10-10 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Registry SIP Provider Modification - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Subvert Trust Controls SIP and Trust Provider Hijacking"] -action.risk = 1 -action.risk.param._risk_message = Windows Registry SIP Provider Modification detected on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Registry SIP Provider Modification - Rule -action.correlationsearch.annotations = {"analytic_story": ["Subvert Trust Controls SIP and Trust Provider Hijacking"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1553.003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "3b4e18cb-497f-4073-85ad-1ada7c2107ab", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects modifications to the Windows Registry SIP Provider. It identifies this behavior by monitoring Sysmon EventID 7, which logs registry modification events. The analytic specifically looks for changes in registry paths and values associated with Cryptography Providers and OID Encoding Types. This behavior is worth identifying as it may indicate an attempt to subvert trust controls, a technique often used by adversaries to bypass security measures and maintain persistence in an environment. If a true positive is found, it suggests an attacker is trying to manipulate the system's cryptographic functions, potentially leading to unauthorized access, data theft, or other damaging outcomes. Upon triage, review the registry paths and values modified, and look for concurrent processes to identify the attack source. Review the path of the SIP being added. This approach helps analysts detect potential threats earlier and mitigate the risks. -action.notable.param.rule_title = Windows Registry SIP Provider Modification -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path IN ("*\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\*", "*\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType*", "*\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\Providers\\*", "*\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType*") Registry.registry_value_name IN ("Dll","$DLL") by Registry.dest , Registry.user Registry.registry_value_name, Registry.registry_value_data | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)`| `windows_registry_sip_provider_modification_filter` - -[ESCU - Windows Regsvr32 Renamed Binary - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following hunting analytic identifies renamed instances of regsv32.exe executing. regsv32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. During investigation, validate if it is the legitimate regsv32.exe executing and what dll module content it is loading. This query relies on the original filename or internal name from the PE meta data. Expand the query as needed by looking for specific command line arguments outlined in other analytics. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.010", "T1218"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following hunting analytic identifies renamed instances of regsv32.exe executing. regsv32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. During investigation, validate if it is the legitimate regsv32.exe executing and what dll module content it is loading. This query relies on the original filename or internal name from the PE meta data. Expand the query as needed by looking for specific command line arguments outlined in other analytics. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2022-10-27 -action.escu.modification_date = 2022-10-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Regsvr32 Renamed Binary - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Qakbot"] -action.risk = 1 -action.risk.param._risk_message = regsvr32 was renamed as $process_name$ in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Regsvr32 Renamed Binary - Rule -action.correlationsearch.annotations = {"analytic_story": ["Qakbot"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.010", "T1218"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "7349a9e9-3cf6-4171-bb0c-75607a8dcd1a", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following hunting analytic identifies renamed instances of regsv32.exe executing. regsv32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. During investigation, validate if it is the legitimate regsv32.exe executing and what dll module content it is loading. This query relies on the original filename or internal name from the PE meta data. Expand the query as needed by looking for specific command line arguments outlined in other analytics. -action.notable.param.rule_title = Windows Regsvr32 Renamed Binary -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name != regsvr32.exe AND Processes.original_file_name=regsvr32.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_regsvr32_renamed_binary_filter` - -[ESCU - Windows Remote Access Software BRC4 Loaded Dll - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following anomaly detection identifies the behavior related to 4 native Windows DLLs being loaded by a non-standard process. Identified by MDSec during their research into Brute Ratel, MDSec identified a high signal analytic by calling out these 4 DLLs being loaded into a process. LogonCLI.dll is the Net Logon Client DLL and is related to users and other domain services to get authenticated. Credui.dll is Credential Manager User Interface. Credential managers receive notifications when authentication information changes. For example, credential managers are notified when a user logs on or an account password changes. Samcli.dll is the Security Accounts Manager Client DLL. Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. Dbghelp.dll is Windows Image Helper. Windows Image Helper is commonly seen in credential dumping due to native functions. All of these modules are important to monitor and track and combined may lead to credentail access or dumping. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control", "Exploitation"], "mitre_attack": ["T1219", "T1003"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following anomaly detection identifies the behavior related to 4 native Windows DLLs being loaded by a non-standard process. Identified by MDSec during their research into Brute Ratel, MDSec identified a high signal analytic by calling out these 4 DLLs being loaded into a process. LogonCLI.dll is the Net Logon Client DLL and is related to users and other domain services to get authenticated. Credui.dll is Credential Manager User Interface. Credential managers receive notifications when authentication information changes. For example, credential managers are notified when a user logs on or an account password changes. Samcli.dll is the Security Accounts Manager Client DLL. Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. Dbghelp.dll is Windows Image Helper. Windows Image Helper is commonly seen in credential dumping due to native functions. All of these modules are important to monitor and track and combined may lead to credentail access or dumping. -action.escu.how_to_implement = The latest Sysmon TA 3.0 https://splunkbase.splunk.com/app/5709 will add the ImageLoaded name to the process_name field, allowing this query to work. Use as an example and implement for other products. -action.escu.known_false_positives = This module can be loaded by a third party application. Filter is needed. -action.escu.creation_date = 2022-08-24 -action.escu.modification_date = 2022-08-24 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Remote Access Software BRC4 Loaded Dll - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["Brute Ratel C4"] -action.risk = 1 -action.risk.param._risk_message = a process $Image$ loaded several modules $ImageLoaded$ that might related to credential access on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 9}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Remote Access Software BRC4 Loaded Dll - Rule -action.correlationsearch.annotations = {"analytic_story": ["Brute Ratel C4"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Command and Control", "Exploitation"], "mitre_attack": ["T1219", "T1003"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "73cf5dcb-cf36-4167-8bbe-384fe5384d05", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=7 |bin _time span=30s | eval BRC4_AnomalyLoadedDll=case(OriginalFileName=="credui.dll", 1, OriginalFileName=="DBGHELP.DLL", 1, OriginalFileName=="SAMCLI.DLL", 1, OriginalFileName=="winhttp.dll", 1, 1=1, 0) | eval BRC4_LoadedDllPath=case(match(ImageLoaded, "credui.dll"), 1, match(ImageLoaded, "dbghelp.dll"), 1, match(ImageLoaded, "samcli.dll"), 1, match(ImageLoaded, "winhttp.dll"), 1, 1=1, 0) | stats count min(_time) as firstTime max(_time) as lastTime values(ImageLoaded) as ImageLoaded values(OriginalFileName) as OriginalFileName dc(ImageLoaded) as ImageLoadedCount by Image BRC4_LoadedDllPath BRC4_AnomalyLoadedDll dest EventCode Signed | where ImageLoadedCount == 4 AND (BRC4_LoadedDllPath == 1 OR BRC4_AnomalyLoadedDll == 1) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_access_software_brc4_loaded_dll_filter` - -[ESCU - Windows Remote Access Software Hunt - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following hunting analytic is meant to help organizations understand what remote access software is being used in the environment. When reviewing this hunt, confirm the software identified is authorized to be utilized. Based on fidelity, create a new analytic for specific utilities banned within the organization. Adversaries use these utilities to retain remote access capabilities to the environment. Utilities in the lookup include AnyDesk, GoToMyPC, LogMeIn, TeamViewer and much more. Review the lookup for the entire list and add any others. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1219"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following hunting analytic is meant to help organizations understand what remote access software is being used in the environment. When reviewing this hunt, confirm the software identified is authorized to be utilized. Based on fidelity, create a new analytic for specific utilities banned within the organization. Adversaries use these utilities to retain remote access capabilities to the environment. Utilities in the lookup include AnyDesk, GoToMyPC, LogMeIn, TeamViewer and much more. Review the lookup for the entire list and add any others. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives will be found. Filter as needed and create higher fidelity analytics based off banned remote access software. -action.escu.creation_date = 2022-08-22 -action.escu.modification_date = 2022-08-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Remote Access Software Hunt - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Command And Control", "Insider Threat", "Ransomware"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Remote Access Software Hunt - Rule -action.correlationsearch.annotations = {"analytic_story": ["Command And Control", "Insider Threat", "Ransomware"], "cis20": ["CIS 10"], "confidence": 10, "impact": 10, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1219"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "8bd22c9f-05a2-4db1-b131-29271f28cb0a", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as process values(Processes.parent_process) as parent_process from datamodel=Endpoint.Processes where Processes.dest!=unknown Processes.user!=unknown by Processes.dest Processes.user Processes.process_name Processes.process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | lookup remote_access_software remote_utility AS process_name OUTPUT isutility | search isutility = True | `windows_remote_access_software_hunt_filter` - -[ESCU - Windows Remote Access Software RMS Registry - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic is to identify a modification or creation of Windows registry related to the Remote Manipulator System (RMS) Remote Admin tool. RMS is a legitimate tool developed by russian organization TektonIT and has been observed being abused by adversaries to gain remote access to the targeted host. Azorult malware utilized RMS to gain remote access. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1219"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic is to identify a modification or creation of Windows registry related to the Remote Manipulator System (RMS) Remote Admin tool. RMS is a legitimate tool developed by russian organization TektonIT and has been observed being abused by adversaries to gain remote access to the targeted host. Azorult malware utilized RMS to gain remote access. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -action.escu.known_false_positives = administrators may enable or disable this feature that may cause some false positive. -action.escu.creation_date = 2022-06-22 -action.escu.modification_date = 2022-06-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Remote Access Software RMS Registry - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Azorult"] -action.risk = 1 -action.risk.param._risk_message = the registry related to RMS tool is created in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 90}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Remote Access Software RMS Registry - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azorult"], "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1219"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e5b7b5a9-e471-4be8-8c5d-4083983ba329", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic is to identify a modification or creation of Windows registry related to the Remote Manipulator System (RMS) Remote Admin tool. RMS is a legitimate tool developed by russian organization TektonIT and has been observed being abused by adversaries to gain remote access to the targeted host. Azorult malware utilized RMS to gain remote access. -action.notable.param.rule_title = Windows Remote Access Software RMS Registry -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\SYSTEM\\Remote Manipulator System*" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_access_software_rms_registry_filter` - -[ESCU - Windows Remote Assistance Spawning Process - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the use of Microsoft Remote Assistance, msra.exe, spawning PowerShell.exe or cmd.exe as a child process. Msra.exe by default has no command-line arguments and typically spawns itself. It will generate a network connection to the remote system that is connected. This behavior is indicative of another process injected into msra.exe. Review the parent process or cross process events to identify source. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the use of Microsoft Remote Assistance, msra.exe, spawning PowerShell.exe or cmd.exe as a child process. Msra.exe by default has no command-line arguments and typically spawns itself. It will generate a network connection to the remote system that is connected. This behavior is indicative of another process injected into msra.exe. Review the parent process or cross process events to identify source. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives should be limited, filter as needed. Add additional shells as needed. -action.escu.creation_date = 2022-02-07 -action.escu.modification_date = 2022-02-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Remote Assistance Spawning Process - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Unusual Processes"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$, generating behavior not common with msra.exe. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Remote Assistance Spawning Process - Rule -action.correlationsearch.annotations = {"analytic_story": ["Unusual Processes"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "ced50492-8849-11ec-9f68-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the use of Microsoft Remote Assistance, msra.exe, spawning PowerShell.exe or cmd.exe as a child process. Msra.exe by default has no command-line arguments and typically spawns itself. It will generate a network connection to the remote system that is connected. This behavior is indicative of another process injected into msra.exe. Review the parent process or cross process events to identify source. -action.notable.param.rule_title = Windows Remote Assistance Spawning Process -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=msra.exe `windows_shells` by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_assistance_spawning_process_filter` - -[ESCU - Windows Remote Create Service - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic identifies an endpoint that remotely connects to another endpoint to create a new service using sc.exe. On the remote endpoint, the new service will be created and this action will trigger the creation of EventCode 7045 along with all the resulting service information. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1543", "T1543.003"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic identifies an endpoint that remotely connects to another endpoint to create a new service using sc.exe. On the remote endpoint, the new service will be created and this action will trigger the creation of EventCode 7045 along with all the resulting service information. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Note that false positives may occur, and filtering may be necessary, especially when it comes to remote service creation by administrators or software management utilities. -action.escu.creation_date = 2023-03-20 -action.escu.modification_date = 2023-03-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Remote Create Service - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Lateral Movement", "CISA AA23-347A"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to create a remote service. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 25}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Remote Create Service - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1543", "T1543.003"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "0dc44d03-8c00-482d-ba7c-796ba7ab18c9", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=sc.exe Processes.process IN ("*create*") Processes.process="*\\\\*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_create_service_filter` - -[ESCU - Windows Remote Service Rdpwinst Tool Execution - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies RDPWInst.exe tool, which is a RDP wrapper library tool designed to enable remote desktop host support and concurrent RDP session on reduced functionality system. Unfortunately, this open project was abused by adversaries to enable RDP connection to the targeted host for remote access and potentially be for lateral movement. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies RDPWInst.exe tool, which is a RDP wrapper library tool designed to enable remote desktop host support and concurrent RDP session on reduced functionality system. Unfortunately, this open project was abused by adversaries to enable RDP connection to the targeted host for remote access and potentially be for lateral movement. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = This tool was designed for home usage and not commonly seen in production environment. Filter as needed. -action.escu.creation_date = 2022-06-24 -action.escu.modification_date = 2022-06-24 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Remote Service Rdpwinst Tool Execution - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Azorult"] -action.risk = 1 -action.risk.param._risk_message = Rdpwinst.exe executed on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 81}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Remote Service Rdpwinst Tool Execution - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azorult"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c8127f87-c7c9-4036-89ed-8fe4b30e678c", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies RDPWInst.exe tool, which is a RDP wrapper library tool designed to enable remote desktop host support and concurrent RDP session on reduced functionality system. Unfortunately, this open project was abused by adversaries to enable RDP connection to the targeted host for remote access and potentially be for lateral movement. -action.notable.param.rule_title = Windows Remote Service Rdpwinst Tool Execution -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="RDPWInst.exe" OR Processes.original_file_name="RDPWInst.exe") AND Processes.process IN ("* -i*", "* -s*", "* -o*", "* -w*", "* -r*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_service_rdpwinst_tool_execution_filter` - -[ESCU - Windows Remote Services Allow Rdp In Firewall - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic is to identify a modification in the Windows firewall to enable remote desktop protocol on a targeted machine. This technique was seen in several adversaries, malware or red teamer to remotely access the compromised or targeted host by allowing this protocol in firewall. Even this protocol might be allowed in some production environment, This TTP behavior is a good pivot to check who and why the user want to enable this feature through firewall which is also common traits of attack to start lateral movement. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic is to identify a modification in the Windows firewall to enable remote desktop protocol on a targeted machine. This technique was seen in several adversaries, malware or red teamer to remotely access the compromised or targeted host by allowing this protocol in firewall. Even this protocol might be allowed in some production environment, This TTP behavior is a good pivot to check who and why the user want to enable this feature through firewall which is also common traits of attack to start lateral movement. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = administrators may enable or disable this feature that may cause some false positive. -action.escu.creation_date = 2022-06-21 -action.escu.modification_date = 2022-06-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Remote Services Allow Rdp In Firewall - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Azorult"] -action.risk = 1 -action.risk.param._risk_message = new firewall rules was added to allow rdp connection to $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Remote Services Allow Rdp In Firewall - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azorult"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "9170cb54-ea15-41e1-9dfc-9f3363ce9b02", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` values(Processes.process) as cmdline values(Processes.parent_process_name) as parent_process values(Processes.process_name) count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = "netsh.exe" OR Processes.original_file_name= "netsh.exe") AND Processes.process = "*firewall*" AND Processes.process = "*add*" AND Processes.process = "*protocol=TCP*" AND Processes.process = "*localport=3389*" AND Processes.process = "*action=allow*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_services_allow_rdp_in_firewall_filter` - -[ESCU - Windows Remote Services Allow Remote Assistance - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic is to identify a modification in the Windows registry to enable remote desktop assistance on a targeted machine. This technique was seen in several adversaries, malware or red teamer like azorult to remotely access the compromised or targeted host by enabling this protocol in registry. Even this protocol might be allowed in some production environment, This Anomaly behavior is a good pivot to check who and why the user want to enable this feature through registry which is un-common. And as per stated in microsoft documentation the default value of this registry is false that makes this a good indicator of suspicious behavior. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic is to identify a modification in the Windows registry to enable remote desktop assistance on a targeted machine. This technique was seen in several adversaries, malware or red teamer like azorult to remotely access the compromised or targeted host by enabling this protocol in registry. Even this protocol might be allowed in some production environment, This Anomaly behavior is a good pivot to check who and why the user want to enable this feature through registry which is un-common. And as per stated in microsoft documentation the default value of this registry is false that makes this a good indicator of suspicious behavior. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -action.escu.known_false_positives = administrators may enable or disable this feature that may cause some false positive. -action.escu.creation_date = 2022-06-21 -action.escu.modification_date = 2022-06-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Remote Services Allow Remote Assistance - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Azorult"] -action.risk = 1 -action.risk.param._risk_message = the registry for rdp protocol was modified to enable in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Remote Services Allow Remote Assistance - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azorult"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "9bce3a97-bc97-4e89-a1aa-ead151c82fbb", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Control\\Terminal Server\\fAllowToGetHelp*" Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_services_allow_remote_assistance_filter` - -[ESCU - Windows Remote Services Rdp Enable - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic is to identify a modification in the Windows registry to enable remote desktop protocol on a targeted machine. This technique was seen in several adversaries, malware or red teamer to remotely access the compromised or targeted host by enabling this protocol in registry. Even this protocol might be allowed in some production environment, This TTP behavior is a good pivot to check who and why the user want to enable this feature through registry which is un-common. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic is to identify a modification in the Windows registry to enable remote desktop protocol on a targeted machine. This technique was seen in several adversaries, malware or red teamer to remotely access the compromised or targeted host by enabling this protocol in registry. Even this protocol might be allowed in some production environment, This TTP behavior is a good pivot to check who and why the user want to enable this feature through registry which is un-common. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -action.escu.known_false_positives = administrators may enable or disable this feature that may cause some false positive. -action.escu.creation_date = 2022-06-21 -action.escu.modification_date = 2022-06-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Remote Services Rdp Enable - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Azorult"] -action.risk = 1 -action.risk.param._risk_message = the registry for rdp protocol was modified to enable in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Remote Services Rdp Enable - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azorult"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "8fbd2e88-4ea5-40b9-9217-fd0855e08cc0", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic is to identify a modification in the Windows registry to enable remote desktop protocol on a targeted machine. This technique was seen in several adversaries, malware or red teamer to remotely access the compromised or targeted host by enabling this protocol in registry. Even this protocol might be allowed in some production environment, This TTP behavior is a good pivot to check who and why the user want to enable this feature through registry which is un-common. -action.notable.param.rule_title = Windows Remote Services Rdp Enable -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Control\\Terminal Server\\fDenyTSConnections*" Registry.registry_value_data="0x00000000" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_services_rdp_enable_filter` - -[ESCU - Windows Replication Through Removable Media - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is developed to detect suspicious executable or script files created or dropped in the root drive of a targeted host. This technique is commonly used by threat actors, adversaries or even red teamers to replicate or spread in possible removable drives. Back then, WORM malware was popular for this technique where it would drop a copy of itself in the root drive to be able to spread or to have a lateral movement in other network machines. Nowadays, Ransomware like CHAOS ransomware also use this technique to spread its malicious code in possible removable drives. This TTP detection can be a good indicator that a process might create a persistence technique or lateral movement of a targeted machine. We suggest checking the process name that creates this event, the file created, user type, and the reason why that executable or scripts are dropped in the root drive. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation"], "mitre_attack": ["T1091"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is developed to detect suspicious executable or script files created or dropped in the root drive of a targeted host. This technique is commonly used by threat actors, adversaries or even red teamers to replicate or spread in possible removable drives. Back then, WORM malware was popular for this technique where it would drop a copy of itself in the root drive to be able to spread or to have a lateral movement in other network machines. Nowadays, Ransomware like CHAOS ransomware also use this technique to spread its malicious code in possible removable drives. This TTP detection can be a good indicator that a process might create a persistence technique or lateral movement of a targeted machine. We suggest checking the process name that creates this event, the file created, user type, and the reason why that executable or scripts are dropped in the root drive. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. -action.escu.known_false_positives = Administrators may allow creation of script or exe in the paths specified. Filter as needed. -action.escu.creation_date = 2023-09-07 -action.escu.modification_date = 2023-09-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Replication Through Removable Media - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Chaos Ransomware", "NjRAT", "PlugX"] -action.risk = 1 -action.risk.param._risk_message = executable or script $file_path$ was dropped in root drive $root_drive$ in $dest$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}, {"threat_object_field": "file_name", "threat_object_type": "file_name"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Replication Through Removable Media - Rule -action.correlationsearch.annotations = {"analytic_story": ["Chaos Ransomware", "NjRAT", "PlugX"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Delivery", "Exploitation"], "mitre_attack": ["T1091"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "60df805d-4605-41c8-bbba-57baa6a4eb97", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic is developed to detect suspicious executable or script files created or dropped in the root drive of a targeted host. This technique is commonly used by threat actors, adversaries or even red teamers to replicate or spread in possible removable drives. Back then, WORM malware was popular for this technique where it would drop a copy of itself in the root drive to be able to spread or to have a lateral movement in other network machines. Nowadays, Ransomware like CHAOS ransomware also use this technique to spread its malicious code in possible removable drives. This TTP detection can be a good indicator that a process might create a persistence technique or lateral movement of a targeted machine. We suggest checking the process name that creates this event, the file created, user type, and the reason why that executable or scripts are dropped in the root drive. -action.notable.param.rule_title = Windows Replication Through Removable Media -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = |tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_name = *.exe OR Filesystem.file_name = *.dll OR Filesystem.file_name = *.sys OR Filesystem.file_name = *.com OR Filesystem.file_name = *.vbs OR Filesystem.file_name = *.vbe OR Filesystem.file_name = *.js OR Filesystem.file_name= *.bat OR Filesystem.file_name = *.cmd OR Filesystem.file_name = *.pif) by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.user Filesystem.dest | `drop_dm_object_name(Filesystem)` | eval dropped_file_path = split(file_path, "\\") | eval dropped_file_path_split_count = mvcount(dropped_file_path) | eval root_drive = mvindex(dropped_file_path,0) | where LIKE(root_drive, "%:") AND dropped_file_path_split_count = 2 AND root_drive!= "C:" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_replication_through_removable_media_filter` - -[ESCU - Windows Root Domain linked policies Discovery - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain groups. Red Teams and adversaries may leverage `[Adsisearcher]` to enumerate root domain linked policies for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain groups. Red Teams and adversaries may leverage `[Adsisearcher]` to enumerate root domain linked policies for situational awareness and Active Directory Discovery. -action.escu.how_to_implement = The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. -action.escu.creation_date = 2023-04-14 -action.escu.modification_date = 2023-04-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Root Domain linked policies Discovery - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Discovery", "Data Destruction", "Industroyer2"] -action.risk = 1 -action.risk.param._risk_message = Windows PowerShell [Adsisearcher] was used user enumeration on endpoint $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Root Domain linked policies Discovery - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "Data Destruction", "Industroyer2"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "80ffaede-1f12-49d5-a86e-b4b599b68b3c", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText = "*[adsisearcher]*" ScriptBlockText = "*.SearchRooT*" ScriptBlockText = "*.gplink*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | rename Computer as dest, user_id as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_root_domain_linked_policies_discovery_filter` - -[ESCU - Windows Rundll32 Apply User Settings Changes - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search is to detect a suspicious rundll32 commandline to update a user's system parameters related to desktop backgrounds, display settings, and visual themes. Specifically, it triggers the system to refresh and apply changes to the user-specific settings, such as wallpaper modifications or visual theme updates, ensuring that the changes take effect without the need to restart the system or log out and log back in. This technique was seen in Rhysida Ransomware and script as part of its defense evasion. This technique is not a common practice to lock a screen and maybe a good indicator of compromise. This command could also potentially be exploited by malware to disguise its activities or make unauthorized changes to a user's system settings without their knowledge or consent. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search is to detect a suspicious rundll32 commandline to update a user's system parameters related to desktop backgrounds, display settings, and visual themes. Specifically, it triggers the system to refresh and apply changes to the user-specific settings, such as wallpaper modifications or visual theme updates, ensuring that the changes take effect without the need to restart the system or log out and log back in. This technique was seen in Rhysida Ransomware and script as part of its defense evasion. This technique is not a common practice to lock a screen and maybe a good indicator of compromise. This command could also potentially be exploited by malware to disguise its activities or make unauthorized changes to a user's system settings without their knowledge or consent. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-12-12 -action.escu.modification_date = 2023-12-12 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Rundll32 Apply User Settings Changes - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Rhysida Ransomware"] -action.risk = 1 -action.risk.param._risk_message = Process $process_name$ with cmdline $process$ in host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}, {"threat_object_field": "process_name", "threat_object_type": "process"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Rundll32 Apply User Settings Changes - Rule -action.correlationsearch.annotations = {"analytic_story": ["Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "b9fb8d97-dbc9-4a09-804c-ff0e3862bb2d", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search is to detect a suspicious rundll32 commandline to update a user's system parameters related to desktop backgrounds, display settings, and visual themes. Specifically, it triggers the system to refresh and apply changes to the user-specific settings, such as wallpaper modifications or visual theme updates, ensuring that the changes take effect without the need to restart the system or log out and log back in. This technique was seen in Rhysida Ransomware and script as part of its defense evasion. This technique is not a common practice to lock a screen and maybe a good indicator of compromise. This command could also potentially be exploited by malware to disguise its activities or make unauthorized changes to a user's system settings without their knowledge or consent. -action.notable.param.rule_title = Windows Rundll32 Apply User Settings Changes -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=rundll32.exe Processes.process= "*user32.dll,UpdatePerUserSystemParameters*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_rundll32_apply_user_settings_changes_filter` - -[ESCU - Windows Rundll32 WebDAV Request - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the execution of rundll32.exe with command-line arguments loading davclnt.dll and the davsetcookie function to access a remote WebDAV instance. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it may indicate an attempt to exploit CVE-2023-23397, a known vulnerability. If confirmed malicious, this could allow an attacker to execute remote code or exfiltrate data, posing a severe threat to the environment. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048.003"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the execution of rundll32.exe with command-line arguments loading davclnt.dll and the davsetcookie function to access a remote WebDAV instance. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it may indicate an attempt to exploit CVE-2023-23397, a known vulnerability. If confirmed malicious, this could allow an attacker to execute remote code or exfiltrate data, posing a severe threat to the environment. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives will be present based on legitimate software, filtering may need to occur. -action.escu.creation_date = 2024-05-22 -action.escu.modification_date = 2024-05-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Rundll32 WebDAV Request - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["CVE-2023-23397 Outlook Elevation of Privilege"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to contact a remote WebDav server. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 48}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 48}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 48}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 48}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Rundll32 WebDAV Request - Rule -action.correlationsearch.annotations = {"analytic_story": ["CVE-2023-23397 Outlook Elevation of Privilege"], "cis20": ["CIS 10"], "confidence": 60, "cve": ["CVE-2023-23397"], "impact": 80, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048.003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "320099b7-7eb1-4153-a2b4-decb53267de2", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the execution of rundll32.exe with command-line arguments loading davclnt.dll and the davsetcookie function to access a remote WebDAV instance. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it may indicate an attempt to exploit CVE-2023-23397, a known vulnerability. If confirmed malicious, this could allow an attacker to execute remote code or exfiltrate data, posing a severe threat to the environment. -action.notable.param.rule_title = Windows Rundll32 WebDAV Request -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=rundll32.exe Processes.process IN ("*\\windows\\system32\\davclnt.dll,*davsetcookie*","*\\windows\\syswow64\\davclnt.dll,*davsetcookie*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_rundll32_webdav_request_filter` - -[ESCU - Windows Rundll32 WebDav With Network Connection - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies rundll32.exe with the commandline arguments loading davclnt.dll function - davsetcookie - to be used to access a remote WebDav instance. The analytic attempts to use join from Processes and All_Traffic to identify the network connection. This particular behavior was recently showcased in CVE-2023-23397. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048.003"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint", "Network_Traffic"] -action.escu.eli5 = The following analytic identifies rundll32.exe with the commandline arguments loading davclnt.dll function - davsetcookie - to be used to access a remote WebDav instance. The analytic attempts to use join from Processes and All_Traffic to identify the network connection. This particular behavior was recently showcased in CVE-2023-23397. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives will be present based on legitimate software, filtering may need to occur. -action.escu.creation_date = 2024-01-30 -action.escu.modification_date = 2024-01-30 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Rundll32 WebDav With Network Connection - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["CVE-2023-23397 Outlook Elevation of Privilege"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to contact a remote WebDav server. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 48}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 48}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 48}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 48}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Windows Rundll32 WebDav With Network Connection - Rule -action.correlationsearch.annotations = {"analytic_story": ["CVE-2023-23397 Outlook Elevation of Privilege"], "cis20": ["CIS 10"], "confidence": 60, "cve": ["CVE-2023-23397"], "impact": 80, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048.003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "f03355e0-28b5-4e9b-815a-6adffc63b38c", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies rundll32.exe with the commandline arguments loading davclnt.dll function - davsetcookie - to be used to access a remote WebDav instance. The analytic attempts to use join from Processes and All_Traffic to identify the network connection. This particular behavior was recently showcased in CVE-2023-23397. -action.notable.param.rule_title = Windows Rundll32 WebDav With Network Connection -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.parent_process_name=svchost.exe `process_rundll32` Processes.process IN ("*\\windows\\system32\\davclnt.dll,*davsetcookie*", "*\\windows\\syswow64\\davclnt.dll,*davsetcookie*") by host _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename dest as src | join host process_id [ | tstats `security_content_summariesonly` count latest(All_Traffic.dest) as dest latest(All_Traffic.dest_ip) as dest_ip latest(All_Traffic.dest_port) as dest_port FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port!=0 NOT (All_Traffic.dest_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)) by host All_Traffic.process_id | `drop_dm_object_name(All_Traffic)`] | `windows_rundll32_webdav_with_network_connection_filter` - -[ESCU - Windows Scheduled Task Created Via XML - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the creation of suspicious scheduled tasks in Windows, specifically tasks created using schtasks.exe with the -create flag and an XML parameter in the command-line. This technique is commonly employed by threat actors, adversaries, and red teamers to establish persistence or achieve privilege escalation on targeted hosts. Notably, malware like Trickbot and Winter-Vivern have been observed using XML files to create scheduled tasks. Monitoring and investigating this activity is crucial to mitigate potential security risks. It is important to be aware that scripts or administrators may trigger this analytic, leading to potential false positives. To minimize false positives, adjust the filter based on the parent process or application. \ -When a true positive is detected, it suggests an attacker's attempt to gain persistence or execute additional malicious payloads, potentially resulting in data theft, ransomware, or other damaging outcomes. During triage, review the source of the scheduled task, the command to be executed, and capture any relevant on-disk artifacts. Analyze concurrent processes to identify the source of the attack. This analytic enables analysts to detect and respond to potential threats early, mitigating the associated risks effectively. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the creation of suspicious scheduled tasks in Windows, specifically tasks created using schtasks.exe with the -create flag and an XML parameter in the command-line. This technique is commonly employed by threat actors, adversaries, and red teamers to establish persistence or achieve privilege escalation on targeted hosts. Notably, malware like Trickbot and Winter-Vivern have been observed using XML files to create scheduled tasks. Monitoring and investigating this activity is crucial to mitigate potential security risks. It is important to be aware that scripts or administrators may trigger this analytic, leading to potential false positives. To minimize false positives, adjust the filter based on the parent process or application. \ -When a true positive is detected, it suggests an attacker's attempt to gain persistence or execute additional malicious payloads, potentially resulting in data theft, ransomware, or other damaging outcomes. During triage, review the source of the scheduled task, the command to be executed, and capture any relevant on-disk artifacts. Analyze concurrent processes to identify the source of the attack. This analytic enables analysts to detect and respond to potential threats early, mitigating the associated risks effectively. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = It is possible scripts or administrators may trigger this analytic. Filter as needed based on parent process, application. -action.escu.creation_date = 2023-12-27 -action.escu.modification_date = 2023-12-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Scheduled Task Created Via XML - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["CISA AA23-347A", "Scheduled Tasks", "Winter Vivern"] -action.risk = 1 -action.risk.param._risk_message = A scheduled task process, $process_name$, with 'create' or 'delete' commands present in the command line. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Scheduled Task Created Via XML - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A", "Scheduled Tasks", "Winter Vivern"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "7e03b682-3965-4598-8e91-a60a40a3f7e4", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the creation of suspicious scheduled tasks in Windows, specifically tasks created using schtasks.exe with the -create flag and an XML parameter in the command-line. This technique is commonly employed by threat actors, adversaries, and red teamers to establish persistence or achieve privilege escalation on targeted hosts. Notably, malware like Trickbot and Winter-Vivern have been observed using XML files to create scheduled tasks. Monitoring and investigating this activity is crucial to mitigate potential security risks. It is important to be aware that scripts or administrators may trigger this analytic, leading to potential false positives. To minimize false positives, adjust the filter based on the parent process or application. \ -When a true positive is detected, it suggests an attacker's attempt to gain persistence or execute additional malicious payloads, potentially resulting in data theft, ransomware, or other damaging outcomes. During triage, review the source of the scheduled task, the command to be executed, and capture any relevant on-disk artifacts. Analyze concurrent processes to identify the source of the attack. This analytic enables analysts to detect and respond to potential threats early, mitigating the associated risks effectively. -action.notable.param.rule_title = Windows Scheduled Task Created Via XML -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe Processes.process=*create* Processes.process="* /xml *" by Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_guid Processes.process_id Processes.parent_process_guid Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_scheduled_task_created_via_xml_filter` - -[ESCU - Windows Scheduled Task Service Spawned Shell - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies when the Task Scheduler service "svchost.exe -k netsvcs -p -s Schedule" is the parent process to common command line, scripting, or shell execution binaries. Attackers often abuse the task scheduler service with these binaries as an execution and persistence mechanism in order to blend in with normal Windows operations. This TTP is also commonly seen for legitimate purposes such as business scripts or application updates. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.005", "T1059"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies when the Task Scheduler service "svchost.exe -k netsvcs -p -s Schedule" is the parent process to common command line, scripting, or shell execution binaries. Attackers often abuse the task scheduler service with these binaries as an execution and persistence mechanism in order to blend in with normal Windows operations. This TTP is also commonly seen for legitimate purposes such as business scripts or application updates. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Unknown, possible custom scripting. -action.escu.creation_date = 2023-06-13 -action.escu.modification_date = 2023-06-13 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Scheduled Task Service Spawned Shell - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Windows Persistence Techniques"] -action.risk = 1 -action.risk.param._risk_message = A windows scheduled task spawned the shell application $process_name$ on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 20}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 20}, {"threat_object_field": "process_name", "threat_object_type": "process"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Scheduled Task Service Spawned Shell - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 25, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.005", "T1059"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "d8120352-3b62-4e3c-8cb6-7b47584dd5e8", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies when the Task Scheduler service "svchost.exe -k netsvcs -p -s Schedule" is the parent process to common command line, scripting, or shell execution binaries. Attackers often abuse the task scheduler service with these binaries as an execution and persistence mechanism in order to blend in with normal Windows operations. This TTP is also commonly seen for legitimate purposes such as business scripts or application updates. -action.notable.param.rule_title = Windows Scheduled Task Service Spawned Shell -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process="*\\system32\\svchost.exe*" AND Processes.parent_process="*-k*" AND Processes.parent_process= "*netsvcs*" AND Processes.parent_process="*-p*" AND Processes.parent_process="*-s*" AND Processes.parent_process="*Schedule*" Processes.process_name IN("powershell.exe", "wscript.exe", "cscript.exe", "cmd.exe", "sh.exe", "ksh.exe", "zsh.exe", "bash.exe", "scrcons.exe","pwsh.exe") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_scheduled_task_service_spawned_shell_filter` - -[ESCU - Windows Scheduled Task with Highest Privileges - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the creation of a new task with the highest execution privilege via Schtasks.exe. This tactic is often observed in AsyncRAT attacks, where the scheduled task is used for persistence and privilege escalation. AsyncRAT sets up a scheduled task with parameters '/rl' and 'highest', triggering this technique. It's a strong indicator of potential malware or adversaries seeking to establish persistence and escalate privileges through scheduled tasks. This is crucial for a Security Operations Center (SOC) as it can prevent unauthorized system access and potential data breaches. \ -The analytic works by monitoring logs for process name, parent process, and command-line executions. In the presence of the '*/rl ' and ' highest *' commands in a schtasks.exe process, an alert is triggered. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053", "T1053.005"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the creation of a new task with the highest execution privilege via Schtasks.exe. This tactic is often observed in AsyncRAT attacks, where the scheduled task is used for persistence and privilege escalation. AsyncRAT sets up a scheduled task with parameters '/rl' and 'highest', triggering this technique. It's a strong indicator of potential malware or adversaries seeking to establish persistence and escalate privileges through scheduled tasks. This is crucial for a Security Operations Center (SOC) as it can prevent unauthorized system access and potential data breaches. \ -The analytic works by monitoring logs for process name, parent process, and command-line executions. In the presence of the '*/rl ' and ' highest *' commands in a schtasks.exe process, an alert is triggered. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives may arise from legitimate applications that create tasks to run as SYSTEM. Therefore, it's recommended to adjust filters based on parent process or modify the query to include world writable paths for restriction. -action.escu.creation_date = 2023-12-27 -action.escu.modification_date = 2023-12-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Scheduled Task with Highest Privileges - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["AsyncRAT", "CISA AA23-347A", "RedLine Stealer", "Scheduled Tasks"] -action.risk = 1 -action.risk.param._risk_message = a $process_name$ creating a schedule task $process$ with highest run level privilege in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Scheduled Task with Highest Privileges - Rule -action.correlationsearch.annotations = {"analytic_story": ["AsyncRAT", "CISA AA23-347A", "RedLine Stealer", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053", "T1053.005"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "2f15e1a4-0fc2-49dd-919e-cbbe60699218", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the creation of a new task with the highest execution privilege via Schtasks.exe. This tactic is often observed in AsyncRAT attacks, where the scheduled task is used for persistence and privilege escalation. AsyncRAT sets up a scheduled task with parameters '/rl' and 'highest', triggering this technique. It's a strong indicator of potential malware or adversaries seeking to establish persistence and escalate privileges through scheduled tasks. This is crucial for a Security Operations Center (SOC) as it can prevent unauthorized system access and potential data breaches. \ -The analytic works by monitoring logs for process name, parent process, and command-line executions. In the presence of the '*/rl ' and ' highest *' commands in a schtasks.exe process, an alert is triggered. -action.notable.param.rule_title = Windows Scheduled Task with Highest Privileges -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "schtasks.exe" Processes.process = "*/rl *" Processes.process = "* highest *" by Processes.process_name Processes.parent_process_name Processes.parent_process Processes.process Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_scheduled_task_with_highest_privileges_filter` - -[ESCU - Windows Schtasks Create Run As System - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the creation of a new task to start and run as an elevated user - SYSTEM using Schtasks.exe. This behavior is commonly used by adversaries to spawn a process in an elevated state. If a true positive is found, it suggests an attacker is attempting to persist within the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. Upon triage, review the scheduled task's source and the command to be executed. Capture and inspect any relevant on-disk artifacts, and look for concurrent processes to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the creation of a new task to start and run as an elevated user - SYSTEM using Schtasks.exe. This behavior is commonly used by adversaries to spawn a process in an elevated state. If a true positive is found, it suggests an attacker is attempting to persist within the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. Upon triage, review the scheduled task's source and the command to be executed. Capture and inspect any relevant on-disk artifacts, and look for concurrent processes to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives will be limited to legitimate applications creating a task to run as SYSTEM. Filter as needed based on parent process, or modify the query to have world writeable paths to restrict it. -action.escu.creation_date = 2022-02-07 -action.escu.modification_date = 2022-02-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Schtasks Create Run As System - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Qakbot", "Scheduled Tasks", "Windows Persistence Techniques"] -action.risk = 1 -action.risk.param._risk_message = An $process_name$ was created on endpoint $dest$ attempting to spawn as SYSTEM. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 48}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 48}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Schtasks Create Run As System - Rule -action.correlationsearch.annotations = {"analytic_story": ["Qakbot", "Scheduled Tasks", "Windows Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 60, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "41a0e58e-884c-11ec-9976-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the creation of a new task to start and run as an elevated user - SYSTEM using Schtasks.exe. This behavior is commonly used by adversaries to spawn a process in an elevated state. If a true positive is found, it suggests an attacker is attempting to persist within the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. Upon triage, review the scheduled task's source and the command to be executed. Capture and inspect any relevant on-disk artifacts, and look for concurrent processes to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks. -action.notable.param.rule_title = Windows Schtasks Create Run As System -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_schtasks` Processes.process="*/create *" AND Processes.process="*/ru *" AND Processes.process="*system*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_schtasks_create_run_as_system_filter` - -[ESCU - Windows Screen Capture Via Powershell - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a potential PowerShell script that captures screen images on compromised or targeted hosts. This technique was observed in the Winter-Vivern malware, which attempts to capture desktop screens using a PowerShell script and send the images to its C2 server as part of its exfiltration strategy. This TTP serves as a useful indicator that a PowerShell process may be gathering desktop screenshots from a host system, potentially signaling malicious activity. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1113"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies a potential PowerShell script that captures screen images on compromised or targeted hosts. This technique was observed in the Winter-Vivern malware, which attempts to capture desktop screens using a PowerShell script and send the images to its C2 server as part of its exfiltration strategy. This TTP serves as a useful indicator that a PowerShell process may be gathering desktop screenshots from a host system, potentially signaling malicious activity. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-04-05 -action.escu.modification_date = 2023-04-05 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Screen Capture Via Powershell - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Winter Vivern"] -action.risk = 1 -action.risk.param._risk_message = A PowerShell script was identified possibly performing screen captures on $Computer$. -action.risk.param._risk = [{"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Screen Capture Via Powershell - Rule -action.correlationsearch.annotations = {"analytic_story": ["Winter Vivern"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1113"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "5e0b1936-8f99-4399-8ee2-9edc5b32e170", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a potential PowerShell script that captures screen images on compromised or targeted hosts. This technique was observed in the Winter-Vivern malware, which attempts to capture desktop screens using a PowerShell script and send the images to its C2 server as part of its exfiltration strategy. This TTP serves as a useful indicator that a PowerShell process may be gathering desktop screenshots from a host system, potentially signaling malicious activity. -action.notable.param.rule_title = Windows Screen Capture Via Powershell -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText = "*[Drawing.Graphics]::FromImage(*" AND ScriptBlockText = "*New-Object Drawing.Bitmap*" AND ScriptBlockText = "*.CopyFromScreen*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_screen_capture_via_powershell_filter` - -[ESCU - Windows Security Account Manager Stopped - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the stopping of the Windows Security Account Manager (SAM) service via command-line, typically using the "net stop samss" command. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because stopping the SAM service can disrupt authentication mechanisms and is often associated with ransomware attacks like Ryuk. If confirmed malicious, this action could lead to unauthorized access, privilege escalation, and potential system-wide compromise. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the stopping of the Windows Security Account Manager (SAM) service via command-line, typically using the "net stop samss" command. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because stopping the SAM service can disrupt authentication mechanisms and is often associated with ransomware attacks like Ryuk. If confirmed malicious, this action could lead to unauthorized access, privilege escalation, and potential system-wide compromise. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = SAM is a critical windows service, stopping it would cause major issues on an endpoint this makes false positive rare. AlthoughNo false positives have been identified. -action.escu.creation_date = 2024-05-20 -action.escu.modification_date = 2024-05-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Security Account Manager Stopped - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Ryuk Ransomware"] -action.risk = 1 -action.risk.param._risk_message = The Windows Security Account Manager (SAM) was stopped via cli by $user$ on $dest$ by this command: $process$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 70}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 70}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Security Account Manager Stopped - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ryuk Ransomware"], "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "69c12d59-d951-431e-ab77-ec426b8d65e6", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the stopping of the Windows Security Account Manager (SAM) service via command-line, typically using the "net stop samss" command. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because stopping the SAM service can disrupt authentication mechanisms and is often associated with ransomware attacks like Ryuk. If confirmed malicious, this action could lead to unauthorized access, privilege escalation, and potential system-wide compromise. -action.notable.param.rule_title = Windows Security Account Manager Stopped -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes WHERE ("Processes.process_name"="net*.exe" "Processes.process"="*stop \"samss\"*") BY Processes.dest Processes.user Processes.process Processes.process_guid Processes.process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_security_account_manager_stopped_filter` - -[ESCU - Windows Security Support Provider Reg Query - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a process command line related to the discovery of possible Security Support Providers in the registry. This technique is being abused by adversaries or post exploitation tools like winpeas to gather LSA protection and configuration in the registry in the targeted host. This registry entry can contain several information related to LSA that validates users for local and remote sign-ins and enforces local security policies. Understanding LSA protection may give a good information in accessing LSA content in memory which is commonly attack by adversaries and tool like mimikatz to scrape password hashes or clear plain text passwords. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1547.005", "T1547"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a process command line related to the discovery of possible Security Support Providers in the registry. This technique is being abused by adversaries or post exploitation tools like winpeas to gather LSA protection and configuration in the registry in the targeted host. This registry entry can contain several information related to LSA that validates users for local and remote sign-ins and enforces local security policies. Understanding LSA protection may give a good information in accessing LSA content in memory which is commonly attack by adversaries and tool like mimikatz to scrape password hashes or clear plain text passwords. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2022-11-30 -action.escu.modification_date = 2022-11-30 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Security Support Provider Reg Query - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Prestige Ransomware", "Sneaky Active Directory Persistence Tricks", "Windows Post-Exploitation"] -action.risk = 1 -action.risk.param._risk_message = process with reg query command line $process$ in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 9}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Security Support Provider Reg Query - Rule -action.correlationsearch.annotations = {"analytic_story": ["Prestige Ransomware", "Sneaky Active Directory Persistence Tricks", "Windows Post-Exploitation"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1547.005", "T1547"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "31302468-93c9-4eca-9ae3-2d41f53a4e2b", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process = "* query *" AND Processes.process = "*\\SYSTEM\\CurrentControlSet\\Control\\LSA*" Processes.process IN ("*RunAsPPL*" , "*LsaCfgFlags*") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_security_support_provider_reg_query_filter` - -[ESCU - Windows Server Software Component GACUtil Install to GAC - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the Windows SDK utility - GACUtil.exe, being utilized to add a DLL into the Global Assembly Cache (GAC). Each computer where the Common Language Runtime is installed has a machine-wide code cache called the Global Assembly Cache. The Global Assembly Cache stores assemblies specifically designated to be shared by several applications on the computer. By adding a DLL to the GAC, this allows an adversary to call it via any other means across the operating systems. As outlined by Microsoft in their blog, it is not common to see this spawning from W3WP.exe, however, in a non-development environment it may not be common at all. Note that in order to utilize GACutil.exe, The Windows SDK must be installed, this is not a native binary. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1505", "T1505.004"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the Windows SDK utility - GACUtil.exe, being utilized to add a DLL into the Global Assembly Cache (GAC). Each computer where the Common Language Runtime is installed has a machine-wide code cache called the Global Assembly Cache. The Global Assembly Cache stores assemblies specifically designated to be shared by several applications on the computer. By adding a DLL to the GAC, this allows an adversary to call it via any other means across the operating systems. As outlined by Microsoft in their blog, it is not common to see this spawning from W3WP.exe, however, in a non-development environment it may not be common at all. Note that in order to utilize GACutil.exe, The Windows SDK must be installed, this is not a native binary. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives may be present if gacutil.exe is utilized day to day by developers. Filter as needed. -action.escu.creation_date = 2023-01-17 -action.escu.modification_date = 2023-01-17 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Server Software Component GACUtil Install to GAC - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["IIS Components"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to add a module to the global assembly cache. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 49}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Server Software Component GACUtil Install to GAC - Rule -action.correlationsearch.annotations = {"analytic_story": ["IIS Components"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1505", "T1505.004"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "7c025ef0-9e65-4c57-be39-1c13dbb1613e", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the Windows SDK utility - GACUtil.exe, being utilized to add a DLL into the Global Assembly Cache (GAC). Each computer where the Common Language Runtime is installed has a machine-wide code cache called the Global Assembly Cache. The Global Assembly Cache stores assemblies specifically designated to be shared by several applications on the computer. By adding a DLL to the GAC, this allows an adversary to call it via any other means across the operating systems. As outlined by Microsoft in their blog, it is not common to see this spawning from W3WP.exe, however, in a non-development environment it may not be common at all. Note that in order to utilize GACutil.exe, The Windows SDK must be installed, this is not a native binary. -action.notable.param.rule_title = Windows Server Software Component GACUtil Install to GAC -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=gacutil.exe Processes.process IN ("*-i *","*/i *") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_server_software_component_gacutil_install_to_gac_filter` - -[ESCU - Windows Service Create Kernel Mode Driver - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the creation of a new kernel mode driver using the sc.exe command. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. The activity is significant because adding a kernel driver is uncommon in regular operations and can indicate an attempt to gain low-level access to the system. If confirmed malicious, this could allow an attacker to execute code with high privileges, potentially compromising the entire system and evading traditional security measures. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1543.003", "T1543", "T1068"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the creation of a new kernel mode driver using the sc.exe command. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. The activity is significant because adding a kernel driver is uncommon in regular operations and can indicate an attempt to gain low-level access to the system. If confirmed malicious, this could allow an attacker to execute code with high privileges, potentially compromising the entire system and evading traditional security measures. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives may be present based on common applications adding new drivers, however, filter as needed. -action.escu.creation_date = 2024-05-13 -action.escu.modification_date = 2024-05-13 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Service Create Kernel Mode Driver - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["CISA AA22-320A", "Windows Drivers"] -action.risk = 1 -action.risk.param._risk_message = Service control, $process_name$, loaded a new kernel mode driver on $dest$ by $user$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 48}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 48}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Service Create Kernel Mode Driver - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA22-320A", "Windows Drivers"], "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1543.003", "T1543", "T1068"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "0b4e3b06-1b2b-4885-b752-cf06d12a90cb", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the creation of a new kernel mode driver using the sc.exe command. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. The activity is significant because adding a kernel driver is uncommon in regular operations and can indicate an attempt to gain low-level access to the system. If confirmed malicious, this could allow an attacker to execute code with high privileges, potentially compromising the entire system and evading traditional security measures. -action.notable.param.rule_title = Windows Service Create Kernel Mode Driver -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=sc.exe Processes.process="*kernel*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_create_kernel_mode_driver_filter` - -[ESCU - Windows Service Create RemComSvc - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the creation of the RemComSvc service on a Windows endpoint, typically indicating lateral movement using RemCom.exe. It leverages Windows EventCode 7045 from the System event log, specifically looking for the "RemCom Service" name. This activity is significant as it often signifies unauthorized lateral movement within the network, which is a common tactic used by attackers to spread malware or gain further access. If confirmed malicious, this could lead to unauthorized access to sensitive systems, data exfiltration, or further compromise of the network. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1543.003", "T1543"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects the creation of the RemComSvc service on a Windows endpoint, typically indicating lateral movement using RemCom.exe. It leverages Windows EventCode 7045 from the System event log, specifically looking for the "RemCom Service" name. This activity is significant as it often signifies unauthorized lateral movement within the network, which is a common tactic used by attackers to spread malware or gain further access. If confirmed malicious, this could lead to unauthorized access to sensitive systems, data exfiltration, or further compromise of the network. -action.escu.how_to_implement = To implement this analytic, the Windows EventCode 7045 will need to be logged. The Windows TA for Splunk is also recommended. -action.escu.known_false_positives = False positives may be present, filter as needed based on administrative activity. -action.escu.creation_date = 2024-05-22 -action.escu.modification_date = 2024-05-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Service Create RemComSvc - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Active Directory Discovery"] -action.risk = 1 -action.risk.param._risk_message = A new service was created related to RemCom on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 32}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Service Create RemComSvc - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 80, "impact": 40, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1543.003", "T1543"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "0be4b5d6-c449-4084-b945-2392b519c33b", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_system` EventCode=7045 ServiceName="RemCom Service" | stats count min(_time) as firstTime max(_time) as lastTime by dest ImagePath ServiceName ServiceType | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_create_remcomsvc_filter` - -[ESCU - Windows Service Create SliverC2 - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = When an adversary utilizes SliverC2 to laterally move with the Psexec module, it will create a service with the name and description of "Sliver" and "Sliver Implant". Note that these may be easily changed and are specific to only SliverC2. We have also created the same regex as Microsoft has outlined to attempt to capture the suspicious service path (regex101 reference). -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1569", "T1569.002"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = When an adversary utilizes SliverC2 to laterally move with the Psexec module, it will create a service with the name and description of "Sliver" and "Sliver Implant". Note that these may be easily changed and are specific to only SliverC2. We have also created the same regex as Microsoft has outlined to attempt to capture the suspicious service path (regex101 reference). -action.escu.how_to_implement = To implement this analytic, the Windows EventCode 7045 will need to be logged from the System Event log. The Windows TA for Splunk is also recommended. -action.escu.known_false_positives = False positives should be limited, but if another service out there is named Sliver, filtering may be needed. -action.escu.creation_date = 2023-03-03 -action.escu.modification_date = 2023-03-03 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Service Create SliverC2 - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["BishopFox Sliver Adversary Emulation Framework"] -action.risk = 1 -action.risk.param._risk_message = A user mode service was created on $dest$ related to SliverC2. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 90}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Service Create SliverC2 - Rule -action.correlationsearch.annotations = {"analytic_story": ["BishopFox Sliver Adversary Emulation Framework"], "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1569", "T1569.002"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "89dad3ee-57ec-43dc-9044-131c4edd663f", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = When an adversary utilizes SliverC2 to laterally move with the Psexec module, it will create a service with the name and description of "Sliver" and "Sliver Implant". Note that these may be easily changed and are specific to only SliverC2. We have also created the same regex as Microsoft has outlined to attempt to capture the suspicious service path (regex101 reference). -action.notable.param.rule_title = Windows Service Create SliverC2 -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_system` EventCode=7045 ServiceName="sliver" | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ImagePath ServiceName ServiceType | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_create_sliverc2_filter` - -[ESCU - Windows Service Create with Tscon - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects potential RDP Hijacking attempts by monitoring a series of actions taken by an attacker to gain unauthorized access to a remote system. The attacker first runs the quser command to query the remote host for disconnected user sessions. Upon identifying a disconnected session, they use the sc.exe command to create a new Windows service with a binary path that launches tscon.exe. By specifying the disconnected session ID and a destination ID, the attacker can transfer the disconnected session to a new RDP session, effectively hijacking the user's session. This analytic allows security teams to detect and respond to RDP Hijacking attempts, mitigating potential risks and impacts on targeted systems. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1563.002", "T1563", "T1543.003"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects potential RDP Hijacking attempts by monitoring a series of actions taken by an attacker to gain unauthorized access to a remote system. The attacker first runs the quser command to query the remote host for disconnected user sessions. Upon identifying a disconnected session, they use the sc.exe command to create a new Windows service with a binary path that launches tscon.exe. By specifying the disconnected session ID and a destination ID, the attacker can transfer the disconnected session to a new RDP session, effectively hijacking the user's session. This analytic allows security teams to detect and respond to RDP Hijacking attempts, mitigating potential risks and impacts on targeted systems. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives may arise in the RDP Hijacking analytic when legitimate administrators access remote sessions for maintenance or troubleshooting purposes. These activities might resemble an attacker''s attempt to hijack a disconnected session, leading to false alarms. To mitigate the risk of false positives and improve the overall security posture, organizations can implement Group Policy to automatically disconnect RDP sessions when they are complete. By enforcing this policy, administrators ensure that disconnected sessions are promptly terminated, reducing the window of opportunity for an attacker to hijack a session. Additionally, organizations can also implement access control mechanisms and monitor the behavior of privileged accounts to further enhance security and reduce the chances of false positives in RDP Hijacking detection. -action.escu.creation_date = 2023-03-29 -action.escu.modification_date = 2023-03-29 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Service Create with Tscon - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Lateral Movement"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to hijack a RDP session. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 64}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Service Create with Tscon - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1563.002", "T1563", "T1543.003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c13b3d74-6b63-4db5-a841-4206f0370077", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects potential RDP Hijacking attempts by monitoring a series of actions taken by an attacker to gain unauthorized access to a remote system. The attacker first runs the quser command to query the remote host for disconnected user sessions. Upon identifying a disconnected session, they use the sc.exe command to create a new Windows service with a binary path that launches tscon.exe. By specifying the disconnected session ID and a destination ID, the attacker can transfer the disconnected session to a new RDP session, effectively hijacking the user's session. This analytic allows security teams to detect and respond to RDP Hijacking attempts, mitigating potential risks and impacts on targeted systems. -action.notable.param.rule_title = Windows Service Create with Tscon -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=sc.exe Processes.process="*/dest:rdp-tcp*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_create_with_tscon_filter` - -[ESCU - Windows Service Created with Suspicious Service Path - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytics uses Windows Event Id 7045, `New Service Was Installed`, to identify the creation of a Windows Service where the service binary path path is located in a non-common Service folder in Windows. Red Teams and adversaries alike may create malicious Services for lateral movement or remote code execution as well as persistence and execution. The Clop ransomware has also been seen in the wild abusing Windows services. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1569", "T1569.002"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytics uses Windows Event Id 7045, `New Service Was Installed`, to identify the creation of a Windows Service where the service binary path path is located in a non-common Service folder in Windows. Red Teams and adversaries alike may create malicious Services for lateral movement or remote code execution as well as persistence and execution. The Clop ransomware has also been seen in the wild abusing Windows services. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints. -action.escu.known_false_positives = Legitimate applications may install services with uncommon services paths. -action.escu.creation_date = 2024-04-26 -action.escu.modification_date = 2024-04-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Service Created with Suspicious Service Path - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Active Directory Lateral Movement", "Brute Ratel C4", "CISA AA23-347A", "Clop Ransomware", "Flax Typhoon", "PlugX", "Qakbot", "Snake Malware"] -action.risk = 1 -action.risk.param._risk_message = A service $ImagePath$ was created from a non-standard path using $ServiceName$ on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"threat_object_field": "ImagePath", "threat_object_type": "file_name"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Service Created with Suspicious Service Path - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "Brute Ratel C4", "CISA AA23-347A", "Clop Ransomware", "Flax Typhoon", "PlugX", "Qakbot", "Snake Malware"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1569", "T1569.002"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "429141be-8311-11eb-adb6-acde48001122", "detection_version": "4"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytics uses Windows Event Id 7045, `New Service Was Installed`, to identify the creation of a Windows Service where the service binary path path is located in a non-common Service folder in Windows. Red Teams and adversaries alike may create malicious Services for lateral movement or remote code execution as well as persistence and execution. The Clop ransomware has also been seen in the wild abusing Windows services. -action.notable.param.rule_title = Windows Service Created with Suspicious Service Path -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_system` EventCode=7045 ImagePath = "*.exe" NOT (ImagePath IN ("*:\\Windows\\*", "*:\\Program File*", "*:\\Programdata\\*", "*%systemroot%\\*")) | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ImagePath ServiceName ServiceType StartType Computer UserID | rename Computer as dest| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_created_with_suspicious_service_path_filter` - -[ESCU - Windows Service Created Within Public Path - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytc uses Windows Event Id 7045, `New Service Was Installed`, to identify the creation of a Windows Service where the service binary path is located in public paths. This behavior could represent the installation of a malicious service. Red Teams and adversaries alike may create malicious Services for lateral movement or remote code execution -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1543", "T1543.003"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytc uses Windows Event Id 7045, `New Service Was Installed`, to identify the creation of a Windows Service where the service binary path is located in public paths. This behavior could represent the installation of a malicious service. Red Teams and adversaries alike may create malicious Services for lateral movement or remote code execution -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints. -action.escu.known_false_positives = Legitimate applications may install services with uncommon services paths. -action.escu.creation_date = 2024-04-26 -action.escu.modification_date = 2024-04-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Service Created Within Public Path - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Active Directory Lateral Movement", "Snake Malware"] -action.risk = 1 -action.risk.param._risk_message = A Windows Service $ServiceName$ with a public path was created on $dest$ -action.risk.param._risk = [{"risk_object_field": "ServiceName", "risk_object_type": "other", "risk_score": 54}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 54}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Service Created Within Public Path - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "Snake Malware"], "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1543", "T1543.003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "3abb2eda-4bb8-11ec-9ae4-3e22fbd008af", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytc uses Windows Event Id 7045, `New Service Was Installed`, to identify the creation of a Windows Service where the service binary path is located in public paths. This behavior could represent the installation of a malicious service. Red Teams and adversaries alike may create malicious Services for lateral movement or remote code execution -action.notable.param.rule_title = Windows Service Created Within Public Path -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_system` EventCode=7045 ImagePath = "*.exe" NOT (ImagePath IN ("*:\\Windows\\*", "*:\\Program File*", "*:\\Programdata\\*", "*%systemroot%\\*")) | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ImagePath ServiceName ServiceType StartType Computer UserID | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_created_within_public_path_filter` - -[ESCU - Windows Service Creation on Remote Endpoint - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic looks for the execution of `sc.exe` with command-line arguments utilized to create a Windows Service on a remote endpoint. Red Teams and adversaries alike may abuse the Service Control Manager for lateral movement and remote code execution. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1543", "T1543.003"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for the execution of `sc.exe` with command-line arguments utilized to create a Windows Service on a remote endpoint. Red Teams and adversaries alike may abuse the Service Control Manager for lateral movement and remote code execution. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators may create Windows Services on remote systems, but this activity is usually limited to a small set of hosts or users. -action.escu.creation_date = 2021-11-10 -action.escu.modification_date = 2021-11-10 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Service Creation on Remote Endpoint - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Lateral Movement", "CISA AA23-347A"] -action.risk = 1 -action.risk.param._risk_message = A Windows Service was created on a remote endpoint from $dest -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 54}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Service Creation on Remote Endpoint - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1543", "T1543.003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e0eea4fa-4274-11ec-882b-3e22fbd008af", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic looks for the execution of `sc.exe` with command-line arguments utilized to create a Windows Service on a remote endpoint. Red Teams and adversaries alike may abuse the Service Control Manager for lateral movement and remote code execution. -action.notable.param.rule_title = Windows Service Creation on Remote Endpoint -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=sc.exe OR Processes.original_file_name=sc.exe) (Processes.process=*\\\\* AND Processes.process=*create* AND Processes.process=*binpath*) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_service_creation_on_remote_endpoint_filter` - -[ESCU - Windows Service Creation Using Registry Entry - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects when reg.exe modify registry keys that define Windows services and their configurations in Windows to detect potential threats earlier and mitigate the risks. This detection is made by a Splunk query that searches for specific keywords in the process name, parent process name, user, and process ID. This detection is important because it suggests that an attacker has modified the registry keys that define Windows services and their configurations, which can allow them to maintain access to the system and potentially move laterally within the network. It is a common technique used by attackers to gain persistence on a compromised system and its impact can lead to data theft, ransomware, or other damaging outcomes. False positives can occur since legitimate uses of reg.exe to modify registry keys for Windows services can also trigger this alert. Next steps include reviewing the process and user context of the reg.exe activity and identify any other concurrent processes that might be associated with the attack upon triage. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.011"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects when reg.exe modify registry keys that define Windows services and their configurations in Windows to detect potential threats earlier and mitigate the risks. This detection is made by a Splunk query that searches for specific keywords in the process name, parent process name, user, and process ID. This detection is important because it suggests that an attacker has modified the registry keys that define Windows services and their configurations, which can allow them to maintain access to the system and potentially move laterally within the network. It is a common technique used by attackers to gain persistence on a compromised system and its impact can lead to data theft, ransomware, or other damaging outcomes. False positives can occur since legitimate uses of reg.exe to modify registry keys for Windows services can also trigger this alert. Next steps include reviewing the process and user context of the reg.exe activity and identify any other concurrent processes that might be associated with the attack upon triage. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -action.escu.known_false_positives = Third party tools may used this technique to create services but not so common. -action.escu.creation_date = 2023-04-27 -action.escu.modification_date = 2023-04-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Service Creation Using Registry Entry - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Lateral Movement", "Brute Ratel C4", "CISA AA23-347A", "PlugX", "Suspicious Windows Registry Activities", "Windows Persistence Techniques", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = A Windows Service was created on a endpoint from $dest$ using a registry entry -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Service Creation Using Registry Entry - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "Brute Ratel C4", "CISA AA23-347A", "PlugX", "Suspicious Windows Registry Activities", "Windows Persistence Techniques", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.011"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "25212358-948e-11ec-ad47-acde48001122", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects when reg.exe modify registry keys that define Windows services and their configurations in Windows to detect potential threats earlier and mitigate the risks. This detection is made by a Splunk query that searches for specific keywords in the process name, parent process name, user, and process ID. This detection is important because it suggests that an attacker has modified the registry keys that define Windows services and their configurations, which can allow them to maintain access to the system and potentially move laterally within the network. It is a common technique used by attackers to gain persistence on a compromised system and its impact can lead to data theft, ransomware, or other damaging outcomes. False positives can occur since legitimate uses of reg.exe to modify registry keys for Windows services can also trigger this alert. Next steps include reviewing the process and user context of the reg.exe activity and identify any other concurrent processes that might be associated with the attack upon triage. -action.notable.param.rule_title = Windows Service Creation Using Registry Entry -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*\\SYSTEM\\CurrentControlSet\\Services*" Registry.registry_value_name = ImagePath) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_creation_using_registry_entry_filter` - -[ESCU - Windows Service Deletion In Registry - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the deletion of a service from the Windows Registry under CurrentControlSet\Services. It leverages data from the Endpoint.Registry datamodel, specifically monitoring registry paths and actions related to service deletion. This activity is significant as adversaries may delete services to evade detection and hinder incident response efforts. If confirmed malicious, this action could disrupt legitimate services, impair system functionality, and potentially allow attackers to maintain a lower profile within the environment, complicating detection and remediation efforts. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the deletion of a service from the Windows Registry under CurrentControlSet\Services. It leverages data from the Endpoint.Registry datamodel, specifically monitoring registry paths and actions related to service deletion. This activity is significant as adversaries may delete services to evade detection and hinder incident response efforts. If confirmed malicious, this action could disrupt legitimate services, impair system functionality, and potentially allow attackers to maintain a lower profile within the environment, complicating detection and remediation efforts. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -action.escu.known_false_positives = This event can be seen when administrator delete a service or uninstall/reinstall a software that creates service entry, but it is still recommended to check this alert with high priority. -action.escu.creation_date = 2024-05-14 -action.escu.modification_date = 2024-05-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Service Deletion In Registry - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Brute Ratel C4", "PlugX"] -action.risk = 1 -action.risk.param._risk_message = A service was deleted on $dest$ within the Windows registry. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 18}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Service Deletion In Registry - Rule -action.correlationsearch.annotations = {"analytic_story": ["Brute Ratel C4", "PlugX"], "cis20": ["CIS 10"], "confidence": 30, "impact": 60, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "daed6823-b51c-4843-a6ad-169708f1323e", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\SYSTEM\\CurrentControlSet\\Services*" AND (Registry.action = deleted OR (Registry.registry_value_name = DeleteFlag AND Registry.registry_value_data = 0x00000001 AND Registry.action=modified)) by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_value_name Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_deletion_in_registry_filter` - -[ESCU - Windows Service Initiation on Remote Endpoint - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic looks for the execution of `sc.exe` with command-line arguments utilized to start a Windows Service on a remote endpoint. Red Teams and adversaries alike may abuse the Service Control Manager for lateral movement and remote code execution. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1543", "T1543.003"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for the execution of `sc.exe` with command-line arguments utilized to start a Windows Service on a remote endpoint. Red Teams and adversaries alike may abuse the Service Control Manager for lateral movement and remote code execution. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators may start Windows Services on remote systems, but this activity is usually limited to a small set of hosts or users. -action.escu.creation_date = 2021-11-10 -action.escu.modification_date = 2021-11-10 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Service Initiation on Remote Endpoint - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Lateral Movement", "CISA AA23-347A"] -action.risk = 1 -action.risk.param._risk_message = A Windows Service was started on a remote endpoint from $dest -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 54}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Service Initiation on Remote Endpoint - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1543", "T1543.003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "3f519894-4276-11ec-ab02-3e22fbd008af", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic looks for the execution of `sc.exe` with command-line arguments utilized to start a Windows Service on a remote endpoint. Red Teams and adversaries alike may abuse the Service Control Manager for lateral movement and remote code execution. -action.notable.param.rule_title = Windows Service Initiation on Remote Endpoint -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=sc.exe OR Processes.original_file_name=sc.exe) (Processes.process=*\\\\* AND Processes.process=*start*) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_service_initiation_on_remote_endpoint_filter` - -[ESCU - Windows Service Stop By Deletion - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies Windows Service Control, `sc.exe`, attempting to delete a service. This is typically identified in parallel with other instances of service enumeration of attempts to stop a service and then delete it. Adversaries utilize this technique to terminate security services or other related services to continue there objective and evade detections. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies Windows Service Control, `sc.exe`, attempting to delete a service. This is typically identified in parallel with other instances of service enumeration of attempts to stop a service and then delete it. Adversaries utilize this technique to terminate security services or other related services to continue there objective and evade detections. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = It is possible administrative scripts may start/stop/delete services. Filter as needed. -action.escu.creation_date = 2023-06-13 -action.escu.modification_date = 2023-06-13 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Service Stop By Deletion - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Azorult", "Graceful Wipe Out Attack"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ attempting to delete a service. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Service Stop By Deletion - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azorult", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "196ff536-58d9-4d1b-9686-b176b04e430b", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies Windows Service Control, `sc.exe`, attempting to delete a service. This is typically identified in parallel with other instances of service enumeration of attempts to stop a service and then delete it. Adversaries utilize this technique to terminate security services or other related services to continue there objective and evade detections. -action.notable.param.rule_title = Windows Service Stop By Deletion -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = sc.exe OR Processes.original_file_name = sc.exe) Processes.process="* delete *" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_stop_by_deletion_filter` - -[ESCU - Windows Service Stop Via Net and SC Application - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic identifies suspicious attempts to stop services on a system using either `net.exe` or `sc.exe`. This technique is used by adversaries to terminate security services or other related services to continue their objective and evade detections. This technique is also commonly used by ransomware threat actors to successfully encrypt databases or files being processed or used by Windows OS Services. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic identifies suspicious attempts to stop services on a system using either `net.exe` or `sc.exe`. This technique is used by adversaries to terminate security services or other related services to continue their objective and evade detections. This technique is also commonly used by ransomware threat actors to successfully encrypt databases or files being processed or used by Windows OS Services. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Windows OS or software may stop and restart services due to some critical update. -action.escu.creation_date = 2023-06-13 -action.escu.modification_date = 2023-06-13 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Service Stop Via Net and SC Application - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Graceful Wipe Out Attack", "Prestige Ransomware"] -action.risk = 1 -action.risk.param._risk_message = $process$ was executed on $dest$ attempting to stop service. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Service Stop Via Net and SC Application - Rule -action.correlationsearch.annotations = {"analytic_story": ["Graceful Wipe Out Attack", "Prestige Ransomware"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "827af04b-0d08-479b-9b84-b7d4644e4b80", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` OR Processes.process_name = "sc.exe" OR Processes.original_file_name= "sc.exe" AND Processes.process="*stop*" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_stop_via_net__and_sc_application_filter` - -[ESCU - Windows Service Stop Win Updates - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a windows update service being disabled in Windows OS. This technique is being abused by adversaries or threat actors to add defense mechanisms to their malware implant in the targeted host. Disabling windows update will put the compromised host vulnerable in some zero day exploit or even some update features against threats. RedLine Stealer kills this service as part of its defense evasion mechanism. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies a windows update service being disabled in Windows OS. This technique is being abused by adversaries or threat actors to add defense mechanisms to their malware implant in the targeted host. Disabling windows update will put the compromised host vulnerable in some zero day exploit or even some update features against threats. RedLine Stealer kills this service as part of its defense evasion mechanism. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints (like Windows system.log Event ID 7040) -action.escu.known_false_positives = Network administrator may disable this services as part of its audit process within the network. Filter is needed. -action.escu.creation_date = 2023-12-27 -action.escu.modification_date = 2023-12-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Service Stop Win Updates - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["CISA AA23-347A", "RedLine Stealer"] -action.risk = 1 -action.risk.param._risk_message = Windows update services $service_name$ was being disabled on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Service Stop Win Updates - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A", "RedLine Stealer"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "0dc25c24-6fcf-456f-b08b-dd55a183e4de", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_system` EventCode=7040 (service_name IN ("Update Orchestrator Service for Windows Update", "WaaSMedicSvc", "Windows Update") OR param1 IN ("UsoSvc", "WaaSMedicSvc", "wuauserv")) AND (param3=disabled OR start_mode = disabled) | stats count min(_time) as firstTime max(_time) as lastTime by Computer Error_Code service_name start_mode param1 param2 param3 param4 | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_stop_win_updates_filter` - -[ESCU - Windows SIP Provider Inventory - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following inventory analytic is used with a PowerShell scripted inputs to capture all SIP providers on a Windows system. This analytic is used to identify potential malicious SIP providers that may be used to subvert trust controls. Upon review, look for new and non-standard paths for SIP providers. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1553.003"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following inventory analytic is used with a PowerShell scripted inputs to capture all SIP providers on a Windows system. This analytic is used to identify potential malicious SIP providers that may be used to subvert trust controls. Upon review, look for new and non-standard paths for SIP providers. -action.escu.how_to_implement = To implement this analytic, one must first perform inventory using a scripted inputs. Review the following Gist - https://gist.github.com/MHaggis/75dd5db546c143ea67703d0e86cdbbd1 -action.escu.known_false_positives = False positives are limited as this is a hunting query for inventory. -action.escu.creation_date = 2023-10-10 -action.escu.modification_date = 2023-10-10 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows SIP Provider Inventory - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Subvert Trust Controls SIP and Trust Provider Hijacking"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows SIP Provider Inventory - Rule -action.correlationsearch.annotations = {"analytic_story": ["Subvert Trust Controls SIP and Trust Provider Hijacking"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1553.003"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "21c5af91-1a4a-4511-8603-64fb41df3fad", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `subjectinterfacepackage` Dll=*\\*.dll | stats count min(_time) as firstTime max(_time) as lastTime values(Dll) by Path host| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_sip_provider_inventory_filter` - -[ESCU - Windows SIP WinVerifyTrust Failed Trust Validation - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic utilizes a Windows Event Log - CAPI2 - or CryptoAPI 2, to identify failed trust validation. Typically, this event log is meant for diagnosing PKI issues, however is a great source to identify failed trust validation. Note that this event log is noisy as it captures common PKI requests from many different processes. EventID 81 is generated anytime a trust validation fails. The description for EventID 81 is "The digital signature of the object did not verify." STRT tested this analytic using Mimikatz binary. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1553.003"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic utilizes a Windows Event Log - CAPI2 - or CryptoAPI 2, to identify failed trust validation. Typically, this event log is meant for diagnosing PKI issues, however is a great source to identify failed trust validation. Note that this event log is noisy as it captures common PKI requests from many different processes. EventID 81 is generated anytime a trust validation fails. The description for EventID 81 is "The digital signature of the object did not verify." STRT tested this analytic using Mimikatz binary. -action.escu.how_to_implement = To implement this analytic, one will need to enable the Microsoft-Windows-CAPI2/Operational log within the Windows Event Log. Note this is a debug log for many purposes, and the analytic only focuses in on EventID 81. Review the following gist for additional enabling information. -action.escu.known_false_positives = False positives may be present in some instances of legitimate binaries with invalid signatures. Filter as needed. -action.escu.creation_date = 2023-10-10 -action.escu.modification_date = 2023-10-10 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows SIP WinVerifyTrust Failed Trust Validation - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Subvert Trust Controls SIP and Trust Provider Hijacking"] -action.risk = 1 -action.risk.param._risk_message = Failed trust validation via the CryptoAPI 2 on $dest$ for a binary. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows SIP WinVerifyTrust Failed Trust Validation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Subvert Trust Controls SIP and Trust Provider Hijacking"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1553.003"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "6ffc7f88-415b-4278-a80d-b957d6539e1a", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `capi2_operational` EventID=81 "The digital signature of the object did not verify." | xmlkv UserData_Xml | stats count min(_time) as firstTime max(_time) as lastTime by Computer, UserData_Xml | rename Computer as dest | `windows_sip_winverifytrust_failed_trust_validation_filter` - -[ESCU - Windows Snake Malware File Modification Crmlog - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the creation of a .crmlog file within the %windows%\Registration directory, typically with a format of ..crmlog. This detection leverages the Endpoint.Filesystem datamodel to monitor file creation events in the specified directory. This activity is significant as it is associated with the Snake malware, which uses this file for its operations. If confirmed malicious, this could indicate the presence of Snake malware, leading to potential data exfiltration, system compromise, and further malicious activities. Immediate investigation is required to mitigate the threat. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1027"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the creation of a .crmlog file within the %windows%\Registration directory, typically with a format of ..crmlog. This detection leverages the Endpoint.Filesystem datamodel to monitor file creation events in the specified directory. This activity is significant as it is associated with the Snake malware, which uses this file for its operations. If confirmed malicious, this could indicate the presence of Snake malware, leading to potential data exfiltration, system compromise, and further malicious activities. Immediate investigation is required to mitigate the threat. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -action.escu.known_false_positives = False positives may be present as the file pattern does match legitimate files on disk. It is possible other native tools write the same file name scheme. -action.escu.creation_date = 2024-05-07 -action.escu.modification_date = 2024-05-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Snake Malware File Modification Crmlog - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.atomic_red_team_guids = ["7e47ee60-9dd1-4269-9c4f-97953b183268"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Snake Malware"] -action.risk = 1 -action.risk.param._risk_message = A file related to Snake Malware has been identified on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Snake Malware File Modification Crmlog - Rule -action.correlationsearch.annotations = {"analytic_story": ["Snake Malware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1027"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "27187e0e-c221-471d-a7bd-04f698985ff6", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the creation of a .crmlog file within the %windows%\Registration directory, typically with a format of ..crmlog. This detection leverages the Endpoint.Filesystem datamodel to monitor file creation events in the specified directory. This activity is significant as it is associated with the Snake malware, which uses this file for its operations. If confirmed malicious, this could indicate the presence of Snake malware, leading to potential data exfiltration, system compromise, and further malicious activities. Immediate investigation is required to mitigate the threat. -action.notable.param.rule_title = Windows Snake Malware File Modification Crmlog -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_path="*\\windows\\registration\\*" AND Filesystem.file_name="*.crmlog" by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_snake_malware_file_modification_crmlog_filter` - -[ESCU - Windows Snake Malware Kernel Driver Comadmin - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the comadmin.dat file written to disk, which is related to Snake Malware. From the report, Snakes installer drops the kernel driver and a custom DLL which is used to load the driver into a single AES encrypted file on disk. Typically, this file is named comadmin.dat and is stored in the %windows%\system32\Com directory. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1547.006"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the comadmin.dat file written to disk, which is related to Snake Malware. From the report, Snakes installer drops the kernel driver and a custom DLL which is used to load the driver into a single AES encrypted file on disk. Typically, this file is named comadmin.dat and is stored in the %windows%\system32\Com directory. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -action.escu.known_false_positives = False positives may be present, filter as needed. -action.escu.creation_date = 2023-05-11 -action.escu.modification_date = 2023-05-11 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Snake Malware Kernel Driver Comadmin - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.atomic_red_team_guids = ["e5cb5564-cc7b-4050-86e8-f2d9eec1941f"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Snake Malware"] -action.risk = 1 -action.risk.param._risk_message = A kernel driver comadmin.dat related to Snake Malware was written to disk on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Snake Malware Kernel Driver Comadmin - Rule -action.correlationsearch.annotations = {"analytic_story": ["Snake Malware"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1547.006"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "628d9c7c-3242-43b5-9620-7234c080a726", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the comadmin.dat file written to disk, which is related to Snake Malware. From the report, Snakes installer drops the kernel driver and a custom DLL which is used to load the driver into a single AES encrypted file on disk. Typically, this file is named comadmin.dat and is stored in the %windows%\system32\Com directory. -action.notable.param.rule_title = Windows Snake Malware Kernel Driver Comadmin -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_path="*\\windows\\system32\\com\\*" AND Filesystem.file_name="comadmin.dat" by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_snake_malware_kernel_driver_comadmin_filter` - -[ESCU - Windows Snake Malware Registry Modification wav OpenWithProgIds - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The follow analytic identifies the registry being modified at .wav\\OpenWithProgIds\, which is related to the Snake Malware campaign. Upon execution, Snake's WerFault.exe will attempt to decrypt an encrypted blob within the Windows registry that is typically found at HKLM:\SOFTWARE\Classes\.wav\OpenWithProgIds. The encrypted data includes the AES key, IV, and path that is used to find and decrypt the file containing Snake's kernel driver and kernel driver loader. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The follow analytic identifies the registry being modified at .wav\\OpenWithProgIds\, which is related to the Snake Malware campaign. Upon execution, Snake's WerFault.exe will attempt to decrypt an encrypted blob within the Windows registry that is typically found at HKLM:\SOFTWARE\Classes\.wav\OpenWithProgIds. The encrypted data includes the AES key, IV, and path that is used to find and decrypt the file containing Snake's kernel driver and kernel driver loader. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -action.escu.known_false_positives = False positives may be present and will require tuning based on program Ids in large organizations. -action.escu.creation_date = 2023-05-10 -action.escu.modification_date = 2023-05-10 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Snake Malware Registry Modification wav OpenWithProgIds - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.atomic_red_team_guids = ["8318ad20-0488-4a64-98f4-72525a012f6b"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Snake Malware"] -action.risk = 1 -action.risk.param._risk_message = A registry modification related to Snake Malware has been identified on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Snake Malware Registry Modification wav OpenWithProgIds - Rule -action.correlationsearch.annotations = {"analytic_story": ["Snake Malware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "13cf8b79-805d-443c-bf52-f55bd7610dfd", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The follow analytic identifies the registry being modified at .wav\\OpenWithProgIds\, which is related to the Snake Malware campaign. Upon execution, Snake's WerFault.exe will attempt to decrypt an encrypted blob within the Windows registry that is typically found at HKLM:\SOFTWARE\Classes\.wav\OpenWithProgIds. The encrypted data includes the AES key, IV, and path that is used to find and decrypt the file containing Snake's kernel driver and kernel driver loader. -action.notable.param.rule_title = Windows Snake Malware Registry Modification wav OpenWithProgIds -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\.wav\\OpenWithProgIds\\*" by Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `windows_snake_malware_registry_modification_wav_openwithprogids_filter` - -[ESCU - Windows Snake Malware Service Create - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a new service WerFaultSvc being created with a binary path located in the windows winsxs path. Per the report, the Snake version primarily discussed in this advisory registers a service to maintain persistence on a system. Typically this service is named WerFaultSvc which we assess was used to blend in with the legitimate Windows service WerSvc. On boot, this service will execute Snakes WerFault.exe, which Snake developers chose to hide among the numerous valid Windows WerFault.exe files in the windows WinSxS directory. Executing WerFault.exe will start the process of decrypting Snakes components and loading them into memory. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1547.006", "T1569.002"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies a new service WerFaultSvc being created with a binary path located in the windows winsxs path. Per the report, the Snake version primarily discussed in this advisory registers a service to maintain persistence on a system. Typically this service is named WerFaultSvc which we assess was used to blend in with the legitimate Windows service WerSvc. On boot, this service will execute Snakes WerFault.exe, which Snake developers chose to hide among the numerous valid Windows WerFault.exe files in the windows WinSxS directory. Executing WerFault.exe will start the process of decrypting Snakes components and loading them into memory. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Windows System logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints. -action.escu.known_false_positives = False positives should be limited as this is a strict primary indicator used by Snake Malware. -action.escu.creation_date = 2023-05-11 -action.escu.modification_date = 2023-05-11 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Snake Malware Service Create - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.atomic_red_team_guids = ["b8db787e-dbea-493c-96cb-9272296ddc49"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Snake Malware"] -action.risk = 1 -action.risk.param._risk_message = A service, WerFaultSvc, was created on $dest$ and is related to Snake Malware. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Snake Malware Service Create - Rule -action.correlationsearch.annotations = {"analytic_story": ["Snake Malware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1547.006", "T1569.002"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "64eb091f-8cab-4b41-9b09-8fb4942377df", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a new service WerFaultSvc being created with a binary path located in the windows winsxs path. Per the report, the Snake version primarily discussed in this advisory registers a service to maintain persistence on a system. Typically this service is named WerFaultSvc which we assess was used to blend in with the legitimate Windows service WerSvc. On boot, this service will execute Snakes WerFault.exe, which Snake developers chose to hide among the numerous valid Windows WerFault.exe files in the windows WinSxS directory. Executing WerFault.exe will start the process of decrypting Snakes components and loading them into memory. -action.notable.param.rule_title = Windows Snake Malware Service Create -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_system` EventCode=7045 ImagePath="*\\windows\\winSxS\\*" ImagePath="*\Werfault.exe" | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ImagePath ServiceName ServiceType | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_snake_malware_service_create_filter` - -[ESCU - Windows SOAPHound Binary Execution - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the common command-line argument used by SOAPHound `soaphound.exe`. Being the script is publicly available, function names may be modified, but these changes are dependent upon the operator. In most instances the defaults are used. It does not cover the entirety of every argument in order to avoid false positives. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the common command-line argument used by SOAPHound `soaphound.exe`. Being the script is publicly available, function names may be modified, but these changes are dependent upon the operator. In most instances the defaults are used. It does not cover the entirety of every argument in order to avoid false positives. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives should be limited as the command-line arguments are specific to SOAPHound. Filter as needed. -action.escu.creation_date = 2024-03-14 -action.escu.modification_date = 2024-03-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows SOAPHound Binary Execution - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Windows Discovery Techniques"] -action.risk = 1 -action.risk.param._risk_message = The process $process_name$ was executed on $dest$ related to SOAPHound. -action.risk.param._risk = [{"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows SOAPHound Binary Execution - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Discovery Techniques"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "8e53f839-e127-4d6d-a54d-a2f67044a57f", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the common command-line argument used by SOAPHound `soaphound.exe`. Being the script is publicly available, function names may be modified, but these changes are dependent upon the operator. In most instances the defaults are used. It does not cover the entirety of every argument in order to avoid false positives. -action.notable.param.rule_title = Windows SOAPHound Binary Execution -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name="soaphound.exe" OR Processes.original_file_name="soaphound.exe" AND Processes.process IN ("*--buildcache *", "*--bhdump *", "*--certdump *", "*--dnsdump *", "*-c *", "*--cachefilename *", "*-o *", "*--outputdirectory *") by Processes.process Processes.dest Processes.process_current_directory Processes.process_name Processes.process_path Processes.process_integrity_level Processes.parent_process Processes.parent_process_path Processes.parent_process_guid Processes.parent_process_id Processes.process_guid Processes.process_id Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_soaphound_binary_execution_filter` - -[ESCU - Windows Spearphishing Attachment Connect To None MS Office Domain - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = this detection was designed to identifies suspicious office documents that connect to a website aside from Microsoft Office Domain. This technique was seen in several malicious documents that abuses .rels xml properties of MS office to connect or download malicious files. This hunting query can be a good pivot or guide to check what URL link it tries to connect, what domain, where the documents came from and how the connection happens. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = this detection was designed to identifies suspicious office documents that connect to a website aside from Microsoft Office Domain. This technique was seen in several malicious documents that abuses .rels xml properties of MS office to connect or download malicious files. This hunting query can be a good pivot or guide to check what URL link it tries to connect, what domain, where the documents came from and how the connection happens. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -action.escu.known_false_positives = Windows Office document may contain legitimate url link other than MS office Domain. filter is needed -action.escu.creation_date = 2023-02-15 -action.escu.modification_date = 2023-02-15 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Spearphishing Attachment Connect To None MS Office Domain - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["AsyncRAT", "Spearphishing Attachments"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Spearphishing Attachment Connect To None MS Office Domain - Rule -action.correlationsearch.annotations = {"analytic_story": ["AsyncRAT", "Spearphishing Attachments"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "1cb40e15-cffa-45cc-abbd-e35884a49766", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=22 Image IN ("*\\winword.exe","*\\excel.exe","*\\powerpnt.exe","*\\mspub.exe","*\\visio.exe","*\\wordpad.exe","*\\wordview.exe","*\\onenote.exe", "*\\onenotem.exe","*\\onenoteviewer.exe","*\\onenoteim.exe", "*\\msaccess.exe") AND NOT(QueryName IN ("*.office.com", "*.office.net")) | stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName QueryResults QueryStatus Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_spearphishing_attachment_connect_to_none_ms_office_domain_filter` - -[ESCU - Windows Spearphishing Attachment Onenote Spawn Mshta - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following detection identifies the latest behavior utilized by different malware families (including TA551, AsyncRat, Redline and DCRAT). This detection identifies onenote Office Product spawning `mshta.exe`. In malicious instances, the command-line of `mshta.exe` will contain the `hta` file locally, or a URL to the remote destination. In addition, Threat Research has released a detections identifying suspicious use of `mshta.exe`. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. The Office Product, or `mshta.exe` will have reached out to a remote destination, capture and block the IPs or domain. Review additional parallel processes for further activity. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following detection identifies the latest behavior utilized by different malware families (including TA551, AsyncRat, Redline and DCRAT). This detection identifies onenote Office Product spawning `mshta.exe`. In malicious instances, the command-line of `mshta.exe` will contain the `hta` file locally, or a URL to the remote destination. In addition, Threat Research has released a detections identifying suspicious use of `mshta.exe`. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. The Office Product, or `mshta.exe` will have reached out to a remote destination, capture and block the IPs or domain. Review additional parallel processes for further activity. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = No false positives known. Filter as needed. -action.escu.creation_date = 2023-01-24 -action.escu.modification_date = 2023-01-24 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Spearphishing Attachment Onenote Spawn Mshta - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["AsyncRAT", "Spearphishing Attachments"] -action.risk = 1 -action.risk.param._risk_message = office parent process $parent_process_name$ will execute a suspicious child process $process_name$ with process id $process_id$ in host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 81}, {"threat_object_field": "process_name", "threat_object_type": "process"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Spearphishing Attachment Onenote Spawn Mshta - Rule -action.correlationsearch.annotations = {"analytic_story": ["AsyncRAT", "Spearphishing Attachments"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "35aeb0e7-7de5-444a-ac45-24d6788796ec", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following detection identifies the latest behavior utilized by different malware families (including TA551, AsyncRat, Redline and DCRAT). This detection identifies onenote Office Product spawning `mshta.exe`. In malicious instances, the command-line of `mshta.exe` will contain the `hta` file locally, or a URL to the remote destination. In addition, Threat Research has released a detections identifying suspicious use of `mshta.exe`. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. The Office Product, or `mshta.exe` will have reached out to a remote destination, capture and block the IPs or domain. Review additional parallel processes for further activity. -action.notable.param.rule_title = Windows Spearphishing Attachment Onenote Spawn Mshta -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("onenote.exe", "onenotem.exe") `process_mshta` by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_spearphishing_attachment_onenote_spawn_mshta_filter` - -[ESCU - Windows Special Privileged Logon On Multiple Hosts - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic leverages Event ID 4672 to identify a source user authenticating with special privileges across a large number remote endpoints. Specifically, the logic will trigger when a source user obtains special privileges across 30 or more target computers within a 5 minute timespan. Special privileges are assigned to a new logon session when sensitive privileges like SeDebugPrivilege and SeImpersonatePrivilege are assigned. This behavior could represent an adversary who is moving laterally and executing remote code across the network. It can also be triggered by other behavior like an adversary enumerating network shares. As environments differ across organizations, security teams should customize the thresholds of this detection as needed. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1021.002", "T1135"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic leverages Event ID 4672 to identify a source user authenticating with special privileges across a large number remote endpoints. Specifically, the logic will trigger when a source user obtains special privileges across 30 or more target computers within a 5 minute timespan. Special privileges are assigned to a new logon session when sensitive privileges like SeDebugPrivilege and SeImpersonatePrivilege are assigned. This behavior could represent an adversary who is moving laterally and executing remote code across the network. It can also be triggered by other behavior like an adversary enumerating network shares. As environments differ across organizations, security teams should customize the thresholds of this detection as needed. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting special logon events. The Advanced Security Audit policy setting `Audit Special Logon` within `Logon/Logoff` need to be enabled. -action.escu.known_false_positives = Vulnerability scanners or system administration tools may also trigger this detection. Filter as needed. -action.escu.creation_date = 2023-11-07 -action.escu.modification_date = 2023-11-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Special Privileged Logon On Multiple Hosts - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Lateral Movement", "Active Directory Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = A user $user$ obtained special privileges on a large number of endpoints (Count: $unique_targets$) within 5 minutes. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Special Privileged Logon On Multiple Hosts - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1021.002", "T1135"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "4c461f5a-c2cc-4e86-b132-c262fc9edca7", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic leverages Event ID 4672 to identify a source user authenticating with special privileges across a large number remote endpoints. Specifically, the logic will trigger when a source user obtains special privileges across 30 or more target computers within a 5 minute timespan. Special privileges are assigned to a new logon session when sensitive privileges like SeDebugPrivilege and SeImpersonatePrivilege are assigned. This behavior could represent an adversary who is moving laterally and executing remote code across the network. It can also be triggered by other behavior like an adversary enumerating network shares. As environments differ across organizations, security teams should customize the thresholds of this detection as needed. -action.notable.param.rule_title = Windows Special Privileged Logon On Multiple Hosts -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4672 AND NOT(Caller_User_Name IN ("DWM-1","DWM-2","DWM-3","LOCAL SERVICE","NETWORK SERVICE","SYSTEM","*$")) | bucket span=5m _time | stats dc(Computer) AS unique_targets values(Computer) as dest values(PrivilegeList) as privileges by _time, Caller_User_Name | rename Caller_User_Name as user| where unique_targets > 30 | `windows_special_privileged_logon_on_multiple_hosts_filter` - -[ESCU - Windows SQL Spawning CertUtil - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic detects the use of certutil to download software, a behavior exhibited by the threat actor Flax Typhoon. This actor deploys a VPN connection by downloading an executable file for SoftEther VPN from their network infrastructure using one of several LOLBins, including certutil. The actor then uses the Service Control Manager (SCM) to create a Windows service that launches the VPN connection automatically when the system starts. This behavior allows the actor to monitor the availability of the compromised system and establish an RDP connection. This analytic identifies this behavior by monitoring for the use of certutil in conjunction with the downloading of software. This behavior is worth identifying for a SOC as it indicates a potential compromise of the system and the establishment of a persistent threat. If a true positive is found, it suggests an attacker has gained access to the environment and is attempting to maintain that access, potentially leading to further malicious activities such as data theft or ransomware attacks. Be aware of potential false positives - legitimate uses of certutil in your environment may cause benign activities to be flagged. Upon triage, review the command executed and look for concurrent processes to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the use of certutil to download software, a behavior exhibited by the threat actor Flax Typhoon. This actor deploys a VPN connection by downloading an executable file for SoftEther VPN from their network infrastructure using one of several LOLBins, including certutil. The actor then uses the Service Control Manager (SCM) to create a Windows service that launches the VPN connection automatically when the system starts. This behavior allows the actor to monitor the availability of the compromised system and establish an RDP connection. This analytic identifies this behavior by monitoring for the use of certutil in conjunction with the downloading of software. This behavior is worth identifying for a SOC as it indicates a potential compromise of the system and the establishment of a persistent threat. If a true positive is found, it suggests an attacker has gained access to the environment and is attempting to maintain that access, potentially leading to further malicious activities such as data theft or ransomware attacks. Be aware of potential false positives - legitimate uses of certutil in your environment may cause benign activities to be flagged. Upon triage, review the command executed and look for concurrent processes to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = The occurrence of false positives should be minimal, given that the SQL agent does not typically download software using CertUtil. -action.escu.creation_date = 2023-08-25 -action.escu.modification_date = 2023-08-25 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows SQL Spawning CertUtil - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Flax Typhoon"] -action.risk = 1 -action.risk.param._risk_message = $process_name$ was launched on $dest$ by $user$. This behavior is uncommon with the SQL process identified. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 90}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 90}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 90}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Windows SQL Spawning CertUtil - Rule -action.correlationsearch.annotations = {"analytic_story": ["Flax Typhoon"], "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "dfc18a5a-946e-44ee-a373-c0f60d06e676", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the use of certutil to download software, a behavior exhibited by the threat actor Flax Typhoon. This actor deploys a VPN connection by downloading an executable file for SoftEther VPN from their network infrastructure using one of several LOLBins, including certutil. The actor then uses the Service Control Manager (SCM) to create a Windows service that launches the VPN connection automatically when the system starts. This behavior allows the actor to monitor the availability of the compromised system and establish an RDP connection. This analytic identifies this behavior by monitoring for the use of certutil in conjunction with the downloading of software. This behavior is worth identifying for a SOC as it indicates a potential compromise of the system and the establishment of a persistent threat. If a true positive is found, it suggests an attacker has gained access to the environment and is attempting to maintain that access, potentially leading to further malicious activities such as data theft or ransomware attacks. Be aware of potential false positives - legitimate uses of certutil in your environment may cause benign activities to be flagged. Upon triage, review the command executed and look for concurrent processes to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks. -action.notable.param.rule_title = Windows SQL Spawning CertUtil -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("sqlservr.exe", "sqlagent.exe", "sqlps.exe", "launchpad.exe", "sqldumper.exe") `process_certutil` (Processes.process=*urlcache* Processes.process=*split*) OR Processes.process=*urlcache* by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.original_file_name Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_sql_spawning_certutil_filter` - -[ESCU - Windows SqlWriter SQLDumper DLL Sideload - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the abuse of SqlWriter and SQLDumper executables to sideload the vcruntime140.dll library. This technique is commonly used by adversaries to load malicious code into a legitimate process. The analytic searches for EventCode 7 from Sysmon logs where the Image is either SQLDumper.exe or SQLWriter.exe and the ImageLoaded is vcruntime140.dll. The search also filters out the legitimate loading of vcruntime140.dll from the System32 directory to reduce false positives. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.002"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies the abuse of SqlWriter and SQLDumper executables to sideload the vcruntime140.dll library. This technique is commonly used by adversaries to load malicious code into a legitimate process. The analytic searches for EventCode 7 from Sysmon logs where the Image is either SQLDumper.exe or SQLWriter.exe and the ImageLoaded is vcruntime140.dll. The search also filters out the legitimate loading of vcruntime140.dll from the System32 directory to reduce false positives. -action.escu.how_to_implement = The analytic is designed to be run against Sysmon event logs collected from endpoints. The analytic requires the Sysmon event logs to be ingested into Splunk. The analytic searches for EventCode 7 where the Image is either SQLDumper.exe or SQLWriter.exe and the ImageLoaded is vcruntime140.dll. The search also filters out the legitimate loading of vcruntime140.dll from the System32 directory to reduce false positives. The analytic can be modified to include additional known good paths for vcruntime140.dll to further reduce false positives. -action.escu.known_false_positives = False positives are possible if legitimate processes are loading vcruntime140.dll from non-standard directories. It is recommended to investigate the context of the process loading vcruntime140.dll to determine if it is malicious or not. Modify the search to include additional known good paths for vcruntime140.dll to reduce false positives. -action.escu.creation_date = 2024-03-25 -action.escu.modification_date = 2024-03-25 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows SqlWriter SQLDumper DLL Sideload - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["APT29 Diplomatic Deceptions with WINELOADER"] -action.risk = 1 -action.risk.param._risk_message = An instance of $Image$ loading $ImageLoaded$ was detected on $dest$. -action.risk.param._risk = [{"threat_object_field": "Image", "threat_object_type": "file_name"}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows SqlWriter SQLDumper DLL Sideload - Rule -action.correlationsearch.annotations = {"analytic_story": ["APT29 Diplomatic Deceptions with WINELOADER"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.002"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "2ed89ba9-c6c7-46aa-9f08-a2a1c2955aa3", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the abuse of SqlWriter and SQLDumper executables to sideload the vcruntime140.dll library. This technique is commonly used by adversaries to load malicious code into a legitimate process. The analytic searches for EventCode 7 from Sysmon logs where the Image is either SQLDumper.exe or SQLWriter.exe and the ImageLoaded is vcruntime140.dll. The search also filters out the legitimate loading of vcruntime140.dll from the System32 directory to reduce false positives. -action.notable.param.rule_title = Windows SqlWriter SQLDumper DLL Sideload -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=7 (Image="*\\SQLDumper.exe" OR Image="*\\SQLWriter.exe") ImageLoaded="*\\vcruntime140.dll" NOT ImageLoaded="C:\\Windows\\System32\\*" | stats values(ImageLoaded) count min(_time) as firstTime max(_time) as lastTime by Image,ImageLoaded, user, Computer, EventCode | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_sqlwriter_sqldumper_dll_sideload_filter` - -[ESCU - Windows Steal Authentication Certificates - ESC1 Abuse - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies when a new certificate is requested and/or granted against the Active Directory Certificate Services (AD CS) using a Subject Alternative Name (SAN). This action by its self is not malicious, however improperly configured certificate templates can be abused to permit privilege escalation and environment compromise due to over permissive settings (AD CS ESC1) -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1649"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies when a new certificate is requested and/or granted against the Active Directory Certificate Services (AD CS) using a Subject Alternative Name (SAN). This action by its self is not malicious, however improperly configured certificate templates can be abused to permit privilege escalation and environment compromise due to over permissive settings (AD CS ESC1) -action.escu.how_to_implement = To implement this analytic, enhanced Audit Logging must be enabled on AD CS and within Group Policy Management for CS server. See Page 115 of first reference. Recommend throttle correlation by RequestId/ssl_serial at minimum. -action.escu.known_false_positives = False positives may be generated in environments where administrative users or processes are allowed to generate certificates with Subject Alternative Names. Sources or templates used in these processes may need to be tuned out for accurate function. -action.escu.creation_date = 2024-01-03 -action.escu.modification_date = 2024-01-03 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Steal Authentication Certificates - ESC1 Abuse - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Windows Certificate Services"] -action.risk = 1 -action.risk.param._risk_message = Possible AD CS ESC1 activity by $src_user$ - $flavor_text$ -action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "system", "risk_score": 60}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 60}, {"risk_object_field": "src_user", "risk_object_type": "other", "risk_score": 60}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Steal Authentication Certificates - ESC1 Abuse - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Certificate Services"], "cis20": ["CIS 10"], "confidence": 60, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1649"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "cbe761fc-d945-4c8c-a71d-e26d12255d32", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies when a new certificate is requested and/or granted against the Active Directory Certificate Services (AD CS) using a Subject Alternative Name (SAN). This action by its self is not malicious, however improperly configured certificate templates can be abused to permit privilege escalation and environment compromise due to over permissive settings (AD CS ESC1) -action.notable.param.rule_title = Windows Steal Authentication Certificates - ESC1 Abuse -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode IN (4886,4887) Attributes="*SAN:*upn*" Attributes="*CertificateTemplate:*" | stats count min(_time) as firstTime max(_time) as lastTime values(name) as name values(status) as status values(Subject) as ssl_subject values(SubjectKeyIdentifier) as ssl_hash by Computer, EventCode, Requester, Attributes, RequestId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| fillnull | rex field=Attributes "(?i)CertificateTemplate:(?[^\r\n]+)" | rex field=Attributes "(?i)ccm:(?[^\r\n]+)" | rex max_match=10 field=Attributes "(?i)(upn=(?[^\r\n&]+))" | rex max_match=10 field=Attributes "(?i)(dns=(?[^\r\n&]+))" | rex field=Requester "(.+\\\\)?(?[^\r\n]+)" | eval flavor_text = case(EventCode=="4886","A suspicious certificate was requested using request ID: ".'RequestId',EventCode=="4887", "A suspicious certificate was issued using request ID: ".'RequestId'.". To revoke this certifacte use this request ID or the SSL fingerprint [".'ssl_hash'."]"), dest = upper(coalesce(req_dest_1,req_dest_2)), src = upper(coalesce(req_src,Computer)) | fields - req_* | rename Attributes as object_attrs, EventCode as signature_id, name as signature, RequestId as ssl_serial, Requester as ssl_subject_common_name| `windows_steal_authentication_certificates___esc1_abuse_filter` - -[ESCU - Windows Steal Authentication Certificates - ESC1 Authentication - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies when a suspicious certificate is granted using Active Directory Certificate Services (AD CS) with a Subject Alternative Name (SAN) and then immediately used for authentication. This action alone may not be malicious, however improperly configured certificate templates can be abused to permit privilege escalation and environment compromise due to over permissive settings (AD CS ESC1). -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1649", "T1550"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies when a suspicious certificate is granted using Active Directory Certificate Services (AD CS) with a Subject Alternative Name (SAN) and then immediately used for authentication. This action alone may not be malicious, however improperly configured certificate templates can be abused to permit privilege escalation and environment compromise due to over permissive settings (AD CS ESC1). -action.escu.how_to_implement = To implement this analytic, enhanced Audit Logging must be enabled on AD CS and within Group Policy Management for CS server. See Page 115 of first reference. Recommend throttle correlation by RequestId/ssl_serial at minimum. -action.escu.known_false_positives = False positives may be generated in environments where administrative users or processes are allowed to generate certificates with Subject Alternative Names for authentication. Sources or templates used in these processes may need to be tuned out for accurate function. -action.escu.creation_date = 2023-05-25 -action.escu.modification_date = 2023-05-25 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Steal Authentication Certificates - ESC1 Authentication - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Windows Certificate Services"] -action.risk = 1 -action.risk.param._risk_message = Possible AD CS ESC1 authentication on $dest$ -action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "system", "risk_score": 90}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 90}, {"risk_object_field": "src_user", "risk_object_type": "user", "risk_score": 90}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 90}, {"risk_object_field": "ssl_hash", "risk_object_type": "other", "risk_score": 90}, {"risk_object_field": "ssl_serial", "risk_object_type": "other", "risk_score": 90}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Steal Authentication Certificates - ESC1 Authentication - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Certificate Services"], "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1649", "T1550"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "f0306acf-a6ab-437a-bbc6-8628f8d5c97e", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies when a suspicious certificate is granted using Active Directory Certificate Services (AD CS) with a Subject Alternative Name (SAN) and then immediately used for authentication. This action alone may not be malicious, however improperly configured certificate templates can be abused to permit privilege escalation and environment compromise due to over permissive settings (AD CS ESC1). -action.notable.param.rule_title = Windows Steal Authentication Certificates - ESC1 Authentication -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode IN (4887) Attributes="*SAN:*upn*" Attributes="*CertificateTemplate:*" | stats count min(_time) as firstTime max(_time) as lastTime values(name) as name values(status) as status values(Subject) as ssl_subject values(SubjectKeyIdentifier) as ssl_hash by Computer, EventCode, Requester, Attributes, RequestId | rex field=Attributes "(?i)CertificateTemplate:(?[^\r\n]+)" | rex field=Attributes "(?i)ccm:(?[^\r\n]+)" | rex max_match=10 field=Attributes "(?i)(upn=(?[^\r\n&]+))" | rex max_match=10 field=Attributes "(?i)(dns=(?[^\r\n&]+))" | rex field=Requester "(.+\\\\)?(?[^\r\n]+)" | rename Attributes as object_attrs, EventCode as signature_id, name as signature, RequestId as ssl_serial, Requester as ssl_subject_common_name | eval user = lower(coalesce(req_user_1,req_user_2)) | join user [ | search `wineventlog_security` EventCode=4768 CertThumbprint=* | rename TargetUserName as user, Computer as auth_dest, IpAddress as auth_src | fields auth_src,auth_dest,user ] | eval src = upper(coalesce(auth_src,req_src)), dest = upper(coalesce(auth_dest,req_dest_1,req_dest_2)), risk_score = 90 | eval flavor_text = case(signature_id=="4887", "User account [".'user'."] authenticated after a suspicious certificate was issued for it by [".'src_user'."] using certificate request ID: ".'ssl_serial') | fields - req_* auth_* | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates___esc1_authentication_filter` - -[ESCU - Windows Steal Authentication Certificates Certificate Issued - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies when a new certificate is issued against the Certificate Services - AD CS. By its very nature this is not malicious, but should be tracked and correlated with other events related to certificates being issued. When the CA issues the certificate, it creates EID 4887 'Certificate Services approved a certificate request and issued a certificate". The event supplies the requester user context, the DNS hostname of the machine they requested the certificate from, and the time they requested the certificate. The attributes fields in these event commonly has values for CDC, RMD, and CCM which correspond to Client DC, Request Machine DNS name, and Cert Client Machine, respectively. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1649"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies when a new certificate is issued against the Certificate Services - AD CS. By its very nature this is not malicious, but should be tracked and correlated with other events related to certificates being issued. When the CA issues the certificate, it creates EID 4887 'Certificate Services approved a certificate request and issued a certificate". The event supplies the requester user context, the DNS hostname of the machine they requested the certificate from, and the time they requested the certificate. The attributes fields in these event commonly has values for CDC, RMD, and CCM which correspond to Client DC, Request Machine DNS name, and Cert Client Machine, respectively. -action.escu.how_to_implement = To implement this analytic, enhanced Audit Logging must be enabled on AD CS and within Group Policy Management for CS server. See Page 115 of first reference. -action.escu.known_false_positives = False positives will be generated based on normal certificates issued. Leave enabled to generate Risk, as this is meant to be an anomaly analytic. -action.escu.creation_date = 2023-02-06 -action.escu.modification_date = 2023-02-06 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Steal Authentication Certificates Certificate Issued - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Windows Certificate Services"] -action.risk = 1 -action.risk.param._risk_message = A certificate was issued to $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 8}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Steal Authentication Certificates Certificate Issued - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Certificate Services"], "cis20": ["CIS 10"], "confidence": 80, "impact": 10, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1649"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "9b1a5385-0c31-4c39-9753-dc26b8ce64c2", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4887 | stats count min(_time) as firstTime max(_time) as lastTime by dest, name, Requester, action, Attributes, Subject | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_steal_authentication_certificates_certificate_issued_filter` - -[ESCU - Windows Steal Authentication Certificates Certificate Request - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies when a new certificate is requested against the Certificate Services - AD CS. By its very nature this is not malicious, but should be tracked and correlated with other events related to certificate requests. When an account requests a certificate, the CA generates event ID (EID) 4886 "Certificate Services received a certificate request". -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1649"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies when a new certificate is requested against the Certificate Services - AD CS. By its very nature this is not malicious, but should be tracked and correlated with other events related to certificate requests. When an account requests a certificate, the CA generates event ID (EID) 4886 "Certificate Services received a certificate request". -action.escu.how_to_implement = To implement this analytic, enhanced Audit Logging must be enabled on AD CS and within Group Policy Management for CS server. See Page 115 of first reference. -action.escu.known_false_positives = False positives will be generated based on normal certificate requests. Leave enabled to generate Risk, as this is meant to be an anomaly analytic. -action.escu.creation_date = 2023-02-06 -action.escu.modification_date = 2023-02-06 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Steal Authentication Certificates Certificate Request - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Windows Certificate Services"] -action.risk = 1 -action.risk.param._risk_message = A certificate was requested by $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 8}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Steal Authentication Certificates Certificate Request - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Certificate Services"], "cis20": ["CIS 10"], "confidence": 80, "impact": 10, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1649"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "747d7800-2eaa-422d-b994-04d8bb9e06d0", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4886 | stats count min(_time) as firstTime max(_time) as lastTime by dest, name, Requester, action, Attributes | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates_certificate_request_filter` - -[ESCU - Windows Steal Authentication Certificates CertUtil Backup - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects CertUtil.exe performing a backup of the Certificate Store. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line executions involving CertUtil with backup parameters. This activity is significant because it may indicate an attempt to steal authentication certificates, which are critical for secure communications. If confirmed malicious, an attacker could use the stolen certificates to impersonate users, decrypt sensitive data, or gain unauthorized access to systems, leading to severe security breaches. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1649"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects CertUtil.exe performing a backup of the Certificate Store. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line executions involving CertUtil with backup parameters. This activity is significant because it may indicate an attempt to steal authentication certificates, which are critical for secure communications. If confirmed malicious, an attacker could use the stolen certificates to impersonate users, decrypt sensitive data, or gain unauthorized access to systems, leading to severe security breaches. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives will be generated based on normal certificate store backups. Leave enabled to generate Risk, as this is meant to be an anomaly analytic. If CS backups are not normal, enable as TTP. -action.escu.creation_date = 2024-05-04 -action.escu.modification_date = 2024-05-04 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Steal Authentication Certificates CertUtil Backup - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Windows Certificate Services"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to backup the Certificate Store. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 40}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 40}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 40}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 40}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Steal Authentication Certificates CertUtil Backup - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Certificate Services"], "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1649"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "bac85b56-0b65-4ce5-aad5-d94880df0967", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` Processes.process IN ("*-backupdb *", "*-backup *") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates_certutil_backup_filter` - -[ESCU - Windows Steal Authentication Certificates CryptoAPI - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic utilizes a Windows Event Log - CAPI2 - or CryptoAPI 2, to identify suspicious certificate extraction. Typically, this event log is meant for diagnosing PKI issues, however is a great source to identify certificate exports. Note that this event log is noisy as it captures common PKI requests from many different processes. EventID 70 is generated anytime a certificate is exported. The description for EventID 70 is "Acquire Certificate Private Key". STRT tested this analytic using Mimikatz binary and the implementation of Mimikatz in Cobalt Strike. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1649"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic utilizes a Windows Event Log - CAPI2 - or CryptoAPI 2, to identify suspicious certificate extraction. Typically, this event log is meant for diagnosing PKI issues, however is a great source to identify certificate exports. Note that this event log is noisy as it captures common PKI requests from many different processes. EventID 70 is generated anytime a certificate is exported. The description for EventID 70 is "Acquire Certificate Private Key". STRT tested this analytic using Mimikatz binary and the implementation of Mimikatz in Cobalt Strike. -action.escu.how_to_implement = To implement this analytic, one will need to enable the Microsoft-Windows-CAPI2/Operational log within the Windows Event Log. Note this is a debug log for many purposes, and the analytic only focuses in on EventID 70. Review the following gist for additional enabling information. -action.escu.known_false_positives = False positives may be present in some instances of legitimate applications requiring to export certificates. Filter as needed. -action.escu.creation_date = 2023-02-08 -action.escu.modification_date = 2023-02-08 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Steal Authentication Certificates CryptoAPI - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Windows Certificate Services"] -action.risk = 1 -action.risk.param._risk_message = Certificates were exported via the CryptoAPI 2 on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 24}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Steal Authentication Certificates CryptoAPI - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Certificate Services"], "cis20": ["CIS 10"], "confidence": 80, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1649"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "905d5692-6d7c-432f-bc7e-a6b4f464d40e", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `capi2_operational` EventCode=70 | xmlkv UserData_Xml | stats count min(_time) as firstTime max(_time) as lastTime by Computer, UserData_Xml | rename Computer as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates_cryptoapi_filter` - -[ESCU - Windows Steal Authentication Certificates CS Backup - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the backup of the Active Directory Certificate Services (AD CS) store, detected via Event ID 4876. This event is logged when a backup is performed using the CertSrv.msc UI or the CertUtil.exe -BackupDB command. Monitoring this activity is crucial as unauthorized backups can indicate an attempt to steal authentication certificates, which are critical for secure communications. If confirmed malicious, this activity could allow an attacker to impersonate users, escalate privileges, or access sensitive information, severely compromising the security of the environment. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1649"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies the backup of the Active Directory Certificate Services (AD CS) store, detected via Event ID 4876. This event is logged when a backup is performed using the CertSrv.msc UI or the CertUtil.exe -BackupDB command. Monitoring this activity is crucial as unauthorized backups can indicate an attempt to steal authentication certificates, which are critical for secure communications. If confirmed malicious, this activity could allow an attacker to impersonate users, escalate privileges, or access sensitive information, severely compromising the security of the environment. -action.escu.how_to_implement = To implement this analytic, enhanced Audit Logging must be enabled on AD CS and within Group Policy Management for CS server. See Page 128 of first reference. -action.escu.known_false_positives = False positives will be generated based on normal certificate store backups. Leave enabled to generate Risk, as this is meant to be an anomaly analytic. If CS backups are not normal, enable as TTP. -action.escu.creation_date = 2024-05-11 -action.escu.modification_date = 2024-05-11 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Steal Authentication Certificates CS Backup - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Windows Certificate Services"] -action.risk = 1 -action.risk.param._risk_message = The Active Directory Certiciate Services was backed up on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 40}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Steal Authentication Certificates CS Backup - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Certificate Services"], "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1649"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a2f4cc7f-6503-4078-b206-f83a29f408a7", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4876| stats count min(_time) as firstTime max(_time) as lastTime by dest, name, action, Caller_Domain ,Caller_User_Name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates_cs_backup_filter` - -[ESCU - Windows Steal Authentication Certificates Export Certificate - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the use of the PowerShell cmdlet 'export-certificate' executed via the command line, indicating an attempt to export a certificate from the local Windows Certificate Store. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. Exporting certificates is significant as it may indicate credential theft or preparation for man-in-the-middle attacks. If confirmed malicious, this activity could allow an attacker to impersonate users, decrypt sensitive communications, or gain unauthorized access to systems and data. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1649"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the use of the PowerShell cmdlet 'export-certificate' executed via the command line, indicating an attempt to export a certificate from the local Windows Certificate Store. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. Exporting certificates is significant as it may indicate credential theft or preparation for man-in-the-middle attacks. If confirmed malicious, this activity could allow an attacker to impersonate users, decrypt sensitive communications, or gain unauthorized access to systems and data. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Filtering may be requried based on automated utilities and third party applications that may export certificates. -action.escu.creation_date = 2024-05-10 -action.escu.modification_date = 2024-05-10 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Steal Authentication Certificates Export Certificate - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Windows Certificate Services"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to export a certificate from the local Windows Certificate Store. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 36}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 36}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 36}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 36}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Steal Authentication Certificates Export Certificate - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Certificate Services"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1649"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e39dc429-c2a5-4f1f-9c3c-6b211af6b332", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*export-certificate*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates_export_certificate_filter` - -[ESCU - Windows Steal Authentication Certificates Export PfxCertificate - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the use of the PowerShell cmdlet `export-pfxcertificate` on the command line, indicating an attempt to export a certificate from the local Windows Certificate Store. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant as it may indicate an attempt to exfiltrate authentication certificates, which can be used to impersonate users or decrypt sensitive data. If confirmed malicious, this could lead to unauthorized access and potential data breaches. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1649"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the use of the PowerShell cmdlet `export-pfxcertificate` on the command line, indicating an attempt to export a certificate from the local Windows Certificate Store. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant as it may indicate an attempt to exfiltrate authentication certificates, which can be used to impersonate users or decrypt sensitive data. If confirmed malicious, this could lead to unauthorized access and potential data breaches. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Filtering may be requried based on automated utilities and third party applications that may export certificates. -action.escu.creation_date = 2024-05-15 -action.escu.modification_date = 2024-05-15 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Steal Authentication Certificates Export PfxCertificate - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Windows Certificate Services"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to export a certificate from the local Windows Certificate Store. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 36}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 36}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 36}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 36}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Steal Authentication Certificates Export PfxCertificate - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Certificate Services"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1649"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "391329f3-c14b-4b8d-8b37-ac5012637360", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*export-pfxcertificate*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates_export_pfxcertificate_filter` - -[ESCU - Windows Steal or Forge Kerberos Tickets Klist - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a process execution of Windows OS klist.exe tool. This tool is being abused or used by several post exploitation tool such as winpeas that being used by ransomware prestige to display or gather list of currently cached kerberos ticket. This cahced data can be used for lateral movement or even privilege escalation on the targeted host. This hunting query can be a good pivot in possible kerberos attack or pass the hash technique. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a process execution of Windows OS klist.exe tool. This tool is being abused or used by several post exploitation tool such as winpeas that being used by ransomware prestige to display or gather list of currently cached kerberos ticket. This cahced data can be used for lateral movement or even privilege escalation on the targeted host. This hunting query can be a good pivot in possible kerberos attack or pass the hash technique. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2022-11-30 -action.escu.modification_date = 2022-11-30 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Steal or Forge Kerberos Tickets Klist - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Prestige Ransomware", "Windows Post-Exploitation"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Steal or Forge Kerberos Tickets Klist - Rule -action.correlationsearch.annotations = {"analytic_story": ["Prestige Ransomware", "Windows Post-Exploitation"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "09d88404-1e29-46cb-806c-1eedbc85ad5d", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name="klist.exe" OR Processes.original_file_name = "klist.exe" Processes.parent_process_name IN ("cmd.exe", "powershell*") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_or_forge_kerberos_tickets_klist_filter` - -[ESCU - Windows Suspect Process With Authentication Traffic - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic identifies executables running from public or temporary locations that are communicating over windows domain authentication ports/protocol. The ports/protocols include LDAP(389), LDAPS(636), and Kerberos(88). Authentications from applications running from user controlled locations may not be malicious, however actors often attempt to access domain resources after initial compromise from executables in these locations. Most attacker toolkits offer some degree of interaction with AD/LDAP. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1087", "T1087.002", "T1204", "T1204.002"], "nist": ["DE.AE"]} -action.escu.data_models = ["Network_Traffic"] -action.escu.eli5 = This analytic identifies executables running from public or temporary locations that are communicating over windows domain authentication ports/protocol. The ports/protocols include LDAP(389), LDAPS(636), and Kerberos(88). Authentications from applications running from user controlled locations may not be malicious, however actors often attempt to access domain resources after initial compromise from executables in these locations. Most attacker toolkits offer some degree of interaction with AD/LDAP. -action.escu.how_to_implement = To implement this analytic, Sysmon should be installed in the environment and generating network events for userland and/or known public writable locations. -action.escu.known_false_positives = Known applications running from these locations for legitimate purposes. Targeting only kerberos (port 88) may significantly reduce noise. -action.escu.creation_date = 2023-06-13 -action.escu.modification_date = 2023-06-13 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Suspect Process With Authentication Traffic - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Active Directory Discovery"] -action.risk = 1 -action.risk.param._risk_message = The process $process_name$ on $src$ has been communicating with $dest$ on $dest_port$. -action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "system", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"threat_object_field": "process_name", "threat_object_type": "process"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Suspect Process With Authentication Traffic - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1087", "T1087.002", "T1204", "T1204.002"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "953322db-128a-4ce9-8e89-56e039e33d98", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_Traffic.process_id) as process_id from datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port IN ("88","389","636") AND All_Traffic.app IN ("*\\users\\*", "*\\programdata\\*", "*\\temp\\*", "*\\Windows\\Tasks\\*", "*\\appdata\\*", "*\\perflogs\\*") by All_Traffic.app,All_Traffic.src,All_Traffic.src_ip,All_Traffic.user,All_Traffic.dest,All_Traffic.dest_ip,All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rex field=app ".*\\\(?.*)$" | rename app as process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_suspect_process_with_authentication_traffic_filter` - -[ESCU - Windows System Binary Proxy Execution Compiled HTML File Decompile - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the decompile parameter with the HTML Help application, HH.exe. This is a uncommon command to see ran and behavior. Most recently this was seen in a APT41 campaign where a CHM file was delivered and a script inside used a technique for running an arbitrary command in a CHM file via an ActiveX object. This unpacks an HTML help file to a specified path for launching the next stage. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.001", "T1218"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the decompile parameter with the HTML Help application, HH.exe. This is a uncommon command to see ran and behavior. Most recently this was seen in a APT41 campaign where a CHM file was delivered and a script inside used a technique for running an arbitrary command in a CHM file via an ActiveX object. This unpacks an HTML help file to a specified path for launching the next stage. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives should be limited, filter as needed. -action.escu.creation_date = 2022-08-31 -action.escu.modification_date = 2022-08-31 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows System Binary Proxy Execution Compiled HTML File Decompile - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Living Off The Land", "Suspicious Compiled HTML Activity"] -action.risk = 1 -action.risk.param._risk_message = $process_name$ has been identified using decompile against a CHM on $dest$ under user $user$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 90}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 90}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 90}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows System Binary Proxy Execution Compiled HTML File Decompile - Rule -action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land", "Suspicious Compiled HTML Activity"], "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.001", "T1218"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "2acf0e19-4149-451c-a3f3-39cd3c77e37d", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the decompile parameter with the HTML Help application, HH.exe. This is a uncommon command to see ran and behavior. Most recently this was seen in a APT41 campaign where a CHM file was delivered and a script inside used a technique for running an arbitrary command in a CHM file via an ActiveX object. This unpacks an HTML help file to a specified path for launching the next stage. -action.notable.param.rule_title = Windows System Binary Proxy Execution Compiled HTML File Decompile -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_hh` Processes.process=*-decompile* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_binary_proxy_execution_compiled_html_file_decompile_filter` - -[ESCU - Windows System Discovery Using ldap Nslookup - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the execution of nslookup.exe tool to get domain information. Nslookup.exe is a command-line tool that can display information to diagnose domain name systems. This Nslookup feature is being abused by Qakbot malware to gather domain information such as SRV service location records, server name and many more. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the execution of nslookup.exe tool to get domain information. Nslookup.exe is a command-line tool that can display information to diagnose domain name systems. This Nslookup feature is being abused by Qakbot malware to gather domain information such as SRV service location records, server name and many more. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = dministrator may execute this commandline tool for auditing purposes. Filter as needed. -action.escu.creation_date = 2022-10-21 -action.escu.modification_date = 2022-10-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows System Discovery Using ldap Nslookup - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Qakbot"] -action.risk = 1 -action.risk.param._risk_message = System nslookup domain discovery on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 1}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows System Discovery Using ldap Nslookup - Rule -action.correlationsearch.annotations = {"analytic_story": ["Qakbot"], "cis20": ["CIS 10"], "confidence": 10, "impact": 10, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "2418780f-7c3e-4c45-b8b4-996ea850cd49", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = "nslookup.exe" OR Processes.original_file_name = "nslookup.exe") AND Processes.process = "*_ldap._tcp.dc._msdcs*" by Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `windows_system_discovery_using_ldap_nslookup_filter` - -[ESCU - Windows System Discovery Using Qwinsta - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the execution of qwinsta.exe executable in Windows Operating System. This Windows executable file can display information about sessions on a remote desktop session host server. The information includes servername, sessionname, username and many more. This tool is being abused of Qakbot malware to gather information to the targeted or compromised host that will be send back to its Command And Control server. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the execution of qwinsta.exe executable in Windows Operating System. This Windows executable file can display information about sessions on a remote desktop session host server. The information includes servername, sessionname, username and many more. This tool is being abused of Qakbot malware to gather information to the targeted or compromised host that will be send back to its Command And Control server. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrator may execute this commandline tool for auditing purposes. Filter as needed. -action.escu.creation_date = 2022-10-21 -action.escu.modification_date = 2022-10-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows System Discovery Using Qwinsta - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Qakbot"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows System Discovery Using Qwinsta - Rule -action.correlationsearch.annotations = {"analytic_story": ["Qakbot"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "2e765c1b-144a-49f0-93d0-1df4287cca04", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "qwinsta.exe" OR Processes.original_file_name = "qwinsta.exe" by Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `windows_system_discovery_using_qwinsta_filter` - -[ESCU - Windows System File on Disk - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following hunting analytic will assist with identifying new .sys files introduced in the environment. This query is meant to identify sys file creates on disk. There will be noise, but reducing common process names or applications should help to limit any volume. The idea is to identify new sys files written to disk and identify them before they're added as a new kernel mode driver. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following hunting analytic will assist with identifying new .sys files introduced in the environment. This query is meant to identify sys file creates on disk. There will be noise, but reducing common process names or applications should help to limit any volume. The idea is to identify new sys files written to disk and identify them before they're added as a new kernel mode driver. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on files from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. In addition, filtering may occur by adding NOT (Filesystem.file_path IN ("*\\Windows\\*", "*\\Program File*", "*\\systemroot\\*","%SystemRoot%*", "system32\*")). This will level out the noise generated to potentally lead to generating notables. -action.escu.known_false_positives = False positives will be present. Filter as needed. -action.escu.creation_date = 2022-05-16 -action.escu.modification_date = 2022-05-16 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows System File on Disk - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["CISA AA22-264A", "Windows Drivers"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows System File on Disk - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA22-264A", "Windows Drivers"], "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "993ce99d-9cdd-42c7-a2cf-733d5954e5a6", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name="*.sys*" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.file_hash | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_system_file_on_disk_filter` - -[ESCU - Windows System LogOff Commandline - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies Windows commandline to logoff a windows host machine. This technique was seen in several APT, RAT like dcrat and other commodity malware to shutdown the machine to add more impact, interrupt access, aid destruction of the system like wiping disk or inhibit system recovery. This TTP is a good pivot to check why application trigger this commandline which is not so common way to logoff a machine. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1529"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies Windows commandline to logoff a windows host machine. This technique was seen in several APT, RAT like dcrat and other commodity malware to shutdown the machine to add more impact, interrupt access, aid destruction of the system like wiping disk or inhibit system recovery. This TTP is a good pivot to check why application trigger this commandline which is not so common way to logoff a machine. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrator may execute this commandline to trigger shutdown, logoff or restart the host machine. -action.escu.creation_date = 2022-07-27 -action.escu.modification_date = 2022-07-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows System LogOff Commandline - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["DarkCrystal RAT", "NjRAT"] -action.risk = 1 -action.risk.param._risk_message = Process name $process_name$ is seen to execute logoff commandline on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows System LogOff Commandline - Rule -action.correlationsearch.annotations = {"analytic_story": ["DarkCrystal RAT", "NjRAT"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1529"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "74a8133f-93e7-4b71-9bd3-13a66124fd57", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = shutdown.exe OR Processes.original_file_name = shutdown.exe) Processes.process="*shutdown*" Processes.process IN ("* /l*", "* -l*") Processes.process IN ("* /t*","* -t*","* /f*","* -f*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_logoff_commandline_filter` - -[ESCU - Windows System Network Config Discovery Display DNS - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a process command line that retrieves dns reply information using Windows OS built-in tool IPConfig. This technique is being abused by threat actors, adversaries and post exploitation tools like WINPEAS to retrieve DNS information for the targeted host. This IPConfig parameter (/displaydns) can show dns server resource record, record name, record type, time to live data length and dns reply. This hunting detection can be a good pivot to check which process is executing this command line in specific host system that may lead to malware or adversaries gathering network information. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1016"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a process command line that retrieves dns reply information using Windows OS built-in tool IPConfig. This technique is being abused by threat actors, adversaries and post exploitation tools like WINPEAS to retrieve DNS information for the targeted host. This IPConfig parameter (/displaydns) can show dns server resource record, record name, record type, time to live data length and dns reply. This hunting detection can be a good pivot to check which process is executing this command line in specific host system that may lead to malware or adversaries gathering network information. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2022-11-30 -action.escu.modification_date = 2022-11-30 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows System Network Config Discovery Display DNS - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Prestige Ransomware", "Windows Post-Exploitation"] -action.risk = 1 -action.risk.param._risk_message = process $process_name$ with commandline $process$ is executed in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 9}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows System Network Config Discovery Display DNS - Rule -action.correlationsearch.annotations = {"analytic_story": ["Prestige Ransomware", "Windows Post-Exploitation"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1016"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e24f0a0e-41a9-419f-9999-eacab15efc36", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name="ipconfig.exe" OR Processes.original_file_name = "ipconfig.exe" AND Processes.process = "*/displaydns*" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_network_config_discovery_display_dns_filter` - -[ESCU - Windows System Network Connections Discovery Netsh - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a process execution of Windows OS built-in tool netsh.exe to show state, configuration and profile of host firewall. This tool is being used or abused by several adversaries or even post exploitation tool to bypass firewall rules or to discover firewall settings. This hunting detection can help to detect a possible suspicious usage of netsh.exe to retrieve firewall settings or even firewall wlan profile. We recommend checking which parent process and process name execute this command. Also check the process file path for verification that may lead to further TTP's threat behavior. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1049"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a process execution of Windows OS built-in tool netsh.exe to show state, configuration and profile of host firewall. This tool is being used or abused by several adversaries or even post exploitation tool to bypass firewall rules or to discover firewall settings. This hunting detection can help to detect a possible suspicious usage of netsh.exe to retrieve firewall settings or even firewall wlan profile. We recommend checking which parent process and process name execute this command. Also check the process file path for verification that may lead to further TTP's threat behavior. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = network administrator can use this tool for auditing process. -action.escu.creation_date = 2022-11-30 -action.escu.modification_date = 2022-11-30 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows System Network Connections Discovery Netsh - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Prestige Ransomware", "Snake Keylogger", "Windows Post-Exploitation"] -action.risk = 1 -action.risk.param._risk_message = netsh process with command line $process$ in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 9}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows System Network Connections Discovery Netsh - Rule -action.correlationsearch.annotations = {"analytic_story": ["Prestige Ransomware", "Snake Keylogger", "Windows Post-Exploitation"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1049"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "abfb7cc5-c275-4a97-9029-62cd8d4ffeca", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh`AND Processes.process = "* show *" Processes.process IN ("*state*", "*config*", "*wlan*", "*profile*") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_network_connections_discovery_netsh_filter` - -[ESCU - Windows System Reboot CommandLine - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies Windows commandline to reboot a windows host machine. This technique was seen in several APT, RAT like dcrat and other commodity malware to shutdown the machine to add more impact, interrupt access, aid destruction of the system like wiping disk or inhibit system recovery. This TTP is a good pivot to check why application trigger this commandline which is not so common way to reboot a machine. Compare to shutdown and logoff shutdown.exe feature, reboot seen in some automation script like ansible to reboot the machine. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1529"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies Windows commandline to reboot a windows host machine. This technique was seen in several APT, RAT like dcrat and other commodity malware to shutdown the machine to add more impact, interrupt access, aid destruction of the system like wiping disk or inhibit system recovery. This TTP is a good pivot to check why application trigger this commandline which is not so common way to reboot a machine. Compare to shutdown and logoff shutdown.exe feature, reboot seen in some automation script like ansible to reboot the machine. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrator may execute this commandline to trigger shutdown or restart the host machine. -action.escu.creation_date = 2022-07-27 -action.escu.modification_date = 2022-07-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows System Reboot CommandLine - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["DarkCrystal RAT", "DarkGate Malware", "NjRAT"] -action.risk = 1 -action.risk.param._risk_message = Process $process_name$ that executed reboot via commandline on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 30}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows System Reboot CommandLine - Rule -action.correlationsearch.annotations = {"analytic_story": ["DarkCrystal RAT", "DarkGate Malware", "NjRAT"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1529"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "97fc2b60-c8eb-4711-93f7-d26fade3686f", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = shutdown.exe OR Processes.original_file_name = shutdown.exe) Processes.process="*shutdown*" Processes.process IN ("* /r*", "* -r*") Processes.process IN ("* /t*","* -t*","* /f*","* -f*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_reboot_commandline_filter` - -[ESCU - Windows System Script Proxy Execution Syncappvpublishingserver - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the execution of Syncappvpublishingserver.vbs via wscript.exe or cscript.exe, which may indicate an attempt to download remote files or perform privilege escalation. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. Monitoring this activity is crucial as it can signify malicious use of a native Windows script for unauthorized actions. If confirmed malicious, this behavior could lead to unauthorized file downloads or elevated privileges, posing a significant security risk. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1216", "T1218"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the execution of Syncappvpublishingserver.vbs via wscript.exe or cscript.exe, which may indicate an attempt to download remote files or perform privilege escalation. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. Monitoring this activity is crucial as it can signify malicious use of a native Windows script for unauthorized actions. If confirmed malicious, this behavior could lead to unauthorized file downloads or elevated privileges, posing a significant security risk. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives may be present if the vbscript syncappvpublishingserver is used for legitimate purposes. Filter as needed. Adding a n; to the command-line arguments may help reduce any noise. -action.escu.creation_date = 2024-05-18 -action.escu.modification_date = 2024-05-18 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows System Script Proxy Execution Syncappvpublishingserver - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Living Off The Land"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to download files or evade critical controls. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 30}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 30}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 30}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 30}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows System Script Proxy Execution Syncappvpublishingserver - Rule -action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1216", "T1218"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "8dd73f89-682d-444c-8b41-8e679966ad3c", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the execution of Syncappvpublishingserver.vbs via wscript.exe or cscript.exe, which may indicate an attempt to download remote files or perform privilege escalation. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. Monitoring this activity is crucial as it can signify malicious use of a native Windows script for unauthorized actions. If confirmed malicious, this behavior could lead to unauthorized file downloads or elevated privileges, posing a significant security risk. -action.notable.param.rule_title = Windows System Script Proxy Execution Syncappvpublishingserver -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("wscript.exe","cscript.exe") Processes.process="*syncappvpublishingserver.vbs*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_script_proxy_execution_syncappvpublishingserver_filter` - -[ESCU - Windows System Shutdown CommandLine - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This detection rule is designed to identify the execution of the Windows shutdown command via command line interface. The shutdown command can be utilized by system administrators to properly halt, power off, or reboot a computer. However, in a security context, attackers who have gained unauthorized access to a system may also use this command in an effort to erase tracks, or to cause disruption and denial of service. In some instances, they might execute the shutdown command after installing a backdoor, to force the system to restart, ensuring that changes take effect or evading detection by security tools. Monitoring for the use of the Windows shutdown command, especially in conjunction with other unusual or unauthorized activities, can be an important part of identifying malicious behavior within a network. It is advised that security professionals analyze the context in which the shutdown command is being executed to differentiate between legitimate administrative functions and potentially malicious activity. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1529"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This detection rule is designed to identify the execution of the Windows shutdown command via command line interface. The shutdown command can be utilized by system administrators to properly halt, power off, or reboot a computer. However, in a security context, attackers who have gained unauthorized access to a system may also use this command in an effort to erase tracks, or to cause disruption and denial of service. In some instances, they might execute the shutdown command after installing a backdoor, to force the system to restart, ensuring that changes take effect or evading detection by security tools. Monitoring for the use of the Windows shutdown command, especially in conjunction with other unusual or unauthorized activities, can be an important part of identifying malicious behavior within a network. It is advised that security professionals analyze the context in which the shutdown command is being executed to differentiate between legitimate administrative functions and potentially malicious activity. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrator may execute this commandline to trigger shutdown or restart the host machine. -action.escu.creation_date = 2023-06-20 -action.escu.modification_date = 2023-06-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows System Shutdown CommandLine - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["DarkCrystal RAT", "DarkGate Malware", "NjRAT", "Sandworm Tools"] -action.risk = 1 -action.risk.param._risk_message = Process $process_name$ seen to execute shutdown via commandline on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows System Shutdown CommandLine - Rule -action.correlationsearch.annotations = {"analytic_story": ["DarkCrystal RAT", "DarkGate Malware", "NjRAT", "Sandworm Tools"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1529"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "4fee57b8-d825-4bf3-9ea8-bf405cdb614c", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = shutdown.exe OR Processes.original_file_name = shutdown.exe) Processes.process="*shutdown*" AND Processes.process IN("* /s*", "* -s*") AND Processes.process IN ("* /t*","* -t*","* /f*","* -f*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_shutdown_commandline_filter` - -[ESCU - Windows System Time Discovery W32tm Delay - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies DCRat delay time tactics using w32tm. This technique was seen in DCRAT malware where it uses stripchart function of w32tm.exe application to delay the execution of its payload like c2 communication , beaconing and execution. This anomaly detection may help the analyst to check other possible event like the process who execute this command that may lead to DCRat attack. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1124"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies DCRat delay time tactics using w32tm. This technique was seen in DCRAT malware where it uses stripchart function of w32tm.exe application to delay the execution of its payload like c2 communication , beaconing and execution. This anomaly detection may help the analyst to check other possible event like the process who execute this command that may lead to DCRat attack. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2022-07-28 -action.escu.modification_date = 2022-07-28 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows System Time Discovery W32tm Delay - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["DarkCrystal RAT"] -action.risk = 1 -action.risk.param._risk_message = Process name w32tm.exe is using suspcicious command line arguments $process$ on host $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 36}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows System Time Discovery W32tm Delay - Rule -action.correlationsearch.annotations = {"analytic_story": ["DarkCrystal RAT"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1124"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "b2cc69e7-11ba-42dc-a269-59c069a48870", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = w32tm.exe Processes.process= "* /stripchart *" Processes.process= "* /computer:localhost *" Processes.process= "* /period:*" Processes.process= "* /dataonly *" Processes.process= "* /samples:*" by Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_time_discovery_w32tm_delay_filter` - -[ESCU - Windows System User Discovery Via Quser - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a process execution of Windows OS quser.exe tool. This tool is being abused or used by several post exploitation tool such as winpeas that being used by ransomware prestige to display or gather information about user sessions on a Remote Desktop Session Host server. This command can find out if a specific user is logged on to a specific Remote Desktop Session Host server. This tool can retrieve some RDP information that can be use by attacker for further attack like Name of the user , Name of the session on the Remote Desktop Session Host server, Session ID, State of the session (active or disconnected), Idle time (the number of minutes since the last keystroke or mouse movement at the session) and Date and time the user logged on. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a process execution of Windows OS quser.exe tool. This tool is being abused or used by several post exploitation tool such as winpeas that being used by ransomware prestige to display or gather information about user sessions on a Remote Desktop Session Host server. This command can find out if a specific user is logged on to a specific Remote Desktop Session Host server. This tool can retrieve some RDP information that can be use by attacker for further attack like Name of the user , Name of the session on the Remote Desktop Session Host server, Session ID, State of the session (active or disconnected), Idle time (the number of minutes since the last keystroke or mouse movement at the session) and Date and time the user logged on. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = network administrator can use this command tool to audit RDP access of user in specific network or host. -action.escu.creation_date = 2022-11-30 -action.escu.modification_date = 2022-11-30 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows System User Discovery Via Quser - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Prestige Ransomware", "Windows Post-Exploitation"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows System User Discovery Via Quser - Rule -action.correlationsearch.annotations = {"analytic_story": ["Prestige Ransomware", "Windows Post-Exploitation"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "0c3f3e09-e47a-410e-856f-a02a5c5fafb0", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name="quser.exe" OR Processes.original_file_name = "quser.exe" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_user_discovery_via_quser_filter` - -[ESCU - Windows System User Privilege Discovery - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic looks for the execution of `whoami.exe` with /priv parameter. This whoami command is used to display or shows the privileges assigned to the current user account. This hunting query can be a good pivot start to look for suspicious usage of whoami application that might related to a malware or adversaries. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for the execution of `whoami.exe` with /priv parameter. This whoami command is used to display or shows the privileges assigned to the current user account. This hunting query can be a good pivot start to look for suspicious usage of whoami application that might related to a malware or adversaries. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. Filter as needed. -action.escu.creation_date = 2023-12-15 -action.escu.modification_date = 2023-12-15 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows System User Privilege Discovery - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["CISA AA23-347A"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows System User Privilege Discovery - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "8c9a06bc-9939-4425-9bb9-be2371f7fb7e", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name="whoami.exe" Processes.process= "*/priv*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_user_privilege_discovery_filter` - -[ESCU - Windows Terminating Lsass Process - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is to detect a suspicious process terminating Lsass process. Lsass process is known to be a critical process that is responsible for enforcing security policy system. This process was commonly targetted by threat actor or red teamer to gain privilege escalation or persistence in the targeted machine because it handles credentials of the logon users. In this analytic we tried to detect a suspicious process having a granted access PROCESS_TERMINATE to lsass process to modify or delete protected registrys. This technique was seen in doublezero malware that tries to wipe files and registry in compromised hosts. This anomaly detection can be a good pivot of incident response for possible credential dumping or evading security policy in a host or network environment. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic is to detect a suspicious process terminating Lsass process. Lsass process is known to be a critical process that is responsible for enforcing security policy system. This process was commonly targetted by threat actor or red teamer to gain privilege escalation or persistence in the targeted machine because it handles credentials of the logon users. In this analytic we tried to detect a suspicious process having a granted access PROCESS_TERMINATE to lsass process to modify or delete protected registrys. This technique was seen in doublezero malware that tries to wipe files and registry in compromised hosts. This anomaly detection can be a good pivot of incident response for possible credential dumping or evading security policy in a host or network environment. -action.escu.how_to_implement = This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 10 for lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-04-14 -action.escu.modification_date = 2023-04-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Terminating Lsass Process - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["Data Destruction", "Double Zero Destructor"] -action.risk = 1 -action.risk.param._risk_message = a process $SourceImage$ terminates Lsass process in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}, {"risk_object_field": "TargetImage", "risk_object_type": "other", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Terminating Lsass Process - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Double Zero Destructor"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "7ab3c319-a4e7-4211-9e8c-40a049d0dba6", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=10 TargetImage=*lsass.exe GrantedAccess = 0x1 | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage, TargetImage, TargetProcessId, SourceProcessId, GrantedAccess CallTrace, dest | rename dest as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_terminating_lsass_process_filter` - -[ESCU - Windows Time Based Evasion - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is designed to detect potentially malicious processes that initiate a ping delay using an invalid IP address. This evasion technique was observed in NJRAT, where the malware employed ping commands as a means to introduce a time delay before self-deletion on the compromised host. Identifying this (TTP) behavior can serve as a valuable indicator for detecting NJRAT infections or other malware that employ time delays as evasion tactics. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1497", "T1497.003"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is designed to detect potentially malicious processes that initiate a ping delay using an invalid IP address. This evasion technique was observed in NJRAT, where the malware employed ping commands as a means to introduce a time delay before self-deletion on the compromised host. Identifying this (TTP) behavior can serve as a valuable indicator for detecting NJRAT infections or other malware that employ time delays as evasion tactics. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-09-08 -action.escu.modification_date = 2023-09-08 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Time Based Evasion - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["NjRAT"] -action.risk = 1 -action.risk.param._risk_message = A $process_name$ did a suspicious ping to invalid IP address on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 36}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Time Based Evasion - Rule -action.correlationsearch.annotations = {"analytic_story": ["NjRAT"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1497", "T1497.003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "34502357-deb1-499a-8261-ffe144abf561", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic is designed to detect potentially malicious processes that initiate a ping delay using an invalid IP address. This evasion technique was observed in NJRAT, where the malware employed ping commands as a means to introduce a time delay before self-deletion on the compromised host. Identifying this (TTP) behavior can serve as a valuable indicator for detecting NJRAT infections or other malware that employ time delays as evasion tactics. -action.notable.param.rule_title = Windows Time Based Evasion -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "ping.exe" Processes.parent_process = "* ping 0 -n *" OR Processes.process = "* ping 0 -n *" by Processes.parent_process Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_time_based_evasion_filter` - -[ESCU - Windows Time Based Evasion via Choice Exec - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is designed to detect potentially suspicious batch files that leverage choice.exe as a delay tactic. This technique, observed in the SnakeKeylogger malware, is utilized for time delays or 'Sleep' commands in its code execution or before the deletion of its copies on compromised hosts. Detecting this anomaly serves as a valuable pivot to uncover suspicious processes attempting to evade detection through time-based evasion techniques. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1497.003", "T1497"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is designed to detect potentially suspicious batch files that leverage choice.exe as a delay tactic. This technique, observed in the SnakeKeylogger malware, is utilized for time delays or 'Sleep' commands in its code execution or before the deletion of its copies on compromised hosts. Detecting this anomaly serves as a valuable pivot to uncover suspicious processes attempting to evade detection through time-based evasion techniques. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = administrator may use choice.exe to allow user to choose from and indexes of choices from a batch script. -action.escu.creation_date = 2024-02-14 -action.escu.modification_date = 2024-02-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Time Based Evasion via Choice Exec - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Snake Keylogger"] -action.risk = 1 -action.risk.param._risk_message = A $process_name$ has a choice time delay commandline on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Time Based Evasion via Choice Exec - Rule -action.correlationsearch.annotations = {"analytic_story": ["Snake Keylogger"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1497.003", "T1497"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "d5f54b38-10bf-4b3a-b6fc-85949862ed50", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name =choice.exe Processes.process = "*/T*" Processes.process = "*/N*" by Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_time_based_evasion_via_choice_exec_filter` - -[ESCU - Windows UAC Bypass Suspicious Child Process - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects when an executable known for User Account Control bypass exploitation, spawns a child process in user controlled location or a command shell executable (cmd, powershell, etc). This behavioral chain may indicate that an attacker has used a UAC Bypass exploit to successfully escalate privileges. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548", "T1548.002"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects when an executable known for User Account Control bypass exploitation, spawns a child process in user controlled location or a command shell executable (cmd, powershell, etc). This behavioral chain may indicate that an attacker has used a UAC Bypass exploit to successfully escalate privileges. -action.escu.how_to_implement = Target environment must ingest sysmon data, specifically Event ID 1 with process integrity level data. -action.escu.known_false_positives = Including Werfault.exe may cause some unintended false positives related to normal application faulting, but is used in a number of UAC bypass techniques. -action.escu.creation_date = 2023-11-20 -action.escu.modification_date = 2023-11-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows UAC Bypass Suspicious Child Process - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Living Off The Land", "Windows Defense Evasion Tactics"] -action.risk = 1 -action.risk.param._risk_message = A UAC bypass parent process- $parent_process_name$ on host- $dest$ launched a suspicious child process - $process_name$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 45}, {"risk_object_field": "user", "risk_object_type": "other", "risk_score": 45}, {"threat_object_field": "process_name", "threat_object_type": "process"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows UAC Bypass Suspicious Child Process - Rule -action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land", "Windows Defense Evasion Tactics"], "cis20": ["CIS 10"], "confidence": 75, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548", "T1548.002"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "453a6b0f-b0ea-48fa-9cf4-20537ffdd22c", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects when an executable known for User Account Control bypass exploitation, spawns a child process in user controlled location or a command shell executable (cmd, powershell, etc). This behavioral chain may indicate that an attacker has used a UAC Bypass exploit to successfully escalate privileges. -action.notable.param.rule_title = Windows UAC Bypass Suspicious Child Process -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_integrity_level IN ("high","system") AND Processes.parent_process_name IN (`uacbypass_process_name`) AND (Processes.process_name IN ("cmd.exe","powershell.exe","pwsh.exe","wscript","cscript.exe","bash.exe","werfault.exe") OR Processes.process IN ("*\\\\*","*\\Users\\*","*\\ProgramData\\*","*\\Temp\\*")) by Processes.dest, Processes.user, Processes.parent_process_guid, Processes.parent_process, Processes.parent_process_name Processes.process_name Processes.process, Processes.process_path, Processes.process_integrity_level, Processes.process_current_directory | `drop_dm_object_name(Processes)` | where parent_process_name != process_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_uac_bypass_suspicious_child_process_filter` - -[ESCU - Windows UAC Bypass Suspicious Escalation Behavior - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects when a process spawns an executable known for User Account Control bypass exploitation, and then monitors for any subsequent child processes that are above the integrity level of the original spawning process. This behavioral chain may indicate that an attacker has used a UAC Bypass exploit to successfully escalate privileges. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548", "T1548.002"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects when a process spawns an executable known for User Account Control bypass exploitation, and then monitors for any subsequent child processes that are above the integrity level of the original spawning process. This behavioral chain may indicate that an attacker has used a UAC Bypass exploit to successfully escalate privileges. -action.escu.how_to_implement = Target environment must ingest sysmon data, specifically Event ID 1 with process integrity level data. -action.escu.known_false_positives = Including Werfault.exe may cause some unintended false positives related to normal application faulting, but is used in a number of UAC bypass techniques. -action.escu.creation_date = 2023-11-20 -action.escu.modification_date = 2023-11-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows UAC Bypass Suspicious Escalation Behavior - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Living Off The Land", "Windows Defense Evasion Tactics"] -action.risk = 1 -action.risk.param._risk_message = A UAC bypass behavior was detected by parent process name- $parent_process_name$ on host $dest$ by $user$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}, {"risk_object_field": "user", "risk_object_type": "other", "risk_score": 64}, {"threat_object_field": "process_name", "threat_object_type": "process"}, {"threat_object_field": "process_name", "threat_object_type": "process"}, {"threat_object_field": "parent_process_name", "threat_object_type": "process"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows UAC Bypass Suspicious Escalation Behavior - Rule -action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land", "Windows Defense Evasion Tactics"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548", "T1548.002"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "00d050d3-a5b4-4565-a6a5-a31f69681dc3", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects when a process spawns an executable known for User Account Control bypass exploitation, and then monitors for any subsequent child processes that are above the integrity level of the original spawning process. This behavioral chain may indicate that an attacker has used a UAC Bypass exploit to successfully escalate privileges. -action.notable.param.rule_title = Windows UAC Bypass Suspicious Escalation Behavior -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_integrity_level IN ("low","medium") by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.process_guid, Processes.process_path, Processes.process_integrity_level, Processes.process_current_directory | `drop_dm_object_name(Processes)` | eval original_integrity_level = CASE(match(process_integrity_level,"low"),1,match(process_integrity_level,"medium"),2,match(process_integrity_level,"high"),3,match(process_integrity_level,"system"),4,true(),0) | rename process_guid as join_guid_1, process* as parent_process* | join max=0 dest join_guid_1 [| tstats `security_content_summariesonly` count min(_time) as firstTime from datamodel=Endpoint.Processes where Processes.process_integrity_level IN ("high","system") AND Processes.process_name IN (`uacbypass_process_name`) by Processes.dest, Processes.parent_process_guid, Processes.process_name, Processes.process_guid | `drop_dm_object_name(Processes)` | rename parent_process_guid as join_guid_1, process_guid as join_guid_2, process_name as uac_process_name ] | join max=0 dest join_guid_2 [| tstats `security_content_summariesonly` count min(_time) as firstTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (`uacbypass_process_name`) AND Processes.process_integrity_level IN ("high","system") by Processes.dest, Processes.parent_process_guid, Processes.process_name, Processes.process, Processes.process_guid, Processes.process_path, Processes.process_integrity_level, Processes.process_current_directory | `drop_dm_object_name(Processes)` | rename parent_process_guid as join_guid_2 | eval elevated_integrity_level = CASE(match(process_integrity_level,"low"),1,match(process_integrity_level,"medium"),2,match(process_integrity_level,"high"),3,match(process_integrity_level,"system"),4,true(),0)] | where elevated_integrity_level > original_integrity_level | table dest user parent_process parent_process_name parent_process_integrity_level process_integrity_level process process_name uac_process_name count firstTime lastTime | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_uac_bypass_suspicious_escalation_behavior_filter` - -[ESCU - Windows Unsecured Outlook Credentials Access In Registry - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a suspicious query on outlook credentials registry in Windows OS registry. typically refers to user profiles associated with Microsoft Outlook. Within this key, Outlook stores configuration settings, including account information such as email addresses, server details, and authentication credentials. Accessing or modifying this registry key can potentially compromise users' email security, making it a target for attackers seeking to steal sensitive information or execute unauthorized actions within Outlook. This anomaly detection is a good pivot to catch possible Trojan Stealer or RAT that tries to steal sensitive information to its targeted host. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies a suspicious query on outlook credentials registry in Windows OS registry. typically refers to user profiles associated with Microsoft Outlook. Within this key, Outlook stores configuration settings, including account information such as email addresses, server details, and authentication credentials. Accessing or modifying this registry key can potentially compromise users' email security, making it a target for attackers seeking to steal sensitive information or execute unauthorized actions within Outlook. This anomaly detection is a good pivot to catch possible Trojan Stealer or RAT that tries to steal sensitive information to its targeted host. -action.escu.how_to_implement = To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." -action.escu.known_false_positives = third party software may access this outlook registry. -action.escu.creation_date = 2024-02-14 -action.escu.modification_date = 2024-02-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Unsecured Outlook Credentials Access In Registry - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Snake Keylogger"] -action.risk = 1 -action.risk.param._risk_message = A suspicious process $process_name$ accessing outlook credentials registry on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Unsecured Outlook Credentials Access In Registry - Rule -action.correlationsearch.annotations = {"analytic_story": ["Snake Keylogger"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "36334123-077d-47a2-b70c-6c7b3cc85049", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4663 object_file_path IN ("*\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676*", "*\\Windows Messaging Subsystem\\Profiles\\9375CFF0413111d3B88A00104B2A6676*") AND process_name != *\\outlook.exe | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_unsecured_outlook_credentials_access_in_registry_filter` - -[ESCU - Windows Unsigned DLL Side-Loading - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic focuses on detecting potentially malicious unsigned DLLs created in either the c:\windows\system32 or c:\windows\syswow64 folders. This particular technique was observed in the context of the Warzone (Ave Maria) RAT, where it employed a method known as DLL hijacking (dll-side-loading) by dropping the "dismcore.dll" to achieve privilege escalation. DLL hijacking is a stealthy attack technique used by cybercriminals to exploit the way Windows searches and loads DLLs. By placing a malicious DLL with the same name as one that a legitimate application is expected to load, the attacker can gain unauthorized access and execute malicious code. In the case of Warzone RAT (Ave Maria), the dropped "dismcore.dll" was intended to deceive the system into loading the rogue DLL instead of the legitimate version, thereby granting the malware elevated privileges and enabling further compromise of the target system. Detecting such suspicious DLLs is crucial in preventing privilege escalation attacks and other potential security breaches. Regular security assessments, thorough monitoring, and implementing security best practices are essential in safeguarding systems from such threats. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.002"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic focuses on detecting potentially malicious unsigned DLLs created in either the c:\windows\system32 or c:\windows\syswow64 folders. This particular technique was observed in the context of the Warzone (Ave Maria) RAT, where it employed a method known as DLL hijacking (dll-side-loading) by dropping the "dismcore.dll" to achieve privilege escalation. DLL hijacking is a stealthy attack technique used by cybercriminals to exploit the way Windows searches and loads DLLs. By placing a malicious DLL with the same name as one that a legitimate application is expected to load, the attacker can gain unauthorized access and execute malicious code. In the case of Warzone RAT (Ave Maria), the dropped "dismcore.dll" was intended to deceive the system into loading the rogue DLL instead of the legitimate version, thereby granting the malware elevated privileges and enabling further compromise of the target system. Detecting such suspicious DLLs is crucial in preventing privilege escalation attacks and other potential security breaches. Regular security assessments, thorough monitoring, and implementing security best practices are essential in safeguarding systems from such threats. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -action.escu.known_false_positives = It is possible some Administrative utilities will load dismcore.dll outside of normal system paths, filter as needed. -action.escu.creation_date = 2023-07-26 -action.escu.modification_date = 2023-07-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Unsigned DLL Side-Loading - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["NjRAT", "Warzone RAT"] -action.risk = 1 -action.risk.param._risk_message = An unsigned dll module was loaded on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Unsigned DLL Side-Loading - Rule -action.correlationsearch.annotations = {"analytic_story": ["NjRAT", "Warzone RAT"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.002"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "5a83ce44-8e0f-4786-a775-8249a525c879", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=7 Signed=false OriginalFileName = "-" SignatureStatus="unavailable" ImageLoaded IN ("*:\\windows\\system32\\*", "*:\\windows\\syswow64\\*") | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded Signed SignatureStatus OriginalFileName process_name dest EventCode ProcessId Hashes IMPHASH | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_unsigned_dll_side_loading_filter` - -[ESCU - Windows Unsigned MS DLL Side-Loading - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analysis identifies potential DLL side-loading instances involving unsigned DLLs with a company detail signature mimicking Microsoft. This technique is frequently exploited by adversaries to execute malicious code automatically by running a legitimate process. The analytics involves searching Sysmon logs for Event Code 7, where both the `Image` and `ImageLoaded` paths do not match system directories (`system32`, `syswow64`, and `programfiles`). Additionally, it verifies whether the loaded DLL is signed and checks if the folder paths of the `Image` and `ImageLoaded` are identical. This anomaly detection mechanism serves as a valuable indicator for identifying suspicious processes that load unsigned DLLs. Add other paths based on org hunting. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.002", "T1547"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analysis identifies potential DLL side-loading instances involving unsigned DLLs with a company detail signature mimicking Microsoft. This technique is frequently exploited by adversaries to execute malicious code automatically by running a legitimate process. The analytics involves searching Sysmon logs for Event Code 7, where both the `Image` and `ImageLoaded` paths do not match system directories (`system32`, `syswow64`, and `programfiles`). Additionally, it verifies whether the loaded DLL is signed and checks if the folder paths of the `Image` and `ImageLoaded` are identical. This anomaly detection mechanism serves as a valuable indicator for identifying suspicious processes that load unsigned DLLs. Add other paths based on org hunting. -action.escu.how_to_implement = The analytic is designed to be run against Sysmon event logs collected from endpoints. The analytic requires the Sysmon event logs to be ingested into Splunk. The analytic searches for EventCode 7 where the Image is either SQLDumper.exe or SQLWriter.exe and the ImageLoaded is vcruntime140.dll. The search also filters out the legitimate loading of vcruntime140.dll from the System32 directory to reduce false positives. The analytic can be modified to include additional known good paths for vcruntime140.dll to further reduce false positives. -action.escu.known_false_positives = False positives are possible if legitimate processes are loading vcruntime140.dll from non-standard directories. It is recommended to investigate the context of the process loading vcruntime140.dll to determine if it is malicious or not. Modify the search to include additional known good paths for vcruntime140.dll to reduce false positives. -action.escu.creation_date = 2024-04-05 -action.escu.modification_date = 2024-04-05 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Unsigned MS DLL Side-Loading - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["APT29 Diplomatic Deceptions with WINELOADER"] -action.risk = 1 -action.risk.param._risk_message = An instance of $Image$ loading Unsigned $ImageLoaded$ was detected on $dest$. -action.risk.param._risk = [{"threat_object_field": "Image", "threat_object_type": "file_name"}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 9}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Unsigned MS DLL Side-Loading - Rule -action.correlationsearch.annotations = {"analytic_story": ["APT29 Diplomatic Deceptions with WINELOADER"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.002", "T1547"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "8d9e0e06-ba71-4dc5-be16-c1a46d58728c", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=7 Company="Microsoft Corporation" Signed=false SignatureStatus != Valid NOT (Image IN("C:\\Windows\\System32\\*", "C:\\Windows\\SysWow64\\*", "C:\\Program Files*")) NOT (ImageLoaded IN("C:\\Windows\\System32\\*", "C:\\Windows\\SysWow64\\*", "C:\\Program Files*")) | rex field=Image "(?.+\\\)" | rex field=ImageLoaded "(?.+\\\)" | where ImageFolderPath = ImageLoadedFolderPath | stats count min(_time) as firstTime max(_time) as lastTime by Image ProcessGuid ImageLoaded user Computer EventCode ImageFolderPath ImageLoadedFolderPath Company Description Product Signed SignatureStatus | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_unsigned_ms_dll_side_loading_filter` - -[ESCU - Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies one source endpoint failing to authenticate with multiple disabled domain users using the Kerberos protocol. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using Kerberos to obtain initial access or elevate privileges. As attackers progress in a breach, mistakes will be made. In certain scenarios, adversaries may execute a password spraying attack against disabled users. Event 4768 is generated every time the Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT). Failure code `0x12` stands for `clients credentials have been revoked` (account disabled, expired or locked out). \ -The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of users. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises. \ -This detection will only trigger on domain controllers, not on member servers or workstations. \ -The analytics returned fields allow analysts to investigate the event further by providing fields like source ip and attempted user accounts. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies one source endpoint failing to authenticate with multiple disabled domain users using the Kerberos protocol. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using Kerberos to obtain initial access or elevate privileges. As attackers progress in a breach, mistakes will be made. In certain scenarios, adversaries may execute a password spraying attack against disabled users. Event 4768 is generated every time the Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT). Failure code `0x12` stands for `clients credentials have been revoked` (account disabled, expired or locked out). \ -The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of users. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises. \ -This detection will only trigger on domain controllers, not on member servers or workstations. \ -The analytics returned fields allow analysts to investigate the event further by providing fields like source ip and attempted user accounts. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. -action.escu.known_false_positives = A host failing to authenticate with multiple disabled domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, multi-user systems missconfigured systems. -action.escu.creation_date = 2022-09-22 -action.escu.modification_date = 2022-09-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Kerberos Attacks", "Active Directory Password Spraying", "Volt Typhoon"] -action.risk = 1 -action.risk.param._risk_message = Potential Kerberos based password spraying attack from $IpAddress$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}, {"risk_object_field": "IpAddress", "risk_object_type": "other", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Password Spraying", "Volt Typhoon"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "f65aa026-b811-42ab-b4b9-d9088137648f", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4768 TargetUserName!=*$ Status=0x12 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, IpAddress | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by IpAddress | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_disabled_users_failed_auth_using_kerberos_filter` - -[ESCU - Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies one source endpoint failing to authenticate with multiple invalid domain users using the Kerberos protocol. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using Kerberos to obtain initial access or elevate privileges. As attackers progress in a breach, mistakes will be made. In certain scenarios, adversaries may execute a password spraying attack using an invalid list of users. Event 4768 is generated every time the Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT). Failure code 0x6 stands for `client not found in Kerberos database` (the attempted user is not a valid domain user). \ -The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of users. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises. \ -This detection will only trigger on domain controllers, not on member servers or workstations. \ -The analytics returned fields allow analysts to investigate the event further by providing fields like source ip and attempted user accounts. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies one source endpoint failing to authenticate with multiple invalid domain users using the Kerberos protocol. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using Kerberos to obtain initial access or elevate privileges. As attackers progress in a breach, mistakes will be made. In certain scenarios, adversaries may execute a password spraying attack using an invalid list of users. Event 4768 is generated every time the Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT). Failure code 0x6 stands for `client not found in Kerberos database` (the attempted user is not a valid domain user). \ -The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of users. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises. \ -This detection will only trigger on domain controllers, not on member servers or workstations. \ -The analytics returned fields allow analysts to investigate the event further by providing fields like source ip and attempted user accounts. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. -action.escu.known_false_positives = A host failing to authenticate with multiple invalid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, multi-user systems and missconfigured systems. -action.escu.creation_date = 2022-09-22 -action.escu.modification_date = 2022-09-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Kerberos Attacks", "Active Directory Password Spraying", "Volt Typhoon"] -action.risk = 1 -action.risk.param._risk_message = Potential Kerberos based password spraying attack from $IpAddress$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}, {"risk_object_field": "IpAddress", "risk_object_type": "other", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Password Spraying", "Volt Typhoon"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "f122cb2e-d773-4f11-8399-62a3572d8dd7", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4768 TargetUserName!=*$ Status=0x6 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, IpAddress | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by IpAddress | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_invalid_users_fail_to_auth_using_kerberos_filter` - -[ESCU - Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies one source endpoint failing to authenticate with multiple invalid users using the NTLM protocol. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using NTLM to obtain initial access or elevate privileges. As attackers progress in a breach, mistakes will be made. In certain scenarios, adversaries may execute a password spraying attack using an invalid list of users. Event 4776 is generated on the computer that is authoritative for the provided credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative. Error code 0xC0000064 stands for `The username you typed does not exist` (the attempted user is a legitimate domain user). \ -The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of users. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises. \ -This detection will only trigger on domain controllers, not on member servers or workstations. \ -The analytics returned fields allow analysts to investigate the event further by providing fields like source workstation name and attempted user accounts. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies one source endpoint failing to authenticate with multiple invalid users using the NTLM protocol. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using NTLM to obtain initial access or elevate privileges. As attackers progress in a breach, mistakes will be made. In certain scenarios, adversaries may execute a password spraying attack using an invalid list of users. Event 4776 is generated on the computer that is authoritative for the provided credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative. Error code 0xC0000064 stands for `The username you typed does not exist` (the attempted user is a legitimate domain user). \ -The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of users. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises. \ -This detection will only trigger on domain controllers, not on member servers or workstations. \ -The analytics returned fields allow analysts to investigate the event further by providing fields like source workstation name and attempted user accounts. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `Audit Credential Validation' within `Account Logon` needs to be enabled. -action.escu.known_false_positives = A host failing to authenticate with multiple invalid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems. If this detection triggers on a host other than a Domain Controller, the behavior could represent a password spraying attack against the host's local accounts. -action.escu.creation_date = 2022-09-22 -action.escu.modification_date = 2022-09-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Password Spraying", "Volt Typhoon"] -action.risk = 1 -action.risk.param._risk_message = Potential NTLM based password spraying attack from $src$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}, {"risk_object_field": "src", "risk_object_type": "other", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Password Spraying", "Volt Typhoon"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "15603165-147d-4a6e-9778-bd0ff39e668f", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xc0000064 | bucket span=2m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, Workstation | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by Workstation | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | rename Workstation as src |`windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm_filter` - -[ESCU - Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a source user failing to authenticate with multiple users using explicit credentials on a host. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment to obtain initial access or elevate privileges. Event 4648 is generated when a process attempts an account logon by explicitly specifying that accounts credentials. This event generates on domain controllers, member servers, and workstations. \ -The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of users. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises. \ -This detection will trigger on the potenfially malicious host, perhaps controlled via a trojan or operated by an insider threat, from where a password spraying attack is being executed. \ -The analytics returned fields allow analysts to investigate the event further by providing fields like source account, attempted user accounts and the endpoint were the behavior was identified. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies a source user failing to authenticate with multiple users using explicit credentials on a host. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment to obtain initial access or elevate privileges. Event 4648 is generated when a process attempts an account logon by explicitly specifying that accounts credentials. This event generates on domain controllers, member servers, and workstations. \ -The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of users. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises. \ -This detection will trigger on the potenfially malicious host, perhaps controlled via a trojan or operated by an insider threat, from where a password spraying attack is being executed. \ -The analytics returned fields allow analysts to investigate the event further by providing fields like source account, attempted user accounts and the endpoint were the behavior was identified. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled. -action.escu.known_false_positives = A source user failing attempting to authenticate multiple users on a host is not a common behavior for regular systems. Some applications, however, may exhibit this behavior in which case sets of users hosts can be added to an allow list. Possible false positive scenarios include systems where several users connect to like Mail servers, identity providers, remote desktop services, Citrix, etc. -action.escu.creation_date = 2022-09-22 -action.escu.modification_date = 2022-09-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Password Spraying", "Insider Threat", "Volt Typhoon"] -action.risk = 1 -action.risk.param._risk_message = Potential password spraying attack from $Computer$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}, {"risk_object_field": "Computer", "risk_object_type": "other", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Password Spraying", "Insider Threat", "Volt Typhoon"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "14f414cf-3080-4b9b-aaf6-55a4ce947b93", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4648 Caller_User_Name!=*$ Target_User_Name!=*$ | bucket span=5m _time | stats dc(Target_User_Name) AS unique_accounts values(Target_User_Name) as user by _time, Computer, Caller_User_Name | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by Computer | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials_filter` - -[ESCU - Windows Unusual Count Of Users Failed To Auth Using Kerberos - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies one source endpoint failing to authenticate with multiple valid users using the Kerberos protocol. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using Kerberos to obtain initial access or elevate privileges. Event 4771 is generated when the Key Distribution Center fails to issue a Kerberos Ticket Granting Ticket (TGT). Failure code 0x18 stands for `wrong password provided` (the attempted user is a legitimate domain user). \ -The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of users. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises. \ -This detection will only trigger on domain controllers, not on member servers or workstations. \ -The analytics returned fields allow analysts to investigate the event further by providing fields like source ip and attempted user accounts. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies one source endpoint failing to authenticate with multiple valid users using the Kerberos protocol. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using Kerberos to obtain initial access or elevate privileges. Event 4771 is generated when the Key Distribution Center fails to issue a Kerberos Ticket Granting Ticket (TGT). Failure code 0x18 stands for `wrong password provided` (the attempted user is a legitimate domain user). \ -The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of users. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises. \ -This detection will only trigger on domain controllers, not on member servers or workstations. \ -The analytics returned fields allow analysts to investigate the event further by providing fields like source ip and attempted user accounts. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. -action.escu.known_false_positives = A host failing to authenticate with multiple valid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, missconfigured systems and multi-user systems like Citrix farms. -action.escu.creation_date = 2022-09-22 -action.escu.modification_date = 2022-09-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Unusual Count Of Users Failed To Auth Using Kerberos - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Kerberos Attacks", "Active Directory Password Spraying", "Volt Typhoon"] -action.risk = 1 -action.risk.param._risk_message = Potential Kerberos based password spraying attack from $IpAddress$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}, {"risk_object_field": "IpAddress", "risk_object_type": "other", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Unusual Count Of Users Failed To Auth Using Kerberos - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Password Spraying", "Volt Typhoon"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "bc9cb715-08ba-40c3-9758-6e2b26e455cb", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4771 TargetUserName!="*$" Status=0x18 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, IpAddress | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by IpAddress | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_users_failed_to_auth_using_kerberos_filter` - -[ESCU - Windows Unusual Count Of Users Failed To Authenticate From Process - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a source process name failing to authenticate with multiple users. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment to obtain initial access or elevate privileges. Event 4625 generates on domain controllers, member servers, and workstations when an account fails to logon. Logon Type 2 describes an iteractive logon attempt. \ -The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of users. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises. \ -This detection will trigger on the potenfially malicious host, perhaps controlled via a trojan or operated by an insider threat, from where a password spraying attack is being executed. This could be a domain controller as well as a member server or workstation. \ -The analytics returned fields allow analysts to investigate the event further by providing fields like source process name, source account and attempted user accounts. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies a source process name failing to authenticate with multiple users. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment to obtain initial access or elevate privileges. Event 4625 generates on domain controllers, member servers, and workstations when an account fails to logon. Logon Type 2 describes an iteractive logon attempt. \ -The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of users. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises. \ -This detection will trigger on the potenfially malicious host, perhaps controlled via a trojan or operated by an insider threat, from where a password spraying attack is being executed. This could be a domain controller as well as a member server or workstation. \ -The analytics returned fields allow analysts to investigate the event further by providing fields like source process name, source account and attempted user accounts. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers aas well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled. -action.escu.known_false_positives = A process failing to authenticate with multiple users is not a common behavior for legitimate user sessions. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems. -action.escu.creation_date = 2022-09-22 -action.escu.modification_date = 2022-09-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Unusual Count Of Users Failed To Authenticate From Process - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Password Spraying", "Insider Threat", "Volt Typhoon"] -action.risk = 1 -action.risk.param._risk_message = Potential password spraying attack from $Computer$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}, {"risk_object_field": "Computer", "risk_object_type": "other", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Unusual Count Of Users Failed To Authenticate From Process - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Password Spraying", "Insider Threat", "Volt Typhoon"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "25bdb6cb-2e49-4d34-a93c-d6c567c122fe", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4625 Logon_Type=2 ProcessName!="-" | bucket span=2m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, ProcessName, SubjectUserName, Computer | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by ProcessName, SubjectUserName, Computer | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_users_failed_to_authenticate_from_process_filter` - -[ESCU - Windows Unusual Count Of Users Failed To Authenticate Using NTLM - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies one source endpoint failing to authenticate with multiple valid users using the NTLM protocol. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using NTLM to obtain initial access or elevate privileges. Event 4776 is generated on the computer that is authoritative for the provided credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative. Error code 0xC000006A means: misspelled or bad password (the attempted user is a legitimate domain user). \ -The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of users. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises. \ -This detection will only trigger on domain controllers, not on member servers or workstations. \ -The analytics returned fields allow analysts to investigate the event further by providing fields like source workstation name and attempted user accounts. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies one source endpoint failing to authenticate with multiple valid users using the NTLM protocol. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using NTLM to obtain initial access or elevate privileges. Event 4776 is generated on the computer that is authoritative for the provided credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative. Error code 0xC000006A means: misspelled or bad password (the attempted user is a legitimate domain user). \ -The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of users. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises. \ -This detection will only trigger on domain controllers, not on member servers or workstations. \ -The analytics returned fields allow analysts to investigate the event further by providing fields like source workstation name and attempted user accounts. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `Audit Credential Validation` within `Account Logon` needs to be enabled. -action.escu.known_false_positives = A host failing to authenticate with multiple valid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems. If this detection triggers on a host other than a Domain Controller, the behavior could represent a password spraying attack against the host's local accounts. -action.escu.creation_date = 2022-09-22 -action.escu.modification_date = 2022-09-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Unusual Count Of Users Failed To Authenticate Using NTLM - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Password Spraying", "Volt Typhoon"] -action.risk = 1 -action.risk.param._risk_message = Potential NTLM based password spraying attack from $Workstation$ -action.risk.param._risk = [{"risk_object_field": "Workstation", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Unusual Count Of Users Failed To Authenticate Using NTLM - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Password Spraying", "Volt Typhoon"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "6f6c8fd7-6a6b-4af9-a0e9-57cfc47a58b4", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xC000006A | bucket span=2m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, Workstation | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by Workstation | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_users_failed_to_authenticate_using_ntlm_filter` - -[ESCU - Windows Unusual Count Of Users Remotely Failed To Auth From Host - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a source host failing to authenticate against a remote host with multiple users. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment to obtain initial access or elevate privileges. Event 4625 documents each and every failed attempt to logon to the local computer. This event generates on domain controllers, member servers, and workstations. Logon Type 3 describes an remote authentication attempt. \ -The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of users. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises. \ -This detection will trigger on the host that is the target of the password spraying attack. This could be a domain controller as well as a member server or workstation. \ -The analytics returned fields allow analysts to investigate the event further by providing fields like source process name, source account and attempted user accounts. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies a source host failing to authenticate against a remote host with multiple users. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment to obtain initial access or elevate privileges. Event 4625 documents each and every failed attempt to logon to the local computer. This event generates on domain controllers, member servers, and workstations. Logon Type 3 describes an remote authentication attempt. \ -The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of users. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises. \ -This detection will trigger on the host that is the target of the password spraying attack. This could be a domain controller as well as a member server or workstation. \ -The analytics returned fields allow analysts to investigate the event further by providing fields like source process name, source account and attempted user accounts. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled. -action.escu.known_false_positives = A host failing to authenticate with multiple valid users against a remote host is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, remote administration tools, missconfigyred systems, etc. -action.escu.creation_date = 2022-09-22 -action.escu.modification_date = 2022-09-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Unusual Count Of Users Remotely Failed To Auth From Host - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Password Spraying", "Volt Typhoon"] -action.risk = 1 -action.risk.param._risk_message = Potential password spraying attack on $Computer$ -action.risk.param._risk = [{"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Unusual Count Of Users Remotely Failed To Auth From Host - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Password Spraying", "Volt Typhoon"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "cf06a0ee-ffa9-4ed3-be77-0670ed9bab52", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4625 Logon_Type=3 IpAddress!="-" | bucket span=2m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, IpAddress, Computer | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by IpAddress, Computer | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_users_remotely_failed_to_auth_from_host_filter` - -[ESCU - Windows User Execution Malicious URL Shortcut File - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic will identify suspicious creation of URL shortcut link files. This technique was seen in CHAOS ransomware where it will drop this .url link file in %startup% folder that contains the path of its malicious dropped file to execute upon the reboot of the targeted host. The creation of this file can be created by a normal application or software but it is a good practice to verify this type of file specially the resource it tries to execute which is commonly a website. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.002", "T1204"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic will identify suspicious creation of URL shortcut link files. This technique was seen in CHAOS ransomware where it will drop this .url link file in %startup% folder that contains the path of its malicious dropped file to execute upon the reboot of the targeted host. The creation of this file can be created by a normal application or software but it is a good practice to verify this type of file specially the resource it tries to execute which is commonly a website. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. -action.escu.known_false_positives = Administrators may allow creation of script or exe in this path. -action.escu.creation_date = 2023-01-12 -action.escu.modification_date = 2023-01-12 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows User Execution Malicious URL Shortcut File - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Chaos Ransomware", "NjRAT", "Snake Keylogger"] -action.risk = 1 -action.risk.param._risk_message = a process created URL shortcut file in $file_path$ of $dest$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows User Execution Malicious URL Shortcut File - Rule -action.correlationsearch.annotations = {"analytic_story": ["Chaos Ransomware", "NjRAT", "Snake Keylogger"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.002", "T1204"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "5c7ee6ad-baf4-44fb-b2f0-0cfeddf82dbc", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic will identify suspicious creation of URL shortcut link files. This technique was seen in CHAOS ransomware where it will drop this .url link file in %startup% folder that contains the path of its malicious dropped file to execute upon the reboot of the targeted host. The creation of this file can be created by a normal application or software but it is a good practice to verify this type of file specially the resource it tries to execute which is commonly a website. -action.notable.param.rule_title = Windows User Execution Malicious URL Shortcut File -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = |tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where NOT(Filesystem.file_path IN ("*\\Program Files*")) Filesystem.file_name = *.url by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.user Filesystem.file_path Filesystem.process_guid Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_user_execution_malicious_url_shortcut_file_filter` - -[ESCU - Windows Valid Account With Never Expires Password - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies net.exe updating user account policies for password requirement with non-expiring password. This technique was seen in several adversaries and malware like Azorult to maintain the foothold (persistence), gaining privilege escalation, defense evasion and possible for lateral movement for specific users or created user account on the targeted host. This TTP detections is a good pivot to see further what other events that users executes on the machines. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies net.exe updating user account policies for password requirement with non-expiring password. This technique was seen in several adversaries and malware like Azorult to maintain the foothold (persistence), gaining privilege escalation, defense evasion and possible for lateral movement for specific users or created user account on the targeted host. This TTP detections is a good pivot to see further what other events that users executes on the machines. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = This behavior is not commonly seen in production environment and not advisable, filter as needed. -action.escu.creation_date = 2022-06-23 -action.escu.modification_date = 2022-06-23 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Valid Account With Never Expires Password - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Azorult"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ attempting to make non-expiring password on host user accounts. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 100}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Valid Account With Never Expires Password - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azorult"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "73a931db-1830-48b3-8296-cd9cfa09c3c8", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies net.exe updating user account policies for password requirement with non-expiring password. This technique was seen in several adversaries and malware like Azorult to maintain the foothold (persistence), gaining privilege escalation, defense evasion and possible for lateral movement for specific users or created user account on the targeted host. This TTP detections is a good pivot to see further what other events that users executes on the machines. -action.notable.param.rule_title = Windows Valid Account With Never Expires Password -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND Processes.process="* accounts *" AND Processes.process="* /maxpwage:unlimited" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_valid_account_with_never_expires_password_filter` - -[ESCU - Windows Vulnerable 3CX Software - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic leverages Sysmon, a powerful system monitoring and logging tool, to pinpoint instances of the 3CXDesktopApp.exe with a FileVersion of 18.12.x.Recently, 3CX has discovered a vulnerability specifically in versions 18.12.407 and 18.12.416 of the desktop app. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1195.002"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic leverages Sysmon, a powerful system monitoring and logging tool, to pinpoint instances of the 3CXDesktopApp.exe with a FileVersion of 18.12.x.Recently, 3CX has discovered a vulnerability specifically in versions 18.12.407 and 18.12.416 of the desktop app. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -action.escu.known_false_positives = False positives may be present based on file version, modify the analytic to only look for version between 18.12.407 and 18.12.416 as needed. -action.escu.creation_date = 2023-03-30 -action.escu.modification_date = 2023-03-30 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Vulnerable 3CX Software - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["3CX Supply Chain Attack"] -action.risk = 1 -action.risk.param._risk_message = A known vulnerable instance of 3CX Software $process_name$ ran on $dest$, related to a supply chain attack. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 90}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 90}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Vulnerable 3CX Software - Rule -action.correlationsearch.annotations = {"analytic_story": ["3CX Supply Chain Attack"], "cis20": ["CIS 10"], "confidence": 90, "cve": ["CVE-2023-29059"], "impact": 100, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1195.002"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "f2cc1584-46ee-485b-b905-977c067f36de", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic leverages Sysmon, a powerful system monitoring and logging tool, to pinpoint instances of the 3CXDesktopApp.exe with a FileVersion of 18.12.x.Recently, 3CX has discovered a vulnerability specifically in versions 18.12.407 and 18.12.416 of the desktop app. -action.notable.param.rule_title = Windows Vulnerable 3CX Software -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` (process_name=3CXDesktopApp.exe OR OriginalFileName=3CXDesktopApp.exe) FileVersion=18.12.* | stats count min(_time) as firstTime max(_time) as lastTime by dest, parent_process_name,process_name, OriginalFileName, CommandLine | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_vulnerable_3cx_software_filter` - -[ESCU - Windows Vulnerable Driver Loaded - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic utilizes a known list of vulnerable Windows drivers to help defenders find potential persistence or privelege escalation via a vulnerable driver. This analytic uses Sysmon EventCode 6, driver loading. A known gap with this lookup is that it does not use the hash or known signer of the vulnerable driver therefore it is up to the defender to identify version and signing info and confirm it is a vulnerable driver. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1543.003"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic utilizes a known list of vulnerable Windows drivers to help defenders find potential persistence or privelege escalation via a vulnerable driver. This analytic uses Sysmon EventCode 6, driver loading. A known gap with this lookup is that it does not use the hash or known signer of the vulnerable driver therefore it is up to the defender to identify version and signing info and confirm it is a vulnerable driver. -action.escu.how_to_implement = Sysmon collects driver loads via EventID 6, however you may modify the query to utilize this lookup to identify potentially persistent drivers that are known to be vulnerable. -action.escu.known_false_positives = False positives will be present. Drill down into the driver further by version number and cross reference by signer. Review the reference material in the lookup. In addition, modify the query to look within specific paths, which will remove a lot of "normal" drivers. -action.escu.creation_date = 2022-12-12 -action.escu.modification_date = 2022-12-12 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Vulnerable Driver Loaded - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["BlackByte Ransomware", "Windows Drivers"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Windows Vulnerable Driver Loaded - Rule -action.correlationsearch.annotations = {"analytic_story": ["BlackByte Ransomware", "Windows Drivers"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1543.003"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a2b1f1ef-221f-4187-b2a4-d4b08ec745f4", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=6 | stats min(_time) as firstTime max(_time) as lastTime count by dest ImageLoaded | lookup loldrivers driver_name AS ImageLoaded OUTPUT is_driver driver_description | search is_driver = TRUE | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_vulnerable_driver_loaded_filter` - -[ESCU - Windows WinDBG Spawning AutoIt3 - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies instances of the WinDBG process spawning AutoIt3. This behavior may indicate malicious activity as AutoIt3 is often used by threat actors for scripting malicious automation. The search specifically looks for instances where the parent process name is 'windbg.exe' and the process name is 'autoit3.exe' or 'autoit*.exe'. During the triage process, it is recommended to review the file path for additional artifacts that may provide further insights into the event. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies instances of the WinDBG process spawning AutoIt3. This behavior may indicate malicious activity as AutoIt3 is often used by threat actors for scripting malicious automation. The search specifically looks for instances where the parent process name is 'windbg.exe' and the process name is 'autoit3.exe' or 'autoit*.exe'. During the triage process, it is recommended to review the file path for additional artifacts that may provide further insights into the event. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives will only be present if the WinDBG process legitimately spawns AutoIt3. Filter as needed. -action.escu.creation_date = 2023-10-31 -action.escu.modification_date = 2023-10-31 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows WinDBG Spawning AutoIt3 - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["DarkGate Malware"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 100}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 100}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 100}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 100}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows WinDBG Spawning AutoIt3 - Rule -action.correlationsearch.annotations = {"analytic_story": ["DarkGate Malware"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "7aec015b-cd69-46c3-85ed-dac152056aa4", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies instances of the WinDBG process spawning AutoIt3. This behavior may indicate malicious activity as AutoIt3 is often used by threat actors for scripting malicious automation. The search specifically looks for instances where the parent process name is 'windbg.exe' and the process name is 'autoit3.exe' or 'autoit*.exe'. During the triage process, it is recommended to review the file path for additional artifacts that may provide further insights into the event. -action.notable.param.rule_title = Windows WinDBG Spawning AutoIt3 -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=windbg.exe AND (Processes.process_name IN ("autoit3.exe", "autoit*.exe") OR Processes.original_file_name IN ("autoit3.exe", "autoit*.exe")) by Processes.dest, Processes.user, Processes.parent_process_name, Processes.process_name, Processes.original_file_name, Processes.process, Processes.process_id, Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval matches_extension=if(match(process, "\\.(au3|a3x|exe|aut|aup)$"), "Yes", "No") | search matches_extension="Yes" | `windows_windbg_spawning_autoit3_filter` - -[ESCU - Windows WinLogon with Public Network Connection - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic is designed to detect anomalous behavior associated with the BlackLotus Campaign, a sophisticated bootkit attack reported by ESET and further investigated in a blog by Microsoft, which provided hunting queries for security analysts. The primary focus of this analytic is to identify instances of Winlogon.exe, a critical Windows process, connecting to public IP space, which is indicative of potential malicious activity.\ The BlackLotus Campaign is a bootkit-based attack that compromises system integrity by infecting the Master Boot Record (MBR) and Volume Boot Record (VBR). This malware variant can bypass traditional security measures, load before the operating system, and maintain persistence on the target system. \ -Winlogon.exe is a critical Windows process responsible for managing user logon and logoff processes. Under normal circumstances, Winlogon.exe should not be connecting to public IP addresses. However, if it does, it may indicate that the process has been compromised as part of the BlackLotus Campaign or another malicious operation. \ -This analytic monitors network connections made by Winlogon.exe and triggers an alert if it detects connections to public IP space. By identifying such anomalous behavior, security analysts can investigate further and respond swiftly to potential threats. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1542.003"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint", "Network_Traffic"] -action.escu.eli5 = The following analytic is designed to detect anomalous behavior associated with the BlackLotus Campaign, a sophisticated bootkit attack reported by ESET and further investigated in a blog by Microsoft, which provided hunting queries for security analysts. The primary focus of this analytic is to identify instances of Winlogon.exe, a critical Windows process, connecting to public IP space, which is indicative of potential malicious activity.\ The BlackLotus Campaign is a bootkit-based attack that compromises system integrity by infecting the Master Boot Record (MBR) and Volume Boot Record (VBR). This malware variant can bypass traditional security measures, load before the operating system, and maintain persistence on the target system. \ -Winlogon.exe is a critical Windows process responsible for managing user logon and logoff processes. Under normal circumstances, Winlogon.exe should not be connecting to public IP addresses. However, if it does, it may indicate that the process has been compromised as part of the BlackLotus Campaign or another malicious operation. \ -This analytic monitors network connections made by Winlogon.exe and triggers an alert if it detects connections to public IP space. By identifying such anomalous behavior, security analysts can investigate further and respond swiftly to potential threats. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives will be present and filtering will be required. Legitimate IPs will be present and need to be filtered. -action.escu.creation_date = 2024-01-30 -action.escu.modification_date = 2024-01-30 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows WinLogon with Public Network Connection - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["BlackLotus Campaign"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Windows WinLogon with Public Network Connection - Rule -action.correlationsearch.annotations = {"analytic_story": ["BlackLotus Campaign"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1542.003"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "65615b3a-62ea-4d65-bb9f-6f07c17df4ea", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (winlogon.exe) Processes.process!=unknown by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 NOT (All_Traffic.dest IN (127.0.0.1,10.0.0.0/8,172.16.0.0/12, 192.168.0.0/16, 0:0:0:0:0:0:0:1)) by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as publicIp ] | table dest parent_process_name process_name process_path process process_id dest_port publicIp | `windows_winlogon_with_public_network_connection_filter` - -[ESCU - Windows WMI Impersonate Token - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a possible wmi token impersonation activities in a process or command. This technique was seen in Qakbot malware where it will execute a vbscript code contains wmi impersonation object to gain privilege escalation or as defense evasion. This Anomaly detection looks for wmiprvse.exe SourceImage having a duplicate handle or full granted access in a target process. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies a possible wmi token impersonation activities in a process or command. This technique was seen in Qakbot malware where it will execute a vbscript code contains wmi impersonation object to gain privilege escalation or as defense evasion. This Anomaly detection looks for wmiprvse.exe SourceImage having a duplicate handle or full granted access in a target process. -action.escu.how_to_implement = This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 10. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives. -action.escu.known_false_positives = administrator may execute impersonate wmi object script for auditing. Filter is needed. -action.escu.creation_date = 2022-10-24 -action.escu.modification_date = 2022-10-24 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows WMI Impersonate Token - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["Qakbot"] -action.risk = 1 -action.risk.param._risk_message = wmiprvse.exe process having a duplicate or full Granted Access $GrantedAccess$ to $TargetImage$ process in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows WMI Impersonate Token - Rule -action.correlationsearch.annotations = {"analytic_story": ["Qakbot"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "cf192860-2d94-40db-9a51-c04a2e8a8f8b", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=10 SourceImage = "*\\wmiprvse.exe" GrantedAccess IN ("0x1478", "0x1fffff") | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage SourceProcessGUID TargetProcessGUID SourceProcessId TargetProcessId GrantedAccess CallTrace dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_wmi_impersonate_token_filter` - -[ESCU - Windows WMI Process And Service List - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies suspicious process command line, where WMI is performing an event query looking for running processes or running services. This technique is commonly found where the adversary will identify services and system information on the compromised machine. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies suspicious process command line, where WMI is performing an event query looking for running processes or running services. This technique is commonly found where the adversary will identify services and system information on the compromised machine. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = netowrk administrator or IT may execute this command for auditing processes and services. -action.escu.creation_date = 2022-11-30 -action.escu.modification_date = 2022-11-30 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows WMI Process And Service List - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Prestige Ransomware", "Windows Post-Exploitation"] -action.risk = 1 -action.risk.param._risk_message = wmi command $process$ to list processes and services in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 4}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows WMI Process And Service List - Rule -action.correlationsearch.annotations = {"analytic_story": ["Prestige Ransomware", "Windows Post-Exploitation"], "cis20": ["CIS 10"], "confidence": 20, "impact": 20, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "ef3c5ef2-3f6d-4087-aa75-49bf746dc907", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process IN ("*process list*", "*service list*") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_wmi_process_and_service_list_filter` - -[ESCU - Windows WMI Process Call Create - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is to look for wmi commandlines to execute or create process. This technique was used by adversaries or threat actor to execute their malicious payload in local or remote host. This hunting query is a good pivot to start to look further which process trigger the wmi or what process it execute locally or remotely. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic is to look for wmi commandlines to execute or create process. This technique was used by adversaries or threat actor to execute their malicious payload in local or remote host. This hunting query is a good pivot to start to look further which process trigger the wmi or what process it execute locally or remotely. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators may execute this command for testing or auditing. -action.escu.creation_date = 2023-12-27 -action.escu.modification_date = 2023-12-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows WMI Process Call Create - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["CISA AA23-347A", "IcedID", "Qakbot", "Suspicious WMI Use", "Volt Typhoon"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows WMI Process Call Create - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A", "IcedID", "Qakbot", "Suspicious WMI Use", "Volt Typhoon"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "0661c2de-93de-11ec-9833-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process = "* process *" Processes.process = "* call *" Processes.process = "* create *" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_path Processes.process_guid Processes.parent_process_id Processes.dest Processes.user Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_wmi_process_call_create_filter` - -[ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following query utilizes Windows Security EventCode 4698, indicating 'a scheduled task was created', to identify potentially suspicious tasks. These tasks may be registered on Windows through either schtasks.exe or TaskService, and are set up to execute a command with a native Windows shell such as PowerShell, Cmd, Wscript, or Cscript. \ -The search will return the initial and final times the task was registered, along with details like the 'Command' set to be executed, 'Task Name', 'Author', whether it's 'Enabled', and if it is 'Hidden'. \ -Schtasks.exe is typically found in C:\Windows\system32 and C:\Windows\syswow64. The DLL 'taskschd.dll' is loaded when either schtasks.exe or TaskService is launched. If this DLL is found loaded by another process, it's possible that a scheduled task is being registered within the context of that process in memory. \ -During triage, it's essential to identify the source of the scheduled task. Was it registered via schtasks.exe or TaskService? Review the job that was created and the command set to be executed. It's also recommended to capture and review any artifacts on disk, and identify any parallel processes within the same timeframe to locate the source. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following query utilizes Windows Security EventCode 4698, indicating 'a scheduled task was created', to identify potentially suspicious tasks. These tasks may be registered on Windows through either schtasks.exe or TaskService, and are set up to execute a command with a native Windows shell such as PowerShell, Cmd, Wscript, or Cscript. \ -The search will return the initial and final times the task was registered, along with details like the 'Command' set to be executed, 'Task Name', 'Author', whether it's 'Enabled', and if it is 'Hidden'. \ -Schtasks.exe is typically found in C:\Windows\system32 and C:\Windows\syswow64. The DLL 'taskschd.dll' is loaded when either schtasks.exe or TaskService is launched. If this DLL is found loaded by another process, it's possible that a scheduled task is being registered within the context of that process in memory. \ -During triage, it's essential to identify the source of the scheduled task. Was it registered via schtasks.exe or TaskService? Review the job that was created and the command set to be executed. It's also recommended to capture and review any artifacts on disk, and identify any parallel processes within the same timeframe to locate the source. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA is also required. -action.escu.known_false_positives = False positives are possible if legitimate applications are allowed to register tasks that call a shell to be spawned. Filter as needed based on command-line or processes that are used legitimately. -action.escu.creation_date = 2024-04-26 -action.escu.modification_date = 2024-04-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["CISA AA22-257A", "Ransomware", "Ryuk Ransomware", "Scheduled Tasks", "Windows Error Reporting Service Elevation of Privilege Vulnerability", "Windows Persistence Techniques", "Winter Vivern"] -action.risk = 1 -action.risk.param._risk_message = A windows scheduled task was created (task name=$TaskName$) on $dest$ by the following command: $TaskContent$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 70}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA22-257A", "Ransomware", "Ryuk Ransomware", "Scheduled Tasks", "Windows Error Reporting Service Elevation of Privilege Vulnerability", "Windows Persistence Techniques", "Winter Vivern"], "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "203ef0ea-9bd8-11eb-8201-acde48001122", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following query utilizes Windows Security EventCode 4698, indicating 'a scheduled task was created', to identify potentially suspicious tasks. These tasks may be registered on Windows through either schtasks.exe or TaskService, and are set up to execute a command with a native Windows shell such as PowerShell, Cmd, Wscript, or Cscript. \ -The search will return the initial and final times the task was registered, along with details like the 'Command' set to be executed, 'Task Name', 'Author', whether it's 'Enabled', and if it is 'Hidden'. \ -Schtasks.exe is typically found in C:\Windows\system32 and C:\Windows\syswow64. The DLL 'taskschd.dll' is loaded when either schtasks.exe or TaskService is launched. If this DLL is found loaded by another process, it's possible that a scheduled task is being registered within the context of that process in memory. \ -During triage, it's essential to identify the source of the scheduled task. Was it registered via schtasks.exe or TaskService? Review the job that was created and the command set to be executed. It's also recommended to capture and review any artifacts on disk, and identify any parallel processes within the same timeframe to locate the source. -action.notable.param.rule_title = WinEvent Scheduled Task Created to Spawn Shell -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4698 TaskContent IN ("*powershell.exe*", "*wscript.exe*", "*cscript.exe*", "*cmd.exe*", "*sh.exe*", "*ksh.exe*", "*zsh.exe*", "*bash.exe*", "*scrcons.exe*", "*pwsh.exe*") | stats count min(_time) as firstTime max(_time) as lastTime by Computer, TaskName, TaskContent | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winevent_scheduled_task_created_to_spawn_shell_filter` - -[ESCU - WinEvent Scheduled Task Created Within Public Path - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic utilizes Windows Security EventCode 4698, which indicates the creation of a scheduled task on a Windows system. The purpose of this query is to identify suspicious tasks that have been registered using either schtasks.exe or TaskService and involve executing a command from a user-writable file path. \ -When this analytic is triggered, it provides information such as the first and last registration time of the task, the command to be executed, the task name, author, and whether it is set as hidden or not. It is worth noting that schtasks.exe is commonly located in C:\Windows\system32 and C:\Windows\syswow64, and it loads the taskschd.dll DLL when launched. If this DLL is loaded by another process, it suggests that a scheduled task may be registered within that process's context in memory. \ -During the triage process, it is essential to identify the source of the scheduled task creation, whether it was initiated through schtasks.exe or TaskService. The analyst should review the task that was created, including the command to be executed. Additionally, any artifacts on disk related to the task should be captured and analyzed. It is also recommended to identify any parallel processes that occurred within the same timeframe to determine the source of the task creation. \ -By conducting this triage process, security analysts can gain insights into potentiallymalicious or suspicious scheduled tasks, helping them identify the source and assess the impact of the task. This analytic is valuable for a Security Operations Center (SOC) as it can detect unauthorized or suspicious activity that could indicate an attacker's attempt to establish persistence or execute unauthorized commands on the system. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic utilizes Windows Security EventCode 4698, which indicates the creation of a scheduled task on a Windows system. The purpose of this query is to identify suspicious tasks that have been registered using either schtasks.exe or TaskService and involve executing a command from a user-writable file path. \ -When this analytic is triggered, it provides information such as the first and last registration time of the task, the command to be executed, the task name, author, and whether it is set as hidden or not. It is worth noting that schtasks.exe is commonly located in C:\Windows\system32 and C:\Windows\syswow64, and it loads the taskschd.dll DLL when launched. If this DLL is loaded by another process, it suggests that a scheduled task may be registered within that process's context in memory. \ -During the triage process, it is essential to identify the source of the scheduled task creation, whether it was initiated through schtasks.exe or TaskService. The analyst should review the task that was created, including the command to be executed. Additionally, any artifacts on disk related to the task should be captured and analyzed. It is also recommended to identify any parallel processes that occurred within the same timeframe to determine the source of the task creation. \ -By conducting this triage process, security analysts can gain insights into potentiallymalicious or suspicious scheduled tasks, helping them identify the source and assess the impact of the task. This analytic is valuable for a Security Operations Center (SOC) as it can detect unauthorized or suspicious activity that could indicate an attacker's attempt to establish persistence or execute unauthorized commands on the system. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA is also required. -action.escu.known_false_positives = False positives are possible if legitimate applications are allowed to register tasks in public paths. Filter as needed based on paths that are used legitimately. -action.escu.creation_date = 2024-04-26 -action.escu.modification_date = 2024-04-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - WinEvent Scheduled Task Created Within Public Path - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Lateral Movement", "AsyncRAT", "CISA AA22-257A", "CISA AA23-347A", "Data Destruction", "IcedID", "Industroyer2", "Prestige Ransomware", "Ransomware", "Ryuk Ransomware", "Scheduled Tasks", "Windows Persistence Techniques", "Winter Vivern"] -action.risk = 1 -action.risk.param._risk_message = A windows scheduled task was created (task name=$TaskName$) on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 70}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - WinEvent Scheduled Task Created Within Public Path - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "AsyncRAT", "CISA AA22-257A", "CISA AA23-347A", "Data Destruction", "IcedID", "Industroyer2", "Prestige Ransomware", "Ransomware", "Ryuk Ransomware", "Scheduled Tasks", "Windows Persistence Techniques", "Winter Vivern"], "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "5d9c6eee-988c-11eb-8253-acde48001122", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic utilizes Windows Security EventCode 4698, which indicates the creation of a scheduled task on a Windows system. The purpose of this query is to identify suspicious tasks that have been registered using either schtasks.exe or TaskService and involve executing a command from a user-writable file path. \ -When this analytic is triggered, it provides information such as the first and last registration time of the task, the command to be executed, the task name, author, and whether it is set as hidden or not. It is worth noting that schtasks.exe is commonly located in C:\Windows\system32 and C:\Windows\syswow64, and it loads the taskschd.dll DLL when launched. If this DLL is loaded by another process, it suggests that a scheduled task may be registered within that process's context in memory. \ -During the triage process, it is essential to identify the source of the scheduled task creation, whether it was initiated through schtasks.exe or TaskService. The analyst should review the task that was created, including the command to be executed. Additionally, any artifacts on disk related to the task should be captured and analyzed. It is also recommended to identify any parallel processes that occurred within the same timeframe to determine the source of the task creation. \ -By conducting this triage process, security analysts can gain insights into potentiallymalicious or suspicious scheduled tasks, helping them identify the source and assess the impact of the task. This analytic is valuable for a Security Operations Center (SOC) as it can detect unauthorized or suspicious activity that could indicate an attacker's attempt to establish persistence or execute unauthorized commands on the system. -action.notable.param.rule_title = WinEvent Scheduled Task Created Within Public Path -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_security` EventCode=4698 TaskContent IN ("*\\users\\public\\*", "*\\programdata\\*", "*\\temp\\*", "*\\Windows\\Tasks\\*", "*\\appdata\\*", "*\\perflogs\\*") | stats count min(_time) as firstTime max(_time) as lastTime by Computer, TaskName, TaskContent | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winevent_scheduled_task_created_within_public_path_filter` - -[ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following hunting analytic aims to identify suspicious tasks that have been registered and executed in Windows using EventID 200 (action run) and 201 (action completed) from the Windows Task Scheduler logs. This analytic helps detect evasive techniques used to register tasks on Windows systems. It is recommended to filter the results based on the ActionName field by specifying specific paths that are not commonly used in your environment. \ -After implementing this analytic, it is important to review parallel events related to the scheduled tasks. EventID 106 will be generated when a new task is created, but it does not necessarily mean that the task has been executed. Analysts should capture any files on disk associated with the task and perform further analysis. \ -To implement this analytic, Task Scheduler logs must be collected. This can be done by adding a stanza for [WinEventLog://Microsoft-Windows-TaskScheduler/Operational] in the inputs.conf file and setting renderXml=false. It is worth noting that not translating the logs into XML may require specific extraction of items from the Message field. \ -False positives are expected with this analytic, so it is important to filter the results based on the paths or specific keywords of interest in the ActionName field to reduce noise. \ -Identifying and analyzing scheduled tasks that have been executed is crucial for a Security Operations Center (SOC) as it helps detect potentially malicious or unauthorized activities on Windows systems. By capturing and investigating the associated events, analysts can uncover signs of persistence mechanisms, unauthorized code execution, or suspicious behaviors. The impact of a true positive could range from unauthorized access to data exfiltration or the execution of malicious payloads. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.005"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following hunting analytic aims to identify suspicious tasks that have been registered and executed in Windows using EventID 200 (action run) and 201 (action completed) from the Windows Task Scheduler logs. This analytic helps detect evasive techniques used to register tasks on Windows systems. It is recommended to filter the results based on the ActionName field by specifying specific paths that are not commonly used in your environment. \ -After implementing this analytic, it is important to review parallel events related to the scheduled tasks. EventID 106 will be generated when a new task is created, but it does not necessarily mean that the task has been executed. Analysts should capture any files on disk associated with the task and perform further analysis. \ -To implement this analytic, Task Scheduler logs must be collected. This can be done by adding a stanza for [WinEventLog://Microsoft-Windows-TaskScheduler/Operational] in the inputs.conf file and setting renderXml=false. It is worth noting that not translating the logs into XML may require specific extraction of items from the Message field. \ -False positives are expected with this analytic, so it is important to filter the results based on the paths or specific keywords of interest in the ActionName field to reduce noise. \ -Identifying and analyzing scheduled tasks that have been executed is crucial for a Security Operations Center (SOC) as it helps detect potentially malicious or unauthorized activities on Windows systems. By capturing and investigating the associated events, analysts can uncover signs of persistence mechanisms, unauthorized code execution, or suspicious behaviors. The impact of a true positive could range from unauthorized access to data exfiltration or the execution of malicious payloads. -action.escu.how_to_implement = Task Scheduler logs are required to be collected. Enable logging with inputs.conf by adding a stanza for [WinEventLog://Microsoft-Windows-TaskScheduler/Operational] and renderXml=false. Note, not translating it in XML may require a proper extraction of specific items in the Message. -action.escu.known_false_positives = False positives will be present. Filter based on ActionName paths or specify keywords of interest. -action.escu.creation_date = 2024-04-26 -action.escu.modification_date = 2024-04-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Amadey", "AsyncRAT", "CISA AA22-257A", "DarkCrystal RAT", "Data Destruction", "IcedID", "Industroyer2", "Prestige Ransomware", "Qakbot", "Sandworm Tools", "Scheduled Tasks", "Windows Persistence Techniques", "Winter Vivern", "Winter Vivern"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule -action.correlationsearch.annotations = {"analytic_story": ["Amadey", "AsyncRAT", "CISA AA22-257A", "DarkCrystal RAT", "Data Destruction", "IcedID", "Industroyer2", "Prestige Ransomware", "Qakbot", "Sandworm Tools", "Scheduled Tasks", "Windows Persistence Techniques", "Winter Vivern", "Winter Vivern"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1053.005"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "b3632472-310b-11ec-9aab-acde48001122", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wineventlog_task_scheduler` EventCode IN ("200","201") | stats count min(_time) as firstTime max(_time) as lastTime by TaskName dest EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winevent_windows_task_scheduler_event_action_started_filter` - -[ESCU - Winhlp32 Spawning a Process - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies winhlp32.exe, found natively in `c:\windows\`, spawning a child process that loads a file out of appdata, programdata, or temp. Winhlp32.exe has a rocky past in that multiple vulnerabilities were found and added to MetaSploit. WinHlp32.exe is required to display 32-bit Help files that have the ".hlp" file name extension. This particular instance is related to a Remcos sample where dynwrapx.dll is added to the registry under inprocserver32, and later module loaded by winhlp32.exe to spawn wscript.exe and load a vbs or file from disk. During triage, review parallel processes to identify further suspicious behavior. Review module loads for unsuspecting unsigned modules. Capture any file modifications and analyze. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies winhlp32.exe, found natively in `c:\windows\`, spawning a child process that loads a file out of appdata, programdata, or temp. Winhlp32.exe has a rocky past in that multiple vulnerabilities were found and added to MetaSploit. WinHlp32.exe is required to display 32-bit Help files that have the ".hlp" file name extension. This particular instance is related to a Remcos sample where dynwrapx.dll is added to the registry under inprocserver32, and later module loaded by winhlp32.exe to spawn wscript.exe and load a vbs or file from disk. During triage, review parallel processes to identify further suspicious behavior. Review module loads for unsuspecting unsigned modules. Capture any file modifications and analyze. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives should be limited as winhlp32.exe is typically not used with the latest flavors of Windows OS. However, filter as needed. -action.escu.creation_date = 2021-10-05 -action.escu.modification_date = 2021-10-05 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Winhlp32 Spawning a Process - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Remcos"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$, and is not typical activity for this process. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Winhlp32 Spawning a Process - Rule -action.correlationsearch.annotations = {"analytic_story": ["Remcos"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "d17dae9e-2618-11ec-b9f5-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies winhlp32.exe, found natively in `c:\windows\`, spawning a child process that loads a file out of appdata, programdata, or temp. Winhlp32.exe has a rocky past in that multiple vulnerabilities were found and added to MetaSploit. WinHlp32.exe is required to display 32-bit Help files that have the ".hlp" file name extension. This particular instance is related to a Remcos sample where dynwrapx.dll is added to the registry under inprocserver32, and later module loaded by winhlp32.exe to spawn wscript.exe and load a vbs or file from disk. During triage, review parallel processes to identify further suspicious behavior. Review module loads for unsuspecting unsigned modules. Capture any file modifications and analyze. -action.notable.param.rule_title = Winhlp32 Spawning a Process -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=winhlp32.exe Processes.process IN ("*\\appdata\\*","*\\programdata\\*", "*\\temp\\*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winhlp32_spawning_a_process_filter` - -[ESCU - WinRAR Spawning Shell Application - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the execution of Windows shell processes initiated by WinRAR, specifically looking for instances where WinRAR spawns processes like "cmd.exe", "powershell.exe", "certutil.exe", "mshta.exe", or "bitsadmin.exe". This behavior is worth identifying for a Security Operations Center (SOC) because it is indicative of a spoofing attack exploit, such as the one associated with WinRAR CVE-2023-38831. Cybercriminals exploited this vulnerability to craft ZIP archives with spoofed extensions, hiding the launch of malicious scripts within an archive. When a victim opened the specially crafted archive, it executed the malware, leading to unauthorized access to their broker accounts and enabling the cybercriminals to perform illicit financial transactions and withdraw funds. If a true positive is found, it suggests that an attacker has successfully exploited the vulnerability to execute malicious scripts, leading to unauthorized access, financial loss, and potentially the delivery of additional malicious payloads. The impact of the attack could be severe, involving financial loss, unauthorized access to sensitive accounts, and the potential for further malicious activity such as data theft or ransomware attacks. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic detects the execution of Windows shell processes initiated by WinRAR, specifically looking for instances where WinRAR spawns processes like "cmd.exe", "powershell.exe", "certutil.exe", "mshta.exe", or "bitsadmin.exe". This behavior is worth identifying for a Security Operations Center (SOC) because it is indicative of a spoofing attack exploit, such as the one associated with WinRAR CVE-2023-38831. Cybercriminals exploited this vulnerability to craft ZIP archives with spoofed extensions, hiding the launch of malicious scripts within an archive. When a victim opened the specially crafted archive, it executed the malware, leading to unauthorized access to their broker accounts and enabling the cybercriminals to perform illicit financial transactions and withdraw funds. If a true positive is found, it suggests that an attacker has successfully exploited the vulnerability to execute malicious scripts, leading to unauthorized access, financial loss, and potentially the delivery of additional malicious payloads. The impact of the attack could be severe, involving financial loss, unauthorized access to sensitive accounts, and the potential for further malicious activity such as data theft or ransomware attacks. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Be aware of potential false positives - legitimate uses of WinRAR and the listed processes in your environment may cause benign activities to be flagged. Upon triage, review the destination, user, parent process, and process name involved in the flagged activity. Capture and inspect any relevant on-disk artifacts, and look for concurrent processes to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks. -action.escu.creation_date = 2023-08-29 -action.escu.modification_date = 2023-08-29 -action.escu.confidence = high -action.escu.full_search_name = ESCU - WinRAR Spawning Shell Application - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["WinRAR Spoofing Attack CVE-2023-38831"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to decode a file. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 70}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 70}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 70}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 70}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - WinRAR Spawning Shell Application - Rule -action.correlationsearch.annotations = {"analytic_story": ["WinRAR Spoofing Attack CVE-2023-38831"], "cis20": ["CIS 10"], "confidence": 70, "cve": ["CVE-2023-38831"], "impact": 100, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "d2f36034-37fa-4bd4-8801-26807c15540f", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the execution of Windows shell processes initiated by WinRAR, specifically looking for instances where WinRAR spawns processes like "cmd.exe", "powershell.exe", "certutil.exe", "mshta.exe", or "bitsadmin.exe". This behavior is worth identifying for a Security Operations Center (SOC) because it is indicative of a spoofing attack exploit, such as the one associated with WinRAR CVE-2023-38831. Cybercriminals exploited this vulnerability to craft ZIP archives with spoofed extensions, hiding the launch of malicious scripts within an archive. When a victim opened the specially crafted archive, it executed the malware, leading to unauthorized access to their broker accounts and enabling the cybercriminals to perform illicit financial transactions and withdraw funds. If a true positive is found, it suggests that an attacker has successfully exploited the vulnerability to execute malicious scripts, leading to unauthorized access, financial loss, and potentially the delivery of additional malicious payloads. The impact of the attack could be severe, involving financial loss, unauthorized access to sensitive accounts, and the potential for further malicious activity such as data theft or ransomware attacks. -action.notable.param.rule_title = WinRAR Spawning Shell Application -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=winrar.exe `windows_shells` OR Processes.process_name IN ("certutil.exe","mshta.exe","bitsadmin.exe") by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winrar_spawning_shell_application_filter` - -[ESCU - WinRM Spawning a Process - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies suspicious processes spawning from WinRM (wsmprovhost.exe). This analytic is related to potential exploitation of CVE-2021-31166. which is a kernel-mode device driver http.sys vulnerability. Current proof of concept code will blue-screen the operating system. However, http.sys used by many different Windows processes, including WinRM. In this case, identifying suspicious process create (child processes) from `wsmprovhost.exe` is what this analytic is identifying. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies suspicious processes spawning from WinRM (wsmprovhost.exe). This analytic is related to potential exploitation of CVE-2021-31166. which is a kernel-mode device driver http.sys vulnerability. Current proof of concept code will blue-screen the operating system. However, http.sys used by many different Windows processes, including WinRM. In this case, identifying suspicious process create (child processes) from `wsmprovhost.exe` is what this analytic is identifying. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Unknown. Add new processes or filter as needed. It is possible system management software may spawn processes from `wsmprovhost.exe`. -action.escu.creation_date = 2023-12-27 -action.escu.modification_date = 2023-12-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - WinRM Spawning a Process - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["CISA AA23-347A", "Rhysida Ransomware", "Unusual Processes"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - WinRM Spawning a Process - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A", "Rhysida Ransomware", "Unusual Processes"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2021-31166"], "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a081836a-ba4d-11eb-8593-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies suspicious processes spawning from WinRM (wsmprovhost.exe). This analytic is related to potential exploitation of CVE-2021-31166. which is a kernel-mode device driver http.sys vulnerability. Current proof of concept code will blue-screen the operating system. However, http.sys used by many different Windows processes, including WinRM. In this case, identifying suspicious process create (child processes) from `wsmprovhost.exe` is what this analytic is identifying. -action.notable.param.rule_title = WinRM Spawning a Process -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=wsmprovhost.exe Processes.process_name IN ("cmd.exe","sh.exe","bash.exe","powershell.exe","pwsh.exe","schtasks.exe","certutil.exe","whoami.exe","bitsadmin.exe","scp.exe") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winrm_spawning_a_process_filter` - -[ESCU - Winword Spawning Cmd - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following detection identifies Microsoft Word spawning `cmd.exe`. Typically, this is not common behavior and not default with winword.exe. Winword.exe will generally be found in the following path `C:\Program Files\Microsoft Office\root\Office16` (version will vary). Cmd.exe spawning from winword.exe is common for a spearphishing attachment and is actively used. Albeit, the command-line will indicate what is being executed. During triage, review parallel processes and identify any files that may have been written. It is possible that COM is utilized to trampoline the child process to `explorer.exe` or `wmiprvse.exe`. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following detection identifies Microsoft Word spawning `cmd.exe`. Typically, this is not common behavior and not default with winword.exe. Winword.exe will generally be found in the following path `C:\Program Files\Microsoft Office\root\Office16` (version will vary). Cmd.exe spawning from winword.exe is common for a spearphishing attachment and is actively used. Albeit, the command-line will indicate what is being executed. During triage, review parallel processes and identify any files that may have been written. It is possible that COM is utilized to trampoline the child process to `explorer.exe` or `wmiprvse.exe`. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives should be limited, but if any are present, filter as needed. -action.escu.creation_date = 2021-04-22 -action.escu.modification_date = 2021-04-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Winword Spawning Cmd - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["CVE-2023-21716 Word RTF Heap Corruption", "DarkCrystal RAT", "Spearphishing Attachments"] -action.risk = 1 -action.risk.param._risk_message = $parent_process_name$ on $dest$ by $user$ launched command: $process_name$ which is very common in spearphishing attacks. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 70}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 70}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 70}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Winword Spawning Cmd - Rule -action.correlationsearch.annotations = {"analytic_story": ["CVE-2023-21716 Word RTF Heap Corruption", "DarkCrystal RAT", "Spearphishing Attachments"], "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "6fcbaedc-a37b-11eb-956b-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following detection identifies Microsoft Word spawning `cmd.exe`. Typically, this is not common behavior and not default with winword.exe. Winword.exe will generally be found in the following path `C:\Program Files\Microsoft Office\root\Office16` (version will vary). Cmd.exe spawning from winword.exe is common for a spearphishing attachment and is actively used. Albeit, the command-line will indicate what is being executed. During triage, review parallel processes and identify any files that may have been written. It is possible that COM is utilized to trampoline the child process to `explorer.exe` or `wmiprvse.exe`. -action.notable.param.rule_title = Winword Spawning Cmd -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=winword.exe `process_cmd` by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winword_spawning_cmd_filter` - -[ESCU - Winword Spawning PowerShell - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following detection identifies Microsoft Word spawning PowerShell. Typically, this is not common behavior and not default with winword.exe. Winword.exe will generally be found in the following path `C:\Program Files\Microsoft Office\root\Office16` (version will vary). PowerShell spawning from winword.exe is common for a spearphishing attachment and is actively used. Albeit, the command executed will most likely be encoded and captured via another detection. During triage, review parallel processes and identify any files that may have been written. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following detection identifies Microsoft Word spawning PowerShell. Typically, this is not common behavior and not default with winword.exe. Winword.exe will generally be found in the following path `C:\Program Files\Microsoft Office\root\Office16` (version will vary). PowerShell spawning from winword.exe is common for a spearphishing attachment and is actively used. Albeit, the command executed will most likely be encoded and captured via another detection. During triage, review parallel processes and identify any files that may have been written. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives should be limited, but if any are present, filter as needed. -action.escu.creation_date = 2021-04-12 -action.escu.modification_date = 2021-04-12 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Winword Spawning PowerShell - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["CVE-2023-21716 Word RTF Heap Corruption", "DarkCrystal RAT", "Spearphishing Attachments"] -action.risk = 1 -action.risk.param._risk_message = $parent_process_name$ on $dest$ by $user$ launched the following powershell process: $process_name$ which is very common in spearphishing attacks -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 70}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 70}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 70}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Winword Spawning PowerShell - Rule -action.correlationsearch.annotations = {"analytic_story": ["CVE-2023-21716 Word RTF Heap Corruption", "DarkCrystal RAT", "Spearphishing Attachments"], "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "b2c950b8-9be2-11eb-8658-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following detection identifies Microsoft Word spawning PowerShell. Typically, this is not common behavior and not default with winword.exe. Winword.exe will generally be found in the following path `C:\Program Files\Microsoft Office\root\Office16` (version will vary). PowerShell spawning from winword.exe is common for a spearphishing attachment and is actively used. Albeit, the command executed will most likely be encoded and captured via another detection. During triage, review parallel processes and identify any files that may have been written. -action.notable.param.rule_title = Winword Spawning PowerShell -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name="winword.exe" `process_powershell` by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `winword_spawning_powershell_filter` - -[ESCU - Winword Spawning Windows Script Host - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following detection identifies Microsoft Winword.exe spawning Windows Script Host - `cscript.exe` or `wscript.exe`. Typically, this is not common behavior and not default with Winword.exe. Winword.exe will generally be found in the following path `C:\Program Files\Microsoft Office\root\Office16` (version will vary). `cscript.exe` or `wscript.exe` default location is `c:\windows\system32\` or c:windows\syswow64\`. `cscript.exe` or `wscript.exe` spawning from Winword.exe is common for a spearphishing attachment and is actively used. Albeit, the command-line executed will most likely be obfuscated and captured via another detection. During triage, review parallel processes and identify any files that may have been written. Review the reputation of the remote destination and block accordingly. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following detection identifies Microsoft Winword.exe spawning Windows Script Host - `cscript.exe` or `wscript.exe`. Typically, this is not common behavior and not default with Winword.exe. Winword.exe will generally be found in the following path `C:\Program Files\Microsoft Office\root\Office16` (version will vary). `cscript.exe` or `wscript.exe` default location is `c:\windows\system32\` or c:windows\syswow64\`. `cscript.exe` or `wscript.exe` spawning from Winword.exe is common for a spearphishing attachment and is actively used. Albeit, the command-line executed will most likely be obfuscated and captured via another detection. During triage, review parallel processes and identify any files that may have been written. Review the reputation of the remote destination and block accordingly. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = There will be limited false positives and it will be different for every environment. Tune by child process or command-line as needed. -action.escu.creation_date = 2021-04-12 -action.escu.modification_date = 2021-04-12 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Winword Spawning Windows Script Host - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["CVE-2023-21716 Word RTF Heap Corruption", "Spearphishing Attachments"] -action.risk = 1 -action.risk.param._risk_message = User $user$ on $dest$ spawned Windows Script Host from Winword.exe -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 70}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 70}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 70}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Winword Spawning Windows Script Host - Rule -action.correlationsearch.annotations = {"analytic_story": ["CVE-2023-21716 Word RTF Heap Corruption", "Spearphishing Attachments"], "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "637e1b5c-9be1-11eb-9c32-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following detection identifies Microsoft Winword.exe spawning Windows Script Host - `cscript.exe` or `wscript.exe`. Typically, this is not common behavior and not default with Winword.exe. Winword.exe will generally be found in the following path `C:\Program Files\Microsoft Office\root\Office16` (version will vary). `cscript.exe` or `wscript.exe` default location is `c:\windows\system32\` or c:windows\syswow64\`. `cscript.exe` or `wscript.exe` spawning from Winword.exe is common for a spearphishing attachment and is actively used. Albeit, the command-line executed will most likely be obfuscated and captured via another detection. During triage, review parallel processes and identify any files that may have been written. Review the reputation of the remote destination and block accordingly. -action.notable.param.rule_title = Winword Spawning Windows Script Host -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name="winword.exe" Processes.process_name IN ("cscript.exe", "wscript.exe") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winword_spawning_windows_script_host_filter` - -[ESCU - WMI Permanent Event Subscription - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic detects the creation of permanent event subscriptions using Windows Management Instrumentation (WMI), which is used by attackers to achieve persistence in a compromised system. By creating a permanent event subscription, an attacker can run malicious scripts or binaries in response to specific system events that enables them to maintain access to the system undetected. The detection is made by using Sysmon EventID 5 data to detect instances where the consumers of these events are not the expected "NTEventLogEventConsumer." The detection is important because it identifies unusual or unexpected subscription creation, which suggests that an attacker is attempting to achieve persistence within the environment and might be executing malicious scripts or binaries in response to specific system events. The impact of such an attack can be severe, potentially leading to data theft, ransomware, or other damaging outcomes. False positives might occur since False positives might occur since WMI event subscriptions can be used for legitimate purposes by system administrators. You must have a thorough understanding of WMI activity within the context of the monitored environment to effectively differentiate between legitimate and malicious activity.Next steps include investigating the associated scripts or binaries and identifying the source of the attack. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects the creation of permanent event subscriptions using Windows Management Instrumentation (WMI), which is used by attackers to achieve persistence in a compromised system. By creating a permanent event subscription, an attacker can run malicious scripts or binaries in response to specific system events that enables them to maintain access to the system undetected. The detection is made by using Sysmon EventID 5 data to detect instances where the consumers of these events are not the expected "NTEventLogEventConsumer." The detection is important because it identifies unusual or unexpected subscription creation, which suggests that an attacker is attempting to achieve persistence within the environment and might be executing malicious scripts or binaries in response to specific system events. The impact of such an attack can be severe, potentially leading to data theft, ransomware, or other damaging outcomes. False positives might occur since False positives might occur since WMI event subscriptions can be used for legitimate purposes by system administrators. You must have a thorough understanding of WMI activity within the context of the monitored environment to effectively differentiate between legitimate and malicious activity.Next steps include investigating the associated scripts or binaries and identifying the source of the attack. -action.escu.how_to_implement = To successfully implement this search, you must be ingesting the Windows WMI activity logs. This can be done by adding a stanza to inputs.conf on the system generating logs with a title of [WinEventLog://Microsoft-Windows-WMI-Activity/Operational]. -action.escu.known_false_positives = Although unlikely, administrators may use event subscriptions for legitimate purposes. -action.escu.creation_date = 2018-10-23 -action.escu.modification_date = 2018-10-23 -action.escu.confidence = high -action.escu.full_search_name = ESCU - WMI Permanent Event Subscription - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Suspicious WMI Use"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - WMI Permanent Event Subscription - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious WMI Use"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "71bfdb13-f200-4c6c-b2c9-a2e07adf437d", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the creation of permanent event subscriptions using Windows Management Instrumentation (WMI), which is used by attackers to achieve persistence in a compromised system. By creating a permanent event subscription, an attacker can run malicious scripts or binaries in response to specific system events that enables them to maintain access to the system undetected. The detection is made by using Sysmon EventID 5 data to detect instances where the consumers of these events are not the expected "NTEventLogEventConsumer." The detection is important because it identifies unusual or unexpected subscription creation, which suggests that an attacker is attempting to achieve persistence within the environment and might be executing malicious scripts or binaries in response to specific system events. The impact of such an attack can be severe, potentially leading to data theft, ransomware, or other damaging outcomes. False positives might occur since False positives might occur since WMI event subscriptions can be used for legitimate purposes by system administrators. You must have a thorough understanding of WMI activity within the context of the monitored environment to effectively differentiate between legitimate and malicious activity.Next steps include investigating the associated scripts or binaries and identifying the source of the attack. -action.notable.param.rule_title = WMI Permanent Event Subscription -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wmi` EventCode=5861 Binding | rex field=Message "Consumer =\s+(?[^;|^$]+)" | search consumer!="NTEventLogEventConsumer=\"SCM Event Log Consumer\"" | stats count min(_time) as firstTime max(_time) as lastTime by ComputerName, consumer, Message | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | rename ComputerName as dest | `wmi_permanent_event_subscription_filter` - -[ESCU - WMI Permanent Event Subscription - Sysmon - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic looks for the creation of WMI permanent event subscriptions. The following analytic identifies the use of WMI Event Subscription to establish persistence or perform privilege escalation. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges. This analytic is restricted by commonly added process execution and a path. If the volume is low enough, remove the values and flag on any new subscriptions. \ -All event subscriptions have three components \ -1. Filter - WQL Query for the events we want. EventID = 19 \ -1. Consumer - An action to take upon triggering the filter. EventID = 20 \ -1. Binding - Registers a filter to a consumer. EventID = 21 \ -Monitor for the creation of new WMI EventFilter, EventConsumer, and FilterToConsumerBinding. It may be pertinent to review all 3 to identify the flow of execution. In addition, EventCode 4104 may assist with any other PowerShell script usage that registered the subscription. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1546.003", "T1546"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic looks for the creation of WMI permanent event subscriptions. The following analytic identifies the use of WMI Event Subscription to establish persistence or perform privilege escalation. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges. This analytic is restricted by commonly added process execution and a path. If the volume is low enough, remove the values and flag on any new subscriptions. \ -All event subscriptions have three components \ -1. Filter - WQL Query for the events we want. EventID = 19 \ -1. Consumer - An action to take upon triggering the filter. EventID = 20 \ -1. Binding - Registers a filter to a consumer. EventID = 21 \ -Monitor for the creation of new WMI EventFilter, EventConsumer, and FilterToConsumerBinding. It may be pertinent to review all 3 to identify the flow of execution. In addition, EventCode 4104 may assist with any other PowerShell script usage that registered the subscription. -action.escu.how_to_implement = To successfully implement this search, you must be collecting Sysmon data using Sysmon version 6.1 or greater and have Sysmon configured to generate alerts for WMI activity (eventID= 19, 20, 21). In addition, you must have at least version 6.0.4 of the Sysmon TA installed to properly parse the fields. -action.escu.known_false_positives = Although unlikely, administrators may use event subscriptions for legitimate purposes. -action.escu.creation_date = 2023-11-07 -action.escu.modification_date = 2023-11-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - WMI Permanent Event Subscription - Sysmon - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["Suspicious WMI Use"] -action.risk = 1 -action.risk.param._risk_message = WMI Permanent Event Subscription detected on $dest$ by $user$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 30}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 30}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - WMI Permanent Event Subscription - Sysmon - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious WMI Use"], "cis20": ["CIS 10"], "confidence": 100, "impact": 30, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1546.003", "T1546"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "ad05aae6-3b2a-4f73-af97-57bd26cee3b9", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic looks for the creation of WMI permanent event subscriptions. The following analytic identifies the use of WMI Event Subscription to establish persistence or perform privilege escalation. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges. This analytic is restricted by commonly added process execution and a path. If the volume is low enough, remove the values and flag on any new subscriptions. \ -All event subscriptions have three components \ -1. Filter - WQL Query for the events we want. EventID = 19 \ -1. Consumer - An action to take upon triggering the filter. EventID = 20 \ -1. Binding - Registers a filter to a consumer. EventID = 21 \ -Monitor for the creation of new WMI EventFilter, EventConsumer, and FilterToConsumerBinding. It may be pertinent to review all 3 to identify the flow of execution. In addition, EventCode 4104 may assist with any other PowerShell script usage that registered the subscription. -action.notable.param.rule_title = WMI Permanent Event Subscription - Sysmon -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=21 | rename host as dest | table _time, dest, user, Operation, EventType, Query, Consumer, Filter | `wmi_permanent_event_subscription___sysmon_filter` - -[ESCU - WMI Recon Running Process Or Services - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies suspicious PowerShell script execution via EventCode 4104, where WMI is performing an event query looking for running processes or running services. This technique is commonly found in malware and APT events where the adversary will map all running security applications or services on the compromised machine. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Reconnaissance"], "mitre_attack": ["T1592"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies suspicious PowerShell script execution via EventCode 4104, where WMI is performing an event query looking for running processes or running services. This technique is commonly found in malware and APT events where the adversary will map all running security applications or services on the compromised machine. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts. -action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -action.escu.known_false_positives = Network administrator may used this command for checking purposes -action.escu.creation_date = 2023-11-07 -action.escu.modification_date = 2023-11-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - WMI Recon Running Process Or Services - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Data Destruction", "Hermetic Wiper", "Malicious PowerShell"] -action.risk = 1 -action.risk.param._risk_message = Suspicious powerShell script execution by $user$ on $dest$ via EventCode 4104, where WMI is performing an event query looking for running processes or running services -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 20}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 20}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - WMI Recon Running Process Or Services - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Malicious PowerShell"], "cis20": ["CIS 10"], "confidence": 100, "impact": 20, "kill_chain_phases": ["Reconnaissance"], "mitre_attack": ["T1592"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "b5cd5526-cce7-11eb-b3bd-acde48001122", "detection_version": "3"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `powershell` EventCode=4104 ScriptBlockText= "*SELECT*" AND (ScriptBlockText="*Win32_Process*" OR ScriptBlockText="*Win32_Service*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wmi_recon_running_process_or_services_filter` - -[ESCU - WMI Temporary Event Subscription - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic detects the creation of WMI temporary event subscriptions. WMI (Windows Management Instrumentation) is a management technology that allows administrators to perform various tasks on Windows-based systems. Temporary event subscriptions are created to monitor specific events or changes on a system that help to detect potential threats early and take proactive measures to protect the organization's systems and data. The detection is made by using the Splunk query `wmi` EventCode=5860 Temporary to search for events with EventCode 5860, which indicates the creation of a temporary WMI event subscription. To further refine the search results, the query uses regular expressions (rex) to extract the query used in the event subscription. Then, it filters known benign queries related to system processes such as 'wsmprovhost.exe' and 'AntiVirusProduct', 'FirewallProduct', 'AntiSpywareProduct', which helps to focus on potentially malicious or suspicious queries. The detection is important because it indicates malicious activity since attackers use WMI to run commands, gather information, or maintain persistence within a compromised system. False positives might occur since legitimate uses of WMI event subscriptions in the environment might trigger benign activities to be flagged. Therefore, an extensive triage is necessary to review the specific query and assess its intent. Additionally, capturing and inspecting relevant on-disk artifacts and analyzing concurrent processes can help to identify the source of the attack. Detecting the creation of these event subscriptions to identify potential threats early and take appropriate actions to mitigate the risks. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects the creation of WMI temporary event subscriptions. WMI (Windows Management Instrumentation) is a management technology that allows administrators to perform various tasks on Windows-based systems. Temporary event subscriptions are created to monitor specific events or changes on a system that help to detect potential threats early and take proactive measures to protect the organization's systems and data. The detection is made by using the Splunk query `wmi` EventCode=5860 Temporary to search for events with EventCode 5860, which indicates the creation of a temporary WMI event subscription. To further refine the search results, the query uses regular expressions (rex) to extract the query used in the event subscription. Then, it filters known benign queries related to system processes such as 'wsmprovhost.exe' and 'AntiVirusProduct', 'FirewallProduct', 'AntiSpywareProduct', which helps to focus on potentially malicious or suspicious queries. The detection is important because it indicates malicious activity since attackers use WMI to run commands, gather information, or maintain persistence within a compromised system. False positives might occur since legitimate uses of WMI event subscriptions in the environment might trigger benign activities to be flagged. Therefore, an extensive triage is necessary to review the specific query and assess its intent. Additionally, capturing and inspecting relevant on-disk artifacts and analyzing concurrent processes can help to identify the source of the attack. Detecting the creation of these event subscriptions to identify potential threats early and take appropriate actions to mitigate the risks. -action.escu.how_to_implement = To successfully implement this search, you must be ingesting the Windows WMI activity logs. This can be done by adding a stanza to inputs.conf on the system generating logs with a title of [WinEventLog://Microsoft-Windows-WMI-Activity/Operational]. -action.escu.known_false_positives = Some software may create WMI temporary event subscriptions for various purposes. The included search contains an exception for two of these that occur by default on Windows 10 systems. You may need to modify the search to create exceptions for other legitimate events. -action.escu.creation_date = 2018-10-23 -action.escu.modification_date = 2018-10-23 -action.escu.confidence = high -action.escu.full_search_name = ESCU - WMI Temporary Event Subscription - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Suspicious WMI Use"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - WMI Temporary Event Subscription - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious WMI Use"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "38cbd42c-1098-41bb-99cf-9d6d2b296d83", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the creation of WMI temporary event subscriptions. WMI (Windows Management Instrumentation) is a management technology that allows administrators to perform various tasks on Windows-based systems. Temporary event subscriptions are created to monitor specific events or changes on a system that help to detect potential threats early and take proactive measures to protect the organization's systems and data. The detection is made by using the Splunk query `wmi` EventCode=5860 Temporary to search for events with EventCode 5860, which indicates the creation of a temporary WMI event subscription. To further refine the search results, the query uses regular expressions (rex) to extract the query used in the event subscription. Then, it filters known benign queries related to system processes such as 'wsmprovhost.exe' and 'AntiVirusProduct', 'FirewallProduct', 'AntiSpywareProduct', which helps to focus on potentially malicious or suspicious queries. The detection is important because it indicates malicious activity since attackers use WMI to run commands, gather information, or maintain persistence within a compromised system. False positives might occur since legitimate uses of WMI event subscriptions in the environment might trigger benign activities to be flagged. Therefore, an extensive triage is necessary to review the specific query and assess its intent. Additionally, capturing and inspecting relevant on-disk artifacts and analyzing concurrent processes can help to identify the source of the attack. Detecting the creation of these event subscriptions to identify potential threats early and take appropriate actions to mitigate the risks. -action.notable.param.rule_title = WMI Temporary Event Subscription -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `wmi` EventCode=5860 Temporary | rex field=Message "NotificationQuery =\s+(?[^;|^$]+)" | search query!="SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName = 'wsmprovhost.exe'" AND query!="SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'" | stats count min(_time) as firstTime max(_time) as lastTime by ComputerName, query | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `wmi_temporary_event_subscription_filter` - -[ESCU - Wmic Group Discovery - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following hunting analytic identifies the use of `wmic.exe` enumerating local groups on the endpoint. \ -Typically, by itself, is not malicious but may raise suspicion based on time of day, endpoint and username. \ -During triage, review parallel processes and identify any further suspicious behavior. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.001"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following hunting analytic identifies the use of `wmic.exe` enumerating local groups on the endpoint. \ -Typically, by itself, is not malicious but may raise suspicion based on time of day, endpoint and username. \ -During triage, review parallel processes and identify any further suspicious behavior. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. -action.escu.creation_date = 2021-09-14 -action.escu.modification_date = 2021-09-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Wmic Group Discovery - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Discovery"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Wmic Group Discovery - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.001"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "83317b08-155b-11ec-8e00-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wmic.exe (Processes.process="*group get name*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `wmic_group_discovery_filter` - -[ESCU - Wmic NonInteractive App Uninstallation - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic indentifies WMIC command-line attempting to uninstall application non-interactively. This technique was seen in IcedID to uninstall AV products on the compromised host to evade detection. This Hunting query maybe a good indicator that some process tries to uninstall application using wmic which is not a common behavior. This approach may seen in some script or third part appication to uninstall their application but it is a good thing to check what it uninstall and why. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic indentifies WMIC command-line attempting to uninstall application non-interactively. This technique was seen in IcedID to uninstall AV products on the compromised host to evade detection. This Hunting query maybe a good indicator that some process tries to uninstall application using wmic which is not a common behavior. This approach may seen in some script or third part appication to uninstall their application but it is a good thing to check what it uninstall and why. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Third party application may use this approach to uninstall applications. -action.escu.creation_date = 2022-07-19 -action.escu.modification_date = 2022-07-19 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Wmic NonInteractive App Uninstallation - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Azorult", "IcedID"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Wmic NonInteractive App Uninstallation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azorult", "IcedID"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "bff0e7a0-317f-11ec-ab4e-acde48001122", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wmic.exe Processes.process="* product *" Processes.process="*where name*" Processes.process="*call uninstall*" Processes.process="*/nointeractive*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wmic_noninteractive_app_uninstallation_filter` - -[ESCU - WMIC XSL Execution via URL - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies `wmic.exe` loading a remote XSL (eXtensible Stylesheet Language) script. This originally was identified by Casey Smith, dubbed Squiblytwo, as an application control bypass. Many adversaries will utilize this technique to invoke JScript or VBScript within an XSL file. This technique can also execute local/remote scripts and, similar to its Regsvr32 "Squiblydoo" counterpart, leverages a trusted, built-in Windows tool. Adversaries may abuse any alias in Windows Management Instrumentation provided they utilize the /FORMAT switch. Upon identifying a suspicious execution, review for confirmed network connnection and script download. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1220"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies `wmic.exe` loading a remote XSL (eXtensible Stylesheet Language) script. This originally was identified by Casey Smith, dubbed Squiblytwo, as an application control bypass. Many adversaries will utilize this technique to invoke JScript or VBScript within an XSL file. This technique can also execute local/remote scripts and, similar to its Regsvr32 "Squiblydoo" counterpart, leverages a trusted, built-in Windows tool. Adversaries may abuse any alias in Windows Management Instrumentation provided they utilize the /FORMAT switch. Upon identifying a suspicious execution, review for confirmed network connnection and script download. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = False positives are limited as legitimate applications typically do not download files or xsl using WMIC. Filter as needed. -action.escu.creation_date = 2021-11-11 -action.escu.modification_date = 2021-11-11 -action.escu.confidence = high -action.escu.full_search_name = ESCU - WMIC XSL Execution via URL - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Suspicious WMI Use"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ utilizing wmic to download a remote XSL script. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - WMIC XSL Execution via URL - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious WMI Use"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1220"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "787e9dd0-4328-11ec-a029-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies `wmic.exe` loading a remote XSL (eXtensible Stylesheet Language) script. This originally was identified by Casey Smith, dubbed Squiblytwo, as an application control bypass. Many adversaries will utilize this technique to invoke JScript or VBScript within an XSL file. This technique can also execute local/remote scripts and, similar to its Regsvr32 "Squiblydoo" counterpart, leverages a trusted, built-in Windows tool. Adversaries may abuse any alias in Windows Management Instrumentation provided they utilize the /FORMAT switch. Upon identifying a suspicious execution, review for confirmed network connnection and script download. -action.notable.param.rule_title = WMIC XSL Execution via URL -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process IN ("*http://*", "*https://*") Processes.process="*/format:*" by Processes.parent_process_name Processes.original_file_name Processes.parent_process Processes.process_name Processes.process_id Processes.process Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wmic_xsl_execution_via_url_filter` - -[ESCU - Wmiprsve LOLBAS Execution Process Spawn - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies `wmiprsve.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing Windows Management Instrumentation (WMI), the executed command is spawned as a child process of `wmiprvse.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of wmiprvse.exe that are part of the LOLBAS project can help defenders identify lateral movement activity. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies `wmiprsve.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing Windows Management Instrumentation (WMI), the executed command is spawned as a child process of `wmiprvse.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of wmiprvse.exe that are part of the LOLBAS project can help defenders identify lateral movement activity. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Legitimate applications may trigger this behavior, filter as needed. -action.escu.creation_date = 2021-11-22 -action.escu.modification_date = 2021-11-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Wmiprsve LOLBAS Execution Process Spawn - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Lateral Movement"] -action.risk = 1 -action.risk.param._risk_message = Wmiprsve.exe spawned a LOLBAS process on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 54}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Wmiprsve LOLBAS Execution Process Spawn - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "95a455f0-4c04-11ec-b8ac-3e22fbd008af", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies `wmiprsve.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing Windows Management Instrumentation (WMI), the executed command is spawned as a child process of `wmiprvse.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of wmiprvse.exe that are part of the LOLBAS project can help defenders identify lateral movement activity. -action.notable.param.rule_title = Wmiprsve LOLBAS Execution Process Spawn -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=wmiprvse.exe) (Processes.process_name IN ("Regsvcs.exe", "Ftp.exe", "OfflineScannerShell.exe", "Rasautou.exe", "Schtasks.exe", "Xwizard.exe", "Dllhost.exe", "Pnputil.exe", "Atbroker.exe", "Pcwrun.exe", "Ttdinject.exe","Mshta.exe", "Bitsadmin.exe", "Certoc.exe", "Ieexec.exe", "Microsoft.Workflow.Compiler.exe", "Runscripthelper.exe", "Forfiles.exe", "Msbuild.exe", "Register-cimprovider.exe", "Tttracer.exe", "Ie4uinit.exe", "Bash.exe", "Hh.exe", "SettingSyncHost.exe", "Cmstp.exe", "Mmc.exe", "Stordiag.exe", "Scriptrunner.exe", "Odbcconf.exe", "Extexport.exe", "Msdt.exe", "WorkFolders.exe", "Diskshadow.exe", "Mavinject.exe", "Regasm.exe", "Gpscript.exe", "Rundll32.exe", "Regsvr32.exe", "Msiexec.exe", "Wuauclt.exe", "Presentationhost.exe", "Wmic.exe", "Runonce.exe", "Syncappvpublishingserver.exe", "Verclsid.exe", "Infdefaultinstall.exe", "Explorer.exe", "Installutil.exe", "Netsh.exe", "Wab.exe", "Dnscmd.exe", "At.exe", "Pcalua.exe", "Msconfig.exe")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wmiprsve_lolbas_execution_process_spawn_filter` - -[ESCU - Wscript Or Cscript Suspicious Child Process - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic identifies a suspicious spawned process by WScript or CScript process. This technique was a common technique used by adversaries and malware to execute different LOLBIN, other scripts like PowerShell or spawn a suspended process to inject its code as a defense evasion. This TTP may detect some normal script that using several application tool that are in the list of the child process it detects but a good pivot and indicator that a script is may execute suspicious code. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1055", "T1543", "T1134.004", "T1134"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic identifies a suspicious spawned process by WScript or CScript process. This technique was a common technique used by adversaries and malware to execute different LOLBIN, other scripts like PowerShell or spawn a suspended process to inject its code as a defense evasion. This TTP may detect some normal script that using several application tool that are in the list of the child process it detects but a good pivot and indicator that a script is may execute suspicious code. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Administrators may create vbs or js script that use several tool as part of its execution. Filter as needed. -action.escu.creation_date = 2023-04-14 -action.escu.modification_date = 2023-04-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Wscript Or Cscript Suspicious Child Process - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Data Destruction", "FIN7", "NjRAT", "Remcos", "Unusual Processes", "WhisperGate"] -action.risk = 1 -action.risk.param._risk_message = wscript or cscript parent process spawned $process_name$ in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Wscript Or Cscript Suspicious Child Process - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "FIN7", "NjRAT", "Remcos", "Unusual Processes", "WhisperGate"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1055", "T1543", "T1134.004", "T1134"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "1f35e1da-267b-11ec-90a9-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic identifies a suspicious spawned process by WScript or CScript process. This technique was a common technique used by adversaries and malware to execute different LOLBIN, other scripts like PowerShell or spawn a suspended process to inject its code as a defense evasion. This TTP may detect some normal script that using several application tool that are in the list of the child process it detects but a good pivot and indicator that a script is may execute suspicious code. -action.notable.param.rule_title = Wscript Or Cscript Suspicious Child Process -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("cscript.exe", "wscript.exe") Processes.process_name IN ("regsvr32.exe", "rundll32.exe","winhlp32.exe","certutil.exe","msbuild.exe","cmd.exe","powershell*","wmic.exe","mshta.exe") by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wscript_or_cscript_suspicious_child_process_filter` - -[ESCU - Wsmprovhost LOLBAS Execution Process Spawn - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies `Wsmprovhost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Windows Remote Management (WinRm) protocol, the executed command is spawned as a child processs of `Wsmprovhost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of Wsmprovhost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.006"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies `Wsmprovhost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Windows Remote Management (WinRm) protocol, the executed command is spawned as a child processs of `Wsmprovhost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of Wsmprovhost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Legitimate applications may trigger this behavior, filter as needed. -action.escu.creation_date = 2021-11-22 -action.escu.modification_date = 2021-11-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Wsmprovhost LOLBAS Execution Process Spawn - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Lateral Movement"] -action.risk = 1 -action.risk.param._risk_message = Wsmprovhost.exe spawned a LOLBAS process on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 54}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Wsmprovhost LOLBAS Execution Process Spawn - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.006"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "2eed004c-4c0d-11ec-93e8-3e22fbd008af", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies `Wsmprovhost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Windows Remote Management (WinRm) protocol, the executed command is spawned as a child processs of `Wsmprovhost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of Wsmprovhost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity. -action.notable.param.rule_title = Wsmprovhost LOLBAS Execution Process Spawn -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=wsmprovhost.exe) (Processes.process_name IN ("Regsvcs.exe", "Ftp.exe", "OfflineScannerShell.exe", "Rasautou.exe", "Schtasks.exe", "Xwizard.exe", "Dllhost.exe", "Pnputil.exe", "Atbroker.exe", "Pcwrun.exe", "Ttdinject.exe","Mshta.exe", "Bitsadmin.exe", "Certoc.exe", "Ieexec.exe", "Microsoft.Workflow.Compiler.exe", "Runscripthelper.exe", "Forfiles.exe", "Msbuild.exe", "Register-cimprovider.exe", "Tttracer.exe", "Ie4uinit.exe", "Bash.exe", "Hh.exe", "SettingSyncHost.exe", "Cmstp.exe", "Mmc.exe", "Stordiag.exe", "Scriptrunner.exe", "Odbcconf.exe", "Extexport.exe", "Msdt.exe", "WorkFolders.exe", "Diskshadow.exe", "Mavinject.exe", "Regasm.exe", "Gpscript.exe", "Rundll32.exe", "Regsvr32.exe", "Msiexec.exe", "Wuauclt.exe", "Presentationhost.exe", "Wmic.exe", "Runonce.exe", "Syncappvpublishingserver.exe", "Verclsid.exe", "Infdefaultinstall.exe", "Explorer.exe", "Installutil.exe", "Netsh.exe", "Wab.exe", "Dnscmd.exe", "At.exe", "Pcalua.exe", "Msconfig.exe")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `wsmprovhost_lolbas_execution_process_spawn_filter` - -[ESCU - WSReset UAC Bypass - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search is to detect a suspicious modification of registry related to UAC bypass. This technique is to modify the registry in this detection, create a registry value with the path of the payload and run WSreset.exe to bypass User account Control. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search is to detect a suspicious modification of registry related to UAC bypass. This technique is to modify the registry in this detection, create a registry value with the path of the payload and run WSreset.exe to bypass User account Control. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2022-11-14 -action.escu.modification_date = 2022-11-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - WSReset UAC Bypass - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Living Off The Land", "Windows Defense Evasion Tactics", "Windows Registry Abuse"] -action.risk = 1 -action.risk.param._risk_message = Suspicious modification of registry $registry_path$ with possible payload path $registry_value_name$ in $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - WSReset UAC Bypass - Rule -action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "8b5901bc-da63-11eb-be43-acde48001122", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search is to detect a suspicious modification of registry related to UAC bypass. This technique is to modify the registry in this detection, create a registry value with the path of the payload and run WSreset.exe to bypass User account Control. -action.notable.param.rule_title = WSReset UAC Bypass -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE Registry.registry_path= "*\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command*" AND (Registry.registry_value_name = "(Default)" OR Registry.registry_value_name = "DelegateExecute") by _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wsreset_uac_bypass_filter` - -[ESCU - XMRIG Driver Loaded - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the installation of the XMRIG coinminer driver on a system. It identifies the loading of the `WinRing0x64.sys` driver, commonly associated with XMRIG, by analyzing Sysmon EventCode 6 logs for specific signatures and image loads. This activity is significant because XMRIG is an open-source CPU miner frequently exploited by adversaries to mine cryptocurrency illicitly. If confirmed malicious, this activity could lead to unauthorized resource consumption, degraded system performance, and potential financial loss due to unauthorized cryptocurrency mining. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1543.003", "T1543"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects the installation of the XMRIG coinminer driver on a system. It identifies the loading of the `WinRing0x64.sys` driver, commonly associated with XMRIG, by analyzing Sysmon EventCode 6 logs for specific signatures and image loads. This activity is significant because XMRIG is an open-source CPU miner frequently exploited by adversaries to mine cryptocurrency illicitly. If confirmed malicious, this activity could lead to unauthorized resource consumption, degraded system performance, and potential financial loss due to unauthorized cryptocurrency mining. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the driver loaded and Signature from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -action.escu.known_false_positives = False positives should be limited. -action.escu.creation_date = 2024-05-06 -action.escu.modification_date = 2024-05-06 -action.escu.confidence = high -action.escu.full_search_name = ESCU - XMRIG Driver Loaded - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Microsoft Sysmon"] -action.escu.analytic_story = ["CISA AA22-320A", "XMRig"] -action.risk = 1 -action.risk.param._risk_message = A driver $ImageLoaded$ related to xmrig crytominer loaded in host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - XMRIG Driver Loaded - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA22-320A", "XMRig"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1543.003", "T1543"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "90080fa6-a8df-11eb-91e4-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the installation of the XMRIG coinminer driver on a system. It identifies the loading of the `WinRing0x64.sys` driver, commonly associated with XMRIG, by analyzing Sysmon EventCode 6 logs for specific signatures and image loads. This activity is significant because XMRIG is an open-source CPU miner frequently exploited by adversaries to mine cryptocurrency illicitly. If confirmed malicious, this activity could lead to unauthorized resource consumption, degraded system performance, and potential financial loss due to unauthorized cryptocurrency mining. -action.notable.param.rule_title = XMRIG Driver Loaded -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `sysmon` EventCode=6 Signature="Noriyuki MIYAZAKI" OR ImageLoaded= "*\\WinRing0x64.sys" | stats min(_time) as firstTime max(_time) as lastTime count by dest ImageLoaded Hashes IMPHASH Signature Signed | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `xmrig_driver_loaded_filter` - -[ESCU - XSL Script Execution With WMIC - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search is to detect a suspicious wmic.exe process or renamed wmic process to execute malicious xsl file. This technique was seen in FIN7 to execute its malicous jscript using the .xsl as the loader with the help of wmic.exe process. This TTP is really a good indicator for you to hunt further for FIN7 or other attacker that known to used this technique. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1220"], "nist": ["DE.CM"]} -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search is to detect a suspicious wmic.exe process or renamed wmic process to execute malicious xsl file. This technique was seen in FIN7 to execute its malicous jscript using the .xsl as the loader with the help of wmic.exe process. This TTP is really a good indicator for you to hunt further for FIN7 or other attacker that known to used this technique. -action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2021-09-13 -action.escu.modification_date = 2021-09-13 -action.escu.confidence = high -action.escu.full_search_name = ESCU - XSL Script Execution With WMIC - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Carbon Black Response", "CrowdStrike Falcon", "Microsoft Sysmon", "Microsoft Windows", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["FIN7", "Suspicious WMI Use"] -action.risk = 1 -action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ utilizing wmic to load a XSL script. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 49}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - XSL Script Execution With WMIC - Rule -action.correlationsearch.annotations = {"analytic_story": ["FIN7", "Suspicious WMI Use"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1220"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "004e32e2-146d-11ec-a83f-acde48001122", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search is to detect a suspicious wmic.exe process or renamed wmic process to execute malicious xsl file. This technique was seen in FIN7 to execute its malicous jscript using the .xsl as the loader with the help of wmic.exe process. This TTP is really a good indicator for you to hunt further for FIN7 or other attacker that known to used this technique. -action.notable.param.rule_title = XSL Script Execution With WMIC -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process = "*os get*" Processes.process="*/format:*" Processes.process = "*.xsl*" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process_id Processes.process Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `xsl_script_execution_with_wmic_filter` - -[ESCU - Detect ARP Poisoning - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic detects ARP Poisoning attacks by monitoring for Dynamic ARP Inspection (DAI) errors on Cisco network devices. It leverages logs from Cisco devices, specifically looking for events where the ARP inspection feature has disabled an interface due to suspicious activity. This activity is significant because ARP Poisoning can allow attackers to intercept, modify, or disrupt network traffic, leading to potential data breaches or denial of service. If confirmed malicious, this could enable attackers to perform man-in-the-middle attacks, compromising the integrity and confidentiality of network communications. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives", "Delivery", "Exploitation"], "mitre_attack": ["T1200", "T1498", "T1557", "T1557.002"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects ARP Poisoning attacks by monitoring for Dynamic ARP Inspection (DAI) errors on Cisco network devices. It leverages logs from Cisco devices, specifically looking for events where the ARP inspection feature has disabled an interface due to suspicious activity. This activity is significant because ARP Poisoning can allow attackers to intercept, modify, or disrupt network traffic, leading to potential data breaches or denial of service. If confirmed malicious, this could enable attackers to perform man-in-the-middle attacks, compromising the integrity and confidentiality of network communications. -action.escu.how_to_implement = This search uses a standard SPL query on logs from Cisco Network devices. The network devices must be configured with DHCP Snooping (see https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_01101.html) and Dynamic ARP Inspection (see https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-2_2_e/security/configuration_guide/b_sec_1522e_2960x_cg/b_sec_1522e_2960x_cg_chapter_01111.html) and log with a severity level of minimum "5 - notification". The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices. -action.escu.known_false_positives = This search might be prone to high false positives if DHCP Snooping or ARP inspection has been incorrectly configured, or if a device normally sends many ARP packets (unlikely). -action.escu.creation_date = 2024-05-12 -action.escu.modification_date = 2024-05-12 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect ARP Poisoning - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Router and Infrastructure Security"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Detect ARP Poisoning - Rule -action.correlationsearch.annotations = {"analytic_story": ["Router and Infrastructure Security"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Actions on Objectives", "Delivery", "Exploitation"], "mitre_attack": ["T1200", "T1498", "T1557", "T1557.002"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "b44bebd6-bd39-467b-9321-73971bcd1aac", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects ARP Poisoning attacks by monitoring for Dynamic ARP Inspection (DAI) errors on Cisco network devices. It leverages logs from Cisco devices, specifically looking for events where the ARP inspection feature has disabled an interface due to suspicious activity. This activity is significant because ARP Poisoning can allow attackers to intercept, modify, or disrupt network traffic, leading to potential data breaches or denial of service. If confirmed malicious, this could enable attackers to perform man-in-the-middle attacks, compromising the integrity and confidentiality of network communications. -action.notable.param.rule_title = Detect ARP Poisoning -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cisco_networks` facility="PM" mnemonic="ERR_DISABLE" disable_cause="arp-inspection" | eval src_interface=src_int_prefix_long+src_int_suffix | stats min(_time) AS firstTime max(_time) AS lastTime count BY host src_interface | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`| `detect_arp_poisoning_filter` - -[ESCU - Detect DGA domains using pretrained model in DSDL - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic uses a pre trained deep learning model to detect Domain Generation Algorithm (DGA) generated domains. The model is trained independently and is then made available for download. One of the prominent indicators of a domain being DGA generated is if the domain name consists of unusual character sequences or concatenated dictionary words. Adversaries often use clever techniques to obfuscate machine generated domain names as human generated. Predicting DGA generated domain names requires analysis and building a model based on carefully chosen features. The deep learning model we have developed uses the domain name to analyze patterns of character sequences along with carefully chosen custom features to predict if a domain is DGA generated. The model takes a domain name consisting of second-level and top-level domain names as input and outputs a dga_score. Higher the dga_score, the more likely the input domain is a DGA domain. The threshold for flagging a domain as DGA is set at 0.5. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1568.002"], "nist": ["DE.AE"]} -action.escu.data_models = ["Network_Resolution"] -action.escu.eli5 = The following analytic uses a pre trained deep learning model to detect Domain Generation Algorithm (DGA) generated domains. The model is trained independently and is then made available for download. One of the prominent indicators of a domain being DGA generated is if the domain name consists of unusual character sequences or concatenated dictionary words. Adversaries often use clever techniques to obfuscate machine generated domain names as human generated. Predicting DGA generated domain names requires analysis and building a model based on carefully chosen features. The deep learning model we have developed uses the domain name to analyze patterns of character sequences along with carefully chosen custom features to predict if a domain is DGA generated. The model takes a domain name consisting of second-level and top-level domain names as input and outputs a dga_score. Higher the dga_score, the more likely the input domain is a DGA domain. The threshold for flagging a domain as DGA is set at 0.5. -action.escu.how_to_implement = Steps to deploy DGA detection model into Splunk App DSDL.\ This detection depends on the Splunk app for Data Science and Deep Learning which can be found here - https://splunkbase.splunk.com/app/4607/ and the Network Resolution datamodel which can be found here - https://splunkbase.splunk.com/app/1621/. The detection uses a pre-trained deep learning model that needs to be deployed in DSDL app. Follow the steps for deployment here - https://github.com/splunk/security_content/wiki/How-to-deploy-pre-trained-Deep-Learning-models-for-ESCU. * Download the artifacts .tar.gz file from the link `https://seal.splunkresearch.com/pretrained_dga_model_dsdl.tar.gz` \ -* Download the pretrained_dga_model_dsdl.ipynb Jupyter notebook from `https://github.com/splunk/security_content/notebooks` \ -* Login to the Jupyter Lab for pretrained_dga_model_dsdl container. This container should be listed on Containers page for DSDL app. \ -* Below steps need to be followed inside Jupyter lab \ -* Upload the pretrained_dga_model_dsdl.tar.gz file into `app/model/data` path using the upload option in the jupyter notebook. \ -* Untar the artifact `pretrained_dga_model_dsdl.tar.gz` using `tar -xf app/model/data/pretrained_dga_model_dsdl.tar.gz -C app/model/data` \ -* Upload `pretrained_dga_model_dsdl.pynb` into Jupyter lab notebooks folder using the upload option in Jupyter lab \ -* Save the notebook using the save option in jupyter notebook. \ -* Upload `pretrained_dga_model_dsdl.json` into `notebooks/data` folder. -action.escu.known_false_positives = False positives may be present if domain name is similar to dga generated domains. -action.escu.creation_date = 2023-01-18 -action.escu.modification_date = 2023-01-18 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect DGA domains using pretrained model in DSDL - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Command And Control", "DNS Hijacking", "Data Exfiltration", "Dynamic DNS", "Suspicious DNS Traffic"] -action.risk = 1 -action.risk.param._risk_message = A potential connection to a DGA domain $domain$ was detected from host $src$, kindly review. -action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "system", "risk_score": 63}, {"threat_object_field": "domain", "threat_object_type": "url"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Detect DGA domains using pretrained model in DSDL - Rule -action.correlationsearch.annotations = {"analytic_story": ["Command And Control", "DNS Hijacking", "Data Exfiltration", "Dynamic DNS", "Suspicious DNS Traffic"], "cis20": ["CIS 13"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1568.002"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "92e24f32-9b9a-4060-bba2-2a0eb31f3493", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` values(DNS.answer) as IPs min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Resolution by DNS.src, DNS.query | `drop_dm_object_name(DNS)` | rename query AS domain | fields IPs, src, domain, firstTime, lastTime | apply pretrained_dga_model_dsdl | rename pred_dga_proba AS dga_score | where dga_score>0.5 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table src, domain, IPs, firstTime, lastTime, dga_score | `detect_dga_domains_using_pretrained_model_in_dsdl_filter` - -[ESCU - Detect DNS Data Exfiltration using pretrained model in DSDL - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic uses a pre trained deep learning model to detect DNS data exfiltration. The model is trained on the data we collected and is inferred on live data. This detection detects low throughput DNS Tunneling (data exfiltration) using features computed from past events between the same src and domain. The search uses macros from URL ToolBox app to generate features used by the model. The model is a deep learning model that accepts DNS request as input along with a few custom features to generate a pred_is_exfiltration_proba score. The higher the pred_is_exfiltration_proba, the more likely the DNS request is data exfiltration. The threshold for flagging a request as DNS exfiltration is set at 0.5. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048.003"], "nist": ["DE.AE"]} -action.escu.data_models = ["Network_Resolution"] -action.escu.eli5 = The following analytic uses a pre trained deep learning model to detect DNS data exfiltration. The model is trained on the data we collected and is inferred on live data. This detection detects low throughput DNS Tunneling (data exfiltration) using features computed from past events between the same src and domain. The search uses macros from URL ToolBox app to generate features used by the model. The model is a deep learning model that accepts DNS request as input along with a few custom features to generate a pred_is_exfiltration_proba score. The higher the pred_is_exfiltration_proba, the more likely the DNS request is data exfiltration. The threshold for flagging a request as DNS exfiltration is set at 0.5. -action.escu.how_to_implement = Steps to deploy detect DNS data exfiltration model into Splunk App DSDL. This detection depends on the Splunk app for Data Science and Deep Learning which can be found here - https://splunkbase.splunk.com/app/4607/ and the Network Resolution datamodel which can be found here - https://splunkbase.splunk.com/app/1621/. The detection uses a pre-trained deep learning model that needs to be deployed in DSDL app. Follow the steps for deployment here - `https://github.com/splunk/security_content/wiki/How-to-deploy-pre-trained-Deep-Learning-models-for-ESCU`. \ -* Download the `artifacts .tar.gz` file from the link - https://seal.splunkresearch.com/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.tar.gz Download the `detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.ipynb` Jupyter notebook from https://github.com/splunk/security_content/notebooks \ -* Login to the Jupyter Lab assigned for detect_dns_data_exfiltration_using_pretrained_model_in_dsdl container. This container should be listed on Containers page for DSDL app. \ -* Below steps need to be followed inside Jupyter lab \ -* Upload the detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.tar.gz file into `app/model/data` path using the upload option in the jupyter notebook. \ -* Untar the artifact detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.tar.gz using `tar -xf app/model/data/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.tar.gz -C app/model/data` \ -* Upload detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.pynb into Jupyter lab notebooks folder using the upload option in Jupyter lab \ -* Save the notebook using the save option in jupyter notebook. \ -* Upload `detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.json` into `notebooks/data` folder. -action.escu.known_false_positives = False positives may be present if DNS data exfiltration request look very similar to benign DNS requests. -action.escu.creation_date = 2023-04-27 -action.escu.modification_date = 2023-04-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect DNS Data Exfiltration using pretrained model in DSDL - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Command And Control", "DNS Hijacking", "Suspicious DNS Traffic"] -action.risk = 1 -action.risk.param._risk_message = A DNS data exfiltration request was sent by this host $src$ , kindly review. -action.risk.param._risk = [{"risk_object_field": "query", "risk_object_type": "other", "risk_score": 45}, {"risk_object_field": "src", "risk_object_type": "system", "risk_score": 45}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Detect DNS Data Exfiltration using pretrained model in DSDL - Rule -action.correlationsearch.annotations = {"analytic_story": ["Command And Control", "DNS Hijacking", "Suspicious DNS Traffic"], "cis20": ["CIS 13"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048.003"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "92f65c3a-168c-11ed-71eb-0242ac120012", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count from datamodel=Network_Resolution by DNS.src _time DNS.query | `drop_dm_object_name("DNS")` | sort - _time,src, query | streamstats count as rank by src query | where rank < 10 | table src,query,rank,_time | apply detect_dns_data_exfiltration_using_pretrained_model_in_dsdl | table src,_time,query,rank,pred_is_dns_data_exfiltration_proba,pred_is_dns_data_exfiltration | where rank == 1 | rename pred_is_dns_data_exfiltration_proba as is_exfiltration_score | rename pred_is_dns_data_exfiltration as is_exfiltration | where is_exfiltration_score > 0.5 | `security_content_ctime(_time)` | table src, _time,query,is_exfiltration_score,is_exfiltration | `detect_dns_data_exfiltration_using_pretrained_model_in_dsdl_filter` - -[ESCU - Detect hosts connecting to dynamic domain providers - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = Malicious actors often abuse legitimate Dynamic DNS services to host malicious payloads or interactive Command And Control nodes. Attackers will automate domain resolution changes by routing dynamic domains to countless IP addresses to circumvent firewall blocks, block lists as well as frustrate a network defenders analytic and investigative processes. This search will look for DNS queries made from within your infrastructure to suspicious dynamic domains. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.CM"]} -action.escu.data_models = ["Network_Resolution"] -action.escu.eli5 = Malicious actors often abuse legitimate Dynamic DNS services to host malicious payloads or interactive Command And Control nodes. Attackers will automate domain resolution changes by routing dynamic domains to countless IP addresses to circumvent firewall blocks, block lists as well as frustrate a network defenders analytic and investigative processes. This search will look for DNS queries made from within your infrastructure to suspicious dynamic domains. -action.escu.how_to_implement = First, you'll need to ingest data from your DNS operations. This can be done by ingesting logs from your server or data, collected passively by Splunk Stream or a similar solution. Specifically, data that contains the domain that is being queried and the IP of the host originating the request must be populating the `Network_Resolution` data model. This search also leverages a lookup file, `dynamic_dns_providers_default.csv`, which contains a non-exhaustive list of Dynamic DNS providers. Please consider updating the local lookup periodically by adding new domains to the list of `dynamic_dns_providers_local.csv`. \ -This search produces fields (query, answer, isDynDNS) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable event. To see the additional metadata, add the following fields, if not already present, to Incident Review. Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry): \ -* **Label:** DNS Query, **Field:** query \ -* **Label:** DNS Answer, **Field:** answer \ -* **Label:** IsDynamicDNS, **Field:** isDynDNS \ -Detailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details` -action.escu.known_false_positives = Some users and applications may leverage Dynamic DNS to reach out to some domains on the Internet since dynamic DNS by itself is not malicious, however this activity must be verified. -action.escu.creation_date = 2021-01-14 -action.escu.modification_date = 2021-01-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect hosts connecting to dynamic domain providers - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Command And Control", "DNS Hijacking", "Data Protection", "Dynamic DNS", "Prohibited Traffic Allowed or Protocol Mismatch", "Suspicious DNS Traffic"] -action.risk = 1 -action.risk.param._risk_message = A dns query $query$ from your infra connecting to suspicious domain in host $host$ -action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "system", "risk_score": 56}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Detect hosts connecting to dynamic domain providers - Rule -action.correlationsearch.annotations = {"analytic_story": ["Command And Control", "DNS Hijacking", "Data Protection", "Dynamic DNS", "Prohibited Traffic Allowed or Protocol Mismatch", "Suspicious DNS Traffic"], "cis20": ["CIS 13"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a1e761ac-1344-4dbd-88b2-3f34c912d359", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = Malicious actors often abuse legitimate Dynamic DNS services to host malicious payloads or interactive Command And Control nodes. Attackers will automate domain resolution changes by routing dynamic domains to countless IP addresses to circumvent firewall blocks, block lists as well as frustrate a network defenders analytic and investigative processes. This search will look for DNS queries made from within your infrastructure to suspicious dynamic domains. -action.notable.param.rule_title = Detect hosts connecting to dynamic domain providers -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count values(DNS.answer) as answer min(_time) as firstTime from datamodel=Network_Resolution by DNS.query host | `drop_dm_object_name("DNS")` | `security_content_ctime(firstTime)` | `dynamic_dns_providers` | `detect_hosts_connecting_to_dynamic_domain_providers_filter` - -[ESCU - Detect IPv6 Network Infrastructure Threats - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic detects IPv6 network infrastructure threats by identifying suspicious activities such as IP and MAC address theft or packet drops. It leverages logs from Cisco network devices configured with First Hop Security measures like RA Guard and DHCP Guard. This activity is significant as it can indicate attempts to compromise network integrity and security. If confirmed malicious, attackers could manipulate network traffic, leading to potential data interception, unauthorized access, or network disruption. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives", "Delivery", "Exploitation"], "mitre_attack": ["T1200", "T1498", "T1557", "T1557.002"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects IPv6 network infrastructure threats by identifying suspicious activities such as IP and MAC address theft or packet drops. It leverages logs from Cisco network devices configured with First Hop Security measures like RA Guard and DHCP Guard. This activity is significant as it can indicate attempts to compromise network integrity and security. If confirmed malicious, attackers could manipulate network traffic, leading to potential data interception, unauthorized access, or network disruption. -action.escu.how_to_implement = This search uses a standard SPL query on logs from Cisco Network devices. The network devices must be configured with one or more First Hop Security measures such as RA Guard, DHCP Guard and/or device tracking. See References for more information. The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices. -action.escu.known_false_positives = None currently known -action.escu.creation_date = 2024-05-12 -action.escu.modification_date = 2024-05-12 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect IPv6 Network Infrastructure Threats - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Router and Infrastructure Security"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Detect IPv6 Network Infrastructure Threats - Rule -action.correlationsearch.annotations = {"analytic_story": ["Router and Infrastructure Security"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Actions on Objectives", "Delivery", "Exploitation"], "mitre_attack": ["T1200", "T1498", "T1557", "T1557.002"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c3be767e-7959-44c5-8976-0e9c12a91ad2", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects IPv6 network infrastructure threats by identifying suspicious activities such as IP and MAC address theft or packet drops. It leverages logs from Cisco network devices configured with First Hop Security measures like RA Guard and DHCP Guard. This activity is significant as it can indicate attempts to compromise network integrity and security. If confirmed malicious, attackers could manipulate network traffic, leading to potential data interception, unauthorized access, or network disruption. -action.notable.param.rule_title = Detect IPv6 Network Infrastructure Threats -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cisco_networks` facility="SISF" mnemonic IN ("IP_THEFT","MAC_THEFT","MAC_AND_IP_THEFT","PAK_DROP") | eval src_interface=src_int_prefix_long+src_int_suffix | eval dest_interface=dest_int_prefix_long+dest_int_suffix | stats min(_time) AS firstTime max(_time) AS lastTime values(src_mac) AS src_mac values(src_vlan) AS src_vlan values(mnemonic) AS mnemonic values(vendor_explanation) AS vendor_explanation values(src_ip) AS src_ip values(dest_ip) AS dest_ip values(dest_interface) AS dest_interface values(action) AS action count BY host src_interface | table host src_interface dest_interface src_mac src_ip dest_ip src_vlan mnemonic vendor_explanation action count | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `detect_ipv6_network_infrastructure_threats_filter` - -[ESCU - Detect Large Outbound ICMP Packets - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search looks for outbound ICMP packets with a packet size larger than 1,000 bytes. Various threat actors have been known to use ICMP as a command and control channel for their attack infrastructure. Large ICMP packets from an endpoint to a remote host may be indicative of this activity. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1095"], "nist": ["DE.CM"]} -action.escu.data_models = ["Network_Traffic"] -action.escu.eli5 = This search looks for outbound ICMP packets with a packet size larger than 1,000 bytes. Various threat actors have been known to use ICMP as a command and control channel for their attack infrastructure. Large ICMP packets from an endpoint to a remote host may be indicative of this activity. -action.escu.how_to_implement = In order to run this search effectively, we highly recommend that you leverage the Assets and Identity framework. It is important that you have a good understanding of how your network segments are designed and that you are able to distinguish internal from external address space. Add a category named `internal` to the CIDRs that host the company's assets in the `assets_by_cidr.csv` lookup file, which is located in `$SPLUNK_HOME/etc/apps/SA-IdentityManagement/lookups/`. More information on updating this lookup can be found here: https://docs.splunk.com/Documentation/ES/5.0.0/Admin/Addassetandidentitydata. This search also requires you to be ingesting your network traffic and populating the Network_Traffic data model -action.escu.known_false_positives = ICMP packets are used in a variety of ways to help troubleshoot networking issues and ensure the proper flow of traffic. As such, it is possible that a large ICMP packet could be perfectly legitimate. If large ICMP packets are associated with Command And Control traffic, there will typically be a large number of these packets observed over time. If the search is providing a large number of false positives, you can modify the macro `detect_large_outbound_icmp_packets_filter` to adjust the byte threshold or add specific IP addresses to an allow list. -action.escu.creation_date = 2018-06-01 -action.escu.modification_date = 2018-06-01 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect Large Outbound ICMP Packets - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Command And Control"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Detect Large Outbound ICMP Packets - Rule -action.correlationsearch.annotations = {"analytic_story": ["Command And Control"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1095"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e9c102de-4d43-42a7-b1c8-8062ea297419", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search looks for outbound ICMP packets with a packet size larger than 1,000 bytes. Various threat actors have been known to use ICMP as a command and control channel for their attack infrastructure. Large ICMP packets from an endpoint to a remote host may be indicative of this activity. -action.notable.param.rule_title = Detect Large Outbound ICMP Packets -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count earliest(_time) as firstTime latest(_time) as lastTime values(All_Traffic.action) values(All_Traffic.bytes) from datamodel=Network_Traffic where All_Traffic.action !=blocked All_Traffic.dest_category !=internal (All_Traffic.protocol=icmp OR All_Traffic.transport=icmp) All_Traffic.bytes > 1000 by All_Traffic.src_ip All_Traffic.dest_ip | `drop_dm_object_name("All_Traffic")` | search ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16) | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `detect_large_outbound_icmp_packets_filter` - -[ESCU - Detect Outbound LDAP Traffic - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1059"], "nist": ["DE.AE"]} -action.escu.data_models = ["Network_Traffic"] -action.escu.eli5 = Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space. -action.escu.how_to_implement = In order to properly run this search, Splunk needs to ingest data from Next Generation Firewalls like Palo Alto Networks Firewalls or other network control devices that mediate the traffic allowed into an environment. The search requires the Network_Traffic data model to be populated. -action.escu.known_false_positives = Unknown at this moment. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. Please check those servers to verify if the activity is legitimate. -action.escu.creation_date = 2024-05-21 -action.escu.modification_date = 2024-05-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect Outbound LDAP Traffic - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Log4Shell CVE-2021-44228"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Detect Outbound LDAP Traffic - Rule -action.correlationsearch.annotations = {"analytic_story": ["Log4Shell CVE-2021-44228"], "cis20": ["CIS 13"], "confidence": 80, "cve": ["CVE-2021-44228"], "impact": 70, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1059"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "5e06e262-d7cd-4216-b2f8-27b437e18458", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats earliest(_time) as earliest_time latest(_time) as latest_time values(All_Traffic.dest_ip) as dest_ip from datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port = 389 OR All_Traffic.dest_port = 636 AND NOT (All_Traffic.dest_ip = 10.0.0.0/8 OR All_Traffic.dest_ip=192.168.0.0/16 OR All_Traffic.dest_ip = 172.16.0.0/12) by All_Traffic.src_ip All_Traffic.dest_ip |`drop_dm_object_name("All_Traffic")` | where src_ip != dest_ip | `security_content_ctime(latest_time)` | `security_content_ctime(earliest_time)` |`detect_outbound_ldap_traffic_filter` - -[ESCU - Detect Outbound SMB Traffic - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic detects outbound SMB (Server Message Block) connections from internal hosts to external servers, a method commonly exploited for Windows file-sharing activities. It identifies this behavior by monitoring network traffic for SMB requests directed towards the Internet, which are not typical for standard operations. This detection is crucial for a Security Operations Center (SOC) as it can indicate an attackers attempt to retrieve credential hashes through compromised servers, a key step in lateral movement and privilege escalation. The impact of such an attack includes unauthorized access to sensitive data and potential full system compromise. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1071.002", "T1071"], "nist": ["DE.CM"]} -action.escu.data_models = ["Network_Traffic"] -action.escu.eli5 = The following analytic detects outbound SMB (Server Message Block) connections from internal hosts to external servers, a method commonly exploited for Windows file-sharing activities. It identifies this behavior by monitoring network traffic for SMB requests directed towards the Internet, which are not typical for standard operations. This detection is crucial for a Security Operations Center (SOC) as it can indicate an attackers attempt to retrieve credential hashes through compromised servers, a key step in lateral movement and privilege escalation. The impact of such an attack includes unauthorized access to sensitive data and potential full system compromise. -action.escu.how_to_implement = This search also requires you to be ingesting your network traffic and populating the Network_Traffic data model -action.escu.known_false_positives = It is likely that the outbound Server Message Block (SMB) traffic is legitimate, if the company's internal networks are not well-defined in the Assets and Identity Framework. Categorize the internal CIDR blocks as `internal` in the lookup file to avoid creating notable events for traffic destined to those CIDR blocks. Any other network connection that is going out to the Internet should be investigated and blocked. Best practices suggest preventing external communications of all SMB versions and related protocols at the network boundary. -action.escu.creation_date = 2024-02-27 -action.escu.modification_date = 2024-02-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect Outbound SMB Traffic - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["DHS Report TA18-074A", "Hidden Cobra Malware", "NOBELIUM Group"] -action.risk = 1 -action.risk.param._risk_message = An outbound SMB connection from $src_ip$ in your infrastructure connecting to dest ip $dest_ip$ -action.risk.param._risk = [{"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 25}, {"threat_object_field": "dest_ip", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Detect Outbound SMB Traffic - Rule -action.correlationsearch.annotations = {"analytic_story": ["DHS Report TA18-074A", "Hidden Cobra Malware", "NOBELIUM Group"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1071.002", "T1071"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "1bed7774-304a-4e8f-9d72-d80e45ff492b", "detection_version": "4"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects outbound SMB (Server Message Block) connections from internal hosts to external servers, a method commonly exploited for Windows file-sharing activities. It identifies this behavior by monitoring network traffic for SMB requests directed towards the Internet, which are not typical for standard operations. This detection is crucial for a Security Operations Center (SOC) as it can indicate an attackers attempt to retrieve credential hashes through compromised servers, a key step in lateral movement and privilege escalation. The impact of such an attack includes unauthorized access to sensitive data and potential full system compromise. -action.notable.param.rule_title = Detect Outbound SMB Traffic -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` earliest(_time) as start_time latest(_time) as end_time values(All_Traffic.action) as action values(All_Traffic.app) as app values(All_Traffic.dest_ip) as dest_ip values(All_Traffic.dest_port) as dest_port values(sourcetype) as sourcetype count from datamodel=Network_Traffic where (All_Traffic.action=allowed All_Traffic.direction=outbound All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app="smb") by All_Traffic.src_ip | `drop_dm_object_name("All_Traffic")` | eval match=case( cidrmatch("10.0.0.0/8" ,dest_ip) ,"1", cidrmatch("172.16.0.0/12" ,dest_ip) ,"1", cidrmatch("192.168.0.0/16" ,dest_ip) ,"1", cidrmatch("100.64.0.0/10" ,dest_ip) ,"1", 1=1,"0") | search match=0 | fields - match | `security_content_ctime(start_time)` | `security_content_ctime(end_time)` | `detect_outbound_smb_traffic_filter` - -[ESCU - Detect Port Security Violation - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. By enabling Port Security on a Cisco switch you can restrict input to an interface by limiting and identifying MAC addresses of the workstations that are allowed to access the port. When you assign secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined addresses. If you limit the number of secure MAC addresses to one and assign a single secure MAC address, the workstation attached to that port is assured the full bandwidth of the port. If a port is configured as a secure port and the maximum number of secure MAC addresses is reached, when the MAC address of a workstation attempting to access the port is different from any of the identified secure MAC addresses, a security violation occurs. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives", "Delivery", "Exploitation"], "mitre_attack": ["T1200", "T1498", "T1557", "T1557.002"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = By enabling Port Security on a Cisco switch you can restrict input to an interface by limiting and identifying MAC addresses of the workstations that are allowed to access the port. When you assign secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined addresses. If you limit the number of secure MAC addresses to one and assign a single secure MAC address, the workstation attached to that port is assured the full bandwidth of the port. If a port is configured as a secure port and the maximum number of secure MAC addresses is reached, when the MAC address of a workstation attempting to access the port is different from any of the identified secure MAC addresses, a security violation occurs. -action.escu.how_to_implement = This search uses a standard SPL query on logs from Cisco Network devices. The network devices must be configured with Port Security and Error Disable for this to work (see https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/port_sec.html) and log with a severity level of minimum "5 - notification". The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices. -action.escu.known_false_positives = This search might be prone to high false positives if you have malfunctioning devices connected to your ethernet ports or if end users periodically connect physical devices to the network. -action.escu.creation_date = 2020-10-28 -action.escu.modification_date = 2020-10-28 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect Port Security Violation - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Router and Infrastructure Security"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Detect Port Security Violation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Router and Infrastructure Security"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Actions on Objectives", "Delivery", "Exploitation"], "mitre_attack": ["T1200", "T1498", "T1557", "T1557.002"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "2de3d5b8-a4fa-45c5-8540-6d071c194d24", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = By enabling Port Security on a Cisco switch you can restrict input to an interface by limiting and identifying MAC addresses of the workstations that are allowed to access the port. When you assign secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined addresses. If you limit the number of secure MAC addresses to one and assign a single secure MAC address, the workstation attached to that port is assured the full bandwidth of the port. If a port is configured as a secure port and the maximum number of secure MAC addresses is reached, when the MAC address of a workstation attempting to access the port is different from any of the identified secure MAC addresses, a security violation occurs. -action.notable.param.rule_title = Detect Port Security Violation -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cisco_networks` (facility="PM" mnemonic="ERR_DISABLE" disable_cause="psecure-violation") OR (facility="PORT_SECURITY" mnemonic="PSECURE_VIOLATION" OR mnemonic="PSECURE_VIOLATION_VLAN") | eval src_interface=src_int_prefix_long+src_int_suffix | stats min(_time) AS firstTime max(_time) AS lastTime values(disable_cause) AS disable_cause values(src_mac) AS src_mac values(src_vlan) AS src_vlan values(action) AS action count by host src_interface | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_port_security_violation_filter` - -[ESCU - Detect Remote Access Software Usage DNS - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects when a known remote access software domains are contacted from within the environment. Adversaries use these utilities to retain remote access capabilities to the environment. Utilities in the lookup include AnyDesk, GoToMyPC, LogMeIn, TeamViewer and much more. Review the lookup for the entire list and add any others. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1219"], "nist": ["DE.AE"]} -action.escu.data_models = ["Network_Resolution"] -action.escu.eli5 = The following analytic detects when a known remote access software domains are contacted from within the environment. Adversaries use these utilities to retain remote access capabilities to the environment. Utilities in the lookup include AnyDesk, GoToMyPC, LogMeIn, TeamViewer and much more. Review the lookup for the entire list and add any others. -action.escu.how_to_implement = To implement this search, you must ingest logs that contain the DNS query and the source of the query. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the DNS logs. The logs must also be mapped to the `Network_Resolution` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = It is possible that legitimate remote access software is used within the environment. Ensure that the lookup is reviewed and updated with any additional remote access software that is used within the environment. -action.escu.creation_date = 2024-02-22 -action.escu.modification_date = 2024-02-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect Remote Access Software Usage DNS - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Command And Control", "Insider Threat", "Ransomware"] -action.risk = 1 -action.risk.param._risk_message = A domain for a known remote access software $query$ was contacted by $src$. -action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "system", "risk_score": 25}, {"risk_object_field": "query", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Detect Remote Access Software Usage DNS - Rule -action.correlationsearch.annotations = {"analytic_story": ["Command And Control", "Insider Threat", "Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1219"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a16b797d-e309-41bd-8ba0-5067dae2e4be", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(DNS.answer) as answer from datamodel=Network_Resolution by DNS.src DNS.query | `drop_dm_object_name("DNS")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | lookup remote_access_software remote_domain AS query OUTPUT isutility, description as signature, comment_reference as desc, category | eval dest = query | search isutility = True | `detect_remote_access_software_usage_dns_filter` - -[ESCU - Detect Remote Access Software Usage Traffic - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects when a known remote access software application traffic is detected from within the environment. Adversaries use these utilities to retain remote access capabilities to the environment. Utilities in the lookup include AnyDesk, GoToMyPC, LogMeIn, TeamViewer and much more. Review the lookup for the entire list and add any others. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1219"], "nist": ["DE.AE"]} -action.escu.data_models = ["Network_Traffic"] -action.escu.eli5 = The following analytic detects when a known remote access software application traffic is detected from within the environment. Adversaries use these utilities to retain remote access capabilities to the environment. Utilities in the lookup include AnyDesk, GoToMyPC, LogMeIn, TeamViewer and much more. Review the lookup for the entire list and add any others. -action.escu.how_to_implement = The following analytic was developed with Palo Alto traffic logs. Ensure that the logs are being ingested into Splunk and mapped to the Network_Traffic data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = It is possible that legitimate remote access software is used within the environment. Ensure that the lookup is reviewed and updated with any additional remote access software that is used within the environment. -action.escu.creation_date = 2024-02-22 -action.escu.modification_date = 2024-02-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect Remote Access Software Usage Traffic - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Command And Control", "Insider Threat", "Ransomware"] -action.risk = 1 -action.risk.param._risk_message = Application traffic for a known remote access software [$signature$] was detected from $src$. -action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Detect Remote Access Software Usage Traffic - Rule -action.correlationsearch.annotations = {"analytic_story": ["Command And Control", "Insider Threat", "Ransomware"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1219"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "885ea672-07ee-475a-879e-60d28aa5dd42", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_Traffic.dest_port) as dest_port latest(user) as user from datamodel=Network_Traffic by All_Traffic.src All_Traffic.dest, All_Traffic.app | `drop_dm_object_name("All_Traffic")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | lookup remote_access_software remote_appid AS app OUTPUT isutility, description as signature, comment_reference as desc, category | search isutility = True | `detect_remote_access_software_usage_traffic_filter` - -[ESCU - Detect Rogue DHCP Server - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. By enabling DHCP Snooping as a Layer 2 Security measure on the organization's network devices, we will be able to detect unauthorized DHCP servers handing out DHCP leases to devices on the network (Man in the Middle attack). -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives", "Delivery", "Exploitation"], "mitre_attack": ["T1200", "T1498", "T1557"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = By enabling DHCP Snooping as a Layer 2 Security measure on the organization's network devices, we will be able to detect unauthorized DHCP servers handing out DHCP leases to devices on the network (Man in the Middle attack). -action.escu.how_to_implement = This search uses a standard SPL query on logs from Cisco Network devices. The network devices must be configured with DHCP Snooping enabled (see https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_01101.html) and log with a severity level of minimum "5 - notification". The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices. -action.escu.known_false_positives = This search might be prone to high false positives if DHCP Snooping has been incorrectly configured or in the unlikely event that the DHCP server has been moved to another network interface. -action.escu.creation_date = 2020-08-11 -action.escu.modification_date = 2020-08-11 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect Rogue DHCP Server - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Router and Infrastructure Security"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Detect Rogue DHCP Server - Rule -action.correlationsearch.annotations = {"analytic_story": ["Router and Infrastructure Security"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Actions on Objectives", "Delivery", "Exploitation"], "mitre_attack": ["T1200", "T1498", "T1557"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "6e1ada88-7a0d-4ac1-92c6-03d354686079", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = By enabling DHCP Snooping as a Layer 2 Security measure on the organization's network devices, we will be able to detect unauthorized DHCP servers handing out DHCP leases to devices on the network (Man in the Middle attack). -action.notable.param.rule_title = Detect Rogue DHCP Server -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cisco_networks` facility="DHCP_SNOOPING" mnemonic="DHCP_SNOOPING_UNTRUSTED_PORT" | stats min(_time) AS firstTime max(_time) AS lastTime count values(message_type) AS message_type values(src_mac) AS src_mac BY host | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`| `detect_rogue_dhcp_server_filter` - -[ESCU - Detect SNICat SNI Exfiltration - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies the use of SNICat tool commands within the TLS SNI field, indicating potential data exfiltration attempts. It leverages Zeek SSL data to detect specific SNICat commands such as LIST, LS, SIZE, LD, CB, EX, ALIVE, EXIT, WHERE, and finito in the server_name field. This activity is significant as SNICat is a known tool for covert data exfiltration using TLS. If confirmed malicious, this could allow attackers to exfiltrate sensitive data undetected, posing a severe threat to data confidentiality and integrity. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1041"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies the use of SNICat tool commands within the TLS SNI field, indicating potential data exfiltration attempts. It leverages Zeek SSL data to detect specific SNICat commands such as LIST, LS, SIZE, LD, CB, EX, ALIVE, EXIT, WHERE, and finito in the server_name field. This activity is significant as SNICat is a known tool for covert data exfiltration using TLS. If confirmed malicious, this could allow attackers to exfiltrate sensitive data undetected, posing a severe threat to data confidentiality and integrity. -action.escu.how_to_implement = You must be ingesting Zeek SSL data into Splunk. Zeek data should also be getting ingested in JSON format. We are detecting when any of the predefined SNICat commands are found within the server_name (SNI) field. These commands are LIST, LS, SIZE, LD, CB, EX, ALIVE, EXIT, WHERE, and finito. You can go further once this has been detected, and run other searches to decode the SNI data to prove or disprove if any data exfiltration has taken place. -action.escu.known_false_positives = Unknown -action.escu.creation_date = 2024-05-21 -action.escu.modification_date = 2024-05-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect SNICat SNI Exfiltration - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Zeek"] -action.escu.analytic_story = ["Data Exfiltration"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Detect SNICat SNI Exfiltration - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Exfiltration"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1041"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "82d06410-134c-11eb-adc1-0242ac120002", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the use of SNICat tool commands within the TLS SNI field, indicating potential data exfiltration attempts. It leverages Zeek SSL data to detect specific SNICat commands such as LIST, LS, SIZE, LD, CB, EX, ALIVE, EXIT, WHERE, and finito in the server_name field. This activity is significant as SNICat is a known tool for covert data exfiltration using TLS. If confirmed malicious, this could allow attackers to exfiltrate sensitive data undetected, posing a severe threat to data confidentiality and integrity. -action.notable.param.rule_title = Detect SNICat SNI Exfiltration -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `zeek_ssl` | rex field=server_name "(?(LIST|LS|SIZE|LD|CB|CD|EX|ALIVE|EXIT|WHERE|finito)-[A-Za-z0-9]{16}\.)" | stats count by src_ip dest_ip server_name snicat | where count>0 | table src_ip dest_ip server_name snicat | `detect_snicat_sni_exfiltration_filter` - -[ESCU - Detect Software Download To Network Device - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1542.005", "T1542"], "nist": ["DE.CM"]} -action.escu.data_models = ["Network_Traffic"] -action.escu.eli5 = Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images. -action.escu.how_to_implement = This search looks for Network Traffic events to TFTP, FTP or SSH/SCP ports from network devices. Make sure to tag any network devices as network, router or switch in order for this detection to work. If the TFTP traffic doesn't traverse a firewall nor packet inspection, these events will not be logged. This is typically an issue if the TFTP server is on the same subnet as the network device. There is also a chance of the network device loading software using a DHCP assigned IP address (netboot) which is not in the Asset inventory. -action.escu.known_false_positives = This search will also report any legitimate attempts of software downloads to network devices as well as outbound SSH sessions from network devices. -action.escu.creation_date = 2020-10-28 -action.escu.modification_date = 2020-10-28 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect Software Download To Network Device - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Router and Infrastructure Security"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Detect Software Download To Network Device - Rule -action.correlationsearch.annotations = {"analytic_story": ["Router and Infrastructure Security"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1542.005", "T1542"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "cc590c66-f65f-48f2-986a-4797244762f8", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images. -action.notable.param.rule_title = Detect Software Download To Network Device -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where (All_Traffic.transport=udp AND All_Traffic.dest_port=69) OR (All_Traffic.transport=tcp AND All_Traffic.dest_port=21) OR (All_Traffic.transport=tcp AND All_Traffic.dest_port=22) AND All_Traffic.dest_category!=common_software_repo_destination AND All_Traffic.src_category=network OR All_Traffic.src_category=router OR All_Traffic.src_category=switch by All_Traffic.src All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name("All_Traffic")` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_software_download_to_network_device_filter` - -[ESCU - Detect suspicious DNS TXT records using pretrained model in DSDL - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic uses a pre trained deep learning model to detect suspicious DNS TXT records. The model is trained independently and is then made available for download. The DNS TXT records are categorized into commonly identified types like email, verification, http using regular expressions https://www.tide-project.nl/blog/wtmc2020/. The TXT records that do not match regular expressions for well known types are labeled as 1 for "unknown/suspicious" and otherwise 0 for "not suspicious". The deep learning model we have developed uses DNS TXT responses to analyze patterns of character sequences to predict if a DNS TXT is suspicious or not. The higher the pred_is_unknown_proba, the more likely the DNS TXT record is suspicious. The threshold for flagging a domain as suspicious is set at 0.5. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1568.002"], "nist": ["DE.AE"]} -action.escu.data_models = ["Network_Resolution"] -action.escu.eli5 = The following analytic uses a pre trained deep learning model to detect suspicious DNS TXT records. The model is trained independently and is then made available for download. The DNS TXT records are categorized into commonly identified types like email, verification, http using regular expressions https://www.tide-project.nl/blog/wtmc2020/. The TXT records that do not match regular expressions for well known types are labeled as 1 for "unknown/suspicious" and otherwise 0 for "not suspicious". The deep learning model we have developed uses DNS TXT responses to analyze patterns of character sequences to predict if a DNS TXT is suspicious or not. The higher the pred_is_unknown_proba, the more likely the DNS TXT record is suspicious. The threshold for flagging a domain as suspicious is set at 0.5. -action.escu.how_to_implement = Steps to deploy detect suspicious DNS TXT records model into Splunk App DSDL. This detection depends on the Splunk app for Data Science and Deep Learning which can be found here - `https://splunkbase.splunk.com/app/4607/` and the Network Resolution datamodel which can be found here - `https://splunkbase.splunk.com/app/1621/`. The detection uses a pre-trained deep learning model that needs to be deployed in DSDL app. Follow the steps for deployment here - `https://github.com/splunk/security_content/wiki/How-to-deploy-pre-trained-Deep-Learning-models-for-ESCU`. \ -* Download the `artifacts .tar.gz` file from the link - `https://seal.splunkresearch.com/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.tar.gz`. \ -* Download the `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.ipynb` Jupyter notebook from `https://github.com/splunk/security_content/notebooks`. \ -* Login to the Jupyter Lab assigned for `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl` container. This container should be listed on Containers page for DSDL app. \ -* Below steps need to be followed inside Jupyter lab. \ -* Upload the `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.tar.gz` file into `app/model/data` path using the upload option in the jupyter notebook. \ -* Untar the artifact `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.tar.gz` using `tar -xf app/model/data/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.tar.gz -C app/model/data`. \ -* Upload detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.ipynb` into Jupyter lab notebooks folder using the upload option in Jupyter lab. \ -* Save the notebook using the save option in Jupyter notebook. \ -* Upload `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.json` into `notebooks/data` folder. -action.escu.known_false_positives = False positives may be present if DNS TXT record contents are similar to benign DNS TXT record contents. -action.escu.creation_date = 2023-01-15 -action.escu.modification_date = 2023-01-15 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect suspicious DNS TXT records using pretrained model in DSDL - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Command And Control", "DNS Hijacking", "Suspicious DNS Traffic"] -action.risk = 1 -action.risk.param._risk_message = A suspicious DNS TXT response was detected on host $src$ , kindly review. -action.risk.param._risk = [{"risk_object_field": "answer", "risk_object_type": "other", "risk_score": 45}, {"risk_object_field": "src", "risk_object_type": "system", "risk_score": 45}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Detect suspicious DNS TXT records using pretrained model in DSDL - Rule -action.correlationsearch.annotations = {"analytic_story": ["Command And Control", "DNS Hijacking", "Suspicious DNS Traffic"], "cis20": ["CIS 13"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1568.002"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "92f65c3a-968c-11ed-a1eb-0242ac120002", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Resolution where DNS.message_type=response AND DNS.record_type=TXT by DNS.src DNS.dest DNS.answer DNS.record_type | `drop_dm_object_name("DNS")` | rename answer as text | fields firstTime, lastTime, message_type,record_type,src,dest, text | apply detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl | rename predicted_is_unknown as is_suspicious_score | where is_suspicious_score > 0.5 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table src,dest,text,record_type, firstTime, lastTime,is_suspicious_score | `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl_filter` - -[ESCU - Detect Traffic Mirroring - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised network infrastructure. Traffic mirroring is a native feature for some network devices and used for network analysis and may be configured to duplicate traffic and forward to one or more destinations for analysis by a network analyzer or other monitoring device. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives", "Delivery"], "mitre_attack": ["T1200", "T1020", "T1498", "T1020.001"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised network infrastructure. Traffic mirroring is a native feature for some network devices and used for network analysis and may be configured to duplicate traffic and forward to one or more destinations for analysis by a network analyzer or other monitoring device. -action.escu.how_to_implement = This search uses a standard SPL query on logs from Cisco Network devices. The network devices must log with a severity level of minimum "5 - notification". The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices and that the devices have been configured according to the documentation of the Cisco Networks Add-on. Also note that an attacker may disable logging from the device prior to enabling traffic mirroring. -action.escu.known_false_positives = This search will return false positives for any legitimate traffic captures by network administrators. -action.escu.creation_date = 2020-10-28 -action.escu.modification_date = 2020-10-28 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect Traffic Mirroring - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Router and Infrastructure Security"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Detect Traffic Mirroring - Rule -action.correlationsearch.annotations = {"analytic_story": ["Router and Infrastructure Security"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Actions on Objectives", "Delivery"], "mitre_attack": ["T1200", "T1020", "T1498", "T1020.001"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "42b3b753-5925-49c5-9742-36fa40a73990", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised network infrastructure. Traffic mirroring is a native feature for some network devices and used for network analysis and may be configured to duplicate traffic and forward to one or more destinations for analysis by a network analyzer or other monitoring device. -action.notable.param.rule_title = Detect Traffic Mirroring -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `cisco_networks` (facility="MIRROR" mnemonic="ETH_SPAN_SESSION_UP") OR (facility="SPAN" mnemonic="SESSION_UP") OR (facility="SPAN" mnemonic="PKTCAP_START") OR (mnemonic="CFGLOG_LOGGEDCMD" command="monitor session*") | stats min(_time) AS firstTime max(_time) AS lastTime count BY host facility mnemonic | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `detect_traffic_mirroring_filter` - -[ESCU - Detect Unauthorized Assets by MAC address - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. By populating the organization's assets within the assets_by_str.csv, we will be able to detect unauthorized devices that are trying to connect with the organization's network by inspecting DHCP request packets, which are issued by devices when they attempt to obtain an IP address from the DHCP server. The MAC address associated with the source of the DHCP request is checked against the list of known devices, and reports on those that are not found. -action.escu.mappings = {"cis20": ["CIS 13"], "nist": ["DE.CM"]} -action.escu.data_models = ["Network_Sessions"] -action.escu.eli5 = By populating the organization's assets within the assets_by_str.csv, we will be able to detect unauthorized devices that are trying to connect with the organization's network by inspecting DHCP request packets, which are issued by devices when they attempt to obtain an IP address from the DHCP server. The MAC address associated with the source of the DHCP request is checked against the list of known devices, and reports on those that are not found. -action.escu.how_to_implement = This search uses the Network_Sessions data model shipped with Enterprise Security. It leverages the Assets and Identity framework to populate the assets_by_str.csv file located in SA-IdentityManagement, which will contain a list of known authorized organizational assets including their MAC addresses. Ensure that all inventoried systems have their MAC address populated. -action.escu.known_false_positives = This search might be prone to high false positives. Please consider this when conducting analysis or investigations. Authorized devices may be detected as unauthorized. If this is the case, verify the MAC address of the system responsible for the false positive and add it to the Assets and Identity framework with the proper information. -action.escu.creation_date = 2017-09-13 -action.escu.modification_date = 2017-09-13 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect Unauthorized Assets by MAC address - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Asset Tracking"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Detect Unauthorized Assets by MAC address - Rule -action.correlationsearch.annotations = {"analytic_story": ["Asset Tracking"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "dcfd6b40-42f9-469d-a433-2e53f7489ff4", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = By populating the organization's assets within the assets_by_str.csv, we will be able to detect unauthorized devices that are trying to connect with the organization's network by inspecting DHCP request packets, which are issued by devices when they attempt to obtain an IP address from the DHCP server. The MAC address associated with the source of the DHCP request is checked against the list of known devices, and reports on those that are not found. -action.notable.param.rule_title = Detect Unauthorized Assets by MAC address -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count from datamodel=Network_Sessions where nodename=All_Sessions.DHCP All_Sessions.tag=dhcp by All_Sessions.dest_ip All_Sessions.dest_mac | dedup All_Sessions.dest_mac| `drop_dm_object_name("Network_Sessions")`|`drop_dm_object_name("All_Sessions")` | search NOT [| inputlookup asset_lookup_by_str |rename mac as dest_mac | fields + dest_mac] | `detect_unauthorized_assets_by_mac_address_filter` - -[ESCU - Detect Windows DNS SIGRed via Splunk Stream - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. Ensure that the following prerequisites are met: (i) Both Splunk Stream DNS and TCP data are ingested. (ii) The macros 'stream:dns' and 'stream:tcp' are replaced with the appropriate configurations that are specific to your Splunk environment. The following analytic detects SIGRed exploitation attempts. SIGRed is a critical wormable vulnerability found in Windows DNS servers, known as CVE-2020-1350, which allows remote code execution. The detection is made by using an experimental search that focuses on identifying specific indicators that might suggest the presence of the SIGRed exploit such as DNS SIG records, KEY records, and TCP payloads greater than 65KB. This detection is important because it detects and responds to potential SIGRed exploitation attempts and minimizes the risk of a successful attack and its impact on the organization's infrastructure and data. False positives might occur due to the experimental nature of this analytic. Next steps include reviewing and investigating each case thoroughly given the potential for unauthorized Windows DNS server access, data breaches, and service disruptions. Additionally, you must stay updated with Microsoft's guidance on the SIGRed vulnerability. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1203"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = Ensure that the following prerequisites are met: (i) Both Splunk Stream DNS and TCP data are ingested. (ii) The macros 'stream:dns' and 'stream:tcp' are replaced with the appropriate configurations that are specific to your Splunk environment. The following analytic detects SIGRed exploitation attempts. SIGRed is a critical wormable vulnerability found in Windows DNS servers, known as CVE-2020-1350, which allows remote code execution. The detection is made by using an experimental search that focuses on identifying specific indicators that might suggest the presence of the SIGRed exploit such as DNS SIG records, KEY records, and TCP payloads greater than 65KB. This detection is important because it detects and responds to potential SIGRed exploitation attempts and minimizes the risk of a successful attack and its impact on the organization's infrastructure and data. False positives might occur due to the experimental nature of this analytic. Next steps include reviewing and investigating each case thoroughly given the potential for unauthorized Windows DNS server access, data breaches, and service disruptions. Additionally, you must stay updated with Microsoft's guidance on the SIGRed vulnerability. -action.escu.how_to_implement = You must be ingesting Splunk Stream DNS and Splunk Stream TCP. We are detecting SIG and KEY records via stream:dns and TCP payload over 65KB in size via stream:tcp. Replace the macro definitions ('stream:dns' and 'stream:tcp') with configurations for your Splunk environment. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2020-07-28 -action.escu.modification_date = 2020-07-28 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect Windows DNS SIGRed via Splunk Stream - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Windows DNS SIGRed CVE-2020-1350"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Detect Windows DNS SIGRed via Splunk Stream - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows DNS SIGRed CVE-2020-1350"], "cis20": ["CIS 13"], "confidence": 50, "cve": ["CVE-2020-1350"], "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1203"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "babd8d10-d073-11ea-87d0-0242ac130003", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = Ensure that the following prerequisites are met: (i) Both Splunk Stream DNS and TCP data are ingested. (ii) The macros 'stream:dns' and 'stream:tcp' are replaced with the appropriate configurations that are specific to your Splunk environment. The following analytic detects SIGRed exploitation attempts. SIGRed is a critical wormable vulnerability found in Windows DNS servers, known as CVE-2020-1350, which allows remote code execution. The detection is made by using an experimental search that focuses on identifying specific indicators that might suggest the presence of the SIGRed exploit such as DNS SIG records, KEY records, and TCP payloads greater than 65KB. This detection is important because it detects and responds to potential SIGRed exploitation attempts and minimizes the risk of a successful attack and its impact on the organization's infrastructure and data. False positives might occur due to the experimental nature of this analytic. Next steps include reviewing and investigating each case thoroughly given the potential for unauthorized Windows DNS server access, data breaches, and service disruptions. Additionally, you must stay updated with Microsoft's guidance on the SIGRed vulnerability. -action.notable.param.rule_title = Detect Windows DNS SIGRed via Splunk Stream -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `stream_dns` | spath "query_type{}" | search "query_type{}" IN (SIG,KEY) | spath protocol_stack | search protocol_stack="ip:tcp:dns" | append [search `stream_tcp` bytes_out>65000] | `detect_windows_dns_sigred_via_splunk_stream_filter` | stats count by flow_id | where count>1 | fields - count - -[ESCU - Detect Windows DNS SIGRed via Zeek - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic detects the presence of SIGRed, a critical DNS vulnerability, using Zeek DNS and Zeek Conn data. SIGRed vulnerability allows attackers to run remote code on Windows DNS servers. By detecting SIGRed early, you can prevent further damage and protect the organization's network infrastructure. The detection is made by identifying specific DNS query types (SIG and KEY) in the Zeek DNS data and checks for high data transfer in the Zeek Conn data. If multiple instances of these indicators are found within a flow, it suggests the presence of SIGRed. The detection is important because it indicates a potential compromise of Windows DNS servers that suggests that an attacker might have gained unauthorized access to the DNS server and can run arbitrary code. The impact of this attack can be severe, leading to data exfiltration, unauthorized access, or disruption of critical services. Next steps include investigating the affected flow and taking immediate action to mitigate the vulnerability. This can involve patching the affected DNS server, isolating the server from the network, or conducting a forensic analysis to determine the extent of the compromise. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1203"], "nist": ["DE.CM"]} -action.escu.data_models = ["Network_Traffic", "Network_Resolution"] -action.escu.eli5 = The following analytic detects the presence of SIGRed, a critical DNS vulnerability, using Zeek DNS and Zeek Conn data. SIGRed vulnerability allows attackers to run remote code on Windows DNS servers. By detecting SIGRed early, you can prevent further damage and protect the organization's network infrastructure. The detection is made by identifying specific DNS query types (SIG and KEY) in the Zeek DNS data and checks for high data transfer in the Zeek Conn data. If multiple instances of these indicators are found within a flow, it suggests the presence of SIGRed. The detection is important because it indicates a potential compromise of Windows DNS servers that suggests that an attacker might have gained unauthorized access to the DNS server and can run arbitrary code. The impact of this attack can be severe, leading to data exfiltration, unauthorized access, or disruption of critical services. Next steps include investigating the affected flow and taking immediate action to mitigate the vulnerability. This can involve patching the affected DNS server, isolating the server from the network, or conducting a forensic analysis to determine the extent of the compromise. -action.escu.how_to_implement = You must be ingesting Zeek DNS and Zeek Conn data into Splunk. Zeek data should also be getting ingested in JSON format. We are detecting SIG and KEY records via bro:dns:json and TCP payload over 65KB in size via bro:conn:json. The Network Resolution and Network Traffic datamodels are in use for this search. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2020-07-28 -action.escu.modification_date = 2020-07-28 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect Windows DNS SIGRed via Zeek - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Windows DNS SIGRed CVE-2020-1350"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Detect Windows DNS SIGRed via Zeek - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows DNS SIGRed CVE-2020-1350"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2020-1350"], "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1203"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c5c622e4-d073-11ea-87d0-0242ac130003", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the presence of SIGRed, a critical DNS vulnerability, using Zeek DNS and Zeek Conn data. SIGRed vulnerability allows attackers to run remote code on Windows DNS servers. By detecting SIGRed early, you can prevent further damage and protect the organization's network infrastructure. The detection is made by identifying specific DNS query types (SIG and KEY) in the Zeek DNS data and checks for high data transfer in the Zeek Conn data. If multiple instances of these indicators are found within a flow, it suggests the presence of SIGRed. The detection is important because it indicates a potential compromise of Windows DNS servers that suggests that an attacker might have gained unauthorized access to the DNS server and can run arbitrary code. The impact of this attack can be severe, leading to data exfiltration, unauthorized access, or disruption of critical services. Next steps include investigating the affected flow and taking immediate action to mitigate the vulnerability. This can involve patching the affected DNS server, isolating the server from the network, or conducting a forensic analysis to determine the extent of the compromise. -action.notable.param.rule_title = Detect Windows DNS SIGRed via Zeek -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count from datamodel=Network_Resolution where DNS.query_type IN (SIG,KEY) by DNS.flow_id | rename DNS.flow_id as flow_id | append [| tstats `security_content_summariesonly` count from datamodel=Network_Traffic where All_Traffic.bytes_in>65000 by All_Traffic.flow_id | rename All_Traffic.flow_id as flow_id] | `detect_windows_dns_sigred_via_zeek_filter` | stats count by flow_id | where count>1 | fields - count - -[ESCU - Detect Zerologon via Zeek - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic detects attempts to exploit the Zerologon CVE-2020-1472 vulnerability through Zeek RPC. By detecting attempts to exploit the Zerologon vulnerability through Zeek RPC, SOC analysts can identify potential threats earlier and take appropriate action to mitigate the risks. This detection is made by a Splunk query that looks for specific Zeek RPC operations, including NetrServerPasswordSet2, NetrServerReqChallenge, and NetrServerAuthenticate3, which are aggregated by source and destination IP address and time. This detection is important because it suggests that an attacker is attempting to exploit the Zerologon vulnerability to gain unauthorized access to the domain controller. Zerologon vulnerability is a critical vulnerability that allows attackers to take over domain controllers without authentication, leading to a complete takeover of an organization's IT infrastructure. The impact of such an attack can be severe, potentially leading to data theft, ransomware, or other devastating outcomes. False positives might occur since legitimate Zeek RPC activity can trigger the analytic. Next steps include reviewing the identified source and destination IP addresses and the specific RPC operations used. Capture and inspect any relevant on-disk artifacts, and review concurrent processes to identify the attack source upon triage . -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic detects attempts to exploit the Zerologon CVE-2020-1472 vulnerability through Zeek RPC. By detecting attempts to exploit the Zerologon vulnerability through Zeek RPC, SOC analysts can identify potential threats earlier and take appropriate action to mitigate the risks. This detection is made by a Splunk query that looks for specific Zeek RPC operations, including NetrServerPasswordSet2, NetrServerReqChallenge, and NetrServerAuthenticate3, which are aggregated by source and destination IP address and time. This detection is important because it suggests that an attacker is attempting to exploit the Zerologon vulnerability to gain unauthorized access to the domain controller. Zerologon vulnerability is a critical vulnerability that allows attackers to take over domain controllers without authentication, leading to a complete takeover of an organization's IT infrastructure. The impact of such an attack can be severe, potentially leading to data theft, ransomware, or other devastating outcomes. False positives might occur since legitimate Zeek RPC activity can trigger the analytic. Next steps include reviewing the identified source and destination IP addresses and the specific RPC operations used. Capture and inspect any relevant on-disk artifacts, and review concurrent processes to identify the attack source upon triage . -action.escu.how_to_implement = You must be ingesting Zeek DCE-RPC data into Splunk. Zeek data should also be getting ingested in JSON format. We are detecting when all three RPC operations (NetrServerReqChallenge, NetrServerAuthenticate3, NetrServerPasswordSet2) are splunk_security_essentials_app via bro:rpc:json. These three operations are then correlated on the Zeek UID field. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2020-09-15 -action.escu.modification_date = 2020-09-15 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect Zerologon via Zeek - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Zeek"] -action.escu.analytic_story = ["Detect Zerologon Attack", "Rhysida Ransomware"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Detect Zerologon via Zeek - Rule -action.correlationsearch.annotations = {"analytic_story": ["Detect Zerologon Attack", "Rhysida Ransomware"], "cis20": ["CIS 13"], "confidence": 50, "cve": ["CVE-2020-1472"], "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "bf7a06ec-f703-11ea-adc1-0242ac120002", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects attempts to exploit the Zerologon CVE-2020-1472 vulnerability through Zeek RPC. By detecting attempts to exploit the Zerologon vulnerability through Zeek RPC, SOC analysts can identify potential threats earlier and take appropriate action to mitigate the risks. This detection is made by a Splunk query that looks for specific Zeek RPC operations, including NetrServerPasswordSet2, NetrServerReqChallenge, and NetrServerAuthenticate3, which are aggregated by source and destination IP address and time. This detection is important because it suggests that an attacker is attempting to exploit the Zerologon vulnerability to gain unauthorized access to the domain controller. Zerologon vulnerability is a critical vulnerability that allows attackers to take over domain controllers without authentication, leading to a complete takeover of an organization's IT infrastructure. The impact of such an attack can be severe, potentially leading to data theft, ransomware, or other devastating outcomes. False positives might occur since legitimate Zeek RPC activity can trigger the analytic. Next steps include reviewing the identified source and destination IP addresses and the specific RPC operations used. Capture and inspect any relevant on-disk artifacts, and review concurrent processes to identify the attack source upon triage . -action.notable.param.rule_title = Detect Zerologon via Zeek -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `zeek_rpc` operation IN (NetrServerPasswordSet2,NetrServerReqChallenge,NetrServerAuthenticate3) | bin span=5m _time | stats values(operation) dc(operation) as opscount count(eval(operation=="NetrServerReqChallenge")) as challenge count(eval(operation=="NetrServerAuthenticate3")) as authcount count(eval(operation=="NetrServerPasswordSet2")) as passcount count as totalcount by _time,src_ip,dest_ip | search opscount=3 authcount>4 passcount>0 | search `detect_zerologon_via_zeek_filter` - -[ESCU - DNS Query Length Outliers - MLTK - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies DNS requests with unusually large query lengths for the record type being requested. It leverages the Network_Resolution data model and applies a machine learning model to detect outliers in DNS query lengths. This activity is significant because unusually large DNS queries can indicate data exfiltration or command-and-control communication attempts. If confirmed malicious, this activity could allow attackers to exfiltrate sensitive data or maintain persistent communication channels with compromised systems. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1071.004", "T1071"], "nist": ["DE.AE"]} -action.escu.data_models = ["Network_Resolution"] -action.escu.eli5 = The following analytic identifies DNS requests with unusually large query lengths for the record type being requested. It leverages the Network_Resolution data model and applies a machine learning model to detect outliers in DNS query lengths. This activity is significant because unusually large DNS queries can indicate data exfiltration or command-and-control communication attempts. If confirmed malicious, this activity could allow attackers to exfiltrate sensitive data or maintain persistent communication channels with compromised systems. -action.escu.how_to_implement = To successfully implement this search, you will need to ensure that DNS data is populating the Network_Resolution data model. In addition, the Machine Learning Toolkit (MLTK) version 4.2 or greater must be installed on your search heads, along with any required dependencies. Finally, the support search "Baseline of DNS Query Length - MLTK" must be executed before this detection search, because it builds a machine-learning (ML) model over the historical data used by this search. It is important that this search is run in the same app context as the associated support search, so that the model created by the support search is available for use. You should periodically re-run the support search to rebuild the model with the latest data available in your environment. \ -This search produces fields (`query`,`query_length`,`count`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry): \ - * **Label:** DNS Query, **Field:** query \ -* **Label:** DNS Query Length, **Field:** query_length \ -* **Label:** Number of events, **Field:** count \ -Detailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details` -action.escu.known_false_positives = If you are seeing more results than desired, you may consider reducing the value for threshold in the search. You should also periodically re-run the support search to re-build the ML model on the latest data. -action.escu.creation_date = 2024-05-22 -action.escu.modification_date = 2024-05-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - DNS Query Length Outliers - MLTK - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Command And Control", "Hidden Cobra Malware", "Suspicious DNS Traffic"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - DNS Query Length Outliers - MLTK - Rule -action.correlationsearch.annotations = {"analytic_story": ["Command And Control", "Hidden Cobra Malware", "Suspicious DNS Traffic"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1071.004", "T1071"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "85fbcfe8-9718-4911-adf6-7000d077a3a9", "detection_version": "3"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as start_time max(_time) as end_time values(DNS.src) as src values(DNS.dest) as dest from datamodel=Network_Resolution by DNS.query DNS.record_type | search DNS.record_type=* | `drop_dm_object_name(DNS)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval query_length = len(query) | apply dns_query_pdfmodel threshold=0.01 | rename "IsOutlier(query_length)" as isOutlier | search isOutlier > 0 | sort -query_length | table start_time end_time query record_type count src dest query_length | `dns_query_length_outliers___mltk_filter` - -[ESCU - DNS Query Length With High Standard Deviation - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search allows you to identify DNS requests and compute the standard deviation on the length of the names being resolved, then filter on two times the standard deviation to show you those queries that are unusually large for your environment. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048.003", "T1048"], "nist": ["DE.AE"]} -action.escu.data_models = ["Network_Resolution"] -action.escu.eli5 = This search allows you to identify DNS requests and compute the standard deviation on the length of the names being resolved, then filter on two times the standard deviation to show you those queries that are unusually large for your environment. -action.escu.how_to_implement = To successfully implement this search, you will need to ensure that DNS data is populating the Network_Resolution data model. -action.escu.known_false_positives = It's possible there can be long domain names that are legitimate. -action.escu.creation_date = 2024-02-14 -action.escu.modification_date = 2024-02-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - DNS Query Length With High Standard Deviation - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Command And Control", "Hidden Cobra Malware", "Suspicious DNS Traffic"] -action.risk = 1 -action.risk.param._risk_message = A dns query $query$ with 2 time standard deviation of name len of the dns query in host $host$ -action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "system", "risk_score": 56}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - DNS Query Length With High Standard Deviation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Command And Control", "Hidden Cobra Malware", "Suspicious DNS Traffic"], "cis20": ["CIS 13"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048.003", "T1048"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "1a67f15a-f4ff-4170-84e9-08cf6f75d6f5", "detection_version": "5"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count from datamodel=Network_Resolution where NOT DNS.record_type IN("Pointer","PTR") by DNS.query host| `drop_dm_object_name("DNS")` | eval tlds=split(query,".") | eval tld=mvindex(tlds,-1) | eval tld_len=len(tld) | search tld_len<=24 | eval query_length = len(query) | table host query query_length record_type count | eventstats stdev(query_length) AS stdev avg(query_length) AS avg p50(query_length) AS p50| where query_length>(avg+stdev*2) | eval z_score=(query_length-avg)/stdev | `dns_query_length_with_high_standard_deviation_filter` - -[ESCU - Excessive DNS Failures - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies excessive DNS query failures by counting DNS responses that do not indicate success, triggering when there are more than 50 occurrences. It leverages the Network_Resolution data model, focusing on DNS reply codes that signify errors. This activity is significant because a high number of DNS failures can indicate potential network misconfigurations, DNS poisoning attempts, or malware communication issues. If confirmed malicious, this activity could lead to disrupted network services, hindered communication, or data exfiltration attempts by attackers. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1071.004", "T1071"], "nist": ["DE.AE"]} -action.escu.data_models = ["Network_Resolution"] -action.escu.eli5 = The following analytic identifies excessive DNS query failures by counting DNS responses that do not indicate success, triggering when there are more than 50 occurrences. It leverages the Network_Resolution data model, focusing on DNS reply codes that signify errors. This activity is significant because a high number of DNS failures can indicate potential network misconfigurations, DNS poisoning attempts, or malware communication issues. If confirmed malicious, this activity could lead to disrupted network services, hindered communication, or data exfiltration attempts by attackers. -action.escu.how_to_implement = To successfully implement this search you must ensure that DNS data is populating the Network_Resolution data model. -action.escu.known_false_positives = It is possible legitimate traffic can trigger this rule. Please investigate as appropriate. The threshold for generating an event can also be customized to better suit your environment. -action.escu.creation_date = 2024-05-20 -action.escu.modification_date = 2024-05-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Excessive DNS Failures - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Command And Control", "Suspicious DNS Traffic"] -action.risk = 1 -action.risk.param._risk_message = Excessive DNS failures detected on $src$ -action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Excessive DNS Failures - Rule -action.correlationsearch.annotations = {"analytic_story": ["Command And Control", "Suspicious DNS Traffic"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1071.004", "T1071"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "104658f4-afdc-499e-9719-17243f9826f1", "detection_version": "4"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count from datamodel=Network_Resolution where nodename=DNS "DNS.reply_code"!="No Error" "DNS.reply_code"!="NoError" DNS.reply_code!="unknown" NOT "DNS.query"="*.arpa" "DNS.query"="*.*" by "DNS.src" "DNS.query" "DNS.reply_code" | `drop_dm_object_name("DNS")` | lookup cim_corporate_web_domain_lookup domain as query OUTPUT domain | where isnull(domain) | lookup update=true alexa_lookup_by_str domain as query OUTPUT rank | where isnull(rank) | eventstats max(count) as mc by src reply_code | eval mode_query=if(count=mc, query, null()) | stats sum(count) as count values(mode_query) as query values(mc) as max_query_count by src reply_code | where count>50 | `get_asset(src)` | `excessive_dns_failures_filter` - -[ESCU - F5 BIG-IP iControl REST Vulnerability CVE-2022-1388 - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies a recent unauthenticated remote code execution vulnerablity against the F5 BIG-IP iControl REST API. The analytic identifies the URI path found in the POCs and the HTTP Method of POST. In addition, the request header will have the commands that may be executed in fields utilcmdargs and the auth field of X-F5-Auth-Token, which may have a random base64 encoded value. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} -action.escu.data_models = ["Web"] -action.escu.eli5 = The following analytic identifies a recent unauthenticated remote code execution vulnerablity against the F5 BIG-IP iControl REST API. The analytic identifies the URI path found in the POCs and the HTTP Method of POST. In addition, the request header will have the commands that may be executed in fields utilcmdargs and the auth field of X-F5-Auth-Token, which may have a random base64 encoded value. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. For additional filtering, allow list private IP space or restrict by known good. -action.escu.known_false_positives = False positives may be present if the activity is blocked or was not successful. Filter known vulnerablity scanners. Filter as needed. -action.escu.creation_date = 2022-05-10 -action.escu.modification_date = 2022-05-10 -action.escu.confidence = high -action.escu.full_search_name = ESCU - F5 BIG-IP iControl REST Vulnerability CVE-2022-1388 - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["F5 BIG-IP Vulnerability CVE-2022-1388"] -action.risk = 1 -action.risk.param._risk_message = An attempt to exploit CVE-2022-1388 against an F5 appliance $dest$ has occurred. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 70}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - F5 BIG-IP iControl REST Vulnerability CVE-2022-1388 - Rule -action.correlationsearch.annotations = {"analytic_story": ["F5 BIG-IP Vulnerability CVE-2022-1388"], "cis20": ["CIS 13"], "confidence": 70, "cve": ["CVE-2022-1388"], "impact": 100, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "bb1c2c30-107a-4e56-a4b9-1f7022867bfe", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies a recent unauthenticated remote code execution vulnerablity against the F5 BIG-IP iControl REST API. The analytic identifies the URI path found in the POCs and the HTTP Method of POST. In addition, the request header will have the commands that may be executed in fields utilcmdargs and the auth field of X-F5-Auth-Token, which may have a random base64 encoded value. -action.notable.param.rule_title = F5 BIG-IP iControl REST Vulnerability CVE-2022-1388 -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats count from datamodel=Web where Web.url="*/mgmt/tm/util/bash*" Web.http_method="POST" by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388_filter` - -[ESCU - High Volume of Bytes Out to Url - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects high volume of bytes out (greater than 1GB) to a URL within 2 mins of time window. This may be indicative of an attacker attempting to exfiltrate data. The search applies a fundamental threshold for detecting significant web uploads. This approach aims to identify potential data exfiltration activities by malware or malevolent insiders. View the alert for $dest$ to investigate further. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1567"], "nist": ["DE.AE"]} -action.escu.data_models = ["Web"] -action.escu.eli5 = The following analytic detects high volume of bytes out (greater than 1GB) to a URL within 2 mins of time window. This may be indicative of an attacker attempting to exfiltrate data. The search applies a fundamental threshold for detecting significant web uploads. This approach aims to identify potential data exfiltration activities by malware or malevolent insiders. View the alert for $dest$ to investigate further. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel. Please adjust the threshold for the sum of bytes out as per your environment and user behavior. -action.escu.known_false_positives = This search may trigger false positives if there is a legitimate reason for a high volume of bytes out to a URL. We recommend to investigate these findings. Consider updating the filter macro to exclude the applications that are relevant to your environment. -action.escu.creation_date = 2024-02-22 -action.escu.modification_date = 2024-02-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - High Volume of Bytes Out to Url - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Data Exfiltration"] -action.risk = 1 -action.risk.param._risk_message = A high volume of bytes out to a URL $url$ was detected from src $src$ to dest $dest$. -action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "system", "risk_score": 9}, {"threat_object_field": "dest", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - High Volume of Bytes Out to Url - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Exfiltration"], "cis20": ["CIS 13"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1567"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c8a6b56d-16dd-4e9c-b4bd-527742ead98d", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count sum(Web.bytes_out) as sum_bytes_out values(Web.user) as user values(Web.app) as app values(Web.dest) as dest from datamodel=Web by _time span=2m Web.url Web.src sourcetype | search sum_bytes_out > 1070000000 | `drop_dm_object_name("Web")`| `high_volume_of_bytes_out_to_url_filter` - -[ESCU - Hosts receiving high volume of network traffic from email server - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies hosts receiving an unusually high volume of network traffic from an email server. It leverages the Network_Traffic data model to sum incoming bytes to clients from email servers, comparing current traffic against historical averages and standard deviations. This activity is significant as it may indicate data exfiltration by a malicious actor using the email server. If confirmed malicious, this could lead to unauthorized data access and potential data breaches, compromising sensitive information and impacting organizational security. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114.002", "T1114"], "nist": ["DE.AE"]} -action.escu.data_models = ["Network_Traffic"] -action.escu.eli5 = The following analytic identifies hosts receiving an unusually high volume of network traffic from an email server. It leverages the Network_Traffic data model to sum incoming bytes to clients from email servers, comparing current traffic against historical averages and standard deviations. This activity is significant as it may indicate data exfiltration by a malicious actor using the email server. If confirmed malicious, this could lead to unauthorized data access and potential data breaches, compromising sensitive information and impacting organizational security. -action.escu.how_to_implement = This search requires you to be ingesting your network traffic and populating the Network_Traffic data model. Your email servers must be categorized as "email_server" for the search to work, as well. You may need to adjust the deviation_threshold and minimum_data_samples values based on the network traffic in your environment. The "deviation_threshold" field is a multiplying factor to control how much variation you're willing to tolerate. The "minimum_data_samples" field is the minimum number of connections of data samples required for the statistic to be valid. -action.escu.known_false_positives = The false-positive rate will vary based on how you set the deviation_threshold and data_samples values. Our recommendation is to adjust these values based on your network traffic to and from your email servers. -action.escu.creation_date = 2024-05-15 -action.escu.modification_date = 2024-05-15 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Hosts receiving high volume of network traffic from email server - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Collection and Staging"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Hosts receiving high volume of network traffic from email server - Rule -action.correlationsearch.annotations = {"analytic_story": ["Collection and Staging"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114.002", "T1114"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "7f5fb3e1-4209-4914-90db-0ec21b556368", "detection_version": "3"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` sum(All_Traffic.bytes_in) as bytes_in from datamodel=Network_Traffic where All_Traffic.dest_category=email_server by All_Traffic.src_ip _time span=1d | `drop_dm_object_name("All_Traffic")` | eventstats avg(bytes_in) as avg_bytes_in stdev(bytes_in) as stdev_bytes_in | eventstats count as num_data_samples avg(eval(if(_time < relative_time(now(), "@d"), bytes_in, null))) as per_source_avg_bytes_in stdev(eval(if(_time < relative_time(now(), "@d"), bytes_in, null))) as per_source_stdev_bytes_in by src_ip | eval minimum_data_samples = 4, deviation_threshold = 3 | where num_data_samples >= minimum_data_samples AND bytes_in > (avg_bytes_in + (deviation_threshold * stdev_bytes_in)) AND bytes_in > (per_source_avg_bytes_in + (deviation_threshold * per_source_stdev_bytes_in)) AND _time >= relative_time(now(), "@d") | eval num_standard_deviations_away_from_server_average = round(abs(bytes_in - avg_bytes_in) / stdev_bytes_in, 2), num_standard_deviations_away_from_client_average = round(abs(bytes_in - per_source_avg_bytes_in) / per_source_stdev_bytes_in, 2) | table src_ip, _time, bytes_in, avg_bytes_in, per_source_avg_bytes_in, num_standard_deviations_away_from_server_average, num_standard_deviations_away_from_client_average | `hosts_receiving_high_volume_of_network_traffic_from_email_server_filter` - -[ESCU - Large Volume of DNS ANY Queries - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies a large volume of DNS ANY queries, which may indicate a DNS amplification attack. It leverages the Network_Resolution data model to count DNS queries of type "ANY" directed to specific destinations. This activity is significant because DNS amplification attacks can overwhelm network resources, leading to Denial of Service (DoS) conditions. If confirmed malicious, this activity could disrupt services, degrade network performance, and potentially be part of a larger Distributed Denial of Service (DDoS) attack, impacting the availability of critical infrastructure. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1498", "T1498.002"], "nist": ["DE.AE"]} -action.escu.data_models = ["Network_Resolution"] -action.escu.eli5 = The following analytic identifies a large volume of DNS ANY queries, which may indicate a DNS amplification attack. It leverages the Network_Resolution data model to count DNS queries of type "ANY" directed to specific destinations. This activity is significant because DNS amplification attacks can overwhelm network resources, leading to Denial of Service (DoS) conditions. If confirmed malicious, this activity could disrupt services, degrade network performance, and potentially be part of a larger Distributed Denial of Service (DDoS) attack, impacting the availability of critical infrastructure. -action.escu.how_to_implement = To successfully implement this search you must ensure that DNS data is populating the Network_Resolution data model. -action.escu.known_false_positives = Legitimate ANY requests may trigger this search, however it is unusual to see a large volume of them under typical circumstances. You may modify the threshold in the search to better suit your environment. -action.escu.creation_date = 2024-05-15 -action.escu.modification_date = 2024-05-15 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Large Volume of DNS ANY Queries - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["DNS Amplification Attacks"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Large Volume of DNS ANY Queries - Rule -action.correlationsearch.annotations = {"analytic_story": ["DNS Amplification Attacks"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1498", "T1498.002"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "8fa891f7-a533-4b3c-af85-5aa2e7c1f1eb", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count from datamodel=Network_Resolution where nodename=DNS "DNS.message_type"="QUERY" "DNS.record_type"="ANY" by "DNS.dest" | `drop_dm_object_name("DNS")` | where count>200 | `large_volume_of_dns_any_queries_filter` - -[ESCU - Multiple Archive Files Http Post Traffic - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search is designed to detect high frequency of archive files data exfiltration through HTTP POST method protocol. This are one of the common techniques used by APT or trojan spy after doing the data collection like screenshot, recording, sensitive data to the infected machines. The attacker may execute archiving command to the collected data, save it a temp folder with a hidden attribute then send it to its C2 through HTTP POST. Sometimes adversaries will rename the archive files or encode/encrypt to cover their tracks. This detection can detect a renamed archive files transfer to HTTP POST since it checks the request body header. Unfortunately this detection cannot support archive that was encrypted or encoded before doing the exfiltration. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048.003", "T1048"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This search is designed to detect high frequency of archive files data exfiltration through HTTP POST method protocol. This are one of the common techniques used by APT or trojan spy after doing the data collection like screenshot, recording, sensitive data to the infected machines. The attacker may execute archiving command to the collected data, save it a temp folder with a hidden attribute then send it to its C2 through HTTP POST. Sometimes adversaries will rename the archive files or encode/encrypt to cover their tracks. This detection can detect a renamed archive files transfer to HTTP POST since it checks the request body header. Unfortunately this detection cannot support archive that was encrypted or encoded before doing the exfiltration. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the stream HTTP logs or network logs that catch network traffic. Make sure that the http-request-body, payload, or request field is enabled in stream http configuration. -action.escu.known_false_positives = Normal archive transfer via HTTP protocol may trip this detection. -action.escu.creation_date = 2023-11-07 -action.escu.modification_date = 2023-11-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Multiple Archive Files Http Post Traffic - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Command And Control", "Data Exfiltration"] -action.risk = 1 -action.risk.param._risk_message = A http post $http_method$ sending packet with possible archive bytes header in uri path $uri_path$ -action.risk.param._risk = [{"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 25}, {"threat_object_field": "url", "threat_object_type": "url"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Multiple Archive Files Http Post Traffic - Rule -action.correlationsearch.annotations = {"analytic_story": ["Command And Control", "Data Exfiltration"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048.003", "T1048"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "4477f3ea-a28f-11eb-b762-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search is designed to detect high frequency of archive files data exfiltration through HTTP POST method protocol. This are one of the common techniques used by APT or trojan spy after doing the data collection like screenshot, recording, sensitive data to the infected machines. The attacker may execute archiving command to the collected data, save it a temp folder with a hidden attribute then send it to its C2 through HTTP POST. Sometimes adversaries will rename the archive files or encode/encrypt to cover their tracks. This detection can detect a renamed archive files transfer to HTTP POST since it checks the request body header. Unfortunately this detection cannot support archive that was encrypted or encoded before doing the exfiltration. -action.notable.param.rule_title = Multiple Archive Files Http Post Traffic -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `stream_http` http_method=POST |eval archive_hdr1=substr(form_data,1,2) | eval archive_hdr2 = substr(form_data,1,4) |stats values(form_data) as http_request_body min(_time) as firstTime max(_time) as lastTime count by src_ip dest_ip http_method http_user_agent uri_path url bytes_in bytes_out archive_hdr1 archive_hdr2 |where count >20 AND (archive_hdr1 = "7z" OR archive_hdr1 = "PK" OR archive_hdr2="Rar!") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `multiple_archive_files_http_post_traffic_filter` - -[ESCU - Ngrok Reverse Proxy on Network - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the 4 most common Ngrok used domains based on DNS queries under the Network Resolution datamodel. It's possible these domains may be ran against the Web datamodel or ran with a direct query across network/proxy traffic. The sign of someone using Ngrok is not malicious, however, more recenctly it has become an adversary tool. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1572", "T1090", "T1102"], "nist": ["DE.AE"]} -action.escu.data_models = ["Network_Resolution"] -action.escu.eli5 = The following analytic identifies the 4 most common Ngrok used domains based on DNS queries under the Network Resolution datamodel. It's possible these domains may be ran against the Web datamodel or ran with a direct query across network/proxy traffic. The sign of someone using Ngrok is not malicious, however, more recenctly it has become an adversary tool. -action.escu.how_to_implement = The Network Resolution Datamodel will need to have data mapped to it regarding DNS queries. Modify query as needed to use another source. -action.escu.known_false_positives = False positives will be present based on organizations that allow the use of Ngrok. Filter or monitor as needed. -action.escu.creation_date = 2022-11-16 -action.escu.modification_date = 2022-11-16 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Ngrok Reverse Proxy on Network - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["CISA AA22-320A", "Reverse Network Proxy"] -action.risk = 1 -action.risk.param._risk_message = An endpoint, $src$, is beaconing out to the reverse proxy service of Ngrok. -action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "system", "risk_score": 50}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Ngrok Reverse Proxy on Network - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA22-320A", "Reverse Network Proxy"], "cis20": ["CIS 13"], "confidence": 100, "impact": 50, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1572", "T1090", "T1102"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "5790a766-53b8-40d3-a696-3547b978fcf0", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Resolution where DNS.query IN ("*.ngrok.com","*.ngrok.io", "ngrok.*.tunnel.com", "korgn.*.lennut.com") by DNS.src DNS.query DNS.answer | `drop_dm_object_name("DNS")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ngrok_reverse_proxy_on_network_filter` - -[ESCU - Plain HTTP POST Exfiltrated Data - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This search is to detect potential plain HTTP POST method data exfiltration. This network traffic is commonly used by trickbot, trojanspy, keylogger or APT adversary where arguments or commands are sent in plain text to the remote C2 server using HTTP POST method as part of data exfiltration. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048.003", "T1048"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This search is to detect potential plain HTTP POST method data exfiltration. This network traffic is commonly used by trickbot, trojanspy, keylogger or APT adversary where arguments or commands are sent in plain text to the remote C2 server using HTTP POST method as part of data exfiltration. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the stream HTTP logs or network logs that catch network traffic. Make sure that the http-request-body, payload, or request field is enabled. -action.escu.known_false_positives = unknown -action.escu.creation_date = 2023-11-07 -action.escu.modification_date = 2023-11-07 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Plain HTTP POST Exfiltrated Data - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Command And Control", "Data Exfiltration"] -action.risk = 1 -action.risk.param._risk_message = A http post $http_method$ sending packet with plain text of information in uri path $uri_path$ -action.risk.param._risk = [{"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 63}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Plain HTTP POST Exfiltrated Data - Rule -action.correlationsearch.annotations = {"analytic_story": ["Command And Control", "Data Exfiltration"], "cis20": ["CIS 13"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048.003", "T1048"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e2b36208-a364-11eb-8909-acde48001122", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search is to detect potential plain HTTP POST method data exfiltration. This network traffic is commonly used by trickbot, trojanspy, keylogger or APT adversary where arguments or commands are sent in plain text to the remote C2 server using HTTP POST method as part of data exfiltration. -action.notable.param.rule_title = Plain HTTP POST Exfiltrated Data -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `stream_http` http_method=POST form_data IN ("*wermgr.exe*","*svchost.exe*", "*name=\"proclist\"*","*ipconfig*", "*name=\"sysinfo\"*", "*net view*") |stats values(form_data) as http_request_body min(_time) as firstTime max(_time) as lastTime count by src_ip dest_ip http_method http_user_agent uri_path url bytes_in bytes_out | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `plain_http_post_exfiltrated_data_filter` - -[ESCU - Prohibited Network Traffic Allowed - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects instances where network traffic, specifically identified by port and transport layer protocol as prohibited in the "lookup_interesting_ports" table, is allowed according to the Network_Traffic data model. It operates by cross-referencing traffic data against predefined security policies to identify discrepancies indicative of potential misconfigurations or policy violations. This detection is crucial for a Security Operations Center (SOC) as it highlights potential security breaches or misconfigured network devices that could allow unauthorized access or data exfiltration, directly impacting the organization's security posture. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048"], "nist": ["DE.CM"]} -action.escu.data_models = ["Network_Traffic"] -action.escu.eli5 = The following analytic detects instances where network traffic, specifically identified by port and transport layer protocol as prohibited in the "lookup_interesting_ports" table, is allowed according to the Network_Traffic data model. It operates by cross-referencing traffic data against predefined security policies to identify discrepancies indicative of potential misconfigurations or policy violations. This detection is crucial for a Security Operations Center (SOC) as it highlights potential security breaches or misconfigured network devices that could allow unauthorized access or data exfiltration, directly impacting the organization's security posture. -action.escu.how_to_implement = In order to properly run this search, Splunk needs to ingest data from firewalls or other network control devices that mediate the traffic allowed into an environment. This is necessary so that the search can identify an 'action' taken on the traffic of interest. The search requires the Network_Traffic data model be populated. -action.escu.known_false_positives = None identified -action.escu.creation_date = 2024-02-27 -action.escu.modification_date = 2024-02-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Prohibited Network Traffic Allowed - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Command And Control", "Prohibited Traffic Allowed or Protocol Mismatch", "Ransomware"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 25}, {"threat_object_field": "dest_ip", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Prohibited Network Traffic Allowed - Rule -action.correlationsearch.annotations = {"analytic_story": ["Command And Control", "Prohibited Traffic Allowed or Protocol Mismatch", "Ransomware"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "ce5a0962-849f-4720-a678-753fe6674479", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects instances where network traffic, specifically identified by port and transport layer protocol as prohibited in the "lookup_interesting_ports" table, is allowed according to the Network_Traffic data model. It operates by cross-referencing traffic data against predefined security policies to identify discrepancies indicative of potential misconfigurations or policy violations. This detection is crucial for a Security Operations Center (SOC) as it highlights potential security breaches or misconfigured network devices that could allow unauthorized access or data exfiltration, directly impacting the organization's security posture. -action.notable.param.rule_title = Prohibited Network Traffic Allowed -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.action = allowed by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.action | lookup update=true interesting_ports_lookup dest_port as All_Traffic.dest_port OUTPUT app is_prohibited note transport | search is_prohibited=true | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name("All_Traffic")` | `prohibited_network_traffic_allowed_filter` - -[ESCU - Protocol or Port Mismatch - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search looks for network traffic on common ports where a higher layer protocol does not match the port that is being used. For example, this search should identify cases where protocols other than HTTP are running on TCP port 80. This can be used by attackers to circumvent firewall restrictions, or as an attempt to hide malicious communications over ports and protocols that are typically allowed and not well inspected. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048.003", "T1048"], "nist": ["DE.AE"]} -action.escu.data_models = ["Network_Traffic"] -action.escu.eli5 = This search looks for network traffic on common ports where a higher layer protocol does not match the port that is being used. For example, this search should identify cases where protocols other than HTTP are running on TCP port 80. This can be used by attackers to circumvent firewall restrictions, or as an attempt to hide malicious communications over ports and protocols that are typically allowed and not well inspected. -action.escu.how_to_implement = Running this search properly requires a technology that can inspect network traffic and identify common protocols. Technologies such as Bro and Palo Alto Networks firewalls are two examples that will identify protocols via inspection, and not just assume a specific protocol based on the transport protocol and ports. -action.escu.known_false_positives = None identified -action.escu.creation_date = 2020-07-21 -action.escu.modification_date = 2020-07-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Protocol or Port Mismatch - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Command And Control", "Prohibited Traffic Allowed or Protocol Mismatch"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Protocol or Port Mismatch - Rule -action.correlationsearch.annotations = {"analytic_story": ["Command And Control", "Prohibited Traffic Allowed or Protocol Mismatch"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048.003", "T1048"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "54dc1265-2f74-4b6d-b30d-49eb506a31b3", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where (All_Traffic.app=dns NOT All_Traffic.dest_port=53) OR ((All_Traffic.app=web-browsing OR All_Traffic.app=http) NOT (All_Traffic.dest_port=80 OR All_Traffic.dest_port=8080 OR All_Traffic.dest_port=8000)) OR (All_Traffic.app=ssl NOT (All_Traffic.dest_port=443 OR All_Traffic.dest_port=8443)) OR (All_Traffic.app=smtp NOT All_Traffic.dest_port=25) by All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.app, All_Traffic.dest_port |`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name("All_Traffic")` | `protocol_or_port_mismatch_filter` - -[ESCU - Protocols passing authentication in cleartext - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies cleartext protocols at risk of leaking sensitive information. Currently, this consists of legacy protocols such as telnet (port 23), POP3 (port 110), IMAP (port 143), and non-anonymous FTP (port 21) sessions. While some of these protocols may be used over SSL, they typically are found on different assigned ports in those instances. -action.escu.mappings = {"cis20": ["CIS 13"], "nist": ["DE.CM"]} -action.escu.data_models = ["Network_Traffic"] -action.escu.eli5 = The following analytic identifies cleartext protocols at risk of leaking sensitive information. Currently, this consists of legacy protocols such as telnet (port 23), POP3 (port 110), IMAP (port 143), and non-anonymous FTP (port 21) sessions. While some of these protocols may be used over SSL, they typically are found on different assigned ports in those instances. -action.escu.how_to_implement = This search requires you to be ingesting your network traffic, and populating the Network_Traffic data model. For more accurate result it's better to limit destination to organization private and public IP range, like All_Traffic.dest IN(192.168.0.0/16,172.16.0.0/12,10.0.0.0/8, x.x.x.x/22) -action.escu.known_false_positives = Some networks may use kerberized FTP or telnet servers, however, this is rare. -action.escu.creation_date = 2021-08-19 -action.escu.modification_date = 2021-08-19 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Protocols passing authentication in cleartext - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Use of Cleartext Protocols"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Protocols passing authentication in cleartext - Rule -action.correlationsearch.annotations = {"analytic_story": ["Use of Cleartext Protocols"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "6923cd64-17a0-453c-b945-81ac2d8c6db9", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies cleartext protocols at risk of leaking sensitive information. Currently, this consists of legacy protocols such as telnet (port 23), POP3 (port 110), IMAP (port 143), and non-anonymous FTP (port 21) sessions. While some of these protocols may be used over SSL, they typically are found on different assigned ports in those instances. -action.notable.param.rule_title = Protocols passing authentication in cleartext -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.action!=blocked AND All_Traffic.transport="tcp" AND (All_Traffic.dest_port="23" OR All_Traffic.dest_port="143" OR All_Traffic.dest_port="110" OR (All_Traffic.dest_port="21" AND All_Traffic.user != "anonymous")) by All_Traffic.user All_Traffic.src All_Traffic.dest All_Traffic.dest_port | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name("All_Traffic")` | `protocols_passing_authentication_in_cleartext_filter` - -[ESCU - Remote Desktop Network Bruteforce - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies potential Remote Desktop Protocol (RDP) brute force attacks by monitoring network traffic for RDP application activity. It detects anomalies by filtering source and destination pairs that generate traffic exceeding twice the standard deviation of the average traffic. This method leverages the Network_Traffic data model to identify unusual patterns indicative of brute force attempts. This activity is significant as it may indicate an attacker attempting to gain unauthorized access to systems via RDP. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or further network compromise. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.CM"]} -action.escu.data_models = ["Network_Traffic"] -action.escu.eli5 = The following analytic identifies potential Remote Desktop Protocol (RDP) brute force attacks by monitoring network traffic for RDP application activity. It detects anomalies by filtering source and destination pairs that generate traffic exceeding twice the standard deviation of the average traffic. This method leverages the Network_Traffic data model to identify unusual patterns indicative of brute force attempts. This activity is significant as it may indicate an attacker attempting to gain unauthorized access to systems via RDP. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or further network compromise. -action.escu.how_to_implement = You must ensure that your network traffic data is populating the Network_Traffic data model. -action.escu.known_false_positives = RDP gateways may have unusually high amounts of traffic from all other hosts' RDP applications in the network. -action.escu.creation_date = 2024-05-17 -action.escu.modification_date = 2024-05-17 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Remote Desktop Network Bruteforce - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Ryuk Ransomware", "SamSam Ransomware"] -action.risk = 1 -action.risk.param._risk_message = $dest$ may be the target of an RDP Bruteforce -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Remote Desktop Network Bruteforce - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ryuk Ransomware", "SamSam Ransomware"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a98727cc-286b-4ff2-b898-41df64695923", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies potential Remote Desktop Protocol (RDP) brute force attacks by monitoring network traffic for RDP application activity. It detects anomalies by filtering source and destination pairs that generate traffic exceeding twice the standard deviation of the average traffic. This method leverages the Network_Traffic data model to identify unusual patterns indicative of brute force attempts. This activity is significant as it may indicate an attacker attempting to gain unauthorized access to systems via RDP. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or further network compromise. -action.notable.param.rule_title = Remote Desktop Network Bruteforce -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.app=rdp by All_Traffic.src All_Traffic.dest All_Traffic.dest_port | eventstats stdev(count) AS stdev avg(count) AS avg p50(count) AS p50 | where count>(avg + stdev*2) | rename All_Traffic.src AS src All_Traffic.dest AS dest | table firstTime lastTime src dest count avg p50 stdev | `remote_desktop_network_bruteforce_filter` - -[ESCU - Remote Desktop Network Traffic - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects unusual Remote Desktop Protocol (RDP) traffic on TCP/3389, the default RDP port. It identifies this activity by filtering out traffic from known RDP sources and destinations, focusing on atypical RDP connections within the network. This detection is crucial for a Security Operations Center (SOC) as unauthorized RDP access can indicate an attacker's attempt to gain control over networked systems, potentially leading to data theft, ransomware deployment, or further network compromise. The impact of such unauthorized access can be significant, ranging from data breaches to complete system and network control loss. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.AE"]} -action.escu.data_models = ["Network_Traffic"] -action.escu.eli5 = The following analytic detects unusual Remote Desktop Protocol (RDP) traffic on TCP/3389, the default RDP port. It identifies this activity by filtering out traffic from known RDP sources and destinations, focusing on atypical RDP connections within the network. This detection is crucial for a Security Operations Center (SOC) as unauthorized RDP access can indicate an attacker's attempt to gain control over networked systems, potentially leading to data theft, ransomware deployment, or further network compromise. The impact of such unauthorized access can be significant, ranging from data breaches to complete system and network control loss. -action.escu.how_to_implement = To successfully implement this search you need to identify systems that commonly originate remote desktop traffic and that commonly receive remote desktop traffic. You can use the included support search "Identify Systems Creating Remote Desktop Traffic" to identify systems that originate the traffic and the search "Identify Systems Receiving Remote Desktop Traffic" to identify systems that receive a lot of remote desktop traffic. After identifying these systems, you will need to add the "common_rdp_source" or "common_rdp_destination" category to that system depending on the usage, using the Enterprise Security Assets and Identities framework. This can be done by adding an entry in the assets.csv file located in SA-IdentityManagement/lookups. -action.escu.known_false_positives = Remote Desktop may be used legitimately by users on the network. -action.escu.creation_date = 2024-02-27 -action.escu.modification_date = 2024-02-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Remote Desktop Network Traffic - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Active Directory Lateral Movement", "Hidden Cobra Malware", "Ryuk Ransomware", "SamSam Ransomware"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "system", "risk_score": 25}, {"threat_object_field": "dest", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Remote Desktop Network Traffic - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "Hidden Cobra Malware", "Ryuk Ransomware", "SamSam Ransomware"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "272b8407-842d-4b3d-bead-a704584003d3", "detection_version": "4"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.dest_port=3389 AND All_Traffic.dest_category!=common_rdp_destination AND All_Traffic.src_category!=common_rdp_source AND All_Traffic.action="allowed" by All_Traffic.src All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name("All_Traffic")` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `remote_desktop_network_traffic_filter` - -[ESCU - SMB Traffic Spike - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic detects spikes in the number of Server Message Block (SMB) traffic connections. SMB is a network protocol used for sharing files, printers, and other resources between computers. This detection is made by a Splunk query that looks for SMB traffic connections on ports 139 and 445, as well as connections using the SMB application. The query calculates the average and standard deviation of the number of SMB connections over the past 70 minutes, and identifies any sources that exceed two standard deviations from the average. This helps to filter out false positives caused by normal fluctuations in SMB traffic. This detection is important because it identifies potential SMB-based attacks, such as ransomware or data theft, which often involve a large number of SMB connections. This suggests that an attacker is attempting to exfiltrate data or spread malware within the network. Next steps include investigating the source of the traffic and determining if it is malicious. This can involve reviewing network logs, capturing and analyzing any relevant network packets, and correlating with other security events to identify the attack source and mitigate the risk. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.002", "T1021"], "nist": ["DE.AE"]} -action.escu.data_models = ["Network_Traffic"] -action.escu.eli5 = The following analytic detects spikes in the number of Server Message Block (SMB) traffic connections. SMB is a network protocol used for sharing files, printers, and other resources between computers. This detection is made by a Splunk query that looks for SMB traffic connections on ports 139 and 445, as well as connections using the SMB application. The query calculates the average and standard deviation of the number of SMB connections over the past 70 minutes, and identifies any sources that exceed two standard deviations from the average. This helps to filter out false positives caused by normal fluctuations in SMB traffic. This detection is important because it identifies potential SMB-based attacks, such as ransomware or data theft, which often involve a large number of SMB connections. This suggests that an attacker is attempting to exfiltrate data or spread malware within the network. Next steps include investigating the source of the traffic and determining if it is malicious. This can involve reviewing network logs, capturing and analyzing any relevant network packets, and correlating with other security events to identify the attack source and mitigate the risk. -action.escu.how_to_implement = This search requires you to be ingesting your network traffic logs and populating the `Network_Traffic` data model. -action.escu.known_false_positives = A file server may experience high-demand loads that could cause this analytic to trigger. -action.escu.creation_date = 2020-07-22 -action.escu.modification_date = 2020-07-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - SMB Traffic Spike - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["DHS Report TA18-074A", "Emotet Malware DHS Report TA18-201A", "Hidden Cobra Malware", "Ransomware"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - SMB Traffic Spike - Rule -action.correlationsearch.annotations = {"analytic_story": ["DHS Report TA18-074A", "Emotet Malware DHS Report TA18-201A", "Hidden Cobra Malware", "Ransomware"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.002", "T1021"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "7f5fb3e1-4209-4914-90db-0ec21b936378", "detection_version": "3"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count from datamodel=Network_Traffic where All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb by _time span=1h, All_Traffic.src | `drop_dm_object_name("All_Traffic")` | eventstats max(_time) as maxtime | stats count as num_data_samples max(eval(if(_time >= relative_time(maxtime, "-70m@m"), count, null))) as count avg(eval(if(_time upperBound AND num_data_samples >=50, 1, 0) | where isOutlier=1 | table src count | `smb_traffic_spike_filter` - -[ESCU - SMB Traffic Spike - MLTK - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies spikes in the number of Server Message Block (SMB) connections using the Machine Learning Toolkit (MLTK). It leverages the Network_Traffic data model to monitor SMB traffic on ports 139 and 445, applying a machine learning model to detect anomalies. This activity is significant because sudden increases in SMB traffic can indicate lateral movement or data exfiltration attempts by attackers. If confirmed malicious, this behavior could lead to unauthorized access, data theft, or further compromise of the network. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.002", "T1021"], "nist": ["DE.AE"]} -action.escu.data_models = ["Network_Traffic"] -action.escu.eli5 = The following analytic identifies spikes in the number of Server Message Block (SMB) connections using the Machine Learning Toolkit (MLTK). It leverages the Network_Traffic data model to monitor SMB traffic on ports 139 and 445, applying a machine learning model to detect anomalies. This activity is significant because sudden increases in SMB traffic can indicate lateral movement or data exfiltration attempts by attackers. If confirmed malicious, this behavior could lead to unauthorized access, data theft, or further compromise of the network. -action.escu.how_to_implement = To successfully implement this search, you will need to ensure that DNS data is populating the Network_Traffic data model. In addition, the latest version of Machine Learning Toolkit (MLTK) must be installed on your search heads, along with any required dependencies. Finally, the support search "Baseline of SMB Traffic - MLTK" must be executed before this detection search, because it builds a machine-learning (ML) model over the historical data used by this search. It is important that this search is run in the same app context as the associated support search, so that the model created by the support search is available for use. You should periodically re-run the support search to rebuild the model with the latest data available in your environment. \ -This search produces a field (Number of events,count) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. This field contributes additional context to the notable. To see the additional metadata, add the following field, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry): \ -* **Label:** Number of events, **Field:** count \ -Detailed documentation on how to create a new field within Incident Review is found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details` -action.escu.known_false_positives = If you are seeing more results than desired, you may consider reducing the value of the threshold in the search. You should also periodically re-run the support search to re-build the ML model on the latest data. Please update the `smb_traffic_spike_mltk_filter` macro to filter out false positive results -action.escu.creation_date = 2024-05-21 -action.escu.modification_date = 2024-05-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - SMB Traffic Spike - MLTK - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["DHS Report TA18-074A", "Emotet Malware DHS Report TA18-201A", "Hidden Cobra Malware", "Ransomware"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - SMB Traffic Spike - MLTK - Rule -action.correlationsearch.annotations = {"analytic_story": ["DHS Report TA18-074A", "Emotet Malware DHS Report TA18-201A", "Hidden Cobra Malware", "Ransomware"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.002", "T1021"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "d25773ba-9ad8-48d1-858e-07ad0bbeb828", "detection_version": "4"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count values(All_Traffic.dest_ip) as dest values(All_Traffic.dest_port) as port from datamodel=Network_Traffic where All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb by _time span=1h, All_Traffic.src | eval HourOfDay=strftime(_time, "%H") | eval DayOfWeek=strftime(_time, "%A") | `drop_dm_object_name(All_Traffic)` | apply smb_pdfmodel threshold=0.001 | rename "IsOutlier(count)" as isOutlier | search isOutlier > 0 | sort -count | table _time src dest port count | `smb_traffic_spike___mltk_filter` - -[ESCU - Splunk Identified SSL TLS Certificates - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic uses tags of SSL, TLS and certificate to identify the usage of the Splunk default certificates being utilized in the environment. Recommended guidance is to utilize valid TLS certificates which documentation may be found in Splunk Docs - https://docs.splunk.com/Documentation/Splunk/8.2.6/Security/AboutsecuringyourSplunkconfigurationwithSSL. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1040"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic uses tags of SSL, TLS and certificate to identify the usage of the Splunk default certificates being utilized in the environment. Recommended guidance is to utilize valid TLS certificates which documentation may be found in Splunk Docs - https://docs.splunk.com/Documentation/Splunk/8.2.6/Security/AboutsecuringyourSplunkconfigurationwithSSL. -action.escu.how_to_implement = Ingestion of SSL/TLS data is needed and to be tagged properly as ssl, tls or certificate. This data may come from a proxy, zeek, or Splunk Streams. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as "curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json". A user should then create an empty container or case, attach the workbook, and begin working through the tasks. -action.escu.known_false_positives = False positives will not be present as it is meant to assist with identifying default certificates being utilized. -action.escu.creation_date = 2022-05-25 -action.escu.modification_date = 2022-05-25 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Splunk Identified SSL TLS Certificates - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Splunk Vulnerabilities"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Splunk Identified SSL TLS Certificates - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 13"], "confidence": 70, "cve": ["CVE-2022-32151", "CVE-2022-32152"], "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1040"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "620fbb89-86fd-4e2e-925f-738374277586", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = tag IN (ssl, tls, certificate) ssl_issuer_common_name=*splunk* | stats values(src) AS "Host(s) with Default Cert" count by ssl_issuer ssl_subject_common_name ssl_subject_organization ssl_subject host sourcetype | `splunk_identified_ssl_tls_certificates_filter` - -[ESCU - SSL Certificates with Punycode - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic utilizes the Certificates Datamodel to look for punycode domains, starting with xn--, found in the SSL issuer email domain. The presence of punycode here does not equate to evil, therefore we need to decode the punycode to determine what it translates to. Remove the CyberChef recipe as needed and decode manually. Note that this is not the exact location of the malicious punycode to trip CVE-2022-3602, but a method to at least identify fuzzing occurring on these email paths. What does evil look like? it will start with -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1573"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic utilizes the Certificates Datamodel to look for punycode domains, starting with xn--, found in the SSL issuer email domain. The presence of punycode here does not equate to evil, therefore we need to decode the punycode to determine what it translates to. Remove the CyberChef recipe as needed and decode manually. Note that this is not the exact location of the malicious punycode to trip CVE-2022-3602, but a method to at least identify fuzzing occurring on these email paths. What does evil look like? it will start with -action.escu.how_to_implement = Ensure data is properly being ingested into the Certificates datamodel. If decoding the of interest, the CyberChef app is needed https://splunkbase.splunk.com/app/5348. If decoding is not needed, remove the cyberchef lines. -action.escu.known_false_positives = False positives may be present if the organization works with international businesses. Filter as needed. -action.escu.creation_date = 2022-11-01 -action.escu.modification_date = 2022-11-01 -action.escu.confidence = high -action.escu.full_search_name = ESCU - SSL Certificates with Punycode - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["OpenSSL CVE-2022-3602"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - SSL Certificates with Punycode - Rule -action.correlationsearch.annotations = {"analytic_story": ["OpenSSL CVE-2022-3602"], "cis20": ["CIS 13"], "confidence": 30, "impact": 50, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1573"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "696694df-5706-495a-81f2-79501fa11b90", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Certificates.All_Certificates by All_Certificates.SSL.ssl_issuer_email_domain All_Certificates.SSL.ssl_issuer All_Certificates.SSL.ssl_subject_email All_Certificates.SSL.dest All_Certificates.SSL.src All_Certificates.SSL.sourcetype All_Certificates.SSL.ssl_subject_email_domain | `drop_dm_object_name("All_Certificates.SSL")` | eval punycode=if(like(ssl_issuer_email_domain,"%xn--%"),1,0) | where punycode=1 | cyberchef infield="ssl_issuer_email_domain" outfield="convertedPuny" jsonrecipe="[{"op":"From Punycode","args":[true]}]" | table ssl_issuer_email_domain convertedPuny ssl_issuer ssl_subject_email dest src sourcetype ssl_subject_email_domain | `ssl_certificates_with_punycode_filter` - -[ESCU - TOR Traffic - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic looks for allowed network traffic to The Onion Router(TOR), a benign anonymity network which can be abused for a variety of nefarious purposes. Detecting Tor traffic is paramount for upholding network security and mitigating potential threats. Tor's capacity to provide users with anonymity has been exploited by cybercriminals for activities like hacking, data breaches, and illicit content dissemination. Additionally, organizations must monitor Tor usage within their networks to ensure compliance with policies and regulations, as it can bypass conventional monitoring and filtering measures. Lastly, the ability to identify Tor traffic empowers security teams to promptly investigate and address potential security incidents, fortifying the protection of sensitive data and preserving the integrity of the network environment. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1090", "T1090.003"], "nist": ["DE.CM"]} -action.escu.data_models = ["Network_Traffic"] -action.escu.eli5 = The following analytic looks for allowed network traffic to The Onion Router(TOR), a benign anonymity network which can be abused for a variety of nefarious purposes. Detecting Tor traffic is paramount for upholding network security and mitigating potential threats. Tor's capacity to provide users with anonymity has been exploited by cybercriminals for activities like hacking, data breaches, and illicit content dissemination. Additionally, organizations must monitor Tor usage within their networks to ensure compliance with policies and regulations, as it can bypass conventional monitoring and filtering measures. Lastly, the ability to identify Tor traffic empowers security teams to promptly investigate and address potential security incidents, fortifying the protection of sensitive data and preserving the integrity of the network environment. -action.escu.how_to_implement = In order to properly run this search, Splunk needs to ingest data from Next Generation Firewalls like Palo Alto Networks Firewalls or other network control devices that mediate the traffic allowed into an environment. This is necessary so that the search can identify an 'action' taken on the traffic of interest. The search requires the Network_Traffic data model to be populated. -action.escu.known_false_positives = None at this time -action.escu.creation_date = 2023-09-20 -action.escu.modification_date = 2023-09-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - TOR Traffic - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Command And Control", "NOBELIUM Group", "Prohibited Traffic Allowed or Protocol Mismatch", "Ransomware"] -action.risk = 1 -action.risk.param._risk_message = Suspicious network traffic allowed using TOR has been detected from $src_ip$ to $dest_ip$ -action.risk.param._risk = [{"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 80}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - TOR Traffic - Rule -action.correlationsearch.annotations = {"analytic_story": ["Command And Control", "NOBELIUM Group", "Prohibited Traffic Allowed or Protocol Mismatch", "Ransomware"], "cis20": ["CIS 13"], "confidence": 80, "impact": 100, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1090", "T1090.003"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "ea688274-9c06-4473-b951-e4cb7a5d7a45", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic looks for allowed network traffic to The Onion Router(TOR), a benign anonymity network which can be abused for a variety of nefarious purposes. Detecting Tor traffic is paramount for upholding network security and mitigating potential threats. Tor's capacity to provide users with anonymity has been exploited by cybercriminals for activities like hacking, data breaches, and illicit content dissemination. Additionally, organizations must monitor Tor usage within their networks to ensure compliance with policies and regulations, as it can bypass conventional monitoring and filtering measures. Lastly, the ability to identify Tor traffic empowers security teams to promptly investigate and address potential security incidents, fortifying the protection of sensitive data and preserving the integrity of the network environment. -action.notable.param.rule_title = TOR Traffic -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.app=tor AND All_Traffic.action=allowed by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.action | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name("All_Traffic")` | `tor_traffic_filter` - -[ESCU - Unusually Long Content-Type Length - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies unusually long strings in the Content-Type HTTP header sent by the client to the server. It uses data from the Stream:HTTP source, specifically evaluating the length of the `cs_content_type` field. This activity is significant because excessively long Content-Type headers can indicate attempts to exploit vulnerabilities or evade detection mechanisms. If confirmed malicious, this behavior could allow attackers to execute code, manipulate data, or bypass security controls, potentially leading to unauthorized access or data breaches. -action.escu.mappings = {"cis20": ["CIS 13"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies unusually long strings in the Content-Type HTTP header sent by the client to the server. It uses data from the Stream:HTTP source, specifically evaluating the length of the `cs_content_type` field. This activity is significant because excessively long Content-Type headers can indicate attempts to exploit vulnerabilities or evade detection mechanisms. If confirmed malicious, this behavior could allow attackers to execute code, manipulate data, or bypass security controls, potentially leading to unauthorized access or data breaches. -action.escu.how_to_implement = This particular search leverages data extracted from Stream:HTTP. You must configure the http stream using the Splunk Stream App on your Splunk Stream deployment server to extract the cs_content_type field. -action.escu.known_false_positives = Very few legitimate Content-Type fields will have a length greater than 100 characters. -action.escu.creation_date = 2024-05-13 -action.escu.modification_date = 2024-05-13 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Unusually Long Content-Type Length - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Apache Struts Vulnerability"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Unusually Long Content-Type Length - Rule -action.correlationsearch.annotations = {"analytic_story": ["Apache Struts Vulnerability"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "57a0a2bf-353f-40c1-84dc-29293f3c35b7", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `stream_http` | eval cs_content_type_length = len(cs_content_type) | where cs_content_type_length > 100 | table endtime src_ip dest_ip cs_content_type_length cs_content_type url | `unusually_long_content_type_length_filter` - -[ESCU - Windows AD Replication Service Traffic - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search looks for evidence of Active Directory replication traffic [MS-DRSR] from unexpected sources. This traffic is often seen exclusively between Domain Controllers for AD database replication. Any detections from non-domain controller source to a domain controller may indicate the usage of DCSync or DCShadow credential dumping techniques. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003", "T1003.006", "T1207"], "nist": ["DE.CM"]} -action.escu.data_models = ["Network_Traffic"] -action.escu.eli5 = This search looks for evidence of Active Directory replication traffic [MS-DRSR] from unexpected sources. This traffic is often seen exclusively between Domain Controllers for AD database replication. Any detections from non-domain controller source to a domain controller may indicate the usage of DCSync or DCShadow credential dumping techniques. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting application aware firewall or proxy logs into the Network Datamodel. Categorize all known domain controller Assets servers with an appropriate category for filtering. -action.escu.known_false_positives = New domain controllers or certian scripts run by administrators. -action.escu.creation_date = 2022-11-26 -action.escu.modification_date = 2022-11-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows AD Replication Service Traffic - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Sneaky Active Directory Persistence Tricks"] -action.risk = 1 -action.risk.param._risk_message = Active Directory Replication Traffic from Unknown Source - $src$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 100}, {"threat_object_field": "src", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Windows AD Replication Service Traffic - Rule -action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 13"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003", "T1003.006", "T1207"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c6e24183-a5f4-4b2a-ad01-2eb456d09b67", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search looks for evidence of Active Directory replication traffic [MS-DRSR] from unexpected sources. This traffic is often seen exclusively between Domain Controllers for AD database replication. Any detections from non-domain controller source to a domain controller may indicate the usage of DCSync or DCShadow credential dumping techniques. -action.notable.param.rule_title = Windows AD Replication Service Traffic -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count values(All_Traffic.transport) as transport values(All_Traffic.user) as user values(All_Traffic.src_category) as src_category values(All_Traffic.dest_category) as dest_category min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.app IN ("ms-dc-replication","*drsr*","ad drs") by All_Traffic.src All_Traffic.dest All_Traffic.app | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name("All_Traffic")` | `windows_ad_replication_service_traffic_filter` - -[ESCU - Windows AD Rogue Domain Controller Network Activity - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This detection is looking at zeek wiredata for specific replication RPC calls being performed from a device which is not a domain controller. If you would like to capture these RPC calls using Splunk Stream, please vote for my idea here https://ideas.splunk.com/ideas/APPSID-I-619 ;) -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1207"], "nist": ["DE.CM"]} -action.escu.data_models = ["Change"] -action.escu.eli5 = This detection is looking at zeek wiredata for specific replication RPC calls being performed from a device which is not a domain controller. If you would like to capture these RPC calls using Splunk Stream, please vote for my idea here https://ideas.splunk.com/ideas/APPSID-I-619 ;) -action.escu.how_to_implement = Run zeek on domain controllers to capture the DCE RPC calls, ensure the domain controller categories are defined in Assets and Identities. -action.escu.known_false_positives = None. -action.escu.creation_date = 2022-09-08 -action.escu.modification_date = 2022-09-08 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows AD Rogue Domain Controller Network Activity - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Zeek"] -action.escu.analytic_story = ["Sneaky Active Directory Persistence Tricks"] -action.risk = 1 -action.risk.param._risk_message = Rogue DC Activity Detected from $src_category$ device $src$ to $dest$ ($dest_category$) -action.risk.param._risk = [{"threat_object_field": "src", "threat_object_type": "ip_address"}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 100}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Windows AD Rogue Domain Controller Network Activity - Rule -action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 13"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1207"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c4aeeeef-da7f-4338-b3ba-553cbcbe2138", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This detection is looking at zeek wiredata for specific replication RPC calls being performed from a device which is not a domain controller. If you would like to capture these RPC calls using Splunk Stream, please vote for my idea here https://ideas.splunk.com/ideas/APPSID-I-619 ;) -action.notable.param.rule_title = Windows AD Rogue Domain Controller Network Activity -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `zeek_rpc` DrsReplicaAdd OR DRSGetNCChanges | where NOT (dest_category="Domain Controller") OR NOT (src_category="Domain Controller") | fillnull value="Unknown" src_category, dest_category | table _time endpoint operation src src_category dest dest_category | `windows_ad_rogue_domain_controller_network_activity_filter` - -[ESCU - Zeek x509 Certificate with Punycode - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic utilizes the Zeek x509 log. Modify the zeek_x509 macro with your index and sourcetype as needed. You will need to ensure the full x509 is logged as the potentially malicious punycode is nested under subject alternative names. In this particular analytic, it will identify punycode within the subject alternative name email and other fields. Note, that OtherFields is meant to be BOOL (true,false), therefore we may never see xn-- in that field. Upon identifying punycode, manually copy and paste, or add CyberChef recipe to query, and decode the punycode manually. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1573"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic utilizes the Zeek x509 log. Modify the zeek_x509 macro with your index and sourcetype as needed. You will need to ensure the full x509 is logged as the potentially malicious punycode is nested under subject alternative names. In this particular analytic, it will identify punycode within the subject alternative name email and other fields. Note, that OtherFields is meant to be BOOL (true,false), therefore we may never see xn-- in that field. Upon identifying punycode, manually copy and paste, or add CyberChef recipe to query, and decode the punycode manually. -action.escu.how_to_implement = The following analytic requires x509 certificate data to be logged entirely. In particular, for CVE-2022-3602, the punycode will be within the leaf certificate. The analytic may be modified to look for all xn--, or utilize a network IDS/monitoring tool like Zeek or Suricata to drill down into cert captured. Note for Suricata, the certificate is base64 encoded and will need to be decoded to capture the punycode (punycode will need to be decoded after). -action.escu.known_false_positives = False positives may be present if the organization works with international businesses. Filter as needed. -action.escu.creation_date = 2022-11-03 -action.escu.modification_date = 2022-11-03 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Zeek x509 Certificate with Punycode - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = ["Zeek"] -action.escu.analytic_story = ["OpenSSL CVE-2022-3602"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Zeek x509 Certificate with Punycode - Rule -action.correlationsearch.annotations = {"analytic_story": ["OpenSSL CVE-2022-3602"], "cis20": ["CIS 13"], "confidence": 30, "impact": 50, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1573"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "029d6fe4-a5fe-43af-827e-c78c50e81d81", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `zeek_x509` | rex field=san.email{} "\@(?xn--.*)" | rex field=san.other_fields{} "\@(?xn--.*)" | stats values(domain_detected) by basic_constraints.ca source host | `zeek_x509_certificate_with_punycode_filter` - -[ESCU - Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic monitors access to the /api/v1/configuration/users/user-roles/user-role/rest-userrole1/web/web-bookmarks/bookmark endpoint, a key indicator for both CVE-2023-46805 and CVE-2024-21887 vulnerabilities. It detects potential vulnerabilities by looking for a 403 Forbidden response with an empty body on this endpoint. This detection method is used in both Nmap script and Project Discovery Nuclei, with the latter focusing on systems where XML mitigation for these vulnerabilities has not been applied. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} -action.escu.data_models = ["Web"] -action.escu.eli5 = This analytic monitors access to the /api/v1/configuration/users/user-roles/user-role/rest-userrole1/web/web-bookmarks/bookmark endpoint, a key indicator for both CVE-2023-46805 and CVE-2024-21887 vulnerabilities. It detects potential vulnerabilities by looking for a 403 Forbidden response with an empty body on this endpoint. This detection method is used in both Nmap script and Project Discovery Nuclei, with the latter focusing on systems where XML mitigation for these vulnerabilities has not been applied. -action.escu.how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. -action.escu.known_false_positives = This analytic is limited to HTTP Status 403; adjust as necessary. False positives may occur if the URI path is IP-restricted or externally blocked. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment. -action.escu.creation_date = 2024-01-16 -action.escu.modification_date = 2024-01-16 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Ivanti Connect Secure VPN Vulnerabilities"] -action.risk = 1 -action.risk.param._risk_message = Possible exploitation of CVE-2023-46805 and CVE-2024-21887 against $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ivanti Connect Secure VPN Vulnerabilities"], "cis20": ["CIS 13"], "confidence": 80, "cve": ["CVE-2023-46805", "CVE-2024-21887"], "impact": 90, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "15838756-f425-43fa-9d88-a7f88063e81a", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic monitors access to the /api/v1/configuration/users/user-roles/user-role/rest-userrole1/web/web-bookmarks/bookmark endpoint, a key indicator for both CVE-2023-46805 and CVE-2024-21887 vulnerabilities. It detects potential vulnerabilities by looking for a 403 Forbidden response with an empty body on this endpoint. This detection method is used in both Nmap script and Project Discovery Nuclei, with the latter focusing on systems where XML mitigation for these vulnerabilities has not been applied. -action.notable.param.rule_title = Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url="*/api/v1/configuration/users/user-roles/user-role/rest-userrole1/web/web-bookmarks/bookmark*" Web.http_method=GET Web.status=403 by Web.src, Web.dest, Web.http_user_agent, Web.status, Web.url source | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `access_to_vulnerable_ivanti_connect_secure_bookmark_endpoint_filter` - -[ESCU - Adobe ColdFusion Access Control Bypass - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects potential exploitation attempts against Adobe ColdFusion vulnerabilities CVE-2023-29298 and CVE-2023-26360. These vulnerabilities pertain to an access control bypass and an arbitrary file read due to deserialization, respectively. By monitoring for requests to specific ColdFusion Administrator endpoints, especially those with an unexpected additional forward slash, the analytic identifies attempts to bypass access controls. Such behavior is crucial for a Security Operations Center (SOC) to identify, as exploitation can grant unauthorized access to ColdFusion administration endpoints, potentially leading to information leakage, brute force attacks, or further exploitation of other vulnerabilities. If a true positive is detected, it indicates a serious security breach where an attacker might have gained privileged access to the ColdFusion environment, potentially leading to data theft or other malicious activities. SOCs must be vigilant in monitoring for these patterns, ensuring timely detection and response to such threats, thus safeguarding the integrity and security of their ColdFusion deployments. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} -action.escu.data_models = ["Web"] -action.escu.eli5 = The following analytic detects potential exploitation attempts against Adobe ColdFusion vulnerabilities CVE-2023-29298 and CVE-2023-26360. These vulnerabilities pertain to an access control bypass and an arbitrary file read due to deserialization, respectively. By monitoring for requests to specific ColdFusion Administrator endpoints, especially those with an unexpected additional forward slash, the analytic identifies attempts to bypass access controls. Such behavior is crucial for a Security Operations Center (SOC) to identify, as exploitation can grant unauthorized access to ColdFusion administration endpoints, potentially leading to information leakage, brute force attacks, or further exploitation of other vulnerabilities. If a true positive is detected, it indicates a serious security breach where an attacker might have gained privileged access to the ColdFusion environment, potentially leading to data theft or other malicious activities. SOCs must be vigilant in monitoring for these patterns, ensuring timely detection and response to such threats, thus safeguarding the integrity and security of their ColdFusion deployments. -action.escu.how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. -action.escu.known_false_positives = This analytic is limited to HTTP Status 200; adjust as necessary. False positives may occur if the URI path is IP-restricted or externally blocked. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment. -action.escu.creation_date = 2023-08-23 -action.escu.modification_date = 2023-08-23 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Adobe ColdFusion Access Control Bypass - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360"] -action.risk = 1 -action.risk.param._risk_message = Possible exploitation of CVE-2023-29298 against $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 45}, {"threat_object_field": "src", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Adobe ColdFusion Access Control Bypass - Rule -action.correlationsearch.annotations = {"analytic_story": ["Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360"], "cis20": ["CIS 13"], "confidence": 50, "cve": ["CVE-2023-29298"], "impact": 90, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "d6821c0b-fcdc-4c95-a77f-e10752fae41a", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects potential exploitation attempts against Adobe ColdFusion vulnerabilities CVE-2023-29298 and CVE-2023-26360. These vulnerabilities pertain to an access control bypass and an arbitrary file read due to deserialization, respectively. By monitoring for requests to specific ColdFusion Administrator endpoints, especially those with an unexpected additional forward slash, the analytic identifies attempts to bypass access controls. Such behavior is crucial for a Security Operations Center (SOC) to identify, as exploitation can grant unauthorized access to ColdFusion administration endpoints, potentially leading to information leakage, brute force attacks, or further exploitation of other vulnerabilities. If a true positive is detected, it indicates a serious security breach where an attacker might have gained privileged access to the ColdFusion environment, potentially leading to data theft or other malicious activities. SOCs must be vigilant in monitoring for these patterns, ensuring timely detection and response to such threats, thus safeguarding the integrity and security of their ColdFusion deployments. -action.notable.param.rule_title = Adobe ColdFusion Access Control Bypass -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("//restplay*", "//CFIDE/restplay*", "//CFIDE/administrator*", "//CFIDE/adminapi*", "//CFIDE/main*", "//CFIDE/componentutils*", "//CFIDE/wizards*", "//CFIDE/servermanager*","/restplay*", "/CFIDE/restplay*", "/CFIDE/administrator*", "/CFIDE/adminapi*", "/CFIDE/main*", "/CFIDE/componentutils*", "/CFIDE/wizards*", "/CFIDE/servermanager*") Web.status=200 by Web.http_user_agent, Web.status, Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `adobe_coldfusion_access_control_bypass_filter` - -[ESCU - Adobe ColdFusion Unauthenticated Arbitrary File Read - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects potential exploitation of the critical Adobe ColdFusion vulnerability, CVE-2023-26360. This flaw, rooted in the deserialization of untrusted data, enables Unauthenticated Arbitrary File Read. Exploitation often targets specific ColdFusion paths, especially related to CKEditor's file manager. \ -Our analytic pinpoints exploitation by monitoring web requests to the "/cf_scripts/scripts/ajax/ckeditor/*" path. This focus helps differentiate malicious activity from standard ColdFusion traffic. For SOCs, detecting such attempts is vital given the vulnerability's CVSS score of 9.8, signaling its severity. Successful exploitation can lead to unauthorized data access, further attacks, or severe operational disruptions. \ -If a true positive arises, it indicates an active breach attempt, potentially causing data theft, operational disruption, or reputational damage. In essence, this analytic provides a targeted approach to identify attempts exploiting a high-risk ColdFusion vulnerability. While false positives may occur from legitimate accesses, any alerts should be treated as high-priority, warranting immediate investigation to ensure security. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} -action.escu.data_models = ["Web"] -action.escu.eli5 = The following analytic detects potential exploitation of the critical Adobe ColdFusion vulnerability, CVE-2023-26360. This flaw, rooted in the deserialization of untrusted data, enables Unauthenticated Arbitrary File Read. Exploitation often targets specific ColdFusion paths, especially related to CKEditor's file manager. \ -Our analytic pinpoints exploitation by monitoring web requests to the "/cf_scripts/scripts/ajax/ckeditor/*" path. This focus helps differentiate malicious activity from standard ColdFusion traffic. For SOCs, detecting such attempts is vital given the vulnerability's CVSS score of 9.8, signaling its severity. Successful exploitation can lead to unauthorized data access, further attacks, or severe operational disruptions. \ -If a true positive arises, it indicates an active breach attempt, potentially causing data theft, operational disruption, or reputational damage. In essence, this analytic provides a targeted approach to identify attempts exploiting a high-risk ColdFusion vulnerability. While false positives may occur from legitimate accesses, any alerts should be treated as high-priority, warranting immediate investigation to ensure security. -action.escu.how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. -action.escu.known_false_positives = In the wild, we have observed three different types of attempts that could potentially trigger false positives if the HTTP status code is not in the query. Please check this github gist for the specific URIs : https://gist.github.com/patel-bhavin/d10830f3f375a2397233f6a4fe38d5c9 . These could be legitimate requests depending on the context of your organization. Therefore, it is recommended to modify the analytic as needed to suit your specific environment. -action.escu.creation_date = 2023-08-23 -action.escu.modification_date = 2023-08-23 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Adobe ColdFusion Unauthenticated Arbitrary File Read - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360"] -action.risk = 1 -action.risk.param._risk_message = Possible exploitation of CVE-2023-26360 against $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 45}, {"threat_object_field": "src", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Adobe ColdFusion Unauthenticated Arbitrary File Read - Rule -action.correlationsearch.annotations = {"analytic_story": ["Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360"], "cis20": ["CIS 13"], "confidence": 50, "cve": ["CVE-2023-26360"], "impact": 90, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "695aceae-21db-4e7f-93ac-a52e39d02b93", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects potential exploitation of the critical Adobe ColdFusion vulnerability, CVE-2023-26360. This flaw, rooted in the deserialization of untrusted data, enables Unauthenticated Arbitrary File Read. Exploitation often targets specific ColdFusion paths, especially related to CKEditor's file manager. \ -Our analytic pinpoints exploitation by monitoring web requests to the "/cf_scripts/scripts/ajax/ckeditor/*" path. This focus helps differentiate malicious activity from standard ColdFusion traffic. For SOCs, detecting such attempts is vital given the vulnerability's CVSS score of 9.8, signaling its severity. Successful exploitation can lead to unauthorized data access, further attacks, or severe operational disruptions. \ -If a true positive arises, it indicates an active breach attempt, potentially causing data theft, operational disruption, or reputational damage. In essence, this analytic provides a targeted approach to identify attempts exploiting a high-risk ColdFusion vulnerability. While false positives may occur from legitimate accesses, any alerts should be treated as high-priority, warranting immediate investigation to ensure security. -action.notable.param.rule_title = Adobe ColdFusion Unauthenticated Arbitrary File Read -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("/cf_scripts/scripts/ajax/ckeditor/*") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `adobe_coldfusion_unauthenticated_arbitrary_file_read_filter` - -[ESCU - Cisco IOS XE Implant Access - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies potential exploitation of a previously unknown vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software (CVE-2023-20198). Successful exploitation allows an attacker to create an account on the affected device with privilege level 15 access, granting them full control of the compromised device. The detection is based on the observation of suspicious account creation and subsequent actions, including the deployment of an implant consisting of a configuration file. The implant is saved under the file path //usr//binos//conf//nginx-conf//cisco_service.conf and is not persistent, meaning a device reboot will remove it, but the newly created local user accounts remain active even after system reboots. The new user accounts have level 15 privileges, meaning they have full administrator access to the device. This privileged access to the devices and subsequent creation of new users is tracked as CVE-2023-20198. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} -action.escu.data_models = ["Web"] -action.escu.eli5 = The following analytic identifies potential exploitation of a previously unknown vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software (CVE-2023-20198). Successful exploitation allows an attacker to create an account on the affected device with privilege level 15 access, granting them full control of the compromised device. The detection is based on the observation of suspicious account creation and subsequent actions, including the deployment of an implant consisting of a configuration file. The implant is saved under the file path //usr//binos//conf//nginx-conf//cisco_service.conf and is not persistent, meaning a device reboot will remove it, but the newly created local user accounts remain active even after system reboots. The new user accounts have level 15 privileges, meaning they have full administrator access to the device. This privileged access to the devices and subsequent creation of new users is tracked as CVE-2023-20198. -action.escu.how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. -action.escu.known_false_positives = False positives may be present, restrict to Cisco IOS XE devices or perimeter appliances. Modify the analytic as needed based on hunting for successful exploitation of CVE-2023-20198. -action.escu.creation_date = 2023-10-17 -action.escu.modification_date = 2023-10-17 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Cisco IOS XE Implant Access - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Cisco IOS XE Software Web Management User Interface vulnerability"] -action.risk = 1 -action.risk.param._risk_message = Possible exploitation of CVE-2023-20198 against $dest$ by $src$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 81}, {"threat_object_field": "src", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Cisco IOS XE Implant Access - Rule -action.correlationsearch.annotations = {"analytic_story": ["Cisco IOS XE Software Web Management User Interface vulnerability"], "cis20": ["CIS 13"], "confidence": 90, "cve": ["CVE-2023-20198"], "impact": 90, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "07c36cda-6567-43c3-bc1a-89dff61e2cd9", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies potential exploitation of a previously unknown vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software (CVE-2023-20198). Successful exploitation allows an attacker to create an account on the affected device with privilege level 15 access, granting them full control of the compromised device. The detection is based on the observation of suspicious account creation and subsequent actions, including the deployment of an implant consisting of a configuration file. The implant is saved under the file path //usr//binos//conf//nginx-conf//cisco_service.conf and is not persistent, meaning a device reboot will remove it, but the newly created local user accounts remain active even after system reboots. The new user accounts have level 15 privileges, meaning they have full administrator access to the device. This privileged access to the devices and subsequent creation of new users is tracked as CVE-2023-20198. -action.notable.param.rule_title = Cisco IOS XE Implant Access -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("/webui/logoutconfirm.html?logon_hash=*") Web.http_method=POST Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `cisco_ios_xe_implant_access_filter` - -[ESCU - Citrix ADC and Gateway Unauthorized Data Disclosure - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects attempts to exploit the Citrix Bleed vulnerability, which can lead to the leaking of session tokens. The vulnerability, identified as CVE-2023-4966, pertains to sensitive information disclosure in NetScaler ADC and NetScaler Gateway when set up as various server configurations. The analytic specifically searches for HTTP requests with a 200 status code targeting the /oauth/idp/.well-known/openid-configuration URL endpoint. By parsing web traffic and filtering based on the aforementioned criteria along with specific user agent details, HTTP method, source and destination IPs, and the sourcetype, the analytic aims to identify potentially malicious requests that fit the profile of this exploit. \ -This behavior is essential for a Security Operations Center (SOC) to identify because if successfully exploited, attackers can gain unauthorized access, leading to a potential breach or further malicious activities within the organization's network. As the Citrix Bleed vulnerability can disclose session tokens, a successful exploit can allow attackers to impersonate legitimate users, bypassing authentication mechanisms and accessing sensitive data or systems. \ -If a true positive is confirmed, it implies that an attacker is actively exploiting the vulnerability within the organization's environment. This could lead to severe consequences, including unauthorized data access, further propagation within the network, and potential disruptions or exfiltration of critical information. \ -Upon flagging such activity, it's crucial for analysts to swiftly validate the alert, assess the nature and extent of the exposure, and implement necessary measures to mitigate the threat. Reviewing the details such as user agent, source, and destination IP can help in understanding the context and intent of the attack. While it's imperative to patch vulnerable systems to prevent this exploitation, early detection through this analytic provides a valuable layer of defense, enabling timely response to thwart potential breaches. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} -action.escu.data_models = ["Web"] -action.escu.eli5 = The following analytic detects attempts to exploit the Citrix Bleed vulnerability, which can lead to the leaking of session tokens. The vulnerability, identified as CVE-2023-4966, pertains to sensitive information disclosure in NetScaler ADC and NetScaler Gateway when set up as various server configurations. The analytic specifically searches for HTTP requests with a 200 status code targeting the /oauth/idp/.well-known/openid-configuration URL endpoint. By parsing web traffic and filtering based on the aforementioned criteria along with specific user agent details, HTTP method, source and destination IPs, and the sourcetype, the analytic aims to identify potentially malicious requests that fit the profile of this exploit. \ -This behavior is essential for a Security Operations Center (SOC) to identify because if successfully exploited, attackers can gain unauthorized access, leading to a potential breach or further malicious activities within the organization's network. As the Citrix Bleed vulnerability can disclose session tokens, a successful exploit can allow attackers to impersonate legitimate users, bypassing authentication mechanisms and accessing sensitive data or systems. \ -If a true positive is confirmed, it implies that an attacker is actively exploiting the vulnerability within the organization's environment. This could lead to severe consequences, including unauthorized data access, further propagation within the network, and potential disruptions or exfiltration of critical information. \ -Upon flagging such activity, it's crucial for analysts to swiftly validate the alert, assess the nature and extent of the exposure, and implement necessary measures to mitigate the threat. Reviewing the details such as user agent, source, and destination IP can help in understanding the context and intent of the attack. While it's imperative to patch vulnerable systems to prevent this exploitation, early detection through this analytic provides a valuable layer of defense, enabling timely response to thwart potential breaches. -action.escu.how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. We recommend hunting in the environment first to understand the scope of the issue and then deploying this detection to monitor for future exploitation attempts. Limit or restrict to Citrix devices only if possible. -action.escu.known_false_positives = False positives may be present based on organization use of Citrix ADC and Gateway. Filter, or restrict the analytic to Citrix devices only. -action.escu.creation_date = 2023-10-24 -action.escu.modification_date = 2023-10-24 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Citrix ADC and Gateway Unauthorized Data Disclosure - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966"] -action.risk = 1 -action.risk.param._risk_message = Possible exploitation of Citrix Bleed vulnerability against $dest$ fron $src$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 90}, {"threat_object_field": "src", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Citrix ADC and Gateway Unauthorized Data Disclosure - Rule -action.correlationsearch.annotations = {"analytic_story": ["Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966"], "cis20": ["CIS 13"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "b593cac5-dd20-4358-972a-d945fefdaf17", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects attempts to exploit the Citrix Bleed vulnerability, which can lead to the leaking of session tokens. The vulnerability, identified as CVE-2023-4966, pertains to sensitive information disclosure in NetScaler ADC and NetScaler Gateway when set up as various server configurations. The analytic specifically searches for HTTP requests with a 200 status code targeting the /oauth/idp/.well-known/openid-configuration URL endpoint. By parsing web traffic and filtering based on the aforementioned criteria along with specific user agent details, HTTP method, source and destination IPs, and the sourcetype, the analytic aims to identify potentially malicious requests that fit the profile of this exploit. \ -This behavior is essential for a Security Operations Center (SOC) to identify because if successfully exploited, attackers can gain unauthorized access, leading to a potential breach or further malicious activities within the organization's network. As the Citrix Bleed vulnerability can disclose session tokens, a successful exploit can allow attackers to impersonate legitimate users, bypassing authentication mechanisms and accessing sensitive data or systems. \ -If a true positive is confirmed, it implies that an attacker is actively exploiting the vulnerability within the organization's environment. This could lead to severe consequences, including unauthorized data access, further propagation within the network, and potential disruptions or exfiltration of critical information. \ -Upon flagging such activity, it's crucial for analysts to swiftly validate the alert, assess the nature and extent of the exposure, and implement necessary measures to mitigate the threat. Reviewing the details such as user agent, source, and destination IP can help in understanding the context and intent of the attack. While it's imperative to patch vulnerable systems to prevent this exploitation, early detection through this analytic provides a valuable layer of defense, enabling timely response to thwart potential breaches. -action.notable.param.rule_title = Citrix ADC and Gateway Unauthorized Data Disclosure -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*/oauth/idp/.well-known/openid-configuration*") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `citrix_adc_and_gateway_unauthorized_data_disclosure_filter` - -[ESCU - Citrix ADC Exploitation CVE-2023-3519 - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is designed to assist in hunting for potential exploitation attempts against Citrix ADC in relation to CVE-2023-3519. This vulnerability, identified within Citrix ADC and NetScaler Gateway, appears to be linked with SAML processing components, with an overflow issue allowing for possible memory corruption. Preliminary findings indicate that for the exploit to be viable, SAML has to be enabled. The analytic targets POST requests to certain web endpoints which have been associated with the exploitation process. \ -Given the specific nature of the vulnerability, upon deploying this analytic it is recommended to filter and narrow the focus towards your ADC assets to reduce potential noise and improve the signal of the analytic. Please note that the exploitation of this vulnerability has been reported in the wild, therefore monitoring for potential signs of exploitation should be considered high priority. \ -The search query provided examines web data for POST requests made to specific URLs associated with the exploitation of this vulnerability. It aggregates and presents data to highlight potential exploitation attempts, taking into account elements like user agent, HTTP method, URL length, source, and destination. \ -Please be aware that this analytic is based on current understanding of the vulnerability, and adjustments may be required as more information becomes available. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.AE"]} -action.escu.data_models = ["Web"] -action.escu.eli5 = This analytic is designed to assist in hunting for potential exploitation attempts against Citrix ADC in relation to CVE-2023-3519. This vulnerability, identified within Citrix ADC and NetScaler Gateway, appears to be linked with SAML processing components, with an overflow issue allowing for possible memory corruption. Preliminary findings indicate that for the exploit to be viable, SAML has to be enabled. The analytic targets POST requests to certain web endpoints which have been associated with the exploitation process. \ -Given the specific nature of the vulnerability, upon deploying this analytic it is recommended to filter and narrow the focus towards your ADC assets to reduce potential noise and improve the signal of the analytic. Please note that the exploitation of this vulnerability has been reported in the wild, therefore monitoring for potential signs of exploitation should be considered high priority. \ -The search query provided examines web data for POST requests made to specific URLs associated with the exploitation of this vulnerability. It aggregates and presents data to highlight potential exploitation attempts, taking into account elements like user agent, HTTP method, URL length, source, and destination. \ -Please be aware that this analytic is based on current understanding of the vulnerability, and adjustments may be required as more information becomes available. -action.escu.how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. -action.escu.known_false_positives = False positives may be present based on organization use of SAML utilities. Filter, or restrict the analytic to Citrix devices only. -action.escu.creation_date = 2023-07-21 -action.escu.modification_date = 2023-07-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Citrix ADC Exploitation CVE-2023-3519 - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Citrix Netscaler ADC CVE-2023-3519"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Citrix ADC Exploitation CVE-2023-3519 - Rule -action.correlationsearch.annotations = {"analytic_story": ["Citrix Netscaler ADC CVE-2023-3519"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2023-3519"], "impact": 90, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "76ac2dcb-333c-4a77-8ae9-2720cfae47a8", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*/saml/login","/cgi/samlauth","*/saml/activelogin","/cgi/samlart?samlart=*","*/cgi/logout","/gwtest/formssso?event=start&target=*","/netscaler/ns_gui/vpn/*") Web.http_method=POST by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `citrix_adc_exploitation_cve_2023_3519_filter` - -[ESCU - Citrix ShareFile Exploitation CVE-2023-24489 - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects a potentially malicious file upload attempt to Documentum, an enterprise content management platform, via specific suspicious URLs and the HTTP POST method. This detection occurs through pattern recognition within the datamodel=Web, focusing on URL patterns that follow "/documentum/upload.aspx?parentid=", "/documentum/upload.aspx?filename=", "/documentum/upload.aspx?uploadId=*", combined with the HTTP POST method, indicative of a file upload attempt. \ -This behavior is significant for a Security Operations Center (SOC) to identify, as it can signify a potential attack vector. Malicious actors might use this method to upload a harmful script or other exploitable content to Documentum, thereby establishing a foothold in the environment, spreading malware, or enabling further exploitation. \ -The impact of this behavior, if a true positive, can be quite significant. An attacker could compromise the Documentum application, manipulate or steal sensitive content, and potentially gain unauthorized access to other system resources. An intrusion of this nature could disrupt business operations, result in data breaches, and even damage the organization's reputation. \ -However, it's important to note that false positives may occur. For example, legitimate but uncommon file uploads might match these URL patterns. It's crucial to verify any alerts generated by this analytic to ensure accurate threat detection. This analytic provides critical insights into potential attack attempts and assists in maintaining the integrity and security of enterprise content management systems like Documentum. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.AE"]} -action.escu.data_models = ["Web"] -action.escu.eli5 = The following analytic detects a potentially malicious file upload attempt to Documentum, an enterprise content management platform, via specific suspicious URLs and the HTTP POST method. This detection occurs through pattern recognition within the datamodel=Web, focusing on URL patterns that follow "/documentum/upload.aspx?parentid=", "/documentum/upload.aspx?filename=", "/documentum/upload.aspx?uploadId=*", combined with the HTTP POST method, indicative of a file upload attempt. \ -This behavior is significant for a Security Operations Center (SOC) to identify, as it can signify a potential attack vector. Malicious actors might use this method to upload a harmful script or other exploitable content to Documentum, thereby establishing a foothold in the environment, spreading malware, or enabling further exploitation. \ -The impact of this behavior, if a true positive, can be quite significant. An attacker could compromise the Documentum application, manipulate or steal sensitive content, and potentially gain unauthorized access to other system resources. An intrusion of this nature could disrupt business operations, result in data breaches, and even damage the organization's reputation. \ -However, it's important to note that false positives may occur. For example, legitimate but uncommon file uploads might match these URL patterns. It's crucial to verify any alerts generated by this analytic to ensure accurate threat detection. This analytic provides critical insights into potential attack attempts and assists in maintaining the integrity and security of enterprise content management systems like Documentum. -action.escu.how_to_implement = Dependent upon the placement of the ShareFile application, ensure the latest Technology Add-On is eneabled. This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. The ShareFile application is IIS based, therefore ingesting IIS logs and reviewing for the same pattern would identify this activity, successful or not. -action.escu.known_false_positives = False positives may be present, filtering may be needed. Also, restricting to known web servers running IIS or ShareFile will change this from Hunting to TTP. -action.escu.creation_date = 2023-07-26 -action.escu.modification_date = 2023-07-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Citrix ShareFile Exploitation CVE-2023-24489 - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Citrix ShareFile RCE CVE-2023-24489"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Citrix ShareFile Exploitation CVE-2023-24489 - Rule -action.correlationsearch.annotations = {"analytic_story": ["Citrix ShareFile RCE CVE-2023-24489"], "cis20": ["CIS 13"], "confidence": 50, "cve": ["CVE-2023-24489"], "impact": 90, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "172c59f2-5fae-45e5-8e51-94445143e93f", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url="/documentum/upload.aspx?*" AND Web.url IN ("*parentid=*","*filename=*","*uploadId=*") AND Web.url IN ("*unzip=*", "*raw=*") Web.http_method=POST by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `citrix_sharefile_exploitation_cve_2023_24489_filter` - -[ESCU - Confluence CVE-2023-22515 Trigger Vulnerability - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies potential exploitation attempts on a known vulnerability in Atlassian Confluence, targeting the /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false* and /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=0& URLs. By analyzing web logs within the Splunk 'Web' Data Model, it filters for successful accesses (HTTP status 200) to these vulnerable endpoints. Such behavior is crucial for a SOC to monitor, as it suggests attackers might be exploiting a privilege escalation flaw in Confluence. A true positive implies a possible unauthorized access or account creation with escalated privileges. Key details captured include user-agent, HTTP methods, URL length, and source and destination IPs. These insights aid SOCs in swiftly detecting and responding to threats, ensuring vulnerabilities are mitigated before substantial compromise. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} -action.escu.data_models = ["Web"] -action.escu.eli5 = The following analytic identifies potential exploitation attempts on a known vulnerability in Atlassian Confluence, targeting the /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false* and /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=0& URLs. By analyzing web logs within the Splunk 'Web' Data Model, it filters for successful accesses (HTTP status 200) to these vulnerable endpoints. Such behavior is crucial for a SOC to monitor, as it suggests attackers might be exploiting a privilege escalation flaw in Confluence. A true positive implies a possible unauthorized access or account creation with escalated privileges. Key details captured include user-agent, HTTP methods, URL length, and source and destination IPs. These insights aid SOCs in swiftly detecting and responding to threats, ensuring vulnerabilities are mitigated before substantial compromise. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel. Tested with Suricata and nginx:plus:kv. -action.escu.known_false_positives = False positives may be present with legitimate applications. Attempt to filter by dest IP or use Asset groups to restrict to Confluence servers. -action.escu.creation_date = 2023-10-23 -action.escu.modification_date = 2023-10-23 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Confluence CVE-2023-22515 Trigger Vulnerability - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server"] -action.risk = 1 -action.risk.param._risk_message = Potential exploitation attempts on a known vulnerability in Atlassian Confluence detected. The source IP is $src$ and the destination hostname is $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}, {"threat_object_field": "src", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Confluence CVE-2023-22515 Trigger Vulnerability - Rule -action.correlationsearch.annotations = {"analytic_story": ["CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server"], "cis20": ["CIS 13"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "630ea8b2-2800-4f5d-9cbc-d65c567349b0", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies potential exploitation attempts on a known vulnerability in Atlassian Confluence, targeting the /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false* and /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=0& URLs. By analyzing web logs within the Splunk 'Web' Data Model, it filters for successful accesses (HTTP status 200) to these vulnerable endpoints. Such behavior is crucial for a SOC to monitor, as it suggests attackers might be exploiting a privilege escalation flaw in Confluence. A true positive implies a possible unauthorized access or account creation with escalated privileges. Key details captured include user-agent, HTTP methods, URL length, and source and destination IPs. These insights aid SOCs in swiftly detecting and responding to threats, ensuring vulnerabilities are mitigated before substantial compromise. -action.notable.param.rule_title = Confluence CVE-2023-22515 Trigger Vulnerability -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*/server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false*","*/server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=0&*") Web.http_method=GET Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `confluence_cve_2023_22515_trigger_vulnerability_filter` - -[ESCU - Confluence Data Center and Server Privilege Escalation - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies potential exploitation attempts on a known vulnerability in Atlassian Confluence, targeting the /setup/*.action* URL pattern. By analyzing web logs within the Splunk 'Web' Data Model, it filters for successful accesses (HTTP status 200) to these vulnerable endpoints. Such behavior is crucial for a SOC to monitor, as it suggests attackers might be exploiting a privilege escalation flaw in Confluence. A true positive implies a possible unauthorized access or account creation with escalated privileges. Key details captured include user-agent, HTTP methods, URL length, and source and destination IPs. These insights aid SOCs in swiftly detecting and responding to threats, ensuring vulnerabilities are mitigated before substantial compromise. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} -action.escu.data_models = ["Web"] -action.escu.eli5 = The following analytic identifies potential exploitation attempts on a known vulnerability in Atlassian Confluence, targeting the /setup/*.action* URL pattern. By analyzing web logs within the Splunk 'Web' Data Model, it filters for successful accesses (HTTP status 200) to these vulnerable endpoints. Such behavior is crucial for a SOC to monitor, as it suggests attackers might be exploiting a privilege escalation flaw in Confluence. A true positive implies a possible unauthorized access or account creation with escalated privileges. Key details captured include user-agent, HTTP methods, URL length, and source and destination IPs. These insights aid SOCs in swiftly detecting and responding to threats, ensuring vulnerabilities are mitigated before substantial compromise. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel. -action.escu.known_false_positives = False positives may be present with legitimate applications. Attempt to filter by dest IP or use Asset groups to restrict to confluence servers. -action.escu.creation_date = 2023-10-18 -action.escu.modification_date = 2023-10-18 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Confluence Data Center and Server Privilege Escalation - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server", "Confluence Data Center and Confluence Server Vulnerabilities"] -action.risk = 1 -action.risk.param._risk_message = Potential exploitation attempts on a known vulnerability in Atlassian Confluence detected. The source IP is $src$ and the destination hostname is $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}, {"threat_object_field": "src", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Confluence Data Center and Server Privilege Escalation - Rule -action.correlationsearch.annotations = {"analytic_story": ["CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server", "Confluence Data Center and Confluence Server Vulnerabilities"], "cis20": ["CIS 13"], "confidence": 80, "cve": ["CVE-2023-22518"], "impact": 90, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "115bebac-0976-4f7d-a3ec-d1fb45a39a11", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies potential exploitation attempts on a known vulnerability in Atlassian Confluence, targeting the /setup/*.action* URL pattern. By analyzing web logs within the Splunk 'Web' Data Model, it filters for successful accesses (HTTP status 200) to these vulnerable endpoints. Such behavior is crucial for a SOC to monitor, as it suggests attackers might be exploiting a privilege escalation flaw in Confluence. A true positive implies a possible unauthorized access or account creation with escalated privileges. Key details captured include user-agent, HTTP methods, URL length, and source and destination IPs. These insights aid SOCs in swiftly detecting and responding to threats, ensuring vulnerabilities are mitigated before substantial compromise. -action.notable.param.rule_title = Confluence Data Center and Server Privilege Escalation -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*/setup/setupadministrator.action*", "*/setup/finishsetup.action*", "*/json/setup-restore-local.action*", "*/json/setup-restore-progress.action*", "*/json/setup-restore.action*", "*/bootstrap/selectsetupstep.action*") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `confluence_data_center_and_server_privilege_escalation_filter` - -[ESCU - Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527 - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic identifies a critical template injection vulnerability (CVE-2023-22527) in outdated versions of Confluence Data Center and Server, which allows an unauthenticated attacker to execute arbitrary code remotely. The vulnerability is exploited by injecting OGNL (Object-Graph Navigation Language) expressions into the application, as evidenced by POST requests to the "/template/aui/text-inline.vm" endpoint with specific content types and payloads. The search looks for POST requests with HTTP status codes 200 or 202, which may indicate successful exploitation attempts. Immediate patching to the latest version of Confluence is strongly recommended, as there are no known workarounds. This detection is crucial for identifying and responding to potential RCE attacks, ensuring that affected Confluence instances are secured against this critical threat. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} -action.escu.data_models = ["Web"] -action.escu.eli5 = This analytic identifies a critical template injection vulnerability (CVE-2023-22527) in outdated versions of Confluence Data Center and Server, which allows an unauthenticated attacker to execute arbitrary code remotely. The vulnerability is exploited by injecting OGNL (Object-Graph Navigation Language) expressions into the application, as evidenced by POST requests to the "/template/aui/text-inline.vm" endpoint with specific content types and payloads. The search looks for POST requests with HTTP status codes 200 or 202, which may indicate successful exploitation attempts. Immediate patching to the latest version of Confluence is strongly recommended, as there are no known workarounds. This detection is crucial for identifying and responding to potential RCE attacks, ensuring that affected Confluence instances are secured against this critical threat. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel. -action.escu.known_false_positives = False positives may be present with legitimate applications. Attempt to filter by dest IP or use Asset groups to restrict to confluence servers. -action.escu.creation_date = 2024-01-22 -action.escu.modification_date = 2024-01-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527 - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Confluence Data Center and Confluence Server Vulnerabilities"] -action.risk = 1 -action.risk.param._risk_message = Exploitation attempts on a known vulnerability in Atlassian Confluence detected. The source IP is $src$ and the destination hostname is $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 81}, {"threat_object_field": "src", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527 - Rule -action.correlationsearch.annotations = {"analytic_story": ["Confluence Data Center and Confluence Server Vulnerabilities"], "cis20": ["CIS 13"], "confidence": 90, "cve": ["CVE-2023-22527"], "impact": 90, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "f56936c0-ae6f-4eeb-91ff-ecc1448c6105", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic identifies a critical template injection vulnerability (CVE-2023-22527) in outdated versions of Confluence Data Center and Server, which allows an unauthenticated attacker to execute arbitrary code remotely. The vulnerability is exploited by injecting OGNL (Object-Graph Navigation Language) expressions into the application, as evidenced by POST requests to the "/template/aui/text-inline.vm" endpoint with specific content types and payloads. The search looks for POST requests with HTTP status codes 200 or 202, which may indicate successful exploitation attempts. Immediate patching to the latest version of Confluence is strongly recommended, as there are no known workarounds. This detection is crucial for identifying and responding to potential RCE attacks, ensuring that affected Confluence instances are secured against this critical threat. -action.notable.param.rule_title = Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527 -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url="*/template/aui/text-inline.vm*" Web.http_method=POST Web.status IN (200, 202) by Web.src, Web.dest, Web.http_user_agent, Web.url, Web.status | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `confluence_pre_auth_rce_via_ognl_injection_cve_2023_22527_filter` - -[ESCU - Confluence Unauthenticated Remote Code Execution CVE-2022-26134 - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic assists with identifying CVE-2022-26134 based exploitation utilizing the Web datamodel to cover network and CIM compliant web logs. The parameters were captured from live scanning and the POC provided by Rapid7. This analytic is written against multiple proof of concept codes released and seen in the wild (scanning). During triage, review any endpoint based logs for further activity including writing a jsp file to disk and commands/processes spawning running as root from the Confluence process. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1505", "T1190", "T1133"], "nist": ["DE.CM"]} -action.escu.data_models = ["Web"] -action.escu.eli5 = The following analytic assists with identifying CVE-2022-26134 based exploitation utilizing the Web datamodel to cover network and CIM compliant web logs. The parameters were captured from live scanning and the POC provided by Rapid7. This analytic is written against multiple proof of concept codes released and seen in the wild (scanning). During triage, review any endpoint based logs for further activity including writing a jsp file to disk and commands/processes spawning running as root from the Confluence process. -action.escu.how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache or Splunk for Nginx. In addition, network based logs or event data like PAN Threat. -action.escu.known_false_positives = Tune based on assets if possible, or restrict to known Confluence servers. Remove the ${ for a more broad query. To identify more exec, remove everything up to the last parameter (Runtime().exec) for a broad query. -action.escu.creation_date = 2022-06-03 -action.escu.modification_date = 2022-06-03 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Confluence Unauthenticated Remote Code Execution CVE-2022-26134 - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Atlassian Confluence Server and Data Center CVE-2022-26134", "Confluence Data Center and Confluence Server Vulnerabilities"] -action.risk = 1 -action.risk.param._risk_message = A URL was requested related to CVE-2022-26134, a unauthenticated remote code execution vulnerability, on $dest$ by $src$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 100}, {"threat_object_field": "src", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Confluence Unauthenticated Remote Code Execution CVE-2022-26134 - Rule -action.correlationsearch.annotations = {"analytic_story": ["Atlassian Confluence Server and Data Center CVE-2022-26134", "Confluence Data Center and Confluence Server Vulnerabilities"], "cis20": ["CIS 13"], "confidence": 100, "cve": ["CVE-2022-26134"], "impact": 100, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1505", "T1190", "T1133"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "fcf4bd3f-a79f-4b7a-83bf-2692d60b859c", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic assists with identifying CVE-2022-26134 based exploitation utilizing the Web datamodel to cover network and CIM compliant web logs. The parameters were captured from live scanning and the POC provided by Rapid7. This analytic is written against multiple proof of concept codes released and seen in the wild (scanning). During triage, review any endpoint based logs for further activity including writing a jsp file to disk and commands/processes spawning running as root from the Confluence process. -action.notable.param.rule_title = Confluence Unauthenticated Remote Code Execution CVE-2022-26134 -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*${*", "*%2F%7B*") (Web.url="*org.apache.commons.io.IOUtils*" Web.url="*java.lang.Runtime@getRuntime().exec*") OR (Web.url="*java.lang.Runtime%40getRuntime%28%29.exec*") OR (Web.url="*getEngineByName*" AND Web.url="*nashorn*" AND Web.url="*ProcessBuilder*") by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `confluence_unauthenticated_remote_code_execution_cve_2022_26134_filter` - -[ESCU - ConnectWise ScreenConnect Authentication Bypass - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1709 vulnerability, which allows an attacker to bypass authentication using an alternate path or channel. The vulnerability, identified as critical with a CVSS score of 10, enables unauthorized users to access the SetupWizard.aspx page on already-configured ScreenConnect instances, potentially leading to the creation of administrative users and remote code execution. The search query provided looks for web requests to the SetupWizard.aspx page that could indicate exploitation attempts. This detection is crucial for identifying and responding to active exploitation of this vulnerability in environments running affected versions of ScreenConnect (23.9.7 and prior). It is recommended to update to version 23.9.8 or above immediately to remediate the issue, as detailed in the ConnectWise security advisory and further analyzed by Huntress researchers. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} -action.escu.data_models = ["Web"] -action.escu.eli5 = This analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1709 vulnerability, which allows an attacker to bypass authentication using an alternate path or channel. The vulnerability, identified as critical with a CVSS score of 10, enables unauthorized users to access the SetupWizard.aspx page on already-configured ScreenConnect instances, potentially leading to the creation of administrative users and remote code execution. The search query provided looks for web requests to the SetupWizard.aspx page that could indicate exploitation attempts. This detection is crucial for identifying and responding to active exploitation of this vulnerability in environments running affected versions of ScreenConnect (23.9.7 and prior). It is recommended to update to version 23.9.8 or above immediately to remediate the issue, as detailed in the ConnectWise security advisory and further analyzed by Huntress researchers. -action.escu.how_to_implement = To implement this analytic, ensure proper logging is occurring with IIS, Apache, or a Proxy server and that these logs are being ingested into Splunk. The analytic was written against Suricata. The proper TA will need to be enabled and should be mapped to CIM and the Web datamodel. Ingestion of the data source is required to utilize this detection. In addition, if it is not mapped to the datamodel, modify the query for your application logs to look for requests the same URI and investigate further. -action.escu.known_false_positives = False positives are not expected, as the detection is based on the presence of web requests to the SetupWizard.aspx page, which is not a common page to be accessed by legitimate users. Note that the analytic is limited to HTTP POST and a status of 200 to reduce false positives. Modify the query as needed to reduce false positives or hunt for additional indicators of compromise. -action.escu.creation_date = 2024-02-23 -action.escu.modification_date = 2024-02-23 -action.escu.confidence = high -action.escu.full_search_name = ESCU - ConnectWise ScreenConnect Authentication Bypass - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["ConnectWise ScreenConnect Vulnerabilities"] -action.risk = 1 -action.risk.param._risk_message = An authentication bypass attempt against ScreenConnect has been detected on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 100}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - ConnectWise ScreenConnect Authentication Bypass - Rule -action.correlationsearch.annotations = {"analytic_story": ["ConnectWise ScreenConnect Vulnerabilities"], "cis20": ["CIS 13"], "confidence": 100, "cve": ["CVE-2024-1708", "CVE-2024-1709"], "impact": 100, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "d3f7a803-e802-448b-8eb2-e796b223bfff", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1709 vulnerability, which allows an attacker to bypass authentication using an alternate path or channel. The vulnerability, identified as critical with a CVSS score of 10, enables unauthorized users to access the SetupWizard.aspx page on already-configured ScreenConnect instances, potentially leading to the creation of administrative users and remote code execution. The search query provided looks for web requests to the SetupWizard.aspx page that could indicate exploitation attempts. This detection is crucial for identifying and responding to active exploitation of this vulnerability in environments running affected versions of ScreenConnect (23.9.7 and prior). It is recommended to update to version 23.9.8 or above immediately to remediate the issue, as detailed in the ConnectWise security advisory and further analyzed by Huntress researchers. -action.notable.param.rule_title = ConnectWise ScreenConnect Authentication Bypass -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*/SetupWizard.aspx/*","*/SetupWizard/") Web.status=200 Web.http_method=POST by Web.src, Web.dest, Web.http_user_agent, Web.url, Web.status, Web.http_method, sourcetype, source | rex field=Web.url "/SetupWizard.aspx/(?.+)" | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `connectwise_screenconnect_authentication_bypass_filter` - -[ESCU - Detect attackers scanning for vulnerable JBoss servers - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies specific GET or HEAD requests to web servers that indicate reconnaissance attempts to find vulnerable JBoss servers. It leverages data from the Web data model, focusing on HTTP methods and URLs associated with JBoss management interfaces. This activity is significant because it often precedes exploitation attempts using tools like JexBoss, which can compromise the server. If confirmed malicious, attackers could gain unauthorized access, execute arbitrary code, or escalate privileges, leading to potential data breaches and system compromise. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1082", "T1133"], "nist": ["DE.CM"]} -action.escu.data_models = ["Web"] -action.escu.eli5 = The following analytic identifies specific GET or HEAD requests to web servers that indicate reconnaissance attempts to find vulnerable JBoss servers. It leverages data from the Web data model, focusing on HTTP methods and URLs associated with JBoss management interfaces. This activity is significant because it often precedes exploitation attempts using tools like JexBoss, which can compromise the server. If confirmed malicious, attackers could gain unauthorized access, execute arbitrary code, or escalate privileges, leading to potential data breaches and system compromise. -action.escu.how_to_implement = You must be ingesting data from the web server or network traffic that contains web specific information, and populating the Web data model. -action.escu.known_false_positives = It's possible for legitimate HTTP requests to be made to URLs containing the suspicious paths. -action.escu.creation_date = 2024-05-19 -action.escu.modification_date = 2024-05-19 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect attackers scanning for vulnerable JBoss servers - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["JBoss Vulnerability", "SamSam Ransomware"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Detect attackers scanning for vulnerable JBoss servers - Rule -action.correlationsearch.annotations = {"analytic_story": ["JBoss Vulnerability", "SamSam Ransomware"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1082", "T1133"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "104658f4-afdc-499e-9719-17243f982681", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies specific GET or HEAD requests to web servers that indicate reconnaissance attempts to find vulnerable JBoss servers. It leverages data from the Web data model, focusing on HTTP methods and URLs associated with JBoss management interfaces. This activity is significant because it often precedes exploitation attempts using tools like JexBoss, which can compromise the server. If confirmed malicious, attackers could gain unauthorized access, execute arbitrary code, or escalate privileges, leading to potential data breaches and system compromise. -action.notable.param.rule_title = Detect attackers scanning for vulnerable JBoss servers -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where (Web.http_method="GET" OR Web.http_method="HEAD") AND (Web.url="*/web-console/ServerInfo.jsp*" OR Web.url="*web-console*" OR Web.url="*jmx-console*" OR Web.url = "*invoker*") by Web.http_method, Web.url, Web.src, Web.dest | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_attackers_scanning_for_vulnerable_jboss_servers_filter` - -[ESCU - Detect F5 TMUI RCE CVE-2020-5902 - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies remote code execution (RCE) attempts targeting F5 BIG-IP, BIG-IQ, and Traffix SDC devices, specifically exploiting CVE-2020-5902. It uses regex to detect patterns in syslog data that match known exploit strings such as "hsqldb;" and directory traversal sequences. This activity is significant because successful exploitation can allow attackers to execute arbitrary commands on the affected devices, leading to full system compromise. If confirmed malicious, this could result in unauthorized access, data exfiltration, or further lateral movement within the network. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies remote code execution (RCE) attempts targeting F5 BIG-IP, BIG-IQ, and Traffix SDC devices, specifically exploiting CVE-2020-5902. It uses regex to detect patterns in syslog data that match known exploit strings such as "hsqldb;" and directory traversal sequences. This activity is significant because successful exploitation can allow attackers to execute arbitrary commands on the affected devices, leading to full system compromise. If confirmed malicious, this could result in unauthorized access, data exfiltration, or further lateral movement within the network. -action.escu.how_to_implement = To consistently detect exploit attempts on F5 devices using the vulnerabilities contained within CVE-2020-5902 it is recommended to ingest logs via syslog. As many BIG-IP devices will have SSL enabled on their management interfaces, detections via wire data may not pick anything up unless you are decrypting SSL traffic in order to inspect it. I am using a regex string from a Cloudflare mitigation technique to try and always catch the offending string (..;), along with the other exploit of using (hsqldb;). -action.escu.known_false_positives = unknown -action.escu.creation_date = 2024-05-22 -action.escu.modification_date = 2024-05-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect F5 TMUI RCE CVE-2020-5902 - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["F5 TMUI RCE CVE-2020-5902"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Detect F5 TMUI RCE CVE-2020-5902 - Rule -action.correlationsearch.annotations = {"analytic_story": ["F5 TMUI RCE CVE-2020-5902"], "cis20": ["CIS 13"], "confidence": 50, "cve": ["CVE-2020-5902"], "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "810e4dbc-d46e-11ea-87d0-0242ac130003", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies remote code execution (RCE) attempts targeting F5 BIG-IP, BIG-IQ, and Traffix SDC devices, specifically exploiting CVE-2020-5902. It uses regex to detect patterns in syslog data that match known exploit strings such as "hsqldb;" and directory traversal sequences. This activity is significant because successful exploitation can allow attackers to execute arbitrary commands on the affected devices, leading to full system compromise. If confirmed malicious, this could result in unauthorized access, data exfiltration, or further lateral movement within the network. -action.notable.param.rule_title = Detect F5 TMUI RCE CVE-2020-5902 -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `f5_bigip_rogue` | regex _raw="(hsqldb;|.*\\.\\.;.*)" | search `detect_f5_tmui_rce_cve_2020_5902_filter` - -[ESCU - Detect malicious requests to exploit JBoss servers - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies malicious HTTP requests targeting the jmx-console in JBoss servers. It detects unusually long URLs, indicative of embedded payloads, by analyzing web server logs for GET or HEAD requests with specific URL patterns and lengths. This activity is significant as it may indicate an attempt to exploit JBoss vulnerabilities, potentially leading to unauthorized remote code execution. If confirmed malicious, attackers could gain control over the server, escalate privileges, and compromise sensitive data, posing a severe threat to the organization's security. -action.escu.mappings = {"cis20": ["CIS 13"], "nist": ["DE.CM"]} -action.escu.data_models = ["Web"] -action.escu.eli5 = The following analytic identifies malicious HTTP requests targeting the jmx-console in JBoss servers. It detects unusually long URLs, indicative of embedded payloads, by analyzing web server logs for GET or HEAD requests with specific URL patterns and lengths. This activity is significant as it may indicate an attempt to exploit JBoss vulnerabilities, potentially leading to unauthorized remote code execution. If confirmed malicious, attackers could gain control over the server, escalate privileges, and compromise sensitive data, posing a severe threat to the organization's security. -action.escu.how_to_implement = You must ingest data from the web server or capture network data that contains web specific information with solutions such as Bro or Splunk Stream, and populating the Web data model -action.escu.known_false_positives = No known false positives for this detection. -action.escu.creation_date = 2024-05-19 -action.escu.modification_date = 2024-05-19 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect malicious requests to exploit JBoss servers - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["JBoss Vulnerability", "SamSam Ransomware"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Detect malicious requests to exploit JBoss servers - Rule -action.correlationsearch.annotations = {"analytic_story": ["JBoss Vulnerability", "SamSam Ransomware"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c8bff7a4-11ea-4416-a27d-c5bca472913d", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies malicious HTTP requests targeting the jmx-console in JBoss servers. It detects unusually long URLs, indicative of embedded payloads, by analyzing web server logs for GET or HEAD requests with specific URL patterns and lengths. This activity is significant as it may indicate an attempt to exploit JBoss vulnerabilities, potentially leading to unauthorized remote code execution. If confirmed malicious, attackers could gain control over the server, escalate privileges, and compromise sensitive data, posing a severe threat to the organization's security. -action.notable.param.rule_title = Detect malicious requests to exploit JBoss servers -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where (Web.http_method="GET" OR Web.http_method="HEAD") by Web.http_method, Web.url,Web.url_length Web.src, Web.dest | search Web.url="*jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin*import*" AND Web.url_length > 200 | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table src, dest_ip, http_method, url, firstTime, lastTime | `detect_malicious_requests_to_exploit_jboss_servers_filter` - -[ESCU - Detect Remote Access Software Usage URL - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects when a known remote access software is executed with the environment. Adversaries use these utilities to retain remote access capabilities to the environment. Utilities in the lookup include AnyDesk, GoToMyPC, LogMeIn, TeamViewer and much more. Review the lookup for the entire list and add any others. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1219"], "nist": ["DE.AE"]} -action.escu.data_models = ["Web"] -action.escu.eli5 = The following analytic detects when a known remote access software is executed with the environment. Adversaries use these utilities to retain remote access capabilities to the environment. Utilities in the lookup include AnyDesk, GoToMyPC, LogMeIn, TeamViewer and much more. Review the lookup for the entire list and add any others. -action.escu.how_to_implement = The detection is based on data that originates from network logs. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the network logs. The logs must also be mapped to the `Web` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = It is possible that legitimate remote access software is used within the environment. Ensure that the lookup is reviewed and updated with any additional remote access software that is used within the environment. -action.escu.creation_date = 2024-02-22 -action.escu.modification_date = 2024-02-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Detect Remote Access Software Usage URL - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Command And Control", "Insider Threat", "Ransomware"] -action.risk = 1 -action.risk.param._risk_message = A domain for a known remote access software $url_domain$ was contacted by $src$. -action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "system", "risk_score": 25}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "url_domain", "risk_object_type": "other", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Detect Remote Access Software Usage URL - Rule -action.correlationsearch.annotations = {"analytic_story": ["Command And Control", "Insider Threat", "Ransomware"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1219"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "9296f515-073c-43a5-88ec-eda5a4626654", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats count min(_time) as firstTime max(_time) as lastTime latest(Web.http_method) as http_method latest(Web.http_user_agent) as http_user_agent latest(Web.url) as url latest(Web.user) as user latest(Web.dest) as dest from datamodel=Web by Web.action Web.src Web.category Web.url_domain | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name("Web")` | lookup remote_access_software remote_domain AS url_domain OUTPUT isutility, description as signature, comment_reference as desc, category | search isutility = True | `detect_remote_access_software_usage_url_filter` - -[ESCU - Exploit Public Facing Application via Apache Commons Text - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies activity related to Text4Shell, or the critical vulnerability CVE-2022-42889 in Apache Commons Text Library. Apache Commons Text versions 1.5 through 1.9 are affected, but it has been patched in version 1.10. The analytic may need to be tuned for your environment before enabling as a TTP, or direct Notable. Apache Commons Text is a Java library described as a library focused on algorithms working on strings. We can see it as a general-purpose text manipulation toolkit. This vulnerability affects the StringSubstitutor interpolator class, which is included in the Commons Text library. A default interpolator allows for string lookups that can lead to Remote Code Execution. This is due to a logic flaw that makes the script, dns, and url lookup keys interpolated by default, as opposed to what it should be, according to the documentation of the StringLookupFactory class. Those keys allow an attacker to execute arbitrary code via lookups. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1505.003", "T1505", "T1190", "T1133"], "nist": ["DE.AE"]} -action.escu.data_models = ["Web"] -action.escu.eli5 = The following analytic identifies activity related to Text4Shell, or the critical vulnerability CVE-2022-42889 in Apache Commons Text Library. Apache Commons Text versions 1.5 through 1.9 are affected, but it has been patched in version 1.10. The analytic may need to be tuned for your environment before enabling as a TTP, or direct Notable. Apache Commons Text is a Java library described as a library focused on algorithms working on strings. We can see it as a general-purpose text manipulation toolkit. This vulnerability affects the StringSubstitutor interpolator class, which is included in the Commons Text library. A default interpolator allows for string lookups that can lead to Remote Code Execution. This is due to a logic flaw that makes the script, dns, and url lookup keys interpolated by default, as opposed to what it should be, according to the documentation of the StringLookupFactory class. Those keys allow an attacker to execute arbitrary code via lookups. -action.escu.how_to_implement = To implement, one must be collecting network traffic that is normalized in CIM and able to be queried via the Web datamodel. Or, take the chunks out needed and tie to a specific network source type to hunt in. Tune as needed, or remove the other_lookups statement. -action.escu.known_false_positives = False positives are present when the values are set to 1 for utf and lookup. It's possible to raise this to TTP (direct notable) if removal of other_lookups occur and Score is raised to 2 (down from 4). -action.escu.creation_date = 2024-05-21 -action.escu.modification_date = 2024-05-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Exploit Public Facing Application via Apache Commons Text - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Text4Shell CVE-2022-42889"] -action.risk = 1 -action.risk.param._risk_message = A URL was requested related to Text4Shell on $dest$ by $src$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"threat_object_field": "src", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Exploit Public Facing Application via Apache Commons Text - Rule -action.correlationsearch.annotations = {"analytic_story": ["Text4Shell CVE-2022-42889"], "cis20": ["CIS 13"], "confidence": 70, "cve": ["CVE-2022-42889"], "impact": 70, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1505.003", "T1505", "T1190", "T1133"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "19a481e0-c97c-4d14-b1db-75a708eb592e", "detection_version": "3"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.http_method IN (POST, GET) by Web.src Web.status Web.uri_path Web.dest Web.http_method Web.uri_query Web.http_user_agent | `drop_dm_object_name("Web")` | eval utf=if(like(lower(uri_query),"%:utf-8:http%"),2,0) | eval lookup = if(like(lower(uri_query), "%url%") OR like(lower(uri_query), "%dns%") OR like(lower(uri_query), "%script%"),2,0) | eval other_lookups = if(like(lower(uri_query), "%env%") OR like(lower(uri_query), "%file%") OR like(lower(uri_query), "%getRuntime%") OR like(lower(uri_query), "%java%") OR like(lower(uri_query), "%localhost%") OR like(lower(uri_query), "%properties%") OR like(lower(uri_query), "%resource%") OR like(lower(uri_query), "%sys%") OR like(lower(uri_query), "%xml%") OR like(lower(uri_query), "%base%"),1,0) | addtotals fieldname=Score utf lookup other_lookups | fields Score, src, dest, status, uri_query, uri_path, http_method, http_user_agent firstTime lastTime | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where Score >= 3 | `exploit_public_facing_application_via_apache_commons_text_filter` - -[ESCU - Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952 - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects attempts to exploit the Fortinet FortiNAC CVE-2022-39952 vulnerability. It identifies HTTP POST requests to the URI configWizard/keyUpload.jsp with a payload.zip file. The detection leverages the Web datamodel, analyzing fields such as URL, HTTP method, and user agent. This activity is significant as it indicates an attempt to exploit a known vulnerability, potentially leading to remote code execution. If confirmed malicious, attackers could gain control over the affected system, schedule malicious tasks, and establish persistent access via a remote command and control (C2) server. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} -action.escu.data_models = ["Web"] -action.escu.eli5 = The following analytic detects attempts to exploit the Fortinet FortiNAC CVE-2022-39952 vulnerability. It identifies HTTP POST requests to the URI configWizard/keyUpload.jsp with a payload.zip file. The detection leverages the Web datamodel, analyzing fields such as URL, HTTP method, and user agent. This activity is significant as it indicates an attempt to exploit a known vulnerability, potentially leading to remote code execution. If confirmed malicious, attackers could gain control over the affected system, schedule malicious tasks, and establish persistent access via a remote command and control (C2) server. -action.escu.how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. -action.escu.known_false_positives = False positives may be present. Modify the query as needed to POST, or add additional filtering (based on log source). -action.escu.creation_date = 2024-05-09 -action.escu.modification_date = 2024-05-09 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952 - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Fortinet FortiNAC CVE-2022-39952"] -action.risk = 1 -action.risk.param._risk_message = Potential CVE-2022-39952 against a Fortinet NAC may be occurring against $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952 - Rule -action.correlationsearch.annotations = {"analytic_story": ["Fortinet FortiNAC CVE-2022-39952"], "cis20": ["CIS 13"], "confidence": 80, "cve": ["CVE-2022-39952"], "impact": 80, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "2038f5c6-5aba-4221-8ae2-ca76e2ca8b97", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects attempts to exploit the Fortinet FortiNAC CVE-2022-39952 vulnerability. It identifies HTTP POST requests to the URI configWizard/keyUpload.jsp with a payload.zip file. The detection leverages the Web datamodel, analyzing fields such as URL, HTTP method, and user agent. This activity is significant as it indicates an attempt to exploit a known vulnerability, potentially leading to remote code execution. If confirmed malicious, attackers could gain control over the affected system, schedule malicious tasks, and establish persistent access via a remote command and control (C2) server. -action.notable.param.rule_title = Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952 -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*configWizard/keyUpload.jsp*") by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `exploit_public_facing_fortinet_fortinac_cve_2022_39952_filter` - -[ESCU - F5 TMUI Authentication Bypass - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic is designed to detect attempts to exploit the CVE-2023-46747 vulnerability, a critical authentication bypass flaw in F5 BIG-IP that can lead to unauthenticated remote code execution (RCE). This vulnerability specifically affects the BIG-IP Configuration utility (TMUI) and has been assigned a high severity CVSSv3 score of 9.8. The analytic identifies this behavior by monitoring for a specific URI path - "*/mgmt/tm/auth/user/*", with the PATCH method and 200 status. Additional URI's will occur around the same time include "*/mgmt/shared/authn/login*" and "*/tmui/login.jsp*", which are associated with the exploitation of this vulnerability. This behavior is significant for a Security Operations Center (SOC) as it indicates an attempt to bypass authentication mechanisms, potentially leading to unauthorized access and control over the system. If a true positive is identified, it suggests that an attacker is attempting to exploit a known vulnerability to gain unauthorized access and execute arbitrary code, which could lead to data theft, system disruption, or further malicious activities within the network. -action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.CM"]} -action.escu.data_models = ["Web"] -action.escu.eli5 = The following analytic is designed to detect attempts to exploit the CVE-2023-46747 vulnerability, a critical authentication bypass flaw in F5 BIG-IP that can lead to unauthenticated remote code execution (RCE). This vulnerability specifically affects the BIG-IP Configuration utility (TMUI) and has been assigned a high severity CVSSv3 score of 9.8. The analytic identifies this behavior by monitoring for a specific URI path - "*/mgmt/tm/auth/user/*", with the PATCH method and 200 status. Additional URI's will occur around the same time include "*/mgmt/shared/authn/login*" and "*/tmui/login.jsp*", which are associated with the exploitation of this vulnerability. This behavior is significant for a Security Operations Center (SOC) as it indicates an attempt to bypass authentication mechanisms, potentially leading to unauthorized access and control over the system. If a true positive is identified, it suggests that an attacker is attempting to exploit a known vulnerability to gain unauthorized access and execute arbitrary code, which could lead to data theft, system disruption, or further malicious activities within the network. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on Web traffic that include fields relevant for traffic into the `Web` datamodel. -action.escu.known_false_positives = False positives should be limited to as this is strict to active exploitation. Reduce noise by filtering to F5 devices with TMUI enabled or filter data as needed. -action.escu.creation_date = 2023-10-30 -action.escu.modification_date = 2023-10-30 -action.escu.confidence = high -action.escu.full_search_name = ESCU - F5 TMUI Authentication Bypass - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["F5 Authentication Bypass with TMUI"] -action.risk = 1 -action.risk.param._risk_message = Potential CVE-2023-46747 F5 TMUI Authentication Bypass may be occurring against $dest$ from $src$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 90}, {"threat_object_field": "src", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - F5 TMUI Authentication Bypass - Rule -action.correlationsearch.annotations = {"analytic_story": ["F5 Authentication Bypass with TMUI"], "cis20": ["CIS 10"], "confidence": 90, "cve": ["CVE-2023-46747"], "impact": 100, "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "88bf127c-613e-4579-99e4-c4d4b02f3840", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic is designed to detect attempts to exploit the CVE-2023-46747 vulnerability, a critical authentication bypass flaw in F5 BIG-IP that can lead to unauthenticated remote code execution (RCE). This vulnerability specifically affects the BIG-IP Configuration utility (TMUI) and has been assigned a high severity CVSSv3 score of 9.8. The analytic identifies this behavior by monitoring for a specific URI path - "*/mgmt/tm/auth/user/*", with the PATCH method and 200 status. Additional URI's will occur around the same time include "*/mgmt/shared/authn/login*" and "*/tmui/login.jsp*", which are associated with the exploitation of this vulnerability. This behavior is significant for a Security Operations Center (SOC) as it indicates an attempt to bypass authentication mechanisms, potentially leading to unauthorized access and control over the system. If a true positive is identified, it suggests that an attacker is attempting to exploit a known vulnerability to gain unauthorized access and execute arbitrary code, which could lead to data theft, system disruption, or further malicious activities within the network. -action.notable.param.rule_title = F5 TMUI Authentication Bypass -action.notable.param.security_domain = endpoint -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*/mgmt/tm/auth/user/*") Web.http_method=PATCH Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `f5_tmui_authentication_bypass_filter` - -[ESCU - Fortinet Appliance Auth bypass - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = CVE-2022-40684 is a Fortinet appliance auth bypass that is actively being exploited and a POC is released publicy. The POC adds a SSH key to the appliance. Note that the exploit can be used with any HTTP method (GET, POST, PUT, DELETE, etc). The REST API request failing is not an indication that an attacker was unsuccessful. Horizon3 was able to modify the admin SSH keys though a REST API request that reportedly failed. The collection /api/v2/ endpoints can be used to configure the system and modify the administrator user. Any logs found that meet the above conditions and also have a URL containing /api/v2/ should be cause for concern. Further investigation of any matching log entries can reveal any damage an attack has done. Additionally, an attacker may perform the following actions to further compromise a system Modify the admin SSH key to enable the attacker to login to the compromised system. \ -Add new local users. \ -Update networking configurations to reroute traffic. \ -Download the system configuration. \ -Initiate packet captures to capture other sensitive system information. Reference Horizon3.ai -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} -action.escu.data_models = ["Web"] -action.escu.eli5 = CVE-2022-40684 is a Fortinet appliance auth bypass that is actively being exploited and a POC is released publicy. The POC adds a SSH key to the appliance. Note that the exploit can be used with any HTTP method (GET, POST, PUT, DELETE, etc). The REST API request failing is not an indication that an attacker was unsuccessful. Horizon3 was able to modify the admin SSH keys though a REST API request that reportedly failed. The collection /api/v2/ endpoints can be used to configure the system and modify the administrator user. Any logs found that meet the above conditions and also have a URL containing /api/v2/ should be cause for concern. Further investigation of any matching log entries can reveal any damage an attack has done. Additionally, an attacker may perform the following actions to further compromise a system Modify the admin SSH key to enable the attacker to login to the compromised system. \ -Add new local users. \ -Update networking configurations to reroute traffic. \ -Download the system configuration. \ -Initiate packet captures to capture other sensitive system information. Reference Horizon3.ai -action.escu.how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache. Splunk for Nginx, or Splunk for Palo Alto. -action.escu.known_false_positives = GET requests will be noisy and need to be filtered out or removed from the query based on volume. Restrict analytic to known publically facing Fortigates, or run analytic as a Hunt until properly tuned. It is also possible the user agent may be filtered on Report Runner or Node.js only for the exploit, however, it is unknown at this if other user agents may be used. -action.escu.creation_date = 2022-10-14 -action.escu.modification_date = 2022-10-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Fortinet Appliance Auth bypass - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["CVE-2022-40684 Fortinet Appliance Auth bypass"] -action.risk = 1 -action.risk.param._risk_message = Potential CVE-2022-40684 against a Fortinet appliance may be occurring against $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 81}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Fortinet Appliance Auth bypass - Rule -action.correlationsearch.annotations = {"analytic_story": ["CVE-2022-40684 Fortinet Appliance Auth bypass"], "cis20": ["CIS 13"], "confidence": 90, "cve": ["CVE-2022-40684"], "impact": 90, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a83122f2-fa09-4868-a230-544dbc54bc1c", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = CVE-2022-40684 is a Fortinet appliance auth bypass that is actively being exploited and a POC is released publicy. The POC adds a SSH key to the appliance. Note that the exploit can be used with any HTTP method (GET, POST, PUT, DELETE, etc). The REST API request failing is not an indication that an attacker was unsuccessful. Horizon3 was able to modify the admin SSH keys though a REST API request that reportedly failed. The collection /api/v2/ endpoints can be used to configure the system and modify the administrator user. Any logs found that meet the above conditions and also have a URL containing /api/v2/ should be cause for concern. Further investigation of any matching log entries can reveal any damage an attack has done. Additionally, an attacker may perform the following actions to further compromise a system Modify the admin SSH key to enable the attacker to login to the compromised system. \ -Add new local users. \ -Update networking configurations to reroute traffic. \ -Download the system configuration. \ -Initiate packet captures to capture other sensitive system information. Reference Horizon3.ai -action.notable.param.rule_title = Fortinet Appliance Auth bypass -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*/api/v2/cmdb/system/admin*") Web.http_method IN ("GET", "PUT") by Web.http_user_agent, Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `fortinet_appliance_auth_bypass_filter` - -[ESCU - Hunting for Log4Shell - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following hunting query assists with quickly assessing CVE-2021-44228, or Log4Shell, activity mapped to the Web Datamodel. This is a combination query attempting to identify, score and dashboard. Because the Log4Shell vulnerability requires the string to be in the logs, this will work to identify the activity anywhere in the HTTP headers using _raw. Modify the first line to use the same pattern matching against other log sources. Scoring is based on a simple rubric of 0-5. 5 being the best match, and less than 5 meant to identify additional patterns that will equate to a higher total score. \ -The first jndi match identifies the standard pattern of `{jndi:` \ -jndi_fastmatch is meant to identify any jndi in the logs. The score is set low and is meant to be the "base" score used later. \ -jndi_proto is a protocol match that identifies `jndi` and one of `ldap, ldaps, rmi, dns, nis, iiop, corba, nds, http, https.` \ -all_match is a very well written regex by https://gist.github.com/Schvenn that identifies nearly all patterns of this attack behavior. \ -env works to identify environment variables in the header, meant to capture `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `env`. \ -uri_detect is string match looking for the common uri paths currently being scanned/abused in the wild. \ -keywords matches on enumerated values that, like `$ctx:loginId`, that may be found in the header used by the adversary. \ -lookup matching is meant to catch some basic obfuscation that has been identified using upper, lower and date. \ -Scoring will then occur based on any findings. The base score is meant to be 2 , created by jndi_fastmatch. Everything else is meant to increase that score. \ -Finally, a simple table is created to show the scoring and the _raw field. Sort based on score or columns of interest. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.AE"]} -action.escu.data_models = ["Web"] -action.escu.eli5 = The following hunting query assists with quickly assessing CVE-2021-44228, or Log4Shell, activity mapped to the Web Datamodel. This is a combination query attempting to identify, score and dashboard. Because the Log4Shell vulnerability requires the string to be in the logs, this will work to identify the activity anywhere in the HTTP headers using _raw. Modify the first line to use the same pattern matching against other log sources. Scoring is based on a simple rubric of 0-5. 5 being the best match, and less than 5 meant to identify additional patterns that will equate to a higher total score. \ -The first jndi match identifies the standard pattern of `{jndi:` \ -jndi_fastmatch is meant to identify any jndi in the logs. The score is set low and is meant to be the "base" score used later. \ -jndi_proto is a protocol match that identifies `jndi` and one of `ldap, ldaps, rmi, dns, nis, iiop, corba, nds, http, https.` \ -all_match is a very well written regex by https://gist.github.com/Schvenn that identifies nearly all patterns of this attack behavior. \ -env works to identify environment variables in the header, meant to capture `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `env`. \ -uri_detect is string match looking for the common uri paths currently being scanned/abused in the wild. \ -keywords matches on enumerated values that, like `$ctx:loginId`, that may be found in the header used by the adversary. \ -lookup matching is meant to catch some basic obfuscation that has been identified using upper, lower and date. \ -Scoring will then occur based on any findings. The base score is meant to be 2 , created by jndi_fastmatch. Everything else is meant to increase that score. \ -Finally, a simple table is created to show the scoring and the _raw field. Sort based on score or columns of interest. -action.escu.how_to_implement = Out of the box, the Web datamodel is required to be pre-filled. However, tested was performed against raw httpd access logs. Change the first line to any dataset to pass the regex's against. -action.escu.known_false_positives = It is highly possible you will find false positives, however, the base score is set to 2 for _any_ jndi found in raw logs. tune and change as needed, include any filtering. -action.escu.creation_date = 2021-12-14 -action.escu.modification_date = 2021-12-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Hunting for Log4Shell - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["CISA AA22-320A", "Log4Shell CVE-2021-44228"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Hunting for Log4Shell - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA22-320A", "Log4Shell CVE-2021-44228"], "cis20": ["CIS 13"], "confidence": 50, "cve": ["CVE-2021-44228"], "impact": 80, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "158b68fa-5d1a-11ec-aac8-acde48001122", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | from datamodel Web.Web | eval jndi=if(match(_raw, "(\{|%7B)[jJnNdDiI]{4}:"),4,0) | eval jndi_fastmatch=if(match(_raw, "[jJnNdDiI]{4}"),2,0) | eval jndi_proto=if(match(_raw,"(?i)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http|https):"),5,0) | eval all_match = if(match(_raw, "(?i)(%(25){0,}20|\s)*(%(25){0,}24|\$)(%(25){0,}20|\s)*(%(25){0,}7B|{)(%(25){0,}20|\s)*(%(25){0,}(6A|4A)|J)(%(25){0,}(6E|4E)|N)(%(25){0,}(64|44)|D)(%(25){0,}(69|49)|I)(%(25){0,}20|\s)*(%(25){0,}3A|:)[\w\%]+(%(25){1,}3A|:)(%(25){1,}2F|\/)[^\n]+"),5,0) | eval env_var = if(match(_raw, "env:") OR match(_raw, "env:AWS_ACCESS_KEY_ID") OR match(_raw, "env:AWS_SECRET_ACCESS_KEY"),5,0) | eval uridetect = if(match(_raw, "(?i)Basic\/Command\/Base64|Basic\/ReverseShell|Basic\/TomcatMemshell|Basic\/JBossMemshell|Basic\/WebsphereMemshell|Basic\/SpringMemshell|Basic\/Command|Deserialization\/CommonsCollectionsK|Deserialization\/CommonsBeanutils|Deserialization\/Jre8u20\/TomcatMemshell|Deserialization\/CVE_2020_2555\/WeblogicMemshell|TomcatBypass|GroovyBypass|WebsphereBypass"),4,0) | eval keywords = if(match(_raw,"(?i)\$\{ctx\:loginId\}|\$\{map\:type\}|\$\{filename\}|\$\{date\:MM-dd-yyyy\}|\$\{docker\:containerId\}|\$\{docker\:containerName\}|\$\{docker\:imageName\}|\$\{env\:USER\}|\$\{event\:Marker\}|\$\{mdc\:UserId\}|\$\{java\:runtime\}|\$\{java\:vm\}|\$\{java\:os\}|\$\{jndi\:logging/context-name\}|\$\{hostName\}|\$\{docker\:containerId\}|\$\{k8s\:accountName\}|\$\{k8s\:clusterName\}|\$\{k8s\:containerId\}|\$\{k8s\:containerName\}|\$\{k8s\:host\}|\$\{k8s\:labels.app\}|\$\{k8s\:labels.podTemplateHash\}|\$\{k8s\:masterUrl\}|\$\{k8s\:namespaceId\}|\$\{k8s\:namespaceName\}|\$\{k8s\:podId\}|\$\{k8s\:podIp\}|\$\{k8s\:podName\}|\$\{k8s\:imageId\}|\$\{k8s\:imageName\}|\$\{log4j\:configLocation\}|\$\{log4j\:configParentLocation\}|\$\{spring\:spring.application.name\}|\$\{main\:myString\}|\$\{main\:0\}|\$\{main\:1\}|\$\{main\:2\}|\$\{main\:3\}|\$\{main\:4\}|\$\{main\:bar\}|\$\{name\}|\$\{marker\}|\$\{marker\:name\}|\$\{spring\:profiles.active[0]|\$\{sys\:logPath\}|\$\{web\:rootDir\}|\$\{sys\:user.name\}"),4,0) | eval obf = if(match(_raw, "(\$|%24)[^ /]*({|%7b)[^ /]*(j|%6a)[^ /]*(n|%6e)[^ /]*(d|%64)[^ /]*(i|%69)[^ /]*(:|%3a)[^ /]*(:|%3a)[^ /]*(/|%2f)"),5,0) | eval lookups = if(match(_raw, "(?i)({|%7b)(main|sys|k8s|spring|lower|upper|env|date|sd)"),4,0) | addtotals fieldname=Score, jndi, jndi_proto, env_var, uridetect, all_match, jndi_fastmatch, keywords, obf, lookups | where Score > 2 | stats values(Score) by jndi, jndi_proto, env_var, uridetect, all_match, jndi_fastmatch, keywords, lookups, obf, dest, src, http_method, _raw | `hunting_for_log4shell_filter` - -[ESCU - Ivanti Connect Secure Command Injection Attempts - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is designed to identify the exploit phase of the CVE-2023-46805 and CVE-2024-21887 vulnerabilities. During this phase, a POST request is made to the /api/v1/totp/user-backup-code/../../system/maintenance/archiving/cloud-server-test-connection URI. This request exploits the command injection vulnerability to execute arbitrary commands. A successful request, indicated by a 200 OK response, suggests that the system is vulnerable. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} -action.escu.data_models = ["Web"] -action.escu.eli5 = This analytic is designed to identify the exploit phase of the CVE-2023-46805 and CVE-2024-21887 vulnerabilities. During this phase, a POST request is made to the /api/v1/totp/user-backup-code/../../system/maintenance/archiving/cloud-server-test-connection URI. This request exploits the command injection vulnerability to execute arbitrary commands. A successful request, indicated by a 200 OK response, suggests that the system is vulnerable. -action.escu.how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. -action.escu.known_false_positives = This analytic is limited to HTTP Status 200; adjust as necessary. False positives may occur if the URI path is IP-restricted or externally blocked. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment. -action.escu.creation_date = 2024-01-17 -action.escu.modification_date = 2024-01-17 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Ivanti Connect Secure Command Injection Attempts - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Ivanti Connect Secure VPN Vulnerabilities"] -action.risk = 1 -action.risk.param._risk_message = Possible exploitation of CVE-2023-46805 and CVE-2024-21887 against $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 90}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Ivanti Connect Secure Command Injection Attempts - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ivanti Connect Secure VPN Vulnerabilities"], "cis20": ["CIS 13"], "confidence": 90, "cve": ["CVE-2023-46805", "CVE-2024-21887"], "impact": 100, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "1f32a7e0-a060-4545-b7de-73fcf9ad536e", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic is designed to identify the exploit phase of the CVE-2023-46805 and CVE-2024-21887 vulnerabilities. During this phase, a POST request is made to the /api/v1/totp/user-backup-code/../../system/maintenance/archiving/cloud-server-test-connection URI. This request exploits the command injection vulnerability to execute arbitrary commands. A successful request, indicated by a 200 OK response, suggests that the system is vulnerable. -action.notable.param.rule_title = Ivanti Connect Secure Command Injection Attempts -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN("*/api/v1/totp/user-backup-code/../../system/maintenance/archiving/cloud-server-test-connection*","*/api/v1/totp/user-backup-code/../../license/keys-status/*") Web.http_method IN ("POST", "GET") Web.status=200 by Web.src, Web.dest, Web.http_user_agent, Web.url, Web.http_method, Web.status | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ivanti_connect_secure_command_injection_attempts_filter` - -[ESCU - Ivanti Connect Secure SSRF in SAML Component - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic is designed to identify POST request activities targeting specific endpoints known to be vulnerable to the SSRF issue (CVE-2024-21893) in Ivanti's products. It aggregates data from the Web data model, focusing on endpoints /dana-ws/saml20.ws, /dana-ws/saml.ws, /dana-ws/samlecp.ws, and /dana-na/auth/saml-logout.cgi. The query filters for POST requests that received a HTTP 200 OK response, indicating successful request execution. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} -action.escu.data_models = ["Web"] -action.escu.eli5 = The following analytic is designed to identify POST request activities targeting specific endpoints known to be vulnerable to the SSRF issue (CVE-2024-21893) in Ivanti's products. It aggregates data from the Web data model, focusing on endpoints /dana-ws/saml20.ws, /dana-ws/saml.ws, /dana-ws/samlecp.ws, and /dana-na/auth/saml-logout.cgi. The query filters for POST requests that received a HTTP 200 OK response, indicating successful request execution. -action.escu.how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. -action.escu.known_false_positives = This analytic is limited to HTTP Status 200; adjust as necessary. False positives may occur if the HTTP Status is removed, as most failed attempts result in a 301. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment. -action.escu.creation_date = 2024-02-05 -action.escu.modification_date = 2024-02-05 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Ivanti Connect Secure SSRF in SAML Component - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Ivanti Connect Secure VPN Vulnerabilities"] -action.risk = 1 -action.risk.param._risk_message = Possible exploitation of CVE-2024-21893 against $dest$ from $src$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 81}, {"threat_object_field": "src", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Ivanti Connect Secure SSRF in SAML Component - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ivanti Connect Secure VPN Vulnerabilities"], "cis20": ["CIS 13"], "confidence": 90, "cve": ["CVE-2024-21893"], "impact": 90, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "8e6ca490-7af3-4299-9a24-39fb69759925", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic is designed to identify POST request activities targeting specific endpoints known to be vulnerable to the SSRF issue (CVE-2024-21893) in Ivanti's products. It aggregates data from the Web data model, focusing on endpoints /dana-ws/saml20.ws, /dana-ws/saml.ws, /dana-ws/samlecp.ws, and /dana-na/auth/saml-logout.cgi. The query filters for POST requests that received a HTTP 200 OK response, indicating successful request execution. -action.notable.param.rule_title = Ivanti Connect Secure SSRF in SAML Component -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*/dana-ws/saml20.ws*","*/dana-ws/saml.ws*","*/dana-ws/samlecp.ws*","*/dana-na/auth/saml-logout.cgi/*") Web.http_method=POST Web.status=200 by Web.src, Web.dest, Web.http_user_agent, Web.url, Web.status, Web.http_method | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ivanti_connect_secure_ssrf_in_saml_component_filter` - -[ESCU - Ivanti Connect Secure System Information Access via Auth Bypass - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is designed to identify the "check phase" of the CVE-2023-46805 and CVE-2024-21887 vulnerabilities. During this phase, a GET request is made to the /api/v1/totp/user-backup-code/../../system/system-information URI. This request exploits the authentication bypass vulnerability to gain access to system information. A successful request, indicated by a 200 OK response, suggests that the system is vulnerable. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.AE"]} -action.escu.data_models = ["Web"] -action.escu.eli5 = This analytic is designed to identify the "check phase" of the CVE-2023-46805 and CVE-2024-21887 vulnerabilities. During this phase, a GET request is made to the /api/v1/totp/user-backup-code/../../system/system-information URI. This request exploits the authentication bypass vulnerability to gain access to system information. A successful request, indicated by a 200 OK response, suggests that the system is vulnerable. -action.escu.how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. -action.escu.known_false_positives = This analytic is limited to HTTP Status 200; adjust as necessary. False positives may occur if the URI path is IP-restricted or externally blocked. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment. -action.escu.creation_date = 2024-01-16 -action.escu.modification_date = 2024-01-16 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Ivanti Connect Secure System Information Access via Auth Bypass - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Ivanti Connect Secure VPN Vulnerabilities"] -action.risk = 1 -action.risk.param._risk_message = Possible exploitation of CVE-2023-46805 and CVE-2024-21887 against $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Ivanti Connect Secure System Information Access via Auth Bypass - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ivanti Connect Secure VPN Vulnerabilities"], "cis20": ["CIS 13"], "confidence": 80, "cve": ["CVE-2023-46805", "CVE-2024-21887"], "impact": 90, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "d51c13dd-a232-4c83-a2bb-72ab36233c5d", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url="*/api/v1/totp/user-backup-code/../../system/system-information*" Web.http_method=GET Web.status=200 by Web.src, Web.dest, Web.http_user_agent, Web.url | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ivanti_connect_secure_system_information_access_via_auth_bypass_filter` - -[ESCU - Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078 - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The given analytic is designed to detect the exploitation of CVE-2023-35078, a vulnerability in Ivanti Endpoint Manager Mobile (EPMM) affecting versions up to 11.4. Specifically, the query searches web logs for HTTP requests to the potentially vulnerable endpoint "/mifs/aad/api/v2/authorized/users?*" with a successful status code of 200. This analytic is instrumental in detecting unauthorized remote access to restricted functionalities or resources within the application, a behavior worth identifying for a Security Operations Center (SOC). By monitoring specific patterns and successful access indicators, it reveals an active attempt to exploit the vulnerability, potentially leading to data theft, unauthorized modifications, or further system compromise. If successfully executed, the impact can be severe, necessitating immediate action. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} -action.escu.data_models = ["Web"] -action.escu.eli5 = The given analytic is designed to detect the exploitation of CVE-2023-35078, a vulnerability in Ivanti Endpoint Manager Mobile (EPMM) affecting versions up to 11.4. Specifically, the query searches web logs for HTTP requests to the potentially vulnerable endpoint "/mifs/aad/api/v2/authorized/users?*" with a successful status code of 200. This analytic is instrumental in detecting unauthorized remote access to restricted functionalities or resources within the application, a behavior worth identifying for a Security Operations Center (SOC). By monitoring specific patterns and successful access indicators, it reveals an active attempt to exploit the vulnerability, potentially leading to data theft, unauthorized modifications, or further system compromise. If successfully executed, the impact can be severe, necessitating immediate action. -action.escu.how_to_implement = To implement this analytic, a network product similar to Suricata or Palo Alto needs to be mapped to the Web datamodel. Modify accordingly to work with your products. -action.escu.known_false_positives = The Proof of Concept exploit script indicates that status=200 is required for successful exploitation of the vulnerability. False positives may be present if status=200 is removed from the search. If it is removed,then the search also alert on status=301 and status=404 which indicates unsuccessful exploitation attempts. Analysts may find it useful to hunt for these status codes as well, but it is likely to produce a significant number of alerts as this is a widespread vulnerability. -action.escu.creation_date = 2023-07-31 -action.escu.modification_date = 2023-07-31 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078 - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Ivanti EPMM Remote Unauthenticated Access"] -action.risk = 1 -action.risk.param._risk_message = Potential CVE-2023-35078 against an Ivanti EPMM appliance on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078 - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ivanti EPMM Remote Unauthenticated Access"], "cis20": ["CIS 13"], "confidence": 80, "cve": ["CVE-2023-35078"], "impact": 80, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "66b9c9ba-7fb2-4e80-a3a2-496e5e078167", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The given analytic is designed to detect the exploitation of CVE-2023-35078, a vulnerability in Ivanti Endpoint Manager Mobile (EPMM) affecting versions up to 11.4. Specifically, the query searches web logs for HTTP requests to the potentially vulnerable endpoint "/mifs/aad/api/v2/authorized/users?*" with a successful status code of 200. This analytic is instrumental in detecting unauthorized remote access to restricted functionalities or resources within the application, a behavior worth identifying for a Security Operations Center (SOC). By monitoring specific patterns and successful access indicators, it reveals an active attempt to exploit the vulnerability, potentially leading to data theft, unauthorized modifications, or further system compromise. If successfully executed, the impact can be severe, necessitating immediate action. -action.notable.param.rule_title = Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078 -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("/mifs/aad/api/v2/authorized/users?*") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35078_filter` - -[ESCU - Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082 - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects potential unauthorized access attempts exploiting CVE-2023-35082 within Ivantis software products. Initially assessed to affect only MobileIron Core versions up to 11.2, further insights revealed its influence extending to Ivanti Endpoint Manager Mobile (EPMM) versions 11.10, 11.9, 11.8, and MobileIron Core 11.7 and below. The vulnerability facilitates unauthorized API access via the specific URI path /mifs/asfV3/api/v2/. The analytic identifies this behavior by monitoring web access logs for this URI pattern coupled with a HTTP 200 response code, signifying successful unauthorized access. Such behavior is imperative for a Security Operations Center (SOC) to recognize, as it highlights potential security breaches which, if not addressed, could lead to unauthorized data access, system modifications, or further exploitation. In the event of a true positive, the implications are severe: an attacker might have gained unbridled access to sensitive organizational data or could modify systems maliciously. Be vigilant of potential false positives; benign activities might occasionally match the pattern. During triage, closely scrutinize the source of the access request and its subsequent actions. This analytic aids analysts in early threat detection, allowing for proactive risk mitigation. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} -action.escu.data_models = ["Web"] -action.escu.eli5 = The following analytic detects potential unauthorized access attempts exploiting CVE-2023-35082 within Ivantis software products. Initially assessed to affect only MobileIron Core versions up to 11.2, further insights revealed its influence extending to Ivanti Endpoint Manager Mobile (EPMM) versions 11.10, 11.9, 11.8, and MobileIron Core 11.7 and below. The vulnerability facilitates unauthorized API access via the specific URI path /mifs/asfV3/api/v2/. The analytic identifies this behavior by monitoring web access logs for this URI pattern coupled with a HTTP 200 response code, signifying successful unauthorized access. Such behavior is imperative for a Security Operations Center (SOC) to recognize, as it highlights potential security breaches which, if not addressed, could lead to unauthorized data access, system modifications, or further exploitation. In the event of a true positive, the implications are severe: an attacker might have gained unbridled access to sensitive organizational data or could modify systems maliciously. Be vigilant of potential false positives; benign activities might occasionally match the pattern. During triage, closely scrutinize the source of the access request and its subsequent actions. This analytic aids analysts in early threat detection, allowing for proactive risk mitigation. -action.escu.how_to_implement = To implement this analytic, a network product similar to Suricata or Palo Alto needs to be mapped to the Web datamodel. Modify accordingly to work with your products. -action.escu.known_false_positives = Similar to CVE-2023-35078, the path for exploitation indicates that status=200 is required for successful exploitation of the vulnerability. False positives may be present if status=200 is removed from the search. If it is removed,then the search also alert on status=301 and status=404 which indicates unsuccessful exploitation attempts. Analysts may find it useful to hunt for these status codes as well, but it is likely to produce a significant number of alerts as this is a widespread vulnerability. -action.escu.creation_date = 2023-08-08 -action.escu.modification_date = 2023-08-08 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082 - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Ivanti EPMM Remote Unauthenticated Access"] -action.risk = 1 -action.risk.param._risk_message = Potential CVE-2023-35082 against an Ivanti EPMM appliance on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082 - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ivanti EPMM Remote Unauthenticated Access"], "cis20": ["CIS 13"], "confidence": 80, "cve": ["CVE-2023-35082"], "impact": 80, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e03edeba-4942-470c-a664-27253f3ad351", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects potential unauthorized access attempts exploiting CVE-2023-35082 within Ivantis software products. Initially assessed to affect only MobileIron Core versions up to 11.2, further insights revealed its influence extending to Ivanti Endpoint Manager Mobile (EPMM) versions 11.10, 11.9, 11.8, and MobileIron Core 11.7 and below. The vulnerability facilitates unauthorized API access via the specific URI path /mifs/asfV3/api/v2/. The analytic identifies this behavior by monitoring web access logs for this URI pattern coupled with a HTTP 200 response code, signifying successful unauthorized access. Such behavior is imperative for a Security Operations Center (SOC) to recognize, as it highlights potential security breaches which, if not addressed, could lead to unauthorized data access, system modifications, or further exploitation. In the event of a true positive, the implications are severe: an attacker might have gained unbridled access to sensitive organizational data or could modify systems maliciously. Be vigilant of potential false positives; benign activities might occasionally match the pattern. During triage, closely scrutinize the source of the access request and its subsequent actions. This analytic aids analysts in early threat detection, allowing for proactive risk mitigation. -action.notable.param.rule_title = Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082 -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("/mifs/asfV3/api/v2/*") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35082_filter` - -[ESCU - Ivanti Sentry Authentication Bypass - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic is designed to detect unauthenticated access to the System Manager Portal in Ivanti Sentry, formerly known as MobileIron Sentry. The vulnerability, designated as CVE-2023-38035, affects all supported versions 9.18, 9.17, and 9.16, as well as older versions. The analytic works by monitoring for changes in the configuration of Sentry and the underlying operating system. Such changes could indicate an attacker attempting to execute OS commands as root. This behavior is of significant concern for a Security Operations Center (SOC) as it presents a substantial security risk, particularly if port 8443, the default port for the System Manager Portal, is exposed to the internet. If the analytic returns a true positive, it suggests that an attacker has gained unauthorized access to the Sentry system, potentially leading to a significant system compromise and data breach. It is important to note that while the issue has a high CVSS score, the risk of exploitation is low for customers who do not expose port 8443 to the internet. The search specifically looks for HTTP requests to certain endpoints ("/mics/services/configservice/*", "/mics/services/*","/mics/services/MICSLogService*") and HTTP status code of 200. Unusual or unexpected patterns in these parameters could indicate an attack. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} -action.escu.data_models = ["Web"] -action.escu.eli5 = This analytic is designed to detect unauthenticated access to the System Manager Portal in Ivanti Sentry, formerly known as MobileIron Sentry. The vulnerability, designated as CVE-2023-38035, affects all supported versions 9.18, 9.17, and 9.16, as well as older versions. The analytic works by monitoring for changes in the configuration of Sentry and the underlying operating system. Such changes could indicate an attacker attempting to execute OS commands as root. This behavior is of significant concern for a Security Operations Center (SOC) as it presents a substantial security risk, particularly if port 8443, the default port for the System Manager Portal, is exposed to the internet. If the analytic returns a true positive, it suggests that an attacker has gained unauthorized access to the Sentry system, potentially leading to a significant system compromise and data breach. It is important to note that while the issue has a high CVSS score, the risk of exploitation is low for customers who do not expose port 8443 to the internet. The search specifically looks for HTTP requests to certain endpoints ("/mics/services/configservice/*", "/mics/services/*","/mics/services/MICSLogService*") and HTTP status code of 200. Unusual or unexpected patterns in these parameters could indicate an attack. -action.escu.how_to_implement = To implement this analytic, a network product similar to Suricata or Palo Alto needs to be mapped to the Web datamodel. Modify accordingly to work with your products. -action.escu.known_false_positives = It is important to note that false positives may occur if the search criteria are expanded beyond the HTTP status code 200. In other words, if the search includes other HTTP status codes, the likelihood of encountering false positives increases. This is due to the fact that HTTP status codes other than 200 may not necessarily indicate a successful exploitation attempt. -action.escu.creation_date = 2023-08-24 -action.escu.modification_date = 2023-08-24 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Ivanti Sentry Authentication Bypass - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Ivanti Sentry Authentication Bypass CVE-2023-38035"] -action.risk = 1 -action.risk.param._risk_message = Possible exploitation of CVE-2023-38035 against $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 45}, {"threat_object_field": "src", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Ivanti Sentry Authentication Bypass - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ivanti Sentry Authentication Bypass CVE-2023-38035"], "cis20": ["CIS 13"], "confidence": 50, "cve": ["CVE-2023-38035"], "impact": 90, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "b8e0d1cf-e6a8-4d46-a5ae-aebe18ead8f8", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic is designed to detect unauthenticated access to the System Manager Portal in Ivanti Sentry, formerly known as MobileIron Sentry. The vulnerability, designated as CVE-2023-38035, affects all supported versions 9.18, 9.17, and 9.16, as well as older versions. The analytic works by monitoring for changes in the configuration of Sentry and the underlying operating system. Such changes could indicate an attacker attempting to execute OS commands as root. This behavior is of significant concern for a Security Operations Center (SOC) as it presents a substantial security risk, particularly if port 8443, the default port for the System Manager Portal, is exposed to the internet. If the analytic returns a true positive, it suggests that an attacker has gained unauthorized access to the Sentry system, potentially leading to a significant system compromise and data breach. It is important to note that while the issue has a high CVSS score, the risk of exploitation is low for customers who do not expose port 8443 to the internet. The search specifically looks for HTTP requests to certain endpoints ("/mics/services/configservice/*", "/mics/services/*","/mics/services/MICSLogService*") and HTTP status code of 200. Unusual or unexpected patterns in these parameters could indicate an attack. -action.notable.param.rule_title = Ivanti Sentry Authentication Bypass -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("/mics/services/configservice/*", "/mics/services/*","/mics/services/MICSLogService*") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ivanti_sentry_authentication_bypass_filter` - -[ESCU - Jenkins Arbitrary File Read CVE-2024-23897 - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analtyic identifies a Jenkins Arbitrary File Read CVE-2024-23897 exploitation. This attack allows an attacker to read arbitrary files on the Jenkins server. This can be used to obtain sensitive information such as credentials, private keys, and other sensitive information. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} -action.escu.data_models = ["Web"] -action.escu.eli5 = The following analtyic identifies a Jenkins Arbitrary File Read CVE-2024-23897 exploitation. This attack allows an attacker to read arbitrary files on the Jenkins server. This can be used to obtain sensitive information such as credentials, private keys, and other sensitive information. -action.escu.how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. If unable to utilize the Web datamodel, modify query to your data source. -action.escu.known_false_positives = False positives should be limited as this detection is based on a specific URL path and HTTP status code. Adjust the search as necessary to fit the environment. -action.escu.creation_date = 2024-01-26 -action.escu.modification_date = 2024-01-26 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Jenkins Arbitrary File Read CVE-2024-23897 - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Jenkins Server Vulnerabilities"] -action.risk = 1 -action.risk.param._risk_message = Jenkins Arbitrary File Read CVE-2024-23897 against $dest$ by $src$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 81}, {"threat_object_field": "src", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Jenkins Arbitrary File Read CVE-2024-23897 - Rule -action.correlationsearch.annotations = {"analytic_story": ["Jenkins Server Vulnerabilities"], "cis20": ["CIS 13"], "confidence": 90, "cve": ["CVE-2024-23897"], "impact": 90, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c641260d-2b48-4eb1-b1e8-2cc5b8b99ab1", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analtyic identifies a Jenkins Arbitrary File Read CVE-2024-23897 exploitation. This attack allows an attacker to read arbitrary files on the Jenkins server. This can be used to obtain sensitive information such as credentials, private keys, and other sensitive information. -action.notable.param.rule_title = Jenkins Arbitrary File Read CVE-2024-23897 -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url="*/cli?remoting=false*" Web.status=200 Web.http_method=POST by Web.src, Web.dest, Web.http_user_agent, Web.url Web.status, Web.http_method | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `jenkins_arbitrary_file_read_cve_2024_23897_filter` - -[ESCU - JetBrains TeamCity Authentication Bypass CVE-2024-27198 - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The CVE-2024-27198 vulnerability presents a critical security risk for JetBrains TeamCity on-premises servers, allowing attackers to bypass authentication mechanisms and gain unauthorized access. This vulnerability can be exploited in several ways, each leading to the attacker gaining full control over the TeamCity server, including all associated projects, builds, agents, and artifacts. One method of exploitation involves creating a new administrator user. An attacker, without needing to authenticate, can send a specially crafted POST request to the `/app/rest/users` REST API endpoint. This request includes the desired username, password, email, and roles for the new user, effectively granting them administrative privileges upon successful execution. Alternatively, an attacker can generate a new administrator access token by targeting the `/app/rest/users/id:1/tokens` endpoint with a POST request. This method also does not require prior authentication and results in the creation of a token that grants administrative access. Both exploitation methods underscore the severity of the CVE-2024-27198 vulnerability and highlight the importance of securing TeamCity servers against such authentication bypass threats. The manipulation of URI paths `/app/rest/users` and `/app/rest/users/id:1/tokens` through malicious requests enables attackers to gain unauthorized access and control, emphasizing the need for immediate remediation measures. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} -action.escu.data_models = ["Web"] -action.escu.eli5 = The CVE-2024-27198 vulnerability presents a critical security risk for JetBrains TeamCity on-premises servers, allowing attackers to bypass authentication mechanisms and gain unauthorized access. This vulnerability can be exploited in several ways, each leading to the attacker gaining full control over the TeamCity server, including all associated projects, builds, agents, and artifacts. One method of exploitation involves creating a new administrator user. An attacker, without needing to authenticate, can send a specially crafted POST request to the `/app/rest/users` REST API endpoint. This request includes the desired username, password, email, and roles for the new user, effectively granting them administrative privileges upon successful execution. Alternatively, an attacker can generate a new administrator access token by targeting the `/app/rest/users/id:1/tokens` endpoint with a POST request. This method also does not require prior authentication and results in the creation of a token that grants administrative access. Both exploitation methods underscore the severity of the CVE-2024-27198 vulnerability and highlight the importance of securing TeamCity servers against such authentication bypass threats. The manipulation of URI paths `/app/rest/users` and `/app/rest/users/id:1/tokens` through malicious requests enables attackers to gain unauthorized access and control, emphasizing the need for immediate remediation measures. -action.escu.how_to_implement = The detection relies on the Web datamodel and a CIM compliant log source, that may include Nginx, TeamCity logs, or other web server logs. -action.escu.known_false_positives = False positives are not expected, as this detection is based on the presence of specific URI paths and HTTP methods that are indicative of the CVE-2024-27198 vulnerability exploitation. Monitor, filter and tune as needed based on organization log sources. -action.escu.creation_date = 2024-03-04 -action.escu.modification_date = 2024-03-04 -action.escu.confidence = high -action.escu.full_search_name = ESCU - JetBrains TeamCity Authentication Bypass CVE-2024-27198 - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["JetBrains TeamCity Vulnerabilities"] -action.risk = 1 -action.risk.param._risk_message = Possible JetBrains TeamCity Authentication Bypass CVE-2024-27198 Attempt against $dest$ from $src$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 81}, {"threat_object_field": "src", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - JetBrains TeamCity Authentication Bypass CVE-2024-27198 - Rule -action.correlationsearch.annotations = {"analytic_story": ["JetBrains TeamCity Vulnerabilities"], "cis20": ["CIS 13"], "confidence": 90, "cve": ["CVE-2024-27198"], "impact": 90, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "fbcc04c7-8a79-453c-b3a9-c232c423bdd4", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The CVE-2024-27198 vulnerability presents a critical security risk for JetBrains TeamCity on-premises servers, allowing attackers to bypass authentication mechanisms and gain unauthorized access. This vulnerability can be exploited in several ways, each leading to the attacker gaining full control over the TeamCity server, including all associated projects, builds, agents, and artifacts. One method of exploitation involves creating a new administrator user. An attacker, without needing to authenticate, can send a specially crafted POST request to the `/app/rest/users` REST API endpoint. This request includes the desired username, password, email, and roles for the new user, effectively granting them administrative privileges upon successful execution. Alternatively, an attacker can generate a new administrator access token by targeting the `/app/rest/users/id:1/tokens` endpoint with a POST request. This method also does not require prior authentication and results in the creation of a token that grants administrative access. Both exploitation methods underscore the severity of the CVE-2024-27198 vulnerability and highlight the importance of securing TeamCity servers against such authentication bypass threats. The manipulation of URI paths `/app/rest/users` and `/app/rest/users/id:1/tokens` through malicious requests enables attackers to gain unauthorized access and control, emphasizing the need for immediate remediation measures. -action.notable.param.rule_title = JetBrains TeamCity Authentication Bypass CVE-2024-27198 -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where ((Web.url="*?jsp=*" AND Web.url="*;.jsp*") Web.status=200 Web.http_method=POST) OR (Web.url IN ("*jsp=/app/rest/users;.jsp","*?jsp=/app/rest/users;.jsp","*?jsp=.*/app/rest/users/id:*/tokens;*") Web.status=200 Web.http_method=POST ) by Web.src, Web.dest, Web.http_user_agent, Web.url, Web.status, Web.http_method, sourcetype, source | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `jetbrains_teamcity_authentication_bypass_cve_2024_27198_filter` - -[ESCU - JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198 - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The CVE-2024-27198 vulnerability presents a critical security risk for JetBrains TeamCity on-premises servers, allowing attackers to bypass authentication mechanisms and gain unauthorized access. This vulnerability can be exploited in several ways, each leading to the attacker gaining full control over the TeamCity server, including all associated projects, builds, agents, and artifacts. One method of exploitation involves creating a new administrator user. An attacker, without needing to authenticate, can send a specially crafted POST request to the `/app/rest/users` REST API endpoint. This request includes the desired username, password, email, and roles for the new user, effectively granting them administrative privileges upon successful execution.Alternatively, an attacker can generate a new administrator access token by targeting the `/app/rest/users/id:1/tokens` endpoint with a POST request. This method also does not require prior authentication and results in the creation of a token that grants administrative access. Both exploitation methods underscore the severity of the CVE-2024-27198 vulnerability and highlight the importance of securing TeamCity servers against such authentication bypass threats. The manipulation of URI paths `/app/rest/users` and `/app/rest/users/id:1/tokens` through malicious requests enables attackers to gain unauthorized access and control, emphasizing the need for immediate remediation measures. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The CVE-2024-27198 vulnerability presents a critical security risk for JetBrains TeamCity on-premises servers, allowing attackers to bypass authentication mechanisms and gain unauthorized access. This vulnerability can be exploited in several ways, each leading to the attacker gaining full control over the TeamCity server, including all associated projects, builds, agents, and artifacts. One method of exploitation involves creating a new administrator user. An attacker, without needing to authenticate, can send a specially crafted POST request to the `/app/rest/users` REST API endpoint. This request includes the desired username, password, email, and roles for the new user, effectively granting them administrative privileges upon successful execution.Alternatively, an attacker can generate a new administrator access token by targeting the `/app/rest/users/id:1/tokens` endpoint with a POST request. This method also does not require prior authentication and results in the creation of a token that grants administrative access. Both exploitation methods underscore the severity of the CVE-2024-27198 vulnerability and highlight the importance of securing TeamCity servers against such authentication bypass threats. The manipulation of URI paths `/app/rest/users` and `/app/rest/users/id:1/tokens` through malicious requests enables attackers to gain unauthorized access and control, emphasizing the need for immediate remediation measures. -action.escu.how_to_implement = The following detection relies on the Suricata TA and ensuring it is properly configured to monitor HTTP traffic. Modify the query for your environment and log sources as needed. -action.escu.known_false_positives = False positives are not expected, as this detection is based on the presence of specific URI paths and HTTP methods that are indicative of the CVE-2024-27198 vulnerability exploitation. Monitor, filter and tune as needed based on organization log sources. -action.escu.creation_date = 2024-03-04 -action.escu.modification_date = 2024-03-04 -action.escu.confidence = high -action.escu.full_search_name = ESCU - JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198 - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["JetBrains TeamCity Vulnerabilities"] -action.risk = 1 -action.risk.param._risk_message = Possible JetBrains TeamCity Authentication Bypass Attempt against $dest$ from $src$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 81}, {"threat_object_field": "src", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198 - Rule -action.correlationsearch.annotations = {"analytic_story": ["JetBrains TeamCity Vulnerabilities"], "cis20": ["CIS 13"], "confidence": 90, "cve": ["CVE-2024-27198"], "impact": 90, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "fbcc04c7-8a79-453c-b3a9-c232c423bdd3", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The CVE-2024-27198 vulnerability presents a critical security risk for JetBrains TeamCity on-premises servers, allowing attackers to bypass authentication mechanisms and gain unauthorized access. This vulnerability can be exploited in several ways, each leading to the attacker gaining full control over the TeamCity server, including all associated projects, builds, agents, and artifacts. One method of exploitation involves creating a new administrator user. An attacker, without needing to authenticate, can send a specially crafted POST request to the `/app/rest/users` REST API endpoint. This request includes the desired username, password, email, and roles for the new user, effectively granting them administrative privileges upon successful execution.Alternatively, an attacker can generate a new administrator access token by targeting the `/app/rest/users/id:1/tokens` endpoint with a POST request. This method also does not require prior authentication and results in the creation of a token that grants administrative access. Both exploitation methods underscore the severity of the CVE-2024-27198 vulnerability and highlight the importance of securing TeamCity servers against such authentication bypass threats. The manipulation of URI paths `/app/rest/users` and `/app/rest/users/id:1/tokens` through malicious requests enables attackers to gain unauthorized access and control, emphasizing the need for immediate remediation measures. -action.notable.param.rule_title = JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198 -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `suricata` ((http.url="*?jsp=*" AND http.url="*;.jsp*") http.status=200 http_method=POST) OR (http.url IN ("*jsp=/app/rest/users;.jsp","*?jsp=/app/rest/users;.jsp","*?jsp=.*/app/rest/users/id:*/tokens;*") http.status=200 http_method=POST ) | stats count min(_time) as firstTime max(_time) as lastTime by src, dest, http.http_user_agent, http.url, http.status,http_method | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `jetbrains_teamcity_authentication_bypass_suricata_cve_2024_27198_filter` - -[ESCU - JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199 - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = CVE-2024-27199 reveals a critical vulnerability in JetBrains TeamCity web server, allowing unauthenticated attackers to bypass authentication for a limited set of endpoints. This vulnerability exploits path traversal issues, enabling attackers to access and potentially modify system settings or disclose sensitive server information without proper authentication. Identified vulnerable paths include /res/, /update/, and /.well-known/acme-challenge/, among others. Attackers can manipulate these paths to reach restricted JSP pages and servlet endpoints, such as /app/https/settings/uploadCertificate, which could allow for the uploading of malicious HTTPS certificates or modification of server settings. This detection aims to identify potential exploitation attempts by monitoring for unusual access patterns to these endpoints, which could indicate an authentication bypass attempt in progress. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = CVE-2024-27199 reveals a critical vulnerability in JetBrains TeamCity web server, allowing unauthenticated attackers to bypass authentication for a limited set of endpoints. This vulnerability exploits path traversal issues, enabling attackers to access and potentially modify system settings or disclose sensitive server information without proper authentication. Identified vulnerable paths include /res/, /update/, and /.well-known/acme-challenge/, among others. Attackers can manipulate these paths to reach restricted JSP pages and servlet endpoints, such as /app/https/settings/uploadCertificate, which could allow for the uploading of malicious HTTPS certificates or modification of server settings. This detection aims to identify potential exploitation attempts by monitoring for unusual access patterns to these endpoints, which could indicate an authentication bypass attempt in progress. -action.escu.how_to_implement = The following detection relies on the Suricata TA and ensuring it is properly configured to monitor HTTP traffic. Modify the query for your environment and log sources as needed. -action.escu.known_false_positives = False positives are not expected, however, monitor, filter, and tune as needed based on organization log sources. The analytic is restricted to 200 and GET requests to specific URI paths, which should limit false positives. -action.escu.creation_date = 2024-03-04 -action.escu.modification_date = 2024-03-04 -action.escu.confidence = high -action.escu.full_search_name = ESCU - JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199 - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["JetBrains TeamCity Vulnerabilities"] -action.risk = 1 -action.risk.param._risk_message = Possible JetBrains TeamCity Limited Authentication Bypass Attempt against $dest$ from $src$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}, {"threat_object_field": "src", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199 - Rule -action.correlationsearch.annotations = {"analytic_story": ["JetBrains TeamCity Vulnerabilities"], "cis20": ["CIS 13"], "confidence": 70, "cve": ["CVE-2024-27199"], "impact": 90, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a1e68dcd-2e24-4434-bd0e-b3d4de139d58", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = CVE-2024-27199 reveals a critical vulnerability in JetBrains TeamCity web server, allowing unauthenticated attackers to bypass authentication for a limited set of endpoints. This vulnerability exploits path traversal issues, enabling attackers to access and potentially modify system settings or disclose sensitive server information without proper authentication. Identified vulnerable paths include /res/, /update/, and /.well-known/acme-challenge/, among others. Attackers can manipulate these paths to reach restricted JSP pages and servlet endpoints, such as /app/https/settings/uploadCertificate, which could allow for the uploading of malicious HTTPS certificates or modification of server settings. This detection aims to identify potential exploitation attempts by monitoring for unusual access patterns to these endpoints, which could indicate an authentication bypass attempt in progress. -action.notable.param.rule_title = JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199 -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `suricata` http.url IN ("*../admin/diagnostic.jsp*", "*../app/https/settings/*", "*../app/pipeline*", "*../app/oauth/space/createBuild.html*", "*../res/*", "*../update/*", "*../.well-known/acme-challenge/*", "*../app/availableRunners*", "*../app/https/settings/setPort*", "*../app/https/settings/certificateInfo*", "*../app/https/settings/defaultHttpsPort*", "*../app/https/settings/fetchFromAcme*", "*../app/https/settings/removeCertificate*", "*../app/https/settings/uploadCertificate*", "*../app/https/settings/termsOfService*", "*../app/https/settings/triggerAcmeChallenge*", "*../app/https/settings/cancelAcmeChallenge*", "*../app/https/settings/getAcmeOrder*", "*../app/https/settings/setRedirectStrategy*") http.status=200 http_method=GET | stats count min(_time) as firstTime max(_time) as lastTime by src, dest, http_user_agent, http.url, http.status, http_method | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `jetbrains_teamcity_limited_auth_bypass_suricata_cve_2024_27199_filter` - -[ESCU - JetBrains TeamCity RCE Attempt - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic is designed to detect attempts to exploit the CVE-2023-42793 vulnerability in TeamCity On-Premises. It focuses on identifying suspicious POST requests to /app/rest/users/id:1/tokens/RPC2, which is the initial point of exploitation. This could indicate an unauthenticated attacker trying to gain administrative access through Remote Code Execution (RCE). -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} -action.escu.data_models = ["Web"] -action.escu.eli5 = The following analytic is designed to detect attempts to exploit the CVE-2023-42793 vulnerability in TeamCity On-Premises. It focuses on identifying suspicious POST requests to /app/rest/users/id:1/tokens/RPC2, which is the initial point of exploitation. This could indicate an unauthenticated attacker trying to gain administrative access through Remote Code Execution (RCE). -action.escu.how_to_implement = The following analytic requires the Web datamodel. Ensure data source is mapped correctly or modify and tune for your data source. -action.escu.known_false_positives = If TeamCity is not in use, this analytic will not return results. Monitor and tune for your environment. -action.escu.creation_date = 2023-10-01 -action.escu.modification_date = 2023-10-01 -action.escu.confidence = high -action.escu.full_search_name = ESCU - JetBrains TeamCity RCE Attempt - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["CISA AA23-347A", "JetBrains TeamCity Unauthenticated RCE", "JetBrains TeamCity Vulnerabilities"] -action.risk = 1 -action.risk.param._risk_message = Potential JetBrains TeamCity RCE Attempt detected against URL $url$ on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 81}, {"risk_object_field": "url", "risk_object_type": "other", "risk_score": 81}, {"threat_object_field": "src", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - JetBrains TeamCity RCE Attempt - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A", "JetBrains TeamCity Unauthenticated RCE", "JetBrains TeamCity Vulnerabilities"], "cis20": ["CIS 13"], "confidence": 90, "cve": ["CVE-2023-42793"], "impact": 90, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "89a58e5f-1365-4793-b45c-770abbb32b6c", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic is designed to detect attempts to exploit the CVE-2023-42793 vulnerability in TeamCity On-Premises. It focuses on identifying suspicious POST requests to /app/rest/users/id:1/tokens/RPC2, which is the initial point of exploitation. This could indicate an unauthenticated attacker trying to gain administrative access through Remote Code Execution (RCE). -action.notable.param.rule_title = JetBrains TeamCity RCE Attempt -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("/app/rest/users/id:1/tokens/RPC2*") Web.status=200 Web.http_method=POST by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `jetbrains_teamcity_rce_attempt_filter` - -[ESCU - Juniper Networks Remote Code Execution Exploit Detection - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects the exploitation of a remote code execution vulnerability in Juniper Networks devices. The vulnerability involves multiple steps, including uploading a malicious PHP file and an INI file to the target server, and then executing the PHP code by manipulating the PHP configuration via the uploaded INI file. The analytic specifically looks for requests to /webauth_operation.php?PHPRC=*, which are used to upload the files and execute the code, respectively. This behavior is worth identifying for a SOC because it indicates that an attacker is attempting to exploit the vulnerability to gain unauthorized access to the device and execute arbitrary code. If a true positive is found, it suggests that an attacker has successfully exploited the vulnerability and may have gained control over the device, leading to data theft, network compromise, or other damaging outcomes. Upon triage, review the request parameters and the response to determine if the exploitation was successful. Capture and inspect any relevant network traffic and server logs to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control", "Delivery", "Installation"], "mitre_attack": ["T1190", "T1105", "T1059"], "nist": ["DE.CM"]} -action.escu.data_models = ["Web"] -action.escu.eli5 = The following analytic detects the exploitation of a remote code execution vulnerability in Juniper Networks devices. The vulnerability involves multiple steps, including uploading a malicious PHP file and an INI file to the target server, and then executing the PHP code by manipulating the PHP configuration via the uploaded INI file. The analytic specifically looks for requests to /webauth_operation.php?PHPRC=*, which are used to upload the files and execute the code, respectively. This behavior is worth identifying for a SOC because it indicates that an attacker is attempting to exploit the vulnerability to gain unauthorized access to the device and execute arbitrary code. If a true positive is found, it suggests that an attacker has successfully exploited the vulnerability and may have gained control over the device, leading to data theft, network compromise, or other damaging outcomes. Upon triage, review the request parameters and the response to determine if the exploitation was successful. Capture and inspect any relevant network traffic and server logs to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks. -action.escu.how_to_implement = To implement this search, ensure that the Web data model is populated. The search is activated when the Web data model is accelerated. Network products, such as Suricata or Palo Alto, need to be mapped to the Web data model. Adjust the mapping as necessary to suit your specific products. -action.escu.known_false_positives = Be aware of potential false positives - legitimate uses of the /webauth_operation.php endpoint may cause benign activities to be flagged.The URL in the analytic is specific to a successful attempt to exploit the vulnerability. Review contents of the HTTP body to determine if the request is malicious. If the request is benign, add the URL to the whitelist or continue to monitor. -action.escu.creation_date = 2023-08-29 -action.escu.modification_date = 2023-08-29 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Juniper Networks Remote Code Execution Exploit Detection - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Juniper JunOS Remote Code Execution"] -action.risk = 1 -action.risk.param._risk_message = This analytic has identified a potential exploitation of a remote code execution vulnerability in Juniper Networks devices on $dest$ on the URL $url$ used for the exploit. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}, {"threat_object_field": "url", "threat_object_type": "url"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Juniper Networks Remote Code Execution Exploit Detection - Rule -action.correlationsearch.annotations = {"analytic_story": ["Juniper JunOS Remote Code Execution"], "cis20": ["CIS 13"], "confidence": 80, "cve": ["CVE-2023-36844", "CVE-2023-36845", "CVE-2023-36846", "CVE-2023-36847"], "impact": 90, "kill_chain_phases": ["Command and Control", "Delivery", "Installation"], "mitre_attack": ["T1190", "T1105", "T1059"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "6cc4cc3d-b10a-4fac-be1e-55d384fc690e", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the exploitation of a remote code execution vulnerability in Juniper Networks devices. The vulnerability involves multiple steps, including uploading a malicious PHP file and an INI file to the target server, and then executing the PHP code by manipulating the PHP configuration via the uploaded INI file. The analytic specifically looks for requests to /webauth_operation.php?PHPRC=*, which are used to upload the files and execute the code, respectively. This behavior is worth identifying for a SOC because it indicates that an attacker is attempting to exploit the vulnerability to gain unauthorized access to the device and execute arbitrary code. If a true positive is found, it suggests that an attacker has successfully exploited the vulnerability and may have gained control over the device, leading to data theft, network compromise, or other damaging outcomes. Upon triage, review the request parameters and the response to determine if the exploitation was successful. Capture and inspect any relevant network traffic and server logs to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks. -action.notable.param.rule_title = Juniper Networks Remote Code Execution Exploit Detection -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*/webauth_operation.php?PHPRC=*") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `juniper_networks_remote_code_execution_exploit_detection_filter` - -[ESCU - Log4Shell JNDI Payload Injection Attempt - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = CVE-2021-44228 Log4Shell payloads can be injected via various methods, but on of the most common vectors injection is via Web calls. Many of the vulnerable java web applications that are using log4j have a web component to them are specially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by a LDAP lookup function in the log4j package, its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, when executed against vulnerable web applications the invocation can be seen in various part of web logs. Specifically it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. In this detection we first limit the scope of our search to the Web Datamodel and use the `| from datamodel` function to benefit from schema accelerated searching capabilities, mainly because the second part of the detection is pretty heavy, it runs a regex across all _raw events that looks for `${jndi:ldap://` pattern across all potential web fields available to the raw data, like http headers for example. If you see results for this detection, it means that there was a attempt at a injection, which could be a reconnaissance activity or a valid expliotation attempt, but this does not exactly mean that the host was indeed successfully exploited. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.AE"]} -action.escu.data_models = ["Web"] -action.escu.eli5 = CVE-2021-44228 Log4Shell payloads can be injected via various methods, but on of the most common vectors injection is via Web calls. Many of the vulnerable java web applications that are using log4j have a web component to them are specially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by a LDAP lookup function in the log4j package, its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, when executed against vulnerable web applications the invocation can be seen in various part of web logs. Specifically it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. In this detection we first limit the scope of our search to the Web Datamodel and use the `| from datamodel` function to benefit from schema accelerated searching capabilities, mainly because the second part of the detection is pretty heavy, it runs a regex across all _raw events that looks for `${jndi:ldap://` pattern across all potential web fields available to the raw data, like http headers for example. If you see results for this detection, it means that there was a attempt at a injection, which could be a reconnaissance activity or a valid expliotation attempt, but this does not exactly mean that the host was indeed successfully exploited. -action.escu.how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache or Splunk for Nginx. -action.escu.known_false_positives = If there is a vulnerablility scannner looking for log4shells this will trigger, otherwise likely to have low false positives. -action.escu.creation_date = 2021-12-13 -action.escu.modification_date = 2021-12-13 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Log4Shell JNDI Payload Injection Attempt - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["CISA AA22-257A", "CISA AA22-320A", "Log4Shell CVE-2021-44228"] -action.risk = 1 -action.risk.param._risk_message = CVE-2021-44228 Log4Shell triggered for host $dest$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 15}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 15}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Log4Shell JNDI Payload Injection Attempt - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA22-257A", "CISA AA22-320A", "Log4Shell CVE-2021-44228"], "cis20": ["CIS 10"], "confidence": 30, "cve": ["CVE-2021-44228"], "impact": 50, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c184f12e-5c90-11ec-bf1f-497c9a704a72", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | from datamodel Web.Web | regex _raw="[jJnNdDiI]{4}(\:|\%3A|\/|\%2F)\w+(\:\/\/|\%3A\%2F\%2F)(\$\{.*?\}(\.)?)?" | fillnull | stats count by action, category, dest, dest_port, http_content_type, http_method, http_referrer, http_user_agent, site, src, url, url_domain, user | `log4shell_jndi_payload_injection_attempt_filter` - -[ESCU - Log4Shell JNDI Payload Injection with Outbound Connection - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = CVE-2021-44228 Log4Shell payloads can be injected via various methods, but on of the most common vectors injection is via Web calls. Many of the vulnerable java web applications that are using log4j have a web component to them are specially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by a LDAP lookup function in the log4j package, its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, when executed against vulnerable web applications the invocation can be seen in various part of web logs. Specifically it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. In this detection we match the invocation function with a network connection to a malicious ip address. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.AE"]} -action.escu.data_models = ["Network_Traffic", "Web"] -action.escu.eli5 = CVE-2021-44228 Log4Shell payloads can be injected via various methods, but on of the most common vectors injection is via Web calls. Many of the vulnerable java web applications that are using log4j have a web component to them are specially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by a LDAP lookup function in the log4j package, its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, when executed against vulnerable web applications the invocation can be seen in various part of web logs. Specifically it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. In this detection we match the invocation function with a network connection to a malicious ip address. -action.escu.how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache or Splunk for Nginx. -action.escu.known_false_positives = If there is a vulnerablility scannner looking for log4shells this will trigger, otherwise likely to have low false positives. -action.escu.creation_date = 2021-12-13 -action.escu.modification_date = 2021-12-13 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Log4Shell JNDI Payload Injection with Outbound Connection - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["CISA AA22-320A", "Log4Shell CVE-2021-44228"] -action.risk = 1 -action.risk.param._risk_message = CVE-2021-44228 Log4Shell triggered for host $dest$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 15}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 15}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Log4Shell JNDI Payload Injection with Outbound Connection - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA22-320A", "Log4Shell CVE-2021-44228"], "cis20": ["CIS 10"], "confidence": 30, "cve": ["CVE-2021-44228"], "impact": 50, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "69afee44-5c91-11ec-bf1f-497c9a704a72", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | from datamodel Web.Web | rex field=_raw max_match=0 "[jJnNdDiI]{4}(\:|\%3A|\/|\%2F)(?\w+)(\:\/\/|\%3A\%2F\%2F)(\$\{.*?\}(\.)?)?(?[a-zA-Z0-9\.\-\_\$]+)" | join affected_host type=inner [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic.All_Traffic by All_Traffic.dest | `drop_dm_object_name(All_Traffic)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename dest AS affected_host] | fillnull | stats count by action, category, dest, dest_port, http_content_type, http_method, http_referrer, http_user_agent, site, src, url, url_domain, user | `log4shell_jndi_payload_injection_with_outbound_connection_filter` - -[ESCU - Microsoft SharePoint Server Elevation of Privilege - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic detects potential exploitation attempts against Microsoft SharePoint Server vulnerability CVE-2023-29357. This vulnerability pertains to an elevation of privilege due to improper handling of authentication tokens. By monitoring for suspicious activities related to SharePoint Server, the analytic identifies attempts to exploit this vulnerability. If a true positive is detected, it indicates a serious security breach where an attacker might have gained privileged access to the SharePoint environment, potentially leading to data theft or other malicious activities. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]} -action.escu.data_models = ["Web"] -action.escu.eli5 = The following analytic detects potential exploitation attempts against Microsoft SharePoint Server vulnerability CVE-2023-29357. This vulnerability pertains to an elevation of privilege due to improper handling of authentication tokens. By monitoring for suspicious activities related to SharePoint Server, the analytic identifies attempts to exploit this vulnerability. If a true positive is detected, it indicates a serious security breach where an attacker might have gained privileged access to the SharePoint environment, potentially leading to data theft or other malicious activities. -action.escu.how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Microsoft SharePoint. -action.escu.known_false_positives = False positives may occur if there are legitimate activities that mimic the exploitation pattern. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment. -action.escu.creation_date = 2023-09-27 -action.escu.modification_date = 2023-09-27 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Microsoft SharePoint Server Elevation of Privilege - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357"] -action.risk = 1 -action.risk.param._risk_message = Possible exploitation of CVE-2023-29357 against $dest$ from $src$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 45}, {"threat_object_field": "src", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Microsoft SharePoint Server Elevation of Privilege - Rule -action.correlationsearch.annotations = {"analytic_story": ["Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357"], "cis20": ["CIS 13"], "confidence": 50, "cve": ["CVE-2023-29357"], "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "fcf4bd3f-a79f-4b7a-83bf-2692d60b859d", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects potential exploitation attempts against Microsoft SharePoint Server vulnerability CVE-2023-29357. This vulnerability pertains to an elevation of privilege due to improper handling of authentication tokens. By monitoring for suspicious activities related to SharePoint Server, the analytic identifies attempts to exploit this vulnerability. If a true positive is detected, it indicates a serious security breach where an attacker might have gained privileged access to the SharePoint environment, potentially leading to data theft or other malicious activities. -action.notable.param.rule_title = Microsoft SharePoint Server Elevation of Privilege -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("/_api/web/siteusers*","/_api/web/currentuser*") Web.status=200 Web.http_method=GET by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `microsoft_sharepoint_server_elevation_of_privilege_filter` - -[ESCU - Monitor Web Traffic For Brand Abuse - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies web requests to domains that closely resemble your monitored brand's domain, indicating potential brand abuse. It leverages data from web traffic sources, such as web proxies or network traffic analysis tools, and cross-references these with known domain permutations generated by the "ESCU - DNSTwist Domain Names" search. This activity is significant as it can indicate phishing attempts or other malicious activities targeting your brand. If confirmed malicious, attackers could deceive users, steal credentials, or distribute malware, leading to significant reputational and financial damage. -action.escu.mappings = {"cis20": ["CIS 13"], "nist": ["DE.CM"]} -action.escu.data_models = ["Web"] -action.escu.eli5 = The following analytic identifies web requests to domains that closely resemble your monitored brand's domain, indicating potential brand abuse. It leverages data from web traffic sources, such as web proxies or network traffic analysis tools, and cross-references these with known domain permutations generated by the "ESCU - DNSTwist Domain Names" search. This activity is significant as it can indicate phishing attempts or other malicious activities targeting your brand. If confirmed malicious, attackers could deceive users, steal credentials, or distribute malware, leading to significant reputational and financial damage. -action.escu.how_to_implement = You need to ingest data from your web traffic. This can be accomplished by indexing data from a web proxy, or using a network traffic analysis tool, such as Bro or Splunk Stream. You also need to have run the search "ESCU - DNSTwist Domain Names", which creates the permutations of the domain that will be checked for. -action.escu.known_false_positives = None at this time -action.escu.creation_date = 2024-05-20 -action.escu.modification_date = 2024-05-20 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Monitor Web Traffic For Brand Abuse - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Brand Monitoring"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Monitor Web Traffic For Brand Abuse - Rule -action.correlationsearch.annotations = {"analytic_story": ["Brand Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "134da869-e264-4a8f-8d7e-fcd0ec88f301", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies web requests to domains that closely resemble your monitored brand's domain, indicating potential brand abuse. It leverages data from web traffic sources, such as web proxies or network traffic analysis tools, and cross-references these with known domain permutations generated by the "ESCU - DNSTwist Domain Names" search. This activity is significant as it can indicate phishing attempts or other malicious activities targeting your brand. If confirmed malicious, attackers could deceive users, steal credentials, or distribute malware, leading to significant reputational and financial damage. -action.notable.param.rule_title = Monitor Web Traffic For Brand Abuse -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` values(Web.url) as urls min(_time) as firstTime from datamodel=Web by Web.src | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `brand_abuse_web` | `monitor_web_traffic_for_brand_abuse_filter` - -[ESCU - Nginx ConnectWise ScreenConnect Authentication Bypass - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1709 vulnerability, which allows an attacker to bypass authentication using an alternate path or channel. The vulnerability, identified as critical with a CVSS score of 10, enables unauthorized users to access the SetupWizard.aspx page on already-configured ScreenConnect instances, potentially leading to the creation of administrative users and remote code execution. The search query provided looks for web requests to the SetupWizard.aspx page that could indicate exploitation attempts. This detection is crucial for identifying and responding to active exploitation of this vulnerability in environments running affected versions of ScreenConnect (23.9.7 and prior). It is recommended to update to version 23.9.8 or above immediately to remediate the issue, as detailed in the ConnectWise security advisory and further analyzed by Huntress researchers. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = This analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1709 vulnerability, which allows an attacker to bypass authentication using an alternate path or channel. The vulnerability, identified as critical with a CVSS score of 10, enables unauthorized users to access the SetupWizard.aspx page on already-configured ScreenConnect instances, potentially leading to the creation of administrative users and remote code execution. The search query provided looks for web requests to the SetupWizard.aspx page that could indicate exploitation attempts. This detection is crucial for identifying and responding to active exploitation of this vulnerability in environments running affected versions of ScreenConnect (23.9.7 and prior). It is recommended to update to version 23.9.8 or above immediately to remediate the issue, as detailed in the ConnectWise security advisory and further analyzed by Huntress researchers. -action.escu.how_to_implement = To implement this analytic, ensure proper logging is occurring with Nginx, access.log and error.log, and that these logs are being ingested into Splunk. STRT utilizes this nginx.conf https://gist.github.com/MHaggis/26f59108b04da8f1d870c9cc3a3c8eec to properly log as much data with Nginx. -action.escu.known_false_positives = False positives are not expected, as the detection is based on the presence of web requests to the SetupWizard.aspx page, which is not a common page to be accessed by legitimate users. Note that the analytic is limited to HTTP POST and a status of 200 to reduce false positives. Modify the query as needed to reduce false positives or hunt for additional indicators of compromise. -action.escu.creation_date = 2024-02-23 -action.escu.modification_date = 2024-02-23 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Nginx ConnectWise ScreenConnect Authentication Bypass - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["ConnectWise ScreenConnect Vulnerabilities"] -action.risk = 1 -action.risk.param._risk_message = An authentication bypass attempt against ScreenConnect has been detected on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 100}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Nginx ConnectWise ScreenConnect Authentication Bypass - Rule -action.correlationsearch.annotations = {"analytic_story": ["ConnectWise ScreenConnect Vulnerabilities"], "cis20": ["CIS 13"], "confidence": 100, "cve": ["CVE-2024-1708", "CVE-2024-1709"], "impact": 100, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "b3f7a803-e802-448b-8eb2-e796b223bccc", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1709 vulnerability, which allows an attacker to bypass authentication using an alternate path or channel. The vulnerability, identified as critical with a CVSS score of 10, enables unauthorized users to access the SetupWizard.aspx page on already-configured ScreenConnect instances, potentially leading to the creation of administrative users and remote code execution. The search query provided looks for web requests to the SetupWizard.aspx page that could indicate exploitation attempts. This detection is crucial for identifying and responding to active exploitation of this vulnerability in environments running affected versions of ScreenConnect (23.9.7 and prior). It is recommended to update to version 23.9.8 or above immediately to remediate the issue, as detailed in the ConnectWise security advisory and further analyzed by Huntress researchers. -action.notable.param.rule_title = Nginx ConnectWise ScreenConnect Authentication Bypass -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `nginx_access_logs` uri_path IN ("*/SetupWizard.aspx/*","*/SetupWizard/") status=200 http_method=POST | stats count min(_time) as firstTime max(_time) as lastTime by src, dest, http_user_agent, url, uri_path, status, http_method, sourcetype, source | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `nginx_connectwise_screenconnect_authentication_bypass_filter` - -[ESCU - PaperCut NG Remote Web Access Attempt - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic is designed to detect potential exploitation attempts on publicly accessible PaperCut NG servers. It identifies connections from public IP addresses to the server and specifically monitors for URI paths commonly found in proof-of-concept (POC) scripts for exploiting PaperCut NG vulnerabilities. These URI paths have been observed in both Metasploit modules and standalone scripts used for attacking PaperCut NG servers. When a public IP address is detected accessing one or more of these suspicious URI paths, an alert may be generated to notify the security team of the potential threat. The team can then investigate the source IP address, the targeted PaperCut NG server, and any other relevant information to determine the nature of the activity and take appropriate actions to mitigate the risk. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} -action.escu.data_models = ["Web"] -action.escu.eli5 = The following analytic is designed to detect potential exploitation attempts on publicly accessible PaperCut NG servers. It identifies connections from public IP addresses to the server and specifically monitors for URI paths commonly found in proof-of-concept (POC) scripts for exploiting PaperCut NG vulnerabilities. These URI paths have been observed in both Metasploit modules and standalone scripts used for attacking PaperCut NG servers. When a public IP address is detected accessing one or more of these suspicious URI paths, an alert may be generated to notify the security team of the potential threat. The team can then investigate the source IP address, the targeted PaperCut NG server, and any other relevant information to determine the nature of the activity and take appropriate actions to mitigate the risk. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel. -action.escu.known_false_positives = False positives may be present, filter as needed. -action.escu.creation_date = 2023-05-15 -action.escu.modification_date = 2023-05-15 -action.escu.confidence = high -action.escu.full_search_name = ESCU - PaperCut NG Remote Web Access Attempt - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["PaperCut MF NG Vulnerability"] -action.risk = 1 -action.risk.param._risk_message = URIs specific to PaperCut NG have been access by a public IP against $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - PaperCut NG Remote Web Access Attempt - Rule -action.correlationsearch.annotations = {"analytic_story": ["PaperCut MF NG Vulnerability"], "cis20": ["CIS 13"], "confidence": 70, "impact": 90, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "9fcb214a-dc42-4ce7-a650-f1d2cab16a6a", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic is designed to detect potential exploitation attempts on publicly accessible PaperCut NG servers. It identifies connections from public IP addresses to the server and specifically monitors for URI paths commonly found in proof-of-concept (POC) scripts for exploiting PaperCut NG vulnerabilities. These URI paths have been observed in both Metasploit modules and standalone scripts used for attacking PaperCut NG servers. When a public IP address is detected accessing one or more of these suspicious URI paths, an alert may be generated to notify the security team of the potential threat. The team can then investigate the source IP address, the targeted PaperCut NG server, and any other relevant information to determine the nature of the activity and take appropriate actions to mitigate the risk. -action.notable.param.rule_title = PaperCut NG Remote Web Access Attempt -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats count from datamodel=Web where Web.url IN ("/app?service=page/SetupCompleted", "/app", "/app?service=page/PrinterList", "/app?service=direct/1/PrinterList/selectPrinter&sp=*", "/app?service=direct/1/PrinterDetails/printerOptionsTab.tab") NOT (src IN ("10.*.*.*","172.16.*.*", "192.168.*.*", "169.254.*.*", "127.*.*.*", "fc00::*", "fd00::*", "fe80::*")) by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest Web.dest_port sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `papercut_ng_remote_web_access_attempt_filter` - -[ESCU - ProxyShell ProxyNotShell Behavior Detected - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following correlation will identify activity related to Windows Exchange being actively exploited by adversaries related to ProxyShell or ProxyNotShell. In addition, the analytic correlates post-exploitation Cobalt Strike analytic story. Common post-exploitation behavior has been seen in the wild includes adversaries running nltest, Cobalt Strike, Mimikatz and adding a new user. The correlation specifically looks for 5 distinct analyticstories to trigger. Modify or tune as needed for your organization. 5 analytics is an arbitrary number but was chosen to reduce the amount of noise but also require the 2 analytic stories or a ProxyShell and CobaltStrike to fire. Adversaries will exploit the vulnerable Exchange server, abuse SSRF, drop a web shell, utilize the PowerShell Exchange modules and begin post-exploitation. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.AE"]} -action.escu.data_models = ["Risk"] -action.escu.eli5 = The following correlation will identify activity related to Windows Exchange being actively exploited by adversaries related to ProxyShell or ProxyNotShell. In addition, the analytic correlates post-exploitation Cobalt Strike analytic story. Common post-exploitation behavior has been seen in the wild includes adversaries running nltest, Cobalt Strike, Mimikatz and adding a new user. The correlation specifically looks for 5 distinct analyticstories to trigger. Modify or tune as needed for your organization. 5 analytics is an arbitrary number but was chosen to reduce the amount of noise but also require the 2 analytic stories or a ProxyShell and CobaltStrike to fire. Adversaries will exploit the vulnerable Exchange server, abuse SSRF, drop a web shell, utilize the PowerShell Exchange modules and begin post-exploitation. -action.escu.how_to_implement = To implement this correlation, you will need to enable ProxyShell, ProxyNotShell and Cobalt Strike analytic stories (the anaytics themselves) and ensure proper data is being collected for Web and Endpoint datamodels. Run the correlation rule seperately to validate it is not triggering too much or generating incorrectly. Validate by running ProxyShell POC code and Cobalt Strike behavior. -action.escu.known_false_positives = False positives will be limited, however tune or modify the query as needed. -action.escu.creation_date = 2023-07-10 -action.escu.modification_date = 2023-07-10 -action.escu.confidence = high -action.escu.full_search_name = ESCU - ProxyShell ProxyNotShell Behavior Detected - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["BlackByte Ransomware", "ProxyNotShell", "ProxyShell"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - RIR - ProxyShell ProxyNotShell Behavior Detected - Rule -action.correlationsearch.annotations = {"analytic_story": ["BlackByte Ransomware", "ProxyNotShell", "ProxyShell"], "cis20": ["CIS 13"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.AE"], "type": "Correlation"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c32fab32-6aaf-492d-bfaf-acbed8e50cdf", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following correlation will identify activity related to Windows Exchange being actively exploited by adversaries related to ProxyShell or ProxyNotShell. In addition, the analytic correlates post-exploitation Cobalt Strike analytic story. Common post-exploitation behavior has been seen in the wild includes adversaries running nltest, Cobalt Strike, Mimikatz and adding a new user. The correlation specifically looks for 5 distinct analyticstories to trigger. Modify or tune as needed for your organization. 5 analytics is an arbitrary number but was chosen to reduce the amount of noise but also require the 2 analytic stories or a ProxyShell and CobaltStrike to fire. Adversaries will exploit the vulnerable Exchange server, abuse SSRF, drop a web shell, utilize the PowerShell Exchange modules and begin post-exploitation. -action.notable.param.rule_title = RBA: ProxyShell ProxyNotShell Behavior Detected -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.analyticstories) as analyticstories values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count dc(All_Risk.analyticstories) as dc_analyticstories from datamodel=Risk.All_Risk where All_Risk.analyticstories IN ("ProxyNotShell","ProxyShell") OR (All_Risk.analyticstories IN ("ProxyNotShell","ProxyShell") AND All_Risk.analyticstories="Cobalt Strike") All_Risk.risk_object_type="system" by _time span=1h All_Risk.risk_object All_Risk.risk_object_type | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| where source_count >=5 | `proxyshell_proxynotshell_behavior_detected_filter` - -[ESCU - Spring4Shell Payload URL Request - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic is static indicators related to CVE-2022-22963, Spring4Shell. The 3 indicators provide an amount of fidelity that source IP is attemping to exploit a web shell on the destination. The filename and cmd are arbitrary in this exploitation. Java will write a JSP to disk and a process will spawn from Java based on the cmd passed. This is indicative of typical web shell activity. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1505.003", "T1505", "T1190", "T1133"], "nist": ["DE.CM"]} -action.escu.data_models = ["Web"] -action.escu.eli5 = The following analytic is static indicators related to CVE-2022-22963, Spring4Shell. The 3 indicators provide an amount of fidelity that source IP is attemping to exploit a web shell on the destination. The filename and cmd are arbitrary in this exploitation. Java will write a JSP to disk and a process will spawn from Java based on the cmd passed. This is indicative of typical web shell activity. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel. -action.escu.known_false_positives = The jsp file names are static names used in current proof of concept code. = -action.escu.creation_date = 2022-07-12 -action.escu.modification_date = 2022-07-12 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Spring4Shell Payload URL Request - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Spring4Shell CVE-2022-22965"] -action.risk = 1 -action.risk.param._risk_message = A URL was requested related to Spring4Shell POC code on $dest$ by $src$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 36}, {"threat_object_field": "src", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Spring4Shell Payload URL Request - Rule -action.correlationsearch.annotations = {"analytic_story": ["Spring4Shell CVE-2022-22965"], "cis20": ["CIS 13"], "confidence": 60, "cve": ["CVE-2022-22965"], "impact": 60, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1505.003", "T1505", "T1190", "T1133"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "9d44d649-7d67-4559-95c1-8022ff49420b", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic is static indicators related to CVE-2022-22963, Spring4Shell. The 3 indicators provide an amount of fidelity that source IP is attemping to exploit a web shell on the destination. The filename and cmd are arbitrary in this exploitation. Java will write a JSP to disk and a process will spawn from Java based on the cmd passed. This is indicative of typical web shell activity. -action.notable.param.rule_title = Spring4Shell Payload URL Request -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats count from datamodel=Web where Web.http_method IN ("GET") Web.url IN ("*tomcatwar.jsp*","*poc.jsp*","*shell.jsp*") by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spring4shell_payload_url_request_filter` - -[ESCU - SQL Injection with Long URLs - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic detects long URLs that contain multiple SQL commands. A proactive approach helps to detect and respond to potential threats earlier, mitigating the risks associated with SQL injection attacks. This detection is made by a Splunk query that searches for web traffic data where the destination category is a web server and the URL length is greater than 1024 characters or the HTTP user agent length is greater than 200 characters. This detection is important because it suggests that an attacker is attempting to exploit a web application through SQL injection. SQL injection is a common technique used by attackers to exploit vulnerabilities in web applications and gain unauthorized access to databases. Attackers can insert malicious SQL commands into a URL to manipulate the application's database and retrieve sensitive information or modify data. The impact of a successful SQL injection attack can be severe, potentially leading to data breaches, unauthorized access, and even complete compromise of the affected system. False positives might occur since the legitimate use of web applications or specific URLs in your environment can trigger the detection. Therefore, you must review and validate any alerts generated by this analytic before taking any action. Next steps include reviewing the source and destination of the web traffic, as well as the specific URL and HTTP user agent. Additionally, capture and analyze any relevant on-disk artifacts and review concurrent processes to determine the source of the attack. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} -action.escu.data_models = ["Web"] -action.escu.eli5 = The following analytic detects long URLs that contain multiple SQL commands. A proactive approach helps to detect and respond to potential threats earlier, mitigating the risks associated with SQL injection attacks. This detection is made by a Splunk query that searches for web traffic data where the destination category is a web server and the URL length is greater than 1024 characters or the HTTP user agent length is greater than 200 characters. This detection is important because it suggests that an attacker is attempting to exploit a web application through SQL injection. SQL injection is a common technique used by attackers to exploit vulnerabilities in web applications and gain unauthorized access to databases. Attackers can insert malicious SQL commands into a URL to manipulate the application's database and retrieve sensitive information or modify data. The impact of a successful SQL injection attack can be severe, potentially leading to data breaches, unauthorized access, and even complete compromise of the affected system. False positives might occur since the legitimate use of web applications or specific URLs in your environment can trigger the detection. Therefore, you must review and validate any alerts generated by this analytic before taking any action. Next steps include reviewing the source and destination of the web traffic, as well as the specific URL and HTTP user agent. Additionally, capture and analyze any relevant on-disk artifacts and review concurrent processes to determine the source of the attack. -action.escu.how_to_implement = To successfully implement this search, you need to be monitoring network communications to your web servers or ingesting your HTTP logs and populating the Web data model. You must also identify your web servers in the Enterprise Security assets table. -action.escu.known_false_positives = It's possible that legitimate traffic will have long URLs or long user agent strings and that common SQL commands may be found within the URL. Please investigate as appropriate. -action.escu.creation_date = 2022-03-28 -action.escu.modification_date = 2022-03-28 -action.escu.confidence = high -action.escu.full_search_name = ESCU - SQL Injection with Long URLs - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["SQL Injection"] -action.risk = 1 -action.risk.param._risk_message = SQL injection attempt with url $url$ detected on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - SQL Injection with Long URLs - Rule -action.correlationsearch.annotations = {"analytic_story": ["SQL Injection"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "e0aad4cf-0790-423b-8328-7564d0d938f9", "detection_version": "3"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects long URLs that contain multiple SQL commands. A proactive approach helps to detect and respond to potential threats earlier, mitigating the risks associated with SQL injection attacks. This detection is made by a Splunk query that searches for web traffic data where the destination category is a web server and the URL length is greater than 1024 characters or the HTTP user agent length is greater than 200 characters. This detection is important because it suggests that an attacker is attempting to exploit a web application through SQL injection. SQL injection is a common technique used by attackers to exploit vulnerabilities in web applications and gain unauthorized access to databases. Attackers can insert malicious SQL commands into a URL to manipulate the application's database and retrieve sensitive information or modify data. The impact of a successful SQL injection attack can be severe, potentially leading to data breaches, unauthorized access, and even complete compromise of the affected system. False positives might occur since the legitimate use of web applications or specific URLs in your environment can trigger the detection. Therefore, you must review and validate any alerts generated by this analytic before taking any action. Next steps include reviewing the source and destination of the web traffic, as well as the specific URL and HTTP user agent. Additionally, capture and analyze any relevant on-disk artifacts and review concurrent processes to determine the source of the attack. -action.notable.param.rule_title = SQL Injection with Long URLs -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count from datamodel=Web where Web.dest_category=web_server AND (Web.url_length > 1024 OR Web.http_user_agent_length > 200) by Web.src Web.dest Web.url Web.url_length Web.http_user_agent | `drop_dm_object_name("Web")` | eval url=lower(url) | eval num_sql_cmds=mvcount(split(url, "alter%20table")) + mvcount(split(url, "between")) + mvcount(split(url, "create%20table")) + mvcount(split(url, "create%20database")) + mvcount(split(url, "create%20index")) + mvcount(split(url, "create%20view")) + mvcount(split(url, "delete")) + mvcount(split(url, "drop%20database")) + mvcount(split(url, "drop%20index")) + mvcount(split(url, "drop%20table")) + mvcount(split(url, "exists")) + mvcount(split(url, "exec")) + mvcount(split(url, "group%20by")) + mvcount(split(url, "having")) + mvcount(split(url, "insert%20into")) + mvcount(split(url, "inner%20join")) + mvcount(split(url, "left%20join")) + mvcount(split(url, "right%20join")) + mvcount(split(url, "full%20join")) + mvcount(split(url, "select")) + mvcount(split(url, "distinct")) + mvcount(split(url, "select%20top")) + mvcount(split(url, "union")) + mvcount(split(url, "xp_cmdshell")) - 24 | where num_sql_cmds > 3 | `sql_injection_with_long_urls_filter` - -[ESCU - Supernova Webshell - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic detects the presence of the Supernova webshell, which was used in the SUNBURST attack. This webshell can be used by attackers to gain unauthorized access to a compromised system and run arbitrary code. This detection is made by a Splunk query that searches for specific patterns in web URLs, including "*logoimagehandler.ashx*codes*", "*logoimagehandler.ashx*clazz*", "*logoimagehandler.ashx*method*", and "*logoimagehandler.ashx*args*". These patterns are commonly used by the Supernova webshell to communicate with its command and control server. This detection is important because it indicates a potential compromise and unauthorized access to the system to run arbitrary code, which can lead to data theft, ransomware, or other damaging outcomes. False positives might occur since the patterns used by the webshell can also be present in legitimate web traffic. In such cases, tune the search to the specific environment and monitor it closely for any suspicious activity. Next steps include reviewing the web URLs and inspecting any relevant on-disk artifacts. Additionally, review concurrent processes and network connections to identify the source of the attack. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1505.003", "T1133"], "nist": ["DE.CM"]} -action.escu.data_models = ["Web"] -action.escu.eli5 = The following analytic detects the presence of the Supernova webshell, which was used in the SUNBURST attack. This webshell can be used by attackers to gain unauthorized access to a compromised system and run arbitrary code. This detection is made by a Splunk query that searches for specific patterns in web URLs, including "*logoimagehandler.ashx*codes*", "*logoimagehandler.ashx*clazz*", "*logoimagehandler.ashx*method*", and "*logoimagehandler.ashx*args*". These patterns are commonly used by the Supernova webshell to communicate with its command and control server. This detection is important because it indicates a potential compromise and unauthorized access to the system to run arbitrary code, which can lead to data theft, ransomware, or other damaging outcomes. False positives might occur since the patterns used by the webshell can also be present in legitimate web traffic. In such cases, tune the search to the specific environment and monitor it closely for any suspicious activity. Next steps include reviewing the web URLs and inspecting any relevant on-disk artifacts. Additionally, review concurrent processes and network connections to identify the source of the attack. -action.escu.how_to_implement = To successfully implement this search, you need to be monitoring web traffic to your Solarwinds Orion. The logs should be ingested into splunk and populating/mapped to the Web data model. -action.escu.known_false_positives = There might be false positives associted with this detection since items like args as a web argument is pretty generic. -action.escu.creation_date = 2021-01-06 -action.escu.modification_date = 2021-01-06 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Supernova Webshell - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["NOBELIUM Group"] -action.risk = 1 -action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Experimental - Supernova Webshell - Rule -action.correlationsearch.annotations = {"analytic_story": ["NOBELIUM Group"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1505.003", "T1133"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "2ec08a09-9ff1-4dac-b59f-1efd57972ec1", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects the presence of the Supernova webshell, which was used in the SUNBURST attack. This webshell can be used by attackers to gain unauthorized access to a compromised system and run arbitrary code. This detection is made by a Splunk query that searches for specific patterns in web URLs, including "*logoimagehandler.ashx*codes*", "*logoimagehandler.ashx*clazz*", "*logoimagehandler.ashx*method*", and "*logoimagehandler.ashx*args*". These patterns are commonly used by the Supernova webshell to communicate with its command and control server. This detection is important because it indicates a potential compromise and unauthorized access to the system to run arbitrary code, which can lead to data theft, ransomware, or other damaging outcomes. False positives might occur since the patterns used by the webshell can also be present in legitimate web traffic. In such cases, tune the search to the specific environment and monitor it closely for any suspicious activity. Next steps include reviewing the web URLs and inspecting any relevant on-disk artifacts. Additionally, review concurrent processes and network connections to identify the source of the attack. -action.notable.param.rule_title = Supernova Webshell -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count from datamodel=Web.Web where web.url=*logoimagehandler.ashx*codes* OR Web.url=*logoimagehandler.ashx*clazz* OR Web.url=*logoimagehandler.ashx*method* OR Web.url=*logoimagehandler.ashx*args* by Web.src Web.dest Web.url Web.vendor_product Web.user Web.http_user_agent _time span=1s | `supernova_webshell_filter` - -[ESCU - VMWare Aria Operations Exploit Attempt - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic is designed to detect potential exploitation attempts against VMWare vRealize Network Insight that align with the characteristics of CVE-2023-20887. This specific vulnerability is a critical security flaw that, if exploited, could allow an attacker to execute arbitrary code on the affected system. \ -The analytic operates by monitoring web traffic, specifically HTTP POST requests, directed towards a specific URL endpoint ("/saas./resttosaasservlet"). This endpoint is known to be vulnerable and is a common target for attackers exploiting this vulnerability. \ -The behavior this analytic detects is the sending of HTTP POST requests to the vulnerable endpoint. This is a significant indicator of an attempted exploit as it is the primary method used to trigger the vulnerability. The analytic detects this behavior by analyzing web traffic data and identifying HTTP POST requests directed at the vulnerable endpoint. \ -Identifying this behavior is crucial for a Security Operations Center (SOC) as it can indicate an active attempt to exploit a known vulnerability within the network. If the identified behavior is a true positive, it suggests an attacker is attempting to exploit the CVE-2023-20887 vulnerability in VMWare vRealize Network Insight. The impact of such an attack could be severe, potentially allowing the attacker to execute arbitrary code on the affected system, leading to unauthorized access, data theft, or further propagation within the network. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1133", "T1190", "T1210", "T1068"], "nist": ["DE.CM"]} -action.escu.data_models = ["Web"] -action.escu.eli5 = The following analytic is designed to detect potential exploitation attempts against VMWare vRealize Network Insight that align with the characteristics of CVE-2023-20887. This specific vulnerability is a critical security flaw that, if exploited, could allow an attacker to execute arbitrary code on the affected system. \ -The analytic operates by monitoring web traffic, specifically HTTP POST requests, directed towards a specific URL endpoint ("/saas./resttosaasservlet"). This endpoint is known to be vulnerable and is a common target for attackers exploiting this vulnerability. \ -The behavior this analytic detects is the sending of HTTP POST requests to the vulnerable endpoint. This is a significant indicator of an attempted exploit as it is the primary method used to trigger the vulnerability. The analytic detects this behavior by analyzing web traffic data and identifying HTTP POST requests directed at the vulnerable endpoint. \ -Identifying this behavior is crucial for a Security Operations Center (SOC) as it can indicate an active attempt to exploit a known vulnerability within the network. If the identified behavior is a true positive, it suggests an attacker is attempting to exploit the CVE-2023-20887 vulnerability in VMWare vRealize Network Insight. The impact of such an attack could be severe, potentially allowing the attacker to execute arbitrary code on the affected system, leading to unauthorized access, data theft, or further propagation within the network. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. Restrict to specific dest assets to reduce false positives. -action.escu.known_false_positives = False positives will be present based on gateways in use, modify the status field as needed. -action.escu.creation_date = 2023-06-21 -action.escu.modification_date = 2023-06-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - VMWare Aria Operations Exploit Attempt - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["VMware Aria Operations vRealize CVE-2023-20887"] -action.risk = 1 -action.risk.param._risk_message = An exploitation attempt has occurred against $dest$ from $src$ related to CVE-2023-20887 -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}, {"threat_object_field": "src", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - VMWare Aria Operations Exploit Attempt - Rule -action.correlationsearch.annotations = {"analytic_story": ["VMware Aria Operations vRealize CVE-2023-20887"], "cis20": ["CIS 13"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "mitre_attack": ["T1133", "T1190", "T1210", "T1068"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "d5d865e4-03e6-43da-98f4-28a4f42d4df7", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic is designed to detect potential exploitation attempts against VMWare vRealize Network Insight that align with the characteristics of CVE-2023-20887. This specific vulnerability is a critical security flaw that, if exploited, could allow an attacker to execute arbitrary code on the affected system. \ -The analytic operates by monitoring web traffic, specifically HTTP POST requests, directed towards a specific URL endpoint ("/saas./resttosaasservlet"). This endpoint is known to be vulnerable and is a common target for attackers exploiting this vulnerability. \ -The behavior this analytic detects is the sending of HTTP POST requests to the vulnerable endpoint. This is a significant indicator of an attempted exploit as it is the primary method used to trigger the vulnerability. The analytic detects this behavior by analyzing web traffic data and identifying HTTP POST requests directed at the vulnerable endpoint. \ -Identifying this behavior is crucial for a Security Operations Center (SOC) as it can indicate an active attempt to exploit a known vulnerability within the network. If the identified behavior is a true positive, it suggests an attacker is attempting to exploit the CVE-2023-20887 vulnerability in VMWare vRealize Network Insight. The impact of such an attack could be severe, potentially allowing the attacker to execute arbitrary code on the affected system, leading to unauthorized access, data theft, or further propagation within the network. -action.notable.param.rule_title = VMWare Aria Operations Exploit Attempt -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*/saas./resttosaasservlet*") Web.http_method=POST Web.status IN ("unknown", "200") by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `vmware_aria_operations_exploit_attempt_filter` - -[ESCU - VMware Server Side Template Injection Hunt - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies potential server-side template injection attempts related to CVE-2022-22954. It detects suspicious URL patterns containing "deviceudid" and keywords like "java.lang.ProcessBuilder" or "freemarker.template.utility.ObjectConstructor" using web or proxy logs within the Web Datamodel. This activity is significant as it may indicate an attempt to exploit a known vulnerability in VMware, potentially leading to remote code execution. If confirmed malicious, attackers could gain unauthorized access, execute arbitrary code, and compromise the affected system, posing a severe security risk. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.AE"]} -action.escu.data_models = ["Web"] -action.escu.eli5 = The following analytic identifies potential server-side template injection attempts related to CVE-2022-22954. It detects suspicious URL patterns containing "deviceudid" and keywords like "java.lang.ProcessBuilder" or "freemarker.template.utility.ObjectConstructor" using web or proxy logs within the Web Datamodel. This activity is significant as it may indicate an attempt to exploit a known vulnerability in VMware, potentially leading to remote code execution. If confirmed malicious, attackers could gain unauthorized access, execute arbitrary code, and compromise the affected system, posing a severe security risk. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. For additional filtering, allow list private IP space or restrict by known good. -action.escu.known_false_positives = False positives may be present if the activity is blocked or was not successful. Filter known vulnerablity scanners. Filter as needed. -action.escu.creation_date = 2024-05-12 -action.escu.modification_date = 2024-05-12 -action.escu.confidence = high -action.escu.full_search_name = ESCU - VMware Server Side Template Injection Hunt - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["VMware Server Side Injection and Privilege Escalation"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - VMware Server Side Template Injection Hunt - Rule -action.correlationsearch.annotations = {"analytic_story": ["VMware Server Side Injection and Privilege Escalation"], "cis20": ["CIS 13"], "confidence": 50, "cve": ["CVE-2022-22954"], "impact": 70, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.AE"], "type": "Hunting"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "5796b570-ad12-44df-b1b5-b7e6ae3aabb0", "detection_version": "2"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats count from datamodel=Web where Web.http_method IN ("GET") Web.url="*deviceudid=*" AND Web.url IN ("*java.lang.ProcessBuilder*","*freemarker.template.utility.ObjectConstructor*") by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `vmware_server_side_template_injection_hunt_filter` - -[ESCU - VMware Workspace ONE Freemarker Server-side Template Injection - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the server side template injection related to CVE-2022-22954. Based on the scanning activity across the internet and proof of concept code available the template injection occurs at catalog-portal/ui/oauth/verify?error=&deviceudid=. Upon triage, review parallel processes and VMware logs. Following the deviceudid= may be a command to be executed. Capture any file creates and review modified files on disk. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.AE"]} -action.escu.data_models = ["Web"] -action.escu.eli5 = The following analytic identifies the server side template injection related to CVE-2022-22954. Based on the scanning activity across the internet and proof of concept code available the template injection occurs at catalog-portal/ui/oauth/verify?error=&deviceudid=. Upon triage, review parallel processes and VMware logs. Following the deviceudid= may be a command to be executed. Capture any file creates and review modified files on disk. -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. For additional filtering, allow list private IP space or restrict by known good. -action.escu.known_false_positives = False positives may be present if the activity is blocked or was not successful. Filter known vulnerablity scanners. Filter as needed. -action.escu.creation_date = 2022-05-19 -action.escu.modification_date = 2022-05-19 -action.escu.confidence = high -action.escu.full_search_name = ESCU - VMware Workspace ONE Freemarker Server-side Template Injection - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["VMware Server Side Injection and Privilege Escalation"] -action.risk = 1 -action.risk.param._risk_message = An attempt to exploit a VMware Server Side Injection CVE-2022-22954 on $dest$ has occurred. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - VMware Workspace ONE Freemarker Server-side Template Injection - Rule -action.correlationsearch.annotations = {"analytic_story": ["VMware Server Side Injection and Privilege Escalation"], "cis20": ["CIS 13"], "confidence": 70, "cve": ["CVE-2022-22954"], "impact": 70, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "9e5726fe-8fde-460e-bd74-cddcf6c86113", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats count from datamodel=Web where Web.http_method IN ("GET") Web.url="*/catalog-portal/ui/oauth/verify?error=&deviceudid=*" AND Web.url="*freemarker.template.utility.Execute*" by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `vmware_workspace_one_freemarker_server_side_template_injection_filter` - -[ESCU - Web JSP Request via URL - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the common URL requests used by a recent CVE - CVE-2022-22965, or Spring4Shell, to access a webshell on the remote webserver. The filename and cmd are arbitrary in this exploitation. Java will write a JSP to disk and a process will spawn from Java based on the cmd passed. This is indicative of typical web shell activity. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1505.003", "T1505", "T1190", "T1133"], "nist": ["DE.CM"]} -action.escu.data_models = ["Web"] -action.escu.eli5 = The following analytic identifies the common URL requests used by a recent CVE - CVE-2022-22965, or Spring4Shell, to access a webshell on the remote webserver. The filename and cmd are arbitrary in this exploitation. Java will write a JSP to disk and a process will spawn from Java based on the cmd passed. This is indicative of typical web shell activity. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel. -action.escu.known_false_positives = False positives may be present with legitimate applications. Attempt to filter by dest IP or use Asset groups to restrict to servers. -action.escu.creation_date = 2022-04-05 -action.escu.modification_date = 2022-04-05 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Web JSP Request via URL - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Spring4Shell CVE-2022-22965"] -action.risk = 1 -action.risk.param._risk_message = A suspicious URL has been requested against $dest$ by $src$, related to web shell activity. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}, {"threat_object_field": "src", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Web JSP Request via URL - Rule -action.correlationsearch.annotations = {"analytic_story": ["Spring4Shell CVE-2022-22965"], "cis20": ["CIS 13"], "confidence": 80, "cve": ["CVE-2022-22965"], "impact": 90, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1505.003", "T1505", "T1190", "T1133"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "2850c734-2d44-4431-8139-1a56f6f54c01", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the common URL requests used by a recent CVE - CVE-2022-22965, or Spring4Shell, to access a webshell on the remote webserver. The filename and cmd are arbitrary in this exploitation. Java will write a JSP to disk and a process will spawn from Java based on the cmd passed. This is indicative of typical web shell activity. -action.notable.param.rule_title = Web JSP Request via URL -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats count from datamodel=Web where Web.http_method IN ("GET") Web.url IN ("*.jsp?cmd=*","*j&cmd=*") by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `web_jsp_request_via_url_filter` - -[ESCU - Web Remote ShellServlet Access - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = This analytic identifies attempts to access the Remote ShellServlet on a web server, which is utilized to execute commands. Such activity is commonly linked with web shells and other forms of malicious behavior. It was specifically detected on a Confluence server in relation to CVE-2023-22518 and CVE-2023-22515. Activities preceding access to the shell servlet include the addition of a plugin to Confluence. Additionally, it is advisable to monitor for ShellServlet?act=3, ShellServlet, or obfuscated variations such as Sh3llServlet1. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} -action.escu.data_models = ["Web"] -action.escu.eli5 = This analytic identifies attempts to access the Remote ShellServlet on a web server, which is utilized to execute commands. Such activity is commonly linked with web shells and other forms of malicious behavior. It was specifically detected on a Confluence server in relation to CVE-2023-22518 and CVE-2023-22515. Activities preceding access to the shell servlet include the addition of a plugin to Confluence. Additionally, it is advisable to monitor for ShellServlet?act=3, ShellServlet, or obfuscated variations such as Sh3llServlet1. -action.escu.how_to_implement = This analytic necessitates the collection of web data, which can be achieved through Splunk Stream or by utilizing the Splunk Add-on for Apache Web Server. No additional configuration is required for this analytic. -action.escu.known_false_positives = False positives may occur depending on the web server's configuration. If the web server is intentionally configured to utilize the Remote ShellServlet, then the detections by this analytic would not be considered true positives. -action.escu.creation_date = 2024-04-02 -action.escu.modification_date = 2024-04-02 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Web Remote ShellServlet Access - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server"] -action.risk = 1 -action.risk.param._risk_message = An attempt to access the Remote ShellServlet on a web server was detected. The source IP is $src$ and the destination hostname is $dest$. -action.risk.param._risk = [{"threat_object_field": "src", "threat_object_type": "ip_address"}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 81}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Web Remote ShellServlet Access - Rule -action.correlationsearch.annotations = {"analytic_story": ["CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server"], "cis20": ["CIS 13"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "c2a332c3-24a2-4e24-9455-0e80332e6746", "detection_version": "2"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic identifies attempts to access the Remote ShellServlet on a web server, which is utilized to execute commands. Such activity is commonly linked with web shells and other forms of malicious behavior. It was specifically detected on a Confluence server in relation to CVE-2023-22518 and CVE-2023-22515. Activities preceding access to the shell servlet include the addition of a plugin to Confluence. Additionally, it is advisable to monitor for ShellServlet?act=3, ShellServlet, or obfuscated variations such as Sh3llServlet1. -action.notable.param.rule_title = Web Remote ShellServlet Access -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*plugins/servlet/com.jsos.shell/*") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `web_remote_shellservlet_access_filter` - -[ESCU - Web Spring4Shell HTTP Request Class Module - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies the payload related to Spring4Shell, CVE-2022-22965. This analytic uses Splunk Stream HTTP to view the http request body, form data. STRT reviewed all the current proof of concept code and determined the commonality with the payloads being passed used the same fields "class.module.classLoader.resources.context.parent.pipeline.first". -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies the payload related to Spring4Shell, CVE-2022-22965. This analytic uses Splunk Stream HTTP to view the http request body, form data. STRT reviewed all the current proof of concept code and determined the commonality with the payloads being passed used the same fields "class.module.classLoader.resources.context.parent.pipeline.first". -action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the stream HTTP logs or network logs that catch network traffic. Make sure that the http-request-body, payload, or request field is enabled. -action.escu.known_false_positives = False positives may occur and filtering may be required. Restrict analytic to asset type. -action.escu.creation_date = 2022-04-06 -action.escu.modification_date = 2022-04-06 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Web Spring4Shell HTTP Request Class Module - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Spring4Shell CVE-2022-22965"] -action.risk = 1 -action.risk.param._risk_message = A http body request related to Spring4Shell has been sent to $dest$ by $src$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}, {"threat_object_field": "src", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Web Spring4Shell HTTP Request Class Module - Rule -action.correlationsearch.annotations = {"analytic_story": ["Spring4Shell CVE-2022-22965"], "cis20": ["CIS 13"], "confidence": 80, "cve": ["CVE-2022-22965"], "impact": 90, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "fcdfd69d-0ca3-4476-920e-9b633cb4593e", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the payload related to Spring4Shell, CVE-2022-22965. This analytic uses Splunk Stream HTTP to view the http request body, form data. STRT reviewed all the current proof of concept code and determined the commonality with the payloads being passed used the same fields "class.module.classLoader.resources.context.parent.pipeline.first". -action.notable.param.rule_title = Web Spring4Shell HTTP Request Class Module -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `stream_http` http_method IN ("POST") | stats values(form_data) as http_request_body min(_time) as firstTime max(_time) as lastTime count by src dest http_method http_user_agent uri_path url bytes_in bytes_out | search http_request_body IN ("*class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=_*", "*class.module.classLoader.resources.context.parent.pipeline.first.pattern*","*suffix=.jsp*") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `web_spring4shell_http_request_class_module_filter` - -[ESCU - Web Spring Cloud Function FunctionRouter - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies activity related to the web application Spring Cloud Function that was recently idenfied as vulnerable. This is CVE-2022-22963. Multiple proof of concept code was released. The URI that is hit includes `functionrouter`. The specifics of the exploit include a status of 500. In this query we did not include it, but for filtering you can add Web.status=500. The exploit data itself (based on all the POCs) is located in the form_data field. This field will include all class.modules being called. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} -action.escu.data_models = ["Web"] -action.escu.eli5 = The following analytic identifies activity related to the web application Spring Cloud Function that was recently idenfied as vulnerable. This is CVE-2022-22963. Multiple proof of concept code was released. The URI that is hit includes `functionrouter`. The specifics of the exploit include a status of 500. In this query we did not include it, but for filtering you can add Web.status=500. The exploit data itself (based on all the POCs) is located in the form_data field. This field will include all class.modules being called. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel. -action.escu.known_false_positives = False positives may be present with legitimate applications. Attempt to filter by dest IP or use Asset groups to restrict to servers. -action.escu.creation_date = 2022-04-05 -action.escu.modification_date = 2022-04-05 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Web Spring Cloud Function FunctionRouter - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Spring4Shell CVE-2022-22965"] -action.risk = 1 -action.risk.param._risk_message = A suspicious URL has been requested against $dest$ by $src$, related to a vulnerability in Spring Cloud. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 42}, {"threat_object_field": "src", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Web Spring Cloud Function FunctionRouter - Rule -action.correlationsearch.annotations = {"analytic_story": ["Spring4Shell CVE-2022-22965"], "cis20": ["CIS 13"], "confidence": 60, "cve": ["CVE-2022-22963"], "impact": 70, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "89dddbad-369a-4f8a-ace2-2439218735bc", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies activity related to the web application Spring Cloud Function that was recently idenfied as vulnerable. This is CVE-2022-22963. Multiple proof of concept code was released. The URI that is hit includes `functionrouter`. The specifics of the exploit include a status of 500. In this query we did not include it, but for filtering you can add Web.status=500. The exploit data itself (based on all the POCs) is located in the form_data field. This field will include all class.modules being called. -action.notable.param.rule_title = Web Spring Cloud Function FunctionRouter -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats count from datamodel=Web where Web.http_method IN ("POST") Web.url="*/functionRouter*" by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest Web.status sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `web_spring_cloud_function_functionrouter_filter` - -[ESCU - Windows Exchange Autodiscover SSRF Abuse - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic utilizes the Web datamodel and identifies the ProxyShell or ProxyNotShell abuse. This vulnerability is a Server Side Request Forgery (SSRF) vulnerability, which is a web vulnerability that allows an adversary to exploit vulnerable functionality to access server side or local network services by affectively traversing the external firewall using vulnerable web functionality. This analytic looks for the URI path and query of autodiscover, powershell and mapi along with a POST occurring. It will tally a simple score and show the output of the events that match. This analytic may be added to by simply creating a new eval statement and modifying the hardcode digit for Score. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} -action.escu.data_models = ["Web"] -action.escu.eli5 = The following analytic utilizes the Web datamodel and identifies the ProxyShell or ProxyNotShell abuse. This vulnerability is a Server Side Request Forgery (SSRF) vulnerability, which is a web vulnerability that allows an adversary to exploit vulnerable functionality to access server side or local network services by affectively traversing the external firewall using vulnerable web functionality. This analytic looks for the URI path and query of autodiscover, powershell and mapi along with a POST occurring. It will tally a simple score and show the output of the events that match. This analytic may be added to by simply creating a new eval statement and modifying the hardcode digit for Score. -action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on Web traffic, Exchange OR IIS logs, mapped to `Web` datamodel in the `Web` node. In addition, confirm the latest CIM App 4.20 or higher is installed. -action.escu.known_false_positives = False positives are limited. -action.escu.creation_date = 2023-07-10 -action.escu.modification_date = 2023-07-10 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Windows Exchange Autodiscover SSRF Abuse - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["BlackByte Ransomware", "ProxyNotShell", "ProxyShell"] -action.risk = 1 -action.risk.param._risk_message = Activity related to ProxyShell or ProxyNotShell has been identified on $dest$. Review events and take action accordingly. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Windows Exchange Autodiscover SSRF Abuse - Rule -action.correlationsearch.annotations = {"analytic_story": ["BlackByte Ransomware", "ProxyNotShell", "ProxyShell"], "cis20": ["CIS 13"], "confidence": 80, "cve": ["CVE-2021-34523", "CVE-2021-34473", "CVE-2021-31207", "CVE-2022-41040", "CVE-2022-41082"], "impact": 90, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "d436f9e7-0ee7-4a47-864b-6dea2c4e2752", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic utilizes the Web datamodel and identifies the ProxyShell or ProxyNotShell abuse. This vulnerability is a Server Side Request Forgery (SSRF) vulnerability, which is a web vulnerability that allows an adversary to exploit vulnerable functionality to access server side or local network services by affectively traversing the external firewall using vulnerable web functionality. This analytic looks for the URI path and query of autodiscover, powershell and mapi along with a POST occurring. It will tally a simple score and show the output of the events that match. This analytic may be added to by simply creating a new eval statement and modifying the hardcode digit for Score. -action.notable.param.rule_title = Windows Exchange Autodiscover SSRF Abuse -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where (Web.status=200 OR Web.status=302 OR Web.status=401) AND Web.http_method=POST by Web.src Web.status Web.uri_path Web.dest Web.http_method Web.uri_query | `drop_dm_object_name("Web")` | eval is_autodiscover=if(like(lower(uri_path),"%autodiscover%"),1,0) | eval powershell = if(match(lower(uri_query),"powershell"), "1",0) | eval mapi=if(like(uri_query,"%/mapi/%"),1,0) | addtotals fieldname=Score is_autodiscover, powershell, mapi | fields Score, src,dest, status, uri_query,uri_path,http_method | where Score >= 2 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_exchange_autodiscover_ssrf_abuse_filter` - -[ESCU - WordPress Bricks Builder plugin RCE - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic identifies potential exploitation of the WordPress Bricks Builder plugin RCE vulnerability. The search is focused on the URL path "/wp-json/bricks/v1/render_element" with a status code of 200 and a POST method. It has been addressed by the theme developers in version 1.9.6.1 released on February 13, 2024. The vulnerability is tracked as CVE-2024-25600. The POC exploit is simple enough and will spawn commands on the target server. The exploit is actively being used in the wild. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} -action.escu.data_models = ["Web"] -action.escu.eli5 = The following analytic identifies potential exploitation of the WordPress Bricks Builder plugin RCE vulnerability. The search is focused on the URL path "/wp-json/bricks/v1/render_element" with a status code of 200 and a POST method. It has been addressed by the theme developers in version 1.9.6.1 released on February 13, 2024. The vulnerability is tracked as CVE-2024-25600. The POC exploit is simple enough and will spawn commands on the target server. The exploit is actively being used in the wild. -action.escu.how_to_implement = The search is based on data in the Web datamodel and was modeled from NGINX logs. Ensure that the Web datamodel is accelerated and that the data source for the Web datamodel is properly configured. If using other web sources, modify they query, or review the data, as needed. -action.escu.known_false_positives = False positives may be possible, however we restricted it to HTTP Status 200 and POST requests, based on the POC. Upon investigation review the POST body for the actual payload - or command - being executed. -action.escu.creation_date = 2024-02-22 -action.escu.modification_date = 2024-02-22 -action.escu.confidence = high -action.escu.full_search_name = ESCU - WordPress Bricks Builder plugin RCE - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["WordPress Vulnerabilities"] -action.risk = 1 -action.risk.param._risk_message = Potential exploitation of the WordPress Bricks Builder plugin RCE vulnerability on $dest$ by $src$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 100}, {"threat_object_field": "src", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - WordPress Bricks Builder plugin RCE - Rule -action.correlationsearch.annotations = {"analytic_story": ["WordPress Vulnerabilities"], "cis20": ["CIS 13"], "confidence": 100, "cve": ["CVE-2024-25600"], "impact": 100, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "56a8771a-3fda-4959-b81d-2f266e2f679f", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies potential exploitation of the WordPress Bricks Builder plugin RCE vulnerability. The search is focused on the URL path "/wp-json/bricks/v1/render_element" with a status code of 200 and a POST method. It has been addressed by the theme developers in version 1.9.6.1 released on February 13, 2024. The vulnerability is tracked as CVE-2024-25600. The POC exploit is simple enough and will spawn commands on the target server. The exploit is actively being used in the wild. -action.notable.param.rule_title = WordPress Bricks Builder plugin RCE -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*/wp-json/bricks/v1/render_element") Web.status=200 Web.http_method=POST by Web.src, Web.dest, Web.http_user_agent, Web.url, Web.uri_path, Web.status, Web.http_method, sourcetype, source | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wordpress_bricks_builder_plugin_rce_filter` - -[ESCU - WS FTP Remote Code Execution - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic is designed to detect a Remote Code Execution (RCE) vulnerability (CVE-2023-40044) in WS_FTP, a managed file transfer software by Progress. The search specifically looks for HTTP requests to the "/AHT/AhtApiService.asmx/AuthUser" URL with a status of 200, which could indicate an exploitation attempt. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} -action.escu.data_models = ["Web"] -action.escu.eli5 = The following analytic is designed to detect a Remote Code Execution (RCE) vulnerability (CVE-2023-40044) in WS_FTP, a managed file transfer software by Progress. The search specifically looks for HTTP requests to the "/AHT/AhtApiService.asmx/AuthUser" URL with a status of 200, which could indicate an exploitation attempt. -action.escu.how_to_implement = The following analytic requires the Web datamodel. Ensure data source is mapped correctly or modify and tune for your data source. -action.escu.known_false_positives = If WS_FTP Server is not in use, this analytic will not return results. Monitor and tune for your environment. Note the MetaSploit module is focused on only hitting /AHT/ and not the full /AHT/AhtApiService.asmx/AuthUser URL. -action.escu.creation_date = 2023-10-01 -action.escu.modification_date = 2023-10-01 -action.escu.confidence = high -action.escu.full_search_name = ESCU - WS FTP Remote Code Execution - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["WS FTP Server Critical Vulnerabilities"] -action.risk = 1 -action.risk.param._risk_message = Potential WS FTP Remote Code Execution detected against URL $url$ on $dest$ from $src$ -action.risk.param._risk = [{"risk_object_field": "url", "risk_object_type": "other", "risk_score": 72}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}, {"threat_object_field": "src", "threat_object_type": "ip_address"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - WS FTP Remote Code Execution - Rule -action.correlationsearch.annotations = {"analytic_story": ["WS FTP Server Critical Vulnerabilities"], "cis20": ["CIS 13"], "confidence": 80, "cve": ["CVE-2023-40044"], "impact": 90, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "b84e8f39-4e7b-4d4f-9e7c-fcd29a227845", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic is designed to detect a Remote Code Execution (RCE) vulnerability (CVE-2023-40044) in WS_FTP, a managed file transfer software by Progress. The search specifically looks for HTTP requests to the "/AHT/AhtApiService.asmx/AuthUser" URL with a status of 200, which could indicate an exploitation attempt. -action.notable.param.rule_title = WS FTP Remote Code Execution -action.notable.param.security_domain = network -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = | tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("/AHT/AhtApiService.asmx/AuthUser") Web.status=200 Web.http_method=POST by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ws_ftp_remote_code_execution_filter` - -[ESCU - Zscaler Adware Activities Threat Blocked - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The following analytic is designed to detect potential adware activity which is blocked by Zscaler. Utilizing Splunk search functionality, it filters web proxy logs for blocked actions associated with adware threats. Key data points like the device owner, user, URL category, destination URL and IP, and action taken are analyzed to highlight possible adware intrusions. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The following analytic is designed to detect potential adware activity which is blocked by Zscaler. Utilizing Splunk search functionality, it filters web proxy logs for blocked actions associated with adware threats. Key data points like the device owner, user, URL category, destination URL and IP, and action taken are analyzed to highlight possible adware intrusions. -action.escu.how_to_implement = You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the "zscalernss-web" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment. -action.escu.known_false_positives = False positives are limited to Zscaler configuration. -action.escu.creation_date = 2023-10-30 -action.escu.modification_date = 2023-10-30 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Zscaler Adware Activities Threat Blocked - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Zscaler Browser Proxy Threats"] -action.risk = 1 -action.risk.param._risk_message = Potential Adware Activity blocked from dest -[$dest$] on $src$ for user-[$user$]. -action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "system", "risk_score": 8}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 8}, {"threat_object_field": "url", "threat_object_type": "url"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Zscaler Adware Activities Threat Blocked - Rule -action.correlationsearch.annotations = {"analytic_story": ["Zscaler Browser Proxy Threats"], "cis20": ["CIS 10"], "confidence": 80, "impact": 10, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "3407b250-345a-4d71-80db-c91e555a3ece", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `zscaler_proxy` action=blocked threatname=*adware* | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_adware_activities_threat_blocked_filter` - -[ESCU - Zscaler Behavior Analysis Threat Blocked - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The analytic is built to identify threats blocked by the Zscaler proxy based on behavior analysis. It filters web proxy logs for entries where actions are blocked and threat names and classes are specified. The search further refines the results to include only those with reasons related to "block". It then aggregates the count, providing a clear view of the threat landscape as handled by the behavior analysis proxy. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The analytic is built to identify threats blocked by the Zscaler proxy based on behavior analysis. It filters web proxy logs for entries where actions are blocked and threat names and classes are specified. The search further refines the results to include only those with reasons related to "block". It then aggregates the count, providing a clear view of the threat landscape as handled by the behavior analysis proxy. -action.escu.how_to_implement = You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the "zscalernss-web" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment. -action.escu.known_false_positives = False positives are limited to Zscalar configuration. -action.escu.creation_date = 2023-10-31 -action.escu.modification_date = 2023-10-31 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Zscaler Behavior Analysis Threat Blocked - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Zscaler Browser Proxy Threats"] -action.risk = 1 -action.risk.param._risk_message = Potential Adware Behavior Analysis Threat from dest -[$dest$] on $src$ for user-[$user$]. -action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "system", "risk_score": 8}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 8}, {"threat_object_field": "url", "threat_object_type": "url"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Zscaler Behavior Analysis Threat Blocked - Rule -action.correlationsearch.annotations = {"analytic_story": ["Zscaler Browser Proxy Threats"], "cis20": ["CIS 10"], "confidence": 80, "impact": 10, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "289ad59f-8939-4331-b805-f2bd51d36fb8", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `zscaler_proxy` action=blocked threatname!="None" threatclass="Behavior Analysis" | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user threatname url src dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_behavior_analysis_threat_blocked_filter` - -[ESCU - Zscaler CryptoMiner Downloaded Threat Blocked - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The analytic is crafted to detect potential download of cryptomining software within a network that is blocked by Zscaler. Utilizing Splunk search functionality, it sifts through web proxy logs for blocked actions associated with cryptominer threats. Key data points like the device owner, user, URL category, destination URL and IP, and action taken are analyzed to highlight possible cryptominer downloads. This detection, categorized as an anomaly, aids in early identification and mitigation of cryptomining activities, ensuring network integrity and resource availability. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The analytic is crafted to detect potential download of cryptomining software within a network that is blocked by Zscaler. Utilizing Splunk search functionality, it sifts through web proxy logs for blocked actions associated with cryptominer threats. Key data points like the device owner, user, URL category, destination URL and IP, and action taken are analyzed to highlight possible cryptominer downloads. This detection, categorized as an anomaly, aids in early identification and mitigation of cryptomining activities, ensuring network integrity and resource availability. -action.escu.how_to_implement = You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the "zscalernss-web" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment. -action.escu.known_false_positives = False positives are limited to Zscaler configuration. -action.escu.creation_date = 2023-10-30 -action.escu.modification_date = 2023-10-30 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Zscaler CryptoMiner Downloaded Threat Blocked - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Zscaler Browser Proxy Threats"] -action.risk = 1 -action.risk.param._risk_message = Potential CryptoMiner Downloaded Threat from dest -[$dest$] on $src$ for user-[$user$]. -action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "system", "risk_score": 32}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 32}, {"threat_object_field": "url", "threat_object_type": "url"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Zscaler CryptoMiner Downloaded Threat Blocked - Rule -action.correlationsearch.annotations = {"analytic_story": ["Zscaler Browser Proxy Threats"], "cis20": ["CIS 10"], "confidence": 80, "impact": 40, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "ed76ce37-bab9-4ec0-bf3e-9c6a6cf43365", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `zscaler_proxy` action=blocked threatname=*miner* | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_cryptominer_downloaded_threat_blocked_filter` - -[ESCU - Zscaler Employment Search Web Activity - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The analytic is designed to identify destinations within a network deemed as potential Empolyment Searches. Utilizing Splunk's search functionality, it processes web proxy logs, focusing on entries marked as 'Job/Employment Search'. Key data points such as device owner, user, URL category, destination URL and IP, and action taken are analyzed to enumerate the employment risk destinations. This anomaly-type detection aids in monitoring and managing risks, promoting a secure environment from insider threats. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The analytic is designed to identify destinations within a network deemed as potential Empolyment Searches. Utilizing Splunk's search functionality, it processes web proxy logs, focusing on entries marked as 'Job/Employment Search'. Key data points such as device owner, user, URL category, destination URL and IP, and action taken are analyzed to enumerate the employment risk destinations. This anomaly-type detection aids in monitoring and managing risks, promoting a secure environment from insider threats. -action.escu.how_to_implement = You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the "zscalernss-web" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment. -action.escu.known_false_positives = False positives are limited to Zscaler configuration. -action.escu.creation_date = 2023-11-14 -action.escu.modification_date = 2023-11-14 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Zscaler Employment Search Web Activity - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Zscaler Browser Proxy Threats"] -action.risk = 1 -action.risk.param._risk_message = Potential Employment Search Web Activity from dest -[$dest$] on $src$ for user-[$user$]. -action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "system", "risk_score": 4}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 4}, {"threat_object_field": "url", "threat_object_type": "url"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Zscaler Employment Search Web Activity - Rule -action.correlationsearch.annotations = {"analytic_story": ["Zscaler Browser Proxy Threats"], "cis20": ["CIS 10"], "confidence": 80, "impact": 5, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "5456bdef-d765-4565-8e1f-61ca027bc50e", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `zscaler_proxy` urlsupercategory="Job/Employment Search" | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_employment_search_web_activity_filter` - -[ESCU - Zscaler Exploit Threat Blocked - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The analytic is aimed at detecting potential exploit attempts that involve command and script interpreters blocked by Zscaler. By querying web proxy logs, it isolates incidents where actions have been either blocked with references to exploits. The search compiles statistics by user, threat name, URL, hostname, file class, and filename, giving a detailed view of any exploit-related activity. Marked as a tactic, technique, and procedure (TTP), this analytic is essential for identifying and mitigating exploit attempts. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566"], "nist": ["DE.CM"]} -action.escu.data_models = [] -action.escu.eli5 = The analytic is aimed at detecting potential exploit attempts that involve command and script interpreters blocked by Zscaler. By querying web proxy logs, it isolates incidents where actions have been either blocked with references to exploits. The search compiles statistics by user, threat name, URL, hostname, file class, and filename, giving a detailed view of any exploit-related activity. Marked as a tactic, technique, and procedure (TTP), this analytic is essential for identifying and mitigating exploit attempts. -action.escu.how_to_implement = You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the "zscalernss-web" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment. -action.escu.known_false_positives = False positives are limited to Zscaler configuration. -action.escu.creation_date = 2023-10-31 -action.escu.modification_date = 2023-10-31 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Zscaler Exploit Threat Blocked - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Zscaler Browser Proxy Threats"] -action.risk = 1 -action.risk.param._risk_message = Potential Exploit Threat from dest -[$dest$] on $src$ for user-[$user$]. -action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "system", "risk_score": 40}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 40}, {"threat_object_field": "url", "threat_object_type": "url"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Zscaler Exploit Threat Blocked - Rule -action.correlationsearch.annotations = {"analytic_story": ["Zscaler Browser Proxy Threats"], "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566"], "nist": ["DE.CM"], "type": "TTP"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "94665d8c-b841-4ff4-acb4-34d613e2cbfe", "detection_version": "1"} -schedule_window = auto -action.notable = 1 -action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The analytic is aimed at detecting potential exploit attempts that involve command and script interpreters blocked by Zscaler. By querying web proxy logs, it isolates incidents where actions have been either blocked with references to exploits. The search compiles statistics by user, threat name, URL, hostname, file class, and filename, giving a detailed view of any exploit-related activity. Marked as a tactic, technique, and procedure (TTP), this analytic is essential for identifying and mitigating exploit attempts. -action.notable.param.rule_title = Zscaler Exploit Threat Blocked -action.notable.param.security_domain = threat -action.notable.param.severity = high -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `zscaler_proxy` action=blocked threatname=*exploit* | stats count min(_time) as firstTime max(_time) as lastTime by user threatname src hostname fileclass filename url dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_exploit_threat_blocked_filter` - -[ESCU - Zscaler Legal Liability Threat Blocked - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The analytic is aimed at identifying the most significant legal liability threats blocked by zcaler web proxy. It leverages web proxy logs to list the destinations, device owners, users, URL categories, and actions that are associated with Legal Liability, by utilizing stats on unique fields, it ensures a precise focus on unique legal liability threats, thereby providing valuable insights for organizations to enforce legal compliance and risk management. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The analytic is aimed at identifying the most significant legal liability threats blocked by zcaler web proxy. It leverages web proxy logs to list the destinations, device owners, users, URL categories, and actions that are associated with Legal Liability, by utilizing stats on unique fields, it ensures a precise focus on unique legal liability threats, thereby providing valuable insights for organizations to enforce legal compliance and risk management. -action.escu.how_to_implement = You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the "zscalernss-web" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment. -action.escu.known_false_positives = False positives are limited to Zscaler configuration. -action.escu.creation_date = 2023-10-31 -action.escu.modification_date = 2023-10-31 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Zscaler Legal Liability Threat Blocked - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Zscaler Browser Proxy Threats"] -action.risk = 1 -action.risk.param._risk_message = Potential Legal Liability Threat from dest -[$dest$] on $src$ for user-[$user$]. -action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "system", "risk_score": 16}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 16}, {"threat_object_field": "url", "threat_object_type": "url"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Zscaler Legal Liability Threat Blocked - Rule -action.correlationsearch.annotations = {"analytic_story": ["Zscaler Browser Proxy Threats"], "cis20": ["CIS 10"], "confidence": 80, "impact": 20, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "bbf55ebf-c416-4f62-94d9-4064f2a28014", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `zscaler_proxy` urlclass="Legal Liability" | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | dedup urlcategory | `zscaler_legal_liability_threat_blocked_filter` - -[ESCU - Zscaler Malware Activity Threat Blocked - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The analytic targets the detection of potential malware activities within a network that are blocked by Zscaler. By filtering web proxy logs for blocked actions associated with malware, where a threat category is specified, the analytic aggregates occurrences by user, URL, and threat category. This approach ensures a focused identification of malware activities, making it an effective tool for ongoing network security monitoring and anomaly detection. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The analytic targets the detection of potential malware activities within a network that are blocked by Zscaler. By filtering web proxy logs for blocked actions associated with malware, where a threat category is specified, the analytic aggregates occurrences by user, URL, and threat category. This approach ensures a focused identification of malware activities, making it an effective tool for ongoing network security monitoring and anomaly detection. -action.escu.how_to_implement = You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the "zscalernss-web" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment. -action.escu.known_false_positives = False positives are limited to Zscalar configuration. -action.escu.creation_date = 2023-10-25 -action.escu.modification_date = 2023-10-25 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Zscaler Malware Activity Threat Blocked - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Zscaler Browser Proxy Threats"] -action.risk = 1 -action.risk.param._risk_message = Potential Malware Activity from dest -[$dest$] on $src$ for user-[$user$]. -action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "system", "risk_score": 40}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 40}, {"threat_object_field": "url", "threat_object_type": "url"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Zscaler Malware Activity Threat Blocked - Rule -action.correlationsearch.annotations = {"analytic_story": ["Zscaler Browser Proxy Threats"], "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "ae874ad8-e353-40a7-87d4-420cdfb27d1a", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `zscaler_proxy` action=blocked threatname=*malware* threatcategory!=None | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_malware_activity_threat_blocked_filter` - -[ESCU - Zscaler Phishing Activity Threat Blocked - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The analytic is devised to detect likely phishing attempts within a network blocked by Zscaler. By leveraging Splunk search functionality, it evaluates web proxy logs for blocked actions correlated with phishing threats, specifically those tagged as HTML.Phish. Critical data points such as the user, threat name, URL, and hostname are analyzed to accentuate possible phishing activities. This anomaly-type detection serves as an early warning system, facilitating prompt investigation and mitigation of phishing threats, thereby bolstering network security. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The analytic is devised to detect likely phishing attempts within a network blocked by Zscaler. By leveraging Splunk search functionality, it evaluates web proxy logs for blocked actions correlated with phishing threats, specifically those tagged as HTML.Phish. Critical data points such as the user, threat name, URL, and hostname are analyzed to accentuate possible phishing activities. This anomaly-type detection serves as an early warning system, facilitating prompt investigation and mitigation of phishing threats, thereby bolstering network security. -action.escu.how_to_implement = You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the "zscalernss-web" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment. -action.escu.known_false_positives = False positives are limited to Zscalar configuration. -action.escu.creation_date = 2023-10-30 -action.escu.modification_date = 2023-10-30 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Zscaler Phishing Activity Threat Blocked - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Zscaler Browser Proxy Threats"] -action.risk = 1 -action.risk.param._risk_message = Potential Phishing Activity from dest -[$dest$] on $src$ for user-[$user$]. -action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "system", "risk_score": 16}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 16}, {"threat_object_field": "url", "threat_object_type": "url"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Zscaler Phishing Activity Threat Blocked - Rule -action.correlationsearch.annotations = {"analytic_story": ["Zscaler Browser Proxy Threats"], "cis20": ["CIS 10"], "confidence": 80, "impact": 20, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "68d3e2c1-e97f-4310-b080-dea180b48aa9", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `zscaler_proxy` action=blocked threatname="HTML.Phish*" | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user threatname url src dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_phishing_activity_threat_blocked_filter` - -[ESCU - Zscaler Potentially Abused File Download - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The analytic is engineered to detect potential rarely abused malicious filetypes downloaded within a network. They are usually used to spread malwares. Utilizing Splunk search functionality, it examines web proxy logs for blocked actions related to potential threats. Essential data points like the deviceowner, user, urlcategory, url, dest, and filename taken are analyzed to highlight possible malicious endeavors. This detection, marked as an anomaly, aids in early identification and mitigation of malicious download activities, ensuring a safer network environment. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The analytic is engineered to detect potential rarely abused malicious filetypes downloaded within a network. They are usually used to spread malwares. Utilizing Splunk search functionality, it examines web proxy logs for blocked actions related to potential threats. Essential data points like the deviceowner, user, urlcategory, url, dest, and filename taken are analyzed to highlight possible malicious endeavors. This detection, marked as an anomaly, aids in early identification and mitigation of malicious download activities, ensuring a safer network environment. -action.escu.how_to_implement = You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the "zscalernss-web" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment. -action.escu.known_false_positives = False positives are limited to Zscaler configuration. -action.escu.creation_date = 2023-11-21 -action.escu.modification_date = 2023-11-21 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Zscaler Potentially Abused File Download - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Zscaler Browser Proxy Threats"] -action.risk = 1 -action.risk.param._risk_message = Potential Abused File Download from dest -[$dest$] on $src$ for user-[$user$]. -action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "system", "risk_score": 8}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 8}, {"threat_object_field": "url", "threat_object_type": "url"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Zscaler Potentially Abused File Download - Rule -action.correlationsearch.annotations = {"analytic_story": ["Zscaler Browser Proxy Threats"], "cis20": ["CIS 10"], "confidence": 80, "impact": 10, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "b0c21379-f4ba-4bac-a958-897e260f964a", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `zscaler_proxy` url IN ("*.scr", "*.dll", "*.bat", "*.lnk") | stats count min(_time) as firstTime max(_time) as lastTime by deviceowner user urlcategory url src filename dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_potentially_abused_file_download_filter` - -[ESCU - Zscaler Privacy Risk Destinations Threat Blocked - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The analytic is designed to identify blocked destinations within a network deemed as privacy risks by Zscaler. Utilizing Splunk search functionality, it processes web proxy logs, focusing on entries marked as Privacy Risk. Key data points such as device owner, user, URL category, destination URL and IP, and action taken are analyzed to enumerate the privacy risk destinations. This anomaly-type detection aids in monitoring and managing privacy risks, promoting a secure network environment. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566"], "nist": ["DE.AE"]} -action.escu.data_models = ["Risk"] -action.escu.eli5 = The analytic is designed to identify blocked destinations within a network deemed as privacy risks by Zscaler. Utilizing Splunk search functionality, it processes web proxy logs, focusing on entries marked as Privacy Risk. Key data points such as device owner, user, URL category, destination URL and IP, and action taken are analyzed to enumerate the privacy risk destinations. This anomaly-type detection aids in monitoring and managing privacy risks, promoting a secure network environment. -action.escu.how_to_implement = You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the "zscalernss-web" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment. -action.escu.known_false_positives = False positives are limited to Zscaler configuration. -action.escu.creation_date = 2023-10-30 -action.escu.modification_date = 2023-10-30 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Zscaler Privacy Risk Destinations Threat Blocked - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Zscaler Browser Proxy Threats"] -action.risk = 1 -action.risk.param._risk_message = Potential Privacy Risk Destinations from dest -[$dest$] on $src$ for user-[$user$]. -action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "system", "risk_score": 8}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 8}, {"threat_object_field": "url", "threat_object_type": "url"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Zscaler Privacy Risk Destinations Threat Blocked - Rule -action.correlationsearch.annotations = {"analytic_story": ["Zscaler Browser Proxy Threats"], "cis20": ["CIS 10"], "confidence": 80, "impact": 10, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "5456bdef-d765-4565-8e1f-61ca027bc50d", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `zscaler_proxy` action=blocked urlclass="Privacy Risk" | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest | dedup urlcategory | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_privacy_risk_destinations_threat_blocked_filter` - -[ESCU - Zscaler Scam Destinations Threat Blocked - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The analytic is engineered to detect potential scam activities within a network by Zscaler. Utilizing Splunk search functionality, it examines web proxy logs for blocked actions related to scam threats. Essential data points like the device owner, user, URL category, destination URL and IP, and action taken are analyzed to highlight possible scam endeavors. This detection, marked as an anomaly, aids in early identification and mitigation of scam activities, ensuring a safer network environment. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The analytic is engineered to detect potential scam activities within a network by Zscaler. Utilizing Splunk search functionality, it examines web proxy logs for blocked actions related to scam threats. Essential data points like the device owner, user, URL category, destination URL and IP, and action taken are analyzed to highlight possible scam endeavors. This detection, marked as an anomaly, aids in early identification and mitigation of scam activities, ensuring a safer network environment. -action.escu.how_to_implement = You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the "zscalernss-web" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment. -action.escu.known_false_positives = False positives are limited to Zscaler configuration. -action.escu.creation_date = 2023-10-30 -action.escu.modification_date = 2023-10-30 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Zscaler Scam Destinations Threat Blocked - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Zscaler Browser Proxy Threats"] -action.risk = 1 -action.risk.param._risk_message = Potential Scam Threat from dest -[$dest$] on $src$ for user-[$user$]. -action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "system", "risk_score": 8}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 8}, {"threat_object_field": "url", "threat_object_type": "url"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Zscaler Scam Destinations Threat Blocked - Rule -action.correlationsearch.annotations = {"analytic_story": ["Zscaler Browser Proxy Threats"], "cis20": ["CIS 10"], "confidence": 80, "impact": 10, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "a0c21379-f4ba-4bac-a958-897e260f964a", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `zscaler_proxy` action=blocked threatname=*scam* | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_scam_destinations_threat_blocked_filter` - -[ESCU - Zscaler Virus Download threat blocked - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = The analytic is formulated to detect blocked virus download activities within a network by Zscaler. Employing Splunk's search functionality, it reviews web proxy logs for blocked actions indicative of virus threats downloads. Key data points like the device owner, user, URL category, destination URL and IP, and action taken are analyzed to pinpoint possible virus downloads. As an anomaly-type detection, this analytic facilitates early detection and remediation of virus download attempts, contributing to enhanced network security. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = The analytic is formulated to detect blocked virus download activities within a network by Zscaler. Employing Splunk's search functionality, it reviews web proxy logs for blocked actions indicative of virus threats downloads. Key data points like the device owner, user, URL category, destination URL and IP, and action taken are analyzed to pinpoint possible virus downloads. As an anomaly-type detection, this analytic facilitates early detection and remediation of virus download attempts, contributing to enhanced network security. -action.escu.how_to_implement = You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the "zscalernss-web" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment. -action.escu.known_false_positives = False positives are limited to Zscaler configuration. -action.escu.creation_date = 2023-10-30 -action.escu.modification_date = 2023-10-30 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Zscaler Virus Download threat blocked - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Zscaler Browser Proxy Threats"] -action.risk = 1 -action.risk.param._risk_message = Potential Virus Download Threat from dest -[$dest$] on $src$ for user-[$user$]. -action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "system", "risk_score": 40}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 40}, {"threat_object_field": "url", "threat_object_type": "url"}] -action.risk.param._risk_score = 0 -action.risk.param.verbose = 0 -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Zscaler Virus Download threat blocked - Rule -action.correlationsearch.annotations = {"analytic_story": ["Zscaler Browser Proxy Threats"], "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566"], "nist": ["DE.AE"], "type": "Anomaly"} -action.correlationsearch.metadata = {"deprecated": "0", "detection_id": "aa19e627-d448-4a31-85cd-82068dec5691", "detection_version": "1"} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `zscaler_proxy` action=blocked threatname!="None" threatclass=Virus | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_virus_download_threat_blocked_filter` - -### END ESCU DETECTIONS ### - -### ESCU BASELINES ### - -[ESCU - Baseline of blocked outbound traffic from AWS] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Baseline of blocked outbound traffic from AWS -description = This search establishes, on a per-hour basis, the average and the standard deviation of the number of outbound connections blocked in your VPC flow logs by each source IP address (IP address of your EC2 instances). Also recorded is the number of data points for each source IP. This table outputs to a lookup file to allow the detection search to operate quickly. -action.escu.creation_date = 2018-05-07 -action.escu.modification_date = 2018-05-07 -action.escu.analytic_story = ["AWS Network ACL Activity", "Command And Control", "Suspicious AWS Traffic"] -action.escu.data_models = [] -cron_schedule = 10 0 * * * -enableSched = 1 -dispatch.earliest_time = -1450m@m -dispatch.latest_time = -10m@m -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = This search establishes, on a per-hour basis, the average and the standard deviation of the number of outbound connections blocked in your VPC flow logs by each source IP address (IP address of your EC2 instances). Also recorded is the number of data points for each source IP. This table outputs to a lookup file to allow the detection search to operate quickly. -action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your `VPC flow logs.`. -disabled = true -is_visible = false -search = `cloudwatchlogs_vpcflow` action=blocked (src_ip=10.0.0.0/8 OR src_ip=172.16.0.0/12 OR src_ip=192.168.0.0/16) ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16) | bucket _time span=1h | stats count as numberOfBlockedConnections by _time, src_ip | stats count(numberOfBlockedConnections) as numDataPoints, latest(numberOfBlockedConnections) as latestCount, avg(numberOfBlockedConnections) as avgBlockedConnections, stdev(numberOfBlockedConnections) as stdevBlockedConnections by src_ip | table src_ip, latestCount, numDataPoints, avgBlockedConnections, stdevBlockedConnections | outputlookup baseline_blocked_outbound_connections | stats count - -[ESCU - Baseline Of Cloud Infrastructure API Calls Per User] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Baseline Of Cloud Infrastructure API Calls Per User -description = This search is used to build a Machine Learning Toolkit (MLTK) model for how many API calls are performed by each user. By default, the search uses the last 90 days of data to build the model and the model is rebuilt weekly. The model created by this search is then used in the corresponding detection search, which identifies subsequent outliers in the number of instances created in a small time window. -action.escu.creation_date = 2020-09-07 -action.escu.modification_date = 2020-09-07 -action.escu.analytic_story = ["Suspicious Cloud User Activities"] -action.escu.data_models = ["Change"] -cron_schedule = 0 2 * * 0 -enableSched = 1 -dispatch.earliest_time = -90d@d -dispatch.latest_time = -1d@d -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = This search is used to build a Machine Learning Toolkit (MLTK) model for how many API calls are performed by each user. By default, the search uses the last 90 days of data to build the model and the model is rebuilt weekly. The model created by this search is then used in the corresponding detection search, which identifies subsequent outliers in the number of instances created in a small time window. -action.escu.how_to_implement = You must have Enterprise Security 6.0 or later, if not you will need to verify that the Machine Learning Toolkit (MLTK) version 4.2 or later is installed, along with any required dependencies. Depending on the number of users in your environment, you may also need to adjust the value for max_inputs in the MLTK settings for the DensityFunction algorithm, then ensure that the search completes in a reasonable timeframe. By default, the search builds the model using the past 90 days of data. You can modify the search window to build the model over a longer period of time, which may give you better results. You may also want to periodically re-run this search to rebuild the model with the latest data. -disabled = true -is_visible = false -search = | tstats count as api_calls from datamodel=Change where All_Changes.user!=unknown All_Changes.status=success by All_Changes.user _time span=1h | `drop_dm_object_name("All_Changes")` | eval HourOfDay=strftime(_time, "%H") | eval HourOfDay=floor(HourOfDay/4)*4 | eval DayOfWeek=strftime(_time, "%w") | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) | table _time api_calls, user, HourOfDay, isWeekend | eventstats dc(api_calls) as api_calls by user, HourOfDay, isWeekend | where api_calls >= 1 | fit DensityFunction api_calls by "user,HourOfDay,isWeekend" into cloud_excessive_api_calls_v1 dist=norm show_density=true - -[ESCU - Baseline Of Cloud Instances Destroyed] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Baseline Of Cloud Instances Destroyed -description = This search is used to build a Machine Learning Toolkit (MLTK) model for how many instances are destroyed in the environment. By default, the search uses the last 90 days of data to build the model and the model is rebuilt weekly. The model created by this search is then used in the corresponding detection search, which identifies subsequent outliers in the number of instances destroyed in a small time window. -action.escu.creation_date = 2020-08-25 -action.escu.modification_date = 2020-08-25 -action.escu.analytic_story = ["Cloud Cryptomining", "Suspicious Cloud Instance Activities"] -action.escu.data_models = ["Change"] -cron_schedule = 0 2 * * 0 -enableSched = 1 -dispatch.earliest_time = -90d@d -dispatch.latest_time = -1d@d -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = This search is used to build a Machine Learning Toolkit (MLTK) model for how many instances are destroyed in the environment. By default, the search uses the last 90 days of data to build the model and the model is rebuilt weekly. The model created by this search is then used in the corresponding detection search, which identifies subsequent outliers in the number of instances destroyed in a small time window. -action.escu.how_to_implement = You must have Enterprise Security 6.0 or later, if not you will need to verify that the Machine Learning Toolkit (MLTK) version 4.2 or later is installed, along with any required dependencies. Depending on the number of users in your environment, you may also need to adjust the value for max_inputs in the MLTK settings for the DensityFunction algorithm, then ensure that the search completes in a reasonable timeframe. By default, the search builds the model using the past 30 days of data. You can modify the search window to build the model over a longer period of time, which may give you better results. You may also want to periodically re-run this search to rebuild the model with the latest data. \ -More information on the algorithm used in the search can be found at `https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#DensityFunction`. -disabled = true -is_visible = false -search = | tstats count as instances_destroyed from datamodel=Change where All_Changes.action=deleted AND All_Changes.status=success AND All_Changes.object_category=instance by _time span=1h | makecontinuous span=1h _time | eval instances_destroyed=coalesce(instances_destroyed, (random()%2)*0.0000000001) | eval HourOfDay=strftime(_time, "%H") | eval HourOfDay=floor(HourOfDay/4)*4 | eval DayOfWeek=strftime(_time, "%w") | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) | table _time instances_destroyed, HourOfDay, isWeekend | fit DensityFunction instances_destroyed by "HourOfDay,isWeekend" into cloud_excessive_instances_destroyed_v1 dist=expon show_density=true - -[ESCU - Baseline Of Cloud Instances Launched] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Baseline Of Cloud Instances Launched -description = This search is used to build a Machine Learning Toolkit (MLTK) model for how many instances are created in the environment. By default, the search uses the last 90 days of data to build the model and the model is rebuilt weekly. The model created by this search is then used in the corresponding detection search, which identifies subsequent outliers in the number of instances created in a small time window. -action.escu.creation_date = 2020-08-14 -action.escu.modification_date = 2020-08-14 -action.escu.analytic_story = ["Cloud Cryptomining", "Suspicious Cloud Instance Activities"] -action.escu.data_models = ["Change"] -cron_schedule = 0 2 * * 0 -enableSched = 1 -dispatch.earliest_time = -90d@d -dispatch.latest_time = -1d@d -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = This search is used to build a Machine Learning Toolkit (MLTK) model for how many instances are created in the environment. By default, the search uses the last 90 days of data to build the model and the model is rebuilt weekly. The model created by this search is then used in the corresponding detection search, which identifies subsequent outliers in the number of instances created in a small time window. -action.escu.how_to_implement = You must have Enterprise Security 6.0 or later, if not you will need to verify that the Machine Learning Toolkit (MLTK) version 4.2 or later is installed, along with any required dependencies. Depending on the number of users in your environment, you may also need to adjust the value for max_inputs in the MLTK settings for the DensityFunction algorithm, then ensure that the search completes in a reasonable timeframe. By default, the search builds the model using the past 90 days of data. You can modify the search window to build the model over a longer period of time, which may give you better results. You may also want to periodically re-run this search to rebuild the model with the latest data. \ -More information on the algorithm used in the search can be found at `https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#DensityFunction`. -disabled = true -is_visible = false -search = | tstats count as instances_launched from datamodel=Change where (All_Changes.action=created) AND All_Changes.status=success AND All_Changes.object_category=instance by _time span=1h | makecontinuous span=1h _time | eval instances_launched=coalesce(instances_launched, (random()%2)*0.0000000001) | eval HourOfDay=strftime(_time, "%H") | eval HourOfDay=floor(HourOfDay/4)*4 | eval DayOfWeek=strftime(_time, "%w") | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) | table _time instances_launched, HourOfDay, isWeekend | fit DensityFunction instances_launched by "HourOfDay,isWeekend" into cloud_excessive_instances_created_v1 dist=expon show_density=true - -[ESCU - Baseline Of Cloud Security Group API Calls Per User] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Baseline Of Cloud Security Group API Calls Per User -description = This search is used to build a Machine Learning Toolkit (MLTK) model for how many API calls for security groups are performed by each user. By default, the search uses the last 90 days of data to build the model and the model is rebuilt weekly. -action.escu.creation_date = 2020-09-07 -action.escu.modification_date = 2020-09-07 -action.escu.analytic_story = ["Suspicious Cloud User Activities"] -action.escu.data_models = ["Change"] -cron_schedule = 0 2 * * 0 -enableSched = 1 -dispatch.earliest_time = -90d@d -dispatch.latest_time = -1d@d -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = This search is used to build a Machine Learning Toolkit (MLTK) model for how many API calls for security groups are performed by each user. By default, the search uses the last 90 days of data to build the model and the model is rebuilt weekly. -action.escu.how_to_implement = You must have Enterprise Security 6.0 or later, if not you will need to verify that the Machine Learning Toolkit (MLTK) version 4.2 or later is installed, along with any required dependencies. Depending on the number of users in your environment, you may also need to adjust the value for max_inputs in the MLTK settings for the DensityFunction algorithm, then ensure that the search completes in a reasonable timeframe. By default, the search builds the model using the past 90 days of data. You can modify the search window to build the model over a longer period of time, which may give you better results. You may also want to periodically re-run this search to rebuild the model with the latest data. -disabled = true -is_visible = false -search = | tstats count as security_group_api_calls from datamodel=Change where All_Changes.object_category=firewall All_Changes.status=success by All_Changes.user _time span=1h | `drop_dm_object_name("All_Changes")` | eval HourOfDay=strftime(_time, "%H") | eval HourOfDay=floor(HourOfDay/4)*4 | eval DayOfWeek=strftime(_time, "%w") | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) | table _time security_group_api_calls, user, HourOfDay, isWeekend | eventstats dc(security_group_api_calls) as security_group_api_calls by user, HourOfDay, isWeekend | where security_group_api_calls >= 1 | fit DensityFunction security_group_api_calls by "user,HourOfDay,isWeekend" into cloud_excessive_security_group_api_calls_v1 dist=norm show_density=true - -[ESCU - Baseline of Command Line Length - MLTK] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Baseline of Command Line Length - MLTK -description = This search is used to build a Machine Learning Toolkit (MLTK) model to characterize the length of the command lines observed for each user in the environment. By default, the search uses the last 30 days of data to build the model. The model created by this search is then used in the corresponding detection search, which identifies outliers in the length of the command line. -action.escu.creation_date = 2019-05-08 -action.escu.modification_date = 2019-05-08 -action.escu.analytic_story = ["Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Ransomware", "Suspicious Command-Line Executions", "Suspicious MSHTA Activity", "Unusual Processes"] -action.escu.data_models = [] -cron_schedule = 0 0 1 * * -enableSched = 1 -dispatch.earliest_time = -30d@d -dispatch.latest_time = -1d@d -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = This search is used to build a Machine Learning Toolkit (MLTK) model to characterize the length of the command lines observed for each user in the environment. By default, the search uses the last 30 days of data to build the model. The model created by this search is then used in the corresponding detection search, which identifies outliers in the length of the command line. -action.escu.how_to_implement = You must be ingesting endpoint data and populating the Endpoint data model. In addition, you must have the Machine Learning Toolkit (MLTK) version >= 4.2 installed, along with any required dependencies. Depending on the number of users in your environment, you may also need to adjust the value for max_inputs in the MLTK settings for the DensityFunction algorithm, then ensure that the search completes in a reasonable timeframe. By default, the search builds the model using the past 30 days of data. You can modify the search window to build the model over a longer period of time, which may give you better results. You may also want to periodically re-run this search to rebuild the model with the latest data. More information on the algorithm used in the search can be found at `https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#DensityFunction`. -disabled = true -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as start_time max(_time) as end_time FROM datamodel=Endpoint.Processes by Processes.user Processes.dest Processes.process_name Processes.process | `drop_dm_object_name(Processes)` | search user!=unknown | `security_content_ctime(start_time)`| `security_content_ctime(end_time)`| eval processlen=len(process) | fit DensityFunction processlen by user into cmdline_pdfmodel - -[ESCU - Baseline of DNS Query Length - MLTK] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Baseline of DNS Query Length - MLTK -description = This search is used to build a Machine Learning Toolkit (MLTK) model to characterize the length of the DNS queries for each DNS record type observed in the environment. By default, the search uses the last 30 days of data to build the model. The model created by this search is then used in the corresponding detection search, which uses it to identify outliers in the length of the DNS query. -action.escu.creation_date = 2019-05-08 -action.escu.modification_date = 2019-05-08 -action.escu.analytic_story = ["Command And Control", "Hidden Cobra Malware", "Suspicious DNS Traffic"] -action.escu.data_models = ["Network_Resolution"] -cron_schedule = 0 0 */30 * * -enableSched = 1 -dispatch.earliest_time = -30d@d -dispatch.latest_time = -1d@d -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = This search is used to build a Machine Learning Toolkit (MLTK) model to characterize the length of the DNS queries for each DNS record type observed in the environment. By default, the search uses the last 30 days of data to build the model. The model created by this search is then used in the corresponding detection search, which uses it to identify outliers in the length of the DNS query. -action.escu.how_to_implement = To successfully implement this search, you will need to ensure that DNS data is populating the Network_Resolution data model. In addition, you must have the Machine Learning Toolkit (MLTK) version >= 4.2 installed, along with any required dependencies. By default, the search builds the model using the past 30 days of data. You can modify the search window to build the model over a longer period of time, which may give you better results. You may also want to periodically re-run this search to rebuild the model with the latest data. More information on the algorithm used in the search can be found at `https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#DensityFunction`. -disabled = true -is_visible = false -search = | tstats `security_content_summariesonly` count from datamodel=Network_Resolution by DNS.query DNS.record_type | search DNS.record_type=* | `drop_dm_object_name("DNS")` | eval query_length = len(query) | fit DensityFunction query_length by record_type into dns_query_pdfmodel - -[ESCU - Baseline Of Kubernetes Container Network IO] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Baseline Of Kubernetes Container Network IO -description = This baseline rule calculates the average and standard deviation of inbound and outbound network IO for each Kubernetes container. It uses metrics from the Kubernetes API and the Splunk Infrastructure Monitoring Add-on. The rule generates a lookup table with the average and standard deviation of the network IO for each container. This baseline can be used to detect anomalies in network communication behavior, which may indicate security threats such as data exfiltration, command and control communication, or compromised container behavior. -action.escu.creation_date = 2023-12-19 -action.escu.modification_date = 2023-12-19 -action.escu.analytic_story = ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"] -action.escu.data_models = [] -cron_schedule = 0 2 * * 0 -enableSched = 1 -dispatch.earliest_time = -30d@d -dispatch.latest_time = -1d@d -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = This baseline rule calculates the average and standard deviation of inbound and outbound network IO for each Kubernetes container. It uses metrics from the Kubernetes API and the Splunk Infrastructure Monitoring Add-on. The rule generates a lookup table with the average and standard deviation of the network IO for each container. This baseline can be used to detect anomalies in network communication behavior, which may indicate security threats such as data exfiltration, command and control communication, or compromised container behavior. -action.escu.how_to_implement = To implement this detection, follow these steps: 1. Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster. 2. Enable the hostmetrics/process receiver in the OTEL configuration. 3. Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled. 4. Install the Splunk Infrastructure Monitoring (SIM) add-on (ref: https://splunkbase.splunk.com/app/5247) 5. Configure the SIM add-on with your Observability Cloud Organization ID and Access Token. 6. Set up the SIM modular input to ingest Process Metrics. Name this input "sim_process_metrics_to_metrics_index". 7. In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID. 8. Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K') 9. Set the Metric Resolution to 10000. 10. Leave all other settings at their default values. -disabled = true -is_visible = false -search = | mstats avg(k8s.pod.network.io) as io where `kubernetes_metrics` by k8s.cluster.name k8s.pod.name k8s.node.name direction span=10s | eval service = replace('k8s.pod.name', "-\w{5}$|-[abcdef0-9]{8,10}-\w{5}$", "") | eval key = 'k8s.cluster.name' + ":" + 'service' | stats avg(eval(if(direction="transmit", io,null()))) as avg_outbound_network_io avg(eval(if(direction="receive", io,null()))) as avg_inbound_network_io stdev(eval(if(direction="transmit", io,null()))) as stdev_outbound_network_io stdev(eval(if(direction="receive", io,null()))) as stdev_inbound_network_io count latest(_time) as last_seen by key | outputlookup k8s_container_network_io_baseline - -[ESCU - Baseline Of Kubernetes Container Network IO Ratio] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Baseline Of Kubernetes Container Network IO Ratio -description = This baseline rule calculates the average ratio of inbound to outbound network IO for each Kubernetes container. It uses metrics from the Kubernetes API and the Splunk Infrastructure Monitoring Add-on. The rule generates a lookup table with the average and standard deviation of the network IO ratio for each container. This baseline can be used to detect anomalies in network communication behavior, which may indicate security threats such as data exfiltration, command and control communication, or compromised container behavior. -action.escu.creation_date = 2023-12-19 -action.escu.modification_date = 2023-12-19 -action.escu.analytic_story = ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"] -action.escu.data_models = [] -cron_schedule = 0 2 * * 0 -enableSched = 1 -dispatch.earliest_time = -30d@d -dispatch.latest_time = -1d@d -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = This baseline rule calculates the average ratio of inbound to outbound network IO for each Kubernetes container. It uses metrics from the Kubernetes API and the Splunk Infrastructure Monitoring Add-on. The rule generates a lookup table with the average and standard deviation of the network IO ratio for each container. This baseline can be used to detect anomalies in network communication behavior, which may indicate security threats such as data exfiltration, command and control communication, or compromised container behavior. -action.escu.how_to_implement = To implement this detection, follow these steps: 1. Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster. 2. Enable the hostmetrics/process receiver in the OTEL configuration. 3. Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled. 4. Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247) 5. Configure the SIM add-on with your Observability Cloud Organization ID and Access Token. 6. Set up the SIM modular input to ingest Process Metrics. Name this input "sim_process_metrics_to_metrics_index". 7. In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID. 8. Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K') 9. Set the Metric Resolution to 10000. 10. Leave all other settings at their default values. -disabled = true -is_visible = false -search = | mstats avg(k8s.pod.network.io) as io where `kubernetes_metrics` by k8s.cluster.name k8s.pod.name k8s.node.name direction span=10s | eval service = replace('k8s.pod.name', "-\w{5}$|-[abcdef0-9]{8,10}-\w{5}$", "") | eval key = 'k8s.cluster.name' + ":" + 'service' | stats avg(eval(if(direction="transmit", io,null()))) as outbound_network_io avg(eval(if(direction="receive", io,null()))) as inbound_network_io by key _time | eval inbound:outbound = inbound_network_io/outbound_network_io | eval outbound:inbound = outbound_network_io/inbound_network_io | stats avg(*:*) as avg_*:* stdev(*:*) as stdev_*:* count latest(_time) as last_seen by key | outputlookup k8s_container_network_io_ratio_baseline - -[ESCU - Baseline Of Kubernetes Process Resource] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Baseline Of Kubernetes Process Resource -description = This baseline rule calculates the average and standard deviation of various process resources in a Kubernetes environment. It uses metrics from the Kubernetes API and the Splunk Infrastructure Monitoring Add-on. The rule generates a lookup table with the average and standard deviation of the resource utilization for each process. This baseline can be used to detect anomalies in process resource utilization, which may indicate security threats such as resource exhaustion attacks, cryptojacking, or compromised process behavior. -action.escu.creation_date = 2023-12-18 -action.escu.modification_date = 2023-12-18 -action.escu.analytic_story = ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"] -action.escu.data_models = [] -cron_schedule = 0 2 * * 0 -enableSched = 1 -dispatch.earliest_time = -30d@d -dispatch.latest_time = -1d@d -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = This baseline rule calculates the average and standard deviation of various process resources in a Kubernetes environment. It uses metrics from the Kubernetes API and the Splunk Infrastructure Monitoring Add-on. The rule generates a lookup table with the average and standard deviation of the resource utilization for each process. This baseline can be used to detect anomalies in process resource utilization, which may indicate security threats such as resource exhaustion attacks, cryptojacking, or compromised process behavior. -action.escu.how_to_implement = To implement this detection, follow these steps: 1. Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster. 2. Enable the hostmetrics/process receiver in the OTEL configuration. 3. Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled. 4. Install the Splunk Infrastructure Monitoring (SIM) add-on. 5. Configure the SIM add-on with your Observability Cloud Organization ID and Access Token. 6. Set up the SIM modular input to ingest Process Metrics. Name this input "sim_process_metrics_to_metrics_index". 7. In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID. 8. Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K') 9. Set the Metric Resolution to 10000. 10. Leave all other settings at their default values. -disabled = true -is_visible = false -search = | mstats avg(process.*) as avg_process.* stdev(*) as stdev_* where `kubernetes_metrics` by host.name k8s.cluster.name k8s.node.name process.executable.name | eval key = 'k8s.cluster.name' + ":" + 'host.name' + ":" + 'process.executable.name' | fillnull | outputlookup k8s_process_resource_baseline - -[ESCU - Baseline Of Kubernetes Process Resource Ratio] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Baseline Of Kubernetes Process Resource Ratio -description = This baseline rule calculates the average and standard deviation of the ratio of various process resources in a Kubernetes environment. It uses metrics from the Kubernetes API and the Splunk Infrastructure Monitoring Add-on. The rule generates a lookup table with the average and standard deviation of the resource ratios for each process. This baseline can be used to detect anomalies in process resource utilization, which may indicate security threats such as resource exhaustion attacks, cryptojacking, or compromised process behavior. -action.escu.creation_date = 2023-12-18 -action.escu.modification_date = 2023-12-18 -action.escu.analytic_story = ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"] -action.escu.data_models = [] -cron_schedule = 0 2 * * 0 -enableSched = 1 -dispatch.earliest_time = -30d@d -dispatch.latest_time = -1d@d -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = This baseline rule calculates the average and standard deviation of the ratio of various process resources in a Kubernetes environment. It uses metrics from the Kubernetes API and the Splunk Infrastructure Monitoring Add-on. The rule generates a lookup table with the average and standard deviation of the resource ratios for each process. This baseline can be used to detect anomalies in process resource utilization, which may indicate security threats such as resource exhaustion attacks, cryptojacking, or compromised process behavior. -action.escu.how_to_implement = To implement this detection, follow these steps: 1. Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster. 2. Enable the hostmetrics/process receiver in the OTEL configuration. 3. Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled. 4. Install the Splunk Infrastructure Monitoring (SIM) add-on.(ref: https://splunkbase.splunk.com/app/5247) 5. Configure the SIM add-on with your Observability Cloud Organization ID and Access Token. 6. Set up the SIM modular input to ingest Process Metrics. Name this input "sim_process_metrics_to_metrics_index". 7. In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID. 8. Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K') 9. Set the Metric Resolution to 10000. 10. Leave all other settings at their default values. -disabled = true -is_visible = false -search = | mstats avg(process.*) as process.* where `kubernetes_metrics` by host.name k8s.cluster.name k8s.node.name process.executable.name span=10s | eval cpu:mem = 'process.cpu.utilization'/'process.memory.utilization' | eval cpu:disk = 'process.cpu.utilization'/'process.disk.operations' | eval mem:disk = 'process.memory.utilization'/'process.memory.utilization' | eval cpu:threads = 'process.cpu.utilization'/'process.threads' | eval disk:threads = 'process.disk.operations'/'process.threads' | eval key = 'k8s.cluster.name' + ":" + 'host.name' + ":" + 'process.executable.name' | fillnull | stats avg(cpu:mem) as avg_cpu:mem stdev(cpu:mem) as stdev_cpu:mem avg(cpu:disk) as avg_cpu:disk stdev(cpu:disk) as stdev_cpu:disk avg(mem:disk) as avg_mem:disk stdev(mem:disk) as stdev_mem:disk avg(cpu:threads) as avg_cpu:threads stdev(cpu:threads) as stdev_cpu:threads avg(disk:threads) as avg_disk:threads stdev(disk:threads) as stdev_disk:threads count latest(_time) as last_seen by key | outputlookup k8s_process_resource_ratio_baseline - -[ESCU - Baseline of Network ACL Activity by ARN] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Baseline of Network ACL Activity by ARN -description = This search establishes, on a per-hour basis, the average and the standard deviation of the number of API calls that were related to network ACLs made by each user. Also recorded is the number of data points for each user. This table is then outputted to a lookup file to allow the detection search to operate quickly. -action.escu.creation_date = 2018-05-21 -action.escu.modification_date = 2018-05-21 -action.escu.analytic_story = ["AWS Network ACL Activity"] -action.escu.data_models = [] -cron_schedule = 10 0 * * * -enableSched = 1 -dispatch.earliest_time = -1450m@m -dispatch.latest_time = -10m@m -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = This search establishes, on a per-hour basis, the average and the standard deviation of the number of API calls that were related to network ACLs made by each user. Also recorded is the number of data points for each user. This table is then outputted to a lookup file to allow the detection search to operate quickly. -action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail inputs. To add or remove API event names for network ACLs, edit the macro `network_acl_events`. -disabled = true -is_visible = false -search = `cloudtrail` `network_acl_events` | spath output=arn path=userIdentity.arn | bucket _time span=1h | stats count as apiCalls by _time, arn | stats count(apiCalls) as numDataPoints, latest(apiCalls) as latestCount, avg(apiCalls) as avgApiCalls, stdev(apiCalls) as stdevApiCalls by arn | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup network_acl_activity_baseline | stats count - -[ESCU - Baseline of S3 Bucket deletion activity by ARN] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Baseline of S3 Bucket deletion activity by ARN -description = This search establishes, on a per-hour basis, the average and standard deviation for the number of API calls related to deleting an S3 bucket by each user. Also recorded is the number of data points for each user. This table is then outputted to a lookup file to allow the detection search to operate quickly. -action.escu.creation_date = 2018-07-17 -action.escu.modification_date = 2018-07-17 -action.escu.analytic_story = ["Suspicious AWS S3 Activities"] -action.escu.data_models = [] -cron_schedule = 10 0 * * * -enableSched = 1 -dispatch.earliest_time = -1450m@m -dispatch.latest_time = -10m@m -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = This search establishes, on a per-hour basis, the average and standard deviation for the number of API calls related to deleting an S3 bucket by each user. Also recorded is the number of data points for each user. This table is then outputted to a lookup file to allow the detection search to operate quickly. -action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail inputs. -disabled = true -is_visible = false -search = `cloudtrail` eventName=DeleteBucket | spath output=arn path=userIdentity.arn | bucket _time span=1h | stats count as apiCalls by _time, arn | stats count(apiCalls) as numDataPoints, latest(apiCalls) as latestCount, avg(apiCalls) as avgApiCalls, stdev(apiCalls) as stdevApiCalls by arn | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup s3_deletion_baseline | stats count - -[ESCU - Baseline of Security Group Activity by ARN] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Baseline of Security Group Activity by ARN -description = This search establishes, on a per-hour basis, the average and the standard deviation for the number of API calls related to security groups made by each user. Also recorded is the number of data points for each user. This table is then outputted to a lookup file to allow the detection search to operate quickly. -action.escu.creation_date = 2018-04-17 -action.escu.modification_date = 2018-04-17 -action.escu.analytic_story = ["AWS User Monitoring"] -action.escu.data_models = [] -cron_schedule = 10 0 * * * -enableSched = 1 -dispatch.earliest_time = -1450m@m -dispatch.latest_time = -10m@m -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = This search establishes, on a per-hour basis, the average and the standard deviation for the number of API calls related to security groups made by each user. Also recorded is the number of data points for each user. This table is then outputted to a lookup file to allow the detection search to operate quickly. -action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail inputs. To add or remove API event names for security groups, edit the macro `security_group_api_calls`. -disabled = true -is_visible = false -search = `cloudtrail` `security_group_api_calls` | spath output=arn path=userIdentity.arn | bucket _time span=1h | stats count as apiCalls by _time, arn | stats count(apiCalls) as numDataPoints, latest(apiCalls) as latestCount, avg(apiCalls) as avgApiCalls, stdev(apiCalls) as stdevApiCalls by arn | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup security_group_activity_baseline | stats count - -[ESCU - Baseline of SMB Traffic - MLTK] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Baseline of SMB Traffic - MLTK -description = This search is used to build a Machine Learning Toolkit (MLTK) model to characterize the number of SMB connections observed each hour for every day of week. By default, the search uses the last 30 days of data to build the model. The model created by this search is then used in the corresponding detection search to identify outliers in the number of SMB connections for that hour and day of the week. -action.escu.creation_date = 2019-05-08 -action.escu.modification_date = 2019-05-08 -action.escu.analytic_story = ["DHS Report TA18-074A", "Disabling Security Tools", "Emotet Malware DHS Report TA18-201A", "Hidden Cobra Malware", "Netsh Abuse", "Ransomware"] -action.escu.data_models = ["Network_Traffic"] -cron_schedule = 10 0 * * * -enableSched = 1 -dispatch.earliest_time = -1450m@m -dispatch.latest_time = -10m@m -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = This search is used to build a Machine Learning Toolkit (MLTK) model to characterize the number of SMB connections observed each hour for every day of week. By default, the search uses the last 30 days of data to build the model. The model created by this search is then used in the corresponding detection search to identify outliers in the number of SMB connections for that hour and day of the week. -action.escu.how_to_implement = You must be ingesting network traffic and populating the Network_Traffic data model. In addition, you must have the Machine Learning Toolkit (MLTK) version >= 4.2 installed, along with any required dependencies. To improve your results, you may consider adding "src" to the by clause, which will build the model for each unique source in your enviornment. However, if you have a large number of hosts in your environment, this search may be very resource intensive. In this case, you may need to raise the value of max_inputs and/or max_groups in the MLTK settings for the DensityFunction algorithm, then ensure that the search completes in a reasonable timeframe. By default, the search builds the model using the past 30 days of data. You can modify the search window to build the model over a longer period of time, which may give you better results. You may also want to periodically re-run this search to rebuild the model with the latest data. More information on the algorithm used in the search can be found at `https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#DensityFunction`. -disabled = true -is_visible = false -search = | tstats `security_content_summariesonly` count from datamodel=Network_Traffic where All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb by _time span=1h, All_Traffic.src | eval HourOfDay=strftime(_time, "%H") | eval DayOfWeek=strftime(_time, "%A") | `drop_dm_object_name("All_Traffic")` | fit DensityFunction count by "HourOfDay,DayOfWeek" into smb_pdfmodel - -[ESCU - Count of assets by category] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Count of assets by category -description = This search shows you every asset category you have and the assets that belong to those categories. -action.escu.creation_date = 2017-09-13 -action.escu.modification_date = 2017-09-13 -action.escu.analytic_story = ["Asset Tracking"] -action.escu.data_models = [] -cron_schedule = 10 0 * * * -enableSched = 1 -dispatch.earliest_time = -1450m@m -dispatch.latest_time = -10m@m -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = This search shows you every asset category you have and the assets that belong to those categories. -action.escu.how_to_implement = To successfully implement this search you must first leverage the Assets and Identity framework in Enterprise Security to populate your assets_by_str.csv file which should then be mapped to the Identity_Management data model. The Identity_Management data model will contain a list of known authorized company assets. Ensure that all inventoried systems are constantly vetted and updated. -disabled = true -is_visible = false -search = | from datamodel Identity_Management.All_Assets | stats count values(nt_host) by category | sort -count - -[ESCU - Count of Unique IPs Connecting to Ports] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Count of Unique IPs Connecting to Ports -description = The search counts the number of times a connection was observed to each destination port, and the number of unique source IPs connecting to them. -action.escu.creation_date = 2017-09-13 -action.escu.modification_date = 2017-09-13 -action.escu.analytic_story = ["Command And Control", "Prohibited Traffic Allowed or Protocol Mismatch", "Ransomware"] -action.escu.data_models = ["Network_Traffic"] -cron_schedule = 10 0 * * * -enableSched = 1 -dispatch.earliest_time = -1450m@m -dispatch.latest_time = -10m@m -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = The search counts the number of times a connection was observed to each destination port, and the number of unique source IPs connecting to them. -action.escu.how_to_implement = To successfully implement this search, you must be ingesting network traffic, and populating the Network_Traffic data model. -disabled = true -is_visible = false -search = | tstats `security_content_summariesonly` count dc(All_Traffic.src) as numberOfUniqueHosts from datamodel=Network_Traffic by All_Traffic.dest_port | `drop_dm_object_name("All_Traffic")` | sort - count - -[ESCU - Create a list of approved AWS service accounts] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Create a list of approved AWS service accounts -description = This search looks for successful API activity in CloudTrail within the last 30 days, filters out known users from the identity table, and outputs values of users into `aws_service_accounts.csv` lookup file. -action.escu.creation_date = 2018-12-03 -action.escu.modification_date = 2018-12-03 -action.escu.analytic_story = ["AWS User Monitoring"] -action.escu.data_models = [] -cron_schedule = 10 0 * * * -enableSched = 1 -dispatch.earliest_time = -1450m@m -dispatch.latest_time = -10m@m -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = This search looks for successful API activity in CloudTrail within the last 30 days, filters out known users from the identity table, and outputs values of users into `aws_service_accounts.csv` lookup file. -action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. Please validate the service account entires in `aws_service_accounts.csv`, which is a lookup file created as a result of running this support search. Please remove the entries of service accounts that are not legitimate. -disabled = true -is_visible = false -search = `cloudtrail` errorCode=success | rename userName as identity | search NOT [inputlookup identity_lookup_expanded | fields identity] | stats count by identity | table identity | outputlookup aws_service_accounts | stats count - -[ESCU - Add Prohibited Processes to Enterprise Security] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Add Prohibited Processes to Enterprise Security -description = This search takes the existing interesting process table from ES, filters out any existing additions added by ESCU and then updates the table with processes identified by ESCU that should be prohibited on your endpoints. -action.escu.creation_date = 2017-09-15 -action.escu.modification_date = 2017-09-15 -action.escu.analytic_story = ["Emotet Malware DHS Report TA18-201A", "Monitor for Unauthorized Software", "SamSam Ransomware"] -action.escu.data_models = [] -cron_schedule = 10 0 * * * -enableSched = 1 -dispatch.earliest_time = -1450m@m -dispatch.latest_time = -10m@m -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = This search takes the existing interesting process table from ES, filters out any existing additions added by ESCU and then updates the table with processes identified by ESCU that should be prohibited on your endpoints. -action.escu.how_to_implement = This search should be run on each new install of ESCU. -disabled = true -is_visible = false -search = | inputlookup prohibited_processes | search note!=ESCU* | inputlookup append=T prohibited_processes | fillnull value=* dest dest_pci_domain | fillnull value=false is_required is_secure | fillnull value=true is_prohibited | outputlookup prohibited_processes | stats count - -[ESCU - Baseline of API Calls per User ARN] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Baseline of API Calls per User ARN -description = This search establishes, on a per-hour basis, the average and the standard deviation of the number of API calls made by each user. Also recorded is the number of data points for each user. This table is then outputted to a lookup file to allow the detection search to operate quickly. -action.escu.creation_date = 2018-04-09 -action.escu.modification_date = 2018-04-09 -action.escu.analytic_story = ["AWS User Monitoring"] -action.escu.data_models = [] -cron_schedule = 10 0 * * * -enableSched = 1 -dispatch.earliest_time = -1450m@m -dispatch.latest_time = -10m@m -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = This search establishes, on a per-hour basis, the average and the standard deviation of the number of API calls made by each user. Also recorded is the number of data points for each user. This table is then outputted to a lookup file to allow the detection search to operate quickly. -action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail inputs. -disabled = true -is_visible = false -search = `cloudtrail` eventType=AwsApiCall | spath output=arn path=userIdentity.arn | bucket _time span=1h | stats count as apiCalls by _time, arn | stats count(apiCalls) as numDataPoints, latest(apiCalls) as latestCount, avg(apiCalls) as avgApiCalls, stdev(apiCalls) as stdevApiCalls by arn | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup api_call_by_user_baseline | stats count - -[ESCU - Baseline of Excessive AWS Instances Launched by User - MLTK] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Baseline of Excessive AWS Instances Launched by User - MLTK -description = This search is used to build a Machine Learning Toolkit (MLTK) model for how many RunInstances users do in the environment. By default, the search uses the last 90 days of data to build the model. The model created by this search is then used in the corresponding detection search, which identifies subsequent outliers in the number of RunInstances performed by a user in a small time window. -action.escu.creation_date = 2019-11-14 -action.escu.modification_date = 2019-11-14 -action.escu.analytic_story = ["AWS Cryptomining", "Suspicious AWS EC2 Activities"] -action.escu.data_models = [] -cron_schedule = 10 0 * * * -enableSched = 1 -dispatch.earliest_time = -1450m@m -dispatch.latest_time = -10m@m -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = This search is used to build a Machine Learning Toolkit (MLTK) model for how many RunInstances users do in the environment. By default, the search uses the last 90 days of data to build the model. The model created by this search is then used in the corresponding detection search, which identifies subsequent outliers in the number of RunInstances performed by a user in a small time window. -action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. \ -In addition, you must have the Machine Learning Toolkit (MLTK) version >= 4.2 installed, along with any required dependencies. Depending on the number of users in your environment, you may also need to adjust the value for max_inputs in the MLTK settings for the DensityFunction algorithm, then ensure that the search completes in a reasonable timeframe. By default, the search builds the model using the past 30 days of data. You can modify the search window to build the model over a longer period of time, which may give you better results. You may also want to periodically re-run this search to rebuild the model with the latest data. \ -More information on the algorithm used in the search can be found at `https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#DensityFunction`. -disabled = true -is_visible = false -search = `cloudtrail` eventName=RunInstances errorCode=success `ec2_excessive_runinstances_mltk_input_filter` | bucket span=10m _time | stats count as instances_launched by _time src_user | fit DensityFunction instances_launched threshold=0.0005 into ec2_excessive_runinstances_v1 - -[ESCU - Baseline of Excessive AWS Instances Terminated by User - MLTK] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Baseline of Excessive AWS Instances Terminated by User - MLTK -description = This search is used to build a Machine Learning Toolkit (MLTK) model for how many TerminateInstances users do in the environment. By default, the search uses the last 90 days of data to build the model. The model created by this search is then used in the corresponding detection search, which identifies subsequent outliers in the number of TerminateInstances performed by a user in a small time window. -action.escu.creation_date = 2019-11-14 -action.escu.modification_date = 2019-11-14 -action.escu.analytic_story = ["Suspicious AWS EC2 Activities"] -action.escu.data_models = [] -cron_schedule = 10 0 * * * -enableSched = 1 -dispatch.earliest_time = -1450m@m -dispatch.latest_time = -10m@m -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = This search is used to build a Machine Learning Toolkit (MLTK) model for how many TerminateInstances users do in the environment. By default, the search uses the last 90 days of data to build the model. The model created by this search is then used in the corresponding detection search, which identifies subsequent outliers in the number of TerminateInstances performed by a user in a small time window. -action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. \ -In addition, you must have the Machine Learning Toolkit (MLTK) version >= 4.2 installed, along with any required dependencies. Depending on the number of users in your environment, you may also need to adjust the value for max_inputs in the MLTK settings for the DensityFunction algorithm, then ensure that the search completes in a reasonable timeframe. By default, the search builds the model using the past 30 days of data. You can modify the search window to build the model over a longer period of time, which may give you better results. You may also want to periodically re-run this search to rebuild the model with the latest data. \ -More information on the algorithm used in the search can be found at `https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#DensityFunction`. -disabled = true -is_visible = false -search = `cloudtrail` eventName=TerminateInstances errorCode=success `ec2_excessive_terminateinstances_mltk_input_filter` | bucket span=10m _time | stats count as instances_terminated by _time src_user | fit DensityFunction instances_terminated threshold=0.0005 into ec2_excessive_terminateinstances_v1 - -[ESCU - Previously seen API call per user roles in CloudTrail] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Previously seen API call per user roles in CloudTrail -description = This search looks for successful API calls made by different user roles, then creates a baseline of the earliest and latest times we have encountered this user role. It also returns the name of the API call in our dataset--grouped by user role and name of the API call--that occurred within the last 30 days. In this support search, we are only looking for events where the user identity is Assumed Role. -action.escu.creation_date = 2018-04-16 -action.escu.modification_date = 2018-04-16 -action.escu.analytic_story = ["AWS User Monitoring"] -action.escu.data_models = [] -cron_schedule = 10 0 * * * -enableSched = 1 -dispatch.earliest_time = -1450m@m -dispatch.latest_time = -10m@m -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = This search looks for successful API calls made by different user roles, then creates a baseline of the earliest and latest times we have encountered this user role. It also returns the name of the API call in our dataset--grouped by user role and name of the API call--that occurred within the last 30 days. In this support search, we are only looking for events where the user identity is Assumed Role. -action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. Please validate the user role entries in `previously_seen_api_calls_from_user_roles.csv`, which is a lookup file created as a result of running this support search. -disabled = true -is_visible = false -search = `cloudtrail` eventType=AwsApiCall errorCode=success userIdentity.type=AssumedRole | stats earliest(_time) as earliest latest(_time) as latest by userName eventName | outputlookup previously_seen_api_calls_from_user_roles | stats count - -[ESCU - Previously Seen AWS Provisioning Activity Sources] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Previously Seen AWS Provisioning Activity Sources -description = This search builds a table of the first and last times seen for every IP address (along with its physical location) previously associated with cloud-provisioning activity. This is broadly defined as any event that runs or creates something. -action.escu.creation_date = 2018-03-16 -action.escu.modification_date = 2018-03-16 -action.escu.analytic_story = ["AWS Suspicious Provisioning Activities"] -action.escu.data_models = [] -cron_schedule = 10 0 * * * -enableSched = 1 -dispatch.earliest_time = -1450m@m -dispatch.latest_time = -10m@m -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = This search builds a table of the first and last times seen for every IP address (along with its physical location) previously associated with cloud-provisioning activity. This is broadly defined as any event that runs or creates something. -action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. -disabled = true -is_visible = false -search = `cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | stats earliest(_time) as firstTime, latest(_time) as lastTime by sourceIPAddress, City, Region, Country | outputlookup previously_seen_provisioning_activity_src | stats count - -[ESCU - Previously Seen EC2 AMIs] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Previously Seen EC2 AMIs -description = This search builds a table of previously seen AMIs used to launch EC2 instances -action.escu.creation_date = 2018-03-12 -action.escu.modification_date = 2018-03-12 -action.escu.analytic_story = ["AWS Cryptomining"] -action.escu.data_models = [] -cron_schedule = 10 0 * * * -enableSched = 1 -dispatch.earliest_time = -1450m@m -dispatch.latest_time = -10m@m -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = This search builds a table of previously seen AMIs used to launch EC2 instances -action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail inputs. -disabled = true -is_visible = false -search = `cloudtrail` eventName=RunInstances errorCode=success | rename requestParameters.instancesSet.items{}.imageId as amiID | stats earliest(_time) as firstTime latest(_time) as lastTime by amiID | outputlookup previously_seen_ec2_amis | stats count - -[ESCU - Previously Seen EC2 Instance Types] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Previously Seen EC2 Instance Types -description = This search builds a table of previously seen EC2 instance types -action.escu.creation_date = 2018-03-08 -action.escu.modification_date = 2018-03-08 -action.escu.analytic_story = ["AWS Cryptomining"] -action.escu.data_models = [] -cron_schedule = 10 0 * * * -enableSched = 1 -dispatch.earliest_time = -1450m@m -dispatch.latest_time = -10m@m -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = This search builds a table of previously seen EC2 instance types -action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail inputs. -disabled = true -is_visible = false -search = `cloudtrail` eventName=RunInstances errorCode=success | rename requestParameters.instanceType as instanceType | fillnull value="m1.small" instanceType | stats earliest(_time) as earliest latest(_time) as latest by instanceType | outputlookup previously_seen_ec2_instance_types | stats count - -[ESCU - Previously Seen EC2 Launches By User] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Previously Seen EC2 Launches By User -description = This search builds a table of previously seen ARNs that have launched a EC2 instance. -action.escu.creation_date = 2018-03-15 -action.escu.modification_date = 2018-03-15 -action.escu.analytic_story = ["AWS Cryptomining", "Suspicious AWS EC2 Activities"] -action.escu.data_models = [] -cron_schedule = 10 0 * * * -enableSched = 1 -dispatch.earliest_time = -1450m@m -dispatch.latest_time = -10m@m -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = This search builds a table of previously seen ARNs that have launched a EC2 instance. -action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail inputs. -disabled = true -is_visible = false -search = `cloudtrail` eventName=RunInstances errorCode=success | rename userIdentity.arn as arn | stats earliest(_time) as firstTime latest(_time) as lastTime by arn | outputlookup previously_seen_ec2_launches_by_user | stats count - -[ESCU - Previously seen users in CloudTrail] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Previously seen users in CloudTrail -description = This search looks for CloudTrail events where a user logs into the console, then creates a baseline of the latest and earliest times, City, Region, and Country we have encountered this user in our dataset, grouped by ARN, within the last 30 days. NOTE - This baseline search is deprecated and has been updated to use the Authentication Datamodel -action.escu.creation_date = 2018-04-30 -action.escu.modification_date = 2018-04-30 -action.escu.analytic_story = ["Suspicious AWS Login Activities"] -action.escu.data_models = [] -cron_schedule = 10 0 * * * -enableSched = 1 -dispatch.earliest_time = -1450m@m -dispatch.latest_time = -10m@m -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = This search looks for CloudTrail events where a user logs into the console, then creates a baseline of the latest and earliest times, City, Region, and Country we have encountered this user in our dataset, grouped by ARN, within the last 30 days. NOTE - This baseline search is deprecated and has been updated to use the Authentication Datamodel -action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. Please validate the user name entries in `previously_seen_users_console_logins_cloudtrail`, which is a lookup file created as a result of running this support search. -disabled = true -is_visible = false -search = `cloudtrail` eventName=ConsoleLogin | rename userIdentity.arn as user | iplocation src | eval City=if(City LIKE "",src,City),Region=if(Region LIKE "",src,Region) | stats earliest(_time) as firstTime latest(_time) as lastTime by user src City Region Country | outputlookup previously_seen_users_console_logins_cloudtrail | stats count - -[ESCU - Update previously seen users in CloudTrail] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Update previously seen users in CloudTrail -description = This search looks for CloudTrail events where a user logs into the console, then updates the baseline of the latest and earliest times, City, Region, and Country we have encountered this user in our dataset, grouped by ARN, within the last hour. NOTE - This baseline search is deprecated and has been updated to use the Authentication Datamodel -action.escu.creation_date = 2018-04-30 -action.escu.modification_date = 2018-04-30 -action.escu.analytic_story = ["Suspicious AWS Login Activities"] -action.escu.data_models = [] -cron_schedule = 10 0 * * * -enableSched = 1 -dispatch.earliest_time = -1450m@m -dispatch.latest_time = -10m@m -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = This search looks for CloudTrail events where a user logs into the console, then updates the baseline of the latest and earliest times, City, Region, and Country we have encountered this user in our dataset, grouped by ARN, within the last hour. NOTE - This baseline search is deprecated and has been updated to use the Authentication Datamodel -action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. Please validate the user name entries in `previously_seen_users_console_logins_cloudtrail`, which is a lookup file created as a result of running this support search. -disabled = true -is_visible = false -search = `cloudtrail` eventName=ConsoleLogin | rename userIdentity.arn as user | iplocation src | eval City=if(City LIKE "",src,City),Region=if(Region LIKE "",src,Region) | stats earliest(_time) AS firstTime latest(_time) AS lastTime by user src City Region Country | inputlookup append=t previously_seen_users_console_logins_cloudtrail | stats min(firstTime) as firstTime max(lastTime) as lastTime by user src City Region Country | outputlookup previously_seen_users_console_logins_cloudtrail - -[ESCU - Discover DNS records] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Discover DNS records -description = The search takes corporate and common cloud provider domains configured under `cim_corporate_email_domains.csv`, `cim_corporate_web_domains.csv`, and `cloud_domains.csv` finds their responses across the last 30 days from data in the `Network_Resolution ` datamodel, then stores the output under the `discovered_dns_records.csv` lookup -action.escu.creation_date = 2019-02-14 -action.escu.modification_date = 2019-02-14 -action.escu.analytic_story = ["DNS Hijacking"] -action.escu.data_models = ["Network_Resolution"] -cron_schedule = 10 0 * * * -enableSched = 1 -dispatch.earliest_time = -1450m@m -dispatch.latest_time = -10m@m -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = The search takes corporate and common cloud provider domains configured under `cim_corporate_email_domains.csv`, `cim_corporate_web_domains.csv`, and `cloud_domains.csv` finds their responses across the last 30 days from data in the `Network_Resolution ` datamodel, then stores the output under the `discovered_dns_records.csv` lookup -action.escu.how_to_implement = To successfully implement this search, you must be ingesting DNS logs, and populating the Network_Resolution data model. Also make sure that the cim_corporate_web_domains and cim_corporate_email_domains lookups are populated with the domains owned by your corporation -disabled = true -is_visible = false -search = | inputlookup cim_corporate_email_domains.csv | inputlookup append=T cim_corporate_web_domains.csv | inputlookup append=T cim_cloud_domains.csv | eval domain = trim(replace(domain, "\*", "")) | join domain [|tstats `security_content_summariesonly` count values(DNS.record_type) as type, values(DNS.answer) as answer from datamodel=Network_Resolution where DNS.message_type=RESPONSE DNS.answer!="unknown" DNS.answer!="" by DNS.query | rename DNS.query as query | where query!="unknown" | rex field=query "(?\w+\.\w+?)(?:$|/)"] | makemv delim=" " answer | makemv delim=" " type | sort -count | table count,domain,type,query,answer | outputlookup createinapp=true discovered_dns_records - -[ESCU - DNSTwist Domain Names] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - DNSTwist Domain Names -description = This search creates permutations of your existing domains, removes the valid domain names and stores them in a specified lookup file so they can be checked for in the associated detection searches. -action.escu.creation_date = 2018-10-08 -action.escu.modification_date = 2018-10-08 -action.escu.analytic_story = ["Brand Monitoring", "Suspicious Emails"] -action.escu.data_models = [] -cron_schedule = 10 0 * * * -enableSched = 1 -dispatch.earliest_time = -1450m@m -dispatch.latest_time = -10m@m -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = This search creates permutations of your existing domains, removes the valid domain names and stores them in a specified lookup file so they can be checked for in the associated detection searches. -action.escu.how_to_implement = To successfully implement this search you need to update the file called domains.csv in the DA-ESS-SOC/lookup directory. Or `cim_corporate_email_domains.csv` and `cim_corporate_web_domains.csv` from **Splunk\_SA\_CIM**. -disabled = true -is_visible = false -search = | dnstwist domainlist=domains.csv | `remove_valid_domains` | eval domain_abuse="true" | table domain, domain_abuse | outputlookup brandMonitoring_lookup | stats count - -[ESCU - Identify Systems Creating Remote Desktop Traffic] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Identify Systems Creating Remote Desktop Traffic -description = This search counts the numbers of times the system has generated remote desktop traffic. -action.escu.creation_date = 2017-09-15 -action.escu.modification_date = 2017-09-15 -action.escu.analytic_story = ["Active Directory Lateral Movement", "Hidden Cobra Malware", "Ryuk Ransomware", "SamSam Ransomware"] -action.escu.data_models = ["Network_Traffic"] -cron_schedule = 10 0 * * * -enableSched = 1 -dispatch.earliest_time = -1450m@m -dispatch.latest_time = -10m@m -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = This search counts the numbers of times the system has generated remote desktop traffic. -action.escu.how_to_implement = To successfully implement this search, you must ingest network traffic and populate the Network_Traffic data model. -disabled = true -is_visible = false -search = | tstats `security_content_summariesonly` count from datamodel=Network_Traffic where All_Traffic.dest_port=3389 by All_Traffic.src | `drop_dm_object_name("All_Traffic")` | sort - count - -[ESCU - Identify Systems Receiving Remote Desktop Traffic] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Identify Systems Receiving Remote Desktop Traffic -description = This search counts the numbers of times the system has created remote desktop traffic -action.escu.creation_date = 2017-09-15 -action.escu.modification_date = 2017-09-15 -action.escu.analytic_story = ["Active Directory Lateral Movement", "Hidden Cobra Malware", "Ryuk Ransomware", "SamSam Ransomware"] -action.escu.data_models = ["Network_Traffic"] -cron_schedule = 10 0 * * * -enableSched = 1 -dispatch.earliest_time = -1450m@m -dispatch.latest_time = -10m@m -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = This search counts the numbers of times the system has created remote desktop traffic -action.escu.how_to_implement = To successfully implement this search you must ingest network traffic and populate the Network_Traffic data model. If a system receives a lot of remote desktop traffic, you can apply the category common_rdp_destination to it. -disabled = true -is_visible = false -search = | tstats `security_content_summariesonly` count from datamodel=Network_Traffic where All_Traffic.dest_port=3389 by All_Traffic.dest | `drop_dm_object_name("All_Traffic")` | sort - count - -[ESCU - Identify Systems Using Remote Desktop] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Identify Systems Using Remote Desktop -description = This search counts the numbers of times the remote desktop process, mstsc.exe, has run on each system. -action.escu.creation_date = 2019-04-01 -action.escu.modification_date = 2019-04-01 -action.escu.analytic_story = ["Active Directory Lateral Movement", "Hidden Cobra Malware", "Ryuk Ransomware", "SamSam Ransomware"] -action.escu.data_models = ["Endpoint"] -cron_schedule = 10 0 * * * -enableSched = 1 -dispatch.earliest_time = -1450m@m -dispatch.latest_time = -10m@m -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = This search counts the numbers of times the remote desktop process, mstsc.exe, has run on each system. -action.escu.how_to_implement = To successfully implement this search you must be ingesting endpoint data that records process activity. -disabled = true -is_visible = false -search = | tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes where Processes.process_name="*mstsc.exe*" by Processes.dest Processes.process_name | `drop_dm_object_name(Processes)` | sort - count - -[ESCU - Monitor Successful Backups] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Monitor Successful Backups -description = This search is intended to give you a feel for how often successful backups are conducted in your environment. Fluctuations in these numbers will allow you to determine when you should investigate. -action.escu.creation_date = 2017-09-12 -action.escu.modification_date = 2017-09-12 -action.escu.analytic_story = ["Monitor Backup Solution"] -action.escu.data_models = [] -cron_schedule = 10 0 * * * -enableSched = 1 -dispatch.earliest_time = -1450m@m -dispatch.latest_time = -10m@m -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = This search is intended to give you a feel for how often successful backups are conducted in your environment. Fluctuations in these numbers will allow you to determine when you should investigate. -action.escu.how_to_implement = To successfully implement this search you must be ingesting your backup logs. -disabled = true -is_visible = false -search = `netbackup` "Disk/Partition backup completed successfully." | bucket _time span=1d | stats dc(COMPUTERNAME) as count values(COMPUTERNAME) as dest by _time, MESSAGE - -[ESCU - Monitor Unsuccessful Backups] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Monitor Unsuccessful Backups -description = This search is intended to give you a feel for how often backup failures happen in your environments. Fluctuations in these numbers will allow you to determine when you should investigate. -action.escu.creation_date = 2017-09-12 -action.escu.modification_date = 2017-09-12 -action.escu.analytic_story = ["Monitor Backup Solution"] -action.escu.data_models = [] -cron_schedule = 10 0 * * * -enableSched = 1 -dispatch.earliest_time = -1450m@m -dispatch.latest_time = -10m@m -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = This search is intended to give you a feel for how often backup failures happen in your environments. Fluctuations in these numbers will allow you to determine when you should investigate. -action.escu.how_to_implement = To successfully implement this search you must be ingesting your backup logs. -disabled = true -is_visible = false -search = `netbackup` "An error occurred, failed to backup." | bucket _time span=1d | stats dc(COMPUTERNAME) as count values(COMPUTERNAME) as dest by _time, MESSAGE - -[ESCU - Previously Seen AWS Cross Account Activity] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Previously Seen AWS Cross Account Activity -description = This search looks for **AssumeRole** events where the requesting account differs from the requested account, then writes these relationships to a lookup file. -action.escu.creation_date = 2018-06-04 -action.escu.modification_date = 2018-06-04 -action.escu.analytic_story = ["AWS Cross Account Activity"] -action.escu.data_models = [] -cron_schedule = 10 0 * * * -enableSched = 1 -dispatch.earliest_time = -1450m@m -dispatch.latest_time = -10m@m -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = This search looks for **AssumeRole** events where the requesting account differs from the requested account, then writes these relationships to a lookup file. -action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. Validate the user name entries in `previously_seen_aws_cross_account_activity.csv`, a lookup file created by this support search. -disabled = true -is_visible = false -search = `cloudtrail` eventName=AssumeRole | spath output=requestingAccountId path=userIdentity.accountId | spath output=requestedAccountId path=resources{}.accountId | search requestingAccountId=* | where requestingAccountId!=requestedAccountId | stats earliest(_time) as firstTime latest(_time) as lastTime by requestingAccountId, requestedAccountId | outputlookup previously_seen_aws_cross_account_activity | stats count - -[ESCU - Previously Seen AWS Cross Account Activity - Initial] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Previously Seen AWS Cross Account Activity - Initial -description = This search looks for **AssumeRole** events where the requesting account differs from the requested account, then writes these relationships to a lookup file. -action.escu.creation_date = 2020-08-15 -action.escu.modification_date = 2020-08-15 -action.escu.analytic_story = ["Suspicious Cloud Authentication Activities"] -action.escu.data_models = ["Authentication"] -cron_schedule = 0 2 * * 0 -enableSched = 1 -dispatch.earliest_time = -90d@d -dispatch.latest_time = -1d@d -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = This search looks for **AssumeRole** events where the requesting account differs from the requested account, then writes these relationships to a lookup file. -action.escu.how_to_implement = You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later)and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Validate the user name entries in `previously_seen_aws_cross_account_activity.csv`, a lookup file created by this support search. -disabled = true -is_visible = false -search = | tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=AssumeRole by Authentication.vendor_account Authentication.user Authentication.src Authentication.user_role | `drop_dm_object_name(Authentication)` | rex field=user_role "arn:aws:sts:*:(?.*):" | where vendor_account != dest_account | rename vendor_account as requestingAccountId dest_account as requestedAccountId | table requestingAccountId requestedAccountId firstTime lastTime | outputlookup previously_seen_aws_cross_account_activity - -[ESCU - Previously Seen AWS Cross Account Activity - Update] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Previously Seen AWS Cross Account Activity - Update -description = This search looks for **AssumeRole** events where the requesting account differs from the requested account, then writes these relationships to a lookup file. -action.escu.creation_date = 2020-08-15 -action.escu.modification_date = 2020-08-15 -action.escu.analytic_story = ["Suspicious Cloud Authentication Activities"] -action.escu.data_models = ["Authentication"] -cron_schedule = 10 0 * * * -enableSched = 1 -dispatch.earliest_time = -1450m@m -dispatch.latest_time = -10m@m -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = This search looks for **AssumeRole** events where the requesting account differs from the requested account, then writes these relationships to a lookup file. -action.escu.how_to_implement = You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Validate the user name entries in `previously_seen_aws_cross_account_activity` kvstore -disabled = true -is_visible = false -search = | tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=AssumeRole by Authentication.vendor_account Authentication.user Authentication.src Authentication.user_role | `drop_dm_object_name(Authentication)` | rex field=user_role "arn:aws:sts:*:(?.*):" | where vendor_account != dest_account | rename vendor_account as requestingAccountId dest_account as requestedAccountId | inputlookup append=t previously_seen_aws_cross_account_activity | stats min(firstTime) as firstTime max(lastTime) as lastTime by requestingAccountId requestedAccountId | outputlookup previously_seen_aws_cross_account_activity - -[ESCU - Previously Seen AWS Regions] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Previously Seen AWS Regions -description = This search looks for CloudTrail events where an AWS instance is started and creates a baseline of most recent time (latest) and the first time (earliest) we've seen this region in our dataset grouped by the value awsRegion for the last 30 days -action.escu.creation_date = 2018-01-08 -action.escu.modification_date = 2018-01-08 -action.escu.analytic_story = ["AWS Cryptomining", "Suspicious AWS EC2 Activities"] -action.escu.data_models = [] -cron_schedule = 10 0 * * * -enableSched = 1 -dispatch.earliest_time = -1450m@m -dispatch.latest_time = -10m@m -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = This search looks for CloudTrail events where an AWS instance is started and creates a baseline of most recent time (latest) and the first time (earliest) we've seen this region in our dataset grouped by the value awsRegion for the last 30 days -action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail inputs. -disabled = true -is_visible = false -search = `cloudtrail` StartInstances | stats earliest(_time) as earliest latest(_time) as latest by awsRegion | outputlookup previously_seen_aws_regions| stats count - -[ESCU - Previously Seen Cloud API Calls Per User Role - Initial] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Previously Seen Cloud API Calls Per User Role - Initial -description = This search builds a table of the first and last times seen for every user role and command combination. This is broadly defined as any event that runs or creates something. This table is then cached. -action.escu.creation_date = 2020-09-03 -action.escu.modification_date = 2020-09-03 -action.escu.analytic_story = ["Suspicious Cloud User Activities"] -action.escu.data_models = ["Change"] -cron_schedule = 0 2 * * 0 -enableSched = 1 -dispatch.earliest_time = -90d@d -dispatch.latest_time = -1d@d -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = This search builds a table of the first and last times seen for every user role and command combination. This is broadly defined as any event that runs or creates something. This table is then cached. -action.escu.how_to_implement = You must be ingesting Cloud infrastructure logs from your cloud provider. -disabled = true -is_visible = false -search = | tstats earliest(_time) as firstTimeSeen, latest(_time) as lastTimeSeen from datamodel=Change where All_Changes.user_type=AssumedRole AND All_Changes.status=success by All_Changes.user, All_Changes.command | `drop_dm_object_name("All_Changes")` | eventstats min(firstTimeSeen) as globalFirstTime | eval enough_data = if(globalFirstTime <= relative_time(now(), "-7d@d"), 1, 0) | table user, command, firstTimeSeen, lastTimeSeen, enough_data | outputlookup previously_seen_cloud_api_calls_per_user_role - -[ESCU - Previously Seen Cloud API Calls Per User Role - Update] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Previously Seen Cloud API Calls Per User Role - Update -description = This search updates the table of the first and last times seen for every user role and command combination. -action.escu.creation_date = 2020-09-03 -action.escu.modification_date = 2020-09-03 -action.escu.analytic_story = ["Suspicious Cloud User Activities"] -action.escu.data_models = ["Change"] -cron_schedule = 10 0 * * * -enableSched = 1 -dispatch.earliest_time = -1450m@m -dispatch.latest_time = -10m@m -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = This search updates the table of the first and last times seen for every user role and command combination. -action.escu.how_to_implement = You must be ingesting Cloud infrastructure logs from your cloud provider. -disabled = true -is_visible = false -search = | tstats earliest(_time) as firstTimeSeen, latest(_time) as lastTimeSeen from datamodel=Change where All_Changes.user_type=AssumedRole AND All_Changes.status=success by All_Changes.user, All_Changes.command | `drop_dm_object_name("All_Changes")` | table user, command, firstTimeSeen, lastTimeSeen | inputlookup previously_seen_cloud_api_calls_per_user_role append=t | stats min(firstTimeSeen) as firstTimeSeen, max(lastTimeSeen) as lastTimeSeen by user, command | where lastTimeSeen > relative_time(now(), `previously_seen_cloud_api_calls_per_user_role_forget_window`) | eventstats min(firstTimeSeen) as globalFirstTime | eval enough_data = if(globalFirstTime <= relative_time(now(), "-7d@d"), 1, 0) | table user, command, firstTimeSeen, lastTimeSeen, enough_data | outputlookup previously_seen_cloud_api_calls_per_user_role - -[ESCU - Previously Seen Cloud Compute Creations By User - Initial] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Previously Seen Cloud Compute Creations By User - Initial -description = This search builds a table of previously seen users that have launched a cloud compute instance. -action.escu.creation_date = 2020-08-15 -action.escu.modification_date = 2020-08-15 -action.escu.analytic_story = ["Cloud Cryptomining"] -action.escu.data_models = ["Change"] -cron_schedule = 0 2 * * 0 -enableSched = 1 -dispatch.earliest_time = -90d@d -dispatch.latest_time = -1d@d -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = This search builds a table of previously seen users that have launched a cloud compute instance. -action.escu.how_to_implement = You must be ingesting the approrpiate cloud infrastructure logs and have the proper TAs installed. -disabled = true -is_visible = false -search = | tstats earliest(_time) as firstTimeSeen, latest(_time) as lastTimeSeen from datamodel=Change where All_Changes.action=created AND All_Changes.object_category=instance by All_Changes.user | `drop_dm_object_name("All_Changes")` | outputlookup previously_seen_cloud_compute_creations_by_user | stats count - -[ESCU - Previously Seen Cloud Compute Creations By User - Update] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Previously Seen Cloud Compute Creations By User - Update -description = This search builds a table of previously seen users that have launched a cloud compute instance. -action.escu.creation_date = 2020-08-15 -action.escu.modification_date = 2020-08-15 -action.escu.analytic_story = ["Cloud Cryptomining"] -action.escu.data_models = ["Change"] -cron_schedule = 10 0 * * * -enableSched = 1 -dispatch.earliest_time = -1450m@m -dispatch.latest_time = -10m@m -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = This search builds a table of previously seen users that have launched a cloud compute instance. -action.escu.how_to_implement = You must be ingesting the approrpiate cloud infrastructure logs and have the proper TAs installed. -disabled = true -is_visible = false -search = | tstats earliest(_time) as firstTimeSeen, latest(_time) as lastTimeSeen from datamodel=Change where All_Changes.action=created AND All_Changes.object_category=instance by All_Changes.user| `drop_dm_object_name("All_Changes")` | inputlookup append=t previously_seen_cloud_compute_creations_by_user | stats min(firstTimeSeen) as firstTimeSeen max(lastTimeSeen) as lastTimeSeen by user | where lastTimeSeen > relative_time(now(), "-90d@d") | eventstats min(firstTimeSeen) as globalFirstTime | eval enough_data = if(globalFirstTime <= relative_time(now(), "-7d@d"), 1, 0) | outputlookup previously_seen_cloud_compute_creations_by_user - -[ESCU - Previously Seen Cloud Compute Images - Initial] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Previously Seen Cloud Compute Images - Initial -description = This search builds a table of previously seen images used to launch cloud compute instances -action.escu.creation_date = 2020-10-08 -action.escu.modification_date = 2020-10-08 -action.escu.analytic_story = ["Cloud Cryptomining"] -action.escu.data_models = ["Change"] -cron_schedule = 0 2 * * 0 -enableSched = 1 -dispatch.earliest_time = -90d@d -dispatch.latest_time = -1d@d -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = This search builds a table of previously seen images used to launch cloud compute instances -action.escu.how_to_implement = You must be ingesting the approrpiate cloud infrastructure logs and have the latest Change Datamodel accelerated -disabled = true -is_visible = false -search = | tstats earliest(_time) as firstTimeSeen, latest(_time) as lastTimeSeen from datamodel=Change where All_Changes.action=created by All_Changes.Instance_Changes.image_id | `drop_dm_object_name("All_Changes")` | `drop_dm_object_name("Instance_Changes")` | where image_id != "unknown" | eventstats min(firstTimeSeen) as globalFirstTime | eval enough_data = if(globalFirstTime <= relative_time(now(), "-7d@d"), 1, 0) | outputlookup previously_seen_cloud_compute_images - -[ESCU - Previously Seen Cloud Compute Images - Update] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Previously Seen Cloud Compute Images - Update -description = This search builds a table of previously seen images used to launch cloud compute instances -action.escu.creation_date = 2020-08-12 -action.escu.modification_date = 2020-08-12 -action.escu.analytic_story = ["Cloud Cryptomining"] -action.escu.data_models = ["Change"] -cron_schedule = 10 0 * * * -enableSched = 1 -dispatch.earliest_time = -1450m@m -dispatch.latest_time = -10m@m -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = This search builds a table of previously seen images used to launch cloud compute instances -action.escu.how_to_implement = You must be ingesting the approrpiate cloud infrastructure logs -disabled = true -is_visible = false -search = | tstats earliest(_time) as firstTimeSeen, latest(_time) as lastTimeSeen from datamodel=Change where All_Changes.action=created by All_Changes.Instance_Changes.image_id | `drop_dm_object_name("All_Changes")` | `drop_dm_object_name("Instance_Changes")` | where image_id != "unknown" | inputlookup append=t previously_seen_cloud_compute_images | stats min(firstTimeSeen) as firstTimeSeen max(lastTimeSeen) as lastTimeSeen by image_id | where lastTimeSeen > relative_time(now(), `previously_seen_cloud_compute_images_forget_window`) | eventstats min(firstTimeSeen) as globalFirstTime | eval enough_data = if(globalFirstTime <= relative_time(now(), "-7d@d"), 1, 0) | outputlookup previously_seen_cloud_compute_images - -[ESCU - Previously Seen Cloud Compute Instance Types - Initial] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Previously Seen Cloud Compute Instance Types - Initial -description = This search builds a table of previously seen cloud compute instance types -action.escu.creation_date = 2020-09-03 -action.escu.modification_date = 2020-09-03 -action.escu.analytic_story = ["Cloud Cryptomining"] -action.escu.data_models = ["Change"] -cron_schedule = 0 2 * * 0 -enableSched = 1 -dispatch.earliest_time = -90d@d -dispatch.latest_time = -1d@d -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = This search builds a table of previously seen cloud compute instance types -action.escu.how_to_implement = You must be ingesting the approrpiate cloud infrastructure logs and have the Security Research cloud data model installed. -disabled = true -is_visible = false -search = | tstats earliest(_time) as firstTimeSeen, latest(_time) as lastTimeSeen from datamodel=Change where All_Changes.action=created by All_Changes.Instance_Changes.instance_type | `drop_dm_object_name("All_Changes.Instance_Changes")` | where instance_type != "unknown" | eventstats min(firstTimeSeen) as globalFirstTime | eval enough_data = if(globalFirstTime <= relative_time(now(), "-14d@d"), 1, 0) | outputlookup previously_seen_cloud_compute_instance_types - -[ESCU - Previously Seen Cloud Compute Instance Types - Update] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Previously Seen Cloud Compute Instance Types - Update -description = This search builds a table of previously seen cloud compute instance types -action.escu.creation_date = 2020-09-03 -action.escu.modification_date = 2020-09-03 -action.escu.analytic_story = ["Cloud Cryptomining"] -action.escu.data_models = ["Change"] -cron_schedule = 10 0 * * * -enableSched = 1 -dispatch.earliest_time = -1450m@m -dispatch.latest_time = -10m@m -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = This search builds a table of previously seen cloud compute instance types -action.escu.how_to_implement = You must be ingesting the approrpiate cloud infrastructure logs -disabled = true -is_visible = false -search = | tstats earliest(_time) as firstTimeSeen, latest(_time) as lastTimeSeen from datamodel=Change where All_Changes.action=created by All_Changes.Instance_Changes.instance_type | `drop_dm_object_name("All_Changes.Instance_Changes")` | where instance_type != "unknown" | inputlookup append=t previously_seen_cloud_compute_instance_types | stats min(firstTimeSeen) as firstTimeSeen max(lastTimeSeen) as lastTimeSeen by instance_type | where lastTimeSeen > relative_time(now(), `previously_seen_cloud_compute_instance_type_forget_window`) | eventstats min(firstTimeSeen) as globalFirstTime | eval enough_data = if(globalFirstTime <= relative_time(now(), "-14d@d"), 1, 0) | outputlookup previously_seen_cloud_compute_instance_types - -[ESCU - Previously Seen Cloud Instance Modifications By User - Initial] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Previously Seen Cloud Instance Modifications By User - Initial -description = This search builds a table of previously seen users that have modified a cloud instance. -action.escu.creation_date = 2020-07-29 -action.escu.modification_date = 2020-07-29 -action.escu.analytic_story = ["Suspicious Cloud Instance Activities"] -action.escu.data_models = ["Change"] -cron_schedule = 0 2 * * 0 -enableSched = 1 -dispatch.earliest_time = -90d@d -dispatch.latest_time = -1d@d -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = This search builds a table of previously seen users that have modified a cloud instance. -action.escu.how_to_implement = You must be ingesting the approrpiate cloud infrastructure logs and have the latest Change Datamodel accelerated. -disabled = true -is_visible = false -search = | tstats earliest(_time) as firstTimeSeen, latest(_time) as lastTimeSeen from datamodel=Change where All_Changes.action=modified All_Changes.change_type=EC2 c=success by All_Changes.user | `drop_dm_object_name("All_Changes")` | eventstats min(firstTimeSeen) as globalFirstTime | eval enough_data = if(globalFirstTime <= relative_time(now(), "-7d@d"), 1, 0) | outputlookup previously_seen_cloud_instance_modifications_by_user - -[ESCU - Previously Seen Cloud Instance Modifications By User - Update] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Previously Seen Cloud Instance Modifications By User - Update -description = This search updates a table of previously seen Cloud Instance modifications that have been made by a user -action.escu.creation_date = 2020-07-29 -action.escu.modification_date = 2020-07-29 -action.escu.analytic_story = ["Suspicious Cloud Instance Activities"] -action.escu.data_models = ["Change"] -cron_schedule = 10 0 * * * -enableSched = 1 -dispatch.earliest_time = -1450m@m -dispatch.latest_time = -10m@m -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = This search updates a table of previously seen Cloud Instance modifications that have been made by a user -action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail inputs. To add or remove APIs that modify an EC2 instance, edit the macro `ec2_modification_api_calls`. -disabled = true -is_visible = false -search = | tstats earliest(_time) as firstTimeSeen, latest(_time) as lastTimeSeen from datamodel=Change where All_Changes.action=modified All_Changes.change_type=EC2 All_Changes.status=success by All_Changes.user | `drop_dm_object_name("All_Changes")` | inputlookup append=t previously_seen_cloud_instance_modifications_by_user | stats min(firstTimeSeen) as firstTimeSeen max(lastTimeSeen) as lastTimeSeen by user | where lastTimeSeen > relative_time(now(), `previously_seen_cloud_compute_images_forget_window`) | eventstats min(firstTimeSeen) as globalFirstTime | eval enough_data = if(globalFirstTime <= relative_time(now(), "-7d@d"), 1, 0) | outputlookup previously_seen_cloud_instance_modifications_by_user - -[ESCU - Previously Seen Cloud Provisioning Activity Sources - Initial] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Previously Seen Cloud Provisioning Activity Sources - Initial -description = This search builds a table of the first and last times seen for every IP address (along with its physical location) previously associated with cloud-provisioning activity. This is broadly defined as any event that runs or creates something. This table is then cached. -action.escu.creation_date = 2020-08-19 -action.escu.modification_date = 2020-08-19 -action.escu.analytic_story = ["Suspicious Cloud Provisioning Activities"] -action.escu.data_models = ["Change"] -cron_schedule = 0 2 * * 0 -enableSched = 1 -dispatch.earliest_time = -90d@d -dispatch.latest_time = -1d@d -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = This search builds a table of the first and last times seen for every IP address (along with its physical location) previously associated with cloud-provisioning activity. This is broadly defined as any event that runs or creates something. This table is then cached. -action.escu.how_to_implement = You must be ingesting Cloud infrastructure logs from your cloud provider. -disabled = true -is_visible = false -search = | tstats earliest(_time) as firstTimeSeen, latest(_time) as lastTimeSeen from datamodel=Change where (All_Changes.action=started OR All_Changes.action=created) All_Changes.status=success by All_Changes.src | `drop_dm_object_name("All_Changes")` | iplocation src | where isnotnull(Country) | eventstats min(firstTimeSeen) as globalFirstTime | eval enough_data = if(globalFirstTime <= relative_time(now(), "-7d@d"), 1, 0) | table src, City, Country, Region, firstTimeSeen, lastTimeSeen, enough_data | outputlookup previously_seen_cloud_provisioning_activity_sources - -[ESCU - Previously Seen Cloud Provisioning Activity Sources - Update] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Previously Seen Cloud Provisioning Activity Sources - Update -description = This returns the first and last times seen for every IP address (along with its physical location) previously associated with cloud-provisioning activity within the last day. Cloud provisioning is broadly defined as any event that runs or creates something. It then updates this information with historical data and filters out locations that have not been seen within the specified time window. This updated table is then cached. -action.escu.creation_date = 2020-08-20 -action.escu.modification_date = 2020-08-20 -action.escu.analytic_story = ["Suspicious Cloud Provisioning Activities"] -action.escu.data_models = ["Change"] -cron_schedule = 10 0 * * * -enableSched = 1 -dispatch.earliest_time = -1450m@m -dispatch.latest_time = -10m@m -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = This returns the first and last times seen for every IP address (along with its physical location) previously associated with cloud-provisioning activity within the last day. Cloud provisioning is broadly defined as any event that runs or creates something. It then updates this information with historical data and filters out locations that have not been seen within the specified time window. This updated table is then cached. -action.escu.how_to_implement = You must be ingesting Cloud infrastructure logs from your cloud provider. -disabled = true -is_visible = false -search = | tstats earliest(_time) as firstTimeSeen, latest(_time) as lastTimeSeen from datamodel=Change where (All_Changes.action=started OR All_Changes.action=created) All_Changes.status=success by All_Changes.src | `drop_dm_object_name("All_Changes")` | iplocation src | where isnotnull(Country) | table src, firstTimeSeen, lastTimeSeen, City, Country, Region | inputlookup previously_seen_cloud_provisioning_activity_sources append=t | stats min(firstTimeSeen) as firstTimeSeen, max(lastTimeSeen) as lastTimeSeen by src, City, Country, Region | where lastTimeSeen > relative_time(now(), `previously_seen_cloud_provisioning_activity_forget_window`) | eventstats min(firstTimeSeen) as globalFirstTime | eval enough_data = if(globalFirstTime <= relative_time(now(), "-7d@d"), 1, 0) | table src, City, Country, Region, firstTimeSeen, lastTimeSeen, enough_data | outputlookup previously_seen_cloud_provisioning_activity_sources - -[ESCU - Previously Seen Cloud Regions - Initial] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Previously Seen Cloud Regions - Initial -description = This search looks for cloud compute events where a compute instance is started and creates a baseline of most recent time, `lastTime` and the first time `firstTime` we've seen this region in our dataset grouped by the region for the last 30 days -action.escu.creation_date = 2020-09-02 -action.escu.modification_date = 2020-09-02 -action.escu.analytic_story = ["Cloud Cryptomining"] -action.escu.data_models = ["Change"] -cron_schedule = 0 2 * * 0 -enableSched = 1 -dispatch.earliest_time = -90d@d -dispatch.latest_time = -1d@d -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = This search looks for cloud compute events where a compute instance is started and creates a baseline of most recent time, `lastTime` and the first time `firstTime` we've seen this region in our dataset grouped by the region for the last 30 days -action.escu.how_to_implement = You must be ingesting the approrpiate cloud infrastructure logs and have the Security Research cloud data model installed. -disabled = true -is_visible = false -search = | tstats earliest(_time) as firstTimeSeen, latest(_time) as lastTimeSeen from datamodel=Change where All_Changes.action=created by All_Changes.vendor_region | `drop_dm_object_name("All_Changes")` | eventstats min(firstTimeSeen) as globalFirstTime | eval enough_data = if(globalFirstTime <= relative_time(now(), "-14d@d"), 1, 0) | outputlookup previously_seen_cloud_regions - -[ESCU - Previously Seen Cloud Regions - Update] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Previously Seen Cloud Regions - Update -description = This search looks for cloud compute events where a compute instance is started and creates a baseline of most recent time, `lastTime` and the first time `firstTime` we've seen this region in our dataset grouped by the region for the last 30 days -action.escu.creation_date = 2020-09-02 -action.escu.modification_date = 2020-09-02 -action.escu.analytic_story = ["Cloud Cryptomining"] -action.escu.data_models = ["Change"] -cron_schedule = 10 0 * * * -enableSched = 1 -dispatch.earliest_time = -1450m@m -dispatch.latest_time = -10m@m -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = This search looks for cloud compute events where a compute instance is started and creates a baseline of most recent time, `lastTime` and the first time `firstTime` we've seen this region in our dataset grouped by the region for the last 30 days -action.escu.how_to_implement = You must be ingesting the approrpiate cloud infrastructure logs and have the Security Research cloud data model installed. -disabled = true -is_visible = false -search = | tstats earliest(_time) as firstTimeSeen, latest(_time) as lastTimeSeen from datamodel=Change where All_Changes.action=created by All_Changes.vendor_region | `drop_dm_object_name("All_Changes")` | inputlookup append=t previously_seen_cloud_regions | stats min(firstTimeSeen) as firstTimeSeen max(lastTimeSeen) as lastTimeSeen by vendor_region | where lastTimeSeen > relative_time(now(), `previously_seen_cloud_region_forget_window`) | eventstats min(firstTimeSeen) as globalFirstTime | eval enough_data = if(globalFirstTime <= relative_time(now(), "-14d@d"), 1, 0) | outputlookup previously_seen_cloud_regions | stats count - -[ESCU - Previously seen command line arguments] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Previously seen command line arguments -description = This search looks for command-line arguments where `cmd.exe /c` is used to execute a program, then creates a baseline of the earliest and latest times we have encountered this command-line argument in our dataset within the last 30 days. -action.escu.creation_date = 2019-03-01 -action.escu.modification_date = 2019-03-01 -action.escu.analytic_story = ["DHS Report TA18-074A", "Disabling Security Tools", "Hidden Cobra Malware", "IcedID", "Netsh Abuse", "Orangeworm Attack Group", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Suspicious Command-Line Executions", "Suspicious MSHTA Activity"] -action.escu.data_models = ["Endpoint"] -cron_schedule = 10 0 * * * -enableSched = 1 -dispatch.earliest_time = -1450m@m -dispatch.latest_time = -10m@m -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = This search looks for command-line arguments where `cmd.exe /c` is used to execute a program, then creates a baseline of the earliest and latest times we have encountered this command-line argument in our dataset within the last 30 days. -action.escu.how_to_implement = You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must be ingesting logs with both the process name and command line from your endpoints. The complete process name with command-line arguments are mapped to the "process" field in the Endpoint data model. -disabled = true -is_visible = false -search = | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=cmd.exe AND Processes.process="* /c *" by Processes.process | `drop_dm_object_name(Processes)` - -[ESCU - Previously Seen EC2 Modifications By User] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Previously Seen EC2 Modifications By User -description = This search builds a table of previously seen ARNs that have launched a EC2 instance. -action.escu.creation_date = 2018-04-05 -action.escu.modification_date = 2018-04-05 -action.escu.analytic_story = ["Unusual AWS EC2 Modifications"] -action.escu.data_models = [] -cron_schedule = 10 0 * * * -enableSched = 1 -dispatch.earliest_time = -1450m@m -dispatch.latest_time = -10m@m -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = This search builds a table of previously seen ARNs that have launched a EC2 instance. -action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail inputs. To add or remove APIs that modify an EC2 instance, edit the macro `ec2_modification_api_calls`. -disabled = true -is_visible = false -search = `cloudtrail` `ec2_modification_api_calls` errorCode=success | spath output=arn userIdentity.arn | stats earliest(_time) as firstTime latest(_time) as lastTime by arn | outputlookup previously_seen_ec2_modifications_by_user | stats count - -[ESCU - Previously Seen Running Windows Services - Initial] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Previously Seen Running Windows Services - Initial -description = This collects the services that have been started across your entire enterprise. -action.escu.creation_date = 2020-06-23 -action.escu.modification_date = 2020-06-23 -action.escu.analytic_story = ["NOBELIUM Group", "Orangeworm Attack Group", "Windows Service Abuse"] -action.escu.data_models = [] -cron_schedule = 0 2 * * 0 -enableSched = 1 -dispatch.earliest_time = -90d@d -dispatch.latest_time = -1d@d -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = This collects the services that have been started across your entire enterprise. -action.escu.how_to_implement = While this search does not require you to adhere to Splunk CIM, you must be ingesting your Windows security-event logs for it to execute successfully. Please ensure that the Splunk Add-on for Microsoft Windows is version 8.0.0 or above. -disabled = true -is_visible = false -search = `wineventlog_system` EventCode=7036 | rex field=Message "The (?[-\(\)\s\w]+) service entered the (?\w+) state" | where state="running" | stats earliest(_time) as firstTimeSeen, latest(_time) as lastTimeSeen by service | outputlookup previously_seen_running_windows_services - -[ESCU - Previously Seen Running Windows Services - Update] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Previously Seen Running Windows Services - Update -description = This search returns the first and last time a Windows service was seen across your enterprise within the last hour. It then updates this information with historical data and filters out Windows services pairs that have not been seen within the specified time window. This updated table is then cached. -action.escu.creation_date = 2020-06-23 -action.escu.modification_date = 2020-06-23 -action.escu.analytic_story = ["NOBELIUM Group", "Orangeworm Attack Group", "Windows Service Abuse"] -action.escu.data_models = [] -cron_schedule = 55 * * * * -enableSched = 1 -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = This search returns the first and last time a Windows service was seen across your enterprise within the last hour. It then updates this information with historical data and filters out Windows services pairs that have not been seen within the specified time window. This updated table is then cached. -action.escu.how_to_implement = While this search does not require you to adhere to Splunk CIM, you must be ingesting your Windows security-event logs for it to execute successfully. Please ensure that the Splunk Add-on for Microsoft Windows is version 8.0.0 or above. -disabled = true -is_visible = false -search = `wineventlog_system` EventCode=7036 | rex field=Message "The (?[-\(\)\s\w]+) service entered the (?\w+) state" | where state="running" | stats earliest(_time) as firstTimeSeen, latest(_time) as lastTimeSeen by service | inputlookup previously_seen_running_windows_services append=t | stats min(firstTimeSeen) as firstTimeSeen, max(lastTimeSeen) as lastTimeSeen by service | where lastTimeSeen > relative_time(now(), `previously_seen_windows_services_forget_window`) | outputlookup previously_seen_running_windows_services - -[ESCU - Previously seen S3 bucket access by remote IP] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Previously seen S3 bucket access by remote IP -description = This search looks for successful access to S3 buckets from remote IP addresses, then creates a baseline of the earliest and latest times we have encountered this remote IP within the last 30 days. In this support search, we are only looking for S3 access events where the HTTP response code from AWS is "200" -action.escu.creation_date = 2018-06-28 -action.escu.modification_date = 2018-06-28 -action.escu.analytic_story = ["Suspicious AWS S3 Activities"] -action.escu.data_models = [] -cron_schedule = 10 0 * * * -enableSched = 1 -dispatch.earliest_time = -1450m@m -dispatch.latest_time = -10m@m -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = This search looks for successful access to S3 buckets from remote IP addresses, then creates a baseline of the earliest and latest times we have encountered this remote IP within the last 30 days. In this support search, we are only looking for S3 access events where the HTTP response code from AWS is "200" -action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your S3 access-logs inputs. You must validate the remote IP and bucket name entries in `previously_seen_S3_access_from_remote_ip.csv`, which is a lookup file created as a result of running this support search. -disabled = true -is_visible = false -search = `aws_s3_accesslogs` http_status=200 | stats earliest(_time) as earliest latest(_time) as latest by bucket_name remote_ip | outputlookup previously_seen_S3_access_from_remote_ip | stats count - -[ESCU - Previously Seen Users in CloudTrail - Initial] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Previously Seen Users in CloudTrail - Initial -description = This search looks for CloudTrail events where a user logs into the console, then creates a baseline of the latest and earliest times, City, Region, and Country we have encountered this user in our dataset, grouped by username, within the last 30 days. -action.escu.creation_date = 2020-05-28 -action.escu.modification_date = 2020-05-28 -action.escu.analytic_story = ["Suspicious Cloud Authentication Activities"] -action.escu.data_models = ["Authentication"] -cron_schedule = 0 2 * * 0 -enableSched = 1 -dispatch.earliest_time = -90d@d -dispatch.latest_time = -1d@d -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = This search looks for CloudTrail events where a user logs into the console, then creates a baseline of the latest and earliest times, City, Region, and Country we have encountered this user in our dataset, grouped by username, within the last 30 days. -action.escu.how_to_implement = You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Validate the user name entries in `previously_seen_users_console_logins`, which is a lookup file created by this support search. -disabled = true -is_visible = false -search = | tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src | iplocation Authentication.src | rename Authentication.user as user Authentication.src as src | table user src City Region Country firstTime lastTime | outputlookup previously_seen_users_console_logins | stats count - -[ESCU - Previously Seen Users In CloudTrail - Update] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Previously Seen Users In CloudTrail - Update -description = This search looks for CloudTrail events where a user logs into the console, then updates the baseline of the latest and earliest times, City, Region, and Country we have encountered this user in our dataset, grouped by user, within the last hour. -action.escu.creation_date = 2020-05-28 -action.escu.modification_date = 2020-05-28 -action.escu.analytic_story = ["Suspicious Cloud Authentication Activities"] -action.escu.data_models = ["Authentication"] -cron_schedule = 10 0 * * * -enableSched = 1 -dispatch.earliest_time = -1450m@m -dispatch.latest_time = -10m@m -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = This search looks for CloudTrail events where a user logs into the console, then updates the baseline of the latest and earliest times, City, Region, and Country we have encountered this user in our dataset, grouped by user, within the last hour. -action.escu.how_to_implement = You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Validate the user name entries in `previously_seen_users_console_logins`, which is a lookup file created by this support search. -disabled = true -is_visible = false -search = | tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src | iplocation Authentication.src | rename Authentication.user as user Authentication.src as src | table user src City Region Country firstTime lastTime | inputlookup append=t previously_seen_users_console_logins | stats min(firstTime) as firstTime max(lastTime) as lastTime by user src City Region Country | outputlookup previously_seen_users_console_logins - -[ESCU - Previously Seen Zoom Child Processes - Initial] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Previously Seen Zoom Child Processes - Initial -description = This search returns the first and last time a process was seen per endpoint with a parent process of zoom.exe (Windows) or zoom.us (macOS). This table is then cached. -action.escu.creation_date = 2020-05-20 -action.escu.modification_date = 2020-05-20 -action.escu.analytic_story = ["Suspicious Zoom Child Processes"] -action.escu.data_models = ["Endpoint"] -cron_schedule = 0 2 * * 0 -enableSched = 1 -dispatch.earliest_time = -90d@d -dispatch.latest_time = -1d@d -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = This search returns the first and last time a process was seen per endpoint with a parent process of zoom.exe (Windows) or zoom.us (macOS). This table is then cached. -action.escu.how_to_implement = You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints, to populate the Endpoint data model in the Processes node. -disabled = true -is_visible = false -search = | tstats `security_content_summariesonly` min(_time) as firstTimeSeen max(_time) as lastTimeSeen from datamodel=Endpoint.Processes where (Processes.parent_process_name=zoom.exe OR Processes.parent_process_name=zoom.us) by Processes.process_name Processes.dest| `drop_dm_object_name(Processes)` | table dest, process_name, firstTimeSeen, lastTimeSeen | outputlookup zoom_first_time_child_process - -[ESCU - Previously Seen Zoom Child Processes - Update] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Previously Seen Zoom Child Processes - Update -description = This search returns the first and last time a process was seen per endpoint with a parent process of zoom.exe (Windows) or zoom.us (macOS) within the last hour. It then updates this information with historical data and filters out proces_name and endpoint pairs that have not been seen within the specified time window. This updated table is outputed to disk. -action.escu.creation_date = 2020-05-20 -action.escu.modification_date = 2020-05-20 -action.escu.analytic_story = ["Suspicious Zoom Child Processes"] -action.escu.data_models = ["Endpoint"] -cron_schedule = 55 * * * * -enableSched = 1 -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = This search returns the first and last time a process was seen per endpoint with a parent process of zoom.exe (Windows) or zoom.us (macOS) within the last hour. It then updates this information with historical data and filters out proces_name and endpoint pairs that have not been seen within the specified time window. This updated table is outputed to disk. -action.escu.how_to_implement = You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints, to populate the Endpoint data model in the Processes node. -disabled = true -is_visible = false -search = | tstats `security_content_summariesonly` min(_time) as firstTimeSeen max(_time) as lastTimeSeen from datamodel=Endpoint.Processes where (Processes.parent_process_name=zoom.exe OR Processes.parent_process_name=zoom.us) by Processes.process_name Processes.dest| `drop_dm_object_name(Processes)` | table firstTimeSeen, lastTimeSeen, process_name, dest | inputlookup zoom_first_time_child_process append=t | stats min(firstTimeSeen) as firstTimeSeen max(lastTimeSeen) as lastTimeSeen by process_name, dest | where lastTimeSeen > relative_time(now(), "`previously_seen_zoom_child_processes_forget_window`") | outputlookup zoom_first_time_child_process - -[ESCU - Splunk Command and Scripting Interpreter Risky SPL MLTK Baseline] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Splunk Command and Scripting Interpreter Risky SPL MLTK Baseline -description = This search supports an analyst looking for abuse or misuse of the risky commands listed here: https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards#Commands_that_trigger_the_warning This is accomplished by using the time spent executing one of these risky commands as a proxy for misuse/abuse of interest during investigation and/or hunting. The search builds a model utilizes the MLTK DensityFunction algorithm on Splunk app audit log data. The model uses the past 7 days of user history executing the above referenced commands then aggregates the total search run time for each hour as indicator of user behavior. The model identifies the top 0.1% of user search run time, indicating a risky use of these commands. Users can adjust this threshold 0.1% as interested however this will correlate to missed/false positive rates. This search should be scheduled to run at least every 7 days. The name of machine learning model generated is "risky_command_abuse" and should be configured to be globally shared (not private) in MLTK app as documented here: https://docs.splunk.com/Documentation/MLApp/5.3.1/User/Models#Sharing_models_from_other_Splunk_apps unless the same account of training this model will be used to perform inference using this model for anomaly detection. -action.escu.creation_date = 2022-05-27 -action.escu.modification_date = 2022-05-27 -action.escu.analytic_story = ["Splunk Vulnerabilities"] -action.escu.data_models = ["Splunk_Audit"] -cron_schedule = 55 * * * * -enableSched = 1 -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = This search supports an analyst looking for abuse or misuse of the risky commands listed here: https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards#Commands_that_trigger_the_warning This is accomplished by using the time spent executing one of these risky commands as a proxy for misuse/abuse of interest during investigation and/or hunting. The search builds a model utilizes the MLTK DensityFunction algorithm on Splunk app audit log data. The model uses the past 7 days of user history executing the above referenced commands then aggregates the total search run time for each hour as indicator of user behavior. The model identifies the top 0.1% of user search run time, indicating a risky use of these commands. Users can adjust this threshold 0.1% as interested however this will correlate to missed/false positive rates. This search should be scheduled to run at least every 7 days. The name of machine learning model generated is "risky_command_abuse" and should be configured to be globally shared (not private) in MLTK app as documented here: https://docs.splunk.com/Documentation/MLApp/5.3.1/User/Models#Sharing_models_from_other_Splunk_apps unless the same account of training this model will be used to perform inference using this model for anomaly detection. -action.escu.how_to_implement = The corresponding detection of using this model is "Splunk Command and Scripting Interpreter Risky SPL MLTK". This detection depends on MLTK app which can be found here - https://splunkbase.splunk.com/app/2890/ and it assumes Splunk accelerated audit data model is available. For large enterprises, training the model might take significant computing resources. It might require dedicated search head. The underlined machine learning algorithm this detection used is DensityFunction. It might need to increase its settings default values, such as max_fit_time, max_groups, etc. More details of achieving optimal performance and configuring DensityFunction parameters can be found here - https://docs.splunk.com/Documentation/MLApp/5.3.1/User/Configurefitandapply Users can modify earliest=-7d@d in the search to other value so that the search can collect enough data points to build a good baseline model. Users can also modify list of risky commands in "Search_Activity.search IN" to better suit users' violation policy and their usage environment. -disabled = true -is_visible = false -search = | tstats sum(Search_Activity.total_run_time) as run_time, count FROM datamodel=Splunk_Audit.Search_Activity WHERE (Search_Activity.user!="") AND (Search_Activity.total_run_time>1) AND (earliest=-7d@d latest=now) AND (Search_Activity.search IN ("*| runshellscript *", "*| collect *","*| delete *", "*| fit *", "*| outputcsv *", "*| outputlookup *", "*| run *", "*| script *", "*| sendalert *", "*| sendemail *", "*| tscolle*")) AND (Search_Activity.search_type=adhoc) AND (Search_Activity.user!=splunk-system-user) BY _time, Search_Activity.user span=1h | fit DensityFunction "run_time" dist=auto lower_threshold=0.000001 upper_threshold=0.001 show_density=true by Search_Activity.user into "risky_command_abuse" - -[ESCU - Systems Ready for Spectre-Meltdown Windows Patch] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Systems Ready for Spectre-Meltdown Windows Patch -description = Some AV applications can cause the Spectre/Meltdown patch for Windows not to install successfully. This registry key is supposed to be created by the AV engine when it has been patched to be able to handle the Windows patch. If this key has been written, the system can then be patched for Spectre and Meltdown. -action.escu.creation_date = 2018-01-08 -action.escu.modification_date = 2018-01-08 -action.escu.analytic_story = ["Spectre And Meltdown Vulnerabilities"] -action.escu.data_models = ["Change"] -cron_schedule = 10 0 * * * -enableSched = 1 -dispatch.earliest_time = -1450m@m -dispatch.latest_time = -10m@m -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = Some AV applications can cause the Spectre/Meltdown patch for Windows not to install successfully. This registry key is supposed to be created by the AV engine when it has been patched to be able to handle the Windows patch. If this key has been written, the system can then be patched for Spectre and Meltdown. -action.escu.how_to_implement = You need to be ingesting logs with both the process name and command-line from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -disabled = true -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Change_Analysis.All_Changes where All_Changes.object_category=registry AND (All_Changes.object_path="HKLM\Software\Microsoft\Windows\CurrentVersion\QualityCompat*") by All_Changes.dest, All_Changes.command, All_Changes.user, All_Changes.object, All_Changes.object_path | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name("All_Changes")` - -[ESCU - Windows Updates Install Failures] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Windows Updates Install Failures -description = This search is intended to give you a feel for how often Windows updates fail to install in your environment. Fluctuations in these numbers will allow you to determine when you should be concerned. -action.escu.creation_date = 2017-09-14 -action.escu.modification_date = 2017-09-14 -action.escu.analytic_story = ["Monitor for Updates"] -action.escu.data_models = [] -cron_schedule = 10 0 * * * -enableSched = 1 -dispatch.earliest_time = -1450m@m -dispatch.latest_time = -10m@m -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = This search is intended to give you a feel for how often Windows updates fail to install in your environment. Fluctuations in these numbers will allow you to determine when you should be concerned. -action.escu.how_to_implement = You must be ingesting your Windows Update Logs -disabled = true -is_visible = false -search = | tstats `security_content_summariesonly` dc(Updates.dest) as count FROM datamodel=Updates where Updates.vendor_product="Microsoft Windows" AND Updates.status=failure by _time span=1d - -[ESCU - Windows Updates Install Successes] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = support -action.escu.full_search_name = ESCU - Windows Updates Install Successes -description = This search is intended to give you a feel for how often successful Windows updates are applied in your environments. Fluctuations in these numbers will allow you to determine when you should be concerned. -action.escu.creation_date = 2017-09-14 -action.escu.modification_date = 2017-09-14 -action.escu.analytic_story = ["Monitor for Updates"] -action.escu.data_models = [] -cron_schedule = 10 0 * * * -enableSched = 1 -dispatch.earliest_time = -1450m@m -dispatch.latest_time = -10m@m -schedule_window = auto -action.escu.providing_technologies = [] -action.escu.eli5 = This search is intended to give you a feel for how often successful Windows updates are applied in your environments. Fluctuations in these numbers will allow you to determine when you should be concerned. -action.escu.how_to_implement = You must be ingesting your Windows Update Logs -disabled = true -is_visible = false -search = | tstats `security_content_summariesonly` dc(Updates.dest) as count FROM datamodel=Updates where Updates.vendor_product="Microsoft Windows" AND Updates.status=installed by _time span=1d - - - -### ESCU RESPONSE TASKS ### - -[ESCU - All backup logs for host - Response Task] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = investigative -action.escu.full_search_name = ESCU - All backup logs for host - Response Task -description = Retrieve the backup logs for the last 2 weeks for a specific host in order to investigate why backups are not completing successfully. -action.escu.creation_date = 2017-09-12 -action.escu.modification_date = 2017-09-12 -action.escu.analytic_story = ["Monitor Backup Solution"] -action.escu.earliest_time_offset = 3600 -action.escu.latest_time_offset = 86400 -action.escu.providing_technologies = [] -action.escu.data_models = [] -action.escu.eli5 = Retrieve the backup logs for the last 2 weeks for a specific host in order to investigate why backups are not completing successfully. -action.escu.how_to_implement = none -action.escu.known_false_positives = None at this time -disabled = true -schedule_window = auto -is_visible = false -search = | search `netbackup` dest=$dest$ - -[ESCU - Amazon EKS Kubernetes activity by src ip - Response Task] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = investigative -action.escu.full_search_name = ESCU - Amazon EKS Kubernetes activity by src ip - Response Task -description = This search provides investigation data about requests via user agent, authentication request URI, verb and cluster name data against Kubernetes cluster from a specific IP address -action.escu.creation_date = 2020-04-13 -action.escu.modification_date = 2020-04-13 -action.escu.analytic_story = ["Kubernetes Scanning Activity"] -action.escu.earliest_time_offset = 3600 -action.escu.latest_time_offset = 86400 -action.escu.providing_technologies = [] -action.escu.data_models = [] -action.escu.eli5 = This search provides investigation data about requests via user agent, authentication request URI, verb and cluster name data against Kubernetes cluster from a specific IP address -action.escu.how_to_implement = none -action.escu.known_false_positives = None at this time -disabled = true -schedule_window = auto -is_visible = false -search = `aws_cloudwatchlogs_eks` |rename sourceIPs{} as src_ip |search src_ip=$src_ip$ | stats count min(_time) as firstTime max(_time) as lastTime values(user.username) values(requestURI) values(verb) values(userAgent) by source annotations.authorization.k8s.io/decision src_ip - -[ESCU - AWS Investigate Security Hub alerts by dest - Response Task] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = investigative -action.escu.full_search_name = ESCU - AWS Investigate Security Hub alerts by dest - Response Task -description = This search retrieves the all the alerts created by AWS Security Hub for a specific dest(instance_id). -action.escu.creation_date = 2020-06-08 -action.escu.modification_date = 2020-06-08 -action.escu.analytic_story = ["AWS Suspicious Provisioning Activities", "Cloud Cryptomining", "Suspicious AWS EC2 Activities"] -action.escu.earliest_time_offset = 3600 -action.escu.latest_time_offset = 86400 -action.escu.providing_technologies = [] -action.escu.data_models = [] -action.escu.eli5 = This search retrieves the all the alerts created by AWS Security Hub for a specific dest(instance_id). -action.escu.how_to_implement = none -action.escu.known_false_positives = None at this time -disabled = true -schedule_window = auto -is_visible = false -search = `aws_securityhub_firehose` "findings{}.Resources{}.Type"=AWSEC2Instance | rex field=findings{}.Resources{}.Id .*instance/(?.*)| rename instance as dest| search dest = $dest$ |rename findings{}.* as * | rename Remediation.Recommendation.Text as Remediation | table dest Title ProductArn Description FirstObservedAt RecordState Remediation - -[ESCU - AWS Investigate User Activities By AccessKeyId - Response Task] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = investigative -action.escu.full_search_name = ESCU - AWS Investigate User Activities By AccessKeyId - Response Task -description = This search retrieves the times, ARN, source IPs, AWS regions, event names, and the result of the event for specific credentials. -action.escu.creation_date = 2018-06-08 -action.escu.modification_date = 2018-06-08 -action.escu.analytic_story = ["AWS Cross Account Activity"] -action.escu.earliest_time_offset = 3600 -action.escu.latest_time_offset = 86400 -action.escu.providing_technologies = [] -action.escu.data_models = [] -action.escu.eli5 = This search retrieves the times, ARN, source IPs, AWS regions, event names, and the result of the event for specific credentials. -action.escu.how_to_implement = none -action.escu.known_false_positives = None at this time -disabled = true -schedule_window = auto -is_visible = false -search = `cloudtrail` | rename userIdentity.accessKeyId as accessKeyId| search accessKeyId=$accessKeyId$ | spath output=user path=userIdentity.arn | rename sourceIPAddress as src_ip | table _time, user, src_ip, awsRegion, eventName, errorCode, errorMessage - -[ESCU - AWS Investigate User Activities By ARN - Response Task] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = investigative -action.escu.full_search_name = ESCU - AWS Investigate User Activities By ARN - Response Task -description = This search lists all the logged CloudTrail activities by a specific user ARN and will create a table containing the source of the user, the region of the activity, the name and type of the event, the action taken, and all the user's identity information. -action.escu.creation_date = 2019-04-30 -action.escu.modification_date = 2019-04-30 -action.escu.analytic_story = ["AWS Cryptomining", "AWS Network ACL Activity", "AWS Security Hub Alerts", "AWS Suspicious Provisioning Activities", "Cloud Cryptomining", "Command And Control", "Suspicious AWS EC2 Activities", "Suspicious AWS Login Activities", "Suspicious AWS S3 Activities", "Suspicious AWS Traffic", "Suspicious Cloud Instance Activities", "Suspicious Cloud User Activities", "Unusual AWS EC2 Modifications"] -action.escu.earliest_time_offset = 3600 -action.escu.latest_time_offset = 86400 -action.escu.providing_technologies = [] -action.escu.data_models = [] -action.escu.eli5 = This search lists all the logged CloudTrail activities by a specific user ARN and will create a table containing the source of the user, the region of the activity, the name and type of the event, the action taken, and all the user's identity information. -action.escu.how_to_implement = none -action.escu.known_false_positives = None at this time -disabled = true -schedule_window = auto -is_visible = false -search = `cloudtrail` | search user=$user$| table _time userIdentity.type userIdentity.userName userIdentity.arn aws_account_id src awsRegion eventName eventType - -[ESCU - AWS Network ACL Details from ID - Response Task] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = investigative -action.escu.full_search_name = ESCU - AWS Network ACL Details from ID - Response Task -description = This search queries AWS description logs and returns all the information about a specific network ACL via network ACL ID -action.escu.creation_date = 2017-01-22 -action.escu.modification_date = 2017-01-22 -action.escu.analytic_story = ["AWS Network ACL Activity", "Command And Control", "Suspicious AWS Traffic"] -action.escu.earliest_time_offset = 3600 -action.escu.latest_time_offset = 86400 -action.escu.providing_technologies = [] -action.escu.data_models = [] -action.escu.eli5 = This search queries AWS description logs and returns all the information about a specific network ACL via network ACL ID -action.escu.how_to_implement = none -action.escu.known_false_positives = None at this time -disabled = true -schedule_window = auto -is_visible = false -search = `aws_description` | rename id as networkAclId | search networkAclId=$networkAclId$ | table id account_id vpc_id network_acl_entries{}.* - -[ESCU - AWS Network Interface details via resourceId - Response Task] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = investigative -action.escu.full_search_name = ESCU - AWS Network Interface details via resourceId - Response Task -description = This search queries AWS configuration logs and returns the information about a specific network interface via network interface ID. The information will include the ARN of the network interface, its relationships with other AWS resources, the public and the private IP associated with the network interface. -action.escu.creation_date = 2018-05-07 -action.escu.modification_date = 2018-05-07 -action.escu.analytic_story = ["AWS Network ACL Activity", "Command And Control", "Suspicious AWS Traffic"] -action.escu.earliest_time_offset = 3600 -action.escu.latest_time_offset = 86400 -action.escu.providing_technologies = [] -action.escu.data_models = [] -action.escu.eli5 = This search queries AWS configuration logs and returns the information about a specific network interface via network interface ID. The information will include the ARN of the network interface, its relationships with other AWS resources, the public and the private IP associated with the network interface. -action.escu.how_to_implement = none -action.escu.known_false_positives = None at this time -disabled = true -schedule_window = auto -is_visible = false -search = `aws_config` resourceId=$resourceId$ | table _time ARN relationships{}.resourceType relationships{}.name relationships{}.resourceId configuration.privateIpAddresses{}.privateIpAddress configuration.privateIpAddresses{}.association.publicIp - -[ESCU - AWS S3 Bucket details via bucketName - Response Task] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = investigative -action.escu.full_search_name = ESCU - AWS S3 Bucket details via bucketName - Response Task -description = This search queries AWS configuration logs and returns the information about a specific S3 bucket. The information returned includes the time the S3 bucket was created, the resource ID, the region it belongs to, the value of action performed, AWS account ID, and configuration values of the access-control lists associated with the bucket. -action.escu.creation_date = 2018-06-26 -action.escu.modification_date = 2018-06-26 -action.escu.analytic_story = ["Suspicious AWS S3 Activities"] -action.escu.earliest_time_offset = 3600 -action.escu.latest_time_offset = 86400 -action.escu.providing_technologies = [] -action.escu.data_models = [] -action.escu.eli5 = This search queries AWS configuration logs and returns the information about a specific S3 bucket. The information returned includes the time the S3 bucket was created, the resource ID, the region it belongs to, the value of action performed, AWS account ID, and configuration values of the access-control lists associated with the bucket. -action.escu.how_to_implement = none -action.escu.known_false_positives = None at this time -disabled = true -schedule_window = auto -is_visible = false -search = `aws_config` | rename resourceId as bucketName |search bucketName=$bucketName$ | table resourceCreationTime bucketName vendor_region action aws_account_id supplementaryConfiguration.AccessControlList - -[ESCU - GCP Kubernetes activity by src ip - Response Task] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = investigative -action.escu.full_search_name = ESCU - GCP Kubernetes activity by src ip - Response Task -description = This search provides investigation data about requests via user agent, authentication request URI, resource path and cluster name data against Kubernetes cluster from a specific IP address -action.escu.creation_date = 2020-04-13 -action.escu.modification_date = 2020-04-13 -action.escu.analytic_story = ["Kubernetes Scanning Activity"] -action.escu.earliest_time_offset = 3600 -action.escu.latest_time_offset = 86400 -action.escu.providing_technologies = [] -action.escu.data_models = [] -action.escu.eli5 = This search provides investigation data about requests via user agent, authentication request URI, resource path and cluster name data against Kubernetes cluster from a specific IP address -action.escu.how_to_implement = none -action.escu.known_false_positives = None at this time -disabled = true -schedule_window = auto -is_visible = false -search = `google_gcp_pubsub_message` | rename data.protoPayload.requestMetadata.callerIp as src_ip | search src_ip =$src_ip$ | stats count min(_time) as firstTime max(_time) as lastTime values(data.protoPayload.methodName) as method_names values(data.protoPayload.resourceName) as resource_name values(data.protoPayload.requestMetadata.callerSuppliedUserAgent) as http_user_agent values(data.protoPayload.authenticationInfo.principalEmail) as user values(data.protoPayload.status.message) by src_ip data.resource.labels.cluster_name data.resource.type - -[ESCU - Get All AWS Activity From City - Response Task] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = investigative -action.escu.full_search_name = ESCU - Get All AWS Activity From City - Response Task -description = This search retrieves all the activity from a specific city and will create a table containing the time, city, ARN, username, the type of user, the source IP address, the AWS region the activity was in, the API called, and whether or not the API call was successful. -action.escu.creation_date = 2018-03-19 -action.escu.modification_date = 2018-03-19 -action.escu.analytic_story = ["AWS Suspicious Provisioning Activities"] -action.escu.earliest_time_offset = 3600 -action.escu.latest_time_offset = 86400 -action.escu.providing_technologies = [] -action.escu.data_models = [] -action.escu.eli5 = This search retrieves all the activity from a specific city and will create a table containing the time, city, ARN, username, the type of user, the source IP address, the AWS region the activity was in, the API called, and whether or not the API call was successful. -action.escu.how_to_implement = none -action.escu.known_false_positives = None at this time -disabled = true -schedule_window = auto -is_visible = false -search = `cloudtrail` | iplocation sourceIPAddress | search City=$City$ | spath output=user path=userIdentity.arn | spath output=awsUserName path=userIdentity.userName | spath output=userType path=userIdentity.type | rename sourceIPAddress as src_ip | table _time, City, user, userName, userType, src_ip, awsRegion, eventName, errorCode - -[ESCU - Get All AWS Activity From Country - Response Task] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = investigative -action.escu.full_search_name = ESCU - Get All AWS Activity From Country - Response Task -description = This search retrieves all the activity from a specific country and will create a table containing the time, country, ARN, username, the type of user, the source IP address, the AWS region the activity was in, the API called, and whether or not the API call was successful. -action.escu.creation_date = 2018-03-19 -action.escu.modification_date = 2018-03-19 -action.escu.analytic_story = ["AWS Suspicious Provisioning Activities"] -action.escu.earliest_time_offset = 3600 -action.escu.latest_time_offset = 86400 -action.escu.providing_technologies = [] -action.escu.data_models = [] -action.escu.eli5 = This search retrieves all the activity from a specific country and will create a table containing the time, country, ARN, username, the type of user, the source IP address, the AWS region the activity was in, the API called, and whether or not the API call was successful. -action.escu.how_to_implement = none -action.escu.known_false_positives = None at this time -disabled = true -schedule_window = auto -is_visible = false -search = `cloudtrail` | iplocation sourceIPAddress | search Country=$Country$ | spath output=user path=userIdentity.arn | spath output=awsUserName path=userIdentity.userName | spath output=userType path=userIdentity.type | rename sourceIPAddress as src_ip | table _time, Country, user, userName, userType, src_ip, awsRegion, eventName, errorCode - -[ESCU - Get All AWS Activity From IP Address - Response Task] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = investigative -action.escu.full_search_name = ESCU - Get All AWS Activity From IP Address - Response Task -description = This search retrieves all the activity from a specific IP address and will create a table containing the time, ARN, username, the type of user, the IP address, the AWS region the activity was in, the API called, and whether or not the API call was successful. -action.escu.creation_date = 2018-03-19 -action.escu.modification_date = 2018-03-19 -action.escu.analytic_story = ["AWS Network ACL Activity", "AWS Suspicious Provisioning Activities", "Command And Control", "Suspicious AWS S3 Activities", "Suspicious AWS Traffic", "Suspicious Cloud Instance Activities"] -action.escu.earliest_time_offset = 3600 -action.escu.latest_time_offset = 86400 -action.escu.providing_technologies = [] -action.escu.data_models = [] -action.escu.eli5 = This search retrieves all the activity from a specific IP address and will create a table containing the time, ARN, username, the type of user, the IP address, the AWS region the activity was in, the API called, and whether or not the API call was successful. -action.escu.how_to_implement = none -action.escu.known_false_positives = None at this time -disabled = true -schedule_window = auto -is_visible = false -search = `cloudtrail` | iplocation sourceIPAddress | search src_ip=$src_ip$ | spath output=user path=userIdentity.arn | spath output=awsUserName path=userIdentity.userName | spath output=userType path=userIdentity.type | rename sourceIPAddress as src_ip | table _time, user, userName, userType, src_ip, awsRegion, eventName, errorCode - -[ESCU - Get All AWS Activity From Region - Response Task] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = investigative -action.escu.full_search_name = ESCU - Get All AWS Activity From Region - Response Task -description = This search retrieves all the activity from a specific geographic region and will create a table containing the time, geographic region, ARN, username, the type of user, the source IP address, the AWS region the activity was in, the API called, and whether or not the API call was successful. -action.escu.creation_date = 2018-03-19 -action.escu.modification_date = 2018-03-19 -action.escu.analytic_story = ["AWS Suspicious Provisioning Activities"] -action.escu.earliest_time_offset = 3600 -action.escu.latest_time_offset = 86400 -action.escu.providing_technologies = [] -action.escu.data_models = [] -action.escu.eli5 = This search retrieves all the activity from a specific geographic region and will create a table containing the time, geographic region, ARN, username, the type of user, the source IP address, the AWS region the activity was in, the API called, and whether or not the API call was successful. -action.escu.how_to_implement = none -action.escu.known_false_positives = None at this time -disabled = true -schedule_window = auto -is_visible = false -search = `cloudtrail` | iplocation sourceIPAddress | search Region=$Region$ | spath output=user path=userIdentity.arn | spath output=awsUserName path=userIdentity.userName | spath output=userType path=userIdentity.type | rename sourceIPAddress as src_ip | table _time, Region, user, userName, userType, src_ip, awsRegion, eventName, errorCode - -[ESCU - Get Backup Logs For Endpoint - Response Task] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = investigative -action.escu.full_search_name = ESCU - Get Backup Logs For Endpoint - Response Task -description = This search will tell you the backup status from your netbackup_logs of a specific endpoint for the last week. -action.escu.creation_date = 2017-09-14 -action.escu.modification_date = 2017-09-14 -action.escu.analytic_story = ["Ransomware", "SamSam Ransomware"] -action.escu.earliest_time_offset = 3600 -action.escu.latest_time_offset = 86400 -action.escu.providing_technologies = [] -action.escu.data_models = [] -action.escu.eli5 = This search will tell you the backup status from your netbackup_logs of a specific endpoint for the last week. -action.escu.how_to_implement = none -action.escu.known_false_positives = None at this time -disabled = true -schedule_window = auto -is_visible = false -search = `netbackup` COMPUTERNAME=$dest$ | rename COMPUTERNAME as dest, MESSAGE as signature | table _time, dest, signature - -[ESCU - Get Certificate logs for a domain - Response Task] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = investigative -action.escu.full_search_name = ESCU - Get Certificate logs for a domain - Response Task -description = This search queries the Certificates datamodel and give you all the information for a specific domain. Please note that the certificates issued by "Let's Encrypt" are widely used by attackers. -action.escu.creation_date = 2019-04-29 -action.escu.modification_date = 2019-04-29 -action.escu.analytic_story = ["Common Phishing Frameworks"] -action.escu.earliest_time_offset = 3600 -action.escu.latest_time_offset = 86400 -action.escu.providing_technologies = [] -action.escu.data_models = [] -action.escu.eli5 = This search queries the Certificates datamodel and give you all the information for a specific domain. Please note that the certificates issued by "Let's Encrypt" are widely used by attackers. -action.escu.how_to_implement = none -action.escu.known_false_positives = None at this time -disabled = true -schedule_window = auto -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Certificates.All_Certificates where All_Certificates.SSL.ssl_subject_common_name=*$domain$ by All_Certificates.dest All_Certificates.src All_Certificates.SSL.ssl_issuer_common_name All_Certificates.SSL.ssl_subject_common_name All_Certificates.SSL.ssl_hash | `drop_dm_object_name(All_Certificates)` | `drop_dm_object_name(SSL)` | rename ssl_subject_common_name as domain | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - -[ESCU - Get DNS Server History for a host - Response Task] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = investigative -action.escu.full_search_name = ESCU - Get DNS Server History for a host - Response Task -description = While investigating any detections it is important to understand which and how many DNS servers a host has connected to in the past. This search uses data that is tagged as DNS and gives you a count and list of DNS servers that a particular host has connected to the previous 24 hours. -action.escu.creation_date = 2017-11-09 -action.escu.modification_date = 2017-11-09 -action.escu.analytic_story = ["AWS Network ACL Activity", "Command And Control", "DNS Hijacking", "Data Protection", "Dynamic DNS", "Hidden Cobra Malware", "Host Redirection", "Prohibited Traffic Allowed or Protocol Mismatch", "Suspicious AWS Traffic", "Suspicious DNS Traffic"] -action.escu.earliest_time_offset = 3600 -action.escu.latest_time_offset = 86400 -action.escu.providing_technologies = [] -action.escu.data_models = [] -action.escu.eli5 = While investigating any detections it is important to understand which and how many DNS servers a host has connected to in the past. This search uses data that is tagged as DNS and gives you a count and list of DNS servers that a particular host has connected to the previous 24 hours. -action.escu.how_to_implement = none -action.escu.known_false_positives = None at this time -disabled = true -schedule_window = auto -is_visible = false -search = | search tag=dns src_ip=$src_ip$ dest_port=53 | streamstats time_window=1d count values(dest_ip) as dcip by src_ip | table date_mday src_ip dcip count | sort -count - -[ESCU - Get DNS traffic ratio - Response Task] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = investigative -action.escu.full_search_name = ESCU - Get DNS traffic ratio - Response Task -description = This search calculates the ratio of DNS traffic originating and coming from a host to a list of DNS servers over the last 24 hours. A high value of this ratio could be very useful to quickly understand if a src_ip (host) is sending a high volume of data out via port 53, could be an indicator of data exfiltration via DNS. -action.escu.creation_date = 2017-11-09 -action.escu.modification_date = 2017-11-09 -action.escu.analytic_story = ["AWS Network ACL Activity", "Command And Control", "Data Protection", "Dynamic DNS", "Hidden Cobra Malware", "Suspicious AWS Traffic", "Suspicious DNS Traffic"] -action.escu.earliest_time_offset = 3600 -action.escu.latest_time_offset = 86400 -action.escu.providing_technologies = [] -action.escu.data_models = ["Network_Traffic"] -action.escu.eli5 = This search calculates the ratio of DNS traffic originating and coming from a host to a list of DNS servers over the last 24 hours. A high value of this ratio could be very useful to quickly understand if a src_ip (host) is sending a high volume of data out via port 53, could be an indicator of data exfiltration via DNS. -action.escu.how_to_implement = none -action.escu.known_false_positives = None at this time -disabled = true -schedule_window = auto -is_visible = false -search = | tstats allow_old_summaries=true sum(All_Traffic.bytes_out) as "bytes_out" sum(All_Traffic.bytes_in) as "bytes_in" from datamodel=Network_Traffic where nodename=All_Traffic All_Traffic.dest_port=53 by All_Traffic.src All_Traffic.dest| `drop_dm_object_name(All_Traffic)` | rename src as src_ip | rename dest as dest_ip | search src_ip=$src_ip$ | search dest_ip = $dest_ip | eval ratio = (bytes_out/bytes_in) | table ratio - -[ESCU - Get EC2 Instance Details by instanceId - Response Task] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = investigative -action.escu.full_search_name = ESCU - Get EC2 Instance Details by instanceId - Response Task -description = This search queries AWS description logs and returns all the information about a specific instance via the instanceId field -action.escu.creation_date = 2018-02-12 -action.escu.modification_date = 2018-02-12 -action.escu.analytic_story = ["AWS Cryptomining", "AWS Security Hub Alerts", "Cloud Cryptomining", "Suspicious AWS EC2 Activities", "Unusual AWS EC2 Modifications"] -action.escu.earliest_time_offset = 3600 -action.escu.latest_time_offset = 86400 -action.escu.providing_technologies = [] -action.escu.data_models = [] -action.escu.eli5 = This search queries AWS description logs and returns all the information about a specific instance via the instanceId field -action.escu.how_to_implement = none -action.escu.known_false_positives = None at this time -disabled = true -schedule_window = auto -is_visible = false -search = `aws_description` | dedup id sortby -_time |rename id as instanceId| search instanceId=$instanceId$ | spath output=tags path=tags | eval tags=mvzip(key,value," = "), ip_address=if((ip_address == "null"),private_ip_address,ip_address) | table id, tags.Name, aws_account_id, placement, instance_type, key_name, ip_address, launch_time, state, vpc_id, subnet_id, tags | rename aws_account_id as "Account ID", id as ID, instance_type as Type, ip_address as "IP Address", key_name as "Key Pair", launch_time as "Launch Time", placement as "Availability Zone", state as State, subnet_id as Subnet, "tags.Name" as Name, vpc_id as VPC - -[ESCU - Get EC2 Launch Details - Response Task] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = investigative -action.escu.full_search_name = ESCU - Get EC2 Launch Details - Response Task -description = This search returns some of the launch details for a EC2 instance. -action.escu.creation_date = 2018-03-12 -action.escu.modification_date = 2018-03-12 -action.escu.analytic_story = ["AWS Cryptomining", "AWS Security Hub Alerts", "Cloud Cryptomining", "Suspicious AWS EC2 Activities"] -action.escu.earliest_time_offset = 3600 -action.escu.latest_time_offset = 86400 -action.escu.providing_technologies = [] -action.escu.data_models = [] -action.escu.eli5 = This search returns some of the launch details for a EC2 instance. -action.escu.how_to_implement = none -action.escu.known_false_positives = None at this time -disabled = true -schedule_window = auto -is_visible = false -search = `cloudtrail` dest=$dest$ |rename userIdentity.arn as arn, responseElements.instancesSet.items{}.instanceId as dest, responseElements.instancesSet.items{}.privateIpAddress as privateIpAddress, responseElements.instancesSet.items{}.imageId as amiID, responseElements.instancesSet.items{}.architecture as architecture, responseElements.instancesSet.items{}.keyName as keyName | table arn, awsRegion, dest, architecture, privateIpAddress, amiID, keyName - -[ESCU - Get Email Info - Response Task] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = investigative -action.escu.full_search_name = ESCU - Get Email Info - Response Task -description = This search returns all the information Splunk might have collected a specific email message over the last 2 hours. -action.escu.creation_date = 2017-11-09 -action.escu.modification_date = 2017-11-09 -action.escu.analytic_story = ["Brand Monitoring", "Suspicious Emails"] -action.escu.earliest_time_offset = 3600 -action.escu.latest_time_offset = 86400 -action.escu.providing_technologies = [] -action.escu.data_models = [] -action.escu.eli5 = This search returns all the information Splunk might have collected a specific email message over the last 2 hours. -action.escu.how_to_implement = none -action.escu.known_false_positives = None at this time -disabled = true -schedule_window = auto -is_visible = false -search = | from datamodel Email.All_Email | search message_id=$message_id$ - -[ESCU - Get Emails From Specific Sender - Response Task] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = investigative -action.escu.full_search_name = ESCU - Get Emails From Specific Sender - Response Task -description = This search returns all the emails from a specific sender over the last 24 and next hours. -action.escu.creation_date = 2017-11-09 -action.escu.modification_date = 2017-11-09 -action.escu.analytic_story = ["Brand Monitoring", "Suspicious Emails", "Web Fraud Detection"] -action.escu.earliest_time_offset = 3600 -action.escu.latest_time_offset = 86400 -action.escu.providing_technologies = [] -action.escu.data_models = [] -action.escu.eli5 = This search returns all the emails from a specific sender over the last 24 and next hours. -action.escu.how_to_implement = none -action.escu.known_false_positives = None at this time -disabled = true -schedule_window = auto -is_visible = false -search = | from datamodel Email.All_Email | search src_user=$src_user$ - -[ESCU - Get First Occurrence and Last Occurrence of a MAC Address - Response Task] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = investigative -action.escu.full_search_name = ESCU - Get First Occurrence and Last Occurrence of a MAC Address - Response Task -description = This search allows you to gather more context around a notable which has detected a new device connecting to your network. Use this search to determine the first and last occurrences of the suspicious device attempting to connect with your network. -action.escu.creation_date = 2017-09-13 -action.escu.modification_date = 2017-09-13 -action.escu.analytic_story = ["Asset Tracking"] -action.escu.earliest_time_offset = 3600 -action.escu.latest_time_offset = 86400 -action.escu.providing_technologies = [] -action.escu.data_models = ["Network_Sessions"] -action.escu.eli5 = This search allows you to gather more context around a notable which has detected a new device connecting to your network. Use this search to determine the first and last occurrences of the suspicious device attempting to connect with your network. -action.escu.how_to_implement = none -action.escu.known_false_positives = None at this time -disabled = true -schedule_window = auto -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Sessions where nodename=All_Sessions.DHCP All_Sessions.signature=DHCPREQUEST All_Sessions.src_mac= $src_mac$ by All_Sessions.src_ip All_Sessions.user | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` - -[ESCU - Get History Of Email Sources - Response Task] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = investigative -action.escu.full_search_name = ESCU - Get History Of Email Sources - Response Task -description = This search returns a list of all email sources seen in the 48 hours prior to the notable event to 24 hours after, and the number of emails from each source. -action.escu.creation_date = 2019-02-21 -action.escu.modification_date = 2019-02-21 -action.escu.analytic_story = ["Emotet Malware DHS Report TA18-201A", "Hidden Cobra Malware", "Lateral Movement", "Malicious PowerShell", "Orangeworm Attack Group", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Ransomware", "SamSam Ransomware"] -action.escu.earliest_time_offset = 3600 -action.escu.latest_time_offset = 86400 -action.escu.providing_technologies = [] -action.escu.data_models = ["Email"] -action.escu.eli5 = This search returns a list of all email sources seen in the 48 hours prior to the notable event to 24 hours after, and the number of emails from each source. -action.escu.how_to_implement = none -action.escu.known_false_positives = None at this time -disabled = true -schedule_window = auto -is_visible = false -search = |tstats `security_content_summariesonly` values(All_Email.dest) as dest values(All_Email.recipient) as recepient min(_time) as firstTime max(_time) as lastTime count from datamodel=Email.All_Email by All_Email.src |`drop_dm_object_name(All_Email)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search src=$src$ - -[ESCU - Get Logon Rights Modifications For Endpoint - Response Task] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = investigative -action.escu.full_search_name = ESCU - Get Logon Rights Modifications For Endpoint - Response Task -description = This search allows you to retrieve any modifications to logon rights associated with a specific host. -action.escu.creation_date = 2017-09-12 -action.escu.modification_date = 2017-09-12 -action.escu.analytic_story = ["AWS Cryptomining"] -action.escu.earliest_time_offset = 3600 -action.escu.latest_time_offset = 86400 -action.escu.providing_technologies = [] -action.escu.data_models = [] -action.escu.eli5 = This search allows you to retrieve any modifications to logon rights associated with a specific host. -action.escu.how_to_implement = none -action.escu.known_false_positives = None at this time -disabled = true -schedule_window = auto -is_visible = false -search = `wineventlog_security` (signature_id=4718 OR signature_id=4717) dest=$dest$ | rename user as "Account Modified" | table _time, dest, "Account Modified", Access_Right, signature - -[ESCU - Get Logon Rights Modifications For User - Response Task] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = investigative -action.escu.full_search_name = ESCU - Get Logon Rights Modifications For User - Response Task -description = This search allows you to retrieve any modifications to logon rights for a specific user account. -action.escu.creation_date = 2019-02-27 -action.escu.modification_date = 2019-02-27 -action.escu.analytic_story = ["AWS Cryptomining"] -action.escu.earliest_time_offset = 3600 -action.escu.latest_time_offset = 86400 -action.escu.providing_technologies = [] -action.escu.data_models = [] -action.escu.eli5 = This search allows you to retrieve any modifications to logon rights for a specific user account. -action.escu.how_to_implement = none -action.escu.known_false_positives = None at this time -disabled = true -schedule_window = auto -is_visible = false -search = `wineventlog_security` (signature_id=4718 OR signature_id=4717) user=$user$ | rename user as "Account Modified" | table _time, dest, "Account Modified", Access_Right, signature - -[ESCU - Get Notable History - Response Task] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = investigative -action.escu.full_search_name = ESCU - Get Notable History - Response Task -description = This search queries the notable index and returns all the Notable Events for the particular destination host, giving the analyst an overview of the incidents that may have occurred with the host under investigation. -action.escu.creation_date = 2017-09-20 -action.escu.modification_date = 2017-09-20 -action.escu.analytic_story = ["AWS Cross Account Activity", "AWS Cryptomining", "AWS Network ACL Activity", "AWS User Monitoring", "Apache Struts Vulnerability", "Asset Tracking", "Brand Monitoring", "Cloud Cryptomining", "ColdRoot MacOS RAT", "Collection and Staging", "Command And Control", "DHS Report TA18-074A", "DNS Amplification Attacks", "Data Exfiltration", "Data Protection", "Detect Zerologon Attack", "Disabling Security Tools", "Dynamic DNS", "Emotet Malware DHS Report TA18-201A", "F5 TMUI RCE CVE-2020-5902", "GCP Cross Account Activity", "Hidden Cobra Malware", "Host Redirection", "JBoss Vulnerability", "Kubernetes Scanning Activity", "Kubernetes Sensitive Object Access Activity", "Kubernetes Sensitive Role Activity", "Lateral Movement", "Malicious PowerShell", "Monitor Backup Solution", "Monitor for Unauthorized Software", "Monitor for Updates", "Netsh Abuse", "Orangeworm Attack Group", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Prohibited Traffic Allowed or Protocol Mismatch", "Ransomware", "Ransomware Cloud", "Router and Infrastructure Security", "Ryuk Ransomware", "SQL Injection", "SamSam Ransomware", "Spectre And Meltdown Vulnerabilities", "Suspicious AWS EC2 Activities", "Suspicious AWS S3 Activities", "Suspicious AWS Traffic", "Suspicious Cloud Authentication Activities", "Suspicious Cloud Provisioning Activities", "Suspicious Command-Line Executions", "Suspicious DNS Traffic", "Suspicious Emails", "Suspicious GCP Storage Activities", "Suspicious MSHTA Activity", "Suspicious WMI Use", "Suspicious Windows Registry Activities", "Unusual AWS EC2 Modifications", "Unusual Processes", "Use of Cleartext Protocols", "Web Fraud Detection", "Windows DNS SIGRed CVE-2020-1350", "Windows Defense Evasion Tactics", "Windows File Extension and Association Abuse", "Windows Log Manipulation", "Windows Persistence Techniques", "Windows Privilege Escalation", "Windows Service Abuse"] -action.escu.earliest_time_offset = 3600 -action.escu.latest_time_offset = 86400 -action.escu.providing_technologies = [] -action.escu.data_models = [] -action.escu.eli5 = This search queries the notable index and returns all the Notable Events for the particular destination host, giving the analyst an overview of the incidents that may have occurred with the host under investigation. -action.escu.how_to_implement = none -action.escu.known_false_positives = None at this time -disabled = true -schedule_window = auto -is_visible = false -search = | search `notable` | search dest=$dest$ | table _time, dest, rule_name, owner, priority, severity, status_description - -[ESCU - Get Outbound Emails to Hidden Cobra Threat Actors - Response Task] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = investigative -action.escu.full_search_name = ESCU - Get Outbound Emails to Hidden Cobra Threat Actors - Response Task -description = This search returns the information of the users that sent emails to the accounts controlled by the Hidden Cobra Threat Actors: specifically to `misswang8107@gmail.com`, and from `redhat@gmail.com`. -action.escu.creation_date = 2018-06-14 -action.escu.modification_date = 2018-06-14 -action.escu.analytic_story = ["Hidden Cobra Malware"] -action.escu.earliest_time_offset = 3600 -action.escu.latest_time_offset = 86400 -action.escu.providing_technologies = [] -action.escu.data_models = ["Email"] -action.escu.eli5 = This search returns the information of the users that sent emails to the accounts controlled by the Hidden Cobra Threat Actors: specifically to `misswang8107@gmail.com`, and from `redhat@gmail.com`. -action.escu.how_to_implement = none -action.escu.known_false_positives = None at this time -disabled = true -schedule_window = auto -is_visible = false -search = | from datamodel Email.All_Email | search recipient=misswang8107@gmail.com OR src_user=redhat@gmail.com | stats count earliest(_time) as firstTime, latest(_time) as lastTime values(dest) values(src) by src_user recipient | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - -[ESCU - Get Parent Process Info - Response Task] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = investigative -action.escu.full_search_name = ESCU - Get Parent Process Info - Response Task -description = This search queries the Endpoint data model to give you details about the parent process of a process running on a host which is under investigation. Enter the values of the process name in question and the dest -action.escu.creation_date = 2019-02-28 -action.escu.modification_date = 2019-02-28 -action.escu.analytic_story = ["Collection and Staging", "Command And Control", "DHS Report TA18-074A", "Disabling Security Tools", "Emotet Malware DHS Report TA18-201A", "Hidden Cobra Malware", "Lateral Movement", "Malicious PowerShell", "Monitor for Unauthorized Software", "Netsh Abuse", "Orangeworm Attack Group", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Prohibited Traffic Allowed or Protocol Mismatch", "Ransomware", "SamSam Ransomware", "Suspicious Command-Line Executions", "Suspicious DNS Traffic", "Suspicious MSHTA Activity", "Suspicious WMI Use", "Suspicious Windows Registry Activities", "Unusual Processes", "Windows Defense Evasion Tactics", "Windows File Extension and Association Abuse", "Windows Log Manipulation", "Windows Persistence Techniques", "Windows Privilege Escalation", "Windows Service Abuse"] -action.escu.earliest_time_offset = 3600 -action.escu.latest_time_offset = 86400 -action.escu.providing_technologies = [] -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search queries the Endpoint data model to give you details about the parent process of a process running on a host which is under investigation. Enter the values of the process name in question and the dest -action.escu.how_to_implement = none -action.escu.known_false_positives = None at this time -disabled = true -schedule_window = auto -is_visible = false -search = | tstats `security_content_summariesonly` count values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes by Processes.user Processes.parent_process_name Processes.process_name Processes.dest | `drop_dm_object_name("Processes")` | search parent_process_name= $parent_process_name$ |search dest = $dest$ | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - -[ESCU - Get Process File Activity - Response Task] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = investigative -action.escu.full_search_name = ESCU - Get Process File Activity - Response Task -description = This search returns the file activity for a specific process on a specific endpoint -action.escu.creation_date = 2019-11-06 -action.escu.modification_date = 2019-11-06 -action.escu.analytic_story = ["DHS Report TA18-074A", "Suspicious Zoom Child Processes"] -action.escu.earliest_time_offset = 3600 -action.escu.latest_time_offset = 86400 -action.escu.providing_technologies = [] -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search returns the file activity for a specific process on a specific endpoint -action.escu.how_to_implement = none -action.escu.known_false_positives = None at this time -disabled = true -schedule_window = auto -is_visible = false -search = | tstats `security_content_summariesonly` values(Filesystem.file_name) as file_name values(Filesystem.dest) as dest, values(Filesystem.process_name) as process_name from datamodel=Endpoint.Filesystem by Filesystem.dest Filesystem.process_name Filesystem.file_path, Filesystem.action, _time | `drop_dm_object_name(Filesystem)` | search dest=$dest$ | search process_name=$process_name$ | table _time, process_name, dest, action, file_name, file_path - -[ESCU - Get Process Info - Response Task] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = investigative -action.escu.full_search_name = ESCU - Get Process Info - Response Task -description = This search queries the Endpoint data model to give you details about the process running on a host which is under investigation. To gather the process info, enter the values for the process name in question and the destination IP address. -action.escu.creation_date = 2019-04-01 -action.escu.modification_date = 2019-04-01 -action.escu.analytic_story = ["AWS Network ACL Activity", "Collection and Staging", "Command And Control", "DHS Report TA18-074A", "Data Protection", "Disabling Security Tools", "Emotet Malware DHS Report TA18-201A", "Hidden Cobra Malware", "Lateral Movement", "Malicious PowerShell", "Monitor for Unauthorized Software", "Netsh Abuse", "Orangeworm Attack Group", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Prohibited Traffic Allowed or Protocol Mismatch", "Ransomware", "SamSam Ransomware", "Suspicious AWS Traffic", "Suspicious Command-Line Executions", "Suspicious DNS Traffic", "Suspicious MSHTA Activity", "Suspicious WMI Use", "Suspicious Windows Registry Activities", "Unusual Processes", "Windows Defense Evasion Tactics", "Windows File Extension and Association Abuse", "Windows Log Manipulation", "Windows Persistence Techniques", "Windows Privilege Escalation", "Windows Service Abuse"] -action.escu.earliest_time_offset = 3600 -action.escu.latest_time_offset = 86400 -action.escu.providing_technologies = [] -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search queries the Endpoint data model to give you details about the process running on a host which is under investigation. To gather the process info, enter the values for the process name in question and the destination IP address. -action.escu.how_to_implement = none -action.escu.known_false_positives = None at this time -disabled = true -schedule_window = auto -is_visible = false -search = | tstats `security_content_summariesonly` count values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes by Processes.user Processes.parent_process_name Processes.process_name Processes.dest | `drop_dm_object_name("Processes")` | search process_name= $process_name$ | search dest = $dest$ | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - -[ESCU - Get Process Information For Port Activity - Response Task] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = investigative -action.escu.full_search_name = ESCU - Get Process Information For Port Activity - Response Task -description = This search will return information about the process associated with observed network traffic to a specific destination port from a specific host. -action.escu.creation_date = 2019-04-01 -action.escu.modification_date = 2019-04-01 -action.escu.analytic_story = ["AWS Network ACL Activity", "Command And Control", "DHS Report TA18-074A", "Emotet Malware DHS Report TA18-201A", "Hidden Cobra Malware", "Lateral Movement", "Prohibited Traffic Allowed or Protocol Mismatch", "Ransomware", "SamSam Ransomware", "Suspicious AWS Traffic", "Use of Cleartext Protocols"] -action.escu.earliest_time_offset = 3600 -action.escu.latest_time_offset = 86400 -action.escu.providing_technologies = [] -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search will return information about the process associated with observed network traffic to a specific destination port from a specific host. -action.escu.how_to_implement = none -action.escu.known_false_positives = None at this time -disabled = true -schedule_window = auto -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.process_name Processes.user Processes.dest Processes.process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search dest=$dest$ | join dest type=inner [| tstats `security_content_summariesonly` count from datamodel=Endpoint.Ports by Ports.process_id Ports.src Ports.dest_port | `drop_dm_object_name(Ports)` | search dest_port=$dest_port$ | rename src as dest] - -[ESCU - Get Process Responsible For The DNS Traffic - Response Task] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = investigative -action.escu.full_search_name = ESCU - Get Process Responsible For The DNS Traffic - Response Task -description = While investigating, an analyst will want to know what process and parent_process is responsible for generating suspicious DNS traffic. Use the following search and enter the value of `dest` in the search to get specific details on the process responsible for creating the DNS traffic. -action.escu.creation_date = 2019-04-01 -action.escu.modification_date = 2019-04-01 -action.escu.analytic_story = ["AWS Network ACL Activity", "Brand Monitoring", "Command And Control", "Data Protection", "Dynamic DNS", "Hidden Cobra Malware", "Suspicious AWS Traffic", "Suspicious DNS Traffic"] -action.escu.earliest_time_offset = 3600 -action.escu.latest_time_offset = 86400 -action.escu.providing_technologies = [] -action.escu.data_models = ["Endpoint"] -action.escu.eli5 = While investigating, an analyst will want to know what process and parent_process is responsible for generating suspicious DNS traffic. Use the following search and enter the value of `dest` in the search to get specific details on the process responsible for creating the DNS traffic. -action.escu.how_to_implement = none -action.escu.known_false_positives = None at this time -disabled = true -schedule_window = auto -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.parent_process Processes.process_name Processes.user Processes.dest Processes.process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search dest = $dest$ | join dest type=inner [| tstats `security_content_summariesonly` count from datamodel=Endpoint.Ports where Ports.dest_port=53 by Ports.process_id Ports.src | `drop_dm_object_name(Ports)` | rename src as dest] - -[ESCU - Get Sysmon WMI Activity for Host - Response Task] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = investigative -action.escu.full_search_name = ESCU - Get Sysmon WMI Activity for Host - Response Task -description = This search queries Sysmon WMI events for the host of interest. -action.escu.creation_date = 2018-10-23 -action.escu.modification_date = 2018-10-23 -action.escu.analytic_story = ["Ransomware", "Suspicious WMI Use"] -action.escu.earliest_time_offset = 3600 -action.escu.latest_time_offset = 86400 -action.escu.providing_technologies = [] -action.escu.data_models = [] -action.escu.eli5 = This search queries Sysmon WMI events for the host of interest. -action.escu.how_to_implement = none -action.escu.known_false_positives = None at this time -disabled = true -schedule_window = auto -is_visible = false -search = `sysmon` EventCode>18 EventCode<22 | rename host as dest | search dest=$dest$| table _time, dest, user, Name, Operation, EventType, Type, Query, Consumer, Filter - -[ESCU - Get Web Session Information via session id - Response Task] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = investigative -action.escu.full_search_name = ESCU - Get Web Session Information via session id - Response Task -description = This search helps an analyst investigate a notable event to find out more about a specific web session. The search looks for a specific web session ID in the HTTP web traffic and outputs the URL and user agents, grouped by source IP address and HTTP status code. -action.escu.creation_date = 2018-10-08 -action.escu.modification_date = 2018-10-08 -action.escu.analytic_story = ["Web Fraud Detection"] -action.escu.earliest_time_offset = 3600 -action.escu.latest_time_offset = 86400 -action.escu.providing_technologies = [] -action.escu.data_models = [] -action.escu.eli5 = This search helps an analyst investigate a notable event to find out more about a specific web session. The search looks for a specific web session ID in the HTTP web traffic and outputs the URL and user agents, grouped by source IP address and HTTP status code. -action.escu.how_to_implement = none -action.escu.known_false_positives = None at this time -disabled = true -schedule_window = auto -is_visible = false -search = `stream_http` session_id = $session_id$ | stats values(url) values(http_user_agent) by src_ip status - -[ESCU - Investigate AWS activities via region name - Response Task] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = investigative -action.escu.full_search_name = ESCU - Investigate AWS activities via region name - Response Task -description = This search lists all the user activities logged by CloudTrail for a specific region in question and will create a table of the values of parameters requested, the type of the event and the response from the AWS API by each user -action.escu.creation_date = 2018-02-09 -action.escu.modification_date = 2018-02-09 -action.escu.analytic_story = ["AWS Cryptomining", "Cloud Cryptomining", "Suspicious AWS EC2 Activities", "Suspicious AWS S3 Activities"] -action.escu.earliest_time_offset = 3600 -action.escu.latest_time_offset = 86400 -action.escu.providing_technologies = [] -action.escu.data_models = [] -action.escu.eli5 = This search lists all the user activities logged by CloudTrail for a specific region in question and will create a table of the values of parameters requested, the type of the event and the response from the AWS API by each user -action.escu.how_to_implement = none -action.escu.known_false_positives = None at this time -disabled = true -schedule_window = auto -is_visible = false -search = `cloudtrail` vendor_region=$vendor_region$| rename requestParameters.instancesSet.items{}.instanceId as instanceId | stats values(eventName) by user instanceId vendor_region - -[ESCU - Investigate AWS User Activities by user field - Response Task] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = investigative -action.escu.full_search_name = ESCU - Investigate AWS User Activities by user field - Response Task -description = This search lists all the logged CloudTrail activities by a specific user and will create a table containing the source of the user, the region of the activity, the name and type of the event, the action taken, and the user's identity information. -action.escu.creation_date = 2018-03-12 -action.escu.modification_date = 2018-03-12 -action.escu.analytic_story = ["AWS User Monitoring", "Suspicious Cloud Authentication Activities"] -action.escu.earliest_time_offset = 3600 -action.escu.latest_time_offset = 86400 -action.escu.providing_technologies = [] -action.escu.data_models = [] -action.escu.eli5 = This search lists all the logged CloudTrail activities by a specific user and will create a table containing the source of the user, the region of the activity, the name and type of the event, the action taken, and the user's identity information. -action.escu.how_to_implement = none -action.escu.known_false_positives = None at this time -disabled = true -schedule_window = auto -is_visible = false -search = `cloudtrail` user=$user$ | table _time userIdentity.type userIdentity.userName userIdentity.arn aws_account_id src awsRegion eventName eventType - -[ESCU - Investigate Failed Logins for Multiple Destinations - Response Task] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = investigative -action.escu.full_search_name = ESCU - Investigate Failed Logins for Multiple Destinations - Response Task -description = This search returns failed logins to multiple destinations by user. -action.escu.creation_date = 2019-12-10 -action.escu.modification_date = 2019-12-10 -action.escu.analytic_story = ["Credential Dumping"] -action.escu.earliest_time_offset = 3600 -action.escu.latest_time_offset = 86400 -action.escu.providing_technologies = [] -action.escu.data_models = ["Authentication"] -action.escu.eli5 = This search returns failed logins to multiple destinations by user. -action.escu.how_to_implement = none -action.escu.known_false_positives = None at this time -disabled = true -schedule_window = auto -is_visible = false -search = | tstats count `security_content_summariesonly` earliest(_time) as first_login latest(_time) as last_login dc(Authentication.dest) AS distinct_count_dest values(Authentication.dest) AS Authentication.dest values(Authentication.app) AS Authentication.app from datamodel=Authentication where Authentication.action=failure by Authentication.user | where distinct_count_dest > 1 | `security_content_ctime(first_login)` | `security_content_ctime(last_login)` | `drop_dm_object_name("Authentication")` | search user=$user$ - -[ESCU - Investigate Network Traffic From src ip - Response Task] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = investigative -action.escu.full_search_name = ESCU - Investigate Network Traffic From src ip - Response Task -description = This search allows you to find all the network traffic from a specific IP address. -action.escu.creation_date = 2018-06-15 -action.escu.modification_date = 2018-06-15 -action.escu.analytic_story = ["ColdRoot MacOS RAT"] -action.escu.earliest_time_offset = 3600 -action.escu.latest_time_offset = 86400 -action.escu.providing_technologies = [] -action.escu.data_models = ["Network_Traffic"] -action.escu.eli5 = This search allows you to find all the network traffic from a specific IP address. -action.escu.how_to_implement = none -action.escu.known_false_positives = None at this time -disabled = true -schedule_window = auto -is_visible = false -search = | from datamodel Network_Traffic.All_Traffic | search src_ip=$src_ip$ - -[ESCU - Investigate Okta Activity by app - Response Task] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = investigative -action.escu.full_search_name = ESCU - Investigate Okta Activity by app - Response Task -description = This search returns all okta events associated with a specific app -action.escu.creation_date = 2020-04-02 -action.escu.modification_date = 2020-04-02 -action.escu.analytic_story = ["Suspicious Okta Activity"] -action.escu.earliest_time_offset = 3600 -action.escu.latest_time_offset = 86400 -action.escu.providing_technologies = [] -action.escu.data_models = [] -action.escu.eli5 = This search returns all okta events associated with a specific app -action.escu.how_to_implement = none -action.escu.known_false_positives = None at this time -disabled = true -schedule_window = auto -is_visible = false -search = `okta` app=$app$ | rename client.geographicalContext.country as country, client.geographicalContext.state as state, client.geographicalContext.city as city | table _time, user, displayMessage, app, src_ip, state, city, result, outcome.reason - -[ESCU - Investigate Okta Activity by IP Address - Response Task] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = investigative -action.escu.full_search_name = ESCU - Investigate Okta Activity by IP Address - Response Task -description = This search returns all okta events from a specific IP address. -action.escu.creation_date = 2020-04-02 -action.escu.modification_date = 2020-04-02 -action.escu.analytic_story = ["Suspicious Okta Activity"] -action.escu.earliest_time_offset = 3600 -action.escu.latest_time_offset = 86400 -action.escu.providing_technologies = [] -action.escu.data_models = [] -action.escu.eli5 = This search returns all okta events from a specific IP address. -action.escu.how_to_implement = none -action.escu.known_false_positives = None at this time -disabled = true -schedule_window = auto -is_visible = false -search = `okta` src_ip={src_ip} | rename client.geographicalContext.country as country, client.geographicalContext.state as state, client.geographicalContext.city as city | table _time, user, displayMessage, app, src_ip, state, city, result, outcome.reason - -[ESCU - Investigate Pass the Hash Attempts - Response Task] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = investigative -action.escu.full_search_name = ESCU - Investigate Pass the Hash Attempts - Response Task -description = This search hunts for dumped NTLM hashes used for pass the hash. -action.escu.creation_date = 2019-12-10 -action.escu.modification_date = 2019-12-10 -action.escu.analytic_story = ["Credential Dumping"] -action.escu.earliest_time_offset = 3600 -action.escu.latest_time_offset = 86400 -action.escu.providing_technologies = [] -action.escu.data_models = [] -action.escu.eli5 = This search hunts for dumped NTLM hashes used for pass the hash. -action.escu.how_to_implement = none -action.escu.known_false_positives = None at this time -disabled = true -schedule_window = auto -is_visible = false -search = `wineventlog_security` EventCode=4624 Logon_Type=9 AuthenticationPackageName=Negotiate | stats count earliest(_time) as first_login latest(_time) as last_login by src_user dest | `security_content_ctime(first_login)` | `security_content_ctime(last_login)` | search dest=$dest$ - -[ESCU - Investigate Pass the Ticket Attempts - Response Task] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = investigative -action.escu.full_search_name = ESCU - Investigate Pass the Ticket Attempts - Response Task -description = This search hunts for dumped kerberos ticket from LSASS memory. -action.escu.creation_date = 2019-12-10 -action.escu.modification_date = 2019-12-10 -action.escu.analytic_story = ["Credential Dumping"] -action.escu.earliest_time_offset = 3600 -action.escu.latest_time_offset = 86400 -action.escu.providing_technologies = [] -action.escu.data_models = [] -action.escu.eli5 = This search hunts for dumped kerberos ticket from LSASS memory. -action.escu.how_to_implement = none -action.escu.known_false_positives = None at this time -disabled = true -schedule_window = auto -is_visible = false -search = `wineventlog_security` EventCode=4768 OR EventCode=4769 | rex field=user "(?[^\@]+)" | stats count BY new_user, dest, EventCode | stats max(count) AS max_count sum(count) AS sum_count BY new_user, dest| search dest=$dest$ | where sum_count/max_count!=2 | rename new_user AS user - -[ESCU - Investigate Previous Unseen User - Response Task] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = investigative -action.escu.full_search_name = ESCU - Investigate Previous Unseen User - Response Task -description = This search returns previous unseen user, which didn't log in for 30 days. -action.escu.creation_date = 2019-12-10 -action.escu.modification_date = 2019-12-10 -action.escu.analytic_story = ["Credential Dumping"] -action.escu.earliest_time_offset = 3600 -action.escu.latest_time_offset = 86400 -action.escu.providing_technologies = [] -action.escu.data_models = ["Authentication"] -action.escu.eli5 = This search returns previous unseen user, which didn't log in for 30 days. -action.escu.how_to_implement = none -action.escu.known_false_positives = None at this time -disabled = true -schedule_window = auto -is_visible = false -search = | tstats count `security_content_summariesonly` earliest(_time) as first_login latest(_time) as last_login values(Authentication.dest) AS Authentication.dest values(Authentication.app) AS Authentication.app values(Authentication.action) AS Authentication.action from datamodel=Authentication where Authentication.action=success by _time, Authentication.user | bucket _time span=30d | stats count min(first_login) as first_login max(last_login) as last_login values(Authentication.dest) AS Authentication.dest by Authentication.user | where count=1 | where first_login >= relative_time(now(), "-30d") | `security_content_ctime(first_login)` | `security_content_ctime(last_login)` | `drop_dm_object_name("Authentication")` | search dest=$dest$ - -[ESCU - Investigate Successful Remote Desktop Authentications - Response Task] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = investigative -action.escu.full_search_name = ESCU - Investigate Successful Remote Desktop Authentications - Response Task -description = This search returns the source, destination, and user for all successful remote-desktop authentications. A successful authentication after a brute-force attack on a destination machine is suspicious behavior. -action.escu.creation_date = 2018-12-14 -action.escu.modification_date = 2018-12-14 -action.escu.analytic_story = ["Active Directory Lateral Movement", "Hidden Cobra Malware", "SamSam Ransomware"] -action.escu.earliest_time_offset = 3600 -action.escu.latest_time_offset = 86400 -action.escu.providing_technologies = [] -action.escu.data_models = ["Authentication"] -action.escu.eli5 = This search returns the source, destination, and user for all successful remote-desktop authentications. A successful authentication after a brute-force attack on a destination machine is suspicious behavior. -action.escu.how_to_implement = none -action.escu.known_false_positives = None at this time -disabled = true -schedule_window = auto -is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Authentication where Authentication.signature_id=4624 Authentication.app=win:remote by Authentication.src Authentication.dest Authentication.app Authentication.user Authentication.signature Authentication.src_nt_domain | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name("Authentication")` | search dest=$dest$ | table firstTime lastTime src src_nt_domain dest user app count | sort count - -[ESCU - Investigate Suspicious Strings in HTTP Header - Response Task] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = investigative -action.escu.full_search_name = ESCU - Investigate Suspicious Strings in HTTP Header - Response Task -description = This search helps an analyst investigate a notable event related to a potential Apache Struts exploitation. To investigate, we will want to isolate and analyze the "payload" or the commands that were passed to the vulnerable hosts by creating a few regular expressions to carve out the commands focusing on common keywords from the payload, such as cmd.exe, /bin/bash and whois. The search returns these suspicious strings found in the HTTP logs of the system of interest. -action.escu.creation_date = 2017-10-20 -action.escu.modification_date = 2017-10-20 -action.escu.analytic_story = ["Apache Struts Vulnerability"] -action.escu.earliest_time_offset = 3600 -action.escu.latest_time_offset = 86400 -action.escu.providing_technologies = [] -action.escu.data_models = [] -action.escu.eli5 = This search helps an analyst investigate a notable event related to a potential Apache Struts exploitation. To investigate, we will want to isolate and analyze the "payload" or the commands that were passed to the vulnerable hosts by creating a few regular expressions to carve out the commands focusing on common keywords from the payload, such as cmd.exe, /bin/bash and whois. The search returns these suspicious strings found in the HTTP logs of the system of interest. -action.escu.how_to_implement = none -action.escu.known_false_positives = None at this time -disabled = true -schedule_window = auto -is_visible = false -search = `stream_http` | search src_ip=$src_ip$ | search dest_ip=$dest_ip$ | eval cs_content_type_length = len(cs_content_type) | search cs_content_type_length > 100 | rex field="cs_content_type" (?cmd.exe) | eval suspicious_strings_found=if(match(cs_content_type, "application"), "True", "False") | rename suspicious_strings_found AS "Suspicious Content-Type Found" | fields "Suspicious Content-Type Found", dest_ip, src_ip, suspicious_strings, cs_content_type, cs_content_type_length, url - -[ESCU - Investigate User Activities In Okta - Response Task] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = investigative -action.escu.full_search_name = ESCU - Investigate User Activities In Okta - Response Task -description = This search returns all okta events by a specific user -action.escu.creation_date = 2020-04-02 -action.escu.modification_date = 2020-04-02 -action.escu.analytic_story = ["Suspicious Okta Activity"] -action.escu.earliest_time_offset = 3600 -action.escu.latest_time_offset = 86400 -action.escu.providing_technologies = [] -action.escu.data_models = [] -action.escu.eli5 = This search returns all okta events by a specific user -action.escu.how_to_implement = none -action.escu.known_false_positives = None at this time -disabled = true -schedule_window = auto -is_visible = false -search = `okta` user=$user$ | rename client.geographicalContext.country as country, client.geographicalContext.state as state, client.geographicalContext.city as city | table _time, user, displayMessage, app, src_ip, state, city, result, outcome.reason - -[ESCU - Investigate Web POSTs From src - Response Task] -action.escu = 0 -action.escu.enabled = 1 -action.escu.search_type = investigative -action.escu.full_search_name = ESCU - Investigate Web POSTs From src - Response Task -description = This investigative search retrieves POST requests from a specified source IP or hostname. Identifying the POST requests, as well as their associated destination URLs and user agent(s), may help you scope and characterize the suspicious traffic. -action.escu.creation_date = 2018-12-06 -action.escu.modification_date = 2018-12-06 -action.escu.analytic_story = ["Apache Struts Vulnerability"] -action.escu.earliest_time_offset = 3600 -action.escu.latest_time_offset = 86400 -action.escu.providing_technologies = [] -action.escu.data_models = ["Web"] -action.escu.eli5 = This investigative search retrieves POST requests from a specified source IP or hostname. Identifying the POST requests, as well as their associated destination URLs and user agent(s), may help you scope and characterize the suspicious traffic. -action.escu.how_to_implement = none -action.escu.known_false_positives = None at this time -disabled = true -schedule_window = auto -is_visible = false -search = | tstats `security_content_summariesonly` values(Web.url) as url from datamodel=Web by Web.src,Web.http_user_agent,Web.http_method | `drop_dm_object_name("Web")`| search http_method, "POST" | search src=$src$ - - - -### END ESCU RESPONSE TASKS ### \ No newline at end of file diff --git a/dist/DA-ESS-ContentUpdate/default/transforms.conf b/dist/DA-ESS-ContentUpdate/default/transforms.conf deleted file mode 100644 index 218c47f902..0000000000 --- a/dist/DA-ESS-ContentUpdate/default/transforms.conf +++ /dev/null @@ -1,486 +0,0 @@ -############# -# Automatically generated by 'contentctl build' from -# https://github.com/splunk/contentctl -# On Date: 2024-06-06T17:49:54 UTC -# Author: Splunk Threat Research Team - Splunk -# Contact: research@splunk.com -############# - -[3cx_ioc_domains] -filename = 3cx_ioc_domains.csv -default_match = false -case_sensitive_match = false -# description = A list of domains from the 3CX supply chain attack. -match_type = WILDCARD(domain) -min_matches = 1 - -[__mlspl_detect_dns_data_exfiltration_using_pretrained_model_in_dsdl] -filename = __mlspl_detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.mlmodel -case_sensitive_match = false -# description = Detect DNS Data Exfiltration using pretrained Model in DSDL - -[__mlspl_detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl] -filename = __mlspl_detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.mlmodel -case_sensitive_match = false -# description = Detect suspicious DNS txt records using Pretrained Model in DSDL - -[__mlspl_detect_suspicious_processnames_using_pretrained_model_in_dsdl] -filename = __mlspl_detect_suspicious_processnames_using_pretrained_model_in_dsdl.mlmodel -case_sensitive_match = false -# description = Detect a suspicious processname using Pretrained Model in DSDL - -[__mlspl_pretrained_dga_model_dsdl] -filename = __mlspl_pretrained_dga_model_dsdl.mlmodel -case_sensitive_match = false -# description = Detect DGA domains using Pretrained Model in DSDL - -[__mlspl_risky_spl_pre_trained_model] -filename = __mlspl_risky_spl_pre_trained_model.mlmodel -default_match = false -case_sensitive_match = false -# description = Detect Risky SPL using Pretrained ML Model -min_matches = 1 - -[__mlspl_unusual_commandline_detection] -filename = __mlspl_unusual_commandline_detection.mlmodel -default_match = false -case_sensitive_match = false -# description = An MLTK model for detecting malicious commandlines -min_matches = 1 - -[advanced_audit_policy_guids] -filename = advanced_audit_policy_guids.csv -default_match = false -case_sensitive_match = false -# description = List of GUIDs associated with Windows advanced audit policies -match_type = WILDCARD(GUID) -min_matches = 1 - -[api_call_by_user_baseline] -collection = api_call_by_user_baseline -external_type = kvstore -# description = A collection that will contain the baseline information for number of AWS API calls per user -fields_list = arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls - -[applockereventcodes] -filename = applockereventcodes.csv -default_match = false -case_sensitive_match = false -# description = A csv of the ID and rule name for AppLocker event codes. -match_type = WILDCARD(AppLocker_Event_Code) -min_matches = 1 - -[asr_rules] -filename = asr_rules.csv -default_match = false -case_sensitive_match = false -# description = A csv of the ID and rule name for ASR, Microsoft Attack Surface Reduction rules. -match_type = WILDCARD(ASR_Rule) -min_matches = 1 - -[attacker_tools] -filename = attacker_tools.csv -default_match = false -case_sensitive_match = false -# description = A list of tools used by attackers -match_type = WILDCARD(attacker_tool_names) -min_matches = 1 - -[aws_service_accounts] -filename = aws_service_accounts.csv -# description = A lookup file that will contain AWS Service accounts - -[baseline_blocked_outbound_connections] -filename = baseline_blocked_outbound_connections.csv -# description = A lookup file that will contain the baseline information for number of blocked outbound connections - -[brandMonitoring_lookup] -filename = brand_monitoring.csv -default_match = false -# description = A file that contains look-a-like domains for brands that you want to monitor -match_type = WILDCARD(domain) -min_matches = 1 - -[browser_app_list] -filename = browser_app_list.csv -default_match = false -case_sensitive_match = false -# description = A list of known browser application being targeted for credential extraction. -match_type = WILDCARD(browser_process_name), WILDCARD(browser_object_path) -min_matches = 1 - -[char_conversion_matrix] -filename = char_conversion_matrix.csv -default_match = false -case_sensitive_match = true -# description = A simple conversion matrix for converting to and from UTF8/16 base64/hex/decimal encoding. Created mosty from https://community.splunk.com/t5/Splunk-Search/base64-decoding-in-search/m-p/27572#M177741, with small modifications for UTF16LE parsing for powershell encoding. -match_type = WILDCARD(data) -min_matches = 1 - -[cloud_instances_enough_data] -collection = cloud_instances_enough_data -external_type = kvstore -default_match = false -# description = A lookup to determine if you have a sufficient amount of time has passed to collect cloud instance data for behavioral searches -match_type = WILDCARD(filter) -fields_list = _key, filter, enough_data - -[discovered_dns_records] -filename = discovered_dns_records.csv -default_match = false -# description = A placeholder for a list of discovered DNS records generated by the baseline discover_dns_records -min_matches = 1 - -[domain_admins] -filename = domain_admins.csv -case_sensitive_match = false -# description = List of domain admins - -[domains] -filename = domains.csv -# description = A list of domains that can be ignored - -[dynamic_dns_providers_default] -filename = dynamic_dns_providers_default.csv -case_sensitive_match = false -# description = A list of dynammic dns providers that should not be modified -match_type = WILDCARD(dynamic_dns_domains) - -[dynamic_dns_providers_local] -filename = dynamic_dns_providers_local.csv -case_sensitive_match = false -# description = A list of dynammic dns providers that can be modified -match_type = WILDCARD(dynamic_dns_domains) - -[hijacklibs] -filename = hijacklibs.csv -default_match = false -case_sensitive_match = false -# description = A list of potentially abused libraries in Windows -match_type = WILDCARD(library) -min_matches = 1 - -[hijacklibs_loaded] -filename = hijacklibs_loaded.csv -default_match = false -case_sensitive_match = false -# description = A list of potentially abused libraries in Windows -match_type = WILDCARD(library),WILDCARD(excludes) -min_matches = 1 - -[images_to_repository] -filename = images_to_repository.csv -# description = Mapping images to repositories - -[is_net_windows_file] -filename = is_net_windows_file20231221.csv -default_match = false -case_sensitive_match = false -# description = A full baseline of executable files in \Windows\, including sub-directories from Server 2016 and Windows 11. Certain .net binaries may not have been captured due to different Windows SDK's or developer utilities not installed during baseline. -min_matches = 1 - -[is_nirsoft_software] -filename = is_nirsoft_software20231221.csv -default_match = false -case_sensitive_match = false -# description = A subset of utilities provided by NirSoft that may be used by adversaries. -min_matches = 1 - -[is_suspicious_file_extension_lookup] -filename = is_suspicious_file_extension_lookup.csv -# description = A list of suspicious extensions for email attachments -match_type = WILDCARD(file_name) - -[is_windows_system_file] -filename = is_windows_system_file20231221.csv -default_match = false -case_sensitive_match = false -# description = A full baseline of executable files in Windows\System32 and Windows\Syswow64, including sub-directories from Server 2016 and Windows 10. -min_matches = 1 - -[k8s_container_network_io_baseline] -collection = k8s_container_network_io_baseline -external_type = kvstore -# description = A place holder for a list of used Kuberntes Container Network IO -fields_list = key, avg_outbound_network_io, avg_inbound_network_io, stdev_outbound_network_io, stdev_inbound_network_io, count, last_seen - -[k8s_container_network_io_ratio_baseline] -collection = k8s_container_network_io_ratio_baseline -external_type = kvstore -# description = A place holder for a list of used Kuberntes Container Network IO Ratio -fields_list = key, avg_outbound_network_io, avg_inbound_network_io, stdev_outbound_network_io, stdev_inbound_network_io, count, last_seen - -[k8s_process_resource_baseline] -collection = k8s_process_resource_baseline -external_type = kvstore -# description = A place holder for a list of used Kuberntes Process Resource -fields_list = host.name, k8s.cluster.name, k8s.node.name, process.executable.name, avg_process.cpu.time, avg_process.cpu.utilization, avg_process.disk.io, avg_process.disk.operations, avg_process.memory.usage, avg_process.memory.utilization, avg_process.memory.virtual, avg_process.threads, stdev_process.cpu.time, stdev_process.cpu.utilization, stdev_process.disk.io, stdev_process.disk.operations, stdev_process.memory.usage, stdev_process.memory.utilization, stdev_process.memory.virtual, stdev_process.threads, key - -[k8s_process_resource_ratio_baseline] -collection = k8s_process_resource_ratio_baseline -external_type = kvstore -# description = A place holder for a list of used Kuberntes Process Ratios -fields_list = key, avg_cpu:mem, stdev_cpu:mem, avg_cpu:disk, stdev_cpu:disk, avg_mem:disk, stdev_mem:disk, avg_cpu:threads, stdev_cpu:threads, avg_disk:threads, avg_disk:threads, count, last_seen - -[legit_domains] -filename = legit_domains.csv -# description = A list of legit domains to be used as an ignore list for possible phishing sites - -[linux_tool_discovery_process] -filename = linux_tool_discovery_process.csv -default_match = false -case_sensitive_match = false -# description = A list of suspicious bash commonly used by attackers via scripts -match_type = WILDCARD(process) -min_matches = 1 - -[local_file_inclusion_paths] -filename = local_file_inclusion_paths.csv -default_match = false -case_sensitive_match = false -# description = A list of interesting files in a local file inclusion attack -match_type = WILDCARD(local_file_inclusion_paths) -min_matches = 1 - -[lolbas_file_path] -filename = lolbas_file_path.csv -default_match = false -case_sensitive_match = false -# description = A list of LOLBAS and their file path used in determining if a script or binary is valid on windows -match_type = WILDCARD(lolbas_file_name) -min_matches = 1 - -[loldrivers] -filename = loldrivers.csv -default_match = false -case_sensitive_match = false -# description = A list of known vulnerable drivers -match_type = WILDCARD(driver_name) -min_matches = 1 - -[lookup_rare_process_allow_list_default] -filename = rare_process_allow_list_default.csv -default_match = false -case_sensitive_match = false -# description = A list of rare processes that are legitimate that is provided by Splunk -match_type = WILDCARD(process) -min_matches = 1 - -[lookup_rare_process_allow_list_local] -filename = rare_process_allow_list_local.csv -default_match = false -case_sensitive_match = false -# description = A list of rare processes that are legitimate provided by the end user -match_type = WILDCARD(process) -min_matches = 1 - -[lookup_uncommon_processes_default] -filename = uncommon_processes_default.csv -case_sensitive_match = false -# description = A list of processes that are not common -match_type = WILDCARD(process) - -[lookup_uncommon_processes_local] -filename = uncommon_processes_local.csv -case_sensitive_match = false -# description = A list of processes that are not common -match_type = WILDCARD(process) - -[mandatory_job_for_workflow] -filename = mandatory_job_for_workflow.csv -# description = A lookup file that will be used to define the mandatory job for workflow - -[mandatory_step_for_job] -filename = mandatory_step_for_job.csv -# description = A lookup file that will be used to define the mandatory step for job - -[network_acl_activity_baseline] -filename = network_acl_activity_baseline.csv -# description = A lookup file that will contain the baseline information for number of AWS Network ACL Activity - -[previously_seen_api_calls_from_user_roles] -collection = previously_seen_api_calls_from_user_roles -external_type = kvstore -# description = A placeholder for a list of IPs that have access S3 -fields_list = _key,earliest,latest,userName,eventName - -[previously_seen_aws_cross_account_activity] -collection = previously_seen_aws_cross_account_activity -external_type = kvstore -# description = A placeholder for a list of AWS accounts and assumed roles -fields_list = _key,firstTime,lastTime,requestingAccountId,requestedAccountId - -[previously_seen_aws_regions] -collection = previously_seen_aws_regions -external_type = kvstore -# description = A place holder for a list of used AWS regions -fields_list = _key,earliest,latest,awsRegion - -[previously_seen_cloud_api_calls_per_user_role] -collection = previously_seen_cloud_api_calls_per_user_role -external_type = kvstore -# description = A table of users, commands, and the first and last time that they have been seen -fields_list = _key, user, command, firstTimeSeen, lastTimeSeen, enough_data - -[previously_seen_cloud_compute_creations_by_user] -collection = previously_seen_cloud_compute_creations_by_user -external_type = kvstore -# description = A table of previously seen users creating cloud instances -fields_list = _key, firstTimeSeen, lastTimeSeen, user, enough_data - -[previously_seen_cloud_compute_images] -collection = previously_seen_cloud_compute_images -external_type = kvstore -# description = A table of previously seen Cloud image IDs -fields_list = _key, firstTimeSeen, lastTimeSeen, image_id, enough_data - -[previously_seen_cloud_compute_instance_types] -collection = previously_seen_cloud_compute_instance_types -external_type = kvstore -# description = A place holder for a list of used cloud compute instance types -fields_list = _key, firstTimeSeen, lastTimeSeen, instance_type, enough_data - -[previously_seen_cloud_instance_modifications_by_user] -collection = previously_seen_cloud_instance_modifications_by_user -external_type = kvstore -# description = A table of users seen making instance modifications, and the first and last time that the activity was observed -fields_list = _key, firstTimeSeen, lastTimeSeen, user, enough_data - -[previously_seen_cloud_provisioning_activity_sources] -collection = previously_seen_cloud_provisioning_activity_sources -external_type = kvstore -# description = A table of source IPs, geographic locations, and the first and last time that they have that done cloud provisioning activities -fields_list = _key, src, City, Country, Region, firstTimeSeen, lastTimeSeen, enough_data - -[previously_seen_cloud_regions] -collection = previously_seen_cloud_regions -external_type = kvstore -# description = A table of vendor_region values and the first and last time that they have been observed in cloud provisioning activities -fields_list = _key, firstTimeSeen, lastTimeSeen, vendor_region, enough_data - -[previously_seen_cmd_line_arguments] -filename = previously_seen_cmd_line_arguments.csv -# description = A placeholder for a list of cmd line arugments that been seen before - -[previously_seen_ec2_modifications_by_user] -filename = previously_seen_ec2_modifications_by_user.csv -# description = A place holder for a list of AWS EC2 modifications done by each user - -[previously_seen_gcp_storage_access_from_remote_ip] -collection = previously_seen_gcp_storage_access_from_remote_ip -external_type = kvstore -# description = A place holder for a list of GCP storage access from remote IPs -fields_list = _key, firstTime, lastTime, bucket_name, remote_ip, operation, request_uri - -[previously_seen_running_windows_services] -collection = previously_seen_running_windows_services -external_type = kvstore -# description = A placeholder for the list of Windows Services running -fields_list = _key, service, firstTimeSeen, lastTimeSeen - -[previously_seen_S3_access_from_remote_ip] -collection = previously_seen_S3_access_from_remote_ip -external_type = kvstore -# description = A placeholder for a list of IPs that have access S3 -fields_list = _key, bucket_name,remote_ip,earliest,latest - -[previously_seen_users_console_logins] -collection = previously_seen_users_console_logins -external_type = kvstore -# description = A table of users seen doing console logins, and the first and last time that the activity was observed -fields_list = _key, firstTime, lastTime, user, src, City, Region, Country - -[privileged_azure_ad_roles] -filename = privileged_azure_ad_roles.csv -default_match = false -case_sensitive_match = false -# description = A list of privileged Azure Active Directory roles. -match_type = WILDCARD(azureadrole) -min_matches = 1 - -[prohibited_apps_launching_cmd] -filename = prohibited_apps_launching_cmd20231221.csv -# description = A list of processes that should not be launching cmd.exe -match_type = WILDCARD(prohibited_applications) - -[prohibited_processes] -filename = prohibited_processes.csv -# description = A list of processes that have been marked as prohibited - -[ransomware_extensions_lookup] -filename = ransomware_extensions_20231219.csv -default_match = false -case_sensitive_match = false -# description = A list of file extensions that are associated with ransomware -match_type = WILDCARD(Extensions) -min_matches = 1 - -[ransomware_notes_lookup] -filename = ransomware_notes_20231219.csv -default_match = false -case_sensitive_match = false -# description = A list of file names that are ransomware note files -match_type = WILDCARD(ransomware_notes) -min_matches = 1 - -[remote_access_software] -filename = remote_access_software.csv -default_match = false -case_sensitive_match = false -# description = A list of Remote Access Software -match_type = WILDCARD(remote_utility),WILDCARD(remote_domain),WILDCARD(remote_utility_fileinfo) -min_matches = 1 - -[s3_deletion_baseline] -collection = s3_deletion_baseline -external_type = kvstore -# description = A placeholder for the baseline information for AWS S3 deletions -fields_list = _key, arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls - -[security_group_activity_baseline] -collection = security_group_activity_baseline -external_type = kvstore -# description = A placeholder for the baseline information for AWS security groups -fields_list = _key, arn,latestCount,numDataPoints,avgApiCalls,stdevApiCalls - -[security_services_lookup] -filename = security_services.csv -default_match = false -# description = A list of services that deal with security -match_type = WILDCARD(service) -min_matches = 1 - -[splunk_risky_command] -filename = splunk_risky_command_20240122.csv -default_match = false -case_sensitive_match = false -# description = A list of Risky Splunk Command that are candidates for abuse -match_type = WILDCARD(splunk_risky_command) -min_matches = 1 - -[suspicious_writes_lookup] -filename = suspicious_files.csv -default_match = false -# description = A list of suspicious file names -match_type = WILDCARD(file) -min_matches = 1 - -[windows_protocol_handlers] -filename = windows_protocol_handlers.csv -default_match = false -case_sensitive_match = false -# description = A list of Windows Protocol Handlers -match_type = WILDCARD(handler) -min_matches = 1 - -[zoom_first_time_child_process] -collection = zoom_first_time_child_process -external_type = kvstore -# description = A list of suspicious file names -fields_list = _key, dest, process_name, firstTimeSeen, lastTimeSeen - - -### Default transforms definitions for the lookup files we ship ### -[mitre_enrichment] -filename = mitre_enrichment.csv -# description = A lookup file that is created by generate.py \ No newline at end of file diff --git a/dist/DA-ESS-ContentUpdate/default/usage_searches.conf b/dist/DA-ESS-ContentUpdate/default/usage_searches.conf deleted file mode 100644 index 0c8aa32c0a..0000000000 --- a/dist/DA-ESS-ContentUpdate/default/usage_searches.conf +++ /dev/null @@ -1,73 +0,0 @@ -[escu-metrics-usage] -action.email.useNSSubject = 1 -alert.digest_mode = True -alert.suppress = 0 -alert.track = 0 -auto_summarize.dispatch.earliest_time = -1d@h -dispatchAs = user -search = index=_audit sourcetype="audittrail" \ -"ESCU - "\ -`comment("Find all the search names in the audittrail.")`\ -| stats count(search) by search savedsearch_name user\ -| eval usage=(if(savedsearch_name=="","Adhoc","Scheduled")) \ -`comment("If the savedsearch_name field in the audittrail is empty, the search was run adhoc. Otherwise it was run as a scheduled search")`\ -| rex field=search "\"(?.*)\""\ -`comment("Extract the name of the search from the search string")`\ -| table savedsearch_name count(search) usage user | join savedsearch_name max=0 type=left [search sourcetype="manifests" | spath searches{} | mvexpand searches{} | spath input=searches{} | table category search_name | rename search_name as savedsearch_name | dedup savedsearch_name] | search category=* - -[escu-metrics-search] -action.email.useNSSubject = 1 -alert.suppress = 0 -alert.track = 0 -auto_summarize.dispatch.earliest_time = -1d@h -enableSched = 1 -cron_schedule = 0 0 * * * -dispatch.earliest_time = -4h@h -dispatch.latest_time = -1h@h -search = index=_audit action=search | transaction search_id maxspan=3m | search ESCU | stats sum(total_run_time) avg(total_run_time) max(total_run_time) sum(result_count) - -[escu-metrics-search-events] -action.email.useNSSubject = 1 -alert.digest_mode = True -alert.suppress = 0 -alert.track = 0 -auto_summarize.dispatch.earliest_time = -1d@h -cron_schedule = 0 0 * * * -enableSched = 1 -dispatch.earliest_time = -4h@h -dispatch.latest_time = -1h@h -search = [search index=_audit sourcetype="audittrail" \"ESCU NOT "index=_audit" | where search !="" | dedup search_id | rex field=search "\"(?.*)\"" | rex field=_raw "user=(?[a-zA-Z0-9_\-]+)" | eval usage=if(savedsearch_name!="", "scheduled", "adhoc") | eval savedsearch_name=if(savedsearch_name != "", savedsearch_name, search_name) | table savedsearch_name search_id user _time usage | outputlookup escu_search_id.csv | table search_id] index=_audit total_run_time event_count result_count NOT "index=_audit" | lookup escu_search_id.csv search_id | stats count(savedsearch_name) AS search_count avg(total_run_time) AS search_avg_run_time sum(total_run_time) AS search_total_run_time sum(result_count) AS search_total_results earliest(_time) AS firsts latest(_time) AS lasts by savedsearch_name user usage| eval first_run=strftime(firsts, "%B %d %Y") | eval last_run=strftime(lasts, "%B %d %Y") - -[escu-metrics-search-longest-runtime] -action.email.useNSSubject = 1 -alert.digest_mode = True -alert.suppress = 0 -alert.track = 0 -auto_summarize.dispatch.earliest_time = -1d@h -enableSched = 1 -cron_schedule = 0 0 * * * -disabled = 1 -dispatch.earliest_time = -4h@h -dispatch.latest_time = -1h@h -search = index=_* ESCU [search index=_* action=search latest=-2h earliest=-1d| transaction search_id maxspan=3m | search ESCU | stats values(total_run_time) AS run by search_id | sort -run | head 1| table search_id] | table search search_id - -[escu-metrics-usage-search] -action.email.useNSSubject = 1 -alert.digest_mode = True -alert.suppress = 0 -alert.track = 0 -auto_summarize.dispatch.earliest_time = -1d@h -cron_schedule = 0 0 * * * -dispatch.earliest_time = -4h@h -dispatch.latest_time = -1h@h -enableSched = 1 -dispatchAs = user -search = index=_audit sourcetype="audittrail" \ -"ESCU - "\ -`comment("Find all the search names in the audittrail. Ignore the last few minutes so we can exclude this search's text from the result.")`\ -| stats count(search) by search savedsearch_name user\ -| eval usage=(if(savedsearch_name=="","Adhoc","Scheduled")) \ -`comment("If the savedsearch_name field in the audittrail is empty, the search was run adhoc. Otherwise it was run as a scheduled search")`\ -| rex field=search "\"(?.*)\""\ -`comment("Extract the name of the search from the search string")`\ -| table savedsearch_name count(search) usage user | join savedsearch_name max=0 type=left [search sourcetype="manifests" | spath searches{} | mvexpand searches{} | spath input=searches{} | table category search_name | rename search_name as savedsearch_name | dedup savedsearch_name] | search category=* diff --git a/dist/DA-ESS-ContentUpdate/default/use_case_library.conf b/dist/DA-ESS-ContentUpdate/default/use_case_library.conf deleted file mode 100644 index 0cfdca344c..0000000000 --- a/dist/DA-ESS-ContentUpdate/default/use_case_library.conf +++ /dev/null @@ -1,2 +0,0 @@ -### Deprecated since ESCU UI was deprecated and this conf file is no longer in use -### Using one single file analyticstories.conf that will be used both by ES and ESCU \ No newline at end of file diff --git a/dist/DA-ESS-ContentUpdate/default/workflow_actions.conf b/dist/DA-ESS-ContentUpdate/default/workflow_actions.conf deleted file mode 100644 index 88ea112a2e..0000000000 --- a/dist/DA-ESS-ContentUpdate/default/workflow_actions.conf +++ /dev/null @@ -1,373 +0,0 @@ -############# -# Automatically generated by 'contentctl build' from -# https://github.com/splunk/contentctl -# On Date: 2024-06-06T17:49:54 UTC -# Author: Splunk Threat Research Team - Splunk -# Contact: research@splunk.com -############# - -[workbench_panel_all_backup_logs_for_host___response_task] -label = Workbench - All backup logs for host -type = link -fields = dest -display_location = field_menu -link.uri = /app/$@namespace$/ess_workbench_panel?type_asset=$@field_value$&panel=workbench_panel_all_backup_logs_for_host___response_task&drilldown_field=$@field_name$&use_drilldown_time=true -link.target = blank -link.method = get - -[workbench_panel_amazon_eks_kubernetes_activity_by_src_ip___response_task] -label = Workbench - Amazon EKS Kubernetes activity by src ip -type = link -fields = src_ip -display_location = field_menu -link.uri = /app/$@namespace$/ess_workbench_panel?type_asset=$@field_value$&panel=workbench_panel_amazon_eks_kubernetes_activity_by_src_ip___response_task&drilldown_field=$@field_name$&use_drilldown_time=true -link.target = blank -link.method = get - -[workbench_panel_aws_investigate_security_hub_alerts_by_dest___response_task] -label = Workbench - AWS Investigate Security Hub alerts by dest -type = link -fields = dest -display_location = field_menu -link.uri = /app/$@namespace$/ess_workbench_panel?type_asset=$@field_value$&panel=workbench_panel_aws_investigate_security_hub_alerts_by_dest___response_task&drilldown_field=$@field_name$&use_drilldown_time=true -link.target = blank -link.method = get - -[workbench_panel_aws_investigate_user_activities_by_accesskeyid___response_task] -label = Workbench - AWS Investigate User Activities By AccessKeyId -type = link -fields = accessKeyId -display_location = field_menu -link.uri = /app/$@namespace$/ess_workbench_panel?type_asset=$@field_value$&panel=workbench_panel_aws_investigate_user_activities_by_accesskeyid___response_task&drilldown_field=$@field_name$&use_drilldown_time=true -link.target = blank -link.method = get - -[workbench_panel_aws_investigate_user_activities_by_arn___response_task] -label = Workbench - AWS Investigate User Activities By ARN -type = link -fields = user -display_location = field_menu -link.uri = /app/$@namespace$/ess_workbench_panel?type_identity=$@field_value$&panel=workbench_panel_aws_investigate_user_activities_by_arn___response_task&drilldown_field=$@field_name$&use_drilldown_time=true -link.target = blank -link.method = get - -[workbench_panel_aws_network_acl_details_from_id___response_task] -label = Workbench - AWS Network ACL Details from ID -type = link -fields = networkAclId -display_location = field_menu -link.uri = /app/$@namespace$/ess_workbench_panel?type_asset=$@field_value$&panel=workbench_panel_aws_network_acl_details_from_id___response_task&drilldown_field=$@field_name$&use_drilldown_time=true -link.target = blank -link.method = get - -[workbench_panel_aws_network_interface_details_via_resourceid___response_task] -label = Workbench - AWS Network Interface details via resourceId -type = link -fields = resourceId -display_location = field_menu -link.uri = /app/$@namespace$/ess_workbench_panel?type_asset=$@field_value$&panel=workbench_panel_aws_network_interface_details_via_resourceid___response_task&drilldown_field=$@field_name$&use_drilldown_time=true -link.target = blank -link.method = get - -[workbench_panel_aws_s3_bucket_details_via_bucketname___response_task] -label = Workbench - AWS S3 Bucket details via bucketName -type = link -fields = bucketName -display_location = field_menu -link.uri = /app/$@namespace$/ess_workbench_panel?type_asset=$@field_value$&panel=workbench_panel_aws_s3_bucket_details_via_bucketname___response_task&drilldown_field=$@field_name$&use_drilldown_time=true -link.target = blank -link.method = get - -[workbench_panel_gcp_kubernetes_activity_by_src_ip___response_task] -label = Workbench - GCP Kubernetes activity by src ip -type = link -fields = src_ip -display_location = field_menu -link.uri = /app/$@namespace$/ess_workbench_panel?type_asset=$@field_value$&panel=workbench_panel_gcp_kubernetes_activity_by_src_ip___response_task&drilldown_field=$@field_name$&use_drilldown_time=true -link.target = blank -link.method = get - -[workbench_panel_get_all_aws_activity_from_city___response_task] -label = Workbench - Get All AWS Activity From City -type = link -fields = City -display_location = field_menu -link.uri = /app/$@namespace$/ess_workbench_panel?type_asset=$@field_value$&panel=workbench_panel_get_all_aws_activity_from_city___response_task&drilldown_field=$@field_name$&use_drilldown_time=true -link.target = blank -link.method = get - -[workbench_panel_get_all_aws_activity_from_country___response_task] -label = Workbench - Get All AWS Activity From Country -type = link -fields = Country -display_location = field_menu -link.uri = /app/$@namespace$/ess_workbench_panel?type_asset=$@field_value$&panel=workbench_panel_get_all_aws_activity_from_country___response_task&drilldown_field=$@field_name$&use_drilldown_time=true -link.target = blank -link.method = get - -[workbench_panel_get_all_aws_activity_from_ip_address___response_task] -label = Workbench - Get All AWS Activity From IP Address -type = link -fields = src_ip -display_location = field_menu -link.uri = /app/$@namespace$/ess_workbench_panel?type_asset=$@field_value$&panel=workbench_panel_get_all_aws_activity_from_ip_address___response_task&drilldown_field=$@field_name$&use_drilldown_time=true -link.target = blank -link.method = get - -[workbench_panel_get_all_aws_activity_from_region___response_task] -label = Workbench - Get All AWS Activity From Region -type = link -fields = Region -display_location = field_menu -link.uri = /app/$@namespace$/ess_workbench_panel?type_asset=$@field_value$&panel=workbench_panel_get_all_aws_activity_from_region___response_task&drilldown_field=$@field_name$&use_drilldown_time=true -link.target = blank -link.method = get - -[workbench_panel_get_backup_logs_for_endpoint___response_task] -label = Workbench - Get Backup Logs For Endpoint -type = link -fields = dest -display_location = field_menu -link.uri = /app/$@namespace$/ess_workbench_panel?type_asset=$@field_value$&panel=workbench_panel_get_backup_logs_for_endpoint___response_task&drilldown_field=$@field_name$&use_drilldown_time=true -link.target = blank -link.method = get - -[workbench_panel_get_certificate_logs_for_a_domain___response_task] -label = Workbench - Get Certificate logs for a domain -type = link -fields = domain -display_location = field_menu -link.uri = /app/$@namespace$/ess_workbench_panel?type_asset=$@field_value$&panel=workbench_panel_get_certificate_logs_for_a_domain___response_task&drilldown_field=$@field_name$&use_drilldown_time=true -link.target = blank -link.method = get - -[workbench_panel_get_dns_server_history_for_a_host___response_task] -label = Workbench - Get DNS Server History for a host -type = link -fields = src_ip -display_location = field_menu -link.uri = /app/$@namespace$/ess_workbench_panel?type_asset=$@field_value$&panel=workbench_panel_get_dns_server_history_for_a_host___response_task&drilldown_field=$@field_name$&use_drilldown_time=true -link.target = blank -link.method = get - -[workbench_panel_get_dns_traffic_ratio___response_task] -label = Workbench - Get DNS traffic ratio -type = link -fields = src_ip -display_location = field_menu -link.uri = /app/$@namespace$/ess_workbench_panel?type_asset=$@field_value$&panel=workbench_panel_get_dns_traffic_ratio___response_task&drilldown_field=$@field_name$&use_drilldown_time=true -link.target = blank -link.method = get - -[workbench_panel_get_ec2_instance_details_by_instanceid___response_task] -label = Workbench - Get EC2 Instance Details by instanceId -type = link -fields = instanceId -display_location = field_menu -link.uri = /app/$@namespace$/ess_workbench_panel?type_asset=$@field_value$&panel=workbench_panel_get_ec2_instance_details_by_instanceid___response_task&drilldown_field=$@field_name$&use_drilldown_time=true -link.target = blank -link.method = get - -[workbench_panel_get_ec2_launch_details___response_task] -label = Workbench - Get EC2 Launch Details -type = link -fields = dest -display_location = field_menu -link.uri = /app/$@namespace$/ess_workbench_panel?type_asset=$@field_value$&panel=workbench_panel_get_ec2_launch_details___response_task&drilldown_field=$@field_name$&use_drilldown_time=true -link.target = blank -link.method = get - -[workbench_panel_get_email_info___response_task] -label = Workbench - Get Email Info -type = link -fields = message_id -display_location = field_menu -link.uri = /app/$@namespace$/ess_workbench_panel?type_asset=$@field_value$&panel=workbench_panel_get_email_info___response_task&drilldown_field=$@field_name$&use_drilldown_time=true -link.target = blank -link.method = get - -[workbench_panel_get_emails_from_specific_sender___response_task] -label = Workbench - Get Emails From Specific Sender -type = link -fields = src_user -display_location = field_menu -link.uri = /app/$@namespace$/ess_workbench_panel?type_asset=$@field_value$&panel=workbench_panel_get_emails_from_specific_sender___response_task&drilldown_field=$@field_name$&use_drilldown_time=true -link.target = blank -link.method = get - -[workbench_panel_get_first_occurrence_and_last_occurrence_of_a_mac_address___response_task] -label = Workbench - Get First Occurrence and Last Occurrence of a MAC Address -type = link -fields = src_mac -display_location = field_menu -link.uri = /app/$@namespace$/ess_workbench_panel?type_asset=$@field_value$&panel=workbench_panel_get_first_occurrence_and_last_occurrence_of_a_mac_address___response_task&drilldown_field=$@field_name$&use_drilldown_time=true -link.target = blank -link.method = get - -[workbench_panel_get_history_of_email_sources___response_task] -label = Workbench - Get History Of Email Sources -type = link -fields = src -display_location = field_menu -link.uri = /app/$@namespace$/ess_workbench_panel?type_asset=$@field_value$&panel=workbench_panel_get_history_of_email_sources___response_task&drilldown_field=$@field_name$&use_drilldown_time=true -link.target = blank -link.method = get - -[workbench_panel_get_logon_rights_modifications_for_endpoint___response_task] -label = Workbench - Get Logon Rights Modifications For Endpoint -type = link -fields = dest -display_location = field_menu -link.uri = /app/$@namespace$/ess_workbench_panel?type_asset=$@field_value$&panel=workbench_panel_get_logon_rights_modifications_for_endpoint___response_task&drilldown_field=$@field_name$&use_drilldown_time=true -link.target = blank -link.method = get - -[workbench_panel_get_logon_rights_modifications_for_user___response_task] -label = Workbench - Get Logon Rights Modifications For User -type = link -fields = user -display_location = field_menu -link.uri = /app/$@namespace$/ess_workbench_panel?type_identity=$@field_value$&panel=workbench_panel_get_logon_rights_modifications_for_user___response_task&drilldown_field=$@field_name$&use_drilldown_time=true -link.target = blank -link.method = get - -[workbench_panel_get_notable_history___response_task] -label = Workbench - Get Notable History -type = link -fields = dest -display_location = field_menu -link.uri = /app/$@namespace$/ess_workbench_panel?type_asset=$@field_value$&panel=workbench_panel_get_notable_history___response_task&drilldown_field=$@field_name$&use_drilldown_time=true -link.target = blank -link.method = get - - - - - -[workbench_panel_get_process_responsible_for_the_dns_traffic___response_task] -label = Workbench - Get Process Responsible For The DNS Traffic -type = link -fields = dest -display_location = field_menu -link.uri = /app/$@namespace$/ess_workbench_panel?type_asset=$@field_value$&panel=workbench_panel_get_process_responsible_for_the_dns_traffic___response_task&drilldown_field=$@field_name$&use_drilldown_time=true -link.target = blank -link.method = get - -[workbench_panel_get_sysmon_wmi_activity_for_host___response_task] -label = Workbench - Get Sysmon WMI Activity for Host -type = link -fields = dest -display_location = field_menu -link.uri = /app/$@namespace$/ess_workbench_panel?type_asset=$@field_value$&panel=workbench_panel_get_sysmon_wmi_activity_for_host___response_task&drilldown_field=$@field_name$&use_drilldown_time=true -link.target = blank -link.method = get - -[workbench_panel_get_web_session_information_via_session_id___response_task] -label = Workbench - Get Web Session Information via session id -type = link -fields = session_id -display_location = field_menu -link.uri = /app/$@namespace$/ess_workbench_panel?type_asset=$@field_value$&panel=workbench_panel_get_web_session_information_via_session_id___response_task&drilldown_field=$@field_name$&use_drilldown_time=true -link.target = blank -link.method = get - -[workbench_panel_investigate_aws_activities_via_region_name___response_task] -label = Workbench - Investigate AWS activities via region name -type = link -fields = vendor_region -display_location = field_menu -link.uri = /app/$@namespace$/ess_workbench_panel?type_asset=$@field_value$&panel=workbench_panel_investigate_aws_activities_via_region_name___response_task&drilldown_field=$@field_name$&use_drilldown_time=true -link.target = blank -link.method = get - -[workbench_panel_investigate_aws_user_activities_by_user_field___response_task] -label = Workbench - Investigate AWS User Activities by user field -type = link -fields = user -display_location = field_menu -link.uri = /app/$@namespace$/ess_workbench_panel?type_identity=$@field_value$&panel=workbench_panel_investigate_aws_user_activities_by_user_field___response_task&drilldown_field=$@field_name$&use_drilldown_time=true -link.target = blank -link.method = get - -[workbench_panel_investigate_failed_logins_for_multiple_destinations___response_task] -label = Workbench - Investigate Failed Logins for Multiple Destinations -type = link -fields = user -display_location = field_menu -link.uri = /app/$@namespace$/ess_workbench_panel?type_identity=$@field_value$&panel=workbench_panel_investigate_failed_logins_for_multiple_destinations___response_task&drilldown_field=$@field_name$&use_drilldown_time=true -link.target = blank -link.method = get - -[workbench_panel_investigate_network_traffic_from_src_ip___response_task] -label = Workbench - Investigate Network Traffic From src ip -type = link -fields = src_ip -display_location = field_menu -link.uri = /app/$@namespace$/ess_workbench_panel?type_asset=$@field_value$&panel=workbench_panel_investigate_network_traffic_from_src_ip___response_task&drilldown_field=$@field_name$&use_drilldown_time=true -link.target = blank -link.method = get - -[workbench_panel_investigate_okta_activity_by_app___response_task] -label = Workbench - Investigate Okta Activity by app -type = link -fields = app -display_location = field_menu -link.uri = /app/$@namespace$/ess_workbench_panel?type_asset=$@field_value$&panel=workbench_panel_investigate_okta_activity_by_app___response_task&drilldown_field=$@field_name$&use_drilldown_time=true -link.target = blank -link.method = get - -[workbench_panel_investigate_pass_the_hash_attempts___response_task] -label = Workbench - Investigate Pass the Hash Attempts -type = link -fields = dest -display_location = field_menu -link.uri = /app/$@namespace$/ess_workbench_panel?type_asset=$@field_value$&panel=workbench_panel_investigate_pass_the_hash_attempts___response_task&drilldown_field=$@field_name$&use_drilldown_time=true -link.target = blank -link.method = get - -[workbench_panel_investigate_pass_the_ticket_attempts___response_task] -label = Workbench - Investigate Pass the Ticket Attempts -type = link -fields = dest -display_location = field_menu -link.uri = /app/$@namespace$/ess_workbench_panel?type_asset=$@field_value$&panel=workbench_panel_investigate_pass_the_ticket_attempts___response_task&drilldown_field=$@field_name$&use_drilldown_time=true -link.target = blank -link.method = get - -[workbench_panel_investigate_previous_unseen_user___response_task] -label = Workbench - Investigate Previous Unseen User -type = link -fields = dest -display_location = field_menu -link.uri = /app/$@namespace$/ess_workbench_panel?type_asset=$@field_value$&panel=workbench_panel_investigate_previous_unseen_user___response_task&drilldown_field=$@field_name$&use_drilldown_time=true -link.target = blank -link.method = get - -[workbench_panel_investigate_successful_remote_desktop_authentications___response_task] -label = Workbench - Investigate Successful Remote Desktop Authentications -type = link -fields = dest -display_location = field_menu -link.uri = /app/$@namespace$/ess_workbench_panel?type_asset=$@field_value$&panel=workbench_panel_investigate_successful_remote_desktop_authentications___response_task&drilldown_field=$@field_name$&use_drilldown_time=true -link.target = blank -link.method = get - - -[workbench_panel_investigate_user_activities_in_okta___response_task] -label = Workbench - Investigate User Activities In Okta -type = link -fields = user -display_location = field_menu -link.uri = /app/$@namespace$/ess_workbench_panel?type_identity=$@field_value$&panel=workbench_panel_investigate_user_activities_in_okta___response_task&drilldown_field=$@field_name$&use_drilldown_time=true -link.target = blank -link.method = get - -[workbench_panel_investigate_web_posts_from_src___response_task] -label = Workbench - Investigate Web POSTs From src -type = link -fields = src -display_location = field_menu -link.uri = /app/$@namespace$/ess_workbench_panel?type_asset=$@field_value$&panel=workbench_panel_investigate_web_posts_from_src___response_task&drilldown_field=$@field_name$&use_drilldown_time=true -link.target = blank -link.method = get - diff --git a/dist/DA-ESS-ContentUpdate/lookups/3cx_ioc_domains.csv b/dist/DA-ESS-ContentUpdate/lookups/3cx_ioc_domains.csv deleted file mode 100644 index ed1a5ec157..0000000000 --- a/dist/DA-ESS-ContentUpdate/lookups/3cx_ioc_domains.csv +++ /dev/null @@ -1,39 +0,0 @@ -domain,isIOC,Description -akamaicontainer.com,TRUE,https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/ -akamaitechcloudservices.com,TRUE,https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/ -azuredeploystore.com,TRUE,https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/ -azureonlinecloud.com,TRUE,https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/ -azureonlinestorage.com,TRUE,https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/ -dunamistrd.com,TRUE,https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/ -glcloudservice.com,TRUE,https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/ -journalide.org,TRUE,https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/ -msedgepackageinfo.com,TRUE,https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/ -msstorageazure.com,TRUE,https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/ -msstorageboxes.com,TRUE,https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/ -officeaddons.com,TRUE,https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/ -officestoragebox.com,TRUE,https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/ -pbxcloudeservices.com,TRUE,https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/ -pbxphonenetwork.com,TRUE,https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/ -pbxsources.com,TRUE,https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/ -qwepoi123098.com,TRUE,https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/ -sbmsa.wiki,TRUE,https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/ -sourceslabs.com,TRUE,https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/ -visualstudiofactory.com,TRUE,https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/ -zacharryblogs.com,TRUE,https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/ -www.3cx.com,TRUE,https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/ -akamaitechcloudservices.com,TRUE,https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/ -azureonlinestorage.com,TRUE,https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/ -msedgepackageinfo.com,TRUE,https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/ -glcloudservice.com,TRUE,https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/ -pbxsources.com,TRUE,https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/ -msstorageazure.com,TRUE,https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/ -officestoragebox.com,TRUE,https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/ -visualstudiofactory.com,TRUE,https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/ -azuredeploystore.com,TRUE,https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/ -msstorageboxes.com,TRUE,https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/ -officeaddons.com,TRUE,https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/ -sourceslabs.com,TRUE,https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/ -zacharryblogs.com,TRUE,https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/ -pbxcloudeservices.com,TRUE,https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/ -pbxphonenetwork.com,TRUE,https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/ -msedgeupdate.net,TRUE,https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/ \ No newline at end of file diff --git a/dist/DA-ESS-ContentUpdate/lookups/__mlspl_detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.mlmodel b/dist/DA-ESS-ContentUpdate/lookups/__mlspl_detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.mlmodel deleted file mode 100644 index 4d61fec35b..0000000000 --- a/dist/DA-ESS-ContentUpdate/lookups/__mlspl_detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.mlmodel +++ /dev/null @@ -1,2 +0,0 @@ -algo,model,options -MLTKContainer,"{""__mlspl_type"": [""mltkc.MLTKContainer"", ""MLTKContainer""], ""dict"": {""endpoint_url"": ""https://localhost:62645"", ""out_params"": {""params"": {""mode"": ""stage"", ""algo"": ""detect_dns_data_exfiltration_using_pretrained_model_in_dsdl""}, ""args"": [""is_exfiltration"", ""src"", ""query"", ""rank""], ""target_variable"": [""is_exfiltration""], ""feature_variables"": [""src"", ""query"", ""rank""], ""model_name"": ""detect_dns_data_exfiltration_using_pretrained_model_in_dsdl"", ""algo_name"": ""MLTKContainer"", ""mlspl_limits"": {""handle_new_cat"": ""default"", ""max_distinct_cat_values"": ""100"", ""max_distinct_cat_values_for_classifiers"": ""100"", ""max_distinct_cat_values_for_scoring"": ""100"", ""max_fit_time"": ""600"", ""max_inputs"": ""100000"", ""max_memory_usage_mb"": ""4000"", ""max_model_size_mb"": ""30"", ""max_score_time"": ""600"", ""use_sampling"": ""true""}, ""kfold_cv"": null}, ""feature_variables"": [""src"", ""query"", ""rank""], ""target_variable"": ""is_exfiltration""}}","{""params"": {""mode"": ""stage"", ""algo"": ""detect_dns_data_exfiltration_using_pretrained_model_in_dsdl""}, ""args"": [""is_exfiltration"", ""src"", ""query"", ""rank""], ""target_variable"": [""is_exfiltration""], ""feature_variables"": [""src"", ""query"", ""rank""], ""model_name"": ""detect_dns_data_exfiltration_using_pretrained_model_in_dsdl"", ""algo_name"": ""MLTKContainer"", ""mlspl_limits"": {""handle_new_cat"": ""default"", ""max_distinct_cat_values"": ""100"", ""max_distinct_cat_values_for_classifiers"": ""100"", ""max_distinct_cat_values_for_scoring"": ""100"", ""max_fit_time"": ""600"", ""max_inputs"": ""100000"", ""max_memory_usage_mb"": ""4000"", ""max_model_size_mb"": ""30"", ""max_score_time"": ""600"", ""use_sampling"": ""true""}, ""kfold_cv"": null}" diff --git a/dist/DA-ESS-ContentUpdate/lookups/__mlspl_detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.mlmodel b/dist/DA-ESS-ContentUpdate/lookups/__mlspl_detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.mlmodel deleted file mode 100644 index 5b3968aaba..0000000000 --- a/dist/DA-ESS-ContentUpdate/lookups/__mlspl_detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.mlmodel +++ /dev/null @@ -1,2 +0,0 @@ -algo,model,options -MLTKContainer,"{""__mlspl_type"": [""mltkc.MLTKContainer"", ""MLTKContainer""], ""dict"": {""endpoint_url"": ""https://localhost:54270"", ""out_params"": {""params"": {""mode"": ""stage"", ""algo"": ""detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl""}, ""args"": [""is_unknown"", ""text""], ""target_variable"": [""is_unknown""], ""feature_variables"": [""text""], ""model_name"": ""detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl"", ""algo_name"": ""MLTKContainer"", ""mlspl_limits"": {""handle_new_cat"": ""default"", ""max_distinct_cat_values"": ""100"", ""max_distinct_cat_values_for_classifiers"": ""100"", ""max_distinct_cat_values_for_scoring"": ""100"", ""max_fit_time"": ""600"", ""max_inputs"": ""100000"", ""max_memory_usage_mb"": ""4000"", ""max_model_size_mb"": ""30"", ""max_score_time"": ""600"", ""use_sampling"": ""true""}, ""kfold_cv"": null}, ""feature_variables"": [""text""], ""target_variable"": ""is_unknown""}}","{""params"": {""mode"": ""stage"", ""algo"": ""detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl""}, ""args"": [""is_unknown"", ""text""], ""target_variable"": [""is_unknown""], ""feature_variables"": [""text""], ""model_name"": ""detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl"", ""algo_name"": ""MLTKContainer"", ""mlspl_limits"": {""handle_new_cat"": ""default"", ""max_distinct_cat_values"": ""100"", ""max_distinct_cat_values_for_classifiers"": ""100"", ""max_distinct_cat_values_for_scoring"": ""100"", ""max_fit_time"": ""600"", ""max_inputs"": ""100000"", ""max_memory_usage_mb"": ""4000"", ""max_model_size_mb"": ""30"", ""max_score_time"": ""600"", ""use_sampling"": ""true""}, ""kfold_cv"": null}" diff --git a/dist/DA-ESS-ContentUpdate/lookups/__mlspl_detect_suspicious_processnames_using_pretrained_model_in_dsdl.mlmodel b/dist/DA-ESS-ContentUpdate/lookups/__mlspl_detect_suspicious_processnames_using_pretrained_model_in_dsdl.mlmodel deleted file mode 100644 index 7adfaa2dee..0000000000 --- a/dist/DA-ESS-ContentUpdate/lookups/__mlspl_detect_suspicious_processnames_using_pretrained_model_in_dsdl.mlmodel +++ /dev/null @@ -1,2 +0,0 @@ -algo,model,options -MLTKContainer,"{""__mlspl_type"": [""mltkc.MLTKContainer"", ""MLTKContainer""], ""dict"": {""endpoint_url"": ""https://localhost:58216"", ""out_params"": {""params"": {""mode"": ""stage"", ""algo"": ""detect_suspicious_processnames_using_pretrained_model_in_dsdl""}, ""args"": [""label"", ""text""], ""target_variable"": [""label""], ""feature_variables"": [""text""], ""model_name"": ""detect_suspicious_processnames_using_pretrained_model_in_dsdl"", ""algo_name"": ""MLTKContainer"", ""mlspl_limits"": {""handle_new_cat"": ""default"", ""max_distinct_cat_values"": ""100"", ""max_distinct_cat_values_for_classifiers"": ""100"", ""max_distinct_cat_values_for_scoring"": ""100"", ""max_fit_time"": ""600"", ""max_inputs"": ""100000"", ""max_memory_usage_mb"": ""4000"", ""max_model_size_mb"": ""30"", ""max_score_time"": ""600"", ""use_sampling"": ""true""}, ""kfold_cv"": null}, ""feature_variables"": [""text""], ""target_variable"": ""label""}}","{""params"": {""mode"": ""stage"", ""algo"": ""detect_suspicious_processnames_using_pretrained_model_in_dsdl""}, ""args"": [""label"", ""text""], ""target_variable"": [""label""], ""feature_variables"": [""text""], ""model_name"": ""detect_suspicious_processnames_using_pretrained_model_in_dsdl"", ""algo_name"": ""MLTKContainer"", ""mlspl_limits"": {""handle_new_cat"": ""default"", ""max_distinct_cat_values"": ""100"", ""max_distinct_cat_values_for_classifiers"": ""100"", ""max_distinct_cat_values_for_scoring"": ""100"", ""max_fit_time"": ""600"", ""max_inputs"": ""100000"", ""max_memory_usage_mb"": ""4000"", ""max_model_size_mb"": ""30"", ""max_score_time"": ""600"", ""use_sampling"": ""true""}, ""kfold_cv"": null}" diff --git a/dist/DA-ESS-ContentUpdate/lookups/__mlspl_pretrained_dga_model_dsdl.mlmodel b/dist/DA-ESS-ContentUpdate/lookups/__mlspl_pretrained_dga_model_dsdl.mlmodel deleted file mode 100644 index 3e27dc8bd8..0000000000 --- a/dist/DA-ESS-ContentUpdate/lookups/__mlspl_pretrained_dga_model_dsdl.mlmodel +++ /dev/null @@ -1,2 +0,0 @@ -algo,model,options -MLTKContainer,"{""__mlspl_type"": [""mltkc.MLTKContainer"", ""MLTKContainer""], ""dict"": {""endpoint_url"": ""https://localhost:53378"", ""out_params"": {""params"": {""mode"": ""stage"", ""algo"": ""pretrained_dga_model_dsdl""}, ""args"": [""is_dga"", ""domain""], ""target_variable"": [""is_dga""], ""feature_variables"": [""domain""], ""model_name"": ""pretrained_dga_model_dsdl"", ""algo_name"": ""MLTKContainer"", ""mlspl_limits"": {""handle_new_cat"": ""default"", ""max_distinct_cat_values"": ""100"", ""max_distinct_cat_values_for_classifiers"": ""100"", ""max_distinct_cat_values_for_scoring"": ""100"", ""max_fit_time"": ""600"", ""max_inputs"": ""100000"", ""max_memory_usage_mb"": ""4000"", ""max_model_size_mb"": ""30"", ""max_score_time"": ""600"", ""use_sampling"": ""true""}, ""kfold_cv"": null}, ""feature_variables"": [""domain""], ""target_variable"": ""is_dga""}}","{""params"": {""mode"": ""stage"", ""algo"": ""pretrained_dga_model_dsdl""}, ""args"": [""is_dga"", ""domain""], ""target_variable"": [""is_dga""], ""feature_variables"": [""domain""], ""model_name"": ""pretrained_dga_model_dsdl"", ""algo_name"": ""MLTKContainer"", ""mlspl_limits"": {""handle_new_cat"": ""default"", ""max_distinct_cat_values"": ""100"", ""max_distinct_cat_values_for_classifiers"": ""100"", ""max_distinct_cat_values_for_scoring"": ""100"", ""max_fit_time"": ""600"", ""max_inputs"": ""100000"", ""max_memory_usage_mb"": ""4000"", ""max_model_size_mb"": ""30"", ""max_score_time"": ""600"", ""use_sampling"": ""true""}, ""kfold_cv"": null}" diff --git a/dist/DA-ESS-ContentUpdate/lookups/__mlspl_risky_spl_pre_trained_model.mlmodel b/dist/DA-ESS-ContentUpdate/lookups/__mlspl_risky_spl_pre_trained_model.mlmodel deleted file mode 100644 index 5aa2f7fd9c..0000000000 --- a/dist/DA-ESS-ContentUpdate/lookups/__mlspl_risky_spl_pre_trained_model.mlmodel +++ /dev/null @@ -1,2 +0,0 @@ -algo,model,options -DetectRiskySPL,"{""__mlspl_type"": [""algos.DetectRiskySPL"", ""DetectRiskySPL""], ""dict"": {""classes"": null, ""target_variable"": [""risk_score""], ""feature_variables"": [""spl_text""], ""columns"": [""spl_text""], ""estimator"": {""__mlspl_type"": [""sklearn.pipeline"", ""Pipeline""], ""dict"": {""steps"": [[""features"", {""__mlspl_type"": [""sklearn.feature_extraction.text"", ""CountVectorizer""], ""dict"": {""input"": ""content"", ""encoding"": ""utf-8"", ""decode_error"": ""strict"", ""strip_accents"": null, ""preprocessor"": null, ""tokenizer"": null, ""analyzer"": ""word"", ""lowercase"": true, ""token_pattern"": "" collect | delete | fit | outputcsv | outputlookup |adhoc| sendalert | sendemail |splunk\\-system\\-user| tscollect | run | script | runshellscript "", ""stop_words"": null, ""max_df"": 1.0, ""min_df"": 1, ""max_features"": null, ""ngram_range"": [1, 1], ""vocabulary"": null, ""binary"": false, ""dtype"": {""__mlspl_type"": [""builtins"", ""type""], ""type"": [""numpy"", ""int64""]}, ""fixed_vocabulary_"": false, ""_stop_words_id"": 94300723879360, ""stop_words_"": {""__mlspl_type"": [""builtins"", ""set""], ""set"": []}, ""vocabulary_"": {""splunk-system-user"": 12, "" delete "": 1, ""adhoc"": 11, "" outputlookup "": 4, "" script "": 7, "" run "": 5, "" collect "": 0, "" sendemail "": 9, "" sendalert "": 8, "" outputcsv "": 3, "" fit "": 2, "" runshellscript "": 6, "" tscollect "": 10}}}], [""predictor"", {""__mlspl_type"": [""sklearn.linear_model._logistic"", ""LogisticRegression""], ""dict"": {""penalty"": ""l2"", ""dual"": false, ""tol"": 0.0001, ""C"": 1.0, ""fit_intercept"": true, ""intercept_scaling"": 1, ""class_weight"": {""0"": 1, ""1"": 10}, ""random_state"": null, ""solver"": ""liblinear"", ""max_iter"": 100, ""multi_class"": ""auto"", ""verbose"": 0, ""warm_start"": false, ""n_jobs"": null, ""l1_ratio"": null, ""n_features_in_"": 13, ""classes_"": {""__mlspl_type"": [""numpy"", ""ndarray""], ""npy"": ""k05VTVBZAQB2AHsnZGVzY3InOiAnPGk4JywgJ2ZvcnRyYW5fb3JkZXInOiBGYWxzZSwgJ3NoYXBlJzogKDIsKSwgfSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIAoAAAAAAAAAAAEAAAAAAAAA""}, ""coef_"": {""__mlspl_type"": [""numpy"", ""ndarray""], ""npy"": ""k05VTVBZAQB2AHsnZGVzY3InOiAnPGY4JywgJ2ZvcnRyYW5fb3JkZXInOiBGYWxzZSwgJ3NoYXBlJzogKDEsIDEzKSwgfSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIAqulbT8VG8TQJU6VfC9QuY/kCCmapJVFUDQl14TS2ApPw5vYc32jBxAxVuQ3Sv35D8Y+azG/kDmP9vpUE0rTwlALsMVcoUGE0ASjjFaKyMaQA2zZ/yMQRZAQLZHc97OHEAfrzTDBGwSwA==""}, ""intercept_"": {""__mlspl_type"": [""numpy"", ""ndarray""], ""npy"": ""k05VTVBZAQB2AHsnZGVzY3InOiAnPGY4JywgJ2ZvcnRyYW5fb3JkZXInOiBGYWxzZSwgJ3NoYXBlJzogKDEsKSwgfSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIAqBnhyKtBckwA==""}, ""n_iter_"": {""__mlspl_type"": [""numpy"", ""ndarray""], ""npy"": ""k05VTVBZAQB2AHsnZGVzY3InOiAnPGk0JywgJ2ZvcnRyYW5fb3JkZXInOiBGYWxzZSwgJ3NoYXBlJzogKDEsKSwgfSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIAoLAAAA""}}}]], ""memory"": null, ""verbose"": false}}}}","{""args"": [""risk_score"", ""spl_text""], ""target_variable"": [""risk_score""], ""feature_variables"": [""spl_text""], ""model_name"": ""risky_spl_pre_trained_model"", ""algo_name"": ""LogisticRegression"", ""mlspl_limits"": {""handle_new_cat"": ""default"", ""max_distinct_cat_values"": ""100"", ""max_distinct_cat_values_for_classifiers"": ""100"", ""max_distinct_cat_values_for_scoring"": ""100"", ""max_fit_time"": ""600"", ""max_inputs"": ""100000"", ""max_memory_usage_mb"": ""1024"", ""max_model_size_mb"": ""15"", ""max_score_time"": ""600"", ""streaming_apply"": ""false"", ""use_sampling"": ""true""}, ""kfold_cv"": null}" diff --git a/dist/DA-ESS-ContentUpdate/lookups/__mlspl_unusual_commandline_detection.mlmodel b/dist/DA-ESS-ContentUpdate/lookups/__mlspl_unusual_commandline_detection.mlmodel deleted file mode 100644 index e214415ae0..0000000000 --- a/dist/DA-ESS-ContentUpdate/lookups/__mlspl_unusual_commandline_detection.mlmodel +++ /dev/null @@ -1,2 +0,0 @@ -algo,model,options -LinearRegression,"{""__mlspl_type"": [""algos.LinearRegression"", ""LinearRegression""], ""dict"": {""estimator"": {""__mlspl_type"": [""sklearn.linear_model._base"", ""LinearRegression""], ""dict"": {""fit_intercept"": true, ""normalize"": false, ""copy_X"": true, ""n_jobs"": null, ""intercept_"": -1.2124304031951825, ""coef_"": {""__mlspl_type"": [""numpy"", ""ndarray""], ""npy"": ""k05VTVBZAQB2AHsnZGVzY3InOiAnPGY4JywgJ2ZvcnRyYW5fb3JkZXInOiBGYWxzZSwgJ3NoYXBlJzogKDM2LCksIH0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIApreM9kKtnhP0TDf2w1t+I/3qDHjxK61j8UkPlxGST1v/rMDbO+a8e/iv8JpC2l5T+6dz+pdS3nP0mN7wQ8eO0/UqU3sakDyD9ncnkR3LHzP/6iGnNrQO2/z3R1+fFX9D/5ZfOERzTQv+rvqnTxzfO/979MJJkR378n6CfDQdDYP2XRpM7gmNi/pOwWahfc5j+sabiuJ0vyv8l3R09uZf+/tJflJH4LC0AXzFbk2d7RP61rdIKV+AHAtoJRDnX89b8AAAAAAAAAAHjIjMQz+ec/tHGBbk/z8r8epfEwzMwNwFdDZaNuDOI/9b/zguLg5z/5me57PV71vy3iI7chKeg/aPI+jdvl6z94yIzEM/nnP1kSQcEw/NE/TItteBKa4T8=""}}}, ""columns"": [""unusual_cmdline_feature_for"", ""unusual_cmdline_feature_netsh"", ""unusual_cmdline_feature_readbytes"", ""unusual_cmdline_feature_set"", ""unusual_cmdline_feature_unrestricted"", ""unusual_cmdline_feature_winstations"", ""unusual_cmdline_feature_-value"", ""unusual_cmdline_feature_compression"", ""unusual_cmdline_feature_server"", ""unusual_cmdline_feature_set-mppreference"", ""unusual_cmdline_feature_terminal"", ""unusual_cmdline_feature_-name"", ""unusual_cmdline_feature_catch"", ""unusual_cmdline_feature_get-wmiobject"", ""unusual_cmdline_feature_hklm"", ""unusual_cmdline_feature_streamreader"", ""unusual_cmdline_feature_system32"", ""unusual_cmdline_feature_username"", ""unusual_cmdline_feature_webrequest"", ""unusual_cmdline_feature_count"", ""unusual_cmdline_feature_webclient"", ""unusual_cmdline_feature_writeallbytes"", ""unusual_cmdline_feature_convert"", ""unusual_cmdline_feature_create"", ""unusual_cmdline_feature_function"", ""unusual_cmdline_feature_net"", ""unusual_cmdline_feature_com"", ""unusual_cmdline_feature_http"", ""unusual_cmdline_feature_io"", ""unusual_cmdline_feature_system"", ""unusual_cmdline_feature_new-object"", ""unusual_cmdline_feature_if"", ""unusual_cmdline_feature_threading"", ""unusual_cmdline_feature_mutex"", ""unusual_cmdline_feature_cryptography"", ""unusual_cmdline_feature_computehash""], ""target_variable"": ""unusual_cmdline_logits"", ""feature_variables"": [""unusual_cmdline_feature_for"", ""unusual_cmdline_feature_netsh"", ""unusual_cmdline_feature_readbytes"", ""unusual_cmdline_feature_set"", ""unusual_cmdline_feature_unrestricted"", ""unusual_cmdline_feature_winstations"", ""unusual_cmdline_feature_-value"", ""unusual_cmdline_feature_compression"", ""unusual_cmdline_feature_server"", ""unusual_cmdline_feature_set-mppreference"", ""unusual_cmdline_feature_terminal"", ""unusual_cmdline_feature_-name"", ""unusual_cmdline_feature_catch"", ""unusual_cmdline_feature_get-wmiobject"", ""unusual_cmdline_feature_hklm"", ""unusual_cmdline_feature_streamreader"", ""unusual_cmdline_feature_system32"", ""unusual_cmdline_feature_username"", ""unusual_cmdline_feature_webrequest"", ""unusual_cmdline_feature_count"", ""unusual_cmdline_feature_webclient"", ""unusual_cmdline_feature_writeallbytes"", ""unusual_cmdline_feature_convert"", ""unusual_cmdline_feature_create"", ""unusual_cmdline_feature_function"", ""unusual_cmdline_feature_net"", ""unusual_cmdline_feature_com"", ""unusual_cmdline_feature_http"", ""unusual_cmdline_feature_io"", ""unusual_cmdline_feature_system"", ""unusual_cmdline_feature_new-object"", ""unusual_cmdline_feature_if"", ""unusual_cmdline_feature_threading"", ""unusual_cmdline_feature_mutex"", ""unusual_cmdline_feature_cryptography"", ""unusual_cmdline_feature_computehash""]}}","{""args"": [""unusual_cmdline_logits"", ""unusual_cmdline_feature_for"", ""unusual_cmdline_feature_netsh"", ""unusual_cmdline_feature_readbytes"", ""unusual_cmdline_feature_set"", ""unusual_cmdline_feature_unrestricted"", ""unusual_cmdline_feature_winstations"", ""unusual_cmdline_feature_-value"", ""unusual_cmdline_feature_compression"", ""unusual_cmdline_feature_server"", ""unusual_cmdline_feature_set-mppreference"", ""unusual_cmdline_feature_terminal"", ""unusual_cmdline_feature_-name"", ""unusual_cmdline_feature_catch"", ""unusual_cmdline_feature_get-wmiobject"", ""unusual_cmdline_feature_hklm"", ""unusual_cmdline_feature_streamreader"", ""unusual_cmdline_feature_system32"", ""unusual_cmdline_feature_username"", ""unusual_cmdline_feature_webrequest"", ""unusual_cmdline_feature_count"", ""unusual_cmdline_feature_webclient"", ""unusual_cmdline_feature_writeallbytes"", ""unusual_cmdline_feature_convert"", ""unusual_cmdline_feature_create"", ""unusual_cmdline_feature_function"", ""unusual_cmdline_feature_net"", ""unusual_cmdline_feature_com"", ""unusual_cmdline_feature_http"", ""unusual_cmdline_feature_io"", ""unusual_cmdline_feature_system"", ""unusual_cmdline_feature_new-object"", ""unusual_cmdline_feature_if"", ""unusual_cmdline_feature_threading"", ""unusual_cmdline_feature_mutex"", ""unusual_cmdline_feature_cryptography"", ""unusual_cmdline_feature_computehash""], ""target_variable"": [""unusual_cmdline_logits""], ""feature_variables"": [""unusual_cmdline_feature_for"", ""unusual_cmdline_feature_netsh"", ""unusual_cmdline_feature_readbytes"", ""unusual_cmdline_feature_set"", ""unusual_cmdline_feature_unrestricted"", ""unusual_cmdline_feature_winstations"", ""unusual_cmdline_feature_-value"", ""unusual_cmdline_feature_compression"", ""unusual_cmdline_feature_server"", ""unusual_cmdline_feature_set-mppreference"", ""unusual_cmdline_feature_terminal"", ""unusual_cmdline_feature_-name"", ""unusual_cmdline_feature_catch"", ""unusual_cmdline_feature_get-wmiobject"", ""unusual_cmdline_feature_hklm"", ""unusual_cmdline_feature_streamreader"", ""unusual_cmdline_feature_system32"", ""unusual_cmdline_feature_username"", ""unusual_cmdline_feature_webrequest"", ""unusual_cmdline_feature_count"", ""unusual_cmdline_feature_webclient"", ""unusual_cmdline_feature_writeallbytes"", ""unusual_cmdline_feature_convert"", ""unusual_cmdline_feature_create"", ""unusual_cmdline_feature_function"", ""unusual_cmdline_feature_net"", ""unusual_cmdline_feature_com"", ""unusual_cmdline_feature_http"", ""unusual_cmdline_feature_io"", ""unusual_cmdline_feature_system"", ""unusual_cmdline_feature_new-object"", ""unusual_cmdline_feature_if"", ""unusual_cmdline_feature_threading"", ""unusual_cmdline_feature_mutex"", ""unusual_cmdline_feature_cryptography"", ""unusual_cmdline_feature_computehash""], ""model_name"": ""lm_avg_char_prob"", ""algo_name"": ""LinearRegression"", ""mlspl_limits"": {""handle_new_cat"": ""default"", ""max_distinct_cat_values"": ""100"", ""max_distinct_cat_values_for_classifiers"": ""100"", ""max_distinct_cat_values_for_scoring"": ""100"", ""max_fit_time"": ""600"", ""max_inputs"": ""100000"", ""max_memory_usage_mb"": ""1000"", ""max_model_size_mb"": ""15"", ""max_score_time"": ""600"", ""streaming_apply"": ""false"", ""use_sampling"": ""true""}, ""kfold_cv"": null}" diff --git a/dist/DA-ESS-ContentUpdate/lookups/advanced_audit_policy_guids.csv b/dist/DA-ESS-ContentUpdate/lookups/advanced_audit_policy_guids.csv deleted file mode 100644 index 646c8914a8..0000000000 --- a/dist/DA-ESS-ContentUpdate/lookups/advanced_audit_policy_guids.csv +++ /dev/null @@ -1,69 +0,0 @@ -Category,SubCategory,GUID -System,,{69979848-797A-11D9-BED3-505054503030} -System,Security State Change,{0CCE9210-69AE-11D9-BED3-505054503030} -System,Security System Extension,{0CCE9211-69AE-11D9-BED3-505054503030} -System,System Integrity,{0CCE9212-69AE-11D9-BED3-505054503030} -System,IPsec Driver,{0CCE9213-69AE-11D9-BED3-505054503030} -System,Other System Events,{0CCE9214-69AE-11D9-BED3-505054503030} -Logon/Logoff,,{69979849-797A-11D9-BED3-505054503030} -Logon/Logoff,Logon,{0CCE9215-69AE-11D9-BED3-505054503030} -Logon/Logoff,Logoff,{0CCE9216-69AE-11D9-BED3-505054503030} -Logon/Logoff,Account Lockout,{0CCE9217-69AE-11D9-BED3-505054503030} -Logon/Logoff,IPsec Main Mode,{0CCE9218-69AE-11D9-BED3-505054503030} -Logon/Logoff,IPsec Quick Mode,{0CCE9219-69AE-11D9-BED3-505054503030} -Logon/Logoff,IPsec Extended Mode,{0CCE921A-69AE-11D9-BED3-505054503030} -Logon/Logoff,Special Logon,{0CCE921B-69AE-11D9-BED3-505054503030} -Logon/Logoff,Other Logon/Logoff Events,{0CCE921C-69AE-11D9-BED3-505054503030} -Logon/Logoff,Network Policy Server,{0CCE9243-69AE-11D9-BED3-505054503030} -Logon/Logoff,User / Device Claims,{0CCE9247-69AE-11D9-BED3-505054503030} -Logon/Logoff,Group Membership,{0CCE9249-69AE-11D9-BED3-505054503030} -Object Access,,{6997984A-797A-11D9-BED3-505054503030} -Object Access,File System,{0CCE921D-69AE-11D9-BED3-505054503030} -Object Access,Registry,{0CCE921E-69AE-11D9-BED3-505054503030} -Object Access,Kernel Object,{0CCE921F-69AE-11D9-BED3-505054503030} -Object Access,SAM,{0CCE9220-69AE-11D9-BED3-505054503030} -Object Access,Certification Services,{0CCE9221-69AE-11D9-BED3-505054503030} -Object Access,Application Generated,{0CCE9222-69AE-11D9-BED3-505054503030} -Object Access,Handle Manipulation,{0CCE9223-69AE-11D9-BED3-505054503030} -Object Access,File Share,{0CCE9224-69AE-11D9-BED3-505054503030} -Object Access,Filtering Platform Packet Drop,{0CCE9225-69AE-11D9-BED3-505054503030} -Object Access,Filtering Platform Connection,{0CCE9226-69AE-11D9-BED3-505054503030} -Object Access,Other Object Access Events,{0CCE9227-69AE-11D9-BED3-505054503030} -Object Access,Detailed File Share,{0CCE9244-69AE-11D9-BED3-505054503030} -Object Access,Removable Storage,{0CCE9245-69AE-11D9-BED3-505054503030} -Object Access,Central Policy Staging,{0CCE9246-69AE-11D9-BED3-505054503030} -Privilege Use,,{6997984B-797A-11D9-BED3-505054503030} -Privilege Use,Sensitive Privilege Use,{0CCE9228-69AE-11D9-BED3-505054503030} -Privilege Use,Non Sensitive Privilege Use,{0CCE9229-69AE-11D9-BED3-505054503030} -Privilege Use,Other Privilege Use Events,{0CCE922A-69AE-11D9-BED3-505054503030} -Detailed Tracking,,{6997984C-797A-11D9-BED3-505054503030} -Detailed Tracking,Process Creation,{0CCE922B-69AE-11D9-BED3-505054503030} -Detailed Tracking,Process Termination,{0CCE922C-69AE-11D9-BED3-505054503030} -Detailed Tracking,DPAPI Activity,{0CCE922D-69AE-11D9-BED3-505054503030} -Detailed Tracking,RPC Events,{0CCE922E-69AE-11D9-BED3-505054503030} -Detailed Tracking,Plug and Play Events,{0CCE9248-69AE-11D9-BED3-505054503030} -Detailed Tracking,Token Right Adjusted Events,{0CCE924A-69AE-11D9-BED3-505054503030} -Policy Change,,{6997984D-797A-11D9-BED3-505054503030} -Policy Change,Audit Policy Change,{0CCE922F-69AE-11D9-BED3-505054503030} -Policy Change,Authentication Policy Change,{0CCE9230-69AE-11D9-BED3-505054503030} -Policy Change,Authorization Policy Change,{0CCE9231-69AE-11D9-BED3-505054503030} -Policy Change,MPSSVC Rule-Level Policy Change,{0CCE9232-69AE-11D9-BED3-505054503030} -Policy Change,Filtering Platform Policy Change,{0CCE9233-69AE-11D9-BED3-505054503030} -Policy Change,Other Policy Change Events,{0CCE9234-69AE-11D9-BED3-505054503030} -Account Management,,{6997984E-797A-11D9-BED3-505054503030} -Account Management,User Account Management,{0CCE9235-69AE-11D9-BED3-505054503030} -Account Management,Computer Account Management,{0CCE9236-69AE-11D9-BED3-505054503030} -Account Management,Security Group Management,{0CCE9237-69AE-11D9-BED3-505054503030} -Account Management,Distribution Group Management,{0CCE9238-69AE-11D9-BED3-505054503030} -Account Management,Application Group Management,{0CCE9239-69AE-11D9-BED3-505054503030} -Account Management,Other Account Management Events,{0CCE923A-69AE-11D9-BED3-505054503030} -DS Access,,{6997984F-797A-11D9-BED3-505054503030} -DS Access,Directory Service Access,{0CCE923B-69AE-11D9-BED3-505054503030} -DS Access,Directory Service Changes,{0CCE923C-69AE-11D9-BED3-505054503030} -DS Access,Directory Service Replication,{0CCE923D-69AE-11D9-BED3-505054503030} -DS Access,Detailed Directory Service Replication,{0CCE923E-69AE-11D9-BED3-505054503030} -Account Logon,,{69979850-797A-11D9-BED3-505054503030} -Account Logon,Credential Validation,{0CCE923F-69AE-11D9-BED3-505054503030} -Account Logon,Kerberos Service Ticket Operations,{0CCE9240-69AE-11D9-BED3-505054503030} -Account Logon,Other Account Logon Events,{0CCE9241-69AE-11D9-BED3-505054503030} -Account Logon,Kerberos Authentication Service,{0CCE9242-69AE-11D9-BED3-505054503030} \ No newline at end of file diff --git a/dist/DA-ESS-ContentUpdate/lookups/applockereventcodes.csv b/dist/DA-ESS-ContentUpdate/lookups/applockereventcodes.csv deleted file mode 100644 index 1fa23f55b8..0000000000 --- a/dist/DA-ESS-ContentUpdate/lookups/applockereventcodes.csv +++ /dev/null @@ -1,30 +0,0 @@ -EventCode, Description -8000, AppID policy conversion failed. Status * <%1> * Indicates that the policy wasn't applied correctly to the computer. The status message is provided for troubleshooting purposes. -8001, The AppLocker policy was applied successfully to this computer. Indicates that the AppLocker policy was successfully applied to the computer. -8002, * * was allowed to run. Indicates an AppLocker rule allowed the .exe or .dll file. -8003, * * was allowed to run but would have been prevented from running if the AppLocker policy were enforced. Shown only when the Audit only enforcement mode is enabled. Indicates that the AppLocker policy would block the .exe or .dll file if the enforcement mode setting was Enforce rules. -8004, * * was prevented from running. AppLocker blocked the named EXE or DLL file. Shown only when the Enforce rules enforcement mode is enabled. -8005, * * was allowed to run. Indicates an AppLocker rule allowed the script or .msi file. -8006, * * was allowed to run but would have been prevented from running if the AppLocker policy were enforced. Shown only when the Audit only enforcement mode is enabled. Indicates that the AppLocker policy would block the script or .msi file if the Enforce rules enforcement mode was enabled. -8007, * * was prevented from running. AppLocker blocked the named Script or MSI. Shown only when the Enforce rules enforcement mode is enabled. -8008, * *: AppLocker component not available on this SKU. Indicates an edition of Windows that doesn't support AppLocker. -8020, * * was allowed to run. Added in Windows Server 2012 and Windows 8. -8021, * * was allowed to run but would have been prevented from running if the AppLocker policy were enforced. Added in Windows Server 2012 and Windows 8. -8022, * * was prevented from running. Added in Windows Server 2012 and Windows 8. -8023, * * was allowed to be installed. Added in Windows Server 2012 and Windows 8. -8024, * * was allowed to run but would have been prevented from running if the AppLocker policy were enforced. Added in Windows Server 2012 and Windows 8. -8025, * * was prevented from running. Added in Windows Server 2012 and Windows 8. -8027, No packaged apps can be executed while Exe rules are being enforced and no Packaged app rules have been configured. Added in Windows Server 2012 and Windows 8. -8028, * * was allowed to run but would have been prevented if the Config CI policy were enforced. Added in Windows Server 2016 and Windows 10. -8029, * * was prevented from running due to Config CI policy. Added in Windows Server 2016 and Windows 10. -8030, ManagedInstaller check SUCCEEDED during Appid verification of * Added in Windows Server 2016 and Windows 10. -8031, SmartlockerFilter detected file * being written by process * Added in Windows Server 2016 and Windows 10. -8032, ManagedInstaller check FAILED during Appid verification of * Added in Windows Server 2016 and Windows 10. -8033, ManagedInstaller check FAILED during Appid verification of * . Allowed to run due to Audit AppLocker Policy. Added in Windows Server 2016 and Windows 10. -8034, ManagedInstaller Script check FAILED during Appid verification of * Added in Windows Server 2016 and Windows 10. -8035, ManagedInstaller Script check SUCCEEDED during Appid verification of * Added in Windows Server 2016 and Windows 10. -8036, * was prevented from running due to Config CI policy Added in Windows Server 2016 and Windows 10. -8037, * passed Config CI policy and was allowed to run. Added in Windows Server 2016 and Windows 10. -8038, Publisher info: Subject: * Issuer: * Signature index * (* total) Added in Windows Server 2016 and Windows 10. -8039, Package family name * version * was allowed to install or update but would have been prevented if the Config CI policy Added in Windows Server 2016 and Windows 10. -8040, Package family name * version * was prevented from installing or updating due to Config CI policy Added in Windows Server 2016 and Windows 10. \ No newline at end of file diff --git a/dist/DA-ESS-ContentUpdate/lookups/asr_rules.csv b/dist/DA-ESS-ContentUpdate/lookups/asr_rules.csv deleted file mode 100644 index 2d234b187a..0000000000 --- a/dist/DA-ESS-ContentUpdate/lookups/asr_rules.csv +++ /dev/null @@ -1,18 +0,0 @@ -ID,ASR_Rule -56A863A9-875E-4185-98A7-B882C64B5CE5,Block abuse of exploited vulnerable signed drivers -7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C,Block Adobe Reader from creating child processes -D4F940AB-401B-4EFC-AADC-AD5F3C50688A,Block all Office applications from creating child processes -9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2,Block credential stealing from the Windows local security authority subsystem (lsass.exe) -BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550,Block executable content from email client and webmail -01443614-CD74-433A-B99E-2ECDC07BFC25,Block executable files from running unless they meet a prevalence - age - or trusted list criterion -5BEB7EFE-FD9A-4556-801D-275E5FFC04CC,Block execution of potentially obfuscated scripts -D3E037E1-3EB8-44C8-A917-57927947596D,Block JavaScript or VBScript from launching downloaded executable content -3B576869-A4EC-4529-8536-B80A7769E899,Block Office applications from creating executable content -75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84,Block Office applications from injecting code into other processes -26190899-1602-49E8-8B27-EB1D0A1CE869,Block Office communication application from creating child processes -E6DB77E5-3DF2-4CF1-B95A-636979351E5B,Block persistence through WMI event subscription -D1E49AAC-8F56-4280-B9BA-993A6D77406C,Block process creations originating from PSExec and WMI commands -B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4,Block untrusted and unsigned processes that run from USB -92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B,Block Win32 API calls from Office macros -C1DB55AB-C21A-4637-BB3F-A12568109D35,Use advanced protection against ransomware -A8F5898E-1DC8-49A9-9878-85004B8A61E6,Block Webshell creation for Servers \ No newline at end of file diff --git a/dist/DA-ESS-ContentUpdate/lookups/attacker_tools.csv b/dist/DA-ESS-ContentUpdate/lookups/attacker_tools.csv deleted file mode 100644 index 544285222c..0000000000 --- a/dist/DA-ESS-ContentUpdate/lookups/attacker_tools.csv +++ /dev/null @@ -1,31 +0,0 @@ -attacker_tool_names,description -remcom.exe,This process is an open source replacement to psexec and is not typically seen in an enterprise environment. -pwdump.exe,This process is associated with a tool used to dump password hashes on a Windows system. -pwdump2.exe,This process is associated with a tool used to dump password hashes on a Windows system. -nc.exe,This process is an open source tool used for network communications. -wce.exe,This process is associated with a tool used to dump hashes and execute pass-the-hash and pass-the-ticket attacks. -cain.exe,This process is associated with a tool used to collect user credentials and execute attacks. -nmap.exe,This process is an open source network mapping tool used to identify hosts and listening services on a network. -kidlogger.exe,This process is associated with a tool used to collect keyboard input on a host. -isass.exe,This process name is used by attackers to hide in plain sight and look like a legitimate Windows system process. -svch0st.exe,This process name is used by attackers to hide in plain sight and look like a legitimate Windows system process. -at.exe,This process is used to schedule other processes to run. schtasks.exe should be used instead as it provides more flexibility. -getmail.exe,This process is seen to be used by attackers to extract email files from host machines. -ntdll.exe,This process was identified as malicious by DHS Alert TA18-074A. -netpass.exe,This process was identified as malicious by DHS Alert TA18-201A and attackers use this tool to recover all network passwords stored on your system for the current logged-on user. -WebBrowserPassView.exe,This process was identified as malicious by DHS Alert TA18-201A and is used by attackers as a password recovery tool that reveals the passwords stored in Web Browsers. -OutlookAddressBookView.exe,This process was identified as malicious by DHS Alert TA18-201A and is used by attackers to steal the details of all recipients stored in the address books of Microsoft Outlook. -mailpv.exe,This process was identified by DHS Alert TA18-201A and attackers use this tool is a password-recovery tool that reveals the passwords and other account details from various email clients. -NLBrute.exe,A RDP brute force tool found in botnets for further expansion and and acquisition of targets. This process was identified in the SamSam Ransomware Campaign and attackers use this tool to brute force RDP instances with a range of commonly used passwords. -selfdel.exe,This executable was delivered in the SamSam Ransomware Campain and the attackers levereged this binary to delete its malicilous activities. -masscan.exe,This executable was delivered in the XMRig Crypto Miner -Massscan_GUI.exe,This executable was delivered in the XMRig Crypto Miner -KPortScan3.exe,This executable was delivered in the XMRig Crypto Miner and is commonly used by attackers to scan the internet -NLAChecker.exe,A scanner tool that checks for Windows hosts for Network Level Authentication. This tool allows attackers to detect Windows Servers with RDP without NLA enabled which facilitates the use of brute force non microsoft rdp tools or exploits -ns.exe,A commonly used tool used by attackers to scan and map file shares -SilverBullet.exe,Malware was discovered in our monitoring of honey pots that abuses this open source software for scanning and connecting to hosts. -kportscan3.exe, KPortScan 3.0 is a widely used port scanning tool on Hacking Forums to perform network scanning on the internal networks. -advanced_port_scanner.exe,Advanced Port Scanner is a free network scanner allowing you to quickly find open ports on network computers and retrieve versions of programs running on the detected ports. -mimikatz.exe,utility Mimikatz is an open-source application that allows users to view and save authentication credentials such as Kerberos tickets. -certify.exe,A tool used to enumerate and abuse misconfigurations in Active Directory Certificate Services (AD CS) -certipy.exe,A tool used to enumerate and abuse misconfigurations in Active Directory Certificate Services (AD CS) \ No newline at end of file diff --git a/dist/DA-ESS-ContentUpdate/lookups/aws_service_accounts.csv b/dist/DA-ESS-ContentUpdate/lookups/aws_service_accounts.csv deleted file mode 100644 index 29d7277364..0000000000 --- a/dist/DA-ESS-ContentUpdate/lookups/aws_service_accounts.csv +++ /dev/null @@ -1 +0,0 @@ -identity diff --git a/dist/DA-ESS-ContentUpdate/lookups/baseline_blocked_outbound_connections.csv b/dist/DA-ESS-ContentUpdate/lookups/baseline_blocked_outbound_connections.csv deleted file mode 100644 index da66bfd95c..0000000000 --- a/dist/DA-ESS-ContentUpdate/lookups/baseline_blocked_outbound_connections.csv +++ /dev/null @@ -1 +0,0 @@ -src_ip,numDataPoints,latestCount,avgBlockedConnections,stdevBlockedConnections \ No newline at end of file diff --git a/dist/DA-ESS-ContentUpdate/lookups/brand_monitoring.csv b/dist/DA-ESS-ContentUpdate/lookups/brand_monitoring.csv deleted file mode 100644 index 9ff708efd9..0000000000 --- a/dist/DA-ESS-ContentUpdate/lookups/brand_monitoring.csv +++ /dev/null @@ -1 +0,0 @@ -domain,domain_abuse diff --git a/dist/DA-ESS-ContentUpdate/lookups/browser_app_list.csv b/dist/DA-ESS-ContentUpdate/lookups/browser_app_list.csv deleted file mode 100644 index 03f7eb96a8..0000000000 --- a/dist/DA-ESS-ContentUpdate/lookups/browser_app_list.csv +++ /dev/null @@ -1,47 +0,0 @@ -browser_process_name,browser_object_path,isAllowed -"*Sputnik.exe","*Sputnik\Sputnik\User Data\Default\Login Data*", true -"*ChromePlus.exe","*MapleStudio\ChromePlus\User Data\Default\Login Data*", true -"*QIP Surf.exe","*QIP Surf\User Data\Default\Login Data*", true -"*BlackHawk.exe","*BlackHawk\User Data\Default\Login Data*", true -"*7Star.exe","*7Star\7Star\User Data\Default\Login Data*", true -"*Sleipnir5.exe","*Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer\Default\Login Data*", true -"*Citrio.exe","*CatalinaGroup\Citrio\User Data\Default\Login Data*", true -"*Chrome SxS.exe","*Google\Chrome SxS\User Data\Default\Login Data*", true -"*Chrome.exe","*Google\Chrome\User Data\Default\Login Data*", true -"*Coowon.exe","*Coowon\Coowon\User Data\Default\Login Data*", true -"*CocCocBrowser.exe","*CocCoc\Browser\User Data\Default\Login Data*", true -"*Uran.exe","*uCozMedia\Uran\User Data\Default\Login Data*", true -"*QQBrowser.exe","*Tencent\QQBrowser\User Data\Default\Login Data*", true -"*Orbitum.exe","*Orbitum\User Data\Default\Login Data*", true -"*Slimjet.exe","*Slimjet\User Data\Default\Login Data*", true -"*Iridium.exe","*Iridium\User Data\Default\Login Data*", true -"*Vivaldi.exe","*Vivaldi\User Data\Default\Login Data*", true -"*Chromium.exe","*Chromium\User Data\Default\Login Data*", true -"*GhostBrowser.exe","*GhostBrowser\User Data\Default\Login Data*", true -"*CentBrowser.exe","*CentBrowser\User Data\Default\Login Data*", true -"*Xvast.exe","*Xvast\User Data\Default\Login Data*", true -"*Chedot.exe","*Chedot\User Data\Default\Login Data*", true -"*SuperBird.exe","*SuperBird\User Data\Default\Login Data*", true -"*360Browser.exe","*360Browser\Browser\User Data\Default\Login Data*", true -"*360Chrome.exe","*360Chrome\Chrome\User Data\Default\Login Data*", true -"*dragon.exe","*Comodo\Dragon\User Data\Default\Login Data*", true -"*brave.exe","*BraveSoftware\Brave-Browser\User Data\Default\Login Data*", true -"*brave.exe","*BraveSoftware\Brave-Browser\User Data\Local State*", true -"*brave.exe","*BraveSoftware\Brave-Browser\User Data\Default*", true -"*torch.exe","*Torch\User Data\Default\Login Data*", true -"*UCBrowser.exe","*UCBrowser\User Data_i18n\Default\UC Login Data.18*", true -"*BliskBrowser.exe","*Blisk\User Data\Default\Login Data*", true -"*Epic Privacy Browser.exe","*Epic Privacy Browser\User Data\Default\Login Data*", true -"*nichrome.exe","*Nichrome\User Data\Default\Login Data*", true -"*AmigoBrowser.exe","*Amigo\User Data\Default\Login Data*", true -"*KometaBrowser.exe","*Kometa\User Data\Default\Login Data*", true -"*XpomBrowser.exe","*Xpom\User Data\Default\Login Data*", true -"*msedge.exe","*Microsoft\Edge\User Data\Default\Login Data*", true -"*LiebaoBrowser.exe","*Liebao7\User Data\Default\EncryptedStorage*", true -"*AvastBrowser.exe","*AVAST Software\Browser\User Data\Default\Login Data*", true -"*Kinza.exe","*Kinza\User Data\Default\Login Data*", true -"*seamonkey.exe","*Mozilla\SeaMonkey\Profiles\logins.json*", true -"*icedragon.exe","*Comodo\IceDragon\Profiles\logins.json*", true -"*cyberfox.exe","*8pecxstudios\Cyberfox\Profiles\logins.json*", true -"*SlimBrowser.exe","*FlashPeak\SlimBrowser\Profiles\logins.json*", true -"*palemoon.exe","*Moonchild Productions\Pale Moon\Profiles\logins.json*", true \ No newline at end of file diff --git a/dist/DA-ESS-ContentUpdate/lookups/char_conversion_matrix.csv b/dist/DA-ESS-ContentUpdate/lookups/char_conversion_matrix.csv deleted file mode 100644 index b102809604..0000000000 --- a/dist/DA-ESS-ContentUpdate/lookups/char_conversion_matrix.csv +++ /dev/null @@ -1,259 +0,0 @@ -"_mkv_child","_timediff",ascii,base64bin,base64char,bin,dec,hex -0,,":NUL:",000000,A,00000000,0,00 -1,,"",000001,B,00000001,1,01 -2,,"",000010,C,00000010,2,02 -3,,"",000011,D,00000011,3,03 -4,,"",000100,E,00000100,4,04 -5,,"",000101,F,00000101,5,05 -6,,"",000110,G,00000110,6,06 -7,,"",000111,H,00000111,7,07 -8,,"",001000,I,00001000,8,08 -9,," ",001001,J,00001001,9,09 -10,," -",001010,K,00001010,10,0A -11,," ",001011,L,00001011,11,0B -12,," ",001100,M,00001100,12,0C -13,,"",001101,N,00001101,13,0D -14,,"",001110,O,00001110,14,0E -15,,"",001111,P,00001111,15,0F -16,,"",010000,Q,00010000,16,10 -17,,"",010001,R,00010001,17,11 -18,,"",010010,S,00010010,18,12 -19,,"",010011,T,00010011,19,13 -20,,"",010100,U,00010100,20,14 -21,,"",010101,V,00010101,21,15 -22,,"",010110,W,00010110,22,16 -23,,"",010111,X,00010111,23,17 -24,,"",011000,Y,00011000,24,18 -25,,"",011001,Z,00011001,25,19 -26,,"",011010,a,00011010,26,1A -27,,"",011011,b,00011011,27,1B -28,,"",011100,c,00011100,28,1C -29,,"",011101,d,00011101,29,1D -30,,"",011110,e,00011110,30,1E -31,,"",011111,f,00011111,31,1F -32,,":SPACE:",100000,g,00100000,32,20 -33,,"!",100001,h,00100001,33,21 -34,,"""",100010,i,00100010,34,22 -35,,"#",100011,j,00100011,35,23 -36,,"$",100100,k,00100100,36,24 -37,,"%",100101,l,00100101,37,25 -38,,"&",100110,m,00100110,38,26 -39,,"'",100111,n,00100111,39,27 -40,,"(",101000,o,00101000,40,28 -41,,")",101001,p,00101001,41,29 -42,,"*",101010,q,00101010,42,2A -43,,"+",101011,r,00101011,43,2B -44,,",",101100,s,00101100,44,2C -45,,"-",101101,t,00101101,45,2D -46,,".",101110,u,00101110,46,2E -47,,"/",101111,v,00101111,47,2F -48,,0,110000,w,00110000,48,30 -49,,1,110001,x,00110001,49,31 -50,,2,110010,y,00110010,50,32 -51,,3,110011,z,00110011,51,33 -52,,4,110100,0,00110100,52,34 -53,,5,110101,1,00110101,53,35 -54,,6,110110,2,00110110,54,36 -55,,7,110111,3,00110111,55,37 -56,,8,111000,4,00111000,56,38 -57,,9,111001,5,00111001,57,39 -58,,":",111010,6,00111010,58,3A -59,,";",111011,7,00111011,59,3B -60,,"<",111100,8,00111100,60,3C -61,,"=",111101,9,00111101,61,3D -62,,">",111110,"+",00111110,62,3E -63,,"?",111111,"/",00111111,63,3F -64,,"@",,,01000000,64,40 -65,,A,,,01000001,65,41 -66,,B,,,01000010,66,42 -67,,C,,,01000011,67,43 -68,,D,,,01000100,68,44 -69,,E,,,01000101,69,45 -70,,F,,,01000110,70,46 -71,,G,,,01000111,71,47 -72,,H,,,01001000,72,48 -73,,I,,,01001001,73,49 -74,,J,,,01001010,74,4A -75,,K,,,01001011,75,4B -76,,L,,,01001100,76,4C -77,,M,,,01001101,77,4D -78,,N,,,01001110,78,4E -79,,O,,,01001111,79,4F -80,,P,,,01010000,80,50 -81,,Q,,,01010001,81,51 -82,,R,,,01010010,82,52 -83,,S,,,01010011,83,53 -84,,T,,,01010100,84,54 -85,,U,,,01010101,85,55 -86,,V,,,01010110,86,56 -87,,W,,,01010111,87,57 -88,,X,,,01011000,88,58 -89,,Y,,,01011001,89,59 -90,,Z,,,01011010,90,5A -91,,"[",,,01011011,91,5B -92,,"\",,,01011100,92,5C -93,,"]",,,01011101,93,5D -94,,"^",,,01011110,94,5E -95,,"_",,,01011111,95,5F -96,,"`",,,01100000,96,60 -97,,a,,,01100001,97,61 -98,,b,,,01100010,98,62 -99,,c,,,01100011,99,63 -100,,d,,,01100100,100,64 -101,,e,,,01100101,101,65 -102,,f,,,01100110,102,66 -103,,g,,,01100111,103,67 -104,,h,,,01101000,104,68 -105,,i,,,01101001,105,69 -106,,j,,,01101010,106,6A -107,,k,,,01101011,107,6B -108,,l,,,01101100,108,6C -109,,m,,,01101101,109,6D -110,,n,,,01101110,110,6E -111,,o,,,01101111,111,6F -112,,p,,,01110000,112,70 -113,,q,,,01110001,113,71 -114,,r,,,01110010,114,72 -115,,s,,,01110011,115,73 -116,,t,,,01110100,116,74 -117,,u,,,01110101,117,75 -118,,v,,,01110110,118,76 -119,,w,,,01110111,119,77 -120,,x,,,01111000,120,78 -121,,y,,,01111001,121,79 -122,,z,,,01111010,122,7A -123,,"{",,,01111011,123,7B -124,,"|",,,01111100,124,7C -125,,"}",,,01111101,125,7D -126,,"~",,,01111110,126,7E -127,,"",,,01111111,127,7F -128,,"€",,,10000000,128,80 -129,,"",,,10000001,129,81 -130,,"‚",,,10000010,130,82 -131,,"ƒ",,,10000011,131,83 -132,,"„",,,10000100,132,84 -133,,"…",,,10000101,133,85 -134,,"†",,,10000110,134,86 -135,,"‡",,,10000111,135,87 -136,,"ˆ",,,10001000,136,88 -137,,"‰",,,10001001,137,89 -138,,"Š",,,10001010,138,8A -139,,"‹",,,10001011,139,8B -140,,"Œ",,,10001100,140,8C -141,,"",,,10001101,141,8D -142,,"Ž",,,10001110,142,8E -143,,"",,,10001111,143,8F -144,,"",,,10010000,144,90 -145,,"‘",,,10010001,145,91 -146,,"’",,,10010010,146,92 -147,,"“",,,10010011,147,93 -148,,"”",,,10010100,148,94 -149,,"•",,,10010101,149,95 -150,,"–",,,10010110,150,96 -151,,"—",,,10010111,151,97 -152,,"˜",,,10011000,152,98 -153,,"™",,,10011001,153,99 -154,,"š",,,10011010,154,9A -155,,"›",,,10011011,155,9B -156,,"œ",,,10011100,156,9C -157,,"",,,10011101,157,9D -158,,"ž",,,10011110,158,9E -159,,"Ÿ",,,10011111,159,9F -160,," ",,,10100000,160,A0 -161,,"¡",,,10100001,161,A1 -162,,"¢",,,10100010,162,A2 -163,,"£",,,10100011,163,A3 -164,,"¤",,,10100100,164,A4 -165,,"¥",,,10100101,165,A5 -166,,"¦",,,10100110,166,A6 -167,,"§",,,10100111,167,A7 -168,,"¨",,,10101000,168,A8 -169,,"©",,,10101001,169,A9 -170,,"ª",,,10101010,170,AA -171,,"«",,,10101011,171,AB -172,,"¬",,,10101100,172,AC -173,,"­",,,10101101,173,AD -174,,"®",,,10101110,174,AE -175,,"¯",,,10101111,175,AF -176,,"°",,,10110000,176,B0 -177,,"±",,,10110001,177,B1 -178,,"²",,,10110010,178,B2 -179,,"³",,,10110011,179,B3 -180,,"´",,,10110100,180,B4 -181,,"µ",,,10110101,181,B5 -182,,"¶",,,10110110,182,B6 -183,,"·",,,10110111,183,B7 -184,,"¸",,,10111000,184,B8 -185,,"¹",,,10111001,185,B9 -186,,"º",,,10111010,186,BA -187,,"»",,,10111011,187,BB -188,,"¼",,,10111100,188,BC -189,,"½",,,10111101,189,BD -190,,"¾",,,10111110,190,BE -191,,"¿",,,10111111,191,BF -192,,"À",,,11000000,192,C0 -193,,"Á",,,11000001,193,C1 -194,,"Â",,,11000010,194,C2 -195,,"Ã",,,11000011,195,C3 -196,,"Ä",,,11000100,196,C4 -197,,"Å",,,11000101,197,C5 -198,,"Æ",,,11000110,198,C6 -199,,"Ç",,,11000111,199,C7 -200,,"È",,,11001000,200,C8 -201,,"É",,,11001001,201,C9 -202,,"Ê",,,11001010,202,CA -203,,"Ë",,,11001011,203,CB -204,,"Ì",,,11001100,204,CC -205,,"Í",,,11001101,205,CD -206,,"Î",,,11001110,206,CE -207,,"Ï",,,11001111,207,CF -208,,"Ð",,,11010000,208,D0 -209,,"Ñ",,,11010001,209,D1 -210,,"Ò",,,11010010,210,D2 -211,,"Ó",,,11010011,211,D3 -212,,"Ô",,,11010100,212,D4 -213,,"Õ",,,11010101,213,D5 -214,,"Ö",,,11010110,214,D6 -215,,"×",,,11010111,215,D7 -216,,"Ø",,,11011000,216,D8 -217,,"Ù",,,11011001,217,D9 -218,,"Ú",,,11011010,218,DA -219,,"Û",,,11011011,219,DB -220,,"Ü",,,11011100,220,DC -221,,"Ý",,,11011101,221,DD -222,,"Þ",,,11011110,222,DE -223,,"ß",,,11011111,223,DF -224,,"à",,,11100000,224,E0 -225,,"á",,,11100001,225,E1 -226,,"â",,,11100010,226,E2 -227,,"ã",,,11100011,227,E3 -228,,"ä",,,11100100,228,E4 -229,,"å",,,11100101,229,E5 -230,,"æ",,,11100110,230,E6 -231,,"ç",,,11100111,231,E7 -232,,"è",,,11101000,232,E8 -233,,"é",,,11101001,233,E9 -234,,"ê",,,11101010,234,EA -235,,"ë",,,11101011,235,EB -236,,"ì",,,11101100,236,EC -237,,"í",,,11101101,237,ED -238,,"î",,,11101110,238,EE -239,,"ï",,,11101111,239,EF -240,,"ð",,,11110000,240,F0 -241,,"ñ",,,11110001,241,F1 -242,,"ò",,,11110010,242,F2 -243,,"ó",,,11110011,243,F3 -244,,"ô",,,11110100,244,F4 -245,,"õ",,,11110101,245,F5 -246,,"ö",,,11110110,246,F6 -247,,"÷",,,11110111,247,F7 -248,,"ø",,,11111000,248,F8 -249,,"ù",,,11111001,249,F9 -250,,"ú",,,11111010,250,FA -251,,"û",,,11111011,251,FB -252,,"ü",,,11111100,252,FC -253,,"ý",,,11111101,253,FD -254,,"þ",,,11111110,254,FE -255,,"ÿ",,,11111111,255,FF -,,,000000,"=",,, \ No newline at end of file diff --git a/dist/DA-ESS-ContentUpdate/lookups/discovered_dns_records.csv b/dist/DA-ESS-ContentUpdate/lookups/discovered_dns_records.csv deleted file mode 100644 index 74b7ee36f5..0000000000 --- a/dist/DA-ESS-ContentUpdate/lookups/discovered_dns_records.csv +++ /dev/null @@ -1 +0,0 @@ -count,domain,type,query,answer \ No newline at end of file diff --git a/dist/DA-ESS-ContentUpdate/lookups/domain_admins.csv b/dist/DA-ESS-ContentUpdate/lookups/domain_admins.csv deleted file mode 100644 index 2f9ee7111c..0000000000 --- a/dist/DA-ESS-ContentUpdate/lookups/domain_admins.csv +++ /dev/null @@ -1,2 +0,0 @@ -username -Administrator \ No newline at end of file diff --git a/dist/DA-ESS-ContentUpdate/lookups/domains.csv b/dist/DA-ESS-ContentUpdate/lookups/domains.csv deleted file mode 100644 index be017ecb05..0000000000 --- a/dist/DA-ESS-ContentUpdate/lookups/domains.csv +++ /dev/null @@ -1 +0,0 @@ -domain,isValidDomain diff --git a/dist/DA-ESS-ContentUpdate/lookups/dynamic_dns_providers_default.csv b/dist/DA-ESS-ContentUpdate/lookups/dynamic_dns_providers_default.csv deleted file mode 100644 index 33eee3e0f0..0000000000 --- a/dist/DA-ESS-ContentUpdate/lookups/dynamic_dns_providers_default.csv +++ /dev/null @@ -1,91976 +0,0 @@ -dynamic_dns_domains, isDynDNS_default -*.3d-game.com*, True -*.4irc.com*, True -*.b0ne.com*, True -*.bbsindex.com*, True -*.chatnook.com*, True -*.darktech.org*, True -*.deaftone.com*, True -*.dtdns.net*, True -*.effers.com*, True -*.etowns.net*, True -*.etowns.org*, True -*.flnet.org*, True -*.gotgeeks.com*, True -*.scieron.com*, True -*.slyip.com*, True -*.slyip.net*, True -*.suroot.com*, True -*.dynu.com*, True -*.dynu.net*, True -*.freeddns.org*, True -*.at-band-camp.net*, True -*.barrel-of-knowledge.info*, True -*.barrell-of-knowledge.info*, True -*.better-than.tv*, True -*.blogdns.com*, True -*.blogdns.net*, True -*.blogdns.org*, True -*.blogsite.org*, True -*.boldlygoingnowhere.org*, True -*.broke-it.net*, True -*.buyshouses.net*, True -*.cechire.com*, True -*.dnsalias.com*, True -*.dnsalias.net*, True -*.dnsalias.org*, True -*.dnsdojo.com*, True -*.dnsdojo.net*, True -*.dnsdojo.org*, True -*.does-it.net*, True -*.doesntexist.com*, True -*.doesntexist.org*, True -*.dontexist.com*, True -*.dontexist.net*, True -*.dontexist.org*, True -*.doomdns.com*, True -*.doomdns.org*, True -*.dvrdns.org*, True -*.dyn-o-saur.com*, True -*.dynalias.com*, True -*.dynalias.net*, True -*.dynalias.org*, True -*.dynathome.net*, True -*.dyndns-at-home.com*, True -*.dyndns-at-work.com*, True -*.dyndns-blog.com*, True -*.dyndns-free.com*, True -*.dyndns-home.com*, True -*.dyndns-ip.com*, True -*.dyndns-mail.com*, True -*.dyndns-office.com*, True -*.dyndns-pics.com*, True -*.dyndns-remote.com*, True -*.dyndns-server.com*, True -*.dyndns-web.comdyndns-web.com*, True -*.dyndns-wiki.comdyndns-wiki.com*, True -*.dyndns-work.comdyndns-work.com*, True -*.dyndns.bizdyndns.biz*, True -*.dyndns.infodyndns.info*, True -*.dyndns.orgdyndns.org*, True -*.dyndns.tv*, True -*.dyndns.ws*, True -*.endofinternet.net*, True -*.endofinternet.org*, True -*.endoftheinternet.org*, True -*.est-a-la-maison.com*, True -*.est-a-la-masion.com*, True -*.est-le-patron.com*, True -*.est-mon-blogueur.com*, True -*.for-better.biz*, True -*.for-more.biz*, True -*.for-our.info*, True -*.for-some.biz*, True -*.for-the.biz*, True -*.forgot.her.name*, True -*.forgot.his.name*, True -*.from-ak.com*, True -*.from-al.com*, True -*.from-ar.com*, True -*.from-az.net*, True -*.from-ca.com*, True -*.from-co.net*, True -*.from-ct.com*, True -*.from-dc.com*, True -*.from-de.com*, True -*.from-fl.com*, True -*.from-ga.com*, True -*.from-hi.com*, True -*.from-ia.com*, True -*.from-id.com*, True -*.from-il.com*, True -*.from-in.com*, True -*.from-ks.com*, True -*.from-ky.com*, True -*.from-la.net*, True -*.from-ma.com*, True -*.from-md.com*, True -*.from-me.org*, True -*.from-mi.com*, True -*.from-mn.com*, True -*.from-mo.com*, True -*.from-ms.com*, True -*.from-mt.com*, True -*.from-nc.com*, True -*.from-nd.com*, True -*.from-ne.com*, True -*.from-nh.com*, True -*.from-nj.com*, True -*.from-nm.com*, True -*.from-nv.com*, True -*.from-ny.net*, True -*.from-oh.com*, True -*.from-ok.com*, True -*.from-or.com*, True -*.from-pa.com*, True -*.from-pr.com*, True -*.from-ri.com*, True -*.from-sc.com*, True -*.from-sd.com*, True -*.from-tn.com*, True -*.from-tx.com*, True -*.from-ut.com*, True -*.from-va.com*, True -*.from-vt.com*, True -*.from-wa.com*, True -*.from-wi.com*, True -*.from-wv.com*, True -*.from-wy.com*, True -*.ftpaccess.cc*, True -*.fuettertdasnetz.de*, True -*.game-host.org*, True -*.game-server.cc*, True -*.getmyip.com*, True -*.gets-it.net*, True -*.go.dyndns.org*, True -*.gotdns.com*, True -*.gotdns.org*, True -*.groks-the.info*, True -*.groks-this.info*, True -*.ham-radio-op.net*, True -*.here-for-more.info*, True -*.hobby-site.com*, True -*.hobby-site.org*, True -*.home.dyndns.org*, True -*.homedns.org*, True -*.homeftp.net*, True -*.homeftp.org*, True -*.homeip.net*, True -*.homelinux.com*, True -*.homelinux.net*, True -*.homelinux.org*, True -*.homeunix.com*, True -*.homeunix.net*, True -*.homeunix.org*, True -*.iamallama.com*, True -*.in-the-band.net*, True -*.is-a-anarchist.com*, True -*.is-a-blogger.com*, True -*.is-a-bookkeeper.com*, True -*.is-a-bruinsfan.org*, True -*.is-a-bulls-fan.com*, True -*.is-a-candidate.org*, True -*.is-a-caterer.com*, True -*.is-a-celticsfan.org*, True -*.is-a-chef.com*, True -*.is-a-chef.net*, True -*.is-a-chef.org*, True -*.is-a-conservative.com*, True -*.is-a-cpa.com*, True -*.is-a-cubicle-slave.com*, True -*.is-a-democrat.com*, True -*.is-a-designer.com*, True -*.is-a-doctor.com*, True -*.is-a-financialadvisor.com*, True -*.is-a-geek.com*, True -*.is-a-geek.net*, True -*.is-a-geek.org*, True -*.is-a-green.com*, True -*.is-a-guru.com*, True -*.is-a-hard-worker.com*, True -*.is-a-hunter.com*, True -*.is-a-knight.org*, True -*.is-a-landscaper.com*, True -*.is-a-lawyer.com*, True -*.is-a-liberal.com*, True -*.is-a-libertarian.com*, True -*.is-a-linux-user.org*, True -*.is-a-llama.com*, True -*.is-a-musician.com*, True -*.is-a-nascarfan.com*, True -*.is-a-nurse.com*, True -*.is-a-painter.com*, True -*.is-a-patsfan.org*, True -*.is-a-personaltrainer.com*, True -*.is-a-photographer.com*, True -*.is-a-player.com*, True -*.is-a-republican.com*, True -*.is-a-rockstar.com*, True -*.is-a-socialist.com*, True -*.is-a-soxfan.org*, True -*.is-a-student.com*, True -*.is-a-teacher.com*, True -*.is-a-techie.com*, True -*.is-a-therapist.com*, True -*.is-an-accountant.com*, True -*.is-an-actor.com*, True -*.is-an-actress.com*, True -*.is-an-anarchist.com*, True -*.is-an-artist.com*, True -*.is-an-engineer.com*, True -*.is-an-entertainer.com*, True -*.is-by.us*, True -*.is-certified.com*, True -*.is-found.org*, True -*.is-gone.com*, True -*.is-into-anime.com*, True -*.is-into-cars.com*, True -*.is-into-cartoons.com*, True -*.is-into-games.com*, True -*.is-leet.com*, True -*.is-lost.org*, True -*.is-not-certified.com*, True -*.is-saved.org*, True -*.is-slick.com*, True -*.is-uberleet.com*, True -*.is-very-bad.org*, True -*.is-very-evil.org*, True -*.is-very-good.org*, True -*.is-very-nice.org*, True -*.is-very-sweet.org*, True -*.is-with-theband.com*, True -*.isa-geek.com*, True -*.isa-geek.net*, True -*.isa-geek.org*, True -*.isa-hockeynut.com*, True -*.issmarterthanyou.com*, True -*.isteingeek.de*, True -*.istmein.de*, True -*.kicks-ass.net*, True -*.kicks-ass.org*, True -*.knowsitall.info*, True -*.land-4-sale.us*, True -*.lebtimnetz.de*, True -*.leitungsen.de*, True -*.likes-pie.com*, True -*.likescandy.com*, True -*.mine.nu*, True -*.misconfused.org*, True -*.mypets.ws*, True -*.myphotos.cc*, True -*.neat-url.com*, True -*.office-on-the.net*, True -*.on-the-web.tv*, True -*.podzone.net*, True -*.podzone.org*, True -*.readmyblog.org*, True -*.saves-the-whales.com*, True -*.scrapper-site.net*, True -*.scrapping.cc*, True -*.selfip.biz*, True -*.selfip.com*, True -*.selfip.info*, True -*.selfip.net*, True -*.selfip.org*, True -*.sells-for-less.com*, True -*.sells-for-u.com*, True -*.sells-it.net*, True -*.sellsyourhome.org*, True -*.servebbs.com*, True -*.servebbs.net*, True -*.servebbs.org*, True -*.serveftp.net*, True -*.serveftp.org*, True -*.servegame.org*, True -*.simple-url.com*, True -*.space-to-rent.com*, True -*.stuff-4-sale.org*, True -*.stuff-4-sale.us*, True -*.teaches-yoga.com*, True -*.thruhere.net*, True -*.traeumtgerade.de*, True -*.webhop.biz*, True -*.webhop.info*, True -*.webhop.net*, True -*.webhop.org*, True -*.worse-than.tv*, True -*.writesthisblog.com*, True -*.celltrak.mobi*, True -*.onionsallyear.mobi*, True -*.golffan.us*, True -*.dnsis.us*, True -*.global-instr.us*, True -*.knekhome.us*, True -*.atlantatruckdrivingschool.us*, True -*.upjumper.us*, True -*.noip.us*, True -*.zenergycounsel.us*, True -*.pointto.us*, True -*.msof.us*, True -*.stierwalt.us*, True -*.no-ip.us*, True -*.mithrandir.us*, True -*.noip.net*, True -*.drkosman.net*, True -*.peubarge.net*, True -*.mikecartwright.net*, True -*.mydelorean.net*, True -*.altblue.net*, True -*.coccimiglio.net*, True -*.ebenhardts.net*, True -*.n0job.net*, True -*.mypsx.net*, True -*.rtam.net*, True -*.krystlik.net*, True -*.redirectme.net*, True -*.bounceme.net*, True -*.privatizehealthinsurance.net*, True -*.myeffect.net*, True -*.mydissent.net*, True -*.olavsen.net*, True -*.essentialdigitalservices.net*, True -*.eating-organic.net*, True -*.mymediapc.net*, True -*.ascension-newage.net*, True -*.landomain.net*, True -*.dns-auth.net*, True -*.nhlfan.net*, True -*.pgafan.net*, True -*.as29997.net*, True -*.qcconline.net*, True -*.hayeshomeonline.net*, True -*.no-ip.net*, True -*.ascensionsounds.net*, True -*.ctproduction.net*, True -*.btvfc.net*, True -*.dcompsolutions.net*, True -*.xattam.net*, True -*.ddns.net*, True -*.skeim.net*, True -*.omicronceti3.net*, True -*.geepar.net*, True -*.serveblog.net*, True -*.f-parts.net*, True -*.mexsipel.net*, True -*.herodias.net*, True -*.brjlaw.net*, True -*.advtechpr.net*, True -*.noipdns.net*, True -*.dykw.org*, True -*.pciqub.org*, True -*.brweb.org*, True -*.coplien.org*, True -*.couchpotatofries.org*, True -*.dnsnew.org*, True -*.noipdns.org*, True -*.jvogt.org*, True -*.themcmillans.org*, True -*.no-ip.org*, True -*.linuxdigital.org*, True -*.nocturnalaviation.org*, True -*.myftp.org*, True -*.zapto.org*, True -*.leivo.org*, True -*.themabryfamily.org*, True -*.trantornet.org*, True -*.trailsendlodge.org*, True -*.glsmalaysia.org*, True -*.medecide.org*, True -*.hopto.org*, True -*.splc-bellville.org*, True -*.dvrhome.org*, True -*.sheatfish.org*, True -*.ufcfan.org*, True -*.b-studio.org*, True -*.enemykitchen.org*, True -*.mlbfan.org*, True -*.essentialdigitalservices.org*, True -*.jzen.org*, True -*.timedilationcopyrightextensionprevention.org*, True -*.vaitrt.org*, True -*.townsel.org*, True -*.cellimagingcore.org*, True -*.collegefan.org*, True -*.read-books.org*, True -*.reijn.org*, True -*.schoin.org*, True -*.phenixs.org*, True -*.nflfan.org*, True -*.networkfactory.org*, True -*.dmchub.org*, True -*.groundwerk.info*, True -*.mywebworld.info*, True -*.njkcs.info*, True -*.no-ip.info*, True -*.dvrcam.info*, True -*.drscare.info*, True -*.juhlin.info*, True -*.johnsonfamily-uk.info*, True -*.ilovecollege.info*, True -*.mcglone.info*, True -*.mortagne.info*, True -*.brhsbears.com*, True -*.conditsis.com*, True -*.piroge.com*, True -*.warp9computers.com*, True -*.charihoproducts.com*, True -*.flowergardendaycare.com*, True -*.maurinfor.com*, True -*.redundantdns.com*, True -*.comsui.com*, True -*.v13clan.com*, True -*.dynns.com*, True -*.gradebookmax.com*, True -*.partycenteronline.com*, True -*.georgescolliers.com*, True -*.fusselscobra.com*, True -*.ilangiu.com*, True -*.foroemprende.com*, True -*.e-romagnoli.com*, True -*.hokum-smack.com*, True -*.elaynah.com*, True -*.medittech.com*, True -*.gastright.com*, True -*.stemmetje.com*, True -*.ciscofreak.com*, True -*.securitytactics.com*, True -*.dns-auth.com*, True -*.panamaoinc.com*, True -*.donandvicki.com*, True -*.clarkmackay.com*, True -*.fullcyclesupport.com*, True -*.perezsecurity.com*, True -*.sharkltd.com*, True -*.tractionbil.com*, True -*.denalmachine.com*, True -*.burlingtondrywall.com*, True -*.cr-o2.com*, True -*.cirrusdns.com*, True -*.intpropint.com*, True -*.scottstreit.com*, True -*.peregrineair.com*, True -*.alpleisureoffice.com*, True -*.servehttp.com*, True -*.serveirc.com*, True -*.linuxdaves.com*, True -*.stughead.com*, True -*.midstatecomp.com*, True -*.sonnish.com*, True -*.thesemmels.com*, True -*.noiptos.com*, True -*.thehouseofichthys.com*, True -*.china-drhan.com*, True -*.mgipr.com*, True -*.vpntraki.com*, True -*.ergonomicbags.com*, True -*.mecalco.com*, True -*.texasdollies.com*, True -*.lalosandcharlies.com*, True -*.dnsiskinky.com*, True -*.chen-security.com*, True -*.kellserve.com*, True -*.noipdns.com*, True -*.iprowave.com*, True -*.vast-consulting.com*, True -*.activewaiting.com*, True -*.blogsyte.com*, True -*.homesecuritymac.com*, True -*.aserraderoelsol.com*, True -*.canadascastillo.com*, True -*.natrofa.com*, True -*.eptechguys.com*, True -*.westbendweatheronline.com*, True -*.unitedhardwood.com*, True -*.3utilities.com*, True -*.noip.com*, True -*.twsuser.com*, True -*.tamaragibson.com*, True -*.no-ip.com*, True -*.cuesinc.com*, True -*.sysadminetworks.com*, True -*.brajkovic.com*, True -*.servegame.com*, True -*.sunsationaldrapery.com*, True -*.eltraslomitas.com*, True -*.traslomitas.com*, True -*.essentialventure.com*, True -*.rayplee.com*, True -*.rullofamily.com*, True -*.asiamariage.com*, True -*.yeti-bastard.com*, True -*.vincomlimited.com*, True -*.abledns.com*, True -*.wallyswienerworld.com*, True -*.oumage.com*, True -*.nhaffordabletech.com*, True -*.demosoftonline.com*, True -*.cbopelousas.com*, True -*.contepsa.com*, True -*.arquivirtual.com*, True -*.apothecaryhabits.com*, True -*.triplaysideri.com*, True -*.expired-dns.com*, True -*.myhomeschoolfamily.com*, True -*.golaud.com*, True -*.riquejaime.com*, True -*.vitalwerks.com*, True -*.sashdot.com*, True -*.checkor.com*, True -*.iexchangedit.com*, True -*.bsn2bsn.com*, True -*.aphroditeskateboards.com*, True -*.ptl-chemicals.com*, True -*.hughesandfinnerty.com*, True -*.essentialdigitalservices.com*, True -*.imosaseafood.com*, True -*.garypatel.com*, True -*.vaitrt.com*, True -*.upperrealm.com*, True -*.quackerscomic.com*, True -*.robertpshaw.com*, True -*.ebp-pr.com*, True -*.labradapr.com*, True -*.checkblacklist.com*, True -*.noip-monitor.com*, True -*.servemp3.com*, True -*.municipionlaredo.com*, True -*.murphykosmandanko.com*, True -*.securityexploits.com*, True -*.unusualperson.com*, True -*.damnserver.com*, True -*.geekgalaxy.com*, True -*.ditchyourip.com*, True -*.enhanceddns.com*, True -*.point2this.com*, True -*.servep2p.com*, True -*.socialadhesion.com*, True -*.giivp.com*, True -*.servehalflife.com*, True -*.servepics.com*, True -*.myvnc.com*, True -*.serveftp.com*, True -*.servecounterstrike.com*, True -*.knabrub.com*, True -*.mysecuritycamera.com*, True -*.arenaceballos.com*, True -*.cohenrs.com*, True -*.cjtooling.com*, True -*.petrimex.com*, True -*.mistermousepotato.com*, True -*.buglesshome.com*, True -*.nigelmon.com*, True -*.china-doctorhan.com*, True -*.10dv.com*, True -*.kenjenexp.com*, True -*.oohhm.com*, True -*.lundellnet.com*, True -*.gluebanc.com*, True -*.counterlight.com*, True -*.quicksytes.com*, True -*.ryointernational.com*, True -*.onthewifi.com*, True -*.hipesfamily.com*, True -*.trieditmyself.com*, True -*.kalcicrijeka.com*, True -*.thingsnewandused.com*, True -*.teatruqroqq.com*, True -*.ahvftp.com*, True -*.davidsagar.com*, True -*.palmasmex.com*, True -*.ct-omsakthi.com*, True -*.noipfreedns.com*, True -*.cmmbtrader.com*, True -*.servevent.com*, True -*.adammcarthur.com*, True -*.semelcgmf.com*, True -*.mh-it.com*, True -*.gluebank.com*, True -*.enterprisemx.com*, True -*.larzzons.com*, True -*.serendipityshores.com*, True -*.imprendum.com*, True -*.bobbiblushoe.com*, True -*.bobbiblushoes.com*, True -*.centserver.com*, True -*.rarerental.com*, True -*.grupoimpulsora.com*, True -*.almondbrady.com*, True -*.librarybag.com*, True -*.harlequinschoolbags.com*, True -*.nellopy.com*, True -*.visual-inc.com*, True -*.nstratus.com*, True -*.mysnapstream.com*, True -*.effinetsolutions.com*, True -*.workisboring.com*, True -*.stufftoread.com*, True -*.westblade.com*, True -*.vellipaa.com*, True -*.laketahoesue.com*, True -*.dpcube.com*, True -*.death-education.com*, True -*.thesource-clothing.com*, True -*.cmirg.com*, True -*.homesecuritypc.com*, True -*.serveexchange.com*, True -*.myactivedirectory.com*, True -*.briansagar.com*, True -*.sqlconcepts.com*, True -*.apptechservices.com*, True -*.health-carereform.com*, True -*.slasdot.com*, True -*.servequake.com*, True -*.doyleandprendergast.com*, True -*.webvalua.com*, True -*.sandpointplancenter.com*, True -*.amsprich.com*, True -*.tekkennetwork.com*, True -*.goldcrestcc.com*, True -*.dia4you.com*, True -*.diamond-sets.com*, True -*.digitaletcher.com*, True -*.jmjung.com*, True -*.locumm.com*, True -*.abmetalmecanica.com*, True -*.tgssys.com*, True -*.gteksecurity.com*, True -*.anyitsolution.com*, True -*.jdfinancialserver.com*, True -*.architecturevogue.com*, True -*.portfwd.com*, True -*.almosaed.biz*, True -*.fleetmanagement.biz*, True -*.no-ip.biz*, True -*.pdab.biz*, True -*.mmafan.biz*, True -*.myftp.biz*, True -*.yoursupport.biz*, True -*.servebeer.com*, True -*.sytes.net*, True -*.dynamic-dns.net*, True -*.epac.to*, True -*.longmusic.com*, True -*.compress.to*, True -*.wikaba.com*, True -*.zzux.com*, True -*.dumb1.com*, True -*.1dumb.com*, True -*.onedumb.com*, True -*.wha.la*, True -*.youndontcare.com*, True -*.yourtrap.com*, True -*.2waky.com*, True -*.sexidude.com*, True -*.mefound.com*, True -*.organiccrap.com*, True -*.toythieves.com*, True -*.justdied.com*, True -*.jungleheart.com*, True -*.mrbasic.com*, True -*.mrbonus.com*, True -*.x24hr.com*, True -*.dns04.com*, True -*.dns05.com*, True -*.zyns.com*, True -*.my03.com*, True -*.fartit.com*, True -*.itemdb.com*, True -*.instanthq.com*, True -*.xxuz.com*, True -*.jkub.com*, True -*.itsaol.com*, True -*.faqserv.com*, True -*.jetos.com*, True -*.qpoe.com*, True -*.qhigh.com*, True -*.vizvaz.com*, True -*.mrface.com*, True -*.isasecret.com*, True -*.mrslove.com*, True -*.otzo.com*, True -*.sellclassics.com*, True -*.americanunfinished.com*, True -*.serveusers.com*, True -*.serveuser.com*, True -*.freetcp.com*, True -*.ddns.info*, True -*.ns01.info*, True -*.ns02.info*, True -*.myftp.info*, True -*.mydad.info*, True -*.mymom.info*, True -*.mypicture.info*, True -*.myz.info*, True -*.squirly.info*, True -*.toh.info*, True -*.xxxy.info*, True -*.freewww.info*, True -*.freeddns.com*, True -*.myddns.com*, True -*.dynamicdns.biz*, True -*.ns01.biz*, True -*.ns02.biz*, True -*.xxxy.biz*, True -*.sexxy.biz*, True -*.freewww.biz*, True -*.www1.biz*, True -*.dhcp.biz*, True -*.edns.biz*, True -*.ftp1.biz*, True -*.mywww.biz*, True -*.gr8domain.biz*, True -*.gr8name.biz*, True -*.ftpserver.biz*, True -*.wwwhost.biz*, True -*.moneyhome.biz*, True -*.port25.biz*, True -*.esmtp.biz*, True -*.sixth.biz*, True -*.ninth.biz*, True -*.got-game.org*, True -*.bigmoney.biz*, True -*.dns2.us*, True -*.dns1.us*, True -*.ns02.us*, True -*.ns01.us*, True -*.almostmy.com*, True -*.ocry.com*, True -*.ourhobby.com*, True -*.pcanywhere.net*, True -*.ygto.com*, True -*.ddns.me.uk*, True -*.ddns.ms*, True -*.dynamicdns.me.uk*, True -*.dynamicdns.org.uk*, True -*.ddns.us*, True -*.gettrails.com*, True -*.4mydomain.com*, True -*.25u.com*, True -*.4dq.com*, True -*.4pu.com*, True -*.3-a.net*, True -*.dsmtp.com*, True -*.mynumber.org*, True -*.ns1.name*, True -*.ns2.name*, True -*.ns3.name*, True -*.changeip.name*, True -*.ddns.name*, True -*.rebatesrule.net*, True -*.ezua.com*, True -*.sendsmtp.com*, True -*.trickip.net*, True -*.trickip.org*, True -*.dnsrd.com*, True -*.lflinkup.net*, True -*.lflinkup.org*, True -*.lflink.com*, True -*.dns-dns.com*, True -*.proxydns.com*, True -*.myftp.name*, True -*.dyndns.pro*, True -*.changeip.net*, True -*.mysecondarydns.com*, True -*.changeip.org*, True -*.dns-stuff.com*, True -*.dynssl.com*, True -*.mylftv.com*, True -*.mynetav.net*, True -*.mynetav.org*, True -*.dynamicdns.co.uk*, True -*.ikwb.com*, True -*.acmetoy.com*, True -*.ddns.mobi*, True -*.dnset.com*, True -*.authorizedddns.net*, True -*.authorizedddns.org*, True -*.authorizedddns.us*, True -*.cleansite.biz*, True -*.cleansite.info*, True -*.cleansite.us*, True -*.https443.net*, True -*.https443.org*, True -*.mypop3.net*, True -*.mypop3.org*, True -*.ssl443.org*, True -*.iownyour.biz*, True -*.iownyour.org*, True -*.onmypc.biz*, True -*.onmypc.info*, True -*.onmypc.net*, True -*.onmypc.org*, True -*.0000000000000000000000.com*, True -*.0000.tk*, True -*.000webhosting.ga*, True -*.0012.gq*, True -*.004z.com*, True -*.008bond.com*, True -*.0099098.ru*, True -*.0101.ch*, True -*.010.is*, True -*.011000110100111011001101011100110011101010101001001010011101001.pl*, True -*.0-1-2-3-4-5-6-7-8-9-10-11-12-13-14-15-16-17-18.com*, True -*.0-1-2-3-4-5-6-7-8-9-10-11-12-13-14-15-16-17-18.net*, True -*.012wan.com*, True -*.01898.com*, True -*.01blog.tk*, True -*.01sw.net*, True -*.0260.info*, True -*.0260.us*, True -*.027huiteng.com*, True -*.02.cl*, True -*.02ipo.com*, True -*.03c8.net*, True -*.04sakau.tk*, True -*.0720.tk*, True -*.0739zy.xyz*, True -*.0750.cf*, True -*.07thkt4.us*, True -*.0800068078.com*, True -*.0800nautica.com.br*, True -*.0812.hk*, True -*.09199002732.ir*, True -*.0920340500.com*, True -*.0953200202.tw*, True -*.09march98.tk*, True -*.0a5.com.ar*, True -*.0bit.org*, True -*.0costsolar.com*, True -*.0craft.org*, True -*.0dbu.com*, True -*.0e-mail.ru*, True -*.0gr.pl*, True -*.0ip.com.br*, True -*.0iq.ru*, True -*.0load.com*, True -*.0ner0m.com*, True -*.0nit.com*, True -*.0nline.xyz*, True -*.0ong.com*, True -*.0on.me*, True -*.0phre4k-id.cf*, True -*.0rca.ch*, True -*.0rg.eu*, True -*.0rg.us*, True -*.0-shiny.com*, True -*.0sms.com.au*, True -*.0tjh.com*, True -*.0tue0.com*, True -*.0ubox.com*, True -*.0wnz-u.com*, True -*.0x00000001.de*, True -*.0x26.ch*, True -*.0x29a.one.pl*, True -*.0x29.com.ve*, True -*.0x55.me*, True -*.0x61.org*, True -*.0x77.me*, True -*.0x90.ml*, True -*.0xee.eu*, True -*.0x.no*, True -*.0xworm.com*, True -*.0xz0.info*, True -*.0zzie.co.uk*, True -*.1000-2000.net*, True -*.1000doors.com*, True -*.1000-happiness.com*, True -*.1000moments.net*, True -*.1000oto.com*, True -*.1000views.com*, True -*.1000virgins.com*, True -*.1000virgins.co.uk*, True -*.1001arabesque.com*, True -*.1001fakta.com*, True -*.1001presenter.nu*, True -*.100515.info*, True -*.10089danielsrunway.com*, True -*.100datesofsummer.com.au*, True -*.100giga.ro*, True -*.100konebay.co.uk*, True -*.100letters.org*, True -*.100mgblue-pill.com*, True -*.100mountain.com*, True -*.100paydayadvance1000.com*, True -*.100percent.info*, True -*.100x100logistica.com.ar*, True -*.100yearvita.com*, True -*.10101.tw*, True -*.101107577603585234182084907890239187.xyz*, True -*.101240249642023079629167864707043624.xyz*, True -*.101768225600992293696488011808460955.xyz*, True -*.101clan.net*, True -*.101eyewear.com*, True -*.10244528716173274066799407355981.xyz*, True -*.1025.ro*, True -*.103149674440460345026173397479625337.xyz*, True -*.10415248431687848670877886427371.xyz*, True -*.10454096982665866346089090654827.xyz*, True -*.1045.ca*, True -*.105632853311007563986684078732140421.xyz*, True -*.105.com.au*, True -*.105creative.com*, True -*.105creative.com.au*, True -*.105.net.au*, True -*.10668016811030272232064139659016.xyz*, True -*.10726029732480862651864413286946.xyz*, True -*.10742086223582223602607451174001.xyz*, True -*.107tv.com*, True -*.1080.ch*, True -*.10859155697777473566221838775384.xyz*, True -*.10890.biz*, True -*.108not.ru*, True -*.10983311398764301613389248808724.xyz*, True -*.10coder.com*, True -*.10perhead.com*, True -*.10things.co.za*, True -*.10whitestallion.com*, True -*.10x.es*, True -*.1111128.com*, True -*.111lotto.com*, True -*.111yxb.com*, True -*.112233.ch*, True -*.1122.cf*, True -*.112forum.nl*, True -*.112.sx*, True -*.11688.tw*, True -*.118iranian.com*, True -*.119111.net*, True -*.119dvd.com*, True -*.11bcgarden.org*, True -*.11deseptiembre.cl*, True -*.11plusnet.com*, True -*.11plusnet.co.uk*, True -*.11thcircle.com*, True -*.120buntu.com*, True -*.120v.ac*, True -*.121912.com*, True -*.121computerhelp.com*, True -*.12258.tk*, True -*.12296930123025003412952950082308.xyz*, True -*.1234567.ro*, True -*.123456mu.com*, True -*.1234casinos.com*, True -*.1234mu.com*, True -*.123erp.net*, True -*.123layby.co.za*, True -*.123ok.us*, True -*.123pozvoni.ru*, True -*.123print.ru*, True -*.123pt.eu*, True -*.123remote.org*, True -*.123voip.com*, True -*.123zq.net*, True -*.124sto.ru*, True -*.127x0x0x1.tk*, True -*.128kbps.cf*, True -*.128kbps.tk*, True -*.12ama.com*, True -*.12bobywz.com*, True -*.12b.ro*, True -*.12deerdesigns.com*, True -*.12g.ru*, True -*.12host.net*, True -*.12oclocktech.com*, True -*.12oz.io*, True -*.12qcp.com*, True -*.12thmonkeyit.com*, True -*.12v.si*, True -*.1314.cz*, True -*.1332.tw*, True -*.1337bar.com*, True -*.1337.cx*, True -*.1-3-3-7.de*, True -*.1337home.com*, True -*.1337.moe*, True -*.1337team.tk*, True -*.13492prismct.com*, True -*.1353355.com*, True -*.138985.com*, True -*.139160.com*, True -*.139190.com*, True -*.139220.com*, True -*.139535.com*, True -*.139565.com*, True -*.139869.com*, True -*.13h.pl*, True -*.13h.tw*, True -*.13jasminestreet.com*, True -*.13tribos.com.br*, True -*.1497.ru*, True -*.14east.co.uk*, True -*.14khawaii.com*, True -*.150watt.ru*, True -*.152group.co.uk*, True -*.155dvd.com*, True -*.155mall.com*, True -*.1568mu.com*, True -*.15862388836.tk*, True -*.158851.com*, True -*.15april.ga*, True -*.15kvdesign.com*, True -*.15kvdesigns.com*, True -*.15mu.com*, True -*.15puzzle.co.uk*, True -*.15rheinlandplace.ml*, True -*.16101993.com*, True -*.163163.net*, True -*.1637.tw*, True -*.1668.info*, True -*.166dvd.com*, True -*.168168.net*, True -*.16888.com.au*, True -*.1689mu.com*, True -*.168g.ml*, True -*.168grains.com*, True -*.168g.tk*, True -*.168lot.com*, True -*.168prod.com*, True -*.1696699.com*, True -*.1696699.net*, True -*.16mm.ro*, True -*.173zf.com*, True -*.17es.net*, True -*.17es.org*, True -*.17life.com*, True -*.17life.tw*, True -*.17muqj.com*, True -*.17mus.com*, True -*.17ping.cn*, True -*.17ping.com*, True -*.17pointsofdisagreement.org*, True -*.17pondviewdrive.com*, True -*.17to.com*, True -*.17w17k.tk*, True -*.1800la1taxi.com*, True -*.1-800.ro*, True -*.1-800sickfedoras.com*, True -*.18021997.com*, True -*.1816manuel.com*, True -*.1828365365.com*, True -*.185mu.com*, True -*.18888.cf*, True -*.188dvd.com*, True -*.1898.biz*, True -*.189.dk*, True -*.18mei.net*, True -*.18mo.tk*, True -*.18-porno.ru*, True -*.18tabu.ro*, True -*.18t.biz*, True -*.18theatrium.co.uk*, True -*.18wap.cf*, True -*.1933sib.tk*, True -*.193edgemontscouts.ca*, True -*.1945.la*, True -*.1954f100.com*, True -*.195zf.com*, True -*.1978sm.com*, True -*.1981taipei.com*, True -*.1981tokyo.com*, True -*.19inside.net*, True -*.19insidenet.com*, True -*.19inside.org*, True -*.1a2a3a4a.com*, True -*.1a2b.ru*, True -*.1affiliateonline.com*, True -*.1akvabur.ru*, True -*.1aroma.com*, True -*.1bar.org*, True -*.1chilcoteroad.co.uk*, True -*.1clickflix.com*, True -*.1clickkidflix.com*, True -*.1cmt.com*, True -*.1corp.net*, True -*.1corporation.us*, True -*.1-court.com*, True -*.1court.com*, True -*.1-court.net*, True -*.1court.net*, True -*.1doer.com*, True -*.1dollaradwordsscripts.com*, True -*.1dollarscripts.com*, True -*.1easyone.it*, True -*.1emporium.com*, True -*.1filme.tk*, True -*.1g1c.com.au*, True -*.1game1chance.com.au*, True -*.1gbps.net*, True -*.1gbsite.com*, True -*.1hourtraining.co.uk*, True -*.1-hr.ru*, True -*.1idiot.com*, True -*.1iks.ru*, True -*.1industry.com*, True -*.1itpanda.ru*, True -*.1kgporkm.com.br*, True -*.1kserver.com.ar*, True -*.1life1choice.com.au*, True -*.1like.tk*, True -*.1m9s.com*, True -*.1maj.nu*, True -*.1malaysiaiptv.com*, True -*.1malaysiaiptv.com.my*, True -*.1malaysiaiptv.my*, True -*.1malaysiatv.com*, True -*.1malaysiatv.com.my*, True -*.1malaysiatv.my*, True -*.1monetka.ru*, True -*.1moretimearound.com*, True -*.1mototv.ru*, True -*.1mytv.com*, True -*.1mytv.net*, True -*.1mytv.tv*, True -*.1n0.co*, True -*.1n1.se*, True -*.1nas.tk*, True -*.1newid.com*, True -*.1ng.us*, True -*.1nk.us*, True -*.1ns1der.me*, True -*.1o1.tw*, True -*.1on1technology.com*, True -*.1only.us*, True -*.1ove.ga*, True -*.1paper.com.au*, True -*.1pilot.ru*, True -*.1pizzashop.ru*, True -*.1point5million.com*, True -*.1projekts.lv*, True -*.1qituan.com*, True -*.1recruiting.in*, True -*.1remis.com.ar*, True -*.1ro3ls-dfu.cf*, True -*.1ro3ls-kag.tk*, True -*.1rtk.com*, True -*.1sendayan.net*, True -*.1slovo.com*, True -*.1sn0s.com*, True -*.1snesonora.gob.mx*, True -*.1st1.cc*, True -*.1stag.com*, True -*.1stbp.ro*, True -*.1stcc.biz*, True -*.1st-focus.co.uk*, True -*.1sthaverfordwestscoutgroup.org.uk*, True -*.1stitsupport.com*, True -*.1st-offense-inventory.com*, True -*.1stopcompanies.co.za*, True -*.1strealtyresources.com*, True -*.1strochscoutgroup.org.uk*, True -*.1ted.ru*, True -*.1tm.me*, True -*.1to1.tk*, True -*.1trp.com*, True -*.1und1-sicherheitszentrale.de*, True -*.1usd1.com*, True -*.1w1w-id.com*, True -*.1war.ru*, True -*.1waytours.com*, True -*.1weblord.com*, True -*.1world4music.com*, True -*.1x1x.tk*, True -*.1x2.su*, True -*.1xu.info*, True -*.1z.lv*, True -*.200013.net*, True -*.2000db.com*, True -*.2000info.com.br*, True -*.200.com.my*, True -*.200.my*, True -*.200puls.de*, True -*.20130703.cn*, True -*.2015autocars.info*, True -*.2015carsblog.info*, True -*.2015newcars.info*, True -*.2016carprice.info*, True -*.2016carrelease.info*, True -*.20-20-20.ro*, True -*.20248.com*, True -*.203mb.com*, True -*.2045sa.tk*, True -*.204.tw*, True -*.208racing.com*, True -*.20aniversario.es*, True -*.20gbfree.com.ar*, True -*.20host.us*, True -*.20pack.com*, True -*.2100610.ru*, True -*.2100bitcoins.com*, True -*.2100coins.com*, True -*.2100vllc.com*, True -*.2100vnewmedia.com*, True -*.2106montrose.com*, True -*.2122edward.us*, True -*.21boy.com*, True -*.21centurymicro.com*, True -*.21questionstoaskaguy.net*, True -*.21sierra.com*, True -*.21stcenturythought.com*, True -*.220ua.com*, True -*.2220018.ir*, True -*.2246666.com*, True -*.226vitech.com*, True -*.22755653.ir*, True -*.22.net.au*, True -*.23480summit.info*, True -*.236yxb.com*, True -*.23ale92.com.ve*, True -*.23eyes.org*, True -*.2400baud.net*, True -*.242itservices.co.uk*, True -*.247mediaklikmukix.com*, True -*.247mediaklikmukix.net*, True -*.24-7.ro*, True -*.247tv.net*, True -*.247yellowtaxi.com*, True -*.248nba.com*, True -*.24atoms.com*, True -*.24autohits.com*, True -*.24averia.com*, True -*.24booo.com*, True -*.24deagosto.tk*, True -*.24dob.com*, True -*.24dx.ru*, True -*.24efun.com*, True -*.24fitbrisbanecity.com*, True -*.24fssp.ru*, True -*.24hbay.com*, True -*.24here.cn*, True -*.24h.hk*, True -*.24houreaves.com*, True -*.24-hourrpo.com*, True -*.24hunter.ru*, True -*.24jam.ml*, True -*.24kare.info*, True -*.24kare.org*, True -*.24perevezu.ru*, True -*.24rls.ru*, True -*.24rx7.eu*, True -*.24serial.ru*, True -*.24snba.com*, True -*.24-video.ru*, True -*.24x7.hk*, True -*.25431010.tw*, True -*.25499cancelloterrace.com*, True -*.2555.co*, True -*.25961457067915867141930461826155.xyz*, True -*.25msa.com.ar*, True -*.25reps.com*, True -*.25watts.com.pe*, True -*.25watts.pe*, True -*.2600.si*, True -*.26-08-1992.tk*, True -*.26081992.tk*, True -*.26268888.com*, True -*.2628365365.com*, True -*.2635.cf*, True -*.2635.tk*, True -*.2639828dd1.pw*, True -*.263f06813b.pw*, True -*.26772844.com*, True -*.26sites.com*, True -*.273wellington.com*, True -*.278.es*, True -*.27mc.tk*, True -*.27mhzvirtual.ga*, True -*.280412.com*, True -*.2806777.tw*, True -*.2828.ml*, True -*.2831cafe.com*, True -*.28365365ty.com*, True -*.28365365tyzx.com*, True -*.28611111.com*, True -*.28611111.hk*, True -*.288408.com*, True -*.28856365.com*, True -*.28888.cf*, True -*.28888.ga*, True -*.28888.gq*, True -*.28888.ml*, True -*.288.co.za*, True -*.289.la*, True -*.28eastridge.net*, True -*.28gb.ru*, True -*.2992299.net*, True -*.299792458.es*, True -*.2age.net*, True -*.2age.org*, True -*.2age.ru*, True -*.2art.cl*, True -*.2at.cl*, True -*.2av.ro*, True -*.2b1music.com*, True -*.2benice.tk*, True -*.2blokeswithbeer.com*, True -*.2bolta.ru*, True -*.2btrucking.com*, True -*.2c-b.ml*, True -*.2c-me.com*, True -*.2contim.net*, True -*.2cv2021swiss.ch*, True -*.2dadesivos.com.br*, True -*.2daystrends.ro*, True -*.2dba.co.uk*, True -*.2dn.org*, True -*.2donext.com*, True -*.2dons.com*, True -*.2dosquare.com*, True -*.2fast4u.ro*, True -*.2fine.de*, True -*.2fourone.com*, True -*.2funny.ga*, True -*.2gather.ga*, True -*.2gathr.de*, True -*.2gfkitchen.com*, True -*.2group.co.uk*, True -*.2hand.hk*, True -*.2hostedoptions.com*, True -*.2hoz.com*, True -*.2hr.me*, True -*.2hu.us*, True -*.2internet.ga*, True -*.2itsupport.com*, True -*.2kan.io*, True -*.2klik.pw*, True -*.2ku.ru*, True -*.2leech.com*, True -*.2mgt.co.kr*, True -*.2minutosderelax.com*, True -*.2m.lt*, True -*.2mstudio.info*, True -*.2mucha.org*, True -*.2netserv.ro*, True -*.2new4k.com*, True -*.2nhay.com*, True -*.2nsoft.co.kr*, True -*.2o1o.co.uk*, True -*.2of1.org*, True -*.2om.us*, True -*.2peu.org*, True -*.2p.fm*, True -*.2-porn.ru*, True -*.2ps.me*, True -*.2qal.tk*, True -*.2sea.org*, True -*.2shotminimum.com*, True -*.2sh.tw*, True -*.2sign.co.uk*, True -*.2sillysausages.com*, True -*.2sni.com.br*, True -*.2so.ch*, True -*.2stacks.net*, True -*.2stepenergy.com*, True -*.2tek.info*, True -*.2to1agri.com*, True -*.2toc.com*, True -*.2track.me*, True -*.2-tube.tk*, True -*.2tutu.info*, True -*.2u4.ca*, True -*.2vp.net*, True -*.2web.ga*, True -*.2wi.com.au*, True -*.2zy.net*, True -*.300.com.my*, True -*.300.my*, True -*.302itsolutions.com*, True -*.303brewingco.com*, True -*.303brewing.com*, True -*.303brewingcompany.com*, True -*.303brewingcompany.net*, True -*.30624100.tk*, True -*.30624770.tk*, True -*.308863.com*, True -*.30landport.com*, True -*.30ohm.net*, True -*.3108.us*, True -*.31337.info*, True -*.3141.co.uk*, True -*.314.ru*, True -*.316homemedia.com*, True -*.319go.com*, True -*.31shep.com*, True -*.320w.com*, True -*.3211976.ru*, True -*.321.com.ar*, True -*.321contando.com.ar*, True -*.323net.com*, True -*.32903.org*, True -*.32ws.ga*, True -*.3303.ch*, True -*.333123.net*, True -*.3333-ace.com*, True -*.3333-telkomsel.ml*, True -*.333yxb.com*, True -*.3366vod.com*, True -*.3368668.com*, True -*.337yxb.com*, True -*.3399vod.com*, True -*.33joy.ru*, True -*.33kbps.com.ar*, True -*.349net.com*, True -*.3528shop.com*, True -*.360backupsitesrevealed.com*, True -*.360bmt.com*, True -*.360digit.com*, True -*.360drm.com*, True -*.360feedback.at*, True -*.360itek.com*, True -*.360moto.ir*, True -*.360technologies.ca*, True -*.360toothbrush.com*, True -*.360watch.co.uk*, True -*.361yxb.com*, True -*.365-24-7.de*, True -*.365365cn.com*, True -*.3653.co*, True -*.365-888.com*, True -*.365cloudit.co.uk*, True -*.365designklikmukix.com*, True -*.365designklikmukix.net*, True -*.365digitalklikmukix.com*, True -*.365mediaklikmlondonix.com*, True -*.365mediaklikmukix.co*, True -*.365mediaklikmukix.com*, True -*.365mediaklikmukix.net*, True -*.365mediaklikmukix.org*, True -*.365mediaklikmukixsolutions.com*, True -*.365mediaklikmukixtech.com*, True -*.365mediaklokmukix.com*, True -*.365mediaklokmukix.net*, True -*.365productionsklikmukix.com*, True -*.365tix.com.au*, True -*.369communications.co.za*, True -*.36kb.ru*, True -*.3773777.com*, True -*.3773777.net*, True -*.377378.com*, True -*.383.li*, True -*.383yxb.com*, True -*.38gaming.uk*, True -*.38shop.cn*, True -*.3908825.tw*, True -*.39214.com*, True -*.393.ro*, True -*.395buy.com*, True -*.395mai.com*, True -*.39delo.ru*, True -*.39northdesigns.com*, True -*.3ac.cl*, True -*.3ambusinessadvisers.com*, True -*.3ambusinessadvisers.com.au*, True -*.3ambusinessadvisers.net*, True -*.3ambusiness.com*, True -*.3ambusiness.com.au*, True -*.3am-eternal.org*, True -*.3amlife.com*, True -*.3anetwork.com.br*, True -*.3baysvilla.com*, True -*.3beaches.co.za*, True -*.3bears.co.kr*, True -*.3bs.pt*, True -*.3c4d.net*, True -*.3cb.info*, True -*.3cb.ru*, True -*.3cmphotography.com.au*, True -*.3cm.us*, True -*.3co.ca*, True -*.3comet.com*, True -*.3countriespizza.com*, True -*.3cshare.hk*, True -*.3cx-systems.co.uk*, True -*.3d3.pl*, True -*.3dboards.com*, True -*.3dcanyon.com*, True -*.3dcareer.com*, True -*.3dcity.co.za*, True -*.3dcrew.cf*, True -*.3dfx.se*, True -*.3dgeorge.com*, True -*.3djobfair.com*, True -*.3dl.am*, True -*.3dmovies.hk*, True -*.3dopticzz.tk*, True -*.3dpathogram.com*, True -*.3dprintrz.com*, True -*.3dsaya.com*, True -*.3dschile.cl*, True -*.3dsexworlds.net*, True -*.3dsystems.sg*, True -*.3dticket.ru*, True -*.3dvizija.net*, True -*.3dwise.com*, True -*.3dxtras.com*, True -*.3eagle.com*, True -*.3es.in*, True -*.3fee.com*, True -*.3forcom.biz*, True -*.3forcom.info*, True -*.3forcom.net*, True -*.3forcom.org*, True -*.3forever.com*, True -*.3fors.co*, True -*.3forsflush.com*, True -*.3genergy.gr*, True -*.3gpx.net*, True -*.3hearts.org*, True -*.3hezar.ir*, True -*.3hllcssl.com*, True -*.3hs.com.br*, True -*.3hstudio.ro*, True -*.3iat.ro*, True -*.3ii.net*, True -*.3inkjet.com*, True -*.3jpmedia.com*, True -*.3kingdoms-eu.tk*, True -*.3kingdom.tk*, True -*.3laze.com*, True -*.3menathome.org*, True -*.3-mmc.de*, True -*.3mmc.de*, True -*.3-mmc.es*, True -*.3monjes.com.ar*, True -*.3muk.com*, True -*.3n.cc*, True -*.3net.me*, True -*.3nix.net*, True -*.3nj3n.cf*, True -*.3oclock.tk*, True -*.3orangkeren.us*, True -*.3pc.com.br*, True -*.3ple-media.ro*, True -*.3porosenka.ru*, True -*.3rd-aberdeen.co.uk*, True -*.3rdeng.com*, True -*.3rdspace.hk*, True -*.3rdx.com*, True -*.3run.one.pl*, True -*.3schat.net*, True -*.3sdgames.com*, True -*.3si3ki.com*, True -*.3sierra.biz*, True -*.3sr.com.br*, True -*.3tech.com.ar*, True -*.3tigres.com.br*, True -*.3tm.net*, True -*.3trust.com*, True -*.3uu.me*, True -*.3vm.cl*, True -*.3vs3.net*, True -*.3wish.co.kr*, True -*.3x3.pl*, True -*.3xit.com*, True -*.3xviet.net*, True -*.3xx.eu*, True -*.3z.cl*, True -*.400.com.my*, True -*.400participacoes.com.br*, True -*.401616.net*, True -*.4030tel.com*, True -*.403error.ga*, True -*.4040.idv.tw*, True -*.404err.net*, True -*.404-gaming.ga*, True -*.404-gaming.tk*, True -*.404.mn*, True -*.404notfound.gq*, True -*.404r.eu*, True -*.4090.su*, True -*.40ins.ru*, True -*.40v.fi*, True -*.40vsk.lv*, True -*.4128777.tw*, True -*.417rv.ca*, True -*.417rv.com*, True -*.419037.com*, True -*.420austin.net*, True -*.420blaze.me*, True -*.4-2-0.cf*, True -*.420.io*, True -*.420retro.tk*, True -*.420tech.eu*, True -*.420tech.pl*, True -*.42614.com*, True -*.428571.com*, True -*.42k.ca*, True -*.42krosario.com.ar*, True -*.42lemons.com*, True -*.42mediaapps.com*, True -*.42o.org*, True -*.42wireless.co.za*, True -*.42x.co*, True -*.433.co.il*, True -*.4399yxb.com*, True -*.4401.us*, True -*.4406666.com*, True -*.441creative.co.uk*, True -*.44e5f64857.pw*, True -*.455c4ed4bcf69b0dfc9c850a283f05ef455c4ed4bcf69b0.cf*, True -*.456arashi.com*, True -*.46reunion.com*, True -*.4743.com*, True -*.4763539.com*, True -*.48349.com*, True -*.486-ocn.com*, True -*.48f8.net*, True -*.48squad.com*, True -*.49695.com*, True -*.498898.com*, True -*.49b.uk*, True -*.4adev.com*, True -*.4adevelopments.com*, True -*.4alga.info*, True -*.4alton.co.uk*, True -*.4always.com*, True -*.4b5b.tk*, True -*.4bebe.ro*, True -*.4bi.ro*, True -*.4calgarycontractors.com*, True -*.4calgaryrealestate.tv*, True -*.4call.me*, True -*.4-cam.ru*, True -*.4card.ru*, True -*.4cassells.com*, True -*.4chan.ca*, True -*.4checker.club*, True -*.4-choob.com*, True -*.4comex.cl*, True -*.4credits.info*, True -*.4d1.me*, True -*.4dame.ru*, True -*.4dmnc.com*, True -*.4dxm.com*, True -*.4ertenok.ru*, True -*.4ertiki.ru*, True -*.4es.ca*, True -*.4estacoespaisagismo.com*, True -*.4everfyne.com*, True -*.4everking.ml*, True -*.4eversky.com*, True -*.4fingers.ga*, True -*.4flex.net*, True -*.4freesystem.com.br*, True -*.4funsociety.com*, True -*.4g-net.co.uk*, True -*.4gs.ir*, True -*.4haks.net*, True -*.4-health.org*, True -*.4hedonism.com*, True -*.4hi.cn*, True -*.4him-menswear.ch*, True -*.4ikc.ru*, True -*.4ippi.ru*, True -*.4jc.info*, True -*.4jovemindonesia.web.id*, True -*.4k1network.net*, True -*.4k4gow.tk*, True -*.4kdz.com*, True -*.4ko.us*, True -*.4kulls-in-nz.ch*, True -*.4livestreaming.com*, True -*.4logic.pt*, True -*.4lph40m394.ch*, True -*.4lph40m394.com*, True -*.4mcqueens.com*, True -*.4mcservicios.cl*, True -*.4-med.ru*, True -*.4moms.tk*, True -*.4moviescheduling.com*, True -*.4mvtv.com*, True -*.4n4y4nz.net*, True -*.4net.tk*, True -*.4newcalgarycondos.com*, True -*.4-news.org*, True -*.4nhalf.info*, True -*.4nonymouse.tk*, True -*.4oc.ru*, True -*.4ofdakine.com*, True -*.4-on-4.com*, True -*.4peg.com*, True -*.4pet.ro*, True -*.4play.hk*, True -*.4plusnutrition.bg*, True -*.4rafaels.net*, True -*.4rief.com*, True -*.4rw.de*, True -*.4-sale.co.za*, True -*.4sale.co.za*, True -*.4sale.su*, True -*.4sta.ru*, True -*.4sterk.nl*, True -*.4storykingdom.tk*, True -*.4street4life.ru*, True -*.4swa.ru*, True -*.4sync.cf*, True -*.4sync.ga*, True -*.4sync.gq*, True -*.4sync.ml*, True -*.4sync.tk*, True -*.4td.biz*, True -*.4-teti.tk*, True -*.4thegreens.com*, True -*.4tracking.us*, True -*.4twenty.us*, True -*.4udak.cf*, True -*.4udak.ml*, True -*.4ufashion.com.pk*, True -*.4uhhc.com*, True -*.4uhhc.net*, True -*.4uhhc.org*, True -*.4uwi.ru*, True -*.4videoscheduling.com*, True -*.4wardfabrication.com*, True -*.4wardfabrication.com.au*, True -*.4wardfabrications.com*, True -*.4wardfabrications.com.au*, True -*.4-waves.com*, True -*.4waysedupsych.co.za*, True -*.4web.ga*, True -*.4web.gq*, True -*.4wh4ll3nk.tk*, True -*.4xchambers.com*, True -*.4xidea.com*, True -*.4xs.co*, True -*.4xxx.com.ar*, True -*.4yourhealth.info*, True -*.4you.tw*, True -*.50001iso.com.br*, True -*.500.com.my*, True -*.500xl.se*, True -*.502060.com*, True -*.5020.tk*, True -*.5041440.ru*, True -*.504viviendas.com.ar*, True -*.508508.biz*, True -*.508a.ru*, True -*.5092601.ru*, True -*.50friends.com.mx*, True -*.50friends.mx*, True -*.50rmail.com*, True -*.50v.fi*, True -*.5117my.com*, True -*.512kbps.tk*, True -*.5150.ws*, True -*.5181388.com*, True -*.518oak.com*, True -*.51a.org*, True -*.51j.org*, True -*.51n.org*, True -*.51q.org*, True -*.51renqi.com*, True -*.51solomo.com*, True -*.51usana.org*, True -*.51x.be*, True -*.520.com.my*, True -*.52440018.ir*, True -*.525f.com*, True -*.525ix.com*, True -*.5280insider.com*, True -*.5282288.net*, True -*.529artstower.com*, True -*.52avkm.com*, True -*.52deal.info*, True -*.52degreesnorth.com*, True -*.52domain.com*, True -*.52gm.net*, True -*.52race.com*, True -*.52uu.info*, True -*.52xh.cf*, True -*.534543587348587.tk*, True -*.53815090.com*, True -*.53herbie.tk*, True -*.5411apartments.com*, True -*.5451220.ru*, True -*.54f100.com*, True -*.54np.com*, True -*.54np.net*, True -*.54stars.ir*, True -*.54tian.com*, True -*.555757.com*, True -*.5568888.com*, True -*.559c.com*, True -*.55w.org*, True -*.562686.com*, True -*.566155.com*, True -*.566477.com*, True -*.5714.us*, True -*.575110.com*, True -*.5800xm.cf*, True -*.588489.com*, True -*.58888888888.com*, True -*.58.gs*, True -*.5-8.ro*, True -*.5942t.com*, True -*.5995599.net*, True -*.5aera.cl*, True -*.5.ai*, True -*.5anga.info*, True -*.5centben.com*, True -*.5chat.ru*, True -*.5cmu.com*, True -*.5cuerdas.com.ar*, True -*.5dclick.com*, True -*.5dearth.com*, True -*.5dimension.com.ar*, True -*.5element.pl*, True -*.5fakta.info*, True -*.5fn.co.za*, True -*.5haha.net*, True -*.5iai-shop.co.uk*, True -*.5ibc6.com*, True -*.5ibc6.net*, True -*.5ibcmm.com*, True -*.5ibcmm.net*, True -*.5ibuy.tk*, True -*.5inkjet.com*, True -*.5it3.info*, True -*.5kmu.com*, True -*.5kw.eu*, True -*.5lf.de*, True -*.5na5.ru*, True -*.5ng.ru*, True -*.5northmedia.com*, True -*.5of3.com*, True -*.5one.us*, True -*.5p9.ru*, True -*.5pathsandpitfalls.com*, True -*.5paths.org*, True -*.5perhead.com*, True -*.5psolutions.ro*, True -*.5rhythms.se*, True -*.5rose.ch*, True -*.5ryneveld.com*, True -*.5sec.com.br*, True -*.5starit.co.uk*, True -*.5starshost.tk*, True -*.5street.ca*, True -*.5taestacion.com.ar*, True -*.5taichi.com*, True -*.5tgb.tk*, True -*.5ump.com*, True -*.5xberg.com*, True -*.5ya.com.ar*, True -*.60000mu.com*, True -*.600912.com*, True -*.600.com.my*, True -*.600.my*, True -*.601203.tk*, True -*.603603.biz*, True -*.604online.com*, True -*.60-nn.com*, True -*.60rar.org*, True -*.61411111111.com*, True -*.614main.net*, True -*.617617.biz*, True -*.617617.com*, True -*.61enjoy.com*, True -*.623au.com*, True -*.6260.ch*, True -*.64k.co.za*, True -*.650606.ru*, True -*.653003.com*, True -*.653yxb.com*, True -*.6542559.com*, True -*.655985.com*, True -*.657yxb.com*, True -*.65g.us*, True -*.66123456789.com*, True -*.663oakenwald.com*, True -*.6661338.ru*, True -*.66613.ru*, True -*.666858.com*, True -*.667yxb.com*, True -*.668123.com*, True -*.668.org*, True -*.66haoyun.com*, True -*.66haoyun.net*, True -*.671yxb.com*, True -*.678dvd.com*, True -*.679670.ru*, True -*.688502.com*, True -*.688.org*, True -*.688yxb.com*, True -*.68fans.com*, True -*.68topup.my*, True -*.698yxb.com*, True -*.69.mu*, True -*.6actsofreceiving.com*, True -*.6aenglish.cf*, True -*.6b51.cf*, True -*.6cmu.com*, True -*.6d1a0563f2.pw*, True -*.6d74ca73c5.pw*, True -*.6-delta.com*, True -*.6haosf.com*, True -*.6lyokavitza.org*, True -*.6net.tk*, True -*.6od.org*, True -*.6perhead.com*, True -*.6saas.ca*, True -*.6saas.com*, True -*.6saas.info*, True -*.6saas.net*, True -*.6saas.org*, True -*.6spel.se*, True -*.6t.pl*, True -*.6west.ca*, True -*.700.com.my*, True -*.700daneh.com*, True -*.700dvd.com*, True -*.700.my*, True -*.70-30.com.ar*, True -*.70-am.com*, True -*.70offsales.com*, True -*.7-11.com.my*, True -*.711.com.my*, True -*.719.ch*, True -*.7-27.co*, True -*.72899.com*, True -*.728lombardi.com*, True -*.733666.ru*, True -*.733atm.ir*, True -*.735happ.com*, True -*.737.at*, True -*.737.ro*, True -*.7419000.ru*, True -*.747driver.com*, True -*.747minna.com*, True -*.74wd.com*, True -*.765.moe*, True -*.76-65.com*, True -*.7666602.ru*, True -*.7758mp3.com*, True -*.77695966.ir*, True -*.777devils.com*, True -*.7788.hk*, True -*.7788.tk*, True -*.781781.biz*, True -*.786.com.pk*, True -*.788yxb.com*, True -*.7890.ga*, True -*.789.ca*, True -*.7979.co.kr*, True -*.79bronco.info*, True -*.79mg.com*, True -*.7aenglish.cf*, True -*.7ammixing.com.ar*, True -*.7a.org*, True -*.7btech.com*, True -*.7camp.com*, True -*.7carmultimarcas.com.br*, True -*.7carwash.ro*, True -*.7dayapocalypse.com*, True -*.7daysargentina.tk*, True -*.7dejunio.com.ar*, True -*.7derp.com*, True -*.7dot.org*, True -*.7dukj.com*, True -*.7-eleven.com.my*, True -*.7filmesproducoes.com.br*, True -*.7-fk.tk*, True -*.7lakes.ca*, True -*.7life.cl*, True -*.7mh.org*, True -*.7perhead.com*, True -*.7placespeople.com*, True -*.7s.com.tr*, True -*.7skidok.ru*, True -*.7tangkas.com*, True -*.7tangkas.net*, True -*.7thgeneration.org*, True -*.7thmarble.com*, True -*.7thx.com*, True -*.7uj.com*, True -*.7u.org*, True -*.7wd.ir*, True -*.7wons.com*, True -*.7work.com*, True -*.80008000.com*, True -*.8001069.com*, True -*.800.com.my*, True -*.800la1taxi.com*, True -*.800.my*, True -*.802256.com*, True -*.808gameserver.tk*, True -*.80-ee.com*, True -*.80kfc.com*, True -*.80s.lt*, True -*.80yer.com*, True -*.8128.co*, True -*.8128.org.uk*, True -*.8128.uk*, True -*.815-1004.com*, True -*.815-main.com*, True -*.81gl.cf*, True -*.8266669.com*, True -*.8366789.tw*, True -*.83suncity-bj.com*, True -*.85239photography.com*, True -*.852gift.com*, True -*.855yxb.com*, True -*.85716.ml*, True -*.85716.tk*, True -*.857yxb.com*, True -*.85.fi*, True -*.85hive.com*, True -*.86136.net*, True -*.862676.com*, True -*.8634.su*, True -*.863yxb.com*, True -*.866yxb.com*, True -*.87947.com*, True -*.87ju.ga*, True -*.87.org.uk*, True -*.87rb.com*, True -*.87w.org*, True -*.8828365365.com*, True -*.888339.com*, True -*.888666888.com*, True -*.889747.com*, True -*.8899vod.com*, True -*.88jadeweb.com*, True -*.88luck.net*, True -*.88skyweb.com*, True -*.8-bit.gq*, True -*.8bitorbust.info*, True -*.8bitvillage.net*, True -*.8bong.net*, True -*.8buy.tw*, True -*.8chanradio.co*, True -*.8dal.net*, True -*.8dl.co*, True -*.8ed.im*, True -*.8imus.ro*, True -*.8kings.com*, True -*.8marzo.tk*, True -*.8odds.com*, True -*.8perhead.com*, True -*.8riewlight.com*, True -*.8tb.net*, True -*.8thlayertech.com*, True -*.8throssendale.org.uk*, True -*.8ui.org*, True -*.900.com.my*, True -*.900degreepizza.com*, True -*.900k.es*, True -*.900.my*, True -*.901.com.ar*, True -*.9031.org*, True -*.9050.be*, True -*.905tech.com*, True -*.909.com.ar*, True -*.90au.com*, True -*.90decibeles.com*, True -*.90taylorroad.info*, True -*.90taylorroadlisarow.info*, True -*.90yer.com*, True -*.911bike.com*, True -*.911cadouri.ro*, True -*.911pcdoc.com*, True -*.911print.ro*, True -*.91282618.com*, True -*.917vpn.cf*, True -*.919fm.in*, True -*.919.tw*, True -*.91fuck.tk*, True -*.91t.ru*, True -*.91vid.com*, True -*.91yazilim.com.tr*, True -*.920hhh.com*, True -*.920hot.com*, True -*.920vid.com*, True -*.9260fox.com*, True -*.9272014.com*, True -*.941fanli.net*, True -*.941in.hk*, True -*.941.ro*, True -*.9434search.com*, True -*.9533.ru*, True -*.9-5.co.za*, True -*.973.co.il*, True -*.9745.me*, True -*.975.cl*, True -*.9776600.ru*, True -*.978978.biz*, True -*.9800000.ru*, True -*.9822.ga*, True -*.984880.com*, True -*.984886.com*, True -*.987960.com*, True -*.988yxb.com*, True -*.98ashzber.ru*, True -*.98homes.com*, True -*.98x.tv*, True -*.99162366.com*, True -*.99556.com*, True -*.998yxb.com*, True -*.99bct.com*, True -*.99darsad.com*, True -*.99-dd.com*, True -*.99dollarlaptops.com*, True -*.99dollarlaptops.net*, True -*.99ring.com*, True -*.99scouts.ca*, True -*.9ch.in*, True -*.9degrees.com.ar*, True -*.9dejulio.gob.ar*, True -*.9eb.se*, True -*.9ft.ninja*, True -*.9h057.com*, True -*.9kvartira.ru*, True -*.9lines.org*, True -*.9men.com*, True -*.9perhead.com*, True -*.9satrapy.net*, True -*.9siu.com*, True -*.9stud.io*, True -*.9th-gate.com*, True -*.9to5run.com.my*, True -*.9vo.lt*, True -*.a01.ca*, True -*.a0a0a.tk*, True -*.a11y.com*, True -*.a11y.info*, True -*.a123.ga*, True -*.a14download.com*, True -*.a1bs.ru*, True -*.a1burgerdfw.com*, True -*.a1grandprix.nl*, True -*.a1k44lvt.net*, True -*.a1microtech.com*, True -*.a-1prorate.com*, True -*.a1safetyequipment.com.au*, True -*.a1workboots.com.au*, True -*.a1workplacesafetyequipment.com.au*, True -*.a1-yellowtaxi.com*, True -*.a28.info*, True -*.a2infotech.com*, True -*.a2j.hk*, True -*.a2kad.ru*, True -*.a2n.ca*, True -*.a2picture.com*, True -*.a2-z0ne.tk*, True -*.a380.gq*, True -*.a3f.ro*, True -*.a3l.com.ar*, True -*.a42r.com*, True -*.a4567.net*, True -*.a4bandas.com*, True -*.a4h.cc*, True -*.a4quality.com.br*, True -*.a4t.in*, True -*.a5e.it*, True -*.a6-999.com*, True -*.a7days.ru*, True -*.a7lasora.com*, True -*.a8pro.com*, True -*.a8-win.com*, True -*.aa22.ml*, True -*.aa5gj.org*, True -*.aaa888.co*, True -*.aaabuilt.com.au*, True -*.aaacpl.com.ar*, True -*.aaadentalemergencyclubs.com*, True -*.aaafoodhk.com*, True -*.aaamessage.com*, True -*.aaa-self-storage.com*, True -*.aaa-storage.co*, True -*.aaastorage.co*, True -*.aabit.com.au*, True -*.aabworkrent.ee*, True -*.aacdns.net*, True -*.aac.st*, True -*.aadesh.net*, True -*.aadns.tk*, True -*.aadollar.com*, True -*.aaexport.com*, True -*.aafbc.org.br*, True -*.aafep.com.br*, True -*.aagkoo.gr*, True -*.aaj.co.za*, True -*.aakersolutions.com.br*, True -*.aaksayangcindy.nom.za*, True -*.aa-letourneau.net*, True -*.aalfaiz.web.id*, True -*.aalitvyakov.ru*, True -*.aalk.org*, True -*.aallina.com*, True -*.a-ally.ru*, True -*.aaltodev.fi*, True -*.aaltopiraatit.fi*, True -*.aamacdc.org*, True -*.aama.pt*, True -*.aamir.com.np*, True -*.aamu.fi*, True -*.aandbtrans.com*, True -*.aangratisan.tk*, True -*.aanime.ga*, True -*.aann.tk*, True -*.aa-otp.com*, True -*.aap48.com*, True -*.aap52.com*, True -*.aap73.com*, True -*.aap77.com*, True -*.aap85.com*, True -*.aap92.com*, True -*.aap98.com*, True -*.aapke.net*, True -*.aappf.pt*, True -*.aaprender.com.br*, True -*.aar25.com*, True -*.aar43.com*, True -*.aar49.com*, True -*.aar65.com*, True -*.aar85.com*, True -*.aarachne.at*, True -*.aarcane.com*, True -*.aarcane.info*, True -*.aarcane.net*, True -*.aarcane.org*, True -*.aardvarkantiquemall.com*, True -*.aardwolfradio.com*, True -*.aareiijunin.com.ar*, True -*.aarmmedia.com*, True -*.aaro.ch*, True -*.aarogyamnepal.org.np*, True -*.aaron5367.com*, True -*.aaronballman.com*, True -*.aaronbocanegra.com*, True -*.aaroneddy.net*, True -*.aarongraddy.com*, True -*.aaronholmes.net*, True -*.aaron-iona.com*, True -*.aaronlambert.com*, True -*.aaronmclean.com*, True -*.aaron-media.net*, True -*.aaronmorgan.com.au*, True -*.aaronsons.net*, True -*.aaronturley.com*, True -*.aaronwilliams.info*, True -*.aaronzappia.com*, True -*.aarooran.co.uk*, True -*.aarthy.co.uk*, True -*.aarto.co.za*, True -*.aartofacts.co.za*, True -*.aartolaw.co.za*, True -*.aaryans.net*, True -*.aasee.se*, True -*.aashiengg.com*, True -*.aashi-industries.com*, True -*.aashikthapa.com.np*, True -*.aashishchapagain.com.np*, True -*.aasp-aviation.com*, True -*.aas-sv.net*, True -*.aasvp.pt*, True -*.aaterus.com*, True -*.aatrashpacks.com*, True -*.aatv.in*, True -*.aau.co.za*, True -*.aawaz.com.np*, True -*.aaww.tk*, True -*.aax85.com*, True -*.aa-z.ga*, True -*.a-a-z.gq*, True -*.aa-z.gq*, True -*.aa-z.tk*, True -*.ab0188.com*, True -*.aba98.com*, True -*.ababurko.net*, True -*.aba.co.za*, True -*.abacuscash.co.id*, True -*.abacuscash.com*, True -*.abacusdp.co.id*, True -*.abacus-it.com*, True -*.abadecla.lv*, True -*.abadiaservices.cl*, True -*.abadijayaaluminium.com*, True -*.abadilabindo.com*, True -*.abagan.com*, True -*.abaingenieria.com.ar*, True -*.abaixodocusto.com.br*, True -*.abakersdozen.com.au*, True -*.abamia.com.ve*, True -*.abangperodua.ml*, True -*.abap.co.za*, True -*.abapremoto.com*, True -*.abart997.net*, True -*.abate.com.ar*, True -*.abatek.com*, True -*.abatekgroup.com*, True -*.abbasian.info*, True -*.abbasiweb.com*, True -*.abbeydentist.com*, True -*.abbeykeith.co.uk*, True -*.ab-blaes.be*, True -*.abbotaleweekendgetaway.com*, True -*.abbotsforddental.com*, True -*.abbotsforddentalgroup.com*, True -*.abbotsfordhallforhire.org.au*, True -*.abbottcoyne.com*, True -*.abbotteo.com.ar*, True -*.abbydentalgroup.com*, True -*.abby.in*, True -*.abbymccoy.com*, True -*.abbyschildcare.com*, True -*.abbyschildcare.net*, True -*.abbyschildcare.org*, True -*.abc1.ch*, True -*.abc92.ru*, True -*.abcabogados.cl*, True -*.abcadmin.com*, True -*.abcadmin.org*, True -*.abcarroll.com*, True -*.abcbeer.com.br*, True -*.abcbeer.pt*, True -*.abcchildcare.biz*, True -*.abc-contact.com*, True -*.abc-contact.net*, True -*.abcd123.xyz*, True -*.abcdamasco.com.br*, True -*.abc-design.ch*, True -*.abcdistribuidoraembalagens.com.br*, True -*.abcdns.tk*, True -*.abcjj.me*, True -*.abcmineralgroup.com*, True -*.abcmu.com*, True -*.abcng.net*, True -*.abcofficetrad.ch*, True -*.abcpd.ca*, True -*.abcpediatria.com*, True -*.abcpediatricdentistry.ca*, True -*.abcprojekts.lv*, True -*.abcrecyclingga.com*, True -*.abcrot.ml*, True -*.abcsecurity.co.za*, True -*.abcsoft.ro*, True -*.abcsonofetal.com*, True -*.abcuniformes.mx*, True -*.abdaktech.com*, True -*.abdeckplane.org*, True -*.abdelhamidbenbadis.com*, True -*.abdh.nl*, True -*.abd-muaz.com*, True -*.abduch.adv.br*, True -*.abdurahman.co.za*, True -*.abedini-co.ir*, True -*.abedintransporte.ch*, True -*.abeeqiya.tk*, True -*.abefm.net*, True -*.abelbascomunity.cf*, True -*.abeliandevelopment.net*, True -*.abeo.in*, True -*.abequtravel.com*, True -*.aberdeenfirstaid.co.uk*, True -*.abertoagora.com.br*, True -*.abestaxi.info*, True -*.abeta.com.br*, True -*.abettafloor.com.au*, True -*.abetteraffiliate.com*, True -*.abetterpen.com*, True -*.abgaskincare.com*, True -*.abgroupbd.net*, True -*.abhaile.info*, True -*.abhashadhikari.com.np*, True -*.abhaypublicity.com*, True -*.abhilashkhatri.com.np*, True -*.abhinandh.com*, True -*.abhishekchand.com.np*, True -*.abi-05.info*, True -*.abianisguilty.com*, True -*.abi-ditzingen.de*, True -*.abiditzingen.de*, True -*.abiesolano.co.uk*, True -*.abigailiankhalida.com*, True -*.abigailiankhalida.me*, True -*.abigail-ian-khalida.xyz*, True -*.abigailmaker.com*, True -*.abiheiri.com*, True -*.abiinoojiaki.org*, True -*.abilenebeeremoval.com*, True -*.abilger.com*, True -*.abiliomarques.tk*, True -*.abilitysociety.ca*, True -*.abillionmonkeys.com*, True -*.abillog.com*, True -*.abinashbasnet.com.np*, True -*.abistax.com.au*, True -*.abitec.com*, True -*.abit.ro*, True -*.abittooskilled.com*, True -*.abiverre.ch*, True -*.abk.ch*, True -*.abkmhazaribag.in*, True -*.abl4.net*, True -*.ablass.ch*, True -*.ablass-handel.ch*, True -*.ablasshandel.ch*, True -*.abl.cl*, True -*.ablebrain.us*, True -*.ablebroadcasting.tv*, True -*.ablecomputers.com.pk*, True -*.ablivingculture.ch*, True -*.ablocfest.gr*, True -*.abmc-group.com*, True -*.abnorm.al*, True -*.abobkov.tk*, True -*.abogado.fi*, True -*.abogadopoblete.com.ar*, True -*.abogadosintegrales.cl*, True -*.abog.ca*, True -*.abogrod.pl*, True -*.aboltys.ru*, True -*.abonament.net*, True -*.aboriginalrightscoalition.org*, True -*.aboutravel.net*, True -*.aboutsafes.co.uk*, True -*.abovethebeach.ca*, True -*.abowtieabroad.in*, True -*.aboyasociados.com.ar*, True -*.abplumbing.com.au*, True -*.abpschriften.ch*, True -*.abqsimpkins.us*, True -*.abraham2013.tk*, True -*.abraham-isn.tk*, True -*.abrahim.com.ar*, True -*.abrasantia.com.ar*, True -*.abraunproductions.com*, True -*.abrazafarolas.net*, True -*.abrevia.es*, True -*.abrgrp.com*, True -*.abricknut.com*, True -*.abriendohorizontes.com.ar*, True -*.abrile.com.ar*, True -*.abriva.net*, True -*.abroadjobconsultancy.com*, True -*.abromasveiculos.com.br*, True -*.abrown.com.ar*, True -*.abrshipping.tk*, True -*.absacapital.com.au*, True -*.abscenter.ro*, True -*.abscissa.com.au*, True -*.absdus.com*, True -*.abselfie.co.uk*, True -*.absensiamano.com*, True -*.absfilesend.net*, True -*.absh.net.ru*, True -*.absinthe-desvallees.ch*, True -*.absk-singh.com.np*, True -*.absl.ro*, True -*.absoludicrous.com*, True -*.absolutecondos.net*, True -*.absolute.li*, True -*.absolutelyelegantevents.com*, True -*.absoluteorganizing.com*, True -*.absolutesteel.co.za*, True -*.absolutethumbshots.com*, True -*.absolutpower.ru*, True -*.absoluty-irc.org*, True -*.abstede.net*, True -*.abstinencia.org.br*, True -*.abstorage.ca*, True -*.abstracta.cl*, True -*.abstractadam.com*, True -*.abstracthack.com*, True -*.abt16.ru*, True -*.abthandyman.co.za*, True -*.abti.us*, True -*.ab-to-ski-valbella.ch*, True -*.abtravel.co.id*, True -*.abuser.eu*, True -*.abusers.eu*, True -*.abuser.tk*, True -*.abwild.net*, True -*.abw-net.de*, True -*.abwt.us*, True -*.abyfine.web.id*, True -*.abyloqs.tk*, True -*.abyrilz.cf*, True -*.abysshome.com*, True -*.abyssnet.net*, True -*.abytoo.com*, True -*.abyty.com*, True -*.ac1d.bz*, True -*.ac2.ac*, True -*.ac3in.com*, True -*.ac-880.com*, True -*.aca23.com*, True -*.aca66.com*, True -*.aca78.com*, True -*.aca87.com*, True -*.acaciablinds.com.au*, True -*.acacia-tours.com*, True -*.acacio.ch*, True -*.acacooperativa.cl*, True -*.academbaby.com*, True -*.academiaderock.ro*, True -*.academiainpact.cl*, True -*.academiapratic.com.br*, True -*.academic.org.il*, True -*.academictools.net*, True -*.academicwar.com*, True -*.academiedegolf.com*, True -*.academyjoomla.com*, True -*.academy-of-success.com*, True -*.academyoftruesuccess.com*, True -*.academypublish.org*, True -*.acadiabio.com*, True -*.acadianresearch.com*, True -*.acadiz.cl*, True -*.acadsurg.org*, True -*.acaecer.com.br*, True -*.acaeoverseas.com.au*, True -*.acalves.in*, True -*.acapulco4ever.com*, True -*.acarolabs.com*, True -*.acasa.cf*, True -*.acasacorazon.com*, True -*.acasadibacco.it*, True -*.acasadosmeusavos.tk*, True -*.acaso.tk*, True -*.a-cat.tk*, True -*.acatu.net*, True -*.acazo.com.br*, True -*.acbs.ch*, True -*.accaoriente.com.ve*, True -*.accc.sx*, True -*.accediendo.com.ar*, True -*.accelerantsystems.com*, True -*.acceleratedbusiness.com.au*, True -*.accelerationbootcamp.org*, True -*.accentusasociados.com.ar*, True -*.accesar.info*, True -*.accesofacil.com*, True -*.accesoriibarca.ro*, True -*.accesoriievent.ro*, True -*.accesorioscrespo.com.ar*, True -*.accesoriosguzman.com.ar*, True -*.access2view.co.uk*, True -*.accessaidsnetwork.com*, True -*.access-design.de*, True -*.accessdiving.ca*, True -*.accessfloor.co.id*, True -*.accessghanaplc.com*, True -*.accessmycloudpc.com*, True -*.access-nevada.com*, True -*.accessoriespanel.com*, True -*.accessorychoice.com*, True -*.access-ti.com.mx*, True -*.accesstoinfo.co.za*, True -*.accessukplc.com*, True -*.accidentalcritic.ca*, True -*.accidentdemunca.ro*, True -*.accidentedemunca.ro*, True -*.acciona-it.com.ar*, True -*.accionesacctel.com*, True -*.accionvegan.com.ar*, True -*.acclaimedexcavations.com.au*, True -*.acclaim.hk*, True -*.accmedia.ro*, True -*.accoaching.cl*, True -*.accoa.ro*, True -*.accommodation-basel.ch*, True -*.accommodation-greece.com*, True -*.acconboy.com*, True -*.ac-cons.ru*, True -*.accordtuner.com*, True -*.accountingtender.com*, True -*.accountsforitcontractors.com*, True -*.accounttaxpro.ca*, True -*.accporn.com*, True -*.accsa.ro*, True -*.accsf.cl*, True -*.acctaxexpert.ro*, True -*.acctech.com.au*, True -*.acctm.ac*, True -*.accuratefueling.com*, True -*.accurategauge.com*, True -*.acdaveiro.org*, True -*.ac-dc.gr*, True -*.acdc.gr*, True -*.acdds.ch*, True -*.acdelcofuelpumps.com*, True -*.acdi-corrections-versionii.com*, True -*.acdontop.tk*, True -*.acd.ro*, True -*.acdup.com*, True -*.acdup.info*, True -*.acdup.net*, True -*.acdup.org*, True -*.acdwsh.com*, True -*.ace-a6.com*, True -*.acebod.com*, True -*.acednet.ro*, True -*.acefsbo.com*, True -*.ace.gy*, True -*.ace-h7.com*, True -*.acehub.hk*, True -*.acehutara.com*, True -*.aceiteolivasalud.com*, True -*.aceiteseroticos.cl*, True -*.ace-kkk.com*, True -*.acelaw.co*, True -*.acelaw.info*, True -*.acelawnow.com*, True -*.acemuc.cl*, True -*.acenetpdx.com*, True -*.acepod.com*, True -*.aceproducationid.com*, True -*.acerboezequiel.com.ar*, True -*.acerbus.com*, True -*.acersahierros.es*, True -*.aces4comics.com*, True -*.acesat.com.au*, True -*.acescuela.com.ar*, True -*.acesfool.com*, True -*.acesid.com.ar*, True -*.acessonorte.com.br*, True -*.acessorioseroupasfemininas.com.br*, True -*.acesso.ws*, True -*.acessverige.se*, True -*.acetelcomm.com*, True -*.acetelecom.co.kr*, True -*.aceunexpo.net.ve*, True -*.ace-v7.com*, True -*.acevaq.com.br*, True -*.acevote.com*, True -*.ace-zzz.com*, True -*.acfa67.com*, True -*.acfasesores.com.ar*, True -*.acfilms.com.au*, True -*.acfondos.cl*, True -*.acgcotton.com*, True -*.acgtyrant.com*, True -*.acharalaw.com*, True -*.acharyaprakash.com.np*, True -*.acharyapravesh.com.np*, True -*.achatankaufauto.ch*, True -*.achievaexpress.com.au*, True -*.achieveemployment.com.au*, True -*.achievetatuape.com.br*, True -*.achille.com*, True -*.achillesandcaryl.com*, True -*.achmadrizali.com*, True -*.achoiceshop.com*, True -*.achomwiki.ir*, True -*.acho.pt*, True -*.achpnl.cl*, True -*.achupc.tk*, True -*.achupeta.pt*, True -*.acidbet.com*, True -*.acidbet.net*, True -*.aciddose.fi*, True -*.acidiq.ro*, True -*.acidsheep.net*, True -*.acidx.dj*, True -*.acifcorp.com*, True -*.acil.pw*, True -*.acil.us*, True -*.aciorg.org*, True -*.acisba.org.ar*, True -*.acis-online.org*, True -*.acis-rovigo.it*, True -*.acistec.cl*, True -*.acjt.ca*, True -*.ack7.com*, True -*.ackack.nl*, True -*.ackberger.se*, True -*.acker.com.ar*, True -*.ackerley.org.uk*, True -*.ackerl.org*, True -*.ackernecht.com*, True -*.acklenave.com*, True -*.acklenave.net*, True -*.acklenavenue.com*, True -*.acklenavenue.net*, True -*.acklenavenue.org*, True -*.acklenave.org*, True -*.ackuaf.org*, True -*.ack.ug*, True -*.acl-ch.ch*, True -*.acleblon.com.br*, True -*.aclgindonesia.com*, True -*.aclize.com*, True -*.acl.ninja*, True -*.acmartincastellucci.com.ar*, True -*.acmc.org.ar*, True -*.acmeacc.com*, True -*.acmeacres.us*, True -*.acmecorp.com.au*, True -*.acmecorporation.com.au*, True -*.acmecycle.com*, True -*.acmefinancial.ca*, True -*.acmelights.com*, True -*.acmelights.net*, True -*.acmemerch.com.au*, True -*.acmenet.co.uk*, True -*.acme-power.net*, True -*.acmerocket.org*, True -*.acmeservices.net*, True -*.acme.si*, True -*.acminho.pt*, True -*.acmnet.com.br*, True -*.acm-records.com*, True -*.acmsistem.tk*, True -*.acmsystem.cl*, True -*.acmuniformes.com.br*, True -*.acmx.cl*, True -*.acnecure.nl*, True -*.acnet.si*, True -*.ac-newleaf.info*, True -*.acninvest.cl*, True -*.acn-unsw.org*, True -*.acodb.com*, True -*.acomgrup.ro*, True -*.acom-invest.ro*, True -*.acompany.co.za*, True -*.acontraluz.cl*, True -*.acontraluzlatrilogia.com*, True -*.acopiadorescba.com.ar*, True -*.acopiadorescordoba.com.ar*, True -*.acopiomontecristo.com*, True -*.acopiosdelsur.com.ar*, True -*.acordeones.cl*, True -*.acornlabs.com.au*, True -*.acorporatebenefit.com*, True -*.acostarlogistics.com*, True -*.acotecsa.com.ar*, True -*.acotel.es*, True -*.acousauth.com*, True -*.acoustech.com.my*, True -*.acouster.org*, True -*.acousticdensity.ro*, True -*.acoustics.mobi*, True -*.acoustics.sg*, True -*.acoustiq.ro*, True -*.acozac.com.mx*, True -*.acpeneto.tk*, True -*.acpmurah.com*, True -*.acpy.ml*, True -*.acquadinamica.com.br*, True -*.acquirethedot.com*, True -*.acrab.tk*, True -*.acre.cl*, True -*.acresistance.com*, True -*.acrodil.it*, True -*.acroofing.co.nz*, True -*.acroofing.nz*, True -*.acroserv.ro*, True -*.acryliccustomworks.com*, True -*.acrylicworld.com.my*, True -*.acsappliancesolutions.com*, True -*.acsg.co.za*, True -*.acshell.net*, True -*.acsim.cl*, True -*.acsri.biz*, True -*.acsri.net*, True -*.acsri.org*, True -*.acsri.org.au*, True -*.acstechs.net*, True -*.act4u.biz*, True -*.actedeexecutare.ro*, True -*.acte-necesare.com*, True -*.actgifted.net.au*, True -*.acti.lv*, True -*.actingmania.com.ar*, True -*.actinolite.net*, True -*.actionbuildingconstruction.com*, True -*.actionglasses.net*, True -*.actiongroup.co.za*, True -*.actionoutside.com*, True -*.actionplan.net.au*, True -*.actiontherapeutics.com*, True -*.activafm.net*, True -*.activararaquara.com.br*, True -*.activasoluciones.com.ar*, True -*.activatedcommunity.com*, True -*.activatedcommunity.org*, True -*.active-ads.co.uk*, True -*.activeart.ch*, True -*.activebatteriesadelaide.com.au*, True -*.activebin.com*, True -*.active-cart.com*, True -*.activecleaning.be*, True -*.activecomponents.org*, True -*.activeconcept.org*, True -*.activeconductors.com.au*, True -*.activedefence.ru*, True -*.activedefense.ru*, True -*.activefrog.net*, True -*.activeit.com.ar*, True -*.activematrix.ro*, True -*.activetravel.pro*, True -*.activinum.ch*, True -*.activosfijos.com.ar*, True -*.activ-taekwondo.hr*, True -*.actmoscow.ru*, True -*.actontennisbubble.com*, True -*.actoranagrams.com*, True -*.actoron.com*, True -*.actoron.de*, True -*.actrix.org*, True -*.actschurch.com.au*, True -*.actsministrieschristianevangelism.org*, True -*.actsministries.org*, True -*.actspublishing.com*, True -*.actu.al*, True -*.actualconsulting.com*, True -*.actualidadrojinegra.com.ar*, True -*.actualmoviestarttime.com*, True -*.actualtraining.eu*, True -*.actualtraining.pt*, True -*.actuarialinvesting.com*, True -*.actuarim.co.il*, True -*.actu-conso.com*, True -*.acturus.si*, True -*.actwit.com*, True -*.actymotion.net*, True -*.actymotion.org*, True -*.actymotions.net*, True -*.actymotions.org*, True -*.actywave.com*, True -*.acu-comp.com*, True -*.acudir.com.ar*, True -*.acudirmail.com.ar*, True -*.acudistribution.ro*, True -*.acuile.com.br*, True -*.acumenasia.com*, True -*.acumor.co*, True -*.acunaconsulting.com*, True -*.acunaconsulting.com.au*, True -*.acupuncturaveterinara.ro*, True -*.acuthemes.com*, True -*.acuyouobgy.com*, True -*.acvd.net.au*, True -*.ac-webdev.com*, True -*.acx-outsourcing.ro*, True -*.ad2site.com*, True -*.ad5.hk*, True -*.ad89.de*, True -*.adachan.hk*, True -*.adadi.net*, True -*.adae.org*, True -*.adagio.tw*, True -*.adajawaban.com*, True -*.adaj-consulting.ch*, True -*.adaj-consulting.li*, True -*.adalagump3.com*, True -*.adaltech.ro*, True -*.adaluz.cl*, True -*.adamacord.com*, True -*.adamandandrea.org*, True -*.adamandkate.co.uk*, True -*.adamandsabrina.ca*, True -*.adamante.ro*, True -*.adamasa2u.com*, True -*.adambakalarz.pl*, True -*.adambusey.info*, True -*.adamcase.me*, True -*.adamchoate.info*, True -*.adamcirillo.net*, True -*.adamfoxman.com*, True -*.adamhaney.com*, True -*.adamhart.info*, True -*.adamhasnan.com*, True -*.adamhayward.co.uk*, True -*.adamherstein.net*, True -*.adamhitchens.com*, True -*.adamhouldsworth.com*, True -*.adamishe.com*, True -*.adamkan.com*, True -*.adamkdean.co.uk*, True -*.adam-keenan.com*, True -*.adam-keenan.net*, True -*.adamlikdini.com*, True -*.adammarek.net*, True -*.adammcelwee.com*, True -*.adam-modellbau.pl*, True -*.adam.mx*, True -*.adamnkasey.com*, True -*.adamnorbut.com*, True -*.adamparsons.id.au*, True -*.adampaulshere.com*, True -*.adamplato.com*, True -*.adampoirier.com*, True -*.adampowell.org.uk*, True -*.adamrafalovich.com*, True -*.adamroderick.com*, True -*.adamrozen.com*, True -*.adamrparsons.com*, True -*.adamrparsons.net*, True -*.adamsalem.com*, True -*.adamsaliu.com*, True -*.adamsbeerblog.com*, True -*.adamschleser.com*, True -*.adams-file-cloud.tk*, True -*.adamsitsolutions.com*, True -*.adamsitsolutions.net*, True -*.adamsnet.info*, True -*.adamsoft.com.br*, True -*.adamspringerart.com*, True -*.adamstrom.com*, True -*.adamusic.hk*, True -*.adamwalter.co.uk*, True -*.adamwestbrook.com*, True -*.adanaslaw.com*, True -*.adanet.es*, True -*.adanyevaneuquen.com.ar*, True -*.adaolino.com.br*, True -*.adaonatal.com*, True -*.adaone.com*, True -*.adapazar.tk*, True -*.adapterarquitetura.com*, True -*.adaptiveco.com*, True -*.adaptivewave.net*, True -*.adaptto.com.au*, True -*.adapuisi.web.id*, True -*.adasac.com*, True -*.adatfelvetel.eu*, True -*.adauto.ml*, True -*.adblue-argentina.com.ar*, True -*.adbrain.ro*, True -*.ad-bt.de*, True -*.adcash.sg*, True -*.adcastro.com.ar*, True -*.adcdr.ro*, True -*.adcenter.lt*, True -*.ad-chain.com*, True -*.ad-couture.com*, True -*.adcsapem.com.ar*, True -*.add2balance.asia*, True -*.add2balance.com*, True -*.add2balance.info*, True -*.addbyte.com*, True -*.add.co.id*, True -*.addedly.ca*, True -*.addedly.com*, True -*.adderallogy.com*, True -*.addictedto.cf*, True -*.addictedtomarijuana.org*, True -*.addictedtotheinter.net*, True -*.addiction-psychiatrist.com*, True -*.addiction-tests.com*, True -*.ad-digdaya.com*, True -*.addisneypins.com*, True -*.add-me.ga*, True -*.addmp3.info*, True -*.addondigital.co.za*, True -*.addooco.com*, True -*.addooco.co.uk*, True -*.addoocogroup.com*, True -*.addoocogroup.co.uk*, True -*.addplus.cl*, True -*.addpr.ru*, True -*.addressforaperson.net*, True -*.addtemptattoos.com*, True -*.addtomy.com*, True -*.addtomy.net*, True -*.addurad.com*, True -*.adealova1.ml*, True -*.ade.dj*, True -*.adegepp.org*, True -*.adegle.com*, True -*.adelaidebbs.net*, True -*.adelaide-best-restaurant.com*, True -*.adelaideren.net*, True -*.adelaide-rollerdoors.com.au*, True -*.adelaide-swimming-pools.com*, True -*.adelaide-swimming-pools.com.au*, True -*.adelaide-water-tanks.com*, True -*.adelaide-water-tanks.com.au*, True -*.adelaide-wedding-venues.com*, True -*.adelamicu.ro*, True -*.adele.pro*, True -*.adeliatronik.com*, True -*.ad-ella.ro*, True -*.adelmed.net.ve*, True -*.ade.lu*, True -*.adempiere-id.org*, True -*.adenfinizzola.com.ar*, True -*.adentse.com*, True -*.ade.or.id*, True -*.adepab.net*, True -*.adepoju.org*, True -*.adeptio.net.au*, True -*.adeptsuper.com*, True -*.adeptsuper.com.au*, True -*.adesa-lacteos.com.ar*, True -*.ade.sexy*, True -*.adesivete.com.br*, True -*.adesivoartesanal.com.br*, True -*.adesivosimpressos.com.br*, True -*.adeuropa.org*, True -*.adevar.net*, True -*.ade.web.id*, True -*.ade.wtf*, True -*.adf.lu*, True -*.adf.lv*, True -*.adforte.com*, True -*.adforte.lv*, True -*.adfs.com.br*, True -*.adfuzion.com.au*, True -*.adgsoftware.com*, True -*.adgs.ro*, True -*.adheee.tk*, True -*.adheeshnsupreet.com*, True -*.ad-here.biz*, True -*.adialbrasil.com.br*, True -*.adialbrasil.org.br*, True -*.adi-andrei.ro*, True -*.adictos.cl*, True -*.adie.ga*, True -*.adigunakaryascaffolding.com*, True -*.adihofer.ch*, True -*.adijaya.com*, True -*.adilqureshi.ca*, True -*.adina.ee*, True -*.ad-info.ch*, True -*.adi.ninja*, True -*.adipascu.ro*, True -*.adipeq.cl*, True -*.adipur.com*, True -*.adiq.pl*, True -*.adirca.com.ar*, True -*.adirondack-chair-kit.co.uk*, True -*.adirondack-chair-plans.co.uk*, True -*.adirondackpc.com*, True -*.adisen.net*, True -*.adistra.cl*, True -*.adistra.com*, True -*.adisuter-kundenmaurer.ch*, True -*.adis.web.id*, True -*.aditeginstruments.com*, True -*.aditia.info*, True -*.aditiya.tk*, True -*.adityabhushan.com*, True -*.adityadhara.com*, True -*.aditya-host.tk*, True -*.adivinaquienvieneacomer.com*, True -*.adix.com*, True -*.adjacentminds.com*, True -*.adjectivenoun.ca*, True -*.adjiamoor.tk*, True -*.adjiprasetyo.com*, True -*.adjustableclubs.com*, True -*.adjustableme.com*, True -*.adkkr.pl*, True -*.adkris.eu*, True -*.ad-le.com*, True -*.adler.com.au*, True -*.adlercompserv.com*, True -*.adler.id.au*, True -*.adler-llc.com*, True -*.adlush.com*, True -*.admain.cl*, True -*.adma.info*, True -*.admarco.com*, True -*.admarco.se*, True -*.admaxon.com*, True -*.adm-d.net*, True -*.admediakit.com*, True -*.admedicainvest.ro*, True -*.admfleet.com*, True -*.admieshuhada.com*, True -*.admin24.ro*, True -*.admin30.ru*, True -*.adminaustral.com.ar*, True -*.admin.com.ar*, True -*.admingroup.com*, True -*.adminiptvpanel.com*, True -*.administracionglobal.com*, True -*.administracionintegral.cl*, True -*.administrador-confiavel.eu*, True -*.administrarv.cl*, True -*.administratooor.info*, True -*.admin-love.com*, True -*.adminmedia.ro*, True -*.adminsguide.com*, True -*.admirals-recruitment.com*, True -*.admirationtheatre.com*, True -*.admirationtheatre.co.uk*, True -*.admireworkplacesafety.com.au*, True -*.adm.pp.ru*, True -*.admpublico.com.br*, True -*.admro.ro*, True -*.admsl.com.ar*, True -*.admurbanas.com.ar*, True -*.admyz.cc*, True -*.adn2.net*, True -*.adnanraja.com*, True -*.adnet.ch*, True -*.adoar.me*, True -*.adobel.tk*, True -*.adobestore.co.za*, True -*.adobra.cl*, True -*.adolar.ch*, True -*.adoldoma.in*, True -*.adoldomain.net*, True -*.adoldomain.us*, True -*.adolfodominguez.cl*, True -*.adolma.in*, True -*.adol.ninja*, True -*.adomum.gr*, True -*.adonaros.com*, True -*.adonde.pl*, True -*.adonghome.com*, True -*.adonis.pt*, True -*.adoptarunamascota.com*, True -*.adorei.com.ar*, True -*.adoropromocoes.com.br*, True -*.ador.sg*, True -*.adoubleu.de*, True -*.adpdigital.ir*, True -*.adpestandweed.co.za*, True -*.adplug.org*, True -*.adplus.cl*, True -*.adplusmobile.com*, True -*.adquira.mx*, True -*.adrenalina.si*, True -*.adrenalin-backpackers-hostel.ch*, True -*.adrenalin.cl*, True -*.adrenalin-dev.net*, True -*.adrenalin-kemerovo.ru*, True -*.adre-sin.com*, True -*.adre-win.com*, True -*.adria-bonus.com*, True -*.adrianabonsai.com.ar*, True -*.adrianagillett.com*, True -*.adrian.at*, True -*.adrianato.com.br*, True -*.adrianbird.com*, True -*.adrianbird.co.uk*, True -*.adrianbird.net*, True -*.adrianbird.org*, True -*.adrianbona.com.ar*, True -*.adriandumitrascu.ro*, True -*.adrianluong.com*, True -*.adrianmendes.com.ar*, True -*.adrianofreire.com*, True -*.adrianoprea.ro*, True -*.adrianos.org*, True -*.adrianpascual.com.ar*, True -*.adrianpp.ro*, True -*.adrianropotan.ro*, True -*.adrianscotti.com*, True -*.adrianycho.com*, True -*.adria-protocol.ro*, True -*.adrienneshih.com*, True -*.adrienvb.com*, True -*.adril.com.ar*, True -*.adrocks.bz*, True -*.adsadadasdas.com*, True -*.adsanjal.com*, True -*.adsauctions.com*, True -*.adsb-concentrator.ch*, True -*.adsclasificados.com.ar*, True -*.adsclick-free.tk*, True -*.adsd.ro*, True -*.adsensewithandi.com*, True -*.ad-server.ch*, True -*.adservlet.com*, True -*.adsex.es*, True -*.adshare.com.ar*, True -*.ads.hk*, True -*.adshoppeevents.com*, True -*.adsicks.com*, True -*.adslmodem.co.za*, True -*.adslmodems.co.za*, True -*.ads-master.ru*, True -*.adsmate.net*, True -*.ad-soft.hu*, True -*.adsoluk.com*, True -*.adsonmail.com*, True -*.adsontherun.ca*, True -*.adsorbtion.org*, True -*.adspec.com*, True -*.adspot.pk*, True -*.adspro.tk*, True -*.adss.ga*, True -*.adssolutions.tk*, True -*.a-dte.com*, True -*.adtit.com.au*, True -*.adtpdn.com*, True -*.adtserv.com.au*, True -*.aduansisa.my*, True -*.aduhaii.net*, True -*.adultfantasyhd.com*, True -*.adultfriendfinders.co.za*, True -*.adultlinkcenter.com*, True -*.adultloving.hk*, True -*.adultmaintube.com*, True -*.adult-picture.com*, True -*.adultporntubes.com*, True -*.adulttoolsandtoys.com*, True -*.adulttoybox.biz*, True -*.adult-zona.net*, True -*.adusp.ro*, True -*.advanceconsulting.ro*, True -*.advancedautoracing.com*, True -*.advancedbusinessitsolutions.com.au*, True -*.advancedelevator.ca*, True -*.advancedhabits.com.au*, True -*.advancedpretend.com*, True -*.advancedpretend.org*, True -*.advancedskincare.ie*, True -*.advancedwindowsdefense.com*, True -*.advancedwindowsdefense.com.au*, True -*.advancemaintenance.com*, True -*.advanceot.com.au*, True -*.advance-retail.com*, True -*.advaniengineering.com*, True -*.advantagebusinesscards.com*, True -*.advantagehomeimprovements.com*, True -*.advantage.web.id*, True -*.advento.com*, True -*.adventurealex.com*, True -*.adventurefitness.co.za*, True -*.adventuregameclub.com*, True -*.adventure-holidays.co.za*, True -*.adventure-racing.co.za*, True -*.adventure-rafting.si*, True -*.adventuresincode.net*, True -*.adventuresinmommysitting.com*, True -*.adventuresinsysctr.net*, True -*.adventusa.net*, True -*.adverpost.com*, True -*.adverspew.com*, True -*.adverthinking.com*, True -*.advertiseinslovenia.si*, True -*.advertising-agency.si*, True -*.advertisingagency.si*, True -*.advertising.si*, True -*.advertizing.si*, True -*.advertu.com*, True -*.advg.ch*, True -*.advies.cl*, True -*.adviseur.ro*, True -*.advisornews.net*, True -*.advisors-ao.com*, True -*.advm18.com*, True -*.advm88.com*, True -*.advocaatdewilder.be*, True -*.advocaciabrasilia.adv.br*, True -*.advocaciala.com.br*, True -*.advocum.com*, True -*.advogado-rapido.com*, True -*.advogadoscuritiba.adv.br*, True -*.advogadosorocaba.adv.br*, True -*.advokatam.lv*, True -*.advokatorlova.ru*, True -*.advokatur-schnyder.ch*, True -*.adv.org.ua*, True -*.advr.cf*, True -*.advr.ml*, True -*.advsolutionhere.eu*, True -*.advtelematic.com*, True -*.adware.cf*, True -*.adware.ml*, True -*.adwb.ru*, True -*.adwokat-szarmach.pl*, True -*.adyco.ir*, True -*.adygeia.ru*, True -*.ady-int.com*, True -*.adysdevstuff.com*, True -*.adyspeed.com*, True -*.adzeitor.tk*, True -*.adziner.com*, True -*.adzrif.my*, True -*.ae2015.net*, True -*.ae3.info*, True -*.ae7tk.com*, True -*.aeacus.xyz*, True -*.aealbertosampaio.pt*, True -*.aeba.li*, True -*.aebigilbert.ch*, True -*.aebrasil.com*, True -*.aebtech.com.br*, True -*.aecbk.com*, True -*.a-economics.com*, True -*.a-economics.ru*, True -*.ae-consulting.ro*, True -*.aedifice.net*, True -*.aedis.one.pl*, True -*.aedu.ninja*, True -*.ae-ea.us*, True -*.aee.sk*, True -*.ae-fafe.pt*, True -*.aegee-ljubljana.org*, True -*.aegesware.com*, True -*.aegisbuildingsciencesinc.ca*, True -*.aegisflightsystems.com*, True -*.aegis-office.com.ar*, True -*.aegisproperty.ca*, True -*.aeiou.net.br*, True -*.aeipi.net*, True -*.aejmcsantiago.cl*, True -*.aelearning.ro*, True -*.aelmos.ro*, True -*.ae-mc.tk*, True -*.aemde.tv*, True -*.aemon.com*, True -*.aemx.tk*, True -*.aen.su*, True -*.aeonlives.com*, True -*.aeon-x.info*, True -*.aep.hk*, True -*.aepiese.info*, True -*.aequilibriumvitae.cl*, True -*.aer0.com*, True -*.aerator-mto2.com*, True -*.aercliminstal.ro*, True -*.aergus.tk*, True -*.aerobaticworld.ch*, True -*.aerobik.ro*, True -*.aerocompara.com*, True -*.aeroeng.net*, True -*.aerofarma.com.ar*, True -*.aero-film.ro*, True -*.aerofitstudio.com*, True -*.aerofitstudio.net*, True -*.aeroflexjakarta.com*, True -*.aerofood.info*, True -*.aerohive.asia*, True -*.aeroholics.cf*, True -*.aerohunter.cn*, True -*.aerohunter.net*, True -*.aeroklubi.ee*, True -*.aerolus.eu*, True -*.aeromodele.ro*, True -*.aeromotivefuelpumps.com*, True -*.aeronhomebrew.co.uk*, True -*.aeronsilkscreen.com*, True -*.aero-pulsa.com*, True -*.aeroradardf.tk*, True -*.aeroshield.com.my*, True -*.aerosox.cf*, True -*.aerosox.tk*, True -*.aerospeed.co.uk*, True -*.aerotaxi.cl*, True -*.aerotraining.cn*, True -*.aerovance.com*, True -*.aerovin.ga*, True -*.aerovista.com.ar*, True -*.aerwear.com*, True -*.aerwear.ro*, True -*.aesa.mx*, True -*.aesas.pt*, True -*.aesinc.org*, True -*.aesthetic.hk*, True -*.aetarot.com*, True -*.aetasdesigns.com*, True -*.aetcf.pt*, True -*.aetech.ru*, True -*.aetherair.net*, True -*.aetherim.com*, True -*.aetherwerks.com*, True -*.aetherwerks.net*, True -*.aetherwerks.org*, True -*.aetvbrasil.com*, True -*.aeu.ro*, True -*.aeycia.cl*, True -*.af1.co.za*, True -*.afaa.it*, True -*.afaceriimobiliarero.ro*, True -*.afacerionline.info*, True -*.afamar.com.br*, True -*.afamilybook.org*, True -*.afamilytreeandbrush.com*, True -*.afa.moe*, True -*.afar-online.net*, True -*.afatour.biz*, True -*.afautowash.com*, True -*.afazenda2014aovivo.com*, True -*.afazenda7.com*, True -*.afccduplication.com*, True -*.afcco.com.ar*, True -*.afccsocial.com*, True -*.af.com.tr*, True -*.afdsaf.de*, True -*.afeef.my*, True -*.afelab.net*, True -*.afema.com.ar*, True -*.afe-monitoring.tk*, True -*.afengenharia.com*, True -*.aferg.com*, True -*.affable-lurking.org*, True -*.affactive.biz*, True -*.affafa.nl*, True -*.affair.ga*, True -*.affanetjaya.tk*, True -*.affen.com.ar*, True -*.affieskitchen.com*, True -*.affiliateprofitreviews.com*, True -*.affinaz.ru*, True -*.affinionmobile.com*, True -*.affinionmobile.mobi*, True -*.affittareimoveis.com.br*, True -*.affleckonline.co.uk*, True -*.affordabledesignerjeans.com*, True -*.affordablejoinery.com.au*, True -*.affordablejuice.com*, True -*.affordable-tiling.co.uk*, True -*.afhii.tk*, True -*.afiebig.cl*, True -*.afiga.com.mx*, True -*.afiles.tk*, True -*.afilgueiras.com.br*, True -*.afiliadosgp.com.ve*, True -*.afinastom.ru*, True -*.afincor.com.ar*, True -*.afitourtravel.net*, True -*.afk.la*, True -*.aflavremea.com*, True -*.a-fleur-de-pot.ch*, True -*.aflocal.com*, True -*.aflora.cl*, True -*.aflora.net*, True -*.afmarino.com*, True -*.afmini.com*, True -*.afoncinacastro.com.br*, True -*.afonk.com*, True -*.afoolonahill.com*, True -*.afoolwithnohill.com*, True -*.afoolwithoutahill.com*, True -*.afoolwithoutthehill.com*, True -*.aforce.io*, True -*.a-ford-able-auto.com*, True -*.a-ford-ableauto.com*, True -*.aforumforall.com*, True -*.afphila.com*, True -*.afproducciones.com.mx*, True -*.afps.com.au*, True -*.aframalho.com*, True -*.afrashteh.com*, True -*.afree.eu*, True -*.afree.it*, True -*.afrian.us*, True -*.africaddy.com*, True -*.africafirst.co.za*, True -*.africanbutterflies.co.za*, True -*.africandmore.ch*, True -*.africanewsnet.com*, True -*.africanlions.co.uk*, True -*.africantravelconcept.co.za*, True -*.africargo.net*, True -*.africarise.ga*, True -*.africarise.ml*, True -*.africa-service-desk.com*, True -*.afridyne.co.za*, True -*.afrik1.com*, True -*.afrikabirth.co.za*, True -*.afrinet.com*, True -*.afrioni.web.id*, True -*.afrivation.com*, True -*.afrivation.co.za*, True -*.afr.net.ru*, True -*.afro2.com.br*, True -*.afshin.ir*, True -*.afs-reisebuero.at*, True -*.afssantiago.cl*, True -*.afterdarkdvl.tk*, True -*.afterdark.info*, True -*.afterdark-kopi.tk*, True -*.afterdarkproxy.tk*, True -*.aftereffectindo.com*, True -*.afterhack.com*, True -*.afterhours-undernet.net*, True -*.afterhours-undernet.org*, True -*.afterhrspc.com*, True -*.after-like.biz*, True -*.afterparty.lt*, True -*.after-reply.com*, True -*.afterschoolemployment.com*, True -*.afterthebeep.us*, True -*.afterthefallthebook.com*, True -*.afterthehype.net*, True -*.aftertheoffer.com*, True -*.afterwater.com*, True -*.aftproduct.com*, True -*.aftqw-rt12ve.com*, True -*.aftran.com*, True -*.a-full.cl*, True -*.afutal.cl*, True -*.afvallenutrecht.nl*, True -*.afyahorttherapy.ca*, True -*.afzalan.ir*, True -*.afzc-trading.com*, True -*.againsthesky.com*, True -*.againsthesky.net*, True -*.against-lust.gq*, True -*.agam-konslet.com*, True -*.agan-tichon.co.il*, True -*.agapeprc.org*, True -*.agapesafety.com*, True -*.agapeshelties.com*, True -*.agathe-loeliger.ch*, True -*.agauchat.ch*, True -*.agaveblue.net*, True -*.agbase.nz*, True -*.agbit.com.ar*, True -*.agbox.ga*, True -*.agchxci.co.uk*, True -*.agcm.ch*, True -*.agecar.com.br*, True -*.agecco.ro*, True -*.ageep.ch*, True -*.agelogistics.net*, True -*.agen77.com*, True -*.agenabbelectricmotor.com*, True -*.agenbatupermata.com*, True -*.agenbunga.com*, True -*.agencedemartinique.com*, True -*.agenchainbeltpulley.com*, True -*.agenciacoopcba.com.ar*, True -*.agenciaid.com.br*, True -*.agencialinksearch.com.br*, True -*.agenciaole.cl*, True -*.agenciasharebrasil.com.br*, True -*.agenciasuperia.com.br*, True -*.agenciaustral.cl*, True -*.agencom.net*, True -*.agenconveyorbeltpart.com*, True -*.agencoupling.com*, True -*.agencyscams.org*, True -*.agencytr.ru*, True -*.agendasiswa.com*, True -*.agendatuhora.cl*, True -*.agendavetera.cl*, True -*.agendda.net*, True -*.agendosa.com*, True -*.agen-editing.cf*, True -*.agenelectricmotor.com*, True -*.agengearboxreducermotor.com*, True -*.agenjudicasino.biz*, True -*.agenkeziaskinexpert.com*, True -*.agenkran.com*, True -*.agenpipa.com*, True -*.agenpipapvc.com*, True -*.agenpompa.com*, True -*.agen-pulsa.com*, True -*.agenpumpindustri.com*, True -*.agensiemenselectricmotor.com*, True -*.agentabitaori.com*, True -*.agentabungpemadam.com*, True -*.agentcasinoterbesar.com*, True -*.agentecomunitario.com.br*, True -*.agenteddie6.info*, True -*.agentenda.com*, True -*.agentesaduanales.org*, True -*.agentesaduanales.org.mx*, True -*.agentninenine.com*, True -*.agentnotes.com*, True -*.agentrafo.com*, True -*.agentsdata.com.au*, True -*.agentsnetwork.com.au*, True -*.agentsolo.cf*, True -*.agentsparrow.com*, True -*.agentsubakichaintransmision.com*, True -*.agent.tw*, True -*.agentwang.com*, True -*.agenziadesign.com*, True -*.ageofdarkness.com.br*, True -*.ageofsalvo.com*, True -*.ager-service.ro*, True -*.agespri.cl*, True -*.agevolajob.com*, True -*.agevolajob.eu*, True -*.agevolajob.info*, True -*.agevolajob.it*, True -*.agevolajob.net*, True -*.agevolajob.org*, True -*.agevolassunzioni.com*, True -*.agevolassunzioni.eu*, True -*.agevolassunzioni.info*, True -*.agevolassunzioni.it*, True -*.agevolassunzioni.net*, True -*.agevolassunzioni.org*, True -*.agez.cl*, True -*.aggerexpress.ro*, True -*.agger.ro*, True -*.aggie.us*, True -*.aghanajafi.ir*, True -*.aghayev.com*, True -*.aghbaba.ir*, True -*.aghdai.net*, True -*.aghdam.org*, True -*.aghdasieh.ir*, True -*.aghdassieh.ir*, True -*.agila.com.br*, True -*.agiledevelopmenthouse.com*, True -*.agiledevelopmenthouse.com.br*, True -*.agiledh.com*, True -*.agiledh.com.br*, True -*.agilemedia.ro*, True -*.agilemeetup.com*, True -*.agilementor.us*, True -*.agile-pmo.ca*, True -*.agile-qa.com*, True -*.agile-quality.com*, True -*.agile.sg*, True -*.agiletechworks.com*, True -*.agilitychilcoa.cl*, True -*.agilityphotography.co.uk*, True -*.agilleservicos.com.br*, True -*.agincourt.cl*, True -*.agito-inc.info*, True -*.aglaglobal.com*, True -*.aglet.ml*, True -*.agl.hk*, True -*.aglopp.com*, True -*.aglot.com*, True -*.agmasesora.com*, True -*.agma.tk*, True -*.agmerparana.com*, True -*.agmet.ie*, True -*.agmlabs.com*, True -*.agnelz.com*, True -*.ag-ngawi.com*, True -*.agnish.com*, True -*.agnitio.com.ar*, True -*.agnos.is*, True -*.agnoster.com*, True -*.agnoster.net*, True -*.agnusdei.org.uk*, True -*.ago2525.com*, True -*.ago-hot.com*, True -*.agony.lv*, True -*.agoraarquitectos.cl*, True -*.agorafoto.ro*, True -*.agora-rewards.com*, True -*.agos-ti.com.ar*, True -*.agostoweb.com.ar*, True -*.agotek.cl*, True -*.agotsch.com*, True -*.agpmc.com*, True -*.agpower.ch*, True -*.agpp.ir*, True -*.agrandyear.com*, True -*.agricolalosmolinos.cl*, True -*.agricultura.ml*, True -*.agrimensuradp.com.ar*, True -*.agrinvert.com*, True -*.agriproject.pt*, True -*.agri-sense.com*, True -*.agrisurf.com*, True -*.agrisurfer.com*, True -*.agritech.co.id*, True -*.agrivirtual.com.ar*, True -*.agroalba.net*, True -*.agrobrava.ro*, True -*.agrocarrizalgourmet.com*, True -*.agroceperos.es*, True -*.agrochagual.cl*, True -*.agroconcept.cl*, True -*.agrocortex.com*, True -*.agroindustrial-leon.com.ar*, True -*.agroindustriayehuch.com.mx*, True -*.agroinvestprojetos.com.br*, True -*.agro-land.ch*, True -*.agrolider.net*, True -*.agromac.co.uk*, True -*.agromaxconsulting.com.au*, True -*.agromonitoreo.cl*, True -*.agronomica.cl*, True -*.agronoptics.com*, True -*.agropartener.ro*, True -*.agropartes.com.ar*, True -*.agropeople.ru*, True -*.agroplantaschile.cl*, True -*.agroportal.com.ar*, True -*.agro-pravo.ru*, True -*.agroquen.cl*, True -*.agrorevivir.com.ar*, True -*.agroservicios.cl*, True -*.agrotrail.com*, True -*.agrovera.cl*, True -*.agrozabala.cl*, True -*.agruca.com*, True -*.agrund.eu*, True -*.agrupacion2611.com.ar*, True -*.agrupamentobragaoeste.pt*, True -*.agsart.com.au*, True -*.agstor.com*, True -*.agstudio.com.my*, True -*.agtex.co.id*, True -*.ag-thp.de*, True -*.aguaelcielo.com*, True -*.aguanuestra.com.ar*, True -*.aguasdoporto.pt*, True -*.aguero.com.au*, True -*.aguijon.com.mx*, True -*.aguilarbrokers.com*, True -*.aguirrealcaino.cl*, True -*.aguirre-quiropraxia.com.ar*, True -*.agunguntur.net*, True -*.agungweb.asia*, True -*.agusanz.tk*, True -*.agus.asia*, True -*.agusdarlis.com*, True -*.aguspwj1.tk*, True -*.agustyar.com*, True -*.aguswidianto.com*, True -*.agus-x.mx*, True -*.aguyandtwocats.com*, True -*.agvance.com.ar*, True -*.agveiculoscasca.com.br*, True -*.agvis.ro*, True -*.agvnet.com.ar*, True -*.agwsoft.com*, True -*.agyouthcenter.com*, True -*.ahandyman.co.za*, True -*.ahapic.com*, True -*.ahard.info*, True -*.ahard.name.tr*, True -*.aharvey.co.uk*, True -*.ah-bonn.de*, True -*.ahdippe.org*, True -*.aheadofthethreat.com*, True -*.ahearnnation.com*, True -*.ahess.com*, True -*.ahhhitburns.com*, True -*.ahisat.ml*, True -*.ahliasia.com.my*, True -*.ahlikolamrenang.com*, True -*.ahlinyakulit.com*, True -*.ahlitenda.com*, True -*.ah-lui.com*, True -*.ahlussunnah.web.id*, True -*.ahmadhisyam.my*, True -*.ahmadnia.net*, True -*.ahmadreza-r.ir*, True -*.ahmadsabouri.ir*, True -*.ahmc.com*, True -*.ahmed.com.pk*, True -*.ahmed.ga*, True -*.ahmetbutun.com*, True -*.ahm.gen.tr*, True -*.ahmusyadek.tk*, True -*.ahneus.fi*, True -*.ahoeab.org*, True -*.ahorrafacturamovil.com*, True -*.ahorreagua.cl*, True -*.ahorroaireproyectos.com.ar*, True -*.ahorrofacturamovil.com*, True -*.ahoui.ch*, True -*.ahoy.co.il*, True -*.ahoyhosting.net*, True -*.ahpan.com*, True -*.ahrinia.net*, True -*.ahsiu.net*, True -*.ahs.my*, True -*.ahsong.net*, True -*.ahssu.org*, True -*.aht.co.il*, True -*.ahucacino.cf*, True -*.ah.waw.pl*, True -*.ahwaz.org*, True -*.ahyane.com*, True -*.ai-101.com*, True -*.ai2.in*, True -*.aiallanaengkurla.com*, True -*.aias-adonis.com*, True -*.aiassistant.com*, True -*.aiaudine.it*, True -*.aibe.co*, True -*.aichi.me*, True -*.aichra.pl*, True -*.aici-acum-noi.ro*, True -*.aiconsby.com*, True -*.aidachat.com*, True -*.aidai.ch*, True -*.aidaid.me*, True -*.aidaislamie.com*, True -*.aidananderson.com*, True -*.aidangent.net*, True -*.aidanwilson.com*, True -*.aidbaevents.org*, True -*.aidbayarea.org*, True -*.aideaz.com*, True -*.aidednd.info*, True -*.aidework.com*, True -*.aidoncall.com*, True -*.aids-hearing.com*, True -*.aiducation.co.uk*, True -*.aiducation.de*, True -*.aiducation-international.org*, True -*.aiducation.net*, True -*.aiducation.org*, True -*.aiducation.us*, True -*.ai-engineering.ro*, True -*.a-i-e.tk*, True -*.aiew77.com*, True -*.aifomedivinopolis.com.br*, True -*.aifos.cl*, True -*.aigiangho.com*, True -*.aigle-taxi.ch*, True -*.aigtv.com*, True -*.aiguesvic.cat*, True -*.aihua.com.au*, True -*.aiiaonline.org*, True -*.aiiatoday.org*, True -*.aiinformatics.ro*, True -*.aiipay.com*, True -*.aiiyah.org*, True -*.aikaforum.com.br*, True -*.aiken-drum.org*, True -*.aikido-bucuresti.ro*, True -*.aikidowarrior.com*, True -*.aikido-way.com*, True -*.aiko.cf*, True -*.aiko.in*, True -*.ai-labo.org*, True -*.ailani.nz*, True -*.ailan.ru*, True -*.aileenleswedding.com*, True -*.ailefi.net.ve*, True -*.ailem.cl*, True -*.aileron.co.za*, True -*.ailes-anciennes.org*, True -*.ailesdefeu.com*, True -*.ailin.org*, True -*.ailn99.com*, True -*.aimaretti.com.ar*, True -*.aimarettisa.com.ar*, True -*.aimaroyasociados.com.ar*, True -*.aimchemical.com*, True -*.aimkitchener.ca*, True -*.aimless-adventure.com*, True -*.ainet.com.ar*, True -*.aingonline.com*, True -*.aing.pro*, True -*.aink.cf*, True -*.ainosbicycles.gr*, True -*.aintno.info*, True -*.ainun-najib.info*, True -*.aiogames.com*, True -*.aioncataclysm.com*, True -*.aion.ga*, True -*.aion-online.ro*, True -*.aionstuff.ru*, True -*.aionwars.com*, True -*.aioo.be*, True -*.aioobe.net*, True -*.aioobe.org*, True -*.aioobe.se*, True -*.aios.space*, True -*.aioupload.com*, True -*.aipersona.com*, True -*.aiplab.net*, True -*.aipllc.org*, True -*.aipotu.li*, True -*.aipromoter.com*, True -*.airadeevakendari.com*, True -*.airadeevapekalongan.com*, True -*.airadeevaskincare.com*, True -*.airadeevategal.com*, True -*.airasiapromotion.org*, True -*.airassistant.com*, True -*.airaway.biz*, True -*.air-bagan.com*, True -*.air-bagan.net*, True -*.air-bagan.org*, True -*.airbook.ch*, True -*.airbyte.net*, True -*.air-compressor.tw*, True -*.airconceptsa.ch*, True -*.airconditioningservices.co.za*, True -*.aircontrol.aero*, True -*.aircontrol.kz*, True -*.air-cooled.club*, True -*.aircor.cl*, True -*.aircraft-avoid.com*, True -*.aircraftdesign.ca*, True -*.airdesk.com.au*, True -*.aireco.com.ar*, True -*.airedalecatering.co.uk*, True -*.aires.com.ar*, True -*.airetratamiento.com.ar*, True -*.airg.cf*, True -*.airg.ga*, True -*.airgloor.ch*, True -*.airg.ml*, True -*.airgom.be*, True -*.airincobain.tk*, True -*.airiononics.com.au*, True -*.airizarrylaw.com*, True -*.airlinemeals.net*, True -*.airlinetravelluggage.com*, True -*.airlogpro.com*, True -*.airlogpro.co.uk*, True -*.air-mandalay.com*, True -*.air-mandalay.net*, True -*.airmec.com.tr*, True -*.airovate.com*, True -*.airovate.com.au*, True -*.airpack.tw*, True -*.airplaneticket.ir*, True -*.airports.fi*, True -*.airscapemedia.com.au*, True -*.airshipchronicles.com*, True -*.airshipchronicles.net*, True -*.airshipchronicles.org*, True -*.airsi.de*, True -*.airsilven.com.ar*, True -*.airsoftgearmegastore.com*, True -*.airsoft-gear.ro*, True -*.airsoftgear.ro*, True -*.airsoftgunsuperstore.com*, True -*.airsoft-info.ro*, True -*.airsoft-kameleon.com*, True -*.airsolutions.cl*, True -*.airstreamottawa.ca*, True -*.airstudionet.com*, True -*.airswimmersmag.com*, True -*.airtac-plastic.com*, True -*.airtexfuelpumps.com*, True -*.airticket.lt*, True -*.airtrackaustralia.com.au*, True -*.airtrack.co.nz*, True -*.airtrack.net.au*, True -*.airtrack.net.nz*, True -*.airwalk.tk*, True -*.airwan.com.ar*, True -*.airwise.cl*, True -*.airza.net*, True -*.aisaka-taiga.com*, True -*.aisa.org.ar*, True -*.aisasgroup.co*, True -*.aisasgroup.com*, True -*.aisasgroup.info*, True -*.aisasgroup.net*, True -*.aisasgroup.org*, True -*.aiscom.ch*, True -*.aisconsia.com*, True -*.aise.asia*, True -*.aishchweblog.tk*, True -*.aislantesnuevaera.com.ar*, True -*.aisle365.us*, True -*.aiso.cl*, True -*.aispilot.com*, True -*.ais-salzburg.at*, True -*.aistis.com*, True -*.aistis.com.au*, True -*.aistis.org*, True -*.aistis.org.au*, True -*.aisy.cf*, True -*.aitchar.com.ar*, True -*.aithala.com*, True -*.aitlifesafety.net*, True -*.ait.org.au*, True -*.aitps.com.au*, True -*.aitradecraft.com*, True -*.aiue.se*, True -*.ai-visual.com*, True -*.aiwintec.com*, True -*.aixos.com.mx*, True -*.aixperts.net*, True -*.aiyo.com.br*, True -*.ai-zoom.ru*, True -*.aj3t.com*, True -*.aj81.net*, True -*.a-jablonski.com*, True -*.ajadi.org*, True -*.ajalo.com*, True -*.ajatar.org*, True -*.a-j-a-u.de*, True -*.ajaymaharaj.co.za*, True -*.ajazu.com*, True -*.ajcapital.co.id*, True -*.ajclarke.co.uk*, True -*.ajcloud.gq*, True -*.ajcqualityassurance.com*, True -*.ajcqualityassurance.co.uk*, True -*.ajctm.ac*, True -*.ajedrezjubilado.com.ar*, True -*.ajedrezmania.com*, True -*.ajedrezparatodos.com.ar*, True -*.ajeproducts.com*, True -*.ajgabogados.com.ar*, True -*.ajgdistributors.com.au*, True -*.ajhams.com*, True -*.ajh.id.au*, True -*.ajhurst.org*, True -*.ajib.ga*, True -*.ajib-on.tk*, True -*.aji.ch*, True -*.ajipr.cf*, True -*.ajireza.org*, True -*.ajisvpn.ga*, True -*.ajitbaral.com.np*, True -*.ajitent.com*, True -*.ajj-showa.com*, True -*.ajjshowa.com*, True -*.ajkair.com.au*, True -*.ajlanderos.com*, True -*.ajmdconsulting.com*, True -*.ajmpaintinginc.com*, True -*.ajnabi.org*, True -*.ajodoin.net*, True -*.ajoian.ro*, True -*.ajoonikalsi.com*, True -*.ajpertiwi.com*, True -*.ajpropiedades.cl*, True -*.ajps-3r.ro*, True -*.ajpsafety.com.au*, True -*.ajps.ro*, True -*.ajptechnical.com*, True -*.ajsa.co.za*, True -*.ajsmarketing.ca*, True -*.ajtech.pl*, True -*.ajusa.cl*, True -*.ajusrl.com.ar*, True -*.ajvivot.com.ar*, True -*.ak3.me*, True -*.ak8b.us*, True -*.akaciya.ru*, True -*.akademientrepreneur.com*, True -*.akademikomunitas.org*, True -*.akademiya-uspexa.com*, True -*.akademiyauspexa.com*, True -*.akademiya-uspexa.org*, True -*.akademiyauspexa.org*, True -*.akademiya-uspexa.ru*, True -*.akademiyauspexa.ru*, True -*.akagumi.net*, True -*.aka.id.lv*, True -*.akanet.tk*, True -*.akangcyber.cf*, True -*.akarinddr.com*, True -*.akasahomes.com*, True -*.akbar-wicaksono.net*, True -*.akbn.net*, True -*.akb-panther.ru*, True -*.akd.co.za*, True -*.akdgroup.ru*, True -*.akdtravel.ro*, True -*.akdt.tk*, True -*.akelei.org*, True -*.akers.com.au*, True -*.akfarmitseda.ac.id*, True -*.akgranitedesigns.com*, True -*.akhileshtiwari.com*, True -*.akh-it.tk*, True -*.akhyar.com*, True -*.akiaprendo.cl*, True -*.akibateraitrojan.com*, True -*.akickinthecash.com*, True -*.akidelmar.pt*, True -*.akihost.com*, True -*.akilled.tk*, True -*.akinosoft.org*, True -*.akinotomasyon.com*, True -*.akin.web.tr*, True -*.akira-from.asia*, True -*.akiranet.net*, True -*.akiro.info*, True -*.akiserv.net*, True -*.akisom.com*, True -*.akitafacilnews.com.br*, True -*.akitahandball.net*, True -*.akitainu.cl*, True -*.akiyama.ca*, True -*.akkuslarltd.com*, True -*.aklen.net*, True -*.akman.ch*, True -*.akm-s.ru*, True -*.akondo.info*, True -*.akonteknologi.com*, True -*.akos.ro*, True -*.akost.tk*, True -*.akovaunveyem.com.tr*, True -*.akpco.ir*, True -*.akpernambuco.com.br*, True -*.akpp-centr.ru*, True -*.akrab.org.my*, True -*.akral.org*, True -*.akrap.org*, True -*.akreditekuruluslar.com*, True -*.akriluss.cl*, True -*.akrine.com*, True -*.akronanimals.com*, True -*.akrym-konslet.com*, True -*.akses.com.br*, True -*.aksesorisphotobooth.com*, True -*.aksesoristenda.com*, True -*.akshayc.cf*, True -*.aksnapshots.com*, True -*.aksnilore.pl*, True -*.aksoftware.org*, True -*.aksrv.de*, True -*.aksu.cf*, True -*.akt66.com*, True -*.akt77.com*, True -*.akt88.com*, True -*.aktifa.com*, True -*.aktionserver.pt*, True -*.aktionsig.com*, True -*.aktionsig.pt*, True -*.aktionwin.com*, True -*.aktionwin.pt*, True -*.aktlex.ro*, True -*.aktualno.si*, True -*.akubantu.biz*, True -*.akubantu.info*, True -*.aku-bocah.tk*, True -*.akudatang.ga*, True -*.akuge.li*, True -*.akuliker.com*, True -*.akumar.com.np*, True -*.akumauu.ml*, True -*.akuma-zed.net*, True -*.akumulator.sk*, True -*.akune.com.br*, True -*.akusiy.es*, True -*.akusolar.sk*, True -*.akustica.cl*, True -*.akvahelp.ru*, True -*.akvelina.com*, True -*.akyasociados.com.ar*, True -*.akyros.org*, True -*.al1k.ru*, True -*.al911.com.ar*, True -*.alabamabook.com*, True -*.alabama.one.pl*, True -*.alabasgames.com*, True -*.alabrassa.com*, True -*.alabrett.com*, True -*.alabsy.com*, True -*.alaflutterphotography.com*, True -*.alagrupa.com*, True -*.al-ahkam.net*, True -*.alai.info*, True -*.alainaenslen.com*, True -*.alainet.info*, True -*.alaingoumy.com*, True -*.alainpropiedades.cl*, True -*.alaintremblet.ch*, True -*.alain-wassmer.ch*, True -*.alakdae.pl*, True -*.ala-kihnia.org*, True -*.alakorn.ru*, True -*.alambiquesdeminas.com.br*, True -*.alamdarifar.com*, True -*.alamedasbestcatering.com*, True -*.alam-hidro.com.my*, True -*.alam-maritim.com.my*, True -*.alamoala.org*, True -*.alamoelectric.com*, True -*.alamsekitar.com.my*, True -*.alam-swiber.com.my*, True -*.alam-xp.info*, True -*.alanaallanwedding.info*, True -*.alanbradburne.com*, True -*.alanbrothers.com*, True -*.alancy.com*, True -*.aland.info*, True -*.alandro.tk*, True -*.alanellen.com*, True -*.alanerdmann.com*, True -*.alanfeuerbacher.org*, True -*.alanfranklen.co.uk*, True -*.alanhicken.ca*, True -*.alanhigh.com*, True -*.alanlogistic.com*, True -*.alanmarksp.com*, True -*.alanmechanical.co.uk*, True -*.alan-n-chanda.com*, True -*.alanrjr.net*, True -*.alan-safety.com*, True -*.alanshen.com*, True -*.alanshen.net*, True -*.alanshen.org*, True -*.alan-thomas.me.uk*, True -*.alanthya.net*, True -*.alaries.com.ar*, True -*.alariva.com*, True -*.alarmahogar.cl*, True -*.al-arm.com*, True -*.alarme-emifan.ro*, True -*.alarmeemonitoramento.srv.br*, True -*.alarmesemonitoramentos.com.br*, True -*.alarmespararesidencias.srv.br*, True -*.alarmi.si*, True -*.alarm-ochrona.pl*, True -*.alarmprint.eu*, True -*.alarmprint.ro*, True -*.alarmspecs.com*, True -*.alarm-wk.com*, True -*.alasdelta.cl*, True -*.alasdies.com.ar*, True -*.ala.se*, True -*.alasino.com.ar*, True -*.alaska-al.com*, True -*.alaskasretreat.com.au*, True -*.alat2ukur.com*, True -*.alatbantusexterbaik.com*, True -*.alatlab-chemical.com*, True -*.alatmedismurah.com*, True -*.alatpemadamapi101.com*, True -*.alatpemadamapi.info*, True -*.alatpemadamapi-yamato.com*, True -*.alatpemadam-wk.com*, True -*.alatpesta-tenda.com*, True -*.alatpln.com*, True -*.alatpotongkaca.com*, True -*.alatrumahpotongayam.com*, True -*.alatsafety.co.id*, True -*.alaturidetine.eu*, True -*.albacetediario.com*, True -*.al-badri.ch*, True -*.albamagold.com*, True -*.albamaplus.com*, True -*.alban3r.info*, True -*.albania.co.za*, True -*.albani.com.ar*, True -*.albano.com.ar*, True -*.albanss.com*, True -*.albanycountytheatre.org*, True -*.albanytechnologypartners.com*, True -*.albanytechpartners.com*, True -*.albanywaterfrontcoalition.org*, True -*.albatrossmarine.com.au*, True -*.alberanteautospray.co.za*, True -*.albercons.com.ar*, True -*.albert86.com*, True -*.albert.al*, True -*.albertalibertarianparty.ca*, True -*.albertawhitetails.com*, True -*.albertlee.al*, True -*.albertn.ru*, True -*.albertocairoli.ch*, True -*.albertocorretorseguros.com.br*, True -*.albertolucchetti.com.ar*, True -*.albertopose.com.ar*, True -*.albertosalas.com.ar*, True -*.albertsgardening.com.au*, True -*.albert.tw*, True -*.albertvillekarate.com*, True -*.albica.co.uk*, True -*.albinformatica.com.br*, True -*.albingblog.com*, True -*.albinismo.com.br*, True -*.albionparkhotel.com.au*, True -*.albismail.com*, True -*.albmvas.com*, True -*.albrightscycling.com*, True -*.albto.ir*, True -*.albuerne.cl*, True -*.albume-digitale-foto.ro*, True -*.albumhitam.com*, True -*.albummeanings.com*, True -*.albummeanings.org*, True -*.album.web.tr*, True -*.albuquerquelunguinho.com.br*, True -*.alburycitymotel.com*, True -*.albus-sonitus.com*, True -*.alcapps.com*, True -*.alcarcorp.com*, True -*.alcarrer.org*, True -*.alcatel-lucent.web.tr*, True -*.alcatrazirc.net*, True -*.alcatrazmedia.us*, True -*.alcebiades.com.br*, True -*.alchemyaromatherapy.co.nz*, True -*.alchemyicon.com*, True -*.alchemywebsockets.net*, True -*.alcocer.mx*, True -*.alcochemphil.com*, True -*.alcodoc.ru*, True -*.alcohol-addicted.com*, True -*.alcomed.cl*, True -*.alcometer.lv*, True -*.alcootech.com.br*, True -*.alcrd.tk*, True -*.alcsfl.com*, True -*.alcymarmonteiro.com.br*, True -*.aldanacalligo.com.ar*, True -*.aldanet.si*, True -*.aldeadesigns.com*, True -*.aldeavision.com*, True -*.aldeavision.net*, True -*.aldeavision.org*, True -*.alden.si*, True -*.aldercs.com*, True -*.alder.net.au*, True -*.aldezabal.com.ar*, True -*.aldhya.com*, True -*.aldi691.tk*, True -*.aldia.mx*, True -*.aldiauladi.tk*, True -*.aldis.id.lv*, True -*.aldort.net*, True -*.aldosimanjuntak.com*, True -*.aldos.ru*, True -*.aldri06.tk*, True -*.aldy-fatih.net*, True -*.aldyfreestyle.org*, True -*.alebrijes.com.ve*, True -*.alecar-skoda.es*, True -*.aleclass.com.ar*, True -*.alec.no*, True -*.alecores.com.br*, True -*.alecsandro.com.br*, True -*.aled93.ru*, True -*.ale-decor.ru*, True -*.aledecor.ru*, True -*.ale-design.ru*, True -*.alege-pret.com*, True -*.alegrocredit.ro*, True -*.alegstudio.ro*, True -*.alejandrobruce.com.ar*, True -*.alejandrofabris.com.ar*, True -*.alejandrojmelo.com.ar*, True -*.alejandropelaez.com.ar*, True -*.alejandropugliese.com.ar*, True -*.alejandroreyes.com.mx*, True -*.alejandrowasserman.com*, True -*.alejolp.com.ar*, True -*.alejosanchez.com*, True -*.aleksfabricijo.tk*, True -*.alelec.net*, True -*.aleluc.ga*, True -*.alemanespanol.com.ar*, True -*.aleman.tk*, True -*.alencreuso.com.ar*, True -*.alephnullresearch.com*, True -*.alerco.cl*, True -*.alerte-cobra-for-t411.tk*, True -*.alertgroup.ru*, True -*.alert-me.net.au*, True -*.alesaavedra.com*, True -*.alesco-ti.com*, True -*.alescudrag.ro*, True -*.alesecudrag.ro*, True -*.alessandrarios.com*, True -*.alesso.net*, True -*.aletoledo.com*, True -*.aletox.com*, True -*.aletrades.com*, True -*.alevelnh.com*, True -*.alex01.tk*, True -*.alex04.tk*, True -*.alex26.tk*, True -*.alex87.tk*, True -*.alex-ab.com*, True -*.alexaja.tk*, True -*.alexak.ro*, True -*.alexalbertin.com*, True -*.alexamacdonald.com*, True -*.alexamoda.com*, True -*.alexanderbenis.ch*, True -*.alexanderhellstrom.se*, True -*.alexanderoh.ch*, True -*.alexanderpeppe.com*, True -*.alexanderrudigierltd.com*, True -*.alexanderthegreater.com*, True -*.alexanderway.co.il*, True -*.alexandra-institut.ch*, True -*.alexandra.tw*, True -*.alexandraudriste.ro*, True -*.alexandravlad.com*, True -*.alexandrechow.com.br*, True -*.alexandrecunha.com*, True -*.alexandrethibodeau.ca*, True -*.alexandrethibodeau.com*, True -*.alexandrethibodeau.info*, True -*.alexandrethibodeau.net*, True -*.alexandrinelavoie.com*, True -*.alexandros-maleme.com*, True -*.alexandrusimionesei.ro*, True -*.alexbarney.com*, True -*.alexbeliakov.ru*, True -*.alexcathy.com*, True -*.alexcelestino.com.br*, True -*.alexclink.com*, True -*.alex-coman.ro*, True -*.alexcopaci.ro*, True -*.alexcrot2.tk*, True -*.alexd.net.ru*, True -*.alexerika.ro*, True -*.alexeyg.ru*, True -*.alexeykuz.ru*, True -*.alexfb.com*, True -*.alexfrost.ru*, True -*.alexgall.ca*, True -*.alexgallego.org*, True -*.alexgracas.com*, True -*.alexhaydock.com*, True -*.alexhaydock.co.uk*, True -*.alexi.org*, True -*.alexisandbraden.com*, True -*.alexiseldorrado.com*, True -*.alexismatherlee.com*, True -*.alexispaz.com.ar*, True -*.alexivanov.com*, True -*.alexjandro.com*, True -*.alexjankuv.com*, True -*.alexlan.org*, True -*.alexleach.org.uk*, True -*.alexleclerc.com*, True -*.alexleewallace.com*, True -*.alexleow-kimmy.com*, True -*.alexluong.com*, True -*.alex-madura.tk*, True -*.alexmanasseh.com*, True -*.alexmeuer.com*, True -*.alexmisk.ru*, True -*.alexmitter.tk*, True -*.alexmmooney.com*, True -*.alexmobilier.ro*, True -*.alexmurphy.net*, True -*.alex-musicman.com*, True -*.alexpallet.ca*, True -*.alexpescaru.ro*, True -*.alexplesnicar12.tk*, True -*.alexpolson.com*, True -*.alex-popov.com*, True -*.alexrthomas.net*, True -*.alexrthomas.org*, True -*.alexrus.ro*, True -*.alexsav.in*, True -*.alexservers.cf*, True -*.alexservers.tk*, True -*.alexshaw.net.au*, True -*.alexsh.tw*, True -*.alexsoft.biz*, True -*.alexsoo.net*, True -*.alexspowart.com*, True -*.alexstanfield.com.ar*, True -*.alext.info*, True -*.alexunderbase.ro*, True -*.alexundercover.com*, True -*.alexwilliamson.co*, True -*.alexxed.com*, True -*.alexx.net*, True -*.alexyanji.com*, True -*.aleyasociados.com.ar*, True -*.alfa1024.info*, True -*.alfa145.com*, True -*.alfa145.co.uk*, True -*.alfaacessorios.com.br*, True -*.alfa-beta.pt*, True -*.alfacarretas.net*, True -*.alfacashir.com*, True -*.alfadata.com.ar*, True -*.alfafix.com.br*, True -*.alfaftrade.in*, True -*.alfajordepollo.com.ar*, True -*.alfalcons.com*, True -*.alfamaskota.com.ar*, True -*.alfamaskotas.com.ar*, True -*.alfamidiaonline.com.br*, True -*.alfanet.gr*, True -*.alfanusa.co.id*, True -*.alfaprintshop.com.mx*, True -*.alfaprod.ro*, True -*.alfareza-kece.com*, True -*.alfarit.ro*, True -*.alfarizi.tk*, True -*.alfarquintoelemento.com.ar*, True -*.alfaservicosetreinamentos.com.br*, True -*.alfateeh.com*, True -*.al-fateh.net*, True -*.alfateksystems.com*, True -*.alfawifi.com.my*, True -*.alfem.it*, True -*.alfersoft.com.ar*, True -*.alfeyagumachi.ga*, True -*.alfik.cf*, True -*.alfons151.tk*, True -*.alfopol.com*, True -*.alfra.ch*, True -*.alfreako.com*, True -*.alfredjvazquez.us*, True -*.alfredoj.info*, True -*.alfredoj.tk*, True -*.alfredstucki.ch*, True -*.alfrescofurniture.info*, True -*.alfsoft.ru*, True -*.algarvedreamproperty.com*, True -*.algedi.org*, True -*.algengeal.com*, True -*.algengeal.ru*, True -*.algida.cf*, True -*.algmh.com*, True -*.algn.tk*, True -*.algoalphahunter.com*, True -*.algo.com.au*, True -*.algodenada.com.ar*, True -*.algologias.cl*, True -*.algonquinscm.com*, True -*.algorithmsllc.com*, True -*.algrelining.co.za*, True -*.algrup.cf*, True -*.algrup.eu*, True -*.algrup.ga*, True -*.algrup.ml*, True -*.alhackid.tk*, True -*.alhanon.net*, True -*.alhaqhassanansari.tk*, True -*.ali250798.tk*, True -*.ali3nat0r.tk*, True -*.ali58.com*, True -*.alia.cl*, True -*.aliaconvex.com*, True -*.aliagafernandez.com.ar*, True -*.aliaksei.com*, True -*.aliaksei.org*, True -*.aliancetravel.com.ar*, True -*.aliantaropac.ro*, True -*.aliasbox.net*, True -*.aliasdns.org*, True -*.aliasgharhasani.ir*, True -*.aliasgharhassani.ir*, True -*.aliatauto.ro*, True -*.aliawisata.com*, True -*.alicahue.cl*, True -*.alicandro.com.ar*, True -*.alicargra.cl*, True -*.aliceinroses.com*, True -*.alicemiranda.com.au*, True -*.alicenopaisdasmaravilhas.com.br*, True -*.alicia-gonzalez.com.ar*, True -*.aliciainc.com*, True -*.aliciatamas.com*, True -*.ali.com.pk*, True -*.alicont.ro*, True -*.alicornentertainmentstudios.com.au*, True -*.alicornstudios.com*, True -*.alicufinder.com*, True -*.alicufinder.com.ar*, True -*.alidani.ro*, True -*.alien07.xyz*, True -*.alien-audio.com*, True -*.alienbattlegrounds.com*, True -*.aliencybercafe.ro*, True -*.alienseizure.com*, True -*.alifaan.ovh*, True -*.alifelesswasted.tk*, True -*.alifsyahpanji.com*, True -*.alifyasprai.com*, True -*.ali-gator911.com*, True -*.aligator911.com*, True -*.alihotspot.com*, True -*.aliislam.eu*, True -*.alijaco.com*, True -*.alikettani.com*, True -*.alikhorsandian.com*, True -*.alimentacion.cl*, True -*.alimentarirando.ch*, True -*.alimentarivavala.ch*, True -*.alimentoshen.cl*, True -*.alimentosnahuen.cl*, True -*.alina-bellydancer.ca*, True -*.ali-net.md*, True -*.alin.ro*, True -*.alioda.ro*, True -*.aliok.com.tr*, True -*.alioma.ro*, True -*.alisakit.com*, True -*.alisasalon.com*, True -*.alisasalon.ru*, True -*.alisdairmcghee.com*, True -*.al-islam.or.id*, True -*.alisoma.com*, True -*.alisonball.com*, True -*.alisonball.com.au*, True -*.alisoncartwright.com*, True -*.alisoncassidy.com*, True -*.alisoncassidy.net*, True -*.alisoncassidy.org*, True -*.alisonkrueger.com.ar*, True -*.alistairb.com*, True -*.alita.cc*, True -*.alitatun.ro*, True -*.alitour.cl*, True -*.alittehad.net*, True -*.aliud.me*, True -*.aliveandwell.com*, True -*.alivestudio.hk*, True -*.alixmark.com*, True -*.aliyahdewi.com*, True -*.alizarincrimson.ca*, True -*.alizarine.se*, True -*.aljaria.ru*, True -*.aljazborstnik.si*, True -*.aljazkurincic.tk*, True -*.aljoproductions.net*, True -*.alka1000.com*, True -*.alkalmazas.com*, True -*.alkamil.co.nz*, True -*.alkaniukas.com*, True -*.alkazimy.web.id*, True -*.alkesserang.com*, True -*.alko.bg*, True -*.all4hosting.cc*, True -*.all4moto.ro*, True -*.all4syrian.com*, True -*.all4you.ru*, True -*.alla66.com*, True -*.allaboutcelebporn.com*, True -*.allaboutcoding.com*, True -*.allaboutpowerstrips.com*, True -*.allaboutsextube.com*, True -*.allaboutsugar.gr*, True -*.allaboutthe.uk*, True -*.allaboutwedding.com*, True -*.allahabad4u.com*, True -*.allahuakbar.biz*, True -*.allamericanscripters.com*, True -*.allanalwedding.info*, True -*.allan.com.br*, True -*.allandroid.org.uk*, True -*.allanesara.com.br*, True -*.allangrant.us*, True -*.allanimelove.net*, True -*.allanmay.com*, True -*.allanmetalfabrications.com.au*, True -*.allanrandall.com*, True -*.allanrocha.org*, True -*.allans.biz*, True -*.allanseptian.com*, True -*.allanseptian.ga*, True -*.allanswers.tk*, True -*.allantenet.com*, True -*.allante.us*, True -*.allardpaintdistributors.com.au*, True -*.allards.com.au*, True -*.allard.to*, True -*.allaround.hk*, True -*.allbaba.in*, True -*.allbasta.com*, True -*.all-best-games-1.ru*, True -*.all-best-games-2.ru*, True -*.allblue17.tk*, True -*.allbookinghotels.com*, True -*.allbusiness24.com*, True -*.allbuy.ir*, True -*.allcarsmechanical.com*, True -*.allcellphones.com.ar*, True -*.allcleanservices.ch*, True -*.allcoasttaragohire.com*, True -*.allcompsodev.com*, True -*.allcoverup.com*, True -*.allcumbres.cl*, True -*.all.cx*, True -*.alldade.com*, True -*.alldade.net*, True -*.alldatasheet.ir*, True -*.alldayout.gr*, True -*.alldealsasia.my*, True -*.alldealsasia.sg*, True -*.alleciaturner.com.au*, True -*.allecto.org*, True -*.allegorytx.com*, True -*.allegragames.com*, True -*.allegramultieventos.com.ar*, True -*.allegrastudio.co.nz*, True -*.allegrastudios.com*, True -*.allegrastudios.co.nz*, True -*.allegrobandploiesti.ro*, True -*.allegrocredit.ro*, True -*.allegrodanceshop.net*, True -*.allen8r.com*, True -*.allenandmaggie.so*, True -*.allenbarnes.com*, True -*.allenbarnes.org*, True -*.allenbukoff.com*, True -*.allenfamilytree.com*, True -*.allen-heath.ro*, True -*.allenluo.com*, True -*.allenmanor.club*, True -*.allen.nom.za*, True -*.allesflicker.ch*, True -*.allesimglas.ch*, True -*.allessionne2.pw*, True -*.allessionne.pw*, True -*.alletrades.com*, True -*.alleycatactionphoto.com*, True -*.allezdecor.com*, True -*.allez.la*, True -*.allfilesdownload.com*, True -*.allforboss.co.uk*, True -*.allforest.pw*, True -*.allfoursrallyteam.com*, True -*.allfuels.com.au*, True -*.allgadget.cf*, True -*.allgreencompany.ro*, True -*.allhorses24.com*, True -*.allhosts.ca*, True -*.allhotels24.com*, True -*.alli.am*, True -*.alliance-cristal.ro*, True -*.alliance-fashion.ro*, True -*.allianceglobal-hk.com*, True -*.alliance-international.ro*, True -*.alliancetravel.tur.ar*, True -*.alliedcivil.com.au*, True -*.alliedcomputerconsulting.com*, True -*.alliedprofessionalsgroup.com*, True -*.alligatordesigns.in*, True -*.allik.com*, True -*.allili.com*, True -*.allinaweek.com*, True -*.all-in.cl*, True -*.all-inclusive.si*, True -*.allinline.tk*, True -*.allisonsays.us*, True -*.allisons.org*, True -*.allisonstuder.com*, True -*.alljackandpaint.com.au*, True -*.alljob24.com*, True -*.allkeygens.ws*, True -*.all-lights.be*, True -*.allmass.me*, True -*.allmetraindonesia.com*, True -*.allmine.co.za*, True -*.allmotorsgroupsa.com*, True -*.allmotors.tk*, True -*.allmp3.me*, True -*.all.my*, True -*.allnaturalsheabutterbathandbody.com*, True -*.allnetwork.in*, True -*.allnetwork.info*, True -*.allnuclo.com*, True -*.allocar.ch*, True -*.allods225.ru*, True -*.allods2arena.ru*, True -*.allodsarena.ru*, True -*.allods.in*, True -*.allods.mobi*, True -*.allodsnet.ru*, True -*.allodsworld.net*, True -*.all-of-mex.de*, True -*.alloglacons.ch*, True -*.allok.in*, True -*.allomoto.ch*, True -*.allone.com.ve*, True -*.allotment-shop.com*, True -*.allotment-shop.co.uk*, True -*.allott.nom.za*, True -*.allowed.org*, True -*.alloygrp.com*, True -*.allparts.cc*, True -*.allparts.info*, True -*.allpeoplesparty.org*, True -*.allpets24.com*, True -*.allprostamps.com*, True -*.allprovinylsiding.com*, True -*.allpurposerepairs.com*, True -*.allque.com*, True -*.allramps.com*, True -*.allrcthings.com*, True -*.allrcthings.com.au*, True -*.allright.tk*, True -*.allroundcricketcoaching.co.uk*, True -*.allsad.com*, True -*.allsafevideo.com*, True -*.allseasonpetsitters.com*, True -*.allserv.org*, True -*.allsextubes.net*, True -*.allsexymovies.com*, True -*.allstar2011.net*, True -*.allstardesign.ch*, True -*.allstarpcbuilds.com*, True -*.allstarproduction.ch*, True -*.all-stars.lv*, True -*.allstarsstudio.com.au*, True -*.allstitch.lv*, True -*.allstock.co.il*, True -*.allstreams.ml*, True -*.allstudio.cl*, True -*.allsupply.cl*, True -*.allthatshome.co.uk*, True -*.allthingsembroideredtx.com*, True -*.allthingshassanyeh.co.uk*, True -*.alltire.su*, True -*.alltissue.com.au*, True -*.allt.org*, True -*.alltous.com*, True -*.alltransportme.com*, True -*.alltravelpages.com*, True -*.alltreands.eu*, True -*.alltricities.com*, True -*.alltrustedtabs.com*, True -*.alltucker.com*, True -*.alltv.ro*, True -*.allup.net*, True -*.allure.com.my*, True -*.allure-pac.com.au*, True -*.alluring-escorts.net*, True -*.alluser.cf*, True -*.allvpop.com*, True -*.allweatherinsulation.com.au*, True -*.allyburns.com*, True -*.allyopen.com*, True -*.allyoucan-eat.ch*, True -*.allysonfowler.com*, True -*.allyteam.ru*, True -*.almaarif.sch.id*, True -*.almacenaurelia.com.ar*, True -*.almacendefrio.com.ar*, True -*.almacendegolosinas.com.ar*, True -*.almacenesibarra.com.mx*, True -*.almacensepsol.com*, True -*.almagemea.tk*, True -*.almaggese.com*, True -*.almagnosolucoes.com.br*, True -*.al-main.com*, True -*.almallanera.org.ve*, True -*.almamaterarad.ro*, True -*.alma-nail.tk*, True -*.almanakh.ru*, True -*.alman.com.mx*, True -*.almanis.ch*, True -*.almarhum.net*, True -*.alma-t.com*, True -*.almaworld.com*, True -*.almazara-entreolivos.com*, True -*.almecija.com.ar*, True -*.almegatf.com*, True -*.almeida.agr.br*, True -*.almeidaaidar.net.br*, True -*.almeidaautomacao.com.br*, True -*.almeida-tech-dev.ch*, True -*.almeriapoolenclosures.com*, True -*.almerrick.co.il*, True -*.almgo.org*, True -*.almifilan.com*, True -*.almigtec.com*, True -*.alminana.com.ar*, True -*.almityone.com*, True -*.almogneeman.com*, True -*.almondi.ga*, True -*.almoneera.com*, True -*.almonord.com*, True -*.almostawesome.org*, True -*.almostpurple.com*, True -*.almukarromah.com*, True -*.almuna.ru*, True -*.almunawarah.com.my*, True -*.alnguyen.com.vn*, True -*.alni.ro*, True -*.alnitak.co*, True -*.alnoorschoolandjrcollege.org*, True -*.alnuproducts.com*, True -*.alo24.ro*, True -*.aloestar.tk*, True -*.aloevera4ever.ro*, True -*.aloezavinagi.com*, True -*.alofreelancer.com.br*, True -*.alohahomeinspection.com*, True -*.alohajc.com.ar*, True -*.alohasurplus.com*, True -*.alohatransllc.com*, True -*.alohomora.ca*, True -*.alojamientolaslilas.cl*, True -*.alokinnollahwe.com*, True -*.alomonabokibigmedia.pw*, True -*.alomonabokimolmedia.pw*, True -*.alomsimoy.tk*, True -*.alonsocontreras.com*, True -*.alonsopardo.com.ar*, True -*.alonzowest.com*, True -*.alopecia.ir*, True -*.alopex.io*, True -*.alotech.com.tr*, True -*.alotofstuff.net*, True -*.alo.tw*, True -*.aloysius.web.id*, True -*.alpadave.com*, True -*.alpakaweid.ch*, True -*.alpard.cf*, True -*.alpecole.ch*, True -*.alpen-land.ch*, True -*.alpha6.ru*, True -*.alphaalpha.us*, True -*.alphabeta.ca*, True -*.alphadeltasigma.com*, True -*.alphadeltasigma.tk*, True -*.alphadogservices.co.uk*, True -*.alphafoundation.org.uk*, True -*.alpha-male.club*, True -*.alpha.moe*, True -*.alphanet.com.au*, True -*.alphanet.net.au*, True -*.alphaomegacalab.net*, True -*.alphapoint.com.au*, True -*.alphapotato.net*, True -*.alphard.in*, True -*.alpharepairs.us*, True -*.alphasigma.com.au*, True -*.alphasiren.com*, True -*.alphasoft.org*, True -*.alpha-team.ro*, True -*.alphatrucking.ca*, True -*.alpha-ville.be*, True -*.alpherat.com.ar*, True -*.alpinearm.com*, True -*.alpineinteriors.hk*, True -*.alpinerescuefoundation.ca*, True -*.alpinicussignacco.it*, True -*.alpinistiutilitari.ro*, True -*.alpinivicenza.it*, True -*.alpp.org*, True -*.alpsanit.ch*, True -*.alpsincorporated.com*, True -*.alpttm.com*, True -*.alpydent.ro*, True -*.al-qudd.us*, True -*.al-quran.asia*, True -*.alrahman.pk*, True -*.alreadysold.co.za*, True -*.alrebe.ch*, True -*.alreeter-skiing.co.uk*, True -*.alregscientific.com*, True -*.alrica.pt*, True -*.alrightgames.com*, True -*.alsamx.com*, True -*.al-sb.com*, True -*.alsisa.com*, True -*.alsis.com.mx*, True -*.al-sk.com*, True -*.alslev.dk*, True -*.alsov.tk*, True -*.alspachnet.com*, True -*.alsrl.com*, True -*.al-ss.com*, True -*.alsterlid.se*, True -*.alston.cc*, True -*.alsupnet.com*, True -*.alsvps.tk*, True -*.alt169.net*, True -*.altacimainversiones.cl*, True -*.altaconfeccionyireh.cl*, True -*.altairveiculos.com.br*, True -*.altaredmusic.com*, True -*.altaredradio.com*, True -*.altascimaslogitrans.cl*, True -*.altasib.net*, True -*.altbelt.com*, True -*.altctrldel.pl*, True -*.alte.ca*, True -*.altecbdg.co.id*, True -*.al-technologies.co.uk*, True -*.altelyou.com.my*, True -*.altelyou.my*, True -*.altenergy.com.ve*, True -*.alteraas.com*, True -*.alterdemoty.pl*, True -*.alterdemoty.tk*, True -*.alteriamotives.co.uk*, True -*.altermyth.com*, True -*.alternate.net.ru*, True -*.alternation.net*, True -*.alternativebelting.ca*, True -*.alternative-belting.com*, True -*.alternativebelting.com*, True -*.alternative-futures.com.au*, True -*.alternativeit.ro*, True -*.alternative-music.co.il*, True -*.alternativenergi.se*, True -*.alternativesources.eu*, True -*.alternativheilen.ch*, True -*.alternativinvestment.ro*, True -*.alternators.su*, True -*.alternatywnawiki.tk*, True -*.alternet.co.il*, True -*.alterq.com.ar*, True -*.altfelstudio.ro*, True -*.altfem.ro*, True -*.altgestalt.com*, True -*.altiatech.com*, True -*.altiga.eu*, True -*.altilivelli.in*, True -*.altimari.net*, True -*.altinbasakcarsaf.com.tr*, True -*.altinbasakesarp.com.tr*, True -*.altinbasakhavlu.com.tr*, True -*.altinbasaknevresim.com.tr*, True -*.altinbasaksal.com.tr*, True -*.altinbasakyazma.com.tr*, True -*.altinbasakyemeni.com.tr*, True -*.altiora.es*, True -*.altit.ru*, True -*.altitude808.com*, True -*.altiumvaults.com*, True -*.altivex.net*, True -*.altlabs.in*, True -*.altm.com.br*, True -*.altnix.in*, True -*.altoadigio.cl*, True -*.alto-el-juego.com.ar*, True -*.alt-office.net*, True -*.alt-office.org*, True -*.altoneshop.com*, True -*.altoonapython.org*, True -*.altoperformance.cl*, True -*.altorjay.com*, True -*.altoscatamarca.com.ar*, True -*.altosdegaray.com.ar*, True -*.altosdelcuruzu.com.ar*, True -*.altospantalones.com.ar*, True -*.altovidrio.cl*, True -*.altparlor.com*, True -*.altraman.co.id*, True -*.altrarunning.cl*, True -*.altr.ch*, True -*.altruistbatam.com*, True -*.altuesa.cl*, True -*.aluben.tk*, True -*.alube.us*, True -*.alubondeu.net*, True -*.alucoa.com*, True -*.alufaisca.com*, True -*.alufleco.gr*, True -*.alugloc.com.br*, True -*.alugloq.com.br*, True -*.aluminiogoias.com.br*, True -*.aluminiosgoias.com.br*, True -*.aluminiowedrzwi.pl*, True -*.aluminioweokna.pl*, True -*.aluminumrain.com*, True -*.alumniafrique.com*, True -*.alumniafrique.org*, True -*.alumniconclave.com*, True -*.alumni-elvath.cf*, True -*.alumniresearch.com*, True -*.alumniresearch.net*, True -*.alumuniumscaffolding-mjsa.com*, True -*.alunoalfamidia.com.br*, True -*.alusoft.com.br*, True -*.aluware.co.za*, True -*.aluzli.tk*, True -*.alvabearingindustri.com*, True -*.alvachart.co*, True -*.alvachart.com*, True -*.alvachartflip.com*, True -*.alvachartflow.com*, True -*.alvachartflow.net*, True -*.alvachart.net*, True -*.alvachart.org*, True -*.alvachartrand.com*, True -*.alvachartrand.net*, True -*.alvacharts.com*, True -*.alvacharts.net*, True -*.alvacharts.org*, True -*.alvachartssj.com*, True -*.alvachartstock.com*, True -*.alvacheung.com*, True -*.alvarezojeda.cl*, True -*.alvaroardiles.cl*, True -*.alvarobelmonte.es*, True -*.alvaroorgaz.com*, True -*.alvascore.com*, True -*.alvascore.net*, True -*.alveaelectric.com*, True -*.alveaelectric.pl*, True -*.alverafashion.com*, True -*.alvesdasilva.com.br*, True -*.alveus.com.ar*, True -*.alvhan.la*, True -*.alvia-danis.tk*, True -*.alvinfairburn.com*, True -*.alvinfairburn.net*, True -*.alvis.hk*, True -*.alvweb.com*, True -*.alwardah.tk*, True -*.alwaysbookkeeping.com.au*, True -*.alwayssunnyspa.com*, True -*.alwayswork.in*, True -*.alxcom.ru*, True -*.alxq.org*, True -*.alyaf.com*, True -*.alyawater.com*, True -*.alybarboza.cl*, True -*.alymoore.com*, True -*.alynauman.com*, True -*.aly.ninja*, True -*.alysaandadam.com*, True -*.alysewright.com*, True -*.alyshaboles.com*, True -*.am1180.com.ar*, True -*.am180.com*, True -*.am2000.co*, True -*.am2.ro*, True -*.am60.com*, True -*.amabel.info*, True -*.amabella.com.br*, True -*.amact.com.my*, True -*.amagastudio.eu*, True -*.amahstouch.com*, True -*.amala.com.au*, True -*.amalcraft.ml*, True -*.amalfi.cf*, True -*.amalfiwebcam.tk*, True -*.amalgamatedwater.co.za*, True -*.amalgation.nl*, True -*.amamking.com*, True -*.amanahberbagi.org*, True -*.amanahberbagi.or.id*, True -*.amanahcbs.com*, True -*.amancom.cl*, True -*.amanda23.tk*, True -*.amandaanderson.me*, True -*.amandaandshawn.com*, True -*.amandahailwood.com*, True -*.amandahourt.com*, True -*.amandaleigh.com.au*, True -*.amanda.one.pl*, True -*.amandaw.xyz*, True -*.amandiri.com*, True -*.amango.org*, True -*.aman-lawoffice.ro*, True -*.amano1.cl*, True -*.amanzimeters.co.za*, True -*.amaralmultimarcas.com.br*, True -*.amarantoclaromeco.com.ar*, True -*.amarb.com.np*, True -*.amarelinhababykids.com*, True -*.amarelinhababykids.com.br*, True -*.amarillasinter.net*, True -*.amarilloexpress.com*, True -*.amarillorentaautos.com*, True -*.amarna.org.ru*, True -*.amarnotary.ir*, True -*.amaron-maintenance.ch*, True -*.amarphonebook.com*, True -*.amarr.tk*, True -*.amarrvictor.net*, True -*.a-mas.cl*, True -*.amateur-porno.at*, True -*.amateur-pornos.at*, True -*.amateurtubevideos.com*, True -*.amateur-videos.at*, True -*.amato.com.au*, True -*.amatterofmanners.com*, True -*.amatterofmanners.org*, True -*.amattheisen.com*, True -*.amav.ro*, True -*.amaximenkov.com*, True -*.amaya4848.com*, True -*.amayacomercial.com.mx*, True -*.amazecinternational.com*, True -*.amazeusgpl.com*, True -*.amazingcruises.ru*, True -*.amazon2vietnam.com*, True -*.amazona.si*, True -*.amazonews.co*, True -*.amazonresources.com.au*, True -*.amazonsale.gq*, True -*.amazonspecials.gq*, True -*.ambalaje-cofetarie.ro*, True -*.ambalajeonline.ro*, True -*.ambassador.cn*, True -*.ambassador.hk*, True -*.ambb.ru*, True -*.amber-cypress.com*, True -*.amberfordham.com*, True -*.amberide.tk*, True -*.amberkalvin.com*, True -*.ambersteele.com*, True -*.ambertubesporn.pw*, True -*.amberwiener.com*, True -*.amberwiener.me*, True -*.ambiencetech.com*, True -*.ambientacionestitas.com.ar*, True -*.ambientfamilies.com*, True -*.ambientinformatica.com.br*, True -*.ambient-soft.com*, True -*.ambienturban.ro*, True -*.ambikabasaula.com.np*, True -*.ambiserve.com*, True -*.ambitech.rs*, True -*.ambitoitaliano.com*, True -*.ambiwhomp.com*, True -*.amb-logistics.pl*, True -*.ambqaa.com*, True -*.ambrae.net*, True -*.am-brillantengrund.at*, True -*.ambrosiacapital.com*, True -*.ambuhl.ch*, True -*.ambystoma.com.ar*, True -*.amcchile.cl*, True -*.amcinromania.ro*, True -*.amcnet.nl*, True -*.am.com.mx*, True -*.amcontadores.com.mx*, True -*.amcrete.com.pk*, True -*.amcti.com*, True -*.amc-tutorials.com*, True -*.amcworks.com.au*, True -*.amdaboutique.ro*, True -*.ameer1234567890.tk*, True -*.ameliewell.com*, True -*.ame-life.com*, True -*.amelja.ch*, True -*.amenabar.cl*, True -*.amenajaregradini.ro*, True -*.amendoeira.eu*, True -*.amendo.in*, True -*.amendoliaehijos.com.ar*, True -*.amenga.tk*, True -*.amen.org.ar*, True -*.amentrix.com*, True -*.amentrix.co.uk*, True -*.amentrix.info*, True -*.amentrix.net*, True -*.amentrix.org*, True -*.amerbrokers.net*, True -*.amerchem.com.my*, True -*.amercocontractinginc.ca*, True -*.americajhon.com.pe*, True -*.americalatinaenmovimiento.org*, True -*.americanaetc.com*, True -*.americancommerciallender.com*, True -*.americancrewhairandbody.com*, True -*.americanelectricalservices.net*, True -*.americanfamilyfunds.net*, True -*.americangolf.nl*, True -*.americanlegion.events*, True -*.americanlenders.org*, True -*.americanliensales.com*, True -*.americanlifestylephotography.com*, True -*.americanmademoving.com*, True -*.americanmarketingservice.com*, True -*.americanmedicalarbitrationassociation.com*, True -*.americano.ml*, True -*.americanpanelandcover.com*, True -*.americanprintwear.net*, True -*.americartesana.cl*, True -*.americasarmy.ro*, True -*.americasbvibuda.com*, True -*.americasfp.com*, True -*.americashowtv.com*, True -*.americas-it-consulting.com*, True -*.americasnet.com.br*, True -*.americati.cl*, True -*.americhip.ru*, True -*.ameriprise2.com*, True -*.amertrax.pl*, True -*.amerzang.de*, True -*.amesbury.com.au*, True -*.ameshq.com.au*, True -*.amestris.cl*, True -*.ameted.com*, True -*.ametrin.ro*, True -*.ameya.cf*, True -*.amfetamina.eu*, True -*.amfid.ch*, True -*.amfid.com*, True -*.amfomyisms.com*, True -*.amfrigo.hr*, True -*.am-furnici.ro*, True -*.amgrig.ro*, True -*.amhc8.com*, True -*.amhs-event-organizer.info*, True -*.ami4.pro*, True -*.amiangraf.com.ar*, True -*.amiausa.com*, True -*.amibirla.com*, True -*.amicillin500mg.com*, True -*.amideon.net*, True -*.amidorvet.ro*, True -*.amiemergencias.com*, True -*.amiesworld.com*, True -*.amigaa.com.mx*, True -*.amigosdapatty.com.br*, True -*.amigosdoiracing.com.br*, True -*.amigosecreto.info*, True -*.amigos.hk*, True -*.amigoshop.ro*, True -*.amigostreet.com*, True -*.amigotecnico.com.br*, True -*.amimages.net*, True -*.aminhaprenda.pt*, True -*.aminian.org*, True -*.amint.org.ar*, True -*.amint.ro*, True -*.amiperfectyet.com*, True -*.amirac.com*, True -*.amiraclean.com*, True -*.amirandaonline.com*, True -*.amired.com*, True -*.amirhikman.com*, True -*.amirhose.in*, True -*.amirhosting.com*, True -*.amirleonardo.com*, True -*.amirmasih.tk*, True -*.amirpresents.com*, True -*.amirsia.ga*, True -*.amirwaps.tk*, True -*.amistr.com*, True -*.amistr.net*, True -*.amitgandotra.com*, True -*.amitiejudeonoire.org*, True -*.amittal.in*, True -*.amivisa.org*, True -*.amixam.ru*, True -*.amjadkamali.com*, True -*.amjed.me*, True -*.amk-autoverzorging.nl*, True -*.amk.com.au*, True -*.amkdrive.ru*, True -*.aml.co.id*, True -*.amlikers.tk*, True -*.amlinks.com.au*, True -*.amm66.com*, True -*.amm77.com*, True -*.amm87.com*, True -*.ammar4rt.com*, True -*.ammca.com.pk*, True -*.ammerest.com*, True -*.ammmotors.co.il*, True -*.ammyysync.com*, True -*.amn24.ir*, True -*.amnfree.com*, True -*.amnfree.ru*, True -*.amnoma.lv*, True -*.am-nothing.com*, True -*.amobad.com*, True -*.amoeba.org*, True -*.amofotolivro.com.br*, True -*.amogfs.com.au*, True -*.amonneycharpente.ch*, True -*.amooseoncebitmysister.com*, True -*.amor24.ro*, True -*.amordecristo.cl*, True -*.amoreluz.org.br*, True -*.amorepazsemfronteiras.com.br*, True -*.amorettipropiedades.com*, True -*.amorettipropiedades.com.ar*, True -*.amormoderno.com.br*, True -*.amortizer.si*, True -*.amosprivilege.com*, True -*.amosys.co.uk*, True -*.amotaal.com*, True -*.amoteam.ru*, True -*.amouei.com*, True -*.amouxit.com*, True -*.amovaz.com*, True -*.amp3d.ca*, True -*.ampasand.co.uk*, True -*.ampaz.ml*, True -*.amperage.org.au*, True -*.ampervolt.cl*, True -*.amphibious.ca*, True -*.amphora-bg.com*, True -*.amphotos.cl*, True -*.ampicillin500mg.com*, True -*.amplasmurah.com*, True -*.amplifactor.com*, True -*.amplifitness.ro*, True -*.amplitrainer.ro*, True -*.amplitraining.ro*, True -*.amplitrain.ro*, True -*.amplussolutions.net*, True -*.ampndecks.co.uk*, True -*.ampnet.ca*, True -*.amppropiedades.cl*, True -*.ampradio.ca*, True -*.ampsagribusiness.com.au*, True -*.ampscommercial.com.au*, True -*.ampspowerbd.com*, True -*.ampul.cf*, True -*.ampungan.tk*, True -*.amqp.eu*, True -*.amrak.fi*, True -*.amr-auditores.cl*, True -*.amrit.ch*, True -*.amritdeepdhungana.com.np*, True -*.amrit.li*, True -*.amritsaini.com*, True -*.amrmyeel.com.ar*, True -*.ams220.com*, True -*.amsandiego.com.ve*, True -*.amsboostcontrol.com*, True -*.amsc.com.au*, True -*.amsd.com.ve*, True -*.amserver.pt*, True -*.amsi.org.ar*, True -*.amsixty.com*, True -*.amsmentors.com*, True -*.amsped.ro*, True -*.amspsibiu.ro*, True -*.amsr.es*, True -*.amsterdam.one.pl*, True -*.amtb.cc*, True -*.amt-consult.co.uk*, True -*.amtekstaff.tk*, True -*.amthorsolutions.cl*, True -*.amtob.co.za*, True -*.amtra5.tk*, True -*.am-track.info*, True -*.amuck.xyz*, True -*.amuletbaikal.ru*, True -*.amunn.us*, True -*.amurmiac.ru*, True -*.amurt.org.uk*, True -*.amusic.hk*, True -*.amutu.com*, True -*.amvrosievka.ru*, True -*.amwricanas.com*, True -*.amyandalan.hk*, True -*.amyandgavin.com*, True -*.amycollier.com*, True -*.amyfu.com*, True -*.amylock.com*, True -*.amymade.net*, True -*.amyotte.net*, True -*.amyoungtimer.nl*, True -*.amysoft.net*, True -*.amyspagnola.com*, True -*.amystalk.com*, True -*.anabajapan.net*, True -*.anabellafranco.com.ar*, True -*.anabolic-steroids.biz*, True -*.anabrito.net*, True -*.anacarolinacanalli.com.br*, True -*.anachiodi.com.ar*, True -*.anaconda.tk*, True -*.anadechoch.com.ar*, True -*.anafaulkner.com*, True -*.anafilaxia.com.br*, True -*.anaisandhenry.net*, True -*.anak-67.cf*, True -*.anakami-felimardi.com*, True -*.anakayamkampungdananakbebek.com*, True -*.anakciremai.biz*, True -*.anakciremai.com*, True -*.anakciremai.net*, True -*.anakin-mengwasser.de*, True -*.anakliya.ru*, True -*.anakmedan.gq*, True -*.anakonf.ga*, True -*.anakonf.gq*, True -*.anakonf.ml*, True -*.anakonf.tk*, True -*.anakpati.com*, True -*.anak-rantau.tk*, True -*.anaksosial.com*, True -*.anak.web.id*, True -*.analgays.com*, True -*.analiadeluca.com.ar*, True -*.analialancellotti.com.ar*, True -*.analisaforexhariini.com*, True -*.analisateknikalforexharian.com*, True -*.analisisdeconsecuencias.cl*, True -*.analisislaboratorio.com.ar*, True -*.analisisoperativo.com.ar*, True -*.analitic.pro*, True -*.analitik.pro*, True -*.analiza-afacerilor.ro*, True -*.analizyum.com*, True -*.analizyum.net*, True -*.analogbay.com*, True -*.analogias.com.ar*, True -*.analognetwork.net*, True -*.analog.ro*, True -*.analogueanvil.com*, True -*.anal-porn.info*, True -*.anal-slavery.com*, True -*.analsurvival.ru*, True -*.analyses.com.br*, True -*.analysisandcomment.com*, True -*.analyticadword.com*, True -*.analyticsaccelerator.com*, True -*.anamade.ro*, True -*.anamarchetanu.ro*, True -*.anamariadinu.ro*, True -*.anamoltimilsina.com.np*, True -*.anan785.com*, True -*.ananassi.com*, True -*.anandamarga.co.uk*, True -*.anandamarga.org.uk*, True -*.ananda.net.ve*, True -*.anandarachmat.net*, True -*.anandashopping.tk*, True -*.anandkaanan.com*, True -*.ananziproperties.co.za*, True -*.anaparthi.org*, True -*.ana-perez.ch*, True -*.anapil.tk*, True -*.anaracavaliers.com*, True -*.anarchistan.com*, True -*.anarchis.tk*, True -*.anarchistpet.tk*, True -*.anarchy46.net*, True -*.anarchycamp.org*, True -*.anarchyfarm.com*, True -*.anarchy.info*, True -*.anaritasantos.com*, True -*.anarko.com.ar*, True -*.anark.org*, True -*.anarres.info*, True -*.anarxeio.gr*, True -*.anasalhasani.com*, True -*.anaselmed.ro*, True -*.anas.gq*, True -*.anastagio.net*, True -*.anastasyassecret.com*, True -*.anastkj.ml*, True -*.anatoll.org*, True -*.anatomyplus.net*, True -*.anatorroja.info*, True -*.anaudine.it*, True -*.anavision.co.za*, True -*.anavrin.biz*, True -*.anayanz.org*, True -*.anaya-rivera.tk*, True -*.anbconstruction.com.au*, True -*.anbweb.ru*, True -*.ancarservicios.com*, True -*.ancelmo.com.br*, True -*.anceni.tk*, True -*.anchile.cl*, True -*.anchorfleetsolutions.com*, True -*.ancientbooks.eu*, True -*.anclinsa.com*, True -*.ancon.net.au*, True -*.ancora-it.ro*, True -*.ancoshop.com*, True -*.ancstudio.tw*, True -*.andahuasi.com*, True -*.andalan-advertising.com*, True -*.andalanlistrik.com*, True -*.andalasdigital.co.id*, True -*.andal.ga*, True -*.andaluzmc.tk*, True -*.andartatech.com*, True -*.andatealaputaquetepario.com*, True -*.andavi.se*, True -*.andbas.org*, True -*.andcompany.com.br*, True -*.and-e.co.uk*, True -*.andeekor.ro*, True -*.andeks.cl*, True -*.anden21.co.uk*, True -*.anderastyle.com*, True -*.anderbra.com*, True -*.ander.ro*, True -*.andersensoftware.com*, True -*.andersonacres.us*, True -*.andersonhome.us*, True -*.andersonnas.com*, True -*.andersonn.lu*, True -*.andersonoliveira.adm.br*, True -*.andersontechnologies.us*, True -*.andersthesheep.co.uk*, True -*.andesgeoquimica.cl*, True -*.andesre.cl*, True -*.andhis.web.id*, True -*.andia.cl*, True -*.andiamofitness.com*, True -*.andigenag.com*, True -*.andigen.com*, True -*.andi.hk*, True -*.andilukic.tk*, True -*.andishkadeh8.ir*, True -*.andisonindustrial.com*, True -*.andjohair.com*, True -*.andjohair.co.za*, True -*.andmad.com*, True -*.andmad.ru*, True -*.andoka.com.au*, True -*.andonasruas.com.br*, True -*.andoralite.com*, True -*.andorra.co.za*, True -*.andrade.cl*, True -*.andradepaiva.com.br*, True -*.andreaandernie.com*, True -*.andreaarmendariz.cl*, True -*.andreaconnell.ca*, True -*.andreacukier.com*, True -*.andreadowyer.com*, True -*.andreafavero.it*, True -*.andreamilene.cl*, True -*.andreanedion.com*, True -*.andrearepka.com*, True -*.andreas-bayer.ch*, True -*.andreas-grillenberger.de*, True -*.andreas-houben.de*, True -*.andreas.id.au*, True -*.andreas-noser.ch*, True -*.andreavdiaz.com.ar*, True -*.andreazottola.com.ar*, True -*.andreea-bratu.com*, True -*.andreee.net*, True -*.andreekenya.com.br*, True -*.andreevs.com*, True -*.andreevs.net*, True -*.andregas.com.br*, True -*.andreicojan.com*, True -*.andreiduma.ro*, True -*.andreigeorgescu.ro*, True -*.andreimihai.ro*, True -*.andreipetre.ro*, True -*.andreistanciu.ro*, True -*.andremachado.eti.br*, True -*.andremachado.net*, True -*.andremadar.info*, True -*.andreolivier.co.za*, True -*.andreotti.com.ar*, True -*.andreracicot.com*, True -*.andrerolim.com*, True -*.andresajessita.arq.br*, True -*.andresaudiotronic.com*, True -*.andrescaldironi.com.ar*, True -*.andrescastano.net*, True -*.andres.cat*, True -*.andrescatalan.com*, True -*.andresen.mx*, True -*.andreshaidar.com.ar*, True -*.andreslens.com*, True -*.andresmerlo.com.ar*, True -*.andresrangel.com*, True -*.andressaplaceres.com*, True -*.andrest.ro*, True -*.andresyebra.com.ar*, True -*.andreumeixide.com*, True -*.andrewbian.com.au*, True -*.andrewb.it*, True -*.andrewboehringer.com*, True -*.andrewbrooks.com.au*, True -*.andrewcaron.com*, True -*.andrewclemons.com*, True -*.andrewclemons.co.nz*, True -*.andrewclink.com*, True -*.andrewcoe.ca*, True -*.andrewcupper.com*, True -*.andrewdenton.com*, True -*.andrewerdna.co.za*, True -*.andrewjennings.com*, True -*.andrewkthompson.org*, True -*.andrew-leer.com*, True -*.andrewmao.net*, True -*.andrewmccallum.ca*, True -*.andrewmccoy.org*, True -*.andrewmellino.com*, True -*.andrewmock.com*, True -*.andrew.ms*, True -*.andrewnichols.com*, True -*.andreworr.ca*, True -*.andrewpang.net*, True -*.andrewreisner.com*, True -*.andrewrophie.com*, True -*.andrew.sc*, True -*.andrewsimpson.info*, True -*.andrewsindustries.com*, True -*.andrewslab.net*, True -*.andrewslaw.info*, True -*.andrewsparty.com*, True -*.andrewtryon.net*, True -*.andrewvernon.com.au*, True -*.andrewwarner.net*, True -*.andrewyao.hk*, True -*.andrewz.org*, True -*.andrewzumkehr.com*, True -*.andreychikachev.ru*, True -*.andreydyadyk.ru*, True -*.andreymorozov.ru*, True -*.andrijeski.net*, True -*.andrika.info*, True -*.andrius4669.org*, True -*.android-3g-net.tk*, True -*.androidauto.co.za*, True -*.androidbox.ch*, True -*.androidconsultants.tk*, True -*.androidgamex.com*, True -*.androidgeek.us*, True -*.androidgeneralstore.com*, True -*.androidgeneralstore.tk*, True -*.androidi.fi*, True -*.androidspotlight.com*, True -*.androidtabletsunleashed.com*, True -*.android-tutorial.ch*, True -*.androidtutorial.ch*, True -*.androidworld.ch*, True -*.androidxchange.com*, True -*.andromeda.fi*, True -*.andromeda-irc.net*, True -*.andropalace.pw*, True -*.andros-aegean.gr*, True -*.andros-cyclades.gr*, True -*.andros-properties.gr*, True -*.androsuper.com*, True -*.androvial-sa.com.ar*, True -*.andru-loves-masha.ch*, True -*.andrusworld.ch*, True -*.andsold.ch*, True -*.and-user.com*, True -*.andwobble.com*, True -*.andy89.ru*, True -*.andyb.id.au*, True -*.andyc.ac*, True -*.andycox.org*, True -*.andyhardin.com*, True -*.andyhawkins.me.uk*, True -*.andyho.me*, True -*.andyip.hk*, True -*.andyjohome.co.uk*, True -*.andyk.com.au*, True -*.andyknight.org*, True -*.andyliany001-stig.gq*, True -*.andyliany001-stig.tk*, True -*.andyliany02.tk*, True -*.andyliany.cf*, True -*.andylitias.net*, True -*.andylitias.us*, True -*.andyluse.com*, True -*.andymeehan.co.uk*, True -*.andynaef56.ch*, True -*.andysantiagojr.com*, True -*.andythepizzaman.ca*, True -*.andyvail.com*, True -*.andyyu.tw*, True -*.ane-firman.com*, True -*.anefirman.com*, True -*.anehandmade.com*, True -*.aneh.web.id*, True -*.aneisa.com*, True -*.anejzadravec.tk*, True -*.anekababyshop.co.id*, True -*.anekabarangmurah.com*, True -*.anekal-pa.in*, True -*.anekapulsa.com*, True -*.anekasandangtextile.com*, True -*.anekasteelteknik.com*, True -*.anekatendamurah.com*, True -*.anekatendaterpal.com*, True -*.aneka-valve.com*, True -*.aneliaterzieva.com*, True -*.anello.com.ar*, True -*.anemone.gr*, True -*.anenacla.pt*, True -*.anepanaliptos.com*, True -*.anespo.pt*, True -*.anetic.co.za*, True -*.anewepoch.com*, True -*.anewido.com*, True -*.anewindi.com*, True -*.anferny.me.uk*, True -*.anfossi.cl*, True -*.anfvolunteers.org*, True -*.angadrom.ru*, True -*.angamers.com*, True -*.angaroa.cl*, True -*.angela4.tk*, True -*.angelahaasrealtor.com*, True -*.angelajarpa.cl*, True -*.angelaphilip.com*, True -*.angelazhou.net*, True -*.angelbonet.cat*, True -*.angelclaw.ro*, True -*.angeldirector.com*, True -*.angelesfernandez.cl*, True -*.angele.tk*, True -*.angelforest.tk*, True -*.angel-hentai.net*, True -*.angelicapio.com.br*, True -*.angelicasite.com*, True -*.angelicaturner.cl*, True -*.angelicoutcomes.com*, True -*.angelicparticles.net*, True -*.angelinajolie4.ru*, True -*.angelisle.com*, True -*.angelisle.net*, True -*.angeljoan.com*, True -*.angellombardi.com*, True -*.angellore.com.mx*, True -*.angellore.mx*, True -*.angelofdeathrp.info*, True -*.angelosonthemarina.com.au*, True -*.angelphoto.se*, True -*.angelramos.es*, True -*.angelscomputer.com*, True -*.angelscomputer.info*, True -*.angelsinvestment.com*, True -*.angels-net.in*, True -*.angelsplace.ro*, True -*.angels-promotions.ro*, True -*.angelsten.tk*, True -*.angel-tear.ro*, True -*.angel-voice.ch*, True -*.angelwind.tw*, True -*.anger-aggression-violence.com*, True -*.angga.com*, True -*.angga-musyana.com*, True -*.angga.net*, True -*.anggara.gq*, True -*.anggara.tv*, True -*.anggar.ml*, True -*.anggasastra.tk*, True -*.anggel.ga*, True -*.anggicancer.eu*, True -*.anggicancer.in*, True -*.anggicyber.com*, True -*.anggiraider.net*, True -*.anggitarigan.com*, True -*.anggitarigan.net*, True -*.anggityugo.com*, True -*.anggriawan.web.id*, True -*.angheliu.ro*, True -*.anghelsaligny-3r.ro*, True -*.angiangvn.com*, True -*.angiemp3music.com*, True -*.angiodiagnostic.ru*, True -*.angiovita.com.br*, True -*.angisnail.ch*, True -*.angkasa15.cf*, True -*.angkasapura.web.id*, True -*.angk.org*, True -*.anglahuset.com*, True -*.anglersapps.ca*, True -*.angleseyinteractive.com*, True -*.angletonpharmacy.com*, True -*.anglicanplanet.net*, True -*.anglo-saxonisrael.com*, True -*.angloswissclubs.ch*, True -*.angry8ball.com*, True -*.angrybentobox.com*, True -*.angryfoodie.net*, True -*.angrygiraffe.com*, True -*.angrylizard.fi*, True -*.anguianotennis.cl*, True -*.angy8ball.com*, True -*.anhhong.net*, True -*.anhhungvn.net*, True -*.anhnhat.com*, True -*.anhosting.gq*, True -*.anhplaza.com*, True -*.anhthupro.com*, True -*.anhy.ch*, True -*.aniadeco.ro*, True -*.aniaj.tk*, True -*.aniarg.com*, True -*.aniautomacao.com.br*, True -*.anibalfily.com*, True -*.aniceplacetosit.com*, True -*.anich-anich.com*, True -*.anich.biz*, True -*.anicholson.com*, True -*.anifarm.ro*, True -*.anigps.ir*, True -*.anikart.ir*, True -*.anilbhatta.com.np*, True -*.anillosdefuego.com*, True -*.anillosdefuego.com.ar*, True -*.anillosur.net*, True -*.anilorac.pt*, True -*.anilshah.com.np*, True -*.anil-shrestha.com.np*, True -*.anil.xyz.np*, True -*.animadver.com*, True -*.animak.ml*, True -*.animalepierdute.ml*, True -*.animalepierdute.tk*, True -*.animalescompraventa.com*, True -*.animalespoliticos.com.ar*, True -*.animalistaspro.cl*, True -*.animal-photos.org*, True -*.animalscience.ir*, True -*.animalswithcameras.com*, True -*.animatedassault.com*, True -*.anime77.com*, True -*.anime-catalogues.com*, True -*.animeenespanol.tk*, True -*.animefanblog.eu*, True -*.animegate.cf*, True -*.animeloverzsub.com*, True -*.animelucifer.web.id*, True -*.animemhd.com*, True -*.anime-pages.com*, True -*.animepie.net*, True -*.anime.rs*, True -*.animesek.tk*, True -*.animes.ga*, True -*.animeshpathak.in*, True -*.animesling.com*, True -*.animesoftshare.com*, True -*.animesos.com*, True -*.animesos.net*, True -*.animesos.org*, True -*.animestan.ir*, True -*.anime-stars.com*, True -*.animesul.com.br*, True -*.animetheory.org*, True -*.animetracker.ga*, True -*.animeversus.net*, True -*.animewatch.tv*, True -*.animezido.net*, True -*.animistology.net*, True -*.animo.com.my*, True -*.animoesic.in*, True -*.animo.my*, True -*.animovie.tv*, True -*.animumrege.ca*, True -*.animunirah.my*, True -*.animux.net*, True -*.aninas.ch*, True -*.anindya.in*, True -*.anipdrem.ro*, True -*.anisan.org*, True -*.anisansia.com*, True -*.aniseedballs.co.uk*, True -*.ani.sh*, True -*.anishniroula.com.np*, True -*.anisos.com*, True -*.anisub.net*, True -*.anisyacahya.com*, True -*.anitagutierrez.com*, True -*.anithing.net*, True -*.anit.ro*, True -*.aniverse.ro*, True -*.anjar.ml*, True -*.anjarsitek.co*, True -*.anjarsyah.tk*, True -*.anjaschreurs.nl*, True -*.anj.id.au*, True -*.anjofer.com.ar*, True -*.ankaufen.ch*, True -*.ankennedy.com*, True -*.anker.web.id*, True -*.ankit.com.np*, True -*.anksome.fi*, True -*.ankycooper.com*, True -*.an-likerz.tk*, True -*.anl.sg*, True -*.anmacxinh.com*, True -*.anmei.com.au*, True -*.annabelleku.com*, True -*.annabienert.com*, True -*.annacondal.cat*, True -*.annaffiare.org*, True -*.annaglypta.com*, True -*.annagracecorbett.com*, True -*.annaiyer.com*, True -*.annaloit.com*, True -*.annalotancosmetic.ru*, True -*.annaluizaehenrique.com.br*, True -*.annalynndanh.com*, True -*.annandalehotel.com*, True -*.annange.la*, True -*.annasattic22.com*, True -*.annasequines.com*, True -*.annasleziak.be*, True -*.annatijahsynergy.com*, True -*.annatolmacheva.ru*, True -*.annaz.net.ru*, True -*.annbeha.com*, True -*.annebarbosa.com.br*, True -*.anne.co.nz*, True -*.annemariecoiffure.ch*, True -*.anneogmarius.com*, True -*.anne-richard-wedding.co.uk*, True -*.annesfavors.com*, True -*.annesys.com*, True -*.annexclub.org.np*, True -*.annfurniture.co.id*, True -*.annieandmike.us*, True -*.anniebakescakes.com*, True -*.annie.ro*, True -*.annika.net*, True -*.annika-stricken.ch*, True -*.annikastricken.ch*, True -*.anninaundalex.ch*, True -*.annisajones.com*, True -*.annitu.ro*, True -*.announce.ro*, True -*.annoyer.com*, True -*.annsmile.com*, True -*.anntelecom.pl*, True -*.annuities-pilot.com*, True -*.annwalshcounseling.com*, True -*.anodocodigo.com.br*, True -*.anoeago.com*, True -*.anojsubedi.com.np*, True -*.anokiiwin.com*, True -*.anomalyfinder.com*, True -*.anonabox.tk*, True -*.anoncat.com*, True -*.anoncorpwatch.ga*, True -*.anonimoestudio.cl*, True -*.anonizer.cf*, True -*.anonplus.org*, True -*.anonplusradio.com*, True -*.anonplusradio.info*, True -*.anonplusradio.mobi*, True -*.anonplusradio.net*, True -*.anonplusradio.org*, True -*.anon-proxy.co.uk*, True -*.anonyloss.com*, True -*.anonymous.events*, True -*.anonymoushq.tk*, True -*.anonymous.lv*, True -*.anonymous.si*, True -*.anonymx.net*, True -*.anonyymitabsolutistit.com*, True -*.anoopkalsi.com*, True -*.anope.co.uk*, True -*.anostudio.info*, True -*.anothercraptacularproject.com*, True -*.anotherlastchance.org*, True -*.anothermartini.com*, True -*.anotherstep.pt*, True -*.anothersunrise.com*, True -*.another-variation.co.uk*, True -*.anotimp.ro*, True -*.anov.us*, True -*.anowermorshed.net*, True -*.anpanmanramsumsum.com*, True -*.anpatriot.ru*, True -*.anpmech.com*, True -*.anpolis.ru*, True -*.anq2015.org*, True -*.anr.or.id*, True -*.ansambeltiktak.com*, True -*.ansedo.net*, True -*.ansett.tk*, True -*.ansgardahlen.de*, True -*.anshda.org*, True -*.anshelljaya.com*, True -*.anshlv.com*, True -*.anshulsahni.me*, True -*.anshumgupta.net*, True -*.ansieta.cl*, True -*.ansiweb.com*, True -*.ansoft.cl*, True -*.ansonltd.com*, True -*.answer168.com*, True -*.answergroup.ru*, True -*.answersbot.com*, True -*.answerstoallriddles.com*, True -*.ant3d.com*, True -*.antaccess.co.za*, True -*.antakshari.com*, True -*.antallex.ru*, True -*.antarcticmonkey.com*, True -*.antariksha.com.np*, True -*.antartour.com*, True -*.antefer.web.id*, True -*.antelite.es*, True -*.antemar-trading.fi*, True -*.antenatv.info*, True -*.anteroblue.com*, True -*.anteus.com*, True -*.antexknitting.com*, True -*.antfarm.ml*, True -*.anthearn.me.uk*, True -*.anthemnetworks.net*, True -*.anthion.net*, True -*.anthonyagro.com*, True -*.anthony-cleonice.de*, True -*.anthonyflack.com*, True -*.anthonygillet.com*, True -*.anthonygiorgio.com*, True -*.anthonyharlow.com*, True -*.anthonylam.org*, True -*.anthonyoteri.com*, True -*.anthonysdetectiveagency.com*, True -*.anthonythompson.net*, True -*.anthroempire.net*, True -*.anthyia.es*, True -*.antibioticguide4rx.com*, True -*.antibiotics-infection.com*, True -*.antibiotic-therapy.com*, True -*.antibiotic-treatment.com*, True -*.anticariatulbucuriei.ro*, True -*.anticommunity.tk*, True -*.anticorp.ro*, True -*.antidemon.com*, True -*.antidns.com*, True -*.antidrogama.ro*, True -*.antidrog.md*, True -*.antifa-i.gr*, True -*.antifa-saar.org*, True -*.antiflupills.com*, True -*.antifragileafrica.com*, True -*.antifragileafrica.org*, True -*.antigeist.net*, True -*.antigopc.com*, True -*.anti-hacker-alliance.com*, True -*.antihypertensives.net*, True -*.antikapublisita.com*, True -*.antikawolf-siberians.com*, True -*.antikfarb.ro*, True -*.antik.ga*, True -*.antilafquen.com.ar*, True -*.antilimitxx.tk*, True -*.antillenhouses.com*, True -*.anti-maho.net*, True -*.antimalak.tk*, True -*.anti-muzej.com*, True -*.antinoob.org*, True -*.antinuke.com.ar*, True -*.anti-obesitydrug.com*, True -*.antiochmusic.org*, True -*.antiohiacluj.ro*, True -*.antipetir.net*, True -*.antiphone.net*, True -*.antipodi.ch*, True -*.antiprensa.info*, True -*.antiquites-chaumont.fr*, True -*.antireferate.ro*, True -*.antis-tech.co.uk*, True -*.antitechnocrat.net*, True -*.antivaxxers.com*, True -*.antiviir.us*, True -*.antiviralmed.com*, True -*.antlersblog.net*, True -*.antnaho.us*, True -*.antofa.tk*, True -*.antoinette.cl*, True -*.antongorbunov.com*, True -*.antonhome.tk*, True -*.antonijanekic-photo.com*, True -*.antoninhomarmo.org.br*, True -*.antonioaguilar.es*, True -*.antonioestepa.com*, True -*.antonioguzman.com.ve*, True -*.antonioivaldo.com.br*, True -*.antoniolli.eng.br*, True -*.antoniomachine.com*, True -*.antoniomata.es*, True -*.antoniopaulino.com.br*, True -*.antonioreyes.com.mx*, True -*.antoniovalencia.ec*, True -*.antonkedrov.ru*, True -*.anton-kovalenko.ru*, True -*.antonliss.ru*, True -*.anton-schteinberg.com*, True -*.antonshostak.com*, True -*.antonsson.nu*, True -*.antonstrobel.com*, True -*.antonvanzyl.co.za*, True -*.antony.ml*, True -*.an-trade.eu*, True -*.antrak.org.tr*, True -*.antrea.fi*, True -*.antrom.fi*, True -*.antropocentrum.ro*, True -*.ant-tech.com*, True -*.antthomas.co.uk*, True -*.antube.ga*, True -*.antufruits.cl*, True -*.antuna.com.ar*, True -*.antwerpconsulting.be*, True -*.antworld.tk*, True -*.antychrust.tk*, True -*.antylama.pl*, True -*.anuarrahman.com*, True -*.anubin.com.ar*, True -*.anudasa.ru*, True -*.anugrahjayatenda.com*, True -*.anugrah-metalindo.com*, True -*.anugrahsentanaagro.com*, True -*.anugrah-steel.com*, True -*.anugrahsteel.com*, True -*.anuit.com*, True -*.anujw.com.np*, True -*.anukecil.com*, True -*.anumujos.tk*, True -*.anumu.net*, True -*.anuntulextra.ro*, True -*.anunturi-chirie.ro*, True -*.anunturi-gratis-online.ro*, True -*.anunturishop.ro*, True -*.anupjoshi.com.np*, True -*.anupkarmacharya.com.np*, True -*.anurag977.com.np*, True -*.anusch.com.ar*, True -*.anusoft.biz*, True -*.anvault.com*, True -*.anvb.org.br*, True -*.anvelope-vara-iarna.ro*, True -*.anv.name*, True -*.anvo.nl*, True -*.anwaltsbuero-noser.ch*, True -*.anwaltsnetz.net*, True -*.anwandter.cl*, True -*.anwar.web.id*, True -*.anxiety-depression-assessment.com*, True -*.anyalandman.com*, True -*.anydoor.to*, True -*.anyface.ch*, True -*.anyge.net*, True -*.anyguy.co.uk*, True -*.anyhelp.cl*, True -*.anyinfo2you.com*, True -*.anykeylogger.com*, True -*.anykeylogger.net*, True -*.anyleech.com*, True -*.anyprint.me*, True -*.anyroom.hk*, True -*.anysexymovies.com*, True -*.anysh.net*, True -*.anysigma.net*, True -*.anysolabs.com*, True -*.anytech.cl*, True -*.anythingpcrepair.com*, True -*.anyurl.org*, True -*.anyzone.net*, True -*.aoa-ocn.com*, True -*.aoas.ro*, True -*.aodrp.info*, True -*.aoeu.se*, True -*.aofcosta.me*, True -*.aohao.org*, True -*.aoiko.me*, True -*.aoiseitai.com*, True -*.aojimp.es*, True -*.aol-info-update.com*, True -*.aolin.net.au*, True -*.aomartinez.com.ar*, True -*.ao-nang.info*, True -*.aonecorp.com*, True -*.aoneupholstery.com*, True -*.aonhewittconsulting.cn*, True -*.aonken.cl*, True -*.aonoto.com*, True -*.aosa.co.za*, True -*.aosegoviana.com*, True -*.aospakistan.com*, True -*.aosta.ro*, True -*.ao.tl*, True -*.aottawa.com*, True -*.aovtech.com*, True -*.aozhoubaobao.com*, True -*.ap528.com*, True -*.ap8marzo.tk*, True -*.apa00.com*, True -*.apabedanya.com*, True -*.apache-solar.com*, True -*.apa.cl*, True -*.apaitu.co*, True -*.apakes.com*, True -*.apami.ro*, True -*.aparate-fitness-online.ro*, True -*.aparat-fitness.ro*, True -*.apariciocarrer.com.ar*, True -*.aparrindo.com*, True -*.apartamentbailefelix.ro*, True -*.apartamentonovonaplanta.com.br*, True -*.apart.com.ar*, True -*.aparthotelneruda.cl*, True -*.apartido.com*, True -*.apartirdorio.org*, True -*.apartmaji-valant.com*, True -*.apartman-delfin.com*, True -*.apartmani-silvana.hr*, True -*.apartment4rent.net*, True -*.apartment-am-park.at*, True -*.apartment-ampark.at*, True -*.apartmentampark.at*, True -*.apartmentsateastmelbourne.com.au*, True -*.apartmentsrentsale.com*, True -*.apartment-wizard.com*, True -*.apasale.com*, True -*.apatil.com*, True -*.apavidra.ro*, True -*.ap-bags.com*, True -*.apbcoordinacion.com.ar*, True -*.apcaustralia.org*, True -*.apcrnetwork.com*, True -*.apcs.com.my*, True -*.apd-transport.com*, True -*.apec-wto.com*, True -*.apelec.fi*, True -*.ap-elektroniikka.fi*, True -*.apelly.org*, True -*.apeproject.us*, True -*.aperados.com*, True -*.apereira.biz*, True -*.apertura.ro*, True -*.aperture.cl*, True -*.aperturelabs.cf*, True -*.aperturex.net*, True -*.apesalon.com*, True -*.apexflightacademy.com*, True -*.apexgaming.ml*, True -*.apexplastech.com*, True -*.apexpvp.tk*, True -*.apexsynergy.com*, True -*.apfelreich.com*, True -*.apfelreich.net*, True -*.apfi-jatim.org*, True -*.apfsbsupport.com*, True -*.apginvest.com*, True -*.apgq.com*, True -*.aphasiker-saar.de*, True -*.aph.org.ar*, True -*.aphredernweg.ch*, True -*.apibuddy.com*, True -*.api-center.ru*, True -*.api-cs.com*, True -*.apicultor.eu*, True -*.apidir.com*, True -*.apidrops.com*, True -*.apios.co.uk*, True -*.apk4data.com*, True -*.apk4fun.pw*, True -*.apkcache.com*, True -*.apkc.net*, True -*.apkftp.com*, True -*.apkhere.pw*, True -*.apk-run.com*, True -*.apl2.ch*, True -*.aplicacionescreativas.com*, True -*.aplicatieanunturi.eu*, True -*.aplicatieanunturi.ro*, True -*.aplitap.com*, True -*.aplittlecub.uk*, True -*.aplos.org*, True -*.apltech.info*, True -*.apmconsultores.com.ar*, True -*.apmgrup.com.tr*, True -*.apm.info.tr*, True -*.apmmx.com*, True -*.apnafunnypaki.cf*, True -*.apn.hk*, True -*.apocalipseskate.com.br*, True -*.apocalypse14.tk*, True -*.apocalypto.org.uk*, True -*.apo.cl*, True -*.apocryph.al*, True -*.apocryph.us*, True -*.apodrasi-komotini.gr*, True -*.apogeeoi.com*, True -*.apolartrio.cl*, True -*.apolloboxx.com*, True -*.apollonia-beach.com*, True -*.apollothedonkey.com*, True -*.apollowest.net*, True -*.apoptosissrv.com*, True -*.aportas.cl*, True -*.aport.ro*, True -*.apose.com.ar*, True -*.apostolof.org*, True -*.apostols.net*, True -*.apotekar.si*, True -*.apotekkeluarga.id*, True -*.apotekpurwosarifarma.co.id*, True -*.apotheker.si*, True -*.apotheke.si*, True -*.apoyosecretarial.com*, True -*.app3l.nl*, True -*.appanyplace.com*, True -*.apparitiontv.net*, True -*.appartementchambord.com*, True -*.appava.ir*, True -*.appbase.nl*, True -*.appbean.com*, True -*.appchile.cl*, True -*.appcoda.ru*, True -*.appe.al*, True -*.appengine.eu*, True -*.appfeel.com*, True -*.appfoundry.asia*, True -*.appfoundry.com.au*, True -*.appfoundry.net.au*, True -*.appgoles.tk*, True -*.appgreen.net*, True -*.appia.com.au*, True -*.appin.jp*, True -*.appin-weather.org*, True -*.appix.net.br*, True -*.applauz.org.za*, True -*.applecafe.ro*, True -*.applecars.ru*, True -*.applecottages.co.za*, True -*.applecrates.com.au*, True -*.applegraveyard.com*, True -*.apple-icloud-chazhao.com*, True -*.appleinside.us*, True -*.appleprice.com*, True -*.appleshop.co.za*, True -*.applestore.co.za*, True -*.applesystem.com.br*, True -*.appletalk.sk*, True -*.appletrade.cc*, True -*.applexu.tk*, True -*.applezoo.net*, True -*.appliancerepairsdirectory.co.za*, True -*.applied-computing.co.uk*, True -*.applied-computing-expertise.com*, True -*.applied-computing-expertise.co.uk*, True -*.appliedcomputingexpertise.co.uk*, True -*.appliedmath.ro*, True -*.appliedsystemsgroup.com*, True -*.applive.ru*, True -*.applynetwork.ir*, True -*.applz.net*, True -*.appman.nl*, True -*.appmine.com*, True -*.apponcall.com*, True -*.app-online.ro*, True -*.appp.pro*, True -*.appprof.com*, True -*.appracing.com.au*, True -*.approachableit.com*, True -*.approvework.in*, True -*.apps2world.com*, True -*.appsanjal.com*, True -*.appschem.com*, True -*.app-sddra.com.ar*, True -*.apps.dj*, True -*.appsfile.cf*, True -*.appshared.info*, True -*.appshared.web.id*, True -*.appsking.hk*, True -*.appspy.me*, True -*.appsteem.com*, True -*.appswiss.ch*, True -*.appszoo.net*, True -*.apptimize.ir*, True -*.apptocash.me*, True -*.apptracking.me*, True -*.apptransporteya.com.ar*, True -*.appucbokep.ml*, True -*.appw.mx*, True -*.appxcms.com*, True -*.appxlot.com*, True -*.apraa.org.au*, True -*.a-pratama.com*, True -*.aprayerjournal.com*, True -*.apr.com.ar*, True -*.aprel.me*, True -*.aprendacomputacion.com.ar*, True -*.aprender3d.com*, True -*.aprender3d.net*, True -*.aprender3d.org*, True -*.aprendermodosgregos.com*, True -*.aprendizdecabeleireira.com.br*, True -*.aprendizdecabeleireira.net*, True -*.apri.com*, True -*.april17th.co.uk*, True -*.aprilbarnes.com*, True -*.aprilbydesign.com*, True -*.april.ml*, True -*.aprivateschool.co.il*, True -*.aproapeorice.ro*, True -*.aprobaven.ec*, True -*.aprojal.com.br*, True -*.apro.me*, True -*.apronet.com.mx*, True -*.apronet.mx*, True -*.aprrc2013.org*, True -*.apsafetyservices.com*, True -*.apsancud.cl*, True -*.apsara.ch*, True -*.apscomm.com.my*, True -*.apscreativas.com*, True -*.apseglobal.com.br*, True -*.apset.ru*, True -*.apsis.ch*, True -*.apsisinfo.com.br*, True -*.apson.com*, True -*.aptapps.com*, True -*.aptl.ml*, True -*.aptnh.com*, True -*.apto4rent.com*, True -*.aptrc.tw*, True -*.aptusiran.net*, True -*.apuestasmauna.com.ve*, True -*.apuestohombre.com*, True -*.apulnion.com*, True -*.apulsa.biz*, True -*.apumies-jok.fi*, True -*.apuntale.com*, True -*.apuntesdigitales.es*, True -*.apvpartner.tk*, True -*.aqartel.com*, True -*.aqq26.com*, True -*.aqq59.com*, True -*.aqq79.com*, True -*.aqro.pro*, True -*.aqsasociety.in*, True -*.aqsawomenscollege.org*, True -*.aqs.com.mx*, True -*.aquabr.com*, True -*.aquachevon.com.my*, True -*.aqua-city.su*, True -*.aquaconstruct.ro*, True -*.aquafisiorj.com*, True -*.aqua-flo.biz*, True -*.aquaflo.biz*, True -*.aquaflo.net*, True -*.aquaflosupply.com*, True -*.aquahill.net*, True -*.aqualanddeva.ro*, True -*.aqualert.co.za*, True -*.aqualineboats.com.au*, True -*.aquamundos.com.ar*, True -*.aquanet.ro*, True -*.aquaplanning.ch*, True -*.aquariodesign.ch*, True -*.aquariumbd.com*, True -*.aquarium.web.id*, True -*.aquarius87.tk*, True -*.aquascapeparadise.com.my*, True -*.aqua-scooter.com*, True -*.aquaticmadness.com*, True -*.aquatux.net*, True -*.aquecetecnica.com.br*, True -*.aquienleamargaundulce.es*, True -*.aquilaconn.com.br*, True -*.aquilacoop.de*, True -*.aquilanest.org*, True -*.aquinasnet.com*, True -*.aquinnah.ca*, True -*.aqui.ro*, True -*.aquisgransa.cl*, True -*.aqumau.ml*, True -*.a-quo.com*, True -*.aquora.com.br*, True -*.aqu-rapopo.ga*, True -*.aqu-rapopo.net*, True -*.araai.com*, True -*.arabbiaeventos.com.ar*, True -*.arabelgica.be*, True -*.arabiancruises.ru*, True -*.arabianopticals.com*, True -*.arabia.ro*, True -*.arabiccenter.ru*, True -*.arabien.ca*, True -*.arabsoft-ye.com*, True -*.aracstoperi.net*, True -*.aracstoperi.org*, True -*.aracyaslamadiregi.net*, True -*.aradi.ir*, True -*.aradiom.com.tr*, True -*.araduca.com*, True -*.araex.ch*, True -*.arafos.es*, True -*.aragomchile.cl*, True -*.arahmateknik.com*, True -*.arakazam.com*, True -*.aral-ict.com*, True -*.ara-liker.net*, True -*.aramavetisyan.info*, True -*.arampamuk.com*, True -*.arangoyaeuskaraz.net*, True -*.araniedae.com*, True -*.aransa.com.ar*, True -*.aransascounty.com*, True -*.aransrl.com.ar*, True -*.aranzer.cz*, True -*.arapajouh.com*, True -*.arapajouh.ir*, True -*.arapaz.ch*, True -*.arapro.ch*, True -*.araqnid.org*, True -*.arasgps.ir*, True -*.arashtaher.ir*, True -*.arastar.co.il*, True -*.arasteca.com.br*, True -*.arastecaseguros.com.br*, True -*.arasvas.ir*, True -*.arati.com.np*, True -*.araucariacomunicaciones.cl*, True -*.araucoluz.cl*, True -*.araujo.ga*, True -*.araujosam.ga*, True -*.arawn.co.uk*, True -*.araycraft.id.au*, True -*.arbajaadventure.com*, True -*.arbeitman.id.au*, True -*.arbeitskrafte-rumanien.de*, True -*.arbeitskultur.ch*, True -*.arbeitsschutz-michalski.biz*, True -*.arbeitsschutz-michalski.com*, True -*.arbeitsschutz-michalski.eu*, True -*.arbeitsschutz-michalski.info*, True -*.arbeitsschutz-michalski.net*, True -*.arbeitsschutz-michalski.org*, True -*.a-rbi.ru*, True -*.arbit.co.za*, True -*.arbolgestion.cl*, True -*.arboli.net*, True -*.arboli.org*, True -*.arborigene.ca*, True -*.arborrosa.tk*, True -*.arbphotography.ro*, True -*.arbuz.md*, True -*.arbyte.com.ar*, True -*.arca.co*, True -*.arcadainv.ro*, True -*.arcade14.com*, True -*.arcadianconstruction.com*, True -*.arcadobicho.com.br*, True -*.arc-airedale.co.uk*, True -*.arcane.co.il*, True -*.arcanehero.com*, True -*.arc-en-ciel-camp.ch*, True -*.arceonline.ro*, True -*.arceum.se*, True -*.archaeography.com*, True -*.archaicnoesis.info*, True -*.archanet.org*, True -*.arche-noah-zollikofen.ch*, True -*.archenode.net*, True -*.archernet.id.au*, True -*.archer.tw*, True -*.archerydesign.com*, True -*.archesrl.com*, True -*.archhughes.org*, True -*.archibiz.ru*, True -*.archi-doc.com*, True -*.archi-doc.ru*, True -*.archie.or.id*, True -*.archieunderwood.com*, True -*.archieweb.com*, True -*.archi-gestiontav.ch*, True -*.archimade.ch*, True -*.archimedesproducts.com*, True -*.archiplan-plus.ch*, True -*.architango.com*, True -*.architango.net*, True -*.architask.ro*, True -*.architecturalreview.com.au*, True -*.archiv1864.ch*, True -*.archiveport.com*, True -*.archiveport.net*, True -*.archivia.ch*, True -*.archivosparabajar.tk*, True -*.archknowledge.com*, True -*.arch-linux.cf*, True -*.arch-online.info*, True -*.archoverse.net*, True -*.archpi.tk*, True -*.archreview.com.au*, True -*.archstudiodesign.net*, True -*.archtech.gr*, True -*.archvisio.com*, True -*.archviz.pt*, True -*.arc-logic.com*, True -*.arcohomeasia.com*, True -*.arcoirisfm.com.ar*, True -*.arcompany.com*, True -*.arcophotos.com*, True -*.arcosarango.com.ar*, True -*.arcperformance.co.uk*, True -*.arcprojects.ru*, True -*.arcpvp.net*, True -*.arc-studio.ru*, True -*.arcticfire.net*, True -*.arctour.ro*, True -*.arcudi.com.ar*, True -*.arcus.tk*, True -*.arcxena.info*, True -*.arda.ir*, True -*.ardaloka.biz*, True -*.ardaloka.cf*, True -*.ardaloka.com*, True -*.ardaloka.net*, True -*.ardaloka.ninja*, True -*.ardandi.net*, True -*.ardantus.web.id*, True -*.arda.org.ar*, True -*.ardcs.ir*, True -*.ardenwood.com.au*, True -*.ardhi.web.id*, True -*.ardilafiza.web.id*, True -*.ardi.li*, True -*.ardtokyo.net*, True -*.ardublock.ru*, True -*.ardublog.ru*, True -*.arduino.com.my*, True -*.arduino.hk*, True -*.arduinohobby.ro*, True -*.ardumotica.com*, True -*.ardumotica.es*, True -*.area515.tk*, True -*.area51doncaster.com*, True -*.area51reborn.info*, True -*.area69-mtb.org*, True -*.areacctv.com.ar*, True -*.areagaacteencamp.com*, True -*.areakode.tk*, True -*.areanasegurosch.com.mx*, True -*.areanasegurosmz.com.mx*, True -*.areanatividad.com.ar*, True -*.arebo.com.tr*, True -*.arec.com.ar*, True -*.areforever.com*, True -*.a-register.com*, True -*.arek2.tk*, True -*.arekmajang.info*, True -*.arellano.ec*, True -*.areload.com*, True -*.aremasservicios.com.mx*, True -*.aremasservicios.mx*, True -*.aremcuritiba.com.br*, True -*.arenadotricolor.com.br*, True -*.arenafernandasselin.com*, True -*.arendt.ca*, True -*.areostyle.ru*, True -*.ares-konslet.com*, True -*.arespgl.ro*, True -*.aresrock.com.ar*, True -*.ares-woo.com*, True -*.arethere.com*, True -*.arevalotucuman.com.ar*, True -*.arev-hotel.com*, True -*.arex-computers.com*, True -*.areyouafraidof.me*, True -*.ar-fa.com*, True -*.arfagroup.com*, True -*.arfmovie.net*, True -*.arfotoarte.com*, True -*.arfuch.com.ar*, True -*.arfumis.id.lv*, True -*.arfy.eu*, True -*.arg3.com*, True -*.arg3.net*, True -*.argacakep.tk*, True -*.argatech.com*, True -*.arg-brazil.com*, True -*.argenline.com*, True -*.argennexus.com.ar*, True -*.argenteoscar.com.ar*, True -*.argentinaads.com.ar*, True -*.argentinabroker.net*, True -*.argentinaglobalwines.com*, True -*.argentinaglobalwinesguia.com*, True -*.argentinapormisojos.com.ar*, True -*.argentinavortice.com.ar*, True -*.argentisdevelop.com.ar*, True -*.argentosingenieria.com.ar*, True -*.argento-tech.com*, True -*.argentotech.com*, True -*.argenwamp.com.ar*, True -*.argetech.com.ar*, True -*.arghack.com.ar*, True -*.arghelothapa.com.np*, True -*.arghir.ro*, True -*.argilsoln.com*, True -*.argilsolution.com*, True -*.argilsolutions.com*, True -*.argiopetech.com*, True -*.argoatv.si*, True -*.argocean.com*, True -*.argold.com.ar*, True -*.argonautsonline.net*, True -*.argos-electron.ru*, True -*.argosmaritima.com*, True -*.argos-system.ro*, True -*.argos-trade.ru*, True -*.argosyunderwriting.com*, True -*.argosyunderwriting.co.uk*, True -*.argotechnica.info*, True -*.argsa.com.ar*, True -*.argstyle.com*, True -*.argumentare.com.br*, True -*.argusdenshi.com*, True -*.argusthedog.com*, True -*.argustv.com*, True -*.arh.ca*, True -*.arhcmp.ro*, True -*.arheomet.ro*, True -*.arhidepo.ro*, True -*.arhiizdeliya.ru*, True -*.arhimedlab.com*, True -*.arh-it.ru*, True -*.arhivaradiodobrogea.ro*, True -*.arhiva-radionica.com*, True -*.arh.net.ru*, True -*.ariadelta.ir*, True -*.ariadnatlt.ru*, True -*.ari.al*, True -*.arianaahmad.com*, True -*.arianishop.net*, True -*.arianto.web.id*, True -*.ariardiansyah.net*, True -*.aricablogsurf.cl*, True -*.aricageiser.cl*, True -*.aricamionetas.com.br*, True -*.arichards.com.au*, True -*.ariciumoto.ro*, True -*.aridavies.com*, True -*.aridblend.com*, True -*.aridimage.com*, True -*.ariebooks.co.il*, True -*.ariede.com.br*, True -*.ariee.us*, True -*.ariefasha.com*, True -*.ariefcyber4rt.com*, True -*.ariefcyber4rt.co.uk*, True -*.ariefcyber4rt.de*, True -*.ariefcyber.com*, True -*.arief-ku.ml*, True -*.arielmonaco.com.ar*, True -*.arielnoguera.com.ar*, True -*.arielpuyo.com*, True -*.arielri.com.ar*, True -*.arieltorres.com.ar*, True -*.ariely.info*, True -*.ariescom.com*, True -*.ariescommerce.com*, True -*.ariesdev.com*, True -*.ariespe.cf*, True -*.ariespe.ga*, True -*.ariespe.ml*, True -*.ariespe.tk*, True -*.ariexusa.com*, True -*.ariezz.cf*, True -*.ariezz.ga*, True -*.arifbahtiar.com*, True -*.arifcorp.com.my*, True -*.arifianto.web.id*, True -*.ariframadan.me*, True -*.arif.web.id*, True -*.arimactive.com*, True -*.arimatea.cl*, True -*.arina-the-artist.com*, True -*.arinet.org*, True -*.ariniku.com*, True -*.arini.xyz*, True -*.arinya.de*, True -*.arisdefi.com*, True -*.arise.my.id*, True -*.arismadesign.ch*, True -*.aristasur.cl*, True -*.aristek.net*, True -*.aristoboutique.ro*, True -*.aristoscontab.ro*, True -*.ariswanto.tk*, True -*.aritmetica.cl*, True -*.ariwibawa.com*, True -*.arix.com*, True -*.arixo.ro*, True -*.ariyametta.sch.id*, True -*.arizki-web.com*, True -*.arizonaparana.com.ar*, True -*.arizonna.cl*, True -*.arjetairlines.com.ar*, True -*.arjunkumar.in*, True -*.arjunpanday.com.np*, True -*.arkadiem.co.uk*, True -*.arkafilm.ru*, True -*.arkanet.mx*, True -*.arkange.ch*, True -*.arkanpost.com*, True -*.arkay7.org*, True -*.arkets.com*, True -*.arkhala.net*, True -*.arkhosting.biz*, True -*.arkienal.com*, True -*.arkitera.tv*, True -*.arkivdt.co*, True -*.arkline.ru*, True -*.arksider.tk*, True -*.arksider.tw*, True -*.arksourcing.com*, True -*.arktis-ag.com*, True -*.arktis-ag.net*, True -*.arky.us*, True -*.arla32.com.br*, True -*.arlemcar.com*, True -*.arlequincafebar.ch*, True -*.arleslie.com*, True -*.arlew.com*, True -*.arlojiku.com*, True -*.armadaskis.ro*, True -*.armalo.net*, True -*.armandamarine.hr*, True -*.armani.ro*, True -*.armansoft.ir*, True -*.armarinhounica.com.br*, True -*.armasymuniciones.es*, True -*.armazemdosalgado.com.br*, True -*.armbibleblog.com*, True -*.arm-cgv.com*, True -*.armchairdesign.com*, True -*.armchairtheologian.net*, True -*.armchairtheologian.org*, True -*.armchan.com*, True -*.armed.ch*, True -*.armed-forces.ml*, True -*.armeela.com.pk*, True -*.armenia.co.za*, True -*.armeniaincentives.com*, True -*.armeriaelpirata.com.ar*, True -*.armet-internasional.com*, True -*.armidaledarts.com.au*, True -*.armidia.net*, True -*.arminareka-makassar.com*, True -*.armincl.info*, True -*.armincl.net*, True -*.armitasaze.ir*, True -*.armlinux.ro*, True -*.arm-m.ru*, True -*.arm-net.ro*, True -*.arm-ocn.com*, True -*.armopttorg.ru*, True -*.armturist.ru*, True -*.armus.com.ar*, True -*.armutlugirisim.com*, True -*.armutlugirisim.com.tr*, True -*.armyarmstrongfilms.net*, True -*.armyofpaintball.ro*, True -*.arnaknakliyat.com.tr*, True -*.arn.as*, True -*.arnauddemontard.net*, True -*.arnavnair.com*, True -*.arn-consult.com*, True -*.arndt.pw*, True -*.arnedobarreiro.com.ar*, True -*.arnel.web.id*, True -*.arneson.name*, True -*.arngrim.org*, True -*.arnica.ro*, True -*.arnlan.eu*, True -*.arnlind.name*, True -*.arnlind.us*, True -*.arno.fi*, True -*.arnoldinformwork.ca*, True -*.arnoschmid.ch*, True -*.arnotex.com*, True -*.arnoux.ch*, True -*.arnzendrug.com*, True -*.aro2u.net*, True -*.arocha.org.za*, True -*.aroeducation.com.au*, True -*.arofah.org*, True -*.aromasales.in*, True -*.aromasesabores.com.br*, True -*.aromaster.hk*, True -*.aromatherapy-essential-oils.com.au*, True -*.aroneveiculos.com.br*, True -*.aronijasadnice.com*, True -*.aronsonlaw.com*, True -*.aronssonkonsult.se*, True -*.arosafood.biz*, True -*.arosafood.com*, True -*.arosafood.info*, True -*.arosafood.net*, True -*.arosario.com*, True -*.arossierpaysage.ch*, True -*.aross.ru*, True -*.aroundtheworldin80ms.com*, True -*.aroundtheworldphotography.com*, True -*.arous.al*, True -*.aroworkforce.com.au*, True -*.arpakuutio.fi*, True -*.arpa.ml*, True -*.arpeegroup.in*, True -*.arpexcapital.com.br*, True -*.arpha.pw*, True -*.arph.org*, True -*.arpin-avocat.ch*, True -*.arppe.net*, True -*.arptoday.com*, True -*.arptoday.org*, True -*.arqpropiedades.cl*, True -*.arquedesign.com.br*, True -*.arquenco.cl*, True -*.arqueografia.com.ar*, True -*.arqueologiadelperu.com*, True -*.arquetipo.com.ar*, True -*.arquigestion.cl*, True -*.arquiobras.com.ar*, True -*.arquitaria.es*, True -*.arquitectosasociados.cl*, True -*.arquitectura360.com*, True -*.arquitetura3d.pt*, True -*.arquivodoispontozero.com.br*, True -*.arrabidabeercompany.pt*, True -*.arraialdopavulagem.com*, True -*.arrandavis.info*, True -*.arranpaul.org.uk*, True -*.arrayinvest.ru*, True -*.array.ml*, True -*.array.ws*, True -*.arrayyanalmubarak.com*, True -*.arredias.ro*, True -*.arredo-gmbh.ch*, True -*.arrevillaga.net*, True -*.arrieta.cl*, True -*.arriortua.es*, True -*.arriv.al*, True -*.arrl.info*, True -*.arrobapc.com.ar*, True -*.arrowcat.co.uk*, True -*.arrowfinancial.ca*, True -*.arrowfinancialplanningservices.com.au*, True -*.arrowgeo.com*, True -*.arrowgeomatics.com*, True -*.arrowmedia.web.id*, True -*.arrowservice.biz*, True -*.arrowtechnical.co.uk*, True -*.arroyo1.com*, True -*.arroyo-photography.com*, True -*.arrrcade.com*, True -*.arryliker.eu*, True -*.arsa.co.za*, True -*.arsamx.com*, True -*.arsemicor.com*, True -*.arsenalogist.com*, True -*.arsenamber.pl*, True -*.arsen-art.pl*, True -*.ars-informatica.ch*, True -*.arslanhafeez.com*, True -*.arslaniz.biz*, True -*.arsoft.ro*, True -*.arsov.eu*, True -*.arstom2.ru*, True -*.arsyafa01.tk*, True -*.arsyafa.tk*, True -*.arsyaindo.com*, True -*.arsystem.cl*, True -*.art14.ec*, True -*.art2003.tk*, True -*.art2themax.co.za*, True -*.art3dekor.ru*, True -*.art4shop.ru*, True -*.artadata.ir*, True -*.artafarin.com*, True -*.artagps.ir*, True -*.artaiki.gr*, True -*.art-and-photography.info*, True -*.artandte.ch*, True -*.artanis.cl*, True -*.artasomesana.ro*, True -*.artbondar.com*, True -*.artbookstore.cl*, True -*.artboulevard.ro*, True -*.art-box.us*, True -*.artbymasha.com*, True -*.artchina.tw*, True -*.artcomunicationyet.com.ve*, True -*.artcon.com.mx*, True -*.artdekor.si*, True -*.artdept.in*, True -*.art-designsalons.de*, True -*.artdiceramic.com.ar*, True -*.artdovepeace.com*, True -*.artdovepeace.org*, True -*.artebisa.com.ar*, True -*.artecam.mx*, True -*.artecto.com.mx*, True -*.artecute.com.br*, True -*.artedacaridade.com.br*, True -*.artedelis.cl*, True -*.artedotales.com.br*, True -*.arteees.com*, True -*.arteempalha.com.br*, True -*.arte-estetica.it*, True -*.artelnet.com.ar*, True -*.arteluce.mx*, True -*.artemenko.ca*, True -*.artemideus.ru*, True -*.artemovo.ru*, True -*.arteorigen.cl*, True -*.artepg.com*, True -*.arteprodent.ch*, True -*.arteran.com*, True -*.art-eria.club*, True -*.arte.ru*, True -*.artesaniasnino.com.ar*, True -*.artesaniasroque.com.mx*, True -*.artesaniassancho.com*, True -*.artescultura.eu*, True -*.artesesenta.com*, True -*.artesuave.cl*, True -*.artevirtual.cl*, True -*.artevisionario.com.mx*, True -*.artevitralyazulejos.com*, True -*.arteviva.ch*, True -*.artezanatto.com.br*, True -*.artfierforjat.ro*, True -*.artforanyday.com.au*, True -*.artframes.de*, True -*.artfutura.cl*, True -*.artgrafix.ro*, True -*.arthaadipersada.co.id*, True -*.art-hilton.com*, True -*.arthmediancommunication.com*, True -*.arthou.com*, True -*.arthou.net*, True -*.arthou.org*, True -*.arthurart.org*, True -*.arthurmagno.com.br*, True -*.arthurvaz.com.br*, True -*.arthuryue.com*, True -*.arthurzhang.net*, True -*.articlebuzz.co.uk*, True -*.articoli.ro*, True -*.articulatii.ro*, True -*.articulosbasicos.com.mx*, True -*.articulosclasicos.tk*, True -*.artiesplace.net*, True -*.artifex.si*, True -*.artifici.al*, True -*.artificialintelligence.fi*, True -*.artigrafichemoretti.it*, True -*.artika.co.il*, True -*.artikanet.org*, True -*.artikelsehat.web.id*, True -*.artikraft.com.pk*, True -*.art-image.ro*, True -*.artinbk.com*, True -*.artiosband.com*, True -*.artiosonline.com*, True -*.artioukhine.com*, True -*.artiptv.eu*, True -*.artisanimprovements.com.au*, True -*.artisanpeintre.ch*, True -*.artisan-workshop.com*, True -*.artisnotcrime.com*, True -*.artistas.ro*, True -*.artistribute.com*, True -*.artistsreproductions.ca*, True -*.artitech.com*, True -*.artlux.gr*, True -*.artmade.ir*, True -*.artofgaming.ru*, True -*.artofmail.net*, True -*.artofmedicine.org*, True -*.arto-moro-makmur.com*, True -*.artonmap.com*, True -*.artonmap.ru*, True -*.art-perfume.ru*, True -*.artperustore.com*, True -*.art-pushkin.ru*, True -*.artraduccion.com.ar*, True -*.artrrem.ro*, True -*.arts4x.com*, True -*.artscala.ro*, True -*.artsdataconnect.com*, True -*.artsedgroup.com*, True -*.artsedgroup.org*, True -*.artseducatorsgroup.com*, True -*.artseducatorsgroup.net*, True -*.artseducatorsgroup.org*, True -*.artseducators.net*, True -*.artseducators.org*, True -*.artsibe.com*, True -*.artsimpressions.com*, True -*.artsmodel.ru*, True -*.artsoap.cl*, True -*.artsoft.com.mx*, True -*.artsoft.mx*, True -*.artstower.org*, True -*.artsydomains.com*, True -*.arttecnica.com.ar*, True -*.artu.md*, True -*.arturomorgante.it*, True -*.artursbaltacis.id.lv*, True -*.art-uzp.ru*, True -*.artvision.ca*, True -*.artware.ch*, True -*.artwave.fi*, True -*.artwings.com*, True -*.artwood.it*, True -*.artwork.com.ar*, True -*.artwork.ml*, True -*.artworkshop.co.il*, True -*.artworksondavadi.org.au*, True -*.art-works.ro*, True -*.artworkstudio.ro*, True -*.artworld.tw*, True -*.artyhoney.com*, True -*.artzi.org*, True -*.aruanda.cf*, True -*.aruanda.ga*, True -*.aruanda.ml*, True -*.aruanda.tk*, True -*.aruas.net*, True -*.arujdep.cf*, True -*.arul.me*, True -*.arunachaltraders.com*, True -*.arunamarine.com*, True -*.arunarani.tk*, True -*.arunoday.tk*, True -*.arunpandey.com.np*, True -*.arunshah.co.uk*, True -*.arunshah.net*, True -*.arusloky.com*, True -*.arvonia.net*, True -*.arvoresaude.com*, True -*.arvoresaude.com.br*, True -*.arwdesigns.com*, True -*.arwen.ro*, True -*.arxiktimatiki.gr*, True -*.aryabayu.com*, True -*.arya.cf*, True -*.aryagroup.co.id*, True -*.aryanoble.co.id*, True -*.aryasamajofmiami.com*, True -*.aryasa.net*, True -*.aryazamyn.com*, True -*.arybarbosa.com*, True -*.aryfesr.cf*, True -*.aryonugroho.my.id*, True -*.aryowoker.tk*, True -*.ary-wibowo.my.id*, True -*.arywidyandarto.web.id*, True -*.aryynewbie.net*, True -*.arzt-vetterli.ch*, True -*.arzuname.com*, True -*.as6.ro*, True -*.as72.biz*, True -*.asaaco.com*, True -*.asachi.com*, True -*.asach.org*, True -*.asadana.co.id*, True -*.asadanasemesta.co.id*, True -*.asadodelosviernes.com.ar*, True -*.asaenochs.com*, True -*.asak.ru*, True -*.asalardabil.com*, True -*.asal-usul.com*, True -*.asamiswardrobe.com*, True -*.asanadesk.com*, True -*.asangreyletras.es*, True -*.asanyaab.ir*, True -*.asap2u.com.br*, True -*.asapce.com.ar*, True -*.asapmedstaff.com*, True -*.asapp.eu*, True -*.asasbox.net*, True -*.asax.ch*, True -*.asaxjt-jnc.org*, True -*.asazav.tk*, True -*.asbnet.pro*, True -*.asbsales.be*, True -*.asbsales.eu*, True -*.ascendente.com.br*, True -*.ascendwow.com*, True -*.ascenet.ch*, True -*.ascensoresnorbayres.com.ar*, True -*.ascentionmining.com*, True -*.ascenture.ro*, True -*.aschauer.cc*, True -*.aschr.com*, True -*.aschwandens.ch*, True -*.ascom.com.ar*, True -*.ascorare.ro*, True -*.ascra.org*, True -*.asctimetables.ro*, True -*.asct.ro*, True -*.ascuns.ro*, True -*.asdepannage.be*, True -*.asdfasdf.ch*, True -*.asdf.co.za*, True -*.asdflolinternet.com*, True -*.asdrive.net*, True -*.asdstw.com*, True -*.asdtreinamentos.com.br*, True -*.aseancioforum.com*, True -*.aseancioforum.org*, True -*.ased.ir*, True -*.aseg.ch*, True -*.aselive.ro*, True -*.asema.info*, True -*.asemani.org*, True -*.asemchile.cl*, True -*.asem.cl*, True -*.asemkashop.com*, True -*.asen.org.au*, True -*.asenov.ru*, True -*.asensetherapy.com*, True -*.asepnurprahing.ga*, True -*.asercorp.cl*, True -*.aserho.com.mx*, True -*.aseriesoftubes.net*, True -*.asermin.cl*, True -*.aserraderoalonso.com*, True -*.aserraderoalonso.com.ar*, True -*.asesorakarina.com.ar*, True -*.asesorcriminalista.cl*, True -*.asesoria.cl*, True -*.asesoriagaesa.com*, True -*.asesoriaintegral.com.ar*, True -*.asesoriamarchal.com*, True -*.asesoriaseinversionesdelcarmen.cl*, True -*.asesoriasgestion.cl*, True -*.asesoriasnyp.cl*, True -*.asesoriasyevenes.cl*, True -*.asesornet.cl*, True -*.asfasfsafsasfa.org*, True -*.asgaard-gaming.com*, True -*.asgaardgaming.com*, True -*.asgaard.ru*, True -*.asgard01.net*, True -*.asgard.io*, True -*.asgardnetworks.com*, True -*.asgardnetworks.net*, True -*.asgovnet.be*, True -*.asgw.cf*, True -*.asgw.ga*, True -*.asgw.ml*, True -*.ash3000k.tk*, True -*.ash3000k-wordpress.tk*, True -*.ashamka.com*, True -*.ashburycloud.com*, True -*.ashburyfarm.com*, True -*.ashburytrust.com*, True -*.ashcore.ca*, True -*.ashcore.net*, True -*.ashdalepark.net*, True -*.ashecology.com*, True -*.ashed.net*, True -*.asher.gq*, True -*.asherknibbe.com*, True -*.ashevillezen.com*, True -*.ashgillett.com*, True -*.ashgrovefarmnursery.co.uk*, True -*.ashimkc.com.np*, True -*.ashimlamichhane.com.np*, True -*.ashinokago.com*, True -*.ashishmehra.com*, True -*.ashishsingh.cf*, True -*.ashlandheights.net*, True -*.ashleewicks.ca*, True -*.ashleyads.com*, True -*.ashley-davis.net*, True -*.ashleyhames.com*, True -*.ashleyhames.co.uk*, True -*.ashleyhub.com*, True -*.ashleyskippers.com*, True -*.ashleythenewbie.com*, True -*.ashmedai.net*, True -*.ashokadhikari.com.np*, True -*.ashokbasnet.com.np*, True -*.ashokthakur.com.np*, True -*.ashorethingrun.ca*, True -*.ashpool.net*, True -*.ashrafsolomon.co.za*, True -*.ashrealms.com*, True -*.ashterhost.com*, True -*.ashtonsimpressions.com.au*, True -*.ashtonus.com*, True -*.ashtrono.my*, True -*.ashwarp.com*, True -*.ashwinbose.com*, True -*.asiabolabet.com*, True -*.asiabolanews.com*, True -*.asiabusinesscentres.com*, True -*.asiachromecemerlang.com*, True -*.asiafans.cl*, True -*.asiaglobalteknik.com*, True -*.asiaherewe.com*, True -*.asiahockey.com*, True -*.asiahockey.info*, True -*.asiaikuba.pl*, True -*.asiakomputer.com*, True -*.asiamooc.com*, True -*.asianartweekhk.com*, True -*.asianbiscuitandconfectionery.com.np*, True -*.asianblackorgies.com*, True -*.asianexus.com*, True -*.asianflowergirl.com*, True -*.asianfreshproduce.com*, True -*.asiangirlsexporn.com*, True -*.asianhottiespussy.com*, True -*.asianrisk.com*, True -*.asianthaifoods.com.np*, True -*.asiapacificpatent.cn*, True -*.asiapacificpatent.com*, True -*.asiapacificpatent.net*, True -*.asia-petro.co.id*, True -*.asiaprendo.cl*, True -*.asiapr.id*, True -*.asiapr.net*, True -*.asiareps.cl*, True -*.asiareps.com.pe*, True -*.asiareps.hk*, True -*.asiaroxy.com*, True -*.asia-tools.asia*, True -*.asiatoys.net*, True -*.asiatravel.jp*, True -*.asiatruk.com*, True -*.asiaweekhongkong.com*, True -*.asiawinway.com*, True -*.asiaxcom.com*, True -*.asiax.hk*, True -*.asiaxpatholiday.com*, True -*.a-sides.be*, True -*.asig.md*, True -*.asigura-tot.ro*, True -*.asigurtot.ro*, True -*.asikeskrim.com*, True -*.asimrachivilcoy.com.ar*, True -*.asirargentina.com.ar*, True -*.asir.com.ar*, True -*.a-sirius.com*, True -*.asis24horas.com*, True -*.asisko.cl*, True -*.asi-soft.es*, True -*.asistentafarmacie.ro*, True -*.asistentemovil.com.ar*, True -*.asitalcual.cl*, True -*.asit.cl*, True -*.asitconstruct.ro*, True -*.asitss.com*, True -*.asjprice.co.uk*, True -*.ask2ask.com*, True -*.aska-nn.ru*, True -*.askewops.com.au*, True -*.askex.com*, True -*.askhartleyauto.com*, True -*.askin.ws*, True -*.askonas.net*, True -*.asksakis.com*, True -*.aslamjayatenda.com*, True -*.asliceofheaven.net*, True -*.aslijepretlumajang.or.id*, True -*.asliku.com*, True -*.asmacwa.com*, True -*.asmaraol.cf*, True -*.asmaraol.tk*, True -*.asmartartz.co.uk*, True -*.asmartinsfisioterapia.com.br*, True -*.asm.com.ar*, True -*.asmecexternal.com*, True -*.asmecftp.com*, True -*.asmedia.ro*, True -*.asmlair.net*, True -*.asm-panel.ga*, True -*.asn.co.za*, True -*.asnet.pt*, True -*.asnn.org*, True -*.asnur5.tk*, True -*.asoappstore.com*, True -*.asoch.cl*, True -*.asociacionabogados.com.ar*, True -*.asociacionchilenadepnl.cl*, True -*.asociacion.cl*, True -*.asociadasnatura.com*, True -*.asoci.al*, True -*.asociatiabetania.org*, True -*.asociatiagreenpark.ro*, True -*.asociatiahoreavuscan.ro*, True -*.asociatia-uniiv.org*, True -*.asolafirma.com.ar*, True -*.asolarsystem.com*, True -*.asoportuguesa.org.ve*, True -*.asopyrvi.cf*, True -*.asospa.com*, True -*.aspactech.com*, True -*.aspade.com*, True -*.asparagusandmelon.ch*, True -*.asparrenamaitia.eu*, True -*.aspcentre.com.au*, True -*.aspcommunication.tk*, True -*.aspdebugger.com*, True -*.aspdebugger.net*, True -*.aspepc.cat*, True -*.asperamatos.gr*, True -*.aspergatus.ch*, True -*.asperger.org.il*, True -*.aspersoft.com*, True -*.as-photography.ch*, True -*.aspiegroup.eu*, True -*.aspirerecruit.com.au*, True -*.aspire-sec.info*, True -*.aspoerri.ch*, True -*.asprev.cl*, True -*.asprocer.cl*, True -*.asprone.com*, True -*.asprop.ro*, True -*.aspserver.net*, True -*.asptoyou.ch*, True -*.aspxwebdeveloper.com*, True -*.asquha.com*, True -*.asra-ps.com*, True -*.asraraspia.web.id*, True -*.asreed.com*, True -*.asrivas.me*, True -*.asrock.pl*, True -*.asrov.com*, True -*.ass66.com*, True -*.assalaamtmg.sch.id*, True -*.assanadiyah.info*, True -*.assassins.ninja*, True -*.assdingos.com*, True -*.assefair.ro*, True -*.assef.com.ar*, True -*.asselin-family.com*, True -*.assembl.net*, True -*.assemblylinemonitoringsystem.in*, True -*.assendo.cl*, True -*.assenov.net*, True -*.assessmentengine.com*, True -*.assessoriagaesa.com*, True -*.assessorpolitico.com.br*, True -*.assetrecovery.co.uk*, True -*.assetsconnect.com*, True -*.assholetenants.com*, True -*.assi.cl*, True -*.assimcomoe.com.br*, True -*.assimilate.info*, True -*.assi.si*, True -*.assis.net.br*, True -*.assistant.hk*, True -*.assistenciaariston.pt*, True -*.assistenzadentrocasa.net*, True -*.assis.tk*, True -*.assitport.com*, True -*.assitport.co.za*, True -*.associateinnovations.com*, True -*.associateinnovations.net*, True -*.associateinnovations.us*, True -*.assopopoliss.com*, True -*.assortednotions.com*, True -*.assterpiece.com*, True -*.assterpiece.net*, True -*.asstubez.net*, True -*.assunzioniagevolate.com*, True -*.assunzioniagevolate.eu*, True -*.assunzioniagevolate.it*, True -*.assunzioniagevolate.net*, True -*.assunzioniagevolate.org*, True -*.assuregloves.com*, True -*.assureware.com*, True -*.assylbek.kz*, True -*.astafac.eu*, True -*.astagadev.com*, True -*.astakaryajayascaffolding.com*, True -*.astaro-firewall.com*, True -*.astarta39.ru*, True -*.astaxi.ro*, True -*.astecaassociados.com.br*, True -*.asteca.com.br*, True -*.astecacorretora.com.br*, True -*.astecolifestyle.ro*, True -*.asterhk.com*, True -*.asterisco45.com*, True -*.asterisk-pbx.hk*, True -*.asterisktools.com.br*, True -*.aster.net.au*, True -*.asteroide.es*, True -*.astersky.ru*, True -*.astervoip.com.ar*, True -*.astetecomunicaciones.cl*, True -*.astetic.net*, True -*.astheams.web.id*, True -*.astikiu.lt*, True -*.astiz.tk*, True -*.asto344.pl*, True -*.astokoajie.com*, True -*.astol.pro*, True -*.astonishmillion.com*, True -*.astrabus.ru*, True -*.astracom.ro*, True -*.astradev.ru*, True -*.astrajaya.com*, True -*.astrajur.tk*, True -*.astralmusings.com*, True -*.astralstorm.info*, True -*.astraltech.org*, True -*.astra-passengers.ro*, True -*.astraprod.ro*, True -*.astraybay.com*, True -*.astraybay.org*, True -*.astre.cf*, True -*.astriaporta.net*, True -*.astria.rs*, True -*.astril.net*, True -*.astroarquetipica.com.ar*, True -*.astrocenter.com.br*, True -*.astrodestino.com.ar*, True -*.astrodestin.ro*, True -*.astro-fx.com*, True -*.astrogeo.org*, True -*.astrognost.com*, True -*.astroic.com*, True -*.astroidea.net*, True -*.astroinnova.org*, True -*.astroinventions.com*, True -*.astroism.com*, True -*.astrokinesis.com*, True -*.astrolog4u.ru*, True -*.astrom.fr*, True -*.astrom-it.nu*, True -*.astrom-it.se*, True -*.astronomyontap.com*, True -*.astronomyontap.org*, True -*.astronosotros.cl*, True -*.astropenguin.net*, True -*.astrophotography.ch*, True -*.astropol.net*, True -*.astropol.ru*, True -*.astrospar.net*, True -*.astro-svet.ru*, True -*.astroza.cl*, True -*.astrumit.com*, True -*.astudilloabogados.cl*, True -*.asturdj.es*, True -*.asturiasmotor.com*, True -*.asturking.es*, True -*.asturleonesa.es*, True -*.ast.web.id*, True -*.astyfidis.com*, True -*.asu03.ru*, True -*.asumihhan.org*, True -*.asu.mx*, True -*.asunim.co*, True -*.asunim.co.za*, True -*.asuphotography.com*, True -*.asuransiangkutanlaut.com*, True -*.asuransikebakaran.com*, True -*.asuransiku.org*, True -*.asuransimarineindo.com*, True -*.asuransirangkakapal.com*, True -*.asuransirumah.org*, True -*.asuransitanggunggugat.com*, True -*.asurekti.cf*, True -*.asury.com*, True -*.asu.su*, True -*.asuszenfoneblog.com*, True -*.asutenan.tk*, True -*.asuwcr.com*, True -*.asuwifi.net*, True -*.asvj.ro*, True -*.asylarman.com*, True -*.asylumseekerscentre.org.au*, True -*.async.cl*, True -*.asynchronous.net.au*, True -*.asyouwishportraiture.com*, True -*.asyscom.cl*, True -*.asysnet.tk*, True -*.asystme.com.ar*, True -*.at0m1k.ca*, True -*.at1978.co.uk*, True -*.ata33.com*, True -*.ata66.com*, True -*.atabaksepehr.com*, True -*.atabaksepehr.ir*, True -*.atabaque.cf*, True -*.atabaque.ga*, True -*.atabaque.ml*, True -*.atabaques.cf*, True -*.atabaques.ga*, True -*.atabaques.ml*, True -*.atabaques.tk*, True -*.atabaque.tk*, True -*.atacadodesapatilhas.com.br*, True -*.atacc-service.com*, True -*.atac-galati.ro*, True -*.ataciara.fi*, True -*.atacomputers.net*, True -*.atacorp.co*, True -*.atahotel.co.id*, True -*.ataindonesia.net*, True -*.atalayaconstruye.com.ar*, True -*.atalayer.com*, True -*.atalhos.com.br*, True -*.atallman.us*, True -*.atamakurakura.com*, True -*.atanasov.us*, True -*.atanius.com*, True -*.atapaluminium.com*, True -*.atapindustries.com*, True -*.atapindustries.net*, True -*.atapsegitiga.com*, True -*.atari8warez.com*, True -*.atarichile.com*, True -*.atariclub.com.br*, True -*.ataschem.com*, True -*.ataschemical.com*, True -*.atashico.ir*, True -*.ataskimya.com*, True -*.atasteofbrazil.com*, True -*.ataxiaontario.ca*, True -*.ataxia.ru*, True -*.atbthedj.com*, True -*.atbthedj.co.uk*, True -*.atcctld.com*, True -*.atcfirealarms.co.uk*, True -*.atclandscape.ca*, True -*.atclandscape.com*, True -*.atclandscaping.ca*, True -*.atc-magazine.kz*, True -*.atc.org.il*, True -*.atcplastering.com.au*, True -*.atcrenovations.com.au*, True -*.atcr.eu*, True -*.atdgroup.ro*, True -*.atdhyctive.ga*, True -*.atdot.se*, True -*.ateansesonline.com.ar*, True -*.atechnikality.net*, True -*.atechwebsite.com*, True -*.ateimed.co.uk*, True -*.atelie-plastelin.com*, True -*.atelier16.eu*, True -*.atelier27.ch*, True -*.atelier-creatie.ro*, True -*.atelier-creation.net*, True -*.atelierdepapel.com.ar*, True -*.atelierdesign.ru*, True -*.atelier-du-cafe.com*, True -*.atelierelf.ch*, True -*.atelierexpert.ro*, True -*.ateliermarieann.com.ar*, True -*.atelier-miyabi.net*, True -*.ateliermusikbewegung.ch*, True -*.atelierpinion.ro*, True -*.atelierulauto.ro*, True -*.atelis.net*, True -*.atem-entdecken.ch*, True -*.ateminstitut-schweiz.ch*, True -*.atemschule-bern.ch*, True -*.atemschule-schweiz.ch*, True -*.atemtherapieausbildung-bern.ch*, True -*.atemtherapieausbildung.ch*, True -*.atenacorretora.com.br*, True -*.atendimentobr.com*, True -*.atenera.com*, True -*.aterymsrl.com.ar*, True -*.atesakdogan.com*, True -*.atetoomuch.info*, True -*.atf.com.np*, True -*.atforis.com*, True -*.atgrocks.com*, True -*.athalpha.com*, True -*.athanasopoulou.eu*, True -*.atharley.com*, True -*.atheists.org.nz*, True -*.athenabutterfly.com*, True -*.athenacentral.org*, True -*.athenaeum.gr*, True -*.athenagaming.com*, True -*.athenainterpares.com*, True -*.athens-athens.com*, True -*.athertonweb.com*, True -*.athickfamily.tk*, True -*.athira.ch*, True -*.athirach.com*, True -*.athleticphysiotherapy.com.au*, True -*.atholdinginc.com*, True -*.atholiday-rental.com*, True -*.athome.ro*, True -*.athreattosociety.com*, True -*.athynium.com*, True -*.atikahnorbaki.com*, True -*.atilacorrea.net*, True -*.atilioboron.com.ar*, True -*.atiracom.net*, True -*.atirainc.com*, True -*.atiszanszabadastilus.hu*, True -*.atitudemovel.com.br*, True -*.atitudeveiculos.com*, True -*.atizapanenaccion.mx*, True -*.atkinson.net.au*, True -*.at-kniga.com*, True -*.atk-online.net*, True -*.atlanpix.es*, True -*.atlanpix.net*, True -*.atlantablackmedia.com*, True -*.atlantabubblebooty.com*, True -*.atlantabusinessdirectory.org*, True -*.atlantahouse-rt.ro*, True -*.atlantamobilewebdesign.com*, True -*.atlantapasion.com.ar*, True -*.atlantawebcompany.com*, True -*.atlantawebcompany.net*, True -*.atlantawoodjoiners.com*, True -*.atlant.com.au*, True -*.atlanticavenuemusic.com*, True -*.atlanticmoon.ro*, True -*.atlanticnetworks.net*, True -*.atlanticpoolsjakarta.com*, True -*.atlantisconsulting.gr*, True -*.atlantis.kz*, True -*.atlantis-networks.co.uk*, True -*.atlantisresearch.gr*, True -*.atlantistax.com*, True -*.atlantistehnologic.com*, True -*.atlantix.ml*, True -*.atlas-air.co.il*, True -*.atlasengineering.biz*, True -*.atlasintl.com.pk*, True -*.atlaslogistics.com.pk*, True -*.atlasmartialacademy.com*, True -*.atlasolar.com*, True -*.atlasprofilax.ch*, True -*.atlassrl.com.ar*, True -*.atlasstronghold.com*, True -*.atletasmarciales.com.ar*, True -*.atleticopiazza8marzo.tk*, True -*.atleti.cz*, True -*.atlmodels.net*, True -*.atlmusic1.com*, True -*.atlncsintern.net*, True -*.atlproduction.net*, True -*.atlygin.com*, True -*.atm733.com*, True -*.atm733.ir*, True -*.atmbech.cl*, True -*.atmgroup.si*, True -*.atmhost.net*, True -*.atminiacrefarm.com*, True -*.atmosferalabs.com.ar*, True -*.atmpchk.com*, True -*.atn.co.za*, True -*.atnewgtld.com*, True -*.atobindesign.com*, True -*.atobsoftware.com*, True -*.atob.ws*, True -*.atogllc.com*, True -*.atoka.com*, True -*.atolon.org*, True -*.atomcomputerassistance.com*, True -*.atomenergy.com.np*, True -*.atomflux.com*, True -*.atomicbullfrog.com*, True -*.atomiccamel.com*, True -*.atomicclockmusic.org*, True -*.atomicfusion.ca*, True -*.atomicfuxion.com*, True -*.atomic-hub.ro*, True -*.atomicity.org*, True -*.atomiclinda.com*, True -*.atomicmonkey.co.uk*, True -*.atomicmouse.co.uk*, True -*.atomicnet.ro*, True -*.atomicsystem.net*, True -*.atomicvigil.net*, True -*.atom-it.dk*, True -*.atomix.cl*, True -*.atomizerprovider.com*, True -*.atompcrepair.com*, True -*.atomssa.com*, True -*.atonius.com*, True -*.aton.kz*, True -*.aton.net.ru*, True -*.aton-spec.ru*, True -*.atopkas.gr*, True -*.atorcha.es*, True -*.atorrez.com*, True -*.atosystem.com*, True -*.atoy.info*, True -*.atozfilmstudios.com*, True -*.atoznetworks.com*, True -*.atozsafewarehouse.com*, True -*.atozsafewarehouse.co.uk*, True -*.atp30.com*, True -*.atpbrokers.com*, True -*.atpconsulting.ro*, True -*.atpeople.com*, True -*.atpersada.com*, True -*.atpis.net*, True -*.atputies.lv*, True -*.atraktor.ro*, True -*.atreedown.com*, True -*.atreides.cl*, True -*.atrians.com.br*, True -*.atrin-media.ir*, True -*.atriumarquitectos.cl*, True -*.atriumesoteric.org*, True -*.atsa.info*, True -*.at-srv.ru*, True -*.attachmentrentals.com.au*, True -*.attacker.cf*, True -*.attacks.cf*, True -*.attadaletravel.com.au*, True -*.attak.ga*, True -*.attardo-sanitaires.ch*, True -*.at-taufiq.tk*, True -*.attcastellar.cat*, True -*.attcommercial.in*, True -*.attendance.ga*, True -*.attendasolutions.com*, True -*.atterprise.com.au*, True -*.atticapellet.gr*, True -*.attic-door.ru*, True -*.attikopellet.gr*, True -*.attoapp.com*, True -*.atto-biolab.com*, True -*.attomic.com.au*, True -*.attomos.com.br*, True -*.attorneyassetsolutions.com*, True -*.attorneydebthelpers.com*, True -*.attorneyintexas.net*, True -*.attqelab.net*, True -*.attrabyte.com.au*, True -*.attrahent.com*, True -*.attsucks.tk*, True -*.att-ur.tk*, True -*.atty.co.uk*, True -*.atty.hk*, True -*.at-udon.com*, True -*.at-uk.co.uk*, True -*.atupproviders.com*, True -*.atusalud.info*, True -*.atv-greifswald.de*, True -*.atw.ac.id*, True -*.at-war.com*, True -*.at-who.com*, True -*.atwoki.com*, True -*.at-work.tk*, True -*.atxds.com*, True -*.atxec.com*, True -*.atxestates.com*, True -*.at-you.cf*, True -*.atyourplace.ch*, True -*.atyourway.com.ar*, True -*.atzerk.net*, True -*.au-32.ch*, True -*.aubergeduraimeux.ch*, True -*.aubertstrassmann.ch*, True -*.aubior.com*, True -*.aubior.fr*, True -*.auburnderm.org*, True -*.aucayan.ch*, True -*.auchevalblanc.ch*, True -*.aucity.com.au*, True -*.aucool.com*, True -*.auctionburglar.com*, True -*.auction-thief.com*, True -*.aucula.net*, True -*.audacity.sg*, True -*.audax.com.ar*, True -*.audaxintl.com.ar*, True -*.audeas.com.ar*, True -*.audgard.ru*, True -*.audh.net*, True -*.audi90.ch*, True -*.audiacloud.me*, True -*.audible.gq*, True -*.audiobooty.com*, True -*.audiobrenner.ch*, True -*.audiobrenner.li*, True -*.audiodd.ro*, True -*.audiograma.com*, True -*.audiologyhr.com*, True -*.audioloud.com.br*, True -*.audio-luxury.com*, True -*.audiomagazin.ro*, True -*.audiomas.com.ar*, True -*.audiophile.cf*, True -*.audiophools.net*, True -*.audioplanet.ru*, True -*.audiopro.com.mx*, True -*.audiopro.mx*, True -*.audio-server.ch*, True -*.audiosociety.net*, True -*.audiostatic.net*, True -*.audiovailable.com*, True -*.audiovisu.al*, True -*.auditame.com*, True -*.auditbricks.com*, True -*.audit-contabil.ro*, True -*.auditcontabil.ro*, True -*.auditleague.ro*, True -*.auditoradea.ro*, True -*.auditore.org*, True -*.auditor.hk*, True -*.auditoriocheguevara.org*, True -*.auditsk.ru*, True -*.auditural.com*, True -*.audityourcarrier.com*, True -*.audolatry.com*, True -*.auersperg.si*, True -*.aufenthaltsraum.cf*, True -*.aufenthaltsraum.ml*, True -*.aufenthaltsraum.tk*, True -*.augaming.net*, True -*.augenarzt-fischer.ch*, True -*.augmentgames.com*, True -*.augmentin-uk.com*, True -*.augsburg.freifunk.net*, True -*.augustbayfacilities.com*, True -*.augustgermar.tk*, True -*.aujebi.com.br*, True -*.auks.com.ar*, True -*.aulaxpress.com*, True -*.aulaxpress.es*, True -*.auldhill.net*, True -*.aulin.ch*, True -*.aulro.com.au*, True -*.aun-eg.com*, True -*.aunestamosvivos.cl*, True -*.aunumerosix.ch*, True -*.auparadisdelamariee.ch*, True -*.aupetitpoucet.ch*, True -*.aupita.com.ar*, True -*.aupong.hk*, True -*.aupresfabric.com*, True -*.auprom.cl*, True -*.auquisa.com.ar*, True -*.auraabadicargo.com*, True -*.auraplant.com.mx*, True -*.auraria.org*, True -*.aurarock.com.ar*, True -*.aura-somaaustralasia.com*, True -*.aura-soma.com.au*, True -*.aurelia12.tk*, True -*.aureliaalfath.tk*, True -*.aurelio.mx*, True -*.aureliordache.ro*, True -*.aureus.asia*, True -*.aurica.md*, True -*.auriev.ru*, True -*.aurilo.com.au*, True -*.aurl.to*, True -*.auroracoworking.com*, True -*.auroracoworking.si*, True -*.aurorainnata.com*, True -*.aurora.so*, True -*.aurorawave.net*, True -*.auroreansky.net*, True -*.auroregremion.com*, True -*.auroria.ru*, True -*.auryssanchez.com*, True -*.ausbackupguide.com*, True -*.ausbackupguide.com.au*, True -*.ausband.com*, True -*.ausbeck.net*, True -*.ausbeck.org*, True -*.auscanforum.com*, True -*.ausdrucksmalen-sulser.ch*, True -*.ausenses.com.au*, True -*.ausgrand.com.au*, True -*.ausinformatics.com*, True -*.ausinformatics.com.au*, True -*.auslanka.com.au*, True -*.ausmacworld.com*, True -*.ausmacworld.com.au*, True -*.ausmanagement.com.au*, True -*.ausmarsh.info*, True -*.ausmleben.de*, True -*.ausnetwebhosting.com*, True -*.ausplots.org.au*, True -*.ausproperti.com.au*, True -*.ausshir.ca*, True -*.aussie50.com*, True -*.aussiedogs.us*, True -*.aussieflagsandflagpoles.com.au*, True -*.aussiegoal.com*, True -*.aussielight.ninja*, True -*.aussiemarquees.com.au*, True -*.aussiepaleoplan.com.au*, True -*.aussierob.com*, True -*.aussietorrents.com*, True -*.aussietvaerials.com.au*, True -*.aussietvaerials.net.au*, True -*.aussievitamin.com*, True -*.auss-logistic.ru*, True -*.austechxpert.com*, True -*.austechxpert.com.au*, True -*.austhollett.com*, True -*.austinaccess.com*, True -*.austin-chayonryu.com*, True -*.austingemmer.com*, True -*.austinhawks.net*, True -*.austinlightguy.com*, True -*.austinprabhu.com*, True -*.austinprosthodontics.com*, True -*.austin-taekwon-karate.com*, True -*.austintaiwan.com*, True -*.austintreetrimmingservices.com*, True -*.austin-winger.com*, True -*.austmacworld.com*, True -*.austmacworld.com.au*, True -*.australia.ai*, True -*.australianbackupguide.com*, True -*.australianbackupguide.com.au*, True -*.australiancrocodileproducts.com*, True -*.australiancrocodileproducts.com.au*, True -*.australiandesignreview.com.au*, True -*.australianhostmaster.com*, True -*.australianhostmaster.net*, True -*.australianhostmaster.net.au*, True -*.australianhuntermag.com*, True -*.australianhuntermag.com.au*, True -*.australianmacworld.com*, True -*.australianmacworld.com.au*, True -*.australiansailing.org.au*, True -*.australiansauce.com.ar*, True -*.australianshooter.com.au*, True -*.australianwebsitesales.com.au*, True -*.australianwildharvest.com*, True -*.australiasummer.com*, True -*.austria-escort.at*, True -*.austrobot.info*, True -*.austrobot.org*, True -*.austrodiesel.me*, True -*.austrogaming.tk*, True -*.austrotherm.bg*, True -*.ausunit.com*, True -*.ausuper.com.au*, True -*.autalonexpress.ch*, True -*.autamization.com*, True -*.autentica-seitan.es*, True -*.authentibles.com*, True -*.authenticdance.ro*, True -*.authentic-seitan.co.uk*, True -*.authentic-seitan.tk*, True -*.authentieke-seitan.nl*, True -*.authentisch-seitan.de*, True -*.authority-guild.eu*, True -*.authr.ca*, True -*.autiga.pl*, True -*.autismbaiamare-tale.ro*, True -*.autismwalk.com.au*, True -*.autisticpeoplemeet.tk*, True -*.auto-ahtola.fi*, True -*.autoalex.at*, True -*.autobacklink.ir*, True -*.autoblitz.biz*, True -*.autoblogauction.com*, True -*.autoblogrevolution.com*, True -*.autobodycreationsmd.com*, True -*.autobogyo.ro*, True -*.autobot.am*, True -*.autobot.in*, True -*.autocarazinho.com.br*, True -*.autoces.com.my*, True -*.autoclasic-club.ro*, True -*.autoclassic1.com*, True -*.autoclever.ro*, True -*.autoclube.net*, True -*.autoclubsaratov.ru*, True -*.autocontrolvalve.com*, True -*.autocultivo.info*, True -*.autodbase.ru*, True -*.autodepanare.ro*, True -*.autodromossa.com*, True -*.autoescuelaelsoto.com*, True -*.autoespacio.com*, True -*.autoestimanutricao.com.br*, True -*.autoflod.ga*, True -*.auto-focsani.ro*, True -*.autofollow.pw*, True -*.autogenie.eu*, True -*.autogestionme.com.ve*, True -*.autogoverno.net*, True -*.auto-guru.net*, True -*.autohar.ro*, True -*.autohoule.com*, True -*.autoimpuls.ro*, True -*.autoindependentreflexes.net*, True -*.auto-insurance-ana.com*, True -*.auto-k33.com*, True -*.autokiln.com*, True -*.autoklinik-mannheim.de*, True -*.autokupol.ru*, True -*.autolafavorita.com.ar*, True -*.auto-land.ch*, True -*.autolike.am*, True -*.autolike.club*, True -*.autolike.cz*, True -*.autolike.fm*, True -*.autolike.in*, True -*.autolike.jp*, True -*.autolike.mx*, True -*.autoliker.mx*, True -*.autolikers.biz*, True -*.autolikers.in*, True -*.autoliker.us*, True -*.autolikerz.gq*, True -*.autolikes.biz*, True -*.autolike.tk*, True -*.autoline.com.au*, True -*.autolink.net.nz*, True -*.auto-livorno.ro*, True -*.autoload.org*, True -*.autologistics.com.pk*, True -*.automapp.hk*, True -*.automar.ch*, True -*.automastermultimarcas.com.br*, True -*.automata.hk*, True -*.automatecno.cl*, True -*.automateeverything.ca*, True -*.automatehyd.ro*, True -*.automaticasoft.com*, True -*.automationprogrammer.co.uk*, True -*.automationprogrammer.info*, True -*.automation-x.ru*, True -*.automationx.ru*, True -*.automative.io*, True -*.automatontransfusion.com*, True -*.automatorm.com*, True -*.automatromania.ro*, True -*.automatydrzwiowe.pl*, True -*.automaxrondebult.co.za*, True -*.automeh.ru*, True -*.automercato24.it*, True -*.automont.com.ar*, True -*.automotive.si*, True -*.automotorespampa.com*, True -*.automotors.com.au*, True -*.auto.msk.su*, True -*.autopartesjc.com.ar*, True -*.autopartscompany.com*, True -*.autopiese24.ro*, True -*.autopistadelaconcagua.cl*, True -*.autopistadelitata.cl*, True -*.autoplast.sk*, True -*.autoprin.com*, True -*.autoproduzioni.info*, True -*.autoreconservices.com*, True -*.autoronen.co.il*, True -*.autoroutedemorges.ch*, True -*.autosearch.tk*, True -*.autoservices.net.nz*, True -*.autoservicesnewmarket.co.nz*, True -*.autoshipment.com*, True -*.autosites.com*, True -*.autosmallorcador.es*, True -*.autosmallorca.es*, True -*.autosmartdiy.com*, True -*.autosroig.es*, True -*.autostart42.ru*, True -*.autostd.ru*, True -*.auto-stefan.ro*, True -*.autostyling.it*, True -*.autosuficiencia.com.ar*, True -*.autosundso.com*, True -*.autosystem.cl*, True -*.autoteq.com*, True -*.autoth.com*, True -*.autotreviso-targoviste.ro*, True -*.autot.tk*, True -*.autoulkomailta.fi*, True -*.autounik.ro*, True -*.autourdespieds.ch*, True -*.autovest-exports.co.za*, True -*.autovia.cl*, True -*.autovisiones.com.ar*, True -*.autovisitor.net*, True -*.autoworkscarcare.com.au*, True -*.autowww.ru*, True -*.autoyapilar.com.ar*, True -*.autoyard.eu*, True -*.autozonesa.ch*, True -*.autre-monde.com*, True -*.autsoft.ch*, True -*.auu62.com*, True -*.auu74.com*, True -*.auu82.com*, True -*.auu94.com*, True -*.auu.lv*, True -*.auxmatinslents.org*, True -*.auyri.com.br*, True -*.auzonnet.com*, True -*.auzth.info*, True -*.av135.com*, True -*.ava-crm.ir*, True -*.avadent.cl*, True -*.avalanworld.com*, True -*.avaliesuaempresa.com.br*, True -*.avalon.tk*, True -*.avanceinformatica.com*, True -*.avangarda-nationala.ro*, True -*.avannza.com*, True -*.avanteit.com*, True -*.avante.sg*, True -*.avantis-re.gr*, True -*.avant.ninja*, True -*.avantosaukot.fi*, True -*.avanttex.com*, True -*.avaphotodesign.com*, True -*.avaprovi.com.mx*, True -*.avarte.com.mx*, True -*.avashmulmi.com.np*, True -*.avasolutions.com.br*, True -*.avatarimperium.tk*, True -*.avatarredondo.com.ar*, True -*.avatarsd.com*, True -*.av-c.net*, True -*.avcom.ro*, True -*.avcomunicacao.com.br*, True -*.avcorm.net*, True -*.av-d.co*, True -*.avdelmar198.com.ar*, True -*.av-dream.info*, True -*.aveaisg.com*, True -*.avedissian.us*, True -*.ave-doo.rs*, True -*.ave-intermed.ro*, True -*.avemaria.cl*, True -*.avengre.com*, True -*.aventador.ro*, True -*.aventurakids.pt*, True -*.aventureirosdopx.ga*, True -*.avenuecarriagecrossing.com*, True -*.aveplan.fi*, True -*.averdadecrua.com.br*, True -*.averight.com*, True -*.averill.co.id*, True -*.avero.com.ar*, True -*.averycreations.com*, True -*.averyhq.com*, True -*.averytvonline.co.uk*, True -*.avf.pw*, True -*.avgtek.com*, True -*.aviamedia.ru*, True -*.aviamegahabadi.com*, True -*.avianrefuge.com*, True -*.avianwonders.com*, True -*.aviarampatzis.com*, True -*.aviationconsultingllc.net*, True -*.aviationconsultingllc.org*, True -*.aviation-service.com*, True -*.aviationstory.com*, True -*.aviationtrim.com*, True -*.aviatrade.ru*, True -*.avicola.co*, True -*.avicoladonnicolas.com*, True -*.avidah.net*, True -*.avidgirl.com*, True -*.avidgirls.com*, True -*.avidguy.com*, True -*.avidh.cf*, True -*.avidkid.com*, True -*.aviindos.com*, True -*.avilab.com.mx*, True -*.avilte.com.ar*, True -*.avionicstructures.com*, True -*.avionske-karte.si*, True -*.avionskekarte.si*, True -*.aviornstein.com*, True -*.aviskarkc.com.np*, True -*.avisoschicureo.cl*, True -*.avivavenezuela.com.ve*, True -*.avkiss.com*, True -*.avk.pw*, True -*.avls.pt*, True -*.avmediation.co.il*, True -*.avmoa.net*, True -*.avmoa.org*, True -*.avmoasite.com*, True -*.avneri1.co.il*, True -*.avni.ws*, True -*.avocatbihor.ro*, True -*.avocatblaga.ro*, True -*.avocatcorinadicu.ro*, True -*.avocatdianaelenadragomir.ro*, True -*.avocat.fi*, True -*.avocatpasala.ro*, True -*.avocatpop.ro*, True -*.a-vogt.ch*, True -*.avoimetoppimateriaalit.fi*, True -*.avonbg.com*, True -*.avova.com*, True -*.avoxhosting.tk*, True -*.avp.co.id*, True -*.avp.ms*, True -*.avppl.com*, True -*.avracol.co.za*, True -*.avrah.info*, True -*.avr-elektronik.de*, True -*.avricare.com*, True -*.avrillavigne.cf*, True -*.avrnoob.com*, True -*.avrserver.com*, True -*.avrupasafak.com*, True -*.avs24.ru*, True -*.avsimplified.com*, True -*.avstry.com*, True -*.av-system.eu*, True -*.av-system.pl*, True -*.avtechie.com*, True -*.avtechy.com*, True -*.avtohisa-snoj.si*, True -*.avtohisasnoj.si*, True -*.avtolayn.ru*, True -*.avtomarket.si*, True -*.avtomed-vrn.ru*, True -*.avtomehanikatratar.si*, True -*.avtomina.info*, True -*.avtonahodka.com*, True -*.avtonomija.org*, True -*.avtooglasnik.si*, True -*.avtopark.pro*, True -*.avtoportal.bg*, True -*.avtoradio03.ru*, True -*.avtoservis-celec.com*, True -*.avtoservis-hladin.si*, True -*.avtoservis-podlesek.si*, True -*.avtosnoj.si*, True -*.avto-sola.si*, True -*.avuar.info*, True -*.avvbeltrame.com*, True -*.avvbeltrame.it*, True -*.avvocatidallacosta.it*, True -*.avvocatitroisi.it*, True -*.avvocatodelcittadino.it*, True -*.avvocatorosa.it*, True -*.avyny.com*, True -*.avzoa.com*, True -*.avzoa.net*, True -*.avzoa.org*, True -*.aw0.be*, True -*.awahlig.de*, True -*.a-want.com*, True -*.awan.web.id*, True -*.awardpedia.org*, True -*.awarebears.co.za*, True -*.awarebears.org*, True -*.awaretek.com.au*, True -*.awarriornation.com*, True -*.awatum.de*, True -*.away.im*, True -*.awd67.com*, True -*.awd77.com*, True -*.awd84.com*, True -*.awdsites.com*, True -*.aweandreverence.net*, True -*.aweandreverence.org*, True -*.awentech.com*, True -*.awesdesign.com*, True -*.awesoft.com.ve*, True -*.awesome404.com*, True -*.awesomeautomation.com*, True -*.awesomenessssssssssssss.tk*, True -*.awesomenite.com*, True -*.awesomepony.net*, True -*.awesometastic.ca*, True -*.awesomewedding.xyz*, True -*.awfulhorse.net*, True -*.awiki.org*, True -*.awineshop.com*, True -*.awitherite.com*, True -*.awjastrzebski.pl*, True -*.awkafau.org*, True -*.awkgrepsed.com*, True -*.awksedgrep.com*, True -*.awmawatercontrol.com.au*, True -*.awmosulut.com*, True -*.awmwaste.com.au*, True -*.awnet.one.pl*, True -*.awoen.nl*, True -*.awolfeservices.tk*, True -*.awolgang.com*, True -*.awpcomputers.co.uk*, True -*.awpcomputers.uk*, True -*.awpsychology.com.au*, True -*.awrymyth.net*, True -*.awsa.com.ar*, True -*.awsomnet.net*, True -*.awsomnet.org*, True -*.awstoreid.com*, True -*.awurts.me*, True -*.axa68.com*, True -*.axa78.com*, True -*.axa98.com*, True -*.axapadang.com*, True -*.axarmail.com*, True -*.axarquiaonline.com*, True -*.axashop.ro*, True -*.axatrading.ro*, True -*.axceltech.com*, True -*.axcont.ro*, True -*.axdcomputers.co.za*, True -*.axelbiotech.com*, True -*.axelbrz.com.ar*, True -*.axelsystems.cn*, True -*.axeltech.ro*, True -*.axelwiethoff.de*, True -*.axelzone.ro*, True -*.axemindg.tk*, True -*.axemx.com*, True -*.axeprim.eu*, True -*.axeprim.pl*, True -*.axet.ru*, True -*.axfor.com*, True -*.axiatek.com*, True -*.axilonlaw.com*, True -*.axiomatic.ro*, True -*.axiomb.com*, True -*.axiom.com.np*, True -*.axiomrpi.com*, True -*.axioncomputing.com*, True -*.axiosfrontdesk.in*, True -*.axisdynamics.com.au*, True -*.axis-kitchen.com*, True -*.axislsm.com.au*, True -*.axis-soft.com.ar*, True -*.axis-x.info*, True -*.axiz.org*, True -*.axleflame.tk*, True -*.axlog.ir*, True -*.ax.lt*, True -*.axmap.com*, True -*.axonitsolutions.com*, True -*.axo.pt*, True -*.axpedia.ir*, True -*.ax.rs*, True -*.axsetubal.pt*, True -*.axx67.com*, True -*.axx76.com*, True -*.axx88.com*, True -*.axxesindo.co.id*, True -*.axxessbiometrics.net*, True -*.axxomovies.tk*, True -*.axxoncomposites.com*, True -*.axybo.com*, True -*.axyir.com*, True -*.ay828.com*, True -*.ay919.com*, True -*.ayafish.hk*, True -*.ayagroup.ca*, True -*.ayainterior.com*, True -*.ayalontech.com*, True -*.ayalontech.net*, True -*.ayalontech.org*, True -*.ayan-eric.ro*, True -*.ayank.tk*, True -*.ayasophia.com*, True -*.ayasplace.ca*, True -*.ayax.com.ar*, True -*.aybarsound.com*, True -*.aybear.com*, True -*.aybit.ch*, True -*.aycarambamexicanfood.com.au*, True -*.aydinergil.com*, True -*.aydinsener.com*, True -*.ayeconsultores.cl*, True -*.ayelenbuzzolan.com.ar*, True -*.ayelen.com.ar*, True -*.ayen-jkt48.com*, True -*.ayetbul.com*, True -*.ayfsrl.com.ar*, True -*.ayg.cl*, True -*.ayg-computacion.com.ar*, True -*.aygenerji.com*, True -*.ayitey.com*, True -*.ayjans.com*, True -*.aykensi.com*, True -*.aykos.ch*, True -*.ayla.cc*, True -*.aylince.com.tr*, True -*.aylince.name.tr*, True -*.aylingoktug.com.tr*, True -*.aylingoktug.net.tr*, True -*.aymichael.hk*, True -*.aymon.ch*, True -*.aynrand.ru*, True -*.ayobelajar.com*, True -*.ayobelajar.net*, True -*.ayokitacerita.com*, True -*.ayotu.com*, True -*.ayotzinapasomostodos.com*, True -*.ayou.be*, True -*.ayraudo.com.ar*, True -*.ayso795.org*, True -*.aysono.com*, True -*.aysphere.com*, True -*.ays-souvenirs.com.ar*, True -*.aytak-sabalan.com*, True -*.aytek-ks.com*, True -*.ayudapostventa.cl*, True -*.ayudenergy.co.il*, True -*.ayukurulush.kg*, True -*.ayunindya.com*, True -*.ayurvedaenindia.com.ar*, True -*.a-yu.tw*, True -*.ayuwelirang.com*, True -*.ayvali.net*, True -*.az161.ru*, True -*.azaautomation.ro*, True -*.azalon.com*, True -*.azamba.tv*, True -*.azambuja.eng.br*, True -*.azam.dj*, True -*.azamweb.info*, True -*.azarinekosmetik.com*, True -*.azarmassu.cl*, True -*.azasoft.ro*, True -*.azazel-sensei.com*, True -*.azcomputerworks.com*, True -*.azdomestaas.com*, True -*.azeezia.com*, True -*.az-electronic.com*, True -*.azena.info*, True -*.azeosoft.com*, True -*.azeroth-wow.com*, True -*.azerty.com.ar*, True -*.azevedomail.com*, True -*.azim-ahmad.my*, True -*.azim.my*, True -*.azimutvlg.ru*, True -*.azine.com.ar*, True -*.azio.info*, True -*.aziz.sh*, True -*.azkamanagement.com*, True -*.az-kz.ru*, True -*.azman.my*, True -*.azmatwelfare.com.pk*, True -*.azmigallery.in*, True -*.azmoons.com*, True -*.azmoons.ir*, True -*.azoebs.com*, True -*.azone.com.au*, True -*.azorescraft.com*, True -*.azoteasur.com*, True -*.azoth.com.au*, True -*.azovschool13.ru*, True -*.azovschool1.ru*, True -*.azovsea.su*, True -*.azov-sportschool2.ru*, True -*.a-zpath.com*, True -*.azrack.com*, True -*.a-zreinigungsdienst.ch*, True -*.azrhost.com*, True -*.azri.my*, True -*.azroadrunners.net*, True -*.azswfirearmstraining.com*, True -*.aztektec.com.mx*, True -*.aztelephony.com*, True -*.azt.mobi*, True -*.azulinformatica.es*, True -*.azurconstrucciones.com*, True -*.azurecube.org*, True -*.azuretubesporn.pw*, True -*.azusaa.com*, True -*.azuza.web.id*, True -*.azwqa.org*, True -*.azxp.net*, True -*.azzahrashop.com*, True -*.azzaronecostruzioni.it*, True -*.azzat.net*, True -*.azzreth.tk*, True -*.b00m.ga*, True -*.b0bcat.org*, True -*.b-0.info*, True -*.b0n0.com*, True -*.b0x.net*, True -*.b12.ro*, True -*.b1ghomer.com*, True -*.b2bmeetings.biz*, True -*.b2borg.ru*, True -*.b2directory.com*, True -*.b2go.ru*, True -*.b2phonetienda.es*, True -*.b33r.us*, True -*.b33ty.com*, True -*.b3l.net*, True -*.b3on.net*, True -*.b3rn3d.com*, True -*.b47bar.ch*, True -*.b4bconsulting.net*, True -*.b4g.org*, True -*.b4host.org*, True -*.b4ka.com.ar*, True -*.b4.my*, True -*.b4s3.de*, True -*.b4s.me*, True -*.b6u.com*, True -*.b7thailand.com*, True -*.ba00.ir*, True -*.baannoklpn.com*, True -*.baba33.com*, True -*.babacos.ch*, True -*.babadook.ru*, True -*.babakfarahani.com*, True -*.babakiss.com*, True -*.babamgr.com*, True -*.babara.ru*, True -*.babarka.ru*, True -*.babasgrappa.com*, True -*.babcom.co.za*, True -*.babeckichaussures.ch*, True -*.babedreamshop.com*, True -*.babelinformatica.es*, True -*.babelrouter.com*, True -*.babes-bolyai.eu*, True -*.babes-bolyai.info*, True -*.babiesclothes.eu*, True -*.babinszki.ca*, True -*.babkin.net*, True -*.babyaqua.ch*, True -*.babybabybabybabybaby.com*, True -*.babybon.com*, True -*.babybonus.com.au*, True -*.babycakecouture.com*, True -*.babychangestation.com.au*, True -*.babyclub38.ru*, True -*.babydressupgame.org*, True -*.babykha.com*, True -*.babylandbb.com*, True -*.babylux.ro*, True -*.babymiracles.com*, True -*.baby-mo.hk*, True -*.babymo.hk*, True -*.babyoid.com*, True -*.babypacks.cl*, True -*.babypanda.si*, True -*.babyparkings.com*, True -*.babyparty.ro*, True -*.babyphoto.hk*, True -*.babypos.hk*, True -*.babyshki.ru*, True -*.babysittercircle.co.uk*, True -*.babysteps.cl*, True -*.babystore.sg*, True -*.babytoysindo.com*, True -*.babytravelbag.com.my*, True -*.babytrike.ro*, True -*.babyyevuan.co.il*, True -*.babyyoga.com.br*, True -*.bacanopolis.cl*, True -*.bacaulcultural.ro*, True -*.bacchi.org*, True -*.bacek.com*, True -*.bachataroom.com*, True -*.bacheburger.ch*, True -*.bachmanski.ch*, True -*.bachmato.com*, True -*.bachner.biz*, True -*.back2basics-faucets.com*, True -*.back2dance.com.br*, True -*.back2gaming.ga*, True -*.backanacra.net*, True -*.backapp.cl*, True -*.backbone.hk*, True -*.backcontrol.com.ar*, True -*.backdoored.net*, True -*.backfromhellclub.co.uk*, True -*.backgarden.net*, True -*.backinharmony.com.au*, True -*.backlight-photography.com.ve*, True -*.backlight.pt*, True -*.backlinks.ml*, True -*.backnet.co.uk*, True -*.backpackers-hostel.ch*, True -*.backpacktoosmall.net*, True -*.backpaintedglass.co.uk*, True -*.backquack.net*, True -*.backriverphotography.com*, True -*.backsater.se*, True -*.backslash-home.co.uk*, True -*.backstagegroup.fi*, True -*.backtothepunk.com.ar*, True -*.backup-dns.co.za*, True -*.back-web.com*, True -*.bacnfun.tk*, True -*.bacobistro.cl*, True -*.baco.com.ar*, True -*.ba.com.ar*, True -*.bacon.cat*, True -*.bacon.com.ar*, True -*.baconconsult.de*, True -*.bacondemayo.com*, True -*.baconflaps.co.uk*, True -*.baconlon.in*, True -*.baconmingle.org*, True -*.bacox.com.ar*, True -*.bacsitamly.org*, True -*.bactolab.ch*, True -*.badabrasil.com.br*, True -*.badaconcert.com*, True -*.badanai.com.br*, True -*.badangacity.ru*, True -*.badas.cf*, True -*.badauyeu.com*, True -*.badbadleroybrown.net*, True -*.badbag.net*, True -*.badbood.com*, True -*.badboy.in*, True -*.badboy.so*, True -*.badcereal.com.br*, True -*.baddcafe.com*, True -*.badd.ninja*, True -*.badell.com*, True -*.badeni.ro*, True -*.baden.ru*, True -*.badfriend.org*, True -*.badfund.org*, True -*.badgenumber.com*, True -*.badgeralumni.com*, True -*.badger.cl*, True -*.badgerdash.tk*, True -*.badgerland.eu*, True -*.badiane.com*, True -*.badila.ro*, True -*.badkittyranch.com*, True -*.badlands.eu*, True -*.badlymistaken.ca*, True -*.badmash.si*, True -*.badminton-orleans.org*, True -*.bad.mn*, True -*.badmoodcomedy.com*, True -*.badrag.net*, True -*.badri.name*, True -*.badrobot.ch*, True -*.badrodent.com*, True -*.badroundt-inc.com*, True -*.bad-s.com*, True -*.badspelr.com*, True -*.badthings.co.uk*, True -*.badtiara.com*, True -*.badulaque.com.br*, True -*.badulescu.ro*, True -*.badwolfpcrepair.com*, True -*.bae.com.ar*, True -*.baehlerdentiste.ch*, True -*.baentje.be*, True -*.baerg.ca*, True -*.baeru.ch*, True -*.bae.tw*, True -*.baez.cl*, True -*.bafb101a.ga*, True -*.bafc.co.za*, True -*.baffleck.co.uk*, True -*.bafh.ch*, True -*.bafly.ir*, True -*.bagabin.com.au*, True -*.bagadata.com*, True -*.bagaoisan.com*, True -*.bagaswastuwiratama.com*, True -*.bagbackpack.com*, True -*.bage.ch*, True -*.bagelbyheart.com*, True -*.bagels.com.ar*, True -*.baggom.com*, True -*.bagheadinc.net*, True -*.bagifoto.com*, True -*.bagisodlarna.se*, True -*.bagiyanto.com*, True -*.baglung.tk*, True -*.bagmarbauxite.com*, True -*.bagol.ninja*, True -*.bagong.cf*, True -*.bag-online.com*, True -*.bagos.ro*, True -*.bagsandcuties.com.ar*, True -*.bagshop.hk*, True -*.bagslimited.com*, True -*.bag-technical.com*, True -*.bagua.ir*, True -*.bagusonline.web.id*, True -*.bagus.org*, True -*.bagusprint.com*, True -*.bagustransport.co.id*, True -*.baha14.com*, True -*.bahanbangunanmurah7.com*, True -*.bahan.ml*, True -*.bahanpembersihkimia.com*, True -*.bahar.co.il*, True -*.bahek.ru*, True -*.bahiacompu.com.ar*, True -*.bahialub.com.br*, True -*.bahnsinniges.ch*, True -*.bahosss.ru*, True -*.bahramshop.ir*, True -*.bahsecu.com*, True -*.baiburin.com*, True -*.baiertal.net*, True -*.baies-herelier.com*, True -*.baies-herlier.com*, True -*.baieti.cf*, True -*.baikabibai.com*, True -*.baikalipoteka.ru*, True -*.bailesarate.eu*, True -*.bailesti-cultural.ro*, True -*.bailesti.ro*, True -*.baileyhayes.info*, True -*.baileypaving.com*, True -*.bailynhelmet.org*, True -*.baiplus.net*, True -*.bairesing.com.ar*, True -*.bairrodapaz.com.br*, True -*.baistefilachicago.org*, True -*.bait-solutions.com.ar*, True -*.baitullahbarakah.com*, True -*.baitusrohmah.com*, True -*.baixargospel.org*, True -*.baixarmusicasmp3gratis.org*, True -*.baixarsofunk.org*, True -*.baixarsomusica.org*, True -*.baixarsosertanejo.org*, True -*.baizu.tw*, True -*.bajababysitting.com*, True -*.bajagemilangsemesta.com*, True -*.bajaj.or.id*, True -*.bajalibu.com*, True -*.bajanusantara.com*, True -*.bajickraljluka.tk*, True -*.bajingan-internet.tk*, True -*.bajotto.com.br*, True -*.bajubersih.com*, True -*.baju.co.id*, True -*.bajuku.asia*, True -*.bajumuslimyolenta.com*, True -*.bak7.net*, True -*.bakablog.net*, True -*.bakanopolis.cl*, True -*.bakaotakun.com*, True -*.bakasubs.ml*, True -*.bakeandroll.ru*, True -*.bakelsargentina.com.ar*, True -*.bakenrollcafe.ru*, True -*.bake-n-roll.com*, True -*.bakerandcookco.com*, True -*.baker-av.com*, True -*.bakerhouse01.com*, True -*.baker-infomatics.com*, True -*.bakerlake.org*, True -*.bakermailbox.com*, True -*.bakerpr.com.au*, True -*.bakerstreet221b.com*, True -*.bakerstreet.cl*, True -*.bakerview.net*, True -*.bakerweb.biz*, True -*.bakkali.co.uk*, True -*.bakker.co.za*, True -*.bakkeskaug.com*, True -*.bakkintranslations.com*, True -*.bakkoda.com*, True -*.bakli.ru*, True -*.bakolan.com*, True -*.bakrie-energy.com*, True -*.bakrie-petroleum.com*, True -*.bakriepetroleum.com*, True -*.baksmaten.nl*, True -*.baksterdevelopment.ru*, True -*.baktisarwendi.com*, True -*.balaban.rs*, True -*.balacoca.com*, True -*.baladelicia.com.br*, True -*.balad.tk*, True -*.balafc.net*, True -*.balairingindatabase.my*, True -*.balamsoftware.mx*, True -*.balancemanagement.com.au*, True -*.balanceodinamico.mx*, True -*.balansoare-bebelusi.ro*, True -*.balansoare-copii.ro*, True -*.balansvital.cl*, True -*.balatascabal.cl*, True -*.balavec.com*, True -*.balavec.net*, True -*.balcaodeimoveis.com*, True -*.baldacchino.net*, True -*.baldequin.com.ar*, True -*.baldgoat.com*, True -*.baldissera.com.ar*, True -*.baldocchifamily.com*, True -*.baldwingroup.biz*, True -*.baldwingroup.com*, True -*.baldwingroup.info*, True -*.balefire.com*, True -*.baleine.tk*, True -*.baleka.org*, True -*.balet-dubna.ru*, True -*.balforntower.tk*, True -*.balfrato.ml*, True -*.balhe.hu*, True -*.balibigdeal.com*, True -*.bali-camp.ml*, True -*.balidriverpro.com*, True -*.balifamily.net*, True -*.baligar.com*, True -*.balihost.net*, True -*.balikesirhurdacilik.com*, True -*.balikesirsunaygeridonusum.com*, True -*.balinks.com*, True -*.balixpescados.com.br*, True -*.balkan-construct.be*, True -*.balkan-media.ro*, True -*.balkhuplaza.com.np*, True -*.balkindustries.com*, True -*.ballapanzio.ro*, True -*.ballarentals.com*, True -*.ball.com.au*, True -*.ballester.com.ar*, True -*.ballestyplumbing.com.au*, True -*.ballistech.com.au*, True -*.ballisticsolution.com*, True -*.ballium.co.uk*, True -*.ballotbuddy.co.uk*, True -*.balloteducation.org*, True -*.ballouhome.com*, True -*.ballpits.com.au*, True -*.ballstateoffcampus.com*, True -*.ballstudio.tk*, True -*.balmaceda.com.ar*, True -*.balmey.cl*, True -*.balneologietransilvania.ro*, True -*.baloditis.lv*, True -*.balonase.ro*, True -*.balon-gate.com*, True -*.balserv.ru*, True -*.bal-tazaar.be*, True -*.balteradesign.com*, True -*.baltica.su*, True -*.balticexperts.eu*, True -*.balticlee.eu*, True -*.baltijalv.lv*, True -*.baltikauto.lv*, True -*.baltimorefellowship.org*, True -*.baltimore-investors.com*, True -*.baltmd.ru*, True -*.baltmetcompany.ru*, True -*.baltzoglou.eu*, True -*.balzamnapery.sk*, True -*.balzamynapery.sk*, True -*.bamabooks.com*, True -*.bamapos.com*, True -*.bamastuff.com*, True -*.bamatair.com*, True -*.bamatheatre.com*, True -*.bambangwibisono.com*, True -*.bambiconstrucciones.com.ar*, True -*.bambiconstructora.com.ar*, True -*.bambiniinfantwear.com*, True -*.bambinilayette.com*, True -*.bambooster.ru*, True -*.bambuhanamakmur.or.id*, True -*.bamdevpokhrel.com.np*, True -*.bamfminecraft.us*, True -*.bamgi.co.kr*, True -*.bamgi.com*, True -*.bamgi.net*, True -*.bamki.co.kr*, True -*.bam.vn*, True -*.banabanana.cl*, True -*.banamayi.org*, True -*.bananaball.org*, True -*.bananaberry.de*, True -*.bananko.cf*, True -*.banasios.gr*, True -*.banaspati.net*, True -*.bancaromaneasca.ro*, True -*.bancata.ro*, True -*.bancidinromania.ro*, True -*.banciinromania.ro*, True -*.banciromanesti.ro*, True -*.bancnikredit.si*, True -*.bancserve.biz*, True -*.bancserve.com*, True -*.bancserve.info*, True -*.bancserve.net*, True -*.bancserve.org*, True -*.bancurinoi.eu*, True -*.banda-de-alergat.ro*, True -*.bandaidglue.com*, True -*.bandalosplebes.com.mx*, True -*.bandarcapsa.com*, True -*.bandarstiker.com*, True -*.bandavillargordo.com*, True -*.b-and-b.hk*, True -*.bandb.hk*, True -*.band-dekaap.nl*, True -*.bandftechnologies.com*, True -*.bandheist.com*, True -*.bandh.ru*, True -*.bandido.ch*, True -*.bandobras.com*, True -*.bandobrothers.net*, True -*.bandohotel.co.uk*, True -*.bandsindustries.ru*, True -*.bandungcctv.co*, True -*.bandungcity.net*, True -*.bandungcyberhacking.net*, True -*.bandungphotobooth.com*, True -*.bandungtech.com*, True -*.bandungtour.com*, True -*.bandweite.de*, True -*.bandyveien.no*, True -*.banesh.ca*, True -*.bang2020.com*, True -*.bangalorepublicschool.in*, True -*.bang-ambu.com*, True -*.bangbanggeng.com*, True -*.bangbaoantoan.com*, True -*.bangcan.asia*, True -*.bang.cl*, True -*.bang-dayat.me*, True -*.bangewin.web.id*, True -*.banghers.com*, True -*.bangigor.tk*, True -*.bangitrainingcenter.com*, True -*.bangkeo24h.com.vn*, True -*.bangkeogiaynham.com*, True -*.bangkokcabin.com*, True -*.banglarkotha.net*, True -*.banglong.web.id*, True -*.bangmanalu.com*, True -*.bangsat-la.uk*, True -*.bangsawancyberindo.co.id*, True -*.bangunanmajujaya.com*, True -*.bangun.org*, True -*.bangunpapanselaras.com*, True -*.bangzoel.com*, True -*.banheirodemeninas.com.br*, True -*.baniotopoulou.eu*, True -*.bani-pe-net.tk*, True -*.baniperpost.ro*, True -*.banivirtuali.ro*, True -*.banjarband.com*, True -*.banjarlinux.com*, True -*.banjaxed.be*, True -*.bankruptcyrepresentation.com*, True -*.bankstownbaptist.org.au*, True -*.bannannaise.com*, True -*.bannedcampforum.org*, True -*.bannerten.com*, True -*.banorg.tk*, True -*.banpot.cz*, True -*.bansa27.com*, True -*.bansaj.com.np*, True -*.bansheeband.com*, True -*.bansheerocks.com*, True -*.banta79.com*, True -*.bantal-kesehatan.com*, True -*.bantechno.com*, True -*.banthaisushibar.com*, True -*.bantling.me*, True -*.bantown.com*, True -*.bany08.tk*, True -*.banyumas.ga*, True -*.baobaobeibei.tk*, True -*.baobaohuahua.tk*, True -*.baovethitcho.com*, True -*.bapakku.fm*, True -*.bapat.in*, True -*.bapat.org*, True -*.bapu.fi*, True -*.baqualitas.mobi*, True -*.baqualitas.org.uk*, True -*.baqualitas-property.co.uk*, True -*.baqualitas-property.org.uk*, True -*.baqualitas-rentals.co.uk*, True -*.baqualitas-rentals.org.uk*, True -*.barabanov.net*, True -*.barabasfarms.com*, True -*.barabon.org*, True -*.baraborneo.com*, True -*.barackobamaalienhunter.com*, True -*.barakaldovg.com.ar*, True -*.baraldi.ch*, True -*.barangplastik.com*, True -*.baraque.com.au*, True -*.baratasilva.com.br*, True -*.baratillo.com.ve*, True -*.barba2.com.ar*, True -*.barbaforte.org*, True -*.barbaradrausal.com.ar*, True -*.barbarafield.com*, True -*.barbarajunge.cl*, True -*.barbarardiles.cl*, True -*.barbararojasayala.com*, True -*.barbaria.tk*, True -*.barba.ro*, True -*.barbaste.com.ar*, True -*.barbatlacratita.ro*, True -*.barbato.ca*, True -*.barbayani.com.ar*, True -*.barbedwiretightrope.com*, True -*.barbequelords.com*, True -*.barbicanworld.com*, True -*.barbievelez.com*, True -*.barbitch.ch*, True -*.barbmorrison.com*, True -*.barbon.ca*, True -*.barcampnea.com.ar*, True -*.barcanquimicasrl.com.ar*, True -*.barcelo.com.br*, True -*.barcelonagsb.com*, True -*.barcentury.com.au*, True -*.barcewicz.com*, True -*.barclaywalsh.com*, True -*.bar-code.com.ar*, True -*.barcodedatabase.co.uk*, True -*.bar-codelabels.in*, True -*.barcodellitoral.com.ar*, True -*.barcombe.net*, True -*.barcosdellitoral.com.ar*, True -*.bardahlindustrial.com*, True -*.bardahlindustrial.ru*, True -*.bardahl-moto.com*, True -*.bardahlmoto.ru*, True -*.bardahl-truck.com*, True -*.bardahl-truck.ru*, True -*.bardanelerouge.ch*, True -*.bardeisardi.tk*, True -*.bardenprint.com*, True -*.barebyte.com*, True -*.barefoothoss.com*, True -*.barefootlive.org*, True -*.barein.ch*, True -*.barelangtour.com*, True -*.barellagirl.com*, True -*.barenghi.com.ar*, True -*.bareportbagaj.ro*, True -*.baretransversaleauto.ro*, True -*.bargainhunt.co.nz*, True -*.bargainhunt.nz*, True -*.bargainpcs.com.au*, True -*.barge-online.com*, True -*.barhousefarm.co.uk*, True -*.bariatti.com*, True -*.baridon.com.ar*, True -*.barilocheeventos.com*, True -*.barilochelibre.com.ar*, True -*.barinovy.ru*, True -*.bariografica.com*, True -*.barister.co.za*, True -*.bariyerservis.org*, True -*.bariyersistemi.org*, True -*.barjacked.com*, True -*.b-ark.ca*, True -*.barklinch.ru*, True -*.barklly.net*, True -*.barkowsky.ru*, True -*.barkpark.com*, True -*.barloworldused.co.za*, True -*.barmans.com.ar*, True -*.barmazg-p.ch*, True -*.bar-mitzvah-favors.com*, True -*.barnensbokblogg.eu*, True -*.barnes-fitch.com*, True -*.barnett.id.au*, True -*.barnett.nom.za*, True -*.barney.ro*, True -*.barneysaurous.net*, True -*.barnhorst.info*, True -*.barnhorst.me*, True -*.barnhorst.org*, True -*.barnhorst.us*, True -*.bar-nikuy.co.il*, True -*.barnowl.co.za*, True -*.barnred.com*, True -*.barnwell-vs-mays.com*, True -*.barokahrizki.com*, True -*.barometrix.cl*, True -*.baron34.com*, True -*.baroncelli.ch*, True -*.barongello.com.br*, True -*.barons.co.nz*, True -*.baroul-timis.ro*, True -*.barquense.pt*, True -*.barrabarra.com.br*, True -*.barracudafirewall.ca*, True -*.barrascout.tk*, True -*.barrasoft.com.br*, True -*.barratella.com*, True -*.barrelofmakers.org*, True -*.barretthillinsurance.com*, True -*.barrielloyd.com*, True -*.barriemcnaught.co.uk*, True -*.barringtonparkonline.com*, True -*.barrioelremanso.com.ar*, True -*.barriolaspalmas.cl*, True -*.barriosanjorge.com*, True -*.barrister.co.za*, True -*.barristers-at-law.hk*, True -*.barristersrestaurant.co.za*, True -*.barriteau.com*, True -*.barriteau.net*, True -*.barriteau.org*, True -*.barrosadvogados.adv.br*, True -*.barrosdelira.com.br*, True -*.barry-breen.net*, True -*.barrychoi.com*, True -*.barrymoutonproperties.co.za*, True -*.barrynguyen.com*, True -*.barrywilson.info*, True -*.barsan-co.ir*, True -*.barsati.com*, True -*.barsbey.com*, True -*.bartec.com.mx*, True -*.bartfai.hu*, True -*.barthini.ch*, True -*.bartholomeus.be*, True -*.bartoletti.com.ar*, True -*.bartos.net.au*, True -*.bartoszrostkowski.com*, True -*.bartozs.com*, True -*.bartvanbeurden.be*, True -*.bartzdrivingschool.com.au*, True -*.bartzmovie.com*, True -*.barunmom.net*, True -*.barupekan.net*, True -*.baruque.com.ar*, True -*.barve.biz*, True -*.barvennon.com*, True -*.barwonheadsosteopathy.com.au*, True -*.barwonheadspilates.com.au*, True -*.barycza.com*, True -*.baryon5.cf*, True -*.basakgurbuzderman.com*, True -*.basantajoshi.com.np*, True -*.bascalubuna.ro*, True -*.baschi.ch*, True -*.basculasacaraye.com.ar*, True -*.baseballtoaster.com*, True -*.basecamelectronics.com*, True -*.basecamelectronics.ru*, True -*.basecam.ru*, True -*.basecochise.org*, True -*.basedmusic.com*, True -*.baselinequartet.com*, True -*.basel-kieferorthopaedie.ch*, True -*.basem3nt.com*, True -*.basem3nt.com.au*, True -*.basementbox.com*, True -*.basenorte.cl*, True -*.baset.ir*, True -*.base-v.ch*, True -*.basewisdom.com*, True -*.bashintheface.us*, True -*.bashkatov.com*, True -*.bash.org.il*, True -*.bashrc.co*, True -*.bashtanka.ru*, True -*.basic-arc.co.il*, True -*.basiccomms.co.uk*, True -*.basicframes.com*, True -*.basicisp.co.za*, True -*.basicnetwork.ro*, True -*.basico.cl*, True -*.basics.pk*, True -*.basicstaples.com*, True -*.basicstaples.net*, True -*.basicstaples.org*, True -*.basicventure.com*, True -*.basikservers.com*, True -*.basildon.tk*, True -*.basita.co.id*, True -*.basitliginkirlikulturu.com*, True -*.basket-e.it*, True -*.basketmaster.tk*, True -*.basketyetigutierrez.com.ar*, True -*.baskinlawoffice.com*, True -*.baskinlawoffices.com*, True -*.basnetanil.com.np*, True -*.basorinformatica.es*, True -*.bassaka.ro*, True -*.bassar.co.il*, True -*.bass-bariton.ch*, True -*.bassbatts.com*, True -*.bassethoundsni.co.uk*, True -*.bassettsystems.net*, True -*.bassknockers.tk*, True -*.bassmentjacks.com*, True -*.bassmentjacks.co.uk*, True -*.bastard.hu*, True -*.basteiro.com.ar*, True -*.bastel.cl*, True -*.bastiaansen-agterberg.nl*, True -*.bastiaansen-ict.nl*, True -*.bastian16.tk*, True -*.bastidoresdainternet.com.br*, True -*.bastmetall.ru*, True -*.bastoscomputacion.com.ar*, True -*.bastus.ro*, True -*.basualdo.cl*, True -*.basutabi.com*, True -*.basvandenbosch.com*, True -*.basvandenbosch.info*, True -*.basvandenbosch.nl*, True -*.baswell.us*, True -*.basyenk.info*, True -*.basys.it*, True -*.bataapi.co.id*, True -*.batadase.com*, True -*.batak.be*, True -*.batakmanado.com*, True -*.batam.co.id*, True -*.batamcorp.com*, True -*.batamhacker.com*, True -*.batam.in*, True -*.batam.us*, True -*.bataringan-mjsa.com*, True -*.batasemenapi.com*, True -*.batataquente.org*, True -*.batbox.io*, True -*.bateman-web.com*, True -*.batepapo.mobi*, True -*.batercol.com*, True -*.bateriadejogos.com.br*, True -*.bateriafina.org*, True -*.baterias365.com.ar*, True -*.batguano.co.uk*, True -*.bathookmu.tk*, True -*.bathroomdesigsnideas.com*, True -*.bathroomright.co.uk*, True -*.bathwaterbooks.com.au*, True -*.bati-futur.ch*, True -*.batikraya.com*, True -*.batikweb.co*, True -*.batima.tk*, True -*.batin.la*, True -*.batista.si*, True -*.ba-tk.cf*, True -*.ba-tk.ga*, True -*.ba-tk.ml*, True -*.bato24.eu*, True -*.batoekang.com*, True -*.batoma.com.au*, True -*.baton4ik.ru*, True -*.batrun.co.za*, True -*.batshevabernstein.com*, True -*.batslug.com*, True -*.batteries.cf*, True -*.batteriesevent.com*, True -*.batterydoctorsnd.com*, True -*.batterystatistics.com*, True -*.battilanasrl.it*, True -*.battistella.com.br*, True -*.battlecore.ru*, True -*.battlefury.us*, True -*.battlegroupbuilder.com*, True -*.battle-of-univers.tk*, True -*.battle-pigs.com*, True -*.battlestickers.com*, True -*.battlestickerz.com*, True -*.battletubeporn.pw*, True -*.battstat.com*, True -*.battu.cc*, True -*.batuapijarefu.com*, True -*.batuapimedan.com*, True -*.batukalimaya-banten.com*, True -*.batumnang.com*, True -*.batumuliacrystal.com*, True -*.batuvidio.tk*, True -*.batx.com*, True -*.batx.org*, True -*.batyuchok.com*, True -*.batzion.co.za*, True -*.baublebabes.com*, True -*.baubuddies.de*, True -*.bauchtanz-zentrum.ch*, True -*.bauerdev.biz*, True -*.bauerdirect.co.za*, True -*.bauer-land.ch*, True -*.bauernet.co.za*, True -*.bauersachs.ch*, True -*.bauersachs.com*, True -*.bauersachs.es*, True -*.bauersachs.name*, True -*.bauersachs.net*, True -*.bauersachs.org*, True -*.bauldefutbol.cl*, True -*.bauleitungen.ch*, True -*.baumax-feedback.at*, True -*.baumes.net*, True -*.baumi.kg*, True -*.bau-nitchy.com.ar*, True -*.bauntrb.ru*, True -*.bauplaene.info*, True -*.baupreis-vergleich.com*, True -*.baupreisvergleich.com*, True -*.baupreis-vergleiche.com*, True -*.baupreisvergleiche.com*, True -*.bau-scout.ch*, True -*.baus.ec*, True -*.bautto.com.br*, True -*.bavaria.name*, True -*.bawel.biz*, True -*.bawel.ga*, True -*.bawuk.net*, True -*.bax57.com*, True -*.bax87.com*, True -*.bax97.com*, True -*.baxiride.com*, True -*.baxpower.com*, True -*.baxterspace.com*, True -*.bayangan.net*, True -*.bayard.geek.nz*, True -*.bayareafreebookcoop.com*, True -*.bayareagalleries.info*, True -*.bayareagalleries.org*, True -*.bayar-tagihan.com*, True -*.baycityboxmods.com*, True -*.baycityradio.org*, True -*.baydodevelopment.ca*, True -*.bayerl.com.ar*, True -*.bayernclearwater.com*, True -*.baygonmozzzpopgame.com*, True -*.bayham-consulting.co.uk*, True -*.bayhawks.net*, True -*.bayi.ninja*, True -*.bayipazar.com*, True -*.baylan.gen.tr*, True -*.baymaritimes.com*, True -*.baymor.com*, True -*.baynetsolution.com*, True -*.bayram-journal.ru*, True -*.baystco.com*, True -*.baystreetmanagement.com*, True -*.baytaparket.co.il*, True -*.baytex.cl*, True -*.bayton.net*, True -*.bayton.org*, True -*.bayton.tk*, True -*.baytownrvparts.com*, True -*.bayu48.co*, True -*.bayusantoso.co.uk*, True -*.bayworld.net*, True -*.baza-academic.com*, True -*.bazarartelar.com*, True -*.bazarartelar.com.br*, True -*.bazarartelar.net*, True -*.bazarartelar.net.br*, True -*.bazarhadaf.com*, True -*.bazarlalezar.ir*, True -*.bazay.ir*, True -*.bazazvuka.com*, True -*.bazele-fotografiei.tk*, True -*.bazhenovfamily.ru*, True -*.bazilart.com*, True -*.bazw.com*, True -*.bazzawill.info*, True -*.bazz-club.co.il*, True -*.bazzle.us*, True -*.bb2688.com*, True -*.bb3hk.com*, True -*.bballandcomputers.com*, True -*.bballr.com*, True -*.bbapartment.hk*, True -*.bbatoy.com*, True -*.bbb-2015.com*, True -*.bbbs.ro*, True -*.bbbsss777.com*, True -*.bbca-66.be*, True -*.bbcheungchau.com*, True -*.bbcheungchau.hk*, True -*.bbcontadores.com.ve*, True -*.bbcpalace.com*, True -*.bbcraft.net*, True -*.bbdc.gq*, True -*.bbdthailand.com*, True -*.bbe-christine.be*, True -*.bbe-hk.com*, True -*.bbele.com*, True -*.bbes.lv*, True -*.bbf49.com*, True -*.bbf54.com*, True -*.bbf79.com*, True -*.bbf85.com*, True -*.bbfgaming.info*, True -*.bbflooringllc.com*, True -*.bbgirl.eu*, True -*.bb-harmonie.nl*, True -*.bbigo67.com*, True -*.bbilegacy.com*, True -*.bbip.tk*, True -*.bbiro.com*, True -*.bbisus.com*, True -*.bbkbs.com*, True -*.bbmartinproperties.com*, True -*.bbmontagesarl.ch*, True -*.bbms.net*, True -*.bbmsportpicture.com*, True -*.bbn23.com*, True -*.bbn36.com*, True -*.bbn56.com*, True -*.bbn77.com*, True -*.bbn86.com*, True -*.bbnation.ro*, True -*.bbobbi-decor.ro*, True -*.bbox.ml*, True -*.bboymachine.net*, True -*.bbprojekte.ch*, True -*.bbpw.ch*, True -*.bbq-357.com*, True -*.bbq3.net*, True -*.bbq-boys.com*, True -*.bbq.me.uk*, True -*.bbqunltd.com*, True -*.bbrabogados.cl*, True -*.bbr.co.za*, True -*.bbrussie.com*, True -*.bbs1122.com*, True -*.bbs-gay.ru*, True -*.bbs-home.net*, True -*.bbs.io*, True -*.bbsmarket.com*, True -*.bbtie.com*, True -*.b-bt.ru*, True -*.bbva.co.uk*, True -*.bbvhub.org*, True -*.bbx97.com*, True -*.bbxdevelopment.com*, True -*.bbxr.com*, True -*.bc2pc.com*, True -*.bc5.ca*, True -*.bcappraisals.ca*, True -*.bcarsu.tk*, True -*.bcast.ws*, True -*.bcbhelectronics.com*, True -*.bcb.ro*, True -*.bccd.com.ar*, True -*.bccoa.net*, True -*.bcdfx.com*, True -*.bcdy.tk*, True -*.bcfcu.net*, True -*.bc-fisheries.com*, True -*.bcgsistemas.com.ar*, True -*.bciassetreview.cl*, True -*.bc-incubator.com*, True -*.bc-ip.com.br*, True -*.bciwm.cl*, True -*.bcjiul.ro*, True -*.bck.gr*, True -*.bclib.org*, True -*.bcloud.com.ar*, True -*.bcmba.ca*, True -*.bcnetworksolutions.com*, True -*.bcnsonline.com*, True -*.bcntecnipc.cf*, True -*.bcnz.it*, True -*.bco.in*, True -*.bcolescreations.com*, True -*.bcos.ca*, True -*.bcpbforums.ca*, True -*.bcprime.ro*, True -*.bcpsychologist.org*, True -*.bcr666.net*, True -*.bc-sa.com.ar*, True -*.bcss.co.za*, True -*.bcvip.com*, True -*.bcwebcams.com*, True -*.bcyang.org*, True -*.bcyee.com*, True -*.bdblake.com*, True -*.bdbrokerdealer.com*, True -*.bdcafe24.ml*, True -*.bdceportal.com*, True -*.bdceportal.co.za*, True -*.bdchat.ga*, True -*.b-d-c-h-a-t.tk*, True -*.bdcom.cl*, True -*.bdcom.co.id*, True -*.bdc-team.org*, True -*.bddfrs.org.uk*, True -*.bdeuronews.com*, True -*.bdh.id.au*, True -*.bdonlinemoney.tk*, True -*.bdoproductions.com*, True -*.bdsm.com.ar*, True -*.bdsm-gay.ru*, True -*.bduchesne.com*, True -*.bdumitriu.ro*, True -*.bduo.com.ar*, True -*.bdxcgi.ga*, True -*.bdxxxtube.cf*, True -*.bdxxxtube.ga*, True -*.bdxxxtube.gq*, True -*.bdxxxtube.ml*, True -*.bdxxxtube.tk*, True -*.bdy-rsk.com*, True -*.be11south.net*, True -*.be5.ro*, True -*.beabout.org*, True -*.beabouttechnology.com*, True -*.beachbeds.net*, True -*.beachbodyt25.com*, True -*.beachchurch.org*, True -*.beachcom.org*, True -*.beach-front.co.za*, True -*.beachwaralaba.com*, True -*.beac.info*, True -*.beacon515l.net.au*, True -*.beaconjuice.com*, True -*.beaconllc.org*, True -*.bea.cx*, True -*.beadell.com.au*, True -*.beadgame.org*, True -*.beadmeplease.my*, True -*.beadsforboobies.com*, True -*.beaglenet.net*, True -*.beaglepups.org*, True -*.beales.cc*, True -*.bealestreetallstars.com*, True -*.beampro.hk*, True -*.beanrockstar.com*, True -*.beansbook.com*, True -*.beanscurry.net*, True -*.beans-n-titch.co.uk*, True -*.beapalma.cl*, True -*.bearcavalry.net*, True -*.bearclaws.net*, True -*.beardofsteele.com*, True -*.bear-dog.ca*, True -*.beardserver.com*, True -*.bearfacts.net*, True -*.bearhouse4.com*, True -*.bearingcrossreference.info*, True -*.bearingpoint.com.au*, True -*.bearlioncave.com*, True -*.bearman.me*, True -*.bearns.me*, True -*.bearsdenhakuba.com*, True -*.bearsthere.com*, True -*.beastcloud.com*, True -*.beastie.in*, True -*.beastlybadgers.com*, True -*.beastmc.cf*, True -*.beastrend.com*, True -*.beastsidecrew.ch*, True -*.beast.so*, True -*.beatboxx.ch*, True -*.beatgammit.com*, True -*.beatgloor.ch*, True -*.beatnskeet.com*, True -*.beatricedavid.com*, True -*.beatrice-frei.ch*, True -*.beatrix-aebischer.ch*, True -*.beatriznegrotto.com.ar*, True -*.beatsbyjones.com*, True -*.beatsbyjones.net*, True -*.beatsondemand.ch*, True -*.beatspixelscodelife.com*, True -*.beaulieufood.com*, True -*.beaumontmusic.com*, True -*.beaupre.info*, True -*.beaute-ange.ch*, True -*.beaute-astuces.com*, True -*.beaute-conseils.com*, True -*.beauteens.com.ar*, True -*.beautemori.com*, True -*.beautiful.im*, True -*.beautifullymundane.com*, True -*.beautifulsouth.net*, True -*.beauty321.com*, True -*.beautyadvisors.net*, True -*.beautyangel.com.au*, True -*.beautydiarykania.com*, True -*.beauty.fm*, True -*.beauty.md*, True -*.beautymy.net*, True -*.beautyremix.com*, True -*.beautyskin100.com*, True -*.beautyskincareface.com*, True -*.beautystar-richli.ch*, True -*.beavercreekny.info*, True -*.beaverscarpentry.com*, True -*.bebeautiful.cf*, True -*.bebe-botez.ro*, True -*.bebebotez.ro*, True -*.bebecatalog.com*, True -*.bebecatalog.co.uk*, True -*.bebecatalog.ru*, True -*.bebekvedogumfotografcisi.com*, True -*.bebenita.com*, True -*.beberemates.cl*, True -*.bebeslindos.com.br*, True -*.bebesnic.com.ar*, True -*.bebidasgratis.com*, True -*.beb.tw*, True -*.bebucks.co.uk*, True -*.bec67.com*, True -*.bec78.com*, True -*.bec84.com*, True -*.becabeca.com*, True -*.beccagliamacchine.tk*, True -*.becciu.org*, True -*.beccuti.com.ar*, True -*.becheiraz-marche.ch*, True -*.becimagen.com.ar*, True -*.beckmannclan.com*, True -*.beck.sx*, True -*.becktransports.ch*, True -*.beckuhgen4all.com*, True -*.beckybooboo.co.uk*, True -*.beckyredmon.com*, True -*.beclear.cl*, True -*.beclicked.com*, True -*.becnel.net*, True -*.becomingistanbul.com*, True -*.becomingistanbul.net*, True -*.becomingistanbul.org*, True -*.becom.si*, True -*.becool-events.ro*, True -*.bec.or.id*, True -*.bective.co.uk*, True -*.bedbugs1234.info*, True -*.beddisongardendesigns.com*, True -*.bedi.ga*, True -*.bedi.gq*, True -*.bedjo.ml*, True -*.bednidhirijal.com.np*, True -*.bedocom.com.ar*, True -*.bedo.co.za*, True -*.bedre.lv*, True -*.bedrijfsrecht.net*, True -*.bedroommuseum.com*, True -*.bedwell.org*, True -*.bedzin.org*, True -*.bee101.co.za*, True -*.bee1.tk*, True -*.bee-advertising.ro*, True -*.beebotech.com.au*, True -*.beecloud.eu*, True -*.beecloud.info*, True -*.beecoders.com*, True -*.beecoders.info*, True -*.beeconjs.com*, True -*.beeeye.ca*, True -*.be-ef.com*, True -*.beefdata.co.nz*, True -*.beeffather.com*, True -*.bee-gogos.com*, True -*.beekerland.com*, True -*.beekerland.org*, True -*.beekerworld.com*, True -*.beekerworld.net*, True -*.beekerworld.org*, True -*.beeldbazen.com*, True -*.beeldbazen.nl*, True -*.beelook.com*, True -*.beemobileusa.com*, True -*.beenmissing.com*, True -*.been-missing.org*, True -*.beenmissing.org*, True -*.beenread.com*, True -*.beeon.tk*, True -*.beepainterscapetown.com*, True -*.beeptest.ro*, True -*.beerandrocks.net*, True -*.beerbellygrowlers.com*, True -*.beer-challenge.com*, True -*.beercity.co.za*, True -*.beercrazy.co.za*, True -*.beerfavorit.es*, True -*.beermag.co.za*, True -*.beerolympics.se*, True -*.beerporn.org*, True -*.beerprojects.com*, True -*.beersa.co.za*, True -*.beershop.co.za*, True -*.beerworld.co.za*, True -*.beesolutions.ro*, True -*.beespace.ru*, True -*.beesupplierdata.co.za*, True -*.beetlebung.com*, True -*.beetnskeet.com*, True -*.beety.nl*, True -*.befirst.pt*, True -*.befitannapolis.com*, True -*.beforebreakfastthemovie.com*, True -*.beforeidieiwant.to*, True -*.beforethemaincourse.com*, True -*.begachamberorchestra.org*, True -*.begal-motor.ninja*, True -*.begalmusik.com*, True -*.bege.ro*, True -*.begi-beri.ru*, True -*.begin-it.in*, True -*.begley.cx*, True -*.begroup.cc*, True -*.beguin.fm*, True -*.begundal.ga*, True -*.begu.ro*, True -*.behaturizm.com.tr*, True -*.behelmurah.com*, True -*.b-e-h-e-m-o-t-h.tk*, True -*.behindertemenschen.at*, True -*.behraaang.com*, True -*.behranlift.ir*, True -*.behvajeh.com*, True -*.beibeiliya.tk*, True -*.beidl.eu*, True -*.beiiiectba.ru*, True -*.beijingtimenow.com*, True -*.beilicciconsult.ro*, True -*.beilketech.com*, True -*.beimirdaheim.net*, True -*.beinbad.com*, True -*.beiraserravinhos.pt*, True -*.beirutcolorfestival.com*, True -*.beitechns.co.kr*, True -*.beitechns.com*, True -*.beiyongzhuye.com*, True -*.bejbe.biz*, True -*.bejcopuzeanu.ro*, True -*.bejoe.tk*, True -*.bejoythomas.com*, True -*.bekatul.info*, True -*.bekce.com*, True -*.bekciturkontrolsistemi.net*, True -*.bekhaus.com.br*, True -*.bekkeli.net*, True -*.bekman.com.br*, True -*.belabg.org*, True -*.bela.ga*, True -*.belairediner.net*, True -*.belaironbroadbeach.com.au*, True -*.belajarforexsimpro.com*, True -*.belajarjoomla.com*, True -*.belajarsendiri.web.id*, True -*.belajartekno.com*, True -*.belanja.gq*, True -*.belapet.co.za*, True -*.belas.me.uk*, True -*.belastingadviesbureau.eu*, True -*.belastingadviesburo.nl*, True -*.belaunde.cl*, True -*.belegadvies.com*, True -*.belekok.com*, True -*.belendelosandes.cl*, True -*.beley.org*, True -*.beleza.net.br*, True -*.belezera.com*, True -*.belezera.com.br*, True -*.belfastcomputerclinic.com*, True -*.belgarion.com*, True -*.belger.com.ar*, True -*.belgianrescuedogs.tk*, True -*.belgica.cl*, True -*.belgika.cl*, True -*.belgorigami.be*, True -*.belgras.com*, True -*.belgraveholdings.co.za*, True -*.belieberid.com*, True -*.belilokal.com*, True -*.belisima.gq*, True -*.belit-online.ir*, True -*.belitsky.info*, True -*.belitungtimurkab.go.id*, True -*.be-live.ro*, True -*.belive.ro*, True -*.belizebuilders.bz*, True -*.belizebuilders.com*, True -*.belizeprimeproperty.com*, True -*.bellaandme.co.za*, True -*.bellaboutique.ro*, True -*.belladonnadesigns.com.au*, True -*.bellagamba.net.ar*, True -*.bellagiolounge.ro*, True -*.bellamar.com.ar*, True -*.bellanissa.fr*, True -*.bellasaparts.cl*, True -*.bellasclown.com*, True -*.bellatori.co.uk*, True -*.bellbmc.com*, True -*.bellbuoychallenge.co.za*, True -*.bellcoatty.com*, True -*.bellcomo.info*, True -*.bellcoral.com*, True -*.belleandku.info*, True -*.bellemariaje.ro*, True -*.bellene.com.ar*, True -*.bellethebride.com*, True -*.bellies.ca*, True -*.bellinghamitservices.co.uk*, True -*.bellingroth.org*, True -*.bellisa.no*, True -*.belllapcycling.com*, True -*.bello.hk*, True -*.bellostante.ch*, True -*.bellot.it*, True -*.bellou.net*, True -*.belltext.com*, True -*.belluzz.net*, True -*.belluzz.tk*, True -*.bellywings.com*, True -*.belmankraul.com*, True -*.belmor.cl*, True -*.belokobylskiy.ru*, True -*.belopolsky.com*, True -*.belopolsky.ru*, True -*.beloqui.com.ar*, True -*.beloviedo.com.ar*, True -*.belpecel.com*, True -*.belray-consulting.com.au*, True -*.belrom.ro*, True -*.belshopconstrucao.com.br*, True -*.belsuono.ch*, True -*.beltconveyorjakarta.com*, True -*.beltfrog.com*, True -*.beltramino.net*, True -*.beltr.biz*, True -*.belviderekarate.com*, True -*.belwebservices.eu*, True -*.beminer.com*, True -*.bemocar.cl*, True -*.bemyfriend.ga*, True -*.benabood.com*, True -*.benadlington.biz*, True -*.benandann.com*, True -*.benandemily.org*, True -*.benandshelby.net*, True -*.benautomobile.com.br*, True -*.benbao.org*, True -*.benbau.com*, True -*.benbryson.com*, True -*.bencasper.com*, True -*.benchfx.com*, True -*.bench.si*, True -*.benchun.com*, True -*.benchwines.com*, True -*.benchworkforce.com.au*, True -*.benclarke.ca*, True -*.benclaussen.com*, True -*.bencris.ro*, True -*.ben-daglish.net*, True -*.benda.si*, True -*.bendemes.co.uk*, True -*.bendhotsat.ga*, True -*.bendiagon.com.ve*, True -*.bendinelli.com.ar*, True -*.bendita.cl*, True -*.bendorman.me*, True -*.bendotoke.tk*, True -*.bendotok.tk*, True -*.benedek.cl*, True -*.bene.gq*, True -*.benerju.ga*, True -*.benevolt.fi*, True -*.benext.com*, True -*.benga-spain.com*, True -*.bengkel-emputanjung.com*, True -*.bengkellaslistrikdantralis.com*, True -*.bengkelmarmer.com*, True -*.bengoza.com*, True -*.bengtsson.net*, True -*.benguira.info*, True -*.benguldan.com*, True -*.benguldan.net*, True -*.benguldan.org*, True -*.benhayman.com*, True -*.benh.cc*, True -*.benhelleman.com*, True -*.benhvienmat.tk*, True -*.benibuehler.ch*, True -*.benimdns.tk*, True -*.benin.co.za*, True -*.beningbening.ga*, True -*.beningle.tk*, True -*.beninzambia.com*, True -*.benisgay.co.uk*, True -*.benitez.ca*, True -*.benjaeby.ch*, True -*.benjaminboos.ch*, True -*.benjaminbustamante.com*, True -*.benjaminclaussen.com*, True -*.benjamin-fankhauser.ch*, True -*.benjaminguggisberg.ch*, True -*.benjamin.it*, True -*.benjaminmussi.com*, True -*.benjaminsproule.com*, True -*.benjidalton.com*, True -*.benjrubenstein.com*, True -*.benklett.tk*, True -*.benlaan.com*, True -*.benlab.com.ar*, True -*.benlux.cf*, True -*.benmcmullan.com*, True -*.benmintz.com*, True -*.benmook.com*, True -*.benmoore.mx*, True -*.ben-moshe.info*, True -*.benmpi.com*, True -*.benmussi.com*, True -*.bennedum.com*, True -*.bennedum.org*, True -*.benneprakeessa.com*, True -*.bennett-electric.com*, True -*.benney.info*, True -*.ben.ninja*, True -*.bennis.co.il*, True -*.bennyholmgren.com*, True -*.bennyistanto.com*, True -*.bennyp.net*, True -*.benoitdemoffarts.be*, True -*.benoitheroux.ca*, True -*.benorchard.com*, True -*.benoreilly.com*, True -*.benpaljlt.cl*, True -*.benreiss.com*, True -*.benrowland.net*, True -*.bensafety.com*, True -*.benselum.com.ar*, True -*.bensommer.com*, True -*.benson-family.net*, True -*.benspector.com*, True -*.bensproule.co.uk*, True -*.benssafetyglodok.com*, True -*.benstar.ro*, True -*.bensudano.com*, True -*.bentancour.com.ar*, True -*.bentcircuits.com*, True -*.bentelnet.com.br*, True -*.ben-teppiche.ch*, True -*.bentleyproduct.com*, True -*.bentonquest.com*, True -*.bentsquare.net*, True -*.bentug.org*, True -*.benvenutoguemes.com*, True -*.benwalther.net*, True -*.ben-wan.com*, True -*.benwight.com*, True -*.benzersanatci.com*, True -*.benz.la*, True -*.beoffline.ro*, True -*.beon.co.za*, True -*.beonehost.com*, True -*.beourguests.co.za*, True -*.bep.co.id*, True -*.bepoketprint.com*, True -*.bepon.cz*, True -*.beponklub.sk*, True -*.beponprenevesty.sk*, True -*.beponyexpres.sk*, True -*.bepreparedbeready.org*, True -*.bequem2.com.ar*, True -*.ber1.com*, True -*.berabbit.tk*, True -*.beralt.ru*, True -*.berandahosting.tk*, True -*.berandamustikaratu.com*, True -*.berasungguls.com*, True -*.berater-baum.de*, True -*.beraterbaum.de*, True -*.beratungshaus-uslar.de*, True -*.beraya.ru*, True -*.beray.com.br*, True -*.berazaluce.cl*, True -*.berbeque.ro*, True -*.berbulu.ga*, True -*.berdook.com*, True -*.bereadyinchawaii.com*, True -*.beregnungsanlage.ch*, True -*.bereme.ch*, True -*.beremotors.org*, True -*.beren.am*, True -*.berenberg.be*, True -*.ber-engineering.com*, True -*.beretta-mainardi-de.ch*, True -*.beretta-mainardi-it.ch*, True -*.berezka-lng.ru*, True -*.bergamont.ro*, True -*.bergbahnentschiertschen.ch*, True -*.berg.cl*, True -*.bergenstein.se*, True -*.bergenvpn.ml*, True -*.berger.com.ar*, True -*.bergerdynasty.com*, True -*.bergerundpfeiffer.de*, True -*.bergherz.ch*, True -*.berglund.bz*, True -*.berglund.mx*, True -*.bergoyang.tk*, True -*.bergstra.ca*, True -*.berharap.ml*, True -*.berhemb.us*, True -*.berichwithrb.ml*, True -*.ber-inc.com*, True -*.beringhs.ch*, True -*.beritahariann.org*, True -*.beritaindonesia.ga*, True -*.beritanesia.net*, True -*.beritangawi.info*, True -*.berjoget.tk*, True -*.berkahbif.com*, True -*.berkah-logam.co.id*, True -*.berkahmadani.co.id*, True -*.berkahsaranatenda.com*, True -*.berkana.com*, True -*.berkatsafety.net*, True -*.berkgenc.com*, True -*.berkmandeljc.net*, True -*.berksforobama.com*, True -*.berkshireservices.in*, True -*.berlagu.com*, True -*.berlando.me*, True -*.bermusik.co*, True -*.bernacotti.cl*, True -*.bernardbeuret.ch*, True -*.bernardifinancial.com*, True -*.bernarditakoch.com*, True -*.bernardmccormack.com*, True -*.bernardnader.com*, True -*.bernardoni.ch*, True -*.bernard-qualitas.com*, True -*.bernard-qualitas.co.uk*, True -*.bernard-qualitas.net*, True -*.bernard.zone*, True -*.bernea.ro*, True -*.berner-mandelbaer.ch*, True -*.berner-mandelbaerli.ch*, True -*.bernermandelbaerli.ch*, True -*.bernie8314.org*, True -*.berniehug.ch*, True -*.bernieryerson.com*, True -*.berninasouth.co.za*, True -*.bernina-southern-suburbs.co.za*, True -*.bernoldi.com.ar*, True -*.bernot.org*, True -*.bernshteyn.com*, True -*.bernspang.com*, True -*.bernstein.com.au*, True -*.bernstein.net.au*, True -*.berobero.com*, True -*.berrconsulting.mx*, True -*.berriolino.ch*, True -*.berrss.tk*, True -*.berry5.org*, True -*.berryfamily.id.au*, True -*.berry-jam.com*, True -*.berry-love.tk*, True -*.bersateel.com*, True -*.berserksoft.com*, True -*.bersinar.me*, True -*.bertdawg.com*, True -*.berter.com.ar*, True -*.berti-gioielli.it*, True -*.bertmillernatureclub.org*, True -*.bertoaldo.space*, True -*.bertocchismallgoods.com*, True -*.bertocchismallgoods.info*, True -*.bertocchismallgoods.net*, True -*.bertocchiveiculos.com.br*, True -*.bertolotti.org*, True -*.bertonioficial.com.br*, True -*.bertottiveiculos.com.br*, True -*.bertrandfragniereelectromenager.ch*, True -*.bertschyautomobiles.ch*, True -*.berubnet.com*, True -*.beruscaferreira.com*, True -*.besach.cl*, True -*.besafe.com.br*, True -*.beschwerdezentrum.at*, True -*.besederstore.com.ar*, True -*.besibajasurabaya.com*, True -*.besibetonbaja.com*, True -*.besibetonsurabaya.com*, True -*.besisurabaya.com*, True -*.besla.ch*, True -*.beslija.name*, True -*.besl.us*, True -*.besmaklab.ir*, True -*.besm.ch*, True -*.besmsa.ch*, True -*.be-social.ro*, True -*.besplatnno.ru*, True -*.bespokecomputersolutions.com*, True -*.bespokelawncare.co.uk*, True -*.bespokescapes.com.au*, True -*.bespooned.com*, True -*.bespooned.com.au*, True -*.besser.cl*, True -*.bessinsuranceagent.com*, True -*.besssoftware.net*, True -*.best159.com*, True -*.best2188.com*, True -*.best2388.com*, True -*.best2588.com*, True -*.best2688.com*, True -*.best2788.com*, True -*.best316.com*, True -*.best3188.com*, True -*.best3288.com*, True -*.best357.com*, True -*.best384.com*, True -*.best385.com*, True -*.best575.com*, True -*.best579.com*, True -*.best588.com*, True -*.best599.com*, True -*.best712.com*, True -*.best715.com*, True -*.bestactioncams.com*, True -*.best-adelaide-restaurant.com*, True -*.bestaluminumramps.com*, True -*.bestandwhy.com*, True -*.bestapps.gq*, True -*.bestattungen-muehlemann.ch*, True -*.bestbbqanywhere.com*, True -*.bestbefore.se*, True -*.bestbg.org*, True -*.bestbluetoothdeals.com*, True -*.bestboardhead.com.br*, True -*.best-board.ml*, True -*.bestbottlebrush.com*, True -*.bestbudgetguitar.com*, True -*.bestcabinvacation.com*, True -*.bestcabinvacations.com*, True -*.bestcantileverumbrella.info*, True -*.bestcars2015.co*, True -*.bestcarsprice.info*, True -*.bestcarss.info*, True -*.bestcarsusa.info*, True -*.bestcaving.com*, True -*.bestcellmobilespy.com*, True -*.be-st.ch*, True -*.best-chisinau.org*, True -*.bestcontrolpanel.com*, True -*.bestcp.com*, True -*.bestcrack.com*, True -*.bestcyte.com*, True -*.bestdisel.com*, True -*.bestdogz.com*, True -*.bestfather.com*, True -*.bestfinder.biz*, True -*.best-finder.net*, True -*.bestforever.com*, True -*.bestforextips.info*, True -*.bestforextradingsystems.info*, True -*.bestgardencarts.com*, True -*.bestgirls.ro*, True -*.besthub.ro*, True -*.bestinsurance-asia.com*, True -*.bestlittlehorsehouse.com*, True -*.bestlittlehorsehouseintexas.com*, True -*.best-loveletters.com*, True -*.bestmail.tk*, True -*.bestmakeupreview.com*, True -*.bestmines.tk*, True -*.bestmis.tw*, True -*.bestmother.com*, True -*.bestofbritishvideo.com*, True -*.bestofkalin.com*, True -*.bestoon.ir*, True -*.best-pharmacy365.com*, True -*.bestpodcastever.com*, True -*.bestprivacysystem.com*, True -*.bestproduct.tv*, True -*.bestreferaty.ru*, True -*.best-restaurant-adelaide.com*, True -*.best-safety.com*, True -*.bestseller.ro*, True -*.bestshells.ro*, True -*.best-skincare-product.com*, True -*.bestsoft.biz*, True -*.bestsrv.biz*, True -*.beststuffiown.com*, True -*.bestsupport.gr*, True -*.besttaxrefund.co.nz*, True -*.best-times.ru*, True -*.besttoday.ru*, True -*.besttoprsps.com*, True -*.best-tutor.com*, True -*.bestultragaming.net*, True -*.besturls.ru*, True -*.bestwatersoftener123.info*, True -*.bestwayhk.com*, True -*.bestway-toloseweight.com*, True -*.bestway-toremove.info*, True -*.bestwebhostingreview.net*, True -*.bestyclub.com.br*, True -*.bestyweb.com*, True -*.bet4trade.com*, True -*.beta-blockers.net*, True -*.betacentral.ca*, True -*.betagtenheimried.ch*, True -*.betakanz.gq*, True -*.betak.net*, True -*.betal.org*, True -*.betancort.es*, True -*.betanet.la*, True -*.betansoft.net.ve*, True -*.beta.org.ve*, True -*.beta-plast.ru*, True -*.betarho.net*, True -*.betaserv.tk*, True -*.betat.me*, True -*.betatunnel.net*, True -*.betaver.net*, True -*.betaworks.eu*, True -*.bet-bar.com*, True -*.betbeers.com*, True -*.betbv1946.com*, True -*.betcool.at*, True -*.betcool.es*, True -*.betcool.net*, True -*.betertech.com.ar*, True -*.betfrica.com*, True -*.bethabe.net*, True -*.bethada.tk*, True -*.bethan.co*, True -*.bethanywalsh.com*, True -*.bethebeauty.com*, True -*.bethisraelmedia.com*, True -*.bethlehem-village.com*, True -*.bethlehem-village.info*, True -*.bethlehem-village.net*, True -*.bethlehem-village.org*, True -*.bethybee.com*, True -*.betinaportolesi.com*, True -*.betliga88.com*, True -*.betomproduction.com*, True -*.betonbob.com*, True -*.betoncoin.com*, True -*.beton-g.com*, True -*.betr.co*, True -*.betsy.cc*, True -*.bettco.ro*, True -*.betterbusinessdecisions.co.uk*, True -*.bettercallcharles.com.ar*, True -*.betterchoice.com.pk*, True -*.betterdok.com.ar*, True -*.betteremailbraulio.com*, True -*.betterfactions.com*, True -*.betterkr.ga*, True -*.betterkr.tk*, True -*.betteronlinedatingsite.com*, True -*.better.pk*, True -*.bettershare.cn*, True -*.bettersolutions.in*, True -*.betterstyle.us*, True -*.bettertogether.org.au*, True -*.bettiebangs.com*, True -*.bettips.info*, True -*.bettykellermd.com*, True -*.bettysfashions.com*, True -*.betzabesomoza.cl*, True -*.beukenbos18.be*, True -*.beulahcreek.com*, True -*.beursspecialist.com*, True -*.beverageboys.com*, True -*.bevispublishing.hk*, True -*.bevsyarnshoppe.com*, True -*.bevza.ru*, True -*.bewerbungsservice.ch*, True -*.bewgroup.com.au*, True -*.bewgroup.net*, True -*.bexaco.com*, True -*.bex.cl*, True -*.bexi.ch*, True -*.bexonallomax.com*, True -*.bexon-allomax.co.uk*, True -*.bexonallomax.co.uk*, True -*.beyderpopov.com*, True -*.beyders.com*, True -*.beyelerbmi.ch*, True -*.beykohosting.net*, True -*.beyondaccessibility.net*, True -*.beyondaegis.com*, True -*.beyondandafter.ro*, True -*.beyondcreations.me*, True -*.beyond-eden.org*, True -*.beyondlyrics.com*, True -*.beyondtech.cl*, True -*.beytorroghayeh.ir*, True -*.bez-art.ru*, True -*.bezirksli.ga*, True -*.bezrukov.su*, True -*.bezuidenhout.net.za*, True -*.bezzapinki.ru*, True -*.bfbsystems.net*, True -*.bfdistribution.cl*, True -*.bfest.gr*, True -*.bffquilts.com*, True -*.b-fitnesscenter.com*, True -*.bfooding.com*, True -*.bfordham.org*, True -*.bfsfilmandtelevision.com*, True -*.bfu.co.za*, True -*.b-gaming.us*, True -*.bganov.com*, True -*.bga-servicios.cl*, True -*.bgazrt.ro*, True -*.bgcard.biz*, True -*.bgcasher.com*, True -*.bgcomputerconsulting.net*, True -*.bgcrew.org*, True -*.bgdsupport.com*, True -*.bge.cl*, True -*.bgg.cl*, True -*.bghosting.tk*, True -*.bginfo.tk*, True -*.bgordon.info*, True -*.bgpogrebenie.com*, True -*.bgpv.ch*, True -*.bgrnews.com*, True -*.bgrt.in*, True -*.bgspecialists.net*, True -*.bgvele.com*, True -*.bgx.ro*, True -*.bhadunk.ml*, True -*.bhagirathgiri.com.np*, True -*.bhandaribishal.com.np*, True -*.bhandaridinesh.com.np*, True -*.bhanjyangvillage.com.np*, True -*.bhansen.org*, True -*.bhariesshkumar.in*, True -*.bhattaraibishnu.com.np*, True -*.bhattaraichetan.com.np*, True -*.bhb.li*, True -*.bhc8.com*, True -*.bhcni.co.uk*, True -*.bhcni.org.uk*, True -*.bhcotax.com.au*, True -*.bhcxdfcbknjk.cf*, True -*.bheartworks.com*, True -*.bhelec.com.au*, True -*.bhenner.com*, True -*.bhienzs.tk*, True -*.bhms.com*, True -*.bhnets.com*, True -*.bhola.ga*, True -*.bhoowan.com.np*, True -*.bhosting4u.com*, True -*.bhpruebas.com*, True -*.bhs1980.org*, True -*.bhss.ru*, True -*.bhusal.com.np*, True -*.bh-white.com*, True -*.biaapa.in*, True -*.bialik.com*, True -*.bialkov.pl*, True -*.biam.es*, True -*.biancalanisa.com.ar*, True -*.bianchet.eu*, True -*.bianchetti.com.ar*, True -*.bianchiyasociados.com*, True -*.bianconigiuseppe.tk*, True -*.biangbola.com*, True -*.bianka.biz*, True -*.bianyisou.com*, True -*.biaspelangi.tk*, True -*.bia.tw*, True -*.bibeau.ca*, True -*.bi-beauty.com*, True -*.bibekadhikari.com.np*, True -*.bibekpoudyal.com.np*, True -*.bibekstha.com.np*, True -*.bibektimsina.com.np*, True -*.bibidaycare.us*, True -*.bibikasan.tk*, True -*.bibitayamsuper.com*, True -*.bibitunik.com*, True -*.biblebot.tk*, True -*.bible-club.co.za*, True -*.biblecommentaryforever.org*, True -*.bibleradio.org*, True -*.bibler.ch*, True -*.biblespb.ru*, True -*.biblezine.org*, True -*.biblioalmafuertesrc.com.ar*, True -*.bibliogam.cl*, True -*.bibliotecaarad.ro*, True -*.bibliotecasantosdumont.org*, True -*.bibliotecasmatogrosso.org*, True -*.bibliotekalomianki.pl*, True -*.bibloogle.com*, True -*.biblosconsulting.ru*, True -*.bibop.ch*, True -*.bibpol.ru*, True -*.bicc.org.za*, True -*.bichevina.ru*, True -*.bichobelo.com.br*, True -*.bichosbolitas.com.ar*, True -*.biciateab.com*, True -*.bicicleta-copii.ro*, True -*.bicicletaelectrica.cl*, True -*.bicicletamamasicopilul.ro*, True -*.bicicleta-pliabila.ro*, True -*.biciclete-bmx.ro*, True -*.biciliker.asia*, True -*.bicimotoecobike.com.ar*, True -*.biciperros.com*, True -*.biciperros.org*, True -*.bicivilidad.cl*, True -*.bickleypress.com*, True -*.bicovani.cz*, True -*.bictoncellars.com.au*, True -*.bicventas.com.mx*, True -*.bicventas.mx*, True -*.bicyclebrewerypa.com*, True -*.bicyclesonthemoon.info*, True -*.bidan64.com*, True -*.bidassistservices.com*, True -*.bidbuy.me*, True -*.bidcountry.com*, True -*.biddingtraveller.com*, True -*.bideksl.cf*, True -*.bideshbangla24.com*, True -*.bidhanpokharel.com.np*, True -*.bid.hk*, True -*.bidiscovery.com*, True -*.bids2build.com*, True -*.bid-thieves.com*, True -*.bidthieves.com*, True -*.bidurdevkota.com.np*, True -*.biedermann.ch*, True -*.biel-kleintransport.ch*, True -*.bieltorres.cat*, True -*.bienesraicesali.com*, True -*.bienestando.cl*, True -*.bienestarysalud.mx*, True -*.bien.se*, True -*.biensudaca.com.ar*, True -*.bier-chuchi.ch*, True -*.bierernst.at*, True -*.bieri.com.au*, True -*.bierlin.ru*, True -*.biertan.ro*, True -*.biesse.ro*, True -*.biexpert.com.br*, True -*.bif.co.za*, True -*.bifelbs.cf*, True -*.bifi.nz*, True -*.bifo.com.ar*, True -*.bifriendly.org*, True -*.bifrost.cl*, True -*.big-5.co.za*, True -*.bigants.com.au*, True -*.bigbadu.com.au*, True -*.bigbagbaggybag.co.uk*, True -*.big-bala.com*, True -*.bigballershotcaller.gq*, True -*.bigbass1997.com*, True -*.big-battery.com*, True -*.bigbattery.net*, True -*.bigbeauty.ch*, True -*.bigbeesteel.com*, True -*.bigbinsurance.com*, True -*.bigbirduk.co.uk*, True -*.bigblackcock.club*, True -*.bigbobsbbs.com*, True -*.bigbookoftraffic.com*, True -*.bigbox54.ru*, True -*.bigbox.info*, True -*.bigboys.ga*, True -*.bigbozz.org*, True -*.bigbq.com*, True -*.bigbrewing.co.uk*, True -*.bigbrotherdobrasil.com.br*, True -*.bigbucketcarwash.ca*, True -*.bigbucketcarwash.com*, True -*.bigbuttsmoker.us*, True -*.big-buy.com*, True -*.bigcarbon.info*, True -*.bigcloud.cf*, True -*.big-cloud.tk*, True -*.bigcraig.com*, True -*.bigcube.ro*, True -*.bigdatachile.cl*, True -*.bigdatatechnology.ru*, True -*.bigdavedev.com*, True -*.bigdik.tk*, True -*.bigdotbox.org*, True -*.bigearrecords.com*, True -*.bigelowsite.com*, True -*.bigfathooker.com*, True -*.bigfishbrother.co.uk*, True -*.bigfollow.org*, True -*.bigfuckingdope.com*, True -*.biggar.me*, True -*.biggeit.com*, True -*.bigger-bathrooms.co.uk*, True -*.biggestchat.co.uk*, True -*.bigge.us*, True -*.biggiesdowntown.com*, True -*.biggio.com.ar*, True -*.biggodzilla.com*, True -*.bigheadlabs.com*, True -*.bigheadpromo.com*, True -*.bigheadshrimp.org*, True -*.bigherdnet.com*, True -*.bighoki.org*, True -*.bigidea.hk*, True -*.bigideas.hk*, True -*.bigidea.web.id*, True -*.biginflables.com.ar*, True -*.bigio.tk*, True -*.bigiottino.tk*, True -*.bigjaco.com*, True -*.bigjungle.net*, True -*.bigkitchen.com.my*, True -*.biglibear.tk*, True -*.bigmaster.la*, True -*.bigmeanie.ca*, True -*.bignetfoz.com*, True -*.bignet.ro*, True -*.bignig.ga*, True -*.bignoisestew.ch*, True -*.bignottihnos.cl*, True -*.bigot.ca*, True -*.bigpaws.ch*, True -*.bigpet.co.il*, True -*.bigphatcars.com*, True -*.bigphim.net*, True -*.bigpineaviary.com*, True -*.bigredindians.com*, True -*.bigrocktechnologies.com*, True -*.bigsale.hk*, True -*.bigsales.hk*, True -*.bigscreensound.com*, True -*.bigsoda.net*, True -*.bigstepenergy.com*, True -*.bigstone.be*, True -*.bigstudentelections.co.uk*, True -*.bigstudentelections.org.uk*, True -*.bigtester.org*, True -*.bigtoniproductions.com*, True -*.bigtorrent.ro*, True -*.bigtoys4bigboys.ca*, True -*.bigtravel.ch*, True -*.bigtravel.nl*, True -*.biguatermaifrend.es*, True -*.bigwapsite.co.uk*, True -*.bigwebmail.com*, True -*.bigweld.ro*, True -*.bigwillie.info*, True -*.bigzachattack.com*, True -*.bihal.se*, True -*.bihlgroup.com*, True -*.bih-net.org*, True -*.bihun-jagung.com*, True -*.bijayacharya.com.np*, True -*.bijayakilla.com*, True -*.bijaykandel.com.np*, True -*.bijaykuikel.com.np*, True -*.bijaypant.com.np*, True -*.bijelestranice.hr*, True -*.bijlanis.com*, True -*.bijouxetfilles.ca*, True -*.bijouxpurelegance.com*, True -*.bijupet.ro*, True -*.bijuterii-shop.ro*, True -*.bijuteriishop.ro*, True -*.bikalpaartcenter.org*, True -*.bikashadhikari.com.np*, True -*.bikasharyal.com.np*, True -*.bikashpaudel.com.np*, True -*.bikashpoudel.com.np*, True -*.bikassapkota.com.np*, True -*.bikaugh.com*, True -*.bikee.sk*, True -*.bikehara.com*, True -*.bikeheaven.org*, True -*.bikeland-spb.ru*, True -*.bikeninja.com.br*, True -*.bikepartsaustralia.com.au*, True -*.bikergear.com*, True -*.bikerkatro.com*, True -*.bikerscommunity.eu*, True -*.bikeshedproductions.co.uk*, True -*.bikesmood.com*, True -*.bikestore.com.br*, True -*.biketag.me*, True -*.biketoss.com*, True -*.bikewyh.cf*, True -*.biki456.com*, True -*.biking24.eu*, True -*.bikingraymi.com*, True -*.bikinwebsite.com*, True -*.bikramadhikari.com.np*, True -*.bikrambasnet.com.np*, True -*.bilalbizz.com*, True -*.bilalfarm.com*, True -*.bilans.com*, True -*.bilanss.com*, True -*.bilanss.eu*, True -*.bilanss.info*, True -*.bilbordak.ir*, True -*.bildet.net*, True -*.bileklikcuzdan.com*, True -*.biletolovilka.ru*, True -*.bilet-online.ru*, True -*.bilevich.com*, True -*.bilge-bilisim.com*, True -*.bilge.web.tr*, True -*.biliblah.com*, True -*.bilii.ml*, True -*.bilimkeni.kg*, True -*.billblog.co.uk*, True -*.billboard-magazine.ru*, True -*.billboardneonbox.com*, True -*.billboxonline.com*, True -*.billcampbell.com*, True -*.billcobbler.com*, True -*.billets.tk*, True -*.billgus.com*, True -*.billhensley.com*, True -*.billiedesign.ca*, True -*.billionerror.net*, True -*.billjarrett.com*, True -*.billlearphotography.com*, True -*.billmads.com*, True -*.billmads.org*, True -*.billmckinnandassociates.com.au*, True -*.billmoss.com*, True -*.billox.com*, True -*.billreber.com*, True -*.billspheed.co.uk*, True -*.billsteinmetz.com*, True -*.billybarnes.org*, True -*.billygold.com.tr*, True -*.billyhickman.com*, True -*.billzhu.com*, True -*.billz-share.com*, True -*.bil-nasalab.com*, True -*.biloel.se*, True -*.bilt1st.com.au*, True -*.bilts.net*, True -*.bilwatosh.com*, True -*.bim100.com*, True -*.bim2u.com*, True -*.bim666.com*, True -*.bimacybernotes.net*, True -*.bimakab.go.id*, True -*.bimas.org*, True -*.bima-wirahadi.tk*, True -*.bimbam.li*, True -*.bimbinganbelajar.org*, True -*.bimbit.com*, True -*.bimbobox.info*, True -*.bimelectronic.ro*, True -*.bimodebi.co.id*, True -*.bimodebi.la*, True -*.bimtool.cl*, True -*.binaberkat.com*, True -*.binadinamikapotensia.com*, True -*.binakaryamandiri.net*, True -*.binakerta.or.id*, True -*.binarios.cl*, True -*.binarius.com.ar*, True -*.binaryden.net*, True -*.binaryeclipse.uk*, True -*.binary-elite.cf*, True -*.binaryelite.cf*, True -*.binary-elite.ga*, True -*.binaryelite.ga*, True -*.binary-elite.ml*, True -*.binaryelite.ml*, True -*.binary-elite.tk*, True -*.binaryelite.tk*, True -*.binary-front.com*, True -*.binaryfront.com*, True -*.binaryimg.com*, True -*.binarysense.ca*, True -*.binarystarfish.co.za*, True -*.binasentra.co.id*, True -*.bina.xyz*, True -*.binazirhaidari.com*, True -*.binbyz.com*, True -*.bin.bz*, True -*.binday.org*, True -*.binded.net*, True -*.bindermedical.com*, True -*.bindr4xz.tk*, True -*.bindwkill.com*, True -*.bindwkill.net*, True -*.bine.me*, True -*.bineshafzar.ir*, True -*.bingcredit.com*, True -*.binghan-gingseng.com*, True -*.bingo.si*, True -*.bingsin.com*, True -*.binhdinh.gq*, True -*.binhnguyen.cf*, True -*.binho.org*, True -*.binimail.com*, True -*.binkleychapel.net*, True -*.bin-login.name*, True -*.binmelsbroek.be*, True -*.binnorie.com.au*, True -*.bino1.co.il*, True -*.binodaryal.com.np*, True -*.binod.com.np*, True -*.binod.net.np*, True -*.binodonbangla.com*, True -*.binodpandey.com.np*, True -*.bintangcakra.com*, True -*.bintangchromindo.com*, True -*.bintang-laut.com*, True -*.bintangradio.com*, True -*.bintangtehnik.co.id*, True -*.bintaroshop.com*, True -*.b-interactive.hr*, True -*.binteresting.com*, True -*.bintzu.com*, True -*.binushacker.ml*, True -*.binyan-david.co.il*, True -*.bioaj.com*, True -*.bioanaliticasrl.com.ar*, True -*.bioanaliza.ro*, True -*.bioanimalcorp.com*, True -*.bioara.bg*, True -*.biobikebicicletas.com*, True -*.biobikebicicletas.com.br*, True -*.biobioabogados.cl*, True -*.biobiowi.com*, True -*.biobit.ro*, True -*.bioblitzgaming.ca*, True -*.biobot.info*, True -*.biocaminatascr.com*, True -*.bio-cell.net*, True -*.biochemahn.ro*, True -*.biochemromania.ro*, True -*.biocleantechnologiesinc.com*, True -*.bio-club.com.ar*, True -*.biocomputing-news.com*, True -*.biodata.ch*, True -*.biodivcluster.fi*, True -*.bio-east.com*, True -*.biofarmanet.com.ar*, True -*.biofertilizer.ru*, True -*.biogemuese.ch*, True -*.biogis.cl*, True -*.biogroupe.ch*, True -*.biogrow.com.au*, True -*.bioinfocus.com*, True -*.bioinformatics.se*, True -*.biojardin.be*, True -*.biokomputiko.de*, True -*.biokonsult.cl*, True -*.biolcati.com*, True -*.bio-lis.com*, True -*.biologiecnprsv.ro*, True -*.biologimu.web.id*, True -*.biomagnetismo.net.ve*, True -*.biomagnetismo.org.ve*, True -*.biomassivemusic.com*, True -*.biomati.ca*, True -*.biomed.com.ar*, True -*.biomedelynas.lt*, True -*.biometrics-news.com*, True -*.biometrika.cl*, True -*.biometrika.com.ar*, True -*.biometrika.pe*, True -*.biomost.fi*, True -*.bionanomat.ro*, True -*.bionet.co.za*, True -*.bionet.tw*, True -*.bionetworks.tk*, True -*.bionicles.hk*, True -*.bionicos.cl*, True -*.biopedia.info*, True -*.bioph.org*, True -*.biophotonics.com.au*, True -*.biopolaris.com*, True -*.bioprodus.ro*, True -*.biopunkmovies.net*, True -*.biorequiem.com*, True -*.bioresonanz-stucki.ch*, True -*.bioritm.ro*, True -*.bioromoil.ro*, True -*.bio-saftbar.ch*, True -*.biosaftbar.ch*, True -*.biosaftbars.ch*, True -*.biosano.cl*, True -*.bioskop12.com*, True -*.bioskop.mobi*, True -*.bioskopxxi.org*, True -*.biosprays.net*, True -*.biotas.tk*, True -*.biotechalarmes.tk*, True -*.biotechlead.com*, True -*.biotechterms.org*, True -*.bioterapiafacial.com.br*, True -*.bioterra-jdf.cl*, True -*.biotest.ws*, True -*.biotops.com*, True -*.biotracks.com.ar*, True -*.biotx.biz*, True -*.bioverse.bg*, True -*.biovitality.ro*, True -*.bipbot.com*, True -*.bipinojha.com.np*, True -*.bipolarandlovingit.com*, True -*.bipolarwear.com*, True -*.bippy.org*, True -*.biprost.ml*, True -*.biptonuri.com*, True -*.biq.si*, True -*.birax.co.uk*, True -*.birayetbiraciklama.com*, True -*.birchbay.tk*, True -*.birchfiel.com*, True -*.birch-foto.eu*, True -*.birco.com.ar*, True -*.birdbrook.org*, True -*.birdlingsbrook.com*, True -*.birdriver.org*, True -*.birdseyeviewpets.com*, True -*.birdsofnorthamerica.ca*, True -*.birenboim.com*, True -*.birladeanu.ro*, True -*.birner.name*, True -*.birogadget.com*, True -*.birokrasi.org*, True -*.birombilla.com.ar*, True -*.birouldecredite.ro*, True -*.biroumediatorgalati.ro*, True -*.birounotarialbistrita.ro*, True -*.birou-notar-public.ro*, True -*.birs-it.ch*, True -*.birtel.net*, True -*.birthcontroleffects.net*, True -*.birthdaymiguel.tk*, True -*.birthtransitions.com*, True -*.birusainju.com.np*, True -*.biryani.ch*, True -*.bis12.com*, True -*.bisanti.net*, True -*.bisber.com*, True -*.bischof-hufbeschlag.ch*, True -*.biscondola.ch*, True -*.biscotti-tapas.com*, True -*.biscu.ch*, True -*.bisericasalem.ro*, True -*.bisexu.al*, True -*.bishalcreations.tk*, True -*.bishalgautam.com.np*, True -*.bishnupokharel.com.np*, True -*.bishopallennews.com*, True -*.bishwasghale.com.np*, True -*.biside.com*, True -*.biskoto.gr*, True -*.biskutraya2u.my*, True -*.biskvi.net*, True -*.bisnisbersama.org*, True -*.bisnishebat.net*, True -*.bisoft.info*, True -*.bisoft.si*, True -*.bisonvodka.com*, True -*.bispage.net*, True -*.bispeduli.or.id*, True -*.biss.cl*, True -*.bisser-winiker.ch*, True -*.bistaumanga.com.np*, True -*.bistrivet.ro*, True -*.bistrodachapada.com.br*, True -*.bisyo.ml*, True -*.bit4.net*, True -*.bitabetonsabalan.com*, True -*.bitblast.com*, True -*.bitboss.ch*, True -*.bitcab.co.uk*, True -*.bitcalculus.com*, True -*.bitcannon.co.uk*, True -*.bitcashcoin.com*, True -*.bitcheslovedomainnames.com*, True -*.bitch-nig.ga*, True -*.bitchx.co*, True -*.bitchx.name*, True -*.bit-cloud.com*, True -*.bitcloudex.com*, True -*.bitcoinbay.com.au*, True -*.bitcoincapit.al*, True -*.bitcoincn.com*, True -*.bitcoindeals.sg*, True -*.bitcoinexchange.sg*, True -*.bitcoinhub.sg*, True -*.bitcoininvestment.co.za*, True -*.bitcoinmarkets.co.za*, True -*.bitcoinmarket.sg*, True -*.bitcoinremittance.sg*, True -*.bitcoin-sa.co.za*, True -*.bitcoin-southafrica.co.za*, True -*.bitcointrade.sg*, True -*.bitcoinuruguay.net*, True -*.bitcoinwallet.sg*, True -*.bi-t.com*, True -*.bitcom.cl*, True -*.bitconet.net*, True -*.bitcon.ro*, True -*.bitcorruption.com*, True -*.bitcraft.ch*, True -*.bitcrafters.com.br*, True -*.bite4bite.com*, True -*.bitead.com*, True -*.bitead.com.ar*, True -*.bitebackgermany.net*, True -*.bitemyshinymetalbbq.com*, True -*.bitengineersnas.co.uk*, True -*.bitentity.com*, True -*.bitermo.biz*, True -*.bitermo.me*, True -*.bitermomng.com*, True -*.bitermo.si*, True -*.biterror.tk*, True -*.bites.gr*, True -*.bitestop.com*, True -*.bitflip.net*, True -*.bitforbytes.net*, True -*.bitjug.com*, True -*.bitlegend.com*, True -*.bitlucid.com*, True -*.bitlynx.com*, True -*.bitmail.cc*, True -*.bit-mail.ga*, True -*.bitnarod.org*, True -*.bit-nibble-byte.com*, True -*.bitplus.ro*, True -*.bitrand.co.za*, True -*.bitscomputers.ca*, True -*.bitscream.tk*, True -*.bitsense.ro*, True -*.bitsenterprise.com*, True -*.bitshack.pl*, True -*.bitshares-charity.org*, True -*.bitship.tk*, True -*.bitside.ch*, True -*.bitsnbyte.com*, True -*.bitsol.com.ar*, True -*.bitspark.com.np*, True -*.bits-stl.com*, True -*.bitsvs.com*, True -*.bitterendofrosemary.com*, True -*.bittitle.com*, True -*.bittorrent.cf*, True -*.bittorrent.ro*, True -*.bittorrents.ro*, True -*.bittronia.cl*, True -*.bituven.com*, True -*.bitwander.com*, True -*.bitwisor.net*, True -*.bitwoods.com*, True -*.bitxbit.com.ar*, True -*.bitziness.com*, True -*.biuroaudytorskie.one.pl*, True -*.biurozet.pl*, True -*.bivalent.ro*, True -*.bivipsil.org*, True -*.bivman.com*, True -*.biwasbhattarai.com.np*, True -*.biworx.co.za*, True -*.bizartconsulting.com.ar*, True -*.bizavans.ru*, True -*.bizbiz.cl*, True -*.bizbooks.co.za*, True -*.bizclub.ir*, True -*.bizcom.com.ar*, True -*.bizconnect.info*, True -*.bizdesk.ca*, True -*.bizeebees.co.uk*, True -*.bizegate.gr*, True -*.biz-events.ro*, True -*.biz-id.com*, True -*.bizimpos.com*, True -*.bizinternet.my*, True -*.bizis.si*, True -*.bizlabs.net*, True -*.bizmoz.in*, True -*.bizpark.com.tr*, True -*.bizrooms.co.uk*, True -*.bizstrategy.cl*, True -*.biztalkapp.com*, True -*.biztalkportal.com*, True -*.biztech.ro*, True -*.biztec.info*, True -*.biztime.ro*, True -*.biz.tm*, True -*.biztositotu.hu*, True -*.biztube.co.za*, True -*.bizwiz.com*, True -*.bizzapp.com*, True -*.bizzberry.com*, True -*.bizzmark.biz*, True -*.bizzykiwi.com*, True -*.bj-90.com*, True -*.bja.co.id*, True -*.bj-bergrath.cf*, True -*.bj-bergrath.ga*, True -*.bj-bergrath.ml*, True -*.bj-bergrath.tk*, True -*.bjbk.org*, True -*.bjbsdk.org*, True -*.bjbs-ppob.co.id*, True -*.bjcmq.ca*, True -*.bjdtw.tk*, True -*.bjforce.com.br*, True -*.bjjarmy.com.br*, True -*.bjkventures.com*, True -*.bjmck.com.au*, True -*.bjornvold.com*, True -*.bjornvold.org*, True -*.bjournal.tk*, True -*.bjwanwang.com*, True -*.bk-2000.com*, True -*.bk35.ru*, True -*.bka69.com*, True -*.bka79.com*, True -*.bkangaroo.com*, True -*.bkat.eu*, True -*.bkfg.ru*, True -*.bkh-labs.com*, True -*.bkj-330.com*, True -*.bkkrishna.com.np*, True -*.bkkupload.com*, True -*.bklm.cl*, True -*.bklnsustainability.com*, True -*.bklynsustainability.com*, True -*.bkmusicarchive.com*, True -*.bkmusicarchive.net*, True -*.bkmusicarchive.org*, True -*.bkn42.com*, True -*.bkn53.com*, True -*.bkn82.com*, True -*.bkn99.com*, True -*.bknet.ch*, True -*.bkpsports.com*, True -*.bks.ca*, True -*.bks-chem.com*, True -*.bksentry.com*, True -*.bkst.cl*, True -*.bk-upiter.ru*, True -*.bkw.one.pl*, True -*.bl7.us*, True -*.blaastue.eu*, True -*.blaauwgeers.ninja*, True -*.blabida.com*, True -*.blabla.ro*, True -*.blablasvpn.tk*, True -*.blackadultsmeet.com*, True -*.blackalley.net*, True -*.blackandwhitedarkroom.com*, True -*.blackangusorlando.com*, True -*.blackantstudios.com*, True -*.blackaura.ca*, True -*.blackbeltmail.se*, True -*.black-bit.com*, True -*.black-bit.net*, True -*.blackbooth.com.au*, True -*.black-box.com.ar*, True -*.blackboxsss.com*, True -*.blackboxsystems.com.ar*, True -*.blackburnfc.com.au*, True -*.blackburnweather.com*, True -*.blackbush.net*, True -*.blackc0der.club*, True -*.blackc0der.info*, True -*.black-car.net*, True -*.blackcoder.net*, True -*.blackcurrantjam.ch*, True -*.blackdagger-airsoft.co.uk*, True -*.blackdiamondmemory.com*, True -*.blackducksurfboards.com.au*, True -*.blackearthproducts.co.za*, True -*.blackelephantantiques.com*, True -*.blacker.com.ar*, True -*.blackevil.de*, True -*.blackeyedangels.com*, True -*.blackeyedev.com*, True -*.blackfalds.ca*, True -*.blackfalds.com*, True -*.blackfaldsfire.com*, True -*.blackgate.tk*, True -*.blackgirlsband.com*, True -*.blackgromstudio.eu*, True -*.blackhack.eu*, True -*.blackhack.pro*, True -*.blackhat.cc*, True -*.blackhatcoders.com*, True -*.blackhatreaper.com*, True -*.blackheads.co*, True -*.blackhenge.com*, True -*.blackhillsairsoft.co.uk*, True -*.blackholefund.com*, True -*.blackis.net*, True -*.blacklab.systems*, True -*.blacklin.es*, True -*.blacklists.pro*, True -*.blacklotuskungfu.com*, True -*.blacklotus.ninja*, True -*.black-love.tk*, True -*.black-mail.com.au*, True -*.blackmesa.be*, True -*.blacknapkins.org*, True -*.blacknudez.com*, True -*.blackone.hk*, True -*.blackpearlchihuahuas.ch*, True -*.blackrhino.com.ar*, True -*.blacksapps.com*, True -*.blackseherezada.tk*, True -*.blacksheepcraft.net*, True -*.black-sky.net*, True -*.blacksmitch.com*, True -*.blacks.ninja*, True -*.blacksquare.cl*, True -*.blackstaff.ca*, True -*.blackstaropal.biz*, True -*.blackstaropal.org*, True -*.blackstone.ml*, True -*.black-stylists.com*, True -*.blacksun.li*, True -*.blacksunonline.tk*, True -*.blackswanbeerhouse.com*, True -*.blackswanfiddlers.com*, True -*.black-swords.be*, True -*.blacktieaffairs.com.au*, True -*.blacktieaffairs.co.uk*, True -*.blacktoast.net*, True -*.blacktowncomputers.com.au*, True -*.black-tracker.gr*, True -*.blackwebbeta.tk*, True -*.blackwood-designs.com*, True -*.blacraft.ga*, True -*.bladeservers.ro*, True -*.bladezeta.cl*, True -*.blagam.ru*, True -*.blagodarnyy.ru*, True -*.blagolith.com*, True -*.blago-mebel.ru*, True -*.blagovna-znamka.si*, True -*.blahchile.com*, True -*.blah.cl*, True -*.blahgoo.com*, True -*.blah.ro*, True -*.blaiconsrl.com.ar*, True -*.blaineray.com*, True -*.blairdurnford.com*, True -*.blakecorp.us*, True -*.blakelivingston.net*, True -*.blakeneybienvenue.com*, True -*.blaknet.ca*, True -*.blanccailloux.be*, True -*.blanchard-tech.net*, True -*.blancheneige.ch*, True -*.blanco.com.ar*, True -*.blancoencalada.cl*, True -*.blancogeo.com*, True -*.blancreme.ru*, True -*.blandfx.com*, True -*.blandtechnology.com*, True -*.blanjatoyota.com*, True -*.blankdrift.com*, True -*.blanketbundles.org*, True -*.blankis.se*, True -*.blanklink.com*, True -*.blankodel.ru*, True -*.blankrocks.com*, True -*.blankslatetechnologies.com*, True -*.blankslatetechnologies.net*, True -*.blankva.ro*, True -*.blantek.one.pl*, True -*.blaqrows.co.za*, True -*.blarck.com*, True -*.blarg.xyz*, True -*.blasers.co.za*, True -*.blasphemyband.com*, True -*.blasphemyband.eu*, True -*.blasphemyband.net*, True -*.blastedstudios.com*, True -*.blaster.com.ar*, True -*.blastinggreen.com*, True -*.blaszak.ca*, True -*.blatch.org*, True -*.blauerbecher.de*, True -*.blauhead.com*, True -*.blauser.org*, True -*.blaustern.ro*, True -*.blawe1.tk*, True -*.blawe2.tk*, True -*.blawg.ch*, True -*.blaybrooks.com*, True -*.blayk.us*, True -*.blazbizjak.tk*, True -*.blazeitnig.ga*, True -*.blazemind.com*, True -*.blazes.ru*, True -*.blazicmiha.tk*, True -*.blazion.org*, True -*.bleckmax.tk*, True -*.blecktornet.se*, True -*.blederz.net*, True -*.bleed.cf*, True -*.bleeping-pc.com*, True -*.bleiben.com.ar*, True -*.blenda.es*, True -*.blendedsponges.com*, True -*.blenderrenderfarm.com*, True -*.blerge.net*, True -*.blerg.net*, True -*.blessadv.com*, True -*.blessed.org.uk*, True -*.blessinfo.com.br*, True -*.blestblessing.com.au*, True -*.blethwin.com*, True -*.bleuvanille.com*, True -*.blfact.com*, True -*.blgg.rs*, True -*.blgroupsa.co.za*, True -*.blickla.cl*, True -*.bliedessy.com*, True -*.bliemli.ch*, True -*.blift.co*, True -*.blift.com.au*, True -*.blift.in*, True -*.blift.me*, True -*.blift.net*, True -*.blift.net.au*, True -*.bligus.com*, True -*.blik.ca*, True -*.blikio.com*, True -*.bliksem.us*, True -*.blindcollective.com*, True -*.blindd.ga*, True -*.blindd.tk*, True -*.blindsoul.com*, True -*.blingavan.com*, True -*.blingavan.co.uk*, True -*.blinkbase.com*, True -*.blinklab.com*, True -*.blinko.io*, True -*.blippster.com*, True -*.blisnygg.se*, True -*.blissfulblightbooks.com*, True -*.blissis.ch*, True -*.blissitte.info*, True -*.blister-pro.ru*, True -*.blisterpro.ru*, True -*.blisterupakovka.ru*, True -*.blister-upakovka.su*, True -*.blister-upak.ru*, True -*.blisterupak.ru*, True -*.blitar-coder.org*, True -*.blitarlove.us*, True -*.blitzsoft.ro*, True -*.blixa.se*, True -*.blizzie.net*, True -*.blkdogdesign.com*, True -*.blls.com.au*, True -*.blmo.ro*, True -*.bln.co.za*, True -*.blockaa23.com*, True -*.blockcert.com*, True -*.blockhousebodega.com*, True -*.blockhousecarranza.com*, True -*.blockhouse.com.mx*, True -*.blockhouse.mx*, True -*.blockhouseodega.com*, True -*.blockhousesendero.com*, True -*.blockscout.com*, True -*.bloemendal.me*, True -*.bloeminc.com*, True -*.blog01.tk*, True -*.blogads.ro*, True -*.blogadvertise.ro*, True -*.blogadvertising.ro*, True -*.blogajaib-mywapblog.cf*, True -*.blogajaibmywapblog-com.cf*, True -*.blogajaib-mywapblog.tk*, True -*.blogalal.com*, True -*.blogall.com.br*, True -*.blogbloc.ro*, True -*.blogbrands.ro*, True -*.blogbusiness.ro*, True -*.blogcash.ro*, True -*.blogdacoruja.com.br*, True -*.blogdadisney.com.br*, True -*.blogdex.cf*, True -*.blogdns.info*, True -*.blogdobilu.com.br*, True -*.blogdointercambio.com.br*, True -*.blogdomeirinho.com.br*, True -*.blogdoperon.com.br*, True -*.blogdourandir.com.br*, True -*.blogdwiks.com*, True -*.blogelectronics.com*, True -*.blogerrante.com*, True -*.blog-fathur.com*, True -*.blog-fathur.net*, True -*.blog-fathur.org*, True -*.blogganteng.com*, True -*.bloggerindo.web.id*, True -*.bloggerjateng.com*, True -*.blogger-newbie.com*, True -*.bloggersidoarjo.com*, True -*.bloggersteam.ro*, True -*.bloggerterkenal.com*, True -*.bloggervn.tk*, True -*.blogginghell.co.uk*, True -*.blog-guru.web.id*, True -*.bloghalloffame.com*, True -*.blog-harry.com*, True -*.blog-healthy.com*, True -*.bloghouse.co.kr*, True -*.blog-izam.my*, True -*.blogku.us*, True -*.blogmediagroup.com*, True -*.blogmoney.ro*, True -*.blogmovietrailers.com*, True -*.blog-navar.net*, True -*.blognecessaire.com.br*, True -*.blogner.ca*, True -*.blognewbie.tk*, True -*.blogofregret.com*, True -*.blogpunto.es*, True -*.blogranking.ro*, True -*.blogrankings.ro*, True -*.blogrank.ro*, True -*.blogranks.ro*, True -*.blog-s60.ga*, True -*.blogsaya.net*, True -*.blogscor.ro*, True -*.blogsell.com*, True -*.blog-seo.cf*, True -*.blogsofseparation.com*, True -*.blogs.or.id*, True -*.blogspaper.org*, True -*.blogspot-com.ga*, True -*.blogspotthemes.com*, True -*.blogstaples.com.ar*, True -*.blogstrapping.com*, True -*.blogsurf.ro*, True -*.blogteam.ro*, True -*.blogulanului.ro*, True -*.blogullunii.ro*, True -*.blogulugogu.ro*, True -*.blogulzanei.ro*, True -*.blogulzilei.ro*, True -*.blogvalue.ro*, True -*.blogwaffle.com*, True -*.blogwide.net*, True -*.blog-yogi.org*, True -*.blogyomi.com*, True -*.bloing.com.ar*, True -*.blok.cf*, True -*.blomland.co.za*, True -*.blonay21.ch*, True -*.blooddeath.pl*, True -*.bloodforthebloodgod.com*, True -*.blood.ir*, True -*.blood-ninja.com*, True -*.bloodskirmish.com*, True -*.bloodstone.org*, True -*.bloodthirstychildren.com*, True -*.bloodtinge.com*, True -*.bloodtroops.com*, True -*.bloodytoe.com*, True -*.blookanoo.ca*, True -*.bloomarket.hk*, True -*.bloomfieldsolutionsllc.com*, True -*.bloomfieldsolutions.net*, True -*.bloomfieldsolutions.us*, True -*.bloom.us*, True -*.bloptimization.com*, True -*.bloquetres.com.ar*, True -*.blorks.com*, True -*.blouberginteriors.co.za*, True -*.blowingupbits.com*, True -*.blowmo.net*, True -*.blownawaybeautybar.net*, True -*.blowthemall.org*, True -*.blowwater.hk*, True -*.blp.io*, True -*.blptw.com.au*, True -*.blrd.tk*, True -*.blubberblase.org*, True -*.blu-design.com*, True -*.bludru.com*, True -*.blue0rbit.com*, True -*.blue0.tk*, True -*.blue4servers.co.uk*, True -*.blue9.com.au*, True -*.blueadvisors.cl*, True -*.blue-antz.net*, True -*.blueapsara.com*, True -*.blue-army.be*, True -*.bluebag.se*, True -*.bluebest.cl*, True -*.bluebloodkustoms.com*, True -*.bluebox.cat*, True -*.blueboxkennels.com*, True -*.blueboysworld.co.uk*, True -*.bluecatnetworks.hk*, True -*.bluechiphbf.com.au*, True -*.bluechipresults.com.au*, True -*.bluechiptracker.com.au*, True -*.blue-city.ro*, True -*.bluecompass.co.uk*, True -*.bluecompassit.com*, True -*.bluecompassit.co.uk*, True -*.bluecomunicaciones.cl*, True -*.bluecrabconnection.com*, True -*.bluecross.org.br*, True -*.bluedesign.si*, True -*.bluedotcrm.com*, True -*.bluedoteducation.com*, True -*.bluedotedu.com*, True -*.blue-dot.ro*, True -*.bluedotx.com*, True -*.bluedreams.info*, True -*.blueeagles.ch*, True -*.bluee.com.mx*, True -*.blueeyes.ml*, True -*.bluefederation.net*, True -*.blueflag.us*, True -*.blueflame78504.com*, True -*.blueflux.net*, True -*.bluefuzzball.org*, True -*.bluehive.com*, True -*.blueholesoftware.com*, True -*.bluehouse-toowoomba.com.au*, True -*.blueh-server.tk*, True -*.bluehusky.com*, True -*.blue-jade.com*, True -*.blue-jade.net*, True -*.bluekaffee.com*, True -*.bluekeyfinance.com*, True -*.bluekeyfinance.com.au*, True -*.blue-liquid.co.uk*, True -*.bluemagic.net*, True -*.bluemane.ml*, True -*.bluemapleind.com*, True -*.bluemondays.org*, True -*.bluemonkeyfish.com*, True -*.bluemonster.cl*, True -*.bluemoon.com.vn*, True -*.bluemoth.asia*, True -*.bluemountainthreads.com*, True -*.bluenag.ch*, True -*.bluenakoo.com*, True -*.blueoceancapital.com*, True -*.blueoceanconsulting.com.ar*, True -*.bluepear.org*, True -*.bluepeartelevision.com*, True -*.bluepill100mg.com*, True -*.bluepill.ml*, True -*.blueprintsit.cl*, True -*.blueprinttickets.com*, True -*.bluesandsip.com*, True -*.blue-saturn.ch*, True -*.bluesaturn.ch*, True -*.bluesaturn.com*, True -*.blueshadows.cl*, True -*.bluesine.net*, True -*.blueskew.com*, True -*.bluesky.net.au*, True -*.bluesky.tw*, True -*.blueslipper.tw*, True -*.blue-sm.com*, True -*.blue-software.com*, True -*.blue-software.eu*, True -*.bluespeed.co.uk*, True -*.bluestickgames.com*, True -*.bluestormwebdesign.com*, True -*.blueswitchsolutions.com*, True -*.blueswitchsolutions.co.uk*, True -*.bluetears.org*, True -*.bluetengold.de*, True -*.bluetexinternational.com*, True -*.bluetorchsource.com*, True -*.bluetorch.us*, True -*.bluetrailllc.com*, True -*.bluetrain-jazz.com.ar*, True -*.bluewafflehouse.com*, True -*.blueware.nl*, True -*.bluewateronthebeach.com*, True -*.bluewatersky.com*, True -*.bluewindband.net*, True -*.blueworld.li*, True -*.blueyarn.net*, True -*.blue-yg.com*, True -*.bluffave.com*, True -*.bluffavenue.com*, True -*.blufreddo.it*, True -*.bluglu.org*, True -*.blumengarten.info*, True -*.blumenthalgroup.com*, True -*.blumersolutions.com*, True -*.blumnet.ca*, True -*.blundstonefootwear.com*, True -*.blunn.co.za*, True -*.bluntgang.info*, True -*.bluntz.tk*, True -*.blupa.com*, True -*.blup.ch*, True -*.blurrybits.net*, True -*.b-l.us*, True -*.bluscreen.co.nz*, True -*.blusun.ir*, True -*.blutdienst.ch*, True -*.blutrading.cl*, True -*.bluzen.co.za*, True -*.bluz.ga*, True -*.blvn.tk*, True -*.blwaterco.com*, True -*.blwc.com.au*, True -*.bm990.com*, True -*.bmarket.cl*, True -*.bmb.cc*, True -*.bmbcnet.net*, True -*.bmc420.com*, True -*.bmcandrews.com*, True -*.bmcarteras.com.ar*, True -*.bmcb.org.au*, True -*.bmck.biz*, True -*.bmc.ro*, True -*.b-metrix.com*, True -*.bmgthaiasian.com*, True -*.bmgtrainingsolutions.co.uk*, True -*.bmibeyeler.ch*, True -*.bmicapa.org*, True -*.bmichas.info*, True -*.bmid.ca*, True -*.bmif.co.uk*, True -*.bmisolutions.ch*, True -*.bmlfamily.net*, True -*.bmmultimarcas.com.br*, True -*.bmofa.org.au*, True -*.bmorat.ch*, True -*.bmortech.net*, True -*.bmpower.co.kr*, True -*.bmppho.to*, True -*.bmrresources.com*, True -*.bmtamber.co.id*, True -*.bmt-salama.co.id*, True -*.bmtsuryadarmamandiri.com*, True -*.bmtula.ru*, True -*.bmvl.ru*, True -*.bmw-147.com*, True -*.bmw-158.com*, True -*.bmw45.net*, True -*.bmw-740.com*, True -*.bmw-741.com*, True -*.bmw88.net*, True -*.bmwauto.bg*, True -*.bmwdoc.ru*, True -*.bmw-information.co.za*, True -*.bmwr.be*, True -*.bmwtpi.com*, True -*.bmwzone.ro*, True -*.bmx3r.com*, True -*.bna59.com*, True -*.bna74.com*, True -*.bnathan.com*, True -*.bnaya.co.il*, True -*.bnaz.org*, True -*.b-n-b.hk*, True -*.bnbsouthafrica.org*, True -*.bnbzaubernuss.ch*, True -*.bnccs.com.au*, True -*.bncproducts.com*, True -*.bncproducts.net*, True -*.bneis.com*, True -*.bnene.com*, True -*.bnetz.cl*, True -*.bngoutsourcing.com*, True -*.bnhymn.com*, True -*.bn-idbte4m.net*, True -*.bnisyariah.net*, True -*.bnmhotel.com*, True -*.bnowakowski.pl*, True -*.bnpt.go.id*, True -*.bnsiel.com*, True -*.bnteam.eu*, True -*.bnvoet.com*, True -*.bny28.com*, True -*.bny49.com*, True -*.bny63.com*, True -*.bny76.com*, True -*.bny85.com*, True -*.boardershop.com.ar*, True -*.boarderweekend.ch*, True -*.boardgameshub.ro*, True -*.boardgraphic.com*, True -*.board-management.se*, True -*.boardroomprophets.com*, True -*.boardthirteen.com*, True -*.boarini.com.ar*, True -*.boatbuilding.ws*, True -*.boatequipment.asia*, True -*.boatequipment.co.nz*, True -*.boatequipment.info*, True -*.boatequipment.net.nz*, True -*.boatequipment.nz*, True -*.boatingequipment.asia*, True -*.boatingequipment.co.nz*, True -*.boatingequipment.info*, True -*.boatingequipment.net.nz*, True -*.boatingequipment.nz*, True -*.boatmanage.com*, True -*.boats.com.tw*, True -*.boat-shed.biz*, True -*.bobak.co*, True -*.bobalyworks.com*, True -*.bobarctor.ch*, True -*.bob-az.com*, True -*.bobbiegravessupplycompany.com*, True -*.bobbie-russie.com*, True -*.bobbingforrainbows.com*, True -*.bobbutcher.net*, True -*.bobbyboyar.com*, True -*.bobcentury.com*, True -*.bobchesworth.com*, True -*.bobchesworth.info*, True -*.bob.com.ar*, True -*.bobd.org*, True -*.bo-be.com*, True -*.bobersek.com*, True -*.bob-esco.ro*, True -*.bobinakit.com*, True -*.bobj.co.za*, True -*.bobjoeanimation.com*, True -*.bobkonsult.no*, True -*.bobl55.com*, True -*.boblocrew.com*, True -*.boblove.org*, True -*.bobo1239.tk*, True -*.bobo.blue*, True -*.bobobodesign.com*, True -*.bobobox.net*, True -*.bobocookie.com*, True -*.bobodaifu.com*, True -*.bobofett.com*, True -*.bobosubs.net*, True -*.bobpvp.tk*, True -*.bobrinets.ru*, True -*.bobrowicz.net*, True -*.bobtheblueberry.com*, True -*.bobunited.com*, True -*.bob-vpnsg2.tk*, True -*.bob-vs.com*, True -*.bobwhitepaintball.com*, True -*.bobwills4homes.com*, True -*.bocaditospa.com.br*, True -*.bocahliyarlho.tk*, True -*.bocahmbeduth.tk*, True -*.bocahwar.net*, True -*.bocaratonweather.info*, True -*.boccevinci.com.ar*, True -*.boccl.com*, True -*.boccobottle.com*, True -*.bocelin.com*, True -*.bocellipizza.com*, True -*.bochaspolo.com.ar*, True -*.bocil.tk*, True -*.bocksar.info*, True -*.bocodol.com*, True -*.bocsoda.tk*, True -*.bodaibo.info*, True -*.bodaibo.net*, True -*.bodasdedestinomexico.com*, True -*.bodassanmiguelintegra.com*, True -*.bodecomsa.ec*, True -*.bodegaloszazos.com.ar*, True -*.bodegasafersa.es*, True -*.bodegasaries.com.ar*, True -*.bodenmann.biz*, True -*.bodensee-devils.ch*, True -*.bodhisattva.ru*, True -*.bodi-mul.us*, True -*.bodobiya.ir*, True -*.bodotietz.ch*, True -*.bodpetertk.ro*, True -*.bodycraft.ru*, True -*.bodyglove.hk*, True -*.bodyham.com*, True -*.bodyhit.ro*, True -*.body-line.ch*, True -*.bodyman.ro*, True -*.bodymindgreenyoga.com*, True -*.body-sculpture.ro*, True -*.bodyslenders.com*, True -*.bodystressreleasesa.co.za*, True -*.bodywork.ro*, True -*.bodyworkstherapies.com*, True -*.boedeli-racing-club.ch*, True -*.boeffgroup.com*, True -*.boegol.com.br*, True -*.boeke.org*, True -*.boenink.nl*, True -*.boettiger.cl*, True -*.boettner.com.ar*, True -*.boettrich.info*, True -*.bofh.gq*, True -*.bofh.ro*, True -*.bofn.net*, True -*.bofry.pl*, True -*.bofslime.net*, True -*.bogao.us*, True -*.bogarasesoramientosartisticos.com*, True -*.bogart.es*, True -*.bogazici.us*, True -*.bogdancoman.ro*, True -*.bogdanconstantinescu.ro*, True -*.bogdandebuzau.ro*, True -*.bogdani.ro*, True -*.bogdanlupascu.ro*, True -*.bogek.tk*, True -*.bogel.la*, True -*.boggle-game.com*, True -*.bogner.tk*, True -*.bogor.la*, True -*.bogors-berbagi.net*, True -*.bogor.se*, True -*.bogste.ro*, True -*.bogusx.idv.tw*, True -*.bohall.org*, True -*.bohan.li*, True -*.bohe47.com*, True -*.bohemszakacsok.hu*, True -*.bohosoftware.com*, True -*.bohosoftware.co.uk*, True -*.boilerplatemaker.com*, True -*.boiler.tw*, True -*.boillatrichonwillemin.ch*, True -*.boilmyhands.com*, True -*.boilr.mobi*, True -*.boimanapps.com*, True -*.boiseurbain.com*, True -*.bojiblog.com*, True -*.bojosmodelle.com.br*, True -*.bokchoyguru.info*, True -*.bokep12.com*, True -*.bokep23.com*, True -*.bokep57.com*, True -*.bokep-download.net*, True -*.bokepes.com*, True -*.bokepex.com*, True -*.bokepmp3.tk*, True -*.bokepmu.us*, True -*.bokepnew.co*, True -*.bokepstore.net*, True -*.bokepstreaming.net*, True -*.bokepxxx.us*, True -*.bokga.com*, True -*.bo-kite.com*, True -*.bokjjang.com*, True -*.bokparti.com*, True -*.bokssi.com*, True -*.bokstory.com*, True -*.boku.com.ar*, True -*.bola558.info*, True -*.bola558.org*, True -*.bolasports.com.br*, True -*.boldilox.co.uk*, True -*.boldrin.com.br*, True -*.boldxxxpression.info*, True -*.bolehsaja.ga*, True -*.boleteriavip.com.ar*, True -*.bolfish.tw*, True -*.bolialergice.ro*, True -*.bolid.eu*, True -*.bolinder-munktell.se*, True -*.bolivia.co.za*, True -*.bolji-upravitelj-zgrada.hr*, True -*.bolland.nu*, True -*.bolle-net.ro*, True -*.bollerman.net*, True -*.bolliful.com*, True -*.bolliger-fleurs.ch*, True -*.bollo.org.ar*, True -*.bollyfood-restaurant.ch*, True -*.bolosaospedacos.com*, True -*.bolotararara.tk*, True -*.bolovsrol.ru*, True -*.bolpo.in*, True -*.bolro.org*, True -*.bolsadeaguas.cl*, True -*.bolsasocial.cl*, True -*.bolsel.com*, True -*.bolshiebukvy.ru*, True -*.boltcrank838861.net*, True -*.bolteng.com*, True -*.boltforums.com*, True -*.boltiv.com*, True -*.boltman.nom.za*, True -*.bolton-consulting.org*, True -*.bolton.tk*, True -*.boltool-china.com*, True -*.boltsandbutterflies.com*, True -*.boltsbrasil.com.br*, True -*.boltsuper4g.ml*, True -*.bolttransit.ca*, True -*.bolttransit.com*, True -*.boltuck.org*, True -*.boltyrov.ru*, True -*.bolyai.eu*, True -*.bolyh.eu*, True -*.bom200.com*, True -*.bomaza.com*, True -*.bombacafe.tk*, True -*.bombacena.cz*, True -*.bombando.com.br*, True -*.bombertalk.com*, True -*.bombinasco.ch*, True -*.bombix.ru*, True -*.bomblaitargentina.com.ar*, True -*.bomblaitchocolates.com.ar*, True -*.bomblait.com.ar*, True -*.bomboni.si*, True -*.bomer.us*, True -*.bomgostonatural.com.br*, True -*.bommer.ca*, True -*.bommor.com.mx*, True -*.boms.com.au*, True -*.bon99.com*, True -*.bonac.si*, True -*.bonafidetv.com*, True -*.bonaire.tk*, True -*.bonait.com.ar*, True -*.bonamente.eu*, True -*.bonano.us*, True -*.bonanza.co.id*, True -*.bonar.me*, True -*.bonata.ro*, True -*.bonbearcreations.com*, True -*.bonbonetto.com*, True -*.boncfoldi.hu*, True -*.bond311.com*, True -*.bondage.ch*, True -*.bond.cl*, True -*.bo-nd.com*, True -*.bondiboydiary.com.au*, True -*.bonditomanly.com*, True -*.bondresq.co.za*, True -*.bondsac.com*, True -*.bonek.cf*, True -*.bonemusic.tk*, True -*.bonerbills.com*, True -*.bonerti.me*, True -*.bonettohome.net*, True -*.boneyard.me*, True -*.bong567.com*, True -*.bongh.it*, True -*.bongi.cf*, True -*.bongify.it*, True -*.bongify.me*, True -*.bongify.us*, True -*.bongoleo.com*, True -*.bong-toke.tk*, True -*.bongyiddang.com*, True -*.bonhamandhoward.com*, True -*.bonhumer.com*, True -*.bonik.net*, True -*.boni.ru*, True -*.bonkola.com*, True -*.bonnierizal.tk*, True -*.bonns.com*, True -*.bonoboincorperation.tk*, True -*.bono.com.ar*, True -*.bonomnia.info*, True -*.bonong.net*, True -*.bonoty.info*, True -*.bonsais.ru*, True -*.bonsays.ru*, True -*.bonuselearning.ro*, True -*.bonustaxi.ru*, True -*.bonvent.si*, True -*.bonvn.com*, True -*.bonzer.si*, True -*.boobhouse.us*, True -*.booboofree.com*, True -*.booboomoese.com*, True -*.boobytrap.ga*, True -*.boogiepop.org*, True -*.boogsmcgee.net*, True -*.boohers.net*, True -*.booka.dj*, True -*.bookagile.com*, True -*.bookalicious.com*, True -*.bookarkansasbands.com*, True -*.bookbeard.com*, True -*.book-co.com*, True -*.bookdrivinglesson.co.uk*, True -*.bookfix.ro*, True -*.bookhouse.cl*, True -*.booking1st.com*, True -*.bookingerp.com*, True -*.bookingvungtau.com*, True -*.booking.web.id*, True -*.bookinh.com.br*, True -*.bookinturkey.net*, True -*.bookkeepingchildcare.com.au*, True -*.bookkeepingwithprecision.com.au*, True -*.booklite.nl*, True -*.bookmarks.ninja*, True -*.bookmeanings.com*, True -*.bookmeanings.net*, True -*.bookmeanings.org*, True -*.bookmemphisbands.com*, True -*.bookmississippibands.com*, True -*.book-now.net.au*, True -*.bookofdread.com*, True -*.bookpub.org*, True -*.bookscloseout.eu*, True -*.booksforthehungry.com*, True -*.booksmusicfilmstv.com*, True -*.booksonline.com.pk*, True -*.bookspace.it*, True -*.bookstore.ro*, True -*.booktest.ca*, True -*.booktoaster.co.il*, True -*.booktrader.club*, True -*.bookzy.ir*, True -*.boolab.com*, True -*.boola.ro*, True -*.boomarms.com*, True -*.boombest-vip.tk*, True -*.boomerp.com.br*, True -*.boomrake.com*, True -*.boomtowndrums.com*, True -*.boonbug.com*, True -*.boongboong2.net*, True -*.boop.cf*, True -*.boopers.org*, True -*.boos-boos.ch*, True -*.booska.info*, True -*.boosmurer.ch*, True -*.boosnet.ch*, True -*.boosthostingcanada.com*, True -*.boostinoz.com*, True -*.boostmafia.net*, True -*.boostmetabolism.com*, True -*.boostnet.com.au*, True -*.boot13.com*, True -*.bootdiscounters.com*, True -*.bootdisk.la*, True -*.boothmanracing.com*, True -*.booth.moe*, True -*.bootiesoncam.com*, True -*.boot-land.ch*, True -*.bootsandass.com*, True -*.bootsuggchina.com*, True -*.booxee.rs*, True -*.booxilla.co.il*, True -*.booxilla.com*, True -*.booyahacademy.com*, True -*.booyco-electronics.co.za*, True -*.booyco-services.co.za*, True -*.booyco-yabatho.co.za*, True -*.bopp-art.com*, True -*.boranda.ro*, True -*.boratex.com.ar*, True -*.borax.se*, True -*.borcherts.de*, True -*.borcz.com*, True -*.bordeaux-transition.org*, True -*.bordecostero.com*, True -*.bordenlake.com*, True -*.bordensite.com*, True -*.borderlinereckless.com*, True -*.bordurplitka.ru*, True -*.borealmfg.com*, True -*.boreasdys.cl*, True -*.boredkidsapp.com.au*, True -*.boredmanblog.com*, True -*.borelian.cl*, True -*.borg.ch*, True -*.borge.lt*, True -*.borges.cc*, True -*.borg.hk*, True -*.borgserver.net*, True -*.boringclothes.com*, True -*.boringwolf.cf*, True -*.borin-r.ch*, True -*.boriobox.com.br*, True -*.borisguina.com*, True -*.boriskin.ru*, True -*.bork.adv.br*, True -*.borkar.in*, True -*.borless.com*, True -*.born2ride.org*, True -*.borna-la.com*, True -*.borna-niroo-karan.ir*, True -*.borneo-info.com*, True -*.borneo-wallpaper.com*, True -*.bornika.co*, True -*.bornika.ir*, True -*.born-in-rzeszow.gq*, True -*.bornsteins.com*, True -*.borntorobot.com.au*, True -*.boroasro.ga*, True -*.borobudurtourism.co.id*, True -*.borodox.com*, True -*.borojevic.eu*, True -*.boronig.cl*, True -*.borowiak.us*, True -*.borquezyburr.cl*, True -*.borregaard.com.br*, True -*.borrowedwine.com*, True -*.borsagarden.se*, True -*.borsagubi.com*, True -*.bor-sherbrooke.ca*, True -*.borsrobot.se*, True -*.borszekiszerviz.info*, True -*.borthwickdesigns.com*, True -*.borthwickdesigns.co.uk*, True -*.bortman.com.ar*, True -*.bortoncelloveiculos.com.br*, True -*.borups.org*, True -*.borzont.info*, True -*.borzymek.pl*, True -*.borzymek.tk*, True -*.bosbok1.co.za*, True -*.boscattoautomoveis.com.br*, True -*.bosch-fuel-pumps.com*, True -*.boscoautomoveis.com.br*, True -*.boscovich.com.ar*, True -*.bose-center-sofia.com*, True -*.bosgoo.com*, True -*.bosmj.net*, True -*.bosnaportal.ga*, True -*.bosnaradio.net*, True -*.bosqueredondomemorial.com*, True -*.bosquesdelmaule.cl*, True -*.bosquesdelmaule.com*, True -*.bosrup.se*, True -*.bossafety.co.id*, True -*.bossambinha.com.ve*, True -*.bossenga.com*, True -*.boss-events.com.au*, True -*.bossevents.com.au*, True -*.bosshard-restaurator.ch*, True -*.bosshardware.com*, True -*.boss-host.org*, True -*.bossi.co.il*, True -*.boss.lc*, True -*.bossone.com.br*, True -*.bostanbul.com*, True -*.bostanbul.com.tr*, True -*.bostedor.com*, True -*.bost.id.au*, True -*.bostjan.info*, True -*.bostoncareercounselor.com*, True -*.bosto.net*, True -*.bostonkeyparty.net*, True -*.bostujat.cf*, True -*.bosu.com.tr*, True -*.bosziplaza.com*, True -*.botacini.com.br*, True -*.botanicaldesigns.com*, True -*.botanicsad.ru*, True -*.botaq.la*, True -*.botargika.com*, True -*.botarmy.net*, True -*.botcah.tk*, True -*.botcyb.org*, True -*.botero-sculpture.biz*, True -*.boterosculpture.biz*, True -*.botero-sculpture.com*, True -*.boterosculpture.com*, True -*.botero-sculpture.info*, True -*.boterosculpture.info*, True -*.botero-sculpture.net*, True -*.boterosculpture.net*, True -*.botero-sculpture.org*, True -*.boterosculpture.org*, True -*.botero-sculpture.us*, True -*.boterosculpture.us*, True -*.boteros.net*, True -*.botezbebe.ro*, True -*.bot-gaul.tk*, True -*.bot-guard.tk*, True -*.botkoplak.com*, True -*.bot-liker.ml*, True -*.botnerd.com*, True -*.botnet.mobi*, True -*.botnix.com*, True -*.bot.nu*, True -*.botolplastik-botolkaca.com*, True -*.botonaoeisca.com.br*, True -*.botonaoeisca.org.br*, True -*.botpage.info*, True -*.botsev.com*, True -*.botsiqtms.ga*, True -*.bot-siwil.eu*, True -*.botsuper.tk*, True -*.botsurf.com*, True -*.bott.com.br*, True -*.bottel.cl*, True -*.bott.eng.br*, True -*.botteronursula.ch*, True -*.bottlenosebits.com*, True -*.bott.net.br*, True -*.bottoml.com*, True -*.bottomlessabyss.net*, True -*.bottomlineinc.net*, True -*.bottonfamily.org*, True -*.bottonmusic.com*, True -*.boucherfamily.org*, True -*.boucheriebyerly.ch*, True -*.boucherie-fleury.ch*, True -*.boucheriemariethoz.ch*, True -*.boudon-charpente.ch*, True -*.boulangeriedesbains.ch*, True -*.boulangeriedumouret.ch*, True -*.boulangerie-leuenberger.ch*, True -*.boulangeriepochon.ch*, True -*.boulevard-sa.com.ar*, True -*.boumann.ch*, True -*.boumaticrobotics.ca*, True -*.bounce.pw*, True -*.bouncers4rent.com*, True -*.bouncers4rent.net*, True -*.bound4lifestl.com*, True -*.bounderofadventure.com*, True -*.bounie.net*, True -*.bouquetiere.ch*, True -*.bourkefilms.com*, True -*.bourkemobile.com*, True -*.bourkemobile.com.ar*, True -*.bourneghost.org*, True -*.bournelike.co.uk*, True -*.bournemouthschoolyearbook.co.uk*, True -*.bourseafrica.com*, True -*.bourseafrica.net*, True -*.bousecraft.com*, True -*.boushahri.net*, True -*.bousias.net*, True -*.boute.ir*, True -*.bouten.org*, True -*.bouthoorn.tk*, True -*.boutiquebio.ro*, True -*.boutiquebirthdayspdx.com*, True -*.boutiquedario.com*, True -*.boutique-difference.ch*, True -*.boutiquedotricolor.com.br*, True -*.boutiquemoslem.com*, True -*.boutique-sabs.ch*, True -*.boutiquesestosenso.ch*, True -*.boutique-volupte.ch*, True -*.boutique-wundertuete.ch*, True -*.bouvart.be*, True -*.bouwmannekes.eu*, True -*.boveridiamonds.com.au*, True -*.bovswebdesign.co.uk*, True -*.bowden.in*, True -*.bowentug.com*, True -*.bowhunter.tk*, True -*.bowjanglecrafts.co.uk*, True -*.bowlasonic.co.uk*, True -*.bowman-decor.com*, True -*.bowmansarrow.us*, True -*.bowmp3.com*, True -*.bowralrugby.com.au*, True -*.bowtieegg.com*, True -*.bowx.co.uk*, True -*.box24.info*, True -*.box28.com.br*, True -*.boxat23.info*, True -*.boxathome.co.uk*, True -*.boxathome.net*, True -*.boxcargo.cl*, True -*.boxcuatro.cl*, True -*.boxestime.com.ar*, True -*.box-gk.com*, True -*.boxiq.com*, True -*.boxiq.eu*, True -*.boxiy.com*, True -*.boxjusnet.com*, True -*.boxonly.org*, True -*.boxpi.net*, True -*.boxprint.com.my*, True -*.boxsistemas.com.br*, True -*.boxsupport.cl*, True -*.boxtv.co.za*, True -*.boxwhores.com*, True -*.box-wk.com*, True -*.box.wtf*, True -*.boxxnhac.com*, True -*.boyacikupu.biz*, True -*.boyank.tk*, True -*.boyboyhk.com*, True -*.boycottbpnow.org*, True -*.boycottmicrosoft.net*, True -*.boydbriese.com*, True -*.boyd.cl*, True -*.boydti.com*, True -*.boyercountry.com*, True -*.boyernet.net*, True -*.boykayamasha.ru*, True -*.boyprincess.ca*, True -*.boyrhaus.cf*, True -*.boysandgirlschamps.com*, True -*.boz1986.net*, True -*.bozacvetkovic.net*, True -*.bozhori.com.ar*, True -*.bozicnejc.tk*, True -*.boznedoy.cf*, True -*.bozzograo.net*, True -*.bozzograo.org*, True -*.bozzzo.ro*, True -*.bp2server.com*, True -*.bpandey.com.np*, True -*.bp-brokers.com.ar*, True -*.bpbrokers.com.ar*, True -*.b-p.ca*, True -*.bphosting.eu*, True -*.b-photo.ro*, True -*.bpit.com.au*, True -*.bp-iuris.cl*, True -*.bpjsk-bpn.org*, True -*.bpk-irk.ru*, True -*.bpkpenabur.info*, True -*.bpkpenaburjakarta.or.id*, True -*.bpkpenabur.org*, True -*.bpkpenabur.sch.id*, True -*.bpksrv.pl*, True -*.b-plurkers.com*, True -*.bpmarketing.net*, True -*.bpoadvisor.com*, True -*.bpo.ro*, True -*.bposamp.com*, True -*.bpphp8.org*, True -*.bpsntb.web.id*, True -*.bps-split.com*, True -*.bps.web.id*, True -*.bpwy.com*, True -*.bqc.co.za*, True -*.br0k3n.tk*, True -*.br0ken.ga*, True -*.br0kenwaystudios.co*, True -*.br0kenwaystudios.info*, True -*.br1414.com*, True -*.br2.cl*, True -*.br3gman.com*, True -*.br40ck.org*, True -*.br4dley.com*, True -*.br522.com*, True -*.brabaria.ch*, True -*.braceiro.com.br*, True -*.brackmountain.com*, True -*.brackmountainwine.com*, True -*.brackmountainwinecompany.com*, True -*.bradam.org*, True -*.bradar.cl*, True -*.bradcramer.com*, True -*.braddworak.com*, True -*.braddydaniel.org*, True -*.bradfieldglobal.com*, True -*.bradfieldglobal.com.au*, True -*.bradfordaldenadams.com*, True -*.bradfordharley.com*, True -*.bradfordhenson.com*, True -*.bradipoparkinsoniano.org*, True -*.bradleyandjulia.com*, True -*.bradleyjsnyder.com*, True -*.bradleykimbrell.com*, True -*.bradleysessions.com*, True -*.bradli.tk*, True -*.bradmorrison.ca*, True -*.brad.tk*, True -*.bradtleonard.com*, True -*.bradtreadwell.com*, True -*.bradwiser.com*, True -*.bragamedicalcentre.pt*, True -*.braggbobcats.org*, True -*.braghini.com.ar*, True -*.braginskiy.net*, True -*.bragshall.com*, True -*.brainalleakage.net*, True -*.brainbox.com.mx*, True -*.brainclan.com*, True -*.braincloudvpn.com*, True -*.braincontrol.co.uk*, True -*.braindead.mobi*, True -*.braineco.com*, True -*.brainfucked.com*, True -*.brainpimps.com*, True -*.brainresearchco.in*, True -*.brains.co.id*, True -*.brainslug.nl*, True -*.brainsoft.cl*, True -*.brainsoftware.com.br*, True -*.brainsop.com.ar*, True -*.brainspinach.org*, True -*.braintec.ch*, True -*.braintechnologies.com*, True -*.braintrust.ro*, True -*.braintruststudios.com*, True -*.braintruststudios.net*, True -*.braintruststudios.org*, True -*.brainwavy.com*, True -*.brainworks.com.np*, True -*.braisbarreiro.es*, True -*.brais.com.br*, True -*.bralrenov.be*, True -*.bramhulman.web.id*, True -*.bramsart.be*, True -*.bram-van-beek.ch*, True -*.branchoutpr.com*, True -*.branchwhisperer.com*, True -*.brancolabs.com*, True -*.brandbuilders.com.my*, True -*.brandconnect.biz*, True -*.brandedcontentreel.com*, True -*.brandedmra.org*, True -*.brandimichelle.com*, True -*.brandinis.ch*, True -*.brandiron.co.za*, True -*.brand-navigation.de*, True -*.brandonbayclassic.com*, True -*.brandonbouncycastles.ca*, True -*.brandonginn.net*, True -*.brandonglatz.com*, True -*.brandonrcampbell.com*, True -*.brandonslywka.com*, True -*.brandonsolo.com*, True -*.brandonzwicker.tk*, True -*.brandperformance.se*, True -*.brands-of-friends.si*, True -*.brandsoffriends.si*, True -*.brands.si*, True -*.brandtrg.com.ar*, True -*.brandul-preferat.ro*, True -*.brandwithit.ca*, True -*.brandwithit.com*, True -*.branhamaquafarms.com*, True -*.braniewo.one.pl*, True -*.braniganresearch.in*, True -*.brankart.com*, True -*.brannans.org*, True -*.brannonsview.com*, True -*.bransomcomputers.com*, True -*.brantner.biz*, True -*.brantonsgroup.com*, True -*.braraujo.tk*, True -*.brasaorosa.pt*, True -*.brasas.com.ar*, True -*.braschi.name*, True -*.brascon.eu*, True -*.brascon.net*, True -*.bras-edu.net*, True -*.brasilchat.org*, True -*.brasilconfeccoes.com.br*, True -*.brasilperfectcity.com*, True -*.brasilshopcar.com.br*, True -*.brassis.com*, True -*.brassoi-turista-egyesulet.eu*, True -*.brassoi-turista-egyesulet.ro*, True -*.brasstech.net*, True -*.brasswave.com.au*, True -*.brassyb.com*, True -*.brasx.org*, True -*.bratik.com*, True -*.bratina-mb.si*, True -*.bratitsis.gr*, True -*.brat-patrol.com*, True -*.bratten.org*, True -*.braunshedd.com*, True -*.bravocarlos.tk*, True -*.bravodvd.com*, True -*.bravoexperience.com.au*, True -*.bravostore2.com*, True -*.brawlcustommusic.com*, True -*.brawlcustommusic.net*, True -*.brawltools.com*, True -*.braxusavoleidepraia.com.br*, True -*.braydenhutchinson.com*, True -*.brazeau.me*, True -*.brazendata.com*, True -*.braziltracks.com*, True -*.brazmail.net*, True -*.brazucany.com*, True -*.brazucany.tv*, True -*.brbcable.com*, True -*.brbpolymer.com*, True -*.brbradford.com*, True -*.brburckarji.si*, True -*.brburns.com*, True -*.brcconstruction.co.za*, True -*.brdev.ca*, True -*.brdshw.net*, True -*.breadbox.us*, True -*.breadtemper.com*, True -*.breakbeat-team.com*, True -*.breakfastproductions.com*, True -*.breakherthewang.com*, True -*.breakingbad.com.ar*, True -*.breakingpar.com*, True -*.breakingzed.net*, True -*.brebes-host.com*, True -*.brecca.net*, True -*.brechostella.com.br*, True -*.bredbandsbox.se*, True -*.bredboard.com*, True -*.bredkrum.com*, True -*.breeann.org*, True -*.breedclub.ru*, True -*.breeses.com*, True -*.breewel.eu*, True -*.breezdesign.com*, True -*.breezedentalclinic.co.uk*, True -*.breezy.nu*, True -*.bregma.net.au*, True -*.breitsch.be*, True -*.brelandmiley.com*, True -*.brellis.com*, True -*.bremercleaning.com.au*, True -*.bremertec.mx*, True -*.bremmer.ca*, True -*.brendaberstein.com.ar*, True -*.brenda-mae.com*, True -*.brendanmeadows.co.uk*, True -*.brenna-and-al.com*, True -*.brennaandal.com*, True -*.brennanmh.com*, True -*.brennanpundersonlaw.com*, True -*.brenndorf.ro*, True -*.breno.adm.br*, True -*.brenolima.com*, True -*.brentgeery.com*, True -*.brentlipke.com*, True -*.brentsbikes.ca*, True -*.bressanin.com.br*, True -*.bresthostel.com*, True -*.bretonmeadowfarm.org*, True -*.brettejones.com*, True -*.brettgoss.ca*, True -*.brettgoulder.me*, True -*.bretthollon.com*, True -*.brettrowley.com*, True -*.bretzeliquide.info*, True -*.brewandbiscuit.co.uk*, True -*.brewbeckitservices.com*, True -*.brewcasion.com*, True -*.brewcityradio.com*, True -*.brewcitythunderbikes.com*, True -*.brewcitythunderbikes.net*, True -*.brewcitythunderbikes.org*, True -*.brewcraftbeer.co.za*, True -*.brewerybusinessplan.com*, True -*.brewingbeer.ca*, True -*.brexa.com.ar*, True -*.brezovec.si*, True -*.brez.si*, True -*.brfryssjan.se*, True -*.brftp.com*, True -*.brfx.co.uk*, True -*.brhost.net.br*, True -*.briales.com.ar*, True -*.briana.ca*, True -*.brianbentson.com*, True -*.brianco.ch*, True -*.briancox.biz*, True -*.briandelano.com*, True -*.briandian.com*, True -*.brianfryd.com*, True -*.brianfu.org*, True -*.briangus.com*, True -*.briankhaney.com*, True -*.briannathaniel.com*, True -*.brianneburnell.com*, True -*.brianniessen.com*, True -*.briannipper.com*, True -*.briannoone.com*, True -*.brianpuppy.com*, True -*.brianroney.com*, True -*.briansdirtbikes.com*, True -*.briansookhai.com*, True -*.brianstack.net*, True -*.brianstevens.com.au*, True -*.briantorreyscott.com*, True -*.brianturley.com*, True -*.brianwardlow.com*, True -*.brianwhigham.com*, True -*.briarwooddowns.com*, True -*.briarybottom.com*, True -*.bricemciver.com*, True -*.brickboiler.com*, True -*.brickboxspace.com*, True -*.brickbunny.co.uk*, True -*.brick.com.ar*, True -*.bricklayertraining.com.au*, True -*.brickmac.com*, True -*.brickman.com.ar*, True -*.brickpropiedades.com.ar*, True -*.bricman.si*, True -*.bridalmakeupvancouver.ca*, True -*.bridecamp.com*, True -*.bridgebuildersint.com*, True -*.bridgebuildersint.org*, True -*.bridge-club-hannover.de*, True -*.bridgecore.info*, True -*.bridgefieldcottage.org.uk*, True -*.bridgemorevillage.com*, True -*.bridgenote.com*, True -*.bridges-arkansas-homes.com*, True -*.bridges-bentonville.com*, True -*.bridgesbentonville.com*, True -*.bridgesbrokerage.com*, True -*.bridges-fayetteville.com*, True -*.bridgesfayetteville.com*, True -*.bridges-for-sale.com*, True -*.bridges-fort-smith.com*, True -*.bridgesfortsmith.com*, True -*.bridges-homes.com*, True -*.bridges-little-rock.com*, True -*.bridges-management.com*, True -*.bridgesmanagement.com*, True -*.bridgesnwa.com*, True -*.bridgespropertymanagement.com*, True -*.bridges-real-estate.com*, True -*.bridgesreality.com*, True -*.bridgesrealtors.com*, True -*.bridges-realty.com*, True -*.bridgesrealtynwa.com*, True -*.bridgesrentals.com*, True -*.bridgesrogers.com*, True -*.bridgestone-baa.com*, True -*.bridgestones.org*, True -*.bridges-tulsa.com*, True -*.bridgestulsa.com*, True -*.bridgetmayo.info*, True -*.bridgetti.com*, True -*.bridgetti.co.za*, True -*.bridgewaterengineering.com*, True -*.brief-fb.com*, True -*.brief-fb.me*, True -*.briefyourmarket.co.za*, True -*.brierley.ga*, True -*.briete.de*, True -*.brigadeiro.cl*, True -*.brigadeirodacris.com.br*, True -*.brigadeirodamaria.cl*, True -*.brighamcityevents.com*, True -*.brightcondorentals.com*, True -*.bright-eyedpups.com*, True -*.brightmindsit.com*, True -*.brightnet.com.au*, True -*.brightnet.net.au*, True -*.brightnetworks.net.au*, True -*.brightred.org*, True -*.brightskyservices.com*, True -*.brightstar-group.cl*, True -*.brightstargroup.cl*, True -*.brightstar-group.com.ar*, True -*.brightstyle.ru*, True -*.bright-up.net*, True -*.brightville.com*, True -*.brightwash.ml*, True -*.brigitteundreto.ch*, True -*.brikers.com*, True -*.brikers.lv*, True -*.brikson-engr.com*, True -*.brilhopiso.com.br*, True -*.brilliantcarwash.co.za*, True -*.brilliantcode.com*, True -*.brilliantrix.com*, True -*.brimit.ch*, True -*.bringsang.com*, True -*.bringthepopcorn.net*, True -*.brinoxvedacoes.com.br*, True -*.brinquedosouvenir.com.ar*, True -*.brinzart.com*, True -*.briochile.cl*, True -*.brionbuffet.com.br*, True -*.brionews.com*, True -*.brisalls.com*, True -*.brisandistributors.co.za*, True -*.brisbanechiro.com.au*, True -*.brisbanefurniturestore.com.au*, True -*.brisbanemassagebooking.com*, True -*.brisbaneorganicdelivery.com.au*, True -*.brisgemach.com*, True -*.brisk.com.np*, True -*.briskibusiness.com*, True -*.briskoysilvestre.com*, True -*.briskula.si*, True -*.bristolcityfansfc.co.uk*, True -*.bristoldc.com*, True -*.brit03.ru*, True -*.britaniamorelia.com*, True -*.britech.com.ar*, True -*.britech.io*, True -*.brite.ro*, True -*.britgrocer.com*, True -*.british-bike.ch*, True -*.britishcarclub.ch*, True -*.british-tinker.com*, True -*.britneyspears4.ru*, True -*.britodelpino.com*, True -*.brits-list.com*, True -*.britslist.com*, True -*.brittabrandbijoux.com*, True -*.brittainlawfirm.net*, True -*.brittanybdesigns.com*, True -*.brittanyhopping.com*, True -*.brittonbox.com*, True -*.brixbrum.ru*, True -*.briya.co.il*, True -*.brklyn.org*, True -*.brkng.ca*, True -*.brl.fi*, True -*.brmercantile.com*, True -*.brmred.fr*, True -*.broadbandconsulting.se*, True -*.broadbandfixit.com*, True -*.broadbent.cc*, True -*.broadcasting.hk*, True -*.broadcastmychannel.com*, True -*.broadcom.com.my*, True -*.broadground.com*, True -*.broadlands-pottery.co.uk*, True -*.broadspectrumvsa.org*, True -*.broadwaybrew.info*, True -*.broalliance.com.br*, True -*.brobert.eu*, True -*.broberts.org*, True -*.brocchi.tk*, True -*.brockbot.com*, True -*.brockm.id.au*, True -*.brockturner.com*, True -*.broco.li*, True -*.broddling.com*, True -*.broder.com.br*, True -*.brod.es*, True -*.brodeydover.ca*, True -*.broethers.ch*, True -*.broforapp.com*, True -*.brogle.co*, True -*.brogliserrurerie.ch*, True -*.brogrammer.org*, True -*.broh.co.uk*, True -*.brok-cupid.com*, True -*.brokeassnig.ga*, True -*.brokehoe.co*, True -*.brokelink.com*, True -*.brokenairsoft.com*, True -*.brokenangel.in*, True -*.brokenarmy.com*, True -*.brokenfuture.com*, True -*.brokenstring.org*, True -*.brokentoys.ca*, True -*.brokervn.com*, True -*.brokfam.net*, True -*.broking.com.ar*, True -*.brollea.org*, True -*.bromatologiaufmg.com.br*, True -*.brombomb.com*, True -*.bromley.co.za*, True -*.bromotrans.co.id*, True -*.brompton.com.ar*, True -*.bromser.com*, True -*.broncesprisma.com*, True -*.bronchitisrespiratoryinfo.com*, True -*.broncohio.com*, True -*.broncomarc.com*, True -*.bron-inf.ch*, True -*.bronislaw.ro*, True -*.bronks.net*, True -*.bronstein.com.ar*, True -*.bronty.org*, True -*.bronxba.com.ar*, True -*.bronxboxing.com.ar*, True -*.bronymapia.ru*, True -*.bronze10s.com*, True -*.bronzeshield.cf*, True -*.bronze-tech.com*, True -*.bronzfederation.org.nz*, True -*.bronzwellington.org.nz*, True -*.broodjeroyaal.nl*, True -*.broodjesroyaal.nl*, True -*.brookandbyrne.com.au*, True -*.brookecopeland.com*, True -*.brooklynhire.in*, True -*.brooklynhollaway.com*, True -*.brooklynmotorsport.com*, True -*.brooklynmusicarchive.com*, True -*.brooklynmusicarchive.net*, True -*.brooklynmusicarchive.org*, True -*.brooklynplumbers.co.za*, True -*.brooklynzoo.org*, True -*.brooks107.me*, True -*.brooks-enterprises.com.au*, True -*.broot.com*, True -*.bropowersports.com*, True -*.brosela-on.com*, True -*.broshan.com.np*, True -*.broske.com*, True -*.brost.ca*, True -*.brota.to*, True -*.brotesdelsur.cl*, True -*.brother-hood.org*, True -*.brotherhosting.info*, True -*.brotherhosting.net*, True -*.brotherproof.com*, True -*.brotherproof.org*, True -*.brotherscafe.com*, True -*.brothervps.tk*, True -*.brownandcohen.ca*, True -*.browncoats.ml*, True -*.brownfalcon.com*, True -*.brownintheusa.com*, True -*.browniom.com*, True -*.brownland.web.id*, True -*.browno.com*, True -*.brownspoint.me*, True -*.browntec.biz*, True -*.browntec.com*, True -*.browntechnicalsolutionsatl.com*, True -*.browntechnicalsolutionsintl.com*, True -*.browntechnicalsolutionsltd.com*, True -*.browntechnicalsolutionsnyc.com*, True -*.browntechnicalsolutionsusa.com*, True -*.browntechsolutions.info*, True -*.browntechsupport.com*, True -*.browntec.info*, True -*.browntec.net*, True -*.browntec.org*, True -*.browsecode.org*, True -*.browsetraining.cl*, True -*.brox.es*, True -*.broxsonhandymanservice.com*, True -*.brox.su*, True -*.brpsoez.com*, True -*.brpx.net*, True -*.brqxhome.com*, True -*.br-repacks.com*, True -*.brsp.co.za*, True -*.brtracks.com*, True -*.brtracks.com.br*, True -*.brtrax.com*, True -*.brtrax.com.br*, True -*.brucehickey.com*, True -*.brucekingphoto.com*, True -*.brucestclair.us*, True -*.brueckenwaage.ch*, True -*.bruestel.net*, True -*.brugere-jardin.ch*, True -*.bruggersa.ch*, True -*.bruijn.nu*, True -*.bruiloftdjboeken.com*, True -*.bruinsmafamily.org*, True -*.brujulajuridica.cl*, True -*.brumarte.cl*, True -*.brumble.me.uk*, True -*.brummer.eu*, True -*.brummer.sk*, True -*.brunchinsd.com*, True -*.bruncreek.com*, True -*.brunellefamily.ca*, True -*.brunhilda.tk*, True -*.brunobrito.net*, True -*.brunocanti.com*, True -*.brunocorreia.com*, True -*.brunocorreia.com.au*, True -*.brunocorreia.net*, True -*.brunocorreia.net.au*, True -*.brunoejb.ml*, True -*.brunoesposito.com.ar*, True -*.brunoespositofoto.com.ar*, True -*.brunoestrozi.com.br*, True -*.bruno-kaegi.ch*, True -*.brunol.com*, True -*.brunoluz.tk*, True -*.brunomars.in*, True -*.brunoribis.it*, True -*.brunoro.org*, True -*.brunosbestbathrooms.com*, True -*.bruno-traxler-maurerhandwerk.ch*, True -*.brunovidela.com.ar*, True -*.brunoxe.com*, True -*.bruns.tk*, True -*.brupak.com.np*, True -*.brushfireapps.com*, True -*.brushless.com.ar*, True -*.brusin.net*, True -*.brussie.com*, True -*.brusten.net*, True -*.brutalworld.ru*, True -*.brutariaeldi.ro*, True -*.bruulsema.com*, True -*.bruvic.cl*, True -*.bruyere.ca*, True -*.brvar.com*, True -*.brvgger.com*, True -*.brvideonyc.com*, True -*.brwnd.com*, True -*.brwni.es*, True -*.bryanapellanes.com*, True -*.bryandecker.com*, True -*.bryandoeslife.com*, True -*.bryanford.info*, True -*.bryanh.me*, True -*.bryan-hood.com*, True -*.bryanjam.es*, True -*.bryanlyon.com*, True -*.bryanmoulton.com*, True -*.bryanruiz.com*, True -*.bryansplace.net*, True -*.bryantlarsen.com*, True -*.bryantreyes.com*, True -*.bryantville.net*, True -*.bryanyudkin.com*, True -*.bryanzavala.com*, True -*.brybot.com*, True -*.bryceinc.com*, True -*.brycemoody.com*, True -*.bryceothomas.com*, True -*.bryce.ws*, True -*.bryguy.org*, True -*.bryjen.ch*, True -*.brynlewis.com*, True -*.brynrhosyn.com*, True -*.bryongaskin.net*, True -*.brywhi.com*, True -*.brzsistemas.com.br*, True -*.bs-1.cf*, True -*.bsas.com.ar*, True -*.bsasinformal.com.ar*, True -*.bs-astro.com*, True -*.bsatroop137.us*, True -*.bsbc.cl*, True -*.bsbc.com.ar*, True -*.bsburbano.com.br*, True -*.bsc17.com*, True -*.bschoone.com*, True -*.bscpropiedades.cl*, True -*.bsdchaser.net*, True -*.bsd.or.id*, True -*.bsf59.com*, True -*.bsf79.com*, True -*.bsgroup.org*, True -*.bsh-7cheker.gq*, True -*.bsin.us*, True -*.bskcraft.us*, True -*.bsl-adamdighi.com*, True -*.bslawyers.net*, True -*.bslogistics.com.br*, True -*.b-smart.ru*, True -*.bsmart-solutions.com*, True -*.bsmart-tech.com*, True -*.bsmart-technology.com.my*, True -*.bsmibali.or.id*, True -*.bsmp.me*, True -*.bsodpc.com*, True -*.bspartner.lv*, True -*.bsprod.net*, True -*.bsraudio.ch*, True -*.bsr.me*, True -*.bssinc.ro*, True -*.bss-one.com*, True -*.bss-one.ro*, True -*.bstarquitectos.cl*, True -*.bsucape.com.br*, True -*.bsuka.com*, True -*.bsurents.com*, True -*.btarena.net*, True -*.btav.ml*, True -*.btbtrading.it*, True -*.btccave.com*, True -*.btcdoor.com*, True -*.btcg.ro*, True -*.btchints.com*, True -*.btcidn.com*, True -*.btcloudsync.com*, True -*.btcog.ca*, True -*.btc.one.pl*, True -*.bt-cpd.com*, True -*.btcsoup.com*, True -*.bteam.cf*, True -*.btebteachers.com*, True -*.btech.mx*, True -*.btechnique.ch*, True -*.btec.net*, True -*.btels.com*, True -*.bteworkedhours.tk*, True -*.bthenderson.com*, True -*.btivirtual.com*, True -*.btizet.pl*, True -*.btkom.info*, True -*.btlab.co.uk*, True -*.btm.co.il*, True -*.btmore.com*, True -*.btmu.ir*, True -*.btnet.ro*, True -*.btnordic.ca*, True -*.btorresconstruction.com*, True -*.btraut.com*, True -*.btrfenetre.com*, True -*.btr.im*, True -*.btrippy.com*, True -*.btronix.com*, True -*.bts21.com*, True -*.btslink.com*, True -*.bts-sio.info*, True -*.bttoro.com.ar*, True -*.btttargoviste.ro*, True -*.bttxpto.pt*, True -*.btwbing.com*, True -*.btw-home.org*, True -*.buahbibirnews.com*, True -*.buah.org*, True -*.buat2lisan.com*, True -*.buatanak.tk*, True -*.buatduityoutube.my*, True -*.buatngebokep.tk*, True -*.bubbachinos.com.au*, True -*.bubbagimp.com*, True -*.bubble-net.info*, True -*.bubbleq.hk*, True -*.bubblesgestion.com.ar*, True -*.bubblestuff.com.au*, True -*.bubbletunnel.com*, True -*.bubendorf-pluess.ch*, True -*.buber.org.ar*, True -*.bubiklopmutmedia.pw*, True -*.bubuga.ga*, True -*.bubu.hk*, True -*.buburuza.info*, True -*.bucatarel.ro*, True -*.buchagile.com*, True -*.bucharestlimo.ro*, True -*.bucharestrentaflat.com*, True -*.buchhaltung-sauter.ch*, True -*.buchner.cl*, True -*.bucholtz.pl*, True -*.buckbergsoftware.com*, True -*.bucketmouse.net*, True -*.buckeyememories.com*, True -*.buckleupradio.com*, True -*.bucknine.com*, True -*.bucksfrominternet.com*, True -*.buckwild.ca*, True -*.bucse.ro*, True -*.bucu.pl*, True -*.buda.info*, True -*.buda.nl*, True -*.budapestlakaskezeles.com*, True -*.budbeautyacademy.com.np*, True -*.buddespizza.com*, True -*.buddhigrg.com.np*, True -*.buddyfitn.us*, True -*.buddyinnovations.com*, True -*.buddyinnovations.net*, True -*.buddyinnovations.us*, True -*.buddysoftware.com.au*, True -*.budehin.ru*, True -*.budengalas.tk*, True -*.budetgromko.ru*, True -*.budgetcanvas.co*, True -*.budgetcanvas.pl*, True -*.budgetcourier.co.za*, True -*.budgetdeck.co*, True -*.budgetdeck.pl*, True -*.budiarifw.com*, True -*.budjettravel.net*, True -*.budokaiteam.com*, True -*.budorensei.fi*, True -*.budoville.com*, True -*.budzdorv.ru*, True -*.buebrank.tk*, True -*.buechioptik.ch*, True -*.buehler-it.ch*, True -*.buehlerundzoller.ch*, True -*.buellhomecoming.com*, True -*.buenaboda.com*, True -*.buenaspropiedades.cl*, True -*.buenaspropiedades.com*, True -*.buenaventuragroupllc.com*, True -*.buenosairesatea.com.ar*, True -*.buenosairescall.com.ar*, True -*.buenosairesrealty.com*, True -*.buenosaires-sa.com.ar*, True -*.buenostangos.ru*, True -*.buenosvientossa.com.ar*, True -*.buergergemeinde-steinhausen.ch*, True -*.buerki-missura.ch*, True -*.buero101.ch*, True -*.buerse.cl*, True -*.buerse.com*, True -*.buezi-rueschegg.ch*, True -*.buf9.com*, True -*.buffalotraceranch.com*, True -*.buffetbox.com.br*, True -*.buffet-monkey.com*, True -*.bugaloop.com*, True -*.bugfree.com.br*, True -*.buggan.com*, True -*.buggycode.info*, True -*.bughi.com.br*, True -*.bughuntress.com*, True -*.bughuntress.net*, True -*.bughuntress.org*, True -*.bughuntress.us*, True -*.bugishost.com*, True -*.bugleys.com*, True -*.bug.lu*, True -*.bugpedia.ir*, True -*.bug-solutions.de*, True -*.bugstorm.pt*, True -*.bugstrapper.com*, True -*.bugtracker.tk*, True -*.buhajeruk.com.ar*, True -*.buhao37.com*, True -*.buhatem.com.br*, True -*.buhichan.net*, True -*.buholzer.com*, True -*.buildatubeamp.com*, True -*.buildconnect.com.au*, True -*.builddom.com*, True -*.builderchileinversiones.cl*, True -*.buildercountry.org*, True -*.builderkingdom.com*, True -*.builderkingdom.org*, True -*.buildermode.com*, True -*.builderrealm.com*, True -*.buildersblunders.com*, True -*.buildersemporium.co.uk*, True -*.builderstateline.com*, True -*.builderstates.com*, True -*.builderstates.org*, True -*.builderstatessj.com*, True -*.buildforge.net*, True -*.buildhub.cf*, True -*.buildhubmc.cf*, True -*.buildingasthirdteacher.com*, True -*.buildingasthirdteacher.com.au*, True -*.buildingasthirdteacher.net.au*, True -*.buildingcc.org*, True -*.buildingsatrisk.com*, True -*.buildkings.com*, True -*.buildmyoffer.com*, True -*.buildmysmarthome.org*, True -*.buildstuff.lt*, True -*.buildyourpatent.com*, True -*.built1st.com.au*, True -*.builtrightdevelopments.ca*, True -*.buisnessgroup.in*, True -*.bujanoci.net*, True -*.buk5.com*, True -*.bukandia.com*, True -*.bukankamu.com*, True -*.bukanuntukdewasa.net*, True -*.bukerk.com*, True -*.bukn.org*, True -*.bukova-sparovka.com*, True -*.bukove-rezivo.cz*, True -*.bukovinsky.si*, True -*.bukowa.info*, True -*.bukowiec.one.pl*, True -*.bukselj.com*, True -*.buksna.net*, True -*.bukuobat.com*, True -*.bukupanduanmengajartpq.asia*, True -*.bukutulis.co.id*, True -*.bulach.org.uk*, True -*.bulamiyorum.net*, True -*.bulentdanis.com*, True -*.bulentyusuf.com*, True -*.bulevares.org.ar*, True -*.bulg.in*, True -*.buliklub.hu*, True -*.bulkcontinental.com.ar*, True -*.bulkiewicz.com*, True -*.bulkrc.net*, True -*.bulky.co.za*, True -*.bullclan.org*, True -*.bulldogfishingcharters.com*, True -*.bulldogsqro.com*, True -*.bulletpointgaming.com*, True -*.bulletsailing.co.uk*, True -*.bulle-zen-attitude.ch*, True -*.bullforge.com*, True -*.bullfrogbungee.com*, True -*.bullgo.com*, True -*.bullguard.tk*, True -*.bullonieriso.ch*, True -*.bull-optic.ch*, True -*.bulls-eye-designs.com*, True -*.bullseyedistribution.com*, True -*.bullwebhk.com*, True -*.bullying.ru*, True -*.bulnology.cl*, True -*.bulshit.info*, True -*.bulubabi-seribu.com*, True -*.bulukumbakab.net*, True -*.bulumanislor.in*, True -*.bulumanislor.net*, True -*.bumblebee.com.br*, True -*.bumblesandjumbles.com*, True -*.bumbokla.at*, True -*.bumbu.me*, True -*.bumbungngawi.com*, True -*.bumi22.cf*, True -*.bumi22.ga*, True -*.bumi22.gq*, True -*.bumi22.ml*, True -*.bumi22.tk*, True -*.bumiindahgroup.com*, True -*.bumilintang.co.id*, True -*.bumitek.net*, True -*.bumi.web.id*, True -*.bumomud.com*, True -*.bumpsetspike.ca*, True -*.bunaka.com*, True -*.bunaziuacopii.ro*, True -*.bunda.ga*, True -*.bundan57.com*, True -*.bundanoonmed.com.au*, True -*.bunditparmai.com*, True -*.bundleofnoise.co.uk*, True -*.bundyphotographer.com*, True -*.bundyphotographer.id.au*, True -*.bundyworld.com*, True -*.bunea.eu*, True -*.bunfunvan.com*, True -*.bungaclub.com*, True -*.bunga.co.id*, True -*.bungertstrasse.ch*, True -*.bungkal.com*, True -*.bungsu-1.com*, True -*.bungsujayaonline.com*, True -*.bungzhu.web.id*, True -*.bunker.id*, True -*.bunlatot.ro*, True -*.bunny.blue*, True -*.bunnyboxstudios.com*, True -*.bunnycraft-hun.tk*, True -*.bunnycrafthun.tk*, True -*.bunnysantachi.com*, True -*.bunotti.ro*, True -*.bunvenitinromania.ro*, True -*.bunzilla.ga*, True -*.buomhoang.net*, True -*.buonbannhadat.com*, True -*.buquevoador.com.br*, True -*.buradayiz.biz*, True -*.buradayiz.com*, True -*.burakaydogan.name.tr*, True -*.buran-baikal.ru*, True -*.burattoecavassana.com.br*, True -*.burclaralemi.com*, True -*.burdayiz.biz*, True -*.burdurdataksi.com*, True -*.burdurtaksi.com*, True -*.bureaua.com*, True -*.bureaua.net*, True -*.bureauautomoviles.com.ar*, True -*.bureauguild.com*, True -*.burellodesign.com*, True -*.burgemeestre.net*, True -*.burgerbook.ch*, True -*.burgercom.co.za*, True -*.burgermap.org*, True -*.burgesscreativeventures.com*, True -*.burgessfamily.info*, True -*.burghboy.com*, True -*.burgonfamily.org*, True -*.burgosarquitecto.cl*, True -*.burgosarquitectos.com*, True -*.burgos.org.ve*, True -*.burhanturkel.com*, True -*.burin-florist.com*, True -*.burkefreelance.com*, True -*.burkeharper.com*, True -*.burken.biz*, True -*.burkencattle.com*, True -*.burken.fi*, True -*.burkhalterrayson.com*, True -*.burlenbaker.com*, True -*.burmabums.cf*, True -*.burnbraeolivegrove.com*, True -*.burnedoutdev.com*, True -*.burnedtoast.co.za*, True -*.burningaether.com*, True -*.burningbarrelbrewery.ca*, True -*.burningbarrelbrewery.com*, True -*.burningblue.net*, True -*.burningmanseattle.com*, True -*.burningpyre.com*, True -*.burningsensations.co.uk*, True -*.burningsteel.net*, True -*.burnos.net*, True -*.burnoutsracing.com*, True -*.burns.cc*, True -*.burnslide.com*, True -*.burntbytes.com*, True -*.burnthebooks.co.uk*, True -*.burnthelmets.ca*, True -*.burny.co.uk*, True -*.burny.uk*, True -*.burobonkers.nl*, True -*.burov.eu*, True -*.burrardview.com*, True -*.burrito-sword.com*, True -*.burrows.net.nz*, True -*.burrtrustlimited.com*, True -*.bursaakuhastanesi.com*, True -*.bursaarhitectilor.ro*, True -*.bursa-aur.ro*, True -*.bursabearing.com*, True -*.bursabenih.com*, True -*.bursadownload.com*, True -*.bursalagu.fm*, True -*.bursa-lagump3.com*, True -*.bursamasak.co.id*, True -*.bursamobilpasuruan.com*, True -*.bursamotorraya.com*, True -*.burse-transport.ro*, True -*.bursus.ru*, True -*.bursztynowypasaz.pl*, True -*.burtslist.com*, True -*.burunduks.lv*, True -*.buruns.us*, True -*.burvano.com.ar*, True -*.buryatia.tv*, True -*.burz.ro*, True -*.busanbusi.com*, True -*.busbyfeed.com*, True -*.buscagps.com*, True -*.buscentre.co.za*, True -*.buschromania.ro*, True -*.buschwusch.tk*, True -*.buscolook.com*, True -*.buscomidestino.com*, True -*.busdigiacinto.it*, True -*.bushe.co.uk*, True -*.bushelbox.com.au*, True -*.bushlinkcampertrailers.com.au*, True -*.bushmissile.com*, True -*.bushor.net*, True -*.busho.tk*, True -*.bushwalkers.com*, True -*.bushwookiegaming.com*, True -*.bushytail.org.uk*, True -*.busico.com.ar*, True -*.businespro.ru*, True -*.business-accord-africa.co.za*, True -*.business-apartment-basel.ch*, True -*.businesscom.cl*, True -*.business-cosmote.ro*, True -*.business-europa.eu*, True -*.businessexpressplus.org*, True -*.businessezine.net*, True -*.businesshelvetica.ch*, True -*.businessintelligencecentral.com*, True -*.businessintelligenceportal.com*, True -*.businesskickstart.co.za*, True -*.businesslive.ca*, True -*.businesslogic.pro*, True -*.businessmall.ro*, True -*.business-marketing247.tk*, True -*.businessmoose.com.au*, True -*.businessnightrelay.co.za*, True -*.businessolve.net*, True -*.businessplanetmarketing.it*, True -*.businessprocessoutsourcing.ro*, True -*.businessrelay.co.za*, True -*.business-risc.com*, True -*.businessservices.ro*, True -*.businessurist.ru*, True -*.buskoblato.org*, True -*.buskul.se*, True -*.busroig.com*, True -*.busroig.es*, True -*.busse.li*, True -*.bustedknuckle.biz*, True -*.bustinloose.co*, True -*.bus-vucko.com*, True -*.busy-mail.co.uk*, True -*.b-u-s-y.ml*, True -*.busy.us*, True -*.butchblues.net*, True -*.butchmanhome.net*, True -*.buteplaza.com.ar*, True -*.butiktalaga.com*, True -*.butinet.org*, True -*.butler.cf*, True -*.butlerfamily.ca*, True -*.butlergroup.ca*, True -*.butoijo.tk*, True -*.but-pneumaticjakarta.com*, True -*.buttarazzi.info*, True -*.butt.care*, True -*.buttcointhegame.com*, True -*.butterblume.tk*, True -*.butterflygiving.org*, True -*.butterflywhitehosting.com*, True -*.butterweasel.com*, True -*.butteryourbacon.com*, True -*.butting.com.br*, True -*.buttkraken.net*, True -*.buttlegend.com*, True -*.buttonholeelastic.com*, True -*.butuhkopi.com*, True -*.butzinc.com*, True -*.buucruz.cl*, True -*.buvettelescroisettes.ch*, True -*.buxo.ml*, True -*.buxtonspice.com*, True -*.buxus.com.ar*, True -*.buyads.biz*, True -*.buy-art-online.us*, True -*.buyat.me*, True -*.buy-ba.xyz*, True -*.buybestpractices.com*, True -*.buybiz.ch*, True -*.buybiz.co.za*, True -*.buy-bluepill.com*, True -*.buycaphill.com*, True -*.buycpanel.org*, True -*.buydealstoday.com*, True -*.buy-doxycycline.net*, True -*.buyers1st.com.au*, True -*.buyersbrokerswanted.com*, True -*.buyerschoicelive.com*, True -*.buyerstoresite.com*, True -*.buygaspass.com*, True -*.buyhemat.com*, True -*.buy.im*, True -*.buyimport.com.br*, True -*.buylightingsa.com*, True -*.buylobstereasy.com*, True -*.buy-medications.net*, True -*.buymens-pills.com*, True -*.buymojatom.com*, True -*.buymotor.tw*, True -*.buymybeat.com*, True -*.buymybeat.net*, True -*.buynowpaylatercatalog.net*, True -*.buynowstl.com*, True -*.buyplantfood.co.uk*, True -*.buypokenaustralia.com*, True -*.buypokenaustralia.com.au*, True -*.buyproxy.info*, True -*.buyrepoedhomes.com*, True -*.buyribbon.ca*, True -*.buysellrent.hk*, True -*.buyselna.com*, True -*.buys.ru*, True -*.buythattruck.com*, True -*.buytition.com*, True -*.buyvillaadella.com*, True -*.buywater.tw*, True -*.buywmz.com*, True -*.buyyes.com*, True -*.buz777.com*, True -*.buzair.eu*, True -*.buzanfest.ru*, True -*.buzapps.com*, True -*.buzavirag.ro*, True -*.buzios.com.ar*, True -*.buzlylabs.com*, True -*.buzzco.org*, True -*.buzzkillradio.com*, True -*.buzznova.net*, True -*.buzzphotography.com*, True -*.buzz.web.id*, True -*.bveroofing.co.uk*, True -*.bvghome.tk*, True -*.bvincent.co*, True -*.bvisiongroup.com*, True -*.bvmacademy.com*, True -*.bvminc.net*, True -*.bv.org.ru*, True -*.bvvlworld.com*, True -*.bvvlworld.org*, True -*.bwaaa.net*, True -*.bwalker.com*, True -*.bwbinvest.ch*, True -*.bwcenter.ch*, True -*.bw-gaming.net*, True -*.bwinab.com*, True -*.bwinstal.ro*, True -*.bwp.my*, True -*.bwrliquor.com*, True -*.bwsec.com*, True -*.bwyouth.tw*, True -*.bxi.fi*, True -*.by5678.com*, True -*.byattsystems.co.uk*, True -*.bybcosmetica.com.ar*, True -*.bybfinanzas.com.ar*, True -*.bycabogados.com.ar*, True -*.bycycle.co.za*, True -*.bydanydwi.ga*, True -*.by-dc.eu*, True -*.bydness.com*, True -*.byetcoc.com*, True -*.byexample.info*, True -*.bygakoff.com*, True -*.bygakoff.ru*, True -*.bygayle.com*, True -*.byggrobban.se*, True -*.bykisautomoveis.com.br*, True -*.by-k.ru*, True -*.byme.ga*, True -*.byondhlp.com*, True -*.byonics.web.id*, True -*.byrapaneni.com*, True -*.byrjtec.com*, True -*.byrnedo.com*, True -*.byrnesite.com*, True -*.byronbolton.com*, True -*.byrondowns.com.au*, True -*.byronfoodtours.com.au*, True -*.bytch.net*, True -*.byte4byte.com*, True -*.byteadmin.ch*, True -*.bytec.co.il*, True -*.bytecontrol.com.ar*, True -*.bytecraft.se*, True -*.byteloc.com*, True -*.bytenet.net*, True -*.bytesentry.com*, True -*.byteshopstyles.com*, True -*.bytesnbikes.com*, True -*.bytespace.co.uk*, True -*.byteworks.pl*, True -*.bytex.ro*, True -*.byul.tk*, True -*.byv.co.za*, True -*.by-y.com*, True -*.bz1.ir*, True -*.bz54.biz*, True -*.bzaborow.org*, True -*.bzbyte.com*, True -*.bzcomedy.com*, True -*.bzfolk.com*, True -*.bzg39.ru*, True -*.bzintel.com*, True -*.bzpo.ru*, True -*.bz-vpn.tk*, True -*.bzz777.com*, True -*.c063n.com*, True -*.c0d3r3d.com*, True -*.c0m47053.co.uk*, True -*.c0nfus3d.biz*, True -*.c0ng-on.net*, True -*.c0ps.com*, True -*.c0r3.com*, True -*.c0y.de*, True -*.c1p.org*, True -*.c20xh2.org*, True -*.c21h30o2.ru*, True -*.c2gb.net*, True -*.c2today.com*, True -*.c300g.net*, True -*.c3baysidechurch.com.au*, True -*.c3cnvt.com*, True -*.c3po.ga*, True -*.c417.cf*, True -*.c4.ee*, True -*.c4home.us*, True -*.c4n.eu*, True -*.c4rt-girl.es*, True -*.c4tek.com*, True -*.c4ui2u.com*, True -*.c4ui2u.net*, True -*.c5h.pw*, True -*.c5neuquen.com.ar*, True -*.c5software.com.ar*, True -*.c60.tw*, True -*.c-625.com*, True -*.c64.ca*, True -*.c7rocks.com*, True -*.c8h10n4o2.ga*, True -*.c9-b9.com*, True -*.c9svc.net*, True -*.caa66.com*, True -*.caa777.com*, True -*.caa88.com*, True -*.caas.in*, True -*.caba35.com*, True -*.caba.gen.tr*, True -*.cabal17.com*, True -*.cabalelysium.com*, True -*.caballeriaaraucana.cl*, True -*.caballi.com.ar*, True -*.caballisa.com.ar*, True -*.cabalteca.cl*, True -*.cabanaobarsialotrului.ro*, True -*.cabanaslostroncos.cl*, True -*.cabaniasanantonio.com*, True -*.cabaniascerroleones.com.ar*, True -*.cabargas.cl*, True -*.cabarros.com*, True -*.cabbit.eu*, True -*.cabehias.com*, True -*.cabehiasdanunik.com*, True -*.cabeloscortespenteados.com.br*, True -*.cabeltatu.com.ar*, True -*.cabepelangi.com*, True -*.caberspace.com*, True -*.cabewarnawarni.com*, True -*.cabilcar.com.ar*, True -*.cabinetdenaturopathie.com*, True -*.cabinetdenaturopathie.org*, True -*.cabinetgheorghiu.ro*, True -*.cabinetlessentiel.ch*, True -*.cabinn.ru*, True -*.cabirio.de*, True -*.cabito.us*, True -*.cablaje.com*, True -*.cableglandelectric.com*, True -*.cablegland-lbp.com*, True -*.cableninjas.net*, True -*.cablesignwired.com*, True -*.cablesquirrel.com*, True -*.cableties-lbp.com*, True -*.cabletvdesplateaux.com*, True -*.cablingteks.com*, True -*.cabluri-de-date.com*, True -*.cabodaroca.ru*, True -*.c-abogados.com.ar*, True -*.cabotine.ch*, True -*.caboverde-vakantie.tk*, True -*.cabprom.ru*, True -*.cabrejafamily.com*, True -*.cabricop.com*, True -*.cabrita.org*, True -*.cabsharer.com*, True -*.cabsi.com.ar*, True -*.cabsiouxfalls.com*, True -*.cab-tek.com.au*, True -*.cabtek.com.au*, True -*.cabul.net*, True -*.caccese.com*, True -*.cachacascan.cl*, True -*.cachecomm.com*, True -*.cachephrase.com*, True -*.cacheregister.net*, True -*.cachia.com*, True -*.cachillan.cl*, True -*.cachoramotosports.com*, True -*.cacia4show.net*, True -*.cacicsv.com.ar*, True -*.cacioppos.com*, True -*.cactusbin.com*, True -*.cactusgro.co.za*, True -*.cactusmaipu.cl*, True -*.cacvirtual.com.ar*, True -*.cacyp.com.ar*, True -*.cadapt.net*, True -*.cadasbahia.com.br*, True -*.cadas.la*, True -*.cadastrugrup.ro*, True -*.cadavod-k12.ru*, True -*.cad-cool.com*, True -*.cadd.net.au*, True -*.caddrawingagent.com*, True -*.cadeagito.com.br*, True -*.ca-de-bo.ru*, True -*.cadecollins.com*, True -*.cademoore.com*, True -*.cadengineering.pl*, True -*.cadevra.net*, True -*.cadez.si*, True -*.cadgile.com.au*, True -*.cadillacheaven.com*, True -*.cadit.com.au*, True -*.cad-it.net*, True -*.cadiverse.com*, True -*.cadize.net*, True -*.cadlecreekmarina.com*, True -*.cadmium.tk*, True -*.cad-net.org*, True -*.cadng.co.uk*, True -*.cadohair.com*, True -*.cadosalon.com*, True -*.cadosch.info*, True -*.cadoudeziuamea.ro*, True -*.cadoudeziuata.ro*, True -*.cadourishop.ro*, True -*.cadovod-k12.ru*, True -*.cadpro.ro*, True -*.cadrender.it*, True -*.cadres-a-montreux.ch*, True -*.cadr.md*, True -*.caduri.co.il*, True -*.caeli.ca*, True -*.caelis.cl*, True -*.caelumobjects.com*, True -*.caerorosario.com.ar*, True -*.caesar.cf*, True -*.caesarconsultoria.com.br*, True -*.caesim.ga*, True -*.caesim.tk*, True -*.caesimts.tk*, True -*.caexxi.com.ar*, True -*.cafe33.net*, True -*.cafebacon.com*, True -*.cafebiotecnologico.com.ar*, True -*.cafecariappa.com*, True -*.cafecoldbrew.com*, True -*.cafecombiscoitos.com*, True -*.cafeconversations.co.za*, True -*.cafedelindenboom.be*, True -*.cafedemategnin.ch*, True -*.cafedumarcheportugais.ch*, True -*.cafeduvieil-ouchy.ch*, True -*.cafeelgringo.com*, True -*.cafeer.tw*, True -*.cafeeti.com.br*, True -*.cafegourmetclub.com.br*, True -*.cafeguru.co.il*, True -*.cafeicon.ir*, True -*.cafeislam.org*, True -*.cafeistanbul.ca*, True -*.cafejos.org*, True -*.cafekelas.com*, True -*.cafe-ladiligence.ch*, True -*.cafelink.ir*, True -*.cafemeridiano.com.br*, True -*.cafenealiterara.ro*, True -*.cafeneaualiterara.ro*, True -*.cafeneauamodei.ro*, True -*.cafeneru.net*, True -*.cafenico.com.mx*, True -*.cafesplat.com.au*, True -*.cafeteriabusiness.cl*, True -*.cafetricotstudio.com*, True -*.cafevinilo.com.ar*, True -*.caffe.geek.nz*, True -*.caffeinatedcpp.com*, True -*.caffeinatedsolutions.com*, True -*.caffein.ch*, True -*.caffenero.com.br*, True -*.caffe.nz*, True -*.caffety.in*, True -*.cafrica.net*, True -*.cagrizzlybear.com*, True -*.cagsa.com*, True -*.cahayabangunsejahtera.com*, True -*.cahayabatualam.com*, True -*.cahayabungur.co.id*, True -*.cahayadiesel.co.id*, True -*.cahayakecantikan.com*, True -*.cahayakumalaaudio.com*, True -*.cahaya-maju.com*, True -*.cahaya-selang.com*, True -*.cahb.net*, True -*.cahpekalongan.cf*, True -*.cahpule.com*, True -*.caicho.com*, True -*.caidat.org*, True -*.caiis.ca*, True -*.caillava.com.ar*, True -*.caillet-bois.ch*, True -*.cailo.com.ar*, True -*.cainecaldwell.com*, True -*.cainele.ro*, True -*.cainero.it*, True -*.cainplumbing.com*, True -*.caione.com.ar*, True -*.caira.tk*, True -*.caissemdn.com*, True -*.caitlinwalsh.net*, True -*.caiusajiz.com*, True -*.caius-marinescu.ro*, True -*.cai-yang.com*, True -*.cajabpba.com.ar*, True -*.cajamue.com*, True -*.cajaprovidencia.com*, True -*.cajaprovidencia.com.mx*, True -*.cakeboat.com*, True -*.cake-king.com*, True -*.cakelover.ca*, True -*.cakep.cf*, True -*.caketopworkshop.com*, True -*.cakk.us*, True -*.caklut.com*, True -*.cakradroid.tk*, True -*.cakraonline.com*, True -*.cakrawala-ugm.com*, True -*.calabrano.cl*, True -*.calafateexport.cl*, True -*.calafa.tk*, True -*.calafiabmt.com.mx*, True -*.calafiabmt.mx*, True -*.calafiabmt.org.mx*, True -*.calafia.org.mx*, True -*.calagaz.net*, True -*.calapiata.ro*, True -*.calcara.com.ar*, True -*.calcatoriadarius.ro*, True -*.calcenorte.com.br*, True -*.calchacura.cl*, True -*.calciumcraft.ml*, True -*.calculatorieftin.ro*, True -*.calculatorking.com.au*, True -*.calderonyabogados.cl*, True -*.caleb-pharm.com*, True -*.calebsotelo.com*, True -*.calebspare.com*, True -*.caleb.tk*, True -*.caledoncoal.com.au*, True -*.caledonianlab.cl*, True -*.caledonianlab.com*, True -*.calefactores.es*, True -*.calegion.events*, True -*.calenergy.info*, True -*.calenergy.us*, True -*.calenpick.com*, True -*.calentamientosocial.net*, True -*.calentamientosocial.org*, True -*.caletbak.com*, True -*.calfled.com*, True -*.calfucura.cl*, True -*.calgaryaudioproduction.com*, True -*.calgaryguitarlessons.com*, True -*.calgaryplanninggm.com*, True -*.calhavenfarms.net*, True -*.calibra-le.co.uk*, True -*.calificaripentrusanatate.ro*, True -*.californiabancarrota.com*, True -*.californiaclarks.com*, True -*.californialaborlawattorney.com*, True -*.californiamalaise.com*, True -*.california-red.com*, True -*.californiaremix.com*, True -*.california-stores.ch*, True -*.calimanesti.ro*, True -*.calincrisan.eu*, True -*.calin.pro*, True -*.calipsostudios.com*, True -*.calistobags.tk*, True -*.calisto.com.br*, True -*.calistri5.org*, True -*.calitrow.com*, True -*.caliyu.cl*, True -*.call-113.info*, True -*.call2.co.uk*, True -*.callatishigh.info*, True -*.callcentere.ro*, True -*.call-centers.ro*, True -*.callcenters.ro*, True -*.callcentersromania.ro*, True -*.call-centre.ro*, True -*.callcentre.ro*, True -*.call-centres.ro*, True -*.callcentres.ro*, True -*.callconstrutora.com.br*, True -*.calle2.com.ar*, True -*.callevienna.tk*, True -*.callfortrip.in*, True -*.calligravity.com*, True -*.callinstalldone.com*, True -*.callmark.cl*, True -*.callmearica.cl*, True -*.callmebae.asia*, True -*.callmuffin.com*, True -*.callmuffin.net*, True -*.callmuffin.org*, True -*.call-of-war.tk*, True -*.calloway.co.nz*, True -*.callstore.eu*, True -*.callstore.nl*, True -*.calltaxi.ro*, True -*.calltech.com.ar*, True -*.call.to*, True -*.callumtodd.net*, True -*.callworldwide.co.uk*, True -*.callystabridal.com*, True -*.callysta.web.id*, True -*.calmarortopedia.com.ar*, True -*.calmovil.com*, True -*.calocopo.com.ar*, True -*.calori.com.br*, True -*.calpet.de*, True -*.calripley.com*, True -*.calsup.com.ar*, True -*.caltabiano.ch*, True -*.calugareni176.ro*, True -*.caluliber.ro*, True -*.calumtomeny.co.uk*, True -*.calusagraphics.com*, True -*.caluzi.me*, True -*.calvaryduncan.com*, True -*.calvaryfellowship.org*, True -*.calvaryhomestexas.com*, True -*.calvaryhomestx.com*, True -*.calvaryseattle.com*, True -*.calverley.me.uk*, True -*.calvinandcindy.com*, True -*.calvinchelberg.com*, True -*.calvin.li*, True -*.calvisi.com.ar*, True -*.calypta.com.au*, True -*.calyser.com.ar*, True -*.calzadochabelo.com.mx*, True -*.calzadochabelo.mx*, True -*.calzadoreyval.com.mx*, True -*.calzatodo.com.ve*, True -*.calzaturificiobaccaglini.it*, True -*.cam724.com*, True -*.camacho.cl*, True -*.camacho.rs*, True -*.camaleonjuguetes.cl*, True -*.camaleostudio.com.mx*, True -*.camalot.com.ar*, True -*.camaqua.rs*, True -*.camaracosmetica.cl*, True -*.camaradart.ro*, True -*.camaraempresaria.com.ar*, True -*.camara-letizia.ch*, True -*.camaraworks.se*, True -*.cama-rea.com*, True -*.camarea.com*, True -*.camberleycricket.com*, True -*.cambicirculo.com*, True -*.cambioschile.cl*, True -*.cambioyemociones.es*, True -*.camboriu.com.ar*, True -*.cambott.com*, True -*.cambridgepro.com*, True -*.camcecil.com*, True -*.camcoelevator.com*, True -*.cameamaster.com*, True -*.cam.ee*, True -*.cameleon.si*, True -*.camelialazar.ro*, True -*.camelias.pt*, True -*.camelot.cf*, True -*.camelot-homes.com*, True -*.camelot.ml*, True -*.cameltoe-cash.com*, True -*.cameltoecash.com*, True -*.cameracctvhd.com*, True -*.cameragoprohero3.com.br*, True -*.cameratext.com*, True -*.cameronbaby.com*, True -*.cameroncoyne.com*, True -*.camerondrywall.com*, True -*.camfrogbatamcommunity.com*, True -*.camfroger.ga*, True -*.camilabarassi.com.ar*, True -*.camilozeta.com*, True -*.caminobooks.com*, True -*.caminodoamor.org*, True -*.caminogroup.com*, True -*.caminohk.com*, True -*.caminohz.com*, True -*.caminolafusta.cl*, True -*.caminosprotegidos.com.ar*, True -*.caminotoys.com*, True -*.caminousb.com*, True -*.camioneroscba.org.ar*, True -*.camiscia.com.ar*, True -*.caml.in*, True -*.camnotifier.com*, True -*.camo4ek.net*, True -*.camoa.ga*, True -*.camorales.com.ar*, True -*.campa.com.ar*, True -*.campanarrhh.com.ar*, True -*.campanavirtual.com.ar*, True -*.campaniaimmobiliare.it*, True -*.campaniambiente.it*, True -*.campaniapolitica.it*, True -*.campaniaservizi.it*, True -*.campaniasviluppo.it*, True -*.campano.cl*, True -*.campano.info*, True -*.campass.org*, True -*.campbellfamily.cf*, True -*.campedersen.com*, True -*.camperdownhotel.com.au*, True -*.campinapolis.com*, True -*.camping-fuerstenfeld.at*, True -*.campinggearsurplus.com*, True -*.campinglatuque.com*, True -*.campingmarinelle.it*, True -*.camping-simuni.si*, True -*.campionebuilders.com*, True -*.campminnetonka.com*, True -*.campminnetonka.us*, True -*.campminnetonka.ws*, True -*.camponovo-impianti.ch*, True -*.camponovors.com.br*, True -*.camposbastos.es*, True -*.campo-sports.com*, True -*.campotodo.com*, True -*.campurlagu.com*, True -*.campursari.tk*, True -*.campuschat.co*, True -*.campusescalada.com.ar*, True -*.campusformacionyempleo.es*, True -*.campusprosegur.cl*, True -*.campusshare.org*, True -*.campustube.in*, True -*.campwisdom.net*, True -*.camrockz.tk*, True -*.cams4sex.info*, True -*.camtech3.com.ar*, True -*.camtech4.com.ar*, True -*.camux.cl*, True -*.camuzzichini.com.ar*, True -*.canaanfarm.com*, True -*.canachiro.com.br*, True -*.canadabeerfest.ca*, True -*.canadakorean.net*, True -*.canadamortgagesolutions.com*, True -*.canadaribbon.com*, True -*.canadianblindnessservices.com*, True -*.canadianreader.ca*, True -*.canadianreader.com*, True -*.canadiansandbox.tk*, True -*.canadiantwigfurniture.com*, True -*.canagot.fi*, True -*.canal2.com.ar*, True -*.canal5mc.com*, True -*.canalaebrasil.com*, True -*.canalbio.com*, True -*.canalbio.tv*, True -*.canalcafe.com.au*, True -*.canal.cl*, True -*.canalfamiliar.cl*, True -*.canalh2.com*, True -*.canalh2.com.br*, True -*.canallinux.ga*, True -*.canalminorista.cl*, True -*.canalpreto.cl*, True -*.canapele-decoratiuni.ro*, True -*.canariasopensource.es*, True -*.canarieofferte.it*, True -*.canberrageeks.com.au*, True -*.canberrarosecroix.org.au*, True -*.canberravillagevet.com*, True -*.canbu91.com*, True -*.cancamusos.com*, True -*.cancarixhortipro.com*, True -*.cancercomalegria.com.br*, True -*.cancercure.nl*, True -*.cancerdupoumon.ca*, True -*.cancerillness.gq*, True -*.cancerpoumon.ca*, True -*.cancerpoumon.com*, True -*.cancerpoumon.net*, True -*.cancerpoumon.org*, True -*.cancerpulmonaire.ca*, True -*.cancerpulmonaire.com*, True -*.cancerpulmonaire.net*, True -*.cancerpulmonaire.org*, True -*.cancerpulmonar.ro*, True -*.cancerwithoutgod.com*, True -*.canchamp.com*, True -*.cancianimoretti.it*, True -*.cancionesimpuras.com.ar*, True -*.can-cmrd.com*, True -*.cancunvillages.com*, True -*.candacechao.com*, True -*.candaco.com*, True -*.candcinsurancebrokers.com*, True -*.candcsys.com*, True -*.candiaalternativa.info*, True -*.candia.co.za*, True -*.candibyaa.com*, True -*.candicole.com*, True -*.candidnan.com*, True -*.candlelightleftovers.com*, True -*.candootech.com*, True -*.candorentals.com*, True -*.candra-ganteng.com*, True -*.candsroofing.ie*, True -*.candydulces.com.ar*, True -*.candyhug.com*, True -*.candytorahs.com*, True -*.candytorahs.net*, True -*.candzala.tk*, True -*.canecafina.com.br*, True -*.canegallo.com.ar*, True -*.canelonni.com*, True -*.caner.fi*, True -*.canessence.hk*, True -*.cangihoianh.com*, True -*.cangkr.us*, True -*.cangkrus.com*, True -*.cangnen.com*, True -*.canhkg.com*, True -*.canidees-vacances.ch*, True -*.canifrisbee.com*, True -*.canilwolfbraz.com.br*, True -*.canineconnectionpetcenter.com*, True -*.canineresort.ca*, True -*.caninosargentina.com.ar*, True -*.canji.ca*, True -*.cannabisaddiction.info*, True -*.cannabiscrier.com*, True -*.cannabisdependence.com*, True -*.cannabis-seeds-auction.com*, True -*.cannameds.us*, True -*.cannata.com.ar*, True -*.cannball.org*, True -*.cannedcodes.com*, True -*.can-net.com*, True -*.cannonmovies.us*, True -*.cannytrophic.com*, True -*.cannytrophic.net*, True -*.cannytrophic.org*, True -*.canopy-kain.com*, True -*.canopykaryarahayu.com*, True -*.canopylight.com*, True -*.canovanda.com*, True -*.canpcs.com*, True -*.canpromote.com*, True -*.canresist.tk*, True -*.cansagrinusa.com*, True -*.canseco.me*, True -*.cantalup.com*, True -*.cantarini.ch*, True -*.cantecedeleagan.ro*, True -*.canteceleagan.ro*, True -*.canterburyinstitute.com.ar*, True -*.canthonyhughes.com*, True -*.cantiello.ch*, True -*.cantikitukamu.com*, True -*.cantikmulus.com*, True -*.cantikqu.com*, True -*.cantik.so*, True -*.cantinera.com.ar*, True -*.cantlock.info*, True -*.canto.cl*, True -*.cantollacocina.cl*, True -*.canton-safe.com*, True -*.cantosparamissa.com.br*, True -*.cantusiuvenis.at*, True -*.canvasmeup.com*, True -*.canview.ru*, True -*.canweld.com.au*, True -*.canyourandroidtabletdothis.com*, True -*.caoba.org*, True -*.caocao.es*, True -*.caodac.com*, True -*.caodac.org*, True -*.caodano.info*, True -*.caoni.ml*, True -*.caoruoxi.com*, True -*.caothuvolam.pro*, True -*.capa-advogados.com*, True -*.capacitaciones.cl*, True -*.capacitacionssp.com.ar*, True -*.capaproduction.co.uk*, True -*.capatres.com.ar*, True -*.cap-bt.com*, True -*.capcoastre.com.au*, True -*.capecodsevens.com*, True -*.capecoralparkway.com*, True -*.capecoralurology.com*, True -*.capeingenieria.com.ar*, True -*.capeitskills.co.za*, True -*.capeitskills.org*, True -*.capeletto.com.br*, True -*.capella-sys.com*, True -*.capellasys.com*, True -*.capella-systems.com*, True -*.capella-technologies.com*, True -*.capesoftwarefactories.org*, True -*.capetownnation.co.za*, True -*.capetownonfoot.co.za*, True -*.capeverde.co.za*, True -*.capfrut.com.ar*, True -*.cap-go-meh.tk*, True -*.caphector.com*, True -*.capherang.com*, True -*.capilca.com*, True -*.capilca.ru*, True -*.capit.al*, True -*.capitalaircraftfinance.com*, True -*.capitalaxess.com.ar*, True -*.capitaldb.com*, True -*.capitaldb.hk*, True -*.capitaldodge.ca*, True -*.capitalfiat.ca*, True -*.capitalgreen.net*, True -*.capitalgroupsl.org*, True -*.capitalharbour.ch*, True -*.capitalist-direct.com*, True -*.capital-soundproofing.com*, True -*.capitalssg.com*, True -*.capitalsteering.com.au*, True -*.capitaltechsupport.ca*, True -*.capitalwaste.com.au*, True -*.capitanescu.ro*, True -*.capitolssg.com*, True -*.caploonba.co.uk*, True -*.capnhat.net*, True -*.capnobase.org*, True -*.capnorthshore.org*, True -*.caponk.tk*, True -*.capo.nz*, True -*.capricetheatres.com*, True -*.caprichosdepiel.com.ar*, True -*.caprocksolutions.com*, True -*.capsabanting.com*, True -*.capsagm.com.ar*, True -*.capsaicindesign.com*, True -*.capsbeer.ru*, True -*.capsinanu146.cf*, True -*.capslock.com.ar*, True -*.capson.info*, True -*.capsule.cl*, True -*.captador.cl*, True -*.captainbills.net*, True -*.captchamonster.tk*, True -*.captec.com.br*, True -*.captgurvindersingh.com*, True -*.captivateyourbeauty.com*, True -*.capture1.hk*, True -*.capturedbythemoment.com*, True -*.capturethehappiness.com*, True -*.capturingessence.com.au*, True -*.capucinematti.ch*, True -*.caracho.eu*, True -*.caracolciudadano.cl*, True -*.caracolesvillafrancadelasierra.com*, True -*.caracolesvillafrancadelasierra.es*, True -*.caractercompany.hk*, True -*.caragua.be*, True -*.caraherbal.web.id*, True -*.caraibes.ca*, True -*.caralia.com*, True -*.carasaya.tk*, True -*.carasegalanya.com*, True -*.carasehat.co.id*, True -*.carat.com.tw*, True -*.cara-terbaru.me*, True -*.caraterbaru.web.id*, True -*.car-avant.com*, True -*.carballo.us*, True -*.carbonari.com.ar*, True -*.carbonfootprintfarse.com*, True -*.carbonfootprintfarse.net*, True -*.carbonix.ca*, True -*.carbon.tk*, True -*.carbuyinginfo.org*, True -*.carcano.me*, True -*.carcelenasesores.com*, True -*.carcloud.com.my*, True -*.carconsultores.cl*, True -*.cardbankph.com*, True -*.cardboardcuttingtable.com*, True -*.cardello.com.ar*, True -*.cardenasuribe.cl*, True -*.cardias.adv.br*, True -*.cardiobasel.ch*, True -*.cardioinfo.ch*, True -*.cardiovillamercedes.com.ar*, True -*.cardsign.net*, True -*.carduum.com*, True -*.care4it.com.ar*, True -*.carecat.net*, True -*.career-canadians.ca*, True -*.careercollegehelp.com*, True -*.careercontractors.net*, True -*.careercounseloronline.com*, True -*.career.ga*, True -*.careerinc.ca*, True -*.careerit.ro*, True -*.careerkit.ro*, True -*.careernetherlands.net*, True -*.careersmadeeasy.com*, True -*.careerstorage.in*, True -*.carefree-computersolutions.com*, True -*.carenhuman.co.za*, True -*.caresys.com.tw*, True -*.caretw.com.tw*, True -*.carew.ca*, True -*.cargamovil.com.mx*, True -*.cargas.com.my*, True -*.cargo-dv.com*, True -*.cargol.cat*, True -*.cargomag.cl*, True -*.cargoplay.com*, True -*.cargoshina.ru*, True -*.caribarang.my*, True -*.caribay.org.ve*, True -*.caribbeanhouse.nl*, True -*.caribbeanhouses.nl*, True -*.caribbeanpremierehotels.com*, True -*.caribbeanpremierhotels.com*, True -*.caribdeals.com*, True -*.caribe.com.br*, True -*.caribgonewild.net*, True -*.cariboolife.ca*, True -*.caridata.tk*, True -*.caridisplay.com*, True -*.caridroit.net*, True -*.carieraocolis.ro*, True -*.carigeotek.com*, True -*.cariin.ga*, True -*.carijanda.tk*, True -*.carikereta.my*, True -*.carilagu.de*, True -*.carilagu.in*, True -*.carimp3ku.tk*, True -*.carimusik.pw*, True -*.carinaogjonolavsbryllup.no*, True -*.carinfo.info*, True -*.caring4nicole.co.uk*, True -*.caringwithheart.com.au*, True -*.carinnecote.com*, True -*.cariocadevolei.com.br*, True -*.caririzki.co*, True -*.carishardware.com*, True -*.carissasboutique.com*, True -*.caritas.tk*, True -*.caritauhp.info*, True -*.carkifelekyarisma.com*, True -*.cark.info*, True -*.carlacalvo.cl*, True -*.carladutra.com.br*, True -*.carlafierro.cl*, True -*.carlbrings.se*, True -*.carlcates.com*, True -*.carley.info*, True -*.carlier.fr*, True -*.carlige-auto-remorcare.ro*, True -*.carlingfordpodiatry.com.au*, True -*.carlinhabrigadeiro.com.br*, True -*.carlisleaccessories.com.au*, True -*.carlisle.com.au*, True -*.carlisleserver.com*, True -*.carliston.com*, True -*.carlkrystiandthree.com*, True -*.carlo.cf*, True -*.carlo.ga*, True -*.carlo.ml*, True -*.carlosbudman.com.ar*, True -*.carlosdipalma.com.ar*, True -*.carlosedwards.cl*, True -*.carlosferguson.com.ar*, True -*.carlosferuglio.com.ar*, True -*.carlosmagno.info*, True -*.carlosmarval.com.ve*, True -*.carlospazalquiler.com*, True -*.carlosseca.com*, True -*.carlostoxtli.com*, True -*.carlregan.info*, True -*.carlsbags.com*, True -*.carlstonservices.in*, True -*.carltonparagon.com.au*, True -*.carlyandbun.com*, True -*.carmak.cl*, True -*.carmaster.mx*, True -*.carmelambikapur.org*, True -*.carmel.cf*, True -*.carmel.ch*, True -*.carmin.ro*, True -*.carmon.org.il*, True -*.carnavaadigoss.ch*, True -*.carnavaledivendetta.com.ar*, True -*.carnaval.ro*, True -*.carnavalsurreal.com*, True -*.carnback.se*, True -*.carneargentina.com.ar*, True -*.carneyassociates.com.au*, True -*.carnivore.pl*, True -*.car-ocn.com*, True -*.carodej.si*, True -*.caroil.ro*, True -*.carolehungerford.com*, True -*.carolgaydosh.com*, True -*.carolhazel.com*, True -*.carolinagutu.md*, True -*.carolinalorca.cl*, True -*.carolinaromano.com*, True -*.carolinewhite.net*, True -*.carolle.dj*, True -*.carolmeneses.com*, True -*.carolvaladares.com*, True -*.carolyeh.com*, True -*.carolyn51.ch*, True -*.carolyneanddan.com*, True -*.caronei.ro*, True -*.caronte.cl*, True -*.caron.tw*, True -*.caroplanet.ch*, True -*.carovnik.si*, True -*.carozzo.cl*, True -*.carpark.hk*, True -*.carparking.co.za*, True -*.carparking.hk*, True -*.carparksale.hk*, True -*.carparksales.hk*, True -*.carparks.hk*, True -*.carpart.co.il*, True -*.carpartspros.net*, True -*.carpasdelsur.cl*, True -*.carpauto.ca*, True -*.carpe.com.ar*, True -*.carpentersmetalshaping.com*, True -*.carpentersmetalworking.com*, True -*.carpenterswoodworking.com*, True -*.carpetandbricks.com*, True -*.carphonewarehiuse.com*, True -*.carphonewarehoise.com*, True -*.carphpnewarehouse.com*, True -*.carpinteriabiasoni.com.ar*, True -*.carplay.co.za*, True -*.carpul.cl*, True -*.carpworld.hu*, True -*.carquitectos.com.ar*, True -*.carrano.com.ar*, True -*.carrard.org*, True -*.carregatudo.com.br*, True -*.carrelage-design.ch*, True -*.carremagique.be*, True -*.carrental2u.my*, True -*.carrentkerala.com*, True -*.carrerasyfotos.com.ar*, True -*.car-restoration.co.uk*, True -*.carriagereturnsoftware.com.au*, True -*.carrick.me*, True -*.carrickmortimer.com*, True -*.carrierscapital.ru*, True -*.carrinhosdetransporte.com.br*, True -*.carrinhosparatransporte.com.br*, True -*.carrion.com.ar*, True -*.carrizo.cl*, True -*.carrocuritiba.com.br*, True -*.carrolcollection.com*, True -*.carromotoecia.com.br*, True -*.carroriopreto.com.br*, True -*.carroscertos.com.br*, True -*.carrosderepasse.com.br*, True -*.carrosparticulares.com.br*, True -*.carrosserie-de-gingins.ch*, True -*.carrosseriedelapallanterie.ch*, True -*.carrosserie-denervaud.ch*, True -*.carrosserie-des-ducats.ch*, True -*.carrosserieferrari.ch*, True -*.carrosserieferreira.ch*, True -*.carrosserie-geissler.ch*, True -*.carrosserielehmann.ch*, True -*.carrosserie-mesot.ch*, True -*.carrosseriemoderne.ch*, True -*.carrosserie-moor.ch*, True -*.carrozzeria-adautostyle.it*, True -*.carrusel.cl*, True -*.carryway.com*, True -*.carryways.com*, True -*.carsaday.com*, True -*.carsandothers.tk*, True -*.car-service.co.il*, True -*.carservicedeals.com.au*, True -*.carservice.net.au*, True -*.carshowplates.co.uk*, True -*.carsistema.pt*, True -*.carsoncarp.ca*, True -*.carsonpestcontrol.com*, True -*.carsons.net.au*, True -*.carspa.biz*, True -*.carspa.info*, True -*.carspa.org*, True -*.carspricelist.info*, True -*.carssport.info*, True -*.carstech.info*, True -*.carsystemsgt.com*, True -*.carta-de-marinheiro.pt*, True -*.carta-de-patrao-local.pt*, True -*.cartedebucate.ro*, True -*.carteled.com.ar*, True -*.cartel.pl*, True -*.carterchristmashouse.com*, True -*.carterfuelpumps.com*, True -*.carteri.com.br*, True -*.carteriveiculos.com.br*, True -*.carterross.tk*, True -*.carteruniverse.com*, True -*.cartes.cl*, True -*.cartewright.com*, True -*.cartex.com.mx*, True -*.carticele.ro*, True -*.carticupovesti.ro*, True -*.cartideas.com*, True -*.cartidecolorat.ro*, True -*.cartiercorp.com*, True -*.cartime.cl*, True -*.cartivirtuale.ro*, True -*.cartocraftmaps.com*, True -*.cartoncollector.cl*, True -*.cartonofmobile.com*, True -*.cartool.web.tr*, True -*.cartooncity.in*, True -*.cartorionotarial.info*, True -*.cartrace.ru*, True -*.cartuchoexpress.com.ar*, True -*.carturia.ro*, True -*.cartwheelimages.co.nz*, True -*.cartyonline.net*, True -*.caruban.ga*, True -*.carucioare3in1.ro*, True -*.carucioare-copii-ieftine.ro*, True -*.carucior-copii.ro*, True -*.carunalnik.org*, True -*.carun.cl*, True -*.carvalhodocesesalgados.com.br*, True -*.carvanfamily.com*, True -*.carven.hk*, True -*.carvereliteteamsite.com*, True -*.carve.ro*, True -*.caryoffice.in*, True -*.carza.cl*, True -*.carz.co.nz*, True -*.carzoo.org*, True -*.casa504.com.ar*, True -*.casaatelier.it*, True -*.casaautoshow.ro*, True -*.casabellaremodeling.com*, True -*.casabelproperties.com*, True -*.casabenedetti.ch*, True -*.casablancaestates.co.za*, True -*.casabonitasul.com.br*, True -*.casabota.ro*, True -*.casacda.org*, True -*.casachic.ro*, True -*.casacommoda.com*, True -*.casacrismo.ro*, True -*.casacupomi.ro*, True -*.casacupoveste.ro*, True -*.casadajia.com.br*, True -*.casadasrodas.com*, True -*.casadechavez.com*, True -*.casa-de-knuckles.com*, True -*.casadeoracionmaranatha.com*, True -*.casa-dintre-salcii.ro*, True -*.casadotricolor.com.br*, True -*.casaenmontoya.com*, True -*.casaespanola.ru*, True -*.casafiladelfia.ro*, True -*.casagamma.ro*, True -*.casagrande.cf*, True -*.casa-group.co.il*, True -*.casa-hofer.ch*, True -*.casajoline.ro*, True -*.casalacheie.com*, True -*.ca-sal.com*, True -*.casalicchio-home-media-server.tk*, True -*.casamario.ro*, True -*.casamata.es*, True -*.casamea.org*, True -*.casaministerial.cl*, True -*.casa-mojatom.info*, True -*.casandopormenos.com.br*, True -*.casanostragina.it*, True -*.casanova.cl*, True -*.casa-pandora.ro*, True -*.casapiti.com.ar*, True -*.casa-raul.com.ar*, True -*.casaraul.com.ar*, True -*.casaro.com.br*, True -*.casarokar.com*, True -*.casarotto.com.ar*, True -*.casarsa.net*, True -*.casasenpachuca.net*, True -*.casashampoo.com.ar*, True -*.casasmart.ro*, True -*.casasnahia.com.br*, True -*.casatakiy.com.br*, True -*.casatricolor.com.br*, True -*.casaupdesign.com.br*, True -*.casaveche.ro*, True -*.casayjardinmx.net*, True -*.casb2u.com*, True -*.casb2u.net*, True -*.cascadesterling.com*, True -*.casco2011.ro*, True -*.cascognc.com.ar*, True -*.casco-rca.ro*, True -*.casdel.com*, True -*.casdgifted.com*, True -*.casebrain.com*, True -*.caseirosuper.pt*, True -*.caserita.com.ar*, True -*.casesdemallorca.com*, True -*.casesicule.it*, True -*.casetext.com.au*, True -*.casetta.co.uk*, True -*.caseybergeron.com*, True -*.caseyjbryant.com*, True -*.caseywoods.com*, True -*.cash168.org.ru*, True -*.cash2line.com*, True -*.cashadvancesxpaydayloansq.org*, True -*.cashadvancesxpaydayloansy.org*, True -*.cashbrocker.com*, True -*.cashbuy.co.uk*, True -*.cashcowkid.com*, True -*.cashface.ru*, True -*.cashflow.ml*, True -*.cashfortips.us*, True -*.cashfunds.eu*, True -*.cashfwd.com*, True -*.cashinaflash.org*, True -*.cashit.info*, True -*.cashondrive.com*, True -*.cashproxy.net*, True -*.casimpan.com*, True -*.casino777.nu*, True -*.casinoairconditioning.info*, True -*.casino-royale.co.za*, True -*.casino-support.info*, True -*.casinotitanlp.com*, True -*.casio-ho.com*, True -*.casiomexico.com.mx*, True -*.casis.ro*, True -*.casivaagustin.com.ar*, True -*.caslan.be*, True -*.caslaw.ca*, True -*.casonalampa.cl*, True -*.casper911ca.com*, True -*.casper.com.au*, True -*.casperpharmacy.com*, True -*.cassain.com.ar*, True -*.cassanova.biz*, True -*.casscade.net*, True -*.casselmanvet.ca*, True -*.casselmanvet.com*, True -*.cassiaconstructions.com.au*, True -*.cassidikay.com*, True -*.cassidyd.com*, True -*.cassidygillett.com*, True -*.cassieandforrest.com*, True -*.cassieandtyler.com*, True -*.cassisvirtual.com.br*, True -*.cassolcaminhoes.com.br*, True -*.cas-store.org*, True -*.castawaysinn.com*, True -*.castblog.com*, True -*.casteck.net*, True -*.castejon.com.br*, True -*.castellari-asesores.com.ar*, True -*.castelli-gonfiabili.ch*, True -*.castelloserpe.tk*, True -*.castellucci.com.ar*, True -*.casteloludico.com*, True -*.castiga-bani.net*, True -*.castiga-de-acasa.com*, True -*.castilho.org*, True -*.castleford.pl*, True -*.castlefur.com*, True -*.castleman.net*, True -*.castleotttis.org*, True -*.castlewoodholdings.com*, True -*.castmogacademyinternational.ga*, True -*.castmogng.ga*, True -*.castracion.com.ar*, True -*.castrojefferson.com*, True -*.castrophotos.com.ar*, True -*.castroyasociados.cl*, True -*.castrumtelecom.com.br*, True -*.casu.al*, True -*.casualcall.com*, True -*.casualcall.ru*, True -*.casualtubeporn.pw*, True -*.casu.com.ar*, True -*.casutecostinesti.ro*, True -*.casvl.ro*, True -*.cat101.org*, True -*.cat5e.tk*, True -*.cat6network.com*, True -*.cataba.tk*, True -*.cataclysm.im*, True -*.cataclysm.su*, True -*.catacombsradio.com*, True -*.catalandr.es*, True -*.catalaxi.com*, True -*.catalaxi.com.au*, True -*.catalinascoppa.com.ar*, True -*.catalink.com.br*, True -*.catalisis.cl*, True -*.catalogimaging.com*, True -*.catalogoenlinea.mx*, True -*.catalogoff.ru*, True -*.catalogometalurgico.com*, True -*.catalogoweb.com.ar*, True -*.catalogoxinternet.com.ar*, True -*.catamaranes.cl*, True -*.catandbird.net*, True -*.catandfiddle.com.au*, True -*.catandfiddlehotel.com.au*, True -*.catanzaroacoustics.tk*, True -*.catanzarorobotics.tk*, True -*.catatanpakhambali.web.id*, True -*.catbesi-mjsa.com*, True -*.catbit.cl*, True -*.catbit.net*, True -*.catbombmusic.com*, True -*.catcapitals.com*, True -*.catch22ultimate.co.za*, True -*.catchgod.net*, True -*.catchmypain.ch*, True -*.catchmypain.fr*, True -*.catchphrasegames.com*, True -*.catchphrasegames.net*, True -*.catchthegorilla.com*, True -*.catedrafilippis.com.ar*, True -*.catedraldeneiva.org*, True -*.catenarysystemsdesign.com.au*, True -*.cateringdelnorte.com*, True -*.cateringospatari.ro*, True -*.catfact.info*, True -*.catfight2014.tk*, True -*.catfive.org*, True -*.catharinejoyce.com*, True -*.cathedralchoir.net*, True -*.cathedralcricket.com*, True -*.catherine-carlisle.ca*, True -*.catherine.net.nz*, True -*.cathiam.ca*, True -*.catholicdemocratsofnebraska.org*, True -*.catholicpatriots.com*, True -*.catholicpatriots.org*, True -*.cathousecustoms.com*, True -*.cathyshi.info*, True -*.cati.cat*, True -*.catiejoyce.com*, True -*.catinabioromania.ro*, True -*.cating.tw*, True -*.catio.eu*, True -*.catip.cat*, True -*.catjpg.com*, True -*.catlogger.com*, True -*.cat-loves-racoon.com*, True -*.catmaid.co.uk*, True -*.catnapstudios.com*, True -*.ca-top.com*, True -*.catrapratama.com*, True -*.catril.com*, True -*.catros.com*, True -*.catrudy.ru*, True -*.cats101.org*, True -*.cat-sa.com.mx*, True -*.catsanddogsdotcom.com*, True -*.catsoncrack.com*, True -*.catsy.org*, True -*.cattide.net*, True -*.cattieshack.com*, True -*.cattmobile.com*, True -*.cattmobile.pt*, True -*.cattpi.com.ve*, True -*.caturelang.co.id*, True -*.caturkhitapersada.com*, True -*.catwalk.ro*, True -*.catzdog.com*, True -*.caucionar.com*, True -*.caucionar.com.ar*, True -*.caudelcargol.com*, True -*.caudex-audit.ru*, True -*.cauduongutc.com*, True -*.cauduongvn.net*, True -*.caulfielddentist.com.au*, True -*.causasdobem.com.br*, True -*.causewayvenue.com*, True -*.cautalegepro.ro*, True -*.cautalege.ro*, True -*.cautionbrewingco.com*, True -*.cautivatech.com*, True -*.cautservice.ro*, True -*.cavabotechezami.ch*, True -*.cavar.ch*, True -*.cavemanmojo.com*, True -*.cavfer.com.br*, True -*.cavi.mx*, True -*.caving.com.au*, True -*.cavnicar.eu*, True -*.caw66.com*, True -*.caw77.com*, True -*.caw88.com*, True -*.cawapps.com*, True -*.caxata.com*, True -*.caxella.com*, True -*.cayahome.tk*, True -*.cayaserver.tk*, True -*.cayirova.bel.tr*, True -*.caz57.com*, True -*.caz87.com*, True -*.caz97.com*, True -*.cazalladelasierra.es*, True -*.cazarecostinesti.us*, True -*.cazaredelta-dunarii.ro*, True -*.cazarelasovata.ro*, True -*.cazarelitoralsimunte.ro*, True -*.cazaresulina.ro*, True -*.cazcall.com*, True -*.cazes.us*, True -*.cazimirovici.ro*, True -*.cazomic.co.uk*, True -*.cazulcristiancioaca.ro*, True -*.cazzo.me*, True -*.cb15.ru*, True -*.cbaforrajes.com.ar*, True -*.cbarnette.com*, True -*.cbassett1.tk*, True -*.cbautomoveis.com.br*, True -*.cb-best.com*, True -*.cbcbowling.com*, True -*.cbcgroup.com.ar*, True -*.cbcjonesville.org*, True -*.cbcng.ch*, True -*.cbek.com*, True -*.cbenefit.net*, True -*.cbergerson.net*, True -*.cbes.net*, True -*.cbijen.com.np*, True -*.cbknet.ch*, True -*.cbn333.com*, True -*.cbneter.com*, True -*.cbnss.ca*, True -*.cbra.net*, True -*.cbraun.co*, True -*.cbraun.com.ar*, True -*.cbraun.me*, True -*.cbreason.com*, True -*.cbreason.info*, True -*.cbreason.net*, True -*.cbrooker.ca*, True -*.cbrooker.com*, True -*.cbrooker.info*, True -*.cbrsanfernando.cl*, True -*.cbsa38.net*, True -*.cbsau.com*, True -*.cbsb.com.ar*, True -*.cbsc.org.au*, True -*.cbsfacility.ro*, True -*.cbs-office.ro*, True -*.cbtech.ch*, True -*.cbtstuff.com*, True -*.cbu.net*, True -*.cbvv17.com*, True -*.cbvv17.net*, True -*.cb-wo.com*, True -*.cb-woo.com*, True -*.cbx.ro*, True -*.cc9j.com.ar*, True -*.ccado.ro*, True -*.ccaelectrical.com.au*, True -*.ccarquitectossa.com*, True -*.ccarquitectossa.com.ar*, True -*.ccarswell.com*, True -*.ccbanie.ro*, True -*.ccbcseattle.com*, True -*.ccc-999.com*, True -*.cccbid.com*, True -*.cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc.cc*, True -*.cccccn.com*, True -*.cccd.us*, True -*.c-c-combo.ru*, True -*.cccomputersolutions.com*, True -*.ccc.org.mx*, True -*.cccpro.co.id*, True -*.cccruises.com*, True -*.cccsrl.com.ar*, True -*.ccdanimalhealth.com.au*, True -*.cce78.com*, True -*.cce84.com*, True -*.ccenter.cl*, True -*.ccfl-auto.com*, True -*.ccflow.com.au*, True -*.ccgg.cl*, True -*.cchxqp518.com*, True -*.cciegold.com*, True -*.ccimageit.com*, True -*.ccity.com.ar*, True -*.ccjlda.com*, True -*.cckv.co.za*, True -*.cclb.com.ar*, True -*.cclccl.org*, True -*.ccleal.com*, True -*.cclevel.com.au*, True -*.ccluzhiyi.cn*, True -*.ccmail.com.mx*, True -*.ccmcr.com.au*, True -*.ccmissoula.com*, True -*.ccmm.ro*, True -*.cc.net.br*, True -*.ccnzrugby.com*, True -*.ccode.ml*, True -*.ccolhos.com.br*, True -*.cconsulting.cl*, True -*.cconsult.ir*, True -*.ccope.net*, True -*.ccotamil.cl*, True -*.ccounseling.com*, True -*.ccpartners.hk*, True -*.ccpesnparia.org.ve*, True -*.ccpr.cl*, True -*.ccprovincia.cl*, True -*.ccr56.com*, True -*.ccr79.com*, True -*.ccr85.com*, True -*.ccr92.com*, True -*.ccradiatorsadelaide.com.au*, True -*.ccromseap.com*, True -*.ccrowther.co.uk*, True -*.ccservices.biz*, True -*.ccs-hawaii.com*, True -*.ccsh.us*, True -*.ccs-labs.com*, True -*.ccsmd.org*, True -*.ccsmegaserver.com*, True -*.ccsofnashville.com*, True -*.ccsolarsolutions.com*, True -*.ccsomt.com*, True -*.ccs.pl*, True -*.ccsservice.ro*, True -*.ccti.org.mx*, True -*.cctraining.co.za*, True -*.cctv700.com*, True -*.cctvcbn.com*, True -*.cctvmicrosite.com.ar*, True -*.cctvtracker.com*, True -*.ccudocumana.com.ve*, True -*.ccv76.com*, True -*.ccv87.com*, True -*.ccvchurch.info*, True -*.ccvpn.gq*, True -*.ccwhc.ca*, True -*.ccyf.cl*, True -*.cda.md*, True -*.cdavidbush.net*, True -*.cdb-lingvo.com*, True -*.cdbotelho.com*, True -*.cdcarriche.com*, True -*.cdcarriche.es*, True -*.cdcinstal.ro*, True -*.cdcote.ca*, True -*.cdcote.com*, True -*.cdcrawford.ca*, True -*.cdctechno.com*, True -*.cdctechno.net*, True -*.cdd74.com*, True -*.cdd89.com*, True -*.cddo.cf*, True -*.cde3.net*, True -*.cde3.org*, True -*.cdecor.ir*, True -*.cde.jp*, True -*.cde.net.au*, True -*.cdesigns.com.au*, True -*.cdg-it.mx*, True -*.cdheatherxxx.net*, True -*.cdibes.pt*, True -*.cdipietro.com.ar*, True -*.cdl-driver-employment-opportunity-application-online.com*, True -*.cdl-peinture.ch*, True -*.cdlt.com.ar*, True -*.cdngeonode.com*, True -*.cdn.org.ar*, True -*.cdns-node1.me*, True -*.cdns-node2.me*, True -*.cdns-node3.me*, True -*.cdonh.com*, True -*.cdosrun.net*, True -*.cdotfree.com*, True -*.cdpa.cc*, True -*.cdpcomics.com*, True -*.cdrbenefits.com*, True -*.cdrental.eu*, True -*.c-droid.tk*, True -*.cdshuaba.com*, True -*.cdsisa.com.ar*, True -*.cds-it.com*, True -*.cdsmineral.com*, True -*.cdso.ru*, True -*.cdsphotos.com*, True -*.cdspr.net*, True -*.cdstorrent.org*, True -*.cdvi.ro*, True -*.cdvitaiwan.com*, True -*.cd-xh.com*, True -*.ceaconsultores.cl*, True -*.cebelarstvo-nemec.si*, True -*.cebelca.si*, True -*.cebhalifax.ca*, True -*.cebiciclete.ro*, True -*.cebir.com.tr*, True -*.cebollero.com*, True -*.ceca.cf*, True -*.cecdata.com*, True -*.cecewok.ga*, True -*.cecicm.org.mx*, True -*.cecilia-feng.com*, True -*.ceciliamontero.cl*, True -*.ceciliaromanella.com.ar*, True -*.cecilia.to*, True -*.cecilking.com*, True -*.cecilwhiteguitarpicker.com*, True -*.ceclacom.com*, True -*.ceconcordia.com.br*, True -*.cecscakes.com.au*, True -*.cecurut.com*, True -*.cedar-road.co.uk*, True -*.cedarsedge.co.uk*, True -*.cedarshedcreations.com*, True -*.cedehm.org.mx*, True -*.cederfeldt.se*, True -*.cedicom-it.com.ar*, True -*.cedin-sa.com*, True -*.cedpu.ro*, True -*.cedricmoullet.com*, True -*.cedsip.org*, True -*.ceeb.sk*, True -*.ceebusiness.co.uk*, True -*.ceed.se*, True -*.ceelatam.com*, True -*.cefi.org.ar*, True -*.cefora.com.ar*, True -*.ceforless.com*, True -*.ce-frumoasa-esti-atunci-cand-zambesti.com*, True -*.ce-frumoasa-esti-atunci-cand-zambesti.co.uk*, True -*.cefsk.ca*, True -*.ceftin.net*, True -*.cefumamazi.ro*, True -*.cegenesis-sc.com.br*, True -*.ceholek.ca*, True -*.ceholek.com*, True -*.ceidem.com*, True -*.ceilingacid.com*, True -*.ceilingcatplex.com*, True -*.ceisonline.com.ar*, True -*.cekaihatsu.com*, True -*.cekal.org*, True -*.cek.am*, True -*.cekdarwis.tk*, True -*.ceksource.com*, True -*.cektagihan.com*, True -*.celazime.eu*, True -*.celber.pl*, True -*.celcabs.com*, True -*.celcabs.net*, True -*.celcabs.org*, True -*.celebonlinetube.com*, True -*.celebra.ru*, True -*.celebrationhorns.com*, True -*.celebritycruises.ru*, True -*.celebrityhairstylistmag.com*, True -*.celebrityheightapp.com*, True -*.celebritymakeuplooks.net*, True -*.celebrity-moviez.com*, True -*.celebrity-picturez.com*, True -*.celebsexonline.net*, True -*.celebsplay.com*, True -*.celebtubesex.net*, True -*.celebtubesexonline.com*, True -*.celeliminators.com*, True -*.celestereviews.com*, True -*.celestialchurch.ie*, True -*.celest.in*, True -*.celestineconsulting.co.uk*, True -*.celesybru.com.ar*, True -*.celiagould.co.uk*, True -*.celiberion.eu*, True -*.celieraviation.co.za*, True -*.celimitevertical.com.br*, True -*.celixdesign.ca*, True -*.celixdesign.com*, True -*.cell1.co.za*, True -*.cella.co.za*, True -*.cellcenterdelsureste.com*, True -*.cellcircuit2014.com*, True -*.celldates.co.za*, True -*.celldating.co.za*, True -*.celle.co.za*, True -*.cellerino.com.ar*, True -*.cellini-residence.ro*, True -*.cellini.ro*, True -*.cellkore.ro*, True -*.cellmovie.co.za*, True -*.cellophaneslinger.net*, True -*.cellotelecom.com*, True -*.cellotelecom.net*, True -*.cellsat.co.za*, True -*.cells-nnm.ru*, True -*.cellsols.com*, True -*.cellstop.org*, True -*.celltoken.com*, True -*.cellularservice.com.ar*, True -*.cellulartextmessaging.ca*, True -*.cellule-staminali.in*, True -*.cellulitecreamreport.org*, True -*.cellulittoral.ch*, True -*.cellvideo.co.za*, True -*.celmaibunsoferdecamion.ro*, True -*.celnaya-natura.com*, True -*.celnaya-natura.info*, True -*.celnaya-natura.ru*, True -*.celsian.tv*, True -*.celsinoimpex.ro*, True -*.celtametal.cl*, True -*.celtametal.com*, True -*.celticcarma.com*, True -*.celticevo.com*, True -*.celticnorse.com*, True -*.celticrelax.com.ar*, True -*.celulareslibres.com.ar*, True -*.celv.in*, True -*.cem123.com.ar*, True -*.cemabi.ch*, True -*.cemandino.com.ve*, True -*.cemarketonline.ro*, True -*.cemarriott.com*, True -*.cemaydin.com.tr*, True -*.cembu.ru*, True -*.cemburu.net*, True -*.cementmachines.com*, True -*.cementoselmolino.com*, True -*.cemprovin.com.ar*, True -*.cems.com.my*, True -*.cenaturo.com.br*, True -*.cencib.com*, True -*.cencib.com.br*, True -*.cencib.org*, True -*.cencorn.com*, True -*.cencra.org*, True -*.cendra.com.ar*, True -*.cenicsa.com*, True -*.cenilec.si*, True -*.cenilstvo.si*, True -*.ceni-rdc.org*, True -*.cenirdc.org*, True -*.cenligne.com*, True -*.censorology.com*, True -*.centaineconsultants.com*, True -*.centaineconsultants.com.au*, True -*.centaruo.com.br*, True -*.centarzahemoroide.com*, True -*.centarzahemoroideproktena.com*, True -*.centaurian.net*, True -*.centauri.co*, True -*.centauri.us*, True -*.centavoip.com.ar*, True -*.centennialsouthern.com*, True -*.centerbox.com.ar*, True -*.centerit.pro*, True -*.centerofawesomeness.tk*, True -*.center-potolok.ru*, True -*.centerstageaudio.com*, True -*.centiare.pt*, True -*.centimia.com*, True -*.centinela.com.ar*, True -*.centipede.ca*, True -*.centit.net*, True -*.centor.pl*, True -*.centos-bg.com*, True -*.centos-homelab.info*, True -*.central64.com*, True -*.central64.net*, True -*.centralcitybaptistchurch.org*, True -*.centralcoastworkboots.com.au*, True -*.centralcool.co.id*, True -*.centraldealarme.srv.br*, True -*.centraldeseguros.com*, True -*.centraldeturnos.com.ar*, True -*.centraldorock.com*, True -*.centraldorock.net*, True -*.centralgrosir.net*, True -*.centralhive.net*, True -*.centralinvest.si*, True -*.centrallondon-escorts.net*, True -*.centralmag.co*, True -*.centralmag.org*, True -*.centralmn.net*, True -*.centralnex.us*, True -*.centraloffshore.com.br*, True -*.centralpacificprima.com*, True -*.centralpadjentertainment.com*, True -*.centralperiodical.org*, True -*.centralplazabacau.ro*, True -*.centralpointsolutions.com*, True -*.central-profit.com*, True -*.centralpto.com*, True -*.centralpublication.org*, True -*.central-servers.org*, True -*.centraltehnik.com*, True -*.centraltelefonica.com.ar*, True -*.centraltelefonicaip.cl*, True -*.central-trigenius.tk*, True -*.centralvigia.com.ar*, True -*.centrecomptablelavila.com*, True -*.centrefuck.id.au*, True -*.centre-medico-chirurgical.ch*, True -*.centrication.com*, True -*.centricmag.org*, True -*.centricpublication.org*, True -*.centriment.com*, True -*.centrixmedia.com*, True -*.centro27.com*, True -*.centro2.pt*, True -*.centroarts.net*, True -*.centroaudiologico.com.pe*, True -*.centrocasio.cl*, True -*.centrodamulher.com*, True -*.centrodeculturaifmg.com*, True -*.centrodeculturaifmg.com.br*, True -*.centrodeculturamg.com*, True -*.centrodontologicomutxamel.com*, True -*.centroeduca2.es*, True -*.centroentomologicodelsur.cl*, True -*.centroepilepsia.org.ar*, True -*.centroequestredascachoeiras.com*, True -*.centroespacioazul.cl*, True -*.centrojim.cl*, True -*.centrokaley.com.ar*, True -*.centrolatinoamericanodemusica.org*, True -*.centrolemu.cl*, True -*.centromedicopaz.com*, True -*.centromedicovr.com.br*, True -*.centronic.ir*, True -*.centropro.com.ve*, True -*.centropsicopedagogico.cl*, True -*.centroremoto.cl*, True -*.centrosbz.com*, True -*.centrosdeski.com.ar*, True -*.centroseroja.com*, True -*.centrudeasigurari.ro*, True -*.centruklass.ro*, True -*.centrulanvelopa.ro*, True -*.centruldeinformatica.ro*, True -*.centrulmedicaltheodor.ro*, True -*.centrul-stomatologic-german.ro*, True -*.centrulvascularvenus.ro*, True -*.centrumbudowy.pl*, True -*.centrummlociny.pl*, True -*.centurionalquileres.com.ar*, True -*.centuriontel.com*, True -*.centuriontelcom.com*, True -*.centuriontelcom.net*, True -*.centuriontelcom.org*, True -*.centuriontel.net*, True -*.centuriontel.org*, True -*.century21premiumhouse.com*, True -*.century21property.co.id*, True -*.century21saikungproperty.com*, True -*.centurychambers.hk*, True -*.ceo2.cl*, True -*.ceoffice.com.ar*, True -*.ceoffices.com.ar*, True -*.ceop.com.ar*, True -*.ceoponline.com.ar*, True -*.ceosinfo.us*, True -*.cepac-imagem.com.br*, True -*.cepac-pi.com.br*, True -*.cepcontrol.com.br*, True -*.cepercreative.com*, True -*.ceper.zone*, True -*.cepestore.com*, True -*.ceppijp.ch*, True -*.cepugakure.tk*, True -*.cerac.eu*, True -*.cerah.tk*, True -*.ceramic1.com*, True -*.ceramicaplastica.com*, True -*.ceramic-glass.eu*, True -*.ceramicsclay.com*, True -*.cerato3.ru*, True -*.cercaac.org.mx*, True -*.cercadel.com*, True -*.cercadelmetrobus.com*, True -*.cercadelrio.com*, True -*.cerdascermat.co*, True -*.cerdas.co.id*, True -*.cerdena.me*, True -*.cerealesviel.com.ar*, True -*.cerebrum.ch*, True -*.ceremony.com.my*, True -*.ceresolutions.cl*, True -*.cerevisia.org*, True -*.cerewet.cf*, True -*.ceria-club.tk*, True -*.ceriaclub.tk*, True -*.ceria.tk*, True -*.ceritaasahan.com*, True -*.cerita-dewasa.co.uk*, True -*.ceritadewasahot.ml*, True -*.ceritakain.my*, True -*.cerminkereta.my*, True -*.cernachedobonjardim.pt*, True -*.cerolsem.ro*, True -*.cerone.com.ar*, True -*.cerpan.tk*, True -*.cerpen-english.tk*, True -*.cerradovivo.net.br*, True -*.cerrajeriajulian.com.ar*, True -*.cerrajeriatrenque.com.ar*, True -*.cerrajerossegovia.com*, True -*.cerrocastor.com.ar*, True -*.cerrocatedral.com.ar*, True -*.cerrodasmos.tk*, True -*.cerroestetica.com*, True -*.cerromedic.com.ar*, True -*.certably.com*, True -*.certapropainters.pt*, True -*.certesgroup.eu*, True -*.cert-grvsc.org*, True -*.certificacaojava.com.br*, True -*.certificadores.com.mx*, True -*.certificadores.mx*, True -*.certificarearomilor.ro*, True -*.certificateco.org*, True -*.certificatecorporation.org*, True -*.certificateit.ro*, True -*.certificatenergetic24ore.ro*, True -*.certificateofcompletion.net*, True -*.certifiedappraisers.biz*, True -*.certified.cl*, True -*.certify.ro*, True -*.certssl.it*, True -*.ceruleanblue.info*, True -*.cerveceria.gr*, True -*.cervecerosdf.mx*, True -*.cervera.cl*, True -*.cervetoria.pt*, True -*.cervezakume.com.ar*, True -*.cervezasanmartin.com.ar*, True -*.cervezasm.com.ar*, True -*.cesararaque.com.ve*, True -*.cesarpedro.com*, True -*.cesenaotto.it*, True -*.cesiconta.ro*, True -*.cesik.one.pl*, True -*.cesoc.ro*, True -*.cesouc.cl*, True -*.cespedes-asociados.com*, True -*.cessat.info*, True -*.cessnaforsale.com.au*, True -*.cess.tk*, True -*.cester.info*, True -*.cestpas.net*, True -*.cet89.com*, True -*.cetaca.com.ar*, True -*.cetaca.org.ar*, True -*.cetakanprecast.com*, True -*.cetakcd-vcd.com*, True -*.cetakkanvas.web.id*, True -*.cetaknota.com*, True -*.ceteck.com.ar*, True -*.cetiga.xyz*, True -*.cetmdp.com.ar*, True -*.cetresita.ro*, True -*.ceuforless.com*, True -*.ceuldi.com.mx*, True -*.cevadezis.ro*, True -*.cevapking.com.au*, True -*.cevilarinho.pt*, True -*.cevi.si*, True -*.cev-iz.com.tr*, True -*.cevovodi.si*, True -*.cewe.ninja*, True -*.ceyro.com.ar*, True -*.cfabian.ro*, True -*.cfactorcreativo.com*, True -*.cfaktor.com*, True -*.cfaktor.co.za*, True -*.cfamily.info*, True -*.cfa.net.ru*, True -*.cfavalles.org*, True -*.cfc-kolibri.ru*, True -*.cfcomputing.com*, True -*.cfc.org.np*, True -*.cfdintegral.com*, True -*.cfdiweb.com.mx*, True -*.cfdiweb.mx*, True -*.cff95.com*, True -*.cfi.ca*, True -*.cfiotto.com.ar*, True -*.cfjservices.ch*, True -*.cflmba.org*, True -*.cfmworship.org.uk*, True -*.cfo-o.com*, True -*.cfordnet.com*, True -*.cfos.com.au*, True -*.cfpconsulting.co*, True -*.cfpp01-01.co*, True -*.cfpp01-06.co*, True -*.cfrotary.org*, True -*.cf.rs*, True -*.cfs-advisory.com*, True -*.cfstarsl.com*, True -*.cftc-devoteam.one.pl*, True -*.cftv.tk*, True -*.cftv.xyz*, True -*.cfulmerstpete.com*, True -*.cfvallegrande.cl*, True -*.cfz-fiduciaire.ch*, True -*.cgaindia.org*, True -*.cganx.org*, True -*.cgartwork.com*, True -*.cgbike.com*, True -*.cgboards.com*, True -*.cgcom.cl*, True -*.cgdesarrollos.com.ar*, True -*.cgg47.com*, True -*.cgg59.com*, True -*.cgg79.com*, True -*.cghkmis.com*, True -*.cgipro.net*, True -*.cgi-proxy.org*, True -*.cgizone.ga*, True -*.cgkb1.ru*, True -*.cgland.net*, True -*.cgmprop.cl*, True -*.cgn-sa.cl*, True -*.cgnsa.cl*, True -*.cgn.web.id*, True -*.cgranjero.com*, True -*.cgsgroup.com.ar*, True -*.cgsmexico.mx*, True -*.cgsonipr.com*, True -*.cgsweetdesign.com.ve*, True -*.cgt-hp.com*, True -*.cgt-null.org*, True -*.cgtutor.com*, True -*.ch131.so*, True -*.ch-2010.com*, True -*.ch39.ru*, True -*.ch3.com.ve*, True -*.ch3.us*, True -*.cha0.tk*, True -*.chaapaarak.ir*, True -*.chaarkhoone.ir*, True -*.chabbi.co.id*, True -*.chacana.com.ar*, True -*.chacaraparaaniversarios.com.br*, True -*.chacaraparacasamentos.com.br*, True -*.chacha-liker.com*, True -*.chacmol.com*, True -*.chacmol.com.ar*, True -*.chaco.ml*, True -*.chacopsicosocial.com.ar*, True -*.chacradonjose.com.ar*, True -*.chacrasdeljabali.com.ar*, True -*.chacrasenabbott.com.ar*, True -*.chacratawanda.com.ar*, True -*.chadandsamira.com*, True -*.chadbox.tv*, True -*.chadclites.com*, True -*.chaddoncooper.co.uk*, True -*.chaddooley.com*, True -*.chadi.ca*, True -*.chadssmiles.com*, True -*.chadstonechiro.com*, True -*.chage.cc*, True -*.chai72.ru*, True -*.chaifai.ru*, True -*.chailen22.com.ar*, True -*.chailihe.cn*, True -*.chainitnow.com*, True -*.chainitnow.net*, True -*.chainitnow.org*, True -*.chaintrust.com*, True -*.chaiomanot.com*, True -*.chaircar-gps.ir*, True -*.chaitanya.com.np*, True -*.chaitea.com.ar*, True -*.chaithanyaayurcare.com*, True -*.chaka.ch*, True -*.chalamserver.tk*, True -*.chaletcantonsdelest.com*, True -*.chalet-cassiopeia.ch*, True -*.chaletdegrangeneuve.ch*, True -*.chaletlususa.co.uk*, True -*.chaletshare.net*, True -*.chalet-topas.ch*, True -*.chalet-vermietung.ch*, True -*.chalito.com.ar*, True -*.challengeit.pt*, True -*.challenge.pt*, True -*.challengepursuit.com*, True -*.challengetax.com*, True -*.challengetax.com.au*, True -*.challen.org*, True -*.challonerelectronics.com.au*, True -*.chalveratgerardsa.ch*, True -*.chamberscan.com*, True -*.chamblin.info*, True -*.chamdex.com*, True -*.chameoeletricista.com.br*, True -*.chamleypipe.com*, True -*.chamnessangus.com*, True -*.chamon9.com*, True -*.chamonix-nannies.com*, True -*.champagnewishesandrvdreams.com*, True -*.champcallcenter.com*, True -*.champhotpot.hk*, True -*.championevents.com*, True -*.championgames.co.uk*, True -*.championschoiceproshops.com*, True -*.champy.ch*, True -*.chamtheatre.ru*, True -*.chan1.com*, True -*.chan-afterhours.net*, True -*.chan-afterhours.org*, True -*.chanakamitraabadi.com*, True -*.chanceforlife.ro*, True -*.chanchodesign.com.ar*, True -*.chancorp.com.au*, True -*.chancorp.net.au*, True -*.chandmani.com*, True -*.chandnani.hk*, True -*.chandrabindu.com*, True -*.chandrakiran.in*, True -*.chandramagar.com.np*, True -*.chandra.or.id*, True -*.chandra-thapa.com.np*, True -*.chandrismachinery.gr*, True -*.changamuka.com*, True -*.changan-motor.com*, True -*.changan-motor.tw*, True -*.changchangying.com*, True -*.changchangying.net*, True -*.changepencils.com*, True -*.changesmanaged.com.au*, True -*.changken.gq*, True -*.changnan.com*, True -*.changnan.org*, True -*.changop.com*, True -*.changtum.com*, True -*.channel2.co.za*, True -*.channel3.co.za*, True -*.channel5.co.za*, True -*.channel6.co.za*, True -*.channelkcw.tk*, True -*.channellahore.tk*, True -*.channel-w.in*, True -*.channify.com*, True -*.channings.me*, True -*.chan-w.xyz*, True -*.chanyinkee.hk*, True -*.chaoku4.com*, True -*.chaosattractor.com*, True -*.chaosblast.com*, True -*.chaosco.ca*, True -*.chaosgames.tk*, True -*.chaospage.com*, True -*.chaos.ro*, True -*.chaostheory.co.nz*, True -*.chaostime.co.uk*, True -*.chaoticmind.tk*, True -*.chaowlecture.com*, True -*.chaoxuprime.com*, True -*.chapada.com.br*, True -*.chapelclerk.co.uk*, True -*.chapelcreekhomes.org*, True -*.chapelet.eu*, True -*.chapeudepalha.pt*, True -*.chapko.com*, True -*.chaplin.info*, True -*.chapo.es*, True -*.chappellscakebox.tk*, True -*.chapter11dreamteam.com*, True -*.chapter13sacramento.com*, True -*.chapter7or13.com*, True -*.chapter7sacramento.com*, True -*.chaptermacquarie.org.au*, True -*.characta.com*, True -*.characteristicofzodiacsign.net*, True -*.charactersonthego.com*, True -*.charalamposkarousos.gr*, True -*.chardange.com*, True -*.chardonnens.me*, True -*.charged-arson.tk*, True -*.chargedmaster.com*, True -*.chargentina.com.ar*, True -*.chargeplus.com*, True -*.chargerboy.com*, True -*.chargerdad.com*, True -*.chargergirl.us*, True -*.chargol.com*, True -*.chargol.ir*, True -*.charimirror.info*, True -*.charismasatria.co.id*, True -*.charity-delegate.org*, True -*.charityshopgamer.co.uk*, True -*.charlascreando.cl*, True -*.charlesdavidkelley.com*, True -*.charlesguscott.com*, True -*.charlesjanis.com*, True -*.charleson.se*, True -*.charlesrbrown.com*, True -*.charleston.ro*, True -*.charlestowndive.com*, True -*.charlestownfamilydoctors.com.au*, True -*.charlesworth.nom.za*, True -*.charleswright.co*, True -*.charliebar.com.au*, True -*.charlieegleston.com*, True -*.charliehebdo.gq*, True -*.charlie-prod.com*, True -*.charlieuk.tk*, True -*.charlotteerdmann.com*, True -*.charlottemiles.co.uk*, True -*.charlottepainting.com.ar*, True -*.charlottesanderson.co.uk*, True -*.charlz.me*, True -*.charmedbyme.com*, True -*.charmingcunt.com*, True -*.charmingwhite.com*, True -*.charmoffensive.com.au*, True -*.charmsty.com*, True -*.charngnoi.com*, True -*.charnystamps.com*, True -*.charriere-valentin-terrassment.ch*, True -*.charry.org*, True -*.chartadeiconsumatori.ch*, True -*.chartmybrand.com*, True -*.chartwell-academy.com*, True -*.chartwellacademy.com*, True -*.chartwell-academy.co.za*, True -*.chartwellportal.com*, True -*.chartwellportal.org*, True -*.charuhas.in*, True -*.charuwan.org*, True -*.chasafelix.com*, True -*.chaseinator.com*, True -*.chasetools.com*, True -*.chasinggold.net*, True -*.chasingleads.com*, True -*.chasonchoate.com*, True -*.chastainwoodfloors.com*, True -*.chat4u.ml*, True -*.chat-adictoz.tk*, True -*.chatanoga.com.my*, True -*.chatbaieti.cf*, True -*.chatbooks.cf*, True -*.chatbuzzer.com*, True -*.chatcave.com*, True -*.chatcave.net*, True -*.chatchu.com*, True -*.chatcrazy.co.uk*, True -*.chateau.tk*, True -*.chateauvaptzarov.com*, True -*.chatfete.cf*, True -*.chatfieldfamily.co.uk*, True -*.chatfrat.com*, True -*.chatgo.gq*, True -*.chathit.ml*, True -*.chatkre.ws*, True -*.chatlemos.net*, True -*.chatlibs.com*, True -*.chatlove.ro*, True -*.chatnbike.com*, True -*.chatnetic.com*, True -*.chatpinoy.ml*, True -*.chatreal.ml*, True -*.chatree.net*, True -*.chatsingles.org*, True -*.chatta.co.za*, True -*.chatterbox.ml*, True -*.chatter-box-sprl.com*, True -*.chatterplot.com*, True -*.chattha.ca*, True -*.chattmaze.cf*, True -*.chattomate.com*, True -*.chattyhome.com*, True -*.chaturvedi.me*, True -*.chatx.in*, True -*.chauffage-de-beauce.com*, True -*.chauncey.tk*, True -*.chauwong.eu*, True -*.chavesasoc.com.ar*, True -*.chavezrojas.com.ar*, True -*.chavezvive.info.ve*, True -*.chavo.biz*, True -*.chay.cl*, True -*.chay-monost.tk*, True -*.chaza.com*, True -*.chazanbraun.com*, True -*.chazenind.net*, True -*.chbuch.ch*, True -*.chcameras.net*, True -*.chcdalby.com.au*, True -*.chcemnosit.sk*, True -*.chch34.com*, True -*.cheam.eu*, True -*.cheapairsoftm16.com*, True -*.cheap-ass-domain.info*, True -*.cheap-car-rental.com*, True -*.cheapcars2015.co*, True -*.cheapchartcds.com*, True -*.cheapcheapdomains.com.au*, True -*.cheap-electronics-discount.com*, True -*.cheapest.co.il*, True -*.cheapestinstock.com*, True -*.cheapestloadofrubbish.com.au*, True -*.cheap-flightsair.com*, True -*.cheaphostelinistanbul.com*, True -*.cheapiphone5.co*, True -*.cheaplivestreaming.com*, True -*.cheaplivestreaming.net*, True -*.cheapmacbook.co*, True -*.cheap-personal-credit.com*, True -*.cheappph.com*, True -*.cheapsildenafil.net*, True -*.cheaptaxliens.com*, True -*.cheapthings.org*, True -*.cheaptoaster.info*, True -*.cheat-c0c.cf*, True -*.cheat-c0c.ga*, True -*.cheat-c0c.ml*, True -*.cheatercoc.biz*, True -*.cheat-sheet.co*, True -*.chebicon.org*, True -*.chebicon.ru*, True -*.cheburek.org*, True -*.check-cc.club*, True -*.checker007.club*, True -*.checkerayam.com*, True -*.checkerch.com*, True -*.checkerschapel.co.uk*, True -*.check-ip.com*, True -*.checkitday.com*, True -*.checkmate3001.com*, True -*.checkmybills.gr*, True -*.checkmymenu.com*, True -*.checkmyvinyl.com*, True -*.checknzb.com*, True -*.checkpon.com*, True -*.checks.mx*, True -*.checkup.pro*, True -*.checkyourc.com*, True -*.checkyoursix.net*, True -*.chedda.com.au*, True -*.cheekent.com*, True -*.cheeprey.ro*, True -*.cheersforseniors.org*, True -*.cheersmofo.com*, True -*.cheesecommunity.com*, True -*.cheesedanish.org*, True -*.cheesefish.net*, True -*.cheesemobile.com*, True -*.cheesygrits.com*, True -*.cheetahhotshot.com*, True -*.cheetar.com*, True -*.cheetux.org.il*, True -*.cheezies.hk*, True -*.chefalrescate.com*, True -*.chefcoders.com*, True -*.chefdeletat.com*, True -*.chef-express.hk*, True -*.cheffatass.com*, True -*.chefmadeeasy.com*, True -*.cheftony.net*, True -*.cheglevici.ro*, True -*.chehov-lex.ru*, True -*.cheileoltetului.ro*, True -*.cheirodecampinas.com.br*, True -*.chekanov.net*, True -*.chekoala.com*, True -*.cheko.cl*, True -*.cheloformodelismo.com.ar*, True -*.chelseafpd.tk*, True -*.chelseaherbert.com*, True -*.chelseaherbert.co.nz*, True -*.chelseahollis.com*, True -*.chelseaschallenges.com.au*, True -*.cheluntan.com*, True -*.chem101.com*, True -*.chem101.org*, True -*.chemcis.ir*, True -*.chemetall.com.ar*, True -*.chemexnewengland.com*, True -*.chemic.al*, True -*.chemicalbox.com*, True -*.chemicis.ir*, True -*.cheminees-berger.ch*, True -*.cheminsviajes.com.ar*, True -*.cheminsviajes.tur.ar*, True -*.cheminv.com*, True -*.chemistbench.com*, True -*.chemistry4all.org*, True -*.chemsupplying.com*, True -*.chemsystemsltd.com*, True -*.cheneval.com*, True -*.chengfeng.org*, True -*.chengrenjp.com*, True -*.chengshaobo.cn*, True -*.cheninvestmentgroup.com*, True -*.chenlabiste.com*, True -*.chenu.com.ar*, True -*.chenxingren.com*, True -*.chen-yang.tw*, True -*.chenyuhengyuan.com*, True -*.cheonghar.com*, True -*.cheope.ca*, True -*.chepati.com*, True -*.chepati.net*, True -*.chepati.org*, True -*.chequetaxi.eu*, True -*.chequetaxi.fr*, True -*.cherchio.com*, True -*.cherepanov.pro*, True -*.cherhanauaveche.ro*, True -*.cherington.co*, True -*.cherkesiya.ru*, True -*.chernovtsi.ru*, True -*.cherokeros.com.ar*, True -*.cherryhandyman.com*, True -*.cherrymail.tk*, True -*.cherrymyle.pt*, True -*.cherryninja.ga*, True -*.cherryninja.tk*, True -*.cherryrebel.ga*, True -*.cherryrebel.tk*, True -*.cherryshop.ru*, True -*.cherrytaiwan.com*, True -*.cherryvkoko.com*, True -*.chers.com.au*, True -*.chery.co.il*, True -*.chesan.com*, True -*.chesapeakehedgehogs.com*, True -*.chescorp.com.au*, True -*.cheshirejoineryservices.com*, True -*.cheshirejoineryservices.co.uk*, True -*.cheslett.id.au*, True -*.chessorion.cf*, True -*.chesta.com*, True -*.chestionare-auto-drpciv.ro*, True -*.chestionaredrpciv.net*, True -*.chestionareonline.ro*, True -*.chetangowda.com*, True -*.chetbc.ca*, True -*.chetbc.com*, True -*.chetchez.com*, True -*.chett.ru*, True -*.cheukpang.com*, True -*.cheuks.hk*, True -*.chevyck.com*, True -*.chewan.net*, True -*.chewingwax.com*, True -*.chewlong.com*, True -*.cheyennelabs.com*, True -*.cheyennelabs.net*, True -*.cheyenne-mountain.net*, True -*.cheynes.org*, True -*.chezcarolaine.com*, True -*.chezcraft.tk*, True -*.cheznico.ch*, True -*.chhcplus.com*, True -*.chia.be*, True -*.chianglaiwan.hk*, True -*.chiangmaibus.org*, True -*.chiang.tw*, True -*.chiao.us*, True -*.chia.sexy*, True -*.chibacityblues.org*, True -*.chibiliker.com*, True -*.chicago360factor.com*, True -*.chicagoblacksox.com*, True -*.chicagobrowqueen.com*, True -*.chicagocatholics.com*, True -*.chicagocondosites.com*, True -*.chicagocornerchurch.org*, True -*.chicagoface.com*, True -*.chicago-houses-for-sale.com*, True -*.chicagomeshnetwork.com*, True -*.chicagorealestate.info*, True -*.chicagorealestatesearch.com*, True -*.chicattle.com*, True -*.chic-canteen.tw*, True -*.chicchocolatecc.com.br*, True -*.chic-cityrats.com*, True -*.chicflowers.ro*, True -*.chichot.info*, True -*.chickenbarrel.org*, True -*.chickeneye.co.uk*, True -*.chickenkiller.com*, True -*.chickenshit.ml*, True -*.chickenskinners.co.uk*, True -*.chiddlers.co.uk*, True -*.chiedo.com*, True -*.chiefstaff.com*, True -*.chiefsystem.com*, True -*.chienfu.cf*, True -*.chienhong.cn*, True -*.chierre.com*, True -*.chiesanuova.info*, True -*.chiewz.gq*, True -*.chigadink.ml*, True -*.chig.ga*, True -*.chihping.com*, True -*.chihtao.cc*, True -*.chikalicia.com*, True -*.chikico.cl*, True -*.chikiyan.cl*, True -*.chiknie.ga*, True -*.childbirthmelodies.com*, True -*.childcarebookkeeper.com.au*, True -*.childdoctor.asia*, True -*.childefenders.com*, True -*.childefenders.gr*, True -*.childmonitorweb.com*, True -*.childpatch.com*, True -*.childpatch.co.uk*, True -*.childrensblanks.com*, True -*.childrensmap.com.au*, True -*.chile4rent.cl*, True -*.chilealimentosproducelimpio.cl*, True -*.chilechips.cl*, True -*.chilecolor.cl*, True -*.chiledata.cl*, True -*.chiledelivery.cl*, True -*.chileganadero.cl*, True -*.chilehabla.com*, True -*.chilehub.cl*, True -*.chilemeats.cl*, True -*.chilenitotv.cl*, True -*.chilepork.cl*, True -*.chilepork.com*, True -*.chilepoultry.com*, True -*.chileshift.cl*, True -*.chilesuites.cl*, True -*.chiletoons.cl*, True -*.chilevr.cl*, True -*.chilibroste.com.ar*, True -*.chilicum.com*, True -*.chilikovi.com*, True -*.chilingjj.org*, True -*.chilin.hk*, True -*.chili-peppers.co.il*, True -*.chilitriathlon.com*, True -*.chillanantiguo.cl*, True -*.chillat.net*, True -*.chillercode.de*, True -*.chillerindonesia.com*, True -*.chille.se*, True -*.chillfm.in*, True -*.chillhouse.com.ar*, True -*.chill.in*, True -*.chillnau.net*, True -*.chillwhere.com*, True -*.chilly-dawg.com*, True -*.chilobak.com*, True -*.chiloenet.cl*, True -*.chimbay.net*, True -*.chimehuinsafaris.com.ar*, True -*.chimioterapie.ro*, True -*.chimmychurry.com*, True -*.chimneybuttelandfill.com*, True -*.chimneyfishduo.com*, True -*.chimsley.net*, True -*.china-atv-parts.com*, True -*.chinabrickmachinery.com*, True -*.chinacandlelight.org*, True -*.chinacig.com*, True -*.chinaclothmarket.com*, True -*.chinaforex.info*, True -*.china-g-investments.com*, True -*.chinahomegift.com*, True -*.china.is*, True -*.chinalangshun.com*, True -*.chinamintex.tk*, True -*.chinanet.ch*, True -*.chinaplate.com.au*, True -*.chinapmp.tk*, True -*.chinapoem.org*, True -*.chinascgzc.com*, True -*.chinasfailedtibetpolicies.org*, True -*.chinashop.gq*, True -*.china-stationery-supply.com*, True -*.china-steel-doors.com*, True -*.chinatbr.com*, True -*.chinatibetfriendship.org*, True -*.chinawealproperty.com*, True -*.chinawtcindonesian.com*, True -*.chinchon.cl*, True -*.chinchulancha.co*, True -*.chinesebirdname.com*, True -*.chinese.hk*, True -*.chinese-leaders.org*, True -*.chingtyan.com*, True -*.chinlauwongfoo.com.my*, True -*.chinmaster.tw*, True -*.chinnconsulting.com*, True -*.chinnconsulting.net*, True -*.chinnconsulting.org*, True -*.chinn.org*, True -*.chinshow.net*, True -*.chintal.in*, True -*.chinta.web.id*, True -*.chiodi.com.ar*, True -*.chi-pig.com*, True -*.chipmeup.com*, True -*.chippingnortoncricket.com*, True -*.chip-pulsa.com*, True -*.chipsakti.co*, True -*.chipscountrybunker.com*, True -*.chipweber.com*, True -*.chiquete.com.mx*, True -*.chiquitasbayhostal.com*, True -*.chirchikago.tk*, True -*.chirilavasile.ro*, True -*.chirobes.com*, True -*.chirolegal.com*, True -*.chirto.com.ar*, True -*.chirurgic.al*, True -*.chirurgie-bachmann.ch*, True -*.chirurgietoracica-spitalulmilitar.ro*, True -*.chistesafull.com*, True -*.chitaids.net*, True -*.chitambira.com*, True -*.chito.com.mx*, True -*.chitwanbhumi.com.np*, True -*.chitza.ro*, True -*.chiusir.net*, True -*.chiw.tk*, True -*.chizvpn.com*, True -*.chkmyip.com*, True -*.chlablak.com*, True -*.chlorofor.me*, True -*.chlutud.tk*, True -*.chmel-consult.com*, True -*.chmel-consult.ru*, True -*.chncool.com*, True -*.chnook.net*, True -*.chnsky.cn*, True -*.chnsky.com*, True -*.choaseplace.com*, True -*.choateplace.org*, True -*.chocant.com.br*, True -*.chochai.ch*, True -*.chochlik.eu*, True -*.chockfullacharms.com*, True -*.chococg.com.ar*, True -*.choco-lade.ch*, True -*.chocolatebouquets.net.au*, True -*.chocolatecouture.com.au*, True -*.chocolate-doom.org*, True -*.chocolatefantasygirls.com*, True -*.chocolatemicroscopes.org*, True -*.chocolatespicacho.com*, True -*.chocomeal.com*, True -*.chocopicacho.com*, True -*.chocosapien.com*, True -*.chocoshoesstore.com*, True -*.chocshopdirect.com*, True -*.chocshopdirect.co.uk*, True -*.chodos.com.ar*, True -*.chodyniecki.com*, True -*.choego.com*, True -*.choeonline.com*, True -*.choho77.com*, True -*.choicespace.net*, True -*.choicharlie.com*, True -*.choigameon.com*, True -*.choigameso.com*, True -*.choiselocation.com*, True -*.choiseplace.com*, True -*.choiseplace.org*, True -*.choiseplaces.com*, True -*.choiseplaces.org*, True -*.choisesite.com*, True -*.choisesite.org*, True -*.choisespot.com*, True -*.choisespot.org*, True -*.choisestand.com*, True -*.choisestand.org*, True -*.choisestation.com*, True -*.choisestation.org*, True -*.cholakova.bg*, True -*.cholaky.cl*, True -*.cholesterolhigh.net*, True -*.cholloled.com*, True -*.cholloled.es*, True -*.chombunghospital.com*, True -*.chompey.com*, True -*.choo.id.au*, True -*.choonsiklee.com*, True -*.choopa.ga*, True -*.chooseacruise.co.za*, True -*.choosechapter13.com*, True -*.choosechapter7.com*, True -*.choosenclick.com.au*, True -*.chooseveritas.com*, True -*.choperascabodefrio.com.ar*, True -*.chopexz-msg.ga*, True -*.choptanktribteam.net*, True -*.choresindoors.co.uk*, True -*.chorinterkultur.com*, True -*.chorome.net*, True -*.chortet.com*, True -*.chorus.si*, True -*.choshuencochile.cl*, True -*.chosmile.com*, True -*.chothuemaydinhvi.com*, True -*.chothuemaytoandac.com*, True -*.chouchou.nu*, True -*.chouseplace.com*, True -*.chouseplace.org*, True -*.chouza.com.ar*, True -*.chouzakeil.com.ar*, True -*.chowder.net.au*, True -*.chowny.net.au*, True -*.chowpatty.com*, True -*.choycc.com*, True -*.chpan34.com*, True -*.chpf.com.au*, True -*.chphilli.net*, True -*.chpwner.org*, True -*.chraebi.ch*, True -*.chratzbaum.ch*, True -*.chratzbaumwaerchstatt.ch*, True -*.chrbolka.net.au*, True -*.chrestos.com*, True -*.chrfamily.com*, True -*.chrigius.net*, True -*.chrinan.co.uk*, True -*.chrinan.uk*, True -*.chrisachille.com*, True -*.chrisada.co.uk*, True -*.chrisandkatiekelley.com*, True -*.chrisandlaurel.com*, True -*.chrisandneg.info*, True -*.chrisandtinas.com*, True -*.chrisattack.com*, True -*.chrisbb61.com*, True -*.chrisbelyea.com*, True -*.chriscalandro.com*, True -*.chriscantwell.co.uk*, True -*.chrischaffee.net*, True -*.chris-charles.com*, True -*.chriscykert.com*, True -*.chrisdeckard.com*, True -*.chrisdiamondimages.com*, True -*.chrisegeland.com*, True -*.chrisfriend.us*, True -*.chrisgilbertart.com*, True -*.chris-golden.us*, True -*.chrisgoyette.com*, True -*.chrishardy.net*, True -*.chrishartearthworks.com.au*, True -*.chrishorning.com*, True -*.chrisinfante.com*, True -*.chrisje.org*, True -*.chrisjlunn.co.uk*, True -*.chriskabakov.tk*, True -*.chrisking.us*, True -*.chrismac.org*, True -*.chrismatthias.com*, True -*.chrismccartney.co.uk*, True -*.chrismcdowell.net*, True -*.chrismortega.com*, True -*.chrisn.name*, True -*.chrisohanlon.co.uk*, True -*.chrisohanlon.org*, True -*.chrispark.co.uk*, True -*.chris-perry.me*, True -*.chrisrowin.com*, True -*.chrissena.com*, True -*.chrissheppardplumbing.com*, True -*.chrisstevens.us*, True -*.chrissyandsean.com*, True -*.christamusic.com*, True -*.christanto.web.id*, True -*.christiaan008.tk*, True -*.christiaanrossouw.co.za*, True -*.christian-action.org*, True -*.christianactionuk.com*, True -*.christian-activity-central.org*, True -*.christianarae.com*, True -*.christiancouplecounseling.com*, True -*.christiandevelopers.co.uk*, True -*.christianespinosa.cl*, True -*.christianfaure.com*, True -*.christianilunga.net*, True -*.christianinfante.com*, True -*.christianitygift.com*, True -*.christianpawlak.com*, True -*.christianpereira.com.ar*, True -*.christian-rapp.tk*, True -*.christianrapp.tk*, True -*.christianroa.cl*, True -*.christianstegmann.com*, True -*.christianstudents.co.uk*, True -*.christiantestimony.org.au*, True -*.christianwestbrook.com*, True -*.christie.ws*, True -*.christinacoiffure.ch*, True -*.christinajohansson.se*, True -*.christina-shop.ru*, True -*.christinashop.ru*, True -*.christinbusiness.com*, True -*.christinecare.com*, True -*.christinescrystals.com.au*, True -*.christineundjari.ch*, True -*.christjah.net*, True -*.christjah.org*, True -*.christjah.org.br*, True -*.christmasatthecross.info*, True -*.christmas-offers.com*, True -*.christnach.lu*, True -*.christofaro.com.br*, True -*.christoffel-raumplanung.ch*, True -*.christofmoser.ch*, True -*.christophbierielektro.ch*, True -*.christopherbau.com*, True -*.christopher-berry.com*, True -*.christopherbisset.com.au*, True -*.christophercrowther.co.uk*, True -*.christophergentle.com*, True -*.christopherharmon.net*, True -*.christopherjackson-ash.com*, True -*.christophermessick.com*, True -*.christophernguyen.net*, True -*.christopherthomason.com*, True -*.christophertice.com*, True -*.christophgraupner.info*, True -*.christophoros.eu*, True -*.christophotronics.net*, True -*.christo-tires.co.il*, True -*.christstabernacle.org*, True -*.christyscottage.com*, True -*.chrisweb.net*, True -*.chriswhitehead.co.uk*, True -*.chrisxp.eu*, True -*.chr.mx*, True -*.chrodriguez.com.ar*, True -*.chromedpork.net*, True -*.chromefiddle.com*, True -*.chromodoris.com*, True -*.chromoink.com*, True -*.chroniclesoftimes.com*, True -*.chronize.io*, True -*.chronogames.com*, True -*.chronos00.com.ar*, True -*.chronos.co.za*, True -*.chronotime.ro*, True -*.chro.tk*, True -*.chrpa.eu*, True -*.chrsmck.com*, True -*.chrs.me.uk*, True -*.chrysalis-dreams.co.za*, True -*.chrysalisphoto.com*, True -*.chrysanthe.co.za*, True -*.chrysellia.net*, True -*.ch-sc.de*, True -*.chschtsch.ml*, True -*.chsh.us*, True -*.chsrobotics.tk*, True -*.ch-start.ch*, True -*.ch-to7.com*, True -*.chtss.com*, True -*.chuanyuan.com*, True -*.chubbun.com*, True -*.chubby.ga*, True -*.chubbyspizza.net*, True -*.chubnuts.com*, True -*.chuchubeauty.net*, True -*.chuchusecret.net*, True -*.chuckpvp.com*, True -*.chucksboy.com*, True -*.chuckstuff.co*, True -*.chucktam.com*, True -*.chuda.ch*, True -*.chudai.tk*, True -*.chud.ch*, True -*.chudskoe.eu*, True -*.chuenma.com*, True -*.chugumoto.tk*, True -*.chuinen.com*, True -*.chuip.net*, True -*.chuk.cc*, True -*.chuladebonita.mx*, True -*.chumfinder.com*, True -*.chunchetes.cf*, True -*.chunghyewon.com*, True -*.chunhaichilichina.com*, True -*.chunjian.tk*, True -*.chunlam.hk*, True -*.chuntey.com*, True -*.chupryna.info*, True -*.churapchy.ru*, True -*.church4chicks.com*, True -*.churchbanners.com.au*, True -*.churchbasedtraining.com*, True -*.churchdebugger.com*, True -*.churchforchicks.com*, True -*.churchincapetown.co.za*, True -*.churchinpretoria.co.za*, True -*.churchinroodepoort.co.za*, True -*.churchofmammals.org*, True -*.churchofsupergravity.com*, True -*.churchoftheheartland.com*, True -*.churchrez.org*, True -*.churchunites.com*, True -*.churchunites.com.au*, True -*.churchunites.net*, True -*.churchunites.net.au*, True -*.churchunites.org*, True -*.churchunites.org.au*, True -*.chur.ru*, True -*.chushinkan.ro*, True -*.chutes.co.id*, True -*.chutichhochiminh.net*, True -*.chutz.ch*, True -*.chxc.se*, True -*.chz.mobi*, True -*.ci2s.com.ar*, True -*.ciaccio.com.ar*, True -*.ciacinformatica.com*, True -*.ciadamodamulher.com.br*, True -*.ciaexperts.com*, True -*.cia.li*, True -*.cialisbrand.com*, True -*.cialisoft.com*, True -*.ciapat.com*, True -*.ciaradiary.com*, True -*.ciardoangelosagl.ch*, True -*.ciascenter.ro*, True -*.ciateam.be*, True -*.ciayouth.co.za*, True -*.cibercorp.cl*, True -*.ciberius.ga*, True -*.ciberne.com.ar*, True -*.ciberpunk.es*, True -*.cib-ventures.com*, True -*.cicap.co.za*, True -*.cicapglobal.com*, True -*.cicapglobal.co.za*, True -*.cicas.org*, True -*.cicedh.com*, True -*.ciclesformatius.info*, True -*.ciclesformatius.net*, True -*.cicles.info*, True -*.ciclicasrl.com.ar*, True -*.cicloplas.cl*, True -*.ciclotron.com.ar*, True -*.cicoabogados.com.ar*, True -*.cicof.net*, True -*.ciconstrucciones.cl*, True -*.cicu.org.mx*, True -*.cidadesmineiras.com.br*, True -*.cidadeurgente.com.br*, True -*.cide.es*, True -*.cidelotts.se*, True -*.ciderspace.ch*, True -*.cidico.com.br*, True -*.cidm.be*, True -*.ciecob.cl*, True -*.cieditions.com*, True -*.ciefap.com.ar*, True -*.cieh.mx*, True -*.cieh.org.mx*, True -*.cielosvirtuales.com.ar*, True -*.cien.biz*, True -*.cienciaconcristina.com.ar*, True -*.cienciaparalela.com.br*, True -*.cienciascannabis.cl*, True -*.cieniek.com*, True -*.cieniek.pl*, True -*.cienovejas.com.ar*, True -*.cieplinski.pl*, True -*.cierzniak.ml*, True -*.cierzniakowski.ml*, True -*.cieslawscy.eu*, True -*.cifag.cl*, True -*.cifi-on.net*, True -*.cifra1.tv*, True -*.cig.al*, True -*.cigarro.org.br*, True -*.cigarsforaustralia.com*, True -*.cigarsofaustralia.com*, True -*.cigarsoz.com*, True -*.cigarworld.tk*, True -*.cight.co.uk*, True -*.cig.pt*, True -*.cigran.com.br*, True -*.ciguenia.com*, True -*.ciideas.com*, True -*.cikananga.tk*, True -*.cikande.com*, True -*.cikitoz.com*, True -*.cikopi.ga*, True -*.cikpeah.com*, True -*.cilacapweb.com*, True -*.cilandcraft.ml*, True -*.cileuh.pw*, True -*.cilia.ch*, True -*.cilikis.com*, True -*.cilimus.com*, True -*.cimaca.pt*, True -*.cima-diagnosticos.com.mx*, True -*.cimamedicinadental.com.ar*, True -*.cimametalurgica.com.ar*, True -*.cimar.pt*, True -*.cimarronesamalaya.com.ar*, True -*.cimaweb.net*, True -*.cimbage.com.ar*, True -*.cimic-khm.be*, True -*.cimidi.org*, True -*.cimolini.si*, True -*.cimprosrl.com*, True -*.cimula.com*, True -*.cinaed.be*, True -*.cina.hu*, True -*.cincinku.com*, True -*.cincon.com*, True -*.cincoya.com*, True -*.cindyana.com*, True -*.cindyclinton.com*, True -*.cinechat.com.ar*, True -*.cine-drones.net*, True -*.cinema-azadi.ir*, True -*.cinemacomcritica.com.br*, True -*.cinema-mellat.ir*, True -*.cinemang.com*, True -*.cinema-soft.ru*, True -*.cinemaspart.ro*, True -*.cinemix.nu*, True -*.cinepredador.net*, True -*.cineruasete.com.br*, True -*.cinesie.com.br*, True -*.cinetoid.com*, True -*.cinevivo.com.ar*, True -*.cingkaria.net*, True -*.cinirix.com.ar*, True -*.cinnabarcreek.com*, True -*.cinnabarcreek.net*, True -*.cinnamoncaterers.cf*, True -*.cinos.tk*, True -*.cinotrade.cn*, True -*.cinotrade.com*, True -*.cinotrade.hk*, True -*.cinro.com.mx*, True -*.cinsur.com.ar*, True -*.cintafhy.cf*, True -*.cintamu.cf*, True -*.cintamu.ga*, True -*.cintamusic.com*, True -*.cinthetix.com*, True -*.cintrafer.pt*, True -*.cio16.com*, True -*.cio16.org*, True -*.cioacademy.co.za*, True -*.cioconsultores.cl*, True -*.cio-corner.com*, True -*.cioforum.co.za*, True -*.cioforum.org.za*, True -*.cioforumsa.co.za*, True -*.cioforumsa.org*, True -*.ciohall.com*, True -*.cio-iac.org*, True -*.cioinstitute.co.za*, True -*.cipherfin.com*, True -*.ciplanutrition.com.au*, True -*.cipme.com*, True -*.cipok.net*, True -*.cippalippa.net*, True -*.ciprianman.net*, True -*.ciprianpascu.ro*, True -*.cipriantarta.ro*, True -*.ciprobuy.net*, True -*.ciprofloxacinhcl.net*, True -*.cipsecurity.us*, True -*.ciptaprimaguna.com*, True -*.ciptaunitpartservice.com*, True -*.ciptausahamakmur.co.id*, True -*.cirack.com*, True -*.circledevelopments.com*, True -*.circledevelopments.co.za*, True -*.circlefun.cf*, True -*.circlesolar.com.au*, True -*.circlesysinc.com*, True -*.circlesystemsinc.com*, True -*.circlesystems.net*, True -*.circlezero.net*, True -*.circodaparro.be*, True -*.circosdesigns.com*, True -*.circuitdesignplus.com*, True -*.circuitdesignplus.info*, True -*.circuitlab.org*, True -*.circuitoselectronicos.net*, True -*.circuitstew.com*, True -*.circula.ro*, True -*.circulodewebs.com*, True -*.circulosproducoes.com.br*, True -*.circusforarts.org*, True -*.circusslaves.com*, True -*.cirebon4rt.com*, True -*.cireboncrew.net*, True -*.cirill.com*, True -*.cirilli.org*, True -*.ciroahomewares.com*, True -*.cirquest.ro*, True -*.cirriform.net*, True -*.cirrusapart.com*, True -*.cirrusapart.com.ar*, True -*.cirruslaslenas.com.ar*, True -*.cirsalud.com.ar*, True -*.cirstei.ro*, True -*.cirsysinc.com*, True -*.cisa-ch.ch*, True -*.cisarka.cz*, True -*.cisatalian.com*, True -*.cisb.com.ar*, True -*.cisccom.com*, True -*.ciscovery.com*, True -*.ciska.co.za*, True -*.cislariu.ro*, True -*.cisnova.com*, True -*.cispeaks.com*, True -*.cisqua.hk*, True -*.cissi.com.ar*, True -*.cissp.or.id*, True -*.cista-narava.net*, True -*.cisum.org*, True -*.ciszak.net*, True -*.citacaliente.ga*, True -*.citadelcarecentre.com*, True -*.citcreativenewscom.co*, True -*.citdesignnewscom.co*, True -*.citdigitalnewscom.co*, True -*.citedsources.com*, True -*.citeidx.com*, True -*.citemuar.com.ar*, True -*.cite.ro*, True -*.citibus.co.za*, True -*.citicafe.co.za*, True -*.cities.org.au*, True -*.citifringe.com.au*, True -*.citimcudrag.ro*, True -*.citistore.ru*, True -*.citizen1.co.za*, True -*.citizen1portal.com*, True -*.citizen1portal.org*, True -*.citizen1services.org*, True -*.citizenbroadband.com*, True -*.citizenbroadband.co.za*, True -*.citizencollective.co.za*, True -*.citizenjournalism.co.za*, True -*.citizenjournalist.co.za*, True -*.citizenjournals.com*, True -*.citizenone.co.za*, True -*.citizensdns.com*, True -*.citizentravel.co.za*, True -*.citizenwifi.com*, True -*.citmediadispatchcom.co*, True -*.citmediagossipcom.co*, True -*.citmediainformationcom.co*, True -*.citmedianewscom.co*, True -*.citmediareportcom.co*, True -*.citopay.com*, True -*.citproductionsnewscom.co*, True -*.citrahalal.co.id*, True -*.citramarga.com*, True -*.citricsalta.com.ar*, True -*.citrino.com.ve*, True -*.citrixmonkey.com*, True -*.citrixoffline.com*, True -*.citroen-taxi.ru*, True -*.citronellasoap.com*, True -*.citrus-well.ru*, True -*.city24h.pl*, True -*.city2city.ro*, True -*.city77.net*, True -*.cityangels.com.au*, True -*.cityaquaworldsurabaya.com*, True -*.cityaround.com*, True -*.citybugs.it*, True -*.citychatter.com*, True -*.citycomonline.com*, True -*.citydeals.co.za*, True -*.citydoors.ro*, True -*.cityentree.com*, True -*.cityflair.in*, True -*.citygit.ru*, True -*.cityguidezofingen.ch*, True -*.cityhunter.ga*, True -*.citylifemedia.net*, True -*.city-lights.ro*, True -*.citylive.com.au*, True -*.city-med.info*, True -*.citynations.net*, True -*.citynieruchomosci.eu*, True -*.citynight.net*, True -*.cityofgreen.com.my*, True -*.cityoflankhmar.info*, True -*.cityofstyle.hk*, True -*.cityofstyle.net*, True -*.cityofstyle.org*, True -*.cityofversa.com*, True -*.city-photos.org*, True -*.cityprosecutordoughaubert.com*, True -*.cityrehab.se*, True -*.cityrooster.com*, True -*.citysearch.cl*, True -*.citystudent.ca*, True -*.citytaxiexpress.com*, True -*.citytheater.eu*, True -*.citytheater.nl*, True -*.citytime.cl*, True -*.citytravelhawaii.com*, True -*.cityutime.com*, True -*.city-vault.com*, True -*.citywatchpmb.org.za*, True -*.cityweb.cc*, True -*.ciubotaru.tk*, True -*.ciudadalternativa.com.ve*, True -*.ciudadled.com*, True -*.ciudadled.com.ar*, True -*.ciudadvota2015.com.ar*, True -*.ciudadvota2015.org.ar*, True -*.ciudati.ro*, True -*.ciudatu.ro*, True -*.ciuleanu.ro*, True -*.ciumarosie.ro*, True -*.ciummo-git.com*, True -*.civicprovisions.com*, True -*.civicwireless.net*, True -*.civilizationdesign.com*, True -*.civilizationdesign.org*, True -*.civilpro.cl*, True -*.civilsovereign.com*, True -*.civita.ro*, True -*.civproject.org*, True -*.civsa.com.br*, True -*.civvic.ro*, True -*.civx.org*, True -*.ciwit.cl*, True -*.cizgifilmonline.com*, True -*.cjanes.tk*, True -*.cja-systems.com*, True -*.cjbs.ch*, True -*.cjcyclesandmarine.com*, True -*.cj-developments.co.uk*, True -*.cjdnscloud.com*, True -*.cjearges.ro*, True -*.cjebacau.ro*, True -*.cjfoley.com*, True -*.cjgolden.net*, True -*.cjhitchcock.com*, True -*.cjil.ca*, True -*.cjleaf.com*, True -*.cjmax.com.ar*, True -*.c-jocuri.ro*, True -*.cjohns.co*, True -*.cjohnsontech.com*, True -*.cjournal.ir*, True -*.cjpike.co.uk*, True -*.cjptest.com*, True -*.cjs.id.au*, True -*.cjspaintballpark.com*, True -*.cjspaintballpark.net*, True -*.cjxu.tk*, True -*.cjznet.com*, True -*.ck-4u-82.de*, True -*.ck-98.com*, True -*.cka77.com*, True -*.cka87.com*, True -*.ckahome.net*, True -*.ckck.com.ar*, True -*.cke999.com*, True -*.ckellywright.com*, True -*.ckido4.ga*, True -*.ckidoch.ga*, True -*.ckidsrock.com*, True -*.ckip.com.ru*, True -*.ckk65.com*, True -*.ckk74.com*, True -*.ckk83.com*, True -*.ckk95.com*, True -*.ckk.org.tr*, True -*.cklaw.ml*, True -*.ckloidt.de*, True -*.cklone.com*, True -*.cklonehome.com*, True -*.ckm.cl*, True -*.ckokaras.gr*, True -*.ckssyk.org.tr*, True -*.ckthunder.com*, True -*.cku1.waw.pl*, True -*.cky.cl*, True -*.claasharvestcenter.com.au*, True -*.claasharvestcentre.com.au*, True -*.claashc.com.au*, True -*.clacpedales.cl*, True -*.cladireverde.ro*, True -*.clairebear.us*, True -*.clairebeck.com*, True -*.clairecaherty.com*, True -*.clairecaherty.us*, True -*.claireingram.com*, True -*.clairereid.org*, True -*.clairestjohn.com*, True -*.clairestjohn.net*, True -*.clamer.es*, True -*.clamtastic.net*, True -*.cla.my*, True -*.clan92.ml*, True -*.clanalexander.net*, True -*.clanarena.ru*, True -*.clanarg.com*, True -*.clancro.co.uk*, True -*.clancumming.ca*, True -*.clandestina.org*, True -*.clanfog.ru*, True -*.clangfa.com.br*, True -*.clanimpact.org*, True -*.clanmccracken.com*, True -*.clanoconnor.ca*, True -*.clanpacer.com*, True -*.clanrichards.com*, True -*.clanstuart.com*, True -*.clapclapbear.tk*, True -*.claptop.com*, True -*.claracapital.com.ar*, True -*.claramaria.ro*, True -*.clarapastrybakery.com*, True -*.claredart.com*, True -*.clareflanagan.com*, True -*.clareharding.com.au*, True -*.claremiller.com.au*, True -*.claremorris.info*, True -*.clarencecoasttheatricalsociety.org.au*, True -*.claret.cl*, True -*.clarety.hk*, True -*.clarine.com.br*, True -*.clarisbiochem.com*, True -*.clarkm.com*, True -*.clarkstock.com*, True -*.clarktheshark.net*, True -*.clarocorporativa.com.ar*, True -*.claroempresa.com.ar*, True -*.clarogratis.ml*, True -*.claromontt.cl*, True -*.claromujer.cl*, True -*.claroovalle.cl*, True -*.clarusdigital.com*, True -*.clarvi.com.mx*, True -*.clarvi.mx*, True -*.clasesdeportugues.cl*, True -*.clasherhacks.ml*, True -*.clash-hackgenerator.tk*, True -*.clash-of-clans-cheats.cf*, True -*.clasificadosam.com*, True -*.clasificadostdf.com.ar*, True -*.clasificando.com.ar*, True -*.clasificor.tk*, True -*.class-action.co.za*, True -*.classaction.co.za*, True -*.class.cf*, True -*.classe90.ch*, True -*.classearcheologiaecultura.it*, True -*.classia.com*, True -*.classical-jazz.com*, True -*.classicallearningacademy.com*, True -*.classicallearningacademy.net*, True -*.classicallearningacademy.org*, True -*.classicallearningacademy.us*, True -*.classicalmusicfortheworld.com*, True -*.classicalmusicfortheworld.org*, True -*.classic-builders.com*, True -*.classiccoinops.com*, True -*.classiccorral.com*, True -*.classice.com.au*, True -*.classicevolutions.com.au*, True -*.classicmagazine.com.br*, True -*.classicmc.tk*, True -*.classicmoveis.com.br*, True -*.clas-sic.ro*, True -*.classicswisswatch.com*, True -*.classictransport.biz*, True -*.classictransport.info*, True -*.classified.co.za*, True -*.classique.org.za*, True -*.claudegervais.com*, True -*.claude-lament.ch*, True -*.claudiacojocar.com*, True -*.claudiafuentealba.cl*, True -*.claudiagaspar.com.br*, True -*.claudialabarca.cl*, True -*.claudiamatteo.com*, True -*.claudiaundphilipp.ch*, True -*.claudicy.me*, True -*.claudiocollantes.com*, True -*.claudiocolt.com*, True -*.claudioesquivel.com.ar*, True -*.claudiojpaz.com.ar*, True -*.claudiomattos.com.br*, True -*.claudiup.ro*, True -*.clauslorenzo.com.ar*, True -*.claussenonline.de*, True -*.clauverdental.com.ar*, True -*.claveimportadores.cl*, True -*.clawmap.com*, True -*.clawsontailoring.com*, True -*.clay.cf*, True -*.claymationgames.com*, True -*.claypotfrog.com*, True -*.claysprinters.com*, True -*.clayster.cl*, True -*.clays-work.com*, True -*.claytoncollins.com*, True -*.claytonlandscapes.com.au*, True -*.claytonmurray.com*, True -*.clck.cc*, True -*.clc.sk*, True -*.cld.my*, True -*.cleanandclearbestfriends.com*, True -*.cleanandgleam.com.my*, True -*.clean-and-tidy.com*, True -*.cleanbits.org*, True -*.cleancuttreeservices.com*, True -*.cleanercarpetnow.com*, True -*.cleanershp.co.il*, True -*.cleanfuelnetworks.info*, True -*.cleanharddrive.eu*, True -*.cleanhouse.cl*, True -*.cleanlightusa.com*, True -*.cleanlove.ro*, True -*.clean-mary.com*, True -*.cleanme.co.il*, True -*.cleanpdm.com*, True -*.clean-renewable.com*, True -*.cleansex.ro*, True -*.cleantechsummit.fi*, True -*.cleanwatermovement.com*, True -*.cleanwatermovement.org*, True -*.cleanx.cl*, True -*.clearasglass.com.au*, True -*.clear.cf*, True -*.clearcommunicationsusa.com*, True -*.clearenergyindonesia.com*, True -*.clearenglishediting.com*, True -*.clearenglishediting.co.uk*, True -*.clear-lighting.ro*, True -*.clearnumbers.com.au*, True -*.clearos.ru*, True -*.cleartalkinternet.nl*, True -*.clearviewcma.com*, True -*.clearvisionoffice.in*, True -*.clearwaterdude.com*, True -*.clearwater-photographer.net*, True -*.clearwater-photographer.org*, True -*.cleburu.com*, True -*.cleburu.net*, True -*.cleburu.org*, True -*.cleeton.ca*, True -*.clefisg.cf*, True -*.clefs-du-savoir.ch*, True -*.clem.com.ar*, True -*.clemsolutions.ro*, True -*.clemty.com*, True -*.cleodivine.com*, True -*.cleoputri.com*, True -*.clepratique.com*, True -*.cleveland-crafters.com*, True -*.clevelandexhaust.com*, True -*.clevelandexhaust.com.au*, True -*.cleverbaires.com.ar*, True -*.cleverbuya.com*, True -*.clevercrow.org*, True -*.cleverdomain.net*, True -*.cleverheresy.org*, True -*.cleverico.com*, True -*.cleverinvesting.net*, True -*.cleverley.us*, True -*.cleverlittleideas.com*, True -*.cleverspace.org*, True -*.clever.tw*, True -*.cleymans.be*, True -*.clfapps.info*, True -*.clgv.tv*, True -*.clibracara.pt*, True -*.clicgame.com*, True -*.click2.com.br*, True -*.clickamazonia.com.br*, True -*.clickandmortar.ca*, True -*.clickers.com.my*, True -*.clickfeed.cf*, True -*.clickforhosting.com*, True -*.clickfreeads.tk*, True -*.clickindex.com*, True -*.clickingbad.net*, True -*.click-it.ca*, True -*.clickit.com*, True -*.click-ninja.com*, True -*.click-ninja.net*, True -*.click-ninja.us*, True -*.clickopt.biz*, True -*.clickreativo.cl*, True -*.clicksmetrics.com*, True -*.clicksms.com.ar*, True -*.clicksoftware.co.uk*, True -*.clicktoplay.co.za*, True -*.clicrisona.com*, True -*.client14.com*, True -*.clientblock.com*, True -*.clientforex.com*, True -*.clienturl.net*, True -*.cliffandteri.com*, True -*.cliff.hk*, True -*.cliffhk.net*, True -*.cliffmorgan.org*, True -*.clifton.org.uk*, True -*.climaexit.com*, True -*.climaexit.es*, True -*.climaexit.eu*, True -*.climaexit.net*, True -*.climahrp.cl*, True -*.climaref.cl*, True -*.climb.ro*, True -*.climbup.me*, True -*.climol.org*, True -*.clingstone.com.au*, True -*.cliniboost.com.au*, True -*.clinicabergesi.com*, True -*.clinicabocca.cl*, True -*.clinicadeinternacaobh.com.br*, True -*.clinicalaspiedras.cl*, True -*.clinicale.cl*, True -*.clinicaleville.com.br*, True -*.clinical-hypnosis-brighton.co.uk*, True -*.clinicamangabeiras.com*, True -*.clinicamarshaka.com*, True -*.clinicamarshaka.ru*, True -*.clinicasaritamartins.com*, True -*.clinicasregionales.cl*, True -*.clinica-stomatologica.md*, True -*.clinicaunicorp.com.br*, True -*.clinic.hk*, True -*.cliniclinux.com*, True -*.clinics.tw*, True -*.clink.biz*, True -*.clintbellanger.net*, True -*.clint.cf*, True -*.clint.ga*, True -*.clinthenegar.com*, True -*.clintified.com*, True -*.clint.ml*, True -*.clinton.io*, True -*.clintonshepard.name*, True -*.clinux.in*, True -*.clioclub.com.ar*, True -*.cliovirtual.cl*, True -*.cliowelt.de*, True -*.clip24h.net*, True -*.clipandtalk.si*, True -*.clipclap.info*, True -*.clipdog.co.uk*, True -*.clippersquay.com*, True -*.clipran.ru*, True -*.cliprun.ru*, True -*.clipsieuhot.com*, True -*.cliptecnologia.com*, True -*.cliquecompany.com*, True -*.cliquecompre.com.br*, True -*.clithappens.com*, True -*.clix.co.za*, True -*.clixinformatica.com.ar*, True -*.clix.ml*, True -*.clk4porn.com*, True -*.clkc.cc*, True -*.cl-media.tk*, True -*.clmfleet.com.au*, True -*.clny8.net*, True -*.cloakthis.me*, True -*.clockcomunicacion.com.ar*, True -*.clockler.com*, True -*.clockr.be*, True -*.clockworkheads.ru*, True -*.clockworkits.com*, True -*.clockworkits.se*, True -*.clockwork.nu*, True -*.clodion.ch*, True -*.clodobox.net*, True -*.cloe-jade.org*, True -*.c-logger.com*, True -*.clogo.ir*, True -*.clog.ro*, True -*.clonedvapors.com*, True -*.clonestore.it*, True -*.clooso.net*, True -*.c-lopez.com.ar*, True -*.clorise.info*, True -*.closingtag.co.uk*, True -*.clothbag.in*, True -*.cloud44.ch*, True -*.cloud4g.com*, True -*.cloud9coffeehouse.com*, True -*.cloud-9-services.com*, True -*.cloud9virtualization.com*, True -*.cloudaaron.net*, True -*.cloudalbania.com*, True -*.cloudathome.org*, True -*.cloudbg.tk*, True -*.cloudboot.biz*, True -*.cloudbroker.at*, True -*.cloudbubble.com.au*, True -*.cloudbursting.at*, True -*.cloudclippertea.com*, True -*.cloudcoinex.com*, True -*.cloudcont.mx*, True -*.clouddatashop.ca*, True -*.clouddatashop.com*, True -*.clouddatashop.net*, True -*.clouddevices.xyz*, True -*.clouddha.com*, True -*.clouddr.com.my*, True -*.clouddr.my*, True -*.cloudelastic.com*, True -*.cloudemd.com*, True -*.cloudflair.ws*, True -*.cloudfolio.cf*, True -*.cloudfunction.cf*, True -*.cloudhackix.com*, True -*.cloudian.pl*, True -*.cloudifysoft.com*, True -*.cloudlab.cl*, True -*.cloudlearner.com*, True -*.cloud-learning.net*, True -*.cloudlinux.ro*, True -*.cloudn9ne.org*, True -*.cloud-office.ro*, True -*.cloud-one.ca*, True -*.cloudpirate.com*, True -*.cloudpixel.org*, True -*.cloudpro.cl*, True -*.cloudranger.net*, True -*.cloudresources.co.uk*, True -*.cloudrock.co.uk*, True -*.cloudsandrouters.com*, True -*.cloudsandrouters.co.za*, True -*.cloudsandrouters.net*, True -*.cloudscombined.com*, True -*.cloudservers2lease.tk*, True -*.cloudseverywhere.com*, True -*.cloudshopper.mobi*, True -*.cloudsoftx.com*, True -*.cloudss.pl*, True -*.cloudstorage.ro*, True -*.cloud-sync.tk*, True -*.cloudsystems.cl*, True -*.cloudthinking.net*, True -*.cloud-tip.com*, True -*.cloudtrum.xyz*, True -*.cloudtv.cf*, True -*.cloudtvgallery.tk*, True -*.clouducate.com*, True -*.cloud-ulrich.de*, True -*.cloudvalley.com.au*, True -*.cloudwall.io*, True -*.cloudwars.tk*, True -*.cloudwatch.net*, True -*.cloudwest.ca*, True -*.cloudworkonline.com*, True -*.cloudworkonline.net*, True -*.cloudysummer.info*, True -*.clouldit.com*, True -*.clouxio.com*, True -*.cloverbreakers.com*, True -*.cloverburgers.com*, True -*.cloverdalecomputers.ca*, True -*.cloverrose.info*, True -*.clownshark.co.uk*, True -*.clpsa.com.ar*, True -*.cls-audio.com*, True -*.clspharmacygroup.com.au*, True -*.club16.org*, True -*.clubandeventpromotions.com*, True -*.club-apollo.ro*, True -*.clubarteria.ru*, True -*.clubberz.ru*, True -*.clubbones.com*, True -*.clubcapra.com*, True -*.clubcaritas.com*, True -*.clubdebaile.cl*, True -*.clubdecarte.ro*, True -*.clubdefoto.tk*, True -*.clubdeluxe-id.com*, True -*.clubdemotosbaguales.cl*, True -*.clubedaferrugem.com.br*, True -*.club-ego.com*, True -*.clubenortex4.com*, True -*.club-erti.ga*, True -*.clubesgrimavalencia.com*, True -*.clubetirojf.com.br*, True -*.clubgaming.ro*, True -*.clubgana.com*, True -*.clubgchacabuco.com.ar*, True -*.club-gogos.com*, True -*.clubhotcel.com*, True -*.clubhouse.com.ar*, True -*.clubhousevalledelsol.cl*, True -*.club-italia.ru*, True -*.clubkit.biz*, True -*.clublosplaceres.cl*, True -*.clubmac.org.au*, True -*.clubmanagement.ro*, True -*.clubmembershipauction.com*, True -*.clubmoutonnoir.com*, True -*.clubnamunkura.com.ar*, True -*.cluboferton.com*, True -*.club-ok.org.ru*, True -*.cluboliver.ro*, True -*.clubone.hk*, True -*.cluboptions.com*, True -*.clubpatinajesantaponsa.com*, True -*.clubpatinajesantaponsa.es*, True -*.clubreminisce.co.uk*, True -*.clubrex.tk*, True -*.clubr.ru*, True -*.clubrubber.com.br*, True -*.clubsecret.ro*, True -*.clubshrine.ro*, True -*.clubshrineromania.ro*, True -*.clubsportivdanubius.ro*, True -*.clubsportivnavodari.ro*, True -*.clubtoluca.com.mx*, True -*.clubtricot.ie*, True -*.clubulcopiilornasaud.ro*, True -*.clubulsocial.ro*, True -*.clubvectra.cl*, True -*.clubworldcalendar.com*, True -*.club-xm.co.uk*, True -*.clu.bz*, True -*.clucknlovers.com*, True -*.clue.cz*, True -*.cluedapp.co.za*, True -*.clug.net.ve*, True -*.clujcowork.ro*, True -*.clujulcrestin.ro*, True -*.clumpo.com*, True -*.clumsydyn.ch*, True -*.cluneyelectric.com*, True -*.cluod.tk*, True -*.clusterstorm.org*, True -*.clut.com.au*, True -*.clux.com*, True -*.clvrly.com*, True -*.clydejr.com*, True -*.clyden.co.za*, True -*.cm2.com.br*, True -*.cm2urgentes.com.br*, True -*.cm3.at*, True -*.cm777.net*, True -*.cmains.com*, True -*.cmang.org*, True -*.cmap.ir*, True -*.cmartin.tk*, True -*.cmatec.es*, True -*.cmbazan.com.ar*, True -*.cmbetz.com*, True -*.cmblajan.ro*, True -*.cmbserver.com*, True -*.cmc.co.id*, True -*.cmd0.net*, True -*.cmdelparque.com*, True -*.cmdgl.com.ar*, True -*.cmd.sx*, True -*.cmdt.com.au*, True -*.cmdx.org*, True -*.cmedical.com.mx*, True -*.cmed.us*, True -*.cmemedianewscom.co*, True -*.cmenk.tk*, True -*.cmesss.com*, True -*.cmgschool.com*, True -*.cmhdesignworks.co.uk*, True -*.cmhipokrates.pl*, True -*.cmisidro.com*, True -*.cmjansen.com*, True -*.cmmansilla.com.ar*, True -*.cmm.com.ve*, True -*.cmm-indonesia.com*, True -*.cmms.med.br*, True -*.cmnc.org.au*, True -*.cmng.ro*, True -*.cmokep.one.pl*, True -*.cmp190.com*, True -*.cmp191.com*, True -*.cmplogistica.com*, True -*.cmpufxr.com*, True -*.cmr.com.ar*, True -*.cmrepairs.com.au*, True -*.cm-repair.tk*, True -*.cmrizea.ro*, True -*.cmroll.com*, True -*.cmsa.com.ar*, True -*.cmsalbacete.es*, True -*.cmsa.pt*, True -*.cmservice.us*, True -*.cmslex.com*, True -*.cms-products.co.za*, True -*.cmspublicidad.com*, True -*.cmswiki.ir*, True -*.cmsxapp.com*, True -*.cmtest.tk*, True -*.cmtn.cl*, True -*.cmudairycow.org*, True -*.cmusb.com*, True -*.cmyartwork.com*, True -*.cmyk-studio.com*, True -*.cn365365.com*, True -*.cnaalfredopujol.com.br*, True -*.cnaaltodepinheiros.com.br*, True -*.cnaaltodesantana.com.br*, True -*.cnaaltodoipiranga.com.br*, True -*.cnabaraogeraldo.com.br*, True -*.cnabomretiro.com.br*, True -*.cnabragancapaulista.com.br*, True -*.cnacambuci.com.br*, True -*.cnacidadeuniversitaria.com.br*, True -*.cnacumbica.com.br*, True -*.cn-advertising.ro*, True -*.cnaguarulhos.com.br*, True -*.cnainterlagos.com.br*, True -*.cnaitapegica.com.br*, True -*.cnajangela.com.br*, True -*.cnajuliobuono.com.br*, True -*.cnamandaqui.com.br*, True -*.cnamarilia.com.br*, True -*.cnam.cc*, True -*.cnamoema.com.br*, True -*.cnamooca.com.br*, True -*.cnan.com.tr*, True -*.cnaparaiso.com.br*, True -*.cnaperdizes.com.br*, True -*.cnapompeia.com.br*, True -*.cnarepublica.com.br*, True -*.cnasacoma.com.br*, True -*.cnasa.com.br*, True -*.cnasantana.com.br*, True -*.cnasaocaetano.com.br*, True -*.cnaumuarama.com.br*, True -*.cnauto.lv*, True -*.cnbaforo.com.ar*, True -*.cnbedy.com*, True -*.cnblue.cl*, True -*.cnc7777.com*, True -*.cnc8888.com*, True -*.cnc-drehen.ch*, True -*.cnckv7.com*, True -*.cncmillspec.com*, True -*.cnconstruct.net*, True -*.cncshop.ro*, True -*.cncwed.co.za*, True -*.cnczone.ro*, True -*.cnd-chanoinessesrdc.org*, True -*.cneet.tk*, True -*.cneio.ru*, True -*.cnetms.info*, True -*.cnetwork.ro*, True -*.cneupdate.co.za*, True -*.cnew.ir*, True -*.cnfmr.ro*, True -*.cngmalaysia.org*, True -*.cnih.ro*, True -*.cnjcorp.org*, True -*.cnk77.com*, True -*.cnk99.com*, True -*.cnlodobescu.ro*, True -*.cnotepad.com*, True -*.cnprsv.ro*, True -*.cnr.com.pk*, True -*.cnscm.ro*, True -*.cnsquare.hk*, True -*.cnstefancelmare.ro*, True -*.cnstl.ml*, True -*.cntelecomunicaciones.net*, True -*.cntlaltdel.tk*, True -*.cnttshare.com*, True -*.cnw66.com*, True -*.cnw77.com*, True -*.cny06.com*, True -*.cnyweatherlab.org*, True -*.coachart.cl*, True -*.coach.ee*, True -*.coachingactually.ro*, True -*.coaching-baum.de*, True -*.coachingbaum.de*, True -*.coaching-sichtbar-klar.ch*, True -*.coachingsichtbarklar.ch*, True -*.coaching-tour.com*, True -*.coachinstitute.net*, True -*.coachmajor.co.il*, True -*.coachmyloan.com*, True -*.coachtawfiq.my*, True -*.coachtutorials.com*, True -*.coacomic.com*, True -*.coagency.com.my*, True -*.coalgebraic.com*, True -*.coalgoddess.net*, True -*.coalnet.ru*, True -*.coalusa.es*, True -*.coastal-remodeling.net*, True -*.coastalsweeps.com.au*, True -*.coastgis.com.br*, True -*.coastlinefsg.com*, True -*.coastline.net*, True -*.coasttocoastcruises.com*, True -*.cobaesenlinea.com*, True -*.cobanaz.com*, True -*.cobatebak.ga*, True -*.cobbhillcomputer.com*, True -*.cobbschoolcalendar.com*, True -*.cobbservers.com*, True -*.cobbyweb.com*, True -*.cobenthea.com*, True -*.cobenthea.net*, True -*.cobenthea.tk*, True -*.cobentube.cf*, True -*.cobentube.ml*, True -*.cobenvpn.cf*, True -*.cobenvpn.tk*, True -*.cober.si*, True -*.cobito.com*, True -*.cobos.mx*, True -*.cobra200.net*, True -*.cobracomunicaciones.com.ar*, True -*.cobra-museum.eu*, True -*.cobramuseum.eu*, True -*.cobramuseum.nl*, True -*.cobraonthenet.my*, True -*.cobraproject.com*, True -*.cobrasystem.ir*, True -*.cobungo.de*, True -*.cobweb.gr*, True -*.cocabin.net*, True -*.cocaramonyfernet3d.com.ar*, True -*.cocaramonyfernet.com.ar*, True -*.cocat.co*, True -*.cocatconsulting.com*, True -*.coccert.org*, True -*.cocchu.com*, True -*.coc-coc.ml*, True -*.coccoc.ru*, True -*.cocgenerator.gq*, True -*.cocherasjr.tk*, True -*.cochise.ca*, True -*.cochrane.com.br*, True -*.cocinandoconrr.cl*, True -*.cockroft.me*, True -*.cockroft.tv*, True -*.cocksalad.net*, True -*.cocksinyourmouth.com*, True -*.cocktail-leftovers.de*, True -*.coclea.cl*, True -*.cocoaching.be*, True -*.cocoacraft.co*, True -*.cocoaetc.com*, True -*.cocohb.com*, True -*.cocomaya.net*, True -*.coconet.us*, True -*.coconut.or.id*, True -*.coconutserver.com*, True -*.cocoongroup.net*, True -*.cocorhotelspa.ro*, True -*.cocox7.org*, True -*.cocquio.ch*, True -*.cocrivelli.com.br*, True -*.cocteleriatemuco.cl*, True -*.coc-tool.cf*, True -*.coc-tool.ml*, True -*.code3systems.com*, True -*.code3thic.ga*, True -*.code4days.com*, True -*.codeastur.com*, True -*.codebloc.com*, True -*.codebrewery.ch*, True -*.codebrew.in*, True -*.codebuilder.org*, True -*.codecafe.com*, True -*.codecafe.org*, True -*.codedefender.de*, True -*.codedreamers.co.uk*, True -*.codeethicvpn.cf*, True -*.codefather.se*, True -*.codefile.net*, True -*.codefile.org*, True -*.codefinity.com*, True -*.codefinity.ro*, True -*.codefix.com.ar*, True -*.codeflow.co.za*, True -*.codeformer.com*, True -*.codegis.com.ve*, True -*.code-house.org*, True -*.codeien.com*, True -*.codeinside.net*, True -*.codeit.in*, True -*.codeit.sg*, True -*.codekinesis.com*, True -*.codekit.org*, True -*.codeland.se*, True -*.codelife.us*, True -*.codelift.ro*, True -*.codeluxe.de*, True -*.codemix.ga*, True -*.codemnkey.com*, True -*.codemode.cl*, True -*.code-monkey.de*, True -*.codemy.com.ve*, True -*.codencorp.com*, True -*.codeneater.com*, True -*.codeneater.net*, True -*.codeology.ca*, True -*.codeopen.pl*, True -*.codephyle.com*, True -*.codephysics.com*, True -*.codephysics.org*, True -*.codepocket.com*, True -*.codepool.cf*, True -*.codepost.io*, True -*.codequest.co.za*, True -*.coderation.com*, True -*.codered.ro*, True -*.coderi.com.br*, True -*.coderi.ro*, True -*.coderisk.com*, True -*.coderisks.com*, True -*.codernism.com*, True -*.coders.cl*, True -*.coders.cz*, True -*.coder.si*, True -*.coderszone.net*, True -*.coderz.cc*, True -*.coderz.ir*, True -*.codes4wapego.ml*, True -*.codesanity.com*, True -*.codeskraps.com*, True -*.codevn.net*, True -*.codevu.com*, True -*.codewarp.net*, True -*.codewarp.org*, True -*.codexbit.co.uk*, True -*.codexpressed.com*, True -*.codexpression.com*, True -*.codice.cf*, True -*.codi.com.ar*, True -*.codigociudadano.cc*, True -*.codigoseguro.com.ve*, True -*.codigoseguro.tk*, True -*.codingdrama.com*, True -*.coding.es*, True -*.coding-revolution.to*, True -*.coding.ro*, True -*.codingtheworld.com*, True -*.codingtheworld.eu*, True -*.codisolutions.com*, True -*.codotz.cf*, True -*.codyandkate.com*, True -*.codygemmer.com*, True -*.codyhalovich.com*, True -*.codzienniepewnasiebie.pl*, True -*.coecu.ch*, True -*.coeg.cf*, True -*.coeg.gq*, True -*.coelho.fi*, True -*.coelmodica.it*, True -*.coe-norby.net*, True -*.coe.pt*, True -*.coetzer.nom.za*, True -*.cofbfck.org*, True -*.cofelca.com*, True -*.cofeng.org*, True -*.cofes.ru*, True -*.cofetaria-tosca.ro*, True -*.coffeeaddict.net*, True -*.coffeecakecomputers.com.au*, True -*.coffeecoldpress.com*, True -*.coffeehogs.com*, True -*.coffeeland.com*, True -*.coffeestation.ml*, True -*.coffey.com.ar*, True -*.coffragescgb.com*, True -*.coffsaircomfort.com.au*, True -*.coffscashexchange.com*, True -*.coffscashexchange.com.au*, True -*.coffsharbourfence.com*, True -*.coffsrccarclub.com*, True -*.cofko.dj*, True -*.cofrese.com.ve*, True -*.cofyrco.com.ar*, True -*.cogenart.com*, True -*.cogenpro.ro*, True -*.cogentmode.com*, True -*.cogfront.net*, True -*.cogl.ca*, True -*.coglio.net*, True -*.cognescent.com*, True -*.cognescent.net*, True -*.cognet.pl*, True -*.cognitivecentre.com*, True -*.cognitiveways.com*, True -*.cognitiveways.org*, True -*.cognus.cl*, True -*.cogollo.cl*, True -*.cogvis.co*, True -*.cogwerks.com*, True -*.cohan.ca*, True -*.cohens.org.il*, True -*.coherentsupply.com*, True -*.coiffeur-hair-flair.ch*, True -*.coiffeur-siesta.ch*, True -*.coiffeurvision.ch*, True -*.coiffureanitaaerni.ch*, True -*.coiffure-ascher.ch*, True -*.coiffure-mathys.ch*, True -*.coiffuremens.ch*, True -*.coiffureno7.ch*, True -*.coiffure-piccolo366.ch*, True -*.coiffure-xs.ch*, True -*.coiffure-zenattitude.ch*, True -*.coif-untempspoursoi.ch*, True -*.coin2play.com*, True -*.coinbox.se*, True -*.coincheckbox.com*, True -*.coinco.in*, True -*.coin-dig.ga*, True -*.coinf.com.mx*, True -*.coinfor.es*, True -*.coinminerpool.com*, True -*.coinpo.com.ar*, True -*.coip.com.ar*, True -*.cokecontrol.com*, True -*.cokelatndalem.co.id*, True -*.cokhimayxaydung.com*, True -*.colabra.com.br*, True -*.colabra.net.br*, True -*.colaciones.cl*, True -*.colacu.ro*, True -*.colangelogroup.com.au*, True -*.colaric.si*, True -*.colasono.net*, True -*.colban.com.ar*, True -*.colbatic.tk*, True -*.colchones-oconnor.com.ar*, True -*.coldata.com.br*, True -*.coldcarbonic.cl*, True -*.coldeternity.tk*, True -*.coldfire.org*, True -*.coldfusiondesignsonline.com*, True -*.coldfusionusa.com*, True -*.coldmode.com*, True -*.coldreboot.se*, True -*.coldworksteel.co.za*, True -*.colebarnes.net*, True -*.colectare.ro*, True -*.colectivominerva.org*, True -*.colega.ga*, True -*.colegio705.com.ar*, True -*.colegioabogadostuc.org.ar*, True -*.colegioaldebaran.cl*, True -*.colegiobrown.com.ar*, True -*.colegiodoctorfleming.es*, True -*.colegiolaudare.cl*, True -*.colegiolohermida.cl*, True -*.colegiolondon.com.br*, True -*.colegiomarinadechile.cl*, True -*.colegiomontesclaros.es*, True -*.colegionovel.com.mx*, True -*.colegionovel.mx*, True -*.colegionovel.org.mx*, True -*.colegioparque.es*, True -*.colegiopenalar.es*, True -*.colegiopenalar.net*, True -*.colegiopenalar.org*, True -*.colegiopenalvento.es*, True -*.colegiopestalozzi.com.ar*, True -*.colegiopeumayenmontesori.cl*, True -*.colegiopeumayenmontessori.cl*, True -*.colegiosenlanube.com.ar*, True -*.colegiosil.com.ar*, True -*.colegiosnahuel.cl*, True -*.colegiotamandare.g12.br*, True -*.colegiotorrevilano.es*, True -*.colegiovaldefuentes.es*, True -*.colegiowallmapu.cl*, True -*.colegiulcarol.ro*, True -*.colegiulsportivnadiacomaneci.ro*, True -*.colejv.com*, True -*.coleman.ml*, True -*.colendres.com*, True -*.colerio.com.ar*, True -*.colescreations.com.au*, True -*.coletime.co.uk*, True -*.coletivo308.com*, True -*.colfe.com.ar*, True -*.colgatebrush.com*, True -*.colibri-management.ca*, True -*.colibri-management.com*, True -*.colibris.org.ve*, True -*.colindancer.com*, True -*.colindancer.co.uk*, True -*.colindancer.net*, True -*.colinomurchu.com*, True -*.colins.ro*, True -*.colinwu.ca*, True -*.collabintelligence.com*, True -*.collaborate-africa.org*, True -*.collaborationsupport.com*, True -*.collaborativecourses.com*, True -*.collabority.com*, True -*.collabra.com.br*, True -*.collabra.net.br*, True -*.collecca.com*, True -*.collecdev.net*, True -*.collecdev.org*, True -*.collectionlocker.com*, True -*.collectiveimpact.co.il*, True -*.collectiveit.com.au*, True -*.collectivemining.com*, True -*.collectiveworship.uk*, True -*.collectmythoughts.com*, True -*.collectonhouse.com.au*, True -*.collectors-cove.com*, True -*.colleenbooth.me*, True -*.colleenbryan.com*, True -*.colleenhendrick.com*, True -*.collegeandcareers.org*, True -*.collegebiblestudies.com*, True -*.collegedesaussure.ch*, True -*.collegehockeyrecruits.com*, True -*.collegehomeschool.com*, True -*.collegeofmarinestudies.com*, True -*.collegiateinnapartments.com*, True -*.collegiateinn.com*, True -*.collezioneantonello.ch*, True -*.collezion.ru*, True -*.colliehost.com*, True -*.collier-consulting.com*, True -*.collierflatrate.com*, True -*.collinares.net*, True -*.collincampbell.tk*, True -*.collings-home.com*, True -*.collinschang.com*, True -*.collins.io*, True -*.collins.net*, True -*.collisave.org*, True -*.colloidalsilvergenerating.com*, True -*.colloky.cl*, True -*.collonil.cl*, True -*.colloque-malang.com*, True -*.collura.ch*, True -*.collur.com.ar*, True -*.colmar.cl*, True -*.colmar.ro*, True -*.colmercedtuc.com.ar*, True -*.colmexjaworzno.pl*, True -*.colneech.co.uk*, True -*.colobuilder.com*, True -*.colocaciondearitos.com.ar*, True -*.coloccini.com.ar*, True -*.colodeamerica.com.ar*, True -*.colongo.ch*, True -*.coloniabrasil.net*, True -*.colonialbrewingco.com*, True -*.colonialbrewingcompany.com*, True -*.coloniccleansing.org*, True -*.colonmiramar.com*, True -*.color4love.com*, True -*.color7.org*, True -*.coloradohorsetrainer.com*, True -*.coloradojcl.org*, True -*.colorado-photo.com*, True -*.coloradoprobateleads.com*, True -*.coloradorvdamage.com*, True -*.colorago.fi*, True -*.coloran.com.ar*, True -*.colorcade.com*, True -*.colorcreativo.com.ar*, True -*.coloredfb.org*, True -*.colorfully.me*, True -*.colorjobs.com*, True -*.colors4.us*, True -*.colorshopneuquen.com.ar*, True -*.colorstrike.pw*, True -*.colortango.com.ar*, True -*.color.to*, True -*.colorws.co*, True -*.colorws.com*, True -*.colossalband.me*, True -*.colossalcoyote.com*, True -*.colourexp.com*, True -*.colourform.com.au*, True -*.colourleaflets.com*, True -*.colourmeembroidery.com*, True -*.colourmersa.co.za*, True -*.co-ltd.hk*, True -*.coltemerinovaldivia.cl*, True -*.colts.cf*, True -*.colts.ga*, True -*.columbiahauntedhouse.com*, True -*.columbiasportspark.net*, True -*.columbineaviation.com*, True -*.columpio.com.ar*, True -*.coluy.com*, True -*.colvillecustoms.com*, True -*.colyada.net*, True -*.com889.com*, True -*.comapatecoman.gob.mx*, True -*.comardauto.ro*, True -*.comatvrancea.ro*, True -*.combatovich.tk*, True -*.combineworld.com.au*, True -*.combonatura.com*, True -*.combonatura.net*, True -*.com-br.biz*, True -*.combuscor.com.ar*, True -*.combustible.org*, True -*.combustiblevegetal.cl*, True -*.comby-vs.ch*, True -*.comca2014.cl*, True -*.comcerealsibiu.ro*, True -*.comcomtv.com*, True -*.comebacktodal.net*, True -*.comecomorey.cl*, True -*.comedy.tw*, True -*.comefromhk.com*, True -*.comelike.org*, True -*.comercialdelestesrl.com.ar*, True -*.comercialhydropol.cl*, True -*.comercializa.ro*, True -*.comercialmontenegro.cl*, True -*.comercialnacional.cl*, True -*.comercialzavi.cl*, True -*.comerciostdf.com.ar*, True -*.comertmareaneagra.ro*, True -*.cometelotodo.tk*, True -*.cometoworld.com*, True -*.comet-server.com*, True -*.comewo.at*, True -*.comex10.com.br*, True -*.comexkadosh.com.br*, True -*.comf-hk.com*, True -*.comfortchamomile.com*, True -*.comfortclick.com*, True -*.comfortinntherose.com.au*, True -*.comfortinserts.com*, True -*.comibsa-data.com.ar*, True -*.comic-nation.com*, True -*.comic.tw*, True -*.comidacomoesporte.com.br*, True -*.comisiondefestejos.com.ar*, True -*.com-it.ro*, True -*.comlinkgroup.com.au*, True -*.comlinkit.com.au*, True -*.comlinks.com.au*, True -*.comm3.com.br*, True -*.commact.org*, True -*.commaeventos.com.ar*, True -*.commandcentr.com*, True -*.commandlinegames.com*, True -*.commando.web.id*, True -*.commendatore.com.ar*, True -*.commerce2u.net*, True -*.commerci.al*, True -*.commercialairconditioningadelaide.com.au*, True -*.commercialcapitalforbusiness.com*, True -*.commercialimprovements.com.au*, True -*.commercialindustries.net.au*, True -*.commercialone.in*, True -*.commercialrealestatesuccess.com*, True -*.commertek.com*, True -*.comm.hk*, True -*.committed.com.my*, True -*.committeeoftheislands.org*, True -*.committeeofvigilance.org*, True -*.commlighting.com*, True -*.commodigi.com*, True -*.commoditycrop.com*, True -*.commojim.com*, True -*.commonaction.net.au*, True -*.commonaction.org.au*, True -*.common-challenge.com*, True -*.commongoodssupply.com*, True -*.commongroundcollaborativecare.ca*, True -*.commongroundcollaborativecare.com*, True -*.common-home.org*, True -*.commonhuman.net*, True -*.commonproblems.com.au*, True -*.commonworkspace.ru*, True -*.commpoint.in*, True -*.communeit.co.za*, True -*.communitybuildingworks.org*, True -*.communitybuyer.com*, True -*.communityfinder.org*, True -*.communityindex.org*, True -*.communitylivingconsultants.ca*, True -*.communitylivingconsultantscanada.com*, True -*.communitymaritimepark.com*, True -*.communityprotectionassociation.org*, True -*.communitysolutions.com.ar*, True -*.community-spirit.uk*, True -*.community-wow.eu*, True -*.commwebworks.com*, True -*.com--news.tk*, True -*.comocaracol.cl*, True -*.comodo.com.ar*, True -*.comohacer.tk*, True -*.com-one97.gq*, True -*.comonsa.ec*, True -*.comorecycling.com*, True -*.companhiaderevisao.com.br*, True -*.compania3x3.com.ar*, True -*.companiaargentinasa.com.ar*, True -*.companiadetransport.ro*, True -*.companiafaro.com.ar*, True -*.companionandrespite.com*, True -*.companionhomerespite.com*, True -*.companions4women.com*, True -*.companyforyou.eu*, True -*.companymagic.com*, True -*.companymagic.net*, True -*.companyportal.com.au*, True -*.companysafa.biz*, True -*.companyspb.ru*, True -*.companytoolsattack.tk*, True -*.comparacompras.com.br*, True -*.comparaprecios.cl*, True -*.compareandsavemore.co.uk*, True -*.comparefibre.net*, True -*.comparehealthplan.org*, True -*.comparemymeraki.com*, True -*.compareprintsolutions.com.au*, True -*.compartirfoto.com*, True -*.comp-as22.ru*, True -*.compasscraft.net*, True -*.compassionatecomposting.com*, True -*.compasstour.cl*, True -*.compatibilityzodiac.com*, True -*.compce.com*, True -*.compeco.co.uk*, True -*.compeco.pl*, True -*.comperu.net*, True -*.competenciarobotica.cl*, True -*.competente-antreprenoriale.ro*, True -*.competetubeporn.pw*, True -*.competingcooperation.com*, True -*.comp-exp.ru*, True -*.compfixplus.com*, True -*.compforce.info*, True -*.compidemili.es*, True -*.complejoamewil.com.ar*, True -*.complejolahuella.com.ar*, True -*.complejoreis.com.ar*, True -*.comp-lekar.ru*, True -*.complementhealth.com*, True -*.completedesign.ro*, True -*.completehealth.com*, True -*.completeidiots.org*, True -*.completeimagingcorp.com*, True -*.completelyga.ga*, True -*.completeshreddingservices.com.au*, True -*.completext.com*, True -*.completrs.com*, True -*.compliance.hk*, True -*.complicated.biz*, True -*.componentsandblasting.com*, True -*.componentseller.com*, True -*.components-online.eu*, True -*.componentsonline.eu*, True -*.componentsystems.com*, True -*.componetech.com*, True -*.componetwork.com*, True -*.componto.tk*, True -*.compooter.ga*, True -*.comporter.ro*, True -*.composite-hose-supplier.com*, True -*.compositgroup.com*, True -*.compound17.us*, True -*.compradasorte.com.br*, True -*.compragua.cl*, True -*.compraringressos.com.br*, True -*.comprarplaystation.tv*, True -*.comprarplaystationtv.com*, True -*.compratievenduti.it*, True -*.compremotos.com.br*, True -*.compremuitomais.com*, True -*.compreporaqui.com.br*, True -*.compresormineria.com.ar*, True -*.compressor-ac.com*, True -*.compressorac.com*, True -*.compressoracs.com*, True -*.compressor-copeland.com*, True -*.compressorsurabaya.com*, True -*.comprevende.com.br*, True -*.compris.com.br*, True -*.compservinformatica.com.br*, True -*.comptape.net*, True -*.comptape.org*, True -*.comptonsshoerepair.com*, True -*.compuair.com*, True -*.compuair.net*, True -*.compuamiga.com.ve*, True -*.compuarteg.net.ve*, True -*.compubeard.com*, True -*.compucase.com*, True -*.compucenterargentina.com*, True -*.compucloud.biz*, True -*.compudaseri.com.mx*, True -*.compudelmar.cl*, True -*.compudia.com.ar*, True -*.compudocnc.com*, True -*.compueducacionpuebla.com*, True -*.compu-express.com.ve*, True -*.compugurutulsa.com*, True -*.compuhaven.org*, True -*.compuhelp.com*, True -*.compuinter.com*, True -*.compulife.com.pk*, True -*.compulitoral.com.ar*, True -*.compu-net.com.ar*, True -*.compunetworks.com.py*, True -*.compusar.com.ar*, True -*.compusec.ro*, True -*.compuspire.co.uk*, True -*.computeconline.es*, True -*.computek-wi.com*, True -*.compu-tek.ws*, True -*.computerambulance.org*, True -*.computerarchive.org*, True -*.computercentralmissoula.com*, True -*.computerchaotix.com*, True -*.computerdaves.ca*, True -*.computerdoctorofnc.com*, True -*.computer-doctor.ro*, True -*.computerdreams.es*, True -*.computerfoxdesign.com*, True -*.computerhospice.com*, True -*.computermonteur.nl*, True -*.computerninja.net*, True -*.computerprogrammingjobs.net*, True -*.computerprogrammingtuition.com*, True -*.computerprogrammingtuition.co.uk*, True -*.computerpunk.ca*, True -*.computerrepairsheerness.co.uk*, True -*.computerrepairsolutions.com*, True -*.computerresearchlab.com*, True -*.computersbythesea.net*, True -*.computerserviceli.net*, True -*.computerserviceli.us*, True -*.computer-services.gq*, True -*.computersforpeace.net*, True -*.computersloveus.com*, True -*.computersolutions.com.ve*, True -*.computersrfun.org*, True -*.computersthatwork.ca*, True -*.computersxpress.net*, True -*.computersystemsconsulting.us*, True -*.computertd.com*, True -*.computertec.com.ar*, True -*.computertechli.com*, True -*.computertechli.net*, True -*.computertechli.us*, True -*.computer-techs.gq*, True -*.computertechus.com*, True -*.computer-warrior.com*, True -*.computerwhiz.com.au*, True -*.computerworksaz.com*, True -*.computerworksconsulting.com*, True -*.computerworkx.com*, True -*.computerworkx.info*, True -*.computerworkx.net*, True -*.computerworkx.org*, True -*.computerworx.info*, True -*.computex.us*, True -*.compuvia.com.br*, True -*.compuwizz.net*, True -*.compy.ca*, True -*.comservice.ro*, True -*.comsis.cl*, True -*.comsisinstal.ro*, True -*.comstech.com.my*, True -*.comtek.com.ar*, True -*.comtel-shop.ch*, True -*.comulo.com*, True -*.comunefiessoro.it*, True -*.comunicacionmr.com*, True -*.comunicado.se*, True -*.comunican2.com*, True -*.comunicas.com.ve*, True -*.comunicauc.cl*, True -*.comunidadcristianademexico.mx*, True -*.comunidaddelcordero.cl*, True -*.comunidade-israelita-porto.org*, True -*.comunidadespeloboto.org.br*, True -*.comunidadeterapeuticamg.com.br*, True -*.comunidadeterapeutica.org.br*, True -*.comunidadggc.tk*, True -*.comunidadmobile.com.ar*, True -*.comunidadmujerbella.com.ar*, True -*.comunidadpestalozzi.com.ar*, True -*.comunidadsegura.cl*, True -*.comunidadweb.com.ar*, True -*.comunika.cl*, True -*.comuniland.cl*, True -*.comunis.com.ar*, True -*.comunismo.info*, True -*.conactive.ch*, True -*.conalcaby.net*, True -*.conansub.com*, True -*.conartist.co.uk*, True -*.concasaimoveis.com.br*, True -*.concellodevalga.com*, True -*.concellodevalga.es*, True -*.concellodevalga.net*, True -*.concentricpublications.net*, True -*.conceptconstructions.net.au*, True -*.conceptcreations.com.au*, True -*.conceptex.net*, True -*.concept-i.ro*, True -*.concept-of-the-mind.com*, True -*.conceptprod.ro*, True -*.concepttag.com.br*, True -*.concept-trans.com*, True -*.concerco.com*, True -*.concertina.se*, True -*.concesionariorenault.com*, True -*.concordiapescaeturismo.com.br*, True -*.concordiasocial.com.ar*, True -*.concrectus.cl*, True -*.concretecutter-rammer-stamper-babyroller.com*, True -*.concretepoetry.se*, True -*.concretewebdesign.com*, True -*.concretus.com.ar*, True -*.concursulvideoart.ro*, True -*.condensedmatters.org*, True -*.condesys.ch*, True -*.condesys.info*, True -*.condext.com*, True -*.condirom.com*, True -*.condisur.com.ar*, True -*.conditionmanager.co.uk*, True -*.condocoalharbour.com*, True -*.condocom.info*, True -*.condointernet.com.br*, True -*.condominio.com.br*, True -*.condominiodonalaura.cl*, True -*.condominionet.cl*, True -*.condominioolimpic.com.br*, True -*.condominiosierrazul.com.mx*, True -*.condomini.us*, True -*.condorconnect.net*, True -*.condortech.com.ar*, True -*.condortech-services.com.ar*, True -*.condo-wizard.com*, True -*.conductoressanosvaldo.cl*, True -*.condutagua.com*, True -*.conectaconsultores.es*, True -*.conectapp.mx*, True -*.conektra.cl*, True -*.coneng2.tk*, True -*.conetic.org*, True -*.conexao-br.net*, True -*.conexar.com.ar*, True -*.conexas.com.ar*, True -*.conexionpublicitaria.com.mx*, True -*.conexo.mx*, True -*.confabulary.com*, True -*.confarbled.net*, True -*.confartigianatofvg.it*, True -*.confcall.com.ar*, True -*.confeccionespame.cl*, True -*.confederatio.ch*, True -*.confeitariaquerencia.com.br*, True -*.conferencetime.com.au*, True -*.conference.to*, True -*.conferenciabasagliargentina.org*, True -*.conferenciapx.cf*, True -*.confessionsofashidduchdater.com*, True -*.configlinux.com*, True -*.config-receh.tk*, True -*.config-systems.com*, True -*.configvpn.gq*, True -*.confimed.com.br*, True -*.confiserie-rieben.ch*, True -*.confluencias.tk*, True -*.conflu.tk*, True -*.confortsicaldura.ro*, True -*.confort-total.com*, True -*.confrontationtuesday.com*, True -*.confudech.cl*, True -*.confusedprogrammer.com*, True -*.confusedprogrammer.info*, True -*.confusedprogrammer.net*, True -*.confusedprogrammer.org*, True -*.congchua.org*, True -*.congci.info*, True -*.congdanh.info*, True -*.congdongdotnet.tk*, True -*.congeladosartico.com*, True -*.congelifans.ch*, True -*.congfandi.com*, True -*.congofourct.com*, True -*.congosat.net*, True -*.congres-cqsr.ca*, True -*.congrescqsr.ca*, True -*.congresoeconomicas.com.ar*, True -*.congresohcn.com*, True -*.congresoingenieria.cl*, True -*.congresorh.mx*, True -*.congresoveterinaria.cl*, True -*.congrespneumo2014.ro*, True -*.conhoanggia.com*, True -*.conievallese.com*, True -*.conisoft.ro*, True -*.conjunction.net*, True -*.conklinfamily.com*, True -*.conlex.com.mx*, True -*.conley.ca*, True -*.conlinelectricalteesside.co.uk*, True -*.conmatic.eu*, True -*.connaughtenergy.ca*, True -*.connaughtsportsday.co.uk*, True -*.connectandsolve.com*, True -*.connectflour.com*, True -*.connectify.asia*, True -*.connection18.com*, True -*.connectionitnow.com*, True -*.connectitnow.com*, True -*.connectitnow.net*, True -*.connectitnow.org*, True -*.connectiva.com.au*, True -*.connectmediaprint.ro*, True -*.connectorltd.com*, True -*.connecttheworld.co.za*, True -*.connermcd.com*, True -*.connettiti.ch*, True -*.connexionconcepts.com*, True -*.conniewolverton.com*, True -*.connordickson.com*, True -*.connord.ro*, True -*.connorliam.com*, True -*.connware.com.br*, True -*.conorhackett.com*, True -*.conoscenza.tk*, True -*.conquercontabil.com.br*, True -*.conquerthesound.com*, True -*.conquienviajo.com.ar*, True -*.conquistarmarvao.pt*, True -*.conradbf.com*, True -*.conradi.name*, True -*.conradi.org*, True -*.conroc-technik.ch*, True -*.consautototal.ro*, True -*.conscientes.com.br*, True -*.conscientizeacao.com.br*, True -*.conseinsol.com*, True -*.conseinsol.com.mx*, True -*.conseinsol.mx*, True -*.conseinsol.org.mx*, True -*.consejosparatodos.com*, True -*.conselheirodigital.com*, True -*.conselheirodigital.net*, True -*.conselheirosdigitais.com*, True -*.conselheirosdigitais.com.br*, True -*.consemargroup.com.ve*, True -*.consensuscoin.org*, True -*.conservados.com.ar*, True -*.conservatoriodemusica.com.br*, True -*.con-server.com*, True -*.considerate.ch*, True -*.consiliereonline.ro*, True -*.consiliumgroup.biz*, True -*.conslav.com*, True -*.consol69.com*, True -*.console.cf*, True -*.consolehack.net*, True -*.consolibite.com*, True -*.consolibites.com*, True -*.consolibytes.com*, True -*.consolitechsolutions.com.au*, True -*.consonant.co.uk*, True -*.consorcioabierto.com.ar*, True -*.consorciosantacatarina.com*, True -*.consorcioslaplata.com.ar*, True -*.consorziovillagerosazza.it*, True -*.consoul.ro*, True -*.conspiracybrotha.com*, True -*.conspiracyornot.org*, True -*.conspiracypredictions.com*, True -*.conspiratii.ro*, True -*.conspirator.tk*, True -*.conspiron.com*, True -*.const54.ru*, True -*.constable.tk*, True -*.constant3d.com.au*, True -*.constanta-hub.ro*, True -*.constantiafiredept.org*, True -*.constantinsarbulescu.ro*, True -*.constantinsilviu.ro*, True -*.constant-pistonpumps.com*, True -*.constantruntime.com*, True -*.constellation7.org*, True -*.constnt.ru*, True -*.constrict.com.br*, True -*.construborges.com.br*, True -*.construccionaldia.cl*, True -*.construcciones.cf*, True -*.construccionesflf.cl*, True -*.construcciones.ga*, True -*.construccioneslycsa.com.ar*, True -*.construccionespenalopez.cl*, True -*.construccionyobrasciviles.cl*, True -*.constructii10sef.ro*, True -*.constructiongeneralebj.ch*, True -*.constructioninspections.co*, True -*.constructionwebcam.net*, True -*.constructoraalgarrobo.cl*, True -*.constructoracdu.cl*, True -*.constructoradelvalle.com*, True -*.constructoraidea.cl*, True -*.constructoramg.cl*, True -*.constructoranuevanos.cl*, True -*.constructorasada.mx*, True -*.constructora-sff.cl*, True -*.constructville.ro*, True -*.construgua.com*, True -*.construiestecuspor.ro*, True -*.construjosa.com*, True -*.construptive.com*, True -*.construtoracontrato.com.br*, True -*.construtoradantas.com.br*, True -*.construtoralarfabri.com.br*, True -*.construtoraplanex.com.br*, True -*.consuelocollao.cl*, True -*.consulgenia.com*, True -*.consulmexclg.com*, True -*.consulmexvan.com*, True -*.consultacostos.com.ar*, True -*.consultair.com.ar*, True -*.consultancy.si*, True -*.consultantacredite.ro*, True -*.consultantarchitecture.com*, True -*.consultantfiscaloradea.ro*, True -*.consultantoriflame.ro*, True -*.consultapsico.com.ar*, True -*.consultarla.info*, True -*.consultatecnica.es*, True -*.consultatii-ginecologice.ro*, True -*.consultatributos.com.br*, True -*.consultingandservice.cl*, True -*.consulting-as.com*, True -*.consulting-octopus.co.uk*, True -*.consulting-solutions.ro*, True -*.consultjm.com*, True -*.consultoracima.cl*, True -*.consultoradomino.com.ar*, True -*.consultoragb.com.ar*, True -*.consultorahrs.com.ar*, True -*.consultoraportas.com.ar*, True -*.consultorasuiza.cl*, True -*.consultoresbg.com.ar*, True -*.consultores.cl*, True -*.consultorescompras.com.ar*, True -*.consultorescorp.com*, True -*.consultoresemprender.cl*, True -*.consultoriasap.cl*, True -*.consultorioinforma.tk*, True -*.consultoriospiler.com.ar*, True -*.consultproperties.be*, True -*.consultrh.com.br*, True -*.consultservrh.com.br*, True -*.consumer.ch*, True -*.consumerclub.org*, True -*.consumerdiscount.org*, True -*.consumerlifestylereport.com*, True -*.consumerliteracy.co.za*, True -*.consumerprotectionlawyer.co.uk*, True -*.consumersalliance.org*, True -*.consumersrule.org*, True -*.consumer-voice.ro*, True -*.consumervoice.ro*, True -*.contab-asoc.cl*, True -*.contabilandrade.com.br*, True -*.contabilitate-autorizata.ro*, True -*.contabilitateautorizata.ro*, True -*.contacmail.com.mx*, True -*.contactbox.com.my*, True -*.contactme.cl*, True -*.contactocarrefour.com.ar*, True -*.contactojusto.com*, True -*.contactormurah.com*, True -*.contactostelefonicos.com*, True -*.contactplus.com.pk*, True -*.contactpoint7.in*, True -*.contactslinks.net*, True -*.contactswitch.com*, True -*.containersurabaya.com*, True -*.contano.com*, True -*.contanota.com.br*, True -*.contardo.cl*, True -*.contatti.info*, True -*.contattiproibiti.biz*, True -*.contattiproibiti.info*, True -*.contattiproibiti.net*, True -*.contem.bz*, True -*.contempoconcept.com*, True -*.contempo.org.au*, True -*.contentatplace.com*, True -*.contentdd.net*, True -*.contespi.com*, True -*.contexo.com.ve*, True -*.contexo.web.ve*, True -*.contextualise.com*, True -*.contiguo.us*, True -*.contimel.pt*, True -*.continentconstruct.md*, True -*.continent.kz*, True -*.continet.ch*, True -*.continuo.co.nz*, True -*.continuousdelivery.sg*, True -*.contodorespeto.cl*, True -*.contoh-rumah.com*, True -*.contohtenda.com*, True -*.contra-check.com*, True -*.contra-checker.com*, True -*.contracrise.com*, True -*.contracrise.net*, True -*.contract-assistant.com*, True -*.contractorspro.ca*, True -*.contradeditalia.eu*, True -*.contradeditalia.it*, True -*.contralasectas.com.ar*, True -*.contrans.cl*, True -*.contraprivatizacao.com.br*, True -*.contraser.cl*, True -*.contras.ro*, True -*.contre.ro*, True -*.contribute.sg*, True -*.contric.com*, True -*.contric.pl*, True -*.contrillion.com*, True -*.contrillion.xyz*, True -*.control2.com.ar*, True -*.control4sucks.com*, True -*.controlallrobots.com*, True -*.controlcentres.com*, True -*.controlclim.com.ar*, True -*.controldata.ro*, True -*.controlflow.com.mx*, True -*.controlit.tk*, True -*.controllaneo.it*, True -*.control-net.pl*, True -*.controlpc.com.ve*, True -*.controlphreaks.com*, True -*.controlprint.ro*, True -*.controlseneca.com*, True -*.controltotal.com.ar*, True -*.controlweb.com.ve*, True -*.controlzetaradio.com.ar*, True -*.convectores.es*, True -*.convenor.com.ar*, True -*.conventia-primarilor.ro*, True -*.conventiaprimarilor.ro*, True -*.convergenta.ro*, True -*.converging.info*, True -*.conversee.com*, True -*.convert-unix-time.com*, True -*.conveyancingmonkey.com*, True -*.conveyancingmonkey.com.au*, True -*.conveyormanufacture.com*, True -*.conveyormurah.com*, True -*.convierta.cl*, True -*.convivio.ch*, True -*.convocadosxelfutbol.com*, True -*.convocatoriaabierta.org*, True -*.convoj.se*, True -*.convos.co.za*, True -*.conwayautos.co.uk*, True -*.conway-farrell.co.uk*, True -*.co-occurring-directory.com*, True -*.co-occurring-intervention.com*, True -*.co-occurring-rehab.com*, True -*.cooccurringtreatment.com*, True -*.cooccurringtreatment.org*, True -*.cook4.ru*, True -*.cookberg.com*, True -*.cookbook-recipes.org*, True -*.cookeatdrinks.com*, True -*.cookerman.com*, True -*.cookerman.org*, True -*.cookhome.ch*, True -*.cookieaustin.com*, True -*.cookieclickergame.com*, True -*.cookiecraze.net*, True -*.cookiemonster.si*, True -*.cookiesanantonio.com*, True -*.cookiesday.com*, True -*.cookiests3.info*, True -*.cookingcalamities.com*, True -*.cookingrecipecentral.com*, True -*.cookingshenanigans.com*, True -*.cookinwithjulia.com*, True -*.cookmeshop.ru*, True -*.cookng.net*, True -*.cooksonranch.org*, True -*.cookwareinc.net*, True -*.cookwitheman.com*, True -*.cookworld.ru*, True -*.cooladai.com*, True -*.coolblingblingfood.com*, True -*.coolblog.gq*, True -*.coolchristmas.net*, True -*.coolcole.net*, True -*.cool.com.my*, True -*.coolcomputerguy.com*, True -*.coolcomputers.info*, True -*.coolcraft.org*, True -*.cooldessin.net*, True -*.coolery.com*, True -*.coolgeeks.co.nz*, True -*.coolgold.com.my*, True -*.coolhk.tk*, True -*.coolierobb.be*, True -*.coolindeed.com*, True -*.coolipodauctions.com*, True -*.coollink.org*, True -*.coolmagnets.co.il*, True -*.coolmaker.ru*, True -*.coolmarketing.ro*, True -*.coolmoviez.com*, True -*.coolmoviez.org*, True -*.coolnessinc.com*, True -*.coolobjective.com*, True -*.coolosphere.com*, True -*.cool-proxy.net*, True -*.coolschools.eu*, True -*.coolservername.cf*, True -*.coolsigns.org*, True -*.coolski.tk*, True -*.cooltechsurabaya.com*, True -*.cooltravelstuff.com*, True -*.cooltravelstuff.mobi*, True -*.coolwaterjewelry.com*, True -*.coolwaterjewelry.net*, True -*.coomber.co.za*, True -*.coompacto.cl*, True -*.cooo.li*, True -*.coop13dejulio.com.ar*, True -*.coopecaminantes.com.ar*, True -*.cooperativabeiraserra.pt*, True -*.cooperativadealbanchez.com*, True -*.co-operativ.ro*, True -*.cooper-first.com*, True -*.coopergay.cl*, True -*.coopergayenergy.cl*, True -*.cooperlisa.com*, True -*.coopersoft.in*, True -*.coopgiagnoni.com.ar*, True -*.coophigueras.com.ar*, True -*.coop-plc.pw*, True -*.co-opportunities.com*, True -*.cooproriz.pt*, True -*.coopsolidarite.org*, True -*.coopstu.com*, True -*.coopware.com.ar*, True -*.coopz.com.au*, True -*.coordinadoradelcorto.org*, True -*.coordinateit.com*, True -*.coorgcoffee.in*, True -*.coosbaynorthbend.info*, True -*.coosemansla.com*, True -*.coosen.nl*, True -*.cootamundrapokermachinebases.com*, True -*.cootamundrapokermachinebases.com.au*, True -*.cootes.org*, True -*.copacafepipa.com.br*, True -*.copaceticsoftware.com*, True -*.copaipa.org.ar*, True -*.copal.net.au*, True -*.copas.ml*, True -*.cop.dj*, True -*.copernicus.cl*, True -*.copflack.com*, True -*.copii-carucioare.ro*, True -*.copii-jucarii.ro*, True -*.copii-patuturi.ro*, True -*.copii-triciclete.ro*, True -*.copissaurio.com*, True -*.copolt.com*, True -*.copperandtools.com*, True -*.copperdragonbrewery.com*, True -*.copperdragon.co.uk*, True -*.coppergroupanama.com*, True -*.coppergroupcr.com*, True -*.coppergroupint.com*, True -*.coppergrouppanama.com*, True -*.coppergroup.us*, True -*.coppergroupusa.com*, True -*.copperphotography.net*, True -*.coppertools.com*, True -*.coppola.me.uk*, True -*.coprin.ch*, True -*.coprin.net*, True -*.copro.cl*, True -*.copro.com.ar*, True -*.coprosamen.org.ar*, True -*.copse.de*, True -*.copycon.es*, True -*.copyfighter.org*, True -*.copyjack.info*, True -*.copyloft.com*, True -*.copyprint.com.ar*, True -*.copyred.com.ar*, True -*.copyrightwatch.ca*, True -*.copytrading.ro*, True -*.copy-up.com*, True -*.coqueterialalola.cl*, True -*.coracaoadorador.com.br*, True -*.coradir.com.ar*, True -*.coral-shop.ro*, True -*.coras.com.ar*, True -*.corasgroup.com*, True -*.corazondenino.com.ar*, True -*.corbanet.com.br*, True -*.corbangt.com*, True -*.corbec.net.id*, True -*.corbelle.com*, True -*.corbelle.net*, True -*.corbinwedding.com*, True -*.corcaribe.com*, True -*.corderoseguros.cl*, True -*.cordilleradelmaipo.com*, True -*.cordisma.com*, True -*.cordobadigital.com.ar*, True -*.cordobel.com*, True -*.cordy-online.com*, True -*.core-1-analytics.com*, True -*.core4training.com*, True -*.corea.is*, True -*.corebox.se*, True -*.corecloud.org*, True -*.core-dev.com*, True -*.core-dumped.info*, True -*.corega.ro*, True -*.coreitservices.com.au*, True -*.corelabs.net*, True -*.corelinux.tk*, True -*.corelogics.de*, True -*.corepanic.com*, True -*.corepanic.net*, True -*.coresaas.com*, True -*.coreshadows.com*, True -*.coresoft.ro*, True -*.coresporttherapy.co.uk*, True -*.core-stack.cl*, True -*.corestack.cl*, True -*.core-stack.com*, True -*.core-stack.net*, True -*.coretan-kecil.com*, True -*.coretan-mambang.my*, True -*.coretegy.co.kr*, True -*.corex.se*, True -*.coreyblair.com*, True -*.coreyblair.net*, True -*.coreyblair.us*, True -*.coreycallis.com*, True -*.coreyclarkphd.com*, True -*.coreyfro.com*, True -*.coreyjew.com*, True -*.coreytech.com*, True -*.corfu-corfu.com*, True -*.corfudaily.gr*, True -*.corgicam.com*, True -*.coricraft-mail.co.za*, True -*.corinacervejas.com.br*, True -*.corinatruck.cl*, True -*.corine-david.ch*, True -*.coriolis.co.il*, True -*.corio.si*, True -*.corkwireless.com*, True -*.corlat.com*, True -*.corme.eu*, True -*.cormierphotography.com*, True -*.cormierphotography.net*, True -*.cormiersa.com*, True -*.cormiers.name*, True -*.corndaddy.com*, True -*.cornejo.cl*, True -*.cornel.co.za*, True -*.cornellponds.tk*, True -*.cornerdrawers.com*, True -*.cornerdrawers.com.au*, True -*.cornerstoneautosys.co.uk*, True -*.cornhouseconsulting.com*, True -*.cornishandco.co.uk*, True -*.cornudellalopez.cat*, True -*.corodecamaramozart.cl*, True -*.corodesdeelalma.com.ar*, True -*.coro-matrimonio.cl*, True -*.coro-matrimonios.cl*, True -*.coronadoquesada.com.ar*, True -*.coronarycare.com*, True -*.coronelhq.org*, True -*.corovon.net*, True -*.coroyorquesta.ga*, True -*.corp-aapl.com*, True -*.corpasi.com*, True -*.corpasin.com.mx*, True -*.corpcare.com.au*, True -*.corpdbsystems.com*, True -*.corpforces.com*, True -*.corpo-divino.si*, True -*.corpofname.pw*, True -*.corporacionamarillo.com*, True -*.corporacionatel.com.ve*, True -*.corporatebackup.co.uk*, True -*.corporatedining.biz*, True -*.corporatediningconcepts.biz*, True -*.corporatediningconcepts.net*, True -*.corporateforces.com*, True -*.corporater.ro*, True -*.corporatetravelacademy.ru*, True -*.corporationofthings.com*, True -*.corporationofthings.info*, True -*.corporationofthings.net*, True -*.corporationofthings.org*, True -*.corporativoomega.com*, True -*.corpres.info*, True -*.corptechserv.co.za*, True -*.corptransmaq.com.ve*, True -*.corpuslibros.com*, True -*.corpuslibros.com.ar*, True -*.corralcarnes.com*, True -*.correiadesa.com.br*, True -*.correodigital.com.ar*, True -*.correo.ga*, True -*.correo.im*, True -*.correotegra.com*, True -*.correotegra.net*, True -*.correotegra.org*, True -*.corrersa.com*, True -*.corrersa.com.ar*, True -*.corrgsenterprise.tk*, True -*.corribcelticfc.net*, True -*.corridatribuna.com.br*, True -*.corrieredirigutino.tk*, True -*.corrieribari.it*, True -*.corrigan.tk*, True -*.corrigatrix.ch*, True -*.corruptedqc.com*, True -*.corrupt.ga*, True -*.corrupt.ml*, True -*.corruptplanet.com*, True -*.corrupt.tk*, True -*.corsaire-chaparal.org*, True -*.corsale.ru*, True -*.corsani.ch*, True -*.corseccofandahuaylas2015.com*, True -*.corsicath.be*, True -*.cortex.gr*, True -*.cortez.ro*, True -*.corticalstim.ca*, True -*.corticomuliasejahtera.com*, True -*.cortinadosmartini.com.ar*, True -*.coruhlu.com*, True -*.coruia.ro*, True -*.corum.com*, True -*.corvax.lv*, True -*.corve.ca*, True -*.corvettegadgetman.com*, True -*.corvetti.com*, True -*.cory.ch*, True -*.coryreid.tk*, True -*.corzinejax.com*, True -*.corzntin.fr*, True -*.cosap.co*, True -*.cos.as*, True -*.cosasdechicas.co*, True -*.coseprosa.com*, True -*.cosmaped.ro*, True -*.cosmetek.com.au*, True -*.cosmeticeparfumuri.ro*, True -*.cosmetic.is*, True -*.cosmetics.hk*, True -*.cosmeticstar.ru*, True -*.cosmicbans.ga*, True -*.cosmicduck.net*, True -*.cosmicmystic.org*, True -*.cosmic.net.br*, True -*.cosmicoutpost.net*, True -*.cosmicperformance.com*, True -*.cosmicwarlords.com*, True -*.cosminilie.ro*, True -*.cosmin-matei.tk*, True -*.cosminpop.ro*, True -*.cosmoage.com*, True -*.cosmoc-design.com*, True -*.cosmocomet.com*, True -*.cosmofest.ru*, True -*.cosmopal.com*, True -*.cosmopulse.net*, True -*.cosmosglass.gr*, True -*.cosmosgrandeur.com*, True -*.cosmosis.org*, True -*.cosmosmariner.com*, True -*.cosmoso.net*, True -*.cosmosonline.com.ar*, True -*.cosmosproperties.gr*, True -*.cosmos.zone*, True -*.cosmote-partener.ro*, True -*.cosodablast.com*, True -*.cospandy.com*, True -*.cosper.cl*, True -*.cosplaybr.com.br*, True -*.cosplaybr.net*, True -*.cossa-cottingsa.ch*, True -*.cossutta.com.ar*, True -*.costaaguacates.com.ar*, True -*.costainteriors.com*, True -*.costalevanovich.com.ar*, True -*.costanera241.tur.ar*, True -*.costarockane.nl*, True -*.costasky.co.uk*, True -*.costasur.cl*, True -*.costelantohi.com*, True -*.costofliving.co.za*, True -*.costruzioni-galvani.com*, True -*.costumanzevenete.net*, True -*.costumebotez.ro*, True -*.costume-nationale.ro*, True -*.costumenationale.ro*, True -*.costumeportfolios.co.uk*, True -*.costumesweetie.com*, True -*.costurice.com.br*, True -*.co-systems.com.ar*, True -*.cosytimes.com*, True -*.cotacaoecompra.com*, True -*.cotatca.net*, True -*.cotbm.com*, True -*.coteboheme.ch*, True -*.cote.cf*, True -*.cotefga.cf*, True -*.cotham.tk*, True -*.coth.tv*, True -*.cotisalazar.com.ar*, True -*.cotizadorexecutive.com.ar*, True -*.cotizadorggcc.com.ar*, True -*.cotizadoronline.com.ar*, True -*.cot.lt*, True -*.cotmakers.com*, True -*.cotnyl.com.ar*, True -*.cotoperi.net.ve*, True -*.cotreco.it*, True -*.cottagecontrol.co.uk*, True -*.cottam.net.au*, True -*.cottamrealty.com.au*, True -*.cottle2015.com*, True -*.cotton-art.pt*, True -*.cottonwoodpictures.com*, True -*.couda.ch*, True -*.couderc.eu*, True -*.couleurs-nature.ch*, True -*.coulibaly.ch*, True -*.council1372.org*, True -*.counsellinginmelbourne.com.au*, True -*.countall.info*, True -*.counterstrike16.ml*, True -*.counter-strike.ca*, True -*.counterstrike.ca*, True -*.counterstrikego.tk*, True -*.countingteeth.com*, True -*.countonbob.com*, True -*.countryhillsrentals.com*, True -*.countrykitchenbuffet.com*, True -*.countrypinesmotel.com*, True -*.countrypinesmotel.com.au*, True -*.countryproduce.com.au*, True -*.countrysidecurbappeal.com*, True -*.country-story.com*, True -*.countrywholesalegroup.com.au*, True -*.countymarquees.co.uk*, True -*.countyohio.biz*, True -*.countyohio.com*, True -*.countyohio.info*, True -*.countyohio.net*, True -*.countyohio.org*, True -*.coup-decoeur.ch*, True -*.couples-ideas.com*, True -*.couponscanada.com*, True -*.coupontong.com*, True -*.courageouscooking.com*, True -*.courantalumni.org*, True -*.courchevelnannies.com*, True -*.courier-it.co.za*, True -*.courierquote.co.za*, True -*.couriertechnologies.net*, True -*.couroecologico.com.br*, True -*.coursefree.cf*, True -*.coursesandtrainingaustralia.com*, True -*.coursesandtrainingaustralia.net.au*, True -*.coursexchange.me*, True -*.courtenaybaptist.com*, True -*.courteye.com*, True -*.court-jester.org*, True -*.court.sg*, True -*.courtstonga.to*, True -*.courttavern.com.au*, True -*.coutino.org*, True -*.couvreurseverest.com*, True -*.covalency.com.au*, True -*.covenantofkernunnos.org*, True -*.coverdalelocalmarket.com*, True -*.covered-bases.com*, True -*.cover-sagi.co.il*, True -*.covertpost.com*, True -*.covertusa.com*, True -*.coverview.ca*, True -*.covezut.cf*, True -*.covi.com.ar*, True -*.covivalism.com*, True -*.covivalist.org*, True -*.cow1.tw*, True -*.cowanfamily.com.au*, True -*.cowboymayor.com*, True -*.cowboys.si*, True -*.cowboyupforchrist.org*, True -*.cowfields.uk*, True -*.cowher.com*, True -*.cowher.net*, True -*.cowietax.com*, True -*.cowin-eng.com*, True -*.cowjokes.org*, True -*.cowofinder.com*, True -*.cowo.ninja*, True -*.coworkingcartagena.com*, True -*.coworkingcartagena.es*, True -*.coworkingconsultores.cl*, True -*.coworkingprojectrc.it*, True -*.cowvstrain.com*, True -*.cowyell.com*, True -*.coxfamilymedia.com*, True -*.coxincider.co.uk*, True -*.coxinscider.com*, True -*.coxleyplayers.uk*, True -*.coxmetrics.com*, True -*.coxnetworks.co.uk*, True -*.coybu.com*, True -*.coylefamily.co.uk*, True -*.coyotecave.us*, True -*.coyoterw.com*, True -*.cozanick.co.za*, True -*.coza.ro*, True -*.cozasolutions.ro*, True -*.coziet.com*, True -*.cozinhadosdaza.com*, True -*.cozonacicalzi.ro*, True -*.cozorganic.com*, True -*.cozumelminisub.com*, True -*.cozzarolosnc.it*, True -*.cp8wiki.com*, True -*.cpabright.com*, True -*.cpacapture.com*, True -*.cpakay.com*, True -*.cpanelbackups.net*, True -*.cpanel.sh*, True -*.cpanel-x.club*, True -*.cpanel-x.com*, True -*.cpanel-x.org*, True -*.cpanhq.org*, True -*.cpasbruocmw.be*, True -*.cpatch.org*, True -*.cpbrand.com.my*, True -*.cpburnz.name*, True -*.cpc401k.com*, True -*.cpcemdz.org.ar*, True -*.cpcemza.org.ar*, True -*.cpc-sa.com.ar*, True -*.cpct.com*, True -*.cpcvpn.ml*, True -*.cpd-bt.com*, True -*.cpd-go.com*, True -*.cpdialoga.com*, True -*.cpd-tt.com*, True -*.cpdwell.co.za*, True -*.cpd-y2k.com*, True -*.cpe-online.ro*, True -*.cpetw.tk*, True -*.cpfyd.com.ar*, True -*.cpgnews.info*, True -*.cpgratis.com*, True -*.cpia.org.ar*, True -*.cpichile.cl*, True -*.cpjmedford.org*, True -*.cpl0.net*, True -*.cplatam.com*, True -*.cpleft.com*, True -*.cplimpezas.com*, True -*.cplust.com*, True -*.cpma.cc*, True -*.cpmecatronica.cl*, True -*.cpmeduca.com*, True -*.cpmeyer.net*, True -*.cpmoloto.co.za*, True -*.cpms.imb.br*, True -*.cpnn-usa.org*, True -*.cpnorte.cl*, True -*.cpocelearning.com.my*, True -*.cportal.ir*, True -*.cpp77.com*, True -*.cppse.nl*, True -*.c-programmer.co.uk*, True -*.c-programmer.pro*, True -*.cpsi-rescue.us*, True -*.cps-retail.ru*, True -*.cpss.com.ar*, True -*.cptelco.com*, True -*.cptnyc.com*, True -*.cpts.me*, True -*.cpub.ir*, True -*.cpublication.ir*, True -*.cpumd.info*, True -*.cpvinmobiliaria.cl*, True -*.cpya.cl*, True -*.cqara.org.au*, True -*.cqbike.org*, True -*.cq.co.kr*, True -*.cqmq.com*, True -*.cqrite.com*, True -*.cquality.ir*, True -*.cquick.ca*, True -*.cr00t.cc*, True -*.cr1tterp0wer.com*, True -*.cr34.com*, True -*.cr3ew.hk*, True -*.craban.de*, True -*.crabdance.com*, True -*.crabdancemc.com*, True -*.crabdevel.org*, True -*.crabriones.com.ar*, True -*.crabtrace.com*, True -*.craciun.ca*, True -*.crackcats.com*, True -*.crackdb.ro*, True -*.crackedsidewalks.com*, True -*.crackman.net.au*, True -*.crackpottechnologies.com*, True -*.crackthenut.net*, True -*.craftbay.tk*, True -*.craftedbyauntyem.com*, True -*.craftit.xyz*, True -*.craftlj.tk*, True -*.craftmafia.nl*, True -*.craft.net.br*, True -*.craftunturned.tk*, True -*.craftyanarchy.net*, True -*.craftyhour.com*, True -*.craftykatie.org*, True -*.craftyknitters.co.uk*, True -*.crafty-mamas.com*, True -*.craftynotions.co*, True -*.craftysourcing.com*, True -*.crai-elba.it*, True -*.craigboas.com*, True -*.craigedgar.com*, True -*.craightonhess.co.uk*, True -*.craigie.tk*, True -*.craigjohnson.org*, True -*.craigkeen.com*, True -*.craigkoster.org*, True -*.craigkrauss.us*, True -*.craiglandthemeparks.com*, True -*.craigmont.co.uk*, True -*.craigsho.me*, True -*.craincontrols.com.au*, True -*.crama.com.br*, True -*.cramapietroasa.ro*, True -*.cramer-family.com*, True -*.cramnet.fi*, True -*.cranbest.com*, True -*.cranbury.info*, True -*.cranfan.ru*, True -*.crankycycles.com*, True -*.crantime.org*, True -*.craponomy.com*, True -*.crappyanswers.com*, True -*.crappysoftware.com*, True -*.c-r-a.ru*, True -*.crasherfox.eu*, True -*.crashpecas.com*, True -*.crashsite.com.ar*, True -*.cratergames.com*, True -*.cravat-club.com*, True -*.cravecookies.com.au*, True -*.craventest.tk*, True -*.craveopolis.com*, True -*.cravingsbakery.in*, True -*.cravology.com*, True -*.cravopolis.com*, True -*.crawfishcam.com*, True -*.crawfordhouse.org.uk*, True -*.crawlcast.com*, True -*.crazetube.net*, True -*.crazyboyzz-designs.com*, True -*.crazycat.ro*, True -*.crazycoders.cf*, True -*.crazygiant.net*, True -*.crazyhipster.ml*, True -*.crazyirish.ca*, True -*.crazyjimsauto.com*, True -*.crazyowen.com*, True -*.crazypixie.net*, True -*.crazyscoot.ch*, True -*.crazyserver.net.au*, True -*.crazysoft-software.tk*, True -*.crazyspaces.net*, True -*.crazytech.co*, True -*.crazyviny.ru*, True -*.crbaucom.com*, True -*.crcompeticion.com*, True -*.crcomputers.com.ar*, True -*.crconsultor.cl*, True -*.crcrv.ca*, True -*.crctvn.org*, True -*.crddedic.cc*, True -*.crdtech.com*, True -*.cre8tions.co.za*, True -*.creaddo.ro*, True -*.creaesthetic.com*, True -*.creaform3d.cl*, True -*.creamofcrop.com*, True -*.creandobaires.com.ar*, True -*.creanga.ro*, True -*.crearbuenosaires.com*, True -*.crearpintando.com.ar*, True -*.crearunblogfacil.es*, True -*.creasannah.ch*, True -*.creatablemusic.com.au*, True -*.createalogoforfree.net*, True -*.createawards.com.au*, True -*.createdin.asia*, True -*.create-org.com*, True -*.createsoftware.gr*, True -*.creatichile.cl*, True -*.creatinggreatsmiles.ca*, True -*.creatingsmiles.ca*, True -*.creationguild.com*, True -*.creationsflorales.ch*, True -*.creations.ro*, True -*.creativeacademy.us*, True -*.creativebooster.ro*, True -*.creativecape.co.za*, True -*.creativecloud.xyz*, True -*.creativecommunityliving.org*, True -*.creativeconnexion.co.za*, True -*.creativecookies.net*, True -*.creativecrap.com*, True -*.creativeedgesigns.net*, True -*.creativeenvironments.com*, True -*.creativeexplorers.com*, True -*.creativefriday.ro*, True -*.creativegt.ml*, True -*.creativekimmie.com*, True -*.creativekimmie.com.au*, True -*.creativelight.com.br*, True -*.creativelighting.co.za*, True -*.creativemarketid.com*, True -*.creativemedia.ir*, True -*.creativemoneyservices.com*, True -*.creative-people.it*, True -*.creativetourism.org*, True -*.creatividadhd.com.ar*, True -*.creativtorten.ch*, True -*.creatrixevent.com*, True -*.creatureswiki.net*, True -*.creatureswiki.org*, True -*.creavit.cl*, True -*.crecermetan.com.ar*, True -*.crediario.com.ar*, True -*.crediexpress.com.ar*, True -*.credintasilumina.org*, True -*.credintasilumina.ro*, True -*.creditcall.eu*, True -*.creditcart.org*, True -*.credit-cluj.ro*, True -*.creditcom.hu*, True -*.creditepersoanefizice.ro*, True -*.creditgroup.ro*, True -*.creditinfoguide.com*, True -*.creditir.com*, True -*.crediti.su*, True -*.creditmaking.com*, True -*.credit-mgmt.biz*, True -*.creditpark.net*, True -*.creditperfect.md*, True -*.creditscorerelease.com*, True -*.creditwmz.com*, True -*.creditzone.ru*, True -*.credivip.com.ar*, True -*.credo-holidays.com*, True -*.credwallet.com*, True -*.cr-eed.com*, True -*.creedscorner.com*, True -*.creedsphone.tk*, True -*.creemers.eu*, True -*.creeperbegone.com*, True -*.creeperbyproxy.com*, True -*.creepersbegone.com*, True -*.creepycute.co.za*, True -*.creer-app.ga*, True -*.creers-films.md*, True -*.creery.org*, True -*.creeye.com*, True -*.cre.gs*, True -*.creionulfermecat.ro*, True -*.cremcomm.com.au*, True -*.cremerius.com.ar*, True -*.cremerius.com.br*, True -*.cremnet.ru*, True -*.cremolinea.com*, True -*.cremonasa.ch*, True -*.crenshawmaildepot.com*, True -*.crerar.io*, True -*.crescendo-ro.com*, True -*.crescentoaksapartments.com*, True -*.crespo.org.ve*, True -*.cresso.org*, True -*.cresswickgardensholidayunits.com*, True -*.cresta.se*, True -*.crestcorp.in*, True -*.crestpoint.in*, True -*.cretaestate.nl*, True -*.crete-crete.com*, True -*.crevanbradshaw.com*, True -*.crewelworld.tk*, True -*.crewkong.com*, True -*.crewvalue.cl*, True -*.c-rex.biz*, True -*.crexexport.com.ar*, True -*.crf-firstchoice.com*, True -*.crglobalbusiness.com*, True -*.criaderolospicasos.com.ar*, True -*.criaderosantarosa.com.ar*, True -*.criaderosargentinos.com*, True -*.criamor.cl*, True -*.criancafeliz.net.br*, True -*.criandomu.net*, True -*.criaracaixas.com.br*, True -*.criarfazergratis.com*, True -*.criarfazervideos.com*, True -*.criarinstagram.com.br*, True -*.cribbble.com*, True -*.cribsbacau.ro*, True -*.cricboard.tk*, True -*.crichard.tk*, True -*.crico.com.ar*, True -*.cric.tk*, True -*.crimen.cl*, True -*.crimescene.ro*, True -*.crimin.al*, True -*.criminal.cf*, True -*.criminalistica.cl*, True -*.crimson-cap.com*, True -*.crimsontideguild.com*, True -*.crinart.ro*, True -*.crio-lipolisis.cl*, True -*.criollomarket.tk*, True -*.cris654.com*, True -*.crisdantas.com.br*, True -*.crisfe.org*, True -*.crisiscourier.net*, True -*.crisiscourier.org*, True -*.crismiranda.net*, True -*.crispexi.com*, True -*.crispexi.net*, True -*.crispianconsulting.com*, True -*.crispolasso.com*, True -*.crispybbq.net*, True -*.crispybbq.nz*, True -*.cristache.tk*, True -*.cristaleriacrib.es*, True -*.cristalprint.ro*, True -*.cristianandino.com.ar*, True -*.cristianemagalhaes.adv.br*, True -*.cristianezri.ro*, True -*.cristiangallo.com.ar*, True -*.cristianmachado.com.ar*, True -*.cristianmarquez.com.ar*, True -*.cristianpinto.cl*, True -*.cristianrodriguez.com.ar*, True -*.cristianvelozo.cl*, True -*.cristids.ro*, True -*.cristinaalexe.ro*, True -*.cristinacentenaro.com.ar*, True -*.cristinamalhao.pt*, True -*.cristinanarvaez.com.ar*, True -*.crististreulea.ro*, True -*.cristobalmartinez.cl*, True -*.criswal.ro*, True -*.criterioseguros.com.ar*, True -*.criticalcommunications.us*, True -*.criticalengineering.org*, True -*.critici.ro*, True -*.critterranch.com*, True -*.crivellicarvalho.com.br*, True -*.crivellico.com.br*, True -*.crivelli.com.br*, True -*.crivelli.info*, True -*.crivelli.me*, True -*.crlear.me*, True -*.crlemailer.com*, True -*.crlemailer.org*, True -*.cr-lf.tk*, True -*.crm2015.ir*, True -*.crm2go.net*, True -*.crmbest.ru*, True -*.crmcontracting.ca*, True -*.crmexk.com*, True -*.crmexpress.ir*, True -*.crm-net.ru*, True -*.crmpathways.com*, True -*.crmx.us*, True -*.crnamacka.si*, True -*.crnitro.com*, True -*.cro-123.com*, True -*.croakerhome.com*, True -*.croata.cl*, True -*.croatianholidays.eu*, True -*.croatievacances.net*, True -*.crobson.ca*, True -*.crocante.cl*, True -*.croftersmail.co.uk*, True -*.crofters.me.uk*, True -*.croftmail.com*, True -*.croitoriasiladi.ro*, True -*.crolev.com*, True -*.cromartyfirthservices.co.uk*, True -*.cromer.us*, True -*.cromix.com.ar*, True -*.crommus.com.br*, True -*.cromoduro.com.mx*, True -*.cronamail.se*, True -*.crona-sjostedt.se*, True -*.cronicasdelperu.com*, True -*.cronist.cf*, True -*.cronolecco.org*, True -*.cronometre.ro*, True -*.cronoscomputacion.com.ar*, True -*.cronosconsult.com.br*, True -*.cronusag.de*, True -*.crookedfang.org*, True -*.crooksandstraights.com*, True -*.crops.ro*, True -*.croqomiel.com*, True -*.croqueau.ch*, True -*.croradiosydney.com.au*, True -*.crosbie1.cl*, True -*.crosmed.cl*, True -*.crosoie.net*, True -*.crosph.net*, True -*.crossan007.com*, True -*.crossdate.se*, True -*.crossfitkonka.co.nz*, True -*.crossfitlogic.com.au*, True -*.crossgym.ro*, True -*.crossharbour.com*, True -*.crossiapp.com.ar*, True -*.crossingoverland.com*, True -*.cross-manager.com*, True -*.crossmanconstruction.ca*, True -*.crossofchange.org*, True -*.crossovertech.asia*, True -*.crossproduction.net*, True -*.crosssoldiers.org*, True -*.crosswap.tk*, True -*.crosswayshotel.com.au*, True -*.crosswire.com.my*, True -*.crosswordchurch.org.za*, True -*.crossworldtel.com*, True -*.crovettoabogados.com.ar*, True -*.crowbarland.com*, True -*.crowdcam.cl*, True -*.crowded.in*, True -*.crowdedspace.com.au*, True -*.crowdharmony.com*, True -*.crowdofgoons.com*, True -*.crowdsauce.me*, True -*.crowesabode.com*, True -*.crowlazy.es*, True -*.crownaceuk.com*, True -*.crownandbridgecentre.com*, True -*.crown-coin.com*, True -*.crownprints.co.uk*, True -*.crown-sales.com*, True -*.crowscience.com*, True -*.crozet.com.ar*, True -*.crp66.com*, True -*.cr-pl.com.pk*, True -*.crq.com*, True -*.crrcgc.club*, True -*.crr.co.za*, True -*.crris.info*, True -*.cr.rs*, True -*.crs-1004.com*, True -*.crs-1515.com*, True -*.crs-2014.com*, True -*.crs-77.com*, True -*.crs-7979.com*, True -*.crs-8585.com*, True -*.crs-90.com*, True -*.crs-999.com*, True -*.crsales.net.au*, True -*.crstransport.com*, True -*.crt0x-team.tk*, True -*.crt.bz*, True -*.crucialcomputing.com*, True -*.crucialtechs.com*, True -*.crudcubucurie.ro*, True -*.crudus.org*, True -*.cruel.ml*, True -*.cruise4sex.com*, True -*.cruiseagainstcancer.org*, True -*.cruisecontrolcloud.com*, True -*.cruisedemo.ru*, True -*.cruiseholidaysgc.com.au*, True -*.cruise-online-portal.com*, True -*.cruiseryacht.eu*, True -*.cruise-thailand.com*, True -*.cruma.org.au*, True -*.crumbcakes.com.au*, True -*.crumpton.tk*, True -*.crumz.ca*, True -*.crunchtown.co*, True -*.crunchy-frog.org*, True -*.crunchyhead.com*, True -*.crunchyuser.co.uk*, True -*.crusable.com*, True -*.crushaf.net*, True -*.crushfarm.cf*, True -*.crushglass.ca*, True -*.crushsoccer.net*, True -*.crushthefarm.cf*, True -*.crusoesolutions.com*, True -*.crusoesolutions.com.au*, True -*.cruwer.com.br*, True -*.cruzandinazapalasa.com.ar*, True -*.cruzeiros.com.br*, True -*.cruzenonline.com*, True -*.cruz-family.ws*, True -*.cruzinmackay.com.au*, True -*.crweb.ca*, True -*.cr-web.info*, True -*.crx.nu*, True -*.crypt1k.com*, True -*.cryptellegram.com*, True -*.crypticvoyage.com*, True -*.cryptocard.com.br*, True -*.cryptocurrencyid.org*, True -*.cryptolect.net*, True -*.cryptomagnet.com*, True -*.cryptonet.tk*, True -*.cryptonote.biz*, True -*.cryptonote.eu*, True -*.cryptparty.com*, True -*.cryptter.com*, True -*.crypt.to*, True -*.crypturtl.com*, True -*.cryptyc.nl*, True -*.cryst.al*, True -*.crystalbercario.com.br*, True -*.crystalcityhotel.com.my*, True -*.crystalconsulting.eu*, True -*.crystaldev.cl*, True -*.crystalfilmy.com*, True -*.crystalfontz.hk*, True -*.crystaljuggler.com*, True -*.crystalrealm.org*, True -*.crystalsanddreams.com*, True -*.crystal-system.ch*, True -*.crystal-system.md*, True -*.crystalsystem.ro*, True -*.crzygk.com*, True -*.csabygaby.ga*, True -*.csait.ch*, True -*.csatpk.com*, True -*.csb52.tk*, True -*.csbg.ga*, True -*.csbu.com*, True -*.csc22.com*, True -*.csch.com.ar*, True -*.csci.ch*, True -*.csdarturoprat.cl*, True -*.csdconsulting.ca*, True -*.csdeportivomerlo.com*, True -*.csdeportivomerlo.com.ar*, True -*.csdgroup.ca*, True -*.csdhome.info*, True -*.csdue.it*, True -*.csfr-inside.com*, True -*.csgesolutions.com*, True -*.csgopool.com*, True -*.csgovn.tv*, True -*.csgtopsupplychain.ro*, True -*.csharp.in*, True -*.csherring.com*, True -*.c-s.hk*, True -*.cshopbd.com*, True -*.csh.ro*, True -*.cshwv.com*, True -*.csigear.com*, True -*.csikihirlap.ro*, True -*.csinvestigators.com*, True -*.csirocareclayton.org.au*, True -*.csis-elca.org*, True -*.csky-itguy.net*, True -*.csl-infra.co.uk*, True -*.csmulti.tk*, True -*.csmv.cl*, True -*.csnaccountants.com*, True -*.csnate.com*, True -*.csnet.gq*, True -*.csnetwork.web.id*, True -*.csnw.us*, True -*.csocorp.com*, True -*.csosbee.com*, True -*.cspantidaki.gr*, True -*.cspcorp.com*, True -*.cs-pro.biz*, True -*.csproject.org*, True -*.csproj.net*, True -*.cspro.pk*, True -*.csqlplus.org*, True -*.csraclassifieds.com*, True -*.csrclub.info*, True -*.csrclub.ru*, True -*.csr-rio.com*, True -*.css-button-generator.com*, True -*.cssdesign.info*, True -*.css-kr.com*, True -*.csstech.co.uk*, True -*.cst39.com*, True -*.cstang.hk*, True -*.c-stb.ru*, True -*.cst-ltda.cl*, True -*.cstn.us*, True -*.cstoilandgas.com*, True -*.cstonemedical.biz*, True -*.cstrainingmotors6.com*, True -*.cstrainingmotors7.com*, True -*.cstrainingmotors8.com*, True -*.cstrainingmotors9.com*, True -*.csttogo.org*, True -*.csudo.com*, True -*.csunoffcampus.com*, True -*.csust.tk*, True -*.csvbrant.ca*, True -*.csvconstructora.cl*, True -*.csvobjects.org*, True -*.csw.co.za*, True -*.cswift.tk*, True -*.ct1.us*, True -*.ctalicuza.ro*, True -*.ctat.co.za*, True -*.ctb74.com*, True -*.ctb95.com*, True -*.ctcraft.com*, True -*.ctechmedianewscom.co*, True -*.ctechmediareportcom.co*, True -*.ctegp.com.br*, True -*.cteolaw.com*, True -*.cth42.net*, True -*.cthatmedianewscom.co*, True -*.cthchile.cl*, True -*.cthchile.com*, True -*.cthismedianewscom.co*, True -*.cthulhu.li*, True -*.ctice.net*, True -*.ctillustrated.com*, True -*.cti-ship.org*, True -*.ctm.com.ar*, True -*.ctmine.tk*, True -*.ctmls.com*, True -*.ctmnordeste.com.br*, True -*.ctmsrl.com.ar*, True -*.ct-nc.com*, True -*.ctotw.tw*, True -*.ctowns5.com*, True -*.ctpcordoba.com.ar*, True -*.ctrac.biz*, True -*.c-trade.com.au*, True -*.ctremote123.com*, True -*.ctrl-c.io*, True -*.ctrl-c.us*, True -*.ctrlp.ro*, True -*.ctrlr.us*, True -*.ctrown.com*, True -*.ctrown.net*, True -*.ctrw.net*, True -*.ctsantabarbara.com*, True -*.ctscement.com.au*, True -*.ctscement.net.au*, True -*.ctseabees.net*, True -*.cts.hr*, True -*.ctsrapidsetcement.com*, True -*.ctsrapidset.com*, True -*.ctsrapidset.com.au*, True -*.ctvnet.ch*, True -*.ctvnet.com.br*, True -*.ctvoicer.com.br*, True -*.ctvs.md*, True -*.ctwebstudios.com*, True -*.ctx.cl*, True -*.ctzbrasil.com*, True -*.cua44.com*, True -*.cua55.com*, True -*.cua66.com*, True -*.cua77.com*, True -*.cua99.com*, True -*.cuack.cl*, True -*.cuack.org*, True -*.cuadernodecampoygastos.com*, True -*.cuadernosenblanco.com*, True -*.cualeselseitan.es*, True -*.cualesmistock.com*, True -*.cuandomevino.com*, True -*.cuantik.ga*, True -*.cuantoreclamo.cl*, True -*.cuantotengoquepagar.com.ar*, True -*.cuartetonumen.com.ar*, True -*.cuartosyparedes.com*, True -*.cuatrocumbres.cl*, True -*.cuatrofdigital.info.ve*, True -*.cubaofferte.it*, True -*.cube147.com*, True -*.cube147.net*, True -*.cube-77.com*, True -*.cubecast.ro*, True -*.cubeclan.ch*, True -*.cube-gg.com*, True -*.cube-oo.com*, True -*.cubepost.co.kr*, True -*.cuberootent.com*, True -*.cubespaincraft.es*, True -*.cubesphere.net*, True -*.cubeupload.com*, True -*.cubierta-mi-piscina.es*, True -*.cubinium.org*, True -*.cubitics.com*, True -*.cucax.ml*, True -*.cucek.net*, True -*.cucimulut.com*, True -*.cucinato.info*, True -*.cucograph.com*, True -*.cuculik.tk*, True -*.cucumbererror.com*, True -*.cucunguxs.ml*, True -*.cudalumping.com*, True -*.cuddles.ga*, True -*.cudetoate.eu*, True -*.cudleecreekbnb.com.au*, True -*.cudleecreekbnb.net.au*, True -*.cuebow.com*, True -*.cuecat.com*, True -*.cueds.org*, True -*.cuek.gq*, True -*.cuencadelplatabsas.com.ar*, True -*.cuennet-fromages.ch*, True -*.cuentaconmigobijou.com.ar*, True -*.cuenta-maya.com*, True -*.cueros-roblans.com.ar*, True -*.cuesplit.com*, True -*.cuetara.name*, True -*.cuetips.com*, True -*.cuhkemba.net*, True -*.cuibulcuvipere.ro*, True -*.cuicoterapia.cl*, True -*.cukierman.net*, True -*.cukiermans.com*, True -*.cukimai.net*, True -*.cukka.com.tr*, True -*.cukratko.cz*, True -*.culain.tk*, True -*.culby2.com*, True -*.culcairnbakery.com.au*, True -*.culinarium-lisboa.pt*, True -*.culinarte.ro*, True -*.cullam.com*, True -*.cullasanmarcoamici.ch*, True -*.cultdecor.ru*, True -*.cultin.es*, True -*.cultofspeed.us*, True -*.cultofthebrewmaster.com*, True -*.culturacaipira.com.br*, True -*.culturacuritiba.com.br*, True -*.cultur.al*, True -*.culturalancestral.com*, True -*.culturalancestral.com.mx*, True -*.culturalancestral.mx*, True -*.culturanautica.org.br*, True -*.cultura-tayrona.ch*, True -*.culture-generale.ch*, True -*.culturenetwork.tk*, True -*.cultusmechanic.us*, True -*.cuma.in*, True -*.cumana.info.ve*, True -*.cumaniseng.net*, True -*.cumbering.tk*, True -*.cumbredecoaching.cl*, True -*.cumbredecoaching.com*, True -*.cumbredecoaching.info*, True -*.cumbredecoaching.net*, True -*.cumbredecoaching.org*, True -*.cumbresa.cl*, True -*.cumbrevirtualdecoaching.cl*, True -*.cumbrevirtualdecoaching.com*, True -*.cumbrevirtualdecoaching.info*, True -*.cumbrevirtualdecoaching.net*, True -*.cumbrevirtualdecoaching.org*, True -*.cumbu.ml*, True -*.cumeche.com.ar*, True -*.cumners.net*, True -*.cumparacomod.ro*, True -*.cumparama.com*, True -*.cumparaturi-ieftine.ro*, True -*.cumsafac.eu*, True -*.cumsejoaca.ro*, True -*.cumshaw.org*, True -*.cumstay.com*, True -*.cumuluscompany.com*, True -*.cun7.net*, True -*.cunghocnauan.com*, True -*.cunigher.ro*, True -*.cunning-linguistics.com*, True -*.cuntari.com.ar*, True -*.cunung.eu*, True -*.cuongs.com*, True -*.cuoredicasa.mx*, True -*.cupabloggerilor.ro*, True -*.cupacarasului.ro*, True -*.cupalica.com*, True -*.cupalica.com.ar*, True -*.cupaprestige.ro*, True -*.cupcakecanyon.com*, True -*.cupcake.cl*, True -*.cupcake-elegance.com.au*, True -*.cupcakefx.com*, True -*.cupc.co.uk*, True -*.cupidate.de*, True -*.cuplaygroup.com*, True -*.cuplay.info*, True -*.cupofchina.com*, True -*.cupofit.com*, True -*.cupomlisto.com.br*, True -*.cupru.ro*, True -*.cuptorulcald.ro*, True -*.cupu-crew.org*, True -*.cura.co.id*, True -*.curamaldeojo.com.ar*, True -*.curatarecovoare.ro*, True -*.curbmackay.com.au*, True -*.curdsnwhey.net*, True -*.curenet.co.kr*, True -*.curhx.com*, True -*.curimba.cf*, True -*.curimba.ga*, True -*.curimba.ml*, True -*.curimba.tk*, True -*.curiosities.co.za*, True -*.curls2go.com*, True -*.curlstogo.com*, True -*.curlysweet.com*, True -*.curlyswoodworks.com*, True -*.curocorp.com*, True -*.currency.hk*, True -*.curries.ch*, True -*.curryonthego.com.au*, True -*.currytogo.com.au*, True -*.cursodecurimba.cf*, True -*.cursodecurimba.ga*, True -*.cursodecurimba.ml*, True -*.cursodecurimba.tk*, True -*.cursodecursos.com*, True -*.cursodemanicure.com.br*, True -*.cursodeoga.cf*, True -*.cursodeoga.ga*, True -*.cursodeoga.ml*, True -*.cursodeogan.cf*, True -*.cursodeogan.ga*, True -*.cursodeogan.ml*, True -*.cursodeogans.cf*, True -*.cursodeogans.ga*, True -*.cursodeogans.ml*, True -*.cursodeogans.tk*, True -*.cursodeogan.tk*, True -*.cursodeogas.cf*, True -*.cursodeogas.ga*, True -*.cursodeogas.ml*, True -*.cursodeogas.tk*, True -*.cursodeoga.tk*, True -*.cursor.co.il*, True -*.cursotamandare.g12.br*, True -*.curs-toaletaj-canin-curs-frizer-canina-curs-cosmetica-canina.ro*, True -*.cursuribistrita.ro*, True -*.cursuridansconstanta.ro*, True -*.cursuriuniversitarebraila.ro*, True -*.cursurivalutare.ro*, True -*.curtfinnegan.com*, True -*.curtisa.com*, True -*.curtisanderson.com*, True -*.curtmoore.info*, True -*.curtsworld.com*, True -*.curvan.com.ar*, True -*.curve7.com*, True -*.curvetech.web.id*, True -*.curvyasianwife.com*, True -*.curvysoft.se*, True -*.cusilelfu.cl*, True -*.cusms.org*, True -*.custermd.com*, True -*.custo-barcelona.info*, True -*.custodiodealmeida.com*, True -*.custom3d.eu*, True -*.custombabyitems.com*, True -*.custombisolutions.com*, True -*.customcasing.co.id*, True -*.customcharly.com.ar*, True -*.customcollarsboutique.com*, True -*.customcraftcreations.com*, True -*.customdipping.com*, True -*.customductcleaning.com*, True -*.customedgellc.com*, True -*.customer-lookups.com*, True -*.customeyesllc.com*, True -*.customfarmer.com*, True -*.custom-gaming.net*, True -*.customies.com*, True -*.customies.gr*, True -*.customintegrator.info*, True -*.customintegrator.org*, True -*.customiseta.com.br*, True -*.customizedshirts.eu*, True -*.customlowcost.es*, True -*.custommediagroup.com*, True -*.custommonkey.org*, True -*.customnameshirt.com*, True -*.custompolis.com*, True -*.customprintdesigns.com*, True -*.customsbroker.co.za*, True -*.customshooting.com*, True -*.customsoda.ca*, True -*.customtraining.com.au*, True -*.custom-truck.net*, True -*.customtrucks.com*, True -*.customwebsitedesignatlanta.com*, True -*.customyachtcharters.com*, True -*.cut3.name*, True -*.cutechinc.com*, True -*.cutecu.be*, True -*.cutecuteattack.com*, True -*.cute.lc*, True -*.cutenicknamesforboyfriends.net*, True -*.cutepoison.com*, True -*.cutetimer.com*, True -*.cutevil.tk*, True -*.cutfog.cf*, True -*.cuthost.com*, True -*.cuticula.org*, True -*.cutie.ga*, True -*.cuttep.ru*, True -*.cuttingedgeneurosurgeon.com*, True -*.cuttysark.org*, True -*.cut.vn*, True -*.cutyourpropertytax.com*, True -*.cuutuyet.com*, True -*.cuvantulgorjean.ro*, True -*.cuvantulparintelui.be*, True -*.cuvaxi.ch*, True -*.cuwitesb.cf*, True -*.cuwobert.cf*, True -*.cuyahogavalleyterminal.org*, True -*.cuyocard.com.ar*, True -*.cuys-kasefuckuda.tk*, True -*.cuzproduction.com*, True -*.cv1sa.com.ar*, True -*.cv20.org*, True -*.cv32.com*, True -*.cv4.ir*, True -*.cv8.pw*, True -*.cvberry.com*, True -*.cvc76.com*, True -*.cvc87.com*, True -*.cvc98.com*, True -*.cvclinemarking.com.au*, True -*.cvdllc.us*, True -*.cvelectricidad.cl*, True -*.cvenetto.com.ar*, True -*.cvetlice.si*, True -*.cvgroup.com.ar*, True -*.cvidaltransporte.com.ar*, True -*.cvios.org*, True -*.cvisionhk.com*, True -*.cvitanic.cl*, True -*.cvk.ca*, True -*.cvlimasaudaramandiri.com*, True -*.cvlt45.com*, True -*.cvm1.ru*, True -*.cvmediawacana.com*, True -*.cvpatriot.com*, True -*.cvp-laufental.ch*, True -*.cvpurnomoborepileindonesia.com*, True -*.cvr.co.id*, True -*.cvrdvindoprint.com*, True -*.cvremaja.com*, True -*.cvrkni.si*, True -*.cvsafetyparking.com*, True -*.cvsestudiocontable.com.ar*, True -*.cvx.ro*, True -*.cvya.com.ar*, True -*.cw03.ru*, True -*.cw1998.tk*, True -*.cwassall.co.uk*, True -*.cwbase.com*, True -*.cwbbp.net*, True -*.cwcm.net*, True -*.cwdsk.ca*, True -*.cwf1.com*, True -*.cw-ge.net*, True -*.cw-ge.org*, True -*.cw-ge.tv*, True -*.c-whatsapp.asia*, True -*.cwhs.ga*, True -*.cwieka.pl*, True -*.cwis.my*, True -*.cwk9.com*, True -*.cwke.info*, True -*.cwke.net*, True -*.cwke.org*, True -*.cwl.com.my*, True -*.cwmalan.co.za*, True -*.cwn55.com*, True -*.cwn66.com*, True -*.cwn77.com*, True -*.cwn88.com*, True -*.cwn99.com*, True -*.cwne.biz*, True -*.cwnet.com.br*, True -*.cwnp.biz*, True -*.cwqso.net*, True -*.cwsiii.com*, True -*.cwtsservers.us*, True -*.cwu.co.id*, True -*.cwvzuidpoort.org*, True -*.cx1.pw*, True -*.cxcsoftware.com*, True -*.cxcvan.com*, True -*.cxdock.com*, True -*.cxgame.ru*, True -*.cxhk.cf*, True -*.cxhk.ga*, True -*.cxhk.gq*, True -*.cxhk.ml*, True -*.cxn72.com*, True -*.cxn76.com*, True -*.cxn85.com*, True -*.cxn92.com*, True -*.cxn94.com*, True -*.cyatca.org*, True -*.cyb3rassasin.com*, True -*.cybard.me*, True -*.cybatron.com*, True -*.cybatron.net*, True -*.cybdyn.com*, True -*.cybelesoft.com.br*, True -*.cybeletech.com*, True -*.cyber0ne.com*, True -*.cyber1product.com*, True -*.cyber74.com*, True -*.cyberadio.tv*, True -*.cyberauditweb.co.za*, True -*.cyberb2b.com.au*, True -*.cyber-bazar.com*, True -*.cyberbeatnation.net*, True -*.cyber-bit.ch*, True -*.cyberbondi.com.au*, True -*.cyberbreak.club*, True -*.cyberbulusweet.in*, True -*.cybercaliber.com*, True -*.cybercaliber.org*, True -*.cybercastle.cl*, True -*.cyberchango.com.ar*, True -*.cybercoben.com*, True -*.cybercpu.org*, True -*.cybercrime.club*, True -*.cyberdetectives.eu*, True -*.cyberdine.ca*, True -*.cyberdreams.com.ve*, True -*.cyberdynellc.com*, True -*.cybereasternsuburbs.com.au*, True -*.cyberekman.com*, True -*.cyberekman.info*, True -*.cyberestates.tk*, True -*.cyberewt.com*, True -*.cyber-force.us*, True -*.cyberforums.org*, True -*.cyberfreight.com.au*, True -*.cyberfusion.biz*, True -*.cyberfusion.com.au*, True -*.cybergate.co*, True -*.cyberhack.cf*, True -*.cyberhug.ro*, True -*.cyberiddant.com*, True -*.cyberjayaview.com*, True -*.cyber-joki.us*, True -*.cyberkidzone.com.au*, True -*.cyberkinetx.com*, True -*.cyberlauncher.com*, True -*.cyberlawlist.com*, True -*.cyber-linx.us*, True -*.cyberlocker.co.il*, True -*.cyberlove.us*, True -*.cybermadriguera.com.ar*, True -*.cybermagesllc.com*, True -*.cybermedia.sch.id*, True -*.cybermerlin.com*, True -*.cybermoped.eu*, True -*.cybermusic.com.br*, True -*.cyberneticindustries.com*, True -*.cybernetics.ro*, True -*.cybernetx.org*, True -*.cybernia.biz*, True -*.cybernia.com.mx*, True -*.cybernia.mobi*, True -*.cybernia.mx*, True -*.cybernorge.com*, True -*.cybernorge.org*, True -*.cyberp4ti.mx*, True -*.cyberp4ti.nu*, True -*.cyberpaddo.com.au*, True -*.cyberpati.cz*, True -*.cyberpati.in*, True -*.cyberpedia.info*, True -*.cyberphreakingindonesia.com*, True -*.cyberpun.ga*, True -*.cyberpunkco.de*, True -*.cyberpunkcode.com*, True -*.cyberpunkme.com*, True -*.cyberpunkmovies.net*, True -*.cyberquaduav.com*, True -*.cyberquaduav.com.au*, True -*.cybersghost.cf*, True -*.cybershare.info*, True -*.cybershido.com*, True -*.cybershido.net*, True -*.cybersmartcomputers.com*, True -*.cybersouth.com.au*, True -*.cyberspinning.com*, True -*.cyberspreakskidz.cf*, True -*.cyberstacja.com*, True -*.cyberstacja.pl*, True -*.cyberstreampc.com*, True -*.cybersydney.com.au*, True -*.cybertechtonic.com*, True -*.cybertegaltaman.tk*, True -*.cyberterrorist.us*, True -*.cybertrikers.ml*, True -*.cybertv.tv*, True -*.cyberveio.co.uk*, True -*.cybervuelos.com*, True -*.cyberz-blue.ga*, True -*.cyberz-it.ml*, True -*.cybhacks.com*, True -*.cybionshop.cf*, True -*.cybion.tk*, True -*.cybitzix.ninja*, True -*.cyborgcode.ninja*, True -*.cyborgelt.com*, True -*.cyborgos.com*, True -*.cybrnode.info*, True -*.cyclechallenge-mail.co.za*, True -*.cyclefriendly.com*, True -*.cyclelife.com.br*, True -*.cycle.ml*, True -*.cycleourcity.org*, True -*.cyclesmobile.com*, True -*.cycles-motos.ch*, True -*.cyclingresourcecentre.com*, True -*.cyclingresourcecentre.com.au*, True -*.cyclingresourcecentre.info*, True -*.cyclingresourcecentre.net*, True -*.cyclingresourcecentre.net.au*, True -*.cyclingresourcecentre.org*, True -*.cyclonegun.com*, True -*.cyclone-radio.com*, True -*.cyclone.web.tr*, True -*.cyclus.com.br*, True -*.cycsa.biz*, True -*.cycsa.com.ar*, True -*.cydonia.co*, True -*.cydor.org*, True -*.cydpublicidad.com.ar*, True -*.cyfive.ru*, True -*.cygcomputacion.com.ar*, True -*.cyglet.com*, True -*.cygnae.com*, True -*.cygnusitgroup.com.ar*, True -*.cyka.tk*, True -*.cyk.hk*, True -*.cylab.org*, True -*.cylone.net*, True -*.cyminmobiliaria.cl*, True -*.cymiysih.com.mx*, True -*.cympak.biz*, True -*.cympl.com*, True -*.cympl.net*, True -*.cympl.org*, True -*.cynaver.com*, True -*.cynematics.com*, True -*.cynthiaruehlig.com*, True -*.cynwolf.com*, True -*.cyolife.com*, True -*.cyosanjo.ga*, True -*.cyperling.com*, True -*.cyphonic.net*, True -*.cypis.org*, True -*.cypok.org*, True -*.cypressriveradvisors.com*, True -*.cypressvalley.com.my*, True -*.cyprusleague.com*, True -*.cyprusownersdirect.co.uk*, True -*.cyprusvillageproperties.com*, True -*.cyraxpainting.com*, True -*.cyrilaw.cf*, True -*.cyrilaw.ml*, True -*.cyrilaw.tk*, True -*.cyris-dream.com*, True -*.cyrustechno.com*, True -*.cys.ru*, True -*.cytag.net*, True -*.cyt-ar.com.ar*, True -*.cytech.ro*, True -*.cytecko.com*, True -*.cyterentayvende.com*, True -*.cytosys.com*, True -*.cytrick.com*, True -*.cyxapeff.org*, True -*.cyy77.com*, True -*.cyy99.com*, True -*.cyyang.org*, True -*.cyymu.com*, True -*.czasit.pl*, True -*.czcopperjewelry.com*, True -*.czelakowski.pl*, True -*.czepo.com*, True -*.czerak.com*, True -*.czerpak.pl*, True -*.czesiek.net*, True -*.czlrb.ru*, True -*.czth.com*, True -*.czth.net*, True -*.czytmnik.pl*, True -*.d0t.pl*, True -*.d0xq.net*, True -*.d11.se*, True -*.d1c478b210.pw*, True -*.d1cor.tk*, True -*.d1ox.in*, True -*.d20portal.com*, True -*.d2brus.com*, True -*.d2cp.com.ar*, True -*.d2llontario.ca*, True -*.d2o2.net*, True -*.d2w.asia*, True -*.d2w.biz*, True -*.d33.co*, True -*.d3e.ru*, True -*.d3f.me*, True -*.d3latam.com*, True -*.d3methods.net*, True -*.d3nsus.ga*, True -*.d3.ro*, True -*.d3sharp.com*, True -*.d3uk.net*, True -*.d3v01d.org*, True -*.d3v.eu*, True -*.d3v.org*, True -*.d4b.sk*, True -*.d4fidz.com*, True -*.d4f-official.biz*, True -*.d4fofficial.biz*, True -*.d4f-official.com*, True -*.d4fofficial.com*, True -*.d4f-official.info*, True -*.d4fofficial.info*, True -*.d4fofficial.net*, True -*.d4f-official.org*, True -*.d4fofficial.org*, True -*.d4is-gatineau.com*, True -*.d4rk1t.tk*, True -*.d4rkit.tk*, True -*.d4rk.one.pl*, True -*.d4vid.eu*, True -*.d5150.com*, True -*.d5a.net*, True -*.d6f67bc92bbaf06ec44b828d0da4eda9.com*, True -*.d7css.com*, True -*.d7x.org*, True -*.d90forall.cf*, True -*.d90forall.ga*, True -*.d90forall.gq*, True -*.d90forall.ml*, True -*.d90forall.tk*, True -*.da66.com*, True -*.daahyeon.com*, True -*.daba.com.my*, True -*.dabanquyphucbao.com*, True -*.dabase.cf*, True -*.dabax.net*, True -*.dabblecraft.com*, True -*.dab.ca*, True -*.dabhome.net*, True -*.dablo.net*, True -*.dabne.es*, True -*.dabo7979.com*, True -*.dabon73.com*, True -*.dabpunk.com*, True -*.dabre.ch*, True -*.dab.ro*, True -*.dabros.net*, True -*.dabti.me*, True -*.dachboxen-kremer.tk*, True -*.dachboxenkremer.tk*, True -*.dachbud-iwaniak.pl*, True -*.dachdecker-reis.tk*, True -*.dacia69.ro*, True -*.dacil-schwerte.de*, True -*.daclubcalendar.com*, True -*.daclub.tk*, True -*.da-core.net*, True -*.da-costa.ch*, True -*.dacotrans-honduras.com*, True -*.dacruz.com.ar*, True -*.dacsankhanhhoa.com.vn*, True -*.dacsanlamdong.com*, True -*.dadace-menajere.ro*, True -*.dada-concept.ro*, True -*.dadamail.tk*, True -*.dadanfirmansyah.gq*, True -*.dadashbaradar.cf*, True -*.dadasoft.com.mx*, True -*.dadcloud.com.au*, True -*.daddiego.com.ar*, True -*.daddigital.com*, True -*.daddigital.com.au*, True -*.daddywuvsmommy.com*, True -*.dadejob.com*, True -*.dade.ninja*, True -*.dade.si*, True -*.dade.web.id*, True -*.dadi-b.si*, True -*.dadiscodicks.com*, True -*.dadishoo.com*, True -*.dadolara.org*, True -*.dadr-sm.ro*, True -*.dadurdays.uk*, True -*.dadyal.pk*, True -*.daechi.web.id*, True -*.daedals.com*, True -*.daedelum.com.au*, True -*.daedilus.com*, True -*.dael.com.mx*, True -*.daemonology.org*, True -*.daena.ca*, True -*.daesung.ru*, True -*.daev.ca*, True -*.dafa88.mobi*, True -*.dafc.co.za*, True -*.daferol.com*, True -*.dafiarisma.com*, True -*.dafinfurnindo.com*, True -*.dafral.com.mx*, True -*.daftaragentopup.com*, True -*.daftardomain.us*, True -*.dafucobienhoa.com*, True -*.dafucosaigon.com*, True -*.dafuq.ru*, True -*.dagang.es*, True -*.dagenais.co*, True -*.daggg.ga*, True -*.dagitta.lu*, True -*.daglarda.com*, True -*.dagroup.pro*, True -*.dagworthy.com*, True -*.dagz.ru*, True -*.dahanstore.com*, True -*.dahey.com*, True -*.dahizzle.com*, True -*.dahlen.ws*, True -*.dahlia.com.my*, True -*.dahlia.my*, True -*.dah.my*, True -*.dahnz.net*, True -*.dahord.com*, True -*.da-house.net*, True -*.daibe.com*, True -*.daichenindonesia.com*, True -*.dailey1.net*, True -*.dailybelle.com*, True -*.dailycenter.ml*, True -*.dailycoder.com*, True -*.dailydose.pk*, True -*.dailydripper.com*, True -*.dailyfashion.ro*, True -*.daily.hk*, True -*.dailyholycrap.com*, True -*.dailymail.sg*, True -*.dailyrecoverylog.com*, True -*.dailysport.co.za*, True -*.dailystory.gr*, True -*.dailytasks.ru*, True -*.dailytraining.eu*, True -*.d-a.im*, True -*.dainal.cl*, True -*.dainghia.net*, True -*.dairhouse.com*, True -*.dairhouse.org*, True -*.dairymountain.ca*, True -*.daiste.com*, True -*.daisyday.net*, True -*.daisywheeljs.org*, True -*.daisywhiting.com*, True -*.daitoryu.gr*, True -*.dajmitopor.pl*, True -*.dakara.com.ar*, True -*.dakidak.ru*, True -*.daking-dom.com*, True -*.dakingdom.com*, True -*.dakingdom.info*, True -*.dakotalist.ga*, True -*.dakotascientific.com*, True -*.daksangroup.com*, True -*.daksangrup.com*, True -*.dalailama80.com*, True -*.dalailama80.org*, True -*.dalandalan.com*, True -*.dalang.com.au*, True -*.dalbosco.net*, True -*.daleconway.com*, True -*.dale.org.il*, True -*.dales-sports-media.com*, True -*.daleugazio.com*, True -*.daleunavuelta.cl*, True -*.dalianexpat.cn*, True -*.dalisufuneralservices.co.za*, True -*.dalken.co.za*, True -*.dalk.ru*, True -*.dallaire.xyz*, True -*.dallapria.com.br*, True -*.dallasbeats.cf*, True -*.dallasecho.com*, True -*.dallasmasters.net*, True -*.dalloca.com*, True -*.dalmasen.se*, True -*.dalmors.md*, True -*.dalnet.ca*, True -*.dalnet.dj*, True -*.dalnetforever.com*, True -*.dal.net.id*, True -*.dalnet.id*, True -*.dalnet.in*, True -*.dalnet.xyz*, True -*.dalockr.com*, True -*.dalpizza.tk*, True -*.dalurist.ru*, True -*.daluz.ro*, True -*.dalwinaudio.com.au*, True -*.dalyfamily.co.uk*, True -*.damanpost.com*, True -*.damar-muhisa.com*, True -*.damashinta.net*, True -*.damel.com.ar*, True -*.damelinwestrand.co.za*, True -*.da-men.com*, True -*.damendoza.com*, True -*.damiansj.com*, True -*.damico.adv.br*, True -*.damienhollier.com*, True -*.damiensolley.com*, True -*.dami.li*, True -*.daminci.ro*, True -*.damlong.com.ar*, True -*.damlongsrl.com.ar*, True -*.dammasch.ch*, True -*.damnation.tk*, True -*.damnitstog.com*, True -*.damol.ch*, True -*.damon-baker.com*, True -*.damonmittleider.com*, True -*.dams.cf*, True -*.damutten.ch*, True -*.damvl.us*, True -*.danahard.ro*, True -*.danajaminanbpkb.com*, True -*.danalanding.biz*, True -*.danal.info*, True -*.danandmarilyn.com*, True -*.danarish.ru*, True -*.danatamasyariah.co.id*, True -*.danaugust.com*, True -*.danbroz.com*, True -*.danca-art-studio.ro*, True -*.dancas.pt*, True -*.dance.com.ar*, True -*.dance-land.ch*, True -*.dancepot.my*, True -*.dancers.cf*, True -*.dancing-rainbow.ru*, True -*.dan-cloud.com*, True -*.danco.bg*, True -*.dancow.info*, True -*.dancweb.com*, True -*.dandamc.tk*, True -*.dandcmotorcycles.com.au*, True -*.danddcyclesalvage.com*, True -*.danddstables.com*, True -*.dande.ch*, True -*.dandi.se*, True -*.dandl.tk*, True -*.dandolevuelta.com*, True -*.dandolo.com*, True -*.dandr.org*, True -*.dandtllc.com*, True -*.dandtllc.net*, True -*.daneau.net*, True -*.danec.de*, True -*.danemaric-ssrs.com*, True -*.danfarst.com*, True -*.danfoley.net*, True -*.danfrei.me*, True -*.danfrydman.co.uk*, True -*.dangdut.web.id*, True -*.dangel.co.uk*, True -*.dangelo.mobi*, True -*.dangenonline.com*, True -*.dangerpeanut.net*, True -*.danggia.net*, True -*.dangkygoogleadsense.net*, True -*.danhallock.com*, True -*.danhbaanuong.com*, True -*.danhbacamdo.com*, True -*.danhbacokhi.com*, True -*.danhbacuahangdienthoai.com*, True -*.danhbadienlanh.com*, True -*.danhbadienmay.com*, True -*.danhbadogo.com*, True -*.danhbagao.com*, True -*.danhbahoatuoi.com*, True -*.danhbainox.com*, True -*.danhbamancua.com*, True -*.danhbamatkinh.com*, True -*.danhbamypham.com*, True -*.danhbanhomkinh.com*, True -*.danhbanoithat.com*, True -*.danhbasatthep.com*, True -*.danhbashopthoitrang.com*, True -*.danhbasonnuoc.com*, True -*.danhbathammyvien.com*, True -*.danhbathietbidien.com*, True -*.danhbathucpham.com*, True -*.danhbavanphongpham.com*, True -*.danhbavattu.com*, True -*.danhbavietmy.com*, True -*.danhbavoinuoc.com*, True -*.danhbaxaydung.com*, True -*.danhbaxemay.com*, True -*.danhbaxeoto.com*, True -*.daniaellesimonsen.com*, True -*.daniandriyanz.cf*, True -*.danibrunner.ch*, True -*.dani-careri.com.ar*, True -*.danichris.co.uk*, True -*.dani.cl*, True -*.dani.com.ve*, True -*.danidigo.com*, True -*.danielaabrantes.com*, True -*.danielaanderson.me*, True -*.danielacampisi.com.ar*, True -*.daniela.com.br*, True -*.danieladrugus.ro*, True -*.danielaedennis.com.br*, True -*.danielaga.com*, True -*.danielagonzalez.cl*, True -*.danielanedovescu.ro*, True -*.daniela-vieli.ch*, True -*.danielavillaverde.com.ar*, True -*.danielb.com.br*, True -*.danielben.com*, True -*.danielbetting.com*, True -*.danielbispo.com.br*, True -*.danielblinker.com*, True -*.danielbrenner.com.ar*, True -*.danielbyrnes.net*, True -*.danielcastilho.com*, True -*.danielchandler.me*, True -*.danielcleaning.com.au*, True -*.danielclearwater.com*, True -*.danielcons.eu*, True -*.danielcormierphotography.com*, True -*.danielcormierphotography.net*, True -*.danielcyc.com*, True -*.daniel-drubin.com*, True -*.danieletrading.ro*, True -*.danielfox.ie*, True -*.danielgibbs.org*, True -*.danielgranda.com*, True -*.danielhabib.co.il*, True -*.danielharrelson.com*, True -*.danielharrelson.info*, True -*.danielhur.com*, True -*.danielitis.cl*, True -*.danieljdavies.me.uk*, True -*.daniella.org*, True -*.daniellaporter.cl*, True -*.danielmanning.info*, True -*.danielmedina.com.ar*, True -*.danielmessana.com*, True -*.danielmoreno.com.br*, True -*.danielmunteanu.ro*, True -*.danielnas.tk*, True -*.danielparedes.com.ar*, True -*.danieltran.co*, True -*.daniel-tremblay.ca*, True -*.danieltrueblood.com*, True -*.danieltrueblood.net*, True -*.danielwheatfall.com*, True -*.danielwilkins.org*, True -*.daniette.ch*, True -*.danigribi.ch*, True -*.danihavarneanu.ro*, True -*.danilleandjeff.com*, True -*.dani.one.pl*, True -*.danishbagadia.com*, True -*.danisia.md*, True -*.danissia.md*, True -*.danitf.tk*, True -*.dani-vagner.com*, True -*.daniyfacu.com.ar*, True -*.danjavasiliev.com*, True -*.danjavasiliev.net*, True -*.danjod.com*, True -*.dankaart.com*, True -*.dankinhte.vn*, True -*.dankirk.co.uk*, True -*.dankpoint.com*, True -*.danland.info*, True -*.danland.net*, True -*.danleahu.com*, True -*.danleevogler.com*, True -*.danleevogler.net*, True -*.danleevogler.org*, True -*.danmcinerney.com*, True -*.danmurphyford.ca*, True -*.danmurphyinc.com*, True -*.dannacha.com.br*, True -*.dannielle.co.uk*, True -*.dannizone.com*, True -*.dannyboyimob.ro*, True -*.danny-crow.com*, True -*.dannydale.net*, True -*.dannydip.com*, True -*.dannyd.xyz*, True -*.dannyjpalmer.com*, True -*.dannyjpalmer.info*, True -*.dannyjpalmer.net*, True -*.dannysdrivingschool.com*, True -*.dannyslinks.tk*, True -*.danofhermitage.com*, True -*.danpelonis.com*, True -*.danrell.co.nz*, True -*.danrell.nz*, True -*.danriley.net*, True -*.dansbilservice.se*, True -*.dans-condos.com*, True -*.danscondos.com*, True -*.danshui.com*, True -*.dansjaya.com*, True -*.dansouther.com*, True -*.dansted.org*, True -*.danstelian.ro*, True -*.dantabet.com*, True -*.dantaysweet.ca*, True -*.dantedileo.com.ar*, True -*.dantehost.us*, True -*.dantel-fisto.com*, True -*.dantenet.es*, True -*.danthaigroup.com*, True -*.dantrumanmusic.com*, True -*.dantsang.com*, True -*.danty08.com*, True -*.danuke.ru*, True -*.danull.com*, True -*.danuperfecto.com*, True -*.danycatering.ro*, True -*.danycloutier.com*, True -*.danyelphotography.pl*, True -*.danyelphotography.tk*, True -*.danyshirgazin.ru*, True -*.danzbook.com*, True -*.danzesenzafrontiere.it*, True -*.danziman.com*, True -*.daohangabc.com*, True -*.daohang.asia*, True -*.daohangba.com*, True -*.daohang.cf*, True -*.daohang.club*, True -*.daohang.es*, True -*.daohang.eu*, True -*.daohang.hk*, True -*.daohang.in*, True -*.daohang.la*, True -*.daohang.ml*, True -*.daohang.pro*, True -*.daohang.pw*, True -*.daohang.so*, True -*.daohang.space*, True -*.daohang.tw*, True -*.daohang.us*, True -*.daohangye.com*, True -*.daohitech.com*, True -*.daophaygo.com*, True -*.daoplat.cc*, True -*.daovien.com*, True -*.daphim.net*, True -*.daphim.org*, True -*.daphroze.tk*, True -*.dapinvest.com.br*, True -*.dapinvestimentos.com.br*, True -*.dapit.net*, True -*.dappermusic.com*, True -*.daprapp.com*, True -*.daprlabs.com*, True -*.daprojects.co.za*, True -*.dapsirius.be*, True -*.darabi.org*, True -*.darabi.us*, True -*.darcan.com*, True -*.darcheinoamglenbrook.com*, True -*.darcheinoamglenbrook.net*, True -*.darcheinoamglenbrook.org*, True -*.darciebell.com*, True -*.darconst.cl*, True -*.darconsultores.com.mx*, True -*.darconsultores.mx*, True -*.darcos.pt*, True -*.darcovainc.com*, True -*.darc-rc.co.uk*, True -*.dardanmustafaj.al*, True -*.daredio.ga*, True -*.daretothinkdifferent.com*, True -*.dargis.me*, True -*.dariacoman.ro*, True -*.daringlight.com*, True -*.darinmohr.com*, True -*.dariofiore.ch*, True -*.darios.com.ar*, True -*.darirodid.com*, True -*.dariusz.one.pl*, True -*.dariuz.tk*, True -*.dariymajosecasan.com.ar*, True -*.darkamd.tk*, True -*.darkapec.com*, True -*.darkapec.net*, True -*.darkapostles.net*, True -*.darkartika.com*, True -*.darkblogz.ga*, True -*.darkblue.ch*, True -*.dark-byte.net*, True -*.darkcortex.com*, True -*.darkcube.net*, True -*.dark-design.ro*, True -*.darkduelers.tk*, True -*.darkevil.net*, True -*.darkfall.org*, True -*.darkfirelight.com*, True -*.darkfox.id.au*, True -*.darkfrayn.in*, True -*.darkfrog.me*, True -*.darkfusion.co.za*, True -*.darkgate.ch*, True -*.darkhorsesurveillance.net*, True -*.darkiesonline.com*, True -*.darkjarek.com*, True -*.dark-lady.org*, True -*.darklayz.com*, True -*.darklunakennel.com*, True -*.darkmatterprogrammer.com*, True -*.dark-mirror.com*, True -*.dark-moon.ml*, True -*.darkn3ss.com*, True -*.darkness.com.ar*, True -*.darkness.ninja*, True -*.darknett.com*, True -*.darknigger.com*, True -*.darkon.cl*, True -*.darkone.co.uk*, True -*.darkone.uk*, True -*.darkopiopixjatim.ml*, True -*.darkpoolgames.net*, True -*.dark.ro*, True -*.darkroom-lang.org*, True -*.darksair.org*, True -*.darkshadow.cf*, True -*.darksix.org*, True -*.darkskydev.com*, True -*.darksnow.es*, True -*.darksrp.com*, True -*.darkstarfun.com*, True -*.darkstarmcp.com*, True -*.darkstorm.nl*, True -*.darksunlight.com*, True -*.darktech.ca*, True -*.darktech.info*, True -*.darkti.me*, True -*.darktime.ru*, True -*.darkwolf.ca*, True -*.darkworlds.org*, True -*.darkz.eu*, True -*.darkz.net*, True -*.darlenebutts.com*, True -*.darlson.com*, True -*.darolershad.org*, True -*.daro.sg*, True -*.darphin.bg*, True -*.darphin-bg.com*, True -*.darquemusic.com*, True -*.darquemusic.com.au*, True -*.darrell.in*, True -*.darrelllua.sg*, True -*.darrenbrust.com*, True -*.darren-johnson.co.uk*, True -*.darren.pro*, True -*.darrenstorsley.com*, True -*.darriondemelo.com*, True -*.darrundono.net*, True -*.darsin.ir*, True -*.darsis.com.ar*, True -*.dartech.io*, True -*.darter.org*, True -*.darthtitan.com*, True -*.dartsdesign.hu*, True -*.darulqurro.com*, True -*.darurrobbani.com*, True -*.darvella.ch*, True -*.darvin.one.pl*, True -*.darwinpowersports.com*, True -*.darxworld.com*, True -*.daryll-heneke.net*, True -*.darzanhanan.web.id*, True -*.dasay.ru*, True -*.dascor.org*, True -*.dasdre.tk*, True -*.dasekun.tk*, True -*.dashen007.com*, True -*.dashize.com*, True -*.dashmesh.com.br*, True -*.dashtext.com*, True -*.dashti.ca*, True -*.dashti.com.br*, True -*.dashti.name*, True -*.dashuhn.at*, True -*.dasi.co.id*, True -*.dasilvas.ch*, True -*.dasjak.net*, True -*.daskdesign.com*, True -*.dasnet.cl*, True -*.dasnetz.info*, True -*.dassasia.com*, True -*.dasserver.pw*, True -*.dasseville.be*, True -*.dassindoabadi.com*, True -*.da-statul-in-judecata.ro*, True -*.dastatulinjudecata.ro*, True -*.dasttech.com.ar*, True -*.dasweetpillow.my*, True -*.dasy2k1.co.uk*, True -*.dat89.com*, True -*.dataappraisal.com*, True -*.databackupsite.net*, True -*.databasecleanertool.com*, True -*.database-tips.com*, True -*.databasex.eu*, True -*.databehavior.com*, True -*.databiz.co.id*, True -*.datablab.com*, True -*.databutler.ca*, True -*.datacentermed.com*, True -*.datacenterstore.cl*, True -*.datacentertotalsolution.com*, True -*.datachaos.net*, True -*.datacircle.us*, True -*.datacommunicationsinc.com*, True -*.dataconnect.co.za*, True -*.dataconnexion.net*, True -*.datadad.com.au*, True -*.datadata.ca*, True -*.datadesignstudio.eu*, True -*.dataempowered.com*, True -*.dataenter.com.ar*, True -*.data-entry.hk*, True -*.data-express.com.ar*, True -*.datafault.net*, True -*.datafly.mobi*, True -*.datageek.com.ve*, True -*.datahexportal.com*, True -*.datahighlight.com*, True -*.datahighlight.com.ar*, True -*.datahosting.mx*, True -*.datahubfinland.com*, True -*.dataizih.com*, True -*.datajetty.com*, True -*.datalore.in*, True -*.dataluola.net*, True -*.datamining.cl*, True -*.datamontana.com*, True -*.datanas.com*, True -*.datanetworks.info*, True -*.dataneu.com.ar*, True -*.dataoikeus.fi*, True -*.dataon.cl*, True -*.data.org.tr*, True -*.data-politics.com*, True -*.dataposta.com.ar*, True -*.data-processing.hk*, True -*.datasatlink.com*, True -*.datasatlink.net*, True -*.datasat.ro*, True -*.datascene.net*, True -*.datascience.hk*, True -*.datasecurity.cl*, True -*.datasegura.cl*, True -*.dataservers.org*, True -*.dataserv.net*, True -*.datasets.tk*, True -*.datasoft.web.id*, True -*.datasource.ro*, True -*.dataspawn.com*, True -*.data-spreading.tk*, True -*.datasquid.net*, True -*.datasrv.org*, True -*.datastore.fi*, True -*.datasystem.ch*, True -*.datasystemsdesign.ro*, True -*.datatechstx.com*, True -*.datatuning.hu*, True -*.datavend.eu*, True -*.datavetaren.se*, True -*.dataweapons.tk*, True -*.datcoargentina.com.ar*, True -*.datcom.com.ve*, True -*.dateeasily.com*, True -*.dateeasily.net*, True -*.dateno1.com*, True -*.datenschrott.ch*, True -*.datetonight.co.za*, True -*.datezone.co.za*, True -*.datinaromaneasca.ro*, True -*.datingajew.com*, True -*.datingcafe.ro*, True -*.datingparty.nl*, True -*.datingtop.info*, True -*.datingtop.org*, True -*.datlecheria.net.ve*, True -*.datordakters.lv*, True -*.datoriem.info*, True -*.datorservice.eu*, True -*.datospegasus.com.ar*, True -*.datosysistemas.com*, True -*.dattein.com*, True -*.dauer.info*, True -*.daultonfaure.com*, True -*.daumiller.eu*, True -*.dauphinweather.ca*, True -*.dauphu.biz*, True -*.dauprinz.de*, True -*.d-austin.com*, True -*.daustin.com*, True -*.d-austin.net*, True -*.dauth.me*, True -*.davai.ee*, True -*.davaishop.tk*, True -*.davantalus.com*, True -*.davar.mx*, True -*.daveaaronoff.com*, True -*.daveamenta.com*, True -*.daveandhal.com*, True -*.daveattila.com*, True -*.davebarrettconstruction.com*, True -*.daveb.ca*, True -*.davecobbmusic.com*, True -*.davecobbproducer.com*, True -*.davecushing.ca*, True -*.davedoesandroid.biz*, True -*.davedoesandroid.com*, True -*.davedoesandroid.net*, True -*.davedoesandroid.org*, True -*.davedoty.com*, True -*.daveduran.com*, True -*.daveengine.com*, True -*.daveengineer.com*, True -*.davef.info*, True -*.daveflix.net*, True -*.davef.us*, True -*.daveharker.com*, True -*.daveh.ch*, True -*.davehensley.net*, True -*.daveit.me*, True -*.davejenn.co.uk*, True -*.davekhoury50sguy.com*, True -*.davelewis.name*, True -*.daveoc64.co.uk*, True -*.davepatrone.com*, True -*.daveraux.pl*, True -*.daveshomeseer.com*, True -*.daveslink.com*, True -*.davesmotorsma.biz*, True -*.davewain.com*, True -*.davewut.ca*, True -*.davianiart.ro*, True -*.davi.cl*, True -*.davidacharya.com.np*, True -*.davidagusk.com*, True -*.davidandersen.nl*, True -*.davidandirina.com*, True -*.davidandjacquelinebarbee.com*, True -*.davidandkelly.net*, True -*.davidastevenson.com*, True -*.davidbarrera.cl*, True -*.davidbeck.com.au*, True -*.davidbian.com*, True -*.davidblakeman.com*, True -*.david-brown.biz*, True -*.davidbrownenterprises.com*, True -*.davidbrownofficial.com*, True -*.davidbutler.xyz*, True -*.davidcarr.co.uk*, True -*.davidchapman.xyz*, True -*.david-clarke.id.au*, True -*.daviddelossan.com*, True -*.daviddiaz.es*, True -*.david-dixon.us*, True -*.daviddk.nom.za*, True -*.davidedalessandro.eu*, True -*.davidflack.co*, True -*.david-fletcher.com*, True -*.david-gannon.com*, True -*.davidgould.ca*, True -*.davidhillman.co.uk*, True -*.davidholdsworth.co.uk*, True -*.davidianlandis.com*, True -*.davidjforsyth.co.uk*, True -*.davidkerr.org*, True -*.davidkiraly.com*, True -*.davidkiss.com*, True -*.davidlancour.com*, True -*.davidlivne.com*, True -*.davidmarin.cl*, True -*.davidmayo.eu*, True -*.davidmcorn.com*, True -*.davidm.es*, True -*.davidmiller.guru*, True -*.davidmolhoek.com*, True -*.davidnet.org*, True -*.davidov1208.ml*, True -*.davidovski.ch*, True -*.davidovski.info*, True -*.davidovski.net*, True -*.davidovski.org*, True -*.davidow.fi*, True -*.davidpare.info*, True -*.davidpatron.com*, True -*.davidpatrone.com*, True -*.davidpayless.info*, True -*.davidpetrone.com*, True -*.davidportales.com*, True -*.davidrbow.com*, True -*.davidrobins.com*, True -*.davidrobins.net*, True -*.davidrockin.com*, True -*.davidryan.com.au*, True -*.davidryan.net.au*, True -*.david-samuel.ml*, True -*.davidschlachter.com*, True -*.david-servers.ga*, True -*.davidsilveira.me*, True -*.davidsluka.com*, True -*.davidsparkes.ca*, True -*.david-spicer.com*, True -*.david-studio.ro*, True -*.davidsuarez.com.ar*, True -*.davidsweb.tw*, True -*.davidwbirch.co.uk*, True -*.davidx.nl*, True -*.davidx.org*, True -*.davidyakovich.com*, True -*.davidysusicasa.tk*, True -*.daviez.com*, True -*.davina.co.za*, True -*.davina.eu*, True -*.davincenzo.tk*, True -*.da-vin.com*, True -*.davisapiary.com*, True -*.daviscosmetica.cl*, True -*.davisempresas.cl*, True -*.davis-house.net*, True -*.davisonorserward.com*, True -*.davitall.biz*, True -*.davitechsteel.ro*, True -*.davivienda.bz*, True -*.davmaster.ca*, True -*.davmie.com*, True -*.davo.li*, True -*.davsys.net*, True -*.davtech.eu*, True -*.davtnnorthport.org*, True -*.davtn.org*, True -*.davux.com*, True -*.daw666.com*, True -*.daw99.com*, True -*.dawartz.com*, True -*.dawid.com.ar*, True -*.dawidmazur.pl*, True -*.dawnrisedeath.com*, True -*.dawntilldusksafaris.com*, True -*.dawseyshideout.tk*, True -*.daxuexiaohua.com*, True -*.daxumi.net*, True -*.day5.me*, True -*.dayaimagi.com*, True -*.dayani.co.id*, True -*.dayathacker.cf*, True -*.daybite.com*, True -*.daybite.pl*, True -*.day.com.br*, True -*.daydayup.net*, True -*.daydreamers.com*, True -*.dayfamily4.us*, True -*.dayoffproductions.com*, True -*.dayofremembranceutah.com*, True -*.daypal-service.com*, True -*.daytona955.net*, True -*.daytonabeachsidecondos.com*, True -*.daytonabrewing.com*, True -*.daytonadeepsea.com*, True -*.daytonadiving.com*, True -*.daytona.dj*, True -*.daytraderwannabe.com*, True -*.dazacultural.com.br*, True -*.dazedmedia.net*, True -*.dazikep.cf*, True -*.dazzos.com*, True -*.db2web.ch*, True -*.dba.gs*, True -*.dbalas.ru*, True -*.dband.sk*, True -*.dbaselj.com*, True -*.dbasenow.com*, True -*.dbaseworld.com*, True -*.dbcircle.us*, True -*.dbcore.tk*, True -*.dbdonlinebar.com*, True -*.dbdonlinebar.info*, True -*.dbesancon.com*, True -*.dbikchentaev.ru*, True -*.dbinvest.com.br*, True -*.dbi.si*, True -*.dblasesorias.cl*, True -*.dblink.cc*, True -*.dblock.tk*, True -*.dblushskincare.com*, True -*.dblware.com*, True -*.dbman.ca*, True -*.dbman.cc*, True -*.dbmemory.com*, True -*.dbnguyen.com*, True -*.dbnsystems.com*, True -*.dbobrov.com*, True -*.dbones.tk*, True -*.d-booster.com*, True -*.db-otp.com*, True -*.dbserviceudine.it*, True -*.dbsieders.com*, True -*.db-systems.nl*, True -*.dbt-dulovo.tk*, True -*.dbus.co*, True -*.dbworks.info*, True -*.dbwt.net*, True -*.dbyd.ch*, True -*.dbz-777.com*, True -*.dc0.in*, True -*.dc2go.ca*, True -*.dcaf-security.org*, True -*.dcamz.web.id*, True -*.dcb.com.np*, True -*.dcc68.com*, True -*.dcc78.com*, True -*.dcc88.com*, True -*.dcc98.com*, True -*.dcconnect.com.au*, True -*.dcescortservice.net*, True -*.dcfcustomhomes.com*, True -*.dcfinancialservice.com*, True -*.dcflores.com*, True -*.dcgrid.biz*, True -*.dcgrid.com*, True -*.dcgrid.info*, True -*.dchang.ca*, True -*.dcigroupmexico.com.mx*, True -*.dciservicios.com.mx*, True -*.dcitsolutions.ch*, True -*.dclayman.com*, True -*.dclegacy.com*, True -*.dcluxuryescorts.com*, True -*.dcmixs.com*, True -*.dcmusic.ca*, True -*.dcnv.com*, True -*.dconz.ca*, True -*.dc-otp.com*, True -*.dcp92-tamvan.gq*, True -*.dcp.nu*, True -*.dcpp.ru*, True -*.dcrbeloit.us*, True -*.dcrdns.tk*, True -*.dcservicesandfabrication.com*, True -*.dcsil.ca*, True -*.dct77.com*, True -*.dct87.com*, True -*.dctccc.com*, True -*.dc-tech.com*, True -*.dcte.com.ar*, True -*.dctmanga.com*, True -*.dctpublish.com*, True -*.dcunix.com*, True -*.dcunix.net*, True -*.dcunix.org*, True -*.dcuong.net*, True -*.dcvipescorts.com*, True -*.dcw.cz*, True -*.dd0c.com*, True -*.dd0c.net*, True -*.dd0s.net*, True -*.ddaapp.com*, True -*.ddanciu.ro*, True -*.ddaval.com.ar*, True -*.ddbritt.com*, True -*.dd-bt.com*, True -*.ddcmp.net*, True -*.ddc.net.au*, True -*.dddkkk.net*, True -*.dddprintserver.co.uk*, True -*.ddechert.de*, True -*.ddedications.com*, True -*.ddenning.com*, True -*.dderby.net*, True -*.ddh3.org*, True -*.ddi-consulting.dk*, True -*.ddimpex.com.np*, True -*.ddizdar.com*, True -*.ddj.co.za*, True -*.ddjenterprisesllc.com*, True -*.ddjjls.com*, True -*.ddl-beats.org*, True -*.ddl-board.org*, True -*.ddl-music.org*, True -*.ddl-network.org*, True -*.ddl-warez.in*, True -*.ddmmotorsports.biz*, True -*.ddnmailsvr.de*, True -*.ddnorton.com*, True -*.ddns.org.uk*, True -*.ddns-sd.de*, True -*.ddoomus.com*, True -*.ddos.im*, True -*.ddosnet.tk*, True -*.ddos-online.cf*, True -*.ddoswiz.net*, True -*.ddot.tw*, True -*.ddr-a4.com*, True -*.ddrinformatica.es*, True -*.ddr.web.id*, True -*.ddsconsultores.cl*, True -*.ddudin.ru*, True -*.ddvsoft.com*, True -*.de24h.com*, True -*.de2n-j.com*, True -*.de4ris.co.uk*, True -*.deadbabecafe.com*, True -*.deadbabecafe.net*, True -*.deadbabecafe.org*, True -*.deadbadgers.com*, True -*.deadbeef.ch*, True -*.deadbody.biz*, True -*.deadbunnies.net*, True -*.deadcities.info*, True -*.deadcities.us*, True -*.deadcode.net*, True -*.deadcows.org*, True -*.dead.ga*, True -*.deadholiday.cf*, True -*.deadlock.com.ar*, True -*.deadlypixels.com*, True -*.deadmandontcry.com*, True -*.deadmenshoes.com*, True -*.deadpencildesign.com.au*, True -*.deadpersonssociety.co.uk*, True -*.deadplanet.net*, True -*.deadreturns.net*, True -*.deadroot.tk*, True -*.dead.so*, True -*.deadstars.tk*, True -*.deadstockrock.com*, True -*.deadtheory.com*, True -*.deadvirus.tk*, True -*.deadwomenwriters.com*, True -*.deadwomenwriters.net*, True -*.deadwomenwriters.org*, True -*.deakinsports.com.au*, True -*.dealbreaking.com*, True -*.dealenfolie.com*, True -*.dealerforums.com.au*, True -*.dealerpelumas.com*, True -*.dealhour.com*, True -*.dealideal.nl*, True -*.dealingrooms.net*, True -*.deal-machine.de*, True -*.deal-maschine.de*, True -*.de-almeida.org*, True -*.deals-hk.com*, True -*.dealsrebates.com.au*, True -*.dealswed.com*, True -*.dealunix.net*, True -*.dealz.sg*, True -*.deance.com*, True -*.deance.com.mx*, True -*.deance.mx*, True -*.deance.org.mx*, True -*.deancor.com.ar*, True -*.deanfamily.id.au*, True -*.deanfredrickson.com*, True -*.de-a.org*, True -*.dearabba.org*, True -*.dearalec.com*, True -*.deardrs.net*, True -*.dearlifefuckyou.com*, True -*.dearnara.com*, True -*.dearn.pl*, True -*.deartie.com*, True -*.deartota.com*, True -*.deartpix.com.ar*, True -*.deartumipictures.co.za*, True -*.deasynatalia.com*, True -*.death-by-monkeys.com*, True -*.deathbytreewalk.com*, True -*.death.cl*, True -*.deathcloset.com*, True -*.death-squad.org*, True -*.deathstar.tk*, True -*.deathtoani.me*, True -*.deathwing.ca*, True -*.debark-vlieland.nl*, True -*.debaron.com.au*, True -*.debaryvoyages.com*, True -*.debashistosh.net*, True -*.debattista.info*, True -*.debelleval.com*, True -*.debentureauction.com*, True -*.debever.be*, True -*.debian-ms.org*, True -*.debian.org.ve*, True -*.debiaseabogados.com.ar*, True -*.debitandcreditapp.com*, True -*.debiworley.com*, True -*.deblackorchidflorist.com.my*, True -*.deboe.com*, True -*.debora.gq*, True -*.deborahkelly.com.au*, True -*.deborahnairn.com*, True -*.deborahswebsite.com*, True -*.debortoli.co.za*, True -*.debrabanconne.be*, True -*.debsistemas.com.ar*, True -*.debstudio.com.ar*, True -*.debtfreeindy.com*, True -*.debugging.ninja*, True -*.debugroom.com*, True -*.debug.su*, True -*.debutanta.ro*, True -*.debutanti.ro*, True -*.debuteaza.ro*, True -*.deca.com.my*, True -*.decadencecomics.com*, True -*.decadencecomics.co.uk*, True -*.decadence.me*, True -*.decarlofamily.com*, True -*.decarlofamily.net*, True -*.decaturpetcremation.com*, True -*.deccanleatherfashions.in*, True -*.december12.net*, True -*.decentec.com*, True -*.dechiridas.com*, True -*.decider.su*, True -*.decidicasar.com.br*, True -*.decine.org*, True -*.decipherindia.com*, True -*.deck17.ch*, True -*.deckardaudio.com*, True -*.deckerlevy.com*, True -*.dec.lt*, True -*.deco-ambient.ro*, True -*.decoartesanos.cl*, True -*.decoartis.ro*, True -*.decoblog.com.ar*, True -*.decocactus.cl*, True -*.decocarpets.cl*, True -*.decocreacion.net*, True -*.decodetalles.com.ar*, True -*.decolida.ro*, True -*.decolores.cl*, True -*.deconcha.es*, True -*.de-coninck.net*, True -*.decoracao-de-viaturas.pt*, True -*.decoracionesvalle.com*, True -*.decorartevirtual.com.ar*, True -*.decoratiuni-cofetarie.ro*, True -*.decoratiunifructe.ro*, True -*.decorecasaup.com.br*, True -*.decorelli.cl*, True -*.decorgp.com*, True -*.decorhomefurniture.co.uk*, True -*.decorlux.it*, True -*.decormedica.com.ar*, True -*.de-corso.com.au*, True -*.decorum.cl*, True -*.decosuflet.ro*, True -*.decowski.com*, True -*.decoytag.com*, True -*.de-craecker.be*, True -*.decresenzo.com*, True -*.decrone.com*, True -*.decrypted.org*, True -*.decryptic.com*, True -*.decsei.com*, True -*.decsei.net*, True -*.decube.ga*, True -*.ded1.net*, True -*.deddy.tk*, True -*.dedekuntoro.uk*, True -*.dede-mia.ml*, True -*.dedemit.net*, True -*.dedgar.com*, True -*.dedibox.us*, True -*.dedicados.biz*, True -*.dedicadosgps.com*, True -*.dedicadosmexico.com*, True -*.dedicados.tv*, True -*.dedicadosvpn.com*, True -*.dedicasse.com*, True -*.dedicated-free-trial-servers.org*, True -*.dedijak.com*, True -*.ded.mx*, True -*.deduksi.com*, True -*.dedyyusuf.com*, True -*.deeblers-oran.eu*, True -*.deedleapps.com*, True -*.deedymotion.com*, True -*.deejayfx.info*, True -*.deejayjerome.com*, True -*.deejayjerome.nl*, True -*.deejays.it*, True -*.deejaysteel.ml*, True -*.deejtech.com*, True -*.deelay.me*, True -*.deelizalde.com.ar*, True -*.deemarcus.com*, True -*.deepakchalise.com.np*, True -*.deepakpokhrel.com.np*, True -*.deepanshumehndiratta.com*, True -*.deepbleu.tk*, True -*.deepblueaudio.com*, True -*.deepconcord.com*, True -*.deepen.tw*, True -*.deephack.com*, True -*.deeplumina.com*, True -*.deepmp3.net*, True -*.deepretreat.co.za*, True -*.deepsaidwhat.biz*, True -*.deepsaidwhat.info*, True -*.deepseacosmetics.hk*, True -*.deepspace.net.au*, True -*.deepsurface.tk*, True -*.deepthots.com*, True -*.deepwebproxy.com*, True -*.deer.ch*, True -*.deerfieldpalms.com*, True -*.deerpine.ml*, True -*.deesaid.com*, True -*.deesaid.net*, True -*.deesaid.org*, True -*.deetlef.net*, True -*.deevee1982.pl*, True -*.deevid.net*, True -*.deexign.com*, True -*.deezfn.com*, True -*.defacer-tersakiti.com*, True -*.defamationmedia.net*, True -*.defaultmanagementautomation.com*, True -*.defav.lt*, True -*.defcon4.net*, True -*.defcon-industries.com*, True -*.defconone.us*, True -*.defconseries.com*, True -*.defdc.com*, True -*.defectedtv.com*, True -*.defencekings.com*, True -*.defender24hs.com.br*, True -*.defendmymetadata.com*, True -*.defendmymetadata.com.au*, True -*.defendthe.us*, True -*.defensaverde.org*, True -*.defenseofgaymarriageact.com*, True -*.defensoria-nsjp.gob.mx*, True -*.defensornet.com*, True -*.defeo.ch*, True -*.defeo.org*, True -*.deferred.io*, True -*.defeyeent.com*, True -*.defeyeentertainment.com*, True -*.definicionyque.es*, True -*.defirex.ro*, True -*.defiti.com.br*, True -*.defloured.co.za*, True -*.defneuysal.com.tr*, True -*.defnull.tk*, True -*.defrianto.tk*, True -*.deftfinger.com*, True -*.defthemes.com*, True -*.deft.us*, True -*.defulane.tk*, True -*.degagne.net*, True -*.degendevelopment.com*, True -*.degey.org*, True -*.degle75.ga*, True -*.deglucion.cl*, True -*.degopalace.net*, True -*.degprime.com*, True -*.degradableplasticbag.com*, True -*.degraw.cc*, True -*.degraw.net*, True -*.degreef.ro*, True -*.degreesfinder.net*, True -*.degreesprogram.org*, True -*.degreesprograms.net*, True -*.degreesprograms.org*, True -*.degrowth.fi*, True -*.degubytes.com*, True -*.deguldenmijn.eu*, True -*.dehainaut.org*, True -*.dehart.cf*, True -*.dehart.ga*, True -*.dehart.gq*, True -*.dehart.tk*, True -*.deheldersebakker.com*, True -*.deheldersebakker.nl*, True -*.dehme.com*, True -*.dehoney.org*, True -*.dehormigon.com.ar*, True -*.dehoyos.me*, True -*.deickman.com*, True -*.deiconsultores.com.ar*, True -*.deigualaigual.net*, True -*.deimenweb.co.za*, True -*.deinebrodi.it*, True -*.deinmoipa.com.ve*, True -*.deiramac.com*, True -*.deitloff.com*, True -*.deiure.ro*, True -*.deiv.cl*, True -*.deividcorreia.com*, True -*.deiynsheda.com*, True -*.dejabrew.ca*, True -*.dejalo.cl*, True -*.dejava.info*, True -*.dejavu60.it*, True -*.dejoglo.com*, True -*.dejoglo.net*, True -*.dejonghoists.com.au*, True -*.dekalo.net*, True -*.dekalox.de*, True -*.dekap.com*, True -*.dekaritae.com*, True -*.dekaronrising.com*, True -*.dekaronuprising.com*, True -*.dekermac.com*, True -*.de-kerstman.nl*, True -*.dekhil.ru*, True -*.dekimolmediatraf.com*, True -*.dekimolmediatraf.net*, True -*.dekko.net.au*, True -*.dekkt.ro*, True -*.dekleinebhshop.be*, True -*.dekleinebhshop.eu*, True -*.deklerk.co.za*, True -*.dekleta.si*, True -*.dekode.co.nz*, True -*.dekoker.net*, True -*.dekonsolutions.co.uk*, True -*.dekorasitendaonline.com*, True -*.dekorasyonlari.com*, True -*.dekorativni-pleskar.si*, True -*.dekormarketi.com*, True -*.dekor-plesk.si*, True -*.dekotama.com*, True -*.dekun.uk*, True -*.dekznialyah.ml*, True -*.delaaalaz.net*, True -*.delafuentefunerales.cl*, True -*.delakorda.com*, True -*.delala.ml*, True -*.delalastra.cl*, True -*.delamaris.si*, True -*.delan.ch*, True -*.delaveauproteccion.cl*, True -*.delazon.com*, True -*.delcafe.com.ar*, True -*.delcarmen.cl*, True -*.delcentric.com*, True -*.delchino.co.za*, True -*.delcoautopartes.com*, True -*.delectare.org*, True -*.deledible.com.au*, True -*.deleesportsmedicine.com*, True -*.delendacarthago.eu*, True -*.deletedsource.com*, True -*.deletedsystem32.com*, True -*.deletesource.com*, True -*.deletras.es*, True -*.delfisdent.ru*, True -*.delfox.com.ar*, True -*.delfran.com.ar*, True -*.delgadonet.com*, True -*.delgremio.com.ar*, True -*.delhandley.com*, True -*.delhiexpress.net*, True -*.deliashopline.com*, True -*.deliatudose.com*, True -*.deliatudose.ro*, True -*.del-iberations.com*, True -*.delibest.cl*, True -*.delibury.co.uk*, True -*.delicaca.com.br*, True -*.delicatodesign.com.br*, True -*.delice-expert.com*, True -*.delicia.com.mx*, True -*.deliciasdepilar.cl*, True -*.deliciousicily.it*, True -*.deliciousmenumeals.com*, True -*.delightful-design.com*, True -*.delightfuldesignsjewelry.com*, True -*.delightfullysapphire.com*, True -*.delikventii.ro*, True -*.delinator.net*, True -*.deliriumdive.co.uk*, True -*.delistyle.net*, True -*.deliverance-gaming.com*, True -*.della.co.il*, True -*.dellaluce.ch*, True -*.dellsale.ru*, True -*.delma.be*, True -*.delmal.cl*, True -*.delonauro.si*, True -*.deloprom.ru*, True -*.delorenzo.mobi*, True -*.delovoe.net*, True -*.delovoimir.com*, True -*.delovoimir.kz*, True -*.delphiku.info*, True -*.delphirestaurant.de*, True -*.delpiero.biz*, True -*.delpunta.com.ar*, True -*.delquillan.com*, True -*.delreal.cl*, True -*.delsaler.com*, True -*.delset.net*, True -*.delssa.com*, True -*.delsur.xyz*, True -*.delta86.tk*, True -*.delta9-tetrahydrocannabinol.org*, True -*.deltaakademi.com.tr*, True -*.deltacompy.com.br*, True -*.deltacrome.ro*, True -*.deltadiscoverygroup.com*, True -*.deltadiscoverygroup.ru*, True -*.deltafoxtrot.com*, True -*.deltahospital.com.tr*, True -*.deltahotelro.com*, True -*.deltako.com*, True -*.delta-link.ir*, True -*.deltanomics.com*, True -*.deltantor.info*, True -*.deltasalud.com.ve*, True -*.deltashells.net*, True -*.deltasoftdominicana.com*, True -*.deltastreamenergy.ca*, True -*.deltasydney.com*, True -*.deltaveche.ro*, True -*.deltomatemayorista.com.ar*, True -*.delucacontabil.com.br*, True -*.delusi.eu*, True -*.deluxbygagula.com*, True -*.deluxeappetizers.com*, True -*.deluxemodel.com.mx*, True -*.delvinosalta.com.ar*, True -*.delwest.ch*, True -*.delwymn.com*, True -*.delwymnserver.net*, True -*.demaerschalck.eu*, True -*.demafiacrat.com*, True -*.demahinson.com*, True -*.demak.org*, True -*.demaliquors.ro*, True -*.demamlagump3.xyz*, True -*.demandingelctrical.com*, True -*.demandtw.com*, True -*.demangan-regency.net*, True -*.demanufactured.com*, True -*.demariafamily.net*, True -*.demartiis.com*, True -*.demartinhnos.com.ar*, True -*.demartinhormigones.com.ar*, True -*.demartinsrl.com.ar*, True -*.dementiev.eu*, True -*.demenyattila.ro*, True -*.demerits.co.za*, True -*.demerzel.org*, True -*.demicula.com*, True -*.demidenko.net*, True -*.demifinca.com.ar*, True -*.demiles.cl*, True -*.demilitarised.zone*, True -*.demimadre.com*, True -*.demiplan.pt*, True -*.demirar.cl*, True -*.demiurg.pl*, True -*.demo-axa.tk*, True -*.democ.ch*, True -*.democrace.com*, True -*.demo-haus.ro*, True -*.demojuan.com.ar*, True -*.demondim.net*, True -*.demonelvs.info*, True -*.demonio.cl*, True -*.demonk-1992.cf*, True -*.demonkenny.pw*, True -*.demonkerji403.tk*, True -*.demonsdxers.es*, True -*.demon-server.com*, True -*.demonwav.com*, True -*.demorea.com*, True -*.demo-site.gq*, True -*.demos-vag.com.ar*, True -*.demoteam.ch*, True -*.demotod.tk*, True -*.demotywator.biz*, True -*.demounit.com.ar*, True -*.dempseyandbaxter.com*, True -*.demsar.com.ar*, True -*.demunckconsulting.com*, True -*.demuth.us*, True -*.denalt.ru*, True -*.denani.si*, True -*.denaros.com.au*, True -*.dena-sudrajat.us*, True -*.dencoliensales.com*, True -*.dendi-cyber.org*, True -*.dendox.org*, True -*.dendroart.ro*, True -*.dendy.tk*, True -*.deneme12.cf*, True -*.deneot.com*, True -*.denevolar.com.ar*, True -*.denfer.pt*, True -*.dengibystro.tk*, True -*.dengisra.ru*, True -*.dengjiong.com*, True -*.dengnen.com*, True -*.deng.ro*, True -*.denied.ro*, True -*.denier.ch*, True -*.denis-hotel.com*, True -*.denismullov.ru*, True -*.denisorlov.ru*, True -*.denisparatte.ch*, True -*.denisvostrikov.ru*, True -*.denisyasik.ru*, True -*.denivan.ru*, True -*.denizbuklet.com*, True -*.denizgunes.net*, True -*.denizliberberlerodasi.org*, True -*.denkata.com*, True -*.denkena.com*, True -*.denkiboard.com*, True -*.denkibot.com*, True -*.denki-box.com*, True -*.denkoren.ru*, True -*.denkowahanasakti.net*, True -*.dennisbethke.com*, True -*.dennisdalmas.com*, True -*.dennisdonohue.com*, True -*.denniseharris.com.au*, True -*.dennisjalbert.com*, True -*.dennisloren.com*, True -*.dennisneumann.nl*, True -*.dennisschuetteconstructionllc.com*, True -*.dennyandkevin.net*, True -*.denokmitrommedia.com*, True -*.denokmitrommedia.net*, True -*.denokmitrommedia.org*, True -*.denovodesign.eu*, True -*.de-nse.com*, True -*.densegaming.net*, True -*.densofuelpump.com*, True -*.denssusfap.ga*, True -*.dentalasthetics.com.au*, True -*.dentalbeautycenter.ro*, True -*.dentalesthetics.com.au*, True -*.dentalhouse.com.br*, True -*.dentalmalia.gr*, True -*.dentalpractice.ch*, True -*.dentalvox.info*, True -*.dentalvox.net*, True -*.dentalvox.org*, True -*.dentalw.com*, True -*.dentanacas.ro*, True -*.dentaplus.ro*, True -*.dentcare.com.au*, True -*.dentech.org.uk*, True -*.dentim.si*, True -*.dentismed.ro*, True -*.dentist4you.com.au*, True -*.dentista.si*, True -*.dentiste-kuhni.ch*, True -*.dentiste-oger.ch*, True -*.dentistforyou.com.au*, True -*.dentisthasdeu.ro*, True -*.dentistrybiological.net*, True -*.dentosan.ro*, True -*.dentysoft.net.ve*, True -*.denuncialatrata.org*, True -*.denunciaronline.com*, True -*.denure.info*, True -*.denusademarchi.com.br*, True -*.denveralternativehealing.com*, True -*.denveranalytics.com*, True -*.denverbums.ml*, True -*.denverchess.com*, True -*.denyco.ro*, True -*.deonkorb.com*, True -*.deopravin.com.np*, True -*.deore.one.pl*, True -*.deparra.cl*, True -*.departamentosalgarrobo.cl*, True -*.departamentosenmendoza.com*, True -*.depa-sport.ro*, True -*.depaulo.org*, True -*.depdungcach.com*, True -*.depechemodecoiffure.ch*, True -*.dependenciaquimica.org.br*, True -*.depending.in*, True -*.dependingonyourmouthtomorrow.com*, True -*.depetrising.com.ar*, True -*.depilacaoacera.com.br*, True -*.depilaser.org*, True -*.depine.com.br*, True -*.depi.xyz*, True -*.deplan.cl*, True -*.depletionmode.com*, True -*.deployit.com.br*, True -*.deploymentautomation.sg*, True -*.deployment.ch*, True -*.deploymentzone.com*, True -*.deplump.org*, True -*.depocen.com*, True -*.depodental.cl*, True -*.depokimiakonstruksi.com*, True -*.depolab-indonesia.com*, True -*.deporbike.com*, True -*.deportesastorga.es*, True -*.depotplumpang.com*, True -*.depotravel.com*, True -*.depozitcereale.ro*, True -*.depozit-en-gross.ro*, True -*.depozit.ru*, True -*.depozituldemasinute.ro*, True -*.deppcam.de*, True -*.depreeuwpaul.be*, True -*.depremsigortasi.com*, True -*.depression-anxiety-assessment.com*, True -*.deprezentare.ro*, True -*.depthsofbeauty.com*, True -*.deptoadmin.com*, True -*.deptosancle.com.ar*, True -*.depue.org*, True -*.dera.cl*, True -*.derailedanarchy.net*, True -*.derange.ro*, True -*.derbunker.ro*, True -*.derby3000.net*, True -*.derbyportal.com*, True -*.dercarlo.ch*, True -*.derdelus.ro*, True -*.derechoudec.cl*, True -*.dereferer.tk*, True -*.derekburt.com*, True -*.derekcturner.net*, True -*.derekfitzpatrick.com*, True -*.derekgillett.com*, True -*.derekleeth.com*, True -*.derekmfrank.com*, True -*.derekpeterson.ca*, True -*.derekpovah.com*, True -*.derekrodgers.info*, True -*.derekschartung.com*, True -*.dereksmom.com*, True -*.dereks-pcrepairs.co.uk*, True -*.derek-witt.com*, True -*.derementeria.cl*, True -*.derendanet.com*, True -*.derepente.com.br*, True -*.derepko.ru*, True -*.der-fuehrer.tk*, True -*.derge.net*, True -*.dergrunepunkt.com.ar*, True -*.deriana.com*, True -*.deridolls.com*, True -*.derinbilgiler.com*, True -*.dermalosophy.co.il*, True -*.dermatix.co.id*, True -*.dermatoblog.ro*, True -*.dermatolog-cluj.ro*, True -*.dermatologiaweb.cl*, True -*.dermatologija.si*, True -*.dermatologist.hk*, True -*.dermatology.hk*, True -*.dermatoscop.ro*, True -*.dermatoshop.ro*, True -*.derongqiche.com*, True -*.derorv1.tk*, True -*.derorx2.tk*, True -*.deroude.ro*, True -*.derpasaurusrex.com*, True -*.derpianist.ch*, True -*.derpianist.info*, True -*.derpianist.li*, True -*.derpianist.org*, True -*.derpteamgames.com*, True -*.derpwithme.org*, True -*.derpynet.com*, True -*.derricbrissette.com*, True -*.derrickdoss.com*, True -*.derrierescabaret.com*, True -*.dersizes.ru*, True -*.derspielraum.ch*, True -*.der-stuermer.com*, True -*.der-stuermer.org*, True -*.dertarr.info*, True -*.dervensrl.com.ar*, True -*.dervishler.com*, True -*.derwurm.ro*, True -*.desabit.com.ar*, True -*.desafiobeisbolvenezuela.com*, True -*.desafiodosreis.com.br*, True -*.desafioscrum.com*, True -*.desafiosdaenfermagem.com.br*, True -*.desafiosdeprogramacao.com.br*, True -*.desain-bangunan.com*, True -*.desantiago.com*, True -*.desario.com.br*, True -*.desarmaduriavehiculos.cl*, True -*.desarrollamexico.mx*, True -*.desarrollodgv.com.ar*, True -*.desarrolloeconomicolocal.cl*, True -*.desarrollolaboralcerrocolorado.cl*, True -*.desaryo.com*, True -*.desat.com.tr*, True -*.desatecno.com*, True -*.desaulniers.net*, True -*.desax.me*, True -*.desbg.com*, True -*.descantece.ro*, True -*.descargarmega.li*, True -*.descargarmega.org*, True -*.descartablesoeste.com*, True -*.descartelegal.com.br*, True -*.descensodelnalon.com*, True -*.descensodelnalon.es*, True -*.deschisacum.ro*, True -*.descort.co.uk*, True -*.descryptor.com*, True -*.descutuning.ro*, True -*.desdeelvestidor.com*, True -*.deseara.net*, True -*.desekilibra2.tk*, True -*.desencriptawhatsapp.com.ar*, True -*.desenedecoloratgratis.ro*, True -*.deseret.ac.za*, True -*.deseret.co.za*, True -*.deseret.org.za*, True -*.deserta.ro*, True -*.desertbobtur.co*, True -*.desert.cl*, True -*.desertjiltur.co*, True -*.desertkijuj.co*, True -*.desertkimom.co*, True -*.desertkitur.co*, True -*.desertnintur.co*, True -*.desertpiptur.co*, True -*.desertsagetaxidermy.com*, True -*.deserttekno.com*, True -*.deseuriferoase.ro*, True -*.desgraciadas.com.ar*, True -*.deshevokupi.ru*, True -*.de-siebenthal.ch*, True -*.desig.in*, True -*.design4futureliving.com*, True -*.design4futureliving.co.za*, True -*.designaholic.com.mx*, True -*.designart.ws*, True -*.designbrews.com*, True -*.designbrewz.com*, True -*.designbuilder.co.za*, True -*.designbyjess.co.za*, True -*.designbyred.net*, True -*.designbysusan.co.za*, True -*.designcrete.net.au*, True -*.designedforliving.co.za*, True -*.designelectrical.net.au*, True -*.designerhyunho.com*, True -*.designerimagesmd.com*, True -*.designerstorage.co.za*, True -*.designethosserver.co.uk*, True -*.design-fabrica.com*, True -*.designforliving.co.za*, True -*.designform.ro*, True -*.designforuse.com.au*, True -*.designgreen.co.za*, True -*.design-home.net*, True -*.designingspot.com*, True -*.designisdesign.eu*, True -*.designjds.ru*, True -*.designjobs.eu*, True -*.designlinc.co.uk*, True -*.designlogomurah.my*, True -*.designsforliving.co.za*, True -*.designsticker.my*, True -*.designterrarium.de*, True -*.designtexbd.com*, True -*.designtime.com*, True -*.designwheel.co.uk*, True -*.designwithcomputer.com*, True -*.designwyo.com*, True -*.desipartynyc.com*, True -*.desireables.net*, True -*.desired.ro*, True -*.desistufradio.info*, True -*.deskana.com*, True -*.desknow.cl*, True -*.desktechsolutions.com*, True -*.desktopthread.ga*, True -*.desktopthread.gq*, True -*.desktopthread.ml*, True -*.desk-tuning.com*, True -*.desktuning.com*, True -*.desmarais.nom.za*, True -*.desmoineshockey.com*, True -*.desmor.co.za*, True -*.desocraft.eu*, True -*.desoftware.com.mx*, True -*.desoftware.mx*, True -*.desolo.org*, True -*.desomere.net*, True -*.desonia.com*, True -*.desonia.org*, True -*.desousa.ch*, True -*.despachocardif.cl*, True -*.despair.ml*, True -*.despontar.com.br*, True -*.despotak.is*, True -*.despo.tk*, True -*.despreeducatie.ro*, True -*.despremainimic.tk*, True -*.dessinindustriel.ch*, True -*.destaka.cl*, True -*.deste.pt*, True -*.destinationmu.com*, True -*.destinationrentals.net*, True -*.destinationthailandnews.com*, True -*.destination.web.id*, True -*.destino-corrientes.com.ar*, True -*.destinolegal.com.br*, True -*.destinyping.com*, True -*.destinyremote.com*, True -*.destinystirling.com*, True -*.destroyer-community.org*, True -*.destroyerkisscover.com.br*, True -*.destroy.ro*, True -*.desu.tv*, True -*.desy75.tk*, True -*.desynch.one.pl*, True -*.detacs.com*, True -*.detailingbruxelles.be*, True -*.detailing-deluxe.be*, True -*.detar.tk*, True -*.detecta.ca*, True -*.detectivebg.com*, True -*.detectmobile.co.za*, True -*.detectoreschile.cl*, True -*.detelnetworks.com*, True -*.determindhost.com.au*, True -*.detest.ca*, True -*.detetiveweb.com.br*, True -*.detetiveweb.tk*, True -*.deti21.com*, True -*.detiklomba.com*, True -*.detiks.tk*, True -*.detintasypapeles.com.ar*, True -*.detistore.ru*, True -*.detlk.tk*, True -*.detonatenyc.com*, True -*.detprod.com*, True -*.detreaba.ro*, True -*.detribunales.com.ar*, True -*.detroitcomputerrepairexperts.com*, True -*.detroitcomputerrepairservices.com*, True -*.detro.ro*, True -*.detsadn1.ru*, True -*.detta.pw*, True -*.detted.com*, True -*.detwilers.me*, True -*.deucedaily.org*, True -*.deuja.com*, True -*.deumantec.com.ar*, True -*.deusdedit.com*, True -*.deusexmachina.org*, True -*.deuslife.com*, True -*.deutekom.eu*, True -*.deuteriumtech.com*, True -*.deutsch.com.au*, True -*.deutschklubindy.com*, True -*.deutschung.com*, True -*.dev121.com*, True -*.dev1.com.ve*, True -*.devaces.pro*, True -*.devaid.cl*, True -*.devairraymundo.com.br*, True -*.devalouwe54.nl*, True -*.devanshi.tk*, True -*.devansh.nom.za*, True -*.devartdesign.com*, True -*.devatron.com*, True -*.devblogi.pl*, True -*.devcent.pl*, True -*.devcentre.org*, True -*.devcoin.ch*, True -*.deveddy.com*, True -*.develeon.net*, True -*.develgrp.com.ar*, True -*.develnet.us*, True -*.developer1.net*, True -*.developer.se*, True -*.developersian.com*, True -*.developersian.ir*, True -*.developmentpartnership.ro*, True -*.developmentspot.com*, True -*.development-switzerland.ch*, True -*.developpement-suisse.ch*, True -*.devenam.com*, True -*.deveni.sh*, True -*.deverandcompany.com*, True -*.deverellinabluedress.net*, True -*.deverter.net*, True -*.deveser.com.br*, True -*.devevolv.com*, True -*.deveza.net*, True -*.devfortune.com*, True -*.devfuner.com*, True -*.dev.geek.nz*, True -*.devhub.club*, True -*.devi1.net*, True -*.devicars.com*, True -*.device.id*, True -*.devicesupport.co.uk*, True -*.device-support.dk*, True -*.devicks.com*, True -*.devigrosirtanahabang.com*, True -*.devilet.net*, True -*.devilmaycry.cf*, True -*.devil.me.uk*, True -*.devilpico.com.br*, True -*.devilwater.net*, True -*.devilzcloth.com*, True -*.devinder.net*, True -*.devindunlevy.com*, True -*.devink.ca*, True -*.dev-in.ml*, True -*.devinsio.hk*, True -*.devion.co*, True -*.devion.com*, True -*.devionmail.com*, True -*.devirgins.com*, True -*.devisolator.com*, True -*.devitraders.com*, True -*.devitrans.com*, True -*.de-vizita.ro*, True -*.devlabs.com.ar*, True -*.devlink.co*, True -*.devlink.pl*, True -*.devmedia.pl*, True -*.devmed.ru*, True -*.devmon.ru*, True -*.devnode.cl*, True -*.devnull.co.uk*, True -*.devoid.gr*, True -*.devolution.hu*, True -*.devoprevo.com*, True -*.devopsengineer.com*, True -*.devopsninja.com*, True -*.devops.sg*, True -*.devops.ws*, True -*.devourfood.ro*, True -*.devouring.us*, True -*.devourmedia.ro*, True -*.devour.ro*, True -*.devoursales.ro*, True -*.devprrt.ru*, True -*.devpytania.pl*, True -*.devreler.com*, True -*.devsaco.com*, True -*.devsarandi.com.ar*, True -*.devspeculations.com*, True -*.devsrv.info*, True -*.devstep.info*, True -*.devtop10.com*, True -*.devtopten.com*, True -*.dev-west.ro*, True -*.devwonders.com*, True -*.devworth.net*, True -*.dewacabul.com*, True -*.dewacabul.net*, True -*.dewaele.org*, True -*.dewa-likers.cf*, True -*.dewarefill.co.id*, True -*.dewbiez.org*, True -*.dewellup.at*, True -*.dewellup.com*, True -*.dewi-jempol.cf*, True -*.dewi-likers.cf*, True -*.dewin.me*, True -*.dewi.one.pl*, True -*.dewivideo.com*, True -*.dewo.cf*, True -*.dewo.ml*, True -*.dewr-home.com*, True -*.dexas.lt*, True -*.dexist.us*, True -*.dex-online.ro*, True -*.dexpanthenol.net*, True -*.dexrubio.com*, True -*.dextasoft.com*, True -*.dexteris.com*, True -*.dextm.ro*, True -*.dextonet.com*, True -*.deykoweec.cf*, True -*.deyvenement.fr*, True -*.dez4x4.ro*, True -*.dezcom.org*, True -*.dezelaigrac.si*, True -*.dezelak.si*, True -*.dezire.club*, True -*.dezmembrari.me*, True -*.dezvaluiri.ro*, True -*.d-fallen.com*, True -*.dfarfallaeventos.cl*, True -*.dfcv-indonesia.com*, True -*.dfdl.com*, True -*.dfdlmekong.com*, True -*.dfg.co.za*, True -*.dfgh.in*, True -*.dfisk.net*, True -*.dfmindonesia.com*, True -*.dfordogguchi.com*, True -*.dfs.co.za*, True -*.dfstorm.tk*, True -*.dfswkj.com*, True -*.dftcloud.com*, True -*.d-fuzion.be*, True -*.dfwbg.org*, True -*.dfx-eng.co.il*, True -*.dg3xp3rt.com*, True -*.dgafclan.tk*, True -*.dgame.me*, True -*.dgaspc5.ro*, True -*.dgaspcgr.ro*, True -*.dgaudys.com*, True -*.dgb-cpa.com*, True -*.dgby.org*, True -*.dgc.id.au*, True -*.dgcontexpert.ro*, True -*.dgdbrokers.co.za*, True -*.dgeimporex.com*, True -*.dgfnet.de*, True -*.dgiering.com*, True -*.dgiering.net*, True -*.dgit.com.ar*, True -*.dg-maconnerie.ch*, True -*.dgmeshop.com*, True -*.dgmeshop.co.uk*, True -*.dgnsp.si*, True -*.dgoconda.ru*, True -*.dgodns.net*, True -*.dgoodmanconsult.com*, True -*.dgpages.com*, True -*.dgparsa.ir*, True -*.dg-pic.tk*, True -*.dgraf.ch*, True -*.dgrfsa.com.ar*, True -*.dgriffith.com.au*, True -*.dgross.us*, True -*.dg-sc.co.uk*, True -*.dgs-services.com*, True -*.dgsystems.com.br*, True -*.dgusysnet.org*, True -*.dgvidros.com*, True -*.dh08nl.org*, True -*.dh2u.com*, True -*.dh3.com*, True -*.dhagrow.org*, True -*.dhakini-espace.ch*, True -*.dhammachaiyo.com*, True -*.dhanapalan.com*, True -*.dhanny.net*, True -*.dharmabusana.com*, True -*.dharma.cl*, True -*.dharmawan.net*, True -*.dharshanrasiah.com*, True -*.dharshiniassociates.com*, True -*.dhavalpatel.net*, True -*.dhcmarketing.co.nz*, True -*.dhconsulting.ch*, True -*.dhdigital.co.za*, True -*.dhedhe48.cf*, True -*.dhedhe48.ml*, True -*.dheoqkr.com*, True -*.dhewlett.com*, True -*.dhht.hu*, True -*.dhia-ulhaq.cf*, True -*.dhide.me*, True -*.dhiegofellipe.in*, True -*.dhiikaattacker.org*, True -*.dhikaofficial.org*, True -*.dhikapedia.com*, True -*.dhikkibru.ml*, True -*.dhillons.in*, True -*.dhilung.com.np*, True -*.dhitalroshan.com.np*, True -*.dhiva.me*, True -*.dhlaviationlk.com*, True -*.dhlawrencesocietyaustralia.com.au*, True -*.dhlexpress.co.za*, True -*.dhlinforma.com.br*, True -*.dhmfn.ro*, True -*.dhm.ro*, True -*.dhofer.ch*, True -*.dhoif.ml*, True -*.dhom.tk*, True -*.dhoooes.com*, True -*.dhos.me*, True -*.dhruvparth.com*, True -*.dht-design.com*, True -*.dhthomas.org*, True -*.dhtml.ml*, True -*.dhtuswkd.com*, True -*.dhubdigital.com*, True -*.dhuchile.cl*, True -*.dhugul.tk*, True -*.dhuik.eu*, True -*.dhuniv.tk*, True -*.dhuri.tk*, True -*.dhzlaw.ca*, True -*.dhz.me*, True -*.di6ital.tk*, True -*.dia10.com.br*, True -*.diablonet.ch*, True -*.diablo.si*, True -*.diabol.us*, True -*.diacel.cl*, True -*.diachi.tk*, True -*.diacomputers.com*, True -*.diaconadovalpo.cl*, True -*.diaconescu.info*, True -*.diaconesq.ro*, True -*.diacritice.ro*, True -*.diadelausabilidad.org.ar*, True -*.diaduit.ch*, True -*.diafilme.ro*, True -*.diaf.web.id*, True -*.diagence.com*, True -*.diagnosticoparasito.com.ar*, True -*.diagnosticoporimagen.net*, True -*.diagnosticpeiris.ro*, True -*.diagonalapartments.com*, True -*.diagonalcat.com*, True -*.diagprog.co.uk*, True -*.diahkharisma.com*, True -*.dial-a-disc.co.nz*, True -*.dialadisc.co.nz*, True -*.dial-a-disc.nz*, True -*.dialecticas.com.ar*, True -*.dialertrunks.com*, True -*.dialetto.info*, True -*.dialisis-bellville.com.ar*, True -*.dialisisbellville.com.ar*, True -*.dialisis-bv.com.ar*, True -*.dialisisbv.com.ar*, True -*.diallog.com.pk*, True -*.dialog.si*, True -*.dialogsibir.ru*, True -*.dialogus.com*, True -*.dialogus.cz*, True -*.dialogus.eu*, True -*.dialogus.net*, True -*.dialpeer.org*, True -*.dialysis-centers.info*, True -*.diamarket.ro*, True -*.diamati.com*, True -*.diammarket.com*, True -*.diamond.as*, True -*.diamondbsd.com*, True -*.diamond-club.us*, True -*.diamondcreekrealestate.com*, True -*.diamondcutcarpets.biz*, True -*.diamondparts.com*, True -*.diamondprice.co.za*, True -*.diamondsescorts.ca*, True -*.diamondtree.ru*, True -*.dianagerda.ru*, True -*.dianamartins.com.br*, True -*.dianarizky.com*, True -*.dianatintar.com*, True -*.diandpat.com*, True -*.dianeadores.com*, True -*.dianeme-tampan.com*, True -*.dianga.ru*, True -*.dianjaya.co.id*, True -*.dian-karya.com*, True -*.dianmarisa.com*, True -*.dianmarisa.com.br*, True -*.diannelorraine.com*, True -*.dianns.org*, True -*.dianyglas.com*, True -*.diariocero.com.ar*, True -*.diariodemorelos.mx*, True -*.diariodeunsilvestrista.com.ve*, True -*.diariodevuelo.ga*, True -*.diariosanfrancisco.com.ar*, True -*.diariotno.com*, True -*.diaspora1.tk*, True -*.diaspora2.tk*, True -*.diasporaortodoxa.ro*, True -*.diasp.ro*, True -*.diavolo.ga*, True -*.diazalberdi.com.ar*, True -*.diaz.com.ve*, True -*.diazd.com*, True -*.diazlonghi.com.ar*, True -*.diaztrada.com*, True -*.dibaisp.com*, True -*.dibashmagar.com.np*, True -*.dibathia-law-office.com*, True -*.dibattista-designs.biz*, True -*.dibattista-designs.co*, True -*.dibattista-designs.com*, True -*.dibattista-designs.info*, True -*.dibattista-designs.net*, True -*.dibattistadesigns.net*, True -*.dibattista-designs.us*, True -*.diblasio.it*, True -*.diblatto.ch*, True -*.diblatto.com*, True -*.dibokep.tk*, True -*.dicasfilme.com.br*, True -*.dicatrans.cl*, True -*.diccopsa.com.mx*, True -*.dichmay.net*, True -*.dichtiengviet.com*, True -*.dichtudong.com*, True -*.dichtudong.net*, True -*.dichvuketoanbienhoa.com*, True -*.dichvutructuyen.com*, True -*.dicihouse.com*, True -*.dicionar.io*, True -*.dicka-ammara-baturan-crew.com*, True -*.dickandbevroach.com*, True -*.dickens-stamps.be*, True -*.dickeyelectrical.com*, True -*.dickeyfam.com*, True -*.dickpunch.ca*, True -*.dicksin.space*, True -*.dickyince.co.uk*, True -*.dicoba.in*, True -*.dicoglass.cl*, True -*.dicomcloud.net*, True -*.dicosmo.com.au*, True -*.dictionardevise.ro*, True -*.dictionarsexual.ro*, True -*.dictionarvise.ro*, True -*.dicunt.com*, True -*.dicu.org*, True -*.didactino.ro*, True -*.di-da.net*, True -*.diddi87.de*, True -*.diddletv.com*, True -*.didgori2010.com*, True -*.didgu.com*, True -*.didikhs.tk*, True -*.didikos.com*, True -*.didin.asia*, True -*.didonato-peinture.ch*, True -*.didotajjah.org*, True -*.didovetsnetwork.com*, True -*.didz.com.au*, True -*.die-borg.de*, True -*.diecastarena.com*, True -*.diecastings.com.au*, True -*.diedrichson.de*, True -*.dieetradar.nl*, True -*.dieet-utrecht.nl*, True -*.dieetutrecht.nl*, True -*.die-falknerin.de*, True -*.diegoalorenzo.com.ar*, True -*.diegobilhalva.com*, True -*.diegoceldran.tk*, True -*.diegodemarco.com*, True -*.diegodosamba.com.ar*, True -*.diegogancedo.com.ar*, True -*.diegogualda.com.ar*, True -*.diegonascimento.net*, True -*.diegonascimento.net.br*, True -*.diegonunez.com.ar*, True -*.diegopublici.com.ve*, True -*.diegosanclemente.com.ar*, True -*.diegoscheinin.com.ar*, True -*.diegos-place.com*, True -*.diegoti.com.br*, True -*.diegoymariana.com*, True -*.diegus83.com.ar*, True -*.diehildebrands.de*, True -*.diehl.fi*, True -*.die-informatiker.info*, True -*.die-informatiker.org*, True -*.diekatzchen.org*, True -*.die-knoepfe.at*, True -*.dieletrica.com.br*, True -*.dielinke-riedstadt.de*, True -*.die-liste.org*, True -*.die.lv*, True -*.die-maz.tk*, True -*.diem.cl*, True -*.diemuzi.com*, True -*.diendandealsaigon.tk*, True -*.diendan-gta-rp.tk*, True -*.diendanhochiminh.net*, True -*.dieniederhausers.ch*, True -*.diennuocgiasi.com*, True -*.dienvip.tk*, True -*.dieouhuis.co.za*, True -*.dieppebigfish.com*, True -*.diercke-atlas.ch*, True -*.diering.ro*, True -*.die-schrages.de*, True -*.diesel59.com*, True -*.dieselbroker.ro*, True -*.dieselmafia.info*, True -*.diesterweg.ch*, True -*.die-tage-gehen-vorueber.ch*, True -*.dietanews.net*, True -*.dieterbulck.be*, True -*.dietetika.si*, True -*.dietmirror.com*, True -*.dietolozka.pl*, True -*.dietpunch.com*, True -*.dieulinh.net*, True -*.dieulinh.org*, True -*.dieuseclate.com*, True -*.diewolfs.tk*, True -*.differenti.al*, True -*.differenttypesofwarts.net*, True -*.differ.fi*, True -*.difficultyears.com*, True -*.diffused.org*, True -*.difmond.com*, True -*.dig0.com*, True -*.dig0.info*, True -*.dig0.net*, True -*.dig0.org*, True -*.digalocon.cl*, True -*.digash.com*, True -*.dig-down.com*, True -*.dig-down.net*, True -*.dig-down.org*, True -*.digdown.org*, True -*.digdown.us*, True -*.digerati.tv.br*, True -*.digeridoo.org*, True -*.digestivebread.com*, True -*.diggalerts.com*, True -*.diggbee.com*, True -*.diggerson.com.au*, True -*.digiacloud.fi*, True -*.digiacomos.com*, True -*.digiademo.fi*, True -*.digiatest.fi*, True -*.digibase.fi*, True -*.digicamrepair.com*, True -*.digi-com.ru*, True -*.digidevice.fi*, True -*.digidocscentral.com*, True -*.digigroup.co.id*, True -*.digihelp.fi*, True -*.digihlp.com*, True -*.digihome.lv*, True -*.digijuris.com*, True -*.digilabs.lv*, True -*.digilib-smkn2plg.com*, True -*.digilusion.com*, True -*.digimag.com.my*, True -*.digimaster.srv.br*, True -*.digimon.ga*, True -*.digineter.com*, True -*.digion.ga*, True -*.digirati.org*, True -*.digisoft8.com*, True -*.digisoft.ca*, True -*.digisoftvoip.com*, True -*.digi-solution.com*, True -*.digisoul.info*, True -*.digisport-live.eu*, True -*.digitaali.net*, True -*.digitaladaptation.net*, True -*.digitaladaption.net*, True -*.digitalagenda.ca*, True -*.digitalarena.tk*, True -*.digitalasset.co.za*, True -*.digitalassetmanagement.co.za*, True -*.digitalassets.co.za*, True -*.digitalaward.co.za*, True -*.digitalaya.com*, True -*.digitalberries.com*, True -*.digitalboxlab.com*, True -*.digitalbuzz.net*, True -*.digitalbytecomputing.com*, True -*.digitalcape.org*, True -*.digitalchild.net*, True -*.digitalcitizen.co.za*, True -*.digitalcom.com.ar*, True -*.digitalconvergence.com*, True -*.digitalconvergence.org*, True -*.digital-corps.com*, True -*.digitaldave.com.au*, True -*.digitaldavepayne.com*, True -*.digitaldeficit.com*, True -*.digitaldemographics.com*, True -*.digitaldesolation.com*, True -*.digitaldi.com.au*, True -*.digital-dimension.ru*, True -*.digitaldiplomacy.com*, True -*.digitalecho.ga*, True -*.digitalecosystems.asn.au*, True -*.digitalecosystems.biz*, True -*.digitalecosystems.com.au*, True -*.digitalecosystems.info*, True -*.digitalecosystems.net.au*, True -*.digitalecosystems.org.au*, True -*.digitale-demokratie.net*, True -*.digitaledisplay.com*, True -*.digital-electronice.ro*, True -*.digitale-progressive.de*, True -*.digitalestad.net*, True -*.digital-ethiopic.com*, True -*.digitalfairkurigram.com*, True -*.digitalfreezer.net*, True -*.digitalfrost.net*, True -*.digital-furnace.com*, True -*.digitalfurqan.com*, True -*.digital-fx.net*, True -*.digitalgroupe.com*, True -*.digitalgrup.ro*, True -*.digitalhealthcarejournal.com*, True -*.digitalhealthservices.ca*, True -*.digitalhemi.com*, True -*.digitalia.pt*, True -*.digital.info.ve*, True -*.digitalizacja-zbiorow.pl*, True -*.digitallifecarnival.hk*, True -*.digital-life.com.au*, True -*.digital-lifeline.ca*, True -*.digitallifetimeservices.com*, True -*.digitalliteracy.co.za*, True -*.digitalmarketing.si*, True -*.digital-max.com.ar*, True -*.digitalmediac.com*, True -*.digitalmedianut.net*, True -*.digital-minds.com.ar*, True -*.digitalminds.com.ar*, True -*.digitalnomadwannabe.com*, True -*.digital.org.ru*, True -*.digitalparking.asia*, True -*.digitalpd.com*, True -*.digitalpolicy.co.za*, True -*.digitalpostma.com*, True -*.digitalpractise.com*, True -*.digitalrat.org*, True -*.digitalsec.net*, True -*.digitalsentiment.com*, True -*.digitalshoppe.com.au*, True -*.digitalskills.co.za*, True -*.digitalsmedia.ro*, True -*.digital-spin.co.uk*, True -*.digitalstep75.tk*, True -*.digitalstereoguitar.com*, True -*.digitalstores.biz*, True -*.digitalstores.us*, True -*.digitaltax.info*, True -*.digitaltraining.co.id*, True -*.digitaltvhouston.com*, True -*.digital-users.net*, True -*.digital-verification.info*, True -*.digitalvortex.net*, True -*.digitalvspace.com*, True -*.digitalwaters.org*, True -*.digitech.com.my*, True -*.digitechsol.in*, True -*.digiticker.info*, True -*.digit-labs.web.id*, True -*.digito.co.nz*, True -*.digitraining.ca*, True -*.digitroncopiadoras.com.mx*, True -*.digiweed.com*, True -*.digiworkers.com*, True -*.digiworks.ro*, True -*.digixchange.com*, True -*.digix.co.il*, True -*.digliodo.com.ar*, True -*.dignidademedica.com.br*, True -*.dignito.pt*, True -*.dignitykids-indy.org*, True -*.digoodies.com*, True -*.digoody.com*, True -*.digresia.com.ar*, True -*.digtek.tk*, True -*.diguomu.com*, True -*.dihoff.com*, True -*.diif.co.uk*, True -*.diipl.com*, True -*.diipl.in*, True -*.diipl.net*, True -*.dijualdi.com*, True -*.dikawahyuni.com*, True -*.dikialhafiz.com*, True -*.dikki.co.uk*, True -*.diklatsulsel.or.id*, True -*.dikson-bg.eu*, True -*.diks.org*, True -*.dilabsa.com*, True -*.dilavoro.it*, True -*.dilbahadurkc.com.np*, True -*.dildes.com*, True -*.dileno.com.br*, True -*.dilettantebeer.com.au*, True -*.dilimot.ro*, True -*.dilisi.ch*, True -*.dillardhome.org*, True -*.dillmuth.net*, True -*.dillonhill.co.uk*, True -*.dillon-st.com.ar*, True -*.dilly-server.com*, True -*.dilmi.com.ar*, True -*.dilorenzohair.com.br*, True -*.dilservice.com.ar*, True -*.dilunasangria.rs*, True -*.dimachan.com*, True -*.dimaclean.cl*, True -*.dimaelectric.com.ar*, True -*.dimaggiolan.net*, True -*.dimagofman.co.uk*, True -*.dima-ira.com*, True -*.dimakeupin.com*, True -*.di-malaysia.tk*, True -*.dimana-oo-dimana.com*, True -*.dimanasaya.com*, True -*.dimang.club*, True -*.dimanosov.ru*, True -*.dimapanov.ru*, True -*.dimas14.tk*, True -*.dimasabimanyu.com*, True -*.dimasalfaridzi.me*, True -*.dimassatrio.web.id*, True -*.dimattia.com.ar*, True -*.dimatur.pt*, True -*.dimawebdesign.tk*, True -*.dimbass.tk*, True -*.dimehe.com*, True -*.dimenglish.com*, True -*.dimension16.ch*, True -*.dimensionalrift.net*, True -*.dimension.com.tr*, True -*.dimensioncraft.ml*, True -*.dimensionemusica.tk*, True -*.dimenzija.net*, True -*.dimequehora.es*, True -*.dimethocaineshop.co.uk*, True -*.dimitrij.de*, True -*.dimitrijones.com*, True -*.dimka-stroi.ru*, True -*.dimkastroi.ru*, True -*.dimka-stroy.ru*, True -*.dimkastroy.ru*, True -*.dimko-stroi.ru*, True -*.dimkostroi.ru*, True -*.dimko-stroy.ru*, True -*.dimmental.com*, True -*.dimosvoulgaridis.gr*, True -*.dimove.ru*, True -*.dimsk.com*, True -*.dimsumtrust.com*, True -*.dimtihan.com*, True -*.dinachile.cl*, True -*.dinamomania.ro*, True -*.dinastiablancadogos.com.ar*, True -*.dinasticomputer.com*, True -*.dinasty-mvm.tk*, True -*.dinator.com*, True -*.dincoco.tk*, True -*.dindu.ga*, True -*.dineras.bg*, True -*.dinerosmanagement.com*, True -*.dineshlakai.com.np*, True -*.dineshstha.com.np*, True -*.dineshtamang.com.np*, True -*.dingbat-tees.com*, True -*.dinghydonghy.com*, True -*.dingin.net*, True -*.dingmp3.com*, True -*.dingnu.com*, True -*.dingoskidneys.com*, True -*.dingostick.com*, True -*.dingshun.hk*, True -*.dingshun.org*, True -*.dingshunseenkoon.org*, True -*.dinhcao.net*, True -*.dinher.es*, True -*.diningguidelic.com*, True -*.dinix.com.ar*, True -*.dinjiso.com*, True -*.dinkescirebon.net*, True -*.dinkestangsel.org*, True -*.dinko.cl*, True -*.dinkybrashop.com*, True -*.dinkybrashop.eu*, True -*.dinkybrashop.nl*, True -*.dinkys.ws*, True -*.dinncoletto.com.ar*, True -*.dinobitcoin.com*, True -*.dinosaurio.pw*, True -*.dinossauro.net*, True -*.dinossauro.org*, True -*.dinpls.com*, True -*.dinqart.com*, True -*.dinshop.net*, True -*.dinsite.se*, True -*.dinsosmakassar.com*, True -*.dintaifung.jp*, True -*.dintaifung.us*, True -*.dinyanetraining.co.za*, True -*.dinzona.ro*, True -*.diocesedebanfora.org*, True -*.diod.com*, True -*.diohwm.com*, True -*.diopor.com*, True -*.dioseres.com.ar*, True -*.diovaud.com*, True -*.dipacoronline.com*, True -*.dipandang.com*, True -*.dipandu.com*, True -*.dipendrabhusal.com.np*, True -*.dipendrapokharel.com.np*, True -*.dipendrathing.com.np*, True -*.dipes.com.np*, True -*.dipeshsubedi.com.np*, True -*.dipeshwagle.com.np*, True -*.dipfee.com*, True -*.dipfee.me*, True -*.dipietronv.com*, True -*.diplines.com*, True -*.diplomacyonline.net*, True -*.dipremium.tk*, True -*.dipronor.com*, True -*.diputadosmisiones.gob.ar*, True -*.diqcotech.com*, True -*.dirabox.com*, True -*.dirac.org*, True -*.diragp.tk*, True -*.diralike.tk*, True -*.dirat.web.id*, True -*.dirba.net*, True -*.dirc.cl*, True -*.direccionsursa.com.ar*, True -*.direct2retail.com.au*, True -*.directiasilvicabn.ro*, True -*.directional-controlvalves.com*, True -*.directorio-de.com*, True -*.directoriologistico.com.mx*, True -*.directoriologistico.mx*, True -*.directoriologistico.net*, True -*.director-web.co*, True -*.directoryadmin.info*, True -*.directorysubmissions.org*, True -*.directpayclinics.com*, True -*.direct-payday-loans.com*, True -*.directpubliweb.com*, True -*.directpubliweb.info*, True -*.directpubliweb.net*, True -*.directsale.ch*, True -*.directssp.com*, True -*.directsupport.pt*, True -*.direitodoaposentado.com.br*, True -*.direitoemcartaz.com.br*, True -*.direitus.com*, True -*.diretiva.eu*, True -*.direto.cf*, True -*.dirgaip.com*, True -*.dirgaip.org*, True -*.dirkdirkclan.com*, True -*.dirkherrling.de*, True -*.dirkis.fr*, True -*.dirkvankampen.com*, True -*.dirla.ro*, True -*.dirnea.org*, True -*.dirtbikeursa.com*, True -*.dirtchicvt.com*, True -*.dirtchild.net*, True -*.dirteebreaks.com*, True -*.dirtsense.com*, True -*.dirtybomb.tk*, True -*.dirtydevildesigns.com*, True -*.dirtydog.no*, True -*.dirtyinode.me*, True -*.dirtynoun.net*, True -*.disabo.info*, True -*.disabo.name*, True -*.disabo.net*, True -*.disabo.org*, True -*.disabo.ru*, True -*.disadvantages.info*, True -*.disal.com.ar*, True -*.disanserv.ro*, True -*.disasterzone.net*, True -*.disbintalkesos.go.id*, True -*.disciple-all-nations.com*, True -*.disciplesinusa.com*, True -*.disciplina.fi*, True -*.discofoodstore.co.uk*, True -*.disconnected.tk*, True -*.disconzi.com.br*, True -*.discordial.com*, True -*.discountbankruptcylaw.net*, True -*.discountbankruptcylaw.org*, True -*.discountbooking.ml*, True -*.discountcenter.ru*, True -*.discountedbankruptcy.com*, True -*.discountguitarwarehouse.com*, True -*.discount-kamagra.com*, True -*.discountmarineequipment.asia*, True -*.discountmarineequipment.co.nz*, True -*.discountmarineequipment.info*, True -*.discountmarineequipment.net.nz*, True -*.discountmarineequipment.nz*, True -*.discount-marine-supplies.asia*, True -*.discount-marine-supplies.co.nz*, True -*.discountmarinesupplies.co.nz*, True -*.discount-marine-supplies.info*, True -*.discountmarinesupplies.info*, True -*.discount-marine-supplies.net.nz*, True -*.discountmarinesupplies.net.nz*, True -*.discount-marine-supplies.nz*, True -*.discountmarinesupplies.nz*, True -*.discountmedicalmart.com*, True -*.discourse.ir*, True -*.discoveredattack.com*, True -*.discovergdn.net*, True -*.discovermezcal.com*, True -*.discover.pl*, True -*.discoverum.com*, True -*.discservices.com*, True -*.disdikbud-papua.net*, True -*.disdikdki.info*, True -*.diseara.net*, True -*.diseci-volcin.si*, True -*.dise.com.mx*, True -*.diselec.com.ar*, True -*.disenomx.com*, True -*.disenoyproyectoscangas.cl*, True -*.disenrec.com*, True -*.disfracesparaadultos.cl*, True -*.disfusional.com*, True -*.disherbush.com*, True -*.dishidros.go.id*, True -*.dishpower.net*, True -*.dishubkominfopinrang.org*, True -*.dishut-jabar.go.id*, True -*.disia.org*, True -*.disiniaja.net*, True -*.disisleri.com*, True -*.diskblog.com*, True -*.dislexsick.com*, True -*.dislike.cf*, True -*.dislike.ga*, True -*.dislocationfracture.com*, True -*.disloyalconsumer.com*, True -*.dismarcor.com*, True -*.dismax.com.ve*, True -*.dismet.com.ar*, True -*.disneycruzeiros.com.br*, True -*.disneydev.com*, True -*.di-solutions.net*, True -*.disowned.org*, True -*.dispendasby.web.id*, True -*.dispersion-services.net*, True -*.dispoelec.com.ar*, True -*.dissembled.org*, True -*.dissoi.com*, True -*.distaff.com.au*, True -*.distanceone.com*, True -*.distantinstant.com*, True -*.distantshade.com*, True -*.distecgroup.cl*, True -*.distelfaro.com.ar*, True -*.distinctresources.com*, True -*.distlac.com*, True -*.distmahcorp.com*, True -*.distor.co*, True -*.distorsionfm.cl*, True -*.distortedandroid.org*, True -*.distortedcore.com*, True -*.distran.cl*, True -*.distressler.com*, True -*.distribucion412.com*, True -*.distribucionespa.com*, True -*.distribucionessoto.com*, True -*.distribuidoraleia.com.br*, True -*.distribuidoralospicasos.com*, True -*.distribuidoramadsen.com*, True -*.distribuidora-ronor.com.ar*, True -*.distribuidorasary.com*, True -*.distribuidoratwinscorp.com*, True -*.distribuidorawms.cl*, True -*.distributiondude.ca*, True -*.distributiondude.com*, True -*.distributoralatteknik.com*, True -*.distributorbahankimia.com*, True -*.distributorbajabesi.com*, True -*.distributorbalonudara.com*, True -*.distributorbesibaja.com*, True -*.distributorbongkahanbatu.com*, True -*.distributorbronjongkawat.com*, True -*.distributorcableties.com*, True -*.distributorcompressorac.com*, True -*.distributorfirealarm.com*, True -*.distributorfreonac.com*, True -*.distributorhager.com*, True -*.distributorinverter.co.id*, True -*.distributorkompresor.com*, True -*.distributorlampustrobo.com*, True -*.distributorlem.com*, True -*.distributormesinlas.com*, True -*.distributormosaic.com*, True -*.distributorpemadamapi.com*, True -*.distributorphilips.com*, True -*.distributorpipabesi.com*, True -*.distributorpipa.com*, True -*.distributorselang-connectors.com*, True -*.distributorselangconnectors.com*, True -*.distributorsocomec.com*, True -*.distributorsticker.com*, True -*.distributortendaterpal.com*, True -*.distributorterpal.com*, True -*.distributorthermocouple.com*, True -*.distributortrafo.com*, True -*.distributorups.com*, True -*.distributorvisalux.com*, True -*.districampo.com.ar*, True -*.districolor.com.ar*, True -*.district6wa.org*, True -*.district8wa.org*, True -*.districtwhite.com*, True -*.districtwhite.ro*, True -*.distrito2zona4.com.ar*, True -*.distrito3zona22.com.ar*, True -*.distritoaventura.cl*, True -*.distr.nl*, True -*.distro-card.com.ar*, True -*.distrocuyo1.com.ar*, True -*.distrogaz.com.ar*, True -*.disttranssrl.com.ar*, True -*.ditatap.com*, True -*.ditautama.com*, True -*.ditchgreen.com*, True -*.ditchgreen.co.uk*, True -*.ditconsultores.com.ve*, True -*.ditek.com.ar*, True -*.ditentec.com.ar*, True -*.dithbanjong.com*, True -*.ditnavpen.ga*, True -*.ditnhau.biz*, True -*.ditommaso.com.ar*, True -*.dittabongiovanni.it*, True -*.dittmer.cc*, True -*.diu.li*, True -*.div17.com*, True -*.divad.ga*, True -*.divadlolienka.sk*, True -*.divagatec.ml*, True -*.divakeramika.com*, True -*.divaniundivani.lv*, True -*.diva-star.ro*, True -*.divasystrar.se*, True -*.di-ve.com.ar*, True -*.divequest.net*, True -*.diverbob.com*, True -*.diverdarryl.net*, True -*.diverdarryl.org*, True -*.diverdown.cc*, True -*.divergenty.com*, True -*.diversityrandc.com*, True -*.divertednetworks.net*, True -*.divertednetworks.org*, True -*.divertisment-online.ro*, True -*.divethegreatlakes.com*, True -*.dividerrounder.com.au*, True -*.divinedivaskincare.com*, True -*.divinepropertysearch.com*, True -*.divinity-garden.com*, True -*.divipass.com.br*, True -*.divisionsoft.com.ar*, True -*.divmaxcarriers.co.za*, True -*.divort.ro*, True -*.divpassvaletransporte.com.br*, True -*.divrent.ch*, True -*.divvad.com*, True -*.divvyboard.com*, True -*.divx.se*, True -*.divya.com.np*, True -*.divzero.com.au*, True -*.dixero.de*, True -*.dixero.si*, True -*.dixieway.com*, True -*.dixo.net*, True -*.dixonweather.com*, True -*.dixxl.com*, True -*.diyabet.org*, True -*.diyboyz.com*, True -*.diydevicecloud.net*, True -*.diydrones.co.za*, True -*.diyillustrated.com*, True -*.diyon33.tk*, True -*.diyplans.org*, True -*.diyprojector.com*, True -*.diypropertytaxreduction.com*, True -*.diystorage.co.za*, True -*.dizbadx.org*, True -*.dizdiaz.com.ar*, True -*.dizius.ch*, True -*.dizposabletoolz.com*, True -*.diztinta.cl*, True -*.dizzyewok.com*, True -*.dizzytopia.com*, True -*.djakinta.tk*, True -*.djalma.blog.br*, True -*.djam.biz*, True -*.djamireh.com*, True -*.django.cf*, True -*.djaphia.com.br*, True -*.djarumjam.asia*, True -*.djarvi.com*, True -*.djatb.co.uk*, True -*.djaudio.co.id*, True -*.djavi.com*, True -*.djbinhex.com*, True -*.djboekendjhuren.nl*, True -*.djbomba.one.pl*, True -*.djbot.tk*, True -*.dj-bug.com*, True -*.djchriss.ro*, True -*.djclaudiopere.com.br*, True -*.dj-connections.com*, True -*.djcostelionescu.ro*, True -*.djdamon.com*, True -*.dj-dancefloor.com*, True -*.dj-dancefloor.de*, True -*.djdanger.eu*, True -*.djdangermouse.com*, True -*.dj-danger.tk*, True -*.djdavidguadagno.tk*, True -*.djdiegotorres.com.br*, True -*.djean.co.uk*, True -*.djedmonds.net*, True -*.djflopa.ro*, True -*.dj-gantarro.de*, True -*.djgrant.ca*, True -*.djie.st*, True -*.djiki.info*, True -*.djilko.eu*, True -*.djitoe.co.id*, True -*.dj-jero.ch*, True -*.djjewllers.com*, True -*.djkljee.com*, True -*.djknight247.com*, True -*.djkootan.com*, True -*.djkrisskii.com*, True -*.djkrisskii.net*, True -*.dj-land.ch*, True -*.djlb.net*, True -*.djlicker.tk*, True -*.djlpcrepair.com*, True -*.djmajoratoradea.ro*, True -*.djmarchant.cl*, True -*.djmasha.com*, True -*.djmgroup.com.my*, True -*.djmusic.ro*, True -*.djnbh.com*, True -*.djneo.eu*, True -*.djnuntaoradea.ro*, True -*.djonate.ml*, True -*.djovidiu.ro*, True -*.djpalmer.info*, True -*.djplasma.ch*, True -*.djp-metulj.org*, True -*.djrepeat.net*, True -*.djrichiep.com*, True -*.djrich.ru*, True -*.djroberthorvat.ro*, True -*.djsbx.com*, True -*.djscrew.org*, True -*.djshouse.com*, True -*.djsthr.ro*, True -*.djstudio.com.ar*, True -*.djtiez.co*, True -*.djtommy.com*, True -*.djtru.eu*, True -*.djtsylvester.com*, True -*.d-jumper.com*, True -*.djvanny.co.uk*, True -*.djvc.net*, True -*.djy.us*, True -*.dk714.net*, True -*.dka.co.za*, True -*.dkakd.us*, True -*.dkarduck.com*, True -*.dkc.com.np*, True -*.dk-condos.com*, True -*.dkcondos.com*, True -*.dkdgucbirligi.com*, True -*.dketapangchalet.com.my*, True -*.dkfranchise.com*, True -*.dkinfotech.net*, True -*.dkiyatkin.com*, True -*.dkk55.com*, True -*.dkk77.com*, True -*.dkk88.com*, True -*.dkk99.com*, True -*.dkmbelawan.com*, True -*.dkmini.com*, True -*.dkonstantinakis.gr*, True -*.dkostov.com*, True -*.dkportal.com*, True -*.dkportal.net*, True -*.dkportal.org*, True -*.dksolutions.cl*, True -*.dk-stores.com*, True -*.dk-toys.com*, True -*.dkvm.com.ar*, True -*.dk-wholesale.com*, True -*.dkwlihwpdidhiwdb249024hiods.org*, True -*.dl4t.com*, True -*.dlbit.tk*, True -*.dlc-team.com*, True -*.dlda.de*, True -*.dldx.org*, True -*.dleon.cl*, True -*.dler.org*, True -*.dlfd.eu*, True -*.dlfree.co*, True -*.dlfudine.it*, True -*.dlhines.net*, True -*.dlhost.ro*, True -*.dlingenieria.com.ar*, True -*.dljtt.com*, True -*.dljurek.com*, True -*.dlk.co.za*, True -*.dlmusic.co*, True -*.dlmusik.info*, True -*.d-loads.com*, True -*.dlphnvg.org*, True -*.dlsconsulting.info*, True -*.dlugosza25a.pl*, True -*.dluzite.cz*, True -*.dlvan.com.ar*, True -*.dlvoye.net*, True -*.dlxlighting.com*, True -*.dlya-noutbuka.com*, True -*.dlyoutube.net*, True -*.dlzz.net*, True -*.dm4.tw*, True -*.dmadblog.ga*, True -*.dmanet.co.id*, True -*.dmarkdata.com*, True -*.dmarkdata.net*, True -*.dmarket.co.il*, True -*.dmas.com.au*, True -*.dmasino.net*, True -*.dmasmas.com.ar*, True -*.dmasterpiece.us*, True -*.dmazzola.com*, True -*.dmb.hk*, True -*.dm-ca.com*, True -*.dmcchile.cl*, True -*.dmcomforthome.com.au*, True -*.dmdcompresores.com*, True -*.dmd-compresores.com.ar*, True -*.dmdistribution.net*, True -*.dmdsubs.me*, True -*.dmed.jp*, True -*.dmengineers.com*, True -*.dmequebec.ca*, True -*.dmequebec.com*, True -*.dmequebec.net*, True -*.dmfg.co.il*, True -*.dmfotografiacursos.com.ar*, True -*.dmgconsulting.com.au*, True -*.dmgi.com.ar*, True -*.dmhn.org*, True -*.dmitrowski.pl*, True -*.dmitrychaschin.ru*, True -*.dmitryserbin.com*, True -*.dmky.org*, True -*.dmmachinery.com*, True -*.dmmachinery.com.au*, True -*.dmnova.com*, True -*.dmoadab.com*, True -*.dmoh.ru*, True -*.dmoj.tk*, True -*.dmonga.com*, True -*.dmonik.com*, True -*.dmoraetes.com*, True -*.dmpordemas.com*, True -*.dmprint.ch*, True -*.dmsa.com.ar*, True -*.dm-sch04.ru*, True -*.dm-sch09.org.ru*, True -*.dm-survey.at*, True -*.dmt-crm.ro*, True -*.dmt-planner.ro*, True -*.dmtr.ru*, True -*.dmunn.us*, True -*.dmunoz.cl*, True -*.dmwinternational.com*, True -*.dm-z.ru*, True -*.dmz.se*, True -*.dmzup.ru*, True -*.dnadish.com*, True -*.dnagenealogy.org*, True -*.dna-media.com.mx*, True -*.dnarts.ch*, True -*.dnasystems.com.br*, True -*.dna-uutiset.fi*, True -*.dnba.ru*, True -*.dnchaudhary.com.np*, True -*.dn-co.net*, True -*.dndestudio.com*, True -*.dndestudio.tv*, True -*.dndom.ru*, True -*.dndshop.com.my*, True -*.dndsxm.com*, True -*.dndutilities.com*, True -*.dndutilities.info*, True -*.dneprodzerzhinsk.ru*, True -*.dneprorudnoe.ru*, True -*.dnet.hu*, True -*.dnetto.com.br*, True -*.dnet.tw*, True -*.dnetwork.ro*, True -*.dngcatering.com*, True -*.dnix.ch*, True -*.dnky.eu*, True -*.dnmcoffman.com*, True -*.dnnstack.com*, True -*.dns1.one.pl*, True -*.dnsalias.tk*, True -*.dnsbox.tk*, True -*.dnschk.info*, True -*.dnscraft.tk*, True -*.dnsd.ir*, True -*.dns-for-kore.ga*, True -*.d-ns.ga*, True -*.d-ns.gq*, True -*.dns-ip.org*, True -*.dnslibre.com.ar*, True -*.dnsmirror.org*, True -*.d-ns.ml*, True -*.d-n-s.name*, True -*.dnsnow.org*, True -*.dnsnz.com*, True -*.d-n-s.org.uk*, True -*.dnsreverso.cf*, True -*.dnsreverso.ga*, True -*.dnsromney.net.br*, True -*.dnsrouter.nl*, True -*.dnsserver.hk*, True -*.d-ns.tk*, True -*.dntec.com.mx*, True -*.dnvapor.com*, True -*.dnvgl.ro*, True -*.dnw66.com*, True -*.dnw77.com*, True -*.dnw87.com*, True -*.dnztfueguina.com.ar*, True -*.doan-consulting.com*, True -*.doanlong.com*, True -*.dobarao.com.br*, True -*.dobbels.com*, True -*.dobb.info*, True -*.dobbster.info*, True -*.dobb.us*, True -*.dobelis.com*, True -*.dob.jp*, True -*.doblecero.com.ar*, True -*.dobluone.com*, True -*.dobregierki.pl*, True -*.dobrianka.ru*, True -*.doc13.ru*, True -*.docdb.org*, True -*.docdrhaluksargin.com*, True -*.doceideiabrownies.com*, True -*.doceideiabrownies.com.br*, True -*.docentpartner.com*, True -*.docentsupport.com*, True -*.docest.ru*, True -*.docevale.com*, True -*.docfly.eu*, True -*.dochoitreem.biz*, True -*.dochoiusb.net*, True -*.docin60.com*, True -*.docinhosdavoolivia.com*, True -*.docinhosdavoolivia.tk*, True -*.doc-jack-daniel.de*, True -*.docklander.com*, True -*.docklander.net*, True -*.dockl.com*, True -*.dockstore.pl*, True -*.docloud.me*, True -*.docmail.co.uk*, True -*.docmedez.com*, True -*.doc-network.com*, True -*.docomo.hk*, True -*.docotel.co.id*, True -*.docseg.com.ar*, True -*.docsgourmet.com*, True -*.docshades.cf*, True -*.docteurvuillemin.ch*, True -*.doctor411.net*, True -*.doctoragoston.ro*, True -*.doctora-khv.ru*, True -*.doctorautomotive.com*, True -*.doctorazambuya.com*, True -*.doctorcecilioacosta.com.ve*, True -*.doctor-doc.org*, True -*.doctorfetch.com*, True -*.doctorforcada.com*, True -*.doctorhart.com*, True -*.doctorholland.com*, True -*.doctoriglesias.com.ar*, True -*.doctorjoseazambuya.com*, True -*.doctorofaircond.com*, True -*.doctor-oleinik.ru*, True -*.doctorpcni.com*, True -*.doctorpecec.ro*, True -*.doctorslab.pk*, True -*.doctorwhochile.cl*, True -*.docucax.com.ar*, True -*.documentoseguro.com.ar*, True -*.documentosseguros.com.ar*, True -*.docuonline.com.ar*, True -*.docuprint.com.ar*, True -*.docuvida.com*, True -*.doddyamiruddin.com*, True -*.dodgeball-catwoman.si*, True -*.dodgedeltejar.com.ar*, True -*.dodgesquare.com*, True -*.dodgevillevet.net*, True -*.dodmonster.com*, True -*.dodocomics.ch*, True -*.dodo.my.id*, True -*.dodrone.com.br*, True -*.doe-online.com*, True -*.doep.co.za*, True -*.doerendahl.ch*, True -*.doesnotsuck.me*, True -*.dof-it.com*, True -*.doftner.com*, True -*.dogaja.info*, True -*.dogalilaclar.net*, True -*.dog-almighty.co.uk*, True -*.dogarmour.com.au*, True -*.dog-bos.com*, True -*.dogbus.org*, True -*.dogdammit.com*, True -*.dogdictionary.net*, True -*.dogebit.ga*, True -*.dogeos.org*, True -*.dogforce.ru*, True -*.doggabone.com*, True -*.doggonerunning.com*, True -*.doggybiz.pw*, True -*.doggyties.com*, True -*.doghel.com.ar*, True -*.dogin.su*, True -*.dog-lte.com*, True -*.dogma-defenseofgaymarriageact.com*, True -*.dogmatic-podcast.info*, True -*.dogmatics.co.za*, True -*.dogonfire.com*, True -*.dogoodnik.net*, True -*.dogovor-vsem.ru*, True -*.dogra.ro*, True -*.dogrusoz.net*, True -*.dogrusoztelefon.com*, True -*.dogrusoz.web.tr*, True -*.dogs-guy.co.il*, True -*.dogshotel.tw*, True -*.dogsinmotion-berlin.de*, True -*.dogsinmotion-bruehl.de*, True -*.dogsoldierclan.net*, True -*.dog-t.co.il*, True -*.dogwalkersnewcastle.com.au*, True -*.dogwatchguild.com*, True -*.dogwoodoutreach.com*, True -*.dogwoodoutreach.org*, True -*.dogyball.tw*, True -*.dohop.tw*, True -*.doi5.tk*, True -*.doibarbatisiuncamion.ro*, True -*.doimek.com*, True -*.doinaleahu.com*, True -*.doinsoftware.com*, True -*.doit.cl*, True -*.doitdaily.ca*, True -*.doityourselfbooks.com.au*, True -*.doityourselfpropertytaxreduction.com*, True -*.dojinanime.com*, True -*.dojo.cf*, True -*.dojocroata.com*, True -*.dojolabs.com*, True -*.dojo-studios.com*, True -*.dokabuild.com*, True -*.dokgo08.com*, True -*.dokia.ro*, True -*.dokombobor.co*, True -*.dokomkolos.co*, True -*.dokommokot.co*, True -*.dokomtolos.co*, True -*.dokterjudi.com*, True -*.dokterlaptopkediri.com*, True -*.doktermahler.tk*, True -*.dokterterbang.com*, True -*.doktor.tc*, True -*.doku4you.net*, True -*.dokuboard.com*, True -*.dokuchaev.com*, True -*.dokuwiki.co.za*, True -*.dokvatej.cf*, True -*.dol82.net*, True -*.dolanhanson.com*, True -*.dolan.net.au*, True -*.dolatto.com.br*, True -*.dolbaeby.ru*, True -*.dolcearoma.com.ar*, True -*.dolcecasa.ch*, True -*.dolcefood.cl*, True -*.dolcenails.ro*, True -*.dolcesport-live.eu*, True -*.dolcestudio.ro*, True -*.dolha.in*, True -*.dolinogs.cf*, True -*.doliversilva.com.br*, True -*.dolkin.com.ar*, True -*.dollaradwordsscripts.com*, True -*.dollarfurado.mus.br*, True -*.dollarplace.biz*, True -*.dollyproperties.com*, True -*.dolot24h.com*, True -*.dolphinbox.net*, True -*.dolphiniumblues.com.au*, True -*.doly.com.pe*, True -*.dom41.com*, True -*.domace.si*, True -*.domain19.tk*, True -*.domaindo.co*, True -*.domaineaupointdujour.ch*, True -*.domaineleverney.ch*, True -*.domainfo.pw*, True -*.domaingratisan.tk*, True -*.domainlease.co.za*, True -*.domain-name-registration.co.za*, True -*.domainrate.net*, True -*.domains247.co.za*, True -*.domains360.co.za*, True -*.domains365.co.za*, True -*.domains48.net*, True -*.domainservicesforfree.tk*, True -*.domains-transfer.com*, True -*.domaintldmurah.biz*, True -*.domaintldmurah.com*, True -*.domaintldmurah.info*, True -*.domaintldmurah.net*, True -*.domaintldmurah.org*, True -*.domainvnd.com*, True -*.domainwhois.ru*, True -*.domain-whore.com*, True -*.domainzomg.com*, True -*.domar.net*, True -*.domashniykinoteatr.ru*, True -*.dombezzabot.com*, True -*.dombezzabot.ru*, True -*.dombold.com*, True -*.domeclassic.org*, True -*.domehome.tk*, True -*.domeintotaal.com*, True -*.domen23.com*, True -*.domenfirst.com*, True -*.domengolja1.tk*, True -*.domeniilestanescu.ro*, True -*.domenii-ro.biz*, True -*.domestic-violence-tests.com*, True -*.domfutrzakow.pl*, True -*.domiciliossinfronteras.com*, True -*.dom-ikri.com*, True -*.domin8.co.uk*, True -*.dominanthamsters.info*, True -*.dominat0r.eu*, True -*.domine.ga*, True -*.domine.tk*, True -*.dominican.com*, True -*.dominicarmen.com*, True -*.dominieshoek.com*, True -*.dominikhofer.ch*, True -*.dominikruettimann.ch*, True -*.dominikschoeni.ch*, True -*.dominodio.com*, True -*.domino.web.ve*, True -*.domiveto.ch*, True -*.domkantri.ru*, True -*.domlab.org*, True -*.dom-me.kz*, True -*.domme.kz*, True -*.dom-mi.kz*, True -*.dommi.kz*, True -*.dommus.cl*, True -*.dom.my*, True -*.domnanoch.ru*, True -*.domn.net*, True -*.domnugoe.ro*, True -*.domnuliso.ro*, True -*.domodent.ro*, True -*.domominecraft.org*, True -*.domoset.tk*, True -*.domossa.com.ar*, True -*.domot.cl*, True -*.domoticapanama.com*, True -*.domservices.cl*, True -*.domstroykomplekt.ru*, True -*.dom-sveta-rozalija.hr*, True -*.domswoodgoods.cf*, True -*.domswoodgoods.gq*, True -*.domswoodgoods.ml*, True -*.domswoodgoods.tk*, True -*.domusblog.org*, True -*.domuscalendars.org*, True -*.domuskids.com*, True -*.domusschools.org*, True -*.dom-vann.ru*, True -*.domyapp.ru*, True -*.donaalfian.com*, True -*.donaarquitetura.com.br*, True -*.donabranca.org*, True -*.donacarola.cl*, True -*.donaephigenia.com.br*, True -*.donaffc.com*, True -*.donahuesolutions.com*, True -*.donaignaciapa.cl*, True -*.donaldseher.com*, True -*.donaldsonrealestate.com.au*, True -*.donarsi.org*, True -*.donatas.com*, True -*.donate-esports.pw*, True -*.donatingfornepal.com*, True -*.do-nation.us*, True -*.donavia.org*, True -*.donavonbuchanan.com*, True -*.donbarbarroja.cl*, True -*.donbartolo.cl*, True -*.donbot.net*, True -*.donboton.com.ar*, True -*.donbrocker.com*, True -*.donbrocker.net*, True -*.donbrown.ca*, True -*.doncarlos.cl*, True -*.dondakeeee.org*, True -*.dondatos.cl*, True -*.dondatos.com*, True -*.dondeestaelbus.cl*, True -*.doneit.ro*, True -*.donek.info*, True -*.doneritebookkeeping.ca*, True -*.donesk.ru*, True -*.donfro.com*, True -*.donfroylvania.com*, True -*.dongbao-o.com*, True -*.dongdongsaid.net*, True -*.donghoplaza.com*, True -*.donghuongbacgiang.com*, True -*.donglud.tk*, True -*.dongpeople.org*, True -*.dongsin.me*, True -*.dongtopia.com*, True -*.dongxuled.com*, True -*.dongyilighting.com*, True -*.dongzeyuan.com*, True -*.donhaddock.com*, True -*.donholly.com*, True -*.donhoo.com*, True -*.donhoo.info*, True -*.donhoo.org*, True -*.donhuey.com*, True -*.doniedonie.com.br*, True -*.doniie-permana.com*, True -*.donis.md*, True -*.donkellyoutdoors.com*, True -*.donkeyhot.net*, True -*.donkoldun.com*, True -*.donlafferty.net*, True -*.donlafferty.org*, True -*.donmcphee.com*, True -*.donmiguelbar.ch*, True -*.donmills.tk*, True -*.donnabaltera.com*, True -*.donnablog.ro*, True -*.donna-lita.ru*, True -*.donnapoleon.com.ar*, True -*.donnaspa.net*, True -*.donneb.co*, True -*.donned.org*, True -*.donnellyclan.org*, True -*.donnotec.com*, True -*.donostiltm.es*, True -*.donothing.ga*, True -*.donotleaveblank.com*, True -*.donou.ro*, True -*.donovanhughes.com*, True -*.donovanviolin.com*, True -*.donpelayo.org*, True -*.donpituto.cl*, True -*.donsapo.net*, True -*.dontaeharris.com*, True -*.dont-be-evil-genius.com*, True -*.dontbefugly.com*, True -*.dontbefugly.net*, True -*.dontbefugly.org*, True -*.dontgivemegrief.com*, True -*.dontlove.gq*, True -*.dontlove.us*, True -*.dontmess.com*, True -*.don.to*, True -*.donuthype.tk*, True -*.donvogler.com*, True -*.donwaimarket.com*, True -*.donwestacottonline.com*, True -*.dony.co*, True -*.doobee.ca*, True -*.doobi.co.il*, True -*.doobloobl.com*, True -*.doodlemushi.com*, True -*.doodlesthepartyclown.com*, True -*.dooggy.ru*, True -*.dookiemonster.com*, True -*.doomedantcolonies.net*, True -*.doomed.cf*, True -*.doomsday.cl*, True -*.doomstuff.com*, True -*.doopler.com.ar*, True -*.dooplermag.com*, True -*.door.ee*, True -*.doorintosummer.ru*, True -*.door.ml*, True -*.doornberg.co.za*, True -*.doors.com.ar*, True -*.doorsglobe.com*, True -*.doorsnknobs.net*, True -*.doosom.com*, True -*.dooster.ro*, True -*.doozersden.com*, True -*.dope.fi*, True -*.dopegraph.com.ve*, True -*.dopestyles.ch*, True -*.dops-ppob.com*, True -*.dop-uri.ro*, True -*.doqk.ml*, True -*.dora77.com*, True -*.doraemon.ninja*, True -*.dorakitap.com*, True -*.dorange.info*, True -*.doremusiclessons.com*, True -*.dorffaescht-dielsdorf.ch*, True -*.dorffhome.com*, True -*.dorfgarage-ledergerber.ch*, True -*.dorholtconstruction.com*, True -*.dorifuto.ru*, True -*.dori.in*, True -*.dorimed-serv.ro*, True -*.dorine.info*, True -*.dori.ro*, True -*.doris-clearance.com*, True -*.doris-ind.com*, True -*.doris-safety.com*, True -*.doris-spa.ch*, True -*.doriswel.com*, True -*.dorivanmaia.com.br*, True -*.dorizo.com*, True -*.dorjan.si*, True -*.dorkchatter.com*, True -*.dorks.co*, True -*.dorma88.com*, True -*.dormashimport.com*, True -*.dormashimport.pro*, True -*.dormashimport.ru*, True -*.dormashimport.su*, True -*.dormirdecabeza.cl*, True -*.dorn-bader.ch*, True -*.dornercespedes.cl*, True -*.doronbc.com*, True -*.doronbrenner.com*, True -*.dorrus-net.pl*, True -*.dorsetphonesystems.com*, True -*.dorthel.com*, True -*.doruktayim.com*, True -*.doruktayim.net*, True -*.dorumihai.ro*, True -*.dosaaf-novo.ru*, True -*.dosam-agropecuaria.com.ar*, True -*.doscomp.co.za*, True -*.dose.io*, True -*.dosemedia.com*, True -*.doskapola.com*, True -*.doskapozora.com*, True -*.doskynet.com*, True -*.dosossos.com*, True -*.dosprompt.us*, True -*.dossantosmaconnerie.ch*, True -*.dosticorn.ml*, True -*.dostigaj.ru*, True -*.dosti.ml*, True -*.dostiwap.ml*, True -*.dostor.kg*, True -*.do-style.com*, True -*.dosug-nl.ru*, True -*.dosurveys.tk*, True -*.dot2.com.br*, True -*.dota2events.ro*, True -*.dota2vn.net*, True -*.dotacjezue.pl*, True -*.dota.id.lv*, True -*.dotatdot.net*, True -*.dotbot.us*, True -*.dotbox.ga*, True -*.dotcircle.co*, True -*.dotcomindia.com*, True -*.dotdotbeauty.com*, True -*.dotech.com.br*, True -*.dothecreep.org*, True -*.doths.com.ar*, True -*.dotid.ml*, True -*.dotisio.com*, True -*.dotix.me*, True -*.dot-kernel.com*, True -*.dotlab.com.ar*, True -*.dotnet.gr*, True -*.dotnetrocks.co.uk*, True -*.dotoz.com.au*, True -*.dotpeenator.com*, True -*.dotric.com.au*, True -*.dotslash.ca*, True -*.dotsomething.nl*, True -*.dotspoint.com*, True -*.dotsysteme.com*, True -*.dotsystems.net*, True -*.dotterian.ru*, True -*.dottlebot.com*, True -*.dotu.info*, True -*.dotwu.net*, True -*.doubleaint.com*, True -*.doubleblack.ca*, True -*.doubleblackout.com*, True -*.doublechins.ca*, True -*.doubled1979.com*, True -*.doublediskfailure.com*, True -*.doublekits.tk*, True -*.doublemomentum.com*, True -*.double.one.pl*, True -*.doubtyourlimits.com*, True -*.doucheoftheweek.com*, True -*.douda64.com*, True -*.dougauerbach.net*, True -*.dougbevan.com*, True -*.dougbevan.net*, True -*.dougclink.com*, True -*.douglasbubbletrousers.com*, True -*.douglasclan.ca*, True -*.douglashurst.ca*, True -*.douglaslander.com*, True -*.douglaslander.co.uk*, True -*.dougsheffer.com*, True -*.dougslaterfamily.com*, True -*.dougtreadwell.com*, True -*.dougwroberts.com*, True -*.dougwroberts.co.uk*, True -*.doupovec.cz*, True -*.dourus.eu*, True -*.doushiliren.com*, True -*.doust.net.au*, True -*.doutaz-fils.ch*, True -*.doutoresdaagua.com.br*, True -*.doutoresdagua.com.br*, True -*.doverly.com*, True -*.dovetail-dezign.com*, True -*.doviet.net*, True -*.dov-machinery.be*, True -*.dowgo.tw*, True -*.dowlingsonline.com*, True -*.downfile.cf*, True -*.downfile.ga*, True -*.downforce.ca*, True -*.downlinkmusic.com*, True -*.downlink.us*, True -*.downloadall.asia*, True -*.download-butler.ru*, True -*.download-cs16.biz*, True -*.download-cs16.eu*, True -*.downloadcs.eu*, True -*.downloades.ru*, True -*.downloadfilmbaru.web.id*, True -*.downloadfilms.ru*, True -*.downloadhere.asia*, True -*.downloadju.ga*, True -*.downloadlagump3terbaru.tk*, True -*.downloadlaguw.com*, True -*.download-moviefull.net*, True -*.downloadmovietoday.com*, True -*.downloadmp3baru.com*, True -*.downloadmusik.tk*, True -*.downloadsvideo.co*, True -*.downlod.co*, True -*.downperiscop.es*, True -*.downslam.com*, True -*.downsouthdave.com*, True -*.downspokerleague.com*, True -*.downstay.org*, True -*.downthehall.net*, True -*.downthestreet.co.uk*, True -*.downtimepatrol.org*, True -*.downtownatlanta.org*, True -*.downtube.biz*, True -*.downtube.cf*, True -*.downundertruckin.com*, True -*.dowork.co*, True -*.doxem.ml*, True -*.doxicobol.com.br*, True -*.doxillion.com*, True -*.doxma.com*, True -*.doxmit.com*, True -*.doxuaphuocsang.com*, True -*.doxuert.cf*, True -*.doy61.ru*, True -*.doylestownmidwifery.com*, True -*.doyletrinh.com*, True -*.doyourownpayroll.com*, True -*.dozainer.com*, True -*.dozd.eu*, True -*.dozleng.com*, True -*.dozodouzo.tk*, True -*.dp76.com*, True -*.dpaa.cl*, True -*.dpacsd68.ca*, True -*.dpa-taiwan.com*, True -*.dpcolorado.com*, True -*.dpdenton.com*, True -*.dpdev.tk*, True -*.dpdonahue.com*, True -*.dpglawyer.com*, True -*.d-photo.ro*, True -*.dpidgeon.net*, True -*.dpktjf.co.uk*, True -*.dpmterraria.com*, True -*.dpohvar.ru*, True -*.dpos.tk*, True -*.dpproduccion.com.ar*, True -*.dpp.si*, True -*.dprdsulsel.go.id*, True -*.dpsecurity.net*, True -*.dpshop.net*, True -*.dpswydminy.pl*, True -*.dptalchascomus.com.ar*, True -*.dptech.ch*, True -*.dptosavellaneda.com.ar*, True -*.dptr1988.com*, True -*.dpwise.com*, True -*.dquevillon.tk*, True -*.dquick.id.au*, True -*.dr0gs.tk*, True -*.dr0n.ru*, True -*.dr-7ball.com*, True -*.dr8.org*, True -*.draa.cl*, True -*.draalvarez.com.ar*, True -*.drabasablog.net*, True -*.dracarolpileggi.com.br*, True -*.dracula.ninja*, True -*.draculastore.in*, True -*.draculastory.info*, True -*.dradistribution.com*, True -*.draex.ca*, True -*.dr-afshinmajd.ir*, True -*.draftingservices.net.au*, True -*.draftingwest.com.au*, True -*.drafzalian.com*, True -*.drafzalian.ir*, True -*.drag0n.org*, True -*.draganovhouse.eu*, True -*.draghicioiu.ro*, True -*.dragmywords.com*, True -*.dragoesdoringue.com.br*, True -*.dragonauth.me*, True -*.dragonauth.net*, True -*.dragonballfc.com*, True -*.dragonbyte.eu*, True -*.dragonbyte.info*, True -*.dragonbyte.me*, True -*.dragoncall.me*, True -*.dragonchat.me*, True -*.dragondejade.com.ar*, True -*.dragondorks.org*, True -*.dragondraw.me*, True -*.dragonfanclub.tk*, True -*.dragonfirecs.net*, True -*.dragonfirelink.com*, True -*.dragonfiretsd.com*, True -*.dragonfli.org*, True -*.dragongame.me*, True -*.dragongracechina.com*, True -*.dragongracechina.hk*, True -*.dragongrace.com*, True -*.dragongrace.hk*, True -*.dragonhax.com*, True -*.dragonhide.me*, True -*.dragon.lc*, True -*.dragon.li*, True -*.dragonmc.net*, True -*.dragonnet.ga*, True -*.dragonplay.me*, True -*.dragonrealm.in*, True -*.dragonsandmithral.com*, True -*.dragons.ml*, True -*.dragonvenom.net*, True -*.dragonwing.us*, True -*.dragonxdev.tk*, True -*.dragosburcea.ro*, True -*.dragosciobanu.ro*, True -*.dragos.co.uk*, True -*.dragosiordan.ro*, True -*.dragosrusu.ro*, True -*.dragos-sile.ro*, True -*.dragos-stefanescu.ro*, True -*.dragostanasie.ro*, True -*.dragostecurata.ro*, True -*.dragostepentruadevar.ro*, True -*.dragota.ro*, True -*.dragrecords.com*, True -*.dragrecords.com.au*, True -*.drahohouse.info*, True -*.draintube.com*, True -*.drainzdarebel.com*, True -*.draiveda.lt*, True -*.draketech.us*, True -*.dramakorea.asia*, True -*.dramaku.net*, True -*.drama.tw*, True -*.dram.net.au*, True -*.dramontes.com.ar*, True -*.dram.org.au*, True -*.drangola.com*, True -*.draotth.com*, True -*.drapatriciavaranda.com.br*, True -*.drasa.eu*, True -*.drasner.com*, True -*.draugai.one.pl*, True -*.draughtsman.info*, True -*.drautomotive.com*, True -*.drawcans.com*, True -*.drawingtable.net*, True -*.draymorephotos.com*, True -*.drazambuya.com*, True -*.drbacos.ro*, True -*.drbealschiropractor.com*, True -*.drbeat.li*, True -*.drbike.co.il*, True -*.drboleta.cl*, True -*.drbrown.com.au*, True -*.drbudro.com*, True -*.drc91.com*, True -*.drcafeine.com*, True -*.drcaramitru.ro*, True -*.drcherir.com*, True -*.drchevalier.ca*, True -*.drchips.org*, True -*.drchu86.com*, True -*.drcooke.co.uk*, True -*.drdanilychev.com*, True -*.drdao.adv.br*, True -*.drdhcpdemo.com*, True -*.drdrane.com*, True -*.dreadfort.com*, True -*.dreadloch.com*, True -*.dreadserver.com*, True -*.dreamaan.ir*, True -*.dream-box.com.ar*, True -*.dreamcash.ru*, True -*.dreamcreateliveit.com*, True -*.dreamea.com*, True -*.dreamfight.ml*, True -*.dreamincdesign.com*, True -*.dreamisle.ca*, True -*.dreamland.ca*, True -*.dreamland.fi*, True -*.dreamland.gq*, True -*.dreamland.im*, True -*.dreamlife.fi*, True -*.dream.org.il*, True -*.dream-publish.com*, True -*.dreamround.com*, True -*.dreams-base.de*, True -*.dreamsinweb.net*, True -*.dreamslondon.com*, True -*.dreamspacearchitects.in*, True -*.dreamteamlegacy.com*, True -*.dreamvision.ro*, True -*.dreamwe.com*, True -*.dreamy.ga*, True -*.dreamyworld.pt*, True -*.dreamza.com*, True -*.dreamz-watch.com*, True -*.drearfuzzball.com*, True -*.dredon.net*, True -*.dred.ru*, True -*.dreesen.ch*, True -*.dreggnmail.org*, True -*.dregus.net*, True -*.drehmer.com.au*, True -*.drenken.lu*, True -*.dresajcainivanatoare.ro*, True -*.drespalavecino.com.ar*, True -*.dresssabina.com*, True -*.dresstherapy.co.uk*, True -*.dret.la*, True -*.dreunoctem.com*, True -*.drevo.si*, True -*.drewandlyndsay.com*, True -*.drewc.ca*, True -*.drewfrank.com*, True -*.drewharms.com*, True -*.drewloomer.com*, True -*.drewmcphee.com.au*, True -*.drewrobb.com*, True -*.dreyers-den.com*, True -*.dreyfussandco.cn*, True -*.dreyfussandco.co.id*, True -*.dreyfussandco.hk*, True -*.dreyfussandco.ru*, True -*.drf.co.za*, True -*.drgarrido.cl*, True -*.drhandman.com*, True -*.drharry.info*, True -*.drhoreca.ru*, True -*.drhouse.cl*, True -*.driannini.com.br*, True -*.drianovska.tk*, True -*.dribbling.org*, True -*.driedger.org*, True -*.driehost.ga*, True -*.driftbottle.org*, True -*.driftfixtures.com*, True -*.drift-in.co.uk*, True -*.drifting.la*, True -*.drikadesign.com.br*, True -*.drink2shrink.co.za*, True -*.drink-biitch-drink.com*, True -*.drinkit.si*, True -*.drinkthebleach.com*, True -*.drinkthebleach.net*, True -*.drinkthewater.com.au*, True -*.drint.ru*, True -*.drivelab.net*, True -*.drivemarket.ru*, True -*.drivemyschool.org*, True -*.driverangles.com.au*, True -*.driverboxs.com*, True -*.drive.ro*, True -*.driverqualification.us*, True -*.driver-risk-inventory2.com*, True -*.drivet.ru*, True -*.drivingtestcheck.com*, True -*.drivvvle.net*, True -*.drizzt.ws*, True -*.drjacobs.ca*, True -*.drjenniferashby.com*, True -*.drjofre.com.ar*, True -*.drkabakian.com.ar*, True -*.drkbit.ro*, True -*.drkco.in*, True -*.drklo.co*, True -*.drk-mannheim-stadt.de*, True -*.drkpchung.com*, True -*.drkseema.com*, True -*.drlatulane.org*, True -*.drleevisioncare.com*, True -*.drlena.com*, True -*.drlucianivan.ca*, True -*.drluna.net*, True -*.drmc.tk*, True -*.drm.hk*, True -*.drnathhome.com*, True -*.drnda.eu*, True -*.drogariasaodomingos.pt*, True -*.drogexpress.com.ar*, True -*.drogowapomoc.com*, True -*.drogueria-latina.com.ar*, True -*.drogueriatoledo.cl*, True -*.drogueriemure.ch*, True -*.drogu.es*, True -*.drogurietnobotanice.ro*, True -*.droidian.net*, True -*.droido.ga*, True -*.droidtech.it*, True -*.droid-void.com*, True -*.drojd.ga*, True -*.dromahair.com.au*, True -*.drometec.cl*, True -*.droneirc.net*, True -*.dronele.ro*, True -*.dronescol.com*, True -*.drones.systems*, True -*.dronetransport.com.au*, True -*.dronies.sk*, True -*.dronit.cl*, True -*.dronport.com*, True -*.droodl.com*, True -*.drool.at*, True -*.droolix.net*, True -*.droomkoffer.be*, True -*.dropboxx.ga*, True -*.dropfiles.net*, True -*.dropoutheroes.com*, True -*.droptopgames.com*, True -*.drosenbloom.com*, True -*.drosenbloom.info*, True -*.drosproxy.org*, True -*.droste.hk*, True -*.drottar.com*, True -*.drovdahl.com*, True -*.drownedindebt.com*, True -*.drownphotography.com*, True -*.dr-patricia-steckley.ca*, True -*.drpcni.com*, True -*.drpedroserrano.com*, True -*.drpex.com*, True -*.drpro.co.za*, True -*.drpuser.com*, True -*.drrobertonegrin.cl*, True -*.drsanjay.com.au*, True -*.drshearer.net*, True -*.drsunnylee.com*, True -*.drszprycha.pl*, True -*.drtelecom-ddns.com*, True -*.drthomson.ca*, True -*.drtimothysteel.com*, True -*.drtimothysteel.com.au*, True -*.drtsang.net*, True -*.druber.me*, True -*.druber.net*, True -*.drucom.ro*, True -*.drug-addicted.net*, True -*.drugdealer24.info*, True -*.drugfactsforkids.org*, True -*.druggedout.ml*, True -*.druglife.org*, True -*.drugoros.ru*, True -*.drugros.ru*, True -*.drugstore.is*, True -*.drugstoresonline.eu*, True -*.druguser.tk*, True -*.druidcitycomputers.com*, True -*.druidconsult.com*, True -*.druidweb.com.br*, True -*.drumana.cl*, True -*.drumandbass.co.nz*, True -*.drumbeat.co.il*, True -*.drumconnection.com.au*, True -*.drumdanceireland.com*, True -*.drumplastik.com*, True -*.drumproiect.ro*, True -*.drumshed.com*, True -*.drums.ro*, True -*.drunet.org*, True -*.drunk-beetle.org*, True -*.drunkengames.com*, True -*.drunkenknights.org*, True -*.drunkensailor.org*, True -*.drunksluts.net*, True -*.drupal4u.cn*, True -*.drupalfacil.com.br*, True -*.drupalhongkong.com*, True -*.drupalika.ir*, True -*.drupalpixels.com*, True -*.drupal.pt*, True -*.drusenija.com*, True -*.druzhkovka.com*, True -*.drvending.ro*, True -*.drvid.ca*, True -*.drvid.net*, True -*.drvograd-prerada.hr*, True -*.drwiks.com.au*, True -*.dryan.id.au*, True -*.dryday.in*, True -*.drydenbeef.com*, True -*.dryftco.net*, True -*.drying-machine.com*, True -*.drze.net*, True -*.drzwidymoszczelne.pl*, True -*.ds8.co*, True -*.dsaalliance.com*, True -*.dsa-drakensang.com*, True -*.ds.ai*, True -*.dsaint.tk*, True -*.dsalaj.com*, True -*.dsaorel.ru*, True -*.dsbtraining.com*, True -*.dscebook.com*, True -*.dschn.com*, True -*.dsclerkofcourt.org*, True -*.dscottbrown.com*, True -*.dscottphoenix.com*, True -*.ds.co.ve*, True -*.dscripts.co.uk*, True -*.dsdd.org*, True -*.dse.cl*, True -*.dseconsulting.net*, True -*.dsehibox-indonesia.com*, True -*.dset.ir*, True -*.dsex.se*, True -*.dsfm.org*, True -*.dsfoto.eu*, True -*.dshekin.tk*, True -*.dshoftheharriermozart.org*, True -*.dsi.net.nz*, True -*.dsips.co.uk*, True -*.dsitconcepts.com*, True -*.dsiusa.com*, True -*.dsivkov.ru*, True -*.dsk66.com*, True -*.dsk777.com*, True -*.dsldoctor.co.za*, True -*.dslmodems.co.za*, True -*.dslrday.ro*, True -*.dslstream.tk*, True -*.dsmfgltd.com*, True -*.dsm-froidevaux.ch*, True -*.dsmtek.com*, True -*.dsn-hkpr.ca*, True -*.dsntmg.com*, True -*.ds-official.net*, True -*.dsokeni.cf*, True -*.dspent.com*, True -*.dspt.ru*, True -*.dsquaredz.com*, True -*.dss67.com*, True -*.dss78.com*, True -*.dss87.com*, True -*.dssync.com*, True -*.dstamant.com*, True -*.dstand.com.au*, True -*.dstarr.ca*, True -*.dstarswitch.com*, True -*.dstefanov.com*, True -*.dstemp.com.ar*, True -*.dstewart.ca*, True -*.dstextiles.com*, True -*.dstvcenturion.co.za*, True -*.dstvdish.co.za*, True -*.dstvmidrand.co.za*, True -*.dstvsatellite.co.za*, True -*.dsur.ga*, True -*.dsusman.com.ar*, True -*.dsvisionpropiedades.cl*, True -*.dsv.tw*, True -*.dsweeterz.my*, True -*.ds-wiki.ru*, True -*.dsw.org.nz*, True -*.dsy.ch*, True -*.dsz.io*, True -*.dtacollectibles.com*, True -*.dtalk.tw*, True -*.dtamedia.info*, True -*.dtasks.com*, True -*.dtasks.ru*, True -*.dtbits.com*, True -*.dtcg.us*, True -*.dt-designs.com*, True -*.dtebd.eu*, True -*.dtech-schweiz.ch*, True -*.dteteachers.com*, True -*.dtfnet.com.ar*, True -*.dthsolutions.info*, True -*.dtip.tk*, True -*.dtjliker.com*, True -*.dtk.co.id*, True -*.dtlnetcapacitaciones.cl*, True -*.dtlnet.cl*, True -*.dtl-netsolutions.ca*, True -*.dtl-netsolutions.com*, True -*.dtl-networksolutions.com*, True -*.dtodito.co.ve*, True -*.dtomasiewicz.com*, True -*.dtonator.com*, True -*.dtrejo.com.ar*, True -*.dtrucharte.es*, True -*.dtrwos.com*, True -*.dtsimaging.biz*, True -*.dtsimaging.info*, True -*.dtsimaging.net*, True -*.dtsimaging.org*, True -*.dtsimaging.us*, True -*.dua2.cf*, True -*.dua2.ga*, True -*.duaanakmuda.com*, True -*.duablechinese.com*, True -*.duafabrics.com*, True -*.dualbit.com.ar*, True -*.dual-diagnosis-disorder.com*, True -*.dual-diagnosis-disorder.org*, True -*.dual-diagnosis-intervention.com*, True -*.dualdiagnosis-referral.org*, True -*.dualoilfield.co.id*, True -*.dualsim.com.au*, True -*.duannen.com*, True -*.duaputrajaya.co.id*, True -*.duaputramatahari.com*, True -*.duaputrapetir.co.id*, True -*.duartedasilva.com.br*, True -*.duarts.net*, True -*.duax.ru*, True -*.dubaiphp.com*, True -*.dubaiphp.org*, True -*.dubbeltallen.se*, True -*.dub.hu*, True -*.dubinkin.me*, True -*.dubiousicon.net*, True -*.dubla-inregistrare.ro*, True -*.dublainregistrare.ro*, True -*.dublin-dynamics.com.ar*, True -*.dubluvstudio.ro*, True -*.dubno.ru*, True -*.dubovac.net*, True -*.dubova-sparovka.com*, True -*.dubove-rezivo.cz*, True -*.dubrouski.com*, True -*.dubrovnikrun.com*, True -*.dubux.com*, True -*.dubwarriors.com*, True -*.ducalain.ch*, True -*.ducatiofottawa.ca*, True -*.ducatiofottawa.com*, True -*.ducklog.com*, True -*.duckmansworld.com*, True -*.duckshit.net*, True -*.ducksparadise.com*, True -*.duckspond.net*, True -*.duckybutts.com*, True -*.duckybutts.info*, True -*.ducrossplayadelcarmen.com*, True -*.ductingindonesia.com*, True -*.duc-tran.com*, True -*.ductran.com*, True -*.dudarazonable.co*, True -*.dudarazonable.com*, True -*.dudeboy.com*, True -*.dude.com.au*, True -*.dudegames.us*, True -*.dudeisthatgrobert.com*, True -*.dudeson.com*, True -*.dudewheresmyoilrig.com*, True -*.dudeyougottatrythis.com*, True -*.dudibublil.co.il*, True -*.dudi.ga*, True -*.dudi-lavi.co.il*, True -*.dudi.ml*, True -*.duduche.ch*, True -*.dududuo.com*, True -*.dudupan.com*, True -*.dudy.us*, True -*.dueenne.ro*, True -*.due-north.com.au*, True -*.duet.at*, True -*.dueti.com.br*, True -*.duewestec.co.za*, True -*.dufault.info*, True -*.duff.id.au*, True -*.dufflab.net*, True -*.dufour-family.eu*, True -*.dufwa.org*, True -*.dugera.com*, True -*.dugo.ro*, True -*.dugstew.net*, True -*.dugwoo.com.my*, True -*.du-hast-alles-richtig-gemacht.de*, True -*.duhocnhatban.biz*, True -*.duhtechnology.com.br*, True -*.dui-dwi-offender-test.com*, True -*.dui-dwi-tests.com*, True -*.duitmuilang.com*, True -*.duits.org*, True -*.duk66.com*, True -*.duk77.com*, True -*.duk84.com*, True -*.dukatpaper.sk*, True -*.dukeland.hk*, True -*.duktek.info*, True -*.dulaneys.net*, True -*.dulas.com.ar*, True -*.dulceespacio.mx*, True -*.dulcegarii-culinare.ro*, True -*.dulcepensar.com.ar*, True -*.dulcescaprichitos.com.ar*, True -*.dulce-tradicion.cl*, True -*.dulceytraviesa.cl*, True -*.dulcia.ro*, True -*.dulciebarnes.co.uk*, True -*.dulkes.com*, True -*.dulliomacedo.com.br*, True -*.dulongzuan.ml*, True -*.dulurk3d.com*, True -*.dulzurasartisticas.com*, True -*.dumansizizgaramodelleri.com*, True -*.dumbamerican.info*, True -*.dumbdogs.us*, True -*.dumbpanda.com*, True -*.dumcoelectric.ro*, True -*.dumdum.ga*, True -*.dumeximconstruct.ro*, True -*.dumile.co.za*, True -*.dumintai.com*, True -*.dumitrache.co*, True -*.dummycctv.biz.id*, True -*.dump.ch*, True -*.dumps.tw*, True -*.dunasdelfaro.com*, True -*.dunblanecraftmarket.co.uk*, True -*.duncraigproperty.com*, True -*.dundee-allegro.co.uk*, True -*.dundee-congress.co.uk*, True -*.dundeeroundtable.org.uk*, True -*.dundemworld.com*, True -*.dund.lv*, True -*.dundonaldmethodist.org*, True -*.dune-mission.net*, True -*.dune-space.ws*, True -*.dungarvanfeather.com*, True -*.dungeonball.net*, True -*.dungeonsource.com*, True -*.dunhamconsultassoc.com*, True -*.duniabargain.com*, True -*.dunia.club*, True -*.duniaelectrical.com*, True -*.dunia-kuloh.tk*, True -*.duniasexs.net*, True -*.dunia-unduhin.com*, True -*.duniavideo.net*, True -*.duniawarna.co.id*, True -*.duniaxxx.com*, True -*.dunin.org.ru*, True -*.dunnage.co*, True -*.dunndunn.hk*, True -*.dunwoodychurch.org*, True -*.duocrianza.ch*, True -*.duoctrungk14b.tk*, True -*.duoi.ga*, True -*.duongbay.com*, True -*.duoprop.se*, True -*.duorient.com*, True -*.duotechabadi.com*, True -*.duovac.ch*, True -*.dupagetech.com*, True -*.dupagetechnologygroup.com*, True -*.du.pe*, True -*.dupecheck.cz*, True -*.dupedb.com*, True -*.duphp.org*, True -*.duplainvasao.com.br*, True -*.duplikatkuncimobil.com*, True -*.duplinsky.sk*, True -*.dupontlifesafetydashboard.com*, True -*.dupontzermatt.ch*, True -*.dupres.ca*, True -*.dupuy.com.ar*, True -*.durabledogbeds.com.au*, True -*.durabledogbeds.net.au*, True -*.duran-art.com*, True -*.durandfamilychiropractic.com*, True -*.duran.gen.tr*, True -*.duranttravelingstudio.com*, True -*.duratech.biz*, True -*.duratio.net*, True -*.dur.co.za*, True -*.durendals-domain.com*, True -*.duretekstil.com*, True -*.durex.ml*, True -*.durgaappliances.tk*, True -*.durgagurung.com.np*, True -*.durham.ch*, True -*.durhamlandreform.org.uk*, True -*.durivage.me*, True -*.durolom.ru*, True -*.duropisos.com.ar*, True -*.du-ro.ro*, True -*.durovmn.ru*, True -*.durtydubdesigns.com*, True -*.durun.org*, True -*.dusbloggertrik.net*, True -*.dusche.cc*, True -*.dusenberryclub.com*, True -*.dushub.cf*, True -*.dusilda.tk*, True -*.dusintors.ro*, True -*.duskhead.com*, True -*.duss-janser.ch*, True -*.dustbite.se*, True -*.dustcovers.co.za*, True -*.dusteinsibug.com*, True -*.dustinautomotive.com*, True -*.dustinmoore.org*, True -*.dustinnewbold.com*, True -*.dustint.me*, True -*.dustless.club*, True -*.dus-t.net*, True -*.dust-t.com*, True -*.dusvol88.com*, True -*.duta.biz*, True -*.dutamuliacorp.com*, True -*.dutamusik.ga*, True -*.dutaomega.com*, True -*.dutapumpindustri.com*, True -*.dutasuryagelas.co.id*, True -*.dutch7.com*, True -*.dutchdecorations.com*, True -*.dutchdecorations.nl*, True -*.dutchdrapes.com*, True -*.dutchdrapes.nl*, True -*.dutchnuggets.com*, True -*.dutiesasassigned.com*, True -*.dutz.ro*, True -*.dutzzu.ro*, True -*.duvaud.ch*, True -*.duvaud.net*, True -*.duvets.com.mx*, True -*.duvium.com*, True -*.duwekecitra.tk*, True -*.duxe.ch*, True -*.duxpay.com*, True -*.dv0.org*, True -*.dv-119.com*, True -*.dvabita.ru*, True -*.dv-ask.com*, True -*.dvbingenieria.com*, True -*.dvbox.org*, True -*.dvbris.com*, True -*.dvbris.co.uk*, True -*.dvd2hand.com*, True -*.dvd-3d.com*, True -*.dvdcollection.ro*, True -*.dvdmediastar.com*, True -*.dvdoutlaw.com*, True -*.dvdtutorial.cf*, True -*.dvdvend.com*, True -*.dvg.pl*, True -*.dvgt.ml*, True -*.dvipmm.com*, True -*.dvirlevi.co.il*, True -*.dvirt.ru*, True -*.dvizh.biz*, True -*.dvjshow.com*, True -*.dvjshow.it*, True -*.dvjshow.net*, True -*.dvjshow.org*, True -*.dv-look.com*, True -*.dvlop.in*, True -*.dv-man.com*, True -*.dvnt.com*, True -*.dv-pop.com*, True -*.dvrkit.com.ar*, True -*.dvs.com.my*, True -*.dwarffortress.org*, True -*.dwats.net*, True -*.dwbi.ir*, True -*.dwdonline.co.za*, True -*.dwdraju.com.np*, True -*.dwelldoneinteriors.com*, True -*.dwharkey.com*, True -*.dwhb.com.au*, True -*.dwibcc.org*, True -*.dwightandsam.com*, True -*.dwightflix.com*, True -*.dwightrjohnson.com*, True -*.dwih.ru*, True -*.dwikarsatama.com*, True -*.dwikarya-cu.com*, True -*.dwikurniasurya.net*, True -*.dwimanunggalfilter.co.id*, True -*.dwim.me*, True -*.dwi-shop.ml*, True -*.dwitamaperkasa.com*, True -*.dwitunggalwisata.com*, True -*.dwmail.co.uk*, True -*.dworak.one.pl*, True -*.dwquotesandmemes.com*, True -*.dwrighthouse.net*, True -*.dwrk.in*, True -*.dwrksn.com*, True -*.dwsolutions.org*, True -*.dwunion.com*, True -*.dxamp.com.br*, True -*.dxar.com.ar*, True -*.dxbug.com*, True -*.dx.com.ar*, True -*.dxc.us*, True -*.dxdiag.co.uk*, True -*.dxfcommunity.com*, True -*.dxnt.fi*, True -*.dxtx-sordera.org*, True -*.dxxy.ga*, True -*.dyacor.com.br*, True -*.dya.im*, True -*.dyasociados.com.ar*, True -*.dybek.pl*, True -*.dyblocacoes.com.br*, True -*.dycconstrucciones.com.ar*, True -*.dycomplusx.com.my*, True -*.dydetech.com.au*, True -*.dydpres.com.ar*, True -*.dydresky.tk*, True -*.dydx.co.uk*, True -*.dydx.co.za*, True -*.dydx.de*, True -*.dyevault.com*, True -*.dyevault.net*, True -*.dyfka.net*, True -*.dyhconstrucciones.cl*, True -*.dyhimportaciones.cl*, True -*.dyh-informatica.com.ar*, True -*.dyingbreed.co*, True -*.dyinggiraffe.com*, True -*.dyka.in*, True -*.dyke.cf*, True -*.dyke.ga*, True -*.dyke.gq*, True -*.dyke.ml*, True -*.dyktel.com.ar*, True -*.dylanmarquez.com*, True -*.dylanraine.com*, True -*.dylanwaite.com*, True -*.dylanwaitegroup.com*, True -*.dylix.org*, True -*.dylon.ml*, True -*.dylon.tk*, True -*.dylu.tk*, True -*.dymoszczelna.pl*, True -*.dymoszczelne.pl*, True -*.dymov.info*, True -*.dymov.me*, True -*.dyna3c.com*, True -*.dynabotics.net*, True -*.dynabyte.ca*, True -*.dynacleaning.ca*, True -*.dynafilm.com*, True -*.dynaip.pw*, True -*.dynalinktech.com*, True -*.dynamai.com*, True -*.dyname.net*, True -*.dynamiccargo.co.za*, True -*.dynamicconsulting.cl*, True -*.dynamic-dns.tk*, True -*.dynamichomeloansaustralia.com.au*, True -*.dynamichomeloans.com*, True -*.dynamichomeloans.com.au*, True -*.dynamichvac.ca*, True -*.dynamic-i.com*, True -*.dynamiclaw.com.au*, True -*.dynamicmobile.co.za*, True -*.dynamicnetwork.ro*, True -*.dynamicroofingandrepair.com*, True -*.dynamicstorefront.com*, True -*.dynamic-styles.com*, True -*.dynamix.com.br*, True -*.dynamoit.com.ar*, True -*.dynaresearch.com*, True -*.dyna-store.com.au*, True -*.dynastorm.biz*, True -*.dynastyfools.com*, True -*.dynasty-solutions.com*, True -*.dynbhcs.net*, True -*.dyn.ch*, True -*.dyndnsbr.com.br*, True -*.dyndnsforme.com*, True -*.dynergy.ru*, True -*.dynet.com*, True -*.dynhost.ch*, True -*.dynhost.com.ar*, True -*.dynhost.ws*, True -*.dynip.pl*, True -*.dynip.pro*, True -*.dyn.mk*, True -*.dynoday.ch*, True -*.dynofu.me*, True -*.dynservers.net*, True -*.dyrassh.ga*, True -*.dyrloval.ec*, True -*.dyro.net*, True -*.dysartdaycare.com.au*, True -*.dysb.org*, True -*.dyschromatopsia.com*, True -*.dys-importadora.com*, True -*.dysmile.tw*, True -*.dyster.net*, True -*.dytgroup.cl*, True -*.dyunin.ru*, True -*.dyvniy.com*, True -*.dyvniy.ru*, True -*.dywicka.pl*, True -*.dywicki.pl*, True -*.dyx.com*, True -*.dyxy.com.br*, True -*.dyy33.com*, True -*.dyy66.com*, True -*.dzawinur.tk*, True -*.dzgfound.org*, True -*.dzhibuti.ru*, True -*.dzhurov.net*, True -*.dziadostwo.pl*, True -*.dziama.ca*, True -*.dziama.com*, True -*.dzighedby.com*, True -*.dz-mp3.net*, True -*.dzny.net*, True -*.dzoey.org*, True -*.dzoin.tk*, True -*.dzteslic.org*, True -*.e131.com*, True -*.e1fun.com*, True -*.e1n.pl*, True -*.e-1racecar.com*, True -*.e1-racecar.com*, True -*.e1racecar.com*, True -*.e-1race.com*, True -*.e1-race.com*, True -*.e1race.com*, True -*.e-1racer.com*, True -*.e1-racer.com*, True -*.e1racer.com*, True -*.e-1track.com*, True -*.e1-track.com*, True -*.e1track.com*, True -*.e20.ru*, True -*.e2cloud.ir*, True -*.e2id.ir*, True -*.e2mail.ir*, True -*.e2soft.co*, True -*.e30ftw.com*, True -*.e39.ca*, True -*.e-3design.pl*, True -*.e3r.co*, True -*.e3recruitment.com*, True -*.e3r.org*, True -*.e3solution.com.np*, True -*.e4consult.ch*, True -*.e4gmbh.ch*, True -*.e4p.ir*, True -*.e4services.ch*, True -*.e50nyc.com*, True -*.ea1giy.com*, True -*.ea1het.com*, True -*.eaa608.org*, True -*.eaas.com.au*, True -*.eabattle.cf*, True -*.eabibey.com*, True -*.ead63.com*, True -*.eadministrator.ro*, True -*.eadsa.com.ar*, True -*.eadsoft.com*, True -*.eadv.ro*, True -*.eafc.co.za*, True -*.e-agentonline.net*, True -*.eagle.cf*, True -*.eagleenergytrust.com*, True -*.eaglefm.ca*, True -*.eagle.gr*, True -*.eaglehtsctr.com*, True -*.eagleitech.co.za*, True -*.eagle-lair.com*, True -*.eagleplasticbags.com*, True -*.eaglepoint.us*, True -*.eagleridercairns.com.au*, True -*.eaglesland.org*, True -*.eaihelpdesk.com*, True -*.e-ajusrl.com.ar*, True -*.ealcuadrado.com.ar*, True -*.ealicensing.com*, True -*.ealis.ru*, True -*.ealm.tk*, True -*.ealnet.nl*, True -*.e-alon.com*, True -*.ealrari.com*, True -*.eamtrav.net*, True -*.eandeoptics.com*, True -*.e-angajat.ro*, True -*.eangajat.ro*, True -*.eani.net*, True -*.eannouncements.net*, True -*.eantunez.cl*, True -*.eanuncios.net*, True -*.eapi.tk*, True -*.earbleeding.nl*, True -*.eargot.org*, True -*.earhitect.ro*, True -*.earlgraytease.com*, True -*.earlmader.com*, True -*.earlylandcruiserspares.com.au*, True -*.earlyriserscoffeeshop.com*, True -*.earnest.gq*, True -*.earsea.com*, True -*.earthbouncemusic.com*, True -*.earthdies.com*, True -*.earthenwear.net*, True -*.earthfestival.ie*, True -*.earthforce.tk*, True -*.earthgirlfabrics.com.au*, True -*.earthgov.tk*, True -*.earthgrazer.ca*, True -*.earthlynature.com*, True -*.earthmaster.org*, True -*.earthrotation.net*, True -*.earthshare.tk*, True -*.earthsinfection.com*, True -*.earthtalks.tk*, True -*.earthtour.tk*, True -*.earthtrader.com.au*, True -*.e-artz.ru*, True -*.earve.ee*, True -*.easefun.hk*, True -*.easepains.com*, True -*.easibook.com.my*, True -*.easibook.my*, True -*.easibook.sg*, True -*.easic.ru*, True -*.easisend.com*, True -*.east43rd.com*, True -*.eastafricatenders.com*, True -*.eastalpsrainbow.net*, True -*.eastatelier.ro*, True -*.eastbody.fi*, True -*.eastcoastcarcarrying.com.au*, True -*.eastcoastgeckos.com*, True -*.eastcoastkits.com*, True -*.eastcoastpaddleboarding.com*, True -*.eastcoasttaxis.com*, True -*.easternauctions.com*, True -*.easterng.ro*, True -*.easternstamps.com*, True -*.easternstouch.co.za*, True -*.easterntypingplus.com.au*, True -*.easterntypingplus.net.au*, True -*.eastghost.org*, True -*.eastland.hk*, True -*.eastlondon-escorts.net*, True -*.eastonb.net*, True -*.eastonhome.net*, True -*.eastroadtrading.com*, True -*.eastsidekickers.org*, True -*.eastsidepianostudio.com*, True -*.eastwatchbythesea.com*, True -*.eastwhale.com*, True -*.eastwoodrugby.info*, True -*.easyamazon.net*, True -*.easybikestore.com*, True -*.easybizseek.com*, True -*.easyboard.ie*, True -*.easybtc.cf*, True -*.easycashpaydayloans2015.org*, True -*.easyceipt.cn*, True -*.easyceipt.com*, True -*.easycestas.com*, True -*.easycestas.com.br*, True -*.easychinese.hk*, True -*.easycompinamar.com.br*, True -*.easy-cookbook-recipes.com*, True -*.easycooktoday.com*, True -*.easydeal.com*, True -*.easydns.tk*, True -*.easyflores.com*, True -*.easyflores.com.br*, True -*.easyflores.net*, True -*.easyflores.pt*, True -*.easyforcefx.com*, True -*.easygames.cf*, True -*.easy-gate.info*, True -*.easyhajjnumrah.com*, True -*.easyhelp.cl*, True -*.easykits.com.br*, True -*.easylatch.com*, True -*.easyloansonline.net*, True -*.easylocation.com.ar*, True -*.easylockup.co.uk*, True -*.easymarket.pt*, True -*.easymediaconversion.com*, True -*.easynotify.com.au*, True -*.easyorderhk.com*, True -*.easypcmallorca.com*, True -*.easy-pdl24.co*, True -*.easypdls2014.org*, True -*.easy-pose.com*, True -*.easyrider.com.au*, True -*.easysailors.ch*, True -*.easytalkbd.net*, True -*.easyteaching.com.au*, True -*.easytourmadrid.com*, True -*.easytownhall.com*, True -*.easytrack.hr*, True -*.easyvcc.eu*, True -*.easy-wifi.ir*, True -*.easywine.cl*, True -*.eat1337.com*, True -*.eatbetapi.com*, True -*.eatbite.com*, True -*.eatelier.ro*, True -*.eater.tk*, True -*.eatgod.org*, True -*.eatjunkfood.ca*, True -*.eatmaipu.cl*, True -*.eatontrifles.co.uk*, True -*.eatrightbyme.com*, True -*.eatsleepcode.ca*, True -*.eauclaireusedcarsandtrucks.com*, True -*.eaudience.co.za*, True -*.eaudit.ro*, True -*.eautomobile.ro*, True -*.eautovehicule.ro*, True -*.eawedding.co.uk*, True -*.eazilayby.co.za*, True -*.eazmoon.com*, True -*.eazylivin.com*, True -*.eazypay.co.za*, True -*.eazzy.tk*, True -*.eb1tk.com*, True -*.ebaday.net*, True -*.ebanci.ro*, True -*.ebanispark.com*, True -*.ebanoapartments.com*, True -*.ebanohoteles.com*, True -*.ebarbie.ro*, True -*.ebashop.net*, True -*.ebb55.com*, True -*.ebb99.com*, True -*.ebbs.com.br*, True -*.ebconnect.com.au*, True -*.ebdojo.com*, True -*.ebe13c1f77.pw*, True -*.ebergassing.com*, True -*.ebiblio.ga*, True -*.ebid.cf*, True -*.ebiggs.com*, True -*.ebike.cl*, True -*.ebinaryone.com*, True -*.ebits-backup.ch*, True -*.ebking.com.au*, True -*.eblan.info*, True -*.eblan.net*, True -*.eble.com.br*, True -*.ebluemedia.com*, True -*.eboch.com*, True -*.e-body.ro*, True -*.ebola.org.br*, True -*.ebonynivory.com.au*, True -*.ebook-authors.com*, True -*.ebooklecture.com*, True -*.ebooknb.com*, True -*.ebooks-for-life.com*, True -*.ebourget.net*, True -*.ebox.com.au*, True -*.ebrahimi.ch*, True -*.ebrainte.com*, True -*.ebrandit.fi*, True -*.ebre-software.com*, True -*.ebridgewater.net*, True -*.ebroberson.com*, True -*.ebroconsultores.cl*, True -*.ebshellas.gr*, True -*.ebsinformatica.com*, True -*.eb-suite.com*, True -*.ebs-ww.com*, True -*.ebt-pc.ca*, True -*.ebt-pc.com*, True -*.ebtransportes.com.br*, True -*.ebu.co.za*, True -*.ebujie.ro*, True -*.ebulk.ro*, True -*.eburgnews.ru*, True -*.ebusiki.tk*, True -*.ebusiness-consulting.ch*, True -*.ebuss.cl*, True -*.ebutet.com*, True -*.ebuy.hk*, True -*.ebuziyar.cf*, True -*.ebwater.com*, True -*.ec-access.net*, True -*.ecaconsultores.com.ar*, True -*.ecadis.pl*, True -*.ecaipe.com.ar*, True -*.e-cancelarie.ro*, True -*.ecancelarie.ro*, True -*.ecancer.ro*, True -*.ecap.sg*, True -*.ecapsul.com*, True -*.ecareer.com.au*, True -*.ecatedra.ro*, True -*.ecavero.com*, True -*.ecbcltd.com*, True -*.ecc77.com*, True -*.ecc99.com*, True -*.eccenter.eu*, True -*.ecclesiastical.com.au*, True -*.eccoi.org*, True -*.eccpub.com*, True -*.ecegeek.com*, True -*.ecembilgisayar.com*, True -*.ec-f.ca*, True -*.ecg.co.za*, True -*.ecgg.com.ar*, True -*.ecgt.co.za*, True -*.echelonfinancialcorp.com*, True -*.echeloni.fi*, True -*.echemsemi.com*, True -*.echenard-sa.ch*, True -*.e-chestionare.ro*, True -*.echestionare.ro*, True -*.echilibio.com*, True -*.echinese.com.au*, True -*.echipatek.com*, True -*.echo23.net*, True -*.ech-o.ch*, True -*.echodiscos.com*, True -*.echoix.com*, True -*.echolima.net*, True -*.echomati.com*, True -*.ech-o.net*, True -*.echoparklake.com*, True -*.echorequest.info*, True -*.echy.biz*, True -*.echyn.com*, True -*.echy.org*, True -*.ecier.com.ar*, True -*.ecikapecika.com*, True -*.ecimcn.org.mx*, True -*.ecimleon.org.mx*, True -*.ecim.org.mx*, True -*.eckamyuen.hk*, True -*.eckmar.com*, True -*.eclace.com*, True -*.eclatant.cl*, True -*.eclectiko.com.ar*, True -*.ecleziastica.ro*, True -*.e-clinica.com.mx*, True -*.e-cloud.ch*, True -*.e-club2014.fr*, True -*.eclubbing.ro*, True -*.ecmac.co.za*, True -*.ecmemory.hk*, True -*.ecmi.ca*, True -*.ecmp2012.ro*, True -*.e-cnc.net*, True -*.ecnet.nl*, True -*.ecoaq.com*, True -*.ecoarquitecnia.com.mx*, True -*.ecobik.ro*, True -*.ecocentronatal.com.br*, True -*.ecochris.com*, True -*.ecocolourchem.com*, True -*.eco-comunitate.ro*, True -*.ecoconciencia.cl*, True -*.ecodry.cl*, True -*.eco-duo.com*, True -*.ecoduripostale.ro*, True -*.ecodyneuet.com.mx*, True -*.ecoeduc.cl*, True -*.ecoelectricidad.com*, True -*.ecofarmb2eden.co.za*, True -*.ecofast.ru*, True -*.ecofibras.cl*, True -*.ecofitness.com.ar*, True -*.ecohongkong.com*, True -*.ecoil.com.ar*, True -*.ecojur.com*, True -*.ecolabor.ch*, True -*.ecolandcraft.com*, True -*.ecolatexmattress.com*, True -*.ecolatexmattress.com.au*, True -*.ecolebeausoleil.ca*, True -*.ecoleboreale.ca*, True -*.ecolectric.com.au*, True -*.ecoledebellegarde.ca*, True -*.ecoleducharme.ca*, True -*.ecole-en-sauvy.ch*, True -*.ecolemgrlaval.ca*, True -*.ecolendv.ca*, True -*.ecolepm.ca*, True -*.ecoleprovidence.ca*, True -*.ecole-rajaadanse.com*, True -*.ecolesansfrontieres.ca*, True -*.ecolestisidore.ca*, True -*.ecolevalois.ca*, True -*.eco-light.hk*, True -*.ecoliving.org*, True -*.ecollaborate.us*, True -*.eco-malawi.pl*, True -*.ecomangroup.ro*, True -*.ecomgroup.co.za*, True -*.ecomhongkong.com*, True -*.ecomm911.org*, True -*.ecomon.cat*, True -*.ecompetenz.com*, True -*.ecomuffler.com*, True -*.ecomy.net*, True -*.econ-ecology.co.uk*, True -*.econoconcept.ch*, True -*.economia48.com*, True -*.economtrip.ru*, True -*.econtab.cl*, True -*.econtacts.ch*, True -*.econtrol.mx*, True -*.ecopapers.com.ar*, True -*.ecoparqueislasanjose.com*, True -*.ecoparqueislasanjose.net*, True -*.ecoparqueislasanjose.org*, True -*.ecopco.com.ar*, True -*.ecopetroleum.ro*, True -*.eco-plastic.com.ar*, True -*.ecoprasinos.my*, True -*.ecop.ro*, True -*.ecopronatura.ro*, True -*.ecoproplant.ro*, True -*.ecoray.co.nz*, True -*.ecosarj.com*, True -*.ecosarj.net*, True -*.ecosarj.org*, True -*.ecoscordoba.com.ar*, True -*.ecoselectare.ro*, True -*.ecosem.cl*, True -*.ecoshineslovakia.sk*, True -*.ecosource.cn*, True -*.ecosource.hk*, True -*.ecospa.cf*, True -*.ecostbay.com*, True -*.ecostbay.net*, True -*.ecostumbres.com.ar*, True -*.eco-style.org*, True -*.ecosys.eu*, True -*.ecosys.gr*, True -*.ecotechster.us*, True -*.ecoterminstal.ro*, True -*.ecoterm-navodari.ro*, True -*.ecotetera.cl*, True -*.ecotoxbrasil.org.br*, True -*.ecotravel.ro*, True -*.ecouriers.net*, True -*.ecoville.tv*, True -*.e.co.za*, True -*.ecreativekitchen.com*, True -*.e-creativeunion.com*, True -*.ecrive.net*, True -*.ec-sa.co.za*, True -*.ecsnyc.co*, True -*.ecswim.co.za*, True -*.ectopicpregnancy.info*, True -*.ecuacorreos.com*, True -*.ecuador.co.za*, True -*.ecubic.ro*, True -*.ecuguia.com*, True -*.ecvipgroup.ru*, True -*.ecvip.ru*, True -*.ecworkshopinc.com*, True -*.e-cycletechnologies.com*, True -*.e-cycletechnologies.org*, True -*.ecycletechnologies.org*, True -*.eczeemcure.nl*, True -*.ed04.com*, True -*.ed05.com*, True -*.ed1b.com*, True -*.eda85.com*, True -*.eda95.com*, True -*.edadame.com*, True -*.edah.us*, True -*.eda.nl*, True -*.edarkness.net*, True -*.e-data.com.tr*, True -*.edating.org.ru*, True -*.edbaranhi.com*, True -*.edbask.net*, True -*.edbtraining.com.au*, True -*.edbuypills.com*, True -*.edcalerts.com*, True -*.edcva.cl*, True -*.edcwm.com.au*, True -*.eddanconstruct.ro*, True -*.edderestoran.com*, True -*.edd-holding.de*, True -*.eddie-acoustic.net*, True -*.eddieprawira.com*, True -*.eddiermartinez.tk*, True -*.eddiq.com*, True -*.eddor.com.ar*, True -*.eddyfournier.ch*, True -*.edebali.net*, True -*.edelstein.me*, True -*.edelweissworld.ch*, True -*.edenbeer.com.br*, True -*.edengren.se*, True -*.edenlandcare.ca*, True -*.edenlodge.co.uk*, True -*.edenthegame.com*, True -*.edesal.com*, True -*.edes.net.ru*, True -*.edessa.com.ar*, True -*.edestesa.com.ar*, True -*.edge.cl*, True -*.edgedesign.com.au*, True -*.edgegenerator.com*, True -*.edgehomes.ca*, True -*.edgeindustries.co.uk*, True -*.edgelea.co.uk*, True -*.edgeofdecember.com*, True -*.edgeofthewest.net*, True -*.edgeproperty.net*, True -*.edgesistemas.com*, True -*.edgeton.com.au*, True -*.edgewoodcommlibrary.org*, True -*.edgex.ru*, True -*.edgimoco.com*, True -*.edgyhost.com*, True -*.edian.ch*, True -*.edible.io*, True -*.edicionesalmaden.com*, True -*.edicionsdel1979.cat*, True -*.ediculabebedouro.com.br*, True -*.edicybernotes.com*, True -*.ediete.ro*, True -*.edificaciondico.com*, True -*.edificare.cl*, True -*.edificioangles.com.ar*, True -*.edificiobit.cl*, True -*.edificiocirrus.com.ar*, True -*.edificiointecons.com.ar*, True -*.edificiomiradores.com.ar*, True -*.edificioportezuelo.com*, True -*.edificioportezuelo.com.ar*, True -*.edificiosanjose.com.ar*, True -*.edificiotolosa.com*, True -*.edificiotolosa.com.ar*, True -*.edileno.com.br*, True -*.edilfuturosnc.it*, True -*.edil-legno.net*, True -*.edimac.cl*, True -*.edimaprod.ro*, True -*.edinburghstudioorchestra.org*, True -*.edinfo.com.br*, True -*.edinsuka-laki.com*, True -*.ediparser.com*, True -*.edirect2.one.pl*, True -*.edirectslask.one.pl*, True -*.edisonave.net*, True -*.edisoni-spezialreinigungen.ch*, True -*.editastudio.ro*, True -*.edition-image.com*, True -*.editoradelplata.com.ar*, True -*.editoreal.net*, True -*.editoriallosrios.cl*, True -*.editpoint.hk*, True -*.editr.ca*, True -*.editthesis.co.za*, True -*.editura-amsibiu.ro*, True -*.edituraomra.ro*, True -*.edituraonline.ro*, True -*.edjoyen.com*, True -*.edlitmus.info*, True -*.edlu.me*, True -*.edmfoundation.org*, True -*.edmi.web.id*, True -*.edmontonwelsh.ca*, True -*.edmundcheng.com*, True -*.ednaryan.net.au*, True -*.ednatest.com*, True -*.edoccustodia.com.br*, True -*.edocere.cl*, True -*.edocere.com*, True -*.edocimaging.com.br*, True -*.edoras.tk*, True -*.edoy.cf*, True -*.ed-pahrmacy.com*, True -*.edpenwell.ca*, True -*.edpey.com*, True -*.edphotos.net*, True -*.edrennikov.ru*, True -*.edrishn.org*, True -*.edrisian.ir*, True -*.edrisian.net*, True -*.edrivenedu.com*, True -*.edrivenent.com*, True -*.edrivenhome.com*, True -*.edriveninventory.com*, True -*.edrivenproperties.com*, True -*.edrivenraffle.com*, True -*.edrivensolutions.com*, True -*.edrivensports.com*, True -*.edrivenstudios.com*, True -*.edrock.ir*, True -*.edsoftsystems.com*, True -*.edsonide.med.br*, True -*.edsonlopesguitar.com*, True -*.edson.net.br*, True -*.edssa.com.ar*, True -*.edsstuff.co.uk*, True -*.edt.vc*, True -*.edu-apps.ru*, True -*.eduardoguiremates.com.ar*, True -*.eduardomiron.net*, True -*.eduardorapoport.com.ar*, True -*.eduardosiri.com.ar*, True -*.eduardovaquerizo.com*, True -*.eduardoviveiros.com.br*, True -*.edubragabass.com.br*, True -*.educa21.com*, True -*.educacioncuracautin.cl*, True -*.educacionendolor.com.ar*, True -*.educacionfisicaenmexico.com*, True -*.educacionpccapital.cl*, True -*.educafacil.info*, True -*.educando.mx*, True -*.educareartebaby.com.br*, True -*.educare-it.com.br*, True -*.educarenlanube.com.ar*, True -*.educartec.cl*, True -*.educarteesarte.com.ve*, True -*.educartis.net*, True -*.educastle.net*, True -*.educatianoastra.ro*, True -*.educatica.com.ar*, True -*.educatiesexuala.ro*, True -*.education.al*, True -*.educationnet.com.au*, True -*.educationworld.ga*, True -*.educativaluces.com.ar*, True -*.educatorloan.com*, True -*.educatorperks.com*, True -*.edu-chavanne.ch*, True -*.edu-dmitrov.ru*, True -*.eduease.tk*, True -*.edugre.com*, True -*.eduinfoplaza.com*, True -*.edu-link.com.ar*, True -*.edumatica.cl*, True -*.edumaticanet.cl*, True -*.edunation.ca*, True -*.eduqella.com*, True -*.eduran.com.ve*, True -*.edurs.net*, True -*.edusol.ro*, True -*.edusolutions.ro*, True -*.eduspotinc.com*, True -*.edutots.co.za*, True -*.edutoys.ro*, True -*.edutrama.com.ar*, True -*.edutus.ro*, True -*.edwardelsom.com*, True -*.edwardhilsum.com*, True -*.edwardleblanc.com*, True -*.edwardliao.com.au*, True -*.edwardsalem.com*, True -*.edwardsjournal.com*, True -*.edwards-technique-alexander.ch*, True -*.edwertz.se*, True -*.edwingomez.com*, True -*.edwin.nom.za*, True -*.edwinphillips.net*, True -*.edy777.com*, True -*.edydarkopi.tk*, True -*.edy.la*, True -*.edyta.info*, True -*.edza101.co.uk*, True -*.eeacmteam.tk*, True -*.e-easy.ch*, True -*.eedo.com.au*, True -*.eedom.cf*, True -*.eeducatie.ro*, True -*.e-education.hk*, True -*.eee-222.com*, True -*.eeeazy.com*, True -*.eeecandy.com*, True -*.ee-elec.com*, True -*.eeeserver.co.uk*, True -*.eei.la*, True -*.eejc.org*, True -*.eekrano.com*, True -*.eelco.asia*, True -*.e-elka.com*, True -*.eeppi.ch*, True -*.eequalso2.com*, True -*.eequalso2.org*, True -*.e-erac-online.com*, True -*.eerenbeemt.net*, True -*.eeshk.net*, True -*.eesite.info*, True -*.eesite.net*, True -*.eesite.org*, True -*.eestiprojekt.com*, True -*.eestiprojekt.eu*, True -*.eetcompany.com*, True -*.eetkpeinture.ch*, True -*.eevalahtinen.fi*, True -*.efactory.com.ar*, True -*.efamilie.ro*, True -*.efax.br*, True -*.efax.com.br*, True -*.efbjr.com*, True -*.efdejot.pl*, True -*.efectobar.com.ar*, True -*.efekr.ir*, True -*.efekr.net*, True -*.efelicitari.org*, True -*.efeline.com.tr*, True -*.efendy.com.au*, True -*.efernandezperez.com.ar*, True -*.efesur.com.ar*, True -*.efetres.com.ar*, True -*.efeuran.com*, True -*.effectiveagencies.co.za*, True -*.effendie.web.id*, True -*.efficks.com*, True -*.effixient.com*, True -*.eficons.ro*, True -*.efifront.co.il*, True -*.efigueredo.com.br*, True -*.efita.ga*, True -*.efita.tk*, True -*.eflorist.hk*, True -*.eflower.hk*, True -*.e-flow.gr*, True -*.eflyersolutions.com*, True -*.efnet.at*, True -*.efnet.cf*, True -*.efnu.fi*, True -*.efocus.tk*, True -*.efootdr.net*, True -*.eforienett.ro*, True -*.efotografia.ro*, True -*.e-fotografii.ro*, True -*.efotografii.ro*, True -*.efqy.com*, True -*.efra.in*, True -*.efrainlugo.com*, True -*.efrati.org*, True -*.efr.cl*, True -*.e-freesia.com*, True -*.efrog.co.za*, True -*.efrog.org*, True -*.efstratiou.me.uk*, True -*.eftracker.ru*, True -*.e-fu.com*, True -*.eful-gama.cf*, True -*.efv.com.ar*, True -*.efxs.ca*, True -*.eg-7080.com*, True -*.egabinet.net*, True -*.e-ga.de*, True -*.egafcon.com*, True -*.egalitary.com*, True -*.egalitary.net*, True -*.egalitary.org*, True -*.eganews.com*, True -*.e-garaza.si*, True -*.e-ga.ru*, True -*.egate.com.my*, True -*.egatemessaging.com*, True -*.egate.my*, True -*.egb.space*, True -*.eg-cgv.com*, True -*.egconcept.ch*, True -*.e-generar.com.ar*, True -*.egesakha.su*, True -*.egestion.com.ar*, True -*.eggborn.com*, True -*.eggborn.ir*, True -*.eggchickchicken.com*, True -*.eggconsulting.hk*, True -*.eggdr0p.tk*, True -*.eggdrop.one.pl*, True -*.eggers-club.de*, True -*.egghelp.ro*, True -*.eggnog.me*, True -*.eggo.ind.br*, True -*.eggsache.tk*, True -*.eggvena.eu*, True -*.egida.org*, True -*.egift.hk*, True -*.egifts.sg*, True -*.egiscruzero.cl*, True -*.egitampan.tk*, True -*.egit-priatna.com*, True -*.eglass.cl*, True -*.e-glass.ro*, True -*.eglepalionyte.lt*, True -*.eglisehaitienne.org*, True -*.eglobaltravelmedia.asia*, True -*.eglobaltravelmedia.com*, True -*.eglobaltravelmedia.com.au*, True -*.eg-main.com*, True -*.egnsa.co.za*, True -*.eg-ocn.com*, True -*.egofree.ru*, True -*.egood-tw.com*, True -*.egorvlasov.ru*, True -*.egosa.mx*, True -*.egosur.com.ar*, True -*.egp6.net*, True -*.egrapsas.com*, True -*.e-greecetravel.com*, True -*.egrou.se*, True -*.egrouse.com*, True -*.egrouse.co.uk*, True -*.egrouse.net*, True -*.egtmedia.com*, True -*.egtmobile.com.ar*, True -*.eguavaplush.com.au*, True -*.eguavasigns.com.au*, True -*.egw-bernzentrum.ch*, True -*.egw-jugend.ch*, True -*.egxservicos.com.br*, True -*.e-gyaan.com*, True -*.e-gyaan.info*, True -*.egyetem.ro*, True -*.egypt1001.com*, True -*.egzotico.pl*, True -*.ehabreda.com*, True -*.ehappy.tw*, True -*.ehcw.ca*, True -*.ehdiwow2.gq*, True -*.ehdiwow3.gq*, True -*.ehdiwow.gq*, True -*.e-healthcaresystems.com*, True -*.ehealth.ir*, True -*.ehealth-today.com*, True -*.ehelion.com*, True -*.ehescheidung-dorsten.com*, True -*.ehkaisetukos.fi*, True -*.ehoth.net*, True -*.ehr-educativo.com*, True -*.ehrenberg.biz*, True -*.ehresist.co.uk*, True -*.ehsalumniassn.org*, True -*.ehsclassof76.org*, True -*.ehsdemocrats.org*, True -*.ehtesabi.com*, True -*.ehtesabi.ir*, True -*.ehtopia.com*, True -*.ehtrains.com*, True -*.ehub.com.mx*, True -*.ehxagun.nl*, True -*.eiao.tk*, True -*.eiasi.ro*, True -*.eicformacao.pt*, True -*.eickerman.com*, True -*.eicue.com*, True -*.eidenvall.se*, True -*.eieo.com*, True -*.eiep.com.ar*, True -*.eigenlicht.us*, True -*.eigenverbrauchsrechner.ch*, True -*.eight-ball.org*, True -*.eightbitandbeyond.com*, True -*.eightnine.ir*, True -*.eiigachile.org*, True -*.ei-lan.com.ar*, True -*.eileenfu.com*, True -*.eilong.com*, True -*.eilongshop.com*, True -*.eimertvink.nl*, True -*.eimirae.com*, True -*.einav.tk*, True -*.einclusion.hk*, True -*.ein.com.mx*, True -*.ein.ee*, True -*.einfach-toll.net*, True -*.einfofirme.ro*, True -*.einhammr.com*, True -*.einigkeit.ml*, True -*.einigkeit.tk*, True -*.einkaufspreise.ch*, True -*.einsof-haras.ca*, True -*.einsure.com.my*, True -*.einsure.my*, True -*.eio-lean.tk*, True -*.eipsistemas.com.ar*, True -*.eiraessenzen.ch*, True -*.eirasebeiras.com.br*, True -*.eiresol.com*, True -*.eisbein.cl*, True -*.eisenack.net*, True -*.eisenfamily.net*, True -*.eisnercayman.com*, True -*.eisneris.com*, True -*.eisnerresourcestaffing.com*, True -*.eisnerretirementsolutions.com*, True -*.eitanindustries.com*, True -*.eitanme.com*, True -*.eitaro.jp*, True -*.e-it.gr*, True -*.eitherkey.com*, True -*.eithermouse.com*, True -*.eits.co*, True -*.eivom.jp*, True -*.eize.net*, True -*.ejaculare.ro*, True -*.ejankowiak.pl*, True -*.ejb1123.tk*, True -*.ejecutivasoficinas.com.mx*, True -*.ejegg.com*, True -*.ejhonn.com*, True -*.ejik.ro*, True -*.ejit.com.au*, True -*.ejit.co.za*, True -*.ejkcreative.com*, True -*.ejlj.net*, True -*.e-joculete.ro*, True -*.ejocuritari.ro*, True -*.ejouis.co.uk*, True -*.ejrudy.com*, True -*.ejs-geologia.cl*, True -*.ejudge.gq*, True -*.e-junky.net*, True -*.ejuvo.com*, True -*.e-kaczy.pl*, True -*.ekagemilangmedika.com*, True -*.ekampme.co*, True -*.ekanry.fi*, True -*.ekart.ro*, True -*.ekasiwap.com*, True -*.ekauf.ch*, True -*.ekayanamultiparts.com*, True -*.e-kcal.com*, True -*.ekcal.com*, True -*.ekch.kz*, True -*.eke-nazareth.be*, True -*.ekermans.co.za*, True -*.ekerot.org*, True -*.ekhatri.net*, True -*.ekhbariya.tv*, True -*.ekimb.com*, True -*.ekini.info*, True -*.ekintibbiyayincilik.com.tr*, True -*.ekipejums.lv*, True -*.ekivotos.gr*, True -*.ekleiner.com.au*, True -*.eklipto.com*, True -*.eklovgroup.eu*, True -*.e-kmaras.com*, True -*.ekoaqua.ru*, True -*.ekocleaner.ro*, True -*.ekodolomit.pl*, True -*.ekohchang.com*, True -*.ekollar.com*, True -*.ekoluks.eu*, True -*.ekomediagroup.ro*, True -*.eko.my.id*, True -*.ekopapir.ro*, True -*.ekoperasi.my*, True -*.ekoplast.si*, True -*.ekoporta.si*, True -*.ekorshunova.ru*, True -*.ekosarj.net*, True -*.ekosarj.org*, True -*.ekos-consultores.cl*, True -*.ekosher.com.ar*, True -*.ekosit.si*, True -*.eko-svit.si*, True -*.ekotisk.si*, True -*.ekowiki.org*, True -*.ekp.ru*, True -*.ekren.org*, True -*.ekrepairs.com*, True -*.eks.com.mx*, True -*.eks.mx*, True -*.ekspedisisemarang.com*, True -*.ekspedisiudara.com*, True -*.ekspertizler.com*, True -*.ekspres-lojistik.com*, True -*.ekushagra.com*, True -*.ekzpert.com*, True -*.el3roy.com*, True -*.el8.ru*, True -*.elabcdelapesca.com.ar*, True -*.elabnet.ca*, True -*.elaborazionetesi.com*, True -*.elab.tk*, True -*.elafini.com*, True -*.elainelasticnes.com*, True -*.elalaela.com*, True -*.elalouf-philippe.ch*, True -*.elangtama.com*, True -*.elantiheroe.com.ar*, True -*.elartesanodelbyte.info*, True -*.elarum.com.tr*, True -*.elashi.ca*, True -*.elasombro.cl*, True -*.elasticchannel.com*, True -*.elastix.hk*, True -*.elatusapu.fi*, True -*.elaunchfund.ro*, True -*.elawnguy.com*, True -*.elbaloo.mx*, True -*.elbeis.de*, True -*.elbimas.com*, True -*.elbimas.com.tr*, True -*.elbiruindustries.com*, True -*.elbmig.com*, True -*.elcacatua.com*, True -*.elcafecubano.cl*, True -*.elcastillomazatlan.com*, True -*.elcast.ro*, True -*.elchemi.com*, True -*.elchinero.org*, True -*.elcmy.com*, True -*.elcollipullense.cl*, True -*.elcomel.com*, True -*.elcomel.com.ar*, True -*.elcondor.info*, True -*.elcontrast.org*, True -*.elcoscada.com*, True -*.elcotelecom.ro*, True -*.elctronicgames.ro*, True -*.elcupidestates.co.za*, True -*.eldenarmbrust.com*, True -*.elderfun.ch*, True -*.elder-geek.net*, True -*.elderien.cl*, True -*.elderlloyd.org*, True -*.eldho.com*, True -*.eldiamascorto.com*, True -*.eldiariodecuruzu.com.ar*, True -*.eldi.ro*, True -*.eldora.asia*, True -*.eldora.tw*, True -*.eldorrado.net*, True -*.eldorrado.org*, True -*.eldracher.ca*, True -*.eldridges.info*, True -*.eldritch.com.ar*, True -*.elduoyel.com.ar*, True -*.eleadernet.com*, True -*.eleafmacau.com*, True -*.elearningsa.co.za*, True -*.elearningsa.org*, True -*.eleccionesfeuc.cl*, True -*.elecdev.com.ar*, True -*.elecmas.cl*, True -*.elecris.ro*, True -*.elecstone.fi*, True -*.elecsys.ro*, True -*.election2012.ru*, True -*.electoral-acc.ro*, True -*.electribal.org*, True -*.electricahr.ro*, True -*.electricalpegasus.ru*, True -*.electrical-solutions-eu.com*, True -*.electrical-solutions-eu.co.uk*, True -*.electricants.net*, True -*.electric-boards.com*, True -*.electriccaptain.net*, True -*.electriccaptain.org*, True -*.electricchief.com*, True -*.electricchief.net*, True -*.electricchief.org*, True -*.electric-com.ro*, True -*.electric-guitars.eu*, True -*.electricidadautomotriz.cl*, True -*.electricidadesport.com*, True -*.electric-inst.ro*, True -*.electricitatesolara.ro*, True -*.electriclearn.com*, True -*.electriclearn.net*, True -*.electriclearn.org*, True -*.electricmaestro.org*, True -*.electricmaster.net*, True -*.electricmaster.org*, True -*.electricmasters.org*, True -*.electricmayhemls.com*, True -*.electricovenrepairs.com.au*, True -*.electric-pricelist.com*, True -*.electricrail.ro*, True -*.electricrose.com*, True -*.electricstoragepartners.com*, True -*.electricvrn.ru*, True -*.electro-arg.com.ar*, True -*.electroban.net*, True -*.electro-beta.ro*, True -*.electrocomp.ee*, True -*.electrocrispino.com.ar*, True -*.electrodata.com.ar*, True -*.electrodomesticosoutlet.com*, True -*.electroglobal.cl*, True -*.electrogonnet.com.ar*, True -*.electrohogaronline.es*, True -*.electrol.com.ar*, True -*.electrolightfestival.com*, True -*.electromasterhost.com.ar*, True -*.electromercio.com*, True -*.electrometer.us*, True -*.electromoljrm.com.ar*, True -*.electromontajescordoba.com*, True -*.electro-motor.ro*, True -*.electron2014.com*, True -*.electronicafacil.biz*, True -*.electronicafacil.eu*, True -*.electronicafacil.info*, True -*.electronicafacil.mobi*, True -*.electronicafacil.name*, True -*.electronicafacil.org*, True -*.electronicapopular.cl*, True -*.electronicsdoctor.tv*, True -*.electronik.ir*, True -*.electroniquelibre.org*, True -*.electron-microscopy.net*, True -*.electronshop.com.au*, True -*.electronstoragepartners.com*, True -*.electro-prom.com*, True -*.electrosale.ch*, True -*.electros.cl*, True -*.electroshack.com*, True -*.electrosos.ro*, True -*.electrosphere.name*, True -*.electrotex.net*, True -*.electrotrunk2.com.ar*, True -*.electrotupungato.com.ar*, True -*.electrovrn.ru*, True -*.eleds.com*, True -*.eleds.com.au*, True -*.eleet.me*, True -*.elefante.co.za*, True -*.elefante.org*, True -*.e-leganza.ch*, True -*.elegiyaplus.info*, True -*.elegiyaplus.ru*, True -*.el-egy.com*, True -*.elekarna.si*, True -*.elektrad.info*, True -*.elektribascenas.lv*, True -*.elektroluks.si*, True -*.elektronabava.tk*, True -*.elektroo.net*, True -*.elektrooppi.fi*, True -*.elektrosale.ch*, True -*.elemantech.com*, True -*.elemashine.org*, True -*.elemassageandbodywork.com*, True -*.elemente-fier-forjat.ro*, True -*.elementscraft.ch*, True -*.elementsmi.com*, True -*.elemporioonline.com.ar*, True -*.elenabaron.es*, True -*.elenamodels.info*, True -*.elenaporter.com*, True -*.elenasandu.com*, True -*.elenasl.com*, True -*.elena-tan.tk*, True -*.eleni.li*, True -*.elenoronline.net*, True -*.eleon.jp*, True -*.eleonoraconti.tk*, True -*.elephantass.com*, True -*.elephantdac.cl*, True -*.elephly.net*, True -*.elerium.ro*, True -*.elesnaovotammasnossim.com.br*, True -*.elesquinero.cl*, True -*.elestablozacapa.com*, True -*.elestro.si*, True -*.eletech.com.ar*, True -*.eletrica.eng.br*, True -*.eletrojgua.com.br*, True -*.eletrojumbo.com*, True -*.eletronicaprado.com.br*, True -*.eletrosardinha.com.br*, True -*.elettronicazulian.com*, True -*.elettro-pio.ch*, True -*.eleus.is*, True -*.e-leva.com.ar*, True -*.elevant.com.ar*, True -*.elevapartes.com.ve*, True -*.eleven.am*, True -*.eleven.co.za*, True -*.e-leven.hk*, True -*.eleventhpercentile.com*, True -*.elewyth.ch*, True -*.elfick.eu*, True -*.elf.li*, True -*.elfnet.ro*, True -*.elfotografo.cl*, True -*.elfurancho.com*, True -*.elga-ahmad.com*, True -*.elgasmktg.com.au*, True -*.elgasoffers.co.nz*, True -*.elgatec.ro*, True -*.elgger-alpakaweid.ch*, True -*.elginlearning.co.za*, True -*.elginlearning.org*, True -*.elgranerocentral.com*, True -*.el-granjero.com.ar*, True -*.elgransol.com.ve*, True -*.elgrillo.cl*, True -*.el-gu.com*, True -*.el.gy*, True -*.elhamdashti.ir*, True -*.elhidro.com.ar*, True -*.elhoplita.com.ar*, True -*.eli7.ca*, True -*.eliart.tk*, True -*.elibernstein.com*, True -*.elibollarmobilya.com*, True -*.elibrary-sbcc.org*, True -*.eli-deal.ru*, True -*.eliestlotto.biz*, True -*.elifkiral.com*, True -*.elifuysal.com.tr*, True -*.eligulord.tk*, True -*.elihost.com.br*, True -*.elijahclarke.com*, True -*.elijahhardin.com*, True -*.elijahtruth.me*, True -*.elim-at-home.com*, True -*.elina.cf*, True -*.elindomegajaya.com*, True -*.elinemartin.com*, True -*.elinfografistanocturno.com*, True -*.elinformadorlocal.com.ar*, True -*.e-liniers.com.ar*, True -*.elinktechnologies.net*, True -*.eliobastias.com.ar*, True -*.el-isa.com*, True -*.elisecosmetics.co.uk*, True -*.eliseoarraras.com*, True -*.eliseonardone.it*, True -*.elistratoff.tk*, True -*.elita.si*, True -*.eliteadvisorsconsulting.com*, True -*.elitecabs.com.au*, True -*.elitecarsrl.ro*, True -*.elitecirclerelocation.eu*, True -*.elitecirclerelocation.us*, True -*.elitedebtsettlement.com*, True -*.eliteescortemployment.com*, True -*.elite-fit.net*, True -*.elite-fit.si*, True -*.elite-gift.com*, True -*.elitehunters.com*, True -*.eliteitminds.com*, True -*.elitelegalforms.com*, True -*.elitem.com.au*, True -*.elitemortgagechoice.ca*, True -*.elitemortgagechoice.net*, True -*.elitenatural.com.au*, True -*.elitescope.ec*, True -*.eliteshivok.com*, True -*.elite-star-services.com*, True -*.elitesystemsca.com*, True -*.elitetex-bd.com*, True -*.elitetutores.cl*, True -*.eliteviraltraffic.com*, True -*.elite-voyage.info*, True -*.eliteyouth.hk*, True -*.elitter.net*, True -*.elitzadesign.com*, True -*.e-livepoker.com*, True -*.e-livepoker.net*, True -*.eliworks.com*, True -*.elixio.ro*, True -*.eliyakim.com*, True -*.elizabethselly.com*, True -*.elizachampagne.com*, True -*.elizachampagne.com.au*, True -*.elizaldeabogados.cl*, True -*.eljardin.co*, True -*.elkandbird.com*, True -*.elkandbird.com.au*, True -*.elke-apel.com*, True -*.elkharadly.com*, True -*.elkvalleyhomes.net*, True -*.ellachi.com*, True -*.ellafinediner.com*, True -*.ellaheemskerk.com*, True -*.ellakate.net*, True -*.ellakate.org*, True -*.ellakoon.com*, True -*.ellapfeil.cl*, True -*.ellasworldofgames.com*, True -*.elledichair.it*, True -*.ellege.id.au*, True -*.elle-gi.si*, True -*.ellenberg.cl*, True -*.ellen-ehv.nl*, True -*.ellenlim.com*, True -*.ellenna.info*, True -*.ellenscohen.com*, True -*.ellenscohen.net*, True -*.ellensjoberg.com*, True -*.ellert.co*, True -*.elliegray.co.nz*, True -*.elliemayo.com*, True -*.elliescpt.co.za*, True -*.ellinor.org*, True -*.ellinorsite.com*, True -*.ellinux.com.ar*, True -*.elliotshoe.com*, True -*.elliottandmelissa.com*, True -*.elliott.ca*, True -*.elliottfamilyhistory.com*, True -*.ellipsistechnology.com*, True -*.ellisandurry.com*, True -*.ellisarea.com*, True -*.ellisfarms.org*, True -*.ellison.ws*, True -*.ellmore.com*, True -*.ellnet.me*, True -*.ellweins.net*, True -*.elmaestropentagrama.com.ar*, True -*.elmaipo.com.ar*, True -*.elmarketweb.com.ar*, True -*.elmarquesado.com.ar*, True -*.elmarsupio.cl*, True -*.elmartillojudicial.com.ar*, True -*.elmbys.se*, True -*.elmemesser.ru*, True -*.elmer.pw*, True -*.elmeryes.tk*, True -*.elmevaenget6.dk*, True -*.elmicha.com.ar*, True -*.elmilligano.co.uk*, True -*.elmir.com*, True -*.el-mo.biz*, True -*.elmorsa.com.ar*, True -*.el-mottaheda.net*, True -*.elm-playground.org*, True -*.elmstedt.net*, True -*.elmundodelaaviacion.com.ar*, True -*.elmwoodcider.ca*, True -*.elmwoodcider.com*, True -*.elmwoodhardcider.ca*, True -*.elmwoodhardcider.com*, True -*.elnafaq.tk*, True -*.elnayal-technology.com*, True -*.elnietoideal.com.ar*, True -*.elninomaravilla.cf*, True -*.elnono.ca*, True -*.elnuevocolima.com*, True -*.elnuevosaber.com*, True -*.elobservadortdf.com.ar*, True -*.e-lockstore.com*, True -*.elogistic.web.id*, True -*.elojoesceptico.com.ar*, True -*.elok.gr*, True -*.elolabs.com*, True -*.elonatural.net.br*, True -*.eloro.mx*, True -*.eloy.al*, True -*.elpacto.cl*, True -*.elpagano.com.ar*, True -*.elperfume.cl*, True -*.elpimpollo.com.ar*, True -*.el-platform.org*, True -*.elportalmujer.com.ar*, True -*.elportico.com.ar*, True -*.elprincipe.com*, True -*.elproyectista.cl*, True -*.elpuntodeencuentro.com.ar*, True -*.el-rat.tk*, True -*.elrecolector.cl*, True -*.elrecreo.com.mx*, True -*.elretardoland.com*, True -*.elrincondeabril.com*, True -*.elro.club*, True -*.elrod.ws*, True -*.elros-vip.ru*, True -*.elroysullivanphd.com*, True -*.elsabeatriz.com*, True -*.elsaltodelaprincesa.cl*, True -*.elsalvadordelhogar.com.ar*, True -*.elsamessina.it*, True -*.elsamilano.it*, True -*.elsasiena.it*, True -*.elsaucequillon.cl*, True -*.elsewhere.in*, True -*.elsol-instalacje.pl*, True -*.el-sombra.com.ar*, True -*.elsombra.com.ar*, True -*.elsom.net.au*, True -*.elspirit.com.ar*, True -*.elstrom.ch*, True -*.elsubliman.com.ar*, True -*.eltallerdelaabuela.cl*, True -*.eltekat.gr*, True -*.elternforum-falletsche.ch*, True -*.elternforum-oberzil.ch*, True -*.elternrat-falletsche.ch*, True -*.elternverein-abgru.ch*, True -*.elticachile.cl*, True -*.eltica.cl*, True -*.eltiempo.si*, True -*.eltommi.tk*, True -*.eltommo.net*, True -*.eltransbt.ro*, True -*.eltratec.com*, True -*.eltratec.net*, True -*.eltrucodeldia.es*, True -*.e-luminus.com*, True -*.elusive-mind.com*, True -*.elvagoilustrador.cl*, True -*.elvalatif.tk*, True -*.elversiculodeldia.info*, True -*.elvesstudio.com*, True -*.elvillano.com.ar*, True -*.elvillano.net*, True -*.elvimmob.ch*, True -*.elvisalmeida.com.br*, True -*.elvisclan.com*, True -*.elyros.com*, True -*.elyseesonline.com*, True -*.elzattadauky.co.id*, True -*.elzecool.ch*, True -*.elziboys.tk*, True -*.elzindan99.tk*, True -*.elzw.com*, True -*.ema5.pl*, True -*.emad.com.ar*, True -*.emagnary.com*, True -*.emailebola.com*, True -*.emailing.to*, True -*.emailku.tv*, True -*.email-list-service.org*, True -*.emaillite.tk*, True -*.emailmaven.com*, True -*.emailmeat.co.uk*, True -*.e-m-a-i-l.org*, True -*.emailrail.com*, True -*.emails-matraxis.co.uk*, True -*.emailtemplates.ch*, True -*.emakc.ru*, True -*.e-mama.ro*, True -*.emama.ro*, True -*.emamhosseini.ir*, True -*.emankai.com*, True -*.emantek.com*, True -*.emanuelleundlucien.ch*, True -*.emanuelrugs.co.il*, True -*.emanuelsartor.com.ar*, True -*.emapel.com.br*, True -*.emarinar.ro*, True -*.emarket24.pl*, True -*.emarket.ml*, True -*.emasi-propiedades.com.ar*, True -*.emath.co.il*, True -*.emavn.com*, True -*.emaw.com.br*, True -*.embalajesllavallol.com.ar*, True -*.embalopack.com.br*, True -*.embaucha.com*, True -*.emba-vs.ch*, True -*.embedcontrols.com*, True -*.embedded-controls.com*, True -*.embeddedcontrolsinc.com*, True -*.embedded-controls.net*, True -*.embeddedcontrols.net*, True -*.embeddedcontrols.org*, True -*.embeddedonline.org*, True -*.embeddedsw.org*, True -*.embed.gq*, True -*.embedheadz.com*, True -*.emberstorm.eu*, True -*.embest.ru*, True -*.e-mbinfosys.com*, True -*.embiodea.com*, True -*.embnettech.com*, True -*.embnw.com*, True -*.embodied.ai*, True -*.embperuchina.com*, True -*.embresatechnologies.com*, True -*.embrunford.ca*, True -*.emby.tk*, True -*.emc1688.com*, True -*.emcgroups.biz*, True -*.emcgroups.net.my*, True -*.emcount.com*, True -*.emdisa.mx*, True -*.eme66.com*, True -*.eme77.com*, True -*.e-mecha.gr*, True -*.emedicalrecs.com*, True -*.emehermanos.com.ar*, True -*.emejing.net*, True -*.emelinegibbs.com*, True -*.emelya.pp.ru*, True -*.emem.ro*, True -*.emendatus.com*, True -*.emepamendoza.com*, True -*.emeraldbladesonline.com*, True -*.emerald.cf*, True -*.emeraldcoastrollerderby.com*, True -*.emerald.ml*, True -*.emergencyairlift.org*, True -*.emergency.kz*, True -*.emergencyshelternky.org*, True -*.emergingtravel.com*, True -*.emergingtravelinc.com*, True -*.emerix.ro*, True -*.emersonbehee.com*, True -*.emersonbrookforest.org*, True -*.emersongomes.com*, True -*.emerystore.com*, True -*.emesowum.com*, True -*.emetron.ru*, True -*.emf.com.ar*, True -*.emfconsulting.com.ar*, True -*.emfeszng.pl*, True -*.emi-ash.com*, True -*.emicdata.com*, True -*.emicdata.org*, True -*.emicorporation.ro*, True -*.emidengenharia.com.br*, True -*.emiebeto.com.br*, True -*.emigrante.com.ve*, True -*.emildavis.info*, True -*.emilecarrier.com*, True -*.emilianionascu.ro*, True -*.emilianopoblete.com.ar*, True -*.emiliano.ro*, True -*.emilianoschmid.com.ar*, True -*.emiliaostapowicz.pl*, True -*.emiliasavin.ro*, True -*.emilielam.ca*, True -*.emiliodecastbaleon.cl*, True -*.emilios.gr*, True -*.emiliostrailers.gr*, True -*.emilkaczmarek.net*, True -*.emillis.com*, True -*.emilsepaez.com.ar*, True -*.emilykerr.org*, True -*.emilyrimmer.com*, True -*.emimieshop.com*, True -*.eminence-it.co.za*, True -*.eminiclip.org*, True -*.emintech.ca*, True -*.emirates-eec.com*, True -*.emir-blogs.cf*, True -*.emirpasha.com*, True -*.emit.lv*, True -*.emk22.ru*, True -*.emk66.com*, True -*.emk77.com*, True -*.emk88.com*, True -*.emkarta.pl*, True -*.emldn.com*, True -*.emlprime.com*, True -*.emmablaw.com*, True -*.emmajamerson.com*, True -*.emmanhinguyen.com*, True -*.emmanuel-lauzon.com*, True -*.emmap.org*, True -*.emmapublishing.hk*, True -*.emmaustaiwan.org*, True -*.emmenau.ch*, True -*.emme.ro*, True -*.emmoholdings.com*, True -*.emmvpn.com*, True -*.emnet.ro*, True -*.emnp.eu*, True -*.emnt.ro*, True -*.emociones.com.ar*, True -*.emode.com.my*, True -*.emode.my*, True -*.emogul.ro*, True -*.emolog.org*, True -*.emondnet.com*, True -*.emoshow.com*, True -*.emotionar.com*, True -*.emotionjam.com*, True -*.e-move.cl*, True -*.emo-vere.ch*, True -*.empaderbal.tk*, True -*.empaforum.org*, True -*.empaqueydiseno.com.mx*, True -*.empcraft.com*, True -*.emperors-mail.co.za*, True -*.emphie.org*, True -*.empirecent.com*, True -*.empirecent.net*, True -*.empireco.in*, True -*.empiredesign.ro*, True -*.empire.ml*, True -*.empirenoodles.com*, True -*.empirepvp.net*, True -*.empiresoho.com*, True -*.empires-r.us*, True -*.empitri.mobi*, True -*.emplast.com.br*, True -*.empleoindependiente.com*, True -*.empleosonora.gob.mx*, True -*.employ-canadians.ca*, True -*.employeeresourcegroup.com*, True -*.employeevantage.com*, True -*.employers-canadian.ca*, True -*.emporiodelpaisano.cl*, True -*.emporiopatagonia.cl*, True -*.emporioum.com*, True -*.emposecurity.ro*, True -*.emprendamas.com*, True -*.emprendepais.com*, True -*.empresadeidolo.com.ar*, True -*.empresafacil.com.ar*, True -*.empresar-sys.com*, True -*.empresasdavis.cl*, True -*.empresasdavis.com*, True -*.empresasen.com*, True -*.empresasroig.es*, True -*.empresastaylor.cl*, True -*.empresastaylor.com*, True -*.empressballroom.us*, True -*.emprestimosconsignados.com.br*, True -*.empresystem.com.ar*, True -*.emprn.tk*, True -*.empsnb.com*, True -*.emptech.com.au*, True -*.emp-trains.com*, True -*.emptyfieldzendo.org*, True -*.empty.ga*, True -*.emptyjones.com*, True -*.emptyorchestraonline.com*, True -*.empulso.com*, True -*.empurany-fete-cerise.com*, True -*.emrex.net*, True -*.emrg.com.au*, True -*.emsbillmaster.com*, True -*.emseforest.com.ar*, True -*.emsolgroup.com*, True -*.emsracing.com.ar*, True -*.emssistemaslojavirtual.com.br*, True -*.emstune.com*, True -*.emstune.net*, True -*.emstune.org*, True -*.emt118surabaya.com*, True -*.e-mta.com*, True -*.emteem.si*, True -*.emt-paramedic.info*, True -*.emt-paramedic.org*, True -*.emu486.net*, True -*.emucater.com*, True -*.emutant.ru*, True -*.emycity.com*, True -*.emza.co.za*, True -*.emzar.co.za*, True -*.en12810-1.com*, True -*.en285.co*, True -*.enacconductores.cl*, True -*.enadji.me*, True -*.enajurov.com*, True -*.e-nameservers.com*, True -*.enaplus.eu*, True -*.enav.com.ar*, True -*.enblom.org*, True -*.enbrazos.com*, True -*.encalada.cl*, True -*.encaminafederation.tk*, True -*.encantadohumboldt.org.ve*, True -*.enchanta.net*, True -*.enchanted-arts.com*, True -*.enchantingphotography.org*, True -*.enchantress.ml*, True -*.encicle.com*, True -*.encipher.in*, True -*.encke.es*, True -*.enclose-my-pool.com*, True -*.encochinados.cl*, True -*.encontronapracinha.com.br*, True -*.encoregrouppr.com*, True -*.encoretraining.ca*, True -*.encore.tw*, True -*.encouragelife.com*, True -*.encrypted.cf*, True -*.encrypt.se*, True -*.encuentraentlaxcala.com*, True -*.encuentromascotas.com.ar*, True -*.encuentropirata.com.ar*, True -*.encuz.tk*, True -*.encuzt.tk*, True -*.encyclopedia69.com*, True -*.encyclopedia.tw*, True -*.endemusic.com*, True -*.endeonline.com*, True -*.endersai.tk*, True -*.endevourenergy.com.au*, True -*.endfamilyviolence.com.au*, True -*.endhie.net*, True -*.endian.co.id*, True -*.endlessaion.com*, True -*.endlessconference.com*, True -*.endlessmovie.com*, True -*.endofinfinity.com*, True -*.endofscott.com*, True -*.endogenic.ca*, True -*.endo-nutritie.ro*, True -*.endopretoria.co.za*, True -*.endorion.com*, True -*.endoseminar.com*, True -*.endrodp.tk*, True -*.endruta.com*, True -*.enduringguerila.com*, True -*.enduroextremo.com.ar*, True -*.eneascorrea.adv.br*, True -*.enec.cl*, True -*.enek.net*, True -*.enelec.com.ar*, True -*.enemyplanet.geek.nz*, True -*.enemyterritory.org*, True -*.e-neox.ro*, True -*.energain.se*, True -*.energa.se*, True -*.energeko.si*, True -*.energiaconsulting.com.au*, True -*.energiacritica.com.ar*, True -*.energiadelsur.com.ar*, True -*.energialiquida.info*, True -*.energiayjardines.cl*, True -*.energie-coiffure.ch*, True -*.energiedinnatura.ro*, True -*.energiewandler.ch*, True -*.energilon.com.br*, True -*.energistic.com.my*, True -*.energitatapersada.com*, True -*.energizer.nu*, True -*.energlobo.pt*, True -*.energoproduct.com*, True -*.energyac.com.br*, True -*.energyactionmag.com*, True -*.energyadvisors.cl*, True -*.energychangesinc.com*, True -*.energyharvesting.pl*, True -*.energymanpower.ir*, True -*.energyml.org*, True -*.energyresearchlabs.com*, True -*.energysemi.com*, True -*.energysemiconductor.com*, True -*.energysemiconductorcorp.com*, True -*.energysemicorp.com*, True -*.energystoragepartners.com*, True -*.energytalent.com.br*, True -*.energywarehousepartners.com*, True -*.energyworks123.com*, True -*.enerjerky.cl*, True -*.eneseifaszagyerekek.tk*, True -*.enfacorp.net*, True -*.enfecker.com*, True -*.enfermos.com.ar*, True -*.enfo.cf*, True -*.engageful.com.ar*, True -*.engavac.com*, True -*.engberg.co*, True -*.engefluy.com.br*, True -*.engels.lu*, True -*.engengraving.ca*, True -*.engenis.cl*, True -*.engensac.com*, True -*.engepack.com.br*, True -*.engepao.com.br*, True -*.enginearcba.com.ar*, True -*.enginear.com.ar*, True -*.engineeredstrategies.com*, True -*.engineerenterprises.com*, True -*.engineerindustries.com*, True -*.engineeringdatabasesolutions.com*, True -*.engineeringdatabasesolutions.co.uk*, True -*.engineeringsv.com*, True -*.enginesofentropy.com*, True -*.englific.me*, True -*.english89.co.uk*, True -*.english-as-you-need-it.com*, True -*.englishasyouneedit.com*, True -*.englishclubs.ch*, True -*.englishgate.com.ar*, True -*.english-icbcluj.ro*, True -*.englishkuran.com*, True -*.englishland.com.ar*, True -*.englishspeechandpronunciation.com*, True -*.englishspeechandpronunciation.co.uk*, True -*.engmark.name*, True -*.engraff.com.ar*, True -*.engrainedart.com*, True -*.engsafety.org*, True -*.enhancedit.com.au*, True -*.enia.net*, True -*.enigma3rd.co.za*, True -*.enigmacencert.pl*, True -*.enigma-dev.com*, True -*.enigma-dev.org*, True -*.enigmah.org*, True -*.enigma-motorsport.si*, True -*.eninvest.gr*, True -*.enjoy-101.com*, True -*.enjoyebook.com*, True -*.enjoy.gq*, True -*.enjoymob.com*, True -*.enjoywipeout.com*, True -*.enkem.us*, True -*.enket.info*, True -*.enko.net*, True -*.enkonto.ru*, True -*.enlace-gaming.tk*, True -*.enlacesaduaneros.com.mx*, True -*.enlacescaidos.com.ar*, True -*.enlaces-turisticos.com*, True -*.enlanota.com.ar*, True -*.enlasamericas.com.mx*, True -*.enlasamericas.mx*, True -*.enlentertainment.com*, True -*.enlighting.eu*, True -*.enlis.sk*, True -*.enluminari.com*, True -*.enmar.cl*, True -*.enmotoneta.com.ar*, True -*.enoesis.com*, True -*.enoportal.pt*, True -*.enorman.co.za*, True -*.enormousopinion.com*, True -*.enoscellars.com*, True -*.enosvineyards.com*, True -*.enotario.cl*, True -*.e-nous.com.ar*, True -*.enovatics.es*, True -*.e-novativ.ch*, True -*.enovativ.ch*, True -*.e-novative.ch*, True -*.enovative.ch*, True -*.enps.ch*, True -*.enquiry.hk*, True -*.enraged-bl.tk*, True -*.enrejasalta.com.ar*, True -*.enricoemarco.com.br*, True -*.enricribas.com*, True -*.enrious.info*, True -*.enriquegarciadelrio.com*, True -*.enriquegomez.org*, True -*.enriquemonsalve.cl*, True -*.ensamble.cc*, True -*.ensamgud.se*, True -*.ensat.com.ar*, True -*.enscasem.org*, True -*.ensel.com.ar*, True -*.ensembliere.ch*, True -*.ensklo.com*, True -*.enslavedbox.org*, True -*.enso.pt*, True -*.enssaocarlos.com.br*, True -*.enss.co.uk*, True -*.enss.uk*, True -*.enta.cl*, True -*.entanglement.co.za*, True -*.entaryport.info*, True -*.entelecta.com*, True -*.entelecta.co.za*, True -*.entelecta.org*, True -*.enterdown.com*, True -*.entergestion.com.ar*, True -*.entergod.com*, True -*.enteringenieria.com.ar*, True -*.entermypicks.com*, True -*.enterpriseinformationintegration.com*, True -*.enterpriseopensolutions.com*, True -*.enterprisereportingcentral.com*, True -*.enterprisereportingportal.com*, True -*.enterprisescorecardplatform.com*, True -*.entersection.com*, True -*.entersection.org*, True -*.entertainment-center.tk*, True -*.enterwebdesign.net*, True -*.entin.co.il*, True -*.entinfotech.com*, True -*.entinfotech.in*, True -*.entirelyorange.com*, True -*.entiris.com.ar*, True -*.entopiotis.gr*, True -*.entorno-empresarial.com.mx*, True -*.entornourgente.com.br*, True -*.entraction.com.au*, True -*.entraigas.com.ar*, True -*.entreapp.com*, True -*.entreconsultas.com*, True -*.entreconsultas.com.ar*, True -*.entregandosonrisas.cl*, True -*.entrepreneur.hk*, True -*.entreprenorsjakten.se*, True -*.entrepursuer.com*, True -*.entrerutas.com.ar*, True -*.entresabores.com.ar*, True -*.entripoin.com*, True -*.entroncamento.org*, True -*.entropicquanta.com*, True -*.entropy.com.ar*, True -*.entropy.net.nz*, True -*.entrust1.net*, True -*.entrustgroup.com*, True -*.ent-unlimited.com*, True -*.entunube.com.ve*, True -*.entuziazm.info*, True -*.entwicklung-schweiz.ch*, True -*.enuid.com*, True -*.enu.li*, True -*.enuvation.com*, True -*.envasesipt.cl*, True -*.envdiputadossantafe.gob.ar*, True -*.envelope-sender.com*, True -*.enviable.uk*, True -*.enviachile.cl*, True -*.enviacv.cl*, True -*.envidata.cl*, True -*.envinet.co.za*, True -*.enviosporlaweb.com.ar*, True -*.enviosxweb.com.ar*, True -*.enviral.co*, True -*.enviro-control.com.ar*, True -*.enviro-group.com.au*, True -*.environeerindonesia.com*, True -*.environmentalmaterials.net*, True -*.envirotree.ca*, True -*.enviro-web.com*, True -*.enviroworksmt.com*, True -*.envitreat.biz*, True -*.envitreat.info*, True -*.envitreat.net*, True -*.envitreat.us*, True -*.envizasoft.com*, True -*.envolta.com.br*, True -*.envoycorps.info*, True -*.envytations.com*, True -*.envytations.co.uk*, True -*.envytations.net*, True -*.enwyn.net*, True -*.enyong.tk*, True -*.enzian-china.ch*, True -*.enzkin.org*, True -*.enzocloud.com*, True -*.enzoftheearth.com*, True -*.e-oc.com.au*, True -*.eoci.or.id*, True -*.e-octopus.hk*, True -*.eoctopus.hk*, True -*.e-octopus.info*, True -*.eoctopus.info*, True -*.eof.cl*, True -*.eol.be*, True -*.eolibrary.com*, True -*.eolicatalinay.cl*, True -*.eolos.org*, True -*.eong.co.uk*, True -*.eongshells.com*, True -*.eonosis.com*, True -*.eopa.org.uk*, True -*.eorar.ro*, True -*.eorsauto.ro*, True -*.eoschool.com.mx*, True -*.eos.com.mx*, True -*.eosmania.sk*, True -*.eoss.co.nz*, True -*.eos.si*, True -*.eoyaku.com*, True -*.ep56.dk*, True -*.epa2poin.to*, True -*.epaka.eu*, True -*.epandit.org*, True -*.epanella.com.ar*, True -*.e-parcel.co.za*, True -*.eparcel.co.za*, True -*.eparhiachita.ru*, True -*.eparus.com*, True -*.eparus.ru*, True -*.epb.ro*, True -*.epbsoft.com*, True -*.epd3project.com*, True -*.epdata.com.tr*, True -*.epdata.net*, True -*.epedidos.com*, True -*.epedidos.es*, True -*.epeople.ch*, True -*.epeppe.com*, True -*.eperniagaan.com*, True -*.ephemeral.cf*, True -*.ephemeralpreserve.com*, True -*.ephere.com*, True -*.epiccampaign.ca*, True -*.epiccondo.co*, True -*.epicdeadpool.org*, True -*.epicfactory.com*, True -*.epicfactory.net*, True -*.epicgamer.org*, True -*.epicindia.com*, True -*.epic-it.lv*, True -*.epicmilk.com*, True -*.epicnets.ca*, True -*.epicorexpert.com*, True -*.epicquail.co.uk*, True -*.epictura.ro*, True -*.epicturi.ro*, True -*.epind.tk*, True -*.epiney-j-y.ch*, True -*.epi.org.za*, True -*.epipayday.com*, True -*.epipen.com.br*, True -*.epirusnet.gr*, True -*.episodes-online.info*, True -*.epis.tk*, True -*.epit.lv*, True -*.epitomepro.com*, True -*.epl889.com*, True -*.e-placaonline.com.br*, True -*.e-placaweb.com.br*, True -*.eplagiat.ro*, True -*.e-planethome.com*, True -*.eplatedcams.com*, True -*.eple.com.ar*, True -*.eploy.ml*, True -*.eplus.hk*, True -*.epm-websolution.pt*, True -*.epolet5.ru*, True -*.e-pool.net*, True -*.epopulara.ro*, True -*.epopular.ro*, True -*.epoquebrasserie.com.au*, True -*.epoquecammeray.com.au*, True -*.eposbus.co.za*, True -*.epoxy-floorcoating.info*, True -*.eppbphoto.com*, True -*.eppiquiz.com*, True -*.epp.to*, True -*.epregatire.ro*, True -*.epreis.ch*, True -*.epreneur.hk*, True -*.eprf.org.uk*, True -*.e-profoto.com*, True -*.eproiectant.ro*, True -*.e-projects.ro*, True -*.eproscada.com*, True -*.eprst.info*, True -*.epsilon.cf*, True -*.epsilon-equilibrium.com*, True -*.epsilontravel.com.ar*, True -*.eptrombone.com*, True -*.e-publica.pt*, True -*.epu.co.id*, True -*.e-putonghua.com*, True -*.e-putonghua.net*, True -*.epworthleather.com*, True -*.eq3.ru*, True -*.e-qc.pl*, True -*.eqgis.com*, True -*.eqlsquare.com*, True -*.eqoarevival.com*, True -*.eqp-host.uk*, True -*.eqtsa.tv*, True -*.equalgrid.com*, True -*.e-quality.pl*, True -*.equantification.com*, True -*.equata.com.au*, True -*.equestrin.com*, True -*.equilibria.com.ar*, True -*.equilibriobenesserenaturale.it*, True -*.equilibriumsas.com.au*, True -*.equinebodytherapy.co.uk*, True -*.equinems.com*, True -*.equipamientoguzman.com.ar*, True -*.equiparhotel.com*, True -*.equiparhotel.com.ar*, True -*.equipeboracorrer.com.br*, True -*.equipeboxethaitijuca.com.br*, True -*.equiphire.com.au*, True -*.equiphotel.com.ar*, True -*.equipokailea.cl*, True -*.equiponinja.com*, True -*.equiscentrico.com.ar*, True -*.equisconsultores.cl*, True -*.equiservi.com.br*, True -*.equivets.com.ar*, True -*.e-qure.com*, True -*.equusdesigns.net*, True -*.eqweb.hk*, True -*.eradio.ee*, True -*.eral.si*, True -*.erama.tv*, True -*.e-rang.si*, True -*.erang.si*, True -*.eranik.com*, True -*.eranik.ir*, True -*.e-raporty.pl*, True -*.erarosesolutions.com*, True -*.eraserhead.net*, True -*.erasmomorales.com*, True -*.erastro.org*, True -*.eraumavezprincesas.com.br*, True -*.ercanerol.com.tr*, True -*.ercsquad.net*, True -*.erctek.com*, True -*.erdavet.ro*, True -*.erdelyimagyarneppart.eu*, True -*.erdelyimagyarneppart.ro*, True -*.erdelyitarskereso.hu*, True -*.erdem.name.tr*, True -*.erdkonf.tk*, True -*.erdos.com.ar*, True -*.ere-bion.com.ar*, True -*.erebo.es*, True -*.ereb.us*, True -*.erebustechnologies.net*, True -*.erecreatie.ro*, True -*.erectyledysfunction.net*, True -*.eredb.de*, True -*.eredb.net*, True -*.eredb.org*, True -*.eremes.de*, True -*.eremina.net*, True -*.eremite.co.uk*, True -*.eremite.net*, True -*.eremite.org.uk*, True -*.erena.pt*, True -*.e-reteteculinare.ro*, True -*.e-rezervare.com*, True -*.erfahrungsmedizin-aigner.ch*, True -*.erfinfeluzy.com*, True -*.ergbiz.com*, True -*.ergi.ca*, True -*.erginyildirim.com*, True -*.ergio.com.ar*, True -*.ergoable.com*, True -*.ergoak.com*, True -*.ergodev.com*, True -*.ergohouse.com.au*, True -*.ergomuebles.com*, True -*.ergopouch.co.uk*, True -*.erguvantanitim.com*, True -*.erh88.com*, True -*.erh99.com*, True -*.erha.co.id*, True -*.erhainspiration.com*, True -*.erhanakis.com*, True -*.erhansermet.com*, True -*.erhansunar.name.tr*, True -*.erhard.cf*, True -*.eria-resort.gr*, True -*.ericabbyandalex.com*, True -*.ericagan.net*, True -*.ericamoraes.com.br*, True -*.ericblack.ca*, True -*.ericblack.com*, True -*.ericbozman.com*, True -*.ericbregan.com*, True -*.ericchang.com*, True -*.ericcheng.hk*, True -*.ericfox.hk*, True -*.ericgilkey.com*, True -*.eric-hicks.com*, True -*.ericjenkins.net*, True -*.ericjgagnon.com*, True -*.ericklose.com*, True -*.erickssmith.com*, True -*.eric-lau.com*, True -*.ericlebaron.com*, True -*.ericleonel.com*, True -*.ericliao.com.au*, True -*.ericmax.com*, True -*.ericmchristman.com*, True -*.ericnlaurel.net*, True -*.ericpeppe.com*, True -*.ericrobinson.net*, True -*.ericsender.com*, True -*.ericslezak.com*, True -*.eric.systems*, True -*.erictham.tk*, True -*.erictsang.com*, True -*.ericus.net*, True -*.eries.us*, True -*.erikal.es*, True -*.erikandcaitlin.com*, True -*.erikaochsner.ch*, True -*.erika-smith.com*, True -*.erikasmith.net*, True -*.erik-ellis.com*, True -*.erikhanson.co*, True -*.erikjohnson.ca*, True -*.erikkallberg.com*, True -*.erikkallberg.se*, True -*.erikmartinez.com.mx*, True -*.erikmartinez.mx*, True -*.erikwierschke.com*, True -*.erinome.us*, True -*.erinrupe.com*, True -*.eris-elliot.com*, True -*.erisma.net*, True -*.eristocrat.net*, True -*.erkan.nom.tr*, True -*.erke.biz.tr*, True -*.erkideb.cf*, True -*.erki.net*, True -*.erksis.com.tr*, True -*.erlipool.ch*, True -*.erl-sa.ru*, True -*.erluji.net*, True -*.ermispress.gr*, True -*.ermonetics.com*, True -*.erna1.cf*, True -*.er.name.tr*, True -*.ernanaguilera.cl*, True -*.ernational.cf*, True -*.ernestoandernesto.net*, True -*.ernestoarroyo.com*, True -*.ernestogore.com.ar*, True -*.ernet.com.ar*, True -*.ernet.info*, True -*.erniebornheimer.com*, True -*.ernstchristen.ch*, True -*.erochephoto.com*, True -*.erocom.com.ar*, True -*.erocsinad.ro*, True -*.erofood.ro*, True -*.erogum.de*, True -*.eroig.es*, True -*.erokos.ru*, True -*.ero-mail.ru*, True -*.eroman.com.ar*, True -*.erosblog.ro*, True -*.erosense.info*, True -*.eroticvibe.ro*, True -*.erotikload.at*, True -*.erotikplatz.at*, True -*.eroy.ca*, True -*.erpa.at*, True -*.erpc.com.ar*, True -*.erp-fenix.pt*, True -*.erpf.me*, True -*.erp-software.in*, True -*.erpstartup.com*, True -*.errepe.cl*, True -*.errorchecking.com*, True -*.errorcode67.com*, True -*.errorspace.org*, True -*.errorx3f.eu*, True -*.errtech.com*, True -*.ershkus.ru*, True -*.erste-hilfe.ch*, True -*.erstehilfe.ch*, True -*.ers.web.id*, True -*.ert26.com*, True -*.ert36.com*, True -*.ert53.com*, True -*.ert88.com*, True -*.ert99.com*, True -*.ertha.org*, True -*.ertiga.club*, True -*.ertiga.org*, True -*.ertl.com.ar*, True -*.ertmc.ro*, True -*.erudyte.net*, True -*.eruru.tw*, True -*.ervan.biz*, True -*.ervateiracatanduvas.com.br*, True -*.erwan.ninja*, True -*.erwinsajudi.com*, True -*.erwins.asia*, True -*.eryapi.com*, True -*.eryapi.com.tr*, True -*.eryceenterprises.com*, True -*.erzin.name*, True -*.es5.my*, True -*.esa79.com*, True -*.esaaustralia.org.au*, True -*.esafun.com*, True -*.esalatarasfz.ir*, True -*.esalatboghrat.ir*, True -*.esal.cl*, True -*.esanatate-arges.ro*, True -*.esanatate-buzau.ro*, True -*.esanatate-calarasi.ro*, True -*.esandsoft.com*, True -*.esargostoli.gr*, True -*.esas.pt*, True -*.esaz.ro*, True -*.esbohome.net*, True -*.escado.bz*, True -*.escaladaargentina.com.ar*, True -*.escapadeonline.com*, True -*.escapecore.cf*, True -*.escapereligion.com*, True -*.escaprat.cl*, True -*.escenograf.com.ar*, True -*.escentialmassage.com*, True -*.escfks.com*, True -*.eschauzier.org*, True -*.eschwey.net*, True -*.escline.co.il*, True -*.escm.ca*, True -*.escogidos.cl*, True -*.escoladecurimba.ga*, True -*.escoladecurimba.ml*, True -*.escoladecurimba.tk*, True -*.escoladeoga.cf*, True -*.escoladeoga.ga*, True -*.escoladeoga.ml*, True -*.escoladeogan.cf*, True -*.escoladeogan.ga*, True -*.escoladeogan.ml*, True -*.escoladeogans.cf*, True -*.escoladeogans.ga*, True -*.escoladeogans.ml*, True -*.escoladeogans.tk*, True -*.escoladeogan.tk*, True -*.escoladeogas.cf*, True -*.escoladeogas.ga*, True -*.escoladeogas.ml*, True -*.escoladeogas.tk*, True -*.escoladeoga.tk*, True -*.escoladovinho.com.br*, True -*.escolamanjon.com*, True -*.escolatwister.com*, True -*.escolhanatural.com.br*, True -*.escomer.com*, True -*.escondel.tk*, True -*.escortbg.com*, True -*.escortbg.net*, True -*.escortistanbulda.net*, True -*.escort-personals.com*, True -*.escortsforthedisable.com*, True -*.escortsforthedisabled.com*, True -*.escortsforthedisabled.mobi*, True -*.escortsonline.nl*, True -*.escortsparalosdescapacitodos.net*, True -*.escredevel.com.br*, True -*.escribaniacaputo.com.ar*, True -*.escribaniakirzner.com.ar*, True -*.escribanialonghi.com.ar*, True -*.escribaniamihura.com.ar*, True -*.escribaniarusso.com.ar*, True -*.escribaniayoung.com.ar*, True -*.escribanodigital.com.ar*, True -*.escriblog.com*, True -*.escuelaclic.com.ar*, True -*.escueladeamor.com.ar*, True -*.escueladefutbolhugobello.cl*, True -*.escueladeletras.com*, True -*.escuelademusicademercedesnorte.com*, True -*.escueladeyoga.cl*, True -*.escuelahurlingham.com.ar*, True -*.escuela-inclusiva.com.ar*, True -*.escuelainfantil-lacasaazul.com*, True -*.escuelamarcial.com.ar*, True -*.escuelamimundo.cl*, True -*.escuelaradimadi.cl*, True -*.escuelavirtualmunistgo.cl*, True -*.escuelavoces.cl*, True -*.esdan.nl*, True -*.esdelivery.us*, True -*.esd.lt*, True -*.esdota.com*, True -*.esdrmv.com*, True -*.esecretariat.ro*, True -*.eseevision.com.au*, True -*.esejur.ro*, True -*.esencell.com*, True -*.esencialis.cl*, True -*.esensebeauty.com*, True -*.esensebiolab.com*, True -*.esentis.ch*, True -*.eservice-motomel.com.ar*, True -*.e-service.pl*, True -*.esetdns.ir*, True -*.esetec.cl*, True -*.esfafe.pt*, True -*.esferasolidaria.pt*, True -*.esfgaming.com*, True -*.esforex.com*, True -*.esheldesign.co.il*, True -*.e-shell.com.ar*, True -*.eshep.net*, True -*.e-shop.md*, True -*.eshop.md*, True -*.esiawin.co*, True -*.esiclinic.com*, True -*.esiconta.com*, True -*.esignalpm.com*, True -*.esija.com*, True -*.esip.es*, True -*.esi-server.com*, True -*.esk67.com*, True -*.esk78.com*, True -*.esk87.com*, True -*.eskaton.ch*, True -*.eskayazilim.com.tr*, True -*.eskeema.com.br*, True -*.eskimichater.cf*, True -*.eskimichater.ga*, True -*.eskimichater.gq*, True -*.eskimo-wallet.co.uk*, True -*.esko.hk*, True -*.eskort-plus.ru*, True -*.eslilinkitakita.com*, True -*.eslovenia.si*, True -*.e-sluts.net*, True -*.esmadja.com*, True -*.esmaltesdeunha.com.br*, True -*.esmaltesonline.com.br*, True -*.esmeralda-institut.ch*, True -*.esmgroup.com.au*, True -*.esmikhani.ir*, True -*.esmiranda.com.ar*, True -*.esmp.mx*, True -*.esnet.lv*, True -*.esohilly.net*, True -*.esolare.ro*, True -*.esommelier.ru*, True -*.eson.cl*, True -*.esoquees.com*, True -*.esoquees.net*, True -*.esoteric-bardahl.ru*, True -*.esotericbardahl.ru*, True -*.esotero.org*, True -*.esotero.pw*, True -*.esoussa.com*, True -*.esoweno-home.com*, True -*.espaautomatic.ro*, True -*.espacecoiffureesthetique.ch*, True -*.espacecoiffure-solene.ch*, True -*.espacecreatif.ch*, True -*.espace-fontenette.ch*, True -*.espacioalpec.com.ar*, True -*.espaciobebe.com.ar*, True -*.espaciocristalsa.com.ar*, True -*.espaciosactuales.com.ar*, True -*.espaciospuebla.com*, True -*.espaciospuebla.com.mx*, True -*.espaciospuebla.mx*, True -*.espaciospuebla.org*, True -*.espaciossociales.es*, True -*.espacoextra.pt*, True -*.espacopinheiro.pt*, True -*.espacovirtuosa.com.br*, True -*.espaldrivers.com.ar*, True -*.espallargas.com*, True -*.espana.si*, True -*.e-spare.com.au*, True -*.especiesforestales.com*, True -*.especificoquiropraxia.com.br*, True -*.espectroautista.com.ve*, True -*.espega.com*, True -*.espeller.com*, True -*.esperanto.eu.org*, True -*.esperanzaeagles.com*, True -*.esperasatya.com*, True -*.espertise.com.ar*, True -*.esphaag.com*, True -*.espinosa.cl*, True -*.espinospizza.com*, True -*.espinozaf.cl*, True -*.espirale.cl*, True -*.espitronica.pt*, True -*.espongiformas.com*, True -*.espoonnuorisoasunnot.fi*, True -*.esport-serbia.net*, True -*.esposito.com.ar*, True -*.espo.tk*, True -*.espresso.ch*, True -*.espressowood.com*, True -*.esprit.net*, True -*.espro-sa.com.ar*, True -*.espyserv.com*, True -*.esquadraotricolor.com.br*, True -*.e-squaredmedia.com*, True -*.esquared.tk*, True -*.esquelario.tk*, True -*.esquel.com.ar*, True -*.esquinablanca.cl*, True -*.esquitx.net*, True -*.e-srvpl.pl*, True -*.essec-foundation.com*, True -*.essec-foundation.net*, True -*.essec-foundation.org*, True -*.essencedupapier.com*, True -*.essentiadigital.com*, True -*.essentialbutterfly.com*, True -*.essentialife.co.za*, True -*.essentialoilslibrary.com*, True -*.essentie.com.ve*, True -*.essep.com.pe*, True -*.esserene.com*, True -*.esserral.net*, True -*.essexgoth.co.uk*, True -*.essexnetworking.co.uk*, True -*.essexregional.org*, True -*.ess-host.co.uk*, True -*.essmnavy.com*, True -*.essolutions.ro*, True -*.esssing.tk*, True -*.esswift.com*, True -*.est44.com*, True -*.est55.com*, True -*.estabil.com.br*, True -*.estacadoslair.com*, True -*.estacaoecomed.com.br*, True -*.estaciondelnorte.com.ar*, True -*.estadiosanantonio.cl*, True -*.estama.fi*, True -*.estanciadelavilla.com.ar*, True -*.estancia-margarita.com.ar*, True -*.estando.com.ar*, True -*.estanker.com.ar*, True -*.estarli.com.ar*, True -*.estatetheofanus.gr*, True -*.estcomp.ro*, True -*.estebanraffo.com.ar*, True -*.estecma.com.ar*, True -*.estellelemire.com*, True -*.estell.es*, True -*.estenio.com.mx*, True -*.estepa.com.ar*, True -*.estepopulara.ro*, True -*.estepopular.ro*, True -*.estereolimena.com*, True -*.estereotempo.fm*, True -*.esterinova.com.mx*, True -*.estetfashionweek.ru*, True -*.esteticaduende.cat*, True -*.esteticafemina.com*, True -*.esteticaleilui.ch*, True -*.estetica.se*, True -*.esteticaybellezagloria.com*, True -*.esteticu.org*, True -*.esteve.cc*, True -*.estevez.ec*, True -*.estheria-shop.com*, True -*.esthost.net*, True -*.estiloleblon.com.br*, True -*.estire.lv*, True -*.estmon.ru*, True -*.estojodebeleza.com.br*, True -*.estoppey-chauffage.ch*, True -*.estoque10.com.br*, True -*.e-stovall.org*, True -*.estoymirando.com.ar*, True -*.estradaclan.com*, True -*.e-strada.ro*, True -*.estradatech.com*, True -*.estranses.gr*, True -*.estrategya.net*, True -*.estrateplan.com*, True -*.estreich.id.au*, True -*.estrellarojaweb.com.ar*, True -*.estrellinhas.com*, True -*.estructural.cl*, True -*.estudarcomputacao.com*, True -*.estudarnabelgica.com.br*, True -*.estudiante10.com*, True -*.estudiante10.com.ar*, True -*.estudio05.com.br*, True -*.estudio0db.com.br*, True -*.estudio656.com.ar*, True -*.estudioagm.cl*, True -*.estudioagnetti.com.ar*, True -*.estudioamodeo.com.ar*, True -*.estudioaps.com.ar*, True -*.estudioargul.com.ar*, True -*.estudioarqcontreras.com.ar*, True -*.estudioarrascaeta.com.ar*, True -*.estudioartese.com.ar*, True -*.estudioatoledo.com.ar*, True -*.estudiobartel.com.ar*, True -*.estudiobrunispota.com.ar*, True -*.estudio-buratti.com*, True -*.estudioburatti.com*, True -*.estudioburatti.com.ar*, True -*.estudiocaipe.com.ar*, True -*.estudiocarrero.com.ar*, True -*.estudiochaia.com.ar*, True -*.estudiocontablecg.com.ar*, True -*.estudiocontablevl.com.ar*, True -*.estudiocorallini.com*, True -*.estudiocps.com.ar*, True -*.estudiocukier.com*, True -*.estudiocunquero.com.ar*, True -*.estudiocz.com.ar*, True -*.estudiodalessio.com.ar*, True -*.estudiodattoliyasoc.com.ar*, True -*.estudiodborkin.com.ar*, True -*.estudiodebiaggi.com.ar*, True -*.estudiodegaetano.com.ar*, True -*.estudiodelrivero.com.ar*, True -*.estudioderiesgo.cl*, True -*.estudiodyr.com.ar*, True -*.estudioegan.com.ar*, True -*.estudioeoc.com.ar*, True -*.estudiofaraoni.com*, True -*.estudiofentanes.com.ar*, True -*.estudioflorio.com.ar*, True -*.estudiofriassj.com.ar*, True -*.estudiogajst.com.ar*, True -*.estudiogql.com.ar*, True -*.estudio-grosso.com.ar*, True -*.estudioguemes.com.ar*, True -*.estudiohum.cl*, True -*.estudioinaa.com.ar*, True -*.estudioindij.com.ar*, True -*.estudiojuridicomdp.com.ar*, True -*.estudiokoffman.com.ar*, True -*.estudioladigan.com.ar*, True -*.estudiolazen.com.ar*, True -*.estudiolodiaz.com.ar*, True -*.estudiomacchiavelli.com.ar*, True -*.estudiomach.com.ar*, True -*.estudiomanganiello.com.ar*, True -*.estudiomarbal.com.ar*, True -*.estudiomaro.com.ar*, True -*.estudio-marques.com.ar*, True -*.estudiomarquez.com.ar*, True -*.estudiomelet.com.ar*, True -*.estudiomenoyo.com*, True -*.estudiomorra.com.ar*, True -*.estudiomuler.com.ar*, True -*.estudiopasquali.com.ar*, True -*.estudiopazosivaldi.com.ar*, True -*.estudiopereda.com.ar*, True -*.estudiopiwke.cl*, True -*.estudioreta.com.ar*, True -*.estudiormg.com.ar*, True -*.estudiorodriguezmdp.com.ar*, True -*.estudioroque.com.ar*, True -*.estudio-rozzi.com.ar*, True -*.estudiosanchi.com.ar*, True -*.estudioscab.com.ar*, True -*.estudioscivetti.com.ar*, True -*.estudioserenozapala.com.ar*, True -*.estudiosintegrales.com.ar*, True -*.estudiosit.com.ar*, True -*.estudiosweb.com*, True -*.estudioszedlak.com.ar*, True -*.estudiotarzia.com.ar*, True -*.estudiotgma.com.ar*, True -*.estudiotramas.com.ar*, True -*.estudiourtubey.com.ar*, True -*.estudiovalenti.com.ar*, True -*.estudiozaleski.com.ar*, True -*.estudiozamboni.net*, True -*.estyle.ch*, True -*.esuceava.ro*, True -*.e-surveillance.com.au*, True -*.esviernes.com.ar*, True -*.esv.ro*, True -*.eswood.net*, True -*.esyon.ch*, True -*.esystem.my*, True -*.et00.com*, True -*.et0n.net*, True -*.et-158.com*, True -*.etafusion.com*, True -*.etaireia.gr*, True -*.etalonario.com*, True -*.etaxichile.cl*, True -*.etcen.ru*, True -*.e-t-c-h.de*, True -*.etch.one.pl*, True -*.etcwarehouse.com*, True -*.ete-afrique.ro*, True -*.e-techlogic.com*, True -*.e-techlogix.com*, True -*.etechnw.com*, True -*.eteen.ro*, True -*.eteens.ro*, True -*.etekpr.com*, True -*.eternaldarkness.org*, True -*.eternalfund.hk*, True -*.eternalgrowthpartners.com*, True -*.eternalgrowthpartners.com.au*, True -*.eternalimpressions.com*, True -*.e-ternals.com*, True -*.eternal-vale.com*, True -*.eternalvisions.com*, True -*.eternicode.com*, True -*.eternicode.net*, True -*.eternicode.org*, True -*.etestare.ro*, True -*.etgr.ru*, True -*.eth2.de*, True -*.eth3.de*, True -*.ethanbarron.com*, True -*.ethanbernard.com*, True -*.ethanmccourt.com*, True -*.ethanology.net*, True -*.ethanpease.com*, True -*.ethanschuster.com*, True -*.ethanscraft.com*, True -*.ethelwarbinek.com*, True -*.ethelwine.com*, True -*.ether3al.com*, True -*.etherlands.ru*, True -*.etherlink.net*, True -*.etheus.net*, True -*.ethic.al*, True -*.ethicalcurrency.hk*, True -*.ethiopianccc.org*, True -*.ethnicart.tk*, True -*.ethnique.net*, True -*.ethnobotanical.ca*, True -*.ethon.ch*, True -*.ethoscg.net*, True -*.ethouse.me*, True -*.ethuggery.com*, True -*.etibor.pt*, True -*.eticaysalud.com.ar*, True -*.etiennedoucet.com*, True -*.etikace.cf*, True -*.etimeweb.com*, True -*.etiopathie-tabakhoff.ch*, True -*.etitrans.com*, True -*.etk-internet.ru*, True -*.etk-resurs.ru*, True -*.e-tkt.ch*, True -*.etkt.ch*, True -*.etldba.com*, True -*.etlhelpdesk.com*, True -*.etlsupport.com*, True -*.etmassociatesllc.com*, True -*.etmodels.com*, True -*.etnacoffee.co*, True -*.etnacoffee.eu*, True -*.et-navigator.com*, True -*.etnies.pw*, True -*.etogems.cf*, True -*.etour.com.tw*, True -*.e-trade.ch*, True -*.e-trades.ch*, True -*.etradeworld.net*, True -*.etranslator.eu*, True -*.etranspatagonico.com*, True -*.etrg.rs*, True -*.e-troli.ro*, True -*.etronic.tk*, True -*.e-truhla.cz*, True -*.etruhla.cz*, True -*.e-trzebnica.com*, True -*.e-trzebnica.info*, True -*.e-trzebnica.net*, True -*.etsang.com*, True -*.ets-me.com*, True -*.etspowered.com*, True -*.ett62.com*, True -*.ett72.com*, True -*.ett85.com*, True -*.ett89.com*, True -*.ett94.com*, True -*.ettrad.co.uk*, True -*.etvshow.com*, True -*.e-tyche.com*, True -*.euadvice.eu*, True -*.euanm.eu*, True -*.euasazic.ro*, True -*.eu-beitritt.at*, True -*.eubonia.com*, True -*.eubusiness.at*, True -*.euchat.net*, True -*.eudemone.com*, True -*.eudemone.net*, True -*.eudokimos.gr*, True -*.euean.tk*, True -*.euevocefotografia.com.br*, True -*.euforbia.ro*, True -*.eugegayoso.com.ar*, True -*.eugeniomanocchio.com.br*, True -*.eugeniomanochio.com.br*, True -*.eugeniu.com*, True -*.eugenocide.org*, True -*.eugeny.org*, True -*.eugn.me*, True -*.euhallco.com*, True -*.euhallco.eu*, True -*.euhosting.us*, True -*.eujern.com*, True -*.euknetworks.com*, True -*.eulove.net*, True -*.eumx.eu*, True -*.eunny.com*, True -*.eunny.net*, True -*.eunny.org*, True -*.euphotic.ca*, True -*.eupla.com*, True -*.eupnative.com*, True -*.euprotejoboto.com.br*, True -*.euprotejoboto.org.br*, True -*.euprotejooboto.com.br*, True -*.euprotejooboto.org.br*, True -*.eur06.com*, True -*.eurachem.ro*, True -*.eurashe.be*, True -*.eurbe.ro*, True -*.eureca.ca*, True -*.eurekalodge.org*, True -*.euretig.com*, True -*.eurisko.org*, True -*.euroalem.com*, True -*.euroasiateknik.net*, True -*.eurobursatransport.ro*, True -*.eurocadexpert.ro*, True -*.eurocarcraiova.ro*, True -*.eurocarm1.ro*, True -*.eurocarm2.ro*, True -*.eurocarm3.ro*, True -*.eurocarm4.ro*, True -*.eurocarrelage.ch*, True -*.eurocarserv.ro*, True -*.euro-case.net*, True -*.eurocat.it*, True -*.eurociga.com*, True -*.eurocompany.fi*, True -*.eurodiamond.com*, True -*.eurodromio.gr*, True -*.eurodynamic.ro*, True -*.eurofish.cl*, True -*.eurofrig.ro*, True -*.eurofx.com*, True -*.eurogames.tk*, True -*.euroict.info*, True -*.euroistyle.info*, True -*.euroleap.com*, True -*.eurolek.com*, True -*.eurolibrariaiulia.ro*, True -*.eurolink.cl*, True -*.eurolv.com*, True -*.euromeat.ro*, True -*.euromesitiki.gr*, True -*.euronatura.pt*, True -*.euro-net.ro*, True -*.euroox24.com*, True -*.europakraft.ro*, True -*.europalalpin.ro*, True -*.europapeinture.ch*, True -*.europatur.ro*, True -*.europeadeespectaculos.com*, True -*.europeanbingo.net*, True -*.europeanpaintperformance.com*, True -*.europehalafim.co.il*, True -*.europrzelew24.pl*, True -*.eurorota.net*, True -*.euroscat.ro*, True -*.euroselling.com*, True -*.euroselling.nl*, True -*.eurosider-slo.com*, True -*.eurostroytorg.ru*, True -*.eurosun2012.org*, True -*.eurotank.ro*, True -*.euroteil.hr*, True -*.eurotrans-pks.pl*, True -*.eurotraveling.net*, True -*.eurotrip-06.com*, True -*.eurynome.ro*, True -*.eusoudecristo.com.br*, True -*.eutalia.ro*, True -*.e-utile.ro*, True -*.euvon.hk*, True -*.euwindow.com*, True -*.ev0.nz*, True -*.ev1lbl00d.org*, True -*.ev4g.org*, True -*.eva5.tk*, True -*.evaandering.com*, True -*.eva-brown.com*, True -*.evachenglikamfun.hk*, True -*.eva-che.ru*, True -*.evacipated.com*, True -*.evacomatlas.ro*, True -*.evacox.com.au*, True -*.evacuated-envelope.com*, True -*.evacuatedenvelopetechnologies.com*, True -*.evacuatedtech.com*, True -*.evado.gr*, True -*.evaeric.com*, True -*.eva.hk*, True -*.evalproiect.ro*, True -*.evaluari.ro*, True -*.eva-martin.com*, True -*.evanfrey.com*, True -*.evanrush.com*, True -*.evansfelipe.com.ar*, True -*.evansippel.com*, True -*.evansit.net*, True -*.evanstonfllw.com*, True -*.evantai.ro*, True -*.evantobac.com*, True -*.evanzagarment.com*, True -*.evanzzz.us*, True -*.evasion-peinture.ch*, True -*.evasms.com*, True -*.evatenny.com*, True -*.evatt.tk*, True -*.evaue.com*, True -*.evautotraders.com*, True -*.evavelazquez.com*, True -*.evazface.com*, True -*.evce.biz*, True -*.ev-dekorasyon.com*, True -*.eve-atmosphere.org*, True -*.evecr.com*, True -*.evelux.eu*, True -*.eveluxtech.ro*, True -*.evelynbeauty.com*, True -*.eve-marie.ca*, True -*.evencenter.com*, True -*.evenimentepromovare.ro*, True -*.event2u.ro*, True -*.eventango.ro*, True -*.eventbusinessmatchmaking.com*, True -*.eventcloud.com.my*, True -*.eventdecor.com.pk*, True -*.eventers.guru*, True -*.eventfilter.com*, True -*.eventing-team.si*, True -*.eventinvitation.co.za*, True -*.eventinvitations.co.za*, True -*.eventinvites.co.za*, True -*.eventist.ir*, True -*.eventlist.ir*, True -*.eventocompleto.com*, True -*.eventography.com.au*, True -*.eventomadeinbrazil.com.br*, True -*.eventosdeportivoscl.com.ar*, True -*.eventox.com.ar*, True -*.event-photopoint.com*, True -*.eventpianist.ch*, True -*.eventpp.com*, True -*.eventreg.co.za*, True -*.events4fun.net*, True -*.eventsandthecity.ro*, True -*.event-sound.es*, True -*.eventtuar.com.br*, True -*.event-tv.nl*, True -*.eventtv.nl*, True -*.eventzphotography.com*, True -*.eventzphotography.co.uk*, True -*.eveonline-au.net*, True -*.everbright.hk*, True -*.everchamp.com.my*, True -*.evercold.com*, True -*.evercore-uk.com*, True -*.everestkc.com.np*, True -*.everest-treuhand.ch*, True -*.everex.se*, True -*.evergladesbrand.com*, True -*.evergreenmackay.com.au*, True -*.everhome.ru*, True -*.everich-airfreight.com*, True -*.everidica.ro*, True -*.everjuneagle.com*, True -*.everlook.com.au*, True -*.evermath.ru*, True -*.evernote.com.br*, True -*.everpi.net*, True -*.everprosper.com*, True -*.evershome.nl*, True -*.everson.com.ve*, True -*.eversuri.ro*, True -*.everton.com*, True -*.evervision.org*, True -*.everybodytaps.com*, True -*.everyonedies.net*, True -*.everyonesgottaeat.org*, True -*.everythingknown.co*, True -*.everythinglouie.com*, True -*.everythingpensacola.com*, True -*.everythingrochester.com*, True -*.everythingscomingupmilhouse.com*, True -*.everythings-fine.net*, True -*.everythingsql.com*, True -*.evescout.tk*, True -*.evetest.com*, True -*.evgalicia.com.ar*, True -*.evgrapid.com*, True -*.eviddy.com*, True -*.evidi.me*, True -*.eviera.net*, True -*.eviga-inc.com*, True -*.evil0ne.co*, True -*.evilbs.com*, True -*.evilchop.ro*, True -*.e-v-i-l.info*, True -*.evillabs.net*, True -*.evilmag.com*, True -*.evilninjapirates.com*, True -*.evilo.net*, True -*.evilraids.tk*, True -*.evilraperz.net*, True -*.evilrouter.com*, True -*.evils.in*, True -*.evilsoul.net*, True -*.eviltech.net*, True -*.evinpapowitz.com*, True -*.e-visa.hk*, True -*.evision.com.au*, True -*.evitap.com*, True -*.eviv.io*, True -*.evivio.co*, True -*.ev-limo.com*, True -*.ev-limo.us*, True -*.evogamestore.com*, True -*.evoli.com.br*, True -*.evolioshop.ro*, True -*.evolucionit.com.ar*, True -*.evolutio.com.ar*, True -*.evolutionhelsinki.fi*, True -*.evolutionshowband.com.mx*, True -*.evolvedstrategies.com*, True -*.evolvedtech.com.au*, True -*.evolveordie.co.uk*, True -*.evolvingorbit.com*, True -*.evonomist.com*, True -*.evoprice.ro*, True -*.evostyle.com*, True -*.evostyle.com.au*, True -*.evostyle.net.au*, True -*.evotech.com.my*, True -*.evotechile.cl*, True -*.evote.cl*, True -*.evowest.com*, True -*.evrazia.info*, True -*.evripus.gr*, True -*.evron-carmel.com*, True -*.evronumizmatiki.eu*, True -*.evronumizmatiki.si*, True -*.evry-events.fi*, True -*.evsc.org.au*, True -*.evs.net.br*, True -*.e-vstopnice.si*, True -*.evstopnice.si*, True -*.evtec.net*, True -*.ev-traders.com*, True -*.ev-traders.us*, True -*.evtraders.us*, True -*.evtronix.com*, True -*.evugo.com*, True -*.evva.ro*, True -*.ev-vucak.si*, True -*.evyatar-parket.co.il*, True -*.ewasmile.ch*, True -*.ewasterecycle.ca*, True -*.e-we.ch*, True -*.ewertonazevedo.com.br*, True -*.ewetech.com.br*, True -*.ewh.co.za*, True -*.ewiseaggregation.com.au*, True -*.ewisemoneymanager.com.au*, True -*.e-wish.ro*, True -*.eworking.net*, True -*.e-works.com.ar*, True -*.eworks.com.ar*, True -*.ewrks.com.ar*, True -*.ewsd.tk*, True -*.ewytenek.cf*, True -*.ewyvikec.cf*, True -*.exabytes.com.ve*, True -*.exact.fm*, True -*.exactfm.com*, True -*.exactsolutionsinc.net*, True -*.exactsyntax.com*, True -*.examinedbytopmen.com*, True -*.examplelab.com.ar*, True -*.exampleletterofpersonalreference.com*, True -*.exampleoffuneralresolution.com*, True -*.example.org.il*, True -*.exar.ro*, True -*.exbodyinvest.com*, True -*.exbyte.ru*, True -*.excavacionsllofriu.com*, True -*.excelcex.com*, True -*.excelco-services.com.my*, True -*.excelez.ro*, True -*.excel-id.com*, True -*.excellencecaffe.ro*, True -*.excellentcruft.com*, True -*.excellentiaconsultores.cl*, True -*.excellentium.cl*, True -*.excellerater.com*, True -*.excelling.co*, True -*.excelplatinum.com*, True -*.excelsiorcraft.net*, True -*.excelsiortrade.ro*, True -*.exceltrainer.com.au*, True -*.exception.al*, True -*.exceptiononline.de*, True -*.excessdata.info*, True -*.excessive.li*, True -*.exchange2013.ch*, True -*.exchangeonline.co.za*, True -*.exchinfo.net*, True -*.excited.es*, True -*.exciterclub.com*, True -*.excitingdowntownpensacola.com*, True -*.exclubinvest.com*, True -*.exclusivejamaicatours.com*, True -*.exclusivekitchens.co.za*, True -*.exclusive-mobiles.com*, True -*.exclusive-mobiles.co.uk*, True -*.exclusivemobilesuk.com*, True -*.exclusivitesdunet.com*, True -*.excon.com.au*, True -*.excript.com*, True -*.excursions.gr*, True -*.excuseme.wtf*, True -*.excuse.ro*, True -*.executarehotarari.ro*, True -*.executaresentinte.ro*, True -*.executioner.ch*, True -*.executivebriefingcenter.com*, True -*.executivesuissepolice.ch*, True -*.executorcopuzeanu.ro*, True -*.executor-giurgiu.ro*, True -*.executorjust.ro*, True -*.executor.ro*, True -*.executorulroman.ro*, True -*.executorultau.ro*, True -*.executsilit.ro*, True -*.exeholding.ro*, True -*.exelanmusic.com*, True -*.exelens.com.ar*, True -*.exeliumpartners.co.uk*, True -*.exend.ro*, True -*.exentrius.com.ar*, True -*.exequielarona.com.ar*, True -*.exerciseandmind.com*, True -*.exerciseforcancersurvivors.com*, True -*.exercisetimetracker.com*, True -*.exergenix.com*, True -*.exergenix.co.za*, True -*.exergenix.net*, True -*.exergenix.org*, True -*.exesnepal.com.np*, True -*.exfuseseven.net*, True -*.exhaustbrisbane.com*, True -*.exhaustfankolowa.com*, True -*.exhaustsbrisbane.com*, True -*.exhaustsredlands.com*, True -*.exhauststore.eu*, True -*.exhg.tk*, True -*.exhibitech.com.au*, True -*.exiase.com.ar*, True -*.exibitech.com*, True -*.exibitech.com.au*, True -*.exifoto.cl*, True -*.exigo-capital.com*, True -*.exiled.biz*, True -*.exiledservers.net*, True -*.exilion24.pl*, True -*.exilregierung.at*, True -*.exima-stroy.ru*, True -*.eximiki.com*, True -*.eximmall.com*, True -*.exinpo.com*, True -*.exinpo.net*, True -*.exirium.com.ar*, True -*.existenciaplena.cl*, True -*.exitevents.ro*, True -*.exitmen.com*, True -*.exitweb.ro*, True -*.exiul.com*, True -*.exiul.net*, True -*.exiul.org*, True -*.exko.me*, True -*.exlifeinvest.com*, True -*.exlove.eu*, True -*.exmisa.info*, True -*.exmoorstargazers.co.uk*, True -*.e-xms.com.ar*, True -*.exnesscapital.com*, True -*.exnessinvestgroup.com*, True -*.exnessinvest.net*, True -*.exnessinvest.org*, True -*.exnessvested.com*, True -*.exnetwork.tk*, True -*.exnewz.ru*, True -*.exodusradio.ro*, True -*.exogate.net*, True -*.exogreen.in*, True -*.exonet.net*, True -*.exonydemo.com*, True -*.exonypartners.net*, True -*.exorcistfacegame.com*, True -*.exorcistscarymaze.com*, True -*.exoria.gq*, True -*.exotic.al*, True -*.exotic-band.com*, True -*.exoticshorthair.ro*, True -*.exotictits.com*, True -*.exp1.com.ar*, True -*.exp30.ru*, True -*.expandkancare.org*, True -*.expansionsource.com*, True -*.expathometv.com*, True -*.expator.ru*, True -*.expats-needs.com*, True -*.expatvpn.org*, True -*.expcontabil.ro*, True -*.expedicaoaventura.com.br*, True -*.expedicionesytrekking.com*, True -*.e-xpedientes.com.ar*, True -*.expendables-wi.com*, True -*.expendlog.com*, True -*.expen.se*, True -*.expensivemusic.com*, True -*.experiaction.com*, True -*.experianserasa.com*, True -*.experianserasa.net*, True -*.experiencedme.com*, True -*.experienciaenviajes.com.ar*, True -*.experiment.al*, True -*.expertarom.ro*, True -*.expertcontabilalba.ro*, True -*.expertenergy.net.au*, True -*.expert-e-t.com*, True -*.expertevents.ro*, True -*.expertfoodtrading.com*, True -*.expertibatsarl.ch*, True -*.expertido.com*, True -*.expertise.co.il*, True -*.expertissues.eu*, True -*.expertissues.org*, True -*.expertlanyards.com*, True -*.expertlanyards.co.uk*, True -*.expert.org.il*, True -*.expert-pvc.ro*, True -*.expert.sg*, True -*.expertsystems.hk*, True -*.expert-travel-romania.ro*, True -*.expion.co.uk*, True -*.expion.org*, True -*.explained.co.za*, True -*.exploitable.cf*, True -*.exploited.ga*, True -*.exploiterz.com*, True -*.exploits-bg.com*, True -*.exploits.me*, True -*.explomed.ro*, True -*.exploration.cf*, True -*.explore.web.id*, True -*.explosivedart.co.uk*, True -*.expobusinessmatchmaking.com*, True -*.expocarne.cl*, True -*.expodeportes.com.ar*, True -*.expofrig.ro*, True -*.expohand.com*, True -*.expomarketaliment.ro*, True -*.expomode.net*, True -*.exporadio.ro*, True -*.exportaciones-sur.com*, True -*.export-euro.nl*, True -*.exposito.net*, True -*.exposu.net*, True -*.exposurebench.com*, True -*.expotrader.com.br*, True -*.expotv.ro*, True -*.expowebshop.com*, True -*.exprescomputers.com*, True -*.exprescomputers.eu*, True -*.expresiaideii.ro*, True -*.expresnews.ro*, True -*.expresoarseno.com.ar*, True -*.expresosur.cl*, True -*.expresscargas.com*, True -*.expresscargo.cl*, True -*.expresscomputer.co.uk*, True -*.expresselectrique.com*, True -*.expresshotel.com.pk*, True -*.express-in-china.com*, True -*.expressinchina.com*, True -*.expressinchina.mobi*, True -*.expressosp.net*, True -*.expresstaxirichmond.com*, True -*.expresstnt.com.au*, True -*.expresstravel.co.id*, True -*.expresswoodturning.com.au*, True -*.exprezit.com.au*, True -*.exptserver.in*, True -*.ex-pvp.tk*, True -*.expvp.tk*, True -*.exquisitepiecesmo.com*, True -*.exroot.com*, True -*.exs-elm.ru*, True -*.exsovek.com.mx*, True -*.exsovek.mx*, True -*.extab.net*, True -*.ext-ca.com*, True -*.extendit.se*, True -*.extension8.com*, True -*.exteria.ru*, True -*.externalcloud.com.au*, True -*.externo.tk*, True -*.extex-project.org*, True -*.extinction-gaming.com*, True -*.extin-red.com.ar*, True -*.ext.io*, True -*.extjs.nl*, True -*.extjs-specialist.com*, True -*.extjs-specialist.nl*, True -*.extra-aviators.club*, True -*.extrabitter.com*, True -*.extrabucks.com.au*, True -*.extracraftx.tk*, True -*.extraction-solutions.co.uk*, True -*.extradefx.com*, True -*.extrafiles.net*, True -*.extragym.com*, True -*.extrahosting.info*, True -*.extrahot.org*, True -*.extramindcorp.com*, True -*.extranet.one.pl*, True -*.extraordinaryform.org*, True -*.extrarent-a-car.com*, True -*.extrasalt.se*, True -*.extraspace.tk*, True -*.extratechsolutions.com*, True -*.extremadurainformatica.com*, True -*.extreme404.us*, True -*.ex-treme.ch*, True -*.extreme-cyber.org*, True -*.extremeglobalwarming.com*, True -*.extremeimport.co.uk*, True -*.extremelyorange.com*, True -*.extremenetwork.biz*, True -*.extremeperformancereviews.com*, True -*.extremetanningofsarasota.com*, True -*.extremevideoxxx.com*, True -*.extremexports.com*, True -*.extrimisland.biz*, True -*.extrimisland.co*, True -*.extrimisland.com*, True -*.extrimisland.info*, True -*.extrimisland.me*, True -*.extrimisland.net*, True -*.extrimisland.org*, True -*.extrimpark.biz*, True -*.extrimpark.co*, True -*.extrimpark.com*, True -*.extrimpark.info*, True -*.extrimpark.me*, True -*.extrimpark.net*, True -*.extrimpark.org*, True -*.extrostilnovo.it*, True -*.exxpocar.com.br*, True -*.exylpo.ro*, True -*.eyanfun.com*, True -*.eyang.biz*, True -*.eyang.org*, True -*.eydingenieros.cl*, True -*.eydlish.net*, True -*.eye97.com*, True -*.eyeamkolor.com*, True -*.eyeasociados.cl*, True -*.eyelashextensionsandbeauty.com.au*, True -*.eyelashtastic.com*, True -*.eyeleds.co.za*, True -*.eyenaemia.com*, True -*.eyeness.com*, True -*.eyeportal.net*, True -*.eye.rs*, True -*.eyersgrove.us*, True -*.eyer.us*, True -*.eyesbaby.com*, True -*.eyesofstcharles.com*, True -*.eyesonfifth.net*, True -*.eyesonmecollection.com*, True -*.eyesound.net*, True -*.eye-specs.co.uk*, True -*.eyespies.info*, True -*.eyespots.tk*, True -*.eyetank-design.de*, True -*.eyittforum.xyz*, True -*.ey-law.co.il*, True -*.eylemculculoglu.com*, True -*.eymc.com*, True -*.eymc.net*, True -*.eymc.org*, True -*.ez2.us*, True -*.ezanbulgaria.tk*, True -*.ezbookings.com.au*, True -*.ezbuy.biz*, True -*.ezcall.tw*, True -*.ezchamba.com*, True -*.ezcome.org*, True -*.ezdating.eu*, True -*.ezdns.info*, True -*.ez-domain.com*, True -*.ezeas.com*, True -*.ezeetan.com*, True -*.ezeewipes.com*, True -*.ezen.eu*, True -*.eze-order.com*, True -*.eze-order.net*, True -*.ezeq.tk*, True -*.ezerom.com.ar*, True -*.ezesc.com*, True -*.ezfill.com*, True -*.ezformosa.com*, True -*.ez-group.it*, True -*.ezh.be*, True -*.ezhr.tw*, True -*.ezigparadies.com*, True -*.ezigparadies.de*, True -*.ezigparadies.net*, True -*.ezine.my*, True -*.ez-in-touch.com*, True -*.ezisonland.com*, True -*.ezitsolutions.co.za*, True -*.ezjob.co.za*, True -*.ezjob.it*, True -*.ezlearn123.com*, True -*.ezlink.sg*, True -*.ez.lv*, True -*.ezmacao.com*, True -*.ezmangaforums.com*, True -*.ezmodel.co.za*, True -*.ezodonto.com.ve*, True -*.ezonecr.com*, True -*.ezore.com.au*, True -*.ezparts.info*, True -*.ezportlet.com*, True -*.ezrays.com*, True -*.ezrenda.ru*, True -*.ezroot.com*, True -*.ezshopapp.com*, True -*.ez-simcha.com*, True -*.ezsimcha.com*, True -*.ezsimchalabels.com*, True -*.ezsite.co.za*, True -*.e-zup.com.au*, True -*.ezutronik.com.my*, True -*.ezuvim-amka.co.il*, True -*.ezwaytours.com*, True -*.ezwebsites.com*, True -*.ezxdev.org*, True -*.ezy2mail.com*, True -*.ezydomainregister.com*, True -*.ezypie.com*, True -*.ezypulsa.biz*, True -*.ezyregister.com*, True -*.ezyshop.ir*, True -*.ezyshop.us*, True -*.ezzytrade.com*, True -*.ezzytrade.co.uk*, True -*.f10.ca*, True -*.f18.cl*, True -*.f1-998.com*, True -*.f1copa.com*, True -*.f1inc.com.br*, True -*.f1portal.com.ar*, True -*.f3l1x.info*, True -*.f3r.dj*, True -*.f3w.net*, True -*.f41ry.co.uk*, True -*.f4cebook.ga*, True -*.f4.is*, True -*.f4ubcd.com*, True -*.f4xc.org*, True -*.f5cd.com*, True -*.f5parfum.ro*, True -*.f5star.com*, True -*.fa1.co.za*, True -*.fa1l.net*, True -*.fa78.ro*, True -*.faa33.com*, True -*.faa66.com*, True -*.faa77.com*, True -*.faa88.com*, True -*.faa99.com*, True -*.faalentijn.tk*, True -*.faany.ro*, True -*.faass.ch*, True -*.fabbroinstallazioni.it*, True -*.fabercapital.com.my*, True -*.fabian-buch.com*, True -*.fabian-buch.de*, True -*.fabiange.com*, True -*.fabiano.eng.br*, True -*.fabianofurtado.com.br*, True -*.fabienneproz.ch*, True -*.fabienneschmidli.ch*, True -*.fabifisio.ch*, True -*.fabinho.org*, True -*.fabioabreu.net*, True -*.fabioscala.ch*, True -*.fabiosoares.tk*, True -*.fabiovsilva.com*, True -*.fablabafta.cl*, True -*.fablabargentina.com.ar*, True -*.fablabbelem.org*, True -*.fabmatic.com*, True -*.fab.net.my*, True -*.fab-n-fit.com*, True -*.faborgift.com*, True -*.fabric8.io*, True -*.fabricacompresores.com.ar*, True -*.fabricadegeamuri.ro*, True -*.fabricadeideias.eu*, True -*.fabricadejuegosycastillosinflables.com*, True -*.fabricainterior.tk*, True -*.fabricajaguaribe.com.br*, True -*.fabriciolima.com.br*, True -*.fabrihouse.com.ve*, True -*.fabrikakids.com.br*, True -*.fabrikakino.ru*, True -*.fabrikam.com.ar*, True -*.fabrimak.cl*, True -*.fabrissin.com*, True -*.fabryka-urody.net*, True -*.fabulousdesignerjeans.com*, True -*.facaf.org.ar*, True -*.facaspaca.com.br*, True -*.facebasic.com*, True -*.facebeast.ml*, True -*.faceblockme.info*, True -*.faceboek.cz*, True -*.faceboek.in*, True -*.facebuik.com*, True -*.faceclues.co.za*, True -*.facecooked.com*, True -*.facecrack.net*, True -*.facefur.com*, True -*.faceleg.com*, True -*.facematch.co.za*, True -*.facemwuah.tk*, True -*.facenet.info*, True -*.faceporn.com.br*, True -*.facesales.com*, True -*.facetapu.com*, True -*.facetnate.com*, True -*.facetwitter.pw*, True -*.fachschaft-weil-stuve.de*, True -*.facialline.hk*, True -*.facilcomprasyvendes.com*, True -*.facilitandosonhos.com.br*, True -*.facilitator.ro*, True -*.facilite.in*, True -*.facilitiesmanagement.com.au*, True -*.fa-cility.com*, True -*.facilityforhotels.com*, True -*.facit.ro*, True -*.facomac.pt*, True -*.facsolucoes.com.br*, True -*.fact747.ru*, True -*.facte.mx*, True -*.facteurforce.com*, True -*.factforum.net*, True -*.factions-uniquemines.tk*, True -*.factor302-4.com.ar*, True -*.factoralfa.ro*, True -*.factorh.net*, True -*.factorkapital.cl*, True -*.factorkapital.com*, True -*.factorsolar.cl*, True -*.factor-x.net*, True -*.factorycoiffeurs.ch*, True -*.factoryphils.com*, True -*.factoryprice.se*, True -*.factory-services.com.ar*, True -*.facturabackup.com.mx*, True -*.facturacionrestaurante.com*, True -*.facturaelectronicaonline.cl*, True -*.facturamovil.pe*, True -*.facucosta.com.ar*, True -*.fadays.tk*, True -*.fadcom.com.br*, True -*.fade.cc*, True -*.fade.co.il*, True -*.fadedbluegenius.com*, True -*.fadhli.web.id*, True -*.fadi.li*, True -*.fadjen.com*, True -*.fadlanfurniture.com*, True -*.fadubusca.com.ar*, True -*.faefox.org*, True -*.faelund.com*, True -*.faenschi.ch*, True -*.faerie.tk*, True -*.faerydaephotography.co.uk*, True -*.faex.com*, True -*.fafo.cl*, True -*.fagall.de*, True -*.fagerho.lt*, True -*.fagoftricks.com*, True -*.fagor.cf*, True -*.fahnle.com.ar*, True -*.fahrlehrerin.ch*, True -*.fahrradwettbewerb.li*, True -*.fahtur.biz*, True -*.faiart.com.ar*, True -*.faidiga.com.br*, True -*.failfordrealestate.com.au*, True -*.failhub.net*, True -*.faims.net*, True -*.faine.cl*, True -*.faintv.com*, True -*.faintv.tv*, True -*.fain.us*, True -*.faiqbaihaqi.net*, True -*.fairfieldbay.org*, True -*.fairfieldcountyfair.com*, True -*.fairflirtdating.com*, True -*.fairmontmontana.com*, True -*.fairplayers.ru*, True -*.fairpole.com*, True -*.fairs.ro*, True -*.fairuse.org*, True -*.fairway.cl*, True -*.fairway.tw*, True -*.fairwayvillagehomeassn.com*, True -*.fairynail.ru*, True -*.fairytail.fi*, True -*.fairytaletree.com*, True -*.faiscas.tk*, True -*.faiscebook.fr*, True -*.faisholmjt.com*, True -*.faisol.web.id*, True -*.faithbaptistmanchester.org*, True -*.faithbywords.org*, True -*.faithere.jp*, True -*.faithful.hk*, True -*.faithfultesting.com*, True -*.faithinhumans.org*, True -*.faithkills.com*, True -*.faitlami.tw*, True -*.faivre.li*, True -*.faizalgokil.info*, True -*.faizperjuangan.com*, True -*.faizsix.com*, True -*.fajastopsecret.com.ve*, True -*.fajima.tk*, True -*.fake666.com*, True -*.fakebigtits.com*, True -*.fakeindustries.info*, True -*.fakeindustries.mobi*, True -*.fakeitout.com*, True -*.fakel-nn.ru*, True -*.fakemagpic.net*, True -*.fakeme.ga*, True -*.fake.ro*, True -*.fakestreet.com*, True -*.fakhraee.ir*, True -*.falacondominio.com.br*, True -*.falahzar.com*, True -*.falapreta.com.br*, True -*.falastrobooks.com*, True -*.fala.tw*, True -*.falbani.com.ar*, True -*.falcongreen.com*, True -*.falcongreenenergy.com*, True -*.falconrychess.com*, True -*.falconsys.net*, True -*.falconview-plugins.de*, True -*.falcyos.com*, True -*.faldorn.net*, True -*.falegnameriajacmolli.ch*, True -*.falegnameriamorleo.ch*, True -*.falezguvenlik.com*, True -*.falfer.com*, True -*.falfersa.com.ar*, True -*.falian-tech.com*, True -*.faliran.ir*, True -*.falix.de*, True -*.falk.co.za*, True -*.falki.pl*, True -*.falkonet.co.id*, True -*.falkville.org*, True -*.falkzone.com*, True -*.fallapparel.co.uk*, True -*.fall.cf*, True -*.fallenknotties.net*, True -*.falle.us*, True -*.falling-in-love.us*, True -*.falloutstat.us*, True -*.falmarsel.uk*, True -*.falsanarki.tk*, True -*.fam-base.net*, True -*.fam-berger.ch*, True -*.fambollenonline.info*, True -*.fambuergin.ch*, True -*.famellad.cl*, True -*.famemeridian.com.my*, True -*.fam-fuerst.eu*, True -*.famheimanns.de*, True -*.fami.com.au*, True -*.famicom.ro*, True -*.familiaayala.com.ar*, True -*.familiabustelo.com.ar*, True -*.familiafurlan.com.br*, True -*.familiagomide.com.br*, True -*.familiamarinho.com.br*, True -*.familiamichels.com.br*, True -*.familianacimiento.com.ar*, True -*.familianahum.cl*, True -*.familia-saavedra.es*, True -*.familia-sfanta.ro*, True -*.familiashalom.com*, True -*.familiashalom.org*, True -*.familiasilva.cl*, True -*.familiasoto.us*, True -*.familiawhite.com.ar*, True -*.familiebeniest.nl*, True -*.familie-hoehn.ch*, True -*.familielist.info*, True -*.familienkanzlei-dorsten.de*, True -*.familienrecht-dorsten.com*, True -*.familie-schaub.ch*, True -*.familiestogether.us*, True -*.familiestoute.nl*, True -*.familie-wulfert.de*, True -*.familjenfagerberg.se*, True -*.familjensundman.se*, True -*.familjenwidegren.nu*, True -*.familjenwidegren.se*, True -*.famille-garnier.ca*, True -*.famille-larsonneur.eu*, True -*.famillesmith.com*, True -*.familyally.com*, True -*.familybook.org.za*, True -*.familybook.web.za*, True -*.familybus.pt*, True -*.familycircles.tk*, True -*.familydance.com.ar*, True -*.familydeluxe.org*, True -*.familyfaces.net*, True -*.familyhart.com*, True -*.familyhistory.ro*, True -*.familyhomenetwork.com*, True -*.familyjam.es*, True -*.familylawcourse.com.au*, True -*.familymango.com*, True -*.familymatters.ch*, True -*.familymed.com.ar*, True -*.familyofsteele.org*, True -*.familyparty.org*, True -*.familyreber.ch*, True -*.familyreece.com*, True -*.familystation.org*, True -*.familyszmaj.pl*, True -*.familytreeandbrush.com*, True -*.familytreesite.co.uk*, True -*.familyvandenbrink.nl*, True -*.family-wuethrich.ch*, True -*.fam-laloum.net*, True -*.fammoney.net*, True -*.fam-nyberg.se*, True -*.famolesen.com*, True -*.famolesen.net*, True -*.famospa.com.br*, True -*.fam-ramisch.de*, True -*.famsenden.com*, True -*.famure.ch*, True -*.fanatickus.cl*, True -*.fanaticosfutbol.com.ar*, True -*.fanatyczni-chojnowianie.pl*, True -*.fanbaoba.net*, True -*.fanc.com.br*, True -*.fancoach.be*, True -*.fancycakes.ch*, True -*.fancypleasure.com*, True -*.fancy-studio.net*, True -*.fancytaco.net*, True -*.fanda88.com*, True -*.fandiingah.com*, True -*.fandomtshirts.com*, True -*.fandraka.eu*, True -*.fandroid.net*, True -*.fandykhan.in*, True -*.fanelectroserv.ro*, True -*.fanesia.com*, True -*.fanfare-vernier.ch*, True -*.fanfoot.ir*, True -*.fang12345.com*, True -*.fangsfirst.com*, True -*.fanli.gq*, True -*.fannymak.com*, True -*.fanpay.co*, True -*.fanpay.org*, True -*.fanqiu.co.uk*, True -*.fanshi.ru*, True -*.fans.ro*, True -*.fansubbers.ru*, True -*.fansub.cc*, True -*.fanszone.us*, True -*.fantabulous.ru*, True -*.fantasearch.com*, True -*.fantastic-edc.com*, True -*.fantasticfaviobros.com*, True -*.fantastic.org.il*, True -*.fantastic.pt*, True -*.fantasticraft.net*, True -*.fantastic-vps.com*, True -*.fantasy-baseball.tk*, True -*.fantasy-chess.co.uk*, True -*.fantasychess.co.uk*, True -*.fantasyone.co.uk*, True -*.fantasypoolandspa.com*, True -*.fantasysportslab.com*, True -*.fantasysquared.com*, True -*.fantasywood.it*, True -*.fantazymu.com*, True -*.fantezii.ro*, True -*.fantome.net*, True -*.fantomx.tk*, True -*.fanvaren.nl*, True -*.fap2.tk*, True -*.fapec.org*, True -*.fapgame.cf*, True -*.fapis.com*, True -*.fapop.me*, True -*.faporte.it*, True -*.fappened.com*, True -*.fapp.in*, True -*.faptoria.com.mx*, True -*.faptoria.mx*, True -*.fapuyeah.tk*, True -*.faqja-ime.com*, True -*.faradis.asia*, True -*.faraghat-kh.ir*, True -*.farahrambles.com*, True -*.faraitmall.ir*, True -*.farandulapp.com.ar*, True -*.faraonicatena.com.ar*, True -*.faraonsoft.com.ar*, True -*.faraonu.tk*, True -*.faratar.org*, True -*.faraznetwork.net*, True -*.farbiszewski.com*, True -*.farbmanagement.biz*, True -*.farbpunktur-beck.ch*, True -*.farca.com.ve*, True -*.farcarjaya.com*, True -*.farcreed.com*, True -*.fardayesabz.org*, True -*.farefamily.com*, True -*.farfromhome.us*, True -*.farhadhandmades.com*, True -*.farias.com.ar*, True -*.farinlaw.co.il*, True -*.farisais.com*, True -*.farisalmusic.net*, True -*.farisvb.com*, True -*.farjami.ir*, True -*.farjatehijos.com.ar*, True -*.farmaciaartesanal.com*, True -*.farmaciabiofarma.com.ar*, True -*.farmacia-cassarate.ch*, True -*.farmaciafacil.com*, True -*.farmacia-federale.ch*, True -*.farmaciagaspar.com*, True -*.farmaciagaspar.eu*, True -*.farmaciagaspar.pt*, True -*.farmaciapestoni.ch*, True -*.farmacija.si*, True -*.farmafe.com.ar*, True -*.farmasandiego.com.ve*, True -*.farmaservicios.co.ve*, True -*.farmasi-id.com*, True -*.farmasuper.tk*, True -*.farmazoo.com*, True -*.farmbld.ro*, True -*.farmcottage.me*, True -*.farmers-city.com*, True -*.farmersonly.club*, True -*.farmerspike.com*, True -*.farmerspikefestival.com*, True -*.farmerspike.net*, True -*.farmilla.fi*, True -*.farming-fish.com*, True -*.farm-m.ru*, True -*.farmr.com.au*, True -*.farmstreetchildcare.com.au*, True -*.farmstreet.com.au*, True -*.farmtrees.com.au*, True -*.farmvet.com.ar*, True -*.farmwarsgame.com*, True -*.faroc.com.au*, True -*.faro-comunicaciones.com.ar*, True -*.faroindonesia.co.id*, True -*.farooqhost.cf*, True -*.faropelaesquerda.org*, True -*.farorecruitmentindonesia.co.id*, True -*.farou.gr*, True -*.far-out.eu*, True -*.farpa.org.br*, True -*.farq.info*, True -*.farrellf.com*, True -*.farrington.id.au*, True -*.farroupilha.com*, True -*.farruggio.ch*, True -*.farsicamp.ir*, True -*.farstad.me*, True -*.farted.net*, True -*.fartisana.ch*, True -*.farvashani.ir*, True -*.faryne.at*, True -*.faryne.tw*, True -*.farzand.net*, True -*.fasad-k.ru*, True -*.fasadyognioodporne.pl*, True -*.fasadystalowe.pl*, True -*.fasc.ch*, True -*.faschat.ga*, True -*.fascinatingphoto.com*, True -*.fascn8.com*, True -*.fascordc.com*, True -*.faserromania.ro*, True -*.fashion360.pk*, True -*.fashion-ba.xyz*, True -*.fashionbazar.ro*, True -*.fashionbook.ir*, True -*.fashionbooks.ir*, True -*.fashioncanvasbags.com*, True -*.fashion-chair.com*, True -*.fashiondistributions.com*, True -*.fashionfair.co.za*, True -*.fashioninstep.com*, True -*.fashionist.com.ar*, True -*.fashionlist.ro*, True -*.fashion-ooops.com*, True -*.fashionprofinder.com*, True -*.fashionsalma.com*, True -*.fashionshops.nl*, True -*.fashionspark.com*, True -*.fashionspotter.com.au*, True -*.fashionswoman.ru*, True -*.fasl.info*, True -*.faso-pc.tk*, True -*.fassere.com.ar*, True -*.fassettfam.info*, True -*.fastahop.com.br*, True -*.fastandfurioustaxes.com*, True -*.fastappends.com*, True -*.fastbackpetroleum.com*, True -*.fastbackpetroleum.net*, True -*.fastbraceschesapeake.com*, True -*.fastbraceslouisiana.com*, True -*.fastbracesmississippi.com*, True -*.fastbracesmorgantown.com*, True -*.fastbracesmountpleasant.com*, True -*.fastbridgeserv.in*, True -*.fastcashloan.tk*, True -*.fastcontrolpanel.tk*, True -*.fastcpanel.tk*, True -*.fasteasytech.com*, True -*.fasteras.net*, True -*.fastercluck.com*, True -*.fasterwimax.com*, True -*.fastethernet.co.uk*, True -*.fastfileshare.com.ar*, True -*.fastflv.com*, True -*.fastga.com*, True -*.fasthost.pl*, True -*.fastigames.com.ar*, True -*.fastimusic.com.ar*, True -*.fastinga.com.ar*, True -*.fastintegrate.ru*, True -*.fastirc.net*, True -*.fastisearch.com.ar*, True -*.fastlan.com.ar*, True -*.fast-liker.net*, True -*.fastload.tk*, True -*.fastneco.com*, True -*.fastnstrong.com*, True -*.fastpay.cl*, True -*.fastpaydaycash.tk*, True -*.fastplus.hk*, True -*.fastrack.hk*, True -*.fastracktech.biz*, True -*.fastracktech.com*, True -*.fastsaude.com.br*, True -*.fastservice.cl*, True -*.fastshop.me*, True -*.faststories.com*, True -*.fast-tax-relief.com*, True -*.fasttrackacademy.net*, True -*.fasttrackignite.com*, True -*.fasttrack.im*, True -*.fasttrackim.com*, True -*.fasttractrans.com*, True -*.fastvideoshare.com.ar*, True -*.fastweb.hu*, True -*.fatalerroronline.com*, True -*.fatality.cc*, True -*.fatalityshow.com.ar*, True -*.fatalsoftware.com*, True -*.fatanduseless.com*, True -*.fatcatgigs.com*, True -*.fatcatgraphics.info*, True -*.fatdiary.org*, True -*.fatec2.com.ar*, True -*.fatec.com.ar*, True -*.fatecdocumentos.com.ar*, True -*.fategash.com*, True -*.fatemokid.com*, True -*.fatesperfection.com*, True -*.fatfree.net*, True -*.fath86.tk*, True -*.fatherdamonyc.com*, True -*.fathom13.com*, True -*.fathomcorps.com*, True -*.fathomfuel.com*, True -*.fathomgas.com*, True -*.fathulhidayah.sch.id*, True -*.fathul.tk*, True -*.fathur.club*, True -*.fathurdotid.club*, True -*.fathurdotid.co.uk*, True -*.fathurdotid.guru*, True -*.fathurdotid.org*, True -*.fatikhahistianah.gq*, True -*.fatima135.ir*, True -*.fatjambo.com*, True -*.fatjambo.net*, True -*.fatmansempire.de*, True -*.faton.ga*, True -*.fatorh.net*, True -*.fatortalento.com.br*, True -*.fatpanda.org*, True -*.fatpipi.com*, True -*.fatshark.net*, True -*.fatshark.si*, True -*.fattylovesfitness.com*, True -*.fatumgrup.ro*, True -*.faucheisti.eu*, True -*.faulken.com.au*, True -*.faultygate.co.za*, True -*.faulty.id.au*, True -*.faunalink.com.au*, True -*.fauron.tk*, True -*.fausch.li*, True -*.fausto.com.ar*, True -*.faustomorgado.es*, True -*.faustorodriguez.com.ar*, True -*.fauxcult.org*, True -*.fauxmacho.com*, True -*.fauzaan.com*, True -*.fauzildannofita.com*, True -*.favadi.com*, True -*.favarium.com*, True -*.favelaearte.com.br*, True -*.faverybishop.com*, True -*.favi.ch*, True -*.favoritauto.ro*, True -*.favoritehub.ro*, True -*.favorite-pets.ru*, True -*.favoritimobiliare.ro*, True -*.favortising.com*, True -*.favorul.ro*, True -*.favre.ch*, True -*.fawadkhan.pk*, True -*.fawasblog.com*, True -*.fawwazcell.net*, True -*.fax2email.ro*, True -*.faydark.co.uk*, True -*.fayknowles.com*, True -*.fayna.org*, True -*.fayrpg.eu*, True -*.fayruzova.ru*, True -*.fayruzov.ru*, True -*.fazani.tk*, True -*.fazendeirosonline.com.br*, True -*.fazergratis.com*, True -*.fazolky.cz*, True -*.fazzaripropiedades.com.ar*, True -*.fazzioli.com.ar*, True -*.fb6.org*, True -*.fbautopost.ga*, True -*.fbbaz.com*, True -*.fbca.com.br*, True -*.fbcmulberrygrove.com*, True -*.fb.co.id*, True -*.fbcosmetic.com*, True -*.fbfusion.org*, True -*.fbgreensburg.org*, True -*.fbh.ro*, True -*.fb-like.me*, True -*.fblog.es*, True -*.fbmega.com*, True -*.fbmoney.co.uk*, True -*.fbot.tk*, True -*.fbreviewcrew.com*, True -*.fb-room.com*, True -*.fbro.tk*, True -*.fbsdave.com*, True -*.fbsdbox.com*, True -*.fbsdbox.net*, True -*.fbsd.hu*, True -*.fbsd.in*, True -*.fbtextor.nu*, True -*.fbtk.ch*, True -*.fbtriankhachhang.com*, True -*.fc2.sg*, True -*.fcc77.com*, True -*.fcc89.com*, True -*.fcc97.com*, True -*.fcc99.com*, True -*.fcchc.us*, True -*.fccnschildcare.com*, True -*.fcdream.it*, True -*.fcfsa.cl*, True -*.fc-ghaem.com*, True -*.fclin.me*, True -*.fcn.me.uk*, True -*.fcntl.net*, True -*.fc-pack.com*, True -*.fcpittura.ch*, True -*.fcsamba.net*, True -*.fct.co.za*, True -*.fcteteks.com*, True -*.fdandan.com*, True -*.fdasoporte.com.ar*, True -*.fdbrokers.com.ar*, True -*.fdcelje.si*, True -*.fdd58.com*, True -*.fddns.ml*, True -*.fdeborjadd.es*, True -*.fdevicecloud.com*, True -*.fdgbacon.com.ar*, True -*.fdreier.ch*, True -*.fds7.ru*, True -*.fdss.info*, True -*.fe4rs.us*, True -*.feabogados.cl*, True -*.fearandfail.com*, True -*.feared.eu*, True -*.fearfactory.eu*, True -*.fearless.ga*, True -*.fearnetwork.net*, True -*.fearnoaudit.com*, True -*.fearpenguins.com*, True -*.fearsnet.com*, True -*.fearsrevenge.com*, True -*.fear-tech.co.uk*, True -*.feasa.com.br*, True -*.feastforthepen.com*, True -*.feastforthepen.net*, True -*.feasur.com.br*, True -*.featherston.com.ar*, True -*.featurecreepsoftware.com*, True -*.featurepieces.com.au*, True -*.feb-akuntansiunlam.ac.id*, True -*.febleo.ro*, True -*.febriana.cf*, True -*.febriana.ga*, True -*.febriana.gq*, True -*.febriana.ml*, True -*.febriana.tk*, True -*.febriandika.cf*, True -*.febriata.web.id*, True -*.febricotto.com*, True -*.fecalmint.com*, True -*.fecdoha.com*, True -*.fechner.cf*, True -*.feckers.net*, True -*.feclisenet.com.ar*, True -*.fedai.tk*, True -*.fedaris.cl*, True -*.fedatariodigital.com.ar*, True -*.fedatariopostal.com.ar*, True -*.fedea.com.ar*, True -*.fedefarma.org*, True -*.federacionpah.cl*, True -*.federacionpalestina.cl*, True -*.federalres.com*, True -*.federalres.net*, True -*.federalres.org*, True -*.federalrps.com*, True -*.federationtekservices.com*, True -*.federicocordoba.com.ar*, True -*.federicoescalada.com*, True -*.federiconoriega.com.ar*, True -*.federicosimonetti.com.ar*, True -*.federicospinosa.com.ar*, True -*.fedesimonetti.com.ar*, True -*.fedir.net*, True -*.fedmik.ru*, True -*.fedorclub.tk*, True -*.fedorki.net*, True -*.fedorki.pl*, True -*.fedoservers.tk*, True -*.fedst.se*, True -*.feedaddictapp.com*, True -*.feedba.ch*, True -*.feedbackca.com*, True -*.feedbackme.net*, True -*.feedia.co*, True -*.feedio.io*, True -*.feedmebro.com*, True -*.feedtheblackhole.com*, True -*.feelalivefitness.com*, True -*.feelfashion.com.br*, True -*.feelingood.hk*, True -*.feelingrapey.co.uk*, True -*.feelznetwork.tk*, True -*.feen.ca*, True -*.feer.org*, True -*.feesfamilytree.net*, True -*.feesthapjes.nl*, True -*.feetender.com*, True -*.feezor.net*, True -*.fefefefefe.com*, True -*.fefy.tk*, True -*.fehrmann.net.br*, True -*.fehungs.com*, True -*.feiraurbana.com.br*, True -*.feireen.ru*, True -*.feirelynsulamalisbibir.com*, True -*.feisbu.cl*, True -*.feisprincess.com*, True -*.feistyfoodies.com*, True -*.fejafint.se*, True -*.felanitxers.com*, True -*.felbel.com*, True -*.felcpeoria.com*, True -*.felcpeoria.org*, True -*.feldbaum.com.ar*, True -*.felettoumberto.it*, True -*.feliciazhang.com*, True -*.felicienropraz.ch*, True -*.felipealmeida.eng.br*, True -*.felipearruda.com.br*, True -*.felipeastorga.cl*, True -*.felipebalbi.com*, True -*.felipecamus.cl*, True -*.felipegm.cl*, True -*.felipeklein.com*, True -*.felipepereira.com*, True -*.feliperios.cl*, True -*.felipesilva.net*, True -*.felipetaxifortaleza.com.br*, True -*.felipeweason.cl*, True -*.feliuesteve.com*, True -*.felixcafe.co.nz*, True -*.felix-calonder.ch*, True -*.felixdomus.ca*, True -*.felixhome.us*, True -*.felixjendrusch.is*, True -*.felixjosehernandez.es*, True -*.felixrobertson.co.uk*, True -*.felixrock.co.uk*, True -*.felixstocker.ch*, True -*.felixtw.tw*, True -*.felixwu.com*, True -*.felizfimdomundo.com.br*, True -*.felizprovencefestas.com.br*, True -*.fella.tk*, True -*.fellowafricans.com*, True -*.fellowshipofthereef.com*, True -*.fellowshipusa.com*, True -*.fellowshipusa.org*, True -*.felrivglz.com.mx*, True -*.felsuegga.ch*, True -*.feltonwilliams.com*, True -*.felujitasok.hu*, True -*.fem26.com*, True -*.fem38.com*, True -*.fem43.com*, True -*.fem66.com*, True -*.fem73.com*, True -*.fem77.com*, True -*.fem82.com*, True -*.fem88.com*, True -*.female.gq*, True -*.femalesmall.com*, True -*.feman.com.br*, True -*.femi.ch*, True -*.feminaesthetique.ch*, True -*.feminis.tk*, True -*.feminity.ro*, True -*.femioso.com*, True -*.femi-stom.ru*, True -*.femmor.com.mx*, True -*.femmor.mx*, True -*.femotv.com*, True -*.fempromo.com*, True -*.fempromo.es*, True -*.femtobiz.cl*, True -*.femtobyte.tk*, True -*.fenceminneapolis.net*, True -*.fenceu.com.au*, True -*.fenc.me*, True -*.fenea.org*, True -*.fenelon.net*, True -*.fenesisu.moe*, True -*.fengbrothers.com*, True -*.fengkuangmai.cn*, True -*.fengkuangsong.cn*, True -*.fengshing.tw*, True -*.fengshui1689.com*, True -*.feng-shui-cadouri.ro*, True -*.fenixdeaf.com*, True -*.fenixdelosingenios.com*, True -*.fenixfanclub.ru*, True -*.fenix-gradnja.hr*, True -*.fenixnet.cl*, True -*.fenixservicios.com.ve*, True -*.fenninghistory.co.uk*, True -*.fennis.tk*, True -*.fenomenourandir.com.br*, True -*.fenoust.tk*, True -*.fentanes.com.ar*, True -*.fentysayang.me*, True -*.fenume.info*, True -*.feosoftware.net*, True -*.fepang.co.za*, True -*.fepangprotection.co.za*, True -*.fepate.org.br*, True -*.fepusanjuan.org.ar*, True -*.feralcloud.com*, True -*.feranepal.org.np*, True -*.ferca.com.ar*, True -*.ferdaus.my*, True -*.ferdaus.net*, True -*.ferdiansyah.web.id*, True -*.ferdionwebservices.ca*, True -*.ferdionwebservices.com*, True -*.feresteanu.ro*, True -*.ferfudem.cl*, True -*.fergalcullen.co.uk*, True -*.ferguson.org.au*, True -*.fergusonperkins.org*, True -*.fergusonresponse.com*, True -*.feria22.cf*, True -*.feria22.ga*, True -*.feria22.gq*, True -*.feria22.ml*, True -*.feria22.tk*, True -*.feriadearte.cl*, True -*.feriadelvinilo.cl*, True -*.feriasapp.com.ar*, True -*.feriascientificas.cl*, True -*.fericean.ro*, True -*.ferienhausandeer.ch*, True -*.ferienhaus-mimosa.ch*, True -*.ferienhaus-sizilien.net*, True -*.ferienwohnung-basel.ch*, True -*.ferkv.info*, True -*.ferlap.com*, True -*.ferlaycia.cl*, True -*.fermacontesti.ro*, True -*.ferma-k.ru*, True -*.fermasibioara.ro*, True -*.fermemachefer.ch*, True -*.fermietung.ch*, True -*.fermite.club*, True -*.fernan2.com.ar*, True -*.fernandafigueroa.com*, True -*.fernandesefreitas.adv.br*, True -*.fernandex.com.ar*, True -*.fernandezadrian.com*, True -*.fernandezcorona.com.ar*, True -*.fernandez-freres.ch*, True -*.fernandezgodinho.net*, True -*.fernandezgooch.com.ar*, True -*.fernandez-uliana.com.ar*, True -*.fernando-botero.biz*, True -*.fernando-botero.info*, True -*.fernandobotero.info*, True -*.fernandobotero.net*, True -*.fernando-botero.org*, True -*.fernandobotero.org*, True -*.fernando-botero-sculpture.com*, True -*.fernando-botero-sculpture.info*, True -*.fernando-botero-sculpture.net*, True -*.fernando-botero-sculpture.org*, True -*.fernando-botero-sculptures.com*, True -*.fernando-botero-sculptures.info*, True -*.fernando-botero-sculptures.net*, True -*.fernando-botero-sculptures.org*, True -*.fernando-botero-sculptures.us*, True -*.fernando-botero-sculpture.us*, True -*.fernando-botero.us*, True -*.fernandobotero.us*, True -*.fernandobucci.com.ar*, True -*.fernandocollova.com.ar*, True -*.fernandoduarte.ch*, True -*.fernandoferrero.com*, True -*.fernandomenoyo.com.ar*, True -*.fernandotoranzo.com.ar*, True -*.fernandovieira.net*, True -*.fernatex.com.ar*, True -*.fernhamconsulting.com*, True -*.fernhamconsulting.co.uk*, True -*.fernhamconsulting.net*, True -*.fernhout.info*, True -*.fernwoodwhc.com*, True -*.ferocom.ch*, True -*.feromag.net*, True -*.ferramenta.com.ar*, True -*.ferramentalp.com.ar*, True -*.ferranpegueroles.com*, True -*.ferranti.ch*, True -*.ferrariyasociados.cl*, True -*.ferrasur.cl*, True -*.ferregrupogc.com.ve*, True -*.ferreindustrialtocome.com.ve*, True -*.ferreira.ch*, True -*.ferreiralima.pt*, True -*.ferreteando-camaras.com.ve*, True -*.ferreteriadelhogar.com.ar*, True -*.ferreterialaslomas.cl*, True -*.ferreteriamas.cl*, True -*.ferreventas.com*, True -*.ferreya.com*, True -*.ferriagro.com.ar*, True -*.ferrini.mx*, True -*.ferrometal.biz.tr*, True -*.ferrometal.cl*, True -*.ferro-st.com*, True -*.ferrykohchang.com*, True -*.ferrytrain.com*, True -*.ferteste.com*, True -*.fertilitypinpoint.com*, True -*.ferusguild.com*, True -*.ferweb.com.ar*, True -*.ferywapper.tk*, True -*.fes-sakha.ru*, True -*.festalavista.com*, True -*.festinashop.si*, True -*.festincelestial.cl*, True -*.festivaldelacancionitaliana.com*, True -*.festivaldempb.com.br*, True -*.festivalnovabrasil.com*, True -*.festivalnovabrasilfm.com.br*, True -*.festivalprecario.cl*, True -*.feston.pw*, True -*.fetchmyjunk.com*, True -*.fetchnet.co.uk*, True -*.fete-des-clowns.ch*, True -*.fetedesmusiques.ch*, True -*.fetishdreaming.com*, True -*.fetsa.net*, True -*.fettflat.ru*, True -*.feuerwehr-embrachertal.ch*, True -*.fevcorp.com*, True -*.fe-ver.com*, True -*.feverleague.info*, True -*.fevzigandur.com*, True -*.fezfest.com*, True -*.ffafh.com*, True -*.ffdns.ga*, True -*.ffeineaddiction.com*, True -*.fffs.com.au*, True -*.ff-indonesia.com*, True -*.ffireprotect.com*, True -*.f-fix.fi*, True -*.ffkent.co.za*, True -*.ffld.at*, True -*.ffpropiedades.cl*, True -*.ffseguridadlaboral.com.ar*, True -*.ffww.ca*, True -*.ffy.ch*, True -*.fgate.co.za*, True -*.fgc.hk*, True -*.fggreenslade.info*, True -*.fg.gs*, True -*.fgh-hm.cl*, True -*.fgmlandscaping.com*, True -*.fgschaub.com*, True -*.fgstudios.com*, True -*.fgtest.co.za*, True -*.fgx.com.mx*, True -*.fharmony.com*, True -*.fhi.hk*, True -*.fhmasconstructoresasociados.com*, True -*.fhrfitness.com*, True -*.fhsthegovernor.com*, True -*.fhtagn-studios.co.uk*, True -*.fh-vie.at*, True -*.fhz.org.ar*, True -*.fiam.ch*, True -*.fianbakken.com*, True -*.fiat500.li*, True -*.fibarra.cl*, True -*.fiberdata.co.uk*, True -*.fibertech.co.id*, True -*.fibrared.cl*, True -*.fibresearch.com*, True -*.fibrofit.net*, True -*.fibrok.cl*, True -*.fibteam.tk*, True -*.ficacic.com*, True -*.ficciones.cl*, True -*.ficcuskids.cl*, True -*.fichaonline.cl*, True -*.ficiniwings.com*, True -*.fickinger.net*, True -*.fiction.al*, True -*.fictivelogics.com*, True -*.ficuschillan.cl*, True -*.fiddlefish.net*, True -*.fiddleheadconsultants.net*, True -*.fideicomisoactiva.com.ar*, True -*.fidelios.net*, True -*.fidelizacion.com.ar*, True -*.fidesconsulting.com.ar*, True -*.fido.be*, True -*.fidonet.be*, True -*.fidsnet.com*, True -*.fidzi.lv*, True -*.fiechter.co*, True -*.fieldflower.org*, True -*.fieldgatedataservices.co.uk*, True -*.fieldofstudy.com*, True -*.fieldsofeinherjar.com*, True -*.fieldsofhealth.net*, True -*.fiemsa.com.ar*, True -*.fiemusfortiores.info*, True -*.fierman.nl*, True -*.fiestadeldurazno.gob.ar*, True -*.fiesta-pasion.ch*, True -*.fiesta-plan.com*, True -*.fiestaymagia.cl*, True -*.fietronic.com*, True -*.fietsenindewoestijn.nl*, True -*.fifamericas.com*, True -*.fifaonline3.cf*, True -*.fifawin.com*, True -*.fi-forum.com*, True -*.fifteenfourtyone.com*, True -*.fifteenouts.com*, True -*.figdawood.cf*, True -*.fightclub.ir*, True -*.fightclubnorth.com*, True -*.fightdabite.com*, True -*.fighter.ga*, True -*.fighter.ml*, True -*.fightinbluehen.com*, True -*.fighting4sanity.com*, True -*.fightnews.ir*, True -*.fightstickasia.com*, True -*.fightstream.ca*, True -*.figless.net*, True -*.figleycomputing.cf*, True -*.figliolapropiedades.com.ar*, True -*.figuretalk.co.kr*, True -*.fiid.net*, True -*.fiiit.net*, True -*.fiiliskuva.fi*, True -*.fiirman.org*, True -*.fiji.lv*, True -*.fikerod.cf*, True -*.fiki.cf*, True -*.fikri-bot.tk*, True -*.fikri-server.net*, True -*.filakia.com.ar*, True -*.filauhim.uk*, True -*.filcor.ru*, True -*.fileadult.com*, True -*.fileaio.com*, True -*.filebase.eu*, True -*.filebits.org*, True -*.filebokep.info*, True -*.filecharge.com*, True -*.filedelivers.com*, True -*.filedownload24.com*, True -*.filegenerate.com*, True -*.fileku.ga*, True -*.filemp3.info*, True -*.filenova.tk*, True -*.filers.ru*, True -*.fileshark.web.id*, True -*.fileshuttle.biz*, True -*.fileshuttle.in*, True -*.filesmp3.ga*, True -*.filesmp3.net*, True -*.filestore365.com*, True -*.filewu.com*, True -*.fileyard.ru*, True -*.filhacks.com*, True -*.filial-kaschenko.ru*, True -*.filialkaschenko.ru*, True -*.filial-kashenko.ru*, True -*.filialkashenko.ru*, True -*.fil-i-gran.com*, True -*.filin8.ru*, True -*.filipegiusti.com*, True -*.filipegiusti.com.br*, True -*.filipegomes.com.br*, True -*.filippifarmar.com.ar*, True -*.filko.name*, True -*.filko.org*, True -*.fillaphobia.info*, True -*.fillyourcalendar.com*, True -*.filmandmoviereviews.com*, True -*.film-at-firle.com*, True -*.filmbeholder.com.ve*, True -*.filmbende.net*, True -*.filmdatabase.info*, True -*.filme2011.ro*, True -*.filmeclasice.ro*, True -*.filmecuporno.com*, True -*.filmehot.com*, True -*.filmehot.tk*, True -*.filmele2012.ro*, True -*.filme-online-hd.biz*, True -*.filmeonlinehdsubtitrate.com*, True -*.filmepenet.biz*, True -*.filmeregale.com*, True -*.filmeserialenoihd.com*, True -*.filmesiseriale.com*, True -*.filme-web.com*, True -*.filme-xxx-porno.net*, True -*.film-machine.com*, True -*.filmmeanings.com*, True -*.filmmeanings.net*, True -*.film-mentor.org*, True -*.filmnov.ru*, True -*.filmpendek.com*, True -*.filmseeky.com*, True -*.filmsound.ru*, True -*.filmsurinter.net*, True -*.filmtonmeister-berlin.com*, True -*.filmuleteporno.net*, True -*.filmwedding.ro*, True -*.filmysmotretonline.ru*, True -*.filnavet.se*, True -*.filoart.com.ar*, True -*.filodenetim.com*, True -*.filograna.info*, True -*.filometri.com*, True -*.filoxenoshotel.com*, True -*.filsafat-jawa.gq*, True -*.filsystem.ro*, True -*.filterairbekasi.com*, True -*.filtered-packets.net*, True -*.filth.ga*, True -*.filthyrich.cc*, True -*.filtroseuropa.com.br*, True -*.fima2013.com*, True -*.fimedi.com.ar*, True -*.fimijig.org*, True -*.fimo.org.il*, True -*.fimorev.cf*, True -*.fimoveis.com.br*, True -*.finadi.com.ar*, True -*.finalfilm.ru*, True -*.finalgenesis.org*, True -*.finali-ocepek.si*, True -*.finallitymu.com*, True -*.finaltestament.info*, True -*.financepros.org*, True -*.financetoyou.com*, True -*.financetoyou.com.au*, True -*.financeusainc.com*, True -*.financexpress.info*, True -*.financi.al*, True -*.financialadviserskent.com*, True -*.financialiq.com.ar*, True -*.financialkeys.com.au*, True -*.financieracreditcar.com.ar*, True -*.finansia.nu*, True -*.finansia.org*, True -*.finansproekt.ru*, True -*.finanzasonline.cl*, True -*.finanz.cl*, True -*.finanzenweb.org*, True -*.finbox.cl*, True -*.fincacalrei.com*, True -*.fincasangerardo.com.ar*, True -*.fincaslorenzo.es*, True -*.fincastorralba.com*, True -*.finchontour.co.uk*, True -*.fincore.bg*, True -*.fincore.biz*, True -*.findabook.com.au*, True -*.findacruisefriend.com*, True -*.findahealthyrecipe.com*, True -*.findajobnow.tk*, True -*.findandgo.net*, True -*.findaphoto.net*, True -*.findbook.ir*, True -*.findchinamanufacturer.com*, True -*.find-code.com*, True -*.finddebtadvice.com*, True -*.finder777.com*, True -*.findexadvertonux.pw*, True -*.findexbubjolkokmedia.pw*, True -*.findexbubkildesmedadv.pw*, True -*.findexdodbebgunmoladv.pw*, True -*.findexfedgeradvx.pw*, True -*.findexfledirtrok.pw*, True -*.findexloxecnuadvert.pw*, True -*.findexnontefhujkolpumedia.pw*, True -*.findexnungetxmedia.pw*, True -*.findexpromexmedia.pw*, True -*.findexquerguhlodmedia.pw*, True -*.findexrergonjokmedia.pw*, True -*.findexrirunedguhnom.pw*, True -*.findextegvedtumedia.pw*, True -*.find-find.com*, True -*.findhealthyrecipe.com*, True -*.findhotel.asia*, True -*.findian.fi*, True -*.findiapp.com.br*, True -*.findinglife.tk*, True -*.findingyourcalcutta.com*, True -*.find-it-equestrian.com*, True -*.findjess.com*, True -*.findjess.com.au*, True -*.findjobssearchwork.com*, True -*.findlaw.com.br*, True -*.find-me-a.biz*, True -*.findmeavax.com*, True -*.findmemyip.com*, True -*.findmybugs.com*, True -*.findmyjob.pl*, True -*.findsomehelp.com*, True -*.findsubdomain.com*, True -*.findthebestrecipe.com*, True -*.findthelead.com.ar*, True -*.findticks.com*, True -*.findu.pl*, True -*.findyourmatch.sg*, True -*.findyourpath.ca*, True -*.findyourspace.ca*, True -*.fineartphoto.com.br*, True -*.fineartsonweb.gr*, True -*.finecelticjewelry.com*, True -*.finejewelrystores.org*, True -*.finelights.mx*, True -*.finelinesbarbershop.com*, True -*.finepos.com*, True -*.finestead.com*, True -*.finetalent.hk*, True -*.fine-wallpaper.com*, True -*.finewinegiftbasket.com*, True -*.finewinegiftstore.com*, True -*.finger360.com*, True -*.fingerbox.es*, True -*.fingeret.com.ar*, True -*.fingerling.com.ar*, True -*.fingerskillz.net*, True -*.finini.org*, True -*.finishtime.co.za*, True -*.finisterreseguros.com*, True -*.finitelife.ca*, True -*.finitura.eu*, True -*.finixp.com*, True -*.finixp.eu*, True -*.finixp.fi*, True -*.finixp.info*, True -*.finixp.net*, True -*.finixp.org*, True -*.finlaw.fi*, True -*.finlaybull.co.uk*, True -*.finleynissa.com*, True -*.finnb.ml*, True -*.finn.hk*, True -*.finnie.me*, True -*.finniq.ru*, True -*.finnsk3.com*, True -*.finogle.net*, True -*.finogle.org*, True -*.finsco.ch*, True -*.finster.at*, True -*.fin-tech.com*, True -*.fintech-llc.com*, True -*.fintrading.com*, True -*.finucane.org*, True -*.finvercon.cl*, True -*.finvester.com*, True -*.finvox.cl*, True -*.fionaconlon.com.au*, True -*.fioramonti.ch*, True -*.fiordclub.ro*, True -*.fioridiitacoatiara.com.br*, True -*.fiorinis.com*, True -*.fioripalacehotel.com*, True -*.fiorora.com*, True -*.fiosdeouro.com.br*, True -*.fiosepontos.com.br*, True -*.fiosmetalicos.com.br*, True -*.fippu.ch*, True -*.fiprofi.ro*, True -*.fipscode.org*, True -*.fipure.com*, True -*.fiqihdotid.com*, True -*.fiqrahglobal.my*, True -*.firamalaysia.net*, True -*.firan.de*, True -*.firarumahbusana.com*, True -*.firdauszainal.my*, True -*.firdauszali.net*, True -*.firdman.com*, True -*.fireandstrings.com*, True -*.fireandvice.com*, True -*.firebay.cn*, True -*.firebot.cf*, True -*.firebox-host.net*, True -*.firebrands.se*, True -*.firecoral.com*, True -*.fire-credit.com*, True -*.firedragon.tw*, True -*.firedupaboutsafety.com.au*, True -*.firefighterperks.com*, True -*.fireflies.bz*, True -*.fire.gen.tr*, True -*.fireimen.ir*, True -*.fire-light.cf*, True -*.fire-light.ga*, True -*.fire-light.gq*, True -*.fire-light.ml*, True -*.firenight.ee*, True -*.firens.ca*, True -*.firerehab.org*, True -*.firesystem.eu*, True -*.firewoodbyrick.com*, True -*.fir.hk*, True -*.firica.ro*, True -*.firkesh.com*, True -*.firmalinda.cl*, True -*.firmanaja.tk*, True -*.firmavoz.com.ar*, True -*.firmax3asia.my*, True -*.firmdeco.ro*, True -*.firmowo.info*, True -*.firsamodegrosir.com*, True -*.first-aid.ch*, True -*.firstaid.ch*, True -*.firstaid.co.il*, True -*.firstaidforourtroops.biz*, True -*.firstaidforourtroops.net*, True -*.firstaidforourtroops.org*, True -*.firstaidsolutions.com.au*, True -*.firstbyte.ir*, True -*.firstchoicelimos.com.au*, True -*.firstconsult.in*, True -*.firstcry.sg*, True -*.firstfrontdesk.in*, True -*.firstimage.biz*, True -*.firstjobsforpilots.com.au*, True -*.firstmachineparts.com*, True -*.first-minute.si*, True -*.firstoccurrence.com*, True -*.firstoffice.com.br*, True -*.firstopenoffice.in*, True -*.firstpetinsurance.co.za*, True -*.firstrealtyresources.com*, True -*.firstsailorsbay.com.au*, True -*.firstsipzz.com.au*, True -*.firststartonline.com*, True -*.firsttechsys.org*, True -*.firsttelevisioninvented.com*, True -*.firsttradingusa.com*, True -*.firstunitgamingts.tk*, True -*.firstunix.net*, True -*.firstwatch.com.ar*, True -*.first-web-solutions.ro*, True -*.firstwebsolutions.ro*, True -*.firstworld.info*, True -*.fir-tree.ru*, True -*.fiscale.cf*, True -*.fiscalmatic.com*, True -*.fiscalmeteringconsultants.com*, True -*.fiscalmeteringconsultants.co.uk*, True -*.fiscalmetering.org.uk*, True -*.fiscalonline.com.br*, True -*.fiscalorg.com*, True -*.fischfamily.net*, True -*.fischibau.ch*, True -*.fishanatics.co.za*, True -*.fishbloggers.com*, True -*.fishbonesoftware.com*, True -*.fishbreeding.tw*, True -*.fishcracker.net*, True -*.fishdoger.com*, True -*.fisherabode.com*, True -*.fisherandlisa.com*, True -*.fisherevans.com*, True -*.fisheria.cl*, True -*.fisherman.pt*, True -*.fishesatthepoint.com.au*, True -*.fisheyemicro.com*, True -*.fishfingers.eu*, True -*.fishfortomorrow.org*, True -*.fishfriends.ch*, True -*.fishfx.com*, True -*.fishingcharterpanamacityflorida.com*, True -*.fishing-sofine.com*, True -*.fishlin.com*, True -*.fishmarket.md*, True -*.fishme.be*, True -*.fishnetstalking.com*, True -*.fishpl8.com*, True -*.fishpl8.co.uk*, True -*.fishsouthamerican.cl*, True -*.fishvarnet.com*, True -*.fishybumpmaps.us*, True -*.fisierulmeu.ro*, True -*.fisikateknik.org*, True -*.fisiomejor.com.ve*, True -*.fision.cl*, True -*.fiske.co.za*, True -*.fiskhamnens-akeri.se*, True -*.fissioncontrols.com.au*, True -*.fissiondivision.com*, True -*.fit22.cf*, True -*.fit22.ga*, True -*.fit22.gq*, True -*.fit22.ml*, True -*.fit22.tk*, True -*.fitcoin.fi*, True -*.fitforeverhk.com*, True -*.fitgid.ru*, True -*.fitmeal.org*, True -*.fitnessboxen.se*, True -*.fitness-companion.co*, True -*.fitnessdieta.com*, True -*.fitnessforums.net*, True -*.fitness-land.ch*, True -*.fitnesslink.kz*, True -*.fitotecnologia.cl*, True -*.fitriastylecianjur.web.id*, True -*.fitrighani.com*, True -*.fitrighani.my*, True -*.fitsofts.com*, True -*.fittingfinance.com*, True -*.fittingfinance.com.au*, True -*.fittter.co*, True -*.fitzard.com*, True -*.fitzgeraldgroup.net*, True -*.fitzgeralditgroup.com*, True -*.fitzgerald.tk*, True -*.fitzgerald-white.net*, True -*.fitzroyelectrical.com.au*, True -*.fiveboros.com*, True -*.fivedollarhelp.com*, True -*.fivehokies.com*, True -*.fivelive.co.za*, True -*.fivenorthmedia.com*, True -*.fivepals.com*, True -*.fivepathsandpitfalls.com*, True -*.fiveray.net*, True -*.fiverrbomber.ga*, True -*.fivesec.com.br*, True -*.fivestarfreak.com*, True -*.fivestars.com.my*, True -*.fivestarservices.com.au*, True -*.fivestars.lv*, True -*.fivestarstudio.ro*, True -*.fivetek.mx*, True -*.fivewaysdental.com.au*, True -*.fivian.ch*, True -*.fivtrans.ro*, True -*.fivva.net*, True -*.fix4pc.com*, True -*.fixable.ca*, True -*.fixamajig.com*, True -*.fixamajig.info*, True -*.fixamajig.net*, True -*.fixamajig.org*, True -*.fixanexismediaoko.pw*, True -*.fixbubikomediared.pw*, True -*.fixcecolkmediasgs.pw*, True -*.fixcreditscore.ga*, True -*.fixed.cl*, True -*.fixeensexdate.nl*, True -*.fixelixaxmediasxs.pw*, True -*.fixen.com.ar*, True -*.fixexecomkomediaoxs.pw*, True -*.fixhuniolmediaqxs.pw*, True -*.fixitcomputers.co.nz*, True -*.fixitnowmd.com*, True -*.fixit-shop.com*, True -*.fixjutoikmediasbs.pw*, True -*.fixkinkamediasxs.pw*, True -*.fixleakyshowerfaucet.com*, True -*.fixmed.net*, True -*.fixmyheatingandcooling.com*, True -*.fixnow.com.my*, True -*.fixnuikolmmediawew.pw*, True -*.fixpro.cl*, True -*.fixsis.com.ar*, True -*.fixtil.se*, True -*.fixtools.cl*, True -*.fixtubedkmediaseres.pw*, True -*.fixturlaser.cl*, True -*.fixunidosmediasis.pw*, True -*.fixunikosmediaexe.pw*, True -*.fixvevedmediacec.pw*, True -*.fizelle.org*, True -*.fizicamedicala.ro*, True -*.fizica.ro*, True -*.fiziocenter.ro*, True -*.fiziologie.ro*, True -*.fiz-math.ru*, True -*.fizmed.ro*, True -*.fizood.com*, True -*.fizzul.my*, True -*.fj0.se*, True -*.fj3k.com*, True -*.fjhsolutions.com*, True -*.fjordenbaby.com*, True -*.fjpl.es*, True -*.fjra.es*, True -*.fjsz.com.ve*, True -*.fjtth.com*, True -*.fk168.co*, True -*.fkalinka.ru*, True -*.fkas.info*, True -*.fkgfw.tk*, True -*.fkipunlam.ac.id*, True -*.fkk-online.de*, True -*.fkk-zone.de*, True -*.fkmpp.web.id*, True -*.fkps.ml*, True -*.fkspartak.com*, True -*.fkspartakzlatiborvoda.com*, True -*.fkx999.com*, True -*.flababa.com*, True -*.flababa.net*, True -*.fladds.tk*, True -*.flaesche.ch*, True -*.flag.fi*, True -*.flagrent.com*, True -*.flairforfabric.com*, True -*.flakamerica.com*, True -*.flakamerica.com.ar*, True -*.fla-keys.biz*, True -*.flakeys.biz*, True -*.fla-keys.info*, True -*.flakeys.info*, True -*.flako.cl*, True -*.flakthemighty.net*, True -*.flamefeed.net*, True -*.flamehaze.info*, True -*.flamencowomen.com*, True -*.flamer.eu*, True -*.flamex.hm*, True -*.flamingbaby.com*, True -*.flamingnaan.com*, True -*.flamingopark.tc*, True -*.flamingovolley.lt*, True -*.flammini.com.ar*, True -*.flammini.it*, True -*.flamurkasa.tk*, True -*.flank.com*, True -*.flapp.ga*, True -*.flappii.net*, True -*.flapps.com.ar*, True -*.flappy.club*, True -*.flarecorp.com*, True -*.flare.ga*, True -*.flarequest.tk*, True -*.flashcontrol.in*, True -*.flashfit.me*, True -*.flashgamesclip.com*, True -*.flashii.org*, True -*.flashleech.in*, True -*.flashscreamer.com*, True -*.flash-server.com*, True -*.flashservers.in*, True -*.flash-tech.ro*, True -*.flashwave.nl*, True -*.flat4free.com*, True -*.flatboys.com*, True -*.flatenyourbelly.com*, True -*.flatey.is*, True -*.flatlandfamily.com*, True -*.flatlandresources.com*, True -*.flatmando.com*, True -*.flatown.com*, True -*.flatscreentv.co.za*, True -*.flatworld.org.uk*, True -*.flaviaehilseartefloral.com.br*, True -*.flaviar.club*, True -*.flavyamutran.com.br*, True -*.flazzard.com*, True -*.flca.com.au*, True -*.fleebook.com*, True -*.flegontov.com*, True -*.flejtuchy.tk*, True -*.flemister.org*, True -*.flerida.cl*, True -*.flesjar.is*, True -*.fletcher.org.za*, True -*.fletcher.se*, True -*.fletescerrito.com.ar*, True -*.fletesymudanzas.cl*, True -*.flet.gq*, True -*.flexasistemas.com.ar*, True -*.flexbeltinfo.com*, True -*.flexibleconduitelectric.com*, True -*.flexible-demeanor.com*, True -*.flexiblegeeks.com*, True -*.flexicant.ro*, True -*.flexiguias.com*, True -*.fleximage.com*, True -*.fleximage.org*, True -*.flexis-ltd.com*, True -*.flexopack.cl*, True -*.flexopress.ru*, True -*.flexotech.in*, True -*.flexster.pl*, True -*.flexwebstore.com*, True -*.fliabarrigon.com.ar*, True -*.fliamarrero.com.ar*, True -*.fliapose.com.ar*, True -*.flibe.net*, True -*.flibnet.org*, True -*.flickmeanings.com*, True -*.flickmeanings.net*, True -*.flickmeanings.org*, True -*.flightbooker.co.za*, True -*.flightcom-msk.net*, True -*.flightcom-ru.net*, True -*.flightcomru.net*, True -*.flightsdelight.com*, True -*.flights-of-insight.com*, True -*.flightsonline.ro*, True -*.flightxpertlive.tk*, True -*.flimmyflan.com*, True -*.flindr.tk*, True -*.flink.cl*, True -*.flintham.net*, True -*.flintriverah.com*, True -*.flipa.co.uk*, True -*.flipbooks.cl*, True -*.flipleapp.com*, True -*.flippedclassroom.hk*, True -*.flipperbat.se*, True -*.flippergiggle.com*, True -*.flippersoft.in*, True -*.flipporntube.pw*, True -*.flippycat.com*, True -*.fliptw.com*, True -*.flirtnetic.com*, True -*.flirtologist.tk*, True -*.flirto.tk*, True -*.flirty.ml*, True -*.flirtz.cf*, True -*.flirtz.tk*, True -*.flisback.com*, True -*.flno.ga*, True -*.floater.one.pl*, True -*.float.tw*, True -*.floatworld.net*, True -*.flobamor.com*, True -*.flojin.cf*, True -*.flole-debian.tk*, True -*.floledeutschland.tk*, True -*.flolehost.tk*, True -*.floleserv.tk*, True -*.floleusa.tk*, True -*.flomar.com.br*, True -*.flonight.com*, True -*.floodmonitor.net*, True -*.floopy.ga*, True -*.flooringdecking.com*, True -*.flooring-melbourne.com*, True -*.floorpirates.com*, True -*.floower.ga*, True -*.floozy.ca*, True -*.floplus.com*, True -*.flora123.ru*, True -*.florafamily.com*, True -*.floraflowers.com.pk*, True -*.flor.al*, True -*.florariaclarisa.ro*, True -*.florariadymeg.ro*, True -*.florariaiza.ro*, True -*.floras.cl*, True -*.florbr.com*, True -*.flordekor.sk*, True -*.flordeldesierto.cl*, True -*.flordelisblanqueria.com.ar*, True -*.florenceandferarri.com*, True -*.florenceandferrari.com*, True -*.florence.hk*, True -*.florenceleon.com*, True -*.florenciarossi.com.ar*, True -*.florenciatrading.es*, True -*.florens.lv*, True -*.flores-bach.cl*, True -*.floresdebachchile.cl*, True -*.floresshantal.cl*, True -*.florian-blaettler.ch*, True -*.florian-einzinger.de*, True -*.florianocrivelli.ch*, True -*.floriano.me*, True -*.florianwalsh.com*, True -*.floridasmarthome.com*, True -*.floridastatefairauthority.com*, True -*.floridastatefairauthority.net*, True -*.floridastatefairauthority.org*, True -*.floridas-techniek.nl*, True -*.floridegradina.ro*, True -*.floridianstar.com*, True -*.florinchindea.ro*, True -*.florindinescu.ro*, True -*.florinmoldoveanu.ro*, True -*.florino.com.ar*, True -*.florinsalam.co.uk*, True -*.florinscutaru.ro*, True -*.floriography.info*, True -*.floripalondon.com*, True -*.floripentrugradina.ro*, True -*.florisicadouriinspirate.ro*, True -*.floristeriamarisol.com.ve*, True -*.florstrom.fi*, True -*.flosk.se*, True -*.flostonresources.in*, True -*.flota.cl*, True -*.flouid.ch*, True -*.flouret.com.ar*, True -*.floverity.com*, True -*.floverity.ru*, True -*.flowadvertising.ro*, True -*.flowbikesshop.cl*, True -*.flow-dividers.com*, True -*.flower2vietnam.com*, True -*.floweradvisor.cn*, True -*.floweradvisor.co.id*, True -*.floweradvisor.co.kr*, True -*.floweradvisor.com.au*, True -*.floweradvisor.com.my*, True -*.floweradvisor.co.uk*, True -*.floweradvisor.net*, True -*.flower-bar.ru*, True -*.flowerbridals.com*, True -*.flowerindehouse.com*, True -*.flowersbydonna.co.uk*, True -*.flowersdraught.com*, True -*.flowersend.co.il*, True -*.flowersgroup.com*, True -*.flowpool.cf*, True -*.flowtex.hu*, True -*.floyedlobo.com*, True -*.flphp.com*, True -*.flpturki.com*, True -*.flr.io*, True -*.flr-race-funone.info*, True -*.flsoccerscene.com*, True -*.flsquare.ga*, True -*.fltr.org*, True -*.fluck.com.ar*, True -*.fluctum.com*, True -*.fluegge-web.net*, True -*.fluero-heizungen.ch*, True -*.fluffinity.tk*, True -*.fluffyfiles.co.uk*, True -*.flughoehe.ch*, True -*.flu.id.au*, True -*.fluidbiz.biz*, True -*.fluidbiz.com*, True -*.fluidbiz.net*, True -*.fluidbiz.org*, True -*.fluimec.com.br*, True -*.flukiest.com*, True -*.flurstr17.de*, True -*.flusflis.com*, True -*.flushandfill.com*, True -*.flutterpony.org*, True -*.fluvial.ro*, True -*.flux.gq*, True -*.fluxit.com.ar*, True -*.fluxit-tools.com.ar*, True -*.fluxodesign.net*, True -*.fluxus.org*, True -*.fly365.co*, True -*.flyapachepass.com*, True -*.flyar.net*, True -*.flyb4.com*, True -*.flyb4ubuy.co.uk*, True -*.fly-bt.com*, True -*.flycro.ru*, True -*.flydewey.com*, True -*.flyermark.com*, True -*.flyer-shop.net*, True -*.flyes.ru*, True -*.flygklubbencumulus.fi*, True -*.flyingina.com*, True -*.flyingrhino.com*, True -*.flyingsloth.net*, True -*.flyingsquad.my*, True -*.flyingtonkatsu.com*, True -*.flyinsolo.cc*, True -*.flyinthepie.com*, True -*.flyintosky.tw*, True -*.flyjack.com*, True -*.flykev.info*, True -*.fly-land.ch*, True -*.flymeeting.ch*, True -*.flymk.com*, True -*.fly-net.ro*, True -*.flynet.ro*, True -*.flynncom.net*, True -*.flyovercities.com*, True -*.flyrtner.com*, True -*.flysky.ro*, True -*.flytech.ga*, True -*.flytecnam.com*, True -*.flyticket.ch*, True -*.fmautomoveis.com*, True -*.fmautomoveis.tk*, True -*.fmck.nu*, True -*.fmcuartocreciente.com.ar*, True -*.fmec.me*, True -*.fme.mx*, True -*.fmg.co.id*, True -*.fm-generation.ro*, True -*.fmgenesis.com.ar*, True -*.fmicloud.ch*, True -*.fmmagazine.com.au*, True -*.fmosarl.ch*, True -*.fmreports.com*, True -*.fmrp.com.my*, True -*.fmser993.com.ar*, True -*.fmshell.ml*, True -*.fmsl.com.ar*, True -*.fmv-kleinluetzel.ch*, True -*.fmzahra.com*, True -*.fn047.com*, True -*.fna66.com*, True -*.fna77.com*, True -*.fna87.com*, True -*.fnacc.com.br*, True -*.fnagel.com*, True -*.fnav.com.br*, True -*.fnca.com.br*, True -*.fndvd.com*, True -*.fnmr.ro*, True -*.fnord.com.ar*, True -*.fns-apia.ro*, True -*.fnsgr.com*, True -*.foamboard.hk*, True -*.fobel.net*, True -*.fobitukv.cf*, True -*.fobi.web.id*, True -*.fobos89eood.com*, True -*.foby.ca*, True -*.focalapps.com*, True -*.focirend.cf*, True -*.focusadventure.com.my*, True -*.focusbc.com.au*, True -*.focusec.com*, True -*.focus-fundraising.com*, True -*.focusgh.cl*, True -*.focushypnotherapyclinic.co.uk*, True -*.focusimm.ro*, True -*.focusit.com.ar*, True -*.focusmarketing.us*, True -*.focusships.com*, True -*.focust25shaunt.com*, True -*.focusthenation.org*, True -*.fodcast.com.br*, True -*.foe1957.com*, True -*.fofx.org*, True -*.fogcitybujinkan.com*, True -*.fogehu.es*, True -*.fogelman.com.ar*, True -*.foggydew.org*, True -*.fogoneros.org*, True -*.fogostop.es*, True -*.fog.pt*, True -*.foguckyourself.com*, True -*.fohmix.com*, True -*.foiles.org*, True -*.fok44.com*, True -*.fok66.com*, True -*.fok77.com*, True -*.fok88.com*, True -*.fok96.com*, True -*.fokin.pro*, True -*.fokus.co.za*, True -*.fokus.lv*, True -*.fokusmetalurgi.com*, True -*.fol.cl*, True -*.foldawaycuttingtable.com*, True -*.folder8.com*, True -*.foldingbikes4u.co.uk*, True -*.foldiz.com*, True -*.foldpaper.ch*, True -*.foleysbarinch.com*, True -*.folgueramaquinarias.com.ar*, True -*.folhadevotorantim.com.br*, True -*.folio.ga*, True -*.folkbibeln.nu*, True -*.folkeverything.com*, True -*.folkhit.com*, True -*.folklandmanagement.com*, True -*.folkmania.ro*, True -*.folksmade.com.br*, True -*.follow.cf*, True -*.followerforyou.org*, True -*.followergratiss.net*, True -*.followerindo.org*, True -*.followers4rt.com*, True -*.followers.com.ar*, True -*.followershipleadership.com*, True -*.followmotors.com*, True -*.followmotors.com.br*, True -*.followmotors.net*, True -*.followmotors.net.br*, True -*.followthebrowns.com*, True -*.follow-your-health.com*, True -*.folmail.cl*, True -*.folscher.co.za*, True -*.folscher.info*, True -*.fomcomm.ru*, True -*.fomentinvest.pt*, True -*.fometv.com*, True -*.fominykh.com*, True -*.fonarick.com*, True -*.fonarick.ru*, True -*.fondabsolut.ru*, True -*.fond-airr.ru*, True -*.fondantymas.com*, True -*.fondation-curling.ch*, True -*.fondazionebraglia.ch*, True -*.fon-ding.com*, True -*.fondodeolla.cl*, True -*.fondomar.com.ve*, True -*.fondomutuoonline.cl*, True -*.fondosonline.cl*, True -*.fondpodderjki.ru*, True -*.fonera.be*, True -*.fonesw.com*, True -*.fonglisu.com*, True -*.fongraf.cl*, True -*.fonoaudiologiasp.com.br*, True -*.fonsecaianniniadvocacia.com.br*, True -*.fonsecaiannini.com.br*, True -*.fons.org.np*, True -*.fonssluiter.nl*, True -*.fontagames.es*, True -*.fontana.com.ar*, True -*.fontelinux.com.br*, True -*.fonusaccessory.com*, True -*.foobarto.com*, True -*.food4bachelor.com*, True -*.foodbeauty.net*, True -*.foodcolor.ch*, True -*.foodeditorials.com.au*, True -*.foodfight.co.za*, True -*.foodie4.com*, True -*.foodiefamily.me*, True -*.foodies.ro*, True -*.foodking.hk*, True -*.foodmas.com*, True -*.foodpath.co.za*, True -*.foodplanner.com.au*, True -*.foodr.co*, True -*.foodrunsthelens.tk*, True -*.foodsmart.nu*, True -*.foodway.co.uk*, True -*.foodwithareason.com*, True -*.foojutsu.org*, True -*.fookanen.com*, True -*.fookhingchemical.com*, True -*.fookhinginc.com*, True -*.fookpan.com*, True -*.foolishfaith.com*, True -*.foolon.com*, True -*.foolwithnohill.com*, True -*.foolwithoutahill.com*, True -*.foolwithoutthehill.com*, True -*.fooproxy.com*, True -*.foosa.us*, True -*.fooshcbtf.com.au*, True -*.footb.al*, True -*.football-7.com*, True -*.footballgods.net*, True -*.footballmanagerdatabases.co.uk*, True -*.footballmatcher.co.uk*, True -*.footballpoint.ro*, True -*.footballtoaster.com*, True -*.footensalle.be*, True -*.foottyfootty.com*, True -*.footube.com*, True -*.footynews.info*, True -*.foo.waw.pl*, True -*.foponline.org*, True -*.foptoday.com*, True -*.foradaestrada.com.br*, True -*.foragecake.com*, True -*.foragerworld.com.au*, True -*.forapk.mobi*, True -*.forask.tk*, True -*.forbesconsultingusa.com*, True -*.forbeshobbies.com*, True -*.forbit.ga*, True -*.forbrains.com*, True -*.for-build.com*, True -*.force5.ro*, True -*.forcebravo.tk*, True -*.forcecorp.net.au*, True -*.forcedme.me*, True -*.forceforks.com.au*, True -*.forcelimited.com.au*, True -*.forcepoint.com*, True -*.forcetake.com*, True -*.fordays.com.au*, True -*.fordelm.com*, True -*.fordeniorden.no*, True -*.fordgt.com.au*, True -*.ford-herndon.com*, True -*.fordherndon.com*, True -*.fordherndon.net*, True -*.fordherndon.org*, True -*.fordlandau.com*, True -*.ford-reutov.ru*, True -*.fordsimone.com.ar*, True -*.foreignersinslovenia.si*, True -*.forelorn.com*, True -*.foremostgerm.com*, True -*.forensiclab.net*, True -*.forenza.com.br*, True -*.foresidechurch.org*, True -*.foresightdb.us*, True -*.foresightgroup.pl*, True -*.forestcityasp.net*, True -*.forestcove.info*, True -*.forestcreature.co.uk*, True -*.forestheathfurnishings.co.uk*, True -*.forestt.net*, True -*.forever-20.com*, True -*.forever-christa.ch*, True -*.foreverfine.com*, True -*.foreverfitwithkristin.com*, True -*.foreverforever.co.uk*, True -*.foreveronvideo.com*, True -*.foreverpetshop.ro*, True -*.foreverrich99.com*, True -*.foreverwind.com*, True -*.foreverwindtp.com*, True -*.forexacademy.co.id*, True -*.forexa.tk*, True -*.forexbursatil.com*, True -*.forexcopy-mocaz.com*, True -*.forexfreeinfo.ru*, True -*.forexgroupinc.com*, True -*.forexg.tk*, True -*.forexideas.info*, True -*.forexlivecharts.info*, True -*.forexreview.mobi*, True -*.forexsales.info*, True -*.forexsignalsreview.info*, True -*.forextraderprogram.info*, True -*.forex-trading-brokers.info*, True -*.forextradingguides.info*, True -*.forextradingrobots.info*, True -*.forextradingsystem.net*, True -*.forfunsociety.com*, True -*.forgeahead.in*, True -*.forgerymc.org*, True -*.forgetacne.co*, True -*.forgetitwasbroken.com*, True -*.forgetmenows.com*, True -*.forgettable.name*, True -*.forgingmytomorrow.org*, True -*.forgottenages.com*, True -*.forgottenbay.org*, True -*.forgottenexile.org*, True -*.forgotteniron.com*, True -*.forgottheaddress.com*, True -*.forgotyourname.com*, True -*.forinho.com*, True -*.foritospyp.tk*, True -*.forjadosgep.com.ar*, True -*.forjasudamericana.com.ar*, True -*.forjota.com.ar*, True -*.forkbomb.nl*, True -*.forkendorf.de*, True -*.forkendorf.net*, True -*.forkwhilefork.io*, True -*.forkwhilefork.me*, True -*.forlifesiam.com*, True -*.form7server.com*, True -*.formaguatemala.org*, True -*.formare-antreprenoriala.ro*, True -*.formas.ro*, True -*.format.cf*, True -*.formatfactoryproductions.com*, True -*.formatiaambient.ro*, True -*.formatiavatra.ro*, True -*.formation-privee-cgt.org*, True -*.formatoonline.com.br*, True -*.formatum.fi*, True -*.formazionelavoro.it*, True -*.formazioneoleodinamica.it*, True -*.formazioneprofessionale.it*, True -*.formazione-vendita.it*, True -*.formications.com*, True -*.formliker.cf*, True -*.formliker.ga*, True -*.formliker.tk*, True -*.formoffice.net*, True -*.formosaclub.com*, True -*.formpak.com*, True -*.formpak.co.za*, True -*.formslive.com*, True -*.formulacabelos.com.br*, True -*.formulador.com.ar*, True -*.formulaford.co.za*, True -*.formulaone.fi*, True -*.formula-wellness.com*, True -*.form-world.hk*, True -*.fornal.biz*, True -*.fornazinconsultoria.com.br*, True -*.foro.am*, True -*.forodeastrologia.com.ar*, True -*.forodecanosmercosur.com.ar*, True -*.forosocialamericas.org*, True -*.foro.su*, True -*.foroutannezhad.com*, True -*.forovet.com.ar*, True -*.forratti.com.br*, True -*.forsalebyowner.sg*, True -*.forsazh7a.cf*, True -*.forsazh7b.cf*, True -*.forsazh7c.cf*, True -*.forsazh7d.cf*, True -*.forshed.se*, True -*.forsheredmp3.com*, True -*.forss.to*, True -*.forsterholidayz.com.au*, True -*.forster-tuncurry.com.au*, True -*.forstertuncurryrealestate.com*, True -*.forstop.pt*, True -*.forsuref1.co.uk*, True -*.fortacivicasatumare.ro*, True -*.forta.co.id*, True -*.fortalezadelvalle.com.ar*, True -*.fortaweso.me.uk*, True -*.fortbendcountypropertytaxreduction.com*, True -*.fortcollinsmodernquiltguild.com*, True -*.fortcooke.com*, True -*.forteriehandgunclub.ca*, True -*.fortescu.com*, True -*.fortespeciale.ro*, True -*.forthewin.ga*, True -*.forthmusictherapy.com*, True -*.fortiman.com*, True -*.fortindeurquiza.com.ar*, True -*.fortinet.co.za*, True -*.fortini-forage.ch*, True -*.fortin.us*, True -*.fortiusflooring.com.au*, True -*.fortkickar.se*, True -*.fort-myers-seo.com*, True -*.fortnightmoon.tk*, True -*.fortpecktribesmni.org*, True -*.fortressco.com*, True -*.fortresscomputerpros.com*, True -*.fortsegpa.com.br*, True -*.fortsel.ga*, True -*.fortunatfroelich.com*, True -*.fortune-bet.com*, True -*.fortune-sports.com*, True -*.fortunki.pl*, True -*.fortus.com.tr*, True -*.fortytwo.fi*, True -*.forum4hk.com*, True -*.forumbanjaran.ga*, True -*.forumbinus.com*, True -*.forumcc.cc*, True -*.forumcode.com*, True -*.forumdangdut.com*, True -*.forumdetectiv.ro*, True -*.forumjualbeli.net*, True -*.forummodelism.ro*, True -*.forumnewbie.net*, True -*.forumoneassociation.com*, True -*.forumpopulardesaude.com.br*, True -*.forum-profit.com*, True -*.forumprofit.ru*, True -*.forumremix.com*, True -*.forumsrus.com*, True -*.forumvox.ro*, True -*.forwardairsolutions.info*, True -*.forwiz.ru*, True -*.forwiz.tk*, True -*.forza.xyz*, True -*.forzee.org*, True -*.fosfoto.com*, True -*.foskasse.org*, True -*.fosme.eu*, True -*.fosskultur.com*, True -*.fosterfarmsandnewmansown.net*, True -*.fosterra.co.nz*, True -*.fotbalalacluj.ro*, True -*.fotbalrezultatelive.ro*, True -*.fotcarmidale.org.au*, True -*.fotillon.cl*, True -*.foto-akademija.com*, True -*.fotobook.cc*, True -*.fotocam.cl*, True -*.fotocampanella.com.ar*, True -*.fotocatalogo.com.ar*, True -*.fotocikolata.com*, True -*.fotocloud.ch*, True -*.fotocolormanole.ro*, True -*.fotodepilacaoluzpulsada.com.br*, True -*.fotoestetik.ru*, True -*.fotogood.ru*, True -*.fotografiartestudio.cl*, True -*.fotografiasbb.cl*, True -*.fotografiaslubnabydgoszcz.info*, True -*.fotografieonline.ro*, True -*.fotografii-nunta.ro*, True -*.fotograflar.com*, True -*.fotogrzeszkowiak.pl*, True -*.fotokratia.ru*, True -*.fotokurs-reisen.ch*, True -*.fotolandia.com.ar*, True -*.fotoleu.ch*, True -*.foto-matrimonio.cl*, True -*.fotomika.ch*, True -*.fotoms.at*, True -*.fotopartybox.ch*, True -*.fotopla.net*, True -*.fotorzutnik.pl*, True -*.fotosaereasrs.com.br*, True -*.fotosbyart.com*, True -*.foto-scan.eu*, True -*.foto-server.ch*, True -*.fotospanas.com*, True -*.fotospanoramicas.org*, True -*.fotosvaquejada.com*, True -*.fotovideo-evenimente.ro*, True -*.fotovideonuntibotezuri.ro*, True -*.fotowar.ru*, True -*.fotoxpert.ro*, True -*.fots.org.np*, True -*.foubert.ca*, True -*.foubware.net*, True -*.fougly.com*, True -*.fouladkar.ir*, True -*.foundation.cz*, True -*.foundationhouse.org*, True -*.founder.lv*, True -*.founder-w.xyz*, True -*.fountainfestival.com*, True -*.fountainwoodhoa.com*, True -*.four2theizz0.com*, True -*.fouracesonline.com*, True -*.fourdawgs.com*, True -*.f-our.ga*, True -*.fourgiven.org*, True -*.fourie.co.uk*, True -*.fourie.uk*, True -*.fourmedical.pt*, True -*.fourmi.com.my*, True -*.fourplusmedia.net*, True -*.fourstatesgasket.com*, True -*.fourteam.web.id*, True -*.four-tech.co.id*, True -*.fouruzesh.com*, True -*.fourwindstechnology.com.au*, True -*.fourworldscollide.com*, True -*.fouska.com*, True -*.foveroracing.cf*, True -*.fowell.net*, True -*.fowlercentral.com.au*, True -*.fowlergo.org*, True -*.fowlerhomes.com.au*, True -*.fowlermonti.com.ar*, True -*.fowlernet.com*, True -*.foxbcx.net*, True -*.foxdhan.us*, True -*.foxeng.ca*, True -*.foxfix.co.il*, True -*.foxflox.ru*, True -*.foxitbokibigmedia.pw*, True -*.foxlan.ru*, True -*.foxmarketing.us*, True -*.foxtangolead.com*, True -*.foxterrierclubnsw.com*, True -*.foxwolfblood.me*, True -*.foxxbeauty.net*, True -*.foxx.cl*, True -*.foxxmag.com*, True -*.foxybox.ru*, True -*.foxyexposure.com*, True -*.foyelmapu.com.ar*, True -*.foznet.me*, True -*.fp-8585.com*, True -*.fp-9090.com*, True -*.fp-ace.com*, True -*.fpadrepier.cl*, True -*.fp-burg.ch*, True -*.fpburg.ch*, True -*.fp-cgv.com*, True -*.fpdoctor.com*, True -*.fpfi.cl*, True -*.fp-formacionprofesional.com*, True -*.fpgpensions.com*, True -*.fp-group.com.my*, True -*.fpino.cl*, True -*.fp-jj.com*, True -*.fp-king.com*, True -*.fp-legend.com*, True -*.fp-menziken.ch*, True -*.fpmenziken.ch*, True -*.fprint.ro*, True -*.fpt.mx*, True -*.fpuerlo.es*, True -*.fpv-race.ch*, True -*.fpvrace.ch*, True -*.fpv-racer.ch*, True -*.fqcash.com*, True -*.fr0z3n.cf*, True -*.fraanje.info*, True -*.fracasadaspoliticaschinasentibet.org*, True -*.fractalaudiovisuales.cl*, True -*.fractal.in*, True -*.fractalp.net*, True -*.fractionalfarthing.com*, True -*.fracturedphilosophy.com*, True -*.fracturedworlds.net*, True -*.fradelar.pt*, True -*.fradkin.com.ar*, True -*.fragaestampados.cl*, True -*.fragale.com.ar*, True -*.fraggedstuff.com*, True -*.fragil-world.ch*, True -*.fragmentary.info*, True -*.fragozo.com.br*, True -*.frag.space*, True -*.fragstore.org*, True -*.frags.us*, True -*.framboesadeouro.com.br*, True -*.fram.ch*, True -*.framemytrip.com.au*, True -*.framesdean.com*, True -*.framewire.org*, True -*.frameworkmedia.co.za*, True -*.frameworkplus.co.za*, True -*.frameworktelecom.co.za*, True -*.framingmatters.com.au*, True -*.framis.lv*, True -*.framtidstankar.se*, True -*.franc1994.tk*, True -*.francemacau.com*, True -*.francescaandjens.com*, True -*.francescaundjens.de*, True -*.francescograniglia.com*, True -*.francescograniglia.it*, True -*.franche.ca*, True -*.franchisecandidates.com*, True -*.francigenaturismo.com*, True -*.francinevieira.com.br*, True -*.franciscablesystems.com*, True -*.franciscoferreiraazevedo.com.br*, True -*.franciscomolina.net*, True -*.franciscosantamaria.me*, True -*.franciscovarela.cl*, True -*.francobocchio.com.ar*, True -*.francocanepa.cl*, True -*.francosoft.com.br*, True -*.frandana.or.id*, True -*.frandre.net*, True -*.franegredo.com.br*, True -*.frank-baum.de*, True -*.frankboh.de*, True -*.frankengels.net*, True -*.frankengels.org*, True -*.frankiedesign.de*, True -*.frankieg.co.za*, True -*.frankie-martin.co.uk*, True -*.frankiesek.eu*, True -*.frankmalfaraservice.ca*, True -*.frankmeise.com*, True -*.franknsoft.com*, True -*.frankoovalles.com*, True -*.frankseibel.com*, True -*.frankts.com*, True -*.fransizing.si*, True -*.frantzen.ch*, True -*.franzbaer.com*, True -*.franz-schubert.com*, True -*.frapell.com*, True -*.frappon.com*, True -*.fraqart.ru*, True -*.frasersharp.com*, True -*.fraserwentworth.ca*, True -*.fratautii-vechi.ro*, True -*.fratellisolano.com.ar*, True -*.fraternidadsmde.com.ar*, True -*.fraternita.com.br*, True -*.fratimeridiani.it*, True -*.frattonspark.co.uk*, True -*.fraudfax.com*, True -*.frauenfeld-garten.ch*, True -*.frauenforum-wetzikon.ch*, True -*.frawst.com*, True -*.fraydamian.org*, True -*.fraze.cz*, True -*.frazerjohn.com*, True -*.frazerjohn.co.uk*, True -*.freakas-server.tk*, True -*.freakas.tk*, True -*.freakbeacon.com*, True -*.frealty.net*, True -*.frebib.net*, True -*.frecksoftware.com*, True -*.frecuenciamalargue.com.ar*, True -*.fredcarno.tk*, True -*.freddydowsing.co.uk*, True -*.freddy.mx*, True -*.fredericcote.com*, True -*.frederickrpolli.com*, True -*.fredhome.net*, True -*.fredi.si*, True -*.fredrealone.com*, True -*.fredriklowenhamn.se*, True -*.fredsnet.us*, True -*.fredthesquirrel.com*, True -*.fredtiklompopmedia.pw*, True -*.fredwsmithinc.com*, True -*.fredwsmithinc.net*, True -*.fredymargairaz.ch*, True -*.fredynascimento.com.br*, True -*.fredytoscano.com.ar*, True -*.free0pulsaandkuota.ga*, True -*.free2cook.com*, True -*.free2cook.ru*, True -*.free2gb.ga*, True -*.free2tryit.ro*, True -*.free4business.org*, True -*.free4dating.eu*, True -*.free4dog.ch*, True -*.free4host.ga*, True -*.free4net.ch*, True -*.freeadak.org*, True -*.freeadschina.cn*, True -*.freeadwordsscripts.com*, True -*.freeagentnet.net*, True -*.freealbum.ro*, True -*.freealbums.ro*, True -*.freealloc.com*, True -*.freealloc.net*, True -*.freea.name*, True -*.freeartist.name*, True -*.free-as.tk*, True -*.freebetsforyou.com*, True -*.freeblogs.ro*, True -*.freeblogtutorial.tk*, True -*.freebnc.eu*, True -*.freebookspot.es*, True -*.freebox.ro*, True -*.freebsdhosting.tk*, True -*.freebsd.md*, True -*.freebsd-mexico.com*, True -*.freebsd.ml*, True -*.freebsd.net.au*, True -*.freebsd.ro*, True -*.freebtc.com*, True -*.freecall.net.au*, True -*.freecertificateofcompletiontemplate.com*, True -*.freechan.org*, True -*.freecloud.bg*, True -*.freecoffee.net.au*, True -*.freecom.cl*, True -*.freecpanel.gq*, True -*.freedbase.com*, True -*.freedeals.sg*, True -*.freedi.tk*, True -*.freediverindonesia.com*, True -*.freedombytes.us*, True -*.freedomdriver.com.au*, True -*.freedomforfelons.com*, True -*.freedomforip.org*, True -*.freedomit.co.za*, True -*.freedomofsoftware.org*, True -*.freedomsexshop.com.mx*, True -*.freedownloadfile.ru*, True -*.freedustin.com*, True -*.freeedi.ch*, True -*.freeenterpriseseguros.com.br*, True -*.freeexamproject.net*, True -*.freeflix.tk*, True -*.freefly.li*, True -*.freeformdesign.com.au*, True -*.freeformfit.com.au*, True -*.freeformfit.me*, True -*.freeformtent.com*, True -*.freeformtent.com.au*, True -*.freeformtents.com.au*, True -*.freeforums.ro*, True -*.freefri.es*, True -*.freehats.net*, True -*.freehold.io*, True -*.freeinvestmentinfo.com*, True -*.freeip.it*, True -*.free-iptv.eu*, True -*.freeit.inf.br*, True -*.freeklubxemiss.co*, True -*.freeklubxemisterapp.co*, True -*.freeklubxemisterart.co*, True -*.freeklubxemisterbox.co*, True -*.freeklubxemister.co*, True -*.freeklubxemisterlife.co*, True -*.freeklubxemisterpro.co*, True -*.freeklubxemistershop.co*, True -*.freeklubxemistertech.co*, True -*.freeklubxemisterweb.co*, True -*.free-lagump3.com*, True -*.freelancewise.com*, True -*.freemanfamily.info*, True -*.freemath.ch*, True -*.freemedicalconsentforms.net*, True -*.freemedicalexcuseforms.net*, True -*.freemeditation.ie*, True -*.freemusic.ga*, True -*.freemusik.net*, True -*.freemycents.com*, True -*.free-net.ro*, True -*.freengers.com*, True -*.freenode.cz*, True -*.freeofflu.com*, True -*.freeofvirus.com*, True -*.freeonlineaz.com*, True -*.freeonlinepokerinfo.com*, True -*.free-o.ru*, True -*.freepage.hu*, True -*.freepanchenlama.org*, True -*.freeparking.hk*, True -*.freepcg.net*, True -*.freepedia.ro*, True -*.freephysics.org*, True -*.free-pic.org*, True -*.freepkok.tk*, True -*.freepornpicsxxx.com*, True -*.freeportfutbol.com*, True -*.freeporttransportation.com*, True -*.freeprogrammi.ru*, True -*.freepropertymanagementbook.com*, True -*.freepublicvent.com*, True -*.freequeer.org*, True -*.freeradio.ro*, True -*.free-rangeeggs.com*, True -*.freerentalapplication.org*, True -*.freerideclub.com.ar*, True -*.freerider.cf*, True -*.freerox.tk*, True -*.freer.ru*, True -*.freerunwines.com*, True -*.freerworld.com*, True -*.freerworld.org*, True -*.freesailors.com*, True -*.freesa.org*, True -*.freesave.ga*, True -*.freeschool.co.uk*, True -*.freesector.ru*, True -*.free-server.co.uk*, True -*.freeservermonitoring.com*, True -*.freeserver.ro*, True -*.freeservers.ro*, True -*.freeshinythings.com*, True -*.freesidetrading.co*, True -*.free-sim.co.uk*, True -*.freesoftdownloader.com*, True -*.freesoftwares.ir*, True -*.freespin.eu*, True -*.free-standards.ro*, True -*.freestatecomputerservices.com*, True -*.freestuffed.net*, True -*.freestyle.dj*, True -*.freestylelive.co.uk*, True -*.freestyle-software.com*, True -*.freestyletent.com.au*, True -*.freesurfing.cf*, True -*.freetechweb.com*, True -*.freetelkomselspeed.cf*, True -*.freetenzindelek.org*, True -*.freethink.com.au*, True -*.freethinkerslive.com*, True -*.freethinkerslive.co.uk*, True -*.freetibetanheroes.org*, True -*.freetools.xyz*, True -*.freetruthordare.com*, True -*.freeuploadphotos.com*, True -*.freeutm.org*, True -*.freeview.ro*, True -*.freevouchers.com.my*, True -*.free-vpn.tk*, True -*.freevz.com*, True -*.freewayservice.eu*, True -*.freewebsite.ro*, True -*.freewebsites.ro*, True -*.freezfile.ga*, True -*.frehnerfoto.ch*, True -*.frehners-blingbling.ch*, True -*.frehners.ch*, True -*.freifeld.tk*, True -*.freifrei.ch*, True -*.frei-gesundheit.ch*, True -*.freightforce.co.uk*, True -*.freightwise.co.za*, True -*.frei-kunstschmiede.ch*, True -*.frei-pokorny.ch*, True -*.frei-service.ch*, True -*.freixido.com*, True -*.frela.org*, True -*.fremen.cl*, True -*.fremoda.com*, True -*.frenchalley.com*, True -*.frenchconnection.com.br*, True -*.frenchplaysinenglish.co.uk*, True -*.frenchpress.com.au*, True -*.frenchresources.info*, True -*.frenom.gq*, True -*.frentzgzesh.info*, True -*.frentz.net*, True -*.frequency23.com*, True -*.frequencydb.com*, True -*.freridein.nl*, True -*.f-rescure.cf*, True -*.freser-khv.ru*, True -*.freshatlanticseafood.com*, True -*.freshbookers.com*, True -*.freshcafes.com*, True -*.freshclouds.net*, True -*.freshcvv.us*, True -*.freshdeportocale.ro*, True -*.freshdns.com*, True -*.freshdrygarlic.com*, True -*.freshfaces.com.my*, True -*.freshingredients.asia*, True -*.freshingredients.net*, True -*.freshouse88.com*, True -*.fresh-perspectives-counseling.com*, True -*.fresh-space.ru*, True -*.freshstartsacramento.com*, True -*.freshtech.ir*, True -*.freshtechs.com.ve*, True -*.freshty.com*, True -*.freshvending.ro*, True -*.freshvermont.info*, True -*.freshwater-ip.com*, True -*.fresnels.tk*, True -*.fressen.ml*, True -*.fresspunkt.ch*, True -*.frestel.se*, True -*.fresti.pt*, True -*.fretale.com*, True -*.fretv.eu*, True -*.freund-schafft.ch*, True -*.frex.biz*, True -*.frhumannet.com*, True -*.friar-cba.com.ar*, True -*.fribergs.com*, True -*.frickalou.com*, True -*.frickelscheisse.de*, True -*.fridg.com*, True -*.fridgecow.com*, True -*.fridgesealers.co.nz*, True -*.fridgestickies.com*, True -*.fridgesticky.com*, True -*.friedcpu.com*, True -*.friedmanfamily.org*, True -*.friedmann.co.il*, True -*.friedpope.com*, True -*.friedtal.ch*, True -*.friendapp.me*, True -*.friendator.com*, True -*.friendface.us*, True -*.friendfamily.id.au*, True -*.friend.fi*, True -*.friend.id.au*, True -*.friendistan.com*, True -*.friendlyneighborhoodrepairshop.com*, True -*.friendshipsforlife.com*, True -*.friendship.tw*, True -*.friendsmo.tk*, True -*.friendsofdowntownpensacola.com*, True -*.friendsofforma.org*, True -*.friendsofinfotech.com*, True -*.friendsofjosephinelynn.org*, True -*.friendsofpensacolabeach.com*, True -*.friendsofthefrenchquarter.com*, True -*.friendsofthequarter.com*, True -*.friendsoftware.ro*, True -*.friendsvil.tk*, True -*.friendswithben.com*, True -*.friendswithben.net*, True -*.friendz4u.info*, True -*.friendzmesh.com*, True -*.frierdich.net*, True -*.friesian.org*, True -*.frigginjoe.com*, True -*.frightdome.hk*, True -*.frigment.com*, True -*.frigoara.com.br*, True -*.frigogreen.rs*, True -*.frii-music.com*, True -*.frikilinux.com.ar*, True -*.frimag.net*, True -*.friman.us*, True -*.frinal.com*, True -*.frinfomed.net*, True -*.fringemedia.com.my*, True -*.fripac.com*, True -*.fririki.net*, True -*.frischdraws.com*, True -*.frischholz.ch*, True -*.friseurdudy.de*, True -*.frishkorn.net*, True -*.frishkorn.org*, True -*.friska-deo.com*, True -*.fristineflores.com*, True -*.fritsandfriends.nl*, True -*.fritsche.org*, True -*.frittorp3.eu*, True -*.fritzload.tk*, True -*.frix.se*, True -*.frizerie-balotesti.eu*, True -*.frizerskistudio9.net*, True -*.frmovies.net*, True -*.frndclub.tk*, True -*.frndslove.ml*, True -*.frndszone.ml*, True -*.frnumero.com*, True -*.frobish.us*, True -*.frocat.com*, True -*.froelicher.org*, True -*.froggyheart.com*, True -*.frogherd.com*, True -*.frogmetrics.com*, True -*.frognikpodtrebmedia.pw*, True -*.frohsinn-china-thai.ch*, True -*.froissart.eu*, True -*.fromagerie-cottens.ch*, True -*.fromagerie-courtelary.ch*, True -*.from-brasil.com*, True -*.fromcrimetochrist.com*, True -*.fromhell.lv*, True -*.fromhome.ch*, True -*.from.io*, True -*.frommessengers.com*, True -*.frompaper.com*, True -*.from.tw*, True -*.fromwork2play.com*, True -*.fromyu.ru*, True -*.frontdesign.org*, True -*.frontdesk.cl*, True -*.frontdeskng.com*, True -*.frontends.net*, True -*.fronteranet.com*, True -*.frontier-apps.info*, True -*.frontyardlandscapingideas.com*, True -*.frostalertemail.com*, True -*.frostalf.net*, True -*.frostcatcher.com*, True -*.frostcraft.ca*, True -*.frostmartin.com*, True -*.frostmartinfinancial.com*, True -*.frosty-nee.net*, True -*.frotamix.com.br*, True -*.froukjemuller.nl*, True -*.frozenbear.com*, True -*.frozendevelopers.com*, True -*.frozenhearts.com*, True -*.frozensummer.co.uk*, True -*.frozen-team.com*, True -*.fr-pallet.com*, True -*.frpgroundsupport.com*, True -*.frpg.us*, True -*.frrm.de*, True -*.frsimon.uk*, True -*.fr.to*, True -*.frubal.com*, True -*.fruchtzauber.ch*, True -*.fruehwirth.cc*, True -*.frugem.ch*, True -*.fruimex.cl*, True -*.frukter.org*, True -*.frulimic.cl*, True -*.frussian.com.ar*, True -*.frutalinda.net*, True -*.frutascachorrita.com.ar*, True -*.frutoschilenos.cl*, True -*.fryed.org*, True -*.fryinglotus.com*, True -*.frytec.tk*, True -*.frzone.net*, True -*.frzone.org*, True -*.fsabogados.cl*, True -*.fsagc.org*, True -*.fsala.com.ar*, True -*.fsal.ru*, True -*.fsaude.com.br*, True -*.fsbartender.com.ar*, True -*.fsbolivar.com.ve*, True -*.fscking.org*, True -*.fsck.my*, True -*.fsckoff.tk*, True -*.fsck.ro*, True -*.fs.com.my*, True -*.fs-dl.net*, True -*.fseconomy.ga*, True -*.fsehk.com*, True -*.fselnl.net*, True -*.fsforums.ir*, True -*.fsgasket.com*, True -*.fsgi.web.id*, True -*.fsharp.ch*, True -*.fsimco.com*, True -*.fsimftp.com*, True -*.fsimonline.us*, True -*.fs-indo.com*, True -*.fsinspector.com*, True -*.fsjb.com.br*, True -*.fskamnik.si*, True -*.fskbbs.tk*, True -*.fsker.tk*, True -*.fskhai.net*, True -*.fskwd.tk*, True -*.fslainc.com*, True -*.fsl.mx*, True -*.fsm77.com*, True -*.fsm87.com*, True -*.fsmelllubxemister.co*, True -*.fs.net.ve*, True -*.fso.no*, True -*.fsosleeds.com*, True -*.fsps.or.id*, True -*.fsrc.ch*, True -*.fsremote.co.uk*, True -*.fsrinc.biz*, True -*.fsrs-trading.nl*, True -*.fstimer.org*, True -*.fstinklubxemister.co*, True -*.fsturzenegger.com.ar*, True -*.fsustentable.cl*, True -*.fszq.org*, True -*.ft-03.com*, True -*.fta-n-more.com*, True -*.fta-n-more.us*, True -*.ftarifa.com.ar*, True -*.ft-b.net*, True -*.ftc66.com*, True -*.ftc77.com*, True -*.ftc87.com*, True -*.ftcomp.ru*, True -*.f-tech.ro*, True -*.ftech-server.com.ar*, True -*.fteixeira.org*, True -*.fteks.com*, True -*.ft.lc*, True -*.ftl-dev.tk*, True -*.ftoons.com*, True -*.ftoranzo.com.ar*, True -*.ftouch.com*, True -*.ftouch.com.au*, True -*.ftouch.co.uk*, True -*.ftouch.info*, True -*.ftpartigeste.tk*, True -*.ftphd.com*, True -*.ftpinc.ca*, True -*.ftp.sh*, True -*.ftpwap.com*, True -*.ftp-welt.com*, True -*.ftthbeg.tk*, True -*.ft-toto.com*, True -*.ftw.net.au*, True -*.ft-worth.org*, True -*.fuad.com.au*, True -*.fubarr.net*, True -*.fubarsolutions.com*, True -*.fucheng-marble.com*, True -*.fuchsar.com.ar*, True -*.fuckablegirls.eu*, True -*.fuckabunchamonkeys.com*, True -*.fuck-art.com*, True -*.fuckchriskyle.com*, True -*.fuckencio.com*, True -*.fuckgender.com*, True -*.fuckingg.tk*, True -*.fuckingrags.com*, True -*.fuckingwhat.com*, True -*.fuckinwhores.net*, True -*.fuckitfriday.com*, True -*.fuckitfriday.net*, True -*.fuckitfriday.org*, True -*.fuckitgo.com*, True -*.fuckmaster.tk*, True -*.fuckmate.tk*, True -*.fuckmob.cf*, True -*.fuckoff-and-die.com*, True -*.fuckoff.ch*, True -*.fuckoffdawson.com*, True -*.fuckoffitty-land.info*, True -*.fuck-off-o.org*, True -*.fuckr.cf*, True -*.fucktard.tk*, True -*.fuckthepolice.pw*, True -*.fuckthetroll.ru*, True -*.fuckwikia.com*, True -*.fuckyoualsharpton.com*, True -*.fuckyoueveryone.com*, True -*.fuckyoueverything.com*, True -*.fudluv.com*, True -*.fudo.cl*, True -*.fuel5.com*, True -*.fuelfive.com*, True -*.fuel.org.il*, True -*.fuelpumps.com*, True -*.fuelpumps.org*, True -*.fuerafuera.com*, True -*.fuerhacker.at*, True -*.fuerkleinepfoten.ch*, True -*.fuerzachile.cl*, True -*.fufme.de*, True -*.fufu.hk*, True -*.fugas.pl*, True -*.fugate.cl*, True -*.fuggle.id.au*, True -*.fuglett.com*, True -*.fuglybucks.com*, True -*.fuglyforums.com*, True -*.fuglyfugly.com*, True -*.fuglymedia.com*, True -*.fuglyornot.com*, True -*.fuglystore.com*, True -*.fu-good.tw*, True -*.fuguang888.com*, True -*.fuhaw.com*, True -*.fuhaw.net*, True -*.fuhloizle.info*, True -*.fuhrer.ml*, True -*.fuihan.com*, True -*.fuirio.com*, True -*.fujicochan.com*, True -*.fujiinternational.co*, True -*.fujikura.ro*, True -*.fukumori.com.br*, True -*.fuli.in*, True -*.fullalbums.com*, True -*.full-auto.ro*, True -*.fullbeast.com*, True -*.fullblownkirk.com*, True -*.fullboy.com*, True -*.fullcharged.com*, True -*.fullcirclerecords.ca*, True -*.fullcirclestudio.com*, True -*.fullcolourprinters.com*, True -*.fullcomputerservice.com*, True -*.fullcoursesolutions.com*, True -*.fullcoveronline.com*, True -*.fulleb.com*, True -*.fullertoncompanies.com*, True -*.fullertonlumbercompany.com*, True -*.fullframe.com.ar*, True -*.fullgraf.com.br*, True -*.fullhousepub.ro*, True -*.fullikers.cf*, True -*.fullimgs.net*, True -*.fullin.com.ar*, True -*.fulliptv.org*, True -*.fulliptv.us*, True -*.fulllove.org*, True -*.fullman315.com*, True -*.fullmoonradio.com.ar*, True -*.fullmp3city.com*, True -*.fullofshapes.com*, True -*.fullplatefilms.com*, True -*.fullrisk.com.ar*, True -*.fullscalewebdesign.com*, True -*.fullsense.com.br*, True -*.fullspeedtechnology.com*, True -*.fullspeed.tv*, True -*.fullstack.cl*, True -*.fullstackdeveloper.be*, True -*.fullstackdeveloper.eu*, True -*.fullstackdevelopers.be*, True -*.fullstackdevelopers.eu*, True -*.fullstackdevelopers.nl*, True -*.fullstacktechnologies.com*, True -*.full-tilt4x4.com*, True -*.fulltimevillain.net*, True -*.fulltutorial.com*, True -*.fullyencrypt.me*, True -*.fulmerites.org*, True -*.fulpet.com.tr*, True -*.fulton.id.au*, True -*.fulwoodpreston.org*, True -*.fumi2.jp*, True -*.fumi2.net*, True -*.fumigadoresasoc.com.ar*, True -*.fumoff.com*, True -*.fun2map.com*, True -*.fun4dog.ru*, True -*.funaos-welt.de*, True -*.funaos-welt.tk*, True -*.funarchy.org*, True -*.fun-bin.com*, True -*.funbnc.com*, True -*.funboss-serveur.tk*, True -*.funcando.com.ar*, True -*.funchasing.com*, True -*.funcionarios-bna.com.ar*, True -*.funcionariosdelbna.com.ar*, True -*.funclub.co.il*, True -*.function64.com*, True -*.function64.net*, True -*.fund8.tk*, True -*.fundacaoromeningh.pt*, True -*.fundacija-avgustakuharja.si*, True -*.fundacionacarapua.org.ar*, True -*.fundacionagreste.org.ar*, True -*.fundacionalzaturostro.org*, True -*.fundacionaprendamos.cl*, True -*.fundacioncidea.org.ar*, True -*.fundacionciencomart.org.ar*, True -*.fundacioncopaipa.org.ar*, True -*.fundacionencuentro.org.ar*, True -*.fundaciongospa.com*, True -*.fundaciongospa.org*, True -*.fundacionhuesped.org.ar*, True -*.fundacionislasanjose.com*, True -*.fundacionislasanjose.net*, True -*.fundacionislasanjose.org*, True -*.fundacionlobal.org*, True -*.fundacionsimas.org.ar*, True -*.fundacionsipas.org.ar*, True -*.fundacionsointral.cl*, True -*.fundacionuaa.org.mx*, True -*.fundacionvicenciana.com.ve*, True -*.fundae.org.br*, True -*.fundap.med.br*, True -*.fundatiamir.ro*, True -*.fundatia-noroc.ro*, True -*.fundatiastrengari.ro*, True -*.fundatia-sundari.ro*, True -*.fundaumc.org.ve*, True -*.fundot.tw*, True -*.fundraisingconsulting.ro*, True -*.fundrun.us*, True -*.fundsantacruz.org*, True -*.fundsrecovered.com*, True -*.fundulus.tk*, True -*.funerarefortuna.ro*, True -*.fun-eventos.com.ar*, True -*.funevent.ro*, True -*.funfashioncases.com*, True -*.funfitnessandlearning.com.au*, True -*.fun-gate.ro*, True -*.fungineers.net*, True -*.funguii.com*, True -*.funitems-collector.de*, True -*.funkar.nu*, True -*.funk.co.za*, True -*.funkmachine.ro*, True -*.funkorporation.ro*, True -*.funktum.fi*, True -*.funkycracker.com*, True -*.funkycracker.net*, True -*.funkykidz.net*, True -*.funky-penguin.com*, True -*.funkyrecycling.com*, True -*.funkyskunky.ca*, True -*.funkyskunky.com*, True -*.funkyskunky.net*, True -*.funkyskunky.org*, True -*.funky.su*, True -*.funky.sx*, True -*.funkytorino.com.ar*, True -*.funmire.com*, True -*.funnychat.tk*, True -*.funny.cl*, True -*.funnypictures.ro*, True -*.funny-quotations.com*, True -*.funnyworker.tw*, True -*.funold.com*, True -*.funosaurus.com*, True -*.funphoto.com.br*, True -*.funphysics.eu*, True -*.funplatform.ro*, True -*.funprono.com*, True -*.funsites.org*, True -*.funtv.gq*, True -*.funtv.ru*, True -*.fununi.ir*, True -*.funwarez.ru*, True -*.funworks.ir*, True -*.funxd.in*, True -*.funz.cf*, True -*.furbano.cf*, True -*.fureh.se*, True -*.furest.ch*, True -*.furfolio.org*, True -*.furinet.net*, True -*.furkan.cf*, True -*.furness-cars.co.uk*, True -*.furnicar.ro*, True -*.furniturelaboratorium.com*, True -*.furnizorlemn.ro*, True -*.furno.net*, True -*.furorgas.ch*, True -*.furque.com*, True -*.furque.com.ar*, True -*.furrer-schaer.ch*, True -*.furriesare.sexy*, True -*.furryfacegifts.com*, True -*.furryfiction.com*, True -*.furrynom.tk*, True -*.furryplace.eu*, True -*.furtado.eti.br*, True -*.furtner.ca*, True -*.furweb.com*, True -*.furyspark.nl*, True -*.fuseone.com*, True -*.fuseserv.com*, True -*.fusion-algorithms.com*, True -*.fusioncolor.com.ar*, True -*.fusion-mail.com*, True -*.fusionnetworks.cf*, True -*.fusion.one.pl*, True -*.fusionsh.com.ar*, True -*.fusionsite.tk*, True -*.fusiovitrion.com.ar*, True -*.fusir.com*, True -*.fussymonkey.co.uk*, True -*.fustachira.org.ve*, True -*.futatraw.com.ar*, True -*.futbolamericano.com.ar*, True -*.futboldemiercoles.com.ar*, True -*.futbolist.info*, True -*.futbolitosanfernando.cl*, True -*.futch.org*, True -*.futch.us*, True -*.futilegames.com*, True -*.futonlounge.info*, True -*.futparcel.net*, True -*.futsalnesia.com*, True -*.futtrading.com*, True -*.futureapparatuslaboratories.com*, True -*.futurebatch.ml*, True -*.futuregadgetlab.net*, True -*.future-generation.tk*, True -*.futurehomeautomation.net*, True -*.futurehomeautomation.org*, True -*.futurehomeautomation.us*, True -*.futurelearning.org.tr*, True -*.futureliving.eu*, True -*.futurella.ru*, True -*.futuremarket.ro*, True -*.future-pen.com*, True -*.futureposers.net*, True -*.futuroanterior.com.ar*, True -*.futuroanteriorediciones.com*, True -*.futuroextremo.com.ar*, True -*.futurolegal.com.br*, True -*.futuromercado.com*, True -*.futurone.com*, True -*.futuware.com.br*, True -*.fuuz.us*, True -*.fuvo.com*, True -*.fuxion.us*, True -*.fuyuge.com*, True -*.fuyun.cl*, True -*.fuyuran.com*, True -*.fuzziecaterpillar.com*, True -*.fuzzier.net*, True -*.fuzzwuzzle.com*, True -*.fuzzyanimals.net*, True -*.fuzzycbr.com*, True -*.fuzzyfacetheater.com*, True -*.fuzzyfelt.net*, True -*.fuzzyflamingo.tk*, True -*.fuzzyhost.co.uk*, True -*.fuzzylactic.cl*, True -*.fuzzypickle.ca*, True -*.fuzzything.com*, True -*.fvdata.uk*, True -*.fvmed.ch*, True -*.fv-mob.de*, True -*.fvps.us*, True -*.fwcleecher.org*, True -*.fwcoaching.com*, True -*.fwmodular.com*, True -*.fwnet.ca*, True -*.fwschenkenbergertal.ch*, True -*.fwsolutions.com.ve*, True -*.fwsys.net*, True -*.fwsystems.com.ar*, True -*.fxbug.tk*, True -*.fx-cash.net*, True -*.fxci.com*, True -*.fxcoin.cl*, True -*.fxdj.co.uk*, True -*.fxdj.uk*, True -*.fx-ft-systemsag.com*, True -*.fxlongterm.com*, True -*.fxme.ch*, True -*.fxmisc.org*, True -*.fxner.tk*, True -*.fxnwd.tk*, True -*.fxnxs.com*, True -*.fxpers.net*, True -*.fxsend.com*, True -*.fxtransfer.net*, True -*.fx-und-ro.si*, True -*.fxvn.net*, True -*.fxxl.com*, True -*.fybochina.tk*, True -*.fyctransporte.com.ar*, True -*.fydv.cl*, True -*.fyfssm.com*, True -*.fygconsultoria.com.ar*, True -*.fyl.es*, True -*.fyles.com*, True -*.fylme.com*, True -*.fymsa.mx*, True -*.fyof.com*, True -*.fyoga.co.uk*, True -*.fyoga.tv*, True -*.fyreneiss.info*, True -*.fyrenrealms.com*, True -*.fyrsten.fi*, True -*.fyruz.my*, True -*.fysiomotion.se*, True -*.fzarc.me*, True -*.fzb-cercetare.ro*, True -*.fzconstrucoes.com.br*, True -*.fzhost.org*, True -*.fzhost.ro*, True -*.g0dd.com*, True -*.g10solutions.com.br*, True -*.g1en.com*, True -*.g1f.ru*, True -*.g1osphere.ch*, True -*.g24.ch*, True -*.g2it.co*, True -*.g33k.com.ve*, True -*.g3n.ru*, True -*.g3-projects.com*, True -*.g47.com.ru*, True -*.g4group.me*, True -*.g6.my*, True -*.g7tecnologia.com.br*, True -*.g7telecom.com.br*, True -*.g7world.biz*, True -*.g7world.com*, True -*.g83itb.org*, True -*.g8org.ru*, True -*.ga1566.com*, True -*.gaa59.com*, True -*.gaacbrokerage.com*, True -*.gaad.ro*, True -*.gaangle.in*, True -*.gaaspump.com*, True -*.gaaspump.net*, True -*.gaaspump.org*, True -*.gabbarsing.tk*, True -*.gabconstant.ro*, True -*.gabel-holzbau.ch*, True -*.gabeshouse.net*, True -*.gabezia.eu*, True -*.gabin.ro*, True -*.gabor.si*, True -*.gabo-stroi.eu*, True -*.gabrielachacinestrada.com.ve*, True -*.gabrielane.net*, True -*.gabrielbueno.com.ar*, True -*.gabrielcanepa.com.ar*, True -*.gabrielcartana.com.ar*, True -*.gabrielcarvajal.cl*, True -*.gabrieldasilva.com.br*, True -*.gabrieldufour.com*, True -*.gabrieleguia.com.ar*, True -*.gabrielleiva.com.ar*, True -*.gabrielmerino.com.ar*, True -*.gabriel.mu*, True -*.gabrielmutu.ro*, True -*.gabrielnobrega.com*, True -*.gabrielnwingyan.com*, True -*.gabrielorge.com.ar*, True -*.gabrielsaldivia.com*, True -*.gabriel.st*, True -*.gabriel-topala.com*, True -*.gabrielvilar.com.br*, True -*.gabriolacycle.ca*, True -*.gabroveanu.ro*, True -*.gabxxs.com*, True -*.gabyan.com*, True -*.gadee.mx*, True -*.gadgetboyj.com*, True -*.gadget-center.co.il*, True -*.gadgetexperts.com*, True -*.gadget.md*, True -*.gadgetz.net*, True -*.gadis.cf*, True -*.gadisdepok.tk*, True -*.gadisku.ml*, True -*.gadis.ninja*, True -*.gadi-tayar.co.il*, True -*.gadjahmada.info*, True -*.gadjet.md*, True -*.gadogadomusik.com*, True -*.gaertnerei-meili.ch*, True -*.gafhs.tk*, True -*.gaft.info*, True -*.gagegigogu.ga*, True -*.gage-leather.com*, True -*.gagescu.com*, True -*.gagged.ro*, True -*.gagigu.ga*, True -*.gagigugego.ga*, True -*.gag-moshlam.co.il*, True -*.gagnier.info*, True -*.gagor.pl*, True -*.gagu.ch*, True -*.gaguk.cl*, True -*.gagupa.com.br*, True -*.gaiabuenosaires.com.ar*, True -*.gaigerain.me*, True -*.gaijinmedia.ro*, True -*.gainao.biz*, True -*.gainao.co*, True -*.gainaoguoji.cn*, True -*.gainao.info*, True -*.gainao.mobi*, True -*.gaingon.net*, True -*.gairing.ch*, True -*.gaiwurugby.org*, True -*.gajahmadafm.co.id*, True -*.gajah.web.id*, True -*.gajel-nung.cf*, True -*.gajendra710.com.np*, True -*.gajic.rs*, True -*.gajo.us*, True -*.galacomputing.co.uk*, True -*.galacticfrontier.tk*, True -*.galactic.ml*, True -*.galagym.com.ar*, True -*.galaia.info*, True -*.galaia.pt*, True -*.galamb.com.ar*, True -*.galangliker.ml*, True -*.galangsukses.com*, True -*.galanolefki.com*, True -*.galapagosandcruises.com*, True -*.galatec.com.mx*, True -*.galaxiaiq.ro*, True -*.galaxicom.tk*, True -*.galaxion.com*, True -*.galaxion.net*, True -*.galaxi-pc.com*, True -*.galaxybuy.net*, True -*.galaxycenter2010.cl*, True -*.galaxyflower.com*, True -*.galaxy.my*, True -*.galaxy-neon.com*, True -*.galaxysangkar.com*, True -*.galaxysoft.ro*, True -*.galea.id.au*, True -*.galecki.us*, True -*.galecsy.com*, True -*.galei.com.ar*, True -*.galende.com.ar*, True -*.galeriadelosocho.cl*, True -*.galeriaslabon.com*, True -*.galeriasnejana.com*, True -*.galeriatallerdelmono.cl*, True -*.galeriehametner.at*, True -*.galeriez.ch*, True -*.galerilampuku.com*, True -*.galerimusik.ga*, True -*.galerisolehah.com.my*, True -*.galerymesinjahit.com*, True -*.galesvillepack61.com*, True -*.galette.com.ar*, True -*.galgoldshtein.co.il*, True -*.galibator.com*, True -*.gali.be*, True -*.galifep.cf*, True -*.galih2001.com*, True -*.galiksy.com*, True -*.galileogiftedschool.org*, True -*.galimberti.com.ar*, True -*.galimberti.me*, True -*.galiots.ch*, True -*.galipan.net.ve*, True -*.galipan.org*, True -*.galitec.es*, True -*.galit.ga*, True -*.gallagherphoto.com*, True -*.gallahad.net*, True -*.gallardosgrill.com*, True -*.gallatrade.ro*, True -*.gallatrans.ro*, True -*.gall-edv.com*, True -*.galleryaki.com*, True -*.galleryiliev.com*, True -*.galleryofdoors.ru*, True -*.galleryweekend.com*, True -*.galletasparati.cl*, True -*.gallifrey.es*, True -*.galliker.info*, True -*.gallipolihealth.com.au*, True -*.gallo955.com.ar*, True -*.gallores.com*, True -*.gallowaycomputers.co.uk*, True -*.gallowsmere.com*, True -*.galluccifoods.com*, True -*.galluccisitalianfoods.com*, True -*.gallweather.com*, True -*.gally.jp*, True -*.galmondo.ro*, True -*.galo.com.ar*, True -*.gal-online.ro*, True -*.galotar.de*, True -*.galponderopa.com*, True -*.galtara.ru*, True -*.galuke.com*, True -*.galvalume-ptmjsa.com*, True -*.galvezgoteam.com*, True -*.galyx.ro*, True -*.gama-digital.com*, True -*.gamaliel.us*, True -*.gamalytics.net*, True -*.gamaprado.adv.br*, True -*.gamasis.info*, True -*.gamatclothing.com*, True -*.gamatools.ro*, True -*.gamazon-store.com*, True -*.gambabot.com*, True -*.gambarbun.ga*, True -*.gambassicambia.it*, True -*.gamberorosso.com.br*, True -*.gambinc.com*, True -*.gambler-inside.com*, True -*.gamblersedge.com*, True -*.gamboa.info*, True -*.game2my.com*, True -*.gameblast.tv*, True -*.gamebox.tk*, True -*.gameboyparts.com*, True -*.gamebv.ro*, True -*.gamecack.com*, True -*.gamecash.cl*, True -*.gamecheats.eu*, True -*.gameclan.ro*, True -*.gamecrete.com*, True -*.gamedataeditor.com*, True -*.game-engineering.tk*, True -*.gamefan.la*, True -*.gamegeeks.ir*, True -*.gamegurushop.com*, True -*.game-hackers.com*, True -*.gamehayday.ga*, True -*.gameindonesiagratis.com*, True -*.game-interface.com*, True -*.gamelounge.cf*, True -*.gamemakerhelp.com*, True -*.gameno.com*, True -*.gamen.ro*, True -*.gameobmen.ru*, True -*.gameofthronesmerch.com*, True -*.gameonclub.com*, True -*.gameonestudios.com*, True -*.gameon.ga*, True -*.gameongame.co.uk*, True -*.game-pacul.gq*, True -*.gamepeesart.com*, True -*.gameph.ru*, True -*.gamepic3.tk*, True -*.gamepsychos.com*, True -*.gamerekber.com*, True -*.gamerepublic.ro*, True -*.gamer-gui.com*, True -*.gamerludus.com*, True -*.gameroommegastore.com*, True -*.gamers-online.net*, True -*.gamersuk.org*, True -*.gamersunitonline.net*, True -*.gamer-tag.info*, True -*.gamertechtalk.com*, True -*.gamertreff.com*, True -*.gamer.web.id*, True -*.games2k.net*, True -*.games2primusss.tk*, True -*.games4boys.org*, True -*.gamesandcheaters.org*, True -*.gamesandcheats.org*, True -*.gamesandroid.co.id*, True -*.gamescodes.cl*, True -*.gamescoeg.com*, True -*.gamescruts.com*, True -*.games-elite.tk*, True -*.gameshub.tk*, True -*.gamesterz.com*, True -*.gamesuite.com.ar*, True -*.gamesway.com*, True -*.games-with-brains.com*, True -*.games-with-brains.net*, True -*.gamesyoucanplayrightnow.com*, True -*.gametaiko.com*, True -*.gametheorylabs.com*, True -*.gamethrill.tk*, True -*.gamethuviet.cf*, True -*.gametop-android.com*, True -*.game-trader.co.uk*, True -*.gametronics.ca*, True -*.game-up.ch*, True -*.gamevil.ga*, True -*.gamevil.ml*, True -*.gamevip.hu*, True -*.gamewars.org*, True -*.gameway.ro*, True -*.gamezoo.org*, True -*.gamezters.com*, True -*.gamify.biz*, True -*.gamingandcasino.com*, True -*.gaming-center.cf*, True -*.gaming-cheater.cf*, True -*.gaming-cheater.tk*, True -*.gamingindia.in*, True -*.gamingsafari.net*, True -*.gamingstools.com*, True -*.gamingsystems.info*, True -*.gamingsystens.net*, True -*.gamingturtle.com*, True -*.gamingwebsite.eu*, True -*.gamjaserver.co.kr*, True -*.gammahydra4.com*, True -*.gammalikker.net*, True -*.gamopsi.cf*, True -*.gampell.com.br*, True -*.gampsolutions.com.ar*, True -*.gamslab.com*, True -*.gamusino.tk*, True -*.gamzov.com*, True -*.ganakasolutions.com.au*, True -*.gancedo.com.ar*, True -*.ganda86.tk*, True -*.gandadeltapersada.com*, True -*.gandai29.com*, True -*.gandcdepot.com*, True -*.gandesc.eu*, True -*.gandhidham.com*, True -*.gandhinagar.com*, True -*.gandhisiswanto.info*, True -*.gandhmn.com*, True -*.gandhmn.org*, True -*.gand-khujli.com*, True -*.gandkhujli.com*, True -*.gandt.co.il*, True -*.ganeshaespacioyoga.com.ar*, True -*.ganforhire.com*, True -*.gangavarapu.com*, True -*.gangburung.com*, True -*.ganghwaterminal.co.kr*, True -*.gangir98.com*, True -*.gangloff.eu*, True -*.gangnamvip.com*, True -*.gangs.ro*, True -*.ganimades.tk*, True -*.ganino.com*, True -*.ganino.it*, True -*.gani-peinture.ch*, True -*.ganja.nu*, True -*.ganjasongs.com*, True -*.ganjeii.com*, True -*.ganok-jenenge.tk*, True -*.gantarro.de*, True -*.gantechnologies.com.au*, True -*.ganteng-a.biz*, True -*.gantengg.tk*, True -*.ganteng.so*, True -*.ganu.ga*, True -*.ganyot.biz*, True -*.gan-ziva.co.il*, True -*.ganzweitweg.ch*, True -*.gaoxineducation.com*, True -*.gapakov.com*, True -*.gapeksindomajalengka.org*, True -*.gapera.com*, True -*.gaphoenixband.com*, True -*.gaplex.tk*, True -*.gappon.com*, True -*.gapre.com.au*, True -*.gap-sprl.com*, True -*.gaptek-cyber.com*, True -*.gar0t0.net*, True -*.garabedian.com.ar*, True -*.garage555.ch*, True -*.garage-almog.co.il*, True -*.garageautoleman.ch*, True -*.garagedescedres.ch*, True -*.garagedubrassus.ch*, True -*.garage-du-chateau.ch*, True -*.garagedupontbleu.ch*, True -*.garagefrossard.ch*, True -*.garage-lopes.ch*, True -*.garage-ms.ch*, True -*.garagenastasi.ch*, True -*.garagenwein.at*, True -*.garage-olivieri.ch*, True -*.garagepig.com*, True -*.garageroberto.com.ar*, True -*.garagesalekemang.net*, True -*.garagesport.ch*, True -*.gara.gq*, True -*.garantialibre.com*, True -*.garantialibre.com.ar*, True -*.garantidaturismo.com.br*, True -*.garant-sb.com*, True -*.garant-sb.ru*, True -*.garasisoft.com*, True -*.garasoft.com.ar*, True -*.garayfamily.com*, True -*.garazni.eu*, True -*.garberi.cl*, True -*.garbett.org*, True -*.garbinconstructora.com.ar*, True -*.garciadelapastora.cl*, True -*.garciagross.cl*, True -*.garciasuarez.com.ar*, True -*.gardamuda.com*, True -*.gardenbitch.co.uk*, True -*.gardencityfoods.in*, True -*.gardener1997.com*, True -*.gardenfood.rs*, True -*.gardeningwith.me*, True -*.garden-market.cl*, True -*.garden.net.ru*, True -*.gardenofblessings.com*, True -*.gardensaquilani.com.au*, True -*.gardsfolk.se*, True -*.gare.com.au*, True -*.garengtgok.tk*, True -*.garethmeadows.co.uk*, True -*.garethmusic.com*, True -*.garethtabandash.com*, True -*.garfordgroup.com*, True -*.gargg.com*, True -*.gargsale.com*, True -*.garhunt.com*, True -*.garion.us*, True -*.garizo.com*, True -*.garlandavenuelaundry.com*, True -*.garland-lab.com*, True -*.garlandwalton.com*, True -*.garlo.eu*, True -*.garmanage.com*, True -*.garneau-tennis.com*, True -*.garnerthefacts.com*, True -*.garnham.cl*, True -*.garnham.com.au*, True -*.garnier.inf.br*, True -*.garnizon.org*, True -*.garn-laden.ch*, True -*.garnladen.ch*, True -*.garoblogz.com*, True -*.garoufalisglass.gr*, True -*.garpetoiy.com*, True -*.g-arquitectura.cl*, True -*.garrard.net.au*, True -*.garretadventures.com*, True -*.garrettcastillo.net*, True -*.garrettlisti.com*, True -*.garrettrhodes.com*, True -*.garrettw.cf*, True -*.garrettwhoosh.com*, True -*.garrettw.ml*, True -*.garrettw.tk*, True -*.garrg.com*, True -*.garrin.nom.za*, True -*.gartek.cl*, True -*.garten-fest.ch*, True -*.gartexbassclub.org*, True -*.garthtander.com*, True -*.gartmeier.ch*, True -*.gartners.eu*, True -*.gartux.com.ar*, True -*.garudacyber.com*, True -*.garudahost.net*, True -*.garudajayatehnik.com*, True -*.garudaku.asia*, True -*.garudamp3.com*, True -*.garudapati.com*, True -*.garudazone.com*, True -*.garvita.in*, True -*.garykuwada.com*, True -*.garymcgill.ca*, True -*.gary.org.au*, True -*.garyshood.com*, True -*.garywestandco.com.au*, True -*.garyyeung.hk*, True -*.gasanik.ir*, True -*.gasatulen.com*, True -*.gasenstroom.com*, True -*.gasequipsys.com*, True -*.gasfuror.ch*, True -*.gas-geben.tk*, True -*.gasgus.com.ar*, True -*.gashashtec.com*, True -*.gashinsky.com*, True -*.gaskarov.info*, True -*.gaslight.us*, True -*.gasmont.com.br*, True -*.gasparacebo.com.ar*, True -*.gasperotti.info*, True -*.gasppi.com.ar*, True -*.gassing.co.uk*, True -*.gasspring.id*, True -*.gasstoverepair.com.au*, True -*.gastar.cl*, True -*.gastec.rs*, True -*.gastonchapeaurouge.com.ar*, True -*.gastonmm.com.ar*, True -*.gastons.lv*, True -*.gastontravel.net*, True -*.gastricsteps.com*, True -*.gastusapp.com*, True -*.gatago.com*, True -*.gatas.ch*, True -*.gateexpress.cc*, True -*.gatekeeper77.net*, True -*.gaters.tk*, True -*.gateshare.net*, True -*.gateshare.us*, True -*.gatesweb.info*, True -*.gatewaycommunity.org*, True -*.gatewaygunsusa.com*, True -*.gatewaymobile.com.ar*, True -*.gatewaysda.org*, True -*.gath.cl*, True -*.gatheringgallery.com*, True -*.gatlinhouse.com*, True -*.gatparty.co.za*, True -*.gatpp.com*, True -*.gatsbylee.com*, True -*.gattoterraplanagem.com.br*, True -*.gattoterraplenagem.com.br*, True -*.gauchitoonline.com*, True -*.gaudencio.net.br*, True -*.gaufredeliege.ro*, True -*.gaufre.ro*, True -*.gaum.ru*, True -*.gaunson.com.au*, True -*.gauravbahuguna.com*, True -*.gauravchaturvedi.in*, True -*.gauravpokhrel.com.np*, True -*.gauriprajapati.com.np*, True -*.gaustein.com.ar*, True -*.gautamsaroj.com.np*, True -*.gaux.com*, True -*.gavandi.com*, True -*.gavandi.net*, True -*.gavandi.org*, True -*.g-ave.com*, True -*.gavinandamy.com*, True -*.gavin-carey.me.uk*, True -*.gavin-chan.com*, True -*.gavingraham.com*, True -*.gavingraham.me*, True -*.gavinheaden.biz*, True -*.gavinheaden.com*, True -*.gavisoft.com*, True -*.gavlec.com.au*, True -*.gavradillahi.tk*, True -*.gavr.su*, True -*.gavshouse.com*, True -*.gawpoe.com*, True -*.gax73.com*, True -*.gax82.com*, True -*.gax85.com*, True -*.gax86.com*, True -*.gax96.com*, True -*.gaxu.cl*, True -*.gaxu.com*, True -*.gaxu.info*, True -*.gaxu.net*, True -*.gay-18.ru*, True -*.gayahidup.web.id*, True -*.gay-bar.ru*, True -*.gayero.co.il*, True -*.gay-galleries.com*, True -*.gaygayh.com*, True -*.gayhotelsgreece.com*, True -*.gaymarriedmen.org.uk*, True -*.gay.net.br*, True -*.gayphotos.ca*, True -*.gaypor.info*, True -*.gay-porn.cz*, True -*.gayreallife.com*, True -*.gay-sponsors.com*, True -*.gaytoonsh.com*, True -*.gaytravel-greece.com*, True -*.gaytravel-mykonos.com*, True -*.gaytxtbudzuk.co.uk*, True -*.gayuser.info*, True -*.gazduire-vps-romania.ro*, True -*.gazelian.com*, True -*.gazers.info*, True -*.gazetabistritei.ro*, True -*.gazet.com.ar*, True -*.gazetecilikbolumu.com*, True -*.gazguza.com*, True -*.gazmuri.cl*, True -*.gazobeton38.ru*, True -*.gazoved.ru*, True -*.gazzax.co.uk*, True -*.gazzerh.co.uk*, True -*.gb24nn.cf*, True -*.gbase.ro*, True -*.gbatd.org*, True -*.gb-come.com*, True -*.gb-cool.com*, True -*.gb-cup.com*, True -*.gbeaven.com*, True -*.gbecl.com*, True -*.gbervik.com*, True -*.gb-fun.com*, True -*.gbgromania.ro*, True -*.gbii.org*, True -*.gbipin.com.np*, True -*.gbitbox.com*, True -*.gbit.pw*, True -*.gblog.com.ar*, True -*.gbmmx.com*, True -*.gb-nba.com*, True -*.gbnews.ro*, True -*.gbn.net.au*, True -*.gb-now.com*, True -*.gbos.me*, True -*.gboxproductions.com*, True -*.gbpfoundation.com*, True -*.gbpfoundation.org*, True -*.gbpls.net*, True -*.gbreese.com*, True -*.gbruno.com.ar*, True -*.gbsnp.kz*, True -*.gbsro.ro*, True -*.gbtech.ro*, True -*.gbttexas.com*, True -*.gbusflix.com*, True -*.gc2pnm9.info*, True -*.gc8vtrading.co.za*, True -*.gcal.ch*, True -*.gcb-sa.ch*, True -*.gc-capital.com*, True -*.gc-clan.co.uk*, True -*.gcclan.co.uk*, True -*.gcclan.net*, True -*.gc-garland.us*, True -*.gcgseries.com*, True -*.g-cheat.com*, True -*.gci2.com.br*, True -*.gckb.ch*, True -*.g-com.cl*, True -*.gconnp001.com*, True -*.gcoop.com.ar*, True -*.gcosbucnasaud.ro*, True -*.gcpmedia.es*, True -*.gcproperty.info*, True -*.gcranjit.com.np*, True -*.gcrcomputers.com*, True -*.gcscc.com*, True -*.gcs-computers.net*, True -*.gcservices.net*, True -*.gcs.net.nz*, True -*.gctcomputers.net*, True -*.gcthings.org*, True -*.gd5gd.net*, True -*.gdait.com*, True -*.gdait.com.br*, True -*.gdaudio.cl*, True -*.gdavis.info*, True -*.gdayer.ch*, True -*.gdayx.cl*, True -*.gd-baccar.com*, True -*.gdcserv.com*, True -*.gdedios.com.ar*, True -*.gdelyn.com*, True -*.gdesdelat.com*, True -*.gdeudeffs.com.ar*, True -*.gdev.com.br*, True -*.gdg.com.ar*, True -*.gdheating.ie*, True -*.gdi.ninja*, True -*.gdinmobiliaria.cl*, True -*.gdisauro.com*, True -*.gdju.com.br*, True -*.gdllava.com*, True -*.gdlmobile.com*, True -*.gdlp.cl*, True -*.gdmatrix.net*, True -*.gdnicely.com*, True -*.gdnt.net*, True -*.gdocket.com*, True -*.gdocket.org*, True -*.g-doro.com*, True -*.gd-p1.com*, True -*.gd-ps1.com*, True -*.gdr365.com*, True -*.gdrm77.com*, True -*.gdsconstrucciones.com.ar*, True -*.gdsmithlaw.com*, True -*.gd-sp1.com*, True -*.gdsys.ro*, True -*.gdt.com.ve*, True -*.gdtre.com*, True -*.gdutton.com*, True -*.gdxtech.com*, True -*.gdz2324242.gq*, True -*.ge7.com.ar*, True -*.geampalia.ro*, True -*.geamurionline.ro*, True -*.geamuripvc.md*, True -*.geaonline.com.ar*, True -*.geared.info*, True -*.gearenergy.ca*, True -*.gearenergy.com*, True -*.gearhardtminecraft.com*, True -*.gearplanetary.com*, True -*.geasspvp.tk*, True -*.geban.com.br*, True -*.gebish.org*, True -*.geborgen-geboren.ch*, True -*.geborgengeboren.ch*, True -*.gebrbumann.ch*, True -*.gebyarmp3.com*, True -*.gecco.org.za*, True -*.geckobungalow.com*, True -*.geckocrew.com*, True -*.gecko.rs*, True -*.geckosolutions.rs*, True -*.gecogenicivilsa.ch*, True -*.gecontserv.ro*, True -*.gecoscrew.ch*, True -*.gedanyao.cn*, True -*.gedco.com.ar*, True -*.gedcosa.com.ar*, True -*.gedezign.com*, True -*.geecheegeek.com*, True -*.geeez.tk*, True -*.geefmijeeneuro.nl*, True -*.geegems.info*, True -*.gee-gogos.com*, True -*.geek123.cc*, True -*.geekaliens.com*, True -*.geekanerd.net*, True -*.geekanoid.co.uk*, True -*.geek.ch*, True -*.geekcommandos.com*, True -*.geekcreek.co.uk*, True -*.geekdergi.com*, True -*.geekdude.com*, True -*.geekerygal.com*, True -*.geekfeatures.com*, True -*.geekhardware.com*, True -*.geekhouse.ro*, True -*.geekinhard.com*, True -*.geekinteki.com*, True -*.geekis-kahn.com*, True -*.geekis-kahn.net*, True -*.geekis-kahn.org*, True -*.geekline.org*, True -*.geeklog.co.za*, True -*.geeko.tk*, True -*.geekreliance.com*, True -*.geeks4it.com*, True -*.geeksarecooltoo.com*, True -*.geeksarehot.com*, True -*.geekseals.ca*, True -*.geeks.la*, True -*.geeksquadmobile.co.uk*, True -*.geekstalkteck.ca*, True -*.geeksware.com*, True -*.geektown.cn*, True -*.geektronix.com.ar*, True -*.geekworks.tk*, True -*.geekyblob.com*, True -*.geekydodo.ch*, True -*.geelongcelebrants.com.au*, True -*.geelongparish.org.au*, True -*.geelongseo.com.au*, True -*.geertruidakrake.nl*, True -*.geesalon.co.uk*, True -*.geetika.ca*, True -*.geeweb.net*, True -*.geew.ru*, True -*.geezradio.com*, True -*.gefestfirm.ru*, True -*.geg5k.com*, True -*.gegpprudente.com.br*, True -*.gegsa.ch*, True -*.gegy1000.net*, True -*.geh-lassen-heit.ch*, True -*.geiar.eu*, True -*.geigenbau-scheifele.ch*, True -*.geilescheisse.ch*, True -*.geisha72.com*, True -*.geishahosting.net*, True -*.geissis.ch*, True -*.geje.tk*, True -*.gejman.com*, True -*.gelacio.com.mx*, True -*.gelande.ro*, True -*.gelapit.com*, True -*.gelatoqueen.ca*, True -*.gelatouniversity.ro*, True -*.gelber-ring.org*, True -*.gelcomtrans.cl*, True -*.geldbeleg.nl*, True -*.geldlexikon.com*, True -*.gelgui.com.ar*, True -*.gellemar.su*, True -*.gelo.gr*, True -*.geloraworld.org*, True -*.geloukodj.com.br*, True -*.gelrii.com*, True -*.gelso.com.ar*, True -*.gelsomina.me*, True -*.gem9ja.tk*, True -*.gemaheadwear.com.ar*, True -*.gemaherramientas.com.ar*, True -*.gema-nuryana-agung.info*, True -*.gema-nuryana-agung.me*, True -*.gemapiranti.com*, True -*.gemapp.tk*, True -*.gemarahmat.com*, True -*.gemas.com.my*, True -*.gematama.co.id*, True -*.gembel.in*, True -*.gembuzz.tk*, True -*.gemconsultora.com.ar*, True -*.gemgoldinc.com*, True -*.gemilanggrafika.com*, True -*.gemilangkredit.info*, True -*.gemlite.com.au*, True -*.gemmakightly.com*, True -*.gemmirror.com*, True -*.gempita.org*, True -*.gemscoc-free.tk*, True -*.gemscoc.info*, True -*.gemtextil.net*, True -*.gen3cis.com*, True -*.gendermatters.info*, True -*.genealogicaldna.org*, True -*.generacion2014.tk*, True -*.generalauto.ro*, True -*.generalbev.eu*, True -*.generalcomputingcompany.com*, True -*.generalcontractorspro.com*, True -*.generalgurko.com*, True -*.generalova.pp.ru*, True -*.generaloweb.com*, True -*.generals.si*, True -*.generalsys.eu*, True -*.generalsystems.eu*, True -*.generalturist.com*, True -*.generans.com*, True -*.generarsoft.com.ar*, True -*.generasiku.com*, True -*.generationsdecorating.com*, True -*.generatorcoc.ml*, True -*.generatorgame.ga*, True -*.generi.cc*, True -*.genericialis.net*, True -*.genericidentity.com*, True -*.genericists.com*, True -*.genericmud.com*, True -*.genericproscar.net*, True -*.generics-pill.com*, True -*.genericstudent.com*, True -*.genericviagrasoft.com*, True -*.genericzovirax.net*, True -*.genero.co.id*, True -*.genesbyjohn.info*, True -*.genesisalarms.ca*, True -*.genesiseating.com*, True -*.genesiseats.com*, True -*.genesisforlife.com*, True -*.genesishub.net*, True -*.genesishub.tk*, True -*.geneussery.com*, True -*.genexisinc.com*, True -*.genfaglobal.ru*, True -*.genghis.be*, True -*.genica.com.ar*, True -*.genicom.eu*, True -*.genicot.eu*, True -*.genied.com*, True -*.geniezone.co.uk*, True -*.geniodelaloteria.com.ar*, True -*.genionotes.com*, True -*.genitaldoctor.eu*, True -*.genito-maud.ch*, True -*.geniusgroup.pro*, True -*.genius-it.ro*, True -*.genius-its.ro*, True -*.genius-mds.ro*, True -*.geniusmedia.co.id*, True -*.geniusperks.com*, True -*.geniussoftware.com.br*, True -*.geniza.ru*, True -*.genkds.space*, True -*.genkee.com*, True -*.genki.si*, True -*.genlconcord.com*, True -*.genois.tk*, True -*.genomnomnom.com*, True -*.genotrance.com*, True -*.genovape.com*, True -*.genrefiction.info*, True -*.genrisc.com*, True -*.gens.cl*, True -*.gensecsys.ru*, True -*.gensokyoradio.co*, True -*.gensokyoradio.com*, True -*.gensokyoradio.info*, True -*.gensokyoradio.moe*, True -*.gensokyoradio.net*, True -*.gensokyoradio.org*, True -*.gensokyoradio.us*, True -*.gensonline.de*, True -*.gensys.ro*, True -*.gentech.at*, True -*.genteconsultoria.com*, True -*.gentefaztodosentido.com.br*, True -*.gentelman.cf*, True -*.gentengmetalcempaka.com*, True -*.gentengmetalsinarroof.com*, True -*.gentile.cc*, True -*.gentilemdq.com.ar*, True -*.gentiq.cl*, True -*.gentledot.net*, True -*.gentleman.ga*, True -*.gentlemensnightclub.ro*, True -*.gentoo-binhost.org*, True -*.gentsekropper.be*, True -*.genuineadv.ro*, True -*.genuin.ro*, True -*.genx.co.za*, True -*.genzh.cf*, True -*.genzh.ga*, True -*.genzh.ml*, True -*.geo2b.com.br*, True -*.geo2business.com*, True -*.geo2business.com.br*, True -*.geo2business.net*, True -*.geoannonce.tk*, True -*.geoapp.com.br*, True -*.geoarh.hr*, True -*.geobagnonwoven.com*, True -*.geobattery.com*, True -*.geocachetools.com*, True -*.geocargo.com.pk*, True -*.geocen.org*, True -*.geochile.cl*, True -*.geocoacher.com*, True -*.geocon.com.ar*, True -*.geocubo.cl*, True -*.geodesi.info*, True -*.geo-dns.com*, True -*.geofacil.net*, True -*.geoffcorey.net*, True -*.geoffdriscollarchitects.com.au*, True -*.geoffreid.ca*, True -*.geoffreytran.com*, True -*.geofftek.com*, True -*.geofinder.eu*, True -*.geofisika.id*, True -*.geofuzz.net*, True -*.geogeandmarry.com*, True -*.geohosting.com.br*, True -*.geohotnews.info*, True -*.geola.org.uk*, True -*.geologiaucn.cl*, True -*.geologi.id*, True -*.geologist.gr*, True -*.geology.cl*, True -*.geomark.cl*, True -*.geomatics.us*, True -*.geomobi.tk*, True -*.geomov.com*, True -*.geomov.com.ar*, True -*.geomov.net*, True -*.geopages.co.za*, True -*.geopol.ro*, True -*.geoponica.mx*, True -*.geoprint.ro*, True -*.geopuzzle.ro*, True -*.georedirect.net*, True -*.georgas.org*, True -*.georgebh.com*, True -*.georgebirchfiel.com*, True -*.georgebo.com*, True -*.georgebreese.com*, True -*.georgebushisdead.com*, True -*.georgecollins.com.au*, True -*.georgecrossfalcons.com*, True -*.georgedotcom.com*, True -*.georgekempassoc.com*, True -*.georgemaxim.ro*, True -*.georgenewell.com*, True -*.georgenitu.ro*, True -*.georgepecoraro.com*, True -*.georgepopovici.ro*, True -*.georgerapp.com*, True -*.georgeromanu.ro*, True -*.georgesak.com*, True -*.georgeshyavitz.info*, True -*.georgetsappis.co.uk*, True -*.georgiaflyers.org*, True -*.georgiagun.com*, True -*.georgiahitch.com*, True -*.georgianlimerick.com*, True -*.georgiapowerwashing.com*, True -*.georgieff.com*, True -*.georgikadrev.com*, True -*.georg.li*, True -*.geosapiens.com.br*, True -*.geoscienceanalysis.com*, True -*.geosfriends.com*, True -*.geosharing.info*, True -*.geosistema.com.ar*, True -*.geo-sistemas.com.ar*, True -*.geosoft-earthcube.org*, True -*.geospatial.sg*, True -*.geosql.net*, True -*.geotekne.com.ar*, True -*.geotobusiness.com*, True -*.geotobusiness.com.br*, True -*.geotobusiness.net*, True -*.geotor.ru*, True -*.geotuga.com*, True -*.geourbano.cl*, True -*.geovision.lv*, True -*.geozoon.com*, True -*.geozoone.com*, True -*.geozoosk.com*, True -*.gequip.com.br*, True -*.geraintwhite.co.uk*, True -*.geraisprei.com*, True -*.geraldinesalazar.org*, True -*.gerardconroy.co.uk*, True -*.gerarddiez.com*, True -*.gerardobeltran.mx*, True -*.gerardobeltran.net*, True -*.gerardo.cc*, True -*.gerardoruggiero.com.ar*, True -*.gerardosalorio.com*, True -*.gerart.ch*, True -*.gerash313.ir*, True -*.gerashf.ir*, True -*.gerashsc.com*, True -*.gerashtube.ir*, True -*.gerastar.ru*, True -*.gerberetgerber.ch*, True -*.gerber.ws*, True -*.gerc.pro*, True -*.gerdo.eu*, True -*.gerefalk.com*, True -*.geremia-antonio.ch*, True -*.geremy12.com*, True -*.gerenciandoblog1.tk*, True -*.geres.pt*, True -*.ge-revolt.uk*, True -*.gergen.us*, True -*.gergovass.com*, True -*.gergov.eu*, True -*.gerhardnydegger.ch*, True -*.germanbisogno.com.ar*, True -*.germanivancic.com.ar*, True -*.germanproperty.org*, True -*.germanriesco.com.ar*, True -*.germanrivera.net*, True -*.germanrocca.cl*, True -*.german-stoma.ro*, True -*.germerderds.com*, True -*.gerom-consulting.ro*, True -*.gerometta.ch*, True -*.gero-net.ch*, True -*.gerrardsingleton.co.uk*, True -*.gersagres.com*, True -*.gerscali.com*, True -*.gers.cl*, True -*.gers.co*, True -*.gers.com.mx*, True -*.ger-service.ru*, True -*.gersindustria.com*, True -*.gers.mx*, True -*.gersonferreira.com*, True -*.gerspower.com.mx*, True -*.gersusa.com*, True -*.gerszenszteig.com.ar*, True -*.gerts.net*, True -*.geruang.com*, True -*.gerwig.ch*, True -*.gerzer.net*, True -*.ge-santecommunes.ch*, True -*.gesbau.pt*, True -*.gesco.cl*, True -*.gescorp.cl*, True -*.geshan.com.np*, True -*.geslo.com.ar*, True -*.gesparza.com*, True -*.gestaltsolutions.net*, True -*.gestijoya.com*, True -*.gestionacademica.cl*, True -*.gestionadordeap.com.ar*, True -*.gestionavisa.com.ve*, True -*.gestionderiesgos.com.ar*, True -*.gestiondocumental.com.ve*, True -*.gestionenlinea.com.ve*, True -*.gestionintegrada.cl*, True -*.gestionradiologica.cl*, True -*.gestionrapida.cl*, True -*.gestionriesgocero.com.ar*, True -*.gestionwillart.ca*, True -*.gestionwillart.com*, True -*.gestionyentrenamiento.cl*, True -*.gestomedula.tk*, True -*.gestorbombeiro.com.br*, True -*.gestordoc.com.br*, True -*.gestores-inmobiliarios.cl*, True -*.gestorpatio.com.br*, True -*.gestorpesquisa.com.br*, True -*.gestorrural.com.br*, True -*.gestorviario.com.br*, True -*.gestservice.net*, True -*.gesualdosrl.com.ar*, True -*.gesundheitsmassagenbern.ch*, True -*.gesundzuhaus.ch*, True -*.gesvalfi.com*, True -*.get123.me*, True -*.get2nomi.com*, True -*.get3dz.com*, True -*.getable.ru*, True -*.getahitch.com*, True -*.getamonkey.com*, True -*.get-amped.net*, True -*.getanygirl.eu*, True -*.getanywoman.eu*, True -*.getaseat.ca*, True -*.getawaybargains.com*, True -*.getawebguru.ca*, True -*.getawebguru.com*, True -*.getbbs.com*, True -*.getbetterit.com*, True -*.get-blog.com*, True -*.getcashloantoday.tk*, True -*.getccnp.com*, True -*.getce.com*, True -*.getclassmanager.com*, True -*.get-crowded.net*, True -*.getdialed.in*, True -*.geteit.com*, True -*.getek.co.za*, True -*.getemergencycash.tk*, True -*.getfastpaydaycash.pw*, True -*.getfb-liker.com*, True -*.getfile4free.ml*, True -*.getfitlike.us*, True -*.getfittter.com*, True -*.getfreedomains.net*, True -*.getfsbo.com*, True -*.getfukt.net*, True -*.getglobalnow.com*, True -*.getgrouponcredit.com*, True -*.gethostss.com*, True -*.gethow.com*, True -*.getidn.asia*, True -*.getinmypc.com*, True -*.getitpro.biz*, True -*.getitpro.net*, True -*.getjobstoday.cf*, True -*.getjobstoday.tk*, True -*.get.lc*, True -*.get-likez.com*, True -*.getline.ru*, True -*.getloc.al*, True -*.get-logical.com*, True -*.get-logical.net*, True -*.getloyalster.com*, True -*.getmail.pw*, True -*.getmd5.com*, True -*.getmp3.us*, True -*.getnewproperty.my*, True -*.getnotebox.com*, True -*.getnutz.com*, True -*.get-out.co*, True -*.getout.gr*, True -*.getpaidforum.org*, True -*.getpaid.sg*, True -*.getpastnow.info*, True -*.getpdloansx.com*, True -*.getpicdownload.ru*, True -*.getpower.cl*, True -*.getprism.ca*, True -*.getrektscrub.ml*, True -*.getrestaur.co.il*, True -*.getrestored.net*, True -*.getreview.info*, True -*.getridenow.com*, True -*.getridenow.com.au*, True -*.getrocking.com*, True -*.getron.ch*, True -*.getron-prox.tk*, True -*.getron-zh.tk*, True -*.getset.pt*, True -*.getsignoff.io*, True -*.getsnob.com*, True -*.getsociety.org*, True -*.getstring.net*, True -*.getsuperiorservicenow.com*, True -*.getsystems.net*, True -*.get-the-book.com*, True -*.getthefacts.com.au*, True -*.getthis.pw*, True -*.gettingof.info*, True -*.gettonomi.com*, True -*.gettysburgmath.org*, True -*.getua.org*, True -*.getukgoreng.tk*, True -*.getupmkt.eu*, True -*.getwebmail.org*, True -*.getyourparker.com*, True -*.getyourride.com*, True -*.getyourride.info*, True -*.get-youtube-video.net*, True -*.getz.se*, True -*.gevaert.ca*, True -*.geve.cl*, True -*.gevon.com*, True -*.gewamed.de*, True -*.gewerbeverzeichnis.ch*, True -*.gewichtsconsulente-leidsche-rijn.nl*, True -*.gewichtsconsulente-leidscherijn.nl*, True -*.gewichtsconsulenteleidscherijn.nl*, True -*.gewichtsconsulentleidscherijn.nl*, True -*.gewoon-gezond-eten.nl*, True -*.gewoongezondeten.nl*, True -*.gextexpro.pt*, True -*.geye.me*, True -*.geyikler.com*, True -*.gezelgol.com*, True -*.gezihot.com*, True -*.gezinsbond-huldenberg.be*, True -*.gfe999.com*, True -*.gfernandez.net*, True -*.gfhomeserver.tk*, True -*.gfimail.us*, True -*.gfi-team.com*, True -*.gf-likez.net*, True -*.gfl.tw*, True -*.gfplace.com*, True -*.gfrauenfelder.ch*, True -*.gfrior.com*, True -*.gfscloud.com*, True -*.gftpd.org*, True -*.g-fun.com*, True -*.gfwh.tk*, True -*.gfxcafe.com*, True -*.gfx.com.ar*, True -*.ggammang.com*, True -*.gganu.com*, True -*.ggboys.com.br*, True -*.gg-developers.com*, True -*.ggema.com.ar*, True -*.ggfreelancer.info*, True -*.ggftp.biz*, True -*.gghosting.org*, True -*.ggirard.info*, True -*.ggogle.es*, True -*.ggppjj.com*, True -*.ggross.com.ar*, True -*.ggsa.cl*, True -*.ggtcc.com*, True -*.ggtorrent.com*, True -*.ggwbnkg.tk*, True -*.ghacontrol.com*, True -*.ghalameayandeh.ir*, True -*.ghallonline.com*, True -*.ghaly.ca*, True -*.ghambas.info*, True -*.ghanashyambhusal.com.np*, True -*.ghanashyampaudel.com.np*, True -*.ghar.ga*, True -*.ghar.gq*, True -*.gharian.ir*, True -*.ghasemkiani.ir*, True -*.ghassan.us*, True -*.ghastlyracket.com*, True -*.ghataura.com*, True -*.ghawk.co.uk*, True -*.ghayes.org*, True -*.ghazihome.tk*, True -*.ghc.cl*, True -*.ghcod.net*, True -*.ghcommunity.info*, True -*.ghcstmarys.com*, True -*.ghdgolf.net*, True -*.ghead.ml*, True -*.ghea.sg*, True -*.gherardi.com.ar*, True -*.gherase.ro*, True -*.ghes3.ir*, True -*.ghettoyouths.com*, True -*.ghfs.ro*, True -*.ghicitoarea-mihaela-ploiesti.ro*, True -*.ghicitori.ro*, True -*.ghid360.ro*, True -*.ghidcalatorie.ro*, True -*.ghidusi.ro*, True -*.ghidus.ro*, True -*.ghijs.com*, True -*.ghimiresuraj.com.np*, True -*.ghizdareanu.ro*, True -*.ghome.ch*, True -*.ghori.co.uk*, True -*.ghostbusker.info*, True -*.ghostcomputerhelp.com*, True -*.ghosternity.com*, True -*.ghostfrost.com*, True -*.ghosthack.com*, True -*.ghosting.com.ar*, True -*.ghostlike.me*, True -*.ghostnation.org*, True -*.ghost-pink.com*, True -*.ghostroot.org*, True -*.ghostsec-team.org*, True -*.ghostsofdixieband.com*, True -*.ghost-vip.com*, True -*.ghost-vvip.com*, True -*.ghostworks.ca*, True -*.ghotio.net*, True -*.ghrash.com*, True -*.ghrash.net*, True -*.ghrom.com*, True -*.ghsajid.com*, True -*.ghxst.com*, True -*.ghynson.com*, True -*.giacatructuyen.com*, True -*.gia-diamond.tw*, True -*.giadinhgamethu.tk*, True -*.giadinhvn.com*, True -*.giaidieuhanhphuc.info*, True -*.giaiphapxanh.com*, True -*.giaiphapxanh.org*, True -*.giaitrivn.net*, True -*.giakhang.xyz*, True -*.giammar.co*, True -*.giamsatdinhvi.com*, True -*.giandomenico.ca*, True -*.gianfranco.com.ve*, True -*.gianinazzielettrauto.ch*, True -*.giannacompagniadellebellezza.ch*, True -*.giannely.com*, True -*.giannipeg.it*, True -*.giantbich.info*, True -*.giantfunnel.com*, True -*.giant-power.com*, True -*.giantpower.net*, True -*.giantrobotfactory.com*, True -*.giantrubberband.com*, True -*.giantrv.ca*, True -*.giaoducconggiao.org*, True -*.giaricks.com*, True -*.giarrizzo.com.ar*, True -*.giar.tk*, True -*.giasiviet.com*, True -*.giasudatviet.org*, True -*.giavedoni.com.ar*, True -*.giavisach.com*, True -*.giaynhamgiahan.com*, True -*.giba.ir*, True -*.gibbfamily.com*, True -*.gibburgdorf.ch*, True -*.gibby.net.au*, True -*.gibddschool.ru*, True -*.gibelain.com*, True -*.gib.fi*, True -*.giblinux.com*, True -*.gicarricambi.com*, True -*.gicp.mx*, True -*.gidbox.ru*, True -*.gid.com.ar*, True -*.giddycat.com*, True -*.gideond.com*, True -*.gideonlaugs.com*, True -*.gidhys.com.ar*, True -*.gidi.com.ar*, True -*.gidjit.com*, True -*.gielamo.com.br*, True -*.gienapp.net*, True -*.giermasinski.com*, True -*.giertych.one.pl*, True -*.gierweb.nl*, True -*.giesnet.tk*, True -*.gies.tk*, True -*.gies.tw*, True -*.giesu.asia*, True -*.giffenpark.co.uk*, True -*.gifga.com*, True -*.gifstore.net*, True -*.gift4u.biz*, True -*.giftactivation.ml*, True -*.giftcrowding.com*, True -*.giftdraw.com*, True -*.giftflip.com*, True -*.giftmakers.org*, True -*.giftofappetite.com*, True -*.giftofgodclothing.com*, True -*.gifto.pl*, True -*.giftpanda.com*, True -*.giftpop.com*, True -*.giftregistrywording.com*, True -*.gift.rs*, True -*.giftsandpartymilsonspoint.com.au*, True -*.giftsland.ro*, True -*.giftstar.com.ar*, True -*.giftto.com*, True -*.giftwow.com*, True -*.giga69.co*, True -*.gigacomp.org*, True -*.gigafunk.co.uk*, True -*.gigagame.net*, True -*.giga-miner.com*, True -*.giganode.net*, True -*.giganticfaggot.com*, True -*.gigapizza.com*, True -*.gigaportal.pl*, True -*.gigapromo.co*, True -*.gigapromo.info*, True -*.gigapromo.me*, True -*.gigapromo.net*, True -*.gigapromo.si*, True -*.gigapromo.uk*, True -*.gigaworld.org*, True -*.gigblazer.com*, True -*.giggle.to*, True -*.gigi-shop.ru*, True -*.gigishop.ru*, True -*.gignation.com*, True -*.gigz.biz*, True -*.gigzzif.us*, True -*.gihonsentosaabadi.com*, True -*.giidi.com*, True -*.giigift.com*, True -*.giil.ro*, True -*.gijsvandewater.nl*, True -*.gilabs.co*, True -*.gilacave.com*, True -*.gilagu.in*, True -*.gilahost.biz*, True -*.gilakacang.my*, True -*.gilananomedical.com.mx*, True -*.gilangdandung.net*, True -*.gilangh-4rt.cf*, True -*.gilangrsm.name*, True -*.gilang.web.id*, True -*.gilben.com*, True -*.gilben.tw*, True -*.gilbertandgrim.com*, True -*.gilbertfam.info*, True -*.gilberthansen.us*, True -*.gilbertmeatlocker.com*, True -*.gilbertoneves.com.br*, True -*.gildingflake.info*, True -*.giles-saunders.net*, True -*.giles.tk*, True -*.gili-cohen.co.il*, True -*.giligenting.net*, True -*.gillamaten.nu*, True -*.gillamaten.se*, True -*.gillan.xyz*, True -*.gillesbossuyt.tk*, True -*.gilleslefebvre.com*, True -*.gillespiestudios.com*, True -*.gillian-ryan.com*, True -*.gillieron-freres.ch*, True -*.gillsart.com.au*, True -*.gilpaquette.ca*, True -*.gilquin.ch*, True -*.g-ils.com*, True -*.gilsinger.net*, True -*.gilt.sg*, True -*.gimnasiocumbres.cl*, True -*.gimo.net*, True -*.gimpelkammer.ch*, True -*.gimponsel.com*, True -*.gimpromed.com*, True -*.gimtkkr.com*, True -*.gin99.com*, True -*.gin99online.com*, True -*.gina-jourdan.com.mx*, True -*.ginarobhome.com*, True -*.ginascarnati.com*, True -*.ginasshop.com*, True -*.ginasticdancas.com.br*, True -*.gindungo.co.uk*, True -*.ginekologija-husar.hr*, True -*.ginekolog.si*, True -*.gingbos.com*, True -*.gingeho.com*, True -*.gingerdavis.com*, True -*.gingerjesus.net*, True -*.gingertom.com*, True -*.giniowiec.pl*, True -*.ginner.net*, True -*.ginnun.ga*, True -*.ginnycat.com*, True -*.ginoclin.com.br*, True -*.ginrom-invest.ro*, True -*.ginseguros.mx*, True -*.gioconaturale.com*, True -*.giorgiogiulio.cl*, True -*.giornale.ro*, True -*.giosalinas.com*, True -*.giostudio.ro*, True -*.giotinh.org*, True -*.giphtbase.org*, True -*.gipic.com.ar*, True -*.gi-propiedades.com.ar*, True -*.gipsitv.org*, True -*.gipsy.at*, True -*.giraid.net*, True -*.giranet.ch*, True -*.giranows.com*, True -*.girardettransports.ch*, True -*.girevicius.tk*, True -*.giriprakash.com.np*, True -*.giriwoyo.com*, True -*.girl36.com*, True -*.girlgamescity.com*, True -*.girlguidingrossendale.org.uk*, True -*.girl-hosting.club*, True -*.girlhype.com*, True -*.girlhype.co.za*, True -*.girlhype.org*, True -*.girllookslikeabitch.com*, True -*.girlpointoh.com*, True -*.girlschat.ml*, True -*.girlsecrets.hk*, True -*.girlsexyphoto.com*, True -*.girlslab.org*, True -*.girlsthai.co.uk*, True -*.girlyq-bbq.com*, True -*.giroautomoveis.com.br*, True -*.girofort.com.br*, True -*.gisantes.com*, True -*.giscon.pt*, True -*.giseleiriz.com.ar*, True -*.giseler.com*, True -*.giselleriescouture.ch*, True -*.gisellevitali.com*, True -*.gisladulce.com.ar*, True -*.gisnetwork.net*, True -*.gisoom.com*, True -*.gisromania.ro*, True -*.gistinfo.net*, True -*.giswebservice.com*, True -*.gitaarclub.nl*, True -*.gitart.org*, True -*.gitbye.info*, True -*.giteruralgyger.ch*, True -*.gitgps.ru*, True -*.githelper.net*, True -*.githelper.org*, True -*.githelpertools.net*, True -*.githelpertools.org*, True -*.git-rus.com*, True -*.git-rus.ru*, True -*.gits.ml*, True -*.gittardicpa.com*, True -*.gitt.com.mx*, True -*.gitt.mx*, True -*.giuadongdoi.net*, True -*.giukino.tk*, True -*.giuliogravili.it*, True -*.giuliospizza.com*, True -*.giuras.cl*, True -*.giuras.com*, True -*.giuras.org*, True -*.giveandfund.com*, True -*.giveawaylisting.com*, True -*.giveblooms.com*, True -*.givemefish.com*, True -*.givensisa.com*, True -*.giynacho.com.ar*, True -*.gizard.org*, True -*.gizlocker.com*, True -*.gizmo.my*, True -*.gizmopower.ro*, True -*.gizmos.cc*, True -*.gizmoview.com*, True -*.giz.se*, True -*.gizzmo.ml*, True -*.gjcareandtraining.co.uk*, True -*.gjconsulting.com.au*, True -*.gjermo.com*, True -*.gjmccarthy.co.uk*, True -*.gjzjly.com*, True -*.gkb-kkg.pw*, True -*.gkcert.com*, True -*.gkihalimun.org*, True -*.gkimex.com*, True -*.gkimex.com.mx*, True -*.gkipamulang.org*, True -*.gkolezakis.gr*, True -*.gkparkinson.ca*, True -*.gkubokawa.com.ar*, True -*.gku-gazk.ru*, True -*.glacier.me.uk*, True -*.gladiator-id.org*, True -*.gladiatorleague.tk*, True -*.gladshiemgaming.com*, True -*.gladshiemgaming.us*, True -*.gladtobeagirl.co.za*, True -*.glagola.ru*, True -*.glamberry.co.uk*, True -*.glamdicenn.com*, True -*.glammart.com*, True -*.glamorous.co.kr*, True -*.glamour-photos.org*, True -*.glamping.si*, True -*.glander.co.za*, True -*.glareoflight.ru*, True -*.glari.ch*, True -*.glasker.com*, True -*.glasner.cl*, True -*.glassandsons.net*, True -*.glassandwireart.com*, True -*.glassberg-powell.com*, True -*.glassduck.co.uk*, True -*.glasseguros.com.ar*, True -*.glassey.co.nz*, True -*.glassglobal.hk*, True -*.glassmoonlight.net*, True -*.glass-repairs-adelaide.com.au*, True -*.glass-service.com.ar*, True -*.glasstech.com.my*, True -*.glassware.fi*, True -*.glat.ro*, True -*.glattlinannini.ch*, True -*.glatz-bern.ch*, True -*.glaucomendes.com.br*, True -*.glazeball.com*, True -*.glazkovskoe.ru*, True -*.glazunoff.com*, True -*.glazurc.cf*, True -*.glbox.ro*, True -*.gl-cert.ro*, True -*.glconsult.ro*, True -*.glcrm2015.com*, True -*.gldrapeau.ca*, True -*.gldrapeau.com*, True -*.gldtlearningcenter.com*, True -*.gldt.net*, True -*.glears.com*, True -*.gleberdmedical.com.au*, True -*.gleencollection.com*, True -*.gleichsam.org*, True -*.gleitschirmjaeger.ch*, True -*.glej.name*, True -*.glenair.com.au*, True -*.glenalmond.com.au*, True -*.glenbrie.com*, True -*.glenbrookautomotive.com*, True -*.glenbrookchrysler.com*, True -*.glenbrookcommunityeruv.org*, True -*.glenbrookjeep.com*, True -*.glenbrookmikvah.org*, True -*.glencoevillabnb.com*, True -*.glencoevillabnb.co.uk*, True -*.glendaleresources.in*, True -*.glendalesoft.in*, True -*.glendalestorage.ca*, True -*.glendoone.com*, True -*.glengall.com*, True -*.glenjohn.com*, True -*.glenn2014.com*, True -*.glennads.tk*, True -*.glennbaptist.org*, True -*.glennheights.net*, True -*.glennsb.info*, True -*.glennscheideler.com*, True -*.glensol.com.ar*, True -*.glenwaverleychurches.org*, True -*.glicusa.com*, True -*.gli.kz*, True -*.glimle.com*, True -*.glinka.us*, True -*.glitches-it.com*, True -*.glitchmark.com*, True -*.glitzmo.com*, True -*.gllry.es*, True -*.global3dtalent.com*, True -*.globalcash.cl*, True -*.globalcash.com.pe*, True -*.globalchef.cl*, True -*.globaldata-21.pt*, True -*.global-dent.ro*, True -*.globaldent.ro*, True -*.globaldrum.com*, True -*.globaldweller.com*, True -*.globalfit.pt*, True -*.global-genset.com*, True -*.globalgoldventure.com*, True -*.globalhedge.net*, True -*.globalhome.ec*, True -*.globalinno.com*, True -*.global-inovasi.com*, True -*.globalinternettravel.com*, True -*.global-investors.com*, True -*.globallinks.com.np*, True -*.globalmctrading.pt*, True -*.globalmissionpartners.org*, True -*.globalmobtrack.co.id*, True -*.globalmobtrack.com*, True -*.globalmuslim.web.id*, True -*.globalnav.ru*, True -*.globalnetflixsearch.com*, True -*.globalnettelecom.com.br*, True -*.globalnoc.org*, True -*.globalpackagingmachinery.com*, True -*.globalpeople.co.za*, True -*.globalplakat.com*, True -*.globalpropertytv.com*, True -*.globalreach-partners.co.uk*, True -*.globalred.net*, True -*.global-scapes.com*, True -*.globalscience24.com*, True -*.globalsourceit.com.my*, True -*.globalstar-technology.com*, True -*.globalstateltd.com*, True -*.globalsurvey.ro*, True -*.globaltalks.tk*, True -*.globaltecnic.cl*, True -*.globaltelestore.com*, True -*.globaltelestore.net*, True -*.globaltelestore.org*, True -*.global-temp.com*, True -*.globaltrade.nl*, True -*.globaltransactionsnetwork.com*, True -*.globaltravelmedia.asia*, True -*.globaltravelmedia.com.au*, True -*.globaltravelnewsdaily.com*, True -*.globalvia.cl*, True -*.globalvietnam.com*, True -*.globalwarmingapparel.com*, True -*.globalwarningboard.com*, True -*.globalwar.ru*, True -*.globalwaveru.info*, True -*.globalwireandcable.com*, True -*.globalxchina.com*, True -*.globalx-solar.com*, True -*.globalxsolar.com*, True -*.gl-obe.com*, True -*.globenet.com.ar*, True -*.globeshotters.com*, True -*.globexinfotek.com*, True -*.globibus.ch*, True -*.globlocal.us*, True -*.globoarcompressores.com.br*, True -*.globomar.com.br*, True -*.globo.si*, True -*.globrax.com.br*, True -*.globster.info*, True -*.globuspp.pw*, True -*.globustravel.co.il*, True -*.glockstoreformyown007agent.net*, True -*.glodokbracket.com*, True -*.glomerex.com*, True -*.glon.ch*, True -*.gloppe.com*, True -*.gloriabuzau.ro*, True -*.gloriamarcon.com*, True -*.gloriasaavedra.cl*, True -*.gloriatextile.co.id*, True -*.glorydream.com*, True -*.glossysim.ro*, True -*.glosuje.pl*, True -*.gloucesterbaptist.com*, True -*.gloumeau.com*, True -*.glov.org*, True -*.glowacka.eu*, True -*.glowingpixel.com*, True -*.glowshells.net*, True -*.glpp.co*, True -*.gl-pulsa.com*, True -*.glservices.pk*, True -*.glskarate.co.uk*, True -*.glspkg.net*, True -*.glsys.ca*, True -*.glucosemonitor.co.uk*, True -*.glucyte.com*, True -*.gluetech-lemputih.com*, True -*.glufsa.no*, True -*.gluganeagra.ro*, True -*.glunion.org*, True -*.glups.ch*, True -*.glustein.com.ar*, True -*.gluzen.com*, True -*.glxglobal.com*, True -*.glxqga.com*, True -*.glyam.nl*, True -*.glycel.tw*, True -*.glynde-ltd.co.uk*, True -*.glytch.net*, True -*.glz9.com*, True -*.gm84.at*, True -*.gma15.com*, True -*.gmahk.net*, True -*.gmai1.ml*, True -*.gmamministrazioni.info*, True -*.gmangolfr.com*, True -*.gmanion.com*, True -*.gmanpctech.com*, True -*.g-mas.com.ar*, True -*.gmaslowski.com*, True -*.gmattice.com*, True -*.gmbmail.tk*, True -*.gmbnet.de*, True -*.gmc1.tk*, True -*.gmc3.tk*, True -*.gmcindustri.com*, True -*.gmclogistics.com*, True -*.gmcomputer.net*, True -*.gmconsulting.com.ar*, True -*.gmdgroup.com.au*, True -*.gmele.gr*, True -*.gmetric.ro*, True -*.gmf.cl*, True -*.gmfoundations.com*, True -*.gmgame.tk*, True -*.gmh.com.my*, True -*.gmike.com*, True -*.gmir.pl*, True -*.gmisionjakarta.or.id*, True -*.gmj4u.com*, True -*.gmk.cl*, True -*.gmm32.com*, True -*.gmm34.com*, True -*.gmm82.com*, True -*.gmm83.com*, True -*.gmoportal.com*, True -*.gmpg.com.br*, True -*.gm-sistemas.com.ar*, True -*.gmsotaku.com*, True -*.gmsplumbing.com.au*, True -*.gmsul36.com*, True -*.gm-t999.com*, True -*.gmtunerz.ca*, True -*.gmusic.asia*, True -*.gn0m.info*, True -*.gnanaselvam.ch*, True -*.gnbccarson.com*, True -*.gncrolon.com.ar*, True -*.gnet.hk*, True -*.gnfshop.com.ar*, True -*.gnidmoo.tk*, True -*.gnilron.se*, True -*.gnix.tk*, True -*.gn-law.co.il*, True -*.gnodal.com*, True -*.gnoia.org*, True -*.gnom-cham.com*, True -*.gnomon-oe.gr*, True -*.gnosis.co.za*, True -*.gnosisinvestments.com*, True -*.gnous.net*, True -*.gnpconsultancy.com*, True -*.gnpes.com*, True -*.gnro.xyz*, True -*.gnroyalsagro.com*, True -*.gnsa.us*, True -*.gns-legal.ro*, True -*.gntn.ml*, True -*.gnupanelvps.net*, True -*.gnusers.com.ar*, True -*.gnu.systems*, True -*.gnutella2.info*, True -*.gnyanasudhavidyalaya.org*, True -*.gnz.co.il*, True -*.go17go.com*, True -*.go2ty.com*, True -*.go2ui.com*, True -*.go2utopia.com*, True -*.go360host.com*, True -*.go4wifi.ro*, True -*.go5899.com*, True -*.go7676.com*, True -*.go-888.com*, True -*.goaexpositions.com*, True -*.goahead.com.ar*, True -*.goalbedo.net*, True -*.goalbnb.com*, True -*.goalcounter.com*, True -*.goalmarketing.com.au*, True -*.goals-studie.ch*, True -*.goatfuck.org*, True -*.goatgoggles.com*, True -*.goatsblood.net*, True -*.goatseyemedia.com*, True -*.goats.se*, True -*.goatsuckers.com*, True -*.goattomypc.com*, True -*.goawan.com*, True -*.goazis.hu*, True -*.gobag-drybag.com*, True -*.gobagintl.com*, True -*.gobags.com.br*, True -*.gobaksa.com*, True -*.gobble-fite.com*, True -*.gob.com.my*, True -*.gobi.co.za*, True -*.gobiernoabiertohonduras.org*, True -*.gobilogistics.co.za*, True -*.goblog.ml*, True -*.goblogz.ga*, True -*.goblue.ro*, True -*.gobruces.com*, True -*.gocarol.net*, True -*.gocars.me*, True -*.gocnhaviet.com*, True -*.gocvip.tk*, True -*.god-12.com*, True -*.goda77.com*, True -*.godaddysgirl.info*, True -*.godaspanskaviner.com*, True -*.godaspanskaviner.se*, True -*.godataflow.org*, True -*.godawfuldesign.com*, True -*.godbeychiro.com*, True -*.god-complex.info*, True -*.goddamnfactoryprototypes.li*, True -*.goddess.cf*, True -*.godewe.tk*, True -*.godgames.ro*, True -*.godgifts.us*, True -*.godhongkates.com*, True -*.godin.net.ru*, True -*.godin.tw*, True -*.godisministries.org.za*, True -*.godisministry.org.za*, True -*.godis.org.za*, True -*.godispace.ch*, True -*.godisprime.org.za*, True -*.god.jp*, True -*.godmee.com*, True -*.godo79.com*, True -*.godreammall.com*, True -*.godschildrenoutreach.org*, True -*.gods-country.org*, True -*.godseytech.net*, True -*.godshandsmoving.ga*, True -*.godspraisewic.co.za*, True -*.godswarroom.com*, True -*.godswood.com.au*, True -*.goecig.co.uk*, True -*.goed-koop-zonnepanelen.nl*, True -*.goednieuwsdag.nl*, True -*.goeler.lu*, True -*.goelitz.net*, True -*.goenk.cf*, True -*.goepfert.ch*, True -*.goerks.ch*, True -*.goesmart.com*, True -*.goethe1977.com.ar*, True -*.gofanonline.com*, True -*.gofatlossfactor.tk*, True -*.goffman.com.ar*, True -*.gofman.co.il*, True -*.go-for-linux.com*, True -*.gofteman-ard.ir*, True -*.gofullsystems.com.ar*, True -*.gofundjoaquin.cl*, True -*.gofuni.com*, True -*.goganau.ro*, True -*.gog.co.za*, True -*.gogocharter.com*, True -*.gogogasket.com*, True -*.gogogasket.com.au*, True -*.gogogasket.net.au*, True -*.gogogobaby12.com*, True -*.gogomedium.gr*, True -*.go-goparty.com*, True -*.gogo-s.com*, True -*.gogosi.net*, True -*.gogo-toto.com*, True -*.gogotunnel.com*, True -*.gogreenadventures.com*, True -*.goguendesign.com*, True -*.gohakuba.com*, True -*.goharzaman.com*, True -*.goharzaman.org*, True -*.gohok.me*, True -*.gohvac.net*, True -*.goianianet.com.br*, True -*.goico.cl*, True -*.go-ide.net*, True -*.goihoa.com*, True -*.goimg.net*, True -*.goingup.fr*, True -*.goinsblueberrylane.com*, True -*.goipradio.com*, True -*.goisfk.ml*, True -*.goitpc.info*, True -*.goja.tw*, True -*.gojava.ir*, True -*.goji-berry.bg*, True -*.gojigeje.me*, True -*.gojira.net*, True -*.goji.web.id*, True -*.gokbassbilop.com*, True -*.gokbassbilop.net*, True -*.gokbassbilop.org*, True -*.gokseldogan.net*, True -*.gokurallari.com*, True -*.golali.com*, True -*.gola.mx*, True -*.golandia.info*, True -*.golang.us*, True -*.golaram.com*, True -*.golard.ru*, True -*.golayadevushka.info*, True -*.goldbaer.ch*, True -*.goldbaerli.ch*, True -*.goldcoastchristmas.com*, True -*.goldcoastflats.com*, True -*.goldcoastmedia.ltd.uk*, True -*.goldcomputerservices.com*, True -*.golddieology.com*, True -*.gold-eggs.ru*, True -*.goldenbraders.com.ar*, True -*.goldenbug.me*, True -*.goldencarriers.com*, True -*.goldencupltd.com*, True -*.goldendale.ru*, True -*.goldeneye.mobi*, True -*.goldenflag.com.au*, True -*.goldenflag.co.uk*, True -*.goldenflag.us*, True -*.goldenfleeceliverpool.com.au*, True -*.goldengift.ru*, True -*.goldengrounds.co.za*, True -*.goldenhill.hk*, True -*.goldenhoneybear.com*, True -*.goldenkey.sg*, True -*.goldenkeywordtool.com*, True -*.goldenofmiami.com*, True -*.goldenproperti.com*, True -*.goldenratio.cf*, True -*.goldenseeds.si*, True -*.golden-staff.ru*, True -*.goldenstarltdmgmt.com*, True -*.goldentop.tw*, True -*.goldentravel.com.au*, True -*.goldenwatercapital.com*, True -*.goldenwheel.hk*, True -*.goldenwingsministry.com*, True -*.goldgym.org*, True -*.goldherramientas.com.ar*, True -*.goldietech.com*, True -*.golding.gen.nz*, True -*.goldion.co.id*, True -*.goldis.com.ar*, True -*.goldissue.com*, True -*.goldmanconsulting.com.au*, True -*.goldmandelbaerli.ch*, True -*.goldonihotel.com.br*, True -*.goldoscar.ch*, True -*.goldoskar.ch*, True -*.goldplate.co.uk*, True -*.goldps.net*, True -*.gold-setup.com*, True -*.goldshop-hk.com*, True -*.goldsin.ro*, True -*.goldsmid.com.ar*, True -*.goldtinkerrumson.com*, True -*.goldtrip.com.ar*, True -*.goldvipclub.info*, True -*.goldwingz.com*, True -*.goleadpro.com*, True -*.golekmp3.ga*, True -*.golesmundiales.com*, True -*.golfango.com*, True -*.golfarcade.com*, True -*.golfarcade.nl*, True -*.golfballen.com*, True -*.golfbrand.com.mx*, True -*.golf-club.ro*, True -*.golfdebenture.com*, True -*.golfdiscount.nl*, True -*.golfholland.eu*, True -*.golfistas.com.br*, True -*.golfmk4.com*, True -*.golfmk4.net*, True -*.golftantrums.com*, True -*.golftee.co.za*, True -*.golftravel.gr*, True -*.golias.mu*, True -*.goliker.net*, True -*.golinstra.com*, True -*.golivactive.com*, True -*.goljoosh.com*, True -*.goljoosh.ir*, True -*.golley.me*, True -*.goln.tk*, True -*.golondrinamala.cl*, True -*.golosbeslana.ru*, True -*.golosmoskvy.ru*, True -*.golowdomains.com*, True -*.golpebaixo.com.br*, True -*.golsindia.com*, True -*.golsmiles.net*, True -*.golubitsky.ru*, True -*.golubovic.com.ar*, True -*.golyedevchata.org*, True -*.gomba.com.br*, True -*.gombagomba.ir*, True -*.gomeansgo.com*, True -*.gomelskiy.com*, True -*.gomera.com.br*, True -*.gomet.ro*, True -*.gomezalzaga.com.ar*, True -*.gomezcancela.es*, True -*.gomezgonzalez.com.ar*, True -*.gomezmera.com*, True -*.gomezyciasrl.com.ar*, True -*.gomix.cf*, True -*.gomstudio.com*, True -*.gomstudio.net*, True -*.gomstudio.org*, True -*.gomwom.com*, True -*.gon-a4.com*, True -*.gon-ak.com*, True -*.goncaloguerreiro.com*, True -*.goncharova.pro*, True -*.goncharov.pro*, True -*.gondor.co.za*, True -*.gondus.com*, True -*.goneas.gr*, True -*.gonefishun.com*, True -*.gongjakso.com*, True -*.gong-xi-fa-cai.tk*, True -*.gonicompania.cl*, True -*.gonis-goneas.gr*, True -*.gonja19.com*, True -*.gonnadoo.com*, True -*.gonot.net*, True -*.gonotsyntaxjr.asia*, True -*.gonpetro.com.br*, True -*.gon-qq.com*, True -*.gonsette.be*, True -*.gonssicha.net*, True -*.gontaganti.com*, True -*.gontard.ch*, True -*.gonxas.com*, True -*.gonxas.com.ar*, True -*.gonzalezabogados.cl*, True -*.gonzalezarza.com*, True -*.gonzalez-lopez.com*, True -*.gonzalezramirez.com*, True -*.gonzalezresidence.tk*, True -*.gonzalezsampaio.com.ar*, True -*.gonzalezyco.cf*, True -*.gonzalezyco.cl*, True -*.gonzalezyco.ga*, True -*.gonzalezyco.gq*, True -*.gonzalezyco.ml*, True -*.gonzalezyco.tk*, True -*.gonzalezzapata.com.ar*, True -*.gonzaloarroyo.com.ar*, True -*.gonzaloazor.com.ar*, True -*.gonzalomoreno.cl*, True -*.gonzalosaez.cl*, True -*.gonzalosantos.com.ar*, True -*.gonzas.com.ar*, True -*.gonzoparents.com*, True -*.goobaiso.com*, True -*.goo-bio.com*, True -*.good2012.com*, True -*.good2you.cl*, True -*.goodecompanye.co.uk*, True -*.goodfaithschool.com*, True -*.goodfoodcatering.com.au*, True -*.goodgiving.org.za*, True -*.goodgnus.com.ar*, True -*.goodgoods.tw*, True -*.goodgrubnstuff.com*, True -*.goodguysneverwin.com*, True -*.goodideas.com*, True -*.goodizz.com*, True -*.goodjingle.com*, True -*.goodjobworld.com*, True -*.goodlifebiscuits.com.np*, True -*.goodlifeconfectionery.com.np*, True -*.goodlifegraphics.com*, True -*.goodlikethat.net*, True -*.goodlymedia.com*, True -*.goodmans.co.za*, True -*.goodnessgracie.com.au*, True -*.good-newz.org*, True -*.goodolddaysgang.com*, True -*.good.one.pl*, True -*.good-pharm.com*, True -*.good-quality.gq*, True -*.goodrecommendations.net*, True -*.goodsadmin.com*, True -*.goodseatapp.com*, True -*.goods-fwd.com*, True -*.goodsmoker.com*, True -*.goodstewardfinancial.com*, True -*.goodtimesgaming.com*, True -*.goodtimespartysupplies.com.au*, True -*.goodtoaster.com*, True -*.goodtogofast.com*, True -*.goodvibetribe.co.za*, True -*.goodview-gv.com*, True -*.goodwine.cl*, True -*.goodwinroof.ca*, True -*.goodworks.ch*, True -*.goodworth.id.au*, True -*.goody.ga*, True -*.goody.gq*, True -*.gooftroopers.com*, True -*.goog1e.ml*, True -*.google-it.info*, True -*.googlemp3.info*, True -*.googles-analytic.com*, True -*.googlesearchbot.org*, True -*.googlkw.com*, True -*.googlomat.com*, True -*.googoogaga.ga*, True -*.gookulu.net*, True -*.gookulu.org*, True -*.goole.es*, True -*.goomc.ga*, True -*.goongo.com*, True -*.goonline.ro*, True -*.goonsoft.com*, True -*.gooodshop.net*, True -*.gooqlemetrika.com*, True -*.gootman.ca*, True -*.gopala.blog.br*, True -*.gopalbabughimire.com.np*, True -*.gopaleorecipebook.tk*, True -*.gopara.ro*, True -*.gophq.com*, True -*.gopilocked.com*, True -*.goplanet.tv*, True -*.goplanettv.com*, True -*.gopoland.co*, True -*.gopromarketing.com.br*, True -*.goprorio.com*, True -*.goprotech.com*, True -*.gorankaracic.com*, True -*.gora-sobolinaya.ru*, True -*.gorazd.ru*, True -*.gordanabajurin.com*, True -*.gordencheng.com*, True -*.gordondafreeman.tk*, True -*.gordonkuhns.com*, True -*.gordonmilligan.co.uk*, True -*.gordons.co.il*, True -*.goread.it*, True -*.goreanus.com*, True -*.gorebrush.co.uk*, True -*.gorefundme.org*, True -*.gorelik.org*, True -*.gorentonline.com*, True -*.gorgeouscenter.com*, True -*.gorgovan.ro*, True -*.gorichev.com*, True -*.goriladarila.com*, True -*.gorila.ro*, True -*.gorillagraphics.org*, True -*.gorisubs.net*, True -*.goriva.si*, True -*.gorizur.com*, True -*.gorkis.es*, True -*.gornjak.si*, True -*.goroshko.ru*, True -*.gorportho.com*, True -*.gorst.me.uk*, True -*.gos-11.com*, True -*.gosammieandjoey.com*, True -*.gose338.ml*, True -*.goservicesgroup.biz*, True -*.goshali.com.np*, True -*.gosigmalogistics.com*, True -*.gos-kk.com*, True -*.gosmart.cl*, True -*.gososmed.com*, True -*.gosouth.com.ar*, True -*.gospelfoto.sk*, True -*.gospelmultimedios.com.ar*, True -*.gos.ro*, True -*.gossipcraze.com*, True -*.gossip.se*, True -*.gostareshbazar.biz*, True -*.gostareshbazar.com*, True -*.gostareshbazar.ir*, True -*.gostareshbazar.net*, True -*.gostaresh-shahed.ir*, True -*.gostep.us*, True -*.gostilnamatjasec.com*, True -*.gostilna.tk*, True -*.gostisce-prkosnik.com*, True -*.gostling.cl*, True -*.gostovanje1a.org*, True -*.gosurama.com.ar*, True -*.gosurfwaikiki.com*, True -*.got2buyit.com*, True -*.got2havit.com*, True -*.got2tryit.com*, True -*.gota.co*, True -*.gotbmx.com*, True -*.gotchagoin.com.au*, True -*.gotdns.us*, True -*.goteamviewer.net*, True -*.goteli.com*, True -*.gotepad.com*, True -*.goteye.co.za*, True -*.gothambill.com*, True -*.gothamleads.com*, True -*.gothampatterns.com*, True -*.gothamunion.com*, True -*.gothamware.com*, True -*.gothamware.org*, True -*.goth-chic.org*, True -*.gotheapplesno.com*, True -*.gothereok.com*, True -*.gothic-classifieds.com*, True -*.gotika.ro*, True -*.got-juped.cf*, True -*.gotketosis.com*, True -*.gotlaid.in*, True -*.gotlanning.se*, True -*.gotmary.ca*, True -*.gotmusic.us*, True -*.gotngoc.com*, True -*.gotobug.net*, True -*.gotocirebon.com*, True -*.gotoform.com*, True -*.gotoinfo.ch*, True -*.gotoitsolutions.com*, True -*.gotome.ml*, True -*.gotome.tk*, True -*.gotopless.com.ar*, True -*.gotpcdeals.com*, True -*.gotranslogistics.com*, True -*.gotritons.com*, True -*.got-root.cf*, True -*.gotrooted.org*, True -*.gotrum.ca*, True -*.gotslave.com*, True -*.gottabelievecharters.com*, True -*.gottegris.nu*, True -*.gottude.net*, True -*.gotvach.eu*, True -*.gotz.com.ar*, True -*.gould.mobi*, True -*.goulopoulos.com*, True -*.gourleypark.ca*, True -*.gourmet.co.id*, True -*.gourmetworld.co.id*, True -*.gourrich.com*, True -*.gourry.ru*, True -*.gour.tk*, True -*.gousb.net*, True -*.goutnet.com*, True -*.gov6.net*, True -*.govardhannathji.com*, True -*.goveg.com.ar*, True -*.govender.us*, True -*.governanceconnection.com*, True -*.governmentdebate.co.uk*, True -*.governovirtual.com*, True -*.governself.com*, True -*.govindathakur.com.np*, True -*.goviril.ml*, True -*.govorim.ga*, True -*.govt.hu*, True -*.gowa.ru*, True -*.gowild.ru*, True -*.goyacor.com.ar*, True -*.goyavision.com*, True -*.goyme.org*, True -*.gozdepamuk.com*, True -*.gozetto.com*, True -*.gozetto.com.br*, True -*.gozzee.com*, True -*.gp168.tw*, True -*.gpap.com.br*, True -*.gparente.com.br*, True -*.gparente.net.br*, True -*.gparkerjuiceplus.com*, True -*.gpateam.com.ar*, True -*.gpaviotti.com.ar*, True -*.gpdemo.ru*, True -*.gpg.ro*, True -*.gpinvent.ro*, True -*.gpk.si*, True -*.gplaza.cl*, True -*.gplbr.com.br*, True -*.gplhosting.com*, True -*.gpo.hk*, True -*.gpoibarra.com.mx*, True -*.gpp.org.ve*, True -*.gprieur.com*, True -*.gprsdatalogger.com*, True -*.gpsbud.net*, True -*.gps.com.ru*, True -*.gps-control.cl*, True -*.gpservices.co.za*, True -*.gpsgard.ir*, True -*.gps-gate.ru*, True -*.gps-help.ru*, True -*.gpsmizban.ir*, True -*.gps.my*, True -*.gpsnamoto.com.br*, True -*.gpsparamoto.com.br*, True -*.gpspos.ir*, True -*.gpsrealtime.tk*, True -*.gps-server.cl*, True -*.gps-servidor.cl*, True -*.gpstotal.cl*, True -*.gp-studios.com*, True -*.gpsutton.co.uk*, True -*.gpu4u.com*, True -*.gpv.com.my*, True -*.gqes.co.za*, True -*.gqx.me*, True -*.gr72.com*, True -*.gr88er.com*, True -*.gr8lks.us*, True -*.gra.al*, True -*.graaltotal.se*, True -*.graant.net*, True -*.grab8.com*, True -*.grababrand.com*, True -*.grabah.com*, True -*.grabeco.com*, True -*.grabert.com.br*, True -*.grabify.ga*, True -*.grabify.tk*, True -*.grabvps.com*, True -*.graceact.com*, True -*.gracechurchdowningtown.org*, True -*.graceintemporelle.com*, True -*.gracem.net*, True -*.gracemp.org*, True -*.graceoutreachministries.com*, True -*.graceredmore.co.uk*, True -*.gracesiefer.com*, True -*.gracetech-usa.com*, True -*.gracetrek.com*, True -*.graceunto.us*, True -*.gracielapalacio.com.ar*, True -*.gracielaporta.com.ar*, True -*.gracie-lewis.com*, True -*.gracie-lou.com.au*, True -*.gracon.org*, True -*.gradetributaria.com.br*, True -*.gradientking.com*, True -*.gradinitadobroesti.ro*, True -*.gradinitaemys.ro*, True -*.gradinitainocenta.ro*, True -*.gradinita-micul-print.ro*, True -*.gradinitaotiliacazimir.ro*, True -*.graditelj.org*, True -*.gradnja.si*, True -*.gradostroyka.ru*, True -*.gradu.fi*, True -*.graeleah.com*, True -*.graemeb.net*, True -*.graffcollection.com*, True -*.graffcollection.net*, True -*.graffenried-biel.ch*, True -*.graffenried-brig.ch*, True -*.graffenried.com*, True -*.graffenried-gruppe.ch*, True -*.graffenried-liegenschaftsvermittlungen.ch*, True -*.graffenried-recht.ch*, True -*.graffenriedrecht.com*, True -*.graffenried-treuhand.ch*, True -*.graff-faucets.com*, True -*.grafffaucets.com*, True -*.graff-faucets.net*, True -*.grafffaucets.net*, True -*.graffitomag.cl*, True -*.graffreps.com*, True -*.graficapro.com.br*, True -*.graficapurim.com.br*, True -*.grafichetoffoletti.com*, True -*.graficieni.ro*, True -*.graficnistudio.net*, True -*.graficodiario.com.br*, True -*.graficosedusans.cl*, True -*.graficus.com.ar*, True -*.grafika.si*, True -*.grafisdesain.com*, True -*.grafixnw.com*, True -*.grafostil.net*, True -*.graftonline.org*, True -*.gragode.com*, True -*.grahambotha.co.za*, True -*.grahambrooker.co.uk*, True -*.grahamdutton.com*, True -*.grahamreaper.com*, True -*.grahamultisarana.com*, True -*.grahateknik-indo.com*, True -*.gramabazita.com*, True -*.gramabazitaengineering.com*, True -*.gramabazita-tenaga.com*, True -*.gramaca.eu*, True -*.gramerbilisim.com*, True -*.gramialbpc.com.ar*, True -*.grampajims.com*, True -*.granaweb.ch*, True -*.grancanariaccesible.com*, True -*.granc.es*, True -*.grancha.com.ar*, True -*.granchaleks.com*, True -*.grandaveanimalhospital.com*, True -*.grandaveanimalhospital.net*, True -*.grand-bet.ru*, True -*.grand-domains.net*, True -*.grande.cf*, True -*.grandegame.net*, True -*.grandegaufre.ro*, True -*.grandehotelsantoantonio.com.br*, True -*.grand-enigma.com*, True -*.grandenigma.com*, True -*.grandesclassicosdocinema.com*, True -*.grande-societe-berne.ch*, True -*.grandesplumas.tk*, True -*.grandhotplate.com*, True -*.grandint.com*, True -*.grandmasgarden.biz*, True -*.grandmasgossip.com*, True -*.grandmode.org*, True -*.grandoso.com.ar*, True -*.grandpajims.com*, True -*.grandpajs.com*, True -*.grandreleve.com*, True -*.grandriversection.ca*, True -*.grandsm.com*, True -*.grandsource.com*, True -*.grandstream.hk*, True -*.grandtheftmc.net*, True -*.grandview107.com*, True -*.grandwashauto.com*, True -*.granelesmercedes.com.ar*, True -*.grangeia.pt*, True -*.grangnp.com*, True -*.granhotelparana.com.ar*, True -*.granite-mountain.com*, True -*.graniteshine.co.uk*, True -*.granite-specialists.com*, True -*.granitewebsolutions.com*, True -*.granitibionda.ch*, True -*.granivoro.us*, True -*.granjablog.com*, True -*.granjasnovas.com*, True -*.granlogia.com.ar*, True -*.gran-logia.org.ar*, True -*.granlogia.org.ar*, True -*.granmx.com*, True -*.grannay.com*, True -*.grannyaudio.com*, True -*.grannysbootantiques.ca*, True -*.grantaire.com.ar*, True -*.grantcarelse.co.za*, True -*.grantmaskell.com*, True -*.grantrproductions.com*, True -*.grants.lv*, True -*.grantt.cl*, True -*.granturi-corai.ro*, True -*.granular.com.au*, True -*.granular.net.au*, True -*.granul.ga*, True -*.graoepixelfilmes.com.br*, True -*.graomallboutique.com.br*, True -*.grape59.com*, True -*.grapeape.org*, True -*.grapesandwhines.com*, True -*.graphicbox.ro*, True -*.graphic-line.at*, True -*.graphic.sg*, True -*.graphicsign.ca*, True -*.graphicworld.cz*, True -*.graphiko.com.mx*, True -*.graphik.sg*, True -*.graphite.su*, True -*.graphologya.org.il*, True -*.graps4u.com*, True -*.grasaker.se*, True -*.gra-sc.co.id*, True -*.grasic.info*, True -*.grassfed.com.au*, True -*.grasso.com.ar*, True -*.grassvalleyautomation.net*, True -*.grate.ru*, True -*.gratia.cl*, True -*.gratian-calin.ro*, True -*.gratisanakjakarta.tk*, True -*.gratisan-crew.com*, True -*.gratisan.name*, True -*.gratisannonsersverige.se*, True -*.gratisin.tk*, True -*.gratisipad5.nl*, True -*.gratis-ordbok.se*, True -*.gratisterbaik.tk*, True -*.gratistrafico.com.ar*, True -*.gratisunda.com*, True -*.grattagembj.ch*, True -*.grav3s.com*, True -*.gravanudarbnica.lv*, True -*.grave.one.pl*, True -*.gravesidegreetings.com*, True -*.gravis.ca*, True -*.gravisdev.cl*, True -*.gravitacija.com*, True -*.gravityconsulting.co.uk*, True -*.gravityhammer.com*, True -*.gravityprops.com*, True -*.gravitytool.com*, True -*.gravura.ro*, True -*.grawiratama.com*, True -*.grawiratama.net*, True -*.grayareas.net*, True -*.grayfox.tk*, True -*.graylander.com*, True -*.graylander.net*, True -*.graylander.org*, True -*.graymalkin.us*, True -*.graymar.com.ar*, True -*.grayross.com*, True -*.graysgardening.co.uk*, True -*.grays.ro*, True -*.grayunit.com*, True -*.graywolfsolutions.com*, True -*.graziecraft.com*, True -*.grazzito.tk*, True -*.grazzt.com*, True -*.gr-bank.ch*, True -*.grciv.com*, True -*.grcmontana.com*, True -*.greading.org*, True -*.greaseballchallenge.com*, True -*.greaseballchallenge.org*, True -*.greasetheservos.gq*, True -*.greatconsult.in*, True -*.greatdysonia.tk*, True -*.greatexplorer.biz*, True -*.greatexplorer.net*, True -*.greatexplorer.org*, True -*.great-finder.biz*, True -*.greatfinder.biz*, True -*.greatfinder.co*, True -*.greatfinder.info*, True -*.greatfinder.me*, True -*.greatfinder.net*, True -*.great-finder.org*, True -*.greatfinder.org*, True -*.greatgiftlists.com*, True -*.greathomefinder.net*, True -*.great-hunter.net*, True -*.greatlakesdatatechs.com*, True -*.greatlakesunsalted.com*, True -*.greatlikes.net*, True -*.greatlittleisland.com*, True -*.greatnewstonight.com*, True -*.greatnowhere.com*, True -*.greatoffers.biz*, True -*.greatperu.com*, True -*.great-photo.net*, True -*.greatships.net*, True -*.greatsoft.com.br*, True -*.greatzhonghua.org*, True -*.grebler.ch*, True -*.grebnetor.com*, True -*.grecia-viaggi.it*, True -*.gredia.co.id*, True -*.greeceescorts.gr*, True -*.greeceschools.com*, True -*.greedfines.co.za*, True -*.greekcollection.com*, True -*.greekfiles.com*, True -*.greekfiloxenia.com*, True -*.greek-sculptor.gr*, True -*.greek-vacation.eu*, True -*.greek-vacation.net*, True -*.green0nion.com*, True -*.green-alien.biz*, True -*.green-alien.net*, True -*.greenandlight.net*, True -*.greenape.com*, True -*.greenape.org*, True -*.greenapplestudio.eu*, True -*.greenartcafe.co.uk*, True -*.greenaudio.ch*, True -*.greenbean.org*, True -*.greenberry.net*, True -*.greenbuildingsolutions.ro*, True -*.greenbutton.ml*, True -*.greencanyon.web.id*, True -*.greencart.ro*, True -*.greenchoicetexas.com*, True -*.greenclean.tk*, True -*.greencloudsa.ch*, True -*.green-club.ro*, True -*.greencobalt.tk*, True -*.greenconsult.cl*, True -*.greencrops.com.ar*, True -*.greend0t.com*, True -*.greenenergies.ro*, True -*.green-energy.ro*, True -*.greeneng.biz*, True -*.greenengineering.co.za*, True -*.greenerled.com*, True -*.greener-living-guide.com*, True -*.greenerlivingguide.com*, True -*.green-eyes.ro*, True -*.greenfieldslawyers.net*, True -*.greenforest.com.au*, True -*.greenfox-logistics.ro*, True -*.greengarden.net.br*, True -*.greenglass.cl*, True -*.greenhardware.ro*, True -*.greenhealth.hk*, True -*.green-heroes.com*, True -*.greenhilllocation.com*, True -*.greenhilllocation.org*, True -*.greenhillniche.com*, True -*.greenhillniche.org*, True -*.greenhillplace.org*, True -*.greenhillplaces.com*, True -*.greenhillplaces.org*, True -*.greenhillplaza.com*, True -*.greenhillplaza.org*, True -*.greenhillput.com*, True -*.greenhillput.org*, True -*.greenhillsite.com*, True -*.greenhillsite.org*, True -*.greenhillspot.com*, True -*.greenhillspot.org*, True -*.greenhillstand.com*, True -*.greenhillstand.org*, True -*.greenhillstation.com*, True -*.greenhillstation.org*, True -*.greenhomev2u.com*, True -*.greenhopetz.com*, True -*.green-icon.com*, True -*.greeningsystems.ca*, True -*.greenlandservices.com*, True -*.greenleaflandscape.net*, True -*.greenlightforbusiness.org*, True -*.greenlon.cn*, True -*.greenmantools.com*, True -*.greenmarket.ro*, True -*.greennova.cl*, True -*.green-n-pack.com*, True -*.greenoption.ro*, True -*.greenoto.co.id*, True -*.greenparkvillas.ro*, True -*.greenpc.in*, True -*.greenpc.ro*, True -*.greenpearl.ir*, True -*.greenpieces.com*, True -*.greenpixeldesign.com*, True -*.greenplan.co.za*, True -*.greenpowergoods.com*, True -*.green-powers.com*, True -*.greenprofile.com.ar*, True -*.greenquarterstudios.com*, True -*.greenresort.org*, True -*.greenridgepress.com.au*, True -*.greenroombilliards.com*, True -*.greensamuraiclan.com*, True -*.greenseer.com.ar*, True -*.greenservers.in*, True -*.greenshields.info*, True -*.greensocks.org*, True -*.greensoftware.ro*, True -*.greensolar.cl*, True -*.greensolutions.ro*, True -*.greensquarecenter.com*, True -*.green-star.co.il*, True -*.green-state.ca*, True -*.greenst.info*, True -*.greentable.co.il*, True -*.greentest.ro*, True -*.greentex.ru*, True -*.greentreenutrients.com*, True -*.greenukr.net*, True -*.greenvisionltd.com*, True -*.greenvolution.gr*, True -*.greenwahanaresources.com*, True -*.greenwaysrecycling.co.uk*, True -*.greenweald.net*, True -*.greenwoodenproduct.com*, True -*.greenwoodplentydental.com.au*, True -*.greetingsandsuckme.org*, True -*.greetscell.com*, True -*.gregbard.com*, True -*.gregbard.org*, True -*.gregbarnes.info*, True -*.gregbarnes.net*, True -*.gregbarnes.org*, True -*.gregblatz.com*, True -*.greg-d.fr*, True -*.gregdunn.net*, True -*.greget.us*, True -*.greghenson.co.uk*, True -*.greghorne.com*, True -*.gregjaworski.com*, True -*.greg-jones.ca*, True -*.gregmichael.co.uk*, True -*.gregoryandsunali.com*, True -*.gregorybennett.eu*, True -*.gregorybennett.me.uk*, True -*.gregorybrady.com*, True -*.gregoryclark.net*, True -*.gregoryfaust.com*, True -*.gregoryfoster.name*, True -*.gregoryjaworski.com*, True -*.gregorykieffer.eu*, True -*.gregorymcgarry.com*, True -*.gregorysaavedra.com*, True -*.gregsgreations.com*, True -*.gregsi.com*, True -*.gregsmall.com*, True -*.gregstiffler.net*, True -*.gregwalsh.net*, True -*.gregwenner.com*, True -*.gregzinselmeyer.com*, True -*.greig.biz*, True -*.gremion-peinture.ch*, True -*.greml.ru*, True -*.gremojadrat.si*, True -*.gremory.biz*, True -*.grems-family.com*, True -*.grenadeinmouth.org*, True -*.grep4error.com*, True -*.grep-in.com*, True -*.grep-in.net*, True -*.grep.ir*, True -*.gresjan.is*, True -*.greswoldeantiques.com*, True -*.greswoldeantiques.co.uk*, True -*.gretabende.com*, True -*.gretag.com.ar*, True -*.gretongers.ml*, True -*.gretongpols.tk*, True -*.gretz-idbte4m.net*, True -*.grevpodegallery.ca*, True -*.greybearclan.net*, True -*.greyblue9.net*, True -*.greycell.ca*, True -*.greycellmigrations.com*, True -*.greycoleman.com*, True -*.greyhurst.ca*, True -*.greyley.co.za*, True -*.greyling.org.za*, True -*.greymanlabs.com*, True -*.greyquill.com*, True -*.greysoft.ro*, True -*.greywire.tk*, True -*.greyworld.ch*, True -*.grgroup.ch*, True -*.grid2road.com*, True -*.grid2road.net*, True -*.grid2road.org*, True -*.grid47.com*, True -*.gridjunky.com*, True -*.gridtoroad.com*, True -*.grid-tronics.com*, True -*.grid-tronix.com*, True -*.gridwide.info*, True -*.griefandsuicide.org*, True -*.grief.cz*, True -*.grifenhagen.info*, True -*.griffinfamily.com.au*, True -*.griffinrobotics.org*, True -*.griffithfamilyhealth.com*, True -*.griggsinst.com*, True -*.griggsinst.net*, True -*.griggsinst.org*, True -*.grigna.com.ar*, True -*.grihalaxmi.com.np*, True -*.grikov.ru*, True -*.grilledcheesesingles.com*, True -*.grillgas.is*, True -*.grillo.com.br*, True -*.grillo.me*, True -*.grimagingaming.tk*, True -*.grimbrothers.tk*, True -*.grim.cc*, True -*.grim.ch*, True -*.grimdev.ch*, True -*.grimetimecleaningservices.com*, True -*.grimguardians.tk*, True -*.grimme.com.au*, True -*.grimmwit.com*, True -*.grimnotions.com*, True -*.grimpeur.lv*, True -*.grimsballs.com*, True -*.grimsbybb.org.uk*, True -*.grimsbypcsandconsoles.co.uk*, True -*.grimsleepers.net*, True -*.grimsreapers.com*, True -*.gringoh.com.ar*, True -*.gringousa.com*, True -*.grinovero.com.ar*, True -*.grinterns.ru*, True -*.gripsystems.in*, True -*.grire.net*, True -*.grisel.info*, True -*.grisella.info*, True -*.grish.de*, True -*.gr-it.ch*, True -*.gritoportibet.com*, True -*.grit.tk*, True -*.grivv.com*, True -*.grix.com.ar*, True -*.griyabunda.com*, True -*.grizmio.cl*, True -*.grizzlypharma.com*, True -*.grizzoll.com*, True -*.grk.si*, True -*.gr-law.gr*, True -*.gr-lieg.ch*, True -*.grmt.com*, True -*.grnmachine.com*, True -*.grnrecpro.com*, True -*.groauto.com*, True -*.grobovschik.ru*, True -*.grobstaubplakette-kss.de*, True -*.grocerize.com*, True -*.grocerybuzzer.com*, True -*.grocerygrub.com*, True -*.grodby.tk*, True -*.groganics.co.za*, True -*.grok.eu*, True -*.grolanda.se*, True -*.gromhellcrea.ml*, True -*.grom-hosting.com*, True -*.gromkovo.ru*, True -*.gronningseter.no*, True -*.groombridge.ws*, True -*.groomthegroom.com*, True -*.groomthegroom.net*, True -*.groovedown.me*, True -*.grooveon.tk*, True -*.groovesapp.com*, True -*.groovy.ch*, True -*.groovyinc.net*, True -*.gropro.co*, True -*.gros-constructionbois.ch*, True -*.groshev.net*, True -*.grosirjeanstanahabang.com*, True -*.grosir-jilbabsiana.com*, True -*.grosirleggingmotif.com*, True -*.grosirsepatubootap.com*, True -*.grossenbacherelectricite.ch*, True -*.grothnet.de*, True -*.grotto.ro*, True -*.grotz.com.ar*, True -*.groulxfamily.ca*, True -*.groundcaptain.com*, True -*.groundcaptain.org*, True -*.groundchief.com*, True -*.groundchief.net*, True -*.groundchief.org*, True -*.groundcloth.org*, True -*.groundedpaws.org*, True -*.groundlearn.com*, True -*.groundlearn.net*, True -*.groundlearn.org*, True -*.groundmaestro.com*, True -*.groundmaestro.org*, True -*.groundmaster.biz*, True -*.groundmaster.org*, True -*.groundmasters.net*, True -*.groundmasters.org*, True -*.groundrulez.tk*, True -*.groundskeeper.us*, True -*.groupacse.ro*, True -*.groupcall.pl*, True -*.groupdeals.sg*, True -*.groupe-lacouronne.com*, True -*.groupelectricautomatizari.ro*, True -*.groupemail.me*, True -*.grouper.cl*, True -*.groupetva.fr*, True -*.groupfive.ro*, True -*.groupmax.hk*, True -*.groupmorning.com*, True -*.groupmsl.co.uk*, True -*.groups-corp.com*, True -*.groupvn.net*, True -*.grouup.com.ar*, True -*.grouventures.com*, True -*.groveslosindios.com*, True -*.growatree.org.za*, True -*.growbig.info*, True -*.growingfutures.com.au*, True -*.growingin.com*, True -*.growingroots.hk*, True -*.growingupwithgijoes.com*, True -*.growmorefood.ca*, True -*.growpm.com.au*, True -*.growservices.com.mx*, True -*.growthsteel.com*, True -*.growthvalue.com.ar*, True -*.growtopiahack.cf*, True -*.growtopiaworldplanner.uk*, True -*.grow-up.ru*, True -*.grp-m.com*, True -*.grpn.ru*, True -*.gr-pratama.com*, True -*.grr.io*, True -*.grr.li*, True -*.grrx.tk*, True -*.gruasbarzola.com.ar*, True -*.gruas-melo.com.ar*, True -*.gruber-balgheim.de*, True -*.grudgo.com*, True -*.gruener.us*, True -*.grummen.net*, True -*.grumpybaron.com*, True -*.grumpybarongames.com*, True -*.grum.si*, True -*.grundig-shop.ro*, True -*.grundigshop.ro*, True -*.grundstedt.se*, True -*.grunhutl.com*, True -*.gruntmonkeys.com.au*, True -*.grupaje.eu*, True -*.gruphogar.com.ar*, True -*.grupo365.com*, True -*.grupoabastoinmuebles.com*, True -*.grupoaclarecer.com.ar*, True -*.grupoa.com.mx*, True -*.grupoagalme.com*, True -*.grupo-agm.mx*, True -*.grupoalliance.com.ar*, True -*.grupoalp.com.ar*, True -*.grupoapro.mx*, True -*.grupoaqs.mx*, True -*.grupoarcsa.com.ar*, True -*.grupoasa.com.ar*, True -*.grupo-bp.com.ar*, True -*.grupobrandao.com*, True -*.grupocalafia.mx*, True -*.grupocalafia.org.mx*, True -*.grupocomesa.com.mx*, True -*.grupocompre.com.br*, True -*.grupodaj.com.mx*, True -*.grupodax.cl*, True -*.grupodeapoio.org.br*, True -*.grupodmg.ec*, True -*.grupoeducare.es*, True -*.grupoedu.com.ar*, True -*.grupoesfera.com.ar*, True -*.grupoesisa.com.ar*, True -*.grupofana.com*, True -*.grupofarma.com.ar*, True -*.grupohorus.cl*, True -*.grupoimexsa.mx*, True -*.grupoinca.com.pe*, True -*.grupojoskes.com.mx*, True -*.grupokarsten.com.mx*, True -*.grupokimex.com*, True -*.grupolabrador.cl*, True -*.grupolampa.cl*, True -*.grupoled.com.ar*, True -*.grupomiasa.com.mx*, True -*.grupomiso.com*, True -*.grupomiso.com.mx*, True -*.grupomoebio.cl*, True -*.grupomolca.com.ar*, True -*.grupomoradacenter.com.br*, True -*.grupompr.com*, True -*.grupompr.com.ve*, True -*.grupo-n.com.ar*, True -*.gruponet.com.ar*, True -*.grupopeisa.es*, True -*.grupoperse.com*, True -*.grupopetrone.com*, True -*.grupopremiermotors.com.pe*, True -*.grupoprv.com.ar*, True -*.gruporym.cl*, True -*.gruposaenz.com.ar*, True -*.gruposaquarema.com.br*, True -*.gruposcarafia.com.ar*, True -*.gruposegurancamaxima.com*, True -*.gruposegurancamaxima.pt*, True -*.gruposico.com.ar*, True -*.gruposisco.com.mx*, True -*.gruposparaeventos.com.ar*, True -*.gruposzczech.com.ar*, True -*.grupotierrafertil.com.ar*, True -*.grupotop.com*, True -*.grupotrilho.com.br*, True -*.grupoudenio.com.ar*, True -*.grupoumano.mx*, True -*.grupounimagem.com.br*, True -*.grupouniprev.com.br*, True -*.grupovalro.mx*, True -*.grupovater.com.ar*, True -*.grupovocal.com.br*, True -*.grupoyaxche.com*, True -*.grupozapni.com.mx*, True -*.gruppenhaus-rinderberg.ch*, True -*.gruppuso.com*, True -*.gruppuso.net*, True -*.gruppuso.org*, True -*.grupulcafeluta.tk*, True -*.grupul-industrial-alca.ro*, True -*.grusicpropiedades.cl*, True -*.gruszynske.net*, True -*.grutzmacher.net*, True -*.gruzoviknn.ru*, True -*.gryksas.de*, True -*.grylka-finanzberatung.ch*, True -*.grymok.dk*, True -*.gryn.eu*, True -*.gryn.xyz*, True -*.grzebzi.waw.pl*, True -*.gsalvador.adm.br*, True -*.gsclainmaculada.es*, True -*.gscline.com*, True -*.gsdsar.com*, True -*.gserver.tk*, True -*.gsforce.net*, True -*.gsgprj.com*, True -*.gsi-balkani.com*, True -*.gsi.org.ve*, True -*.gsirhc.com*, True -*.gsking.co.uk*, True -*.gsl392.com*, True -*.gsmarena.gr*, True -*.gsmboxgroup.ro*, True -*.gsmcamp.com*, True -*.gsmint.hk*, True -*.gsmmadrid.com*, True -*.gsmontcabrer.org*, True -*.gsm-solutions.co.uk*, True -*.gsn66.com*, True -*.gsn74.com*, True -*.gsn88.com*, True -*.gsp3r.cf*, True -*.gspace.ro*, True -*.gsp.co.id*, True -*.gspedit.com*, True -*.gspenang.org*, True -*.gsponya.ga*, True -*.gs-s7942.com*, True -*.gssistemas.com.ar*, True -*.gsst.com.br*, True -*.gsturner.co.uk*, True -*.gsund-gh.ch*, True -*.gswcf.com*, True -*.gsy-ci.com*, True -*.gsystem.cl*, True -*.gs-z79z.com*, True -*.gt8askpxqit6kfl7.tk*, True -*.gta4-mods.co.uk*, True -*.gta5-mods.co.uk*, True -*.gtabadass.com*, True -*.gtabb.ca*, True -*.gtabb.com*, True -*.gtabb.net*, True -*.gtalarm.com.ve*, True -*.gtamovil.com*, True -*.gtaonlineforums.ml*, True -*.gta-sami.cf*, True -*.gtatecnologia.com.br*, True -*.gtbgroup.co.za*, True -*.gtcie.cl*, True -*.gtcomp.ga*, True -*.gtcomplay.com*, True -*.g-tea.cf*, True -*.g-t-f.co.il*, True -*.gtfo.io*, True -*.gthispanicalumni.org*, True -*.gthomebush.com.au*, True -*.gtinfo.com.ar*, True -*.gtk.cl*, True -*.gtm67.com*, True -*.gtm87.com*, True -*.gtmar.it*, True -*.gtmrdc.com*, True -*.gtnoturno.tk*, True -*.gtoke.com*, True -*.gtop.ro*, True -*.gtopstats.com*, True -*.gtork.com.br*, True -*.gtorresprop.com.ar*, True -*.gt-parts.pl*, True -*.gtprop.com.ar*, True -*.gtr-stream.com*, True -*.gtr-stream.us*, True -*.gtr-stream.xyz*, True -*.gtsrally.com*, True -*.g-tszabosag.ga*, True -*.gtube.gq*, True -*.gtug.com.ar*, True -*.gtvtech.com*, True -*.gtxcomputers.net*, True -*.gtxsphoto.com*, True -*.guabun.cl*, True -*.guacuzeushost.com.br*, True -*.guadalupemazza.com.ar*, True -*.guadalupe.pt*, True -*.guaihan.com*, True -*.gualardia.it*, True -*.guambo.cl*, True -*.guamcosmetic.ru*, True -*.guanacachesa.com.ar*, True -*.guapisima.cl*, True -*.guapo.ro*, True -*.guaracraft.com*, True -*.guardamuebless.com.ar*, True -*.guardanapodepapel.com.br*, True -*.guardianangel.ga*, True -*.guard-ins.com*, True -*.guardiola.com.ar*, True -*.guard.net.ru*, True -*.guardomorph.com*, True -*.guardtourpatrol.com*, True -*.guardz.ru*, True -*.guatesms.com*, True -*.guatexporta.com*, True -*.guaventas.com.ve*, True -*.guayanasexy.com.ve*, True -*.guazo.com.mx*, True -*.gubaiso.com*, True -*.gubaisou.com*, True -*.gubukgrafir.com*, True -*.guc.ch*, True -*.gucci0937.com*, True -*.gudangaudio.com*, True -*.gudangbahan.com*, True -*.gudang-bokep.org*, True -*.gudangkartu.com*, True -*.gudangkartu.net*, True -*.gudangmesinjahit.com*, True -*.gudangmotorraya.com*, True -*.gudangpipa.com*, True -*.gudangribbon.com*, True -*.gudangscript.co*, True -*.gudangtechno.com*, True -*.gudangtechno.web.id*, True -*.gudangwallpaper.com*, True -*.gudang.xyz*, True -*.guddversechert.lu*, True -*.gude.co*, True -*.gudelka.ru*, True -*.guderjan.ca*, True -*.gudgenet.com*, True -*.gudoff.ru*, True -*.gudtast.com*, True -*.gue-anak.pro*, True -*.guedel.eu*, True -*.guemaho.com*, True -*.gueq.com*, True -*.guerrierhome.com*, True -*.guestcollective.org*, True -*.guest-house.biz*, True -*.guestpress.org*, True -*.guestrecs.com*, True -*.guethsengenharia.com.br*, True -*.guevin.com*, True -*.gufaxetr.cf*, True -*.guff.ca*, True -*.gufo.name*, True -*.gugaiz.com.ar*, True -*.guggisberg.com.ar*, True -*.guggisberg-hochzeitsmusik.ch*, True -*.guiadecocinafacil.com*, True -*.guiadeservicios.tk*, True -*.guiaeventos.com.ar*, True -*.guiafama.com*, True -*.guiamaisvoce.com*, True -*.guiamaisvoce.com.br*, True -*.guiamibebe.com*, True -*.guiamicasamiento.com*, True -*.guiapp.com.ar*, True -*.guiarepsol.com.br*, True -*.guiaturista.com.ar*, True -*.guiaturista.com.mx*, True -*.guiaturista.es*, True -*.guiaturista.net*, True -*.guicearmory.ga*, True -*.guichetweb.com*, True -*.guide4peru.com*, True -*.guidercare.com*, True -*.guidertech.com*, True -*.guidinvest.ch*, True -*.guido.eng.br*, True -*.guidokovalskys.com*, True -*.guidomayersa.ch*, True -*.guidry.tk*, True -*.guifisants.net*, True -*.guihuamiao.org*, True -*.guild.gr*, True -*.guildofgamers.org*, True -*.guild-site.com*, True -*.guildwars2.ch*, True -*.guildwars2powerguide.com*, True -*.guile.cc*, True -*.guilhermefurlan.com.br*, True -*.guilhermelorifurlan.com.br*, True -*.guilhermetb.com.br*, True -*.guillaume.com.ar*, True -*.guillaumevanstrydonck.be*, True -*.guillen.com.ar*, True -*.guillerminanu.com.ar*, True -*.guillerminaweb.com.ar*, True -*.guillermobest.com*, True -*.guillermoestevez.com.ar*, True -*.guillermoselci.com.ar*, True -*.guillermosimone.com.ar*, True -*.guillex.info*, True -*.guiltycubicles.org*, True -*.guiman.ro*, True -*.guinchoalexania.com.br*, True -*.guinee.ch*, True -*.guiolife.cl*, True -*.guitarasia.com*, True -*.guitarcleaning.com*, True -*.guitardojo.fm*, True -*.guitarraenbelgrano.com.ar*, True -*.guitar.ro*, True -*.guitartown.tk*, True -*.gukidefb.cf*, True -*.gula.com.ar*, True -*.gulamor.com*, True -*.guldenfun.eu*, True -*.gulermak.com*, True -*.gulermak.com.tr*, True -*.gulfcoastgutter.com*, True -*.gulfcoasttec.com*, True -*.gulfpowerpt.com*, True -*.guliserver.com*, True -*.guljan.net*, True -*.gulmore.org*, True -*.gulongzhong.cc*, True -*.gulongzhong.co*, True -*.gulongzhong.me*, True -*.gulongzhong.mobi*, True -*.gulongzhong.so*, True -*.gulongzhong.tv*, True -*.gulou.org*, True -*.gumbi.si*, True -*.gumby-dammit.com*, True -*.gumbydammit.com*, True -*.gumchemical.com*, True -*.gumisie.net*, True -*.gumnazis.org*, True -*.gunaberdikarirotexindo.com*, True -*.guna.com.ar*, True -*.gunas.co.id*, True -*.gunawalet.com*, True -*.gunawan-zilla.org*, True -*.gunbi.ru*, True -*.gunboundx.cf*, True -*.gundersonmilitaria.com*, True -*.gundersonmilitary.com*, True -*.gundol.cf*, True -*.gundol.ga*, True -*.gundol.gq*, True -*.gundol.ml*, True -*.gunduz.ch*, True -*.guners.tk*, True -*.guneskrem.com*, True -*.gunguide.org*, True -*.gunhildhotte.ca*, True -*.guniversum.at*, True -*.guniversum.com*, True -*.gunlakecommunitychurch.org*, True -*.gunnar-krauss.de*, True -*.gunshop.ro*, True -*.gunslove.com*, True -*.gunsmithbros.com*, True -*.gunson.ca*, True -*.guntanakka.com*, True -*.gunturone.com*, True -*.gunturyogatama.com*, True -*.gunungmentari.co.id*, True -*.gunyahwh.net.au*, True -*.gunz.cf*, True -*.guodonglin.com*, True -*.gurbir.me*, True -*.gurcanersoy.com.tr*, True -*.gurcanozturk.com*, True -*.gurcanozturk.com.tr*, True -*.gurdger.com*, True -*.gurdit.com*, True -*.gurdjieff.org.za*, True -*.gurit.ru*, True -*.gurk.in*, True -*.gurniak.org*, True -*.gurruchaga2309.com.ar*, True -*.gurtej.net*, True -*.gurtnersarl.ch*, True -*.gurudaspaletas.com.br*, True -*.gurudreaming.com*, True -*.guru.es*, True -*.gurugroup.co.za*, True -*.guru.sg*, True -*.gurushree.com*, True -*.gusadelic.net*, True -*.gus-afreid.ga*, True -*.gusbag.com*, True -*.gusg.com.br*, True -*.gushmi.com*, True -*.gusmansworld.com*, True -*.gustavoalvarez.com*, True -*.gustavo.cc*, True -*.gustavok.com.ar*, True -*.gustavolsson.se*, True -*.gustavstrandberg.se*, True -*.guster32.tk*, True -*.gusteri.ro*, True -*.gustichrome.com*, True -*.gustihost.in*, True -*.gustodelivery.ro*, True -*.gustometro.com*, True -*.gusvy.net*, True -*.gutenberg.pro*, True -*.guterockbetting.tk*, True -*.guterockers.tk*, True -*.guti.cl*, True -*.gutierrezdequevedo.com*, True -*.gutterfunk.com*, True -*.gutu.tk*, True -*.gutzuki.com*, True -*.guus.ru*, True -*.guvasac.com*, True -*.guvernulromaniei.ro*, True -*.guyflix.net*, True -*.guyhome.net*, True -*.guylevin.co.il*, True -*.guyscancook.ca*, True -*.guysondrugs.com*, True -*.guyvanrijn.com*, True -*.guzhi10000.com*, True -*.guzik.com.ar*, True -*.guzmanrobotics.com*, True -*.guzmanweb.com.ar*, True -*.guzmanyasociados.com.mx*, True -*.guzzlers.ca*, True -*.gv24.ch*, True -*.gviegas.com.br*, True -*.gvlamadrid.com.ar*, True -*.gvljohnsons.com*, True -*.gvpcsaa.in*, True -*.gvpcsaa.org*, True -*.gv-poetry.com*, True -*.gwaffoer-jerry.ch*, True -*.gwainformatica.com.br*, True -*.gwarble.com*, True -*.gwatrading.hk*, True -*.gwcashwell.com*, True -*.gwdub.com*, True -*.gwhf.no*, True -*.gwigle.com*, True -*.gwind.ru*, True -*.gwinnett.com*, True -*.gwitee.com*, True -*.gwj.one.pl*, True -*.gw.lt*, True -*.gwood.info*, True -*.gwork.cl*, True -*.gwpdental.com.au*, True -*.gwrra-mnc.org*, True -*.gwrra-mnd.org*, True -*.gwrra-mnq.org*, True -*.gwrra-mnw.org*, True -*.gwsms.net.ve*, True -*.gws.org.au*, True -*.gw-spgv.com*, True -*.gwtechserv.com*, True -*.gyeben-net.tk*, True -*.gyergyoihirlap.ro*, True -*.gygpropiedades.cl*, True -*.gyimesy.cl*, True -*.gymbowling.com*, True -*.gymbox.com.br*, True -*.gymclassfinder.com*, True -*.gym-companion.com*, True -*.gymdirectory.net*, True -*.gymforce.ro*, True -*.gym-guide.com*, True -*.gymnasium.com.ar*, True -*.gymnastucuman.com.ar*, True -*.gymsa.com.au*, True -*.gymsalud.cl*, True -*.gymsport.biz*, True -*.gynekologbaerum.no*, True -*.gynekologbarum.no*, True -*.gyorffyaron.hu*, True -*.gypsyfestva.com*, True -*.gyrio.ch*, True -*.gyropodes-valais.ch*, True -*.gytt.com.mx*, True -*.gytt.mx*, True -*.gyuszi.ro*, True -*.gyx.ru*, True -*.gzabogados.tk*, True -*.gz-associates.com*, True -*.gzb.ro*, True -*.gz.com.my*, True -*.gzjyhotel.com*, True -*.gzmqsh.com*, True -*.gz.net.my*, True -*.gzoiw.pl*, True -*.gzone.co.kr*, True -*.gzphotography.com*, True -*.gzq.ir*, True -*.gzscuaa.com*, True -*.gzuranoyasoc.com.ar*, True -*.h00t.ca*, True -*.h00ters.info*, True -*.h0d.ir*, True -*.h0per.ru*, True -*.h0rde.info*, True -*.h0sting.us*, True -*.h0stname.net*, True -*.h0tb1t.eu*, True -*.h2houtlet.org*, True -*.h2hpickem.com*, True -*.h2kiosk.tk*, True -*.h2muebles.cl*, True -*.h2o2systems.com*, True -*.h2oplus.hk*, True -*.h2oplus.sg*, True -*.h2oplus.tw*, True -*.h2o-saver.com*, True -*.h2osystems.co.za*, True -*.h2out.pt*, True -*.h2u.biz*, True -*.h34.se*, True -*.h3ndra.com*, True -*.h3xtech.com*, True -*.h41.org*, True -*.h4ck.me*, True -*.h4x0r.co.za*, True -*.h4xxel.org*, True -*.h5n1.one.pl*, True -*.h9blog.com*, True -*.h9i.co.uk*, True -*.h9industries.com*, True -*.h9radio.com*, True -*.ha2.tw*, True -*.ha4t.net*, True -*.ha8.net*, True -*.haabase.com*, True -*.haabase.co.uk*, True -*.haadtianbeachresort.com*, True -*.haajrahs.com*, True -*.haassed.com*, True -*.haavar.com*, True -*.haaxjo.net*, True -*.habasu.de*, True -*.habawabatournament.com*, True -*.habeasdata.org.ar*, True -*.habeetat.com*, True -*.haberajan.net*, True -*.habere.ch*, True -*.haberesnet.com.ar*, True -*.haberleriz.biz*, True -*.habertahkik.com*, True -*.habiaunavezmontecaseros.com*, True -*.habibas.com*, True -*.habilisbest.com*, True -*.habinx.tk*, True -*.habird.tw*, True -*.habisoft.com*, True -*.habitacionalmagro.com.ar*, True -*.habitaser.cl*, True -*.habitek.ro*, True -*.hablardevino.cl*, True -*.hablatotal.cl*, True -*.haboonhotel.tk*, True -*.habrao.com.br*, True -*.habskilla.ca*, True -*.habyhotel.com*, True -*.haccpplan.ca*, True -*.haccpplan.info*, True -*.haccpplan.org*, True -*.haccpplan.us*, True -*.hacelobonito.com.ar*, True -*.hacetupin.com.ar*, True -*.haciendachamonate.cl*, True -*.hacienda.gob.ar*, True -*.haciendamisne.com*, True -*.haciendaonline.com.ar*, True -*.hacienda-pinilla.com*, True -*.haciendasantacruzloscabos.com*, True -*.haciendaspotosinas.com*, True -*.haciendocine.com.ar*, True -*.haciendoladiferencia.cl*, True -*.haciendovia.com.ar*, True -*.hack420.com*, True -*.hackaday.pw*, True -*.hackademia.cl*, True -*.hackavatar.mobi*, True -*.hackbarthcommunications.com*, True -*.hackbot.ru*, True -*.hackcf.biz*, True -*.hackdeeper.com*, True -*.hackdeeper.org*, True -*.hacked4115.cf*, True -*.hackedbox.net*, True -*.hacked.jp*, True -*.hacked.sx*, True -*.hackemueller.info*, True -*.hacker4rt.gq*, True -*.hackercomunity.com*, True -*.hacker.dj*, True -*.hackermail.tv*, True -*.hackermail.zone*, True -*.hackermonkey.com*, True -*.hackersclub.net*, True -*.hackerspace-ulm.de*, True -*.hackertalks.com*, True -*.hackertalks.net*, True -*.hackerzinc.com*, True -*.hackerzlair.org*, True -*.hackettministries.com*, True -*.hackfresse.ch*, True -*.hackgameviet.com*, True -*.hackgame.web.id*, True -*.hackgnosis.com.ve*, True -*.hackhd.com*, True -*.hack-house.com*, True -*.hacking-cheat.com*, True -*.hacking-cheat.org*, True -*.hackking.co.uk*, True -*.hacklab.lv*, True -*.hacklabs.nl*, True -*.hacknl.info*, True -*.hacknl.net*, True -*.hacknl.org*, True -*.hackno.org*, True -*.hackntrick.com*, True -*.hackpack.com*, True -*.hackquest.com*, True -*.hackquest.de*, True -*.hackrz.org*, True -*.hacks101.info*, True -*.hacksawtothethroat.com*, True -*.hackselector.com*, True -*.hackshop.cc*, True -*.hackspace.co.za*, True -*.hack-steiner.ch*, True -*.hacks.to*, True -*.hackthemainframe.tk*, True -*.hacktoolkit.com*, True -*.hacktr.net*, True -*.hackvui.com*, True -*.hacler.ro*, True -*.hacrew.com*, True -*.haddad.eti.br*, True -*.haddon.co.za*, True -*.hadepermataelectric.com*, True -*.hades.co*, True -*.hadeseffect.com*, True -*.hadeslee.tk*, True -*.hadinesine.com*, True -*.hadirus.ga*, True -*.hadithifupi.com*, True -*.hadjitracking.com*, True -*.hadleighswimmingclub.co.uk*, True -*.hadongclinic.com*, True -*.hadrian-alsakina.tk*, True -*.hadriel.net*, True -*.hadzikadic.com*, True -*.haeagles.org*, True -*.haeberlitv.ch*, True -*.haeckel-homeserver.de*, True -*.haedit.ch*, True -*.haell.com*, True -*.haellen.se*, True -*.haemes.com*, True -*.haenggi-eugen.ch*, True -*.haeselbarth.org*, True -*.haexebaese.ch*, True -*.hafc.co.za*, True -*.hafennutten.de*, True -*.haffizrazali.com*, True -*.hafifimasod.com*, True -*.hafizh.in*, True -*.hafizh.xyz*, True -*.hagakomputer.com*, True -*.hagax.se*, True -*.hagberg.cc*, True -*.hagelabwehr.at*, True -*.hagemann.me*, True -*.hagemejer.com*, True -*.haggleauctionnetwork.com*, True -*.haginara.net*, True -*.hagrid.one.pl*, True -*.hagurt.com*, True -*.hagyomany.ro*, True -*.hagz.tk*, True -*.hah66.com*, True -*.hahaha12.cf*, True -*.hahaha12.ga*, True -*.hahakiss.com*, True -*.hahameme.ru*, True -*.hahame.ru*, True -*.hahami.ru*, True -*.hahaproductions.net*, True -*.hahihuheho.tk*, True -*.hahling.ch*, True -*.hai2014.org*, True -*.hai5lab.com*, True -*.haico.be*, True -*.haicom.web.id*, True -*.haifang.cc*, True -*.haigetal.com*, True -*.haigetal.net*, True -*.haigetal.org*, True -*.haigsbags.com*, True -*.haiguivpn.net*, True -*.haiha.com.vn*, True -*.haiinn.org*, True -*.haikal-kun.com*, True -*.hailocorpn.com.my*, True -*.hailrepaircentral.com*, True -*.hainedama.com*, True -*.hainesfamily.org*, True -*.haineshanglia.ro*, True -*.hainutecrosetate.ro*, True -*.haipelitoral.ro*, True -*.hairdoctorsalon.com*, True -*.hairfairunisex.com*, True -*.hairie.net*, True -*.hairlossadvisory.org*, True -*.hairmart.ru*, True -*.hairsupplies.de*, True -*.hairtransplantthai.com*, True -*.hairwego.com.au*, True -*.hairyhuntsman.com.au*, True -*.hairypiano.com*, True -*.haisalon.web.id*, True -*.haisandiego.com*, True -*.haison.net*, True -*.haister2k.com*, True -*.haister2k.net*, True -*.haitao.gq*, True -*.haitian-americaninstitute.org*, True -*.haitijazz.net*, True -*.haivelo.com*, True -*.haivelo.net*, True -*.haiv.ro*, True -*.haiyangtrading.com*, True -*.haja45.com*, True -*.hakankoseoglu.com*, True -*.hakanloob.com*, True -*.hakar.net*, True -*.haki.hk*, True -*.hakimhabib.com*, True -*.hakim.web.id*, True -*.hakon.info*, True -*.hakon.mobi*, True -*.hakons.info*, True -*.hakop.me*, True -*.haktech.org*, True -*.hal9000.co*, True -*.hal9000systems.com.ar*, True -*.hal-9001.net*, True -*.halaja.com*, True -*.halalfoods.ro*, True -*.halalpages.com.my*, True -*.halaman.info*, True -*.halarona.com*, True -*.halat.cl*, True -*.halconesrojos.com.ar*, True -*.halcyonstatic.net*, True -*.haleloa.info*, True -*.halely.co.il*, True -*.haleymonroe.com*, True -*.haleymphotography.com*, True -*.halfbitstudios.com*, True -*.half-done.org*, True -*.halfjack.net*, True -*.halfling.org*, True -*.halfto.com*, True -*.halibs.com*, True -*.halifaxautozone.ca*, True -*.halifaxautozone.com*, True -*.halifaxroof.ca*, True -*.halifaxusedauto.ca*, True -*.halimali.com*, True -*.halimatus.tk*, True -*.haliq.com*, True -*.haliq.net*, True -*.hallammedical.com*, True -*.hallet.ir*, True -*.hallmannet.tk*, True -*.hallobitte.ch*, True -*.hallohotel.net*, True -*.hallowsmc.tk*, True -*.halnt.de*, True -*.halohalosites.com*, True -*.halo-lenovo.tk*, True -*.halonen.fi*, True -*.hal.se*, True -*.halterlein.net*, True -*.halukdogan.com.tr*, True -*.halukdogan.gen.tr*, True -*.halukleventhapistemi.tk*, True -*.halunken.at*, True -*.hama87.net*, True -*.hamakargich.com*, True -*.hamaliperfect.com*, True -*.hamaniyot.co.il*, True -*.hamblin-cpas.com*, True -*.hambodian.com*, True -*.hamburgueseria.com.mx*, True -*.hamcokro.com*, True -*.ham-dmr.es*, True -*.hameau.cl*, True -*.hamesnetwork.com*, True -*.ham.gd*, True -*.hamidabdollahi.ir*, True -*.hamidsoltani.name*, True -*.hamiltonprojects.co.za*, True -*.hamiltonswimming.com*, True -*.hamilton-travel.com*, True -*.hamirani.net*, True -*.hammasnukutus.fi*, True -*.hammerheadshark.info*, True -*.hammerschlag.com.br*, True -*.hammerstorm.com*, True -*.hammondcarpentry.com*, True -*.hammondjackson.com*, True -*.hammudeh.nl*, True -*.hamotech.com*, True -*.hamovniki-beer.ru*, True -*.hampersadelaide.net.au*, True -*.hampersbrisbane.net.au*, True -*.hampersmelbourne.net.au*, True -*.hamperssydney.net.au*, True -*.hamppu.fi*, True -*.hampsterblade.com*, True -*.hamptononline.com*, True -*.hamptonsbrewing.com*, True -*.hamptonshomebrew.com*, True -*.hamradioonline.net*, True -*.hamrickweb.com*, True -*.hamropadampur.com*, True -*.hamrunspartansfc.com*, True -*.hamsexy.net*, True -*.hamsexy.org*, True -*.hamshack.info*, True -*.hamvui.us*, True -*.hamyaran-acc.ir*, True -*.hanaco.us*, True -*.hananpacha.com.ar*, True -*.hanast.tk*, True -*.hanax.eu*, True -*.han-blog.com*, True -*.handan.name.tr*, True -*.handbagreviewgroup.com*, True -*.handbagsdiscount.org*, True -*.handcarri.com*, True -*.handfolding.com*, True -*.handfood.cl*, True -*.handinthetill.com*, True -*.handiyan.web.id*, True -*.handke.tk*, True -*.handla.se*, True -*.handlermusic.com*, True -*.handley.co.za*, True -*.handmadebydaisie.co.uk*, True -*.handmadebydani.ro*, True -*.handmadebyhelena.com*, True -*.handmadehk.com*, True -*.handmadesilkjewelry.com*, True -*.handofomega.com*, True -*.handpalletmurah.com*, True -*.handsofhealthmassage.net*, True -*.handsome.gq*, True -*.handsomegroup.com*, True -*.handsomegroup.hk*, True -*.handstasarim.com*, True -*.handtruckprestar.com*, True -*.handwork.ro*, True -*.handycraftcumjewelrysupplies.com*, True -*.handycruiser.com*, True -*.handyman-cpt.com*, True -*.handytrician.co.uk*, True -*.hangaroito.com*, True -*.hangkay.com*, True -*.hang-kei.com*, True -*.hangoutcraft.com*, True -*.hangover.ws*, True -*.hangquangchau.com*, True -*.hangtieudung.info*, True -*.hangtuahjakarta.com*, True -*.hang-yue.com*, True -*.hanifagungprasojo.com*, True -*.haniftriw.tk*, True -*.hanisch.com*, True -*.hanjaeisbig.com*, True -*.hanjikgu.co.kr*, True -*.hanknielsen.com*, True -*.hankunlaw-hk.com*, True -*.hanlvwang120.com*, True -*.hanlvwang.com*, True -*.hannahdvm.com*, True -*.hannahkilcoyne.com*, True -*.hannahsenesh.org.il*, True -*.hannersasphalt.com*, True -*.hanneschenk.ch*, True -*.hannes.mobi*, True -*.hanoiapt.com*, True -*.hanoipho.sg*, True -*.hanpo.tw*, True -*.hansafincon.com*, True -*.hansa-tmp.cn*, True -*.hanselmann.biz*, True -*.hanser.org*, True -*.hansesack.ch*, True -*.hanshuntech.tk*, True -*.hans-jansen.nl*, True -*.hansjoerg-jaeckel.de*, True -*.hansjoergjaeckel.de*, True -*.hansjoerg-jaeckel.info*, True -*.hansjoergjaeckel.info*, True -*.hanskim.net*, True -*.han-soft.net*, True -*.hanspiendhy.com*, True -*.hanssi.net*, True -*.hantu.xyz*, True -*.hanumancombatteamgroup.it*, True -*.hanusch.ch*, True -*.hanwa.com.mx*, True -*.hanwha-cme.com*, True -*.hanwha-cme.net*, True -*.hanyshk.ro*, True -*.hanyuinc.com*, True -*.hanyutelecom.com*, True -*.hao6666.info*, True -*.haobaobao.cc*, True -*.hao.com.ar*, True -*.haodaijia.net*, True -*.haohao.ru*, True -*.haoism.com*, True -*.haojoa38.com*, True -*.haokhi.info*, True -*.haokhi.us*, True -*.haomiao.us*, True -*.haoqij888.com*, True -*.haoshichina.com*, True -*.haoshuaba.com*, True -*.haos.org*, True -*.haos-project.org*, True -*.haosta.com*, True -*.haosuetru.com*, True -*.haotan.net*, True -*.haotianca.com*, True -*.haotu8.info*, True -*.haowanmu.com*, True -*.haowan.ru*, True -*.haparak.tk*, True -*.haparandaok.se*, True -*.ha-pint.com*, True -*.happiness.com.sg*, True -*.happiness-gifts.net*, True -*.happinessinmycheeks.com*, True -*.happy0.co.uk*, True -*.happybestdeal.com*, True -*.happybestdeal.es*, True -*.happycamper3000.ch*, True -*.happycandle.ro*, True -*.happycrow.net*, True -*.happydaybakeshop.com*, True -*.happydays.ro*, True -*.happyddk.com*, True -*.happydiwali2014wishes.tk*, True -*.happydongdong.com*, True -*.happy-end.ro*, True -*.happyfamily.com.mx*, True -*.happyfeetshop.com*, True -*.happyforever.com*, True -*.happyhana.nl*, True -*.happyhardcore.dj*, True -*.happyhourhosting.com*, True -*.happyhourhosting.net*, True -*.happyhouse4u.com*, True -*.happyhouselixouri.com*, True -*.happy-life.in*, True -*.happylittlecodes.com*, True -*.happymama.com.my*, True -*.happymeet.net*, True -*.happyminecraft.com*, True -*.happyminecraft.info*, True -*.happyminecraft.net*, True -*.happyminecraft.org*, True -*.happymule.com*, True -*.happypc.ca*, True -*.happyroad.ru*, True -*.happyrobotics.com*, True -*.happysmilehk.com*, True -*.happy-studio.tw*, True -*.hapser.net*, True -*.haragus.ro*, True -*.haraldssons.org*, True -*.harapanprestasi.com*, True -*.harapan.tk*, True -*.harasabril.com.ar*, True -*.harbercoatings.com*, True -*.harbisamuray.com*, True -*.harborneholistictherapies.co.uk*, True -*.harbortowncrossing.com*, True -*.harbos.fm*, True -*.harbourfund.com*, True -*.hardamine.be*, True -*.hardbass.org*, True -*.hardbooty.com*, True -*.hardchats.com*, True -*.hardchats.net*, True -*.hardcoder.ga*, True -*.harddrink.ru*, True -*.hardexpert.eu*, True -*.hardexpert.ro*, True -*.hardhatadmin.co.uk*, True -*.hardian.id*, True -*.hardian.or.id*, True -*.hardiansyaharts.com*, True -*.hardian.web.id*, True -*.hardikar.in*, True -*.hardinmt.com*, True -*.hardjob.ru*, True -*.hardosoft.ru*, True -*.hardporno.no*, True -*.hardstudio.ro*, True -*.hard-systems.com.ar*, True -*.hardtechno.ch*, True -*.hardware4bitcoins.com*, True -*.hardwarehacks.org*, True -*.hardway.org*, True -*.hardyralf.com*, True -*.harej.si*, True -*.haremeventos.com.br*, True -*.hargabatchingplant.com*, True -*.hargahpterbaru.web.id*, True -*.hargakameraterbaru.web.id*, True -*.hargakapalpesiarfiber.tk*, True -*.hargakapalpesiar.tk*, True -*.hargaminyak.my*, True -*.hargaretail.com*, True -*.hargaspeedboatfiber.tk*, True -*.hargaspeedboatjakarta.tk*, True -*.hargasupermarket.com*, True -*.hargatabletadvandroid.com*, True -*.hargatrafosurabaya.com*, True -*.harian-nasional.com*, True -*.haribhandari.com.np*, True -*.haribista.com.np*, True -*.haries.com.mx*, True -*.hariiz.at*, True -*.hariiz.info*, True -*.harijnandris.com.np*, True -*.harikakitaplar.com*, True -*.harikazen.ml*, True -*.harilo.com.np*, True -*.harimurti.web.id*, True -*.harinigs.co.id*, True -*.harinivc.in*, True -*.haripathak.com.np*, True -*.harisali.com*, True -*.haris-dp.info*, True -*.harisgrapher.com*, True -*.harita.co.il*, True -*.hari.web.id*, True -*.harjagebola.se*, True -*.harkerlabs.com*, True -*.harkerlabs.co.uk*, True -*.harkerlabs.net*, True -*.harkerlabs.org*, True -*.harkhome.com.au*, True -*.harlaut.tk*, True -*.harlemshake.su*, True -*.harley-custom.co.uk*, True -*.harleydavidsonpartsaustralia.com*, True -*.harleydavidsonpartsaustralia.com.au*, True -*.harley-news.com*, True -*.harley-news.info*, True -*.harleypartsaustralia.com*, True -*.harleypartsaustralia.com.au*, True -*.harleyshomeimprovements.com*, True -*.harliff.ru*, True -*.harmon.xyz*, True -*.harmonydragon.hk*, True -*.harmony-hypnose.ch*, True -*.harmonyinteriorsurabaya.com*, True -*.harmony-kaffee.ro*, True -*.harmonyoaksphotography.com*, True -*.harmonyst.net*, True -*.harmonyst.org*, True -*.harmonytravelingstudio.com*, True -*.harney.io*, True -*.harney.name*, True -*.harouters.com*, True -*.harpack.ro*, True -*.harpatech.com.br*, True -*.harpcreek.com*, True -*.harper-consultants.co.uk*, True -*.harpingchipmunk.me.uk*, True -*.harpriffs.com*, True -*.harriscountypropertytaxreduction.com*, True -*.harrisnj.net*, True -*.harrisoftware.ca*, True -*.harrisonarcher.info*, True -*.harrisonboettcher.com*, True -*.harrisoncarlos.com.br*, True -*.harrisonestate.net*, True -*.harrisonhandymanservices.ca*, True -*.harrisoninternational.us*, True -*.harrisons.net.au*, True -*.harros.wtf*, True -*.harruppark.com.au*, True -*.harrybowman.co.uk*, True -*.harrydennen.com*, True -*.harryfans.com*, True -*.harryishere.net*, True -*.harrykc.com.np*, True -*.harryleeandcompany.com*, True -*.harryovers.com*, True -*.harrysimonsolicitor.com.au*, True -*.harshhvac.com*, True -*.hartamd.com*, True -*.hartfordautoglass.net*, True -*.hartfordbrewingco.com*, True -*.hartfordbrewing.com*, True -*.hartfordbrewingcompany.com*, True -*.hartidigitale.ro*, True -*.hartis.si*, True -*.hartleyhousehold.com*, True -*.hartonians.com*, True -*.hartzog.name*, True -*.haruhi.ru*, True -*.harunyahyasays.com*, True -*.harunyondem.com*, True -*.haruwa.com*, True -*.harvananda.web.id*, True -*.harvardsquarebookstore.com*, True -*.harvare.com*, True -*.harvestageministries.com*, True -*.harvestcci.com*, True -*.harvestchurchonline.com*, True -*.harvestchurchonline.org*, True -*.harvesterworld.com.au*, True -*.harvestlands.com.au*, True -*.harvestmentproject.com*, True -*.harvestranch.com*, True -*.harvesturban.com*, True -*.harveycollins.org*, True -*.harveyfos.com*, True -*.harveynicholshkpress.com*, True -*.harvey-olson.org*, True -*.harv.me*, True -*.haryanto.id*, True -*.haryojackson.net*, True -*.harz.cl*, True -*.hasalmed.org*, True -*.hasbahkenya.com*, True -*.hasbiadam.me*, True -*.hasenhochzeit.net*, True -*.hasenkox.com*, True -*.hash0.com*, True -*.hashcube.com*, True -*.hash-mail.com*, True -*.hashmail.it*, True -*.hashman.co.uk*, True -*.hashmines.co.za*, True -*.hashtagcustomcase.com*, True -*.hashtagrare.com*, True -*.hashword.com.ar*, True -*.hasian.org*, True -*.hasilalamindo.com*, True -*.hasim.asia*, True -*.haske.org*, True -*.haslancefinishedhisthesis.info*, True -*.hasley.org*, True -*.hasnaae.tk*, True -*.hasni-sofyan.web.id*, True -*.hasoo2011.com*, True -*.hassansultan.com*, True -*.hasselby.nu*, True -*.hasslesavingexpert.com*, True -*.hassystuff.tk*, True -*.hastanaraja.com*, True -*.hasymarfish.com*, True -*.hasyour.info*, True -*.hatagi.co*, True -*.hatebedbugs.info*, True -*.hatenboer.org*, True -*.hatep.com*, True -*.hater.cat*, True -*.hate.ro*, True -*.hathakleen.com*, True -*.hathkakhana.in*, True -*.hatikva.co.za*, True -*.hatil.com.au*, True -*.hatimu.gq*, True -*.hat.info*, True -*.hatloey.net*, True -*.hatmara-ruhanit.com*, True -*.hatmartinhunger.ch*, True -*.hatras.co.za*, True -*.hatsan.net*, True -*.hatsune.gq*, True -*.hattingh.org.za*, True -*.hattrickhub.ro*, True -*.hattur.net*, True -*.hatumena.com*, True -*.hatzolah.com.au*, True -*.hatzor.com*, True -*.haua.tw*, True -*.hauckpcrepair.com*, True -*.hauganes.net*, True -*.hauganslekt.no*, True -*.haukmoor.org*, True -*.haul-s.com*, True -*.haumi.ch*, True -*.haune.com*, True -*.haunia.fi*, True -*.hauntlocator.com*, True -*.hauptzentrale.ch*, True -*.haurgeulis48.com*, True -*.haurgeulis-host.com*, True -*.haurgeulis-media.com*, True -*.hauri-art.ch*, True -*.hausler.ee*, True -*.hauspartner.ch*, True -*.haustechnik-adelboden.ch*, True -*.hauth.ch*, True -*.hautundmehr.ch*, True -*.havalandirmasistemleri.com.tr*, True -*.havasipositive.com*, True -*.havasmedia-bd.com*, True -*.havastara.com*, True -*.have2pee.com*, True -*.have-a-nice-day.tk*, True -*.havefun.ch*, True -*.haventn.com*, True -*.haverman.net*, True -*.havesome.ru*, True -*.haveyounoshame.org*, True -*.havfruen.org*, True -*.havivah.com.br*, True -*.havoc.ch*, True -*.havvaaktas.com.tr*, True -*.hawaiiki-roa.com*, True -*.hawconsulting.com.au*, True -*.hawk-driver.com*, True -*.hawkecablegland.com*, True -*.hawkeyeserver.com*, True -*.hawkinsr.co.uk*, True -*.hawklok.co.uk*, True -*.hawks.cf*, True -*.hawthornenetwork.com*, True -*.hawt.io*, True -*.hax0red.me*, True -*.hax.com.my*, True -*.haxlo.com*, True -*.haxoristict.org*, True -*.haxorlicense.com*, True -*.haxor.nz*, True -*.haxwithaxe.net*, True -*.haxx.ca*, True -*.haxzdirectaccess.net*, True -*.haxz.net*, True -*.hayaldefteri.net*, True -*.haydaybot.ga*, True -*.haydayku.ga*, True -*.haydoctruyen.com*, True -*.hayesey.co.uk*, True -*.hayeshelp.com*, True -*.hayg.com*, True -*.haylazkirpi.com*, True -*.hayleybentley.co.uk*, True -*.haymespaint.com*, True -*.haynestwins.com*, True -*.hayo-brulhart.ch*, True -*.hayvip.com*, True -*.hayvip.org*, True -*.hayvnn.com*, True -*.haywoods.info*, True -*.haywoods.org*, True -*.hazardous.me*, True -*.hazelgrovepac.ca*, True -*.hazelhk.biz*, True -*.hazelhk.net*, True -*.hazico.com*, True -*.hazirbeton.com*, True -*.hazleden.ca*, True -*.hazterisk.com*, True -*.haztusjoyas.cl*, True -*.hazuki.cf*, True -*.hb3yiw.ch*, True -*.hba33.com*, True -*.hba46.com*, True -*.hba49.com*, True -*.hba53.com*, True -*.hba66.com*, True -*.hbaum06.com*, True -*.hbbc.info*, True -*.hbbma.tk*, True -*.hbcmakeup.com*, True -*.hbcstaff.com*, True -*.hbessentials.com.tr*, True -*.hb-g.cl*, True -*.hbgroup.ru*, True -*.hbh7.com*, True -*.hbh7.tk*, True -*.hbinfraestructuras.com.ar*, True -*.hblbrasil.com.br*, True -*.hblnutrishop.com.br*, True -*.hbmc.net*, True -*.hbsharp.com*, True -*.hb-xintian.com*, True -*.hbx.us*, True -*.hbyfyxh.com*, True -*.hcac.net*, True -*.hcb-it.com*, True -*.hcdi.de*, True -*.hcelites.com*, True -*.hcf.org.za*, True -*.hcgenterprise.com.ar*, True -*.hclequipment.com*, True -*.hcnworld.com*, True -*.hcosmin.ro*, True -*.hcps.tk*, True -*.hcrtelecom.com*, True -*.hcse.ro*, True -*.hc-tahko.fi*, True -*.hcubed.org*, True -*.hc-workshop.com*, True -*.hd180.com*, True -*.hdcilog.com*, True -*.hdcity.li*, True -*.hdcorp.cl*, True -*.hde.co.il*, True -*.hdhlanggao.com*, True -*.hdiaz.cl*, True -*.hdj.club*, True -*.hdmusicvideo.ro*, True -*.hdom.tk*, True -*.hdphotoclub.com*, True -*.hdppcsvc.com*, True -*.hdrmail.com.ar*, True -*.hdrnals.net*, True -*.hdrportal.com.ar*, True -*.hdrsoft.com.ar*, True -*.hdrweb.com.ar*, True -*.hdrwindows.com.ar*, True -*.hdsoft.ro*, True -*.hdspeeddate.com*, True -*.hdstore.com.ar*, True -*.hdstudios.ro*, True -*.hdturismouy.com*, True -*.hdvideo.ca*, True -*.hd-v.tk*, True -*.hdxd.in*, True -*.hdzone.cc*, True -*.head2toes.org*, True -*.headenugz.org*, True -*.headfreak.com*, True -*.headfromthehills.com*, True -*.head-hunting.net*, True -*.headinthecloud.org*, True -*.headintheclouds.us*, True -*.headit.at*, True -*.head-it.ch*, True -*.headit.ch*, True -*.headit.com*, True -*.headit.de*, True -*.headit.eu*, True -*.headit.info*, True -*.headlesspoems.com*, True -*.headliongroup.com*, True -*.headquartersoutfitters.com*, True -*.headshotclan.net*, True -*.headshot.gq*, True -*.headskitchen.co.za*, True -*.headsup.hk*, True -*.headtotailonline.com*, True -*.headwater.ca*, True -*.heagtechnics.ch*, True -*.healingcirclemassage.com*, True -*.healingcirclenaturalhealth.com*, True -*.healinghands.ru*, True -*.healinglovebook.com*, True -*.health24.net*, True -*.healthadmin.ir*, True -*.health-and-fitness.gr*, True -*.healthandfitnesswithmelinda.com*, True -*.healthandhomelessness.com*, True -*.healthandstyle.ro*, True -*.healthedesk.com*, True -*.healthesoul.com.au*, True -*.healthgames.co*, True -*.healthilife-gh.com*, True -*.healthiseverything.us*, True -*.healthlife.hk*, True -*.healthlycare.info*, True -*.healthnews23.com*, True -*.healthplantender.com*, True -*.healthsalonbkk.com*, True -*.healthsavings.eu*, True -*.healthscience.ca*, True -*.healthserve.info*, True -*.healthshop-hk.com*, True -*.healthsupport.in*, True -*.healthtipsonline.cf*, True -*.healthtipsonline.ga*, True -*.healthwealthint.com*, True -*.healthy48.com*, True -*.healthybeautysolution.com*, True -*.healthybobo.com*, True -*.healthybox.my*, True -*.healthydailymail.com*, True -*.healthyfamiliesamerica.com*, True -*.healthy-guide.tk*, True -*.healthyhabbit.org*, True -*.healthykids.com.mx*, True -*.healthyrecipesfinder.com*, True -*.healthyswitch.com.au*, True -*.healthyweightchallenge.net*, True -*.healthywildlife.ca*, True -*.healthyzer.cf*, True -*.hean.com.ve*, True -*.heanortaichiclub.co.uk*, True -*.hearingaidsnaples.com*, True -*.hearingband.com*, True -*.hearingcenterofli.com*, True -*.hearnefinancial.com.au*, True -*.heartandcog.com*, True -*.heartbeatemr.com*, True -*.heartbeer.com*, True -*.heartfire.xyz*, True -*.hearthis.org.uk*, True -*.heartlanddataservices.com*, True -*.heartoftexashhs.com*, True -*.heartsleeve.net*, True -*.heartstohands.ca*, True -*.heatbook.hk*, True -*.heat-btc.ru*, True -*.heaterthai.com*, True -*.heathbanc.com*, True -*.heathbbs.net*, True -*.heathcotedentalsurgery.com.au*, True -*.heatheringram.com*, True -*.heathsanders.com*, True -*.heathtilevb.com*, True -*.heatmypool.com*, True -*.heatmypool.net*, True -*.heavenhands.ch*, True -*.heavenheart.ml*, True -*.heavenheart.tk*, True -*.heaven-mx.com*, True -*.heavyhotmail.tk*, True -*.heavymetalforums.com*, True -*.heavy-nacional.org*, True -*.hebergementmassawippi.ca*, True -*.hebergementmassawippi.com*, True -*.hebron-kb.org*, True -*.hebux.com*, True -*.hecat.es*, True -*.heckleandjive.net*, True -*.heck.li*, True -*.hec.to*, True -*.hectorfernandezfernandez.com*, True -*.hectorhector.com*, True -*.hectronic.ro*, True -*.hedda.ro*, True -*.hede-e.to*, True -*.hedgetrimmerreviewgroup.com*, True -*.hedmarks.com*, True -*.hedrolar.com*, True -*.heedless.tk*, True -*.heemro.com*, True -*.heerdter-feld.de*, True -*.heerenfamily.com*, True -*.heerlijkhalderberge.nl*, True -*.heerser.com*, True -*.hefeibazhong1979.com*, True -*.hefty3.com*, True -*.hegedusnet.tk*, True -*.hegevps.tk*, True -*.hegewald.ch*, True -*.heggie.me*, True -*.hegrasoft.com*, True -*.hegy.com*, True -*.hehechan.com*, True -*.hehoha.net*, True -*.hehuan-home.tw*, True -*.heiamoss.com*, True -*.heidel.ro*, True -*.heidfamily.net*, True -*.heidi-lee.com*, True -*.heidipeace.com*, True -*.heightrequirement.ca*, True -*.heihuan.com*, True -*.heiko.cf*, True -*.heiko.ga*, True -*.heilig.com*, True -*.heilpraktikerin-berlin.net*, True -*.heilpraktikerin-emsland.de*, True -*.heilpraktikerin-papenburg.de*, True -*.heilroot.com*, True -*.heimgartner-partner.ch*, True -*.heinekenpro.com*, True -*.heine-sth.net*, True -*.heinrichknoetze.co.za*, True -*.heinside.ch*, True -*.heiri.com*, True -*.heise.cl*, True -*.heisenburgers.com*, True -*.heitang.info*, True -*.hekelidees.co.za*, True -*.hekim.net*, True -*.hekim.tc*, True -*.helabima.ml*, True -*.heladoslanuova.com.ar*, True -*.heladostrappola.com.ar*, True -*.heland.ro*, True -*.helbert.net*, True -*.helcon.ro*, True -*.helenaaramendia.com*, True -*.helenagalvao.com.br*, True -*.helenandryan.co.uk*, True -*.helenaseguratorrella.com*, True -*.helen-hinshaw.com*, True -*.helenjonson.net*, True -*.helenpeppe.com*, True -*.helenpeppephotography.com*, True -*.helgamassetani.com.ar*, True -*.helgimv.pw*, True -*.heliaed.ee*, True -*.heliconbooks.co.il*, True -*.heliconbooks.com*, True -*.helicontech.co.il*, True -*.heliken.com*, True -*.helimediagroup.com*, True -*.heli-news.com.au*, True -*.heliomind.com*, True -*.heliumballoons.info*, True -*.heliumcola.com*, True -*.helivahing.eu*, True -*.helixc.com*, True -*.hellalive.com*, True -*.hellas-hellas.com*, True -*.hellasinside.com*, True -*.hellasinside.eu*, True -*.hellasinside.gr*, True -*.hellasinside.org*, True -*.hellenergy.ro*, True -*.hellenicspirit.tk*, True -*.hellenicvwclub.gr*, True -*.hellerhof.eu*, True -*.helleyhaven.com*, True -*.hellicontest.ir*, True -*.hellik.ee*, True -*.hellindo-lighting.com*, True -*.hell-ish.com*, True -*.hellknight.es*, True -*.helllab.org*, True -*.hellnation.cl*, True -*.helloam.ir*, True -*.hellocareer.md*, True -*.hellocq.cn*, True -*.helloholidays.eu*, True -*.helloiamarobot.org*, True -*.hellojin.com*, True -*.hellojyotish.com*, True -*.hellokorea329807.com*, True -*.hellopeople.mx*, True -*.hello.si*, True -*.helloslovenia.si*, True -*.hellosolao.com*, True -*.hellotelapp.tk*, True -*.hello-vietnam.tk*, True -*.hellowira.com*, True -*.hellsaints.com.ar*, True -*.hellspice.net*, True -*.hellstein.pl*, True -*.hellyer.info*, True -*.hellyna.com*, True -*.hellzrejectz.com*, True -*.helmesahtel.eu*, True -*.helmijaana.fi*, True -*.helmrido.com*, True -*.helmspdx.com*, True -*.helmy404.co*, True -*.helmy-yk.com*, True -*.helorouter.co.uk*, True -*.helotenorio.com.br*, True -*.help12.org*, True -*.help-2go.com*, True -*.help4rent.ru*, True -*.helpdesk.cl*, True -*.helpdesk.hk*, True -*.helpdeskreferencesite.ninja*, True -*.helpgeek.com*, True -*.helpingfriendlybooks.com*, True -*.helplife.tk*, True -*.helplz.com*, True -*.help-maths.com*, True -*.help-maths.ru*, True -*.helpme123.biz*, True -*.helpme123.us*, True -*.helpmesuporte.com*, True -*.helpmesuporte.com.br*, True -*.helpmykeys.com*, True -*.helpmylock.com*, True -*.helponline.ws*, True -*.helptec.com.mx*, True -*.helpwithcisco.com*, True -*.helpwithtaxreturns.co.uk*, True -*.helsinginproviisorikerho.fi*, True -*.helsinn.ch*, True -*.helstonehouse.com*, True -*.helton.ws*, True -*.helveticgroup.ch*, True -*.helveticon.ro*, True -*.helveticorchids.ch*, True -*.helveticservicesgroup.ch*, True -*.hemantacharya.com.np*, True -*.hemantadhikari.com.np*, True -*.hemb.us*, True -*.hemed76.com*, True -*.hemila.fi*, True -*.hemmali.com*, True -*.hemma.mobi*, True -*.hemma.org*, True -*.hemmelig.info*, True -*.hemmer.me*, True -*.hemmungslos-pur.com*, True -*.hemofilic.ro*, True -*.hemosbox.com*, True -*.hempenmail.tk*, True -*.hempen-online.tk*, True -*.hemprabbitnets.co.uk*, True -*.hemshrestha.tk*, True -*.hen83.com*, True -*.henadi.com*, True -*.henatazav.co.il*, True -*.hendelsystems.com*, True -*.hendersonconstruct.in*, True -*.hendracourse.web.id*, True -*.hendradeni.com*, True -*.hendrat.web.id*, True -*.hendricksonlawfirmpc.com*, True -*.hendricksonlawmt.com*, True -*.hendryciptakarya.com*, True -*.henglich.com*, True -*.henher.com*, True -*.henhoonline.net*, True -*.henhovn.com*, True -*.henk.web.id*, True -*.henley.id.au*, True -*.hennessey.cf*, True -*.hennessey.ml*, True -*.hennessey.tk*, True -*.hennig.net.br*, True -*.henningmn.com*, True -*.henningphoto.com*, True -*.henno.org*, True -*.henriclima.pt*, True -*.henriemail.com*, True -*.henri-inkinen.fi*, True -*.henrikchristiansen.com*, True -*.henrik.si*, True -*.henriq.com.br*, True -*.henriquealves.net.br*, True -*.henriquerodrigues.com*, True -*.henryarcher.co.uk*, True -*.henryaveiga.com*, True -*.henrycoopercomedy.com*, True -*.henrypm.cl*, True -*.henrypoon.com*, True -*.henry.sg*, True -*.henrythebeagle.com*, True -*.henrytiong.com*, True -*.henrytriumphs.com*, True -*.hentaidiscount.com*, True -*.hentaipro.com*, True -*.hentairank.com*, True -*.hentai-university.net*, True -*.henti.tk*, True -*.hentong-crew.xyz*, True -*.henyi.org*, True -*.henyjoun.com*, True -*.heolilom.com*, True -*.heovip.com*, True -*.heowns.me*, True -*.hepcats.net*, True -*.hepc.net.au*, True -*.hepdog.com*, True -*.hepicode.com*, True -*.hepseq.org*, True -*.her0.ga*, True -*.heraclion.co.uk*, True -*.heraclitos.tk*, True -*.heraldo.ml*, True -*.heramet.ro*, True -*.herbalhealthyh20.com*, True -*.herbalsolo.com*, True -*.herbec.net*, True -*.herbforrester.com*, True -*.herbhamlet.com.au*, True -*.herbie.tk*, True -*.herbislife.com*, True -*.herclima.cl*, True -*.hercore.com*, True -*.hercwork.com*, True -*.hercz.hu*, True -*.herdianto.web.id*, True -*.herdrugby.com*, True -*.herdy.la*, True -*.here4architecture.com*, True -*.here4art.com*, True -*.here4bike.com*, True -*.here4design.com*, True -*.here4fashion.com*, True -*.here4fitness.com*, True -*.here4games.com*, True -*.here4kitesurf.com*, True -*.here4pregnancy.com*, True -*.here4running.com*, True -*.here4skate.com*, True -*.here4startup.com*, True -*.here4sup.com*, True -*.here4surf.com*, True -*.here4sustainability.com*, True -*.here4tattoo.com*, True -*.here4travel.com*, True -*.here4us.com*, True -*.here4yoga.com*, True -*.herebedragons.to*, True -*.herecomesdajudge.com*, True -*.herecomesthepun.com*, True -*.hereintown.org*, True -*.hereinyourbedroom.net*, True -*.here.lv*, True -*.here.my*, True -*.herenvarno.com*, True -*.heriana.tk*, True -*.heribertomartinez.com*, True -*.heritagewilberforce.com.au*, True -*.herkeslunaparksever.com*, True -*.herlan-associates.ro*, True -*.hermanaji.com*, True -*.hermania.se*, True -*.hermanliang.cf*, True -*.hermanliang.tk*, True -*.hermanlucke.com*, True -*.hermantodardak.info*, True -*.hermesasesores.com.ar*, True -*.hermes-project.com*, True -*.hermies.net*, True -*.herminagrup.com*, True -*.herminahospitalgroup.com*, True -*.herminameily.com*, True -*.hermitageloscabos.com*, True -*.hernan.cl*, True -*.hernancomaschi.com.ar*, True -*.hernandezgomez.com*, True -*.hernandez.si*, True -*.hernanfoxs.com*, True -*.hernank.com.ar*, True -*.hernanpepe.com.ar*, True -*.hernawan.net*, True -*.herndonlawfirmpc.com*, True -*.herndonlawpc.com*, True -*.heroactionfigure.com*, True -*.heroesandwarlords.com*, True -*.heroesinahalfshell.ninja*, True -*.herogopro.com*, True -*.heroicdoses.com*, True -*.heroinewarrior.com*, True -*.heroken.com*, True -*.heronquays.com*, True -*.herowner.com*, True -*.herp.ga*, True -*.herp-house.com*, True -*.herp.id.au*, True -*.herrajes-argentinos.com.ar*, True -*.herrajesterada.com.ar*, True -*.herrera.org.mx*, True -*.herrinariadne.com*, True -*.hertis.si*, True -*.hertzweb.com.au*, True -*.heruprasetyo.com*, True -*.hervy.se*, True -*.herzverstand.ch*, True -*.hesa.co.id*, True -*.hesball.com*, True -*.hesler.ca*, True -*.hesmixology.com*, True -*.hessfamily2010.net*, True -*.hesspool.net*, True -*.hesterburger.co.za*, True -*.hestia.org.br*, True -*.hesti.net*, True -*.hesti.org*, True -*.hestonrough.in*, True -*.hesychia.co.uk*, True -*.hetano.com*, True -*.het-automobiel.nl*, True -*.heureuy.tk*, True -*.heurist.tk*, True -*.heuschen.co.za*, True -*.heviz1000.com*, True -*.heweifurniture.com*, True -*.hewico.com*, True -*.hewico.ir*, True -*.hewmet.eu*, True -*.hewmet.pl*, True -*.hewr.tk*, True -*.hexadrom.ru*, True -*.hexagon-engineering.ro*, True -*.hexagongroup.hk*, True -*.hexagon-systems.eu*, True -*.hexagr.am*, True -*.hexa-soft.com.ar*, True -*.hexbit.se*, True -*.hexen-fummel.de*, True -*.hexionsalt.com*, True -*.hexjumper.be*, True -*.hexora.com.ar*, True -*.hex-solutions.co.uk*, True -*.hextec.com.ve*, True -*.hextec.net*, True -*.hexylon.com*, True -*.hey245.com*, True -*.heyash.com*, True -*.heybarkeep.com*, True -*.heybryan.org*, True -*.heycomputerman.biz*, True -*.heycraigbot.com*, True -*.heyhey.es*, True -*.heymiles.com*, True -*.heypenny.co.za*, True -*.heys.co.uk*, True -*.heyskinny.com*, True -*.heythatsmy.name*, True -*.hezeproxy.tk*, True -*.hezhijin.tk*, True -*.hf0.com*, True -*.hfapparel.ca*, True -*.hff.mx*, True -*.hfllawgroup.com*, True -*.hfsistemas.com.br*, True -*.hfsolutions.com.ar*, True -*.hgbc.co.uk*, True -*.hgbc.info*, True -*.h-g.cl*, True -*.hghst.net*, True -*.hghst.org*, True -*.hglandman.co.za*, True -*.hglaw.net*, True -*.hgob.org*, True -*.h-grade.com*, True -*.hgsgroup.co.il*, True -*.hgsv.tk*, True -*.hhaltd.co.uk*, True -*.hhdev.info*, True -*.hhi7ssl.info*, True -*.hhintrsa.com*, True -*.hhl-consulting.com*, True -*.hhoiltools.com*, True -*.hhp55.com*, True -*.hhp77.com*, True -*.hhp88.com*, True -*.hhp98.com*, True -*.hhpro.tk*, True -*.hhrefacciones.com*, True -*.hhvl.us*, True -*.hhwhg.org*, True -*.hi10.co.uk*, True -*.hi5.ms*, True -*.hi5.si*, True -*.hi-9090.com*, True -*.hibernategroup.in*, True -*.hiboubleu.com*, True -*.hic24.com*, True -*.hi-cargo.com*, True -*.hiccupsoftware.com*, True -*.hickinson.co.uk*, True -*.hickinson.uk*, True -*.hiconlab.ro*, True -*.hidalcor.cl*, True -*.hidalgo.cl*, True -*.hidalgoyasociados.cl*, True -*.hidaramirai.ga*, True -*.hidcomic.com*, True -*.hiddencloud.me*, True -*.hiddencorner.net*, True -*.hiddencorner.org*, True -*.hiddennode.us*, True -*.hiddenspringsrv.com*, True -*.hiddentreazures.ca*, True -*.hiddentreazures.com*, True -*.hidemyassnet.net*, True -*.hidemyass-parser.tk*, True -*.hidemymetadata.com*, True -*.hidemymetadata.com.au*, True -*.hidemymoneysite.com*, True -*.hidenig.ga*, True -*.hides.ml*, True -*.hidetherainbow.com*, True -*.hidrain.com*, True -*.hidramec.com.br*, True -*.hidromontes.cl*, True -*.hidrotran.ro*, True -*.hidupsehat.asia*, True -*.hieber.cc*, True -*.hie.ch*, True -*.hiehting.com*, True -*.hielofiesta.cl*, True -*.hielofiesta.com*, True -*.hieloscordillera.cl*, True -*.hiephoihangkhong.com*, True -*.hietikko.net*, True -*.hifi-audiovideo.ro*, True -*.hificas.com*, True -*.hifiliving.com*, True -*.hi-fruehfoerderung.at*, True -*.higayon.com*, True -*.higeon.com*, True -*.higg7942.com*, True -*.higginsstuff.com*, True -*.higgr.com*, True -*.higgsservices.in*, True -*.highburyeng.com.au*, True -*.highburyengineering.com.au*, True -*.highclassdent.ro*, True -*.highdale.cc*, True -*.highdefinitionfestival.co.uk*, True -*.highdesertnetwork.com*, True -*.highdrain.com*, True -*.higherdimensions.tk*, True -*.higherhealth.net.au*, True -*.highernetworks.net*, True -*.higherpurposeofbusiness.com*, True -*.highfiveboys.com*, True -*.highflight.cl*, True -*.highlandna.com*, True -*.highlandparadise.com.my*, True -*.highly-classified.info*, True -*.highnoon.com.pk*, True -*.highoctane.net*, True -*.highperformingdaemon.org*, True -*.highpointmobilehomes.com*, True -*.highrocklake.org*, True -*.highspecpcit.com*, True -*.high-speed-wireless.com*, True -*.high-speed-wireless.net*, True -*.highspot.net*, True -*.highstrike.net*, True -*.highte.ch*, True -*.hightechelectrical.com*, True -*.highthizzmandy.com*, True -*.hightidebuceo.com.ar*, True -*.hightide.com.ar*, True -*.high-time-way.com*, True -*.highvillage.de*, True -*.high-ways.tk*, True -*.highwoodvt.org*, True -*.higrade.ro*, True -*.hihelper.co.kr*, True -*.hihelper.net*, True -*.hihiduck.info*, True -*.hihiyr.cf*, True -*.hihiyr.gq*, True -*.hihiyr.ml*, True -*.hihongkong.hk*, True -*.hiihoo.fi*, True -*.hijacker.cc*, True -*.hijaxdesigns.com*, True -*.hij.com.br*, True -*.hikamikamm.tk*, True -*.hikayeleralemi.com*, True -*.hikeset.com*, True -*.hiketheridge.net*, True -*.hikikomero.com*, True -*.hikingduck.co.uk*, True -*.hikvision-krd.ru*, True -*.hilarys.ca*, True -*.hilberink.us*, True -*.hildegardisreunie.info*, True -*.hilderbrook.com*, True -*.hiler.pl*, True -*.hiley.cx*, True -*.hilinknet.ir*, True -*.hilkkakemppi.fi*, True -*.hillaryihope.com*, True -*.hillaryihope.info*, True -*.hillaryihope.net*, True -*.hillaryihope.org*, True -*.hillbox.com*, True -*.hillbrick.net*, True -*.hillcrestdrystorage.info*, True -*.hilleberg.tw*, True -*.hillis.id.au*, True -*.hillnotary.com*, True -*.hillsbarn.com*, True -*.hillsleepers.com*, True -*.hillstonefarm.com*, True -*.hilman.ml*, True -*.h-ilmu.tk*, True -*.hilosytelas.com*, True -*.hilsberg.info*, True -*.hilstrom.net*, True -*.hilton-head-island-homes.com*, True -*.himapet.com*, True -*.himasaifi.com*, True -*.himbrr.ws*, True -*.himeko.ga*, True -*.himera.ro*, True -*.him-indonesia.com*, True -*.himlalghimire.com.np*, True -*.himzes.ro*, True -*.himzi.pw*, True -*.hinchapelota.com*, True -*.hinchapelotas.com*, True -*.hinchfamily.com*, True -*.hinch.org*, True -*.hineser.com*, True -*.hingfu.com*, True -*.hinglungfood.com*, True -*.hingtaitrading.com*, True -*.hinhanhso.com*, True -*.hinkmediabibjoklunu.pw*, True -*.hinkmediacemnughed.pw*, True -*.hinkmediafragesfet.pw*, True -*.hinkmediagutoportik.pw*, True -*.hinkmediakatuskolik.pw*, True -*.hinkmediakmnutredkil.pw*, True -*.hinkmedianutijkif.pw*, True -*.hinkmediaredgijkomuk.pw*, True -*.hinkmediaretegmol.pw*, True -*.hinkmediatutikmiked.pw*, True -*.hinkmediatuyhiknurmx.pw*, True -*.hinkmediaxevmunik.pw*, True -*.hinkmediaxuydenm.pw*, True -*.hinodelighting.com*, True -*.hinokaalsindo.com*, True -*.hin.tw*, True -*.hintz.org*, True -*.hioctanefuel.com*, True -*.hi-ola.mx*, True -*.hione555.com*, True -*.hior.org.ru*, True -*.hipaadatacloud.com*, True -*.hiperixat.com*, True -*.hiperjogos.com*, True -*.hiperjogos.info*, True -*.hiperled.es*, True -*.hipermay.com*, True -*.hipermay.com.ar*, True -*.hipersupply.com.br*, True -*.hipertansiyon.org*, True -*.hipfinger.at*, True -*.hiphim.org*, True -*.hiphopart.ro*, True -*.hiphoplive.tv*, True -*.hiphopstar.tv*, True -*.hip-hop.tv*, True -*.hiphoptv.info*, True -*.hipicoabril.com.ar*, True -*.hipmonkeys.com*, True -*.hipno.tk*, True -*.hipoconhipo.com.ar*, True -*.hipocrate.ro*, True -*.hipoputos.org*, True -*.hippiechicks.org*, True -*.hippiehacker.com*, True -*.hippiehacker.org*, True -*.hippob.com*, True -*.hippos.com.ar*, True -*.hippowise.com*, True -*.hipproduction.com*, True -*.hippula.fi*, True -*.hippyhacker.org*, True -*.hiprinter.com*, True -*.hipshinghk.com*, True -*.hipstamatic.ro*, True -*.hipsterkitty.ch*, True -*.hipstershirt.com*, True -*.hipstershirts.com*, True -*.hipsterstonixon.com*, True -*.hipstertshirts.com*, True -*.hi-qu.ru*, True -*.hiradimir.jp*, True -*.hirane.cl*, True -*.hire-a-team.com*, True -*.hireatradesman.com*, True -*.hireatradie.com*, True -*.hireatradie.com.au*, True -*.hireconrad.com*, True -*.hiremewal.es*, True -*.hireright.us*, True -*.hireseoguru.com*, True -*.hirewpguru.com*, True -*.hirin.net*, True -*.hirokuscript.com*, True -*.hirons.us*, True -*.hirose.com.au*, True -*.hirschauer.org*, True -*.hirsiger-gartenbau.ch*, True -*.hirsiger-garten.ch*, True -*.hirsiger-gartenpflege.ch*, True -*.hiruneko.com*, True -*.hirvikuiskaaja.fi*, True -*.hisato-hank.com*, True -*.hisdad.org.nz*, True -*.hish.ru*, True -*.hisi.hr*, True -*.hisolao.com*, True -*.hisolutions.cl*, True -*.hisosoccer.com*, True -*.hispanic-talk.com*, True -*.hispano-ruso.ru*, True -*.hissingdragon.net*, True -*.historiaroja.cl*, True -*.historiascruzadas.cl*, True -*.historystack.com*, True -*.hiswordbroadcasting.net*, True -*.hisyam.my*, True -*.hitachi-aircon.ro*, True -*.hitachiindonesia.com*, True -*.hitandmiss.ca*, True -*.hitched.my*, True -*.hitchins.tk*, True -*.hit-club.si*, True -*.hitcs.com.au*, True -*.hitechblog.ro*, True -*.hitech-faq.net*, True -*.hitechlife.ru*, True -*.hitechplus.biz*, True -*.hitekcenter.net*, True -*.hiteshleena.com*, True -*.hitformule.com*, True -*.hitgaranti.com*, True -*.hithelp.info*, True -*.hither-lands.net*, True -*.hithrough.com*, True -*.hithruapp.com*, True -*.hithru.co*, True -*.hithru.es*, True -*.hithru.org*, True -*.hithru.tv*, True -*.hitij.org*, True -*.hititgunesi.org*, True -*.hitkrrobotics.com*, True -*.hitomimarket.ru*, True -*.hitopcomm.asia*, True -*.hit-pro.com*, True -*.hitremixes.com*, True -*.hitsconsulting.com*, True -*.hit-sezona.ru*, True -*.hitslagu.biz*, True -*.hitslagu.in*, True -*.hitsong.co*, True -*.hiturialese.ro*, True -*.hitzschke.ch*, True -*.hiutkal.in*, True -*.hiva.biz*, True -*.hivazyr.cf*, True -*.hive-brain.net*, True -*.hivelink.us*, True -*.hivemanager.biz*, True -*.hiveminds.net*, True -*.hivemoms.com*, True -*.hiving.pt*, True -*.hiv-prep.com*, True -*.hiv-prep.org*, True -*.hiwi.com.ar*, True -*.hiwocve.cf*, True -*.hi-ya.club*, True -*.hiyavita.com*, True -*.hiyb.net*, True -*.hiyb.org*, True -*.hiy-po.com*, True -*.hizbut-tahrir.id*, True -*.hizbut-tahrir.or.id*, True -*.hizmat.ru*, True -*.hjemmenett.net*, True -*.hjkl.se*, True -*.hjmartinuzzi.com.ar*, True -*.hj-musikint.se*, True -*.hjort.nu*, True -*.hjpack.com*, True -*.hjpeter-gipsergeschaeft.ch*, True -*.hk168168.com*, True -*.hk222333.com*, True -*.hk6.co*, True -*.hk6.com*, True -*.hkabc.org*, True -*.hkaf.hk*, True -*.hk-ai.com*, True -*.hkaneyama.com*, True -*.hkbuy.cf*, True -*.hkbuy.ga*, True -*.hkbuy.gq*, True -*.hkbuy.ml*, True -*.hkbuy.tk*, True -*.hkcacelebration.hk*, True -*.hkcar.cf*, True -*.hkcar.ga*, True -*.hkcar.gq*, True -*.hkcar.ml*, True -*.hkcdshop.com*, True -*.hkchile.cl*, True -*.hkcoaching.org*, True -*.hkcopier.gq*, True -*.hkcopier.ml*, True -*.hkcopier.tk*, True -*.hk-daigou.hk*, True -*.hkd.me*, True -*.hkdrupal.com*, True -*.hkeauto.ro*, True -*.hkegg.org*, True -*.hkemail.com*, True -*.hk-energie.ch*, True -*.hkeventscalendar.com*, True -*.hkeventscalendar.hk*, True -*.hkflower.cf*, True -*.hkflower.ga*, True -*.hkflower.gq*, True -*.hkflower.ml*, True -*.hkflower.tk*, True -*.hkfreeweb.cf*, True -*.hkfreeweb.ga*, True -*.hkfreeweb.gq*, True -*.hkfreeweb.ml*, True -*.hkfreeweb.tk*, True -*.hkfsd.com*, True -*.hkgame.gq*, True -*.hkg.biz*, True -*.hkgolfers.com*, True -*.hkgxcc.hk*, True -*.hkhandmade.com*, True -*.hkhoitong.com*, True -*.hkhostel.cf*, True -*.hkhostel.ga*, True -*.hkhostel.gq*, True -*.hkhostel.ml*, True -*.hkhostel.tk*, True -*.hkhotspot.com*, True -*.hkhouse.cf*, True -*.hkhouse.ga*, True -*.hkhouse.gq*, True -*.hkhouse.ml*, True -*.hkhouse.tk*, True -*.hkhtml5.com*, True -*.hkict.net*, True -*.hkid.info*, True -*.hkieca.com*, True -*.hk-infinity.com*, True -*.hkink.cf*, True -*.hkink.ga*, True -*.hkink.gq*, True -*.hkink.ml*, True -*.hkink.tk*, True -*.hkinternetwebcentre.com*, True -*.hkis.hk*, True -*.hkitl.cf*, True -*.hkitl.com*, True -*.hkitl.ga*, True -*.hkitl.gq*, True -*.hkitl.ml*, True -*.hkitl.tk*, True -*.hkivc.com*, True -*.hk-koshin.com*, True -*.hkk-outdoor.com*, True -*.hklaw.hk*, True -*.hklcu.com*, True -*.hkleinschmidt.de*, True -*.hklink.org*, True -*.hkmagento.com*, True -*.hkmailbox.com*, True -*.hkmall.ga*, True -*.hkmall.gq*, True -*.hkmall.ml*, True -*.hkmne.org*, True -*.hkmotor.cf*, True -*.hkmotor.ga*, True -*.hkmotor.gq*, True -*.hkmotor.ml*, True -*.hkmotor.tk*, True -*.hkmtta.com*, True -*.hkmtta.org*, True -*.hkmusictherapy.hk*, True -*.hknetizen.com*, True -*.hknetizen.net*, True -*.hk-nk.com*, True -*.hk-nk.net*, True -*.hkoskela.co.uk*, True -*.hk-petanjci.com*, True -*.hkpos88.com*, True -*.hkposco.com*, True -*.hkpost.org*, True -*.hkprinter.cf*, True -*.hkprinter.ga*, True -*.hkprinter.gq*, True -*.hkprinter.ml*, True -*.hkprinter.tk*, True -*.hkreferee.com*, True -*.hkrenoman.com*, True -*.hkrental.cf*, True -*.hkrental.gq*, True -*.hkrental.ml*, True -*.hkrental.tk*, True -*.hkrent.ga*, True -*.hkrent.ml*, True -*.hksautomation.it*, True -*.hksec.hk*, True -*.hksell.cf*, True -*.hksell.ga*, True -*.hksell.gq*, True -*.hksell.ml*, True -*.hksell.tk*, True -*.hksensor.com*, True -*.hkshop.cf*, True -*.hkshop.ga*, True -*.hkshop.gq*, True -*.hkshop.ml*, True -*.hksp.hk*, True -*.hksprocesscontrol.it*, True -*.hksquote.com*, True -*.hktex.org*, True -*.hktoner.cf*, True -*.hktoner.ga*, True -*.hktoner.gq*, True -*.hktoner.ml*, True -*.hktoner.tk*, True -*.hktrustco.hk*, True -*.hktv.hk*, True -*.hkumbrella.com*, True -*.hk-van.com*, True -*.hkweb.gq*, True -*.hkwebhosting.gq*, True -*.hkwebinfo.com*, True -*.hkwebsite.gq*, True -*.hkwordpress.com*, True -*.hkx.pw*, True -*.hkyea.org*, True -*.hl0aeo.net*, True -*.hlawna.eu*, True -*.hlchen.info*, True -*.hlcsrl.com*, True -*.hlewisphoto.com*, True -*.hlguild.com*, True -*.hlink-labs.tk*, True -*.hlkyf.com*, True -*.hloris.eu*, True -*.hlshotels.com*, True -*.hlworld.tk*, True -*.hm-08.com*, True -*.hmail.us*, True -*.hmao.pro*, True -*.hmassociation.com*, True -*.hmay.com.ar*, True -*.hmb.com.ar*, True -*.hmbygg.se*, True -*.hmc.dj*, True -*.hmcsa.com.br*, True -*.hmemory.com*, True -*.hmethodos.gr*, True -*.hmfrecruitment.com*, True -*.hmh.ro*, True -*.hmilitar.com.ar*, True -*.hmong.ws*, True -*.hmongyp.com*, True -*.hmq.su*, True -*.hmronline.com.ar*, True -*.hmr.ro*, True -*.hmsc.com.my*, True -*.hms.com.my*, True -*.hmsmt.com*, True -*.hmsolucoes.com*, True -*.h-ms.org*, True -*.hmsrv.net*, True -*.hmt66.com*, True -*.hmt77.com*, True -*.hmt88.com*, True -*.hmt.com.br*, True -*.hmte.ru*, True -*.hmt.org.br*, True -*.hmuda.es*, True -*.hmv2.net*, True -*.hmv.pw*, True -*.hna.cl*, True -*.hndpckd.com*, True -*.hnet.in*, True -*.hnet.net.au*, True -*.hnfsw.net*, True -*.hnhp4.com*, True -*.hnidc.eu*, True -*.hnilica.net*, True -*.hn-mes.com*, True -*.hnp3.com*, True -*.h-n-s.ch*, True -*.hnt67.com*, True -*.hnt78.com*, True -*.hnw-cpa.com*, True -*.ho-1004.com*, True -*.ho-2020.com*, True -*.ho42.net*, True -*.hoahonggiay.net*, True -*.hoaluahaphuong.com*, True -*.hoamskool.net*, True -*.hoangkieu.com*, True -*.hoanglongvietnam.com*, True -*.hoangthanh.cz*, True -*.hoard.ca*, True -*.hoatuongvy.com*, True -*.hoatuongvy.net*, True -*.hobbyarena.ro*, True -*.hobbydirectory.co.za*, True -*.hobbylos.at*, True -*.hobbyoutlet.com.br*, True -*.hobbytech.com.my*, True -*.hobbytimestore.com*, True -*.hobby-world.ro*, True -*.hobiecat.co.il*, True -*.hobiku.co.id*, True -*.hobog.tk*, True -*.hocgioigiang.com*, True -*.hochladenbilder.com*, True -*.hochzeit-ellmauer.at*, True -*.hochzeitmartaundgerhard.com*, True -*.hockeybregaglia.ch*, True -*.hockeysnack.com*, True -*.hockeysub.ch*, True -*.hockinghawkgear.com*, True -*.hockingmedia.com*, True -*.hoclaixeoto.biz*, True -*.hoddesdonsales.co.uk*, True -*.hoddesdontruck.co.uk*, True -*.hod-guild.tk*, True -*.hodol070.com*, True -*.hodvab.eu*, True -*.hoedsch.de*, True -*.hoefgeest.com*, True -*.hoepfingers.com*, True -*.hoerandel.com*, True -*.hoerbuch.to*, True -*.hoerzer.org*, True -*.hofer3037.ch*, True -*.hofernetworks.ch*, True -*.hoffer.cx*, True -*.hoffmann-ac.de*, True -*.hoffmann-im-internet.de*, True -*.hoffnet.us*, True -*.hofmanbouw.be*, True -*.hofmann-gullotti.ch*, True -*.hofmann-la.ch*, True -*.hofmansafety.com*, True -*.hofx.ml*, True -*.hogopogo.me*, True -*.hogwartsnetwork.com*, True -*.hohesross.info*, True -*.hohlik.net*, True -*.hohlik.pl*, True -*.hohmann.com.ar*, True -*.hohsystems.co.za*, True -*.hoinville.com.au*, True -*.hoitmort.ro*, True -*.hojalai.com*, True -*.hojeesexta.com.br*, True -*.hokeness.com*, True -*.hoki.ee*, True -*.hokkien.tk*, True -*.hokku.co.kr*, True -*.hokku.net*, True -*.hokrain.ru*, True -*.hokspot.tk*, True -*.hokusnet.com*, True -*.holandoros.com.ar*, True -*.holdenenterprises.com*, True -*.holden.id.au*, True -*.holdenpaul.com*, True -*.holdenroad.info*, True -*.holdenroad.org*, True -*.holdenweb.us*, True -*.holding-rm.ru*, True -*.holdmyhand.co.za*, True -*.holdonforhope.com*, True -*.holeinone.cc*, True -*.holeinone.hk*, True -*.holes.sk*, True -*.holidayautosadriatic.si*, True -*.holiday-costinesti.ro*, True -*.holidayinncba.com.ar*, True -*.holidayinnwarwickfarm.com.au*, True -*.holidayinslovenia.si*, True -*.holiday-ro.com*, True -*.holidays-in-slovenia.si*, True -*.holidaysinslovenia.si*, True -*.holidayslovenia.si*, True -*.holidazesouthindia.com*, True -*.holistic-school.gr*, True -*.holiswiss.ch*, True -*.holkenbrink.com*, True -*.holkenbrink.us*, True -*.holken.info*, True -*.holkeri.fi*, True -*.holladayward.org*, True -*.hollandflowers.eu*, True -*.hollandhypnosiscenter.com*, True -*.hollandhypnosis.com*, True -*.hollands.id.au*, True -*.hollandweather.net*, True -*.holleyfuelpumps.com*, True -*.hollings.it*, True -*.hollisnhland.com*, True -*.hollow-ist.com*, True -*.hollybarton.com*, True -*.holly-hayward.co.uk*, True -*.hollymackintherapy.com*, True -*.hollypoint.org*, True -*.hollywoodpowersports.com*, True -*.holmberga.se*, True -*.holmblad.org*, True -*.holmes1350.info*, True -*.holmesandreynolds.com.au*, True -*.holmgren.id.au*, True -*.holmgren.xyz*, True -*.holmos.tk*, True -*.holobyte.com.au*, True -*.holst55.ru*, True -*.holstons.com*, True -*.holtaudioflorida.tk*, True -*.holtaudio.tk*, True -*.holtland.net*, True -*.holtonfs.co.za*, True -*.holtslag.me*, True -*.holtz.co.uk*, True -*.holverson.org*, True -*.holychild.ca*, True -*.holycrosskapa.com*, True -*.holyghosts.tk*, True -*.holylandshop.ru*, True -*.holyone.com.mx*, True -*.holyone.mx*, True -*.holypassionfirechurch.org*, True -*.holypuck.com*, True -*.holyspirithaitimission.org*, True -*.holy-trinity.org.au*, True -*.holytrinityorthodox.ca*, True -*.holytrinitysaintgeorge.org*, True -*.holywrath.com*, True -*.holzbau-ramsauer.ch*, True -*.homa88.ro*, True -*.homaei.ir*, True -*.homaxauto.com*, True -*.homaxcorp.com*, True -*.homealone.ro*, True -*.homeatwork.ca*, True -*.home-auctions.eu*, True -*.homebid.ca*, True -*.home-box.com.ar*, True -*.homebox.com.ar*, True -*.homebrewed.se*, True -*.homebrewer.com.au*, True -*.homebrewer.org*, True -*.homebrewer.ru*, True -*.homebrewology.org*, True -*.homebrewtoys.com*, True -*.homebusinessincubator.com*, True -*.homebuyers2000.com*, True -*.homebuyers2000.net*, True -*.homebyredesign.net*, True -*.homecarealternatives.net*, True -*.homecarebuddiesworld.com*, True -*.homecine.be*, True -*.homecomputerrepair.us*, True -*.homeconcept.com.ar*, True -*.homeconnect.ro*, True -*.home-control.io*, True -*.homedatacentre.com*, True -*.homeddns.com*, True -*.homedefinition.co*, True -*.homedegrees.org*, True -*.homedistiller.org.au*, True -*.homedyn.ml*, True -*.homeenergymanagerapp.com*, True -*.home-galaxy.de*, True -*.homeimprovementepisodes.com*, True -*.homeinpickens.com*, True -*.home-in-spain.es*, True -*.homeipfreddo.com.ar*, True -*.homeiswithyou.net*, True -*.home.kg*, True -*.homelabs.eu*, True -*.homelinux.ml*, True -*.homelinuxserver.org*, True -*.homeloansforveterans.com*, True -*.homelync.tw*, True -*.home-made-food.co.il*, True -*.homemade.hk*, True -*.homemadetale.com*, True -*.homematin.co.uk*, True -*.homenajespinetta.com.ar*, True -*.homenerdwwwservices.info*, True -*.homenet.org*, True -*.homenetwork.ml*, True -*.homenode.ca*, True -*.homeofthegeordies.com*, True -*.homeofthenest.com*, True -*.homeorder.com*, True -*.homepages4all.ch*, True -*.homepakistan.com.pk*, True -*.homeperfection.net*, True -*.homeperfection.org*, True -*.homeplex.org*, True -*.home-portal.co.uk*, True -*.homepridebaths.com*, True -*.homepridekitchens.com*, True -*.homepult.ru*, True -*.homeraisedaquatics.com*, True -*.homerec1.ir*, True -*.homeremote.xyz*, True -*.homerun.tw*, True -*.homeschooltables.co.uk*, True -*.homeschoolts.com*, True -*.homeschoolu.com*, True -*.homeschoolu.net*, True -*.homeserver.ro*, True -*.homessc.tk*, True -*.homestore.com.ar*, True -*.homestylemeals.ca*, True -*.homesupercomputers.com*, True -*.home-town-geek.com*, True -*.hometownsg.com*, True -*.homeunix.tk*, True -*.homeurbano.cl*, True -*.home-vs.com*, True -*.homewave-bbn.us*, True -*.homeworkwriting.com*, True -*.homiecloud.com*, True -*.homies20.tk*, True -*.homix.ro*, True -*.homnet.ch*, True -*.homoklady.cz*, True -*.homosexu.al*, True -*.hompimpastudio.com*, True -*.honahlee.net*, True -*.honbok.com*, True -*.h-on.co.uk*, True -*.hondaautoserang.com*, True -*.hondabayu.com*, True -*.hondabikepartsaustralia.com*, True -*.hondabikepartsaustralia.com.au*, True -*.hondaherreros.com*, True -*.hondamarinepartsaustralia.com.au*, True -*.honda-megapro.or.id*, True -*.hondamotorbikepartsaustralia.com*, True -*.hondamotorbikepartsaustralia.com.au*, True -*.hondamotorbikeparts.com.au*, True -*.honda-ms.si*, True -*.hondanord.ro*, True -*.hondaoutboardpartsaustralia.com*, True -*.hondaoutboardpartsaustralia.com.au*, True -*.hondaoutboardparts.com.au*, True -*.honda-padang.com*, True -*.hondapadang.com*, True -*.hondapartsaustralia.com*, True -*.hondascooterparts.com*, True -*.hondek.com*, True -*.hondofarm.com*, True -*.hondurashope.com*, True -*.hondurashope.net*, True -*.hondurasmorazanica.info*, True -*.hondz.com*, True -*.honeduvz.cf*, True -*.honestpirate.com*, True -*.honeybeegardens.net*, True -*.honeyflower.net*, True -*.honey.my*, True -*.honeypot.ro*, True -*.honeyshop.ro*, True -*.hongerke.be*, True -*.hongganae.com*, True -*.honghoa.tk*, True -*.honghutech.com*, True -*.hongjun-cfr.com*, True -*.hongkongallergy.org*, True -*.hongkongbanquet.info*, True -*.hongkongbanquet.net*, True -*.hongkongbanquet.org*, True -*.hongkongeventscalendar.hk*, True -*.hongkongflorist.com*, True -*.hongkongflower.com*, True -*.hongkonghandmade.com*, True -*.hongkonghockey.com*, True -*.hongkonghockey.info*, True -*.hongkongice.hk*, True -*.hongkongicehockey.com*, True -*.hongkongicehockey.info*, True -*.hongkongiceskating.com*, True -*.hongkongiceskating.info*, True -*.hongkongimmigration.com*, True -*.hongkongimplant.com*, True -*.hongkonglaw.cn*, True -*.hongkonglawcreditunion.com*, True -*.hongkonglawcu.com*, True -*.hongkonglaw.hk*, True -*.hongkongspy.com*, True -*.hongkongtrustcompany.com*, True -*.honglab.net*, True -*.hongliengr.com*, True -*.hongonguyenthanh.com*, True -*.honigmannegociosinmobiliarios.com*, True -*.honkeykong.org*, True -*.honkytonkchronicles.com*, True -*.honner.net*, True -*.hon.net.au*, True -*.honorablecrafts.com*, True -*.honositas.ro*, True -*.honsuit.com*, True -*.hontani.in*, True -*.honux.com.ar*, True -*.honyoam.com*, True -*.honz.biz*, True -*.hoodengineering.com*, True -*.hoodesystem.ir*, True -*.hoodworld.info*, True -*.hoohaamelbourne.com.au*, True -*.hookcraft.nl*, True -*.hookedoncaffeine.com*, True -*.hookedoncannabis.com*, True -*.hookipa.se*, True -*.hooligart.cl*, True -*.hoolmgreen.se*, True -*.hoomanise.com*, True -*.hoop.net.ru*, True -*.hoopstarsbasketball.com*, True -*.hooseki.com*, True -*.hopa.ru*, True -*.hopcomproject.com*, True -*.hopeairport.tk*, True -*.hope-bern.ch*, True -*.hopefulhobo.com*, True -*.hopeit.biz*, True -*.hopeit.com.ar*, True -*.hopemed.co.id*, True -*.hopeofjeremiah.org*, True -*.hopes.ir*, True -*.hopesped.ro*, True -*.hopetronic.com*, True -*.hopewill.com*, True -*.hopewill-imm.com*, True -*.hophamvietnam.org*, True -*.hophinggroup.com*, True -*.hopipoint.net*, True -*.hopkins-consulting.com*, True -*.hopkinsstudioonline.com*, True -*.hopkinsvilleatheist.org*, True -*.hopkirk.sk*, True -*.hopla.com.br*, True -*.hoposoft.net*, True -*.hoppinghodags.com*, True -*.hoppywood.com*, True -*.hoptime.com.br*, True -*.hopyatchurch.org*, True -*.hopyjern.cf*, True -*.horaciodillon.com.ar*, True -*.horaksite.net*, True -*.horalibre.cl*, True -*.horan.id.au*, True -*.horatiu.ml*, True -*.horc.net*, True -*.horcrux.ml*, True -*.hordalandvbk.net*, True -*.horee.web.id*, True -*.horek-orenburg.ru*, True -*.horgasztuning.hu*, True -*.horisana.ch*, True -*.horizonbusiness.cl*, True -*.horizondrop.net*, True -*.horizoninvestmentsolutions.com.au*, True -*.horizonlongdistance.com*, True -*.horizonpublishingllc.com*, True -*.horizonroofingandrenos.ca*, True -*.horizonroofingandrenos.com*, True -*.horizonteglobal.com.br*, True -*.horla.ca*, True -*.horlux.org*, True -*.hormes.co.nz*, True -*.hormocenta-kosmetik.com*, True -*.hornbillinteractive.com*, True -*.hornbillinteractive.net*, True -*.hornbillinteractive.org*, True -*.horner.me*, True -*.horng-bin.com*, True -*.hornkennedy.com*, True -*.hornyteensvideos.com*, True -*.horoscope4u.eu*, True -*.horoscopodelamor.com.ar*, True -*.horoscopodelsexo.com.ar*, True -*.horosoft.org*, True -*.horowitz.co.il*, True -*.horribleanime.com*, True -*.horroreyes.eu*, True -*.horrorfunok.tk*, True -*.horrorshowcrew.com*, True -*.horsecomposting.com*, True -*.horstdieblaskapelle.ch*, True -*.horticare.com.au*, True -*.hortijardim.com*, True -*.hortitechs.com*, True -*.hortusdesign.de*, True -*.horwathtechnologies.com*, True -*.horzdev.net*, True -*.hosemann.in*, True -*.hosepower.com.ar*, True -*.hoses4you.com*, True -*.hosfelt.us*, True -*.hoshuko.us*, True -*.hoskote-pa.in*, True -*.hospedajeelbacorrales.cl*, True -*.hospitalcampeche.com*, True -*.hospitald.com*, True -*.hospitalityclassics.co.za*, True -*.hospitalitytender.com*, True -*.hospitalmadreteresa.com.br*, True -*.hospitalmadreteresa.org.br*, True -*.hospitalmadretereza.com.br*, True -*.hospitalmadretereza.org.br*, True -*.hospitalmay.com*, True -*.hospitalonativia.gob.ar*, True -*.hospitaltrueta.cat*, True -*.hossainmotors.com*, True -*.hoss.dk*, True -*.hossein.cf*, True -*.hosseiniehershad.ir*, True -*.hoss.xyz*, True -*.host00.ru*, True -*.host14.net*, True -*.host167.tk*, True -*.host1.info*, True -*.host2go.net*, True -*.host5tl.ml*, True -*.hostalgatoazul.cl*, True -*.hostap.net*, True -*.host-ariesta4rt.com*, True -*.hostaweb.be*, True -*.hostbogor.com*, True -*.hostcibi.com*, True -*.hostclean.ro*, True -*.hostcrot.uk*, True -*.hostcyberid.tk*, True -*.hostdonk.co.uk*, True -*.hostdonk.in*, True -*.hostdonk.mx*, True -*.hostedge.tk*, True -*.hostedminers.com*, True -*.hostedservices.tk*, True -*.hostelandrei.ro*, True -*.hostellacasadelrio.com.ar*, True -*.hosteriaayelen.com*, True -*.hosteriapuentedelinca.com*, True -*.host-factory.co.uk*, True -*.hostfree.li*, True -*.hostfree.mx*, True -*.hostic.com.ar*, True -*.hostid.mobi*, True -*.hostid.name*, True -*.hostileperformance.com*, True -*.hosting123.co.za*, True -*.hosting14.me*, True -*.hosting14.net*, True -*.hosting2100.com*, True -*.hosting21.ch*, True -*.hosting22.biz*, True -*.hosting-anak.tk*, True -*.hostingdandomain.com*, True -*.hostingermuda.com*, True -*.hosting-foryou.eu*, True -*.hostingkampung.com*, True -*.hostingku.us*, True -*.hostinglotus.info*, True -*.hostingmambumentah.com*, True -*.hostingmon.com*, True -*.hostingratisan.tk*, True -*.hosting-services-bo.com*, True -*.hostingsquare.biz*, True -*.hostingvirtue.com*, True -*.hosting-vps.ro*, True -*.hostislesec.net*, True -*.hostlabor.com*, True -*.host-land.ch*, True -*.hostlander.es*, True -*.host-liedl-net.de*, True -*.hostmachine.tk*, True -*.host-maho.cf*, True -*.hostmania.cf*, True -*.hostmarpagos.com*, True -*.hostmonster.com.br*, True -*.hostmyqr.com*, True -*.h-o-s-t.name*, True -*.host-name.eu*, True -*.host-nerd.com*, True -*.hostress.de*, True -*.hostsurfing.ca*, True -*.hostsurfing.net*, True -*.hosttricks.com*, True -*.hosttricks.info*, True -*.hostueweb.eu*, True -*.hostuje.org*, True -*.hostweb.us*, True -*.hostyourservernow.com*, True -*.hotbar.mobi*, True -*.hot-cgv.com*, True -*.hotcheese.net*, True -*.hotdoghighway.com*, True -*.hotdojin.com*, True -*.hotel4kids.ch*, True -*.hotel8deoctubre.com.ar*, True -*.hotel-am-brillantengrund.at*, True -*.hotelandoria.com*, True -*.hotelarenales-vcp.com.ar*, True -*.hotelaries.com.ar*, True -*.hotelbeisha.com.ar*, True -*.hotelbelmar.com.mx*, True -*.hotelbender.com.ar*, True -*.hotelboeking.nl*, True -*.hotelcentral-vdt.ch*, True -*.hotelcerna.ro*, True -*.hotelceylon.com*, True -*.hoteldavide.it*, True -*.hoteldecebal.ro*, True -*.hoteles-mendoza.com*, True -*.hotelesmendoza.com.ar*, True -*.hotelesparana.com.ar*, True -*.hotelflamingo.web.id*, True -*.hotelfloresmdp.com.ar*, True -*.hotelgrasia.com*, True -*.hotelguemes.com.ar*, True -*.hotelhineni.com*, True -*.hoteliguazu.net*, True -*.hotelilhadecapri.com*, True -*.hotelindian.com*, True -*.hotelinparis.ro*, True -*.hotelinviena.ro*, True -*.hotellarissa.ro*, True -*.hotelmary.eu*, True -*.hotelniventus.com.ar*, True -*.hotelochodeoctubre.com.ar*, True -*.hotel-olympus.gr*, True -*.hotelorion.ro*, True -*.hotelpensionwilhelm.ch*, True -*.hotelpiscis.com.ar*, True -*.hotelplazatecoman.mx*, True -*.hotelpuntalara.com.ar*, True -*.hotelranca.ro*, True -*.hotelreginacb.com.br*, True -*.hotelrelaxbyala.com*, True -*.hotelrioaraguaia.com.br*, True -*.hotelsantaisabel.co*, True -*.hotelsantandermdq.com.ar*, True -*.hotelseconomici.it*, True -*.hotelsnanjing.com*, True -*.hotelsoftvn.com*, True -*.hotelsolutions.com.br*, True -*.hotelstravelle.com*, True -*.hotelsweeneys.com.au*, True -*.hoteltashidelek.com*, True -*.hoteltender.com*, True -*.hoteltilapia.com*, True -*.hoteltorinovcp.com.ar*, True -*.hotelunitednepal.com*, True -*.hotelupgrade.com*, True -*.hotelvaganza.com*, True -*.hotelvalcea.ro*, True -*.hotelwilliam.com.au*, True -*.hotfast.pl*, True -*.hotfrantz.com*, True -*.hot-gogos.com*, True -*.hothanhtuan.com*, True -*.hotheadsacoolsalon.com*, True -*.hot-hed.com*, True -*.hotinformer.com*, True -*.hotkost.tk*, True -*.hotlinemexico.com*, True -*.hotlx.us*, True -*.hotmeble.pl*, True -*.hotnerd.com*, True -*.hotnew.com.br*, True -*.hotnoodzdudez.com*, True -*.hotoilemess.com*, True -*.hotpad.us*, True -*.hotpornadult.com*, True -*.hotpornohub.com*, True -*.hotpot.hk*, True -*.hotproductsusa.com*, True -*.hotronhanquafb.com*, True -*.hotserver.tk*, True -*.hotsitesp.com.br*, True -*.hotspeed.ninja*, True -*.hotspothotpot.com*, True -*.hotstampingfoil.in*, True -*.hotstampingfoils.in*, True -*.hotstoneclasses.com*, True -*.hoturbanmodels.com*, True -*.hotvibes.org*, True -*.hotvitasoy.com*, True -*.hotwallet.my*, True -*.hotwaterpros.com*, True -*.hotworks.ro*, True -*.hotzona.bg*, True -*.hot-zone.co*, True -*.houde-it.com*, True -*.houdem.ca*, True -*.hour2fill.com*, True -*.hour2kill.com*, True -*.hourinc.com*, True -*.hourit.com.au*, True -*.hourn.me*, True -*.hourtofill.com*, True -*.housechurch.net.au*, True -*.houseforlease.eu*, True -*.housegosa.com*, True -*.househeads.org*, True -*.houseinvictus.com*, True -*.housekeepingunlimited.com*, True -*.houseline.co.za*, True -*.housenation.ca*, True -*.housenews.biz*, True -*.houseofdavids.net*, True -*.houseofloy.net*, True -*.houseofpet.co.id*, True -*.houseofpiehl.com*, True -*.houseofsyafana.com*, True -*.houseoftravis.com*, True -*.houseoftravis.net*, True -*.houserevenge.com*, True -*.houserevenge.ninja*, True -*.housewineitaly.com*, True -*.housewineitaly.it*, True -*.housingbuy.com*, True -*.housingreps.org.uk*, True -*.housleyhomes.com*, True -*.houstonclothingexchange.com*, True -*.houstonequitydeals.com*, True -*.houstongriffith.com*, True -*.houstonnexus.com*, True -*.houston-psychologist.net*, True -*.houston-therapist.net*, True -*.hovaszarjak.info*, True -*.hovensautomotive.com*, True -*.hoverdogs.com*, True -*.hovertop.com*, True -*.hovran.se*, True -*.how2buildpicnictable.info*, True -*.howardcompanies.net*, True -*.howardhospitality.com*, True -*.howardpaintingco.com*, True -*.howard-realty.com*, True -*.howareyoudriving.com*, True -*.howestreetvillageoptometry.ca*, True -*.howeville.com*, True -*.howeyun.com*, True -*.howgetrid.org*, True -*.howickmountainbiking.co.za*, True -*.howiewexler.com*, True -*.howitt.id.au*, True -*.howlingwolfwoman.com*, True -*.howmuchdoesitcosttobuyastar.com*, True -*.hownottoburnwater.com*, True -*.howotorg.ru*, True -*.howsherolls.net*, True -*.howtheway.com*, True -*.howtip.com*, True -*.howtobefatorthin.tk*, True -*.howtogetababytosleep.net*, True -*.howtogetexback.ml*, True -*.howtogetmagicpowers.com*, True -*.how-to-get-rid-of-acne-overnight.com*, True -*.howto.jp*, True -*.howtolabs.net*, True -*.howtoliveonmars.com*, True -*.howtoloan.co.kr*, True -*.howtomakeaspudgun.net*, True -*.howtomakecatapults.com*, True -*.howtomakehomemadesubmarines.com*, True -*.howtomakemoneyfromhouses.com*, True -*.howtomakepaperguns.net*, True -*.howtomania.gr*, True -*.howtopassiton.com*, True -*.howtophil.com*, True -*.howtosmart.net*, True -*.howtostartareikipractice.com*, True -*.howtotiescarves.net*, True -*.howtotravelnow.com*, True -*.hoyaa.ro*, True -*.hoycocinamariarosa.com.ar*, True -*.hoye.co*, True -*.hoyesnet.co.uk*, True -*.hoy-sa.com*, True -*.hoysalgo.cl*, True -*.hoytlink.net*, True -*.hoytvideo.com*, True -*.hoyuansoft.com*, True -*.hpa-bionum.org.uk*, True -*.hpai.web.id*, True -*.hpconsultores.com.ve*, True -*.hpc.tw*, True -*.hpcuisines.ch*, True -*.hpdis.net*, True -*.hpelectricservice.com*, True -*.hpeppe.com*, True -*.hpioxii.org.br*, True -*.hpjconsulting.co.za*, True -*.h-plus.ru*, True -*.hpmmsa.com.ar*, True -*.hpn54l.es*, True -*.hpoppo.info*, True -*.hppartes.cl*, True -*.hppr.co*, True -*.hpqeventum.ro*, True -*.hprid-official.asia*, True -*.hprid-official.me*, True -*.hprid-official.org*, True -*.hpr-official.net*, True -*.hprox.com*, True -*.hptech.com.au*, True -*.hp-user.tw*, True -*.hpvac.net*, True -*.hqcloud.de*, True -*.hq.com.au*, True -*.hqdates.com*, True -*.hqfriends.com*, True -*.hqncs.com*, True -*.hq.net.au*, True -*.hqs.pl*, True -*.hradcany.org*, True -*.hradvisoring.ro*, True -*.hrajabi.ir*, True -*.hranabio.ro*, True -*.hranacateisipisici.ro*, True -*.hranaeco.ro*, True -*.hrananaturala.ro*, True -*.hranaorganica.ro*, True -*.hrbord.com*, True -*.hrcenterplus.in*, True -*.hrchrysler.ca*, True -*.hrdiagnostics.net*, True -*.hr-diagnotics.com*, True -*.hrefoli.cf*, True -*.hrenov.net*, True -*.hrhfh.org*, True -*.hrinca.ro*, True -*.hristic-blagotic.ch*, True -*.hrjudo.ro*, True -*.hrlacessorios.com.br*, True -*.hrl.cl*, True -*.hrmax.net*, True -*.hrmotors.ro*, True -*.hroest.ch*, True -*.hrpcs.tk*, True -*.hrproductions.biz*, True -*.hrpro.hk*, True -*.h-r-services.ch*, True -*.hrstrategyworkbook.cl*, True -*.hr-systematic.com*, True -*.hr-systemics.com*, True -*.hr-systemics.net*, True -*.hr-uralsibneft.ru*, True -*.hrynek.com*, True -*.hsab.com.ar*, True -*.hsa.com.ar*, True -*.hsba.info*, True -*.hsbk.org*, True -*.hscb.ch*, True -*.hscbraunwald.ch*, True -*.hsensei.com*, True -*.hsepal.com*, True -*.hsew.org.uk*, True -*.hsf.co.za*, True -*.hsieh-chang.com*, True -*.hsindustrial.cl*, True -*.hsings.net*, True -*.hsjhouse.com*, True -*.hskll.org*, True -*.hsp21.com*, True -*.hspeed.ch*, True -*.hspizzeriasc.com*, True -*.hsplastic.co.kr*, True -*.hsq.hk*, True -*.hssm.co.za*, True -*.hsspace.org*, True -*.hsssllc.com*, True -*.hst-ltd.com*, True -*.hstranphu.com*, True -*.hsu.tw*, True -*.hs.vc*, True -*.hsvc.ch*, True -*.hsvlum.com*, True -*.hs-yachten.at*, True -*.htanew.net*, True -*.htcengineers.com*, True -*.htcisgood.com*, True -*.htclink.com*, True -*.htec.hk*, True -*.hthjabor.com*, True -*.hthkg.com*, True -*.htims.co.uk*, True -*.htjx.co*, True -*.htkentseltasarim.com.tr*, True -*.htkfinanse.pl*, True -*.html5k.net*, True -*.html5k.org*, True -*.html5websitedesign.com*, True -*.html.com.ar*, True -*.htmldebugger.com*, True -*.htn66.com*, True -*.htn77.com*, True -*.htn87.com*, True -*.htpc.cl*, True -*.htpg.de*, True -*.htrack.co.za*, True -*.httalot.fi*, True -*.http500.tk*, True -*.htv2.info*, True -*.htv3.info*, True -*.htweb.ro*, True -*.htw.pw*, True -*.htygrp.com*, True -*.huagang-stainlesssteel.com*, True -*.huaguan-fs.com*, True -*.huahinhotel.info*, True -*.huahinresort.info*, True -*.huajiangs.com*, True -*.hualienhouse.com*, True -*.huangbrothers.co.uk*, True -*.huangempowerment.com*, True -*.huangnen.com*, True -*.huanxingshan.com*, True -*.huaruichexiang.com*, True -*.huat-ah.com*, True -*.huaweisurabaya.com*, True -*.huaxiajiukang.com*, True -*.huaxiaspace.com*, True -*.huaxiaspace.net*, True -*.huaxia-yuanfang.net*, True -*.huaxinmusic.com*, True -*.huayanjiyu.com*, True -*.hubbhotel.ga*, True -*.hubblotech.com*, True -*.huberabq.com*, True -*.huberabq.net*, True -*.huber-gipser.ch*, True -*.huberins.com*, True -*.huber-it-solutions.ch*, True -*.huber-research.ch*, True -*.huberthenose.de*, True -*.hubertservices.in*, True -*.hubertyuan.com*, True -*.hublaa.club*, True -*.hubnerbrasil.com*, True -*.hubot.com.au*, True -*.hubrisk.com*, True -*.hubseverin.ro*, True -*.huburi.ro*, True -*.hucklive.com*, True -*.huda.cf*, True -*.huda.web.id*, True -*.huddersfieldcomputers.co.uk*, True -*.hudodobro.si*, True -*.hudopenhouseinutah.com*, True -*.hudo-poceni.si*, True -*.hudsonbuildingsupplies.com*, True -*.hudsonbuildingsupplies.com.au*, True -*.hudsonbuildingsupplies.net.au*, True -*.hudson-family.net*, True -*.hudsontechguy.com*, True -*.hudsonthrift.com*, True -*.huebiz.co.kr*, True -*.huebiz.com*, True -*.huebner.tk*, True -*.huement.com*, True -*.hueney-co.com.ar*, True -*.huepfisworld.at*, True -*.huepfler.com*, True -*.huerken.com*, True -*.huertosecreto.cl*, True -*.huertosesli.mx*, True -*.hues.ga*, True -*.huesliberg.ch*, True -*.huesoi.es*, True -*.hueteinterpreting.com*, True -*.huetemortgage.com*, True -*.huetemortgageinc.com*, True -*.hueting.info*, True -*.huffeys.com*, True -*.hugefil.es*, True -*.hugejobbie.com*, True -*.hugelist.mobi*, True -*.hugelist.net*, True -*.hugelist.org*, True -*.hugen.info*, True -*.huggyfee.net*, True -*.hughesspencer.co.uk*, True -*.hughjcatalano.com*, True -*.hugi-joliat.ch*, True -*.hugin.com.au*, True -*.hugocabral.com.ar*, True -*.hugoku.com*, True -*.hugomr.com*, True -*.hugoruscitti.com.ar*, True -*.hug.pl*, True -*.hugstheroot.com*, True -*.huija24.com*, True -*.huijgens-online.nl*, True -*.huiloksum.com*, True -*.huilokyin.com*, True -*.huisselectie.com*, True -*.huisselectie.eu*, True -*.huisselectie.nl*, True -*.huisselect.nl*, True -*.huitema.info*, True -*.huiyinghao.net*, True -*.hujak.org*, True -*.hujanhitam.web.id*, True -*.huklen.com*, True -*.hukset.fi*, True -*.hul9.com*, True -*.hulezone.ir*, True -*.hulichicken.com*, True -*.hulka.ch*, True -*.hulkperformance.com*, True -*.hulme.ca*, True -*.hultberg.ninja*, True -*.hulumanu.com*, True -*.hulu.pk*, True -*.humanasset.com*, True -*.humanclouding.com.mx*, True -*.human-coaching.com.mx*, True -*.humancoachingnetwork.cl*, True -*.humancoachingnetwork.com*, True -*.humancoachingnetwork.net*, True -*.humancoachingnetwork.org*, True -*.humanenigma.com*, True -*.humanet.tk*, True -*.humanfactors.ru*, True -*.humanforce.co.uk*, True -*.humanika-training.com*, True -*.humanint.co.za*, True -*.humanitiesprojects.tk*, True -*.humanitypvp.tk*, True -*.human.li*, True -*.humanresources.hk*, True -*.humanrightstibet.org*, True -*.humanservers.in*, True -*.humanspace.cl*, True -*.humanz.es*, True -*.huma.org.mx*, True -*.humas.org.mx*, True -*.humbaailulu.com*, True -*.humbug.com*, True -*.humbull.ca*, True -*.humby.co.za*, True -*.hum.co.uk*, True -*.humesfork.com*, True -*.humlicek.net*, True -*.hummocks.net*, True -*.humorvisite.ch*, True -*.humorvisite.eu*, True -*.humoryvideojuegos.com*, True -*.humpink.in*, True -*.hump-your-mom.tk*, True -*.humpythedog.com*, True -*.humtv.pk*, True -*.hundephysiotherapie-bruehl.de*, True -*.hund.net*, True -*.hundorfean.ro*, True -*.hundsupport.net*, True -*.hungarianhacker.com*, True -*.hungcu1valve.com*, True -*.hungfayi.com.br*, True -*.hungryhorse.com.au*, True -*.hungryrecipe.com*, True -*.hungryyetigames.com*, True -*.hung-thai.com*, True -*.hung.tw*, True -*.hunke.ws*, True -*.hunnur.com*, True -*.hunora.com*, True -*.hunsicker.net*, True -*.hunterbanner.com*, True -*.huntercraft.tk*, True -*.hunterfighter.net*, True -*.hunterhawkins.com*, True -*.hunterjm.com*, True -*.hunter.sh*, True -*.hunterspointchamber.com*, True -*.hunterspointchamber.org*, True -*.huntertennisresort.com.au*, True -*.huntervip.ro*, True -*.hunte.se*, True -*.huntsvillelumber.com*, True -*.huntused.co.za*, True -*.huo2015.com*, True -*.huo2016.com*, True -*.huotari.im*, True -*.hupam.com*, True -*.hups.ro*, True -*.hup.su*, True -*.hurami.com*, True -*.hurdlehouse.com*, True -*.hurfalewski.co.uk*, True -*.hurme.net*, True -*.hurmuri.fi*, True -*.hurosystem.biz*, True -*.hurosystem.com*, True -*.hurosystem.info*, True -*.hurosystem.net*, True -*.hurr.info*, True -*.hurstbridgerealestate.com*, True -*.hurstfamily.com*, True -*.hurtadodemendoza.net*, True -*.huscostablanca.se*, True -*.huseli.us*, True -*.husen.tk*, True -*.huset.fr*, True -*.huseyingulsun.com.tr*, True -*.huseyinkuscu.com*, True -*.hushmagic.com*, True -*.hushmagic.net*, True -*.hushpromos.com*, True -*.huskerwall.com*, True -*.huskybitch.com*, True -*.husnulbakery.my*, True -*.husnulhalwa.my*, True -*.hussar.com.au*, True -*.hustalow.com*, True -*.hustlehard.biz*, True -*.hustonfamily.org*, True -*.husum-movie.tk*, True -*.hutchbox.net*, True -*.hutch.id.au*, True -*.hutch.name*, True -*.huttulanpuutarhatila.fi*, True -*.hutz.ch*, True -*.huussi.eu*, True -*.huwy.ch*, True -*.huysamen.org*, True -*.huysamenwestraad.co.za*, True -*.huytk.xyz*, True -*.huytrucwedding.com*, True -*.huzmet.ro*, True -*.hv11.com*, True -*.hvaataichi.hk*, True -*.hvacphoenix.com*, True -*.hvarcarrental.com*, True -*.hvbhn.com*, True -*.hvgolfclub.net*, True -*.hviacolor.ro*, True -*.hviewtv.com*, True -*.hvlf.at*, True -*.hvm.ro*, True -*.hvtechnical.com*, True -*.hwardschools.com*, True -*.hwashing.com*, True -*.hw.com.au*, True -*.hwg.co.id*, True -*.hwiyess.com*, True -*.hw-lib.ch*, True -*.hwsolution.com.ar*, True -*.hwwebsite.com*, True -*.hxhzgfjlb.com*, True -*.hxrmn.net*, True -*.hxy.com.au*, True -*.hyakunime.net*, True -*.hyaltda.cl*, True -*.hybelmotors.com.ar*, True -*.hybridclub.tw*, True -*.hybridtechnology.in*, True -*.hybrisgame.com*, True -*.hybris-habbo.cf*, True -*.hybrismodz.gq*, True -*.hybrisrider.ch*, True -*.hyc.cl*, True -*.hycpackaging.cl*, True -*.hyderabad-adventures.com*, True -*.hyder.ga*, True -*.hyde.ws*, True -*.hydock.net*, True -*.hydranetwork.tk*, True -*.hydrant-wk.com*, True -*.hydra-pc.tk*, True -*.hydrateknik.com*, True -*.hydraulic-generators.com*, True -*.hydraulic-handpumps.com*, True -*.hydraulic-innovation.com*, True -*.hydraulic-orbitmotors.com*, True -*.hydraulicpump-technology.com*, True -*.hydraulic-technology.com*, True -*.hydraulic-valvetechnology.com*, True -*.hydraulik-drehdurchfuehrungen.com*, True -*.hydraulik-handpumpen.com*, True -*.hydraulik-schlauchaufroller.com*, True -*.hydraulique-treuthardt.ch*, True -*.hydrodns.tk*, True -*.hydroenv.ro*, True -*.hydroquebeclibre.com*, True -*.hydrotransmission-technology.com*, True -*.hyfy.ml*, True -*.hygeazul.pt*, True -*.hygedentindonesia.com*, True -*.hygie.cz*, True -*.hyh.cl*, True -*.hyipad.com*, True -*.hykw.info*, True -*.hylab.info*, True -*.hylsy.org*, True -*.hymnsinmyheart.com*, True -*.hymps.net*, True -*.hynapil.tk*, True -*.hyosungsource.com*, True -*.hyotyseminaari.fi*, True -*.hype.hk*, True -*.hyperbaha.com*, True -*.hyperbrickhd.tk*, True -*.hypercoop.tk*, True -*.hyper-craft.co*, True -*.hyperheadrecords.com*, True -*.hyper.inf.br*, True -*.hyperinf.inf.br*, True -*.hyperiongroup.ca*, True -*.hyperionmarine.gr*, True -*.hyperion.pw*, True -*.hyperjav.com*, True -*.hyperjs.com*, True -*.hyperlet.com*, True -*.hyperlithium.net*, True -*.hyperlog.gr*, True -*.hypernet99.com.ve*, True -*.hypernetics.org*, True -*.hyperneuro.com*, True -*.hyperscan3d.me*, True -*.hypertechsolutions.com.au*, True -*.hyper-v.at*, True -*.hypervguy.com*, True -*.hypervnetwork.it*, True -*.hyphun.com*, True -*.hypnobubble.co.uk*, True -*.hypnocake.com*, True -*.hypnosec.tk*, True -*.hypnose.si*, True -*.hypnotherapie-cf.ch*, True -*.hypotheticalsolutions.com*, True -*.hyppocloud.com*, True -*.hypsteragency.com*, True -*.hysonix.com*, True -*.hysweb.com.ar*, True -*.hyt44.com*, True -*.hyt77.com*, True -*.hytekonline.net*, True -*.hytekpcrepair.com*, True -*.hytw.cf*, True -*.hytw.ga*, True -*.hytw.gq*, True -*.hytw.ml*, True -*.hytw.tk*, True -*.hyundaicme.co.kr*, True -*.hyvernion.com*, True -*.hzabihi.ir*, True -*.hzarazaga.com.ar*, True -*.hzbe.ch*, True -*.hzdev.net*, True -*.hzuowen.gq*, True -*.i0i.io*, True -*.i10k.ru*, True -*.i2arabic.com*, True -*.i2bopomo.com*, True -*.i2cangjie.com*, True -*.i2cantonese.com*, True -*.i2clipart.com*, True -*.i2doc.com*, True -*.i2ie.com*, True -*.i2ocr.com*, True -*.i2pdf.com*, True -*.i2pi.com.ar*, True -*.i2picture.com*, True -*.i2pinyin.com*, True -*.i2speak.com*, True -*.i2style.org*, True -*.i2symbol.com*, True -*.i2ts.com.au*, True -*.i2type.com*, True -*.i386.co*, True -*.i386sx.net*, True -*.i3ce.cl*, True -*.i3omb.com*, True -*.i4031.com*, True -*.i4031.net*, True -*.i-46.ru*, True -*.i4ng.com*, True -*.i7ii.com*, True -*.i8.com.br*, True -*.i8ii.com*, True -*.iaac-ltd.co.uk*, True -*.iabloko.net*, True -*.i-access.com*, True -*.iac-cio.org*, True -*.iaci.com.ar*, True -*.iaconetti.com.ar*, True -*.iaeindonesia.com*, True -*.iaeindonesia.net*, True -*.iafc.co.za*, True -*.iaicu.org*, True -*.iaies.org.ar*, True -*.iainw.net*, True -*.iair.com.ar*, True -*.iairpro.com*, True -*.iakarra.net*, True -*.iakutsk.ru*, True -*.iales.com.br*, True -*.ialmi.ro*, True -*.iamablackgeek.com*, True -*.iamaj.net*, True -*.iamandi.ro*, True -*.ia-ma-nene.ro*, True -*.iamdavidbrown.com*, True -*.iameric.com*, True -*.iamhere.to*, True -*.iamh.im*, True -*.iamhuman-campaign.com*, True -*.iamirrational.com*, True -*.iamjade.tk*, True -*.iamjason.com*, True -*.iamkarl.co.uk*, True -*.iaml33t.com*, True -*.iamlateef.com*, True -*.iamlocal1487.net*, True -*.iamnothellcat.com*, True -*.iamnotwhoiam.net*, True -*.i-am-oberon.com*, True -*.iamoberon.com*, True -*.iampv.com.br*, True -*.iamsanjay.tk*, True -*.iamspotlight.com*, True -*.i-am-za.ch*, True -*.ian.cl*, True -*.iancrocker.co.uk*, True -*.iandianproject.tk*, True -*.ianglen.me*, True -*.ianhenderson.org*, True -*.ianhockaday.com*, True -*.iannuzzi.me*, True -*.ianoberst.com*, True -*.ianrossi.com*, True -*.iansantosphotography.com*, True -*.ianschoonover.com*, True -*.iansim.ca*, True -*.iantaylor.com*, True -*.iantaylor.pe*, True -*.iantayloryciasa.cl*, True -*.ianthiele.com*, True -*.iantu.ro*, True -*.iaob.ch*, True -*.iapeargentina.com.ar*, True -*.iapec.com.ve*, True -*.iapeccv.com*, True -*.iapp.biz*, True -*.iarpol.com.ar*, True -*.iartemis.cn*, True -*.iasbihar.org*, True -*.iasiapartamente.ro*, True -*.iasicase.ro*, True -*.iasiterenuri.ro*, True -*.iatse187.org*, True -*.iaustyn.com*, True -*.iaxia.cl*, True -*.iba.ac.id*, True -*.ibabyphone.com*, True -*.iball.biz*, True -*.iba-lux.com*, True -*.ibaneztravers.com.ar*, True -*.iban.org.uk*, True -*.ibarkowsky.ru*, True -*.ibbysdesigns.com.au*, True -*.ibc-125.com*, True -*.ibc658.com*, True -*.ibc658.net*, True -*.ibc6666.com*, True -*.ibc678.com*, True -*.ibc678.net*, True -*.ibcasadevalores.com*, True -*.ibcaustralia.info*, True -*.ibcc.co.id*, True -*.i-bc.com.ar*, True -*.ibdl.ga*, True -*.ibecameaddicted.com*, True -*.ibelieveicanfly.gr*, True -*.ibelieveicanfly.in*, True -*.ibelodc.cf*, True -*.iberica360.com*, True -*.ibericopatanegra.com*, True -*.iberik.com*, True -*.ibermusicas.org*, True -*.iberochile.cl*, True -*.iberotek.com*, True -*.ibethere.net*, True -*.ib-hagstotz.biz*, True -*.ibh.com.my*, True -*.ibiblio.ga*, True -*.ibito.net*, True -*.ibiuberlandia.com.br*, True -*.ibizainformatica.com*, True -*.ibiznw.com*, True -*.ibjardimbotanico.com.br*, True -*.ibk-ivk.fi*, True -*.i-bkk.com*, True -*.iblamar.org*, True -*.iblau.cl*, True -*.iblesstoday.com*, True -*.ibmcsi.com.br*, True -*.ibmmt.net*, True -*.ibmx.ro*, True -*.ibnb.hk*, True -*.ibnolhasan.ir*, True -*.ibnu-fajri.cf*, True -*.ibnuqoyyim.com*, True -*.iborgelt.com*, True -*.iborn.hk*, True -*.ibraim.ro*, True -*.ibrelgov.com.br*, True -*.ibrovic.net*, True -*.ibrovic.org*, True -*.ibsclan.com*, True -*.ibsengenharia.com*, True -*.ibservices.com.my*, True -*.ibsrgroup.com*, True -*.ibstemple.org*, True -*.ibstemple.us*, True -*.ibtech.com.my*, True -*.ibullieve.com*, True -*.ibutler.ml*, True -*.ibuyblack.co.za*, True -*.ibuylocal.co.za*, True -*.ibwcrue.tk*, True -*.ic3d-solutions.com*, True -*.ic4rus.com.au*, True -*.ica-coatings.hk*, True -*.ical.io*, True -*.ical.web.id*, True -*.icamtest.ga*, True -*.icandig.it*, True -*.icangus.com*, True -*.icanread.ir*, True -*.icanscore.com*, True -*.icantec.ca*, True -*.icanwan.com*, True -*.icanwin.ml*, True -*.icaramba.ru*, True -*.icare2u.com*, True -*.i-care.gr*, True -*.icar.nl*, True -*.icaroapps.com*, True -*.icarosochicar.cl*, True -*.icart.tw*, True -*.icarusdev.tk*, True -*.icarustelecom.ro*, True -*.i-case.co.id*, True -*.icase.co.id*, True -*.icat.fm*, True -*.icatfm.org*, True -*.icbarrosarana.cl*, True -*.icb-bumiputera.cf*, True -*.icbcluj.ro*, True -*.iccbrasil.com.br*, True -*.icceb.info*, True -*.iccloud.ro*, True -*.iccmcasarestauracion.cl*, True -*.icconsultants.ca*, True -*.icdmedia.co.uk*, True -*.iceage.com.my*, True -*.icebes.mx*, True -*.icebes.org.mx*, True -*.iceblaze.com*, True -*.icebolt.org*, True -*.iceb.org.br*, True -*.icecapadesreunion2015.com*, True -*.icechim-pd.ro*, True -*.icecondor.tk*, True -*.icecreamandcats.com*, True -*.icecreamqueen.ca*, True -*.icecreamqueen.com*, True -*.icedaq.ch*, True -*.icefoc.org*, True -*.iceframework.net*, True -*.icefumy.info*, True -*.ice.lc*, True -*.icello.in*, True -*.icemaiden.net*, True -*.icemail.me.uk*, True -*.icemar.org.mx*, True -*.icentry.com*, True -*.iceohio.com*, True -*.iceonet.net*, True -*.iceprojects.si*, True -*.icepuddles.com*, True -*.icern.ch*, True -*.icerock.com.ar*, True -*.iceskating.hk*, True -*.iceunix.com*, True -*.icevote.com*, True -*.icfar.com*, True -*.icfotografia.com.ar*, True -*.icfuel.com*, True -*.icfuture.com.br*, True -*.icg.hk*, True -*.icgmkt.com*, True -*.ichange.ch*, True -*.ichangeinc.com*, True -*.ichat.sg*, True -*.ichbinschwanger.ch*, True -*.ichealth-s.com*, True -*.ichill.org*, True -*.ichiro0z.net*, True -*.ichi.tk*, True -*.ichthusofficial.com*, True -*.icidweb.com*, True -*.icigar.com*, True -*.iciis.cl*, True -*.i-c.info*, True -*.icipharma.in*, True -*.icisleri.com*, True -*.icis.ws*, True -*.icjpg.cl*, True -*.icj.ru*, True -*.ickesgrading.com*, True -*.ickray.com*, True -*.iclassroom.com.au*, True -*.iclicktecnologia.com.br*, True -*.iclothing.ir*, True -*.icloud.sg*, True -*.i-cloud.tk*, True -*.iclsa.com*, True -*.icma.cl*, True -*.icman.co.za*, True -*.icmatch.com*, True -*.icms.com.my*, True -*.icms.my*, True -*.icnewcastle.com.au*, True -*.icn-services.asia*, True -*.icns.org.uk*, True -*.icoach.com*, True -*.icodefy.com*, True -*.icoelemu.cl*, True -*.icoin.ch*, True -*.icolumba.com*, True -*.i-com.cl*, True -*.icomhk.com*, True -*.icommerceseal.com*, True -*.icomputing.co.nz*, True -*.icomputing.nz*, True -*.i-comtex.pl*, True -*.iconcorp.tk*, True -*.iconcurs.ro*, True -*.i-con-engineering.ro*, True -*.icong.cf*, True -*.icongroupeast.com*, True -*.iconhelper.net*, True -*.iconicas.cl*, True -*.iconicstudio.ro*, True -*.iconsofourtime.com*, True -*.icontec.com.br*, True -*.icooking.cl*, True -*.icore.ro*, True -*.icosaedro.tv*, True -*.icos.ch*, True -*.icpbet.com*, True -*.icp-seigyo.com*, True -*.icrealestate.biz*, True -*.i-creativelearner.com*, True -*.icreativemedia.my*, True -*.icrsarl.ch*, True -*.i-c-solutions.ca*, True -*.ics.tw*, True -*.ict24.cc*, True -*.icta.org.ar*, True -*.icterm.net*, True -*.ictincubator.com.my*, True -*.ictpress.net*, True -*.ict.school.nz*, True -*.ictsupport.com.pe*, True -*.ictsupport.pe*, True -*.icuib.com*, True -*.icvet.ro*, True -*.icx.ro*, True -*.icywings.co.uk*, True -*.id10t69.com*, True -*.id84.me*, True -*.id84.tk*, True -*.idaan.be*, True -*.idacontrol.com*, True -*.idacontrol.gr*, True -*.idadedobloco.com.br*, True -*.idahohomesbuilder.com*, True -*.idaikokuya.com*, True -*.idaiwan.org*, True -*.idam.cl*, True -*.idancohen.com*, True -*.idanhpirzul.co.il*, True -*.idansbn.tk*, True -*.idap.cl*, True -*.idarkcy.com*, True -*.idartis.com*, True -*.idasoft.com.au*, True -*.idasvaljek.com*, True -*.idata.cl*, True -*.idav.info*, True -*.idayrus.org*, True -*.idbb.net*, True -*.idbelanja.co.id*, True -*.idbnc.in*, True -*.idbokep.com*, True -*.idbokep.in*, True -*.idbte4m.com*, True -*.idc-america.com*, True -*.id-ccn.ml*, True -*.idcduluth.com*, True -*.idcgroup.com.br*, True -*.idclan.eu*, True -*.idclp.com.ar*, True -*.idcompany.ro*, True -*.idcopas.com*, True -*.id-dz.gq*, True -*.idea-awards.com*, True -*.ideaawards.com.au*, True -*.ideabiznet.my*, True -*.ideactiva.com.mx*, True -*.ideafly-rc.com*, True -*.ideahard.com.ar*, True -*.idealab.gr*, True -*.idealandlife.com*, True -*.idealassist.com*, True -*.idealchrist.org*, True -*.idealna.si*, True -*.idealparty.ro*, True -*.idealpconline.es*, True -*.idealsoftware.com.ar*, True -*.idealsolutions.ro*, True -*.idealtailorsbd.com*, True -*.ideaman.hk*, True -*.ideas2liveby.com*, True -*.ideasa.com.ar*, True -*.ideasciviles.com*, True -*.ideasd2.com.ve*, True -*.ideasenfotos.com*, True -*.ideas-hosting1.com.ar*, True -*.ideas-hosting.com.ar*, True -*.ideas-informatica.com.ar*, True -*.ideasman.hk*, True -*.ideaswitch.com*, True -*.ideatech.ca*, True -*.ideaustry.sg*, True -*.ideawaves.ca*, True -*.idea-works.com.au*, True -*.idehia.com.br*, True -*.ideis.cl*, True -*.idejaplus.si*, True -*.idelconet.ro*, True -*.idemojedriti.hr*, True -*.idemonch.cl*, True -*.ident.com.tr*, True -*.id-enterprises.com*, True -*.identificalo.cl*, True -*.identifi-k.me*, True -*.identify.ga*, True -*.identitynws.com*, True -*.identiza.com*, True -*.ideoloft.com*, True -*.ideopod.com*, True -*.ideopolis.cl*, True -*.ideosphera.com*, True -*.ideoteca.com.br*, True -*.idermark.com*, True -*.ideveloperworld.com*, True -*.idev-ios.com*, True -*.idfashionblog.com*, True -*.id-fb.fm*, True -*.id-fete.ro*, True -*.idfl.web.id*, True -*.idgroup.ro*, True -*.idhome.com.br*, True -*.idhos.tk*, True -*.idialup.co.za*, True -*.idi.co.za*, True -*.idiete.ro*, True -*.idigo.org*, True -*.idila.com*, True -*.idila.eu*, True -*.idila.si*, True -*.idiomasglobal.com*, True -*.idioot.co.za*, True -*.idiot-attacker.com*, True -*.idiot.blue*, True -*.idiot-c0der.co*, True -*.idiotfootsteps.net*, True -*.idiots-coders.com*, True -*.idjob.info*, True -*.idjup.com*, True -*.id-koncept.hr*, True -*.idlagu.net*, True -*.idlechris.com*, True -*.idlemind.dj*, True -*.idlewarrior.com*, True -*.idlirik.tk*, True -*.idmic.ch*, True -*.idmplus.eu*, True -*.idnatest.com*, True -*.idnct.net*, True -*.idndev.com*, True -*.idnegocios.com.ar*, True -*.idolasig.ro*, True -*.idolphin.net*, True -*.idoltracer.com*, True -*.idomain.co.za*, True -*.idonati.it*, True -*.idontexist.me*, True -*.idopa.hk*, True -*.id-openvpn.ga*, True -*.idosa.com.ar*, True -*.idoweddingplanner.com.mx*, True -*.id-pesbuk.com*, True -*.idprofil.tk*, True -*.idraw.ro*, True -*.idreamofbeanie.com*, True -*.idriis.com*, True -*.idrivetaxi.com*, True -*.idsc.ch*, True -*.ids-chile.cl*, True -*.ids-crew.tk*, True -*.id-shopping.cf*, True -*.idsiegrist.ch*, True -*.idswarehouse.com*, True -*.idtapthat.ca*, True -*.id-teknologi.com*, True -*.id-twitter.us*, True -*.idu.la*, True -*.idunou.com*, True -*.iduzit.com*, True -*.id-wab.tk*, True -*.id.web.id*, True -*.idwebtv.com*, True -*.idxcode.com*, True -*.idxlocator.com*, True -*.idxn.ru*, True -*.idx.tw*, True -*.ieat.tk*, True -*.ieber.com*, True -*.iebox.com.br*, True -*.iecedu.org*, True -*.iecnepal.org.np*, True -*.ieconomics.ir*, True -*.iecstrategy.org*, True -*.ieditura.ro*, True -*.iedpoppy.com*, True -*.iedwrites.com*, True -*.ieee-aguascalientes.org.mx*, True -*.ieeegoldcyprus.org*, True -*.ieensc.tk*, True -*.ieerec.ir*, True -*.iefficient.ch*, True -*.ieftin-accesibil.ro*, True -*.iekb.ru*, True -*.iels.com.ve*, True -*.ieltd.co.nz*, True -*.i-emergency.com*, True -*.iemeta.com.ar*, True -*.i-endurance.com*, True -*.iennelopez.net*, True -*.ientech.es*, True -*.ienza.ca*, True -*.iepctech.com*, True -*.iepic.net*, True -*.iepsanluis.com.ar*, True -*.ier.ninja*, True -*.ie-romaneasca.ro*, True -*.ierusalim.org*, True -*.iescom.com.ve*, True -*.iesinclan.tk*, True -*.iesramblaprim.info*, True -*.iesvalleinclan.tk*, True -*.ietc.ru*, True -*.ieti.com.tw*, True -*.ieu.cl*, True -*.iexhibitions.com.my*, True -*.ieyd.org*, True -*.iezn.com*, True -*.ifac2013.com*, True -*.ifacesoft.ru*, True -*.ifactor.in*, True -*.ifdesk.de*, True -*.ifeellove.si*, True -*.ifeelmyself.eu*, True -*.ifeel.sg*, True -*.ifep.ro*, True -*.ifeth0.com*, True -*.iffi.com.my*, True -*.ifgmoney.net*, True -*.ifimportaciones.cl*, True -*.ifi-peer.tk*, True -*.ifit.ro*, True -*.ifixitmiami.com*, True -*.ifixstuff.co.za*, True -*.ifixthat.com*, True -*.i-flashdrivetr.com*, True -*.ifloosy.com*, True -*.ifloosy.eu*, True -*.ifoco.cl*, True -*.ifollow.web.id*, True -*.ifomedivinopolis.com.br*, True -*.i-food.co.za*, True -*.iforestwebsitedesign.co.uk*, True -*.i-forms.co.kr*, True -*.iforms.co.kr*, True -*.ifound4u.com*, True -*.ifoundyounow.com*, True -*.ifpc.hk*, True -*.ifreelance.co.il*, True -*.i-fresh.net*, True -*.ifrido.com*, True -*.ifriqiyah.com*, True -*.ifriqiyah-site.com*, True -*.ifsvstracking.com*, True -*.iftb.us*, True -*.iftribune.es*, True -*.ifuckedgarysdaughter.com*, True -*.ifuel.co.za*, True -*.ifv.co.za*, True -*.ifvoid.com*, True -*.ig42.org*, True -*.igachile.cl*, True -*.igambler.com*, True -*.igate.ro*, True -*.igccraft.net*, True -*.ige.es*, True -*.igeolog.com.br*, True -*.igetsa.cl*, True -*.igfoto.com.ar*, True -*.iggyonline.net*, True -*.ig-hib.ch*, True -*.i-gis.net*, True -*.igkufollow.ga*, True -*.igle.com.br*, True -*.iglesiasbruno.com.ar*, True -*.igliss.com*, True -*.iglooku.com*, True -*.iglyfrog.com*, True -*.iglyfrog.co.uk*, True -*.ignaciocastro.cl*, True -*.ignaciomendizabal.com.ar*, True -*.ignasio.org*, True -*.igneus.info*, True -*.ignite.ro*, True -*.ignitetheatre.net*, True -*.ignorelist.com*, True -*.ignotus.fi*, True -*.igoca.com.ve*, True -*.igoimpeks.com*, True -*.igood.ch*, True -*.igoodies.me*, True -*.igordavidovski.com*, True -*.i-go.ro*, True -*.igoroey11.tk*, True -*.igoroey1.tk*, True -*.igorpetan.com*, True -*.igor-roncevic.com*, True -*.igorstiskalov.com*, True -*.igotlaid.in*, True -*.igotwasted.com*, True -*.igpgroup.com.ar*, True -*.igraonicaminions.com*, True -*.igraprestolovavp.cf*, True -*.igraprestolovbwq.cf*, True -*.igraprestolovcxr.cf*, True -*.igraprestolovdys.cf*, True -*.igraprestolovezt.cf*, True -*.igraprestolovfau.cf*, True -*.igraprestolovgbv.cf*, True -*.igraprestolovhcw.cf*, True -*.igraprestolovidx.cf*, True -*.igraprestolovjey.cf*, True -*.igraprestolovkfz.cf*, True -*.igraprestolovlga.cf*, True -*.igraprestolovmhb.cf*, True -*.igraprestolovnic.cf*, True -*.igraprestolovojd.cf*, True -*.igraprestolovpke.cf*, True -*.igraprestolovqlf.cf*, True -*.igraprestolovsmg.cf*, True -*.igraprestolovtnh.cf*, True -*.igraprestolovuoi.cf*, True -*.igreat.com.br*, True -*.igrejadavila.com.br*, True -*.igricegames.com*, True -*.igro-teka.com*, True -*.igs.com.my*, True -*.igsgroup.cl*, True -*.igster.org*, True -*.iguaca.org*, True -*.iguacuro.com.br*, True -*.igualmentediferente.com.br*, True -*.iguana-it.net*, True -*.iguanlunastar-vedezevanje.si*, True -*.i-guard.hk*, True -*.iguatemala.com*, True -*.igumnov.com*, True -*.igun.web.id*, True -*.igusa.cl*, True -*.igxcontracting.com*, True -*.ihabiotech.com*, True -*.ihaggleapp.com*, True -*.ihandwrite.com*, True -*.ihanitse.fi*, True -*.ihappy.org*, True -*.ihappywed.com*, True -*.ihatemyamericanlife.com*, True -*.ihaterusssavage.com*, True -*.ihatetornadoes.com*, True -*.ihawkcs.com*, True -*.ihcraft.com*, True -*.i-heart-gifts.com*, True -*.ihearttibet.org*, True -*.iherb.fi*, True -*.ihopeinitiative.com*, True -*.ihopeinitiative.info*, True -*.ihopeinitiative.net*, True -*.ihopeinitiative.org*, True -*.ihopeinitiativepac.org*, True -*.i-horoscop.ro*, True -*.ihoroscop.ro*, True -*.ihorosho.ru*, True -*.ihromi.web.id*, True -*.ihtisas.biz*, True -*.ihutang.com*, True -*.iiapp.hk*, True -*.iig.net.au*, True -*.iigproy.com*, True -*.iihco.com.ve*, True -*.iiiii.info*, True -*.iiililililililililililiilllllllllllllllilillllllllllllllllllll.com*, True -*.iiin.ga*, True -*.iii.ninja*, True -*.iimahd-ernet.info*, True -*.iimahd.info*, True -*.iimdouiab.co.uk*, True -*.iinfo.cc*, True -*.iingles.cl*, True -*.iinvesting.com*, True -*.iioa.com.ar*, True -*.iiom.pk*, True -*.iisacc.net*, True -*.iiserk.net*, True -*.iitbmenu.tk*, True -*.iix.cl*, True -*.ij81.com*, True -*.ijcmart.com*, True -*.ijcreations.com*, True -*.ijemo.fr*, True -*.ijioyou.com*, True -*.ijocuri.org*, True -*.ijo.net*, True -*.ij-pc.com*, True -*.ijptesting.com*, True -*.ijtihad.eu*, True -*.ijtihad.us*, True -*.ijumperacademy.com*, True -*.ijvisahelp.com*, True -*.ijweb.co.nz*, True -*.ikalganteng.tk*, True -*.ikanbanonline.com*, True -*.ikar161.ru*, True -*.ikaslan.co*, True -*.ikasman10pku98.com*, True -*.ikatankeluarga.com*, True -*.ik-cloud.com*, True -*.ikcomposer.mus.br*, True -*.ikeh.guru*, True -*.ikhsanteknik.com*, True -*.ikhtiarnews.com*, True -*.ikido.ir*, True -*.ikido.org*, True -*.ikihean.com.ve*, True -*.ikilema.com.ar*, True -*.ikiliekki.org*, True -*.ikin.me*, True -*.ikiosk.me*, True -*.ikkehikkehkimochi.ml*, True -*.ikk.gr*, True -*.ikkos.asia*, True -*.ikkycraft.com*, True -*.iklanbariskota.com*, True -*.iklankecik.com*, True -*.iklanmatrix.com*, True -*.iklan.net*, True -*.iklan.ws*, True -*.iknowitworks.org*, True -*.iknowkhmer.com*, True -*.iknox.org*, True -*.ikolantaksit.fi*, True -*.ikoniaga.net*, True -*.ikonoa.com*, True -*.ikoona.com*, True -*.ikopilka.com*, True -*.ikrastev.net*, True -*.iksgroup.asia*, True -*.iksha24.ru*, True -*.ikuessnacht.ch*, True -*.ikuisuusprojekti.com*, True -*.ikut.ml*, True -*.ikwilje.nl*, True -*.ikwilook.tv*, True -*.ilab.or.id*, True -*.ilacami.cl*, True -*.ilakstad.se*, True -*.ilanga-is.co.za*, True -*.ilanitkoren.com*, True -*.ilaptopmalang.com*, True -*.ilawngmesiyas.ml*, True -*.ilbeforyou.com*, True -*.il-bu.ch*, True -*.ilealex.ro*, True -*.ilearnedtoprogram.com*, True -*.ilearntraininggroup.com*, True -*.ilearntraininggroup.com.au*, True -*.ilearntraininggroup.net.au*, True -*.ile.com.mx*, True -*.ileechen.info*, True -*.ilembetech.co.za*, True -*.ileon.co*, True -*.ilerney.com*, True -*.ilerney.ru*, True -*.ilesgo.net*, True -*.ilf-tw.com*, True -*.ilgabbianolimitada.cl*, True -*.ilg-ar.com*, True -*.ilgizvalinurov.ru*, True -*.ilgranemporio.it*, True -*.ilguday.com*, True -*.ilhansavas.com*, True -*.ilh.net.au*, True -*.ilibili.com*, True -*.ilidenta.ro*, True -*.iliensale.com*, True -*.ilievnet.com*, True -*.ilightmagic.com*, True -*.ilijadjokovic.com*, True -*.ilikeapps.info*, True -*.ilikemytaxi.com*, True -*.ilikenine.net*, True -*.ilikesoft.org*, True -*.iliketoargue.com*, True -*.ililil.tk*, True -*.iline.ch*, True -*.iline.ir*, True -*.ilin.me*, True -*.ilios.co.uk*, True -*.ilivetv.ga*, True -*.iliyamishchenko.com*, True -*.ilja.org*, True -*.ilkeen.com*, True -*.ilkkah.com*, True -*.ilkor.com*, True -*.ilkt.ru*, True -*.illeg.al*, True -*.illegalknowledge.com*, True -*.illianarosyada.com*, True -*.illico.ca*, True -*.illicotv.biz*, True -*.illicotv.info*, True -*.illicotv.net*, True -*.illmatic.ml*, True -*.illogic.al*, True -*.illskillz.net*, True -*.ill.sx*, True -*.illumation.net*, True -*.illumin8es.com.au*, True -*.illuminancesolutions.com.au*, True -*.illuminateisti.me*, True -*.illuminates-of-warcraft.tk*, True -*.illuminati-network.tk*, True -*.illuminatingthebest.com*, True -*.illuminator.web.id*, True -*.illuminatus.ro*, True -*.illusign.ru*, True -*.illusiondev.com*, True -*.illusionfantasy.com*, True -*.illusion.ninja*, True -*.illusion-spa.com*, True -*.il-lusion.tk*, True -*.illussion.in*, True -*.illustracom.com*, True -*.illustracom.org*, True -*.illustratedpenguin.com*, True -*.illvsion.co.id*, True -*.illyria.nl*, True -*.ilmailu.net*, True -*.ilmbloggers.com*, True -*.ilmoittaudun.fi*, True -*.ilmu.com.my*, True -*.ilmu-gratis.web.id*, True -*.ilmukomputerjaringan.com*, True -*.ilmusahid.web.id*, True -*.ilmusepti.tk*, True -*.ilogica-soluciones.cl*, True -*.ilonatomi.fi*, True -*.ilosno.cl*, True -*.ilostmyself.org*, True -*.iloto.com.br*, True -*.ilovaisk.ru*, True -*.ilovebalidogs.com.au*, True -*.ilovedaff.ru*, True -*.ilovehk.hk*, True -*.ilovejackdaniels.tk*, True -*.ilovelamp.us*, True -*.ilovelastminute.ro*, True -*.ilovepasta.tw*, True -*.ilovepizza.tw*, True -*.ilovesexymovies.com*, True -*.ilovetkd.com*, True -*.ilovewlo.net*, True -*.ilpfreight.com*, True -*.ilpiatto.com.au*, True -*.ilpoggettosrl.it*, True -*.ils732008.ml*, True -*.ilsedelange.nu*, True -*.ilshat.ru*, True -*.ilucid.com*, True -*.ilu.hk*, True -*.iluminatus.ro*, True -*.ilumtec.com.ar*, True -*.ilusions.ro*, True -*.ilusorium.com*, True -*.ilustracion.cl*, True -*.ilutulestik.eu*, True -*.ilutulestikud.eu*, True -*.ilutulestikukeskus.ee*, True -*.i-l-v.com.ar*, True -*.ilvestoveovenrepairs.com.au*, True -*.ilyiacookies.com*, True -*.im0x.co*, True -*.im2fly.com*, True -*.imaculadocoracaodemaria.org.br*, True -*.imadethisforyou.tk*, True -*.imag1n3.info*, True -*.image4ever.com*, True -*.imageclone.tk*, True -*.imagecustomhomes.com*, True -*.imagefastshare.com.ar*, True -*.imagehologram.com*, True -*.imagehosting.gr*, True -*.imageimpression.us*, True -*.imagemaerears.com.br*, True -*.imagemanipur.in*, True -*.imagemaster.ro*, True -*.imagendigital.com.ar*, True -*.imagenesandinas.com.ar*, True -*.imagepower.com*, True -*.images-et-photos.com*, True -*.imagesofus.biz*, True -*.imagesofus.com*, True -*.imagesofus.net*, True -*.imagesofus.org*, True -*.imagespost.com*, True -*.imagestogo.com.au*, True -*.imagetaggy.com*, True -*.imagetemplate.com*, True -*.imagetemplate.net*, True -*.imagetrans.net*, True -*.imagga.co.uk*, True -*.imagiatek.com*, True -*.imaginacaovideo.com.br*, True -*.imaginaction.net.br*, True -*.imaginandocolores.com.ar*, True -*.imaginaregalos.cl*, True -*.imaginebaron.com*, True -*.imagineiftoys.com*, True -*.imaginephoto.ru*, True -*.imaginesomething.net*, True -*.imaginestudio.ro*, True -*.imaginet.com.ar*, True -*.imaginetek.net.ve*, True -*.imag-in.pt*, True -*.imago-sa.ch*, True -*.imagos.org*, True -*.imagotag.ru*, True -*.imaiconsultoria.com.br*, True -*.imajikita.com*, True -*.imajine.com.au*, True -*.imanado.net*, True -*.imanageperth.com.au*, True -*.imanagesocialmedia.com.au*, True -*.imanufacturers.com.my*, True -*.ima-solutions.ro*, True -*.imass.name*, True -*.imates.co.za*, True -*.imatic.gr*, True -*.imatsufan.com*, True -*.imaxbd.eu*, True -*.imayorova.ru*, True -*.imbana.co*, True -*.imberbe.ws*, True -*.imboeschi.ch*, True -*.imbo.in*, True -*.imchats.com*, True -*.imchina.net*, True -*.imcof.ro*, True -*.imcomel.cl*, True -*.imcrb.ru*, True -*.imcu.ro*, True -*.imd.io*, True -*.imdmobile.com*, True -*.im-ec.com.ar*, True -*.imelbi.si*, True -*.imenkala.ir*, True -*.imerchant.tk*, True -*.imere.cl*, True -*.imes.cl*, True -*.imexsac.com*, True -*.imfrankie.net*, True -*.imgfiles.net*, True -*.imghos.com*, True -*.imgoingin.co.uk*, True -*.imgur.sg*, True -*.imhallin.ml*, True -*.imhnz.tk*, True -*.imhnz.xyz*, True -*.imhotep-online.de*, True -*.imhub.ga*, True -*.i-mind.cl*, True -*.iminecraft.se*, True -*.iminov.com*, True -*.imin.tk*, True -*.iminurnetz.com*, True -*.imissu.com*, True -*.imitatiedepiele.ro*, True -*.imitch.net*, True -*.imjoe.ir*, True -*.imkd.ir*, True -*.imkerei-zach.at*, True -*.imkot.com*, True -*.imlaurierlaw.hk*, True -*.imly.org*, True -*.immarang.com*, True -*.immediasoft.com*, True -*.immedia-solutions.com*, True -*.immedi.at*, True -*.immersionblenders.net*, True -*.immersion.ro*, True -*.immixers.com.au*, True -*.immkoapps.com*, True -*.immoblogue.ca*, True -*.immobroker.lu*, True -*.immocontact.ca*, True -*.immonet.ca*, True -*.immoplus.ca*, True -*.immortal.cf*, True -*.immortalpoet.com*, True -*.immortalz.net*, True -*.immovda.eu*, True -*.immunaid.com.au*, True -*.imnit.net*, True -*.imobgrup.ro*, True -*.imobilandconfort.ro*, True -*.imobiland.ro*, True -*.imobilcenter-is.ro*, True -*.imobiliare-park.ro*, True -*.imobiliariamoradacenter.com.br*, True -*.imobiliariasdopovo.com.br*, True -*.imobo.tk*, True -*.imode.jp*, True -*.imog.info*, True -*.imolesworth.info*, True -*.imonelli.co.za*, True -*.imonnetwork.com*, True -*.imon.nu*, True -*.imostrategy.ro*, True -*.imoteknikgrup.com*, True -*.imoto-1.net*, True -*.imove.tk*, True -*.imovid.com*, True -*.i-mp3.gq*, True -*.impaboy.com.ar*, True -*.impacare.ro*, True -*.impactall.ro*, True -*.impactbs.my*, True -*.impactdirect.net*, True -*.impactfmonline.ro*, True -*.impactfm.ro*, True -*.impactgaming.com*, True -*.impact-media.me.uk*, True -*.impactprompt.com*, True -*.impactsolution.co.uk*, True -*.impala-indonesia.com*, True -*.impalaindonesia.com*, True -*.impalainternasional.com*, True -*.impala-international.com*, True -*.impalainternational.com*, True -*.impalathinner.com*, True -*.impalathinnerindonesia.com*, True -*.impd.net*, True -*.impeesa.org*, True -*.impelsnc.net*, True -*.imperadorparticipacoes.com*, True -*.imperfectpiecemakers.com*, True -*.imperialceo.com*, True -*.imperialconsulting.com.au*, True -*.imperialcrest.com*, True -*.imperialcrest.com.au*, True -*.imperialcrest.net*, True -*.imperialgaming.net*, True -*.imperialherbs.tw*, True -*.imperial-war.com*, True -*.imperial-way.com*, True -*.imperial-way.se*, True -*.imperialyachtclub.co.za*, True -*.imperiocd.com.ar*, True -*.imperiogym.com.ar*, True -*.imperium.sg*, True -*.imperiumstore.com*, True -*.imperva.cz*, True -*.imperyal.com*, True -*.imperyal.net*, True -*.imperys.cl*, True -*.impetus.cl*, True -*.impetusweb.com*, True -*.impiantipestoni.ch*, True -*.implicitrust.com*, True -*.implodingworld.com*, True -*.impodes.com*, True -*.imporo.us*, True -*.importacionesramirez.pe*, True -*.importadoralolita.com*, True -*.important.cz*, True -*.importexportenterprises.com*, True -*.importexport.hk*, True -*.importing.cl*, True -*.importruck.cl*, True -*.impossibletraducciones.com*, True -*.impotecnologia.cl*, True -*.impotencecure-drug.net*, True -*.impoundmailer.com*, True -*.impregilo.cl*, True -*.imprentadruker.com.ar*, True -*.imprentalym.com.ar*, True -*.imprentamartinez.com.ar*, True -*.imprentaservices.com*, True -*.impresadipitturapennella.ch*, True -*.impresiituristice.ro*, True -*.impress11.com*, True -*.impressionlaval.ca*, True -*.impressiononehosting.com*, True -*.impressionrive-sud.ca*, True -*.impress.pt*, True -*.impresta.it*, True -*.imprima-linder.ch*, True -*.imprimirgratis.com*, True -*.imprisonment.org.uk*, True -*.improbity.com*, True -*.impromobile.si*, True -*.improof.biz*, True -*.improvapp.com*, True -*.improve-yourlife.com*, True -*.improvyourself.fr*, True -*.impulsdesign.ro*, True -*.impulse.cz*, True -*.impulsion.me*, True -*.impulsit.ro*, True -*.impulsive.ro*, True -*.impulsor-rock.com.ar*, True -*.impulsoti.com*, True -*.impumelelocomputers.co.za*, True -*.impunit.us*, True -*.imrankajee.nom.za*, True -*.imransoomro.co.uk*, True -*.imsexy.com.au*, True -*.imsidx.com*, True -*.imsnet.ro*, True -*.imsoftwarebox.com*, True -*.imsongroup.com*, True -*.imsuper.com*, True -*.imtgapp.com*, True -*.imtg.me*, True -*.imtg.org*, True -*.imthebest.ga*, True -*.imtiazwahmed.com*, True -*.im-toy.com*, True -*.imtrustedcpa.com*, True -*.imumma.com.au*, True -*.imunli.tk*, True -*.imupmyass.com*, True -*.imust.com.ar*, True -*.imut.xyz*, True -*.imvelo-consulting.tk*, True -*.imvr.co.uk*, True -*.imwatching.us*, True -*.imyu.tk*, True -*.imzm.net*, True -*.in2mold.pt*, True -*.in2pools.com.au*, True -*.in2recipes.com*, True -*.in2school.com.au*, True -*.in3.com.ar*, True -*.in9.me*, True -*.ina-1004.com*, True -*.ina-123.com*, True -*.ina-222.com*, True -*.inaction.ws*, True -*.inactis.com*, True -*.inactis.de*, True -*.inagawafamily.com*, True -*.inalaf-ltda.cl*, True -*.inaltue.cl*, True -*.i-nameserver.com*, True -*.i-nameserver.net*, True -*.i-nameservers.com*, True -*.i-nameservers.net*, True -*.inamfahreza.tk*, True -*.inamov.net*, True -*.inannhatrang.vn*, True -*.inanre.net*, True -*.inap.com.pe*, True -*.inap.pe*, True -*.inarp.net*, True -*.inartvision.com*, True -*.inaselecuador.com*, True -*.inasirares.ro*, True -*.inasoulvoid.tk*, True -*.inautom.ga*, True -*.inauto.ro*, True -*.inbalance.co.za*, True -*.inbicor.com*, True -*.inbloc.com*, True -*.inbox500.com*, True -*.inbox-aol.com*, True -*.inboxsky.com*, True -*.inboxwebmail.net*, True -*.inbrand.net.br*, True -*.inbtec.com.br*, True -*.inc.gs*, True -*.inca.com.ar*, True -*.incarsreview.info*, True -*.incasi.co.id*, True -*.incasursl.com*, True -*.incasursl.es*, True -*.incasys.com*, True -*.incatel.cl*, True -*.incel.cl*, True -*.incenplus.com.my*, True -*.incentivegolf.com*, True -*.incest-sex.ru*, True -*.inchanga.com*, True -*.inchat.ro*, True -*.inchirieriiasi.ro*, True -*.inchirieri-litoral.ro*, True -*.inchirierispatiigalati.ro*, True -*.inchone.com*, True -*.inchone.sg*, True -*.incidentalmusic.ca*, True -*.incitesafety.com.au*, True -*.incityfarms.com*, True -*.inclan.tk*, True -*.inclusion27.org*, True -*.incoasa.es*, True -*.incoas.com.ar*, True -*.incognihost.com*, True -*.incol.com.br*, True -*.incompanyedu.com.br*, True -*.incomunicado.me.uk*, True -*.incorpnow.cn*, True -*.incorpnow.net*, True -*.incorporatenow.cn*, True -*.incorporatenow.hk*, True -*.incotal.cl*, True -*.incq.com*, True -*.incraft.ru*, True -*.incredibleslovenia.si*, True -*.incremona.xyz*, True -*.incubbus.com*, True -*.indachiprima.co.id*, True -*.indaloalimentos.com.ar*, True -*.indalobus.com.ar*, True -*.indarungv.com*, True -*.indas.ro*, True -*.indassoft.ro*, True -*.indcastrol.com*, True -*.indcon.ro*, True -*.indecisos.net*, True -*.independentonline.ro*, True -*.independentsmovie.com*, True -*.indepes.org*, True -*.inderlinden.ch*, True -*.indesal.com.ar*, True -*.indesoft.org.ve*, True -*.index33.tk*, True -*.index931.net*, True -*.indexinvestorplus.com*, True -*.indexkerala.com*, True -*.index-of-mp3.cf*, True -*.indforever.net*, True -*.indiachina.tk*, True -*.indiadate.tk*, True -*.indiaguru.com*, True -*.india.is*, True -*.indiamines.tk*, True -*.indianalifesciences.com*, True -*.indianantiques.tk*, True -*.indianapolisbankruptcy.co*, True -*.indiancountrynews.net*, True -*.indiancountrytv.com*, True -*.indianheadinc.com*, True -*.indianocean.co.za*, True -*.indiansagainstrape.in*, True -*.indiansagainstrape.org*, True -*.indiansinparis.com*, True -*.indian-world.biz*, True -*.indianxxxtube.cf*, True -*.indianxxxtube.ga*, True -*.indianxxxtube.gq*, True -*.indianxxxtube.ml*, True -*.indianxxxtube.tk*, True -*.india.sh*, True -*.indiatodaylive.com*, True -*.indicadoresdegestion.org*, True -*.indicator.tw*, True -*.indiceuv.cl*, True -*.indiefuckmusic.com*, True -*.indiegamedevelopers.net*, True -*.indiegdc.net*, True -*.indie.my*, True -*.indigenu.com.au*, True -*.indignados.org*, True -*.indigocap.com.au*, True -*.indigocapital.com.au*, True -*.indigocapitalpartners.com.au*, True -*.indigoinvest.com.au*, True -*.indigoinvestmentgroup.com.au*, True -*.indigoinvestments.com.au*, True -*.indigoleap.com*, True -*.indigo.md*, True -*.indigos4.ga*, True -*.indigoventures.com.au*, True -*.indiporn.net*, True -*.indiradevkota.com.np*, True -*.indireggae.com*, True -*.indispus.ro*, True -*.individu.al*, True -*.indobajasurabaya.com*, True -*.indobanget.web.id*, True -*.indobanner.com*, True -*.indobiomandiri.com*, True -*.indobokep.cf*, True -*.indocoolbox.com*, True -*.indocopter.com*, True -*.indocosmictaichi.com*, True -*.indodaisuntrading.com*, True -*.indodota.net*, True -*.indofanfic.net*, True -*.indofastblog.tk*, True -*.indoferro.com*, True -*.indofiles.net*, True -*.indofiles.web.id*, True -*.indoheadlines.com*, True -*.indoherbal.co.id*, True -*.indohost.gq*, True -*.indohost.mobi*, True -*.indohotnews.com*, True -*.indokep.net*, True -*.indolagu.xyz*, True -*.indoliked.com*, True -*.indoliker.at*, True -*.indoliker.cf*, True -*.indoliker.cz*, True -*.indoliker.es*, True -*.indoliker.in*, True -*.indoliker.mx*, True -*.indoliker.pl*, True -*.indoliker.pro*, True -*.indolikers.gq*, True -*.indoliker.us*, True -*.indolloutdoll.com*, True -*.indolocker.com*, True -*.indolyrics.net*, True -*.indometaldownload.co.uk*, True -*.indomp3.asia*, True -*.indomulkom.com*, True -*.indo-musik.tk*, True -*.indonesiablogger.cf*, True -*.indonesiablogger.ga*, True -*.indonesiablogger.gq*, True -*.indonesiablogger.ml*, True -*.indonesiablogger.tk*, True -*.indonesiachat.net*, True -*.indonesia-cigarettes.com*, True -*.indonesiadrive.com*, True -*.indonesiainvestmentinstitute.com*, True -*.indonesiamabrur.co.id*, True -*.indonesia-messenger.com*, True -*.indonesianbirdsong.com*, True -*.indonesiandispenser.org*, True -*.indonesian.la*, True -*.indonesiantravel.info*, True -*.indonesiasalestraining.com*, True -*.indonesiasejati.com*, True -*.indonesiasukses.co*, True -*.indonesiavines.com*, True -*.indonesiawisatakulliner.com*, True -*.indonesienhotels.de*, True -*.indoneska.com*, True -*.indo-net.cf*, True -*.indonet.org*, True -*.indonetwork.in*, True -*.indoorapps.com*, True -*.indopi.co.id*, True -*.indoporn69.com*, True -*.indorekenamkeens.com*, True -*.indosap.com*, True -*.indosatnewera.tk*, True -*.indoserver.net*, True -*.indosextoy.com*, True -*.indo-share.tk*, True -*.indoshops.us*, True -*.indosms.info*, True -*.indotos.com*, True -*.indotravelreview.info*, True -*.indotube69.com*, True -*.indovashti.co.id*, True -*.indovb.com*, True -*.indowapper.com*, True -*.indowapporn.ga*, True -*.indoxp.com*, True -*.indoxp.net*, True -*.indozenic.com*, True -*.indsonline.com*, True -*.ind.st*, True -*.inducapackaging.com.ar*, True -*.indujain.us*, True -*.indumanmuthugala.com*, True -*.indusind.tk*, True -*.industri.al*, True -*.industrialbackups.ca*, True -*.industrialbackups.com*, True -*.industrialchubut.com.ar*, True -*.industrial-line.pt*, True -*.industrialmill.com*, True -*.industrialnetworks.ca*, True -*.industrialvalvesandpipes.com*, True -*.industrianacional.com.ar*, True -*.industri-anekarasa.com*, True -*.industriasmedicas.com*, True -*.industriasmedicas.com.ar*, True -*.industry-partnered-learning-initiative-africa.com*, True -*.industry-partnered-learning-initiative-africa.org*, True -*.indx.club*, True -*.indybuy.com.ar*, True -*.indynight.com*, True -*.inedelya.ru*, True -*.ineedfun.net*, True -*.ineedhack.com*, True -*.ineedmerchant.com*, True -*.ineedremotehands.com*, True -*.ineedyourlove.ml*, True -*.inelectricltda.cl*, True -*.inelex.ro*, True -*.inel-projekt.hr*, True -*.inergia.org*, True -*.inertiafitness.co.uk*, True -*.inet2.org*, True -*.inetdms.com*, True -*.inetone.gq*, True -*.inetrec.com*, True -*.inetsix.com*, True -*.inettv.ru*, True -*.i-network.co.za*, True -*.inetwork.sg*, True -*.inew.com.br*, True -*.inews4all.com*, True -*.inex.co*, True -*.inexodns.ca*, True -*.infantblanks.com*, True -*.infantex.com.br*, True -*.infantpromotions.com*, True -*.infaq.org.my*, True -*.infe.com.br*, True -*.inferno-pvp.com*, True -*.inferpse.tk*, True -*.infertilitycauses1.com*, True -*.infgeo.cl*, True -*.infidel.tk*, True -*.infiernometal.com.ar*, True -*.infigene.com*, True -*.infiltrate.ca*, True -*.infiltratednetworks.com*, True -*.infinicom.com.br*, True -*.infinight.biz*, True -*.infinight.com.au*, True -*.infinigy.pl*, True -*.infiniqa.com*, True -*.infiniquest.org*, True -*.infinisa.com*, True -*.infinitarium.cl*, True -*.infinitechaosinteractive.com*, True -*.infinite-connections.net*, True -*.infinitejester.com*, True -*.infinite-lives.com*, True -*.infinite.my*, True -*.infinitepodiatry.com*, True -*.infiniti-home-theatres.com*, True -*.infinitydental.co.uk*, True -*.infinitynoz.tk*, True -*.infinity-online.co.id*, True -*.infinityrobots.com*, True -*.infinitywirelessconsulting.com*, True -*.infis.net.ru*, True -*.infis.org.ru*, True -*.infis.pro*, True -*.inflables.com.ve*, True -*.in-flames.com*, True -*.inflancka.pl*, True -*.infleksa.com*, True -*.inflicted.org*, True -*.inflict.us*, True -*.infnet.ro*, True -*.info-agro.eu*, True -*.infoalli.com*, True -*.infoasuransimobil.com*, True -*.infobdg.web.id*, True -*.infobhs.com*, True -*.infobimbi.ch*, True -*.infobitcoin.in*, True -*.infobit.net.au*, True -*.infobus.tk*, True -*.infocallweb.com.ar*, True -*.infocalypse.org*, True -*.info-care.info*, True -*.info-care.mobi*, True -*.info-care.org*, True -*.info-care.pt*, True -*.infocentric.ca*, True -*.infocid.ro*, True -*.infocloud.co.za*, True -*.infocommthailand.com*, True -*.infodale.com*, True -*.infodale.net*, True -*.infodbase.us*, True -*.infodesk.hk*, True -*.infodir.org*, True -*.infodomestic.com*, True -*.infodunia.ga*, True -*.infoduri.com*, True -*.infoeasy.inf.br*, True -*.infoeasyonline.com.br*, True -*.infoex.cl*, True -*.infofilm.co.id*, True -*.info-galati.ro*, True -*.infogeotekstil.com*, True -*.info.gf*, True -*.infografistas.org*, True -*.infographicnews.us*, True -*.infoholic.tk*, True -*.infohosting.in*, True -*.infohosts.us*, True -*.infoinnova.net*, True -*.infojur.com*, True -*.infojur.ro*, True -*.infomantap.us*, True -*.infomantra.com.au*, True -*.infomapa.cz*, True -*.infomartial.ro*, True -*.infomasc.com.ar*, True -*.infomat-service.ro*, True -*.infomedan.tk*, True -*.infomedia5m5.com*, True -*.infomedplus.net*, True -*.infomed.waw.pl*, True -*.infonetcom.ch*, True -*.infoneto.co.il*, True -*.infonev.com*, True -*.infopalestina.com*, True -*.infoperitos.com.ar*, True -*.infopesta.com*, True -*.infopitesti.ro*, True -*.infoptima.co*, True -*.infopulsagratis.com*, True -*.infoq.com.br*, True -*.infoquick.ro*, True -*.inforapoio.com*, True -*.inforgs.com*, True -*.informatesalta.com.ar*, True -*.informatiamedicala.ro*, True -*.informaticamedica.cl*, True -*.informaticapalafrugell.com*, True -*.informaticavenado.com.ar*, True -*.informationaddiction.com*, True -*.information.al*, True -*.informatrix.com.br*, True -*.informatscp.com*, True -*.informatycy.org*, True -*.informatyka-przemyslowa.pl*, True -*.infor.org*, True -*.inforosario.com.br*, True -*.inforplay.com*, True -*.inforplay.es*, True -*.inforteletron.com.br*, True -*.inforytel.com*, True -*.infosage.ca*, True -*.infoscav.net*, True -*.infosec101.net*, True -*.infosecpros.cl*, True -*.infosecsoft.com*, True -*.info-server.com.ar*, True -*.infosfera.com.ar*, True -*.infosondas.com*, True -*.infostore.com.ve*, True -*.infostore.co.ve*, True -*.infosur.cl*, True -*.infosv.ro*, True -*.infosystem.cl*, True -*.infotapir.com.ar*, True -*.info-tec.com.ar*, True -*.infotechs3.com*, True -*.infotecmza.com.ar*, True -*.infotecno.com.ar*, True -*.infotekno.in*, True -*.infotendasarnafil.co.id*, True -*.infotest.fi*, True -*.info.tm*, True -*.infotomation.com*, True -*.infotor.com.ve*, True -*.infoudec.org*, True -*.infovizija.com*, True -*.infowars.fi*, True -*.infowebrrhh.cl*, True -*.infowide.net*, True -*.infowielun.pl*, True -*.infpro.cl*, True -*.infrabuve.lv*, True -*.inframedia.co.id*, True -*.infra.net.ru*, True -*.infratireamedgidia.ro*, True -*.infurno.net*, True -*.infytec.com.ar*, True -*.in-game.ro*, True -*.ingarden.pt*, True -*.ingatlanfelugyelet.com*, True -*.ingavanzada.com.ar*, True -*.inga-volkova.ru*, True -*.ingbiro.com*, True -*.ingeasy.cl*, True -*.ingecon.com.ar*, True -*.ingecon-sa.com.ar*, True -*.ingeho.cl*, True -*.ingeleon.com.ar*, True -*.ingemas.cl*, True -*.ingem.com.ar*, True -*.ingemen.com.ar*, True -*.ingenieriacape.com.ar*, True -*.ingenieriadomotica.cl*, True -*.ingenieriagbr.net*, True -*.ingenieriapositiva.cl*, True -*.ingenieriapositiva.com.ar*, True -*.ingenieriasgi.com.ve*, True -*.ingenieriayservicios.com.mx*, True -*.ingenieroagosta.com.ar*, True -*.ingenio3000.es*, True -*.ingenioit.com.ar*, True -*.ingenioushomes.com.au*, True -*.ingenioweb.cf*, True -*.ingenx1.com*, True -*.ingenxgroup.com*, True -*.ingeology.ru*, True -*.ingerencia.com.ve*, True -*.ingersollwatches.ir*, True -*.inggo.org*, True -*.ingilizceturkceceviriler.com*, True -*.ingimed.ro*, True -*.ingineru.info*, True -*.inglescercadecasa.com*, True -*.inglesimediato.com.br*, True -*.ingleslejosdecasa.com*, True -*.inglist.co.uk*, True -*.inglotaustria.com*, True -*.inglotromania.com*, True -*.ingmasmas.com.ar*, True -*.ingni.es*, True -*.ingnovagroup.com*, True -*.ingonyamaafc.co.za*, True -*.ingos.se*, True -*.ingprecon.com*, True -*.ingramschimneysweeps.com*, True -*.ingredientsplus.com.my*, True -*.ingredients.ro*, True -*.ingresistance.ch*, True -*.ingresistance.com*, True -*.ingressistance.com*, True -*.ingwersen.co*, True -*.ingwu.net*, True -*.ingz.com.ar*, True -*.ingzt.com.ar*, True -*.inhalator-nazal-sare.eu*, True -*.inhouselawyer.hk*, True -*.inhousepod.com*, True -*.inhumangames.com*, True -*.iniciativasdeviviendas.es*, True -*.inicityfarms.com*, True -*.inidade.com*, True -*.inilagu.info*, True -*.inilahtuhan.com*, True -*.inimabacaului.ro*, True -*.inimaromaniei.ro*, True -*.inimbus.me*, True -*.inimipentruinimi.ro*, True -*.inioon.net*, True -*.ini-rafii.xyz*, True -*.initative.su*, True -*.initec.com.mx*, True -*.inithelp.ru*, True -*.initherapy.com*, True -*.initiative.su*, True -*.initvm.com*, True -*.iniweb.biz*, True -*.inj3ct0rs.net*, True -*.inj3ct0r.zone*, True -*.injatn.com*, True -*.injectoarereparatii.ro*, True -*.injectoclean.com.mx*, True -*.injector.ml*, True -*.injoymusic.org*, True -*.injusa-romania.ro*, True -*.ink4schools.com*, True -*.ink6.com*, True -*.inkargo.com*, True -*.inkcatering.com*, True -*.inkcat.net*, True -*.inketc.co.za*, True -*.inkgenio.com.ar*, True -*.inkinoilfield.com*, True -*.inklud.net*, True -*.inkoonvihreat.fi*, True -*.inkosiserver.net*, True -*.inkrain.pt*, True -*.ink.si*, True -*.inkspeak.com*, True -*.inktonerparts.com*, True -*.inkyarns.com*, True -*.inladiesroom.cl*, True -*.inlander.mobi*, True -*.inland.ro*, True -*.inlandtracking.com*, True -*.inlifesciences.com*, True -*.inlineathens.gr*, True -*.inlinedownhill.ch*, True -*.inlineshop.gr*, True -*.inlineskating.gr*, True -*.inlov.cl*, True -*.inluan.com.mx*, True -*.inmaculadohighschool.com*, True -*.inmaijaus.com.ar*, True -*.inmateviolations.com*, True -*.inmat.si*, True -*.inmoballatore.com*, True -*.inmobiliariacaso.com*, True -*.inmobiliariacruzero.cl*, True -*.inmobiliariapullmanbus.cl*, True -*.inmobiliarios.cl*, True -*.inmomanzano.com*, True -*.inmoproa.es*, True -*.inmovision.com.ar*, True -*.inmovision.es*, True -*.inmycontrol.com*, True -*.inmyfamily.ru*, True -*.innabondari.ru*, True -*.innabondar.ru*, True -*.innasicard.com*, True -*.inncostabrava.com*, True -*.innda.net*, True -*.innercy.com*, True -*.innerexception.co.za*, True -*.innergr8.com*, True -*.innergreat.com*, True -*.innerpotential.co.za*, True -*.innerspacephilosophy.com*, True -*.innerwave.com*, True -*.innerwesternroofrepairs.com.au*, True -*.innerwheelbraila.ro*, True -*.innmotion.com*, True -*.innobate.com*, True -*.innocenti.com.au*, True -*.innocu.com*, True -*.innodium.com*, True -*.innograph.co.id*, True -*.innograph.com*, True -*.innoteksolutions.ca*, True -*.innovabusiness.ro*, True -*.innovacia-stroy.ru*, True -*.innovacionesaduaneras.com.mx*, True -*.innovacioneseducativas.com.mx*, True -*.innovacioneseducativas.mx*, True -*.innovacuum.com*, True -*.innovadef.cl*, True -*.innova-ds.com.ar*, True -*.innovads.com.ar*, True -*.innovagym.com.ar*, True -*.innovamine.cl*, True -*.innovaradio.net*, True -*.innovaretech.com.ve*, True -*.innovatec.cl*, True -*.innovativegovernance.com*, True -*.innovativeremote.me.uk*, True -*.innovo.co.il*, True -*.innowatt.com.br*, True -*.inntec.com.ve*, True -*.innvault.com*, True -*.inoa.cl*, True -*.inobook.jp*, True -*.inode.pp.ru*, True -*.inoferte.ro*, True -*.inoma.lv*, True -*.inoonan.com*, True -*.inoriza-racing.com.ar*, True -*.inos.co*, True -*.inote.me*, True -*.inot.pro*, True -*.inov4you.pt*, True -*.inovasi.co.id*, True -*.inovatek.ro*, True -*.inoveri.net*, True -*.inovia.com.br*, True -*.inovik.com.my*, True -*.inovtrad.com*, True -*.inoxdongnai.com*, True -*.inoxplasrl.com.ar*, True -*.inoxx.net*, True -*.inpac.com.au*, True -*.inpact.cl*, True -*.inpact.net*, True -*.inpar-ltda.cl*, True -*.inpayer.com*, True -*.inplenionmea.com*, True -*.inploid.com.tr*, True -*.inpoland.us*, True -*.inpost.org*, True -*.inpower.tw*, True -*.inps.pl*, True -*.inq.tw*, True -*.inramarca.com.ve*, True -*.inred.com.mx*, True -*.inredware.com.ar*, True -*.insamexico.com.mx*, True -*.insancendekia.id*, True -*.insancendekia.sch.id*, True -*.insane.com.ar*, True -*.insanitarium.org*, True -*.insanitize.com*, True -*.insanumingenium.com*, True -*.insate.ru*, True -*.insaurralde.com.br*, True -*.insausti.cl*, True -*.inscendrassos.net*, True -*.inschriften.at*, True -*.insde.org*, True -*.insect.hk*, True -*.insegna.com.ar*, True -*.insermase.net*, True -*.insertcoin.net.au*, True -*.inserthost.biz*, True -*.insertreality.com*, True -*.inservicezone.com*, True -*.inservo.ee*, True -*.inseti.cl*, True -*.insharetech.com*, True -*.insideelectronics.co.uk*, True -*.insidejest.com*, True -*.insidereview.com.au*, True -*.insidergazette.com*, True -*.insider.hk*, True -*.insidersguidetoadoption.com*, True -*.insidesysti.com.br*, True -*.insidewashington.net*, True -*.insightassured.co.uk*, True -*.insightcced.com*, True -*.insightcced.net*, True -*.insightconference.com.au*, True -*.insight-software.co.uk*, True -*.insilica.tk*, True -*.insilico.at*, True -*.insilico.ro*, True -*.insite2.tk*, True -*.insitu-online.net*, True -*.insleynas.com*, True -*.insm.cl*, True -*.insnuri.co.kr*, True -*.insnuri.com*, True -*.insodex.com.ar*, True -*.insoft.gr*, True -*.insolita.cl*, True -*.insomnelandia.com.ar*, True -*.insomnia.gq*, True -*.insomnihax.net*, True -*.insouciant.co.uk*, True -*.inspeccionesonline.com.ar*, True -*.inspec.cl*, True -*.inspecteng.com.br*, True -*.inspectionair.com*, True -*.inspir3.tk*, True -*.inspiracio.cat*, True -*.inspiradiamonds.com*, True -*.inspiralandscaping.ca*, True -*.inspiration-coiffure.ch*, True -*.inspirationist.net*, True -*.inspirationist.ro*, True -*.inspiration-partners.com*, True -*.inspiration-partners.eu*, True -*.inspirationpartners.eu*, True -*.inspiration-partners.pl*, True -*.inspirationq.com*, True -*.inspiration-space.com*, True -*.inspiration-space.pl*, True -*.inspired4life.com*, True -*.inspiredconstruction.hk*, True -*.inspiredweb.ch*, True -*.inspire-me.ru*, True -*.inspireview.ro*, True -*.inspond.com*, True -*.insport.lv*, True -*.inspromail.com*, True -*.instafie.com*, True -*.instagc.ga*, True -*.instalacija.si*, True -*.instal-arte.com.ar*, True -*.instalatiielectricebucuresti.ro*, True -*.instalatiipremium.ro*, True -*.instalatorul.ro*, True -*.installdstv.co.za*, True -*.instalprof.ro*, True -*.instantcorp.hk*, True -*.instantfbcash.com*, True -*.instantfleet.ro*, True -*.instantinfrastructure.org*, True -*.instantlagu.com*, True -*.instantreplayphotography.ca*, True -*.instant-thailand.biz*, True -*.instant-thailand.com*, True -*.instantwebsitevisitors.com*, True -*.instapagos.com*, True -*.instarun.cl*, True -*.insteciquique.cl*, True -*.instelhar.ro*, True -*.insteon.fi*, True -*.instibaires.com.ar*, True -*.instinctfx.net*, True -*.instincttech.ro*, True -*.institut-estetica.ch*, True -*.institut-kiara.ch*, True -*.institutmandarine.ch*, True -*.institutodentalfamilia.cl*, True -*.institutodeprotocolo.com.ve*, True -*.institutogalenico.pt*, True -*.institutolatino.com.ve*, True -*.institutoliverpool.com.ar*, True -*.institutopraxis.com.ar*, True -*.institutosinapsis.com.ve*, True -*.institutotecjoseochoaleoncm.ec*, True -*.institutovalerioluiz.org*, True -*.institutowarner.com.ar*, True -*.institutoyuguets.com.ar*, True -*.institut-solaria.ch*, True -*.instores.eu*, True -*.instrubyte.com.ar*, True -*.instructlab.com*, True -*.instruire.ca*, True -*.instrukcja.one.pl*, True -*.instrumactools.com*, True -*.instylemartialarts.com*, True -*.instylemartialarts.com.au*, True -*.insulationgasketsafety.com*, True -*.insulatours.si*, True -*.insumax.com.ar*, True -*.insurancebox.ru*, True -*.insurance-forcar.com*, True -*.insurance.is*, True -*.insurance-tricks.org*, True -*.insure.as*, True -*.insyncolour.com*, True -*.insystech.org*, True -*.insytec.es*, True -*.intasarn.com*, True -*.intdobrasil.com.br*, True -*.intecar.cl*, True -*.intec.es*, True -*.intechgroup.cl*, True -*.intecnova.es*, True -*.intediseno.com*, True -*.integra-associates.com*, True -*.integraequipoelectrico.com.mx*, True -*.integralauditores.cl*, True -*.integraltec.com.ar*, True -*.integraltecsa.com.ar*, True -*.integral-web.ru*, True -*.integramob.ro*, True -*.integrarsoluciones.com.ar*, True -*.integra-si.com.ar*, True -*.integra-solusi.com*, True -*.integrat3.com*, True -*.integratec.cl*, True -*.integra-technologies.net*, True -*.integratedbuilders.com.my*, True -*.integrated-grid.com*, True -*.integratedhcg.com*, True -*.integratedpower.com.au*, True -*.integratedsmsfsolutions.com.au*, True -*.integrated-za.com*, True -*.integretis.com*, True -*.integrity-tab.com*, True -*.integrosoft.ru*, True -*.intehefo.ga*, True -*.intehefo.tk*, True -*.inteknologi.com*, True -*.intekss.tk*, True -*.intelecto.inf.br*, True -*.intelegia.com*, True -*.intelegia.net*, True -*.inteleka.ru*, True -*.inteleksys.com*, True -*.inteleksys.es*, True -*.inteleksys.net*, True -*.intelektualnalastnina.si*, True -*.intelfx.name*, True -*.intelicoders.ro*, True -*.inteligenthome.eu*, True -*.inteligenthouse.eu*, True -*.intelis.cl*, True -*.intelisoa.com.ar*, True -*.inteliworks.mx*, True -*.intellectualcapital.com.au*, True -*.intelliautomatic.pl*, True -*.intelli-food.cl*, True -*.intelligence93.ir*, True -*.intelligenceorganization.com*, True -*.intelligenspace.com*, True -*.intelligent-bra.com*, True -*.intelligentcomputers.net*, True -*.intelligenthouse.ro*, True -*.intelligent-medical.com.ar*, True -*.intelligentstock.com*, True -*.intelligis.com.ar*, True -*.intellisoa.com*, True -*.intellisoa.com.ar*, True -*.intellix-fact.com*, True -*.intellixoft.com*, True -*.intellixoft.ro*, True -*.intelsoft.com.au*, True -*.intelsoft.com.mx*, True -*.intelux.asia*, True -*.intel-vision.com*, True -*.intemak.com*, True -*.int-ense.com*, True -*.intensivnik-broker.ru*, True -*.intensivnik-ltd.ru*, True -*.intentables.com*, True -*.interadasa.ro*, True -*.interarma.info*, True -*.interarsoft.com*, True -*.interas-network.ro*, True -*.interas.ro*, True -*.interbellum.cf*, True -*.interb.it*, True -*.interbiznw.com*, True -*.interboy.com*, True -*.intercapital.ch*, True -*.interc.com.mx*, True -*.intercitypaper.com*, True -*.interclinic.ro*, True -*.intercommdevelopment.com*, True -*.interconecta.info*, True -*.intercontinental-rattanware.hk*, True -*.intercontinuum.net*, True -*.intercop.de*, True -*.intercroiss.ru*, True -*.inter-cultura.com.ar*, True -*.intercuyosa.com.ar*, True -*.interden.com.ar*, True -*.interedis.com*, True -*.interestingsh.it*, True -*.interfarmacorp.com*, True -*.interfarmavetshop.com*, True -*.interflow.net*, True -*.interfrig1912.ro*, True -*.intergardens.com*, True -*.interglow.net*, True -*.inter-gold.co.il*, True -*.interierji.si*, True -*.interiodesign.ro*, True -*.interiordesigncabo.com*, True -*.interior-exterior.pro*, True -*.interior-logic.com*, True -*.interiorocho.com*, True -*.interkat.mx*, True -*.interkontrol.com.tr*, True -*.interlachotel.com*, True -*.interlegere.com.ar*, True -*.interlei.gr*, True -*.inter-like.us*, True -*.interlinc.com.ar*, True -*.interlinkhub.com*, True -*.interlinkla.com.ar*, True -*.interlitoral.com.ar*, True -*.interlockroc.net*, True -*.interlockroc.org*, True -*.interlogistic.co.ve*, True -*.interluz.net*, True -*.intermaq.cl*, True -*.intermedical.com.ar*, True -*.intermetro.co.za*, True -*.intermiro.com*, True -*.intermis.id*, True -*.intermulti.com.br*, True -*.internalcloud.com.au*, True -*.internal-tools.com*, True -*.internatebussiness.com*, True -*.internationalbeige.com*, True -*.internationalfurniturewholesale.com.au*, True -*.internationalhearthealth.org*, True -*.internationalislamicexpo.com*, True -*.internationalmarket.com*, True -*.internationaltehno.ro*, True -*.interneg.net.br*, True -*.interneit.com*, True -*.internepedia.tk*, True -*.internetactive.net*, True -*.internetdigitalsolutions.com*, True -*.internetearth.com*, True -*.internete.com.ar*, True -*.internet-express.co.za*, True -*.internetforeningen.se*, True -*.internetfreearcade.com*, True -*.internethabitat.com*, True -*.internet-hq.pl*, True -*.internethq.pl*, True -*.internetjuventus.com*, True -*.internetlab.info*, True -*.internetlujan.com.ar*, True -*.internetmodeling.tk*, True -*.internetscale.com*, True -*.internets.com.br*, True -*.internet-sicherheit.net*, True -*.internet-slackers.us*, True -*.internetstartupbooks.com*, True -*.internet-und-medienrecht.net*, True -*.internetunlimitedssh.com*, True -*.internetworking.com.br*, True -*.internetzninja.com*, True -*.interoleo.com*, True -*.interpass.ru*, True -*.interplan.com.mx*, True -*.interponic.com*, True -*.interpoolbar.co.il*, True -*.interportarg.com.ar*, True -*.interpraca.net*, True -*.interpretareaviselor.ro*, True -*.interpretarevise.ro*, True -*.inter-run.com*, True -*.interscada.com*, True -*.interscapes.com*, True -*.intershipping.com.ve*, True -*.intersoftsrl.co*, True -*.intersolarmarine.com.br*, True -*.interssl.ro*, True -*.interstateassetrecovery.biz*, True -*.intert3chmedia.net*, True -*.intertecno.cl*, True -*.intertradeinsurance.com.au*, True -*.interventionamerica.com*, True -*.interventionamerica.info*, True -*.interventionamerica.net*, True -*.interventionengine.com*, True -*.intervidaphilippines.org*, True -*.interviewwithcelebrity.com*, True -*.interwap.ro*, True -*.interwebs.in*, True -*.interwebvisions.com*, True -*.interwebvisions.com.au*, True -*.intezes.hu*, True -*.intezet.hu*, True -*.intheflesh.com.ar*, True -*.inthenameof.co.za*, True -*.inthephotobooth.com*, True -*.inthepress.org*, True -*.intiabadi.com*, True -*.intial.ga*, True -*.intiamplas.com*, True -*.inti.be*, True -*.intifadha.com*, True -*.intiglory.com*, True -*.intime-event.com*, True -*.intime-face.com*, True -*.intime-hot.com*, True -*.intime-power.com*, True -*.intime-sensazioni.ch*, True -*.intimesoftworks.com*, True -*.intimex.com.mx*, True -*.intimex.mx*, True -*.intimland.com*, True -*.intimtyumen.com*, True -*.intipers.net*, True -*.intisarituah.com*, True -*.intisolusi.co.id*, True -*.intistek.co.id*, True -*.intl-servicescenter.com*, True -*.intmed.ro*, True -*.intohiding.com*, True -*.intometal.co.za*, True -*.intothelightprod.com*, True -*.intprosys.net*, True -*.intrac.kg*, True -*.intracomm.org*, True -*.intraconnect.ro*, True -*.intra-dm.com.ar*, True -*.intraelec.cl*, True -*.intranetdm.com.ar*, True -*.intranetlocal.com.ar*, True -*.intranetwifi.it*, True -*.intratel.cl*, True -*.intravenousdata.net*, True -*.intreada.com*, True -*.intrepidsolution.co.za*, True -*.introcam.tk*, True -*.introleum.com.ve*, True -*.intronati.com.ar*, True -*.introspect-tech.net*, True -*.inttechno.ru*, True -*.intuit-tv.ru*, True -*.inuit-wallet.co.uk*, True -*.inuma.es*, True -*.inur.ch*, True -*.inurlchecker.com*, True -*.invales.com*, True -*.invariablydriven.com*, True -*.invasa.es*, True -*.invasaoanal.com.br*, True -*.inventi.lt*, True -*.inventious.us*, True -*.inventitlabs.com*, True -*.inventit.ro*, True -*.inventmarine.com*, True -*.inventmarine.com.au*, True -*.invento.cl*, True -*.inventorpool.ch*, True -*.inventorycoach.com*, True -*.invernalia.org*, True -*.inversi0n.org*, True -*.inversion.cl*, True -*.inversionescantabria.cl*, True -*.inversionesduri.com*, True -*.inversionesipsa.cl*, True -*.inversionesjhocir.com.ve*, True -*.inversionesjoan.cl*, True -*.inversionesmariaelena.tk*, True -*.inversionesmyh.cl*, True -*.inversionespitos.com*, True -*.inversionesrefricom.com.ve*, True -*.inversity.net.au*, True -*.invertienusa.com*, True -*.invesgrup.com.ar*, True -*.investasi-murah.com*, True -*.investasiombro.com*, True -*.investclubes.com.br*, True -*.investforfriends.com*, True -*.invest-forum.biz*, True -*.investhub.ro*, True -*.investigacaobr.com*, True -*.investingindonesia.co*, True -*.invest.io*, True -*.invest-max.com*, True -*.investo.ro*, True -*.investors1st.com.au*, True -*.investorsleadsource.com*, True -*.invexans.cl*, True -*.invexlab.com*, True -*.invf920.com.ve*, True -*.invibe.ch*, True -*.invic.tk*, True -*.invictus.co.id*, True -*.inviertaplus.cl*, True -*.invira.cl*, True -*.invisible.blue*, True -*.invisible-sense.com*, True -*.invisiblesense.com*, True -*.invisible-sense.net*, True -*.invisiblesense.net*, True -*.invisosystems.net*, True -*.invistaemvoce.com.br*, True -*.invitee.net*, True -*.invjulieta.cl*, True -*.invoiceclerks.com*, True -*.invoicedoctor.com*, True -*.involity.com*, True -*.in-wave.com*, True -*.inxs.com.ar*, True -*.inyx.com.au*, True -*.inzagreb.com*, True -*.inzannadeecreations.com*, True -*.inzone.ro*, True -*.ioanvranceanu.ro*, True -*.ioasgo.com.ar*, True -*.iodadre.com*, True -*.iodera.com*, True -*.iodns.cf*, True -*.ioefoss.org.np*, True -*.ioexpert.com*, True -*.iofusion.us*, True -*.ioiotrap.com*, True -*.ioleague.com*, True -*.ioltatrust.com*, True -*.ioly.com*, True -*.iomail.info*, True -*.iompostoffice.com*, True -*.ionexusa.com*, True -*.iongame168.com*, True -*.iongames168.com*, True -*.iongamex168.com*, True -*.iongamez168.com*, True -*.i-ongold.com*, True -*.ioniq.co.za*, True -*.ionirimie.ro*, True -*.ionistor.com*, True -*.ionscooter.com*, True -*.ionstorm.net*, True -*.i-onsystems.com*, True -*.ionutdiaconu.ro*, True -*.ionutvasile.ro*, True -*.ioomedia.com*, True -*.iop-009.com*, True -*.iopening.com.au*, True -*.ioq.me*, True -*.iordan.ro*, True -*.iosblog.com*, True -*.ioscube.com*, True -*.ioscube.it*, True -*.iosec.net*, True -*.iosgiftcode.com*, True -*.ioshack.info*, True -*.iosi.ru*, True -*.iosporn.com*, True -*.iostardata.com*, True -*.iosystems.pl*, True -*.iota-trading.com*, True -*.iotlink.com.br*, True -*.iou1.tk*, True -*.ioudas.net*, True -*.iowegn.com*, True -*.ioxs.com*, True -*.ipachuca.com*, True -*.ipaddr.com.ar*, True -*.ipagalati.ro*, True -*.ipa.hk*, True -*.ipalbiofive.com*, True -*.ipalbioseven.info*, True -*.ipalkcigreen.com*, True -*.ipanel.io*, True -*.ipank86.tk*, True -*.ipa.pt*, True -*.ipark-tsj.ru*, True -*.iparts.pw*, True -*.ipaxvoip.com.mx*, True -*.ipayhalf.com*, True -*.ipbul.tk*, True -*.i-pbx.com.ar*, True -*.ipcasa.net*, True -*.ipcauto.ro*, True -*.ipcctv.com.ar*, True -*.ipcportotecnica.su*, True -*.ipdesign.ro*, True -*.ipdist.eu*, True -*.ipdist.pl*, True -*.ipernuf.cf*, True -*.ip-gogos.com*, True -*.ipgtechnic.ro*, True -*.ipgue.ml*, True -*.ipgw6.eu*, True -*.iphide.pl*, True -*.iphistory.co.uk*, True -*.iphoneappthink.com*, True -*.iphone-feed.co.uk*, True -*.iphoneography.ro*, True -*.iphonepos.com*, True -*.iphoneproducts.eu*, True -*.iphonetailor.com.au*, True -*.iphonetc.net*, True -*.iphonio.com*, True -*.iphtamerira.ru*, True -*.ipicks.net*, True -*.ipilpunya.tk*, True -*.ipil.tk*, True -*.ipinas.biz*, True -*.ipinas.org*, True -*.ipinfood.com*, True -*.ipink.cf*, True -*.ipink.ga*, True -*.ipirategame.ru*, True -*.ipitable.eu*, True -*.ipkinfo.one.pl*, True -*.ipk.one.pl*, True -*.ipla.de*, True -*.iplawtender.com*, True -*.iplawyers.hk*, True -*.iplaycafe.net*, True -*.iplaytennis.com.au*, True -*.ipler-lecturas.com*, True -*.ipler-matematicas.com*, True -*.iplia.com*, True -*.iplia.co.za*, True -*.iplia.org*, True -*.ipma.co.id*, True -*.ipmakelaarssa.co.za*, True -*.ipmaus.com.au*, True -*.ipmc-apm.com.tr*, True -*.ipm-dev.ml*, True -*.ipmengineers.cl*, True -*.ipme.pt*, True -*.ipmmi.org.br*, True -*.ipmodo.com*, True -*.ipmsulsel.or.id*, True -*.ipodtotal.com.ar*, True -*.ip-openarena.tk*, True -*.iporn69.com*, True -*.ipositivead.com*, True -*.iposs-ky.com*, True -*.ipoterv.cf*, True -*.ippbx.co.id*, True -*.ippbx.tw*, True -*.ip-pro.eu*, True -*.ip-pro.pl*, True -*.ippydippy.com*, True -*.ippydippy.info*, True -*.ippydippy.net*, True -*.ippydippy.org*, True -*.ipquery.org*, True -*.iprefeitura.com*, True -*.iprellc.com*, True -*.ipriest.org.uk*, True -*.iprockbyte.pw*, True -*.iprofesional.pl*, True -*.ipr.pt*, True -*.iprsa.cl*, True -*.ipse.ro*, True -*.ipserver.tk*, True -*.ipslandscapes.com.au*, True -*.ipsleon.es*, True -*.ipsur.org*, True -*.ipsyarif.ml*, True -*.ipsyc.com.ar*, True -*.iptech-irk.ru*, True -*.ip-tek.net*, True -*.iptender.com*, True -*.ip-trigenius.tk*, True -*.ipts.com.br*, True -*.iptv4gr.com*, True -*.iptvclub.tv*, True -*.iptv-max.com*, True -*.iptvmax.tv*, True -*.iptvss.com*, True -*.iptvworld.biz*, True -*.ipul.es*, True -*.ipul-masih.tk*, True -*.ipulweb.com*, True -*.ipv4.pl*, True -*.ipv6-comm.net*, True -*.ip-v6.eu*, True -*.ipv6.la*, True -*.ipv6.me.uk*, True -*.ipv6net.ro*, True -*.ipv6portals.com*, True -*.ipv7.ru*, True -*.ipvsalta.gob.ar*, True -*.ipwned.ro*, True -*.ipxsistemas.com.ar*, True -*.iqaf.info*, True -*.iqbalabdulmalik.co*, True -*.iqbalalisofyan.com*, True -*.iqbalcakep.com*, True -*.iqbalcoder.com*, True -*.iqbalpajatapuih.com*, True -*.iqbal-sharing.com*, True -*.iqmag.ro*, True -*.iqrabrothers.my*, True -*.iqsecurity.com.ve*, True -*.iq-solutions.gr*, True -*.iqts.co*, True -*.iqubadora.info*, True -*.iqubadora.mx*, True -*.iq-x.com*, True -*.iraalborz.com*, True -*.iraalborz.ir*, True -*.irai.su*, True -*.iralborz.com*, True -*.iralborz.ir*, True -*.iramica.com*, True -*.iram.web.id*, True -*.iranairtours.com*, True -*.iranairtours.ir*, True -*.irancam.tk*, True -*.iranchentaichi.ir*, True -*.iranfdo.ir*, True -*.irangiscenter.com*, True -*.iranhr.net*, True -*.iranibuy.com*, True -*.iranmarja.com*, True -*.iranmmd.com*, True -*.iranparleman.com*, True -*.iranpku.ir*, True -*.iranport.net*, True -*.irantourtravels.com*, True -*.iranussd.ir*, True -*.irarzesh.com*, True -*.irasoshimzes.ro*, True -*.irat.ch*, True -*.iratonline.net*, True -*.iravany.com*, True -*.irayyanleather.com*, True -*.irbs.ro*, True -*.irc6net.de*, True -*.ircbg.com*, True -*.ircblast.us*, True -*.ircclouds.tk*, True -*.irc-crew.tk*, True -*.ircgeek.net*, True -*.irc-hispanet.ml*, True -*.ircii.org*, True -*.irclord.tk*, True -*.irclounge.net*, True -*.ircmania.com.br*, True -*.ircmania.ga*, True -*.ircmaniak.tk*, True -*.ircmania.tk*, True -*.ircn3t.de*, True -*.ircnet6.one.pl*, True -*.ircnet.biz*, True -*.ircnet.mobi*, True -*.ircnetworks.org*, True -*.ircnode.com*, True -*.ircnode.tk*, True -*.ircoholik.pl*, True -*.ircop.eu*, True -*.irc-peda.com*, True -*.ircr.info*, True -*.irc--server.ml*, True -*.irc.so*, True -*.ircsrvr.ml*, True -*.i-rc.tk*, True -*.irc.web.id*, True -*.ircweb.info*, True -*.ircweb.net*, True -*.irczilla.com*, True -*.irczilla.info*, True -*.irczilla.net*, True -*.irczilla.org*, True -*.i-recommend.co.za*, True -*.irefillhost.com*, True -*.iregans.com*, True -*.irekodi.club*, True -*.ireland.mx*, True -*.irelandyoga.org*, True -*.irelia.co*, True -*.irenebarry.com*, True -*.irene.com.au*, True -*.irenetam.com*, True -*.irenetam.net*, True -*.irenetam.org*, True -*.irepel.com*, True -*.irequest.ro*, True -*.irettke.info*, True -*.irfanasrullah.com*, True -*.irfanazizpratomo.com*, True -*.irfanshah.net*, True -*.irfdo.ir*, True -*.irfeasit.cf*, True -*.irfna.com*, True -*.irg-team.gq*, True -*.irhasfoto.com*, True -*.iriana.org*, True -*.iridium.one.pl*, True -*.irieconcept.cl*, True -*.iri.fi*, True -*.irigatiigradini.ro*, True -*.irinagingu.ro*, True -*.irinaroach.com*, True -*.irindom.ru*, True -*.irisanalysis.com*, True -*.irisecret.com*, True -*.irisgrup.ro*, True -*.irish-dragon.com*, True -*.irishguys.org*, True -*.irishpub.ro*, True -*.irishtelevision.info*, True -*.irisphotobooth.com*, True -*.irisphotography.web.id*, True -*.irisrental.web.id*, True -*.irissecret.com*, True -*.irisstom.ru*, True -*.irisyoscar.com*, True -*.irkant.com*, True -*.irk-beta.pl*, True -*.irkpromo.biz*, True -*.irlicense.ir*, True -*.irmari.ee*, True -*.irmed.ro*, True -*.irner.si*, True -*.irnis.org*, True -*.iro86.ru*, True -*.irockicks.com*, True -*.i-rock.ro*, True -*.irocz.one.pl*, True -*.irogers.org*, True -*.irohe.com*, True -*.iroiasi.ro*, True -*.iron124.ru*, True -*.ironcatstrength.com*, True -*.ironcouncil.net*, True -*.irondust.com*, True -*.i-rong.com*, True -*.ironic.org*, True -*.ironi.st*, True -*.ironliontit.com*, True -*.ironman4x4adventurechallenge.com*, True -*.ironroadlimited.com.au*, True -*.ironwoodflooring.com.au*, True -*.irorj.com.br*, True -*.irosobatrupon.com.ve*, True -*.irpp.ru*, True -*.irprobe.com.ar*, True -*.irq.ro*, True -*.irradiandoluz.com.br*, True -*.irrad.org*, True -*.irrc.ir*, True -*.irrelephants.net*, True -*.irrigationsupply.net*, True -*.irr.nu*, True -*.irssi.co*, True -*.irssi.gq*, True -*.irungaray.com.ar*, True -*.irvankadhafi.net*, True -*.irvan.or.id*, True -*.irvanvvip.com*, True -*.irvcorliss.com*, True -*.irvie.net*, True -*.irvingaraujo.com.br*, True -*.irwinreyes.com*, True -*.isaacbest.com*, True -*.isaacbest.org*, True -*.isaacbest.us*, True -*.isaaccasey.com*, True -*.isaacfrancisco.com*, True -*.isaacgourlayhutchison.com*, True -*.isaachutchison.com*, True -*.isaaclaughlin.com*, True -*.isaacobeirn.com*, True -*.isaacraes.com*, True -*.is-a-belu.ga*, True -*.isabelu.ga*, True -*.isact.org.au*, True -*.is-a-geek.ch*, True -*.isageek.net*, True -*.isaiahgilliland.com*, True -*.isaichkin.ru*, True -*.isak.ws*, True -*.isale.hk*, True -*.isalestore.com*, True -*.isalvat.es*, True -*.isamotherfucking.ninja*, True -*.isan.com.au*, True -*.i-santoso.com*, True -*.isarhospital.com*, True -*.isatsg1-m3.tk*, True -*.isattest.tk*, True -*.isavages.com*, True -*.isawgodtoday.info*, True -*.isaysabaj.cl*, True -*.isaziprop.co.za*, True -*.isbandrio.com*, True -*.isc2chapter-romania.ro*, True -*.isca-artificial.com.br*, True -*.ischglnannies.com*, True -*.ischrott.ch*, True -*.ischwab.tk*, True -*.iscity.com.my*, True -*.isc-ls.com*, True -*.is.com.my*, True -*.isconsultora.cl*, True -*.iscontabil.ro*, True -*.isc.or.id*, True -*.isdesned.org*, True -*.iseasy.tw*, True -*.isee.sg*, True -*.iseidou.com*, True -*.isenringen.ch*, True -*.iseoz.com*, True -*.iserversolutions.net*, True -*.i-sev.com*, True -*.isfacat.net*, True -*.isfahan360.com*, True -*.isfahankhodro.com*, True -*.isfd29merlo.com.ar*, True -*.isfedu2.ir*, True -*.isfedu4.ir*, True -*.isgyazilimi.net*, True -*.ishaansid.com*, True -*.ishareupload.com*, True -*.isharif.ir*, True -*.isharif.net*, True -*.ishdafish.ca*, True -*.ishells.tk*, True -*.ishevchenko.net*, True -*.ishome.ca*, True -*.ishopconsulting.com*, True -*.ishopinafrica.com*, True -*.ishoripokhrel.com.np*, True -*.ishoubiao.net*, True -*.ishuhozyaina.com*, True -*.isiam.net*, True -*.isidis.ru*, True -*.isidoripavimenti.ch*, True -*.isigonis.gr*, True -*.isigood.com*, True -*.isihia-exi.ro*, True -*.isiklik.net*, True -*.isikmuhendislik.com*, True -*.isinthecloud.com*, True -*.isisrecruited.me*, True -*.isitfriday.nu*, True -*.isitloadedyet.com*, True -*.isitmagfestyet.org*, True -*.isjewboymarriedyet.com*, True -*.isk8.ro*, True -*.is-kawasaki.ninja*, True -*.iskitim.org*, True -*.iskrice.si*, True -*.iskulbukol.com*, True -*.iskyen.org*, True -*.isladefaro.com.ar*, True -*.islademaipo.cl*, True -*.islamchat.tk*, True -*.islamicnetwork.com*, True -*.islamicnetwork.org*, True -*.islamicsocietyballarat.org*, True -*.islamislove.com*, True -*.island13.com*, True -*.island-arts.biz*, True -*.islandarts.biz*, True -*.island-arts.info*, True -*.islandarts.info*, True -*.islarrykingalive.com*, True -*.islarrykingdead.com*, True -*.isleofmancoins.com*, True -*.islife.com.br*, True -*.islsystem.it*, True -*.isltest.net*, True -*.ismad.co.uk*, True -*.ismaildagli.com.tr*, True -*.ismailsaleh.net*, True -*.ismartiptv.com*, True -*.ismartmeter.net*, True -*.ismartoys.com*, True -*.ismavatar.com*, True -*.ismco.cl*, True -*.isme.tk*, True -*.ismetyaksi.com.tr*, True -*.ismikecoding.com*, True -*.ism-invoicing-app.com*, True -*.ismith.ch*, True -*.ismoke.hk*, True -*.ism-wholesale.com*, True -*.is.my*, True -*.ismybeloved.com*, True -*.ismywebsiteonline.net*, True -*.isnad.net*, True -*.isnbrokerage.org*, True -*.isn.cl*, True -*.isnet.com*, True -*.isngroup.tk*, True -*.isnmail.tk*, True -*.iso8583.info*, True -*.isoaklandgentrified.com*, True -*.isocsec.com*, True -*.isoelast.eu*, True -*.isoffcampus.com*, True -*.isoftdev.co.uk*, True -*.isoftstudio.ro*, True -*.isojackal.co.uk*, True -*.isok.info*, True -*.isokrates.co.uk*, True -*.isoletromania.ro*, True -*.isoltesa.ch*, True -*.isolution.com.ar*, True -*.isolutionconcepts.com*, True -*.isomaly.com*, True -*.isoshnikov.com*, True -*.isotretinoinacne.com*, True -*.ispace-bs.com*, True -*.ispacepromo.ru*, True -*.ispeakuwin.com*, True -*.i-specs.co.uk*, True -*.is-photography.ch*, True -*.ispif.ro*, True -*.ispisp.sg*, True -*.ispos.com.ve*, True -*.isppfpv.com.ar*, True -*.ispsistemas.com.ar*, True -*.ispt360.com*, True -*.ispt360.ir*, True -*.ispt.ir*, True -*.israelborges.com.br*, True -*.israel-expedition.com*, True -*.israelisurveillance.com*, True -*.israelnationltours.co.il*, True -*.issgaming.eu*, True -*.issimo4u.ru*, True -*.issomarca.com.br*, True -*.issomed.cl*, True -*.issorad.com*, True -*.isstec.com*, True -*.is-sue.com*, True -*.issurroundedbyidiots.net*, True -*.ist24.ru*, True -*.istadisplays.com*, True -*.istakala.com*, True -*.istakalisa.com*, True -*.istanamusik.info*, True -*.istanareload.org*, True -*.istanbulfizik.net*, True -*.istanbulgookulu.com*, True -*.istanbulsafak.com*, True -*.istdp.fi*, True -*.istfilob.cf*, True -*.isthatanupgrade.com*, True -*.isthatreallytrue.com*, True -*.isthefieldcontrolsystemdown.com*, True -*.isthmusportrait.com*, True -*.isticomindo.com*, True -*.isticom.info*, True -*.istikbal-mobilya-modelleri.com*, True -*.istiqomp.net*, True -*.istituto-lady.ch*, True -*.istitutolinguaveneta.org*, True -*.istiyan.tk*, True -*.istmotech.com*, True -*.istock.com.ar*, True -*.istone.in*, True -*.istov.ro*, True -*.istraelectroset.ru*, True -*.istrapano360.com*, True -*.istrash.com*, True -*.ists.co.id*, True -*.istvanfodor.ro*, True -*.istyping.tk*, True -*.isuckatgaming.com*, True -*.i-sugar.com.my*, True -*.isuka.ml*, True -*.isukapalli.com*, True -*.isummer.it*, True -*.isumm.ro*, True -*.isuper.pt*, True -*.isupholstery.co.uk*, True -*.isvg.gr*, True -*.iswarm.net*, True -*.isylet.com.mx*, True -*.isylet.mx*, True -*.isyour.guru*, True -*.iszer.net*, True -*.it290.com*, True -*.it2c.be*, True -*.it4500.com*, True -*.it4africa.co.za*, True -*.it4all.ch*, True -*.it4business.com.ar*, True -*.it4e.co*, True -*.it4soho.info*, True -*.it7.es*, True -*.itadvisory.cl*, True -*.it-advisory.eu*, True -*.itafish.com.br*, True -*.itagit.com.au*, True -*.itagit.net.au*, True -*.itaipavafestas.com.br*, True -*.i-taiwan.tv*, True -*.itakeasy.com*, True -*.italbody.es*, True -*.italchemistinc.com*, True -*.italiandream.net.au*, True -*.italianiallestero.info*, True -*.italiatela.com*, True -*.italkticket.com*, True -*.italliance.com.ar*, True -*.italsed.it*, True -*.italsqualitablog.net*, True -*.italynoleggi.com*, True -*.itandc.ro*, True -*.itarea.org*, True -*.itargget.net*, True -*.itaxie.com*, True -*.itbalances.com.au*, True -*.itb-don.ru*, True -*.itbedrijfalkmaar.com*, True -*.itbedrijfalkmaar.nl*, True -*.itbig.ru*, True -*.it-bi.ru*, True -*.itceb.org*, True -*.it-celica.si*, True -*.itcertificate.ro*, True -*.itcertification.ro*, True -*.itc-games.ro*, True -*.itchile.com*, True -*.itcnashville.com*, True -*.it-communications.ro*, True -*.itcomp.ro*, True -*.itcomputers.com.np*, True -*.it-concept.ro*, True -*.itconcepts.me*, True -*.itconcepts.mx*, True -*.itconceptsmx.info*, True -*.itconceptsmx.net*, True -*.itconex.com.ar*, True -*.itconnector.com*, True -*.itcraiova.ro*, True -*.itcrltd.co.uk*, True -*.itc-sa.biz*, True -*.itcsmssatumare.ro*, True -*.itdistributions.co.za*, True -*.itdnyc.com*, True -*.it-dynamics.ro*, True -*.itechmount.com*, True -*.itechs.com.my*, True -*.itecono.com*, True -*.iteeesa.com.mx*, True -*.itekgroup.com*, True -*.it-ek.tk*, True -*.itela.info*, True -*.itelgua.info*, True -*.itelpat.org*, True -*.itelpatresearch.be*, True -*.itelpatresearch.tk*, True -*.itelpat.tk*, True -*.itelsoluciones.com.ve*, True -*.itemxp.net*, True -*.iteng.com.my*, True -*.i-tester.com.ar*, True -*.it-etc.com*, True -*.itfedora.com*, True -*.itf.es*, True -*.itfiredup.com*, True -*.it-firm.bg*, True -*.itfreelancer.ru*, True -*.itfrustrates.me*, True -*.itgang.ru*, True -*.it-garant.ru*, True -*.itgems.ru*, True -*.itglasses.com*, True -*.itgob.mx*, True -*.itgoods.eu*, True -*.itgr.uk*, True -*.itguitarguy.com*, True -*.itguru.co.za*, True -*.ithandsfree.com*, True -*.ithangar.com*, True -*.ithaqua.org*, True -*.it-head.ch*, True -*.ithead.ch*, True -*.it-heads.ch*, True -*.itheads.ch*, True -*.itheal.org*, True -*.ithelpsolutions.net*, True -*.i-themes.us*, True -*.ithera.com.ar*, True -*.ithesun.com*, True -*.ithjalp.com*, True -*.ithjalp.net*, True -*.ithjalp.se*, True -*.i-t.hk*, True -*.it-home.ro*, True -*.ithubcapetown.co.za*, True -*.itics.cl*, True -*.itierrasur.cl*, True -*.itiest.com*, True -*.itimemachine.net*, True -*.it-indonesia.com*, True -*.itinfo.pro*, True -*.itingenieria.com.ar*, True -*.itinmotion.com.au*, True -*.itinmotion.net.au*, True -*.it-instalacje.pl*, True -*.itinstitute.co.za*, True -*.itintels.com*, True -*.itirafduvari.net*, True -*.itiscream.com*, True -*.itis.ro*, True -*.it-kafe.com*, True -*.itlab.tw*, True -*.itlangcon.com*, True -*.itlaw.hk*, True -*.itlawtender.com*, True -*.itlawyers.hk*, True -*.itlbg.net*, True -*.itleague.com*, True -*.itlogistica.ru*, True -*.itlogistics.com.ar*, True -*.itlogistika.ru*, True -*.itmagic.us*, True -*.itmanaged.com.au*, True -*.itmanagercompany.com.ve*, True -*.itmanageronline.pl*, True -*.itmate.ru*, True -*.itm.com.tr*, True -*.i-t.me*, True -*.itmm.hk*, True -*.itmonger.com*, True -*.itmonit.ru*, True -*.itmotion.com.au*, True -*.itmotion.net.au*, True -*.itm-travel.de*, True -*.itna88.tk*, True -*.itnewhere.co.uk*, True -*.itnovar.com*, True -*.itnow.cl*, True -*.itns.ca*, True -*.itoenail.com*, True -*.itoitz.net*, True -*.itolimp.ru*, True -*.itomaldonado.com*, True -*.itomaz.com*, True -*.itomkovich.ru*, True -*.itonceagain.com*, True -*.it-one.com.ar*, True -*.it-peopleconnection.ru*, True -*.it-petschnek.at*, True -*.itphil.net*, True -*.itplus.com.np*, True -*.itpnet.com.ar*, True -*.itpony.us*, True -*.itpro.com.ar*, True -*.itprogress.cl*, True -*.it-progress.com*, True -*.itpromco.com*, True -*.itpropuebla.com*, True -*.it-proyectos.cl*, True -*.itq.ro*, True -*.itradefromhome.com*, True -*.itrades.co.za*, True -*.itrall.com*, True -*.it-ram.ru*, True -*.itransitconnect.com*, True -*.i-transportation.com*, True -*.itraveler.co.za*, True -*.itravel-go.com*, True -*.itremote.ca*, True -*.itresponsecenter.com*, True -*.itreviews.ro*, True -*.itrio.mx*, True -*.i-trip.com.ar*, True -*.itroncoso.cl*, True -*.it-room.eu*, True -*.itro.tk*, True -*.its4p.com*, True -*.its4p.net*, True -*.its4p.si*, True -*.itsadoteatdotworld.com*, True -*.itsainternacional.com.ar*, True -*.itsallrelative.info*, True -*.itsaspade.co.uk*, True -*.itsbdltd.com*, True -*.itsbecauseof.me*, True -*.its.co.ve*, True -*.itsc-tech.net*, True -*.itseasymate.com*, True -*.itsec-ro.ro*, True -*.itseric.com*, True -*.itservices.hk*, True -*.itsforthebirdsfreebies.com*, True -*.itsgrimupnorth.net*, True -*.itshare.eu*, True -*.it-share.ro*, True -*.itskun.ru*, True -*.itslaqueefa.com*, True -*.itslbd.net*, True -*.its-leskovac.com*, True -*.itslikenothere.com*, True -*.itslupus.com*, True -*.itsm101.com*, True -*.itsm101.com.ar*, True -*.itsmartisans.com*, True -*.itsmartisans.info*, True -*.itsmartisans.net*, True -*.itsmartisans.org*, True -*.itsmejamie.com*, True -*.itsnotmytree.co.za*, True -*.itsocket.co.uk*, True -*.it-sol.ch*, True -*.itsolid.com.au*, True -*.itsolution.com.au*, True -*.itsolutionshillsdale.us*, True -*.it-solution.web.id*, True -*.itsomax.com*, True -*.itsomax.org*, True -*.itspartyti.me*, True -*.itspay.com*, True -*.it-src.com*, True -*.itsr.ru*, True -*.itssa.com.au*, True -*.itssa.es*, True -*.it-ss.co*, True -*.it-stelle-ba.tk*, True -*.it-stelle.tk*, True -*.itstreet.ru*, True -*.itsupportessentials.com*, True -*.itsyourstorycontentediting.tk*, True -*.itsys.ro*, True -*.itsyummy.info*, True -*.ittcannon.com.au*, True -*.it-techconsulting.com*, True -*.ittechheads.org.uk*, True -*.it-technologies.com.mx*, True -*.ittechnology.com.mx*, True -*.ittelecom.pl*, True -*.ittemple.com*, True -*.itt-kubba.net*, True -*.itto.tk*, True -*.it-touch.com*, True -*.ittqc.com*, True -*.ittradehk.com*, True -*.ittybaby.com.au*, True -*.ituniversity.com.br*, True -*.itunivers.ro*, True -*.itur.si*, True -*.it-user.ru*, True -*.itvend.eu*, True -*.itverso.tk*, True -*.i-tv.ga*, True -*.i-tv.ml*, True -*.it-wahn.de*, True -*.itwasworking.com*, True -*.it-wct.com*, True -*.itworldtraders.com.np*, True -*.it-wtc.com*, True -*.itwusedtrucks.co.za*, True -*.itxcomp.com.br*, True -*.itx.com.ve*, True -*.itxgamer.com.br*, True -*.itxgames.com.br*, True -*.itxsolucoes.com.br*, True -*.itxtelecom.com.br*, True -*.itzg.me*, True -*.itzza-pizza.ru*, True -*.itzzm.com*, True -*.iu4ever.org*, True -*.iudc.ir*, True -*.iugaming.com*, True -*.iuis.info*, True -*.iulianbasescu.ro*, True -*.iulianneagu.ro*, True -*.iuliantanase.ro*, True -*.iuliantihan.ro*, True -*.iuliasirares.info*, True -*.iumc-dmitrov.ru*, True -*.iuoffcampus.com*, True -*.iuog.com.ar*, True -*.iupimg.com*, True -*.iupimgs.com*, True -*.iupockets.org*, True -*.iurga.ru*, True -*.iurischimanski.com*, True -*.iusnet.cl*, True -*.iustconstruct.ro*, True -*.iustitia.lt*, True -*.iuu.ch*, True -*.iuxpress.com*, True -*.iv50.com*, True -*.ivaluate.cl*, True -*.ivanajorge.com.br*, True -*.ivanbauer.com*, True -*.ivanff.com*, True -*.ivankabaivanov.com*, True -*.ivankabaivanov.net*, True -*.ivankabaivanov.org*, True -*.ivanledesma.com.ar*, True -*.ivanpoliakov.ru*, True -*.ivanprado.es*, True -*.ivanwalker.net*, True -*.ivaz.ro*, True -*.ivbv.club*, True -*.ivc.cc*, True -*.ivc.org.ar*, True -*.ivcorp.com.ar*, True -*.ivdata.net*, True -*.ives.tk*, True -*.ives.tw*, True -*.iview.com.ar*, True -*.iviewsec.co.za*, True -*.ivimesquita.com.br*, True -*.ivintik.ru*, True -*.ivi.pl*, True -*.iv.lc*, True -*.ivmeyapi.com.tr*, True -*.ivoiceover.net*, True -*.ivoryhair.com.au*, True -*.ivqs.com*, True -*.ivrix.org.il*, True -*.ivr.ro*, True -*.ivssa-detectar.com.ar*, True -*.ivybits.tk*, True -*.ivydesignhouse.com*, True -*.ivyhui.com*, True -*.ivykreasindo.co.id*, True -*.ivyu.net*, True -*.iw22.cf*, True -*.iw22.ga*, True -*.iw22.gq*, True -*.iw22.ml*, True -*.iw22.tk*, True -*.iwal.co.nz*, True -*.iwalk.tk*, True -*.iwansetya.web.id*, True -*.iwant2b.com.my*, True -*.iwant2b.net.my*, True -*.iwant2b.org.my*, True -*.iwantmorepay.com*, True -*.iwantsexymovies.com*, True -*.iwanttech.com*, True -*.iwantthisjunk.com*, True -*.iwillsellyou.cc*, True -*.iwilton.com*, True -*.iwishtheworldcouldhear.com*, True -*.iwonju.com*, True -*.iword.tw*, True -*.iwritestory.com*, True -*.iwsb.com.my*, True -*.iwss.com.au*, True -*.ix64.com*, True -*.ix86.cc*, True -*.ixabot.com*, True -*.ixanis.net*, True -*.ixomex.cf*, True -*.ixora.com.au*, True -*.ixta.ml*, True -*.ix.tc*, True -*.ixtent.net*, True -*.ixtsoft.com*, True -*.ixtsoft.ru*, True -*.ixxicdn.com*, True -*.ixxi.com.au*, True -*.ixx.io*, True -*.ixyo.com*, True -*.iyah.ga*, True -*.iyannet1.tk*, True -*.iyannet.tk*, True -*.iyantunvpn.tk*, True -*.iyb.ca*, True -*.iyci.net*, True -*.iyegha.com*, True -*.iyellowcabrichmond.com*, True -*.iyercloud.org*, True -*.iyerwall.com*, True -*.iyogi.org*, True -*.iyungtux.web.id*, True -*.iyusuf.com*, True -*.i-z-a.ch*, True -*.izaimarcin.info*, True -*.izam.my*, True -*.izamvpn.tk*, True -*.izangzakaria.tk*, True -*.iza-online.ro*, True -*.izaonline.ro*, True -*.izardnet.com*, True -*.izarlore.net*, True -*.izayoi.ga*, True -*.izayoi.ml*, True -*.izcatl.mx*, True -*.izegemkoers.be*, True -*.izetsleather.com*, True -*.izevbuwa.ca*, True -*.izge.com.tr*, True -*.izham.info*, True -*.iziliang.com*, True -*.izmaelis.com*, True -*.izmenenet.su*, True -*.izo-dom.ru*, True -*.izquierdasocialista.cl*, True -*.iz.rs*, True -*.izserious.biz*, True -*.izsrs.biz*, True -*.izu104.com*, True -*.izucleckscreative.com*, True -*.izuclecksdesign.com*, True -*.izuclecksdigital.com*, True -*.izuclecksgroup.com*, True -*.izuclecksmed.com*, True -*.izuclecksmedia.co*, True -*.izuclecksmedia.com*, True -*.izuclecksmediadesign.com*, True -*.izuclecksmedia.net*, True -*.izuclecksmedia.org*, True -*.izuclecksmediasolutions.com*, True -*.izuclecksproductions.com*, True -*.izuclecksstudios.com*, True -*.izukan.com*, True -*.izumart.com*, True -*.izung.com*, True -*.izvoade.ro*, True -*.izvorul.com*, True -*.izysolution.net*, True -*.izyum.in*, True -*.izz0.com*, True -*.izzitent.com*, True -*.izzysally7838.com*, True -*.j00nix.org*, True -*.j0hnson.com*, True -*.j2eebook.com*, True -*.j2e.nl*, True -*.j2eta.com*, True -*.j2megratuito.com.ar*, True -*.j2mevn.org*, True -*.j3gsoluciones.net.ve*, True -*.j3labs.net*, True -*.j3no.com*, True -*.j3y.net*, True -*.j3y.org*, True -*.j4m355.com*, True -*.j4mp.tk*, True -*.j4u.xyz*, True -*.j4zt-newbie.net*, True -*.j51corp.com*, True -*.j51corporation.us*, True -*.j7.se*, True -*.ja1472.com*, True -*.ja1l.net*, True -*.ja88.net*, True -*.jaaax.com*, True -*.jaakkoluttinen.fi*, True -*.jaanyu.com*, True -*.jaardvark.net*, True -*.jabacraft.net*, True -*.jabaliesrc.org*, True -*.jabalinarock.com.ar*, True -*.jabarliker.net*, True -*.jabarstone.com*, True -*.jabascript.org*, True -*.jabber80.com*, True -*.jabber.com.br*, True -*.jabber.net.nz*, True -*.jabb.ml*, True -*.jabeltinamitsocialproject.org*, True -*.jablud.com*, True -*.jacadigital.es*, True -*.jacadura.com*, True -*.jacandnels.com*, True -*.jaca.tv*, True -*.jaccardchristian.ch*, True -*.jacdesigns.net*, True -*.jacdom.net*, True -*.jaceapps.com*, True -*.jacegames.com*, True -*.jacetyler.com*, True -*.jaceverg.com*, True -*.jachinrupe.com*, True -*.jachinrupe.net*, True -*.jackaiko.tk*, True -*.jackandglory.com*, True -*.jackandlaura.com*, True -*.jackanugrah.com*, True -*.jackanugrahindonesia.com*, True -*.jackballas.com.br*, True -*.jackbarnes.net*, True -*.jackbarrett.com*, True -*.jackbarrett.org*, True -*.jackbo.cf*, True -*.jackbythehedge.co.uk*, True -*.jacker.ro*, True -*.jackferry.biz*, True -*.jackferry.net*, True -*.jack-followers.com*, True -*.jackghostine.com*, True -*.jackhaydock.co.uk*, True -*.jackhui.com*, True -*.jackiehuynh.com*, True -*.jackiesproule.com*, True -*.jackiesproule.co.uk*, True -*.jackjensendevelopment.com*, True -*.jackkaufmandds.com*, True -*.jack-lane.com*, True -*.jacklawtonwebbconventioncenter.com*, True -*.jackmaddox.com*, True -*.jackng.net*, True -*.jackoneill.me*, True -*.jackpothitter.com*, True -*.jackpot.lt*, True -*.jackpot.si*, True -*.jackraleegoldenretrievers.co.uk*, True -*.jack-roche.com*, True -*.jackschultz.net*, True -*.jackshill.com*, True -*.jacksonpub.ro*, True -*.jacksonvillephoto.com*, True -*.jacktup.com*, True -*.jackvine.com*, True -*.jacky31701.tk*, True -*.jacky.net.au*, True -*.jackyquiquerez.ch*, True -*.jacobantony.com*, True -*.jacob-cher.com*, True -*.jacobgaskell.me*, True -*.jacobhanshaw.com*, True -*.jacobhayes.su*, True -*.jacobherdmusic.com*, True -*.jacobi.com.ar*, True -*.jacobi.ninja*, True -*.jacobsens.us*, True -*.jacobsfam.com*, True -*.jacobs.nom.za*, True -*.jacon.co.za*, True -*.jacqandwillwentupthehill.com*, True -*.jacquelineharvey.com.au*, True -*.jacquemine.be*, True -*.jacquesantoine.me*, True -*.jacquesmenoud.ch*, True -*.jacquesretief.nom.za*, True -*.jacquiermichel.ch*, True -*.jad340.com*, True -*.j-addicts.com*, True -*.jade88oakdale.com*, True -*.jadeandnick.com*, True -*.jade-hamburg.de*, True -*.jadekwan.hk*, True -*.jade-tech.co.uk*, True -*.jadi.ir*, True -*.jaditoba.de*, True -*.jadoreunisex.ro*, True -*.jadranka.me*, True -*.jadwalkereta.web.id*, True -*.jadwallali.ga*, True -*.jaefitnesschallenge.com*, True -*.jafam-ict.com*, True -*.jafc.co.za*, True -*.jafconsultant.com*, True -*.jafdev.com*, True -*.jafonet.com*, True -*.jagau.cc*, True -*.jagdeepdhillon.ca*, True -*.jageil.com*, True -*.jageritaville.com*, True -*.jaggoowa.com*, True -*.jagoan.in*, True -*.jagoronbarta.com*, True -*.jagott-it.de*, True -*.jagsfacts.com*, True -*.jaguarcharitypanto.co.uk*, True -*.jaguargent.me.uk*, True -*.jaguar.so*, True -*.jagw.co.uk*, True -*.jahadi.net*, True -*.jahadreg.ir*, True -*.jahammondstrucking.com*, True -*.jahanii.ir*, True -*.jahani.me*, True -*.jahanradyab.ir*, True -*.jahovaos.com*, True -*.jahte.si*, True -*.jaichandrababu.com*, True -*.jaichandrababu.in*, True -*.jaijaijai.uk*, True -*.jail-bait.net*, True -*.jailbreak4free.com*, True -*.jaileewiser.com*, True -*.jaima.us*, True -*.jaipuriarschool.org*, True -*.jaivalores.com*, True -*.jajanan.com*, True -*.jajome.com*, True -*.jakarlilastik.com*, True -*.jakartaagaairsoftgun.com*, True -*.jakarta.dj*, True -*.jakartafotobooth.com*, True -*.jakartaladymassage.com*, True -*.jakartanets.com*, True -*.jakartapac.com*, True -*.jakartaselatan.net*, True -*.jakartastainless.co.id*, True -*.jake.eu*, True -*.jakegub.com*, True -*.jakeislord.com*, True -*.jakelei.ga*, True -*.jakeramirez.com*, True -*.jakmania.cf*, True -*.jakob-express.com*, True -*.jakobsukic.tk*, True -*.jakobtank.com*, True -*.jakowczyk.pl*, True -*.jaktvarvet.nu*, True -*.jakubchmura.pl*, True -*.jakubczyzewski.pl*, True -*.jaku.pe*, True -*.jaky.ro*, True -*.jalanfrozen.com*, True -*.jalapenoofdoom.com*, True -*.jalavionetusa.com*, True -*.jalcargolk.com*, True -*.jalcorn.com*, True -*.jalcorn.net*, True -*.jalderman.org*, True -*.jaleh.info*, True -*.jalfood.com.ar*, True -*.jaliff.com.ar*, True -*.jalinancintaku.com*, True -*.jaliys.com*, True -*.jalojash.org*, True -*.jal.org.br*, True -*.jam42.com*, True -*.jam49.com*, True -*.jam76.com*, True -*.jam92.com*, True -*.jamaicacitysearch.com*, True -*.jamaicanmangoandlime.co.za*, True -*.jamaicanmecrazysauces.com*, True -*.jamartgaren.com*, True -*.jambi.cf*, True -*.jambret.tk*, True -*.jamco.co.za*, True -*.jamerson.org*, True -*.jamesaclawson.com*, True -*.jamesandlacey.com*, True -*.jamesandmichelle.ca*, True -*.jamesangel.com*, True -*.jamesarthur.me*, True -*.jamesbark.com*, True -*.jamesbark.net*, True -*.jamesbencke.com*, True -*.james-cam.ca*, True -*.jamescam.ca*, True -*.james-cam.com*, True -*.jamescampbell.me.uk*, True -*.jameschen.hk*, True -*.jamesconstable.info*, True -*.jamescoote.co.uk*, True -*.jamescourtownhomes.com*, True -*.jamescourttownhomes.com*, True -*.jamescourttownhouses.com*, True -*.jamescyoung.com*, True -*.james-dibble.co.uk*, True -*.jamesdvdavidson.co.uk*, True -*.jamesericwong.com*, True -*.jamesferger.com*, True -*.jamesfette.com*, True -*.jamesfiltness.co.uk*, True -*.jamesg.co.nz*, True -*.jamesgimbi.com*, True -*.james-gold.ch*, True -*.james-gold.com*, True -*.jameshenson.net*, True -*.jamesivan.com*, True -*.jameskienle.me*, True -*.jameskirstylou.tk*, True -*.jameslogan.ca*, True -*.jameslowey.co.uk*, True -*.jamesmaciel.com.br*, True -*.james-maler.ch*, True -*.james-maslin.co.uk*, True -*.jamesmorgan.ca*, True -*.jamesmurtagh.com*, True -*.jamesonlee.com*, True -*.jamesplato.com*, True -*.jamesprotocols.info*, True -*.jamespwalker.com*, True -*.jamesreyes.me*, True -*.james-sanders.com*, True -*.jamesshelford.com*, True -*.jamesstewy.com*, True -*.jamessweet.co.uk*, True -*.jamesvannoord.com*, True -*.jameswhale.org*, True -*.jameswismer.ca*, True -*.jameswong.sg*, True -*.jamesyates.tk*, True -*.jamfoto.hu*, True -*.jamhappy.com*, True -*.jamiebeverly.com*, True -*.jamiebeverly.net*, True -*.jamiebrand.com*, True -*.jamiebrand.co.uk*, True -*.jamiebumsted.com*, True -*.jamiefisher.net*, True -*.jamielcs.co*, True -*.jamielcs.com*, True -*.jamielcs.net*, True -*.jamieos.eu*, True -*.jamie-powell.co.uk*, True -*.jamie-ryan.com*, True -*.jami.info*, True -*.jamminpickle.com*, True -*.jamnet.ro*, True -*.jamonesmata.es*, True -*.jampong.com*, True -*.jamtberg.se*, True -*.jamthicket.com*, True -*.jamulwireless.com*, True -*.jamuralbamas.com*, True -*.jamur.me*, True -*.jamuspendraeg.com*, True -*.jamv.com.my*, True -*.janakbhusal.com.np*, True -*.janakshrestha.com.np*, True -*.janalanvin.com*, True -*.jan-aleks.tk*, True -*.janaliscakes.ca*, True -*.janatarsangbad.com*, True -*.jan-brodbeck.ch*, True -*.jancok.com*, True -*.janda-yuk.ml*, True -*.jandjsitebuilders.com*, True -*.jandjutah.com*, True -*.jando.cl*, True -*.jandrcomputers.net*, True -*.jandric.com*, True -*.jandtwindmills.cn*, True -*.jandtwindmills.co.id*, True -*.jandtwindmills.hk*, True -*.jandtwindmills.ru*, True -*.jandy.io*, True -*.janeburn.ru*, True -*.janecake.com.mx*, True -*.janecake.mx*, True -*.jane-iredaleshop.ru*, True -*.janeiredaleshop.ru*, True -*.janellecaskie.com*, True -*.janenza.com*, True -*.janeshaw.net*, True -*.janet2planet.com*, True -*.janet.ir*, True -*.janetjoseph.com*, True -*.janetriera.com.ar*, True -*.janevim.cz*, True -*.janewyss.ch*, True -*.jangan-nga.co*, True -*.jangkariman.or.id*, True -*.jangsoovita.com*, True -*.jangstyle.tk*, True -*.janhelps.com*, True -*.janiheikkinen.fi*, True -*.janisaarinen.com*, True -*.janistcool.tk*, True -*.janit0r.info*, True -*.janjanin.si*, True -*.jan-kaminski.de*, True -*.janlubinski.pl*, True -*.janmahler.org*, True -*.jann.at*, True -*.janndemonium.com*, True -*.janne-jokinen.fi*, True -*.jannfam.com*, True -*.jannina.tk*, True -*.janonavarrete.cl*, True -*.janovo.ru*, True -*.janpittner.com*, True -*.janroyce.ch*, True -*.jansen-shop.ru*, True -*.jansenshop.ru*, True -*.janshairdressing.co.uk*, True -*.janskiwiart.com*, True -*.jansolo.com*, True -*.janssen-shop.ru*, True -*.janunddaniela.de*, True -*.januscamera.com*, True -*.januzzi.com.br*, True -*.japac.mx*, True -*.japan3x.com*, True -*.japane.se*, True -*.japanesegirlswithanimalears.com*, True -*.japanese-learning.net*, True -*.japanes.ga*, True -*.japan.is*, True -*.japansea.net*, True -*.japenin.com.ar*, True -*.japericias.com.br*, True -*.japorms.com*, True -*.japornzine.com*, True -*.japrem.com*, True -*.jaqualiaandjr.info*, True -*.jaquesylum.tk*, True -*.jara26.com*, True -*.jaradi.me*, True -*.jaramelagrani.com.ar*, True -*.jarbeau.net*, True -*.jarconsulting.com.ar*, True -*.jarconsultora.com.ar*, True -*.jardianukeops.ro*, True -*.jardimdasboasideias.com.br*, True -*.jardinbrown.com.ar*, True -*.jardin-dasie.ch*, True -*.jardindiris.ch*, True -*.jardine.me*, True -*.jardineservices.com*, True -*.jardin-mimundo.cl*, True -*.jardinoctopus.cl*, True -*.jardomatic.ch*, True -*.jaredaughenbaugh.com*, True -*.jaredbreland.com*, True -*.jaredcasper.com*, True -*.jared.net.nz*, True -*.jared.se*, True -*.jaredsretirementcountdown.com*, True -*.jaredthirsk.com*, True -*.jared.tw*, True -*.jaren.org*, True -*.jarios.org*, True -*.jarkeborn.se*, True -*.jarmin.tk*, True -*.jarmo.fi*, True -*.jar.ninja*, True -*.jarnjak.com*, True -*.jaromirbartman.pl*, True -*.jar-p.com*, True -*.jarunee.org*, True -*.jarvensivu.com*, True -*.jarvensivu.fi*, True -*.jarvensivu.net*, True -*.jarvo.com*, True -*.jas0r.com*, True -*.jasa24.web.id*, True -*.jasabuma.com*, True -*.jasacargodomestik.com*, True -*.jasakontraktorkolamrenang.com*, True -*.jasakreatifku.com*, True -*.jasalasercuting.com*, True -*.jasalinkadv.com*, True -*.jasalogam.com*, True -*.jasapadu.com*, True -*.jasaresmi.com*, True -*.jasareviewmurah.web.id*, True -*.jasaseo.tk*, True -*.jasasettingmikrotik.web.id*, True -*.jasaumrohafi.com*, True -*.jasawebpekanbaru.com*, True -*.jasegr8fic.com*, True -*.jasegraphic.com*, True -*.jasems.com*, True -*.jasenkorjaaja.fi*, True -*.jashinski.com*, True -*.jasko.org*, True -*.jasminecybervillage.com*, True -*.jasmine-garden.ch*, True -*.jasminundremo.ch*, True -*.jasmin-zingg.ch*, True -*.jason12.com*, True -*.jasonbayton.com*, True -*.jasoncox.ca*, True -*.jasoncoyne.com*, True -*.jasondemelo.com*, True -*.jasondiamond.com*, True -*.jasoneddins.com*, True -*.jason.fi*, True -*.jasonforbaltimore.com*, True -*.jasonjpalmer.com*, True -*.jasonkinkade.com*, True -*.jasonkomara.com*, True -*.jasonlsl.com*, True -*.jasonmcampbell.us*, True -*.jasonmelcher.com*, True -*.jasonmooreit.com*, True -*.jasonmor.net*, True -*.jasonmrowe.com*, True -*.jasonpowers.net*, True -*.jasonrshaver.com*, True -*.jasonrvance.com*, True -*.jasonsabala.com*, True -*.jasonsabala.net*, True -*.jasonsamiosuy.com*, True -*.jasonschuster.org*, True -*.jasonshaver.com*, True -*.jasonshepherd.net*, True -*.jasonsinclair.tk*, True -*.jasonskaraoke.com*, True -*.jasonsoo.com*, True -*.jasontresize.net*, True -*.jason.tw*, True -*.jaspervanveen.nl*, True -*.jast.cl*, True -*.jat77.com*, True -*.jatahy.adv.br*, True -*.jataja.ir*, True -*.jat.cl*, True -*.jatengwebhost.com*, True -*.jatikomputer.com*, True -*.jatipon.com*, True -*.jatrn.com*, True -*.jatstv.com.au*, True -*.jattsetgo.com*, True -*.jaturamitmongkol.com*, True -*.jatyler.ca*, True -*.jauhary.web.id*, True -*.jauntymustache.com*, True -*.jauriarts.com*, True -*.jaus.com.ar*, True -*.jauwing.tw*, True -*.javaa.com*, True -*.javaandjustice.com*, True -*.javacake.hk*, True -*.javaccm.com*, True -*.java-developer.be*, True -*.java.dj*, True -*.javaecotravel.com*, True -*.java-fantasy.com*, True -*.javafaq.nu*, True -*.javahoundcafe.com*, True -*.javahound.com*, True -*.javajobs.co.nz*, True -*.javaleader.com*, True -*.javamatte.com*, True -*.javandroid.in*, True -*.javanettes.se*, True -*.javanet.tk*, True -*.javanize.ml*, True -*.javanize.tk*, True -*.javasea.co.id*, True -*.javaserver.be*, True -*.javasia.net*, True -*.javasurya.com*, True -*.javatw.ga*, True -*.javawebdev.com*, True -*.javawebsolution.com*, True -*.javaworld.ro*, True -*.javcomm.com*, True -*.javelt.com*, True -*.javenc.com*, True -*.javenter.com*, True -*.javerianos78.info*, True -*.javidrichman.com*, True -*.javiercostanza.com.ar*, True -*.javierdv.com*, True -*.javierlobaton.com*, True -*.javiermedinaabogados.com*, True -*.javierpierrend.com*, True -*.javio.com.ar*, True -*.javoru.com.ar*, True -*.javsex.us*, True -*.javsolutions.com*, True -*.jawacomercial.com.br*, True -*.jawatankosongjohor.my*, True -*.jawatex.org*, True -*.jawcs.net*, True -*.jawcs.org*, True -*.jawi.ch*, True -*.jawnrah.com*, True -*.jawvinit.com*, True -*.jax2600.org*, True -*.jaxfmc.com*, True -*.jaxhome.nom.za*, True -*.jaximmo.ch*, True -*.jaxkpc.org*, True -*.jayaho.ch*, True -*.jayakarya.com*, True -*.jayandjess.biz*, True -*.jayasakti.co.id*, True -*.jayaterus.com*, True -*.jaybarth.org*, True -*.jaybee.in*, True -*.jaycarlson.net*, True -*.jaydenlaw.hk*, True -*.jayden.my*, True -*.jayde.xyz*, True -*.jayenelectronics.com.au*, True -*.jayexp.com*, True -*.jayharris.ca*, True -*.jayholtvalentine.com*, True -*.jayjair.com*, True -*.jaykasberger.com*, True -*.jaykuo.com*, True -*.jayleaper.com*, True -*.jaylen.com.ar*, True -*.jaymalhartechnologies.com*, True -*.jaymod-clan.tk*, True -*.jaymottz.com*, True -*.jaymz.org*, True -*.jaynecollinscasting.com*, True -*.jayou.ro*, True -*.jaypetroleum.com*, True -*.jayschuette.com*, True -*.jaysfinancial.com*, True -*.jays.to*, True -*.jaytex.ca*, True -*.jaytex.org*, True -*.jazar.org*, True -*.jaz.info*, True -*.jazzandbluesart.com*, True -*.jazzandbluesart.co.uk*, True -*.jazzbox.ch*, True -*.jazzguitarlessonsboulder.com*, True -*.jazzipools.com*, True -*.jazzuzzy.nl*, True -*.jba.org.uk*, True -*.jbaybuildit.co.za*, True -*.jbaymed.co.za*, True -*.jb-bot.ml*, True -*.jbcss.co.uk*, True -*.jbdiablo.com*, True -*.jbeyond.com*, True -*.jbeyond.net*, True -*.jbhandari.com*, True -*.jbluxurycarrental.com*, True -*.jbncs.com*, True -*.jbourassa.ca*, True -*.jboy.eu*, True -*.jbservice.eu*, True -*.jbsiri.us*, True -*.jbtransliner.com*, True -*.jbuncle.co.uk*, True -*.jbusiness.biz*, True -*.jbvinyl-lux.com*, True -*.jbvlojavirtual.com.br*, True -*.jb-webs.org*, True -*.jbworks.com*, True -*.jc4life.net*, True -*.jc7277.cn*, True -*.jcactier.com*, True -*.jcamdesigns.com*, True -*.jcampanello.com.ar*, True -*.jcandmanuela.co.za*, True -*.jc-automobiles.ch*, True -*.jcb.nom.za*, True -*.jcbrand.co.za*, True -*.jcc79.com*, True -*.jccassessoria.com.br*, True -*.j-c-c.ch*, True -*.jc-consultores.com.ar*, True -*.jccustomprint.com*, True -*.jcdbackup.ca*, True -*.jcfield.com*, True -*.jcforlife.com*, True -*.jcforlife.net*, True -*.j-channels.com*, True -*.jcho.com*, True -*.jchoffat.ch*, True -*.jckadames.com.br*, True -*.jckom.com*, True -*.jclendenin.com*, True -*.jcl-engineering.com*, True -*.jclengineering.com*, True -*.jcmart.ru*, True -*.jcnielsen.com.ar*, True -*.jcnsoluciones.com.ar*, True -*.jcoenen.com*, True -*.jcomputer.com*, True -*.jcomte.com*, True -*.jconnop.com*, True -*.jconsultores.com.ar*, True -*.jcor.ca*, True -*.jcorreadds.com*, True -*.jcphoto.ru*, True -*.jcplanet.net*, True -*.jcpr.info*, True -*.jcprintondemand.com*, True -*.jcrews.org*, True -*.jcsh.eu*, True -*.jcsss.com*, True -*.jctraders.com.au*, True -*.jcuken.com*, True -*.jcustomsmiami.com*, True -*.jcutenails.com*, True -*.jcx4ever.com*, True -*.jd4fh4eva.co.uk*, True -*.jdac.de*, True -*.jdancer.com*, True -*.jdcr.net*, True -*.jdelliott.org*, True -*.jdemarsh.com*, True -*.jdesk.ch*, True -*.jdiaz.io*, True -*.jdix.net*, True -*.jdj.hk*, True -*.jdkartsports.nl*, True -*.jdm.biz*, True -*.jdmcenter.com.au*, True -*.jdmcentre.com*, True -*.jdmcentre.com.au*, True -*.jdmcentre.mobi*, True -*.jdm.com.ru*, True -*.j-doradic.com*, True -*.j-doramanga.com*, True -*.jd-photos.com*, True -*.jdragones.com.ar*, True -*.jdrive.ru*, True -*.jdrlsc.com*, True -*.jdse.ru*, True -*.jd-server.co.uk*, True -*.jdsese.com*, True -*.jdubz.net*, True -*.jdwarne.com*, True -*.jdz.ro*, True -*.jdz.tc*, True -*.jeanschmid.ch*, True -*.jeantoledo.com.br*, True -*.jeanvranceanu.ro*, True -*.jebandthresa.com*, True -*.jebbarger.com*, True -*.jebcom.com.ar*, True -*.jebility.ga*, True -*.jeblab.com.ar*, True -*.jebois.ca*, True -*.jebuzbot.tk*, True -*.jeckels.com*, True -*.jecomsg.com*, True -*.jedc.tk*, True -*.jeddahma.com*, True -*.jedicurmudgeon.com*, True -*.jedigurl.com*, True -*.jedimaster.im*, True -*.jedimasters.net*, True -*.jedi.my*, True -*.jedisol.com*, True -*.jedmiller.org.uk*, True -*.jee666.com*, True -*.jeegrover.com*, True -*.jeemaket.com*, True -*.jeenetwork.ga*, True -*.jeepan.com*, True -*.jeepcenter.gr*, True -*.jeepnoob.com*, True -*.jeepsk8.com*, True -*.jeetatl.com*, True -*.jeffackler.com*, True -*.jeffbelleconman.com*, True -*.jeffbristow.com*, True -*.jeff-chan.tk*, True -*.jefferson-action.com*, True -*.jeffersonheights.org*, True -*.jefferywelch.com*, True -*.jeffheidel.com*, True -*.jeffhenkels.com*, True -*.jeff.id.au*, True -*.jeffkingonline.com*, True -*.jefflikesbagels.net*, True -*.jeffmarc.com*, True -*.jeffmezick.com*, True -*.jeffneufeld.org*, True -*.jeffo.ch*, True -*.jeffo.de*, True -*.jeffpliska.us*, True -*.jeffreyhamm.com*, True -*.jeffreyhamm.org*, True -*.jeffreysbayprimary.co.za*, True -*.jeffreyvandiggele.nl*, True -*.jeffrivettconsulting.com*, True -*.jeffroth.ca*, True -*.jeffshouse.us*, True -*.jeffspizza.net*, True -*.jeffweight.com*, True -*.jeftluis.com*, True -*.jegrumpe.com*, True -*.je-hancock.com*, True -*.jehovahnokotoba.net*, True -*.jehova-jireh.com*, True -*.jehryn.ca*, True -*.jeijjojanupi.fi*, True -*.jejephone.com*, True -*.jejmo-zdravo.si*, True -*.jejmozdravo.si*, True -*.jejmule.ch*, True -*.jeklo.si*, True -*.jekumvi.cf*, True -*.jelajahnews.com*, True -*.jelcoadamczyk.eu*, True -*.jelee.ca*, True -*.jeli.web.id*, True -*.jellygaming.ch*, True -*.jellyvilledesign.com.my*, True -*.jeloner.cf*, True -*.jelplatcamaras.com.ar*, True -*.jeluz.net*, True -*.jeluzonline.com*, True -*.jeluzonline.net*, True -*.jeluz.org*, True -*.jeluz.us*, True -*.jeluzweb.com*, True -*.jemad3.com*, True -*.jemail.es*, True -*.jembatan-timbang.co*, True -*.jemberiwong.tk*, True -*.jemcguffin.com*, True -*.jemmamillen.co.uk*, True -*.jemmazone.com*, True -*.jemmee.com*, True -*.jemmee.net*, True -*.jemreguladora.com.br*, True -*.jenanddanswedding.co.uk*, True -*.jenaro.tk*, True -*.jenblockmartin.com*, True -*.jen-chad.com*, True -*.jencihst.com*, True -*.jendela-hati.web.id*, True -*.jenghau.com*, True -*.jenhai.ga*, True -*.jenk.co.za*, True -*.jenkinsgems.com*, True -*.jenkinsgems.com.au*, True -*.jenkinsgems.net.au*, True -*.jennandscotttietheknot.com*, True -*.jennerberg.com*, True -*.jenniannj.com.au*, True -*.jennieandchris.com*, True -*.jenniferblockmartin.com*, True -*.jenniferfaure.com*, True -*.jenniferhong.tk*, True -*.jenniferlchou.com*, True -*.jennifertretina.ca*, True -*.jenniferwitkowski.com*, True -*.jenniperry.com*, True -*.jenosepas.com*, True -*.jenpc.cl*, True -*.jenpublicidad.com.ar*, True -*.jens.cl*, True -*.jensenff.com*, True -*.jensenpropertiesinternational.com*, True -*.jensh.net*, True -*.jentik.net*, True -*.jentzsg.tk*, True -*.jeongfamily.net*, True -*.jepage.net*, True -*.jeparaone.web.id*, True -*.jepema.com.br*, True -*.jeppson.org*, True -*.jeppsons.org*, True -*.jeremybay.com*, True -*.jeremyhughesart.com*, True -*.jeremyknowles.com*, True -*.jeremylparker.com*, True -*.jeremyrichardson.net*, True -*.jeremyrich.com*, True -*.jeremysaye.com*, True -*.jeremythacker.com*, True -*.jericocomputing.com*, True -*.jerker.fi*, True -*.jerkface.net*, True -*.jerk.tk*, True -*.jerl92.net*, True -*.jernejevo.com*, True -*.jernejevo.si*, True -*.jernejkalin.tk*, True -*.jeroenbonte.org*, True -*.jeromero.com.ar*, True -*.jerometam.com*, True -*.jeromethomas.ch*, True -*.jersar2016.com*, True -*.jerseygradeori.id*, True -*.jerukmedan-pisangbarangan.com*, True -*.jesde.com*, True -*.jesenko.si*, True -*.jesperappelberg.se*, True -*.jessandrob.us*, True -*.jessandsam.com*, True -*.jessarts.com*, True -*.jesseblehm.com*, True -*.jessed121.us*, True -*.jessediaz.com*, True -*.jessefh.com*, True -*.jessewilkinson.com*, True -*.jessewk.com*, True -*.jesseyzepeda.com*, True -*.jessica-davies.com*, True -*.jessicagomes.ca*, True -*.jessicaguthrie.com*, True -*.jessica-lee.com.au*, True -*.jessicamercer.com*, True -*.jessicas-blog.tk*, True -*.jessie.ch*, True -*.jessporter.com.au*, True -*.jessutopia.com*, True -*.jesterjesters.com*, True -*.jestermark.us*, True -*.jestre.org*, True -*.jesusangeles.com*, True -*.jesuschrisismyhero.com*, True -*.jesusesrey.org.ar*, True -*.jesusmariaejose.org*, True -*.jesusme.net*, True -*.jesus-question.com*, True -*.jesus-question.com.au*, True -*.jesusramos.es*, True -*.jesus.si*, True -*.jesusylorena.es*, True -*.jet2.co.za*, True -*.jetblaze.com*, True -*.jetboatzurich.ch*, True -*.jetbootzurich.ch*, True -*.jetgrouting.cl*, True -*.jetify.me*, True -*.jetights.com*, True -*.jetpresso.ch*, True -*.jetslacker.net*, True -*.jetsofa.com*, True -*.jetsurfvictoria.com.au*, True -*.jetwarbird.com*, True -*.jevoulaistedire.ch*, True -*.jewellery365.co.za*, True -*.jewellerycompany.co.za*, True -*.jewelnetwork.co.za*, True -*.jewelryluv.com*, True -*.jewelrystorecheap.com*, True -*.jewelsee.com*, True -*.jewlietta.com*, True -*.jewlietta.ro*, True -*.jextreme.pl*, True -*.jeycoffee.com*, True -*.jey.me*, True -*.jezebel.id.au*, True -*.jezercic.com*, True -*.jeziorski.me*, True -*.jfang.org*, True -*.jfbuilder.com*, True -*.jfcake.com*, True -*.jfccp.com*, True -*.jfchenier.ca*, True -*.jff.cl*, True -*.jfitzgerald.de*, True -*.jfitzgerald.info*, True -*.jfitzgerald.org*, True -*.jfitzgerald.us*, True -*.jfkdns.net*, True -*.jfkhastanesi.com*, True -*.jflinfo.ca*, True -*.jflnet.com*, True -*.jf-misericordia.pt*, True -*.jfnohrabusiness.com.au*, True -*.jfnohra.com.au*, True -*.jfolivar.cl*, True -*.jfpdecorating.co.uk*, True -*.jfperreault.ca*, True -*.jfsantosimoveis.com.br*, True -*.jfsp.ca*, True -*.jftrailers.com*, True -*.jf-tremblay.com*, True -*.jfwogernese.com*, True -*.jfwogernese.net*, True -*.jfwx.co.uk*, True -*.jg2studio.com*, True -*.jgallo.net*, True -*.jg-braunwald.ch*, True -*.jgent.net*, True -*.jgetty.com*, True -*.jglcorp.com*, True -*.jglcrm2015.com*, True -*.jglcrm.com*, True -*.jgmconstruct.be*, True -*.jgmelectrico.com*, True -*.jgreggae.com*, True -*.jgsdevel.com*, True -*.jh72.de*, True -*.jhandco.com*, True -*.jhank-ovpn.tk*, True -*.jharrigan.net*, True -*.jhartwell.co.uk*, True -*.jhay.me*, True -*.jhcooper.me.uk*, True -*.jhfafi.com.ar*, True -*.jh.fi*, True -*.jhlip.com*, True -*.jhmosaics.com.au*, True -*.jhms.com.br*, True -*.jhogan.tk*, True -*.jhony07.tk*, True -*.jhoppy.us*, True -*.jhot.me*, True -*.jhservicios.cl*, True -*.jhts.tk*, True -*.jhuwaniclrc.org.np*, True -*.jhyghsk.tk*, True -*.jiachenglawfirm.tk*, True -*.jiang.us*, True -*.jianshi.org*, True -*.jibheg.ml*, True -*.jibi.info*, True -*.jiboux.com*, True -*.jick.nl*, True -*.jidea.com*, True -*.jidn.biz*, True -*.jidn.info*, True -*.jidn.net*, True -*.jieesheng.com*, True -*.jielectric.org*, True -*.jierendeng.me*, True -*.jiff.cf*, True -*.jigglewattz.com*, True -*.jigocity.com.au*, True -*.jigodii.ro*, True -*.jigsawsmallbusiness.com*, True -*.jihad.cf*, True -*.jihadwatch.co.uk*, True -*.jihanreload.com*, True -*.jiinmei.com*, True -*.jii.tw*, True -*.jikdecyp.cf*, True -*.jikjr.com*, True -*.jikosiv.cf*, True -*.jila.com.br*, True -*.jilbabers.com*, True -*.jilime.ru*, True -*.jilinclubg.com*, True -*.jilincoffee.com*, True -*.jilinkafei.com*, True -*.jillandryan.us*, True -*.jillbatchelor.com*, True -*.jill.co.id*, True -*.jillybeanthreads.com*, True -*.jilnefor.cf*, True -*.jimbai.com*, True -*.jimbarwanahotel.net*, True -*.jimcheshire.com*, True -*.jimelders.com*, True -*.jimhanvelt.com*, True -*.jimhearn.com*, True -*.jimicat.com*, True -*.jimklumpp.com*, True -*.jimlhenson.com*, True -*.jimlichensguitarlessons.com*, True -*.jimmie.nu*, True -*.jimmorrisonline.com*, True -*.jimmyandsteph.com*, True -*.jimmyhantu.asia*, True -*.jimmylewis.ca*, True -*.jimmynet.co.uk*, True -*.jimmyscomics.com*, True -*.jimmyt.co.uk*, True -*.jimmythatsit.com*, True -*.jimoid.com*, True -*.jimpeluso.com*, True -*.jimsfirearms.net*, True -*.jimslists.net*, True -*.jimslists.org*, True -*.jimtonti.com*, True -*.jinachishiro.tk*, True -*.jinadvancedsystems.com*, True -*.jindalfoods.com*, True -*.jindalsarya.com*, True -*.jindian-stationery.com*, True -*.jindigo.net*, True -*.jing.com.ar*, True -*.jingella.tk*, True -*.jingking.net*, True -*.jingshi.li*, True -*.jingyuanwenhua.com*, True -*.jini.pw*, True -*.jinkit.net*, True -*.jinkit.org*, True -*.jinlihuai.com*, True -*.jinliyang-stainlesssteel.com*, True -*.jin-online.com*, True -*.jintin14.com*, True -*.jin.tw*, True -*.jinxan.se*, True -*.jinxin.me*, True -*.jinzasd.com*, True -*.jiongri.com*, True -*.jippiez.nl*, True -*.jiriki.us*, True -*.jirwin.me.uk*, True -*.jitr.ml*, True -*.jits.com.ar*, True -*.jitu.pw*, True -*.jiucheng.tm*, True -*.jiujiangyoude.com*, True -*.jiujitsucommune.com.au*, True -*.jiulele.com*, True -*.jiuweike.com*, True -*.jivota.org*, True -*.jiwajinda.com*, True -*.jiwa.name*, True -*.jiwanpani.com*, True -*.jiyuu-ni.com*, True -*.jiyuu-ni.net*, True -*.jizzradio.com*, True -*.jj2494.com*, True -*.jj88.org*, True -*.jjain.tk*, True -*.jj.am*, True -*.jjang1.name*, True -*.jjars.com*, True -*.jjavon.com*, True -*.jjbrothers.co.za*, True -*.jjcblanco.com.ar*, True -*.jj-crystal.com*, True -*.jjdawson.co.uk*, True -*.jjeta.com*, True -*.jj-gl.co.uk*, True -*.jjhs.com.ar*, True -*.jjk-779.com*, True -*.jjlnet.tk*, True -*.jjmak.com*, True -*.jjmcguire.com*, True -*.jjmomo55.com*, True -*.jjmultiservice.com*, True -*.jjpack.cl*, True -*.jjreddy.com*, True -*.jjrich.com*, True -*.jjsguesthousemirissa.com*, True -*.jjtrack.com*, True -*.jjuto54.com*, True -*.jk7co.tk*, True -*.jkeller4000.com*, True -*.jkgonline.net*, True -*.jk-horizont.si*, True -*.jkhosting.net*, True -*.jkim043.info*, True -*.jkindred.com*, True -*.jkjackson.com*, True -*.jkkweb.net*, True -*.jklab.us*, True -*.jkladesign.com*, True -*.jklopp.me*, True -*.jkminerais.com.br*, True -*.jkms.me*, True -*.jkorlow.com*, True -*.jk-powered.de*, True -*.jkpphoto.com*, True -*.jkrei.com*, True -*.jksol.net*, True -*.jkt48k3.com*, True -*.jktu.net*, True -*.jl461777b.co.uk*, True -*.jl.am*, True -*.jlborrett.com*, True -*.jlconsultonline.com*, True -*.jlearn.net*, True -*.jleibin.com*, True -*.jlengineering.se*, True -*.jleogonzalez.com.ar*, True -*.jleveux.com*, True -*.jlife.me*, True -*.jlkphotos.com*, True -*.jlnson.de*, True -*.jlrenard.com*, True -*.jlreyes.net*, True -*.jlsoftware.com.br*, True -*.jltane.org*, True -*.jlvator.fi*, True -*.jlwcc.com*, True -*.jlynx.net*, True -*.jl-zater.tk*, True -*.jm-25.com*, True -*.jmacosta.com.ve*, True -*.jmail.ro*, True -*.jmaker.com*, True -*.jmapa.com*, True -*.jmara.net*, True -*.jmarinoni.tk*, True -*.jm-arizadiaz.es*, True -*.jmatthewman.co.uk*, True -*.jmb-sport.si*, True -*.jmcardiff.com.ar*, True -*.jmcatalan.org*, True -*.jmcoudray.ch*, True -*.jmdec2.com.br*, True -*.jmdplay.tk*, True -*.jmeb.org*, True -*.jmeichle.us*, True -*.jmidkiff.com*, True -*.jminst.net*, True -*.jm-international.com*, True -*.jmirc.tk*, True -*.jmisiek.one.pl*, True -*.jmiusa.com*, True -*.jmkelly.co.uk*, True -*.jmmipequenomundo.com.ar*, True -*.jmmsroc.pt*, True -*.jmnoiseux.com*, True -*.jmoles.es*, True -*.jmon.net*, True -*.jmontana.org*, True -*.jmorganryan.com*, True -*.jmpascual.net*, True -*.jmpzero.com*, True -*.jms-audioware.com*, True -*.jmsds.com*, True -*.jmsoares.net*, True -*.jmsp.co.za*, True -*.jmstudios.com*, True -*.jmultihotspot.net*, True -*.jmultishop.com*, True -*.jmultitechnology.com*, True -*.jmw327.com*, True -*.j-n-b.co.uk*, True -*.jnblog.co.uk*, True -*.jnc66.com*, True -*.jnc77.com*, True -*.jnc87.com*, True -*.jnckpanels.com*, True -*.jnconstructions.ch*, True -*.jndnetwork.com*, True -*.jne66.com*, True -*.jne77.com*, True -*.jneco.tw*, True -*.jngranite.com*, True -*.jninmobiliaria.com.ar*, True -*.jnorombaba.com*, True -*.jnpdesign.co.uk*, True -*.jnrch.org*, True -*.jnrcs.org*, True -*.jnsusa.com*, True -*.jnusa.hk*, True -*.jnussbaum.com*, True -*.jo-ac.com*, True -*.joac.com.ar*, True -*.joadns.com*, True -*.joai68.com*, True -*.joalarquiteturaengenharia.com.br*, True -*.joandet.com.ar*, True -*.joanfit.ca*, True -*.joanmansfield.com*, True -*.joannah.net*, True -*.joannaphoenix.com*, True -*.joannazurek.pl*, True -*.joannesyrop.com*, True -*.joanpujol.cat*, True -*.joao29a.com*, True -*.joaoffs.com*, True -*.joaofilipe.com*, True -*.joaoluizmf.org*, True -*.joaopinho.adv.br*, True -*.joaopinho.net*, True -*.joaquindelazerda.tk*, True -*.joaquingarin.com.ar*, True -*.joaquintemes.com.ar*, True -*.job51.ca*, True -*.jobforstudents.in*, True -*.jobhomeimprovement.com*, True -*.jobical.com*, True -*.job-inter.com*, True -*.job-land.ch*, True -*.joblinsk.com*, True -*.joblisting.tk*, True -*.jobminutes.ch*, True -*.jobminutes.com*, True -*.jobncv.com*, True -*.jobnetinfo.com.br*, True -*.joboet.co.za*, True -*.joboets.co.za*, True -*.jobprestige.com*, True -*.jobrenew.com*, True -*.jobros.co.za*, True -*.jobru.ru*, True -*.jobsafari.ir*, True -*.jobsbank.ro*, True -*.jobsbyskill.com*, True -*.jobsegg.com*, True -*.jobsfor13yearolds.net*, True -*.jobs-frg.tk*, True -*.jobsinjapanforamericans.com*, True -*.jobslist.ro*, True -*.jobsswipe.com*, True -*.jobtaking.com*, True -*.jobvisagulf.com*, True -*.jobvn.com*, True -*.jobvolume.bg*, True -*.jobvolume.ru*, True -*.jochementerprises.nl*, True -*.joculet.ro*, True -*.jocumdarte.pt*, True -*.jocuri-barbie10.com*, True -*.jocuri-start.ro*, True -*.jodedkopi.tk*, True -*.jodieandthenormals.com*, True -*.jodiemonroe.com*, True -*.jodimontgomery.com*, True -*.jodishouse.ca*, True -*.jodoal.si*, True -*.jodylewis.com*, True -*.jodylewis.org*, True -*.jodymaroni.com*, True -*.jodysokoloff.com*, True -*.joebecknell.com*, True -*.joecampanaro.com*, True -*.joecampo.com*, True -*.joeccc.com*, True -*.joecloud.eu*, True -*.joederrigan.com*, True -*.joediesel.com*, True -*.joe.dj*, True -*.joeerror.com*, True -*.joeframing.com*, True -*.joefrance.org*, True -*.joefrenchslife.com*, True -*.joegibbs.info*, True -*.joehoboken.com*, True -*.joeisthebest.com*, True -*.joe-joubert.com*, True -*.joelcollection.com*, True -*.joeldario.com.ar*, True -*.joeldata.com*, True -*.joeldfortin.com*, True -*.joeliriano.com*, True -*.joelle.ro*, True -*.joel.my*, True -*.joelomando.com*, True -*.joelrussell.co.uk*, True -*.joelsteffen.com*, True -*.joelt.io*, True -*.joelyork.net*, True -*.joelytravel.com*, True -*.joemakeitgo.com*, True -*.joemaki.com*, True -*.joemooney.com*, True -*.joemullins.info*, True -*.joeprogram.com*, True -*.joeritterphoto.com*, True -*.joerivanespen.be*, True -*.joesapps.net*, True -*.joeseitz.com*, True -*.joestech.org*, True -*.joester.info*, True -*.joestrusz.com*, True -*.joetographer.com*, True -*.joetong.co.uk*, True -*.joeweibel.ch*, True -*.joeycraft.in*, True -*.joeylay.com*, True -*.joey.si*, True -*.joffes.org*, True -*.jofre-catoni.com*, True -*.jogent.com*, True -*.jogja.ml*, True -*.joglosemar.com*, True -*.johannesklaesson.se*, True -*.johannson.ca*, True -*.johanson.ee*, True -*.johansson.io*, True -*.john88.tk*, True -*.johnalbrolodge.com*, True -*.johnandbeccs.com*, True -*.johnanddenise.org.uk*, True -*.johnandmary.ro*, True -*.johnarmitagephotography.co.uk*, True -*.johnbartlett.us*, True -*.johnburton.org*, True -*.johnchancellor.com*, True -*.johncroth.com*, True -*.johncruise.com*, True -*.johndroach.com*, True -*.johndymond.net*, True -*.johnfaggard.com*, True -*.johngaltsystems.com*, True -*.johngayler.com*, True -*.johngeorgeracing.com*, True -*.johngvarga.com*, True -*.johnham.com*, True -*.johnham.net*, True -*.johnham.org*, True -*.john-hartzog.com*, True -*.johnheiler.com*, True -*.johninnessociety.org.uk*, True -*.johnjohnjohn.tk*, True -*.johnkasberger.com*, True -*.johnkendall.net*, True -*.johnlarson.us*, True -*.johnl.com*, True -*.johnlightfoot.net*, True -*.johnmadray.info*, True -*.johnman1.com*, True -*.johnmclaughlin.ca*, True -*.johnmlee.me*, True -*.john-montebello.ch*, True -*.johnnay.com*, True -*.johnniedaniel.com*, True -*.johnno.info*, True -*.johnnybwood.com*, True -*.johnnycache.ca*, True -*.johnnycarter.com*, True -*.johnnycheesedog.com*, True -*.johnnydrama.id.au*, True -*.johnnyknowsitall.com*, True -*.johnnylam.org*, True -*.johnnymeredith.com*, True -*.johnnypopo.com*, True -*.johnoturf.tk*, True -*.johnpo.com*, True -*.johnpoyntz.com*, True -*.johnrankine.com*, True -*.johnrappold.com*, True -*.johnregan.org*, True -*.johnrg.co.uk*, True -*.johnryding.com*, True -*.johnsbag.com*, True -*.johnsdealroom.com*, True -*.johnseaforth.com*, True -*.johnsonandjohnsonenterprisesintl.com*, True -*.johnsonch.net*, True -*.johnsonch-plex.com*, True -*.johnsonholscher.com*, True -*.johnsonjk.com*, True -*.johnsonserver.com*, True -*.johnsons.net.nz*, True -*.johnson.tk*, True -*.johntherigger.com*, True -*.johnthom.com*, True -*.johntor.com*, True -*.johnvsworld.com*, True -*.johnwarburton.com*, True -*.johnwaynegardner.com*, True -*.johnwpatton.com*, True -*.johnwu.cc*, True -*.joia-moto.ro*, True -*.joiavip.com.br*, True -*.joiche.tk*, True -*.joinb.org*, True -*.joinchat.in*, True -*.joiners.us*, True -*.joinerysurrey.co.uk*, True -*.joinresearch.pt*, True -*.joinseattle.com*, True -*.jointek-inc.com*, True -*.jojehzesht.ir*, True -*.jojobyo.ga*, True -*.jojo.com.ar*, True -*.jojogan.club*, True -*.jojonet.net*, True -*.joka.ca*, True -*.joke21.com*, True -*.joker59.tk*, True -*.jokerinfo.net*, True -*.jokertv.eu*, True -*.jokerwild.ca*, True -*.jokesys.net*, True -*.jokey.org*, True -*.jokijeni.us*, True -*.jokijokerx.com*, True -*.jokima.co*, True -*.jokingoff.net*, True -*.jokitrik.com*, True -*.jokoariyanto.com*, True -*.joko.ga*, True -*.joko.hk*, True -*.jokopenthol.biz*, True -*.joksnet.com.ar*, True -*.joktextil.com.ar*, True -*.jolallo.com*, True -*.jolashoes.com*, True -*.jola.sk*, True -*.jolee.org*, True -*.jolleybeef.com*, True -*.jollypad.com*, True -*.jollypebble.com*, True -*.jollyspharmacy.com*, True -*.jolucha.co.za*, True -*.jolyart.com.au*, True -*.jomafel.com*, True -*.jomanro.cl*, True -*.jomaselectronics.co.za*, True -*.jomasepoes.co.za*, True -*.jomaseprinters.co.za*, True -*.jombangan.com*, True -*.jomblo.asia*, True -*.jomblo.ga*, True -*.jomiobari.com*, True -*.jommakan.my*, True -*.jomoss.com*, True -*.jompu.fi*, True -*.jomra.es*, True -*.jonaharagon.net*, True -*.jonamaco.com.br*, True -*.jonathan-buch.de*, True -*.jonathancolls.co.uk*, True -*.jonathangf.com*, True -*.jonathangf.net*, True -*.jonathangreen.ca*, True -*.jonathanhearn.eu*, True -*.jonathanjconley.com*, True -*.jonathan-johansson.se*, True -*.jonathanmanchester.com*, True -*.jonathanmeier.ch*, True -*.jonathansadler.com*, True -*.jonathanshi.com*, True -*.jonathantyler.ca*, True -*.jonathanwsmith.com*, True -*.jonathanwsmith.net*, True -*.jonathanwsmith.org*, True -*.jonathon-chambers.com*, True -*.jonbates.net*, True -*.joncart.com*, True -*.jondowd.com*, True -*.jondred.com*, True -*.jonesarchivalservices.com*, True -*.jonesia.cf*, True -*.jonesinglass.ca*, True -*.jonesinglass.com*, True -*.jones.se*, True -*.jonezinglass.com*, True -*.jonferwerda.net*, True -*.jonferwerda.org*, True -*.jongashi.co.uk*, True -*.jongreenlee.org*, True -*.jongreen.us*, True -*.jonkeeter.com*, True -*.jonkent.co.uk*, True -*.jonline.ro*, True -*.jonmaier.tk*, True -*.jon-martrucking.com*, True -*.jonmartrucking.com*, True -*.jonmccarty.com*, True -*.jonmills.org*, True -*.jonnwu.com*, True -*.jonnykeogh.co.uk*, True -*.jonnyo.com*, True -*.jonny-taylor.com*, True -*.jonnytech.co.uk*, True -*.jono.la*, True -*.jono.tv*, True -*.jono.tw*, True -*.jonovw.me*, True -*.jonoyvind.com*, True -*.jonrobison.com*, True -*.jonry.com*, True -*.jonsbukkitserver.net*, True -*.jonsimsauctioneering.com*, True -*.jonsittner.com*, True -*.jontilma.com*, True -*.jontsang.com*, True -*.jonvik.com*, True -*.jonward.com*, True -*.jooeastsb.com*, True -*.joogle.co.il*, True -*.jooj.ml*, True -*.joojoo.info*, True -*.joomlahelp.de*, True -*.joomlaproject.net*, True -*.joondalup.net.au*, True -*.jootoo.tk*, True -*.jopa1234567.com*, True -*.j-operator.com*, True -*.jordandevine.com*, True -*.jordan-engineering.com*, True -*.jordangregonis.me*, True -*.jordanjacob.tk*, True -*.jordanspooner.com*, True -*.jordanyagaloff.com*, True -*.jordimatamales.com*, True -*.jordonwear.cn*, True -*.jordydw.cf*, True -*.jorgeantunes.com.br*, True -*.jorgebergoglio.com.ar*, True -*.jorgebozo.cl*, True -*.jorgechoy.com*, True -*.jorgeduarte.tk*, True -*.jorgefidel.com.ar*, True -*.jorgegonzalezvargas.com.ve*, True -*.jorgenajera.com*, True -*.jorgeoporto.cl*, True -*.jorgepascuale.com.ar*, True -*.jorgepileggi.com.ar*, True -*.jorgeprieto.cl*, True -*.jorgeramirez.cl*, True -*.jorgesaintjean.com.ar*, True -*.jorgesuarezch.com*, True -*.jorgevillalta.com*, True -*.jorig.pt*, True -*.jor-jae.com*, True -*.jormusica.cl*, True -*.jornadasatm.com.ar*, True -*.jornalistaslivres.net*, True -*.jornalistaslivres.org*, True -*.joruten.net*, True -*.josan.hk*, True -*.joschis.ch*, True -*.jose4000.info*, True -*.joseaugusto.eti.br*, True -*.josebaotero.com*, True -*.josecastro.cl*, True -*.jose.cat*, True -*.josecorrearivera.com*, True -*.josecounyo.com.ar*, True -*.josefinaforch.com*, True -*.josefinailustra.cl*, True -*.josefuentes.cl*, True -*.josemoreno.cl*, True -*.josepaolo.com*, True -*.josepaolo.info*, True -*.joseph-baldwin.co.uk*, True -*.josephconnell.ga*, True -*.josephd.net*, True -*.josephglen.com*, True -*.joseph-hong.com*, True -*.josephluk.com*, True -*.josephmegert.ch*, True -*.josephminadeo.com*, True -*.josephsmendoza.ga*, True -*.josephtse.com*, True -*.joserafaelperez.com*, True -*.josesoto.cl*, True -*.joseulloa.cl*, True -*.joshakognon.net*, True -*.joshbryans.me*, True -*.joshbudhi.cf*, True -*.joshbudhi.ga*, True -*.joshbudhi.ml*, True -*.joshbudhi.tk*, True -*.joshcore.com*, True -*.joshefson.com*, True -*.joshjamesphotos.com*, True -*.joshjeppson.com*, True -*.josh-laura.com*, True -*.joshmlwood.tk*, True -*.joshnagy.com*, True -*.joshnankin.com*, True -*.joshpanter.com*, True -*.joshrichardson.net*, True -*.joshrichet.com*, True -*.joshrochelle.com*, True -*.joshsroufe.com*, True -*.joshtam.me*, True -*.joshuaaz.com*, True -*.joshua-fisher.com*, True -*.joshuahandrich.com*, True -*.joshuameyers.com*, True -*.joshuamontgomery.com*, True -*.joshuaowens.info*, True -*.joshuarue.com*, True -*.joshuasproject.ca*, True -*.joshuatam.me*, True -*.joshyu.me*, True -*.josianeguss.com*, True -*.josimarleiloeiro.com.br*, True -*.josity.net*, True -*.josity.org*, True -*.josity.ro*, True -*.joslynwong.com*, True -*.josoft.com.ar*, True -*.jost.im*, True -*.josuoh.cl*, True -*.josycoiffure.ch*, True -*.jotabus.cl*, True -*.jotados.cl*, True -*.jotamax.com*, True -*.jott.so*, True -*.jottso.com*, True -*.jotv.co*, True -*.joupoes.co.za*, True -*.jourdenet.com*, True -*.journcy.net*, True -*.journeycoaching.co.za*, True -*.journeyevents.co.za*, True -*.journeyforward.com*, True -*.journeyoffaith.xyz*, True -*.journeyweddings.co.za*, True -*.journos.co.za*, True -*.jovan.com*, True -*.jovandesigns.com*, True -*.joveaustralia.com.au*, True -*.jovenescriticos.cl*, True -*.joveninventor.cl*, True -*.jovicwanadenadya.in*, True -*.jovigas.com*, True -*.jowojowo.com*, True -*.joworeview.com*, True -*.jow.xyz*, True -*.jox99.com*, True -*.joya.im*, True -*.joyascyg.com.ar*, True -*.joybyjoytaker.com*, True -*.joy.cat*, True -*.joyce.com.mx*, True -*.joycegrantsmith.com*, True -*.joycesoven.com*, True -*.joydesign.hk*, True -*.joyfood.org*, True -*.joylita.com*, True -*.joymaxschool.in*, True -*.joyofmassage.ca*, True -*.joyphoto.ro*, True -*.joyscompanions.com*, True -*.joytaker.com*, True -*.joytex-bd.com*, True -*.joywang.com*, True -*.jozvejoo.com*, True -*.jp2software.com*, True -*.jpaoletti.com.ar*, True -*.jparyani.com*, True -*.jpasound.com*, True -*.jpasskit.org*, True -*.jpbuy.com*, True -*.jpcbd.org*, True -*.jpco.org*, True -*.jpcosmesuper.hk*, True -*.jpdcavocat.com*, True -*.jpdsolutions.com*, True -*.jpeg-cba.com.ar*, True -*.jpenetwork.com*, True -*.jpfiles.eu*, True -*.jpg-cba.com.ar*, True -*.jpgunter.com*, True -*.j-phat.com*, True -*.jp-hk.com*, True -*.jpjp.at*, True -*.jpjp.biz*, True -*.jpkatkin.com*, True -*.jpleventos.cl*, True -*.jpm4j.org*, True -*.j-p-moon.net*, True -*.jpnbooks.com*, True -*.jpol.com*, True -*.jpolsonhomes.com*, True -*.jpopseedbox.xyz*, True -*.jposada.com*, True -*.jpress.tw*, True -*.jpsanab.com*, True -*.jpsantafe.com.ar*, True -*.jp-sa.org.za*, True -*.jpsa.org.za*, True -*.jpstewart.net*, True -*.jptate.net*, True -*.jpt.co.id*, True -*.jptopstore.hk*, True -*.jpudasaini.com.np*, True -*.j-pulsa.com*, True -*.jpuntofotografia.com.ar*, True -*.jq-products.com*, True -*.jquery.org.uk*, True -*.jr1.ca*, True -*.jraeder.com*, True -*.jramb.com*, True -*.jrblaakmeer.nl*, True -*.jrcarpentarius.com.ar*, True -*.jrc-core.com*, True -*.jrd-developers.com*, True -*.jrecy.tk*, True -*.jrelax.com*, True -*.jrferrari.com.br*, True -*.jrfilms.cl*, True -*.jrforrest.net*, True -*.jrgroup.ca*, True -*.jrhltd.co.uk*, True -*.jrhltd.net*, True -*.jrhplastering.co.uk*, True -*.jrinventors.com*, True -*.jritze.pw*, True -*.jrj.me.uk*, True -*.jrlambs.com*, True -*.jrnl.cf*, True -*.jrnl.ga*, True -*.jrnl.ml*, True -*.jrnl.tk*, True -*.jrockornot.com*, True -*.j-rocks.web.id*, True -*.jron.es*, True -*.jropgroup.com*, True -*.jroxg.org*, True -*.jrpconsult.com.br*, True -*.jrprnet.com*, True -*.jrpr.tk*, True -*.jrshark.com*, True -*.j-rsigns.co.uk*, True -*.jruehlig.com*, True -*.js87mu.com*, True -*.jsalfa.com.ar*, True -*.jsanderson.co*, True -*.jsc-liker.eu*, True -*.jscosmetics.com*, True -*.jsc.ro*, True -*.jsd87.com*, True -*.jsdebug.com*, True -*.jsdn.net*, True -*.jseo.ru*, True -*.jserver.cf*, True -*.jservers.in*, True -*.jsftinformatics.com*, True -*.jsfundforhope.org*, True -*.jsgroup.com.ve*, True -*.jshayden.com*, True -*.jshayden.info*, True -*.jshayden.net*, True -*.jshuttleworth.com*, True -*.js-ingenieria.com.ar*, True -*.jsk26.ru*, True -*.jskomplet.cz*, True -*.jsmaquinarias.cl*, True -*.jsnerd.com*, True -*.jsnet.si*, True -*.jsnod.com*, True -*.jso-group.com*, True -*.jspgroup.ca*, True -*.jspo.ac.id*, True -*.j-ssl.com*, True -*.jstelecom03.com*, True -*.jstilian.net*, True -*.jswhite.com*, True -*.jt27.net.ru*, True -*.jt27.tk*, True -*.jtacmail.tk*, True -*.jt-alpaste.com*, True -*.jtap.ru*, True -*.jta.ro*, True -*.jtarq.com.ar*, True -*.jtcm.ch*, True -*.jtcressy.net*, True -*.jtechhosting.net*, True -*.jthopesandbox.com*, True -*.jtia.hk*, True -*.j-tichelaar.nl*, True -*.jtimmigration.info*, True -*.jtischer.com*, True -*.jtizyl.net*, True -*.jtjsupplies.co.uk*, True -*.jtlavery.com*, True -*.jtlavery.org*, True -*.jtmaster.com*, True -*.jtmaster.ru*, True -*.jtnc.ca*, True -*.jtnsjmarketing.com*, True -*.jtowndev.ca*, True -*.jtrend-systems.com*, True -*.jtroystone.com*, True -*.jtsmail.com*, True -*.jtstrading.co.uk*, True -*.jttech.co*, True -*.jttechnet.ca*, True -*.jttechnet.net*, True -*.jttechsupport.ca*, True -*.jttechsupport.co*, True -*.jttechsupport.com*, True -*.jttechsupport.net*, True -*.jttm.us*, True -*.j-turn.com*, True -*.jtvrepairmichigan.com*, True -*.jtxrw.com*, True -*.jtyoungphotography.com*, True -*.jualacbagus.com*, True -*.jualacp.com*, True -*.jualalattest.com*, True -*.jualanmurah.my*, True -*.jualanscript.com*, True -*.jualarangbatokkelapa.com*, True -*.jualbahankimialaundrymurah.com*, True -*.jualbajugrosirtanahabang.com*, True -*.jualbataringanaac.com*, True -*.jualbatchingplant.com*, True -*.jualbautdanalatteknik.com*, True -*.jualbautstainless.com*, True -*.jualbeliforum.com*, True -*.jualbersama.com*, True -*.jualboat.tk*, True -*.jualcompressorac.com*, True -*.jualfitting.com*, True -*.jualflowmeter.com*, True -*.jualfurniturejatimustikasaptakencana.com*, True -*.jualgelangkaret.com*, True -*.jualglutathione.com*, True -*.jualhpbm.com*, True -*.jualjackbasedanuhead.com*, True -*.jualkapalpesiar.tk*, True -*.jualkapur.com*, True -*.jualkasurbusabergaransi.com*, True -*.jualkawatseling.com*, True -*.jualmejakursikantor.com*, True -*.jualmesin.biz*, True -*.jualmobilisuzu.com*, True -*.jualnet.com*, True -*.jualpaletkayu.com*, True -*.jualpipabesi.com*, True -*.jualpipa.co.id*, True -*.jualpipaseamless.com*, True -*.jualpipasumitomo.com*, True -*.jualpneumatic.com*, True -*.jualpompahydrant.com*, True -*.jualrakbesimurah.com*, True -*.jualsajalah.com*, True -*.jualscriptmmm.com*, True -*.jualscript.org*, True -*.jualspeedboat.tk*, True -*.jualsprei.tk*, True -*.jualtabungapar.com*, True -*.jualtasjakarta.com*, True -*.jualtemplate.com*, True -*.jualtemplatewordpress.com*, True -*.jualterpalmurah.com*, True -*.jualthermocouple.com*, True -*.jualtiangpju.com*, True -*.jualtiket.web.id*, True -*.jualtimbanganmurah.com*, True -*.jualtrafosintra.com*, True -*.jualudangpancetsegar.com*, True -*.juanalbertoyaria.com.ar*, True -*.juanamadio.tk*, True -*.juanaranovich.com.ar*, True -*.juanarques.com*, True -*.juancarloslopez.cl*, True -*.juancarlosmoral.es*, True -*.juancerono.com.ar*, True -*.juancostantini.com*, True -*.juancruzmedina.com*, True -*.juanfer.com.ar*, True -*.juangomez.com.ve*, True -*.juanignacioflores.com.ar*, True -*.juanjoseflores.com*, True -*.juanjoseflores.com.ar*, True -*.juanjuan.com.ar*, True -*.juanmanuelcastro.com.ar*, True -*.juanmaya.com*, True -*.juansanchezelectrician.com*, True -*.juarabiz.com*, True -*.juarezroldan.com.ar*, True -*.juari.eu*, True -*.juazeiroproducoes.com.br*, True -*.jubike.com*, True -*.jubilacionbapro.com.ar*, True -*.jubilando.cl*, True -*.jubileelodgenursinghome.com*, True -*.jublamoehlin.ch*, True -*.jubla-ursz.ch*, True -*.jucatorulmodern.ro*, True -*.juckel.net*, True -*.judgex.com*, True -*.judinak.com*, True -*.judisys.com.ar*, True -*.judithsullivan.net*, True -*.judsonmaria.net*, True -*.judyhung.com*, True -*.judysart.com*, True -*.juegosdesiempre.com.ar*, True -*.juegostripeques.cl*, True -*.juegosychorradas.com*, True -*.juergen-reis.com*, True -*.juergstaehli.ch*, True -*.jueri.ch*, True -*.juevesgay.com.ar*, True -*.jugaro.com*, True -*.jugendgruppe-gansingen.ch*, True -*.jugendratlyss.ch*, True -*.juggle.cf*, True -*.juggle.ga*, True -*.juggle.ml*, True -*.jugoo.co.uk*, True -*.juhani.fi*, True -*.juhas.sk*, True -*.juhgsha.com*, True -*.juicecritic.co.za*, True -*.juicedb.co.za*, True -*.juicedmuscle.net*, True -*.juiceitbox.com*, True -*.juicepluscanadaonline.com*, True -*.juicydata.com*, True -*.juicy-news.com*, True -*.jujamal.my*, True -*.jujitsu-bucuresti.ro*, True -*.jujman.ir*, True -*.jujugoodnews.com*, True -*.juk.fi*, True -*.jukini.com*, True -*.juleg.ch*, True -*.juleg.net*, True -*.jules8791.com*, True -*.juliacake.com.vn*, True -*.juliaeventos.com.br*, True -*.juliagomes.com.br*, True -*.juliakerr.org*, True -*.julialagou.com*, True -*.julialagou.gr*, True -*.julianacampbell.com.ar*, True -*.julianalexander.net*, True -*.julianamarconato.com.br*, True -*.julianastraat63.tk*, True -*.juliandelmoralabogados.es*, True -*.julianews.com*, True -*.julianity.com*, True -*.julian-klinck.de*, True -*.julianne.net*, True -*.julianojunqueira.com.br*, True -*.julia-zakharova.ru*, True -*.julicramer.com*, True -*.juliekayephotography.com*, True -*.julien77.com*, True -*.julienankin.com*, True -*.juliepapikova.com*, True -*.julifish.com*, True -*.julijabokova.lv*, True -*.juliocesar.in*, True -*.julioga.com*, True -*.julioromero.com.ve*, True -*.juliosantillan.com.ar*, True -*.juliosigns.com.au*, True -*.jullianapaulino.com.br*, True -*.julten.com*, True -*.juluca.ch*, True -*.julveg.cl*, True -*.july24th.ca*, True -*.jumado.com.ar*, True -*.juma.io*, True -*.jumarconato.com.br*, True -*.jumatateata.ro*, True -*.jumav.com*, True -*.jumbobot.com*, True -*.jumbocraft.org*, True -*.jumboduiven.nl*, True -*.jumbohalo.ml*, True -*.jumboshine.com*, True -*.jumbotransport.lv*, True -*.jumcar.net*, True -*.jumesniemi.fi*, True -*.jumiansyah.net*, True -*.jumico.com*, True -*.jumpingcrab.com*, True -*.jumpinggerry.co.za*, True -*.jumpoff.biz*, True -*.jumporn.com*, True -*.jump.pt*, True -*.jumpretail.com*, True -*.jumpship.to*, True -*.junau.com*, True -*.junco.com.ar*, True -*.jundy.org*, True -*.jungaus.pl*, True -*.jungbrewing.org*, True -*.jungesinfoniebern.ch*, True -*.jungglejhank.tk*, True -*.jungkurth.com*, True -*.jung-leithner.at*, True -*.jungles.co.kr*, True -*.junglesoft.com*, True -*.jungle.to*, True -*.jungsbeer.net*, True -*.jungschar-wangental.ch*, True -*.jungschi-eriswil.ch*, True -*.jungschispiez.ch*, True -*.jungshin.com.ar*, True -*.junhow.com*, True -*.juniorcontabil.com.br*, True -*.juniorek81.tk*, True -*.juniorfootyacademy.com*, True -*.juniorfootyacademy.com.au*, True -*.juniorfootyacademy.net.au*, True -*.juniorjobs.ro*, True -*.junior-kopaonik.com*, True -*.juniorr7.ru*, True -*.juniorstott.co.uk*, True -*.junior.tk*, True -*.junkie.cf*, True -*.junkshop.ro*, True -*.junk.tw*, True -*.junkyard.ws*, True -*.junliu.com*, True -*.juno.cl*, True -*.junonet.net*, True -*.junsoft.com.br*, True -*.juomavesi.net*, True -*.juped.ml*, True -*.jupe.ml*, True -*.jupiterns.org*, True -*.jupiter.pt*, True -*.jupitersnotebook.tk*, True -*.jupitertown.com*, True -*.juradoarte.com.ar*, True -*.juragansablonkaos.com*, True -*.juragansafety.com*, True -*.juragansafetylampung.com*, True -*.jurbarkoduona.lt*, True -*.jurgens.com.ar*, True -*.jurgita.com.au*, True -*.jurglic.si*, True -*.jurgwyss.ch*, True -*.juridico-virtual.com.ar*, True -*.juridictv.ro*, True -*.jurisconsulto.net.ve*, True -*.jurisdicionado.com.br*, True -*.jurisflex.com*, True -*.jurizilla.fi*, True -*.jurke.net.nz*, True -*.jurmes.tk*, True -*.jurmesx.tk*, True -*.jurnalantidrog.ro*, True -*.jurnaldecancer.ro*, True -*.jurnaleintime.ro*, True -*.jurnaleledianei.ro*, True -*.jurnalepersonale.ro*, True -*.jurnaliscun.com*, True -*.jurnalmanado.com*, True -*.jurnas.com*, True -*.jur-profi.com*, True -*.juruanet.com.br*, True -*.jurusanfarmasi.com*, True -*.jurzona.tk*, True -*.jusbookit.com*, True -*.jusbookit.com.au*, True -*.jusiak.net*, True -*.just-010.com*, True -*.just-1004.com*, True -*.just1689.co.za*, True -*.just-365.com*, True -*.just4kenya.tk*, True -*.just-707.com*, True -*.just-8080.com*, True -*.just-agung.com*, True -*.justanerd.net*, True -*.justanotherrabidreader.info*, True -*.justbatteries.com.au*, True -*.justbobthings.com*, True -*.justcheapchecks.com*, True -*.justdeanna.com*, True -*.justdoit.im*, True -*.justfix.it*, True -*.justfly.ch*, True -*.justforfunwear.com*, True -*.justforlaughs.ws*, True -*.justgaming.ml*, True -*.justgo.ro*, True -*.justhair.net*, True -*.justheart.me*, True -*.justhotwater.com*, True -*.justifiedbygrace.com*, True -*.justimo.pt*, True -*.justinandbethany.com*, True -*.justinandvalerie.com*, True -*.justinbogner.com*, True -*.justinchappuis.ch*, True -*.justincomputers.com*, True -*.justinemorgan.com.au*, True -*.justingineering.com*, True -*.justingoins.com*, True -*.justingoins.org*, True -*.justingreene.com*, True -*.justin.hk*, True -*.justinkehrli.com*, True -*.justinkusz.me*, True -*.justinmarcel.com*, True -*.justinotherguy.org*, True -*.justinpetrillo.ca*, True -*.justinpetrillo.com*, True -*.justinrich.com*, True -*.justinsabino.com*, True -*.justinscomputerplace.com*, True -*.justinsearle.ca*, True -*.justinshepherd.net*, True -*.justinsteiger.com*, True -*.justinsurances.com*, True -*.justintimberlake4.ru*, True -*.justisnett.com*, True -*.justitiajuvenila.ro*, True -*.justizverbrechen.net*, True -*.justjunkmail.com*, True -*.justkidding.hk*, True -*.justlearning.net*, True -*.justlostthegame.net*, True -*.justminecraft.com*, True -*.justmoolti.ru*, True -*.justodome.com.ar*, True -*.justoneminute.me*, True -*.justpanda.eu*, True -*.justpencet.com*, True -*.just-perfect.gr*, True -*.justpfab.com*, True -*.justrewind.co.uk*, True -*.justsaynorm.com*, True -*.just-say-why.com*, True -*.justsaywhy.com*, True -*.justsolarenergy.com.au*, True -*.justsolveit.gr*, True -*.juststuff.info*, True -*.justthetip.net*, True -*.justus.co.id*, True -*.justwait.co.uk*, True -*.justwulf.com*, True -*.justzine.com*, True -*.jutarnjarazmisljanja.net*, True -*.juteexport.net*, True -*.jutsu.ml*, True -*.jutta-schneiderei.ch*, True -*.juusela.fi*, True -*.juvenile-intervention-assessment.com*, True -*.juvenilesbk.com.ar*, True -*.juvenile-substance-abuse-profile.com*, True -*.juvientadventures.org*, True -*.juvient.com*, True -*.juvient.net*, True -*.juwangi.tk*, True -*.juxta.cf*, True -*.juyju.com.ar*, True -*.juyon.com*, True -*.juzidianshi.com*, True -*.jvalppu.fi*, True -*.jvbelectronics.com*, True -*.jvc-shop.ch*, True -*.jvdg.com.au*, True -*.jvdl.me*, True -*.jverissimo.tk*, True -*.jveron.com.ar*, True -*.jvgingenieria.cl*, True -*.jvncloud.com*, True -*.jvpgenesis.com*, True -*.jvpmelbourne.com*, True -*.jvsrus.com*, True -*.jw80.net*, True -*.jwayela.co.za*, True -*.jwbuz.com*, True -*.jweststudio.com*, True -*.jwinters.net*, True -*.jwlearning.co.uk*, True -*.jwong.hk*, True -*.jwork.ru*, True -*.jw.sg*, True -*.jwst.ru*, True -*.jwxicc.com*, True -*.jxavier.com*, True -*.jxeelab.com*, True -*.jxeelab.eu*, True -*.jxeelab.fr*, True -*.jxeelab.ro*, True -*.jxs.pt*, True -*.jycomputer.com*, True -*.jyeads.com*, True -*.jyjinsumos.cl*, True -*.jymserlecom.com*, True -*.jyrwa.com*, True -*.jyu.sx*, True -*.jz-aws.info*, True -*.jz-katagis.eu*, True -*.j-zornio.ch*, True -*.jzr-trikes.co.uk*, True -*.jzx7.net*, True -*.k0a1a.net*, True -*.k0dy.com*, True -*.k0tik.com*, True -*.k1318.com*, True -*.k1318.net*, True -*.k-178.net*, True -*.k1ll3r.tk*, True -*.k22.su*, True -*.k2energiavital.cl*, True -*.k2grillandwine.com*, True -*.k2iwr.net*, True -*.k2-karaoke-keluarga.co.id*, True -*.k2oq.com*, True -*.k34.se*, True -*.k3cot.org*, True -*.k3ng1991.net*, True -*.k3z.net*, True -*.k4dm.net*, True -*.k4ds.org*, True -*.k4school.com*, True -*.k4w411.net*, True -*.k6wyo.com*, True -*.k9s.in*, True -*.ka-50.net*, True -*.ka6ayan.tk*, True -*.ka800.co.uk*, True -*.kaa67.com*, True -*.kaa73.com*, True -*.kaa86.com*, True -*.kaa93.com*, True -*.kaaniku.eu*, True -*.kaan.tk*, True -*.kaasa5.com*, True -*.kaasnake.tk*, True -*.kaaspad.com*, True -*.kabaivanova.com*, True -*.kabaivanov.com*, True -*.kabaivanov.org*, True -*.kabar17.com*, True -*.kabarpagi.com*, True -*.kabarsore.com*, True -*.kabindrakajibajracharya.com.np*, True -*.kabirtalib.com*, True -*.kabkai.lv*, True -*.kacamurah.com*, True -*.kacaniku.info*, True -*.kacei.biz*, True -*.kaceybarnfield.com*, True -*.kachchh.com*, True -*.kachchh.net*, True -*.kacnep.ru*, True -*.kac.net.au*, True -*.kacnet.ch*, True -*.kacrut.ml*, True -*.kacsystems.com*, True -*.kacunk.tk*, True -*.kadagchenpo.org*, True -*.kadag.ir*, True -*.kadag.org*, True -*.kadaj.net*, True -*.kadcom.pl*, True -*.kademian.com.ar*, True -*.kadetschool.ru*, True -*.kadilack.org*, True -*.kadimatransport.co.za*, True -*.kadimaweb.com*, True -*.kadir-cell.com*, True -*.kadirpolat.net.tr*, True -*.kado-kiezer.nl*, True -*.kadoyi.tk*, True -*.kadrev.com*, True -*.kadr.md*, True -*.kadrotest.ru*, True -*.kadrovanje.si*, True -*.kadulski.com*, True -*.kaernten.ru*, True -*.kaesladen.at*, True -*.kafc.co.za*, True -*.kafecepte.com*, True -*.kaferveiculos.com.br*, True -*.kafe-service.ru*, True -*.kaffi.ro*, True -*.kaflesushant.com.np*, True -*.kag2d.nl*, True -*.kaganac.com*, True -*.kaganamerica.com*, True -*.kagbz.com*, True -*.ka.gd*, True -*.kagis.kz*, True -*.ka-gogo.com*, True -*.kahar.co.id*, True -*.kahfo.nl*, True -*.kahlilgibran.me*, True -*.kahrs.us*, True -*.kahunas.org*, True -*.kahvefalcisiapp.com*, True -*.kai2.info*, True -*.kaichononline.com*, True -*.kaidesa.us*, True -*.kaifai.com*, True -*.kaiketsubattle.asia*, True -*.kailasam.com*, True -*.kailasam.net*, True -*.kailuachat.com*, True -*.kailuo.tk*, True -*.kaimanakab.go.id*, True -*.kainewebcamstriper.cl*, True -*.kain.in*, True -*.kainwolf.com*, True -*.kaireppert.us*, True -*.kairupan.com*, True -*.kairys.net.au*, True -*.kaisergimmel.de*, True -*.kaisheng.tw*, True -*.kaitandmartin.com*, True -*.kaitur.com.ar*, True -*.kaitur.tur.ar*, True -*.kai.vg*, True -*.kaivonen.fi*, True -*.kaixi.org*, True -*.kaizen.bz*, True -*.kaizenusedclothing.com*, True -*.kajalkarer.com*, True -*.kajangtrainingcenter.com*, True -*.kajdel.pl*, True -*.kajee.nom.za*, True -*.kajiggers.ca*, True -*.kajihara.net.br*, True -*.kajobaji.com.ve*, True -*.kaju.ee*, True -*.kakabiz.tk*, True -*.kakabuzz.tk*, True -*.kakacuz.tk*, True -*.kakado.info*, True -*.kakaounakis.gr*, True -*.kakare.net*, True -*.kakaroto.tk*, True -*.kakasoft.com*, True -*.kakazzz.tk*, True -*.kakbayu.web.id*, True -*.kakchinggarden.tk*, True -*.kaki5.web.id*, True -*.kakimasak.my*, True -*.kakimedia.com.my*, True -*.kakimyvi.com*, True -*.kakkan.com.br*, True -*.kakleba.ch*, True -*.kak.si*, True -*.kakuro.com.br*, True -*.kakush.com*, True -*.kal6plus.com*, True -*.kal6plus.com.au*, True -*.kalaha.se*, True -*.kalajoenhelluntaiseurakunta.fi*, True -*.kalamangga.net*, True -*.kalamazooirish.org*, True -*.kalamenoor.ir*, True -*.kalaminsights.com*, True -*.kalamku.com*, True -*.kalandalusgroup.com*, True -*.kalasatamaan.fi*, True -*.kalbany.net*, True -*.kalbas.com.vn*, True -*.kalber.ir*, True -*.kalbfleis.ch*, True -*.kalebharrison.net*, True -*.kaleb.mx*, True -*.kalecelikkapi.com*, True -*.kaledio.nl*, True -*.kaleebso.com*, True -*.kalenderonline.info*, True -*.kaleonsports.com*, True -*.kaleservis.com*, True -*.kalgan.cc*, True -*.kalhozzz.ru*, True -*.kaliazin.ru*, True -*.kali.biz*, True -*.kalibrins.com*, True -*.kalibrins.ru*, True -*.kalilinux.ir*, True -*.kalimantan-selatan.com*, True -*.kalimdor.tk*, True -*.kalina.info*, True -*.kalingw.com*, True -*.kalinnikova.com*, True -*.kalivioti.gr*, True -*.kaliviotis.gr*, True -*.kalja.info*, True -*.kalk.ir*, True -*.kall.io*, True -*.kalmiatek.co.za*, True -*.kalnay.com*, True -*.kalon.com.ve*, True -*.kalong-co.tk*, True -*.kalonghosting.ch*, True -*.kalonghosting.im*, True -*.kalonghosting.mx*, True -*.kalonghosting.pro*, True -*.kalongmp3.com*, True -*.kalora.org*, True -*.kaloryczne.pl*, True -*.kalpa-pharmaceuticals.net*, True -*.kalpa-pharmaceuticals.org*, True -*.kalparila.com*, True -*.kalpikalogistic.co.id*, True -*.kal-ram.co.il*, True -*.kalsbuksbong.cf*, True -*.kalvinmizzi.com*, True -*.kalyanimediagroup.com*, True -*.kalyanimediagroup.org*, True -*.kalyoncularinsaat.com*, True -*.kalyvioti.gr*, True -*.kamaengineering.eu*, True -*.kamagraexpress.com*, True -*.kamagragold.net*, True -*.kamagraonline.biz*, True -*.kamaitachi55.com*, True -*.kamakiripuriscal.com*, True -*.kamaliakamal.com*, True -*.kamali.tk*, True -*.kamaltex.co.id*, True -*.kama.ro*, True -*.kamber-deitingen.ch*, True -*.kamberinf.ch*, True -*.kamber-informatik.ch*, True -*.kambinggulingsemarang.com*, True -*.kamcnally.co.uk*, True -*.kameba.co.za*, True -*.ka-mee-ba.co.za*, True -*.kameeba.co.za*, True -*.kameekaze.com*, True -*.kamegapolis.ru*, True -*.kamehamehaaa.org*, True -*.kamelialines.gr*, True -*.kameli.org*, True -*.kamenriderclub.ml*, True -*.kamensk-shakhtinskiy.ru*, True -*.kameraonline.net*, True -*.kameroesz.tk*, True -*.kamiljiwa.com*, True -*.kamilsukun.com*, True -*.kamin220v.ru*, True -*.kamineni.us*, True -*.kamleshgasva.tk*, True -*.kamliuk.com*, True -*.kamliuk.ru*, True -*.kamlok-hk.com*, True -*.kammakaregatan.nu*, True -*.kammakaregatan.se*, True -*.kamnik.tk*, True -*.kamoeba.co.za*, True -*.kamomileware.com*, True -*.kamomileware.es*, True -*.kamping.si*, True -*.kampoeng3d.com*, True -*.kampoos.net*, True -*.kampret-kc.tk*, True -*.kampretoasjat.tk*, True -*.kampunglele.com*, True -*.kampungmodel.ml*, True -*.kampung-nelayan.net*, True -*.kampushot.com*, True -*.kampuslopedi.net*, True -*.kampuslopedi.org*, True -*.kamskillsacademy.com*, True -*.kamuicm.tk*, True -*.kamui-subs.com*, True -*.kamu.sexy*, True -*.kamuzuka.com*, True -*.kamyrhouse.ro*, True -*.kamyuenenterprise.hk*, True -*.kamztek.com*, True -*.kanacad.org*, True -*.kanade01.tk*, True -*.kanagadhara.com*, True -*.kanagadhara.in*, True -*.kanaia.com*, True -*.kanakapura-pa.in*, True -*.kanakov.tk*, True -*.kanalweg.ch*, True -*.kanata.ro*, True -*.kanayadrumband.co.id*, True -*.kanayafood.com*, True -*.kanbando.co*, True -*.kanban.sg*, True -*.kanbullarinsaat.com.tr*, True -*.kanchanaburiresort.com*, True -*.kancil.com.my*, True -*.kancilja.si*, True -*.kanctovars.ru*, True -*.kanda.ru*, True -*.kandata.se*, True -*.kandbconstruction.com.au*, True -*.kandb.us*, True -*.kandco.com.au*, True -*.kandhfamily.com*, True -*.kandiiland.org*, True -*.kandis.se*, True -*.kandla.com*, True -*.kan-do.org*, True -*.kaneheia38.com*, True -*.kaneka.com.my*, True -*.kanera.be*, True -*.kanesilom.com*, True -*.kangakbar.com*, True -*.kang-aldi.com*, True -*.kangaroo-office.com*, True -*.kangdede.web.id*, True -*.kang-han.org*, True -*.kang-hendra.com*, True -*.kangkuk.com*, True -*.kangkuk.net*, True -*.kangmoezha.ga*, True -*.kangrio.tk*, True -*.kang-rony.com*, True -*.kang-yohan.com*, True -*.kaniamassageinjakarta.com*, True -*.kanitz.tk*, True -*.kanjidamage.com*, True -*.kanjomassage.com*, True -*.kankaristo.fi*, True -*.kankercure.nl*, True -*.kanonspel.se*, True -*.kanopibajaringantangerang.com*, True -*.kanos.com.ar*, True -*.kantila.in*, True -*.kantoorghijscuypers.be*, True -*.kantorgame.com*, True -*.kanuhead.com*, True -*.kanzashero.com*, True -*.kanzasheroes.com*, True -*.kanzasheroes.org*, True -*.kanzashero.org*, True -*.kanzasidol.com*, True -*.kanzasidol.net*, True -*.kanzasidol.org*, True -*.kanzassaint.com*, True -*.kanzoo.co.il*, True -*.kanzoshero.com*, True -*.kanzoshero.org*, True -*.kanzushero.com*, True -*.kanzushero.org*, True -*.kaohsiung.tv*, True -*.kaosallowed.info*, True -*.kao.sh*, True -*.kaoskrew.org*, True -*.kaostheory.net*, True -*.kaotisk-hund.tk*, True -*.kaotisk.tk*, True -*.kaovo.com*, True -*.kapadokya.net*, True -*.kapalaluminium.tk*, True -*.kapalboataluminium.tk*, True -*.kapalfiber.tk*, True -*.kapaliao.ga*, True -*.kapalikan.tk*, True -*.kapalmancingfiber.tk*, True -*.kapalmancing.tk*, True -*.kapalpenumpang.tk*, True -*.kapalpesiarbekas.tk*, True -*.kapalpesiarjakarta.tk*, True -*.kapalpesiarpribadi.tk*, True -*.kapalspeedboatfiber.tk*, True -*.kapalspeedboatmancing.tk*, True -*.kapanadze.de*, True -*.kaparthyinfo.com*, True -*.kapcom.gr*, True -*.kapeika.id.lv*, True -*.kapelle-zur-marlies.ch*, True -*.kaperusiten.com.ar*, True -*.kapgel.com.tr*, True -*.kapid.web.id*, True -*.kapilmanandhar.com.np*, True -*.kapit.al*, True -*.kaplan-myrth.ca*, True -*.kapla.pl*, True -*.kapoorfamily.us*, True -*.kapowpolitics.com*, True -*.kappasigmatxstate.com*, True -*.kappasigmatxstate.org*, True -*.kappasplace.eu*, True -*.kappeller.com*, True -*.kappeller.de*, True -*.kappeller.net*, True -*.kapsidonia.ro*, True -*.kapsler.ch*, True -*.kapstadtzufuss.co.za*, True -*.kaptainsunshine.com*, True -*.kapustin.ca*, True -*.kaqaz.net*, True -*.karacol.ch*, True -*.karadzhov.com*, True -*.karai-aceh.com*, True -*.karakanian.com.br*, True -*.karaktersiswa.com*, True -*.karamanlis-foundation.gr*, True -*.karam.com.mx*, True -*.karamgr.com*, True -*.karamonkey.ro*, True -*.karamyshova.ru*, True -*.karaokebus.com*, True -*.karaokestore.hu*, True -*.karaoke-tv.ro*, True -*.karaokezene.eu*, True -*.karaokezene.hu*, True -*.karas99.com*, True -*.kara-saman.ir*, True -*.kara-sanaat.com*, True -*.karasu.co.za*, True -*.karatebudokai.com*, True -*.karatecorato.it*, True -*.karate-dinamo.ro*, True -*.karate-do.si*, True -*.karategama.net*, True -*.karatekickn.com*, True -*.karatemen.com*, True -*.karate-tora.gr*, True -*.karate-vrtec.si*, True -*.karatz.org*, True -*.karawangblogger.com*, True -*.karazo.tk*, True -*.karbonit.com.au*, True -*.karbon.to*, True -*.kardakov.pro*, True -*.kardeval.com*, True -*.kardex.co.nz*, True -*.kardix.hr*, True -*.kardoin.com*, True -*.kardusen.tk*, True -*.karelghijs.be*, True -*.karel.web.tr*, True -*.karenball.com*, True -*.karenbickley.de*, True -*.karenghandilyan.com*, True -*.karengilbert.net*, True -*.kareninahalim.com*, True -*.karenleepilates.com.au*, True -*.karenmillen.co.nz*, True -*.karenvaler.com.ar*, True -*.karetindustri.com*, True -*.kargo-co.ru*, True -*.kariernisejem.si*, True -*.karikarisnack.com*, True -*.karim.my*, True -*.karinja.ninja*, True -*.karinstrelow.cl*, True -*.karitasms.si*, True -*.kariyna.com*, True -*.karkacinhas.com.br*, True -*.kark.ws*, True -*.karlen-sa.ch*, True -*.karlensbird.com*, True -*.karlensbirds.com*, True -*.karlitos.cl*, True -*.karlitos.info*, True -*.karlitos.org*, True -*.karlmohn.ch*, True -*.karlnoss.com*, True -*.karlosb.com*, True -*.karlow.pl*, True -*.karlsrue.ru*, True -*.karlw.com*, True -*.kar-ma.be*, True -*.karman-pc.net*, True -*.karmasucks.co.uk*, True -*.karmaxp.tk*, True -*.karmel.cl*, True -*.karmenci.tk*, True -*.karmic.ro*, True -*.karnad.us*, True -*.karnbo.com*, True -*.karolinalopez.es*, True -*.karolinjamartin.ee*, True -*.karoseriamanah.com*, True -*.karoseripialamas.com*, True -*.karoseri-skylift.com*, True -*.karoseri-tiarindo.com*, True -*.karotik.com*, True -*.karotik.ir*, True -*.karousel.ro*, True -*.karpetmobil.web.id*, True -*.karpos.com.ar*, True -*.karpowicz.net*, True -*.karserv.com*, True -*.karstelecteng.ca*, True -*.karsten.com.mx*, True -*.karstenmeyer.com*, True -*.karsten.mx*, True -*.kartenmanufaktur.ch*, True -*.karthikjain.in*, True -*.kartinkivtomske.ru*, True -*.kartiny35.ru*, True -*.kartled.com*, True -*.kartoos.ml*, True -*.karttracks.eu*, True -*.karturi-pedale.ro*, True -*.karuaiviajes.com.ve*, True -*.karuca.com.ar*, True -*.karu.io*, True -*.karunglagu.com*, True -*.karungterpalplastik.com*, True -*.karungwaringterpal.com*, True -*.karuniaseluler.com*, True -*.karuniatravel.com*, True -*.karupu.tk*, True -*.karwasz.pl*, True -*.karyamusi.com*, True -*.karyapemudakampung.com*, True -*.karyaraya.net*, True -*.karyatid.net*, True -*.karynd.tk*, True -*.kasai.ga*, True -*.kasakkamedia.fi*, True -*.kasakkusuk.org*, True -*.kasanms.com*, True -*.kasan.se*, True -*.kasberger.com*, True -*.kasear.net*, True -*.kaselsports.com*, True -*.kasep.ga*, True -*.kasganosora.moe*, True -*.kashefcompany.ir*, True -*.kashfunds.com*, True -*.kashirskaya.com*, True -*.kashyap1.com*, True -*.kasihandresta.com*, True -*.kasihsun.com*, True -*.kasir.lv*, True -*.kaskaskia.org*, True -*.kaskjer.org*, True -*.kasko58.ru*, True -*.kasko.web.tr*, True -*.kasko-zavarovanje.si*, True -*.kaskozavarovanje.si*, True -*.kaskuser.pro*, True -*.kaskusforum.com*, True -*.kaspars.lv*, True -*.kasperheyndrickx.be*, True -*.kasperskykampanya.com*, True -*.kasperskykazandiriyor.com*, True -*.kaspersky-turkiye.com*, True -*.kassandracunningham.com*, True -*.kassandra-properties.gr*, True -*.kassandraproperties.gr*, True -*.kassawagen.info*, True -*.kassel.id.au*, True -*.kassemos.com*, True -*.kassemsite.tk*, True -*.kassemweb.tk*, True -*.kastad.nu*, True -*.kastamode.com*, True -*.kastlersteinhauser.com*, True -*.kasurbusadanstyrofoam.com*, True -*.kasurbusakesehatan.com*, True -*.kaswell.tk*, True -*.kataba.tk*, True -*.katabijak.org*, True -*.katakunci.co.uk*, True -*.katalogilmu.com*, True -*.katamari.one.pl*, True -*.katapika.pl*, True -*.katarinalendjel.com*, True -*.kataton.com*, True -*.katawanmusic.com*, True -*.kateandstu.com*, True -*.katebsara.ir*, True -*.katecullen.com*, True -*.katedmcguire.com*, True -*.katedonaldsonrealestate.com.au*, True -*.katereganoconnor.com*, True -*.katerinakaras.com*, True -*.katerinalavr.com*, True -*.kateringbykat.com*, True -*.katewertheimer.com*, True -*.katharina-and-ed.com*, True -*.katharinavalent.cl*, True -*.kathekindred.com*, True -*.katherinehollaway.com*, True -*.katherinejanca.com*, True -*.kathleen360.com*, True -*.kathmandubiz.com*, True -*.kathrinebrandt.dk*, True -*.kathrinwoodtli.com*, True -*.kathycomputer.com*, True -*.katieandcarl.co.uk*, True -*.katieandchriskelley.com*, True -*.katieandjeremy.net*, True -*.katieandnick.com.au*, True -*.katieanyaphotography.com.au*, True -*.katiebea.co.uk*, True -*.katiedanielwedding.com*, True -*.katiedid.us*, True -*.katiesoltysiak.com*, True -*.katieveno.com*, True -*.katigaonline.com*, True -*.katinpaakkelssit.fi*, True -*.katjabayer.ch*, True -*.katjagarkushko.com*, True -*.katnip.org.uk*, True -*.katrien-demare.be*, True -*.katrilli.ch*, True -*.katspencer.us*, True -*.katsurap.tk*, True -*.katswansey.com*, True -*.kattming.com*, True -*.katt.net*, True -*.katyachernyakova.com*, True -*.katyestetica.ch*, True -*.katzenaugen.ch*, True -*.kaufmann-dufour.com*, True -*.kaukau.xyz*, True -*.kaukawala-group.info*, True -*.kauneusstudiosoma.fi*, True -*.kaushalchaudhary.com.np*, True -*.kaustubhjoshi.com*, True -*.kauzlaric.eu*, True -*.kauzlaric.net*, True -*.kauzlaric.org*, True -*.kava.cl*, True -*.kavb.co.il*, True -*.kavdz.com*, True -*.kaveh8.ir*, True -*.kave.me*, True -*.kavestone.com*, True -*.kavih.com*, True -*.kavkasionisat.com*, True -*.kavoshbeton.com*, True -*.kawahiro.com*, True -*.kawaiiarts.com*, True -*.kawaii-hentai.net*, True -*.kawaiisquid.com*, True -*.kawaii.su*, True -*.kawakib.net*, True -*.kawa-kun.com*, True -*.kawalbansos.com*, True -*.kawanua.in*, True -*.kawasakipartsaustralia.com*, True -*.kawasakipartsaustralia.com.au*, True -*.kawatan.co.id*, True -*.kawatgigi.web.id*, True -*.kawatharmonika-mjsa.com*, True -*.kawaz-bros.com*, True -*.kawazoe.org*, True -*.kawiagungkencana.com*, True -*.kay78.com*, True -*.kay87.com*, True -*.kayaalamlestari.com*, True -*.kayaba24.ru*, True -*.kayakdomain.com*, True -*.kayakingphilippines.com*, True -*.kayanganmedia.com*, True -*.kayawe.ro*, True -*.kayeann.com*, True -*.kayeee.info*, True -*.kay-family.org*, True -*.kayimbo.com*, True -*.kaylakaze.com*, True -*.kaylamacaulayphotography.ca*, True -*.kayleighliu.us*, True -*.kaylynbrocker.com*, True -*.kaymontenergy.com*, True -*.kaynayantencere.org*, True -*.kayru.org*, True -*.kayuasriindonesia.com*, True -*.kayujatibelandah.com*, True -*.kayukeras.com*, True -*.kayzone.tw*, True -*.kazak40.ru*, True -*.kazakisfamily.com*, True -*.kazekid.com*, True -*.kazembchina.com*, True -*.kazeshini.net*, True -*.kaziandassociates.com.au*, True -*.kazinduzidev.tk*, True -*.kazino.si*, True -*.kaznets.com*, True -*.kazoodle.com*, True -*.kaz.ro*, True -*.kazun.ro*, True -*.kazuple.co.uk*, True -*.kazuya.ml*, True -*.kb2faf.net*, True -*.kb3mun.us*, True -*.kbarg.com*, True -*.kbb-79.com*, True -*.kbc89.com*, True -*.kbdallas.com*, True -*.kbdl.us*, True -*.kbdrehab.com*, True -*.kb.hk*, True -*.kbk99.com*, True -*.kblok.tk*, True -*.kbms-smansa.org*, True -*.kbo-top.com*, True -*.kbo-top.net*, True -*.kboyda.net*, True -*.kbr-invest.ru*, True -*.kbrownconsulting.com*, True -*.kbrownconsulting.net*, True -*.kbse.org*, True -*.kbtrans.ru*, True -*.kc2lsn.com*, True -*.kc2lsn.info*, True -*.kc2lsn.net*, True -*.kc2lsn.org*, True -*.kc2lsn.us*, True -*.kcalumni.org.my*, True -*.kcatlab.com*, True -*.kcbinvesting.com*, True -*.kcbleeker.nom.za*, True -*.kcbm.ch*, True -*.kcchouette.tk*, True -*.kc-cpa.com*, True -*.kc-felty.net*, True -*.kcic.org.uk*, True -*.kc.id.lv*, True -*.kck-saratov.ru*, True -*.kckserver.com*, True -*.kckt.asia*, True -*.kclms.org*, True -*.kcm96.com*, True -*.kcmac.ca*, True -*.kcmc.ro*, True -*.kcngcpa.com*, True -*.k-consulting.ch*, True -*.kcornell.com*, True -*.kcrenovationwarehouse.ca*, True -*.kcstore.hk*, True -*.kc-time.com*, True -*.kcvcom.com.br*, True -*.kcy73.com*, True -*.kcy79.com*, True -*.kcy85.com*, True -*.kcy94.com*, True -*.kd6oji.com*, True -*.kd8glc.net*, True -*.kd8lcv.com*, True -*.kdbalcony.co.il*, True -*.k-designs.ch*, True -*.kdesigns.ch*, True -*.kdeuja.com*, True -*.kdfurniture.com.au*, True -*.kdhhydraulics.co.za*, True -*.kdits.ca*, True -*.kdm85.com*, True -*.kdmart.hk*, True -*.kd-m.ru*, True -*.kdphoto.to*, True -*.kdrama-torrents.com*, True -*.kdroofing.ie*, True -*.kdsortak.net*, True -*.kds.ro*, True -*.kdta.com.au*, True -*.kdtriglav.com*, True -*.kdujelukic.com*, True -*.kdu.ro*, True -*.kdyn.de*, True -*.keanet.tk*, True -*.keao.gr*, True -*.keat.es*, True -*.kebabtral.la*, True -*.kebutuhanhalal.com*, True -*.kebutuhanindustri.com*, True -*.kebveiculos.com.br*, True -*.kece.ga*, True -*.kece.pw*, True -*.kecik.ga*, True -*.kecoak.net*, True -*.kedagital.com*, True -*.kedahict.com*, True -*.kedaiapp.com*, True -*.kedawoncity.com*, True -*.kedawoncity.tk*, True -*.kedehatanhidup.com*, True -*.kedron7-properties.com*, True -*.kedrov.org*, True -*.kedsrus.com*, True -*.kee66.com*, True -*.kee77.com*, True -*.keecha.com*, True -*.keelung3c.com*, True -*.keemark.ro*, True -*.keen314.com*, True -*.keenahn.com*, True -*.keenahnjung.com*, True -*.keeneating.com*, True -*.keenergrinderpumps.com*, True -*.keengeek.com*, True -*.keenmonkey.com*, True -*.keepguardusa.com*, True -*.keepingupwithlife.ca*, True -*.keepjagsinjax.com*, True -*.keepjagsinjax.org*, True -*.keeplisted.net*, True -*.keeplisted.org*, True -*.keeplisted.pt*, True -*.keeplocated.com*, True -*.keepmail.it*, True -*.keepmyhorse.com*, True -*.keepridinbikes.tk*, True -*.keepridingbikes.tk*, True -*.keep.se*, True -*.keepservice.ru*, True -*.keepwalking.com.au*, True -*.keera.co.uk*, True -*.keera.es*, True -*.keetatco.com*, True -*.keffcheng.com*, True -*.kefield.ca*, True -*.kefigel.com*, True -*.kefi.me*, True -*.kefirsoft.com*, True -*.keggemeyer.com*, True -*.keg.li*, True -*.kegmanscave.com*, True -*.kehaty.com*, True -*.keifman.com.ar*, True -*.keigoed.com*, True -*.keikai.web.id*, True -*.keikendo.com*, True -*.keilty.com.ar*, True -*.keimlinge.net*, True -*.keinblablabla.de*, True -*.keine-panik.net*, True -*.kein.hk*, True -*.keinname.net*, True -*.keithgreer.ie*, True -*.keithhart.co.uk*, True -*.keithhultman.com*, True -*.keithlayton.com*, True -*.keithlinsell.com*, True -*.keith.pro*, True -*.keithslater.net*, True -*.keithswenson.com*, True -*.keitson.com.br*, True -*.kejian.gq*, True -*.kejipi.com*, True -*.kejuindocraft.tk*, True -*.kek66.com*, True -*.kek77.com*, True -*.kek88.com*, True -*.keka.si*, True -*.kekec.biz*, True -*.keketec.com*, True -*.keko.net*, True -*.kekpvp.com*, True -*.keks.li*, True -*.kelasmengajiquran.my*, True -*.keldoraz.com*, True -*.kelebekyazilim.net*, True -*.keleko.io*, True -*.kelemenarpad.ro*, True -*.kellercontrol.com*, True -*.keller-hedem.de*, True -*.kellerz.ch*, True -*.kellerz.com*, True -*.kellerz.net*, True -*.kellieadrian.com*, True -*.kellner.li*, True -*.kellock.com.au*, True -*.kellonjohnson.com*, True -*.kelltechservices.com*, True -*.kellus.ca*, True -*.kellyanddavidwedding.com*, True -*.kellyandjasonma.com*, True -*.kellycaptures.com*, True -*.kellyhollaway.com*, True -*.kellyjanice.com*, True -*.kellyrasmussen.name*, True -*.kellyshop.gr*, True -*.kellytansing.com*, True -*.kelly.tw*, True -*.kel.mn*, True -*.kelocube.com*, True -*.kelolabistari.com*, True -*.kelownathoracic.com*, True -*.kelseyandandy.us*, True -*.keltec.co.za*, True -*.keltum-1.ru*, True -*.keluargareski.net*, True -*.kelveu.com*, True -*.kelvin.com.ar*, True -*.kelvindigital.com*, True -*.kelvineu-climatizacion.com*, True -*.kelvineu.com*, True -*.kelvineu-refrigeracion.com*, True -*.kelvingroup.com*, True -*.kelvinlam.hk*, True -*.kemalaktas.com.tr*, True -*.kemal.com.tr*, True -*.kemarinsore.com*, True -*.kemeter.ch*, True -*.kemi2.tk*, True -*.keminet.ru*, True -*.kemloas.cf*, True -*.kemosabe.in*, True -*.kempao.com.br*, True -*.kempconnect.com.au*, True -*.kempenfeltbuilders.com*, True -*.kempet.cf*, True -*.kemtest.ru*, True -*.kemuditimur.com.my*, True -*.kenab.us*, True -*.kenangan-terindah-hanyalah-bersamamu.com*, True -*.kenapa.si*, True -*.kenarok.com*, True -*.kenatkins.net*, True -*.kencanajayateknik.com*, True -*.kenceng.info*, True -*.kendapei.com*, True -*.kendarihost.com*, True -*.kendart.ro*, True -*.kender.hu*, True -*.kendimas.com*, True -*.kendra-spencer.com*, True -*.kendua.ml*, True -*.kendua.tk*, True -*.kenetec.com*, True -*.kengao.tw*, True -*.kenhgtv.com*, True -*.kenhprivate.cf*, True -*.kenhprivate.ga*, True -*.kenigma.org*, True -*.keniplex.tv*, True -*.kenji.sx*, True -*.kenjuta.com*, True -*.kenmaz.com*, True -*.kennedytaxgroup.com*, True -*.kennedytool.net*, True -*.kennesawglass.com*, True -*.kennethedmunds.com*, True -*.kennethelamb.com*, True -*.kennethkimvineyards.com*, True -*.kennettconstruction.com*, True -*.kennybok.com*, True -*.kenny-chiang.com*, True -*.kennydih.com*, True -*.kennyhn.info*, True -*.kennyix.com*, True -*.kenny-labs.net*, True -*.kennymallard.com*, True -*.kennyteng.com*, True -*.kenow.com.au*, True -*.kenozashop.com*, True -*.kenpoliran.com*, True -*.kensaundry.com*, True -*.kensawesomefirehoseapp.info*, True -*.kenshin-eve.com*, True -*.kensingtonplace.co.za*, True -*.kenstella.com*, True -*.kentathome.com*, True -*.kentcoronet.ca*, True -*.kenthinson.com*, True -*.kenthir.tk*, True -*.kenthu.cx*, True -*.kentmanagement.co.uk*, True -*.kent-movie.com*, True -*.kentners.com*, True -*.kentners.net*, True -*.kent-network.club*, True -*.kent-officialsite.org*, True -*.kentrealestate.com.au*, True -*.kent-software.info*, True -*.kentuckyplatingworks.com*, True -*.kentu.in*, True -*.kentuniforms.com*, True -*.kentuzenog.nl*, True -*.kenx.com.au*, True -*.kenyaeandre.com.br*, True -*.keops.tv*, True -*.kep66.com*, True -*.kep77.com*, True -*.keplax.ga*, True -*.keppedih-cam.gr*, True -*.keprinet.com*, True -*.kepri-rc.com*, True -*.kep.xyz*, True -*.ker888.com*, True -*.keraily-aitta.fi*, True -*.kerajinantas.web.id*, True -*.keralaholidays247.com*, True -*.keramat.net*, True -*.keramicarstvo-matoh.si*, True -*.keramid.as*, True -*.keramikart.ro*, True -*.keranjangkita.com*, True -*.kerastasecosmetic.ru*, True -*.kerb.al*, True -*.kerberos.hk*, True -*.ker.com.br*, True -*.kerekparbolt.eu*, True -*.kerekparok.eu*, True -*.kerena.biz*, True -*.kereninahalim.com*, True -*.kereta-mainan.com*, True -*.keriss.co.id*, True -*.kerjaonline.my*, True -*.kerjayahunt.my*, True -*.kerjayapensyarah.com*, True -*.kerlomz.ml*, True -*.kerman360.ir*, True -*.kermanhelishot.com*, True -*.kernan.ca*, True -*.kernelhacker.org*, True -*.kernel.id.lv*, True -*.kern-office.com*, True -*.keromuchi.net*, True -*.kero.ro*, True -*.kerr.asia*, True -*.kerrfamily.org*, True -*.kerschen.com.ar*, True -*.kerudung-meidiani.com*, True -*.kerule.es*, True -*.kerwinshaw.com*, True -*.kerzenoutlet.ch*, True -*.kerzenziehen.ch*, True -*.kerzing.tk*, True -*.kesc.gr*, True -*.keseco-ultra.ro*, True -*.kesehatanhidup.com*, True -*.keset-crew.ga*, True -*.kesharbhandari.com.np*, True -*.kesh.asia*, True -*.keshavbashyal.com.np*, True -*.keshev.ru*, True -*.keshfir.com*, True -*.keshie.com.au*, True -*.keskeki.gr*, True -*.kestavakasvu.fi*, True -*.kestebra.com.ve*, True -*.kesterfamily.org*, True -*.ket67.com*, True -*.ket77.com*, True -*.ket87.com*, True -*.ketabkhaane.ir*, True -*.ketanpkr.in*, True -*.ketchie666.com*, True -*.keth-han.de*, True -*.kethrine.tk*, True -*.keti.ga*, True -*.ketikan.info*, True -*.ketikdulu.com*, True -*.ketiksms.com*, True -*.ketir.net*, True -*.ketnoi.mobi*, True -*.ketoan-kiemtoan.org*, True -*.ketrubuk.biz*, True -*.kettlebellmafia.com*, True -*.ketubruk.biz*, True -*.ketunkorpi.fi*, True -*.keukenklok.eu*, True -*.keukenklokken.eu*, True -*.keunecosmetic.ru*, True -*.keursakola.tk*, True -*.keuswijzer.nl*, True -*.kevankeeler.com*, True -*.kevinandnell.com*, True -*.kevinberanek.com*, True -*.kevinchiang.co*, True -*.kevindodge.me*, True -*.kevinerdmann.com*, True -*.kevingibbons.com*, True -*.kevinhaase.com*, True -*.kevinhawk.com*, True -*.kevin.hk*, True -*.kevinkerber.com*, True -*.kevinktang.com*, True -*.kevinleon.tk*, True -*.kevinloveamy.com*, True -*.kevinmoens.com*, True -*.kevin-schmidt.com*, True -*.kevinshayloft.com*, True -*.kevinsiddique.ca*, True -*.kevinstonerlaw.com*, True -*.kevinwalder.ch*, True -*.kevinyu.org*, True -*.kevkearney.com*, True -*.kevlake.co.uk*, True -*.kevong2.tk*, True -*.kevs-computer-repairs.com*, True -*.kevspace.com*, True -*.kewanshunn.com*, True -*.ke-wincasino.com*, True -*.ke-wingame.com*, True -*.ke-wingames.com*, True -*.ke-winkasino.com*, True -*.ke-winpoker.com*, True -*.keyblade.jp*, True -*.keyboardwarrior.co.uk*, True -*.key-bt.com*, True -*.keybusinessconnection.com*, True -*.keybusiness.pt*, True -*.keycap.com*, True -*.keycodemninmbe.pw*, True -*.keycomputacion.com.ar*, True -*.keydudmertitexkoljod.pw*, True -*.keyfix.pt*, True -*.keyfrenbujkoutrmedia.pw*, True -*.key-gen.co.uk*, True -*.keyimage.ru*, True -*.keyjack182.tk*, True -*.keyjack1995.tk*, True -*.key-jack.tk*, True -*.keymag.co*, True -*.keymagic.net*, True -*.keymag.org*, True -*.keymediabobkolmurtot.pw*, True -*.keymurighotixnubed.pw*, True -*.keynitkoutrewdebmedia.pw*, True -*.keyolanisxmediayes.pw*, True -*.keyoung.biz*, True -*.keyoung.com*, True -*.keyoung.hk*, True -*.keyoung.info*, True -*.keyoung.net*, True -*.keyperiodical.org*, True -*.keypublication.org*, True -*.keyquestarcade.com*, True -*.key-rho.com*, True -*.keysmoneyphone.org.uk*, True -*.keyson.mx*, True -*.keystaxis.co.uk*, True -*.keystonearchitects.com.au*, True -*.keystonearchitects.in*, True -*.keystonesystems.ec*, True -*.keystoneuniformcap.com*, True -*.keysystems.ro*, True -*.keytotmonixmedia.pw*, True -*.keytto.com*, True -*.keytutrixmonmedia.pw*, True -*.keyused.co.za*, True -*.keywastedgoknnends.pw*, True -*.keywayclinic.com*, True -*.key-west.biz*, True -*.key-wines.com*, True -*.keywowikmedia.pw*, True -*.keyxendormedia.pw*, True -*.kezaclinique.ro*, True -*.keza.ro*, True -*.kezdirefi.ro*, True -*.kezya-shop.com*, True -*.kezzie.cf*, True -*.kfarm.tk*, True -*.kfcn.org*, True -*.kfco.net*, True -*.kfdewijngaard.be*, True -*.kfunc.com*, True -*.kgb.mn*, True -*.kghm.cl*, True -*.kgimports.com.au*, True -*.kglug.org*, True -*.kgori.co.za*, True -*.kg-rakican.si*, True -*.k-group.cl*, True -*.kgvi-property.com*, True -*.khabarovsk.tk*, True -*.khabbaby.com*, True -*.khabbaby.ru*, True -*.khabdha.com*, True -*.khabdha.org*, True -*.khaberz.org*, True -*.khabvir.ru*, True -*.khachdiem.com*, True -*.khach-san.com*, True -*.khadonov.ru*, True -*.khagendraraj.com.np*, True -*.khairilbersatu.com*, True -*.khairulummahinternasiona.com*, True -*.khajeali.ir*, True -*.khalid48.cc*, True -*.khaltura.ru*, True -*.khandehclub.com*, True -*.khanemashroote.ir*, True -*.kha-net.org*, True -*.khanhbangnet.tk*, True -*.khanhlang.com*, True -*.khani.co*, True -*.khaoto.ch*, True -*.kharchakat.com*, True -*.kharidbikri.info*, True -*.kharismachemindo.com*, True -*.kharismamadani.com*, True -*.khastat.org*, True -*.khatha.com*, True -*.khatulistiwaindonesia.org*, True -*.khatushyam.info*, True -*.khavounitis.eu*, True -*.kha.web.id*, True -*.khbjd.com*, True -*.kheaks.com*, True -*.khelsinki.ru*, True -*.khemraj.com.np*, True -*.khenzi.cf*, True -*.kheops-lrj.ro*, True -*.khesa.org*, True -*.khg.com.pk*, True -*.kh.id.au*, True -*.khilafah.or.id*, True -*.khipu.com.tr*, True -*.khit.eu*, True -*.khizigaming.net*, True -*.khkgroup.net*, True -*.kh-klosterneuburg.at*, True -*.khmerschool.com*, True -*.khmerschool.org*, True -*.khmersite.net*, True -*.khocviem.org*, True -*.kholidwidarmana.com*, True -*.kholiq.ga*, True -*.kholmogori.ru*, True -*.khoobha.net*, True -*.khorinsk.ru*, True -*.khosa.tk*, True -*.khouja.com*, True -*.khouja.org*, True -*.khq.la*, True -*.khref.org*, True -*.khrisnaprodusenbag.com*, True -*.k--h.ru*, True -*.khughes.com*, True -*.khumnath.com.np*, True -*.khurram.org*, True -*.khurumin.com*, True -*.khvalynsk.ru*, True -*.khv.net.ru*, True -*.khvn.ru*, True -*.khwwave.com*, True -*.kiafinans.se*, True -*.kiagengjalu.com*, True -*.kiani.com*, True -*.kianinny.com*, True -*.kiarash-korki.ir*, True -*.kiatrading.com*, True -*.kibbet.com*, True -*.kibh.club*, True -*.kibind.com*, True -*.kibind.com.ar*, True -*.kicchip.cc*, True -*.kicchip.com*, True -*.kicchip.eu*, True -*.kicchip.net*, True -*.kicchip.org*, True -*.kichche.ru*, True -*.kichenko.com*, True -*.kickassmath.com*, True -*.kickdog.tk*, True -*.kick-go.com*, True -*.kick-j.com*, True -*.kickkat.net*, True -*.kick-k.com*, True -*.kick-kt.com*, True -*.kick-mm.com*, True -*.kick-net.com*, True -*.kickoff2worldcup.com*, True -*.kickoffapp.hk*, True -*.kick-pk.com*, True -*.kickradio.co.uk*, True -*.kickscondor.com*, True -*.kicksix.org*, True -*.kick-su.com*, True -*.kickswithspurs.com*, True -*.kick-to.com*, True -*.kickto.net*, True -*.kick-tt.com*, True -*.kick-vo.com*, True -*.kidcastle.com*, True -*.kidcriticz.com*, True -*.kiddphunk.com*, True -*.kidgame.ru*, True -*.kidgeniustutoring.com*, True -*.kidinacandyshop.us*, True -*.kidminder.info*, True -*.kidnet.com.br*, True -*.kidneyresearchuk.com*, True -*.kidonin.net*, True -*.kidpower-argentina.org*, True -*.kids-aerobics.com*, True -*.kidscancode.com.au*, True -*.kidscancode.org.au*, True -*.kidschool-epaper.com*, True -*.kidshells.net*, True -*.kids-land.ch*, True -*.kidslinks.com*, True -*.kidsmagazineclub.com*, True -*.kidsncare.com.au*, True -*.kidsqt.com*, True -*.kidstreasurehuntclues.net*, True -*.kidstreff-hochdorf.ch*, True -*.kidsubs.com*, True -*.kidsworldfilia.com*, True -*.kidventures.fi*, True -*.kidybus.cl*, True -*.kidzzone.ca*, True -*.kiechina.com*, True -*.kiedere.com.mx*, True -*.kieferorthopaedie-effretikon.ch*, True -*.kiekkopesa.fi*, True -*.kielcorwin.com*, True -*.kielrules.com*, True -*.kiengiangvn.com*, True -*.kientructia.com*, True -*.kieqi.tk*, True -*.kieranbelkus.co.uk*, True -*.kieserling.net*, True -*.kiesling.co*, True -*.kietzman.org*, True -*.kiev.fi*, True -*.kiev.ro*, True -*.kiewiet.biz*, True -*.kiezcup.de*, True -*.kifbuy.com*, True -*.kigelman.com.ar*, True -*.kihgokilmediaprolight.co*, True -*.kihgokilmediaprolight.mobi*, True -*.kihgokilmediaprolights.co*, True -*.kihtap.com*, True -*.kij0corp.com*, True -*.kijai.net*, True -*.kijai.org*, True -*.kika-apartmani.hr*, True -*.kik.cl*, True -*.kikitech.com*, True -*.kikki.fi*, True -*.kikotte.tk*, True -*.kik.sg*, True -*.kikumasa.tv*, True -*.kil13r.info*, True -*.kilangbeg.com.my*, True -*.kilchsperger.com*, True -*.kilgoma.com*, True -*.kilinski.co.uk*, True -*.kiljaden.com*, True -*.killaz.tk*, True -*.killbill.ml*, True -*.kill-death45.tk*, True -*.killdust.com*, True -*.killed.ga*, True -*.killer-bee.net*, True -*.killergames.com.br*, True -*.killerofshadows.net.nz*, True -*.killer.ro*, True -*.killers.ninja*, True -*.killerspaz.com*, True -*.killkurtreifler.com*, True -*.killm3.com*, True -*.killwithme.cf*, True -*.kilobanana.com*, True -*.kilosa.tk*, True -*.kiltondass.com*, True -*.kimandcami.com*, True -*.kimate.co.kr*, True -*.kimba.co*, True -*.kim-bagley.com*, True -*.kimberlylancaster.com*, True -*.kimbers.info*, True -*.kimchi.is*, True -*.kimcil-jahat.org*, True -*.kimciljahat.tk*, True -*.kimcil.ws*, True -*.kimeints.com*, True -*.kimenet.ca*, True -*.kimeros.cl*, True -*.kimex.com.mx*, True -*.kimexireland.com*, True -*.kimianab.com*, True -*.kimiatambangemas.com*, True -*.kimiko.ch*, True -*.kimilsarl.com*, True -*.kimjongmin.org*, True -*.kimkelen.com.ar*, True -*.kimkimdir.org*, True -*.kimlay.info*, True -*.kimleppi.tk*, True -*.kimlongltd.com*, True -*.kimmeynetworks.com*, True -*.kim.mx*, True -*.kimnhat.org*, True -*.kimoapparel.com*, True -*.kim-offshore.com*, True -*.kimorango.com.br*, True -*.kimsmata.ga*, True -*.kimsufi.cf*, True -*.kimtan.tv*, True -*.kimt.tk*, True -*.kim.web.id*, True -*.kimwhite.co.za*, True -*.kimwhite.nom.za*, True -*.kinabalustudios.com*, True -*.kinacon.com*, True -*.kinaps.com*, True -*.kinations.com*, True -*.kindell.se*, True -*.kinderdiner.be*, True -*.kinderdiner.com*, True -*.kinderdiner.eu*, True -*.kinder-diner.nl*, True -*.kinderfield.cf*, True -*.kindergeburtstagstorte.ch*, True -*.kinderkookwinkel.eu*, True -*.kinderopvang-barchem.nl*, True -*.kindersidehomehealthservices.com*, True -*.kindgerechte-grundschule-herrlingen.de*, True -*.kindonime.tk*, True -*.kindredfamily.com*, True -*.kindredonline.com*, True -*.kindy4kids.com.au*, True -*.kinemara.cl*, True -*.kineon.net*, True -*.kinesaludlaserena.cl*, True -*.kinesika.com*, True -*.kinetec.ru*, True -*.kinetica-ns.co.uk*, True -*.kineticdissent.com*, True -*.kineticip.com*, True -*.kingaby.com*, True -*.kingbooger.com*, True -*.kingbot.cf*, True -*.kingbot.ml*, True -*.kingcf.net*, True -*.kingcoffee.tw*, True -*.kingdem.com.au*, True -*.kingdombound.net*, True -*.kingdomofgeek.com*, True -*.kingdomseek.com*, True -*.kingdomstore.us*, True -*.king-followers.com*, True -*.kinghou.com*, True -*.kingkabuz.com*, True -*.kinglan.co*, True -*.kinglan.mobi*, True -*.kinglan.org*, True -*.kingmusik.biz*, True -*.kingofdata.com*, True -*.kingofthebay.co.za*, True -*.kingoftheworld.tk*, True -*.kingpine.info*, True -*.kingpine.org*, True -*.kingragnarok.com*, True -*.kingshair.ch*, True -*.kingshitdeluxe.com*, True -*.kingshomeservices.com*, True -*.kingsict.com*, True -*.kingsown.net*, True -*.kingstonestucco.com*, True -*.kingstownschool.cl*, True -*.kingtigermusic.com*, True -*.kingwebproxy.com*, True -*.kingwood-vpn.pw*, True -*.kinhcn.com*, True -*.kinkyromania.com*, True -*.kinmantech.org*, True -*.kinmedics.com*, True -*.kin-net.com*, True -*.kinnetix.com*, True -*.kino.co.za*, True -*.kinodubl.ru*, True -*.kinokinoxa.ru*, True -*.kinokomediy.ru*, True -*.kinomanya.su*, True -*.kinomgn.ru*, True -*.kino-smotret-online.ru*, True -*.kino-theatre.ru*, True -*.kinotheatre.ru*, True -*.kinpros.com*, True -*.kins.sg*, True -*.kionom.com*, True -*.kiosbatavia.tk*, True -*.kioshelm.com*, True -*.kioskads.info*, True -*.kiostenda.com*, True -*.kiosvin.ga*, True -*.kipepeosolutions.com*, True -*.kipermufit.com*, True -*.kipgebhardt.com*, True -*.kiptrak.com*, True -*.kipukysely.fi*, True -*.kir22.ru*, True -*.kirac.tk*, True -*.kiralaal.com*, True -*.kiralaveal.com*, True -*.kiralyfamily.org*, True -*.kiranails.co.il*, True -*.kiran.com.ar*, True -*.kiranda.ch*, True -*.kiranjoshi.com.np*, True -*.kiranstha.com.np*, True -*.kirbyandrebecca.com*, True -*.kirbyfamily.com.au*, True -*.kirelli.net*, True -*.kirillmaltsev.ru*, True -*.kirillvlasyuk.ru*, True -*.kirimcara.com*, True -*.kirimsms.com*, True -*.kirizki.com*, True -*.kirjapuntari.com*, True -*.kirkjacobs.com*, True -*.kirkner.com.ar*, True -*.kirkrhodesdesign.com*, True -*.kirkrobinsoninsulation.com.au*, True -*.kirkyskustoms.ca*, True -*.kironv.net*, True -*.kirra.net*, True -*.kirsco.id.au*, True -*.kirstenlindell.se*, True -*.kirstynall.tk*, True -*.kirtanadhikari.com.np*, True -*.kirthaul.com*, True -*.kirton.id.au*, True -*.kirwinnet.us*, True -*.kirzner.com.ar*, True -*.kiseki.cc*, True -*.kisekiproject.org*, True -*.kiseryv.cf*, True -*.kisgroup.be*, True -*.kishankc.com.np*, True -*.kishimototatuagens.com.br*, True -*.kisida.com*, True -*.kiskanet.com*, True -*.kiskiscupcakes.com*, True -*.kiskisventures.com*, True -*.kiskiswuwu.com*, True -*.kismotk.com*, True -*.kisni.ml*, True -*.kisni.tk*, True -*.kisogawa.net*, True -*.kisokos.tk*, True -*.kisrow.nl*, True -*.kiss-90.com*, True -*.kiss999.com*, True -*.kiss-99.com*, True -*.kissane.ie*, True -*.kissanime.tk*, True -*.kiss-chat.ml*, True -*.kisshajos.hu*, True -*.kissimmee.com.ar*, True -*.kissingweirdos.com*, True -*.kissit.co*, True -*.kissit.hk*, True -*.kisslink.biz*, True -*.kissmah.com*, True -*.kissmyass.ml*, True -*.kiss-ocn.com*, True -*.kisspanzio.ro*, True -*.kisstown.com*, True -*.kissyd.com*, True -*.kissyd.com.au*, True -*.kita-berti.ga*, True -*.kitagawa.org.uk*, True -*.kitamesum.com*, True -*.kitaptarama.com.tr*, True -*.kitashinsaku.com*, True -*.kitaura.com.ar*, True -*.kitayori.cl*, True -*.kitchan.org*, True -*.kitchencupboard.co.za*, True -*.kitchenfittingservice.co.uk*, True -*.kitchensinkrecovery.com*, True -*.kitchenstudio.com.au*, True -*.kitchentableenterprise.com*, True -*.kiterise.com*, True -*.kitformdiy.com.au*, True -*.kitm.co.id*, True -*.kitora.net*, True -*.kitor.pl*, True -*.kitpk.ru*, True -*.kitsfamilylaw.com*, True -*.kitsuhana.org*, True -*.kitsw-wind.tk*, True -*.kittehcraft.net*, True -*.kittie.eu*, True -*.kittieswithkapes.ca*, True -*.kitting.ca*, True -*.kittlefamily.com*, True -*.kittyanarchy.net*, True -*.kittycatty.com*, True -*.kittyisgood.com*, True -*.kittykill.com*, True -*.kittyricco.co.uk*, True -*.kittytimbo.com*, True -*.kitty.to*, True -*.kittyvamp.cf*, True -*.kitzhomeservice.at*, True -*.kitzinger.hu*, True -*.kiuss.ml*, True -*.kivakiva.fi*, True -*.kivinentiekirjailijaksi.fi*, True -*.kivu.co.uk*, True -*.kivunim-nosafim.co.il*, True -*.kiwicameron.com*, True -*.kiwichris.net*, True -*.kiwicounsellor.co.nz*, True -*.kiwimedia-hk.com*, True -*.kiwisoft.co.nz*, True -*.kiwisoft.nz*, True -*.kiwispot.net*, True -*.kiwwwi.com.ar*, True -*.kixxlube.com.my*, True -*.kizh.ch*, True -*.kizilelma.ch*, True -*.kizyert.cf*, True -*.kjabel.net*, True -*.kjappfot.com*, True -*.kjblaw.co.za*, True -*.kjem.org*, True -*.kje.us*, True -*.kjli.fi*, True -*.kjos.se*, True -*.k-jtv.com*, True -*.kjwaja.com.my*, True -*.kka64.com*, True -*.kka74.com*, True -*.kk-cb.com*, True -*.kkdas.info*, True -*.kkessler.net*, True -*.kkg68.com*, True -*.kkg78.com*, True -*.kkg88.com*, True -*.kkg98.com*, True -*.kki-mel.org*, True -*.kkk7-gd.com*, True -*.kkkk99.net*, True -*.kkkot.com*, True -*.kkk.sg*, True -*.kklmu.com*, True -*.kkn29.com*, True -*.kkn32.com*, True -*.kkn46.com*, True -*.kkn73.com*, True -*.kkn82.com*, True -*.kkn83.com*, True -*.kkpi.or.id*, True -*.kkrz.cf*, True -*.kkrz.eu*, True -*.kkrz.tk*, True -*.kkspromo.com*, True -*.kktperformancehorses.com*, True -*.kkt.ro*, True -*.kky79.com*, True -*.klaarphotography.com*, True -*.k-lab.tk*, True -*.kladroid.com*, True -*.klangklang.com*, True -*.klansmith.net*, True -*.klapa.eu*, True -*.klaptravel.tur.ar*, True -*.klaracosmetics.com*, True -*.klarizaclayton.co.uk*, True -*.klarsicht-visuals.ch*, True -*.klarsonneur.eu*, True -*.klasse3r.ch*, True -*.klasse4r.ch*, True -*.klassebeer.ch*, True -*.klassebuech.ch*, True -*.klasselengacher.ch*, True -*.klassentreffen2012.ch*, True -*.klassieker.net*, True -*.klater.co.za*, True -*.klausdorf.net*, True -*.klauto.ch*, True -*.klaveness.me*, True -*.klcitygallery.com*, True -*.kledingplaza.com*, True -*.kledingplaza.eu*, True -*.kledingplaza.nl*, True -*.kleding.ws*, True -*.kleek.es*, True -*.klegridge.com.au*, True -*.kleinebhshop.be*, True -*.kleinebhshop.eu*, True -*.kleingmain.at*, True -*.kleinkaroofrailcare.co.za*, True -*.kleintech.ca*, True -*.kleiva.net*, True -*.kleo.cl*, True -*.kleral-romania.ro*, True -*.kleshnina.com*, True -*.klesik.info*, True -*.kletterfranz.ch*, True -*.kletterhalle-winterthur.ch*, True -*.kleva.us*, True -*.klever-system.ro*, True -*.klibb.com*, True -*.klibbtools.com*, True -*.klienux.org*, True -*.klih.cz*, True -*.klikandro.info*, True -*.klikbtm.com*, True -*.k-like.eu*, True -*.kliker.co*, True -*.kliker.eu*, True -*.kliker.org*, True -*.klikmjc.com*, True -*.klikmobi.info*, True -*.kliknwin.com*, True -*.kliksense.com*, True -*.klik-solutions.com*, True -*.klikwebdesign.com*, True -*.klimaka.gr*, True -*.klimanovsky.com*, True -*.klimat.cl*, True -*.klimovsk-rosnou.ru*, True -*.klimtpeter.net*, True -*.klimuc.de*, True -*.klingler.us*, True -*.klinikadiwira.com*, True -*.klintimo.com*, True -*.klint.se*, True -*.klinvestment.com.au*, True -*.klippe.org.za*, True -*.klipp.su*, True -*.klipsler.com*, True -*.klkr.org*, True -*.klmok.com*, True -*.klnguyen.com*, True -*.klnl.info*, True -*.klnwcity.org*, True -*.klochwork.com*, True -*.klockars.com*, True -*.klodia.ru*, True -*.klokobetz.com*, True -*.klondikevbg.co.za*, True -*.klong-prao-resort.com*, True -*.klongyaw.net*, True -*.klonopin.ml*, True -*.klosefamily.com*, True -*.kloudpass.com*, True -*.kloudvirtual.net*, True -*.kloudz.org*, True -*.klovers.net*, True -*.kloxo.web.id*, True -*.klphp.org*, True -*.klpop.com*, True -*.klpop.my*, True -*.klsg.com*, True -*.klsg.net*, True -*.kls.inf.br*, True -*.klstover1.org*, True -*.klubsehat.com*, True -*.klubtop.si*, True -*.klugeworks.io*, True -*.klukec.net*, True -*.klumba.me*, True -*.klumpat.eu*, True -*.klxpress.com.my*, True -*.klyaksa.eu*, True -*.klynimage.com*, True -*.km20.ru*, True -*.km42.pro*, True -*.km4aln.com*, True -*.km4bhx.com*, True -*.km560.com*, True -*.km-72.com*, True -*.kmanonline.com*, True -*.kmarstructures.com*, True -*.kmartin.fr*, True -*.kmbajoclub.com*, True -*.kmbb.uk*, True -*.kmcero.cl*, True -*.kmcsrb.com*, True -*.kmetija-cigut.si*, True -*.kmetijskamehanizacija.si*, True -*.kmetijska-oprema.si*, True -*.kmg.sk*, True -*.kmiag.ch*, True -*.kmicallef.com*, True -*.kmiliz.com*, True -*.kmindustria.com*, True -*.kmm89.com*, True -*.kmm99.com*, True -*.kmm.ro*, True -*.kmn2.com*, True -*.kmnvhai.com*, True -*.kmodem.org*, True -*.kmpars.com*, True -*.kmppsemarang.com*, True -*.km-print.one.pl*, True -*.kmshop.ru*, True -*.kms.me*, True -*.kmszone.com*, True -*.kmtoverseas.tw*, True -*.kmtravel.ro*, True -*.kmvrodnik.ru*, True -*.kn0x.com*, True -*.kn4ck.net*, True -*.kn8.ch*, True -*.knaggsy-vps.co.uk*, True -*.knalkot.be*, True -*.knalpot.org*, True -*.knappserver.de*, True -*.knaptonandrasti.com*, True -*.knblok.tk*, True -*.knb.one.pl*, True -*.knd66.com*, True -*.knd77.com*, True -*.knd87.com*, True -*.knewmedia.com*, True -*.knick.tw*, True -*.knifethrowing.ru*, True -*.knightedcomix.com*, True -*.knight.gr*, True -*.knighthome.de*, True -*.knightlust.com*, True -*.knightmare.gq*, True -*.knightprotective.ca*, True -*.knightprotectiveservices.ca*, True -*.knight-rider.org*, True -*.knightsofgryphon.com*, True -*.knightsofkarbala.com*, True -*.knightsoflegend.net*, True -*.knightsofmurdoc.com*, True -*.knightsofragnarok.net*, True -*.knightsofreason.net*, True -*.knightsonline.net*, True -*.knightssolar.com.au*, True -*.kniitmu.ru*, True -*.knilon.com*, True -*.knitcloud.com*, True -*.knit-machines.com*, True -*.knit-me.ch*, True -*.knitme.ch*, True -*.knitsbybridget.com*, True -*.knitsi.ru*, True -*.kniznik.org*, True -*.knj21.com*, True -*.knkplane.tk*, True -*.knnkons.com*, True -*.knoacc.org*, True -*.knob.it*, True -*.knobtiger.com*, True -*.knockin.ch*, True -*.knockoffdesignerpurse.net*, True -*.knoest.cf*, True -*.knoest.ga*, True -*.knoest.gq*, True -*.knoest.tk*, True -*.knoker.tk*, True -*.knome.ru*, True -*.knosis.com.ar*, True -*.knotsandsawlines.com*, True -*.knottedleathers.net*, True -*.know24.net*, True -*.knowhower.com.ar*, True -*.knowledgeabilitist.com*, True -*.knowledge-tools.ga*, True -*.knowlesjoinery.co.uk*, True -*.knownbad.com*, True -*.knowthyself.org*, True -*.knowwaymore.com*, True -*.knowyourplace.tv*, True -*.knoxaccounting.co.uk*, True -*.knoxeh.com*, True -*.knoxi.ch*, True -*.knoxvillefamilylawyer.com*, True -*.knpm.net*, True -*.kntz.ml*, True -*.knuchel-gartenbau.ch*, True -*.knuples.net*, True -*.knutton.org*, True -*.knyte.org*, True -*.knz77.tk*, True -*.knzo.com.ar*, True -*.knz-phreakz.ml*, True -*.koakh.com*, True -*.koalisigaranggaring.com*, True -*.koall.tk*, True -*.koay.my*, True -*.kobalay.tk*, True -*.kobef.com*, True -*.kobelt.pro*, True -*.kobenas.com*, True -*.kobfetyr.cf*, True -*.koblenz.com.mx*, True -*.koblenz-electric.com*, True -*.koblenz-energia.com.mx*, True -*.kobliha.com.ar*, True -*.kobridge.com*, True -*.kobzar.biz*, True -*.kocaek.tk*, True -*.koce.ca*, True -*.koceng.net*, True -*.koceng.web.id*, True -*.kochab.com*, True -*.kochers.be*, True -*.kochfamily.us*, True -*.kochiwalker.tk*, True -*.kochkell.de*, True -*.koch-land.ch*, True -*.kochlaw.us*, True -*.kochobstacles.com*, True -*.kochundbring.ch*, True -*.kockmagazine.com*, True -*.kocoten1992.com*, True -*.koctascloud.com*, True -*.kocvagie.cf*, True -*.kodera.tk*, True -*.kodiakservices.ca*, True -*.kodiakservices.com*, True -*.kodiakwireline.ca*, True -*.kodiakwireline.com*, True -*.kodiakws.com*, True -*.kodim0308prm.mil.id*, True -*.kodirectory.com*, True -*.kodlar.im*, True -*.kodr.info*, True -*.kodypromocyjne.info*, True -*.kodyriker.com*, True -*.koeff.com*, True -*.koe.fi*, True -*.koellreutter.com*, True -*.koenignet.se*, True -*.koenigsberg.tk*, True -*.koenig.se*, True -*.ko-fam.com*, True -*.kofcmonroe.org*, True -*.koftecidukkani.com*, True -*.kogamas.at*, True -*.koguicloud.com*, True -*.kohanngoh.com*, True -*.koharu.asia*, True -*.kohchangprivilege.com*, True -*.koh-chang-resort.net*, True -*.koh-kood.com*, True -*.kohla.co.uk*, True -*.kohl.bz*, True -*.kohliabhi.tk*, True -*.kohlmeise.ch*, True -*.kohlschmidt.tk*, True -*.kohmakisland.com*, True -*.kohncloud.tk*, True -*.kohnevents.com*, True -*.kohnserver.tk*, True -*.kohnsports.com*, True -*.koh-samet.org*, True -*.koifin.com*, True -*.koile.com.ar*, True -*.koingratis.ga*, True -*.kointex.com*, True -*.koiralasaroj.com.np*, True -*.koivupera.fi*, True -*.kokebottlemodels.com*, True -*.koki-koli.ru*, True -*.kokiminang.net*, True -*.k-okny.com*, True -*.kokood.com*, True -*.kokosboll.com*, True -*.kokozone.com*, True -*.kokuakatsfarm.com*, True -*.koku.gr*, True -*.kolaborasi.com*, True -*.kolacz.ch*, True -*.kolahsefid.com*, True -*.kolala.cl*, True -*.kolb.mx*, True -*.kolchanov.tk*, True -*.koleksikelbo.web.id*, True -*.koleksiku.net*, True -*.kolesa.co*, True -*.kolkko.us*, True -*.kollektivfranz.ch*, True -*.kollikerfrers.com.ar*, True -*.kolmeseiska.fi*, True -*.kolody.net*, True -*.kolorbandit.web.id*, True -*.kolorpink.com*, True -*.koloskov.su*, True -*.kolowa-jkt.com*, True -*.kolpino.fm*, True -*.koltunski.pl*, True -*.kolya.org*, True -*.kom2.ru*, True -*.komalasari.tk*, True -*.komangkrisnanda.com*, True -*.komaroff.net*, True -*.kombeer.com.br*, True -*.kombier.com*, True -*.kombista.com*, True -*.kom.hu*, True -*.komirempalata.ru*, True -*.komisi-anda.com*, True -*.komisi-harian.com*, True -*.kommerc-mailings.ru*, True -*.komme-was-wolle.ch*, True -*.kommtnoch.com*, True -*.kommtnoch.org*, True -*.kommunar.info*, True -*.kompaniet.nu*, True -*.kompaso.com.br*, True -*.komper.us*, True -*.kompetenzzentrum-stiftungen.ch*, True -*.kompetisisaham.com*, True -*.kompile.net*, True -*.kompletepropertymanagement.com.au*, True -*.komponent.ro*, True -*.kompostiranjecloveskegagnoja.com*, True -*.komprise.de*, True -*.komputeo.com*, True -*.komputermurah.asia*, True -*.komputerowcy.org*, True -*.komputor.ml*, True -*.komshilook.net*, True -*.komugitonton.com*, True -*.komuka.net*, True -*.komunitasphreakerindonesia.tk*, True -*.komunitiimp.org*, True -*.komzias.gr*, True -*.kon42.com*, True -*.konak.ga*, True -*.konarkveg.in*, True -*.kona.ro*, True -*.konata.eu*, True -*.konata.fi*, True -*.konataworks.com*, True -*.konavijen.com*, True -*.konazero.co.uk*, True -*.konceptgroup.ro*, True -*.kondalex.net*, True -*.kondicijski.com*, True -*.kondicijski.eu*, True -*.kondicijski.net*, True -*.kondicijski.org*, True -*.kondicijski.si*, True -*.kondicijskitrener.com*, True -*.kondicijskitrener.eu*, True -*.kondicijskitrener.net*, True -*.kondicijskitrener.org*, True -*.kondicijskitrener.si*, True -*.konditionenvergleich.ch*, True -*.kondombocor.com*, True -*.kondratenko.org*, True -*.konforfurniture.co.uk*, True -*.kongrataumbayar.tk*, True -*.kongting.net*, True -*.konkarijohtaja.fi*, True -*.konkurssipesa.com*, True -*.konlabs.tk*, True -*.konnektomate.com*, True -*.konner.co.id*, True -*.konnichiwa-indonesia.com*, True -*.konopljapomaze.hr*, True -*.konradmills.com*, True -*.konradszarek.com*, True -*.konsaltakuatorial.com*, True -*.konsaltpro.net*, True -*.konslet.in*, True -*.konslet.net*, True -*.konsorsiumtravel.com*, True -*.konst-80.ru*, True -*.konstruksibangunan.com*, True -*.konstruksijalan.com*, True -*.konstruksilapanganfutsal.com*, True -*.konstruktion.co.uk*, True -*.konstruktivnsk.ru*, True -*.konsultansmartdetox.net*, True -*.konsultplus.com*, True -*.kontakbandartis.com*, True -*.kontaktlinsen.ch*, True -*.kontjokenthel.com*, True -*.konto-legitimation.de*, True -*.kontraktordanperalatankolamrenang.com*, True -*.kontraktorkolam.com*, True -*.kontraktor-kolamrenang.com*, True -*.kontraktor-kolomrenang.com*, True -*.konveksidekortenda.com*, True -*.konveksipalembang.com*, True -*.konveksiperlengkapanpesta.com*, True -*.konvett.com*, True -*.konvett.tk*, True -*.konzashero.com*, True -*.konzashero.org*, True -*.koocompany.com*, True -*.koodeker.com*, True -*.kookeatery.uk*, True -*.koopanet.com*, True -*.koopanet.net*, True -*.koopanet.us*, True -*.kooranagym.com*, True -*.kooranagym.com.au*, True -*.kooranagym.net.au*, True -*.kopame.com*, True -*.kopassus.org*, True -*.koperca.com*, True -*.koperhost.tv*, True -*.koperhost.us*, True -*.kopianujatim.tk*, True -*.kopichelsea.tk*, True -*.kopi.co.id*, True -*.kopihitam.ga*, True -*.kopi-ireng.cf*, True -*.kopimi.cf*, True -*.kopkar-kudus.com*, True -*.kopkom.nl*, True -*.koplarexzuu.tk*, True -*.koplax.net*, True -*.kopler.ga*, True -*.koplin.com.br*, True -*.koploidmp3.com*, True -*.koppel.com.ar*, True -*.koqi.co*, True -*.korablino.ru*, True -*.koralyrics.com*, True -*.koranplus.com*, True -*.koraybirand-backup.com*, True -*.koraybirand-home.com*, True -*.koraybirand.net*, True -*.koraybirand-office.com*, True -*.koray.biz*, True -*.koray.gen.tr*, True -*.koreacms.tk*, True -*.koreacult.com*, True -*.korealtors.com*, True -*.koreja.ga*, True -*.korenov.info*, True -*.korinf.ru*, True -*.korinthos.com.br*, True -*.korkeenkoirahoitola.fi*, True -*.korlyakov.ru*, True -*.korneev.su*, True -*.kornera.net*, True -*.kornet.co*, True -*.korneyev.su*, True -*.koroliova.ru*, True -*.korosfo.ro*, True -*.korpatsch.de*, True -*.korpelainen.eu*, True -*.korp.net.ru*, True -*.korprint.eu*, True -*.kor.pw*, True -*.korsi.com.ar*, True -*.kortingkaart.nl*, True -*.kortnacker.de*, True -*.korukoglu.com*, True -*.korvemaker.ca*, True -*.korvenmaa.net*, True -*.korvenoja.info*, True -*.koryphaee.at*, True -*.korywiesner.com*, True -*.kosaarts.co*, True -*.kosaarts.com*, True -*.kosalathip.com*, True -*.kosama.com.au*, True -*.kosandras.ro*, True -*.kosa-oakland.co*, True -*.koseoglu.org*, True -*.koshigi.com*, True -*.koshigi.ru*, True -*.koshka87.me*, True -*.koshki-dom.ru*, True -*.kositreat.com*, True -*.kos-kos.com*, True -*.kosmatos.net*, True -*.kosmetik-ateliernsurenmann.ch*, True -*.kosmetikgood.ch*, True -*.kosmetik-wajah.com*, True -*.kosmi.pl*, True -*.kosmogroup.my*, True -*.kosmosmusic.org*, True -*.kosnet.xyz*, True -*.koson-sf.ro*, True -*.kosphotography.be*, True -*.kostadinov.ch*, True -*.kostasfish.ro*, True -*.kostiw.eu*, True -*.kostyay.name*, True -*.koszyk.org*, True -*.kot154.ru*, True -*.kotakcurhat.com*, True -*.kota.ninja*, True -*.kot-divuar.ru*, True -*.kotelniki.net*, True -*.kotence.net*, True -*.kotiki-narkotiki.ru*, True -*.kotikolo.me*, True -*.kotintube.com*, True -*.kotipantti.fi*, True -*.kotipesu.fi*, True -*.kotkowski.net*, True -*.ko.tl*, True -*.kotobuki.ga*, True -*.kotomo.com*, True -*.kotsiou-tours.com*, True -*.kouellet.info*, True -*.koujalgikitebidar.org*, True -*.koukopoulos.eu*, True -*.koulouki.com*, True -*.koulouty.com*, True -*.kounavis.gr*, True -*.kouponkraze.com*, True -*.koutech.com*, True -*.koutlis.eu*, True -*.koutlis.net*, True -*.koutlis.org*, True -*.koutsouris.net*, True -*.kouzaikaori.com*, True -*.kouzinaki.gr*, True -*.kovacsauto.ro*, True -*.kovalev.tk*, True -*.koval.pro*, True -*.kovinoplastika-benda.si*, True -*.kovkyr.ru*, True -*.kovland.com*, True -*.kovrovmedia.ru*, True -*.kowaileet.com*, True -*.kowalczyki.eu*, True -*.kowale.net*, True -*.kowar.info*, True -*.kowloon.ml*, True -*.koyammapu.cl*, True -*.kozinski.ca*, True -*.kozionov.tk*, True -*.kozmeticni-salon.tk*, True -*.kozmozinc.com*, True -*.kozmubg.net*, True -*.kozos.com*, True -*.kozradio.biz*, True -*.kozuchowska7.tk*, True -*.kp33.ru*, True -*.kp3.co.id*, True -*.kp911.com.ar*, True -*.kp-bhusal.com.np*, True -*.kpcompany.be*, True -*.kpe-co.com*, True -*.kpeppe.com*, True -*.kperuns.cf*, True -*.kpeter.com*, True -*.kpkteam.ml*, True -*.kpl.com.np*, True -*.kplusconcepts.com*, True -*.kpophost.com*, True -*.kpopk.info*, True -*.kpoudel.com.np*, True -*.kpova.ru*, True -*.kpparajuli.com.np*, True -*.kppi.or.id*, True -*.kprindo.com*, True -*.kprogs.com*, True -*.kprp.net*, True -*.kprsaya.com*, True -*.kptnews.ch*, True -*.kpts.com.ar*, True -*.kpud-agamkab.go.id*, True -*.kpu-pinrangkab.go.id*, True -*.kqpublishing.net*, True -*.kqpublishing.org*, True -*.kraal.se*, True -*.krabbyindonesia.com*, True -*.krabi-hotel.info*, True -*.krabi-trips.com*, True -*.krabs.de*, True -*.kradeca.com*, True -*.kraftdental.ro*, True -*.krahl.com.br*, True -*.krakensoft.net*, True -*.krakensreach.com*, True -*.krakhofer.org*, True -*.kralin.su*, True -*.kralj.org*, True -*.krampek.net*, True -*.krangkring.com*, True -*.krankensoftware.com*, True -*.krapek-team.net*, True -*.krasae.org*, True -*.krash.net*, True -*.krasiangelov.com*, True -*.kraski-germetiki.ru*, True -*.krasne-saty.cz*, True -*.krasne-saty.sk*, True -*.krasnesaty.sk*, True -*.krasnoff.info*, True -*.krasnyyliman.ru*, True -*.krasnyysulin.ru*, True -*.krasrest.ru*, True -*.krassoft.ru*, True -*.krastel.com*, True -*.krastins.eu*, True -*.kratz.com.br*, True -*.kraventology.com*, True -*.kray.ca*, True -*.kraytul.com*, True -*.kraz3d.com*, True -*.kraz3d.net*, True -*.krazycraig.com*, True -*.krcosmo.com*, True -*.kreadi.cl*, True -*.krealo.cl*, True -*.kreasi-fb.us*, True -*.kreasikamu.co*, True -*.kreasi.ml*, True -*.kreasisemestanusa.com*, True -*.kreasiundangan.com*, True -*.kreathor.ro*, True -*.kreatif-berbagi.com*, True -*.kreativ-consulting.cl*, True -*.kreativconsulting.cl*, True -*.kreativ-consulting.com.ve*, True -*.kreativ-consulting.net*, True -*.kreativeslernen.ch*, True -*.kreativ-portal.com*, True -*.kreativum.pl*, True -*.krebelj.net*, True -*.kreditmurah.com*, True -*.kredytlinia.pl*, True -*.kreider.org*, True -*.k-rei.eu*, True -*.krein.net*, True -*.krein.org*, True -*.kreisrot.at*, True -*.krejzi.si*, True -*.krenger.ch*, True -*.krenkler.ninja*, True -*.kreoweb.cl*, True -*.kres.ca*, True -*.kressimusic.ru*, True -*.kretamare.gr*, True -*.kreten.si*, True -*.krian.org*, True -*.kribestereo.com*, True -*.kridapujimulyolestari.com*, True -*.kridhamultiniagaprima.com*, True -*.kriegville.com*, True -*.kriewitz.de*, True -*.kriewitz.eu*, True -*.kriewitz.info*, True -*.kriewitz.name*, True -*.kriewitz.org*, True -*.kriger.co.za*, True -*.krig.fi*, True -*.krigon.tk*, True -*.krikorian.ca*, True -*.krimel.com*, True -*.krimsonwear.com*, True -*.kringstad.biz*, True -*.krinner.gr*, True -*.kriogamer.com*, True -*.kri.or.id*, True -*.kripl.org*, True -*.kripton.org*, True -*.kripul.ga*, True -*.krisfeltrin.tk*, True -*.krishakandel.com.np*, True -*.krishnagroups.net*, True -*.krishnaguragain.com.np*, True -*.krishnapranav.com*, True -*.krishorsman.com*, True -*.krishorsman.com.au*, True -*.krishpatel.co.uk*, True -*.kriskobinz.tk*, True -*.krisna.asia*, True -*.krisnaonline.com*, True -*.krisoijn.com*, True -*.kristal-sentjernej.si*, True -*.kristaps.id.lv*, True -*.kristatortora.com*, True -*.kristenduvall.com*, True -*.kris-tiyan.com*, True -*.kristiyandobrev.eu*, True -*.kristiyanto.com*, True -*.kristjankuzma.com*, True -*.kristyandaaron.com*, True -*.kritee.com.np*, True -*.kritho.com*, True -*.kritical.info*, True -*.kritical.org*, True -*.kritingbanget.tk*, True -*.krityu.tk*, True -*.krl.com.np*, True -*.k-rlitos.com*, True -*.krlitos.com*, True -*.krmac.si*, True -*.krmar.net*, True -*.krnc.biz*, True -*.krneki.biz*, True -*.krnjevic.com*, True -*.kroah.net*, True -*.krobath-brunner.ch*, True -*.krochmal.co.il*, True -*.kroeger-corp.com*, True -*.krohnir.com.ar*, True -*.kroks.co.za*, True -*.kroky.org.ru*, True -*.kroncong.co*, True -*.krones.net*, True -*.kronheffer.se*, True -*.kronosgo.com*, True -*.kronosoft.ca*, True -*.kron-vet.ro*, True -*.kropf-transport.ch*, True -*.krotish.com*, True -*.krowenlaw.co.uk*, True -*.krskminus.ru*, True -*.krs.me*, True -*.kr-trans.ru*, True -*.kruathai108.com*, True -*.krubsack.us*, True -*.krugerlabs.us*, True -*.krugertech.co.za*, True -*.kruglov.org*, True -*.krumin.com*, True -*.krungely.com*, True -*.krusemarks.com*, True -*.krush4me.com*, True -*.kruszynski.info*, True -*.kruzerrecruitment.com.au*, True -*.krwhitney.net*, True -*.kryksyh.org*, True -*.kryoniikka.fi*, True -*.kryptonitecomputing.ca*, True -*.kryptonitecomputing.com*, True -*.krystalgamer.cf*, True -*.krystalitsolutions.com*, True -*.krystalpc.com*, True -*.krystaltek.com*, True -*.krystinshipsthroughtheworld.me*, True -*.krystosterone.com*, True -*.krzalic.com*, True -*.krzysztof.eu*, True -*.ksatria-hafidz.com*, True -*.ksb66.com*, True -*.ksb78.com*, True -*.ksb87.com*, True -*.ksb.co.id*, True -*.ksbradio.cl*, True -*.ksc91u.info*, True -*.ks-cube.tk*, True -*.kse66.com*, True -*.ksenchy.org*, True -*.kseneman.si*, True -*.ksenia.ro*, True -*.kseveru.ru*, True -*.ksevrakotes.com*, True -*.ksfos.net*, True -*.ksglove.com*, True -*.kshealthjobs.net*, True -*.kshetriamrit.com.np*, True -*.kshitizpaudel.com.np*, True -*.ksided-dice.com*, True -*.ksideks.com*, True -*.ksii.org*, True -*.ksingh.net*, True -*.ksin.me*, True -*.ksjent.com*, True -*.ksk.co.id*, True -*.ksk-saratov.ru*, True -*.ksl-elrahma.com*, True -*.ksmets.be*, True -*.ksmillett.net*, True -*.ksml.hk*, True -*.ksn2k.tk*, True -*.ksocial.net*, True -*.kspartner.com.au*, True -*.ksp.lt*, True -*.kspro.biz*, True -*.ks-psy.ru*, True -*.ksrichi.com*, True -*.ksrv.net*, True -*.kssry.fi*, True -*.kstar.us*, True -*.ks-toolz.de*, True -*.kst.ru*, True -*.ks-ua.tk*, True -*.ksupport.ru*, True -*.ksys.com.ar*, True -*.ksyu.net*, True -*.ksze-ifi-netradio.tk*, True -*.kt345.com*, True -*.ktandruss.com*, True -*.ktandsal.com*, True -*.ktb.adv.br*, True -*.ktc66.com*, True -*.ktc77.com*, True -*.ktc87.com*, True -*.ktdidllc.com*, True -*.ktgps.org*, True -*.kthstationery.com*, True -*.kthx.biz*, True -*.ktk.si*, True -*.ktkteamspeak.com*, True -*.ktonga.com.ar*, True -*.ktos.tk*, True -*.kts25.com*, True -*.kts79.com*, True -*.ktsaty.kz*, True -*.ktslogisticsltd.com*, True -*.ktsolutions.us*, True -*.ktt77.com*, True -*.ktt87.com*, True -*.ktt88.com*, True -*.ktt98.com*, True -*.ktvphil.com*, True -*.ktw.one.pl*, True -*.ktx-7788.com*, True -*.ktx-8282.com*, True -*.ktx-8585.com*, True -*.kty01.com*, True -*.kty33.com*, True -*.kty54.com*, True -*.kty77.com*, True -*.kty84.com*, True -*.ktzone.org*, True -*.ku4oy.us*, True -*.kuaibo222.com*, True -*.kuaibo333.com*, True -*.kuaibo444.com*, True -*.kuaibo666.com*, True -*.kuaibo888.com*, True -*.kuamati.com*, True -*.kuanglong.biz*, True -*.kuangyang.com.tw*, True -*.kuanndah.com*, True -*.kuarikas.gq*, True -*.kuasahijau.com.my*, True -*.kuasarakyat.net*, True -*.kubahwisata.com*, True -*.kubany.ru*, True -*.kubas.biz*, True -*.kubayar.com*, True -*.kubbagroup.net*, True -*.kubel.com.au*, True -*.kubera.ro*, True -*.kubik.ro*, True -*.kubit.ro*, True -*.kuboo.com.br*, True -*.kucerdas.com*, True -*.kuchimall.com*, True -*.kuchniatajska.pl*, True -*.kucing.net*, True -*.kudaba.com*, True -*.kuddlecoat.com*, True -*.kudoint.com*, True -*.kudos.cf*, True -*.kudos.ga*, True -*.kudos.ml*, True -*.kuede.info*, True -*.kuehlers.de*, True -*.kuelblaz.com*, True -*.kuenzle-massagen.ch*, True -*.kueritips.com*, True -*.kuffar.tk*, True -*.kugadai.com*, True -*.kuhinjeles.hr*, True -*.kuhlix.tk*, True -*.kuittitoimisto.fi*, True -*.kujai.com*, True -*.kujamin.com*, True -*.kujansuu.fi*, True -*.kujemput.com*, True -*.kukibet.com.ar*, True -*.kukin.net*, True -*.kukkonen.ca*, True -*.kukova.com*, True -*.kukov.com*, True -*.kukuhdwi.tk*, True -*.kul1g.net*, True -*.kul1g.org*, True -*.kulakoski.com*, True -*.kulamani.com.np*, True -*.kulavruttant.in*, True -*.kulelang.com*, True -*.kuli4.ru*, True -*.kulicki.com*, True -*.kulloonkaihdin.fi*, True -*.kulonku.tk*, True -*.kultmedia.it*, True -*.kulturimshop.ch*, True -*.kulturinitiativezurich.ch*, True -*.kulturraub.ch*, True -*.kultwiki.net*, True -*.kumachan.asia*, True -*.kumara48.tk*, True -*.kumax.ru*, True -*.kumli.ch*, True -*.kumofiles.com*, True -*.kumory-band.ml*, True -*.kump.si*, True -*.kumpulankata-kata.tk*, True -*.kumpulanlagu.info*, True -*.kumpulanterbaru.info*, True -*.kunacel2009.hu*, True -*.kunambuta.net*, True -*.kunc-dc.cz*, True -*.kuncen.ml*, True -*.kundasang.my*, True -*.kunder.sk*, True -*.kundupapa.com*, True -*.kungfuactiongrip.com*, True -*.kungfukatie.com*, True -*.kunglin.com*, True -*.kuni93.moe*, True -*.kuniaki.com*, True -*.kunioplay.tk*, True -*.kunjungiindonesia.com*, True -*.kunstlauf.ch*, True -*.kunstrelief.ch*, True -*.kunstsaite.ch*, True -*.kuntic.net*, True -*.kunyuk.ga*, True -*.kunzashero.com*, True -*.kunzsamuel.ch*, True -*.kuo1.tk*, True -*.kuori.net*, True -*.kuosmanen.me*, True -*.kupandai.com*, True -*.kupandang.com*, True -*.kupandu.com*, True -*.kupastikan.com*, True -*.kupiantivirus.ru*, True -*.kupibu.ru*, True -*.kupipodjetje.si*, True -*.kupisega.com*, True -*.kupitrend.ru*, True -*.kupka-rv.de*, True -*.kuponmarket.si*, True -*.kuponstore.ru*, True -*.kuppingercabin.com*, True -*.kupujceneje.si*, True -*.kupujmoceneje.si*, True -*.kupyansk.ru*, True -*.kurabi-ye.com*, True -*.kurakinen.cl*, True -*.kura-kura.ninja*, True -*.kurandanaciklamalar.com*, True -*.kurantek.com*, True -*.kuraoficial.com.br*, True -*.kurchatovez.ru*, True -*.kurdtcoba.in*, True -*.kurgan-telecom.ru*, True -*.kurikulum2013.info*, True -*.kurikulum2013.net*, True -*.kurima.co.za*, True -*.kurir.web.id*, True -*.kuriva.si*, True -*.kurmastudio.com*, True -*.kurnath.com*, True -*.kurniabuana.com*, True -*.kurnia-meubel.com*, True -*.kurniawan-shop.ml*, True -*.kuroimatan.info*, True -*.kurokitten.tk*, True -*.kuroyukihi.me*, True -*.kurp.co.uk*, True -*.kurpiel.waw.pl*, True -*.kurtreifler.com*, True -*.kurup.guru*, True -*.kururu.asia*, True -*.kururu.info*, True -*.kurzfilmfestival.ch*, True -*.kurztest.com*, True -*.kusambung.com*, True -*.kushagragour.in*, True -*.kushbiz.com*, True -*.kushout.org*, True -*.kush.tk*, True -*.kustom-garage.ro*, True -*.kustomrig.fi*, True -*.kusu.com.my*, True -*.kusumo.web.id*, True -*.kusut.net*, True -*.kusweet.com*, True -*.kutak.rs*, True -*.kutatap.com*, True -*.kutchomine.ca*, True -*.kutique.web.id*, True -*.kutti.ch*, True -*.kuttlers.com*, True -*.kuwaitfeel.com*, True -*.kuwaitzone.com*, True -*.kuwera.biz*, True -*.kuyuen.net*, True -*.kuzaku.us*, True -*.kuzina.co.il*, True -*.kuzmancoiffure.ch*, True -*.kuzovnikov.com*, True -*.kuzselimre.info*, True -*.kv22.ru*, True -*.kv25.ru*, True -*.kv700.com*, True -*.kvanspb.ru*, True -*.kvantorlab.ru*, True -*.kvarnsvedjan.se*, True -*.kvca.com.au*, True -*.kvhcloud.de*, True -*.kvikshaug.no*, True -*.kvlasov.ru*, True -*.kvlrbalicloth.com*, True -*.kvlt.info*, True -*.kvn.com.au*, True -*.kvr-postojna.com*, True -*.kvs-consult.ru*, True -*.k.vu*, True -*.kw217.com*, True -*.kw920.pl*, True -*.kwa66.com*, True -*.kwa88.com*, True -*.kwach.org*, True -*.kwaibox.com*, True -*.kwaichungplaza.com*, True -*.kwan.ac*, True -*.kwangho.com*, True -*.kwantumleap.sg*, True -*.kwarkrecords.com*, True -*.kwchicago.com*, True -*.kwcp.com*, True -*.kwcp.hk*, True -*.kwendekefentse.ca*, True -*.kwendekefentse.com*, True -*.kweon.tk*, True -*.kwgranitecountertops.com*, True -*.kwiaciarnia-piotrmarzec.pl*, True -*.kwickbid.com*, True -*.kwickservers.com*, True -*.kwirita.com*, True -*.kwitrick.com*, True -*.kwojn.tk*, True -*.kwonic.com*, True -*.kworx.ru*, True -*.kwrmc.net.au*, True -*.kwshh.com*, True -*.kxdocs.com*, True -*.kxp.ru*, True -*.ky80.net*, True -*.kyal.pl*, True -*.kyau.net*, True -*.kychawanelectric.com*, True -*.kycwc.com*, True -*.kydallas.com*, True -*.kydev.ru*, True -*.kyerussell.net*, True -*.kykjy.co.za*, True -*.kylacolvin.com.au*, True -*.kyleconstance.com*, True -*.kyled2012.info*, True -*.kyledettman.com*, True -*.kyledew.com*, True -*.kylegp.com*, True -*.kylehase.com*, True -*.kyleklemmer.com*, True -*.kylelemarbe.com*, True -*.kyleloves.us*, True -*.kylemckernon.com*, True -*.kylepaas.com*, True -*.kyleroden.com*, True -*.kyle-sandilands.org*, True -*.kyleswisdom.com*, True -*.kylewilson.info*, True -*.kylewisdom.com*, True -*.kylie.hk*, True -*.kylo.one.pl*, True -*.kylr.net*, True -*.kymic.co.za*, True -*.kymppi.org*, True -*.kynetonweather.info*, True -*.kyniema8.com*, True -*.kyojin.jp*, True -*.kyojp.com*, True -*.kyol.com.ar*, True -*.kyoni.tw*, True -*.kyorisu.net*, True -*.kyos.es*, True -*.kyraya.com*, True -*.kyrgyzstan.kg*, True -*.kyrgyzweb.org*, True -*.kyriazis.org*, True -*.kyro.co*, True -*.kyttaro.cl*, True -*.kyubico.com*, True -*.kyu.cc*, True -*.kyungbok.org*, True -*.kyuseki.net*, True -*.kyuubi.cf*, True -*.kyuubi.ga*, True -*.kyuubi.ml*, True -*.kyuubi.tk*, True -*.kyver.com*, True -*.kzc29.com*, True -*.kzc58.com*, True -*.kzc.kz*, True -*.kzcraft.com*, True -*.kznbadminton.co.za*, True -*.kznmtb.co.za*, True -*.kzone.co*, True -*.k-zone.com*, True -*.k-zone.hk*, True -*.kzone.hk*, True -*.k-zone.net*, True -*.kz-porno.ru*, True -*.l0calh0st.info*, True -*.l0ser.ml*, True -*.l0w.us*, True -*.l1l21.org*, True -*.l1nux.cf*, True -*.l2aepvp.net*, True -*.l2dawn.net*, True -*.l2gw.ru*, True -*.l2hellgate.com*, True -*.l2hideaway.com*, True -*.l2merak.com*, True -*.l2merak.net*, True -*.l2olimpio.net*, True -*.l2open.net*, True -*.l2relapse.com*, True -*.l2streetmachine.com*, True -*.l2t6m.com*, True -*.l2tp.org*, True -*.l2vintage.cl*, True -*.l2wargate.com*, True -*.l301.us*, True -*.l33tb33ns.com*, True -*.l33th34v3n.net*, True -*.l33t.ro*, True -*.l3tp.org*, True -*.l4k3t3.com*, True -*.l5.ca*, True -*.l8d.org*, True -*.l99.us*, True -*.la1taxi.com*, True -*.laadnetwork.com*, True -*.laaldinger.co.uk*, True -*.laalparifilm.org*, True -*.laarenosa.biz*, True -*.la-artspace.com*, True -*.laasparrenaquequeremos.es*, True -*.laazioo.fi*, True -*.lab1407.com*, True -*.lab911.com*, True -*.labagualaviajera.com.ar*, True -*.labanderablanca.com.ar*, True -*.lab-btdn.com*, True -*.labcrypto.org*, True -*.labdecorarte.it*, True -*.labdeideas.si*, True -*.labdiagnotest.com*, True -*.labdiagnotest.com.ar*, True -*.labdiana.com*, True -*.labeautedesanges.ch*, True -*.la-beaute-pure.be*, True -*.label.lv*, True -*.labelnuit.org*, True -*.la-beta.ro*, True -*.labetulla.ch*, True -*.labgarreguevara.com.ar*, True -*.labgest.com*, True -*.labgest.pt*, True -*.labhw.com*, True -*.labidraugi.lv*, True -*.labint.com.ar*, True -*.labitas.com.ar*, True -*.labmatematika.com*, True -*.labo.ch*, True -*.labogenilloud.ch*, True -*.laboheme.ru*, True -*.labo-huwiler.ch*, True -*.labonnepart.org*, True -*.laboratorioace.com.ar*, True -*.laboratoriodafe.pt*, True -*.laboratoriodeloeste.com.ar*, True -*.laboratoriojuvenil.cl*, True -*.laboratoriorc.com.ar*, True -*.laboratoriosdavis.cl*, True -*.laboratoriosprolac.com*, True -*.laboratoriovetue.com*, True -*.laboratoriovetue.com.ar*, True -*.labormedia.cl*, True -*.laborterapia.com.br*, True -*.labosistema.pt*, True -*.labourersministry.org*, True -*.laboutiqueauxlampes.ch*, True -*.laboyitatrust.com.ar*, True -*.labpps.ru*, True -*.labpromo.com*, True -*.labrabanconne.be*, True -*.la-braderie.ch*, True -*.labradorbakery.com*, True -*.labraki.gr*, True -*.labruschetta.ch*, True -*.labrysandcross.net*, True -*.labsurlab.org*, True -*.labtagle.com*, True -*.labtecno.tk*, True -*.labulesca.it*, True -*.labulledesavon.ch*, True -*.la-bulle-precieuse.ch*, True -*.labuta.ro*, True -*.labyc.com.ar*, True -*.labyrinthtech.tk*, True -*.labzin.net*, True -*.lacadmin.com*, True -*.lacagnina.ch*, True -*.lacak.info*, True -*.lacamaractes.com.ar*, True -*.lacanastadematilde.cl*, True -*.lacan.sk*, True -*.lacarpa.cl*, True -*.lacasaclos.cl*, True -*.lacasaclublatino.com.ar*, True -*.lacasacomics.com*, True -*.lacasadehr.com.ar*, True -*.lacasadejana.com.ar*, True -*.lacasadelfungo.com*, True -*.lacasadelguisado.com*, True -*.lacasadelmambo.cl*, True -*.lacasadelmarmol.com.ar*, True -*.lacasadibacco.it*, True -*.lacasaenelaire.cl*, True -*.lacasaverde.cl*, True -*.lacashina.com*, True -*.laccordeurdupiano.ch*, True -*.lacer.tk*, True -*.lachicadeltaxi.com*, True -*.lachirigringa.com*, True -*.lachirigringa.net*, True -*.lachirigringa.org*, True -*.lachirigringaproject.com*, True -*.lachlandewaard.org*, True -*.lachona.co.uk*, True -*.lachouve.ch*, True -*.lacie-unlam.org*, True -*.lacipres.org*, True -*.lackma.mx*, True -*.lackneets.tw*, True -*.lacko.com.au*, True -*.lackste.in*, True -*.lackstein.com*, True -*.lacocinadegarci.es*, True -*.lacolombesarl.ch*, True -*.lacomarcabritish.com.ar*, True -*.lacomarcacattery.com.ar*, True -*.lacomunidad.com.ar*, True -*.laconianherbsociety.gr*, True -*.lacramioara-raileanu.ro*, True -*.lacroixs.net*, True -*.lactanciadiferida.cl*, True -*.lacteoslauca.cl*, True -*.lacunza.com.ar*, True -*.lacurts.com*, True -*.lacustre.cl*, True -*.lacustredelsud.com.ar*, True -*.ladatap.com*, True -*.lad-consult.be*, True -*.lad-consult.lu*, True -*.ladderman.com*, True -*.ladecoiffe.com*, True -*.ladecuero.com*, True -*.ladehusgruenig.ch*, True -*.la-dentblanche.ch*, True -*.ladeseada.org.ar*, True -*.ladewigfortrustee.com*, True -*.ladiariasv.com*, True -*.ladiesequivalent.com*, True -*.ladiesflyfirst.com*, True -*.ladina.com.au*, True -*.ladinaphotography.com*, True -*.ladinaphotography.com.au*, True -*.ladi.ro*, True -*.ladiscutii.ro*, True -*.ladlab.org*, True -*.ladmo.net*, True -*.la-documentation-moderne.fr*, True -*.ladrillostandil.com.ar*, True -*.ladskitchen.com*, True -*.ladugnanese.it*, True -*.ladulceseguros.com.ar*, True -*.lady-ba.xyz*, True -*.ladybeast.com.au*, True -*.ladybecky.co.uk*, True -*.ladyboy.ca*, True -*.ladyboy.com.br*, True -*.lady-land.ch*, True -*.ladylikedeals.com*, True -*.ladymell.com*, True -*.ladypeculiar.co.za*, True -*.ladypharoh.com*, True -*.ladyship.com.au*, True -*.ladyship.co.nz*, True -*.ladysmithapteek.co.za*, True -*.ladyzine.com*, True -*.laely.web.id*, True -*.laensenadatela.com*, True -*.laep.ch*, True -*.laepp.ch*, True -*.laeppen.ch*, True -*.laepp-maschinenag.ch*, True -*.laeppmaschinenag.ch*, True -*.laepp-maschinen.ch*, True -*.laeppmaschinen.ch*, True -*.laesquinamotos.com.ar*, True -*.laeutanasia.com.ar*, True -*.la-ex.com*, True -*.lafamiglia.com.my*, True -*.lafamilia.ro*, True -*.lafarmacia.com.ar*, True -*.lafasofane.com*, True -*.lafbilaf.ir*, True -*.lafc.co.za*, True -*.lafcosa.com*, True -*.lafemmemecca.com.au*, True -*.lafermetal.cl*, True -*.lafiacarock.com.ar*, True -*.laficelle.com.au*, True -*.lafiel.net*, True -*.lafinu.ro*, True -*.laflorarie.ro*, True -*.lafontainewhitby.ca*, True -*.laforgaxia.com*, True -*.laforgaxia.es*, True -*.lafpad.org*, True -*.lafsystem.tk*, True -*.lafuria.co*, True -*.lag2.us*, True -*.lagam.net*, True -*.lagana.com.ar*, True -*.lagcraft.com*, True -*.lageer.com*, True -*.lagermex1.com.mx*, True -*.lagi2.cf*, True -*.lagi2.gq*, True -*.lagi2.ml*, True -*.lagimodiere.ca*, True -*.lagoshurtado.cl*, True -*.lagosistemas.com.br*, True -*.lagranda.ro*, True -*.laguacha.cl*, True -*.lagubaru.ml*, True -*.laguerradelossexos.com.ar*, True -*.lagugaul.com*, True -*.laguhits.us*, True -*.laguin.cf*, True -*.lagu-indo.com*, True -*.lagukita.org*, True -*.lagukita.xyz*, True -*.lagu-laguhits.com*, True -*.lagulagump3.com*, True -*.lagump3faus.com*, True -*.lagump3.ru*, True -*.lagunadelosrobles.com.ar*, True -*.lagunegeri.com*, True -*.lagupilihan.com*, True -*.lagu-top.net*, True -*.laguvideo.com*, True -*.lahimatka.fi*, True -*.lahipotenusa.com.ar*, True -*.lahna.com*, True -*.lahorechannel.com*, True -*.lahorechannel.ml*, True -*.lahore.ga*, True -*.lahoya.com.ar*, True -*.lahtachev.ru*, True -*.laidigs.com*, True -*.lai-hk.info*, True -*.lailaw.us*, True -*.laillisettorrentit.net*, True -*.lai.my*, True -*.laina-automaatti.fi*, True -*.lainatalo.fi*, True -*.lain.ch*, True -*.laingcorp.co.uk*, True -*.laintech.com.ar*, True -*.lainternationalautosales.com*, True -*.laintranet.es*, True -*.laipak.com*, True -*.lairmore.net*, True -*.laisvalaikioprojektai.info*, True -*.laitinmaki.fi*, True -*.laiyifa.ml*, True -*.laiyipao.ml*, True -*.laiyipao.tk*, True -*.lajaulasinpuerta.cl*, True -*.laj.ca*, True -*.lajecapital.pt*, True -*.lajka.si*, True -*.lajtar.ro*, True -*.la-juana.com.ar*, True -*.lajuandomingotuc.com.ar*, True -*.lakasfelugyelet.com*, True -*.lakaskezelo.com*, True -*.lake-balls.be*, True -*.lakeballs.nl*, True -*.lakedistrictballroom.com*, True -*.lakeerieunsalted.com*, True -*.lakeforestdrive.info*, True -*.lakegeorgezone.com*, True -*.lakehuronunsalted.com*, True -*.lakelegends.com*, True -*.lakengrenlaserfest.com*, True -*.lakeontariounsalted.com*, True -*.lake-ozark-condo-rental.com*, True -*.lakeozarks-kofc.org*, True -*.lakeshoretavern.com*, True -*.lakesidemotorsblm.com*, True -*.lakespeed.com*, True -*.lakesuperiorunsalted.com*, True -*.laketahoechalet.com*, True -*.lakewaystorage.com*, True -*.lakewriters.com*, True -*.lakioi.info*, True -*.lakisoft.hu*, True -*.lakomdol.com*, True -*.lalalauk.com*, True -*.lalani.com*, True -*.lalani.us*, True -*.lalaplo.com*, True -*.lalee.org*, True -*.lalignedor.com*, True -*.lalloni.com.ar*, True -*.lalumondier.com*, True -*.laluneta.com.ar*, True -*.lalupara.com*, True -*.laluxassurances.lu*, True -*.lamadrina.cl*, True -*.lamagdeleine.com*, True -*.lamailleplissage.com*, True -*.la-maison-bleue.ch*, True -*.lamamamare.ro*, True -*.lamandala.cl*, True -*.lamandragore.ch*, True -*.lamanoediciones.cl*, True -*.lamarchepearson.com*, True -*.lamarck.hk*, True -*.lamasdorada.com*, True -*.lamatrizmdp.com.ar*, True -*.lama.tw*, True -*.lambda.cf*, True -*.lambdacomplex.org*, True -*.lambdacore.org*, True -*.lambdatelcom.cl*, True -*.lambdax.net*, True -*.lambeletherve.ch*, True -*.lambermon.eu*, True -*.lambocarparts.com*, True -*.lambolounge.net*, True -*.lamborghinimods.com*, True -*.lambrou.me*, True -*.lamedas.com*, True -*.lamedecine.net*, True -*.lamega.fm*, True -*.lameladieva.biz*, True -*.lametool.us*, True -*.lamfhada.com*, True -*.lamici.ro*, True -*.lamiflex.cl*, True -*.lamilagrosa.cl*, True -*.lamiral.ch*, True -*.lamivolt.com*, True -*.lamivolts.com*, True -*.lamm-info.com*, True -*.lamnguyen.com.vn*, True -*.lamodadelaindia.cl*, True -*.lamo.ro*, True -*.lamosca.cl*, True -*.lampubis.com*, True -*.lampuglodok.com*, True -*.lampuindustrimurah.com*, True -*.lampuledlighting.com*, True -*.lampung.cf*, True -*.lampung.jp*, True -*.lampung.ml*, True -*.lampungtranz.com*, True -*.lampupju.com*, True -*.lampupolisi.com*, True -*.lampurotari.com*, True -*.lampurotary.com*, True -*.lampurotator.com*, True -*.lampustudio.com*, True -*.lampustudiofoto.com*, True -*.lamscr.com*, True -*.lamusicalirica.com*, True -*.lamusicalirica.net*, True -*.lamusicalirica.org*, True -*.lan22.tk*, True -*.lanabittencourt.com.br*, True -*.lanaconda.ch*, True -*.lana-liker.cf*, True -*.lanarkco.ca*, True -*.lanas.cl*, True -*.lanasdemiel.cl*, True -*.lanasnahum.cl*, True -*.lanaspot.com*, True -*.lana-waper.cf*, True -*.lancar.ml*, True -*.lancastersportsmassage.co.uk*, True -*.lancasterthunder.ca*, True -*.lancastertransit.org*, True -*.lancehasfinishedhisthesis.info*, True -*.lancemesser.com*, True -*.lanceray.co.uk*, True -*.lancerix.com*, True -*.lancerix.net*, True -*.lancerlegacyfoundation.org*, True -*.landa.com.ar*, True -*.landagipuzkoa32.net*, True -*.landak.tk*, True -*.landbanc.com.my*, True -*.landbg.com*, True -*.land-design.com.au*, True -*.landdpipeandcable.com*, True -*.landescapes.com.au*, True -*.landfillsthai.com*, True -*.landforsalecostarica.com*, True -*.landgasthof-krone.ch*, True -*.landice.ml*, True -*.landkunst.ch*, True -*.landlords1st.com.au*, True -*.landlubberyachtclub.com*, True -*.landmarks.net.br*, True -*.landmaster.org*, True -*.landontheawesome.net*, True -*.landpower.com.au*, True -*.landpowerparts.com.au*, True -*.landpowerservice.com.au*, True -*.landprom.ru*, True -*.landrethbox.info*, True -*.landrethhomelab.com*, True -*.landrover-ranch.com*, True -*.landryphotography.com*, True -*.landsberger.com*, True -*.landscapearchitecture.gr*, True -*.landscapecapital.com*, True -*.landstudio.co.id*, True -*.landten.tw*, True -*.landwer.co.il*, True -*.lanecorealty.com*, True -*.lanesplit.com*, True -*.lanesplitmotorsports.com*, True -*.lanfon.net*, True -*.lanfsman.cl*, True -*.lanfusion.me*, True -*.langbug.com*, True -*.langcomputers.com*, True -*.langcomputerservices.net*, True -*.langd.de*, True -*.lange-edv.com*, True -*.langernet.net*, True -*.langfors.fi*, True -*.langgengmudosari.ml*, True -*.langgengmudosari.tk*, True -*.langhorne.ws*, True -*.langitmusik.org*, True -*.langkloofbricks.co.za*, True -*.langnet.ru*, True -*.langsablogger.com*, True -*.langshyttan.com*, True -*.langshyttan.nu*, True -*.langthangonline.com*, True -*.langtind.com*, True -*.langtind.no*, True -*.languageaffairs.com.ar*, True -*.languagebuddy.com.au*, True -*.languageofflowers.net*, True -*.language.ws*, True -*.langworthyweb.com*, True -*.lanitacolorada.com.ar*, True -*.lankanmemes.com*, True -*.lanka.sk*, True -*.lanland.ru*, True -*.lanmark.us*, True -*.lan-mb.si*, True -*.lannet.ro*, True -*.lannybarby.ml*, True -*.lanochedelmetal.com.ar*, True -*.lanochemascorta.com*, True -*.lansdownehotel.com.au*, True -*.lanser.lv*, True -*.lanshenho.com.ar*, True -*.lansingpediatrics.com*, True -*.lanspeedgames.com*, True -*.lantalanta.com*, True -*.lantard.com*, True -*.lantastic.pt*, True -*.lantzranch.com*, True -*.lanun.ga*, True -*.lanware.pt*, True -*.lanzone.net*, True -*.laobrauc.cl*, True -*.laoficinadehoy.cl*, True -*.laogedu.com*, True -*.laollaproducciones.com.ar*, True -*.laorquestaalcaloide.com.ar*, True -*.laos-airlines.com*, True -*.laos-airlines.net*, True -*.laoshimen.net*, True -*.laotraperspectiva.cl*, True -*.laowanglager.com*, True -*.laowboiz.com*, True -*.laowboy.com*, True -*.lapachamama.com.ar*, True -*.lapa.com.ve*, True -*.lapakcablegland.com*, True -*.lapaklaundry.com*, True -*.lapalteria.cl*, True -*.lapappy.ro*, True -*.la-pas.ro*, True -*.lapcrestore.com*, True -*.lapel.net.au*, True -*.lapetitechipie.com*, True -*.lapflounder.us*, True -*.lapicpi.co.id*, True -*.lapinremonttimaalaus.fi*, True -*.lapintietohallinto.fi*, True -*.la-pirouette.ch*, True -*.lapis.hk*, True -*.lapizzaiola.com.ar*, True -*.laplatacomputer.com*, True -*.laplatacomputers.com*, True -*.lapmangcmc.org*, True -*.la-porta.com.ar*, True -*.lapphuong.com*, True -*.lapphuong.com.vn*, True -*.laproductoramedios.com.ar*, True -*.laproductorasj.com.ar*, True -*.laprospe.com*, True -*.laprosperesiste.com*, True -*.laprudence.ch*, True -*.laptevoleg.com*, True -*.laptop.fi*, True -*.laptoprepairbelfast.com*, True -*.laptoprepairmissoula.mobi*, True -*.laptoprepairsheerness.co.uk*, True -*.lapuerta.ch*, True -*.lapurd.net*, True -*.laqq79.com*, True -*.laqueefa.com*, True -*.laquilalp.com.ar*, True -*.larahost.co.za*, True -*.larakaras.com*, True -*.laramonti.com*, True -*.lara-net.com.ar*, True -*.laras.id*, True -*.laravel.com.mx*, True -*.laravelvet.com*, True -*.laravenezia.com*, True -*.larctest.com.ar*, True -*.lardemariape.com.br*, True -*.larebajavirtual.com*, True -*.lareducere.eu*, True -*.lareferencedentaire.com*, True -*.lareida.org*, True -*.laremidola.com.ar*, True -*.larendesign.com*, True -*.laresdecordoba.com.ar*, True -*.laresortera.com.mx*, True -*.largent.org*, True -*.largerhope.org*, True -*.lari123.tk*, True -*.larindapeterson.com*, True -*.larios.cl*, True -*.larisaglass.gr*, True -*.larisaif.ru*, True -*.laris-co.com*, True -*.laris-co.ir*, True -*.larismanis.web.id*, True -*.larnpra.com*, True -*.laroche-shop.ru*, True -*.larocheshop.ru*, True -*.laroneria.com.ve*, True -*.larooy.info*, True -*.laroquod.com*, True -*.laroquodexperiment.com*, True -*.larosehome.com*, True -*.laroutedusavoir.org*, True -*.laroyba.sch.id*, True -*.larpaz.com*, True -*.larramendy.net*, True -*.larregay.com*, True -*.larregay.com.ar*, True -*.larryerdmann.com*, True -*.larryfinkelstein.com*, True -*.larryfthompson.com*, True -*.larry-herman.com*, True -*.larrykbrown.com*, True -*.larryni.com*, True -*.larryvc.com*, True -*.lars-carl.ch*, True -*.larsencustomfurniture.com*, True -*.lars-erik-andersson.se*, True -*.larsoft.com.pe*, True -*.larsonm.com*, True -*.larsotto.com*, True -*.larssongames.com*, True -*.larsson.id.au*, True -*.larssonmarine.net*, True -*.larssonmotors.com*, True -*.lartbelle.cl*, True -*.lartop50.org*, True -*.laruku.tk*, True -*.la-rustica.ro*, True -*.lar.web.ve*, True -*.las4esnakis.com*, True -*.lasallemerida.org.ve*, True -*.lasboleras.com*, True -*.lasboleras.com.ar*, True -*.lasca.ml*, True -*.laselva.cl*, True -*.lasemaine.ca*, True -*.lasentina.com*, True -*.lasercad.ru*, True -*.laserfirst.com.ar*, True -*.laserloungebym.com*, True -*.lasermex.com.mx*, True -*.lasernayasoc.com.ar*, True -*.lasersoft.com.au*, True -*.lasersoftware.ru*, True -*.lasfloresdetomas.cl*, True -*.lasgrutasalquileres.com.ar*, True -*.lashmar.nom.za*, True -*.la-sigur.ro*, True -*.las-joyas.com.ar*, True -*.laskar-kristus.ga*, True -*.laskettelevi.fi*, True -*.laslenas.com.ar*, True -*.laslenasverano.com.ar*, True -*.lasmajadas.cl*, True -*.lasso.cl*, True -*.lastage.ru*, True -*.lastalk.com*, True -*.lastappstore.com*, True -*.lastcall.ninja*, True -*.last-frontier.co.nz*, True -*.lastgame.ro*, True -*.lastheatre.com*, True -*.lastin82.com*, True -*.lastingimpressionsbluewater.com*, True -*.lastkindstudiopromotion.info*, True -*.lastminute.ga*, True -*.lastminutesoundandlighting.com*, True -*.last-money.com*, True -*.lastnightgirl.ru*, True -*.lastoccurrence.com*, True -*.lastpixel.co.uk*, True -*.lastplayer.tk*, True -*.lastra.com.ar*, True -*.lasvegasanonymous.com*, True -*.lasvegasanonymous.org*, True -*.lasvegasartslodge.org*, True -*.lasvegashempfest.com*, True -*.lasvegaszone.us*, True -*.latampool.com*, True -*.latanska.ru*, True -*.latanskiy.biz*, True -*.latanskiy.com*, True -*.latanskiy.info*, True -*.latanskiy.net*, True -*.latanskiy.org*, True -*.latanskiy.ru*, True -*.latansky.info*, True -*.latansky.ru*, True -*.latatia.com*, True -*.lataxi.com*, True -*.latecnoradio.com.ar*, True -*.latenightattractions.com*, True -*.lateniteattractions.com*, True -*.lateralgm.org*, True -*.laterceraroma.com.ar*, True -*.laterrazateatro.com.ar*, True -*.latestblognews.com*, True -*.latestnewsbd24.com*, True -*.latexgift.net*, True -*.latex-it.eu*, True -*.latexopony.pl*, True -*.la-tief.biz*, True -*.la-tief.net*, True -*.latiief-official.com*, True -*.latinchemical.com.ar*, True -*.latin-data.com*, True -*.latine.ca*, True -*.latinexo.com*, True -*.latinflex.net*, True -*.latingress.com*, True -*.latinjazzradio.com*, True -*.latinjazzradio.net*, True -*.latinjazzradio.org*, True -*.latinliturgy.com*, True -*.latinobusinessloan.com*, True -*.latinonetroots.net*, True -*.latinosmallbusinessloan.com*, True -*.latinosmallbusinessloans.com*, True -*.latitudscuba.cl*, True -*.latranquera.org.ar*, True -*.latrans.me*, True -*.latre.ru*, True -*.latteart.fi*, True -*.laturka.ch*, True -*.latzo.net*, True -*.lau-aa.ro*, True -*.laucarautomoveis.com.br*, True -*.lauchanet.com.ar*, True -*.laudare.cl*, True -*.lauener.info*, True -*.laughingravensoftware.com*, True -*.laughparty.com*, True -*.laughtroupe.com*, True -*.lauha.hk*, True -*.laultimamorada.com.ar*, True -*.laultimapla.ga*, True -*.lauming.com*, True -*.laum.ro*, True -*.launchesu.ro*, True -*.launchorganize.com*, True -*.laundy.com.au*, True -*.laundyhotels.com*, True -*.launionnoticias.cl*, True -*.lauracastleman.com*, True -*.lauracha.hk*, True -*.laurachirita.ro*, True -*.lauradesign.com.au*, True -*.lauragalic.com*, True -*.lauragalic.ro*, True -*.lauragallo.com.ar*, True -*.lauragrieser.com*, True -*.lauralynn.ca*, True -*.lauramamina.com*, True -*.lauramaravankin.com.ar*, True -*.lauraradu.ro*, True -*.laurareina.com*, True -*.laurarokey.com*, True -*.lauratognina.ch*, True -*.lauravidal.com.ar*, True -*.lauravpf.info*, True -*.laurawilley.com*, True -*.laurba.es*, True -*.laureltaylor.net*, True -*.laurengillett.com*, True -*.laurenhawkins.net*, True -*.laurenkrohn.com*, True -*.laurenmpeterson.com*, True -*.laurentandjenae.com*, True -*.laurent.id*, True -*.laurentiucozma.ro*, True -*.laurentiusoica.ro*, True -*.laurentpaschecarrelage.ch*, True -*.laurentzi.eu*, True -*.laurieherschman.com*, True -*.laurieknell.com*, True -*.lauriemillotte.com*, True -*.laurin-felder.at*, True -*.laurix.com.br*, True -*.laurodepaula.com.br*, True -*.lautanwarnasari.com*, True -*.lautar.ro*, True -*.lautrec.ru*, True -*.lauwaihin.com*, True -*.lauwailok.com*, True -*.lavachamber.com*, True -*.lava.cl*, True -*.laval.cl*, True -*.lavalelectrique.ca*, True -*.lavalelectrique.com*, True -*.lavasec.ch*, True -*.lavaselfud.it*, True -*.lavaselli.com.ar*, True -*.lavasur.com.ar*, True -*.lavatanssi.fi*, True -*.lavdas.net*, True -*.lavellestudios.com*, True -*.lavendergardensbb.com.au*, True -*.laventurier.fr*, True -*.laverty.ws*, True -*.lavictoriaseguros.com.ar*, True -*.lavineda.com.br*, True -*.lavineda.net.br*, True -*.lavinia.se*, True -*.lavioleta.cl*, True -*.laviralizadora.com*, True -*.lavishers.com*, True -*.lavishscentsbydannii.com.au*, True -*.lavistaliving.com.au*, True -*.lavistaresidencial.com.br*, True -*.lavjigs.com*, True -*.lavka.us*, True -*.lavmaster.cl*, True -*.lavmaster.com*, True -*.lavmatic.cl*, True -*.lavmatic.com*, True -*.lavorini.com.br*, True -*.lavozdeiquique.cl*, True -*.lavozdeunagata.cl*, True -*.lavoz-ni.com*, True -*.lavraki.gr*, True -*.lavriple.tk*, True -*.lavr.lv*, True -*.lavrov.net*, True -*.lavs-check.co.uk*, True -*.lawcustodial.com*, True -*.lawdb.hk*, True -*.lawebdelcomprador.com*, True -*.lawebdelvendedor.com*, True -*.lawes.com.ar*, True -*.law-firm.si*, True -*.law-hongkong.com*, True -*.lawjames0062.com*, True -*.lawlorphoto.com*, True -*.lawmeanings.com*, True -*.lawmeanings.net*, True -*.lawmeanings.org*, True -*.lawndawg.net*, True -*.lawnmowerstobuy.com*, True -*.lawofgoodmoney.com*, True -*.lawofhongkong.com*, True -*.lawprofi.com*, True -*.lawrazor.com*, True -*.lawrencebloggers.com*, True -*.lawrenceliang.com*, True -*.lawrenceunderground.com*, True -*.law.si*, True -*.laws.my*, True -*.lawsofhongkong.com*, True -*.lawson-engineers.co.uk*, True -*.lawsonengineers.co.uk*, True -*.lawsonsgardenservices.com.au*, True -*.lawyerdb.hk*, True -*.lawyerforum.com.pk*, True -*.lawyermarketing.hk*, True -*.lawyersdb.hk*, True -*.lawyersfindlaw.tk*, True -*.lawyers-live.com*, True -*.lawyertender.com*, True -*.lawymotion.com*, True -*.lawymotion.net*, True -*.lawymotion.org*, True -*.lawzam.com*, True -*.laxdal.net*, True -*.laxmijewel.com*, True -*.layabamband.ru*, True -*.layananjualproperti.com*, True -*.layananjualtanah.com*, True -*.layer8wifi.com*, True -*.laymil.com*, True -*.laynos-lab.ru*, True -*.laytonenterprises.com*, True -*.laytonsvillelandscapes.com*, True -*.lazarmihail.net*, True -*.lazarov.org*, True -*.lazarwoolf.com*, True -*.lazerbuildingplans.co.za*, True -*.lazerdepo.com*, True -*.lazic.si*, True -*.lazor.ca*, True -*.lazy-at-home.de*, True -*.lazybasfordproductions.com*, True -*.lazydalmatian.com*, True -*.lazydalmation.com*, True -*.lazydoguk.org*, True -*.lazyelegance.com*, True -*.lazy-k-ranch.com*, True -*.lazykranch.org*, True -*.lazynightowl.com*, True -*.lazysusanshoerack.co.za*, True -*.lazzer.com.my*, True -*.lazzer.my*, True -*.lb25.com*, True -*.lbc.eti.br*, True -*.lbjid.com*, True -*.lbmn.tk*, True -*.lbombs.com*, True -*.lbrown.net*, True -*.lbrss.tk*, True -*.lbsharphome.com*, True -*.lcalibreria.com.ar*, True -*.lcars.us*, True -*.lcdata.com*, True -*.lcd-s03k.org*, True -*.l-cglobal.com*, True -*.lcg.net.ar*, True -*.lchan.hk*, True -*.lcicba.com.ar*, True -*.lcinternal.net*, True -*.lcofcu.com*, True -*.lcofdp.org*, True -*.lcplogistic.com*, True -*.lcprecision.com*, True -*.lcsprojectos.com*, True -*.lcstream.tk*, True -*.lczipper.com*, True -*.lczipper.hk*, True -*.lda.cl*, True -*.ldaley.com*, True -*.ldclass.com*, True -*.ld.com.mx*, True -*.lde-outfit.org*, True -*.ldequipos.cl*, True -*.ldine.co.uk*, True -*.ldistribuciones.com.ar*, True -*.ldlm.tk*, True -*.ldmosquera.com.ar*, True -*.ldmstechnologies.com*, True -*.ldn.lv*, True -*.ldoble.com*, True -*.ldog.us*, True -*.ldop.com*, True -*.ldotcomit.com*, True -*.ldpr10.ru*, True -*.ldscrossing.com*, True -*.ldscrossroads.com*, True -*.ldsmail.co.za*, True -*.ldsp.info*, True -*.ldsp.net*, True -*.ldtp.com*, True -*.ldtp.net*, True -*.ldtp.org*, True -*.leaddeal.net*, True -*.leaderpig.com*, True -*.leadershipclub.org*, True -*.leadersoftsrl.com.ar*, True -*.leaderv.com*, True -*.leadgrouppco.com*, True -*.leadingcateringequipment.com.au*, True -*.leadmas.ro*, True -*.leadprobot.com*, True -*.leadprodatasystems.com*, True -*.leadprolist.com*, True -*.leadpro.net*, True -*.leadseminars.com*, True -*.leadtofirelore.ml*, True -*.leadwell.tw*, True -*.leafceramics.com*, True -*.leaf.cl*, True -*.leafdata.net*, True -*.leagane-bebelusi.ro*, True -*.leagane-copii.ro*, True -*.leagueoflegends.bz*, True -*.leagueofswitzerland.ch*, True -*.leaguetwo.net*, True -*.leahpreston.com*, True -*.lealibros.cl*, True -*.leana.ch*, True -*.leandrinux.com.ar*, True -*.leandroditommaso.com*, True -*.leandroditommaso.com.ar*, True -*.leandrodoavelino.com.br*, True -*.leandroiriarte.com*, True -*.leandroreboucas.com*, True -*.leandrorueda.com.ar*, True -*.leandro.sh*, True -*.leandrosimonetti.com.ar*, True -*.leanet.org*, True -*.leangeder.tk*, True -*.leanstartup.sg*, True -*.leapdisk.com*, True -*.learn247.com.au*, True -*.learn2speak.eu*, True -*.learnaerobatics.com*, True -*.learnaliving.us*, True -*.learnbsd.org*, True -*.learningbuddy.my*, True -*.learningdimensions.pk*, True -*.learningweekend.com*, True -*.learningweekend.gq*, True -*.learningweekend.tk*, True -*.learnmore-seemore.com*, True -*.learnmusic.hk*, True -*.learnndt.ca*, True -*.learnsmart.me*, True -*.learnsomestuff.com*, True -*.learn-torah.com*, True -*.learnwithjade.com*, True -*.learp.com*, True -*.leasepartners.ca*, True -*.leasepartnersfinancial.com*, True -*.leasetorrent.com*, True -*.leasing-equip.ru*, True -*.leason.biz*, True -*.leatherboundbook.co.za*, True -*.leather-brands.ro*, True -*.leavens.ca*, True -*.leavingthedesk.com*, True -*.leavitt.us*, True -*.lebane.se*, True -*.lebaronlaw.org*, True -*.le-baux.com*, True -*.lebensberatung-hertl.at*, True -*.lebistronewport.com*, True -*.lebocabank.com*, True -*.leboca.com*, True -*.lebosse.org*, True -*.lebron.com.ar*, True -*.lebrun.com.ve*, True -*.lebrun.net.ve*, True -*.lebrun.nu*, True -*.lebulbe.org*, True -*.lebu.tk*, True -*.lecaferus.ru*, True -*.lecahierbleu.net*, True -*.lecaveaudesdixvins.ch*, True -*.lecc.org*, True -*.lecedreaikidodojo.ch*, True -*.lechantoniouszynski.ch*, True -*.lechaussyrestaurant.ch*, True -*.lechina8.com*, True -*.lech.ws*, True -*.leckeregeschenke.ch*, True -*.leckinger.com*, True -*.leclus.co.za*, True -*.lecnet.org*, True -*.lecompagnon.ch*, True -*.lecreativity.com*, True -*.lecreativity.com.au*, True -*.lectii-online.ro*, True -*.lecume.net*, True -*.ledboxs.ru*, True -*.ledcahaya.com*, True -*.ledcenter.mx*, True -*.ledcube.eu*, True -*.led-decoracion.es*, True -*.led-indonesia.com*, True -*.ledit.ro*, True -*.ledlight.tk*, True -*.led-media.ro*, True -*.ledonne.me*, True -*.leds.com.ar*, True -*.ledservice.com.br*, True -*.ledsignsanddesign.com*, True -*.ledsignscalgary.com*, True -*.led-signs.ro*, True -*.led-technik-berlin.com*, True -*.leduriauto.net*, True -*.ledwidge.net*, True -*.ledyanoevederko.ru*, True -*.lee007.com*, True -*.leecantu.com*, True -*.leechers.info*, True -*.leech.hk*, True -*.lee.co.id*, True -*.leeconcepts.com*, True -*.leed.com.mx*, True -*.lee-family.hk*, True -*.leeguscott.com*, True -*.leehack.com*, True -*.leehalldepot.org*, True -*.leekoh.com.my*, True -*.lee-labar.ch*, True -*.leemathers.com.au*, True -*.lee.mx*, True -*.leesgroup.com.au*, True -*.lees.im*, True -*.leetbox.eu*, True -*.leetrans.co.za*, True -*.leetwebs.co.uk*, True -*.leexiaolan.tk*, True -*.leeyanglaw.com*, True -*.leeyunxi.com*, True -*.lefamilies.com*, True -*.lefitys.tk*, True -*.le-francis.ch*, True -*.lefrigovert.com*, True -*.left4dead.ro*, True -*.leftbrainprojects.com*, True -*.lefteristaverna.com*, True -*.lefthandtraffic.com*, True -*.legacomputer.com*, True -*.legacyacres.ca*, True -*.legacyrecipes.com*, True -*.legacy-systems.co.uk*, True -*.legalasociados.com.ar*, True -*.legalbid.com.au*, True -*.legalbooks.cl*, True -*.legalcredit.ro*, True -*.legaleimpuestos.cl*, True -*.legalfeestender.com*, True -*.legalfeetender.com*, True -*.legalguatemala.com*, True -*.legality.io*, True -*.legalizenotlegallies.co.uk*, True -*.legallyspeaking.com.au*, True -*.legalmarketing.hk*, True -*.legalmaui.com*, True -*.legalmusicsearch.com*, True -*.legal-pc.ru*, True -*.legalregion.com*, True -*.legalsociety.ro*, True -*.legalstep.com*, True -*.legaltaxinsolv.co.za*, True -*.legaltystore.com*, True -*.legalwiz.com.au*, True -*.legarage-car-point.ch*, True -*.legault.us*, True -*.legbet.com*, True -*.legbrace.info*, True -*.legeaplicata.ro*, True -*.legein.ru*, True -*.legendaflorist.com*, True -*.legendarios.org*, True -*.legendart.co.za*, True -*.legendary.tw*, True -*.legendhack.com*, True -*.legendofpunch.com*, True -*.legendtheo.com*, True -*.le-genepi.com*, True -*.le-genepi.ru*, True -*.legere.info*, True -*.legerutengenser.com*, True -*.legge.org.nz*, True -*.leghari.ca*, True -*.legifoto.ro*, True -*.legiondemaria.cl*, True -*.legionofdeath.zone*, True -*.legionofzommoros.net*, True -*.legiontrade.com.au*, True -*.legitball.tk*, True -*.legitimations-verfahren.com*, True -*.legkostup.com*, True -*.legkostup.pro*, True -*.legmas.ro*, True -*.legolego.co*, True -*.legont.com*, True -*.legosathome.com*, True -*.legrandelectric.com.my*, True -*.legrandelectric-lbp.com*, True -*.legrand-philips-electrical.com*, True -*.legue.ca*, True -*.legume-bune.ro*, True -*.legume-romanesti.ro*, True -*.legumeromanesti.ro*, True -*.lehcloud.com*, True -*.lehel.in*, True -*.lehel.ro*, True -*.lehighurologist.com*, True -*.lehmann.im*, True -*.lehmbau-tischlerei.de*, True -*.lehoozeher.com*, True -*.lehosuckt.cf*, True -*.leibundgut.name*, True -*.leifcom.com*, True -*.leiflundgren.com*, True -*.leifwalsh.com*, True -*.leijonanosa.fi*, True -*.leinno.com*, True -*.leinno.de*, True -*.leinno.fi*, True -*.leiser-loosli.com*, True -*.leisuredaysrv.ca*, True -*.leisurescreen.com*, True -*.leisurevpn.net*, True -*.leithconsulting.com*, True -*.leitoreseleituras.com.br*, True -*.leitud.ee*, True -*.lejericho.ch*, True -*.lejm.cf*, True -*.lejm.ga*, True -*.lejm.gq*, True -*.lejm.ml*, True -*.lejon.us*, True -*.lekarna.bg*, True -*.lekarskierecepty.one.pl*, True -*.lekarzomseniorom.pl*, True -*.lekeitio.tk*, True -*.lekh.com.np*, True -*.lekigor.tk*, True -*.lekobits.com*, True -*.lekovic.ca*, True -*.lekshan.com*, True -*.lekve.org*, True -*.lelapinnain.com*, True -*.lelecifer.com*, True -*.lelokong.com*, True -*.lelouvrehotel.cl*, True -*.lelup.com.ar*, True -*.lelyanova.com*, True -*.le-lyrique.ch*, True -*.lema.cl*, True -*.lemale.com.br*, True -*.leman-marine.ch*, True -*.lemarbecomputers.com*, True -*.lemariage.co.il*, True -*.lemarkophotography.com*, True -*.lemauricia.ch*, True -*.lembitlees.com*, True -*.lemit.ro*, True -*.lemobiliere.com.ar*, True -*.lemo.com.au*, True -*.lemoinek.be*, True -*.lemonade-stand-tycoon.com*, True -*.lemonbeats.com*, True -*.lemonbit.cl*, True -*.lemon-boutique.com*, True -*.lemonet.ch*, True -*.lemonhost.tk*, True -*.lemonlaw.org.uk*, True -*.lemonnier.co.za*, True -*.lemonpot.com*, True -*.lemotekor.tk*, True -*.lemoucheur.ca*, True -*.lempeque.com.ar*, True -*.lempicki.com*, True -*.lemus.cl*, True -*.lenapo.com*, True -*.lenarcic.si*, True -*.lenarcissique.com*, True -*.lenart.tk*, True -*.lenberg.nu*, True -*.lenberg.se*, True -*.lencoserv.ro*, True -*.lenderhub.org*, True -*.lendix.ro*, True -*.lendmymovie.com*, True -*.lendr.org*, True -*.lendthem.ir*, True -*.lene.ro*, True -*.lengyuexuan.club*, True -*.lenial.com.ar*, True -*.len.io*, True -*.lenio.co*, True -*.lenioconsulting.com*, True -*.lenioconsulting.co.nz*, True -*.lenio.co.nz*, True -*.leniointernational.com*, True -*.leniointernational.com.au*, True -*.leniointernational.co.nz*, True -*.lenjerii-copii-lenjerie.ro*, True -*.lenkemannen.com*, True -*.lenmak.ca*, True -*.lennard.net.au*, True -*.lennox.cf*, True -*.lennox.ga*, True -*.lennox.gq*, True -*.lennox.ml*, True -*.lennuki.ga*, True -*.lenochki.club*, True -*.leno.si*, True -*.lensaterkini.web.id*, True -*.lensmarket.com.ar*, True -*.lentilka.cz*, True -*.lenton.id.au*, True -*.lentopaikat.fi*, True -*.lentopaikat.net*, True -*.lentzkids.com*, True -*.len.vn*, True -*.lenygrisel.com*, True -*.leo8bits.cl*, True -*.leo-chandra.net*, True -*.leochan.tk*, True -*.leodataonline.es*, True -*.leodragons.com*, True -*.leohordijk.nl*, True -*.leomil.com.br*, True -*.leonardhodgins.com*, True -*.leonardocastano.com.ar*, True -*.leonardofreitas.eti.br*, True -*.leonarski.pl*, True -*.leona-skincare.com*, True -*.leona-vip.com*, True -*.leonconsulting.com.mx*, True -*.leonelmartinstaxis.pt*, True -*.leoneti.com*, True -*.leongroup.com.ar*, True -*.leonibistrita.ro*, True -*.leonili.com*, True -*.leonisbg.com*, True -*.leon-medical.com*, True -*.leonpr.net*, True -*.leopattes.tk*, True -*.leopatte.tk*, True -*.leopaws.tk*, True -*.leopaw.tk*, True -*.leopold-lux.at*, True -*.leoquezada.cl*, True -*.leorodriguez.me*, True -*.leoroman.com.ar*, True -*.leoz.cl*, True -*.leozhu.com*, True -*.leozilla.com*, True -*.lepak.com.my*, True -*.lepecos.ch*, True -*.le-pep.com*, True -*.leperon.ch*, True -*.lepersmaxi.me*, True -*.le-petit-coin-gourmand.ch*, True -*.lepetitocean.ch*, True -*.lepetitprince.com.np*, True -*.lepicurien.ca*, True -*.lepiedrichard.ch*, True -*.lepont.org*, True -*.le-porter.com*, True -*.leppens.in*, True -*.leppihard.com*, True -*.leprixfixe.com*, True -*.leptians.com*, True -*.leptians.net*, True -*.leptitbouchon.ch*, True -*.leptitlilou.com*, True -*.leptopcentri.com*, True -*.lepurkki.com*, True -*.lepuso.com*, True -*.lepuso.ru*, True -*.leqoleqo.com*, True -*.lereco2001.ro*, True -*.lerheujardinier.fr*, True -*.lericain.com*, True -*.lerkoo.com*, True -*.lermus.net*, True -*.lernpodium.ch*, True -*.leromo.com*, True -*.leroyal.eu*, True -*.lerpes.com*, True -*.leruleru.com.ar*, True -*.lery.ca*, True -*.les6pointsvirtuels.net*, True -*.lesar.si*, True -*.lesavoie.ch*, True -*.lesbellesdenuit.ch*, True -*.lesberges.ch*, True -*.lescano.com.ar*, True -*.lescapricieux.com*, True -*.lescarabiniers.ch*, True -*.lescar.nl*, True -*.lescarsbernard.ch*, True -*.lescharles.com*, True -*.lesdeuxtetesdecochon.com*, True -*.lesfill.es*, True -*.lesgutierrez.com.ar*, True -*.leshets.com*, True -*.lesitedupharmacien.net*, True -*.lesk.si*, True -*.lesleygreen.ca*, True -*.leslie.com.au*, True -*.lesliejosaprons.com*, True -*.lesliemcdougall.com*, True -*.lesliepetersonbodywisdom.com*, True -*.lesmana.web.id*, True -*.lesmo.com.mx*, True -*.lesmuseesenwallonie.be*, True -*.lesnaczereda.pl*, True -*.lesny.one.pl*, True -*.lesongvi.ga*, True -*.leso-pis.com*, True -*.lesouffledudragon.ch*, True -*.les-patriot.tk*, True -*.les-pieds-sur-terre.ch*, True -*.les-ptitsloups.ch*, True -*.les-puzzles.ch*, True -*.les-resurs.ru*, True -*.les-rome2012.org*, True -*.lessmiths.com*, True -*.lessononline.org*, True -*.lessonswoborders.net*, True -*.lestada.com.br*, True -*.lestaricarpet.com*, True -*.lestariflorist.com*, True -*.lesterjnissley.com*, True -*.lesterlam.co.nz*, True -*.leszek.hu*, True -*.letala.si*, True -*.letalske-karte-vozovnice.si*, True -*.letamusic.ru*, True -*.letatbrut.com*, True -*.letbook.cn*, True -*.lete.ch*, True -*.lethalia.net*, True -*.lethalleisel.com*, True -*.lethalletham.com*, True -*.let.hk*, True -*.leticeneje.si*, True -*.leticiacarus.com*, True -*.leticiacruz.com.br*, True -*.letimo-ceneje.si*, True -*.letimoceneje.si*, True -*.letimo-poceni.si*, True -*.letimopoceni.si*, True -*.letipoceni.si*, True -*.letiteceneje.si*, True -*.letitepoceni.si*, True -*.letlink.hk*, True -*.letmebuyouadrink.com*, True -*.letmebuyuadrink.com*, True -*.letmebuyyouadrink.com*, True -*.letmebuyyouadrink.us*, True -*.letmereport.com*, True -*.letopis.net*, True -*.letrademusicacristiana.net*, True -*.letrebrasil.com.br*, True -*.letscode.pl*, True -*.letsfightback.org*, True -*.letsgo34.tk*, True -*.letsmakemusictogether.net*, True -*.letsplaysa.com.my*, True -*.letsrockcancer.co.uk*, True -*.letstaserthecops.com*, True -*.letstellatale.com*, True -*.lets-wat.ch*, True -*.letswatchtogether.com*, True -*.lettenmair.com*, True -*.letterdb.com*, True -*.letternet.net*, True -*.letterofrecommendationtemplate.net*, True -*.letter-x.net*, True -*.letthechurchsay.com*, True -*.lettre-cv.net*, True -*.letueurcache.com*, True -*.letussetuptheinternetforyou.com*, True -*.letvbox.tw*, True -*.letwork.com*, True -*.letyoudown.tk*, True -*.letzte.at*, True -*.levanovich.com.ar*, True -*.levantateycamina.cl*, True -*.levantineheritage.com*, True -*.leva.org.br*, True -*.levca.co.za*, True -*.levei3.net*, True -*.level10.org*, True -*.levelargentina.com.ar*, True -*.levelnet.tk*, True -*.leveloneclub.ro*, True -*.levensgraag.be*, True -*.leveragebusinesssystems.com*, True -*.leverage-solutions.ch*, True -*.lever.id.au*, True -*.leversetdujour.info*, True -*.levetsky.com*, True -*.levett.id.au*, True -*.leviathancomputer.com*, True -*.levibromberg.com.br*, True -*.levigon.com.ar*, True -*.levisoares.com*, True -*.leviweb.com.ar*, True -*.levoyoublond.com*, True -*.levrau.net*, True -*.levtech.ro*, True -*.lewatsini.com*, True -*.lewesmusicalexpress.com*, True -*.lewe.tk*, True -*.lewglick.com*, True -*.lewicki.com.ar*, True -*.lewisbenge.net*, True -*.lewiscenter.net*, True -*.lewisj.co.uk*, True -*.lewis-mail.com*, True -*.lewisphotostudio.com*, True -*.lexaclick.com*, True -*.lexas.com.ar*, True -*.lexev.org*, True -*.lexgardner.com*, True -*.lex-group.net*, True -*.lexicide.com*, True -*.lexiconmarketing.ca*, True -*.lexi.sx*, True -*.lexmate.ru*, True -*.lex.mn*, True -*.lex-net.net*, True -*.lexonline.net*, True -*.lexsup.cf*, True -*.lextarapaca.cl*, True -*.lexvoip.com*, True -*.lexvoip.net*, True -*.leyadolescente.org*, True -*.leyesdereforma.com.mx*, True -*.leymono.cl*, True -*.leyrey.com.mx*, True -*.leyth.de*, True -*.leyvanightlaw.com*, True -*.leyvhair.org*, True -*.lfclean.com.br*, True -*.lfhchurch.com*, True -*.lfi-funds.com.br*, True -*.lfjewellery.com*, True -*.lftrans.com.br*, True -*.lfwebpro.com*, True -*.lgame.ir*, True -*.lgbcs.com*, True -*.lgdent.ro*, True -*.lg-ericsson.web.tr*, True -*.lghimire.com.np*, True -*.lgrgroup.com.ar*, True -*.lgrweb.com.br*, True -*.lgs-rdc.com*, True -*.lgts.se*, True -*.lgtz.info*, True -*.lgvjobs.co.uk*, True -*.lhapsus.com*, True -*.lhartung.com*, True -*.lhca.com.ar*, True -*.lhcsoft.com*, True -*.lhfcyrus.com*, True -*.lhks.cf*, True -*.lhmai.com*, True -*.lhpauto.com*, True -*.lhssoftware.com.ar*, True -*.lhuerta.com*, True -*.lia89.tk*, True -*.liamaraeohara.com.br*, True -*.liamateztv.tk*, True -*.liamatkat.tk*, True -*.liamatprime.tk*, True -*.liamatrar.tk*, True -*.liamattpb.tk*, True -*.liamfromstatefarm.com*, True -*.liam.nu*, True -*.liamswebsite.co.uk*, True -*.liamwhite.net*, True -*.lian520mu.com*, True -*.liangjia.ml*, True -*.liangjia.tk*, True -*.liangsir.com*, True -*.lian.info*, True -*.lianis-as.ro*, True -*.liard.com.ar*, True -*.liaros-cleaner.gr*, True -*.liasantis.blog.br*, True -*.libbo.com*, True -*.libbywaterprojects.com*, True -*.libedns.tk*, True -*.liberalstudent.com*, True -*.liberatedproductions.ca*, True -*.liberilibris.com.br*, True -*.liberlandtelecom.tk*, True -*.libertaresidencial.com.br*, True -*.libertasmobile.com*, True -*.libertyfarmhorses.com*, True -*.libertyisle.com*, True -*.liberty.org.il*, True -*.libmill.org*, True -*.libpedia.com*, True -*.librairiedeschamps.com*, True -*.librairiedumidi.ch*, True -*.librariansmith.com*, True -*.librarie.ro*, True -*.librari.st*, True -*.librarybuilder.cf*, True -*.libraryoflife.com.au*, True -*.libraryofmichigan.org*, True -*.libredeaceite.com.ar*, True -*.libredegripe.com*, True -*.libregraphic.web.id*, True -*.librelab.org*, True -*.libre-mesh.net*, True -*.libre-mesh.org*, True -*.librepensador.cl*, True -*.libreriaentrelineas.es*, True -*.librerialaprida.com.ar*, True -*.librestock.tk*, True -*.libretadecomunicaciones.cl*, True -*.libretext.tk*, True -*.libreygratis.cl*, True -*.libroelectronico.es*, True -*.librominiatura.com*, True -*.librosdelsur.com*, True -*.librox.co.za*, True -*.libsmansa.com*, True -*.libygeorge.net*, True -*.licantro.com.br*, True -*.licchamber.com*, True -*.licchamber.org*, True -*.liccivic.org*, True -*.licenciadawitten.com.ar*, True -*.licenciamentomusical.com*, True -*.licensetoshill.org*, True -*.liceocautin.cl*, True -*.licetteacosta.cl*, True -*.liceuleminescubarlad.ro*, True -*.liceupecica.ro*, True -*.lichain.com*, True -*.lichtagentur.ch*, True -*.liciasite.com*, True -*.licitatienationala.ro*, True -*.licitatiimunca.ro*, True -*.lickd.me*, True -*.licki.com.au*, True -*.lickwid.net*, True -*.liclinic.es*, True -*.liconcepcion.cl*, True -*.licoreschile.cl*, True -*.licrim.cl*, True -*.licrim.com*, True -*.lidaexclusiv.ro*, True -*.lidahome.ro*, True -*.li-dar.com*, True -*.lidera.info*, True -*.liderauto.ro*, True -*.liderler.com*, True -*.liderprojetos.com.br*, True -*.lidertreinamentos.com*, True -*.lidiaingah.com*, True -*.lidiette.com*, True -*.lidme.com*, True -*.lidycool.com.tr*, True -*.liebender.eu*, True -*.liebepacific.co.id*, True -*.liebnet.ch*, True -*.liebretortuga.cl*, True -*.liefdecraft.net*, True -*.liegat.eu*, True -*.liekkipipot.net*, True -*.lielvardesjosta.lv*, True -*.lien-cheng.com*, True -*.lienenbert.com*, True -*.lienfeng.com*, True -*.lienthong07m.com*, True -*.lienwyn.com*, True -*.liettetremblay.com*, True -*.lieving.us*, True -*.lifebridgementoring.biz*, True -*.lifebridgementoring.com*, True -*.lifebridgementoring.org*, True -*.lifechangingexperiences.org*, True -*.lifecode-hk.com*, True -*.lifecomm.net*, True -*.lifecycle.ir*, True -*.lifedeal.tk*, True -*.life-dnevnik.ru*, True -*.lifeempowerment.hk*, True -*.lifeevents.ro*, True -*.life-for.me*, True -*.lifefoundation.tk*, True -*.lifehaircenter.com*, True -*.lifeinlossantos.com*, True -*.lifeinmotion.co.za*, True -*.lifeinorange.ro*, True -*.lifeinverse.com*, True -*.lifelonglegacy.com*, True -*.lifeltd.gr*, True -*.lifemadegreat.com*, True -*.lifenfood.com*, True -*.life-of-brian.co.za*, True -*.lifeofbrian.co.za*, True -*.lifeofreilly.us*, True -*.lifeon.com.br*, True -*.lifeontheranch.net*, True -*.lifepatterns.de*, True -*.lifepen.com.br*, True -*.lifeproject40.com*, True -*.lifequestwellness.com*, True -*.lifequotespage.com*, True -*.lifesafetyinspector2.com*, True -*.lifesafetyinspector.com*, True -*.lifescapesphotography.ca*, True -*.lifesessentialsdayspa.com*, True -*.lifeshare.ro*, True -*.lifesolution.com.br*, True -*.lifesolutions.com.br*, True -*.lifesongresources.org*, True -*.life-straw.ro*, True -*.lifestraw.ro*, True -*.lifestylegroup.hk*, True -*.lifestylekitchens.net.au*, True -*.lifestyleninety.com*, True -*.lifestylethailand.com*, True -*.lifetech-yemen.com*, True -*.lifetendencies.com*, True -*.lifetube.tv*, True -*.lifewaysystems.com*, True -*.lifewired.com.au*, True -*.lift18.ru*, True -*.liftads.rs*, True -*.liftcosurabaya.com*, True -*.liftoffteam.com*, True -*.liftroosterban.com*, True -*.lift-storitve.si*, True -*.liftyourgame.co.uk*, True -*.ligabmas.cl*, True -*.ligaca.com.ve*, True -*.liga-canopyawning.com*, True -*.ligadefutbollaplata.com.ar*, True -*.ligagourmet.cl*, True -*.ligalobensedefutbol.com.ar*, True -*.liga.md*, True -*.ligasabatinadefutbol.com.mx*, True -*.ligaw.cl*, True -*.liggaming.tk*, True -*.lightart.ro*, True -*.lightbulbout.com*, True -*.lightbydark.com*, True -*.lightchanneltv.com*, True -*.lightchanneltv.org*, True -*.lightdropstudios.com.au*, True -*.lightedge.ro*, True -*.lighterdark.com*, True -*.lighthousecommunitycare.com.au*, True -*.lighthousecorppr.com*, True -*.lighthouseenergytrust.com*, True -*.lighthouseusa.org*, True -*.lightingnorwest.com*, True -*.lightingonline.co.za*, True -*.lighting-safety.com*, True -*.lightintech.ru*, True -*.lightkuragari.com*, True -*.lightmicrosystems.com*, True -*.lightningbbs.com*, True -*.lightningcoders.com*, True -*.lightningrodlabs.com*, True -*.lightn.org*, True -*.light-plus.tw*, True -*.lightshows.de*, True -*.lightsonchristmas.com*, True -*.lightspeedcommunications.net*, True -*.lightstar.cf*, True -*.lightupmobilelighttowers.com.au*, True -*.lightway.co.za*, True -*.ligle.com.br*, True -*.lignotechbrasil.com.br*, True -*.lignotechbrazil.com.br*, True -*.lignotech.com.br*, True -*.ligos.pro*, True -*.ligowski.com*, True -*.ligru.cl*, True -*.ligugegl.ch*, True -*.lihansmotors.com.br*, True -*.liiberg.com*, True -*.lijiujiasports.com*, True -*.likaaam.cf*, True -*.likable.one.pl*, True -*.like.al*, True -*.likeguitar.net*, True -*.likehumansdo.net*, True -*.like.io*, True -*.likejr.com*, True -*.likelo.mx*, True -*.likelo.ws*, True -*.like-me.cf*, True -*.liker-beranda.us*, True -*.liker.pw*, True -*.likerterbaru2015.ga*, True -*.likesomethingelse.net*, True -*.likesusuibu.my*, True -*.like-yg.com*, True -*.like-yg.net*, True -*.like-you.cf*, True -*.likez.mobi*, True -*.likhach.ru*, True -*.likijardins.ch*, True -*.likoerqueen.ch*, True -*.likovni-material.si*, True -*.likudliberal.org*, True -*.lilacenter.eu*, True -*.lilai.hk*, True -*.lilain.co.il*, True -*.lilamoore.com*, True -*.lila-n.ru*, True -*.lili2d.com*, True -*.lilianagassiot.ch*, True -*.lilianaorsi.com.ar*, True -*.lilianchang.com*, True -*.lilian.ro*, True -*.liliapaz.com.br*, True -*.lilimp.co.uk*, True -*.lilith.com.au*, True -*.liliundmo.ch*, True -*.liljas.info*, True -*.lillalo.se*, True -*.lillibridges.com*, True -*.lillies.ru*, True -*.lilybluestore.com.ar*, True -*.lilycreekequine.com*, True -*.lilyessence.com*, True -*.lilyspadd.com*, True -*.limabravo.ca*, True -*.limabravo.com*, True -*.limaenam.com*, True -*.limanca.com.ve*, True -*.limani-gypserie.ch*, True -*.limao.me*, True -*.limbanda.com*, True -*.limbanda.co.za*, True -*.limbanda.org*, True -*.limbar.io*, True -*.limb-norris.com*, True -*.limefactor.com*, True -*.limesdacicus.ro*, True -*.limg.ch*, True -*.limiao.net*, True -*.limitatoareviteza.ro*, True -*.limitedloot.org*, True -*.limited-rescue.com*, True -*.limitn.com*, True -*.limmat-productions.ch*, True -*.limnet.org*, True -*.limnet.tk*, True -*.limobarcelona.cat*, True -*.limomerida.com*, True -*.limomex.com.mx*, True -*.limousinedrivers.sk*, True -*.limpec.co.za*, True -*.limpezata.com.br*, True -*.limpezatalimpeza.com.br*, True -*.limsico.com*, True -*.lims.sg*, True -*.lin3al.cl*, True -*.linamakeupartist.cl*, True -*.linanovianti.cf*, True -*.linards.net*, True -*.linave.fi*, True -*.lincahotel.com*, True -*.lincer.net*, True -*.lincocina.com.ar*, True -*.linco.cl*, True -*.lincolncaissie.com*, True -*.lincoln-consultancy.com.au*, True -*.lincolnconsultancy.net.au*, True -*.lincolnisland.com*, True -*.lincolnisland.si*, True -*.lincolntreecontrol.com.au*, True -*.lindadevries.com*, True -*.lindadevries-lebaron.com*, True -*.lindajwu.ca*, True -*.lindalinda.com.ar*, True -*.lindapp.com*, True -*.lindasbeauty.co.uk*, True -*.lindaspa.com.ar*, True -*.lindasuarez.com.ve*, True -*.lindeblads.com*, True -*.lindeblad.se*, True -*.lindemannen.se*, True -*.lindenboom.be*, True -*.lindesborg.se*, True -*.lindes.nu*, True -*.lindore.net*, True -*.lindsayball.com*, True -*.lindseydyer.com*, True -*.lindseyfamily.info*, True -*.linduxo.cf*, True -*.linea110.com.ar*, True -*.lineaamor.com*, True -*.linea-gay.com*, True -*.lineage2primusss.ml*, True -*.lineaglobito.com.ar*, True -*.linearpotential.com*, True -*.linearwear.com*, True -*.linenfieldsphotography.com*, True -*.lineofwork.eu*, True -*.linetele.com*, True -*.linettescookies.com*, True -*.linettescookies.org*, True -*.linettesgourmetcookies.com*, True -*.linfo.ch*, True -*.lingdao.hk*, True -*.lingodome.com*, True -*.lingofusion.com.ar*, True -*.lingomixer.com*, True -*.lingsmith.com*, True -*.lingua-franca.org*, True -*.linguridelemn.ro*, True -*.lingvinarium.ru*, True -*.linhaiyamaha.com*, True -*.linhasmcs.tk*, True -*.linibini.ch*, True -*.linigersolutions.ch*, True -*.liniumstaffing.us*, True -*.linium.us*, True -*.link2know.co*, True -*.linkapp.com.ar*, True -*.linkback.us*, True -*.linkcorto.com.ar*, True -*.linked8.com*, True -*.linked-data.at*, True -*.linked-data.eu*, True -*.linkedto.tk*, True -*.linkedu.tk*, True -*.linkfone.com*, True -*.linkgroup.cl*, True -*.linkinglizard.com*, True -*.linkin.tw*, True -*.linki.si*, True -*.linkitinstantly.com*, True -*.linkit.ml*, True -*.linkitnow.org*, True -*.linkmap.net*, True -*.linkmedya.com*, True -*.linkmoose.com*, True -*.linkode.org*, True -*.linkopingbudo.se*, True -*.linkopings-budoklubb.se*, True -*.linkpendidikan.com*, True -*.linkscroll.com*, True -*.linkserver.in*, True -*.linkshq.com.ar*, True -*.linkspanchos.com*, True -*.linkspire.net*, True -*.links.sg*, True -*.linkstream.ro*, True -*.linktechnow.com*, True -*.linktome2.com*, True -*.linktome2.nz*, True -*.linktome.eu*, True -*.linkvs.tk*, True -*.lin.mx*, True -*.linnatiiviste.fi*, True -*.linnavuori.fi*, True -*.linnemannstoens.com*, True -*.linnovate.com*, True -*.linofernandez.com*, True -*.linovonburg.ch*, True -*.linq.cc*, True -*.linsec.ch*, True -*.linsteadmarket.com*, True -*.lintaru.ro*, True -*.lintasnusapower.com*, True -*.lintexlinens.com*, True -*.linthay.info*, True -*.lin.to*, True -*.linton.me*, True -*.lintu.pro*, True -*.linusandersson.org*, True -*.linuskb.ch*, True -*.linuts.com*, True -*.linuts.org*, True -*.linux05.com*, True -*.linux70.ru*, True -*.linuxar.com*, True -*.linuxbabbel.be*, True -*.linuxbabbel.org*, True -*.linuxbox.cc*, True -*.linuxciv.co.uk*, True -*.linux-classes.com*, True -*.linuxconsole.ro*, True -*.linuxd1.com*, True -*.linuxdesignteam.com*, True -*.linuxdn.com*, True -*.linuxdn.net*, True -*.linuxdn.org*, True -*.linuxd.org*, True -*.linuxermadura.com*, True -*.linuxer.ninja*, True -*.linuxers.cl*, True -*.linuxfocus.net*, True -*.linuxgalaxy.org*, True -*.linux-geek.net*, True -*.linuxguy.tk*, True -*.linuxhosters.tk*, True -*.l-i-n-u-x.info*, True -*.linuxisit.com*, True -*.linuxkernel.tk*, True -*.linuxlabs.biz*, True -*.linuxlifts.com*, True -*.linuxlove.eu*, True -*.linuxnerd.me*, True -*.linux-net-x.net*, True -*.linux-ninjas.net*, True -*.linux-one.org*, True -*.linuxoz.net*, True -*.linuxpay.org*, True -*.linuxpei.com*, True -*.linux-programmer.co.uk*, True -*.linux-programmer.pro*, True -*.linuxsacommand.info*, True -*.linux-shitbox.com*, True -*.linuxstart.ca*, True -*.linuxvlife.tk*, True -*.linuxware.io*, True -*.linuxx.biz*, True -*.linuxx.org*, True -*.linuxzealots.com*, True -*.linuzo.com*, True -*.linuz.web.id*, True -*.linville.net*, True -*.linvilleproperties.com*, True -*.linx.ga*, True -*.linxlunx.info*, True -*.linxuetu.com*, True -*.linzizon1.co.kr*, True -*.linzone.co.kr*, True -*.lionbux.ru*, True -*.liondanceshop.net*, True -*.lionelcampoy.com.ar*, True -*.lionel.cl*, True -*.lionex.ro*, True -*.lionfire.ca*, True -*.lionfiregames.ca*, True -*.lionhearted.ca*, True -*.lion.hk*, True -*.lion-king.ml*, True -*.lions.cf*, True -*.lions.es*, True -*.lionshop.ir*, True -*.lionspaws.net*, True -*.lionsrd.ro*, True -*.lionsshare.ca*, True -*.lior.org*, True -*.lior-simchi.co.il*, True -*.lipan.ro*, True -*.lipartyclowns.com*, True -*.lipi.biz*, True -*.lipidar.com.ar*, True -*.lipinski.ca*, True -*.lipixs.com.ar*, True -*.lipizzan-register.com*, True -*.lipizzanregister.com*, True -*.lipizzanregistry.com*, True -*.liponoga.me*, True -*.liptov.ru*, True -*.liputansiji.com*, True -*.liquidateart.com*, True -*.liquid-bass.co.uk*, True -*.liquidblue.com.au*, True -*.liquid-brass.co.uk*, True -*.liquidcatering.com*, True -*.liquidelectric.co*, True -*.liquidelectric.mx*, True -*.liquidelectric.net*, True -*.liquid-evol.com*, True -*.liquidips.net*, True -*.liquidlogicdev.net*, True -*.liquidlogistic.ro*, True -*.liquidmetal.org*, True -*.liquido-reiden.ch*, True -*.liquidpixels.ca*, True -*.liquidsphere.com*, True -*.liramatic.com.ar*, True -*.lirsi.net*, True -*.lirsi.org*, True -*.liru-sec.org*, True -*.lis3k.eu*, True -*.lisa22.cf*, True -*.lisabose.ca*, True -*.lisadavelaar.com*, True -*.lisafranken.info*, True -*.lisak.one.pl*, True -*.lisandroautomoveis.com.br*, True -*.lisascrafts.com.au*, True -*.lisa-ueberbacher.at*, True -*.lisawedding.tw*, True -*.lisbs.com*, True -*.lis-con.com.au*, True -*.lisignoli.net*, True -*.lislon.ru*, True -*.lisnet.ec*, True -*.lison.com*, True -*.lisoni.cl*, True -*.lisp.cc*, True -*.lisper.ch*, True -*.lisp.su*, True -*.lisscom.ro*, True -*.lissetteandscott.com*, True -*.lissyanger.com*, True -*.listabanci.ro*, True -*.lista-civica.ch*, True -*.listacivica-pianezzo.ch*, True -*.listadb.com*, True -*.listados.cl*, True -*.listanozze.com.ar*, True -*.listanto2.tk*, True -*.lista.ro*, True -*.listas.com.pe*, True -*.listen-it.com*, True -*.listenmusic.ru*, True -*.listenradio.tk*, True -*.listentocountrymusic.net*, True -*.listentotheradio.fm*, True -*.liste-orange.tk*, True -*.listeorange.tk*, True -*.listerenterprises.hk*, True -*.lister.hk*, True -*.lister-shipping.com*, True -*.liste-verte.tk*, True -*.listlagu.us*, True -*.listmailshop.com*, True -*.listonamoblamientos.com.ar*, True -*.listproperty.com.au*, True -*.listrikdanteknik.com*, True -*.litame.cz*, True -*.litecoin.co.nz*, True -*.litecoin.net*, True -*.litecsys.com*, True -*.litefreefunapp.com*, True -*.lite-logistic.com*, True -*.lite.mx*, True -*.literacybuildingblocks.com*, True -*.literallee.com*, True -*.liteshik.ru*, True -*.litesource.co.za*, True -*.litesoutbrewery.com*, True -*.lithifold.com*, True -*.lithiumus.com*, True -*.liti.cl*, True -*.litoral-costinesti.ro*, True -*.litos.co.uk*, True -*.litsoft.ru*, True -*.littlebits.cl*, True -*.littlebuddhabackup.com*, True -*.littlebuddhadigital.com*, True -*.littlecarbon.info*, True -*.littlecitystudio.com.au*, True -*.littledust.net*, True -*.littleeasels.com*, True -*.littlefingercorner.com*, True -*.littlefishbellydance.com*, True -*.littleflowerdesign.com*, True -*.littleflowerenghighschool.com*, True -*.littlegaragesale.com*, True -*.littlegreycat.co.uk*, True -*.littlehouse1692.uk*, True -*.littlehumans.co.za*, True -*.littlejaco.com*, True -*.littlejamboree.sch.id*, True -*.littleladiesroom.com*, True -*.littleladybug.us*, True -*.littleleaguewa.com*, True -*.littleleaguewad7.org*, True -*.littleleaguewa.org*, True -*.littlematrix.net*, True -*.littlemountainguideservice.com*, True -*.little-object.com*, True -*.littleowldesigns.co.uk*, True -*.littleowlshouse.co.uk*, True -*.littlepipis.co.nz*, True -*.littlepochi.hk*, True -*.littlepoliticos.com*, True -*.littlepotato.net*, True -*.littleprintstore.com.au*, True -*.littlesisters.com.au*, True -*.littlesnook.com*, True -*.littlesquire.com.au*, True -*.littlesquires.com.au*, True -*.littlestyle.com.au*, True -*.littleumph.com*, True -*.littleville.com*, True -*.littlewoodhk.com*, True -*.litt.us*, True -*.litvinovich.ru*, True -*.liuboya.com*, True -*.liujun.com*, True -*.liuluna.com*, True -*.liuxiannian.cn*, True -*.lival.biz*, True -*.livarna.si*, True -*.livarstvo.si*, True -*.live4dive.com*, True -*.liveapp.co.kr*, True -*.live-beautifully.net*, True -*.livebidonline.com*, True -*.livebidonline.net*, True -*.livebox.co.za*, True -*.livechannels.pk*, True -*.live-coach.ch*, True -*.liveditty.com*, True -*.liveforme.it*, True -*.livefortrip.com*, True -*.live-funerals.com*, True -*.livegirls.li*, True -*.livehams.com*, True -*.livehotels.ro*, True -*.live-in-portugal.co.uk*, True -*.livelarge.ro*, True -*.livelectures.com*, True -*.livelip.ru*, True -*.livemen.ru*, True -*.livemusicclose.com*, True -*.livenights.ro*, True -*.liveout.gr*, True -*.livepu.com*, True -*.live-radio.ru*, True -*.live-results.net*, True -*.live-self.com*, True -*.liveshow4.tk*, True -*.livesoftlab.tk*, True -*.livesportstv.eu*, True -*.livestream24.ro*, True -*.livetennisclub.com.ar*, True -*.livetolearn.org*, True -*.live-trick.com*, True -*.livetv24.eu*, True -*.livetvchannels.pk*, True -*.livewave.ru*, True -*.livingeasy.us*, True -*.livinggenesis.com*, True -*.livingherstory.com*, True -*.livingherstory.info*, True -*.livingherstory.net*, True -*.livingherstory.org*, True -*.livingicon.com.my*, True -*.livinginmyshoes.co.uk*, True -*.living-interieur.nl*, True -*.livingitup.com.ar*, True -*.livingmapproject.com*, True -*.livingtogether.ch*, True -*.livingtolearn.org.uk*, True -*.livinonedge.com*, True -*.livintoride.com*, True -*.livioperissin.com.ar*, True -*.livisongs.com*, True -*.livitimpianti.it*, True -*.liviubanica.ro*, True -*.liviuharbuz.ro*, True -*.liviuserban.ro*, True -*.livne.co.il*, True -*.livnex.com*, True -*.livom.in*, True -*.livraisonspharma.com*, True -*.livrariasraiva.com.br*, True -*.livresdelespoir.ca*, True -*.livresdelespoir.net*, True -*.livro.net.br*, True -*.lixardoh.com*, True -*.lix.es*, True -*.lixinhui.com*, True -*.lixinran.com*, True -*.lix.to*, True -*.lizafarrell.com*, True -*.lizardsc.com.mx*, True -*.lizat.cz*, True -*.lizerd.net*, True -*.lizwestbynunn.com*, True -*.lizze.org*, True -*.lizzyinbrizzy.com*, True -*.ljack.com*, True -*.ljcomp.co.uk*, True -*.ljhb.se*, True -*.ljhconsult.com*, True -*.ljhssailing.org*, True -*.ljkcpa.com*, True -*.ljonesplumbing.com.au*, True -*.ljosheabanjos.com.au*, True -*.ljubeznipolnaskleda.si*, True -*.ljwdeserters.com*, True -*.ljwd.org*, True -*.lkarinjanet.tk*, True -*.lkattwinkel.de*, True -*.lkgo.tk*, True -*.lkhnet.co.uk*, True -*.lki8.org*, True -*.lkngo.tk*, True -*.lkseafood.com*, True -*.lkto.tk*, True -*.lkvs.tk*, True -*.llacolenvet.cl*, True -*.llamador.cl*, True -*.llamale.net*, True -*.llamastein.com*, True -*.llanocba.com.ar*, True -*.llanocordoba.com.ar*, True -*.llbnlycmp.com*, True -*.lldex.tk*, True -*.lllorg.ro*, True -*.llluis.ca*, True -*.llmail.com.ar*, True -*.llobera.com.au*, True -*.llontario.ca*, True -*.llorer3.tk*, True -*.llort.gq*, True -*.lloyddobler.com*, True -*.lloydjones.tk*, True -*.lloydsignco.com.au*, True -*.lloydspot.info*, True -*.llpal.com*, True -*.llquizserver.com*, True -*.lltouche.com.ar*, True -*.lluvia.tk*, True -*.llwis.com*, True -*.llworld.net*, True -*.llx.us*, True -*.lmacedo.eti.br*, True -*.lmasoc.com.ar*, True -*.lmbyad.com*, True -*.lmcomp.info*, True -*.lmdr.ch*, True -*.lmgbroker.com*, True -*.lmheng.ca*, True -*.lmhtmod.com*, True -*.lmir.info*, True -*.lmj-likerz.com*, True -*.lmj-likerz.eu*, True -*.lmj-likerz.net*, True -*.lmklam.com*, True -*.lml31.net*, True -*.lmmc.com.au*, True -*.lmm.pt*, True -*.lmn9.com*, True -*.lmnice.me*, True -*.lmp4d.tk*, True -*.lm-photography.net*, True -*.lmpprk.com*, True -*.lms-l.com*, True -*.lmt-corp.tk*, True -*.lnbphotography.net*, True -*.lnbphoto.net*, True -*.lndlrd.com*, True -*.lnh.me*, True -*.lnkgo.tk*, True -*.lnkg.tk*, True -*.lnkto.tk*, True -*.lnkt.tk*, True -*.lnkvs.tk*, True -*.lnkv.tk*, True -*.lnpm.net*, True -*.lntinter.com*, True -*.lnto.tk*, True -*.lnvs.tk*, True -*.lnwmovie.com*, True -*.lnxmad.com*, True -*.loadbitfiles.org*, True -*.loadfiles.us*, True -*.load-logistics.com*, True -*.loads.cf*, True -*.loadsfree.ru*, True -*.loadstar.ca*, True -*.loadup.com*, True -*.loa.gr*, True -*.loaizas.com*, True -*.loancity.org*, True -*.loaningzone.com*, True -*.loanprocessing.com.au*, True -*.loansexpress.info*, True -*.loanthiencung.com*, True -*.loarch.ch*, True -*.lobanovskiy.ru*, True -*.lobaton.es*, True -*.lobo.com.ar*, True -*.lobo.cx*, True -*.lobomarino.cl*, True -*.lobonyc.tv*, True -*.lobo.tv*, True -*.lobowing.org*, True -*.lobq.com*, True -*.lobsterbay.hk*, True -*.lobstercrab.net*, True -*.lobsterkita.com*, True -*.lobstertrace.com*, True -*.localazo.cl*, True -*.localbargainfinder.com*, True -*.localchurch.co.za*, True -*.localfm.us*, True -*.localghost.org*, True -*.localizationeditor.com*, True -*.localization.ee*, True -*.localizez.ro*, True -*.localjobfinder.net*, True -*.localjoblistings.tk*, True -*.localnet.ca*, True -*.localnetwork.ml*, True -*.localpages.us*, True -*.localsaint.com*, True -*.localsalesmap.com*, True -*.localsearchseomarketing.com*, True -*.local.si*, True -*.local-tour.com*, True -*.localtuckerbox.com*, True -*.localtuckerbox.com.au*, True -*.location-camping-car-usa.com*, True -*.locationnamefinder.co.uk*, True -*.loc-clair.com*, True -*.locco.info*, True -*.locerson.com*, True -*.lochit.com*, True -*.lochtech.biz*, True -*.loc.im*, True -*.locke.nom.za*, True -*.lockgamerz.com*, True -*.lockham.com*, True -*.locksmith10.com*, True -*.locksmithmalta.com*, True -*.locksmithsroma.com.au*, True -*.lockwoodpr.com*, True -*.loclimatizacion.cl*, True -*.locoaventura.com*, True -*.locojefe.com*, True -*.locossaurorex.com.br*, True -*.locovfx.com*, True -*.locovfx.co.za*, True -*.loculpotrivit.ro*, True -*.locusinn.com*, True -*.locvis.ro*, True -*.lodenfamily.com*, True -*.lodesusana.com.ar*, True -*.lodgegomantak.org*, True -*.loeloebandung.web.id*, True -*.loencontre.cl*, True -*.loepfe.biz*, True -*.loepfe.mobi*, True -*.loepfe.org*, True -*.loew-baumpflege.ch*, True -*.lofchick.com*, True -*.lofotnet.net*, True -*.lofscapes.cl*, True -*.loft507.com*, True -*.loftez.co.id*, True -*.loftez.com*, True -*.loftplaymunch.co.uk*, True -*.log4jwebtracker.com*, True -*.loganation.com*, True -*.logan-inc.info*, True -*.logan.li*, True -*.loganmathews.com*, True -*.loganmounts.com*, True -*.loganpacific.ca*, True -*.loganpacific.com*, True -*.loganp.com*, True -*.loganz.net*, True -*.logbook.ga*, True -*.logbus.ru*, True -*.logcalls.com*, True -*.logesta.cl*, True -*.logg.com.ar*, True -*.loggl.ch*, True -*.loggle.ch*, True -*.loghomelights.com*, True -*.logia.ca*, True -*.logia.com.ar*, True -*.logiamanager.com.ar*, True -*.logia.org.ar*, True -*.logiator.com*, True -*.logiator.net*, True -*.logiator.org*, True -*.logicalbranch.com*, True -*.logicalguru.com*, True -*.logical-hazard.ro*, True -*.logicalmetrics.com*, True -*.logicalnetwork.com.au*, True -*.logicalproducts.com*, True -*.logicalsmackdown.com*, True -*.logicauto.org*, True -*.logic.com.br*, True -*.logicdie.com*, True -*.logicdream.ro*, True -*.logichype.com*, True -*.logiciel.ro*, True -*.logicserv.org*, True -*.logicsimplicity.com*, True -*.logigate.net*, True -*.logisoft-cy.com*, True -*.logistica-amazon.com*, True -*.logisticachile.cl*, True -*.logistica.com.mx*, True -*.logisticapremiun.com*, True -*.logisticpeople.ru*, True -*.logisticsachieverawards.co.za*, True -*.logistic-shippment.nl*, True -*.logisticsnews.co.za*, True -*.logisticsrepublic.com*, True -*.logistique.ws*, True -*.logitechchallenge.com.ar*, True -*.loglp.com*, True -*.logntw.com*, True -*.logofatu.ro*, True -*.logofix.net*, True -*.logo-fun.com*, True -*.logohat.net*, True -*.logoinn.ru*, True -*.logojam.ru*, True -*.logolotto.com*, True -*.logomancy.net*, True -*.logoschilevector.cl*, True -*.logos.g12.br*, True -*.logouri.ro*, True -*.logowow.ir*, True -*.logowow.net*, True -*.logoz.tv*, True -*.log-poz.pl*, True -*.logular.com*, True -*.logyt.com.ar*, True -*.lohmander.org*, True -*.loichuctotdep.com*, True -*.loimos.com.ar*, True -*.loisa.fi*, True -*.loishconsulting.com.au*, True -*.loisnisha.com*, True -*.lojaartmanha.com.br*, True -*.lojacentraldamidia.com*, True -*.lojadasonia.com.br*, True -*.lojadearquitetura.com*, True -*.lojadebikini.com*, True -*.lojadobahea.com.br*, True -*.lojadoesquadraotricolor.com.br*, True -*.lojadosegurado.pt*, True -*.lojaesquadraodeaco.com.br*, True -*.lojaesquadraotricolor.com.br*, True -*.lojafenix.org.br*, True -*.lojahinode.net*, True -*.lojajuridica.com.br*, True -*.lojaoficialdobahia.com.br*, True -*.lojaoficialdoecbahia.com.br*, True -*.lojarotadomar.com.br*, True -*.lojasdourado.com.br*, True -*.lojaseries.com.br*, True -*.lojaseries.net*, True -*.lojaspioneira.com.br*, True -*.lojasunilar.com*, True -*.lojasupernatural.net*, True -*.loj.co.za*, True -*.lokalasn.tk*, True -*.lokasirumah.com*, True -*.lokasitempatwisata.com*, True -*.lokation.me*, True -*.lok-elochki.ru*, True -*.lokhup.com*, True -*.lokiestar.com*, True -*.lokiworld.org*, True -*.loko54.com*, True -*.loko.one.pl*, True -*.lokovei.tw*, True -*.lokyeebb.com*, True -*.lolaelektro.ch*, True -*.lolaesthetics.ca*, True -*.lolafrost.ca*, True -*.lolamarinoss.com*, True -*.lolaworld.org*, True -*.lolbalkan.org*, True -*.lolcat.no*, True -*.lolfggt.com*, True -*.lolinada.com*, True -*.lolinator.net*, True -*.lolipopmuzik.com*, True -*.lolisa.com.ar*, True -*.loli.su*, True -*.lolk.org*, True -*.lolkumar.com*, True -*.lollasfeet.com*, True -*.lolmod.com*, True -*.lolodesigns.com*, True -*.lolokolo.cf*, True -*.lolo.md*, True -*.lolomgwtfbbq.info*, True -*.lolo.pro*, True -*.lolotamvan.tk*, True -*.lol.sh*, True -*.lomantik.ru*, True -*.lomasdelmirador.com.ar*, True -*.lombardo-veneto.net*, True -*.lombardsinteriors.com*, True -*.lomejordel.com*, True -*.lomg.cl*, True -*.lomnica.ru*, True -*.lomware.com*, True -*.lonasplayasol.com.ar*, True -*.lonatural.cl*, True -*.lond0n.tk*, True -*.londee.info*, True -*.london32.com*, True -*.london.cat*, True -*.londoncomputerfix.com*, True -*.londonmusicalcenter.co.kr*, True -*.londonperfumeshop.com.my*, True -*.londonperfumeshop.my*, True -*.londonpolaris.com*, True -*.londontime.ro*, True -*.londonwebcams.com*, True -*.lonecat.co*, True -*.lo-nely.com*, True -*.lonelycrew.biz*, True -*.lonelydino.com*, True -*.lonelypoet.com*, True -*.lonelywolfsoftware.ro*, True -*.lone-magnolia.com*, True -*.longcat.tw*, True -*.longcifa.com*, True -*.longfordcanalservices.co.uk*, True -*.longhorn.co.za*, True -*.longhurst.ch*, True -*.longhurst.es*, True -*.longisland.dj*, True -*.longisland.tk*, True -*.longislandweddinghalls.com*, True -*.longjingclubg.com*, True -*.longjinglihua.com*, True -*.long-life.info*, True -*.longlonesomego.co.uk*, True -*.longstar.hk*, True -*.long-tran.com*, True -*.longviewyachtclub.org*, True -*.longvolatility.com*, True -*.longyee-fareast.com*, True -*.lonis.com.ar*, True -*.lonix.ca*, True -*.lonkerlawgroup.com*, True -*.lonngi.com*, True -*.lonstell.com*, True -*.lonstell.co.uk*, True -*.lookahead.co.za*, True -*.lookforueshop.com*, True -*.lookids.com*, True -*.lookinglotus.com*, True -*.lookitupongoogle.com*, True -*.looklist.com.br*, True -*.look-n-cook.de*, True -*.looknfeel.co.kr*, True -*.lookqr.com*, True -*.lookrio.com.br*, True -*.looktvlive.eu*, True -*.loomer.net*, True -*.loomer.org*, True -*.loomers.org*, True -*.loonen-muchin.com*, True -*.looneylizard.com*, True -*.looow.ru*, True -*.loopdedektor.com*, True -*.loopdedektor.net*, True -*.loopercabinet.com*, True -*.loopit.co.za*, True -*.loopkit.co*, True -*.looppuzzle.com*, True -*.lootti.ir*, True -*.looxperiments.com*, True -*.lop96.cf*, True -*.lopaat.com*, True -*.lo-pedis-lo-tenes.com.ar*, True -*.lopesferreira.com.br*, True -*.lopes.pt*, True -*.lopezbienesraices.com.ar*, True -*.lopez-diego.com.ar*, True -*.lopezfagundez.com.ar*, True -*.lopezsalvans.com.ar*, True -*.lopiou.com*, True -*.loppat.com*, True -*.loprobamos.com*, True -*.lopworks.com*, True -*.loquecreas.com*, True -*.loquemedalagana.info*, True -*.loquenuncafuimos.cl*, True -*.lorahernandez.com*, True -*.loralesings.com*, True -*.lorddfu.com*, True -*.lordepsylon.es*, True -*.lordhacks.ch*, True -*.lordhiggins.me*, True -*.lordkaisar.com*, True -*.lordmaident.ml*, True -*.lordmarty.com*, True -*.lordoffish.tk*, True -*.lord-project.com*, True -*.lordscales91-testing.tk*, True -*.lordsofchaos.org*, True -*.lords-of-godness.org*, True -*.lordsofthelevy.com*, True -*.lordsofvapor.us*, True -*.lordspcs.com*, True -*.lords-prairie.org*, True -*.lordsuricato.es*, True -*.lordvisionchurch.com*, True -*.lordwap.ga*, True -*.lordylordy.org*, True -*.lordzero.ml*, True -*.loredanacomanescu.ro*, True -*.loredancomp.com*, True -*.lorenatrica.ro*, True -*.lorenhoneycutt.com*, True -*.lorenstore.com.ar*, True -*.lorenz.biz*, True -*.lorenzobeccaria.com.ar*, True -*.lorenzomagazine.com*, True -*.loretocarmona.cl*, True -*.lorex.com.br*, True -*.lorgyke.cf*, True -*.loricontesting.com*, True -*.lorien.tk*, True -*.lorimatsumoto.com*, True -*.lornestax.com*, True -*.lortopedica.ch*, True -*.lortopedicagiubiasco.ch*, True -*.losaludableymas.cl*, True -*.losamigosdejuan.com.ar*, True -*.losangelesspy.com*, True -*.losantivillekwh.com*, True -*.losarang-cyber.org*, True -*.losbrotivoros.cl*, True -*.loscamioneta.com*, True -*.loscantarostemuco.cl*, True -*.loschinosdelarralde.com.ar*, True -*.loscopihues.cl*, True -*.losemiddleagedspread.co.uk*, True -*.loseweightexercise.cf*, True -*.losgansters.com*, True -*.losgeru.cf*, True -*.loshernandez.com.ar*, True -*.loshome.com*, True -*.losinsaciables.cl*, True -*.losko.com.ar*, True -*.loskoren.com.ar*, True -*.loskysoft.com.ar*, True -*.loslobos.us*, True -*.losmolles.com.ar*, True -*.losmolleshotel.com.ar*, True -*.losmorales.mx*, True -*.lospenitentes.com*, True -*.lospensamientos.cl*, True -*.losperrosprimero.com.ar*, True -*.losperrosviejos.com*, True -*.lospital.com.ar*, True -*.losprincipes.cl*, True -*.losresistentes.com.ar*, True -*.losreyesrestaurant.com*, True -*.lossimees.com*, True -*.lostandfoundyearslater.com*, True -*.lostartchains.com*, True -*.lostbay.org*, True -*.lostbays.com*, True -*.lostbays.org*, True -*.lostbytes.us*, True -*.lostcoastcomputer.com*, True -*.lostetas.cl*, True -*.lostforest.ml*, True -*.lostgenome.com*, True -*.lostgirlspirateacademy.com*, True -*.lostgulf.com*, True -*.lostgulf.org*, True -*.lostgumball.com*, True -*.lostinhollywood.no*, True -*.lostinhollywood.se*, True -*.lostinlet.com*, True -*.lostinlet.org*, True -*.lostlander.com*, True -*.lostlove.ca*, True -*.lostpet.hk*, True -*.lostpositive.org*, True -*.lost.si*, True -*.lostwaldo.net*, True -*.loszand.com*, True -*.loszeltas.com*, True -*.loteaduanero.cl*, True -*.lotech.net*, True -*.loteria2.com.ar*, True -*.loteriasf.com.ar*, True -*.loteriasmundiales.com.ar*, True -*.lotesenlujan.com.ar*, True -*.lothar.id.au*, True -*.lotossutra.at*, True -*.lotterm.org*, True -*.lottiecloud.uk*, True -*.lottie.fr*, True -*.lotto168.com*, True -*.lottostuff.net*, True -*.lotusbell.com*, True -*.lotuscloset.com*, True -*.lotusir.com*, True -*.lotusshipping.com*, True -*.lotus.tw*, True -*.lotusware.com.ar*, True -*.loubruno.info*, True -*.loucosportrilhas-rj.com*, True -*.loudifier.com*, True -*.loudsound.com.mx*, True -*.loudsound.mx*, True -*.loudyo.ga*, True -*.loufeng.ga*, True -*.louhbo.com*, True -*.louisaagate.com*, True -*.louisa.net.au*, True -*.louisawr.net.au*, True -*.louiscoke.ga*, True -*.louiscoke.ml*, True -*.louiscoke.tk*, True -*.louisedaviesyoga.com*, True -*.louisedaviesyoga.co.uk*, True -*.louisekings.com*, True -*.louisepryor.id.au*, True -*.louisetdavies.com*, True -*.louisetdavies.co.uk*, True -*.louisettepouliot.info*, True -*.louisewulandari.com*, True -*.louis-ip.com*, True -*.louislabs.com*, True -*.louisvillerotary.net*, True -*.loukin.eu*, True -*.loukin.net*, True -*.loungefeest.nl*, True -*.loungent.com*, True -*.loupatrick.net*, True -*.loupbrun.ca*, True -*.loureiroetfils.ch*, True -*.lou.sh*, True -*.louvresolutions.com.au*, True -*.lov3535.com*, True -*.lovanesia.org*, True -*.lovatogas.ro*, True -*.lovay.com.ar*, True -*.love12a4.net*, True -*.love4fm.com*, True -*.loveablehuggable.com*, True -*.lovebitco.in*, True -*.lovebusvn.com*, True -*.lovecarylife.com*, True -*.lovecity.ro*, True -*.lovecream36.com*, True -*.love-fadilah.com*, True -*.lovefamily.hk*, True -*.lovefilm.com.br*, True -*.lovehopeindia.com*, True -*.lovehopeindia.org*, True -*.lovehost.us*, True -*.loveindiaarts.ro*, True -*.loveis34.ru*, True -*.loveisforeve.com*, True -*.lovejb.com*, True -*.loveliestfoods.com*, True -*.loveline.ro*, True -*.lovelyday.net*, True -*.lovelydgal.com*, True -*.lovely.ga*, True -*.lovelygreen.org*, True -*.lovelymag.ru*, True -*.lovelymuslimah.com.my*, True -*.lovelymuslimah.my*, True -*.lovemeorleave.me*, True -*.lovemeorleaveme.eu*, True -*.lovemovies.co.za*, True -*.lovemusicclocally.com*, True -*.lovemyrp.com*, True -*.lovenestgifts.com.au*, True -*.lovenlabels.com*, True -*.lovepyar.com*, True -*.loverita.hk*, True -*.loverwap.com*, True -*.lovetest.ro*, True -*.lovethemama.com*, True -*.lovethevendee.co.uk*, True -*.lovethosetrains.com*, True -*.lovetornadoes.com*, True -*.lovetornadoes.net*, True -*.lovetoshop.ro*, True -*.lovevariety.co.uk*, True -*.loveviea.net*, True -*.lovey.ml*, True -*.loveyoudear.ru*, True -*.lovibuket.ru*, True -*.lovingdl.com*, True -*.lovinlifeindy.org*, True -*.lovis.cl*, True -*.lovisi.ch*, True -*.lovoni.net*, True -*.lovoni.org*, True -*.loware.com*, True -*.lowbankservices.com.au*, True -*.lowbuckhost.net*, True -*.low-calorie-diet.net*, True -*.low-carb-diet.cf*, True -*.lowehomeimprovement.net*, True -*.lowelltechservices.com*, True -*.lowerplentyrealestate.com.au*, True -*.loweservices.com*, True -*.lowfeemerchant.com*, True -*.lowgrey.com*, True -*.low.id.au*, True -*.lowinthesky.com*, True -*.lowmp3.com*, True -*.lowongan-kerja.ga*, True -*.lowongankerjajawatimur.com*, True -*.lowongankerjakaltim.info*, True -*.lowongankerjaterbaru2015.info*, True -*.lowpowertvstations.com*, True -*.lowtax.hk*, True -*.loxodontaafricana.com*, True -*.loxs.co.uk*, True -*.loyal-pacific.com*, True -*.loyconsystems.pl*, True -*.loyo.biz*, True -*.loza-galileusz.pl*, True -*.lozan.com*, True -*.lozinskiy.com*, True -*.lozovski.com*, True -*.lozpexmc.tk*, True -*.lp-agentur.se*, True -*.lparquitectos.cl*, True -*.lpcpower.com*, True -*.lpcq.com.ar*, True -*.lpdne.eu*, True -*.lpgis.com*, True -*.lpg.si*, True -*.lpkdev.net*, True -*.lplifegroup.com*, True -*.lpmc.io*, True -*.lprconsultores.com.ar*, True -*.lpscss-bm.ro*, True -*.lpsgrafica.com*, True -*.lpsolve.ru*, True -*.lqforyou.at*, True -*.lqlq.co*, True -*.lqtai.com*, True -*.lr-clan.com*, True -*.lr-kiev.tk*, True -*.lrnt.tk*, True -*.lrrr.us*, True -*.lrs.ca*, True -*.lrteam.es*, True -*.lr-ukraine.ga*, True -*.lrxmarketing.co.za*, True -*.lrxm.co.za*, True -*.lsakel.eu*, True -*.lsak.eu*, True -*.lsbb.ro*, True -*.lsci.us*, True -*.lscns.co.id*, True -*.lscomm.net*, True -*.lscs.info*, True -*.lsd.org.br*, True -*.lsephotography.com*, True -*.lsfma.org*, True -*.lsfs.de*, True -*.lsm111.com*, True -*.lsm2558.com*, True -*.lsm5555.com*, True -*.lsm8888.com*, True -*.lsm99.com*, True -*.lsm99.net*, True -*.lsmaxis.com*, True -*.lsmaxis.com.au*, True -*.lsmguns.com*, True -*.lsmhistory.com*, True -*.lsmusic.us*, True -*.lsne.tk*, True -*.lsn.my*, True -*.lsn-sewingmachines.com*, True -*.lsototal.ro*, True -*.lspvs.ro*, True -*.lssa.ch*, True -*.lss-studio.com*, True -*.lsupply.com.ar*, True -*.ltbombb.info*, True -*.ltc.cl*, True -*.ltcd.co.za*, True -*.ltcmedicine.org*, True -*.ltech.hu*, True -*.ltelink.at*, True -*.lth.ro*, True -*.ltlegl.com*, True -*.ltmnujombang.web.id*, True -*.ltn.cl*, True -*.ltnibr.ro*, True -*.ltsconsulting.ro*, True -*.ltsm.ro*, True -*.ltts-rpg.com*, True -*.ltu.one.pl*, True -*.ltv.co.za*, True -*.ltweese.com*, True -*.ltxscrapyard.co.za*, True -*.lu6fai.com.ar*, True -*.lu7fuf.com.ar*, True -*.lu7ys.com.ar*, True -*.lu8fau.com.ar*, True -*.lua.cz*, True -*.luadao.ga*, True -*.luafamily.sg*, True -*.luagimenes.com.br*, True -*.lua-inas.com*, True -*.luandcrew.com*, True -*.luanna.cl*, True -*.lubbock-food.com*, True -*.lubeck.com.ar*, True -*.lubinscy.pl*, True -*.lubmu.com*, True -*.lubny.ru*, True -*.lubukdropship.my*, True -*.lubukiklan.my*, True -*.lucario.org*, True -*.lucartec.es*, True -*.lucartec.org*, True -*.lucas719.info*, True -*.lucascarnero.com.ar*, True -*.lucascarpe.com.ar*, True -*.lucasdeni.com.ar*, True -*.lucasdoyle.com*, True -*.lucasdreher.com.br*, True -*.lucashannon.com*, True -*.lucasinfo.net*, True -*.lucasmari.com.ar*, True -*.lucasmrancez.com.ar*, True -*.lucaspc.com*, True -*.lucasprado.me*, True -*.lucbegas.nl*, True -*.lucbumaylis.ca*, True -*.luccamonti.com*, True -*.lucem.org*, True -*.lucerotech.com.ar*, True -*.lucgallant.com*, True -*.luchadormasks.net*, True -*.luchaencomun.org*, True -*.luchoh.net*, True -*.luchorossi.com.ar*, True -*.luchotrejo.com*, True -*.luciacosmeticos.pt*, True -*.luciaflamenca.com*, True -*.lucianafreire.com*, True -*.lucianelgi.ro*, True -*.lucian.info*, True -*.lucianmandru.ro*, True -*.lucianm.ro*, True -*.lucianoalmeida.pt*, True -*.lucianobar.com.ar*, True -*.lucianocismondi.com.ar*, True -*.luciantataru.com*, True -*.luciasmiling.com*, True -*.lucidchat.net*, True -*.lucidesign.ro*, True -*.luciemergenza.it*, True -*.luciliunegrila.com*, True -*.lucillemay.net*, True -*.lucindadryzek.com*, True -*.lucki.com.ar*, True -*.lucklist.com.br*, True -*.lucky-agri.com*, True -*.luckyblock.net*, True -*.luckycornerx.com*, True -*.luckyflowers.com*, True -*.luckyflowers.co.uk*, True -*.luckyfrog.co.uk*, True -*.luckymessage.com*, True -*.luckymusic.hk*, True -*.lucky.one.pl*, True -*.luckyweaving.com*, True -*.luconline.net*, True -*.lucreciaugena.com.ar*, True -*.luct.org*, True -*.lucvachon.com*, True -*.lucywright.me*, True -*.ludaire.com*, True -*.ludaluke.com*, True -*.ludaluke.co.uk*, True -*.ludarchia.org*, True -*.ludensgroup.com.ar*, True -*.lude.tk*, True -*.ludicrous-speed.com*, True -*.ludimax.pt*, True -*.ludimusic.pt*, True -*.luditic.com*, True -*.ludivgorode.ru*, True -*.ludobermejo.es*, True -*.ludo-lidia.ch*, True -*.ludo-lidia.com*, True -*.ludosex.com*, True -*.ludotecsrl.it*, True -*.luefher.com*, True -*.luellayoungfoundation.org*, True -*.luene.ch*, True -*.luersweb.com*, True -*.lufatorium.com*, True -*.lugansk.xyz*, True -*.lugardegato.com.br*, True -*.lugarnomarina.com.au*, True -*.lugaro.info*, True -*.lugo-edu.net*, True -*.lugud.com*, True -*.lugue.web.id*, True -*.luhash.net*, True -*.luhtaanmaki.fi*, True -*.luies.co.za*, True -*.luigibyte.com.ar*, True -*.luigigandi.info*, True -*.luigivalente.tk*, True -*.luisabarca.cl*, True -*.luisaeraphael.com.br*, True -*.luisanthonychavez.com*, True -*.luiscamus.cl*, True -*.luiscutino.com*, True -*.luisdeltell.com*, True -*.luisdv.com*, True -*.luismella.cl*, True -*.luismiguelboto.es*, True -*.luismiravalles.com*, True -*.luismoyano.net*, True -*.luisnyc.com*, True -*.luisoyarce.cl*, True -*.luisv.com.ar*, True -*.luisvinay.com.ar*, True -*.luizbandeira.com.br*, True -*.luizclaudiofotografia.com.br*, True -*.luizicalugara.ro*, True -*.lujanproductivo.com.ar*, True -*.lujaw.com.np*, True -*.lujovodopivec.com*, True -*.lukajakin.tk*, True -*.lukakorosec.tk*, True -*.lukasandshinta.com*, True -*.lukaschuk.com*, True -*.lukasdoor.se*, True -*.lukasever.tk*, True -*.lukasluis.com*, True -*.lukasmurer.ch*, True -*.lukaszbuduje.pl*, True -*.lukaszpietrzak.pl*, True -*.luka.waw.pl*, True -*.lukealderton.co.uk*, True -*.lukeheier.com*, True -*.lukekaalim.info*, True -*.lukesbrainchunks.com*, True -*.lukeseelenbinder.com*, True -*.lukeskywalk.com*, True -*.lukesmithvt.com*, True -*.lukesmousetrap.co.uk*, True -*.lukespeers.com*, True -*.lukewalsh.co.uk*, True -*.lukewhited.com*, True -*.lukewhitelock.info*, True -*.lukiny.com*, True -*.lukitour.ch*, True -*.lukoto.com*, True -*.lukschile.cl*, True -*.lukszafron.net*, True -*.lulf.us*, True -*.lulike.ch*, True -*.luluguinness.com.br*, True -*.luluz.tk*, True -*.lumac.com.ar*, True -*.lumarstore.com.br*, True -*.lumeaartei.ro*, True -*.lumea-mea.ro*, True -*.lumelibros.com*, True -*.lumenature.com*, True -*.lumen.cl*, True -*.lumenylux.es*, True -*.lumgroup.org*, True -*.lumi4ever.info*, True -*.lumiaforum-indonesia.cz*, True -*.lumi-grid.com*, True -*.lumina-desktop.org*, True -*.luminaverde.ro*, True -*.lumini.com.mx*, True -*.lumininunta.ro*, True -*.lumiox.com.au*, True -*.lumpywombat.com*, True -*.lumzird.cf*, True -*.lunaamora.my*, True -*.luna-cornelia.ch*, True -*.lunaliu.com*, True -*.lunarmage.com.ar*, True -*.lunarminingcorporation.com*, True -*.lunarsalt.com*, True -*.lunarspotlight.com*, True -*.lunarstudios.net*, True -*.lunarville.com*, True -*.lunatalise.com*, True -*.lunaticfridge.com*, True -*.lunch-box.info*, True -*.lunchies.info*, True -*.lunchies.me*, True -*.lunchking.com*, True -*.lunchmenu.fi*, True -*.lundquist.cz*, True -*.lun.id.lv*, True -*.lunix.org*, True -*.lunixtreme.net*, True -*.lunkit.com*, True -*.lunlunlunla.com*, True -*.lunnad.com*, True -*.lunnevik.net*, True -*.lunul.ch*, True -*.lunwen.gq*, True -*.luoa.de*, True -*.luocdodientu.com*, True -*.lupadilha.com.br*, True -*.lupariapachame.com.ar*, True -*.lupeler.com*, True -*.luph.ml*, True -*.lupina.com.ar*, True -*.lupusmateria.cf*, True -*.lurecoral.cf*, True -*.lurefish.net*, True -*.lurex.com.br*, True -*.lurl.tk*, True -*.lurqui.info*, True -*.lusciouslemonades.com*, True -*.lushlawnservice.com*, True -*.luskdns.com*, True -*.lussiers.us*, True -*.lusther.com*, True -*.lustig.to*, True -*.lustkolben.com*, True -*.lutein.tw*, True -*.lutemkrat.com*, True -*.lutgen.net*, True -*.lutgen.org*, True -*.lutgentech.net*, True -*.luthfiinewbie.gq*, True -*.luthyenterprises.co*, True -*.luthyenterprises.com*, True -*.luthyenterprises.info*, True -*.lutidxem.cf*, True -*.lutus.ir*, True -*.lutyk.com.ar*, True -*.lutzenheiser.com*, True -*.lutzlathan.de*, True -*.luubackstage.com*, True -*.luv67.com*, True -*.luv77.com*, True -*.luv87.com*, True -*.luv97.com*, True -*.luvboxerdogs.us*, True -*.luvbugz.net*, True -*.luvik.com.ar*, True -*.luvlock.com*, True -*.luvmekin.cf*, True -*.luvskinny.com*, True -*.luvwiz.com*, True -*.luwsnet.com*, True -*.luwuk59.com*, True -*.lux1st.com*, True -*.lux57.com*, True -*.lux67.com*, True -*.lux87.com*, True -*.lux97.com*, True -*.luxbox.us*, True -*.luxessens.ch*, True -*.luxitdevelopment.com*, True -*.luxmaris.com*, True -*.luxpanel.uk*, True -*.luxpromotion.com*, True -*.luxpromotion.net*, True -*.luxurycarsmallorca.com*, True -*.luxurycitycars.net*, True -*.luxurydayspa.pl*, True -*.luxuryflbeachhome.com*, True -*.luxuryfloridabeachhome.com*, True -*.luxury-gifts.net*, True -*.luxuryhotelsgreece.com*, True -*.luxurypeople.ru*, True -*.luxuryrentacar.ro*, True -*.luxuryroig.com*, True -*.luxuryroig.es*, True -*.luxuryshop.ga*, True -*.luyenkimbuon.info*, True -*.luzdebicho.com.ar*, True -*.luzeterna.mx*, True -*.luzi-2.ch*, True -*.luzige.net*, True -*.luzrapoport.com.ar*, True -*.lv5.in*, True -*.lvabogados.com*, True -*.lv-circuit.com*, True -*.lvcomponentes.com.br*, True -*.lvivmusiccollection.com*, True -*.lvkita.net*, True -*.lvov.in*, True -*.lv-tool.com*, True -*.lwebber.com*, True -*.lweb.tk*, True -*.lwh.hk*, True -*.lwitcsnt.tk*, True -*.lwl.tw*, True -*.lwma.co.uk*, True -*.lwts.ru*, True -*.lxanh.org*, True -*.lxd.com.au*, True -*.lxdluke.tk*, True -*.lxnch.ro*, True -*.lxndr.ru*, True -*.lxqb.pt*, True -*.lxrowe.com*, True -*.lxrowe.net*, True -*.lyaingenieria.com*, True -*.lyalev.com*, True -*.lyasoluciones.cl*, True -*.lyastovichegnezdo.com*, True -*.lycconstruccionessa.com.ar*, True -*.lychee3.com*, True -*.lychee3solutions.com*, True -*.lyghtpath.com*, True -*.lygreenlife.com*, True -*.lyhytpsykoterapia.fi*, True -*.lykkes.tk*, True -*.lylesingleton.com*, True -*.lylesnetwork.tk*, True -*.lynchent.me*, True -*.lynck.com.ar*, True -*.lyncne.ws*, True -*.lynco.ro*, True -*.lyndon-james.com*, True -*.lyndsayanddrew.com*, True -*.lyndsayloomer.com*, True -*.lynex.ro*, True -*.lynnhaynes.com*, True -*.lynqus.com*, True -*.lynqus.net*, True -*.lynux.ro*, True -*.lynxcube.com*, True -*.lynx-world.com*, True -*.lyon-marrian.com*, True -*.lyragestioninmobiliaria.cl*, True -*.lyrastrings.hk*, True -*.lyric.al*, True -*.lyric-music.net*, True -*.lyricsonmywall.com*, True -*.lysq.cc*, True -*.lyuexuan.tk*, True -*.lyzoft.cl*, True -*.m000.net*, True -*.m0n.org*, True -*.m0nsters.cf*, True -*.m0therfucking.name*, True -*.m0v0m.net*, True -*.m0ve-on.ga*, True -*.m127.tk*, True -*.m1388.tk*, True -*.m13.in*, True -*.m18.pt*, True -*.m19.net*, True -*.m1g0x.com*, True -*.m1nd-4rt.mx*, True -*.m1nd-4rt.web.id*, True -*.m1plumbing.com*, True -*.m230.org*, True -*.m25p.org*, True -*.m25.ro*, True -*.m2bit.co.il*, True -*.m2bit-insurance.co.il*, True -*.m2d.es*, True -*.m2estudio.cl*, True -*.m2gallery.com.au*, True -*.m2hosting.ca*, True -*.m2o.dj*, True -*.m2svpoint.tk*, True -*.m2t.mx*, True -*.m-303.cf*, True -*.m34l.la*, True -*.m34l.org*, True -*.m3nje.com*, True -*.m3nje.eu*, True -*.m3systems.org*, True -*.m3ta.co.uk*, True -*.m3ta.uk*, True -*.m3th1dz.com*, True -*.m44.ir*, True -*.m4e.cl*, True -*.m4f.es*, True -*.m4il.tk*, True -*.m4kr.tk*, True -*.m4ktub.cf*, True -*.m4me.de*, True -*.m4rc.io*, True -*.m4un.tk*, True -*.m4usolucoes.com.br*, True -*.m5plus.com*, True -*.m8api.org*, True -*.m8m.es*, True -*.ma3-r.ro*, True -*.ma8nify.com*, True -*.maaaci.org*, True -*.maaf.in*, True -*.maagar.co.il*, True -*.maarifa.ch*, True -*.maarten.ch*, True -*.maasa.co.za*, True -*.maasentertainment.com*, True -*.maasstad.info*, True -*.maaswinkeltuinontwerp.nl*, True -*.maatools.com*, True -*.mabato.ir*, True -*.mabelleepoque.ch*, True -*.mabest.ch*, True -*.mabit.cl*, True -*.mabkrich.com.ar*, True -*.mabokjanda.ml*, True -*.ma-box.net*, True -*.mabsolutix.ch*, True -*.macadmincc.co.za*, True -*.mac-an6el.ro*, True -*.macaofashiongallery.com*, True -*.macaolaw.net*, True -*.macao.net*, True -*.macao.org*, True -*.macarenatoro.cl*, True -*.macarioyasoc.com.ar*, True -*.macaugolfclub.com*, True -*.macauley.info*, True -*.macauley.us*, True -*.macaushibao.com*, True -*.macausupport.com*, True -*.macberg.net*, True -*.macbit.org*, True -*.macborneokl.com.my*, True -*.macbury.pl*, True -*.macclub.co.za*, True -*.mac-cs.com*, True -*.macdes.ca*, True -*.macduffpartners.com*, True -*.maceio.com.ar*, True -*.macelectricidad.cl*, True -*.mac-elite.tk*, True -*.macelite.tk*, True -*.maces.me*, True -*.maceysoftware.com*, True -*.macfinancialrecovery.ca*, True -*.macfinancialrecovery.com*, True -*.macfp.com.au*, True -*.macgeekforum.com*, True -*.macgruberlore.pw*, True -*.machadoteatro.com.ar*, True -*.machanics.com.my*, True -*.macha.sexy*, True -*.machenry.ch*, True -*.machica.cf*, True -*.machinae.io*, True -*.machinae.se*, True -*.machinalis.com.ar*, True -*.machines.asia*, True -*.machinezdesign.com*, True -*.machipin.com.ar*, True -*.machitte.com.br*, True -*.machostlink.net*, True -*.maciejmalesa.com*, True -*.maciejwyszomirski.com*, True -*.macimae.com*, True -*.macintheoffice.com*, True -*.macitsupport.org*, True -*.mackayphotos.org*, True -*.mackayshooters.com.au*, True -*.mackay.us*, True -*.mackay.ws*, True -*.mackiebricklaying.com.au*, True -*.mackinlay.cl*, True -*.macko.me*, True -*.mackowiak.name*, True -*.mackproductions.com*, True -*.macmall.co.za*, True -*.macmillangroup.ca*, True -*.macmini.co.za*, True -*.macoma.ch*, True -*.macomaha.com*, True -*.macombcountycomputerrepair.com*, True -*.macombcountycomputerrepairs.com*, True -*.macovich.cl*, True -*.macphong.com*, True -*.macpi.in*, True -*.macpservicos.com.br*, True -*.macrame-shop.com*, True -*.macrobuild.eu*, True -*.macrocap-la.com*, True -*.macroempires.com*, True -*.macrofitasaquaticas.com.br*, True -*.macrofox.com*, True -*.macrofox.org*, True -*.macrokpi.com*, True -*.macroplc.com*, True -*.macroplus.ru*, True -*.macroprint.co.il*, True -*.macrotour.cl*, True -*.macrum.net*, True -*.macsauto-indonesia.com*, True -*.macs-bot.net*, True -*.macsoft.com.br*, True -*.macsos.eu*, True -*.macsqlstudio.com*, True -*.macstarter.nl*, True -*.macstore.co.za*, True -*.mactrix.se*, True -*.macwh0re.com*, True -*.macworldau.com*, True -*.macworldau.com.au*, True -*.macworldaustralia.com*, True -*.macworldaustralia.com.au*, True -*.macyaesthetic.com*, True -*.macykube.us*, True -*.macyszyn.com*, True -*.madain.cl*, True -*.madalinamusic.com*, True -*.madalinux.ro*, True -*.madametricoteparis.com.tr*, True -*.madamliev.com*, True -*.madanchapagain.com.np*, True -*.ma-dang.com*, True -*.madankarki.com.np*, True -*.madant.gr*, True -*.madanthakur.com.np*, True -*.madapples.us*, True -*.madaw.net*, True -*.madbadger.co.uk*, True -*.madbot.im*, True -*.madcyberspace.com*, True -*.madcyberspace.net*, True -*.maddening.org*, True -*.maddieandbelle.com*, True -*.madeaditya.com*, True -*.madebykristine.com*, True -*.madeda55.com*, True -*.madeinash.com*, True -*.made-in-china.ro*, True -*.madeinitaly.xyz*, True -*.madeinusapettoys.biz*, True -*.madelan.com.ar*, True -*.madelinewishart.com.au*, True -*.madereramilano.com.ar*, True -*.ma-desarrollos.com.ar*, True -*.ma-deuce.us*, True -*.madewithmeat.org*, True -*.madhacker.biz*, True -*.madha-store.com*, True -*.madhax.net*, True -*.madhost.ml*, True -*.madhousecircus.com.au*, True -*.madiba-classic.co.za*, True -*.madinahfm.tk*, True -*.madis-computers.ro*, True -*.madisoncountyrecorderofdeeds.com*, True -*.madisoncountyso.com*, True -*.madisonoffcampus.com*, True -*.madjad.com*, True -*.madlittlecow.com*, True -*.madmoogle.com*, True -*.mad-pad.ru*, True -*.madparking.com*, True -*.madrasah-istiqlal.sch.id*, True -*.madreseh.org*, True -*.madresestresadas.com*, True -*.madreteresa.com.br*, True -*.madretereza.com.br*, True -*.madretereza.org.br*, True -*.madridcoworking.es*, True -*.mad-scientist.co.uk*, True -*.madscientistcreations.com*, True -*.madserverhome.com*, True -*.madskristoffersen.no*, True -*.madskvalsvik.com*, True -*.madster.info*, True -*.madtoro.com*, True -*.madtown.tk*, True -*.madtrade.org*, True -*.madualshifa.com*, True -*.maduam.com*, True -*.maduhitampahit.co.id*, True -*.madumanggis.com*, True -*.madu.ml*, True -*.madung.com*, True -*.madupahitpropolis.com*, True -*.madupahit.web.id*, True -*.madurski.net*, True -*.madvps.co.uk*, True -*.madware.eu*, True -*.madware.si*, True -*.madwayz.ru*, True -*.madymaes.com*, True -*.maedehinternet.ir*, True -*.maederbiel.ch*, True -*.maeders-katzentueren.ch*, True -*.maeidson.com*, True -*.maelie.org*, True -*.maengila.net*, True -*.maennerchor-therwil.ch*, True -*.maersoft.com.ar*, True -*.maesi-fotografie.ch*, True -*.maestroinfo.ch*, True -*.maestro-mebel.com*, True -*.maestrosdelcodigo.com.ve*, True -*.maestro-xstranger.cf*, True -*.maestrozaca.com.br*, True -*.maestrulculinar.ro*, True -*.mafc.co.za*, True -*.maferssa.com.ar*, True -*.mafia.com.mx*, True -*.mafiaonline.tk*, True -*.mafiashare.co.il*, True -*.mafia.sx*, True -*.mafioso.eu*, True -*.mafix.com.br*, True -*.maftuhi.web.id*, True -*.mafya.co.il*, True -*.mag1c.com.my*, True -*.mag1c.my*, True -*.mag2.info*, True -*.magadi-pa.in*, True -*.magain-mills.com*, True -*.magain.net*, True -*.magan7.ru*, True -*.magana.cl*, True -*.maganaki.com*, True -*.magangjepangnenkin.com*, True -*.magarsus.com.tr*, True -*.magarto.com*, True -*.magarto.ga*, True -*.magazalar.com*, True -*.magaziacuunelte.ro*, True -*.magazindioda.ro*, True -*.magazinecopii.ro*, True -*.magazinefeatures.co.za*, True -*.magazinmodelism.ro*, True -*.magazinulcudetoate.ro*, True -*.magazzin.info*, True -*.magazziniteatrali.it*, True -*.magbee.com*, True -*.magbee.net*, True -*.magcache.com*, True -*.magdaferreiralamas.com.mx*, True -*.magdalia.co.za*, True -*.magedev.pro*, True -*.mageline.com*, True -*.mageline.ro*, True -*.magellus.com*, True -*.magelore.de*, True -*.magentadesign.cl*, True -*.magento4u.cn*, True -*.magentocoder.net*, True -*.magento-spain.com*, True -*.magery.ru*, True -*.m-a-g.es*, True -*.magesti.cl*, True -*.magg0t.com*, True -*.maggazin.info*, True -*.maggiebears.com*, True -*.maggiebears.co.uk*, True -*.maggiefarms.com*, True -*.maggnolia.cl*, True -*.maghrabi-bus.com*, True -*.maghsoudi.com*, True -*.magibuild.com.au*, True -*.magicacid.com*, True -*.magicake.eu*, True -*.magical-gaming.com*, True -*.magicclean-nettoyage.ch*, True -*.magiceric.be*, True -*.magicgraf.com*, True -*.magichk987.com*, True -*.magicnetwork.ro*, True -*.magicnotepress.org*, True -*.magicpast.net*, True -*.magicpennystocks1.net*, True -*.magicpool.org*, True -*.magicpvp.ml*, True -*.magicshell.com*, True -*.magicsoft.cc*, True -*.magicstocks4.com*, True -*.magic-tictac.ro*, True -*.magic-touch-massage.ch*, True -*.magicturk.com.tr*, True -*.magicwandmedia.com*, True -*.magikal.tk*, True -*.magiko.cl*, True -*.magimedia.ro*, True -*.magister.pro*, True -*.magister.si*, True -*.magixnetworks.org*, True -*.magland.org*, True -*.maglid.com*, True -*.magma3.com*, True -*.magma3interactiva.com*, True -*.magmu.com*, True -*.magna-corp.com*, True -*.magna-corp.ru*, True -*.magnaepxyion.com*, True -*.magnaepxylon.com*, True -*.magnarider.com*, True -*.magnasoft.com.ar*, True -*.magnetix.co.il*, True -*.magnifiedhealing-chinese.com*, True -*.magnigyro.hk*, True -*.magnitostroy.com*, True -*.magn-it.ru*, True -*.magnolia.one.pl*, True -*.magnoshop.com*, True -*.magnotonus.com.ar*, True -*.magnumit.com.au*, True -*.magnuscrista.com*, True -*.magnusll.info*, True -*.magnuspetersson.com*, True -*.magomai.com*, True -*.magoro.ro*, True -*.magossi.tk*, True -*.magosten.com*, True -*.magri.ca*, True -*.magsuplementos.com.ar*, True -*.maguire1.com*, True -*.maguiymati.com.ar*, True -*.magul.ro*, True -*.magumbo.net*, True -*.magumbu.net*, True -*.magwazabrokers.co.za*, True -*.magyarmu.com*, True -*.magysushi.cl*, True -*.mahaasin.tv*, True -*.mahabeer.info*, True -*.mahajayaprint.com*, True -*.mahakam.net*, True -*.mahalnamahalkita.com*, True -*.maha-meru.tk*, True -*.maharani.fm*, True -*.mahardika.org*, True -*.mahasiswa.cf*, True -*.mahasiswa.info*, True -*.mahasiswi.info*, True -*.mahdagm.ir*, True -*.mahdas.com*, True -*.mahdas.ir*, True -*.mahdas.net*, True -*.mahdas.org*, True -*.mahdikhosravi.com*, True -*.mahdooneh.com*, True -*.mahendra.web.id*, True -*.mahertec.cl*, True -*.mahesaputra.com*, True -*.maheshbhusal.com.np*, True -*.maheshdahal.com.np*, True -*.maheshj.info*, True -*.maheshthegreat.com.np*, True -*.mahicks.org*, True -*.mahirakhan.pk*, True -*.mahjong-gbg.se*, True -*.mahjong.si*, True -*.mahkotaabadi.com*, True -*.mahkota.info*, True -*.mahoc0de.com*, True -*.mahollin.com*, True -*.mahoodoor.ir*, True -*.mahoodoors.ir*, True -*.mahumas.com.my*, True -*.mahzoun.ir*, True -*.maiaps.co.uk*, True -*.maichel.com.ar*, True -*.maiclasic.ro*, True -*.maid-1004.com*, True -*.maid2moplongisland.com*, True -*.maid-of-honor.net*, True -*.maie.net*, True -*.maierconsultingconstruction.com*, True -*.maihao.tk*, True -*.maiku.eu*, True -*.mail2archive.com*, True -*.mail2world.co.za*, True -*.mail666.com*, True -*.mail8.cf*, True -*.mail8.ga*, True -*.mail999.com*, True -*.mailanlis.com.ar*, True -*.mailatme.net*, True -*.mail-business.tk*, True -*.maildomain.tk*, True -*.mailerg.com*, True -*.mailfake.tk*, True -*.mailfr.ch*, True -*.mail-hygiene.net*, True -*.mailing001.tk*, True -*.mailinglistshop.com*, True -*.mailinglists.ml*, True -*.mailinh.ch*, True -*.mailjames.com*, True -*.mailmania.ro*, True -*.mail-mweb.co.za*, True -*.mailnavet.se*, True -*.mailnhi.com*, True -*.mailnri.com*, True -*.mailnwv.com*, True -*.mailof.me*, True -*.mailonclouds.com*, True -*.mailorderchrome.com*, True -*.mailorderchrome.net*, True -*.mailordertruck.com*, True -*.mailparagon-group.co.uk*, True -*.mailpipe.net*, True -*.mailso.tk*, True -*.mailspotseven.in*, True -*.mail-v.tk*, True -*.mailwarrior.net*, True -*.mailway.ro*, True -*.mailxchange.co.uk*, True -*.maimult.ro*, True -*.ma-inc.asia*, True -*.mainegeek.com*, True -*.mainejustice.org*, True -*.mainemds.com*, True -*.mainetenants.org*, True -*.mainfrontdesk.in*, True -*.mainhape.com*, True -*.mainlineholisticdoctor.com*, True -*.mainmag.co*, True -*.mainmag.org*, True -*.mainpaste.com*, True -*.mainperiodical.org*, True -*.mainpublication.org*, True -*.mainrdmedical.com.au*, True -*.mainsail.pt*, True -*.mainstreetwaverly.com*, True -*.maintenance-despont.ch*, True -*.mainvps.be*, True -*.mainwaymachinery.com*, True -*.maipografia.cl*, True -*.maisfamilialondrina.com.br*, True -*.maiskii.ru*, True -*.maisonborn.ch*, True -*.maisondelaliterie.ch*, True -*.maison-des-cerises.com*, True -*.maisondupasta.ga*, True -*.maison-en-paille.ch*, True -*.maisonenpaille.ch*, True -*.maison-riviere.hk*, True -*.maisquecuidar.com*, True -*.maisquecuidar.pt*, True -*.maistocadas.com*, True -*.mait.biz*, True -*.maitremenuiserie.ch*, True -*.maitreya.ru*, True -*.maitri.tk*, True -*.maix.info*, True -*.majahaeberling.ch*, True -*.majalahkartini.co.id*, True -*.majalahlelaki.ml*, True -*.majalahtante.com*, True -*.majalah-wanita.com*, True -*.majanayim.cl*, True -*.majaremote.nl*, True -*.majasvilla.com*, True -*.majataloloviisa.fi*, True -*.majatanzt.ch*, True -*.majavidmar.com*, True -*.majestypress.ro*, True -*.majf.net*, True -*.majkiboy.com*, True -*.majmun.tk*, True -*.maj.name*, True -*.majoitus.ee*, True -*.majometalkovosrot.sk*, True -*.major-a1.com*, True -*.major-a2.com*, True -*.majordiscount.ca*, True -*.majordiscountportland.ca*, True -*.majorharvey.com*, True -*.majorsforminors.com*, True -*.majorwap.com*, True -*.majuselangorfm.my*, True -*.majzeljgersak.com*, True -*.mak89.ch*, True -*.makacs.com*, True -*.makakikus.tk*, True -*.makanalar.com*, True -*.makannarsis.com*, True -*.makassar.cf*, True -*.makassarobatkuat.com*, True -*.makassarrunningfestival.com*, True -*.makassar.xyz*, True -*.makaveli.tk*, True -*.makdown.com*, True -*.makeadoc.org*, True -*.makeadreamstables.com*, True -*.makeamenu.com*, True -*.makeaminyan.com*, True -*.makeartnotwar.com.au*, True -*.makeawish.com.ar*, True -*.makeawish.org.my*, True -*.makebtc.tk*, True -*.make.com.ar*, True -*.makeitfappen.pw*, True -*.makeitsimple.hk*, True -*.makelifeeco.pl*, True -*.makementoringwork.com*, True -*.makemoney157.ga*, True -*.makenarae.me*, True -*.makenewme.com*, True -*.makenub.com*, True -*.makerdate.eu*, True -*.makerdate.se*, True -*.makers.gr*, True -*.maker-space.com*, True -*.makesocialcartography.com*, True -*.makesthi.web.id*, True -*.makethebestoflife.com*, True -*.makeupbuzz.co.uk*, True -*.make-up.cl*, True -*.makeup-pengantin.com*, True -*.makeupreviewonline.com*, True -*.makeupyourmind.ro*, True -*.makey.md*, True -*.makeyourcashcow.com*, True -*.makeyourownvirtualpet.net*, True -*.makhadi.com*, True -*.makhteshim-agan.ro*, True -*.makifamily.com*, True -*.makinaparcasi.com*, True -*.makineparcasi.com*, True -*.makinjaya.com*, True -*.makisupa.org*, True -*.makmos.com*, True -*.makmur-bersama.co.id*, True -*.makmurcomputerstationery.com*, True -*.makmurjayakimia.com*, True -*.makny.us*, True -*.makoto.gr*, True -*.makrotopia.org*, True -*.maksd.info*, True -*.maksd.ru*, True -*.maksimgradnja.rs*, True -*.maksim.pro*, True -*.maksimsorokin.com*, True -*.maksodor.eu*, True -*.maktabat-online.com*, True -*.maktubdance.com*, True -*.makuc.net*, True -*.makunz.ch*, True -*.makxs.com*, True -*.malabarbichette.fr*, True -*.malaclase.cl*, True -*.maladarte.pt*, True -*.malagarentacar.com.ar*, True -*.malahin.ro*, True -*.malaidea.cl*, True -*.malaikabeachresort.com*, True -*.malakcommunityshed.org.au*, True -*.malakoff-vinzel.ch*, True -*.malakta.fi*, True -*.malam.or.id*, True -*.malang.co.uk*, True -*.malang.in*, True -*.malapecora.net*, True -*.malapersona.cl*, True -*.malaquias.net*, True -*.malaysiachurches.org*, True -*.malaysiagazette.com.my*, True -*.malaysiagazette.my*, True -*.malaysiahotel.de*, True -*.malaysiahotels.de*, True -*.malaysiajobsite.com*, True -*.malaysiamuslim.com*, True -*.malaysianumber.com*, True -*.malaysianunderwater.com*, True -*.malaysiapcrental.com*, True -*.malaysiatourpackages.com.my*, True -*.malaysiatrainer.com*, True -*.malcho.net*, True -*.malcho.org*, True -*.malc.in*, True -*.malcolms.co.nz*, True -*.malczewski.com*, True -*.maldicoes.com.br*, True -*.malditonerd.com*, True -*.maldoror.tk*, True -*.maledetta.com*, True -*.maleficarum.mx*, True -*.maleimpotencepill.com*, True -*.malematorras.com.ar*, True -*.malepix.net*, True -*.malermeister.ml*, True -*.maler.ml*, True -*.malesunduh.com*, True -*.malewolf.com*, True -*.malez.ml*, True -*.malhuesli.ch*, True -*.malihaomair.com*, True -*.malikisblogger.net*, True -*.malingcode.ml*, True -*.maling.pro*, True -*.maliri.net*, True -*.maliweb.at*, True -*.maliyetformu.com*, True -*.mallagent.com*, True -*.mallick.pk*, True -*.mallicoat.net*, True -*.mallmaint.co.uk*, True -*.malloco.cl*, True -*.mallorcaluxurycars.com*, True -*.malloryag.com*, True -*.malloy.im*, True -*.malmo.cl*, True -*.malmost.it*, True -*.maln.co.uk*, True -*.maln.uk*, True -*.maloca.nl*, True -*.malossi.asia*, True -*.malossistore.jp*, True -*.malossi.tw*, True -*.malou.com.ar*, True -*.malphite.com.au*, True -*.maltebischoff.tk*, True -*.maltmug.com*, True -*.maluma.co.za*, True -*.maluma.info*, True -*.malu-malu.in*, True -*.maluwilz.lv*, True -*.maluwilz.ro*, True -*.malvazija.si*, True -*.malveira.com.br*, True -*.malverntrader.info*, True -*.malvinaborgelt.com*, True -*.malvinashop.com*, True -*.malvina.tv*, True -*.malwagwalior.com*, True -*.mamacollections.com*, True -*.mamaerecomenda.com.br*, True -*.mamah.cf*, True -*.mamakan.ru*, True -*.mamamehavenidolaregla.com*, True -*.mamanasydney.com*, True -*.mamandunet.com*, True -*.mamanli.ir*, True -*.mamanz.my*, True -*.mamapetytna.pl*, True -*.mama-porno.ru*, True -*.mamarosnoani.com.my*, True -*.mamba.ee*, True -*.mambamail.com*, True -*.mambaonline.co.za*, True -*.mambodev.com*, True -*.mambomail.com*, True -*.mamco.com.au*, True -*.mamds.com*, True -*.mame32.cl*, True -*.mame.cl*, True -*.mamicasicopilul.ro*, True -*.mamido.net*, True -*.mammonhills.com.ve*, True -*.mammothdv.ru*, True -*.mammutdivision.ro*, True -*.mammutproducciones.cl*, True -*.mamonhills.com.ve*, True -*.mampirbro.web.id*, True -*.mana-artistavisual.com.ar*, True -*.manabagus.com*, True -*.mana.co.id*, True -*.manado.ga*, True -*.manado.xyz*, True -*.manageddevices.tk*, True -*.managementbymedia.ch*, True -*.manager-365.com*, True -*.manageri.fi*, True -*.managerskalender.nl*, True -*.manageworks.com.tr*, True -*.managingb2b.com*, True -*.managingb2b.net*, True -*.manajemenhartaislami.com*, True -*.manakamanafancystores.com.np*, True -*.manalagu.net*, True -*.manapool.net*, True -*.manarat.com*, True -*.manasit.com.ar*, True -*.manasrajaram.com*, True -*.manaugh.net*, True -*.manauscenter.com.br*, True -*.manausclass.com.br*, True -*.manavella.com.ar*, True -*.manbuengkum.com*, True -*.mancaretaraneasca.ro*, True -*.manchesternmore.com*, True -*.manchesternmore.com.au*, True -*.manchester-united.club*, True -*.manchzhury.ru*, True -*.mancia.com.ar*, True -*.manciniconsulting.it*, True -*.mancinidigital.com.ar*, True -*.mancitycafe.com*, True -*.mancollado.es*, True -*.mancrusher.com*, True -*.mancur-olson.com.ar*, True -*.manczak.de*, True -*.mandafruta.com.ar*, True -*.mandailingnatal.com*, True -*.mandaranailspa.com*, True -*.mandarano.us*, True -*.mandarinacorp.com*, True -*.mandarjadhav.com*, True -*.mandelbaer.ch*, True -*.mandelbaer.li*, True -*.mandel-baerli.ch*, True -*.mandelbaerli.ch*, True -*.mandelbaerli.net*, True -*.mandelbaerli.org*, True -*.mandelengel.ch*, True -*.mandeleule.ch*, True -*.mandelhase.ch*, True -*.mandelherz.ch*, True -*.mandelkatze.ch*, True -*.mandelloewe.ch*, True -*.mandelmaendli.ch*, True -*.mandelmaus.ch*, True -*.mandelpferd.ch*, True -*.mandelsteinbock.ch*, True -*.mandelstern.ch*, True -*.mandeltuermli.ch*, True -*.mander.ca*, True -*.mandest.com*, True -*.mandhplum.net*, True -*.mandibolaku.com*, True -*.mandinga.com*, True -*.mandino69.com*, True -*.mandirijayateknik.co.id*, True -*.mandirimajumandiri.com*, True -*.mandiripay.com*, True -*.mandiriputrabangsa.com*, True -*.mandiriteknik.net*, True -*.mandiritendatanahabang.com*, True -*.mandl.me*, True -*.mandon.me*, True -*.mandrakenet.com*, True -*.mandrex.com*, True -*.mandylui.com*, True -*.mandymckenzie.com*, True -*.manecoautomoveis.com.br*, True -*.manekinekophoto.com*, True -*.maneletari.ro*, True -*.manenski.com*, True -*.manfrediasociados.com.ar*, True -*.manfredini.net.br*, True -*.manfredlanzsa.ch*, True -*.manfredonia.net*, True -*.manfrey.cl*, True -*.manfrindistribuidora.com.br*, True -*.mangabay.net*, True -*.mangadiscuss.info*, True -*.mangaflick.com*, True -*.mangageek.com*, True -*.mangaku.id*, True -*.manganaro.com.ar*, True -*.manganarorozas.com.ar*, True -*.mangan.tk*, True -*.mangasos.net*, True -*.mangasos.org*, True -*.mangdadangg.tk*, True -*.mange-at-tous.tk*, True -*.mangelesvargas.cl*, True -*.mange-machine.org*, True -*.manger.cl*, True -*.mangga2shop.com*, True -*.manggaraikab.go.id*, True -*.manggistech.com.my*, True -*.mangialsonic.com.ar*, True -*.mangoad.com.ar*, True -*.mangoemex.com*, True -*.mangofandango.com.au*, True -*.mango.org.ua*, True -*.mangosoftware.org*, True -*.mangosteenrd.com*, True -*.mangotank.com*, True -*.mangrovejacknoosa.com.au*, True -*.mangushov.ru*, True -*.manhattanescorts.org*, True -*.mani33.com*, True -*.mania2.net*, True -*.maniactattoo.com.ar*, True -*.maniahosting.org*, True -*.maniatecnocel.com.br*, True -*.manica.org*, True -*.manicresin.com*, True -*.manic.tk*, True -*.maniel.one.pl*, True -*.manieres.lv*, True -*.manifestodromo.es*, True -*.manikdjs.com.au*, True -*.manikdjs.net.au*, True -*.manilaautogas.com*, True -*.manilalink.com*, True -*.manipatlu.com*, True -*.manis.gq*, True -*.manishadhar.com*, True -*.manishakarki.com.np*, True -*.manishma.com.ar*, True -*.manishmj.com.np*, True -*.manishnene.com*, True -*.manisite.com*, True -*.maniso.info*, True -*.manivu.tk*, True -*.mankenskiold.se*, True -*.mankis.ch*, True -*.mankpp.com*, True -*.man-land.ch*, True -*.manlyvolleyball.asn.au*, True -*.mannacabanna.com*, True -*.manncloud.ca*, True -*.manncraft.co.nz*, True -*.manncraft.nz*, True -*.mannerpro.net*, True -*.manningmob.com*, True -*.mannlocal.tk*, True -*.mannmithut.ch*, True -*.mannundumwelt.ch*, True -*.mannyaslam.co*, True -*.manoahinvest.com*, True -*.manoalzada.net*, True -*.manocho.com.ar*, True -*.manocornuto.com*, True -*.manofmud.info*, True -*.manofraterna.com*, True -*.manojsapkota.com.np*, True -*.manolovici.ro*, True -*.manonhand.com*, True -*.mano-puslapis.tk*, True -*.manpower.cf*, True -*.manpower.ga*, True -*.manpower.ml*, True -*.manpowers.cf*, True -*.manpowers.ga*, True -*.manpowers.ml*, True -*.manpowers.tk*, True -*.man-ra.com.ar*, True -*.manray.bz*, True -*.manseguros.cl*, True -*.manshoorkashef.ir*, True -*.mansikkatila.fi*, True -*.mansionvalcea.ro*, True -*.mansmith.net*, True -*.mansour.ch*, True -*.mansuang.info*, True -*.mansuang.net*, True -*.mansuang.org*, True -*.mansurakarta.sch.id*, True -*.mansurengenharia.com.br*, True -*.mantambakberas.com*, True -*.mantavyagajjar.com*, True -*.mantavyagajjar.in*, True -*.mantej.co.uk*, True -*.mantenboshi.co.id*, True -*.mantenersoluciones.com.ar*, True -*.mantisbt.tk*, True -*.mantistrader.cl*, True -*.mantorny.com*, True -*.mantravadi.in*, True -*.mantripragada.com.br*, True -*.mantuanet.com*, True -*.mantua.us*, True -*.mantulenko.com*, True -*.mantyk.net*, True -*.manualhtml.ro*, True -*.manualscolarhtml.ro*, True -*.manualtherapie-wittlich.de*, True -*.manualusuario.com.ar*, True -*.manuela.co.za*, True -*.manuelcabada.com.ar*, True -*.manuelgarcia.com.ve*, True -*.manuelhernandez.com.ar*, True -*.manuelymariel.com.ar*, True -*.manukwalet.com*, True -*.manuli.com.ar*, True -*.manulife.cf*, True -*.manu-net.org*, True -*.manuromania.ro*, True -*.ma-nurulhuda.sch.id*, True -*.manuscapital.com*, True -*.manuscar.com.br*, True -*.manusiaindonesia.com*, True -*.manuu.ch*, True -*.manventory.co.uk*, True -*.manyacs.ro*, True -*.manyhandscollective.com*, True -*.manyu.tk*, True -*.manzanapple.com.ar*, True -*.manzanares.com.ve*, True -*.manzanillogps.com*, True -*.manzobros.com*, True -*.mao.fi*, True -*.maosativas.com.br*, True -*.mao.tv.br*, True -*.mapaconstruccion.org.ar*, True -*.map-administracion.com.ar*, True -*.mapaparaconversar.com*, True -*.mapaplace.com*, True -*.mapasynegocios.cl*, True -*.mapcom.com.ar*, True -*.mapetalaunib.or.id*, True -*.mapguide.ca*, True -*.mapleace.net*, True -*.maplefarms.ca*, True -*.maple-moose.ca*, True -*.maplesandcalder.hk*, True -*.mapleshadow.com*, True -*.maple.zone*, True -*.maposonic.com*, True -*.mappa.hk*, True -*.mapperley.net*, True -*.mapphoto.es*, True -*.mappingpro.cl*, True -*.mappuchan.com*, True -*.maps.md*, True -*.maps.org.il*, True -*.mapumandala.cl*, True -*.mapye.com*, True -*.mapye.net*, True -*.mapyton.fi*, True -*.maquitec.com.ar*, True -*.mar99tin.com.ar*, True -*.maracaibohosting.com*, True -*.maracineanu.ro*, True -*.marafioti.net.au*, True -*.marambioingenieros.cl*, True -*.maranathabus.com.ar*, True -*.maranatha-cog.org*, True -*.maraschino.tk*, True -*.marathongolfday.com*, True -*.marathonmatters.ca*, True -*.marathonrubicon.com*, True -*.marathonwarranty.ca*, True -*.maraton10k.com.ar*, True -*.maravedis.com*, True -*.marbilder.com.ar*, True -*.marbleheadsportsman.com*, True -*.marbleindonesia.com*, True -*.mar-b-poodles.com*, True -*.marby.se*, True -*.marc0.net*, True -*.marcano.net.ve*, True -*.marca-rojo.com.ar*, True -*.marcarojo.com.ar*, True -*.marcbudofsky.me*, True -*.marcelaciraudo.com.ar*, True -*.marcel-andree.de*, True -*.marcelbanvillearchitecte.com*, True -*.marceldevries.tk*, True -*.marceleira.com*, True -*.marcelloazambuja.com*, True -*.marceloancelmo.com*, True -*.marceloancelmo.com.br*, True -*.marceloautomoveisguapore.com.br*, True -*.marcelogattas.com.ar*, True -*.marcelogore.com.ar*, True -*.marceloguillen.com.ar*, True -*.marcelojorgelima.com.ar*, True -*.marcelolopes.com.br*, True -*.marceloroyo.com.ar*, True -*.marcelovercillo.com.ar*, True -*.marcelsmit.info*, True -*.marcenes.com.br*, True -*.marcgd.com*, True -*.marchd.ru*, True -*.marche-corsy.ch*, True -*.marcheggiani.ch*, True -*.marcheologo.tk*, True -*.marche-viret.ch*, True -*.marciademenezes.info*, True -*.marciapinho.com.br*, True -*.marcihawkins.com*, True -*.marcio.com.ar*, True -*.marciofalcao.com.br*, True -*.marcion.info*, True -*.marciopetry.com.br*, True -*.marciopetry.net.br*, True -*.marcluethi.ch*, True -*.marcman.eu*, True -*.marcman-perfume.com*, True -*.marcmk.nl*, True -*.marcnuri.com*, True -*.marcoalbornoz.com.ar*, True -*.marco-beuret.ch*, True -*.marcodigital.es*, True -*.marcodominguez.com.ar*, True -*.marcodonati.info*, True -*.marco-leong.com*, True -*.marcoloiodice.com*, True -*.marcomol.com.ve*, True -*.marconunes.pt*, True -*.marcopadang.com*, True -*.marco-poppies.com*, True -*.marcoranieri.tk*, True -*.marcoscleri.com.ar*, True -*.marcoscontador.com.br*, True -*.marcostorino.com.ar*, True -*.marcovera.cl*, True -*.marcovizcarra.com*, True -*.marcphillips.net*, True -*.marcraiova.ro*, True -*.marcschnyder.ch*, True -*.marcu.ro*, True -*.marcusallergies.com*, True -*.marcusleandro.com.br*, True -*.marcusnyberg.com*, True -*.mardecreta.com.mx*, True -*.mardelplatait.com.ar*, True -*.marduk.tv*, True -*.marein-re.com*, True -*.mareintex.com.ar*, True -*.marek.ca*, True -*.marekzagol.com*, True -*.marenas.cl*, True -*.marengo.kz*, True -*.mare.nom.za*, True -*.m-arera.gq*, True -*.margarekhadaily.com.np*, True -*.margaretann.net*, True -*.margaretriverhampers.com.au*, True -*.margaride.es*, True -*.margasari.tk*, True -*.margaseta.com*, True -*.margeopro.com*, True -*.margiel.eu*, True -*.margingangs.net*, True -*.margitech.ro*, True -*.margocovington.com*, True -*.margon.fi*, True -*.margorochelle.com*, True -*.margot.ro*, True -*.margrop.com*, True -*.marhayu.info*, True -*.marhitectura.ro*, True -*.mariaalexe.ro*, True -*.mariabernardita.com*, True -*.mariaestaloca.cl*, True -*.mariagabriel.ro*, True -*.mariage-vrn.ru*, True -*.mariajael.com.ar*, True -*.mariajoserodriguez.es*, True -*.mariajuana.cl*, True -*.maria-mengwasser.de*, True -*.mariamisterios.cl*, True -*.marianadelfrari.com*, True -*.marianagestoria.com.ar*, True -*.mariana-iatagan.ro*, True -*.marianamente.com*, True -*.marianapierrot.com*, True -*.marianaydiego.com*, True -*.marianduma.com*, True -*.marianeladri.com.ar*, True -*.marianlein.de*, True -*.marianne-braunschweiler.ch*, True -*.mariannesmagic.com*, True -*.marianobatista.com.ar*, True -*.marianoheredia.com.ar*, True -*.marianomacri.com.ar*, True -*.marianomarcos.com.ar*, True -*.marianomotto.com.ar*, True -*.marianowahlmann.net*, True -*.mariaoe.com*, True -*.mariapostu.ro*, True -*.mariapoyatos.com*, True -*.mariareadewords.com*, True -*.mariasa.com.br*, True -*.mariasarz.com.ar*, True -*.mariavandijk.nl*, True -*.mariavioleta.ro*, True -*.mariax.ru*, True -*.maribelajar.org*, True -*.maricsek.tk*, True -*.maricult.no*, True -*.marieblazek.com*, True -*.marie-favre.ch*, True -*.marieflanagan.co.uk*, True -*.mariemillerart.com*, True -*.marigoldnaturalhealth.ca*, True -*.marigoldnaturalhealth.com*, True -*.marigoldpharmacy.ca*, True -*.mari.id.au*, True -*.marijuanadependence.com*, True -*.marikinacgi.com*, True -*.marikoshack.com.my*, True -*.marilungo.com.ar*, True -*.marilynhotes.com*, True -*.marinachandlery.com*, True -*.marinaeventos.com.ar*, True -*.marinamagnani.com.ar*, True -*.marinasalgar.com*, True -*.marinasokcic.com*, True -*.marinclub290.cl*, True -*.marineandleisure.asia*, True -*.marineandleisure.co.nz*, True -*.marineandleisure.info*, True -*.marineandleisure.net*, True -*.marineandleisure.net.au*, True -*.marineandleisure.net.nz*, True -*.marineandleisure.nz*, True -*.marinediscountsupplies.asia*, True -*.marinediscountsupplies.co.nz*, True -*.marinediscountsupplies.info*, True -*.marinediscountsupplies.net*, True -*.marinediscountsupplies.net.nz*, True -*.marinediscountsupplies.nz*, True -*.marineequipment.asia*, True -*.marineequipment.co.nz*, True -*.marineequipment.info*, True -*.marineequipment.net.nz*, True -*.marineequipment.nz*, True -*.marinemaju.com*, True -*.marinetetis.com*, True -*.marinetraining.lv*, True -*.marinico.mx*, True -*.marinlarm.se*, True -*.marin.li*, True -*.marinu666.co.uk*, True -*.marinvito.tk*, True -*.mario24horas.com*, True -*.marioadami.com.br*, True -*.mariocollin.com*, True -*.mariodon.tk*, True -*.mariogalea.co.uk*, True -*.mario-lopes.pt*, True -*.mariomartinez.cl*, True -*.mariomontoto.com.ar*, True -*.marionnaud-parfumerie.ro*, True -*.marionrdusedcars.com.au*, True -*.mariopopa.ro*, True -*.mariosjewellers.com*, True -*.mariosjewellers.co.za*, True -*.mariosloganholme.com*, True -*.mariosloganholme.com.au*, True -*.mario-uecker.de*, True -*.mariowilke.com*, True -*.mariozahra.com*, True -*.mari-pablo.es*, True -*.maripablo.es*, True -*.mariquitacoqueta.com*, True -*.marisalinfang.com*, True -*.marisdatabase.ro*, True -*.marisiamuseum.ro*, True -*.marisibrothers.com*, True -*.marith.com*, True -*.maritimecomputer.com*, True -*.maritimetrading.fi*, True -*.maritimetradingfinland.fi*, True -*.mariuli.com*, True -*.mariusbaras.ro*, True -*.mariusl.com*, True -*.mariusogrean.ro*, True -*.mariusvatamanu.ro*, True -*.mariuszostapowicz.com*, True -*.markathing.cf*, True -*.markavis.info*, True -*.markbrophy.com*, True -*.markcantin.com*, True -*.markcates.com*, True -*.markconcreteproducts.com*, True -*.markdoran.com*, True -*.markduckworth.com*, True -*.markeby.net*, True -*.markerot.com*, True -*.marketaccessllc.com*, True -*.marketdata.ir*, True -*.marketdrift.com*, True -*.marketeg.se*, True -*.marketing4love.com*, True -*.marketing-aventura.com*, True -*.marketingeinovacao.com.br*, True -*.marketingenlinea.info*, True -*.marketing-group.com.mx*, True -*.marketinginovacao.com.br*, True -*.marketingnewsouthwales.com*, True -*.marketing-people.ru*, True -*.marketingplace.ro*, True -*.marketlens.com.ar*, True -*.marketos-apartments.gr*, True -*.marketpedia.org*, True -*.marketpedia.ru*, True -*.marketsightllc.com*, True -*.marketstreethouse.org*, True -*.marketvoc.com*, True -*.marketwatch.ch*, True -*.marketwood.com.au*, True -*.markhaden.com*, True -*.markhairstudio.com*, True -*.mark-hansen.com*, True -*.markholden.net*, True -*.markhome.info*, True -*.markisfullofshit.com*, True -*.markitos.com.br*, True -*.markitos.tk*, True -*.mark-kate.co.uk*, True -*.markkomel.tk*, True -*.markkwhelan.com*, True -*.marklawrencephotographers.com*, True -*.marklu.com*, True -*.markmile.tk*, True -*.markmoffat.com*, True -*.markmorow.com*, True -*.marknas.com*, True -*.markosoft.ro*, True -*.markovec.net*, True -*.markovec.org*, True -*.markov.net.ru*, True -*.markparsons.ca*, True -*.markparsons.com*, True -*.markperrymedia.com*, True -*.mark-properties.com*, True -*.markquartchev.com*, True -*.markquartchevrolet.com*, True -*.markquart.com*, True -*.markquartgm.com*, True -*.markquartlube-n-wash.com*, True -*.markquartmotors.com*, True -*.markquarttoyota.com*, True -*.markradler.us*, True -*.mark-roche.com*, True -*.marksiesplace.co.uk*, True -*.markspcrepair.co.uk*, True -*.markstdenis.com*, True -*.markstickel.com*, True -*.markstore.ir*, True -*.marksworld.org*, True -*.marktholomieu.com*, True -*.marktintegration.de*, True -*.marktluecke-berlin.de*, True -*.markusbaker.com*, True -*.markusb.ch*, True -*.markus.ca*, True -*.markus-gerber.ch*, True -*.markusglobal.com*, True -*.markus-kling.net*, True -*.markusoft.se*, True -*.mark-us.tk*, True -*.markusvuori.eu*, True -*.markuswidjayais.me*, True -*.markus-wutzler.de*, True -*.markwallis.org*, True -*.markwinter.net*, True -*.markwwallace.com*, True -*.marlenebossous.com*, True -*.marluan.com.br*, True -*.marmaras-nav.com*, True -*.marmitaco.com.mx*, True -*.marmoleriacravero.com.ar*, True -*.marmoleriascaminaci.com.ar*, True -*.marmotastudio.com*, True -*.marnoch.us*, True -*.marobo.com*, True -*.maroboscooters.com*, True -*.marogri.ro*, True -*.maroochydorefreshcafe.com*, True -*.maroochydorefreshcafe.com.au*, True -*.maroogle.co.za*, True -*.marosh.info*, True -*.marowscy.pl*, True -*.marowska.pl*, True -*.marowski.pl*, True -*.marrawudi.net*, True -*.marrfamily.ca*, True -*.marriancho.com*, True -*.marroquin.io*, True -*.marruni.eu*, True -*.marruni.pl*, True -*.marry-me.co.il*, True -*.marsayequipment.co.za*, True -*.marsbar.org.uk*, True -*.marseliglove.tk*, True -*.marsella.com.ar*, True -*.marsellos.eu*, True -*.marshwiggle.net*, True -*.marsil2008.com*, True -*.marsipanfigur.eu*, True -*.marslett.us*, True -*.marsraver.com*, True -*.marstallers.de*, True -*.marstech.ro*, True -*.martacecilia.com.ar*, True -*.marteinn.is*, True -*.martha08.com*, True -*.marthaspizza2.com*, True -*.marthawhiting.com*, True -*.martiago.com*, True -*.martidea.com*, True -*.martidea.hk*, True -*.martignonimaringa.com.br*, True -*.martinabazan.com.ar*, True -*.martinagorova.es*, True -*.martinallosa.com.ar*, True -*.martinasteiner.ch*, True -*.martinbarreiro.es*, True -*.martinbercovici.org*, True -*.martinberger.com.ar*, True -*.martinbest.com*, True -*.martinbn.info*, True -*.martinbn.net*, True -*.martinbraessas.com.ar*, True -*.martindavies.id.au*, True -*.martindb.com.ar*, True -*.martindiz.com.ar*, True -*.martindonnelly.com.au*, True -*.martinelli.com.au*, True -*.martinelli.net.au*, True -*.martinellisa.ch*, True -*.martinescu.com*, True -*.martinezcontabilidade.com.br*, True -*.martinezluis.com.ar*, True -*.martinez-perez.es*, True -*.martinfrancismedia.com*, True -*.martingilhooly.co.uk*, True -*.martin-humphries.com*, True -*.martin-humphries.co.za*, True -*.martinhumphries.co.za*, True -*.martinibh.com.br*, True -*.martinlucesole.com.ar*, True -*.martinluder.ch*, True -*.martinlys.com*, True -*.martinmock.com*, True -*.martinmuerza.com.ar*, True -*.martinochoa.com.ar*, True -*.martinovic.com.ar*, True -*.martinpascal.cl*, True -*.martinreyabogados.es*, True -*.martinseneves.com*, True -*.martinsineves.com*, True -*.martinsmarcelo.com*, True -*.martinspears.com*, True -*.martinstransporte.ch*, True -*.martintobing.com*, True -*.martintobing.web.id*, True -*.martinturnes.com.ar*, True -*.martinusadyh.web.id*, True -*.martinusso.com*, True -*.martin.web.id*, True -*.martyfordexperience.com*, True -*.martyluther.com*, True -*.martymurphy.com*, True -*.martymurphy.info*, True -*.martynbaker.co.uk*, True -*.martyria.com.br*, True -*.maruntiel.com*, True -*.marushinasia.com.my*, True -*.marusys.tk*, True -*.marvel-ideas.tk*, True -*.marvel.se*, True -*.marvels.tk*, True -*.marverde.cl*, True -*.marvex.tk*, True -*.marvhowell.com*, True -*.marvinonline.tk*, True -*.marychriswedding.com*, True -*.maryfloo.cl*, True -*.maryjane.tk*, True -*.maryjoepr.com*, True -*.maryjoepr.es*, True -*.marylandbass.com*, True -*.maryshagen.com*, True -*.marytheweaver.com.au*, True -*.marzanesteanu.info*, True -*.marzenaarciszewska.pl*, True -*.marzzzradio.info*, True -*.masactivos.com*, True -*.masadatech.com*, True -*.mas-adit.com*, True -*.masagas.es*, True -*.masajessanmiguel.com.ar*, True -*.mas-ali.com*, True -*.masalikussholihin.org*, True -*.masami.net*, True -*.masami.tk*, True -*.mas-angga.tk*, True -*.masanu.asia*, True -*.masau.com.ar*, True -*.masbagol.cf*, True -*.masbagus.web.id*, True -*.masbaloncesto.com*, True -*.masbo.com*, True -*.masboy.us*, True -*.masbro.eu*, True -*.mascables.com*, True -*.mascarenhas.inf.br*, True -*.maschenfunk.de*, True -*.mascialino.com.ar*, True -*.mascot.ga*, True -*.masdeporte.info*, True -*.masdil.tk*, True -*.masduje.cf*, True -*.masemamesin.com*, True -*.mas-endie.me*, True -*.masfebrie.com*, True -*.mashaldaran.com*, True -*.mashen.biz*, True -*.mashrafmuttonshop.com.pk*, True -*.mashtorgrb.ru*, True -*.mashunchik.ru*, True -*.mashyk.ru*, True -*.masigor.tk*, True -*.masihingusan.ml*, True -*.masih.pw*, True -*.masiniblog.ro*, True -*.masinute-electrice-copii.ro*, True -*.masiukiewicz.pl*, True -*.masjidalamin.or.id*, True -*.masjidalqalam.info*, True -*.masjidilaqso.com*, True -*.masjidku.info*, True -*.masjidku.org*, True -*.masjidku.tv*, True -*.masjikun.info*, True -*.maskatiya.com*, True -*.maskbuy.com*, True -*.masksnleather.ml*, True -*.masktmt.gq*, True -*.maskurniawan.my.id*, True -*.maslakova.com*, True -*.masli.net*, True -*.maslov.co*, True -*.masmedulatango.com.ar*, True -*.masnafood.com*, True -*.masnou.ws*, True -*.masnugie.com*, True -*.mason.cl*, True -*.masoneria-argentina.com.ar*, True -*.masoneriaargentina.org.ar*, True -*.masoneria.com.ar*, True -*.masoneriaenmendoza.com.ar*, True -*.masoneriamendoza.com.ar*, True -*.masoneria.org.ar*, True -*.masoneriatucuman.com.ar*, True -*.masones.com.ar*, True -*.masonican.com*, True -*.masonic-lodge.ca*, True -*.masonrycontractors.org.au*, True -*.masonsmill.co.za*, True -*.masplene.com*, True -*.masqu3rade.com*, True -*.masquemusica.com.ar*, True -*.masrani.in*, True -*.masrehabilita.cl*, True -*.masrudy.web.id*, True -*.massacre.web.id*, True -*.massage-by-markus.ch*, True -*.massage-milani.ch*, True -*.massagestones.co.za*, True -*.massagetherapy.ie*, True -*.massaka.tv*, True -*.massalin.com*, True -*.massalin.com.ar*, True -*.massanes.cl*, True -*.massclass.ru*, True -*.masscpps.us*, True -*.masseguros.com.ar*, True -*.masselink.cc*, True -*.mas-sena.pl*, True -*.massersal.com*, True -*.masservicios-web.com.ar*, True -*.massey-green.com*, True -*.massivebud.com*, True -*.massiveweed.com*, True -*.massloading.net*, True -*.massplastic.com*, True -*.massproductions.co.uk*, True -*.massugi.com*, True -*.mastah.co*, True -*.mastakey.net*, True -*.ma-startup.ru*, True -*.mastarun.com*, True -*.mastbarns.com*, True -*.masteinhauser.com*, True -*.master-53.ru*, True -*.masterady1986.biz*, True -*.masteraffairs.ro*, True -*.masteranime.com*, True -*.masterauto.ro*, True -*.masterbusinessmela.in*, True -*.mastercam-russia.ru*, True -*.mastercapsa.com*, True -*.masterchef.com.ar*, True -*.master-cleaning-service.com*, True -*.mastercleanseworks.org*, True -*.masterdatagt.it*, True -*.masterdi.com.ar*, True -*.master-dinding.com*, True -*.master.dj*, True -*.masterego.cf*, True -*.masterego.net*, True -*.masterenmasters.com*, True -*.masterexploder.com*, True -*.masterfamily.us*, True -*.masterfenster.ru*, True -*.masterfishshop.ru*, True -*.masterfleet.com.mx*, True -*.mastergolfasia.com*, True -*.mastergolf.hk*, True -*.mastergolf.info*, True -*.mastergolf.org*, True -*.mastergolfpro.com*, True -*.mastergolftan.com*, True -*.mastergolfworld.com*, True -*.mastergolfworld.hk*, True -*.masterimage.tk*, True -*.masteringsolution.ro*, True -*.masterjacky2014.ga*, True -*.masterjimberry.com*, True -*.masterjsm.com*, True -*.masterjulian.info*, True -*.mastermage.com*, True -*.mastermagic.co.za*, True -*.mastermineria.cl*, True -*.mastermnb.tk*, True -*.master.net.id*, True -*.master-news.com*, True -*.masterofreview.com*, True -*.masterpancake.com*, True -*.masterpolloexpress.mx*, True -*.masterpulsa.net*, True -*.masterserver.us*, True -*.masterservice.tk*, True -*.mastersofspace.com*, True -*.mastersonux.com*, True -*.mastertonux.ca*, True -*.mastertonux.com*, True -*.mastertour.co.id*, True -*.masterwap.pw*, True -*.masterwire.co.uk*, True -*.masterwood.ro*, True -*.masteryoda.tk*, True -*.mastminibarns.com*, True -*.mastrix.co.za*, True -*.mastrubasi.info*, True -*.mas-uda.com*, True -*.masuratoripram.ro*, True -*.masver.me*, True -*.masvideotutoriales.com.ar*, True -*.maswaper.com*, True -*.maswebsites.com*, True -*.maswi.cl*, True -*.matafuegosclasea.com.ar*, True -*.matafuegosgeorgia.com.ar*, True -*.matahari-indonesia.co.id*, True -*.mataharipagi.com*, True -*.mataheko.com*, True -*.mataka.com*, True -*.mataka.org*, True -*.matalino.web.id*, True -*.matamassa.org*, True -*.matana.com.ar*, True -*.matanga.com.ar*, True -*.matarrosabierzo.com*, True -*.mataylorfamily.net*, True -*.mataylorfamily.org*, True -*.matbello.cl*, True -*.matbroit.co.uk*, True -*.match2000.com*, True -*.match852.com*, True -*.matchbyskills.com*, True -*.mat-chem.co.za*, True -*.matchmypain.com*, True -*.matchreporter.net*, True -*.matconcorporation.com*, True -*.matcontrading.com*, True -*.mateando.com*, True -*.mateando.com.ar*, True -*.matelectricos.com*, True -*.mat-electricos.com.ar*, True -*.matelicanerazzurra.it*, True -*.matel-technik.ch*, True -*.matemakita.com*, True -*.matemakita.net*, True -*.matemarote.com.ar*, True -*.matematikamatematika.com*, True -*.matematika.us*, True -*.matenaers.com*, True -*.mateorodriguez.com.ar*, True -*.matepublica.com.ar*, True -*.materiaissistema.com.br*, True -*.materi.al*, True -*.materialereciclabile.ro*, True -*.materialeselectricosa.com*, True -*.materialeselectricos.org*, True -*.materialeselectricossa.com*, True -*.materialgrounding.com*, True -*.materiaro.com*, True -*.materiasistemas.com.ar*, True -*.materiauxdepotmc.ca*, True -*.materi-sma.com*, True -*.maternidadytrabajo.cl*, True -*.matertenebrarum.org*, True -*.mateslab.com.ar*, True -*.mateusmail.tk*, True -*.mateusz.info*, True -*.matevideos.com*, True -*.math-cloud.us*, True -*.mathcrackers.com*, True -*.mathebau.de*, True -*.mathematrader.com*, True -*.matherlee.com*, True -*.matheusfernandes.net*, True -*.matheusmarquezini.com*, True -*.matheusmarquezini.com.br*, True -*.matheus.ml*, True -*.matheusmonteiro.me*, True -*.mathewbergen.ca*, True -*.mathew.com.mx*, True -*.mathewparkin.com*, True -*.mathez-sarl.ch*, True -*.mathfillsmewithgreatjoy.com*, True -*.mathgenius0.com*, True -*.mathiasgaming.info*, True -*.mathicabenefits.ca*, True -*.mathieu-bernard.com*, True -*.mathisgeosciences.com*, True -*.mathomoengineering.co.za*, True -*.maths-help.ru*, True -*.mathshub.com.au*, True -*.mathstation.org*, True -*.mathtothescience.com*, True -*.mathtrainingcenter.com*, True -*.math.web.id*, True -*.mathworld.us*, True -*.mathzone.web.id*, True -*.matiasamelo.com.ar*, True -*.matiasblasi.com.ar*, True -*.matiasbrown.com.ar*, True -*.matiaschiodi.com.ar*, True -*.matiasgarciahuidobro.cl*, True -*.matiasgiunta.com.ar*, True -*.matiasjofre.cl*, True -*.matiaslaquidara.com.ar*, True -*.matiergrise.com*, True -*.matija.biz*, True -*.matik.us*, True -*.matikyan.am*, True -*.matildinha.net*, True -*.matir.pt*, True -*.matisul.pt*, True -*.matke.si*, True -*.matkomat.com*, True -*.mat-lek.eu*, True -*.matoesian.com*, True -*.matoledo.com.br*, True -*.matoushek.com*, True -*.matratzenreinung-potema.ch*, True -*.matriclick.cl*, True -*.matrinet.com.br*, True -*.matrixcoder.nl*, True -*.matrixdis.info*, True -*.matrixdocuments.com*, True -*.matrixdocuments.info*, True -*.matrixk.com*, True -*.matrixlogistics.com.pk*, True -*.matrix.net.ru*, True -*.matrixnetwork.org*, True -*.matsaonline.com*, True -*.matsberger.com*, True -*.matschulat.com.br*, True -*.matsolcoursesonline.com*, True -*.matsuoka.cl*, True -*.mattador.co.uk*, True -*.mattar.com.ar*, True -*.mattaymattapsc.com*, True -*.mattbell.com.au*, True -*.mattben.info*, True -*.mattbinda.com*, True -*.mattbramanti.com*, True -*.mattbrocklehurst.co.uk*, True -*.matt.cat*, True -*.mattchain.com*, True -*.mattcrandall.com*, True -*.mattdecarlo.com*, True -*.mattdo.es*, True -*.matteden.net*, True -*.mattekure.com*, True -*.matteria.cl*, True -*.mattern.mobi*, True -*.matteustace.co.uk*, True -*.mattfitzgeraldhockey.com*, True -*.mattg.com.ar*, True -*.mattgeneau.com*, True -*.mattgoldman.co.uk*, True -*.mattgoldwasser.com*, True -*.matthauck.com*, True -*.mattheere.com*, True -*.matthewaldous.net*, True -*.matthewandcaroline.com*, True -*.matthewandgunnar.com*, True -*.matthewbielecki.com*, True -*.matthewboevink.com*, True -*.matthewcingram.com*, True -*.matthewfranklin.ca*, True -*.matthewgroberts.co.uk*, True -*.matthewhicks.net*, True -*.matthewjmason.com*, True -*.matthewkitchener.com*, True -*.matthewsimone.tk*, True -*.matthewsloan.info*, True -*.matthewsloan.me*, True -*.matthewsloan.net*, True -*.matthewsloan.org*, True -*.matthewsloan.us*, True -*.matthews.sx*, True -*.matthewswebsite.tk*, True -*.matthewweir.com*, True -*.matthewwillsononline.com*, True -*.matthiasdohm.de*, True -*.matthiaskuenzi.ch*, True -*.matthias.se*, True -*.matthiasvb.com*, True -*.matthieuprojects.com*, True -*.mattie.com*, True -*.mattimeo.com*, True -*.mattinata.com.ar*, True -*.mattison.xyz*, True -*.mattjallo.com*, True -*.mattjrosenberg.com*, True -*.mattkelly.me*, True -*.mattkellyphotography.com*, True -*.mattknight.me*, True -*.mattlou.com*, True -*.mattmaguire.us*, True -*.mattmarshall.net*, True -*.mattmason.org*, True -*.mattmattern.com*, True -*.mattmock.com*, True -*.mattmolo.com*, True -*.mattm.pw*, True -*.matt-naomi.com*, True -*.mattn.me*, True -*.mattn.org*, True -*.mattolaituri.fi*, True -*.mattox.tk*, True -*.mattpye.com*, True -*.mattrans.com.ar*, True -*.mattr.com*, True -*.mattreadhome.tk*, True -*.mattress-carpet-label.co.id*, True -*.mattsamonek.com*, True -*.mattski.net.nz*, True -*.mattsservers.ml*, True -*.mattstoney.com*, True -*.mattstrauser.com*, True -*.mattt.cf*, True -*.mattviss.com*, True -*.mattwhiting.com*, True -*.mattyeazel.net*, True -*.maturball-winterthur.ch*, True -*.matureasssex.com*, True -*.maturefuckingporn.com*, True -*.maturemc.com*, True -*.matureminecraft.com*, True -*.maturemovietube.net*, True -*.matureoldslutsmovie.com*, True -*.maturepantyhosegirl.com*, True -*.maturesexymovie.net*, True -*.maturesexytube.net*, True -*.maturesexyvideo.net*, True -*.maturesubjectmatter.com*, True -*.matuszewski.it*, True -*.matutespicadas.com.ar*, True -*.maty-bs.com*, True -*.matybs.com*, True -*.matyoga.cl*, True -*.maudamai.ga*, True -*.m-audio.ro*, True -*.mau-ee.ga*, True -*.maueki.info*, True -*.m-au.ga*, True -*.maugames.com*, True -*.maugh.com*, True -*.maugiaoso10.com*, True -*.maui.li*, True -*.mauiyoga.ca*, True -*.mauiyoga.org*, True -*.maunatravel.ro*, True -*.maun.cf*, True -*.maungemail.ga*, True -*.maunyakamu.com*, True -*.maupka.nl*, True -*.maureenchris.ch*, True -*.maurete.com*, True -*.mauriceseen.net*, True -*.mauricioblanco.com.ar*, True -*.mauroaltamura.com*, True -*.maurobinda.com*, True -*.maurocampbell.com.ar*, True -*.mauro.ml*, True -*.mauropc.it*, True -*.mauropereira.com.br*, True -*.mauroux-sanitaire.ch*, True -*.maurwind.com*, True -*.mautauaja.net*, True -*.mautobu.com*, True -*.mauyi.com*, True -*.mavachso.com*, True -*.mavenpro.com.my*, True -*.mavenproconsultancy.com.au*, True -*.mavensk.tk*, True -*.maverickgaming.co.uk*, True -*.mavinar.com.tr*, True -*.mavisfok.com*, True -*.mavromatis-estate.gr*, True -*.mavs-travel.ru*, True -*.mavstravel.ru*, True -*.mawarkatering.com*, True -*.maw.ro*, True -*.mawyersmiles.com*, True -*.max302.me*, True -*.maxajen.com*, True -*.maxbleck.tk*, True -*.maxchallenge.se*, True -*.maxchan.info*, True -*.maxchgw.info*, True -*.maxcold.ru*, True -*.max-cole.com*, True -*.maxcolor.co.kr*, True -*.maxcorporation.ro*, True -*.maxdelreal.cl*, True -*.maxd.ru*, True -*.maxdzyubenko.com*, True -*.maxedouttech.com*, True -*.maxenko.com*, True -*.max-equity.com*, True -*.maxergy.co.za*, True -*.maxfiles.org*, True -*.maxh.me.uk*, True -*.maxh.tk*, True -*.maxiclin.pt*, True -*.maxi.gq*, True -*.maxigrafica.com.ar*, True -*.maxilofacialjlf.com.ar*, True -*.maximail.com.br*, True -*.maximas.co.id*, True -*.maximasolucao.com*, True -*.ma-xim.com*, True -*.maximcomms.com.au*, True -*.maximcommunications.com.au*, True -*.maximhost.net*, True -*.maximhost.ro*, True -*.maximilianou.com*, True -*.maximizate.com*, True -*.maximize.md*, True -*.maximopavez.cl*, True -*.maximua.com*, True -*.maximumownage.com*, True -*.maximumsports.tv*, True -*.maximusconsult.ro*, True -*.maxiprodfin.ro*, True -*.maxiscomputers.com*, True -*.maxitrans.com.ar*, True -*.maxiwear.net*, True -*.maxjamerson.com*, True -*.maxkunert.com*, True -*.maxmannino.com*, True -*.maxmedia.co.id*, True -*.maxmelcher.de*, True -*.maxmillerfaria.com.br*, True -*.maxmirelmann.com.ar*, True -*.maxmir.ru*, True -*.maxmorgan.org*, True -*.ma-xox.com*, True -*.maxpowersi.com.ar*, True -*.maxsafrinagency.com*, True -*.maxstoel.nl*, True -*.maxstyle.com.mx*, True -*.maxsyma.com*, True -*.max.to*, True -*.max-tools.tk*, True -*.maxu.fi*, True -*.maxview.com.ar*, True -*.maxwellanderson.com.br*, True -*.maxwell.ir*, True -*.maxwell.se*, True -*.maxwellstampltd.com*, True -*.mayaabtschmuck.ch*, True -*.mayacafe.ro*, True -*.mayak-invest.ru*, True -*.maya-komunikacijaoblik.com*, True -*.mayaministries.com*, True -*.mayaministry.com*, True -*.mayaministry.com.au*, True -*.mayanettoyages.ch*, True -*.mayantara.cf*, True -*.maya.se*, True -*.mayata.ro*, True -*.maybang.net*, True -*.maychu-bmt.net*, True -*.mayday.tw*, True -*.mayerbox.info*, True -*.mayfaironlineholdings.com*, True -*.mayfieldhouse.org.uk*, True -*.mayheart.com*, True -*.mayitalwaysbe.org*, True -*.maynards.net.au*, True -*.mayoristaelprincipe.com.ar*, True -*.mayosportsmarketing.com*, True -*.mayreshotel.ml*, True -*.mayrimport.es*, True -*.mayroptics.am*, True -*.maywehelp.org*, True -*.maywhistles.co.uk*, True -*.maza.info*, True -*.mazaocoop.org*, True -*.mazdacar.org*, True -*.mazdarx7.com*, True -*.mazelacorp.org*, True -*.mazeltoovproducciones.cl*, True -*.mazesurvive.gq*, True -*.mazglen.ml*, True -*.mazicloud.com*, True -*.mazoacoop.org*, True -*.ma-zoo.com*, True -*.maztejoe.com*, True -*.mazuma.cl*, True -*.mazvfx.co.uk*, True -*.mazyaddy.tk*, True -*.mazzafrigo.ch*, True -*.mazzaphotography.com*, True -*.mazzbeng.tk*, True -*.mazz-frio.com.ar*, True -*.mazzfrio.com.ar*, True -*.mazzoni.se*, True -*.mbabarcelona.com*, True -*.mbacademia.cl*, True -*.mbahdonk.com.mx*, True -*.mbahdonk.fm*, True -*.mbahdonkhost.co.uk*, True -*.mbahdonk.me*, True -*.mbahdonk.web.id*, True -*.mbahgarong.web.id*, True -*.mbakerhome.info*, True -*.mbalageti.com*, True -*.mbaonline.cl*, True -*.mbapps.ru*, True -*.mbaudet.cl*, True -*.mba.web.id*, True -*.mbclub.cl*, True -*.mbcraft.com*, True -*.mbd.me.uk*, True -*.mbeckettpt.co.uk*, True -*.mbezulia.com.ve*, True -*.mbfans.info*, True -*.mbg777.com*, True -*.mbicycle.co.il*, True -*.mbi-italia.com*, True -*.mbiselangor.com.my*, True -*.mb-meeting.com*, True -*.mboca.com*, True -*.mbofc.com*, True -*.mbokjem.tk*, True -*.mbo.si*, True -*.mbova.co.za*, True -*.mbow.co.uk*, True -*.mbpc.co.za*, True -*.mbppg.com*, True -*.mbpproveedores.com.ar*, True -*.mbpr.xyz*, True -*.mbr-kemayoran.org*, True -*.mbroadhurst.co.uk*, True -*.mbrosini.ch*, True -*.mbsanalytics.com*, True -*.mb-soft.ch*, True -*.mbsposhk.com*, True -*.mbt66.com*, True -*.mbt77.com*, True -*.mbt84.com*, True -*.mbtoylibrary.org.au*, True -*.mbtrasportisrl.com*, True -*.mbuddy.in*, True -*.mbuf.info*, True -*.m-burns.us*, True -*.mbutel.com.ar*, True -*.mbv-insolv.ro*, True -*.mbwforge.ro*, True -*.mbxs.tk*, True -*.mbyrne.net*, True -*.mc2xml.tk*, True -*.mc3024.com.ve*, True -*.mca-consulting.ro*, True -*.mcaetano.com*, True -*.mcalary.com.au*, True -*.mcallister.xyz*, True -*.mcamedical.net*, True -*.mcanet.com.ar*, True -*.m-carey.co.uk*, True -*.mcarquitectos.cl*, True -*.mcavideocom.ro*, True -*.mcbadger.com*, True -*.mc-bb.com*, True -*.mcbean.ch*, True -*.mcbeautysisters.ch*, True -*.mcbeta.cf*, True -*.mcbhome.org*, True -*.mc-bkc.co.uk*, True -*.mcbl.tk*, True -*.mcbridegolf.com*, True -*.mcbub.com.br*, True -*.mccabe.net.au*, True -*.mccandless.tk*, True -*.mccarthym.com*, True -*.mccbuettenberg.ch*, True -*.mccentre.org.au*, True -*.mcchampion.com*, True -*.mcchesney.me*, True -*.mccky.net*, True -*.mcclaw.me*, True -*.mcclimans.net*, True -*.mcclimont.id.au*, True -*.mcclub.cf*, True -*.mccoy.tv*, True -*.mccqld.com*, True -*.mccraney-and-associates.info*, True -*.mccraney.info*, True -*.mccreadys.net*, True -*.mccunefamily.com*, True -*.mc-dentaplus.ru*, True -*.mcdermot.id.au*, True -*.mcdesignsinc.net*, True -*.mcdonaghnet.com*, True -*.mcdonalddouglas.co.za*, True -*.mcdonnell.id.au*, True -*.mcdowellnet.com*, True -*.mc-electronica.com.ar*, True -*.mcemerald.ro*, True -*.mcemotors.com*, True -*.mcetziken.ch*, True -*.mcewan.info*, True -*.mcewans.info*, True -*.mcfamily.me*, True -*.mcfino.com*, True -*.mcfly.mx*, True -*.mcgamecraft.com*, True -*.mcgamesfr.tk*, True -*.mcgame.tk*, True -*.mcgedlefsen.com*, True -*.mcgehean.com*, True -*.mcgentry.com*, True -*.mcgregormedicalclinic.com*, True -*.mcgwynne.com*, True -*.mcharen.com*, True -*.mchdev.com*, True -*.mchini.com*, True -*.mchk.tk*, True -*.mchugh-family.org*, True -*.mcin.ro*, True -*.mcintyre-online.com*, True -*.mcjordan.com.br*, True -*.mckeeclan.net*, True -*.mckeesmills.ca*, True -*.mckellip.me*, True -*.mckennas.me*, True -*.mckenziemds.com*, True -*.mckibbenfamilyphotos.com*, True -*.mckinneyhomeserver.net*, True -*.mckinnonfamily.ca*, True -*.mckinziechelberg.com*, True -*.mclean.bz*, True -*.mcleanridgehoa.com*, True -*.mclermont.com*, True -*.mclife.info*, True -*.mc-lightningservers.cf*, True -*.mcloud.com.my*, True -*.mclure.tk*, True -*.mcm55.com*, True -*.mcmasesores.com*, True -*.mcm-host.com*, True -*.mcmillanandwife.com*, True -*.mcmmo.ru*, True -*.mcmullintribe.com*, True -*.mcmulti.com*, True -*.mcn28.com*, True -*.mcn49.com*, True -*.mcn73.com*, True -*.mcn83.com*, True -*.mcn85.com*, True -*.mcn92.com*, True -*.mcn94.com*, True -*.mcnamee.com.au*, True -*.mcnaughtonca.ca*, True -*.mcneillderm.com*, True -*.mcneillfamily.org*, True -*.mcnertz.net*, True -*.mcnett.net*, True -*.mcnetworkcloud.com*, True -*.mcnetworkcloud.net*, True -*.mcnijesanorth.ga*, True -*.mcnolan.ca*, True -*.mcns.cf*, True -*.mcnuggy.com*, True -*.mcoabogados.com.ar*, True -*.mcommerz.com.au*, True -*.mconsultores.cl*, True -*.mcontour.com*, True -*.mcot.tw*, True -*.mcpavocati.ro*, True -*.mcpe-pugcraft1.tk*, True -*.mcpe-pugcraft.tk*, True -*.mcperealms.tk*, True -*.mcphersonarc.com*, True -*.mcpixeldragon.com*, True -*.mcplaksin.org*, True -*.mcprint.ro*, True -*.mcqking.com*, True -*.mcquilkan.com*, True -*.mcrbt.org*, True -*.mcrenox.com*, True -*.mcrisorgive.it*, True -*.mcrobot24.ch*, True -*.mcruins.tk*, True -*.mcruz.cl*, True -*.mcruz.info*, True -*.mc-saban.com*, True -*.mcs.com.ve*, True -*.mcse2000trainer.com*, True -*.mcserveradmin.net*, True -*.mcsh.pl*, True -*.mcslab.co.za*, True -*.mcs-mycomputerservices.com*, True -*.mcsns.net*, True -*.mcsoft.org*, True -*.mcstudio.hk*, True -*.mcsummerfest.org*, True -*.mctecnica.com.ar*, True -*.mcuelectronica.com.ar*, True -*.mcv76.com*, True -*.mcv82.com*, True -*.mcv86.com*, True -*.mcv94.com*, True -*.mcvaynet.com*, True -*.mcvrides.com*, True -*.mcwhive.com*, True -*.mcwmetrobus.org.uk*, True -*.mcworld.com.au*, True -*.mcwrite.net*, True -*.mcyu.net*, True -*.mczombiecity.tk*, True -*.md0.ro*, True -*.md1rbc.org*, True -*.mda66.com*, True -*.mda77.com*, True -*.mda87.com*, True -*.mdacloud.com*, True -*.mdacomputer.com*, True -*.mdacomputers.com*, True -*.mdami.co*, True -*.mdanieltays.com*, True -*.mdatelecom.com.br*, True -*.mdbiotechinc.com*, True -*.mdbranco.net*, True -*.md-cc.org*, True -*.mdc.co.za*, True -*.mdclark.com*, True -*.mdcomputers.com*, True -*.mdcstore.com.ar*, True -*.mdc-web.co.uk*, True -*.mdda.org.my*, True -*.mddesignerkidz.com.au*, True -*.mddk.com.au*, True -*.mdfvvxq.tk*, True -*.mdhashem.com*, True -*.mdhhc.org*, True -*.mdhillman.net*, True -*.mdhome.info*, True -*.mdh.to*, True -*.mdickinson.ca*, True -*.mdingman.com*, True -*.mdisolutions.com.ar*, True -*.mdkelaninvest.ro*, True -*.mdki.pl*, True -*.mdlab.ru*, True -*.mdlabs.ru*, True -*.mdlm-pc.com*, True -*.mdma.in*, True -*.mdmsystems.ro*, True -*.mdosti.tk*, True -*.mdp38.com*, True -*.mdpaints.co.za*, True -*.mdpb.co.kr*, True -*.mdpromotional.co.uk*, True -*.mdq.com.ar*, True -*.mds-bruehl.de*, True -*.mds.com.tr*, True -*.mdscsi.com*, True -*.mds.ir*, True -*.mdsmith.info*, True -*.mdsnapshots.com*, True -*.md-ss.com*, True -*.mdtays.com*, True -*.mdtco.cl*, True -*.mdtiket.com*, True -*.mdtmotors.ro*, True -*.mdubey.com*, True -*.mdubey.net*, True -*.mdubey.org*, True -*.mdxe.com*, True -*.mdxx.ru*, True -*.me680.com*, True -*.me7974.com*, True -*.meacorde.com.ar*, True -*.meadcrown.cf*, True -*.meadowglade.com*, True -*.meadowglade.org*, True -*.meahogocine.com.ar*, True -*.mea-i.org*, True -*.mealheiro.com*, True -*.meal.ml*, True -*.meal-plan.co.uk*, True -*.mealsonwheels-rc.org*, True -*.meanmotorsport.com*, True -*.meanmotorsports.com*, True -*.meanracing.com*, True -*.meanstreak.net*, True -*.mearea.com*, True -*.measey.com*, True -*.meatbytes.com*, True -*.meatgazers.com*, True -*.meat.hk*, True -*.meatspace.net*, True -*.meatstd.ru*, True -*.meatworks.org*, True -*.mebatec.ch*, True -*.mebel4life.ru*, True -*.mebelson-market.ru*, True -*.mebelson.ru*, True -*.mebimabo.ch*, True -*.meblemardom.pl*, True -*.mebold.ch*, True -*.mecahacker.com.br*, True -*.mecanicavirtual.com.ar*, True -*.mecanse.com.ar*, True -*.mecasax.ch*, True -*.mecatech.cat*, True -*.mecatis.com*, True -*.mecatronica-udo.org*, True -*.mec-construtora.com.br*, True -*.mecctro.com*, True -*.mec-engenharia.eng.br*, True -*.mechanicalbear.ru*, True -*.mechanical-soul.com*, True -*.mechanic-posad.ru*, True -*.mechanicsofbusiness.com*, True -*.mechatron.gr*, True -*.mechatronics.maori.nz*, True -*.mechdrive.com.my*, True -*.mechenv.gr*, True -*.mechicalviello.com.ar*, True -*.mechi.tw*, True -*.mechtronics.net*, True -*.meciuri-live-hd.info*, True -*.meckz.net*, True -*.mecon.ro*, True -*.mecspa.cl*, True -*.mecu.ro*, True -*.medaconsult.ro*, True -*.medalie.ro*, True -*.medalistmarketing.com*, True -*.medan.ga*, True -*.medan.me*, True -*.medan.ml*, True -*.medan.tk*, True -*.medan.us*, True -*.medan.xyz*, True -*.medan.zone*, True -*.medarmpros.net*, True -*.medarovic.com*, True -*.medaviacion.com*, True -*.medaviacion.com.ar*, True -*.medbarca.ru*, True -*.medbill.com.au*, True -*.medbury.com*, True -*.medcc.ru*, True -*.medcomclinic.ru*, True -*.medcrm.eu*, True -*.meddeladem.nu*, True -*.meddeladem.se*, True -*.med-edu.ru*, True -*.meden-market.eu*, True -*.medenow.com*, True -*.medesys.ro*, True -*.medforme.ru*, True -*.medhapatkar.info*, True -*.medhous.com*, True -*.media4life.nl*, True -*.media54.com*, True -*.media8indonesia.com*, True -*.mediabelajaronline.web.id*, True -*.mediabox.co*, True -*.mediaboxlab.com*, True -*.mediaburst.pt*, True -*.mediacentre.net.au*, True -*.mediachannelco.hk*, True -*.mediacomputerjombang.com*, True -*.mediacomputer.org*, True -*.mediaconversionbelfast.com*, True -*.mediadesigner.com.ar*, True -*.mediaeco.es*, True -*.mediafilmcenter.ro*, True -*.media-future.eu*, True -*.mediagames.com.ar*, True -*.mediageniuses.com*, True -*.mediageniuses.net*, True -*.mediaglobalradio.com*, True -*.mediagrafix.com.au*, True -*.mediainsider.asia*, True -*.medialand.net*, True -*.medialogistics.ro*, True -*.medialoverz.com*, True -*.mediamensen.be*, True -*.media-mueller.ch*, True -*.media-net.eu*, True -*.mediaonline.my*, True -*.mediapers.com*, True -*.media-phile.com*, True -*.mediaplan.md*, True -*.mediarank.ro*, True -*.mediar.co*, True -*.mediaserver.cf*, True -*.mediaset.co.kr*, True -*.mediaset.us*, True -*.mediasit.ro*, True -*.mediasklad.com*, True -*.mediasmoothiestudios.com*, True -*.mediastin.net*, True -*.mediasudtv.ro*, True -*.mediatech.cn*, True -*.mediation-in-freiburg.ch*, True -*.mediation-sauter.ch*, True -*.mediatomobile.com*, True -*.mediatorbihor.ro*, True -*.mediatordianaelenadragomir.ro*, True -*.mediator-sv.ro*, True -*.mediatradesoftware.com.mx*, True -*.mediatradesoftware.mx*, True -*.mediatriumph.com*, True -*.mediatutorial.web.id*, True -*.mediaunduh.net*, True -*.mediaunikey.web.id*, True -*.mediavend.com*, True -*.mediavision.co.il*, True -*.mediawidz.com*, True -*.mediawing.de*, True -*.medicagohapmap.org*, True -*.medicalboardwiki.com*, True -*.medical-electives.com*, True -*.medicalhealthsolutions.net*, True -*.medicalhempcure.com*, True -*.medicalhempcure.nl*, True -*.medicaliservice.com*, True -*.medicalls.eu*, True -*.medicalmanes.com*, True -*.medicalpassdentalclinic.com*, True -*.medicalphysics.ro*, True -*.medicalshop.co.id*, True -*.medical-shop.gr*, True -*.medicalvet.co.il*, True -*.medicanoresteion.com.mx*, True -*.medicenfranito.com.ar*, True -*.medic.hk*, True -*.medicinadealtura.cl*, True -*.medicinafamiliar.com.ar*, True -*.medicin.al*, True -*.medicinaparaelalma.com.ar*, True -*.medicinejardesign.com*, True -*.medicirezidentigermania.ro*, True -*.medicom42.ru*, True -*.medicomp.fi*, True -*.medicosdered.com*, True -*.medicosencasa.cl*, True -*.medi-cost.org*, True -*.medicost.org*, True -*.medicris.ro*, True -*.medicstar.co.uk*, True -*.mediere-oradea.ro*, True -*.medievalcombat.net*, True -*.medievo.com.br*, True -*.medifest.ch*, True -*.medifonds.ch*, True -*.medigab.com.ve*, True -*.medigestao.com.br*, True -*.medikardi.com.tr*, True -*.medikopter.tk*, True -*.medina.com.br*, True -*.medinamanor.com*, True -*.medinasim.net*, True -*.medinasim.org*, True -*.medinexus.co.uk*, True -*.medioambiente.tk*, True -*.medio.info*, True -*.mediosmodernos.com*, True -*.mediosycomunicacion.com.ar*, True -*.medipath.com*, True -*.mediplanning.co.kr*, True -*.medipro.ro*, True -*.mediprowaste.com*, True -*.mediqconsultoriomedico.com.ve*, True -*.mediqsolucionesmedicas.com.ve*, True -*.medirs.com*, True -*.meditacionjudia.com*, True -*.meditacionkosher.com*, True -*.mediteck.com*, True -*.mediwait.com*, True -*.mediwietcure.nl*, True -*.mediyth.com*, True -*.mediyth.net*, True -*.medizinphysikexperte.at*, True -*.medlex.com.ar*, True -*.medolagosa.ch*, True -*.medplacepharmacy.com*, True -*.medquest.pk*, True -*.medra.si*, True -*.med-registratura.net*, True -*.medroid.in*, True -*.medsafe-indonesia.com*, True -*.meds.net.au*, True -*.medsol.ro*, True -*.medtech-cloud.com*, True -*.m-edukasi.web.id*, True -*.medveja-benko-apartmani.com*, True -*.medvida.cl*, True -*.medwedewa.cf*, True -*.medwedewa.ml*, True -*.medwedewa.tk*, True -*.medworthy.co.uk*, True -*.medyakartal.org*, True -*.medz.ninja*, True -*.meecrob.us*, True -*.meedns.com*, True -*.meegancoleman.com*, True -*.meegdes.info*, True -*.meegdes.org*, True -*.meekerchiropractic.com*, True -*.meekerchiropractic.info*, True -*.meekerchiropractic.net*, True -*.meekerchiropractic.org*, True -*.meeko.me.uk*, True -*.me-elecmetal.com.ar*, True -*.meeluray.ir*, True -*.meepgirls.com*, True -*.meepmeep.info*, True -*.meeps.us*, True -*.meeract.com*, True -*.meerarathod.com*, True -*.meerlindev.tk*, True -*.meersman.org*, True -*.meest24.pl*, True -*.meestarancagando.com*, True -*.meetchinaworldtrade.com*, True -*.meetdaniel.com*, True -*.meet-engineering.com*, True -*.meetingface.net*, True -*.meetmarket.co.za*, True -*.meetyoursweetie.com*, True -*.mefhigoseth.com.ar*, True -*.mefri.de*, True -*.megaalianca.com*, True -*.mega-antenne.ch*, True -*.megaantenne.ch*, True -*.megaawesome.com*, True -*.megabar.net*, True -*.megabitbox.net*, True -*.mega-bit.me*, True -*.megabits.ca*, True -*.megabs.hk*, True -*.megacapsa.com*, True -*.megacomponentes.com.br*, True -*.megaconetworks.co.id*, True -*.megaconstructor.ru*, True -*.megaconsultancy.com.au*, True -*.megacorpwars.com*, True -*.megacraft.mx*, True -*.megacyber7.tk*, True -*.megadiarista.com.br*, True -*.megadiscounts.ro*, True -*.megadjservice.nl*, True -*.megaelectric.cl*, True -*.megaexpansao.com*, True -*.megafilm.se*, True -*.megafon.ms*, True -*.megafors.ru*, True -*.megafuckyou.com*, True -*.megagama.ru*, True -*.megagames.xyz*, True -*.megagolf.be*, True -*.megagolf.nl*, True -*.megahbeauty.com*, True -*.megahost.it*, True -*.megahosts.it*, True -*.megaindo.tk*, True -*.megaingenieria.cl*, True -*.megaingenieria.com*, True -*.megajoule.fi*, True -*.megajournal.com*, True -*.mega-labs.com.ar*, True -*.megalabs.eu*, True -*.megaleecher.ml*, True -*.mega-link.cl*, True -*.megalogic-local.com.ar*, True -*.megalomartyr.com*, True -*.megamagnat.ru*, True -*.megamarket.si*, True -*.megame.jp*, True -*.megamor.com.br*, True -*.megamovs.com*, True -*.meganet.md*, True -*.meganoconnor.org*, True -*.megaokazii.ro*, True -*.megaphat.info*, True -*.megapower32.com*, True -*.megaputra.co.id*, True -*.mega-seguridad.com.ar*, True -*.megaskipbinsadelaide.com.au*, True -*.megasorb.org*, True -*.megasound.ro*, True -*.megasports.ro*, True -*.megasquirt.com.ve*, True -*.megastararena.com.my*, True -*.megastararena.my*, True -*.megastarena.com.my*, True -*.megastarena.my*, True -*.megastarr.com*, True -*.megastor.ru*, True -*.megastrojspb.ru*, True -*.megatamaprima.com*, True -*.megatele.ru*, True -*.megatomshow.com*, True -*.mega-top.eu*, True -*.megatron.in*, True -*.megatsitedel.ru*, True -*.megatunix.com*, True -*.megatux.com.ve*, True -*.megawarnalestari.com*, True -*.megeve-nannies.com*, True -*.meglic.com*, True -*.meglinofamily.com*, True -*.megproject.com*, True -*.meguronosanma.com*, True -*.mehe.co.za*, True -*.mehendale.in*, True -*.mehmetemek.com.tr*, True -*.mehmeteminbarsbey.com*, True -*.mehmetemretiryaki.com*, True -*.mehmetuysal.com.tr*, True -*.mehndiproducciones.com.ar*, True -*.meh.or.id*, True -*.mehradokht.ir*, True -*.mehrandishan.com*, True -*.mehrcargo.com*, True -*.mehrdeveloper.com*, True -*.mehrdeveloper.ir*, True -*.mehring.ch*, True -*.mehtasoftware.com*, True -*.mehtaz.in*, True -*.meidiani.com*, True -*.meidongliuxue.com*, True -*.meidow.hu*, True -*.meier-frei.ch*, True -*.meier.li*, True -*.meiermadness.com*, True -*.meierzimmerei.ch*, True -*.meifashionshop.com*, True -*.meigenmann.ch*, True -*.meigztechs.com*, True -*.meiluminacion.com.ar*, True -*.meincasino-bern.ch*, True -*.meincasinobern.ch*, True -*.meincasino.ch*, True -*.meindustrial.com.ar*, True -*.meinekraft.tk*, True -*.meinershome.com*, True -*.meinershost.com*, True -*.meingrandcasino-bern.ch*, True -*.meingrandcasinobern.ch*, True -*.meingrandcasino.ch*, True -*.meinkinderbild.com*, True -*.meinkinderbild.info*, True -*.meinkino.tk*, True -*.meinland.su*, True -*.meintjes.net*, True -*.meinverdienst.info*, True -*.meiseshipin.com*, True -*.meishi-do.com*, True -*.meistervarma.com*, True -*.meitouch.com*, True -*.meiway.ca*, True -*.mejoratuimagen.es*, True -*.mejoratuvision.cl*, True -*.mekakushi.tk*, True -*.mekiaskitchen.com*, True -*.mekongdiscovery.com*, True -*.mekorhabracha.com*, True -*.mekorhabracha.org*, True -*.mektroid.net*, True -*.melaffy.com*, True -*.melakaboy.com*, True -*.melandbri.net*, True -*.melaniebest.com*, True -*.melanietregenza.com*, True -*.melanietregenza.co.uk*, True -*.melanietregenza.net*, True -*.melanieyates.co.uk*, True -*.melanobit.com*, True -*.melanowicz.com*, True -*.melany.gr*, True -*.melbourneautoelectrician.com*, True -*.melbourneballoons.com*, True -*.melbournecement.com.au*, True -*.melbournefurniturestore.com.au*, True -*.melbournerail.net*, True -*.melbournewireless.net*, True -*.melbvans.com.br*, True -*.melcon.info*, True -*.melcorinc.com*, True -*.melda.com.au*, True -*.melectric.cl*, True -*.melendro.es*, True -*.melf.ch*, True -*.melfield.net*, True -*.melighting.com.ar*, True -*.melihaltin.com.tr*, True -*.me-likers.net*, True -*.melimou.com*, True -*.melindro.org*, True -*.melinzkim.com.au*, True -*.meliodex.com*, True -*.melisafernandez.com.ar*, True -*.melissa.cl*, True -*.melissahumble.com*, True -*.melissarainer.com*, True -*.melissatoh.com*, True -*.melivelocal.com*, True -*.melkouwen.be*, True -*.melliferahunt.co.za*, True -*.mellihost.ir*, True -*.mellihost.net*, True -*.mellinofamily.com*, True -*.mellyart.com*, True -*.melodee.co.uk*, True -*.melodeus.ro*, True -*.melodia.to*, True -*.melodi-nail.com*, True -*.melodiouspiano.com*, True -*.melodychile.cl*, True -*.melody.cl*, True -*.melodygroup.cl*, True -*.melody.so*, True -*.melodytowers.com*, True -*.melonconsulting.co.za*, True -*.meloupi.com*, True -*.melovelos.com*, True -*.melraidin.com*, True -*.meltdownsoft.com*, True -*.meltdownsoft.ru*, True -*.melthamwildliferescue.com*, True -*.melum.co*, True -*.melu.si*, True -*.melven.net*, True -*.melvillandmoon.ca*, True -*.melvinlusk.com*, True -*.memag-ag.ch*, True -*.memarica.ir*, True -*.membangunwebsite.com*, True -*.member-areas.info*, True -*.member.hacdc.org*, True -*.member.ninja*, True -*.memberpro.ga*, True -*.membership.ga*, True -*.membership.hk*, True -*.membersme.com*, True -*.membrino.net*, True -*.membuat.web.id*, True -*.memcmp.com*, True -*.meme-comic.ga*, True -*.memekz.ml*, True -*.memeletrica.com*, True -*.memeorigins.com*, True -*.memery.org*, True -*.memexi.com*, True -*.memeyou.net*, True -*.memiki.com*, True -*.mem-it.com*, True -*.mem-it.ro*, True -*.meml.net*, True -*.memnetworks.com*, True -*.memno.ch*, True -*.memomp3.com*, True -*.memorama.ru*, True -*.memoreks.co.uk*, True -*.memoriadepez.cl*, True -*.memorialfunerare.ro*, True -*.memorialuldeportarii.ro*, True -*.memoriapichilemina.cl*, True -*.memoriessa.co.za*, True -*.memoright.tk*, True -*.memorybit.co*, True -*.memoryguide.org*, True -*.memoryofgod.com*, True -*.memoryproject.info*, True -*.memory-up.com*, True -*.memotron.tk*, True -*.memphissoftware.com*, True -*.memyselfandi.co.za*, True -*.menage.co.za*, True -*.mendenhall.co*, True -*.mendesavelar.com.br*, True -*.mendonca.xyz*, True -*.mendozaesqui.com*, True -*.mendozaski.com.ar*, True -*.mendozasky.com*, True -*.mendozatur.com.ar*, True -*.mendung.us*, True -*.meneguci.com*, True -*.menesianosculipran.cl*, True -*.mengenteiler.com*, True -*.menggoda.fi*, True -*.menglq.com*, True -*.mengqianhonglou.tk*, True -*.meng-unduhmusic.com*, True -*.menichini.com.ar*, True -*.meningrey.net*, True -*.meningslos.info*, True -*.meninos.ch*, True -*.menintrunks.com*, True -*.menje-cah.tk*, True -*.menje.ga*, True -*.menje.tk*, True -*.menjonru.cf*, True -*.menjonru.ga*, True -*.menjonru.ml*, True -*.menjonru.tk*, True -*.menkingen.org*, True -*.menombomb.com*, True -*.menonsinwaxhaw.com*, True -*.menoracenter.org*, True -*.menora.fm*, True -*.menorahscrazyblog.com*, True -*.menora.info*, True -*.menorainternational.org*, True -*.menoraisrael.org*, True -*.menorashanghai.org*, True -*.menora.tv*, True -*.menpera.go.id*, True -*.mensajesestudiantiles.cl*, True -*.mensajesrecibidos.com.ar*, True -*.mensdaywednesday.com*, True -*.mensexpofortwayne.com*, True -*.menshikingshoes.info*, True -*.mensore.com.br*, True -*.mentalroots.com*, True -*.mentalsmash.org*, True -*.mentari.web.id*, True -*.mentelar.ga*, True -*.mentetransicao.com*, True -*.mentorhiphop.com*, True -*.mentoringdeventas.cl*, True -*.menttes.com*, True -*.mentul.tk*, True -*.mentzer.org*, True -*.menuiserie-bard.com*, True -*.menuiserieconti.ch*, True -*.menuiserie-fabbi.ch*, True -*.menuiseriegeiser.ch*, True -*.menuiserie-jaquet.ch*, True -*.menyolhost.tk*, True -*.menyolmusic.ga*, True -*.menza.co.il*, True -*.meorhatorah.org*, True -*.mep.cl*, True -*.mephistonet.nl*, True -*.mepinta.com*, True -*.mepinta.org*, True -*.meposting.com*, True -*.me-pra.com*, True -*.mer-1004.com*, True -*.mer-555.com*, True -*.mer-777.com*, True -*.merafong.co.za*, True -*.merakimom.com*, True -*.mera-sultan.ml*, True -*.mercaderia.cl*, True -*.mercaderias.cl*, True -*.mercadobit.com.ar*, True -*.mercadobit.net*, True -*.mercadobits.net*, True -*.mercadocoin.net*, True -*.mercadodeaguas.cl*, True -*.mercadomail.com.mx*, True -*.mercadosahora.com.ar*, True -*.mercanding.cl*, True -*.mercatinousatolapulce.it*, True -*.mercenarioselite.com.ar*, True -*.merchantbusinessloan.com*, True -*.merchant.hk*, True -*.merchant-store.net*, True -*.mercifullytravel.com*, True -*.mercoaguas.com.ar*, True -*.mercod.com.br*, True -*.mercom.pro*, True -*.merconetsrl.com*, True -*.mercurionline.com.br*, True -*.mercurisarl.ch*, True -*.mercury-fx.hk*, True -*.mercuryfx.hk*, True -*.mercuryheating.com.au*, True -*.mercuryl.co.za*, True -*.mercurystorm.co.za*, True -*.mercurytod.pw*, True -*.mercusuarjaya.com*, True -*.merdeka.pw*, True -*.merd.eu*, True -*.merecure.net.ve*, True -*.meremmelek.com*, True -*.mereotura.ro*, True -*.mereuactiv.ro*, True -*.merexca.com.ve*, True -*.mergiotti.com.ar*, True -*.mergosono.com*, True -*.meribassai.net*, True -*.meribio.com*, True -*.meridian-faucets.com*, True -*.meridiangrp.com*, True -*.meridianhouserecordings.com*, True -*.meridiano.com.br*, True -*.meridiasibutramine.com*, True -*.merila.net*, True -*.merinogroup.com.au*, True -*.merinomujica.cl*, True -*.merinosgallery.com*, True -*.merinosrugs.com.au*, True -*.meritia.com.ar*, True -*.merken-sa.cl*, True -*.merkenspa.cl*, True -*.merlinsweater.com*, True -*.merlitec.com*, True -*.merllot.tk*, True -*.merlyn.ro*, True -*.mermat.com.ar*, True -*.merniekszm.lv*, True -*.merolex.com*, True -*.merpati.web.id*, True -*.merriam.ca*, True -*.merriam.ch*, True -*.merrick.mx*, True -*.merrick.xyz*, True -*.merrison.co.uk*, True -*.merrison.uk*, True -*.mersbenz.ru*, True -*.mersifrumos.ro*, True -*.merspi.com.au*, True -*.meruba.co.il*, True -*.mervikujala.fi*, True -*.mervynokm.com*, True -*.mervyn.org*, True -*.mesanetwork.tk*, True -*.mesarhameed.info*, True -*.mesca.ro*, True -*.mesephone.com*, True -*.meservy.org*, True -*.mesespinal.com*, True -*.meshbannersdirect.com.au*, True -*.meshgin-taxi.ir*, True -*.meshn.com.au*, True -*.meshplant.com*, True -*.meshte.ch*, True -*.mesi7.com*, True -*.mesinabsensidiscount.com*, True -*.mesinakseskontrol.com*, True -*.mesinalatkantor.com*, True -*.mesingeneratorokinawa.com*, True -*.mesinlaundrykarpet.com*, True -*.mesinpenghitunguangmurah.com*, True -*.mesinpengolahmakanan.com*, True -*.mesin-pks.com*, True -*.mesinpressbatako.com*, True -*.mesin-ro.com*, True -*.mesleman.com*, True -*.mesmerize.one.pl*, True -*.mesopic.com*, True -*.mesothelioma-law-firmi.ga*, True -*.messagewatch.co.uk*, True -*.messagexchange.hk*, True -*.messbook.ro*, True -*.messengerlan.com*, True -*.messenger-plus.com*, True -*.messilot.co.il*, True -*.messoinsenergetiques.ca*, True -*.messouvenirs.info*, True -*.mesteshukar.ro*, True -*.mestesukar.ro*, True -*.mesudalaconcha.cl*, True -*.mesukan.com*, True -*.mesum.in*, True -*.mesumscandal.ga*, True -*.mesuresalternatives-mavn.ca*, True -*.meszolyviktor.hu*, True -*.meta9.info*, True -*.metachu.com*, True -*.metafinis.com*, True -*.metafoto.pl*, True -*.metahelper.net*, True -*.metahelper.org*, True -*.metahumano.org*, True -*.metal450.info*, True -*.metal-alloys.com*, True -*.metalarea.biz*, True -*.metalarea.info*, True -*.metalarea.mobi*, True -*.metalarea.net*, True -*.metalbible.tv*, True -*.metaldatasa.com.br*, True -*.metaldog.net*, True -*.metaleo.com.ar*, True -*.metalexchange.ro*, True -*.metal-freak.net*, True -*.metalghost.ro*, True -*.metalgroup.com.ve*, True -*.metalheadhosting.co.uk*, True -*.metallady.ru*, True -*.metallityokivela.fi*, True -*.metalmike.nl*, True -*.metalmiranda.com.ar*, True -*.metalmixpara.com.br*, True -*.metalnew.com.br*, True -*.metalogicus.com*, True -*.metalpartesesposito.com.ve*, True -*.metalrom.ro*, True -*.metal-soviet.tk*, True -*.metalsoviet.tk*, True -*.metaltv.cl*, True -*.metal-typer.info*, True -*.metalurgicaromar.com.ar*, True -*.metalurgicatorrez.ml*, True -*.metamail.tk*, True -*.metamenu.com*, True -*.metamorfoza.ro*, True -*.metamurks.org*, True -*.metamutate.com*, True -*.metamutate.org*, True -*.metanoiarse.com.ar*, True -*.metaphysicalninja.com*, True -*.metaphysipedia.com*, True -*.metapoint.co.kr*, True -*.metareads.com*, True -*.metasplo.it*, True -*.metasystem.com.br*, True -*.metathoughts.co.za*, True -*.metatrustengine.com*, True -*.metaure.com*, True -*.metawire.eu*, True -*.metbox.net*, True -*.metco.ro*, True -*.metecedin.com*, True -*.meteomanolo.es*, True -*.meteotodi.com*, True -*.meteotodi.it*, True -*.meterlink.com.ar*, True -*.meterproperty.com*, True -*.metgezel.be*, True -*.metgreen.in*, True -*.methexis-hotel.gr*, True -*.meth.ml*, True -*.methodist2mdn.sch.id*, True -*.methodz.net*, True -*.metida-vrn.ru*, True -*.metin2hosting.ro*, True -*.metin2xen.ro*, True -*.metinsan.com*, True -*.metissa.com.br*, True -*.metivier.fr*, True -*.metkom.su*, True -*.metlandcybercity.com*, True -*.metlandmenteng.com*, True -*.metlandtransyogi.co.id*, True -*.metlushko.ru*, True -*.metmp.com.au*, True -*.metochia.ro*, True -*.metonweb.net*, True -*.metrans-ciprox.ro*, True -*.metraznoblago.si*, True -*.metrobeatrecords.com*, True -*.metrobhakti.co.id*, True -*.metrobordelapartments.com*, True -*.metrocab.co.za*, True -*.metrocapital.com.ar*, True -*.metrock.ml*, True -*.metrocoach.co.za*, True -*.metrodetroitareacomputerrepair.com*, True -*.metrodetroitareacomputerrepairs.com*, True -*.metrodetroitareacomputers.com*, True -*.metrodetroitareacomputerservice.com*, True -*.metrodetroitcomputerrepairexperts.com*, True -*.metrodetroitcomputerrepairs.com*, True -*.metrodetroitcomputers.com*, True -*.metrodetroitcomputerservice.com*, True -*.metrodetroitpcrepair.com*, True -*.metrointeriormdn.com*, True -*.metroinvest.com.ar*, True -*.metroinvestsa.com.ar*, True -*.metrojoinery.com.au*, True -*.metrolinks.ro*, True -*.metromini.biz*, True -*.metromost.com*, True -*.metronet.se*, True -*.metronet-solution.com*, True -*.metroperth.com.au*, True -*.metropoleloisirs.ch*, True -*.metropoliorizaba.com*, True -*.metropouloslaw.com*, True -*.metro-pulsa.com*, True -*.metropulsa.net*, True -*.metropulsa.org*, True -*.metro-reload.info*, True -*.metrosex.ro*, True -*.metrosinu.com*, True -*.metrosphere.co.za*, True -*.metrotainha.com*, True -*.metrotaxi.co.za*, True -*.metrotech.co.nz*, True -*.metrotrain.co.za*, True -*.metrowar.net*, True -*.metrox.ga*, True -*.metroz.biz*, True -*.mets.si*, True -*.mett.ru*, True -*.metvora.lt*, True -*.meubelencoch.be*, True -*.meuh2.com*, True -*.meupalco.com.br*, True -*.meuplus2.tw*, True -*.meuporquinho.net*, True -*.meusexyshop.com.br*, True -*.meus-omnis.com*, True -*.meusprodutos.com.br*, True -*.mever-lasi.co.il*, True -*.mevo.ro*, True -*.mewbew.com*, True -*.mexcat.org*, True -*.mexicocity.si*, True -*.mexicoencomunidad.mx*, True -*.mexicofastbraces.com*, True -*.mexicommerce.com*, True -*.mexicommerce.com.mx*, True -*.mexicommerce.org*, True -*.mexlindo.com*, True -*.mexpress.cl*, True -*.mextron.com*, True -*.meyair.com*, True -*.meyer-kohlscheid.com*, True -*.meyermeyer.ro*, True -*.meyio.com.ar*, True -*.meyrekajita.com.br*, True -*.meyrinos.com*, True -*.mezackgroup.com*, True -*.meze.gen.tr*, True -*.mezelf.info*, True -*.mezick.net*, True -*.mezin.su*, True -*.mezzo-sopran.ch*, True -*.mf03.ru*, True -*.mfafb.com*, True -*.mfafbgames.com*, True -*.mfbohrer.com.br*, True -*.mfcazov.ru*, True -*.mfc-kamensk.ru*, True -*.mfc-krsulin.ru*, True -*.mfc-wp.org*, True -*.mfdfx.net*, True -*.mfence.co.za*, True -*.mflaniganmusic.com*, True -*.mfm-gitmo.com*, True -*.mfpockets.com*, True -*.mfporn.com*, True -*.mfrias.com*, True -*.mfswfk.net*, True -*.mftcamp.ir*, True -*.mftforum.com*, True -*.mftnarmak.com*, True -*.mftnet.com*, True -*.mftvanak.com*, True -*.mg15.net*, True -*.mg-2000.com*, True -*.mg-666.com*, True -*.mgbconsultants.com*, True -*.mgctisak.com*, True -*.mgdavenport.com*, True -*.mgfilms.biz*, True -*.mgillies.ca*, True -*.mgit.org*, True -*.mglenn.info*, True -*.mglgiu67.tk*, True -*.mg-likerss.ga*, True -*.mgmcraft.ga*, True -*.mgm.eng.br*, True -*.mgmicro.com.br*, True -*.mgmppaismpta.com*, True -*.mgmstar.ro*, True -*.mgmt-plus-software.com*, True -*.mgnqs.co.za*, True -*.mgns.be*, True -*.mgo.md*, True -*.mgpg.cl*, True -*.mgproperty.eu*, True -*.mgpst.com*, True -*.mgregson.co.uk*, True -*.mgrimm.org*, True -*.mgroup.mx*, True -*.mgroups.cl*, True -*.mgs17.ch*, True -*.mgsdl.com*, True -*.mgsolucioneslegales.com.ar*, True -*.mg-spain.com*, True -*.mgsystems.com.ar*, True -*.mg-tdc.com*, True -*.mgtgamer.com*, True -*.mgtgamer.net*, True -*.mgutz.com*, True -*.mgv.cl*, True -*.mh11.in*, True -*.mhahnconsultoria.com.br*, True -*.mhall2014.tk*, True -*.m-h-b.co.il*, True -*.mhcode.com.ar*, True -*.mhfg403.com*, True -*.mhibroker.co.id*, True -*.mhibroker.com*, True -*.mhka888.com*, True -*.mhlevy.net*, True -*.mhlu.tk*, True -*.mhm1932.ru*, True -*.mhmactech.com*, True -*.mhoi.net*, True -*.mhoi.org*, True -*.mhopps.com*, True -*.mhowes.info*, True -*.mhoyos.com.ar*, True -*.mhp.eti.br*, True -*.mhpnet.com*, True -*.mhrj.ca*, True -*.mhsalumniassociation.com*, True -*.mhseguros.cl*, True -*.mhserv.info*, True -*.mhumphries.co.za*, True -*.mh-villa.com*, True -*.mhvpt.org*, True -*.mi2fotkava.si*, True -*.mi6.ch*, True -*.mi6.pl*, True -*.miafp.cl*, True -*.miafp.com*, True -*.mialivne.com*, True -*.miami-apartment.net*, True -*.miamihood.com*, True -*.miammiam.ro*, True -*.miamonroe.com.au*, True -*.mianyangprison.org*, True -*.miaoyin.cc*, True -*.miapec.net*, True -*.miaplicacion.mx*, True -*.miaplicacionweb.mx*, True -*.miapv.cl*, True -*.miarsa.com.ar*, True -*.miautty.com*, True -*.miaux.com*, True -*.mibasededatos.mx*, True -*.mibebita.tk*, True -*.mibooks.com*, True -*.micaeladeltorto.com.ar*, True -*.micahduron.com*, True -*.micahshelton.com*, True -*.micahtopping.com*, True -*.micamara.us*, True -*.micanks.cf*, True -*.micasaeficiente.es*, True -*.micasita.tk*, True -*.micat.ch*, True -*.micatonetwork.net*, True -*.micb.cl*, True -*.mice4life.com*, True -*.miceforlife.com*, True -*.micehackers.com*, True -*.micek.ca*, True -*.miceli.id.au*, True -*.micenterprise.com*, True -*.micentroarmonia.com.ar*, True -*.micetravel.com.my*, True -*.miceux.com*, True -*.micgolee.tk*, True -*.mich7.com*, True -*.michaelandjenny.net*, True -*.michaelandrebeccagettingmarried.co.uk*, True -*.michaelbrady.net*, True -*.michaelcartmill.com*, True -*.michaelchamplin.com*, True -*.michaelcorleyvideography.com*, True -*.michaelcoyne.com*, True -*.michaelcpc.tk*, True -*.michaeldavies.org*, True -*.michaeldnovak.com*, True -*.michaeleallen.com*, True -*.michaelferguson.co.uk*, True -*.michaelferguson.net.au*, True -*.michaelfoody.com*, True -*.michaelgemme.com*, True -*.michaelgough.net*, True -*.michaelharrison.ca*, True -*.michael.id*, True -*.michaelkha.net*, True -*.michaelkorsoutletacs.net*, True -*.michaelkugler.de*, True -*.michaellevy.ml*, True -*.michaellui.com*, True -*.michaelmainier.com*, True -*.michaelmcclelland.com*, True -*.michaelmclaughlinstudios.com*, True -*.michaelnetwork.tk*, True -*.michaelniles.info*, True -*.michaeloatman.info*, True -*.michaeloatman.net*, True -*.michaelpercival.co.uk*, True -*.michaelrcarroll.com*, True -*.michael-schaer.ch*, True -*.michaelschranz.ch*, True -*.michaelschuler.de*, True -*.michaelshea.org*, True -*.michaelshome.net*, True -*.michaels.net.au*, True -*.michaelsrooms.com*, True -*.michaelsterling.me*, True -*.michaelstrong.org*, True -*.michaeltortora.net*, True -*.michaelturro.com*, True -*.michaelwirzarchitecture.ch*, True -*.michaelxia.com*, True -*.michaelziege.com*, True -*.michalgf.co.il*, True -*.micharreada.com.mx*, True -*.micharreada.mx*, True -*.michatirc.cl*, True -*.michaudmail.com*, True -*.michaudsite.com*, True -*.michavanaken.nl*, True -*.michbasa.co.il*, True -*.michelledelgiudice.com*, True -*.michel-leduc.com*, True -*.michellemartin.me*, True -*.michellenagy.ca*, True -*.michelleplaisance.com*, True -*.michelonarquitetura.com*, True -*.michelonarquitetura.com.br*, True -*.michelon.com*, True -*.michielsibel.nl*, True -*.michiels.nu*, True -*.michiganbowling.com*, True -*.michigancityparks.com*, True -*.michigan.cl*, True -*.michigan.com.ar*, True -*.michigancrafts.net*, True -*.michigan-tours.fr*, True -*.michigoid.com*, True -*.michiriqui.com*, True -*.michiriqui.info*, True -*.michiriqui.net*, True -*.michsan.web.id*, True -*.michyko.com*, True -*.miciinazdravani.ro*, True -*.miciipoznasi.ro*, True -*.miciistrengari.ro*, True -*.micinazdravani.ro*, True -*.micipoznasi.ro*, True -*.micistrengari.ro*, True -*.mickala.ir*, True -*.mickeystorage.com*, True -*.mickila.co.uk*, True -*.mickis.me*, True -*.mickp.net*, True -*.mickspocket.com*, True -*.mickstapes.com*, True -*.mickswork.com*, True -*.mickus.mobi*, True -*.mickx009.com*, True -*.mickykua.com*, True -*.micloudhost.com.ar*, True -*.micosmith.me*, True -*.micprog.com*, True -*.micresearch.net*, True -*.micrex.ca*, True -*.microacces.ro*, True -*.microadam.co.uk*, True -*.microbee.com.au*, True -*.microbee.net.au*, True -*.microbionews.cl*, True -*.microcarsiphone.com*, True -*.micro-center.com.ar*, True -*.microcomputers.ch*, True -*.microcontroller.ro*, True -*.microdnd.com*, True -*.microenigma.com.au*, True -*.microfisioterapiasorocaba.com*, True -*.microfotosinteticos.com.ve*, True -*.micrographicmohssurgery.com*, True -*.microintelligence-ph.com*, True -*.microitsolutions.org*, True -*.microkernel.cl*, True -*.microlabsoporte.com.ve*, True -*.microlighttraining.co.uk*, True -*.micrologic-da.md*, True -*.micromit.ir*, True -*.micromsp.ca*, True -*.micromsp.com*, True -*.micronet.ee*, True -*.micronianos.cl*, True -*.micro-pak.hk*, True -*.micropak.hk*, True -*.micro-paklimited.hk*, True -*.micropaklimited.hk*, True -*.micropakltd.ch*, True -*.micropakltd.co.uk*, True -*.micropakltd.de*, True -*.micropakltd.hk*, True -*.micropakltd.it*, True -*.micropakltd.jp*, True -*.microreal.com*, True -*.microscopy.tw*, True -*.microsense.in*, True -*.microsoft-info.biz*, True -*.microsoftinfo.net*, True -*.microsoft-office.com*, True -*.microsoftstores.co.uk*, True -*.microsquash.net*, True -*.microsun.ch*, True -*.microsun-tech.com*, True -*.microsun-tech.net*, True -*.microsux.biz*, True -*.microtrafh.com*, True -*.microtronics.us*, True -*.microtron.org.uk*, True -*.microvideo.com*, True -*.microworld.cl*, True -*.micrus.pl*, True -*.micsbooks.org*, True -*.micu.eu*, True -*.miculanunt.net*, True -*.miculmatematician.ro*, True -*.miculnazdravan.ro*, True -*.miculstrengar.ro*, True -*.micurrin.com.ar*, True -*.miczynski.org*, True -*.midabep.cf*, True -*.mi-da.com.mx*, True -*.mi-da-consulting.it*, True -*.midas-cola.com*, True -*.midatahosting.com*, True -*.midatech.cl*, True -*.midatech.cn*, True -*.midclouds.com*, True -*.midclouds.net*, True -*.midde.com.ar*, True -*.middeluxe.com*, True -*.middlefinger.com*, True -*.middleofnowhere.ro*, True -*.middleware.web.id*, True -*.middreamers.com*, True -*.mideaaircon.ro*, True -*.midea-electrocasnice.ro*, True -*.mideastsource.com*, True -*.mideconsultores.com*, True -*.midenius.se*, True -*.midesarrolloweb.mx*, True -*.midgetcat.info*, True -*.midgetworkshop.co.uk*, True -*.midjava.com*, True -*.midknightauer.com*, True -*.midksphoto.com*, True -*.midler.se*, True -*.midmag.co*, True -*.midmag.org*, True -*.midnightauer.com*, True -*.midnightcoins.com*, True -*.midnightexp.to*, True -*.midnightoker.co.uk*, True -*.midnightproductions.info*, True -*.midnightrunguild.com*, True -*.midnightsystems.net*, True -*.midperiodical.org*, True -*.midpublication.org*, True -*.midsons.com*, True -*.midsys.co.uk*, True -*.midtownlabs.com*, True -*.midulcelocura.cl*, True -*.midulzura.ml*, True -*.midwestagrifair.ca*, True -*.mid-westgroup.com*, True -*.midyscorp.com*, True -*.midzer.net*, True -*.mieiiga.com*, True -*.miel-laplata.com.ar*, True -*.mientayclub.com*, True -*.mientayfun.com*, True -*.mierenan.ro*, True -*.miernik.name*, True -*.miestenjuttu.com*, True -*.mietmobel.com.ar*, True -*.mifavor.com*, True -*.miftach.tk*, True -*.miganime.ga*, True -*.migbet.com*, True -*.migestion.com.ar*, True -*.mige.web.id*, True -*.mighosting.ga*, True -*.mightycolour.com*, True -*.mightycoronanation.com*, True -*.mightydrives.com*, True -*.mightyhost.ch*, True -*.mightypants.org*, True -*.mightysolutions.biz*, True -*.mightysolutions.net*, True -*.mightywisent.com*, True -*.migohost.com*, True -*.migom.ru*, True -*.migrate2bitrix.ru*, True -*.migratewebsite.com*, True -*.migratoryconnectivityproject.org*, True -*.miguelaflalo.com*, True -*.miguelangel.com.mx*, True -*.miguelangel.mx*, True -*.miguelarevalo.es*, True -*.miguelcarrasco.net*, True -*.miguelcatalano.com.ar*, True -*.miguelrsilva.com*, True -*.miguephoto.com*, True -*.miguras.cl*, True -*.mihablazic.tk*, True -*.mihai-popa.tk*, True -*.mihaiserv.ro*, True -*.mihaiush.ro*, True -*.mihaivlasceanu.eu*, True -*.mihaylovskoye.ru*, True -*.mihelcic.eu*, True -*.mihoramayorista.com.ar*, True -*.miielz.com*, True -*.miikarantanen.fi*, True -*.miikatomi.fi*, True -*.miinet.com.ar*, True -*.miinetserver.com.ar*, True -*.miini-bilder.net*, True -*.mijan.us*, True -*.mijaumijau.tk*, True -*.mijelshon.com.ar*, True -*.mijltda.cl*, True -*.mijor-7th.org*, True -*.mikachu.gq*, True -*.mikachu.tk*, True -*.mikaeil.ir*, True -*.mikaelkorpela.fi*, True -*.mikagura.tk*, True -*.mikalowsky.com*, True -*.mikalxavier.com*, True -*.mikata.ru*, True -*.mike480.com*, True -*.mikealesso.com*, True -*.mikeamoore.net*, True -*.mikeandmariebuzzetti.com*, True -*.mikebeil.com*, True -*.mikebert.co.uk*, True -*.mikeb.eu*, True -*.mikeblackphotographer.co.uk*, True -*.mikecramer.com*, True -*.mikecramer.co.uk*, True -*.mikec.si*, True -*.mikedenton.info*, True -*.mikedepaulo.com*, True -*.mikedogg.com*, True -*.mikeeckman.com*, True -*.mikefitz.com*, True -*.mikegrah.am*, True -*.mikehadler.com*, True -*.mikelaskey.ca*, True -*.mikelevinephotoart.com*, True -*.mikemanson.com*, True -*.mikemercau.com.ar*, True -*.miken.tk*, True -*.mikeolson.org*, True -*.mikeprior.tk*, True -*.mikerud.com*, True -*.mikerussellmck.com*, True -*.mikescheer.com*, True -*.mikesdesign.hu*, True -*.mikespiering.com*, True -*.mikespuhler.com*, True -*.mikesshop.net*, True -*.mikes-sports.com*, True -*.mikes-sports.co.za*, True -*.mike-taylor.net*, True -*.miketheinstructor.ca*, True -*.miketheinstructor.com*, True -*.miketoberfest.com*, True -*.miketonksphotography.co.uk*, True -*.miketsang.info*, True -*.mike-turner.biz*, True -*.miketurner.biz*, True -*.miketurro.com*, True -*.mikevarty.co.uk*, True -*.mikeyin.org*, True -*.mikeyzman.com*, True -*.mikgan.com*, True -*.mikhailspector.com*, True -*.mikhale.kz*, True -*.mikhale.ru*, True -*.mikhaylov.info*, True -*.mikhe.ru*, True -*.mikichiha.com*, True -*.mikidders.com*, True -*.mikie-and-co.com*, True -*.mikironen.com*, True -*.mikkila.se*, True -*.mikma-farm.ru*, True -*.mikma.su*, True -*.mikoblinds.com.my*, True -*.mikobytes.ca*, True -*.mikobytes.com*, True -*.mikobytes.net*, True -*.mikobytes.org*, True -*.mikramarine.gr*, True -*.mikrolink.one.pl*, True -*.mikromaja.fi*, True -*.mikropolis.gr*, True -*.mikrosid.com*, True -*.mikrosite.fi*, True -*.mikroskeem.cf*, True -*.mikrotik-tech.us*, True -*.mikvemenora.org*, True -*.mil.nf*, True -*.milad-ardabil.ir*, True -*.milady.com.ar*, True -*.milagresouth.org*, True -*.milagrosperez.com*, True -*.milahoetmer.nl*, True -*.milanleecher.us*, True -*.milansp.com*, True -*.mildstory.com*, True -*.mildurahub.com*, True -*.mileeclassroom.com*, True -*.milehighinfo.com*, True -*.mileschocolates.com*, True -*.milescorpaustralia.com.au*, True -*.milesey.com*, True -*.milesight.tk*, True -*.milesinthespring.com*, True -*.milestone-bikes.ch*, True -*.milesy.net*, True -*.miletwentyfour.com*, True -*.milf-pron.org*, True -*.milgrim.org*, True -*.milife.club*, True -*.milipen.com.ar*, True -*.milisalon.com*, True -*.milisauti.ro*, True -*.milius.cl*, True -*.milius.com.ar*, True -*.milkdog.net*, True -*.milk.ga*, True -*.milk.is*, True -*.millalen.cl*, True -*.millancura.cl*, True -*.millboro.net*, True -*.milleniumveiculos.com.br*, True -*.millennium-lc.tk*, True -*.millerandwhitworth.asia*, True -*.millerandwhitworth.com*, True -*.millerandwhitworth.co.nz*, True -*.millerandwhitworth.info*, True -*.millerandwhitworth.net*, True -*.millerandwhitworth.net.au*, True -*.millerandwhitworth.net.nz*, True -*.millerandwhitworth.nz*, True -*.millerchip.net*, True -*.millerit.com.au*, True -*.miller.org.au*, True -*.millthorn.com*, True -*.millycutenails.tk*, True -*.milmascotas.com.ar*, True -*.milocaobsesion.cl*, True -*.miloc.com*, True -*.milosavljevic.rs*, True -*.miloshmobile.com*, True -*.miloszikic.com*, True -*.milotech.co.id*, True -*.milo.tk*, True -*.milovanovic.net*, True -*.milrepuestos.com.ve*, True -*.mil-specaustralia.com.au*, True -*.milt0r.com*, True -*.miltoncoc.com*, True -*.miltoncoc.net*, True -*.milum.com.ar*, True -*.milventas.com.ve*, True -*.milwyn-jenkins.co.uk*, True -*.mim77.com*, True -*.mim88.com*, True -*.mim99.com*, True -*.miman-benin.org*, True -*.mimassi.org*, True -*.mimikeene.com*, True -*.mimima.net*, True -*.mimisister.com*, True -*.mimorcraft.com*, True -*.mimoviet.com*, True -*.mimurnisundra.sch.id*, True -*.mimus.tw*, True -*.minac.ro*, True -*.minaj.ga*, True -*.minaj.ml*, True -*.minaj.tk*, True -*.minamikeisuke.uk*, True -*.minasflorals.com.au*, True -*.minas.tk*, True -*.minbahadursingh.com.np*, True -*.mincesur.com*, True -*.minceu-ayu.net*, True -*.mindabuse.com*, True -*.mindabuse.net*, True -*.mindblown.be*, True -*.mindcraft--mcs.cf*, True -*.mindcyber00.com*, True -*.mindeasy.hk*, True -*.mindfacets.com*, True -*.mindfluxproductions.com*, True -*.mindfluxsociety.org*, True -*.mindfulise-app.com*, True -*.mindfuliser.com*, True -*.mindfulmusic.com*, True -*.mindhackers.org*, True -*.mindmade.org*, True -*.mindmods.org*, True -*.mindphysics.com*, True -*.mindplace.de*, True -*.mindplace.info*, True -*.mindplug.in*, True -*.mindscrape.net*, True -*.mindseyeit.ca*, True -*.mindshare.com.au*, True -*.mindsinmotion.net.au*, True -*.mindsoft.cl*, True -*.mindsplint.com*, True -*.mindtheorem.com*, True -*.minebag.tk*, True -*.mineball.net*, True -*.minebook.cz*, True -*.mineboyil.ml*, True -*.minebuilder.us*, True -*.minebush.tk*, True -*.mine.bz*, True -*.minecack.com*, True -*.minecleave.net*, True -*.minecraftcritical.tk*, True -*.minecraft-event.net*, True -*.minecraftnoob.com*, True -*.minecraftnz.co.nz*, True -*.minecraftservers64.tk*, True -*.minecraftserv.tk*, True -*.minecraftyoutube.tk*, True -*.mineforte.tk*, True -*.minefx.tk*, True -*.minegamba.com*, True -*.minegrita.tk*, True -*.minelandpe.tk*, True -*.mineland.su*, True -*.minequartz.tk*, True -*.minerack.co*, True -*.minerack.uk*, True -*.mineratoro.cl*, True -*.minerbras.com*, True -*.mineriacreativa.cl*, True -*.minermc.net*, True -*.minersplazamc.cf*, True -*.minersrealm.tk*, True -*.minerssociety.net*, True -*.minersworld.tk*, True -*.mines1970fund.org.za*, True -*.mineself.gq*, True -*.mineself.tk*, True -*.mineservers.tk*, True -*.minesoft.ru*, True -*.minespex.com.au*, True -*.mine-tech.us*, True -*.mineuniversemc.com*, True -*.mineview.ca*, True -*.mineworkers.com.au*, True -*.mingainformativa.org*, True -*.minghing.hk*, True -*.mingky2013.com*, True -*.mingkycool.com*, True -*.mingkydong.com*, True -*.mingkygirl.net*, True -*.mingkyhouse.com*, True -*.mingky.info*, True -*.mingkyjuso.com*, True -*.mingkymobile.com*, True -*.mingkymong.com*, True -*.mingkynara.com*, True -*.mingky.net*, True -*.mingkynet.com*, True -*.mingky.org*, True -*.mingkys.com*, True -*.mingkysesang.com*, True -*.mingkysite.com*, True -*.mingkyzoa.com*, True -*.mingmanphoto.com*, True -*.mingolabs.com.br*, True -*.mingtang.ca*, True -*.mingugge.com*, True -*.minhacasameuxodo.com.br*, True -*.minhaoperadora.com*, True -*.minhavilaleopoldina.com.br*, True -*.minhavpn.com.br*, True -*.minhhong.com*, True -*.minhlinh.com*, True -*.minhvuong.cf*, True -*.miniacre.com*, True -*.miniair.tw*, True -*.miniarcadethai.net*, True -*.minibarnsonline.com*, True -*.minibook.md*, True -*.minibooksworld.com*, True -*.miniclinic.cl*, True -*.miniclipgames.ro*, True -*.minicolo.it*, True -*.minicommashop.com*, True -*.minideco.com.my*, True -*.minidepositoslosruicessur.com*, True -*.minidepositos.net*, True -*.mini--games.com*, True -*.minigetaways.eu*, True -*.minigris.fi*, True -*.minigrou.fr*, True -*.miniholic.org*, True -*.mini-information.co.za*, True -*.mini-itx-pc.ro*, True -*.minik.ch*, True -*.minilan.ch*, True -*.mini-life.ir*, True -*.minilog.ml*, True -*.minimacao.com*, True -*.minimacau.net*, True -*.minimalscene.com*, True -*.minimanimo.com*, True -*.minimedica.pl*, True -*.minimir.ch*, True -*.miniml.tk*, True -*.minimul.ro*, True -*.mininginductions.com*, True -*.mininginductions.com.au*, True -*.minionsclan.com*, True -*.minioop.com*, True -*.miniora.cf*, True -*.minipinkshop.com*, True -*.minipossu.fi*, True -*.minipulator.com*, True -*.minipym.com*, True -*.miniq-et-marsupio.com*, True -*.miniscarbo.tk*, True -*.minisen.com*, True -*.miniserver.com.ar*, True -*.mini-shop.biz*, True -*.minisiteku.com*, True -*.minisivut.fi*, True -*.ministere-evangelique-emmanuel.org*, True -*.ministeriocarmencruz.com.br*, True -*.ministeriofila.com.br*, True -*.ministeriokadoshe.com.br*, True -*.ministerjay.com*, True -*.ministeruldansului.ro*, True -*.ministryreports.org*, True -*.ministrywife.com*, True -*.minkle.tk*, True -*.minkoze.net*, True -*.minkyu.me*, True -*.minnano.org*, True -*.minnecrapolis.com*, True -*.minnich.com.au*, True -*.minnich-mfg.com.au*, True -*.minnowboat.com.au*, True -*.minnow.eu*, True -*.minocongo.com*, True -*.minora.at*, True -*.minorleaguesites.com*, True -*.minotto.ch*, True -*.minoubot.org*, True -*.minplats.nu*, True -*.minplekke.be*, True -*.minresebok.se*, True -*.minsk.fi*, True -*.minskio.co.uk*, True -*.minstrelfoundation.ca*, True -*.minsun.org*, True -*.m-insurance.gq*, True -*.mint0.co.uk*, True -*.mintakaconciencia.net*, True -*.minted.be*, True -*.mintlab.com.ar*, True -*.mintnimal.com*, True -*.mint.org.ar*, True -*.mintt.ch*, True -*.minttecnologia.com*, True -*.minttecnologia.com.br*, True -*.mintz.cc*, True -*.minube.ga*, True -*.minukleeps.ee*, True -*.minum.es*, True -*.minuni.com.ar*, True -*.minutoaminuto.cl*, True -*.minutoemprestimo.com*, True -*.minutoemprestimo.com.br*, True -*.minvest.se*, True -*.minyaknabali.com*, True -*.minyakzaitun.web.id*, True -*.minzbox.com*, True -*.miocloud.net*, True -*.miodiseno.cl*, True -*.miodonski.ch*, True -*.mioespresso.cn*, True -*.miom.be*, True -*.mionica.ro*, True -*.miopia.cl*, True -*.miosdios.ch*, True -*.mipeng.com.br*, True -*.mipeopleandsafety.com.au*, True -*.mipiacethun.ch*, True -*.miplatform.co*, True -*.mipromo.cl*, True -*.mipromotoras.org*, True -*.mipsandroid.com*, True -*.mipsandroid.net*, True -*.mipsandroid.org*, True -*.miraaj.ro*, True -*.mirabello.org*, True -*.miracledrop.my*, True -*.miracleisreal.com*, True -*.miracleloops.com*, True -*.miracletouch.com.au*, True -*.miraculos.ro*, True -*.mirai-hikari.net*, True -*.mirak.fi*, True -*.mirakuru.gq*, True -*.mirakuru.tk*, True -*.mirandachinese.com.au*, True -*.mirandamarques.com*, True -*.mirandastarr.com*, True -*.mirasan.hk*, True -*.mirceacopaci.ro*, True -*.mirceasandu.ro*, True -*.mirceasobaru.ro*, True -*.mircforce.tk*, True -*.mirc.it*, True -*.mirc.xyz*, True -*.mireblog.ru*, True -*.miredbus.com.ar*, True -*.mireks.ru*, True -*.mirembe.com*, True -*.mirena.si*, True -*.mireporte.cl*, True -*.mireseinspirate.ro*, True -*.mireshop.ru*, True -*.mirexgroup.com*, True -*.miriama.net*, True -*.miriam-carrasco.com*, True -*.miriamquerol.com*, True -*.mirimob.ro*, True -*.miringames.com*, True -*.mirkov.info*, True -*.mirkwood.tk*, True -*.mirmooi.net*, True -*.mir-na.ru*, True -*.mirodeniisemintesifructeconfiate.ro*, True -*.mirol.com*, True -*.mirol.com.ar*, True -*.mirolnet.com*, True -*.mironinvestspain.com*, True -*.mirra-lux.lv*, True -*.mirror-sungkem.tk*, True -*.mirskitchen.com*, True -*.mirsolartech.ro*, True -*.mirta-troilo.com.ar*, True -*.mirteko.ru*, True -*.mirunasigeorge.ro*, True -*.mirusengineering.ca*, True -*.mir-vam.ru*, True -*.mirzac.com*, True -*.mirzhivotnyh.ga*, True -*.misaelcudek.com.ar*, True -*.misaliravianschool.com*, True -*.misantropi.se*, True -*.miscachureos.com*, True -*.miscarsamba.com*, True -*.miscellanet.com*, True -*.mischis.ch*, True -*.misco2015.com*, True -*.miscuesgrille.com*, True -*.mi-seguro-auto.com*, True -*.miservidor.mx*, True -*.mises.org.il*, True -*.misexamenes.cl*, True -*.misexpedientes.com.ar*, True -*.misf.me*, True -*.misfogones.es*, True -*.misforillos.com*, True -*.misfuck.com*, True -*.mishki.cl*, True -*.mishmash.com.ar*, True -*.mishorasdetrabajo.com.ar*, True -*.mishor.co.il*, True -*.mishpatlaam.co.il*, True -*.mis-inversiones.com.ar*, True -*.misitio.ml*, True -*.mislukitas.cl*, True -*.mismultas.com.ar*, True -*.misnietoscasaserrana.com*, True -*.misplacedbay.com*, True -*.misplacedbay.org*, True -*.misquince.cl*, True -*.misraicesentusaguas.cl*, True -*.misrea.com*, True -*.misreclamos.cl*, True -*.miss-cm.com*, True -*.missemily.ca*, True -*.missemilymoore.com*, True -*.missingbay.com*, True -*.missingbay.org*, True -*.missingpersons.ie*, True -*.missiodei.net.au*, True -*.missiodei.org.za*, True -*.mission3tc.com*, True -*.missioncitydesign.com*, True -*.missionmedia.com.np*, True -*.missionsilicon.com*, True -*.missiontesoro.com*, True -*.missionwg.ch*, True -*.missland.com*, True -*.missland.net*, True -*.missland.org*, True -*.miss-li.tk*, True -*.missouriprobate.biz*, True -*.missouririverauction.com*, True -*.missretail.com.au*, True -*.missrissa.net*, True -*.missucursales.cl*, True -*.missura.ch*, True -*.missysarah.com*, True -*.mistakes.eu*, True -*.mistapotta.com*, True -*.mist.blue*, True -*.mistech.ru*, True -*.mistechtalk.com*, True -*.misteraz.ru*, True -*.mistercorea.com*, True -*.mistereg.com*, True -*.misteregis.net*, True -*.misteregis.tk*, True -*.misterideas.cl*, True -*.misterijbroja.com*, True -*.misterio.cl*, True -*.misterius.org*, True -*.mistermarket.cl*, True -*.misterpokeylope.com*, True -*.misterteo.ro*, True -*.mistis.ga*, True -*.misty-myth.com*, True -*.mistymyth.com*, True -*.misukymi.ch*, True -*.misuper.com.ar*, True -*.mitanishen.cl*, True -*.mitaxiya.com*, True -*.mit-best.ro*, True -*.mitch.com.ar*, True -*.mitchellcameron.co.za*, True -*.mitchellclan.ca*, True -*.mitchell-tapping.com*, True -*.mitchellzsmith.com*, True -*.mitchelpoe.com*, True -*.mitchev.com*, True -*.mitchev.net*, True -*.mitcheywelch.com*, True -*.mitchill.com*, True -*.mitc.net*, True -*.mitco.cl*, True -*.mitcpw.org*, True -*.mitec.cl*, True -*.mitelco.com.au*, True -*.mitelco.net.au*, True -*.mitellab.com*, True -*.mitesis.ml*, True -*.mitheithel.net*, True -*.mithunbose.co.uk*, True -*.miticaproducciones.cl*, True -*.mitindia.tk*, True -*.mition.ro*, True -*.mitiu.ro*, True -*.mitjab.com*, True -*.mitkathi.com*, True -*.mitnet.com.ar*, True -*.mitos.space*, True -*.m-it.pro*, True -*.mitrabangunmandiri.com*, True -*.mitrabayarandal.com*, True -*.mitraca.com*, True -*.mitracaonline.com*, True -*.mitracorp.com*, True -*.mitradelta.web.id*, True -*.mitrafireprotection.com*, True -*.mitrahidrolikmandiri.com*, True -*.mitraintibangunnusa.com*, True -*.mitrajayadinamis.com*, True -*.mitralestari-trans.com*, True -*.mitramakmursahabat.com*, True -*.mitramandalajaya.id*, True -*.mitramandiritenda.com*, True -*.mitramultimedia.web.id*, True -*.mitrapancarabadi.com*, True -*.mitratex.co.id*, True -*.mitrausahamandiri.net*, True -*.mitree.net*, True -*.mitrihual.cl*, True -*.mitrofanoffaustralia.org.au*, True -*.mits.be*, True -*.mitseda.ac.id*, True -*.mitsidi.com.br*, True -*.mits-jp.com*, True -*.mitsubishivehicles.com*, True -*.mitsuya.com*, True -*.mitsuyuki.net*, True -*.mittoech.com*, True -*.mitv.biz*, True -*.mitwelt.cl*, True -*.miustconstruct.ro*, True -*.mivacem.ro*, True -*.mivaeliteconstruct.com*, True -*.mivalmach1.ro*, True -*.mivecino.cl*, True -*.mixat.fi*, True -*.mixbroadband.com*, True -*.mixbroadband.net*, True -*.mixcomms.com*, True -*.mixedcity.org.il*, True -*.mixedingredients.ca*, True -*.mixiotesmexico.com*, True -*.mixmasterdjservices.com*, True -*.mixnation.co.uk*, True -*.mixpel.com.br*, True -*.mixpel.net.br*, True -*.mixpro.cl*, True -*.mixspot.net*, True -*.mixtapefinland.fi*, True -*.mixt.it*, True -*.mixversor.ro*, True -*.mix.vn*, True -*.miyahara.in*, True -*.miya.tk*, True -*.mizan.com*, True -*.mizani.co.za*, True -*.mizani-sa.co.za*, True -*.mizanmag.com*, True -*.mizantube.com*, True -*.mizara.ro*, True -*.mizar-fm.com*, True -*.mizarstvojurkovnik.si*, True -*.mizarstvo-kolman.com*, True -*.mizarstvo-titan.si*, True -*.mizfar.com*, True -*.mizo.gq*, True -*.mizowebprogrammer.ga*, True -*.mizoziakmi.ml*, True -*.mizzi.com*, True -*.mj2p.co.uk*, True -*.mjaa.cl*, True -*.mjacksongroup.ca*, True -*.mjacksongroup.com*, True -*.mjanson.com.br*, True -*.mjbennett.net*, True -*.mjc1031.ml*, True -*.mjdb.cl*, True -*.mjdomainnames.com*, True -*.mjdpe.net*, True -*.mjfinancialservices.com*, True -*.mjhost.net*, True -*.mji.ro*, True -*.mjj.st*, True -*.mjmconnect.com*, True -*.mjnewportbeach.com*, True -*.mjorf.net*, True -*.mj-oss.com*, True -*.mjpservices.us*, True -*.mjqc.ca*, True -*.mjsnails.com.au*, True -*.mjs-net.de*, True -*.mj-spp.com*, True -*.mjtlink.com*, True -*.mj-tyy.com*, True -*.mjureta.cl*, True -*.mjuu.net*, True -*.mjuzik.si*, True -*.mjvcsanisidro.com.ar*, True -*.mj-wwe.com*, True -*.mjzfotografia.com*, True -*.mk211.net*, True -*.mk353.com*, True -*.mk3.ro*, True -*.mk88.hk*, True -*.mkaegi.ch*, True -*.mkahowes.com*, True -*.mka.in*, True -*.mkaufmann.com.ar*, True -*.mk-blog.ru*, True -*.mkbus.ru*, True -*.mke.lt*, True -*.mkf28.com*, True -*.mkf76.com*, True -*.mkf85.com*, True -*.mkf95.com*, True -*.mkgraham.net*, True -*.mk-hosting.ch*, True -*.mkhq.co.kr*, True -*.mking.hk*, True -*.mkiss.cc*, True -*.mkk75.com*, True -*.mklegaladvice.com*, True -*.mk-mac.ch*, True -*.mkm.com.tr*, True -*.mkol.ru*, True -*.mkostov.com*, True -*.mkprojectassist.com.au*, True -*.mkreder.com*, True -*.mk-samorog.com*, True -*.mks-creations.net*, True -*.mks-indo.com*, True -*.mkskagit.com*, True -*.mktg.ch*, True -*.mk-toolz.de*, True -*.mktv.cf*, True -*.mku-adv.com*, True -*.mkv4m.com*, True -*.m-k-w.net*, True -*.mladapodjetnica.si*, True -*.mladez.rs*, True -*.mladi-gasilec.si*, True -*.mlapierre.com*, True -*.mlaurence.com.ar*, True -*.mlb-77.com*, True -*.mlb-79.com*, True -*.mlb889.com*, True -*.mlb-b.com*, True -*.mlb-do.com*, True -*.mlb-hh.com*, True -*.mlb-hk.com*, True -*.mlb-jo.com*, True -*.mlb-ss.com*, True -*.mlbx.org*, True -*.mlcsoft.com.ar*, True -*.mldus.com*, True -*.mlearning.com.ar*, True -*.mlemus.cl*, True -*.mlevy94.ml*, True -*.mlgestudio.com.ar*, True -*.mliker.net*, True -*.m-likerz.net*, True -*.m-likerz.us*, True -*.mlj.mx*, True -*.mlktaxprep.com*, True -*.ml-liker.com*, True -*.mlmlm.ml*, True -*.mlocal.net*, True -*.mlpop.com*, True -*.mlreciclado.com*, True -*.mlscrapbooking.com*, True -*.mlseguros.cl*, True -*.mltnet.net*, True -*.mltravel.ru*, True -*.mltuxedo.com*, True -*.mlwartman.com*, True -*.mm4u.net*, True -*.mm9158.com*, True -*.mmabathoair.co.za*, True -*.mmacademyedu.com*, True -*.mmacfiles.net*, True -*.mmandrade.com.br*, True -*.mma-online.ro*, True -*.mmariano.net*, True -*.mmarthaler-music.com*, True -*.mmartinov.com*, True -*.mmas.com.mx*, True -*.mmb.fi*, True -*.mmca.pt*, True -*.mmconsulting.at*, True -*.mmcs.co.nz*, True -*.mmecaroline.ca*, True -*.mme.com.my*, True -*.mmega.net*, True -*.mmeng.ca*, True -*.mmgartenpflege.ch*, True -*.mmg-imanpower.org*, True -*.mmgp.tv*, True -*.mmidetention.com*, True -*.mmigroup.id*, True -*.mm-i.me*, True -*.mmingky.com*, True -*.mmingky.net*, True -*.mmingkynet.com*, True -*.mmjuridicocontable.com.ar*, True -*.mmm555.ru*, True -*.mmm-888.com*, True -*.mmmmcupcakes.com*, True -*.mm.my*, True -*.mmn.co.id*, True -*.mm.net.my*, True -*.m-mode.com.my*, True -*.mmode.com.my*, True -*.mmodemobile.com*, True -*.mmodemobile.com.my*, True -*.mmode.my*, True -*.mmog.com.ar*, True -*.mmograder.com*, True -*.mmolinaonline.com*, True -*.mmononen.com*, True -*.mmoret.com*, True -*.mmorpgvault.com*, True -*.mmorris.ca*, True -*.mm-otp.com*, True -*.mmotunnel.web.id*, True -*.mmowod.com*, True -*.mmp.com.my*, True -*.mmradvogados.com*, True -*.mmrent.fi*, True -*.mmrpulsa.com*, True -*.mmsalles.com.br*, True -*.mms-consult.ro*, True -*.mmsdn.com*, True -*.mmspr.net*, True -*.mms-projects.net*, True -*.mmswireless.com*, True -*.mmtasia.com*, True -*.mmtextiles.com*, True -*.mmtools.fi*, True -*.mmudforums.com*, True -*.mm-unlam.ac.id*, True -*.mm-unmul.com*, True -*.mmurphyccie.info*, True -*.mmusic.ch*, True -*.mnail.eu*, True -*.mnakane.com*, True -*.mncediproperties.co.za*, True -*.mncsoftware.com*, True -*.mnemolands.ru*, True -*.mnemonic.net.ru*, True -*.mng-art.com*, True -*.mngcloud.com*, True -*.mnieto.com.ar*, True -*.mnishchal.com.np*, True -*.mnlab.tk*, True -*.mnlan.net*, True -*.mnlive.net*, True -*.mn-mm.com*, True -*.mnode.net*, True -*.mnogodom.com*, True -*.mnp20.org*, True -*.mnpsl.tk*, True -*.mnql.com*, True -*.mnsnet.ca*, True -*.mnst.tw*, True -*.mntbighker.net*, True -*.mn-to.com*, True -*.mnwagles.net*, True -*.mnweb.co.uk*, True -*.mnwiki.ru*, True -*.mo138.com*, True -*.mo2.ca*, True -*.mo-365.com*, True -*.mo888.com*, True -*.moaalouisville.org*, True -*.moaa.net*, True -*.moabfilmfestival.org*, True -*.moabphoto.com*, True -*.moaint.com*, True -*.moas.ml*, True -*.mobadeleh.net*, True -*.mobadele.net*, True -*.mobalabs.com.ar*, True -*.mobcnc.com*, True -*.mobdroid.ml*, True -*.mobeatie.com*, True -*.mobexart.ro*, True -*.mobgre.com*, True -*.mobgrig.ro*, True -*.mobi2chat.ml*, True -*.mobi2fun.ml*, True -*.mobichater.tk*, True -*.mobicover.co.za*, True -*.mobifix.hk*, True -*.mobigateway.com.br*, True -*.mobiladf.ro*, True -*.mobilait.com*, True -*.mobilaorinel.ro*, True -*.mobilapentrucopii.ro*, True -*.mobilarte.com*, True -*.mobilcom-debitel-sicherheitszentrale.de*, True -*.mobilebrasil.ml*, True -*.mobile-bts.com*, True -*.mobilecampusdirectory.com*, True -*.mobilechatph.cf*, True -*.mobilechatph.tk*, True -*.mobilecitizencollective.co.za*, True -*.mobile.com.my*, True -*.mobileconf.com.br*, True -*.mobilecyclemechanic.ch*, True -*.mobiledynamic.co.za*, True -*.mobileessential.com*, True -*.mobilefleet.cl*, True -*.mobilehero.co*, True -*.mobileleisure.com.ar*, True -*.mobilelink.cl*, True -*.mobile-money.my*, True -*.mobile-node.net*, True -*.mobile-oil-service.co.uk*, True -*.mobilepaper.com.my*, True -*.mobilepaper.my*, True -*.mobilephonerepairs.net.au*, True -*.mobilephoneshop.nl*, True -*.mobileprosolutions.com*, True -*.mobilerapid.com.mx*, True -*.mobileris.ro*, True -*.mobilers.my*, True -*.mobilervservice4u.com*, True -*.mobile-somea.tk*, True -*.mobilestar.com.au*, True -*.mobiletap.eu*, True -*.mobiletaxpreparation.com*, True -*.mobile-tierakupunktur.ch*, True -*.mobile-twister.com*, True -*.mobilev2008.com*, True -*.mobilevideo.com.my*, True -*.mobilevideo.my*, True -*.mobilewellnessexperts.com*, True -*.mobilia-antiqua.tk*, True -*.mobilinava.ch*, True -*.mobilit-drc.com*, True -*.mobility-id.tk*, True -*.mobilizator.ro*, True -*.mobilka.net*, True -*.mobilmotor.web.id*, True -*.mobilna-myjnia.com*, True -*.mobilniplanet.si*, True -*.mobilomics.cl*, True -*.mobilordbok.se*, True -*.mobil-ray.ru*, True -*.mobilsms.ml*, True -*.mobilsurfer.com*, True -*.mobimov.com.br*, True -*.mobindo.org*, True -*.mobisia.com*, True -*.mobisrc.com*, True -*.mobistore.ro*, True -*.mobi-sushi.ru*, True -*.mobitag.biz*, True -*.mobiuspretzel.com*, True -*.mobiustheatre.com*, True -*.mobizcloud.net*, True -*.mobizone.com.pk*, True -*.mobkingbr.ml*, True -*.mobmania.ml*, True -*.mobmusik.com*, True -*.mobocafe.cf*, True -*.mobocafe.ga*, True -*.mobocafe.ml*, True -*.mobocafe.tk*, True -*.mobochat.gq*, True -*.moboface.tk*, True -*.mobofree.ml*, True -*.mobo.ml*, True -*.moborob.com*, True -*.mobotics.ca*, True -*.moboworld.cf*, True -*.mobporn.org*, True -*.mobshare.ml*, True -*.mobsoftselector.com*, True -*.mobvpn.net*, True -*.mobwave.com.br*, True -*.mobxdev.tk*, True -*.moby.cf*, True -*.moby.mx*, True -*.mobytech.ch*, True -*.mocadra.com*, True -*.mocase.org.ar*, True -*.moccaberry.com*, True -*.moc.ch*, True -*.mocelet.net*, True -*.mochamedia.us*, True -*.mochamir.com*, True -*.mocis.cn*, True -*.mocofanul.ro*, True -*.mo.com.my*, True -*.mocs.com.br*, True -*.mocxatur.cf*, True -*.modaco.com.mx*, True -*.modadanovela.com*, True -*.modadenovela.com*, True -*.modadenovela.net*, True -*.modadenovela.tv*, True -*.modalbrindes.com.br*, True -*.moda.net.br*, True -*.modargentina.cl*, True -*.modav.ro*, True -*.modburypress.com.au*, True -*.modding.tw*, True -*.modebeat.com*, True -*.modeccomputer.ro*, True -*.modec.ro*, True -*.modeemi.net*, True -*.modelacademy.be*, True -*.mode-land.ch*, True -*.modelcisi.com*, True -*.modeldeviata.ro*, True -*.modeleskincare.com*, True -*.model-genx.com*, True -*.modelheliclub.org*, True -*.modelindonesia.biz*, True -*.modelinfo.be*, True -*.modelismforum.ro*, True -*.modellhelis.ch*, True -*.modelrailwayelectronics.co.uk*, True -*.modemmanager.org*, True -*.modeplaza.com*, True -*.modernart.cl*, True -*.moderncaveman.us*, True -*.moderncomputing.com.au*, True -*.modernenlargerlamps.com*, True -*.moderngitarsolo.com*, True -*.modernpotterystudio.com*, True -*.modernschoolvashi.org*, True -*.modernsmoking.ru*, True -*.modernvespa.tw*, True -*.modiclub.ch*, True -*.modifikasi.ninja*, True -*.modifyandmaintain.com.au*, True -*.modin.nu*, True -*.modintech.com*, True -*.modionline.com*, True -*.modionline.net*, True -*.modireaval.com*, True -*.modivan.com.br*, True -*.modkhunglol.com*, True -*.modl.cc*, True -*.modmaplol.com*, True -*.modo.fm*, True -*.modok.ca*, True -*.modonutticeccotti.it*, True -*.modoo.ga*, True -*.modotexto.com.br*, True -*.modrijani.com*, True -*.modrijani.net*, True -*.modrijani.si*, True -*.mods4me.com*, True -*.modsforme.com*, True -*.modskinlol.vn*, True -*.modskinvietnam.com*, True -*.modskinyasuo.com*, True -*.modsvc.com*, True -*.modthis.tk*, True -*.modtuonglol.com*, True -*.moduation.co.uk*, True -*.modulan.eu*, True -*.modula-r.cl*, True -*.modulor.bg*, True -*.modulo.si*, True -*.modyrevb.cf*, True -*.moe123.cc*, True -*.moed01.tk*, True -*.moed31.tk*, True -*.moedpublic.tk*, True -*.moefoster.com*, True -*.moefs.cf*, True -*.moeiz.ml*, True -*.moeller1.com*, True -*.moeller.pw*, True -*.moemaumann.com*, True -*.moeri-family.ch*, True -*.moeri.name*, True -*.moeri.org*, True -*.moe-shit.com*, True -*.moetemplate.net*, True -*.mofletesbaby.com.ar*, True -*.moga-contadores.com*, True -*.mogejie.com*, True -*.mogh.ch*, True -*.mogoreanu.com*, True -*.moguemedia.us*, True -*.mohag.org*, True -*.mohanpandey.com.np*, True -*.mohdyusuf.com*, True -*.mohearn.co.uk*, True -*.mohiking.com*, True -*.mohsen6558.com*, True -*.mohuatang.com*, True -*.moibroker.kz*, True -*.moicpl.com*, True -*.moidom.us*, True -*.moirano.com.ar*, True -*.moitinhxua.info*, True -*.moitinhxua.org*, True -*.mojachmura.eu*, True -*.mojang.cz*, True -*.moj-kuhar.si*, True -*.mojope.com*, True -*.mojo.pk*, True -*.mojoro.ch*, True -*.mojotengah.tk*, True -*.mojrem.com*, True -*.mojspace.net*, True -*.mokaccino.cl*, True -*.mokamelplus.ir*, True -*.mokino.co*, True -*.mokku.la*, True -*.mokoka.nom.za*, True -*.moko.ro*, True -*.mokresh.com*, True -*.mokria.biz*, True -*.mokrycki.com*, True -*.molan.us*, True -*.molar.ro*, True -*.moldeointeractive.com.ar*, True -*.moldesparachocolate.com*, True -*.moldesprop.com.ar*, True -*.moldingtools.in*, True -*.moldovacredit.ro*, True -*.moldtesting.info*, True -*.moldysoup.com*, True -*.molecularaudio.com*, True -*.molecularstudios.com*, True -*.molee.me*, True -*.molen.ga*, True -*.molenkaart.nl*, True -*.molenveld.info*, True -*.molenveld.org*, True -*.mo-li.com*, True -*.moliendaareco.com.ar*, True -*.molinaingenieros.cl*, True -*.molinerosuarez.com.ar*, True -*.molinoelmodelo.com*, True -*.molinosdoncarlos.com*, True -*.molinoyarur.cl*, True -*.molissani.com.br*, True -*.moliveiratecnologia.com.br*, True -*.molkomplekt.ru*, True -*.mollberg.de*, True -*.mollercorrea.cl*, True -*.moller-norge.com*, True -*.molle-steiner.ch*, True -*.molligrub.org*, True -*.molliross.com*, True -*.mollo.com.ar*, True -*.molloyfamily.net*, True -*.molly917.tk*, True -*.mollypaddy.com*, True -*.molnarjozsias.ro*, True -*.molodets.tk*, True -*.moloiplumbers.co.za*, True -*.molonglo.net.au*, True -*.molonosov.me*, True -*.molotov-thought.net*, True -*.molthanconstruction.com*, True -*.molurus.com*, True -*.molwenitrailrun.co.za*, True -*.momandme.sg*, True -*.momatc.com*, True -*.moma.tk*, True -*.momega.com.au*, True -*.momenkasihsun.com*, True -*.moment22.com*, True -*.momentaryglory.com*, True -*.momentglukogen.com*, True -*.momentos.com.ar*, True -*.momentosmexico.com*, True -*.momentphotobooth.com*, True -*.momiroska.com*, True -*.momiroski.com*, True -*.momo486.com*, True -*.momoca.info*, True -*.momolog.com*, True -*.momoracingseats.com*, True -*.momorussia.com*, True -*.mompe.com*, True -*.momsavedit.com*, True -*.moms-ritzcracker.com*, True -*.momsspaghetti.tk*, True -*.momus.org*, True -*.mon-100.com*, True -*.mon-300.com*, True -*.mon600.com*, True -*.monaco.com.ar*, True -*.monacode.in*, True -*.monadorf.com.br*, True -*.monalishadhimal.com.np*, True -*.monar.ch*, True -*.monarchome.com*, True -*.monarh.eu*, True -*.monasteredegeronde.ch*, True -*.monas.tw*, True -*.monata.info*, True -*.mon-bet.com*, True -*.moncasino-bern.ch*, True -*.moncasinobern.ch*, True -*.moncoco.com*, True -*.moncorp.biz*, True -*.mondabel.ca*, True -*.mondayrose.eu*, True -*.monde.ro*, True -*.mondobdsm.net*, True -*.mondobdsm.org*, True -*.mondostreet.com*, True -*.mondoverde.my*, True -*.monebox.com*, True -*.monedanegra.com.ar*, True -*.monedareal.com*, True -*.monedesibancnote.tk*, True -*.monel.my*, True -*.monene.us*, True -*.m-oneplumbing.com*, True -*.moneplumbing.com*, True -*.monespecialties.com*, True -*.monet-interiors.com.au*, True -*.money-bet.ru*, True -*.moneycoach.ro*, True -*.moneyed.tk*, True -*.moneyempire.net*, True -*.moneyfit.com.br*, True -*.moneymakergroup.ru*, True -*.money-maker.xyz*, True -*.moneyone.es*, True -*.moneyoneexpress.com*, True -*.moneysaver.com*, True -*.moneysaver.com.au*, True -*.moneysaverdeals.com.au*, True -*.money-shot.net*, True -*.monfakira.com*, True -*.monftec.com*, True -*.monfu.com*, True -*.monfu.net*, True -*.mongkhonvanit.tk*, True -*.mongoose.ee*, True -*.mongos.org*, True -*.mongo.to*, True -*.mongow.com*, True -*.mongrandcasino-bern.ch*, True -*.mongrandcasinobern.ch*, True -*.mongrandcasino.ch*, True -*.mongul.net*, True -*.monicagrohmann.co.uk*, True -*.monicagullin.se*, True -*.monicagullins.nu*, True -*.monicalisbonrentals.com*, True -*.monicamcnab.com*, True -*.moni-llc.com*, True -*.monin.eti.br*, True -*.monique-centeno.ch*, True -*.monitgpstrans.ro*, True -*.monitoramentodealarme.srv.br*, True -*.monitor-hlds.ru*, True -*.monitoring-bydgoszcz.pl*, True -*.monitorme.com*, True -*.monitorme.co.uk*, True -*.monitormyshop.com*, True -*.monitoryourinternet.com*, True -*.monkadbroker.ro*, True -*.monkcave.com*, True -*.monkeybananaraffle.net*, True -*.monkeyconveyancing.co.nz*, True -*.monkeyconveyancing.net*, True -*.monkeyconveyancing.net.au*, True -*.monkeyconveyancing.org*, True -*.monkeydiy.com*, True -*.monkeylabz.org*, True -*.monkeylaw.com.au*, True -*.monkeymasters.co.nz*, True -*.monkeymind.it*, True -*.monkeymovie.it*, True -*.monkeyoffback.com*, True -*.monkeyplugs.co.uk*, True -*.monkeyproperty.com.au*, True -*.monkeyslistening.com*, True -*.monkeyspannered.com*, True -*.monkeystore.cl*, True -*.monkeytect.cl*, True -*.monkeywerks.net*, True -*.monkeywills.com*, True -*.monkeywills.com.au*, True -*.monkforpresident.com*, True -*.monkloveswoof.com*, True -*.monksltd.com*, True -*.mon-lol.com*, True -*.mon-mlb.com*, True -*.monmouthshirehousing.co.uk*, True -*.mon-nba.com*, True -*.monnier-installations.ch*, True -*.monobasin.net*, True -*.monoclesandmerkins.com*, True -*.monoco.com.ar*, True -*.monogramcovers.com*, True -*.mon-one.com*, True -*.mononina.com*, True -*.monopatis.com*, True -*.monopolecorp.com*, True -*.monopolepower.com*, True -*.monosenlacocina.cl*, True -*.monoxy.de*, True -*.monoxyde.info*, True -*.monoxyde.org*, True -*.monpetitange.eu*, True -*.monpetitange.fr*, True -*.monpetitprince.com.ar*, True -*.monplanhaccp.ca*, True -*.monroy.tk*, True -*.monsalve.cl*, True -*.monssa.com.ar*, True -*.monsterbaduk.com*, True -*.monster-bot.cf*, True -*.monsterbunnie.eu*, True -*.monstereat.me*, True -*.monster-liga.tk*, True -*.monstermp3search.com*, True -*.monstermunch.co.za*, True -*.monsterturbo.com*, True -*.monstervids.ca*, True -*.monstropedia.ru*, True -*.montagesoftware.com.au*, True -*.montaguegardensbusinessforum.co.za*, True -*.montajesranqueles.com.ar*, True -*.montajrigips.ro*, True -*.montana-awwa.org*, True -*.montanacitylaw.com*, True -*.montanaelkantler.com*, True -*.montanajuniper.com*, True -*.montanamensclinic.com*, True -*.montanamensclinic.net*, True -*.montanamensclinic.org*, True -*.montanamountaincabins.com*, True -*.montanapetroleum.org*, True -*.montanaroconsultores.com*, True -*.montandon.ch*, True -*.montanhanegra.com*, True -*.montblanciran.ir*, True -*.montecarlotans.com.au*, True -*.montecarloyachts.com.br*, True -*.montecaseros.tk*, True -*.montegrappa.mx*, True -*.montenegroagric.co.za*, True -*.monteolimpo.net.br*, True -*.monteoscuro.com.ve*, True -*.montepioexpress.com.mx*, True -*.montesantoengenharia.com.br*, True -*.montesmdq.com.ar*, True -*.montessorikindergarten.info*, True -*.monte-valle.sg*, True -*.montexmontadora.com.br*, True -*.montez.ro*, True -*.montgolfiere.ca*, True -*.montgomery-family.co.uk*, True -*.monthofsundays.com.au*, True -*.montoyaehijos.com.ar*, True -*.montra.fi*, True -*.montrealimpressions.ca*, True -*.montrong.ml*, True -*.montrosefc.com.au*, True -*.montuschi.cl*, True -*.monty.com.br*, True -*.montyconsulting.net*, True -*.montyjames.com*, True -*.montyjames.info*, True -*.montyjames.net*, True -*.monumente-funerare.md*, True -*.mon-vvp.com*, True -*.mon-win.com*, True -*.moobel24.ee*, True -*.moobemoo.com*, True -*.moobmoo.com*, True -*.moocasa.co.uk*, True -*.moocchile.cl*, True -*.moocchile.com*, True -*.moochurch.com*, True -*.moochurch.org*, True -*.mooc.li*, True -*.moocow.my*, True -*.moodall.com*, True -*.moodle-tutorial.info*, True -*.moodzphotography.co.uk*, True -*.moodzphotoimaging.com*, True -*.moodzphotoimaging.co.uk*, True -*.moogled.info*, True -*.moohow.info*, True -*.moojuk.cl*, True -*.mookserve.com*, True -*.mooktronics.com*, True -*.mool.ca*, True -*.mooloolahnewsagency.com.au*, True -*.moomusic.net*, True -*.moona.net*, True -*.moonangel.com*, True -*.moonart.ch*, True -*.moonbox.my*, True -*.mooncakes.com*, True -*.moonchatuk.com*, True -*.moonchatuk.net*, True -*.mooneroid.com*, True -*.moonflowersc.com*, True -*.moonlanders.net*, True -*.moonleaves.com*, True -*.moonlite.in*, True -*.moonrosegems.com*, True -*.moonshine.io*, True -*.moonsnails.ch*, True -*.moonsoftuk.com*, True -*.moonstruckusa.com*, True -*.moonsurfing.co.uk*, True -*.moonworld.org*, True -*.mooo.com*, True -*.mooo.info*, True -*.mooo.ml*, True -*.mooom.ru*, True -*.moorcroft-associates.com*, True -*.moorcroft-associates.co.uk*, True -*.moorcroft-associates.org*, True -*.moorea.io*, True -*.mooreconstructioninc.com*, True -*.mooreequipment.com.au*, True -*.moorelocal.com*, True -*.moore.ro*, True -*.mooreserv.com*, True -*.moorespares.com.au*, True -*.moores-r.us*, True -*.moorhunt.pl*, True -*.moorock.net*, True -*.moorooduc.com*, True -*.moosehuntbc.com*, True -*.moosnelly.com*, True -*.moot.es*, True -*.moot.ws*, True -*.moovi-iptv.ru*, True -*.mopar.cf*, True -*.mopechop.com*, True -*.mope.tw*, True -*.mopu.fi*, True -*.moraboutit.com*, True -*.moradadasflores-sbc.com.br*, True -*.morad.eu*, True -*.moradoventures.net*, True -*.morad.pl*, True -*.moradsystemer.com*, True -*.moradsystems.com*, True -*.moraesesilveira.com.br*, True -*.morafmotors.com*, True -*.moralesbrothers.com*, True -*.morante.eu*, True -*.moran.ws*, True -*.morax.se*, True -*.morayfieldseniors.com.au*, True -*.morczyk.pl*, True -*.mordeabunda.com.br*, True -*.mordekyle.net*, True -*.mordero.com*, True -*.mordicus.cf*, True -*.mordwir.cf*, True -*.morebamedia.co.za*, True -*.moreequipment.com.au*, True -*.morehertz.com*, True -*.morehertz.com.au*, True -*.morelandengineeringinternational.net.au*, True -*.moreliker.tk*, True -*.more-look.com*, True -*.morelynavarro.cl*, True -*.moremobs.com*, True -*.morenatropycana.com.br*, True -*.moreneta.com.ar*, True -*.morenglish.cl*, True -*.moreno-alexandre.fr*, True -*.morenoasesores.es*, True -*.morenteomega.com*, True -*.moreschisementina.ch*, True -*.morethanhuman.com.ar*, True -*.morethanjustaphoto.com*, True -*.moretonbaycarpet.com.au*, True -*.morette.com.br*, True -*.morettigiuseppe.com*, True -*.morfeus.biz*, True -*.morgado.ch*, True -*.morganhowland.com*, True -*.morganisageek.org*, True -*.morganritchings.com*, True -*.morganritchings.com.au*, True -*.morganstewart.org*, True -*.morganvenable.com*, True -*.morg.ca*, True -*.morgenstern-win.net*, True -*.morger-fensterservice.ch*, True -*.morguena.es*, True -*.morguni.com*, True -*.mori-baum.com*, True -*.moriconi.nl*, True -*.moriconi.org*, True -*.morigiworkshop.com*, True -*.morinaplafonds.ch*, True -*.morkmardens.se*, True -*.morlockaerospace.com*, True -*.morned.nom.za*, True -*.mornese.pe*, True -*.morningafter-pill.com*, True -*.morningside-aa.us*, True -*.morningsidecafe.net*, True -*.morningstar-sg.com*, True -*.moro3.de*, True -*.moro9215.com.ar*, True -*.morofabio.com.br*, True -*.moronvoley.com.ar*, True -*.moro.so*, True -*.morov.ch*, True -*.morphasis.co.za*, True -*.morphitonline.com*, True -*.morris278.co.uk*, True -*.morrisis.com*, True -*.morrisonmaierle.biz*, True -*.morrisonmaierle.com*, True -*.morry.ru*, True -*.morsedigital.com*, True -*.morsemysteries.com*, True -*.morsumer-freaks.tk*, True -*.mort11.com*, True -*.mort11.org*, True -*.mortadelo.net*, True -*.morta.ws*, True -*.mortbauer.com*, True -*.mortenfriis.info*, True -*.mortenovergaard.com*, True -*.mortgagefirminc.com*, True -*.moruafloral.com*, True -*.moruafloral.com.mx*, True -*.morwood.com.ar*, True -*.moryachula.com*, True -*.mory.cl*, True -*.mos10.tw*, True -*.mos1.tw*, True -*.mos2.tw*, True -*.mos3.tw*, True -*.mos4.tw*, True -*.mos5.tw*, True -*.mos6.tw*, True -*.mos7.tw*, True -*.mos8.tw*, True -*.mos9.tw*, True -*.mosaicodevidrio.com.ar*, True -*.mosamma.ir*, True -*.mosaq.com*, True -*.mosayo.com*, True -*.moscommunity.hk*, True -*.moscow-aleppo.org*, True -*.moscow-man.ru*, True -*.moscowshambhala.ru*, True -*.moscu.ro*, True -*.moseleyshoals.org.uk*, True -*.moserag.ch*, True -*.moseraudio.com*, True -*.mosfinexpo.com*, True -*.mosgeodezia.ru*, True -*.mosgeodeziya.ru*, True -*.moshavareunion.com*, True -*.moshaversystem.com*, True -*.moshbot.com*, True -*.moshfegin.org*, True -*.moshimoshi.com*, True -*.mosibet.com*, True -*.mosige.com*, True -*.mosley301.com*, True -*.mosogepdoki.ro*, True -*.mosquito-armor.com*, True -*.mosquitocorp.com*, True -*.mosquitosnyc.com*, True -*.mossbikes.com*, True -*.mossbikes.co.uk*, True -*.mossfern.ro*, True -*.mossperform.com*, True -*.most3.ml*, True -*.mostchic.com*, True -*.mosteirocarmelita.com.br*, True -*.mostlygibberish.com*, True -*.mostlyharmless.com*, True -*.mostlywrong.com*, True -*.mostlywrong.info*, True -*.mostown.club*, True -*.mostown.hk*, True -*.mostreadable.com*, True -*.mostvaluable.com*, True -*.mostviolent.com*, True -*.mosucu.ro*, True -*.mosur.com.ar*, True -*.mosyafik.cf*, True -*.mosyouth.hk*, True -*.motagest.pt*, True -*.motasrant.com*, True -*.motd.cl*, True -*.motellechenois.ch*, True -*.moten.com.my*, True -*.moten.my*, True -*.motherbot.com*, True -*.motherhats.com*, True -*.motherhats.com.au*, True -*.mothermouse.net*, True -*.mothersofmultiples.hk*, True -*.motherstore.sg*, True -*.mothsorchid.com*, True -*.moticonci.com*, True -*.motimoto.net*, True -*.motioncars.ro*, True -*.motiongarage.com*, True -*.motionzone.sk*, True -*.moti.tv*, True -*.motivalo.com*, True -*.motivationalpublications.com*, True -*.motivationundintelligenz.ch*, True -*.motivity.pro*, True -*.motoaccess.info*, True -*.motobardahl.com*, True -*.motobardahl.ru*, True -*.motobaterie.sk*, True -*.motocicleteblog.ro*, True -*.motoclas.ro*, True -*.motoclubolimpia.it*, True -*.motocorp.com.mx*, True -*.motocross-shop.ch*, True -*.motodewo.com*, True -*.motodopovo.com.br*, True -*.motofun.com*, True -*.motogusli.ru*, True -*.motohardware.com*, True -*.motohunter.ch*, True -*.motojuicy.com*, True -*.motojuicy.us*, True -*.motokultivator.net*, True -*.moto-land.ch*, True -*.motomandini.com*, True -*.motomaxshipping.com*, True -*.motomel-central.com.ar*, True -*.motomel-intranet.com.ar*, True -*.motomel-online.com.ar*, True -*.motomotov.com*, True -*.motorbay.ca*, True -*.motorbdp.es*, True -*.motorcomponents.ro*, True -*.motorfiets.net*, True -*.motor-games.com*, True -*.motorgp.cf*, True -*.motorgrup.ro*, True -*.motorisedboard.com*, True -*.motorisedboards.com*, True -*.motorklassiek.nl*, True -*.motorlaki.ml*, True -*.motormuis.org*, True -*.motornation.org*, True -*.motoromania.ro*, True -*.motor-skateboard.com*, True -*.motor-skateboards.com*, True -*.motorsportads.co.za*, True -*.motorsportfinance.com.au*, True -*.motorsportonline.com.au*, True -*.motorstyle.vn*, True -*.motortrafo.com.br*, True -*.motorwisemechanical.com.au*, True -*.motoscapes.com*, True -*.motoservice.ro*, True -*.motosicilia.it*, True -*.motoslaesquina.com.ar*, True -*.mototol.ro*, True -*.mototrust.cl*, True -*.moto-tschan.ch*, True -*.motoventions.com*, True -*.motoventions.net*, True -*.motovme.com*, True -*.motovodka.com*, True -*.motoway.tw*, True -*.motowords.com*, True -*.motoxz.com*, True -*.motrails.com*, True -*.motrhead.com*, True -*.motswiriconsult.co.za*, True -*.mottih.com*, True -*.mottos.org.ar*, True -*.moudle.net*, True -*.mougharbel.com*, True -*.mouj.net*, True -*.mouly.com.ar*, True -*.mouly.im*, True -*.mouly.io*, True -*.moumtzian.com.ar*, True -*.mounam.tk*, True -*.mountainbike-guide.ch*, True -*.mountainco.com.ar*, True -*.mountaingroveseed.com*, True -*.mountain.ml*, True -*.mountains.tw*, True -*.mountain.tw*, True -*.mountainwestmxpark.com*, True -*.mountainwilliambbq.com*, True -*.mountcottonconstructions.com.au*, True -*.mounthoodlodge.com*, True -*.mounthoodlodge.info*, True -*.mounthoodlodges.com*, True -*.mountofoliveschurch.com*, True -*.mountyang.com*, True -*.moure.com.ar*, True -*.mouregazet.com.ar*, True -*.moury.pp.ru*, True -*.mouse-hole.com*, True -*.mouse-hole.net*, True -*.mousematt.net*, True -*.mouse.md*, True -*.mousepercussion.de*, True -*.mouseshole.com*, True -*.moutaiwine.com*, True -*.mouthtoass.com*, True -*.mova.ga*, True -*.movdivx.com*, True -*.move2nz.com*, True -*.movefitnessfortaleza.com.br*, True -*.moveisadriao.pt*, True -*.moveisdobarao.com.br*, True -*.moveispifer.com*, True -*.moveispifer.com.br*, True -*.moveispiffer.com*, True -*.moveitsalerno.com*, True -*.movelbus.com.br*, True -*.movemberphotos.com*, True -*.movementandmaps.com*, True -*.moveone.hk*, True -*.movescripter.net*, True -*.moveto.ml*, True -*.movetovoip.com*, True -*.movewithmicah.com*, True -*.moveyorindotechmandiri.com*, True -*.movieclub24.eu*, True -*.movie.co.id*, True -*.moviedee.com*, True -*.moviefix24.de*, True -*.moviekind.com*, True -*.moviemonger.net*, True -*.movienool.com*, True -*.moviequizanswers.org*, True -*.movies300mb.com*, True -*.moviesexpornovideostube.net*, True -*.movies-fr.com*, True -*.movieshd19.tk*, True -*.moviestar.es*, True -*.moviestop.info*, True -*.movietrailers.ro*, True -*.movimento.co*, True -*.movimientomeca.com.ar*, True -*.movingerp.com*, True -*.movingviolationz.com*, True -*.movister.ru*, True -*.mowbotics.com*, True -*.mowiro.com*, True -*.moxielink.com*, True -*.moxware.com*, True -*.moyarraweather.cf*, True -*.moyat.net*, True -*.moyers32.ca*, True -*.moy.im*, True -*.moypotolok.club*, True -*.mozammal.com*, True -*.moza.pl*, True -*.mozarella.se*, True -*.mozart.ro*, True -*.mozena.com.br*, True -*.mozharov.org.ru*, True -*.mozquitoz.se*, True -*.mp1st.net*, True -*.mp25.ch*, True -*.mp3arsega.biz*, True -*.mp3atomic.net*, True -*.mp3berti.ga*, True -*.mp3bg.tk*, True -*.mp3boxs.ga*, True -*.mp3-cool.ga*, True -*.mp3danvideo.tk*, True -*.mp3dase.com*, True -*.mp3do.net*, True -*.mp3dow.com*, True -*.mp3drown.tk*, True -*.mp3fa.com*, True -*.mp3gaul.ga*, True -*.mp3go.me*, True -*.mp3gratis.us*, True -*.mp3gratis.zone*, True -*.mp3hitz.org*, True -*.mp3-indo.com*, True -*.mp3jos.com*, True -*.mp3lampung.ga*, True -*.mp3real.ru*, True -*.mp3rock.club*, True -*.mp3search.ro*, True -*.mp3skullindia.com*, True -*.mp3spider.tk*, True -*.mp3top.club*, True -*.mp3track.me*, True -*.mp3-wakwaw.com*, True -*.mp3well.tk*, True -*.mpalquileres.com.ar*, True -*.mpas.co.za*, True -*.mpawa.co.za*, True -*.m-pay.id*, True -*.mpbp.my*, True -*.mpcare.net*, True -*.mpcbarossa.com.au*, True -*.mpc-computacion.com.ar*, True -*.mpchester.info*, True -*.mp-c.org*, True -*.mpeak.net*, True -*.mpeger.com*, True -*.mpeger.net*, True -*.mpegfour.net*, True -*.mperhar.com*, True -*.mpestudio.com.br*, True -*.mpfive.com*, True -*.mpgtalk.com*, True -*.mphdaisyaward.com*, True -*.m-phonez.cf*, True -*.m-phonez.ml*, True -*.m-phonez.pw*, True -*.mphosting.com.br*, True -*.mphoto.com.au*, True -*.mpickblog.com*, True -*.mpick.gq*, True -*.mpick.net*, True -*.mpinfoms.com.br*, True -*.mpkemaman.my*, True -*.mpkx.de*, True -*.mplb.pl*, True -*.mplol.com*, True -*.mpl.waw.pl*, True -*.mpmdasrv.com*, True -*.mpoufos.gr*, True -*.mpp34.com*, True -*.mpp79.com*, True -*.mpp.com.au*, True -*.mpr.com.ve*, True -*.mproi.eu*, True -*.mproi.net*, True -*.mproi.pl*, True -*.mptcristales.cl*, True -*.mptesting.ca*, True -*.mpt-hk.net*, True -*.mptimilsina.com.np*, True -*.mpto.ir*, True -*.m-publicity.ch*, True -*.mpxt.info*, True -*.mqci.org.au*, True -*.mqtoffer.cf*, True -*.mquest.cl*, True -*.mr24.co*, True -*.m-r3.ga*, True -*.mr-afe.net*, True -*.mrakesh.com.np*, True -*.mrak-iptv.com*, True -*.mrall.info*, True -*.mramat.com.ar*, True -*.mr-apapedulimu.com*, True -*.mrasool.info*, True -*.mrasupport.com*, True -*.mrasupport.eu*, True -*.mrasupport.pt*, True -*.mr-badai.net*, True -*.mrbagus.info*, True -*.mrbambang.com*, True -*.mr-barad.co.il*, True -*.mrberry2k.com*, True -*.mrblack.pp.ru*, True -*.mrbok.com*, True -*.mrboomerangs.com.ar*, True -*.mrbox.org*, True -*.mrcain.net*, True -*.mrcashman.net*, True -*.mrcat.ninja*, True -*.mrcomputer.com.au*, True -*.mrconsulting.ca*, True -*.mrcork.com*, True -*.mrcreeper.co.uk*, True -*.mrcrot.tk*, True -*.mrcules.com*, True -*.mrdev.com.ar*, True -*.mrd.space*, True -*.mreinhold.org*, True -*.mrel.com.au*, True -*.mretch.de*, True -*.mretep-us.tk*, True -*.mrfakeid.us*, True -*.mrfen.com*, True -*.mrffflocked.net*, True -*.mrgaysa.co.za*, True -*.mrgaysouthafrica.co.za*, True -*.mrgreen.mn*, True -*.mrgshrimp.com*, True -*.mrhc.net.au*, True -*.mriphonefixer.co.uk*, True -*.mr-irc.com*, True -*.mrjoomla.com*, True -*.mrken.ga*, True -*.mrkirby153.tk*, True -*.mr-koo.com*, True -*.mrk-podshipnik.ru*, True -*.mrkraw.com*, True -*.mrkrier.info*, True -*.mrkseguros.ga*, True -*.mrlbookkeeping.com*, True -*.mrlbucuresti.ro*, True -*.mrleecher.com*, True -*.mrleecher.ir*, True -*.mrlewburger.com*, True -*.mrlophe.com*, True -*.mrlover21.org*, True -*.mrmadski.se*, True -*.mrmarket.info*, True -*.mrmeow.org*, True -*.mrmsoftit.cl*, True -*.mrobbo.co.uk*, True -*.mroczki.eu*, True -*.mrofcia.one.pl*, True -*.mromero.ca*, True -*.mr-opt.ru*, True -*.mrossello.com*, True -*.mrothwell.me*, True -*.mrovcon.com*, True -*.mrpat.info*, True -*.mrpieper.com*, True -*.mrpoe.net*, True -*.mrporneke.com*, True -*.mrpret.com*, True -*.mrpret.info*, True -*.mrq-mesh.ga*, True -*.mrr48.net*, True -*.mr-rixa.fi*, True -*.mrrocketman.com*, True -*.mrs2015.net*, True -*.mrsaladbowl.com*, True -*.mrsandmrsforever.com*, True -*.mrsazi.info*, True -*.mrsbd.com*, True -*.mrshydraulic.cl*, True -*.mrsnipnip.com*, True -*.mrsrl.com.ar*, True -*.mrstanish.com*, True -*.mrstevenallen.co.uk*, True -*.mrsugar.com*, True -*.mrsurok.ru*, True -*.mrsystemsengineering.co.uk*, True -*.mrtclub.ro*, True -*.mrtester.ru*, True -*.mrtrcd.com*, True -*.mrtsb.com.my*, True -*.mrtux.org*, True -*.mruk.tk*, True -*.mrunix.com*, True -*.mrunix.net*, True -*.mrunix.org*, True -*.mruz.me*, True -*.mrvautin.com*, True -*.mrw.ch*, True -*.mrxian.net*, True -*.ms01.com.ar*, True -*.ms117.cf*, True -*.msafiriexpeditions.com*, True -*.msagw.com*, True -*.msaodai.com*, True -*.msbox.com.ar*, True -*.mscase.net*, True -*.msc-expert.ru*, True -*.mschmiedel.com*, True -*.mscode.com.ar*, True -*.mscrm.ca*, True -*.msdcomputing.net*, True -*.msdesigns.com.au*, True -*.msecure.co.za*, True -*.msensk.ru*, True -*.mserrano.tk*, True -*.m-setek.com*, True -*.msex.asia*, True -*.msf.asia*, True -*.msf.hk*, True -*.msf-seasia.org*, True -*.msf.sg*, True -*.msfstainless.com.au*, True -*.msf.tw*, True -*.msg-fd.com*, True -*.msg-hot.com*, True -*.msg-kakao.com*, True -*.msgrus.ru*, True -*.msgu.at*, True -*.mshotgirl.com*, True -*.mshouse.co.za*, True -*.mshy.cf*, True -*.msicmco.com*, True -*.msieuboof.ch*, True -*.msispt.com*, True -*.m-sistem.com*, True -*.msj.ro*, True -*.mskd.net*, True -*.mskv.org*, True -*.mslcomputers.com.au*, True -*.ms-me.ru*, True -*.msmg.com.ar*, True -*.msmit.info*, True -*.ms-neftechimproject.ru*, True -*.msopen.com.br*, True -*.msp2p.com*, True -*.mspcomputacion.cl*, True -*.mspct.ca*, True -*.mspo.com*, True -*.msro.net*, True -*.mssl-hk.com*, True -*.mssp.my*, True -*.msstacy.com*, True -*.msstorestylefashion.com*, True -*.ms-stutz.ch*, True -*.mstrauser.com*, True -*.mstrauserhomes.com*, True -*.mstubbs.co.uk*, True -*.m-stuff.ro*, True -*.msty.ml*, True -*.msuattention.net*, True -*.msuoffcampus.com*, True -*.msw.ro*, True -*.msw-technologies.de*, True -*.msx125.tw*, True -*.msxmail.com*, True -*.msylb.ch*, True -*.msyno.com*, True -*.msystems.co.za*, True -*.mszop.hu*, True -*.mt0.com.ar*, True -*.mt-2015.com*, True -*.mt2-tools.com*, True -*.mt4live.com*, True -*.mt686.com*, True -*.mtacec.org*, True -*.mtagc.org*, True -*.mtaggolf.com*, True -*.mtandmg.com*, True -*.mta-radio.tk*, True -*.mtbawbaw.com*, True -*.mtbiker.co.za*, True -*.mtbio.ch*, True -*.mtboffers.com.ar*, True -*.mtb.pl*, True -*.mtcalvaryonline.net*, True -*.mtcarmeltutoring.net*, True -*.mtcholding.ro*, True -*.mtconsurabaya.com*, True -*.mtcouros.com.br*, True -*.mtdecoration.com*, True -*.mtdevans.com*, True -*.mtdevans.co.uk*, True -*.mtdev.tk*, True -*.m-technologies.ch*, True -*.m-tech.us*, True -*.mtek.ro*, True -*.mtelco.com.au*, True -*.mtelco.net.au*, True -*.mtfamilysupport.org*, True -*.mtgn.net*, True -*.mt-golliard-pagesjaunes.ch*, True -*.mtheft.cc*, True -*.mthoodlodges.com*, True -*.mtik.tk*, True -*.mtinternusa.com*, True -*.mtjw.net*, True -*.mtkpit.ru*, True -*.mtlhc.com*, True -*.mtmensclinic.com*, True -*.mtmensclinic.net*, True -*.mtmensclinic.org*, True -*.mtmioa.com*, True -*.mtmn.com.ar*, True -*.mtncloud.co.za*, True -*.mtnepo.com*, True -*.mtobler-tcm.ch*, True -*.mtomsystems.net*, True -*.mtpeakbuilders.com*, True -*.mtplic.com*, True -*.mtresh.ch*, True -*.mtrgood.com*, True -*.mtrshop.com*, True -*.mtrstore.com*, True -*.mtrstore.org*, True -*.mtsang.info*, True -*.mtsfriends.ro*, True -*.mtsmobile.ro*, True -*.mtsoftware.com.ve*, True -*.mtssalafiyahsiman.sch.id*, True -*.mttjaya.com*, True -*.mttotaltransportation.com*, True -*.mtu-it.tk*, True -*.mturro.com*, True -*.mtvema.tk*, True -*.mt-view.org*, True -*.mtwcc.hk*, True -*.mu0x.org*, True -*.mu8000.com*, True -*.mu8.biz*, True -*.mu998.com*, True -*.mu9.ch*, True -*.mua1s.net*, True -*.muabandat24h.net*, True -*.muabanmaydosau.com*, True -*.muabanmaykinhvy.com*, True -*.muabanonline365.com*, True -*.muabantrinh.com*, True -*.muach.tk*, True -*.muagh.com*, True -*.mualimsan.web.id*, True -*.muammar.me*, True -*.muanchoncoffee.com*, True -*.muaotogiatot.com*, True -*.muaraproperty.com*, True -*.mu-asgard.com*, True -*.muatlans.com.br*, True -*.mubinsyed.com*, True -*.muborak.info*, True -*.mu-cangri.com*, True -*.muchanadziko.pl*, True -*.muchangge.com*, True -*.muchangzhi.com*, True -*.muchlisfaroqi.me*, True -*.mucho-gusto.ru*, True -*.mucka.org*, True -*.muckenduck.com*, True -*.mucklephotography.com*, True -*.muckrun.co.za*, True -*.mucodien.com*, True -*.mudahnyatoneexcel.my*, True -*.mudahosting.tk*, True -*.mudamai.com*, True -*.mudaronline.pt*, True -*.mudchute.com*, True -*.muddup.net*, True -*.muddypupracing.com*, True -*.muden.com*, True -*.mudkipz.info*, True -*.mudo-main.com*, True -*.mudonghoi.org*, True -*.mudsharkstudios.com*, True -*.mudsharkstudios.org*, True -*.mudz.org*, True -*.mueblesgava.com*, True -*.mueblesgava.com.mx*, True -*.mueblesgerards.com*, True -*.mueblesrodriguez.com.ar*, True -*.mueblestomas.cl*, True -*.mueblestotal.es*, True -*.muehlemann-motorsport.ch*, True -*.muehlemann-schaumstoffe.ch*, True -*.muehlematter-couture.ch*, True -*.muelleha.org*, True -*.mueller-maler-lausen.ch*, True -*.mueller-war-schon-weg.de*, True -*.muenchencorp.com*, True -*.muesperanza.com.ve*, True -*.muet.ch*, True -*.muetong-tsukuba.com*, True -*.muevery.com*, True -*.mufamily.cn*, True -*.muffin-lady.tk*, True -*.mufg.biz*, True -*.muflihun.tk*, True -*.muforever.net*, True -*.mugentek.tk*, True -*.muggles.org*, True -*.mugpromotion.com*, True -*.mugshotzuk.com*, True -*.mugsmc.tk*, True -*.muguro.com*, True -*.muhadi.com*, True -*.muhadi.or.id*, True -*.muhammad.ga*, True -*.muhammadiqbal.info*, True -*.muhammadislamiyah.com*, True -*.muhammad-naval.com*, True -*.muhdsyafiq.com*, True -*.muh-fikri.me*, True -*.muhfi.us*, True -*.muhojir.ru*, True -*.muhungthinh.com*, True -*.muica.ro*, True -*.muimui.biz*, True -*.muinterar.net*, True -*.muintonline.com*, True -*.mujeressanjuaninas.com.ar*, True -*.mujermigrante.mx*, True -*.mujhechodo.tk*, True -*.mujizatitunyata.com*, True -*.mukenadistro.com*, True -*.mukena-meidiani.com*, True -*.mukenavip.com*, True -*.mukeshc.com.np*, True -*.mukhlas-rowi.web.id*, True -*.mukhtana.com.ar*, True -*.mukhy.com*, True -*.mukke.in*, True -*.mukk.info*, True -*.mukminniaga.my*, True -*.muktojobs.com*, True -*.mulai.ml*, True -*.mulangane.net*, True -*.mulator.pl*, True -*.mulcahy.info*, True -*.muler.com.ar*, True -*.mulesnews.com*, True -*.mulgoapastoral.net*, True -*.mulher.net.br*, True -*.mulianugraha.com*, True -*.mullerelectricite.ch*, True -*.mulligan.ch*, True -*.mulroytechnology.com*, True -*.multa-de-velocidad.com.ar*, True -*.multiagrokultura.co.id*, True -*.multiajudas.pt*, True -*.multiarcos.com.mx*, True -*.multiarcos.mx*, True -*.multiaroma.com*, True -*.multicare-dc.net*, True -*.multicare-info.net*, True -*.multichemical.co.id*, True -*.multicons.net*, True -*.multicop.com.ar*, True -*.multicopsa.com.ar*, True -*.multicsrh.tk*, True -*.multifinance.co*, True -*.multi.hk*, True -*.multijayaselaras.net*, True -*.multikreasibersama.com*, True -*.multilan.com*, True -*.multimar.com*, True -*.multimar.com.ar*, True -*.multimediacomtodos.pt*, True -*.multimediamarketing.si*, True -*.multimedianet.ro*, True -*.multimin.cl*, True -*.multimodos.com.mx*, True -*.multimote.ru*, True -*.multiopticaslucena.com*, True -*.multipare.ch*, True -*.multiple-pumpdrives.com*, True -*.multipletagsearch.com*, True -*.multiplex.io*, True -*.multiseat.com.my*, True -*.multiservice.ru*, True -*.multishop.ml*, True -*.multisolar.com.ar*, True -*.multisvcs.net*, True -*.multi-system.ru*, True -*.multitudine.cl*, True -*.multiventajas.com*, True -*.multivers3d.fr*, True -*.multiverso.info*, True -*.multi-vpn.us*, True -*.multivpn.us*, True -*.multix.ml*, True -*.multyliker.com*, True -*.mulvak.com*, True -*.mulyawan.net*, True -*.mumblefuss.com*, True -*.mumbletalk.com*, True -*.mumble-test.tk*, True -*.mumbug.co.za*, True -*.mumby-hibberd.co.uk*, True -*.muminaat.in*, True -*.mummasmilkbar.com*, True -*.mummasmilkbar.net*, True -*.mummymade.it*, True -*.mumsraspi.co.uk*, True -*.muna.com*, True -*.muna.org*, True -*.munaruto.net*, True -*.mundivisas.com.br*, True -*.mundivisas.net*, True -*.mundoacrilico.com.ar*, True -*.mundoascensonline.com.ar*, True -*.mundo-atleta.com*, True -*.mundo-atleta.com.ar*, True -*.mundoatleta.com.ar*, True -*.mundochat.com.ar*, True -*.mundodecolor.com*, True -*.mundodesabores.com.ar*, True -*.mundoepp.com.ar*, True -*.mundoexperience.ro*, True -*.mundoinpact.cl*, True -*.mundolux.es*, True -*.mundo-maquinas.com.ar*, True -*.mundomk.com.ar*, True -*.mundomp3.com*, True -*.mundopaintball.com.ar*, True -*.mundoraro.com.br*, True -*.mundoreiki.com*, True -*.mundoriente.cl*, True -*.mundotechi.com*, True -*.mundotechie.com*, True -*.mundra.com*, True -*.mundruc-mera.ro*, True -*.mund-und-zahn-gesundheit.com*, True -*.munerot.net*, True -*.munganga.org*, True -*.mungohq.net*, True -*.munhanhoa.com*, True -*.munichbarrestaurant.com.ar*, True -*.municipalidadtimaukel.cl*, True -*.municipalidadvgg.gob.ar*, True -*.municipiodecaucete.com.ar*, True -*.muni.co.za*, True -*.muniecoslaplata.com.ar*, True -*.munilaja.tk*, True -*.munin.ch*, True -*.munity.tk*, True -*.munki.cl*, True -*.munkiepus.com*, True -*.munks.org*, True -*.munoa.com.ar*, True -*.munro.cl*, True -*.munsterdancegallery.com*, True -*.munze.com.ar*, True -*.munzlinger.net*, True -*.muoncomputing.ru*, True -*.muonline.co.id*, True -*.muoti.ro*, True -*.muozi.org*, True -*.mup.co.il*, True -*.mupirata.net*, True -*.muppetastic.org.uk*, True -*.mupqua.com*, True -*.muprofeta.net*, True -*.muprofeta.org*, True -*.mupvai.com*, True -*.mura.cz*, True -*.muradal.com*, True -*.murakaminelson.com*, True -*.murasame.cl*, True -*.muratov.us*, True -*.murattasci.com*, True -*.murchie.ca*, True -*.murderclothing.cl*, True -*.murelax.com*, True -*.murer-sa.ch*, True -*.mureseni.ro*, True -*.muresmuzeu.ro*, True -*.murevenge.net*, True -*.murf-home.com*, True -*.murfreesborohousesforrent.com*, True -*.murgul.ro*, True -*.muri-bodal.com*, True -*.muriel-gabathuler.ch*, True -*.murliwala.tk*, True -*.muromachi-industries.info*, True -*.muropolis.com.ar*, True -*.muros.cl*, True -*.muros.com.ar*, True -*.murpe.com*, True -*.murphyelectrical.com*, True -*.murphyelectrical.ie*, True -*.murphyfamily.com.au*, True -*.murphy.im*, True -*.murphysbarnyc.com*, True -*.murphysbarny.com*, True -*.murphyslobstergrill.com*, True -*.murrayrun.com*, True -*.murrburgers.com*, True -*.murrellsmodels.co.uk*, True -*.murrp.com*, True -*.mursec.eu*, True -*.murtadho.com.br*, True -*.murwillumbahcommunitycentre.org.au*, True -*.musallar.com*, True -*.musavirbilgisayar.com*, True -*.musbx.com*, True -*.musbx.info*, True -*.musclebuildingfacts.info*, True -*.muscledynamix.com*, True -*.musclepotion.com*, True -*.musdi.web.id*, True -*.musedcreamery.com*, True -*.musefuze.com*, True -*.museodereynosa.org*, True -*.museohistoricodigital.org*, True -*.museosobrenada.com.ar*, True -*.musepianostudio.com*, True -*.museueusebio.com*, True -*.museueusebio.net*, True -*.museueusebio.org*, True -*.museumaboutnothing.com*, True -*.museumaboutnothing.com.ar*, True -*.museumwerkz.org*, True -*.museupanteranegra.com*, True -*.museupanteranegra.net*, True -*.museupanteranegra.org*, True -*.mushkana.com.ar*, True -*.mushroomblock.com*, True -*.mushroomkelly.com*, True -*.musibanyuasin.net*, True -*.music2dot0.com*, True -*.music45.com*, True -*.music4free.co*, True -*.music4ukraine.ch*, True -*.musicacrescendo.net*, True -*.musicaelectronica.cl*, True -*.musica-funeral.cl*, True -*.musicafuneral.cl*, True -*.musica-funerales.cl*, True -*.musicafunerales.cl*, True -*.musicagalega.eu*, True -*.musical-events.ro*, True -*.music-all.info*, True -*.musicalmanager.com*, True -*.musica-matrimonio.cl*, True -*.musicantenna.com*, True -*.musicaolicos.com*, True -*.musicasonlline.com*, True -*.musicbangla.ga*, True -*.musicfm.ro*, True -*.musicku.info*, True -*.musiclearning.hk*, True -*.musiclife.xyz*, True -*.musiclinks.nl*, True -*.musiclism.com*, True -*.musicluver1999.com*, True -*.musicmaker.ru*, True -*.musicmarmi.com*, True -*.music-menges.si*, True -*.musicolrecording.com*, True -*.musicpharm.com*, True -*.musicreader.co.uk*, True -*.musicrecordsnyc.com*, True -*.musicshop.cl*, True -*.musicstreams.tv*, True -*.musicthatdoesnotsuck.com*, True -*.musictherapyinscotland.com*, True -*.musicunyhu.com*, True -*.musicvault.sg*, True -*.musiczarpromos.com*, True -*.musiczealous.com*, True -*.musikdanvideo.biz*, True -*.musikdownload.tk*, True -*.musikgaul.net*, True -*.musikgesellschaft.ch*, True -*.musikindie.com*, True -*.musikjernih.com*, True -*.musik-lengkap.com*, True -*.musikmewah.com*, True -*.musikprojekte.ch*, True -*.musikterkini.com*, True -*.musikump3.com*, True -*.musiku.net*, True -*.musiku.us*, True -*.musikverein-stanz.at*, True -*.musixasix.tk*, True -*.muska-engineering.com*, True -*.muskaengsarl.com*, True -*.muskan.cf*, True -*.muskopf.de*, True -*.muslimah.info*, True -*.muslimku.cf*, True -*.muslimku.ml*, True -*.muslimtalkradio.net*, True -*.musmanno.com.ar*, True -*.musmo.com*, True -*.muso.io*, True -*.musolino.id.au*, True -*.musrenbang-jatim.net*, True -*.musrenbang-nunukan.net*, True -*.mussurunga.com.br*, True -*.mustabasic.ch*, True -*.mustafavelioglu.com*, True -*.mustalista.info*, True -*.mustaqimm.tk*, True -*.mustarie.ro*, True -*.mustauthentic.com*, True -*.musteata.ro*, True -*.mustelacosmetic.ru*, True -*.mustelacosmetics.ru*, True -*.mustela-shop.com*, True -*.musterihizmetleri.com*, True -*.mustinet.org*, True -*.musttour.net.br*, True -*.must-try.me*, True -*.mut8ed.com*, True -*.mu-thai.com*, True -*.muthanhthan.com*, True -*.muthugala.com*, True -*.mutiano.com.ar*, True -*.mutiaracininta.com*, True -*.muti.ro*, True -*.muti.us*, True -*.mutluay.com*, True -*.mutocdo.com*, True -*.mutput7.tk*, True -*.mutrap.com.ar*, True -*.mutrungnguyen.org*, True -*.mutsuura.com*, True -*.mutter-male.de*, True -*.mutters.info*, True -*.muttley.org*, True -*.mutualasis.com*, True -*.mutualasis.com.ar*, True -*.mutualbuenosaires.com.ar*, True -*.mutualdesign.com.ar*, True -*.mutualdouglas.com.ar*, True -*.mutualgraph.com*, True -*.mutualsanroman.com.ar*, True -*.mutugabriel.ro*, True -*.muvarq.cl*, True -*.muvcomercial.com.ar*, True -*.muviza.biz*, True -*.muviza.co*, True -*.muvme.cl*, True -*.muvo.tk*, True -*.muwarofclans.com.ve*, True -*.muya.co.nz*, True -*.muybienne.com*, True -*.muyhelados.com.ar*, True -*.muyproductos.com.ar*, True -*.muzan.tk*, True -*.muzan.web.id*, True -*.muzcgb-ural.ru*, True -*.muzeiq.com*, True -*.muzicadinreclame.ro*, True -*.muzicastar.tk*, True -*.muzik.hu*, True -*.muzikita.com*, True -*.muzozvon.ru*, True -*.muzukashi.tk*, True -*.muzzu.com.ar*, True -*.muzzupappa.com.ar*, True -*.mv190.com*, True -*.mv1980.com*, True -*.mv2345.com*, True -*.mvagustaforum.it*, True -*.mvarela.com.ar*, True -*.mvc4p.com*, True -*.mvc4p.net*, True -*.mvconsult.cl*, True -*.mvdlogistics.com*, True -*.mvdlogistics.info*, True -*.mvideo.com.my*, True -*.mvideo.my*, True -*.mv-ingenieria.com.ar*, True -*.mvingenieria.com.ar*, True -*.mvld.net*, True -*.mvle.com.ar*, True -*.mvmed.com.au*, True -*.mvnetwork.cl*, True -*.mvogrig.com.ar*, True -*.mvp-ho.com*, True -*.mvpitsolutions.com*, True -*.mvsnap.net*, True -*.mv-vm.ro*, True -*.mvvm.ro*, True -*.mvyd.ws*, True -*.mvyrmnd.com*, True -*.mwacrylic.com*, True -*.mwak.tk*, True -*.mwautomotriz.com*, True -*.mwavepy.org*, True -*.mwbbq.com*, True -*.mwds.co.za*, True -*.mweise.ch*, True -*.mwheller.com*, True -*.mwheller.co.uk*, True -*.mwinter.net*, True -*.mwltda.cl*, True -*.mwmaster.com*, True -*.mwmaster.net*, True -*.mwmdc.com.au*, True -*.mw.nom.za*, True -*.mwono.cl*, True -*.mwop.net*, True -*.mwsoftware.com*, True -*.mwtaylor.net*, True -*.mwuach.tk*, True -*.mwy.pw*, True -*.mxblue.net.au*, True -*.mx-ddo.com*, True -*.mxdynamic.com.my*, True -*.mxhandroid.com*, True -*.mxipvideo.com*, True -*.mx-low.com*, True -*.mx-lvde.de*, True -*.mx-ma.com*, True -*.mx-mma.com*, True -*.mx-p2p.com*, True -*.mx-pa.com*, True -*.mxr46.com*, True -*.mxr73.com*, True -*.mxr85.com*, True -*.mxr93.com*, True -*.mxr.ch*, True -*.mx-scan.com*, True -*.mx-top.com*, True -*.mxwheel.ch*, True -*.my105.com*, True -*.my105.com.au*, True -*.my2001.net*, True -*.my2cents.tw*, True -*.my3030.ir*, True -*.myabba.org*, True -*.my-acc.info*, True -*.myacct.biz*, True -*.myadvertisingpaystoday.com*, True -*.myalbum.net*, True -*.myalias.net*, True -*.myalohavacation.com*, True -*.myamazingproxy.cf*, True -*.myanaesthetic.com*, True -*.myanaesthetic.com.au*, True -*.m-yandex.ru*, True -*.myanesthetic.com*, True -*.myanesthetic.com.au*, True -*.myangy.ru*, True -*.myanh.net*, True -*.myanw.com*, True -*.myapexsys.com*, True -*.myapl.org*, True -*.myaprs.my*, True -*.my-aqua.ru*, True -*.myartbox.com*, True -*.myarvita.com*, True -*.myasoc.com*, True -*.myaspire.net*, True -*.myaxl.com*, True -*.myayeesha.com*, True -*.mybabyboo.net*, True -*.mybaju.net*, True -*.myballsareonfire.com*, True -*.mybasagent.com.au*, True -*.mybasementfullofpins.com*, True -*.mybasementgames.com*, True -*.mybathtime.com*, True -*.my-ba.ws*, True -*.mybb.co.il*, True -*.mybbdev.com*, True -*.mybeb.ml*, True -*.mybeer.com.ar*, True -*.mybenfranklinpta.org*, True -*.mybensfarm.com*, True -*.mybestdemo.com*, True -*.mybigworld.net*, True -*.mybikelane.to*, True -*.mybim.org.my*, True -*.mybits-stl.com*, True -*.myblackmarket.org*, True -*.myblackpoolhotels.co.uk*, True -*.mybluenet.com*, True -*.myblueweb.com*, True -*.myboat.com.au*, True -*.mybodymassindex.org*, True -*.mybokep.ml*, True -*.mybolee.pk*, True -*.mybookmarks.ro*, True -*.mybox.pt*, True -*.mybraids.co.za*, True -*.mybrain15.com*, True -*.mybrainoncode.com*, True -*.mybrainonline.net*, True -*.mybrewbuddies.com*, True -*.mybrownenvelope.com*, True -*.mybusinesshelpdesk.com*, True -*.mybytes.my*, True -*.mybzu.ch*, True -*.myc33.cl*, True -*.mycanadanumber.com*, True -*.mycarsound.com.au*, True -*.mycashk.com*, True -*.mycasino-bern.ch*, True -*.mycasinobern.ch*, True -*.mycasino.nu*, True -*.mycciestudy.com*, True -*.myc.com.my*, True -*.mychild.ug*, True -*.mychiriqui.com*, True -*.mychiriqui.info*, True -*.mychiriqui.net*, True -*.mychiriqui.org*, True -*.mycityport.com*, True -*.myclan.ro*, True -*.mycld.ru*, True -*.myclients.eu*, True -*.mycloud.com.my*, True -*.myclouddr.com.my*, True -*.myclouddr.my*, True -*.mycloudhome.tk*, True -*.mycloudkitchen.ch*, True -*.myclould.co.uk*, True -*.mycnews.com.my*, True -*.mycni.hk*, True -*.myco2output.com*, True -*.myco2output.info*, True -*.myco2output.net*, True -*.myco2output.org*, True -*.mycoco.tw*, True -*.myco-du-jorat.ch*, True -*.mycolli.be*, True -*.mycolli.com*, True -*.mycolli.co.uk*, True -*.mycolli.es*, True -*.mycolli.pl*, True -*.mycolli.se*, True -*.mycolli.us*, True -*.mycomit.net*, True -*.mycommunityconnect.com*, True -*.mycomputer.com.np*, True -*.mycomputerstore.biz*, True -*.mycomputerstore.co.uk*, True -*.mycomputerstore.me.uk*, True -*.mycomputerstore.name*, True -*.mycomputerstore.net*, True -*.mycomputerstore.org*, True -*.mycomputerstore.org.uk*, True -*.mycomputerstore.tv*, True -*.mycomputerstore.us*, True -*.mycomputerstore.ws*, True -*.my-condos.com*, True -*.myconos-myconos.com*, True -*.mycontrols.com.mx*, True -*.mycookingbuddy.com*, True -*.mycorpsafa.biz*, True -*.mycreamerick.com*, True -*.mycreativesa.ga*, True -*.mycrites.com*, True -*.mycrossfire.net*, True -*.mycry.me*, True -*.mydailyhooper.com*, True -*.mydamncar.net*, True -*.mydataflat.com*, True -*.mydata.li*, True -*.mydatasupport.com*, True -*.mydays.ru*, True -*.mydayton.info*, True -*.mydeen.com*, True -*.mydev.co.za*, True -*.mydiaspora.tk*, True -*.mydip.net*, True -*.mydirtyhobby.to*, True -*.mydisk.in*, True -*.mydiskstation.com*, True -*.mydj.ro*, True -*.mydomohome.eu*, True -*.mydom.to*, True -*.mydonc.com*, True -*.mydot.ml*, True -*.mydoublerefreshment.com.my*, True -*.mydreamloghouse.com*, True -*.mydynip.ru*, True -*.myecoin.net*, True -*.myeconomy.com.ar*, True -*.myedojo.net*, True -*.myedojos.com*, True -*.myedojos.net*, True -*.myedu.ro*, True -*.my-eip.com*, True -*.myekasiwap.com*, True -*.my-email.ml*, True -*.myers-mail.com*, True -*.myers-usa.com*, True -*.myerti.ga*, True -*.myeventguests.com*, True -*.myeventlabels.com*, True -*.myexception.ir*, True -*.myexim.com*, True -*.myeyeball.net*, True -*.myezlife.com*, True -*.myfalun.info*, True -*.myfaq.net*, True -*.myfattyrice.com*, True -*.myfdistribuidora.com.ar*, True -*.myfeed.ro*, True -*.myfei.com*, True -*.my-file.cf*, True -*.myfilter.ir*, True -*.myfin.ga*, True -*.myflakybaker.com*, True -*.myflixfinder.com*, True -*.myflora.me*, True -*.myfmac.tk*, True -*.myfoodcost.com*, True -*.myfoody.com.au*, True -*.myforknknife.com*, True -*.myfpdoctor.com*, True -*.myfragola.com*, True -*.myfree-email.com*, True -*.myfreezemail.co.uk*, True -*.myfreighttrain.com*, True -*.myfrenchcottage.com*, True -*.myfrenchcottage.co.uk*, True -*.myfriendswithben.com*, True -*.myfunhonda.com*, True -*.mygadgets.com.ar*, True -*.mygamingpackage.com*, True -*.mygardenias.com*, True -*.mygdz1111111.tk*, True -*.mygdz2222222.tk*, True -*.mygdz3534.tk*, True -*.mygeeklab.com*, True -*.mygesin.co.za*, True -*.mygin99.com*, True -*.myglyndwr.com*, True -*.myglyndwr.co.uk*, True -*.mygmail.co.za*, True -*.mygocloud.com*, True -*.mygrandcasino-bern.ch*, True -*.mygrandcasinobern.ch*, True -*.mygrandcasino.ch*, True -*.mygrateit.com*, True -*.mygrateit.co.uk*, True -*.mygreengrocer.com.au*, True -*.mygreen-life.com*, True -*.mygreenplace.com.br*, True -*.mygrife.com.br*, True -*.mygsi.eu*, True -*.mygsi.gr*, True -*.myhabeetat.com*, True -*.myhaccpplan.ca*, True -*.myhaccpplan.net*, True -*.myham.net*, True -*.myhapkido.org*, True -*.myhasvpn.eu*, True -*.myhealer.co.za*, True -*.myhealthierhabits.com*, True -*.myhelpers.org*, True -*.myhelsinki.ru*, True -*.myhome247.net.au*, True -*.myhomeonthe.com*, True -*.myhomeserver.info*, True -*.myhomeserver.ml*, True -*.myhongkongnumber.com*, True -*.myhongkongnumber.hk*, True -*.myhopetree.com*, True -*.my-hosted-cloud.de*, True -*.myhostedexchange.co.za*, True -*.myhotdog.gr*, True -*.myhousemate.net*, True -*.myhouse.ro*, True -*.myhousesetup.com*, True -*.myhsc.net*, True -*.myhtpc.org*, True -*.myhyperbook.com*, True -*.myidealprotein.info*, True -*.myig.lu*, True -*.my-images.ml*, True -*.myimeiunlock.tk*, True -*.myink.us*, True -*.myinnermonster.net*, True -*.myinsure.my*, True -*.myinternetclass.com*, True -*.myinternetromance.com*, True -*.myipcams.com*, True -*.myircnet.info*, True -*.myiservice.tk*, True -*.myitcp.com*, True -*.myix.net*, True -*.myjamesonline.info*, True -*.myjamesonline.net*, True -*.myjobseye.com*, True -*.myjourneydeeper.com*, True -*.mykadshopping.my*, True -*.mykcell.com*, True -*.mykdb.net*, True -*.mykidog.com*, True -*.mykloud.com.au*, True -*.mykol.com*, True -*.mykonos-accommodation.gr*, True -*.mykonos-mykonos.com*, True -*.mylabkennels.com.au*, True -*.mylablabradors.com.au*, True -*.myleadssite.com*, True -*.myleadsweb.com*, True -*.myleivina.net*, True -*.mylene.me*, True -*.mylene.pp.ru*, True -*.mylesmadness.com*, True -*.mylessteinhauser.com*, True -*.mylessteinhauser.name*, True -*.mylibraryanywhere.com*, True -*.my-lifebook.com.au*, True -*.mylife.ro*, True -*.mylifesnaps.com.au*, True -*.mylifewouldsuck.tk*, True -*.myliker.pw*, True -*.mylilipad.com*, True -*.mylingoapp.com*, True -*.my-linux.in*, True -*.my-list-of-handmade.tk*, True -*.mylittlelan.com*, True -*.mylittleponies.ro*, True -*.myliugina.lt*, True -*.myllyniemi.org*, True -*.mylnk.tk*, True -*.mylobits.com*, True -*.mylocalno.com*, True -*.mylogisoft.com*, True -*.mylog.ml*, True -*.myltsplace.com*, True -*.myluckymap.com*, True -*.mymaildepot.com*, True -*.mymaldonado.com*, True -*.mymcapacita.cl*, True -*.mymcsvr.info*, True -*.mymeek.info*, True -*.my-memori.es*, True -*.mymenufavorites.com*, True -*.mymesra.biz*, True -*.mymetal.com.my*, True -*.mymet.ro*, True -*.mymiddlebury.com*, True -*.mymobiletrends.net*, True -*.mymonitonig.tk*, True -*.mymoosic.com*, True -*.mymototrbo.com*, True -*.mymountainhouse.com*, True -*.mymsr.eu*, True -*.mymywant.com*, True -*.mynameis.gq*, True -*.mynametestdomain.tk*, True -*.mynanascasa.com*, True -*.mynasdrive.co.uk*, True -*.mynecs.com*, True -*.mynerdrage.com*, True -*.mynetblog.tk*, True -*.mynetscaler.com*, True -*.my-net.tw*, True -*.mynewssplash.com*, True -*.mynewstack.com*, True -*.mynogg.net*, True -*.mynooner.com*, True -*.mynotes.mobi*, True -*.mynuclo.com*, True -*.myob.ml*, True -*.myodfh.org*, True -*.myofferpage.com.au*, True -*.myofficepilot.com*, True -*.myogaya.jp*, True -*.myoilsstore.com*, True -*.myoilsstore.net*, True -*.myoilstore.net*, True -*.myonlinecampaign.com*, True -*.myonlinedocuments.net*, True -*.myonlineit.com*, True -*.myorganogold.ro*, True -*.myorthoview.com*, True -*.myos.pt*, True -*.myotools.net*, True -*.myovocloud.com*, True -*.myown4sale.com*, True -*.my-own-cloud.tk*, True -*.myownforsale.com*, True -*.myownhost.es*, True -*.myownlittlecloud.tk*, True -*.myown.ml*, True -*.myownsecondpc.com*, True -*.myownsecondpc.net*, True -*.myownsecondpc.org*, True -*.myowntag.com*, True -*.myowntag.hk*, True -*.myozersk.ru*, True -*.mypainmanagementtracker.net*, True -*.myparts.co.il*, True -*.mypartyguests.com*, True -*.mypcbox.tk*, True -*.mypcport.com.au*, True -*.mypcport.net.au*, True -*.mypcrepair.info*, True -*.mypcsuite.com*, True -*.mypdnt.com*, True -*.myperfectmatch.club*, True -*.myperfectmatchclub.com*, True -*.myperfectrack.com*, True -*.mypetally.com*, True -*.mypham-vivi.com*, True -*.myphamxachtay.info*, True -*.myphppa.de*, True -*.mypics.ca*, True -*.mypi.in*, True -*.mypitbullpro.com*, True -*.mypivots.ru*, True -*.mypixelsuite.com*, True -*.mypjnr.org*, True -*.mypochta.su*, True -*.mypoken.com.au*, True -*.mypoker.nu*, True -*.my-portal.de*, True -*.myportalservice.co.za*, True -*.myportalservices.com*, True -*.myportalservices.co.za*, True -*.myportalservices.org*, True -*.myposeq.com*, True -*.myposeq.nl*, True -*.myposeq.ru*, True -*.myprac.com*, True -*.myprac.com.au*, True -*.mypricetool.com*, True -*.myprivatecloud.co.za*, True -*.myprivateselfie.com*, True -*.my-profil.co*, True -*.my-profil.us*, True -*.myprojectsonline.net*, True -*.my-pulsa.net*, True -*.my-pv.info*, True -*.myquickdownload.com*, True -*.myraden.us*, True -*.myraroberts1940s.com*, True -*.myrdahl.se*, True -*.myrddyn.co.uk*, True -*.myreefs.com*, True -*.myrheintal.net*, True -*.myriadeas.com.my*, True -*.myriade.org*, True -*.myrichie.net*, True -*.myrooty.de*, True -*.myroundabout.org*, True -*.myrpaine.com*, True -*.myrserviciodigital.com.ar*, True -*.myrsoftware.com*, True -*.myrstrand.se*, True -*.myr-telcom.com.ar*, True -*.myrvang85.net*, True -*.my-s2000.ch*, True -*.mysafetyproducts.com.au*, True -*.mysafetytraining.com.au*, True -*.mysanctuary.biz*, True -*.mysanctuary.mobi*, True -*.mysanctuary.org*, True -*.mysanctuary.us*, True -*.mysaol.com*, True -*.mysave.ch*, True -*.myschoigt.net*, True -*.myschool.ug*, True -*.mysearch.net.au*, True -*.mysecrettube.com*, True -*.myselfasiam.com*, True -*.mysembang.com*, True -*.myservak.ru*, True -*.myservices.ro*, True -*.mysexycorner.com*, True -*.mysfytfyretrybe.com*, True -*.myshaggydogvet.com*, True -*.myshare.ga*, True -*.myshite.com*, True -*.myshop.ir*, True -*.myshow.co.il*, True -*.myside.info*, True -*.mysil.space*, True -*.mysimchalabels.com*, True -*.mysitedemo.gq*, True -*.myski.co.il*, True -*.myskypocket.com*, True -*.myslewth.com*, True -*.mysmallbusinessinsurance.com*, True -*.mysmartpowergrid.com*, True -*.mysmartsimcha.com*, True -*.mysmsapi.info*, True -*.mysoc.cl*, True -*.mysoftwarebox.com*, True -*.myspacefurniture.com.au*, True -*.myspark.ai*, True -*.mysportsbox.com.mx*, True -*.myspring.tk*, True -*.mysqldb.ca*, True -*.myssh-network.com*, True -*.mystagedoor.co.uk*, True -*.mystakidis.com*, True -*.mystakidis.gr*, True -*.mystargate.tk*, True -*.mysteevn.cf*, True -*.mysteevn.gq*, True -*.mysteevn.me*, True -*.mysteevn.tk*, True -*.mysterioustrash.net*, True -*.mysteryentertainment.be*, True -*.mysterysandbox.com*, True -*.mysticalconspiracy.info*, True -*.mysticaloasismc.com*, True -*.mystic-blog.tk*, True -*.mysticmaria.com*, True -*.mysticreviewers.com*, True -*.mysto.ga*, True -*.mystorage.cc*, True -*.mystorytimeline.com*, True -*.mystreetdirectory.net*, True -*.my-studio.co.il*, True -*.mystwing.com*, True -*.mystyleit.com*, True -*.mysubdom.tk*, True -*.mysubserver.de*, True -*.mysuffy.com.my*, True -*.my-suka.ga*, True -*.mysuka.ga*, True -*.mysweetasian.tk*, True -*.myt0.info*, True -*.mytacocat.com*, True -*.mytakeaway.com.au*, True -*.mytedom.com*, True -*.mytelbook.info*, True -*.mytelbook.net*, True -*.mytelbook.ru*, True -*.mytest.ru*, True -*.myth-bathrooms.com*, True -*.mythengineering.com*, True -*.mytherapist.com.au*, True -*.mythicaldevelopment.co.uk*, True -*.mythiccraft.tk*, True -*.mythikal.org*, True -*.mythincloud.com*, True -*.mythnick.com*, True -*.mythology.tk*, True -*.mythpunks.com*, True -*.mythtera.com*, True -*.mythtvbox.com*, True -*.mythuraya.com*, True -*.mythz.org*, True -*.mytier.com*, True -*.mytivolive.net*, True -*.mytlsb.com*, True -*.my.to*, True -*.mytoken.ml*, True -*.mytomato.tk*, True -*.mytonegroup.com.my*, True -*.mytonegroup.my*, True -*.mytoneplus.com.my*, True -*.mytoneplus.my*, True -*.mytonersupplies.com*, True -*.mytownscape.co.uk*, True -*.mytreeftp.tk*, True -*.mytrickbook.com*, True -*.mytrickbook.net*, True -*.mytrifilliatepaydayreview.com*, True -*.mytrilobites.com*, True -*.mytriptogreece.com*, True -*.myts.biz*, True -*.mytube.com.my*, True -*.mytvscheduler.com*, True -*.myudm.tv*, True -*.myunifiedmessaging.com*, True -*.myuniquecloud.com*, True -*.myupd.cf*, True -*.myupd.tk*, True -*.myur.tk*, True -*.myutm.us*, True -*.myuttranchal.com*, True -*.myvalentine.hk*, True -*.myvar.io*, True -*.myvarservernetwork.tk*, True -*.myventeprivee.com*, True -*.myventesprivees.com*, True -*.myvideoscheduler.com*, True -*.my-video-server.com*, True -*.myvietnam.org*, True -*.myvoipgo.com*, True -*.myw0rm.com*, True -*.mywall.at*, True -*.mywall.ch*, True -*.mywapblog.cc*, True -*.mywapblog-com.cf*, True -*.mywapblog-com.ga*, True -*.mywapblog-com.tk*, True -*.my-wape.ru*, True -*.mywarsawwedding.com*, True -*.mywebandtech.com*, True -*.mywebapps.net*, True -*.mywebclearance.com*, True -*.mywebcv.tk*, True -*.mywebdb.info*, True -*.mywebs.ml*, True -*.mywebspace.co*, True -*.my-webs.su*, True -*.mywebs.tw*, True -*.mywebsystem.net*, True -*.my-wificloud.com*, True -*.mywombat.com*, True -*.myworld2015.or.id*, True -*.myworld.fi*, True -*.myworldlllll.com*, True -*.myw.ro*, True -*.mywww.name*, True -*.myxomopx.ml*, True -*.myxomopx.ru*, True -*.myxop.com*, True -*.myyoutuber.com*, True -*.myyugo.com*, True -*.mza.com.ar*, True -*.mza-game-server.com*, True -*.mzanetti.com.br*, True -*.mzansifiles.com*, True -*.mzansifun.com*, True -*.mzar.co.za*, True -*.mzinformatica.com.ar*, True -*.mzkid.com.br*, True -*.mzoppi.com.ar*, True -*.mzpto.com*, True -*.mzsarko.com*, True -*.mzstudio.it*, True -*.mzuhdan.cf*, True -*.mzw.ch*, True -*.n0de.us*, True -*.n0is3r.ga*, True -*.n0ne.info*, True -*.n0paste.tk*, True -*.n0p.at*, True -*.n0wak.eu*, True -*.n0xff.com*, True -*.n17.ro*, True -*.n1ff.org*, True -*.n1nja.ga*, True -*.n1nja.tk*, True -*.n2k2.ch*, True -*.n2lv.net*, True -*.n2zo2.net.ru*, True -*.n3bu1a.com*, True -*.n3dev.org*, True -*.n3o.us*, True -*.n3r.com.ar*, True -*.n3rf.com*, True -*.n3tblog.tk*, True -*.n3th.tk*, True -*.n43.pw*, True -*.n4i2.es*, True -*.n4rth4r.tk*, True -*.n5331r.com*, True -*.n5gmj.com*, True -*.n5gx.com*, True -*.n5xit.us*, True -*.n622cf.com*, True -*.n634jt.com*, True -*.n6tri.com*, True -*.n7f.pw*, True -*.n8photos.com*, True -*.n8rka.us*, True -*.n8wagner.com*, True -*.n9bk.org*, True -*.n9hu.com*, True -*.na2re.ru*, True -*.na9.pw*, True -*.naad.cl*, True -*.naador.com*, True -*.naaier.nl*, True -*.naamanmiles.com*, True -*.naamasin.co.il*, True -*.naambooltop.tk*, True -*.naam.ml*, True -*.naamnei.cf*, True -*.naamnei.tk*, True -*.naan.net*, True -*.naanq.com*, True -*.nabarajg.com.np*, True -*.nabaza.info*, True -*.nabbu.co*, True -*.naberinc.net*, True -*.nabilabeautyshop.com*, True -*.nabinsharma.com.np*, True -*.nabozny.pl*, True -*.nabrankings.com*, True -*.nabuc.co*, True -*.nacaratto.com.ar*, True -*.nacgroup.com.au*, True -*.nachamiltonyouth.com*, True -*.nachasb.com*, True -*.nachasb.ir*, True -*.nachmore.com*, True -*.nachopedia.org*, True -*.nachosoft.com.mx*, True -*.nacija.lt*, True -*.nacimientohernan.com.ar*, True -*.nacisoloparaverte.com*, True -*.nackfamily.com*, True -*.nackshabandi.com*, True -*.naclidzi.lv*, True -*.nacofthai.com*, True -*.nacsllc.biz*, True -*.nacsllc.co*, True -*.nacsllc.info*, True -*.nacsllc.me*, True -*.nacsllc.mobi*, True -*.nacsllc.net*, True -*.nactws.com*, True -*.nad77.com*, True -*.nad88.com*, True -*.nadameu.com.br*, True -*.nada-rec.ch*, True -*.nadeko.moe*, True -*.nadertufail.com*, True -*.nadesico.asia*, True -*.nadezhdenko.ru*, True -*.nadiacolella.com.ar*, True -*.nadiacooks.co.uk*, True -*.nadig.li*, True -*.nadineundsandro.ch*, True -*.nadiyasul.com*, True -*.nadjabrun.ch*, True -*.nadjahaefeli.ch*, True -*.nadm.us*, True -*.nadolice.org*, True -*.nadolu.ro*, True -*.naepfer.ch*, True -*.naescola.info*, True -*.naesquadrias.com.br*, True -*.naezt.com*, True -*.nafc.co.za*, True -*.naffspace.com*, True -*.nafria.eu*, True -*.naftaservice.ru*, True -*.nagaihikari.net*, True -*.nagamasbisniscentre.com*, True -*.naganuma.info*, True -*.nageltech.net*, True -*.nagelweb.info*, True -*.nagmatic.com*, True -*.nagra.ro*, True -*.nagukajak.fi*, True -*.nagy.ca*, True -*.nagy.mx*, True -*.nagyokos.ro*, True -*.nahdinana.cc*, True -*.nahdinana.us*, True -*.naher.com.mx*, True -*.nahira.net*, True -*.nahsaideli.com.ve*, True -*.naidinescu.ro*, True -*.naijachatz.ml*, True -*.naijafinder.tk*, True -*.naiksepeda.com*, True -*.nailcosmetic.ru*, True -*.nailfoil.com.br*, True -*.nailsaver.com*, True -*.nailz.org*, True -*.nainggolan.biz*, True -*.naiot.cl*, True -*.nair.cl*, True -*.nairsadi.com.ar*, True -*.nair.tv*, True -*.naissurvey.com*, True -*.naizari.com*, True -*.najad.tk*, True -*.najafiprint.com*, True -*.najaga5.com*, True -*.najcenejse.si*, True -*.najeb.com*, True -*.najma.cf*, True -*.nakadaki.com*, True -*.nakavkaze.info*, True -*.nakavkaze.org*, True -*.naked-wings.com*, True -*.naken.guru*, True -*.naklik.com*, True -*.nakup-podjetja.si*, True -*.nakusan.com*, True -*.nalbantoglu.web.tr*, True -*.nalek.com*, True -*.nalin.com.np*, True -*.nallarason.com*, True -*.nalleysnards.org*, True -*.nalogo.us*, True -*.nalpathamkalam.com*, True -*.nalyk.ch*, True -*.nalyk.com*, True -*.namafarin.ir*, True -*.namazu.ro*, True -*.namduong.tk*, True -*.name4sale.co.za*, True -*.nameandimage.com*, True -*.namebot.ru*, True -*.namecoin.net*, True -*.namegenerator.ga*, True -*.namengottes.ch*, True -*.namenjesu.org*, True -*.nameofworld.eu*, True -*.nameourbabyfor.us*, True -*.namesofallflowers.net*, True -*.namierzanie.com*, True -*.namja78.com*, True -*.namja88.com*, True -*.namkaengice.com*, True -*.nam.nu*, True -*.namojamo.org*, True -*.nampol.net*, True -*.namrac.info*, True -*.namrac.org*, True -*.namsal.com.tr*, True -*.namulo.com*, True -*.namulo.net*, True -*.namulo.org*, True -*.namusic.org*, True -*.nanagonzalez.com.ar*, True -*.nanakauta.com.ar*, True -*.nanalia.com*, True -*.nananguyen.net*, True -*.nanang.web.id*, True -*.nanashaxor.com*, True -*.nanatic.com*, True -*.nanbean.net*, True -*.nanbellscianjur.web.id*, True -*.nancycook.com*, True -*.nandamovies.tk*, True -*.nande41.com*, True -*.nandg.tk*, True -*.nandisaevents.co.za*, True -*.nandotorres.com*, True -*.nandotorres.com.br*, True -*.nanen.org*, True -*.nangcuc.net*, True -*.nangkadua.com*, True -*.nanibon.com*, True -*.nani.se*, True -*.nannycreaciones.com.ar*, True -*.nannywanted.eu*, True -*.nanobiotec.cl*, True -*.nanobit.net*, True -*.nanobit.org*, True -*.nano-byte.org*, True -*.nanochip.pt*, True -*.nanoconceptos.com*, True -*.nanoconceptos.com.ar*, True -*.nanocontrol.com.ar*, True -*.nanodispersing.com*, True -*.nanogmail.com*, True -*.nanohits.com*, True -*.nanojanet.org*, True -*.nano-logic.ch*, True -*.nano-logic-gmbh.ch*, True -*.nanologic-gmbh.ch*, True -*.nanologicgmbh.ch*, True -*.nano-man.co.uk*, True -*.nanomonkey.ca*, True -*.nanomos.com*, True -*.nanomsg.org*, True -*.nanoparticle.com*, True -*.nano-pharmacy.com*, True -*.nanosoft.net.nz*, True -*.nanotec.cl*, True -*.nanouchile.cl*, True -*.nansuk.co.kr*, True -*.nan-sun.com*, True -*.nansun.uk*, True -*.nanu-nanu.com.ar*, True -*.na-nuvem.com*, True -*.naohan.com*, True -*.naomilazarus.com*, True -*.naoscuyuz.biz*, True -*.naosouobrigado.com.br*, True -*.nap48.cf*, True -*.napa.ai*, True -*.napa.ml*, True -*.napdesigns.com*, True -*.nape6207.ca*, True -*.napido.hu*, True -*.napiido.hu*, True -*.napijo.hu*, True -*.naplesaudiologist.com*, True -*.naples-gynecology.com*, True -*.naplespropertymanagement.com*, True -*.naplesreceiver.com*, True -*.naples-seo.com*, True -*.naplesvox.me*, True -*.napocaroots.ro*, True -*.napochivka.eu*, True -*.napolinews.it*, True -*.nappi-nathalie.ch*, True -*.naprawiamy.to*, True -*.naps.tk*, True -*.napwarnet.com*, True -*.naqshestan.com*, True -*.naqxa.com*, True -*.narasmom.com*, True -*.narayangiri.com.np*, True -*.nard.ca*, True -*.naredisladico.si*, True -*.nareshrohra.com*, True -*.narik.biz*, True -*.narisafari.com*, True -*.narisou.com*, True -*.narkop.biz*, True -*.narniaunlimited.com*, True -*.narnott.nom.za*, True -*.narod.pw*, True -*.narodshare.net.ru*, True -*.narodsredstva.ru*, True -*.naroof.com*, True -*.naroomaonline.com*, True -*.naroomawebhosting.com*, True -*.narovlya.ru*, True -*.narrapat.tk*, True -*.narrow.co.za*, True -*.nartea.ro*, True -*.narthar.it*, True -*.nartharsite.ga*, True -*.narubian.com*, True -*.naruszewicz.org*, True -*.naru.to*, True -*.naruto.cl*, True -*.narutosub.com*, True -*.naruto-zero.com*, True -*.naruvid.com*, True -*.naruvid.net*, True -*.narvina.ru*, True -*.nasareakcia.sk*, True -*.nasasi.com.ar*, True -*.nascimentoeassociados.com.br*, True -*.nascimento.net.br*, True -*.nascimentoturismo.com*, True -*.nasdom.pl*, True -*.nasehatin.com*, True -*.nasemo.com*, True -*.nasertech.com*, True -*.nasfamca212.com*, True -*.nashnash.us*, True -*.nas-ho.me*, True -*.n-ashop.com*, True -*.nashuayabatho.co.za*, True -*.nashvillerollergirls.com*, True -*.nasikuningibunur.com*, True -*.nas.im*, True -*.nasioluyo.com*, True -*.nasnimala.ru*, True -*.nasrul.web.id*, True -*.nasserly06.info*, True -*.nasspace.com*, True -*.nassrasieren.ch*, True -*.nasstyblog.com*, True -*.nastandart.com*, True -*.nastandart.ru*, True -*.nastrovje.ch*, True -*.nastur.com.br*, True -*.nastyname.com*, True -*.nasvit.ru*, True -*.nasyaana.info*, True -*.naszapolska.ml*, True -*.naszautyzm.pl*, True -*.natacho.com.ar*, True -*.natacionninos.com*, True -*.natagram.com*, True -*.natala-evo.com*, True -*.natal.com.ar*, True -*.nataleimpex.ro*, True -*.nataliadelossantos.com.ar*, True -*.nataliagrakova.ru*, True -*.nataliamora.cl*, True -*.nataliariopedre.com.ar*, True -*.natalie.id.au*, True -*.natalisport.com*, True -*.nataliyura.gq*, True -*.natallia.org*, True -*.nataly.ro*, True -*.natanael.pw*, True -*.nataschastern.com.ar*, True -*.natas.com.au*, True -*.natashabolos.com.br*, True -*.natashafrantz.com*, True -*.natashapanzera.ch*, True -*.natasha-skin.com*, True -*.natasyacollections.com*, True -*.natch20.com*, True -*.nat.com.mx*, True -*.natdroid.com*, True -*.natdroid.com.ve*, True -*.natecoagro.com.ar*, True -*.natehero.com*, True -*.nateserv.tk*, True -*.natesserver.cf*, True -*.natfon.com*, True -*.nathalielemarchand.ch*, True -*.nathanael.us*, True -*.nathanandanne.com*, True -*.nathanazzi.com*, True -*.nathanazzi.com.au*, True -*.nathanbowyer.com*, True -*.nathancheek.com*, True -*.nathancuendet.ch*, True -*.nathancuendet.com*, True -*.nathanhorne.org*, True -*.nathanlabrum.com*, True -*.nathanmullings.co.uk*, True -*.nathanplato.com*, True -*.nathanpodlich.com*, True -*.nathan.to*, True -*.nathantubb.com*, True -*.nathat.net*, True -*.nathon.org*, True -*.nationaladerock.ro*, True -*.nationalbazaar.com*, True -*.nationalendit.com*, True -*.nationaleventphotography.com*, True -*.national-garage.ch*, True -*.nationallistings.co.za*, True -*.nationalphysiquecommittee.es*, True -*.nationalufocon.com*, True -*.nationofthieves.com*, True -*.nations-conflict.tk*, True -*.nationstategame.com*, True -*.nationwidehomeloans.com.au*, True -*.nationwidemortgage.com.au*, True -*.natisa.eu*, True -*.natisa.it*, True -*.nativeamericantech.org*, True -*.native-client.com*, True -*.nativecrossbows.com*, True -*.nativehk.com*, True -*.nativesavannah.com*, True -*.nativia.ro*, True -*.nativ.pl*, True -*.natkina-ge.ch*, True -*.natoindustrial.cl*, True -*.natpro.tk*, True -*.n-atropicalarowana.com*, True -*.nat.so*, True -*.nattervillehost.info*, True -*.nattsudd.nu*, True -*.natuflor.com.ar*, True -*.natura360.ro*, True -*.natur-active.com*, True -*.naturalconsultoria.com.br*, True -*.naturalexperience.ro*, True -*.naturalfrequencies.it*, True -*.naturalgroup.com.br*, True -*.naturalhair.co.za*, True -*.naturalhealthmontana.com*, True -*.naturalhealthsolutions.nl*, True -*.naturalherbs2u.com*, True -*.naturalia.com.mx*, True -*.naturalliving.hk*, True -*.naturalmelt.com*, True -*.naturalnutritionadvisor.com*, True -*.naturalpower.cl*, True -*.naturalrush.com*, True -*.naturalstoneprotection.ca*, True -*.naturalwater.tk*, True -*.naturalwave.co.uk*, True -*.natura-shop.ru*, True -*.naturefriend.com*, True -*.naturefun.hk*, True -*.naturehandbook.net*, True -*.nature-hk.hk*, True -*.natureperu.com*, True -*.naturesechoes.com*, True -*.naturewellnessindia.com*, True -*.naturhouse.pt*, True -*.naturkarten.ch*, True -*.naturkosmetik-sylvia.ch*, True -*.naturo-perrier.ch*, True -*.naturstein.info*, True -*.naud.info*, True -*.naughtybaptistbrewery.com*, True -*.naughtybaptist.com*, True -*.naughtyhoneys.com*, True -*.naughtyplantfood.com*, True -*.nauplius.net*, True -*.nauseasnd.com*, True -*.nautilulz.tk*, True -*.nautilux.com.ar*, True -*.nau.us*, True -*.navachetana.in*, True -*.nava.com.np*, True -*.navalbattleapp.com*, True -*.navarajdhungana.com.np*, True -*.navarrainfo.tk*, True -*.navarredonda.es*, True -*.navarroaxel.com.ar*, True -*.navarrohogar.com.ar*, True -*.navarroinmo.com.ar*, True -*.navarrojavier.com.ar*, True -*.navarrolucas.com.ar*, True -*.nav.co.id*, True -*.navefamily.com*, True -*.navegadorzac.com*, True -*.naviaabogados.cl*, True -*.navigaro.se*, True -*.navigasyonmarketi.com*, True -*.navigateproperty.com.au*, True -*.navigation.ga*, True -*.navigation.gq*, True -*.navigation.hk*, True -*.navigation.im*, True -*.navigation.lv*, True -*.navigation.ml*, True -*.navigation.name*, True -*.navigation.pw*, True -*.navigation.so*, True -*.navigation.tw*, True -*.navigogroup.cl*, True -*.naviori.com*, True -*.navnirwana.com*, True -*.navodari-kavarna.ro*, True -*.navolato.com.mx*, True -*.navotrabanda.com*, True -*.navscape.tk*, True -*.navtrade.ru*, True -*.na-vy.com*, True -*.navyk.web.id*, True -*.nawiscool.com*, True -*.nawi.web.id*, True -*.na-world.net*, True -*.nawpakuna.com.ar*, True -*.naxelam.com*, True -*.naxidiete.com*, True -*.naya.com.mx*, True -*.nayaritplus.com*, True -*.nayasadak.com*, True -*.nayr.org*, True -*.nazara.org*, True -*.nazareconstruct.be*, True -*.nazari.org*, True -*.nazarov.ml*, True -*.nazbol.info*, True -*.nazdravanul.ro*, True -*.nazdravanu.ro*, True -*.nazi.net*, True -*.nazri.cf*, True -*.nazriel.tk*, True -*.nba-77.com*, True -*.nba-79.com*, True -*.nba.hk*, True -*.nbbowls.com.au*, True -*.nbc73.com*, True -*.nbc92.com*, True -*.nbc94.com*, True -*.nbcrecruitment.com*, True -*.nbellsp.gr*, True -*.nberger.com.ar*, True -*.nb.hk*, True -*.nbhv.ch*, True -*.nbittmann.tk*, True -*.nbltex.com*, True -*.nb-nice.com*, True -*.nbp-info.com*, True -*.nb-sos.com*, True -*.nb-wow.com*, True -*.nbyd.co.il*, True -*.nc30.com*, True -*.nc5p.com*, True -*.ncbroadleaf.com*, True -*.ncc-cucciari-arzachena.it*, True -*.ncclaonline.com*, True -*.nccscracing.com*, True -*.nccyberdcoderx.ml*, True -*.ncd-canada.ca*, True -*.ncd-canada.com*, True -*.ncdcanada.com*, True -*.ncdc.pt*, True -*.ncg.co.za*, True -*.ncgroup.tk*, True -*.nchealthcare.ga*, True -*.nchess.eu*, True -*.nchez.mx*, True -*.nchoice.eu*, True -*.ncitcollege.ml*, True -*.ncklug.org*, True -*.nclcloud.net*, True -*.ncli-design.com*, True -*.ncodamusic.com*, True -*.ncodamusic.org*, True -*.ncomaneci.ro*, True -*.nco-payu.ru*, True -*.ncprepswimming.com*, True -*.ncpz.ru*, True -*.ncshelterrescue.org*, True -*.ncslearningcenter.com*, True -*.ncteczone.com*, True -*.nctexasbirds.com*, True -*.nctlv.org*, True -*.nctt.us*, True -*.nctuiem.org*, True -*.ncuendet.ch*, True -*.ncuendet.com*, True -*.ncyber4rt.me*, True -*.ndacres.info*, True -*.nda.dj*, True -*.ndakita.tk*, True -*.ndandanov.tk*, True -*.n-day.tk*, True -*.ndccn.org*, True -*.ndcg.com*, True -*.nd-computer-services.co.uk*, True -*.ndermerwe.co.uk*, True -*.nderson.me*, True -*.ndhemo.com*, True -*.ndiscountstore.com*, True -*.ndliker.us*, True -*.ndnucleo.com.br*, True -*.ndnucleodiagnostico.com.br*, True -*.ndoffcampus.com*, True -*.ndoffcampushousing.com*, True -*.ndopart.com*, True -*.ndo.pl*, True -*.ndownloadlagu.com*, True -*.ndownloadmp3.com*, True -*.ndra.biz*, True -*.ndrigs.com*, True -*.ndrj.ml*, True -*.ndroadreport.info*, True -*.ndsignshop.com*, True -*.ndtchile.cl*, True -*.ndungndung.com*, True -*.ndv-law.co.il*, True -*.ndyanderson.com*, True -*.ne222.com*, True -*.ne333.com*, True -*.ne6.net*, True -*.neadistribuidor.com.ar*, True -*.nealmonroe.com*, True -*.nealnoble.net*, True -*.nealrauhauserwatch.com*, True -*.nealrauhauserwatch.org*, True -*.nealtacular.com*, True -*.neama.net*, True -*.nearlynomads.com*, True -*.nearys.co.uk*, True -*.neatandclean.ch*, True -*.neatbits.com*, True -*.neattogo.com*, True -*.nebain.com*, True -*.nebar.com.ar*, True -*.nebel.lv*, True -*.nebilim.net*, True -*.neblig.ch*, True -*.nebolo.com*, True -*.ne-books.co.uk*, True -*.nebrhd.com*, True -*.necada.org*, True -*.neckertal-spezialitaeten.ch*, True -*.neckertal-tourismus.ch*, True -*.necksbackssports.com.au*, True -*.necocheatotal.com.ar*, True -*.necosa-rdc.com*, True -*.necrarch.nl*, True -*.necroptica.com*, True -*.necrotechandbytch.com*, True -*.nectarte.com*, True -*.nedia.hk*, True -*.nedip.pt*, True -*.nedkov.us*, True -*.ned-news.com*, True -*.ned-news.org*, True -*.nedtennis.org*, True -*.nedtobin.com*, True -*.nedvighimost-sochi.ru*, True -*.needjob.cf*, True -*.needjob.tk*, True -*.needkey.com*, True -*.needsspeed.com*, True -*.needstory.com*, True -*.neek.gr*, True -*.neekhil.com.np*, True -*.neelalaya.com*, True -*.neemiasconstrucoes.com.br*, True -*.nefcanto.com*, True -*.neffets.com*, True -*.nefrf.org*, True -*.negarhak.com*, True -*.negariran.com*, True -*.negative-energy.com*, True -*.negativenumber.com*, True -*.negerboll.com*, True -*.negeriau.net*, True -*.negevcon.co.il*, True -*.neggs.co.uk*, True -*.negingps.ir*, True -*.neginjooyepak.ir*, True -*.negligible.space*, True -*.negociaronline.com*, True -*.negociateur.ch*, True -*.negoturismo.com.ar*, True -*.negoziocepparo.it*, True -*.negreasorin.ro*, True -*.negro-itano.tk*, True -*.neguevts.tk*, True -*.neguinhodescartaveis.com.br*, True -*.nehc.tk*, True -*.neighborhoodcloud.com*, True -*.neighbornear.me*, True -*.neighbourhoodscience.com*, True -*.neighbourhoodscience.net*, True -*.neighvadanights.com*, True -*.neilbhattacharya.com*, True -*.neillsnotions.com*, True -*.neimann.co.za*, True -*.nejc.cc*, True -*.nejlevnejsikabelky.com*, True -*.neki-s.ch*, True -*.nekka.co.uk*, True -*.nekoguchi.com*, True -*.nekokurokami.net*, True -*.nekomata.se*, True -*.nekroze.com*, True -*.nektarios.gr*, True -*.nekuriene.lv*, True -*.nelayanku.com*, True -*.neliop.com*, True -*.nellore.biz*, True -*.nellynoir.com*, True -*.nelman.cl*, True -*.nelsnelson.org*, True -*.nelsonexperience.net*, True -*.nelsonfam.info*, True -*.nelsonlove.com*, True -*.nelsonlowe.com*, True -*.nelsonshack.com*, True -*.neltume.com.ar*, True -*.nelvyra.lt*, True -*.nelyfrig.ro*, True -*.nemari.ml*, True -*.nemaz.it*, True -*.nemchinovka-park.com*, True -*.nemesa.mx*, True -*.nemesis.co.il*, True -*.nemex.com.au*, True -*.nemiko.com.ar*, True -*.nemlig.net*, True -*.nemonline.ro*, True -*.nemonster.com*, True -*.nemoralis.ch*, True -*.nemovox.com*, True -*.nemzetiminimum.eu*, True -*.nemzetiminimum.ro*, True -*.nenad.com.au*, True -*.nenadic.com*, True -*.nena.li*, True -*.nendoc.com*, True -*.nendoroid.my*, True -*.nenem.jp*, True -*.neng.cf*, True -*.nengx.info*, True -*.nentrainingstudios.com*, True -*.neoar.ro*, True -*.neobelle.mx*, True -*.neobiotech.cl*, True -*.neocogent.tk*, True -*.neodorks.com*, True -*.neodorks.net*, True -*.neodorks.org*, True -*.neoesperanza.com.ar*, True -*.neofor.net*, True -*.neogate.com.br*, True -*.neogene.ru*, True -*.neo-indo.com*, True -*.neoindustrial.com*, True -*.neojam.net*, True -*.neolagu.com*, True -*.neolandis.net*, True -*.neology.gr*, True -*.neoneptune.com*, True -*.neonet.cc*, True -*.neonguru.net*, True -*.neonissign.com.ar*, True -*.neon.org*, True -*.neonpolis.com*, True -*.neonpsychology.com*, True -*.neonsoup.com*, True -*.neophyle.org*, True -*.neopompoarismo.com.br*, True -*.neopractice.tk*, True -*.neosound.tk*, True -*.neoteknikprima.com*, True -*.neotf.de*, True -*.neotimberwolf.com*, True -*.neo-tix.com*, True -*.neourbe.com.pe*, True -*.neourbe-ingenieriaurbana.com.pe*, True -*.neowind.ru*, True -*.neoxom.eu*, True -*.neozeus.com*, True -*.nepalgazette.com*, True -*.nepalishows.com*, True -*.nepalitrick.ga*, True -*.nepalitrick.ml*, True -*.nepali.xyz*, True -*.nepo90.tk*, True -*.neppart.ro*, True -*.neprivateequity.com*, True -*.neprostoshina.ru*, True -*.nepr.si*, True -*.nepsis.com*, True -*.neptunolimpresort.ro*, True -*.ner7.com*, True -*.neraka.in*, True -*.neramarine.com*, True -*.nerblog.net*, True -*.nerd4life.com*, True -*.nerdandfood.com*, True -*.nerd.at*, True -*.nerdforums.net*, True -*.nerd.ga*, True -*.nerdhaus.de*, True -*.nerdhelp.com.br*, True -*.nerd-herd.org*, True -*.nerdlife.info*, True -*.nerdnub.com*, True -*.nerdology.org*, True -*.nerdosauria.cl*, True -*.nerd-patrol.ca*, True -*.nerdrage.biz*, True -*.nerdsen.net*, True -*.nerdskills.co.za*, True -*.nerdsstudios.com*, True -*.nerdstuff.com*, True -*.nerdybynature.ch*, True -*.neroanelli.ml*, True -*.neroanelli.tk*, True -*.nerosdomain.com*, True -*.neruda.ir*, True -*.nervedump.com*, True -*.nervionasesores.com*, True -*.nervnetworks.com*, True -*.nesehecat.com*, True -*.nesfeder.net*, True -*.neshitje.com*, True -*.neskoncno.eu*, True -*.neslite.ga*, True -*.nespiodin.ru*, True -*.nespk.com.ar*, True -*.nespta.com*, True -*.nessex.net*, True -*.nestemate.ro*, True -*.nestorddiaz.tk*, True -*.net10.ro*, True -*.net28.ro*, True -*.net2apps.com*, True -*.net2apps.net*, True -*.net2invoice.com*, True -*.net-2-sms.com*, True -*.net2survey.com*, True -*.net2survey.net*, True -*.net2surveys.com*, True -*.net2surveys.net*, True -*.net4me.ch*, True -*.net4ria.com*, True -*.net4u1.com*, True -*.net95.org*, True -*.netadmin.ga*, True -*.netadog.com*, True -*.netahoes.com.br*, True -*.netaim.co.il*, True -*.netallsoft.cl*, True -*.netalmight.com.ar*, True -*.netamici.net*, True -*.netarchivejob.com*, True -*.netast.com*, True -*.netathome.ch*, True -*.netatnet-sp.com*, True -*.netauditsrl.com.ar*, True -*.netazim.com*, True -*.netbeer.ch*, True -*.netbit.su*, True -*.netbouncer.ch*, True -*.net-buddy.com*, True -*.netbudur.com*, True -*.netburst.org*, True -*.netcaetera.ro*, True -*.net-call.com*, True -*.netcareinformationtechnology.com*, True -*.netcareit.net*, True -*.netcareit.org*, True -*.netcat.ro*, True -*.netcerta.com.br*, True -*.netchrome.de*, True -*.netclass.ir*, True -*.netcluster.my*, True -*.netcommand.co.uk*, True -*.netcompimphal.ml*, True -*.netcomputer.ro*, True -*.net-comservices.com*, True -*.netcore.ir*, True -*.net.co.za*, True -*.netcs.com.au*, True -*.netdefense.ca*, True -*.netdesign.es*, True -*.neteffect.us*, True -*.netekspress.com*, True -*.netelevison.ro*, True -*.neter.ga*, True -*.netfactory.com.mx*, True -*.netfactory.mx*, True -*.netfind.ch*, True -*.netfm.com.my*, True -*.netfusion.hk*, True -*.netgamer.cl*, True -*.netgate.co.za*, True -*.netgecko.co.za*, True -*.netgraphy.com*, True -*.netgti.com.ar*, True -*.nethenge.ro*, True -*.nethub.fi*, True -*.nethunters.mx*, True -*.netinsoluciones.com.ar*, True -*.netipanovs.lv*, True -*.netipas.com.au*, True -*.netip.tk*, True -*.net-isle.com*, True -*.netlex.ch*, True -*.netllaralicante.com*, True -*.netlord.de*, True -*.netmagnet.ro*, True -*.netmarket.gr*, True -*.netmask.ca*, True -*.netmetric.ch*, True -*.netmetric.eu*, True -*.netmite.com*, True -*.netmite.net*, True -*.netmonks.net*, True -*.n-e-t.name*, True -*.netofnets.ru*, True -*.netol.pl*, True -*.netoptio.com*, True -*.netor365.de*, True -*.neto.tk*, True -*.netpdf.co.uk*, True -*.netpet.ro*, True -*.netraj.net*, True -*.netranger.us*, True -*.ne-tratam.ro*, True -*.netrefmediaztraf.com*, True -*.netrefmediaztraf.net*, True -*.netroworx.com.au*, True -*.netrunner.mx*, True -*.netsearch.hu*, True -*.netsec.cl*, True -*.netsec-la.com*, True -*.netsec.pro*, True -*.netsecspec.co.uk*, True -*.netser.ro*, True -*.netsex.ro*, True -*.netsh.cl*, True -*.netshies.com.br*, True -*.netshopshop.com*, True -*.netskys.cn*, True -*.netsmart.net.au*, True -*.netsoftinc.biz*, True -*.net-sol.info*, True -*.netsoluciones.com.ar*, True -*.netspl0it.tk*, True -*.netstopper.org*, True -*.netstorming.com.ar*, True -*.net-style.com*, True -*.netsuye.net*, True -*.netsystems.cx*, True -*.nettalklive.com*, True -*.nett.com.ar*, True -*.nettekks.com*, True -*.nettelicom.cl*, True -*.nettrade.com.br*, True -*.netvi.com.ar*, True -*.netvio.com*, True -*.netvip3r.tk*, True -*.netvis.pl*, True -*.netvs.tk*, True -*.netwalls.cl*, True -*.netwatch.cl*, True -*.netwerk.cl*, True -*.netwerk.ro*, True -*.network6.net.au*, True -*.networkadminsh.it*, True -*.networkbreak.net*, True -*.networkcentral.co.za*, True -*.network-consulting.ro*, True -*.networkdesignteam.com*, True -*.networkdigital.net*, True -*.networked.com.br*, True -*.networkfailure.org*, True -*.networkforge.com.au*, True -*.networkguru.com*, True -*.networkindia.com*, True -*.networkinginnovationsllc.com*, True -*.networkinthai.net*, True -*.networkmarketingyes.com*, True -*.networkofdoom.ca*, True -*.networkofdream.tk*, True -*.networkoutpost.com*, True -*.networkparanoia.com*, True -*.networkprint.com.ar*, True -*.networkpro.tk*, True -*.networkrevolution.it*, True -*.networkspecialists.net.au*, True -*.network-tools.eu*, True -*.network-xxiii.net*, True -*.netxess.com*, True -*.netxtend.com*, True -*.netyoyo.com*, True -*.netzagentur.at*, True -*.netzost.ch*, True -*.netzy.ir*, True -*.neugiergarten.de*, True -*.neuhofer.com*, True -*.neujen.com*, True -*.neumaticosmarqueta.es*, True -*.neumeier.us*, True -*.neuminet.tk*, True -*.neu.my*, True -*.neuquenbuceo.com.ar*, True -*.neur0sis.com*, True -*.neuralinvest.ro*, True -*.neurali.ro*, True -*.neuro-designs.net*, True -*.neurogenesis-psy.ca*, True -*.neurogine.com*, True -*.neurologistoncall.com*, True -*.neuromanagement.cl*, True -*.neuromancer.es*, True -*.neuro.org.ar*, True -*.neuropenta.cl*, True -*.neurosafety.cl*, True -*.neuroscience.ro*, True -*.neurosoftware.ro*, True -*.neurosurgery-online.ru*, True -*.neurotranspl.ru*, True -*.neutral41.ch*, True -*.neutrino.com.br*, True -*.neutrinophysics.com*, True -*.neutronfreight.com.au*, True -*.neutroni.fi*, True -*.neuvo4u.com*, True -*.nevaehmanagement.com.au*, True -*.nevalain.ru*, True -*.neva-merch.ru*, True -*.nevanevesta.ru*, True -*.nevapipe.com*, True -*.nevapipe.ru*, True -*.nevapipe.tk*, True -*.nevarone.com*, True -*.nevar.tk*, True -*.nevawireless.com*, True -*.nevelcrb.ru*, True -*.never2far.pl*, True -*.never2far.tk*, True -*.never2much.info*, True -*.neverdawn.tk*, True -*.never-enough-time.com*, True -*.neverforgetadate.com*, True -*.neverlandsiberians.com*, True -*.nevermore.com.br*, True -*.neveron.ru*, True -*.never.pro*, True -*.neversiphonbymouth.com*, True -*.nevillealumni.org*, True -*.nevillest.com*, True -*.nevils.eu*, True -*.nev.in*, True -*.nevin.ch*, True -*.nevolution.ca*, True -*.nevolution.ch*, True -*.nevres.net*, True -*.nevrofizioterapija.si*, True -*.nevskayaratusha.ru*, True -*.new1.co.za*, True -*.newaeonservices.com*, True -*.newalternativemusic.org*, True -*.newarchi.tw*, True -*.neware.com.au*, True -*.newart.ga*, True -*.newartonline.ro*, True -*.newaskar.net*, True -*.newbie-artz.cf*, True -*.newbie.es*, True -*.newbieliker.tv*, True -*.newbiesukses.com*, True -*.newbieworks.org*, True -*.newbijou.ro*, True -*.newbn.ro*, True -*.newb.org.uk*, True -*.newbot.gq*, True -*.newbro.org*, True -*.newburyweather.org.uk*, True -*.newca.org*, True -*.newceg.ro*, True -*.new-china.ch*, True -*.newcombeenterprises.com*, True -*.new-crop.com*, True -*.newdatabridge.in*, True -*.newdawnnm.info*, True -*.newdawnnm.org*, True -*.newdayjapan.com*, True -*.newdecisions.com*, True -*.newdescendants.org.za*, True -*.newdestinyfellowship.org*, True -*.newdimensionartworks.com*, True -*.newdimensionresources.com*, True -*.newdns.eu*, True -*.newdress.net*, True -*.neweconomics.net.nz*, True -*.newefi.com*, True -*.newefizone.com*, True -*.newency.org*, True -*.newenergysources.eu*, True -*.newenglandsalts.com*, True -*.neweradjs.net*, True -*.newerasolutions.tk*, True -*.neweuropelaw.com*, True -*.neweuropelawgroup.com*, True -*.neweuropelg.com*, True -*.neweuropeprivateequity.com*, True -*.newfaster.com*, True -*.newfh.org*, True -*.newfinity.com*, True -*.newflit.com*, True -*.newfm.in*, True -*.newforce-pa.com.br*, True -*.newfrivgames.net*, True -*.newfuturohouse.com*, True -*.newgab.com*, True -*.newgensubs.com.au*, True -*.newgenswim.com*, True -*.newharvesthydro.com*, True -*.n-e-where.info*, True -*.newhlth.org*, True -*.newhopecoaching.com*, True -*.newhopefree.org*, True -*.newhopes.info*, True -*.newhorizonkidsquest.com*, True -*.newirc.org*, True -*.newkin.tk*, True -*.newkitchencupboards.com*, True -*.newkitchencupboards.co.za*, True -*.newlibro.com*, True -*.new-lifedesigns.com*, True -*.newlifemm2h.com*, True -*.newline.fi*, True -*.newlineimage.ro*, True -*.newmarketauroragreens.ca*, True -*.newmediastudies.ru*, True -*.newmooninvestments.com*, True -*.newmoonpropertiestx.com*, True -*.new.my*, True -*.newnetworks.dk*, True -*.newopen.org*, True -*.newoperation.ch*, True -*.newopportunitymedia.com*, True -*.neworion.com.ar*, True -*.newpaydayloans24hr.ninja*, True -*.newpekingduck.co.uk*, True -*.newphoneinfo.com*, True -*.newportsoftware.com.ar*, True -*.newportvotes.com*, True -*.newportvotes.org*, True -*.newpowergroup.com*, True -*.newpreakz.cf*, True -*.newpreakz.ml*, True -*.newprojecting.com*, True -*.newprojecting.pl*, True -*.newpromotion.com.ar*, True -*.newpro.pl*, True -*.newrealestateagent.com*, True -*.newroadtech.com*, True -*.newrosoft.com*, True -*.newroutee.com*, True -*.newrushchallenge.com*, True -*.news24.ga*, True -*.newsbiker.net*, True -*.newsbikernet.com*, True -*.news-blog.ro*, True -*.newscon.com.br*, True -*.newsdunia24.com*, True -*.news-ef.com*, True -*.newserverdomen.su*, True -*.newservice39.ru*, True -*.newservice.ru*, True -*.newseverblogger.com*, True -*.newsia.com.my*, True -*.newsia.my*, True -*.newsight.pt*, True -*.news-jk.com*, True -*.newsjs.me*, True -*.newslink.pk*, True -*.newslux.lu*, True -*.newsofmaricopa.com*, True -*.newsomefamilyreunion.org*, True -*.newsources.eu*, True -*.newspectrumelectric.com*, True -*.newspider.net*, True -*.newspod.ru*, True -*.news-pv.com*, True -*.news.ro*, True -*.news-sf.com*, True -*.newstartdesigns.com*, True -*.newstartdesigns.co.uk*, True -*.news-tecnology.com*, True -*.news-tg.com*, True -*.newstopic.net*, True -*.newstweek.com*, True -*.news-ufc.com*, True -*.newsupport.us*, True -*.newteashop.com*, True -*.newtechmc.com*, True -*.new-tek.info*, True -*.newtonarchitects.com*, True -*.newtonian.ca*, True -*.newtorrents.info*, True -*.newtownrepublicans.org*, True -*.newtoyoutexas.com*, True -*.newtoz.com*, True -*.newvilta.com*, True -*.newvisionsess.com*, True -*.newvisiontransport.net*, True -*.newworldwellness.com*, True -*.newyorkaptrent.com*, True -*.newyorkphp.com*, True -*.newyorkphp.net*, True -*.newyorkrecitals.com*, True -*.newzl.com*, True -*.newzler.com*, True -*.nex4tz.net*, True -*.nexesgrp.com*, True -*.nexes-universal.com*, True -*.nexesuniversal.com*, True -*.nexgen-logistics.com*, True -*.nexidc.com*, True -*.nex-it.com.ar*, True -*.nexobile.net*, True -*.nexom.com.au*, True -*.nexon.cl*, True -*.nexosalud.com*, True -*.nexrotec.com*, True -*.nextardallas.com*, True -*.nextbt.ro*, True -*.nextclick.ro*, True -*.nextcomm.com.ar*, True -*.nextdimension4.us*, True -*.nextdynasty.com.my*, True -*.nextech-brands.com*, True -*.nextechbrands.com*, True -*.nextenergetics.ca*, True -*.nexter.ro*, True -*.nextface.me*, True -*.nextgeninstincts.co.uk*, True -*.nextlevelcode.com*, True -*.nextnetworks.com.ar*, True -*.nextperks.com*, True -*.nextpure.com*, True -*.nextrealestate.com.au*, True -*.nextshift.ch*, True -*.nextsl.com.tr*, True -*.nextstore.vn*, True -*.nexttel.tk*, True -*.next-way.ro*, True -*.nexum.se*, True -*.nexuscom.com.ar*, True -*.nexuscomputer.com.np*, True -*.nexus-computing.com*, True -*.nexus-gaming.tk*, True -*.nexusk.net*, True -*.nexus-mc.tk*, True -*.nexus-models.cl*, True -*.nexus-network.co.uk*, True -*.nexuspartners.cl*, True -*.nexustablet.es*, True -*.nexustech.com.au*, True -*.nexusyouthsummit.com*, True -*.nexuuzkingzmc.eu*, True -*.nexvantage.com*, True -*.nexvantage.net*, True -*.nexxen.com.ar*, True -*.neydio.com*, True -*.neyestan.co*, True -*.neyshoes.com.br*, True -*.nezabudkatomsk.ru*, True -*.neznamapoda.sk*, True -*.nezzy.co.uk*, True -*.nfay.ru*, True -*.nfbox.com*, True -*.nfc-dinformaticos.com.ar*, True -*.nfermat.com.br*, True -*.nflix.co*, True -*.nflix.info*, True -*.nflix.pw*, True -*.nflplayersnetwork.com*, True -*.nfsconsulting.ro*, True -*.nfsi.ru*, True -*.nfulton.org*, True -*.ng6.pw*, True -*.ngabuburit.web.id*, True -*.ngampus.net*, True -*.nganhangkichban.com*, True -*.nganho.com*, True -*.ngawenhost.com*, True -*.ngdu.net*, True -*.ngeblog.web.id*, True -*.ngebokep.net*, True -*.ngedol.com*, True -*.ngeee.net*, True -*.ngefanslagu.com*, True -*.ngelayap.com*, True -*.ngelitik.org*, True -*.ngenarquitectos.cl*, True -*.ngen.com.ar*, True -*.ngenes.tk*, True -*.ngenghee.my*, True -*.ngentot.ga*, True -*.ngeprintyuk.co*, True -*.ngetrip.info*, True -*.ngga-boleh.ml*, True -*.nghethuatsangtao.com*, True -*.nghiahanh.cf*, True -*.nghichti.com*, True -*.ngh.me*, True -*.ngm.id.au*, True -*.ngnetworks.com.br*, True -*.ngobrol.net*, True -*.ngochaivmi.tk*, True -*.ngocok.li*, True -*.ngoducthao.com*, True -*.ngom.co.kr*, True -*.ngontaycai.com*, True -*.ngothanglong.com*, True -*.ngox.info*, True -*.ngr.bz*, True -*.ngubertwitter.tk*, True -*.ngumbarcrita.com*, True -*.ngunduhmp3.com*, True -*.nguoitq.com*, True -*.nguoiviettudo.ca*, True -*.nguyenbaohoang.net*, True -*.nguyeneternal.com*, True -*.nguyenhoaan.com*, True -*.nguyenhoabinh.biz*, True -*.nguyenhoabinh.net*, True -*.nguyenhoabinh.org*, True -*.nguyenthanhphuongvn.net*, True -*.nguyenvanhoang.com*, True -*.nguyenvanthuoc.com*, True -*.ng.web.id*, True -*.nh3.ro*, True -*.nhacbeat.com*, True -*.nhaccachmang.info*, True -*.nhachot.info*, True -*.nhackpop.com*, True -*.nhacquehuong.net*, True -*.nhacsong.biz*, True -*.nhacsong.org*, True -*.nhactruoc75.com*, True -*.nhacxua.info*, True -*.nhaima.com*, True -*.nhaima.net*, True -*.nhakhoa.asia*, True -*.nhakhoavinhsinh.com*, True -*.nhalacafe.tk*, True -*.nh-alt.com*, True -*.nhance.com*, True -*.nhanh.xyz*, True -*.nhatrangbynight.com*, True -*.nhatrangshop.com*, True -*.nhenderson.org*, True -*.nhent.org*, True -*.nhfc.com.mx*, True -*.nhiteo.net*, True -*.nhlimobiliare.ro*, True -*.nhlrealestate.com*, True -*.nhoc19.com*, True -*.nhpactv.com*, True -*.nhsa.cl*, True -*.nhscisco.com*, True -*.nhscisco.net*, True -*.nhscisco.org*, True -*.nhseclass8.ga*, True -*.nhsistemas.com.ve*, True -*.nhs.org.my*, True -*.nhug.org*, True -*.nhugweb.org*, True -*.ni2ip.co*, True -*.niagasinarsentosa.com*, True -*.niallmurphy.com*, True -*.niallscarradio.co.za*, True -*.niamhhill.co.uk*, True -*.niamhlewis.com*, True -*.niamhlewis.name*, True -*.nian-yeong.com*, True -*.nibared.cf*, True -*.nibble.hk*, True -*.nibelius.se*, True -*.nibiruftp.com*, True -*.nibuni.net*, True -*.niburu.tv*, True -*.nice1010.com*, True -*.niceandhealthy.com.mx*, True -*.nicedog.net*, True -*.nicegolfer.com*, True -*.niceloansx.org*, True -*.nicenaturally.com*, True -*.n-iceware.ch*, True -*.niceware.ch*, True -*.n-iceware.net*, True -*.nichedigital.com.au*, True -*.nichemedia.com.au*, True -*.nicher.cl*, True -*.nichiinterior.com*, True -*.nicholasjarnold.com*, True -*.nicholie.com*, True -*.nicholson.co.za*, True -*.nicholstribe.com*, True -*.nichtsdestotrotz.ch*, True -*.nichtsluz.ch*, True -*.nick231.net*, True -*.nickarnold.name*, True -*.nickbertrand.com*, True -*.nickbook.cf*, True -*.nickelsen.cl*, True -*.nickfuentes.cl*, True -*.nickgwood.com*, True -*.nickhudspeth.com*, True -*.nickjdyer.com*, True -*.nickkarwoski.com*, True -*.nickkuebler.com*, True -*.nickl89.com*, True -*.nicklaus.ru*, True -*.nicklowery.me*, True -*.nickmacinnis.com*, True -*.nicknak.net*, True -*.nickname.asia*, True -*.nickperry.co.uk*, True -*.nickpost.net*, True -*.nicksagenda.com*, True -*.nicksandow.com*, True -*.nicksbailbonds.com*, True -*.nicksbb.com*, True -*.nickschrand.com*, True -*.nickschulte.com*, True -*.nickthommen.ch*, True -*.nick-tv.ru*, True -*.nickv.me*, True -*.nickx.hu*, True -*.nickylian.info*, True -*.nicmedia.com.ar*, True -*.nicnero.ca*, True -*.nico2t.com*, True -*.nicoandrea.com.ve*, True -*.nicobrest.com.ar*, True -*.nicocercola.com.ar*, True -*.nico.co.za*, True -*.nicolaboonillustration.co.uk*, True -*.nicolaborra.com*, True -*.nicolaeguta.co.uk*, True -*.nicolagurgone.it*, True -*.nicolaogarcia.com.ar*, True -*.nicolas2010.ro*, True -*.nicolasbrahim.com.ar*, True -*.nicolascarreras.me*, True -*.nicolasciocchini.com.ar*, True -*.nicolascirigliano.com.ar*, True -*.nicolasdelrio.cl*, True -*.nicolasdemarco.com*, True -*.nicolasevans.org*, True -*.nicolasfernandez.ch*, True -*.nicolasfernandez.com.ar*, True -*.nicolas.gr*, True -*.nicolasi.com*, True -*.nicolasmendez.com.ar*, True -*.nicolassanguineti.com.ar*, True -*.nicolasstanchuk.com.ar*, True -*.nicolas-t.ru*, True -*.nicolaswitschi.com*, True -*.nicolbolas.org*, True -*.nicoleat.id.au*, True -*.nicolechamberscelebrancy.com.au*, True -*.nicoledial.com*, True -*.nicolegoodman.com*, True -*.nicolehenry.com*, True -*.nicolekajihara.com.br*, True -*.nicolekoutlis.com*, True -*.nicolemoras.jor.br*, True -*.nicolet.com.ar*, True -*.nicolex.cf*, True -*.nicoleymax.com*, True -*.niconipp.ga*, True -*.nicopaez.com.ar*, True -*.nicovide.jp*, True -*.nicsan.com.ar*, True -*.nictrucking.com*, True -*.nicubunicu.ro*, True -*.niculita.ro*, True -*.nicu.md*, True -*.nicutov.cf*, True -*.nidiadiaz.com*, True -*.nidig.com*, True -*.nidig.co.uk*, True -*.nidmauvilech.ch*, True -*.nidowa.ch*, True -*.niebo.org*, True -*.niebuhrgathering.com*, True -*.niedermaier.com.ar*, True -*.niedermaier.li*, True -*.niegle.com*, True -*.niehaus-usa.net*, True -*.nieldeklerk.co.za*, True -*.nielsepting.ch*, True -*.nielsonhomeimprovement.com*, True -*.niemisalo.fi*, True -*.niengrangthaolap.com*, True -*.niepodam.tk*, True -*.nietz.ca*, True -*.nieubethesda.biz*, True -*.nieu.com.au*, True -*.nievedecoco.info*, True -*.niezalezna.info*, True -*.nifgaming.eu*, True -*.nifira.com*, True -*.nif.web.id*, True -*.nigami.net*, True -*.nigc-ar.ir*, True -*.nige.com.au*, True -*.nigelpacker.me.uk*, True -*.nigelroach.com*, True -*.nigelross.com*, True -*.nigelswift.info*, True -*.nigelupchurch.com*, True -*.nigerianfinder.tk*, True -*.niggersquad.tk*, True -*.night24.info*, True -*.nightcity.us*, True -*.nightclubw.ru*, True -*.nightcore.club*, True -*.nightfighters-guild.com*, True -*.nightfury.co*, True -*.nightgen.com*, True -*.nightless.tk*, True -*.nightmarechess.com*, True -*.nightmare.so*, True -*.nightofthelivingpodcast.com*, True -*.nightpilot.ch*, True -*.nightsandweekends.im*, True -*.nightshadow.com*, True -*.nightsnack.cf*, True -*.niglite.com*, True -*.nigolian.com.ar*, True -*.ni-group.ru*, True -*.ni.gy*, True -*.nihad.org*, True -*.nihao.ir*, True -*.nihildum.com*, True -*.nihilistcat.info*, True -*.nihilriver.com*, True -*.nihilum.fi*, True -*.niichan.com*, True -*.niida.tv*, True -*.niigeo.ru*, True -*.niiice.com*, True -*.nikai.cl*, True -*.nikdar.com*, True -*.nikdog.net*, True -*.nikdog.su*, True -*.nikeinvest.ro*, True -*.nike.web.id*, True -*.nikhildesai.com*, True -*.nikhil.ws*, True -*.nikhome.net*, True -*.nikibizjak.tk*, True -*.nikiesha.id.au*, True -*.nikiey.tk*, True -*.niki.ga*, True -*.nikigary.com*, True -*.nikishae.com*, True -*.nikitakretov.com*, True -*.nikitaprotec.com*, True -*.nikiwrigg.com*, True -*.nikjey.com*, True -*.nikkelitous.com*, True -*.nikolawhallon.com*, True -*.nikoliceneje.si*, True -*.nikolkado.cf*, True -*.nikolo-martin.at*, True -*.nikoloskimk.com*, True -*.nikomo.fi*, True -*.nikos-georgiou.gr*, True -*.nikos.im*, True -*.nikospapadopoulos.gr*, True -*.nikosxp.com*, True -*.nikosxp.com.au*, True -*.nikotest.net*, True -*.nikr.com.br*, True -*.niksyamim.com*, True -*.nikuman.org*, True -*.nikvdp.com*, True -*.nikvostro.ru*, True -*.nikwalter.ch*, True -*.nikyan.com*, True -*.nikyregalos.cl*, True -*.nildabarros.com.ar*, True -*.nileshmanohar.com*, True -*.nil.hk*, True -*.nillsfurniture.co.uk*, True -*.nillsfurnituredesign.co.uk*, True -*.nilmop.org*, True -*.nilocatur.info*, True -*.nilogic.se*, True -*.nilopati.com*, True -*.nilp.it*, True -*.nilssonssten.se*, True -*.nimaai.com*, True -*.nimait.com*, True -*.nimali.net*, True -*.nimbia.co*, True -*.nimbinbackpackers.com*, True -*.nimbuscloud.de*, True -*.nimda.fi*, True -*.nimesilt.ee*, True -*.nimfa.ro*, True -*.nimmaj.co.uk*, True -*.nimman.com*, True -*.nimmsis.net*, True -*.nimportequoi.tk*, True -*.nimrodian.net*, True -*.nimux.eu*, True -*.nin1966.com*, True -*.ninabox.net*, True -*.nina-cleaners.co.uk*, True -*.ninaegon.com*, True -*.ninamarot.com*, True -*.ninefamily.net*, True -*.ninehells.com*, True -*.nineteenbar.com.au*, True -*.ninetytensnowboards.com*, True -*.nineworlds.com.au*, True -*.ning.my.id*, True -*.ninilab.com*, True -*.ninionavajo.com.ar*, True -*.ninjaarchivist.com*, True -*.ninjacoder.be*, True -*.ninjadevelopercloud.com*, True -*.ninjadisaster.com*, True -*.ninjamotorsports.com*, True -*.ninjapoodles302.biz*, True -*.ninjasaga-mart.com*, True -*.ninjawars2.com*, True -*.ninjawars2.net*, True -*.ninjawars.net*, True -*.ninja-widgets.com*, True -*.ninkasi.ca*, True -*.ninobozzi.cl*, True -*.ninofink.ch*, True -*.ninofink.com*, True -*.ninoit.eu*, True -*.ninosdecristal.org*, True -*.nintendochile.ws*, True -*.niobe.net*, True -*.niorkavasquez.com.ve*, True -*.nip-drink.com*, True -*.niphi.ch*, True -*.nipsu.fi*, True -*.niptus.com*, True -*.nipunthapa.com.np*, True -*.nique.com.ve*, True -*.nira.com.my*, True -*.nirajtrivedi-cs.com*, True -*.nirazpaudel.com.np*, True -*.nirdoshgautam.com.np*, True -*.niresh.com*, True -*.nirgle.net*, True -*.nirkabelku.com*, True -*.nirmalaandrajesh.com*, True -*.nirmalyadhrupad.org*, True -*.niroapp.com*, True -*.nirod.ro*, True -*.nirosdomaine.com*, True -*.nirosts.ro*, True -*.nirvana-craftbukkit.net*, True -*.nirvanahosting.tk*, True -*.nisanvedugunfotografcisi.com*, True -*.nisargjoshi.tk*, True -*.nisbie.com*, True -*.nischalkhanal.com.np*, True -*.nishadh.com.np*, True -*.nishajith.com*, True -*.nishantshrestha.com.np*, True -*.nisheshshakya.com.np*, True -*.nishionline.com*, True -*.nishtha.tk*, True -*.nislim.eu*, True -*.niso-mics.ru*, True -*.nispy.net*, True -*.nissenbaum.co.il*, True -*.nissichem.com*, True -*.nissinfoods.org*, True -*.nissisystems.com*, True -*.nisszi.hu*, True -*.nistomotor.com*, True -*.nitayjoffe.com*, True -*.nitekworks.net*, True -*.nitelsoft.ir*, True -*.niteroijoyas.com*, True -*.niteryder.net*, True -*.niteshrestha.com.np*, True -*.nith.in*, True -*.nitipanak.com*, True -*.nitipbos.com*, True -*.niti.sh*, True -*.nitorin.com*, True -*.nitrix.be*, True -*.nitroglobal.org*, True -*.nitronix.ir*, True -*.nitro-software.com*, True -*.nitrosurfer.com*, True -*.nitrothermspray.eu*, True -*.nitrothermspray.si*, True -*.nitrousexpress.info*, True -*.nitrural.info*, True -*.nit.web.id*, True -*.niunafanzine.com.ar*, True -*.nivel11.es*, True -*.nivel7.com.ar*, True -*.nivelc.com.ar*, True -*.nivi.org.uk*, True -*.niv.pw*, True -*.nix3.ru*, True -*.nixbox.li*, True -*.nixfor.us*, True -*.nixgeek.co.za*, True -*.nixgeex.org*, True -*.nixgeneration.com*, True -*.nixindo.com*, True -*.nixius.co.uk*, True -*.nixmacs.net*, True -*.nixserv.us*, True -*.nixstores.com*, True -*.niyari.org*, True -*.niyou.info*, True -*.nizkocenovci.com*, True -*.nizkocenovniki.com*, True -*.nizkocenovniki.si*, True -*.nizkocenovni-leti.si*, True -*.nizkocenovnileti.si*, True -*.nizu-yk35.com*, True -*.njaa.org.np*, True -*.njahaha.net*, True -*.njami.si*, True -*.njchristian.org*, True -*.njdiaz.net*, True -*.njhurst.com*, True -*.njhurst.org*, True -*.njingbaic.com*, True -*.njlg.info*, True -*.njl.lu*, True -*.njmtech.com.au*, True -*.njoerd.net*, True -*.njpads.com*, True -*.njpads.net*, True -*.njpg.org*, True -*.njpirgdata.com*, True -*.nj-projekt.sk*, True -*.njstthomas.org*, True -*.njtb.org*, True -*.njwebcorp.com*, True -*.njweds.com*, True -*.nk5.ru*, True -*.nka.se*, True -*.nkb.si*, True -*.nkd.su*, True -*.nkgx.eu*, True -*.nkias.co.uk*, True -*.nklima.com.br*, True -*.nkl.ro*, True -*.nkolanyane.nom.za*, True -*.nkss.eu*, True -*.nk-vq.com*, True -*.nk-vq.net*, True -*.nkweb.org*, True -*.nky.com.tr*, True -*.nlab.ch*, True -*.nlab.fr*, True -*.nlabs.info*, True -*.nldating.eu*, True -*.nl-gaming.info*, True -*.n-like.net*, True -*.n-likerz.net*, True -*.nlk.fi*, True -*.nlpd.net.au*, True -*.nlrm.org*, True -*.nlsdvirtualoffice.ca*, True -*.nlu.fi*, True -*.nm31.com*, True -*.nm7.cc*, True -*.nm7.moe*, True -*.nmbtrainrace.co.za*, True -*.nmcn.org*, True -*.nmcomar.com*, True -*.nmebel.net*, True -*.n-media.biz*, True -*.nmicewolves.com*, True -*.nmichaels.org*, True -*.nmi-law.co.il*, True -*.nmotive.ro*, True -*.nmplcpimenta.com*, True -*.nmprueba.tk*, True -*.nmroller.com.ar*, True -*.nmryans.com*, True -*.nms07.com*, True -*.nmspayroll.com*, True -*.nm-youth-entrepreneurs.com*, True -*.nm-youth-entrepreneurs.info*, True -*.nnb52.com*, True -*.nnb59.com*, True -*.nnb64.com*, True -*.nnb98.com*, True -*.nnb.com.ar*, True -*.nncorp.com.ar*, True -*.nnecchini.com.ar*, True -*.nn-foto.ru*, True -*.nnn-555.com*, True -*.nn-network.net*, True -*.n-novgorod.com*, True -*.nnrooth.com*, True -*.nnsb.ro*, True -*.nntheblog.com.ar*, True -*.nnyhome.com*, True -*.no65.info*, True -*.noack.us*, True -*.noacon.com*, True -*.noacon.net*, True -*.noacon.us*, True -*.noadns.org*, True -*.noadultsupervision.org*, True -*.noadware.org*, True -*.noahadler.com*, True -*.noah-ark.co.za*, True -*.noahjackson.co.uk*, True -*.noahsark-playgroup.co.uk*, True -*.noahtwjackson.com*, True -*.noahtwjackson.org*, True -*.noakland.com*, True -*.noaladventures.com*, True -*.noalvodesign.com.br*, True -*.noamank.com*, True -*.noapts.com*, True -*.nobadge.com*, True -*.nobeldev.info*, True -*.nobelhotel.md*, True -*.nobel-id.com*, True -*.nobephilsoc.com*, True -*.nobigdealct.com*, True -*.nobilchina.com*, True -*.nobilitas-web.com*, True -*.noblare.com*, True -*.noble-house.tk*, True -*.noble-macau.com*, True -*.noble-network.org*, True -*.nobody.guru*, True -*.nobodys-child.tk*, True -*.nobspatrick.ch*, True -*.nobushi.com.br*, True -*.nocarrier.nl*, True -*.nocashfromme.com*, True -*.noc.cl*, True -*.n-o-c.co.za*, True -*.noccy.com*, True -*.noch-int.com*, True -*.nocilis.tk*, True -*.nocoderequired.com*, True -*.no-copies.com*, True -*.nocrust.ru*, True -*.noct.com.br*, True -*.nocte107.name*, True -*.noctos.org*, True -*.noctua.cl*, True -*.nocturaware.com*, True -*.nodal.com.ar*, True -*.nodal.org.za*, True -*.node00.co.uk*, True -*.node0.ml*, True -*.node8.net*, True -*.nodebb.ir*, True -*.nodehaswell.ga*, True -*.nodejs.com.ar*, True -*.nodesoft.info*, True -*.nodie.cc*, True -*.nodisk.net*, True -*.nodistroti.tv*, True -*.nodle.co.nz*, True -*.nodnor.com*, True -*.nododetransporte.com.ar*, True -*.nodorum.com.br*, True -*.nodtech.net*, True -*.nodv.com*, True -*.noelabolong.tk*, True -*.noel.gr*, True -*.noeliabearodriguez.com.ar*, True -*.noelmcgrath.com*, True -*.noelmcgrath.com.au*, True -*.noelscompleteautoservice.com*, True -*.noen.cx*, True -*.noesberger.li*, True -*.noestorage.net*, True -*.noeticpenguin.com*, True -*.nofar.tk*, True -*.nofate.ro*, True -*.nofhai.com*, True -*.nofuckinaround.com*, True -*.nofussmedia.com*, True -*.nofussmedia.info*, True -*.nogaems.me*, True -*.nogfw.tk*, True -*.nognet.net*, True -*.nogoodshits.net*, True -*.nogo.si*, True -*.nogueira.com.ar*, True -*.nogueiras.com.ar*, True -*.nogy.de*, True -*.nohair.ga*, True -*.noha.ml*, True -*.nohuggingallowed.com*, True -*.noidellarte.it*, True -*.noisyno.com*, True -*.nokando.fi*, True -*.nokdess.us*, True -*.nokedli.org*, True -*.nokiaaa.ml*, True -*.nok.info*, True -*.nokiyem.tk*, True -*.nokz.ca*, True -*.nolabros.com*, True -*.no-lag.com*, True -*.nolancocat.com*, True -*.nolanexcavation.com*, True -*.nolanpro.com*, True -*.nolansmith.net*, True -*.noldor.ro*, True -*.nolencasa.com*, True -*.nolja.biz*, True -*.nolog.tk*, True -*.nolongerawageslave.org*, True -*.nomadcomputers.com*, True -*.nomadcontent.com*, True -*.nomaderrant.com*, True -*.nomadmechanic.com*, True -*.nomarcontabilidade.com.br*, True -*.nomefriv.cf*, True -*.nominafacil.info*, True -*.nominafacil.org*, True -*.nomind.co.il*, True -*.nomine17.ro*, True -*.nomismatrading.com*, True -*.nomnomchat.com*, True -*.nomorecheating.org*, True -*.nomotion.ch*, True -*.nomsdeguerre.com*, True -*.nomuggles.com*, True -*.no-name.cf*, True -*.nonamecraft.com*, True -*.noname-it.com.ar*, True -*.nonameprod.ch*, True -*.nonancho.com*, True -*.nonbiri-swing.org*, True -*.non-dairy-cream.com*, True -*.nondairycream.com*, True -*.nonde13.tk*, True -*.nondesign.tw*, True -*.nondestructivetesting.ca*, True -*.nonedistribution.com*, True -*.nonemergency.ca*, True -*.nongye.so*, True -*.non-ice.com*, True -*.nonmasters.com*, True -*.nonnaskitchen.com*, True -*.nonnber.com*, True -*.nonoo.biz*, True -*.nonoo.eu*, True -*.nonoseeumequine.com*, True -*.nonosoft.com.ar*, True -*.nonowhere.eu*, True -*.nonprofit-data.com*, True -*.nonrelevant.net*, True -*.nonretro.com*, True -*.nonretro.org*, True -*.nonsenseofahigherorder.com*, True -*.nonsingular.com*, True -*.nonstop-szerviz-debrecen.hu*, True -*.nonstress.ch*, True -*.nonthaburihorses.com*, True -*.nontonmulu.com*, True -*.nontrivialstudio.com*, True -*.nonullsessions.com*, True -*.nonwhiteheterosexualmalelicense.org*, True -*.nonwoven-geotextile.com*, True -*.nonze.ro*, True -*.noobbit.ru*, True -*.noobhands.com*, True -*.noobindo.tk*, True -*.noob.mobi*, True -*.noobownage.com*, True -*.noob-techno.com*, True -*.noodleking.ca*, True -*.noodlequeen.com*, True -*.noodl.es*, True -*.noognet.org*, True -*.nookas.com*, True -*.nookls.net*, True -*.nookls.org*, True -*.noomko.com*, True -*.nooneever.com*, True -*.noopy.org*, True -*.noorconcept.ro*, True -*.noosaheads.biz*, True -*.nopcea.ro*, True -*.nophenvs.cf*, True -*.nopitbullbans.com*, True -*.noppy.com*, True -*.noppy.org*, True -*.noq-app.com*, True -*.noq.com.au*, True -*.noracismoynosexismo.org*, True -*.noranpension.co.kr*, True -*.norans.com.au*, True -*.norbe.com.ar*, True -*.norbertnet.ro*, True -*.norblom.com*, True -*.norcalyouthhockey.com*, True -*.norcrosspawn.com*, True -*.nord133.net*, True -*.nordbrandt.se*, True -*.nordeximmvi.ro*, True -*.nordexim.ro*, True -*.nordickoivu.ru*, True -*.nordicstar.ro*, True -*.nordictimbersolutions.com*, True -*.nordines.com*, True -*.nordlander.tk*, True -*.nordman.fi*, True -*.nordprojekt.eu*, True -*.nordsieck.net*, True -*.nordstroy-ykt.ru*, True -*.nordter.ru*, True -*.noreal.info*, True -*.no-red-light-ticket.biz*, True -*.no-red-light-ticket.info*, True -*.noreplymarketing.com*, True -*.noriahotel.com.ar*, True -*.noriy.net*, True -*.norka.ml*, True -*.normablopez.com.ar*, True -*.normaiso8573-1.com.ar*, True -*.normalfinds.org*, True -*.normandalehouse.org*, True -*.normandie.com.ar*, True -*.normanjuniewic.com*, True -*.normanyeo.sg*, True -*.normasoft.si*, True -*.normaweese.com*, True -*.normbeattysautoelectrical.com.au*, True -*.normlamar.com*, True -*.normosporin.com*, True -*.normosporin.info*, True -*.noroceii.ro*, True -*.norocei.ro*, True -*.noro.ga*, True -*.norola.net*, True -*.noronha-velosa.pt*, True -*.norsinci.si*, True -*.norteremates.cl*, True -*.norteservice.com.ar*, True -*.northamericanlockandsafe.com*, True -*.northammitre10.com.au*, True -*.northamptonallotments.co.uk*, True -*.northantrim.org*, True -*.northboundfox.com*, True -*.northcoastblues.org*, True -*.northcoastresponseteam.org*, True -*.northcoogee.com.au*, True -*.northcottcarecentre.com*, True -*.northcroft.net*, True -*.northdaysimage.ca*, True -*.north-dorset.co.uk*, True -*.northeastdetailing.com.au*, True -*.northeastern.co.za*, True -*.northendchc.org*, True -*.northerncoloradocreditrepair.com*, True -*.northernearth.org*, True -*.northernlightsforecaster.com*, True -*.northernsynergy.com*, True -*.northernvirginiagoldteam.com*, True -*.northernwaters.com.np*, True -*.northfloridadivorcelawyer.com*, True -*.northisournature.com*, True -*.northlance.com*, True -*.northlance.co.uk*, True -*.north.li*, True -*.northmackaybowlsclub.com.au*, True -*.northpdxnpaa.org*, True -*.northpinedonkeys.com*, True -*.northpineequine.com*, True -*.northriveronline.com*, True -*.northriverwhitetail.com*, True -*.north-south.info*, True -*.northstarlc.com.au*, True -*.northstarnetworks.ca*, True -*.northtile.com*, True -*.northumberlandquiltguild.ca*, True -*.northwestautohaus.ca*, True -*.northwestcenter.net*, True -*.northwestnetworkers.com*, True -*.northwestwasabi.com*, True -*.northwoman.org*, True -*.nortiva.com*, True -*.nortrek.cl*, True -*.norulet.ro*, True -*.norushcharge.com*, True -*.norveska.net*, True -*.nos1.tk*, True -*.nosal.ca*, True -*.nosasquatch.ws*, True -*.nos-bit.co.uk*, True -*.noscasamos.si*, True -*.nos-differences.be*, True -*.nosdisparus.com*, True -*.nosellaudine.it*, True -*.nosfer-acid.biz*, True -*.nosfer-acid.com*, True -*.nosfer-acid.net*, True -*.no-shenanigans.com*, True -*.noshutdown.net*, True -*.nosim.to*, True -*.nosovitzky.com.ar*, True -*.nospam-mail.ru*, True -*.nosp.info*, True -*.nosquedamosenel73.com.ar*, True -*.nosretamos.com*, True -*.nossocandidato.com.br*, True -*.nossouvenirs.info*, True -*.nostalgians.com*, True -*.nostalgiawoodworking.com*, True -*.nostinpojat.fi*, True -*.nostradamis.com*, True -*.nostradamuschamber.com*, True -*.nostradamus.one.pl*, True -*.nostrajewellery.org*, True -*.not2day.tk*, True -*.not3.net*, True -*.not4sale.gq*, True -*.not99chan.org*, True -*.notabua.com*, True -*.notagun.com*, True -*.notahosting.com*, True -*.notaiocirota.it*, True -*.notaiopetroni.it*, True -*.notaiopetrosso.it*, True -*.notalone.co.za*, True -*.notamused.org*, True -*.notapanel.com*, True -*.notappob.com*, True -*.notaproof.com*, True -*.notaria77yucatan.com.mx*, True -*.notariamoralesvaldivia.cl*, True -*.notariat-bistrita.ro*, True -*.notariavaldivia.cl*, True -*.notariawinter.cl*, True -*.notaricluj.ro*, True -*.notarios.org.mx*, True -*.notariovirtual.cl*, True -*.notarisreinaldy.web.id*, True -*.notarisrita.co.id*, True -*.notar-lux.at*, True -*.notarpop.ro*, True -*.notaryace.com*, True -*.notarytracker.com*, True -*.notarztflensburg.de*, True -*.notawesome.org*, True -*.notconscio.us*, True -*.notdisclosed.tk*, True -*.notea.ir*, True -*.notebooks.fi*, True -*.notededge.com*, True -*.notern.com*, True -*.notesninjas.com*, True -*.notevenwrong.net*, True -*.notfallprofi.ch*, True -*.not-found.ga*, True -*.not-found.ml*, True -*.notfree.gq*, True -*.nothingbutbitches.com*, True -*.nothing-is-true.tk*, True -*.nothing-original.co.uk*, True -*.notho.me*, True -*.notice4england.co.uk*, True -*.notici.as*, True -*.noticiasfreak.cl*, True -*.noticiasrurales.com*, True -*.noticierog.com*, True -*.notidigital.com.ar*, True -*.notificaciondigital.com.ar*, True -*.notifikation.nu*, True -*.notifikation.se*, True -*.notif.ml*, True -*.notifythem.net*, True -*.notilogia.com.ve*, True -*.notilogia.co.ve*, True -*.notilogia.info.ve*, True -*.notilogia.net.ve*, True -*.notilogia.org.ve*, True -*.notilogia.web.ve*, True -*.notimarkus.ch*, True -*.notinept.me*, True -*.notinept.tk*, True -*.notionplex.com*, True -*.notjimcarrey.com*, True -*.notjustoils.com*, True -*.notkola.com*, True -*.notlp.com*, True -*.not.my*, True -*.notmyissue.org*, True -*.notnancy.cl*, True -*.notnotpat.com*, True -*.notorious.ch*, True -*.notoriously-white.co.uk*, True -*.noto.web.id*, True -*.notrebiere.com*, True -*.notredamearena.com*, True -*.notrin.ml*, True -*.notsh.org*, True -*.notsojane.com*, True -*.nottaken.net*, True -*.nottinghamaid.org*, True -*.notto.be*, True -*.notw.co.za*, True -*.notyouremail.com*, True -*.notyours.xyz*, True -*.nou9.ro*, True -*.noua1.com*, True -*.noumenonsoftware.com*, True -*.nounsoft.com*, True -*.nousapsis.net*, True -*.nousessence.com*, True -*.noutopantti.fi*, True -*.nouveaubop.com*, True -*.nova-az.sk*, True -*.novabase.se*, True -*.novabrasil.com*, True -*.novabrasilfm.com.br*, True -*.novadvice.cl*, True -*.novaela.cf*, True -*.novafactum.cl*, True -*.novafoundation.com.np*, True -*.nova-gns.com*, True -*.novahost.xyz*, True -*.novais.eng.br*, True -*.novakpianoservice.com*, True -*.nova-labs.ch*, True -*.nova-labs.tk*, True -*.novalug.ca*, True -*.novapintureria.com.ar*, True -*.novara.com.mx*, True -*.nova-star.ro*, True -*.novastylez.tk*, True -*.novatex.ca*, True -*.novatexudine.it*, True -*.novatioeng.com*, True -*.novatoriya.ru*, True -*.nova.web.id*, True -*.novay.one.pl*, True -*.novedadestech.com*, True -*.novel.com.my*, True -*.noveltysuites.co*, True -*.novelway.ru*, True -*.novembersoft.com*, True -*.novemusica.com.ar*, True -*.novgaz-rzn.ru*, True -*.novhak.com*, True -*.novidadesnanet.com.br*, True -*.novikoff.tk*, True -*.novikontas.lv*, True -*.novin-ara.ir*, True -*.noviolencia.com.ar*, True -*.noviolenciamoreno.com.ar*, True -*.novipla.com*, True -*.novipla.it*, True -*.novis.lv*, True -*.novitaskitchens.com.br*, True -*.novitrack.tk*, True -*.novitravnik.net*, True -*.novo-advisory.com*, True -*.novofuturo.org*, True -*.novohorizonte.pt*, True -*.novokhopersk.ru*, True -*.novoparagon-group.co.uk*, True -*.novoselkin.ru*, True -*.novotempoeletronica.com.br*, True -*.novotica.it*, True -*.novotika95.com*, True -*.novotnyco.com*, True -*.novotny.it*, True -*.novotnypropertytax.com*, True -*.novoukrainka.ru*, True -*.novpromtech.ru*, True -*.novusunion.com*, True -*.nowait.com.ar*, True -*.nowakmarcin.com*, True -*.nowaste.hk*, True -*.nowaymore.com*, True -*.nowdev.ro*, True -*.nowe.ch*, True -*.nowhearthis.co.uk*, True -*.nowhere-near.us*, True -*.nowicki.pw*, True -*.now.im*, True -*.now-incorporate.com*, True -*.nowostnojportal2014year.ru*, True -*.nowpcsms.com*, True -*.nowsmspc.com*, True -*.nox73.ru*, True -*.noxious.ninja*, True -*.no-x.org*, True -*.noxtechnologies.co.za*, True -*.noyona.ga*, True -*.noziglia.com.ar*, True -*.nozigliainsumos.com.ar*, True -*.noz.nz*, True -*.np3od.tk*, True -*.npa.in*, True -*.npbiac.co.uk*, True -*.npccs.org*, True -*.n-p.com.ar*, True -*.npc-tech.com*, True -*.npe.co.za*, True -*.npeep.com*, True -*.npenntech.com*, True -*.npfinfo.ru*, True -*.npflifang.com*, True -*.nph.co.za*, True -*.npj.co.za*, True -*.npmpt.com*, True -*.npmservices.mu*, True -*.npnardo.ru*, True -*.npokharel.com.np*, True -*.npra.me*, True -*.npro.it*, True -*.npurbe.com.np*, True -*.npw.co.za*, True -*.npwein.com*, True -*.npwein.ninja*, True -*.nqar.es*, True -*.nqserver.com*, True -*.nrckids.com*, True -*.nrdata.lv*, True -*.nreal.net*, True -*.nrfw.org*, True -*.nrgee.biz*, True -*.nrgee.us*, True -*.nri.ca*, True -*.nrice.co*, True -*.nrinternational.com.pk*, True -*.nrjlab.com*, True -*.nrkrecords.co.za*, True -*.nrnail.eu*, True -*.nrnparajuli.com.np*, True -*.nrollo.com*, True -*.nrp.com.np*, True -*.nrsteam.com*, True -*.ns22.ru*, True -*.nsautorecycling.com*, True -*.nsb.ro*, True -*.nscale.org.au*, True -*.nsc-pulsa.com*, True -*.nsdatasolutions.co.uk*, True -*.nse66.com*, True -*.nse77.com*, True -*.nse88.com*, True -*.nsearch.tk*, True -*.nsestudio.com.ar*, True -*.nseuropa.com*, True -*.nseuropa.org*, True -*.nseurope.org*, True -*.nsfire.ca*, True -*.nsfreehost.tk*, True -*.ns-front.info*, True -*.nsicscores.com*, True -*.nsip.com.ar*, True -*.nsix.net*, True -*.nsjvknsdvsdvjb.ml*, True -*.nskesfahan.ir*, True -*.nskesfahan.org*, True -*.nskk.ir*, True -*.nsl23.org*, True -*.nslabs.com.ar*, True -*.nslmotorsports.com*, True -*.nsmoc.co.uk*, True -*.nsnetworks.ca*, True -*.nsns.cf*, True -*.nsogfy.ca*, True -*.nspa.ir*, True -*.nspir8tion.net*, True -*.nsr-il.com*, True -*.nsseg.com.br*, True -*.nsshine.ca*, True -*.ns-store86.com*, True -*.nstcshooters.org*, True -*.nsteenis.nl*, True -*.nstrasser.com*, True -*.nstribuna.org*, True -*.nstruebel.com*, True -*.nst.web.id*, True -*.nsufilm.com*, True -*.nsworx.net*, True -*.nswpolicestate.com*, True -*.nswtiling.com.au*, True -*.nsystems.ro*, True -*.nt3r.net*, True -*.ntactical.tk*, True -*.n-taxis.gr*, True -*.ntd100.com*, True -*.ntdll.tk*, True -*.nt-gaming.com*, True -*.ntgg.com.au*, True -*.nthcomputer.net*, True -*.nthornton.org*, True -*.nthroot.org*, True -*.nti1.us*, True -*.ntic.com.mx*, True -*.ntilagoa.com*, True -*.ntit.tk*, True -*.ntlo.ga*, True -*.ntmprinting.com*, True -*.ntmtravel.com*, True -*.ntoas.com*, True -*.ntos.me*, True -*.ntos.tk*, True -*.ntowers.net*, True -*.ntpromo.ro*, True -*.ntpublicidade.com.br*, True -*.ntrac.org.uk*, True -*.ntrr.com*, True -*.ntsc.ir*, True -*.nts-electronics.com*, True -*.ntshxii.tk*, True -*.nts.mx*, True -*.ntuaa-gp.org*, True -*.ntulsy.com*, True -*.ntw66.com*, True -*.ntw77.com*, True -*.ntw87.com*, True -*.ntwrkatl.com*, True -*.nuaink.co*, True -*.nu-aink.com*, True -*.nuaink.me*, True -*.nuaink.xyz*, True -*.nuba.cl*, True -*.nubegan.com*, True -*.nubeindie.com*, True -*.nubelia.com*, True -*.nubes.nl*, True -*.nubetak.com*, True -*.nubis.se*, True -*.nublic.com*, True -*.nublic.me*, True -*.nuboogie.me*, True -*.nucaving.co.uk*, True -*.nuci-aluni.ro*, True -*.nuckandfuts.com*, True -*.nucleodecurimba.cf*, True -*.nucleodecurimba.ga*, True -*.nucleodecurimba.ml*, True -*.nucleodecurimba.tk*, True -*.nucleussports.com.au*, True -*.nuclo.in*, True -*.nude-18.ru*, True -*.nude-picturez.com*, True -*.nude-preteen.ru*, True -*.nude-young.ru*, True -*.nuecesenlaluna.com.ar*, True -*.nuehring.com*, True -*.nuestrafarmacia.com.ar*, True -*.nuevaeraaislantes.com.ar*, True -*.nuevaola.com.ar*, True -*.nuevaretc.com.ar*, True -*.nuevas-fronteras.com*, True -*.nuevas-fronteras.info*, True -*.nuevas-fronteras.org*, True -*.nuevasvias.cl*, True -*.nuevocristalino.cl*, True -*.nuevoenfoquesa.com.ar*, True -*.nuevoespacio.com.ar*, True -*.nuevogema.com.ar*, True -*.nuevolorenzo.com.ar*, True -*.nuevowebmail.com.ar*, True -*.nuexista.com*, True -*.nuezita.ro*, True -*.nuezpecanchile.cl*, True -*.nufer.biz*, True -*.nufer.org*, True -*.nuflick.com*, True -*.nuforest.net*, True -*.nufszone.com*, True -*.nu-gear.com*, True -*.nugnet.net*, True -*.nugrahashop.tk*, True -*.nugrahautama.com*, True -*.nugroup.hk*, True -*.nuhoglu.com*, True -*.nuip.eu*, True -*.nuk3.net*, True -*.nukecanada.com*, True -*.nukehost.tk*, True -*.nukenin.com*, True -*.nuke.pt*, True -*.nukta.cf*, True -*.nula8.com*, True -*.nula.rs*, True -*.nu-leaf.com.au*, True -*.nul.io*, True -*.nullexistence.net*, True -*.nullish.com*, True -*.nullish.net*, True -*.nullpointer.net*, True -*.nullpointerprojects.tk*, True -*.nullroot.tk*, True -*.nullroute.info*, True -*.null.rs*, True -*.nullstein.com*, True -*.nullsystems.eu*, True -*.null-t.org*, True -*.nullvoid.me*, True -*.nul.ms*, True -*.num88.com*, True -*.numberdance.com*, True -*.number.lv*, True -*.numbersandtheirmeaning.net*, True -*.numbertoos.co.nz*, True -*.numecopii.ro*, True -*.numedecopii.ro*, True -*.numerisationlesslie.com*, True -*.numero0.es*, True -*.numerocero.es*, True -*.numerozero.es*, True -*.numinarace.si*, True -*.numinex.at*, True -*.nummelanlentokeskus.fi*, True -*.numotive.com*, True -*.nunakakao.com*, True -*.nuncaoidos.com.ar*, True -*.nunc.se*, True -*.nunet.fi*, True -*.nunez.com.ar*, True -*.nungames.com*, True -*.nungvai.com*, True -*.nunix.net*, True -*.nunkeri.com*, True -*.nunks.org*, True -*.nunn.io*, True -*.nunnsby.com*, True -*.nunnsby.co.za*, True -*.nunocdesignlab.tk*, True -*.nunosousa.gq*, True -*.nunosousa.ml*, True -*.nunosousa.tk*, True -*.nunovelho.com*, True -*.nunovelho.eu*, True -*.nunti-diplomat.ro*, True -*.nuntidiplomat.ro*, True -*.nunti-ideale.ro*, True -*.nuntisv.ro*, True -*.nuntrakarnthailandtour.com*, True -*.nunut.ml*, True -*.nuochoaxehoi.vn*, True -*.nu-o.com*, True -*.nuovisconti.com*, True -*.nuoya2046.com*, True -*.nupils.info*, True -*.nurah.com.my*, True -*.nurardiansyah.org*, True -*.nurenunt.ro*, True -*.nurita.es*, True -*.nuriz.tk*, True -*.nurrahma.co.id*, True -*.nurro.net*, True -*.nursani.web.id*, True -*.nursecallsystem.in*, True -*.nurseceu4less.com*, True -*.nurseryart.ca*, True -*.nurseryrhymemass.org.uk*, True -*.nur-sph.org*, True -*.nursph.org*, True -*.nurulaisyah.com*, True -*.nurulaisyah.web.id*, True -*.nurv.com.ar*, True -*.nusa2.com*, True -*.nush.com.np*, True -*.nushor.net*, True -*.nussbaumer-paysagiste.ch*, True -*.nussbaum.it*, True -*.nuss.com.ar*, True -*.nussmusic.com.ar*, True -*.nusspasteleria.com.ar*, True -*.nutfing.tk*, True -*.nuthouz.com*, True -*.nutmeg-bakery.com*, True -*.nutricionenlared.com*, True -*.nutricionintegral.cl*, True -*.nutrient-guru.com*, True -*.nutrimax.si*, True -*.nutripunctureasia.com*, True -*.nutriviva.cl*, True -*.nutryoffice.com*, True -*.nuts4health.ca*, True -*.nutscape.com*, True -*.nutz4trucks.com*, True -*.nutznboltz-online.com*, True -*.nuumix.com*, True -*.nuvauto.com*, True -*.nuvedalearning.com*, True -*.nu-vista.com*, True -*.nuvra.ch*, True -*.nux.co.za*, True -*.nuxmedia.com*, True -*.nuxser.com*, True -*.nvchambers.co.uk*, True -*.nv.cl*, True -*.nvk999.com*, True -*.nvk.su*, True -*.nvlife.com*, True -*.nvl-team.net.ru*, True -*.nvnt.in*, True -*.nvo1.tk*, True -*.nvoids.com*, True -*.nvrealestate.cl*, True -*.nvsr.com.au*, True -*.nvteaparty.net*, True -*.nvz-4rt.com*, True -*.nv-z.com*, True -*.nwabridges.com*, True -*.nwacservice.com*, True -*.nwalacc.com*, True -*.nwaquafarms.com*, True -*.nwaquafarms.net*, True -*.nwathenaeum.org*, True -*.nwfierofest.org*, True -*.nwgjb.tk*, True -*.nwhist.co.za*, True -*.nwhoa.com*, True -*.nwipvideo.com*, True -*.nwisp.co.za*, True -*.nwla-occ.org*, True -*.nwliftproject.org*, True -*.nwnlexicon.com*, True -*.nwobll.org*, True -*.nwpl8s.com*, True -*.nwsoccerclub.com*, True -*.nwso.org*, True -*.nwtit.info*, True -*.nwtrail.ru*, True -*.nwtube.com*, True -*.nwulff.dk*, True -*.nxceventos.com.ar*, True -*.nxco.uk*, True -*.nxgen.ca*, True -*.nxgpli.ga*, True -*.nxkn.ru*, True -*.nxt.am*, True -*.nx.tc*, True -*.nxtcrypto.tk*, True -*.nxtface.com*, True -*.nxxzsp.com*, True -*.nyaaradio.ru*, True -*.nyabbai.com*, True -*.nya.gs*, True -*.nya.pub*, True -*.nybelladona.com*, True -*.nyble.com*, True -*.nybonlabs.net*, True -*.nycphpmeetup.org*, True -*.nycphp.org*, True -*.nycp.me*, True -*.nycr.tv*, True -*.nycunitedneighbors.org*, True -*.nycun.org*, True -*.nyegroup.org*, True -*.nyem.or.id*, True -*.nyemplak.ml*, True -*.nyesek.com*, True -*.nyeste.info*, True -*.nyffeler-maler.ch*, True -*.nyffenegger.info*, True -*.nyftp.com*, True -*.nyitottegyesulet.hu*, True -*.nykasenvalinta.com*, True -*.nylyn.com*, True -*.nylyn.ir*, True -*.nymk.com*, True -*.nymoen.com*, True -*.nynjtech.com*, True -*.nyobaint.tk*, True -*.nyonyasafety.com*, True -*.nyphp.com*, True -*.nyphpcon.com*, True -*.nyrental.com*, True -*.nysepho.pw*, True -*.nystagm.us*, True -*.nytelco.net*, True -*.nytjej.nu*, True -*.nyuti.tk*, True -*.nyxsus.com*, True -*.nyxsus.net*, True -*.nyxx.ru*, True -*.nyyuniverse.com*, True -*.nzbmonsterz.com*, True -*.nzff.tk*, True -*.nzgk.ru*, True -*.nzimmer.li*, True -*.nzluxuryservice.com*, True -*.nzrc.ca*, True -*.nzre.info*, True -*.nzsp.net*, True -*.nzvoipitsolution.co.nz*, True -*.o2-sicherheitszentrale.de*, True -*.o2tent.com*, True -*.o4w.ch*, True -*.oaats.net*, True -*.oafgb.com*, True -*.oai.asia*, True -*.oaklandcountycomputerrepair.com*, True -*.oaklandcountycomputerrepairs.com*, True -*.oaklandslodge.co.za*, True -*.oakleafwoodworking.com*, True -*.oakleighfarmcottages.com*, True -*.oaksatstoneycreek.org*, True -*.oakscollection.com*, True -*.oakwoodlakewaterdistrict.com*, True -*.oameniaibucurestiului.ro*, True -*.oanamea.ml*, True -*.oana-moraru.com*, True -*.oanasalongold.ro*, True -*.oapeyde.gr*, True -*.oar.si*, True -*.oase.web.id*, True -*.oasiscloud.co.kr*, True -*.oasishomewares.com*, True -*.oasisinitiative.net*, True -*.oasis-sl.com*, True -*.oasteadomnului.org*, True -*.oatba.com.br*, True -*.oatlandsgate.org.uk*, True -*.obacka.se*, True -*.obagi-au.com*, True -*.obagimedical.com.au*, True -*.obamasworld.com*, True -*.obarsialotrului.ro*, True -*.obashkov.ru*, True -*.obatkuat-alatbantusex.com*, True -*.obatpelangsing.asia*, True -*.obatvitalitaspasutri57.com*, True -*.obavestime.com*, True -*.obbexport.com*, True -*.obbosi.is*, True -*.obbsys.com.mx*, True -*.obdepot.com*, True -*.obedfot.cf*, True -*.obenabe.ch*, True -*.obenaus.com.br*, True -*.obenaus.eti.br*, True -*.oberaencortos.com.ar*, True -*.obermotz.org*, True -*.obe.rs*, True -*.obesca.com*, True -*.obeski.si*, True -*.obgynnaples.com*, True -*.obichiku.org*, True -*.obiectivvaslui.ro*, True -*.obihert.cf*, True -*.obi.li*, True -*.obioat.com*, True -*.obirimelvin.net*, True -*.obispadorqta.org.ar*, True -*.obiteljski-dom-pticek.hr*, True -*.objavimo.si*, True -*.objectcoders.com*, True -*.objective-c.ninja*, True -*.objectworkz.org*, True -*.objvimmer.com*, True -*.oblisc.co.il*, True -*.obmennikwm.ru*, True -*.obmenservice.com*, True -*.obmenservice.ru*, True -*.obn.my*, True -*.obo-bettermann.ir*, True -*.obobrasil.com.br*, True -*.obocia.ga*, True -*.oborot.org*, True -*.obraconsultores.cl*, True -*.obrasocialdelacarne.org.ar*, True -*.obrcenter.ru*, True -*.obrcentr.ru*, True -*.obrekanvps.cf*, True -*.obresca.com*, True -*.obrest.info*, True -*.obrinstitut.ru*, True -*.obriupas.net*, True -*.obscina.ro*, True -*.obscure.ch*, True -*.obscureit.com.au*, True -*.observatorantidrog.ro*, True -*.observatoriomamalluca.cl*, True -*.observatoriorrd.cl*, True -*.obsessionradio.ro*, True -*.obsessiveorange.cf*, True -*.obsidiancomputing.com*, True -*.obsoletegovernment.com*, True -*.obst.net.au*, True -*.obstom.com*, True -*.obuwietorebkibialystok.pl*, True -*.obviostore.com*, True -*.obvs.us*, True -*.oc0544.com*, True -*.oc3anic.info*, True -*.oc3anic.ro*, True -*.oca57.com*, True -*.oca76.com*, True -*.oca87.com*, True -*.oca98.com*, True -*.ocasas.cl*, True -*.ocasos.cl*, True -*.ocay.tk*, True -*.occ57.com*, True -*.occ67.com*, True -*.occ87.com*, True -*.occ97.com*, True -*.occamssolutions.com.au*, True -*.occasionalmoodz.co.uk*, True -*.occident.al*, True -*.occidental-travel.com*, True -*.occidentaltravel.net*, True -*.oc.com.ar*, True -*.occstrategy.hk*, True -*.occupiedberlin.de*, True -*.occupysf.org*, True -*.ocdsurvey.co.uk*, True -*.oceadge.com*, True -*.oceanacademynj.org*, True -*.oceanairproperties.com*, True -*.oceancares.com*, True -*.oceancares.org*, True -*.ocean-dreams.ec*, True -*.oceangroveosteopathy.com.au*, True -*.oceangrovepilates.com.au*, True -*.oceanican.org.mx*, True -*.oceanic.ro*, True -*.oceanmhs.com*, True -*.oceanmhs.org*, True -*.ocean-nation.co.il*, True -*.oceanofcum.net*, True -*.oceanografiaoperacional.com.br*, True -*.oceanografiaoperacional.net*, True -*.oceanos.co.za*, True -*.oceanparkcommunitychurch.com*, True -*.oceanpolice.com*, True -*.oceanpublishing.com.au*, True -*.oceanracingseries.co.za*, True -*.ocean.tw*, True -*.oceanusloscabos.com.mx*, True -*.oceanwashed.com*, True -*.ocehan.com*, True -*.ocelot.com*, True -*.ocenka-msk.net*, True -*.ocenovatel.cz*, True -*.ocg.pt*, True -*.ocheana.tk*, True -*.ochiuma.ro*, True -*.ochocki.org*, True -*.ochovio.com*, True -*.ochres.fi*, True -*.ochrona-obiektu.pl*, True -*.ochrona-powodziowa.pl*, True -*.ocioexperimental.com*, True -*.oclaje.org.br*, True -*.ocl-r.net*, True -*.ocna-mures.org*, True -*.oconnorattorney.org*, True -*.ocorreas.net*, True -*.ocpibr.ro*, True -*.ocp.ro*, True -*.oc-rapid.com*, True -*.ocroro.tk*, True -*.ocsingleadultconference.com*, True -*.ocs-network.com*, True -*.ocspots.com*, True -*.octagono.cl*, True -*.octahedron.in*, True -*.octaldigit.com*, True -*.octalstar.com*, True -*.octalstar.net*, True -*.octan.ch*, True -*.octant.xyz*, True -*.octaviabailbonds.com*, True -*.octaviano.com.ar*, True -*.octaviansfetcu.ro*, True -*.octavio.mx*, True -*.octobersoft.ru*, True -*.octocraft.net*, True -*.octodrip.com*, True -*.octoform.es*, True -*.octopodi.com*, True -*.octopusconsultores.cl*, True -*.octo-tiling.tk*, True -*.octouch.net*, True -*.octshop.ru*, True -*.oculusapertus.net*, True -*.ocuparepentrudezvoltare.ro*, True -*.ocuru.com*, True -*.ocxpressit.com*, True -*.odata.web.id*, True -*.oddbox.org*, True -*.oddheretic.com*, True -*.oddoye.org*, True -*.odec.me*, True -*.oded.sh*, True -*.odeqa.ro*, True -*.odesk-tests.com*, True -*.odettebijoux.cl*, True -*.odetteengland.com*, True -*.odeuondimensioneviaggio.it*, True -*.odiagam.eu*, True -*.odiaxxxx.tk*, True -*.odiaz.cl*, True -*.odies-network.com*, True -*.odilepeyron.ch*, True -*.odi-music.com*, True -*.odimusic.net*, True -*.odinochka.ru*, True -*.odino.com.ar*, True -*.odipe.com*, True -*.odiuken.com*, True -*.odkupvozila.si*, True -*.odliczanie.pl*, True -*.odmg.ru*, True -*.odnoklassnilxi.ru*, True -*.odnosev.name*, True -*.odod1475.com*, True -*.odometer-correction-forum.com*, True -*.odontologiasantana.com.br*, True -*.odontosorriso.com*, True -*.odoobooks.com*, True -*.odoomobile.com*, True -*.odowok.com*, True -*.odprava.si*, True -*.odprk.com*, True -*.odresomi.cf*, True -*.odservers.com*, True -*.od-tres.com.ar*, True -*.odtumezunlari.gen.tr*, True -*.odtz.com*, True -*.oduclos.com*, True -*.oduclos.com.ar*, True -*.odvetnik-skrinjar.si*, True -*.odvi.com.au*, True -*.odya.net*, True -*.odyn.ru*, True -*.odysol.com*, True -*.odysseussolutions.com*, True -*.oeber.com*, True -*.oeboentoe.co.za*, True -*.oeemateriaprima.com.ar*, True -*.oekolampad.ch*, True -*.oemahjowo.web.id*, True -*.oenjan.com*, True -*.oep.gr*, True -*.oes-eds.com*, True -*.oestman.se*, True -*.oesutnrosario.org*, True -*.oevi.com.ar*, True -*.ofad.cl*, True -*.ofborg.net*, True -*.ofbre.com*, True -*.ofek-eng.co.il*, True -*.ofek-ind.co.il*, True -*.ofeport.com*, True -*.ofertacasual.com.br*, True -*.ofertunity.com*, True -*.offalgore.com*, True -*.offbitch.com*, True -*.offbroadwayhotel.com.au*, True -*.offcenterpoetry.com*, True -*.offcolorapp.com*, True -*.offensivelab.ro*, True -*.offer101.info*, True -*.offgamer.com.my*, True -*.offgamer.my*, True -*.offgamers.com.my*, True -*.offgamers.my*, True -*.offgroup.ru*, True -*.offibackup.com*, True -*.officeaudit.biz*, True -*.officebet.com*, True -*.officecabinets.co.za*, True -*.officecruncher.com*, True -*.office-octopus.co.uk*, True -*.office-online.tk*, True -*.officesolutions.pt*, True -*.officesupercomputers.com*, True -*.offici.al*, True -*.officialcp1.in*, True -*.official-draftingc.com*, True -*.officialgabi.com*, True -*.official-monsterbot.ga*, True -*.officialresources.my*, True -*.officialsena.com*, True -*.official-sounding.com*, True -*.official.web.id*, True -*.officinacrea.com*, True -*.officinadetexto.com.br*, True -*.offiplanet.com*, True -*.off.li*, True -*.offline.lt*, True -*.offlinewiki.com*, True -*.offpedia.com*, True -*.off-red.com*, True -*.offresparmail.com*, True -*.offr.hk*, True -*.offsiteassistants.com*, True -*.offsitesolutions.com.ar*, True -*.off-sp.com*, True -*.offthefritz.net*, True -*.offtothecloud.com*, True -*.off-tt.com*, True -*.offwiththepixies.com*, True -*.oficentroplus.com*, True -*.oficer.eu*, True -*.oficinab.cl*, True -*.oficinacarioca.com.br*, True -*.oficinadamoda.net.br*, True -*.oficinadamodaplus.com.br*, True -*.oficinadamodaplussize.com.br*, True -*.oficinahorizontes.com*, True -*.oficinanaval.com.br*, True -*.oficinarelgov.com.br*, True -*.oficinasfisicas.com.mx*, True -*.oficinasportalriesco.cl*, True -*.oficinasrenta.mx*, True -*.ofigirls.com*, True -*.ofirent.cl*, True -*.ofman.com.ar*, True -*.ofmdirect.com*, True -*.ofm.hk*, True -*.ofmrivaslorenz.com.ar*, True -*.ofoliver.com*, True -*.oftalmolog.si*, True -*.ofthehawke.com*, True -*.oftimeps.cf*, True -*.of-war.com*, True -*.ogadeumbanda.cf*, True -*.ogadeumbanda.ga*, True -*.ogadeumbanda.ml*, True -*.ogadeumbanda.tk*, True -*.ogan.cf*, True -*.ogandeumbanda.cf*, True -*.ogandeumbanda.ga*, True -*.ogandeumbanda.ml*, True -*.ogandeumbanda.tk*, True -*.oganilirkab.go.id*, True -*.ogan.ml*, True -*.ogans.cf*, True -*.ogansdeumbanda.cf*, True -*.ogansdeumbanda.ga*, True -*.ogansdeumbanda.ml*, True -*.ogansdeumbanda.tk*, True -*.oganseverinosena.cf*, True -*.oganseverinosena.ga*, True -*.oganseverinosena.ml*, True -*.oganseverinosena.tk*, True -*.ogans.ga*, True -*.ogans.ml*, True -*.ogan.tk*, True -*.ogas.cf*, True -*.ogasdeumbanda.cf*, True -*.ogasdeumbanda.ga*, True -*.ogasdeumbanda.ml*, True -*.ogasdeumbanda.tk*, True -*.ogaseverinosena.cf*, True -*.ogaseverinosena.ga*, True -*.ogaseverinosena.ml*, True -*.ogaseverinosena.tk*, True -*.ogas.ga*, True -*.ogas.ml*, True -*.ogautomobile.ch*, True -*.ogautomobiles.ch*, True -*.og-cs.hr*, True -*.ogecca.net*, True -*.oggifacciolaspesa.it*, True -*.oggsync.org*, True -*.oghamenterprises.com*, True -*.oginni.com*, True -*.oglasoglasi.com*, True -*.oglesbypm.com*, True -*.ogmios.tk*, True -*.ognemojikilommeshmedia.co*, True -*.ognemojikilomnetmedia.co*, True -*.ognemojikilomnetworkmedia.co*, True -*.ognemojikilomtrafficacademy.co*, True -*.ognemojikilomtraffic.co*, True -*.ognemojikilomtrafficlawyer.co*, True -*.ognemojikilomtrafficschool.co*, True -*.ognemojikilomtrafficticket.co*, True -*.ognemojikilomtraffictickets.co*, True -*.ognemojikilomwebmed.co*, True -*.ognemojikilomwebmedia.co*, True -*.ognemojikilomwebmediagroup.co*, True -*.ognemojikilomwebmediamarketing.co*, True -*.ognemojikilomwebmediaservices.co*, True -*.ognemojikilomwebmediasolutions.co*, True -*.ognikuzbassa.ru*, True -*.ognioodporna.pl*, True -*.ogniowa.pl*, True -*.ogniowe.pl*, True -*.ogradysguesthouse.com*, True -*.ogreenergy.ru*, True -*.ogrigas.eu*, True -*.ogrinformatica.com.br*, True -*.ogs.ro*, True -*.ogum.cf*, True -*.ogum.ga*, True -*.ogum.ml*, True -*.ogumseteondas.cf*, True -*.ogumseteondas.ga*, True -*.ogumseteondas.ml*, True -*.ogumseteondas.tk*, True -*.ogun.cf*, True -*.ogun.ga*, True -*.ogun.ml*, True -*.oguro.com.br*, True -*.oh2nora.fi*, True -*.ohalloranms.com.au*, True -*.ohara.cl*, True -*.ohaynhi.com*, True -*.ohbabyonlinehk.com*, True -*.ohbah.com*, True -*.ohbsa.cl*, True -*.ohduh.info*, True -*.ohel16.co.il*, True -*.ohhfuck.me*, True -*.ohhi.com*, True -*.ohi.co*, True -*.ohioemployeeattorney.com*, True -*.ohiofreenet.org*, True -*.ohiohealthsimulation.com*, True -*.ohioriverbridges.com*, True -*.ohioticketpayments.info*, True -*.ohioticketpayments.net*, True -*.ohio.zone*, True -*.ohi.tw*, True -*.ohjain.fi*, True -*.ohlalatube.com*, True -*.ohmascaras.com.br*, True -*.ohmnet.ro*, True -*.ohmyboss.ru*, True -*.ohmygeek.com.au*, True -*.ohmyglob.ml*, True -*.ohmyguide.com.ar*, True -*.ohpsoft.com.br*, True -*.oh-shi.ru*, True -*.ohshitisfernandon.cl*, True -*.ohzer.com*, True -*.oicbiggy.net*, True -*.oieriivlahi.ro*, True -*.oij.me*, True -*.oikodomo.gr*, True -*.oiktv.com*, True -*.oilandgasjobshop.com*, True -*.oilcombustibles.com*, True -*.oilcompeticion.com*, True -*.oilfree.com.ar*, True -*.oil-sfu.ru*, True -*.oim-inc.net*, True -*.oip.cc*, True -*.oiregionalconnect.com*, True -*.oislagarde.com.ar*, True -*.oisolucoespramepresas.com.br*, True -*.oispasia.com*, True -*.oitcl.com*, True -*.oitentaedois.com.br*, True -*.oitsc.com*, True -*.oivallinen.fi*, True -*.ojalehto.fi*, True -*.ojcouto.com.br*, True -*.ojedaesteybar.com.ar*, True -*.ojler.ru*, True -*.ojob.ro*, True -*.ojopiojo.cl*, True -*.ojt44.com*, True -*.ojt55.com*, True -*.ojt66.com*, True -*.ojt77.com*, True -*.ojt99.com*, True -*.okamobi.net*, True -*.okay.com.tr*, True -*.okaziimega.ro*, True -*.okbigfootsymposium.com*, True -*.okboomer.com*, True -*.okcdeaf.com*, True -*.okcomputersolutions.ca*, True -*.okcomputersolutions.com*, True -*.okcs.ca*, True -*.okdjmusic.com*, True -*.oke020.com*, True -*.okeefefamilycenter.org*, True -*.oke.io*, True -*.okemasbro.tk*, True -*.okephone.com*, True -*.okesolo.ml*, True -*.okey.gen.tr*, True -*.okfm91.com*, True -*.okiargentina.com.ar*, True -*.okiedokers.com*, True -*.okitrust.com*, True -*.okk35.com*, True -*.okk48.com*, True -*.okk52.com*, True -*.okk79.com*, True -*.okk94.com*, True -*.okke.org*, True -*.okmag.tk*, True -*.okmemory.com*, True -*.oknoaluminiowe.pl*, True -*.okoloko.one.pl*, True -*.okpeinture.ch*, True -*.okservice.ro*, True -*.ok-studio.com.ar*, True -*.okta.gq*, True -*.oktandry.com*, True -*.oktiabr.ru*, True -*.okto.cf*, True -*.oktogon.ro*, True -*.oktravel.ro*, True -*.okudan.org*, True -*.okwebhard.net*, True -*.okwhatson.com*, True -*.okwhatson.co.uk*, True -*.okwhatson.uk*, True -*.okz999.com*, True -*.okzk.com*, True -*.olacs.com*, True -*.olacs.net*, True -*.olacs.us*, True -*.olafitoweb.com.ar*, True -*.olaf-roeder.de*, True -*.olaphelpdesk.com*, True -*.olaponcall.com*, True -*.olare.se*, True -*.olasoft.ru*, True -*.olathenativities.com*, True -*.olaylarakarisma.com*, True -*.olbiz.net*, True -*.olcaykrkmz.com*, True -*.olceseabogados.com.ar*, True -*.olcese.com.ar*, True -*.olcl.com*, True -*.olcllc.com*, True -*.olcottfamily.com*, True -*.old-device.ru*, True -*.olddevice.ru*, True -*.olddreamteam.ch*, True -*.oldelizabethansrfc.co.uk*, True -*.oldfart.com.au*, True -*.oldgod.org*, True -*.oldhankstradingcompany.com*, True -*.oldjetty.com.my*, True -*.oldjetty.my*, True -*.oldmachinesband.com*, True -*.oldmancloud.com*, True -*.old-member.com*, True -*.oldmillstation.org*, True -*.oldpigeonbooking.com*, True -*.old-project.com*, True -*.oldquad.org*, True -*.oldriponians.org.uk*, True -*.oldrussianmagic.com*, True -*.oldsadsongs.com*, True -*.oldschool-slo.com*, True -*.oldserver.net*, True -*.oldskoolclublands.co.uk*, True -*.oldsmarsoccerboys.com*, True -*.oldsmokeandcarol.com*, True -*.oldsoftwarelibrary.com*, True -*.oldsouthmarlinclub.com*, True -*.oldtcity.net*, True -*.oldwillow.co.za*, True -*.ole-brum.net*, True -*.oleg888.ru*, True -*.oleg.info*, True -*.olegp.ru*, True -*.olegshilov.com*, True -*.olegtaktarov.org*, True -*.oleholehcimahi.com*, True -*.oleholehgunungkidul.com*, True -*.oleksi.fi*, True -*.olelukoie.ru*, True -*.oletu.net*, True -*.olgatarasova.ru*, True -*.olgcfashionshow.org*, True -*.olife.org*, True -*.oligra.com.ar*, True -*.olikasvang.com*, True -*.olimpidus.com.ar*, True -*.olistrut.de*, True -*.oliucanit.com.ar*, True -*.olivedalemontessori.co.za*, True -*.oliver.adm.br*, True -*.oliverclarke.co.uk*, True -*.olivercressey.co.uk*, True -*.oliverexorna.co.uk*, True -*.oliverjcole.co.uk*, True -*.oliverlorenz.com*, True -*.oliver-schmidt.ch*, True -*.olivers.com*, True -*.oliverscreek.com*, True -*.oliversill.de*, True -*.olivesin.com*, True -*.olivesoapbar.com*, True -*.olivia-ernest.com*, True -*.olivierbeaulieu.ca*, True -*.olivinelabs.com*, True -*.olivinelabs.net*, True -*.olivinelabs.org*, True -*.oljka.com*, True -*.olker-family.com*, True -*.ollemans.com*, True -*.ollieshome.net*, True -*.ollipietikainen.fi*, True -*.olly577.com*, True -*.ollys.to*, True -*.olmedo.cl*, True -*.olmedopastor.com*, True -*.olmos.cl*, True -*.olmug.pl*, True -*.ololololol.net*, True -*.olomp.org.au*, True -*.olos.gr*, True -*.olovsson.se*, True -*.olsem.ro*, True -*.olsgaard.net*, True -*.olshosting.com.ar*, True -*.olsonds.com*, True -*.olszak.tk*, True -*.oltali.com.tr*, True -*.oltcollege.com*, True -*.olt.im*, True -*.olt.me*, True -*.olt.net*, True -*.ol-training.com*, True -*.oltraining.com*, True -*.ol-training.net*, True -*.oltraining.net*, True -*.oltschool.com*, True -*.oltschool.net*, True -*.oltschool.org*, True -*.olujohn.tk*, True -*.oluman.co.uk*, True -*.oluroyle.com*, True -*.oluyide.com*, True -*.olympia.pk*, True -*.olympicdraft.com*, True -*.olympicnails.com*, True -*.olympictiles.com.au*, True -*.omaestate.com*, True -*.omaforos.com.ar*, True -*.omahadynamicauto.com*, True -*.omah.com.au*, True -*.omahony.id.au*, True -*.omahqwedding.com*, True -*.omakis.com*, True -*.omamah.com*, True -*.omanix.com*, True -*.omanuela.com*, True -*.o.maori.nz*, True -*.om-ari.cf*, True -*.omarloveschristina.com*, True -*.omaservice.ro*, True -*.omax-marine.com*, True -*.omaygroup.com*, True -*.ombikramkhadka.com.np*, True -*.ombilicalo.org*, True -*.ombley.com*, True -*.ombligos.cl*, True -*.omcmedialcare.com*, True -*.omco.org*, True -*.omdekaap.com*, True -*.omega552003.com*, True -*.omegacrewing.ro*, True -*.omegaentertainmentnetwork.tk*, True -*.omegaflee.com*, True -*.omegalogistics.net*, True -*.omeganull.com*, True -*.omega-radio.tk*, True -*.omegasoft.com.ve*, True -*.omega-sprl.ro*, True -*.omegatech.tw*, True -*.omeisudi.com*, True -*.omekimaishop.org*, True -*.omertacloud.cf*, True -*.omes.co.za*, True -*.omexey.com*, True -*.omfg.pl*, True -*.omgevingsplan.info*, True -*.omgilovetocook.com*, True -*.omgovinda.com.ar*, True -*.omgpwned.net*, True -*.omg.si*, True -*.omgwtf.cl*, True -*.omicroncity.com*, True -*.o-micron.com*, True -*.omicronplexus.com*, True -*.omidasayesh.com*, True -*.omidmoshaver.com*, True -*.omid-moshaver.ir*, True -*.ominous-latin-noun.com*, True -*.omisysinc.net*, True -*.ommani.ro*, True -*.ommidvar.ir*, True -*.om-natura.ro*, True -*.omniamanagement.ro*, True -*.omniasolucoes.com.br*, True -*.omnibitgrupa.hr*, True -*.omnibyte.net*, True -*.omnicam.pt*, True -*.omnicasino.co.za*, True -*.omnicoin.net*, True -*.omnidrives.com*, True -*.omnifoc.us*, True -*.omniget.com*, True -*.omnigrafix.net*, True -*.omnigruntware.com*, True -*.omnilogic.com.my*, True -*.omnimac.com.au*, True -*.omnimodusconsulting.com*, True -*.omnion.biz*, True -*.omniondigital.com*, True -*.omnion.in*, True -*.omnioninteractive.com*, True -*.omnionmedia.com*, True -*.omnionmobile.com*, True -*.omnion.org*, True -*.omnionphoto.com*, True -*.omnionpremedia.biz*, True -*.omnionpremedia.net*, True -*.omnionpremedia.org*, True -*.omnionstudio.com*, True -*.omnionstudios.com*, True -*.omnionsystems.com*, True -*.omniscientcloud.com*, True -*.omnisib-sms.tk*, True -*.omnivoreaudio.com*, True -*.omnivoro.us*, True -*.omopliutmedia.pw*, True -*.omradio.ml*, True -*.omransabz.com*, True -*.omschool.org.uk*, True -*.omtexcr.com*, True -*.omt.org.ve*, True -*.omvaleom.com.ar*, True -*.omvirtual.es*, True -*.omytrip.com*, True -*.on1240.com*, True -*.o-n2.co.kr*, True -*.on79.net*, True -*.onachile.cl*, True -*.onahadg.com.ar*, True -*.onahotel.com.ar*, True -*.onair-ej.com*, True -*.onair-o.com*, True -*.onair-on.com*, True -*.onair-x.com*, True -*.onair-z.com*, True -*.onapon.com*, True -*.onapthietbidien.com*, True -*.onbehalf.com.br*, True -*.onc33.com*, True -*.onc44.com*, True -*.onc49.com*, True -*.onc56.com*, True -*.onc99.com*, True -*.on-call.ch*, True -*.onclearthur.com*, True -*.oncount.net*, True -*.ondablu.tk*, True -*.ondasonora.ch*, True -*.ondecomerebeber.com.br*, True -*.ondemandgeek.com*, True -*.ondemand.net.au*, True -*.ondeoventofazacurva.com*, True -*.ondetrabalhar.com*, True -*.ondetrabalhar.com.br*, True -*.ondudu.com*, True -*.one2tri4.com*, True -*.one2tri4.net*, True -*.one97.ml*, True -*.oneandco.ro*, True -*.onebeeu.com*, True -*.onebid.net*, True -*.onecut.com.au*, True -*.onederfultech.com*, True -*.onedoer.com*, True -*.onedollaradwordsscripts.com*, True -*.onedollarscripts.com*, True -*.onedot.co.uk*, True -*.onedrawgallery.com*, True -*.onedrawtwommj.com*, True -*.onefitmodel.com*, True -*.onefortheroaddiy.com*, True -*.oneget.org*, True -*.oneglobalsource.com*, True -*.onegolfclub.com*, True -*.oneguntheory.com*, True -*.onehealthdb.org*, True -*.oneheart.club*, True -*.oneheartproductions.com.au*, True -*.onehopestudio.com*, True -*.oneilusm.com*, True -*.oneindonesia.co.id*, True -*.oneinternational.com.my*, True -*.oneiroboros.com*, True -*.oneironautics.com*, True -*.oneirozoo.com*, True -*.onelastcast.com*, True -*.onelifeonechoice.com.au*, True -*.onelostfeather.com*, True -*.onelvoe.com*, True -*.onemantwowheels.info*, True -*.onemercado.net*, True -*.onemin.ru*, True -*.one-night.it*, True -*.onenight.it*, True -*.oneoutofthisworld.com*, True -*.oneovo.tk*, True -*.onepavlov.com*, True -*.onepiece.cl*, True -*.onepiecesub.com*, True -*.onepod.cn*, True -*.oneport.ru*, True -*.onepvp.com*, True -*.onereasonnottogetmarried.com*, True -*.onereport.com.au*, True -*.oneselnord.com*, True -*.oneserver.com.au*, True -*.onesidedbox.com*, True -*.onesimplehost.com*, True -*.onesixtyseven.com.au*, True -*.oneslowsi.com*, True -*.onesouthbeach.com*, True -*.onesouthbroadway.com*, True -*.onestopdir.com.my*, True -*.onestore.nl*, True -*.onestyles.com*, True -*.onesys.asia*, True -*.onesys.com.au*, True -*.onesys.info*, True -*.onesys.mobi*, True -*.onesys.net.au*, True -*.one-team.cl*, True -*.onetech.cn*, True -*.onetech.inf.br*, True -*.onethree.net*, True -*.onet.tw*, True -*.onetwodesign.com.ar*, True -*.oneundergroundradio.com*, True -*.oneunderground.ro*, True -*.oneup.fi*, True -*.onewayfishing.com*, True -*.onewoods.com*, True -*.onewoods.org*, True -*.oneworldcollection.com.au*, True -*.oneworldcollection.co.nz*, True -*.oneworldled.com*, True -*.oneworldled.com.au*, True -*.onexchanges.com*, True -*.onexoxprepaid.asia*, True -*.onexwcsssd.com*, True -*.onfb.ga*, True -*.ongcristal.ro*, True -*.ongian.com*, True -*.ongisnade.co.id*, True -*.ongles86.fr*, True -*.onglitude.be*, True -*.ongoers.com*, True -*.onhub.ga*, True -*.oniichan.me*, True -*.onionproxy.net*, True -*.onion-switch.com*, True -*.on-irc.ml*, True -*.onit.com.ar*, True -*.onity.ch*, True -*.onkelborgdns.com*, True -*.onkiup.com*, True -*.onl1ne.ml*, True -*.online247.com.mx*, True -*.online4g.ru*, True -*.onlineacademycharterschool.com*, True -*.onlineacademycharterschool.net*, True -*.onlineadvertisingworkshop.ca*, True -*.onlineaksesuar.com*, True -*.online-all.ro*, True -*.onlineaquarium.co.za*, True -*.online-books.co.il*, True -*.online-business-review.com*, True -*.onlinecashonline.com*, True -*.online-cashpaydayloans24hr.org*, True -*.onlinecashreview101.com*, True -*.onlinecash.ro*, True -*.online-casino-advisor.com*, True -*.online-catalog.ro*, True -*.onlinecertificate.org*, True -*.onlinecertificates.org*, True -*.onlinecheats.net*, True -*.onlinecheckregister.com*, True -*.onlinechess.ro*, True -*.onlinechildcareclass.com*, True -*.onlineclays.co.uk*, True -*.online-components.eu*, True -*.online-computer-training.com.au*, True -*.onlinedjfx.co.uk*, True -*.onlinedownload.ru*, True -*.onlineforextradingsoftware.info*, True -*.onlinegamefun.net*, True -*.onlinehosereels.com*, True -*.onlinehosereels.com.au*, True -*.onlinehosereels.co.nz*, True -*.onlinehosereels.co.uk*, True -*.online-infinity.net*, True -*.onlineinsurancecourses.com*, True -*.onlinekoll.com*, True -*.onlinekuryekargo.com*, True -*.online-lektorat.ch*, True -*.onlinelimosreservation.com*, True -*.onlinemanager.pl*, True -*.onlinemonitoring.web.id*, True -*.onlinenet.com.tr*, True -*.onlineopros.org*, True -*.onlinepaydayloannofax.com*, True -*.onlinepetstore.nl*, True -*.online-pharm.net*, True -*.onlinepokerisrigged.com*, True -*.online-porevo.net*, True -*.onlineradio.ro*, True -*.onlinerights.ca*, True -*.onlineryans.com*, True -*.online-school.co.il*, True -*.onlinesfilm.ru*, True -*.onlinestore.web.id*, True -*.onlineszerver.hu*, True -*.onlineteck.com*, True -*.onlinetherapyuser.org*, True -*.onlinetrack.com.ar*, True -*.onlinetrainingservices.com.au*, True -*.onlinetravel.cl*, True -*.onlinetravel.tur.ar*, True -*.online.tur.ar*, True -*.onlinetv.com.pk*, True -*.onlinetv.hk*, True -*.online-videokurse.ch*, True -*.onlineyoutube.com*, True -*.onlullaby.com*, True -*.onlyami.ga*, True -*.onlychange.com*, True -*.only-friends.ro*, True -*.onlyhealth.co.za*, True -*.onlyhuman.cl*, True -*.onlykute.com*, True -*.onlythebestwork.in*, True -*.onlyu4ever.net*, True -*.onlyu4ever.org*, True -*.onlyyourhome.com*, True -*.onmedia.ro*, True -*.onmyroad.com*, True -*.onmywayhostel.com*, True -*.onnatranser.ro*, True -*.onnepank.ee*, True -*.onnetcall.com*, True -*.onn.name*, True -*.onnoboya.com*, True -*.onoapa.com*, True -*.onoderakosaki.net*, True -*.on-off.tw*, True -*.onogle.com*, True -*.ononu.com*, True -*.onopho.be*, True -*.onoranzefuebripellegriniperni.ch*, True -*.onoranzefunebricocchi.ch*, True -*.onoria.ch*, True -*.onotoko.com*, True -*.onplick.com*, True -*.onplick.pl*, True -*.onpointtechnologyinc.com*, True -*.onpremise.cl*, True -*.on-radio.com*, True -*.onretweet.com*, True -*.onsaleblackfridaydeals.com*, True -*.onsball.net*, True -*.onset.lv*, True -*.onsis.com.br*, True -*.onsite.lt*, True -*.onsitereport.com*, True -*.onsolution.com.br*, True -*.ontariohealthyvending.com*, True -*.onteorasoftware.net*, True -*.onte.se*, True -*.onthemove-relocation.net*, True -*.onthenetstorage.com*, True -*.ontherocksar.com.ar*, True -*.on-track.com.au*, True -*.ontruyen.com*, True -*.onudemy.ga*, True -*.onuragi.info*, True -*.onuris.com.ar*, True -*.onvenus.com*, True -*.onwechat.info*, True -*.onworldwide.com*, True -*.onymous.co*, True -*.onyoff.com.ar*, True -*.onz.hk*, True -*.onzionzi.com.br*, True -*.oo0oo.net*, True -*.oo10.co*, True -*.oocode.com*, True -*.ood.li*, True -*.oodz.com*, True -*.oo.fi*, True -*.oogabooga.se*, True -*.oohatoo.com*, True -*.oohlalamama.com*, True -*.oohsnap.net*, True -*.oo-mox.org*, True -*.oonboy.us*, True -*.ooopsmanagement.ro*, True -*.oopa.gr*, True -*.ooprogrammer.ir*, True -*.oops7.com*, True -*.oops-jj.com*, True -*.oort.tk*, True -*.oost.me*, True -*.oos.tw*, True -*.ooug.net*, True -*.oov7.com*, True -*.oovb.com*, True -*.ooyuki.org*, True -*.oozei.in*, True -*.op-588.com*, True -*.opacity.net.au*, True -*.opackmakine.com*, True -*.opackmakine.com.tr*, True -*.opakmakine.com*, True -*.opakmakine.com.tr*, True -*.opalex.info*, True -*.opaline.cl*, True -*.opalvision.com*, True -*.opanasenko.com*, True -*.opan.biz*, True -*.opan.cf*, True -*.opanlab.com*, True -*.opan.web.id*, True -*.opasc.net*, True -*.opatija-inzenjering.com*, True -*.opazo.cl*, True -*.op-battle.club*, True -*.opcionguik.com.mx*, True -*.opcion-libre.com.ar*, True -*.op.co.za*, True -*.opcpanama.com*, True -*.open18hs.com.ve*, True -*.open2investment.co.uk*, True -*.open365.cl*, True -*.open-arena.com*, True -*.openarenahelp.com*, True -*.openar.net*, True -*.openascendence.com*, True -*.open-auth.com*, True -*.openb2b.com.br*, True -*.openbase.ir*, True -*.openblocks.com*, True -*.openblog.ro*, True -*.openbots.com*, True -*.openbots.org*, True -*.openbox.cl*, True -*.opencaching.org*, True -*.openccd.com*, True -*.opencdn.com.br*, True -*.opencensus.org.za*, True -*.openchain.pt*, True -*.opencod.in*, True -*.opencomms.org*, True -*.opencomponentproject.org*, True -*.openconsultant.ch*, True -*.opencredentials.org*, True -*.opendata.cl*, True -*.opendoorteen.org*, True -*.openelections.org.za*, True -*.open-em.org*, True -*.openerpbook.com*, True -*.openflow.ru*, True -*.openfountain.cl*, True -*.opengames.com.ar*, True -*.opengbh.net*, True -*.opengovcanada.ca*, True -*.opengtspro.com*, True -*.openhandpittsburgh.org*, True -*.openhardware.co.za*, True -*.openhealth.org.za*, True -*.openhomekomi.ru*, True -*.openinnovations-inc.com*, True -*.openjob.hk*, True -*.openkaka.tk*, True -*.openkey-bagolf.com.ar*, True -*.openkey-elcentauro.com.ar*, True -*.openkey-informa.com.ar*, True -*.openkey-smdt.com.ar*, True -*.openkod.com*, True -*.openlug.com*, True -*.openly.se*, True -*.openmemex.com*, True -*.openmindgroup.eu*, True -*.openmindgroup.ro*, True -*.openmine.cl*, True -*.openmobilefree.net*, True -*.openoffcampus.com*, True -*.openpact.com.my*, True -*.openpaths.cc*, True -*.openphdguiding.org*, True -*.openpilates.com.ar*, True -*.openpolitics.org.za*, True -*.openpublicdata.com*, True -*.open-roads.ca*, True -*.openroadsrv.ca*, True -*.openservices.sk*, True -*.opensinergia.com.ve*, True -*.opensips.pro*, True -*.openskyline.ru*, True -*.opensoftpro.com*, True -*.opensourcecuring.com*, True -*.opensourcefarm.org*, True -*.opensourcequad.com*, True -*.opensrc.mx*, True -*.opens.ro*, True -*.open-star.net*, True -*.openstart.com*, True -*.openstop.com*, True -*.openstruct.eu*, True -*.openstruct.info*, True -*.openstruct.mobi*, True -*.openstruct.net*, True -*.openstruct.nu*, True -*.openstruct.se*, True -*.opensur.cl*, True -*.opensuse.ro*, True -*.openswirl.org*, True -*.opensynapses.net*, True -*.opentechconsulting.ro*, True -*.opentech.sk*, True -*.open-telecom.ro*, True -*.opentrademark.com*, True -*.opentransport.pl*, True -*.openttd.com.br*, True -*.openvds.ru*, True -*.openxltd.com*, True -*.openxsolutions.com*, True -*.operacaostop.pt*, True -*.operadongiustino.it*, True -*.operadoradecreditos.com*, True -*.operadorasantafe.com.ar*, True -*.operamini-sinhala.tk*, True -*.operamundo.ch*, True -*.opera-rdcpc.tk*, True -*.operaruba.com*, True -*.opera-sinhala.tk*, True -*.operationbim.com*, True -*.operativsystem.eu*, True -*.operatormasih.tk*, True -*.oper.ninja*, True -*.opersa.com.ar*, True -*.operwap.com*, True -*.opesite.web.id*, True -*.opfederales.com.ar*, True -*.ophre4k-id.cf*, True -*.ophtalmologue-verviers.be*, True -*.ophtalmos.com.br*, True -*.opie.at*, True -*.opiecreativeartsclub.com*, True -*.opik.gq*, True -*.opiliones.com*, True -*.opinari.net*, True -*.opiniaolteniei-gorj.ro*, True -*.opiniondigital.org*, True -*.opinoks.com*, True -*.opior.com*, True -*.opita-stroitelstva.net*, True -*.opium.cz*, True -*.opkkk-chat.tk*, True -*.opkode.co.za*, True -*.opkotingeel.be*, True -*.opkut.eu*, True -*.oplachise.com*, True -*.oplanob.com*, True -*.oplungiphone4.com*, True -*.oplustec.com*, True -*.opmholding.com*, True -*.opmmail3.com*, True -*.opmmail4.com*, True -*.opmmail5.com*, True -*.opmmail7.com*, True -*.opmmail8.com*, True -*.opm.si*, True -*.opontografico.com.br*, True -*.opoopoiso.com*, True -*.oportours.com*, True -*.oportuna.cl*, True -*.oposicionesa.com*, True -*.opovodeguimaraes.pt*, True -*.opovo.pt*, True -*.opp24.com*, True -*.oppaysoftshare.net*, True -*.oppexchange.com*, True -*.oppiartikkelit.fi*, True -*.oppimateriaali.fi*, True -*.oppimateriaalit.fi*, True -*.opportunity-canada.ca*, True -*.opportunity-canadians.ca*, True -*.oppsa.com.ar*, True -*.opqode.be*, True -*.opravanaraznika.sk*, True -*.opree.com.br*, True -*.oprek.net*, True -*.opris.at*, True -*.oprosonline.kz*, True -*.op-servers.tk*, True -*.opseu675.org*, True -*.opsinergi.co.id*, True -*.opsninja.com*, True -*.ops-tegaldlimo.com*, True -*.opstools.org*, True -*.ops.web.id*, True -*.opt.cl*, True -*.optiaustro.ec*, True -*.opticabattilana.com.ar*, True -*.opticabermudez.com.ar*, True -*.opticabox.com.br*, True -*.opticalconsultant.tk*, True -*.opticalize.com*, True -*.opticalninjas.gq*, True -*.opticalninjas.tk*, True -*.opticalosangeles.com.ar*, True -*.opticalotter.com*, True -*.opticalummer.com.ar*, True -*.opticamirasoles.com.ar*, True -*.optica-pro.ru*, True -*.opticapro.ru*, True -*.opticasbema.cl*, True -*.opticaslucena.com*, True -*.optichinagriculture.com*, True -*.opties.com*, True -*.optihost.eu*, True -*.optika-avsec.si*, True -*.optika-pro.ru*, True -*.optikapro.ru*, True -*.optikerutangranser.com*, True -*.optikerutangranser.nu*, True -*.optikerutangranser.org*, True -*.optikerutangranser.se*, True -*.optimal-living-center.com*, True -*.optimal-technology.co.uk*, True -*.optimalux.ca*, True -*.optima-mas.com*, True -*.optimanesia.com*, True -*.optima-pro.pl*, True -*.optimas.co.id*, True -*.optimawaterfilter.com*, True -*.optimeat.ro*, True -*.optimist-baleares.net*, True -*.optimist-under-siege.com*, True -*.optimistundersiege.com*, True -*.optimized-designs.com*, True -*.optimized-projects.com*, True -*.optimo.web.id*, True -*.optimumassetmanagement.ch*, True -*.optimumexpert.ro*, True -*.optimumlog.com*, True -*.optimus-games.com*, True -*.optimuswide.com*, True -*.optimuz-sector.cf*, True -*.optindatachambers.us*, True -*.optinvest.be*, True -*.optioinc.com*, True -*.optional.cf*, True -*.optional.ga*, True -*.optional.ml*, True -*.option-sante.ch*, True -*.optique-saconnex.ch*, True -*.optispace.net*, True -*.optispace.org*, True -*.optivoice.com*, True -*.optivoice.eu*, True -*.optivoice.net*, True -*.optivoice.ro*, True -*.optixconsulting.co.uk*, True -*.optizan.ro*, True -*.optland.com*, True -*.opto.ro*, True -*.optsoluciones.cl*, True -*.optube.com*, True -*.opuspecunia.ca*, True -*.opuspecunia.com*, True -*.opussanguinis.com.ar*, True -*.opuss.tk*, True -*.opzone.ga*, True -*.ora300.cl*, True -*.oraange.net*, True -*.oraclelab.mobi*, True -*.oral-contraception.com*, True -*.orallagos.pt*, True -*.oralse.cx*, True -*.oralsexual.info*, True -*.oralvida.cl*, True -*.orangeart.in*, True -*.orangeayso.org*, True -*.orangeblox.net*, True -*.orangecitycomputers.com.au*, True -*.orangecountychoppers.ru*, True -*.orangeroad.com*, True -*.orangerobot.com*, True -*.orangetweed.com*, True -*.orangeygreen.cl*, True -*.orangutandesigns.com*, True -*.oranzerija.si*, True -*.oraone.net*, True -*.orarscolar.ro*, True -*.oratech-solution.com.my*, True -*.oratixcreative.com*, True -*.orb2b.com*, True -*.orbed.co*, True -*.orbed.co.uk*, True -*.orbed.net*, True -*.orbicorp.cl*, True -*.orbiflex.co.za*, True -*.orbis-corp.com.ve*, True -*.orbitalfish.tk*, True -*.orbitalsoftware.com*, True -*.orbit-inc.net*, True -*.orboli.net*, True -*.orbvious.com*, True -*.orcafan.com*, True -*.ordanburdan.com*, True -*.orderble.com*, True -*.order-boy.com*, True -*.order-domain.com*, True -*.ordermaster.tw*, True -*.ordermotor.com*, True -*.ordermysmoothie.com*, True -*.orderofthenightfury.org*, True -*.orderworks.com*, True -*.ordinacija.si*, True -*.ordinaryradical.ca*, True -*.ordinateurs-anix.com*, True -*.ordo-rosarius-equilibrio.com*, True -*.ordo-rosarius-equilibrio.net*, True -*.oreidohardware.com*, True -*.oreilco.com*, True -*.oreilly.ro*, True -*.orejasdelefante.com.ar*, True -*.oremus.cl*, True -*.orenbayan.com*, True -*.orenbayan.com.tr*, True -*.orenbayandora.com.tr*, True -*.orenbayanesarp.com.tr*, True -*.orenbayanhavlu.com.tr*, True -*.orenbayannevresim.com.tr*, True -*.orenbayansal.com.tr*, True -*.orenbayanyazma.com.tr*, True -*.orenbayanyemeni.com.tr*, True -*.orenznakomstva.ru*, True -*.orestefiori.com.ar*, True -*.oresumodaopera.com.br*, True -*.oresz.pl*, True -*.orfanosmarine.gr*, True -*.orfordfoodservice.com*, True -*.orfordspareparts.com*, True -*.org1.gq*, True -*.org1.ml*, True -*.orgack.com*, True -*.organdeexecutare.ro*, True -*.organicallyorganic.com*, True -*.organicandnatural.asia*, True -*.organicconvert.com*, True -*.organicdabbrothers.com*, True -*.organicdabcup.com*, True -*.organicdatacuration.org*, True -*.organicdatapublishing.org*, True -*.organiclifestylefestival.com*, True -*.organicmag.ro*, True -*.organicnutrition.fi*, True -*.organicsales.ro*, True -*.organik.web.id*, True -*.organizacionpais.com.ar*, True -*.organizarenuntabotez.ro*, True -*.organosuperiordeparques.com.ve*, True -*.orgcolors.com*, True -*.orgsur-ford.com.ar*, True -*.orgwolf.com*, True -*.orienta.com.br*, True -*.orient.al*, True -*.orientalico.sk*, True -*.orientalism.ir*, True -*.orientalparts.ro*, True -*.orientaltechnaco.com*, True -*.orientare-ajoph.ro*, True -*.oriente.cl*, True -*.orientmills.com*, True -*.orientransport.ro*, True -*.oriezt-community.net*, True -*.oriflama.cl*, True -*.oriflamecom.ru*, True -*.oriflamemlm.ru*, True -*.oriflame-online.tk*, True -*.oriflame-uyelik.com*, True -*.origamimommy.com*, True -*.origamitea.com*, True -*.origendeco.cl*, True -*.origendinosaurio.tk*, True -*.origenfollowers.tk*, True -*.originality.ro*, True -*.originaltechguru.com*, True -*.originlog.com*, True -*.originnrg.com*, True -*.originovelty.com*, True -*.originsoft.co.uk*, True -*.oriidan.info*, True -*.orija.com.br*, True -*.oril.tk*, True -*.ori.md*, True -*.orinandcorporation.com*, True -*.oriondemo-ca.com*, True -*.oriondias.com*, True -*.orion.ec*, True -*.orionflame.com*, True -*.orionitsystems.co.uk*, True -*.orion-rts.com*, True -*.orion-station.com*, True -*.orionstella.co.uk*, True -*.orionsurf.com*, True -*.orionuk.ru*, True -*.orionx64.com*, True -*.orionxnova.com*, True -*.ori.ro*, True -*.orixa.cf*, True -*.orixa.ga*, True -*.orixa.ml*, True -*.orixas.cf*, True -*.orixas.ga*, True -*.orixas.ml*, True -*.orizonturisenine.ro*, True -*.orjexmodder.tk*, True -*.orks-sind.net*, True -*.orlando220.org*, True -*.orlandobsd.org*, True -*.orlandobsd.us*, True -*.orlandoforums.net*, True -*.orlandopaoletta.com.ar*, True -*.orla.org.uk*, True -*.orleansrv.ca*, True -*.orlease.ch*, True -*.orlic.us*, True -*.orlx.com.au*, True -*.orly.cf*, True -*.orly.ml*, True -*.orly.tk*, True -*.ormadeco.ch*, True -*.ormamex.com.mx*, True -*.ormamex.mx*, True -*.orm.com.my*, True -*.ormistonpark.org.uk*, True -*.ormstonfamily.com*, True -*.ormy.ru*, True -*.ornament-him.ru*, True -*.ornan.co.il*, True -*.ornepaint.com*, True -*.ornothingelse.com*, True -*.orobo.ro*, True -*.orodeschi.com.br*, True -*.orodoo.com*, True -*.oroesperanza.com.ar*, True -*.orok.org*, True -*.oroksegunk.ro*, True -*.oroneninja.com*, True -*.oroneninja.org*, True -*.oronseguros.cl*, True -*.oro.si*, True -*.oro-verde.ch*, True -*.oroverdehotels.com*, True -*.oroverdesa.com.ar*, True -*.orpacs.com*, True -*.orquesta.ga*, True -*.orquestautopica.com.ar*, True -*.orquestavictoria.com.ar*, True -*.orrdale.com*, True -*.orsania.es*, True -*.orsifacundo.com.ar*, True -*.orsiitaliani.com*, True -*.orskkino.ru*, True -*.orsoblusrl.it*, True -*.orsty.com*, True -*.ortemberg.com.ar*, True -*.orthoappsguru.com*, True -*.orthocareclinic.com*, True -*.orthodontix.biz*, True -*.orthodontix.org*, True -*.orthodoxchristiansociety.org*, True -*.orthomed-oradea.ro*, True -*.orthosens.ro*, True -*.ortho-smile.gr*, True -*.orth.ro*, True -*.ortizdezarate.cl*, True -*.ortizluna.com.ar*, True -*.ortizsantini.net*, True -*.ortodontiasaopaulo.com.br*, True -*.ortodoxantidrog.ro*, True -*.ortodoxia-adevaratacredinta.ro*, True -*.ortoosi.com*, True -*.ortopediacastro.com*, True -*.ortopediaperezgaldos.com*, True -*.ortopediasantos.com.br*, True -*.ortopedistadelosrios.cl*, True -*.ortus-inc.com*, True -*.ortz.org*, True -*.orvea.com*, True -*.orvip.ga*, True -*.orvip.ml*, True -*.or-vli.co.il*, True -*.or-yehudi.co.il*, True -*.os4pda.ru*, True -*.osaamispaaomasijoittaja.fi*, True -*.osaamispaaomasijoittajat.fi*, True -*.osaamispaaomasijoittaminen.fi*, True -*.osaamissijoittaja.fi*, True -*.osaamissijoittajat.fi*, True -*.osaamissijoittaminen.fi*, True -*.osagesoftware.com*, True -*.osaka.sexy*, True -*.osaku.com*, True -*.osanka31.ru*, True -*.osapsa.com.ar*, True -*.osapsalud.com.ar*, True -*.osa-serrurerie.ch*, True -*.osastrologos.com.br*, True -*.osbornequipment.com*, True -*.oscardelossantos.es*, True -*.oscarenoscar.be*, True -*.oscargutierrez.com.ar*, True -*.oscarmendiz.com.ar*, True -*.oscarshotels.com.au*, True -*.oscars.net.au*, True -*.oscarssportshotel.com.au*, True -*.oscarvalhos.com*, True -*.oscarypatrisecasan.es*, True -*.oscillate.eu*, True -*.osclabs.ro*, True -*.oscled.com*, True -*.oscometas.com.br*, True -*.oscopaipa.org.ar*, True -*.osc.org.za*, True -*.oscrx.tk*, True -*.osd.rs*, True -*.oseanografi.id*, True -*.osebno.net*, True -*.oseiasnautica.com.br*, True -*.osetiya-alaniya.ru*, True -*.osfiguroes.com*, True -*.osfpr.eu*, True -*.osgbyazilimi.net*, True -*.osg.net.ve*, True -*.osh2.de*, True -*.osh.hk*, True -*.oshibi.com*, True -*.o-shiny.com*, True -*.o-shiny.info*, True -*.o-shiny.net*, True -*.o-shiny.org*, True -*.oshnurov.ru*, True -*.osh.pt*, True -*.oshte.net*, True -*.oshurkova.name*, True -*.osi.cl*, True -*.osilo.net*, True -*.osing54.com*, True -*.osintsev.ru*, True -*.osisaksen.com*, True -*.ositedoandre.com*, True -*.ositedoandre.tk*, True -*.osiux.com*, True -*.osiux.com.ar*, True -*.oskarmalmwiklund.se*, True -*.oskay.web.tr*, True -*.o-s-k.com*, True -*.oskfilter.com.my*, True -*.oskpiastow.pl*, True -*.osliker.com*, True -*.oslikov.net*, True -*.osloeft.net*, True -*.osmileooofashop4312.com*, True -*.osm.org.ru*, True -*.osmp3.com*, True -*.osmsael.com.ar*, True -*.osnapnig.ga*, True -*.os-net.cl*, True -*.osnet.cl*, True -*.osoghoboken.tk*, True -*.osokina.com*, True -*.osolodkina.ru*, True -*.osom.is*, True -*.osos.ir*, True -*.ospachat.com*, True -*.ospa.fi*, True -*.osperkins.com.ar*, True -*.ospif.com.ar*, True -*.ospital.com.ar*, True -*.ospreycove.net*, True -*.ospreynet.info*, True -*.ospreyradio.org*, True -*.osrwss.org*, True -*.ossbd.org*, True -*.oss.cl*, True -*.oss-concept.ch*, True -*.ossem.my*, True -*.ossettchildcare.com*, True -*.ossetthaunt.co.uk*, True -*.ossnow.net*, True -*.ossoft.com.ar*, True -*.ossuck.net*, True -*.ostanime.com*, True -*.ostanpratkasi.fi*, True -*.ostapowicz.pl*, True -*.ostatka.net*, True -*.osteo-massagepraxis.ch*, True -*.osteopathiebern.ch*, True -*.osteopathie-canada.ca*, True -*.osteopathie-canada.com*, True -*.osteopathiecollege.com*, True -*.osteopathie-dekalbermatten.ch*, True -*.osteopathy.ca*, True -*.osteopathy-canada.ca*, True -*.osteopathy-canada.com*, True -*.osteo-schlachter.ch*, True -*.osteriaallacontadina.it*, True -*.osteriallacontadina.it*, True -*.osteriastendhal.it*, True -*.ostiedecaliss.com*, True -*.ostingroup.com.ar*, True -*.ostoholz.de*, True -*.ostr.fi*, True -*.ostroumov.org*, True -*.ostrovan.ro*, True -*.ostrovska.sk*, True -*.ostrovsky.sk*, True -*.ostv.ga*, True -*.osu3.com*, True -*.osub.tk*, True -*.osu.ro*, True -*.osvetlitev.si*, True -*.osvipl.com*, True -*.osvpaez.com.ar*, True -*.oswald.cf*, True -*.oswalminerals.in*, True -*.osyko.ru*, True -*.otakare.com*, True -*.otakukingdom.com*, True -*.otakuton.cl*, True -*.otaku-usach.cl*, True -*.otbalta.ru*, True -*.otbminc.com*, True -*.otbolta.ru*, True -*.otbuhta.ru*, True -*.otdelkaeuro.ru*, True -*.otdelka-forum.ru*, True -*.otdyh-sicilia.ru*, True -*.oteatehnic.ro*, True -*.otecjerez.cl*, True -*.otecod.cl*, True -*.otecuatsa.cl*, True -*.otegui.es*, True -*.oteri.us*, True -*.otero.ws*, True -*.oterr.com.ar*, True -*.otex.com*, True -*.otg-1004.com*, True -*.otg-333.com*, True -*.otg-888.com*, True -*.otg-cgv.com*, True -*.otgemchat.tk*, True -*.otgem.tk*, True -*.otgemzone.tk*, True -*.otg-main.com*, True -*.otg-ocn.com*, True -*.otherhumanerrors.com*, True -*.otherkinter.net*, True -*.othermalaysia.org*, True -*.otherreality.net*, True -*.othodof.ru*, True -*.otias.org*, True -*.oticasbetel.com.br*, True -*.oticasvisao.net.br*, True -*.o-times.com*, True -*.otimizemax.com.br*, True -*.otisgreen.com*, True -*.otito.info*, True -*.otito.org*, True -*.otito.ru*, True -*.otkachkajbo.ru*, True -*.otkrakow.pl*, True -*.otm.hk*, True -*.otobakimdunyasi.com*, True -*.otobike.ro*, True -*.otocar.net*, True -*.otod.com.au*, True -*.otofollower.com*, True -*.otoliker.be*, True -*.otolike.tk*, True -*.otomobilgenel.com.tr*, True -*.otomobil.org*, True -*.otomodification.tk*, True -*.otoparkbileti.org*, True -*.otoparkyonlendirmesistemleri.com*, True -*.otos.ro*, True -*.ototemizlik.net*, True -*.ototemizlik.web.tr*, True -*.otp33.com*, True -*.otp44.com*, True -*.otp52.com*, True -*.otp78.com*, True -*.otpkr.com*, True -*.otpoladopotolka.ru*, True -*.otr44.com*, True -*.otr55.com*, True -*.otr66.com*, True -*.otr88.com*, True -*.otr99.com*, True -*.otrocontexto.cl*, True -*.otropa.com*, True -*.otscanada.ca*, True -*.ottawacomputerguy.com*, True -*.ottawasoccercamp.com*, True -*.ottawayamaha.ca*, True -*.ottawayamaha.com*, True -*.otterbrau.com*, True -*.ottermaton.com*, True -*.otterskog.com*, True -*.ottomangallery.com*, True -*.ottone.cl*, True -*.ottpaxaem.ru*, True -*.otunbayeleakinrolabu.com*, True -*.otwebhosting.com*, True -*.otwebsoft.com*, True -*.otwkelekmediatraf.com*, True -*.otwkelekmediatraf.net*, True -*.otxodof.ru*, True -*.oubi.com*, True -*.ouhkmbaa.com*, True -*.oup.com.mx*, True -*.oupy.com*, True -*.ourbedrooms.com*, True -*.ourdeckspaces.com*, True -*.ourdevices.us*, True -*.ourdrobe.com*, True -*.ourfamilyaustralia.com.au*, True -*.ourfamily.sg*, True -*.ourfamilyzoo.net*, True -*.ourfirstdaughter.com*, True -*.ourfloorcovering.com*, True -*.ourfloorcoverings.com*, True -*.ourgamingaddiction.com*, True -*.ourgarages.com*, True -*.ourhkfoundation.hk*, True -*.ourhoaweb.com*, True -*.ourhomespace.net*, True -*.ourisabelle.com*, True -*.ourkitchenspace.com*, True -*.ourlic.com*, True -*.ourlic.tv*, True -*.ourlocaloffers.co.uk*, True -*.ourlongislandcity.com*, True -*.ourl.tk*, True -*.ourmailfilter.com*, True -*.ourmasjid.me*, True -*.ournas.net*, True -*.ournet.ch*, True -*.ournet.tk*, True -*.ournetwork.gq*, True -*.ouropretoautos.com.br*, True -*.ouropretoimobiliaria.com.br*, True -*.ouropretoveiculosmaringa.com.br*, True -*.ourshopspace.com*, True -*.ourstack.com*, True -*.ourtimes.info*, True -*.ourtownguttercleaning.com*, True -*.ourtownguttercleaning.com.au*, True -*.ourupgrade.com*, True -*.our-wedding-photos.org.uk*, True -*.ourwinery.com.au*, True -*.ouryards.com*, True -*.ousep.com*, True -*.outaa.com*, True -*.outaweb.com*, True -*.outboundonline.info*, True -*.outboundtour.com*, True -*.outcastsnipers.space*, True -*.outcode.es*, True -*.outcomedubious.im*, True -*.outdoorgearsearch.com*, True -*.outdoorgrillsreviewgroup.com*, True -*.outdoormaps.ro*, True -*.outdoorphotography.ca*, True -*.outdoor-photos.com*, True -*.outerheaven.cl*, True -*.outerlimits.cx*, True -*.outfishing.org*, True -*.outforce.com*, True -*.outfordessert.com.au*, True -*.outgamed.co.uk*, True -*.outglobe.com*, True -*.outingsunlimited.com*, True -*.outlanderly.com*, True -*.outlaws4x4.com*, True -*.outlet.hk*, True -*.outletkerzen.ch*, True -*.outletmurah.com*, True -*.out-let.ro*, True -*.outlet.si*, True -*.outletstock.co.il*, True -*.outlunching.com*, True -*.outlux-lowcost.pt*, True -*.outpatient-screen.com*, True -*.outpost24.cl*, True -*.outrage-app.mobi*, True -*.outrasmarias.com.br*, True -*.outshine-intl.com*, True -*.outsidetheboxblog.net*, True -*.outsidethecounter.com*, True -*.outsourcing.st*, True -*.outspace.cf*, True -*.outspokentoys.com*, True -*.outwander.ca*, True -*.ova.im*, True -*.oval.cl*, True -*.ovenbakednuts.my*, True -*.oveo.co.uk*, True -*.oveo.uk*, True -*.over40.tk*, True -*.over-cast.org*, True -*.overclockers.co.za*, True -*.overclockjcp.com.ar*, True -*.overcode.hk*, True -*.overdriven.ca*, True -*.overexposed.hk*, True -*.overgrowngarden.com*, True -*.overheadtech.info*, True -*.overhed.com*, True -*.overlandcorner.net*, True -*.overlijdenscentrum.be*, True -*.overlijdenscentrum.com*, True -*.overloadlab.com*, True -*.overlooknyc.net*, True -*.overlordacademy.com*, True -*.overlordmedia.com*, True -*.overpoort.com.ar*, True -*.over-powered-services.tk*, True -*.overpowering.net*, True -*.overseas-study.tw*, True -*.oversideproject.com*, True -*.overstars.com*, True -*.overtimecode.com*, True -*.over.tk*, True -*.overzenith.co*, True -*.ovfile.com*, True -*.oviedo.mx*, True -*.ovip.me*, True -*.ovoarb.sk*, True -*.ovolna.ru*, True -*.ov-om.com*, True -*.ovoxcloud.com*, True -*.ovox.co*, True -*.ovoxnetworks.info*, True -*.ovoxnetworks.net*, True -*.ovoxnetworks.org*, True -*.ovpnku.tk*, True -*.ovweb.ca*, True -*.ovz.biz*, True -*.owaper.tk*, True -*.owen1972.org*, True -*.owenap.com*, True -*.owenbioconsulting.com*, True -*.owi.cl*, True -*.owleon.com*, True -*.owlgirl.info*, True -*.owlish.co.uk*, True -*.owl-post.net*, True -*.ownage.biz*, True -*.ownco.net*, True -*.owned.ga*, True -*.owned.hu*, True -*.owned.xyz*, True -*.owningtheyouth.com*, True -*.ownmail.biz*, True -*.ownplace.info*, True -*.owns.tk*, True -*.ownsvr.tk*, True -*.ownsystem.org*, True -*.owrassist.ca*, True -*.owretail.com*, True -*.oxal.com.pk*, True -*.oxaprozin.ch*, True -*.oxbim.com*, True -*.oxcc.com.au*, True -*.oxdz.org*, True -*.oxelt.mx*, True -*.oxidize.net*, True -*.oxigenogema.com.ar*, True -*.oxituk.co.uk*, True -*.oxmynx.ch*, True -*.oxo-biodegradable.com*, True -*.oxo.pw*, True -*.oxor.com*, True -*.oxsexi.ru*, True -*.oxsnow.info*, True -*.oxtilo.net*, True -*.oxweld.my*, True -*.oxx96.com*, True -*.oxx97.com*, True -*.oxx98.com*, True -*.oxx99.com*, True -*.oyajikai.net*, True -*.oyarguti.com.ar*, True -*.oydabogados.cl*, True -*.oyd.ch*, True -*.oyecaribe.net*, True -*.oyelatino.org*, True -*.oyl.co.za*, True -*.oylcredit.com.ar*, True -*.oylcreditos.com.ar*, True -*.oynaburda.com*, True -*.oyngo.com*, True -*.oypabogados.cl*, True -*.oysterbayconstructions.com.au*, True -*.oysterfootwear.com*, True -*.oyuncetesi.com*, True -*.ozarkcabin.cc*, True -*.ozarklogcabin.com*, True -*.ozar.us*, True -*.ozbreeders.com*, True -*.ozcaliskan.name.tr*, True -*.ozcamlake.tk*, True -*.ozcigars.com*, True -*.ozden.co.uk*, True -*.ozdezign.net*, True -*.ozel.my*, True -*.ozganix.com.au*, True -*.ozgurey.com*, True -*.ozgurlukdunyasi.org*, True -*.ozgurruzgar.com*, True -*.ozibatla.com*, True -*.ozirc.net*, True -*.ozisik.gen.tr*, True -*.ozium1.org*, True -*.ozjacko.com*, True -*.ozkan.me*, True -*.ozkar.org*, True -*.ozlanka.com.au*, True -*.oz.lc*, True -*.ozmenpetrol.com.tr*, True -*.ozmor.cf*, True -*.ozpoultry.net*, True -*.ozpoultry.org*, True -*.ozracing.cl*, True -*.ozracing.mobi*, True -*.ozs.fi*, True -*.oztalismanonline.com.ar*, True -*.oztechdieselrepairs.com.au*, True -*.ozvardarli.net*, True -*.ozvpn.com.au*, True -*.ozvpn.net*, True -*.ozwebsitedesign.com*, True -*.ozwildlife.info*, True -*.ozziesworld.com*, True -*.ozz.lu*, True -*.ozz.ro*, True -*.p0lishop.com.br*, True -*.p0ns.org*, True -*.p14.su*, True -*.p173.de*, True -*.p1nkc0.de*, True -*.p1p0.tk*, True -*.p1slashp2.com*, True -*.p20m.org*, True -*.p28.pl*, True -*.p2backup.tk*, True -*.p2coalition.com*, True -*.p2ee.org*, True -*.p2j.net.au*, True -*.p2pool.eu*, True -*.p2pool.tw*, True -*.p2pyramid.com*, True -*.p307.one.pl*, True -*.p39ers.com*, True -*.p3d.org.uk*, True -*.p3t1.hu*, True -*.p4oloprete.tk*, True -*.p4pmma.ca*, True -*.p4t0.info*, True -*.p5882p.com*, True -*.p5nettech.com*, True -*.p71.ca*, True -*.p71interceptor.ca*, True -*.p7942p.com*, True -*.p8282p.com*, True -*.pa0aa.info*, True -*.pa-1004.com*, True -*.pa-2020.com*, True -*.pa-7788.com*, True -*.pa-888.com*, True -*.paa49.com*, True -*.paa59.com*, True -*.paa72.com*, True -*.paa76.com*, True -*.paa93.com*, True -*.paam2.tk*, True -*.paarden.be*, True -*.paardenburg.nl*, True -*.paardenpensionoscarenoscar.be*, True -*.paasivirta.net*, True -*.paasivirta.org*, True -*.paa.tw*, True -*.paayypaall-limited.com*, True -*.pabalubaju.tk*, True -*.p-abbasian.com*, True -*.pabbasian.com*, True -*.paberit.ee*, True -*.paberit.eu*, True -*.pabin.com.np*, True -*.pabitra.com.np*, True -*.pabloacevedo.com.mx*, True -*.pabloacevedo.mx*, True -*.pabloacevedo.net*, True -*.pabloballester.com*, True -*.pablocarmona.cl*, True -*.pablocasals.com.ar*, True -*.pablocm.es*, True -*.pablodc.com.ar*, True -*.pablodv.com*, True -*.pabloegonzalez.com.ar*, True -*.pablo.eng.br*, True -*.pablo.eti.br*, True -*.pablofontdevila.com.ar*, True -*.pablogallego.com.ar*, True -*.pablogentile.com.ar*, True -*.pabloprato.com.ar*, True -*.pablorusso.com.ar*, True -*.pablosalvado.com.ar*, True -*.pablosotomayor.cl*, True -*.pabloyever.es*, True -*.pabloylola.com.ar*, True -*.pabreau.ch*, True -*.pabrikacpsurabaya.com*, True -*.pabrikkartonplastik.com*, True -*.pabrik-scaffolding.com*, True -*.pabriktiang.com*, True -*.pabriktianglampu.com*, True -*.pabuaran.com*, True -*.pac64.com*, True -*.pac87.com*, True -*.pacbell.hk*, True -*.pacbelltel.com*, True -*.pacemakerpro.com*, True -*.pacemaker.tv*, True -*.pacetospace.com*, True -*.pachalive.com*, True -*.pachamamacontrol.com.ar*, True -*.pachecobass.com*, True -*.pachorodriguez.ch*, True -*.pachydermwear.com*, True -*.pacificbellinternational.com*, True -*.pacific-blue.nl*, True -*.pacificcollegesydney.com.au*, True -*.pacificdate.com*, True -*.pacificenergymanagement.ca*, True -*.pacific-group.in*, True -*.pacific-grove.org*, True -*.pacifichillscp.com*, True -*.pacificinformatics.com*, True -*.pacificoceanalliance.org*, True -*.pacificocean.co.za*, True -*.pacificsquaresydney.com.au*, True -*.pacificsystems.org*, True -*.pacifistgroup.com*, True -*.pacin.net*, True -*.paciran.tk*, True -*.paciwood.com*, True -*.packagemanagement.org*, True -*.packagescruise.com*, True -*.packagingprintmag.co.za*, True -*.packagingsachet.com*, True -*.packbrasil.com.br*, True -*.pack.cf*, True -*.packempreendimentos.com*, True -*.packempreendimentos.com.br*, True -*.packeted.ml*, True -*.packetfilter.org*, True -*.packetflood.net*, True -*.packeting.eu*, True -*.packet-lord.hm*, True -*.packets.gq*, True -*.packetsniffer.org*, True -*.packetstorm.tk*, True -*.packetted.tk*, True -*.packetwalk.net*, True -*.packetworks.org*, True -*.packinggaskettombo.com*, True -*.packingmaterial.co.za*, True -*.packonline.com.br*, True -*.packprojetos.com*, True -*.pacl.us*, True -*.paco.id.au*, True -*.paconnection-ltd.com*, True -*.pacoriviere.cat*, True -*.pacsdrive.com*, True -*.pacsoft.pl*, True -*.pactke.org*, True -*.pactohio.com*, True -*.pactros.com*, True -*.pactulprimarilor.ro*, True -*.padalpha.org*, True -*.padangsidimpuan.net*, True -*.padangu-arsenalas.lt*, True -*.paddingtondental.com.au*, True -*.paddletennis.biz*, True -*.paddlingexpeditions.com*, True -*.paddoport.com*, True -*.paddoport.com.au*, True -*.paddygold.com*, True -*.paddynewman.co.uk*, True -*.padecendo.co*, True -*.padecendo.net*, True -*.padecendo.org*, True -*.padilia.com.br*, True -*.padmanaba.web.id*, True -*.padomega.org*, True -*.padoo.net*, True -*.padraoinnova.com.br*, True -*.padski.co.uk*, True -*.padureacomorova.ro*, True -*.padureadelamalulmarii.ro*, True -*.padwick.se*, True -*.paediatricfeeding.com.au*, True -*.paegle.com.br*, True -*.paevapraed.com*, True -*.pa-extra.com*, True -*.pafc.co.za*, True -*.paffeibaking.com*, True -*.pafoonks.cf*, True -*.pafsoft.ch*, True -*.pafuin.ro*, True -*.pagaal58.ml*, True -*.pagamechile.com*, True -*.pagano.ch*, True -*.paganodietrecipes.com*, True -*.pagarbrc-mjs.com*, True -*.pagasit.io*, True -*.pagecity.tk*, True -*.pagehive.net*, True -*.pagendam-turner.org*, True -*.pagenoare.net*, True -*.pageranky.com*, True -*.pageswinford.co.uk*, True -*.pagez.com.ar*, True -*.paginadeprueba123.tk*, True -*.paginaswebyservidores.com.mx*, True -*.paginaswebyservidores.mx*, True -*.paginator.us*, True -*.paginaweb.biz*, True -*.paginawe.com*, True -*.pagodesparabaixar.org*, True -*.pagostepeapulco.gob.mx*, True -*.p-agua-porto.pt*, True -*.pagunpost.com*, True -*.pahallfam.net*, True -*.pahira.info*, True -*.paia-manual.co.za*, True -*.paigehays.net*, True -*.paijoe.com*, True -*.paijoe.us*, True -*.paillal.cl*, True -*.paincompanion.com*, True -*.painefieldcap.org*, True -*.painemilla.com*, True -*.paineunsa.ro*, True -*.painfulpvp.com*, True -*.paingankar.org*, True -*.paingasm.net*, True -*.painmaker.fi*, True -*.paintasalt.ro*, True -*.paintassault.ro*, True -*.paintball-berkshire.co.uk*, True -*.paintballclujnapoca.ro*, True -*.paintball-cluj.ro*, True -*.paintballdominicano.com*, True -*.paintballelbosque.com*, True -*.paintballrd.com*, True -*.paintbullkefalonia.gr*, True -*.paintguysinc.com*, True -*.paintiquity.co.uk*, True -*.paintmymutt.com*, True -*.paintpuzz.com*, True -*.painvictoire.com*, True -*.paisa.ir*, True -*.paisanet.com*, True -*.paisanet.net*, True -*.paislee.net*, True -*.pajakkita.com*, True -*.pajaritodemimbre.cl*, True -*.pajf.be*, True -*.pajotwatches.com*, True -*.pajura.ro*, True -*.pak2club.tk*, True -*.pak9yan.net.au*, True -*.pakar.or.id*, True -*.pakasaivo.fi*, True -*.pakasak.com*, True -*.pakbanang.com*, True -*.pakdeigor.tk*, True -*.pakdezaki.web.id*, True -*.paketcug.ga*, True -*.paketcug.ml*, True -*.pakettoyotamurah.com*, True -*.paketusahaonline.com*, True -*.pakeva.lt*, True -*.pakgembur.tk*, True -*.pakhong.hk*, True -*.pakistanchannel.net*, True -*.pakla.pl*, True -*.pakory.tk*, True -*.pakot.id.lv*, True -*.pakpneumatic.com*, True -*.paksof.com*, True -*.paktani.us*, True -*.pakuaglass.com*, True -*.pakupakis.com*, True -*.palach.pl*, True -*.palaciodossalgados.com*, True -*.paladin.cl*, True -*.paladintechnologies.com*, True -*.palandi.com.br*, True -*.palapalalta.fi*, True -*.palapudu.org*, True -*.palavecinoyasoc.com.ar*, True -*.palazzo-pitti.it*, True -*.paleblueuniverse.com*, True -*.palekaiko.com*, True -*.palembangcyber.org*, True -*.palembangcyber.or.id*, True -*.palembangkotakita.info*, True -*.paleoblog.ru*, True -*.paleoga.ch*, True -*.paleomushi.com*, True -*.palermoclub.net*, True -*.palermopizza.ro*, True -*.palermosworld.com*, True -*.palermozoo.com.ar*, True -*.palestine-info.com*, True -*.palestinemessage.net*, True -*.palestinemsg.net*, True -*.palestinos.net*, True -*.palewizard.com*, True -*.palfeis.com.mx*, True -*.palfeis.mx*, True -*.palgaprogramm.ee*, True -*.pali7x.com*, True -*.palibit.ru*, True -*.palich.biz*, True -*.palinfo.info*, True -*.palinfo.net*, True -*.palinfo.us*, True -*.palingseru.info*, True -*.palion.net*, True -*.palkat.fi*, True -*.palk.cat*, True -*.palladianpointe.com*, True -*.pallapa.us*, True -*.palletmeshjakarta.com*, True -*.palliserogc.ca*, True -*.palliserogc.com*, True -*.palmegiano.it*, True -*.palmeraie.org*, True -*.palmerfamily.id.au*, True -*.palmergroup.ca*, True -*.palmerica.com*, True -*.palmerini.info*, True -*.palmerini.net*, True -*.palmessage.net*, True -*.palmitoenano.com*, True -*.palmius.me.uk*, True -*.palmiyekozmetik.com.tr*, True -*.palmon.org*, True -*.palmsg.net*, True -*.palmyanoff.com*, True -*.palochki.info*, True -*.paloet.se*, True -*.paloma93.ro*, True -*.paloma.cl*, True -*.palominoscorrea.cl*, True -*.palpalich.ru*, True -*.palscholars.com*, True -*.palshack.org*, True -*.palsharing.net*, True -*.paltales.org*, True -*.paltrinieri.com.ar*, True -*.palubiski.com*, True -*.palvelin.net*, True -*.palz.co.il*, True -*.palzuntrust.org*, True -*.pa-mar.gr*, True -*.pamcom.org*, True -*.pametnije.com*, True -*.pametno.net*, True -*.pametno.si*, True -*.pampaballoons.com.ar*, True -*.pampafish.com*, True -*.pampered-chefs.com*, True -*.pamplonasi.cl*, True -*.pampobanz.com*, True -*.pamulang.ml*, True -*.pamulang.tk*, True -*.panaceahk.com*, True -*.panaceamobile.co.za*, True -*.panacea-project.ru*, True -*.panachehospitality.in*, True -*.panachemanage.com*, True -*.panadex.com.pe*, True -*.panagistics.com*, True -*.panagopoulou.com*, True -*.panaguiton.net*, True -*.panalko.rs*, True -*.panama4x4.com*, True -*.panamacityfloridafishingcharters.com*, True -*.panamacityfloridafishing.com*, True -*.pana-mea.ro*, True -*.panamericano.biz*, True -*.panarican.com*, True -*.panariotesis.tk*, True -*.panario.tk*, True -*.panasa.ec*, True -*.panashop.my*, True -*.panasistemas.net*, True -*.panatech.com.au*, True -*.panatrust.pw*, True -*.panax.ca*, True -*.panbreak.eu*, True -*.panbreak.it*, True -*.pancabudi.sch.id*, True -*.pancaharapan.org*, True -*.pancernik.info*, True -*.panchevnet.co.uk*, True -*.panchiz.com.ar*, True -*.panchosagredo.cl*, True -*.panchuz.com.ar*, True -*.pancingkehidupan.com*, True -*.pancoffeeservicesintl.ro*, True -*.pancorin.ro*, True -*.pancras.com*, True -*.panda96.com*, True -*.pandakiss.com*, True -*.pandandrum.com*, True -*.pandapictures.org*, True -*.pandapictures.ru*, True -*.pandaplanet.hk*, True -*.pandarian.com*, True -*.pandari.ir*, True -*.pandatune.com*, True -*.pandawill.com.br*, True -*.pandemicpig.tk*, True -*.pandemoni.us*, True -*.pandeyarun.com.np*, True -*.pandhegajaya.sch.id*, True -*.pandm.ru*, True -*.pandocksrv.net.ve*, True -*.pandora-hometree.com*, True -*.pandorahouse.com*, True -*.pandorasbreadbox.com*, True -*.pandoratransport.ro*, True -*.pandoratrans.ro*, True -*.pandorax.nl*, True -*.pandore-esthetique.com*, True -*.panduandomain.my*, True -*.pandu-geotextile.com*, True -*.panduricenter.ro*, True -*.pandyjoy.ro*, True -*.panedile.com.ar*, True -*.paneel.tk*, True -*.panelcapacitor.com*, True -*.paneldecor.cl*, True -*.paneldehombres.cl*, True -*.panele-bielsko.pl*, True -*.panel-electric.com*, True -*.panele-zywiec.pl*, True -*.panelku.com*, True -*.panel-laboralcj.gob.mx*, True -*.panelmasuk.in*, True -*.panelmcc.com*, True -*.panel.moe*, True -*.panelrojo.com*, True -*.panel.web.id*, True -*.panemona.ml*, True -*.panesi.com.br*, True -*.panevvet.sk*, True -*.panfaco.ir*, True -*.pang456.com*, True -*.pangeanamerican.org*, True -*.pangeran.net*, True -*.pangoni.com.br*, True -*.pangu.ga*, True -*.panhandleflyers.com*, True -*.panhandleflyers.info*, True -*.panhandleflyers.net*, True -*.panhandleflyers.org*, True -*.pa-nic.com*, True -*.panificadoraportales.cl*, True -*.panjangpendek.com*, True -*.panjinxh.com*, True -*.pankler.com*, True -*.pankration-bur.ru*, True -*.panlandes.com*, True -*.pannenkoeken.com*, True -*.panoji.si*, True -*.panonit.rs*, True -*.panor.am*, True -*.panorama40.ru*, True -*.panorama-village.gr*, True -*.panoramicas.eu*, True -*.panoramicviews.com.au*, True -*.panospapadopoulos.eu*, True -*.panouri-solare-ct.ro*, True -*.panozzogroup.com*, True -*.pansara.org*, True -*.panselnas.web.id*, True -*.pansi.co.id*, True -*.pansyshop.net*, True -*.pantaleev.tk*, True -*.pantaleon.tk*, True -*.pantallaspublicitarias.cl*, True -*.pantat.tk*, True -*.pantek.club*, True -*.panthera.ca*, True -*.panther-apps.com*, True -*.panther-fabric.com*, True -*.pantovcak-96.tk*, True -*.pantsarvagya.com.np*, True -*.panu.ninja*, True -*.panviro.ro*, True -*.panzerchile.cl*, True -*.paodequeijo.tk*, True -*.paolabueno.com*, True -*.paolaharwicz.com*, True -*.paolamolina.net*, True -*.paolinelli.com.br*, True -*.paolinelli.org*, True -*.paolozzifamily.ch*, True -*.paopaws.com*, True -*.papa8.net*, True -*.papabaer.net*, True -*.papacantameuna.com*, True -*.papahabla.com*, True -*.papah.cf*, True -*.papaisphoto.com*, True -*.papakev.de*, True -*.papamana.tk*, True -*.papamed.com.br*, True -*.papara.ro*, True -*.papatong.net*, True -*.papelariacultura.com*, True -*.papelera.tk*, True -*.papeleriamaragall.com*, True -*.papelier.com.br*, True -*.papeling.org*, True -*.papelylapiz.tk*, True -*.papenko.ru*, True -*.paper9ja.ml*, True -*.paperca.se*, True -*.paperchic.ca*, True -*.paper-designs.com*, True -*.paperexpress.com.au*, True -*.papergarland.net*, True -*.paper.is*, True -*.papermodel.hk*, True -*.papernet.web.id*, True -*.paperopoly.com*, True -*.paper-sacks.com*, True -*.papershoot-hk.com*, True -*.papetheme.com*, True -*.papilloncandles.com*, True -*.papilloncandles.com.au*, True -*.papillon.cl*, True -*.papinota.cl*, True -*.papi.one.pl*, True -*.papiraruhaz.hu*, True -*.pappaswayseafood.com.au*, True -*.pappenennathouden.nl*, True -*.paprik.ro*, True -*.papso.com*, True -*.papusland.net*, True -*.papw3pf.tk*, True -*.parabodas.org*, True -*.parabolaresear.ch*, True -*.paraclubtraisental.at*, True -*.paracosmo.cl*, True -*.paradademonteiros.com*, True -*.paradaideal.com.br*, True -*.parademoment.com*, True -*.paradigital.net*, True -*.paradigma-rg.ru*, True -*.paradigmusic.com*, True -*.paradisecommunity.tk*, True -*.paradise-ddl.com*, True -*.paradiseforpets.com*, True -*.paradisehealthandbeautywarehouse.com.au*, True -*.paradiseranchdvrdns.org*, True -*.paradiseroleplay.com*, True -*.paradis-lacollecte.com*, True -*.paradisullegumelor.ro*, True -*.paradisusloscabos.com*, True -*.paradisvrancean.ro*, True -*.paradoxicon.org*, True -*.parafernalhalocacoes.com.br*, True -*.parafusosdelta.com.br*, True -*.paragoncity.com.pk*, True -*.paragonpremiums.com*, True -*.paragon-technical.com*, True -*.parala.ch*, True -*.parallols.com*, True -*.paramedic-emt.com*, True -*.paramedic-emt.info*, True -*.paramedic-emt.org*, True -*.paramitadirect.com*, True -*.paramotores22.com.ar*, True -*.paramountballast.net*, True -*.paran01d.net*, True -*.paranasaude.com*, True -*.paranasaude.net*, True -*.paranoia.mobi*, True -*.paranoicobsas.com.ar*, True -*.paranoic.ro*, True -*.paranoidcloud.com*, True -*.paranoidlollipop.tk*, True -*.paranoid.pk*, True -*.paranormal.com.my*, True -*.paranormalgroup.com*, True -*.paranormalmist.com*, True -*.paranormalurandir.com.br*, True -*.parapentevillarrica.cl*, True -*.paraphr.asia*, True -*.parapir.eu*, True -*.paraplegicari.org*, True -*.para.ro*, True -*.parasect.org*, True -*.paratix.ch*, True -*.paratrix.net*, True -*.paraviaonline.com*, True -*.parawebic.com*, True -*.parazazo.org*, True -*.parceirosaon.com.br*, True -*.parcelapp.net*, True -*.parcele.si*, True -*.parceriabk.com.br*, True -*.parceriapublicidade.com.br*, True -*.parceriauto.com.br*, True -*.parcket-profi.ru*, True -*.parcuatro.cl*, True -*.pardazeshgostar.ir*, True -*.pardeamirkabir.com*, True -*.pardiseno.cl*, True -*.pardoseliiasi.ro*, True -*.pardussoft.com*, True -*.parec.org*, True -*.parejasenlinea.net*, True -*.parelkar.com*, True -*.parelkar.org*, True -*.parerejo.cf*, True -*.paresmapa.or.id*, True -*.parfum46.ru*, True -*.parfumdedouceur.tk*, True -*.parfumeriecollectioneclat.ch*, True -*.parhuniagram.com*, True -*.pariahservers.com*, True -*.paribanten.or.id*, True -*.parikh.net*, True -*.parikshit.com.np*, True -*.parilatab.com*, True -*.paris15.ro*, True -*.pariscassaundra.com*, True -*.parishometownrealty.com*, True -*.parisweb.it*, True -*.paritmastar6.com.my*, True -*.paritzky.co.il*, True -*.pariurisportivefotbal.ro*, True -*.pariwisatakomodo.com*, True -*.pariz-co.ir*, True -*.parkcrestlakewood.org*, True -*.parkett-welschen.ch*, True -*.parkfamily.ca*, True -*.parkfeld.ch*, True -*.parkhere.cl*, True -*.parkingplace.cl*, True -*.parkingweb.co.uk*, True -*.parkinhodobebe.com.br*, True -*.parklake.org*, True -*.parklanedental.hk*, True -*.parknbuild.net*, True -*.parkour.com.au*, True -*.parkpartner.pl*, True -*.parkseyoung.com*, True -*.parkshilltech.net*, True -*.parksoncredit.com.my*, True -*.parksvilletravel.com*, True -*.parksystems.ca*, True -*.parkview.cf*, True -*.parkviewhome.ca*, True -*.parkviewvillage.ca*, True -*.parmachecammina.it*, True -*.parmalen.com*, True -*.parm-avia.ru*, True -*.parmavia.ru*, True -*.parnakunj.com*, True -*.parnasocinema.cl*, True -*.parnik.ir*, True -*.parnsheewa.com*, True -*.parohia-acoperamantul-maicii-domnului-ferentari.ro*, True -*.parohiafoisor2.ro*, True -*.paroisse.info*, True -*.paroki-klaten.org*, True -*.paroletraducciones.com*, True -*.paroquiadeloures.pt*, True -*.paros-paros.com*, True -*.parquecaiza.com*, True -*.parquecerdeira.com*, True -*.parquechamonate.cl*, True -*.parquecidades-eim.pt*, True -*.parquededescanso.com*, True -*.parquesantafilomenadenos.cl*, True -*.parquinhodobebe.com.br*, True -*.parral.com.mx*, True -*.parramattacomputers.com.au*, True -*.parren.me.uk*, True -*.parrettbids.com*, True -*.parri-facil.com.ar*, True -*.parroquiasanpablo.cl*, True -*.parrot-friend.com*, True -*.parrylogistics.com.au*, True -*.parsawireless.net*, True -*.parship.co.za*, True -*.parshub.ir*, True -*.parsiangrp.com*, True -*.parsianshipping.com*, True -*.parsi-music.ir*, True -*.parsonseng.com.au*, True -*.part1design.com*, True -*.partasalan.is*, True -*.partbandc.com*, True -*.partcon.tk*, True -*.partenairepourlavie.com*, True -*.partener-allianztiriac.ro*, True -*.partfinder.gr*, True -*.parthagoswami.com*, True -*.parth.ca*, True -*.partica.com.br*, True -*.particlebuster.com*, True -*.particle.es*, True -*.particulino.com.br*, True -*.partimontage.eu*, True -*.partirviajes.tur.ar*, True -*.partis.club*, True -*.partisiinterior.com*, True -*.partisikartonbox.com*, True -*.partita.cl*, True -*.partnera.com.tr*, True -*.partneradestek.com*, True -*.partneredinnovations.com*, True -*.partnerh.cl*, True -*.partners.sg*, True -*.partners-xxi.pt*, True -*.partsdo.com*, True -*.partsdo.net*, True -*.partsmotion.com*, True -*.part-time-canadian.ca*, True -*.parttimeputers.com*, True -*.partusa.com*, True -*.partusapowersports.com*, True -*.party70.com*, True -*.partybag.com*, True -*.partyfarnsfield.co.uk*, True -*.partyfm.info*, True -*.party-hire-adelaide.com*, True -*.partyinvitation.co.za*, True -*.party-land.ch*, True -*.partyofsix.ca*, True -*.partyplace.nl*, True -*.partyprints.com.au*, True -*.partyradio.si*, True -*.partyrental.com.au*, True -*.partysballoons.com*, True -*.partyshirts.eu*, True -*.party-supplies-adelaide.com*, True -*.party-supplies-adelaide.com.au*, True -*.partytimecruises.com.au*, True -*.parujas.com*, True -*.parun.com.ar*, True -*.parungpanjang.net*, True -*.paruno.mx*, True -*.paruolomuebles.com.ar*, True -*.parvusmundi.cl*, True -*.pasache.cl*, True -*.pasajesbus.cl*, True -*.pasangiklanbarisgratistanpadaftar.com*, True -*.pasanglamasherpa.com.np*, True -*.pasarauto.com*, True -*.pasarmotorraya.com*, True -*.pasas.cl*, True -*.pascalau.com*, True -*.pascalau.ro*, True -*.pascal.ms*, True -*.pascalpower.com*, True -*.pascal-romanens.ch*, True -*.pascalvervest.nl*, True -*.pascasarjana-ptiq.ac.id*, True -*.pasche.cl*, True -*.paschimpatra.tk*, True -*.paschke.org*, True -*.paschke.tv*, True -*.pascual.co.nz*, True -*.pascualeresearch.in*, True -*.pascual.nz*, True -*.pascual-servicios.com*, True -*.pascual.sg*, True -*.pasdjp.com*, True -*.paseodelombligo.cl*, True -*.paseoenglobo.com.ar*, True -*.pasi.cf*, True -*.pasi.ga*, True -*.pasionati.ro*, True -*.pasionescompany.com*, True -*.pasio.ro*, True -*.pasirasyk.lt*, True -*.pasiune.tk*, True -*.paskahuussi.com*, True -*.paskibrapustek.com*, True -*.paskud.net*, True -*.paso1.cl*, True -*.pasoscalzados.com*, True -*.pasosonline.com.ar*, True -*.pasred.tk*, True -*.passanha.com.br*, True -*.passarando.com.br*, True -*.pass.fm*, True -*.passgamesto.me*, True -*.passing.ga*, True -*.passion4it.co.uk*, True -*.passionemusic.ro*, True -*.passportball.co.id*, True -*.passportoportugal.pt*, True -*.passport-to-portugal.pt*, True -*.passthelube.net*, True -*.pastaamericanamogi.com.br*, True -*.pastadura.ec*, True -*.pastebin.ga*, True -*.pastel.co.id*, True -*.pasteleo.com.ar*, True -*.pastelerianomeolvides.cl*, True -*.pastemain.com*, True -*.pastethis.net*, True -*.pastilla.cl*, True -*.pastiproperti.com*, True -*.pastisade.ch*, True -*.pastockland.com.au*, True -*.pastoralcarechaplainsofcolor.org*, True -*.pastoraldeturismo.org.ar*, True -*.pastorfide.com*, True -*.pastorit.co.za*, True -*.pastorit.org.za*, True -*.pastorschwittay.com.ar*, True -*.pastpresentfuture.org*, True -*.past.ro*, True -*.pastrypowered.com*, True -*.pastyfiend.com*, True -*.pasukanjihad.info*, True -*.pasuni.ro*, True -*.pata1.info*, True -*.patagoniahostel.cl*, True -*.patagoniaventures.cl*, True -*.patagonico.fm*, True -*.patagonyka.com.ar*, True -*.patakon.com.ar*, True -*.patanegrarestaurant.com*, True -*.pataslab.com*, True -*.patatabrava.es*, True -*.patavina.ro*, True -*.patchammethodistchurch.co.uk*, True -*.patchboard.ch*, True -*.patches.gr*, True -*.patchsteger.com*, True -*.patchwork-and-more.ch*, True -*.patchworkcreeation.ch*, True -*.patelmortgage.com*, True -*.patentattorney.si*, True -*.patentcorrect.com*, True -*.patent-gen.com*, True -*.patenttoday.cn*, True -*.patenttoday.net*, True -*.paterna.nl*, True -*.paterson.net.nz*, True -*.patesco.ca*, True -*.patf.com*, True -*.patf.net*, True -*.patful.com*, True -*.patful.net*, True -*.patfx.com*, True -*.pathindustries.com*, True -*.pathofexile.it*, True -*.pathrisetechnologysolutions.com*, True -*.patiaguilera.cl*, True -*.patibook.in*, True -*.patientlinktechnologies.com*, True -*.patil.us*, True -*.patil.ws*, True -*.patinia.eu*, True -*.patinia.gr*, True -*.patiodetransp.net.br*, True -*.patioesmeralda.cl*, True -*.patio-gardener.com*, True -*.patiogardener.com*, True -*.patiomunicipal.com.br*, True -*.patiopoliciacivilsp.net.br*, True -*.patiositran.com.br*, True -*.pat-kev.net*, True -*.patlacroix.com*, True -*.patlinktech.com*, True -*.patlite.co.id*, True -*.patmayrand.com*, True -*.patmcmahonracing.com*, True -*.patmeonline.com*, True -*.patocasagrande.com.ar*, True -*.patomojado.com.ar*, True -*.patovato.com*, True -*.patov.com*, True -*.patra.cl*, True -*.patrakiumbara.com*, True -*.patralimitada.cl*, True -*.patranescu.ro*, True -*.patrao.ninja*, True -*.patrasonline.gr*, True -*.patras-patras.com*, True -*.patriciabologna.com.ar*, True -*.patriciachamudis.com.ar*, True -*.patriciainez.com.br*, True -*.patriciolatini.com*, True -*.patrickclarke.com*, True -*.patrickemaher.com*, True -*.patrickengland.me*, True -*.patrickhearn.com*, True -*.patrick-lee.hk*, True -*.patrickleony.nl*, True -*.patrickminecraftserver.info*, True -*.patrickrota.ch*, True -*.patrickwiltrout.info*, True -*.patrickwross.com*, True -*.patrickxia.com*, True -*.patrickyeager.com*, True -*.patriothackers.org*, True -*.patriziatodicolla.ch*, True -*.patron-service.ru*, True -*.patrulator.ro*, True -*.patrulrinpoche.ch*, True -*.patrx.com*, True -*.patsanchez.com.ar*, True -*.patshin.com*, True -*.patsliensales.com*, True -*.patsquaredit.com*, True -*.pattayahotelthailand.com*, True -*.patternbased.com*, True -*.patternsmithing.com*, True -*.paturica.ro*, True -*.patuturi-bebelusi.ro*, True -*.patuturidinlemn.ro*, True -*.patuturi-lemn-bebelusi.ro*, True -*.patuturi-lemn-copii.ro*, True -*.patuturi-pentru-copii.ro*, True -*.patuturipentrucopii.ro*, True -*.patvx.com*, True -*.paugeryacht.com*, True -*.paukner.org*, True -*.paulacampbell.com.ar*, True -*.paul-agarici.ro*, True -*.paulamonroy.cl*, True -*.paulanddarcy.com*, True -*.paulandkana.com*, True -*.paul-anwandter.cl*, True -*.paulbirch.eu*, True -*.paulbulris.com*, True -*.paulbunyanhoney.org*, True -*.paulchorley.com*, True -*.pauldelongcpa.com*, True -*.pauletteandsean2015.com*, True -*.pauletto.com.ar*, True -*.paulgross.net*, True -*.paul-herrmann.net*, True -*.paulh.eu*, True -*.paulhopkins.id.au*, True -*.pauliesgym.com*, True -*.paulinenganpoling.hk*, True -*.paulinhaterra.com.br*, True -*.paulinhoimoveis.com*, True -*.paulinohh.com.br*, True -*.paulionescu.ro*, True -*.paulkelly.org*, True -*.paulkiggen.com*, True -*.paulkind.de*, True -*.paulll.cc*, True -*.paulmarchet.ch*, True -*.paulmathe.ws*, True -*.paulmcatear.tk*, True -*.paulmccune.com*, True -*.paulmellors.net*, True -*.paulmellorsphotography.co.uk*, True -*.paulmunn.net*, True -*.paulmurch.com*, True -*.paulnkay.com*, True -*.pauloalonso.net*, True -*.paulocesar.tk*, True -*.pauloimoveis.com.br*, True -*.paulojorgesantos.com*, True -*.paulonia.cl*, True -*.paulopedron.com*, True -*.paulscale.tk*, True -*.paulsfamilyhistory.com*, True -*.paulsmotorcycles.com*, True -*.paulsmotorcycles.com.au*, True -*.paultalbert.com*, True -*.paulthepirate.com*, True -*.paul-van-slobbe.nl*, True -*.paulzo.com*, True -*.paumard.com*, True -*.paunikkotrade.fi*, True -*.paus.co.id*, True -*.pa-utveckling.se*, True -*.pavajeieftine.ro*, True -*.pavajgermania.ro*, True -*.pavelkatrucking.com*, True -*.pavelkatruckinginc.com*, True -*.pavelwang.com*, True -*.pavesdeluxe.com*, True -*.pav.guru*, True -*.pavilhaodaagua.com*, True -*.pavilhaodaagua.pt*, True -*.paviliongrup.ro*, True -*.pavilnioslenis.tk*, True -*.paving-jasa-mnb.com*, True -*.pavlovas.ru*, True -*.pavlovsky.cc*, True -*.pavlov.su*, True -*.pavpal.ml*, True -*.pawelrzeznik.pl*, True -*.paweony.co.uk*, True -*.pawfind.co.za*, True -*.pawmom.tk*, True -*.paws-ltd.com*, True -*.pax-group.de*, True -*.paxona.ch*, True -*.paxvann.com*, True -*.payakumbuhkota.tk*, True -*.payamcctv.com*, True -*.payame.ir*, True -*.payamsms.ir*, True -*.payapolymer.ir*, True -*.payasosxlaidentidad.com.ar*, True -*.pay-cool.com*, True -*.paycrony.com*, True -*.paydaycashadvancewwiho.com*, True -*.paydayeasycashadvanceloans.com*, True -*.paydayloanconsultants.org*, True -*.paydayloans24hr-online.org*, True -*.paydayloans4anyone.com*, True -*.paydayloanshmn.org*, True -*.paydayloanshz.org*, True -*.paydayloansice.org*, True -*.paydayloansju.org*, True -*.paydayloanskuyx.com*, True -*.paydayloanslxa.org*, True -*.paydayloansmjo.org*, True -*.paydayloansonline60.com*, True -*.paydayloansonlinelks.org*, True -*.paydayloanspxm.ninja*, True -*.paydayloanstwx.org*, True -*.paydayloansusa-cash.org*, True -*.paydayloansusaonline2015.org*, True -*.paydayloansuys.org*, True -*.payebills.com*, True -*.payeplss.com*, True -*.payipaall.com*, True -*.payjoal.com*, True -*.paylessinstruments.com*, True -*.paymeone.com*, True -*.payok.cl*, True -*.payonspot.net*, True -*.payor.com.au*, True -*.payot.ca*, True -*.payotshop.ru*, True -*.paypaul.ca*, True -*.payperclickhelp.co.uk*, True -*.payperfect.com*, True -*.payperhead.biz*, True -*.pay-per-head-solutions.com*, True -*.pay-per-head-sports-book.com*, True -*.paypilll.com*, True -*.payplas.ga*, True -*.payple.es*, True -*.payple.me*, True -*.payple.net*, True -*.payple.us*, True -*.payradio.ro*, True -*.payriels.com*, True -*.payrolloutsourcing.id*, True -*.payroll.se*, True -*.payrpall.com*, True -*.paysagiste-kocev.ch*, True -*.paysagistes-marechal.ch*, True -*.paysto.tk*, True -*.paysuper.com*, True -*.payungpromosiperusahaan.com*, True -*.payungtaman.com*, True -*.payu-ping.ru*, True -*.payus.ga*, True -*.payus.gq*, True -*.payus.ml*, True -*.payuwallet.ru*, True -*.payweb.co.za*, True -*.payzy.ir*, True -*.pazdosenhor.com.br*, True -*.paziu.one.pl*, True -*.pazliber.cl*, True -*.pazmed.com.br*, True -*.pbaconsulting.com.au*, True -*.pballa.de*, True -*.pbassociates.biz*, True -*.pbbdna.co.nz*, True -*.pbcimports.com*, True -*.pbdjarum.info*, True -*.pbdjarum.net*, True -*.pbdpartners.com.au*, True -*.pb-eventgemscool.ml*, True -*.pbflooring.com*, True -*.pbgamefinder.com*, True -*.pbhs.com.au*, True -*.pblab.tk*, True -*.pbloprz.com*, True -*.pblprz.com*, True -*.pbnk.ru*, True -*.pbobet.com*, True -*.pbohara.com*, True -*.pbolte.de*, True -*.pb-online.org*, True -*.pbproperty.hk*, True -*.pbrakel.com*, True -*.pbrokers.com.ar*, True -*.pbsa.com.br*, True -*.pbsgeologiadeengenharia.com.br*, True -*.pbsoncall.com*, True -*.pbssport.com*, True -*.pbsuccess.ca*, True -*.pbtn.net*, True -*.pbuddy.de*, True -*.p-burri.ch*, True -*.pbu.su*, True -*.pbvip.ru*, True -*.pc2g.com*, True -*.pc2linux.com.ar*, True -*.pc2linux.com.mx*, True -*.pc-absturz.ch*, True -*.pcac.biz*, True -*.pca-express.com*, True -*.pca-express.org*, True -*.pca.ru*, True -*.pcasmadrid.es*, True -*.pcassistance.ro*, True -*.pcaudi.com.br*, True -*.pc-ba.xyz*, True -*.pcbug.eu*, True -*.pcbusted.us*, True -*.pc-care.cn*, True -*.pc-center.ro*, True -*.pccentro.com.ar*, True -*.pccordillera.cl*, True -*.pc-curat.ro*, True -*.pcdanco.com*, True -*.pcdoctorbelfast.com*, True -*.pcdomain.com*, True -*.pceasies.com*, True -*.pcebr.com.br*, True -*.pce-cihazlari.com.tr*, True -*.pceengenharia.com.br*, True -*.pce-instruments.cl*, True -*.pcelab.info*, True -*.pc-engine.cl*, True -*.pcfab.net*, True -*.pcfoundry.net*, True -*.pcgamer.com.ar*, True -*.pcgamewalkthrough.net*, True -*.pcg.com.ve*, True -*.pcgear.ca*, True -*.pcgenius.nl*, True -*.pchacon.com*, True -*.pcharest.ca*, True -*.pc-help24.ch*, True -*.pchelp-24.com*, True -*.pchero21.com*, True -*.pchm.net*, True -*.pchotrod.com*, True -*.pch.tw*, True -*.pcikc.com*, True -*.pc-insight.com*, True -*.pcistaging.com*, True -*.pciuyumluluk.com*, True -*.pcjeff.com*, True -*.pcjunk.net*, True -*.pckf.com*, True -*.pcleeds.co.uk*, True -*.pclosusers.com*, True -*.pcmak999.com*, True -*.pcm.bg*, True -*.pcmedix.co.za*, True -*.pcminuto.com.ar*, True -*.pcnaranja.com.ve*, True -*.pcnc.ru*, True -*.pcnet-web.it*, True -*.pcnsa.com.ar*, True -*.pcoffice.be*, True -*.pcotw.org*, True -*.pcpaja.fi*, True -*.pcparksandrec.com*, True -*.pcpermits.org*, True -*.pcpjlocal.org*, True -*.pcplacesupport.com*, True -*.pc-pro.eu*, True -*.pcpult.com*, True -*.pcrednet.com*, True -*.pc-repair-manchester.co.uk*, True -*.pc-resita.ro*, True -*.pcreview.ro*, True -*.pcs4u.com*, True -*.pcschematic.ru*, True -*.pcshost.com.mx*, True -*.pcsmartbuys.com*, True -*.pc-sms.hk*, True -*.pcsms.hk*, True -*.pcsmsnow.com*, True -*.pc-software.ro*, True -*.pcsos.tw*, True -*.pcspeedyfix.co.uk*, True -*.pcsupport.co.il*, True -*.pctalkweb.net*, True -*.pctallstar.com*, True -*.pctechnica.com.mx*, True -*.pctecnica.cl*, True -*.pctelnet.ch*, True -*.pcterra.org*, True -*.pc-toc.com*, True -*.pc-tools.com.ar*, True -*.pctools.info*, True -*.pc-toys.com*, True -*.pc-toys.net*, True -*.pctrelew.com*, True -*.pcvet.ca*, True -*.pcv-s520.tk*, True -*.pcvxd.nl*, True -*.pcxd.me*, True -*.pcxtreme.ro*, True -*.pd345.org*, True -*.pdagod.com*, True -*.pdamuseum.info*, True -*.pdash.net*, True -*.pdb.cl*, True -*.pdboathire.com.au*, True -*.pdce.com.au*, True -*.pdc.nu*, True -*.pdcomputer.net*, True -*.pddapp.ru*, True -*.pddovje-mojstrana.si*, True -*.pdeb.cl*, True -*.pde.co.id*, True -*.pdewhirst.co.uk*, True -*.pdfbooks.eu*, True -*.pdhelectrical.com.au*, True -*.pdiperjuangan.net*, True -*.pdiperjuangan.or.id*, True -*.pdjesenice-drustvo.si*, True -*.pdl-2015.com*, True -*.pdl-cash-advances.com*, True -*.pdlusa-2015.com*, True -*.pdlusa2015.com*, True -*.pdl-usa-online.com*, True -*.pdm.cl*, True -*.pdmcleaner.com*, True -*.pdm.com.pk*, True -*.pdq42.com*, True -*.pdqcity.com*, True -*.pd-rega.si*, True -*.pdvparapente.com.ar*, True -*.pdxnode.net*, True -*.pdxweb.net*, True -*.peaceablesolutionscs.com*, True -*.peaceandsafety.org*, True -*.peacefuldeliveriesdoula.com*, True -*.peaceful.org*, True -*.peacehotel-arusha.com*, True -*.peacehotelarusha.com*, True -*.peacehotelgroup.com*, True -*.peacehotel-tanzania.com*, True -*.peacehotel-tz.com*, True -*.peacemaker.pro*, True -*.peacemala4you.com*, True -*.peach-lainey.com*, True -*.peachsoft.co.uk*, True -*.peachyweb.com*, True -*.peacivist.org*, True -*.peakchallenge.org*, True -*.peakconsulting.com.au*, True -*.peakhurstasc.com*, True -*.peakmotors.net*, True -*.peakseason.ca*, True -*.peakstudio3.com*, True -*.peaktopeaksoccer.org*, True -*.peanbook.in*, True -*.pearcat.ca*, True -*.pearce.in*, True -*.peardrive.co.uk*, True -*.pearlhaus.com*, True -*.pearllink1823.com*, True -*.pearlneurology.com*, True -*.pearlrecruitmentgroup.com*, True -*.pearlstorehouse.net*, True -*.pearswj.co.uk*, True -*.peartreephotos.org.uk*, True -*.peartreeworld.co.uk*, True -*.peartreeworld.org.uk*, True -*.pebbe.net*, True -*.pebcac.net*, True -*.pebriana.web.id*, True -*.pecararilescolii.ro*, True -*.pecelmadiun.web.id*, True -*.pece-szanto.sk*, True -*.pechatnikov.com*, True -*.pecheenkayak.ch*, True -*.peckson.com.br*, True -*.pecosa.com.ar*, True -*.pec-poland.com*, True -*.pectra.tk*, True -*.peculiartravel.co*, True -*.pe-cuvant.ro*, True -*.pedagangkakilima.com*, True -*.pedalajeado.org.br*, True -*.pedalandcrank.net*, True -*.pedalarepreciso.com*, True -*.pedalclubolimpia.com*, True -*.pedaleman.tk*, True -*.pedalesyefectos.com.ar*, True -*.pedalez.ro*, True -*.pedalinx.com*, True -*.pedalpedalpedal.com*, True -*.pedapoint.fi*, True -*.peder-berggreen-clausen.se*, True -*.pedesign.tk*, True -*.pediainno.com*, True -*.pedia.tk*, True -*.pediatricapparel.com*, True -*.pediatricpromotions.com*, True -*.pediawan.web.id*, True -*.pedie.info*, True -*.pedipedturkey.com*, True -*.pedlog.com.br*, True -*.ped-man.com*, True -*.pedon.com.br*, True -*.pedrinhoracing.com.br*, True -*.pedroemanuel.com*, True -*.pedroleon.info*, True -*.pedropereira.pt*, True -*.pedrosantos.tk*, True -*.pedsofprovidence.com*, True -*.peduportal.tk*, True -*.pedzlegeek.ca*, True -*.pee77.com*, True -*.pee88.com*, True -*.peeezee.com*, True -*.peeinthesnow.com*, True -*.peel.co.za*, True -*.peeldsb.ca*, True -*.peel.nom.za*, True -*.peene.com.br*, True -*.peeramidspirits.com*, True -*.peerepresentacoes.com.br*, True -*.peermont-mail.co.za*, True -*.pee.vc*, True -*.pefykti.cf*, True -*.pegabemwap.ml*, True -*.pegahq.com.ar*, True -*.pegaofertas.com*, True -*.pegasone.com*, True -*.pegasusadvisory.fi*, True -*.pegasusamericas.com*, True -*.pegasusfaucets.us*, True -*.pegasusfrance.fr*, True -*.pegle.com*, True -*.pegu.com.ar*, True -*.pegyrem.cf*, True -*.pehatyc.ru*, True -*.pehdweld.ro*, True -*.peheo.net*, True -*.pehrs.com*, True -*.peicams.com*, True -*.peievents.com*, True -*.peifitness.com*, True -*.peimenus.com*, True -*.peiphones.com*, True -*.peiplaces.com*, True -*.peipoppingcorn.com*, True -*.peipus.eu*, True -*.peisaalicante.es*, True -*.peisabarcelona.es*, True -*.peisacastellon.es*, True -*.peisagandia.es*, True -*.peisaje.info*, True -*.peisalorca.es*, True -*.peisamadrid.es*, True -*.peisavalencia.es*, True -*.peisavalles.es*, True -*.peisinabienesraices.com.ar*, True -*.peitabam.com*, True -*.peitabam.ir*, True -*.peitalk.com*, True -*.peiupse.net*, True -*.pejantantambun.com*, True -*.pekaranganhijau.com*, True -*.pekinfirefighters.com*, True -*.pekistir.net*, True -*.pekkamustonen.fi*, True -*.pekwe.com*, True -*.pelaire.net*, True -*.pelaire.org*, True -*.pelangi-aviation.co.id*, True -*.pelangicahayasempurna.co.id*, True -*.pelatoca.com*, True -*.pelayan.net*, True -*.pelcastre.net*, True -*.pelenkin.ru*, True -*.peleshenko.org.ua*, True -*.pelicantanpasayap.com*, True -*.peliconluka.tk*, True -*.pelivre.org*, True -*.peliwood.com*, True -*.pelko.eu*, True -*.pellaconference.org*, True -*.pellepilot.se*, True -*.pellerweb.com*, True -*.pelletier-us.com*, True -*.pelltech.eu*, True -*.pelly.co*, True -*.pelly.co.nz*, True -*.pelly.org.uk*, True -*.pellyville.com*, True -*.pelofort.com*, True -*.peloponnese-peloponnese.com*, True -*.pelops.co.za*, True -*.peloterouge.cl*, True -*.peltokoski.fi*, True -*.peltsi.fi*, True -*.peludo.info*, True -*.peluqueriapatitas.cl*, True -*.pel.vc*, True -*.pemadamapimurah.com*, True -*.pemalangcybers.com*, True -*.pemalangcybers.net*, True -*.pemalang.eu*, True -*.pembayarantagihan.com*, True -*.pembemavishop.com.tr*, True -*.pembesarpenis-one.com*, True -*.pemburu.ninja*, True -*.pemex.com.br*, True -*.pemimpinplace.com*, True -*.pemimpinradio.com*, True -*.pemutihamanwajah.com*, True -*.penaall.com*, True -*.penaburbackup.com*, True -*.penabur-inter.sch.id*, True -*.penagapesona.com.my*, True -*.penalty.bz*, True -*.penandpiper.com*, True -*.penangfa.com*, True -*.penangkalpetirku.com*, True -*.penates-hostel.ru*, True -*.pen-blanks.us*, True -*.penblanks.us*, True -*.pencalc.org*, True -*.pencenmuda.my*, True -*.pencilbusters.com*, True -*.pendaki.net*, True -*.pendekar.ws*, True -*.pendinginikan.com*, True -*.pendrivereklamowe.info*, True -*.pendrivesolutions.com.br*, True -*.pendroid.hu*, True -*.penduduksungaipetani.my*, True -*.pendulumaudio.com*, True -*.penelle.ca*, True -*.peneta.info*, True -*.peneti.com*, True -*.pengajuankta.com*, True -*.pengama.com*, True -*.penghap.us*, True -*.penghasilantetap.web.id*, True -*.penghemattelepon.com*, True -*.pengin12.com*, True -*.pengin.ml*, True -*.pengirimanbarangindonesia.com*, True -*.pengostores.mx*, True -*.penguinmerah.org*, True -*.penguinsystems.net*, True -*.penhal.com*, True -*.penhal.co.uk*, True -*.peninsulaphysicaltherapy.com*, True -*.peninsula-property.ch*, True -*.peninsulapt.com*, True -*.peniwenchile.cl*, True -*.penjiong.com*, True -*.penjual.es*, True -*.penjualpulsa.com*, True -*.penkrat.ru*, True -*.penlinea.info*, True -*.pennachin.info*, True -*.pennaltda.cl*, True -*.penngreeks.com*, True -*.penniparty.com*, True -*.pennvint.com*, True -*.pennyantv.com*, True -*.pennysare.us*, True -*.penpen.my*, True -*.penrithcomputers.com.au*, True -*.penrithpoultry.com.au*, True -*.pensacam.com*, True -*.pensaimoveis.com.br*, True -*.pensamentoshumanistas.com*, True -*.pensandomendoza.com.ar*, True -*.pensat.hr*, True -*.penseurmalaysia.com*, True -*.pensionati.ro*, True -*.pension-basel.ch*, True -*.pensiondelparquelp.com.ar*, True -*.pensionlaw.hk*, True -*.pensionsskolan.se*, True -*.pension-villa-maria.ch*, True -*.pensiuneacarmesi.ro*, True -*.pensiunealaculstiucii.ro*, True -*.pensiuneaorhideeacluj.ro*, True -*.pensiuneatarina.ro*, True -*.pensiuneavalcea.ro*, True -*.pensiuneranca.ro*, True -*.pensiunibaiadefier.ro*, True -*.pensiuni-deltadunarii.ro*, True -*.pensiunigorj.ro*, True -*.pensiunioltenia.ro*, True -*.pensiunipolovragi.ro*, True -*.pensolut.com*, True -*.pensphreak.com*, True -*.pentaes.tk*, True -*.pentae.tk*, True -*.pentafon.com*, True -*.pentagon.ru*, True -*.pentaho.cl*, True -*.pentamar.com.ar*, True -*.pentametrix.com.ar*, True -*.pentautama.co.id*, True -*.pentaxfans.com*, True -*.pentes.pt*, True -*.pentest.ie*, True -*.pentric.biz*, True -*.pentric.com*, True -*.pentric.net*, True -*.pentric.org*, True -*.pentrics.com*, True -*.pentric.us*, True -*.pentrunoi.ro*, True -*.penulismuda.com*, True -*.penyedia-saranapendidikan.com*, True -*.penyiscola.tk*, True -*.penzarent.ru*, True -*.penzionsturovo.sk*, True -*.peo.ee*, True -*.peonvuelve.com.ar*, True -*.peonyrose.org*, True -*.peopleandsearch.cl*, True -*.peoplebond.co.id*, True -*.peoplecurry.tw*, True -*.peopleknow.me*, True -*.peopleprojects.co.za*, True -*.pepayon.com*, True -*.pepe90.com*, True -*.pepero12.com*, True -*.pepesonthebeach.com.au*, True -*.pepinieradinmicesti.ro*, True -*.pepino.io*, True -*.pepitafoto.hu*, True -*.pepper-and-salt.co.uk*, True -*.pepperell.net*, True -*.pepperis.me*, True -*.pepperjack.org*, True -*.peppinc.net*, True -*.peppi-nn.ru*, True -*.pepsi.tw*, True -*.pequenacompanhia.pt*, True -*.pequenoscantores.pt*, True -*.peralatankeamanan.com*, True -*.peralta.tk*, True -*.perantau-sepi.tk*, True -*.perapriar.com*, True -*.perbasasidki.com*, True -*.perberos.com.ar*, True -*.percetakan24jam.com*, True -*.perciavalle.com.br*, True -*.perciun.md*, True -*.percobaan.biz*, True -*.percolating.me*, True -*.perdaliker.tk*, True -*.perdanacollege.com*, True -*.perdanakimia.com*, True -*.perderpeso.pt*, True -*.pereaufoyer.ch*, True -*.peregrina.mx*, True -*.pereira.com.ar*, True -*.pereiradiaz.com.ar*, True -*.pereiraedelmenico.ch*, True -*.perekopsky.com*, True -*.perelmiter.adv.br*, True -*.peresaufoyer.ch*, True -*.pereskop.ch*, True -*.peresorianog.tk*, True -*.perevozki-po-moskve.ru*, True -*.perex.org*, True -*.perez-cotapos.cl*, True -*.perezdelafuente.com.ar*, True -*.perezllana.com*, True -*.pereznet.com.ar*, True -*.perezribeiro.com.br*, True -*.perfecbore.ch*, True -*.perfectad.net*, True -*.perfect-babes.com*, True -*.perfectbrake.co.id*, True -*.perfect-cars.co.uk*, True -*.perfect.cf*, True -*.perfectcode.info*, True -*.perfect-consulting.ro*, True -*.perfect-diet.com*, True -*.perfecthousing.ru*, True -*.perfecthq.co.uk*, True -*.perfectisdesign.ro*, True -*.perfectliving.ru*, True -*.perfectlivin.ru*, True -*.perfectnation.com*, True -*.perfectnic.com*, True -*.perfectofuentes.com*, True -*.perfectpas.co.uk*, True -*.perfectpetzzz.ro*, True -*.perfectpixelstudios.com*, True -*.perfectrackstore.com*, True -*.perfectrootserver.net*, True -*.perfekt.us*, True -*.perfilautomoveis.com.br*, True -*.perfilsexual.com*, True -*.perfilx.com.ar*, True -*.performancebrisbane.com*, True -*.performancebusinesssystems.com*, True -*.performanceexhaustcentre.com.au*, True -*.performancemanagementcentral.com*, True -*.performance.net.br*, True -*.performancenw.com*, True -*.performance-shop.ro*, True -*.perfumerialasvillas.net.ve*, True -*.perfumeriaybelleza.cl*, True -*.pergolasdelnorte.com*, True -*.per-head-price.com*, True -*.perheadprice.com*, True -*.perheadsite.com*, True -*.perhematka.fi*, True -*.perican.com*, True -*.perich.com*, True -*.periciamultimidia.com.br*, True -*.periferral.com*, True -*.perimetralesarg.com.ar*, True -*.perinetics.com*, True -*.periodicgames.com*, True -*.periodico.am*, True -*.periodicoam.mx*, True -*.periodismointegrado.com*, True -*.periodus.hu*, True -*.perioimplante.com.br*, True -*.peristeris.com.ar*, True -*.peritomed.com.br*, True -*.peritomed.med.br*, True -*.peritonlane.net*, True -*.perjaka.info*, True -*.perkinsblog.net*, True -*.perkiomenhoods.com*, True -*.perkova.ru*, True -*.perkscompany.com*, True -*.perksweb.net*, True -*.perladifiume.eu*, True -*.perlafilms.com.ar*, True -*.perledebeirut.ch*, True -*.perlem.com*, True -*.perlengkapandekorasitenda.com*, True -*.perlenparadies.cc*, True -*.perlik.cz*, True -*.perlimited.com*, True -*.perlmanrobison.com*, True -*.perlpowered.com*, True -*.permataniaga.com*, True -*.permesso.net*, True -*.permit-tracker.com*, True -*.permuteclothing.com*, True -*.pernakpernikbayi.com*, True -*.perolaclube.com.br*, True -*.peronggg.net*, True -*.perpetu.al*, True -*.perplex.at*, True -*.perpusgaul.ga*, True -*.perroencancha.cl*, True -*.perroseco.cl*, True -*.perroulaz.com*, True -*.perrycogop.com*, True -*.perrydillard.com*, True -*.perrygovier.com*, True -*.perryng.com*, True -*.perrysburgtownhomes.com*, True -*.perryscooters.com*, True -*.perrywoodvending.com*, True -*.persector.com*, True -*.persegiti.ga*, True -*.persib.org*, True -*.persocom.net*, True -*.persocom.pro*, True -*.persocom.ru*, True -*.personain.ru*, True -*.personajes24.com*, True -*.personett.org*, True -*.persoonlijkelifecoaching.nl*, True -*.persoy.com*, True -*.perspectives-edu.net*, True -*.pertaminadepot.com*, True -*.pertaminux.org*, True -*.perth-controls.com.au*, True -*.perthcontrols.com.au*, True -*.perthfurniturestore.com.au*, True -*.perthmanagement.com.au*, True -*.perthoilandgas.com.au*, True -*.perthorthodontist.com.au*, True -*.perthtestingandtagging.com.au*, True -*.perthtreelopping.com.au*, True -*.perthvideohire.com.au*, True -*.pertinent.ro*, True -*.perucinaturale.ro*, True -*.peruhogares.com*, True -*.peruhotelpro.com*, True -*.perukirja.fi*, True -*.perumbavoor.com*, True -*.pervers.ch*, True -*.perv.one.pl*, True -*.peryga.pl*, True -*.perytomy.tk*, True -*.pesangelangkaret.com*, True -*.pesanmadu.com*, True -*.pesantren.info*, True -*.pesawatgaruda.ga*, True -*.pesca.net.br*, True -*.peschmer.ga*, True -*.pesclubamerica.com*, True -*.pescuitladunare.ro*, True -*.pesikov.tk*, True -*.pesistv.fi*, True -*.pesona-bandung.web.id*, True -*.pesonaedu-asesmatik.com*, True -*.pesonaedu.id*, True -*.pesonaedu-institute.com*, True -*.pesonaedu-ontv.com*, True -*.pesonaedu-software.com*, True -*.pesonaedu-solution.com*, True -*.pesonaedu-store.com*, True -*.pesqueraalmar.cl*, True -*.pessalacia.com.br*, True -*.pessana.be*, True -*.pessk.ru*, True -*.pestalozzimail.com.ar*, True -*.pestalozzi.org.ar*, True -*.pestalozzischueler.com.ar*, True -*.pestalozzi-schule.com.ar*, True -*.pestaphotobooth.com*, True -*.pestarinosa.com.ar*, True -*.pestecademy.com*, True -*.pestemarin.ro*, True -*.pesticsalad.hu*, True -*.pestrepellents.com*, True -*.pestwave.com*, True -*.pesudamerica.com.ar*, True -*.petajalan.info*, True -*.petarda.ro*, True -*.petarumahjogja.com*, True -*.petbichoanimal.com.br*, True -*.pet-blog.ro*, True -*.petcare.gq*, True -*.petcher.net*, True -*.pete.com.ar*, True -*.petefield.com*, True -*.petelinsek.com*, True -*.petel.us*, True -*.petemoran.com*, True -*.peteness.com*, True -*.petenetlive.co.uk*, True -*.petepongball.com*, True -*.peter2.tw*, True -*.peterbedrosian.com*, True -*.peterbjorn.se*, True -*.peterbrough.com*, True -*.petercamps.nl*, True -*.peterdance.com*, True -*.peter-dieter.de*, True -*.peterduck.com.ar*, True -*.peterfecit.com*, True -*.peterfrase.org*, True -*.peterhans.me*, True -*.peterjamesgeorge.com*, True -*.peterjnew.co.uk*, True -*.peterjones.net*, True -*.peterkr.tk*, True -*.peterlo.org*, True -*.petermalbin.com*, True -*.peterman.ca*, True -*.petermasonagency.com*, True -*.peterm.tk*, True -*.peterquest.com*, True -*.peter-quintiens.be*, True -*.peterscott.id.au*, True -*.peterscrib.com*, True -*.peterski.com.au*, True -*.petersonfactory.in*, True -*.petersources.com*, True -*.petersuderman.net*, True -*.petervajda.com*, True -*.peter-wangs.ch*, True -*.peterweir.com.au*, True -*.peterweir.net.au*, True -*.peterwilbers.nl*, True -*.peteryoungchina.com*, True -*.peteryounghk.com*, True -*.petescomputer.com*, True -*.peteslandscaping.net*, True -*.petesoler.tk*, True -*.petetheswede.com*, True -*.peteunderwood.net*, True -*.peteut.ch*, True -*.petewhite67.com*, True -*.petfood.ro*, True -*.petguards.info*, True -*.pethailand.com*, True -*.petherapy.org*, True -*.petica-celik.hr*, True -*.petinelli.eti.br*, True -*.petiso.net*, True -*.petitcheval.co.nz*, True -*.petitciel.pt*, True -*.petitjapon.com*, True -*.petitpoblenou.cat*, True -*.petitti.com.ar*, True -*.petman.fi*, True -*.petnity.com.ar*, True -*.petoasis2007.com*, True -*.petoskeyadvertiser.com*, True -*.petoto.cl*, True -*.petpetplay.com*, True -*.petportal.info*, True -*.petra54.tk*, True -*.petrade.hk*, True -*.petra-gifts.co.il*, True -*.pet-ranch.com*, True -*.pet-ranch.com.ar*, True -*.petraxsoftware.com*, True -*.petree.ro*, True -*.petreomecanic.com*, True -*.petri4.be*, True -*.petria-automobile.ro*, True -*.petria-realestate.ro*, True -*.petrichor.name*, True -*.petrieopen.com*, True -*.petrigrove.ca*, True -*.petrigrove.com*, True -*.petrijanec.hr*, True -*.petriupt.ro*, True -*.petroconsult.my*, True -*.petrocont.ro*, True -*.petrogreensrl.com.ar*, True -*.petrojavacontainer.com*, True -*.petrolider.com.ar*, True -*.petrologis.com*, True -*.petrolservicesaustralia.com.au*, True -*.petrolservices.com.au*, True -*.petromax.tw*, True -*.petromine-energy.co.id*, True -*.petromine-energy.com*, True -*.petromitrasarana.com*, True -*.petromservice.ro*, True -*.petronoble.com*, True -*.petronoble.ir*, True -*.petronoble.net*, True -*.petronoble.org*, True -*.petrostorindo.com*, True -*.petrotdl.com.ar*, True -*.petroti.com.br*, True -*.petrotoos.ir*, True -*.petrova-art.com*, True -*.petrovskogo5.ru*, True -*.petrovsk-zabaykalskiy.ru*, True -*.petrov.ws*, True -*.petruh.in*, True -*.petrumaior.ro*, True -*.petruscopaci.ro*, True -*.petrus-nl.net*, True -*.petrykina.com*, True -*.petrykina.ru*, True -*.petrykin.ru*, True -*.petsahoy.com.au*, True -*.petsallover.com*, True -*.petsfan.com.br*, True -*.petsinspired.com*, True -*.petsithero.com*, True -*.petslogger.com*, True -*.petsmartherapy.com*, True -*.petsmarttherapy.com*, True -*.petspark.hk*, True -*.petsuppliessurplus.com*, True -*.petterisaak.com*, True -*.pettersen.com.ar*, True -*.pettica.com*, True -*.pettinato.net*, True -*.peuccos.com.mx*, True -*.peuhu.fi*, True -*.peumallen.cl*, True -*.peuperks.com*, True -*.peurmelemorometilor.ro*, True -*.pewen.tk*, True -*.pewww.ro*, True -*.pexacons.ro*, True -*.peyfon.com*, True -*.peymanelc.ir*, True -*.peyote.ml*, True -*.pezblanco.cl*, True -*.pezdios.com.ar*, True -*.pezhvak-andisheh.ir*, True -*.pezottibricks.com*, True -*.pezotti.com*, True -*.pfadi-moenchsberg.ch*, True -*.pfadipaul.ch*, True -*.pfadi-sa.ch*, True -*.pfctech.com.ar*, True -*.pfeifferinnenarchitektur.ch*, True -*.pfeilgeschwind.ch*, True -*.pfff.ru*, True -*.pfirter-pflegetech.ch*, True -*.pflanzl.at*, True -*.pflum.us*, True -*.pfly.net*, True -*.pfmc.co.za*, True -*.pfortner.co.za*, True -*.pfrybarger.com*, True -*.pfsensefirewall.com*, True -*.pfssrl.com.ar*, True -*.pfsystems.com.ar*, True -*.pfxue.cf*, True -*.pga-25.com*, True -*.pga-365.com*, True -*.pgamall.net*, True -*.pgardner.com.au*, True -*.pgco.ca*, True -*.pgc-yun.com*, True -*.pgd-barje.si*, True -*.pgd-dl.si*, True -*.pgdisplays.com.au*, True -*.pgd-log.si*, True -*.pgdotocec.org*, True -*.pgdprints.com.au*, True -*.pgdstickers.com.au*, True -*.pgd-tolmin.si*, True -*.pgd-vipava.si*, True -*.pgelhd.net*, True -*.pgerman.cl*, True -*.pg-family.com*, True -*.pggco.ir*, True -*.pghallam.com*, True -*.pghconnects.org*, True -*.pgitconsulting.com.ar*, True -*.pgmac.com*, True -*.pgmac.com.au*, True -*.pgmac.net*, True -*.pgpchat.com.br*, True -*.pgpchat.net*, True -*.pgp.cl*, True -*.pgp.com.mx*, True -*.pgp-group.com*, True -*.pgpthailand.com*, True -*.pgren.se*, True -*.pgsanchez.com.ar*, True -*.pgsr.com.au*, True -*.pgvn.net*, True -*.pgwhitetern.ir*, True -*.phaeron.ru*, True -*.phaet0n.net*, True -*.phagen.org*, True -*.phamhong.com*, True -*.phamtvdp.com*, True -*.phamvannghi.com*, True -*.phanmemgym.net*, True -*.phanphoilaptopcu.com*, True -*.phantastico.cf*, True -*.phantomdev.tk*, True -*.phantom-fpv.com*, True -*.phantom-investigations.com*, True -*.phantom-net.com.ar*, True -*.phantomtypists.com*, True -*.pharmaciahealth.com*, True -*.pharmaciedecourgenay.ch*, True -*.pharmaciedelaprairie.ch*, True -*.pharmacie-floreal.ch*, True -*.pharmacielhoteldeville.ch*, True -*.pharmaciepervenche.ch*, True -*.pharmaciestraphael.ch*, True -*.pharmacore.co.id*, True -*.pharmacoremedicals.com*, True -*.pharmacyhub.com*, True -*.pharma-erp.in*, True -*.pharmafit.gen.tr*, True -*.pharmagroup.com.ar*, True -*.pharmamis.com*, True -*.pharmasante.com.tr*, True -*.pharm-chenevert.ch*, True -*.pharmpeople.com*, True -*.phasa.co.il*, True -*.phaserbait.com*, True -*.phasys.com*, True -*.phatbot.net*, True -*.phatooine.net*, True -*.phatsilver.ca*, True -*.phattrienweb.net*, True -*.phazeddl.tv*, True -*.phazedgames.com*, True -*.phdavis.us*, True -*.pheckel.com*, True -*.pheiffer.net*, True -*.phelagon.com*, True -*.phenixap.com.br*, True -*.phenixbd.com*, True -*.phenomonotony.com*, True -*.phenomon.tk*, True -*.pheonixenterprise.info*, True -*.pherrie.dj*, True -*.pherrie.gq*, True -*.phgabrielvisintin.com.ar*, True -*.phg.com.mx*, True -*.phg.mx*, True -*.phhsalumni.org*, True -*.phialo.de*, True -*.phigit.al*, True -*.phigo.co.uk*, True -*.philandanne.com*, True -*.philaulie.info*, True -*.philaulie.org*, True -*.philayachtsquadron.org*, True -*.philayreserver.com*, True -*.philbendeck.com*, True -*.phildhall.com*, True -*.philflex.com*, True -*.philhnt.com*, True -*.philipchan.me*, True -*.philipe.info*, True -*.philipkingsley-shop.ru*, True -*.philipkingsleyshop.ru*, True -*.philipmarkowski.com*, True -*.philippeaxelsen.info*, True -*.philippedorsaz.ch*, True -*.philippeguillon.com*, True -*.philippe.li*, True -*.philippe-steiner.ch*, True -*.philippeworontzoff.name*, True -*.philipp-family.com*, True -*.philippinecargo.com*, True -*.philippittle.com*, True -*.philippmoeckli.ch*, True -*.philiprichardson.com*, True -*.philiproach.com*, True -*.philipryan.org*, True -*.philipwilliams.com*, True -*.philipworld.co.uk*, True -*.philkamerdrummer.com*, True -*.phillipdaw.com*, True -*.philliprhoades.com*, True -*.phillipsohio.com*, True -*.phillips-price-family.com*, True -*.phillipverdy.com*, True -*.philliskirk-tree.info*, True -*.phillynonsequitur.net*, True -*.phillytibetans.com*, True -*.philmware.com*, True -*.philord.tk*, True -*.philosophyonline.org*, True -*.philrigby.us*, True -*.philshpilberg.com*, True -*.philstover.com*, True -*.philtesting.de*, True -*.philtrem.com*, True -*.philzphil.ch*, True -*.phim102.com*, True -*.phim3x.biz*, True -*.phimheovl.net*, True -*.phimmu.org*, True -*.phimnoi.com*, True -*.phimsexaz.com*, True -*.phimsexok.com*, True -*.phimsexti.com*, True -*.phims.tv*, True -*.phimvideo.org*, True -*.phimx.es*, True -*.phin.ch*, True -*.phire.ca*, True -*.phishingpole.org*, True -*.phishsamich.com*, True -*.phishthis.com*, True -*.phis.ir*, True -*.phli.net*, True -*.phliware.com*, True -*.phmp3.cf*, True -*.phoenixassessoria.com.br*, True -*.phoenixcomputing.co.za*, True -*.phoenixeffect.fi*, True -*.phoenixfly.com*, True -*.phoenixignition.ca*, True -*.phoenixlabs.org*, True -*.phoenixmerahteknik.com*, True -*.phoenixtheatre.net.au*, True -*.phoenixwholesale.ca*, True -*.phoewin.co.uk*, True -*.pho.hk*, True -*.phokojebushlodge.com*, True -*.pholaumi.be*, True -*.phone1690.com*, True -*.phonecases.co.nz*, True -*.phonedating.co.za*, True -*.phonekey.co.il*, True -*.phonemobile.xyz*, True -*.phoneoximeter.org*, True -*.phongcachclub.tk*, True -*.phongdo.net*, True -*.phonilstore.com*, True -*.phonpoom.com*, True -*.phonui.org*, True -*.phopkins.org*, True -*.phosphorus.ch*, True -*.photinh.com*, True -*.photob2b.com*, True -*.photoboothbogor.com*, True -*.photoboothindonesia.com*, True -*.photoboothinstagram.com*, True -*.photoboothinstant.com*, True -*.photoboothmurah.com*, True -*.photoboothsouvenir.com*, True -*.photobyringo.com*, True -*.photochops.info*, True -*.photocity.ch*, True -*.photocopiersonline.com.au*, True -*.photo-cult.com*, True -*.photodojo.org*, True -*.photoexpressgeneve.ch*, True -*.photo-frame.com*, True -*.photogenic.hk*, True -*.photogleamer.com*, True -*.photographicastudio.ru*, True -*.photographicmemorygame.com*, True -*.photographiedenisbrunet.com*, True -*.photographs.gs*, True -*.photography-for-everyone.com*, True -*.photographyvisual.net*, True -*.photoiasi.ro*, True -*.photoindigo.co.za*, True -*.photojakarta.com*, True -*.photolol.net*, True -*.photolure.com*, True -*.photonz.ru*, True -*.photoor.co.il*, True -*.photoprops24.com*, True -*.photoprops24.co.uk*, True -*.photoreise.ch*, True -*.photosbygaelolympio.com*, True -*.photosentiment.com*, True -*.photoseven.ru*, True -*.photoslike.me*, True -*.photosmasters.com*, True -*.phototvs.pw*, True -*.phototypist.ru*, True -*.photowidget.com*, True -*.phox.org*, True -*.phpcard.com*, True -*.phpcode.biz*, True -*.phpcoin.co.za*, True -*.phpcompany.biz*, True -*.php-dev.net*, True -*.phpform.co.za*, True -*.phpfunctions.info*, True -*.php-fusion.co.za*, True -*.phpmeetup.org*, True -*.phpmycache.com*, True -*.phpreschool.com*, True -*.phprober.to*, True -*.phproxy87.tk*, True -*.phpstandards.org*, True -*.phpusers.org*, True -*.phpwebsite.co.za*, True -*.phra.gs*, True -*.phraseofday.ga*, True -*.phreakerandroid.com*, True -*.phreakerindonesia.com*, True -*.phreakerindonesia.net*, True -*.phreakz.cf*, True -*.phrearrugs.com*, True -*.phrearrugs.com.au*, True -*.phrecall.com*, True -*.phrowzen.com*, True -*.phsylife.ru*, True -*.phuard.ca*, True -*.phubuy.com*, True -*.phucked.net*, True -*.phucloc.tk*, True -*.phucthanhan.com*, True -*.phucthinh.cf*, True -*.phuketsearch.com*, True -*.phunkmasterz.com*, True -*.phun.ru*, True -*.phuong.tk*, True -*.phutramp3.com*, True -*.phux0red.net*, True -*.phuz.biz*, True -*.phvienna.at*, True -*.phy.ir*, True -*.phyrex.cl*, True -*.phyrworks.co.uk*, True -*.physic.al*, True -*.physioallschwil.ch*, True -*.physio-avenches.ch*, True -*.physioenergetik.cl*, True -*.physiotherapiewartau-hoengg.ch*, True -*.phytomedchile.cl*, True -*.pi4dec.org*, True -*.pi96.com*, True -*.piaggioservice.ch*, True -*.pianist.hk*, True -*.pianist.li*, True -*.pianjiong.com*, True -*.piano-cello.com*, True -*.pianoclasseswithgozel.co.uk*, True -*.pianojockl.org*, True -*.pianopiano.pt*, True -*.pianostudio.com.au*, True -*.pianpeng.com*, True -*.piarey.com.ar*, True -*.piargentina.com*, True -*.piassini.com.ar*, True -*.piatemoai.cl*, True -*.piatocreations.com*, True -*.piatranaturala.info*, True -*.picacho.com.ve*, True -*.piccolo.id.au*, True -*.picdee.com*, True -*.picdup.com*, True -*.picdup.info*, True -*.picdup.net*, True -*.picdup.org*, True -*.picerija.si*, True -*.pice.si*, True -*.picinel.ro*, True -*.pickaxeofdoom.com*, True -*.pickboot.com*, True -*.pickedup.net*, True -*.pickedup.org*, True -*.pickerings.us*, True -*.pickeringtechnicalservices.com*, True -*.pickerknowledge.com*, True -*.pickernation.com*, True -*.pickers.co.uk*, True -*.pickin.com.mx*, True -*.pickland.ru*, True -*.picklejuice13.com*, True -*.pickles.tk*, True -*.pickpocket.mobi*, True -*.pickso.hk*, True -*.pick-tech.ca*, True -*.pico1979.eu*, True -*.pico-biolab.com*, True -*.pico-lab.com*, True -*.picomm.si*, True -*.piconet.ro*, True -*.piconet.tk*, True -*.picorg.com*, True -*.picosbike.ch*, True -*.picpasteplus.com*, True -*.pics.mu*, True -*.picsoflife.se*, True -*.picsou.tk*, True -*.pictie.com*, True -*.pictogram.ro*, True -*.pictoru.ro*, True -*.picttt.com*, True -*.picturemoments.com*, True -*.pictureslots.com*, True -*.picturethrill.com*, True -*.pictureworks.co.za*, True -*.picturia.pl*, True -*.pictwall.com*, True -*.pidameq.cl*, True -*.pidarasnarkoman.net*, True -*.pidato.web.id*, True -*.pidmis.com*, True -*.piducantec.ml*, True -*.piecesgreen.com*, True -*.piechowski.net*, True -*.piedbridge.co.uk*, True -*.piedperler.info*, True -*.piedrabuena.com.ar*, True -*.piedrasymarmoles.cl*, True -*.pieee.org*, True -*.piegol.com*, True -*.piegowata.pl*, True -*.piekielni.tk*, True -*.pieknedlabogatych.pl*, True -*.piela.biz*, True -*.pielagoarquitectura.cl*, True -*.pielambr.be*, True -*.piel.co.za*, True -*.piemag.com*, True -*.piemonte.com.ar*, True -*.piengenharia.com.br*, True -*.piensaenmatematica.cl*, True -*.piensaprensaypega.com.mx*, True -*.piepin.com*, True -*.piepmeier.net*, True -*.piepmeier.org*, True -*.pieralisi.com.ar*, True -*.piercedmedia.com*, True -*.pierdetimpul.ro*, True -*.pierdol.to*, True -*.pierot.pl*, True -*.pierreaegerter.ch*, True -*.pierrebelvedere.com*, True -*.pierredupond.com*, True -*.pierremessiaux.ch*, True -*.pierrepercee.ch*, True -*.pierresplace.ca*, True -*.pierron.ca*, True -*.pierrou.org*, True -*.pierrson.ca*, True -*.pierwszeliceum.one.pl*, True -*.piese4x4second.ro*, True -*.pieseauto-injectoare.ro*, True -*.piesedetractor.ro*, True -*.pieseutilajelivrari.ro*, True -*.piese-yamaha.ro*, True -*.pietermaertens.eu*, True -*.pietermennes.be*, True -*.pietervanderbeck.com*, True -*.pietervanloon.tk*, True -*.pieties.net*, True -*.pietu.fi*, True -*.piezasgio.com*, True -*.pifag.ch*, True -*.pifermoveis.com*, True -*.pifermoveis.com.br*, True -*.piffermoveis.com*, True -*.piffermoveis.com.br*, True -*.pifs.hk*, True -*.piftuosv.cf*, True -*.pigarage.ca*, True -*.pighackers.com*, True -*.pighackers.co.uk*, True -*.pigidenl.cf*, True -*.pigmentweb.com*, True -*.pigscantswim.com*, True -*.pig.sg*, True -*.pigwa.net*, True -*.pihl.fi*, True -*.pihome.ga*, True -*.pii.at*, True -*.piilossa.com*, True -*.piinlife.com*, True -*.piinlife.tw*, True -*.pijace.si*, True -*.pikabollo.ru*, True -*.pikachat.fi*, True -*.pi-kan.ru*, True -*.pikavippix.fi*, True -*.pikeman327.com*, True -*.pikester.com*, True -*.piki.si*, True -*.pikislaser.gr*, True -*.pikka.co*, True -*.pikkupiironki.com*, True -*.pikolinos.md*, True -*.pikoroco.cl*, True -*.piktor-romania.ro*, True -*.pil58.co.uk*, True -*.pilarmot.com.ar*, True -*.pilas.biz*, True -*.pilas-engine.com.ar*, True -*.pilaten-shop.ru*, True -*.pilato.es*, True -*.pilat.tk*, True -*.pileofpencils.ca*, True -*.pileofpencils.com*, True -*.pileofpounds.com*, True -*.pileofpounds.co.uk*, True -*.pilesofcock.com*, True -*.pilestreatmentbd.com*, True -*.piletasdelsol.com.ar*, True -*.pilihbonusbaru.com*, True -*.pilikin.ru*, True -*.pili.one.pl*, True -*.pilith.com*, True -*.pilkingtech.com*, True -*.pillarcremations.com*, True -*.pillimpotence.com*, True -*.pilloud-michel.ch*, True -*.pillsdiet.net*, True -*.pills-ed.com*, True -*.pilmanradiant.fi*, True -*.pilmanventures.com*, True -*.pilot.hk*, True -*.pilots.tk*, True -*.pilottrainer.com*, True -*.pilotwisdom.co.uk*, True -*.pilpelkitchens.co.il*, True -*.pilr.me*, True -*.pilston.com*, True -*.piltovergaming.com*, True -*.pilz.li*, True -*.piman.com*, True -*.pimentasexshop.com.br*, True -*.pimentas.org*, True -*.pimentelfonseca.pt*, True -*.pimientosdepadron.es*, True -*.piminer.org*, True -*.pimotique.com*, True -*.pimpampum.eu*, True -*.pimpcase.cl*, True -*.pimp.co.za*, True -*.pimpim.es*, True -*.pimpmycar.ro*, True -*.pimpmypc.ro*, True -*.pinarkozanoglu.com*, True -*.pinarple.com*, True -*.pinazo.com.ar*, True -*.pinbeutel.org*, True -*.pincelesgoya.com.ar*, True -*.pinchtrading.com*, True -*.pindap.com*, True -*.pineappletopia.tk*, True -*.pinecountyabstract.com*, True -*.pinegrovemortgages.co.uk*, True -*.pineislandcomputers.com*, True -*.pinellasforeclosureoptions.com*, True -*.pineriversps.com.au*, True -*.pinero.com.ar*, True -*.pinerypointe.net*, True -*.pinetree.tk*, True -*.pinette.us*, True -*.pinetwork.ga*, True -*.pinewoodapartments.ca*, True -*.pinewoodapts.ca*, True -*.pinface.com.ar*, True -*.ping24.com*, True -*.pingafon.com*, True -*.pingan.sg*, True -*.pingaphone.net*, True -*.pinged.us*, True -*.pingflood.net*, True -*.ping-me.com.ar*, True -*.pingnetsolutions.com*, True -*.pingoneando.me*, True -*.pingpong.sg*, True -*.pingsoftware.com*, True -*.pingu-buchs.ch*, True -*.pingutella.de*, True -*.pingwin.be*, True -*.pingwin.es*, True -*.pingwin.info*, True -*.pinkamena.ru*, True -*.pink-banana.co.uk*, True -*.pinkblue.ro*, True -*.pinkerton.org.uk*, True -*.pink-games.net*, True -*.pinkisnotforme.ro*, True -*.pinklady.es*, True -*.pinkmeth.com*, True -*.pinknaturally.com*, True -*.pinkpantherauto.com*, True -*.pinkpleasuremodels.com*, True -*.pinkseda.com*, True -*.pinksubmarine.fi*, True -*.pinktank.us*, True -*.pinkvibrations.com*, True -*.pinkwrath.com*, True -*.pinload.com*, True -*.pinnaclefluids.com*, True -*.pinnacleoutback.com.au*, True -*.pinnacleservinc.com*, True -*.pinnel.com.ar*, True -*.pinner.com.au*, True -*.pinnerelite.com*, True -*.pinoshaw.com*, True -*.pinoyforums.tk*, True -*.pinoy.ml*, True -*.pinoytech.be*, True -*.pinoytips.cf*, True -*.pinoytips.ml*, True -*.pinoytips.tk*, True -*.pinphotobooth.com*, True -*.pinproject.net*, True -*.pinpunk.com*, True -*.pinsocialsites.com*, True -*.pintarkomputer.ga*, True -*.pintayborra.com.ar*, True -*.pintea.ro*, True -*.pintelectual.com.ar*, True -*.pintravel.ro*, True -*.pintsite.ca*, True -*.pintugarasisejati.com*, True -*.pintuhoki.com*, True -*.pintujati.co.id*, True -*.pintukacaaluminium.com*, True -*.pintukartu.com*, True -*.pinturasalbuerne.cl*, True -*.pinul.ro*, True -*.pinupsforacause.ca*, True -*.pinwheelpedigree.com*, True -*.pioneercovers.co.za*, True -*.pioneerprodj.ro*, True -*.pioneersands.com.au*, True -*.pio-pio.cl*, True -*.piori92.com*, True -*.piotrowski.com.ar*, True -*.pipagalvanis.com*, True -*.pipaindo.com*, True -*.pipametalconduit.com*, True -*.pipa-mjs.com*, True -*.pipanusantara.com*, True -*.pipappr.com*, True -*.pipapprmurah.com*, True -*.pipatembaga.com*, True -*.pip-boy.info*, True -*.pipboys.info*, True -*.pipboystore.info*, True -*.pipedalaw.ca*, True -*.pipedynamics.com*, True -*.pipeline.ee*, True -*.pipelinesystems.ro*, True -*.pipe-mate.co.za*, True -*.piperinaberdeen.co.uk*, True -*.pipeto.ws*, True -*.pip-guy.info*, True -*.pipguy.info*, True -*.pipipson.com*, True -*.pipitskincare.com*, True -*.pip-lad.info*, True -*.pippadog.com*, True -*.pippard.ca*, True -*.pippocket.com*, True -*.pip-positive.com*, True -*.pipub.net*, True -*.pipyouth.info*, True -*.piquecreative.com.au*, True -*.piragis.net*, True -*.piragz.id.lv*, True -*.piraino.net*, True -*.piramitad.com*, True -*.piranha.co.id*, True -*.pi-raspberry.com*, True -*.piratafilmeshd.com*, True -*.pirataloco.com*, True -*.piratebyproxy.ninja*, True -*.piratecentral.org*, True -*.pirate-factory.org*, True -*.piratesofwarcraft.com*, True -*.piratesofwarcraft.org*, True -*.piratesware.net*, True -*.piratetale.ro*, True -*.piratewired.com*, True -*.piratez-crew.com*, True -*.pire-hue.com.ar*, True -*.pirestem.com*, True -*.pirraglia.com.ar*, True -*.pirrone.com.ar*, True -*.pirsuprint.co.il*, True -*.pisa.com.br*, True -*.pisb.org*, True -*.piscineecologice.ro*, True -*.piscola.cl*, True -*.piskuno.com*, True -*.pismagrup.tk*, True -*.pismootdedamoroza.tk*, True -*.pisoca.com*, True -*.pisosflotantesku.cl*, True -*.pisostino.com.ar*, True -*.pissurno.com*, True -*.pisswasser.ch*, True -*.pissybeer.com*, True -*.pistachoychocolate.com.ar*, True -*.pistadebaile.cl*, True -*.pistonwristpin.net*, True -*.pis-vi.tk*, True -*.piszczac.pl*, True -*.pi-tagorin.com*, True -*.pitakill.net*, True -*.pitam.info*, True -*.pita-nilon-satin.com*, True -*.pitazofinal.com.ar*, True -*.pitbullgym.es*, True -*.pit.ee*, True -*.piterzub.ru*, True -*.pitfieldhomes.com*, True -*.pitkit.org*, True -*.pitlobra.ro*, True -*.pits.cl*, True -*.pit-server.us*, True -*.pittaro.com.ar*, True -*.pittentrepreneur.com*, True -*.pittetmachine.ch*, True -*.pittipalace.it*, True -*.pittipalazzo.it*, True -*.pittipitti.com*, True -*.pittistyle.it*, True -*.pittsburghwenches.com*, True -*.pitunghosting.com*, True -*.pitunghosting.net*, True -*.pityoka.ro*, True -*.pitzakhor.ir*, True -*.piuforte.com.ar*, True -*.piuwifi.com*, True -*.pivert.org*, True -*.pivet.de*, True -*.pivka.biz*, True -*.pivkap.com*, True -*.pivkap.si*, True -*.pivpn.tk*, True -*.piwka.tk*, True -*.piwollo.pl*, True -*.pixel8ed.org*, True -*.pixelatedmagazine.com*, True -*.pixelatedmag.com*, True -*.pixelengineered.com*, True -*.pixelfaucet.com*, True -*.pixelforyou.ru*, True -*.pixelfucker.com*, True -*.pixelfucker.org*, True -*.pixelhaven.com*, True -*.pixel-host.ir*, True -*.pixelknights.com.ar*, True -*.pixelmon-otarisland.co.uk*, True -*.pixelmountainstudio.com*, True -*.pixelsbloom.ro*, True -*.pixelstatic.net*, True -*.pixeltech.us*, True -*.pixtoria.com*, True -*.piyale.ir*, True -*.piyonir.si*, True -*.pizarradeportiva.net*, True -*.pizdoss.ru*, True -*.pizzabest12.ro*, True -*.pizzabox.fi*, True -*.pizzadellamamma.com*, True -*.pizzaepizza.co.il*, True -*.pizzaexpressonline.com.ar*, True -*.pizzaguyquest.com*, True -*.pizzakasbarg.com*, True -*.pizzalaatikko.net*, True -*.pizzamarket.co.il*, True -*.pizzamonster.org*, True -*.pizzapark.com.ar*, True -*.pizzaproblems.com*, True -*.pizzatkotiin.fi*, True -*.pizzeriacarlo.pl*, True -*.pizzeria-da-franco.ch*, True -*.pizzeriadelexpo.ch*, True -*.pizzeriaexpress.com.ar*, True -*.pizzerianapoli.ca*, True -*.pizzeriaroserouge.ch*, True -*.pizzerija-corner.com*, True -*.pizzinha.com.br*, True -*.pjabogados.com.ar*, True -*.pjap.in*, True -*.pjgaming.com*, True -*.pjhike.com*, True -*.pjmuir.com*, True -*.pjpautos.com*, True -*.pkandel.com.np*, True -*.pkdk-almuhammadi.com*, True -*.pkduong.net*, True -*.pkfeisner.com*, True -*.pkfeisner.us*, True -*.pkharel.com.np*, True -*.pkiconsultants.com*, True -*.pkiconsultants.net*, True -*.pkidesign.com*, True -*.pkiservices.co.uk*, True -*.pklog.tk*, True -*.pknet.us*, True -*.pkoretic.net*, True -*.pkrjk.org.my*, True -*.pksejahtera.net*, True -*.pksnet.com*, True -*.pkspiyungan.tk*, True -*.pkt66.com*, True -*.p--k.tk*, True -*.pkvanbuiten.co.uk*, True -*.plaba.org*, True -*.place-a-la-rue.eu*, True -*.placeboagency.it*, True -*.placementjunction.in*, True -*.place-of-start.jp*, True -*.placeresdelamesa.es*, True -*.placersocial.com*, True -*.places.sg*, True -*.placeswelove2go.nl*, True -*.plackers.tw*, True -*.placosona.com*, True -*.pladd.net*, True -*.plam2u.com*, True -*.plamec.ch*, True -*.plan22.com*, True -*.planas.cat*, True -*.planbltda.cl*, True -*.plancar.com.br*, True -*.plancuatro.com.ar*, True -*.planeseek.com*, True -*.planetabbshop.com.ar*, True -*.planetabocajuniors.com.ar*, True -*.planetafisico.com.br*, True -*.planetagua.net*, True -*.planetapro.com*, True -*.planetaprodental.com*, True -*.planetary-drives.com*, True -*.planetatoys.cl*, True -*.planetauita.com.ar*, True -*.planet-barclay.com*, True -*.planetbeachfowler.com*, True -*.planetblood.net*, True -*.planet-blue.in*, True -*.planetbookstore.hk*, True -*.planetcrafters.info*, True -*.planetf.net*, True -*.planet-hardwick.com*, True -*.planetharga.net*, True -*.planetjdk.org*, True -*.planetlowcarb.co.za*, True -*.planetmainan.co.id*, True -*.planetmainan.com*, True -*.planetmp3.net*, True -*.planetnzx.com*, True -*.planetofdeath.com*, True -*.planetonaut.com*, True -*.planetonautica.com*, True -*.planetonautica.net*, True -*.planetonautica.org*, True -*.planetonautica.ru*, True -*.planetonaut.net*, True -*.planetonaut.org*, True -*.planetonaut.ru*, True -*.planetonauts.com*, True -*.planetonauts.net*, True -*.planetonauts.org*, True -*.planetonauts.ru*, True -*.planetroute.com*, True -*.planet-safety.com*, True -*.planetsnet.co.uk*, True -*.planettoyz.com*, True -*.planetweb.net.au*, True -*.planhaccp.ca*, True -*.planhaccp.com*, True -*.planhaccp.info*, True -*.planhaccp.net*, True -*.planhaccp.org*, True -*.planificatuviaje.cl*, True -*.planindus.cl*, True -*.planit.su*, True -*.planktonboy.co.uk*, True -*.plannedinsurance.com*, True -*.planovi.info*, True -*.plansetter.com*, True -*.plansfromtitle.net*, True -*.plantah2oasis.cl*, True -*.plantaslamparassuculentasycactus.cl*, True -*.plantaslara.com*, True -*.plantationpalms.com.au*, True -*.planteatsun.com*, True -*.plantefolie.com*, True -*.plantheplan.com*, True -*.plants-in-pots.com.au*, True -*.plantsinpots.com.au*, True -*.plantsometime.com*, True -*.planuspeha.ru*, True -*.plaph.org*, True -*.plaranjeira.pt*, True -*.plarz.it*, True -*.plas.cl*, True -*.plaskart.ru*, True -*.plaslaiko.net*, True -*.plasmadisplays.co.za*, True -*.plasmasms.com*, True -*.plasmatv.co.za*, True -*.plassmann.com*, True -*.plasson.com.ar*, True -*.plastic321.com*, True -*.plasticbag.gr*, True -*.plasticoat.co.za*, True -*.plasticosjunin.com.ar*, True -*.plasticotaga.com*, True -*.plastic-packaging-machinery.com*, True -*.plasticproductmfg.com*, True -*.plasticutilitysystems.ro*, True -*.plastikajayarubber.com*, True -*.plastinki.info*, True -*.plastium.com.ar*, True -*.plastoiran.ir*, True -*.plast.one.pl*, True -*.plastparts.ind.br*, True -*.plastster.tk*, True -*.plastupan.com.br*, True -*.plasvi.cl*, True -*.plataformaam.com*, True -*.plataformaelmolino.cl*, True -*.plataformalianca.mx*, True -*.plataformaplasmatic.com.ar*, True -*.plataintretinere.ro*, True -*.platalappas.com.ar*, True -*.plataniasmare.gr*, True -*.platbajastainless.com*, True -*.platbiten.se*, True -*.plateauofleng.com*, True -*.plating.ru*, True -*.platinumappliancerepairs.com.au*, True -*.platinum.com.ar*, True -*.platinummad.com*, True -*.platinumnetworks.tk*, True -*.platinumpublications.co.za*, True -*.platinumtrusttax.com*, True -*.platjadaro.ru*, True -*.plato2011.com*, True -*.platollc.com*, True -*.platontr.com*, True -*.platoscave.ch*, True -*.platosfera.cl*, True -*.plawgo.pl*, True -*.play001.com*, True -*.play001.net*, True -*.play4free.org*, True -*.play4friends.nl*, True -*.play4fun.ro*, True -*.play9115.com*, True -*.play-aaa.com*, True -*.play-aa.com*, True -*.playafterdark.com*, True -*.playah.in*, True -*.play.ai*, True -*.playasian.com*, True -*.playco.cl*, True -*.playduda.com*, True -*.playersdiner.com*, True -*.playertag.net*, True -*.playertag.xyz*, True -*.playfit.com.ar*, True -*.playforex.cf*, True -*.playforex.ga*, True -*.playforex.ml*, True -*.playfullandwet.com*, True -*.playfv.com*, True -*.playgame247.net*, True -*.playgiga.com*, True -*.playgroundbh.com.br*, True -*.playingwithpower.com*, True -*.playit.dj*, True -*.playlist.com.ar*, True -*.playlist-jkt48.com*, True -*.playmedownload.tk*, True -*.playminecraft.tk*, True -*.playnaked.ro*, True -*.playneutrino.tk*, True -*.play-online-casino.co.za*, True -*.playop.net*, True -*.playpokeronline.cf*, True -*.playpro.ro*, True -*.playsmart.me*, True -*.playstationtv.co*, True -*.playstationtv.info*, True -*.playsteph310.tk*, True -*.playster.ru*, True -*.playt.tk*, True -*.playtut.com*, True -*.playz.ml*, True -*.plazadecredito.com.br*, True -*.plaza-h.com*, True -*.plazamukena.com*, True -*.plazamx.com*, True -*.plazapadelclub.com.ar*, True -*.plazapanoramica.com*, True -*.plazaterminal.cl*, True -*.plazik.pl*, True -*.plc100.info*, True -*.plc-assist.com.ar*, True -*.plc-consulting.com.ar*, True -*.plc-consultores.com*, True -*.plc-consultores.com.ar*, True -*.plc-help.com.ar*, True -*.plc-responde.com.ar*, True -*.plcscada.cl*, True -*.plc-seguros.com*, True -*.plc-seguros.com.ar*, True -*.plcseguros.com.ar*, True -*.pleasecome.in*, True -*.pleasureboaters.com*, True -*.pleasuresnow.ch*, True -*.pleb.ca*, True -*.pledgeitforward.org*, True -*.pleer68.ch*, True -*.pleiades-ti.net*, True -*.plein11b.be*, True -*.plenamente.cl*, True -*.plenario.com.ar*, True -*.plengeh-services.com*, True -*.plentet.dj*, True -*.plentygistdey.com*, True -*.plentyrealestate.com.au*, True -*.plescan.ro*, True -*.pleskanje.si*, True -*.plesnicar1.tk*, True -*.plexo.cc*, True -*.plex.pw*, True -*.plexus.pt*, True -*.plgd.org*, True -*.plgod.in*, True -*.plicosa.cl*, True -*.plinfo.ru*, True -*.plings.in*, True -*.plinto.cl*, True -*.plitomix.ru*, True -*.plm.com.ve*, True -*.plmmsd.com*, True -*.plmmsd.us*, True -*.plmm.tw*, True -*.plmp.com.my*, True -*.pln.ca*, True -*.plnntt.co.id*, True -*.plnntt.com*, True -*.pln.or.id*, True -*.plocki.me*, True -*.plomoelectro.com.mx*, True -*.plomoelectro.mx*, True -*.plop.co.za*, True -*.ploso.desa.id*, True -*.plot57.com*, True -*.plotar.org*, True -*.ploters.eu*, True -*.plotgraphs.com*, True -*.plotitsyn.net*, True -*.plotprint.com.ar*, True -*.plotter-ufa.ru*, True -*.plover.com.au*, True -*.plpi.pl*, True -*.plprojects.co.uk*, True -*.plprojects.net*, True -*.plr-payerne.ch*, True -*.plsyazilim.tk*, True -*.pltimes.net*, True -*.plu0.ga*, True -*.plugbox.org*, True -*.plugchatin.com*, True -*.plugget.org*, True -*.plugit.us*, True -*.plug.org.ve*, True -*.plugs.it*, True -*.pluizer.nl*, True -*.plumptonhotel.com.au*, True -*.pluri.ro*, True -*.plurk-de-dag.com*, True -*.plus2promos.com*, True -*.plus3dev.ca*, True -*.plusgadget.web.id*, True -*.plusherpixels.com*, True -*.plushessex.co.uk*, True -*.plushieco.com*, True -*.plusit.com.ar*, True -*.plusllp.com*, True -*.plusmanagement.com.ar*, True -*.plusmanagementsrl.com.ar*, True -*.plusnotes.pl*, True -*.plusphotography.co.uk*, True -*.plutostudios.co.il*, True -*.plux.fi*, True -*.pluz.com.ar*, True -*.pluz.es*, True -*.plwgroup.com*, True -*.plwgroup.com.ar*, True -*.plx.com*, True -*.plymouth.com.ve*, True -*.plzkthx.info*, True -*.plzkthx.net*, True -*.plzkthx.org*, True -*.pm4all.org*, True -*.pmail.com.br*, True -*.pmail.us*, True -*.pm-art.ru*, True -*.pmbcctv.co.za*, True -*.pmc-gotrust.com*, True -*.pmcgroup.com.ar*, True -*.pmconsultants.to*, True -*.pmeassist.com*, True -*.pmei.ch*, True -*.pmidkijakarta.or.id*, True -*.pmihunlam.ac.id*, True -*.pmis-m.be*, True -*.pmixins.com*, True -*.pmjn.co.id*, True -*.pmlunch.ro*, True -*.pmm.tw*, True -*.pmnb.net*, True -*.pmnth.tk*, True -*.pmp66.com*, True -*.pmp77.com*, True -*.pmpdoubleshot.com*, True -*.pmr.my*, True -*.pmspal.com*, True -*.pmtech.cl*, True -*.pmt.tw*, True -*.pmza.ch*, True -*.pmzo.com*, True -*.pneumaticdistributor.com*, True -*.pneumaticmurah.com*, True -*.pnit.ir*, True -*.pnl.net.au*, True -*.pnlovidiu.ro*, True -*.pnphanoi.com*, True -*.pnp-services.tk*, True -*.pnpvn.com*, True -*.pntl.tl*, True -*.pnwblanks.com*, True -*.pnwvapor.com*, True -*.pnzec.com*, True -*.po-007.net*, True -*.po-77.net*, True -*.poamz.ru*, True -*.pobieracz.net*, True -*.poblenet.info*, True -*.poblenet.mobi*, True -*.poblenet.net*, True -*.poblenet.org*, True -*.pobletetaborda.com.ar*, True -*.pocall.net*, True -*.pocej.com*, True -*.poceni-letalske-karte.si*, True -*.poceni-letalske-vozovnice.si*, True -*.poceniletalskevozovnice.si*, True -*.pocepoke.ml*, True -*.pocfm.ro*, True -*.pochetao.com.br*, True -*.pocho.cl*, True -*.pochol.org*, True -*.pocitif.com*, True -*.pocket-beatbox.com*, True -*.pocketinventory.net*, True -*.pocketlinesman.com*, True -*.pocketninja.co.uk*, True -*.pocknee.com*, True -*.po.cl*, True -*.pocoapoco.se*, True -*.pocongnuyul.net*, True -*.pocosoftware.com*, True -*.pocsys.com*, True -*.podalvendas.com.br*, True -*.podam.tk*, True -*.podbortura.com*, True -*.podcastee.com*, True -*.podcastit.fi*, True -*.poderosoesquadrao.com.br*, True -*.poderosoesquadraodeaco.com.br*, True -*.podgornikaljaz.tk*, True -*.podhaven.com*, True -*.podhorou.eu*, True -*.podilatespatras.org*, True -*.podil.cz*, True -*.podium.ru*, True -*.podnikanie-reality.sk*, True -*.podoabe.ro*, True -*.podologie-schlaeppi.ch*, True -*.podolski.org*, True -*.podovan.ru*, True -*.podpod.ml*, True -*.podterka.com*, True -*.podzah.fi*, True -*.podzarabotai.ru*, True -*.podziekuj.im*, True -*.poecantmine.com*, True -*.poehome.com*, True -*.poehouse.us*, True -*.poemsthatmakeyoucry.net*, True -*.poeticafotografica.ro*, True -*.poetra.asia*, True -*.poetra.club*, True -*.poetra.ninja*, True -*.poetrihouse.org*, True -*.poetrikhaznah99.tk*, True -*.poetrybox.us*, True -*.poetrymeanings.com*, True -*.poetrymeanings.net*, True -*.poetrymeanings.org*, True -*.poetsofthefall.fi*, True -*.poeziimd.com*, True -*.pogibbq.com*, True -*.pogorevc.com*, True -*.pogramkran.net*, True -*.pogranec.com*, True -*.pogranichnik.com*, True -*.pohchiat.com*, True -*.pohina.fi*, True -*.pohistvo-lig.si*, True -*.pohley.org*, True -*.pohydeli.ru*, True -*.poikontalkkari.fi*, True -*.poi.li*, True -*.poincianaparkelementary.com*, True -*.point2hk.com*, True -*.point4.ro*, True -*.point5.ch*, True -*.pointandina.com.pe*, True -*.pointandina.pe*, True -*.pointerinformatica.com.br*, True -*.pointer.lv*, True -*.point.me*, True -*.points.nu*, True -*.pointwebinternet.com*, True -*.pointyc.at*, True -*.poisk.ua*, True -*.poisonapple.net*, True -*.poisonedpc.com*, True -*.poitour.ch*, True -*.poj.ir*, True -*.pojokbola.asia*, True -*.pojokkita.com*, True -*.poka-poker.com*, True -*.pokedexmc.net*, True -*.pokegen.org*, True -*.pokehub.info*, True -*.pokemaniaticos.com.ar*, True -*.pokemonmegaman.net*, True -*.pokenaustralia.com*, True -*.pokenaustralia.com.au*, True -*.pokenbusiness.com.au*, True -*.pokenevent.com.au*, True -*.pokengine.org*, True -*.poken.net.au*, True -*.pokenoz.com*, True -*.pokenoz.com.au*, True -*.pokensocial.com.au*, True -*.poker1st.com*, True -*.poker-analytics.com*, True -*.pokerbbc.com*, True -*.pokerclub.cf*, True -*.pokerclub.pw*, True -*.pokerhero.hk*, True -*.poker.net.br*, True -*.pokerprotege.com*, True -*.poker-texas.ru*, True -*.pokesmot.org*, True -*.pokeyiff.net*, True -*.pokharelprabhat.com.np*, True -*.pokhvistnevo.ru*, True -*.pokiestools.com*, True -*.pokiestools.com.au*, True -*.pokkisenkokoomus.fi*, True -*.pokorny.tv*, True -*.pol77.ch*, True -*.polaco.pro.br*, True -*.polaczyk.com*, True -*.poland-geigenbau.ch*, True -*.polanek.ro*, True -*.polariband.com*, True -*.polarisbooks.net*, True -*.polarispartsaustralia.com*, True -*.polarispartsaustralia.com.au*, True -*.polatyolcloud.com*, True -*.polcaro.com.ar*, True -*.polco.cl*, True -*.polcsloco.tk*, True -*.polenes.com*, True -*.polente.mx*, True -*.polestar-astrology.com*, True -*.polestv.ru*, True -*.poleti.si*, True -*.polet-z-balonom.si*, True -*.poletzbalonom.si*, True -*.polgar.ro*, True -*.policeperks.com*, True -*.policlinicjbay.co.za*, True -*.policy.cz*, True -*.polidom.cl*, True -*.poliglo.io*, True -*.poliklinika.si*, True -*.polimedlab.ro*, True -*.polimont.com.br*, True -*.polinesia.com.ar*, True -*.poli-prod.ro*, True -*.polipropileno.cl*, True -*.poliroll.com.pe*, True -*.polischak.com*, True -*.polisradio.net*, True -*.polissya.eu*, True -*.politecommunications.com*, True -*.politicalsabotage.com*, True -*.politicaltensions.com*, True -*.politicalwomenus.com*, True -*.politicapp.com.ar*, True -*.politico.ch*, True -*.politicsglobal.com*, True -*.politistikocamping.gr*, True -*.politologie.ro*, True -*.politologues.org*, True -*.poli-toonnation.com*, True -*.polkabana.com*, True -*.polkadotpuppysale.com*, True -*.pollard.co.za*, True -*.pollen8studios.com*, True -*.pollicos.es*, True -*.polliensa.ch*, True -*.pollifeedchick.com*, True -*.pollinett.net*, True -*.pollion.ru*, True -*.polloselseven.com.ve*, True -*.polmed.web.id*, True -*.polnewstv.com*, True -*.poloairhk.com*, True -*.pololabrau.com.ar*, True -*.polonisgroup.com*, True -*.polonisgroup.ru*, True -*.polovic.si*, True -*.polskieseriale.org*, True -*.polslona.com*, True -*.poltekkes-malang.web.id*, True -*.polteksurabaya.ac.id*, True -*.poltergiest.net*, True -*.poltspics.com*, True -*.polttoainelaskuri.fi*, True -*.poluchit-dengi-nazad.ru*, True -*.polyagrocv.com.ar*, True -*.polygonproduction.com*, True -*.polyhedramath.com*, True -*.polymorphed.com*, True -*.polymorphed.net*, True -*.poly-success.com*, True -*.polytama.co.id*, True -*.polytama.com*, True -*.polytamapropindo.co.id*, True -*.polytamapropindo.com*, True -*.poly-tech.ir*, True -*.polytechnicnews.com*, True -*.polytonic.net*, True -*.polyverse.info*, True -*.polyvolley.com*, True -*.pom5.com*, True -*.pomade.my*, True -*.pomadu.com*, True -*.pombais.pt*, True -*.pomegranateatthemarket.com*, True -*.pomegranateatthemarket.info*, True -*.pomegranateatthemarket.net*, True -*.pomegranateatthemarket.org*, True -*.pomezny.ch*, True -*.pomezny.com*, True -*.pomhendo.com*, True -*.pomiarygeodezyjne.pl*, True -*.pommer.ch*, True -*.pommpie.com*, True -*.pomnibeslan.ru*, True -*.pompanoparadise.com*, True -*.pompereventos.com.br*, True -*.pompesfunebrescalame.ch*, True -*.pompeyasoundxtreme.com.ar*, True -*.pompoprom.ru*, True -*.pompyst.ro*, True -*.pomsny.com*, True -*.pomsys.biz*, True -*.pomsys.info*, True -*.pomsys.name*, True -*.pomsys.net*, True -*.pomsys.org*, True -*.pona.tw*, True -*.ponceconstrucciones.com.ar*, True -*.ponceconsulting.com*, True -*.poncepenalva.com.ar*, True -*.pondokciparay.com*, True -*.pondokgadget.web.id*, True -*.pondus.com.au*, True -*.ponerlearte.com.ar*, True -*.pone.us*, True -*.pong45.com*, True -*.ponja.com.ar*, True -*.ponowa.com*, True -*.ponowa.net*, True -*.ponr.fi*, True -*.pontaodeculturaguaicuru.org.br*, True -*.pontawireless.net*, True -*.pontelinda.cl*, True -*.pontianakseo.web.id*, True -*.pontoalimentar.com*, True -*.pontoeste.com.br*, True -*.pontoexe.net.br*, True -*.pontoexport.com*, True -*.ponton.pw*, True -*.pontu.ca*, True -*.ponyasha.ru*, True -*.ponyexpresstours.com*, True -*.ponyfurniture.ir*, True -*.ponyhost.xyz*, True -*.ponymedia.com.ar*, True -*.pony.org.ru*, True -*.poobbs.net*, True -*.poobbs.org*, True -*.poochiepalace.com.au*, True -*.poochypals.co.uk*, True -*.poohbear.name*, True -*.pook.net.au*, True -*.poolcontroller.com*, True -*.pooled-mining.com*, True -*.poolerbaldinos.com*, True -*.poo.li*, True -*.poolnoodl.com*, True -*.poolprofessor.com*, True -*.pooltex.co*, True -*.poolworldleague.com*, True -*.poonet.ga*, True -*.poonhk.com*, True -*.poopcloud.com*, True -*.poorbutproud.com*, True -*.poormanscow.com*, True -*.poormatt.com*, True -*.pooyaalavian.com*, True -*.popairina.ro*, True -*.popcon.io*, True -*.popculturefan.com*, True -*.popculturelab.ca*, True -*.popefrancismonitor.com*, True -*.popescu.biz*, True -*.popescu.co*, True -*.popescul.ro*, True -*.popeye.club*, True -*.popgare.pt*, True -*.popi.st*, True -*.popitonmetmedia.pw*, True -*.popmusicmp3.net*, True -*.popov-rv.ru*, True -*.poppasan.com*, True -*.poppen.pw*, True -*.poppertherabbit.com*, True -*.poppianddoc.com*, True -*.poppress.com.au*, True -*.popp.tk*, True -*.popro.fi*, True -*.popsamustdie.net*, True -*.popscoach.net*, True -*.popsiclesticks.cf*, True -*.popsilion.ro*, True -*.popsuniversity.net*, True -*.poptour.com.ar*, True -*.populix.net*, True -*.popupnet365.com*, True -*.pop-up-shop.cl*, True -*.popupstore.com.ar*, True -*.poq55.com*, True -*.poq77.com*, True -*.poq88.com*, True -*.poq99.com*, True -*.poradnik.org*, True -*.porcate.org*, True -*.porcherie.org*, True -*.porettiarredamenti.ch*, True -*.porfa.cl*, True -*.porgula.cl*, True -*.porik.net*, True -*.porjai.gq*, True -*.porjaikrub.tk*, True -*.porlasramas.net*, True -*.pormudarme.com*, True -*.porn2share.com*, True -*.porn-3gp.net*, True -*.pornbongo.com*, True -*.pornbyclick.com*, True -*.porncast.tv*, True -*.porndroll.com*, True -*.pornfactory-in.eu*, True -*.porngo.at*, True -*.pornleecher.org*, True -*.porno-05.ru*, True -*.porno2012.ru*, True -*.porno720hd.ru*, True -*.pornobanda.com*, True -*.pornodama.mobi*, True -*.porno-doyki.ru*, True -*.porno-i-sex.com*, True -*.porno-kopilka.ru*, True -*.pornoku.com*, True -*.pornolob.net*, True -*.pornomina.net*, True -*.porno-sasisa.ru*, True -*.pornosexstube.com*, True -*.pornosklad.org*, True -*.porno-teen.ru*, True -*.porno-tegos.ru*, True -*.pornovr.co*, True -*.porno-weprik.ru*, True -*.pornphase.com*, True -*.pornphase.net*, True -*.pornsiteads.com*, True -*.pornsitesurf.com*, True -*.pornsyte.com*, True -*.pornsytes.com*, True -*.pornvideosurf.com*, True -*.pornzz.su*, True -*.porodywwodzie.one.pl*, True -*.porolissumproject.ro*, True -*.porpoisepurpose.com*, True -*.porschehistory.ru*, True -*.porschespeed.com*, True -*.porschperformance.ch*, True -*.porseshkadeh.com*, True -*.porseshkadeh.ir*, True -*.porshnev.net*, True -*.port0.org*, True -*.port25.co.za*, True -*.port443.us*, True -*.port82.net*, True -*.portabicicletas.cl*, True -*.portablepi.com*, True -*.portacontainer.com.br*, True -*.portafolio.com*, True -*.portailpublic.org*, True -*.portal24.cl*, True -*.portalagu.com*, True -*.portalcollipulli.cl*, True -*.portalconsorcios.com*, True -*.portalconsorcios.com.ar*, True -*.portalcyber.us*, True -*.portaldeconsorcios.com*, True -*.portaldeexpensas.com.ar*, True -*.portaldosregistros.com.br*, True -*.portalesalsomaggiore.net*, True -*.portalexpensas.com*, True -*.portalfmonline.com.br*, True -*.portalgamesps3.com.ar*, True -*.portal-gtarailroad.ru*, True -*.portal-ima.ro*, True -*.portalinc.org*, True -*.portalindustries.org*, True -*.portal-iomc.ro*, True -*.portal-istiqlal.net*, True -*.portalmalleco.cl*, True -*.portalmed.ro*, True -*.portaloptima.co.id*, True -*.portal.pk*, True -*.portalpmp.com.br*, True -*.portalreservas.cl*, True -*.portalsg.com*, True -*.portalshare.us*, True -*.portalsukoharjo.com*, True -*.portaltablet.com*, True -*.portalweb.in*, True -*.portasia.com.pk*, True -*.portasmeg.com.br*, True -*.portavitae.cl*, True -*.portbagajeauto.info*, True -*.portbros.com*, True -*.portbros.com.au*, True -*.portdescanonge.net*, True -*.porteghalsabz.com*, True -*.porteghalsabz.ir*, True -*.portekengineering.com*, True -*.portek.net.au*, True -*.portela.ch*, True -*.portelapg.co.za*, True -*.portenisima-ba.com.ar*, True -*.portent.co.za*, True -*.porteous.us*, True -*.portepim.pt*, True -*.portezuelo.com.ar*, True -*.portfelipro.net*, True -*.portfoliobevec.com*, True -*.portfood.com.mx*, True -*.portheine.biz*, True -*.portheine.cc*, True -*.portkochi.in*, True -*.portkod.se*, True -*.portmacquariecitycomputers.com.au*, True -*.portmannundglueck.ch*, True -*.portobio.com*, True -*.portocanal.pt*, True -*.portoescondido.com.br*, True -*.portorangearea.com*, True -*.portorangehouse.com*, True -*.portorangehousing.com*, True -*.portoroski-zbor.net*, True -*.portorozan.si*, True -*.portostar.com*, True -*.portrait-photos.org*, True -*.portseven.ch*, True -*.portsmouthcamrabeerex.co.uk*, True -*.portsoft.com.ar*, True -*.portsoftus.com*, True -*.portugraal.net*, True -*.portugueseclub.ca*, True -*.portuzenkov.ru*, True -*.portwire.com*, True -*.portzero.net*, True -*.porukka.fi*, True -*.porumbeievenimente.ro*, True -*.porvia.cl*, True -*.porwisz.com*, True -*.porwisz.eu*, True -*.posa.biz*, True -*.posadasavisos.com.ar*, True -*.posad.com.my*, True -*.posapple.com*, True -*.poscribes.com*, True -*.posercam.de*, True -*.poshbaby.co.za*, True -*.poshcode.net*, True -*.poshmistress.com*, True -*.posidelkino.com*, True -*.posidelkino.info*, True -*.posiflow.com*, True -*.positano.tk*, True -*.position.hu*, True -*.positivebits.com*, True -*.positivemc.tk*, True -*.posix.in*, True -*.posmx.com*, True -*.posnetrio4.com.ar*, True -*.posnetriocuarto.com.ar*, True -*.posnetrioiv.com.ar*, True -*.pospandeglang.com*, True -*.possaveiculos.com.br*, True -*.possessed.us*, True -*.possumgrove.com.au*, True -*.postage.hk*, True -*.postanoua.md*, True -*.postapush.com*, True -*.postboxdigital.com*, True -*.posterscope.com.tw*, True -*.posterus.ca*, True -*.postgraduate2015.co.za*, True -*.posthardcore.ru*, True -*.post-hardcor.ru*, True -*.posthardcor.ru*, True -*.postid.ga*, True -*.postie.org*, True -*.posti.ga*, True -*.postinteractive.org*, True -*.post-islam.com*, True -*.postliker.me*, True -*.postojna.cn*, True -*.postojna-rooms-cehovin.si*, True -*.postojna.us*, True -*.posto.tk*, True -*.postow.com*, True -*.postow.net*, True -*.postoyalki.ru*, True -*.potapova8.ru*, True -*.potaso.co.uk*, True -*.potatoes.ch*, True -*.potato-gaming.com*, True -*.potatolane.co.uk*, True -*.potatoworld.com.au*, True -*.potcreamkosmetik.com*, True -*.poteica.com*, True -*.poten33.com*, True -*.potenteu.ro*, True -*.potentialspace.com*, True -*.potentialspace.com.au*, True -*.potenzblog.de*, True -*.potetball.net*, True -*.potomacbass.com*, True -*.potomacriversafetycommittee.org*, True -*.pot.pt*, True -*.potrerorc.cl*, True -*.potrios.com*, True -*.pottenkulam.com*, True -*.potterhome.net*, True -*.potterieshackspace.org*, True -*.pottersfarmcondos.com*, True -*.pottersoceansidemotel.com.au*, True -*.potterspride.net*, True -*.pottgaming.de*, True -*.pottm.com*, True -*.potvindover.ca*, True -*.potvin-levis.ca*, True -*.poudelbikash.com.np*, True -*.poundstone.co.uk*, True -*.poundsysadmins.com*, True -*.pouparina.cl*, True -*.pourar.com*, True -*.pourbaix.arq.br*, True -*.pourfarzam.ir*, True -*.pourganji.ir*, True -*.pourthing.com*, True -*.pousadagg.com.br*, True -*.pousadajoaodebarros.com.br*, True -*.pousadaodante.com.br*, True -*.poutiat.com*, True -*.povah.co*, True -*.povestiriadevarate.ro*, True -*.povestiri.ro*, True -*.powab.pl*, True -*.powah.gq*, True -*.powderbros.com*, True -*.powecraft.ga*, True -*.powellairplane.org*, True -*.powellitconsulting.com*, True -*.power4.asia*, True -*.poweradm.org*, True -*.powerbrownie.com.br*, True -*.powercatfan.com*, True -*.powerclique.com*, True -*.powercold.com.ar*, True -*.powercontrol.in*, True -*.powered-by-weed.org*, True -*.powereduplife.com*, True -*.powerfitnesstraining.co.uk*, True -*.powergraphx.net*, True -*.powergrim.nl*, True -*.powerhi.com*, True -*.powerhouse.gr*, True -*.powerhousegym.es*, True -*.powerinternetradio.com*, True -*.power-king.ga*, True -*.power-king.tk*, True -*.power-link.hk*, True -*.power-media.ro*, True -*.powermotors.com.br*, True -*.powernearme.com*, True -*.poweroverair.com*, True -*.power-promotion.ro*, True -*.powerranking.com*, True -*.powerriddle.com*, True -*.powerrising.hk*, True -*.powersat.org*, True -*.powersearcher.in*, True -*.powershell.co.za*, True -*.powershop.co.za*, True -*.powersland.org*, True -*.powersolutions.net.au*, True -*.powersportsandrvcanada.com*, True -*.powersportscanada.ca*, True -*.powersportscanada.com*, True -*.powerstock.eu*, True -*.powersynergy.in*, True -*.power-tech.pk*, True -*.powerwolf.ca*, True -*.powerxtreme.com.ar*, True -*.poweryouon.com.ar*, True -*.powhatanequestrian.com*, True -*.pownall.com.au*, True -*.powny.nl*, True -*.pow-travel.com*, True -*.powwowstudios.com*, True -*.pox33.com*, True -*.pox77.com*, True -*.pox88.com*, True -*.pox99.com*, True -*.poxet.com.ar*, True -*.poyu.su*, True -*.pozabljiv.si*, True -*.pozarowa.pl*, True -*.pozarowe.pl*, True -*.pozdronet.ga*, True -*.poze-bucuresti.ro*, True -*.pozebucuresti.ro*, True -*.poze-magice.ro*, True -*.pozemagice.ro*, True -*.poze-nunta.ro*, True -*.pozitii.ro*, True -*.pozkids.com*, True -*.poznasii.ro*, True -*.poznasi.ro*, True -*.poznasul.ro*, True -*.pozzulani.com*, True -*.pp25server.com*, True -*.pp680.com*, True -*.pp-7979.com*, True -*.pp820.com*, True -*.pp990.com*, True -*.ppalma.cl*, True -*.ppandac.com*, True -*.ppaperangel.com*, True -*.ppaper.net*, True -*.ppaudio.co.za*, True -*.ppautopart.com*, True -*.ppbats.com*, True -*.ppbb-vip.com*, True -*.ppcheck.in*, True -*.ppchyun.tk*, True -*.ppcis.org*, True -*.ppconsultingsrl.com.ar*, True -*.ppcpulsa.cf*, True -*.ppcv.co.za*, True -*.ppcwaper.com*, True -*.ppdb-bm400.com*, True -*.ppdbsolo.net*, True -*.ppdbsukoharjo.net*, True -*.ppddiasi.ro*, True -*.ppesa.org*, True -*.ppgroups.net*, True -*.ppiln.ml*, True -*.pp-itsolutions.ro*, True -*.ppj-palvelut.fi*, True -*.ppmdarulistiqomah.com*, True -*.ppmg.com.ar*, True -*.ppmonitor.info*, True -*.ppn333.com*, True -*.ppn555.com*, True -*.ppnorma.ru*, True -*.ppnpradio.com*, True -*.ppobkita.com*, True -*.ppp-24.com*, True -*.ppp-2580.com*, True -*.pppmis.com*, True -*.ppppp.eu*, True -*.ppql.cl*, True -*.pprint.com.my*, True -*.pprint.kz*, True -*.pprivasvaciamadrid.com*, True -*.ppw.cl*, True -*.ppy.ru*, True -*.pqn.cl*, True -*.pr0head.com*, True -*.pr0j3c7.co.uk*, True -*.pr0x.de*, True -*.pr3dnet.org*, True -*.pr7only.com*, True -*.prabalt.com.np*, True -*.pracht.cf*, True -*.practical-apps.com*, True -*.practica-simulata.ro*, True -*.practicehost.com*, True -*.practiceinnovations.com.au*, True -*.pradaweb.ch*, True -*.pradeepkafle.com.np*, True -*.pradocompany.ru*, True -*.pradol.cl*, True -*.praescire.org*, True -*.prafisakti.cf*, True -*.pragti.ch*, True -*.praia.com.au*, True -*.praiasdoporto.pt*, True -*.praile.eu*, True -*.praisejeeb.us*, True -*.praisepower.org*, True -*.prajeala.ro*, True -*.prakashghimire.com.np*, True -*.prakashsubedi.com.np*, True -*.prakashtiwari.com.np*, True -*.praklitim.net*, True -*.prakritideuja.com*, True -*.praksd.com*, True -*.praksis.com.my*, True -*.pralhadshrestha.com.np*, True -*.prambonwap.org*, True -*.prambors.tk*, True -*.pranagdata.in*, True -*.pranavfacts.com*, True -*.pranayama.cl*, True -*.pranic.co.za*, True -*.pranith.org*, True -*.prantojon.com*, True -*.prantojonmedia.com*, True -*.prantojonnews24.com*, True -*.prantojonsangbad.com*, True -*.pranzulsanatos.ro*, True -*.prapanca.net*, True -*.prapasca.com*, True -*.pr-arq.com.ar*, True -*.prasaja.web.id*, True -*.prasasti.web.id*, True -*.prasbharapolresbojonegoro.or.id*, True -*.prasetyo.us*, True -*.prashanticomputer.com.np*, True -*.prashantyogaschool.com.ar*, True -*.prasiddharanabhat.com*, True -*.prasojo.xyz*, True -*.prasp50.tk*, True -*.prast.web.id*, True -*.prasx.net*, True -*.pratamainspira.com*, True -*.pratama.us*, True -*.prateeksha.se*, True -*.prateektrading.com*, True -*.prater.ca*, True -*.pratikpatel.in*, True -*.pratik-poudel.com.np*, True -*.pratkarahaksi.fi*, True -*.pratneker.si*, True -*.pratodacasa.pt*, True -*.pratransbordar.com.br*, True -*.pravakarluitel.com.np*, True -*.pravdabeslana.ru*, True -*.pravindeo.com.np*, True -*.pravisani.it*, True -*.pravovid.com*, True -*.prawes.com.np*, True -*.praweshpathak.com.np*, True -*.prawnburrito.com*, True -*.prawokolejowe.eu*, True -*.praxarchy.us*, True -*.praxino.net*, True -*.praxishaenggi.ch*, True -*.praxisinvco.com*, True -*.praxislangmeier.ch*, True -*.praxis-natur.ch*, True -*.praxisportal.org*, True -*.praxis.pt*, True -*.praxis-p-zurlinden.ch*, True -*.praxis-schmerz.ch*, True -*.praxis-solutions.asia*, True -*.praxistech.gr*, True -*.prayerbook.com.au*, True -*.prayerforworldpeace.com*, True -*.prayforcities.co.id*, True -*.prayforcities.com*, True -*.prayforcities.org*, True -*.prayforcities.or.id*, True -*.prazerdiario.com*, True -*.prazerdiario.com.br*, True -*.prbluechip.com*, True -*.prchongkong.com*, True -*.prdforster.com.au*, True -*.preblecountyesc.com*, True -*.preblecountyesc.net*, True -*.prebot.org*, True -*.precedo.com.ar*, True -*.preciodigital.com*, True -*.precioenergia.com*, True -*.precio.ro*, True -*.preciouslittlegem.com*, True -*.preciousresources.com*, True -*.precisioncontractorsllctn.com*, True -*.precisionemailwebmarketing.com*, True -*.precorparts.com*, True -*.predator1550.ru*, True -*.predb.cz*, True -*.predial.cl*, True -*.prediccionmaritima.es*, True -*.predictivecallcenter.com*, True -*.predictivecallcenter.it*, True -*.predictivecallcenter.ro*, True -*.predictivedialer.hk*, True -*.predictlabs.tk*, True -*.prediksitogelsgp.net*, True -*.predplacnik.si*, True -*.predtech.su*, True -*.pree.cl*, True -*.preenom.gq*, True -*.preenom.tk*, True -*.prefect.net*, True -*.prefecturaolt.ro*, True -*.preferance.hu*, True -*.prefin.cl*, True -*.pregatire.ro*, True -*.pregnantmoms.tk*, True -*.preguicamental.com*, True -*.preguntaalpsicologo.cl*, True -*.prehranskadopolnila.si*, True -*.prehranski-dodatki.si*, True -*.preis-land.ch*, True -*.prekaljen-jezik.si*, True -*.preking.com*, True -*.prelabs.net*, True -*.preludeapps.com*, True -*.prelux.ru*, True -*.prem2-ekb.ru*, True -*.premacharya.com.np*, True -*.preman.co.za*, True -*.prematurforeningen.se*, True -*.prembun.com*, True -*.prembun.info*, True -*.prembun.net*, True -*.prembun.org*, True -*.premedia.in*, True -*.premergatoare-copii.ro*, True -*.premiados.com*, True -*.premierleagueassists.com*, True -*.premierleagueassists.hk*, True -*.premierleaguepoints.com*, True -*.premierleaguepoints.hk*, True -*.premierloc.com.br*, True -*.premierphysicianservices.com*, True -*.preming.si*, True -*.premioscita.com.ar*, True -*.premis.ro*, True -*.premiulpeloc.ro*, True -*.premiumdb.com.au*, True -*.premiumdb.net.au*, True -*.premiumdesignerbrands.com*, True -*.premiumdesignerbrands.com.au*, True -*.premiumdesignerbrands.net.au*, True -*.premiumlinks.ru*, True -*.premium.net.au*, True -*.premium-ovpn.tk*, True -*.premiumpaints.mx*, True -*.premiumpro.co.za*, True -*.premium.ro*, True -*.premiumservers.eu*, True -*.premiumsexy.com*, True -*.premiumsexy.com.br*, True -*.premium-tv.biz*, True -*.premo.com.mx*, True -*.premraj.org*, True -*.prendasinge.com.ar*, True -*.prendiloccasione.it*, True -*.prenosniki.net*, True -*.prenotare.net*, True -*.prensadigital.com*, True -*.prentul.com*, True -*.prepaid.sg*, True -*.prepaidtoneexcel.my*, True -*.prepareuran.us*, True -*.preparty.lt*, True -*.prepopotamus.com*, True -*.presapescurt.ro*, True -*.preschool-finder.net*, True -*.prescottirissociety.org*, True -*.presenceapp.net*, True -*.present-dv.ru*, True -*.presentedobebe.com.br*, True -*.presentes.tk*, True -*.presentme.co.uk*, True -*.present-rc.ru*, True -*.preshopping.net*, True -*.presidentclub.ro*, True -*.presidenthost.tk*, True -*.presidentialinvestments.com*, True -*.presjar.com*, True -*.presleytx.com*, True -*.presmachina.com*, True -*.prespim.cz*, True -*.pressedienst-argus.de*, True -*.pressing-mont-blanc.ch*, True -*.pressnet.ro*, True -*.presso-press.net*, True -*.pressurizacaodeescada.com.br*, True -*.pressurizacaodeescadas.com.br*, True -*.prestamodules.info*, True -*.prestamoempresarial.mx*, True -*.prestamoempresarialoportuno.com.mx*, True -*.prestamos-adelantos.com.ar*, True -*.prestamos-dinero.com.ar*, True -*.prestamosnova.com.ar*, True -*.prestigeclub.hk*, True -*.prestigeroofing.ca*, True -*.prestigeused.co.za*, True -*.prestigeusedtrucks.co.za*, True -*.prestigeww.net.au*, True -*.prestigio.cl*, True -*.prestilworld.com*, True -*.prestomax.com.br*, True -*.prestonmotorsport.club*, True -*.prestonmotorsport.co.uk*, True -*.prestonparktuition.co.uk*, True -*.pretor.es*, True -*.pretorian.com.ar*, True -*.pret.ro*, True -*.prettop.com*, True -*.prettygiulienne.ro*, True -*.prettypedestrian.com*, True -*.prettysmallbakery.com.my*, True -*.pretty-smile.tw*, True -*.prettythaibrand.com*, True -*.prettyweak.com*, True -*.pretulmeu.ro*, True -*.preumnoj.ru*, True -*.prevagenreview.com*, True -*.prevemseguros.com*, True -*.prevemseguros.com.mx*, True -*.prevemseguros.mx*, True -*.prevencao.org.br*, True -*.prevencionderiesgosymedioambiente.cl*, True -*.prevenciononline.cl*, True -*.prevodteksta.net*, True -*.prevoice.net*, True -*.preymnoj.ru*, True -*.preys.nl*, True -*.prez.net*, True -*.prezzoinsconto.it*, True -*.prezzotrasloco.it*, True -*.prgamevn.com*, True -*.prglab.com.ar*, True -*.pr-gm.com*, True -*.prhsnhs.ml*, True -*.pria.asia*, True -*.priamaakcia.sk*, True -*.priatna.com*, True -*.pribon.com*, True -*.priboy.biz*, True -*.pricaona.info*, True -*.pricebill.com*, True -*.priceguide.sg*, True -*.pricelaptop.ga*, True -*.pricemonitor.com.br*, True -*.pricemonkey.ca*, True -*.pricenepal.com*, True -*.priceone.com*, True -*.pricezone.tw*, True -*.prichard.info*, True -*.prichard.tk*, True -*.prichernomore.ru*, True -*.prickindel.ro*, True -*.pricootan.com*, True -*.pride01.com*, True -*.pridem.com.mx*, True -*.pridetobe.ru*, True -*.pridone.ru*, True -*.priistas.com*, True -*.prijs-zonnepanelen-alkmaar.nl*, True -*.prilov.cl*, True -*.primacred.com.br*, True -*.primadinalestari.com*, True -*.primalens.com.ar*, True -*.primalex.net*, True -*.primalnews.com*, True -*.primamuebles.cl*, True -*.prima-news.ro*, True -*.primapackages.com*, True -*.primaperkasagroup.com*, True -*.prima-pet.com*, True -*.prima-pets.com*, True -*.primariacernica.ro*, True -*.primaria-domnesti.ro*, True -*.primariamarasu.ro*, True -*.primaria-navodari.ro*, True -*.primariapischia.ro*, True -*.primariaromanu.ro*, True -*.primariatichilesti.ro*, True -*.primark.gq*, True -*.primasejahtera.cf*, True -*.primatatadaya.co.id*, True -*.primatechange.com*, True -*.primatemind.info*, True -*.primavera.hk*, True -*.primavisi.net*, True -*.primavision.com.ar*, True -*.prime8.net*, True -*.primeai.com*, True -*.primecitigroup.in*, True -*.primecorpbc.ca*, True -*.primedt.tk*, True -*.primeent.in*, True -*.primeflk.ch*, True -*.primegames.co.uk*, True -*.primeitskills.co.uk*, True -*.primelocadora.com*, True -*.primenetworksolutions.com*, True -*.primeops.net*, True -*.primepowerqld.com.au*, True -*.primerolagente.com.ar*, True -*.primesieve.com*, True -*.primesoftwaresystems.com.au*, True -*.primetimeserver.com*, True -*.primevaledge.com.au*, True -*.primidea.cl*, True -*.priming.com.br*, True -*.primitives.lv*, True -*.primolution.com*, True -*.primper.com.ar*, True -*.prims-kitchen.com.au*, True -*.primskitchen.com.au*, True -*.primulpasincarierata.ro*, True -*.primusschool.in*, True -*.primusschool.info*, True -*.primusschool.net*, True -*.primusschool.org*, True -*.primus-technology.com*, True -*.princ3ss.tk*, True -*.prince-d-egypte.ch*, True -*.princenas.com*, True -*.princeofnewyork.com*, True -*.princesaleia.cl*, True -*.princesinhafm.com.br*, True -*.princess-distribution.ro*, True -*.princesshairstyling.co.uk*, True -*.princesska.tk*, True -*.princesskhaznah99.tk*, True -*.princessmomo.com*, True -*.princessofworlds.com*, True -*.princessorganic.co.uk*, True -*.princetenis.com.tr*, True -*.princetonamg.com*, True -*.princetoncycling.com*, True -*.princeton.hm*, True -*.princetontrans.com*, True -*.princett.com*, True -*.princewzj.com*, True -*.principioscosmicos.com.br*, True -*.principletrust.com.au*, True -*.prinde-ma.ro*, True -*.pringy.com*, True -*.prink.md*, True -*.prink.ro*, True -*.prins.org.za*, True -*.printablefreebookmarks.com*, True -*.printablegridpaper.net*, True -*.printablehappybirthdaysigns.com*, True -*.printablekohlcoupons.net*, True -*.printablemapofusa.net*, True -*.printablewordpuzzles.net*, True -*.print-bird.com*, True -*.printcorporation.com.au*, True -*.printecgroup.biz*, True -*.printerbuddy.com*, True -*.printerphotobooth.com*, True -*.printers101.info*, True -*.printgraphicsdisplays.com*, True -*.printgraphicsdisplays.com.au*, True -*.printgraphics.tv*, True -*.print-land.ch*, True -*.printochka.ru*, True -*.printpop.biz*, True -*.printpop.ca*, True -*.printpopcustom.com*, True -*.printpop.in*, True -*.printpop.info*, True -*.printpop.net*, True -*.printpop.org*, True -*.printpop.tv*, True -*.printpop.us*, True -*.printshopforsale.net*, True -*.printshopsforsale.net*, True -*.printslim.com*, True -*.printstation.com.ve*, True -*.printsys.tk*, True -*.print-tek.ru*, True -*.print-time.net*, True -*.printview.com.ar*, True -*.prioanch.ro*, True -*.priorityleadership.com*, True -*.prior.tk*, True -*.prirodnisapuni.com*, True -*.priscachristina.com*, True -*.prismacatania.it*, True -*.prisma.cc*, True -*.prismaintelek.com*, True -*.prismalek.se*, True -*.prisma-soluciones.com.ar*, True -*.prismast.com.ar*, True -*.prism.gq*, True -*.prisock.net*, True -*.prisoftware.tk*, True -*.prisonland.com*, True -*.prisqo.co.za*, True -*.pristavakin.ru*, True -*.pristineauto.com.au*, True -*.pristinegraphene.com*, True -*.pristytools.com*, True -*.pritchard.org.au*, True -*.pritchett.ca*, True -*.priteamo.com.ar*, True -*.pritrznik.si*, True -*.pritta.net*, True -*.privaatti.net*, True -*.privacea.de*, True -*.privacip.com*, True -*.privacy.gq*, True -*.privare.net*, True -*.privatariatucana.org*, True -*.privatastra.sk*, True -*.privat-com.ru*, True -*.privatecloud.co.za*, True -*.privatecode.net*, True -*.privatedns.org*, True -*.privatedns.us*, True -*.private-economy.ru*, True -*.privatefitness.ch*, True -*.privategame.tk*, True -*.privateimport.jp*, True -*.privatelabellab.com.au*, True -*.privateonlinegaming.com*, True -*.privateprobation.com*, True -*.privateqa.com*, True -*.private-server.in*, True -*.privatesewer.com*, True -*.private-shop.co*, True -*.privatetorrent.org*, True -*.private-tracker.net*, True -*.privatex.org*, True -*.privat.gq*, True -*.privatlaerer.no*, True -*.privat-server.net*, True -*.privat-zapisi.ru*, True -*.privcheck.com*, True -*.privchecker.com*, True -*.privet.com.ar*, True -*.privilegeba.com*, True -*.privnet.se*, True -*.privus.pt*, True -*.privyet.me*, True -*.prixjeunesse.ch*, True -*.prizechecker.si*, True -*.prizehunter.ru*, True -*.pr-j.com*, True -*.prkl.org*, True -*.prmaholdings.com*, True -*.pro-2ti.com*, True -*.pro3vizion.net*, True -*.pro4nl.com*, True -*.proactive-technologies.com*, True -*.proalife.com*, True -*.proambiental.cl*, True -*.proarch.si*, True -*.proarq-arg.com.ar*, True -*.pro-arsenal.ru*, True -*.proaseotm.cl*, True -*.proatvmotorsports.com.ar*, True -*.proaud.com*, True -*.pro-automation.com*, True -*.proavantaj.ro*, True -*.probando.cl*, True -*.probe.ga*, True -*.probegauto.ru*, True -*.probill.info*, True -*.probio.tk*, True -*.problem-gambler-assessment.com*, True -*.pro-blister.ru*, True -*.problister.ru*, True -*.procare.co.id*, True -*.procemensa.com.ar*, True -*.processor-news.ru*, True -*.procetic.cl*, True -*.prociclism.ro*, True -*.proclaimamerica.net*, True -*.procleanhk.com*, True -*.procleanoxford.co.uk*, True -*.proclick.se*, True -*.procnator.com.my*, True -*.procode.cn*, True -*.procoin.cl*, True -*.procomputers.ro*, True -*.proconselectric.ro*, True -*.procon-water.com*, True -*.procopiodecarvalho.com.br*, True -*.procredits.info*, True -*.procself.info*, True -*.procureauto.com.br*, True -*.procureautos.com.br*, True -*.prodanov.biz*, True -*.prodcert.org*, True -*.prodcombilc.ro*, True -*.prodea.ru*, True -*.prodigyhomebuyers.com*, True -*.prodigyrenttoown.com*, True -*.prodigy-salud.com.ar*, True -*.prod-intl.com*, True -*.prodistedutama.com*, True -*.prodonis.com*, True -*.producatorflorava.ro*, True -*.produccion.cl*, True -*.produccionesfas.com.ar*, True -*.produccioneslachamana.com*, True -*.produccionesmsv.cl*, True -*.produceimportsolutions.com*, True -*.productionstempo.com*, True -*.productoselectricos.es*, True -*.productoselectricosindustriales.es*, True -*.productosplin.com.ar*, True -*.productsconnect.com*, True -*.productzz.net*, True -*.produk-ukm.com*, True -*.produsenkapalspeedboat.tk*, True -*.produsensarungtangan.com*, True -*.produsentongsampah.com*, True -*.produsentrafo.com*, True -*.produsin.ro*, True -*.produsunic.ro*, True -*.produtierra.com.ar*, True -*.prodxr.com*, True -*.proefis.de*, True -*.pro-electric.co.il*, True -*.proelectro-trm.ro*, True -*.proest.com.au*, True -*.proesteticmag.ro*, True -*.proest.net.au*, True -*.proevenimente.ro*, True -*.proexcelsports.co.za*, True -*.profane.in*, True -*.profcan.ro*, True -*.profdrakmfazlulhaque.com*, True -*.profearauco.cl*, True -*.profectum.pl*, True -*.profemin.ro*, True -*.profesionalescomunistas.cl*, True -*.profesorgeo.com.ve*, True -*.profesorlupa.com.ar*, True -*.profesoryas.org*, True -*.profess.ch*, True -*.profession.al*, True -*.professionalarms.com*, True -*.professionalcatering.com.au*, True -*.professionalconcepts.net*, True -*.professionalconcepts.org*, True -*.professionaldent.ro*, True -*.professional-power.ro*, True -*.professionalproducts.co.za*, True -*.professionalropeaccess.com.au*, True -*.professionaltrainingresourcesinc.com*, True -*.professione-telemarketer.it*, True -*.professorcafe.com*, True -*.professorsclinik.com*, True -*.profesyonel.com*, True -*.profesyonel.com.tr*, True -*.profesys.com.ar*, True -*.profete.ch*, True -*.profex.ro*, True -*.proficionetworks.com*, True -*.profil-brodyr.com*, True -*.profil-bud.com*, True -*.profildeco.ro*, True -*.profile-amprentate-fier-forjat.ro*, True -*.profile-id.pw*, True -*.profinet.ro*, True -*.profitlight.ru*, True -*.profitmaker.ru*, True -*.profit.sg*, True -*.profittelecom.ru*, True -*.profittrackersoftware.com*, True -*.proflist.co.za*, True -*.profloresta.com.br*, True -*.proflorists.co.za*, True -*.profobr-udm.ru*, True -*.proforms.my*, True -*.profoundbeauty.co.za*, True -*.profpodgotovka.ru*, True -*.proftel.cl*, True -*.profudegeogra.eu*, True -*.profumiscontati.it*, True -*.profx.net*, True -*.progete.com.br*, True -*.progitechdm.net*, True -*.progizmo.biz*, True -*.prog.org.ru*, True -*.progoz.ru*, True -*.progr.am*, True -*.programa-desarrollo-laboral.cl*, True -*.programadescarteconsciente.com.br*, True -*.programador.in*, True -*.programagol.cl*, True -*.programatorul.eu*, True -*.programedia.org*, True -*.programel.ro*, True -*.program-gestiune.ro*, True -*.programmerally.com*, True -*.programmerjake.cf*, True -*.programmingmappoint.net*, True -*.programsareproofs.com*, True -*.progresconstruct.ro*, True -*.progressioncs.com*, True -*.progressivecongressnews.org*, True -*.progresys.jp*, True -*.progsis.com.ar*, True -*.prohentai.net*, True -*.proheroeyewear.com*, True -*.prohostinghub.com*, True -*.prohostsp.com*, True -*.proiectapsiped.ro*, True -*.proiect-arad.ro*, True -*.proiect-arhitectura.ro*, True -*.proiect-medas.ro*, True -*.proiect-pace.ro*, True -*.proiectul-venus.ro*, True -*.proiectul-x.eu*, True -*.proimageandsupply.com*, True -*.proinversa.com*, True -*.pro-j.ch*, True -*.project20million.org*, True -*.project-2501.com*, True -*.projectalal.com*, True -*.project-alicebob.org*, True -*.projectart.cl*, True -*.projectbaconx.com*, True -*.projectcopter.ch*, True -*.projectcrash.net*, True -*.projectdata.ch*, True -*.projectdev.net*, True -*.project-eva.com*, True -*.projecteve.tk*, True -*.projectfallout.net*, True -*.projectfoodchain.org*, True -*.project-friends.com*, True -*.projectina.ch*, True -*.projectisizwe.com*, True -*.projectivegame.com*, True -*.projectkaname.com*, True -*.projectkutani.com*, True -*.project-lan.com*, True -*.project.li*, True -*.project-mind.info*, True -*.projectmori.com*, True -*.projectorcontrol.com*, True -*.projectorpsa.co.za*, True -*.projectos3d.com*, True -*.projectosmultimedia.com*, True -*.projectothree.com*, True -*.projectphoto.ch*, True -*.projectphoto.lu*, True -*.projectpoint.ca*, True -*.projectpolaris.eu*, True -*.projectrhyme.com*, True -*.projectsafety.be*, True -*.projectsamsara.com*, True -*.projectscaredmonkey.com*, True -*.projectsioux.com*, True -*.project-skyline.org*, True -*.projectsmanaged.com.au*, True -*.projectsolaris.com*, True -*.projects-on.info*, True -*.projecttsn.com*, True -*.projectucon.ch*, True -*.projectus-grupa.hr*, True -*.projectwall.net*, True -*.projectworksgroup.com*, True -*.projectww.cn*, True -*.projectzone.web.id*, True -*.projekt-optimum.ro*, True -*.projektybudowlane.tk*, True -*.projemerkezi.org*, True -*.projesul-itj.com.br*, True -*.projetoliberilibris.com.br*, True -*.projetoportaltv.com.br*, True -*.projetos3d.com*, True -*.projetos3d.pt*, True -*.projetotecsis.com.br*, True -*.projexe.co.za*, True -*.pro-jura.ch*, True -*.prokator.pro*, True -*.prokher.org*, True -*.prokher.pro*, True -*.prokher.ru*, True -*.prokinetics.com.br*, True -*.prokofjevs.lv*, True -*.prokol-master.ru*, True -*.proksi.ml*, True -*.prokyon.tk*, True -*.prolasa.cl*, True -*.prolaser.info*, True -*.proleadersacademy.com*, True -*.prolemn.com*, True -*.prolemn.ro*, True -*.prolimit.cl*, True -*.prolixeserver.com*, True -*.promaco.ro*, True -*.promailmarket.eu*, True -*.promapcorp.com*, True -*.promar.info*, True -*.promash.cl*, True -*.promasys.net*, True -*.promatcon.com*, True -*.promdeso.cl*, True -*.promedicalar.com*, True -*.promedika.cl*, True -*.promeint.mx*, True -*.promem.ro*, True -*.promesa.com.tr*, True -*.prometheussystems.ml*, True -*.promet-it.ru*, True -*.pro-mic.com*, True -*.promindogroup.com*, True -*.promindomakmur.com*, True -*.promixconcreto.com*, True -*.promkomb.com*, True -*.promline.org*, True -*.promo499.com*, True -*.promoanvelope.ro*, True -*.promo-blaster.com*, True -*.promobrand.pt*, True -*.promobrinde.pt*, True -*.promochain.ro*, True -*.promocionaya.cl*, True -*.promocionsrustiques.com*, True -*.promohub.ro*, True -*.promokristik.web.id*, True -*.promosposadas.com.ar*, True -*.promotie-rca.ro*, True -*.promotierca.ro*, True -*.promotion.hk*, True -*.promotionhk.com*, True -*.promotionshk.com*, True -*.promotionworld.ro*, True -*.promotoyotamurah.com*, True -*.promo-toyota-surabaya.com*, True -*.promoturi.com*, True -*.promovarebisericisecxix-xxtargoviste.ro*, True -*.promovarebisericisecxvitargoviste.ro*, True -*.promovendus.org*, True -*.promptcomputer.ch*, True -*.promptrans.com*, True -*.pronetaustralia.com.au*, True -*.pronetba.com.ar*, True -*.pronethealthpr.com*, True -*.proneti.com*, True -*.prone.tk*, True -*.pronetscorp.com*, True -*.pronor.com.br*, True -*.pronosticsportiv.tk*, True -*.pro-notify.com*, True -*.pro-notify.net*, True -*.pronps.com.br*, True -*.prontofinancial.com*, True -*.prontoviajes.com.ar*, True -*.prontoviajes.tur.ar*, True -*.proofassistant.ml*, True -*.proofform.com*, True -*.proofyourstuff.com*, True -*.proovd.com*, True -*.prop360.hk*, True -*.propalcabo.com*, True -*.pro-panel.net*, True -*.propatotest.com.ar*, True -*.propavaje.ro*, True -*.properjob.com.au*, True -*.propermattitude.com*, True -*.properportugal.co.uk*, True -*.propersold.com*, True -*.properspickle.com*, True -*.propertan.ro*, True -*.properti.cf*, True -*.propertybroker.com.au*, True -*.propertybusinessacademy.com*, True -*.propertycloud.com.my*, True -*.propertycomment.com*, True -*.propertymanagementsunbury.com*, True -*.propertymanagementsunbury.com.au*, True -*.propertynetwork.com.au*, True -*.propertynetworksalisbury.com.au*, True -*.propertynhomes.com*, True -*.propertynhomes.co.uk*, True -*.propertypartners.cl*, True -*.propertyplus.pl*, True -*.propertyshots.com*, True -*.propertyshots.net*, True -*.propertywanted.co.uk*, True -*.propharma.co.id*, True -*.prophetconsulting.net*, True -*.propheticsky.net*, True -*.prophet-tech.com*, True -*.prophotoexpress.com*, True -*.propicius.com*, True -*.propiedadesamoretti.com.ar*, True -*.propiedadesespinosa.com.ar*, True -*.propiedades.tk*, True -*.propiedadestk.cl*, True -*.propiedadesureta.cl*, True -*.pro-piping.cl*, True -*.propona.net*, True -*.proposition.com.au*, True -*.proprius.ca*, True -*.proproject.com.au*, True -*.proproject.net.au*, True -*.propsanluis.com.ar*, True -*.props.org*, True -*.proquest-west.com*, True -*.proquimin.cl*, True -*.proracquetsports.com.au*, True -*.pro-rang.si*, True -*.prorang.si*, True -*.proreccoracing.it*, True -*.prosatiptv.com*, True -*.prosblue.com*, True -*.proscaronline.com*, True -*.proscraft.ml*, True -*.prosemail.net*, True -*.proseowriting.com*, True -*.pro-server.biz*, True -*.prosex.co.il*, True -*.prosharetest.com*, True -*.proslotcars.pt*, True -*.prosmar.com.ar*, True -*.prosoftbv.ro*, True -*.prosoftgrup.ro*, True -*.prosopopeya.com*, True -*.prospekt38.ru*, True -*.prospere.kiwi.nz*, True -*.prospertrack.tk*, True -*.prostatsl.com*, True -*.prosthesisproject.com*, True -*.prosto-chestno.ru*, True -*.prosto-porno.net*, True -*.prostore.ru*, True -*.prostupllc.com*, True -*.prosuspension.com.ar*, True -*.prosysgrup.ro*, True -*.protcat.com.ar*, True -*.proteccioncelular.com.mx*, True -*.protechcoolingtowers.com*, True -*.protechmedlab.com*, True -*.protechserviceindonesia.com*, True -*.protechsi.com.ar*, True -*.protecno.com.ve*, True -*.protectedtech.co*, True -*.protectiamuncii-tm.ro*, True -*.protection.ga*, True -*.protectlink.ga*, True -*.protectmymetadata.com*, True -*.protectmymetadata.com.au*, True -*.protect.ru*, True -*.protegeteucoracao.com.br*, True -*.protegetucorazon.com.br*, True -*.proteinq.com.ar*, True -*.protelecon.com*, True -*.protelindo.co.id*, True -*.protelindo.net*, True -*.protenic.hu*, True -*.proteomics2.com*, True -*.proteo.net*, True -*.protestanten.com*, True -*.protesti.tv*, True -*.protex-systems.ch*, True -*.protexto.com.br*, True -*.protezionecivilefiesso.it*, True -*.protezionecivilenazionale.it*, True -*.prothesesdentairestousservice.ch*, True -*.protimo.gr*, True -*.protis.biz*, True -*.protocultura.net*, True -*.protogrid.ch*, True -*.protokoly.ru*, True -*.protoman.org*, True -*.protonail.com*, True -*.protonail.ru*, True -*.protona.ru*, True -*.protonclub.net*, True -*.protonet.gr*, True -*.protonode.com*, True -*.protopopiatulrupea.ro*, True -*.prototypethis.org*, True -*.protractive.com.au*, True -*.proudlydigital.com*, True -*.proudlydigital.co.za*, True -*.proudtopostit.com*, True -*.prou.st*, True -*.prout.org.uk*, True -*.provectusdsi.ca*, True -*.provectusdsi.com*, True -*.provedorcerto.com.br*, True -*.provelopers.net*, True -*.provendors.com.au*, True -*.provengim.ru*, True -*.provenra.com.ve*, True -*.proverbioweb.com.ar*, True -*.provice.co.uk*, True -*.provide500.com*, True -*.providencedevelopments.com*, True -*.provideo.cl*, True -*.provider.cf*, True -*.proville.ro*, True -*.provinciasunidas.com*, True -*.provisional.ca*, True -*.proviz3d.com*, True -*.provogunclub.com*, True -*.prowit.net*, True -*.proxeos.org*, True -*.proxime.im*, True -*.proxime.mx*, True -*.proxime.so*, True -*.proximity-graphics.ro*, True -*.proximusnext.com*, True -*.proxize.com*, True -*.proxmov.tk*, True -*.proxydns.co.uk*, True -*.proxygem.com*, True -*.proxy-insorg.org*, True -*.proxypromotion.com*, True -*.proxyxxnx.tk*, True -*.proxyz.biz*, True -*.proy3ct.com*, True -*.proy3ct.com.ve*, True -*.proyecta.ec*, True -*.proyectaestudio.com*, True -*.proyectoc.com.ar*, True -*.proyectociencia.org*, True -*.proyectodaedalus.com*, True -*.proyectoelremanso.cl*, True -*.proyectolobo.com.ar*, True -*.proyecto-nsd.com.ar*, True -*.proyectoportal.es*, True -*.proyectosahorroaire.com.ar*, True -*.proyectosjo.com*, True -*.proyectouvamerseguera.com*, True -*.proyounghk.com*, True -*.prozacmom.com*, True -*.prppedro.net.br*, True -*.pr-rp.net*, True -*.prs7.org*, True -*.prsrl.com.ar*, True -*.prt-amromeka.si*, True -*.prt-argentina.org*, True -*.prt-argentina.org.ar*, True -*.prtscn.me*, True -*.prudhvi.org*, True -*.pruebasdeconcepto.com.ar*, True -*.pruebasidt.tk*, True -*.prueba.xyz*, True -*.pruiett.me*, True -*.prujem.cz*, True -*.prunci.ro*, True -*.prunuspersica.net*, True -*.pruparagon-group.co.uk*, True -*.prusik.com.br*, True -*.prvca.eu*, True -*.prvjt.com*, True -*.pryanik.tk*, True -*.prym.cl*, True -*.pryorda.net*, True -*.pryorlees.com.au*, True -*.przeciwpozarowedrzwi.pl*, True -*.przedsiebie.net*, True -*.przegrodyogniowe.pl*, True -*.przemas.one.pl*, True -*.przybyla.one.pl*, True -*.przybylo.pl*, True -*.ps18.nl*, True -*.ps2bi.net*, True -*.ps3101462005.org*, True -*.ps3linux.eu*, True -*.ps48.cf*, True -*.psa66.com*, True -*.psa77.com*, True -*.psa84.com*, True -*.ps.ai*, True -*.psaltebrown.com.ar*, True -*.psamson.com*, True -*.psamson.org*, True -*.psanroquems.com.ar*, True -*.psarna.si*, True -*.psasm.biz*, True -*.pscenergy.com*, True -*.psco24.ir*, True -*.psconnect.me*, True -*.psctv1.com*, True -*.psdbpg.com.br*, True -*.pserveri.tk*, True -*.pservice.com.ru*, True -*.pseudocat.com*, True -*.pseudo-me.com*, True -*.pseudo.net.nz*, True -*.psher.com*, True -*.psia-ak.org*, True -*.psicoarmonia.cl*, True -*.psicofut.com*, True -*.psicologasaopaulo.com.br*, True -*.psicologiaeficaz.cl*, True -*.psicologobolzano.it*, True -*.psiconutro.com.br*, True -*.psicopedagogiainfantil.cl*, True -*.psicoterapiaestrategica.cl*, True -*.psicoterapieroma.it*, True -*.psiecology.com*, True -*.psifas.ml*, True -*.psihiatrija.si*, True -*.psihoactive.ro*, True -*.psihoanalizelatvija.lv*, True -*.psihopractika.ru*, True -*.psihosoft.com*, True -*.psilink.net*, True -*.psillos.gr*, True -*.psilonux.tk*, True -*.psimon.ca*, True -*.psinergybbs.com*, True -*.psi-net.net*, True -*.psinet.pw*, True -*.psionicsystems.com*, True -*.psio.org*, True -*.psjump.com*, True -*.psk-tepliydom.ru*, True -*.psl1ght.ru*, True -*.pslu.org*, True -*.psmcavalleggeridifabro.it*, True -*.psmlcloud.com*, True -*.psmorgan.co.uk*, True -*.psobject.com*, True -*.psole.com*, True -*.psoriasisanddiet.com*, True -*.psoriasiscure.nl*, True -*.psotc.org*, True -*.psotnic.org*, True -*.psotnic.tk*, True -*.pspk.my*, True -*.psp-moscow.com*, True -*.psrcorp.net*, True -*.psre.tk*, True -*.psrn.ro*, True -*.pss33.com*, True -*.pss99.com*, True -*.pssase.ro*, True -*.pssmalaysia.com*, True -*.psso.org*, True -*.psuiza.com.ar*, True -*.psuje.net*, True -*.psuoffcampus.com*, True -*.psup.cf*, True -*.psuverbal.cl*, True -*.pswcommunities.com*, True -*.pswdallas.com*, True -*.psweeney.com*, True -*.pswii60.co.uk*, True -*.pswrealestate.com*, True -*.psxpal.co.uk*, True -*.psybnc.org*, True -*.psybnc.ro*, True -*.psychanalyse-bretagne.org*, True -*.psychedelic.ga*, True -*.psychedelicwarrior.com*, True -*.psychedelicwarrior.info*, True -*.psychedelicwarrior.mobi*, True -*.psychedelicwarrior.net*, True -*.psychedelicwarrior.org*, True -*.psychedelicwarrior.us*, True -*.psychiatrist.hk*, True -*.psychiatryonline.ca*, True -*.psychiatry.ru*, True -*.psychmedicinetexas.com*, True -*.psychmedicinetexas.net*, True -*.psycholife.ru*, True -*.psychologenpraktijk-voor-autisme.nl*, True -*.psychologenpraktijkvoorautisme.nl*, True -*.psychologist-houston.com*, True -*.psychology48.com*, True -*.psychologyconsult.ru*, True -*.psychology.org.il*, True -*.psychology-tutor.co.uk*, True -*.psychomonkeymusic.com*, True -*.psychos.is*, True -*.psycho.so*, True -*.psychotherapie-savory-fernandes.ch*, True -*.psychservices.net.au*, True -*.psy.cl*, True -*.psyder.org*, True -*.psykoanalyysi.fi*, True -*.psykologiainopulkka.fi*, True -*.psykonas.dk*, True -*.psylonet.com*, True -*.psyr.ru*, True -*.psysonic.us*, True -*.ptab.de*, True -*.ptaco.hk*, True -*.pta-eng.com*, True -*.pta-eng.ir*, True -*.pta-eng.net*, True -*.pta-eng.org*, True -*.ptarenateknik.com*, True -*.pt-atps.co.id*, True -*.ptbag.co.id*, True -*.ptbmm.com*, True -*.ptbox.org*, True -*.ptbtm.com*, True -*.pt-cgm.com*, True -*.ptchat.net*, True -*.ptckin.gq*, True -*.pt-cmp.co.id*, True -*.ptdada.cf*, True -*.ptdada.tk*, True -*.pt-dsm.com*, True -*.pterodyne.com*, True -*.pterodyne.net*, True -*.pterodyne.org*, True -*.pt-gourmet.com*, True -*.ptguard.com.ar*, True -*.pti-architects.com*, True -*.ptica.net*, True -*.pti-interiors.com*, True -*.ptindomarine.com*, True -*.ptitgivre.be*, True -*.ptkautoservices.com*, True -*.ptkhalista.co.id*, True -*.ptkms.net*, True -*.ptkonsulterna.se*, True -*.ptl.cl*, True -*.ptlhsolutions.com*, True -*.ptmitraabadi.com*, True -*.ptmr1.in*, True -*.ptmts.co.id*, True -*.ptngi.co.id*, True -*.ptngi.com*, True -*.ptpapertan.com*, True -*.ptpnagar.com*, True -*.ptrace.su*, True -*.ptr.co.za*, True -*.ptrol.com.ar*, True -*.ptsatubolagemilang.com*, True -*.ptsinarsuria.com*, True -*.ptsites.info*, True -*.ptsmm.com*, True -*.ptsmn.co.id*, True -*.ptspae.com*, True -*.ptspektr.ru*, True -*.pt-s.ru*, True -*.ptstarindo.com*, True -*.ptsupport.net.au*, True -*.pttanja.fi*, True -*.pttproject.com*, True -*.ptutor.tk*, True -*.ptuui.com*, True -*.ptvervoer.co.za*, True -*.ptysa.com.mx*, True -*.puasa.gq*, True -*.puasa.info*, True -*.puasa.net*, True -*.puas.cl*, True -*.pubb.ch*, True -*.pubbit.com*, True -*.pubcrawl.co*, True -*.pub-finnegans.ch*, True -*.pubfx.com*, True -*.pubfx.net*, True -*.pubiwayliker.com*, True -*.publi.ch*, True -*.public.hk*, True -*.publicidadsms.mx*, True -*.publicidadycomercio.cl*, True -*.publicitatea-ta.ro*, True -*.publiclol.com*, True -*.publicmain.com*, True -*.publicnameservers.com*, True -*.publico.ca*, True -*.publicqa.com*, True -*.publicrealty.org*, True -*.publicserviceclub.com*, True -*.publicwifi.pw*, True -*.publify.ir*, True -*.publikuli.de*, True -*.publinedita.pt*, True -*.publionline.com.ar*, True -*.publishconnect.com*, True -*.pubpatrol.com*, True -*.pubpoetry.com*, True -*.pubradius.com*, True -*.pubsadelaide.com.au*, True -*.pubserver.tk*, True -*.puchesistemas.com.ve*, True -*.puchko.ru*, True -*.puckingsweet.com*, True -*.puconparagliding.cl*, True -*.pudan-siregar.com*, True -*.puddak.com*, True -*.puddledub.org*, True -*.puddlehunters.net*, True -*.pudim.info*, True -*.pueblobarber.com*, True -*.pueblosbarriosycoloniasendefensadeatzcapotzalco.org*, True -*.puentelegales.com.ar*, True -*.puercoespin.com.mx*, True -*.puertadigital.com*, True -*.puertolopez.info*, True -*.puertosorrento.com.ar*, True -*.pueyrredonrepuestos.com.ar*, True -*.pufa.co*, True -*.puffballofevil.com*, True -*.puffer.it*, True -*.pugachevsk.ru*, True -*.pug.com.my*, True -*.pugli.ru*, True -*.pugspace.com*, True -*.pugyuru.com*, True -*.puhac.com*, True -*.puik.co.za*, True -*.pujasubastas.com*, True -*.pujdeme.cz*, True -*.pukeyourselfpretty.com*, True -*.pukkagen.com*, True -*.pukyu.ml*, True -*.pulaubatu.com*, True -*.pulauintan.com*, True -*.pulavacations.ro*, True -*.puleit.co.za*, True -*.puliamonoi.ch*, True -*.pulithara.in*, True -*.pulitopurse.com*, True -*.pulle.me*, True -*.pullingshots.ca*, True -*.pullingtubes.com*, True -*.pullishy.ca*, True -*.pullmannortesur.cl*, True -*.pulpitpointweather.com*, True -*.pulsa-anb.com*, True -*.pulsa-elektrik.web.id*, True -*.pulsa-murah.web.id*, True -*.pulsanyamurah.com*, True -*.pulsapalingmurah.com*, True -*.pulsappob.org*, True -*.pulsapteka.com*, True -*.pulsareload.com*, True -*.pulsar-it.be*, True -*.pulsarits.com.ar*, True -*.pulsaritsolutions.com.ar*, True -*.pulsarplanet.com*, True -*.pulsar-systems.ro*, True -*.pulsaudio.ro*, True -*.pulsavto.ru*, True -*.pulsegate.net*, True -*.pulsegrp.in*, True -*.pulserifle.com*, True -*.pulsevet.co*, True -*.pulver-it.ch*, True -*.pulxo951.com.ar*, True -*.pulxo.com.ar*, True -*.pumateam.com.ar*, True -*.pumawifi.org*, True -*.pumkinpi.com*, True -*.pumpease.com.au*, True -*.pumpen-verteilergetriebe.com*, True -*.pumpkinpie.cf*, True -*.pumps-oil.com*, True -*.pumukygarden.com*, True -*.punatar.org*, True -*.punch.hk*, True -*.puncte-si-momente.ro*, True -*.punechka.net*, True -*.punit.in*, True -*.punkassgamers.com*, True -*.punk.dj*, True -*.punked.us*, True -*.punker.org*, True -*.punkoffice.com*, True -*.punkoffice.com.au*, True -*.punks.ro*, True -*.puntaeugenia.com.mx*, True -*.puntagordaurologist.com*, True -*.punto74.com.ar*, True -*.punto9.cl*, True -*.puntocumbre.com*, True -*.puntosicurezza.com*, True -*.puntosicurezza.it*, True -*.puntospronto.com.ve*, True -*.puntosyestampas.cl*, True -*.punyaarsega.com*, True -*.punyaku.web.id*, True -*.puopolo-ferronnerie.ch*, True -*.pup.co.za*, True -*.pupframe.org*, True -*.pupiracingteam.hu*, True -*.puppa.com.ar*, True -*.puppet-forum.com*, True -*.puppetkingdom.net*, True -*.puppet-place.com*, True -*.puppetpresident.com*, True -*.puppet-zone.com*, True -*.puppiesinapurse.com*, True -*.puppiesnearyou.com*, True -*.puppypoopiereport.com*, True -*.pupukalamraya.com*, True -*.pupus.name*, True -*.puputofficial.com*, True -*.puputs.com*, True -*.pupuya.cl*, True -*.puramiel.cl*, True -*.purapielweb.com*, True -*.purasca.ch*, True -*.purchashome.co.uk*, True -*.purdueieee.org*, True -*.purebuy.in*, True -*.puredna.cl*, True -*.puredrifter.com*, True -*.purejoycreative.com*, True -*.purelesque.com*, True -*.purelyforprofit.com*, True -*.puremagic.com.au*, True -*.pureofheartband.com*, True -*.puresales.ca*, True -*.puresammakorn.com*, True -*.pure-techs.com*, True -*.pure-vanilla.us*, True -*.purevitalitywebdesigns.com*, True -*.purge.ro*, True -*.purificadoreuropa.com.br*, True -*.purisafety.com*, True -*.purkinje.ml*, True -*.purkkapussi.com*, True -*.purnimafernando.com*, True -*.purnimafernando.com.au*, True -*.puroecuestre.com.ar*, True -*.purpleaki.com*, True -*.purplecctv.co.uk*, True -*.purplecloud.net.au*, True -*.purpledoggames.com*, True -*.purple-lin.com*, True -*.purple.one.pl*, True -*.purpleroomps.com*, True -*.purple-tentacle.de*, True -*.purpletentacle.de*, True -*.purpletreeonline.com.au*, True -*.purpureus.net*, True -*.purpureus.org*, True -*.pursuit-ims.co.za*, True -*.purwadi.web.id*, True -*.purwokerto.dj*, True -*.purwoko-edi.com*, True -*.purwoko-edi.net*, True -*.purwotm.com*, True -*.pusataksesoriskomputer.com*, True -*.pusatalatfitnes.com*, True -*.pusatalatsafety.com*, True -*.pusatanekagensetmurah.com*, True -*.pusatbatualamindonesia.com*, True -*.pusatbiji.com*, True -*.pusatbohlamled.com*, True -*.pusatbola.asia*, True -*.pusatbotolplastik.com*, True -*.pusatcompressorac.com*, True -*.pusatdownload.ga*, True -*.pusatexhaustfan.com*, True -*.pusatforklift.com*, True -*.pusatgame.net*, True -*.pusatgrosirgensetindonesia.com*, True -*.pusatinsulation.com*, True -*.pusatkuekering.com*, True -*.pusatlab.com*, True -*.pusatlampusorot.com*, True -*.pusat-manga.com*, True -*.pusatmarmer.com*, True -*.pusatpalletmesh.com*, True -*.pusatparfumoriginal.com*, True -*.pusatpintubesi.com*, True -*.pusatpompaindonesia.com*, True -*.pusatrakminimarket.com*, True -*.pusatrunningtext.com*, True -*.pusatscissorlift.com*, True -*.pusatsouvenirkaret.com*, True -*.pusatterpal.com*, True -*.pusatterpalmurah.com*, True -*.pusattopimurah.com*, True -*.pusattrafo.com*, True -*.pusattraining.tk*, True -*.puscifer.net*, True -*.pusheenbattle.net*, True -*.pushgroup.lv*, True -*.push-her.co.za*, True -*.pushitlive.net*, True -*.pushpathapa.com.np*, True -*.pusilkom.com*, True -*.puskel.net*, True -*.puspanjali.com.np*, True -*.pusparajbohora.com.np*, True -*.puspita-sari.cf*, True -*.pussmail.com*, True -*.pussybkk.com*, True -*.pussyx.tv*, True -*.pustakanime.com*, True -*.putadot.com*, True -*.putanas.ru*, True -*.putemfimaibuni.ro*, True -*.putera.com.my*, True -*.putera.net*, True -*.puteranian.com*, True -*.puterlagu.com*, True -*.putitonstuff.com*, True -*.putkis.com*, True -*.putnam-moorcroft.me*, True -*.puto.me*, True -*.putra12tanjung.tk*, True -*.putraadsense.com*, True -*.putra.id*, True -*.putraindonesiamalang.or.id*, True -*.putrajayaabadi.com*, True -*.putrapati.in*, True -*.putrasugest.com*, True -*.putr.co*, True -*.putri.web.id*, True -*.putsmarie.ch*, True -*.putsmarie.com*, True -*.puttibetbackonthemap.org*, True -*.puu55.com*, True -*.puu77.com*, True -*.puuhis.net*, True -*.puumiehet.fi*, True -*.puutarhakaluste.fi*, True -*.puyeshtajhiz.com*, True -*.puzzled.ru*, True -*.puzzlerproject.info*, True -*.puzzle.sg*, True -*.pv190.com*, True -*.pv770.com*, True -*.pv990.com*, True -*.pvcm10.tk*, True -*.pve.com.au*, True -*.pvex.net*, True -*.pvfb.org.nz*, True -*.pvp.co.il*, True -*.pvpcraft.ca*, True -*.pvpcrafter.ml*, True -*.pvpme.org*, True -*.pvpnepal.org.np*, True -*.pvsnp.co.za*, True -*.pvucare.com*, True -*.pvvnetwork.com*, True -*.pvytykac.net*, True -*.pw4.com*, True -*.pwass.com*, True -*.pwdblog.com*, True -*.pwdnews.com*, True -*.pweffects.com*, True -*.pweffects.co.uk*, True -*.pwm.hu*, True -*.pwmn.net*, True -*.pwnd.cf*, True -*.pwnproductions.com*, True -*.pwnutrition.com*, True -*.pwnz.org*, True -*.pwois.cf*, True -*.pwois.ga*, True -*.pwois.gq*, True -*.pwp.org.za*, True -*.pws.ec*, True -*.pws.io*, True -*.pwsir.tk*, True -*.pw-spa.fi*, True -*.pwtcity.com*, True -*.px17.cl*, True -*.pxa.ca*, True -*.p-xel.com*, True -*.pxplace.com*, True -*.pxq.ca*, True -*.pycclan.ru*, True -*.pyctobap.com*, True -*.pydabogados.com.ar*, True -*.pydio.tk*, True -*.pydose.com*, True -*.pyenta.co.il*, True -*.pyesetz.net*, True -*.pyhome.ir*, True -*.pyjeon.com*, True -*.pykett.info*, True -*.pyl-teachers.com.ar*, True -*.pylvasvuo.fi*, True -*.pymc.cl*, True -*.pynapple.cl*, True -*.pyoincheol.com*, True -*.pyopt.org*, True -*.pyorrhoea.org*, True -*.pypantojo.cl*, True -*.pyp.com.ar*, True -*.pypinmuebles.com.ar*, True -*.pypsrl.com.ar*, True -*.pyramidtemplechurch.com*, True -*.pyramyd.com.br*, True -*.pyrnet.com*, True -*.pyrochrome.com*, True -*.pyro.ee*, True -*.pyroelectric.net*, True -*.pyromaddog.net*, True -*.pyromaniacs.co.za*, True -*.pyrotec-ecologic.ro*, True -*.pyrotech.co.za*, True -*.pyroworks.us*, True -*.pyrrhous.com*, True -*.pytecdesign.com*, True -*.pythagorasweb.com.ar*, True -*.pyth.com.ar*, True -*.pyuas.net*, True -*.pyugmao.com.ve*, True -*.pze.co*, True -*.pztm.ru*, True -*.pzt.net.au*, True -*.pzycho.tk*, True -*.pzz68.com*, True -*.pzz78.com*, True -*.pzz88.com*, True -*.q0p.ru*, True -*.q10.com.ar*, True -*.q2000.it*, True -*.q2players.org*, True -*.q40q.com*, True -*.q5help.me*, True -*.q5mail.me*, True -*.q5.vg*, True -*.q6j.pw*, True -*.qah.org.au*, True -*.qalamun.com*, True -*.qalero.com*, True -*.qanovi.com*, True -*.qanovi.net*, True -*.qantax.sk*, True -*.qap-consulting.cl*, True -*.qarea.com*, True -*.qarea.info*, True -*.qariplayer.com*, True -*.qarotossi.com*, True -*.qasehwalid.com*, True -*.qasl.com.ar*, True -*.qatar2022bid.com*, True -*.qatro.com*, True -*.qaz52e.cf*, True -*.qaz52e.com*, True -*.qaz52e.ga*, True -*.qaz52e.gq*, True -*.qaz52e.ml*, True -*.qaz52e.net*, True -*.qaz52e.org*, True -*.qazaq.com*, True -*.qbeeurope.ch*, True -*.qbfsoluciones.com.ar*, True -*.qbgames.com.ar*, True -*.qbonita.com*, True -*.qbp.pw*, True -*.qbranchconsultants.co.za*, True -*.qbspartners.com.au*, True -*.qbuntu.com*, True -*.qbuntu.net*, True -*.qbuntu.org*, True -*.qchat.ml*, True -*.qchsag.ca*, True -*.qclab.ru*, True -*.qcon.com.br*, True -*.qcrist.tk*, True -*.qc.to*, True -*.q-cux.com*, True -*.qddashidai.com*, True -*.qdos.com.ar*, True -*.qdsystems.com.ar*, True -*.qdwujiang.com*, True -*.qdysyg.com*, True -*.qdzfgcjg.com*, True -*.qd-zxgc.com*, True -*.qeaed.com*, True -*.qeon.tk*, True -*.qerreti.ch*, True -*.qfastapp.com*, True -*.qfastapp.com.au*, True -*.qfc.co.za*, True -*.qfg.org*, True -*.qg5.com*, True -*.qgardens.ca*, True -*.qgen.in*, True -*.qgenix.com*, True -*.qhewstone.cl*, True -*.qhi.tw*, True -*.qhj-isat.com*, True -*.qhsemails.com*, True -*.qhycgg.com*, True -*.qiandaodoubing.com*, True -*.qiaoqiao.org*, True -*.qibl.at*, True -*.qidexuh.cf*, True -*.qidox.com*, True -*.qije.gq*, True -*.qije.tk*, True -*.qijytel.cf*, True -*.qilagallery.com*, True -*.qimolive.com*, True -*.qintet.com*, True -*.qintet.com.au*, True -*.qiosku.com*, True -*.qiphone.com*, True -*.qipower.pt*, True -*.qipy.ru*, True -*.qisolar.com*, True -*.qisolar.net*, True -*.qiubo.li*, True -*.qiuchangtong.cn*, True -*.qiut.ga*, True -*.qjguo.com*, True -*.qkzheng.info*, True -*.qlan.net*, True -*.qlbv.vn*, True -*.qldcrawford.id.au*, True -*.qlddesign.com*, True -*.qld-rural.info*, True -*.qldtsol.com*, True -*.qlex.com*, True -*.qlikview.ir*, True -*.qlippoth.com*, True -*.qlittlemonster.com*, True -*.qliu.org*, True -*.qljf.com*, True -*.qloud.cc*, True -*.qloudie.com*, True -*.qloudpass.com*, True -*.qlr.ro*, True -*.qmp.cat*, True -*.qmxmt.com*, True -*.qna77.com*, True -*.qna88.com*, True -*.qnas.com.ve*, True -*.qn.co.ve*, True -*.qnd.co.za*, True -*.q-net.com.au*, True -*.q-network.com*, True -*.qnoz.ml*, True -*.qnp.pw*, True -*.qolbiherbs.com*, True -*.qomsamsung.com*, True -*.qomsamsung.ir*, True -*.qomsetrv.cf*, True -*.qonerlos.cf*, True -*.qontinent.net*, True -*.qoojake.cf*, True -*.qookmark.com*, True -*.qootu.com*, True -*.qorkboard.com*, True -*.qos7.com*, True -*.qosmosclub.com*, True -*.qosmosclub.ru*, True -*.qoude.cl*, True -*.qpay99.com.my*, True -*.qpilates.es*, True -*.qplanner.cf*, True -*.qpltd.net*, True -*.qpmz.es*, True -*.qpress.hk*, True -*.qq171445051.tk*, True -*.qq260.com*, True -*.qq296491881.ml*, True -*.qq320.com*, True -*.qq610.com*, True -*.qqal.tk*, True -*.qqbuy.tk*, True -*.qq.com.my*, True -*.qqcz.info*, True -*.qqhit.net*, True -*.qqm49.com*, True -*.qqm59.com*, True -*.qqm73.com*, True -*.qqm89.com*, True -*.qq.my*, True -*.qqplay.info*, True -*.qqpro.net*, True -*.qqqkiss.com*, True -*.qqq.one.pl*, True -*.qqr26.com*, True -*.qqr44.com*, True -*.qqr77.com*, True -*.qqr99.com*, True -*.qqurl.tk*, True -*.qra.co.za*, True -*.qradmin.com.ar*, True -*.qrcode-app.co*, True -*.qr-code.co.za*, True -*.qrew.tk*, True -*.qrfolder.com*, True -*.qrify.in*, True -*.qrlnk.tk*, True -*.qrme.ru*, True -*.qrs2.com*, True -*.qrurl.tk*, True -*.qrwww.tk*, True -*.qsa.es*, True -*.qsaudiopro.com*, True -*.qsbook.com*, True -*.qseventeen.com*, True -*.qsisto.fi*, True -*.qsl.ro*, True -*.qsoftstudios.com*, True -*.q-station.net*, True -*.q-station.org*, True -*.qtcafe.us*, True -*.qtdaycareabbotsford.com*, True -*.qtech.cl*, True -*.qtechnica.gr*, True -*.qtemu.org*, True -*.qthedeveloper.com*, True -*.qthome.org*, True -*.qtip.co.uk*, True -*.qtng.uk*, True -*.qtpie.co*, True -*.qt-pro.net*, True -*.qtrp.tk*, True -*.qts-ar.com.ar*, True -*.qtscan.com*, True -*.qtscan.it*, True -*.qtservicios.com.ar*, True -*.quachtaibuu.com*, True -*.quadalkatreszek.sk*, True -*.quadcrowned.com*, True -*.quadcrowned.com.au*, True -*.quadoc.co.uk*, True -*.quadrantsolar.com*, True -*.quadricosi.it*, True -*.quadrigademo.com*, True -*.quaff.ca*, True -*.quagga.ca*, True -*.quag.ml*, True -*.quaitgor.com*, True -*.quaixy.net*, True -*.quake0day.com*, True -*.quakeargentina.com*, True -*.quake.cc*, True -*.quakenet.tk*, True -*.qualicareportal.com*, True -*.qualijetargentina.com.ar*, True -*.qualimart.co.za*, True -*.qualirede.com*, True -*.qualirede.com.br*, True -*.qualisto.com*, True -*.qualitech.co.za*, True -*.quality-electronics.com*, True -*.qualityexperts.com.ar*, True -*.qualityfactory.cl*, True -*.qualitymebel.ru*, True -*.qualitynet.com.br*, True -*.qualitynet.inf.br*, True -*.qualityoutdoorservices.com*, True -*.qualitypoolsboulder.com*, True -*.qualmelhortvcomprar.com*, True -*.qualtechnologies.com.au*, True -*.quamoc.com*, True -*.quanaotrecon.net*, True -*.quandoanphoto.com*, True -*.quanghung.org*, True -*.quangnam.tv*, True -*.quangninh360.net*, True -*.quangtrung9x.com*, True -*.quannhacvang.com*, True -*.quantasmetais.com.br*, True -*.quantatechnologicalcorporation.com*, True -*.quantbio.ca*, True -*.quantdev.se*, True -*.quantum2.tk*, True -*.quantumachine.net*, True -*.quantumchaos451.co.nz*, True -*.quantumcontracting.ca*, True -*.quantumdust.nl*, True -*.quantumfunction.org*, True -*.quantumhospitality.it*, True -*.quantumhost.cf*, True -*.quantum.io*, True -*.quantumion.net*, True -*.quantum.la*, True -*.quantum-labs.co.id*, True -*.quantumminerz.net*, True -*.quantumtelecom.asia*, True -*.quarantined.net*, True -*.quarion.one.pl*, True -*.quarkbuddha.org*, True -*.quarnos.org*, True -*.quarrymanshotel.com.au*, True -*.quartetodoce.com*, True -*.quartierdelmar.com.ar*, True -*.quartierdeoro.com.ar*, True -*.quartiersantelmo.com*, True -*.quasicomp.net*, True -*.quasited.com*, True -*.quasmo.net*, True -*.quatanggiovang.com*, True -*.quattrod.com.ar*, True -*.quattrogame.com*, True -*.quaywest.ca*, True -*.qube.com.br*, True -*.qube.net.br*, True -*.qubicprograms.tk*, True -*.qubit.ro*, True -*.qubits.co*, True -*.que77.com*, True -*.que84.com*, True -*.que87.com*, True -*.quebecanglos.ca*, True -*.quebec-canada.ru*, True -*.quebecemr.ca*, True -*.quebecemr.com*, True -*.quebeclasthope.com*, True -*.quebecpublic.gq*, True -*.quebonitoche.com.ar*, True -*.quebradoresdelsur.us*, True -*.quecomohoy.com.ar*, True -*.quedato.com*, True -*.queenephillips.com*, True -*.queenhoney.gr*, True -*.queenixasia.com*, True -*.queenkamillah.tk*, True -*.queenschool.ro*, True -*.queenscraiova.ro*, True -*.queenslandballoonart.com.au*, True -*.queensuccesstour.com*, True -*.queensway.co.za*, True -*.queenswaystables.co.za*, True -*.queenycameron.net*, True -*.queerline.de*, True -*.quehariassi.com*, True -*.quehuongmenyeu.com*, True -*.queijarianacional.pt*, True -*.queixalos.org*, True -*.quelata.cl*, True -*.quelch.net*, True -*.quelch.org*, True -*.quellidelfantacalcio.it*, True -*.queno.tk*, True -*.queon.tk*, True -*.quepasa.net.ve*, True -*.quercusrubra.info*, True -*.querinice.it*, True -*.queryada.com*, True -*.quesaen.cl*, True -*.quesogrill.com*, True -*.quesosuruguayos.com*, True -*.que.st*, True -*.quest4future.com*, True -*.questfordragonegg.tk*, True -*.questforjob.com*, True -*.questforzion.com*, True -*.quetzalbycar.com*, True -*.quevedodp.com*, True -*.quezon.com*, True -*.quickbooksphp.com*, True -*.quickbrownfox.com.ar*, True -*.quickcargo.com.pk*, True -*.quickcashloan.tk*, True -*.quickdesign.mx*, True -*.quickdos.com*, True -*.quickdraw-sw.com*, True -*.quickfab.net*, True -*.quickfixedloan.com*, True -*.quickhost.ch*, True -*.quickinfo.co.kr*, True -*.quicklink.co.id*, True -*.quick-money-transfer.com*, True -*.quickmove.ro*, True -*.quick-paydayloans24hr.org*, True -*.quickpaydayloanstoday.com*, True -*.quickpix.co.za*, True -*.quickresto.com*, True -*.quick-risk-screen.com*, True -*.quicksharenotes.tk*, True -*.quickvictory.com*, True -*.quick-web.ro*, True -*.quick-weight-loss.com.au*, True -*.quicquaro.com*, True -*.quidpro.com.ar*, True -*.quid.ro*, True -*.quierobagel.com.ar*, True -*.quierocrecer.es*, True -*.quierosmart.com*, True -*.quierouno.com*, True -*.quietbytes.com*, True -*.quietimblogging.com*, True -*.quietlydismantling.us*, True -*.quietresources.com*, True -*.quietsy.com*, True -*.quikr.sg*, True -*.quik.to*, True -*.quilbaalimentos.com.ar*, True -*.quilmes.gob.ar*, True -*.quilpe.com.ar*, True -*.quiltmyquilt.com*, True -*.quiltsuit.com*, True -*.quimbaya.me*, True -*.quimby4.com*, True -*.quimicaedna.cl*, True -*.quinconsult.my*, True -*.quincyco.com*, True -*.quinlivan.co.nz*, True -*.quinn50.tk*, True -*.quinn-family.net*, True -*.quinnspeak.com*, True -*.quinodoz.ch*, True -*.quinodozsports.ch*, True -*.quintaelparaiso.com.ar*, True -*.quintaestacion.com.ar*, True -*.quintafeira.com.br*, True -*.quint.al*, True -*.quintaljardins.com.br*, True -*.quintalvivo.com.br*, True -*.quinterno.com.ar*, True -*.quintessentialmax.com.au*, True -*.quintinos.cl*, True -*.quiqee.net*, True -*.quiro.be*, True -*.quiro.eu*, True -*.quiro.nl*, True -*.quiropraxialaplata.com.ar*, True -*.quiros.cat*, True -*.quiroskrum.com.ar*, True -*.quisco.cl*, True -*.quitaquecreekranch.com*, True -*.quitowebstyle.com*, True -*.quiui.es*, True -*.quixnet.net.br*, True -*.quixo.tk*, True -*.quockchichung.hk*, True -*.quocteadong.com*, True -*.quodvis.net*, True -*.quody.com.ar*, True -*.quotemeg.co*, True -*.quotenotes.com.au*, True -*.quoteunquotemedia.co.za*, True -*.quotevision.net*, True -*.quouo77.com*, True -*.quq3.com*, True -*.quran19.com*, True -*.quran19.net*, True -*.quran19.org*, True -*.quranref.info*, True -*.quran-sunnah-hadith.tk*, True -*.qureshi.pw*, True -*.q-url.co*, True -*.quuxy.com*, True -*.quynh-tom.com*, True -*.quyzbuk.net*, True -*.qvap.ru*, True -*.qvd.com.br*, True -*.qvphysiotherapy.com*, True -*.qw361.com*, True -*.qw9a.com*, True -*.qwa777.com*, True -*.qwanyi.com*, True -*.qwarex.com*, True -*.qwe.li*, True -*.qwikbeer.com*, True -*.qwxc.net*, True -*.qyiku.com*, True -*.qzer10.tk*, True -*.qzer-broken-heart.tk*, True -*.qzertelo.tk*, True -*.qz.lc*, True -*.r00t.ch*, True -*.r00ted.ga*, True -*.r00ted.ml*, True -*.r00t-servers.net*, True -*.r00x.dj*, True -*.r0b3rt.org*, True -*.r0by.info*, True -*.r0gu3ptm.tk*, True -*.r0ma.in*, True -*.r0n0.com*, True -*.r0nd.tk*, True -*.r0the.ch*, True -*.r1de.net*, True -*.r1v3n.net*, True -*.r2ci.com*, True -*.r2consult.com.br*, True -*.r2d1000.net*, True -*.r2pro.net*, True -*.r33tzke3.com*, True -*.r3broadcast.com.br*, True -*.r3digitalized.net*, True -*.r3lai.com*, True -*.r3volution.org*, True -*.r4808n.com*, True -*.r4d1um.org*, True -*.r4dstt.com*, True -*.r4ffy.info*, True -*.r4ffy.me*, True -*.r5t.ru*, True -*.r76.net*, True -*.r7perfumes.com.br*, True -*.r7r.info*, True -*.r8way.com*, True -*.ra0.pl*, True -*.ra3.us*, True -*.raa36.com*, True -*.raa42.com*, True -*.raa62.com*, True -*.raa74.com*, True -*.raa85.com*, True -*.raabk.com*, True -*.raamatupidamiseprogramm.ee*, True -*.raamatupidamisprogrammid.ee*, True -*.raatjes.org*, True -*.raatjes.us*, True -*.raavj.ro*, True -*.rabbett.co.uk*, True -*.rabbitgame.net*, True -*.rabbithill.org*, True -*.rabbithome.ru*, True -*.rabbitrabbit.tw*, True -*.rabbitsky.com*, True -*.rabbitt.in*, True -*.rabbitvcactus.eu*, True -*.rabee.cc*, True -*.rabeehkhani.com*, True -*.rabenbrot.ch*, True -*.rabimishra.com.np*, True -*.rabin.ca*, True -*.rabinoisaacsacca.com*, True -*.rabinovich.co.il*, True -*.rabinthapa.com.np*, True -*.rabotadnya.pw*, True -*.raboudsa.ch*, True -*.rabsacca.com*, True -*.rabujed.cf*, True -*.rabu.me*, True -*.rac3480.org*, True -*.raccah.net*, True -*.racebreakreplace.com*, True -*.raceforourcommunity.org*, True -*.raceless.org.za*, True -*.raceplace.org*, True -*.racerx.org*, True -*.racetectiming.com*, True -*.racetecweb.com*, True -*.racetek.ro*, True -*.racetimizer.com*, True -*.rachaelpollard.com*, True -*.rachaelwentworth.ca*, True -*.rachelbaskerville.com*, True -*.rachel-franck.com.br*, True -*.rachelgoth.com*, True -*.rachelgoth.co.uk*, True -*.rachel.ir*, True -*.rachelmcmahan.com*, True -*.rachelmcohen.com*, True -*.rachelneumeier.com*, True -*.rachelnicole.net*, True -*.rachelridge.org*, True -*.racheterfreres.ch*, True -*.racingfever.com*, True -*.racingfuelpumps.com*, True -*.racingmedia.ro*, True -*.racingseats.com*, True -*.racinjason.com*, True -*.racional.com.mx*, True -*.raciosilalimentos.cl*, True -*.raciosil.cl*, True -*.rac.is*, True -*.rackconsult.in*, True -*.rackelbelzil.ca*, True -*.rackingagent.co.id*, True -*.racklive-inc.com*, True -*.rackoletters.com*, True -*.rackshell.net*, True -*.rackworld.com.my*, True -*.raconsulting.com.ve*, True -*.raconteurcreativegroup.com*, True -*.racquetchat.com*, True -*.racunala.eu*, True -*.racutez.cf*, True -*.racving.com*, True -*.raczcomplex.com*, True -*.radaco.net*, True -*.radael.li*, True -*.radarbengkulu.web.id*, True -*.radarclub.org.au*, True -*.radareleitoral.com.br*, True -*.radarg.pw*, True -*.radar-off.ru*, True -*.radarspotters.eu*, True -*.radarvision.co.za*, True -*.radauti.ro*, True -*.radaware.com*, True -*.radcatgames.com*, True -*.radchem.tk*, True -*.radcloud.net*, True -*.rademacher.ch*, True -*.radenymous.eu*, True -*.radforex.org*, True -*.radi0.one.pl*, True -*.radialkolbenmotore.com*, True -*.radial-pistonmotors.com*, True -*.radiancelightingindonesia.com*, True -*.radiantedm.com*, True -*.radiator-indonesia.com*, True -*.radicalelectronics.net*, True -*.radicalhead.com*, True -*.radicalinteractive.com*, True -*.radical.io*, True -*.radicalio.ca*, True -*.radicalio.com*, True -*.radicalio.net*, True -*.radicalio.org*, True -*.radicat.co.za*, True -*.radice.com.ar*, True -*.radikom.co.id*, True -*.radio1alexandria.ro*, True -*.radio21.hu*, True -*.radioaguasformosas.com.br*, True -*.radioamator.ro*, True -*.radioarezzo.com*, True -*.radioarezzo.net*, True -*.radioarezzo.tk*, True -*.radiobest.ro*, True -*.radiobiblica.org.ar*, True -*.radiobomba.net*, True -*.radio-brasov.ro*, True -*.radiocarreen.com*, True -*.radiocaucete951.com.ar*, True -*.radiocautiva.cl*, True -*.radiocentral.com.br*, True -*.radiochapadaodigital.com*, True -*.radioclube.cf*, True -*.radioclube.ga*, True -*.radioclube.ml*, True -*.radioclube.tk*, True -*.radiocontent.ml*, True -*.radiocustom.es*, True -*.radiodata.co*, True -*.radiodistractie.ro*, True -*.radiodobrogea.ro*, True -*.radiodot.net*, True -*.radioelquina.cl*, True -*.radioerasitexnis.gr*, True -*.radioestacion.com.ar*, True -*.radioestilo.com.ar*, True -*.radioetruria.tk*, True -*.radiofavorit.ro*, True -*.radiofeel.com*, True -*.radiofenix.cl*, True -*.radiofingerprint.com*, True -*.radio-flyer.ro*, True -*.radiofuzzie.de*, True -*.radiogirl.fm*, True -*.radiogiurgiu.ro*, True -*.radiogratis.ro*, True -*.radiogratuit.ro*, True -*.radioguitar.ru*, True -*.radioh.com.ar*, True -*.radiohits1.net*, True -*.radio.id.lv*, True -*.radioimpactfm.ro*, True -*.radioindependiente.info*, True -*.radioindonesia.info*, True -*.radio-i.org*, True -*.radiokita.or.id*, True -*.radiolallave.cl*, True -*.radio-land.ch*, True -*.radiolaquintapata.com.ar*, True -*.radiolibre.co*, True -*.radio-light.ro*, True -*.radiologist.hk*, True -*.radiomanu.com.ar*, True -*.radiome.ga*, True -*.radiomoca.ro*, True -*.radiomoka.ro*, True -*.radiomp3.tk*, True -*.radionasarijecchicago.com*, True -*.radionasarijec.com*, True -*.radionasarijec.net*, True -*.radioncc.tk*, True -*.radionet.com.ar*, True -*.radionovabrasil.com.br*, True -*.radionovabrasilfm.com.br*, True -*.radioonline.ml*, True -*.radio.org.ru*, True -*.radio-pasiun3.com*, True -*.radioplaycentral.com*, True -*.radiopopularrufino.com.ar*, True -*.radioproyectos.com.ar*, True -*.radiopulse.co.kr*, True -*.radiopulxo.com.ar*, True -*.radioritmo.com.ar*, True -*.radiorueda.com.ar*, True -*.radiosaga.ga*, True -*.radioscribe.com*, True -*.radiosg.com.br*, True -*.radio-show.ro*, True -*.radiosolarkompass.org*, True -*.radiospoznan.pl*, True -*.radio-taxi-split.hr*, True -*.radiotoscana.cl*, True -*.radiourbanasf.com.ar*, True -*.radiouta.cl*, True -*.radiovecina.cl*, True -*.radiovivafm.ro*, True -*.radiovoces.com.ar*, True -*.radiowaveservice.co.uk*, True -*.radiows.org*, True -*.radio-zvez.info*, True -*.radityahn.net*, True -*.radix-site.com*, True -*.radjabov.name*, True -*.radjamobil.co.id*, True -*.radjamultikreasi.co.id*, True -*.radmanz.com*, True -*.radne.se*, True -*.rad-net.info*, True -*.radoslavnedkov.com*, True -*.radride.cl*, True -*.radsan.com*, True -*.radsan.com.tr*, True -*.radschinski.de*, True -*.radsone.us*, True -*.radsportschule-laegern.ch*, True -*.rad-style.tk*, True -*.raduga-clean.ru*, True -*.radugalab.com*, True -*.radusofronie.ro*, True -*.raduvranceanu.ro*, True -*.raduzhny.ru*, True -*.radwork.pt*, True -*.radyabeman.com*, True -*.radyabkhodro.ir*, True -*.radykalni.eu*, True -*.radzyn.one.pl*, True -*.rae.com.my*, True -*.rael.cc*, True -*.rael.ga*, True -*.rael.gq*, True -*.rael.info*, True -*.rael.ml*, True -*.rael.pw*, True -*.rael.so*, True -*.raeuberhotzenplotz.net*, True -*.rafadeprisma.es*, True -*.rafaelaegabriel.com.br*, True -*.rafaelaexport.cl*, True -*.rafaelanieves.com*, True -*.rafael-avila.com*, True -*.rafaelcamacho.com.br*, True -*.rafael.cl*, True -*.rafaelcury.com*, True -*.rafaelhernandes.com.br*, True -*.rafaelmellado.com*, True -*.rafaelo.com.br*, True -*.rafaelrubens.com.br*, True -*.rafaelsimoes.pt*, True -*.rafaeltorres.com.br*, True -*.rafaelzaldivar.com*, True -*.rafahernandez.es*, True -*.rafc.co.za*, True -*.raffcomm.my*, True -*.raffelsieper.net*, True -*.raffertygar.com*, True -*.raffinagita.id*, True -*.rafflesapp.com*, True -*.rafflesiagroup.com.my*, True -*.raffstdat.net*, True -*.rafiki.ml*, True -*.rafo-system.gr*, True -*.raftmalaysia.com*, True -*.raftonia.com*, True -*.raf-zone.ml*, True -*.ragamkarya-ap.com*, True -*.rageclash.net*, True -*.rageofmages.net*, True -*.raggatt.co.uk*, True -*.raggenbass.net*, True -*.ragiltriatmojo.id*, True -*.ragingbeauty.com*, True -*.ragnashare.com*, True -*.ragreen.ml*, True -*.ragsoft.com.au*, True -*.ragsr.us*, True -*.ragtopvintage.com*, True -*.ragutzke88.tk*, True -*.rahaa.ir*, True -*.raharja-motor.com*, True -*.raharjamotor.com*, True -*.raharjo.biz*, True -*.raharjo.tk*, True -*.raharjo.web.id*, True -*.rahasialangsing.info*, True -*.rahianesharif.ir*, True -*.rahiansharif.ir*, True -*.rahimi.ir*, True -*.rahina.net*, True -*.rahlentreff.de*, True -*.rahmaani.ir*, True -*.rahmadblog.com*, True -*.rahmadmahfud.com*, True -*.rahmadmail.com*, True -*.rahmadnotes.com*, True -*.rahmankyusa.com*, True -*.rahmanmx.tk*, True -*.rahmann.name*, True -*.rahmanonlineshop.com*, True -*.rahmatindra.com*, True -*.rahon.org*, True -*.rahsiaresumekerja.my*, True -*.rahsmann.de*, True -*.rahyanesharif.ir*, True -*.rahyansharif.ir*, True -*.raialivre.com.br*, True -*.raichihinsk.ru*, True -*.raidguild.org*, True -*.raidproject.com*, True -*.raidrush.to*, True -*.raienet.com*, True -*.raihaandy.org*, True -*.raiic.com*, True -*.raikia.com*, True -*.rail.ga*, True -*.railinfo.co.za*, True -*.rail-main.com*, True -*.railpage.com.au*, True -*.railpage.org*, True -*.rail-pm.eu*, True -*.rail-pm.pl*, True -*.railsadmin.com*, True -*.railsadmin.org*, True -*.railtelecom.me*, True -*.railtelecom.ru*, True -*.railwaysoundsystem.co.uk*, True -*.railwaystreet.net*, True -*.railway.web.id*, True -*.rainbat.net*, True -*.rainbowcreative.web.id*, True -*.rainbowcup.com*, True -*.rainbow-eagle.ch*, True -*.rainbow-engineering.nl*, True -*.rainbowgardensbookshop.org*, True -*.rainbowheart.ro*, True -*.rainbowpagesinc.com*, True -*.rainbowstarfish.com*, True -*.rainbowsta.rs*, True -*.rainbowweekend.co.nz*, True -*.rainerhemmelmann.cl*, True -*.rainfox.org*, True -*.rainhadapraia.com.br*, True -*.rainharelacionamentos.com.br*, True -*.raininglemons.com*, True -*.rainmakernetworks.com*, True -*.rainmakers.fi*, True -*.rainsims.com*, True -*.rainycitydesign.co.uk*, True -*.rainysunshine.com*, True -*.raisso.ml*, True -*.raistlan.com*, True -*.raisya.cf*, True -*.raithelhubers.ch*, True -*.raizcivica.com.ar*, True -*.raizenwap.tk*, True -*.raizesmoveis.com.br*, True -*.raizquinta.pt*, True -*.rajaatapplastik.com*, True -*.rajabokep.ga*, True -*.rajabokep.ml*, True -*.rajabokep.net*, True -*.raja-carcover.com*, True -*.rajacode.com*, True -*.rajakerja.com*, True -*.rajalagu.net*, True -*.rajalu.co.id*, True -*.rajanu.com.np*, True -*.rajanyapipa.com*, True -*.rajarakjakarta.com*, True -*.rajatapaus.net*, True -*.rajawaligrp.co.id*, True -*.raj.cl*, True -*.rajeevjha.com.np*, True -*.rajendrakarki.com.np*, True -*.rajendratamang.com.np*, True -*.rajeshprakash.com*, True -*.rajeshworyadav.com.np*, True -*.raj-group.com*, True -*.rajkandhari.com*, True -*.rajlesnika.pl*, True -*.rajnigeorge.com*, True -*.rajshahiedu.org*, True -*.rakanews.com*, True -*.rakarezz.ml*, True -*.rak.cl*, True -*.rakeshp.com.np*, True -*.rakopen.com*, True -*.rakshitdhar.com*, True -*.raktarozz.hu*, True -*.raktel.com*, True -*.rakuca.com*, True -*.rakunet.co.id*, True -*.rakusushibar.com*, True -*.rakyatsulsel.com*, True -*.raleigh-coc.org*, True -*.ralfepoisson.com*, True -*.ralf-mengwasser.de*, True -*.ralgo.com.ar*, True -*.ralinux.com*, True -*.rallscountyclockcompany.com*, True -*.rallydatabase.com*, True -*.rally-foundation.org*, True -*.rallyofturkey.com*, True -*.rallyroute.com*, True -*.rallyservice.it*, True -*.ralo.com.ar*, True -*.ralphs.com.au*, True -*.ralphsmeatcompany.com.au*, True -*.raluca-anghel.ro*, True -*.rama2.xyz*, True -*.ramacdn.tk*, True -*.ramadhanie.net*, True -*.ramadhan.us*, True -*.ramadns.tk*, True -*.ramadsl.tk*, True -*.ramafile.tk*, True -*.ramah.com.ar*, True -*.ramahost.tk*, True -*.ramail.co.za*, True -*.ramail.tk*, True -*.ramalhais.com*, True -*.ramalhosa.pt*, True -*.ramallo2251.com*, True -*.ramalvim.com*, True -*.ramanshrestha.com.np*, True -*.ramart.lv*, True -*.ramaserver.tk*, True -*.ramatest.tk*, True -*.ramaurl.tk*, True -*.ramautility.tk*, True -*.rambler.ro*, True -*.ramblingtravel.com*, True -*.ramblones.com*, True -*.ram-check.com*, True -*.ramclimat.ru*, True -*.ramcomputing.cl*, True -*.ramconsult.ro*, True -*.ramdeni.com*, True -*.ramdhunisaving.com.np*, True -*.ramdosaaf.ru*, True -*.ramdziana.my.id*, True -*.ramecoeg.com*, True -*.rameshbajgain.com.np*, True -*.ramfj.org*, True -*.ramftp.com*, True -*.ramhariregmi.com.np*, True -*.ramicevic.com*, True -*.ramicevic.net*, True -*.ramicevic.org*, True -*.ramimikhail.info*, True -*.ramin-zarei.ir*, True -*.ramirezserrano.cl*, True -*.ramirod.ro*, True -*.ramiromata.com.ar*, True -*.ramkumarelan.com*, True -*.rammag.ru*, True -*.ramnarine.com*, True -*.ramnelius.se*, True -*.ramonmedina.net*, True -*.ramono.us*, True -*.ram-os.net*, True -*.ramotmenashe.co.il*, True -*.rampage-tour.com*, True -*.rampeffect.org*, True -*.ramsete.com*, True -*.ramuacharya.com.np*, True -*.ran3.tk*, True -*.ran-army.com*, True -*.rancaguacultura.cl*, True -*.rancaguacultural.cl*, True -*.rancaguarentacar.com*, True -*.ranchodigital.com.ar*, True -*.ranchontherock.net*, True -*.rancidhome.net*, True -*.randallbrown.ca*, True -*.randemjoe.com*, True -*.randilynn-and-nick.com*, True -*.randin.ro*, True -*.randkujwarszawo.pl*, True -*.randolphd6.com*, True -*.randolphwan.com*, True -*.randomations.com*, True -*.randomazon.com*, True -*.randomb.it*, True -*.randomee.com*, True -*.random-food.tk*, True -*.randominseattle.net*, True -*.randomity.net*, True -*.randomlogo.com*, True -*.randomlyawkward.com*, True -*.randomnature.net*, True -*.random.one.pl*, True -*.randomosity.net*, True -*.randomresources.org*, True -*.randomrodder.com*, True -*.randomskies.com*, True -*.randrews.id.au*, True -*.randyalsup.com*, True -*.randydorian.com*, True -*.randyhollaway.com*, True -*.randyshouseofgames.com*, True -*.ranetmedia.ro*, True -*.ran-fix.com*, True -*.ranftl.org*, True -*.ra-nge.com*, True -*.rangelserver.net*, True -*.rangepunch.tk*, True -*.rangirangi.ir*, True -*.rangnhuacomposite.com*, True -*.rangoonairporttaxicab.com*, True -*.ranieripieper.com.br*, True -*.ranime.org*, True -*.raniworld.com*, True -*.ranjani.co.id*, True -*.ranjanshrestha.com.np*, True -*.ranjbaran.net*, True -*.ranjitlama.com.np*, True -*.rankingptc.com*, True -*.rankings.com.mx*, True -*.rankings.com.ve*, True -*.rank.so*, True -*.ranlien.com*, True -*.ranma.org.ve*, True -*.ranperhar.com*, True -*.ransack.org*, True -*.ranselectrical.com.au*, True -*.ransoft.info*, True -*.ransoft.net*, True -*.ransoft.us*, True -*.ranstadusa.in*, True -*.rantelec.cl*, True -*.ran-test.com*, True -*.rantingsofababyboomer.com*, True -*.rantster.com*, True -*.ran-tube.com*, True -*.ranu.com.ar*, True -*.rao.cl*, True -*.raoroot.com*, True -*.raoulschipper.nl*, True -*.raovat.me*, True -*.rapala-sa.co.za*, True -*.rapalasa.co.za*, True -*.rapatao.com*, True -*.rapebag.com*, True -*.rapeisfunny.com*, True -*.rapeis.sexy*, True -*.raphaelmaiopoulos.com*, True -*.raphaelschaaf.ch*, True -*.raphs.net*, True -*.rapid8.com*, True -*.rapidaccess.co.za*, True -*.rapidchemical.com*, True -*.rapid.co.id*, True -*.rapidcraft.net*, True -*.rapide.fi*, True -*.rapidexchanges.com*, True -*.rapidit.ru*, True -*.rapidlearning.biz*, True -*.rapidodelsud.com.ar*, True -*.rapidradio.co.za*, True -*.rapidshader.net*, True -*.rapidshare-king.info*, True -*.rapidstartups.com*, True -*.rapid-upload.com*, True -*.rapidxtech.com*, True -*.rapirespondercr.com*, True -*.raplanet.ru*, True -*.raporlar.com*, True -*.rapphim.org*, True -*.rappoldphotography.com*, True -*.rappold.us*, True -*.rappwedding.com*, True -*.raps.net.au*, True -*.rapstop.com*, True -*.raptor911.net*, True -*.rapunzelbeauty.com*, True -*.rapydscript.com*, True -*.raquelita.es*, True -*.rareenough.com*, True -*.rarefate.com*, True -*.raresupply.com*, True -*.rarii.com*, True -*.rarr.org.uk*, True -*.rasadnikgilic.com*, True -*.rasanayagam.com*, True -*.ra.sa.ro*, True -*.rasco-jl.com*, True -*.rasde.com*, True -*.rasdvatri.it*, True -*.rasenftinc.com*, True -*.rasgamingsolutions.ga*, True -*.rashmila.com.np*, True -*.rashuno.com*, True -*.rasic.rs*, True -*.rasic.si*, True -*.rasilojuice.com*, True -*.raskin.co*, True -*.raskin.name*, True -*.raslav.org*, True -*.rasmussenfamily.name*, True -*.rasova.ro*, True -*.raspbear.com*, True -*.raspberry4schools.co.uk*, True -*.raspberryarduino.co.uk*, True -*.raspberrybasic.co.uk*, True -*.raspberrycompiler.co.uk*, True -*.raspberryflowchart.co.uk*, True -*.raspberryhome.org*, True -*.raspberryip.com*, True -*.raspberryip.org*, True -*.raspberryshields.co.uk*, True -*.raspberrytools.co.uk*, True -*.raspberryweb.uk*, True -*.rasp-emile.tk*, True -*.raspezd.org*, True -*.raspiblog.com*, True -*.raspi.ga*, True -*.raspisan.com*, True -*.raspo.com.ar*, True -*.raspo.si*, True -*.rassegnaorganisticavalsassinese.it*, True -*.rastaval.com*, True -*.rastavarian.com*, True -*.rastgooyan.com*, True -*.rastgooyan.ir*, True -*.rastichineseart.com*, True -*.rastrojero.com*, True -*.rastrosolidario.org*, True -*.rasulls.com*, True -*.rasvpin.com*, True -*.rasvpn.com*, True -*.ratdivision.com*, True -*.rateaaronsbeer.com*, True -*.ratechno.com*, True -*.ratedplate.com*, True -*.ratedplate.co.uk*, True -*.ratedplate.uk*, True -*.rategh.com*, True -*.ratel.io*, True -*.ratemysketa.com*, True -*.ratemytea.com*, True -*.rateradar.co.uk*, True -*.rateradar.net*, True -*.ratermann.us*, True -*.rateyourtraffic.com*, True -*.rateyourtraffic.net*, True -*.rathel.net*, True -*.ratherhuman.com*, True -*.ratherwute.com*, True -*.rathlinenergy.co.uk*, True -*.rathodfamily.com*, True -*.rationalpeople.us*, True -*.ratnam.me*, True -*.ratnikov.com*, True -*.ratu-bigsale.com*, True -*.ratugaleri.com*, True -*.ratz.com.ar*, True -*.ratzer.com.ar*, True -*.rauberanton.ch*, True -*.rau-chaplin.ca*, True -*.rauchmeldershop.ch*, True -*.raudalat.com*, True -*.raudhatulmuhibbin.org*, True -*.rauen.net.br*, True -*.raulgarza.com*, True -*.raul-ramos.com*, True -*.raulsantamaria.com*, True -*.raum-fuer-gestalt.ch*, True -*.ravanbakhsh.com*, True -*.ravanrah-alavijeh.com*, True -*.ravensbookofshadows.com*, True -*.ravenspot.com*, True -*.ravenspot.info*, True -*.ravenspot.net*, True -*.ravenspot.org*, True -*.ravensystem.es*, True -*.rave.sexy*, True -*.ravi.ch*, True -*.ravinsoc.ir*, True -*.ravintolafino.fi*, True -*.rav-kraski.ru*, True -*.ravn.tk*, True -*.ravzin.com*, True -*.rawbite.ro*, True -*.rawdirect.com*, True -*.rawenerqi.com*, True -*.rawls.me*, True -*.raw-manga.com*, True -*.rawmediums.net*, True -*.rawnet.it*, True -*.raw-power.net*, True -*.rawrix.net*, True -*.rawsons.id.au*, True -*.raxbeauty.com*, True -*.raxcity.com*, True -*.raxtv.com*, True -*.rayanayash.com*, True -*.rayandemilie.com*, True -*.rayanet.com*, True -*.rayanetisp.ir*, True -*.rayanposhtiban.com*, True -*.rayanvision.com*, True -*.rayap.net*, True -*.rayborn.org*, True -*.raybriell.com*, True -*.raycraft.org*, True -*.raydiance.org*, True -*.rayen-co.cl*, True -*.rayfu.net*, True -*.raygach.net*, True -*.rayjogja.com*, True -*.rayk.us*, True -*.raylapeyre.com*, True -*.ray-lee.co.uk*, True -*.raym.ca*, True -*.raymerreason.com*, True -*.raymin.org*, True -*.raymondmenuiserie.ch*, True -*.raymondstyll.ro*, True -*.rayneman.com.au*, True -*.rayontex.com*, True -*.rayoverde.cl*, True -*.rayray.hk*, True -*.raystorm.co.uk*, True -*.rayvenworks.com*, True -*.rayvenworks.info*, True -*.rayyan4u.com*, True -*.rayyanglobal.com*, True -*.raza.gr*, True -*.razaksaja.com*, True -*.razalabs.gr*, True -*.razboin1.ro*, True -*.raz-dudi.com*, True -*.razerhost.net*, True -*.raze.su*, True -*.razgriz.es*, True -*.razigrani-unikati.tk*, True -*.raz-migun.co.il*, True -*.razorhack.org*, True -*.razorlan.info*, True -*.razornet.at*, True -*.razorsmart.com*, True -*.razrgroup.com*, True -*.razsvetljava.si*, True -*.razvan-birsan.ro*, True -*.razvanchirita.ro*, True -*.razy.ro*, True -*.razzard.ca*, True -*.razzard.com*, True -*.razzfdecor.com*, True -*.razzorro.tk*, True -*.rb30inside.com*, True -*.rba.com.ar*, True -*.rbask.com*, True -*.rbb.org*, True -*.rbculverstone.com*, True -*.rbculverstone.com.au*, True -*.rbculverstone.net.au*, True -*.rb-doo.hr*, True -*.rbef.org.za*, True -*.rbenson.net*, True -*.rbfempresas.cl*, True -*.rbit.fi*, True -*.rbkmania.ro*, True -*.rbmail.com.ar*, True -*.rbnews24.net*, True -*.rbog.net*, True -*.rbrcurtis.com*, True -*.rbrsolutions.com*, True -*.rbtech.com.ar*, True -*.rbtstech.com*, True -*.rbwh.com.au*, True -*.rc2.cl*, True -*.rc51.ru*, True -*.rca-2011.ro*, True -*.rcamgmt.com*, True -*.rcapenet.ro*, True -*.r-cars.be*, True -*.rcbits.com.au*, True -*.rc-bot.net*, True -*.rc-ca.ca*, True -*.rccons.info*, True -*.rcel.to*, True -*.rcfn.eu*, True -*.rcfor.me*, True -*.rcgraphic.cl*, True -*.rcgs.ca*, True -*.rchamberlinwoodworking.com*, True -*.rchapmandds.com*, True -*.rchat.nl*, True -*.rcheliguy.com*, True -*.rclewisenterprises.com*, True -*.rclightingasia.com*, True -*.rclivramento.com*, True -*.rcmedia.com.au*, True -*.rcnet.org.uk*, True -*.rcoil.net*, True -*.rcordeiro.pt*, True -*.rcor.ro*, True -*.rcosp.ru*, True -*.rcparker.co.uk*, True -*.rcpoudel.com.np*, True -*.rc-present.ru*, True -*.rcrcc.ca*, True -*.rcreations.com*, True -*.rc-reviews.co.uk*, True -*.rcs01.com*, True -*.rcs7.org*, True -*.rcs.gr*, True -*.rcsserver.com*, True -*.rc-suphan.com*, True -*.rcti.cf*, True -*.r-cube.ch*, True -*.rc-vip.com*, True -*.rcvmt.com*, True -*.rcx.cz*, True -*.rcyoyoclub.tk*, True -*.rdarkness.com*, True -*.rdaryan.com*, True -*.rdbilgisayar.com*, True -*.rden.co*, True -*.rdenham.co.uk*, True -*.rdesign.ro*, True -*.rdfsseealso.net*, True -*.rdfsseealso.org*, True -*.rdgroup-ltd.com*, True -*.rdhruva.com*, True -*.rdit.ch*, True -*.rdknb.com*, True -*.rdlqc.ca*, True -*.rdnchome.net*, True -*.rdns.tk*, True -*.rdogi.org*, True -*.rdombrock.net*, True -*.rdorte.org*, True -*.rdragons.com.br*, True -*.rdrssharepoint.com*, True -*.rdrtech.com*, True -*.rdrtracking.com.br*, True -*.rdsforum.ro*, True -*.rdshub.ro*, True -*.rd-solinar.net*, True -*.rdstech.co.za*, True -*.rdt2.co*, True -*.rd-team.ru*, True -*.rdvindoprint.com*, True -*.rdx.cl*, True -*.rdxtactical.com*, True -*.rdxtactical.co.uk*, True -*.re20b.com*, True -*.re54.ch*, True -*.reabilitare.eu*, True -*.reabra.com.br*, True -*.reabra.net.br*, True -*.reachcms.co.uk*, True -*.reachwaycorp.com*, True -*.react9.com*, True -*.reactfx.org*, True -*.re-activa.cl*, True -*.reactorx.co.za*, True -*.readable.us*, True -*.readabook.ml*, True -*.readiapps.com*, True -*.readinchinese.com*, True -*.readingputonghua.com*, True -*.readmatt.tk*, True -*.ready.cl*, True -*.readymadefamily.com*, True -*.readymind.com.ar*, True -*.readymindit.com.ar*, True -*.readymind.ms*, True -*.readymixalit.com*, True -*.readynow.com.ar*, True -*.readysettrot.com.au*, True -*.readysettrot.net.au*, True -*.readyspamstuff.com*, True -*.readytodrink.ro*, True -*.reaksiberantai.com*, True -*.real58.ru*, True -*.realassist.in*, True -*.realaussiebloke.com*, True -*.realcharger.com*, True -*.realcharger.net*, True -*.realclasses.com*, True -*.realcraftycreations.com*, True -*.realdads.net*, True -*.real-design.ro*, True -*.realestateadvisoryservices.co*, True -*.realestatedealroom.com*, True -*.realestatehaus.com*, True -*.realestatepeople.ru*, True -*.realestatepoint.com.au*, True -*.realestateprofessionals.net*, True -*.realestatereceiver.net*, True -*.realfire.co.za*, True -*.realfun.pw*, True -*.realgamingreview.com*, True -*.realgoodejuice.com*, True -*.realhotels.co.uk*, True -*.realhub.org*, True -*.realidademaromba.com.br*, True -*.realising.co.za*, True -*.realist.ir*, True -*.realiting.hu*, True -*.realityidentity.ml*, True -*.realityindentity.ml*, True -*.realitypoker.com*, True -*.reality-remax.sk*, True -*.realityremax.sk*, True -*.realityventures.com.my*, True -*.reallycoolengineering.com*, True -*.reallyfat.ninja*, True -*.reallygothic.com*, True -*.reallymisfit.com*, True -*.realms.pl*, True -*.realniggasdo.com*, True -*.realparty.org*, True -*.realpneus.net*, True -*.realrydercyklingstudio.com*, True -*.realtime.hk*, True -*.realtimerater.com*, True -*.realtimesms.net*, True -*.realtrust.biz*, True -*.realtvpools.com*, True -*.realtyconcepts.co.za*, True -*.realtydiscuss.com*, True -*.realtylancer.com*, True -*.realtyonweb.ca*, True -*.realvirtual.ro*, True -*.realware.ec*, True -*.realworldtruth.uk*, True -*.realwrestlingnews.com*, True -*.realza.cl*, True -*.reangd.cf*, True -*.reapergunsandammo.com*, True -*.reapods.com*, True -*.reapshifttwok.com*, True -*.reapshifttwok.com.ve*, True -*.reardonia.net*, True -*.reasonman.com*, True -*.reason.org.nz*, True -*.reasonsstudios.ca*, True -*.reassess.com.br*, True -*.rebase.com.ar*, True -*.rebbywebby.com*, True -*.rebeaud.ch*, True -*.rebelarmy.com.au*, True -*.rebelionsaga.com.ar*, True -*.rebelnet.gr*, True -*.rebelserver.net*, True -*.rebhaus.ch*, True -*.rebirth.cf*, True -*.reblexreviewer.com*, True -*.reboin.com*, True -*.rebol.info*, True -*.rebootcleveland.com*, True -*.rebootconsulting.com*, True -*.reboot.in*, True -*.rebootrepair.biz*, True -*.rebootreuserecycle.com*, True -*.rebootreuserecycle.org*, True -*.reborn.fi*, True -*.reboxed.net*, True -*.rebran.ch*, True -*.rebro.org*, True -*.rebusova.ru*, True -*.recalculando.mx*, True -*.recallpod.com*, True -*.recargadivipass.com.br*, True -*.recargadivpass.com.br*, True -*.recaudoute.com.ar*, True -*.receitasdaelaine.com.br*, True -*.receitasrapidasefaceis.net*, True -*.recetas-facil.com.ar*, True -*.recetasricas.com.ar*, True -*.recetasweb.com.ar*, True -*.rechiquitos.com.ar*, True -*.rechtsanwalt.si*, True -*.rechtschreiber.ch*, True -*.rechtslexikon24.net*, True -*.reciclabil.ro*, True -*.reciclajecristoro.cl*, True -*.reciclare.com.br*, True -*.recilla.com*, True -*.recipesandme.com*, True -*.recipescritic.com*, True -*.recipesfornoobs.com*, True -*.recipientevivo.com.br*, True -*.recipigo.com*, True -*.recivid.com*, True -*.re-club.ch*, True -*.recognitionteam.in*, True -*.recolocate.info*, True -*.recomand.md*, True -*.recomendame.com*, True -*.recomendame.com.ar*, True -*.recomendame.com.mx*, True -*.recomendame.mx*, True -*.recommendedbuildingmaintenance.net*, True -*.reconciledthief.net*, True -*.reconfigurablecomputing4themasses.net*, True -*.reconnects.co.za*, True -*.reconova.ro*, True -*.recordingmagazin.net*, True -*.recordm.com.ar*, True -*.recordmystories.com*, True -*.recordourstory.com*, True -*.record.ro*, True -*.record.su*, True -*.recreaccion.cl*, True -*.recreanice.fr*, True -*.recrearteentret.com.ar*, True -*.recreativosanchez.com*, True -*.recreativosgarsan.com*, True -*.recreatur.com.ar*, True -*.recreatur.tur.ar*, True -*.recruitment7.com*, True -*.recruitmentab.com*, True -*.recruitmentap.com*, True -*.rectecno.com*, True -*.rectificadoramotorcenter.cl*, True -*.rectijeva.com*, True -*.rector.com.ar*, True -*.rectorinformatica.com.ar*, True -*.reculez.be*, True -*.recuperarecreanteconstanta.ro*, True -*.recuperaribani.ro*, True -*.recursing.org*, True -*.recursiva.com.ar*, True -*.recursosactivos.com.ar*, True -*.recursosmendoza.com.ar*, True -*.recycledbrewing.com*, True -*.recyclerbags.com*, True -*.recyclesolutionsllc.com*, True -*.recycling2u.com*, True -*.recyclingbestdeal.com*, True -*.recyclingbestdeal.co.uk*, True -*.recyclingplymouth.org.uk*, True -*.red2.com.au*, True -*.red5.ro*, True -*.redaccionrosario.com*, True -*.redaccionrosario.com.ar*, True -*.redace.ro*, True -*.redadventure.com.my*, True -*.redarmy-guild.com*, True -*.redavanzadadeortodoncia.cl*, True -*.redbeast.tk*, True -*.redbloodedamericanbitch.com*, True -*.redboxdesigns.com.au*, True -*.redboxinteriors.com.au*, True -*.redbull-at.com*, True -*.redbull-uu.com*, True -*.redbull-v.com*, True -*.redbull-vip.com*, True -*.redbull-we.com*, True -*.redbull-wip.com*, True -*.redbus-larioja.com.ar*, True -*.redbus-recsta.com.ar*, True -*.redbus-tucuman.com.ar*, True -*.redcargobox.com*, True -*.redcarpetaffairs.co.uk*, True -*.redcei.es*, True -*.redcode.biz*, True -*.redcorp.info*, True -*.redcraft-mc.com*, True -*.redcraneconsulting.com*, True -*.redcrimson.net*, True -*.redcross092.be*, True -*.redcrucible.ga*, True -*.reddawn.co.nz*, True -*.reddax.co.uk*, True -*.reddeelfstedentocht.nl*, True -*.reddementes.net*, True -*.reddepruebas.com.ve*, True -*.reddesign.hk*, True -*.reddieseldyeremover.com*, True -*.reddingcollege.com*, True -*.redditarmy.com*, True -*.redditcast.com*, True -*.redditreserve.com*, True -*.reddituhc.com*, True -*.reddlr.com*, True -*.reddogs.ro*, True -*.reddokuraudo.com*, True -*.reddooryumcha.com*, True -*.reddragoncomputers.com.au*, True -*.reddreads.com*, True -*.reddykilowatt.us*, True -*.reddys.ch*, True -*.redeautoforte.com.br*, True -*.redecasadotricolor.com.br*, True -*.redecasas.com*, True -*.redecomargentina.com*, True -*.redect.com.br*, True -*.redeemia.ca*, True -*.redeideal.org*, True -*.redeina.es*, True -*.reden.com.br*, True -*.redenovabrasilfm.com.br*, True -*.redesdefe.com*, True -*.redesdefe.com.ar*, True -*.redesmundiales.com*, True -*.redetvmaisabc.com.br*, True -*.redexltda.cl*, True -*.redexplode.net*, True -*.redexterna.cl*, True -*.redezonautogestiva.com.ar*, True -*.redfactions.cf*, True -*.redfield.net*, True -*.redfox.tw*, True -*.redgiant-band.com*, True -*.redgreen.net*, True -*.redgti.com.ar*, True -*.redhaholdings.com.my*, True -*.redhair.gr*, True -*.redhandedinvestigations.com*, True -*.redhawklimited.co.uk*, True -*.redhawksolutions.co.uk*, True -*.redheadsinbed.co.uk*, True -*.redhouserivermile.co.za*, True -*.redhunter94.tk*, True -*.redicuality.com*, True -*.redids.com.ar*, True -*.redimec.com.ar*, True -*.redinfotel.com.ar*, True -*.redisain.com*, True -*.reditservices.ch*, True -*.redkobralabs.com*, True -*.redlatina.net*, True -*.redlemon.com.mx*, True -*.redlemon.mx*, True -*.redlen.co.za*, True -*.redlight.li*, True -*.redline.ch*, True -*.redlionhotel.net.au*, True -*.redlonbeauty.ca*, True -*.redmapleforge.ca*, True -*.redmapleforge.org*, True -*.redmayne.com.au*, True -*.redmind.ca*, True -*.redmine-st.ml*, True -*.redmitchell.co.uk*, True -*.redmouseconsulting.com*, True -*.rednep.info*, True -*.rednutricional.cl*, True -*.redomega.org*, True -*.redomip.com.ar*, True -*.redondi.com.ar*, True -*.redowlworks.com*, True -*.redpau.cl*, True -*.redpill.ml*, True -*.redpinecontracting.com*, True -*.redpointrags.com*, True -*.redproductiva.com*, True -*.redprometeo.com.ar*, True -*.redragon.net*, True -*.redrockconcepts.com*, True -*.redroom.me*, True -*.redrooms.ru*, True -*.redroot.org*, True -*.redrosette.co.za*, True -*.redrumhotsauce.com*, True -*.red-sais.com.ar*, True -*.redsand.net*, True -*.reds.co.nz*, True -*.red-scorpions.ro*, True -*.redscourge.cf*, True -*.redscourgestudios.cf*, True -*.red-seo.mx*, True -*.redsexy.info*, True -*.red-sky.ca*, True -*.redsoporte.cl*, True -*.redsquarehookers.com*, True -*.redss.biz*, True -*.redsteedstudios.com*, True -*.redsteve.com*, True -*.redstickscootersociety.com*, True -*.redstilettoartistry.com*, True -*.redthreadclothing.com*, True -*.redthreaddiy.com*, True -*.redtiger.cl*, True -*.redtonelle.de*, True -*.redtuberu.com*, True -*.redundundent.com*, True -*.redverus.com*, True -*.redvozvoip.cl*, True -*.redwood.asia*, True -*.redworm.net*, True -*.redy-share.ml*, True -*.redzulu.com*, True -*.reebee.ca*, True -*.reecelyons.com*, True -*.reecenotes.com*, True -*.reedanderson.net*, True -*.reedconsulting.ch*, True -*.reedrich.com*, True -*.reed.to*, True -*.reefaquaculture.com.au*, True -*.reefcentral.ro*, True -*.reefseacenter.co.il*, True -*.reehl.com*, True -*.reeksport.ru*, True -*.reekynet.tk*, True -*.reelcult.com*, True -*.reelforge.com*, True -*.reelrt.com*, True -*.reencuentra.net*, True -*.reepolee.com*, True -*.reesebroody.com*, True -*.reesehoward.co.uk*, True -*.reevteam.tk*, True -*.refan-newbie.net*, True -*.ref-buettner.ch*, True -*.referredbydavid.com*, True -*.referredbytravonda.com*, True -*.reff.tk*, True -*.refillengine.com*, True -*.refills.ca*, True -*.refillzone.ro*, True -*.refil.ro*, True -*.refindcampos.cl*, True -*.refivandys.tk*, True -*.reflux.org.au*, True -*.refly.ml*, True -*.reformat.cc*, True -*.reformer.su*, True -*.reftelsz.ro*, True -*.refugiodelalma.cl*, True -*.refugiodelamanchuela.es*, True -*.refugiodelcapitan.com.ar*, True -*.refuguest.com*, True -*.regabri.cl*, True -*.regaladohernandez.es*, True -*.regalafortuna.cl*, True -*.regalele.com*, True -*.regancgi.net*, True -*.regeana.com*, True -*.regeana.net*, True -*.regemp3.com*, True -*.regencybarber.com*, True -*.regencycompany.ro*, True -*.regencyco.ro*, True -*.regenerix.de*, True -*.regentblindsadelaide.com.au*, True -*.regentblinds.com.au*, True -*.regentgroupasia.com*, True -*.regentov.net*, True -*.regentvast.com*, True -*.reggiocar.com.ve*, True -*.reggio-emilia.info*, True -*.regiinax.com*, True -*.reginaldcharris.com*, True -*.reginamichelon.com.br*, True -*.reginaprairiewinds.ca*, True -*.reginaprimary.org.za*, True -*.reginfo.cc*, True -*.reginstitut.ru*, True -*.region81.ch*, True -*.regionalessanjuan.com.ar*, True -*.regioneautonomavalledaosta.it*, True -*.regionebasilicata.it*, True -*.regionepuglia.it*, True -*.regionet-nk.ru*, True -*.regiontech.ru*, True -*.register.im*, True -*.registration-firm.ru*, True -*.registrirajznamko.si*, True -*.registrulrenal.ro*, True -*.regita.lv*, True -*.regmi.com.np*, True -*.regmi.net.np*, True -*.reg.my.id*, True -*.regojo.es*, True -*.regr.cl*, True -*.regs.be*, True -*.regs-domen.ru*, True -*.reg-tech.ru*, True -*.regulabucher.ch*, True -*.regulaziege.ch*, True -*.regynaamelea.com*, True -*.rehab-alcohol.org*, True -*.rehabconnectionsmedia.com*, True -*.rehabforum.org*, True -*.rehabilitaestudio.com*, True -*.rehabilityexs.com.au*, True -*.rehabilitystudio.com*, True -*.rehan.com.pk*, True -*.reher.se*, True -*.rehmann.tv*, True -*.rehoboth-invest.com*, True -*.rehtaeh.com*, True -*.reiadmin.com*, True -*.reichow.net*, True -*.reider.com.ar*, True -*.reidit.ca*, True -*.reidling.org*, True -*.reidmail.com.au*, True -*.reidnimz.com*, True -*.reidsanford.com*, True -*.reierainhadapraia.com.br*, True -*.reihaneh-ardabil.ir*, True -*.reikibaires.com.ar*, True -*.reikigakku.com*, True -*.reikihealing.com.ar*, True -*.reimagine.my*, True -*.reimahuvim.co.il*, True -*.reimann.mx*, True -*.reinasofia.co*, True -*.reinforcedmusic.co.uk*, True -*.reinkemeyeracres.com*, True -*.reinol.ro*, True -*.reinopecados.cl*, True -*.reinsmarindo.ga*, True -*.reinstatement-review-inventoryii.com*, True -*.reinstein.ca*, True -*.reisdofutevolei.com.br*, True -*.reisner.co*, True -*.reissmann.uk*, True -*.reissussa.fi*, True -*.reiswel.nl*, True -*.rejekiplastindo.com*, True -*.rejo.in*, True -*.rekaescsabi.info*, True -*.rekaescsabi.tk*, True -*.rekatjuanteknik.com*, True -*.rekayasadesain.com*, True -*.rekbersilentreader.com*, True -*.rekenaar.ch*, True -*.rekkord.com*, True -*.reklamagratis.pl*, True -*.reklama-profi.ru*, True -*.reklamiranje.si*, True -*.rekreator.net*, True -*.rekrutmenbi.com*, True -*.rektel.com*, True -*.rekt.info*, True -*.rekwan.com*, True -*.rekworld.com*, True -*.rel8.is*, True -*.re-labs.net*, True -*.relaps-club.li*, True -*.relatech.org*, True -*.relationfm.com*, True -*.relations-team.info*, True -*.relaxingcupofcafe.com*, True -*.relaxsightandsound.com*, True -*.relaxyourlife.ch*, True -*.relaxzgotravel.com*, True -*.relayking.com*, True -*.reldas.com.ar*, True -*.releasesmanaged.com.au*, True -*.releasethesound.ro*, True -*.release.tk*, True -*.releaseyourphone.co.uk*, True -*.relectronic.si*, True -*.releenc.org*, True -*.releg.co.za*, True -*.relgarasiwina.com*, True -*.relhost.org*, True -*.reliableelectrics.com*, True -*.reliableelectrics.com.au*, True -*.reliableelectrics.net*, True -*.reliableelectrics.net.au*, True -*.relifefurniture.com*, True -*.relifetrainer.com*, True -*.religion247.net*, True -*.religion-is-a-disease.com*, True -*.religionisadisease.com*, True -*.religionofpeace.com.au*, True -*.religionsstudie.ch*, True -*.re-like.net*, True -*.reliker.net*, True -*.rellsystems.net*, True -*.relm.org.uk*, True -*.reloadclan.tk*, True -*.reloadnote.com*, True -*.reloadtech.com*, True -*.reload-x.info*, True -*.reluctant-writer.com*, True -*.remadecorp.com*, True -*.remajabogor.com*, True -*.remax-bratislava.sk*, True -*.remaxbratislava.sk*, True -*.remaxnoa.com.ar*, True -*.remax-reality.sk*, True -*.remaxreality.sk*, True -*.remax-slovensko.sk*, True -*.remaxslovensko.sk*, True -*.rembulan.tk*, True -*.rememberhawkins.com*, True -*.rememberjay.com*, True -*.remembermcclure.com*, True -*.rememberpurpose.com*, True -*.rememberseth.com*, True -*.rememberthemaine.com*, True -*.rememberus.co.za*, True -*.rememberwisdom.com*, True -*.remenih.si*, True -*.remenyi.com*, True -*.remers.net*, True -*.remesiana.org*, True -*.remexstyle.ru*, True -*.remilab.hu*, True -*.remilitia.com*, True -*.remindme.ro*, True -*.remingtonnorr.us*, True -*.remisapp.com.ar*, True -*.remixvidz.com*, True -*.remlem.info*, True -*.remlyk.tk*, True -*.remman.org*, True -*.remolab.com.br*, True -*.remontoid.ru*, True -*.remonttiremmi.com*, True -*.remoteaccess.me*, True -*.remotebase.org*, True -*.remotebusinessgroup.com*, True -*.remote-crypto.io*, True -*.remote-exploit.cf*, True -*.remote-it.co.za*, True -*.remotejd.us*, True -*.remotelisting.com*, True -*.remote.mx*, True -*.remoteotomasyon.com*, True -*.remoterepairs.ca*, True -*.remotessh.com*, True -*.remote-support.gq*, True -*.remotesvr.com*, True -*.remotesync.net*, True -*.remote-ztdroider25.tk*, True -*.remoto.in*, True -*.remoto-trigenius.tk*, True -*.removalistbrisbaneqld.com.au*, True -*.removalistmelbournevic.com.au*, True -*.removalistperthwa.com.au*, True -*.removalistsydneynsw.com.au*, True -*.removed-limited-verification-proccess.com*, True -*.removelimits.cf*, True -*.removelimits.gq*, True -*.removestock.com*, True -*.removethelimits.ml*, True -*.removingforce.com*, True -*.removingforce.co.uk*, True -*.rems.gr*, True -*.remstroy54.ru*, True -*.remulon.com*, True -*.remyavril.net*, True -*.remyfashionshk.com*, True -*.remzitekinci.gen.tr*, True -*.remzona40.ru*, True -*.renaca.com*, True -*.renaca.com.ar*, True -*.renac.cl*, True -*.rena-fashion.gr*, True -*.renafashion.gr*, True -*.renaford.com.au*, True -*.renaissancetattoo.com*, True -*.renaitre.ch*, True -*.renaldpro.ru*, True -*.renaps.ca*, True -*.renataribeiroarquitetura.com.br*, True -*.renatatripoli.com.br*, True -*.renatorod.com*, True -*.renautas.lt*, True -*.rencaiya.cn*, True -*.rencaiya.me*, True -*.ren.cl*, True -*.rencong.asia*, True -*.rencontre.in*, True -*.rend0g.cf*, True -*.rend0g.com*, True -*.rend0g.ga*, True -*.rend0g.gq*, True -*.rend0g.ml*, True -*.rend0g.tk*, True -*.rendangmaknyus.com*, True -*.rendaplas.com*, True -*.rendeci.com.tr*, True -*.rendereduseless.com.au*, True -*.rendeto.info*, True -*.rendler.org*, True -*.rendro.ch*, True -*.rendydwiprastyo.web.id*, True -*.renebrenner.ch*, True -*.reneemard.ca*, True -*.reneem.co.il*, True -*.renefavaloro.com.ar*, True -*.renegadepixels.com*, True -*.renehaeberling.ch*, True -*.renesansa.net*, True -*.renewakitchen.com*, True -*.renewakitchen.co.za*, True -*.renewtext.ru*, True -*.reneygusi.com.ar*, True -*.rengganis.net*, True -*.rengia.at*, True -*.ren-gin.com*, True -*.rengz.tk*, True -*.reniduplaa.com.ar*, True -*.reniesans.com*, True -*.renime.com*, True -*.renins.com.ru*, True -*.renjieskak.com*, True -*.ren-lkfa.tk*, True -*.renmarkbackpackers.com*, True -*.renmarkholiday.info*, True -*.rennen-ost.ch*, True -*.rennner.com.br*, True -*.reno-darkman.tk*, True -*.reno-experts.ga*, True -*.renoirdevelopment.com*, True -*.renoirdevelopments.com*, True -*.renoirmanagement.com*, True -*.renoirmortgage.com*, True -*.renoirrealty.com*, True -*.renoirsuites.com*, True -*.renova-holzkonservierung.ch*, True -*.renovalux.be*, True -*.renovatio-solutions.com*, True -*.renovatio-solutions.ro*, True -*.renovec-zm.com*, True -*.renoveishon.com.ar*, True -*.renovohill.com*, True -*.rensa-ut.se*, True -*.renson.pl*, True -*.renspandy.web.id*, True -*.rent60629.com*, True -*.rentabinscsw.cl*, True -*.rent-a-cam.ro*, True -*.rentaclassiccar.no*, True -*.rentagaromaq.cl*, True -*.rentalbd.com*, True -*.rentalita.cl*, True -*.rentalmobilcikarang.com*, True -*.rental-mobil.com*, True -*.rentamc.cl*, True -*.rentanet.com.mx*, True -*.rentapart.ro*, True -*.rentapiano.com*, True -*.rentaroom4u.ru*, True -*.rent-a-room.ru*, True -*.rentasantara.com*, True -*.rentatechservices.com*, True -*.rentboats.me*, True -*.rentcaphill.com*, True -*.rentd.ca*, True -*.rentdowning.com*, True -*.renteriasboxing.com*, True -*.rentmarion.com*, True -*.rentoff.ru*, True -*.rentperhead.com*, True -*.rentsell.hk*, True -*.renttomyfriends.com*, True -*.reokadhafi.ga*, True -*.reola.ru*, True -*.reo-oop.com*, True -*.re-operations.com*, True -*.repaircafe.cl*, True -*.repairfree.ru*, True -*.repairzone.mx*, True -*.reparacalculator.ro*, True -*.reparacioncompresor.com.ar*, True -*.reparacionpclanus.com.ar*, True -*.reparatii-az.ro*, True -*.reparatii-calculatoare-iasi.ro*, True -*.reparatii-frigidere.net*, True -*.reparatii-turbosuflante.eu*, True -*.reparaz.net*, True -*.reparelectrocasnice.ro*, True -*.reparotesolin.com*, True -*.repbarracaarmada.com.br*, True -*.rep.cl*, True -*.repeater.net*, True -*.repeat.pw*, True -*.reperf.cl*, True -*.repetoare.ro*, True -*.rephouseaustralia.com.au*, True -*.repich.us*, True -*.repisanintendo.cl*, True -*.replacementdevices.com*, True -*.replicadelreloj.com.ar*, True -*.replicator.cc*, True -*.replikacctv.com*, True -*.rep.net.ve*, True -*.repofulm.tk*, True -*.report2me.com.au*, True -*.report2you.com.au*, True -*.report2you.info*, True -*.report4you.com.au*, True -*.reportaig.com*, True -*.reportconversion.com*, True -*.reportesrealtime.com.ve*, True -*.reportingservicesportal.com*, True -*.reportingservicestraining.com*, True -*.reportsealife.com*, True -*.reportsealife.info*, True -*.reportsealife.net*, True -*.reportsealife.org*, True -*.repos.tv*, True -*.reppardwalker.com*, True -*.reprak.com*, True -*.reprap.pt*, True -*.repregister.co.za*, True -*.representative.com.br*, True -*.reptilegenetics.com*, True -*.repubblica.info*, True -*.repubblica.org*, True -*.republicadigital.org*, True -*.republicana.co*, True -*.republicaofertas.cl*, True -*.republicofgamers.net*, True -*.republicproperties.ca*, True -*.republicrealtyinc.com*, True -*.republik.ec*, True -*.repuestoamano.com.ve*, True -*.repuestosagricolas.com.ar*, True -*.repuestoslibertad.cl*, True -*.reputablestaffinginc.com*, True -*.reqres.io*, True -*.requiem.cz*, True -*.requitas.com*, True -*.re-resources-re.com*, True -*.rernsk.tk*, True -*.resahblog.web.id*, True -*.rescatalo.cl*, True -*.rescatededatos.cl*, True -*.reschiriso.it*, True -*.rescrf.com*, True -*.rescu911.com*, True -*.rescueandfire.com*, True -*.rescuedivers.com.mx*, True -*.rescuedivers.mx*, True -*.rescuegrandma.net*, True -*.rescuetech.it*, True -*.researchfunds.co.uk*, True -*.researchvertical.info*, True -*.resellergadget.com*, True -*.resepdapurindo.com*, True -*.resephot.com*, True -*.resepin.com*, True -*.resepkartini.com*, True -*.resepmasakanbunda.web.id*, True -*.reseptori.fi*, True -*.reservatuespacio.com*, True -*.reservatuespacio.es*, True -*.reserveonlinelimo.com*, True -*.resetarova36-44.com*, True -*.resetpassword.me*, True -*.res.gr*, True -*.reshaka.ru*, True -*.resheteva.net*, True -*.resheteva.org*, True -*.residences.co.id*, True -*.residence-wizard.com*, True -*.residencewizard.com*, True -*.residencialelmembrillo.cl*, True -*.residencialfetra.cl*, True -*.residencialvistaalta.com.br*, True -*.residenciasmedicas.ec*, True -*.residenciavitall.es*, True -*.residentadomedico.pe*, True -*.residentialcommercial.com.au*, True -*.residentialsupportservices.org*, True -*.resiflex.ch*, True -*.resign.ga*, True -*.resilient-systems.com*, True -*.resilient-systems.net*, True -*.resistance-zentralschweiz.ch*, True -*.resistor.com.ar*, True -*.resitemanager.com*, True -*.resky-anonymous.com*, True -*.reskycrew.com*, True -*.reskykuk.com*, True -*.resky-official.com*, True -*.reslu.com*, True -*.resolutionit.co.za*, True -*.resolution-photography.com*, True -*.resomultiservices.com*, True -*.reson8.org.au*, True -*.resonancestudios.com.ar*, True -*.resonatingmedia.com*, True -*.resoow.com*, True -*.resorthotels.co.za*, True -*.resortssuites.com*, True -*.resort-thailand.com*, True -*.resourcejournal.info*, True -*.respace.me*, True -*.respaldo.fi*, True -*.respect-chehov.ru*, True -*.respectcomputersolutions.com.au*, True -*.respectinc.net*, True -*.respi.ir*, True -*.responding.to*, True -*.responsiblecarnivore.ca*, True -*.responsived.com*, True -*.responsiveict.com*, True -*.restauraestudio.com*, True -*.restaurant-atheneum.ro*, True -*.restaurantbeta.ro*, True -*.restaurantcaroline.ch*, True -*.restaurant-cherne.ch*, True -*.restaurantebabette.com*, True -*.restaurantebabette.com.br*, True -*.restaurantelena.ro*, True -*.restaurantemanias.com.br*, True -*.restaurantgraf.ro*, True -*.restaurant-grand-vy.ch*, True -*.restauranthills.ro*, True -*.restaurant-lescale.ch*, True -*.restaurantmagazine.com.br*, True -*.restaurantmajestic.ro*, True -*.restiana.org*, True -*.restinpeace.com.au*, True -*.restoapp.com.ar*, True -*.restocantinedesrives.ch*, True -*.restoe.org*, True -*.restonrepair.com*, True -*.restonwood.in*, True -*.restorablerides.com*, True -*.restorativetherapeuticmassage.com*, True -*.restorebalance.co.za*, True -*.restring.net*, True -*.restubumibali.com*, True -*.resultadoshumbertoabrao.com.br*, True -*.resultadoversatil.pt*, True -*.resurrected-entertainment.net*, True -*.res.web.id*, True -*.retailaction.biz*, True -*.retail-business.ro*, True -*.retail-electronics.com*, True -*.retailrecruitment.ru*, True -*.retailsavings.com.au*, True -*.retaliate.co.uk*, True -*.retap-africa.org*, True -*.retardedpornstar.com*, True -*.reteawifi.ro*, True -*.retelewski.pl*, True -*.retetebucate.ro*, True -*.retetedecolectie.ro*, True -*.retete-mancare-reteta.ro*, True -*.retete-prajituri-reteta.ro*, True -*.reticence.com.au*, True -*.retina.cz*, True -*.retku.fi*, True -*.reto-barblan.ch*, True -*.retrack4me.com*, True -*.retrarte.com*, True -*.retrarte.net*, True -*.retratochile.cl*, True -*.retro64.info*, True -*.retro.com.ar*, True -*.retrogametrader.co.uk*, True -*.retrohm.com*, True -*.retroindex.com*, True -*.retrojugo.tk*, True -*.retrome.com.au*, True -*.retropizza.ru*, True -*.retroshare.es*, True -*.retroshare.net*, True -*.retrosteakhouse.ro*, True -*.retrowned.com*, True -*.rettys.ml*, True -*.returnpvp.net*, True -*.retval.tk*, True -*.reubenchew.com*, True -*.reun.de*, True -*.reussag.ch*, True -*.reut05.info*, True -*.reut-abras.co.il*, True -*.rev1ne.ch*, True -*.revaiz.com*, True -*.revalesco.be*, True -*.revansa.org*, True -*.revarinoz.net*, True -*.revechini.com.ar*, True -*.revenuehotelero.com.ar*, True -*.revere-gaming.com*, True -*.reverreciclagem.tk*, True -*.reverseenergy.biz*, True -*.reverse-engineer.in*, True -*.reversemonster.net*, True -*.reverseorder.net*, True -*.reversephonelookup.eu*, True -*.reversores.com.ar*, True -*.reves.cl*, True -*.revestimientos-ceramicos.com*, True -*.revieuws.nl*, True -*.reviewcamp.com*, True -*.reviewgamespot.com*, True -*.reviewit.pk*, True -*.reviewmp3.com*, True -*.reviewscraze.com*, True -*.reviewxboxgames.com*, True -*.revirtualprestamos.com.ar*, True -*.revision21.com*, True -*.revistaabrantes.com.br*, True -*.revistaaltasociedad.com*, True -*.revistabagual.cl*, True -*.revistacaoba.com*, True -*.revistaclinica.ro*, True -*.revistadelosrios.cl*, True -*.revistaeroschile.cl*, True -*.revistagradinitelor.ro*, True -*.revistaillustrada.com.br*, True -*.revistalex.com.ar*, True -*.revistamaiz.com.ar*, True -*.revistamarcial.cl*, True -*.revistamasnegocios.com*, True -*.revistamujeresreales.com*, True -*.revistaobiectiv.ro*, True -*.revistaonline.ro*, True -*.revistasciencomm.com.br*, True -*.revistasexual.com*, True -*.revistastrengari.ro*, True -*.revistatododeportes.cl*, True -*.revistazanganos.cl*, True -*.revistobras.com.ar*, True -*.revitcity.com*, True -*.revivedrpg.tk*, True -*.reviverlondrina.com.br*, True -*.revmedchir.ro*, True -*.revmic.org*, True -*.revoltgames.tv*, True -*.revolushii.ro*, True -*.revolutionary.gq*, True -*.revolution.com.my*, True -*.revolutionmarch2008.com*, True -*.revolution-net.tk*, True -*.revolutionwebdev.com*, True -*.revongames.com*, True -*.revstar.eu*, True -*.revtech.ca*, True -*.revtechnology.com*, True -*.revuecasgestion.org*, True -*.revvisa.com*, True -*.revvisa.com.br*, True -*.revvy.eu*, True -*.rev-x.com*, True -*.rewindingmotor.web.id*, True -*.rewsdfvcx.tk*, True -*.rewt.ga*, True -*.rexagena.com*, True -*.rexdio.com*, True -*.rexkat.nl*, True -*.rexknows.com*, True -*.rexometer.de*, True -*.reyco.us*, True -*.reyesruiz.cl*, True -*.reyhaneha.com*, True -*.reyhany.ir*, True -*.reynoldscountyrecorder.com*, True -*.rezasadat.ir*, True -*.rezelute.com*, True -*.rezp.com*, True -*.rezp.net*, True -*.rezp.org*, True -*.reztube.co.uk*, True -*.rezvanifar.com*, True -*.rezzinc.com*, True -*.rezznation.com*, True -*.rf3groupbiz.my*, True -*.rf-abogados.com.ar*, True -*.rf-cell.ml*, True -*.rf-crasus.ga*, True -*.rfcsecure.com*, True -*.rfcsoft.com.ar*, True -*.rf-galax.net*, True -*.rf-hexanoic.com*, True -*.rfidbasic.com*, True -*.r-film.ch*, True -*.rflavin.us*, True -*.rflphotography.com*, True -*.rfltools.com*, True -*.rfmma.ru*, True -*.rfns.cc*, True -*.rfr.com.my*, True -*.rfrederick.net*, True -*.rfrederick.org*, True -*.rf-vendemouz.com*, True -*.rg5imoveis.com.br*, True -*.rgasoc.com.ar*, True -*.rgbweaver.ir*, True -*.rg-designer.com*, True -*.r-gen.com.ar*, True -*.rghughes.com*, True -*.rg-kbza.com*, True -*.rglew.com*, True -*.rgloader.com*, True -*.rgmabogados.com.ar*, True -*.rgpsoluciones.cl*, True -*.rgpstark.net*, True -*.rgrconsulting.com*, True -*.rgrevolution.com*, True -*.rgrtelcom.com.ar*, True -*.rgshelicopters.co.uk*, True -*.rgshk.org*, True -*.rgt-likers.net*, True -*.rgt.me*, True -*.rguello.com.ar*, True -*.rgu-support.ru*, True -*.rgv.name*, True -*.rhabona.com*, True -*.rhadosvet.tk*, True -*.rhchoi.com*, True -*.rhchoi.net*, True -*.rhc.ro*, True -*.rheacamille.com*, True -*.rhegedus.com*, True -*.rheinfathia.com*, True -*.rheinlandplace.ml*, True -*.rhemaword.tv*, True -*.rheniumwolf.com*, True -*.rhetoriclub.com*, True -*.rhidge.org*, True -*.rhinenatura.hk*, True -*.rhings.net*, True -*.rhintegralconsulting.com*, True -*.rhmakeup.com.br*, True -*.rhodan.com.br*, True -*.rhodes-rhodes.com*, True -*.rhogan.net*, True -*.rholbenroad.me.uk*, True -*.rhoville.us*, True -*.rhpo.ca*, True -*.rhsoft.es*, True -*.rhtmxm70.com*, True -*.rhtmxm80.com*, True -*.rhtmxm90.com*, True -*.rhuman.cl*, True -*.rhw.pt*, True -*.rhyman18.ml*, True -*.rhythmantics.com*, True -*.rhythmoflifemusictherapy.com*, True -*.rhythmos.gr*, True -*.rhzh.ch*, True -*.ri46.ru*, True -*.riaanlouwattorneys.co.za*, True -*.riamof.com*, True -*.rianapearls.com*, True -*.rianz.cf*, True -*.riaspengantinluwes.com*, True -*.riaspengantin-yossie.com*, True -*.riaueventorganizer.com*, True -*.riazahammed.com*, True -*.ribackcereales.com*, True -*.ribaco.com.ar*, True -*.ribamatic.com*, True -*.ribanc.com*, True -*.ribanc.org*, True -*.ribas.com*, True -*.ribcentral.de*, True -*.ribe.si*, True -*.ribicic.si*, True -*.ribi-informatik.ch*, True -*.ribolov.lv*, True -*.ribosome.ch*, True -*.ribri.ch*, True -*.ribumac.cl*, True -*.ribvartp.cf*, True -*.rical.net*, True -*.rical.org*, True -*.ricardonajera.com*, True -*.ricardosilva.pt*, True -*.ricardozf.com.br*, True -*.ricaroeletro.com*, True -*.ricas.eu*, True -*.riccosolutions.com*, True -*.ricecambridge.org.uk*, True -*.rich9739lc.pw*, True -*.richadv.com*, True -*.richam.com.ar*, True -*.richandsam.net*, True -*.richardbakes.net*, True -*.richardbrownlow.com*, True -*.richardglenproperty.com*, True -*.richardhardesty.co.uk*, True -*.richardjones.name*, True -*.richardk.ca*, True -*.richardliong.com*, True -*.richardnhill.com*, True -*.richardnhill.net*, True -*.richardnhill.org*, True -*.richards.cl*, True -*.richardsoninsurance.org*, True -*.richardunger.at*, True -*.richardunger.net*, True -*.richardwaddingham.com*, True -*.richardweber.com*, True -*.richardwebley.co.uk*, True -*.richard-yaoyao.com*, True -*.richbelson.co.uk*, True -*.richcunningham.uk*, True -*.richgenius.com*, True -*.richharwood.co.uk*, True -*.richie.net.au*, True -*.richirocko.com*, True -*.richism.tk*, True -*.richjowett.com*, True -*.richkindle.com*, True -*.richkindle.net*, True -*.richland.hk*, True -*.richland.pro*, True -*.richlinetextiles.com*, True -*.richlorenz.com*, True -*.richmeglino.com*, True -*.richnig.ga*, True -*.richsfamilyonline.net*, True -*.richsrabbits.com*, True -*.richstock.co.uk*, True -*.richvt2k.com*, True -*.ricjac.com*, True -*.rickandsarah.tk*, True -*.rickaube.com*, True -*.rickcee.net*, True -*.rickeyrat.com*, True -*.rickgans.com*, True -*.rickhost.net*, True -*.ricklea.com*, True -*.ricknet.ch*, True -*.ricknet.net*, True -*.rickneves.com*, True -*.rickpringle-photography.com*, True -*.ricksbox.net*, True -*.ricksnydersucks.com*, True -*.rickygiritirtana.net*, True -*.ricosshop.com*, True -*.rictur.com.br*, True -*.ri-cyber.com*, True -*.ri-cyber.org*, True -*.ri-cyber.us*, True -*.rid2hjf.com*, True -*.riddim.com.ar*, True -*.riddish.com.np*, True -*.rideaunet.ch*, True -*.ride.cf*, True -*.rideexpress.com*, True -*.ride.ga*, True -*.ridekpov.cf*, True -*.ridelister.com*, True -*.ride.ml*, True -*.riderenew.ca*, True -*.riderenew.com*, True -*.ridershop.ro*, True -*.riders-supply.com*, True -*.riderush.com*, True -*.ridesharesuccess.com*, True -*.ridespirals.com*, True -*.ridetheemu.com*, True -*.ridezone.co.za*, True -*.ridgegardens.net*, True -*.ridgegardensupply.com*, True -*.ridgetechservices.com*, True -*.ridiculum.org*, True -*.ridilabs.net*, True -*.ridingmegastore.com*, True -*.ridingmovie.com*, True -*.ridmed.com*, True -*.ridwanrismanto.web.id*, True -*.rief.tk*, True -*.riegert.me*, True -*.rielstore.com*, True -*.riennevaplus.ch*, True -*.ries.asia*, True -*.rievaz.co.id*, True -*.rifero.com*, True -*.riffies.com*, True -*.riftcongohotel.com*, True -*.riftd.com*, True -*.riftd.net*, True -*.riftenterprises.com*, True -*.rigaero.com*, True -*.rigdb.com*, True -*.rigdirt.com*, True -*.rightcam.com*, True -*.rightcap.com*, True -*.rightlife.ru*, True -*.rightnowvip.com*, True -*.rightro.com*, True -*.rightrx.ca*, True -*.rightsm.ro*, True -*.rightsw.net*, True -*.rigneys.com*, True -*.rignote.com*, True -*.rigui.org*, True -*.rigutino.tk*, True -*.rigwig.org*, True -*.rihecomunicacion.com*, True -*.rihlaw.ca*, True -*.rihu.ir*, True -*.riight.com*, True -*.riightmail.com*, True -*.riight.net*, True -*.riight.org*, True -*.riisinnovation.co.za*, True -*.rijalsundar.com.np*, True -*.rijckebosch.nl*, True -*.rikarebel.tk*, True -*.rikenmann.ch*, True -*.rikimaru.name*, True -*.rikimred.es*, True -*.riki.si*, True -*.rikiya4rihyoshi.info*, True -*.rikosya.ga*, True -*.rikukoskelo.fi*, True -*.rilbaum.com*, True -*.rilbaum.ee*, True -*.rilbaum.eu*, True -*.rilbaum.info*, True -*.rileal.cl*, True -*.rileypcmd.com*, True -*.rileytree.org*, True -*.rilhas.com*, True -*.rilhasoss.com*, True -*.rillanon.net*, True -*.rilmonster.com*, True -*.rima.cl*, True -*.riman.cl*, True -*.rimay.ca*, True -*.rimbamaya.com*, True -*.rimhost.com*, True -*.rimkavich.com*, True -*.rimmmex.com*, True -*.rimoldi.cc*, True -*.rimongo.tk*, True -*.rimosa.com.pe*, True -*.rimosa.pe*, True -*.rimpo.us*, True -*.rimske-suge.info*, True -*.rinachu.tk*, True -*.rinaldus.ru*, True -*.rinanda.tk*, True -*.rinat-mshokolad.co.il*, True -*.rinaudo.net*, True -*.rinda.nom.za*, True -*.rindli.ch*, True -*.rindy.me*, True -*.ringate.tk*, True -*.ringcenter.ro*, True -*.ringetterocks.ca*, True -*.ringgatan.se*, True -*.ringgit.org*, True -*.ringgo41.com*, True -*.ringo-web.net*, True -*.ringthegack.com*, True -*.ringuetteboisbriand.org*, True -*.riniadianatanahabang.com*, True -*.rinneranta.com*, True -*.rinno.ml*, True -*.rinolfi.ch*, True -*.rinopras.web.id*, True -*.rinssaudaveis.com*, True -*.rintek.com.tr*, True -*.rinyulife.com*, True -*.rioadige.cl*, True -*.riodejaneirovoleiclube.com.br*, True -*.rio-de-sol.com*, True -*.riodesol.com*, True -*.riogatas.com.br*, True -*.riomote.com*, True -*.rioplomo.net*, True -*.riordan.eu*, True -*.riotporn.org*, True -*.ripco.co.uk*, True -*.ripcord.biz*, True -*.ripcordengineering.com*, True -*.ripcordsoftware.com*, True -*.ripdigital.com.ar*, True -*.rip-gamers.com*, True -*.ripoche.org*, True -*.rippelsales.com*, True -*.ripplebrookwinery.com.au*, True -*.ripponserv.co.uk*, True -*.ripravage.com*, True -*.ripservers.com*, True -*.ripteam.com*, True -*.risborough-rfc.com*, True -*.riscc-fileserver.co.uk*, True -*.riscis.com*, True -*.risdoffcampus.com*, True -*.riservasanmassimo.ch*, True -*.riseth.org*, True -*.rishelie.su*, True -*.rishiradhikari.com.np*, True -*.rishovd.net*, True -*.risingsan.com.my*, True -*.risingsan.my*, True -*.risj.com.br*, True -*.risk0.com.br*, True -*.riskiilahi04.tk*, True -*.riskkk.com*, True -*.risklane.com*, True -*.risknives.com*, True -*.riskofchange.org*, True -*.rismanagalihkrisviandi.com*, True -*.risonki.com*, True -*.risparmiareconviene.it*, True -*.rissmann.com.br*, True -*.rissmann.org*, True -*.ristorantedavito.it*, True -*.risviyandi.org*, True -*.rita-aprilianti.com*, True -*.rita-aprilianti.net*, True -*.ritas.ro*, True -*.ritastar.com*, True -*.ritchie.to*, True -*.ritdis.com*, True -*.ritechoice.ca*, True -*.ritesh.co.uk*, True -*.riteshp.com.np*, True -*.ritivcf.org*, True -*.ritma.ro*, True -*.ritterservices.net*, True -*.rittmeister.net*, True -*.ritzilaw.com*, True -*.riuson.info*, True -*.rivadaneira.com.ar*, True -*.rivalnations.com*, True -*.rivalnations.net*, True -*.rivard.info*, True -*.rivasgarcia.com.ar*, True -*.rivcolor.ro*, True -*.rivedroitecoiffure.ch*, True -*.rivendell.com.ar*, True -*.rivera-associates.net*, True -*.riveraraptors.com*, True -*.rivercat.ru*, True -*.rivercitybible.com*, True -*.rivercitybible.org*, True -*.rivercove.com.au*, True -*.rivercrestlodge.com*, True -*.rivergatemufflers.com*, True -*.river-haven.com*, True -*.riverinabookkeeping.com.au*, True -*.riverlandsigns.com.au*, True -*.rivermile.co.za*, True -*.rivernet.me*, True -*.rivernihil.com*, True -*.riveroakstudio.com*, True -*.riverrain.co.uk*, True -*.riversafetycouncil.org*, True -*.rivestimentiloris.net*, True -*.rivettsoft.com*, True -*.rivier.com.ar*, True -*.riviere.cat*, True -*.riviere.com.ar*, True -*.rivieri.com.ar*, True -*.rivnet.ro*, True -*.rivolifood.ro*, True -*.rivord.us*, True -*.rix.si*, True -*.rixtour.com*, True -*.riyancoday.com*, True -*.rizal.in*, True -*.rizalnobi.net*, True -*.rizbayoe.tk*, True -*.rizbayu.ga*, True -*.rizconsultant.com*, True -*.rizhal-a7x.cf*, True -*.rizhop.co.id*, True -*.rizka-arsil.com*, True -*.rizkianditanoviar.web.id*, True -*.rizkycot.tk*, True -*.rizkyrahmansyah.com*, True -*.rizkytravelku.com*, True -*.rizmanherbal.com*, True -*.rizqy-f.com*, True -*.rizz.ga*, True -*.rizz.gq*, True -*.r-izziv.si*, True -*.rizz.ml*, True -*.rizz.tk*, True -*.rj2.co.uk*, True -*.rj2.uk*, True -*.rjakbennett.com*, True -*.rjapk.com*, True -*.rjccomps.com*, True -*.rjcreatividad.es*, True -*.rjevent.com.my*, True -*.rjevents.com.my*, True -*.rjgu.net*, True -*.rjingenieria.net.ve*, True -*.rjkivc.com*, True -*.rjmoffatt.com*, True -*.rjpp.ro*, True -*.rjsanitarios.com.ar*, True -*.rjsavage.com*, True -*.rjsfgc.org*, True -*.rjvaughn.com*, True -*.rjwhiddon.us*, True -*.rjzx.com*, True -*.rk1.us*, True -*.rkaid.com*, True -*.rkapl.cz*, True -*.rkb.moe*, True -*.rkchat.tk*, True -*.rkc-stroy.ru*, True -*.rkfoto.co.za*, True -*.rkimport.com*, True -*.rkmservis.sk*, True -*.rktechbd.com*, True -*.r-kulhanek.tk*, True -*.rk-vodokanal.ru*, True -*.rlaaccom.com.au*, True -*.rlcbiz.pw*, True -*.rldcol.com*, True -*.rleary.com*, True -*.rlelectrical.co.za*, True -*.rlmn.ca*, True -*.rlntx.net*, True -*.rlow.org.uk*, True -*.rlporter.com*, True -*.rlrc.ro*, True -*.rlrossi.com.br*, True -*.rlstuff.net*, True -*.rltekshop.com*, True -*.rltk.org*, True -*.rltk.us*, True -*.rluc.com.ve*, True -*.rluv7.net*, True -*.rlyehstudio.com*, True -*.rlypagan.com*, True -*.rm6.org*, True -*.rmanisha.com.np*, True -*.rmbmotovr.ca*, True -*.rmbmotovr.com*, True -*.rmbrecreatif.ca*, True -*.rmcarrillo.com*, True -*.rmclabaugh.com*, True -*.rmcrb.ru*, True -*.rmd.es*, True -*.rmdnet.com.ar*, True -*.rmdra.com*, True -*.rmdvlc.in*, True -*.r-me.ga*, True -*.rm-f.org*, True -*.rmfserve.net*, True -*.rmg.com.ve*, True -*.rmit.com.ar*, True -*.rmit.ms*, True -*.rmkhost.net*, True -*.rmmotorsports.com*, True -*.rmnets.com*, True -*.rmove.com.ar*, True -*.r-mp3.tk*, True -*.rmpszfelso3szek.ro*, True -*.rms.moe*, True -*.rmstudio.tw*, True -*.rmsvhost.tk*, True -*.rmsvpn.com*, True -*.rmsynergie.ch*, True -*.rmt1.com.ar*, True -*.rmt2.com.ar*, True -*.rmultimarcas.com.br*, True -*.rmusings.com*, True -*.rncis.ro*, True -*.rn-computing.com*, True -*.rndmserver.net*, True -*.rndra.tk*, True -*.rn-fin.ru*, True -*.rnfin.ru*, True -*.rniemand.com*, True -*.rn-invest.ru*, True -*.rninvest.ru*, True -*.rnrussell.com*, True -*.rn-trust.ru*, True -*.rntrust.ru*, True -*.ro0t.hm*, True -*.roadbook.nl*, True -*.roadglider.co.za*, True -*.roadhouseradio.net*, True -*.roadkillontheinformationsuperhighway.com*, True -*.roadlandia.com*, True -*.roadramble.com*, True -*.roadramble.org*, True -*.roadshowfilms-mmfr.com*, True -*.roadtv.nl*, True -*.roadworksgear.com*, True -*.roai.ro*, True -*.roamtherealm.net*, True -*.roario.us*, True -*.roarphotography.com.au*, True -*.roautomobile.ro*, True -*.r-o-b-a.com*, True -*.robale.org*, True -*.robanabi.com*, True -*.robandmelanie.com*, True -*.robbertave.com*, True -*.robbieb.me.uk*, True -*.robbiedee.com*, True -*.robbiemott.co.uk*, True -*.robbietotten.com*, True -*.robbiezone.com*, True -*.robbins.ch*, True -*.robbinskwentus.com*, True -*.robbmitton.com*, True -*.robdean.com.au*, True -*.robdiesel.com*, True -*.robdog.co.uk*, True -*.robenheimer.com*, True -*.robertallenhouse.com*, True -*.robertbagany.com*, True -*.robertgarcialaw.com*, True -*.robertkuzma.com*, True -*.robertlabonte.com*, True -*.robert-m-cowan.com*, True -*.robertofreire.ca*, True -*.robertohashioka.com.br*, True -*.robertonicolas.com.ar*, True -*.robertopuma.it*, True -*.robertrawls.net*, True -*.robertsconsulting.ch*, True -*.robertshawcountryhouse.info*, True -*.robertsisland.com*, True -*.robertsmall.co.uk*, True -*.robertsontimesheets.com*, True -*.robertswanson.com*, True -*.roberttheiler.ch*, True -*.robertyeager.com*, True -*.robetzel.com*, True -*.robfitzgeraldmusic.com*, True -*.robfuscate.com*, True -*.robgarth.com*, True -*.robgoble.com*, True -*.robhackett.info*, True -*.robhelp.net.au*, True -*.robhillman.co.uk*, True -*.robin.com.au*, True -*.robin-du-bois.ch*, True -*.robinette.us*, True -*.robinhud.com*, True -*.robinluo.net*, True -*.robi.tv*, True -*.robjosdesign.com*, True -*.robmarshall.com*, True -*.roboart.net*, True -*.robofan.ro*, True -*.robogaming.ch*, True -*.robomaniac.ru*, True -*.robonauts.net*, True -*.roborough.org.uk*, True -*.robot-armies.com*, True -*.robotcandy.co*, True -*.robotdu.net*, True -*.roboticcreature.org*, True -*.robotnet.org*, True -*.robotoos.ir*, True -*.robotroadshow.com*, True -*.robotronika.si*, True -*.robotsdirectory.com*, True -*.robotslog.com*, True -*.robotsonfilm.com*, True -*.robotwithaplant.com*, True -*.robotyo.ga*, True -*.robovibes.com*, True -*.roboware.com.br*, True -*.robowindow.ch*, True -*.roboxy2015.ml*, True -*.robrandall.info*, True -*.robrobinette.com*, True -*.rob-roy.ca*, True -*.robstrib.com.au*, True -*.robsworld.us*, True -*.rob.tc*, True -*.robtro.com*, True -*.robvanberkel.info*, True -*.robweb.info*, True -*.robyn-green.com*, True -*.robynjackson.com.au*, True -*.robytech.com*, True -*.robz.se*, True -*.rocagris.cl*, True -*.rocagroup.cl*, True -*.rocco.li*, True -*.roccosrl.com.ar*, True -*.rocheclan.org*, True -*.roche.net.ve*, True -*.rochesterclassifiedsonline.com*, True -*.rochester-geeks.org*, True -*.rochiemireasadeinchiriat.ro*, True -*.rochus.ro*, True -*.rocio.ro*, True -*.rockandroller.ca*, True -*.rockandwork.com*, True -*.rockanrolad.com.ar*, True -*.rockcanvas.co.za*, True -*.rockclimbing.co.kr*, True -*.rocketbeach-hk.com*, True -*.rocket-dog.net*, True -*.rocketedu.com*, True -*.rocketemail.biz*, True -*.rocketguy.de*, True -*.rocketidea.com*, True -*.rocketidea.de*, True -*.rocketlinker.com*, True -*.rocketpcs.com*, True -*.rocketphysics.co.uk*, True -*.rocketpiper.com*, True -*.rocketpride.com*, True -*.rocketsfall.net*, True -*.rocketsuperbe.ro*, True -*.rockferrygroup.com*, True -*.rockford.im*, True -*.rockhamptonre.com.au*, True -*.rockingaranch.net*, True -*.rockingwranchinc.com*, True -*.rockit.sg*, True -*.rocklinger.com*, True -*.rocklinks.co.uk*, True -*.rockman.com.au*, True -*.rockmerch.no*, True -*.rocknrollradio.com.br*, True -*.rocknrollwebradio.com.br*, True -*.rock-n-rowl.com*, True -*.rocknwork.com*, True -*.rockradar.com*, True -*.rocksiteservices.in*, True -*.rocksolid.net.nz*, True -*.rockstaraudio.com*, True -*.rocksteadyagency.com*, True -*.rocksteadyevents.com*, True -*.rocksteadyevents.co.uk*, True -*.rockthedis.co*, True -*.rockwalleats.com*, True -*.rockwallwoundedwarriors.com*, True -*.rockwire.biz*, True -*.rockwire.org*, True -*.rockwork.ch*, True -*.rockxd.net*, True -*.rockybrass.com*, True -*.rockyfan.net*, True -*.rockymountaindirtriders.com*, True -*.rockymountainhighcolorado.com*, True -*.rockymountainlivestock.com*, True -*.rockymountain.ro*, True -*.rockymtnflycasters.com*, True -*.rockymtnrod.com*, True -*.rocky.my*, True -*.rockyshek.hk*, True -*.rockytopbg.com*, True -*.rockytoppers.net*, True -*.rocsc.org*, True -*.rodaco.cl*, True -*.rodadadopx.ga*, True -*.rodadadopx.ml*, True -*.rodadadopx.tk*, True -*.rodadopxvirtual.ga*, True -*.rodadopxvirtual.ml*, True -*.rodadopxvirtual.tk*, True -*.rodany.ro*, True -*.rodaosaka.com*, True -*.rodarius.ro*, True -*.rodaroda.com.my*, True -*.rodatrolley.com*, True -*.rodcars.cl*, True -*.rodcaurapan.cl*, True -*.rodeolive.com.ar*, True -*.rodeo.si*, True -*.rodewi.se*, True -*.rodgreening.com*, True -*.rodic.si*, True -*.rodighiero.ch*, True -*.rodlagero.ro*, True -*.rodmasters.org*, True -*.rodneypetersen.com*, True -*.rodojo.cl*, True -*.rodolfocolen.com*, True -*.rodolfocolen.com.br*, True -*.rodolfoedwards.com.ar*, True -*.rodosproperties.gr*, True -*.rodoyskole.no*, True -*.rodrigoalves.net*, True -*.rodrigocanas.com.ar*, True -*.rodrigoleao.pt*, True -*.rodrigolopezguerra.tk*, True -*.rodrigovazquez.com.br*, True -*.rodriguezfreire.com.ar*, True -*.rodriguezjunyent.com.ar*, True -*.rodriguezpenna.com.ar*, True -*.rodriguez-vazquez.com.ar*, True -*.rodzinaniezlomnych.pl*, True -*.rodzinnawiez.pl*, True -*.roedernallee.com*, True -*.roelbouwman.eu*, True -*.roeldeod.ml*, True -*.roelli.us*, True -*.roers.net*, True -*.roessli-baechli.ch*, True -*.roest.ch*, True -*.roetman.com*, True -*.ro-expert.ro*, True -*.rofilmeonline.net*, True -*.rofl-copter.com*, True -*.roflserver.com*, True -*.ro-free-host.com*, True -*.roganphotos.co.nz*, True -*.rogerautomoveis.com.br*, True -*.rogerblum.org*, True -*.rogerdidi.com*, True -*.rogeriohudson.com.br*, True -*.rogerthedog.com*, True -*.rogerts.cat*, True -*.rogerwyss.ch*, True -*.roginia-design.co.uk*, True -*.roguedev.com*, True -*.rogueinsight.net*, True -*.rogueluke.com*, True -*.roguenet.ca*, True -*.rogueserver.com*, True -*.roguespot.com*, True -*.roguser.tk*, True -*.rogzpetinsurance.co.za*, True -*.rohankapoor.us*, True -*.rohis36jkt.co*, True -*.rohitjain.info*, True -*.rohl.nom.za*, True -*.rohmanf.tk*, True -*.rohrcloud.com*, True -*.roidnet.com*, True -*.roidsbot.com*, True -*.roigbus.es*, True -*.roigbus.net*, True -*.roig.com*, True -*.roigpremium.com*, True -*.roigpremium.es*, True -*.roigpremium.net*, True -*.roigrentacar.com*, True -*.roigrentacar.es*, True -*.roigrentacar.net*, True -*.roigtaxi.com*, True -*.roigtaxi.es*, True -*.roigtaxi.net*, True -*.roi-investments.com*, True -*.roil.ch*, True -*.ro-image-host.com*, True -*.roirc.me*, True -*.rojak.cf*, True -*.rojona.com*, True -*.rokita.waw.pl*, True -*.rokitmuzik.co.uk*, True -*.rokkanet.org*, True -*.rokman.tk*, True -*.rokodo.moe*, True -*.rokosuper.tk*, True -*.rok-svab.si*, True -*.rokum.ro*, True -*.rolandhagemann.de*, True -*.rolandzueger.ch*, True -*.roldemesa.com*, True -*.rolecallapp.com*, True -*.roleros.cl*, True -*.rolevik.com*, True -*.rolexbook.com*, True -*.rolfnilsson.nu*, True -*.rolfoto.ch*, True -*.rolfschuercharchitekturbuero.ch*, True -*.rollagain.com.au*, True -*.rollandrock.fi*, True -*.rollawhiteox.net*, True -*.rollemasterplan.com*, True -*.rollerdome.com.au*, True -*.rollermatic.tw*, True -*.rollerskategreece.gr*, True -*.rollerspin.ca*, True -*.rollingstock.hu*, True -*.rollingtravel.com.ar*, True -*.rollingtravel.tur.ar*, True -*.roll-o-matic.ru*, True -*.rollslitters.net*, True -*.rolltree.com*, True -*.rolosworld.com*, True -*.rolotec.ro*, True -*.rolsoft.ro*, True -*.ro.lt*, True -*.romabcom.ro*, True -*.romaliver.com*, True -*.romanafranceza.ro*, True -*.romanatravel.ro*, True -*.romancampoy.com.ar*, True -*.romancloud.com*, True -*.romaniacallcenters.ro*, True -*.romaniaedu.ro*, True -*.romaniandance.ca*, True -*.romaniashrineclub.ro*, True -*.romanikatube.ro*, True -*.romaniuc.com*, True -*.romans1by1.com*, True -*.romansautocenter.com*, True -*.romanschwartz.com*, True -*.romanschwartz.net*, True -*.romanschwartz.org*, True -*.romanticoviajerotv.cl*, True -*.romanzo.ch*, True -*.romanzorosa.com*, True -*.romarchaeomet.ro*, True -*.romarent.net*, True -*.romarketplace.ro*, True -*.rom.com.ar*, True -*.romcook.net*, True -*.romdesign.ro*, True -*.romedoggia.com*, True -*.romeenterprises.com*, True -*.romel.lt*, True -*.romeninghhw.pt*, True -*.romeningh.pt*, True -*.romeninghsw.pt*, True -*.romeovansnick.be*, True -*.romeovillecommunitypantry.com*, True -*.romeovillecommunitypantry.org*, True -*.romeroconsultores.cl*, True -*.romhackers.org*, True -*.romhome.ru*, True -*.romifahriza.com*, True -*.romilivne.com*, True -*.rominatravel.ro*, True -*.romomarquez.us*, True -*.romproiect.ro*, True -*.romram.nu*, True -*.romram.se*, True -*.romseh.ro*, True -*.roms-place.com*, True -*.romsver.ro*, True -*.romx.name*, True -*.ronaca.pt*, True -*.ronalddistor.com*, True -*.ronaldfalcao.com.br*, True -*.ronan.io*, True -*.ronash.com.np*, True -*.ronash.ml*, True -*.roncancio.me*, True -*.rondanorte.tk*, True -*.rondhi.com*, True -*.rondho.ga*, True -*.rondo2.cf*, True -*.rondo2.ga*, True -*.rondo2.ml*, True -*.rondo2.tk*, True -*.rondo.cf*, True -*.rondon-services.ru*, True -*.rondowd.com*, True -*.roneria.com.ve*, True -*.roney.ca*, True -*.rongaupin.com*, True -*.rongclub.com*, True -*.rongclub.net*, True -*.ronimus.dk*, True -*.ronincloudservices.com*, True -*.ronin.com.ar*, True -*.ronindev.ru*, True -*.ronin.one.pl*, True -*.ronins.cl*, True -*.roninsushibar.com*, True -*.roni.web.id*, True -*.ron-jon.es*, True -*.ronnypol.com*, True -*.ronom.ro*, True -*.ronpaulradio.com*, True -*.ronpaulradio.net*, True -*.ronpaulradio.org*, True -*.ronscomputers.com*, True -*.ronsecco.cl*, True -*.rons-home.net*, True -*.ron.si*, True -*.ronsome.net*, True -*.ronsonsa.com.ar*, True -*.rons-photo.com*, True -*.ronvoy.com*, True -*.ronzullo-keramika.si*, True -*.roodabeh.com*, True -*.roodaka.net*, True -*.roodata.com*, True -*.roofingstrategies.net*, True -*.roofshare.ca*, True -*.rooftopmartialarts.com*, True -*.room316.net*, True -*.room4rent.cl*, True -*.roombooker.co.za*, True -*.roommate.ro*, True -*.roomsat102.com*, True -*.room-vip.com*, True -*.roosafamily.org*, True -*.roosgaarden.dk*, True -*.roostanews.ir*, True -*.roosterdesigns.fi*, True -*.root3.net*, True -*.root-alena.org*, True -*.rootarded.com*, True -*.rootbeeraddict.com*, True -*.rootblack69.net*, True -*.rootboard.pl*, True -*.rootboot.com.au*, True -*.rootcop.info*, True -*.rooted.gq*, True -*.rootedrevolution.com*, True -*.rootfie.org*, True -*.rootforce.ch*, True -*.roothome.de*, True -*.rootifera.xyz*, True -*.rootijo.com*, True -*.rootile.com*, True -*.rootinfotech.com*, True -*.rootkit.cf*, True -*.rootmaster.ru*, True -*.r-o-o-t.net*, True -*.rootns.com*, True -*.rootroom.com*, True -*.rootsapp.org*, True -*.rootsbobcat.com*, True -*.rootservers.in*, True -*.rootshell.cf*, True -*.rootsixband.com*, True -*.root.sx*, True -*.rootsy.nu*, True -*.rootthinks.com*, True -*.roovel.com.br*, True -*.rooyo.com*, True -*.ropace.co.za*, True -*.roperpumps-bentry.com*, True -*.ropewiki.com*, True -*.rop.org.au*, True -*.rorix.ro*, True -*.rorrim.net*, True -*.rorysullivan.net*, True -*.rosabelles.com.au*, True -*.rosadi.tk*, True -*.rosale.cl*, True -*.rosalesyasociados.com.ar*, True -*.rosaliarivera.com*, True -*.rosalilas.com.br*, True -*.rosannarealestate.com*, True -*.rosaprata.com.br*, True -*.rosariosastoria.com*, True -*.rosariospizzaofastoria.com*, True -*.rosariozapponi.com.ar*, True -*.rosavelasco.cl*, True -*.rosayonline.net*, True -*.roseandivory.com.au*, True -*.rosearch.ro*, True -*.rosebanditz.info*, True -*.rosebanditz.us*, True -*.rosebudjules.com*, True -*.rosebudsrosebuds.com*, True -*.rosehillstud.com*, True -*.roseiser.com.au*, True -*.rosemarry.asia*, True -*.rosemaryswritings.net*, True -*.rosen-carmeli.ch*, True -*.rosesonwest.co.nz*, True -*.rosetek.co.uk*, True -*.roseti.com.ar*, True -*.rosewoodhomes.com.au*, True -*.roseyunrealty.com*, True -*.roshanbhatta.com.np*, True -*.roshankari.com.np*, True -*.roshen.ro*, True -*.rosiebears.co.uk*, True -*.rosiere.org*, True -*.rosina.gr*, True -*.rosomak.net*, True -*.rospizza.ru*, True -*.rossadamson.net*, True -*.rossausten.com*, True -*.rossendale-recovery.co.uk*, True -*.rossiev.tk*, True -*.rossiyu.ru*, True -*.rossmccabe.com*, True -*.rossmccabe.co.uk*, True -*.rossmccabe.net*, True -*.rossneugeboren.com*, True -*.rossoferrari.it*, True -*.rossorubinoconsulting.it*, True -*.rosspb.net*, True -*.ross-serve.com*, True -*.ross-skinner.com*, True -*.ross.vc*, True -*.rosswell98.eu*, True -*.rostdos.ru*, True -*.rosteh.tk*, True -*.rosyidarni.web.id*, True -*.roszagorod.ru*, True -*.rotaatiovalu.fi*, True -*.rota.net.br*, True -*.rotaoeste.com*, True -*.rotaract4855.com.ar*, True -*.rotaryartnossa.com.br*, True -*.rotaryclubdaportela.pt*, True -*.rotary-couplings.com*, True -*.rotarycrowchild.com*, True -*.rotaryeclub3490.org*, True -*.rotaryicc.com*, True -*.rotarywatches.co.id*, True -*.rotarywatches.hk*, True -*.rotasdocangaco360.net*, True -*.rotast.ro*, True -*.rotateip.de*, True -*.rotatingshotgunrules.com*, True -*.rotationalmoulding.fi*, True -*.rotax-pl.ro*, True -*.rotax.ro*, True -*.roth.ca*, True -*.rothe.tk*, True -*.rothgroupinc.com*, True -*.rothkegel.cl*, True -*.rothnas.tk*, True -*.rothsteins.co.uk*, True -*.rotija.lv*, True -*.rotisseriedeclarens.ch*, True -*.rotolabs.com*, True -*.rotomoulding.fi*, True -*.rotorootie.net*, True -*.rototim.hr*, True -*.rotruck.net*, True -*.rottingdeancomputerservices.co.uk*, True -*.rotura.org*, True -*.roudenis.com*, True -*.rougea.com*, True -*.rougecloture.ch*, True -*.roughcollies.eu*, True -*.roughcut.co.za*, True -*.roughcuthair.co.za*, True -*.roughton.ro*, True -*.roundtripsgreece.com*, True -*.roupacaipira.com*, True -*.roupacaipira.com.br*, True -*.roupadelatex.com.br*, True -*.roupajunina.com*, True -*.roupascaipiras.com*, True -*.roupascaipiras.com.br*, True -*.roupasjuninas.com*, True -*.roupasjuninas.com.br*, True -*.rousehillit.com.au*, True -*.rouselegal.com.au*, True -*.route-20.com*, True -*.route2health.com.pk*, True -*.routemaster.net*, True -*.routemehome.com*, True -*.route.one.pl*, True -*.router19.com*, True -*.router19.org*, True -*.routers.cf*, True -*.routr.us*, True -*.rove.cl*, True -*.rove.co.za*, True -*.roveri.net.br*, True -*.rovermotel.com.au*, True -*.rovislider.ro*, True -*.rowanburry.com*, True -*.rowanhand.com*, True -*.rowa.tw*, True -*.rowdymonkey.com*, True -*.rowenascloset.co.za*, True -*.rowester.com*, True -*.rowicka.ca*, True -*.rowicki.ca*, True -*.rowingshed.co.za*, True -*.rowingshop.co.za*, True -*.rowleydesignstudios.com*, True -*.rowlinson.me*, True -*.rowls.net*, True -*.ro-wo.com*, True -*.roxanatoti.ro*, True -*.roxburybar.com.ar*, True -*.royalbonline.co.uk*, True -*.royalcafe.co.il*, True -*.royalclub.cc*, True -*.royaldsl.net*, True -*.royaldutchboxspring.nl*, True -*.royal-enfield.ch*, True -*.royalgamestm.tk*, True -*.royalgroup.ro*, True -*.royalhost.tw*, True -*.royal-life.ml*, True -*.royalmom.com*, True -*.royal-motors.co.il*, True -*.royaloyun.com*, True -*.royalpalmlodge.net*, True -*.royalphotobook.eu*, True -*.royalprison.ga*, True -*.royalstream.ch*, True -*.royaltec.com.ar*, True -*.royaltransportationtampa.com*, True -*.royanstemcell.com*, True -*.royelectric.com*, True -*.roykiyoshi.com*, True -*.roy.li*, True -*.royma.es*, True -*.royo.com.ar*, True -*.royord.com*, True -*.royserver2.com*, True -*.roystal.com*, True -*.roza.ga*, True -*.roza.gq*, True -*.rozan-liker.com*, True -*.rozara.com.my*, True -*.rozenbaum.com.ar*, True -*.rozenberg.com.ar*, True -*.rozfoz.cz*, True -*.roziekitchen.com*, True -*.rozklad-avtobusiv.com*, True -*.rozklad-poizdiv.com*, True -*.rozon.me*, True -*.rozstawsrub.pl*, True -*.rozte.com*, True -*.rpa-auto.ro*, True -*.rpa.no*, True -*.rpasfarda.tk*, True -*.rpcam.net*, True -*.rpcthai.com*, True -*.rpdhk.com*, True -*.rper.us*, True -*.rpescador.com.br*, True -*.rpgamer.ro*, True -*.rpgbh.com*, True -*.rpgchronicle.com*, True -*.rpgcordoba.com.ar*, True -*.rpg-guild.us*, True -*.rpgproject.tk*, True -*.rpgprojekt.tk*, True -*.rpgsystems.org*, True -*.rpgwatch.com*, True -*.r-pi.be*, True -*.rpibox.com*, True -*.rpisani.com*, True -*.r-pi.si*, True -*.rpjabogados.com.ar*, True -*.rpkworld.com*, True -*.rplace.com*, True -*.rplimitada.cl*, True -*.rpmjr.com*, True -*.rpmservices.ro*, True -*.rpmts.com*, True -*.rpop.tk*, True -*.rpri.me*, True -*.rpronin.ru*, True -*.rproxy.us*, True -*.rpruss.nl*, True -*.rpsb1.net*, True -*.rpsog.com*, True -*.rpssroc.pt*, True -*.rpvelectrics.com.au*, True -*.rpvn.net*, True -*.rpweb.com.ar*, True -*.rpwt.tk*, True -*.rpz.su*, True -*.rraplicaciones.com.ar*, True -*.rrblogs.com*, True -*.rrcruz.com*, True -*.rrdzone.com*, True -*.rread.co.uk*, True -*.rren.ch*, True -*.rrframework.com*, True -*.rrframework.net*, True -*.rrgc.ir*, True -*.rrgest.pt*, True -*.rrh63.com*, True -*.rrh79.com*, True -*.rrh84.com*, True -*.rrh93.com*, True -*.rrhhpy.com*, True -*.rrims.org*, True -*.rrjeti.al*, True -*.rrk59.com*, True -*.rrk74.com*, True -*.rrlink.com*, True -*.rrm.co.za*, True -*.rrnail.ru*, True -*.rrnetwork.ro*, True -*.rrodolfos.com.ve*, True -*.rrodolfos.org.ve*, True -*.rrohner.ch*, True -*.rronline.ro*, True -*.rronqui.com*, True -*.rronqui.net*, True -*.rrrf.in*, True -*.rrsolucoes.info*, True -*.rrsystemz.biz*, True -*.rrsystemz.com*, True -*.rrv.lt*, True -*.rryhope.com*, True -*.rsagrup.com*, True -*.rsavage63.com*, True -*.rsb2112.com*, True -*.rsbco.ir*, True -*.rsbiomedika.co.id*, True -*.rsbk-batam.co.id*, True -*.rsbk.co.id*, True -*.rsbmw.pl*, True -*.rsbnk.net*, True -*.rsbodyworks.com*, True -*.rsca.co.uk*, True -*.rschofield.com*, True -*.rscredito.com.br*, True -*.rsc.ro*, True -*.rsdenisa.com*, True -*.rsectora.com*, True -*.rsegebre.com*, True -*.rsfind.ro*, True -*.rsfree-download.com*, True -*.rsgalloway.com*, True -*.rsiclc.cl*, True -*.rsite.us*, True -*.rsmb.co*, True -*.rsmprestadores.com.ar*, True -*.rsnetwork.de*, True -*.rsoft-id.com*, True -*.rsperformancebikes.com*, True -*.rsquaredgame.com*, True -*.rsrachmidewi.com*, True -*.rssbot.org*, True -*.rssind.com*, True -*.rssradar.com*, True -*.rssr.tk*, True -*.rss.si*, True -*.rsstroomreader.com*, True -*.rstaats.com*, True -*.rs-technologies.ca*, True -*.rstephenb.com*, True -*.rstoplist.com*, True -*.rstringer.co.uk*, True -*.rstt-lan.ch*, True -*.rsucyber.com*, True -*.rsvfinance.com*, True -*.rsvlito.net*, True -*.rsvpit.com*, True -*.rsw.pt*, True -*.rsw-systemelect.pt*, True -*.rsyc.com.ar*, True -*.rsync.ws*, True -*.rt568.us*, True -*.rtae.in*, True -*.rtc.com.ve*, True -*.rtconsultores.com.ar*, True -*.rtd.cl*, True -*.rtdmotors.com.ve*, True -*.rtfmllc.com*, True -*.rtg.cl*, True -*.rtgonzalez.com.ar*, True -*.rtho.co.uk*, True -*.rti4.com.br*, True -*.rtiact.in*, True -*.rti-dnepr.com*, True -*.rt-it.tk*, True -*.rtl.si*, True -*.rtmq.ca*, True -*.rtmuller.net*, True -*.rt-net.net*, True -*.rto.com.au*, True -*.rtrassociation.net*, True -*.rtsanitarias.cl*, True -*.rtschoeke.com*, True -*.rts-nops.ru*, True -*.rts-prom.com*, True -*.rttcorp.com*, True -*.rttech.hk*, True -*.rtti.ru*, True -*.rtv.co.za*, True -*.rtware.ch*, True -*.rty-440.com*, True -*.ruangkamera.com*, True -*.ruangmusik.tk*, True -*.ruantavares.com.br*, True -*.rubacha.com.ar*, True -*.rubashki.su*, True -*.rubbe.net*, True -*.rubberconeyerrubberseidewallrubberloadingdockrubberlinning.com*, True -*.rubberfox.es*, True -*.rubberindustri.com*, True -*.rubberman.ca*, True -*.rubberprice.net*, True -*.rubbishhosting.co.uk*, True -*.rubblewebs.net*, True -*.rubelloimpianti.it*, True -*.rubenjuve.com*, True -*.rubenkotler.com.ar*, True -*.rubensillard.cl*, True -*.ruberti.ch*, True -*.rubettehair.com.au*, True -*.rubika.cl*, True -*.rubikdesignandprint.com.au*, True -*.rubilling.com*, True -*.rubizone.de*, True -*.rubricassn.com*, True -*.rubtsov.eu*, True -*.ruby2sday.net*, True -*.rubyonrails.tk*, True -*.rubyrama.com.ar*, True -*.ruc.fm*, True -*.rucitama.cl*, True -*.rucitel.cz*, True -*.ruckes.info*, True -*.rudartech.com*, True -*.rudd.dj*, True -*.ruddercontracting.com*, True -*.rudeboypromos.co.za*, True -*.rudebwoy.me.uk*, True -*.rudedmoroz.ru*, True -*.rude.li*, True -*.rudevelopments.com.au*, True -*.rudiesculturas.com.ar*, True -*.rudikovac.com*, True -*.rudi-novak.com*, True -*.rudito.web.id*, True -*.rudneva.net*, True -*.rudnia.ru*, True -*.rudnickipc.net*, True -*.rudnicki.to*, True -*.rudolphhuizinga.com*, True -*.rudtech.com*, True -*.rudvp.com.au*, True -*.rudy4rt.net*, True -*.rudycrespin.com*, True -*.rueda.guru*, True -*.ruedisuehli.com*, True -*.rufaida.com*, True -*.rufd.com*, True -*.rufenacht-charpente.ch*, True -*.ruferma.com*, True -*.rufez.org*, True -*.ruffroadmedia.com*, True -*.rufftek.com*, True -*.rufinocabrera.cl*, True -*.rugahng.com*, True -*.rugbyhero.com*, True -*.rugbytots.ie*, True -*.rugeleychessclub.co.uk*, True -*.ruggedgaming.com*, True -*.ruggieroav.net*, True -*.rugi.pl*, True -*.rugs.cf*, True -*.rugsund.net*, True -*.rugw.su*, True -*.ruida123.com*, True -*.ruido.pt*, True -*.ruilokhij.com*, True -*.ruimiranda.com*, True -*.ruitenburg.de*, True -*.ruiz-tagle.com*, True -*.ruk66.com*, True -*.rukario.org*, True -*.ruknigi.net*, True -*.rukodelka.ru*, True -*.rukor.org*, True -*.ruksis.com*, True -*.ruletka-videocat.ru*, True -*.rulfer.com*, True -*.rulfer.com.ar*, True -*.rullaupp.nu*, True -*.rullie.com*, True -*.rumagazin.ru*, True -*.rumahbatik.co.id*, True -*.rumahdijual-eraprospek.com*, True -*.rumahkaoskakiku.com*, True -*.rumah-minimalis.co.id*, True -*.ruma.mx*, True -*.rumangsaku.com*, True -*.rumaram.com*, True -*.rumbatan.com*, True -*.rumdude.ca*, True -*.rumimbiber.com*, True -*.rummanaz.com*, True -*.rummgp.ru*, True -*.rummg.ru*, True -*.rumoadisney.com.br*, True -*.rumorfile.com*, True -*.rumori.com.br*, True -*.rumplin.com*, True -*.rumplin.si*, True -*.rumpum.com.np*, True -*.rumpunnektar.com*, True -*.rumputfutsalsurabaya.com*, True -*.rum.si*, True -*.run24volts.com*, True -*.runara.com*, True -*.runa-rus.ru*, True -*.runa-soft.ru*, True -*.runaway.com.my*, True -*.rundell.org.uk*, True -*.rundis.com*, True -*.rundns.ir*, True -*.rundtur.com*, True -*.rundum-gemeinde.at*, True -*.rundumgemeinde.at*, True -*.runemo.se*, True -*.runesman.com*, True -*.runger.at*, True -*.runhe123.com*, True -*.runhome.net*, True -*.runi.ca*, True -*.run-in-heels.co.za*, True -*.runlovee.com*, True -*.runner.es*, True -*.runninball.com*, True -*.runningfoxes.com*, True -*.runningfoxes.net*, True -*.running-iron.com*, True -*.runolas.pl*, True -*.runstoprestore.ch*, True -*.runt9.com*, True -*.runtrans.ro*, True -*.runway10.com.ar*, True -*.runway-workshop.com*, True -*.runwgw.com*, True -*.runyeard.com*, True -*.ruokatiedotus.fi*, True -*.ruok.org*, True -*.ruouvangnhatrang.com*, True -*.ruoyuwo.com*, True -*.rup999.com*, True -*.rupakadhikari.com.np*, True -*.rupakbhattarai.com.np*, True -*.rupa.me*, True -*.rupc.info*, True -*.rupeshpradhan.com.np*, True -*.rupj.net*, True -*.ru-porn.ru*, True -*.ruralgenius.com*, True -*.ruralrefined.com*, True -*.ru-rc.ru*, True -*.rursolutions.com*, True -*.ruscioseguros.com.ar*, True -*.rus-cost.ru*, True -*.rusdomains24.ru*, True -*.ru-sex-tv.ru*, True -*.rusexznakomstva.com*, True -*.rus-girl.com*, True -*.rusgun.com*, True -*.rushazzled.com*, True -*.rusher.pro*, True -*.rushihashardwick.ca*, True -*.rusi.ch*, True -*.rusioan.ro*, True -*.ruskers.com*, True -*.ruslansokolov.com*, True -*.rusmmgp.ru*, True -*.rusnac.tk*, True -*.russandkt.com*, True -*.russbosch.ca*, True -*.russcam.ru*, True -*.russcams.ru*, True -*.russellchadwick.com*, True -*.russellconstable.co.uk*, True -*.russellv2.com*, True -*.russia-cam.ru*, True -*.russian-academy.ru*, True -*.russianbridesonly.com*, True -*.russian.cf*, True -*.russianproudcanadian.ca*, True -*.russkiy-patsient.ru*, True -*.russkoeumea.com*, True -*.russland-aktuell.net*, True -*.russlikes.com*, True -*.russmillerstories.com*, True -*.russo-herrera.com.ar*, True -*.russohrana.ru*, True -*.rustgameservers.com*, True -*.rustovar.com*, True -*.rustportal.gq*, True -*.rustyfoundation.com*, True -*.rustyhalo.org*, True -*.rusty-iron.ca*, True -*.rustyiron.ca*, True -*.rustyoptical.com*, True -*.rustyoptical.com.ar*, True -*.rusuz.ru*, True -*.rusvesna.ru*, True -*.rus-virt.ru*, True -*.rutahostal.cl*, True -*.rutaindigena.org.mx*, True -*.rutanjakpus.web.id*, True -*.rutanpku.tk*, True -*.rutapirata.com*, True -*.ruthor.net*, True -*.rutila.fi*, True -*.rutilus.net*, True -*.rutnerspazzacamino.ch*, True -*.rutoday.org*, True -*.rutovar.ru*, True -*.rutv.tk*, True -*.ruuvitracker.fi*, True -*.ruvoxhosting.com*, True -*.ruyatabirlerievi.com*, True -*.ruyitec.net*, True -*.ruznakomstva.com*, True -*.rv1.com*, True -*.rv55.com*, True -*.rv-auctions.com*, True -*.rvb.ro*, True -*.rvcanada.ca*, True -*.rvcanadaottawa.ca*, True -*.rvcanadasaintjohn.ca*, True -*.rvcan.ca*, True -*.rvfconsulting.com.br*, True -*.rvf.inf.br*, True -*.rvik.com*, True -*.rvineyardmn.com*, True -*.rvineyardmn.org*, True -*.rvision.si*, True -*.rvliquidators.ca*, True -*.rvltda.cl*, True -*.rvndn.com*, True -*.rv-wc.com*, True -*.rvwebconsulting.com*, True -*.rwbcode.com*, True -*.rwg.ro*, True -*.rwj.id.au*, True -*.rwlloyd.com*, True -*.rwmotloc.com*, True -*.rwp9.com*, True -*.rwtcomputing.ca*, True -*.rwtcomputing.com*, True -*.rwtracy.com*, True -*.rwww.tk*, True -*.rx-93dff.net*, True -*.rxora.com*, True -*.rxrconsulting.mx*, True -*.rx-sec.pl*, True -*.rxz.club*, True -*.ry81.com*, True -*.ryabikin.ch*, True -*.ryalsche.com*, True -*.ryanaghdam.com*, True -*.ryanamyko.nom.za*, True -*.ryanandjen.org*, True -*.ryanandjill.us*, True -*.ryanangelone.com*, True -*.ryanangelone.net*, True -*.ryanbarger.com*, True -*.ryanbauman.com*, True -*.ryanb.com*, True -*.ryanbootonphoto.com*, True -*.ryancjones.com*, True -*.ryanclark.me.uk*, True -*.ryancoley.ml*, True -*.ryancorp.in*, True -*.ryancorvetti.com*, True -*.ryanelders.com*, True -*.ryanfamily.me.uk*, True -*.ryanfort.com*, True -*.ryangipson.com*, True -*.ryanharrington.us*, True -*.ryanhirsch.me*, True -*.ryanh.org*, True -*.ryanjarvismusic.co.uk*, True -*.ryan-jenkins.net*, True -*.ryanjhirsch.com*, True -*.ryanjlowe.biz*, True -*.ryanjlowe.us*, True -*.ryanjosephmiller.com*, True -*.ryankramer.com*, True -*.ryanmartinneutrino.com*, True -*.ryanmcdonald.net*, True -*.ryanmead.co.uk*, True -*.ryanmeta.com*, True -*.ryanng.com*, True -*.ryanoffice.in*, True -*.ryanpd.me*, True -*.ryanpolite.com*, True -*.ryanpurcell.co.uk*, True -*.ryanroche.net*, True -*.ryansbanginserver.com*, True -*.ryanshotwell.com*, True -*.ryansilvester.com*, True -*.ryansommer.com*, True -*.ryansteeleshow.com*, True -*.ryanstephens.net*, True -*.ryanthink.com*, True -*.ryanthornton.net*, True -*.ryanthornton.org*, True -*.ryanweikert.com*, True -*.ryazany.ru*, True -*.rybak-nn.ru*, True -*.ryberg-electronics.com*, True -*.rybergelectronics.com*, True -*.ryberg-electronics.co.uk*, True -*.rybergelectronics.co.uk*, True -*.ryberg-electronics.net*, True -*.rybergelectronics.net*, True -*.ryca.com.ar*, True -*.rychly.pl*, True -*.rycom.nl*, True -*.rycweather.org*, True -*.rydekull.se*, True -*.ryderoofing.net.au*, True -*.rydik.net*, True -*.rydis.se*, True -*.rykun.net*, True -*.rylanjace.com*, True -*.ryliewhitfield.com*, True -*.ryltrilogy.com*, True -*.ryougi.com*, True -*.ryplogistica.com.ar*, True -*.ryteq.com*, True -*.ryterski.net*, True -*.ryu.cc*, True -*.ryuhyun.com*, True -*.ryuu-cyber.com*, True -*.ryuu.gq*, True -*.ryuuko.cl*, True -*.ryzerfab.ca*, True -*.rz9.de*, True -*.rzeczoznawstwo-budowlane.pl*, True -*.rzktech.web.id*, True -*.s0br.com*, True -*.s0cialpath.com*, True -*.s0cialpath.net*, True -*.s0nik.net*, True -*.s1000rr.pl*, True -*.s-1472.com*, True -*.s1m.org*, True -*.s1-yandex.ru*, True -*.s2aynetwork.org*, True -*.s2binus.com*, True -*.s2duo.com*, True -*.s2lbit.com*, True -*.s2lbyte.com*, True -*.s2ltech.com*, True -*.s2ltechnologies.com*, True -*.s3act.com*, True -*.s3contabil.com.br*, True -*.s4a.cl*, True -*.s4it.eu*, True -*.s4it.net*, True -*.s4w.us*, True -*.s51bj.eu*, True -*.s6-qua.info*, True -*.s-7979.net*, True -*.s7art.com*, True -*.s7ick.org*, True -*.s7ncyberteam.com*, True -*.s-8282.com*, True -*.saadsaleem.com*, True -*.saadsl.co.za*, True -*.saaepar.com.br*, True -*.saaepar.org.br*, True -*.saaj.co.za*, True -*.saak.co.za*, True -*.saakibains.com*, True -*.saa-law.com*, True -*.saal.co.za*, True -*.saan.co.za*, True -*.saanichcommunity.ca*, True -*.saanshu.com*, True -*.saap.co.za*, True -*.saar.co.za*, True -*.saartje-kinderkleding.nl*, True -*.saas.com.au*, True -*.saascuba.ml*, True -*.saasdesk.co.uk*, True -*.saas-fee-lehnhof.ch*, True -*.saasrobotics.com*, True -*.saat.co.za*, True -*.sabadeshoping.com*, True -*.sabaenergy.com*, True -*.sabahbar.org.my*, True -*.sabapne.com*, True -*.sabar.ga*, True -*.sabar.gq*, True -*.sabbaghian.ir*, True -*.sabbasyn.org*, True -*.sabbathmode.com*, True -*.sabdarianada.com*, True -*.sabdarianada.net*, True -*.sabdarianada.org*, True -*.saberenterprises.net*, True -*.sabhya.tk*, True -*.sabiduriadelavida.com.ar*, True -*.sabii-cutite.ro*, True -*.sabina.to*, True -*.sabinatransport.ro*, True -*.sabinedecor.ro*, True -*.sabinelilly.com*, True -*.sabinghimire.com.np*, True -*.sabinin.com*, True -*.sabinkc.com.np*, True -*.sablemanly.com.au*, True -*.sableoak.com*, True -*.sablexteam.ru*, True -*.saboia.me*, True -*.sabongarena.com*, True -*.saborculpable.cl*, True -*.saboresandinos.com*, True -*.saboresdecordillera.com*, True -*.saboresdecordillera.com.ar*, True -*.saborinternacional.com.ar*, True -*.saboten.us*, True -*.saboteur.ca*, True -*.sabouri.net*, True -*.sabrari.ro*, True -*.sabrebright.com*, True -*.sabrinagillett.com*, True -*.sacah.net*, True -*.sacalamagia.com*, True -*.sacaman.com*, True -*.sacanm.net*, True -*.sacatouille.com*, True -*.sacconeabogados.com.ar*, True -*.sace.cl*, True -*.sacharya.gq*, True -*.sachau.us*, True -*.sachdevainternationalschool.in*, True -*.sachhot.com*, True -*.sachikana.com*, True -*.sachikana.net*, True -*.sachin.at*, True -*.sach.ir*, True -*.sack-paper.com*, True -*.saclay.org*, True -*.sacproduction.com*, True -*.sacraa.co.za*, True -*.sacramentobankruptcyrepresentation.com*, True -*.sacramentobusinessbankruptcy.com*, True -*.sacramentocomputerpower.com*, True -*.sacramentocountybankruptcy.com*, True -*.sacramentodebtsolutions.com*, True -*.sacramentoemergencybankruptcyhotline.com*, True -*.sacramentorussianbankruptcy.com*, True -*.sacraweb.com.ar*, True -*.sacrebl.eu*, True -*.sactownbankruptcy.com*, True -*.sadap.com.mx*, True -*.sadap-morif.tk*, True -*.sadat.tw*, True -*.sadayuki.jp*, True -*.sad.bz*, True -*.saddy.org*, True -*.sades.com.ar*, True -*.sadimin.com*, True -*.sadiqbd.com*, True -*.sadje.si*, True -*.sadler.com.ar*, True -*.sadlernet.com*, True -*.sadnicevoca.org*, True -*.sadofashion.com*, True -*.sadovita.com*, True -*.sadovod-k12.ru*, True -*.sadozai.ch*, True -*.sadsong.eu*, True -*.saeba.xyz*, True -*.saedemo.cl*, True -*.saelectrica.com.ar*, True -*.saelon-eco.com*, True -*.saemchanif.com*, True -*.saer-emploi.com*, True -*.saerome.net*, True -*.sae.rs*, True -*.saetaproducciones.com.ar*, True -*.safaeian.com*, True -*.safairsoft.ro*, True -*.safakhastaneleri.com*, True -*.safakhastaneleri.com.tr*, True -*.safapasutri.com*, True -*.safaribirdfarm.com*, True -*.safcabinets.com.au*, True -*.safdv.com*, True -*.safe2click.ru*, True -*.safehavn.com*, True -*.safehome.gr*, True -*.safe-land.ch*, True -*.safe-link.cf*, True -*.safelinux.org*, True -*.safe-mail.ca*, True -*.safepen.com.br*, True -*.safepleasure.com*, True -*.safeport.com.br*, True -*.safer-networking.com*, True -*.safernet-working.com*, True -*.safernetworking.com*, True -*.safernet-working.net*, True -*.safernet-working.org*, True -*.safeserver.co.kr*, True -*.safesteprecovery.com*, True -*.safetrain.com.ar*, True -*.safetran.com.ar*, True -*.safe-transfer.com*, True -*.safets.net*, True -*.safetyinnumbers.com.au*, True -*.safetyjogger-ps.com*, True -*.safeurl.cf*, True -*.safevision.pt*, True -*.safexchile.cl*, True -*.saffariinvestments.com*, True -*.saffie.ca*, True -*.saffron-saffron.org*, True -*.safiisanatos.ro*, True -*.safilo.com.my*, True -*.safilonet.asia*, True -*.safipharmco.com*, True -*.safira.com.my*, True -*.safira.ro*, True -*.safitri-feb.cf*, True -*.safootwear.com.np*, True -*.safora.ru*, True -*.safro.info*, True -*.saftad.co.za*, True -*.saft-bars.ch*, True -*.saftbars.ch*, True -*.sagabone.info*, True -*.saga.co.id*, True -*.sagacomissaria.com.br*, True -*.sagalid.cl*, True -*.sagaradhikary.com.np*, True -*.sagarareload.com*, True -*.sagardhungel.com.np*, True -*.sagark.com.np*, True -*.sagarpandey.com.np*, True -*.sagarsubedi.com.np*, True -*.sagasonplastic.com*, True -*.sagatama.co.id*, True -*.sagaunity.cf*, True -*.sagaunity.ga*, True -*.sagaunity.gq*, True -*.sagaunity.ml*, True -*.sagaunity.tk*, True -*.saga.web.id*, True -*.sageata-navodari.ro*, True -*.sage.li*, True -*.sagelikefool.net*, True -*.sagenresearch.com*, True -*.sagesinst.org*, True -*.sagesystems.org*, True -*.sage-work.net*, True -*.saghehgroup.com*, True -*.sagittarius-systems.com*, True -*.sagosti.ch*, True -*.sagues.com.ve*, True -*.sahaabeh.com*, True -*.sahabatcctv.com*, True -*.sahabatislami.com*, True -*.sahabat-liker.com*, True -*.sahabat-liker.ga*, True -*.sahabatradio.tk*, True -*.sahadewi.com*, True -*.sahajayoga.ie*, True -*.sahanideepak.com.np*, True -*.sahapan.net*, True -*.saharabutik.com*, True -*.saharkhiz.com*, True -*.sahaseel.com*, True -*.sahe.tw*, True -*.sahiwal.cf*, True -*.sahumerio-importado.com.ar*, True -*.sahusilawane.web.id*, True -*.saia.tk*, True -*.saibateku.info*, True -*.saicepmb.co.za*, True -*.saidinational.co.za*, True -*.saidinational.org*, True -*.saidinational.org.za*, True -*.saidinsuboh.my*, True -*.saifet.it*, True -*.saifhameed.com*, True -*.saiful7000.tk*, True -*.saiful.biz*, True -*.saigon1deli.com*, True -*.saigon-net.org*, True -*.saigonvietexpress.cf*, True -*.saihane.info*, True -*.saiholyfaithhighschool.in*, True -*.sailadvertising.com.au*, True -*.sailawaypartners.com*, True -*.sailoranime.com*, True -*.sailproductions.org*, True -*.sailthepacific.org*, True -*.sailtheuniverse.com*, True -*.saintcloudapartment.com*, True -*.saintcoben.tk*, True -*.saintdem.org*, True -*.sainte-marie-solaire.com*, True -*.saintgroup.co.za*, True -*.saint-johns-lutheran.org*, True -*.saint-johns.net*, True -*.saintjosephradio.org*, True -*.saintsauveur.info*, True -*.saints-craft.tk*, True -*.saints-eagle.ru*, True -*.saintve.com.ve*, True -*.saipulbakri.com*, True -*.saisolutions.net.au*, True -*.saisonb2b.com*, True -*.saitan.me*, True -*.sajadinia.ir*, True -*.sajal.com.np*, True -*.sajatraktar.hu*, True -*.sajcra.co.za*, True -*.sajhe.org.za*, True -*.sakandolavuelta.cl*, True -*.sakaryam.tk*, True -*.sakau.ml*, True -*.saka.web.id*, True -*.sakbun.com*, True -*.sakerry.com*, True -*.sakhmedpom.ru*, True -*.sakilaserver.net*, True -*.saki.pt*, True -*.sakitjiwa.net*, True -*.sakitnyatuhdisini.com*, True -*.saktidwicahyono.name*, True -*.sakti.ga*, True -*.sakuradojo.cl*, True -*.sakuya.pl*, True -*.salaam.pl*, True -*.salaban.com*, True -*.salaban.info*, True -*.salaban.org*, True -*.salabrasileira.cf*, True -*.saladinpratogmbh.ch*, True -*.salado.me*, True -*.salaespejo.cl*, True -*.salaespejoms.cl*, True -*.salaheineken.com*, True -*.salamacchine.net*, True -*.salamequintero.gob.ar*, True -*.salarius.com.br*, True -*.salaspilsmms.lv*, True -*.salatovo.ru*, True -*.salawas.tk*, True -*.salazare.tk*, True -*.salc.org.au*, True -*.saldysaputra44.com*, True -*.saleb.ru*, True -*.salecheshire.co.uk*, True -*.salefutbolya.com.ar*, True -*.salehincomplex.ir*, True -*.saleinsurancegroup.com*, True -*.salemartgallery.us*, True -*.salem.mx*, True -*.salenhotel.com*, True -*.salenhotel.se*, True -*.salentointonaci.ch*, True -*.salesbutler.ch*, True -*.salesbuttler.ch*, True -*.salesconnect.in*, True -*.sales.hk*, True -*.sales-people.ru*, True -*.salesreport.co.za*, True -*.salestrakit.net*, True -*.salford-hall.co.uk*, True -*.saliba.com.au*, True -*.salieattorneys.co.za*, True -*.saliguri.com*, True -*.salimterryli.tk*, True -*.salimuslim.com*, True -*.salingsapa.in*, True -*.salir.cl*, True -*.salitamatthews.com*, True -*.sallad.fi*, True -*.sallard.info*, True -*.sallaway.com.au*, True -*.sallaway.info*, True -*.sallaway.net*, True -*.sallaway.org*, True -*.salles.cl*, True -*.sallshosting.com*, True -*.sallsworld.com*, True -*.sallydana.com*, True -*.sallyhaydengilmore.com*, True -*.sallyjonesflowers.com.au*, True -*.salman.pk*, True -*.salmensuu.fi*, True -*.salmeron.com.ar*, True -*.salmo115.com.ar*, True -*.salmonlakecenter.com*, True -*.salo.im*, True -*.salon-alisa.com*, True -*.salonalisa.com*, True -*.salon-beauty.org*, True -*.saloncalabazas.com.ar*, True -*.salondepiane.ro*, True -*.salonefantasy.ch*, True -*.salonengelhardt.dk*, True -*.salonfinish.co.za*, True -*.salon-helen.co.il*, True -*.salonladym.ro*, True -*.salonmaty.ro*, True -*.salonnet.info*, True -*.salosystems.fi*, True -*.saloy76.tk*, True -*.salpafuera.com*, True -*.salsacate.com.ar*, True -*.salsa-connexion.com*, True -*.salsamadrid.org*, True -*.salsateam.org*, True -*.saltapoloclub.com.ar*, True -*.saltateinforma.com.ar*, True -*.saltbush.com*, True -*.saltbush.org*, True -*.saltcoffee.cf*, True -*.saltele-copii-saltea.ro*, True -*.saltex.cl*, True -*.saltfoodphoto.com*, True -*.salth2ofish.com*, True -*.saltillogps.com*, True -*.saltlaketech.com*, True -*.saltlaketech.net*, True -*.saltlaketechnologies.com*, True -*.saltlaketech.org*, True -*.saltspa.hk*, True -*.saltuie.com*, True -*.saltwatersuds.com*, True -*.salty72.ca*, True -*.saltydh.net*, True -*.saltygiraffe.com*, True -*.saludcercana.com*, True -*.saludmentallegitima.com.ar*, True -*.salugi.net*, True -*.salutem.co*, True -*.salutesport.ch*, True -*.salut-oradea.ro*, True -*.salutoradea.ro*, True -*.salvaromero.com*, True -*.salveamazonia.com.br*, True -*.salvetis.com*, True -*.salviati.com.br*, True -*.salvi-recycling.ch*, True -*.salyani.org.np*, True -*.salzmann.biz*, True -*.sam46.com*, True -*.sam49.com*, True -*.sam76.com*, True -*.sam86.com*, True -*.sam96.com*, True -*.sama-55.com*, True -*.samaa.com.pk*, True -*.samace.ca*, True -*.samadha.net*, True -*.samadivk.com*, True -*.samaid.fi*, True -*.samandrobyn.com*, True -*.samanthad.com*, True -*.samanthamccartney.net*, True -*.samantharoth.ca*, True -*.samanthawestbynunn.com*, True -*.samariter-feldbrunnen-riedholz.ch*, True -*.samarskie.ru*, True -*.samasamajaya.com*, True -*.samatek.mx*, True -*.samaursa.com*, True -*.sambade.com*, True -*.sambalsambel.com*, True -*.sambasindoputra.co.id*, True -*.sambelmahkotaratu.com*, True -*.sambergs.se*, True -*.sambhu.com.np*, True -*.sambil.ml*, True -*.sambose.tk*, True -*.samboygraphics.com*, True -*.sambra-propiedades.com.ar*, True -*.sambrit.com*, True -*.samchhangte.cf*, True -*.samdelgado.com*, True -*.same2u.net*, True -*.samebiz.pw*, True -*.sameerpant.com.np*, True -*.samelarmain.com*, True -*.samerin.com*, True -*.sametband.com.ar*, True -*.samirani.com*, True -*.samirkhanal.com.np*, True -*.samislost.com*, True -*.samisrl.com*, True -*.samito.com.br*, True -*.samitoelectronics.com*, True -*.samjdavis.com*, True -*.samjd.me*, True -*.samk.ch*, True -*.samkograd.ru*, True -*.samkuljetus.fi*, True -*.samlconnect.com*, True -*.sammah.org*, True -*.sammarkham.co.uk*, True -*.sammygakuen.com*, True -*.sam.my.id*, True -*.sammy.web.id*, True -*.samoens-nannies.com*, True -*.samoied.org*, True -*.samokrutkin.ru*, True -*.samolechenie.ru*, True -*.samoobrona.one.pl*, True -*.samoobslu.ga*, True -*.samozzi.me*, True -*.sampah.club*, True -*.sa-mp.ir*, True -*.sampla.ch*, True -*.sampsanniemi.fi*, True -*.samralston.me*, True -*.samrrr.ro*, True -*.samscalise.com*, True -*.samschlesinger.com*, True -*.sam-shannon.id.au*, True -*.samshannon.id.au*, True -*.samsonconsulting.com*, True -*.samsung2u.com*, True -*.samsungmwc.com*, True -*.samsungstore.com.ar*, True -*.samsungtvforu.com*, True -*.samtekinstruments.com*, True -*.samtexinc.com*, True -*.samtolton.com*, True -*.samucoquimbo.cl*, True -*.samuelanderson.me*, True -*.samueleisenring.ch*, True -*.samuelgray.com.au*, True -*.samuellopes.com.br*, True -*.samuellopes.net*, True -*.samuelranta.fi*, True -*.samuelr.com*, True -*.samuelrosset.ch*, True -*.samuelstevens.net*, True -*.samuelwilliambrown.co.uk*, True -*.samuilisopescu.ro*, True -*.samurainetworx.com*, True -*.samuraiparadox.com*, True -*.samuraisan.com.br*, True -*.samuraisunday.com*, True -*.samvang.com.vn*, True -*.samwindley.com*, True -*.samyagan.com*, True -*.samyang.co.il*, True -*.samyog.com.np*, True -*.san1n.com*, True -*.san6.com*, True -*.sanabriarurales.com*, True -*.sanadoresholisticos.com*, True -*.sanalfonsoarriendos.cl*, True -*.sanampetri.com*, True -*.sana.my*, True -*.sanaodontologia.com.ar*, True -*.sanarae.tk*, True -*.sanatateinspitale.ro*, True -*.sanatoriobritanico.com.ar*, True -*.sanatoriodelrosario.com.ar*, True -*.sanaxa.com*, True -*.sanaxin.com*, True -*.sanbase.ru*, True -*.sanb.co.za*, True -*.sanbritanico.com.ar*, True -*.sancarlosborromeo.cl*, True -*.sanchestransportes.com.br*, True -*.sanchesveiculos.com.br*, True -*.sanchez5.net*, True -*.sanchezcornaglia.com.ar*, True -*.sancheznetwork.com*, True -*.sanchezromero.com.ar*, True -*.sanchezsm.com.ar*, True -*.sanchitatiwari.com*, True -*.sanchominano.com.ar*, True -*.sanclemente.cl*, True -*.sandalcomputers.co.uk*, True -*.sandalwoodwines.com.au*, True -*.sandaree.com*, True -*.sandbautos.co.uk*, True -*.sandbox.ro*, True -*.sandcherrysystems.com*, True -*.sandeepkhanal.com.np*, True -*.sandeep-neupane.com.np*, True -*.sandelin.org*, True -*.sanderspcsolutions.com*, True -*.sandes.com.au*, True -*.sandffoods.com*, True -*.sandgatebunch.org*, True -*.sandgrounds.com*, True -*.sandhofner.com*, True -*.sandhome.de*, True -*.sandiademo.com.ar*, True -*.sandidge.us*, True -*.sandiegohomeit.com*, True -*.sandigirsang.com*, True -*.sandiptripathi.com.np*, True -*.sandmaedchen.net*, True -*.sandmart.in*, True -*.sandmeiers.ch*, True -*.sandmill.org*, True -*.sandors.com*, True -*.sandovalseguros.cl*, True -*.sandraandmike.com*, True -*.sandraclases.com.ar*, True -*.sandrafinger.ch*, True -*.sandrahusser.ch*, True -*.sandra-rose.at*, True -*.sandra.si*, True -*.sandras-salon.at*, True -*.sandricaminhoes.com.br*, True -*.sandundglas.ch*, True -*.sandviken-vel.com*, True -*.sandwicheriasnacho.com.ar*, True -*.sandwichpanel.co.id*, True -*.sandwich-velokurier.ch*, True -*.sandwichvelokurier.ch*, True -*.sandyau.hk*, True -*.sandyrooney.com*, True -*.sanekala.org*, True -*.sanek.pro*, True -*.sanfelipeintranet.cl*, True -*.sanfoneiro.com*, True -*.sanfoneiro.com.br*, True -*.sanfordhome.net*, True -*.sanfranciscomgue.com.ar*, True -*.sang-alex.tk*, True -*.sang.co.za*, True -*.sange.es*, True -*.sangeetgurukul.com*, True -*.sanggarweb.com*, True -*.sanggul-kusumadewi.com*, True -*.sangitab.com.np*, True -*.sangkrah.web.id*, True -*.sangna.ml*, True -*.sang.ninja*, True -*.sangoma.co.uk*, True -*.sangreal.ro*, True -*.sang-sang.net*, True -*.sanguan.tk*, True -*.sanguche.org*, True -*.sangviedo.tk*, True -*.sangwoodiary.com*, True -*.sanh.co.za*, True -*.sanibelarms.com*, True -*.sanibelislandfloridarealestate.com*, True -*.sanidep.ch*, True -*.saninstruktor.ru*, True -*.sanisa.gr*, True -*.sanismart.com*, True -*.sanitaer-pianezzi.ch*, True -*.sanitarioselemporio.com.ar*, True -*.saniute-bebelusi.ro*, True -*.saniute-copii.ro*, True -*.saniutepentrucopii.ro*, True -*.sanjan.com.np*, True -*.sanjayabhandari.com.np*, True -*.sanjayasubedi.com.np*, True -*.sanjaykarki.com.np*, True -*.sanjayparajuli.com.np*, True -*.sanjeevadhikari.com.np*, True -*.sanje.info*, True -*.sanjesh-tajhiz.ir*, True -*.sanjitacharya.com.np*, True -*.sanjoaquincountybankruptcy.com*, True -*.sanjorge-sa.com.ar*, True -*.sanjoseaquarium.com*, True -*.sanjoseaquarium.net*, True -*.sanjoseaquarium.org*, True -*.sanjosescreens.com*, True -*.sanjuanmardelplata.com.ar*, True -*.sankon.ro*, True -*.sanktechnology.com*, True -*.sankus.net*, True -*.sanl.cf*, True -*.sanl.co.za*, True -*.sanluix.org*, True -*.sanmarc.sg*, True -*.sanmateoorthopaedics.com*, True -*.sanm.co.za*, True -*.sanmiguelbodas.com*, True -*.sanmiguelbodas.com.mx*, True -*.sanmiguelbodas.mx*, True -*.sannalehto.fi*, True -*.sannon-stamm.com*, True -*.sanoc.co.za*, True -*.sanok.one.pl*, True -*.sanotoviet.com*, True -*.sanovation.com*, True -*.sanpablosmog.com*, True -*.sanpabloyellowtaxi.com*, True -*.sanpedroinforma.com.ar*, True -*.sanphim.org*, True -*.sanphimtv.com*, True -*.san-pizza.ru*, True -*.sanr.co.za*, True -*.sanrish.co.id*, True -*.sansaeuropeana.ro*, True -*.sansamediurural.ro*, True -*.sansana.pt*, True -*.sansan.gq*, True -*.sanshbiotech.com.ar*, True -*.sansoft.com.ar*, True -*.sansprecept.com*, True -*.san-ss.com.ar*, True -*.sansumi.com*, True -*.sansumi.com.br*, True -*.sansz.ro*, True -*.santabarbara.org.ar*, True -*.santaceciliaoeste.com.ar*, True -*.santa.cl*, True -*.santaclararestobar.com*, True -*.santa-cruz.cl*, True -*.santacruz.com.ar*, True -*.santafegranfondo.com*, True -*.santafevr.com*, True -*.santagostini.com.ar*, True -*.santagostini.info*, True -*.santai.ml*, True -*.santaisidoraspa.cl*, True -*.santaizih.com*, True -*.santamlegal.co.za*, True -*.santamonicachile.cl*, True -*.santaritatelecom.tk*, True -*.santasdraw.com*, True -*.santaveiculos.com.br*, True -*.sant.com.ar*, True -*.sant.co.za*, True -*.santekim.com*, True -*.santiagodemarco.com*, True -*.santiagoinmobiliario.cl*, True -*.santiagomontoya.com.ar*, True -*.santiagopuertasadentro.cl*, True -*.santiagoschmidt.com.ar*, True -*.santiagovivacqua.com.ar*, True -*.santiber.es*, True -*.santicluke.com.ar*, True -*.santimedici.com*, True -*.santini-sa.ch*, True -*.santip.com.ar*, True -*.santiperforaciones.com.ar*, True -*.sant.ir*, True -*.santi.web.id*, True -*.santodescuento.com.ar*, True -*.santolina.biz*, True -*.santomabil.com*, True -*.santomabil.net*, True -*.santomabil.org*, True -*.santorinaios.gr*, True -*.santorineos.gr*, True -*.santorini-santorini.com*, True -*.santoscosta.tk*, True -*.santoshayoga.com.ar*, True -*.santoshlamichhane.com.np*, True -*.santoso-teknik.com*, True -*.santospatronos.org*, True -*.santossapkota.com.np*, True -*.santoss.web.id*, True -*.santosypatxi.com*, True -*.santrex.org*, True -*.santrigaul.ml*, True -*.santuariocristoredentor.com.br*, True -*.santuariocristoredentor.org.br*, True -*.sanu.co.za*, True -*.sanusikap.co.id*, True -*.sany.ir*, True -*.sanyocenter.ir*, True -*.sanyofix.ir*, True -*.sanzerep.co*, True -*.saobruno.pt*, True -*.saojorgedigital.info*, True -*.saosukien.net*, True -*.sapa.club*, True -*.sapage.net*, True -*.saparia.cz*, True -*.sapatekno.com*, True -*.sapaya.com.ar*, True -*.sapethemape.com*, True -*.sapf.co.za*, True -*.saphirepoodles.com*, True -*.saphirproduct.ch*, True -*.sapib.ca*, True -*.sapiensgroup.ru*, True -*.sapi.info*, True -*.sapit.co.uk*, True -*.sapkotadipak.com.np*, True -*.sapl.ch*, True -*.sap.md*, True -*.sap-net.ru*, True -*.sapninja.com*, True -*.sapozhkov.net*, True -*.sappa.com.au*, True -*.sapp.com.ve*, True -*.sapphire.one.pl*, True -*.sapp.org.ve*, True -*.sapsancud.cl*, True -*.saptagunautama.com*, True -*.saptx.com*, True -*.saqscrap.com*, True -*.sar7.com.ar*, True -*.saraandgreg.com*, True -*.saraandstephane.com*, True -*.saracarbonero.com*, True -*.sara-comunity.gq*, True -*.sarad.com.np*, True -*.sarafipars.ir*, True -*.sarahball.com*, True -*.sarahcanningphotography.co.uk*, True -*.sarahc.com*, True -*.sarahdavis.info*, True -*.sarahehunt.net*, True -*.sarahgiotto.com*, True -*.sarahgreenwoodschool.com*, True -*.sarahjhomedecor.com*, True -*.sarahjhomedecor.com.au*, True -*.sarah-lai.com*, True -*.sarahlai.com*, True -*.sarah-lawrence.com*, True -*.sarahost.tk*, True -*.sarahschiess.com*, True -*.sarahshields.co.nz*, True -*.sarahwallis.co.uk*, True -*.sarah-yves.ch*, True -*.sarahzussy.ch*, True -*.sarai-miquel.cl*, True -*.saralsourcing.com*, True -*.saralsourcing.in*, True -*.saramarina.com*, True -*.saramolina.net*, True -*.saranabanindo.co.id*, True -*.saranadwimakmur.com*, True -*.sarana-tehnik.com*, True -*.saranatravelbelitung.co.id*, True -*.saranaweldingsentosa.com*, True -*.sarangsafety.com*, True -*.saranhold.com*, True -*.saraoapp.com*, True -*.sarapanhati.com*, True -*.saraplusjustin.com*, True -*.sara-plus.tk*, True -*.sarasindo.com*, True -*.sarasofia.co*, True -*.saratogalakecam.com*, True -*.saraujo.com*, True -*.saravan-spring.com*, True -*.sarawize.co.za*, True -*.sarbagyastha.com.np*, True -*.sarbazi.us*, True -*.sarbsystems.com.ve*, True -*.sardar.org*, True -*.sardinhamunck.com.br*, True -*.sardonprop.com.ar*, True -*.sargeant-lee.com*, True -*.sarienah.tk*, True -*.sarietol.cf*, True -*.sarietol.net*, True -*.sariindahalam.com*, True -*.sarikoc.ru*, True -*.sarilikongdomain.tk*, True -*.sarilouis.com*, True -*.sarinaclinic.com.au*, True -*.sariola.net*, True -*.saritablog.com*, True -*.sarkanyok.tk*, True -*.sarkargroup.asia*, True -*.sarmiento.cl*, True -*.sarmisen.com*, True -*.sarnikgps.com*, True -*.sarny.at*, True -*.sa-roj.com.np*, True -*.sarojlama.com.np*, True -*.sarojpanthi.com.np*, True -*.sarojpoudel.com.np*, True -*.saronicboats.gr*, True -*.saronikostrans.gr*, True -*.saroswe.ro*, True -*.sarrieri.com*, True -*.sarrieri.ro*, True -*.sarrislaw.co.za*, True -*.sarservices.com*, True -*.sarswotishrestha.com.np*, True -*.sarten-x.com*, True -*.sartiecamiciai.ro*, True -*.sarungkursidekorasi.com*, True -*.sarungkursifutura.com*, True -*.sarungkursipesta.com*, True -*.sarungkursiplastik.com*, True -*.sarungkursitenda.com*, True -*.saryanllc.com*, True -*.sarychevy.ru*, True -*.sasaero.net*, True -*.sasaero.us*, True -*.sasakure.biz*, True -*.sasa.pl*, True -*.sasaze.com*, True -*.sasdi.org.za*, True -*.sasep.mx*, True -*.sas-ge.ch*, True -*.sasharailey.com*, True -*.sash.co.nz*, True -*.sashwh.co.uk*, True -*.sashwindowheritage.co.uk*, True -*.sasi.com.np*, True -*.sasikanth.info*, True -*.sasingleseaters.co.za*, True -*.saskadroid.cf*, True -*.saskaltaarc.ca*, True -*.saskaltarc.ca*, True -*.saska.tk*, True -*.saskawap.tk*, True -*.saslam.com*, True -*.saslarnews.com*, True -*.sasmitha.web.id*, True -*.saspen.com*, True -*.sas-sa.ch*, True -*.sassinak.net*, True -*.sass.nom.za*, True -*.sassypenguinbrew.com*, True -*.sassypenguinbrewery.com*, True -*.sassypenguinbrewery.info*, True -*.sassypenguinbrew.info*, True -*.sassysouschef.com*, True -*.sassysous.com*, True -*.sassywizard.com*, True -*.sastofurniture.com*, True -*.sastri.info*, True -*.sast.ro*, True -*.saswater.com.au*, True -*.sasze.ro*, True -*.satanic.in*, True -*.satanic.ro*, True -*.satcell.co.za*, True -*.sat-c.net*, True -*.satcomtrader.com*, True -*.sategede.com*, True -*.satejepang.com*, True -*.satelitaxi.com.ar*, True -*.sateliteisland.com.ar*, True -*.satell.com.ar*, True -*.satellitedishinstallation.co.za*, True -*.satexcomputers.com*, True -*.satgia.com*, True -*.satgia.net*, True -*.sat-hero.co.za*, True -*.sat-infotech.com*, True -*.satinfotech.com*, True -*.satinternet.com.br*, True -*.satirasativa.com*, True -*.satisfi.de*, True -*.satlex.it*, True -*.satlex.ro*, True -*.satmed.com.ar*, True -*.satmodel.com*, True -*.satnamfoods.com*, True -*.satnamfoods.in*, True -*.satnamnandra.co.uk*, True -*.satnhadat.com*, True -*.satnhadat.net*, True -*.satools.co.za*, True -*.satria-fu.net*, True -*.satriatehnik.com*, True -*.satsafriskt.se*, True -*.satshid.com*, True -*.satsu.cl*, True -*.satta.es*, True -*.sattva.com.br*, True -*.sattv.co.za*, True -*.satuakses.com*, True -*.satuanberita.com*, True -*.satuciteureup.web.id*, True -*.satumilyarsebulan.com*, True -*.saturdaybang.org*, True -*.saturdaynightgamers.com*, True -*.saturdaynightspecial.ca*, True -*.saturn39.dk*, True -*.saturnbell.com*, True -*.saturnip.com*, True -*.saturnip.net*, True -*.saturnstar.net*, True -*.satutujuh.co.id*, True -*.satyabayu.asia*, True -*.satyagraha.com.np*, True -*.sauceboro.com*, True -*.saucedchicago.com*, True -*.sauceking.co.za*, True -*.saucemail.com*, True -*.saucevm.tk*, True -*.saude-bem-estar.tk*, True -*.saudesuplementar.com*, True -*.saudesuplementar.com.br*, True -*.sauerbraten.cf*, True -*.saugatp.com.np*, True -*.saulfrancia.com*, True -*.saulofamily.org*, True -*.saulsfishmarket.com*, True -*.saultultimate.ca*, True -*.saungssh.net*, True -*.saurabhgaur.com*, True -*.sauropodus.pw*, True -*.sauryap.com.np*, True -*.sausage.ninja*, True -*.sauters.ch*, True -*.savageautomation.com*, True -*.savagedns.com*, True -*.savagehomenetwork.com*, True -*.savageleads.com*, True -*.savage.nu*, True -*.savasnamas.lt*, True -*.savasozer.com.tr*, True -*.savasys.com.ar*, True -*.savatech.ch*, True -*.sav-chile.cl*, True -*.saveafile.eu*, True -*.savealator.com*, True -*.savebest.mobi*, True -*.savebobbles.com*, True -*.savebonnevillespeedway.com*, True -*.savecomodo.com*, True -*.savedate.co.za*, True -*.saved.cf*, True -*.savedirect.net*, True -*.save-elderly-from-care.com*, True -*.savelight.cz*, True -*.savelinkme.tk*, True -*.savely.eu*, True -*.save-mp3.ru*, True -*.savemusic.co*, True -*.savenewport.com*, True -*.savenowclub.com*, True -*.saveopenspace.com*, True -*.save-org.com*, True -*.save-proxy.ru*, True -*.saver.ga*, True -*.savethedoodleproject.com*, True -*.savia3.com.ar*, True -*.saviajoven.com.ar*, True -*.savii.ro*, True -*.savingold.com*, True -*.savitz.org*, True -*.savoirnews.net*, True -*.savoryape.com*, True -*.savusankari.fi*, True -*.savu-unototale.ro*, True -*.savvasoft.com*, True -*.savveexpress.com.au*, True -*.savvybearcat.com*, True -*.savvycode.eu*, True -*.savvyfox.com*, True -*.savvyfox.net*, True -*.savvysnake.com*, True -*.savwhatsup.com*, True -*.savwhatsup.info*, True -*.savwhatsup.net*, True -*.savwhatsup.org*, True -*.sawander.se*, True -*.sawangpharma.com*, True -*.saweko.org*, True -*.saw.id.lv*, True -*.sawima.tk*, True -*.saw-online.com*, True -*.sawope.com*, True -*.sawsmithbook.com*, True -*.saxofonistboeken.nl*, True -*.saxonmyers.com*, True -*.say86.com*, True -*.sayacari.com*, True -*.sayadimana.com*, True -*.sayakutia.ru*, True -*.sayan007.com*, True -*.sayani.net*, True -*.sayan.us*, True -*.sayapastibisa.com*, True -*.saycheese.hk*, True -*.sayeh.cl*, True -*.sayitallgirl.com*, True -*.saynii.org*, True -*.saytostroy.ru*, True -*.sazan-aizu.eu*, True -*.sazanrjb.com.np*, True -*.sazava.com*, True -*.sazhenec.ru*, True -*.sba7.net*, True -*.sbadas.info*, True -*.sba-grp.co.id*, True -*.sbak.org*, True -*.sbaloan.org*, True -*.sbavpn.com*, True -*.sbbot.ru*, True -*.sbcarey.net*, True -*.sbenito.com.ar*, True -*.sbenito.org.ar*, True -*.sbentonmft.com*, True -*.sbest.org*, True -*.sbfhome.net*, True -*.sbhelper.com*, True -*.sbindy.com*, True -*.sbinflight.com*, True -*.sbinfo.com*, True -*.sbin.org*, True -*.sbiz.ro*, True -*.sbkhouse.com*, True -*.sbleader.com*, True -*.sb-market.hk*, True -*.sbma.ru*, True -*.sbme.com.br*, True -*.sbmh.com.au*, True -*.sbn.kz*, True -*.sbo991.com*, True -*.sbo99.tv*, True -*.sbofatlanta.com*, True -*.sborniateam.tk*, True -*.sbourget.net*, True -*.sbradshaw.co.uk*, True -*.sbragiaphoto.com.br*, True -*.sbrickwood.uk*, True -*.sbsuprimentos.com.br*, True -*.sbs.waw.pl*, True -*.sbta.com.au*, True -*.sbwildes.org*, True -*.sbxmini.net*, True -*.sbydev.me*, True -*.sby.me*, True -*.sc2gg.com*, True -*.sc4-h.org*, True -*.sc727.com*, True -*.scada.cl*, True -*.scadaexploit.com*, True -*.scadaexploits.com*, True -*.scadahackers.com*, True -*.scadahackers.us*, True -*.scadaingenieria.com.ar*, True -*.scadi.cl*, True -*.scaffolding-central.com*, True -*.scaffoldingjkm.com*, True -*.scaffolding-mjs.com*, True -*.scafftracker.co.uk*, True -*.scalamoosh.com*, True -*.scaldeddog.com*, True -*.scaleofferings.com*, True -*.scalexworld.com*, True -*.scaliante.net*, True -*.scallex.net*, True -*.scall.org*, True -*.scalpex.ru*, True -*.scalvage.me*, True -*.scaly.org*, True -*.sca-mt.org*, True -*.scan2email.co.za*, True -*.scanblock.com.br*, True -*.scandalvn.com*, True -*.scandiaeldercare.com*, True -*.scandura.com.br*, True -*.scanlantelevision.com*, True -*.scanlantelevision.net*, True -*.scan-me.tk*, True -*.scannerpilquinao.cl*, True -*.scanone.com.br*, True -*.scanone.inf.br*, True -*.scanone.net.br*, True -*.scanon.ru*, True -*.scanstone.com*, True -*.scanvx.com.my*, True -*.scanware.it*, True -*.scaphand.com*, True -*.scaphand.info*, True -*.scaphand.net*, True -*.scaphand.org*, True -*.scaramucci.com.br*, True -*.scarboroughgymelites.ca*, True -*.scarfacepileofblow.com*, True -*.scariinterioare.net*, True -*.scarinzi.ch*, True -*.scarletbeast.com*, True -*.scarlet.ch*, True -*.scarlet.co*, True -*.scarletpaintball.com*, True -*.scarllum.gq*, True -*.scarmakers.com*, True -*.scarpuscion.ch*, True -*.scaryflashgames.com*, True -*.scaryinter.net*, True -*.scaryzary.com*, True -*.scasanjuanvillargordo.com*, True -*.scasanjuanvillargordo.es*, True -*.scaune-auto-copii.ro*, True -*.scavhunt.net*, True -*.scawebsl.com*, True -*.scawn.co.uk*, True -*.scawn.info*, True -*.scawn.net*, True -*.scay.net*, True -*.sccapromo.com*, True -*.sc-coaching.net*, True -*.scd77.com*, True -*.scd88.com*, True -*.scda-simnic.ro*, True -*.scd.com.ve*, True -*.scdesign.org.br*, True -*.scd.hk*, True -*.s-cdn.tk*, True -*.scd.pp.ru*, True -*.scdu.ch*, True -*.scdwireless.com*, True -*.sceidaho.com*, True -*.scelestial.com*, True -*.scemn.org*, True -*.scenaristi.ro*, True -*.scenebox.info*, True -*.scene.cl*, True -*.scenefoundation.com*, True -*.scenenzb.com*, True -*.scenenzb.eu*, True -*.scene.pk*, True -*.sceniconline.com*, True -*.scentqueenqq.com*, True -*.scents.com.ar*, True -*.sc-error.ga*, True -*.scg-llc.co*, True -*.scg-llc.us*, True -*.schaadstoff.ch*, True -*.schachpunsch.ch*, True -*.schadrackandchapman.com*, True -*.schaeffer-chauffage.ch*, True -*.schaeffer-citernessa.ch*, True -*.schaer-michael.ch*, True -*.schaermichael.ch*, True -*.schala.de*, True -*.schallkoerper.info*, True -*.scharlet.com*, True -*.scharlet.ro*, True -*.sch-design.com.ar*, True -*.schedule.so*, True -*.schedule.web.id*, True -*.scheick.com*, True -*.scheidegger.info*, True -*.scheider.ch*, True -*.scheifeldhof.cl*, True -*.scheihing.cl*, True -*.scheinin.com.ar*, True -*.schematism.org*, True -*.schemerspace.com*, True -*.schenk.com.ar*, True -*.scherlypeinture.ch*, True -*.scherman.com.ar*, True -*.schiavinato.ga*, True -*.schibeschache.ch*, True -*.schielly.ch*, True -*.schiga.ch*, True -*.schiga.com*, True -*.schillerdubeck.com*, True -*.schillerxana.info*, True -*.schillingcompanies.com*, True -*.schimba-sistemul.ro*, True -*.schimb-de-carti.ro*, True -*.schimpfmaschine.ch*, True -*.schipro.ro*, True -*.schitters.com*, True -*.schizophrenia.ru*, True -*.schkoum.net*, True -*.schlachter.ca*, True -*.schlager.com.au*, True -*.schlagerjewellery.com*, True -*.schlagerjewellery.com.au*, True -*.schlaraffia-paulista.com.br*, True -*.schlegelmilch.org*, True -*.schmalle.ca*, True -*.schmalmack.net*, True -*.schmat.com*, True -*.schmaus.ch*, True -*.schmeisser.com*, True -*.schmid.es*, True -*.schmidschreinerei.ch*, True -*.schmidt-cisternas.net*, True -*.schmidt-riego.com.ar*, True -*.schmiri.ch*, True -*.schmitz-net.com*, True -*.schmonblasinstrumente.ch*, True -*.schnapperhof.com*, True -*.schnauzerargentina.com.ar*, True -*.schneider3.com*, True -*.schneider-gruyeres.ch*, True -*.schneiderhome.us*, True -*.schneller-dort.ch*, True -*.schnittke.tk*, True -*.schnocklake.ch*, True -*.schnocklake.com*, True -*.schnocklake.de*, True -*.schnorchel.li*, True -*.schnuffi.at*, True -*.schnyder-haustechnik.ch*, True -*.schnyder-markierungen.ch*, True -*.schoellerfamily.org*, True -*.schoeningh.ch*, True -*.schoentag.ch*, True -*.schoerlin.ch*, True -*.schofieldsautopro.com*, True -*.scholare.co.il*, True -*.scholteslu.eu*, True -*.scholtzatt.co.za*, True -*.schonaker.com.ar*, True -*.school54.org.ru*, True -*.schoolapp.hk*, True -*.school.cl*, True -*.schoolie.co.uk*, True -*.schoolmanagementsystem.com.pk*, True -*.schoolofengineering.co.za*, True -*.schoolofhops.com*, True -*.schoolofprivacy.cf*, True -*.school-of-privacy.com*, True -*.schoolofprivacy.ga*, True -*.schoolofprivacy.gq*, True -*.schoolofprivacy.ml*, True -*.schoolrun.net*, True -*.schoolsavingsclub.com*, True -*.schoolteam.hk*, True -*.schoonertravel.com*, True -*.schopito.com*, True -*.schoptkont.com*, True -*.schosti.ch*, True -*.schotman.eu*, True -*.schotrain.com*, True -*.schotte.com.au*, True -*.schovat.net*, True -*.schrammel.se*, True -*.schram.name*, True -*.schranz-racing.ch*, True -*.schreinerei-albin-meile.ch*, True -*.schreinerei-f-moser.ch*, True -*.schreinerei-nietlispach.ch*, True -*.schreiner-home.de*, True -*.schrierrentals.com*, True -*.schroedel.ch*, True -*.schrottspiele.de*, True -*.schucher.tk*, True -*.schuchin.ru*, True -*.schudnijszybko.com*, True -*.schuepbu.ch*, True -*.schuerch-knobel.com*, True -*.schuetz-kinesologie.ch*, True -*.schulbuchinfo.ch*, True -*.schulbuchshop.ch*, True -*.schule-duerrenroth.ch*, True -*.schule-giswil.ch*, True -*.schuler-it-consulting.de*, True -*.schulthesskerzen.ch*, True -*.schulznow.de*, True -*.schumi-trans.ch*, True -*.schutzzaun.biz*, True -*.schutzzaun.org*, True -*.schwab-guillod.ch*, True -*.schwabguillod.ch*, True -*.schwanenapo.ch*, True -*.schwang.eu*, True -*.schwarp.com*, True -*.schwarz.co.za*, True -*.schwarzeliste.ch*, True -*.schwatzkopf.ch*, True -*.schweizerfotografen.ch*, True -*.schwendimann.net*, True -*.schwerd.biz*, True -*.schwertech.com*, True -*.schwien.me*, True -*.schwtyl.com*, True -*.sci123.com*, True -*.sciadopitys.co.nz*, True -*.sciadopitys.nz*, True -*.scible.co.za*, True -*.scibot.me*, True -*.sci-bots.com*, True -*.scicoder.org*, True -*.scienceiseverywhere.com.au*, True -*.science-ncu.com*, True -*.sciencenews.us*, True -*.scienceofgrammar.com*, True -*.scienceonline.info*, True -*.science-technology-engineering-maths-industry-initiative.com*, True -*.science-technology-engineering-maths-industry-initiative.org*, True -*.scienex.com.br*, True -*.scientificimaging.cl*, True -*.scientistnow.com*, True -*.scientol.com*, True -*.scientrillogy.net*, True -*.scienza.xyz*, True -*.scijam.net*, True -*.sciku.org*, True -*.scimb.com*, True -*.scinclo.com*, True -*.sc-integra.com.mx*, True -*.scipedia.ro*, True -*.scirpjournal.org*, True -*.scissorfightmedia.com*, True -*.scissors61.co.uk*, True -*.scitru.com*, True -*.scity98.net*, True -*.scjr.ru*, True -*.sclelectrical.co.uk*, True -*.scleroseenplaques.net*, True -*.sclift.com.br*, True -*.scluncam.ro*, True -*.scmarshall.com*, True -*.scmcnc.org*, True -*.scm.com.au*, True -*.scmdatasolution.com*, True -*.scmh.eu*, True -*.scmobile.mobi*, True -*.sc-mold.com*, True -*.scnightline.com*, True -*.scnzb.eu*, True -*.scoala24-craiova.ro*, True -*.scoala2-ghermanesti.ro*, True -*.scoala309.ro*, True -*.scoala6resita.ro*, True -*.scoala9barlad.ro*, True -*.scoalagepiu.ro*, True -*.scoalaizvoarele.ro*, True -*.scoalamirceaeliadepitesti.ro*, True -*.scoalamobila.ro*, True -*.scoalarebrisoara.ro*, True -*.scoala-sanitara-satu-mare.ro*, True -*.scoalavalealupului.ro*, True -*.sco-beratung.ch*, True -*.scoday.com*, True -*.scoenergy.com*, True -*.scoffin.org*, True -*.scoken.com*, True -*.scolariada.ro*, True -*.scolarisa.ch*, True -*.scoliauto.ro*, True -*.scollon.co.uk*, True -*.scoolar.com.ar*, True -*.sco.org.za*, True -*.scooter-center.ro*, True -*.scooterpack.com*, True -*.scope.co.id*, True -*.scopeh.co.uk*, True -*.scopserv.co.za*, True -*.scopservice.co.za*, True -*.scoptel.co.za*, True -*.score5.org*, True -*.scorebard.com*, True -*.scorejournal.com*, True -*.score.pk*, True -*.score-times.co.kr*, True -*.score-times.com*, True -*.score-times.net*, True -*.scoreyourbestgoal.com.au*, True -*.scorfieldsandbox.net*, True -*.scorm.gr*, True -*.scorpionet.se*, True -*.scorpios2001.com*, True -*.scorpius.cf*, True -*.scorpnet.co.za*, True -*.scorpunix.eu*, True -*.scorry.net*, True -*.scortegagnaveiculos.com.br*, True -*.scortgirls.com.br*, True -*.scosync.com*, True -*.scotch-soda-hk.com*, True -*.scottabing.com*, True -*.scottalansmith.net*, True -*.scottallender.com*, True -*.scottandlissette.com*, True -*.scottblairforsheriff.com*, True -*.scottbradshaw.com*, True -*.scottclans.org*, True -*.scottconlee.com*, True -*.scottcramer.com*, True -*.scotteverson.info*, True -*.scottexteriors.com*, True -*.scottgang.com*, True -*.scottgoldrich.com*, True -*.scottishdiving.co.uk*, True -*.scottjstewart.com*, True -*.scottjungwirth.com*, True -*.scottjungwirth.net*, True -*.scottketelaar.com*, True -*.scottlewisonline.com*, True -*.scottmarchman.com*, True -*.scottmathews.tk*, True -*.scottmotyka.com*, True -*.scottprosser.com*, True -*.scottprosser.co.uk*, True -*.scottsays.com*, True -*.scottssharepoint.co.uk*, True -*.scottwrigg.com*, True -*.scottydosentknow.ca*, True -*.scouseweb.co.uk*, True -*.scout293.com*, True -*.scoutderesurreccion.com.ar*, True -*.scoutkennedy.com.ar*, True -*.scoutsaguadeoro.com.ar*, True -*.scoutsharkcheatsheets.com*, True -*.scoutsnadino.es*, True -*.scoutsoftyria.com*, True -*.scox.cl*, True -*.scozen.com*, True -*.scozone.com*, True -*.scp77.com*, True -*.scp87.com*, True -*.scqigong.com*, True -*.scrapbook.tk*, True -*.scrapheap.ru*, True -*.scrapitsoftware.com*, True -*.scrappaid.com*, True -*.scrappinchick.com*, True -*.scrapsandscribbles.com*, True -*.scrapshop.kz*, True -*.scratchbowling.com*, True -*.scratchcrib.com*, True -*.scratch.lv*, True -*.scratchy.nl*, True -*.scrcwhitelake.se*, True -*.screamindolly.com*, True -*.screamingsocks.com*, True -*.screaminsockets.com*, True -*.screenlets.org*, True -*.screenlog.net*, True -*.screenmaster.com.au*, True -*.screwrogers.com*, True -*.screwyou.fi*, True -*.scribblr.ca*, True -*.scribetown.com*, True -*.scrib.ro*, True -*.scripca.ro*, True -*.scriptbakerun.com*, True -*.script.cl*, True -*.script.com.ar*, True -*.scriptiklan.com*, True -*.scriptkiddie.eu*, True -*.scriptmmm.com*, True -*.scroggnet.net*, True -*.scrossgroup.com*, True -*.scrsac.com*, True -*.scruffy-bear.co.uk*, True -*.scruggs.me*, True -*.scrummaster.sg*, True -*.scrumpty.com*, True -*.scsi.com.mx*, True -*.scsomt.org*, True -*.sc-students.ch*, True -*.sctaichi.com*, True -*.sctdf.com.br*, True -*.sctv.ga*, True -*.sctzzj.com*, True -*.scubamemory.com*, True -*.scubanews.com.ve*, True -*.scucunet.com*, True -*.scuderia-calanda.tk*, True -*.scuderiaredwhite.com*, True -*.scuderiaredwhite.it*, True -*.scuderiart.com*, True -*.sculeather-gd.com*, True -*.sculpturi-lumanari.ro*, True -*.scumfunk.me*, True -*.scurma.ro*, True -*.scuroequadrato.tk*, True -*.scyo.com.au*, True -*.scyo.net.au*, True -*.scyo.org.au*, True -*.sczygelski.com*, True -*.sd0111.com*, True -*.sd5111.com*, True -*.sd6111.com*, True -*.sd7111.com*, True -*.sd8111.com*, True -*.sdatum.com*, True -*.sd-bbs.net*, True -*.sdcanuck.com*, True -*.sdcconsultores.com.ve*, True -*.sdchicks.com*, True -*.sdchung.com*, True -*.sde-depannage.ch*, True -*.sdelamorena.me*, True -*.sdemsm.com*, True -*.sdere.com*, True -*.sdesign.ro*, True -*.sdethess.gr*, True -*.sdhomeit.com*, True -*.sdhomepc.com*, True -*.sdhomepcrepair.com*, True -*.sdhotgirls.com*, True -*.sdhotties.com*, True -*.sdhts.com*, True -*.sdilejte.cz*, True -*.sdipeople.com.mx*, True -*.sdis.com.au*, True -*.sditalqolamsemarang.com*, True -*.sdktools.cf*, True -*.sdlglobal.com*, True -*.sdl-id.net*, True -*.sdmf.com.br*, True -*.sdmp3.tk*, True -*.sdm-tv.com*, True -*.sdmuhpurwo2yk.tk*, True -*.sdmusiccalendar.com*, True -*.sdn1sukorame.sch.id*, True -*.sdn66.com*, True -*.sdn77.com*, True -*.sdn87.com*, True -*.sdndukuh01salatiga.sch.id*, True -*.sdnet.biz*, True -*.sdnsimolawangkip.sch.id*, True -*.sdom.ml*, True -*.sdplafon.com*, True -*.sdp-mos.ru*, True -*.sdr-7272.com*, True -*.sdrats.com*, True -*.sdreiki.com*, True -*.sdrproject.com*, True -*.sdsdfwere.tk*, True -*.sdsgoglobal.com*, True -*.sdsi.com.ar*, True -*.sdska.tk*, True -*.sdslx.com*, True -*.sdsmanagement.cl*, True -*.sdsm.cl*, True -*.sdspivey.com*, True -*.sdsquick.com*, True -*.sds-ranking.ch*, True -*.sdsscram.com*, True -*.sdthaa.org*, True -*.sdti.tw*, True -*.sdw-net.com*, True -*.sdwnet.info*, True -*.sdw-net.net*, True -*.sd-xbmc.com*, True -*.sd-xbmc.info*, True -*.sd-xbmc.org*, True -*.sdyn.tk*, True -*.se12.org.za*, True -*.se30.se*, True -*.se7encyberteam.com*, True -*.se7en.ga*, True -*.se7en.gq*, True -*.se7l.com*, True -*.seaandhill.com*, True -*.seabreezemackay.com.au*, True -*.seacalf.lv*, True -*.seacoastsmiles.com*, True -*.seacoastvisions.com*, True -*.seacom.com.my*, True -*.seaenergy.com.ar*, True -*.seafoodhang.com*, True -*.seagreenonthepark.net*, True -*.seaheat.com.au*, True -*.seahorsenet.com*, True -*.seaiq.com*, True -*.seal4life.com*, True -*.sealesnet.com*, True -*.sealevelscience.com*, True -*.sealmax.ro*, True -*.sealswim.com.au*, True -*.sealtitesf.com*, True -*.sealx.net*, True -*.seamaidhouse.com*, True -*.seamarket.gr*, True -*.seamosmasfeuv.cl*, True -*.seamtoday.info*, True -*.seamusotasty.com*, True -*.sean409.com*, True -*.seanadams.com*, True -*.seanadamson.com*, True -*.seanandchrissy.com*, True -*.seanandnora.com*, True -*.seanandrach.co.uk*, True -*.seanblake.ca*, True -*.seanbox.me*, True -*.seanburner.com*, True -*.seandolism.com*, True -*.seandunn.com*, True -*.seanheffernan.me*, True -*.seanhill.ca*, True -*.seanlair.com*, True -*.seanmackesey.com*, True -*.seanmacpherson.co.uk*, True -*.seanmclean.net*, True -*.seannathanricks.com*, True -*.seanohoulihan.com*, True -*.seantdwilson.com*, True -*.searadeseara.ro*, True -*.searchdb.us*, True -*.searching3d.com*, True -*.searchingforshakespeare.org*, True -*.searchinjun.com*, True -*.searchkeeper.net*, True -*.searchlink.com.br*, True -*.searchmelive.com*, True -*.search-mp3s.com*, True -*.searchmystreet.com*, True -*.searchmystreet.co.uk*, True -*.searchpdf.info*, True -*.searchphoto.ru*, True -*.searchsmall.com*, True -*.searchsmaller.com*, True -*.searchxmlfeed.com*, True -*.searc.ru*, True -*.searma.com.ar*, True -*.searsfamilyme.org*, True -*.seas.com.my*, True -*.seasol.net*, True -*.seasol.org*, True -*.seasonalholidays.info*, True -*.seasondvn.pro*, True -*.season.tw*, True -*.seasunsky.co*, True -*.seasunsky.tk*, True -*.seatech.ir*, True -*.seatec.pt*, True -*.seattleaftermidnight.com*, True -*.seattlejapaneseschool.com*, True -*.seattlesuntimes.com*, True -*.seawolfexp.ch*, True -*.seawolf.su*, True -*.seba.cl*, True -*.sebaskates.gr*, True -*.sebastiaanjacobs.be*, True -*.sebastianartola.com.ar*, True -*.sebastiancordova.cl*, True -*.sebastiandagostino.com*, True -*.sebastian-dicke.eu*, True -*.sebastianenrique.com.ar*, True -*.sebastiangirona.com.ar*, True -*.sebastianleyton.cl*, True -*.sebastianlund.se*, True -*.sebastianruberalawyers.com.au*, True -*.sebastiansblog.com*, True -*.sebastianvera.com.ar*, True -*.sebastianvielmas.cl*, True -*.sebbi.tk*, True -*.sebert.info*, True -*.sebessegmero.ga*, True -*.sebgroves.co.uk*, True -*.sebifit.com*, True -*.sebigy.com*, True -*.sebigy.co.uk*, True -*.sebigy.se*, True -*.sebnil.se*, True -*.sebol.net*, True -*.sebol.org*, True -*.sebseb.tk*, True -*.seburn.net*, True -*.sebworks.com*, True -*.secara-tanc.ro*, True -*.secasia.com*, True -*.secby.me*, True -*.secby.us*, True -*.secciomuntanya.cat*, True -*.secdev.ch*, True -*.sececomunicaciones.com.ar*, True -*.sechk.com*, True -*.sechsaplus.ch*, True -*.seci.co.id*, True -*.secinfo.ro*, True -*.secinves.com.ar*, True -*.secksi.org*, True -*.seclinet.de*, True -*.seclinet.org*, True -*.seclogistic.com*, True -*.secnet.org*, True -*.secold.com*, True -*.secondincommand.net*, True -*.secondlookbook.com*, True -*.secondpage.in*, True -*.secondvariety.net*, True -*.secoyarittenberry.us*, True -*.secprog.org*, True -*.secr3t.net*, True -*.secretagent.tv*, True -*.secretaria24horas.com.br*, True -*.secretbits.com*, True -*.secretdebeaute.ch*, True -*.secretgirlstuff.com.au*, True -*.secretlegends.org*, True -*.secretosx.com*, True -*.secretulbucatarului.ro*, True -*.secrisys.com*, True -*.secrisys.de*, True -*.secrisys.eu*, True -*.secrisys.info*, True -*.secrisys.net*, True -*.secseq.com*, True -*.section77.de*, True -*.sectman.cl*, True -*.sectorzero.cl*, True -*.secubox.cl*, True -*.sec-u.com*, True -*.secular.org.nz*, True -*.secularpineapple.com*, True -*.secundaria.cat*, True -*.secundaria.eu*, True -*.secundaria.info*, True -*.securacall.com*, True -*.securacall.net*, True -*.secureip.org*, True -*.securesso.co.uk*, True -*.securitel.com*, True -*.securitynotes.ro*, True -*.securityservicesennis.com*, True -*.securus.net.br*, True -*.secvoip.com*, True -*.secyinc.info*, True -*.seddon.eu*, True -*.sedeport.com.ar*, True -*.sedgefieldumc.org*, True -*.sedighedolatabadi.org*, True -*.sedipenz.at*, True -*.seditionist.net*, True -*.sedman.us*, True -*.sedna.ro*, True -*.sedotstation.com*, True -*.seduction.hk*, True -*.seductiveapps.com*, True -*.sedyefiyatlari.com*, True -*.see-bt.com*, True -*.seedbit.ro*, True -*.seedflux.net*, True -*.seedhawk.com.au*, True -*.seedhub.ro*, True -*.seed-it.tk*, True -*.seedlingsshow.com*, True -*.seedoubleyou.org*, True -*.seedymelon.com*, True -*.seegraphics.me*, True -*.seekbuddy.us*, True -*.seek-e.com*, True -*.seekformacion.com*, True -*.seekmoretequila.com*, True -*.seekmymusic.net*, True -*.seelandmusical.ch*, True -*.seel.cl*, True -*.seelead.com*, True -*.seelo.com*, True -*.seelyze.com*, True -*.seemou4u.com*, True -*.seemyimgs.com*, True -*.seen.com.pk*, True -*.seeneed.com*, True -*.seen.lu*, True -*.seen.pk*, True -*.seepicphotoworks.com*, True -*.seerose-ev.de*, True -*.seesoft.ro*, True -*.seetal-carrosserie.ch*, True -*.seethelizard.com*, True -*.sefieme.com*, True -*.sefitek.com*, True -*.sefodopo.tk*, True -*.se-foundation.co.za*, True -*.se-fri.ch*, True -*.sefr.org*, True -*.sefta.web.id*, True -*.segarcadia.com*, True -*.segarra.cat*, True -*.segarra.com.ar*, True -*.segawon.net*, True -*.segelflugzeugunterhalt.ch*, True -*.segfault.es*, True -*.segfort-pa.com.br*, True -*.seginus.ru*, True -*.segjarseguros.tk*, True -*.segmentationfault.info*, True -*.segmentonux.pt*, True -*.segunet.com.mx*, True -*.segunet.mx*, True -*.segura.com.ar*, True -*.segurancamaximaescolasdeconducao.com*, True -*.segurancamaximaescolasdeconducao.pt*, True -*.segurancamaxima.pt*, True -*.seguretat-informatica.cat*, True -*.seguridadgsm.cl*, True -*.seguridadsistema.com.ve*, True -*.seguroanimais.com*, True -*.seguro-bicicletas.com*, True -*.seguro-cavalos.com*, True -*.segurocondominio.pt*, True -*.segurodeconsorcios.com.ar*, True -*.segurodoencasgraves.com*, True -*.seguro-embarcacoesrecreio.com*, True -*.seguro-erasmos.com*, True -*.seguro-estomatologia.com*, True -*.seguromediko.com.mx*, True -*.seguromedis.com*, True -*.seguro-mercadorias.com*, True -*.seguro-mercancias.com*, True -*.seguromulticare.com*, True -*.seguroppr.com*, True -*.seguroreforma.com*, True -*.segurosana.com.mx*, True -*.segurosonline.com.mx*, True -*.segurososes.com.ar*, True -*.segurossimples.com.br*, True -*.seguro-transitarios.com*, True -*.seguro-tu-auto.com*, True -*.segurovidacredito.com*, True -*.seguro-vida-metlife.com*, True -*.segurovidarisco.com*, True -*.seguy.cl*, True -*.segv.cc*, True -*.sehardinnwunionfire.org*, True -*.sehatkita69.tk*, True -*.sehatlah.ml*, True -*.sehat-pedia.com*, True -*.sehatsisi.com*, True -*.sehoole.nom.za*, True -*.se-house.ru*, True -*.seibertland.org*, True -*.seiche-power.com*, True -*.seidenkokon.ch*, True -*.seifert.com.ar*, True -*.seiffert-consulting.ch*, True -*.seigluecklichcoaching.ch*, True -*.seikukan.cl*, True -*.seimedical.com.mx*, True -*.seinchile.cl*, True -*.seindonesia.info*, True -*.seinig.ch*, True -*.seireitei.net*, True -*.seirin.gq*, True -*.seislander.me*, True -*.seismicstufftechnology.com*, True -*.seitan-authentique.fr*, True -*.seizer48.net*, True -*.sejahteratenda.com*, True -*.sejahterawahana.com*, True -*.sejak.tk*, True -*.sejarahkebudayaanislam.com*, True -*.sejatiresidences.com*, True -*.sejatiresidences.net*, True -*.sekargadung.club*, True -*.sekargadung.info*, True -*.sekarrokok.tk*, True -*.sekedarberbagi.info*, True -*.sekedartips.tk*, True -*.sekhar.net*, True -*.sekilas.tk*, True -*.sekiolabs.net*, True -*.sekipfm.dj*, True -*.seki-project.org*, True -*.sekkei-solutions.net*, True -*.sekmiadvancekolmediav.co*, True -*.sekmigokoldesignv.co*, True -*.sekmigokoldigitalv.co*, True -*.sekmigokolgroupv.co*, True -*.sekmigokolmediav.co*, True -*.sekmimovekolmediav.co*, True -*.sekmirunkolgroupv.co*, True -*.sekmirunkolmediav.co*, True -*.sekmitransitkolmediav.co*, True -*.sekmiwalkkolmediav.co*, True -*.sekmo.com*, True -*.sekolahku.co.id*, True -*.sekolahmenyenangkan.org*, True -*.sekretyzdrowia.com*, True -*.sekrop-duasriti.com*, True -*.sela.com.au*, True -*.selaive.cl*, True -*.selalujaya.com*, True -*.selamatulangtahunalfi.com*, True -*.selamat-ulangtahun.co*, True -*.selamet.web.id*, True -*.selamgiyim.com.tr*, True -*.selamtekstil.com.tr*, True -*.selangit.com*, True -*.selaput.la*, True -*.selaru.ro*, True -*.selatanjayaplastik.com*, True -*.selatanonline.net*, True -*.selatinfinite.com*, True -*.selberg.org*, True -*.selbstapotheose.de*, True -*.selbylife.co.uk*, True -*.selcinc.com*, True -*.selconllc.com*, True -*.selconsa.com*, True -*.seldocs.com.ar*, True -*.selectcraft.tk*, True -*.selectgas.co.za*, True -*.selectglas.nl*, True -*.selectnet.co.za*, True -*.selectseafoodscanada.biz*, True -*.selectseafoodscanada.com*, True -*.selectseafoodscanada.net*, True -*.selenec.com*, True -*.seleranusantara.co.id*, True -*.selfantasy.com*, True -*.selfasig.ro*, True -*.selfbook.com.au*, True -*.selfcentric.com*, True -*.self-financial.ro*, True -*.selfie.id.au*, True -*.selfip.tk*, True -*.selfi.si*, True -*.self-loadpv.com*, True -*.self-screen.com*, True -*.selfstore.hu*, True -*.selimgoktas.com.tr*, True -*.selina-models.ru*, True -*.selinamoon.com*, True -*.seljebu.no*, True -*.selkapolis.com*, True -*.sellam.co.uk*, True -*.sellars.us*, True -*.sellbitcoins.com*, True -*.selled.ru*, True -*.sellingcvv.com*, True -*.sellpub.ru*, True -*.selltohome.com*, True -*.sellwmz.com*, True -*.selnastore.com*, True -*.selohr.com*, True -*.seluco.ch*, True -*.selular.co.id*, True -*.selva-style.be*, True -*.selvita.com.ar*, True -*.sem78.com*, True -*.semangat-teknik.com*, True -*.semanticfirewall.com*, True -*.semanticum.com*, True -*.semarangblackhat.com*, True -*.semarangblackhat.or.id*, True -*.semarvpn.cf*, True -*.semashare.com*, True -*.sematoastmasters.org*, True -*.semax.ro*, True -*.sembiring.com*, True -*.sembiring.web.id*, True -*.sembon.cc*, True -*.sembon.net*, True -*.sembung.eu*, True -*.semdestino.org*, True -*.semeirasnembeiras.com.br*, True -*.semenelinmusic.com*, True -*.semenenko.com.ar*, True -*.sementescaicara.com*, True -*.semenuik.com*, True -*.semenzalaw.com*, True -*.semenzalawfirm.com*, True -*.semerufm.net*, True -*.semeruintisukses.net*, True -*.semestahotel.com*, True -*.semfosys.com*, True -*.semiconduct.com*, True -*.semi-conductors.eu*, True -*.semiconseller.com*, True -*.semillasdelino.org*, True -*.semillerorock.cl*, True -*.semionova.lt*, True -*.semioptimal.net*, True -*.semipackages.com*, True -*.semipkg.com*, True -*.semircioglu.com*, True -*.semislonov.info*, True -*.semlinkchecker.com*, True -*.semlitsch.at*, True -*.semn.al*, True -*.semongko.net*, True -*.semoxs.ga*, True -*.semperwifi.com*, True -*.sempiternalculture.com*, True -*.sempoi.com.my*, True -*.sempoi.my*, True -*.sempoi.net.my*, True -*.semrakat.us*, True -*.semuaberes.com*, True -*.semuainfo.com*, True -*.semuamusik.com*, True -*.semvakleopard.org*, True -*.senacandrampc.moe*, True -*.senamar.com.br*, True -*.senaputra.com*, True -*.senartogok.com*, True -*.senasentosa.com*, True -*.senate.sx*, True -*.senatorramirez.com*, True -*.senavn.com*, True -*.senbgroup.com*, True -*.sencha-specialist.com*, True -*.sencha-specialist.nl*, True -*.sencha-tr.com*, True -*.sencomasmuliajaya.com*, True -*.sendayan.net*, True -*.sendcourier.com*, True -*.senderosaraucania.cl*, True -*.senderosdelfolklore.cl*, True -*.senderosdepecan.com.ar*, True -*.sendfreesms.in*, True -*.sendtext.ca*, True -*.senegocia.cl*, True -*.seneka.org*, True -*.seneka.ro*, True -*.senevalveiculos.com.br*, True -*.senferdialt.cl*, True -*.sengelectric.com.my*, True -*.senggolngaceng.tk*, True -*.senhorx.com*, True -*.seni-budaya.org*, True -*.seni.com.my*, True -*.seniorexpress.org*, True -*.seniori365.com*, True -*.seniori365.fi*, True -*.seniori365.net*, True -*.seniori365.org*, True -*.seniors-4-hire.com*, True -*.seniorshousing.ru*, True -*.seniorsonlyservice.com*, True -*.senira.fi*, True -*.senja.gq*, True -*.senk.biz*, True -*.senna.id*, True -*.senno.ru*, True -*.sen.org.nz*, True -*.senretto.com*, True -*.senrique.com.ar*, True -*.sensefantasy.com*, True -*.sensehotel.asia*, True -*.senseiacademy.net*, True -*.senseiorozimbo.cl*, True -*.sensescams.net*, True -*.sensibleinvesting.com.au*, True -*.sensibletech.net*, True -*.sensidev.com*, True -*.sensiumvitals.com.au*, True -*.sensoh.com*, True -*.sensor.se*, True -*.sensoryoverload.nl*, True -*.sentchat.com*, True -*.sentidocomercial.com.mx*, True -*.sentjernej-turizem.com*, True -*.sentjernej-turizem.si*, True -*.sentosajayaabadi.com*, True -*.sentrabet88.com*, True -*.sentradigital.com*, True -*.sentradigital.net*, True -*.sentradroid.com*, True -*.sentra-edukasi.com*, True -*.sentrakaroseries.com*, True -*.sentron.in*, True -*.sentrypatent.com*, True -*.sentryuniformcap.com*, True -*.senttec.com*, True -*.sentwith.co.uk*, True -*.senuit-server.com*, True -*.senyum.org*, True -*.seo3o.ir*, True -*.seoexp.ir*, True -*.seofan.ir*, True -*.seofix.it*, True -*.seohack.it*, True -*.seo.id.lv*, True -*.seoly.it*, True -*.seomake.it*, True -*.seomizer.it*, True -*.seooptimizacija.si*, True -*.seo-patrol.ru*, True -*.seopatrol.ru*, True -*.seoprosecrets.com*, True -*.seoschool.com.pk*, True -*.seosecretsdeclassified.com*, True -*.seosecretsunleashed.com*, True -*.seosemconsultantservice.com*, True -*.seosemconsultantservices.com*, True -*.seoshandong.com*, True -*.seosierra.com*, True -*.seospawn.com*, True -*.seostart.ru*, True -*.seotechno.ir*, True -*.seotest.ml*, True -*.seotrainingtactics.com*, True -*.seotrain.ir*, True -*.seo-tricky.com*, True -*.seo-trik.com*, True -*.seoulqueen.info*, True -*.seouni.ir*, True -*.seowiz.ro*, True -*.sep42.com*, True -*.sep7.tk*, True -*.sepahvand.com*, True -*.separatysta.com*, True -*.sepatuolahra.ga*, True -*.sepatustyle.com*, True -*.sepent.net*, True -*.sephyr.org*, True -*.sepi.be*, True -*.seppalat.fi*, True -*.seppanenjaana.fi*, True -*.seprotec.net.br*, True -*.seproxies.com*, True -*.sepsihirdeto.ro*, True -*.sepsiszentgyorgy.ga*, True -*.septictankramahlingkungan.com*, True -*.septumtesseract.com*, True -*.septy.net*, True -*.septy.us*, True -*.sepu.cl*, True -*.sepurane-mas.tk*, True -*.seputarmobile.com*, True -*.seputar-youtube.info*, True -*.seqre.org*, True -*.sequencetree.org*, True -*.sequestering.org*, True -*.sequielo.com.ar*, True -*.sequoiapartners.com*, True -*.ser2net.tk*, True -*.seragamolahragaku.com*, True -*.seramaitalia.it*, True -*.serasaexperian.net*, True -*.serayu.co.id*, True -*.serbainformasi.com*, True -*.serbaorganik.com*, True -*.serbia.cf*, True -*.serbod.com*, True -*.serco.cl*, True -*.sercologistics.cl*, True -*.sercomm.com.au*, True -*.se-r.com.mx*, True -*.seregin.pro*, True -*.serei.com.br*, True -*.serelec.com.ar*, True -*.serenabellydance.com*, True -*.serenelimos.com*, True -*.serenityskies.com*, True -*.sergapnews.com*, True -*.sergeherren.ch*, True -*.sergeintsas.com*, True -*.serge-photo.ru*, True -*.sergeygarkushko.com*, True -*.sergeykatsev.com*, True -*.sergeymalyshev.biz*, True -*.sergeyosipov.ru*, True -*.sergey-spektor.co.il*, True -*.sergfein.com*, True -*.sergi.es*, True -*.sergioandyeny.com*, True -*.sergio-webdesign.com*, True -*.sergioyromyna.com*, True -*.sergiozarate.com.ar*, True -*.sergnese.com.ar*, True -*.serhiy.eu*, True -*.serialdysfunction.com*, True -*.serialeleonline.com*, True -*.serialez.com*, True -*.serialkiller.eu*, True -*.serials.ch*, True -*.seriam.cl*, True -*.seriealiker.com*, True -*.series.cat*, True -*.serino.com.ar*, True -*.seriousdispute.com*, True -*.seriously.ga*, True -*.seriouslymisled.ca*, True -*.seriouslymisled.org*, True -*.seriouslystylish.com*, True -*.seriouz.biz*, True -*.seriph.co.uk*, True -*.serizon.com*, True -*.serkanbulut.com*, True -*.serkandogrusoz.com*, True -*.serkan.web.tr*, True -*.sermatek.com*, True -*.sermilanlv.com.br*, True -*.seronline.com.br*, True -*.seroteca.com*, True -*.serparsenal.com*, True -*.serpdomains.com*, True -*.serpenk.ru*, True -*.serpentineroad.com*, True -*.serpentineroad.co.uk*, True -*.serpninja.com*, True -*.serpninja.net*, True -*.serpninja.org*, True -*.serpproxies.com*, True -*.serpreaper.com*, True -*.serpreaper.net*, True -*.serprise.com*, True -*.serproeventos.cl*, True -*.serp-team7.xyz*, True -*.serracloud.es*, True -*.serrado.net*, True -*.serramar.com.br*, True -*.serranaautomoveis.com.br*, True -*.serranoliva.com*, True -*.serras.de*, True -*.serrazina.com*, True -*.serrurier-tirone.be*, True -*.sersanchus.com*, True -*.sertakip.net*, True -*.sertanejas.net*, True -*.sertanejos.net*, True -*.serta.pt*, True -*.sertecruiz.cl*, True -*.sertevisa.com*, True -*.serunato.tk*, True -*.serupedia.com*, True -*.seruput.com*, True -*.serv125.com*, True -*.serv127.com*, True -*.serv1.info*, True -*.serva.cf*, True -*.serva.me*, True -*.servecentral.org*, True -*.servegame.gq*, True -*.servelbb.info*, True -*.servemc.tk*, True -*.serveminecraft.ga*, True -*.server24.ml*, True -*.serveradmin.tk*, True -*.serverbr.cf*, True -*.serverbr.tk*, True -*.servercontroller.co.uk*, True -*.server-dedicat.com*, True -*.serverdetect.com*, True -*.serverdiscuss.com*, True -*.servere-virtuale.ro*, True -*.serverhost.gq*, True -*.serverhost.org.uk*, True -*.server.id.lv*, True -*.serveridns.com*, True -*.serverinformatiquevpn.com*, True -*.serveris.id.lv*, True -*.servermarket.com.my*, True -*.servermarket.my*, True -*.server-mehdi.tk*, True -*.serverndspeed.tk*, True -*.servernux.com*, True -*.serveronthewall.com*, True -*.serverowners.org*, True -*.serverpark.hu*, True -*.serverpit.com*, True -*.servers4all.com*, True -*.serversex.com*, True -*.serverstuen.dk*, True -*.servertux.org*, True -*.serveruplink.net*, True -*.serververde.it*, True -*.servervpnku.cf*, True -*.server-vps.ro*, True -*.serverwallet.asia*, True -*.serverwallet.in*, True -*.serverx.ro*, True -*.serverz.us*, True -*.servetos.org*, True -*.serveur-tech.com*, True -*.servexvenezuela.com*, True -*.servfisio.com.br*, True -*.serviagua.pt*, True -*.servial.cl*, True -*.servicaja.mx*, True -*.serviceadmin.ch*, True -*.service--auto.ro*, True -*.servicecafe.ro*, True -*.servicedeskparagon-group.co.uk*, True -*.servicedesk.us*, True -*.servicegrup.ro*, True -*.service-husqvarna.ro*, True -*.serviceimport.com*, True -*.servicemix.pl*, True -*.servicenterpc.cl*, True -*.serviceone.hk*, True -*.servicepack.ch*, True -*.servicepre.com*, True -*.service-repair-manual.com*, True -*.servicesgp.com*, True -*.servicesit.ro*, True -*.serviceslimit.com*, True -*.servicetimbangan.com*, True -*.servicetransport.info*, True -*.servicewest-apac.com*, True -*.serviciiutile.ro*, True -*.serviciodetransporte.com.mx*, True -*.serviciomisantla.mx*, True -*.servicioreforma.com*, True -*.serviciosaeroespaciales.cl*, True -*.serviciosaltair.cl*, True -*.serviciosapelativos.net*, True -*.servicioscmat.cl*, True -*.serviciosgeologicos.com.ar*, True -*.serviciosmunicipales.com.mx*, True -*.serviciosperval.cl*, True -*.serviciosprofesionalesinformaticos.com.mx*, True -*.serviciostrememn.cl*, True -*.servidorbarato.net*, True -*.servidordedns.es*, True -*.servidorlocal.pt*, True -*.servidormail.ml*, True -*.servidorwifi.com*, True -*.serviexpress.com.ar*, True -*.servimensa.com.ar*, True -*.servimont.cl*, True -*.servisfarm.com*, True -*.servishop.com.br*, True -*.serviskoles.com*, True -*.serviskoles.net*, True -*.servi.us*, True -*.serviziinformativi.ch*, True -*.servome.com*, True -*.servome.co.uk*, True -*.servoni.eu*, True -*.servrx.ca*, True -*.servtelar.tk*, True -*.servu.ga*, True -*.servus-gemeinde.at*, True -*.servusgemeinde.at*, True -*.sesamath.ch*, True -*.sesame-oil.tw*, True -*.sesameoil.tw*, True -*.sesameschool.tw*, True -*.sesashi.com*, True -*.sesdethikolnemedia.pw*, True -*.seserver.ru*, True -*.seservices.ca*, True -*.sesesa9.com*, True -*.sesquisharp.com*, True -*.sestine.eu*, True -*.set-5882.com*, True -*.set-7942.com*, True -*.setaaann.gq*, True -*.setanding.com.my*, True -*.setarehabi-gerash.ir*, True -*.setater.ro*, True -*.setav.ru*, True -*.seteinfogv.com.br*, True -*.setgamers.com*, True -*.set-gogo.com*, True -*.set-gold.com*, True -*.set-good.com*, True -*.setiabakti.com*, True -*.setiabet.com*, True -*.setia.ga*, True -*.setiahosting.net*, True -*.setiamusik.info*, True -*.setic.ca*, True -*.seti.com.ar*, True -*.setikom.web.id*, True -*.setiquest.info*, True -*.set-kiss.com*, True -*.setlockone.com*, True -*.setmaster.ro*, True -*.setonsuccess.com*, True -*.se-topics.ir*, True -*.setorcomercialsul.com*, True -*.setter.lv*, True -*.setterstrend.com*, True -*.setthetoneapp.com*, True -*.setting-mikrotik.com*, True -*.settlesassoc.com*, True -*.setu444.com*, True -*.setuju.ga*, True -*.setupselfmanagedsuperfund.com.au*, True -*.seturan.web.id*, True -*.setyobudi.web.id*, True -*.setzy.com*, True -*.seucarrodevolta.com*, True -*.seucartaotelefonico.com.br*, True -*.seuh2.com*, True -*.seuhistoryplay.com*, True -*.seulifetime.com*, True -*.seul.in*, True -*.seumundoaqui.com*, True -*.seunghee.net*, True -*.seusprodutos.com.br*, True -*.sev3n.com*, True -*.sevanje.net*, True -*.sevendigitaltechnology.com*, True -*.sevenedu.com*, True -*.sevenprovedor.com.br*, True -*.sevenproxi.es*, True -*.sevenred.eu*, True -*.sevenseducation.com*, True -*.sevensoutsourcing.com*, True -*.sevenstaxsolution.com*, True -*.sevens.xyz*, True -*.seventeenfour.com*, True -*.seventwentythreeeleven.com*, True -*.sevenware.ro*, True -*.severed.us*, True -*.severin.cl*, True -*.severinosena.cf*, True -*.severinosena.ga*, True -*.severinosena.ml*, True -*.severinosena.tk*, True -*.severins.ch*, True -*.severinwinkler.ch*, True -*.sever-maribor.com*, True -*.sever-nk.ru*, True -*.seversk.tv*, True -*.sevi.ro*, True -*.sevitalochan.com*, True -*.sevstrojspb.ru*, True -*.sevtwo.com*, True -*.sevtwo.info*, True -*.sevvie.tk*, True -*.sewarentalmobil.com*, True -*.sewdvcas.net.au*, True -*.sewgcraft.ml*, True -*.sewpreciousbaby.com*, True -*.sewraj.co.za*, True -*.sewriteind.com*, True -*.sex18porno.com*, True -*.sex4ip.com*, True -*.sex4you.li*, True -*.sex7979.net*, True -*.sexboarding.com*, True -*.sexcamera.co.za*, True -*.sexcc.ru*, True -*.sexcet.net*, True -*.sexcuatui.com*, True -*.sexedem.com*, True -*.sexfilm.fi*, True -*.sexkontakte-community.com*, True -*.sexmirs.ru*, True -*.sexmistrz.pl*, True -*.sexoam.com.br*, True -*.sexoecompanhia.com*, True -*.sex-offender-tests.com*, True -*.sexoid.net*, True -*.sexoid.org*, True -*.sex-online24.ru*, True -*.sexopolis.es*, True -*.sexpanther.com.au*, True -*.sexremember.com*, True -*.sexshopbahia.com.br*, True -*.sexshopdagente.com.br*, True -*.sexshopemsalvador.com.br*, True -*.sexshopsalvador.com.br*, True -*.sex-sung.com*, True -*.sex-tales.net*, True -*.sex-tales.org*, True -*.sextales.org*, True -*.sextamarcha.cl*, True -*.sextube.ro*, True -*.sexualhealthtablet.com*, True -*.sexualmente.mx*, True -*.sexvatican.com*, True -*.sexvideochat.ro*, True -*.sexvidz.net*, True -*.sexvip.in*, True -*.sexvn.ga*, True -*.sexy69.ml*, True -*.sexyboa.net*, True -*.sexydesignershoes.com*, True -*.sexyfwd.com*, True -*.sexyhub.co*, True -*.sexyinstinct.com*, True -*.sexykoreangirlshd.com*, True -*.sexynakedfreedom.info*, True -*.sexyterapia.cl*, True -*.sexywash.pt*, True -*.sey73.com*, True -*.sey92.com*, True -*.seychellesbest.com*, True -*.seychellesheritage.sc*, True -*.seyidamili.com*, True -*.seyidamili.net*, True -*.seyidamili.org*, True -*.seyyah360.com*, True -*.sfa-cloud.ro*, True -*.sfacloud.ro*, True -*.sfanet-server.tk*, True -*.sfantusasa.com*, True -*.sfbbq.com*, True -*.sfbconstruction.com*, True -*.sfbdg.com*, True -*.sfe666.com*, True -*.sfenningphotography.co.uk*, True -*.sferaspb.ru*, True -*.sfflexsuiteweb.com*, True -*.sffoundation.co.za*, True -*.sfgoodridge.in*, True -*.sfindigo.com*, True -*.sfinxen.se*, True -*.sflims.com*, True -*.sflu.com*, True -*.sfmakeup.com.ar*, True -*.sfmauser.com*, True -*.sfmclinic.com*, True -*.sfmir.ru*, True -*.sf-n.org*, True -*.s-forum.ru*, True -*.sfpack7.org*, True -*.sfragale.com*, True -*.sfs-sweater.com*, True -*.sfta.sk*, True -*.sft-software.com*, True -*.sfumusic.com*, True -*.sfvideostudio.sk*, True -*.sfwines.com*, True -*.sfxscouts.org*, True -*.sg1703.com*, True -*.sga15.com*, True -*.sgananda.com*, True -*.sgananda.co.za*, True -*.sganov.com*, True -*.sg-as.net*, True -*.sg-as.ru*, True -*.sgbookkeeping.org.za*, True -*.sgbrickhouse.com*, True -*.sgbuildapp.com*, True -*.sgd168.com*, True -*.sgd688.com*, True -*.sgd789.com*, True -*.sgf-burg.ch*, True -*.sgf-menziken.ch*, True -*.sghairs.com.br*, True -*.sghosting.cf*, True -*.sghr.jp*, True -*.sgiri.com.np*, True -*.sgislandmirror.gs*, True -*.sgjournal.com*, True -*.sglead.com*, True -*.sgmassorder.com*, True -*.sgmlguru.org*, True -*.sgmun.ch*, True -*.sgnltd.com*, True -*.sgorshkov.ru*, True -*.sgpublications.gs*, True -*.sgranit.ru*, True -*.sg-rasselbandi.ch*, True -*.sgs2021.com*, True -*.sgsbet.com*, True -*.sg-seh.ch*, True -*.sgsutcliffe.co.uk*, True -*.sgtcodfish.com*, True -*.sgtcodfish.net*, True -*.sgusaftp.com*, True -*.sgwebcam.gs*, True -*.sg-ws.ru*, True -*.sgws.ru*, True -*.sh0.me*, True -*.sh1tbox.com*, True -*.sh3va.org*, True -*.sh518sm.com*, True -*.sh7s.com.au*, True -*.sha1969.com*, True -*.shaadhi.in*, True -*.shaadhi.org*, True -*.shaakhak.ir*, True -*.shabons.net*, True -*.shadeplants.com.au*, True -*.shadesandrays.com*, True -*.shadewe.com*, True -*.shadir.com*, True -*.shadowbrothers.info*, True -*.shadowcat.pw*, True -*.shadowdancer.co.za*, True -*.shadowguild.com*, True -*.shadowhands.net*, True -*.shadowlandz.net*, True -*.shadow-mu.com*, True -*.shadownet.biz*, True -*.shadownet.ro*, True -*.shadowshells.com*, True -*.shadowsracingteam.ro*, True -*.shadowstarllc.com*, True -*.shadow-team.org*, True -*.shadoxx.net*, True -*.shadu.gq*, True -*.shadyj.com*, True -*.shady-oakplace.com*, True -*.shadypeople.org*, True -*.shadyrepairs.com*, True -*.shaerpoint2016.ir*, True -*.shaffordarcher.com*, True -*.shaharlivne.com*, True -*.shahid-online.net*, True -*.shahih.biz*, True -*.shahnoor.ca*, True -*.shahram.ca*, True -*.shahrinfuzi.com*, True -*.shah-tek.com*, True -*.shahuwadi.in*, True -*.shailer.com*, True -*.shailesh.net*, True -*.shakaa.li*, True -*.shakasystem.cl*, True -*.shakedfamily.com*, True -*.shakedparts.co.il*, True -*.shakedparts.com*, True -*.shakemanor.com*, True -*.shakerattleandroll.net.au*, True -*.shakeydave.com*, True -*.shakez.ch*, True -*.shakilakhan.com*, True -*.shakinit4fun.com*, True -*.shala.net*, True -*.shal.at*, True -*.shalat.net*, True -*.shalbi.co.il*, True -*.shal-kir.co.il*, True -*.shalkovsky.cf*, True -*.shalkovsky.ml*, True -*.shamakheme.com*, True -*.shamam.net*, True -*.shamaniclightwork.com*, True -*.shamantechnology.org*, True -*.shamantechnologysl.com*, True -*.shamantechnologysl.org*, True -*.shambhavischoolofeducation.in*, True -*.shamcostair.com*, True -*.shameson.com*, True -*.shamrockconcepts.com*, True -*.shamrockheights.com*, True -*.shamrockheights.info*, True -*.shamrockwi.com*, True -*.shanagal.com*, True -*.shanagroup.ir*, True -*.shanbo.li*, True -*.shandaman.net*, True -*.shandiji.com*, True -*.shand.org*, True -*.shaneaf.info*, True -*.shanekeeffe.com.au*, True -*.shanelawrence.com*, True -*.shanelawrence.net*, True -*.shanesoft.com*, True -*.shanetrainfitness.com*, True -*.shanfood.co.uk*, True -*.shangchuang.ml*, True -*.shaniajkt48.com*, True -*.shanifa-watson.com*, True -*.shankarsharma.com.np*, True -*.shankillweather.com*, True -*.shanport.com*, True -*.shantanukulkarni.com*, True -*.shao-interiorz.com*, True -*.shaoring.com*, True -*.shaorma.net*, True -*.shao.su*, True -*.shapach.tk*, True -*.shapeart.ro*, True -*.shapedplanes.co.za*, True -*.shapoo.ch*, True -*.shaqed.com*, True -*.sharadkhatiwada.com.np*, True -*.sharadsharma.com.np*, True -*.sharapovaportugal.com*, True -*.shard.ml*, True -*.shardulm.net*, True -*.shardulm.tk*, True -*.share666.com*, True -*.sharebyte.ro*, True -*.shareisgold.net*, True -*.shareit247.com*, True -*.sharemania.net*, True -*.sharemobile.ro*, True -*.sharemp3.org*, True -*.shareonlinecv.info*, True -*.sharepdf.in*, True -*.sharepoint2013demo.com*, True -*.sharepointleaks.com*, True -*.sharepointserver.net*, True -*.shareroute.org*, True -*.sharesilent.com*, True -*.shareslides.com*, True -*.sharghtel.com*, True -*.sharifdaily.ir*, True -*.sharifiat.ir*, True -*.sharifreview.ir*, True -*.sharingandroid.com*, True -*.sharingdesign.biz*, True -*.sharing-design.com*, True -*.sharinggodsword.org*, True -*.sharing-sweets.com*, True -*.sharkagator.com*, True -*.sharkula.info*, True -*.sharkwolves.com*, True -*.sharky.co.uk*, True -*.sharmadhananjaya.com.np*, True -*.sharonspreschool.com*, True -*.sharpcode.co.uk*, True -*.sharpei-united.com*, True -*.sharpley.xyz*, True -*.sharpnet.com.br*, True -*.sharppress.com.ar*, True -*.sharp-soft.ir*, True -*.sharpsolutions.ch*, True -*.sharptext.org*, True -*.sharpthought.com*, True -*.sharpthought.net*, True -*.sharvinandmathuri.com*, True -*.shasai.net*, True -*.shatura.su*, True -*.shatzi.co.za*, True -*.shaulsails.com*, True -*.shaunith.com*, True -*.shaunkeenan.net*, True -*.shavi.net*, True -*.shavit.ru*, True -*.shavrina.pro*, True -*.shawcorp.net*, True -*.shawndesjardins.com*, True -*.shawnferry.com*, True -*.shawnkirk.com*, True -*.shawnleahey.com*, True -*.shawnlentz.com*, True -*.shawnmathews.tk*, True -*.shawnmharper.com*, True -*.shawnpresser.com*, True -*.shawnroering.net*, True -*.shawtech.com.au*, True -*.shax.biz*, True -*.shayaphansiprojects.co.za*, True -*.shazmir.my*, True -*.shcc.net.au*, True -*.sheamortgagebenefits.com*, True -*.shedevr.org.ru*, True -*.shediacbigfish.com*, True -*.shedplaysgames.tk*, True -*.sheduisloud.com*, True -*.sheep2.net*, True -*.sheepindonesia.org*, True -*.sheernesslaptoprepair.com*, True -*.sheesha.pk*, True -*.sheesk.tk*, True -*.sheetalpolypack.tk*, True -*.shehentai.com*, True -*.sheikhqalamrecords.com*, True -*.sheilaandbrian.info*, True -*.shein.ca*, True -*.shejipi.net*, True -*.shejipi.org*, True -*.shekinahphotography.com*, True -*.shekobandits.com*, True -*.shekocountryclub.com*, True -*.shekogolfclub.com*, True -*.shekogolf.com*, True -*.shelbymunsch.com*, True -*.shelbyrecorder.com*, True -*.shellaccount.info*, True -*.shellaccounts.info*, True -*.shellandrob.com*, True -*.shellar.ru*, True -*.shellcode.eu*, True -*.shellesbakes.co.uk*, True -*.shelleyburt.co.za*, True -*.shellforwindows.com*, True -*.shellhpg.co.za*, True -*.shellicio.us*, True -*.shellromania.net*, True -*.shellservice.net*, True -*.shells.ml*, True -*.shellsquad.net*, True -*.shellsquad.org*, True -*.shellx.eu*, True -*.shelter-games.com*, True -*.sheltertrek.com*, True -*.sheltoncomputers.com*, True -*.sheltonsonline.com*, True -*.shelves.ga*, True -*.shemaeducation.com*, True -*.shemaletoonh.com*, True -*.shemamedia.com*, True -*.shemariah.co.za*, True -*.shenaiai.com*, True -*.shenaniegans.com*, True -*.shen.cl*, True -*.shengchiao.com*, True -*.shenghei.com*, True -*.shenk.tk*, True -*.shenster.com*, True -*.shentrax.net*, True -*.shenzenexport.com*, True -*.shenzhenchiwan.com*, True -*.shepeleff.tk*, True -*.sheph.com*, True -*.shepherd.hk*, True -*.sheph.net*, True -*.sheph.org*, True -*.sherbertrealm.tk*, True -*.sherdani.com*, True -*.sherdani.ru*, True -*.sher-h.ca*, True -*.sherichseashells.com*, True -*.sherlockindo.web.id*, True -*.sherman-net.com*, True -*.shermanthedog.com*, True -*.sherpasgroup.cl*, True -*.sherrell.net*, True -*.sherryetrafton.com*, True -*.sherryfu.com*, True -*.sheswet.net*, True -*.shetlandspony.com*, True -*.shevahist.com*, True -*.shevchenko.co.uk*, True -*.sheylaindustrias.com*, True -*.sheyny.com*, True -*.shey.us*, True -*.shialove.com*, True -*.shiatsu.tw*, True -*.shibaidu.com*, True -*.shidduchdater.com*, True -*.shidex.or.id*, True -*.shidiq.ga*, True -*.shieldyourlegacy.com*, True -*.shienssh.tk*, True -*.shiflet.org*, True -*.shiftautosportonline.com*, True -*.shihadeh.com*, True -*.shihadeh.net*, True -*.shihlienenergy.com*, True -*.shikot.ru*, True -*.shilnet.com*, True -*.shimoji.info*, True -*.shimul.ga*, True -*.shinchan.asia*, True -*.shindogoshinkai.com*, True -*.shinglee.hk*, True -*.shinichiblind.com*, True -*.shinigami.nl*, True -*.shiningmedia.com*, True -*.shinjo.web.id*, True -*.shinmin.tw*, True -*.shinobi.net.ru*, True -*.shinobu.ninja*, True -*.shinsakukita.com*, True -*.shinshukan.com.ar*, True -*.shintetsu.com*, True -*.shinyeh.cn*, True -*.shipbroker.ee*, True -*.sh-ip.com*, True -*.shipin2015.com*, True -*.shipin44.com*, True -*.shipin4.com*, True -*.shipinhot.com*, True -*.shipinqqq.com*, True -*.shipintong.com*, True -*.shipit.cl*, True -*.shipkc.com*, True -*.shipkovica.al*, True -*.shipmytoner.com*, True -*.shipoozim4u.co.il*, True -*.shippinginc.co.uk*, True -*.shipping-logistic.nl*, True -*.shippod.com*, True -*.shipspark.com*, True -*.shiqin.li*, True -*.shirleycommunity.ca*, True -*.shirleycommunity.com*, True -*.shirleys.com.au*, True -*.shirokov.su*, True -*.shishenmu.com*, True -*.shitcunt.info*, True -*.shitgoddamnhellfuck.com*, True -*.shithappened.tk*, True -*.shitobonsai.cl*, True -*.shitserver.tk*, True -*.shittytimetravelers.com*, True -*.shit.vc*, True -*.shivagaire.com.np*, True -*.shivax.tk*, True -*.shizhangrong.tk*, True -*.shizukan0bie.cf*, True -*.shizukan0bie.tk*, True -*.shjunze.cn*, True -*.shklovski.net*, True -*.shkolasvk.ru*, True -*.shlatimbemila.co.il*, True -*.shl.com.ar*, True -*.shleprock.net*, True -*.shlomo.in*, True -*.shlstingers.com*, True -*.shltelecom.ro*, True -*.shlyam.biz*, True -*.shmagoo.com*, True -*.shmanage.in*, True -*.shmeepub.com*, True -*.shmeeter.com*, True -*.shmegaming.com*, True -*.shmwc.org*, True -*.shnako.com*, True -*.shoaibahmedshilledar.in*, True -*.shobith.com*, True -*.shockata.nl*, True -*.shocklo.cl*, True -*.shocktothesystem.tk*, True -*.shockwaver.it*, True -*.shoeboxheaven.com*, True -*.shoebridge.org.uk*, True -*.shoecabinet.co.za*, True -*.shoecornerid.com*, True -*.shoelesshorse.com*, True -*.shogarth.com*, True -*.shogun.ca*, True -*.shohair.com*, True -*.shohorjaya.com*, True -*.shoikan-grove.co.uk*, True -*.shokproof.com*, True -*.shokri.net*, True -*.sholdice.org*, True -*.sholihin.com*, True -*.shomodj.com*, True -*.shootbrass.com*, True -*.shootmovecommunicate.tk*, True -*.shootnup.com*, True -*.shop128.com*, True -*.shop360plus.com*, True -*.shop4all.nl*, True -*.shop4plan.com*, True -*.shop4plan.net*, True -*.shop4plans.com*, True -*.shop4plans.net*, True -*.shop-67.ru*, True -*.shopaholicindo.net*, True -*.shopaholicsa.com*, True -*.shopaholicsa.co.za*, True -*.shopamericanlegion.com*, True -*.shopamerica.ro*, True -*.shop-ang.ru*, True -*.shoparison.com*, True -*.shoparison.eu*, True -*.shoparison.net*, True -*.shopavatar.net*, True -*.shopavon.com.au*, True -*.shop-bg.tk*, True -*.shopbook.hk*, True -*.shopbuy.us*, True -*.shopcasa.com.br*, True -*.shopdigital.ro*, True -*.shopforplan.com*, True -*.shopforplan.net*, True -*.shopforplans.net*, True -*.shopgiaynam.net*, True -*.shop-indo.us*, True -*.shoping-mall.ro*, True -*.shopingmall.ro*, True -*.shopjf.com*, True -*.shopju.com*, True -*.shoplah.sg*, True -*.shopnichiduta.ro*, True -*.shoppagott.se*, True -*.shoppercity.com*, True -*.shoppingcreative.com*, True -*.shoppingdourado.com.br*, True -*.shoppingexpress.com.au*, True -*.shoppingpos.com*, True -*.shoppingronden.se*, True -*.shoppix.es*, True -*.shop-pj.com*, True -*.shopppping.com*, True -*.shop-prog.ru*, True -*.shopredondo.com*, True -*.shoprezz.com.my*, True -*.shopsmile.com.br*, True -*.shoptainha.com*, True -*.shoptasks.com.au*, True -*.shop.tm*, True -*.shop-toptop.ru*, True -*.shopwave.com.my*, True -*.shopwave.my*, True -*.shop.web.id*, True -*.shopwithnet.com.au*, True -*.shoraevaz.ir*, True -*.shor.ch*, True -*.shorelinefilm.com*, True -*.shorelinepermits.com*, True -*.shoricika.ro*, True -*.shorink.com*, True -*.shorn.nom.za*, True -*.shortdog.org*, True -*.shortenmy.info*, True -*.shortspecialbus.com*, True -*.shortspecialbus.net*, True -*.shortspecialbus.sexy*, True -*.short-trek.ru*, True -*.shoryuuken.com*, True -*.shostka.org*, True -*.shosyn.com*, True -*.shotforallseasons.com*, True -*.shotgunlan.com*, True -*.shotspeak.com*, True -*.shouldertap.fm*, True -*.shouldwehaveaparty.com*, True -*.shoulson.com*, True -*.shoupos.com*, True -*.showaprofit.com*, True -*.showcar.am*, True -*.showcase.com.np*, True -*.showcase-investments.com*, True -*.showcase-marketing.com*, True -*.showcause.net*, True -*.showclothesbyerin.com*, True -*.showcontrolit.com*, True -*.showcontrolthis.com*, True -*.showerfiltersystems.com*, True -*.showerscreen-box.com*, True -*.showingaide.com*, True -*.showingwang.tw*, True -*.showkolade.ch*, True -*.showmeanings.com*, True -*.showmeanings.net*, True -*.showmp3.com*, True -*.showmyhomes.com*, True -*.showon.cc*, True -*.showorking.es*, True -*.showpony.co.za*, True -*.show.pt*, True -*.showroomonline.com.ar*, True -*.show-run.com*, True -*.showtimefishingcharters.com*, True -*.show-time.sk*, True -*.showto.net*, True -*.showword.com*, True -*.shpik.info*, True -*.shrawan.com.np*, True -*.shreddedbacon.com*, True -*.shreddedpumpkin.com*, True -*.shredderhardrock.com.ar*, True -*.shredders.co.il*, True -*.shredfitness.com.au*, True -*.shredsnow.com*, True -*.shredstreet.com*, True -*.shredsurf.com*, True -*.shreedeeprayamajhi.com.np*, True -*.shren.info*, True -*.shresthaakash.com.np*, True -*.shresthaanil.com.np*, True -*.shresthakp.com.np*, True -*.shresthasanjay.com.np*, True -*.shresthasushil.com.np*, True -*.sh-retech.com*, True -*.shriekinggeeks.com*, True -*.shriekinggeeks.net*, True -*.shrimpsimprov.com*, True -*.shrineclubromania.ro*, True -*.shriyanchitturi.com*, True -*.shrpnt.com*, True -*.shrtn.cf*, True -*.shrwn.cf*, True -*.shsa.com.au*, True -*.shsoft.com.pk*, True -*.sht67.com*, True -*.sht77.com*, True -*.sht84.com*, True -*.shtf.in*, True -*.shtrenyov.tk*, True -*.shtu4ki.ru*, True -*.shtuchek.com*, True -*.shtuchki.info*, True -*.shtuff.it*, True -*.shtvan.ru*, True -*.shuaichuang.com*, True -*.shuaichuang.net*, True -*.shuaichuang.org*, True -*.shuaiscott.com*, True -*.shuangqitours.com.np*, True -*.shudai.info*, True -*.shudokan.com.ar*, True -*.shudy.info*, True -*.shue.biz*, True -*.shufflebee.ch*, True -*.shuffled-digits.com*, True -*.shufflincrew.com*, True -*.shuhaowu.com*, True -*.shuicihi.cf*, True -*.shujsajmo.si*, True -*.shukailov.ru*, True -*.shukaylov.ru*, True -*.shulyaka.org.ru*, True -*.shumilova.info*, True -*.shundatarakan.com*, True -*.shundi.us*, True -*.shuoshei.com*, True -*.shurom.net*, True -*.shushmail.tk*, True -*.shusil.com.np*, True -*.shustikov.net*, True -*.shuteru.com*, True -*.shutterdaddy.com*, True -*.shuttersandblindssolutions.com.au*, True -*.shutterstockmarket.com*, True -*.shuzent-exploit3r.net*, True -*.shuzr.com*, True -*.shvec.com*, True -*.shvedma.com*, True -*.shwa.info*, True -*.shwedagonairporttaxicab.com*, True -*.shwet.info*, True -*.shyamkumarkc20.com.np*, True -*.shyamprasadgiri.com.np*, True -*.shyguy.tk*, True -*.si0.com.br*, True -*.siaeit.com*, True -*.siafarm.com*, True -*.siafu.cc*, True -*.siagabencana.org*, True -*.siah.sg*, True -*.sialkot.tk*, True -*.siama.pro*, True -*.siamect.com*, True -*.siammede.com*, True -*.siammedee.com*, True -*.siamsquare.org.uk*, True -*.siamu.com*, True -*.siantarsafety.com*, True -*.siapa.info*, True -*.siarlocal.com*, True -*.siarsky.ch*, True -*.siasolution.com*, True -*.si-av.com*, True -*.sibbronycon.ru*, True -*.sibdolina.ru*, True -*.sibenergo.info*, True -*.siberianfox.ru*, True -*.siberianight.ch*, True -*.sibermail.com*, True -*.siberventures.com*, True -*.sibexzavod.ru*, True -*.sibirfito.ru*, True -*.sibkon.ru*, True -*.siblogistic.ru*, True -*.sibmag22.ru*, True -*.sibmed.org*, True -*.sibmed.org.ru*, True -*.sibx.ca*, True -*.sibylhaynes.org*, True -*.sicadi.com.br*, True -*.sicadimoveis.com.br*, True -*.siccrans.ch*, True -*.sichma.com.au*, True -*.sicily.co.uk*, True -*.sicilyholidayrentals.com*, True -*.sickassfacts.com*, True -*.sickels.org*, True -*.sickhealth.tk*, True -*.sick.one.pl*, True -*.sic-mariage.ro*, True -*.sicmariage.ro*, True -*.sicmexico.mx*, True -*.sicnarf.com*, True -*.sicoe.mx*, True -*.sicomoros.cl*, True -*.sicuradesigns.com*, True -*.sicurezza-nazionale.it*, True -*.sicurezzanazionale.it*, True -*.sidata.com.tr*, True -*.sidb.tk*, True -*.siddhivinayakcoils.com*, True -*.sidecole.ch*, True -*.sideline-lessons.com*, True -*.sidenet.org*, True -*.siderysbsn.com*, True -*.siderys.com.ar*, True -*.sidestreetempire.de*, True -*.sideways.ru*, True -*.sidis.org.ve*, True -*.sidlogic.net.au*, True -*.sidneycleidson.com.br*, True -*.sidneymichigan.com*, True -*.sidoarjogetar.com*, True -*.sidomampirseafood.com*, True -*.sidominews.com*, True -*.sidov.net*, True -*.sidra.cl*, True -*.sidsi.com.ar*, True -*.sidtra-ar.com.ar*, True -*.sidtra.com.ar*, True -*.sidusliber.com*, True -*.sidven.com.ve*, True -*.sidys.id.au*, True -*.siebert.cl*, True -*.siebertfamily.co.nz*, True -*.siecon.com.mx*, True -*.siecon.mx*, True -*.siedner.com*, True -*.siefk.as*, True -*.siegheil.info*, True -*.sieid.com*, True -*.siela.me*, True -*.sielunliaani.fi*, True -*.siemaas.com*, True -*.siemensexploit.com*, True -*.siemensexploits.com*, True -*.siemenslifesafetydashboard.com*, True -*.sien.is*, True -*.siens.com.br*, True -*.sienza.co.za*, True -*.sieparking.com.mx*, True -*.sier.com.ar*, True -*.siero.ru*, True -*.sierrasazulesfm.com.ar*, True -*.siessen.be*, True -*.sieucao.com*, True -*.sieuchipshop.com*, True -*.sieunhandothi.com*, True -*.sieuviet.info*, True -*.sifikilemarketing.co.za*, True -*.sifon-stereo.com.ar*, True -*.sifrovat.cz*, True -*.sifruj.cz*, True -*.sigaev.info*, True -*.sigdelbivek.com.np*, True -*.sigde.pt*, True -*.sigels.info*, True -*.sighofrelief.org*, True -*.sight10.com*, True -*.sight.cz*, True -*.sightread.com*, True -*.sightsee.hk*, True -*.sightseeingthailand.net*, True -*.sigi.li*, True -*.sigit.fm*, True -*.sigje.net*, True -*.sigje.org*, True -*.sigmacomputacion.com.ar*, True -*.sigmacom.ro*, True -*.sigmagordeninterior.com*, True -*.sigmainc.in*, True -*.sigmanest.jp*, True -*.sigmatechnologies.us*, True -*.sigmateklabs.com*, True -*.sigmgt.com*, True -*.sigmundtechnology.com*, True -*.signageworks.co.uk*, True -*.signal11.ro*, True -*.signalblend.com*, True -*.signalhut.com*, True -*.signalmixes.com*, True -*.signalmix.net*, True -*.signalmix.org*, True -*.signalos.org*, True -*.signatureframing.ca*, True -*.signatureframing.com*, True -*.signaturefs.com.au*, True -*.signbox.com.ar*, True -*.signia.sg*, True -*.signorelli.ch*, True -*.signos.net.br*, True -*.signskin.com*, True -*.signt.com*, True -*.sigortaevi.com*, True -*.sigortamnetutar.com*, True -*.sigtrans.cl*, True -*.sigueros.com*, True -*.sigueros.es*, True -*.siguetuproyecto.com.ar*, True -*.sigus.com.br*, True -*.sihabudinahmad.web.id*, True -*.sihan.li*, True -*.sihhatbul.com*, True -*.sihombing.gq*, True -*.siiguepex.com.ar*, True -*.siikajoenkokoomus.fi*, True -*.si-ion.web.id*, True -*.siio.tk*, True -*.sijanb.com.np*, True -*.sija.pl*, True -*.sijeffrey.co.uk*, True -*.sijet.si*, True -*.sika-grout.com*, True -*.sikanak.com*, True -*.sikemi.tk*, True -*.sikisciller.com*, True -*.sikkerhets.guru*, True -*.sikkerhets.info*, True -*.sikkerhets.ninja*, True -*.sikkin.com*, True -*.sikocan.com.au*, True -*.sikorski.it*, True -*.sikra.net*, True -*.sik.tw*, True -*.silco.cl*, True -*.sildenafilcitrate-tablets.com*, True -*.sildenafiljelly.biz*, True -*.sildis.com*, True -*.silenceabliss.net*, True -*.silencersolutions.com*, True -*.silentanontest.tk*, True -*.silentboy.net*, True -*.silentboy.us*, True -*.silent-clan.tk*, True -*.silentcomponents.com*, True -*.silentgiants.com*, True -*.silentius.ru*, True -*.silentluck.com*, True -*.silentreadervsn.com*, True -*.silent.sexy*, True -*.silexcorp.com.ar*, True -*.silfranske.ga*, True -*.silhouetteid.com.my*, True -*.silhouette-project.ga*, True -*.silicate.org*, True -*.silicon500.com.ar*, True -*.siliconbackalley.com*, True -*.silicongallen.ch*, True -*.siliconia.net*, True -*.siliconplus.com.au*, True -*.siliconsurfing.com*, True -*.silitan.ga*, True -*.silivan.ro*, True -*.silkato.net*, True -*.silkeyelash.com*, True -*.silkie.org*, True -*.silkpro.eu*, True -*.silkroadassociation.ro*, True -*.silkroadweb.com*, True -*.silksky.com*, True -*.silktank.co.uk*, True -*.silkventures.com*, True -*.silkyfootworld.com*, True -*.silkyhair.co.za*, True -*.sillamae.com*, True -*.sillamae.eu*, True -*.sillamae.net*, True -*.sillamae.org*, True -*.sillonart.com.ar*, True -*.sillonestilo.com.ar*, True -*.sillybeanuniques.com*, True -*.sillydolls.ca*, True -*.sillysdictionary.com*, True -*.sillytrade.com*, True -*.silma.tk*, True -*.silo.tk*, True -*.silozuribraila.ro*, True -*.silozuricereale.ro*, True -*.silpa.cl*, True -*.silppat.com*, True -*.silppuri.fi*, True -*.silsound.ro*, True -*.siluowenniya.si*, True -*.silvabonilla.cl*, True -*.silva-desinfection.ch*, True -*.silvagniautomobili.ch*, True -*.silvaharo.com*, True -*.silvanaramirez.com.ve*, True -*.silvanortica.at*, True -*.silverbay.ca*, True -*.silverbuggames.com*, True -*.silvercreekparkweddingchapel.com*, True -*.silvercroz.com*, True -*.silverfernbackpackers.com*, True -*.silverfernhostel.com*, True -*.silvergem.net*, True -*.silvergreys.org*, True -*.silvergy.com*, True -*.silverlighthosting.info*, True -*.silvermetalcoin.com*, True -*.silver-paz.co.il*, True -*.silverqueen.asia*, True -*.silversaint.cf*, True -*.silversaint.ga*, True -*.silversaint.gq*, True -*.silversaint.ml*, True -*.silversaint.net*, True -*.silversaint.tk*, True -*.silversaiph.com*, True -*.silverstreamit.net*, True -*.silversundries.com*, True -*.silversundry.com*, True -*.silvertime.eu*, True -*.silvertonradiatorsptanorth.co.za*, True -*.silvertonvbg.co.za*, True -*.silvervault.fi*, True -*.silverwax.ca*, True -*.silveryhk.com*, True -*.silvestriluca.it*, True -*.silvestro.com.ar*, True -*.silvestrodns.com.ar*, True -*.silviaciungu.ro*, True -*.silvic-nasaud.ro*, True -*.silvinaygustavo.com*, True -*.silvinaygustavo.com.ar*, True -*.silvioquadri.com.ar*, True -*.silviugheorghe.ro*, True -*.silxnet.com*, True -*.silxnet.org*, True -*.simac-computers.com*, True -*.simadi.com.ve*, True -*.simafor.net*, True -*.simalnomeequivoco.com.ar*, True -*.simanor.cl*, True -*.simans.uk*, True -*.simapas.com*, True -*.simaphone.ca*, True -*.simaq.cl*, True -*.simarhomes.com*, True -*.simarmata.cf*, True -*.simart.net*, True -*.simaski.com.ve*, True -*.simbioza.ro*, True -*.simbolonacional.com*, True -*.simbolonacional.net*, True -*.simbolonacional.org*, True -*.simbolospatrios.mx*, True -*.simbya.com.ar*, True -*.simcaster.net*, True -*.simce.ro*, True -*.simcoin.com*, True -*.simcoin.org*, True -*.simcomputing.co.uk*, True -*.simcor.ro*, True -*.simdepdatviet.com*, True -*.sime.cl*, True -*.simen.ir*, True -*.simepa.com.ar*, True -*.simetricaengenharia.com.br*, True -*.simexoriginal.com*, True -*.simexoriginal.rs*, True -*.simfamily.ca*, True -*.simgames.com.br*, True -*.simhard.com*, True -*.simin.me*, True -*.sim-kins.co.uk*, True -*.simlabs.com.br*, True -*.simlit.com*, True -*.simma.ro*, True -*.simmex.cl*, True -*.simming.co.za*, True -*.simmm.tk*, True -*.simmonds.co.za*, True -*.simmonssimmons.com*, True -*.simmscomputer.ro*, True -*.simms.ro*, True -*.simonaesoniareperimenti.it*, True -*.simonamirela.in*, True -*.simonandlaura.net*, True -*.simonandshell.com*, True -*.simonasselin.com*, True -*.simon.ca*, True -*.simondeng.me*, True -*.simondixey.co.uk*, True -*.simondlee.net*, True -*.simondonohue.com*, True -*.simoneautomotores.com.ar*, True -*.simone-et-thomas.com*, True -*.simoneguggisberg.ch*, True -*.simonelli.com.ve*, True -*.simonemaggi.com.br*, True -*.simonhillphotography.co.uk*, True -*.simonhome.us*, True -*.simonlane.com*, True -*.simonlane.co.uk*, True -*.simonlane.net*, True -*.simonmonroe.com*, True -*.simonpayne.id.au*, True -*.simonray.com*, True -*.simonrodriguez.org.ve*, True -*.simonschlegel.ch*, True -*.simonsharp.ch*, True -*.simonsservices.be*, True -*.simonthoby.tk*, True -*.simonv.ro*, True -*.simoon.tk*, True -*.simorghost.ir*, True -*.simoveis.com.br*, True -*.simpalean.ro*, True -*.simpanglima.net*, True -*.simpati.fm*, True -*.simpati.in*, True -*.simpatyagi.ru*, True -*.simpleactsofkindness.io*, True -*.simplebox.us*, True -*.simplecakes.com.ar*, True -*.simplecharity.com*, True -*.simpleelegance-us.biz*, True -*.simpleelegance-us.com*, True -*.simpleelegance-us.info*, True -*.simpleinfotech.com.au*, True -*.simplekaraokeplayer.com*, True -*.simplelayby.co.za*, True -*.simplementefutbol.cl*, True -*.simplementesonrisas.org*, True -*.simplenetworks.cl*, True -*.simpleplantdesign.com*, True -*.simples-dns.com*, True -*.simpletaxation.com*, True -*.simpletechsol.com*, True -*.simpletut.net*, True -*.simplewa.com*, True -*.simplewebmethodology.org*, True -*.simplexity.asia*, True -*.simplfone.net*, True -*.simplifyingbackup.com*, True -*.simpligreen.net*, True -*.simpligreen.us*, True -*.simplinx.com*, True -*.simplistic.tk*, True -*.simplit.pt*, True -*.simplydivinebakery.com*, True -*.simplyfreshroastery.ca*, True -*.simplygraces.com*, True -*.simplylayby.co.za*, True -*.simplylazyapps.com*, True -*.simplymake.ru*, True -*.simply-mindful-healing.co.uk*, True -*.simplynoah.me*, True -*.simplynorthpole.com*, True -*.simplynudist.com*, True -*.simplyphotository.com*, True -*.simplyvintagetiaras.co.uk*, True -*.simport.net.br*, True -*.simproproperty.com*, True -*.simprorealty.co.id*, True -*.simpsonraceproducts.com.au*, True -*.simpsons.com.ar*, True -*.simpsware.com*, True -*.simq.tk*, True -*.simranfurnitureraipur.com*, True -*.sims3planet.net*, True -*.sims4planet.net*, True -*.simsa.com.ar*, True -*.simsimi.me*, True -*.simso.tk*, True -*.simsu.com.ar*, True -*.simtho.ch*, True -*.simtubeporn.pw*, True -*.simulalabs.com*, True -*.simulamed.com.ar*, True -*.simurda.net*, True -*.simvina.vn*, True -*.simx.co.za*, True -*.simyo-sicherheitszentrale.de*, True -*.sin5665.com*, True -*.sinaga.info*, True -*.sinagaliker.cf*, True -*.sinaga.se*, True -*.sinaga.us*, True -*.sinaga.web.id*, True -*.sinamusic.ro*, True -*.sinan.org.tr*, True -*.sinanyuce.com*, True -*.sina.pt*, True -*.sinarhost.com*, True -*.sinarlagu.com*, True -*.sinartimurgroup.co.id*, True -*.sinax.com.ar*, True -*.sinaxmedica.com.ar*, True -*.sinayoservices.co.za*, True -*.sinca.com.br*, True -*.sincerejewelrytw.com*, True -*.sin.cl*, True -*.sincla.ir*, True -*.sinclairstudios.net*, True -*.sincotec-scs.org.br*, True -*.sindacodinapoli.it*, True -*.sindacomputing.com*, True -*.sindclub.com*, True -*.sinderman.com*, True -*.sindhulisaugat.com*, True -*.sindicat.info*, True -*.sindicatsps.com*, True -*.sindlinii.ro*, True -*.sindoh.com.ar*, True -*.sindro.me*, True -*.sindumetal.com*, True -*.sindutamateknik.com*, True -*.sindy.tk*, True -*.sineadmccarthy.com*, True -*.sinec.ch*, True -*.sine-express.net*, True -*.sinelnikovo.ru*, True -*.sinergiaestetica.com.ar*, True -*.sinergialsa.com.ar*, True -*.sinergiapilates.com.ar*, True -*.sinergiayoga.com.ar*, True -*.sinergit.com.ar*, True -*.sines.ga*, True -*.sinet3k.com*, True -*.sinettiarkisto.fi*, True -*.sinexis.com.ar*, True -*.sinfultroll.com*, True -*.singaporedeals.sg*, True -*.singaporelawyer-divorce.com*, True -*.singaporetaxi.sg*, True -*.singapurhotel.de*, True -*.singasoft.com*, True -*.singel-haus.com*, True -*.singelim.co.il*, True -*.singercortinajes.cl*, True -*.singhm.com*, True -*.singkil.web.id*, True -*.singko.net*, True -*.singleaesthetic.com*, True -*.singlefuerteventura.es*, True -*.singlem4a.com*, True -*.singlesupports.com*, True -*.singleton-family.org*, True -*.singlevietnam.com*, True -*.singsale.sg*, True -*.singularity-consulting.com*, True -*.singularnetwork.ca*, True -*.singular-pharma.com*, True -*.singularsystems.ca*, True -*.sing-way.com*, True -*.sinhala-operamini.tk*, True -*.sinhala-opera.tk*, True -*.sinharoy.com*, True -*.sinhockhong.com*, True -*.sinhthanhbio.tk*, True -*.sinhvienhost.net*, True -*.sinimmeuble.com*, True -*.siniritarit.fi*, True -*.sinktoob.com*, True -*.sinlc.tk*, True -*.sinlimites.com*, True -*.sinmarca.mx*, True -*.sinnfulbooks.com*, True -*.sinoconnections.com*, True -*.sinogael.cn*, True -*.sinogael.com*, True -*.sinogael.eu*, True -*.sinogael.info*, True -*.sinorenaissance-lausanne.ch*, True -*.sinostariptv.info*, True -*.sinotech.hk*, True -*.sino.tw*, True -*.sinsemilla.cl*, True -*.sinsemillas.cl*, True -*.sinsin.hk*, True -*.sintagesgiaantres.gr*, True -*.sintasammy.info*, True -*.sintesoluciones.co*, True -*.sintetica.info*, True -*.sinteticaweb.com*, True -*.sinteticaweb.it*, True -*.sinteticaweb.net*, True -*.sintong228.com*, True -*.sintrabajosocial.cl*, True -*.sintrap.com.ar*, True -*.sinun.fi*, True -*.sinuso.org*, True -*.sioservices.tk*, True -*.sipalki-chung-mu.com.ar*, True -*.sipart.ro*, True -*.sipela.com.br*, True -*.sipgate.su*, True -*.siphone.com.au*, True -*.sipminerios.com*, True -*.sip.mx*, True -*.sipoketv.com*, True -*.sipo.si*, True -*.sippa.net*, True -*.sippd-berau.net*, True -*.sippd-bontang.net*, True -*.sippd-bulungan.net*, True -*.sippd-jatim.net*, True -*.sippd-ktt.net*, True -*.sippd-minut.net*, True -*.sippd.net*, True -*.sippd-ntb.net*, True -*.sippd-poso.net*, True -*.sipr.nl*, True -*.sipro.com.br*, True -*.siq.ec*, True -*.sirbeef.com*, True -*.sir-bg.co.uk*, True -*.sircompo.com*, True -*.sirevision.com*, True -*.sirfelidae.de*, True -*.siribinhabeachhouse.com.br*, True -*.siri.sh*, True -*.sirius-online.ro*, True -*.sirix.com.br*, True -*.sirkkeli.fi*, True -*.sirloinstik.com*, True -*.sirmakesis.com*, True -*.sirmaxim.tk*, True -*.sirmuzz.com*, True -*.siroiruka.com*, True -*.sirrobertcam.info*, True -*.sirta46.com*, True -*.sirventalot.com*, True -*.sisadmin.pw*, True -*.sisaludnea.com.ar*, True -*.sisa-tech.com*, True -*.sisa-tech.com.au*, True -*.sisbun.com*, True -*.siscom.com.ar*, True -*.sisepe.com.ar*, True -*.sisgpstechnology.com.ve*, True -*.sismianto.com*, True -*.sismiopbdl.info*, True -*.sismonda.com*, True -*.sismonda.com.ar*, True -*.sismondi.ch*, True -*.sisnom.com.mx*, True -*.sisnom.mx*, True -*.siso.fi*, True -*.sispares.com*, True -*.sispatio.com.br*, True -*.sispcsystems.com*, True -*.sispc.us*, True -*.sisprojects.com*, True -*.sisquali.com*, True -*.sisrel.cl*, True -*.siss.ca*, True -*.sissie.ro*, True -*.sissyterapeuta.com.br*, True -*.sistelligent.com.mx*, True -*.sistema01.pt*, True -*.sistemaamigo.com.ar*, True -*.sistemadealarme.com.br*, True -*.sistemaergonomia.com.ar*, True -*.sistemaintegra.mx*, True -*.sistemamlc.com.ar*, True -*.sistemasadn.com.ar*, True -*.sistemas.com.mx*, True -*.sistemasdegestionintegrada.cl*, True -*.sistemas-diamante.com.ar*, True -*.sistemasinerciales.com.ar*, True -*.sistemas-junin.com.ar*, True -*.sistemasnonex.com*, True -*.sistemasofia.com.ve*, True -*.sistemasplenario.com.ar*, True -*.sistemas-sp.com.ar*, True -*.sistemaswismee.com.ar*, True -*.sistemasyprocesos.com.ar*, True -*.sisteme-eoliene.ro*, True -*.sistemeeoliene.ro*, True -*.sistemica-olivos.com.ar*, True -*.sistemipos.com*, True -*.sistemmasterkey.ro*, True -*.sister-smackdown.com*, True -*.sistersmackdown.com*, True -*.sistrum.com.br*, True -*.sistrunk.biz*, True -*.sisubabe.com*, True -*.sisustusoiva.fi*, True -*.sita.cf*, True -*.sitaci.com*, True -*.sitcom.ch*, True -*.sitec.cl*, True -*.sitecentrix.net*, True -*.sitechweb.com*, True -*.sitecreator.xyz*, True -*.sitedado.com*, True -*.sitedatamine.co.uk*, True -*.sitedemarde.org*, True -*.sitedemerde.org*, True -*.sitedemo.cf*, True -*.sitedezigner.com*, True -*.sitegoodies.com*, True -*.sitegoodies.net*, True -*.sitegoodies.org*, True -*.siteho.st*, True -*.sitehub.biz*, True -*.siteldi.mx*, True -*.site-life.ml*, True -*.site-life.tk*, True -*.sitemaster.cl*, True -*.sitesationalwebdesign.com*, True -*.sitestudio.co*, True -*.sitetheater.com*, True -*.siteup.info*, True -*.sitharete.com*, True -*.sith.co.kr*, True -*.sitheilmorchoille.com*, True -*.sith.su*, True -*.sithtrooper.com*, True -*.sitiozero.cl*, True -*.sitmeansit.net*, True -*.sito.ml*, True -*.sitqva.com*, True -*.sitradein.co.il*, True -*.sitsport.ch*, True -*.sittnet.com.ar*, True -*.situationroom.org*, True -*.situbondotv.biz*, True -*.situbondotv.com*, True -*.situbondotv.net*, True -*.situbondotv.org*, True -*.situbondotv.us*, True -*.situbondovision.com*, True -*.situmorang.net*, True -*.sit-up.ru*, True -*.situsdownloadlagu.asia*, True -*.situsislam.cf*, True -*.situsislam.ga*, True -*.situskita.net*, True -*.situsoft.com*, True -*.situspintar.net*, True -*.sitwa.info*, True -*.sivakoff.org*, True -*.sivalnistroji.si*, True -*.siviero.ws*, True -*.sivik.de*, True -*.sivoisgdo.tk*, True -*.sivoisg.tk*, True -*.sivoivpn.tk*, True -*.siwen.tw*, True -*.sixacts.com*, True -*.sixactsofreceiving.com*, True -*.sixcore.net*, True -*.sixfootfive.com*, True -*.sixgod.com*, True -*.sixgoodguy.co.uk*, True -*.sixms.com*, True -*.sixohquad.com*, True -*.sixpack.ml*, True -*.sixpiedssousterre.com*, True -*.sixsensemobile.com*, True -*.six-sigma.ru*, True -*.six-two.net*, True -*.sixtytwofifty.com*, True -*.sixx.ro*, True -*.siyachtcharters.com*, True -*.siyavumasports.com*, True -*.sjboscoministry.com*, True -*.sjcaeportal.tk*, True -*.sjcaportal.tk*, True -*.sj-cme.co.kr*, True -*.sjef.biz*, True -*.sje.mx*, True -*.sj-ingenieros.com*, True -*.sjjent.com*, True -*.sjjent.info*, True -*.sjjent.net*, True -*.sjjnet.com*, True -*.sjjnet.info*, True -*.sjjnet.net*, True -*.sjmorales.com*, True -*.sjnk.tv*, True -*.sjno.net*, True -*.sjocom.com*, True -*.sjoelund.se*, True -*.sjostadsesplanaden.se*, True -*.sjschroeder.com*, True -*.sjshoppe.com*, True -*.sjso.ca*, True -*.sk2dior.com*, True -*.skabeev.net*, True -*.skac.com.br*, True -*.skadu.se*, True -*.skaggsdeveloping.com*, True -*.skaggs-hosting.com*, True -*.skagius.se*, True -*.skala.co.id*, True -*.skalamini.com*, True -*.skalet.com*, True -*.skalet.net*, True -*.skalliance.net*, True -*.skalliance.org*, True -*.skamaria.co*, True -*.skamaria.com*, True -*.skamaria.net*, True -*.skam.co*, True -*.skane.tk*, True -*.skankface.com*, True -*.skankyclam.com*, True -*.skappa.ch*, True -*.skara-linen.com*, True -*.skardafamily.com*, True -*.skarga.tk*, True -*.skarpeid.com*, True -*.skate.lv*, True -*.skateprorole.com.br*, True -*.skate.sh*, True -*.skatsberrypi.tk*, True -*.skaz.us*, True -*.skc33.com*, True -*.skc44.com*, True -*.skc55.com*, True -*.skc66.com*, True -*.skc88.com*, True -*.skcleaners.com*, True -*.skconsultancys.com*, True -*.skc.su*, True -*.skedge.es*, True -*.skeedz.com*, True -*.skeefe.com*, True -*.skeep.ru*, True -*.skeldrak.com*, True -*.skeletons.cl*, True -*.skellam.org*, True -*.skeltonhome.net*, True -*.skelverdinge.be*, True -*.skenderaj.hr*, True -*.sketches.my*, True -*.sketoku.net*, True -*.sketoku.tk*, True -*.sketstore.com.br*, True -*.skg.com.np*, True -*.skhimji.com*, True -*.skiar.com.ar*, True -*.skicentral.tv*, True -*.skidealsummer.co.il*, True -*.skidm0re.com*, True -*.skidoch.ga*, True -*.skies.tw*, True -*.skillc.tk*, True -*.skilledwork.ru*, True -*.skill.ga*, True -*.skilllevel.ru*, True -*.skimanshop.it*, True -*.skimmilkfarm.org*, True -*.skincancerflorida.com*, True -*.skincareproductreviewgroup.com*, True -*.skincareproductreview.info*, True -*.skinhealth.ml*, True -*.skinking.ch*, True -*.skinlolmod.com*, True -*.skinn-shop.ru*, True -*.skinnshop.ru*, True -*.skinnydishes.com*, True -*.skinpreview.com*, True -*.skinsai.com*, True -*.skintm.com*, True -*.skippervics.com*, True -*.skippylawson.com*, True -*.skipthemail.com*, True -*.skiptwo.info*, True -*.sk.is*, True -*.skizone.org*, True -*.skladacka.cz*, True -*.skladoprom.ru*, True -*.skleroznik.ml*, True -*.skliarsky.com*, True -*.sklionsclub.com*, True -*.skobari.ru*, True -*.skoczylas.pl*, True -*.skogensro.tk*, True -*.skogh.org*, True -*.skokica.com*, True -*.skolkam.sk*, True -*.skolkovo13.ru*, True -*.skooch.com*, True -*.skoonle.com*, True -*.skopeconstructions.com.au*, True -*.skope.net.au*, True -*.skorinko.ru*, True -*.skorpionapartments.com*, True -*.skorpio-wiatrowki.pl*, True -*.skot.at*, True -*.skowvron.us*, True -*.skpi.cf*, True -*.skraba.co.uk*, True -*.skribblings.com*, True -*.skripsiku.com*, True -*.skrobotipartneri.hr*, True -*.skrubcraft.tk*, True -*.skrydata.com.au*, True -*.sks-architekten.ch*, True -*.sksarchitekten.ch*, True -*.sks-architekten.com*, True -*.sksolutions.in*, True -*.sktnn.com*, True -*.skuld.cl*, True -*.skulk-of-fox.net*, True -*.skullcandy.si*, True -*.skullkingclothing.com.br*, True -*.skullking.com.br*, True -*.skull-mp3.net*, True -*.skullrockfashion.com*, True -*.skullsbbs.com*, True -*.skulltoys.com*, True -*.skul.no*, True -*.skumarsilk.com*, True -*.skumarsilks.com*, True -*.skumphof.com*, True -*.skunk.one.pl*, True -*.skvarcius.com*, True -*.skwakesai.com*, True -*.sky-1004.com*, True -*.sky24.biz*, True -*.skyad.org*, True -*.skyautolamp.com*, True -*.sky-battle.tk*, True -*.skybattle.tk*, True -*.skyblock.tk*, True -*.skybridge.cf*, True -*.sky-chat.net*, True -*.sky-cinema.ru*, True -*.skydesign.com.my*, True -*.skydev.ch*, True -*.skydivedurban.co.za*, True -*.skydivekzn.co.za*, True -*.skydiverstuff.com*, True -*.skydivesergio.com*, True -*.skydive-tandem.co.za*, True -*.skydivethebeach.co.za*, True -*.skydiving-cape-town.co.za*, True -*.skydoesminecraft.org*, True -*.skydrones.es*, True -*.skyfilm.info*, True -*.skyfirebackup.ca*, True -*.skyfirebackup.com*, True -*.skyfirebackups.ca*, True -*.skyfirebackups.com*, True -*.skyfmradio.co.uk*, True -*.skyfortress.ir*, True -*.skyfullofbats.com*, True -*.skygin.net*, True -*.skyginonline.com*, True -*.skyidea.com*, True -*.skyid.org*, True -*.skykingho.me*, True -*.skylarlabs.com*, True -*.sky-leds.com*, True -*.skylinedesignstudio.com*, True -*.skylinedesignstudio.com.au*, True -*.skylinkme.com*, True -*.skyll.com*, True -*.skylot.ru*, True -*.skyloveforyou.tk*, True -*.skynav.cl*, True -*.sky.net.id*, True -*.skynetnetwork.ml*, True -*.skynet-research.us*, True -*.skynetsoluciones.com.ar*, True -*.skyngin.io*, True -*.sky-pc.ch*, True -*.skypc.ch*, True -*.skypce-sandbox.com*, True -*.skype-show.ru*, True -*.skypestreamer.com*, True -*.skyplazaonline.net*, True -*.skypro-cctv.com*, True -*.skyraptor.com*, True -*.skyring.cl*, True -*.skyscapecloud-demo.com*, True -*.skysec.net*, True -*.sky.sexy*, True -*.skystoring.com*, True -*.skyuniverse.net*, True -*.skywardvpn.tk*, True -*.skywars.cf*, True -*.sky-wars.tk*, True -*.skywatcher-telescop.ro*, True -*.skywave.me*, True -*.skyway.ro*, True -*.skyweb.gr*, True -*.skyz.tk*, True -*.skyz.xyz*, True -*.sl2.co.za*, True -*.sl8.net*, True -*.slaafke.be*, True -*.slaap7.com*, True -*.slabovidni.com*, True -*.slackcunt.info*, True -*.slacker.cf*, True -*.slackersmotivated.com*, True -*.slackoverflow.org*, True -*.slackware.org.ve*, True -*.slackwarepackages.com*, True -*.sladesatmanorhill.net*, True -*.sladesbrewhouse.com*, True -*.sl-aes.com*, True -*.slagare.ro*, True -*.slain.ca*, True -*.sla-itj.com.br*, True -*.slambaits.com.au*, True -*.slape.si*, True -*.slap.one.pl*, True -*.slaps.one.pl*, True -*.slash32.net*, True -*.slash.cl*, True -*.slasherbbs.com*, True -*.slasia.hk*, True -*.slatec.net*, True -*.slatertech.ca*, True -*.slatonmrs.org*, True -*.slave-bot.com*, True -*.slavesol.com*, True -*.slavesol.org*, True -*.slavewages.org*, True -*.slavicdragon.com*, True -*.slavicnet.com*, True -*.slavkopapler.si*, True -*.slavmebelkupe.ru*, True -*.slavonija.ga*, True -*.slawko.pl*, True -*.slayeroflight.ch*, True -*.slaz.me*, True -*.slbctripura.com*, True -*.slbnacimahi.net*, True -*.slb.org.br*, True -*.slckplt.com*, True -*.slechte-draak.nl*, True -*.sledsport.ru*, True -*.sleek.io*, True -*.sleepandgrow.co.uk*, True -*.sleepbeat.ca*, True -*.sleepbeat.com*, True -*.sleepgate.im*, True -*.sleepinnhbg.com*, True -*.sleepless.hk*, True -*.sleepless-in-mind.gq*, True -*.sleepnot.ro*, True -*.sleepnyaks.tk*, True -*.sleepsleep.co.za*, True -*.sleepybrains.net*, True -*.slegat.eu*, True -*.slemanroot.net*, True -*.sleve.cl*, True -*.slevuji.cz*, True -*.slews.net*, True -*.slfunny.ga*, True -*.slggti.com.br*, True -*.slgproks.co.za*, True -*.slicklotto.ro*, True -*.slideshare.sg*, True -*.slightlygeneric.com*, True -*.slikam.si*, True -*.s-liker.us*, True -*.s-lima.com*, True -*.slimak.org*, True -*.slimdownrecipes.com*, True -*.slimed.org*, True -*.slimfingers.net*, True -*.slimfingers.org*, True -*.slimsmcgee.com*, True -*.slimyservers.com*, True -*.sline.net*, True -*.slingerhouse.com*, True -*.slinging404.com*, True -*.slingshotfilmsasia.com*, True -*.slipjig.org*, True -*.slixnet.ro*, True -*.slkroad.ro*, True -*.slloyd.net*, True -*.slly.fi*, True -*.slmaccom.com.au*, True -*.slnkovsieti.sk*, True -*.slochess.com*, True -*.slocom.be*, True -*.slogbook.ch*, True -*.sloki.si*, True -*.slo-minecraft.si*, True -*.slomskov-vrtec.si*, True -*.sloppylinux.com*, True -*.sloppyproductions.org*, True -*.slosberg.net*, True -*.slos.net*, True -*.slossle.com*, True -*.slotlogic.eu*, True -*.slotsgame.eu*, True -*.slotsoffortunenew.im*, True -*.slotsonline.co.za*, True -*.slotspray.nl*, True -*.slovenac.com*, True -*.slovenia-travel.net*, True -*.slovenie.si*, True -*.slovenski-jezik.com*, True -*.slovenski-jezik.net*, True -*.slow.cz*, True -*.slow-dive.ro*, True -*.slowdive.ro*, True -*.slowenien.si*, True -*.slowfoodashevillefoothills.org*, True -*.slowfoodfoothills.org*, True -*.slowfoodsydney.com.au*, True -*.slowmachine.net*, True -*.slowpeoplesuck.com*, True -*.slowrabbits.com*, True -*.slowserver.tk*, True -*.slpdoc.net*, True -*.slpsys.com*, True -*.slpz.co*, True -*.slrm.net*, True -*.slscnc.com*, True -*.slscomponents.com*, True -*.slscorp.com*, True -*.sls-isp.de*, True -*.slsitebuilders.com*, True -*.slumbo.com*, True -*.slupicki.com*, True -*.slurp-ramen.com*, True -*.slurryhills.com*, True -*.slush-pile.org*, True -*.slutties.com*, True -*.sluys.eu*, True -*.slyer.net*, True -*.sly.io*, True -*.slynet.lu*, True -*.slythe.net*, True -*.slyvronline.com*, True -*.sm13.info*, True -*.sm4shedinteractive.com*, True -*.sm7070.com*, True -*.sm-9090.com*, True -*.sma2-purwokerto.tk*, True -*.sma-alazhar14.com*, True -*.smaalhikmahmuncar.com*, True -*.smabbs.sch.id*, True -*.smabopkri2yk.sch.id*, True -*.smaboy.com*, True -*.smaboy.sch.id*, True -*.smabusonline.ca*, True -*.smacmini.com*, True -*.smacs.net*, True -*.smada.com*, True -*.smadav.ga*, True -*.smakeronesinjai.cf*, True -*.smalabupi.sch.id*, True -*.sm-alcobaca.pt*, True -*.small-acts-resistance-tibetan.org*, True -*.smallbox.se*, True -*.smallbusinessbooks.net.au*, True -*.smallbusinesscapital.org*, True -*.smallbusinessfinance.org*, True -*.smallbusinessfinance.us*, True -*.smallbusinessfinancing.biz*, True -*.smallbusinessfinancing.info*, True -*.smallbusinessfinancing.org*, True -*.smallbusinessfinancing.us*, True -*.smallbusinessprotectors.com*, True -*.smallbusinessring.com*, True -*.smallbusinesssolutionsbelfast.com*, True -*.smalldata.ch*, True -*.smalldio.com*, True -*.smallersearch.com*, True -*.smallerwebs.com*, True -*.smallhost.ch*, True -*.smallhosting.ch*, True -*.smallie.org*, True -*.smallisfabulous.com*, True -*.smalljobcompany.co.uk*, True -*.smallq.net*, True -*.smalls-lab.cf*, True -*.smallslab.cf*, True -*.smalls-lab.ga*, True -*.smallslab.ga*, True -*.smalls-lab.gq*, True -*.smallslab.gq*, True -*.smalls-lab.ml*, True -*.smallslab.ml*, True -*.smalls-lab.tk*, True -*.smallslab.tk*, True -*.smalls-server.cf*, True -*.smallsserver.cf*, True -*.smalls-server.ga*, True -*.smallsserver.ga*, True -*.smalls-server.gq*, True -*.smallsserver.gq*, True -*.smalls-server.ml*, True -*.smallsserver.ml*, True -*.smalls-server.tk*, True -*.smallsserver.tk*, True -*.smallstores.com.au*, True -*.smalltask.net*, True -*.smallwillie.info*, True -*.smallworldgeneology.com*, True -*.smambl.com*, True -*.sman1boyolangu.sch.id*, True -*.sman1-mgl.sch.id*, True -*.sman1pilangkenceng.sch.id*, True -*.sman1purwantoro.sch.id*, True -*.sman1tanjung.sch.id*, True -*.sman1tulungagung.sch.id*, True -*.sman1yogya.sch.id*, True -*.sman3lumajang.sch.id*, True -*.smanjampangkulon.sch.id*, True -*.smanked.com*, True -*.smanra.sch.id*, True -*.smansala.tk*, True -*.smansasoo.com*, True -*.smarket.ro*, True -*.smaroflixocvedig.pw*, True -*.smarques.com*, True -*.smarques.com.br*, True -*.smartadmin.co.za*, True -*.smartadvertokilx.pw*, True -*.smartbidet.co.za*, True -*.smartbloodtest.com*, True -*.smartbloom.org*, True -*.smartbuy.pk*, True -*.smartcardiology.eu*, True -*.smartchalk.ru*, True -*.smartchile.cl*, True -*.smartcollab.org*, True -*.smartcommunities.biz*, True -*.smartcommunity.cl*, True -*.smart-community.co.za*, True -*.smartcommunity.co.za*, True -*.smartconnect.co.id*, True -*.smartcourier.co.za*, True -*.smartcube2u.com*, True -*.smartcubesoft.com*, True -*.smartdermatology.eu*, True -*.smartdiagnosis.net*, True -*.smartdiagnosis.org*, True -*.smartdiagnostics.eu*, True -*.smartdigitalasset.com*, True -*.smartdigitalasset.co.za*, True -*.smartdigitalassets.co.za*, True -*.smartdomain.co.za*, True -*.smartdomainmanager.co.za*, True -*.smartdone.ch*, True -*.smarteagle.ch*, True -*.smarteame.com*, True -*.smart-earn.com*, True -*.smartedfixedfoxit.pw*, True -*.smart-edu.web.id*, True -*.smartelectricity.co.za*, True -*.smarter-homes.com*, True -*.smarter-homes.co.uk*, True -*.smarterpowergrid.com*, True -*.smarterpowergrid.org*, True -*.smartertakeout.com.mx*, True -*.smartever.com*, True -*.smart-express.ru*, True -*.smartfits.co.uk*, True -*.smartforest.de*, True -*.smartfoxsolutions.com*, True -*.smartfox.us*, True -*.smartframe.co.za*, True -*.smartfran.com*, True -*.smartfran.com.ar*, True -*.smartgear.ch*, True -*.smartgreen.com.ar*, True -*.smartgridlinux.com*, True -*.smartgridlinux.info*, True -*.smartgridlinux.org*, True -*.smartgrids.co.za*, True -*.smartguide2credit.com*, True -*.smarth0me.com*, True -*.smarthealt.com*, True -*.smarth.net*, True -*.smart-homes.ro*, True -*.smarthotel.co.za*, True -*.smarthotels.co.za*, True -*.smartica.ro*, True -*.smart-idea.ro*, True -*.smart.id.lv*, True -*.smartinspections.info*, True -*.smartinspectionsnext.info*, True -*.smartiridology.com*, True -*.smartiridology.es*, True -*.smartiridology.eu*, True -*.smartiris.es*, True -*.smartiris.eu*, True -*.smartiriseye.com*, True -*.smartiriseye.es*, True -*.smartiriseye.eu*, True -*.smartit4schools.com*, True -*.smartit.us*, True -*.smartjournalism.com*, True -*.smartjournalism.org*, True -*.smartkikexfetlokpimok.pw*, True -*.smartl.gr*, True -*.smartlifeclub.ru*, True -*.smartline-be.ch*, True -*.smartlinkexchangeadv.pw*, True -*.smartlog.com.tr*, True -*.smart-logic.ro*, True -*.smart-logistic.com.tr*, True -*.smart-lojistik.com*, True -*.smart-lojistik.com.tr*, True -*.smartmation.com*, True -*.smartmation.com.ar*, True -*.smartmation.net*, True -*.smartmedicine.eu*, True -*.smartmesh.net*, True -*.smartnewectedadv.pw*, True -*.smartnezz.com*, True -*.smartnitkilpolotetef.pw*, True -*.smartnotes.us*, True -*.smartnutrition.co.za*, True -*.smartofficellc.com*, True -*.smartoo.net*, True -*.smartopenexdonbutr.pw*, True -*.smartopixtornet.pw*, True -*.smartos.net.br*, True -*.smartpack.cl*, True -*.smartpack.ro*, True -*.smartpetherapy.com*, True -*.smartpettherapy.com*, True -*.smartphone7.com*, True -*.smartphonejunkie.org*, True -*.smartphoto.ro*, True -*.smartplayclub.ro*, True -*.smartprogramming.co.uk*, True -*.smartproject.com.ar*, True -*.smartradar.ir*, True -*.smartsadvertonmiked.pw*, True -*.smartsehatdetox.com*, True -*.smartservices.com.ar*, True -*.smartshift.info*, True -*.smartshopbag.com*, True -*.smart-shoping.ro*, True -*.smartshoping.ro*, True -*.smartsimcha.com*, True -*.smartsimchah.com*, True -*.smartsimchaplanner.com*, True -*.smartsocksbd.com*, True -*.smartsonexdevfedgiyop.pw*, True -*.smart-sourcing.com.ar*, True -*.smart-spedition.com*, True -*.smarttelereditgedg.pw*, True -*.smarttimecheck.com*, True -*.smartto.info*, True -*.smartupholstery.com.au*, True -*.smartveritomadvert.pw*, True -*.smartveterinary.com*, True -*.smartveterinary.eu*, True -*.smart-vote.net*, True -*.smartwaysec.co.za*, True -*.smartwebs.co.za*, True -*.smartwebsite.co.za*, True -*.smartworkflow.co.za*, True -*.smartx.im*, True -*.smasacyberclub.net*, True -*.smashbeta.com*, True -*.smashbeta.co.uk*, True -*.smashico.com*, True -*.smashing.ws*, True -*.smashiptv.com*, True -*.smashmypi.com*, True -*.smashmypi.org*, True -*.smashranks.tk*, True -*.smashthenet.com*, True -*.smashthenet.co.uk*, True -*.smathis.com*, True -*.s-matte.hu*, True -*.smaxim.me*, True -*.smaxim.net.ru*, True -*.smaxim.pro*, True -*.smb3.com*, True -*.smbarker.co.uk*, True -*.smbb.ws*, True -*.smbgames.ro*, True -*.smbina.com*, True -*.smcdn.net*, True -*.smce.com.my*, True -*.smcmobile.ro*, True -*.smd1.cf*, True -*.smdahal.com.np*, True -*.sme-788.com*, True -*.smedia.info*, True -*.smegappliancerepair.com.au*, True -*.smekt.com*, True -*.smelly.cc*, True -*.smellycheesestudios.com*, True -*.smellychicken.com*, True -*.smerglbie.net*, True -*.smeweb.ro*, True -*.smg-financial.ro*, True -*.smg-game.com*, True -*.smh.com.my*, True -*.smh.my*, True -*.smhschamber.com*, True -*.smhschoirs.com*, True -*.smhschoirs.org*, True -*.smidarulbayan.net*, True -*.smii-brad.ro*, True -*.smijeh.tk*, True -*.smileblog.ro*, True -*.smilecnc.com*, True -*.smiledentalcareva.com*, True -*.smiledile.us*, True -*.smilefreak.com*, True -*.smilemag.ru*, True -*.smilenet.com.br*, True -*.smile-o-pack.net*, True -*.smileorthoshop.com*, True -*.smile.pt*, True -*.smilepvp.tk*, True -*.smilesdance.co.uk*, True -*.smilesgol.com*, True -*.smilesistemas.com.br*, True -*.smiletron.tk*, True -*.smillie.me*, True -*.smillie.xyz*, True -*.smillo.com*, True -*.sminted.com*, True -*.smirt.ch*, True -*.smish.com*, True -*.smitelman.ru*, True -*.smiteza.co.za*, True -*.smith-computing.co.uk*, True -*.smithfam.id.au*, True -*.smithgrovebaptist.org*, True -*.smithjon.com*, True -*.smithlawmt.com*, True -*.smith-netlab.org*, True -*.smithpowered.com*, True -*.smithsec.co.uk*, True -*.smithsservicesaxa.com*, True -*.smith-station.com*, True -*.smithstmedical.com.au*, True -*.smithtreks.com.np*, True -*.smitmans.cl*, True -*.smiyake.com*, True -*.smka.ru*, True -*.smkbisma.com*, True -*.smkdki.info*, True -*.smkdki.net*, True -*.smk-kartika1mks.sch.id*, True -*.smkn1situbondo.net*, True -*.smkn2lumajang.sch.id*, True -*.smkn3kimia-madiun.sch.id*, True -*.smkn4plg.sch.id*, True -*.smk-net.id*, True -*.smkngudo.sch.id*, True -*.smkperti58.sch.id*, True -*.smkpgrisookomojokerto.sch.id*, True -*.smkpgriwlingi.sch.id*, True -*.smktelematika.sch.id*, True -*.smktube.com*, True -*.smk-yadika-bangil.sch.id*, True -*.smldatacenter.com*, True -*.smlhost.info*, True -*.sm-liker.net*, True -*.smlsoft.com*, True -*.smm-678.com*, True -*.smmandre.tk*, True -*.smnhost.com*, True -*.smnliker.com*, True -*.smnsolution.co.id*, True -*.smoe.in*, True -*.smokeandgo.ru*, True -*.smokedchee.se*, True -*.smokegroupinternational.com*, True -*.smokemarket.ru*, True -*.smokeninjas.com*, True -*.smokeninjas.co.uk*, True -*.smoker.ga*, True -*.smokering.org*, True -*.smokey.ro*, True -*.smokeysbeaumont.com*, True -*.smokeyscorner.com*, True -*.smolarpc.com*, True -*.smoothasbeauty.com*, True -*.smooth.gq*, True -*.smoothiebot.com*, True -*.smoothsailingfac.com*, True -*.smorphine.com*, True -*.smoser.ch*, True -*.smoss.org*, True -*.smotretbesplatno.ru*, True -*.smotrety.ru*, True -*.smp1-panyabungan.com*, True -*.smp1sedayu.org*, True -*.s-mp3.com*, True -*.smp4wates.com*, True -*.smpaine.me*, True -*.smp-alazhar14.com*, True -*.smplabcibiru.sch.id*, True -*.smpn1-belinyu.com*, True -*.smpn7-pwk.sch.id*, True -*.smpn8cimahi.com*, True -*.smpn8cimahi.sch.id*, True -*.smpsimanjaya.sch.id*, True -*.smqkey.info*, True -*.smrad.org*, True -*.smri.io*, True -*.smrtnik-iptv.com*, True -*.smrtypnts.com*, True -*.smsafetysolutions.com.au*, True -*.smsbox.lv*, True -*.smsbus.se*, True -*.smservice.com.ve*, True -*.smsex.ch*, True -*.smsfaq.ru*, True -*.smsfnext.com*, True -*.smsfoundation.org*, True -*.smsgratisya.com*, True -*.smsguate.com*, True -*.smsjail.es*, True -*.sms-liebe.at*, True -*.smsmafia.in*, True -*.smsok.net.ve*, True -*.smson.ga*, True -*.smspay.co.za*, True -*.sms-pc.hk*, True -*.smspc.hk*, True -*.smspcnow.com*, True -*.smsreklama.lt*, True -*.smssoc.com*, True -*.smstech.co*, True -*.smstransport.net*, True -*.smstransport.org*, True -*.smsxtreme.net*, True -*.smt84.com*, True -*.smt87.com*, True -*.smtbox.com*, True -*.smt-claro.com.ar*, True -*.smtmarking.com*, True -*.smtmaz.ir*, True -*.smtotomasyon.com*, True -*.smucarija.si*, True -*.smummy.com.au*, True -*.smuns.ch*, True -*.smuplus.web.id*, True -*.s-musik.net*, True -*.smvb.net*, True -*.smvg.adv.br*, True -*.smvg.com.br*, True -*.smwilliams.com*, True -*.smxrwebsite.tk*, True -*.smyasociados.com.ar*, True -*.smyc.com.au*, True -*.snabbo.co.uk*, True -*.snae.com.ar*, True -*.snagaby.com*, True -*.snaggleboards.com*, True -*.snahswfs.pw*, True -*.snailvn.com*, True -*.snakebiteaust.com.au*, True -*.snakebiteaustralia.com.au*, True -*.snake.co.il*, True -*.snakelab.cc*, True -*.snallygaster.net*, True -*.snap-app.mobi*, True -*.snapcase.ca*, True -*.snape.ca*, True -*.snapframework.com*, True -*.snapnepal.com*, True -*.snapoffer.com*, True -*.snappas.net*, True -*.snappeh.com*, True -*.snappify.com.au*, True -*.snappybits.com.ar*, True -*.snapsaway.com*, True -*.snapstate.com*, True -*.snark.su*, True -*.snarkycloud.com*, True -*.snat.me.uk*, True -*.snb-bg.com*, True -*.snccc.co.uk*, True -*.snck.net*, True -*.snc.pro.br*, True -*.sneakybandit.com*, True -*.sneaky.ml*, True -*.sneeuwbeeld.nl*, True -*.snegana.com*, True -*.sneglebo.dk*, True -*.snehytta.com*, True -*.sne.jp*, True -*.sneksy.ru*, True -*.snesonora.gob.mx*, True -*.sneyers.org*, True -*.snfr.de*, True -*.sng.mn*, True -*.snhasani.tk*, True -*.snhdigitalstore.com*, True -*.snidytech.com*, True -*.sniezynski.pl*, True -*.sniffer.com.ar*, True -*.snifferquant.com*, True -*.sniffo.org*, True -*.snipely.com*, True -*.snipers.gq*, True -*.sniply.com*, True -*.snippetbeta.com*, True -*.sniver.ch*, True -*.snizhko.ru*, True -*.snkfoods.com*, True -*.snkrland.com*, True -*.snkrvillainz.net*, True -*.snmcbgk.in*, True -*.snme.ro*, True -*.snmj.net*, True -*.sn.my*, True -*.snobak.net*, True -*.snobu.org*, True -*.snoc.cl*, True -*.snoc.ir*, True -*.snocorlc.org*, True -*.snoek.tk*, True -*.snookincomputers.com*, True -*.snookys.net*, True -*.snoopdoggrollingpapers.com*, True -*.snoopys.cl*, True -*.snorkey.net*, True -*.snortfrog.com*, True -*.snovidcev.net.ru*, True -*.snowboardfaq.ru*, True -*.snowcosset.com*, True -*.snowforge.com*, True -*.snowguy.info*, True -*.snowhome.pl*, True -*.snowh.pl*, True -*.snowkiss.hk*, True -*.snowpatrol.ro*, True -*.snowpeakalpacas.com*, True -*.snowpick.co.il*, True -*.snowpi.org*, True -*.snowshelter.co.uk*, True -*.snozzi.com*, True -*.s-n-p.com.ar*, True -*.snpi.cf*, True -*.snsd-88.com*, True -*.snshero.com*, True -*.snsint.ch*, True -*.snsmedia.net*, True -*.snt-berd.ru*, True -*.sntglobal.com*, True -*.snto.cl*, True -*.snuggaboo.com*, True -*.snuggalites.com*, True -*.snuggiehumor.com*, True -*.snugglenets.com*, True -*.snuggletube.com*, True -*.snuker.ch*, True -*.snuten.net*, True -*.snvainafnifdsfasgehsrt.tk*, True -*.snxcdn.com*, True -*.snxcdn.net*, True -*.sny-001.com*, True -*.snyasociados.com.ar*, True -*.snyderbay.net*, True -*.snydercomputers.com*, True -*.snyderfamilypictures.com*, True -*.snyderonline.info*, True -*.so1.cc*, True -*.so1.name*, True -*.soanbai.vn*, True -*.soapagent.com*, True -*.soapboard.co.uk*, True -*.soapclient.com*, True -*.soapforums.co.uk*, True -*.soapnaturally.co.uk*, True -*.soapness.com*, True -*.soapspa.net*, True -*.soar4him.com*, True -*.soaring.com.br*, True -*.soarmp3.com.br*, True -*.sobadass.com*, True -*.sobamushi.com*, True -*.sobatanda.com*, True -*.sobczakm.pl*, True -*.sobeautysecrets.com*, True -*.sobettrondelex.com*, True -*.sobettrondelex.net*, True -*.sobeyit.com.au*, True -*.sobhe-tazeh.com*, True -*.sobhe-tazeh.ir*, True -*.sobolev.cc*, True -*.sobolev.net*, True -*.sobolewska.org*, True -*.soborailfan.com*, True -*.sobota.com*, True -*.sobr.co*, True -*.sobstel.com*, True -*.soc1.ir*, True -*.soc.al*, True -*.socalfishkillaz.com*, True -*.socalhydroponics.com*, True -*.socalprepper.com*, True -*.soca.si*, True -*.soccerclan.sg*, True -*.soccerclothing.eu*, True -*.soccercrack.com*, True -*.soccergeek.net*, True -*.soccerkickstart.com.au*, True -*.soccer-live.pl*, True -*.soccertoaster.com*, True -*.soccon.net*, True -*.sochacka.eu*, True -*.sochacki.pl*, True -*.sochat.io*, True -*.socialagency.ro*, True -*.socialcoders.org*, True -*.socialconspiracy.net*, True -*.socialfast.net*, True -*.socialfigures.com*, True -*.socialfigures.com.au*, True -*.socialfigures.com.br*, True -*.socialgest.com.ve*, True -*.socialhighlight.com*, True -*.socialhousemafia.com*, True -*.social-id.ga*, True -*.social-investing.ch*, True -*.socialistsushi.com*, True -*.socialleadgold.ga*, True -*.social-linked.com*, True -*.sociallyjustparenting.org*, True -*.socialmechile.cl*, True -*.socialme.cl*, True -*.socialmedia.cl*, True -*.socialmediaperth.com*, True -*.socialmediaperth.net.au*, True -*.socialmediawa.com.au*, True -*.socialphotos.net*, True -*.socialpm.ir*, True -*.socialshake.com*, True -*.socialsoundsproject.com*, True -*.socialthingsclub.com*, True -*.socialwarming.net*, True -*.socialwarming.org*, True -*.socianovation.com*, True -*.societyglitch.com*, True -*.socires.eu*, True -*.socires.net*, True -*.socires.org*, True -*.sockboy.org*, True -*.sockmonster.us*, True -*.sockshare.ws*, True -*.sockssh.com*, True -*.socks.usa.cc*, True -*.socksvip.ml*, True -*.sococoffee.com*, True -*.socontrileg.com*, True -*.socpravo.su*, True -*.socraticforum.org*, True -*.socser.com.ar*, True -*.soctoc.pt*, True -*.sodara.web.id*, True -*.sodasquid.com*, True -*.sodchuen.com*, True -*.sodesune.com*, True -*.sodesune.net*, True -*.sodimag.com*, True -*.sodoromania.ro*, True -*.so-download.net*, True -*.sodraledit.eu*, True -*.soecity.net*, True -*.soediq.ml*, True -*.soediq.tk*, True -*.soehne-manheims.de*, True -*.soeki.cf*, True -*.soela.org*, True -*.soemardi.com.au*, True -*.soenterprises.com*, True -*.soepeno.web.id*, True -*.sofabot.com*, True -*.sofainthesky.com*, True -*.sofaman.info*, True -*.sofare.tw*, True -*.sofasurfer.ch*, True -*.sofasurfer.org*, True -*.sofer.com.ar*, True -*.sofiabg.net*, True -*.sofiacampbell.com.ar*, True -*.sofiachiodi.com.ar*, True -*.sofianee.com*, True -*.sofianee.ru*, True -*.sofiarobb.com*, True -*.sofisec.ro*, True -*.sofoscafe.com*, True -*.sofrinogas.ro*, True -*.sofronovalex.tk*, True -*.soft868.com*, True -*.softair-games.ro*, True -*.softaltitudegames.com*, True -*.softart.us*, True -*.softautomation.co.uk*, True -*.softautomation.info*, True -*.softballchallenge.org*, True -*.softbend.net*, True -*.softbox.com.my*, True -*.softbush.com*, True -*.softcentrica.ro*, True -*.softcoffee.ro*, True -*.softcue.com*, True -*.softea.me*, True -*.softechnic.com*, True -*.softengine.net*, True -*.softerra.cl*, True -*.softexhellokitty.com*, True -*.softexpress.es*, True -*.softgrades.com*, True -*.softguy.com*, True -*.softids.com.ar*, True -*.softinbox.com*, True -*.softing.com.ar*, True -*.softinweb.net*, True -*.soft-iphone5.ru*, True -*.softknobs.com*, True -*.soft-layers.com*, True -*.softleader.org*, True -*.soft-libre.es*, True -*.soft-libre.eu*, True -*.soft-link.ca*, True -*.softlips.cz*, True -*.softlips.sk*, True -*.softmath.pl*, True -*.softmaths.org*, True -*.softopinion.com*, True -*.softpack.ro*, True -*.softpan.cl*, True -*.softprovietnam.com*, True -*.softraffer.ro*, True -*.softroller.com*, True -*.softsait.ru*, True -*.softselector.com*, True -*.softsense.ca*, True -*.softstudio.co.uk*, True -*.softstyle.ro*, True -*.soft-sys.ro*, True -*.softtime.ro*, True -*.softtoons.com*, True -*.softwareasli.web.id*, True -*.softwaredesignteam.com*, True -*.software-develop.eu*, True -*.software-development-consulting.nl*, True -*.softwaredev.guru*, True -*.softwareelves.com*, True -*.softwarefactory.org*, True -*.softwarefinesse.com*, True -*.softwarefreaks.com*, True -*.softwarelinux.web.id*, True -*.software-ol.com.ar*, True -*.software-products-development.com*, True -*.softwarepulsamurah.com*, True -*.softwaresmasters.com*, True -*.softwaresoup.tk*, True -*.softwarestudio.sk*, True -*.softwaretester.co.za*, True -*.softwaretools.ch*, True -*.softwarevend.com*, True -*.softwarewallet.org*, True -*.softwareweb.com.ve*, True -*.softwarte.es*, True -*.softways.info*, True -*.sofware-porurco.com*, True -*.sogababy.com*, True -*.soga.ec*, True -*.sogames.com.br*, True -*.sogeac.com*, True -*.sogedev.cf*, True -*.soged.it*, True -*.sogesca.al*, True -*.sogese.cl*, True -*.sogoodcandy.com*, True -*.sogoodplaza.com*, True -*.so-good.tw*, True -*.sogotshirts.com*, True -*.sohabeachrentals.com*, True -*.sohografica.com*, True -*.soho.hk*, True -*.soica.ro*, True -*.soies-nepal.org.np*, True -*.soillgang.com*, True -*.soillrecords.com*, True -*.soilmaster.org*, True -*.soilnet.com.br*, True -*.soj.ch*, True -*.sojda.org*, True -*.sojoe.at*, True -*.sojoyfc.com*, True -*.soju79.co.kr*, True -*.sokita.co.id*, True -*.soklutr.cf*, True -*.sokolimokiem.tv*, True -*.solabyte.net*, True -*.solanasfutbol.com.ar*, True -*.solanocountybankruptcy.com*, True -*.solaogroup.com*, True -*.solar4ca.com*, True -*.solaradvisor.tk*, True -*.solarbrigade.com*, True -*.solarburst.net*, True -*.solarcharts.co.nz*, True -*.solarcity-solarrural.ch*, True -*.solardata.mobi*, True -*.solardoktor.ro*, True -*.solar-energy.cl*, True -*.solaresgroup.com.ar*, True -*.solariiknight.org*, True -*.solari.mx*, True -*.solaris.co.il*, True -*.solarlogic.net*, True -*.solarmoxie.com*, True -*.solarnesia.com*, True -*.solarpanelestimates.co.uk*, True -*.solar-pizza.org*, True -*.solarporte.pt*, True -*.solar-power-adelaide.net.au*, True -*.solarpower-australia.com*, True -*.solarpower-australia.net.au*, True -*.solar-power-sydney.net.au*, True -*.solarpumpsystems.net.au*, True -*.solarsciences.net*, True -*.solarsociety.org*, True -*.solartpersianas.com.br*, True -*.solartrailer.com.au*, True -*.solartrailer.net*, True -*.solartrailer.net.au*, True -*.solartrailers.net*, True -*.solartrailers.net.au*, True -*.solar-wind.ch*, True -*.solary.mx*, True -*.solcarty.com*, True -*.solc.me*, True -*.soldigital.com.br*, True -*.soldigitalconsultoria.com.br*, True -*.soldonline.ca*, True -*.soledadespinosa.cl*, True -*.solematesneakers.com*, True -*.solematesneakers.com.au*, True -*.solerstudios.ch*, True -*.solertech.com*, True -*.solet.us*, True -*.solexinnovation.com*, True -*.solexinnovation.co.za*, True -*.solfa.org*, True -*.solforum.nu*, True -*.solfresard.ch*, True -*.solheimsvollen.net*, True -*.solidaris.ro*, True -*.soliday.org*, True -*.solidis.com*, True -*.solidmation.com*, True -*.solidmation.com.ar*, True -*.solidmation.net*, True -*.solidsights.com*, True -*.solidstoneapparel.com*, True -*.solidworkswpdm.com*, True -*.soliglow.co.uk*, True -*.solihin.biz*, True -*.so-like.net*, True -*.solike.tk*, True -*.solimco.com*, True -*.solink.co*, True -*.solisradius.pl*, True -*.solitary.org*, True -*.soliverez.com.ar*, True -*.solmetech.com*, True -*.solnascenteproducoes.com.br*, True -*.solodonto.com.br*, True -*.solografika.co.id*, True -*.sologub.md*, True -*.soloindustrialproducts.com*, True -*.solo-irk.ru*, True -*.sololineas.com*, True -*.solomochila.com.ar*, True -*.solomo.pt*, True -*.solomotorcycleproducts.com*, True -*.solonat.tk*, True -*.solonegociosweb.com.ar*, True -*.soloplay.ga*, True -*.solopos.co.id*, True -*.soloprenerds.com*, True -*.solopro.co.id*, True -*.solorpg.com*, True -*.solos.gr*, True -*.solostock.cl*, True -*.solosystem.ro*, True -*.soloverde.eco.br*, True -*.soloverdemeioambiente.com.br*, True -*.solovov.net*, True -*.solproacces.com*, True -*.sols-deschenaux.ch*, True -*.solsive.ro*, True -*.solskensmetarna.se*, True -*.solsource.co.za*, True -*.solstheim.com*, True -*.soltrad.ro*, True -*.soltranex.cl*, True -*.soluciencia.mx*, True -*.solucionesfinancieras.cf*, True -*.solucionesfinancieras.tk*, True -*.solucionesjry.com.ar*, True -*.solucionesmdq.com.ar*, True -*.solucionesmm.com.ar*, True -*.solucionestecnologicasambientales.tk*, True -*.solucionestecnologicasinpact.cl*, True -*.solucioni.mx*, True -*.solucoesestrategicas.pt*, True -*.solucoesqualidade.com*, True -*.soluekat.com*, True -*.soluestra.com*, True -*.soluparking.com.ar*, True -*.solusdesigns.net*, True -*.solusikayaberkah.com*, True -*.solutio.in*, True -*.solutioin.com*, True -*.solutionbox.co.za*, True -*.solutionhouse.ch*, True -*.solutionm.com*, True -*.solutionoptic.com.ar*, True -*.solutionsathome.ch*, True -*.solutions-techniques.com*, True -*.solutionviewer.com*, True -*.solving.se*, True -*.solvnt.net*, True -*.solyomiren.hu*, True -*.soly-tech.com*, True -*.somachi.cl*, True -*.somagel.cl*, True -*.somansays.com*, True -*.somanydoors.ca*, True -*.somasounds.net*, True -*.somatore.net.br*, True -*.sombrero.si*, True -*.somea.ir*, True -*.somea-mobile.tk*, True -*.somebody.hk*, True -*.someformoflight.net*, True -*.somemissing.info*, True -*.somenews.co.uk*, True -*.someone.one.pl*, True -*.someproduction.co*, True -*.somerford.me*, True -*.sometconstruct.ro*, True -*.somethinggui.com*, True -*.somethingiknow.com*, True -*.sometimesidostuff.com*, True -*.somet-sa.ro*, True -*.somewordson.com*, True -*.somisoft.net*, True -*.somlife.ru*, True -*.sommardahl.com*, True -*.sommelier.tw*, True -*.sommer4m.tk*, True -*.sommerbuergin.ch*, True -*.sommerson.com*, True -*.somnusoft.hu*, True -*.somomo77.com*, True -*.somostodosamigos.com.ar*, True -*.somplay.com*, True -*.somplay.pt*, True -*.somuchpotential.co.uk*, True -*.somy.web.id*, True -*.son545.com*, True -*.sonamsingh.com.np*, True -*.sonandofuerte.cl*, True -*.sonarbanglanewspaper.com*, True -*.sonarbehandlung.ch*, True -*.sonarcts.com.ar*, True -*.sonarintl.com*, True -*.sonart.ch*, True -*.sonbienhoa.com*, True -*.sonbits.com.ar*, True -*.son.bz*, True -*.sonceboz-nettoyages.ch*, True -*.soncured.com*, True -*.sond1478.com*, True -*.sondasespaciales.com*, True -*.sondeoctava.cl*, True -*.sondita.web.id*, True -*.soneek.info*, True -*.sonetospart.com.br*, True -*.song4free.co*, True -*.songblurb.com*, True -*.songblurb.net*, True -*.songblurbs.com*, True -*.songblurbs.net*, True -*.songcen.com*, True -*.songfree.co*, True -*.songlover.la*, True -*.songmeanings.biz*, True -*.songmeanings.me*, True -*.songmeanings.tv*, True -*.songoty.info*, True -*.songs4share.com*, True -*.songslike.com*, True -*.songswords.com.ar*, True -*.songwarriors.com.au*, True -*.songzhumei.com*, True -*.sonhana.com*, True -*.sonhoaltar.com.br*, True -*.soniamoevius.com.br*, True -*.soniceducation.com*, True -*.sonicgadgets.com*, True -*.sonicimplementations.com*, True -*.sonic.net.au*, True -*.sonicom-ent.com*, True -*.sonicresearch.com*, True -*.soni.si*, True -*.sonix.ro*, True -*.sonla.asia*, True -*.sonla.ru*, True -*.sonlemura.ru*, True -*.sonlife.org.au*, True -*.sonlightsoftware.com*, True -*.sonnenhirsch.ch*, True -*.sonoars.es*, True -*.sonodiag.ru*, True -*.sonofa.biz*, True -*.son-of-sand.com*, True -*.son-of-sand.us*, True -*.sonomamountainvineyards.com*, True -*.sonosax.com*, True -*.sonotec.com.my*, True -*.sonotelmo.com.ar*, True -*.sonriso.ro*, True -*.sontexgroup.com*, True -*.sonydistribution.ro*, True -*.sonyhelmi.com*, True -*.sonywoo.com*, True -*.soodd72.com*, True -*.sookeglass.ca*, True -*.sookeriverhotel.ca*, True -*.soomro.net*, True -*.soondubu.net*, True -*.soonercentral.net*, True -*.soon.it*, True -*.sooo.tk*, True -*.soooweibo.com*, True -*.soosin.com*, True -*.soozoe.tk*, True -*.sopandiahmad.com*, True -*.sop.com.pe*, True -*.sophiafin.ca*, True -*.sophiakokosalaki.us*, True -*.sophiamaddox.com*, True -*.sophiaphillips.net*, True -*.sophiart.us*, True -*.sophiejewellery.com*, True -*.sophielewis.name*, True -*.sophita.com*, True -*.sophochrome.com*, True -*.sophochrome.co.uk*, True -*.sophochrome.net*, True -*.sophochrome.org*, True -*.sophtia.com*, True -*.sophtia.org*, True -*.sopintex.com.br*, True -*.sopirku.com*, True -*.sopko.md*, True -*.soportedeinformatica.cl*, True -*.soporteideas.cl*, True -*.soporteit.net.ve*, True -*.soportemdq.com.ar*, True -*.soporte-mmm.com.ar*, True -*.soportemultinivel.com.ar*, True -*.soprano1.ca*, True -*.sopt.us*, True -*.sopulaina.fi*, True -*.sorairosubs.com*, True -*.soralia.co.za*, True -*.soraya.cl*, True -*.sorayahutchison.com*, True -*.sorcerys.org*, True -*.sordell.com*, True -*.sorger.biz*, True -*.sorger.info*, True -*.sorinastoica.ro*, True -*.sorinu.tk*, True -*.sorizan.com*, True -*.sorjak.com*, True -*.sorjateng.org*, True -*.sormani.com.ar*, True -*.sornar.com*, True -*.sorn.one.pl*, True -*.sorocaba.adv.br*, True -*.sorrentoopenclub.com.ar*, True -*.sorrilha.ml*, True -*.sorriso-mz.org*, True -*.sorry.is*, True -*.sorryone.com*, True -*.sorsa.org.za*, True -*.sortadrunk.com*, True -*.sortadrunk.net*, True -*.sortdomain.tk*, True -*.sortf.com*, True -*.sortmymail.com*, True -*.sosambiente.cl*, True -*.sosanimal.cl*, True -*.sosanime.com*, True -*.sosa.ro*, True -*.sosautobody.com*, True -*.sosbsas.com.ar*, True -*.soscadou.ro*, True -*.soscranetrucks.com*, True -*.sosete-ciorapi.ro*, True -*.sosetica.ro*, True -*.sosfuvos.net*, True -*.sosis-bakar-bandung-santika.com*, True -*.sosjacanosdesardigna.it*, True -*.sos-kc.org*, True -*.soskids.net*, True -*.soskutiko.info*, True -*.soslimpeza.com.br*, True -*.sosmanga.com*, True -*.sosmanga.net*, True -*.sosmanga.org*, True -*.sosmundial.com.ar*, True -*.sosonaru.ro*, True -*.sospet.com.br*, True -*.sos-pomoc.hr*, True -*.sos-pronatura.ro*, True -*.sostech.net.au*, True -*.sostilttrays.com*, True -*.sosunc.org.ar*, True -*.sosups.ro*, True -*.sosvet.pt*, True -*.sosyoblog.ml*, True -*.sotabots.com*, True -*.sotagroup.ru*, True -*.sotahome.com*, True -*.sotaquisa.cl*, True -*.sotares.net*, True -*.sotayhocduong.com*, True -*.soteri.ca*, True -*.sotf.me*, True -*.sothet.com*, True -*.sotinar.pt*, True -*.sotka-info.ru*, True -*.sotnikov.pw*, True -*.sotravill.cl*, True -*.sotych.pl*, True -*.soudooeste.com.br*, True -*.souhlaris.org*, True -*.soukla.com*, True -*.soulbirth.com*, True -*.soulbirth.com.au*, True -*.soulcarehk.org*, True -*.soulcrafting.tk*, True -*.soulfork.com*, True -*.soulheart-gaming.net*, True -*.soulmu.net*, True -*.soulslayer.eu*, True -*.soulspark.org*, True -*.soulsphere.org*, True -*.soulvoid.com*, True -*.soumaisaventura.com.br*, True -*.soumaisbarato.com.br*, True -*.soundaquatics.com*, True -*.soundartpro.com*, True -*.soundbeauty.com*, True -*.soundcaremedical.com*, True -*.soundchemist.com*, True -*.sound-cll.tk*, True -*.soundcube.ch*, True -*.soundengineering.ro*, True -*.soundex.org*, True -*.soundfactory-21.com*, True -*.soundfit.com.ar*, True -*.soundglobal.hk*, True -*.sound-movement.co.uk*, True -*.soundproject.ga*, True -*.soundpromote.com*, True -*.soundroid.co.il*, True -*.soundrown.com*, True -*.soundstormdeejays.com*, True -*.soundsystem.ro*, True -*.soundtentacle.de*, True -*.soundunity.pl*, True -*.soundweb.ro*, True -*.soupmakerrecipes.com*, True -*.source-asia.com*, True -*.sourceclip.org*, True -*.source-it.us*, True -*.sourcekeeper.com*, True -*.sourcemagazine.net.au*, True -*.sourcephp.org*, True -*.sourcescs.com*, True -*.source.si*, True -*.sourcingsa.co.za*, True -*.sourio.com.br*, True -*.soussa-csc.com*, True -*.souten.org*, True -*.southafricangirldoll.com*, True -*.southbay2.com*, True -*.southbeachcasa.com*, True -*.southcalgary.com*, True -*.southconetech.com*, True -*.southdademarina.com*, True -*.south-dm.ru*, True -*.southdubbotavern.com.au*, True -*.southeast.co.za*, True -*.southeastern.co.za*, True -*.southeasternnetworks.com*, True -*.southeastpt.com.au*, True -*.southernbookings.net*, True -*.southern.com.my*, True -*.southerncrosshotel.com.au*, True -*.southerndads.com*, True -*.southerngraphics.co.uk*, True -*.southernlightsmusic.com*, True -*.southernmost.biz*, True -*.southernmost.info*, True -*.southexcursions.cl*, True -*.southfairfaxstreet.com*, True -*.southfiregaming.com*, True -*.southfire.org*, True -*.southforkfd.com*, True -*.southgater.com*, True -*.southhamptononline.com*, True -*.southit.com*, True -*.southlondon-escorts.net*, True -*.south.me*, True -*.southquay.com*, True -*.southsaltlaketech.com*, True -*.southsaltlaketech.net*, True -*.southsaltlaketechnologies.com*, True -*.southsaltlaketech.org*, True -*.southshorebicycle.com*, True -*.southshorekickboxing.com*, True -*.southshoremedia.net*, True -*.southsidetinting.com*, True -*.southsidetinting.com.au*, True -*.southsmythesdale.com*, True -*.southsoundtechnology.com*, True -*.southtlondon-escorts.net*, True -*.southtrestle.com*, True -*.southvalleysigns.com*, True -*.southwest.co.za*, True -*.southwestern.co.za*, True -*.southwestvoodoo.com*, True -*.souvenirberkualitas.com*, True -*.souvenir.cz*, True -*.souvenirfoto.com*, True -*.souvenirimport.com*, True -*.souvenirteez.com*, True -*.souvenirulangtahunku.com*, True -*.souvenir-yk.com*, True -*.souvenirzku.com*, True -*.souza.es*, True -*.sovan.ro*, True -*.sovdat.si*, True -*.sovich.org*, True -*.soviwebs.com.ve*, True -*.sovix.org*, True -*.sovremennik-kino.ru*, True -*.sowens.me*, True -*.sowl.gr*, True -*.sowmyanagarajan.us*, True -*.sownit.net*, True -*.sox2.ro*, True -*.soxin4.net*, True -*.soxy-ip.co.uk*, True -*.soyal-accesscontrol.com*, True -*.soyar.com.ar*, True -*.soydevillasarmiento.com.ar*, True -*.soyingeniero.com.ve*, True -*.soylentseth.com*, True -*.soypython.ninja*, True -*.soysoquete.com.ar*, True -*.soytemiz.com.au*, True -*.sozvezdeie.com*, True -*.sozzin.com*, True -*.sp-2.com*, True -*.sp2qbq.com*, True -*.sp33dk1ngp1n.com*, True -*.sp33d.my*, True -*.sp-558.com*, True -*.spaans.si*, True -*.spaarbeleg.com*, True -*.space-academy.ru*, True -*.spaceclean.cl*, True -*.spacecleanser.com*, True -*.spacecoastimage.com*, True -*.space-cyber.org*, True -*.spacedrain.com*, True -*.space-elephant.com*, True -*.spacegangster.com*, True -*.spacegas.com*, True -*.space-gs.com*, True -*.spacehat.net*, True -*.space-hs.com*, True -*.space-ina.org*, True -*.space-is.com*, True -*.space-js.com*, True -*.spacelaser.co.il*, True -*.spaceleft.net*, True -*.spacelift.co.il*, True -*.spacelook.ru*, True -*.spacemule.net*, True -*.spacenuke.tk*, True -*.spacepictures.ca*, True -*.spacesat.com*, True -*.spacescape.in*, True -*.space-science.de*, True -*.spacesfh.com*, True -*.spacetechnology.net*, True -*.spaceveharn.com*, True -*.spachos.gr*, True -*.spacialdrift.com*, True -*.spacks.info*, True -*.spacocor.ro*, True -*.spa-dental.eu*, True -*.spa-dental.gr*, True -*.spadhausen.org*, True -*.sp-aero.ru*, True -*.spagnolobuilders.com*, True -*.spagnuolo.lu*, True -*.spaininvest.ru*, True -*.spain.sc*, True -*.spajalica.biz*, True -*.spajk.me*, True -*.spajk.xyz*, True -*.spalatoriiselfservice.ro*, True -*.spamadise.org*, True -*.spamer.co.uk*, True -*.spamming.ml*, True -*.spam-o-matic.com*, True -*.spam-o-matic.net*, True -*.spampackage.com*, True -*.spandekfumira.com*, True -*.spanglerpdx.net*, True -*.spanienresor.com*, True -*.spanish-realty.com*, True -*.spano.ca*, True -*.spanyar.ch*, True -*.sparajuli.com.np*, True -*.sparesandrepairs.co*, True -*.sparham.info*, True -*.sparham.org.uk*, True -*.sparifs.tk*, True -*.spark14.in*, True -*.sparkachampion.net*, True -*.sparkanoid.com*, True -*.sparkcaribbean.com*, True -*.sparker24.com*, True -*.sparklepop.com.au*, True -*.sparkleshine.org*, True -*.sparkleslimited.com*, True -*.sparklesmac.com*, True -*.sparkracer.pt*, True -*.sparksoftware.biz*, True -*.sparksolution.ch*, True -*.sparktv.cl*, True -*.sparrow.com.ar*, True -*.sparsho.com*, True -*.spartakiada.cz*, True -*.spartakman.ru*, True -*.spartanburgcc.com*, True -*.spartansehat.com*, True -*.spartansforari.com*, True -*.spartanwear.net*, True -*.spartinet.com*, True -*.spartinet.org*, True -*.spartoi.se*, True -*.spasofts.com*, True -*.spathizilla.tk*, True -*.spatialintegration.com*, True -*.spatio.li*, True -*.spatiugazduire.com*, True -*.spaul.com.ar*, True -*.spauldinglaw.com*, True -*.spavitta.com.br*, True -*.spawnstore.com.ar*, True -*.spaynix.ru*, True -*.spayse.co.za*, True -*.spazio.cl*, True -*.spazioinnovazioni.com*, True -*.spazz.one.pl*, True -*.spbaral.com.np*, True -*.spbisness.ru*, True -*.spbnw.com*, True -*.spb.nz*, True -*.spbox.cl*, True -*.spb-sip.tk*, True -*.spca.hk*, True -*.spccaa-bc.org*, True -*.spc-dunaj.net*, True -*.spchicago.org*, True -*.spc-live.com*, True -*.spc-live.net*, True -*.spdcreators.hk*, True -*.spdu.org*, True -*.speakandsearch.com*, True -*.speakergrid.com*, True -*.speakit-net.com*, True -*.speakout.hk*, True -*.speakupforchange.ca*, True -*.speakyourmind.space*, True -*.spearshome.us*, True -*.special-engagement-army-clan.tk*, True -*.specialgift.asia*, True -*.specialisedcrusherservices.com*, True -*.specialisedcrusherservices.com.au*, True -*.specialist.cc*, True -*.specialkind.net*, True -*.specialmomentsagency.ro*, True -*.specials4uc3.com*, True -*.specialsigning.com*, True -*.specialtylounge.com*, True -*.specialwap.ml*, True -*.spec.org.ru*, True -*.spectralreality.com*, True -*.spectreapplications.info*, True -*.spectre-net.co.nz*, True -*.spectromas.ro*, True -*.spectrum62.co.uk*, True -*.spectrumbooth.com*, True -*.spectrum.cl*, True -*.spectrumdataresources.com*, True -*.spectrumhealing.info*, True -*.spedalis-universis.com*, True -*.speechandhearingassoc.com*, True -*.speechandhearinghelp.com*, True -*.speechandpronunciation.com*, True -*.speechandpronunciation.co.uk*, True -*.speech.hk*, True -*.speechpathologybrisbane.com*, True -*.speechpathologybrisbane.com.au*, True -*.speedandtorque.com*, True -*.speedboataluminium.tk*, True -*.speedboatbekas.tk*, True -*.speedboatfiberbekas.tk*, True -*.speedboatfiberglass.tk*, True -*.speedboatfiber.tk*, True -*.speedboatindonesia.tk*, True -*.speedboatjakarta.tk*, True -*.speedboatmancing.tk*, True -*.speedboatpatroli.tk*, True -*.speedboatpenumpang.tk*, True -*.speed-car.ch*, True -*.speeddategirls.com*, True -*.speeddatehq.com*, True -*.speeddaterush.com*, True -*.speedgo.tk*, True -*.speedingticketgirl.com*, True -*.speeding-tricks.com*, True -*.speedinsure.hk*, True -*.speedkingpin.com*, True -*.speedlabkarting.se*, True -*.speedlab.se*, True -*.speedlabstreaming.com*, True -*.speedlabstreaming.se*, True -*.speed-likerz.com*, True -*.speed-parcel.co.uk*, True -*.speedparcel.co.uk*, True -*.speedreaderapp.com*, True -*.speedrocket.net*, True -*.speedrun.org*, True -*.speedstats.org*, True -*.speedtech.cn*, True -*.speedtone.com*, True -*.speedwaycomputing.com*, True -*.speedybytes.com.au*, True -*.speedyesales.com*, True -*.speedyfit.biz*, True -*.speedy-fit.co.uk*, True -*.speedy-net.ch*, True -*.speedypixel.ml*, True -*.speedyres.com*, True -*.speedys.ch*, True -*.speedytest.info*, True -*.speedytest.it*, True -*.speedyturtle.info*, True -*.speedz.nl*, True -*.spehora.com.br*, True -*.speicherhahn.com*, True -*.spekhp.gq*, True -*.spekpcvroh.ga*, True -*.spektrummuh.com.tr*, True -*.spelar.se*, True -*.speldenkussen.tk*, True -*.speleosphere.org*, True -*.spell.ch*, True -*.spelledbackward.com*, True -*.speltorsk.se*, True -*.spembroke.com*, True -*.spencedit.com*, True -*.spenceradams.org*, True -*.spencerbosworth.com*, True -*.spencerbunting.com*, True -*.spencercovington.com*, True -*.spencergriffin.com*, True -*.spencerpainting.net*, True -*.spencerportbiblechurch.org*, True -*.spence.rs*, True -*.spencerthomass.com*, True -*.spenderherz.ch*, True -*.spenjco.com*, True -*.speranta-romania.ro*, True -*.sperat.com.ar*, True -*.sperez.com.ar*, True -*.sperryunlimited.com*, True -*.spesaamerica.com*, True -*.spesial.cf*, True -*.spesifikasilenovo.ga*, True -*.spetra.ru*, True -*.spetslit.ru*, True -*.spetsmontazh.com*, True -*.speyetech.net*, True -*.speysondheim.com*, True -*.spf50krem.com*, True -*.sp-fajslawice.pl*, True -*.spfe.ir*, True -*.spgcantik.ml*, True -*.spgcheck.com*, True -*.spgpsc.com.ar*, True -*.sphautoparts.ca*, True -*.sphenical.ch*, True -*.sphereazure.com*, True -*.spheredata.co.za*, True -*.spherical-software.ro*, True -*.sphickey.com.au*, True -*.sphone.org*, True -*.spicealley.net*, True -*.spiceraq.com*, True -*.spicette.com*, True -*.spicettes.com*, True -*.spicevan.com*, True -*.spicy.pk*, True -*.spidercider.net*, True -*.spiderclan4xbox.com*, True -*.spideremailsolution.net*, True -*.spiderfish.net*, True -*.spiderjockey.com*, True -*.spidermaus.de*, True -*.spidernet.co.il*, True -*.spideycraft.tk*, True -*.spiegs.com*, True -*.spielgruppe.cl*, True -*.spielgruppeweidli.ch*, True -*.spielo.ml*, True -*.spiesr.com*, True -*.spiidfriik.com*, True -*.spii-spb.ru*, True -*.spike.tw*, True -*.spilk.us*, True -*.spillanesprinting.com*, True -*.spinalcare.ro*, True -*.spinellaillumina.it*, True -*.spinhirne.com*, True -*.spinxp.com*, True -*.spiraliving.ca*, True -*.spiralplot.com*, True -*.spirigs.ch*, True -*.spiritandword.ug*, True -*.spiritmonger.net*, True -*.spiritofadvaita.co.za*, True -*.spiritofthesky.ru*, True -*.spiritrefuge.com*, True -*.spiritsa.com.ar*, True -*.spiritual-service.info*, True -*.spirulina-heals-you.com*, True -*.spiru.ro*, True -*.spishy-ru.tk*, True -*.spisokvdorogu.ru*, True -*.spitbit.com.ar*, True -*.spiteriduca.com*, True -*.spitexregionolten.ch*, True -*.spitfiredev.com*, True -*.spitfiredev.co.uk*, True -*.spitika.gr*, True -*.spitstir.com*, True -*.spittelbar.ch*, True -*.spiz.cl*, True -*.spjmobile.com*, True -*.spk.com.np*, True -*.spkt2.net*, True -*.splakow.com*, True -*.splashmail.tk*, True -*.splashnet.ro*, True -*.splashweave.com*, True -*.splat.id.au*, True -*.splatnom.net*, True -*.splatnom.org*, True -*.splatnum.com*, True -*.splatnum.net*, True -*.splatnum.org*, True -*.splcloud.ch*, True -*.splcloud.net*, True -*.splegal.ru*, True -*.splend.id.lv*, True -*.splengu.in*, True -*.spletarjenje.tk*, True -*.spletkarna.si*, True -*.spletlab.net*, True -*.split.one.pl*, True -*.split.ro*, True -*.splshortcourses.com*, True -*.splshortcourses.co.za*, True -*.splunk-sled.com*, True -*.splunxter.com*, True -*.splusom.ru*, True -*.spmfn.com.au*, True -*.spm.my*, True -*.spmserver.com*, True -*.spn2g.tk*, True -*.spo-9.com*, True -*.spockfamily.net*, True -*.spodniewski.tk*, True -*.spoggi.com*, True -*.spog.gq*, True -*.spo-ho.com*, True -*.spoiler-attack.ru*, True -*.spoilerboard.co.uk*, True -*.spoilerboards.co.uk*, True -*.spoilerforums.co.uk*, True -*.spoilthedead.com*, True -*.spokanefamilyphotographers.com*, True -*.spokanemaranatha.com*, True -*.spokojnezycie.pl*, True -*.spokwa.net*, True -*.spolinnovations.com*, True -*.spolinnovations.in*, True -*.spomeniteni.org*, True -*.spon.ga*, True -*.spongeb.net*, True -*.sponge-bob-game.com*, True -*.spongereef.com*, True -*.spongycraft.tk*, True -*.spo-nine.com*, True -*.sponsorafuture.com*, True -*.sponsorafuture.co.uk*, True -*.sponsorafuture.net*, True -*.sponsorafuture.org.uk*, True -*.spontypic.com*, True -*.spoofed.ml*, True -*.spoofed.ninja*, True -*.spoof-o-matic.com*, True -*.spoofomatic.com*, True -*.spoof-o-rama.com*, True -*.spooforama.com*, True -*.spooker.net*, True -*.spookshowstudios.net*, True -*.spooksoftware.com*, True -*.spookyjams.tk*, True -*.spoolcastle.com*, True -*.spoolcastleproductions.com*, True -*.spoonman.org*, True -*.spoopycode.tk*, True -*.spootnika.com*, True -*.spootsworld.com*, True -*.sporedi.si*, True -*.sporen.co.za*, True -*.sporen.name*, True -*.sporkeheh.com*, True -*.sportautohuren.nl*, True -*.sportbusinessnetwork.ro*, True -*.sportcenter-andenmatten.ch*, True -*.sportduo.net*, True -*.sportember.net*, True -*.sportember.net.au*, True -*.sportent.com.ar*, True -*.sporteventleasing.com*, True -*.sportexpertsystem.com*, True -*.sport-express.lv*, True -*.sportgroup.cl*, True -*.sportingweb.com.au*, True -*.sportips.gr*, True -*.sportiveman.ru*, True -*.sport-land.ch*, True -*.sportlibre.com*, True -*.sportlibre.com.ar*, True -*.sportliga.com.ar*, True -*.sportlook.ru*, True -*.sportlo.to*, True -*.sportmealshop.com*, True -*.sportmusculo.es*, True -*.sportnamashina.com*, True -*.sportnation.ch*, True -*.sportography.co.za*, True -*.sportsarbaustralia.com*, True -*.sportsbarvillars.ch*, True -*.sports-ba.xyz*, True -*.sportsbookreview.ru*, True -*.sportsclick.tk*, True -*.sportseducationinstructors.org*, True -*.sportskickstart.com.au*, True -*.sportslist.com*, True -*.sportslive.hk*, True -*.sportslocker.ro*, True -*.sportsmart.be*, True -*.sportsoffensive.com*, True -*.sports-per-head.com*, True -*.sportsstreamsforall.com*, True -*.sportstoaster.com*, True -*.sport-streaming.net*, True -*.sportsud.ro*, True -*.sportswearstoresite.com*, True -*.sportswebreport.com*, True -*.sport-ticino.ch*, True -*.sportuitlaten.com*, True -*.sportulpotrivit.ro*, True -*.sportvorort.ch*, True -*.sportv.si*, True -*.sportwetten.info*, True -*.spostujmoslovensko.si*, True -*.spotcourt.com*, True -*.spotdropp.com*, True -*.spothub.com*, True -*.spothubque.biz*, True -*.spothubque.com*, True -*.spotlightdeals.ca*, True -*.spotlightdeals.com*, True -*.spotliker.net*, True -*.spotlikes.net*, True -*.spotlikes.tk*, True -*.spotlz.com*, True -*.spotranslations.com*, True -*.spotrs.in*, True -*.spots24.net*, True -*.spotsec.com*, True -*.spottedwielun.info*, True -*.spottedwielun.pl*, True -*.spottedzebraphotography.com*, True -*.spotterrf.net*, True -*.spotterrf.org*, True -*.spottt.com*, True -*.spotvid.ga*, True -*.spotvid.gq*, True -*.spotvid.ml*, True -*.sppoc.com*, True -*.sp-prg.com.my*, True -*.spq4.com*, True -*.spqrit.com*, True -*.spqwertyuiopasdfghjklz.xyz*, True -*.sprachenmobil.com*, True -*.spravca.net*, True -*.sprawysadowskiej.pl*, True -*.spraynozzleindonesia.com*, True -*.sprdancija.com*, True -*.spreadplace.com*, True -*.spreadplace.com.br*, True -*.spreadplace.org*, True -*.spreadthelight.org.za*, True -*.sprecher-automation.ir*, True -*.spreichantiq.net*, True -*.spreionline.tk*, True -*.spreitrendy.com*, True -*.sprey.is*, True -*.spriccc.com*, True -*.sprice.ro*, True -*.spriet-claus.be*, True -*.spring2lab.com*, True -*.springboardfoodservice.com*, True -*.springcourt.com.au*, True -*.springfundingllc.com*, True -*.springlaneprimary.com*, True -*.springleaves.asia*, True -*.springworks.com.my*, True -*.sprinklersupply.net*, True -*.sprinkul.com*, True -*.sprint0.net*, True -*.sprintbooster2.com*, True -*.sprintcom.hu*, True -*.sprinterandme.tk*, True -*.sprint-intl.com*, True -*.spr.io*, True -*.spritvogel.de*, True -*.sproathome.net*, True -*.sprocket.at*, True -*.sprocketq.com*, True -*.sprocketq.net*, True -*.sproge.ru*, True -*.sproutgarden.com.au*, True -*.sproutme.com.au*, True -*.sprucehillstables.com*, True -*.sprucenshine.com*, True -*.spruceup.se*, True -*.sprudel.nl*, True -*.sprzedaj.tk*, True -*.spsgateway.ch*, True -*.spslog.ch*, True -*.spstali.ru*, True -*.sptformatble2014.co.uk*, True -*.sptips.ir*, True -*.sptoto.com*, True -*.sptransporte.net*, True -*.spudalicio.us*, True -*.spudco.ca*, True -*.spudlet.com*, True -*.spuhler.us*, True -*.s-pulsa.co*, True -*.spurdo.xyz*, True -*.spuriouscode.com*, True -*.spy-agents.net*, True -*.spyderlich.com*, True -*.spyderlich.org*, True -*.spydernet.org*, True -*.spygirlmovies.com*, True -*.spyingeyes.ca*, True -*.spykerk.eu*, True -*.spy-pi.co.il*, True -*.spyserv.com*, True -*.spyware-database.com*, True -*.spyware.ml*, True -*.spza.net*, True -*.sqcapacitacion.cl*, True -*.sqempresas.cl*, True -*.sqingenieria.cl*, True -*.sqkybeaver.com*, True -*.sqladvanced.cl*, True -*.sqldb2.com*, True -*.sql.fi*, True -*.sqlizer.com*, True -*.sqlmanager.tk*, True -*.sqlman.ca*, True -*.sqlserverbestpractices.com*, True -*.sqlserverbpm.com*, True -*.sqlserverbusinessintelligence.com*, True -*.sqlservercommunity.com*, True -*.sqlserverconference.com*, True -*.sqlserverdts.com*, True -*.sqlserveressentials.com*, True -*.sqlserveretl.com*, True -*.sqlservergurus.com*, True -*.sqlserverinsider.com*, True -*.sqlserverintellect.com*, True -*.sqlserverknowledge.com*, True -*.sqlservermigration.com*, True -*.sqlserverolap.com*, True -*.sqlserverroadshow.com*, True -*.sqlserverrs.com*, True -*.sqlserverseminars.com*, True -*.sqlserversmarties.com*, True -*.sqlserverusers.com*, True -*.sqlserverusersgroup.com*, True -*.sqmitco.cl*, True -*.sqn.at*, True -*.sqnp.ro*, True -*.sqo.co.za*, True -*.sqooozee.com*, True -*.sqoozee.com*, True -*.squadnoob.tk*, True -*.squadplay.com*, True -*.squadritto.cl*, True -*.squadron66.com*, True -*.squadwars.net*, True -*.squaredancecenter.com*, True -*.squarekiwi.net*, True -*.squaremilesoftware.com*, True -*.squaremoo.com*, True -*.squareorange.net*, True -*.squareownz.org*, True -*.squares.space*, True -*.squaretony.biz*, True -*.squashlosone.ch*, True -*.squashpower.ro*, True -*.squashware.com*, True -*.squashware.net*, True -*.squashware.org*, True -*.squatbarefoot.com*, True -*.squawkboxwifi.com*, True -*.squeakyporcupine.com*, True -*.squibo.com*, True -*.squidbeak.com*, True -*.squiggle.io*, True -*.squirreldip.com*, True -*.squirrelms.com*, True -*.squirrels.de*, True -*.squirrel-server.tk*, True -*.squishplop.com*, True -*.squishyds.com*, True -*.squishyds.us*, True -*.squishymess.com*, True -*.squivler.co.uk*, True -*.sqwaddle.com*, True -*.sr4.co.za*, True -*.sracunovodstvo.si*, True -*.sramage.net*, True -*.sramock.com*, True -*.srastaffing.com*, True -*.srawan.com.np*, True -*.srbracing.com*, True -*.src-bekasi.us*, True -*.srccc.com.au*, True -*.srcollections.co.id*, True -*.srcsb.com*, True -*.srcsistem.com*, True -*.srdchile.cl*, True -*.sr-designs.co.uk*, True -*.srdproductions.com*, True -*.srdz.cl*, True -*.srebrenica.net*, True -*.srebrnik.eu*, True -*.sreenilayam.com*, True -*.srev.com*, True -*.srgmri.co.nz*, True -*.sriaz.com*, True -*.srijanajha.com.np*, True -*.srikandi.web.id*, True -*.srikotamedical.com*, True -*.srimemes.com*, True -*.srirupa.com*, True -*.sritex.co.id*, True -*.srivaishnavam.com.au*, True -*.srivaishnavam.org.au*, True -*.sriwijayaair.co.id*, True -*.srks.ch*, True -*.srk-vaki.fi*, True -*.srmck.com*, True -*.srmcollider.org*, True -*.srmedicals.tk*, True -*.srmendoza.com*, True -*.srmmx.com*, True -*.sro-asgard.com*, True -*.sroufedesign.com*, True -*.sroweb.ch*, True -*.srtacarolina.com.ar*, True -*.srutiacademy.com*, True -*.srv6.eu*, True -*.srvgames.ro*, True -*.srv.hacdc.org*, True -*.srvi.info*, True -*.srvjc.com*, True -*.srvohm.nl*, True -*.srvpl.pl*, True -*.sry9.com*, True -*.ss01042002.com*, True -*.ss1982.me.uk*, True -*.ss-2080.com*, True -*.ss77892.ru*, True -*.ss84.org*, True -*.ssai2021.com.ve*, True -*.ssanaodontologia.com.ar*, True -*.ssancall.com*, True -*.ssantel.com*, True -*.ssariews.tk*, True -*.ssat.com.ar*, True -*.ssatplus.com.ar*, True -*.ssaudio.com.my*, True -*.ssc84.com*, True -*.ssc92.com*, True -*.sscada.co.kr*, True -*.ssdp-tip.org*, True -*.sselki.ru*, True -*.ssenn.org*, True -*.ssfengfan.com*, True -*.ssforwarding.co.za*, True -*.ssgconvenios.com.ar*, True -*.ssh-agan.cf*, True -*.sshasamoah.tk*, True -*.sshbandung.com*, True -*.sshbandung.tk*, True -*.sshcn.org.np*, True -*.sshconsultoria.com.br*, True -*.sshell.tk*, True -*.sshg.net*, True -*.sshgratis.web.id*, True -*.ssh.id.lv*, True -*.sshjoss.net*, True -*.sshotels.com.au*, True -*.sshsinga.cf*, True -*.sshstech.com*, True -*.ssh-tere.tk*, True -*.ssh-termurah.com*, True -*.ssico.ir*, True -*.ssiconsulters.com*, True -*.ssiddiqui.co*, True -*.ssi.li*, True -*.ssistem.com.ar*, True -*.ssitech.bg*, True -*.sskniranjan.ga*, True -*.ssksoft.ru*, True -*.ssl-crew.ru*, True -*.ssldefense.com*, True -*.sslmotionlabs.com*, True -*.ssl-privacy.com*, True -*.ssm.im*, True -*.ssmss.ro*, True -*.ssodemo.ga*, True -*.ssoft.pl*, True -*.ssoo.tk*, True -*.ssop.com.br*, True -*.ssott.com*, True -*.sspbx.co.za*, True -*.sspcam.com.br*, True -*.sspencer10.com*, True -*.sspmg.org.br*, True -*.sss1666.com*, True -*.sss816.com*, True -*.sss916.com*, True -*.ssseconference.org*, True -*.sssergy.tk*, True -*.ssshao.com*, True -*.ssshhh8.com*, True -*.ssshot.com*, True -*.sssmf.com*, True -*.sssmf.net*, True -*.sssmf.org*, True -*.sss-pulsa.com*, True -*.sssutas.com.au*, True -*.sssvid.com*, True -*.sstint.net*, True -*.ssvodata.co.za*, True -*.ssvp.org*, True -*.sswbz.com*, True -*.ssy77.com*, True -*.ssy87.com*, True -*.ssy97.com*, True -*.st0n3d.tk*, True -*.st1992s.com*, True -*.st-3355.com*, True -*.st-4545.com*, True -*.st-5566.com*, True -*.st5web.info*, True -*.st-6677.com*, True -*.st-825.com*, True -*.st9g.ru*, True -*.staat-sex-amen.ch*, True -*.stabbed.me*, True -*.stablenode.net*, True -*.stabler.ca*, True -*.stablesrow.com*, True -*.stablesrow.co.uk*, True -*.stach.co*, True -*.stach.io*, True -*.stach.one.pl*, True -*.stackrating.com*, True -*.stacktrace.tk*, True -*.stacyandjohn.us*, True -*.stacyhale.com*, True -*.staden.nom.za*, True -*.staderweg.de*, True -*.stadlman.com*, True -*.stadlman.net*, True -*.stadtfilter.ch*, True -*.staempfli-knapp.ch*, True -*.staffalacartelive.com*, True -*.staffmate.com.au*, True -*.staffordesq.com*, True -*.staffordit.com*, True -*.staffpro.net*, True -*.staffsyncro.cl*, True -*.stageflv.com*, True -*.stagestopcampground.net*, True -*.stag.ml*, True -*.stahlnecker.net*, True -*.stai-alazhary-cianjur.ac.id*, True -*.staii.com*, True -*.stainless123.com*, True -*.stainlessgecko.info*, True -*.stajner.si*, True -*.stakko.com*, True -*.stakkomail.net*, True -*.stalete.com*, True -*.stalheim.net*, True -*.stalheim.tk*, True -*.stalhut.de*, True -*.stalker.fi*, True -*.stalk.pw*, True -*.stallhynsta.se*, True -*.stamagdalena.cl*, True -*.stamfordasks.org*, True -*.stami-be.ch*, True -*.stamm.ca*, True -*.stamonica.cl*, True -*.stamperke.com*, True -*.stampingfoil.in*, True -*.stampingfoils.in*, True -*.stamps4food.com*, True -*.stamps4food.org*, True -*.stampsandletters.com*, True -*.stampsforfood.com*, True -*.stampsforfood.org*, True -*.stampyhome.com*, True -*.stampypad.com*, True -*.stampyweb.com*, True -*.stanciu.biz*, True -*.stancliffapartments.info*, True -*.stancliffapartments.net*, True -*.stancliffapartments.org*, True -*.stancliffparkapartments.com*, True -*.stan.cn*, True -*.stancu.ro*, True -*.standardgrup.ro*, True -*.standard-hk.com*, True -*.standardhomesltd.net*, True -*.standardimplosion.net*, True -*.standardpanels.com*, True -*.standardpizzacompany.com*, True -*.standardtestpacks.co.uk*, True -*.standarganda.biz*, True -*.standarganda.us*, True -*.standart-inform.com*, True -*.standby.com.ar*, True -*.stand.com.ar*, True -*.standconfident.com*, True -*.standup4tibet.org*, True -*.standupfortibet.com*, True -*.standupfortibet.org*, True -*.standuppaddlenoosa.com*, True -*.standuppaddlenoosa.com.au*, True -*.stanfordswim.hk*, True -*.stanharvell.com*, True -*.stanila.com*, True -*.stankoproekt.ru*, True -*.stankostroenie.ru*, True -*.stanleybox.com*, True -*.stanleypicklemovie.com*, True -*.stanmah.ru*, True -*.stanmash.com*, True -*.stanmed.ru*, True -*.stannestaug.org*, True -*.stansradiator.com*, True -*.st-anton-childcare.com*, True -*.stanwoodruff.com*, True -*.stanyurin.com*, True -*.stapleszoo.com*, True -*.s-tappen.be*, True -*.starbandcorp.tk*, True -*.starbandwebhosting.tk*, True -*.starbase123.com*, True -*.starbounduniverse.com*, True -*.starcast.cf*, True -*.starcast.ml*, True -*.starcenterforautism.com*, True -*.starchild2014.com*, True -*.starcitizen.ml*, True -*.starcivilizations.com*, True -*.starcliomediax.com*, True -*.starcom.pro*, True -*.stardom.ml*, True -*.stardroid.tk*, True -*.stardustcommercialservices.com*, True -*.starestvari.com*, True -*.starfleet.info*, True -*.starfury.co.uk*, True -*.starfyre.org*, True -*.stargatemc.com*, True -*.stargat.es*, True -*.stargazerscommunity.org*, True -*.starhoam.com*, True -*.star.is*, True -*.starkindustries.com.br*, True -*.starkk.id.au*, True -*.starkk.org*, True -*.starkom.ru*, True -*.starlang.net*, True -*.starlang.org*, True -*.starledimports.com.br*, True -*.starlightworld.net*, True -*.starline-parts.ro*, True -*.starlineparts.ro*, True -*.starlitedance.com.au*, True -*.starmaxtek.com*, True -*.starmedical.com.au*, True -*.starmet.ru*, True -*.starmike.com.ve*, True -*.starmooncoven.org*, True -*.starnerd.com*, True -*.star-net.co.il*, True -*.starnetworks.com.br*, True -*.starnightimport.com*, True -*.starofrose.com*, True -*.starpaster.com*, True -*.starpaytronik.com*, True -*.starpulsa.org*, True -*.starran.co.kr*, True -*.starry.co.za*, True -*.starscene.com*, True -*.starsdream.ch*, True -*.starsens.com*, True -*.starserviceinc.in*, True -*.starshare.ro*, True -*.starshiptroopersrp.net*, True -*.start168.com*, True -*.start168.net*, True -*.start-2000.ru*, True -*.startconsulting.ro*, True -*.startechconf.cl*, True -*.starters.su*, True -*.startheaterportland.com*, True -*.startilda.com*, True -*.startingchance.org.za*, True -*.startist.tw*, True -*.startmyeducation.com*, True -*.startmyfamily.com*, True -*.startmymotor.com*, True -*.startoolkit.org*, True -*.startostar.co.uk*, True -*.startrekkin.net*, True -*.startslowendshigh.com*, True -*.starttheparty12.com*, True -*.startuphost.info*, True -*.startupspace.pl*, True -*.startupwliczbach.pl*, True -*.startx.ro*, True -*.starvalor.com*, True -*.starvalour.com*, True -*.starvational.com*, True -*.starveyourselfbeautiful.com*, True -*.starwagonparts.com*, True -*.starwars.co.ve*, True -*.starwebsoft.com*, True -*.starzone.biz*, True -*.staszko.pl*, True -*.staszow.tk*, True -*.statboss.com*, True -*.statescasinos.com*, True -*.statesmangroup.org*, True -*.statewidecom.com*, True -*.staticfish.com*, True -*.staticreaction.com*, True -*.statika.si*, True -*.statikecho.net*, True -*.statinnovations.com*, True -*.stationadmin.ru*, True -*.station.moe*, True -*.stationplaylist.com*, True -*.statistiku.com*, True -*.statiunealovrin.ro*, True -*.statoveneto.net*, True -*.stat-seen.ml*, True -*.statsmexchartx.info*, True -*.statum.us*, True -*.status.co.il*, True -*.statuscor.com.br*, True -*.statuspro.ro*, True -*.stauntonslouisburgh.com*, True -*.stavgren.se*, True -*.stavinvest.sk*, True -*.stavi.si*, True -*.stavmedupak.ru*, True -*.stavropoly.ru*, True -*.stayathomedevs.com*, True -*.stayhere.co.il*, True -*.stay.lc*, True -*.staythebody13.com*, True -*.stbernadetteschool.net*, True -*.stbretail.ro*, True -*.st-bubu.com*, True -*.stc66.com*, True -*.stc87.com*, True -*.stc-llc.net*, True -*.stcloudhouston.com*, True -*.stcmeurope.com*, True -*.stcrispins.co.uk*, True -*.stctienda.com*, True -*.stdb.co.za*, True -*.stde.co.kr*, True -*.stdelta.com*, True -*.stdo.ms*, True -*.st-dupontiran.ir*, True -*.stdupontiran.ir*, True -*.stead.ca*, True -*.steadyworkers.com*, True -*.steagromania.ro*, True -*.steak-factory.ch*, True -*.steakweekly.com*, True -*.stealeat.com*, True -*.stealove.com*, True -*.stealthebasis.com*, True -*.stealthnet.it*, True -*.stealthserver.eu*, True -*.stealthygeek.com*, True -*.steambit.net*, True -*.steambit.org*, True -*.steambit.ru*, True -*.steauahub.ro*, True -*.s-tec.co.za*, True -*.s-tech.ch*, True -*.stechly.org*, True -*.steckonline.ch*, True -*.steco.net*, True -*.sted.ca*, True -*.stedeling.info*, True -*.steden.us*, True -*.stedilniki.si*, True -*.stedlphos.com*, True -*.steel-coin.com*, True -*.steeldetail.ro*, True -*.steeleguitars.com*, True -*.steele-sorensen.dk*, True -*.steelgraf.cl*, True -*.steel-grating-manufacturer.com*, True -*.steelmastermachinery.com*, True -*.steel.ml*, True -*.steelserver.us*, True -*.steelsheep.net*, True -*.steelsolutions.cl*, True -*.steelstocksint.com*, True -*.steelthorax.info*, True -*.steeluswo.com*, True -*.steelvaginas.org*, True -*.steel-velvet.pl*, True -*.steelyjames.com*, True -*.stefangroothuis.com*, True -*.stefanheymans.be*, True -*.stefanis.md*, True -*.stefanoconti.tk*, True -*.stefano-niko-orzen.tk*, True -*.stefanopepe.ch*, True -*.stefanopropiedades.com.ar*, True -*.stefanroberts.org*, True -*.stefansdream.com*, True -*.stefanservices.in*, True -*.stefantauer.de*, True -*.stefanzimmerli.ch*, True -*.stefanzimmerli.com*, True -*.stefecar.com.br*, True -*.steffano.biz*, True -*.steffen-schlinger.de*, True -*.steffensen.se*, True -*.stefneyv.com*, True -*.stefu.ch*, True -*.stegi-chorus.gr*, True -*.steginformatik.ch*, True -*.stegmannservice.com*, True -*.steigerwalts.com*, True -*.steinarsson.com*, True -*.stein.at*, True -*.steinerbilten.ch*, True -*.steiner-k.ch*, True -*.steinmetz.at*, True -*.steinmetznet.com*, True -*.stein-montreux-demenagements.ch*, True -*.stelimp.cl*, True -*.st-elizabeth.ru*, True -*.stellahits.com*, True -*.stellamarina.hu*, True -*.stellarpool.net*, True -*.stellashipping.com.tr*, True -*.stellavox.ch*, True -*.stelleinternational.com.au*, True -*.stelofme.ru*, True -*.stelzendepp.org*, True -*.stemandslide.com*, True -*.stemgaming.tk*, True -*.stemii.com*, True -*.stemii.co.za*, True -*.stemii.org*, True -*.stemline.com*, True -*.stenboda.se*, True -*.stendbaj.eu*, True -*.steneweb.org*, True -*.stenhouse.us*, True -*.steni.us*, True -*.steniwisata.com*, True -*.stentwood.com.au*, True -*.stepaheadtraining.org*, True -*.stepandstroll.com*, True -*.stepanovmaxim.ru*, True -*.step.com.ve*, True -*.step-energy.com*, True -*.stepenergy.net*, True -*.steperre.tk*, True -*.stepfinehk.com*, True -*.stephandlindsay.com*, True -*.stephanesmith.com*, True -*.stephanieborgelt.com*, True -*.stephaniederaul.cl*, True -*.stephaniestutz.ch*, True -*.stephanin.com.br*, True -*.stephanparry.com*, True -*.stephan-titz.de*, True -*.stephencol.es*, True -*.stephenconsulting.com.au*, True -*.stephendewald.com*, True -*.stephenherr.com*, True -*.stephenjabs.ca*, True -*.stephenjbaxter.com*, True -*.stephenlojewski.com*, True -*.stephenpape.net*, True -*.stephenpsych.com.au*, True -*.stephenwagler.com*, True -*.stephswii.tk*, True -*.stephtsang.com*, True -*.stephworks.com*, True -*.stepintomyday.com*, True -*.steppenwolfvm.tk*, True -*.steppenwolfvonmensch.tk*, True -*.steppingontoys.com*, True -*.stepsolution.net*, True -*.stepsys.org*, True -*.stepupenergy.com*, True -*.stepv.info*, True -*.ster85.pl*, True -*.sterbe.nz*, True -*.stereotip.ro*, True -*.sterlingprint.ca*, True -*.sterling.su*, True -*.sternenschmuck.ch*, True -*.steroccasion.eu*, True -*.steroccasion.info*, True -*.steroccasions.eu*, True -*.steroccasions.nl*, True -*.steroiden-shop.com*, True -*.steropes.info*, True -*.stes.fi*, True -*.stetter.us*, True -*.stetti.ch*, True -*.steuerguide.ch*, True -*.steuerhaus.ro*, True -*.steuer.md*, True -*.steuernagel.com.br*, True -*.stevanhogg.com*, True -*.steveandkristie.com*, True -*.stevebrackett.com*, True -*.stevechrismer.com*, True -*.stevedake.com*, True -*.stevedewald.com*, True -*.steveeagle.com*, True -*.steveeso.net*, True -*.steveharp.com*, True -*.steveharris.com.br*, True -*.steveharrop.co.uk*, True -*.steve.id.au*, True -*.stevekeims.com*, True -*.stevekoch.ca*, True -*.stevelawton.ca*, True -*.stevenandcandice.com*, True -*.stevenbauer.net*, True -*.stevencnm.net*, True -*.stevencohen.net*, True -*.stevenfoley.com*, True -*.stevenhickson.com*, True -*.steven.id.au*, True -*.steven.pw*, True -*.stevenr.net*, True -*.stevenr.org*, True -*.stevenscomputerservice.com*, True -*.stevenservices.in*, True -*.stevenspark.com*, True -*.stevenvisual.com*, True -*.stevenzawaski.com*, True -*.steveprattfamily.com*, True -*.steveprior.com*, True -*.steveranthony.net*, True -*.steverosato.com*, True -*.steve-savannah.com*, True -*.stevescomputers.biz*, True -*.stevesien.com*, True -*.steve-t-green.com*, True -*.steveward.org*, True -*.steveward.ws*, True -*.stevewong.ga*, True -*.stevia-bg.info*, True -*.stevoo.be*, True -*.stewartcurtis.com*, True -*.stew-family.com*, True -*.stewhouse8.com*, True -*.stex.ga*, True -*.steynehotel.com.au*, True -*.st-fifa.com*, True -*.stfu.cc*, True -*.stfu.gq*, True -*.stfu-kthnx.com*, True -*.stfu-kthx.net*, True -*.stfuman.com*, True -*.st-ga1.com*, True -*.st-georges.org.za*, True -*.stg.hk*, True -*.stgi.tk*, True -*.stgl.in*, True -*.stgm.su*, True -*.st-gogo.com*, True -*.sth0r.dk*, True -*.sthapatibd.com*, True -*.sthayi.com*, True -*.sthelena.fi*, True -*.st-hojo.com*, True -*.sthorizonte.com.ve*, True -*.stibium.pro*, True -*.stichtingzorgboerderijen.nl*, True -*.stickelsystems.com*, True -*.stickerize.me*, True -*.stickerpro.com.my*, True -*.stickville.ga*, True -*.stickyprints.ro*, True -*.stickysolutionz.com*, True -*.sticode.com*, True -*.sticode.org*, True -*.stiemahardhika-sia.ac.id*, True -*.sti-euro.com*, True -*.stihlbrzeg.pl*, True -*.stihovi.rs*, True -*.stijger.org*, True -*.stikeskendal.ac.id*, True -*.stikesmb.ac.id*, True -*.stikma.mx*, True -*.stikom.tk*, True -*.stilcolor.al*, True -*.stilephotography.ca*, True -*.stileworks.co.id*, True -*.stileworks.com*, True -*.stillaliveband.com*, True -*.stillart.ch*, True -*.stillcreekgardening.com*, True -*.still.tw*, True -*.stillwaterexpress.com*, True -*.stilmediasv.ro*, True -*.stiloclub.ro*, True -*.stilwellcreations.com*, True -*.stilwellenterprisesllc.com*, True -*.stimie.net*, True -*.stimulo.pt*, True -*.stineri.ro*, True -*.stingher.ro*, True -*.stingo.com.ar*, True -*.stingray.bz*, True -*.stinkpot.org*, True -*.stinksource.com*, True -*.stinnissen.net*, True -*.stipplezen.com*, True -*.stire24.ro*, True -*.stirihot.ro*, True -*.stirlinglane.com*, True -*.stirni.li*, True -*.stitaf.ac.id*, True -*.stitchedsoul.com*, True -*.stitchfingers.com*, True -*.stitt.me*, True -*.stiv2k.info*, True -*.stiwin.ca*, True -*.stiwin.com*, True -*.stiwin.co.uk*, True -*.stjameschurchclifton.org.uk*, True -*.st-jiro.com*, True -*.stjoeclub.org*, True -*.stjohnbert.org.au*, True -*.stjosephshistory.com*, True -*.stkhome.de*, True -*.stkhv.ru*, True -*.stkipdharma.ac.id*, True -*.stkipmktb.ac.id*, True -*.stkippgri-lumajang.ac.id*, True -*.stkip-ypup.ac.id*, True -*.stkkmk.eu*, True -*.stl.cl*, True -*.stlctv.ml*, True -*.stldeaf.org*, True -*.stlinternacional.com.br*, True -*.st-mama.com*, True -*.stmarksjefferson.org*, True -*.stmaryredcliffe.co.uk*, True -*.stmarysicsekk.com*, True -*.stmarysklpta.org*, True -*.stmaster66.ru*, True -*.sto4u.com*, True -*.stoccareddo.com*, True -*.stocdefotografii.ro*, True -*.stocfotografii.ro*, True -*.stocfoto.ro*, True -*.stock4all.co.il*, True -*.stockbay.ro*, True -*.stockbuy.ro*, True -*.stockcity.ru*, True -*.stockco.com.br*, True -*.stockdrop.com.au*, True -*.stockduo.com*, True -*.stock-family.co.uk*, True -*.stock-game.tk*, True -*.stockhausen.at*, True -*.stockholmcykelklubb.se*, True -*.stockholm-international.se*, True -*.stockinfomaster.com*, True -*.stockintl.ca*, True -*.stockmarketplayers.com*, True -*.stockmarkets.hk*, True -*.stockphotoperu.com*, True -*.stockpickshere.com*, True -*.stockpodium.com*, True -*.stockportnsg.co.uk*, True -*.stockport-tuition.co.uk*, True -*.stockprice.vn*, True -*.stocks2go.com*, True -*.stocks2go.net*, True -*.stocksale.com.br*, True -*.stocksjon.com*, True -*.stocktester.ru*, True -*.stock-ville.com*, True -*.stocpoze.ro*, True -*.stoellger-preila.de*, True -*.stofega.net*, True -*.stofer.name*, True -*.stoff.cl*, True -*.stoffel.net*, True -*.stoic2.net*, True -*.stoican.eu*, True -*.stojilovic.net*, True -*.stokedweb.com*, True -*.stokestechnology.com*, True -*.stokishpai.com*, True -*.stokistbanjar.com*, True -*.stokka.info*, True -*.stok.web.id*, True -*.stol3n.cc*, True -*.stolarkaprzeciwpozarowa.pl*, True -*.stoleallyour.info*, True -*.stolenimg.com*, True -*.stoletov.ru*, True -*.stoletov-ug.ru*, True -*.stollma.ch*, True -*.stolsvik.net*, True -*.stolzstein.com*, True -*.stomatologie-dristor.ro*, True -*.stomatologie-nonstop.ro*, True -*.stoneagetechnologies.com*, True -*.stonebutteranch.com*, True -*.stone-crusher.co*, True -*.stonecrusher.web.id*, True -*.stoned.ml*, True -*.stonelinks.org*, True -*.stone-lion.co.uk*, True -*.stonemillservice.com*, True -*.stonemillventures.com*, True -*.stonemonkey.com.ar*, True -*.stoner.one.pl*, True -*.stonesriver.org*, True -*.stonieb.com*, True -*.stoodee.com*, True -*.stoodeeworld.com*, True -*.stoopid.tk*, True -*.stoosem.si*, True -*.stop40.ru*, True -*.stopanic.cl*, True -*.stopanyforeclosurenowsacramento.com*, True -*.stop-daddy.com*, True -*.stopgame.com.br*, True -*.stopmanyun.com*, True -*.stopmomento.ru*, True -*.stopmurder.com*, True -*.st-opop.com*, True -*.stoppanic.cl*, True -*.stoppesten.nl*, True -*.stoptheobstructionistparty.com*, True -*.stopwatched.com*, True -*.stopwater.cn*, True -*.stopxam.net*, True -*.stoqbot.com*, True -*.stoquepa.com.br*, True -*.storage.cf*, True -*.storcatoaredefructe.ro*, True -*.store128.com*, True -*.store-1.net*, True -*.store360.pk*, True -*.storeapple.ro*, True -*.storearticle.org*, True -*.store.com.ar*, True -*.storehouse.hu*, True -*.storen-adelboden.ch*, True -*.storevisuals.com*, True -*.storevn.us*, True -*.storeylaw.com*, True -*.storeyourshit.com*, True -*.storiadirigutino.tk*, True -*.storinfor.pt*, True -*.storitve-bps.si*, True -*.storkhome.com*, True -*.storklja.si*, True -*.stormbacken.se*, True -*.stormblade.us*, True -*.stormfood.com*, True -*.stormlinux.be*, True -*.stormlinux.es*, True -*.stormlinux.net*, True -*.stormlinux.org*, True -*.stormlinux.tv*, True -*.stormlinux.us*, True -*.stormpvp.cf*, True -*.stormstress.ml*, True -*.stormvinge.se*, True -*.storm-ware.co.uk*, True -*.stormy.co.za*, True -*.stormystorage.com*, True -*.storpuman.se*, True -*.storspigg.se*, True -*.storyboard.co.il*, True -*.storybows.com*, True -*.storylook.co.kr*, True -*.storyonthewall.com*, True -*.storyshape.com*, True -*.storyteller.su*, True -*.stosunkimiedzynarodowe.pl*, True -*.stotis.net*, True -*.sto.tw*, True -*.stoupin.ru*, True -*.stoutste.nl*, True -*.sto-vo-kor.org*, True -*.stowers.me*, True -*.st-oz.com*, True -*.st-papa.com*, True -*.stpaulscemetery.org*, True -*.stpauls.com.ar*, True -*.stpaulunitedmethodist.org*, True -*.stpetepowersport.com*, True -*.stpetersandstpauls.org*, True -*.stpetersburgpowersport.com*, True -*.stpetersuccinmanks.com*, True -*.stpse.ro*, True -*.st-qq1.com*, True -*.str0bez.com*, True -*.str8.fi*, True -*.stracker.cc*, True -*.strada-sports.com*, True -*.stradhome.net*, True -*.stradivart.ro*, True -*.strahlenschutzbeauftragter.at*, True -*.strahlenschutzexperte.at*, True -*.strahlenschutzgutachter.at*, True -*.straightclownin.com*, True -*.stral.in*, True -*.stramfamily.com*, True -*.stramoconstruct.ro*, True -*.strandberg.nu*, True -*.strandinternal.com*, True -*.strangecharm.net*, True -*.strangemind.com*, True -*.strangeparty.com*, True -*.strangewaves.net*, True -*.strangewaysherewecome.co.uk*, True -*.strangewaysherewecome.net*, True -*.strangewaysherewecome.org*, True -*.strangewaysherewecome.org.uk*, True -*.strangled.net*, True -*.st-rara.com*, True -*.strataclad.ca*, True -*.strataclad.com*, True -*.stratainsurance.com.my*, True -*.stratainsurance.my*, True -*.stratechcrm.com*, True -*.strategic-alliance.in*, True -*.strategicdesign.us*, True -*.strategie.co.za*, True -*.strategoals.com*, True -*.strategon.ro*, True -*.strategyofcombat.com*, True -*.strathelections.com*, True -*.strathelections.co.uk*, True -*.stratospheric.com.au*, True -*.stratospheric.net.au*, True -*.strat-tac.com*, True -*.strattonshotel.com.au*, True -*.strattravel.com.mx*, True -*.stratulat1.com*, True -*.stratum1.net*, True -*.strauserfarms.com*, True -*.strauserhomes.com*, True -*.strauserproperties.com*, True -*.strausshouse.com.au*, True -*.strawberrynet.ru*, True -*.strawberry-tags.com*, True -*.strawberrytales.co.uk*, True -*.strawhouse.ch*, True -*.strawtricks.com*, True -*.strayasoft.com*, True -*.streambutler.net*, True -*.streame.tv*, True -*.streamfutura.com*, True -*.streamhosting.ch*, True -*.streamingvideo.ml*, True -*.streamiz-filmze.com*, True -*.streamlineelectrical.com.au*, True -*.streamlinefutura.com*, True -*.streamme.co.nz*, True -*.streammoderne.com*, True -*.streamrose.com*, True -*.stream-server.ch*, True -*.stream.tc*, True -*.streamtrade.tv*, True -*.streetdirectory.net.my*, True -*.streetdirectory.sg*, True -*.streetdirektory.com.my*, True -*.streetfair.net*, True -*.streetlightsdrama.com*, True -*.streetnova.org*, True -*.streetpasschicago.com*, True -*.streetsamurai.com*, True -*.streetsofbklyn.com*, True -*.streetvampires.ch*, True -*.streetwideassetrecoverygroup.com*, True -*.streetwidecollectionservices.com*, True -*.streetwidedebtrecoverygroup.com*, True -*.streetwiderecovery.com*, True -*.streetwiderecoveryinc.com*, True -*.strefamix.pl*, True -*.strei.ch*, True -*.streisandeffect.com*, True -*.stremler.pl*, True -*.strengarei.ro*, True -*.strengarii.ro*, True -*.strengari.ro*, True -*.strengarul.ro*, True -*.stres.biz*, True -*.stres.co*, True -*.stresnaokna.si*, True -*.stressreleasesa.co.za*, True -*.stretchapenny.com*, True -*.streznik.ga*, True -*.stricker-praxis.ch*, True -*.strick-kit.ch*, True -*.strickkit.ch*, True -*.strick-kits.ch*, True -*.strickkits.ch*, True -*.strick-laden.ch*, True -*.strictfp.com*, True -*.strictlyconformist.tk*, True -*.strictly.ninja*, True -*.strictus.com*, True -*.strijbosch.tk*, True -*.strike23.de*, True -*.stringfeed.com*, True -*.stringtheorydj.com*, True -*.strinnholms.se*, True -*.stripeyhorse.info*, True -*.stripmall.ro*, True -*.strki.net*, True -*.strobeck.net*, True -*.strobeck.se*, True -*.strobs.com*, True -*.stroirost.ru*, True -*.strokin.it*, True -*.stromm.com.ar*, True -*.strongernetworks.com.ve*, True -*.strongfamily.us*, True -*.strongliker.com*, True -*.strong-net.com*, True -*.strongson.com*, True -*.strongstory.com*, True -*.stronte.ch*, True -*.strontiumjesus.com*, True -*.stroyexpert.org*, True -*.stroysnami.com*, True -*.strt.xyz*, True -*.strub-immobilien.ch*, True -*.strubimmobilien.ch*, True -*.struccano.com.au*, True -*.struct.cf*, True -*.structural.ro*, True -*.structuriderezistenta.ro*, True -*.strugee.net*, True -*.strykelabs.com*, True -*.stscompani.ru*, True -*.stsfi.com*, True -*.stssystem.com*, True -*.ststech.net*, True -*.st-sw1.com*, True -*.st-sw2.com*, True -*.st-sw3.com*, True -*.st-sw4.com*, True -*.st-sw5.com*, True -*.st-sw6.com*, True -*.st-sw7.com*, True -*.st-sw8.com*, True -*.st-sw9.com*, True -*.st-swn.com*, True -*.stt-ec.com*, True -*.stthomasfoundation.org*, True -*.stuartfazakerley.com*, True -*.stuartfielding.com*, True -*.stuarthelwig.com*, True -*.stuartlight.co.uk*, True -*.stuartmathews.com*, True -*.stuartp.co.uk*, True -*.stuartr.id.au*, True -*.stuartshand.co.uk*, True -*.stuartshandgroup.com*, True -*.stuartshandgroup.co.uk*, True -*.stuarttown.com.au*, True -*.stuarttown.org.au*, True -*.stub.co.za*, True -*.stucktothefloor.com*, True -*.stuckup.co.za*, True -*.studentcentered.net*, True -*.studentcont.ro*, True -*.studenteasy.com*, True -*.studentedu.com.np*, True -*.studentenemail.de*, True -*.studenthouses.com.au*, True -*.studentje.net*, True -*.studentje.si*, True -*.studentjobs.com.my*, True -*.students.lt*, True -*.studentu.ro*, True -*.studhomes.ro*, True -*.studiapodarkov.ru*, True -*.studiniz.com.br*, True -*.studio-14.ch*, True -*.studio326.co.il*, True -*.studio532.com*, True -*.studio54.com.br*, True -*.studioazzurro.info*, True -*.studioberzaghi.it*, True -*.studiobfm.ch*, True -*.studiobloom.com.br*, True -*.studiob.lv*, True -*.studiocacciatore.com*, True -*.studiocadore.com*, True -*.studiocityvo.com*, True -*.studioconnect.biz*, True -*.studiocristal.ro*, True -*.studiodata.com.ar*, True -*.studiodentalebios.it*, True -*.studiodentisticoandretta.it*, True -*.studiodiemmerc.it*, True -*.studiodiip.eu*, True -*.studiodona.com.br*, True -*.studiodynamics.co.uk*, True -*.studioepektasis.com*, True -*.studiofantome.com*, True -*.studiofantome.net*, True -*.studio-gioia.ch*, True -*.studiohenna.fi*, True -*.studioinformatico.it*, True -*.studiolananh.com*, True -*.studiolegaleadami.it*, True -*.studiolegalecnt.it*, True -*.studiolegalemanuelapepi.it*, True -*.studiolusem.com*, True -*.studioluxfm.com*, True -*.studiomaster.si*, True -*.studiomc.com.au*, True -*.studiomedicolamaestra.it*, True -*.studio-m.ro*, True -*.studionuntihd.ro*, True -*.studiop3.net*, True -*.studioparaluppi.it*, True -*.studiopauletto.it*, True -*.studioprimadesign.com.br*, True -*.studiorjr.tk*, True -*.studiosakamoto.asia*, True -*.studiosarit.com*, True -*.studiosheva.com*, True -*.studiosigma.tv*, True -*.studiosilveston.ch*, True -*.studiostarkaraoke.com*, True -*.studiotecnologico.com*, True -*.s-tudio.tk*, True -*.studiovanite.com.br*, True -*.studiovideo.org*, True -*.studiovk.com*, True -*.studiowga.com*, True -*.studiowga.it*, True -*.studiu.eu*, True -*.studiuteologic.ro*, True -*.studt.ch*, True -*.study7979.com*, True -*.studymakeover.com*, True -*.study-now-pay-later.com.au*, True -*.stufestube.com*, True -*.stuffedanimalcentral.com*, True -*.stuffedanimalscentral.com*, True -*.stuffseek.com*, True -*.stuga-funasdalen.com*, True -*.stugots.tk*, True -*.stukamanhpt4.com*, True -*.stulcehaus.tk*, True -*.stumf.com*, True -*.stumf.si*, True -*.stuns.org*, True -*.stuntstore.nl*, True -*.stunzenas.lt*, True -*.stupaproject.ru*, True -*.stupica.com*, True -*.stupidnig.ga*, True -*.stupid.one.pl*, True -*.stupidsexy.ninja*, True -*.stupidshitiwriteontheinternet.com*, True -*.sturrocks.com.au*, True -*.stuwurtz.com*, True -*.stvad.org*, True -*.stvarcice.com*, True -*.stvip802.com*, True -*.stvip-ah.com*, True -*.stvip-live.com*, True -*.stvmb.at*, True -*.stv-neuenhof.ch*, True -*.stvtav.org.ar*, True -*.stweber.ch*, True -*.st-win7.com*, True -*.stwits.com*, True -*.stwits.ru*, True -*.stwongco.com*, True -*.stwoo.tk*, True -*.stw-r.de*, True -*.st-xo.com*, True -*.stydilka.ru*, True -*.style-ekb.ru*, True -*.style.pk*, True -*.stylesecretarial.com.au*, True -*.styleystory.com*, True -*.styner.net*, True -*.styrofoam-boots.com*, True -*.styrsky.com.ar*, True -*.st-yuyu.com*, True -*.stzi.org*, True -*.suaexplosives.in*, True -*.suaf.lv*, True -*.suahistoriavaidarumlivro.com.br*, True -*.suamayphoto.com*, True -*.suanie.net*, True -*.suanming.gq*, True -*.suannadams.com*, True -*.suara-konservasi.co*, True -*.suarapendidikanbatu.com*, True -*.suara-rakyat.com*, True -*.suara.us*, True -*.subaru-community.ch*, True -*.subarutuner.com*, True -*.subcob.com*, True -*.subcribs.ml*, True -*.subcribs.tk*, True -*.subdee.org*, True -*.subdomaindot.com*, True -*.subdomain.ga*, True -*.subdomain.gq*, True -*.subdomain.ml*, True -*.subekthi.com*, True -*.subematik.net*, True -*.subeshkc.com.np*, True -*.subfz.eu*, True -*.subhashbose.com*, True -*.subhashjindal.com*, True -*.subidha.com.np*, True -*.subinjoshi.com.np*, True -*.sublevel21.tk*, True -*.sublimaciya.ru*, True -*.sublimenail.ch*, True -*.sublimesaude.com.br*, True -*.sublimesounds.us*, True -*.subliminalmp3.guru*, True -*.sublocar.com*, True -*.submarinovigens.com.br*, True -*.submartino.com.br*, True -*.submeower.info*, True -*.submission.pl*, True -*.submit-gear.com*, True -*.subolca.com.ve*, True -*.subotovsky.com*, True -*.subpar.co*, True -*.subprodukti.ru*, True -*.subratgyawali.com.np*, True -*.subrids.com*, True -*.subrids.me*, True -*.subrids.net*, True -*.subrids.org*, True -*.subrids.pw*, True -*.subrofirm.com*, True -*.subroyal.tk*, True -*.subsonic.us*, True -*.subs-pants.net*, True -*.substance-abuse-tests.com*, True -*.substruction.net*, True -*.subsurfaceui.com*, True -*.subteam.info*, True -*.subtelephony.com*, True -*.subtitulando.com.ar*, True -*.sububies.biz*, True -*.sububies.space*, True -*.suburbanprecision.com*, True -*.subur-jaya.com*, True -*.suby.tk*, True -*.su-campus.com.ar*, True -*.successwms.hk*, True -*.succexy.net*, True -*.sucessucargas.com.br*, True -*.suchara.cx*, True -*.suchttherapiebaern.ch*, True -*.suchypressuregauge.com*, True -*.suci-fitria.tk*, True -*.suciu.ch*, True -*.suckhoe4u.com*, True -*.suckit.us*, True -*.suckmy.xyz*, True -*.suckoobai.com*, True -*.sucks.lt*, True -*.suck.tw*, True -*.sucky-sucky.biz*, True -*.sucky-sucky.org*, True -*.sucrenoticias.com*, True -*.sudako.net*, True -*.sudandulal.com.np*, True -*.sudanembassybeijing.com*, True -*.sudaryomo.com*, True -*.suddendeceleration.com*, True -*.suddenlyfive.com*, True -*.sudedil.ro*, True -*.sudeepacharya.com.np*, True -*.sudge.com*, True -*.sudieptutroi.com*, True -*.sudipk.com.np*, True -*.sudiptoghosh.ml*, True -*.sudokuquest.com*, True -*.sudoku.sg*, True -*.sudoku-solver.net*, True -*.sudo.kz*, True -*.sudol.ca*, True -*.sudotee.com*, True -*.sudptt06.org*, True -*.sudsonbleecker.com*, True -*.sudsonbleeker.net*, True -*.sudsonbleeker.org*, True -*.sueggel.net*, True -*.suelwald.de*, True -*.suero-tv.ru*, True -*.suesopian.com*, True -*.suessetorten.de*, True -*.sufficit.com.br*, True -*.suffymilk.com.my*, True -*.sufix.com.au*, True -*.sufiyo.com*, True -*.sufiyo.net*, True -*.sufnicnc.com*, True -*.sugaar.org*, True -*.sugacube.com.au*, True -*.sugamo-kotobuki.com*, True -*.sugarandspicehampers.com.au*, True -*.sugarcreekarms.com*, True -*.sugardoodle.de*, True -*.sugarfixbakeshop.com*, True -*.sugar-free.ca*, True -*.sugar-on-top-events.com*, True -*.sugar-on-top-events.com.au*, True -*.sugartoys.net*, True -*.sugiri.com*, True -*.sugi.us*, True -*.sugleris.com*, True -*.sugmegtom.com*, True -*.suhendra.com*, True -*.suhe.pl*, True -*.suicide-risk-screen.com*, True -*.suihun.com*, True -*.suikwong.org*, True -*.suiky.us*, True -*.suiteone.club*, True -*.suitless.net*, True -*.suits-me.net.au*, True -*.suitsustoatea.com*, True -*.sujankoirala.com.np*, True -*.suka69.ga*, True -*.suka-bokep.ga*, True -*.suka.ga*, True -*.sukakita.com*, True -*.sukaluyu.com*, True -*.sukanci.si*, True -*.suka.nu*, True -*.suka.se*, True -*.sukatamendoza.com.ar*, True -*.sukha1994.tk*, True -*.sukhdevsingh.com*, True -*.sukibox.com*, True -*.sukinull.tw*, True -*.sukrie.biz*, True -*.sukrya.com*, True -*.suksesjayamas.co.id*, True -*.suksessanjayaenergy.com*, True -*.sulavchaudhary.com.np*, True -*.sulbrasileira.com.br*, True -*.sulbrasileiratintas.com.br*, True -*.sulej.com*, True -*.sulekutlay.com*, True -*.sulengers.tk*, True -*.sule.ro*, True -*.sulimport.com.br*, True -*.suline.cz*, True -*.sulismusic.com*, True -*.suljagic.rs*, True -*.sulmotors-pf.com.br*, True -*.sulsel.go.id*, True -*.sulsul.co.kr*, True -*.suluttel.net*, True -*.suluus.ru*, True -*.sulvale.inf.br*, True -*.sulz.cl*, True -*.sumako.ch*, True -*.sumanaryal.com.np*, True -*.sumasajista.com.ar*, True -*.sumbarjobs.com*, True -*.sumberalam.net*, True -*.sumberban.co.id*, True -*.sumberban.com*, True -*.sumberbeasiswa.com*, True -*.sumber-cahaya.com*, True -*.sumberdayabumiutama.com*, True -*.sumberdownload.com*, True -*.sumberindahfashion.com*, True -*.sumbermalang.com*, True -*.sumbermalang.net*, True -*.sumber-mandiri.com*, True -*.sumbermandiri.net*, True -*.sumberplasticinjection.com*, True -*.sumbersafety.com*, True -*.sumbersejatijaya.com*, True -*.sum-box.de*, True -*.sumcin.tk*, True -*.sumeca.com.ve*, True -*.sumeetg.co.uk*, True -*.sumelagarden.com*, True -*.sumelmaharjan.com.np*, True -*.sumel.ro*, True -*.sumerucapital.hk*, True -*.sumi34.ch*, True -*.sumibi.org*, True -*.sumidas.com.ar*, True -*.sumincogar.com*, True -*.sumitpokhrel.com.np*, True -*.sumits.org*, True -*.sumkiman.ru*, True -*.summerbreezemotel.com*, True -*.summercat.com*, True -*.summergatevilla.com*, True -*.summerhillcricketclub.org.au*, True -*.summernaildesigns.com*, True -*.summerpub.it*, True -*.summitcityopen.com*, True -*.summitconstruction.biz*, True -*.summitnato.ro*, True -*.summitpowercable.com*, True -*.summitpowerchina.com*, True -*.sumners.org.uk*, True -*.sumoservers.net*, True -*.sumostyle.net*, True -*.sumpinsumpin.com*, True -*.sumrak-server.ru*, True -*.sums.hk*, True -*.sumyk.com.br*, True -*.sun18.ru*, True -*.sun-1994.com*, True -*.sunaengenharia.com.br*, True -*.sunaga.jp*, True -*.sun-asset.net*, True -*.sunatura.com*, True -*.sunaygeridonusum.com*, True -*.sunayhurdacilik.com*, True -*.sunbank.com.au*, True -*.sunbeamcbs.com*, True -*.sunbris.com*, True -*.sunburypropertymanagement.com*, True -*.sunburypropertymanagement.com.au*, True -*.sunburyrentalproperties.com.au*, True -*.suncaniodmor.com*, True -*.suncart.ro*, True -*.sun-cgv.com*, True -*.sun-chaser.com*, True -*.sun-co.ga*, True -*.suncow.eu*, True -*.suncube.de*, True -*.suncvet.ru*, True -*.sunda33.com*, True -*.sundalikers.pw*, True -*.sundaysport.co.za*, True -*.sundaywireless.com*, True -*.sundblad.com.ar*, True -*.sundby.com*, True -*.sunde88.com*, True -*.sunduksate.com*, True -*.sunecho.co.za*, True -*.sunenergies.ro*, True -*.sunfitgym.ro*, True -*.sunfroggroup.com*, True -*.sungchan.org*, True -*.sunggongvip.com*, True -*.sungjin.asia*, True -*.sungkem.guru*, True -*.sunglasshut-mail.co.za*, True -*.sunhoney.co.za*, True -*.sunilamaharjan.com.np*, True -*.sunilbajracharya.com.np*, True -*.sunil.cc*, True -*.sunilpoudel.com.np*, True -*.sunitalaughteryoga.co.nz*, True -*.sunjinjonghap.com*, True -*.sunjobservice.in*, True -*.sunkiddo.com*, True -*.sunlightccfl.com*, True -*.sunlikesupply.com*, True -*.sunlikesupply.net*, True -*.sunlink711.com*, True -*.sunlinksolar.com*, True -*.sunlinksolar.org*, True -*.sunlitindia.com*, True -*.sunmobil.org*, True -*.sunmoonseed.co.za*, True -*.sunnah.com.my*, True -*.sunnehus.net*, True -*.sunnyanaba.com*, True -*.sunnyindustries.net*, True -*.sunny-love.com*, True -*.sunnypeople.eu*, True -*.sunnyschool.com.tw*, True -*.sunnyservice.com.au*, True -*.sunnysidechristianschool.org*, True -*.sunnysidena.org*, True -*.sunnysidepac.ca*, True -*.sunoo.me*, True -*.sunos.ir*, True -*.sunray18.com*, True -*.sunrayhk.com*, True -*.sunrisefarmireland.org*, True -*.sunrisefoto.com*, True -*.sun-riselog.com*, True -*.sunrise.org.uk*, True -*.sunriser.tw*, True -*.sunrocks.com.ar*, True -*.sunsea.net.br*, True -*.sunsetbeachjazzproject.com*, True -*.sunsetbraais.co.za*, True -*.sunsetcoders.com*, True -*.sunshinealterations.com.au*, True -*.sunshinebanditz.org*, True -*.sunshinegrillefm.com*, True -*.sunshinepoultry.com*, True -*.sunsmoke.com*, True -*.sunsmoke.net*, True -*.sunsmoke.org*, True -*.suns.si*, True -*.sun-style.ru*, True -*.sun-sukhum.ru*, True -*.suntaipeiphil.org*, True -*.suntec.hk*, True -*.sunter.tk*, True -*.sunt.ninja*, True -*.suntpopulara.ro*, True -*.suntpopular.ro*, True -*.suntronics.in*, True -*.sunts.co.uk*, True -*.suntuk.tk*, True -*.suntverde.ro*, True -*.sunubuda.lv*, True -*.sunverpd.cf*, True -*.sunvic.info*, True -*.sunwap.net*, True -*.sunwind.ro*, True -*.suny.ch*, True -*.sunzan-design.com*, True -*.suona.com*, True -*.suoyin.info*, True -*.supachotefarm.com*, True -*.supbienestar.gob.ar*, True -*.supctrl.com*, True -*.super53herbie.tk*, True -*.superair.tw*, True -*.superandonos.cl*, True -*.supera.net.br*, True -*.superautoveiculos.com*, True -*.superb90.ro*, True -*.superbee.ws*, True -*.superbindustries.net*, True -*.superblue.com.ar*, True -*.superbowlpool2011.com*, True -*.superbowlpool2012.com*, True -*.superbowlpool2015.com*, True -*.superbowlpool2017.com*, True -*.superbowlpool2018.com*, True -*.superbowlpool2019.com*, True -*.superbowlpool2020.com*, True -*.superbproduction.com*, True -*.superchargedpc.com*, True -*.supercola.ir*, True -*.supercomputerrobot.com*, True -*.supercoolinc.com*, True -*.supercore.co.kr*, True -*.supercrinch.com*, True -*.superdatacloud.com*, True -*.superdator.se*, True -*.superdealstore.ro*, True -*.super-dent.md*, True -*.superdent.md*, True -*.superdnscenter.com*, True -*.superdodge.com*, True -*.superdojin.com*, True -*.superd.tw*, True -*.superelectroic.ro*, True -*.superfanapps.net*, True -*.superfest.ru*, True -*.superfreak.com.ar*, True -*.superguide.net.au*, True -*.superhac.ga*, True -*.superhidden.info*, True -*.superhidden.net*, True -*.superhtml.info*, True -*.super-ilanlar.com*, True -*.superimagery.com*, True -*.superinformed.ca*, True -*.superionet.com*, True -*.superior50.com.ar*, True -*.superiorcreditrepair.com*, True -*.superiorcreditspecialists.com*, True -*.superiordebt.com*, True -*.superiordebt.net*, True -*.superiordebt.org*, True -*.superiordebtrelief.com*, True -*.superiordebtrelief.net*, True -*.superiordebtrelief.org*, True -*.superiordebtservice.net*, True -*.superiordebtservices.com*, True -*.superioreducation.com*, True -*.superip.org*, True -*.superizeme.com*, True -*.super-lab.de*, True -*.super-lib.ru*, True -*.superliga88.com*, True -*.super-likerz.net*, True -*.superlubricanteseyj.com*, True -*.superlyrics.net*, True -*.supermackeybros.com*, True -*.supermailer.jp*, True -*.supermasivemedia.tk*, True -*.supermassivejeans.com*, True -*.supermegaprofit.web.id*, True -*.supermemory.hk*, True -*.supermercadodasfrutas.com.br*, True -*.supermercadosoriente.cl*, True -*.supermercadosriomarket.com.br*, True -*.supermercadoterezinha.com.br*, True -*.supermeteorgrid.com*, True -*.supermodelui.com*, True -*.supermops.org*, True -*.supermotika.com*, True -*.supermusteri.com*, True -*.supernice.com.my*, True -*.superpacomatic.com*, True -*.superpaginas.com.br*, True -*.superparkers.co.uk*, True -*.superperolas.com.br*, True -*.superpin.cl*, True -*.superportret.ru*, True -*.superpowlpool2014.com*, True -*.superracks.cl*, True -*.supersayan.tk*, True -*.superservidor.cl*, True -*.supershop.com.au*, True -*.supersixers.com*, True -*.supersmurf.com*, True -*.supersneaky.ninja*, True -*.supersonic.ml*, True -*.superspace.eu*, True -*.superspintt.com*, True -*.supertiendarita.com.ar*, True -*.supertux.ch*, True -*.supervacationworld.com*, True -*.supervigor.com*, True -*.supervigor.com.br*, True -*.supervines.org*, True -*.super-vip.tk*, True -*.superyeti.ru*, True -*.suphu.tk*, True -*.supir.biz*, True -*.supirku.com*, True -*.supito.ch*, True -*.suplacard.com*, True -*.suplemenmakdara.com*, True -*.suplementate.com.ar*, True -*.suplimenteprosaucontra.ro*, True -*.suplindo-ps.com*, True -*.suplutdh.cf*, True -*.suply-vensu.com.ve*, True -*.suportbiciclete.ro*, True -*.suporteadsl.com.br*, True -*.suporte-ebom.tk*, True -*.suportegpsparamoto.com.br*, True -*.suporteicb.com.br*, True -*.suporteparagps.com.br*, True -*.suporteweb.tk*, True -*.suport-inc.com*, True -*.suppito.ch*, True -*.supplieralatsafety.com*, True -*.supplieranekapipa.com*, True -*.supplierbahankimia.com*, True -*.supplierfilterair.com*, True -*.suppliergoods.com*, True -*.supplier-ikan.com*, True -*.suppliermaterialbangunan.com*, True -*.suppliermesinbakery.com*, True -*.supplierpabx.com*, True -*.supplierperalatansafety.com*, True -*.supplierpipa.com*, True -*.supplierpompa.com*, True -*.supplierstainlesssteel.com*, True -*.supplycabin.com*, True -*.supplychaininfo.co.za*, True -*.supplychainonline.co.za*, True -*.supplychainupdate.co.za*, True -*.supplyline.org*, True -*.supply.sg*, True -*.support4it.org*, True -*.support7.co.uk*, True -*.supportanerd.com*, True -*.supportbuy.tk*, True -*.supportcentre.com.my*, True -*.supportdesk.com.mx*, True -*.support-helpdesk.co.uk*, True -*.supportinformatica.com.ar*, True -*.supportisrael.tk*, True -*.supportloli.com*, True -*.supportm.com*, True -*.supportm.co.uk*, True -*.supportm.info*, True -*.supportmoxie.com*, True -*.supportnickturro.com*, True -*.supportresourcesinc.com*, True -*.supportsolusindo.com*, True -*.supportsolutions.com.ar*, True -*.supportwolfpack.com*, True -*.supravietuim.ro*, True -*.suprdupr-dj.com*, True -*.supremamultimarcas.net*, True -*.supreme-hosting.us*, True -*.supremeproint.com*, True -*.supremepty.com*, True -*.supremer.ch*, True -*.supremereferrals.com*, True -*.supremesafety.com*, True -*.supremesportstore.hu*, True -*.supriartigosmedicos.com.br*, True -*.supr.io*, True -*.suprisefinds.com*, True -*.suprun.ru*, True -*.supsikoloji-psikiyatri.com*, True -*.surajdhungel.com.np*, True -*.surajjung.com.np*, True -*.surajkulkarni.com*, True -*.surajpyakurel.com.np*, True -*.surak.kz*, True -*.suranet.tk*, True -*.sura-one.com*, True -*.surastur.com.ar*, True -*.surconex.web.ve*, True -*.surdone.cl*, True -*.sureclamo.com.ar*, True -*.surefiresql.com*, True -*.surel.me*, True -*.surenets.com*, True -*.sure-personnel.com*, True -*.surers.ch*, True -*.sureshg.com.np*, True -*.sureshrajbanshi.com.np*, True -*.surething.biz*, True -*.surf6.net*, True -*.surfacefleet.com*, True -*.surfacesband.co.uk*, True -*.surf-foto.net*, True -*.surfguidingbali.com*, True -*.surfinza.com*, True -*.surfjunkie.net*, True -*.surfnet.ca*, True -*.surf-n-fly.ch*, True -*.surf-n-go.ch*, True -*.s-u-r.ga*, True -*.surgeonspreferences.net*, True -*.surgicaldna.com*, True -*.suricatta.biz*, True -*.suridea.si*, True -*.surin.net*, True -*.surpass.com.ar*, True -*.surpass.hk*, True -*.surplus.cl*, True -*.surrealsystems.ca*, True -*.surrealwebstudio.com*, True -*.surreydarts.org.uk*, True -*.surreyears.co.uk*, True -*.surreyeyelash.com*, True -*.surreyquays.com*, True -*.surrounding.io*, True -*.surtani.org*, True -*.surtecchina.com*, True -*.surtec.mx*, True -*.surte.se*, True -*.suruat.ru*, True -*.surukle.me*, True -*.surunfildecoton.tk*, True -*.surveillancehumanrights.org*, True -*.survet.cl*, True -*.surveyinvite.us*, True -*.surveys-101.com*, True -*.survivalact.com*, True -*.survivalducks.ga*, True -*.survivalgearsurplus.com*, True -*.survivaloverdose.net*, True -*.suryabakery.in*, True -*.suryadeep.com.np*, True -*.suryadi.id.au*, True -*.suryadinlaoddang.com*, True -*.suryahadi22.com*, True -*.suryahidromatik.com*, True -*.suryamentariindah.co.id*, True -*.suryandranusa.com*, True -*.suryanusantarasafety.co.id*, True -*.suryapatriacrane.com*, True -*.suryapersada.com*, True -*.suryaputratenda.com*, True -*.suryasamudraabadi.com*, True -*.suryatenda.net*, True -*.suryavanshi.in*, True -*.suryavie.com*, True -*.susanabarnet.com*, True -*.susanabilbao.com.ar*, True -*.susanagourmet.cl*, True -*.susanasalon1.tk*, True -*.susanaserrano.net*, True -*.susanbaerg.com*, True -*.susangilmore.com*, True -*.susangraham.net*, True -*.susanita.com.ar*, True -*.susanolivermusic.com*, True -*.susanrichards.org*, True -*.susantodjoko.net*, True -*.susca.tk*, True -*.susetyo.web.id*, True -*.sushantg.tk*, True -*.sushicorp.com*, True -*.sushi-it.ro*, True -*.sushi-lausanne.ch*, True -*.sushilgupta.com.np*, True -*.sushilpathak.com.np*, True -*.sushmashah.com.np*, True -*.suslic.org*, True -*.suspartes.pt*, True -*.suspiration.org*, True -*.sussex-escorts.net*, True -*.sussexfarmsupplies.ca*, True -*.sussidio.com*, True -*.sussidio.com.au*, True -*.sussidio.info*, True -*.sustainabilityadvisory.net*, True -*.sustainabilityengineering.com.au*, True -*.sustainable-arch.net*, True -*.sustainablefibermanagement.com*, True -*.sustainablelifeinc.ca*, True -*.sustainable-russia.org*, True -*.sustenancencovering.com*, True -*.sustentarconsultoria.com.br*, True -*.susuguesthouse.com*, True -*.susycollections.com.my*, True -*.sutech.sk*, True -*.sutherlandchristianfellowship.org.au*, True -*.suti.com.ar*, True -*.suto.ro*, True -*.sutr.org*, True -*.suttihuasi.com.ar*, True -*.suttonbm.net*, True -*.suttonhathorn.com*, True -*.suulaav.com.np*, True -*.suunto-taiwan.com*, True -*.suutarinvehkeet.fi*, True -*.suvashthapaliya.com.np*, True -*.suvasinishrestha.com.np*, True -*.suvorova.pp.ru*, True -*.suvorov.pp.ru*, True -*.suvu.com*, True -*.suwapha-massage.ch*, True -*.sux-inc.net*, True -*.suyanto.cf*, True -*.suzakavff.jp*, True -*.suzannehuffman.com*, True -*.suzannepeebles.com*, True -*.suzannesorganicssalon.com*, True -*.suzannezorich.com*, True -*.suzavarga.eu*, True -*.suzdaly.ru*, True -*.suzukijatim.net*, True -*.suzukipartsaustralia.com*, True -*.suzukipartsaustralia.com.au*, True -*.sv12.tk*, True -*.svabi.ch*, True -*.svadba-mir.ru*, True -*.svall.com*, True -*.svansen.se*, True -*.svart.fi*, True -*.svart.nu*, True -*.svartpeppar.org*, True -*.svatos.co.uk*, True -*.svc777.com*, True -*.svdpmonroe.org*, True -*.sve-di.ru*, True -*.svedklint.se*, True -*.sveetly.com*, True -*.sveigur.net*, True -*.svekla-design.ru*, True -*.svengalipress.com.au*, True -*.svenhorsheim.com*, True -*.svenskasnacks.se*, True -*.svensons.us*, True -*.sven.to*, True -*.sventus.com*, True -*.sverigesannonsorer.se*, True -*.sver.tk*, True -*.svetec.guru*, True -*.svetilen.com*, True -*.svetkrmiv.sk*, True -*.svetlanamokrushina.ru*, True -*.svetlotisk.cz*, True -*.svetonum.tk*, True -*.svetoprom.ru*, True -*.svetovanje-as.com*, True -*.svetservis.ru*, True -*.svetvs.ru*, True -*.svhdns.tk*, True -*.svhealthclub.com*, True -*.sv-holding.com*, True -*.sv-holding.com.ru*, True -*.sviluppo-svizzera.ch*, True -*.svip-bonsa.com*, True -*.svipr.com*, True -*.svipr.nl*, True -*.sv-italia.it*, True -*.svjenny.com*, True -*.svjenny.us*, True -*.svlastra.com.ar*, True -*.svmblocker.com*, True -*.svms-ltd.co.uk*, True -*.svmzulia.com.ve*, True -*.svninfinity.com*, True -*.svoygroup.com*, True -*.svp-home.org*, True -*.svrmetal.ro*, True -*.svrzyt.com*, True -*.svscientific.in*, True -*.svtransylvania.com*, True -*.svws.org*, True -*.svx.ro*, True -*.svxr.org*, True -*.svzuiderkwartier.nl*, True -*.swaecoregion.org*, True -*.swag-lord.tk*, True -*.swagpeople.ru*, True -*.swagswagsw46.me*, True -*.swagtaco.tk*, True -*.swampymunchk1n.co.uk*, True -*.swanhold.com.au*, True -*.swankysynology.co.uk*, True -*.swansoncastlepinesland.com*, True -*.swan.tk*, True -*.swap.pl*, True -*.swappy.in*, True -*.swapstick.co.uk*, True -*.swapstickdev.com*, True -*.swarajgroup.asia*, True -*.swarchy.com*, True -*.swarmscape.com*, True -*.swarmscape.net*, True -*.swartztech.com*, True -*.swashbucklerdesign.ca*, True -*.swash.cl*, True -*.swatlanta.com*, True -*.swatted.ga*, True -*.swattkd.com*, True -*.swattkd.co.uk*, True -*.s-w-a-t.us*, True -*.swavely.com*, True -*.swavely.net*, True -*.swbaires.com.ar*, True -*.swccstudent.org*, True -*.swds.com.au*, True -*.sweat-equity.fi*, True -*.sweatequity.fi*, True -*.sweater-makers.com*, True -*.sweatshopp.us*, True -*.sweatyballs.club*, True -*.swecan.net*, True -*.sweconsol.se*, True -*.swedishchef.org*, True -*.swedish-esports.se*, True -*.sweengineering.com.my*, True -*.sweeny.us*, True -*.sweetadriblog.info*, True -*.sweetandcupcakes.com.ar*, True -*.sweetbangla.com*, True -*.sweetbonbon.com*, True -*.sweetboutique.hk*, True -*.sweetboxgifts.co.uk*, True -*.sweetbytes.net*, True -*.sweet-cara.ml*, True -*.sweetcara.ml*, True -*.sweetcomputing.com*, True -*.sweet-heaven.com*, True -*.sweet-lady.us*, True -*.sweetliquid.com*, True -*.sweetmommasbakeshop.com*, True -*.sweetnanny.com.ve*, True -*.sweetnhot.com.au*, True -*.sweet-os.uk*, True -*.sweetpeacakeshop.com*, True -*.sweetpee.com.au*, True -*.sweet-petites.net*, True -*.sweetplans.com.ar*, True -*.sweetriders.com*, True -*.sweetscanphoto.net*, True -*.sweet-spatula.com*, True -*.sweetspelling.com*, True -*.sweettits.net*, True -*.sweetylemons.com*, True -*.swell.cl*, True -*.swe.net*, True -*.swenet.se*, True -*.swentechthailand.com*, True -*.swerffoos.com*, True -*.swetol.ru*, True -*.sweval.com*, True -*.swfin.net*, True -*.swflmail.com*, True -*.swganh.com*, True -*.swganh.org*, True -*.swhill.co.uk*, True -*.swhousehk.com*, True -*.swhwconsultores.com.ar*, True -*.swhydro.com*, True -*.swicalment.ch*, True -*.swiderski.ca*, True -*.swiebel.com*, True -*.swift-bit.com*, True -*.swiftbl.org*, True -*.swift.cl*, True -*.swifthand.net*, True -*.swiftnetworks.biz*, True -*.swiftpcservices.co.uk*, True -*.swiftperf.com*, True -*.swiftutils.com*, True -*.swigro.com*, True -*.swiila.net*, True -*.swimming.md*, True -*.swimmingpoolrepairri.com*, True -*.swimwithoutwalls.com*, True -*.swinco.cl*, True -*.swingbop.ch*, True -*.swingcity.com.ar*, True -*.swingewood.co.za*, True -*.swinginvent.com.au*, True -*.swinglaif.ru*, True -*.swingnites.com*, True -*.swing.ro*, True -*.swing-zona.ru*, True -*.swinny.me*, True -*.swipe.si*, True -*.swisha.ch*, True -*.swiss32.com*, True -*.swissarmychainsaw.net*, True -*.swissbushindian.ch*, True -*.swisscall.eu*, True -*.swisscandledesign.ch*, True -*.swiss-carrelage.ch*, True -*.swisscode.ch*, True -*.swissconnect.net*, True -*.swissdatacenters.ch*, True -*.swisskomm.ch*, True -*.swissnavy.info*, True -*.swissorthodontics.ch*, True -*.swissphotonics.ch*, True -*.swisssouvenircoins.com*, True -*.swisstaxpayersassociation.ch*, True -*.swisstreu.ch*, True -*.switchestudio.com*, True -*.switch.pt*, True -*.switchshop.ro*, True -*.switchsports.de*, True -*.switchsports.eu*, True -*.switchsports.ro*, True -*.swjhr.tk*, True -*.swjmortgage.com*, True -*.swmab.com*, True -*.swmbudokan.com*, True -*.swmncs.com*, True -*.swmodule.com*, True -*.swng.net*, True -*.swokar.org*, True -*.swooboo.com*, True -*.swooka.com*, True -*.swordgirls.web.id*, True -*.sworupshrestha.com.np*, True -*.swos.cf*, True -*.swos.ga*, True -*.swos.ml*, True -*.swphoa.com*, True -*.swp.my*, True -*.swreality.com*, True -*.swret.com*, True -*.swsc.org.np*, True -*.swtc.ch*, True -*.sw-totf.com*, True -*.swtping.org*, True -*.swyip.com*, True -*.sx2.name*, True -*.sxf.im*, True -*.sxn.us*, True -*.sxoc.ee*, True -*.sxrskscn.com*, True -*.sxs2.com*, True -*.sx-win.net*, True -*.sxx37.com*, True -*.sxx57.com*, True -*.sxx59.com*, True -*.syac.ca*, True -*.syac.com*, True -*.syaeruk157.cf*, True -*.syafa-electric.com*, True -*.syafaflexibleconduit.com*, True -*.sya-free.com*, True -*.syahrifcaem.tk*, True -*.syamsul404.com*, True -*.syamsulhady.com*, True -*.syaqah.com*, True -*.syariah.or.id*, True -*.syarifl.web.id*, True -*.syauqykamalfuady.com*, True -*.sybasin.net*, True -*.sybrandus.co.za*, True -*.sybux.com*, True -*.sycah.org*, True -*.sychev.com*, True -*.syclonefreaks.asia*, True -*.syclonefreaks.club*, True -*.syclonefreaks.com*, True -*.sycohex.com*, True -*.sydbusinessclub.com.au*, True -*.sydneyballpithire.com.au*, True -*.sydneybushregeneration.com.au*, True -*.sydneychristians.org*, True -*.sydneycitycomputers.com.au*, True -*.sydneycosmeticmedicine.com.au*, True -*.sydneyfurniturestore.com.au*, True -*.sydneyheads.com*, True -*.sydneyihl.org.au*, True -*.sydneyinline.com*, True -*.sydneyinlinehockey.com*, True -*.sydneykin.org.au*, True -*.sydneymotoryachtcharters.com.au*, True -*.sydney-neurosurgeon.com.au*, True -*.sydneyweber.com*, True -*.sydooh.tk*, True -*.syeen.cl*, True -*.syglisis.gr*, True -*.sygnosoft.com*, True -*.sygpconsultores.com.mx*, True -*.syinura.co.uk*, True -*.syjon.net*, True -*.sykepleieforskning.no*, True -*.syllabear.tk*, True -*.syltburken.tk*, True -*.sylvancorp.in*, True -*.sylvansolar.com*, True -*.sylveon.ca*, True -*.sylvergreen.my*, True -*.sylviahomes.org*, True -*.sylvianaku.tk*, True -*.symbiance.ro*, True -*.symbicore.com*, True -*.symbiosecentrecontactclient.com*, True -*.symbitz.com*, True -*.symcs.com*, True -*.symen.ir*, True -*.symessolutions.com*, True -*.symessolutions.com.au*, True -*.symetrics.com.ar*, True -*.symmetry-viewer.com*, True -*.symocupacional.com.ve*, True -*.sympashelties.com*, True -*.symphonic-music.com*, True -*.symphony.io*, True -*.sympoc.com*, True -*.symptoms-of-high-blood-pressure.com*, True -*.symrise.ch*, True -*.syn-ack.be*, True -*.synapseit.com.ar*, True -*.synapsenx.com*, True -*.synaptic.cc*, True -*.synapticsec.net*, True -*.synap.tk*, True -*.synboz.com*, True -*.sync2cloud.co.za*, True -*.sync-cloud.com*, True -*.syncl.co.uk*, True -*.syncleft.org*, True -*.syncl.uk*, True -*.syncproperties.com.ar*, True -*.syncrify.co.za*, True -*.syncro-net.com.ar*, True -*.syncroot.net*, True -*.syndic.al*, True -*.syndicatehosting.co*, True -*.synemav.com*, True -*.synergetix.ca*, True -*.synergex.com.ar*, True -*.synergisticalignment.com.au*, True -*.synergis.tk*, True -*.synergize.info*, True -*.synergo.gr*, True -*.synergy-force.com*, True -*.synergygaming.com*, True -*.synergyimagery.com*, True -*.synergyindia.org*, True -*.synetcom.co.id*, True -*.synet.net*, True -*.synflood.ch*, True -*.syngress.co.uk*, True -*.synixtech.co.uk*, True -*.synkro.com.ar*, True -*.synkro.net*, True -*.syn.la*, True -*.synner.org*, True -*.synolab.info*, True -*.synoserver.com*, True -*.synostrij.nl*, True -*.synotom.com*, True -*.synrg.co.za*, True -*.synrg.nom.za*, True -*.syntagmaarisen.org*, True -*.syntagmax.com*, True -*.syntegraindonesia.com*, True -*.syntereo.com*, True -*.synthesis-solutions.kz*, True -*.syntheticdream.org*, True -*.syntheticlogic.net*, True -*.syntheticzero.com*, True -*.synthte.ch*, True -*.synthtra.cc*, True -*.syolk.com*, True -*.sypabogados.cl*, True -*.syphe.net*, True -*.sypult.com*, True -*.sypult.info*, True -*.sypult.name*, True -*.sypult.net*, True -*.syrberus.com*, True -*.syrianembassy.ro*, True -*.syrnix.tk*, True -*.sys49152.net*, True -*.sys6.de*, True -*.sysabris.com*, True -*.sysadminday.com.ru*, True -*.sysadminhaiku.com.ar*, True -*.sys-arquitectura.cl*, True -*.sysback.net*, True -*.sysbmy.com*, True -*.syscoinformatique.com*, True -*.syscomservice.in*, True -*.sysconsultores.cl*, True -*.sysctrl.com*, True -*.sysctrl.org*, True -*.sysdatanet.ro*, True -*.syserror.tk*, True -*.sysher.com.ar*, True -*.sysinfo.pro*, True -*.sysinnovations.ru*, True -*.syslab.se*, True -*.sysmagic.net*, True -*.sysmanager.ro*, True -*.sys-master.ru*, True -*.sysmax.com.ar*, True -*.sysmel-consulting.com.ar*, True -*.sysmen.cl*, True -*.sysmonkey.com*, True -*.sysmotive.net*, True -*.sysnet-inc.net*, True -*.sys.one.pl*, True -*.sysopstech.com*, True -*.syspytania.pl*, True -*.sysr.co.uk*, True -*.sysrq.tk*, True -*.sysspire.ro*, True -*.system32.ga*, True -*.systematictech.net*, True -*.systembyte.com.ar*, True -*.systemcenter.gr*, True -*.systemcenterlab.se*, True -*.systemcontrolcenter.org*, True -*.systemer.org*, True -*.systemgenie.com*, True -*.systemlord.ch*, True -*.system-one.com*, True -*.systemr3.com*, True -*.systemreboot.net*, True -*.systemrequirements.net*, True -*.systemsadvisers.hk*, True -*.systemsafe.com.au*, True -*.systemshq.net*, True -*.systems.lt*, True -*.systems-network.be*, True -*.systems-programmer.co.uk*, True -*.systems-programmer.pro*, True -*.systemstart.kz*, True -*.systemstc.com*, True -*.systemvan.cl*, True -*.systemworksit.com*, True -*.systemx.sg*, True -*.systinus.com*, True -*.systrace.com.ar*, True -*.systrarna.com*, True -*.systuki.fi*, True -*.sysvitals.com*, True -*.sytco.com.ar*, True -*.syte4.com*, True -*.syteks.com*, True -*.syte.tv*, True -*.sytix.com*, True -*.sytxq.com*, True -*.syukri.com*, True -*.syxyz.net*, True -*.syyingsu.com*, True -*.syyxft.com*, True -*.szad.pl*, True -*.szahntechnik.ch*, True -*.szallasportal.ro*, True -*.szaminfo.hu*, True -*.szamitogepesz.com*, True -*.szamitogepesz.hu*, True -*.szaniawski.co.uk*, True -*.szczech.com.ar*, True -*.szczechconstructora.com.ar*, True -*.szekelychili.ro*, True -*.szekelypajzs.ro*, True -*.szekelysziget.ro*, True -*.szer.ch*, True -*.szerverpark.hu*, True -*.szeszi.ro*, True -*.szexcentral.hu*, True -*.szfagro.com*, True -*.szfanera.com*, True -*.szfproductions.com*, True -*.szikes.hu*, True -*.szilagybagos.ro*, True -*.szilva.ro*, True -*.szinesfb.com*, True -*.szj1991.ro*, True -*.szk-obihiro.com*, True -*.szmaterlok.info*, True -*.szmoore.net*, True -*.szociopodcast.info*, True -*.szsinatech.com*, True -*.szs.io*, True -*.szteixo.com*, True -*.szukielojc.com*, True -*.szybka-szama.pl*, True -*.szybszastrona.pl*, True -*.szyfz.com*, True -*.szymanowicz.pl*, True -*.szzed.hu*, True -*.t05.sg*, True -*.t0m0.de*, True -*.t0w.org*, True -*.t120.info*, True -*.t1.my*, True -*.t229.org*, True -*.t25outlet.com*, True -*.t26.us*, True -*.t28.net*, True -*.t2h.ru*, True -*.t2h.su*, True -*.t31.org*, True -*.t3gamers.com*, True -*.t3hk1d.com*, True -*.t3jada.com*, True -*.t413.com*, True -*.t42.com.ar*, True -*.t42.com.au*, True -*.t4b.me*, True -*.t4uk.tk*, True -*.t5u3.com*, True -*.t67.eu*, True -*.t6p.us*, True -*.t98e.com*, True -*.taalla.org*, True -*.taappraisals.com*, True -*.tab73.com*, True -*.tab85.com*, True -*.tabacariamineira.com.br*, True -*.tabacosmarasca.com.br*, True -*.tabacoyron.cl*, True -*.tabac.ro*, True -*.tabaninsaat.com.tr*, True -*.tabbuffu.eu*, True -*.tabernacledekolwezi.org*, True -*.tabernadogaiteiro.com*, True -*.tabhu.tk*, True -*.tabieta.net*, True -*.tabirca.ro*, True -*.table13.org*, True -*.table-bay.co.za*, True -*.tablebaygsd.co.za*, True -*.tableflattrekking.co.nz*, True -*.tabletnerds.com*, True -*.tablet-share.nl*, True -*.tabletshare.nl*, True -*.tabletvn.net*, True -*.tablewarehk.com*, True -*.taboobacon.com*, True -*.taboryes.com*, True -*.tabrado.pl*, True -*.tabshier.com*, True -*.tabtoon.co.kr*, True -*.tabule.com.ar*, True -*.tabuledeli.com.ar*, True -*.tabungansurga.or.id*, True -*.tabungpemadamapimurah.com*, True -*.tacconiskiteam.it*, True -*.tacconisport.com*, True -*.tacdev.de*, True -*.tacdev.eu*, True -*.tachyean.net*, True -*.tachyondevelopment.com*, True -*.taciki.ru*, True -*.tackairco.tk*, True -*.tackingintothewind.com*, True -*.tackletraffic.com*, True -*.tacknet.net*, True -*.tacobarasia.com*, True -*.tacobarchina.com*, True -*.taco-land.net*, True -*.tacomayouthsymphony.com*, True -*.tacowolf.com*, True -*.tacsops.com*, True -*.tacspec.net*, True -*.tactedo1youth.tk*, True -*.tacticaencomunicacion.com*, True -*.tacticalgearsurplus.com*, True -*.tacticalsoccer.org*, True -*.tactical-specialist.com*, True -*.tacticalspecialist.net*, True -*.tactiq.net*, True -*.tactraders.com*, True -*.tactraders.com.au*, True -*.tada-entertainment.com*, True -*.tadahot.com*, True -*.tadaload.com*, True -*.tadaplay.com*, True -*.tadaplayer.com*, True -*.tadasgirevicius.tk*, True -*.tadas.tk*, True -*.tad.com.ve*, True -*.taddei.im*, True -*.tadejszkola.com*, True -*.tadeu.org*, True -*.tadolfswitler.com*, True -*.taekwondo-eat.com.ar*, True -*.taekwon-do.md*, True -*.taeman.com*, True -*.taenapottery.co.uk*, True -*.taenfu.com*, True -*.taenil.com*, True -*.taespecialties.com*, True -*.tafca.co.uk*, True -*.taf.org.nz*, True -*.tagalong.ca*, True -*.tagan-rog.info*, True -*.tagcloud.ro*, True -*.tagdesigndev.com*, True -*.taggarts.com.au*, True -*.taglid.ir*, True -*.tag.mx*, True -*.tagomago.net*, True -*.tagprice.com*, True -*.tagsly.com*, True -*.tagtoug.com*, True -*.tagtstrom.eu*, True -*.tagtstrom.org*, True -*.tag-zone.com*, True -*.tahamail.com*, True -*.tahanan201.com*, True -*.tahisoft.tk*, True -*.tahmatassu.org*, True -*.tahuri.com.ar*, True -*.tahurikiller.com.ar*, True -*.tahviehpars.com*, True -*.taianh.net*, True -*.taiatreros.com*, True -*.tai-chi.ee*, True -*.taichiundqigong.ch*, True -*.taichuan-food.com*, True -*.taichunggolfsociety.org*, True -*.taicom.ru*, True -*.taicorp.cl*, True -*.taigadao.ru*, True -*.taigamepikachumienphi.biz*, True -*.taiga-project.ru*, True -*.taihinh.net*, True -*.taiing.net*, True -*.taiken.ro*, True -*.taikus.co*, True -*.taildragger.org*, True -*.taileong.my*, True -*.tailieutonghop.com*, True -*.tailmht.com*, True -*.tailoi.net*, True -*.tails55.tk*, True -*.tailue.org*, True -*.taincotel.com.ve*, True -*.tainhanh.ml*, True -*.taioneway.com*, True -*.taipei1981.com*, True -*.taipeitext.com*, True -*.taiphim.ml*, True -*.tairun-int.com*, True -*.taishanlive.com*, True -*.taisoshita.com.br*, True -*.tait.com.ar*, True -*.taiteam.net*, True -*.tait.info*, True -*.taivas.biz*, True -*.taivideo.org*, True -*.taiwan911.com*, True -*.taiwanbravo.tw*, True -*.taiwancake.com*, True -*.taiwaner.net*, True -*.taiwan-lavie.com*, True -*.taiwanpersotex.com*, True -*.taiwanpos.com*, True -*.taiwanpt.net*, True -*.taiwanrunners.com*, True -*.taiwansemicon.com*, True -*.taiwansemicon.org*, True -*.taiwans.tw*, True -*.taiwantimes.org*, True -*.taiwan-yi-ching.com*, True -*.taizingmp3.mobi*, True -*.taja-wedding.com*, True -*.tajawedding.com*, True -*.tajgirls.com*, True -*.tajvar.io*, True -*.tajvar.me*, True -*.t-akabane.net*, True -*.takamachi.com*, True -*.takashi.hk*, True -*.taka-taka-taka.com*, True -*.takaya.ru*, True -*.takeadayoff.com*, True -*.takealemon.com*, True -*.takeboot.com*, True -*.takegawa.tw*, True -*.takemehome.asia*, True -*.takemehome.com.au*, True -*.takemusukai.asn.au*, True -*.takeoffviajes.com.ar*, True -*.takepart.com.ar*, True -*.takeshi.cnt.br*, True -*.taketenbox.com*, True -*.takh.ee*, True -*.takie.pl*, True -*.takingpictures.ch*, True -*.takito.tk*, True -*.takiypiscinas.com.br*, True -*.takkuyacana.com.ar*, True -*.takony.hu*, True -*.takosuke-rp.net*, True -*.takpuaslagi.com*, True -*.taksidermijasdarbnica.lv*, True -*.taksiilmajoki.fi*, True -*.taktakan.com*, True -*.taktau.me.uk*, True -*.taktik.cl*, True -*.taktik.web.id*, True -*.takvaj.ir*, True -*.talaash.tk*, True -*.taladriz.cl*, True -*.talakti.ga*, True -*.talanjebin.ir*, True -*.talbertonline.net*, True -*.talbotech.com*, True -*.talebear.com*, True -*.talebear.net*, True -*.talentkeymedia.com*, True -*.talentocercano.cl*, True -*.talentoeducacao.com.br*, True -*.talentosconsultoria.com.br*, True -*.talesfromtherails.co.uk*, True -*.talesmud.com*, True -*.talesoftech.com*, True -*.talhaasmal.nom.za*, True -*.taliat.com*, True -*.talikipasku.com*, True -*.talinacphotography.com*, True -*.talismanteas.com*, True -*.talitaandrade.com.br*, True -*.taliwongso.com*, True -*.talja.fi*, True -*.talkapk.com*, True -*.talkbacktv.net*, True -*.talkgold.ru*, True -*.talktoworlds.com*, True -*.tallahasseetech.com*, True -*.tallboyfishingcharters.com*, True -*.taller-9.com.ar*, True -*.taller.cl*, True -*.tallerdeestampa.com.ar*, True -*.tallerdeloeste.com.ar*, True -*.tallerescjaen.es*, True -*.talleresnahuel.com.ar*, True -*.talleresvuelve.com.ar*, True -*.tallerideas.com*, True -*.tallerimagina.com*, True -*.tallerpandora.com.ar*, True -*.tallinnatutuksi.fi*, True -*.tallinnavoruselts.ee*, True -*.tallisfabulous.com*, True -*.tallison.com*, True -*.talltreefreelance.com*, True -*.talonit.com.au*, True -*.talonit.net.au*, True -*.talouskuntoon.tk*, True -*.talpalar.com.ar*, True -*.talpinca.com.ve*, True -*.talsma.ca*, True -*.taltonwalker.com*, True -*.talulahriley.com*, True -*.talulahriley.co.uk*, True -*.talyelc.ir*, True -*.talytalk.com*, True -*.tamago.moe*, True -*.tamanneupane.com.np*, True -*.tamaracosta.com*, True -*.tamaracosta.com.br*, True -*.tamaraodon.com.ar*, True -*.tamari.cl*, True -*.tamarindo.net*, True -*.tamatha.co.uk*, True -*.tambakberas.or.id*, True -*.tam-bal.hu*, True -*.tambiendormimos.com.ar*, True -*.tambordeorixa.cf*, True -*.tambordeorixa.ga*, True -*.tambordeorixa.ml*, True -*.tambordeorixas.cf*, True -*.tambordeorixas.ga*, True -*.tambordeorixas.ml*, True -*.tambordeorixas.tk*, True -*.tambordeorixa.tk*, True -*.tamburo.com.ar*, True -*.tamburugy.com.br*, True -*.tamcer.net*, True -*.tamcoincentives.com*, True -*.tamda.eu*, True -*.tamdaexpress.cz*, True -*.tamdaexpress.eu*, True -*.tamdafoods.com*, True -*.tamegao.com*, True -*.tamejs.com*, True -*.tamejs.org*, True -*.tamersoft.net*, True -*.tamerucar.net*, True -*.tamga.ch*, True -*.tamgu.com.ar*, True -*.tamgusoftware.com.ar*, True -*.tamhoahp.cf*, True -*.tamhonanuong.com*, True -*.tamina-allegra.de*, True -*.tammiste.com*, True -*.tamm-tamm.de*, True -*.tampa-bay-photography.com*, True -*.tampa-bay-photography.net*, True -*.tampa-bay-photography.org*, True -*.tampan.ml*, True -*.tampapowersport.com*, True -*.tams.tk*, True -*.tamvakis.net*, True -*.tamvan-corp.com*, True -*.tamvan.eu*, True -*.tanad.ro*, True -*.tanagonzalez.com.ar*, True -*.tanah-aina.com*, True -*.tanakahomejp.com*, True -*.tanalorn.net*, True -*.tanaman-mudo.cf*, True -*.tanasan.info*, True -*.tanata.ir*, True -*.tanat-ramblers.co.uk*, True -*.tanbachtung.tk*, True -*.tanchoo.com*, True -*.tancon.tk*, True -*.tandemedia.com*, True -*.tandtfamily.org*, True -*.tandt.xyz*, True -*.tandu-center.co.il*, True -*.tandycoco.com*, True -*.tanenbaumchat.org*, True -*.tanesine.com*, True -*.tanewolf.com*, True -*.tangbutian.tk*, True -*.tangcomputer.com*, True -*.tangental.net*, True -*.tangents.us*, True -*.tangentworksonline.com*, True -*.tangibles.ro*, True -*.tangjiamei.cn*, True -*.tangledreality.com*, True -*.tangledrealitystudio.com*, True -*.tangledrealitystudios.com*, True -*.tangledupinblonde.com*, True -*.tanglegend.com*, True -*.tangocalmontreal.ca*, True -*.tangocomoarte.com*, True -*.tangodataservices.com*, True -*.tangoindumentaria.com.ar*, True -*.tangomaraton.cl*, True -*.tangosalon.cl*, True -*.tangosierratech.com*, True -*.taniathomasphotography.com*, True -*.taniatricot.com.br*, True -*.taniecdawny.pl*, True -*.tanie-chlanie.pl*, True -*.taniechlanie.pl*, True -*.tanihardjo.web.id*, True -*.tanindolestari.com*, True -*.tanjaigor.com*, True -*.tankanytt.tk*, True -*.tank-mates.com*, True -*.tank-mates.co.uk*, True -*.tanks-adelaide.com.au*, True -*.tank-stats.com*, True -*.tanksteu-bern.ch*, True -*.tankun.tk*, True -*.tannerfranklin.com*, True -*.tannerli.ch*, True -*.tannerlis.ch*, True -*.tannex.com.ar*, True -*.tannex.net*, True -*.tanny.ru*, True -*.tanobun.com*, True -*.tanpopo.hk*, True -*.tanradio.my*, True -*.tansa.ga*, True -*.tanstagi.net*, True -*.tansucandan.com*, True -*.tantegirang.web.id*, True -*.tantgreddelin.se*, True -*.tanthraom.ch*, True -*.tantrangnha.com*, True -*.tantrathroughfood.com*, True -*.tantrictouch.com.au*, True -*.tantrum.org*, True -*.tantrym.com*, True -*.tanuland.com*, True -*.tanveerahmed.us*, True -*.tanzaro.cl*, True -*.tanzen-mit-lia.de*, True -*.tanzfee.ch*, True -*.taobonfu.com*, True -*.taocore.net*, True -*.taogou.gq*, True -*.taogram.com*, True -*.taohuayuan.net*, True -*.taoism-dingshun.com*, True -*.taoism-dingshun.hk*, True -*.taoism-dingshun.org*, True -*.taoism-dingshunseenkoon.org*, True -*.tao-software.co.uk*, True -*.taosurvival.org*, True -*.taoswinterwinefest.com*, True -*.taotrangweb.com*, True -*.tao.vg*, True -*.tapago.net*, True -*.tapaionline.com*, True -*.tap-arch.tw*, True -*.tapchikinhte.com*, True -*.tapclub.com*, True -*.tapc.tw*, True -*.tapeb.su*, True -*.tapecariamiller.com.br*, True -*.tapernouxsanitaires.ch*, True -*.tap-filter.com*, True -*.tapikita.com*, True -*.tapjp.com*, True -*.tapme.org*, True -*.tapmusic.net*, True -*.tapons.com*, True -*.tapper.fi*, True -*.tapperit.com*, True -*.tappir.com*, True -*.tapreport.net*, True -*.tap-romania.ro*, True -*.tapterminal.com*, True -*.tar49.com*, True -*.tar56.com*, True -*.tar66.com*, True -*.tar72.com*, True -*.tar77.com*, True -*.tar84.com*, True -*.tarace.org*, True -*.taracotta.com*, True -*.taracullen.co.uk*, True -*.taraglobalshop.com*, True -*.taragos.com*, True -*.tarama.jp*, True -*.taramcmullen.ca*, True -*.taramcmullen.com*, True -*.tara-mea.ro*, True -*.tarangyadav.tk*, True -*.taran.ro*, True -*.tarantoga.ch*, True -*.taras.com.ar*, True -*.tarashadarah.com*, True -*.tarasovmn.de*, True -*.taraz.ir*, True -*.tarcuri-copii.ro*, True -*.tarddance.com*, True -*.tardeaux.com*, True -*.tardigradesolutions.com*, True -*.tareecitycomputers.com.au*, True -*.targafloriosim.net*, True -*.targettour.com.br*, True -*.targeturbano.com.ar*, True -*.targovistea-turistica.ro*, True -*.tarilelumii.ro*, True -*.tarjetafashionspark.cl*, True -*.tarjeta.si*, True -*.tarjetatei.com.ar*, True -*.tarjetavitamina.com.ar*, True -*.tarka.tk*, True -*.tarko.ro*, True -*.tarnauca-asciu.com*, True -*.tarnauca.com*, True -*.tarnauca.ro*, True -*.tarotbak.com*, True -*.tarot.si*, True -*.tarpat.com*, True -*.tarrapratamatourstravel.com*, True -*.tarreolinux.cl*, True -*.tarrillobarba.com.pe*, True -*.tarryholic.ga*, True -*.tarsetti.net*, True -*.tartasdesignontinyent.es*, True -*.tartsandcrafts.ca*, True -*.tartvpn.com*, True -*.tarud-ing.cl*, True -*.tarvis.tk*, True -*.tarzanka.ru*, True -*.tasawufpsikoterapi.web.id*, True -*.tasawwuf.com*, True -*.tasbagindonesia.com*, True -*.tasci.biz*, True -*.tascsoftware.co.uk*, True -*.tashanconsulting.com*, True -*.tashipalkhiel.com*, True -*.tasiaux.be*, True -*.tasik09.tk*, True -*.tasiktech.net*, True -*.task21.com*, True -*.taskenizer.com*, True -*.taskertech.co.uk*, True -*.tasking.com.br*, True -*.task-toaster.com*, True -*.taslack.us*, True -*.tas-network.com*, True -*.tasproject.org*, True -*.taspromosiswp.com*, True -*.tasseven.com*, True -*.tassoft.com*, True -*.tassujuttu.fi*, True -*.tastebuds.com.au*, True -*.tastefestivals.org*, True -*.tasteitaly.com*, True -*.tastemango.com*, True -*.tastenjoy.org*, True -*.tastravelku.com*, True -*.tastymeal.me*, True -*.tataaja.tk*, True -*.tatabitato.com*, True -*.tatabitato.net*, True -*.tatahasa.com*, True -*.tataieskuvo.hu*, True -*.tatami.hk*, True -*.tatarstana.ru*, True -*.tatasuksesmandiri.com*, True -*.taterbase.org*, True -*.tatesys.com*, True -*.tatianakaryakina.com*, True -*.tatibus.com.ar*, True -*.tatikalamar.com*, True -*.tatik.su*, True -*.tatofswitler.com*, True -*.tatolfswitler.com*, True -*.tatoobook.com.br*, True -*.tatou100.ca*, True -*.tatt5.com*, True -*.tat.to*, True -*.tatto.li*, True -*.tattomasaj.ro*, True -*.tattoo-art.co.za*, True -*.tattoo-oprema.si*, True -*.tattoostand.com*, True -*.tattou.gr*, True -*.tatu92.com*, True -*.tatuarte.cl*, True -*.taturevich.ru*, True -*.tatut.net*, True -*.tatyanakaneva.net*, True -*.taub.at*, True -*.taubfamily.com*, True -*.tau-css.net*, True -*.taudesign.ru*, True -*.tauditorium.com.ar*, True -*.taufanaditya.com*, True -*.taufikfadjar.info*, True -*.taufonua.to*, True -*.taulus.net*, True -*.tauns.com*, True -*.tauratrans.com*, True -*.taurineromania.ro*, True -*.taurushosting.co.za*, True -*.taurus-server.org*, True -*.tausendschoen-bl.ch*, True -*.tavaneextensibile.ro*, True -*.tavangamteb.com*, True -*.tavarescleaningservices.com*, True -*.tavernabradet.ro*, True -*.tavernacanbatlle.cat*, True -*.tavernagreceasca.ro*, True -*.tavernmurrisk.com*, True -*.tavira7.com*, True -*.tavukcivciv.com*, True -*.tawau.com*, True -*.tawaweb.com*, True -*.tawfiq.my*, True -*.tawiki.org*, True -*.tawilgroup.ro*, True -*.tawktawk.info*, True -*.taxbench.com*, True -*.taxcityatlanta.com*, True -*.taxesbyjoan.com*, True -*.taxi7788.com*, True -*.taxi-alliance-gland.ch*, True -*.taxibu.com*, True -*.taxibysms.ro*, True -*.taxicam.co.nz*, True -*.taxicity.org*, True -*.taxiconchofer.cl*, True -*.taxieasyvip.ch*, True -*.taxikochi.com*, True -*.taxileasingnyc.com*, True -*.taxiluc.ch*, True -*.taxinet.ir*, True -*.taxiofbeverlyhills.com*, True -*.taxiofculvercity.com*, True -*.taxiofhollywood.com*, True -*.taxioflosangeles.com*, True -*.taxiofsantamonica.com*, True -*.taxiofwesthollywood.com*, True -*.taxiorbe.ch*, True -*.taxipolis.gr*, True -*.taxisbahia.cl*, True -*.taxiseinajoki.fi*, True -*.taxis.gq*, True -*.taxisroig.com*, True -*.taxisroig.es*, True -*.taxisyservicios.com*, True -*.taxivega.kz*, True -*.taxlitigators.co.za*, True -*.taxmeetup.com*, True -*.taxorg.net*, True -*.taxpedia.co.il*, True -*.tax.si*, True -*.taxsyndicate.com*, True -*.tayana-institut.ch*, True -*.tayfurkara.org*, True -*.tayjay.co.za*, True -*.taylanekinci.com*, True -*.tayloreris.com*, True -*.taylorfamily.net*, True -*.taylorgibson.com*, True -*.taylorharman.cl*, True -*.taylor-hq.com*, True -*.taylorjadin.com*, True -*.taylor-logistics.com*, True -*.taylormadecookies.com*, True -*.taylormail.gq*, True -*.taylornator.com*, True -*.taylor-tech.net*, True -*.ta-yong.com*, True -*.tayo.to*, True -*.taytrangrang.biz*, True -*.tazatriste.cl*, True -*.tazl.ru*, True -*.tazmania.asia*, True -*.tazzflix.com*, True -*.tazz.in*, True -*.tb2.net*, True -*.tb6962.com*, True -*.tbacpa.net*, True -*.tbarphorsesales.com*, True -*.tbarros.com.br*, True -*.tbbconsulting.com*, True -*.tbdus.com*, True -*.tbjx.net*, True -*.tblgmr.com*, True -*.tboneforpresident.com*, True -*.tbonitz.tk*, True -*.tbphd.com*, True -*.tbphp.org*, True -*.tbrhosting.co.uk*, True -*.tbrlivepromotions.co.uk*, True -*.tbtalent.com.mx*, True -*.tbt.com.mx*, True -*.tbt.mx*, True -*.t-bugmaker.com*, True -*.tbwaopenco.co.za*, True -*.tbwa-soa.ro*, True -*.tbz1.com*, True -*.tbzclan.com*, True -*.tc4k.net*, True -*.tcan.co*, True -*.tcanco.com*, True -*.tcan.ir*, True -*.tccb.cf*, True -*.tccb-gov.cf*, True -*.tccb-gov.ga*, True -*.tccb-gov.ml*, True -*.tccb.ml*, True -*.tcc-online.net*, True -*.tcct.cf*, True -*.tcd.hk*, True -*.tcdr.com*, True -*.tcdweb.com*, True -*.tce-clan.tk*, True -*.tcelectronic.ro*, True -*.tcf.pw*, True -*.tcftg.com*, True -*.tcgone.net*, True -*.tchanphoto.com*, True -*.tchanphotography.com*, True -*.tchicourel.com.ar*, True -*.tcholo.net*, True -*.tc-hs.org*, True -*.tcielevator.com*, True -*.tcime.ga*, True -*.tcinterlaken.ch*, True -*.tclubum.org*, True -*.tcmapfelgarten.ch*, True -*.tcmtelecare.ca*, True -*.tcn263.com*, True -*.t-conventions.info*, True -*.tcoppi.net*, True -*.tcpavenue.com*, True -*.tcpvpn.cf*, True -*.tcpvpn.ga*, True -*.tcsaasalmagell.ch*, True -*.tcs.web.id*, True -*.tcwow.ml*, True -*.tcwow.tk*, True -*.td-365.com*, True -*.td3c.com*, True -*.td-555.com*, True -*.tdbgroup.com.ar*, True -*.tdcnet.tk*, True -*.tdconsulting.ca*, True -*.tdecosvet.ru*, True -*.tde.cz*, True -*.tdf3.tk*, True -*.tdfcomercios.com.ar*, True -*.tdg-bg.com*, True -*.td.gen.tr*, True -*.tdhepia.ch*, True -*.tdjnet.com*, True -*.tdjs.me*, True -*.tdjs.tk*, True -*.tdkkabel.com*, True -*.tdl-informatica.com.ar*, True -*.tdmonline.org*, True -*.tdporn.com*, True -*.tdrounds.net*, True -*.tds7.net*, True -*.td-sibgaz.ru*, True -*.tdto.ru*, True -*.tdv3d.com*, True -*.tdviktor.ru*, True -*.tdworks.com*, True -*.tdymaniki.com*, True -*.te1.ru*, True -*.teabaghero.net*, True -*.teacherlookup.info*, True -*.teachmeetwa.com.au*, True -*.teachmetofish.net*, True -*.teacup.fi*, True -*.teaei.ch*, True -*.te-afli.ro*, True -*.teags.org*, True -*.teakles.com*, True -*.teakwondo.one.pl*, True -*.tealchick.com*, True -*.teal.one.pl*, True -*.tea-lounge.com*, True -*.team142.co.za*, True -*.team3group.com*, True -*.team777.ru*, True -*.team-anubis.net*, True -*.teamau.com.au*, True -*.teamazure.jp*, True -*.team-balmer.ch*, True -*.teambelgium.net*, True -*.teambetamax.co.uk*, True -*.teamcelestialhs.com*, True -*.team-clobbersaurus.com*, True -*.teamexclusive.net*, True -*.teamfate.org*, True -*.teamformtopp.se*, True -*.teamfortress.tk*, True -*.teamfour.me*, True -*.teamgadget.com*, True -*.teamgeneric.net*, True -*.teamhonduras.us*, True -*.team-icarus.com*, True -*.teamloomer.com*, True -*.teaml.tk*, True -*.teammcneill.com*, True -*.teamnathan.info*, True -*.teamoptimization.com*, True -*.teamparker.id.au*, True -*.teampicker.com*, True -*.teampix.org*, True -*.teamprother.com*, True -*.teampunch.net*, True -*.teamradicus.com*, True -*.teamraid.com.ar*, True -*.teamrecognition.in*, True -*.teamregal.tk*, True -*.teamrsaf3a.co.za*, True -*.teamscaremask.com*, True -*.teamscaremask.net*, True -*.teamscaremask.org*, True -*.teamscarlet.com*, True -*.teamseitztraining.com*, True -*.teamslack.net*, True -*.teamsolva.com*, True -*.teamspeak.bz*, True -*.teamspeak.fm*, True -*.teamspeakgames.tk*, True -*.teamspectra.com.au*, True -*.teamsters41m.com*, True -*.teamstratos.org*, True -*.team-tfm.com*, True -*.teamtraining.co.il*, True -*.teamtranscript.com*, True -*.team-ugly.com*, True -*.teamworkcooperative.org*, True -*.teamworklistings.co.za*, True -*.teamxiii.com*, True -*.teamyotsuba.com*, True -*.teanesh.com*, True -*.teapals.com*, True -*.teaparty.cl*, True -*.teaponce.co.uk*, True -*.tear.cz*, True -*.tears.asia*, True -*.tearsofdestiny.co.uk*, True -*.tearsurvey.info*, True -*.teas.cl*, True -*.teaseboston.com*, True -*.teasenewyork.com*, True -*.teatalk.my*, True -*.teatowers.co.uk*, True -*.teatromontessori.com*, True -*.teatroxwifi.com.ar*, True -*.teazeofca.com*, True -*.tebaadsl.net*, True -*.tebenadom.com*, True -*.tebet39.com*, True -*.tebiev.ru*, True -*.tecalimentos.com.ar*, True -*.teccom-europe.co.uk*, True -*.tecdoc-online.ru*, True -*.tecdoc-shop.ro*, True -*.tecfertil.com.br*, True -*.tecforth.biz*, True -*.tecforth.com*, True -*.tecforth.info*, True -*.tecforth.net*, True -*.tecforth.org*, True -*.tecforth.us*, True -*.tech2k.ca*, True -*.tech4revolution.com*, True -*.techadmin.com.au*, True -*.techari.com*, True -*.techari.com.ar*, True -*.tech-artists.org*, True -*.techatwork.net*, True -*.techaz.net*, True -*.techbooster.com.br*, True -*.techbrewers.com*, True -*.techbrewers.co.uk*, True -*.techcity.cl*, True -*.techclob.com*, True -*.techcontraire.com*, True -*.techdevs.cl*, True -*.tech-dot.com*, True -*.techdreamz.com*, True -*.techdweebs.com*, True -*.techeep.ga*, True -*.techeep.tk*, True -*.techelpme.com*, True -*.techenergoanalit.ru*, True -*.tech-experts.ca*, True -*.techexperts.ca*, True -*.techfee.com*, True -*.techff.com.ar*, True -*.techfood.hk*, True -*.techforum.tk*, True -*.techfox.com.au*, True -*.techgasm.co*, True -*.techglob.com*, True -*.techglue.me*, True -*.techglue.us*, True -*.techglyphs.tk*, True -*.techgold.com.ar*, True -*.techgoodness.com*, True -*.techgoodness.org*, True -*.techguru.co.za*, True -*.techh.co.uk*, True -*.techiebill.com*, True -*.techiephone.com*, True -*.techiestuffsol.com*, True -*.techievarta.com*, True -*.techiewocke.com*, True -*.techimp.com.au*, True -*.techingcrew.com*, True -*.techinsoft.com.tr*, True -*.techinventory.com*, True -*.techit.ch*, True -*.techjedi.net*, True -*.techjes.com*, True -*.techknack.net*, True -*.techknowledgeez.net*, True -*.techknowregrade.com*, True -*.techkriti.org*, True -*.techlabor.ch*, True -*.tech-labs.pl*, True -*.techlodge.net*, True -*.tech-maniacs.ru*, True -*.techmatic.com.ar*, True -*.techmatics.com.ar*, True -*.techmaxasia.com*, True -*.techmax.hk*, True -*.techmedicmobile.com*, True -*.techmenow.co.uk*, True -*.techmotorsport.com.br*, True -*.techn9ne.net*, True -*.technadel.com*, True -*.technautas.com*, True -*.technelion.com*, True -*.technetcentral.net*, True -*.technetcomputer.com*, True -*.technet-direct.com*, True -*.technetenterprises.com*, True -*.technetinformatica.com.br*, True -*.technetinternetsolutions.ro*, True -*.technetlaw.com*, True -*.technetmail.com*, True -*.technetnepal.net*, True -*.tech.net.np*, True -*.tech-net.ro*, True -*.technic.al*, True -*.technicalsupportresources.com*, True -*.techniclee-minded.co.uk*, True -*.techniice.ro*, True -*.technikexpert-dd.de*, True -*.technik-kalender.gq*, True -*.techniklexikon.com*, True -*.techniplex.net*, True -*.techniqua.com*, True -*.techniqua.co.uk*, True -*.techniqueit.com*, True -*.techniqueit.com.au*, True -*.techniqueit.net*, True -*.techniqueit.net.au*, True -*.technischeuebersetzer.eu*, True -*.techniverrier.ch*, True -*.techno-america.com*, True -*.technoappgeekreview.com*, True -*.technocenose.ru*, True -*.technofix.kz*, True -*.technogeekreview.com*, True -*.technogirl.co.za*, True -*.techno-girls.com*, True -*.technogirls.co.za*, True -*.technogrouptch.ro*, True -*.technohealth.co.uk*, True -*.technohermit.com*, True -*.technohite.net*, True -*.technolo.ga*, True -*.technologic.com.my*, True -*.technologybriefingcenter.com*, True -*.technologyprevingea.com.ar*, True -*.technologywise.net*, True -*.technolovesyou.com*, True -*.tech-nomad.net*, True -*.technomass.ro*, True -*.technonadzor-sl.com*, True -*.technonook.com*, True -*.technopagans.com*, True -*.technopc.tk*, True -*.technophobia.org*, True -*.technorama.ro*, True -*.technorandum.com*, True -*.technosyspak.com*, True -*.techno-teens.com*, True -*.technoteens.co.za*, True -*.technoteens.mobi*, True -*.technoteens.net*, True -*.techno-teens.org*, True -*.technotrance.info*, True -*.technova.ro*, True -*.technowinner.cl*, True -*.technowworld.com*, True -*.tech-nuage.com*, True -*.techonicsa.co.za*, True -*.techorders.mx*, True -*.techotw.com*, True -*.techpack.cl*, True -*.techpack.com*, True -*.techpetroleum.com*, True -*.techreliefservices.com*, True -*.techsamcko.info*, True -*.techsavvyit.net*, True -*.techswagg.ch*, True -*.tech-systems.eu*, True -*.techtide.cf*, True -*.techtime.com.ar*, True -*.techtochka.com*, True -*.techtochka.ru*, True -*.tech-tok.com*, True -*.techtrage.com*, True -*.techtrans-gmbh.eu*, True -*.techtrans.si*, True -*.techtra-online.ca*, True -*.techtrends.ro*, True -*.techtronika.com*, True -*.techtronika.pt*, True -*.tech-tr.ru*, True -*.techtucson.com*, True -*.techunited.cf*, True -*.techvet.sk*, True -*.techway.net*, True -*.techworxsite.com*, True -*.techxpert.org*, True -*.techynista.com*, True -*.tecis.cl*, True -*.tecito.cl*, True -*.teckimateriais.com*, True -*.teckman.cl*, True -*.teclliure.net*, True -*.tecmoldfer.com.br*, True -*.tecmonet.info*, True -*.tecnibor.com*, True -*.tecnicaempresarial.com.ar*, True -*.tecnicouth.com*, True -*.tecnidatsrl.com.ar*, True -*.tecnimundo.com*, True -*.tecnisos.com*, True -*.tecnitechos.com.ar*, True -*.tecnj.org*, True -*.tecnoarquitectonia.net.ve*, True -*.tecnocancun.com*, True -*.tecnocent.com*, True -*.tecnocentersrl.com.ar*, True -*.tecnocia.com*, True -*.tecnociate.com*, True -*.tecnocordoba.com.ar*, True -*.tecnocosmetics.com.ar*, True -*.tecnodisk.cl*, True -*.tecnoducto.com.ar*, True -*.tecnogas.cl*, True -*.tecnogestionlp.com.ve*, True -*.tecnogi-srl.it*, True -*.tecnografic.com.ar*, True -*.tecno-ingenieria.com.ar*, True -*.tecnoinsumosweb.com.ar*, True -*.tecnologia.adm.br*, True -*.tecnologiaesaude.com*, True -*.tecnologiascad.com.ve*, True -*.tecnologiayestado.com.ar*, True -*.tecnological.com*, True -*.tecnologistica.com.ar*, True -*.tecnomania.com.mx*, True -*.tecnomediachannel.com.mx*, True -*.tecnomuda.pt*, True -*.tecnongroup.com*, True -*.tecnongroup.com.ar*, True -*.tecnonly.com*, True -*.tecnooby.com*, True -*.tecnopeamos.com*, True -*.tecnopolis.cl*, True -*.tecnoprint2090.com.ve*, True -*.tecno.se*, True -*.tecnoservicio.com.ar*, True -*.tecnoserviciosange.es*, True -*.tecnosilver.net*, True -*.tecnova.com*, True -*.tecnova.com.br*, True -*.tecnovaelectronics.com*, True -*.tecoil.com.ar*, True -*.tecom.mx*, True -*.tecon.ro*, True -*.tecpar.cl*, True -*.ted67.com*, True -*.ted87.com*, True -*.tedblogs.co.uk*, True -*.tedbuy.com*, True -*.teddick.net*, True -*.teddjohnson.org*, True -*.tedfullwood.com*, True -*.tedi-newbie.eu*, True -*.tedjo.org*, True -*.tedloomis.com*, True -*.tednille.com*, True -*.tedo5.com*, True -*.tedotdata.com*, True -*.tedsears.net*, True -*.tedsflooringnetwork.com*, True -*.tedsign.com.br*, True -*.tedswoodworkguide.tk*, True -*.tedton.hk*, True -*.tedx.ee*, True -*.tedxriocuarto.com.ar*, True -*.tedx.tk*, True -*.tedxvilamada.com.br*, True -*.tedxximen.com*, True -*.tee141.com*, True -*.tee68.com*, True -*.teebat.com*, True -*.teeeko.tk*, True -*.teelabel.com*, True -*.teeman.org*, True -*.teen9xpro.com*, True -*.teen9xpro.net*, True -*.teenage-mutant.ninja*, True -*.teenergize.com*, True -*.teen-nude.ru*, True -*.teens-ttc.com*, True -*.teenthecleanmachine.com*, True -*.teen-tracker.net*, True -*.teenxpro.net*, True -*.teestar.ca*, True -*.teesvalleycitymission.org.uk*, True -*.teetyvonmedia.pw*, True -*.tefl.ro*, True -*.tegalan.com*, True -*.teghy.info*, True -*.tegila.com.br*, True -*.tegneserier.xyz*, True -*.tegrakita.tk*, True -*.tegralens.ml*, True -*.tehari.fi*, True -*.tehdevil.com*, True -*.tehenamtiga.com*, True -*.tehlab.org*, True -*.teh-maz0r.co.uk*, True -*.tehnicanoua.ro*, True -*.tehnic-it.com*, True -*.tehnic-resita.ro*, True -*.tehnident.ro*, True -*.tehnimax.ro*, True -*.tehniprom.ru*, True -*.tehnopro.ro*, True -*.tehnorama.ro*, True -*.tehranrp.ir*, True -*.tehranurology.com*, True -*.tehseen.net*, True -*.teh-server.com*, True -*.tehserv.net*, True -*.teichenberg.at*, True -*.teigom.com.br*, True -*.teilmeier.com*, True -*.teilorauto.com*, True -*.teisho.org*, True -*.teition.com*, True -*.teitor.com.ar*, True -*.tejano.si*, True -*.tejendra.com.np*, True -*.tejidoschaupinela.com.ar*, True -*.tekadjayana.com*, True -*.tekad-makmur.co.id*, True -*.tekadsejahtera.com*, True -*.tekankom.com*, True -*.tekaskasola.si*, True -*.tekcol.com*, True -*.teke.com.ar*, True -*.tekelokey.com*, True -*.tekemista.fi*, True -*.tekmachine.com*, True -*.tekmark.co.uk*, True -*.tekmaxasia.com*, True -*.tekmono.com*, True -*.teknikkom.com*, True -*.teknikmelabur.my*, True -*.tekniksipil-unnes.ac.id*, True -*.tekniksmandiri.com*, True -*.teknobiz.co.id*, True -*.teknodet.si*, True -*.teknolet.com*, True -*.teknolub.com*, True -*.teknoseras.com.tr*, True -*.teknus.me*, True -*.tekolste.com*, True -*.tekoso.com*, True -*.tekoso.net*, True -*.tekoso.org*, True -*.tekran.ir*, True -*.tekransanat.com*, True -*.tekransanat.ir*, True -*.tekraret.com*, True -*.tekra.ro*, True -*.tekreo.tk*, True -*.teksayfa.com.tr*, True -*.teks.biz*, True -*.tekshop.ru*, True -*.teksnet.co.za*, True -*.tekstilmalzemeleri.com*, True -*.tektos-server.tk*, True -*.tektournament.com*, True -*.tekutina.cz*, True -*.tekwerks.org*, True -*.tela.ga*, True -*.telagagunawan.us*, True -*.tel-argentina.org.ar*, True -*.telatar.com*, True -*.telatar.org*, True -*.telcast.cl*, True -*.telcomfx.com*, True -*.telcomnet.hu*, True -*.telcomresearch.ca*, True -*.telcomresearch.com*, True -*.telcomresearch.net*, True -*.telcomresearch.org*, True -*.telcos.cl*, True -*.telcoserve-connect.co.uk*, True -*.telcqocommunications.net*, True -*.tele2net.ro*, True -*.tele7abc.tv*, True -*.telebabu.tk*, True -*.telebabuwebtv.tk*, True -*.telebazar.pl*, True -*.telecalm.tk*, True -*.telecentre.ro*, True -*.telecloudphone.com*, True -*.telecogresca.net*, True -*.telecogresca.org*, True -*.telecomworld.eu*, True -*.telecon.hu*, True -*.teleconomiser.com*, True -*.telecor.cl*, True -*.telecruiting.com*, True -*.teledates.co.za*, True -*.teledating.co.za*, True -*.teledeteccion.com.ar*, True -*.teledoktor.hu*, True -*.teledyski.co*, True -*.teledyski.info*, True -*.telefa.ir*, True -*.telefleuries.com*, True -*.telefoanemobilegsm.ro*, True -*.telefonabrasil.com.br*, True -*.telefoni.com.tr*, True -*.telehealth.mx*, True -*.telekam.tk*, True -*.telekkonyvezes.ro*, True -*.telekomunikasi.ga*, True -*.telekomunikasyon.web.tr*, True -*.telemach.info*, True -*.telemaco.com.br*, True -*.telemako.org*, True -*.telemarketer.ro*, True -*.telemarketers.ro*, True -*.telematch.co.za*, True -*.telem.ch*, True -*.teleme.com*, True -*.teleme.net*, True -*.teleme.org*, True -*.telemoine.com*, True -*.telemq.com*, True -*.telenetti.fi*, True -*.telenova.ca*, True -*.teleormannews.ro*, True -*.teleplantelefonia.com.br*, True -*.teleportz.com.ar*, True -*.telerikturkiye.com*, True -*.teleromm.ru*, True -*.telesat.co.za*, True -*.telescopium.us*, True -*.telesfera.info*, True -*.telesfera.net*, True -*.telesfera.su*, True -*.teleshow.org*, True -*.telesis.web.tr*, True -*.telespertotv.it*, True -*.telesportvideo.com*, True -*.teleteachers.gr*, True -*.teletv.co.za*, True -*.telewallet.net*, True -*.telexhearing.com.au*, True -*.telezin.com*, True -*.telezin.net*, True -*.telfos.com*, True -*.telheiras.info*, True -*.telheiras.net*, True -*.telheiras.org*, True -*.tel.hk*, True -*.tel-hk.com*, True -*.telip.tk*, True -*.telk0msel.tk*, True -*.telkampung.tk*, True -*.telkim.tk*, True -*.telkomapps.net*, True -*.telkomcuys.tk*, True -*.telkomsel4g.tk*, True -*.telkomsel-sia.ga*, True -*.telkomsigma.id*, True -*.telkomspeedy.org*, True -*.telkomtek.com*, True -*.tellcool.com*, True -*.tellefsen.org*, True -*.tellher.net*, True -*.tellinguterent.ee*, True -*.tellmeyour.pw*, True -*.tellurictreats.ca*, True -*.telluspoint.net*, True -*.telmexhub.com*, True -*.telmexhub.org*, True -*.telmtc.info*, True -*.telnama.com*, True -*.telnetsis.com*, True -*.telo.ml*, True -*.telprocompany.com*, True -*.telradio.com.ar*, True -*.telsukita.org*, True -*.telsz.ro*, True -*.teltech.com.ar*, True -*.teltronicvzla.com*, True -*.tel-tw.com*, True -*.telugu.ga*, True -*.telugulive.com*, True -*.telugumaster.com*, True -*.telukgong.com*, True -*.telya.me*, True -*.telyser.com.ar*, True -*.temacentral.com.br*, True -*.temadigital.co*, True -*.temanggung.net*, True -*.temanpati.com*, True -*.temanseksi.com*, True -*.tematika.ro*, True -*.temauri.nl*, True -*.temazo.cl*, True -*.tembongsondigdaya.com*, True -*.tembusupartners.com*, True -*.temcasa.com.br*, True -*.temcasas.com.br*, True -*.temes.es*, True -*.temeteron.net*, True -*.temgostodoque.com.br*, True -*.temizliktabancasi.com*, True -*.temoai.cl*, True -*.temoaisunset.cl*, True -*.temoana.cl*, True -*.temon-holic.net*, True -*.temonholic.net*, True -*.temor.co*, True -*.tempatdownloadlagu.com*, True -*.tempat-musik.tk*, True -*.tempatsampahstanless.com*, True -*.tempe1.tk*, True -*.temperaturescanner.in*, True -*.tempestdawning.com*, True -*.tempgatesolution.com*, True -*.tempimg.ga*, True -*.templarsconsultants.com*, True -*.templarsconsultants.co.uk*, True -*.templateblogger.info*, True -*.templatemagazin.ro*, True -*.template.my.id*, True -*.templatevn.net*, True -*.temple.fi*, True -*.templeofblackjesus.com*, True -*.templesbc.org*, True -*.templewinds.us*, True -*.templogabriel.com.ar*, True -*.tempmailbox.ga*, True -*.tempnote.ga*, True -*.tempnote.ml*, True -*.tempo-red.com.au*, True -*.tempored.com.au*, True -*.tempos-project.org*, True -*.tempurabuick.com*, True -*.tempux.ir*, True -*.temuapp.com*, True -*.ten4women.cl*, True -*.tenants1st.com.au*, True -*.tenarchersroad.co.uk*, True -*.tenarchersroad.info*, True -*.tenarchersroad.uk*, True -*.tenatek.com*, True -*.tendadeumbanda.cf*, True -*.tendadeumbanda.ga*, True -*.tendadeumbanda.ml*, True -*.tendadeumbanda.tk*, True -*.tendakemahmurah.com*, True -*.tendakerucutmurah.com*, True -*.tendakita.com*, True -*.tendakrucutsarnafil.com*, True -*.tendancedujour.fr*, True -*.tendapayungmurah.com*, True -*.tendapayungterpal.com*, True -*.tenda-pleton.com*, True -*.tendapromosi.net*, True -*.tenda-sarnafil.com*, True -*.tendastandpromosi.com*, True -*.tendazone.com*, True -*.tenderedge.com*, True -*.tender.hk*, True -*.tendermain.com*, True -*.tenders.hk*, True -*.tendiendoredes.com.ar*, True -*.tendik.net*, True -*.tenebro.us*, True -*.teneleven.hr*, True -*.tenerina.ml*, True -*.tenetpharma.com*, True -*.tenfive.com*, True -*.teng789.com*, True -*.tengenchart.com*, True -*.teng.io*, True -*.teniscriollo-cnsa.com.ar*, True -*.tenisenremeros.com.ar*, True -*.tenispulenta.com.ar*, True -*.tenistv.tk*, True -*.tenmagad.hu*, True -*.tenndymes.com*, True -*.tennis-sessions.com*, True -*.tenongroup.com.au*, True -*.tenpay.ga*, True -*.ten-pow.com*, True -*.tenpow.com*, True -*.tenrun.com*, True -*.tensa.be*, True -*.tens.cl*, True -*.tenshigaming.tk*, True -*.tenshi.is*, True -*.tenshin.co.za*, True -*.tenspeedsoftware.com*, True -*.tenspot.net*, True -*.tensuerte.com*, True -*.tentecastorsandwheels.com.au*, True -*.tente.com.au*, True -*.tentempie.cl*, True -*.tentewheelsandcastors.com.au*, True -*.tentmembrane.com*, True -*.tenunaslijepara.com*, True -*.tenutacanneto.com*, True -*.tenutacanneto.it*, True -*.tenutadicanneto.com*, True -*.tenutadicanneto.it*, True -*.teodoras.ro*, True -*.teodorbaciu.ro*, True -*.teodor.ch*, True -*.teodorov.ro*, True -*.teonator.net*, True -*.teotehnodesign.ro*, True -*.tep9.com*, True -*.teplikov.ru*, True -*.tepos.tk*, True -*.teppanyaki.hk*, True -*.teppichreinigung-check.de*, True -*.tequilasoft.mx*, True -*.teqworx.co.uk*, True -*.terabaap.tk*, True -*.terabitsolo.com*, True -*.teracomp.org*, True -*.teracota-arges.ro*, True -*.teradasc.com.ar*, True -*.teradashopcenter.com.ar*, True -*.teragallery.ro*, True -*.tera-game.biz*, True -*.terakloud.tk*, True -*.teramail.co.il*, True -*.teranlera.com.ar*, True -*.teranova.ca*, True -*.terapeuticobemviver.com.br*, True -*.terapeutus.com*, True -*.terapeutus.com.br*, True -*.terapeutus.pt*, True -*.terapia.com.ar*, True -*.terapia.org.ar*, True -*.terapiaprinregresie.ro*, True -*.terase.ee*, True -*.terasoporte.com*, True -*.terastio.eu*, True -*.teratoma.tk*, True -*.terbaik.biz*, True -*.terbaik.ga*, True -*.tercom.cl*, True -*.terdes.com*, True -*.teredom.ru*, True -*.tereedan.tk*, True -*.teregranados.com*, True -*.terence.tk*, True -*.teresaortegaespinosa.com*, True -*.terewcook.com.ar*, True -*.terhubung.ga*, True -*.terissawilliams.com*, True -*.terissawilliams.org*, True -*.termacranch.ca*, True -*.termalinternational.eu*, True -*.termar.at*, True -*.termascacheuta.com.ar*, True -*.termicadistributie-navodari.ro*, True -*.termicassoneg.com*, True -*.terminalbuseshospicio.cl*, True -*.terminalco.in*, True -*.terminaldirect.com*, True -*.terminalesdigitales.com.ar*, True -*.terminalhappy.com*, True -*.terminaltalca.cl*, True -*.terminalx.com*, True -*.termina.tk*, True -*.terminplan.ch*, True -*.terminus-el.ru*, True -*.termiq.ro*, True -*.termoconfort.com.ar*, True -*.termoizolareinterioara.ro*, True -*.termomagic.ro*, True -*.termo-obras.com.ar*, True -*.termosanitaria.ro*, True -*.termoserv-cet.ro*, True -*.termoswim.com*, True -*.termotecnologias.com.mx*, True -*.termstem.eu*, True -*.termstem.org*, True -*.te-rongopai-ki-manaia.com*, True -*.teroplus.si*, True -*.terpalimpor.com*, True -*.terpaltendamurah.com*, True -*.terpenator.com*, True -*.terpenator.info*, True -*.terpenator.net*, True -*.terpp.com*, True -*.terppextractors.com*, True -*.terraceattic.com.au*, True -*.terraceram.ro*, True -*.terraefuoco.ro*, True -*.terrafiorente.net*, True -*.terra-fix.com.ar*, True -*.terraform.nl*, True -*.terraforms.ca*, True -*.terraformworker.net*, True -*.terraformworks.net*, True -*.terrafruit.ru*, True -*.terragraphica.com*, True -*.terragraphica.net*, True -*.terragraphica.org*, True -*.terraingames.com*, True -*.terrainiospace.com*, True -*.terramail.co.il*, True -*.terramanagement.ro*, True -*.terramarjv.com.ar*, True -*.terra.me.uk*, True -*.terranord2005.ro*, True -*.terrapura.cl*, True -*.terratours.ro*, True -*.terrauno.com.ar*, True -*.terraviva.ch*, True -*.terra-x-shop.de*, True -*.terrazascv.cl*, True -*.terrazasdeldurazno.com.ar*, True -*.terrell.net.au*, True -*.terrelltsi.com*, True -*.terrescuites.ch*, True -*.terrestino.com*, True -*.terriheldt.com*, True -*.territorysolutions.com.au*, True -*.terrumbra.ch*, True -*.terrycox.org*, True -*.terry.id.au*, True -*.terrykrause.com*, True -*.tersecta.com*, True -*.tersuave.com.ar*, True -*.tertuliaamericana.org*, True -*.tertuliasfilosoficas.cl*, True -*.teruelactiva.org*, True -*.teruel.cl*, True -*.terziotti.com.ar*, True -*.tes36.com*, True -*.tescobigmatchandwin.com*, True -*.teslabesc.ro*, True -*.teslahosting.com*, True -*.teslait.cl*, True -*.teslan.gq*, True -*.tesla.org*, True -*.teslaqb.com*, True -*.teslaqb.net*, True -*.teslaqb.org*, True -*.tesna.net*, True -*.tesniki.ch*, True -*.tessaloni.com.ar*, True -*.tesseris.com*, True -*.testashop.tk*, True -*.testbg.tk*, True -*.testdomain.pl*, True -*.testdrive-hyundai.it*, True -*.testdrive-webapps.tk*, True -*.testeador.com.ar*, True -*.testelectronica.com*, True -*.testerplus.com*, True -*.testikone.net*, True -*.testing123.cf*, True -*.testingdemosite.com*, True -*.testinglobal.com*, True -*.testingservicesinc.com*, True -*.testingspot.com*, True -*.testje.info*, True -*.testkeeper.tk*, True -*.testmanship.com*, True -*.testmasszor.com*, True -*.testmcp.com*, True -*.testmypixel.com*, True -*.testmysnortsig.com*, True -*.testoitsinc.com*, True -*.testpacks.co.uk*, True -*.test-post-please-ignore.com*, True -*.testwiki1.tk*, True -*.tesys-spa.it*, True -*.teszthely.hu*, True -*.tesztlap.hu*, True -*.tetangga.ml*, True -*.tetrachrome.com*, True -*.tetrachrome.net*, True -*.tetrasoft.com.br*, True -*.tetrasoft.info*, True -*.tetrinetserver.be*, True -*.tetrinet.tk*, True -*.tetsuko.ca*, True -*.tetuku.com*, True -*.tetushkakim.ru*, True -*.teufeli.ch*, True -*.teuku.tk*, True -*.teulahti.net*, True -*.teutoniaclub.com.au*, True -*.teuxarts.com*, True -*.tewe.pro*, True -*.tewewew.gq*, True -*.tewi.nl*, True -*.tewm.com*, True -*.texas4sranch.com*, True -*.texasargentinechamber.com*, True -*.texasbirdimages.com*, True -*.texasbirdrecordscommittee.org*, True -*.texascrating.com*, True -*.texasfederation.com*, True -*.texashistoric.com*, True -*.texashotoilers.com*, True -*.texasirishwolfhounds.com*, True -*.texasmath.net*, True -*.texasmath.org*, True -*.texasmicrogrids.com*, True -*.texasruralhousing.com*, True -*.texassolarone.com*, True -*.texdivorce.com*, True -*.texelsemakelaar.com*, True -*.texelsemakelaar.nl*, True -*.texhk.com*, True -*.teximport.com.ar*, True -*.texinno.com*, True -*.texinno.co.uk*, True -*.texinno.uk*, True -*.texmotive.com*, True -*.texnika.ru*, True -*.texnologist.net*, True -*.texsasbd.com*, True -*.texstylesourcing.com*, True -*.textcraig.net*, True -*.textilecomposite.com.au*, True -*.textilrosario.com*, True -*.textium.ro*, True -*.textministry.co.uk*, True -*.textnz.com*, True -*.textobot.com*, True -*.textprocess.ir*, True -*.texxus.com.ar*, True -*.teyhou.com*, True -*.teymi.com.ar*, True -*.tezolin.com.br*, True -*.tf1sector.in*, True -*.tf2recipes.com*, True -*.tfacto.tk*, True -*.tfarina.tk*, True -*.tfbt.co.za*, True -*.tfe-llc.com*, True -*.tfellc.com*, True -*.tfg.cl*, True -*.tfg.com.np*, True -*.tfg.lv*, True -*.tfgroup.org*, True -*.tfgtechnology.com*, True -*.tfi-cyprus.com*, True -*.tfinancial.com.ar*, True -*.tfino.com*, True -*.tfmdp.com.ar*, True -*.tfnetwork.ca*, True -*.tfpenterprises.com*, True -*.tfsu.tw*, True -*.tfsystems.com*, True -*.tftd.co.za*, True -*.tfx.kz*, True -*.tgarneau.org*, True -*.tgaserver.com.mx*, True -*.tgcccsales.com*, True -*.tgcccsales.ga*, True -*.tgdi.tk*, True -*.tg-germany.de*, True -*.tghstudios.com*, True -*.t-gi3.com*, True -*.tgilbertgraphics.com*, True -*.tgits.net*, True -*.tg-kkoo.com*, True -*.tg-kot.com*, True -*.tgl888.gq*, True -*.tgmoment.com*, True -*.tgmoments.com*, True -*.tg-opt.com*, True -*.tgpilotrecruitment.com*, True -*.tgrant.co.uk*, True -*.tgrgifts.com*, True -*.tgro-server.tk*, True -*.tgroup.co.id*, True -*.tgtech.me*, True -*.tgu.ca*, True -*.tguhh.com*, True -*.th3wyatt.us*, True -*.thaase.info*, True -*.thackerfamily.com*, True -*.tha-dav.com*, True -*.thadeu.com.br*, True -*.thagomized.com*, True -*.thagrove.net*, True -*.thaibestspace.com*, True -*.thaibusdev.com*, True -*.thaichess.ru*, True -*.thaidomino.com*, True -*.thaidvd.net*, True -*.thaifloodmonitor.com*, True -*.thaifulfill.com*, True -*.thaigiaoamnhac.com*, True -*.thaihacker.tk*, True -*.thaihomeroof.com*, True -*.thaiinsignia.com*, True -*.thailandacademy.com*, True -*.thailandhappiness.com*, True -*.thailandhappiness.net*, True -*.thailandomania.com*, True -*.thailandspin.com*, True -*.thailandunterkunft.de*, True -*.thaileagueonline.com*, True -*.thailivescore.com*, True -*.thailivescore.net*, True -*.thai-massagetherapie.com*, True -*.thaimazda2.com*, True -*.thaimazda2.net*, True -*.thainewasia.com*, True -*.thainguyenfamily.tk*, True -*.thaiorganicrice.com*, True -*.thaioutsourcing.com*, True -*.thaisociety.org.nz*, True -*.thaitaxis.net*, True -*.thajuice.ca*, True -*.thakalionline.com*, True -*.th-alam.com.my*, True -*.thalitapulsa.com*, True -*.thalita-reload.org*, True -*.thalitareloadpulsa.com*, True -*.thallium.nl*, True -*.thanassis.org*, True -*.thanbaiks.mobi*, True -*.thanetovencleaning.co.uk*, True -*.thanghoa.mobi*, True -*.thangsyle.com*, True -*.thanks.ga*, True -*.thankyounoteexamples.net*, True -*.thanyakarn.com*, True -*.thaoluanlol.tk*, True -*.thaqafa.org*, True -*.tharkad.com*, True -*.thase.net*, True -*.thaspichty.ch*, True -*.thatgeek.ca*, True -*.thatitdude.com*, True -*.thatmakeupartist.com*, True -*.thatperfecttouch.com.au*, True -*.thatsnomoon.org*, True -*.thatsrightbook.com*, True -*.thatstuffs.tk*, True -*.thatsurveysite.com*, True -*.thatsurveysite.net*, True -*.thatthereinternet.com*, True -*.thattttserver.com*, True -*.thaun.com.ar*, True -*.thavea.com*, True -*.thaytot.com*, True -*.thazual.tk*, True -*.thbs.ch*, True -*.thcgirls.com*, True -*.thc.lv*, True -*.thcommunications.com*, True -*.thc.si*, True -*.thdir.com*, True -*.thdots.ru*, True -*.the00z.org*, True -*.the13thchapter.com*, True -*.the404agency.com*, True -*.the416.com*, True -*.the4nd.tk*, True -*.the4wdshow.com*, True -*.the6ix.com*, True -*.theabyss.tk*, True -*.theaccidentalracketeer.com*, True -*.theacmecorp.net*, True -*.theactonline.com*, True -*.theaddathlete.com*, True -*.theaddict.ro*, True -*.theadobestore.co.za*, True -*.theadventuresofalex.com*, True -*.theadventuresofsquirrelandbear.com*, True -*.theaisthorpes.com*, True -*.theajib.tk*, True -*.theaknights.net*, True -*.thealbatrosgroup.net*, True -*.thealcohall.com*, True -*.thealone.com*, True -*.thealsups.com*, True -*.thealternativemedicinecabinet.com*, True -*.theandersfamily.com*, True -*.theangryadmin.info*, True -*.the-anomaly.net*, True -*.theanstees.co.uk*, True -*.thearcforum.com*, True -*.thearchitech.com*, True -*.thearmsfamily.info*, True -*.thearndtfamily.com*, True -*.theartdate.com*, True -*.theartistanddesigner.tk*, True -*.theartwork.ro*, True -*.theatergruppe-hocker.ch*, True -*.theaterplasselb.ch*, True -*.theatlas.co*, True -*.the-atomics.com*, True -*.theatremessage.com*, True -*.theatresh.org*, True -*.theatreslink.com*, True -*.theavenuecarriagecrossing.com*, True -*.theawads.com*, True -*.theawesomeempire.com*, True -*.theawesomes.net*, True -*.thebacklotbar.com*, True -*.thebadapples.co.uk*, True -*.thebadboys.ro*, True -*.thebaitwarehouse.co.uk*, True -*.thebajataco.com*, True -*.the-balance.org*, True -*.thebaldgeek.net*, True -*.thebaldocchifamily.com*, True -*.thebargers.net*, True -*.thebaristafactory.com.au*, True -*.thebarrfamily.com.au*, True -*.the-basement.ch*, True -*.thebasementco.us*, True -*.thebasementkings.com*, True -*.thebattleroyal.com*, True -*.thebayrun.com.au*, True -*.thebci.cl*, True -*.thebeatladies.com.ar*, True -*.thebeautyofboredom.com*, True -*.the-bebop.org*, True -*.thebectons.com*, True -*.thebeershop.co.za*, True -*.thebelvederehotel.com.au*, True -*.theberrybranch.com*, True -*.thebestbeautybuys.com*, True -*.thebestfarmfest.com*, True -*.thebestflashgames.net*, True -*.thebestsolution.com.ar*, True -*.thebesttech.ca*, True -*.thebeverlyhills.hk*, True -*.thebiddingtraveler.com*, True -*.thebiddingtraveller.com*, True -*.thebiggertheycome.co.uk*, True -*.thebiggzone.co.uk*, True -*.thebigmachine.org*, True -*.thebingoexpress.com*, True -*.thebitbucket.ca*, True -*.thebitjockeys.com*, True -*.theblackandgoldzone.com*, True -*.theblackdahlia.co.uk*, True -*.the-black-hole.co.uk*, True -*.theblade.tk*, True -*.theblakescape.com.au*, True -*.theblicks.com*, True -*.theblondeseries.com.ar*, True -*.thebloomcrew.com*, True -*.theblueprintsolutions.com*, True -*.thebobs.com.br*, True -*.thebookllc.com*, True -*.thebookofg.ca*, True -*.thebourbonguys.com*, True -*.thebox4u.com*, True -*.thebrackets.net*, True -*.the-bradlands.net*, True -*.thebradleysessions.com*, True -*.thebranleur.com*, True -*.thebrewbot.com*, True -*.thebrewshed.com.au*, True -*.thebrickcentre.co.za*, True -*.thebridgesrealty.com*, True -*.thebrittainlawfirm.com*, True -*.thebrokenbubble.com*, True -*.thebrokenfew.com*, True -*.thebroom.net*, True -*.thebrowerfamily.com*, True -*.thebrownz.com*, True -*.thebuckland.com*, True -*.thebudget.com.au*, True -*.theburglar.com.ar*, True -*.thebushelboxco.com.au*, True -*.thebusinessleadersroundtable.com*, True -*.thebutterzone.com*, True -*.the-button.com*, True -*.thecabinetcompany.co.za*, True -*.thecabininthehills.com*, True -*.thecachevalleyfix.com*, True -*.thecakes.com.ar*, True -*.thecanadian.us*, True -*.thecandc.com*, True -*.the-car-company.com*, True -*.thecarrollsite.com*, True -*.thecaspers.org*, True -*.thecatwhowalksbyhimself.net*, True -*.thecauseoftheweek.com*, True -*.thecave.me.uk*, True -*.thecaveserver.com*, True -*.thecell.be*, True -*.thechains.com*, True -*.thechamberpot.com*, True -*.thechamps.co.uk*, True -*.thechantribe.com*, True -*.thechardonnayclub.com*, True -*.thechdesign.com*, True -*.thechefcoder.com*, True -*.thechefcoders.com*, True -*.thechickencam.com*, True -*.thechickenrun.com*, True -*.thechileanweb.cl*, True -*.thechillistip.com*, True -*.thechristalls.com*, True -*.thechristianworldviewnetwork.com*, True -*.thechristianworldviewnetwork.net*, True -*.thechunkyvoid.net*, True -*.thecioforum.co.za*, True -*.thecite.com*, True -*.thecitizenchannel.com*, True -*.theclaars.org*, True -*.theclaytons.nz*, True -*.thecleaneatingproject.com*, True -*.the-clearing.org*, True -*.theclemo.com*, True -*.the-clemons-family.com*, True -*.thecleric.com*, True -*.the-cliffords.com*, True -*.theclinic.org.za*, True -*.thecloudintegrator.com*, True -*.the-cloud-is-awesome.com*, True -*.thecloudsareburning.com*, True -*.thecodetavern.com*, True -*.thecoes.ca*, True -*.thecolder.net*, True -*.thecolellas.ca*, True -*.thecollectivemanifest.com*, True -*.thecollegecoffee.com*, True -*.thecolorstalker.com*, True -*.thecoloss.us*, True -*.thecomicfome.cl*, True -*.thecompguru.com*, True -*.thecomputeiros.com*, True -*.thecomputerchaotix.com*, True -*.the-conqueror.gq*, True -*.thecoppers.net*, True -*.thecoreymartin.com*, True -*.thecornercase.com*, True -*.thecorporationofthings.com*, True -*.thecorporationofthings.info*, True -*.thecorporationofthings.net*, True -*.thecorporationofthings.org*, True -*.thecottage.com.au*, True -*.the-courier.co.za*, True -*.thecrackerfactory.co.uk*, True -*.thecraftyfox.net*, True -*.thecrazylife.com*, True -*.thecreamdelacreme.com*, True -*.thecreativepixel.co.uk*, True -*.thecreekonline.net*, True -*.thecrewinc.net*, True -*.thecrittac.us*, True -*.thecritterranch.com*, True -*.thecrocketts.us*, True -*.theculturalconfederacy.com*, True -*.thecut.asia*, True -*.thecymoexperience.com*, True -*.thedaedals.com*, True -*.thedailyleaf.com*, True -*.thedailyleaf.su*, True -*.thedavid.se*, True -*.the-davies.net*, True -*.the-dawn.com*, True -*.thedaystarisbright.com*, True -*.thedazbert.co.uk*, True -*.thedbdude.com*, True -*.thedeadlywalking.com*, True -*.thedecks.net*, True -*.thedens.org*, True -*.thederbys.net*, True -*.thedesserthaven.com*, True -*.thedevelopmentshop.com*, True -*.thedevpit.com*, True -*.thedexboy.com*, True -*.thedialaview.com*, True -*.thedinnerparty.net.au*, True -*.thedisc.fr*, True -*.thedjbeat.com*, True -*.thedmfa.com*, True -*.thedockendorf.com*, True -*.thedocumentpeople.biz*, True -*.thedocumentpeople.info*, True -*.thedocumentpeople.net*, True -*.thedocumentpeople.org*, True -*.thedocumentpeople.us*, True -*.thedods.com*, True -*.thedomspace.co.uk*, True -*.the-don.net*, True -*.thedonohues.org*, True -*.thedonutshop.com*, True -*.thedotgame.com*, True -*.thedougbrownexperience.com*, True -*.thedoughtys.co.uk*, True -*.thedrakefamily.info*, True -*.thedreadfort.com*, True -*.thedreamsdictionary.com*, True -*.thedrift.co*, True -*.thedrunction.com*, True -*.thedrunkensailor.info*, True -*.thedrunkhorse.com*, True -*.thedrunkhorsepub.com*, True -*.theducksparadise.com*, True -*.theduffys.com*, True -*.thedunhamfam.com*, True -*.thedustangel.com*, True -*.thedus-t.com*, True -*.thedust-t.com*, True -*.theearwoods.com*, True -*.theecklundfamily.com*, True -*.the-ecopreneurs.net*, True -*.theecopreneurs.net*, True -*.theedgeofdecember.com*, True -*.theefizone.com*, True -*.theelderscrollsonlinepowerguide.com*, True -*.theelderthings.com*, True -*.theelectricenergy.com*, True -*.theelysianfields.ch*, True -*.theend.com.br*, True -*.the-end-of-the.net*, True -*.theendofwater.com*, True -*.theenvecocompany.com*, True -*.theepps.me*, True -*.theessenceofand.co.za*, True -*.theextremegive.com*, True -*.thefactbook.ml*, True -*.thefacts.xyz*, True -*.thefairfolk.com*, True -*.thefallenones.com.ar*, True -*.thefanghome.com*, True -*.thefanrules.com*, True -*.thefappening.gq*, True -*.thefarco.com*, True -*.thefergusonresponse.com*, True -*.thefez.net*, True -*.the-fighter.ninja*, True -*.thefinearterie.com*, True -*.thefinsters.net*, True -*.thefirstones.info*, True -*.thefirsttrain.com*, True -*.thefishwife.com*, True -*.thefizelles.com*, True -*.thefloshow.com*, True -*.thefloweremedy.com*, True -*.thefoodway.net*, True -*.thefoolwithnohill.com*, True -*.thefoolwithoutahill.com*, True -*.thefoolwithoutthehill.com*, True -*.theforceway.com*, True -*.theforensicforum.co.uk*, True -*.theforgetmenows.com*, True -*.theforgottenparks.org*, True -*.theforneys.net*, True -*.theforwardway.com*, True -*.thefourthcall.com*, True -*.thefox.co.za*, True -*.thefraudsquad.org*, True -*.thefredericksons.com*, True -*.thefreedmans.co.uk*, True -*.thefreedomconsultant.com*, True -*.thefreis.ch*, True -*.thefrickes.net*, True -*.thefruitcompany.nl*, True -*.thefua.ro*, True -*.thefucke.rs*, True -*.thefuelconsultant.com*, True -*.thefuglymovie.com*, True -*.thefullcourse.com*, True -*.thefuturedaily.com*, True -*.thefutureweekly.com*, True -*.theg3rm.com*, True -*.thegadget.ml*, True -*.the-gambler-test.com*, True -*.thegamevault.net*, True -*.thegamingfest.com*, True -*.thegarciafamily.com*, True -*.thegatelys.net*, True -*.thegawgroup.com*, True -*.thegaydoshteam.com*, True -*.thegeekfamily.fr*, True -*.thegeekfreek.com*, True -*.thegeekshop.ca*, True -*.thegeekswork.tk*, True -*.thegeekwith.in*, True -*.thegeneraldefyre.com*, True -*.thegeneralissimo.net*, True -*.thegentlemensday.com*, True -*.thegeodesicsofamusingwanderer.com*, True -*.thegeopros.com*, True -*.thegerm.us*, True -*.thegerovacs.com*, True -*.thegiafkaproject.gr*, True -*.thegiblins.com*, True -*.thegibson.net*, True -*.thegif.org*, True -*.thegingerbaron.com*, True -*.theginza.com*, True -*.thegioibalonhatrang.com*, True -*.thegioilinhphukien.vn*, True -*.thegioinet.org*, True -*.thegioiuudai.com.vn*, True -*.thegizmo.cl*, True -*.theglobaloutpost.com*, True -*.thegmc.com*, True -*.thegnarlydouche.com*, True -*.thegnetworks.cf*, True -*.thegodinz.info*, True -*.thegoldcompany.net*, True -*.thegoldsteinclan.com*, True -*.thegolfdeals.com*, True -*.thegoodmorning.net*, True -*.thegoodnows.net*, True -*.thegoodthebadandtheblues.com*, True -*.thegrandclub.net*, True -*.thegrandpreserve.com*, True -*.thegranges.com*, True -*.thegrasleys.com*, True -*.thegraver.com*, True -*.thegrayzone.biz*, True -*.thegreekmarket.com*, True -*.thegreenroomredruth.co.uk*, True -*.thegreensafecompany.com*, True -*.thegreyhoundinnbrackley.co.uk*, True -*.the-gryphon.com*, True -*.theguitarauthority.com*, True -*.theguitardepot.com*, True -*.theguitarschool.biz*, True -*.theguttersnipes.com*, True -*.thegwdub.info*, True -*.thegymnorthnowra.net.au*, True -*.thegymnowra.net.au*, True -*.thehabegers.com*, True -*.thehackerspaper.com*, True -*.thehaleyhouse.com*, True -*.thehalvnet.com*, True -*.thehandleypartnership.com*, True -*.thehansens.net*, True -*.theharrispad.com*, True -*.thehealingkingdom.com*, True -*.theheartofand.co.za*, True -*.theherd.com.au*, True -*.theherman.org*, True -*.thehermitagemotel.com.au*, True -*.thehiddenpineapple.com*, True -*.the-hi-fis.com*, True -*.thehitechhouse.com*, True -*.thehitechhouse.net*, True -*.thehitechhouse.org*, True -*.thehobbiestore.com.ar*, True -*.thehoelkers.com*, True -*.theholdens.info*, True -*.theholdens.us*, True -*.theholdsworths.org.uk*, True -*.theholidayxperts.co.uk*, True -*.thehollingums.co.uk*, True -*.thehomeserver.net*, True -*.thehonestpirate.com*, True -*.thehongkongclub.com*, True -*.thehongkongtrustcompany.com*, True -*.thehongkongtrustcompany.hk*, True -*.thehor.com*, True -*.thehorseplace.co*, True -*.thehorseplace.us*, True -*.the-hosting-company.com*, True -*.thehouseofaesthetics.com*, True -*.thehoustonhomerealtor.com*, True -*.the-hoyts.com*, True -*.thehuddlefamily.com*, True -*.thehudge.com*, True -*.thehuntclub-kennesaw.com*, True -*.thehuntgang.com*, True -*.thehustongroup.net*, True -*.theibis.co.za*, True -*.theillustratedpenguin.com*, True -*.theimaginecraft.com*, True -*.theimperialceo.com*, True -*.theinoob.com*, True -*.theintr.net*, True -*.theirfit.com*, True -*.theitalianman.com*, True -*.theivesters.com*, True -*.theives.tk*, True -*.thejack.ca*, True -*.thejacklawson.com*, True -*.thejacksonvillecriminaldefenselawyer.com*, True -*.thejacksonvillefamilylawlawyer.com*, True -*.thejacksonvillepersonalinjurylawyer.com*, True -*.thejadeyogamat.com*, True -*.thejamesdavis.net*, True -*.thejansens.name*, True -*.thejaq.net*, True -*.thejarvishouse.co.uk*, True -*.thejavaproject.com*, True -*.thejefferynews.com*, True -*.thejewelbox.co.za*, True -*.thejewellerycompany.co.za*, True -*.thejimmyc.com*, True -*.thejoester.com*, True -*.thejohndean.com*, True -*.thejoker.cl*, True -*.thejonesconashville.com*, True -*.thejoneseffect.com*, True -*.thejordaans.com*, True -*.thejordaans.net*, True -*.thejordanmob.com*, True -*.thejoysoffitness.com*, True -*.thejoysofpomeranians.co.uk*, True -*.thejwfnet.co.uk*, True -*.the-kaisers.net*, True -*.thekangs.name*, True -*.thek.cc*, True -*.thekey.hk*, True -*.thekilempire.com*, True -*.thekiller.info*, True -*.thekimeleon.com*, True -*.thekitchennegotiators.com.au*, True -*.the-kitchen-table-enterprise.com*, True -*.thekittyworks.co.uk*, True -*.thekks.net*, True -*.thekleinigs.com*, True -*.theknack.net*, True -*.theknights.id.au*, True -*.thekobys.net*, True -*.thekratzmanns.com.au*, True -*.thekusilife.com*, True -*.thelandconcept.com*, True -*.thelangsplace.com*, True -*.thelantzranch.com*, True -*.thelaptopguru.co.uk*, True -*.thelastchurfers.com.ar*, True -*.thelastdon.org*, True -*.thelastkinection.com*, True -*.thelaverys.com*, True -*.thelawnlads.co.nz*, True -*.the-lawn.org*, True -*.thelazyk.org*, True -*.theleachfamily.me.uk*, True -*.theleagueofvalor.net*, True -*.thelecks.com*, True -*.thelifestylegames.com*, True -*.thelightningcount.com*, True -*.thelillyhome.com*, True -*.thelistofrover.tk*, True -*.thelittlehousethatcould.com*, True -*.the-livingstons.ca*, True -*.thelmadejager.co.za*, True -*.thelogans.ca*, True -*.thelongestjohns.com*, True -*.the-lords-haven-online.info*, True -*.thelostheaven.com*, True -*.theloudtalker.com*, True -*.theloungeroom.fi*, True -*.thelunarempire.net*, True -*.theluong.com*, True -*.thelymans.org*, True -*.thelyonfamily.com*, True -*.themacallisters.com*, True -*.themacclub.co.za*, True -*.themacshop.co.za*, True -*.themacstore.co.za*, True -*.themadmoogle.com*, True -*.themafia.info*, True -*.themailhub.eu*, True -*.themaker.net*, True -*.themandarintranslators.com*, True -*.themandarintranslators.co.uk*, True -*.themanzos.com*, True -*.themargaits.com*, True -*.themarquis.net*, True -*.themarsh.org.uk*, True -*.themartyfordexperience.com*, True -*.the-master.asia*, True -*.the-master.biz*, True -*.themaster.cl*, True -*.thematchbox.bz*, True -*.themauhaus.com*, True -*.themaxter.com*, True -*.the-maxwells.org*, True -*.themcleans.us*, True -*.themcluster.net*, True -*.themcneils.org.uk*, True -*.themeadowshome.com*, True -*.themeatloaf.org*, True -*.themeccaofbodybuilding.com*, True -*.themeintl.ro*, True -*.thementalclinic.com*, True -*.themeparkfilming.com*, True -*.the-merrills.org*, True -*.themetabay.org*, True -*.themetrestaurant.com*, True -*.themgc.net*, True -*.themichaelresort.com*, True -*.themichaelresorts.com*, True -*.themiljans.com*, True -*.themilko.com.au*, True -*.themischief.tk*, True -*.themitschkes.com*, True -*.themodshack.co.uk*, True -*.themoens.net*, True -*.themonroefamilyonline.com*, True -*.themonumental.com*, True -*.themoosebarn.com*, True -*.themorrisproject.com*, True -*.themortgageloft.com*, True -*.the-mos.me*, True -*.themostreadable.com*, True -*.themound.co.uk*, True -*.themurogroup.cl*, True -*.the-music-box.tk*, True -*.themusicworld.com*, True -*.themysterysolvers.com*, True -*.thenaclab.com*, True -*.thenalley.com*, True -*.thenanobel.ml*, True -*.thenapalebluedot.com*, True -*.thenarrowway.us*, True -*.thenationalactionnetwork.org*, True -*.thenatureofand.co.za*, True -*.thenest.org*, True -*.thenetng.com*, True -*.thenetshadow.com*, True -*.the-netwerk.me*, True -*.the-network-expert.ca*, True -*.thenetworktech.net*, True -*.theneverendinggaragesale.com*, True -*.theneverendinggaragesale.org*, True -*.thenevernever.net*, True -*.thenewellpost.co.uk*, True -*.thenewest.com.ar*, True -*.theneweys.org*, True -*.thenewgrace.org*, True -*.thenewthing.ro*, True -*.thenewtons.co.nz*, True -*.the-next-face.com*, True -*.thenicery.com*, True -*.thenicholsonfamily.co.uk*, True -*.thenightmarehours.com*, True -*.thenme.net*, True -*.thenose.eu*, True -*.thenullterminator.net*, True -*.thenumenorean.net*, True -*.thenutgraph.com.my*, True -*.thenxtreport.com*, True -*.theoandemma.co.uk*, True -*.theoceanforest.com*, True -*.theodia.ro*, True -*.theodorekim.com*, True -*.theodosi.com*, True -*.theoeconline.org*, True -*.theoffbeatnetwork.co.uk*, True -*.theofficialjuks.ml*, True -*.theogmd.com*, True -*.theo.mx*, True -*.theoneserv.us*, True -*.theonevpn.com*, True -*.theonlyborg.com*, True -*.theonlytech.com*, True -*.theopenjournal.org*, True -*.theophilusadegbohungbe.tk*, True -*.theophiramfoundation.org*, True -*.theoppositeistrue.net*, True -*.theordways.net*, True -*.theoryoflyricisity.com*, True -*.theosoares.com.br*, True -*.theoturner.me.uk*, True -*.theourpage.com*, True -*.theourpage.net*, True -*.theourpage.org*, True -*.the-oxford.mobi*, True -*.thepaathshala.com*, True -*.thepaccenter.com*, True -*.thepacketslinger.net*, True -*.thepad.net*, True -*.theparentscollective.org*, True -*.theparkerfamily.co*, True -*.theparthenon.ca*, True -*.theparticlestorm.com*, True -*.thepastos.com*, True -*.thepastos.info*, True -*.thepastos.net*, True -*.thepastos.org*, True -*.thepatchetts.co.uk*, True -*.the-patels.co.uk*, True -*.thepathfinder.com*, True -*.thepathonline.info*, True -*.the-patriot.tk*, True -*.thepaynefamily.id.au*, True -*.thepciportal.com*, True -*.thepeakeducation.co.uk*, True -*.thepelletiers.ca*, True -*.the-penthouse.com.au*, True -*.theperfectchange.com*, True -*.theperfectdomain.net*, True -*.thepham.ninja*, True -*.thephifers.com*, True -*.thephoenix.pw*, True -*.thephonebox.in*, True -*.thephonelocker.co.uk*, True -*.thephorce.net*, True -*.thephotobooth.in*, True -*.thephuck.com*, True -*.thepianoguysfl.com*, True -*.thepianolady.com*, True -*.thepianolady.net*, True -*.thepilotmap.com*, True -*.thepingo.es*, True -*.thepinkladiestrust.org.uk*, True -*.thepinnaclegroup.co.nz*, True -*.thepinotclub.com*, True -*.thepipersden.com*, True -*.thepiratesea.com*, True -*.the-pit-lane.co.uk*, True -*.theplaceconceptstore.com*, True -*.theplaceconceptstore.ro*, True -*.theplacex.com*, True -*.theplanet.gr*, True -*.theplateauofleng.com*, True -*.theplug.org*, True -*.thepolevault.org*, True -*.thepop.ga*, True -*.thepop.ml*, True -*.theportsmouthtavern.ca*, True -*.thepotionsmaster.net*, True -*.thepottlefamily.com*, True -*.theprasojos.web.id*, True -*.theprincedistributors.com*, True -*.theproject.ro*, True -*.theprophet.org.za*, True -*.theprostore.com.au*, True -*.thepublicgroup.com*, True -*.thepumpkinhead.com*, True -*.thequarkworks.com*, True -*.thequeenisdead.co.uk*, True -*.thequestforzion.com*, True -*.thequickconsultant.com*, True -*.thequiethouse.co.uk*, True -*.thequitter.info*, True -*.theradford.com*, True -*.theragingkilt.com*, True -*.theramatch.com*, True -*.therapacks.com*, True -*.therapacks.com.au*, True -*.therdgames.com*, True -*.therealca.ro*, True -*.therealchadhall.com*, True -*.therealization.net*, True -*.therealpatpatterson.com*, True -*.therealss.com*, True -*.therealss.net*, True -*.thereandbeyond.com*, True -*.there-appy.com*, True -*.thered.com.ar*, True -*.theredlands.com*, True -*.thereedpack.net*, True -*.therefinery-ba.com*, True -*.theregulators.org*, True -*.theremotefixer.com*, True -*.therenback.com.au*, True -*.therepublic.ca*, True -*.theresasgrinders.com*, True -*.theriens.com*, True -*.therightdecision.gr*, True -*.therizal.net*, True -*.thermalaircape.co.za*, True -*.thermalninja.com*, True -*.thermarite.com.my*, True -*.thermooikonomiki.gr*, True -*.thermoswim.com*, True -*.thermotron.co.za*, True -*.thermo-wood.cz*, True -*.theroadtoforever.net*, True -*.theroadtoforever.us*, True -*.therobertball.com*, True -*.therock247uk.me*, True -*.therockmfg.com*, True -*.therodemanns.com*, True -*.theroerings.com*, True -*.theromantichearts.com*, True -*.theroom41.com*, True -*.theroot.eu*, True -*.the-root.org*, True -*.therourkefamily.com*, True -*.therujis.com*, True -*.therunwayoflife.com*, True -*.the-samurai.ninja*, True -*.thesanch.com*, True -*.thesanctuaryofaugusta.info*, True -*.thesanctuaryofaugusta.mobi*, True -*.thesanctuaryofaugusta.org*, True -*.the-sanfilippo.com*, True -*.thesanfilippo.org*, True -*.thesausagedog.co.uk*, True -*.thesavvygrape.net*, True -*.the-scary-maze-game.com*, True -*.the-schmidt-family.org*, True -*.theschmidts.ca*, True -*.thescratchingpost.cat*, True -*.thescs.tk*, True -*.thescu.ch*, True -*.thescudderfamily.com*, True -*.thesensationband.com*, True -*.theserver.tk*, True -*.theserviceman.com.au*, True -*.theseventhunders.org*, True -*.the-sgc.co.uk*, True -*.theshawfamily.co.uk*, True -*.theshinga.tk*, True -*.theshirleys.org*, True -*.the-shopaholic.co.za*, True -*.theshopaholicsa.co.za*, True -*.theshopaholics.co.za*, True -*.the-shop.co.za*, True -*.theshowsecretary.co.uk*, True -*.thesicpit.com*, True -*.thesilverdagger.co.uk*, True -*.thesilverforest.com*, True -*.thesilverhide.co.uk*, True -*.thesinclairs.org*, True -*.thesinonomous.com*, True -*.thesinonomous.net*, True -*.thesinonomous.org*, True -*.thesinonomous.tk*, True -*.thesleepwalker.org*, True -*.thesmartcitizen.co.za*, True -*.thesmick.com*, True -*.thesmiler.de*, True -*.thesmysers.tk*, True -*.thesnakepit.info*, True -*.thesnifters.com*, True -*.thesocialimperative.com*, True -*.thesolutionbureau.com*, True -*.thesorethumbs.com*, True -*.thesoulofand.co.za*, True -*.thesoul.tk*, True -*.thesouthernclassic.com*, True -*.thespiritofand.co.za*, True -*.thespork.info*, True -*.thespork.mobi*, True -*.thesportsmarket.ca*, True -*.thesportstourist.co.uk*, True -*.thespotteddonkey.com*, True -*.thespraus.com*, True -*.thesqueakandoilchart.com*, True -*.thesqueakandoilformula.com*, True -*.thesqueakandoilmanual.com*, True -*.thesqueakandoilmodel.com*, True -*.thessaloniki-thessaloniki.com*, True -*.thest0rmxt.tk*, True -*.thestakes.org*, True -*.thestemandslide.com*, True -*.thestickingplace.ca*, True -*.thestickingplacefilm.com*, True -*.thestigfacts.com*, True -*.thestoehrs.net*, True -*.thestore.com.ar*, True -*.thestorklawyer.com*, True -*.thestrickers.com*, True -*.the-studio-d.tk*, True -*.thesundance.co.uk*, True -*.thesustainablegrid.com*, True -*.thesustainablegrid.info*, True -*.thesustainablegrid.net*, True -*.thesustainablegrid.org*, True -*.thesweetchef.com.ar*, True -*.thesweetiger.com*, True -*.thesweetsclinic.us*, True -*.theswitch.ro*, True -*.thesynthesizer.info*, True -*.thesynth.info*, True -*.thetaburn.com*, True -*.thetachiusf.com*, True -*.thetacos.club*, True -*.thetanakas.info*, True -*.thetanakas.us*, True -*.thetanis.com*, True -*.theta-view.com*, True -*.thetechieone.com*, True -*.thetechlads.tk*, True -*.thetechnical.me*, True -*.thetelecomguy.com*, True -*.thetesttimes.com*, True -*.thetexascapitol.com*, True -*.thethe.org*, True -*.thetheory.it*, True -*.thethirdteacher.com.au*, True -*.thethirdteacher.net.au*, True -*.thethomasspot.com*, True -*.thethomasweb.com*, True -*.thetideyfamily.com*, True -*.thetideys.com*, True -*.thetimesnews.ru*, True -*.thetinpusher.com*, True -*.thetoaster.info*, True -*.thetomatoproject.com*, True -*.thetompeterscompany.com*, True -*.thetomyou.com*, True -*.thetongue.com.au*, True -*.thetoplus.com*, True -*.thetopmp3downloads.com*, True -*.thetoxicduck.co.uk*, True -*.thetrailcrew.com*, True -*.thetransformice.ml*, True -*.thetravelergeek.com*, True -*.thetravelingbuilder.com*, True -*.thetrents.org*, True -*.thetrist.com*, True -*.thetruckden.co.za*, True -*.thetrueblood.com*, True -*.thetruthaboutplanes.com*, True -*.thetrystero.org*, True -*.thetschirners.com*, True -*.thetu.bz*, True -*.thetweekpage.net*, True -*.thetwelvedrummers.com*, True -*.thetwelvemusic.com*, True -*.thetyphoon.net*, True -*.thetyraen.tk*, True -*.theultimanet.com*, True -*.theunicom.com*, True -*.theunitedgold.com*, True -*.theuniverseiswinning.com*, True -*.theunorganizedgamer.com*, True -*.theurl.tk*, True -*.thevalley.ai*, True -*.thevaluer.co.za*, True -*.thevaughts.net*, True -*.thevencedor.com*, True -*.theventz.org*, True -*.theverse.tk*, True -*.thevibrantbeet.com*, True -*.thevillagevet.co*, True -*.thevinotracker.com*, True -*.thevintageolivetree.com*, True -*.thevinylfrontier.com.au*, True -*.thevirus.ro*, True -*.thevoiceexchange.com*, True -*.thevoidbelow.com*, True -*.thevolins.com*, True -*.thewaites.org*, True -*.thewambaughs.net*, True -*.thewaragainstsuperbugs.ca*, True -*.thewaragainstsuperbugs.com*, True -*.thewarwick.com.au*, True -*.thewatchshop.im*, True -*.thewatchshop.org*, True -*.thewatsonsydney.com*, True -*.thewatsonsydney.com.au*, True -*.thewavecarcarecenter.com*, True -*.thewave-rockytoppers.com*, True -*.thewayofnature.nl*, True -*.the-web-ac.com*, True -*.thewebcomiclistawards.com*, True -*.thewebsitechecker.com*, True -*.theweedwhisperer.us*, True -*.thewein.co.kr*, True -*.thewellnessfactory.com.au*, True -*.thewengerts.com*, True -*.thewetwizard.co.uk*, True -*.the-who.tk*, True -*.thewikidog.com*, True -*.thewikidogs.com*, True -*.thewildrosejewellerycompany.com*, True -*.thewildscotsman.com*, True -*.thewildscotsman.co.uk*, True -*.thewillregistry.info*, True -*.thewillregistry.net*, True -*.thewillregistry.us*, True -*.the-windows-expert.ca*, True -*.the-windows-expert.com*, True -*.thewinecellar.com.au*, True -*.thewintercloud.com*, True -*.thewirecloset.com*, True -*.thewired.us*, True -*.thewirelessweb.net*, True -*.thewisdomsonline.com*, True -*.thewitterings.com*, True -*.thewitterings.net*, True -*.thewitterings.org*, True -*.thewolffamily.info*, True -*.thewolfsden.net*, True -*.thewolvertonclan.com*, True -*.thewolvertons.com*, True -*.thewolvertons.net*, True -*.thewomanshealth.com*, True -*.thewoodenartist.com*, True -*.thewoodworksllc.com*, True -*.thewoonsocketchannel.com*, True -*.theworking.biz*, True -*.theworldplan.com*, True -*.theworlds50best.com.br*, True -*.theworldsend.eu*, True -*.thewraithcar.com*, True -*.thewrights.id.au*, True -*.thewulffs.us*, True -*.thewww.co.za*, True -*.thewynnes.net*, True -*.thewynnes.org*, True -*.thex.ro*, True -*.thexyin.sexy*, True -*.theyankeegalsutlery.com*, True -*.theyard.ml*, True -*.theyarecute.com*, True -*.theydontmakethisstuffanymore.com*, True -*.theyogaboutique.co.uk*, True -*.theyoungtamlyn.co.uk*, True -*.theyozers.com*, True -*.thezed.tk*, True -*.thezhangs.com*, True -*.thezooresidence.com*, True -*.thezworld.net*, True -*.thgp.info*, True -*.thh.cl*, True -*.thibaultsahuc.fr*, True -*.thichgi.ga*, True -*.thichhangusa.com*, True -*.thientainhi.com*, True -*.thierconstruction.com*, True -*.thierrenovations.com*, True -*.thierryduchoud.ch*, True -*.thierrymartigny-denturologiste.com*, True -*.thierrystump.com.br*, True -*.thiersheetmetal.com*, True -*.thietbiso.asia*, True -*.thietkeweb.cz*, True -*.thim.be*, True -*.thimoteus.tk*, True -*.thinairtech.com*, True -*.thinclients.ro*, True -*.thincrust.com*, True -*.thingamagifts.ca*, True -*.thingamagifts.com*, True -*.thingiebox.com*, True -*.thinglogic.com*, True -*.thingsiseethatilove.com*, True -*.thingsonwheels.co.za*, True -*.thinkandgrowrichbusiness.com.au*, True -*.thinkandgrowrichcashflow.com.au*, True -*.thinkandgrowrichgifts.com*, True -*.thinkandgrowrichinternet.com.au*, True -*.thinkandgrowrichonline.com.au*, True -*.thinkandgrowrichproperty.com.au*, True -*.thinkandgrowrichrealestate.com.au*, True -*.thinkandgrowrichshares.com.au*, True -*.thinkbeyondimagination.tk*, True -*.thinkbluebubble.com*, True -*.thinkbluebubble.co.uk*, True -*.thinkbsd.net*, True -*.thinkdebian.net*, True -*.thinkersrus.com*, True -*.thinkersrus.net*, True -*.thinkersrus.org*, True -*.thinkgarden.com*, True -*.thinkgis.be*, True -*.thinkingallowed.info*, True -*.thinkingaloud.info*, True -*.thinkingamerica.org*, True -*.thinkingchip.com*, True -*.thinkingchips.com*, True -*.thinkingspace.com.au*, True -*.think-leader.com*, True -*.thinkmethod.com*, True -*.thinkrouting.com*, True -*.thinksimple.org*, True -*.thinksnow.net*, True -*.thinksnow.org*, True -*.thinkster.me*, True -*.thinksys.biz*, True -*.thinktank.ro*, True -*.thinkupcomunicacao.com.br*, True -*.thinnerkeiji.com*, True -*.thinserver.org*, True -*.thintech.cl*, True -*.thirdtube.tk*, True -*.thirst-app.mobi*, True -*.thirtyonedays.net*, True -*.thiscluster.com*, True -*.thisflippinhouse.com*, True -*.thisgreencloud.com*, True -*.thi.sh*, True -*.thisindo.info*, True -*.thisisbeauty.biz*, True -*.thisischristhayer.com*, True -*.thisiset.com*, True -*.thisisi.com*, True -*.thisismydublin.ie*, True -*.thisismyown.com*, True -*.thisisnotaurl.co.uk*, True -*.thisisourdotcom.com*, True -*.thisisrealbeauty.com*, True -*.thisiswhatido.info*, True -*.thisnukes4u.net*, True -*.thispersonvotes.com*, True -*.thisplaceisbirds.com*, True -*.thitruongninhbinh.com*, True -*.thksrv.tk*, True -*.thodeylodge.net*, True -*.thoitrangrumi.com*, True -*.thomasandbennett.net*, True -*.thomasandsarah.net*, True -*.thomasave.be*, True -*.thomascmobley.com*, True -*.thomasco.info*, True -*.thomas-ganteng.ml*, True -*.thomasgustavo.com*, True -*.thomaslinstead.info*, True -*.thomaslogic.net*, True -*.thomasmangnall.com*, True -*.thomasnsalzano.com*, True -*.thomas-openvpn.tk*, True -*.thomasplumbinghvac.com*, True -*.thomaspurchas.co.uk*, True -*.thomasschudel.com*, True -*.thomastech.net*, True -*.thomastownautos.com.au*, True -*.thoma-treuhand.ch*, True -*.thommythomaso.com*, True -*.thomoagencies.com*, True -*.thompent.com*, True -*.thompsonbuilding.com.au*, True -*.thompsonracing.co.za*, True -*.thomson-is.com*, True -*.thomson.ninja*, True -*.thomster.ch*, True -*.t-honeypot.de*, True -*.thongslipper.com*, True -*.thongthaitextile.com*, True -*.thoramus.com*, True -*.thorberg.is*, True -*.thorley.net.au*, True -*.thor-management.com.ar*, True -*.thornleighcarclub.org*, True -*.thorntoncreekestates.cf*, True -*.thoroughlymodernbooks.com*, True -*.thorpeend.org*, True -*.thorsten.asia*, True -*.thorwaldgustav.com*, True -*.thosebits.com*, True -*.thosefunkyguys.tk*, True -*.thothbox.ro*, True -*.thoto.tk*, True -*.thotrancoder.tk*, True -*.thoughtfulcavedad.com*, True -*.thoughthammer.net*, True -*.thoughtstash.biz*, True -*.thoughtstash.com*, True -*.thoughtstash.net*, True -*.thoughtster.co*, True -*.thoughtster.net*, True -*.thoughtstorm.biz*, True -*.thoukydidis.gr*, True -*.thoupagen.com*, True -*.thousandhourspractice.com*, True -*.t-hp.com*, True -*.t-hp.co.uk*, True -*.thpschule.de*, True -*.thptvinhlinh.org*, True -*.t-hp.uk*, True -*.thradis.com*, True -*.thranx.com*, True -*.thrashmaster.net*, True -*.thrawn.net*, True -*.threadist.org*, True -*.threadtech.com.au*, True -*.threadwell.com.au*, True -*.threat-awareness.com*, True -*.threatend.com*, True -*.threecanoes.com*, True -*.threednd.info*, True -*.threednd.net*, True -*.threednd.org*, True -*.threegeeksconsulting.com*, True -*.threekingdoms.co.id*, True -*.threelittlebostons.com*, True -*.threemast.com*, True -*.threemeadows.com*, True -*.threenin6.com*, True -*.threeoon.tk*, True -*.threepwud.com*, True -*.threepwud.co.uk*, True -*.threeriversbuccaneers.com*, True -*.threesixtycoach.com*, True -*.three-way.com.ar*, True -*.threewishes.co.kr*, True -*.threeyearsofsundays.org*, True -*.thri.ch*, True -*.thriftywireless.com*, True -*.thriftywireless.net*, True -*.thrippleton.info*, True -*.thriveplus.com.au*, True -*.thrivingonbusiness.com*, True -*.thrivingonbusiness.com.au*, True -*.thronesupply.com*, True -*.throttlebody.co*, True -*.throttleshift.com*, True -*.throttleshift.com.au*, True -*.throttleshift.co.nz*, True -*.throttleshift.co.uk*, True -*.throughmylensphotography.com*, True -*.throughthelensevents.com*, True -*.throwasoupon.com*, True -*.throwbackcountdown.com*, True -*.throwtv.com*, True -*.thrulove.ml*, True -*.thrussells.co.uk*, True -*.thru.st*, True -*.thrust.pl*, True -*.ths64.net*, True -*.thsa.com.ar*, True -*.thtn.tk*, True -*.th.to*, True -*.thuanloipho.com*, True -*.thuanloipho.vn*, True -*.thucdaydesong.org*, True -*.thucnghiem.org*, True -*.thuctap.co.uk*, True -*.thueringhome.com*, True -*.thuexemaynhatrang.vn*, True -*.thuglas.org*, True -*.thugreport.com*, True -*.thuisschool.com*, True -*.thuisverplegingsamyn-callebert.be*, True -*.thuisverplegingsamyn-verduyn.be*, True -*.thula.co.uk*, True -*.thulani.nom.za*, True -*.thule.tk*, True -*.thumperjumper.org*, True -*.thunderfly.com*, True -*.thundernova.ca*, True -*.thunderprofitness.com*, True -*.thunder-storm.ca*, True -*.thunderwars.com*, True -*.thunellnet.com*, True -*.thunyakorn.com*, True -*.thuoc.tv*, True -*.thurein.com*, True -*.thurn.com*, True -*.thursdaynightsocialride.com*, True -*.thuthukadesigns.co.za*, True -*.thuvienconggiao.com*, True -*.thuytam.net*, True -*.thyholyhandgrenade.com*, True -*.thymeconsultinggroup.com*, True -*.thymonmcserver.tk*, True -*.thymonplays.com*, True -*.thymonplays.tk*, True -*.thyregod.tk*, True -*.thytube.com*, True -*.ti68k.com*, True -*.tia-archi.com*, True -*.tiagofischer.com.br*, True -*.tiagom.com*, True -*.tiagopolicarpo.eu*, True -*.tiahome.net*, True -*.tianabuenosaires.com.ar*, True -*.tiandaoguanggao.com*, True -*.tiandelady.com*, True -*.tiande-st.ru*, True -*.tiandidp.co.za*, True -*.tianglampujalan.com*, True -*.tianglampupju.com*, True -*.tiangpjuantik.com*, True -*.tianhua.com.au*, True -*.tianm.info*, True -*.tianweiliu.com*, True -*.tianyijlb.com*, True -*.tiaratown.cf*, True -*.tiarindo.com*, True -*.tiarnach.tk*, True -*.tibaldi.mx*, True -*.tibblenet.com*, True -*.tibet3rdpole.org*, True -*.tibetjustice.org*, True -*.tibetlobbyday.org*, True -*.tibetnetwork.org*, True -*.tibet.org*, True -*.tibiasoft.net*, True -*.tibiz.cl*, True -*.ti-box.com.ar*, True -*.tibpet.ro*, True -*.tib-sa.ch*, True -*.tic.ec*, True -*.ticinostudio.com*, True -*.ticinostudio.net*, True -*.tickercentral.co*, True -*.ticketbooth.nl*, True -*.ticketcsbg.ga*, True -*.ticket-online.ru*, True -*.tickfiles.com*, True -*.tickledhearts.com*, True -*.ticklemetoes.space*, True -*.tickytacksoap.com*, True -*.ticonsult.com.br*, True -*.ticpu.net*, True -*.ticsa.cl*, True -*.ticsan.com.ar*, True -*.tics.ec*, True -*.ticsur.cl*, True -*.tictocenelreloj.com*, True -*.tidder.net*, True -*.tidetimedivers.com*, True -*.tideynet.com*, True -*.tideynet.net*, True -*.tideynetworks.com*, True -*.tidigi.com*, True -*.tiedamihinhyppaat.fi*, True -*.tiedyepoa.com.br*, True -*.tiedyeroses.net*, True -*.tiemetightly.ca*, True -*.tiempolisto.cl*, True -*.tiendabatorrejon.com*, True -*.tiendabatorrejon.es*, True -*.tiendachilena.cl*, True -*.tiendadelturista.com*, True -*.tiendafallera.com*, True -*.tiendaintercenter.com*, True -*.tienda-pastel.com.ar*, True -*.tiendaphe.com.ar*, True -*.tiendasamano.cl*, True -*.tiendas.ir*, True -*.tiendaskoper.com*, True -*.tienichnho.com*, True -*.tien-shan.org*, True -*.tiensidn.com*, True -*.tienti51.com*, True -*.tienve.org*, True -*.tierbetreuung-huber.ch*, True -*.tiere.com.br*, True -*.tierrabienesraices.com.ar*, True -*.tierradeenmedio.org.mx*, True -*.tierrafranca.net*, True -*.tierras-perdidas.com*, True -*.ties.info*, True -*.tiesvr.net*, True -*.tietoliikenne.info*, True -*.tiffanyanderic.com*, True -*.tiffanyd.com*, True -*.tiffanykirchner.com*, True -*.tiflovia.com*, True -*.tigabintangjaya.com*, True -*.tigaintipilar.com*, True -*.tigana.com*, True -*.tigardmasons.org*, True -*.tigaregistry.com*, True -*.tigase.pl*, True -*.tigeostalk.tk*, True -*.tigerdirect.com.br*, True -*.tigerfilm.ru*, True -*.tigerproxy.net*, True -*.tigertranslate.my*, True -*.tigertranslatemy.com*, True -*.tigger2014.co.uk*, True -*.tigger.tk*, True -*.tighefamily.com*, True -*.tight-clothes.net*, True -*.tightspread.com*, True -*.tigodrc.com*, True -*.tigrao.info*, True -*.tigrao.org*, True -*.tigrawill.ro*, True -*.tiguri.ch*, True -*.tigy.ch*, True -*.tiiger.net*, True -*.tiimipalaveri.fi*, True -*.tiina.cf*, True -*.tiina.ga*, True -*.tiina.gq*, True -*.tiina.ml*, True -*.tiinaorav.gq*, True -*.tiinaorav.tk*, True -*.tiina.tk*, True -*.ti-i.ru*, True -*.tika.cf*, True -*.tikay.cl*, True -*.tikbagus.gq*, True -*.tiket-termurah.com*, True -*.tiki7.com*, True -*.tikinti-agent.com*, True -*.tikiradon-wow.de*, True -*.tikitemple.com*, True -*.tikoian.com*, True -*.tiksay.ir*, True -*.tiksay.net*, True -*.tikunaenergia.cl*, True -*.tildecode.net*, True -*.tilde.systems*, True -*.tilenmrevlje.tk*, True -*.tilfors.se*, True -*.tilitaitoanssilaitinen.fi*, True -*.tilitaitolaitinen.fi*, True -*.tilley.me*, True -*.tilovactory.tk*, True -*.tilwedanceaway.com*, True -*.timabington.ml*, True -*.timasr.com.ar*, True -*.timbangan-murah.com*, True -*.timbangansurabaya.com*, True -*.timberglade.in*, True -*.timbertops.org.uk*, True -*.timber-yard.ro*, True -*.timbit-server.com*, True -*.timblais.com*, True -*.timboar.com*, True -*.timboar.com.ar*, True -*.timbul.org*, True -*.tim-commer.de*, True -*.timcommer.de*, True -*.timcosgriff.com*, True -*.time2060.info*, True -*.time2cherish.net*, True -*.time2speak.com*, True -*.time2speak.com.au*, True -*.time2wakeup.me*, True -*.time3.ro*, True -*.time4danny.com*, True -*.time4danny.net*, True -*.time4danny.pw*, True -*.time4danny.xyz*, True -*.time4events.com*, True -*.timeacc.ro*, True -*.timeattack.cl*, True -*.timeattack.my*, True -*.timeblog.co.kr*, True -*.timedax.com*, True -*.timedip.net*, True -*.timegrid.io*, True -*.timelessimages.ca*, True -*.timelesstorah.com*, True -*.timelineproject.tk*, True -*.timelordtechnology.com*, True -*.timemasterlabs.com*, True -*.timemasterlabs.net*, True -*.timemasterlabs.org*, True -*.timemaxdiamonds.com*, True -*.time.rs*, True -*.times.co.il*, True -*.timesharebuyerlist.com*, True -*.timetoexpand.com*, True -*.timetracking.at*, True -*.timetrix.net*, True -*.time-vault.com*, True -*.timewars.net*, True -*.timfrietas.com*, True -*.timhanke.net*, True -*.timhitchins.tk*, True -*.timholden.info*, True -*.timisco.com*, True -*.timjuntunen.com*, True -*.timkeith.tk*, True -*.timlowery.com*, True -*.timmedves.tk*, True -*.timmonsclan.ca*, True -*.tim-murken.de*, True -*.timmy.net.ru*, True -*.timnhac.tk*, True -*.timnkim.com*, True -*.timofiejew.com*, True -*.timofy.co.uk*, True -*.timohoetmer.nl*, True -*.timo-naumann.ch*, True -*.timorstud.com*, True -*.timothy.cf*, True -*.timothyju.com*, True -*.timothykennedy.me*, True -*.timothysteel.com.au*, True -*.timothy.tk*, True -*.timpapan.com*, True -*.timpapan.us*, True -*.timp.cl*, True -*.timpeterson.org*, True -*.timripperowens.com.br*, True -*.timsexton.co.uk*, True -*.timspurway.com*, True -*.timsshorts.com*, True -*.timstellar.hr*, True -*.timstradingpost.com*, True -*.timtamslam.si*, True -*.timthesoundman.co.uk*, True -*.timthiel.de*, True -*.timtilities.com*, True -*.timtschirner.com*, True -*.timtung.com*, True -*.timussolutions.com*, True -*.timussolutions.co.uk*, True -*.timwithers.com*, True -*.timyeu.net*, True -*.timzhu.com*, True -*.tinag.ro*, True -*.tinata.co.uk*, True -*.tinbud48.com*, True -*.tincotech.com*, True -*.tindras.se*, True -*.tinf.cl*, True -*.tinfoilmail.net*, True -*.tingalpamtcottonlutheran.org.au*, True -*.tingateitsolutions.com.au*, True -*.tinge.com.au*, True -*.tinggoo.net*, True -*.tingvollklang.no*, True -*.tinhausstyle.com*, True -*.tinhcam.org*, True -*.tinhdaugac.com*, True -*.tinhuey.com*, True -*.tinichigerieconstructii.ro*, True -*.tinister.com*, True -*.tinju.ninja*, True -*.tinkerbugs.ca*, True -*.tinkerbugs.com*, True -*.tinkerking.tk*, True -*.tink-inc.com*, True -*.tinkingusa.com*, True -*.tinkoala.tk*, True -*.tinkunaku.com.ar*, True -*.tinnes-schaaf.de*, True -*.tinnitus.gq*, True -*.tinobedi.com*, True -*.tino.gq*, True -*.tinosmarble.com*, True -*.tinos-tinos.com*, True -*.tinozplace.com*, True -*.tins.hk*, True -*.tinsign.ru*, True -*.tintincloud.com*, True -*.tintira.com*, True -*.tintmesilly.com*, True -*.tintometer.com.br*, True -*.tintotinta.es*, True -*.tintuc.eu*, True -*.tinturasdoctorazambuya.com*, True -*.tinturier.ch*, True -*.tinyatom.net*, True -*.tiny-bot.com*, True -*.tinybottle.com*, True -*.tinydynamic.net.au*, True -*.tinyeggfarms.com*, True -*.tiny--games.com*, True -*.tinyint.info*, True -*.tinynomad.org*, True -*.tinyrealm.com*, True -*.tinystor.org*, True -*.tinysun.net*, True -*.tinytimemachine.net*, True -*.tinytownacademy.com*, True -*.tiny-url.ga*, True -*.tiot.org.za*, True -*.tipardigital.ro*, True -*.tipci.com.ar*, True -*.tipcup.fi*, True -*.tipjar.io*, True -*.tipoarad.com*, True -*.tipomanagement.ro*, True -*.tippingboard.com*, True -*.tippingboard.com.au*, True -*.tippyturtle.com*, True -*.tipsandtricks.org*, True -*.tipsehat.web.id*, True -*.tips-fb.cf*, True -*.tipshosting.info*, True -*.tipsiso.ch*, True -*.tips-kesehatan.tk*, True -*.tipsmartphone.asia*, True -*.tipsntricks.ca*, True -*.tips-trik.web.id*, True -*.tiptonwholesale.com*, True -*.tiptopcleaning.org*, True -*.tiptopele.ch*, True -*.tiptopgrosir.com*, True -*.tipuric.com*, True -*.tiramuku.com*, True -*.tirantibroker.com.ar*, True -*.tiredowl.biz*, True -*.tire.is*, True -*.tiriel.net*, True -*.tirinhas.trd.br*, True -*.tirlannon.net*, True -*.tirnomlomjutrebmedia.pw*, True -*.tirsdagsklubben.nu*, True -*.tirtachem.com*, True -*.tirta-gemilang.com*, True -*.tirtawahanaabadi.com*, True -*.tirthaojha.com.np*, True -*.tisasoftware.com*, True -*.tisboma.com*, True -*.tischlerei-si.com*, True -*.tiserver.net.br*, True -*.tiservice.net.br*, True -*.tis-hinwil.ch*, True -*.tisolutionsweb.com.ar*, True -*.tison.info*, True -*.tiss-k.ru*, True -*.titan-inter.com*, True -*.titanium-iptv.com*, True -*.titaniummatrix.com*, True -*.titaniumparents.com*, True -*.titan-log.com*, True -*.titan-online.co.za*, True -*.titanportal.com*, True -*.titans2022.org*, True -*.titanslog.com*, True -*.titansoftware.co.za*, True -*.titantech.co.za*, True -*.titikkomaadv.com*, True -*.titikpijat.com*, True -*.titimoli.com.ar*, True -*.titipanak.com*, True -*.tit-kuzmich.ru*, True -*.title.gq*, True -*.titleworld.pw*, True -*.titoherrera.tk*, True -*.titrade.si*, True -*.titsanity.com*, True -*.tits-list.tk*, True -*.titsorgtfo.org*, True -*.tivi.com.br*, True -*.tivimax.com*, True -*.tivivietnam.net*, True -*.tiwic.biz*, True -*.tiwic.com.ar*, True -*.tiwic.org*, True -*.tix21.com*, True -*.tix21.net*, True -*.tixti.com.br*, True -*.tiz80.com*, True -*.tizianobellucci.it*, True -*.tizianorosalia.it*, True -*.tizietizi.it*, True -*.tizpa.net*, True -*.tjbaumann.com*, True -*.tjbaxter.me*, True -*.tjbowers.com*, True -*.tj-coding.net*, True -*.tjcrealty.com*, True -*.tjdakang.com*, True -*.tj-king.com*, True -*.tjkwentus.com*, True -*.tjkwentus.info*, True -*.tjmaru.tk*, True -*.tjminecraft.info*, True -*.tjmproduction.com*, True -*.tjsa-valve.com*, True -*.tjsvalve.com*, True -*.tjuksa.com*, True -*.tjuvlarm.eu*, True -*.tkacsik.net*, True -*.tkacz.tk*, True -*.tkalex-glass.ru*, True -*.tkbud.net*, True -*.tkemaladze.ru*, True -*.tkentseltasarim.com.tr*, True -*.tkhughes.ca*, True -*.tkimbler.com*, True -*.t-kim.ru*, True -*.tkj-1.org*, True -*.tkj-arridho.tk*, True -*.tkjos.net*, True -*.tkklass.ru*, True -*.tkldesign.com*, True -*.tkmapparel.com.au*, True -*.tk-muslimat29.com*, True -*.tkoboc.org*, True -*.tkotrailriders.com*, True -*.tks-indonesia.com*, True -*.tkt.ch*, True -*.tkwapich.com*, True -*.tkzs.org*, True -*.tl4.me*, True -*.tlav.com*, True -*.tlchousesitting.com*, True -*.tldavies.com*, True -*.tldreports.com*, True -*.t-lesark.com*, True -*.t-lesark.ru*, True -*.tlfbelux.com*, True -*.tlf.it*, True -*.tlf-spielplatzgeraete.com*, True -*.tl-garage.ro*, True -*.tlgstone.com*, True -*.tli.cl*, True -*.tlnajera.com*, True -*.tln.cl*, True -*.tlogorejo.com*, True -*.tlov.net*, True -*.tls.co.za*, True -*.tlservicios.cl*, True -*.tlt-ind.gq*, True -*.tluck.com.np*, True -*.tlwclub.com*, True -*.tm2brasil.com.br*, True -*.tm7.ir*, True -*.tmagma.com.ar*, True -*.tmathis.com*, True -*.tmaxclub.tw*, True -*.tmb.mx*, True -*.tmbpc.org*, True -*.tmcn.biz*, True -*.tmcofswfl.com*, True -*.tmdswa.cf*, True -*.tmi-america.com*, True -*.tmi-th.com*, True -*.tmit.ro*, True -*.tmknight.net*, True -*.tmleader.com*, True -*.tmlinkup.com*, True -*.tmm777.com*, True -*.tm-network.ro*, True -*.tmn.xyz*, True -*.tmorehen.com*, True -*.tmoriya.com*, True -*.tmparts.ru*, True -*.tmpneuquen.com.ar*, True -*.tmp.tw*, True -*.tmra.co.uk*, True -*.tmrcorretora.com.br*, True -*.tmsi.ca*, True -*.tmswww.com.br*, True -*.tmt-club.ro*, True -*.tmtclub.ro*, True -*.tmtechs.com*, True -*.tmtkr.com*, True -*.tmt-logistics.us*, True -*.tmxc.ru*, True -*.tn04.com*, True -*.tnan.co.za*, True -*.tncom.com.au*, True -*.tnealart.com*, True -*.tnebldc.org*, True -*.tnesba.net*, True -*.tnf.com.br*, True -*.tnftransporte.com.br*, True -*.tnlcraiova.ro*, True -*.tnlima.info*, True -*.tnl.jp*, True -*.tnmining.mx*, True -*.tn.my*, True -*.tnnrguy.com*, True -*.tnodi.com*, True -*.tnschoolhealth.com*, True -*.tns.com.my*, True -*.tnsma.org*, True -*.tnsmexico.com.mx*, True -*.tnsmexico.mx*, True -*.tntadv.ga*, True -*.tntitans.com*, True -*.tntmotorshouston.com*, True -*.tnt-pictures.com*, True -*.tntt.biz*, True -*.tnttvn.com*, True -*.tny.io*, True -*.toackoncahuak.com*, True -*.toadfishmonastery.org*, True -*.toadville.org*, True -*.toancauexpress.cf*, True -*.toaono.com*, True -*.to-apofasisame.info*, True -*.toart.cl*, True -*.toastbox.ml*, True -*.toastmasters.com.ar*, True -*.toastoffice.com*, True -*.toastsideup.co.uk*, True -*.toat.cl*, True -*.toateschiurile.ro*, True -*.tobaccgrow.com*, True -*.tobac.ch*, True -*.tobal.ml*, True -*.tobaresources.com*, True -*.tobban.com*, True -*.tobbynet.co.nz*, True -*.tobe69.com*, True -*.tobefree.ch*, True -*.tobiasblaser.ch*, True -*.tobiaswolfer.ch*, True -*.tobike.ca*, True -*.tobing.web.id*, True -*.tobogane-copii.ro*, True -*.tobra.ch*, True -*.tobuy.us*, True -*.tobyns.com*, True -*.tobypc.com*, True -*.tocaconsulting.com*, True -*.tocade.ca*, True -*.tocavoip.com*, True -*.tocavoip.com.br*, True -*.toccomagico.ch*, True -*.tocdeptonidzung.com*, True -*.tocdo.biz*, True -*.tochetto.com.br*, True -*.tocky.vn*, True -*.tocomocho.com*, True -*.toc-online.ch*, True -*.toconline.ch*, True -*.tocplus004.com*, True -*.todachique.com.br*, True -*.todalilian.com.br*, True -*.todayspc.us*, True -*.todayspecials.co.za*, True -*.toddboland.com*, True -*.toddhassinger.com*, True -*.toddk.ca*, True -*.toddler2x.com*, True -*.toddlerbreastfeeding.com*, True -*.toddmanor.com*, True -*.toddpfaff.com*, True -*.toddpoland.com*, True -*.toddyluv.com*, True -*.todeco.ru*, True -*.todocitroen.com.ar*, True -*.todoelmundo.ro*, True -*.todoencomputo.com.mx*, True -*.todo-es-posible.com.ar*, True -*.todoesquimica.com.ar*, True -*.todoeventomilavid.com.ve*, True -*.todofiestacordoba.com.ar*, True -*.todohierrosa.com.ar*, True -*.todoindustrial.com.ar*, True -*.todoitall.com*, True -*.todomundovai.com.br*, True -*.todonts.com*, True -*.todopeugeotcitroen.com*, True -*.todopeugeot.com.ar*, True -*.todoporriver.com.ar*, True -*.todosaviajar.com*, True -*.todosgustandemi.com.ar*, True -*.todosuma.cl*, True -*.todosuma.net*, True -*.todosuma.org*, True -*.todotechi.com*, True -*.toeca.ml*, True -*.to-filigran-hvar.hr*, True -*.toflocal.com*, True -*.tofmme.com*, True -*.tofm.pw*, True -*.tofpro.tk*, True -*.togan.ro*, True -*.togetherandcompany.com*, True -*.togetherlets.com.au*, True -*.togl.net*, True -*.togogourmet.net.au*, True -*.toha.cl*, True -*.tohankwithlove.com*, True -*.tohike.ca*, True -*.tohil.net*, True -*.tohmaepa.com*, True -*.toh.my*, True -*.tohokujudo.org*, True -*.to-home.tk*, True -*.tohu.ml*, True -*.tohyu.com*, True -*.toichos.com*, True -*.toicomotuocmo.com*, True -*.toiletproductions.com*, True -*.toitureshmcduff.com*, True -*.toiyeudaklak.com*, True -*.toiyeuphunu.com*, True -*.tojox3.com*, True -*.tok333.com*, True -*.tokalahusky.com*, True -*.tokarev.co.il*, True -*.tokenilusion.com*, True -*.tokfort.nu*, True -*.tokgozler.com.tr*, True -*.tokico.ru*, True -*.tokoalatsafety.com*, True -*.tokoamazing.com*, True -*.tokoanak.com*, True -*.tokobehel.com*, True -*.tokobungaveron.com*, True -*.tokofile.tk*, True -*.tokofilmzeo.com*, True -*.tokohape.asia*, True -*.tokojayamesin.com*, True -*.tokokimiasurabaya.com*, True -*.tokokita.ga*, True -*.tokokit.com*, True -*.tokokolam-renang.com*, True -*.tokomega.com*, True -*.tokomikro.com*, True -*.tokomp3.com*, True -*.tokopintar.com*, True -*.tokoreog.com*, True -*.tokoselang.com*, True -*.tokosinarsurya.com*, True -*.tokoso.com*, True -*.toks.cat*, True -*.tokuriders.com*, True -*.tokyobike.ro*, True -*.tokyoenglishfriends.com*, True -*.tolaninc.com*, True -*.toledocrime.com*, True -*.toledoemployeeattorney.com*, True -*.toledoemployeelawyer.com*, True -*.toledogreens.org*, True -*.toledoingenieria.cl*, True -*.toledomineracao.com.br*, True -*.toledos.cl*, True -*.tol.eu*, True -*.tolfd.com*, True -*.tol.fr*, True -*.tolibre.com*, True -*.tol-in.com*, True -*.tolisjin.com*, True -*.tollarpsbegravningsbyra.se*, True -*.tolleautos.at*, True -*.tolleautos.ch*, True -*.tolleautos.eu*, True -*.tollgatevillagetn.com*, True -*.tolliverbox.com*, True -*.tollmark.com*, True -*.tollocal.com*, True -*.tolloheor.cf*, True -*.tolloheor.gq*, True -*.tolloheor.ml*, True -*.tollstorp.com*, True -*.tollticket.si*, True -*.tolltickets.si*, True -*.tolnk.tk*, True -*.tolol.ga*, True -*.tolsupport.fr*, True -*.toluck8.com*, True -*.tolworth.info*, True -*.toma.fi*, True -*.tomahawkchurch.org*, True -*.tomaktools.com*, True -*.tomallemeesch.be*, True -*.tomal.si*, True -*.tomandshian.us*, True -*.tomar.ca*, True -*.tomascomas.tk*, True -*.tomascontreras.com*, True -*.tomaselli.eng.br*, True -*.tomashuynh.net*, True -*.tomatko.com*, True -*.tomatoeskit.org*, True -*.tomatunik.com*, True -*.tombennett.net*, True -*.tomberek.info*, True -*.tombo.mobi*, True -*.tom-b.org*, True -*.tombu.net*, True -*.tomburing.com*, True -*.tomb.ws*, True -*.tomcatfishingcharters.com*, True -*.tomchandler.co.uk*, True -*.tomcomimpex.com*, True -*.tomdd.hr*, True -*.tom.dj*, True -*.tomeluw.cf*, True -*.tomer-arbel.info*, True -*.tomhawk-share.com*, True -*.tomholden.info*, True -*.tominaga.org*, True -*.tomis74.com*, True -*.tomis74.ro*, True -*.tomivs.com*, True -*.tomjarman.net*, True -*.tomj.me*, True -*.tomjudddvm.com*, True -*.tomkatpro.com*, True -*.tomkershner.com*, True -*.tomklaus.ml*, True -*.tommasse.com*, True -*.tommowantsacolander.co.uk*, True -*.tommtheatre.com*, True -*.tommy1704.net*, True -*.tommybcool.com*, True -*.tommymckinley.be*, True -*.tommywck.com*, True -*.tomnys.be*, True -*.to-mo.com.au*, True -*.tomogara.org*, True -*.tomografie-dentara.ro*, True -*.tomonacci.com*, True -*.tomonica.net*, True -*.tomorrowsmanna.com*, True -*.tomparkerswebsite.com*, True -*.tompeck.tk*, True -*.tomp.id.au*, True -*.tomprinty.com*, True -*.tomradfordphotography.co.za*, True -*.tomrund.com*, True -*.tomryder.net*, True -*.tomsan.ca*, True -*.toms-dev-server.cf*, True -*.tom-servers.com*, True -*.tomsfood.cf*, True -*.tomstewart.ml*, True -*.tomtomrealty.com*, True -*.tomurcuk.gen.tr*, True -*.tomyano.com*, True -*.tomyka.lt*, True -*.tomzaugg.ch*, True -*.tomzorz.co.uk*, True -*.ton77.com*, True -*.ton87.com*, True -*.ton97.com*, True -*.tonads.es*, True -*.tonagol.com*, True -*.tonalla.com*, True -*.tonazueira.com.br*, True -*.tonca.ro*, True -*.tonder.ch*, True -*.toneexcelbiz.my*, True -*.tonegroup.com.my*, True -*.tonegroup.my*, True -*.tonelliart.com*, True -*.toner.cf*, True -*.tonerhq.com*, True -*.toner-media.ro*, True -*.tonermurahjakarta.com*, True -*.toneroriginalmurah.com*, True -*.tonervalues.com*, True -*.tongfangtechnology.com*, True -*.tongji.ml*, True -*.tongtang.tk*, True -*.tongyibi.com*, True -*.tonicaluga.cl*, True -*.tonicvibe.co.za*, True -*.tonige.net*, True -*.toni-g.net*, True -*.toni-rossetti.ch*, True -*.tonisberg.ch*, True -*.tonng.net*, True -*.tonraspi.com*, True -*.tonsakstudio.com*, True -*.tonsalot.ch*, True -*.tontolabica.com*, True -*.tontonmotors.com*, True -*.tontti.fi*, True -*.tonutdn.cf*, True -*.tonyakoil.kg*, True -*.tonyandloretta.com*, True -*.tonyangione.ca*, True -*.tonyanglesey.com*, True -*.tonybalazs.com*, True -*.tonybesselink.com*, True -*.tonybradbury.com*, True -*.tonyfreeman.us*, True -*.tonyhalford.co.uk*, True -*.tonyinformatica.com.br*, True -*.tonyinformatique.com*, True -*.tonylyne.com*, True -*.tonymitchellhair.com.au*, True -*.tonymorris.com.au*, True -*.tonynguyen.ch*, True -*.tonypritchett.com*, True -*.tonyreichmuth.com*, True -*.tonysairconditioning.sx*, True -*.tonysaunders.net*, True -*.tonytranquillo.com*, True -*.tonywestbynunn.com*, True -*.tonyxu.co.nz*, True -*.toob.hk*, True -*.toogoofy.com*, True -*.tookie.si*, True -*.toolman.geek.nz*, True -*.tools4you.com.br*, True -*.tools-coc.com*, True -*.tools-crofes.cf*, True -*.tools-john.ga*, True -*.tools-khirizon.cf*, True -*.tools-to.us*, True -*.toomayan.com*, True -*.toonces.cat*, True -*.toonchar.ga*, True -*.toonefam.net*, True -*.toonh.com*, True -*.toontowncorner.com*, True -*.toontownresketched.com*, True -*.too-oop.com*, True -*.toorminacomputers.com*, True -*.toosavage.com*, True -*.toosigma.com*, True -*.toothless.io*, True -*.top100ipadgames.com*, True -*.top10bestwebhosting.net*, True -*.top10dating.info*, True -*.top10zombiemovies.org*, True -*.top15alfa.ro*, True -*.top15.su*, True -*.top-2020.com*, True -*.top2.ro*, True -*.top-3gp.tk*, True -*.topal.gen.tr*, True -*.topapkfiles.com*, True -*.topaudisites.com*, True -*.top-bee.com*, True -*.topbeleg.com*, True -*.topbeleg.nl*, True -*.topberita.ga*, True -*.topbisnisinternet.com*, True -*.topbloguri.ro*, True -*.topblu.com.br*, True -*.topcamerasealarmes.com.br*, True -*.topcare.vn*, True -*.topcargoteam.cl*, True -*.topcat.io*, True -*.topchevysites.com*, True -*.topchoice.ro*, True -*.topcolor.cl*, True -*.topcolor.com*, True -*.topcomputerservices.eu*, True -*.topcyder.ga*, True -*.topdanang.com*, True -*.topdesaffaires.com*, True -*.topdespromos.com*, True -*.topdirector.ro*, True -*.top-earning-sites.com*, True -*.top-express.ro*, True -*.topfashion.com.mx*, True -*.topfeminin.ro*, True -*.topferret.cl*, True -*.topfortuneinc.com*, True -*.topgirls.nl*, True -*.topgogo-s.com*, True -*.topgrip.org*, True -*.topgunn.com.au*, True -*.tophealthmedical.com.au*, True -*.topherc.com*, True -*.topherclark.com*, True -*.topherk.com*, True -*.tophitshop.com*, True -*.tophop.hu*, True -*.tophosters.ru*, True -*.tophousegp.com*, True -*.topia-gg.com*, True -*.topical.com.au*, True -*.topicbox.co.uk*, True -*.topicbox.net*, True -*.topicbox.org*, True -*.topicbox.org.uk*, True -*.topice.co.il*, True -*.topihitam.net*, True -*.topinkovac.cz*, True -*.topinstructoriauto.ro*, True -*.topit.ml*, True -*.top-it.ru*, True -*.topjeepsites.com*, True -*.topkekeke.com*, True -*.toplabel.pt*, True -*.toplaylist.tk*, True -*.topless.com.ar*, True -*.toplessornot.com*, True -*.topliker.gq*, True -*.toplinetransport.com.au*, True -*.toplita.biz*, True -*.toploanbargains.biz*, True -*.toploanbargains.com*, True -*.toploanbargains.info*, True -*.toploanbargains.net*, True -*.toploanbargains.org*, True -*.toploanbargains.us*, True -*.top-logix.ca*, True -*.toplogix.ca*, True -*.toplogix.com*, True -*.topmazdasites.com*, True -*.topme.net*, True -*.top-mk.com*, True -*.topmoto.pl*, True -*.topmotornord.ro*, True -*.topnotch.tk*, True -*.topocadconstruct.ro*, True -*.topocom.ro*, True -*.topodd.com*, True -*.topoganegonflabile.ro*, True -*.topografus.ro*, True -*.topografxyz.ro*, True -*.topologikosxoleio.org*, True -*.topolsica.si*, True -*.topone.tw*, True -*.topoxyz.ro*, True -*.toppier.com*, True -*.toppulsacenter.com*, True -*.topradiotv.com*, True -*.toprank21.com*, True -*.topresource.net*, True -*.topreviews.ro*, True -*.top-russian-bride.info*, True -*.top-russian-mail-order-bride.info*, True -*.topsccc.cl*, True -*.topscoliauto.ro*, True -*.topsexi.com*, True -*.topshelfcomputingservices.com*, True -*.topshelfevents.co.za*, True -*.topsi.cl*, True -*.topsong.co*, True -*.topspeedmarketing.co.za*, True -*.topspielzeug.ch*, True -*.top-sss.com*, True -*.tops-stone.com*, True -*.topsummit.asia*, True -*.toptel.com.mx*, True -*.toptelecom.ro*, True -*.toptelusa.com*, True -*.toptenmild.co.id*, True -*.toptipsforbusiness.net.au*, True -*.toptoyotasites.com*, True -*.toptrends.ch*, True -*.topulsexy.ro*, True -*.topvideosport.com*, True -*.topwayhkent.com*, True -*.top-web.ro*, True -*.topwesn.com*, True -*.topxnova.cf*, True -*.top-yoo.com*, True -*.topzombiemovies.com*, True -*.toquale.com*, True -*.tora.com.ar*, True -*.toraja.asia*, True -*.torarc.ca*, True -*.torbonet.us*, True -*.torcedorvermelho.com.br*, True -*.torchlakepartners.com*, True -*.torda.one.pl*, True -*.torech.ch*, True -*.torent.ai*, True -*.toretech.ca*, True -*.toretech.com*, True -*.torguen.com.ar*, True -*.torianironfist.com*, True -*.torices.mx*, True -*.torin.es*, True -*.torinoosteria.com*, True -*.torita.com*, True -*.torkinsaat.info*, True -*.torkinsaat.net*, True -*.torkinsaat.org*, True -*.torkmuhendislik.com*, True -*.torkmuhendislik.info*, True -*.torkmuhendislik.net*, True -*.torkmuhendislik.org*, True -*.torlac.com*, True -*.tormentedtechnologies.com*, True -*.tornador.web.tr*, True -*.tornglobal.com.ve*, True -*.tornillosdeseccion.com.ar*, True -*.tornoth.com*, True -*.torny-maintenance.ch*, True -*.torobt.com.ar*, True -*.toro-creativegogreen.com*, True -*.toroiancruz.com.ar*, True -*.torontocondodepot.com*, True -*.torontolawyerforyou.com*, True -*.toropchemical.com*, True -*.toro-watch.com*, True -*.torox.ru*, True -*.torpointer.com*, True -*.torquays.com*, True -*.torreao.net*, True -*.torreintecons.com.ar*, True -*.tor-relay.me*, True -*.torrengalaw.com*, True -*.torrent19.org*, True -*.torrentbaz.com*, True -*.torrentfox.biz*, True -*.torrentmaniacos.com.br*, True -*.torrentspy.pl*, True -*.torrentvault.org*, True -*.torrent-way.ru*, True -*.torrentwolf.com*, True -*.torrentz.lv*, True -*.torrepromotoraparaiso.com*, True -*.torresdelcastillo.cl*, True -*.torresdennis.com*, True -*.torresgomez.com.mx*, True -*.torresimprovement.com*, True -*.torres-moyano.es*, True -*.torrevieja-realty.co.uk*, True -*.torrevieja-realty.ru*, True -*.torrfinder.net*, True -*.torrleech.ga*, True -*.tortendesigner.ch*, True -*.tortengestalter.ch*, True -*.tortenherz.ch*, True -*.tortenkonfigurator.ch*, True -*.torusemd.net*, True -*.torusnetworks.com*, True -*.torusnetworks.com.au*, True -*.torusnetworks.net.au*, True -*.torva.ca*, True -*.toryjinloco.com*, True -*.toscano.com.ar*, True -*.toski.ca*, True -*.toss25.com*, True -*.tostcaf.ro*, True -*.tota.ca*, True -*.tota.ch*, True -*.total180.com*, True -*.total180press.com*, True -*.totalanimeotaku.com*, True -*.totalautomotivo.com*, True -*.totalcare.pk*, True -*.totaleds.com.au*, True -*.totalenglish.ru*, True -*.totalfx.info*, True -*.totalgame.guru*, True -*.totalgame.ml*, True -*.total-gaz.ro*, True -*.totalhealthsystems.com*, True -*.totalhostingsolution.com*, True -*.totalitysolutions.net*, True -*.totalizer.lt*, True -*.total-logistic.ro*, True -*.total-logistics.mx*, True -*.totalltx.co.za*, True -*.totallyawesomeshit.com*, True -*.totallycallie.com*, True -*.totallyfreedownload.pw*, True -*.totallynerd.com*, True -*.totalmedicalgrup.ro*, True -*.totalminer.ga*, True -*.totalos.co.il*, True -*.totalpartners.com.br*, True -*.totalpilates.com.ar*, True -*.totalplay.ml*, True -*.totalsafety88.com*, True -*.totalspanmackay.com.au*, True -*.totardealul.ro*, True -*.totarotechnologies.com*, True -*.totcevrei.org*, True -*.toteslegit.net*, True -*.tothnet.eu*, True -*.totobet.ga*, True -*.totobgoode.com*, True -*.totoco.com*, True -*.totoco.hk*, True -*.totolove.biz*, True -*.totomul.com.ar*, True -*.totravel.ca*, True -*.totsrucs.cat*, True -*.tottenconsulting.com*, True -*.totten.se*, True -*.totulexista.ro*, True -*.totw.us*, True -*.touchline.com.au*, True -*.touch-of-serenity.co.uk*, True -*.touchtyping.ro*, True -*.toufann.ch*, True -*.toughcookies.ca*, True -*.toumaz.com.au*, True -*.tountas.org*, True -*.tour3mien.com*, True -*.touradg.com*, True -*.tour.co.il*, True -*.tourindia.com*, True -*.touringmusic.com*, True -*.tourism-greece.com*, True -*.tourism-lab.com*, True -*.tourism-lab.eu*, True -*.tourismwelfare.org.np*, True -*.tourist-land.ch*, True -*.touristrepublik.ro*, True -*.touri.tk*, True -*.tour-land.ch*, True -*.tourmirinvest.ro*, True -*.tournament-manager.com.ar*, True -*.toustravauxfc.ch*, True -*.toutges.com*, True -*.towak.com.mx*, True -*.towak.mx*, True -*.towaway.ru*, True -*.towbarbrisbane.com*, True -*.towbarsbrisbane.com*, True -*.towbarsredlands.com*, True -*.toweb.ca*, True -*.towens.com*, True -*.towerhouse.ch*, True -*.tower-tr.com.au*, True -*.towervision.cn*, True -*.towit.co.za*, True -*.towngag.com*, True -*.townhallx.com*, True -*.townhallx.org*, True -*.townlegend.com*, True -*.townofcolumbus.com*, True -*.townsendkinship.info*, True -*.townsfamily.info*, True -*.townsing.org*, True -*.towntoaster.com*, True -*.towradgibeachhotel.com.au*, True -*.towww.tk*, True -*.toxic-frock.tv*, True -*.toxico.com.br*, True -*.toxicpc.co.uk*, True -*.toxx.in*, True -*.toyaartasejahtera.co.id*, True -*.toybawx.info*, True -*.toybawx.net*, True -*.toybawx.org*, True -*.toychato.cl*, True -*.toydepot.com.au*, True -*.toyguydirect.co.uk*, True -*.toykitty.com*, True -*.toymania.cl*, True -*.toyntonfamily.com*, True -*.toyoaviation.ro*, True -*.toyomaya.net.ve*, True -*.toyomotornord.ro*, True -*.toyomotor.ro*, True -*.toyosat.com.ve*, True -*.toyoshima.com.my*, True -*.toyotabanjirhadiah.com*, True -*.toyotabenthanh.com*, True -*.toyotasellers.com*, True -*.toysasia.net*, True -*.toysdesigncenter.org*, True -*.toyslove.pt*, True -*.toysman.com.ar*, True -*.toyspank.com*, True -*.toys.ro*, True -*.tpaas.com.br*, True -*.tpangel.com*, True -*.tpaxhem.ru*, True -*.tpayne.net*, True -*.tpbgames.com*, True -*.tpcglobe.hk*, True -*.tpchaven.net*, True -*.tpconsulting.net*, True -*.tpcph.com*, True -*.tpcsagip.com*, True -*.tpdlp.net*, True -*.tphpd.com*, True -*.tphssurf.com*, True -*.tpi64.ru*, True -*.tpjhs.com*, True -*.tpj.ru*, True -*.tpk-krit.ru*, True -*.tp-link.com.ar*, True -*.tplink.com.ar*, True -*.tpm.ru*, True -*.tppcontainer.com*, True -*.tqinvest.se*, True -*.tqpc.org*, True -*.tqts.com.ar*, True -*.tr0l.it*, True -*.tr1k.tk*, True -*.tr3.blog.br*, True -*.tr3nity.com.br*, True -*.tr3oc.co.uk*, True -*.tr-777.com*, True -*.trabajosdesaludrural.cl*, True -*.trabajosmenayasociados.cl*, True -*.trabalhistaadv.com.br*, True -*.traceback.com.au*, True -*.traceestarrinc.tk*, True -*.trachanh9x.com*, True -*.tracieshroyer.com*, True -*.trackandremind.me*, True -*.trackatag.com*, True -*.tracked.ws*, True -*.trackere.ro*, True -*.trackergeek.com*, True -*.tracking.ga*, True -*.trackingvip.co*, True -*.trackit.ga*, True -*.trackmaster.com.au*, True -*.trackmyprospect.tk*, True -*.trackrx.net*, True -*.trackshare.cf*, True -*.tracktivitypets.me*, True -*.trackur.com*, True -*.tracos.ro*, True -*.tracsa.com.ar*, True -*.tractorworld.com.au*, True -*.tracyhinshaw.com*, True -*.tracyspool.com*, True -*.trac-zeedesigns.com*, True -*.trade10.com.br*, True -*.tradechecker.net*, True -*.tradechinanow.com*, True -*.tradeconsultmanagement.ro*, True -*.tradecorp.cn*, True -*.tradecorp.co.id*, True -*.tradecorp.hk*, True -*.tradecorpinternational.cn*, True -*.tradecorpinternational.com*, True -*.tradecorpinternational.hk*, True -*.tradecorpleasing.com*, True -*.tradecorpleasing.hk*, True -*.tradecorpmodular.com*, True -*.tradecorpmodular.hk*, True -*.tradecorpmodularhousing.com*, True -*.tradecorpmodularhousing.hk*, True -*.tradecorpsupportservices.com*, True -*.tradecorpsupportservices.hk*, True -*.trade.cx*, True -*.tradegenic.com*, True -*.tradehero.sg*, True -*.tradekerala.com*, True -*.tradelocal.co.nz*, True -*.trade-off.ch*, True -*.tradeoff.ch*, True -*.traderesearchers.in*, True -*.traderevent.com*, True -*.tradernews.com.br*, True -*.traders.fi*, True -*.traderspot.com*, True -*.traders-success.com*, True -*.tradeseeding.com.ar*, True -*.tradesoft.co.il*, True -*.tradethno.com*, True -*.tradevalue.co.za*, True -*.tradevoip.co.uk*, True -*.tradewinds-asia.com*, True -*.tradework.co.za*, True -*.tradeworks.co.za*, True -*.tradiebanners.com.au*, True -*.tradiesearch.com*, True -*.tradingasaservice.com*, True -*.tradingforexsystem.info*, True -*.tradingmemories.co.uk*, True -*.tradingonlineforex.info*, True -*.tradition-nordtour.de*, True -*.tradival.com*, True -*.tradrs.tv*, True -*.traduccionestrisol.cl*, True -*.traducerile.eu*, True -*.traductorespba.org*, True -*.tradutores.org*, True -*.tradutorsc.com.br*, True -*.tradux.com.ar*, True -*.traffica.co.id*, True -*.trafficbuzz.com.my*, True -*.trafficchaos.net*, True -*.trafficclick.com.ar*, True -*.trafficfilter.org*, True -*.trafficial.com*, True -*.traffic-partners.co.uk*, True -*.trafficp.co.uk*, True -*.traffninja.com*, True -*.traficsex.ro*, True -*.trafodistribusipln.com*, True -*.trafomajujaya.com*, True -*.trafosintra.com*, True -*.tragazorras.com*, True -*.trah-asia.ru*, True -*.traher.info*, True -*.trahsimbah.com*, True -*.traikynang.com*, True -*.trailalfa.com*, True -*.trailblazersacademy.com*, True -*.trailcreekbuilders.com*, True -*.trailheadpark.com*, True -*.trailrunningsa.co.za*, True -*.trail-runs.co.za*, True -*.trailtrax.co*, True -*.trailtrax.com*, True -*.trailtrax.co.nz*, True -*.training365.com.au*, True -*.trainingelo.com*, True -*.trainingeloindonesia.com*, True -*.trainingforexsimpro.com*, True -*.trainingpro.com.au*, True -*.trainingservices.com.au*, True -*.trainingvideos.com.au*, True -*.trainingwithspain.com*, True -*.trainmar.com.mx*, True -*.trainmar.mx*, True -*.trainrun.co.za*, True -*.traintogrow.net*, True -*.traintozone.com*, True -*.train.web.id*, True -*.traitimvang.info*, True -*.trajetos.com.br*, True -*.tralice.com.ar*, True -*.trallala.ch*, True -*.tralue.com*, True -*.trama.net.au*, True -*.tramanta.cl*, True -*.tramasoli.com*, True -*.tramaurbana.cl*, True -*.tramitesaeta.com.ar*, True -*.tramiton.to*, True -*.trammos.com*, True -*.tramway.tk*, True -*.tranac.us*, True -*.tranced.tk*, True -*.trancetraffic2.com*, True -*.trandafirii.ro*, True -*.trandisur.cl*, True -*.trandnet.ru*, True -*.traneairconditioning123.info*, True -*.trangcoi.info*, True -*.tranminhtri.com*, True -*.trannel.dk*, True -*.trannincobranca.com.br*, True -*.tranonnet.com*, True -*.tran-phu.biz*, True -*.tranphudn.com*, True -*.tranquangkhai.org*, True -*.tranqueracarlospaz.com.ar*, True -*.tranquility.ga*, True -*.tranquitos.com.ar*, True -*.transabs.ro*, True -*.transactiontable.com*, True -*.transactiveenergyappliance.com*, True -*.transadria.ro*, True -*.trans.am*, True -*.trans-atlan.tk*, True -*.transbild.com*, True -*.transblucency.com*, True -*.transcaneng.com*, True -*.transcitytours.com*, True -*.transcoinfoundation.org*, True -*.transelectrica-stct.ro*, True -*.transell.co.id*, True -*.transeurope.ch*, True -*.transfairost.ch*, True -*.transferbubble.com*, True -*.transfer.fi*, True -*.transfer.hk*, True -*.transformalism.org*, True -*.transformars.ro*, True -*.transformednow.net*, True -*.transformix.pw*, True -*.transient.com.au*, True -*.transign.com.ar*, True -*.transilvania-cincsor.ro*, True -*.transimaca.pt*, True -*.transitionalcorp.com*, True -*.transit-travel.com*, True -*.transjuliardo.com.br*, True -*.translated-in-argentina.com*, True -*.translate.my*, True -*.translatez.com*, True -*.translation.st*, True -*.translessa.com.br*, True -*.translng.com*, True -*.translogist.ro*, True -*.transmedika.ro*, True -*.transmisionargtv.tk*, True -*.transmisionesdigitales.com*, True -*.transmite.ro*, True -*.transmitter.co.id*, True -*.transmon.ch*, True -*.transmtp.ro*, True -*.transnetfinancialgroup.com*, True -*.transnetusa.com*, True -*.transpack.com.ar*, True -*.transpackcompanies.com.ar*, True -*.transpandino.com.ar*, True -*.transparenciamunicipal-isla.cl*, True -*.transparrent.net*, True -*.transpiree.ch*, True -*.transpire.in*, True -*.trans-plus.com.ar*, True -*.transportam-ieftin.ro*, True -*.transportation-management-system-software.com*, True -*.transport-curk.si*, True -*.transportemanantial.com.ar*, True -*.transportemorelli.com.ar*, True -*.transportepetrel.com*, True -*.transportesci.com*, True -*.transportesmirasur.cl*, True -*.transportessotrasal.cl*, True -*.transportestsm.cl*, True -*.transportroig.com*, True -*.transportschenois.ch*, True -*.transppt.com*, True -*.transquebecexpress.ca*, True -*.transquebecexpress.com*, True -*.transrapid.ro*, True -*.transregional.net*, True -*.transsylvanicum.eu*, True -*.transsylvanicum.ro*, True -*.transtastic.com*, True -*.transurban.net*, True -*.transvalparaiso.cl*, True -*.transversality.com*, True -*.transwarp.com.ar*, True -*.transwarp.ro*, True -*.transzient.net*, True -*.tranz.eu*, True -*.trapdoor.ninja*, True -*.trapvilla.com*, True -*.traseemontane.ro*, True -*.trashtruckstuff.com*, True -*.trashy.tk*, True -*.trasladosvgb.com.ar*, True -*.traslanoticia.com*, True -*.trasneoir.net*, True -*.trasnocheros.cl*, True -*.trasteando20.com*, True -*.traumatologiaeortopedia.com.br*, True -*.traus.com.br*, True -*.travashipping.com*, True -*.travatron.us*, True -*.travel2galapagos.com*, True -*.travel2malaysia.com.my*, True -*.travel2myamar.com*, True -*.traveladmin.ch*, True -*.traveladserving.com*, True -*.travel-cheap.co.za*, True -*.travelclicknow.com*, True -*.travelcloud.asia*, True -*.travel-cool.com*, True -*.traveldave.us*, True -*.traveldoc.info*, True -*.travelecuadorguide.com*, True -*.traveleroad.com*, True -*.travelgalapagosguide.com*, True -*.travelgreece.de*, True -*.travelgreecetravel.com*, True -*.travelguideecuador.com*, True -*.travelguidegalapagos.com*, True -*.travelhits.co.uk*, True -*.travelicious.ch*, True -*.travelingcheap.eu*, True -*.traveling.com.ar*, True -*.travelingfates.com*, True -*.traveljakarta-yogya.com*, True -*.travelking.hk*, True -*.travella.com.ar*, True -*.travellingfates.com*, True -*.travelmaster.ro*, True -*.travelmate2021.com*, True -*.travelmoods.co.uk*, True -*.travel.mx*, True -*.travelnh.co.za*, True -*.travel-north.cl*, True -*.traveloffers.ro*, True -*.travelolcity.org*, True -*.travel-organizer.ch*, True -*.travelpackageindonesia.com*, True -*.travelpilot.gr*, True -*.travelr.org*, True -*.travelsendmail.com*, True -*.traveltheartsworld.com*, True -*.travelucion.ru*, True -*.travelwish.ru*, True -*.travelwrt.tk*, True -*.travelx.com.br*, True -*.travery.de*, True -*.travesiaciclistica.com.ar*, True -*.travianexpert.com*, True -*.travisborovatz.com*, True -*.travisburks.com*, True -*.travis-hansen.com*, True -*.travishanson.com*, True -*.travishansson.com*, True -*.travis-hansson-fine-art.com*, True -*.travishanssonfineart.com*, True -*.travishughes.ca*, True -*.travisnielsen.com*, True -*.travistieman.com*, True -*.travonda.com*, True -*.trawun.com*, True -*.traxcot.biz*, True -*.traxcot.com*, True -*.traxcot.info*, True -*.traxcot.net*, True -*.traykabelindo.com*, True -*.trazeable.com.ar*, True -*.trazilica.net*, True -*.trbogps.co.nz*, True -*.trbonet.us*, True -*.trccomputers.com*, True -*.trcvr.com*, True -*.treacy.me*, True -*.treasurebox.my*, True -*.treasurefood.hk*, True -*.treasuresource.com*, True -*.treasure-web.com*, True -*.treasureweb.com*, True -*.treasureweb.net*, True -*.treatyofwaitangi.maori.nz*, True -*.t-reb.net*, True -*.trebol.com.ve*, True -*.trebroke.com*, True -*.trebroke.se*, True -*.treckstar.net*, True -*.tredding.net*, True -*.tredding.org*, True -*.tredding.us*, True -*.treebits.net*, True -*.treech.at*, True -*.tree-computer.com*, True -*.treelight.org*, True -*.treemail.ro*, True -*.treeproblemnoproblem.com*, True -*.treestead.com*, True -*.treetech.tw*, True -*.treewords.com*, True -*.treewords.ru*, True -*.treeyc.com*, True -*.trefemma.com*, True -*.tregenza-dancer.com*, True -*.tregenza-dancer.co.uk*, True -*.tregenzadancer.co.uk*, True -*.tregenza-dancer.net*, True -*.tregenzadancer.net*, True -*.treinamentoslider.com*, True -*.treinamentospfsense.com.br*, True -*.trek.cl*, True -*.treki.org*, True -*.trekstuffs.com*, True -*.trektec.com*, True -*.trektechies.com*, True -*.trelactea.com*, True -*.trelease.net*, True -*.trelvix.com*, True -*.trelvix.net*, True -*.tremamunno.com*, True -*.tremendosalto.cl*, True -*.tremere-ilusionista.com.ar*, True -*.tremulous.net.ru*, True -*.trendart.ro*, True -*.trend-cars.ch*, True -*.trenderer.com*, True -*.trendigt.nu*, True -*.trending-topic.com*, True -*.trendoholik.pl*, True -*.trendoptik.co.id*, True -*.trends7media.com*, True -*.trendtheater.com*, True -*.trend.web.id*, True -*.trendwell.se*, True -*.trendy4you.ro*, True -*.trendybyte.com*, True -*.trendyfashion.nl*, True -*.trentonconstruction.in*, True -*.trentonresearch.in*, True -*.trepadus.ro*, True -*.treppen-titan.at*, True -*.treptow-koepenick.cf*, True -*.treptow-koepenick.ga*, True -*.treptow-koepenick.ml*, True -*.treptow-koepenick.tk*, True -*.tres42.com.ar*, True -*.tresanetwork.com.br*, True -*.tresba.ch*, True -*.trescalles.com.ar*, True -*.trescom.cl*, True -*.tresgarras.com*, True -*.tresiw.com*, True -*.tres-jolie.cl*, True -*.tresmarranos.com.ar*, True -*.tre-sor.com*, True -*.tretinaprinting.com*, True -*.treu-co.ch*, True -*.treuhand-oberson.ch*, True -*.treviarmory.com*, True -*.treviartgallery.com*, True -*.trevicarriages.com*, True -*.trevicars.com*, True -*.trevichocolate.com*, True -*.trevicinema.com*, True -*.trevifun.com*, True -*.trevigourmet.com*, True -*.trevijewelry.com*, True -*.trevimedia.net*, True -*.trevisoft.net*, True -*.trevistudio.com*, True -*.treviteknoloji.com.tr*, True -*.trevitv.com*, True -*.treviweb.com*, True -*.treviwireless.com*, True -*.trevor-martin.com*, True -*.trevorvandale.ca*, True -*.trexfund.com*, True -*.treyager.com*, True -*.treyhome.com*, True -*.treynold.com*, True -*.treyresources.net*, True -*.trezitorul.tk*, True -*.trgenerare.ro*, True -*.tr-go.com*, True -*.triada-akademij.si*, True -*.triad.tk*, True -*.triadwindgen.com*, True -*.triady.ga*, True -*.triady.tk*, True -*.triagrama.cl*, True -*.trialmu.com*, True -*.trialoftheundead.com*, True -*.trianglealumni.org*, True -*.trianglecouchsurfing.info*, True -*.trianglesoft.net*, True -*.triangle-ten.com*, True -*.triangulasi.net*, True -*.trias-energy.com*, True -*.tri-astuti.co.uk*, True -*.triathlondata.com*, True -*.triatlonklub-lj.si*, True -*.triazo.net*, True -*.tribaldata.org*, True -*.tribalgod.com*, True -*.tribal-knowledge.com*, True -*.tribalknowledge.net*, True -*.tribalknowledge.org*, True -*.tribbles.net*, True -*.tribeoftwo.com*, True -*.tribit-field.jp*, True -*.triboadm.com.br*, True -*.tribonacci.com*, True -*.tribuideas.cl*, True -*.tribunaruasdacidade.com.br*, True -*.tribunedirectonline.com*, True -*.tribuslibres.com*, True -*.tricerataco.com*, True -*.trichology.tk*, True -*.trichotomy.ca*, True -*.tricho.us*, True -*.trichromium.com*, True -*.trichy.info*, True -*.tricicleta-copii.ro*, True -*.tricicletecopii.info*, True -*.triciklo.cl*, True -*.trickbook.net*, True -*.trickjump.org*, True -*.trick-monnet.ch*, True -*.tricksshop.com.br*, True -*.trickydick.se*, True -*.trickypixie.com*, True -*.tricky.pt*, True -*.tricorelon.ro*, True -*.tricoteknologi.com*, True -*.tricountymobilexray.com*, True -*.tricubodigital.com.ar*, True -*.tricuna.com*, True -*.tridentgumingredients.com*, True -*.trieuhung.com*, True -*.triff-mich.org*, True -*.trifinity.se*, True -*.trifix.cz*, True -*.trigeninc.com*, True -*.trigenius.tk*, True -*.trigonon.ch*, True -*.trigontrade.com*, True -*.trigranitdev.ro*, True -*.trijayaawning.com*, True -*.trik-dunia-maya.net*, True -*.trikfb.us*, True -*.triki.ca*, True -*.trikita-travel.ru*, True -*.trikkeeletrico.com.br*, True -*.trillianverse.org*, True -*.trillini.com.ar*, True -*.trilogi.si*, True -*.trilorproducciones.cl*, True -*.trimasperkasa.com*, True -*.trimetalgama.ro*, True -*.trimex.cf*, True -*.trimixt.ro*, True -*.trimurti.us*, True -*.trinaya.com*, True -*.trinayainteractive.com*, True -*.trinayamedia.com*, True -*.trince.net*, True -*.trindon.co.uk*, True -*.trinh.co.nz*, True -*.trinitybe.com*, True -*.trinityrajawali.com*, True -*.trink.com.tr*, True -*.trinkometer.ch*, True -*.trinkwasserforum.org*, True -*.triocompech.ro*, True -*.triocruising.com*, True -*.triodesiree.ca*, True -*.trio-impex.com*, True -*.trioindah2hotel.com*, True -*.trionyx-sal.com*, True -*.triopalmprings.com*, True -*.trio-pogladic.com*, True -*.triop.org*, True -*.triotogo.com*, True -*.triovanbeethoven.at*, True -*.tripco.com.ar*, True -*.tripdeviser.com*, True -*.tripdeviser.co.za*, True -*.tripesite.com.au*, True -*.tripesperto.com.br*, True -*.tripinonline.com*, True -*.tripleaaacomm.ro*, True -*.tripleacp.com*, True -*.tripleate.tk*, True -*.triple-ef.net*, True -*.triplekidz.com*, True -*.triplenvy.com*, True -*.tripleoak.com*, True -*.tripleoakfarm.com*, True -*.tripler.cl*, True -*.tripletrance.com*, True -*.triplezeta.cl*, True -*.triplist.io*, True -*.tri-pointproducts.com*, True -*.tripowlim2.tk*, True -*.trippin.ca*, True -*.trippy.gq*, True -*.tripreceipts.com*, True -*.triquetra-soul.co.za*, True -*.triscall.com*, True -*.trisense.com.br*, True -*.trishassalon.com*, True -*.trisigmaconsulting.com*, True -*.triskaideca.com*, True -*.trisla.com*, True -*.trisol.cl*, True -*.tristalee.com*, True -*.tristancartledge.com*, True -*.tristandeveney.com*, True -*.tristanparsley.com*, True -*.tristar-tire.com*, True -*.tristartransfer.com*, True -*.tristatehardwoods.com*, True -*.tri-state-industrial.com*, True -*.tristateskydivers.com*, True -*.tristatetechsupport.com*, True -*.tristram.co.za*, True -*.trisummerseries.co.za*, True -*.tritamagroup.co.id*, True -*.tritechamerica.com*, True -*.triteksolusi.co.id*, True -*.trithemius.at*, True -*.triton-sport.ro*, True -*.tritunggal.sch.id*, True -*.triumfpress.ro*, True -*.triumph-costa-blanca.com*, True -*.triumph-costa-blanca.es*, True -*.triumphvlaanderen.be*, True -*.triviem.cl*, True -*.trivisio.com.br*, True -*.triwahyunita.com*, True -*.tri-worx.com*, True -*.trixandtrax.cl*, True -*.trixfit.com*, True -*.trizia.com.mx*, True -*.trkalce.org*, True -*.trk-dialog.ru*, True -*.trkr8r.com*, True -*.trlserver.net*, True -*.trnsf.com*, True -*.trocca.ch*, True -*.trochoi.biz*, True -*.trocuri-barter.ro*, True -*.trofo.ro*, True -*.troger.hu*, True -*.trogie.net*, True -*.trogiupketoan.com*, True -*.troistulipes.com*, True -*.troi.to*, True -*.trojen.net*, True -*.trole.cl*, True -*.trollboxhistory.com*, True -*.trolley-supermarket.com*, True -*.trolling-motor-manufacturers.com*, True -*.trolls.lv*, True -*.tromley.ca*, True -*.tronadoronline.com.ar*, True -*.trongdat.cf*, True -*.trongtinmobile.com*, True -*.tronic.ca*, True -*.tronic.co.nz*, True -*.tronj.org*, True -*.tronmetal.cl*, True -*.troonventures.com*, True -*.troop473.net*, True -*.tropaelitedetrolls.com*, True -*.tropeanoyasociados.com.ar*, True -*.trophon.eu*, True -*.trophy-takers.com*, True -*.trophytakers.com*, True -*.tropicalaquariums.co.za*, True -*.tropicalbeaches.org*, True -*.tropicalhideout.net*, True -*.tropical-lizard.com*, True -*.tropicwars.ro*, True -*.trosmetal.com*, True -*.trotot.com*, True -*.troubadour-gewerkschaft.ch*, True -*.troubao.tk*, True -*.troutpools.com*, True -*.trove.co.nz*, True -*.troyalford.com*, True -*.troyann.ru*, True -*.troyevans.net*, True -*.troysresume.com*, True -*.trozki.net*, True -*.trpa.cz*, True -*.trses.ru*, True -*.tr-sta.com*, True -*.trt68.com*, True -*.trt77.com*, True -*.trubadis.com*, True -*.truckaday.com*, True -*.truckenmiller.com*, True -*.truckieloads.com*, True -*.truckieloads.com.au*, True -*.truck-occasion.ch*, True -*.truckoccasion.ch*, True -*.truck-parts.co.uk*, True -*.trucksales.co.uk*, True -*.truckstore.ch*, True -*.truckterminal.ch*, True -*.trucktiresearch.com*, True -*.trucktoolbox-cn.com*, True -*.trucktrackweb.com*, True -*.trudireaume.com*, True -*.trudodelie.ru*, True -*.trudportal.com*, True -*.truealex.ru*, True -*.trueartfuls.com*, True -*.true-assist.nl*, True -*.trueassist.nl*, True -*.truebalanceit.org*, True -*.truebit7.ru*, True -*.trueblue.xyz*, True -*.truebsd.org*, True -*.truecatholic.net*, True -*.true-communications.com*, True -*.truecommunications.co.za*, True -*.truecontact.me*, True -*.true.co.za*, True -*.truedeals.ro*, True -*.truedit.com.ar*, True -*.trueendtimes.com*, True -*.truehd.ca*, True -*.truehotspot.co.za*, True -*.truehusky.com*, True -*.truekemx.com*, True -*.truelig.co.za*, True -*.truelove.gq*, True -*.truelovewins.com*, True -*.truenw.co.za*, True -*.trueprospects.com*, True -*.truequemx.com*, True -*.truetechy.com.au*, True -*.truetechy.net.au*, True -*.truevb.co.za*, True -*.trueviewer.biz*, True -*.truewan.co.za*, True -*.truewatch.co.za*, True -*.trughy.net*, True -*.truinvest.com.au*, True -*.tru.io*, True -*.trulightdesigns.com*, True -*.trulymeet.com*, True -*.trumann.ca*, True -*.trumbulls.org*, True -*.trumbulls.us*, True -*.trumbull.ws*, True -*.trumgame.net*, True -*.trumhentai.com*, True -*.trumnest.ml*, True -*.trumpace.info*, True -*.trumpace.us*, True -*.trumpetx.net*, True -*.trumpler-jacqueline.ch*, True -*.trungtammoitruong.com.vn*, True -*.trungtammoitruong.vn*, True -*.trunken.eu*, True -*.trunk.so*, True -*.trupathemessage.ro*, True -*.trushkovskiy.ru*, True -*.trusoftng.com*, True -*.trustchanges.com*, True -*.trustchanges.ru*, True -*.trustedguests.com*, True -*.trustissolutions.com*, True -*.trustlaw.hk*, True -*.trustnet.com.au*, True -*.trustnet.ro*, True -*.trustpanama.pw*, True -*.trusty-rentcar.com*, True -*.truthbydegrees.com*, True -*.truthisouronlyweapon.org*, True -*.truthrejoices.com*, True -*.truthsayerradio.com*, True -*.truthvid.com*, True -*.truthvideos.net*, True -*.truviamotors.ro*, True -*.truvisageantiaging.tk*, True -*.truweave.co.za*, True -*.truyen18hay.com*, True -*.truyendam24h.com*, True -*.truyenhit.com*, True -*.truyenmoi.com*, True -*.truyenvang.com*, True -*.trvale.net*, True -*.trxcraft.tk*, True -*.try2do.com*, True -*.tryandfeel.com*, True -*.tryazsasingke.com*, True -*.tryoutwppe.com*, True -*.trypurchasingpower.com*, True -*.trytheprimerib.com*, True -*.tryton.org.ar*, True -*.trytrykan.com*, True -*.tryunfos.com.br*, True -*.tryzub-it.co.uk*, True -*.tsaar.net*, True -*.tsabary-law.co.il*, True -*.tsa-bc.com*, True -*.tsachev.net*, True -*.tsaiborg.com*, True -*.tsane.net*, True -*.tsange.com*, True -*.tsangenterprises.co.uk*, True -*.tsangfamily.name*, True -*.tsanpablo.cl*, True -*.tsar.in*, True -*.tsaswimteam.com*, True -*.tsaukpaetra.com*, True -*.tsbdy.com*, True -*.tsbtransportservices.ch*, True -*.tschaga.ch*, True -*.tscharland.ch*, True -*.tscharland.com*, True -*.tscmedia.biz*, True -*.tscmedia.co*, True -*.tscmedia.info*, True -*.tscmedia.org*, True -*.tscng.org*, True -*.tscprinters.tw*, True -*.tsc.web.id*, True -*.tsdnasaud.ro*, True -*.tsdnavodari.ro*, True -*.tse-family.net*, True -*.tselaconsulting.co.za*, True -*.tsel.cf*, True -*.tselup.com*, True -*.tselvpn.tk*, True -*.tsenz.tk*, True -*.tseparfait.com*, True -*.tsf.cl*, True -*.t-s-f.com.au*, True -*.ts-fivb.org*, True -*.tsfivb.org*, True -*.tsgvit.ru*, True -*.tsholtis.com*, True -*.t-showa.com*, True -*.tsikunov.com*, True -*.tsiolkovskii.ru*, True -*.tsipoura.gr*, True -*.tsirepfirm.com*, True -*.tsj5.ru*, True -*.tsk66.com*, True -*.tsk99.com*, True -*.tskhinvali.ru*, True -*.tsk.ro*, True -*.t-smartphone.net*, True -*.ts-me.com.my*, True -*.tsmlaw.co.za*, True -*.tsmts.com*, True -*.tsochatzidis.info*, True -*.tsogcherbalcare.com*, True -*.tsrnews.tk*, True -*.tsroom.net*, True -*.tsruedas.com.ar*, True -*.tss77.com*, True -*.tss87.com*, True -*.tstatus.com*, True -*.tstgroup.com.ar*, True -*.tstmgmt.com*, True -*.tstracker.to*, True -*.tst-sqd.tk*, True -*.tstutors.com*, True -*.tstzz.net*, True -*.tsub.net*, True -*.tsumkursk.ru*, True -*.tsunade.org*, True -*.tsurenko.net*, True -*.tsur.tk*, True -*.tsurukawa.org*, True -*.tsushoscs.com.br*, True -*.tsvzug.ch*, True -*.tszminggung.com*, True -*.tt-1588.com*, True -*.tt99t.com*, True -*.ttbomaha.com*, True -*.ttcenghyd.co.za*, True -*.ttchyd.co.za*, True -*.ttclic.com*, True -*.ttclic.org*, True -*.ttconsult.in*, True -*.ttcvoeren.be*, True -*.ttechnic.com*, True -*.ttechr.com*, True -*.ttech.si*, True -*.tteufel.ch*, True -*.ttggen.com*, True -*.ttgrules.com*, True -*.tth.cl*, True -*.tth.com.pk*, True -*.tticctv.ir*, True -*.ttipus.com*, True -*.ttjy8.com*, True -*.ttkacz.com*, True -*.ttkz.me*, True -*.t.tl*, True -*.ttmask.com.my*, True -*.ttmask.net.my*, True -*.ttmc.ru*, True -*.ttna.info*, True -*.ttnc.us*, True -*.ttn-group.eu*, True -*.ttnsc.net*, True -*.ttornit.info*, True -*.ttp.co.id*, True -*.ttpl.tk*, True -*.ttr55.com*, True -*.ttr77.com*, True -*.ttr88.com*, True -*.ttr99.com*, True -*.tttiendas.com*, True -*.ttttjg.com*, True -*.ttuconcept.ro*, True -*.ttumobil.ro*, True -*.ttx73.com*, True -*.ttx79.com*, True -*.ttx82.com*, True -*.ttx86.com*, True -*.ttx96.com*, True -*.ttxxc.com*, True -*.ttyemupt.com*, True -*.tuakana.net*, True -*.tu.am*, True -*.tuan86.com*, True -*.tuangou1.com*, True -*.tuantin.com*, True -*.tuapel.com.ar*, True -*.tuapuestaonline.com*, True -*.tube88.com*, True -*.tubeampkits.net*, True -*.tubeextractor.net*, True -*.tubehub.mobi*, True -*.tubepile.com*, True -*.tube-porn.ru*, True -*.tuberiot.com*, True -*.tubeweblearning.com*, True -*.tubex.ga*, True -*.tubocentro.com.ve*, True -*.tubocobre.net*, True -*.tubrossystems.net*, True -*.tubularfells.com*, True -*.tuc5.com*, True -*.tucanotours.tur.ar*, True -*.tucasafacil.com.mx*, True -*.tuccc.com*, True -*.tucglam.com.ar*, True -*.tuchak.ir*, True -*.tuchapter.org*, True -*.tuckbox.com.au*, True -*.tuckboxdesign.com*, True -*.tuckboxdesign.com.au*, True -*.tuckinz.tk*, True -*.tuck.tw*, True -*.tucson-appraisals.com*, True -*.tucsoncomputer.info*, True -*.tudeli.ch*, True -*.tudocombinado.com.br*, True -*.tudodescontos.com.br*, True -*.tudongdich.com*, True -*.tudormihaiservsrl.ro*, True -*.tudorpopa.com*, True -*.tudosobre2012.com.br*, True -*.tudunglabuh.com.my*, True -*.tues.com.ve*, True -*.tuespacioverde.com.ar*, True -*.tuev-nord.hk*, True -*.tuevnord.hk*, True -*.tufail.org*, True -*.tufaltabas.com*, True -*.tufaltabas.es*, True -*.tufar.at*, True -*.tufar.de*, True -*.tuffo.net*, True -*.tufinhas.net*, True -*.tufuton.com.ar*, True -*.tugabox.net*, True -*.tugabox.org*, True -*.tugboattech.com*, True -*.tugorra.com.ar*, True -*.tuhaibrothers.com.vn*, True -*.tuhaitour.com*, True -*.tuhlaajapojat.fi*, True -*.tuhoisongthanhthe.com*, True -*.tuhosting.com.ve*, True -*.tuicreek.com*, True -*.tuimages.co.nz*, True -*.tuimpresion.net*, True -*.tuina.tk*, True -*.tuinchiriezi.ro*, True -*.tuintransporte.com.ar*, True -*.tuitanic.com*, True -*.tuitt.ch*, True -*.tukangblog.web.id*, True -*.tukangklambi.tk*, True -*.tukangtaman.web.id*, True -*.tukar.net*, True -*.tukbuy.com*, True -*.tukiryhma.net*, True -*.tukubuy.com*, True -*.tulagrad.su*, True -*.tulancingoyya.com*, True -*.tulanerw.org*, True -*.tulinkarbeyaz.com*, True -*.tuliobeloqui.com*, True -*.tulipkeramik.com*, True -*.tulistr.com*, True -*.tullamarinebus.com.au*, True -*.tulle-and-ribbon.com*, True -*.tulpainteractive.com*, True -*.tuma.cc*, True -*.tuman.cl*, True -*.tumbledown.ml*, True -*.tumblelog.ir*, True -*.tumbleweedprogram.org*, True -*.tumentor.org*, True -*.tumeriti.ro*, True -*.tumgazeteler.com*, True -*.tumlaydee.com*, True -*.tumovil.cl*, True -*.tums.co.id*, True -*.tumsun.com*, True -*.tun74.com*, True -*.tun82.com*, True -*.tun96.com*, True -*.tun-a.net*, True -*.tunbridge.org*, True -*.tune63.net*, True -*.tunebrosaudio.com*, True -*.tunebros.com*, True -*.tune-inn.com*, True -*.tuneldns.ml*, True -*.tunemanbbs.com*, True -*.tunepbx.com*, True -*.tuner.im*, True -*.tunesu.com.my*, True -*.tunggaljayapusat.com*, True -*.tunggalperkasa.org*, True -*.tungir-crb.ru*, True -*.tungvan.net*, True -*.tuningzone.ch*, True -*.tunks.net*, True -*.tunnel2biz.com*, True -*.tunnel2home.com*, True -*.tunnik.name*, True -*.tunnlr.net*, True -*.tunow.tk*, True -*.tunverk.is*, True -*.tuoitretrau.tk*, True -*.tuoitreviet.biz*, True -*.tuoitrevn.es*, True -*.tuoitrevn.nl*, True -*.tuonggoducthu.com*, True -*.tuopille.com*, True -*.tuorden.com.ar*, True -*.tuotanto.fi*, True -*.tuphan.net*, True -*.tuplanc.com*, True -*.tuplantaforma.com*, True -*.tuplesoft.co.kr*, True -*.tuplet.com*, True -*.tuppa.info*, True -*.tuprofe.es*, True -*.tupuola.com*, True -*.tuqmobile.ca*, True -*.tuquy.com*, True -*.turan.org*, True -*.turbinedesign.org*, True -*.turbobenz.com*, True -*.turbofriends.net*, True -*.turbogfx.net*, True -*.turboirc.ga*, True -*.turbo-italia.com*, True -*.turbomansion.com*, True -*.turbo-nerds.com*, True -*.turboserver.tk*, True -*.turbosync.com*, True -*.turbosync.net*, True -*.turbotrading.ro*, True -*.turbowaste.com.au*, True -*.turbowow.biz*, True -*.turbowow.ru*, True -*.turcenter72.ru*, True -*.turcon.ru*, True -*.turg24.ee*, True -*.turichile.cl*, True -*.turingmind.com*, True -*.turismodeltalar.com.ar*, True -*.turismodoss.com.ar*, True -*.turismoenparana.com*, True -*.turismo-mendoza.com*, True -*.turismonautico.com.br*, True -*.turismovalparaisodelmar.cl*, True -*.turismundove.com*, True -*.turi.tk*, True -*.turiving.es*, True -*.turkcekuran.net*, True -*.turkeydaystuffing.com*, True -*.turkeyhaven.com*, True -*.turkishnewsweekly.com*, True -*.turkishwebmoney.com*, True -*.turkishwm.com*, True -*.turkleruzayda.com*, True -*.turkposta.tk*, True -*.turmadocountry.com.br*, True -*.turminumanbuahsegar.com*, True -*.turner-bianca.pt*, True -*.turnerfoster.com*, True -*.turnguard.com*, True -*.turnkeyrecruitmentsolutions.co.za*, True -*.turnonad.com*, True -*.turnusy-krakow.pl*, True -*.turn-wright.co.uk*, True -*.turp.us*, True -*.turta.ro*, True -*.turtera.com*, True -*.turtlerampage.com*, True -*.turtlerampage.net*, True -*.turtlescandy.com*, True -*.turukhansk.ru*, True -*.turulinfo.tk*, True -*.turulonline.tk*, True -*.turuq.com*, True -*.turvatunniste.fi*, True -*.turven.tk*, True -*.tusaludbucal.com*, True -*.tusegurosi.com.mx*, True -*.tusegurosi.mx*, True -*.tuservicioit.com.ar*, True -*.tusfidec.cf*, True -*.tusflores.com.ar*, True -*.tushee.com*, True -*.tushinbd.com*, True -*.tuslukitas.cl*, True -*.tusmateriales.com.ve*, True -*.tuson.org*, True -*.tusovok.net*, True -*.tussah.co*, True -*.tusx.com*, True -*.tutadmin.co.il*, True -*.tutifruta.pt*, True -*.tuti.org.il*, True -*.tutoner.tk*, True -*.tutoredattilo.ch*, True -*.tutoriais.tv.br*, True -*.tutoriale-auto.ro*, True -*.tutorialecstrike.ro*, True -*.tutorialeselectronicos.com*, True -*.tutorialgadget.com*, True -*.tutorialsederhana.com*, True -*.tutorialsurf.com*, True -*.tutorkita.tk*, True -*.tutorme.ie*, True -*.tutorship.co.za*, True -*.tutorwolf.com*, True -*.tutosy.pl*, True -*.tutriplefacil.com.ve*, True -*.tutstuts.ga*, True -*.tutti.club*, True -*.tutti-club.ru*, True -*.tuttoabbigliamento.com*, True -*.tutusbyashley.com*, True -*.tuu69.com*, True -*.tuu77.com*, True -*.tuu88.com*, True -*.tuu89.com*, True -*.tuumin.net*, True -*.tuure.eu*, True -*.tuutu.eu*, True -*.tuvalet.tk*, True -*.tuvdiunr.cf*, True -*.tuvimoingay.com*, True -*.tuv-nord.hk*, True -*.tuvnord.hk*, True -*.tuvolumendeagua.tk*, True -*.tuwa.ga*, True -*.tuwas.com.ar*, True -*.tuxar.tk*, True -*.tuxbay.org*, True -*.tuxedochamber.com*, True -*.tuxedochamber.org*, True -*.tuxedoperformingarts.org*, True -*.tuxedotabby.com*, True -*.tuxgate.net*, True -*.tuxinside.cl*, True -*.tuxman.me*, True -*.tuxpat.net*, True -*.tuxservice.com.ar*, True -*.tuxshell.eu*, True -*.tuxshells.com*, True -*.tuxteno.com*, True -*.tuxysfunserver.tk*, True -*.tuyetbut.com*, True -*.tuyhoatoday.com*, True -*.tuyulirenk.tk*, True -*.tuzgatlas.hu*, True -*.tuzosoft.mx*, True -*.tv1144.com*, True -*.tv123.info*, True -*.tv169169.com*, True -*.tv2000.ro*, True -*.tv220.com*, True -*.tv24.ml*, True -*.tv770.com*, True -*.tv997.com*, True -*.tvambalam.com*, True -*.tv-antennas-and-aerials.com.au*, True -*.tvantennasandaerials.com.au*, True -*.tvarquitectura.cl*, True -*.tvatl.com*, True -*.tvboksi.fi*, True -*.tvbox.fi*, True -*.tvcabopp.com.br*, True -*.tvcana.com.br*, True -*.tvcco.com*, True -*.tvcsolutions.com*, True -*.tvdonline.com.ar*, True -*.tvduck.us*, True -*.tvfacil.net*, True -*.tvfanatica.com*, True -*.tvfoco.biz*, True -*.tvfoco.tv*, True -*.tvforfree.tk*, True -*.tvibope.com*, True -*.tvigarapava.com.br*, True -*.tvlanka.com.au*, True -*.tvlifedirecto.es*, True -*.tvlinux.com*, True -*.tv-l.ru*, True -*.tvmaipo.cl*, True -*.tvmanager.es*, True -*.tvmm.org*, True -*.tvmoca.ro*, True -*.tvmoka.ro*, True -*.tvmontecaseros.tk*, True -*.tv-morzg.at*, True -*.tvnet.com.ar*, True -*.tvoezrenie.info*, True -*.tvoicenter.ru*, True -*.tvoi-glavbuh.ru*, True -*.tvojemisljenje.com*, True -*.tvojo.info*, True -*.tvonlinen.com*, True -*.tvoridob.ro*, True -*.tvornica-znanosti.org*, True -*.tvpark.com.ru*, True -*.tvparty.ru*, True -*.tvphone.com*, True -*.tvphone.co.za*, True -*.tvpoll.co.za*, True -*.tvrally.com*, True -*.tvr.com.ar*, True -*.tvrepaircenturion.co.za*, True -*.tvrepairpretoria.co.za*, True -*.tvrepairscenturion.co.za*, True -*.tvrepairspretoria.co.za*, True -*.tvr-register.org.au*, True -*.tvrunner.nl*, True -*.tvsaluddev.com.ar*, True -*.tvsaomarcos.com.br*, True -*.tvsat.co.za*, True -*.tvshop.sg*, True -*.tvshowfantasy.com*, True -*.tvspartak.ru*, True -*.tvstationsoftware.com*, True -*.tvsupports.ru*, True -*.tvtom10.com*, True -*.tvtv.ro*, True -*.tvtwo.co.za*, True -*.tvumbanda.cf*, True -*.tvumbanda.ga*, True -*.tvumbanda.ml*, True -*.tvumbanda.tk*, True -*.tvv59.com*, True -*.tvx.org*, True -*.tvz.net*, True -*.tw138.com*, True -*.tw168.net*, True -*.tw2000.com*, True -*.tw3ntyn1n3.com*, True -*.twankydeuce.com*, True -*.twasds.com*, True -*.twawayday.sg*, True -*.twbjd.tk*, True -*.twcah.org*, True -*.twceo.com*, True -*.tw-cgv.com*, True -*.tweakandroid.com*, True -*.tweak.cz*, True -*.tweakedcase.com*, True -*.tweakrng.net*, True -*.tweaksource.com*, True -*.tweakyllama.com*, True -*.tweekernut.com*, True -*.tweetflow.me*, True -*.tweetstats.tk*, True -*.twelftree.com*, True -*.twemmedia.com*, True -*.twentyklein.org*, True -*.twentyonesoft.com*, True -*.twentyonesoft.net*, True -*.twentypeas.com*, True -*.twentyseven.info*, True -*.twghf.org*, True -*.twgtea.sg*, True -*.twhouseinternational.com*, True -*.twhouserealty.com*, True -*.twiamch.com*, True -*.twibm.com*, True -*.twig-it.co.za*, True -*.twigletshouse.net*, True -*.twiikuu.tk*, True -*.twilightdreams.co.uk*, True -*.twilightice.net*, True -*.twilight.lt*, True -*.twilightparadox.com*, True -*.twilightparadox.tk*, True -*.twilightsecrets.co.uk*, True -*.twin.ga*, True -*.twinion.org*, True -*.twinix.pt*, True -*.twinkcream.com*, True -*.twinrix.nl*, True -*.twinslist.com*, True -*.twinslist.org*, True -*.twinwillows.com.au*, True -*.twistandshout.hk*, True -*.twistedcreations.net.au*, True -*.twistedfingers.com.br*, True -*.twisted-racing.com*, True -*.twisted-racing.eu*, True -*.twisted-racing.pl*, True -*.twistedrelativity.net*, True -*.twisted-schwartz.com*, True -*.twisted-software.eu*, True -*.twisted-software.pl*, True -*.twistermod.com*, True -*.twistmark.ca*, True -*.twistmark.com*, True -*.twistofcolortattoos.com*, True -*.twitjam.com*, True -*.twitmap.it*, True -*.twittcut.com*, True -*.twitterbrooks.com*, True -*.twitteria.me*, True -*.twixi.ch*, True -*.twjudo.com*, True -*.twlab.org*, True -*.tw-mat.com*, True -*.twmsteelbuildings.com*, True -*.twnonline.ca*, True -*.twnuu.com*, True -*.twobearsbandb.com.au*, True -*.twobigguys.com*, True -*.twobitrentals.com*, True -*.twoboos.org*, True -*.twocarrots.com*, True -*.twocarrotsjuice.com*, True -*.tw-ocn.com*, True -*.twococksonemouth.com*, True -*.twodogsddns.com*, True -*.twogeeksconsulting.com*, True -*.twogen.com*, True -*.twohomes.gr*, True -*.twohoots.co.uk*, True -*.twoja-strona.net*, True -*.twok.cf*, True -*.twomixingbowls.com*, True -*.twoods.info*, True -*.two-pillows.com*, True -*.twoplayers.net*, True -*.twopyros.com*, True -*.tworiverssoftware.com*, True -*.tworld3.com*, True -*.tworld3.net*, True -*.tworld53.com*, True -*.tworld53.net*, True -*.two-seventy.com*, True -*.two-seventy.net*, True -*.twostoreyhome.com.au*, True -*.twototango.es*, True -*.twoweims.us*, True -*.twpanel.com*, True -*.twp.cl*, True -*.twqua.com*, True -*.twrch.com*, True -*.twseb.org*, True -*.twsoft.co.uk*, True -*.twsystem.ro*, True -*.twws.org*, True -*.twww.tk*, True -*.twx8.com.ar*, True -*.twxieda.com*, True -*.tw-yishu.com*, True -*.tx2600.org*, True -*.t-xavier.com*, True -*.txbrothers.com*, True -*.txdivorce.net*, True -*.txnewtons.us*, True -*.txradar.com*, True -*.txt123.cf*, True -*.txt123.ga*, True -*.txt123.tk*, True -*.txtobot.com*, True -*.txtsurveys.com*, True -*.txx33.com*, True -*.txx59.com*, True -*.txx63.com*, True -*.txx74.com*, True -*.txx88.com*, True -*.ty2013.tw*, True -*.tycoonwebinar.com*, True -*.tycoonwebinar.com.au*, True -*.tyday.co.za*, True -*.tyden.name*, True -*.tyeg.tw*, True -*.ty-f.com*, True -*.tygerson-art.com*, True -*.tygiel.one.pl*, True -*.tyhe.ro*, True -*.tylerclary.com*, True -*.tylerjones.info*, True -*.tylerleetucker.com*, True -*.tylermaclean.com*, True -*.tylerstratton.net*, True -*.tylerwittman.com*, True -*.tylstedt.se*, True -*.tymdechi.cl*, True -*.tymex-it.co.uk*, True -*.tymnet.us*, True -*.tymsys.com.ar*, True -*.tynen.us*, True -*.tynged.com*, True -*.tyo-a.in*, True -*.tyone.tk*, True -*.tyosubs.net*, True -*.typ.ch*, True -*.typefast.ir*, True -*.type.hk*, True -*.typerzy.eu*, True -*.typesetprint.com*, True -*.typesofmonkeys.net*, True -*.typetheory.ru*, True -*.typing.hk*, True -*.typocall.com*, True -*.tyrant9.com*, True -*.tyrecon.ca*, True -*.tyr-net.net*, True -*.tyrovc.com*, True -*.tyrrenoimoveis.com.br*, True -*.tysa.org*, True -*.tysonnet.net*, True -*.tystest.tk*, True -*.tystros.tk*, True -*.tytcompeticion.cl*, True -*.ty-td.com*, True -*.tythiensu.tk*, True -*.tywong.tk*, True -*.tyx156.tk*, True -*.tyx888.cf*, True -*.tyx888.tk*, True -*.tzafrir.org.il*, True -*.tziku.ro*, True -*.tzmfen.me.uk*, True -*.tz-po.com*, True -*.u4ia.com.au*, True -*.u888.cn*, True -*.uaa43.com*, True -*.uaa52.com*, True -*.uaa69.com*, True -*.uaa79.com*, True -*.uaa85.com*, True -*.uabart.ga*, True -*.ua-company.com*, True -*.uadepot.com*, True -*.uaget.tk*, True -*.uagps.com*, True -*.uah2btc.com*, True -*.uahero.net*, True -*.uaip.ru*, True -*.uamedical.ca*, True -*.uamsibiu.ro*, True -*.uangdollar.com*, True -*.uanl.mobi*, True -*.uastarter.org*, True -*.uatafac.ro*, True -*.uatenergy.com.my*, True -*.uatsa.cl*, True -*.uauhabitat.com.br*, True -*.uaviation.net*, True -*.uaviation.org*, True -*.uaz-posad.ru*, True -*.ubab-group.com*, True -*.uba.cl*, True -*.ubat-b.com*, True -*.ubat-ff.com*, True -*.ubat-jn.com*, True -*.ubat-sk.com*, True -*.ubbens.ca*, True -*.ub-com.us*, True -*.ubeagle.com*, True -*.ubec.info*, True -*.uberbid.com*, True -*.uberblah.com*, True -*.uberblog.co.uk*, True -*.uberdia.net*, True -*.uberdns.co.uk*, True -*.uberfather.net*, True -*.uberfubar.com*, True -*.ubergate.com*, True -*.uberleet.com*, True -*.ubermail.eu*, True -*.ubermensch.tv*, True -*.uberminecraft.co.uk*, True -*.ubernerden.com*, True -*.ubernet.info*, True -*.ubertom.com*, True -*.ubezpieczeniapabianice.one.pl*, True -*.ubezpieczenia.ws*, True -*.ubezpieczsie.one.pl*, True -*.ubiapp.com*, True -*.ubiapp.hk*, True -*.ubillos.net*, True -*.ubillos.org*, True -*.ubimed.cl*, True -*.ubin.ga*, True -*.ubiprot.org.ru*, True -*.ubiq.org*, True -*.ubique-consulting.com*, True -*.ubiquitous.tv*, True -*.ubiz.cl*, True -*.ubmch.ch*, True -*.ubm.md*, True -*.ubnco.com*, True -*.ubon-energygroup.com*, True -*.uboxstream.com*, True -*.ubpuebloperonista.com.ar*, True -*.ub-ts.ch*, True -*.ubts.ch*, True -*.ubunet.ch*, True -*.ubuntology.ru*, True -*.ubuntu.al*, True -*.ubuntuphone.cz*, True -*.ubuyre.com*, True -*.ubx.se*, True -*.ucanfly.hk*, True -*.ucb-guild.com*, True -*.uccaccess.com*, True -*.uccelab.net*, True -*.uccewiki.org*, True -*.ucche.us*, True -*.ucctw.com*, True -*.ucdcanoeclub.com*, True -*.ucfcssa.org*, True -*.uc-fpok.ru*, True -*.ucfusion.com*, True -*.ucgrp.com*, True -*.ucheba-dubna.ru*, True -*.uchebniki.ru*, True -*.uchelfa.net*, True -*.uchi-puchi.ro*, True -*.uchitel.ca*, True -*.uchoufo.com*, True -*.ucilsuka.ml*, True -*.uclab.tw*, True -*.u-cloud.de*, True -*.ucoim.it*, True -*.ucolor.jp*, True -*.ucoluk.name.tr*, True -*.ucos.ro*, True -*.ucpop.com*, True -*.ucraman.tk*, True -*.ucsar.com.ve*, True -*.ucsar.net.ve*, True -*.ucsar.org.ve*, True -*.uctdns.com*, True -*.ucuncukopru.info*, True -*.ucup.us*, True -*.ucuzzi.com*, True -*.ucvc.ru*, True -*.ucvmedios.cl*, True -*.ucvradio.cl*, True -*.ucvtelevision.cl*, True -*.ucvtelevision.net*, True -*.ucvtelevision.tv*, True -*.ucvtv.cl*, True -*.ucvtv.net*, True -*.ucvtv.tv*, True -*.ud98.net*, True -*.ud.com.ar*, True -*.udensprieks.lv*, True -*.udestaaqui.com.ar*, True -*.udev.ch*, True -*.udh2015.tk*, True -*.udij.com*, True -*.udingokil.info*, True -*.udma.su*, True -*.udo.lt*, True -*.udomatiello.com.br*, True -*.udomlia.ru*, True -*.udoo.ml*, True -*.udovic.biz*, True -*.udovic.net*, True -*.udpiler.cl*, True -*.uds7mail.com*, True -*.udvarhelyinfo.ro*, True -*.udzin.ru*, True -*.u-e-b.co.il*, True -*.uebersax.li*, True -*.uebrigens.ch*, True -*.ueefleet.com*, True -*.uefizone.com*, True -*.uefizone.net*, True -*.uep171.com.ar*, True -*.ueppfe.com.ar*, True -*.ufaopen.ru*, True -*.u-f-a.pl*, True -*.ufastroisnab.ru*, True -*.ufblive.co.uk*, True -*.ufd2.net*, True -*.ufficiovistibari.it*, True -*.ufgqgrid.org*, True -*.ufgstellt.ch*, True -*.ufnpsi.com*, True -*.ufobrasil.com*, True -*.ufobr.com.br*, True -*.ufobr.info*, True -*.ufodjs.com*, True -*.ufodns.com*, True -*.ufologiabrasil.com.br*, True -*.ufologiabr.com.br*, True -*.ufook.com*, True -*.ufotable.co.uk*, True -*.ufotv.tk*, True -*.ufoundme.com*, True -*.ufourandir.com.br*, True -*.ufowiki.info*, True -*.ufu.gr*, True -*.ugab.net*, True -*.ugalofb.cf*, True -*.ugego.com*, True -*.ugexpress.com*, True -*.uggbootsale.net*, True -*.ugg-store.eu*, True -*.ugiserver.tk*, True -*.ugli.se*, True -*.uglycash.com*, True -*.uglyducklingstudio.com*, True -*.ugnss.net*, True -*.ugnss.ru*, True -*.ugombed.cf*, True -*.ugo.si*, True -*.ugroz.ru*, True -*.uguu.at*, True -*.ugx-studio.com*, True -*.uhcsolar.com*, True -*.uhf.pw*, True -*.uhoh-boom.com*, True -*.uhrsachen.ch*, True -*.uhvati.ru*, True -*.uillinois.me*, True -*.uiludine.it*, True -*.uinsport.com*, True -*.uinsports.com*, True -*.ui-solutions.com*, True -*.uissecurite.ch*, True -*.uitgavepatroon.nl*, True -*.uithoven.net*, True -*.uitleg.org*, True -*.uitoracrew.com*, True -*.uiuc-sife.org*, True -*.ujifderk.cf*, True -*.ujirani.com*, True -*.ujjwalprasai.com.np*, True -*.ujjwol.com.np*, True -*.ujobemsk.cf*, True -*.ukau.org*, True -*.ukawa.biz*, True -*.ukbizroom.com*, True -*.ukbizroom.co.uk*, True -*.ukbizrooms.com*, True -*.ukbizrooms.co.uk*, True -*.ukbiztravel.com*, True -*.ukbiztravel.co.uk*, True -*.ukcvs.net*, True -*.ukescortsforthedisabled.com*, True -*.ukfap.com*, True -*.uk-fc.net*, True -*.ukhov.me*, True -*.ukiericoncretecongress.com*, True -*.ukip6net.net*, True -*.ukipaulus.ac.id*, True -*.ukjobmart.co.uk*, True -*.ukkeli.info*, True -*.uk.ms*, True -*.u-know-who.com*, True -*.uk-nvkz.ru*, True -*.ukpeeps.co.uk*, True -*.ukpropertymart.co.uk*, True -*.ukraine-office.eu*, True -*.ukrainian-girl.info*, True -*.ukrida.ac.id*, True -*.ukrida.tv*, True -*.ukrinvest.net*, True -*.ukrua.tk*, True -*.uksport2.com*, True -*.uk-st66.ru*, True -*.uk.to*, True -*.uktopshops.info*, True -*.uk-unitour.tw*, True -*.ul7.info*, True -*.uleiu.ro*, True -*.uleygrad.ru*, True -*.ulge.no*, True -*.uli1.tk*, True -*.ulicon.com*, True -*.uli-momo.tk*, True -*.ulink.fi*, True -*.uliss.es*, True -*.ulissesgurgel.com*, True -*.ulitimate.us*, True -*.ulixe.to*, True -*.ullash.com.np*, True -*.ullum.com.ar*, True -*.ullviufotografiacreativa.cat*, True -*.u-lock-it.info*, True -*.ulpipdn.com*, True -*.ulpo.cl*, True -*.ulps.co.za*, True -*.ulrik.net*, True -*.ulring.com*, True -*.ulsoy.net*, True -*.ulsoy.org*, True -*.ulster-fuel.com*, True -*.ulster-oil.com*, True -*.ultibyte.net*, True -*.ultimalabor.se*, True -*.ultimamilla.cl*, True -*.ultimarat.io*, True -*.ultimateballoons.net*, True -*.ultimatedecision.lv*, True -*.ultimatedesktop.uk*, True -*.ultimatedistributors.co.za*, True -*.ultimateempowerment.org.uk*, True -*.ultimate-fight.net*, True -*.ultimateginger.co.uk*, True -*.ultimatehair.co.za*, True -*.ultimatelaw.org*, True -*.ultra5starshost.tk*, True -*.ultraangel.com*, True -*.ultrabug.com*, True -*.ultracoups.com*, True -*.ultrafreehosting.tk*, True -*.ultrainfoair.com*, True -*.ultrakrass.de*, True -*.ultralowit.com*, True -*.ultrapanel.us*, True -*.ultraponie.com*, True -*.ultrasek.pl*, True -*.ultrashell.biz*, True -*.ultrashit.org*, True -*.ultrasmall.org*, True -*.ultrasport.co.il*, True -*.ultrastockpicks.com*, True -*.ultrastorage.co.uk*, True -*.ultratoner.com*, True -*.ultratrendy.com*, True -*.ultra-ts.com*, True -*.ultravet.com.br*, True -*.ultraviolet.im*, True -*.ulum.tk*, True -*.ulvang.info*, True -*.ulvilantie11b.info*, True -*.ulysses-nepean.org.au*, True -*.ulzone.ru*, True -*.uma.com.ar*, True -*.umad-barnyard.com*, True -*.umail.ml*, True -*.umaitaxi.kz*, True -*.umar4u.com*, True -*.umardia.com.mx*, True -*.umb22.com*, True -*.umb33.com*, True -*.umb55.com*, True -*.umb66.com*, True -*.umb77.com*, True -*.umb88.com*, True -*.umb99.com*, True -*.umbanda.cf*, True -*.umbanda.ml*, True -*.umbandasagrada.cf*, True -*.umbandasagrada.ga*, True -*.umbandasagrada.ml*, True -*.umbanda.tk*, True -*.umbandista.cf*, True -*.umbandista.ga*, True -*.umbandista.ml*, True -*.umbandista.tk*, True -*.umbra.pw*, True -*.umbrella.guru*, True -*.umbrellaj.com*, True -*.umbris.net*, True -*.umc.ac.id*, True -*.umcbc.ca*, True -*.umchk.ml*, True -*.umcnet.nl*, True -*.umdana.com*, True -*.umdana.co.uk*, True -*.u-med.ru*, True -*.umeid.in*, True -*.umem.me*, True -*.umeshgajurel.com.np*, True -*.umeshwar.com.np*, True -*.umetni-nohti.tk*, True -*.umfrimouski.com*, True -*.umfundi.com*, True -*.umhl.com*, True -*.u-mine.cl*, True -*.uml.pro.br*, True -*.umni4ki.ru*, True -*.umnsvp.tk*, True -*.umob.org*, True -*.umowe.pl*, True -*.umpireofthedead.com*, True -*.umptygump.com*, True -*.umtsplaza.nl*, True -*.umtsshop.nl*, True -*.umx.ch*, True -*.umzugshilfehamburg.com*, True -*.umzugshilfemuenchen.com*, True -*.un0b1t.com*, True -*.un1ty.org*, True -*.unaboutiquesensual.com.br*, True -*.unafamigliacolriccio.it*, True -*.unagi.tk*, True -*.unaiscreativity.com*, True -*.unaltro68.org*, True -*.unamatrix.net*, True -*.uname-a.com*, True -*.unaquimica.com.ar*, True -*.unaresystems.net.ve*, True -*.unarquitectura.cl*, True -*.unart.info*, True -*.u-nas.co.kr*, True -*.unas.ru*, True -*.unatallamas.com*, True -*.unavida.cl*, True -*.unbendiphone6.com*, True -*.unbend-iphone.com*, True -*.unblag.com*, True -*.unblocksurfproxy.com*, True -*.unblocktheweb.biz*, True -*.unblocktheweb.co.uk*, True -*.unblocktheweb.net*, True -*.unblocktube.pk*, True -*.unblockwall.info*, True -*.unbuzzle.info*, True -*.unc26.com*, True -*.unc43.com*, True -*.unc74.com*, True -*.uncbreastreconstruction.org*, True -*.uncensordns.com*, True -*.uncensordns.eu*, True -*.uncensordns.info*, True -*.uncensordns.net*, True -*.uncensordns.nu*, True -*.uncensordns.org*, True -*.uncensordns.se*, True -*.uncensoredasiantube.com*, True -*.uncensoredav.com*, True -*.unchartedearth.com*, True -*.unchen.com*, True -*.unchi.ga*, True -*.unchs.org*, True -*.uncityguide.com*, True -*.unclebilly.org*, True -*.uncleemphie.com*, True -*.unclehairy.uk*, True -*.uncletwo.com*, True -*.unclipcloud.com*, True -*.unclipcloud.org*, True -*.uncluded.net*, True -*.uncluttertampabay.com*, True -*.uncouriershipping.com*, True -*.unc.ro*, True -*.uncuoglu.net*, True -*.uncuoglu.org*, True -*.uncvn.ro*, True -*.unded28.com*, True -*.undefeated.eu*, True -*.undefined.one.pl*, True -*.underconstruction-pub.ro*, True -*.undercoverbrowser.com*, True -*.underdog.com.ar*, True -*.undereyewrinkles.org*, True -*.undergroundgamers.ga*, True -*.undergroundnerds.net*, True -*.undergroundtrust.com*, True -*.undermark.ca*, True -*.undernet.biz*, True -*.undernet.club*, True -*.undernetworld.com*, True -*.underpatagonia.com*, True -*.underpatagonia.com.ar*, True -*.underpatagonia.net*, True -*.underpatagonia.org*, True -*.underpressure.cl*, True -*.underprotection.com.br*, True -*.underseaprotection.com*, True -*.underseaprotection.net*, True -*.underseaprotection.org*, True -*.understandingeducationalissues.org*, True -*.underthecosmos.com*, True -*.underw0rld.tk*, True -*.underwear4you.pl*, True -*.underwritertender.com*, True -*.undetected.cf*, True -*.undetermined.info*, True -*.undo.cl*, True -*.undo.it*, True -*.undo.xyz*, True -*.unduhandro.com*, True -*.unduhanku.com*, True -*.unduhlagump3.info*, True -*.unduh.me*, True -*.unduhmusikbaru.com*, True -*.unduhmusik.com*, True -*.unduhmusikmp3.com*, True -*.unduhsoft.com*, True -*.unduhvideo.com*, True -*.unduhvideo.website*, True -*.unduhxxx.com*, True -*.unedonline.es*, True -*.uneekstudio.com*, True -*.unelca.com.ve*, True -*.unemployment4u.com*, True -*.une-pune.com*, True -*.uneschile.cl*, True -*.unesite.com*, True -*.unetcomm.ca*, True -*.unexi.fi*, True -*.unexpected-journey.tk*, True -*.unexpectedrunner.com*, True -*.unfimedia.cf*, True -*.unfocused.nz*, True -*.unforgettablecreative.com*, True -*.ungabunga.ro*, True -*.ungerwaegs-international.ch*, True -*.unggas-super.com*, True -*.ungheni.biz*, True -*.ungoliant.org*, True -*.ungritodegol.com.ar*, True -*.unhadeouro.com*, True -*.unhasdeouro.com*, True -*.unhasdeouro.com.br*, True -*.unholypaperclip.net*, True -*.uni2.tw*, True -*.uniaotv.com.br*, True -*.unibookmarket.co.uk*, True -*.unibutton.com*, True -*.unicake.ch*, True -*.unicetw.com*, True -*.uniclean.hr*, True -*.unicliq.com*, True -*.uniclothing.org*, True -*.unico1.com.au*, True -*.unicolor.ro*, True -*.unicomm-corp.com*, True -*.unicompreactiva.com*, True -*.unicomworldwide.com*, True -*.unicorn-pluto.hk*, True -*.unicornridejewelry.com*, True -*.unicornridejewelry.ru*, True -*.unicotrade.bg*, True -*.unicraft.su*, True -*.unicred.com.ar*, True -*.unicredmailserver.com.ar*, True -*.unicusgaming.net*, True -*.unidom.si*, True -*.unids.com*, True -*.unielectronics.ca*, True -*.unienvases.com.mx*, True -*.unificaagropecuaria.com.br*, True -*.unifios.com*, True -*.unifor81.ca*, True -*.uniforlocal195.com*, True -*.uniformcap.com*, True -*.unifysquared.com*, True -*.unigap.com*, True -*.unigifts.co.uk*, True -*.unika.ru*, True -*.unikcare.com*, True -*.unikey.co.kr*, True -*.unikon23.com*, True -*.unik.ru*, True -*.unilabs.co*, True -*.unilinearco.com*, True -*.unil.ml*, True -*.uniluma.com*, True -*.uniluma.net*, True -*.uniluma.org*, True -*.unimagemdigital.com.br*, True -*.unimed-c.ru*, True -*.unioffice.in*, True -*.unioffice.net*, True -*.unioil.si*, True -*.unionartshk.com*, True -*.unioncc.co.za*, True -*.unioncordobesa.org*, True -*.unioncountyfair.net*, True -*.unionzone.net*, True -*.unipa.ac.id*, True -*.uni-pak.com.au*, True -*.unipoles.cl*, True -*.unipratamasentosa.co.id*, True -*.unipuma.co.uk*, True -*.uniq-care.com*, True -*.uniq-care.co.za*, True -*.uniqcast.com*, True -*.uniqittech.com*, True -*.uniqnet.sg*, True -*.uniqnet.tk*, True -*.uniqomp.tk*, True -*.uniquebeautiquespa.com*, True -*.uniquebolee.pk*, True -*.uniquedeals.com*, True -*.uniquefinancing.com*, True -*.uniquelye6.tk*, True -*.uniqueone.tk*, True -*.uniquepropertiescc.co.za*, True -*.unishaver.net*, True -*.unisol.com.pk*, True -*.unistyle.pl*, True -*.unitarians.org.nz*, True -*.unitaw.co.uk*, True -*.unitdomb.ro*, True -*.unite4tibet.org*, True -*.unitech.com.mx*, True -*.united1world.com*, True -*.unitedapparatus.org*, True -*.unitedbd.net*, True -*.unitedcolors.ro*, True -*.unitedfoods.in*, True -*.unitedinternational.cf*, True -*.unitedmotors.ro*, True -*.unitedservers.cf*, True -*.unitedservers.tk*, True -*.united-tractor.cf*, True -*.unitefortibet.org*, True -*.unitent.org*, True -*.unitivedesign.com*, True -*.unitors.ch*, True -*.unitpricing.org*, True -*.unitsense.com*, True -*.unityempire.tk*, True -*.unitysuperstore.com*, True -*.univacc.net*, True -*.universal2002.ro*, True -*.universaladmin.com.au*, True -*.universalart.ro*, True -*.universaldocument.com*, True -*.universalesqui.com*, True -*.universal-office.com*, True -*.universalpeacesociety.org.au*, True -*.universalproof.com*, True -*.universalski.com*, True -*.universalski.com.ar*, True -*.universal-steel.ro*, True -*.universalsurrealbus.com*, True -*.universaltower.co.id*, True -*.universegem.net*, True -*.universe-xt.com*, True -*.universiade-innsbruck.org*, True -*.universityforums.co.za*, True -*.universitylodgesball.com*, True -*.universoarmas.com.ar*, True -*.universobebe.com.ar*, True -*.universoludico.com.ar*, True -*.univertical.us*, True -*.uniwealth.co.za*, True -*.uniwomenssoccer.com.au*, True -*.unix4all.com*, True -*.unixadm.info*, True -*.unixbsd.cl*, True -*.unix.cf*, True -*.unixclone.com*, True -*.unixdc.com*, True -*.unixdc.net*, True -*.unixdc.org*, True -*.unixexpert.ro*, True -*.unixfreez.eu*, True -*.unixguru.tk*, True -*.unix.id.lv*, True -*.unixjrossfashion.com*, True -*.unixporn.net*, True -*.unixsg.com*, True -*.unix.st*, True -*.unixsystem.it*, True -*.unix.tk*, True -*.unixwars.com*, True -*.unixzone.info*, True -*.unkill.org*, True -*.unkle7.tk*, True -*.unkleho.com*, True -*.unlawn.org*, True -*.unleadedonly.com*, True -*.unleashedthoughts.com*, True -*.unleashed-web.org*, True -*.unlimitedcuriosity.net*, True -*.unlimited.io*, True -*.unlimited-reality.com*, True -*.unlimited-reality.net*, True -*.unlimitedvibes.co.za*, True -*.unlimiterhear.com*, True -*.unlix.tk*, True -*.unlock-data.ro*, True -*.unlockhost.com*, True -*.unlockingtension.co.za*, True -*.unlockiphone6s.com*, True -*.unlock.li*, True -*.unlockmoviedownload.com*, True -*.unlockmovienow.com*, True -*.unloked.tk*, True -*.unltd-networx.de*, True -*.unmanarc.com*, True -*.unmannedforum.eu*, True -*.unmundoperdido.cl*, True -*.unnati.org.np*, True -*.unnl.us*, True -*.unobscured.com*, True -*.unogs.com*, True -*.unoob.ml*, True -*.unopaa.info*, True -*.unopaa.net*, True -*.un.or.id*, True -*.unorthodoxsolutions.net*, True -*.unosolutions.com.ar*, True -*.unotech.com.mx*, True -*.unotech.mx*, True -*.unowel.com*, True -*.unplugdotcom.com*, True -*.unplug.org.ve*, True -*.unpublishedmaterials.com*, True -*.unqualify.com*, True -*.unre.al*, True -*.unrealass.net*, True -*.unreal.ch*, True -*.unrealcreations.com*, True -*.unregisteredhypercam2.net*, True -*.unridiculous.com*, True -*.unscripted.com.au*, True -*.unscrupulous.name*, True -*.unsec.net*, True -*.unsere-wsw.de*, True -*.unserserver.net*, True -*.uns-ich-er.ch*, True -*.unsiq.com*, True -*.unsown.tk*, True -*.unsquashable.com.au*, True -*.unstac.tk*, True -*.unsubscribe.us*, True -*.unsueno.com*, True -*.untappedevents.pt*, True -*.untappedkegg.com*, True -*.unterdorf8.ch*, True -*.unterfrintrop.de*, True -*.unterhund.org*, True -*.unterkunft-basel.ch*, True -*.untilam.com*, True -*.untoquedediana.com.ar*, True -*.untrustedsource.com*, True -*.unts.us*, True -*.unusual.ro*, True -*.unworthies.eu*, True -*.unworthycause.com*, True -*.unxt-hosting.org*, True -*.unyanetalumni.org*, True -*.unystel.cl*, True -*.unyu.ga*, True -*.unyu.ml*, True -*.uoapo2.com*, True -*.uoapo.com*, True -*.uoflsigep.org*, True -*.uomlaplata.org.ar*, True -*.uooo.tk*, True -*.uottawa-timetable.ca*, True -*.uowefsoc.com*, True -*.uowow.com*, True -*.up1.ro*, True -*.upadeshs.com.np*, True -*.upadeshshrestha.com.np*, True -*.upak-blister.ru*, True -*.upakblister.ru*, True -*.upakovkablister.ru*, True -*.upakovka-blister.su*, True -*.upakovkavblister.ru*, True -*.upal.se*, True -*.upayme.com*, True -*.upbidz.com*, True -*.upcheer.com*, True -*.upcworks.com*, True -*.up-design.be*, True -*.updong.com*, True -*.upennpma.com*, True -*.upfields.org*, True -*.upfile-mobi.tk*, True -*.upflipflops.co.uk*, True -*.upful.org*, True -*.upgradehouse.com.br*, True -*.upgradesti.com.br*, True -*.upgrid.com*, True -*.uphealth.es*, True -*.upholsteryworxbyjason.com.au*, True -*.upholsteryworx.com*, True -*.upilsinga.tk*, True -*.upiy.ml*, True -*.upjav.com*, True -*.uplap.ru*, True -*.uplate.us*, True -*.uplay.hk*, True -*.uplc.ru*, True -*.uplife.org.br*, True -*.upliker.biz*, True -*.uplink.li*, True -*.upln.gr*, True -*.uploaderbrasil.com.br*, True -*.uploadnolimit.com*, True -*.upload.ro*, True -*.uploads.io*, True -*.uploads.ws*, True -*.upload-thai.com*, True -*.upnyk.org*, True -*.upp68.com*, True -*.upp78.com*, True -*.upp98.com*, True -*.upperline.pt*, True -*.uppernewyork.club*, True -*.uppm.ru*, True -*.uppro.cl*, True -*.upps.co.za*, True -*.upptwitter.com*, True -*.upravdom.me*, True -*.uprint.com.tr*, True -*.uproc.com.br*, True -*.upsa3t-indonesia.com*, True -*.upsc.co.uk*, True -*.upseguros.com.br*, True -*.upsrielloaros.com*, True -*.upstartmusic.com*, True -*.uptfin.tk*, True -*.uptime.com.ar*, True -*.uptime.si*, True -*.uptoken2u.com*, True -*.uptownvillageoptometry.ca*, True -*.upukka.tk*, True -*.upup.ml*, True -*.upvison.net*, True -*.upvn.org*, True -*.upwardfacingdawn.com*, True -*.ur0.eu*, True -*.ur580.com*, True -*.uragano.org*, True -*.uralchemfreight.com*, True -*.uralkomi.ru*, True -*.urandir2012.com.br*, True -*.urandirblog.com.br*, True -*.urandirbr.com.br*, True -*.urandir.com.br*, True -*.urandircontatado.com.br*, True -*.urandirfernandes.com.br*, True -*.urandirfernandesdeoliveira.com.br*, True -*.urandirnaweb.com.br*, True -*.urandiroliveira.com.br*, True -*.urandirparanormal.com.br*, True -*.urandirufo.com.br*, True -*.urang.ga*, True -*.urasob.com*, True -*.urbalink.co*, True -*.urban14.net*, True -*.urbananarchy.gr*, True -*.urbanarboretum.com*, True -*.urbanarboretum.org*, True -*.urbanart.su*, True -*.urban-dance.net*, True -*.urbanfamily.us*, True -*.urbanfm.ro*, True -*.urbanglamgeek.com*, True -*.urbanguru.pt*, True -*.urbanhippiecolorado.com*, True -*.urbanizadoragea.com.ar*, True -*.urbanmediateam.biz*, True -*.urbanmediateam.com*, True -*.urbanmediateam.info*, True -*.urbanmediateam.net*, True -*.urbanmediateam.org*, True -*.urbanmediaxchange.tk*, True -*.urbanmint.ca*, True -*.urbanmix.cl*, True -*.urban-nomad.com*, True -*.urbanorganicwear.com*, True -*.urbanq.com.au*, True -*.urbanradyo.ml*, True -*.urbanrealty.co.za*, True -*.urbanrun.co.za*, True -*.urbanservicesqld.com.au*, True -*.urbanslide.co.za*, True -*.urbansoul.info*, True -*.urbanspotlight.tv*, True -*.urbanspotlite.net*, True -*.urbantadka.com*, True -*.urbantvs.tk*, True -*.urbanus-suites.com.ar*, True -*.urbe.ro*, True -*.urbieta.com.ar*, True -*.urbinauto.cl*, True -*.urbistm.com*, True -*.urbsex.com*, True -*.urca.tv*, True -*.urdchsc.org*, True -*.urdi.biz*, True -*.urdirectory.org*, True -*.urdot.tk*, True -*.urdukhanov.ru*, True -*.urecruit.ro*, True -*.urelajah.tk*, True -*.urer.av.tr*, True -*.uretapropiedades.cl*, True -*.urimfashion.com*, True -*.urist93.ru*, True -*.urkiola.com*, True -*.urknall-universe.com*, True -*.url2046.com*, True -*.urldrop.net*, True -*.urlhk.co*, True -*.urlo.ga*, True -*.urlshorter.tk*, True -*.urlss.tk*, True -*.urlstat.eu*, True -*.urlw.us*, True -*.urmanet.ch*, True -*.urmem.com*, True -*.urmiladevi.com.np*, True -*.urmomsbox.com*, True -*.urno.biz*, True -*.uroborosfactoringbrokers.com*, True -*.urolog.si*, True -*.urq.co*, True -*.urquhart.tv*, True -*.ursadda.com*, True -*.ursadda.in*, True -*.urs-bucher.ch*, True -*.ursey.com*, True -*.ur.sg*, True -*.ursicdavid.tk*, True -*.urs-jakob-ag.ch*, True -*.ursrohr.ch*, True -*.ursula-markus.ch*, True -*.ursupe.net*, True -*.urubin.net*, True -*.urubook.net*, True -*.uruqulnadhif.com*, True -*.urusai.pt*, True -*.urwi.nz*, True -*.us1314.com*, True -*.usabay.ru*, True -*.usableforall.com*, True -*.usableforall.org*, True -*.usadosnet.com.br*, True -*.usaemploymentresources.com*, True -*.usafe-locksmith.net*, True -*.usagestamp.com*, True -*.usagi.ml*, True -*.usaharvest.com*, True -*.usajusaj.org*, True -*.usamooc.com*, True -*.usa-pdl-2015.com*, True -*.usarf.org*, True -*.usatrusttitle.com*, True -*.usautoglass.info*, True -*.usawerock.com*, True -*.usbdaqsolutions.com*, True -*.usblanks.net*, True -*.usbscale.com*, True -*.usccseller.com*, True -*.us-chinaedexchange.org*, True -*.uscoinage.com*, True -*.usd04.com*, True -*.usdnsk.ru*, True -*.usdpikes.org*, True -*.use99.com*, True -*.used2.be*, True -*.usedautoclave.com*, True -*.usedautoclaves.com*, True -*.usedcarsin.eu*, True -*.usedsails.com.au*, True -*.usefulkit.co.uk*, True -*.usefulrant.com*, True -*.uselectronicdesign.com*, True -*.uselessinter.net*, True -*.uselesslaws.org*, True -*.uselinux.us*, True -*.usellworld.com*, True -*.useme.eu*, True -*.useme.net*, True -*.usemobes.com*, True -*.usenet4all.com*, True -*.usenet4all.net*, True -*.usenet4all.org*, True -*.usenetmail.tk*, True -*.usenetology.com*, True -*.userator.vn*, True -*.userfriendly.net*, True -*.usergun.com*, True -*.users.cf*, True -*.users.ninja*, True -*.users.tk*, True -*.userxserv.com*, True -*.useunix.net*, True -*.usexy.cc*, True -*.usfc-pyroworks.com*, True -*.usfunkhub.tk*, True -*.usg-ros.com.ar*, True -*.ushafoundation.com*, True -*.ushopcool.com*, True -*.ushrestha.com.np*, True -*.usiadini.tk*, True -*.usirhujan.com*, True -*.usites.cf*, True -*.usites.ga*, True -*.usites.gq*, True -*.usites.tk*, True -*.usjepor.com*, True -*.uskoplje.eu*, True -*.usmagnum.net*, True -*.usman-arif.com*, True -*.usman.ch*, True -*.usman.com.pk*, True -*.usmannaeem.net*, True -*.usmile.ro*, True -*.usmob.net*, True -*.usmooc.com*, True -*.usoba.com*, True -*.usoba.org*, True -*.usoff.tk*, True -*.usole-sibirskoe.ru*, True -*.usolix.cl*, True -*.uspc.cf*, True -*.uspehcrimea.com*, True -*.uspesnyblog.info*, True -*.usradrefresh.co.za*, True -*.usrdns.de*, True -*.usrsrc.com*, True -*.usscurology.com*, True -*.ussdvas.ir*, True -*.uss-dyndns.de*, True -*.ussh.ro*, True -*.ussi.cf*, True -*.ussm.ro*, True -*.ustadzmafrur.com*, True -*.ustaztawfiq.my*, True -*.ustcbbs.tk*, True -*.ustinka.org*, True -*.us.to*, True -*.usto.pro*, True -*.ustraco.co.id*, True -*.ustrada.co.id*, True -*.ustt.ru*, True -*.us-tunnel.com*, True -*.usuarioglobal.com.ar*, True -*.usuxorurox.com*, True -*.uswebsystems.com*, True -*.ut2004.ga*, True -*.ut4all.tk*, True -*.utahrealestatedreamteam.com*, True -*.utahsalesjobs.net*, True -*.utahvalleymodelaclub.org*, True -*.utamarox.com*, True -*.utam.cl*, True -*.u-tami.com*, True -*.utask.ru*, True -*.utasks.ru*, True -*.utatwork.com*, True -*.utbanque.com*, True -*.utclab.com*, True -*.uteafemayotros.com.ar*, True -*.utenfor.net*, True -*.uteprocrearpna.com.ar*, True -*.utes.com.ar*, True -*.utida.com.br*, True -*.utilcare.pt*, True -*.utilicell.com*, True -*.utilizetechnology.com.au*, True -*.utilmedica.pt*, True -*.ut-instagib.co*, True -*.utip.com*, True -*.utip.us*, True -*.utkugenel.com*, True -*.utm.co.il*, True -*.utn-nordelta.com*, True -*.utoctadel.com.ar*, True -*.utopians.gr*, True -*.utopiaserver.net*, True -*.utopista.com.ar*, True -*.utrealestatedreamteam.com*, True -*.utryt.com*, True -*.utsbig.com.au*, True -*.utscs.co.uk*, True -*.utt77.com*, True -*.utt88.com*, True -*.utti.fi*, True -*.ut-tower.com*, True -*.utumplus.ru*, True -*.utworld.ch*, True -*.uumc.com.my*, True -*.uung46.dj*, True -*.uusiaika.fi*, True -*.uuskula.com*, True -*.uuskula.eu*, True -*.uutiskommentti.fi*, True -*.uuvpn.us*, True -*.uuxe.com*, True -*.uuy29.com*, True -*.uuy56.com*, True -*.uuy59.com*, True -*.uuy74.com*, True -*.uuy85.com*, True -*.uvatec.com*, True -*.uvb76.info*, True -*.uvdeos.com*, True -*.uve-haedo.com.ar*, True -*.uvl.ro*, True -*.uvusaa.org*, True -*.uways.com*, True -*.uwepsa.org*, True -*.uwgraduation.com*, True -*.uwgraduation.net*, True -*.uwgraduation.org*, True -*.uwh.ch*, True -*.uwpho.to*, True -*.uwsrd.org*, True -*.uwxco.com*, True -*.uwxisp.com*, True -*.uxacon.ro*, True -*.uxew.com*, True -*.uxpedite.com*, True -*.uyy46.com*, True -*.uyy73.com*, True -*.uyy85.com*, True -*.uyy95.com*, True -*.uzas.info*, True -*.uzdan.ru*, True -*.uzelac.net*, True -*.uzhi.ru*, True -*.uzid.com*, True -*.uzivajte.si*, True -*.uzkur.net*, True -*.uzmanadanis.com*, True -*.uznaipravdu.org*, True -*.uzoba.com*, True -*.uzon.org*, True -*.uzposp3i8tp4x3k.com.ar*, True -*.uztracker.tk*, True -*.uzunu.ro*, True -*.uzuzuz.net*, True -*.uzz58.com*, True -*.v00d00.co*, True -*.v0166.com*, True -*.v0188.com*, True -*.v0222.com*, True -*.v0669.com*, True -*.v0889.com*, True -*.v0899.com*, True -*.v1nc3nt.us*, True -*.v2-nightmare.net*, True -*.v2n.jp*, True -*.v2winformatica.com.br*, True -*.v3m.se*, True -*.v3n0m.nl*, True -*.v3x.us*, True -*.v58net.net*, True -*.v8print.com*, True -*.v8print.com.au*, True -*.va145.com*, True -*.vaananen.fi*, True -*.vaandrager.com*, True -*.vabeachgeeks.com*, True -*.vabes.net*, True -*.vabits.com*, True -*.vacani.com.ar*, True -*.vacantademaine.tk*, True -*.vacantalitoral.ro*, True -*.vacanta-predeal.ro*, True -*.vacantcranium.net*, True -*.vacanzafacileamatera.it*, True -*.vacatello.tk*, True -*.vacationbythesea.net*, True -*.vacationsolutionstoday.com*, True -*.vacation-villa-cote-azur.com*, True -*.vacatko.cz*, True -*.vaccinuri.net*, True -*.vaccinuri.org*, True -*.vacko.cf*, True -*.vacle.eu*, True -*.vactsurvival.tk*, True -*.vadakel.com*, True -*.vadalus.com*, True -*.vadamus.com*, True -*.vadco.tk*, True -*.vaden.co*, True -*.vaderstadaustralia.com*, True -*.vadesigns.net*, True -*.vadfansomhelst.tk*, True -*.vadimfrolov.com*, True -*.vadim.ga*, True -*.vadu.ch*, True -*.vaduri.ro*, True -*.vaeme.com*, True -*.vaettir.net*, True -*.vae.xyz*, True -*.vafaclubdata.com.au*, True -*.vafadar.co*, True -*.vafc.co.za*, True -*.vaf.com.ar*, True -*.vaffles.net*, True -*.vafiades.ca*, True -*.vagabondo.biz*, True -*.vagabondo.ru*, True -*.vagamu.net*, True -*.vaganfree.com*, True -*.vagaocafedomuseu.com.br*, True -*.vagecountdown.com*, True -*.vagfans.info*, True -*.vaggos13.net*, True -*.vagrantsoul.de*, True -*.vague-inspirations.com*, True -*.vahac.com*, True -*.vahtapro.ru*, True -*.vahva.ee*, True -*.vaibhavbhardwaj.com*, True -*.vaidicjoshi.in*, True -*.vaihda.fi*, True -*.vainguild.com*, True -*.vainham.com*, True -*.vaino.info*, True -*.vaizer.cl*, True -*.vakantie-immo.be*, True -*.vakkerdevelopment.com*, True -*.vako69.com*, True -*.vakuumglas.ch*, True -*.valary.com*, True -*.valbe-s.com*, True -*.valcharov.com*, True -*.valdacabelos.com*, True -*.valdeslira.cl*, True -*.valdo.co.id*, True -*.valdostano.com*, True -*.valedaspaineiras.com.br*, True -*.valehacerlio.com.ar*, True -*.valejo.net*, True -*.valenasrl.com.ar*, True -*.valenciasnooker.es*, True -*.valenciasnooker.org*, True -*.valen-cyberz.asia*, True -*.valent-dmasterpiece.tk*, True -*.valentegubert.com.br*, True -*.valent.ga*, True -*.valentinacrnkovic.com*, True -*.valentinarodriguez.cl*, True -*.valentinasuter.ch*, True -*.valentinogrup.ro*, True -*.valentyna.ch*, True -*.valenzuela-torrellas.com*, True -*.valenzuela-torrellas.org*, True -*.valeriabianchini.com.ar*, True -*.valeriacicconi.com.ar*, True -*.valeriavidela.cl*, True -*.valerieanddoron.com*, True -*.valeriekolbert.com*, True -*.valerija.tk*, True -*.valeur.us*, True -*.valevolunteers.org.uk*, True -*.valeze.cl*, True -*.valfirma.pt*, True -*.valga.es*, True -*.valgusrada.ee*, True -*.valhallanet.net*, True -*.valhor.ro*, True -*.valibarbulescu.ro*, True -*.val.id.lv*, True -*.valifesafetydashboard.com*, True -*.vali-nettoyage-renovation.ch*, True -*.valinski.com*, True -*.valin.us*, True -*.valiollahi.ir*, True -*.valiux.net*, True -*.valiza.com*, True -*.valkaria.org*, True -*.valkine2.tk*, True -*.vallcar.com.ar*, True -*.vallecomercial.com.br*, True -*.valledelayui.com.ar*, True -*.valledemaria.com*, True -*.valleslights.com*, True -*.valleyabstractcompany.com*, True -*.valley.ai*, True -*.valleyautomotivespecialists.com*, True -*.valleysc.net*, True -*.valleyviewpropertyservices.com.au*, True -*.valleyweb.us*, True -*.vallinapintura.com*, True -*.valloita.fi*, True -*.vall.ro*, True -*.vallromanes.org*, True -*.val-mar.com.ar*, True -*.valmarkproperties.in*, True -*.valmiera.cf*, True -*.valokuvapiste.fi*, True -*.valonlumo.fi*, True -*.valo-promet.hr*, True -*.valorizar.pt*, True -*.valosterich.com*, True -*.valoursportsgear.com*, True -*.valpomobileconf.cl*, True -*.valsangiacomo.net*, True -*.val-taxi.ch*, True -*.valtoaho.com*, True -*.valtrexkit.com*, True -*.valtser.com*, True -*.valuecraft.info*, True -*.valuefence.co*, True -*.valuestream.id*, True -*.valuetable.biz*, True -*.valuetable.com*, True -*.valuetable.org*, True -*.valuetexts.com*, True -*.valueyoung.com*, True -*.valunlili.com*, True -*.valvemurah.com*, True -*.valvolinz.com*, True -*.vamage.com*, True -*.vamonoz.com*, True -*.vamoschilerestaurant.cl*, True -*.vampear.hu*, True -*.vampi.info*, True -*.vampire.moe*, True -*.vampir.es*, True -*.vampiress.ru*, True -*.vampirsha.ru*, True -*.vamplew.com*, True -*.vamvu.com.mx*, True -*.vamvu.mx*, True -*.van42.com*, True -*.van72.com*, True -*.van76.com*, True -*.van85.com*, True -*.vanacken.org*, True -*.vanaday.com*, True -*.vanaheim.co.za*, True -*.vanaja.com.au*, True -*.vanasco.com.ar*, True -*.vanchi.eu*, True -*.vancoller.com*, True -*.van-congo.bz*, True -*.vancongo.bz*, True -*.vancorp.com.au*, True -*.vancouvershotokankarate.com*, True -*.vancouvertodo.com*, True -*.vandale.ca*, True -*.vandamdiner.com*, True -*.vandaseafoodsupplier.com*, True -*.vandbike.ro*, True -*.vandedonk.nl*, True -*.vandenheuvel.ml*, True -*.vanderberg.co.za*, True -*.vanderfoguel.com.ar*, True -*.vandergrifthsalumni.com*, True -*.vandergriftpolice.com*, True -*.vanderlee.sg*, True -*.vanderlinde.org*, True -*.vanderraad.ca*, True -*.vanderscheer.net*, True -*.van-deutekom.com*, True -*.vandeutekom.eu*, True -*.vandeutekom.net*, True -*.vandewerken.id.au*, True -*.vandongen.id.au*, True -*.vandyde.com*, True -*.vandykfamily.ca*, True -*.vandyselo.com.ar*, True -*.vaness0.ga*, True -*.vanessadion.com*, True -*.vanessa-lopes.ch*, True -*.vanessamarques.com.br*, True -*.vanessamedley.com*, True -*.vanessas-photography.com*, True -*.vanet.co.uk*, True -*.vanger.co*, True -*.vangerglobal.com*, True -*.vangersolutions.com*, True -*.vanguard.cl*, True -*.vanhaveri.fi*, True -*.vanhecke.org*, True -*.vanhoacompany.com*, True -*.van.id.au*, True -*.vanidev.com*, True -*.vanidevs.com*, True -*.vanidiossa.cl*, True -*.vanie.web.id*, True -*.vanilla.cz*, True -*.vanillaforum.ir*, True -*.vanillapvp.com*, True -*.vanir-wow.com*, True -*.vanishingpoint.io*, True -*.vanitydomain.co.uk*, True -*.vanitypanels.com*, True -*.vanjacob.org*, True -*.vanjastefanovic.tk*, True -*.vanjava.biz*, True -*.vanjava.co.uk*, True -*.vanjava.info*, True -*.vanjosh.net*, True -*.vankin.de*, True -*.vanlee-promotion.com*, True -*.vanmartlimited.com*, True -*.vanmau.vn*, True -*.vanmeir.ch*, True -*.vannijen.be*, True -*.vannutt.ch*, True -*.vanocniponozka.cz*, True -*.vanomania.net*, True -*.vanroijen.com*, True -*.vanscheltinga.eu*, True -*.vansolo.us*, True -*.vantaanrauhanyhdistys.fi*, True -*.vant.com.ar*, True -*.van-trac.com*, True -*.vanvaeck.net*, True -*.vanwap.com*, True -*.vanworth.ca*, True -*.vanzarecasecraiova.ro*, True -*.vanzarimoto.ro*, True -*.vanzarioradea.ro*, True -*.vanzettacleto.ch*, True -*.vapeachile.cl*, True -*.vapeguy.co.uk*, True -*.vapeteria.com*, True -*.vapid.me*, True -*.vaporack.net*, True -*.vaporium.cl*, True -*.vaporrack.com*, True -*.vaporrack.net*, True -*.vapourchat.com*, True -*.varastoexpert.fi*, True -*.varbuse.ee*, True -*.vardars.com*, True -*.vardenafilbuy.net*, True -*.varesano.net*, True -*.varezky.org*, True -*.varezky.us*, True -*.variable-pistonpumps.com*, True -*.variaindah.com*, True -*.variance.org.uk*, True -*.variantdimensions.com*, True -*.varianth.com*, True -*.varianth.com.br*, True -*.varianthe.com*, True -*.varianthe.com.br*, True -*.variasimotormu.com*, True -*.variationalinference.org*, True -*.varibasa.ch*, True -*.variobalt.ru*, True -*.varnait.tk*, True -*.varovalka.com*, True -*.varscript.ru*, True -*.varshets.com*, True -*.varshets.info*, True -*.varshets.net*, True -*.varshets.org*, True -*.vartanov.nl*, True -*.vartely.ro*, True -*.vartiem.lv*, True -*.varunaprinter.com*, True -*.varunmangla.com*, True -*.varunreddy.ch*, True -*.varusteporssi.fi*, True -*.varvet.info*, True -*.varvori.com*, True -*.varylinx.com*, True -*.varzina.me*, True -*.vasantkunjinformershopper.com*, True -*.vascar.ro*, True -*.vaselinebuddies.com*, True -*.vasgaz.com.br*, True -*.vasiledumitrache.org*, True -*.vasileleordean.ro*, True -*.vasilenkoit.ru*, True -*.vasilevsky.org*, True -*.vasilis.gq*, True -*.vasilyev.me*, True -*.vasilyklenov.ru*, True -*.vasims.com*, True -*.vasorecords.com*, True -*.vassi.li*, True -*.vastudomos.cl*, True -*.vastwifi.com*, True -*.vasuarte.net*, True -*.vasum.org*, True -*.vasyapupkin123.com*, True -*.vatav.ro*, True -*.vatical.com.au*, True -*.vaticclothing.com*, True -*.vatic.com.au*, True -*.vatoslocos.ro*, True -*.vatpablo.com*, True -*.vatsap.ir*, True -*.vatzcar.com*, True -*.vaughngass.com*, True -*.vaughn.ninja*, True -*.vaughnnugent.com*, True -*.vault400.com*, True -*.vaultnet.org*, True -*.vaultnoir.com*, True -*.vaults.ca*, True -*.vaultvalet.net*, True -*.vaupotic.eu*, True -*.vautovariasi.com*, True -*.vaux.us*, True -*.vavalina.tk*, True -*.vawars.com*, True -*.va-wood.co.il*, True -*.vayannis.gr*, True -*.vaylaria.com*, True -*.vaytindung.info*, True -*.vayubags.tk*, True -*.vayxinhsaigon.com*, True -*.vazduh.co.uk*, True -*.vazhop.co.id*, True -*.vazil.in*, True -*.vazquezbianchini.com.ar*, True -*.vazquez.pro*, True -*.vba.ch*, True -*.vbarch.ch*, True -*.vbchobby.com*, True -*.vbn.md*, True -*.vbn.ro*, True -*.vbrao.com*, True -*.vbsa.at*, True -*.vbula.com.br*, True -*.vbvisuals.com*, True -*.vbvisuals.ro*, True -*.vc33.tk*, True -*.vc34.tk*, True -*.vcaptains.com*, True -*.vcarecustomer.com*, True -*.vcash.ro*, True -*.vcbx.com*, True -*.vcc58.com*, True -*.vcc64.com*, True -*.vcc73.com*, True -*.vcc74.com*, True -*.vcc82.com*, True -*.vcc92.com*, True -*.vcc94.com*, True -*.vcconsultores.com.ar*, True -*.vcgreekfestival.org*, True -*.vci.si*, True -*.vcmar.com.br*, True -*.vcoach.com.br*, True -*.vcooler.ru*, True -*.vcrdemo.com*, True -*.vcr-telecom.cl*, True -*.vcsd.ch*, True -*.vctel.com*, True -*.vcube.ca*, True -*.vcuculo.com*, True -*.vd0.co*, True -*.vdadel.nl*, True -*.vdamp.org*, True -*.vda.ro*, True -*.v-demo.web.id*, True -*.vdeos.info*, True -*.vdhdn.nl*, True -*.vdholding.ch*, True -*.vdig.com*, True -*.vdilhk.com*, True -*.vdldental.com*, True -*.vdna.be*, True -*.vd-omnimex.com.ar*, True -*.ve2reh.net*, True -*.ve3.info*, True -*.veam.com.au*, True -*.veater-carey.me.uk*, True -*.veater.me.uk*, True -*.vebbu.co*, True -*.vebpoo.com*, True -*.vecina.cl*, True -*.veconsult.cl*, True -*.vecperth.org.au*, True -*.vectah.tk*, True -*.vector-icons.com*, True -*.vectorpg.com*, True -*.vectorpg.com.br*, True -*.vectrogamers.com*, True -*.vedatech.ru*, True -*.veddigebk.com*, True -*.vedicsocietyvictoria.org.au*, True -*.vee48.net*, True -*.veedev.com.au*, True -*.veehu.net*, True -*.veemi.com*, True -*.veen.org*, True -*.ve-ferdiansyah.net*, True -*.vegaalgairen.es*, True -*.veganissimus.com*, True -*.vegarti.cl*, True -*.vegcanucks.com*, True -*.vegetableterrorism.org*, True -*.vegetable-whipping-cream.com*, True -*.veget.al*, True -*.veggiefit.ro*, True -*.vegypte.info*, True -*.vehikac.cf*, True -*.veho.com.au*, True -*.veiculoabandonado.com.br*, True -*.veiculosdoisirmaos.com.br*, True -*.veja.ro*, True -*.vejaurandir.com.br*, True -*.vejeke.net*, True -*.vekio.net*, True -*.vekotin.fi*, True -*.vektorarm.ru*, True -*.veladvis.com*, True -*.velagiovane.ch*, True -*.velaligera.com*, True -*.velasgroup.com*, True -*.velastina.com*, True -*.veleanu.ro*, True -*.v-elektrik.co.id*, True -*.velen.ch*, True -*.velezgarcia.com.ar*, True -*.velezhsp.com.ar*, True -*.velezht.com.ar*, True -*.velholobodomar.com.br*, True -*.veli4ko.ru*, True -*.velikiyustyug.ru*, True -*.veljance.tk*, True -*.velkavrh.com*, True -*.velko.id.lv*, True -*.velleda.com*, True -*.vellesaguirre.com.ar*, True -*.vell.me*, True -*.velmaxxxenterprises.com*, True -*.vel.nu*, True -*.velocity.net.my*, True -*.velocityus.biz*, True -*.velocityus.net*, True -*.velocityus.org*, True -*.velocycle.com.au*, True -*.velogear.com.au*, True -*.veloka-web.net*, True -*.velola.la*, True -*.velolife.co.za*, True -*.velomesagerul.ro*, True -*.veloshop.com.au*, True -*.velostore.com.au*, True -*.velox.com.au*, True -*.veloxcom.com.ar*, True -*.veloxinter.net*, True -*.veloxtrading.com*, True -*.veltman.ga*, True -*.velun.si*, True -*.v-email.co.uk*, True -*.vemimero.com*, True -*.vempraruabelem.net.br*, True -*.venavaluos.com*, True -*.vencomunicacionesrl.com*, True -*.vencontrols.com.ve*, True -*.vendabem.com*, True -*.vendeautos.com.br*, True -*.vendeloaca.com*, True -*.vendelstrand.se*, True -*.vendenafarmacia.com.br*, True -*.vendetta.ch*, True -*.vendevolada.com*, True -*.vendevolada.com.mx*, True -*.vendevoto.com*, True -*.vendita.ro*, True -*.vendmach.ro*, True -*.vendogomas.tk*, True -*.vendor36.ru*, True -*.vendrig.com*, True -*.venduti.it*, True -*.venduti.tk*, True -*.venenga.com*, True -*.venergold.com*, True -*.venetiandream.com*, True -*.venetie.in*, True -*.venetovillage.com.ar*, True -*.venexie.org*, True -*.venezolanos.ch*, True -*.venezuelasoft.com.ve*, True -*.venezuela.vn*, True -*.vengaserver.tk*, True -*.venhistoria.com.ve*, True -*.venitalee.com*, True -*.venivola.com.ar*, True -*.venmor.com.au*, True -*.vennoms.ro*, True -*.venom.org*, True -*.venomousword.web.id*, True -*.venrl.com*, True -*.ventaci.com.mx*, True -*.ventaci.mx*, True -*.ventana-financial.com*, True -*.ventanafinancial.com*, True -*.ventapel.com*, True -*.ventasgymsalud.cl*, True -*.ventastecno.com.ar*, True -*.ventasya21.com.ar*, True -*.venter.nom.za*, True -*.ventfort.net*, True -*.venti5.tk*, True -*.ventocity.ru*, True -*.ventol.tk*, True -*.vento.md*, True -*.ventrilox.com*, True -*.ventronllc.com*, True -*.venturaoneprojects.com*, True -*.venturehub.ro*, True -*.venturesandbox.com*, True -*.ventureswest.com*, True -*.venturesxing.com*, True -*.venueporntube.pw*, True -*.venusfactor.cf*, True -*.venusprints.in*, True -*.venvest.com*, True -*.venym.com*, True -*.veodia.com*, True -*.veoeluz.com*, True -*.veps.co.id*, True -*.vequim.cl*, True -*.ver0.ir*, True -*.ver23492949234.mobi*, True -*.veracar98.it*, True -*.verachter.ch*, True -*.veranew.com*, True -*.verant.cl*, True -*.veraport.com*, True -*.veratab.com*, True -*.veratech.net*, True -*.verayasoc.com.ar*, True -*.verbateam.net*, True -*.verbovirtual.com.br*, True -*.verbum.biz*, True -*.verbumdeibizkaia.org*, True -*.verbumdei.cl*, True -*.verdaguerjuan.com.ar*, True -*.verdana.asia*, True -*.verdana-npp.net*, True -*.verde-claudia.com*, True -*.verdeingles.com.ar*, True -*.verdelindo.com.ar*, True -*.verdeoriginal.cl*, True -*.verderecreo.co.uk*, True -*.verderincon.cl*, True -*.verdeseco.com.ar*, True -*.verdesmares.com*, True -*.verdexpress.com*, True -*.verdico-bg.com*, True -*.vereadornelson.com.br*, True -*.veresiu.ro*, True -*.vergeol.com*, True -*.vergniol.com.ar*, True -*.verheij-group.com*, True -*.verian.ca*, True -*.veridianaguarnieri.com.br*, True -*.veridiandynamics.co.za*, True -*.veriditas.org*, True -*.verificaripram.ro*, True -*.verificationbill.com*, True -*.verified.mn*, True -*.veriler.com*, True -*.verilog.ru*, True -*.verimerkezi.tk*, True -*.veriperfect.com*, True -*.verisym.com.ar*, True -*.verkehrsschule-frauenfeld.ch*, True -*.verkkoasiointi.fi*, True -*.verkkomarkkinat.fi*, True -*.verleden.org*, True -*.verlet.org*, True -*.vermeer.cl*, True -*.vermilionwords.com*, True -*.vermiponicshome.com*, True -*.vermogensplan.com*, True -*.vernut-svoi-dengi.ru*, True -*.veroderoba.cl*, True -*.verogift.com*, True -*.verogift.com.ar*, True -*.veron11.com.ar*, True -*.veronicabazan.cl*, True -*.veronicachild.com*, True -*.veronicaludington.com*, True -*.veroniquelee.com*, True -*.verouk.net*, True -*.verplaetse.org*, True -*.verrifi-bill.com*, True -*.versace.one.pl*, True -*.versaconstruction.cl*, True -*.versatilcba.com.ar*, True -*.versatodecoracao.com.br*, True -*.verschuur.co.za*, True -*.versdata.com*, True -*.versey.org*, True -*.vershinin.org.ru*, True -*.versiitecnologia.com.br*, True -*.versodemo.fi*, True -*.verstanddigital.com*, True -*.verstanddigital.com.ar*, True -*.versustravel.eu*, True -*.versus-travel.gr*, True -*.versys1000.com.br*, True -*.vertaal.tk*, True -*.vertal.com.ar*, True -*.verteazur.fr*, True -*.verte.com.my*, True -*.vertelag.com*, True -*.vertewest.com*, True -*.vertfin.com*, True -*.verticallambodoors.com*, True -*.verticalsolutions.com.ar*, True -*.verticalxtreme.com*, True -*.verticpro.com*, True -*.vertigobox.org*, True -*.vertigo.com.au*, True -*.vertigoetrex.com*, True -*.vertigo-media.gq*, True -*.vertigo-media.tk*, True -*.vertix.ml*, True -*.vertrees.org*, True -*.verts-onex.ch*, True -*.verusme.com*, True -*.verve.pt*, True -*.verwonderwijs.be*, True -*.verylight.pt*, True -*.verylittle.info*, True -*.verylofi.com*, True -*.verymad.eu*, True -*.verymad.net*, True -*.verytopsecret.info*, True -*.verzasi.cl*, True -*.vesade.nl*, True -*.vesa.fi*, True -*.vescorom.ro*, True -*.vescovi.cl*, True -*.veselaya-ferma.tk*, True -*.veselyidachnik.ru*, True -*.vesnawestbrook.com*, True -*.vespa-indonesia.or.id*, True -*.vespertinus.com*, True -*.vesportif.cl*, True -*.vesteabuna.ro*, True -*.vestidosdenovia.com.ar*, True -*.vestidosexpress.com*, True -*.vestidosexpress.com.ar*, True -*.vestigo.tk*, True -*.vestkysten.tk*, True -*.vet37.ru*, True -*.veta.su*, True -*.vetdoctor.lv*, True -*.vetepid.com*, True -*.veteransko-drustvo-sever.si*, True -*.veterinariaalberto.com.ar*, True -*.veterinarianativa.cl*, True -*.veterinariasfasis.com.ar*, True -*.vethealth.ro*, True -*.vetherapy.net*, True -*.vetherapy.org*, True -*.vetherapy.pt*, True -*.vetloc.se*, True -*.vetoncall.hk*, True -*.vetor0.com.br*, True -*.vetorlobo.com.br*, True -*.vetorzero.com*, True -*.vetorzero.com.br*, True -*.vetorzero.net.br*, True -*.vetorzero.tv*, True -*.vetprofinform.ru*, True -*.vetr0v.ru*, True -*.vets.co.il*, True -*.vetsijoki.net*, True -*.vetswithamission.com*, True -*.veturi.fi*, True -*.vetvot.ru*, True -*.vevedikolmediasx.pw*, True -*.vevfertokmedia.pw*, True -*.vewufeb.cf*, True -*.vexcast.com*, True -*.vexper.ru*, True -*.vexperts.de*, True -*.vexpress-demo.com*, True -*.veyco.com.mx*, True -*.vezn.com*, True -*.vfcontabilidade.cnt.br*, True -*.vfon.com.ar*, True -*.vfork.com*, True -*.vfw9460.com*, True -*.vgag.ca*, True -*.vganti.com*, True -*.vgate.co.uk*, True -*.vgb2.ru*, True -*.vgc2015.fi*, True -*.vgc2016.fi*, True -*.vggdigital.com.ar*, True -*.vggmunicipalidad.gob.ar*, True -*.vg.gs*, True -*.vghnursingschoolalumnae.com*, True -*.vghnursingschoolalumni.com*, True -*.vgmpp.info*, True -*.vgriz.com*, True -*.vgsoft.com.ve*, True -*.vhcorp.com*, True -*.vhfdental.com*, True -*.vhipass.net*, True -*.vhipwhip.net*, True -*.vhmcomputers.com*, True -*.vhmsllc.com*, True -*.vhomeweb.net*, True -*.v-hos.tk*, True -*.vhostsss.tk*, True -*.vhsadvd.com.ar*, True -*.vhssextapes.com*, True -*.vhstodvdbelfast.com*, True -*.vhs.tw*, True -*.vhutambo.co.za*, True -*.vhutemas.org*, True -*.viabiliinvest.com*, True -*.viabilinvest.com*, True -*.viacarmultimarcas.com.br*, True -*.viacustik.cl*, True -*.viadev.net*, True -*.viadisplay.com.ar*, True -*.viagelistobrasil.com.br*, True -*.viagelistobrasil.net.br*, True -*.viagelistobrasil.tur.br*, True -*.viagemcerto.com.br*, True -*.viagemcerto.net.br*, True -*.viagemcerto.tur.br*, True -*.viagemlistobrasil.com.br*, True -*.viagemlistobrasil.net.br*, True -*.viagemlistobrasil.tur.br*, True -*.viagempronto.com.br*, True -*.viagempronto.net.br*, True -*.viagempronto.tur.br*, True -*.viagemviva.com.br*, True -*.viagensesexo.com*, True -*.viagenslisto.com.br*, True -*.viaglobal.cl*, True -*.viagraon-line.net*, True -*.viah1.com*, True -*.viajarenbus.com.ve*, True -*.viajaresunarte.com*, True -*.viajecerto.net.br*, True -*.viajecerto.tur.br*, True -*.viajeesferico.com*, True -*.viajeesferico.es*, True -*.viajelistobrasil.com.br*, True -*.viajelistobrasil.net.br*, True -*.viajelistobrasil.tur.br*, True -*.viajelisto.net.br*, True -*.viajelisto.tur.br*, True -*.viajeshuicho.com*, True -*.viajesmijura.es*, True -*.viajesydisfrutes.com.ve*, True -*.vialan.su*, True -*.vialtosca.com.ar*, True -*.viamichelin.com.br*, True -*.viamisoftware.com*, True -*.viamura.at*, True -*.viamura.com*, True -*.viamura.de*, True -*.viamura.eu*, True -*.viamura.info*, True -*.viamura.si*, True -*.viamusik.com*, True -*.viana.pro*, True -*.vian.cl*, True -*.viandedegaule.eu*, True -*.vianettelecom.ro*, True -*.vianocnaponozka.sk*, True -*.viany.cf*, True -*.viapoli.com*, True -*.viapoli.pt*, True -*.viaprevia.com*, True -*.viarmotorsumut.com*, True -*.viaroma-carouge.ch*, True -*.via.sg*, True -*.viatacolorata.ro*, True -*.viatafrumoasa.ro*, True -*.viatainviteza.ro*, True -*.viatemperley.com.ar*, True -*.viavia9.com*, True -*.vibecape.com*, True -*.vibeclip.com*, True -*.vibecomics.com*, True -*.vibecomics.co.za*, True -*.vibecomics.org*, True -*.vibecomix.com*, True -*.vibecomix.co.za*, True -*.vibedigital.co.za*, True -*.vibeedutainment.com*, True -*.vibeedutainment.co.za*, True -*.vibeentertainment.co.za*, True -*.vibegames.co.za*, True -*.vibelearning.co.za*, True -*.vibemedia.ro*, True -*.vibemovie.co.za*, True -*.vibemusic.co.za*, True -*.viberadio.co.za*, True -*.vibestereo.com*, True -*.vibetalent.co.za*, True -*.vibetext.com*, True -*.vibetutor.com*, True -*.vibetutor.co.za*, True -*.vibetv.co.za*, True -*.vibe-tv.tv*, True -*.vibeyouth.co.za*, True -*.vibhk.com*, True -*.vibizconsulting.com*, True -*.vibizconsultinggroup.com*, True -*.vibizdaily.com*, True -*.vibizexclusivepropertyservice.com*, True -*.vibizhope.com*, True -*.vibizlearning.com*, True -*.vibizmedia.com*, True -*.vibizmedianetwork.com*, True -*.vibiznews.co.id*, True -*.vibizoutbound.com*, True -*.vibizportal.com*, True -*.vibizproperty.com*, True -*.vibizsalesacademy.co.id*, True -*.vibotv.com*, True -*.vibrantbud.com*, True -*.vibrantweed.com*, True -*.vibrata.net*, True -*.vibratorseks.com*, True -*.vibtech.eu*, True -*.vicaccom.com.au*, True -*.vicall.net*, True -*.vicari-deco.ch*, True -*.vicarious.com.ar*, True -*.vicbass.cl*, True -*.vicbusiness.com.au*, True -*.viccmp.com*, True -*.viccs.my*, True -*.vicenda.co.za*, True -*.vicentehraste.cl*, True -*.v-ice.ru*, True -*.viceversaconsulting.com*, True -*.vichycosmetics.ru*, True -*.vichy-shop.ru*, True -*.viciana.ch*, True -*.vicidial.ro*, True -*.vici.kz*, True -*.vicinanza.org*, True -*.vicioemania.com*, True -*.vicious.pt*, True -*.vickerysound.com.au*, True -*.vicky2001.com*, True -*.vickymather.co.uk*, True -*.vickytruss.com*, True -*.vico.co.za*, True -*.vicont.bg*, True -*.vicontmeats.bg*, True -*.vicouscorp.com*, True -*.vicouscorp.in*, True -*.vicpc.net*, True -*.vicrail.net*, True -*.vicross.net*, True -*.victaulic-fmc.com*, True -*.victorahn.com*, True -*.victorboaretto.com*, True -*.victorgv.tk*, True -*.victoriaconstruct.ro*, True -*.victoriadarvai.ro*, True -*.victoriagaming.ca*, True -*.victoriagaming.com*, True -*.victorialakeclub.co.za*, True -*.victorialuka.com.ar*, True -*.victoriansense.com*, True -*.victoriosolazzi.com.ar*, True -*.victorpereira.adv.br*, True -*.victortorres.com.ar*, True -*.victorygospelchapel.org*, True -*.victoryinsulators.com*, True -*.victorymarine.fi*, True -*.victorymines.com.au*, True -*.victorymineslimited.com.au*, True -*.victoryminesltd.com.au*, True -*.victoryneighborhood.com*, True -*.victory-temple.org*, True -*.victorzaharia.ro*, True -*.victrixnet.com*, True -*.vicunaycia.cl*, True -*.vid3d.com*, True -*.vidacampestre.com.br*, True -*.vidaescorts.co.uk*, True -*.vidageek.com*, True -*.vidalinux.com*, True -*.vidalinux.net*, True -*.vidalinux.org*, True -*.vidanativa.cl*, True -*.vidaplenamarilia.com.br*, True -*.vidasaudavelparavoce.com*, True -*.vidasrecicladas.org*, True -*.vidawave.com*, True -*.videcruit.com*, True -*.videgar.com.ar*, True -*.video27.ru*, True -*.videobua.com*, True -*.videocat-wen.ru*, True -*.videocell.co.za*, True -*.videochat-com.ru*, True -*.video-cheat.ru*, True -*.videoclipa.com*, True -*.videocollectables.com*, True -*.videoconference.hk*, True -*.videoconnect.ro*, True -*.videocorsi.ch*, True -*.videocourse.ch*, True -*.videoculinar.ro*, True -*.videodillers.com*, True -*.video-fotografija.gq*, True -*.video-fotografija.tk*, True -*.videokurse.ch*, True -*.video-lab.net*, True -*.video-land.ch*, True -*.videolengkap.com*, True -*.video-licini.ch*, True -*.videolinks.ru*, True -*.videomobo.com*, True -*.videonoleggiocarygrant.it*, True -*.videoo.info*, True -*.videopast.com*, True -*.videopharmacy.com*, True -*.videophim.net*, True -*.videoscribe.my*, True -*.videosearch.com*, True -*.videosex.pw*, True -*.videoshare.ch*, True -*.videospeed.cl*, True -*.video-sport.pl*, True -*.videostreamfactory.com*, True -*.videotante.com*, True -*.videothek.to*, True -*.videotraining.biz*, True -*.videotrainingservices.com*, True -*.videotrainingservices.com.au*, True -*.videotube.ml*, True -*.videounlimit.com*, True -*.videowallsmelbourne.com*, True -*.videoyy.com*, True -*.vide-visa.ch*, True -*.videx.com.ar*, True -*.vidify.ga*, True -*.vidio.cf*, True -*.vidi.to*, True -*.vidostravel.com*, True -*.vidsling.com*, True -*.vidyo-cat.ru*, True -*.vi-echo.ch*, True -*.vieconsult.ch*, True -*.vieconsult-portal.at*, True -*.vieira.es*, True -*.vieirarepres.com.br*, True -*.vieiras.net*, True -*.viejasherramientas.com.ar*, True -*.vielegali.com*, True -*.vielegali.eu*, True -*.vienmat.tk*, True -*.viennastay.at*, True -*.viento5.com.ar*, True -*.vienzent.cf*, True -*.vieolshop.tk*, True -*.viepep.com*, True -*.vierjahreszeitenriehen.ch*, True -*.viernesfeliz.com*, True -*.viestarts.lv*, True -*.vietbee.net*, True -*.vietbloghay.com*, True -*.vietembed.com*, True -*.vietnam7.com*, True -*.vietnamesefoods.net*, True -*.vietnamesevisa.org*, True -*.vietnam-esports.ga*, True -*.vietnamonlinevisa.com*, True -*.vietnam.ro*, True -*.vietnam-tours.us*, True -*.vietnamunterkunft.de*, True -*.vietnamvodoi.com*, True -*.vietphpfox.com*, True -*.view588.com*, True -*.viewbourse.com*, True -*.viewgate.tk*, True -*.viewlogix.com*, True -*.viewpoint.co.il*, True -*.vieyraviajes.com.ar*, True -*.vigilancia-trigenius.tk*, True -*.viglizzo.com.ar*, True -*.vigne-blanche.ch*, True -*.vignefornasari.it*, True -*.vigo.ch*, True -*.vigo-transforma.com*, True -*.vigotransforma.com*, True -*.vigotransforma.es*, True -*.viharsarok.ro*, True -*.viialaseura.fi*, True -*.viiic.net*, True -*.viitor-programator.ro*, True -*.viivijavilpertti.fi*, True -*.viiv.tw*, True -*.vijayawada.ml*, True -*.vijaymasala.com*, True -*.vijays.com.np*, True -*.vijela.com*, True -*.vijverberg.nu*, True -*.vijverb.nl*, True -*.viki.gq*, True -*.vikingbild.se*, True -*.vikinggameboats.com.au*, True -*.vikinggroup.net*, True -*.vikingoba.com.ar*, True -*.vikk.cz*, True -*.viktand.ru*, True -*.viktor.com.br*, True -*.viktor-timofeev.ru*, True -*.vila-ajda.si*, True -*.vila-arba.com*, True -*.vilaaura.ro*, True -*.vilacocora.ro*, True -*.vila.com.ar*, True -*.vilacomputers.net*, True -*.vilaflorin.ro*, True -*.vilaka.com*, True -*.vilaroby.ro*, True -*.vilat.net*, True -*.vilceana.ro*, True -*.viljas.net*, True -*.villa1001.com*, True -*.villacamilla.com*, True -*.villacastella.com.br*, True -*.villacatalunya.com.br*, True -*.villacruiser.com*, True -*.villadata.se*, True -*.villaditrevi.com.br*, True -*.villaentreolivos.com*, True -*.villageguitars.co.uk*, True -*.villageoptometry.ca*, True -*.villagevet.co*, True -*.villagevets.co*, True -*.villahanyomibatu.com*, True -*.villahi.com.mx*, True -*.villainaustria.com*, True -*.villain.ga*, True -*.villainopatija.com*, True -*.villalon.cl*, True -*.villamagnia.ro*, True -*.villanorwayresort.com*, True -*.villaparkfontein.nl*, True -*.villaro.es*, True -*.villarscleaning.com*, True -*.villasante.cl*, True -*.villasontheharbor.com*, True -*.villatamara.com*, True -*.villaterttula.fi*, True -*.villatorrisi.it*, True -*.villaunion.com.ar*, True -*.villavierela.fi*, True -*.villemin.ch*, True -*.villespot.com*, True -*.villu.cf*, True -*.villu.ga*, True -*.villu.gq*, True -*.villu.ml*, True -*.villuorav.gq*, True -*.villuorav.tk*, True -*.villu.tk*, True -*.viloconecta.com.ar*, True -*.vil.to*, True -*.vil.xyz*, True -*.vima.co.id*, True -*.vimaga.com.ve*, True -*.vi-market.com*, True -*.vimedkic.cf*, True -*.vimgpro.com*, True -*.vimo.cl*, True -*.vimtoarabia.com*, True -*.vimxcoder.com*, True -*.vinacf.com*, True -*.vinagresantos.eu*, True -*.vina-metlika.si*, True -*.vinapovh.com*, True -*.vinarialuitudor.ro*, True -*.vinario.com.ar*, True -*.vinayaprabha.com*, True -*.vinca.pl*, True -*.vincefry.com*, True -*.vincentbaldocchi.com*, True -*.vincentflesouras.com*, True -*.vincentfourie.com*, True -*.vincent-grenadines.com*, True -*.vincentkwok.hk*, True -*.vincentponton.com*, True -*.vincentv-v.com*, True -*.vincenzolongo.it*, True -*.vincepanozzo.com*, True -*.vincerosso.net*, True -*.vincesalvati.com*, True -*.vinceshome.com*, True -*.vinceterranova.net*, True -*.vinceye.com*, True -*.vincisrl.com.ar*, True -*.vindecoderz.com*, True -*.vindel.ro*, True -*.vindel.tk*, True -*.vindenunta.ro*, True -*.vindeocazie.ro*, True -*.vindepetrecere.ro*, True -*.vindeydc.cf*, True -*.vineel.in*, True -*.vinexs.com*, True -*.vingyo69.com*, True -*.vinhaes.net*, True -*.vinhant.com*, True -*.vinho.net.br*, True -*.vinilodiscos.com.ar*, True -*.viniseoutrascoisas.com*, True -*.vinita.ru*, True -*.vinithidesign.com.br*, True -*.vinnari.com*, True -*.vinnikov.su*, True -*.vinoigristoe.com*, True -*.vinoigristoe.ru*, True -*.vinom.net*, True -*.vinoniv.com*, True -*.vinoniv.net*, True -*.vinoporcopa.es*, True -*.vinorodrigues.com*, True -*.vinoteka-sodcek.si*, True -*.vinson.ro*, True -*.vint8.com*, True -*.vintage66.ga*, True -*.vintagealbuquerque.org*, True -*.vintagefenderamplifiers.com*, True -*.vintagepickins.com*, True -*.vintagepickns.com*, True -*.vintagepostcardtees.com*, True -*.vintagespeed.com.au*, True -*.vintagesquirrels.net*, True -*.vintar.si*, True -*.vintec.mx*, True -*.vinter5.org*, True -*.vintermedia.com*, True -*.vinti98.com*, True -*.vints.org*, True -*.vinuri-cotesti.ro*, True -*.vinurihusi.com*, True -*.vinuri-personalizate.ro*, True -*.vinvin.co*, True -*.vinylcode.com*, True -*.vinylcode.net*, True -*.vinylmp3.net*, True -*.vioconsulting.com*, True -*.vioconsulting.org*, True -*.violamia.com.ar*, True -*.violanjo.com*, True -*.violates.me*, True -*.violates.us*, True -*.viole.ch*, True -*.violencemu.com*, True -*.violetak.com.ar*, True -*.violetchan.org*, True -*.violetdepil.com.br*, True -*.violet.la*, True -*.violetserv.com*, True -*.violettasteclub.com*, True -*.violinlessonstoronto.com*, True -*.viona.cf*, True -*.viona.ga*, True -*.viona.gq*, True -*.viona.ml*, True -*.viona.tk*, True -*.vioricapetrovici.ro*, True -*.viospeed.info*, True -*.vioss.web.id*, True -*.vip0809.com*, True -*.vip102.com*, True -*.vip3ads.net*, True -*.vipautosroig.es*, True -*.vip-brands.com*, True -*.vipchehov.ru*, True -*.vipergps.ro*, True -*.vipez.org*, True -*.vipfile.ga*, True -*.viphan.com.br*, True -*.vip.hk*, True -*.vip-ho.com*, True -*.vipibizavipbrasil.com.br*, True -*.vipibizavip.com.br*, True -*.vipies.net*, True -*.vipishere.com*, True -*.vip-kiss.com*, True -*.vipkone.fi*, True -*.vip-lf.com*, True -*.vipmarketing.eu*, True -*.vipmedtour.com*, True -*.vipmovil.cl*, True -*.vipmovs.com*, True -*.vipon.ca*, True -*.vippitili.fi*, True -*.vip-proto.rs*, True -*.vipuljain.in*, True -*.vipunderground.org*, True -*.vip-vo.com*, True -*.viradev.ir*, True -*.virage.mx*, True -*.viralplace.org*, True -*.viralshift.net*, True -*.viralyay.com*, True -*.virant.net*, True -*.viratech.tk*, True -*.virbrand.asia*, True -*.virchik.ru*, True -*.virg0.org*, True -*.virginiabass.com*, True -*.virginislands.co.za*, True -*.virgo.fi*, True -*.virgous.biz*, True -*.viridianmicrogrid.com*, True -*.virine.web.id*, True -*.virjoesdottd.tk*, True -*.virl.ru*, True -*.virnext.com*, True -*.virrigamamma.se*, True -*.virt2-ipv6.tk*, True -*.virt-cam.ru*, True -*.virtconmedia.ro*, True -*.virtip.tk*, True -*.virtopia.org*, True -*.virt.ro*, True -*.virtualaddiction.net*, True -*.virtual-address.com*, True -*.virtualbooks.ro*, True -*.virtualcash.ro*, True -*.virtual-cities.net*, True -*.virtualconfusion.net*, True -*.virtual-data.info*, True -*.virtualdata.me*, True -*.virtualdemos.com.ar*, True -*.virtualesoficinas.com.mx*, True -*.virtual-foundry.net*, True -*.virtual-homelab.net*, True -*.virtual-id.com.ar*, True -*.virtualin-houseaccounting.com*, True -*.virtualin-house.com*, True -*.virtualinhouse.com*, True -*.virtualin-houseit.com*, True -*.virtualin-houselaw.com*, True -*.virtualinhouselawyer.com*, True -*.virtualin-houselegal.com*, True -*.virtualinhouselegal.com*, True -*.virtualinsanity.com.ar*, True -*.virtualinterworks.net*, True -*.virtuality.cl*, True -*.virtualizationexpert.de*, True -*.virtualizationexperts.de*, True -*.virtualizationspecialist.de*, True -*.virtualizationspecialists.de*, True -*.virtualizationteam.de*, True -*.virtualizationteams.de*, True -*.virtuallab.cf*, True -*.virtuallawyer.hk*, True -*.virtual-learning.at*, True -*.virtuallegalin-house.com*, True -*.virtualline.com.ar*, True -*.virtualmagazine.ro*, True -*.virtualmedica.com*, True -*.virtualmon.tk*, True -*.virtualoficina.com.mx*, True -*.virtualpowerstation.com.au*, True -*.virtual-server.ro*, True -*.virtualsiam.com*, True -*.virtualslugbug.com*, True -*.virtualspace.ro*, True -*.virtualvisit.us*, True -*.virtual-weltanschauung.info*, True -*.virtual-weltanschauung.org*, True -*.virtuania.com*, True -*.virtueevents.com.my*, True -*.virtuoselinux.net*, True -*.virtuousrealm.net*, True -*.virtus.web.tr*, True -*.virtuway.com*, True -*.viruglio.com.ar*, True -*.virusalert.asia*, True -*.virus.blue*, True -*.virusbustersllc.com*, True -*.virusmovis.tk*, True -*.virusremovalbelfast.com*, True -*.virux.ro*, True -*.visacloud.org*, True -*.visague.pt*, True -*.visalawyer.co.uk*, True -*.visalea.cl*, True -*.visand.ro*, True -*.visan.tk*, True -*.visaovirtual.net.br*, True -*.visatovietnam.com*, True -*.viser.ch*, True -*.vishalsharma.com.np*, True -*.vishvendra.tk*, True -*.vishwakarmasfurniture.com*, True -*.visibleair.com*, True -*.visibleblue.net*, True -*.visijobs.com*, True -*.visine4rx.com*, True -*.visineyedrops.com*, True -*.visio.hu*, True -*.visional.pt*, True -*.visioncoco.com*, True -*.visiondelsur.cl*, True -*.visionforutopia.com*, True -*.visiongraf.com.mx*, True -*.visionleds.com*, True -*.vision-moments.com*, True -*.visionnet.co.za*, True -*.visionofearth.org*, True -*.visionordi.com*, True -*.visionordi.info*, True -*.visionovni.com.ar*, True -*.visiontrans.ro*, True -*.visitalbufeira.pt*, True -*.visite.es*, True -*.visitgeres.com*, True -*.visitkarakol.com*, True -*.visitorsguidenyc.com*, True -*.visitpalace.xyz*, True -*.visitplayeat.com*, True -*.visitriga.com*, True -*.visittallinn.com*, True -*.viskovicfamily.tk*, True -*.visotica.com.br*, True -*.visoticadf.com.br*, True -*.visper.net*, True -*.vistaborna.biz*, True -*.vistaborna.com*, True -*.vistaborna.ir*, True -*.vistamulia.com*, True -*.vistaport.com*, True -*.vista-se.org*, True -*.vistasuaideia.com.br*, True -*.vistnet.com*, True -*.vistnet.net*, True -*.vistud.ro*, True -*.visualed.com.ar*, True -*.visualindividuals.com*, True -*.visualizeweb.com*, True -*.visualnew.com*, True -*.visualvocab.net*, True -*.vita22.ml*, True -*.vita22.tk*, True -*.vitacost.fi*, True -*.vitacuramedios.cl*, True -*.vitaetempus.com*, True -*.vitagenomics.com*, True -*.vitalaya.com*, True -*.vitalchemistry.com*, True -*.vital-emedia.com*, True -*.vitalik.org*, True -*.vitality-alliance.com*, True -*.vitality-beautyshop.com*, True -*.vitalliveiculos.com.br*, True -*.vitalnet.cl*, True -*.vitalsignsseattle.com*, True -*.vitamina.com.ar*, True -*.vitaminagroup.com.ar*, True -*.vitaminavip.com.ar*, True -*.vitanlab.ro*, True -*.vitann.ru*, True -*.vitapie.cl*, True -*.vitawealthpartners.com*, True -*.vitbiomed.com*, True -*.vitbiomed.info*, True -*.vitdam.net*, True -*.vitech.com.my*, True -*.vitedeschi.com*, True -*.vitkevicius.lt*, True -*.vitoesposito.com*, True -*.vitor.eti.br*, True -*.vitoriatech.com*, True -*.vitoriatech.com.br*, True -*.vitrerie-nouvelle.ch*, True -*.vitrorock.com.ar*, True -*.vitruvio.cl*, True -*.vitsinc.net*, True -*.vittoretti.it*, True -*.vittoriasportingfutsal.it*, True -*.vittorioromeo.info*, True -*.viu.com.ar*, True -*.viureguesthouse.com*, True -*.vivace.ca*, True -*.vivafm.ro*, True -*.vivalacrisis.com*, True -*.vivalink.org*, True -*.vivanapoli.it*, True -*.vivash.co.uk*, True -*.vivat-consult.ru*, True -*.vivatec.hk*, True -*.vivatrader.com*, True -*.vivatrans.ru*, True -*.vivebienvivemas.com*, True -*.vivekadhikari.com.np*, True -*.vivekaworld.com*, True -*.vivendamoveis.com.br*, True -*.vivendistore.com.ar*, True -*.vive.pw*, True -*.viveroallgreen.com.ar*, True -*.vives.cl*, True -*.vivesoap.com*, True -*.vivesur.es*, True -*.vivetumexico.com*, True -*.viviananotari.com.ar*, True -*.viviandowney.com*, True -*.vivianshaw.com*, True -*.vivibeauty-store.com*, True -*.vividacity.com*, True -*.vividapps.biz*, True -*.vividbox.com*, True -*.viv.id.lv*, True -*.vivienandjames.com*, True -*.vivierfamily.com*, True -*.viviewangbrides.com*, True -*.vivilo.com.ar*, True -*.vivi.ml*, True -*.viviparana.com*, True -*.vivirdeviaje.net*, True -*.viv-isomatic.com*, True -*.vivmar-party.ro*, True -*.vixenlights.com*, True -*.vix.ro*, True -*.viyu.com.ar*, True -*.vizeum.com.tw*, True -*.vizgazfutesszerelo.com*, True -*.vizon.com.tr*, True -*.vizondergisi.com*, True -*.vizondergisi.com.tr*, True -*.vizonmagazine.com*, True -*.vizonmag.com*, True -*.vizonshow.com*, True -*.vizonshow.net*, True -*.vizonshow.org*, True -*.vjeran.com*, True -*.vjohn.tk*, True -*.vjplanificacion.cl*, True -*.vjts.com*, True -*.vjz224.us*, True -*.vk3lol.com*, True -*.vk4jrc.com.au*, True -*.vk4mtj.com.au*, True -*.vk5microwave.net*, True -*.vk6fb.net*, True -*.vk7hch.org*, True -*.vkagent.ru*, True -*.vkhacker.ru*, True -*.vkk36.com*, True -*.vkk79.com*, True -*.vkk82.com*, True -*.vknowmagz.info*, True -*.vkool.xyz*, True -*.vkpandey.com.np*, True -*.vkr-zuchwil.ch*, True -*.vk.sg*, True -*.vl-125.tk*, True -*.vlaciky.com*, True -*.vladcond.ru*, True -*.vladeasa.ro*, True -*.vladescu-olt.com*, True -*.vladimir-kondratenko.info*, True -*.vladimir.me*, True -*.vladmarica.net*, True -*.vlad.md*, True -*.vladomusic.cf*, True -*.vladushkin.ru*, True -*.vlagor-iptv.com*, True -*.vlagtwedde.net*, True -*.vlaicu.ro*, True -*.vlainc.ca*, True -*.vlasnn.com*, True -*.vlastepedia.ru*, True -*.vlatkodavidovski.com*, True -*.vlcdirect.com*, True -*.vlestudio.com.ar*, True -*.vliegtickets.nu*, True -*.vliethuys.com*, True -*.vlnavsbreh.cz*, True -*.vlnk.tk*, True -*.vlnto.com*, True -*.vlogvilag.hu*, True -*.vlontakte.com*, True -*.vlotisfamily.com*, True -*.vlovmx.com*, True -*.vlxuk.com*, True -*.vmadmin.ro*, True -*.vmarine.com.au*, True -*.vmatte.com*, True -*.vmbc.com.au*, True -*.vmcdroid.com*, True -*.vmcs.com.my*, True -*.vmirenews.ru*, True -*.vmire-x.ru*, True -*.vmkmed.ru*, True -*.vmoydom.com*, True -*.vmp3.cf*, True -*.vmpanda.com*, True -*.vmp-canada.com*, True -*.vmpgroup.ca*, True -*.vmpgroup.com*, True -*.vmph.ru*, True -*.vmradvogados.com.br*, True -*.vmsinc.net*, True -*.vmsupports.com*, True -*.vmvault.org*, True -*.vmwareblogs.com*, True -*.vmwareitacademy.com*, True -*.vmwareitacademy.info*, True -*.vmwareitacademy.net*, True -*.vmwareitacademy.org*, True -*.vmwareitacademy.us*, True -*.vmwareyedekleme.net*, True -*.vmworld.it*, True -*.vnad.net*, True -*.vnaingirl.com*, True -*.vnaoe.com*, True -*.vncas.com*, True -*.vnce-inc.com*, True -*.vnceinc.com*, True -*.vncenet.com*, True -*.vn-creepypasta.cf*, True -*.vndemons.net*, True -*.vndl.com*, True -*.vndragon1102.com*, True -*.vnedkov.com*, True -*.vneshop.com*, True -*.vnetpublishing.com*, True -*.vneworld.com*, True -*.vn-group.net*, True -*.vngrupo.com*, True -*.vngrupo.net*, True -*.vngrupo.org*, True -*.vnl.cc*, True -*.vnlinux.org*, True -*.vnlla.tk*, True -*.vnlove.net*, True -*.vnmobile.us*, True -*.vnn22.com*, True -*.vnn33.com*, True -*.vnn44.com*, True -*.vnn55.com*, True -*.vnn66.com*, True -*.vnode.pl*, True -*.vnpower.net*, True -*.vnprivate.com*, True -*.vns3x.com*, True -*.vnstar.net*, True -*.vnstar.org*, True -*.vntp.com*, True -*.vntransport.biz*, True -*.vntransport.com*, True -*.vntransport.info*, True -*.vnvui.com*, True -*.vnwap.asia*, True -*.vnwcash.com*, True -*.vo3.org*, True -*.vo70.ru*, True -*.voapk.net*, True -*.voborsky.name*, True -*.vocably.us*, True -*.vocalgogoboys.com.br*, True -*.vocalize.mus.br*, True -*.vocaltransit.com*, True -*.voceeodinheiro.com.br*, True -*.vodafone-sicherheitszentrale.de*, True -*.vodafoone.net*, True -*.vodais.com*, True -*.vodehar.com*, True -*.vod.hk*, True -*.vodhk.tv*, True -*.vodkalibrary.com*, True -*.vodka-pomme.net*, True -*.vodoprom.ru*, True -*.vodtel.com*, True -*.voecota.com.br*, True -*.voeding.co.za*, True -*.voegtlisa.ch*, True -*.vogelspinnen.net*, True -*.vogen.info*, True -*.voglar.si*, True -*.voglo.com*, True -*.vogoa.com*, True -*.voguedesign.net.au*, True -*.vogueluxhk.com*, True -*.vohe.com.ar*, True -*.vohns.com*, True -*.voiceador.org.uk*, True -*.voicecallusa.com*, True -*.voice.com.pk*, True -*.voice.ga*, True -*.voice-ink.com*, True -*.voice-lessons.eu*, True -*.voicenger.fi*, True -*.voiceovernet.com.ar*, True -*.voicesharp.net*, True -*.voicesland.com*, True -*.voidbits.com*, True -*.voidcast.net*, True -*.voidgate.org*, True -*.voidmind.info*, True -*.voidnothings.com*, True -*.voidover.tk*, True -*.void.st*, True -*.voipchile.cl*, True -*.voipecuador.net*, True -*.voipgeek.net*, True -*.voipri.com*, True -*.voipsecuritytraining.com*, True -*.voipserver.ir*, True -*.voise.jp*, True -*.voisins4.org*, True -*.voitel.com.ar*, True -*.voitra.com*, True -*.volamdalat.tk*, True -*.volamtrungnguyen.net*, True -*.volantespublicitarios.cl*, True -*.volare.com.my*, True -*.volcano.net.br*, True -*.volden.us*, True -*.voleirio.com.br*, True -*.volera.cc*, True -*.volerparapente.com.ar*, True -*.voles35.ru*, True -*.volfeu.ch*, True -*.volgcmk.ru*, True -*.volguein.com.ar*, True -*.voliani.com*, True -*.volim.net*, True -*.volkano.com.ar*, True -*.volkartholzboeden.ch*, True -*.volkno.com.ar*, True -*.volkno.net*, True -*.volkov.ca*, True -*.volkswagenrescue.com*, True -*.volkszaehler.org*, True -*.volktek.jp*, True -*.volleydupied.ch*, True -*.vollrina.ch*, True -*.volneimorastoni.com.br*, True -*.volnorez.tk*, True -*.volo.cf*, True -*.vologda-it.ru*, True -*.volperts.com*, True -*.volphied.com*, True -*.voltage.nz*, True -*.voltaje.mx*, True -*.voltboard.com*, True -*.voltbot.com*, True -*.voltcompvp.com*, True -*.voltiosys.com*, True -*.voltman.co.za*, True -*.voltronic.cl*, True -*.volume.bg*, True -*.volumexp.xyz*, True -*.voluntariosvn.com.ar*, True -*.voluntaristbay.tk*, True -*.volunteermongolia.com*, True -*.volunteersforthailand.com*, True -*.voluntersnepal.org*, True -*.volusiaplex.com*, True -*.volvar.info*, True -*.volvo1800es.com*, True -*.vomhutkimedia.pw*, True -*.vomuan.com*, True -*.vomy.com*, True -*.vomytdaug.biz*, True -*.vomytdaug.com*, True -*.vomytdaug.info*, True -*.vonbroembsen.net*, True -*.vondata.com.ar*, True -*.vondef.com*, True -*.vongraffenried.com*, True -*.vongr.ch*, True -*.vonmuhlenbrock.com*, True -*.vonzakft.com*, True -*.voodoohax.com*, True -*.voodoomystic.com*, True -*.voomee.com*, True -*.voomi.com*, True -*.voomie.com*, True -*.voomy.com*, True -*.voorl.com*, True -*.vootxtbrasil.com*, True -*.voowoo.de*, True -*.vopap.ca*, True -*.voplyk.sk*, True -*.vopros.kz*, True -*.vopsilux.ro*, True -*.vorcek.com*, True -*.vorganize.com*, True -*.vorktanamo.com*, True -*.vormav.com*, True -*.voro-corp.com.ar*, True -*.vorov-net.ru*, True -*.vorsteuerverguetungsverfahren.com*, True -*.vortech.com.ar*, True -*.vortechsgaming.com*, True -*.vortexhub.tk*, True -*.vortexsystems.net*, True -*.vorticegeopolitico.com.ar*, True -*.vortoclan.co.uk*, True -*.vor.vc*, True -*.vorzen.com*, True -*.vos.io*, True -*.vos.la*, True -*.vosmas.com*, True -*.vossreedstein.com*, True -*.voster.ru*, True -*.vostok-mash.ru*, True -*.vota.net*, True -*.votani.gr*, True -*.voteco.in*, True -*.votersparty.net*, True -*.votesense.com*, True -*.votesense.org*, True -*.vote-track.com*, True -*.vothuong.com*, True -*.votocolimense.com*, True -*.votolibre.com*, True -*.votovinculante.cl*, True -*.votre-location-en-martinique.fr*, True -*.votuclass.com.br*, True -*.votuprint.com.br*, True -*.voucherasset.com*, True -*.vouchercodes.pro*, True -*.voucher-game.web.id*, True -*.vouchernation.com*, True -*.vouchernation.co.uk*, True -*.vouchers-online.com*, True -*.voudouris.org*, True -*.voupararderoncar.com.br*, True -*.vouprobar.com*, True -*.vovinamchuprong.com*, True -*.vowgol.com.br*, True -*.voxadam.com*, True -*.voxanon.net*, True -*.voxelperfect.org*, True -*.voxelsoft.com*, True -*.voxgaming.net*, True -*.voxnowstudios.com*, True -*.voxpoli.com*, True -*.vox.si*, True -*.voyagebaikal.ru*, True -*.voyageonline.co.uk*, True -*.voyage-promos.com*, True -*.voyagesamoreira.ch*, True -*.voyagesmachado.ch*, True -*.voydanoff.com*, True -*.voyez.ca*, True -*.voz.com.ar*, True -*.vozdigital.cl*, True -*.vozila.si*, True -*.vozimgruzy.ru*, True -*.vozipchile.cl*, True -*.vozite.si*, True -*.vozoperario.pt*, True -*.vpeti.com*, True -*.vpi1.us*, True -*.vpizde.info*, True -*.vpizde.org*, True -*.vplan.tk*, True -*.vpn12.cf*, True -*.vpn12.ga*, True -*.vpn12.ml*, True -*.vpn6.eu*, True -*.vpnforall.ga*, True -*.vpngateway.co*, True -*.vpnkaka.tk*, True -*.vpn-ku.tk*, True -*.vpnman.ir*, True -*.vpnmasterusa.net*, True -*.vpnme.cf*, True -*.vpnpower.net*, True -*.vpnsim.com*, True -*.vpnsimulator.com*, True -*.vpns.tk*, True -*.vpntamvan.tk*, True -*.vpn-tld.tk*, True -*.vpnto.me*, True -*.vpn-tunnel.ru*, True -*.vpnx.ga*, True -*.vpnx.nl*, True -*.vpnyo.ga*, True -*.vpnyoga.tk*, True -*.vpnzie.cf*, True -*.vpredmete.ru*, True -*.vpsbox.info*, True -*.vpsku.be*, True -*.vpsplans.tk*, True -*.vpsuser.info*, True -*.vpvp.us*, True -*.vr2.co.za*, True -*.vr2fun.net*, True -*.vradu.ro*, True -*.vrancea.org*, True -*.vraptor.com.br*, True -*.vraptorframework.com.br*, True -*.vraptor.org*, True -*.vraptors.cl*, True -*.vratsa24.com*, True -*.vrbanec.com*, True -*.vr-center.biz*, True -*.vrco.cl*, True -*.vrcpro.co.za*, True -*.vrealm.org*, True -*.vrecia.sk*, True -*.vredu.si*, True -*.vremea365.com*, True -*.vremeadintara.com*, True -*.vremeaonline10.com*, True -*.vremeaonlinemeteo.com*, True -*.vremeax.ro*, True -*.vremenska.si*, True -*.vreng.us*, True -*.vreyesd.com*, True -*.vrgprofin.ro*, True -*.vrhpolje.si*, True -*.vriesit.com*, True -*.vrijzinnighumanisme.be*, True -*.vritant.com*, True -*.vr.lt*, True -*.vrmath.net*, True -*.vrmkorea.com*, True -*.vrmtr.com*, True -*.vrnges.ru*, True -*.vrn.li*, True -*.vronskiy.com*, True -*.vronskiy.ru*, True -*.vronsky.com*, True -*.vrsanitary.com*, True -*.vrtec-bled.si*, True -*.vrtecng.si*, True -*.vrtnica.si*, True -*.vrtnice.si*, True -*.vs2soft.com*, True -*.vs-adaptation.ru*, True -*.vsanteam.info*, True -*.vsdev.biz*, True -*.vsecheats.ru*, True -*.vsekopii.com*, True -*.vsemgadget.ru*, True -*.vsempomp3.ru*, True -*.vsgu.ch*, True -*.vsherbina.ru*, True -*.vsi-kuponi.si*, True -*.vsi-popusti.si*, True -*.vsj.com.br*, True -*.vskelectro.ru*, True -*.vskelektro.ru*, True -*.vslnk.tk*, True -*.vsltech.net*, True -*.vslui.co*, True -*.vslui.info*, True -*.vslui.net*, True -*.v-smartonline.com*, True -*.vspecialists.de*, True -*.vsportoriginal.com*, True -*.vsranieri.tk*, True -*.vs-schirning.com*, True -*.vstarcustom.com*, True -*.vstopnice.biz*, True -*.vstopnice-vstopnice.si*, True -*.vstopnicevstopnice.si*, True -*.vs-to-vs.com*, True -*.vsudu.com*, True -*.vsupport.tk*, True -*.vsuri.tk*, True -*.vsurl.tk*, True -*.vsvfoto.ru*, True -*.vswww.tk*, True -*.vt108.tk*, True -*.v-tax.web.id*, True -*.vtcconsorcios.com.ar*, True -*.vtechshokat.com*, True -*.vtechshokat.net*, True -*.vthfreedom.com*, True -*.vtii.be*, True -*.v-tlt.ru*, True -*.vt-mobile.com*, True -*.vtodorov.com*, True -*.vtsone.com*, True -*.vtspower.net*, True -*.v-tutor.com*, True -*.vube.sg*, True -*.vucijarakija.com*, True -*.vucijarakija.rs*, True -*.vuilletransports.ch*, True -*.vuissent.tk*, True -*.vukovich.com*, True -*.vulcantourist.info*, True -*.vulgh.com*, True -*.vulk.com.ar*, True -*.vulkeyewear.com*, True -*.vulnbroker.com*, True -*.vulnerability.pro*, True -*.vulvar.com*, True -*.vumagates.co.za*, True -*.vumi.com*, True -*.vumie.com*, True -*.vumup.com*, True -*.vumy.com*, True -*.vungtauguide.com*, True -*.vunho34.com*, True -*.vunk.ee*, True -*.vuokkopitkanen.fi*, True -*.vuokraapaku.net*, True -*.vuorisaunat.fi*, True -*.vuottos.com.ar*, True -*.vuscanandreea.ro*, True -*.vut.cl*, True -*.vuurwerkstore.nl*, True -*.vuyg.tk*, True -*.vv-815.com*, True -*.vvinc.co*, True -*.vvjaggi.ch*, True -*.vvk46.com*, True -*.vvk49.com*, True -*.vvk59.com*, True -*.vvk93.com*, True -*.vvp88.com*, True -*.vvp97.com*, True -*.vvp99.com*, True -*.vvquant.com*, True -*.vvs.com.au*, True -*.vvvrm.net*, True -*.vwi.co.za*, True -*.vwms.com.mx*, True -*.vwo.co.za*, True -*.vwrescue.com*, True -*.vwresmijakarta.com*, True -*.vwstorage.com*, True -*.vwtweaked.ca*, True -*.vxbx.biz*, True -*.vxe6.net*, True -*.vxers.net*, True -*.vxp.co.za*, True -*.vxv.su*, True -*.vyacheslav.info*, True -*.vyachik.ru*, True -*.vyatta.tw*, True -*.vydcasyvia.cf*, True -*.vyhrajes.cz*, True -*.vylepseni.cz*, True -*.vymalujem.cz*, True -*.vyn.ch*, True -*.vyohyke.fi*, True -*.vyoufinder.com*, True -*.vyreal.cl*, True -*.vyskocil.eu*, True -*.vyskocilova.eu*, True -*.vytran.org*, True -*.vyzivy.cz*, True -*.vzakladki.ru*, True -*.vzi.tv*, True -*.vzkj.net*, True -*.vzlogistics.cl*, True -*.vztz.com*, True -*.w007.org*, True -*.w00z.la*, True -*.w0kcf.us*, True -*.w15cm.net*, True -*.w244.com*, True -*.w2bh.com.ar*, True -*.w35.me*, True -*.w3apon.net*, True -*.w3cavern.cf*, True -*.w3il.com*, True -*.w3pro.com.ar*, True -*.w3-style.tk*, True -*.w3style.tk*, True -*.w4event.at*, True -*.w4uk.tk*, True -*.w6rob.com*, True -*.w8gfw.com*, True -*.w8zjt.net*, True -*.w9ro.com*, True -*.waa200.com*, True -*.waa69.com*, True -*.waa73.com*, True -*.waa77.com*, True -*.waa99.com*, True -*.waaao.com*, True -*.waa.com.au*, True -*.waadookodaading.org*, True -*.waarisdebanaan.com*, True -*.waas.co.nz*, True -*.wabadus.tk*, True -*.wabido.com*, True -*.wabo33.com*, True -*.wabsite.pro*, True -*.waccess-project.com*, True -*.wachob.org*, True -*.wackychocolateheaven.co.za*, True -*.wadahpengantin.com*, True -*.wadeowen.net*, True -*.wadep.com*, True -*.wadul.tk*, True -*.wafexploit.tk*, True -*.waffle.asia*, True -*.wafflez.net*, True -*.wafinternasional.com*, True -*.wafranks.com*, True -*.wagberg.tk*, True -*.wagenaarpcs.nl*, True -*.wagenmotors.es*, True -*.wagenwerkz.co*, True -*.wagenwerkz.com*, True -*.wagenwerkz.in*, True -*.waggabuildingco.com.au*, True -*.waggawaggacomputers.com.au*, True -*.wagingwords.net*, True -*.wagrain-urlaub.at*, True -*.wahanacakralegawapools.com*, True -*.wahana-enterprise.co.id*, True -*.wahanainjectpile.com*, True -*.wahasinarmas.com*, True -*.wahcom.ga*, True -*.wahid.web.id*, True -*.wahoonetworks.com*, True -*.waht.biz*, True -*.wahtuo.com*, True -*.wahyu-alfani.net*, True -*.wahyudi.ml*, True -*.wahyudin.ml*, True -*.wahyusyaadi.com*, True -*.wahyusyaadi.info*, True -*.waibasangeeta.com.np*, True -*.wainwrightguarddogs.ca*, True -*.wain.ws*, True -*.waitingfortheshout.com*, True -*.waitlang.info*, True -*.waitlove.biz*, True -*.waitsburgstorage.com*, True -*.waiwai.hk*, True -*.waka.us*, True -*.wakawakamp3.com*, True -*.wakeboard.com.ar*, True -*.wakepc.com.ar*, True -*.wakingmoon.com*, True -*.wakingmoonmedia.com*, True -*.wakko.cl*, True -*.waklaks.com.ar*, True -*.waktusahur.ga*, True -*.walbo.info*, True -*.walbro-fuel-pumps.com*, True -*.walcott.se*, True -*.waldania.com.my*, True -*.waldenraines.com*, True -*.walderviolin.com*, True -*.waldfreunde.ch*, True -*.waldherrweg.at*, True -*.waldman.ro*, True -*.waldorfcomputer.com*, True -*.waldorfcomputers.com*, True -*.waldorpcorp.com*, True -*.walichowski.com*, True -*.wali-reload.info*, True -*.walk4autism.com*, True -*.walk4autism.com.au*, True -*.walk4women.com.au*, True -*.walkaround.org*, True -*.walkative.org*, True -*.walkcloud.com*, True -*.walker-cc.com*, True -*.walker.cl*, True -*.walkercomputing.com.au*, True -*.walker.cx*, True -*.walkerfamilygathering.com*, True -*.walkforautism.com.au*, True -*.walkieshootie.tw*, True -*.walkme.ir*, True -*.walknut.com*, True -*.walkonhill.com*, True -*.walkscore.com.au*, True -*.walkthetalk-info.co.za*, True -*.wallacehsh.info*, True -*.wallboardtoolco.com*, True -*.walletbrute.com*, True -*.walletone.ru*, True -*.wallflowerdesign.com*, True -*.wallm.com*, True -*.walloforgasm.org*, True -*.wall.one.pl*, True -*.wallpaperimg.com*, True -*.wallpaperpc.ml*, True -*.wallplus.com.pk*, True -*.wallsconsultores.com.ar*, True -*.wallstory.ro*, True -*.wallynet.net*, True -*.walmerac.co.za*, True -*.walnet.ca*, True -*.walnetinnovations.ca*, True -*.walnetinnovations.com*, True -*.walnetmedia.ca*, True -*.walnetmedia.com*, True -*.walnuthillstation.com*, True -*.walnutnetworks.com*, True -*.walovari.ru*, True -*.walshfamily.ca*, True -*.walshindustrial.com*, True -*.walsinghamyouthpilgrimage.org.uk*, True -*.walterbowles.com*, True -*.walterdmamani.com*, True -*.walterh.com*, True -*.walterphotos.com*, True -*.walte.rs*, True -*.walthowd.com*, True -*.waltlee.com*, True -*.waltonledale.co.uk*, True -*.waltons.info*, True -*.waltruehlig.com*, True -*.waltwoodcomedy.com*, True -*.waltwoodhumor.com*, True -*.waltwoodhumour.com*, True -*.waluk.com.ar*, True -*.walysoft2.com.ar*, True -*.wambo.ga*, True -*.wampire.info*, True -*.wamser.tk*, True -*.wanab33.ninja*, True -*.wanasek.org*, True -*.wandaalvares.com*, True -*.wandawellness.fi*, True -*.wandawoman.fi*, True -*.wanderingalbatrossphoto.com*, True -*.wanderlustbooks.co.za*, True -*.wanderlust.co.za*, True -*.wandesain.com*, True -*.wandeveiculos.com.br*, True -*.wang0601.com*, True -*.wangan.net*, True -*.wanganuicottage.com*, True -*.wanganuicottage.co.nz*, True -*.wang.biz*, True -*.wangbook.com*, True -*.wangchang.org*, True -*.wangjiayi.tk*, True -*.wanglirui.cn*, True -*.wanglubo.cn*, True -*.wanglubo.com*, True -*.wangname.com*, True -*.wangst.com*, True -*.wangsus.com*, True -*.wangyh.tk*, True -*.wangzhenyong.cn*, True -*.wanip.ch*, True -*.wanipiro.in*, True -*.wanitaberbagicerita.com*, True -*.wankenste.in*, True -*.wanke.rs*, True -*.wannabeamom.com*, True -*.wanstechno.com*, True -*.wantbetterworld.tk*, True -*.wanted.cf*, True -*.wanted.hk*, True -*.wanyad.com*, True -*.waod.com.ve*, True -*.waoevent.tk*, True -*.waouwa.com*, True -*.wap2chat.ml*, True -*.wap4file.ml*, True -*.wap4file.tk*, True -*.wap4hp.com*, True -*.wapasik.org*, True -*.wap-beranda.net*, True -*.wap-bici.us*, True -*.wapblogku.org*, True -*.wapcay.com*, True -*.wapc.com.my*, True -*.wapcloud.ga*, True -*.wapclup.me*, True -*.wapcoy.com*, True -*.wapcrot.in*, True -*.wapcuy.net*, True -*.wapdot.net*, True -*.wap-dz.ml*, True -*.wapego.ga*, True -*.waper.uk*, True -*.wapftp.de*, True -*.wapftp.in*, True -*.wapftp.mx*, True -*.wapgrunge.tk*, True -*.wapgue.cf*, True -*.wap-gue.ga*, True -*.waphao.net*, True -*.waphape.gq*, True -*.wapindo.web.id*, True -*.wapjun.eu*, True -*.wapkita.info*, True -*.wapkitz.net*, True -*.wapku.in*, True -*.wapkujua.tk*, True -*.waplagu.us*, True -*.waploe.com*, True -*.waplofer.net*, True -*.waplogs.ml*, True -*.waplu.net*, True -*.wapmeg.com*, True -*.wapmeo.net*, True -*.wapmoe.com*, True -*.wapmore.ml*, True -*.wapmp3.co*, True -*.wapmusic.us*, True -*.wapmusik.ga*, True -*.wapnation.ml*, True -*.wapndeso.info*, True -*.wappity.com*, True -*.wappres.tk*, True -*.wapqys.com*, True -*.wapsave.biz*, True -*.wapsex.be*, True -*.wapsot.net*, True -*.wapsutera.mx*, True -*.wapterik.net*, True -*.wapti.net*, True -*.waptroopz.cf*, True -*.wapvnn.mobi*, True -*.wapware.net*, True -*.wap-we.com*, True -*.wapz.biz*, True -*.wapzku.tk*, True -*.wapzli.web.id*, True -*.wapzme.com*, True -*.wapznr.cf*, True -*.waqastoor.com*, True -*.war3z.eu*, True -*.waralabalaundry.com*, True -*.war.asn.au*, True -*.waras.us*, True -*.warcasts.com*, True -*.warcog.org*, True -*.ward9.net*, True -*.wardfam.com*, True -*.war-dog.org*, True -*.wardonline.org*, True -*.wardour.com.au*, True -*.wards.pt*, True -*.war-eagle.info*, True -*.wareham.com.ar*, True -*.warehouseamsterdam.com*, True -*.warelab.ru*, True -*.warez-business.com*, True -*.warezromania.net*, True -*.warezws.com*, True -*.warezx.com*, True -*.wargademak.ga*, True -*.wargademak.tk*, True -*.wargame.ca*, True -*.wargrim.com*, True -*.warhawkenterprises.com*, True -*.wariat.ml*, True -*.wark.tk*, True -*.warm4u.co.uk*, True -*.warmkessel.com*, True -*.warmsanieren.de*, True -*.warmsanierung.de*, True -*.warna.ch*, True -*.warnet.gq*, True -*.warnet.name*, True -*.warning.cz*, True -*.waroeng-abrasived.com*, True -*.waroengkauman.com*, True -*.waronvegetables.com*, True -*.waronvegetables.org*, True -*.warp9.net*, True -*.warpie.biz*, True -*.warrantyvoid.com*, True -*.warrenandjan.com*, True -*.warren.bz*, True -*.warrenpublishing.us*, True -*.warrenretina.com*, True -*.warrenspot.com*, True -*.warrentran.com*, True -*.warrentransport-mt.com*, True -*.warriorforum.cf*, True -*.warrior.ga*, True -*.warriorhub.ga*, True -*.warriorsofdelwymn.asia*, True -*.warriorsofdelwymn.com*, True -*.warriorsweb.net*, True -*.warriortools.ga*, True -*.warrnamboolshowgroundsmarket.com*, True -*.warrock.cf*, True -*.warrockleague.com*, True -*.wars365.com*, True -*.warsawinteractive.waw.pl*, True -*.warspeculation.com*, True -*.warsztatjogi.pl*, True -*.wartacinta.net*, True -*.wartamerta.com*, True -*.wartapedia.tk*, True -*.wartawan.web.id*, True -*.wart.ca*, True -*.wartdecor.com*, True -*.waru1.org*, True -*.warung1.tk*, True -*.warung2.tk*, True -*.warung3.tk*, True -*.warung4.tk*, True -*.warungjaketbdg.com*, True -*.warungklik.com*, True -*.warungklik.net*, True -*.warungtehnik.com*, True -*.warungtelkom.com*, True -*.warwickjailbreak.co.uk*, True -*.warwickjames.com*, True -*.warwickjames.com.au*, True -*.warwickjames.net.au*, True -*.waryway.com*, True -*.warz.club*, True -*.warzmax.com*, True -*.wasabi-erp.com*, True -*.wasabitech.com*, True -*.wasandbox.org*, True -*.wasap.ga*, True -*.wasastation.fi*, True -*.wasatchlogic.com*, True -*.wasatchnet.net*, True -*.wasatranslations.fi*, True -*.washdom.es*, True -*.washinemachinerepairsmandurah.com.au*, True -*.washingducks.com*, True -*.washingmachinerepairsarmadale.com.au*, True -*.washingmachinerepairsperth.com*, True -*.washokkiya.com*, True -*.wasistseitan.de*, True -*.waslike.wtf*, True -*.wasocialmedia.com.au*, True -*.waspne.st*, True -*.was-sie-wollen.de*, True -*.wassner.com.ar*, True -*.wasson.com*, True -*.wastandswithrand.com*, True -*.wastandwithrand.com*, True -*.wastedgod.com*, True -*.wastemonitor.com.au*, True -*.wastingcode.com*, True -*.watchbabe.com*, True -*.watchfreeinhd.com*, True -*.watchitall.co.uk*, True -*.watch-movies.to*, True -*.watchou.tk*, True -*.watchpornofree.com*, True -*.watchshop.bz*, True -*.watch-shop.org*, True -*.watch-shows.to*, True -*.watchshows.to*, True -*.watchthemplaygames.com*, True -*.watchtreedog.com*, True -*.watdisk.com*, True -*.watdisk.net*, True -*.watech.ro*, True -*.water4you.com*, True -*.waterawards.in*, True -*.waterbabe.tw*, True -*.watercleans.com*, True -*.watercolorsbyslinger.com*, True -*.watereco.ru*, True -*.waterfalltelecom.co.uk*, True -*.waterfilter.hk*, True -*.waterfilterindonesia.com*, True -*.waterfiltersun.com*, True -*.waterfordcenter.net*, True -*.waterfordfamilybowl.com*, True -*.waterfrontresidences.com.au*, True -*.watergeusyacht.nl*, True -*.watermarkhr.com.au*, True -*.watermeloen.be*, True -*.waterpointresidences.com.au*, True -*.waterproof-underwater-protect-electronic-device.com*, True -*.watersphoto.com*, True -*.watersportsmegastore.com*, True -*.waterstackables.com*, True -*.watertankcleaningcq.com.au*, True -*.watervalbediening.co.za*, True -*.watisseitan.nl*, True -*.watness.com*, True -*.watsonlake.net*, True -*.watsonmail.org*, True -*.wattninja.com*, True -*.watu-net.com*, True -*.watz.ch*, True -*.waukegangurneeautobody.com*, True -*.wave1o5.com*, True -*.waveboats.gr*, True -*.wavechan.com*, True -*.waveevo.net*, True -*.wavepine.com*, True -*.wavepine.net*, True -*.waverleysoftware.com*, True -*.waverlysoftware.com*, True -*.wavescript.com*, True -*.wavescript.org*, True -*.wavetec.com.pk*, True -*.wavetec.pk*, True -*.wavetool.com*, True -*.wavscript.com*, True -*.wavscript.org*, True -*.wavsoft.com*, True -*.wawa3.net*, True -*.wawanaditya.com*, True -*.wawansihaloho.com*, True -*.wawan.web.id*, True -*.wawasan.tk*, True -*.wawi.es*, True -*.wawjg.com*, True -*.wawo79.com*, True -*.wawrzek.name*, True -*.wawuwe.at*, True -*.waxiaojie.com*, True -*.way2go.tw*, True -*.way2gowebproductions.com*, True -*.way2task.com*, True -*.way-aikido.com*, True -*.wayaikido.com*, True -*.way.com.np*, True -*.waylink.cn*, True -*.wayll.com.au*, True -*.wayneabroue.nom.za*, True -*.waynecountycomputerrepair.com*, True -*.waynecountycomputerrepairs.com*, True -*.waynecountyrecorder.com*, True -*.waynefox.net*, True -*.waynehartman.com*, True -*.waynemarshall.com*, True -*.wayner.ca*, True -*.waynesealey.co.uk*, True -*.waynes-world.info*, True -*.waynewolf.com*, True -*.wayphone.net*, True -*.wayphone.ru*, True -*.way-zen.com*, True -*.waze.com.ar*, True -*.wazman.me*, True -*.wazua.com*, True -*.wazuraka.com*, True -*.wb0vtm.com*, True -*.wbafinc.org*, True -*.wbasrl.com*, True -*.wbcc.org.au*, True -*.wbgentry.com*, True -*.wbksystems.com*, True -*.wblutz.com*, True -*.wbnsh.ga*, True -*.wbox.ch*, True -*.wbpfbrasil.com.br*, True -*.wbproductions.net*, True -*.wbs.com.ar*, True -*.wbsrchapp.com*, True -*.wbsrch.net*, True -*.wbt.ch*, True -*.wc7i.com*, True -*.wcat.com*, True -*.wcc.cl*, True -*.wccsoftware.com*, True -*.wcdf.com*, True -*.wceast.com*, True -*.wcell.org*, True -*.wchen.me*, True -*.wci.co.za*, True -*.wck.co.za*, True -*.wcmarshall.com*, True -*.wcmsp.net*, True -*.wcmt.co.za*, True -*.wc.one.pl*, True -*.wcredille.com*, True -*.wcu.co.za*, True -*.wcv.se*, True -*.wcx96.com*, True -*.wcxhk.com*, True -*.wdc-construction.com*, True -*.wdcloud.tk*, True -*.wde-project.org*, True -*.wdg2011.tk*, True -*.wd-g.de*, True -*.wdlsm.com*, True -*.wdmail.com.ar*, True -*.wdowney.net*, True -*.wdstainedglass.com*, True -*.wduvel.co.za*, True -*.w-e-a.co.uk*, True -*.wealtheffect.bg*, True -*.wealtheffectmanagement.bg*, True -*.wealthlibre.info*, True -*.wealthps.co.za*, True -*.weaponizedpony.com*, True -*.weaponofmassdestruction.us*, True -*.weapwnx.ninja*, True -*.wearecares.net*, True -*.wearecurb.com*, True -*.wearedrunken.tk*, True -*.weareinside.com*, True -*.wearelearning.org*, True -*.wearemikacuz.com*, True -*.wearepromoters.com*, True -*.wearetrade.cl*, True -*.wearitsat1.co*, True -*.wearitsat1.net*, True -*.wearitsat1.org*, True -*.wearsa.co.za*, True -*.wearwildflower.com*, True -*.weatherchannel.com.ar*, True -*.weatherwell.com*, True -*.weaveconsult.com*, True -*.weavemanagement.com*, True -*.weavemanagement.net*, True -*.weavers.ws*, True -*.weaverworks.org*, True -*.web010.com*, True -*.web2ser.tk*, True -*.web36.cl*, True -*.web3.ro*, True -*.web48.ch*, True -*.web4groups.at*, True -*.webagency.xyz*, True -*.webagen-msa.ga*, True -*.web-agvo.com*, True -*.webalizer.com*, True -*.webalizer.net*, True -*.webalizer.org*, True -*.webanaliz.ml*, True -*.webapro.hu*, True -*.w-e-b-art.ch*, True -*.webartstudio.ro*, True -*.webava.ml*, True -*.webavl.ir*, True -*.webbase.pt*, True -*.webb-creations.org*, True -*.webbeheerder.net*, True -*.webblu.com.br*, True -*.web-bot.gq*, True -*.webbzon.se*, True -*.webcam-com.ru*, True -*.webcampla.net*, True -*.webcamtubevids.com*, True -*.webcast.hk*, True -*.webchars.com*, True -*.webcoleg.ro*, True -*.webcomaspnetmvc.com.br*, True -*.webcompass.ro*, True -*.webconsolidator.com*, True -*.webconsulting.info*, True -*.webcontabilitate.ro*, True -*.webconvertmedia.com*, True -*.webcore.xyz*, True -*.webcorporation.net.au*, True -*.webcraft.ro*, True -*.web-creat1ve.ru*, True -*.webdem.com.au*, True -*.webdesigncourse.org.uk*, True -*.webdesigner-denhaag.nl*, True -*.webdesignerdenhaag.nl*, True -*.webdesignleyland.co.uk*, True -*.webdethi.com*, True -*.webdev2.net*, True -*.webdeveloper4hire.info*, True -*.webdevshop.ro*, True -*.webdisenovenezuela.com.ve*, True -*.webdown.com*, True -*.webdsign.gr*, True -*.webdude.com.au*, True -*.webeez.co.uk*, True -*.webell.de*, True -*.weber-breitenstein.ch*, True -*.weberhomesinc.net*, True -*.weberndorfer.net*, True -*.weberp.ro*, True -*.webertechservices.com*, True -*.weberton.cl*, True -*.webescorts.co.za*, True -*.webes.ml*, True -*.webfallout.com*, True -*.webfellows.fi*, True -*.webfingers.com.br*, True -*.webflakes.ro*, True -*.webflowers.co.za*, True -*.webfootenterprises.com*, True -*.webfootenterprises.net*, True -*.webfornovices.com*, True -*.webfortune.org*, True -*.webftp.ml*, True -*.web-funerals.com*, True -*.webgap.eu*, True -*.web-gay.ru*, True -*.webgeezer.net*, True -*.webgenerica.com.ar*, True -*.webgine.tk*, True -*.webgis.ro*, True -*.webgl.net*, True -*.webgospelsites.com.br*, True -*.webguys.ca*, True -*.webgyerek.net*, True -*.web-host-ideas.com*, True -*.webhostingmate.com.au*, True -*.webidyougoodnight.com*, True -*.webimpulso.com.br*, True -*.webinfinite.com*, True -*.web-informasi.com*, True -*.webinformatique.co.uk*, True -*.webinterno.es*, True -*.webipost.net*, True -*.webizness.fr*, True -*.webkamera.tk*, True -*.webkat.me*, True -*.webkerja.com*, True -*.webkrall.com*, True -*.webku.jp*, True -*.webldr.net*, True -*.webley.co.nz*, True -*.weblightingcontrol.com*, True -*.weblightingcontroller.com*, True -*.weblinkmedia.com*, True -*.weblinx.co.za*, True -*.weblista.pt*, True -*.weblog.hk*, True -*.weblogs.hk*, True -*.weblokal.tk*, True -*.webmadeeasy.net*, True -*.web-mail.biz*, True -*.webmailinbox.org*, True -*.webmailplusplus.com*, True -*.webman.ch*, True -*.webmanftp.com*, True -*.webmann.info*, True -*.web-marketing.cf*, True -*.webmarketingmillionaire.com*, True -*.webmarvel.nl*, True -*.webmarz.tk*, True -*.webmasterdesignteam.com*, True -*.webmaster.hk*, True -*.webmasters.ro*, True -*.webmdee.com*, True -*.webmediacom.com*, True -*.webmediadesignmaster.ca*, True -*.webmel.com.ar*, True -*.webmereka.com*, True -*.webminer.pro*, True -*.webmoney77.ru*, True -*.webmosher.com*, True -*.webmosher.net*, True -*.webmosher.org*, True -*.webmosphere.ca*, True -*.webmuni.com.ar*, True -*.webnesday.ch*, True -*.webnestar.com*, True -*.webnetwork.com*, True -*.weboda.info*, True -*.webonspot.com*, True -*.web-on.us*, True -*.webonvr.info*, True -*.webonvr.net*, True -*.weborchid.ir*, True -*.weboright.com*, True -*.weborthopaedics.com*, True -*.webo.tw*, True -*.webpage4bz.com*, True -*.webpanel.ro*, True -*.webpant.com*, True -*.webparking.biz*, True -*.webparking.com*, True -*.webpersonal.cl*, True -*.webphysicaltherapy.com*, True -*.webpolis.com.ar*, True -*.webportret.com*, True -*.web-presence-management.co.uk*, True -*.webpress.hu*, True -*.webpromoviranje.com*, True -*.webqi.org*, True -*.webrank.ro*, True -*.webratd.com*, True -*.web-ready.com.au*, True -*.web-referat.ru*, True -*.webreports.com.br*, True -*.webresponsiva.tk*, True -*.webring.cf*, True -*.webringlink.com*, True -*.websca.ws*, True -*.websdr-chile.cl*, True -*.websearch.hu*, True -*.webselect.ir*, True -*.webserver2014.com*, True -*.webservercity.com*, True -*.webserver.ga*, True -*.web-services.ro*, True -*.webservicess.org*, True -*.websexcam.com.br*, True -*.webshed.org*, True -*.webshite.com*, True -*.webside.xyz*, True -*.websigns.co.za*, True -*.web-site-ideas.com*, True -*.websitelinks.com*, True -*.websitelinks.net*, True -*.websitelinks.org*, True -*.web-siwil.com*, True -*.webskazka.net*, True -*.web-snap.com*, True -*.web-soft.ro*, True -*.websolutions.com.au*, True -*.webspace-kostenlos.xyz*, True -*.websparks.ro*, True -*.webspotweb.com*, True -*.webstage.ga*, True -*.webstandard.pl*, True -*.webstarter.ir*, True -*.websupport.ga*, True -*.webs.vc*, True -*.webswapper.com*, True -*.web-tech.ca*, True -*.webtextanalysis.com*, True -*.webthing.com.ar*, True -*.webtigre.com.ar*, True -*.webtransfercenter.ru*, True -*.webtransferfinans.ru*, True -*.webtranzit.info*, True -*.webtranzit.net*, True -*.webuild.hk*, True -*.webvideos.mobi*, True -*.webvinci.com*, True -*.webwidefiles.ml*, True -*.webwise.pt*, True -*.web-wordpress.com*, True -*.webx.ml*, True -*.webydea.com*, True -*.webz.hu*, True -*.webzlogic.com*, True -*.we-chat.in*, True -*.we-cm.com*, True -*.wedally.com*, True -*.wedart.ro*, True -*.wedberrysafes.net*, True -*.wedding4guests.ch*, True -*.weddingannouncement.co.za*, True -*.weddingbox.ro*, True -*.weddingdancemalaysia.com*, True -*.weddingdancesingapore.com*, True -*.wedding-digitalpasbook.web.id*, True -*.weddingdream.com*, True -*.weddinggarden.co.uk*, True -*.weddingguest.co.za*, True -*.weddingguests.co.za*, True -*.wedding-love.co*, True -*.weddingmakeupvancouver.ca*, True -*.wedding-marquees.com.au*, True -*.weddingofkimanddavid.com*, True -*.wedding-photographers-kent.com*, True -*.weddingphotosouvenir.com*, True -*.wedding-pictures.org*, True -*.wedevforyou.com*, True -*.wed.lt*, True -*.wedovoice.com*, True -*.wedowebdesign.com*, True -*.wedreamstream.com*, True -*.weebber.net*, True -*.weecomp.com*, True -*.weedeliver.net*, True -*.weed.ga*, True -*.weed-products.org*, True -*.weeds.org.za*, True -*.wee.io*, True -*.weejay.com*, True -*.weejay.it*, True -*.weejay.net*, True -*.weejay.org*, True -*.weejay.tk*, True -*.weekaboo.com*, True -*.weekendproject.ro*, True -*.weekendtechsquad.com*, True -*.weekendyogatreat.com*, True -*.weepirate.com*, True -*.weerasinghe.ch*, True -*.weewoodenkitchens.com*, True -*.weexten.com*, True -*.weezer.in*, True -*.weezer.org*, True -*.wef.gr*, True -*.wefittings.com*, True -*.wegetin.nl*, True -*.wegivejob.in*, True -*.wegmueller.ch*, True -*.wegoeast.ch*, True -*.wegov.co.uk*, True -*.wegowest.ch*, True -*.wegroup.ro*, True -*.weiachernet.ch*, True -*.weibo.sg*, True -*.wei-chen.tk*, True -*.weichin.com*, True -*.weickhardt.com*, True -*.weigele.ch*, True -*.weightlossalliancehq.com*, True -*.weight-loss.gq*, True -*.weightlossstore.com*, True -*.weightnomorepe.co.za*, True -*.weightsport.com*, True -*.weikeno.com*, True -*.weimailaser.com*, True -*.weiners.org*, True -*.weingaertner-bohner.ch*, True -*.wein-garage.at*, True -*.weinhappl-ag.ch*, True -*.weinstein.org.il*, True -*.weinteract.com*, True -*.weinzettel.com.ar*, True -*.weirandassociates.cn*, True -*.weirasia.com*, True -*.weirder.ro*, True -*.weirdlittleworlds.com*, True -*.weirdpixels.org*, True -*.weirhk.com*, True -*.weirinhouse.com*, True -*.weirlawasia.com*, True -*.weirlawhk.com*, True -*.weirlawyers.com*, True -*.weise7.org*, True -*.weishanjiang.com*, True -*.weisms.com*, True -*.weisong.li*, True -*.weissberg.biz*, True -*.weissbrewing.com*, True -*.weissenfluh.ch*, True -*.weisserhouse.com*, True -*.weisses-band.at*, True -*.weisshorn.nl*, True -*.weixservice.com*, True -*.wejoza.com*, True -*.welangn.com*, True -*.welathome.ca*, True -*.welchsmith.com*, True -*.welcome2australia.com*, True -*.welcomeatwork.at*, True -*.welcomegroup.net*, True -*.welcometopurgatory.ca*, True -*.welcometosatellite.com*, True -*.weld-nk.ru*, True -*.weldwooddesigns.com*, True -*.welibat.cf*, True -*.welikeitaly.biz*, True -*.welikeitaly.org*, True -*.wellastore.ru*, True -*.wellcms.com*, True -*.wellcode.ca*, True -*.wellcotech.com*, True -*.welldone-ing.cl*, True -*.wellent.hk*, True -*.wellingtonartgroup.com*, True -*.wellingtonfelix.com.br*, True -*.wellingtontc.com.au*, True -*.wellingtontouch.co.nz*, True -*.well-lord.com*, True -*.wellmark.ro*, True -*.wellnessbyoriflame.ro*, True -*.wellness-india.in*, True -*.wellnessnaturally.com.au*, True -*.wellnessstudio.fr*, True -*.wellnesswithinyoga.com*, True -*.well-scan.com*, True -*.wellsemi.com*, True -*.welltekgroup.net*, True -*.wellwellsha.com*, True -*.welovechina.cn*, True -*.welovemetal.com*, True -*.welpenhund.de*, True -*.welshbreakers.com*, True -*.welshprincess.com*, True -*.welshshadwell.co.uk*, True -*.welsiker.ch*, True -*.welsted.info*, True -*.welters.net*, True -*.weltrevolution.ch*, True -*.welwoodlaw.com*, True -*.wemakenoise.co.uk*, True -*.wemap.cl*, True -*.wem.bg*, True -*.weminetogether.com*, True -*.wemine.uk*, True -*.wemitob.cf*, True -*.wendlamita.com*, True -*.wendlandfamily.net*, True -*.wendyandnick.net*, True -*.wendy.web.id*, True -*.wengans.cl*, True -*.wenger-production.com*, True -*.wenisch.asia*, True -*.wenjunnet.cn*, True -*.wenlez.com*, True -*.wenona130plus.com.au*, True -*.wenona.me*, True -*.wenselfamily.info*, True -*.wenternet.com*, True -*.wenzel.mobi*, True -*.weoutt.com*, True -*.wepkita.com*, True -*.wepotus.com*, True -*.wepplers.com*, True -*.weqan.net*, True -*.wer95.com*, True -*.wer96.com*, True -*.wer97.com*, True -*.werbefotografieihlemann.de*, True -*.werbekritik.ch*, True -*.werdaskate.cl*, True -*.werder.li*, True -*.weregoingtothecloud.com*, True -*.werger.tk*, True -*.werir.co.za*, True -*.werjen.com*, True -*.werktab.com*, True -*.werner-isolation.ch*, True -*.werner-martin.ch*, True -*.wernet.com.br*, True -*.werowdy.ca*, True -*.wersdfxcv.tk*, True -*.werthfam.com*, True -*.wertygo.pl*, True -*.wertynet.com*, True -*.werunhot.com*, True -*.wescfcu.net*, True -*.wescleycastro.com.br*, True -*.weseli.info*, True -*.wesellbig.com*, True -*.weshipproduce.org*, True -*.weskusremovals.co.za*, True -*.wesnicks.com*, True -*.wesolve.co.id*, True -*.wespennest.li*, True -*.wesseldijkstra.com*, True -*.wesselse.com*, True -*.wessels.nom.za*, True -*.west1881.com*, True -*.westafricaministries.org*, True -*.westagem.ro*, True -*.westbayorthopaedics.com*, True -*.westbrookitpro.com*, True -*.westby-nunn.com*, True -*.westbynunn.com*, True -*.westbys.com*, True -*.westclubunited.tk*, True -*.westcoastautomotive.com.au*, True -*.westcoasteden.ca*, True -*.westcoastendocrine.com*, True -*.westcoastmobilekitchen.ca*, True -*.westcoastremovals.co.za*, True -*.westendcomputerlab.org*, True -*.westendinhautaustoimisto.com*, True -*.westendinhautaustoimisto.net*, True -*.westenvik.no*, True -*.western-channel.com*, True -*.westernconsult.in*, True -*.westerndiscobsas.com.ar*, True -*.westernsydneyfood.com*, True -*.westgateplumbing.com.au*, True -*.westhem.com*, True -*.westindiaquay.com*, True -*.westinghousestoveovenrepairs.com.au*, True -*.westlondon-escorts.net*, True -*.westneckbay.com*, True -*.weston.net.nz*, True -*.westorgroup.com*, True -*.westpennanthillspodiatry.com.au*, True -*.westpoint.web.id*, True -*.westportalphysicaltherapy.com*, True -*.westportalpt.com*, True -*.westportaltherapy.com*, True -*.westportgolfclub.com*, True -*.westportmarathon.com*, True -*.westsidepaintandbody.us*, True -*.westsidepropane.ca*, True -*.westside-racing.ch*, True -*.westsillawarracricket.com.au*, True -*.westsoft.com.ar*, True -*.westygp.com.au*, True -*.wet96.com*, True -*.wet98.com*, True -*.wetbc.ca*, True -*.wetbooks.com*, True -*.weteks.com*, True -*.wetherill.com.au*, True -*.wetnet.in*, True -*.wetofu.es*, True -*.wetpi.com*, True -*.wetpoolparty.com.ar*, True -*.wetrust.tw*, True -*.wettank.net.au*, True -*.wetter-frick.ch*, True -*.wettergreenolsen.dk*, True -*.wetwaresalta.com.ar*, True -*.wevsnet.com*, True -*.wevvin.nz*, True -*.wewanttotrade.com*, True -*.wew.asia*, True -*.wewin.ru*, True -*.wew.mx*, True -*.wexleymedical.com*, True -*.weyher-technik-wiki.tk*, True -*.weyya.cl*, True -*.weze-zbrojone.pl*, True -*.wf9800.net*, True -*.wfbhs75.com*, True -*.wfinternational.com.pk*, True -*.wfrick.net*, True -*.wfsl.pl*, True -*.wfw.org.za*, True -*.wg8b.net*, True -*.wg95.de*, True -*.wgardens.co.uk*, True -*.wgaugsburg.de*, True -*.wgbbsonline.net*, True -*.wgbe.ch*, True -*.wgcs.com*, True -*.wgray.club*, True -*.wguu.info*, True -*.whaazup.us*, True -*.whaffrewards.net*, True -*.whaiteindustries.com*, True -*.whaka.net*, True -*.whalley.com.au*, True -*.whanaumai.nz*, True -*.whansite.com*, True -*.wharfietime.com*, True -*.wharquitetura.com.br*, True -*.what2do.co.nz*, True -*.what2no.com*, True -*.whatacoincidence.org*, True -*.whatagenius.com.au*, True -*.whatajack.com*, True -*.whatartist.com*, True -*.whatartistprojects.com*, True -*.whatbox.tk*, True -*.whatcaniofferyou.co.uk*, True -*.whatchamacakes.com*, True -*.whatdayoftheweek.com*, True -*.whatdoesthecolorsofthenauticalstarmean.com*, True -*.whateverbpd.com*, True -*.whateverpays.com*, True -*.whateveryouneed.com.ve*, True -*.whathosting.info*, True -*.whatis.cf*, True -*.whatisdoing.com*, True -*.whatisit-ltd.co.uk*, True -*.whatisseitan.eu*, True -*.whatnet.us*, True -*.what-network.com*, True -*.what-network.net*, True -*.what-network.org*, True -*.whatnow.mobi*, True -*.whatop.com*, True -*.whatsonod.co.uk*, True -*.whatsposted.com*, True -*.whatsthislifeabout.com*, True -*.whatsworking.com.au*, True -*.whatthefuckingfuck.com*, True -*.whatthehuh.net*, True -*.what-to.com*, True -*.whattthefuck.tk*, True -*.whatworks.org.au*, True -*.whatwouldjasedo.com*, True -*.whatz-new.com*, True -*.whconst.hk*, True -*.whe888.com*, True -*.wheatfreeglutenfree.co.uk*, True -*.wheel-chairs.eu*, True -*.wheel-clamp.co.uk*, True -*.wheeler.cl*, True -*.wheelerheirs.com*, True -*.wheel-music.com*, True -*.wheels4survivors.org*, True -*.whelan.id.au*, True -*.whelenbatavia.com*, True -*.when48.com*, True -*.whenandwherepr.com.ar*, True -*.whenisthenextnhllockout.com*, True -*.whenthemoviereallystarts.com*, True -*.whenwillthehurtingstop.com*, True -*.whenwillthehurtingstop.info*, True -*.whenwillthehurtingstop.net*, True -*.whenwillthehurtingstop.org*, True -*.where2eat.be*, True -*.where2go.co.il*, True -*.where2stay.co.nz*, True -*.whereandhow.cl*, True -*.wherearemycookies.de*, True -*.wheredidmyhairgo.com*, True -*.wheredodolphinslive.com*, True -*.wherehoju.com*, True -*.whereintheweb.net*, True -*.whereintheweb.org*, True -*.whereisthe.info*, True -*.whereitsat.ca*, True -*.where.si*, True -*.wheressharon.com*, True -*.wheretheresawillow.net*, True -*.wherever.net*, True -*.whichdba.com*, True -*.whillson.cf*, True -*.whimsicalanthologycreations.com*, True -*.whimsicalanthologycreations.com.au*, True -*.whimsy.me*, True -*.whine.se*, True -*.whipcracker.net*, True -*.whirlwindbb.com*, True -*.whiskeyfights.com*, True -*.whiskydice.com*, True -*.whiskyimbiber.com*, True -*.whiskyprotokoll.de*, True -*.whiskytramp.com*, True -*.whiskyworld.com.au*, True -*.whisperblooms.com.au*, True -*.whispercall.com*, True -*.whisperlake.com*, True -*.whisperproductions.com.au*, True -*.whisperwoodcommunity.net*, True -*.whistleemporium.com*, True -*.whiteangel-bg.eu*, True -*.whitebeans.ro*, True -*.whiteboxbistro.com*, True -*.whitebuffalopress.com*, True -*.white.com.ar*, True -*.whitefangrec.com*, True -*.whitefenech.com*, True -*.white-flag.ca*, True -*.whiteisland.com*, True -*.whiteknightelectronics.com*, True -*.whiteley.org*, True -*.whitemushroomhouse.com*, True -*.whitenoisegaming.com*, True -*.white.nom.za*, True -*.whitepaperonvideo.com*, True -*.whitepapersonvideo.com*, True -*.whitepeople.co.uk*, True -*.whiterosechurch.com*, True -*.whitesandbeachresort.info*, True -*.white-shadows-ddc.net*, True -*.whitesmoving.com*, True -*.whitesmurf.com*, True -*.whitespaceairwaves.com*, True -*.whitespaceairwaves.net*, True -*.whitespaceairwaves.org*, True -*.white-square.net*, True -*.whitetigerexploration.ca*, True -*.whitewalkers.org*, True -*.whitewaterproject.se*, True -*.whitewizardllc.com*, True -*.whitezen.com*, True -*.whitmermarchingband.com*, True -*.whittemoredurgin.biz*, True -*.whittemore-durgin.com*, True -*.whittemoredurgin.com*, True -*.whittemoreglass.com*, True -*.whittleandcompany.ca*, True -*.whittlebydesign.com*, True -*.whitworths.asia*, True -*.whitworthsdiscountmarine.asia*, True -*.whitworthsdiscountmarine.co.nz*, True -*.whitworthsdiscountmarine.info*, True -*.whitworthsdiscountmarine.net.nz*, True -*.whitworthsdiscountmarine.nz*, True -*.whitworthsdiscountmarinesupplies.asia*, True -*.whitworthsdiscountmarinesupplies.co.nz*, True -*.whitworthsdiscountmarinesupplies.info*, True -*.whitworthsdiscountmarinesupplies.net.nz*, True -*.whitworthsdiscountmarinesupplies.nz*, True -*.whitworthsmarineandleisure.asia*, True -*.whitworthsmarineandleisure.com*, True -*.whitworthsmarineandleisure.co.nz*, True -*.whitworthsmarineandleisure.info*, True -*.whitworthsmarineandleisure.net*, True -*.whitworthsmarineandleisure.net.au*, True -*.whitworthsmarineandleisure.net.nz*, True -*.whitworthsmarineandleisure.nz*, True -*.whitworthsmarine.asia*, True -*.whitworthsmarine.com.au*, True -*.whitworthsmarine.co.nz*, True -*.whitworthsmarinediscountsupplies.asia*, True -*.whitworthsmarinediscountsupplies.co.nz*, True -*.whitworthsmarinediscountsupplies.info*, True -*.whitworthsmarinediscountsupplies.net.nz*, True -*.whitworthsmarinediscountsupplies.nz*, True -*.whitworthsmarine.info*, True -*.whitworthsmarine.net.nz*, True -*.whitworthsmarine.nz*, True -*.whitworthsmarinesupplies.asia*, True -*.whitworthsmarinesupplies.co.nz*, True -*.whitworthsmarinesupplies.net.nz*, True -*.whitworthsmarinesupplies.nz*, True -*.whitworths.net*, True -*.whitworths.net.nz*, True -*.whitworths.nz*, True -*.whizkidstest.tk*, True -*.whizwares.com*, True -*.whizwhener.ru*, True -*.whmbahdonk.mx*, True -*.whmcs.asia*, True -*.whmteam.tk*, True -*.whn66.com*, True -*.whn77.com*, True -*.whn88.com*, True -*.who2call.co.nz*, True -*.whoami.la*, True -*.whoateallthepecansandies.com*, True -*.whocarriesthat.com*, True -*.whodaresspinz.co.uk*, True -*.whodatninga.com*, True -*.whogetsmystuff.com*, True -*.whoip.ga*, True -*.whoisjohnny.com*, True -*.whoisnickbecker.com*, True -*.whoisthatperson.com*, True -*.whoiswhointurkey.com*, True -*.whole-lifestyle.com*, True -*.wholesalecellaccessory.com*, True -*.wholesalerepellents.com*, True -*.wholesalesdirect.com.au*, True -*.wholesaletech.com.au*, True -*.wholetemplate.com*, True -*.whomadethatcake.com.au*, True -*.who-measles.org*, True -*.whoreoscope.com*, True -*.whore-o-scopes.com*, True -*.whoreoscopes.com*, True -*.whorfin.com*, True -*.whoschilling.com*, True -*.whoshiringrightnow.com*, True -*.whosonpodcast.com*, True -*.whostrading.com*, True -*.whosyourdaddy.cl*, True -*.whotel.pt*, True -*.whowant.it*, True -*.whowashere.ru*, True -*.whproperties.biz*, True -*.whqkcdc.com*, True -*.whqscdc.com*, True -*.whrisky.com*, True -*.whwinvestments.com*, True -*.whyboner.com*, True -*.whychapter13.com*, True -*.whychapter7.com*, True -*.whydoeshewearthemask.com*, True -*.whyisrumgone.com*, True -*.whyizrumgone.com*, True -*.whyman.org*, True -*.whynotad.com*, True -*.whyterabbit.net*, True -*.whyuesao.com*, True -*.wiab-service.se*, True -*.wialto.com*, True -*.wibhradio.com*, True -*.wiblr.cf*, True -*.wiblr.ga*, True -*.wiblr.gq*, True -*.wiblr.ml*, True -*.wib.ro*, True -*.wicalenda.com*, True -*.wicc.com.au*, True -*.wickedgirlfashions.com*, True -*.wickedgremlin.net*, True -*.wicked.hk*, True -*.wickedhq.com*, True -*.wickedone.tk*, True -*.wicksta.com*, True -*.wicky-carrelage.ch*, True -*.wico.ir*, True -*.wideglobal.com.my*, True -*.widegren.nu*, True -*.widening.net*, True -*.wideradius.com*, True -*.widereuropecapital.com*, True -*.widereuropecapitalmanagement.com*, True -*.widesystems.com.br*, True -*.wideybro.ru*, True -*.widiwaika.ch*, True -*.widlund.fi*, True -*.widuit.com.ar*, True -*.widyajayakarta.ac.id*, True -*.widyalokakontraktor.com*, True -*.widyaswara-indonesia.ac.id*, True -*.widzu.com*, True -*.wiebels.info*, True -*.wiecaszek.pw*, True -*.wiechetek.com*, True -*.wiedenhoeft.net*, True -*.wiedmann-online.tk*, True -*.wienerstudio.at*, True -*.wiengarage.at*, True -*.wiernusz.com*, True -*.wierschke.net*, True -*.wiev.one.pl*, True -*.wifemakingmedoit.com*, True -*.wifi45.ru*, True -*.wifi4free.ro*, True -*.wifi96.ru*, True -*.wifiangra.com.br*, True -*.wifiangra.net.br*, True -*.wificomputacion.com.ar*, True -*.wifieyes.net*, True -*.wifi-id.cf*, True -*.wifi-id.ga*, True -*.wifimami.com*, True -*.wifination.org.za*, True -*.wifispin.ga*, True -*.wifitelecom.ec*, True -*.wigdahl.se*, True -*.wigglesbooks.com*, True -*.wiggy.systems*, True -*.wight-solutions.co.uk*, True -*.wigkribo.com*, True -*.wigtil.net*, True -*.wigtil.no*, True -*.wiifailed.com*, True -*.wiigloves.com*, True -*.wiiknee.com*, True -*.wiilivefree.com*, True -*.wiiombouwborne.nl*, True -*.wijayakarya.co.id*, True -*.wijayamasteknindo.com*, True -*.wijaya-steel.com*, True -*.wijkachterdekerk.be*, True -*.wijo.be*, True -*.wike.info*, True -*.wiki21.com*, True -*.wiki21.net*, True -*.wikiachomi.ir*, True -*.wikiberry.info*, True -*.wikicode.com.br*, True -*.wikidesign.hk*, True -*.wikifondos.com*, True -*.wiki.gd*, True -*.wikihotels.ru*, True -*.wikilegia.at*, True -*.wikilegia.com*, True -*.wikilegia.net*, True -*.wikilive.in*, True -*.wiki-maaref.com*, True -*.wikimedia.mx*, True -*.wikinformatica.tk*, True -*.wikin.ga*, True -*.wikinternet.tk*, True -*.wikiosaurus.com*, True -*.wikipaudio.com*, True -*.wikipediachile.cl*, True -*.wikithrough.com*, True -*.wiki-trade.info*, True -*.wikne.ch*, True -*.wikro.org*, True -*.wikshop.com*, True -*.wilberspublishing.nl*, True -*.wilcoxwide.com*, True -*.wild1.ch*, True -*.wild1.net*, True -*.wild1.org*, True -*.wildandheart.com*, True -*.wildatwork.com*, True -*.wildatworktickets.com*, True -*.wildbilldeerhunter.com*, True -*.wildbilldeerhunter.net*, True -*.wildbolz-bern.ch*, True -*.wildcardonnitro.com*, True -*.wildcrafthollow.com*, True -*.wilde-de.com*, True -*.wildenglish.co.kr*, True -*.wildfirepics.com*, True -*.wildfrizzle.tk*, True -*.wildgamegrillaz.com*, True -*.wildgamesportsgrill.com*, True -*.wildgeeks.com*, True -*.wildgoldsbrough.com*, True -*.wildgreen.cl*, True -*.wildking.net*, True -*.wildlifeportfolio.co.za*, True -*.wildlifeprotectionservice.com*, True -*.wildlifeprotectionservices.com*, True -*.wildlifewatcher.ch*, True -*.wildmama.com.au*, True -*.wildone.ch*, True -*.wildonesieweek.com*, True -*.wildonesieweek.com.au*, True -*.wildplumpies.com*, True -*.wildrootsholisticlearningcenter.com*, True -*.wildrootsholisticlearning.com*, True -*.wildspark.net*, True -*.wildsports.com.np*, True -*.wildstaronlinepowerguide.com*, True -*.wildsurf.net*, True -*.wildtrailsa.co.za*, True -*.wileexpress.ro*, True -*.wileybizaus.com*, True -*.wileymetal.com*, True -*.wilgaskin.com*, True -*.wilgenhoff.de*, True -*.wilheck.co.za*, True -*.wilkes.tk*, True -*.wilkinsonlawpractice.com*, True -*.wilkisonmarkingservice.com*, True -*.wilkisonmarkingsevice.com*, True -*.wilkore.com.au*, True -*.will4me.net*, True -*.willamettequilting.com*, True -*.willandkristin.com*, True -*.willardempire.com*, True -*.willartmusic.com*, True -*.will-cloud.com*, True -*.willcy.com*, True -*.willdevelops.com*, True -*.willdotargent.com*, True -*.willemvisser.co.za*, True -*.willengineers.com*, True -*.willettavt.com*, True -*.willeys.org*, True -*.willhans.se*, True -*.william-beene.com*, True -*.williambest.com*, True -*.williambratz.com*, True -*.williamcrown.com*, True -*.williamhelgeson.com*, True -*.williamlai.hk*, True -*.williamlee.com.au*, True -*.williamlightfoot.com*, True -*.williammallory.com*, True -*.williammckenzie.com*, True -*.williamnabaza.com*, True -*.williamolsen.me*, True -*.williamperkasa.com*, True -*.williamrnabaza.com*, True -*.williamsbrothersexpeditions.com*, True -*.williamsfamilysite.us*, True -*.williamsimard.com*, True -*.williamsjk2.com*, True -*.williamski.co.uk*, True -*.williamsportdj.com*, True -*.williamsulzer.net*, True -*.williamvictoria.com*, True -*.williamwragg.cl*, True -*.willkula.com*, True -*.willmott.info*, True -*.willner.fi*, True -*.willoughbysite.com*, True -*.willowbrookconnersville.com*, True -*.willowfallsapartment.com*, True -*.willowhousenursery.co.uk*, True -*.willowseed.com*, True -*.willowvalleyranch.com*, True -*.willowwoodgames.co.nz*, True -*.willparrish.com*, True -*.willpetrik.com*, True -*.willsdb.com*, True -*.willsprojects.tk*, True -*.willsrus.biz*, True -*.willtokillgaming.org*, True -*.willweatherholtz.tk*, True -*.willybest.co.uk*, True -*.willytp.com*, True -*.willyware.com.au*, True -*.wilmatron.com*, True -*.wilpster.com*, True -*.wilsonema.com*, True -*.wilsongimenes.com.br*, True -*.wilsonsfamily.us*, True -*.wilsonweather.net*, True -*.wilsor.ro*, True -*.wiltrout.info*, True -*.wilykids.com*, True -*.wimans.com*, True -*.wimarket.es*, True -*.wimbat.com*, True -*.wiminin.asia*, True -*.wiminin.at*, True -*.wiminin.be*, True -*.wiminin.cc*, True -*.wiminin.ch*, True -*.wiminin.com*, True -*.wiminin.co.uk*, True -*.wiminin.cz*, True -*.wiminin.es*, True -*.wiminin.eu*, True -*.wiminin.fr*, True -*.wiminin.in*, True -*.wiminin.li*, True -*.wimininn.at*, True -*.wimininn.com*, True -*.wiminin.net*, True -*.wiminin.nl*, True -*.wiminin.org*, True -*.wiminin.pl*, True -*.wiminin.si*, True -*.wiminin.sk*, True -*.wimpieke.be*, True -*.win289.tw*, True -*.win31.net*, True -*.win5858.co*, True -*.win7tweaks.net*, True -*.win999.biz*, True -*.win999.co*, True -*.winceys.com*, True -*.winchcombe.eu*, True -*.winchtec.com*, True -*.winchtek.com*, True -*.windalforever.com*, True -*.windexlg.com*, True -*.windflowerbotanicals.com*, True -*.windflowerdoula.com*, True -*.windflowerhandmade.com*, True -*.windfyre.com*, True -*.windfyre.net*, True -*.windimda.com*, True -*.windingriveronline.com*, True -*.windmag.net*, True -*.windmaxinternational.com*, True -*.windmills-travel.com*, True -*.windmillstravel.com*, True -*.windowclean.ca*, True -*.win-do.ws*, True -*.windows8themes.info*, True -*.windowsdriver.cn*, True -*.windowsofwelfare.com*, True -*.windowwashnguy.com*, True -*.windrivermining.com*, True -*.windrox.info*, True -*.windrushcottageinn.com*, True -*.windsoftrade.net*, True -*.windsorbus.com*, True -*.windsormetalbattery.com*, True -*.windy-city-liquidation.com*, True -*.windyhillgourds.com*, True -*.wine-and-dine.co.za*, True -*.wineanddine.hk*, True -*.wineandmeat.com*, True -*.wine.as*, True -*.winecart4s.com*, True -*.winecompass.hk*, True -*.winecountrymall.com*, True -*.winefoodcarnival.hk*, True -*.winefridge.co.za*, True -*.winegarage.at*, True -*.winegiftmegastore.com*, True -*.wine-monitor.net*, True -*.winepubcrawl.com.ar*, True -*.winergy.pl*, True -*.winerybrasil.com*, True -*.winerydistribuidora.com*, True -*.winespy.net*, True -*.winetastenote.com*, True -*.winetelligence.co.za*, True -*.winglai.com*, True -*.winglet.ca*, True -*.wingquist.com*, True -*.wingsofthedawn.com.au*, True -*.wingtaiplastic.com*, True -*.wingtat.tk*, True -*.wingwah.ch*, True -*.winition.com*, True -*.winkel.com.ar*, True -*.winkelplus.nl*, True -*.winkeltip.nl*, True -*.winkeltotaal.com*, True -*.winkeltotaal.nl*, True -*.winlininfotech.com*, True -*.winlots.ga*, True -*.winminhas.com*, True -*.winnaqinna.fi*, True -*.winnarr.com*, True -*.winnarr.net*, True -*.winnarr.org*, True -*.winncs.com*, True -*.winnerr.com*, True -*.winne.rs*, True -*.winnery.ro*, True -*.winnie-cam.com*, True -*.winnieng.com*, True -*.winning.ro*, True -*.winnipeghorizon.com*, True -*.winnity.ro*, True -*.winonawinn.com*, True -*.win-ow.com*, True -*.winpack.gq*, True -*.winpex.com*, True -*.win-raffler.com*, True -*.winrarturkiye.com*, True -*.winrate.net*, True -*.winridge.com*, True -*.winryese.com*, True -*.wins.com.br*, True -*.winscp.ga*, True -*.winship.co.za*, True -*.winsi.cl*, True -*.winstonhall.com*, True -*.winston.web.id*, True -*.winstructions.net*, True -*.winsuk.tk*, True -*.win-tech.cn*, True -*.winterfell.ch*, True -*.winterhouse.info*, True -*.wintermodellook.com*, True -*.winter.org*, True -*.winterservers.nl*, True -*.winter-shells.de*, True -*.winterwoodfarm.co.nz*, True -*.wintoday.co.za*, True -*.winuklottery.com*, True -*.win-uw.com*, True -*.winwhois.com*, True -*.winwiz.net*, True -*.winwood.net.au*, True -*.winyourxmas.com*, True -*.wip3d.com.ar*, True -*.wiphi.net*, True -*.wira-7.com*, True -*.wirabaktikencana.com*, True -*.wiratechnicmandiri.com*, True -*.wirbauen.es*, True -*.wirdieschweiz.ch*, True -*.wireandless.com*, True -*.wirednet.com.ar*, True -*.wiredscience.us*, True -*.wiredup.co.za*, True -*.wiredz.net*, True -*.wire.gq*, True -*.wirelesku.com*, True -*.wirelessku.com*, True -*.wiremad.ro*, True -*.wiremesh-mjsa.com*, True -*.wireos.com*, True -*.wireraptor.us*, True -*.wirerun.com*, True -*.wireside.net*, True -*.wirestrike.co.za*, True -*.wirich.com*, True -*.wirkiffenteam.com*, True -*.wir-schwarzen.ch*, True -*.wirtschaft48.info*, True -*.wirtschaftslexi.com*, True -*.wirtschaftslexikon.net*, True -*.wirzan.com*, True -*.wirzus.name*, True -*.wisataborobudur.co.id*, True -*.wisatajakarta.co.id*, True -*.wisataku.asia*, True -*.wisatapendidikanjogja.com*, True -*.wisbroadband.com*, True -*.wisconns.com*, True -*.wisdmhub.org*, True -*.wisdomlanna.com*, True -*.wisdom-spa.com*, True -*.wise-boss.com*, True -*.wiseconsults.com*, True -*.wiseeyesent.com*, True -*.wiseitsolutions.com.au*, True -*.wiseleadhandbag.com*, True -*.wisetownbaptistchurch.com*, True -*.wisgy.com*, True -*.wishct.com*, True -*.wish-list.at*, True -*.wishyouwerebeer.com*, True -*.wismeexpress.com.ar*, True -*.wisnuu.ml*, True -*.wis-pengin.ml*, True -*.wisp.si*, True -*.wissen48.net*, True -*.wissnet.com.ar*, True -*.witakharismajaya.co.id*, True -*.witakharismajaya.com*, True -*.witbro.com*, True -*.witchcraft.net.au*, True -*.witchers.org*, True -*.witchyhouse.com*, True -*.witcom.com.ar*, True -*.witczak.org*, True -*.withfrosted.com*, True -*.within.hk*, True -*.with.mirkforce.de*, True -*.withouttech.com*, True -*.withyoujapan.com*, True -*.witongachildcare.com.au*, True -*.witrick.com*, True -*.witschger.net*, True -*.witschi-bauleitung.ch*, True -*.wittering.net*, True -*.wittering.org*, True -*.witterings.info*, True -*.witterings.net*, True -*.witterings.org*, True -*.wittesolutions.com*, True -*.wittymelon.com*, True -*.wiwiec.com*, True -*.wixbit.com*, True -*.wizardblue.com*, True -*.wizard.im*, True -*.wizardofcairo.com*, True -*.wizardy.org*, True -*.wizfos.com*, True -*.wizgnome.com*, True -*.wizluv.com*, True -*.wizodvd.com*, True -*.wizzup.com*, True -*.wj4p.me*, True -*.wjcltd.com*, True -*.wjj44.com*, True -*.wjj55.com*, True -*.wjj66.com*, True -*.wjj77.com*, True -*.wjj88.com*, True -*.wjmaniac.ml*, True -*.wjsolutions.com.br*, True -*.wjstieritz.com*, True -*.wkclx.net*, True -*.wkdsl.hk*, True -*.wkfprovincials.ca*, True -*.wk-hannover.tk*, True -*.wkwk.co*, True -*.wland.de*, True -*.wland.ro*, True -*.wlan.lv*, True -*.wlchile.cl*, True -*.wlfnet.org*, True -*.wlmantenimiento.cl*, True -*.wlm.co.za*, True -*.wlmonitor.me*, True -*.wloforever.com*, True -*.wlsn.co.uk*, True -*.wlsn.uk*, True -*.wlucas.com*, True -*.wm24.com.ru*, True -*.wm24.md*, True -*.wmagno.com.br*, True -*.wmbeco.com*, True -*.wmcesher.ru*, True -*.wmch.net*, True -*.wmconsultores.net.ve*, True -*.wmcpotts.net*, True -*.wmhelgeson.com*, True -*.wmhelp.com*, True -*.wmiag.ch*, True -*.wmining.cl*, True -*.wmkasher.ru*, True -*.wmome.net*, True -*.wmpublicidad.cl*, True -*.wmqyin.com*, True -*.wmsfrank.com*, True -*.wmtday.org*, True -*.wmwc.ru*, True -*.wmz-mail.com*, True -*.w-n.co.za*, True -*.wnd66.com*, True -*.wnd78.com*, True -*.wnd88.com*, True -*.wnetbg.com*, True -*.wnoiprogramming.tk*, True -*.wnsr198.com*, True -*.wntcomm.com*, True -*.wo5m.net*, True -*.woal.ch*, True -*.wobb.nu*, True -*.wobertni.cf*, True -*.wobh.org*, True -*.wocaweb.com*, True -*.wochat.ml*, True -*.wocone.com*, True -*.wod-media.com*, True -*.wodongabaseball.org.au*, True -*.wodongabaseballsoftball.org.au*, True -*.wodongasoftball.org.au*, True -*.wodryhep.cf*, True -*.woeac.org*, True -*.woelkchen-online.de*, True -*.wofeidengxian.com*, True -*.woh.ca*, True -*.wohing.asia*, True -*.wohlerdt.com*, True -*.wohnheim-ruebeldorf.ch*, True -*.wohn-land.ch*, True -*.wohnliches-geiselweid.ch*, True -*.wohnungssuche.pw*, True -*.woibbs.org*, True -*.woi.bz*, True -*.wojb.org*, True -*.wojcicka.org*, True -*.wojcicki.org*, True -*.wojciktechnologies.com*, True -*.wojcik.tk*, True -*.wojewodzki.co.uk*, True -*.wojtekzielinski.com*, True -*.wojts.pl*, True -*.wojtulas.pl*, True -*.wolbi.ca*, True -*.wol.ca*, True -*.woles.net*, True -*.wolfande.ml*, True -*.wolfautoaccessories.com*, True -*.wolfautoaccessories.com.au*, True -*.wolfauto.pro*, True -*.wolfcoenterprises.com*, True -*.wolfdork.com*, True -*.wolffautohaustrucks.co.za*, True -*.wolfgang-birner.de*, True -*.wolfgang-hametner.com*, True -*.wolfganghametner.com*, True -*.wolfgangpucher.com*, True -*.wolfgangww.com*, True -*.wolfidy.com*, True -*.wolfi.hu*, True -*.wolf-killer.com*, True -*.wolfmaschine.ro*, True -*.wolframauto.ru*, True -*.wolframreulecke.de*, True -*.wolfrealty.biz*, True -*.wolfsdengaming.com*, True -*.wolfsource.eu*, True -*.wolftech.ro*, True -*.wolf-tec.net*, True -*.wolf-theparty.ml*, True -*.wolfwhistles.org*, True -*.wolislaw.com*, True -*.wolkie.ml*, True -*.wolle-laden.ch*, True -*.woll-laden.ch*, True -*.wollladen.ch*, True -*.wollmann.org*, True -*.wolmerica.com*, True -*.wolnanuta.pl*, True -*.wolneiautomoveis.com.br*, True -*.wolochwianski.com.ar*, True -*.wolstencroft.com.au*, True -*.wolvertonbuilders.com*, True -*.woman-freedom.ru*, True -*.womanshop.bg*, True -*.womansurvivalskills.com*, True -*.wombles.org*, True -*.womega.com.au*, True -*.womenbuddy.com*, True -*.womenclothingtoday.com*, True -*.womenfpal.com*, True -*.womenfpal.info*, True -*.womensberry.com*, True -*.womenscounselingcenter.org*, True -*.womenwhocare.ca*, True -*.womenwillloveyou.com*, True -*.wonderconstructie.be*, True -*.wonderfuldolls.ru*, True -*.wonderland.com.br*, True -*.wonderville.ru*, True -*.wondrouswater.co.za*, True -*.wonerth.ro*, True -*.wongandlarsen.com*, True -*.wong-awam.com*, True -*.wonghome.tk*, True -*.wongnet.hk*, True -*.wong-paciran.tk*, True -*.wongsters.net*, True -*.woningserviceutrecht.nl*, True -*.wonka.com.br*, True -*.wonka.net.br*, True -*.wonkatonkwa.com*, True -*.wonkdugul.ml*, True -*.wonkwangmd.org*, True -*.wonky.name*, True -*.wonosobo.tk*, True -*.wontdoit.com*, True -*.wontonproductions.com*, True -*.woobling.org*, True -*.woodburnfamily.net*, True -*.woodcarving-tyrol.com*, True -*.woodchucker.se*, True -*.woodenartist.com*, True -*.woodencamera.ca*, True -*.woodenshampoo.com*, True -*.woodhome.us*, True -*.woodlandsfarm.co.za*, True -*.woodleg.ca*, True -*.woodlove.be*, True -*.woodlove.eu*, True -*.woodlove.nl*, True -*.woodnuttantiques.com*, True -*.woodruffhsalumni.com*, True -*.woodsfashion.com*, True -*.woodsmad.com*, True -*.woodsterrace.ca*, True -*.woodwardinc.net*, True -*.woodwardlaw-mt.com*, True -*.woodyprojects.co.za*, True -*.woodys-music.co.uk*, True -*.woofhound.com*, True -*.woofsquad.com*, True -*.wookas.com*, True -*.wookieeonendor.com*, True -*.wookiefuck.com*, True -*.wookiefuck.info*, True -*.wooloo.net*, True -*.woolyorgasms.com*, True -*.woombyenewsagency.com.au*, True -*.woon.cc*, True -*.woonpolicedetails.com*, True -*.woonserviceutrecht.nl*, True -*.woonsocketdailynews.com*, True -*.woonsocketradio.com*, True -*.wooptoo.com*, True -*.wootwatchers.com*, True -*.wordaxis.com*, True -*.wordfortunes.com*, True -*.word-play.com*, True -*.wordpressbuddy.com*, True -*.wordpressthemes.si*, True -*.wordsey.com*, True -*.wordsformyunborn.com*, True -*.words.hk*, True -*.wordslurp.com*, True -*.wordsmithme.ca*, True -*.wordtditmijnwebsite.info*, True -*.wordup.io*, True -*.word-walk.com*, True -*.worid.tk*, True -*.workandplay.info*, True -*.work-box.com.ar*, True -*.workdesktop.co.za*, True -*.workeasy.ca*, True -*.workforceexplorer.com*, True -*.workhomelife.com.au*, True -*.workingcreativity.com*, True -*.workitfor.me*, True -*.worklab.com.ar*, True -*.workloadautomation.net*, True -*.worklog.pl*, True -*.workordersonthego.com*, True -*.work-outguys.com*, True -*.workoutguys.com*, True -*.workoutlaw.com*, True -*.workoutlawyers.com*, True -*.workoutnetwork.cf*, True -*.work-outpros.com*, True -*.workplant.com*, True -*.workrightfast.com*, True -*.workshopinabox.co.za*, True -*.workshopinc.in*, True -*.workshopsforyou.com*, True -*.workshopstation.com*, True -*.worksinmagic.com*, True -*.workslink.com.au*, True -*.worksmart.com.my*, True -*.worksmart.me*, True -*.worksmartware.com*, True -*.workstrate.com*, True -*.workstrate.ir*, True -*.worktoday.in*, True -*.workviet.com*, True -*.workviet.net*, True -*.workvisahelp.com*, True -*.workymotion.org*, True -*.world2chat.ml*, True -*.world-box.tk*, True -*.worldclique.nl*, True -*.worldcontrol.org*, True -*.worldcreate.com*, True -*.worldcreate.net*, True -*.worldcreate.org*, True -*.worldcup.as*, True -*.world-domination.com.au*, True -*.worldefense.com*, True -*.worldelitemilitary.com*, True -*.world-herbals.com*, True -*.worldhotnews.ga*, True -*.world-insurance.co*, True -*.worldintechnocolor.com*, True -*.world-labels.com*, True -*.worldlawlist.com*, True -*.worldlinkaccessories.com*, True -*.worldmarketindo.com*, True -*.worldmart.info*, True -*.worldmoneytr.ee*, True -*.worldmoneytree.com*, True -*.worldofcaudor.com*, True -*.worldofiniquity.com*, True -*.worldoflighting.co.za*, True -*.worldoflights.co.za*, True -*.worldofmetal.tk*, True -*.worldofmotorsports.com*, True -*.worldofpengelski.com*, True -*.worldofpower.ru*, True -*.worldofsienna.com*, True -*.worldofunix.in*, True -*.worldofwarlords.info*, True -*.worldomatic.com*, True -*.worldpaste.com*, True -*.worldpromo.com*, True -*.worldsalsainfo.com*, True -*.worldsbestbrands.com.au*, True -*.worldscollide.ca*, True -*.worldscotts.com*, True -*.worldserpentexotics.com*, True -*.worldsquarehostel.com.au*, True -*.worldsquarehotel.com.au*, True -*.worldstopbrands.com*, True -*.worldstudio.tk*, True -*.worldviewweekendfoundation.com*, True -*.worldviewweekendfoundation.org*, True -*.worldweary.org*, True -*.worldwellness.com.my*, True -*.worldwidebase.com*, True -*.worldwide-investment.net*, True -*.worldwiderecruitmentservices.com*, True -*.worldwide-technologies.ro*, True -*.worldwideweber.net*, True -*.worldwidewebolution.com*, True -*.worldwrestlingtorrents.net*, True -*.wormhole.cf*, True -*.worontzoff.be*, True -*.worstmemes.com*, True -*.worst.ml*, True -*.wortha1000words.net*, True -*.worthingelectrical.co.uk*, True -*.worthing-electrician.com*, True -*.worthingfirealarms.co.uk*, True -*.worthyplatoon.com*, True -*.wortordnung.ch*, True -*.worxxx.tk*, True -*.worzallahc.com*, True -*.woshop.se*, True -*.woszczak.com*, True -*.woszczakcontractors.com*, True -*.woszczakmechanical.com*, True -*.wotcgaming.com*, True -*.wot.cl*, True -*.wot-irbit.ru*, True -*.wotlife.net*, True -*.wotus.com*, True -*.wouldyoucometoslovenia.si*, True -*.wouldyougogayforgeti.com*, True -*.wouldyoulookatthat.co.uk*, True -*.wounds.co.il*, True -*.woutwoot.be*, True -*.woutwoot.com*, True -*.wovensphere.com*, True -*.wowbear.com*, True -*.wow.bz*, True -*.wowchile.cl*, True -*.wowchris.com*, True -*.wow-endofdays.us*, True -*.woweventbali.com*, True -*.wow-hungary.com*, True -*.wowscape.ml*, True -*.woww.ga*, True -*.wox33.com*, True -*.wox77.com*, True -*.wox88.com*, True -*.wox99.com*, True -*.woyko.com*, True -*.woys.net*, True -*.wozabus.com*, True -*.wp7s.com*, True -*.wpaji.info*, True -*.wpe.co.za*, True -*.wpg.im*, True -*.wpjones.com*, True -*.wpk.co.za*, True -*.wpkuyk.com*, True -*.wp-likers.ga*, True -*.wpmc.cl*, True -*.wpo.co.za*, True -*.wpostback.com*, True -*.wptweetblast.com*, True -*.wptweetblast.net*, True -*.wpv.co.za*, True -*.wq3c.net*, True -*.wqc.me*, True -*.w--q.com*, True -*.wqlmart.com.br*, True -*.wraithworks.org*, True -*.wrang.fi*, True -*.wrb.ca*, True -*.wreckedskategaming.tk*, True -*.wreckergames.us*, True -*.wreckomendautobody.com*, True -*.wrestlegc.com*, True -*.wretchedvillains.com*, True -*.wrh.club*, True -*.wrigg.com.au*, True -*.wriggcreative.com.au*, True -*.wrightjnr.co.za*, True -*.wrightsproductions.com*, True -*.wrightway.in*, True -*.writecongress.com*, True -*.writecoy.biz*, True -*.writerpatkramer.com*, True -*.writersepiphany.com*, True -*.writers.net.au*, True -*.writestart.co.nz*, True -*.writhem.net*, True -*.writr.ca*, True -*.wrkit.me*, True -*.wrkit.ru*, True -*.wrlabs.com*, True -*.wroble.org*, True -*.wrolpreps.com*, True -*.wrongfoxx.tv*, True -*.wrongsite.net*, True -*.wrongway.in*, True -*.wrongway.org*, True -*.wrongwrong.com*, True -*.wroth.org*, True -*.wrps-lhsalumni.org*, True -*.wrtpoona.in*, True -*.wrxtuner.com*, True -*.ws-2.net*, True -*.wsabkonsult.se*, True -*.wsapi.net*, True -*.wsconsulting.com.ar*, True -*.wservices88.com*, True -*.wseymour.co.uk*, True -*.w--s.ga*, True -*.w--s.gq*, True -*.wsiao.com*, True -*.wsite.co.za*, True -*.wsmed.pl*, True -*.wsn-sa.cl*, True -*.wsoks.com*, True -*.ws-service.ru*, True -*.ws.si*, True -*.wsworld.it*, True -*.wsxd.ca*, True -*.wsxedcrfv.tk*, True -*.wta66.com*, True -*.wta78.com*, True -*.wta.su*, True -*.wtfae.net*, True -*.wtfden.co*, True -*.wtfden.com*, True -*.wtfdmmg.com*, True -*.wtfidiot.com*, True -*.wtf.im*, True -*.wtfix.com*, True -*.wtfix.org*, True -*.wtfpass.ru*, True -*.wtfpwnt.net*, True -*.wtfsales.com.ar*, True -*.wtfwasithinking.org*, True -*.wt.gd*, True -*.wthschina.com*, True -*.wt.lv*, True -*.wtm-online.ca*, True -*.wtoons.com*, True -*.wtr2.ro*, True -*.wtrenker.com*, True -*.wtstudio.pl*, True -*.wttyone.ca*, True -*.wttyone.com*, True -*.wtu-ensenada.com*, True -*.wtvision.com.br*, True -*.wtvision.es*, True -*.wtvision.pt*, True -*.wtzny.tk*, True -*.wubba.com.au*, True -*.wud.li*, True -*.wuens.ch*, True -*.wuesttreuhand.ch*, True -*.wuevos.com*, True -*.wuffle.net*, True -*.wuhh.ga*, True -*.wulabs.org*, True -*.wulf2k.ca*, True -*.wulfdengaming.com*, True -*.wulfslair.com*, True -*.wumbo.be*, True -*.wunderbargain.com*, True -*.wunsch-karten.ch*, True -*.wunsch-therapeut.ch*, True -*.wurb.com*, True -*.wurmi.net*, True -*.wurstbrot.co.uk*, True -*.wurstpelle.ch*, True -*.wurth.org*, True -*.wurty.net*, True -*.wusabi.com*, True -*.wuss.cf*, True -*.wuswus.cf*, True -*.wuswus.ga*, True -*.wuswus.gq*, True -*.wuswus.ml*, True -*.wuswus.tk*, True -*.wutang.ml*, True -*.wuun.com*, True -*.wuxiandaili.com*, True -*.wuxinjiaosu.com*, True -*.wuzhou.tw*, True -*.wuziya.com*, True -*.wuzz.gq*, True -*.wuzzle.pl*, True -*.wv44.com*, True -*.wvrealview.com*, True -*.ww0.ca*, True -*.ww2.io*, True -*.ww2.li*, True -*.ww2nar-pac.com*, True -*.ww3.co.za*, True -*.ww51.com*, True -*.wwais.com*, True -*.ww-bbvanet.com*, True -*.wwdc-live.com*, True -*.w-web.org*, True -*.wweindo.net*, True -*.wwenzel.org*, True -*.wwe-pro.com*, True -*.wwfbb.com*, True -*.wwiii.me*, True -*.wwivbbs.com*, True -*.wwlog.co.za*, True -*.wwojd.com*, True -*.wwpon.com*, True -*.wwrad.com*, True -*.wwresidentialservices.com*, True -*.wws4all.de*, True -*.w-ws.gq*, True -*.w-ws.tk*, True -*.wwtest.co.za*, True -*.wwvip.com*, True -*.www1.ga*, True -*.www1.ml*, True -*.www24.co.za*, True -*.www2.ml*, True -*.www3.ga*, True -*.www4.ga*, True -*.www4.gq*, True -*.wwwcat.com*, True -*.www-domein.nl*, True -*.wwweb.co.za*, True -*.ww-web.org*, True -*.wwwebsites.co.za*, True -*.wwwgo.tk*, True -*.wwwlive.co.za*, True -*.wwwpiekielni.pl*, True -*.www-pornoload.ru*, True -*.wwwriva.com*, True -*.wwwsabcnews.co.za*, True -*.wwwsa.co.za*, True -*.www-style.tk*, True -*.wwwstyle.tk*, True -*.wwwto.tk*, True -*.wwwww.gq*, True -*.wwwwwwwww.in*, True -*.wwx.be*, True -*.wxc73.com*, True -*.wxc76.com*, True -*.wxc83.com*, True -*.wxc92.com*, True -*.wxk73.com*, True -*.wxk76.com*, True -*.wxk85.com*, True -*.wxnw.net*, True -*.wxyz.ml*, True -*.wyb2010.co.uk*, True -*.wyck.ca*, True -*.wyckedsensation.com*, True -*.wycliffe.tk*, True -*.wyevery.tk*, True -*.wyk73.com*, True -*.wyk83.com*, True -*.wyk85.com*, True -*.wyk97.com*, True -*.wyker.info*, True -*.wyklikaniec.info*, True -*.wyldbrian.com*, True -*.wylie.mx*, True -*.wylie.org.au*, True -*.wyli.es*, True -*.wym32.com*, True -*.wym73.com*, True -*.wym82.com*, True -*.wym92.com*, True -*.wyndnet.eu*, True -*.wyndwar.net*, True -*.wynnefam.com*, True -*.wynnehome.net*, True -*.wynnsfinishescomplete.com*, True -*.wynns.org*, True -*.wynnware.com*, True -*.wypierdalaj.tk*, True -*.wyrdscience.us*, True -*.wyrmtek.com*, True -*.wyrzykowski.biz*, True -*.wyss.mx*, True -*.wyss-sa.ch*, True -*.wyssyw.ch*, True -*.wyszukajauto.pl*, True -*.wyszynski.org*, True -*.wytrysk.net*, True -*.wyverngames.net*, True -*.wyvernia.net*, True -*.wyzzoo.com*, True -*.wzf1927.com*, True -*.x01x.us*, True -*.x11p2p.com*, True -*.x12express.com*, True -*.x14n.org*, True -*.x1nt00l2.tk*, True -*.x26.ch*, True -*.x2c.net*, True -*.x-2.info*, True -*.x3100.ml*, True -*.x314xx.ru*, True -*.x317xx.ru*, True -*.x3mfly.com*, True -*.x3n.pw*, True -*.x3y2.com*, True -*.x-42.ru*, True -*.x4fyr.de*, True -*.x64.co*, True -*.x64.ro*, True -*.x6h.pw*, True -*.x86.se*, True -*.x90its.com*, True -*.x96.org*, True -*.xa-counter.com*, True -*.xad84.com*, True -*.xadica.com*, True -*.xadja.com*, True -*.xagnus.com*, True -*.xakep.kz*, True -*.xalem.net*, True -*.xalem.org*, True -*.xalg.im*, True -*.xalg.org*, True -*.xalthe.com*, True -*.xamlcast.net*, True -*.xammy.net*, True -*.xammy.nl*, True -*.xandao.co.uk*, True -*.xand.es*, True -*.x-andika.cf*, True -*.x-andika.ga*, True -*.x-andika.gq*, True -*.x-andika.tk*, True -*.xandis.info*, True -*.xantrep.com*, True -*.xanxan.cf*, True -*.xardas.eu*, True -*.xarena.tk*, True -*.xarothan.ch*, True -*.xashen.com*, True -*.xasia.hk*, True -*.xatanic.ml*, True -*.xatoo.com*, True -*.xaviermet.net*, True -*.xaviersegtrab.com.br*, True -*.xavkearney.com*, True -*.xavorus.com*, True -*.xaxlo.com*, True -*.xbabes.co*, True -*.xbasex.cl*, True -*.xb.co.za*, True -*.xbinventory.com*, True -*.xbmc.fi*, True -*.xbone.co.il*, True -*.xboned.com*, True -*.xbooking.com.ar*, True -*.xbox360walkthroughs.net*, True -*.xboxid.net*, True -*.xboxonemodding.info*, True -*.xbrav.com*, True -*.xbrl.cl*, True -*.xbrlsoftware.cl*, True -*.xbsd.tk*, True -*.xbte.net*, True -*.xbte.nl*, True -*.xbudex.com*, True -*.xbytes.com.ar*, True -*.xc1.pw*, True -*.xc2.pw*, True -*.xc325.net*, True -*.xc3.pw*, True -*.xc5.pw*, True -*.xc6.pw*, True -*.xc7.pw*, True -*.xc8.pw*, True -*.xc9.pw*, True -*.xca97.com*, True -*.xca98.com*, True -*.xca99.com*, True -*.xcamvidz.net*, True -*.xcasuals.com*, True -*.xcause.net*, True -*.xcc93.com*, True -*.xcelprop.com.au*, True -*.x-changegate.com*, True -*.xcharters.com*, True -*.xcisco.net*, True -*.x-cite.sk*, True -*.xcite.tk*, True -*.x-clio.com*, True -*.xcloudhost.org*, True -*.x-corp.info*, True -*.xcorps.in*, True -*.xcosmeticos.com.br*, True -*.xcportugal.org*, True -*.xcrip.tk*, True -*.xcrm.cl*, True -*.xcruft.com*, True -*.xcs.gr*, True -*.xdados.com.br*, True -*.xdavid.in*, True -*.xday.ca*, True -*.xdchannel.com*, True -*.xdecor.eu*, True -*.xdivegear.co*, True -*.xdivegear.com*, True -*.xdns.ir*, True -*.xdownloadmp3.com*, True -*.xecnoit.cf*, True -*.xecutives.ch*, True -*.xeditor.org*, True -*.xedulich.com*, True -*.xeduten.cf*, True -*.xeimbobtipolbedgik.pw*, True -*.xelio.ga*, True -*.xelp.cl*, True -*.xelux.ru*, True -*.xelybry.ro*, True -*.xemay24.com*, True -*.xemclickzdirects.net*, True -*.xemphimhd.net*, True -*.xemphimzz.com*, True -*.xemtatca.com*, True -*.xem.tv*, True -*.xemvideozz.com*, True -*.xen21.net*, True -*.xen83.com*, True -*.xen84.com*, True -*.xencomputing.info*, True -*.xendashop.com*, True -*.xendastore.com*, True -*.xenesis.com.mx*, True -*.xenfor.com*, True -*.xeniax.ru*, True -*.xenia-zingg.ch*, True -*.xenlightenment.com*, True -*.xenocorp143.co.za*, True -*.xenonsky.com*, True -*.xenor.ro*, True -*.xenosgame.info*, True -*.xenoss.net*, True -*.xenox1983.de*, True -*.xensoft.com*, True -*.xeonxu.info*, True -*.xeox.one.pl*, True -*.xephaoma.com*, True -*.xepl.com.mx*, True -*.xerevro.cl*, True -*.xerius.net*, True -*.xerver.co.uk*, True -*.xerver-v.co.uk*, True -*.xeso.xyz*, True -*.xetica.uk*, True -*.xevna.net*, True -*.xevz.net*, True -*.xfanny.com*, True -*.xfei.cf*, True -*.xfei.ga*, True -*.xfei.ml*, True -*.xffm.org*, True -*.xfiles.to*, True -*.xfirmware.com*, True -*.xfollow.uk*, True -*.xfoo.net*, True -*.xforce-crew.org*, True -*.xforecasts.ru*, True -*.xform.com.ar*, True -*.xfox.id.lv*, True -*.xfusionsolution.com*, True -*.xgamegodni.pl*, True -*.x-gamers.ru*, True -*.xgate.net*, True -*.xgate.org*, True -*.xgen.my*, True -*.xgiaitri.net*, True -*.xgmar.com*, True -*.xgn-itd.co.uk*, True -*.xhalarin.com*, True -*.xheaven.net*, True -*.xhekel.net*, True -*.xh-physio.ch*, True -*.xh-physiotherapie.ch*, True -*.xhub.ro*, True -*.xhzshop.com*, True -*.xiangetaway.com*, True -*.xiao235.com*, True -*.xiaodai.info*, True -*.xiaoshei.com*, True -*.xiaoshuo8.gq*, True -*.xibbit.ch*, True -*.xicod.com*, True -*.xid.co.kr*, True -*.xielilawyer.com*, True -*.xieum.com*, True -*.xi-ipa.cf*, True -*.xijinping-tibetchallenge.org*, True -*.xill.fi*, True -*.xilobtyk.cf*, True -*.ximangvietnam.com*, True -*.ximbetrpolmediasx.pw*, True -*.ximbubadvedgimemxol.pw*, True -*.ximedikolmediasx.pw*, True -*.ximlenrd.cf*, True -*.ximnentiupolmediasx.pw*, True -*.ximnolpitredgitolpos.pw*, True -*.ximonoditressortgixexol.pw*, True -*.ximpoppitredgidetol.pw*, True -*.ximtipolkistepmediasx.pw*, True -*.ximtitpitdedgixexol.pw*, True -*.ximtonytedodgixexol.pw*, True -*.xincronet.cl*, True -*.xinebikolpolmediasx.pw*, True -*.xinezhan.com*, True -*.xinghexing.com*, True -*.xinhuamall.com.pk*, True -*.xinit.se*, True -*.xinobi.net*, True -*.xins.eu*, True -*.xintel.ru*, True -*.xintiandi.com.ar*, True -*.xinxinya.tw*, True -*.xion345.info*, True -*.xipdfcontrol.com*, True -*.xirc.tk*, True -*.xiris.com.ar*, True -*.xirix.com.ar*, True -*.xisla.com.br*, True -*.xistore.tw*, True -*.xitauri.com*, True -*.xiur.de*, True -*.xiusiyan.com*, True -*.xiutuxiu.com*, True -*.xivlife.net*, True -*.xivlife.tk*, True -*.xiyu.ml*, True -*.xjad.com.br*, True -*.xjb.se*, True -*.xjcaisan.com*, True -*.xjohn.net*, True -*.xjsv.tk*, True -*.xkxempire.com*, True -*.xl4g.org*, True -*.xlagugratis.com*, True -*.xlan.ro*, True -*.xleox.org*, True -*.x-linux.in*, True -*.xliveindonesia.net*, True -*.xlive.pro*, True -*.xll1006.com.ar*, True -*.xllun.com*, True -*.xlnation.net*, True -*.xl-penis.com*, True -*.xlr8apps.com*, True -*.xlr8apps.com.au*, True -*.xlrate.ch*, True -*.xlwxf.com*, True -*.xman.tw*, True -*.xmaturevideos.net*, True -*.xmed.me*, True -*.xmia3-smansa.org*, True -*.xmi.gr*, True -*.xmiservices.eu*, True -*.xmiservices.gr*, True -*.xmlfence.com*, True -*.xmlpad.com*, True -*.xmm64.com*, True -*.xmm94.com*, True -*.xmonitoring.com*, True -*.xmpc.com.ar*, True -*.xmtb.ru*, True -*.xmtmail.tk*, True -*.xmxwt.com*, True -*.xn-------05fcfop3cdbcadrf7bze5if4i76iia03eja.com*, True -*.xn----0hcblbccdk3a2a2m.co.il*, True -*.xn----0hccc8aadsh8aj4gm.co.il*, True -*.xn--0z3a13h.hk*, True -*.xn--12c6c3axydj1a7gg5i.com*, True -*.xn--12c7bb0a0aa2cya6a1be7t7b.com*, True -*.xn--12cl5bibibe4efl7fbt1hecbbyr5wthxd.com*, True -*.xn--12cm9bm5b4dza4c8dp7e.com*, True -*.xn--12csal0csidk3cqe5d8b3a1bg4a4b6drgs1nujf.com*, True -*.xn--1ctw9mh3i47n.com*, True -*.xn----1hce2avyrmv.com*, True -*.xn----1hceimejc2b1a.co.il*, True -*.xn--1nqr6o71keu1a1bc.tw*, True -*.xn--1qqu7hpvgcybf60anhi.tw*, True -*.xn--22cehd1flde9dfg1d4gqai5b3n8f.com*, True -*.xn--22ck7c6ccd0s.com*, True -*.xn--2e0ba322dba.com*, True -*.xn----2hcbhbixu2b1fjp.co.il*, True -*.xn----2hcehdtrhs6a9b4c.co.il*, True -*.xn----2hcjlhad2ah0en0a.co.il*, True -*.xn--2qu872b6ya651f.tw*, True -*.xn--2qu872b8ya651f.tw*, True -*.xn--2rqr6g20dmxcms1f1t6a5nb.com*, True -*.xn--365-r48dj4n6n7f.cn*, True -*.xn--365-r48dj4n6n7f.com*, True -*.xn--3et30cd0uie.tm*, True -*.xn----3hcja8a0biouy.co.il*, True -*.xn--3nz149a.hk*, True -*.xn--42cga5c0aef6dc1hqbn5b6a7jl1k.com*, True -*.xn--48s290ax8jc7j.hk*, True -*.xn--48s331dkkh7xx.hk*, True -*.xn--48s7g623h7ct.hk*, True -*.xn--48s7gz66aksx.hk*, True -*.xn--4dbcjbrce1b1cl4b.co.il*, True -*.xn--4gbwdm.my*, True -*.xn--4gq53tnts3we7xfc34bcym.tw*, True -*.xn----4hcebbb5awoy8f.com*, True -*.xn--4zq561ekoskvb.co*, True -*.xn--5dbaibyiuuag6h.co.il*, True -*.xn--5dbajcb4bp8df6a.co.il*, True -*.xn--5dbfbrc5ba1at7b.co.il*, True -*.xn--5dbqaq2ce.com*, True -*.xn----5hcgbrc8aq4a6afhg.com*, True -*.xn--6bt33k0qe.tw*, True -*.xn----6hcdbtbc5c8azc.co.il*, True -*.xn----6hceimoqg7fdg.co.il*, True -*.xn-----6ldcft1bl1bvydml.co.il*, True -*.xn--6o8h.tk*, True -*.xn--6oqv77an9lsy1a1uo.hk*, True -*.xn--72c6a3agbba9c1a2fugj4l.com*, True -*.xn--72cb5i.net*, True -*.xn--72cg7bdd3bro6b3ab9c8btw4x.com*, True -*.xn--74qu15c.tw*, True -*.xn--79q873ce5k2wc.com*, True -*.xn----7sbabl6cda1ck6i.com*, True -*.xn----7sbabl6cda1ck6i.net*, True -*.xn----7sbabl6cda1ck6i.su*, True -*.xn--80aab1akcqk0a.su*, True -*.xn--80aaffbr2b3a.com*, True -*.xn--80ag6b.su*, True -*.xn----8hcbbpdb0bvm3cyae.co.il*, True -*.xn----8hchibwwa4a4b1a.co.il*, True -*.xn--8prp2pima757g.tm*, True -*.xn-------94f6asbad3ebdbdb3ae2x1bqbfiwhb0bt80nrzbka.com*, True -*.xn--950bt9s1tdo7h.cf*, True -*.xn--9ck.co*, True -*.xn----9hcbnbuxlvf3e.co.il*, True -*.xn----9hchdcbcb0bv2f1a.co.il*, True -*.xn--9my920a.tw*, True -*.xn--9qq349j.hk*, True -*.xn--9qqp2h.hk*, True -*.xn--a-fka0lb.com*, True -*.xn--agathe-lliger-pmb.ch*, True -*.xname.pl*, True -*.xn--ampl-2ra.com*, True -*.xn--aranmaji-p4b.si*, True -*.xn--armutlugiriim-stc.com.tr*, True -*.xn--aron-btler-gmbh-4vb.ch*, True -*.xn--arta-jua.si*, True -*.xn--asi-rza.com*, True -*.xn--askerd-0xa.se*, True -*.xn--auberge-avry-ros-qqb.ch*, True -*.xn--b3ctq9d5c4e.com*, True -*.xn--b3cwz1b2a8bfn3fzd.com*, True -*.xn--bachmannsshne-ag-vwb.ch*, True -*.xn--basel-kieferorthopdie-n2b.ch*, True -*.xn--berner-mandelbrli-3qb.ch*, True -*.xn----bicagirou1c5bd.co.il*, True -*.xn--billigastelnet-vib.se*, True -*.xn--bjrck-kua.se*, True -*.xn--bndner-3ya.ch*, True -*.xn--bostder-8wa.biz*, True -*.xn--bqs412bmxl.tw*, True -*.xn--brenmania-v2a.ch*, True -*.xn--brgerticket-thb.info*, True -*.xn--brnnvrdshus-m8ad4w.se*, True -*.xn--brstel-4ya.de*, True -*.xn--brtschi-kosmetik-vnb.ch*, True -*.xn--bru-qla.ch*, True -*.xn--bser-5qa.org*, True -*.xn-----btdcab7dcc8rcfv37k5o.com*, True -*.xn--cabaaeltatu-4db.com.ar*, True -*.xn--carrosserie-west-vzb.ch*, True -*.xn--cck1bxhya8f.com*, True -*.xn--cck5dwc.ml*, True -*.xn--cckem4p6g.jp*, True -*.xn--cdal36a.tk*, True -*.xn--cnqxy420li2r.hk*, True -*.xn--cnqxyh92cdj7al4gr4w.hk*, True -*.xn--cohuepan-e3a.cl*, True -*.xn--c-sga.eu*, True -*.xn--c-sga.net*, True -*.xn--czrz79h.tw*, True -*.xnd.at*, True -*.xn--ddkyb8b6053aj8k.com*, True -*.xn--dileri-p9a28ab.com*, True -*.xn--diseo-bijouterie-9tb.com.ar*, True -*.xn--djrpt57m4om.tw*, True -*.xn--djrw1pxsrlqk.tw*, True -*.xn--doaemilia-m6a.es*, True -*.xn--dominikrttimann-6vb.ch*, True -*.xn--dorusz-0xa83a.com*, True -*.xn--dorusz-0xa83a.com.tr*, True -*.xn--doumgnmesajlar-ksbb30dsk.com*, True -*.xn--dozr40b.hk*, True -*.xn--ds-bja.info*, True -*.xn--ds-bja.org*, True -*.xn--dzei-n2a.lv*, True -*.xn--e1aybc.pw*, True -*.xn--ea-zja.com*, True -*.xn--ebelica-i6a.si*, True -*.xn--eckn.com*, True -*.xn--ekr50gwure0onga.com*, True -*.xn--ekr50gwure0onga.net*, True -*.xn--enklaln-jxa.se*, True -*.xn--enlaube-7za.com.ar*, True -*.xn--eq4bt7z.com*, True -*.xn--eryap-r4a.com.tr*, True -*.xn--espaopinheiro-lgb.pt*, True -*.xn--eutt0rm6f184ahjq.hk*, True -*.xn--f1aehd9aze.com*, True -*.xn--f1ajc2a2d.com*, True -*.xn--ffr573b.com*, True -*.xnff.tk*, True -*.xn--fiberhjlpen-r8a.se*, True -*.xn--fidi-nbb.lv*, True -*.xn--fiq228c9la.hk*, True -*.xn--fiqp3jtxe9n0a37aj1cr63a7x9c.tm*, True -*.xn--fiqs7ikf45a52cmz3a.com*, True -*.xn--flsche-cua.ch*, True -*.xn--flughhe-e1a.ch*, True -*.xn--frchtegemse-uhbh.ch*, True -*.xn--frkleinepfoten-gsb.ch*, True -*.xn--frwehr-3yaa.ch*, True -*.xn--gda.ga*, True -*.xn--gieler-xjb.com*, True -*.xn--goldbr-fua.ch*, True -*.xn--goldbrli-4za.ch*, True -*.xn--goldmandelbrli-gib.ch*, True -*.xn--gor068k.hk*, True -*.xn--gynekologbrum-dgb.no*, True -*.xn--h3t130e.tw*, True -*.xn--hberlitv-0za.ch*, True -*.xn--hchlergartenpflege-ltb.ch*, True -*.xn--hemvrd-lua.fi*, True -*.xn--herbrio-kwa.com.br*, True -*.xn--hexn36ax8q.tw*, True -*.xn--hger-loa.org*, True -*.xn--hgnestrand-q5a.se*, True -*.xn--hgstarntan-v5a4s.se*, True -*.xn--hhbd.my*, True -*.xn--hjlmargs-1za9p.se*, True -*.xn--hoffmnsche-u5a.de*, True -*.xn--hoqu2dfq41d124bf8an0ikw2hbjl.hk*, True -*.xn--hxajapmxkcvef1bl.com*, True -*.xnict.asia*, True -*.xnict.net*, True -*.xn--ictt74fba641z.hk*, True -*.xnict.tk*, True -*.xn--ideal-kchen-zhb.ch*, True -*.xn--igtq80be2f8ph.com*, True -*.xn--igvenliimalzemeleri-69b45ey7b.com*, True -*.xn--ihq441h.hk*, True -*.xn--iigopea-4zaf.es*, True -*.xn--iileri-wua57g.com*, True -*.xn--ithjlp-eua.com*, True -*.xn--ithjlp-eua.se*, True -*.xn--j-0fa.fr*, True -*.xn--j77hya.tk*, True -*.xn--jetboatzrich-klb.ch*, True -*.xn--jetbootzrich-klb.ch*, True -*.xn--jhb0q.my*, True -*.xn--jkuliski-tpb.pl*, True -*.xn--jlwu7f.tw*, True -*.xn--jlwys14bc0b.tw*, True -*.xn--jmtberg-5wa.se*, True -*.xn--jrgens-3ya.com.ar*, True -*.xn--jrvensivu-v2a.fi*, True -*.xn--jsenkorjaaja-gcb.fi*, True -*.xn--jsenkorjaajakoulu-qqb.fi*, True -*.xn--jsenkorjaus-l8a.fi*, True -*.xn--juliopea-j3a.es*, True -*.xn--katk-oza.com*, True -*.xn--kcrv30cfx4a.hk*, True -*.xn--kda.tk*, True -*.xn--khn-online-ecb.de*, True -*.xn--knsl-loacb.fi*, True -*.xn--knzig-gra.net*, True -*.xn--kohlerbaugerte-hib.ch*, True -*.xn--kuczyski-tpb.com*, True -*.xn--l2bqaa2at0b5dvb.com*, True -*.xn--l3cke7a1ej6ftd.com*, True -*.xn--lascaitas-p6a.com*, True -*.xn--lda-ula.se*, True -*.xn--l-dqa8r736dyga02e.tk*, True -*.xn--lgb5q.my*, True -*.xn--lgtu14a.com*, True -*.xn--linnemannstns-smb.com*, True -*.xn--linnemannstns-smb.de*, True -*.xn--logglesrtsch-bjb.ch*, True -*.xn--logopdische-praxis-kloten-pec.ch*, True -*.xn--lt0aq47c.hk*, True -*.xn--lw8h.tk*, True -*.xn--lzrr82e61qqyk.tw*, True -*.xn--m1x758d.tw*, True -*.xn--malergeschft-loretan-kzb.ch*, True -*.xn--malerzger-v9a.ch*, True -*.xn--mandelbr-6za.ch*, True -*.xn--mandelbr-6za.com*, True -*.xn--mandelbr-6za.li*, True -*.xn--mandelbrli-w5a.ch*, True -*.xn--mandelkrli-w5a.ch*, True -*.xn--mandellwe-67a.ch*, True -*.xn--mandelmndli-r8a.ch*, True -*.xn--mandeltrmli-zhb.ch*, True -*.xn--maonnerie-ruffieux-8ub.ch*, True -*.xn--mariatranas-u9a.com.br*, True -*.xn--marktlcke-berlin-ozb.de*, True -*.xn--matthiasknzi-llb.ch*, True -*.xn--mbel24-wxaa.ee*, True -*.xn--mccbttenberg-glb.ch*, True -*.xn--mendaa-0wa.com.ar*, True -*.xn--merli-iua.com*, True -*.xn--mgb6de.my*, True -*.xn--mgbaab9bbb8nbes87i6m.com*, True -*.xn--mgbai2ai.my*, True -*.xn--mgbb1a3f9xxg.com*, True -*.xn--mgbc.my*, True -*.xn--mgbfqgckb3mua33k.com*, True -*.xn--mgbj.my*, True -*.xn--mgbll0g16ad.com*, True -*.xn--mgbtd2a1dpq.my*, True -*.xn--mhbaa.my*, True -*.xn--michaelschr-u8a.ch*, True -*.xn--mnchen-3ya.ml*, True -*.xn--mnnergesundheit40plus-51b.ch*, True -*.xn--monodphysiothrapie-nwb.ch*, True -*.xn--mpyton-iua.fi*, True -*.xn--mxaaaah3ch9d.gr*, True -*.xn--mxaaaomxkcvef1bl.com*, True -*.xn--mxaaazq3ca.gr*, True -*.xn--mxahaascmgg5a4ay.gr*, True -*.xn--mxamra5ad4e.com*, True -*.xn--mxavifrh.gr*, True -*.xn--mzx85tvsx.com*, True -*.xn--n1aalg.su*, True -*.xn--n9so80ax8jc7j.hk*, True -*.xn--n9sp21dkkh7xx.hk*, True -*.xn--n9stf349aksx.hk*, True -*.xn--n9stfs41i7ct.hk*, True -*.xn--nabony-spb.pl*, True -*.xn--nhrmittel-v2a.ch*, True -*.xn--obrr8csyqmsy.com*, True -*.xn--omlea-e9b.ro*, True -*.xn--oort13h.hk*, True -*.xn--oorv7pis6aba.hk*, True -*.xn--operatrsls-95a4r.se*, True -*.xn--op-qta.com*, True -*.xn--osaamispomasijoittaja-d2ba.fi*, True -*.xn--osaamispomasijoittajat-74ba.fi*, True -*.xn--osaamispomasijoittaminen-xbca.fi*, True -*.xn--oxaemoj1a.gr*, True -*.xn--oxailuqef.gr*, True -*.xn--oxamlhw.gr*, True -*.xn--oy2b25b86nd0p.net*, True -*.xn--p0q10e.hk*, True -*.xn--p0qu36j.hk*, True -*.xn--p0qv2y.hk*, True -*.xn--pasirayk-bxb.lt*, True -*.xnp.com.au*, True -*.xn--peagonzalo-u9a.es*, True -*.xn--peaypea-5zae.com.ar*, True -*.xn--pe-fma.si*, True -*.xn--philippmckli-cjb.ch*, True -*.xn--phin-ooa8h.fi*, True -*.xn--physiotherapie-kng-16b.ch*, True -*.xn----pmcnc3cds5jl1a37lba.com*, True -*.xn--pnter-kva.ch*, True -*.xn--podbrenik-0cc.si*, True -*.xn--praxishnggi-r8a.ch*, True -*.xn--pxajdjlcb5f.gr*, True -*.xn--qdk5b289to1i.com*, True -*.xn--racine-carre-leb.ch*, True -*.xn--rahankeryslaki-dib.fi*, True -*.xn--rcklinger-07a.com*, True -*.xn--reaca-pta.com.ar*, True -*.xn--regg-schmidlin-gsb.ch*, True -*.xn--reparao-2wa9a.pt*, True -*.xn--rezistena-xmd.ro*, True -*.xn--ricc-oqa.com*, True -*.xn--rnila-gya.si*, True -*.xn--rss647b.tm*, True -*.xn--sbluemeldeli-ncb.ch*, True -*.xn--schlsselservice-zuerich-fpc.ch*, True -*.xn--schwarzwldertorte-xqb.ch*, True -*.xn--set-hoa.com*, True -*.xn--sir-xla.com*, True -*.xn--smpsnniemi-q5ad.fi*, True -*.xn--soora-pta.com.ar*, True -*.xn--spanisch-bersetzungen-hic.ch*, True -*.xn--spelhrnan-47a.se*, True -*.xn--sspansiyon-9db.com*, True -*.xn--suchttherapiebrn-8nb.ch*, True -*.xn--suomentekijnoikeustoimisto-qhc.com*, True -*.xn--ta-5ia01azh.net*, True -*.xn--tausendschn-bl-4pb.ch*, True -*.xn--tekoly-eua.fi*, True -*.xn--tfr372buik.tw*, True -*.xn--tiedmihinhyppt-8hbja.fi*, True -*.xn--tnyx4t.hk*, True -*.xn--triciklodiseo-tkb.cl*, True -*.xn--u2u122bw0p.com*, True -*.xn--u9j761nrcgi19a.jp*, True -*.xn--ugbh5cch51f.com*, True -*.xn--umaa-iqa.cl*, True -*.xn--uvw51sbz7a.tw*, True -*.xn--uvwr39b.tw*, True -*.xn--uvwt08h.tw*, True -*.xn--uvwz68b4ga.tw*, True -*.xn--uxqs23f4xujpa.com*, True -*.xn--v0q44jb8x.com*, True -*.xn--v3ci5bj2e.net*, True -*.xn--vallkrra-4za.se*, True -*.xn--vodfone-b4a.ro*, True -*.xn--volkszhler-v5a.org*, True -*.xn--von-pchtuschi-ffb.ch*, True -*.xn--weinraritten-ocb.ch*, True -*.xn--wfler-gra.ch*, True -*.xn--wgb2bj.com*, True -*.xn--wgb4bij.my*, True -*.xn--wgb5bm.my*, True -*.xn--wgbb1d34a.com*, True -*.xn--wgbb8ctyue.com*, True -*.xn-----wldcca7bhgwe7a8gvbh.co.il*, True -*.xn-----wldccap3bg0a7fza9c.co.il*, True -*.xnxx-blog.com*, True -*.xn--y3ct7b.net*, True -*.xn--yaki-75a.name.tr*, True -*.xn--yalar-l1a.com*, True -*.xn--yg1a912aszj.tw*, True -*.xn----ymc5anv8c9aza22g.com*, True -*.xn----ymcbjd6bzic32gca29aga.com*, True -*.xn----ymcbm9a2hdj51c7nc42bja.com*, True -*.xn----ymcrkgj2ln8bdabc.com*, True -*.xn--ynteminaat-ecb08j.com*, True -*.xn--ynteminaat-ecb08j.com.tr*, True -*.xn--zahnrztealtstetten-otb.ch*, True -*.xn----zhcpncbc3ad2ar7dh.co.il*, True -*.xn--zirkuspdagogik-cib.ch*, True -*.xn-----zldcibbdh9ae4c3a8hfk0b.co.il*, True -*.xn----zmcjfydbjf.com*, True -*.xn----zmcyf3al6fq30g.com*, True -*.xn--zn-0fb.com*, True -*.xo6600.com*, True -*.xo7700.com*, True -*.xo8800.com*, True -*.xo.am*, True -*.xocraft.com*, True -*.xode.com*, True -*.xodial-web.com*, True -*.xodio.com.ar*, True -*.xogi.com*, True -*.xoji.com*, True -*.xoloclub.com*, True -*.xolution.ch*, True -*.xoma4ok.ru*, True -*.xombi-ink.ca*, True -*.xondi.com*, True -*.xone.ro*, True -*.xonex.zone*, True -*.xonix.info*, True -*.xoompa.com*, True -*.xooww.com*, True -*.xorbgames.com*, True -*.x-or.in*, True -*.xororo.com.br*, True -*.xorrito.info*, True -*.xor.vc*, True -*.xotic.ro*, True -*.xo.to*, True -*.xoxakis.com.ar*, True -*.xox.mx*, True -*.xoxo.cat*, True -*.x-o-x.org*, True -*.xpandismo.com*, True -*.xpandismo.tk*, True -*.xpast.me*, True -*.xpatholiday.com*, True -*.xpcom.org*, True -*.xpcompanies.com*, True -*.xpedi.ca*, True -*.xperia-games.com*, True -*.xpertdigital.co.nz*, True -*.xphim14.net*, True -*.xphim3s.net*, True -*.xphimheo.com*, True -*.xpintl.com*, True -*.xpl.cc*, True -*.xplife.com*, True -*.xpl-informatique.com*, True -*.xplodeweb.com*, True -*.xploramedia.com.pe*, True -*.xplormor.co.za*, True -*.xplova.com*, True -*.xpm.io*, True -*.xpoconcept.ro*, True -*.xpod.se*, True -*.xpornon.ru*, True -*.xpozd.hk*, True -*.x-preess.com*, True -*.xpresit.net*, True -*.xpress-agencies.com*, True -*.xpress-aviation.com*, True -*.xpresservers.info*, True -*.xpress-line.us*, True -*.xpress.pk*, True -*.xpress-trading.com*, True -*.x-pulsa.com*, True -*.xpxd.ca*, True -*.xr4rt.com*, True -*.xradeon.com*, True -*.x-rage.cn*, True -*.xrakesh.com*, True -*.xrea.asia*, True -*.xrg.cl*, True -*.xristo.com.ar*, True -*.xrizan.cf*, True -*.xrmcenter.com*, True -*.xrooters.ro*, True -*.xrp.cz*, True -*.xsa.co.za*, True -*.xsamuels.com*, True -*.xseller.com*, True -*.xsenergyllc.com*, True -*.xsenergy.ro*, True -*.xsf.com.au*, True -*.xs-gay.ru*, True -*.xshade.ca*, True -*.xshosting.org*, True -*.xsidesolutions.com.ar*, True -*.xskernel.org*, True -*.xskopavogur.is*, True -*.xskylord.com*, True -*.xsnas.com*, True -*.xsoftware.com.mx*, True -*.xsoftware.mx*, True -*.xsos1.com*, True -*.xsound.com.br*, True -*.xspo.cf*, True -*.xspo.tk*, True -*.xss.ro*, True -*.xst.cl*, True -*.xstonesurfaces.com*, True -*.xstreetgq.com*, True -*.xtendedcare.co.za*, True -*.xtendedcare.org*, True -*.xtendedlink.co.za*, True -*.xterminatestudio.com*, True -*.xthljgys.com*, True -*.xtl.ro*, True -*.xtons.com*, True -*.x-top.biz*, True -*.xtop.co.uk*, True -*.xtpanel.com*, True -*.xtracut.com.ar*, True -*.xtralution.com*, True -*.xtreme-av.com.au*, True -*.xtremeflooringandmfg.com*, True -*.xtremelabs.co.uk*, True -*.xtremeporn.ro*, True -*.xtremep.ro*, True -*.xtremeroveroutfitters.com*, True -*.xtremville.net*, True -*.xtriva.com.au*, True -*.x-trm.ro*, True -*.xtroz.net*, True -*.xtr.pp.ru*, True -*.xuacec.tk*, True -*.xuan.com.ar*, True -*.xubuntu.ro*, True -*.xuchenart.com*, True -*.xuctien.com*, True -*.xudoanthanhthenguonsong.com*, True -*.xuewen365.com*, True -*.xuitv.ru*, True -*.xul1349.com*, True -*.xuniver.se*, True -*.xunmotredfijolpitnenwog.pw*, True -*.xup.to*, True -*.xuu43.com*, True -*.xuu64.com*, True -*.xuu72.com*, True -*.xuxiaobo.com*, True -*.xuxidi.com*, True -*.xuziqing.com*, True -*.xvat.net*, True -*.xvideosru.com*, True -*.xwaretech.com*, True -*.xwaretech.info*, True -*.xwaretech.net*, True -*.xwaretech.org*, True -*.xwaretech.tk*, True -*.x-wen.com*, True -*.xwmin.co.uk*, True -*.xwolf3d.ru*, True -*.x-wolf.ru*, True -*.xwolf.ru*, True -*.xxiv.tk*, True -*.xxn.ca*, True -*.xxnyxx.cn*, True -*.xxredxiiixx.com*, True -*.xxunknownxx.tk*, True -*.xx-videos.ru*, True -*.xxxd.org*, True -*.xxxego.ml*, True -*.xxxhappy.com*, True -*.xxxi-coloquio-smp-ica.org*, True -*.xxxindia.cf*, True -*.xxxindia.ga*, True -*.xxxindia.gq*, True -*.xxxindia.ml*, True -*.xxxltransport.co.za*, True -*.xxx.my.id*, True -*.xxxrebel.com*, True -*.xxxspel.se*, True -*.xxx-video.us*, True -*.xxx.web.id*, True -*.xxxxx.tw*, True -*.xya666.com*, True -*.xyberwolf.net*, True -*.xyberwolf.org*, True -*.xyboi.net*, True -*.xydium.net*, True -*.xyfyx.com*, True -*.xyimi.ga*, True -*.xynal.com*, True -*.xyons.net*, True -*.xy-solutions.com*, True -*.xytoklasiki.gr*, True -*.xyutv.ru*, True -*.xyz.is*, True -*.xyzv.net*, True -*.xzolx.com*, True -*.xzolx.net*, True -*.xzolx.org*, True -*.y0u.biz*, True -*.y-17.net*, True -*.y2care.com*, True -*.y2p.net*, True -*.y2services.com*, True -*.y4j6.com*, True -*.y4nkee.cf*, True -*.yaa27.com*, True -*.yaa69.com*, True -*.yaa78.com*, True -*.yaadab.com.np*, True -*.yaakoubi.tk*, True -*.yabaphone.ca*, True -*.yabaphone.com*, True -*.yabarana.com*, True -*.yabarana.net*, True -*.yabb.co.za*, True -*.yabo.com.ar*, True -*.ya-browser.tk*, True -*.yachtcharternkroatien.de*, True -*.yachtclubnaval.com*, True -*.yachtcpm.com.ar*, True -*.yachtequipment.asia*, True -*.yachtequipment.co.nz*, True -*.yachtequipment.net.nz*, True -*.yachtequipment.nz*, True -*.yachthire.eu*, True -*.yachtingequipment.asia*, True -*.yachtingequipment.co.nz*, True -*.yachtingequipment.info*, True -*.yachtingequipment.net.nz*, True -*.yachtingequipment.nz*, True -*.yachtingmonthly.co.za*, True -*.yachtingworld.co.za*, True -*.yachtpaint.ru*, True -*.yacht-therapy.net*, True -*.yack.io*, True -*.yacopinivw.com.ar*, True -*.yacplanet.com*, True -*.yacrwestern.org.uk*, True -*.yadavdilip.com.np*, True -*.yadavnaresh.com.np*, True -*.yaddas.org*, True -*.yaddi.tk*, True -*.yadijr4rt.net*, True -*.yadijr4rt.org*, True -*.yadima.info*, True -*.yadongers.org*, True -*.yaelabraham.com*, True -*.yaeldiamonds.com*, True -*.yagab.com*, True -*.yagami.com.br*, True -*.yaganexpress.cl*, True -*.yagirllaqueefa.com*, True -*.yagmurmuhendislik.com.tr*, True -*.yagoo.net.ru*, True -*.yahooservice.ga*, True -*.yahost.net*, True -*.yahyamorad.com*, True -*.yajri.or.id*, True -*.yakenterprises.com*, True -*.yakitara.com*, True -*.yakshaving.org*, True -*.yaksi.name.tr*, True -*.yakspravy.com*, True -*.yakuli.com*, True -*.yakuli.net*, True -*.yakuli.org*, True -*.yakuza.la*, True -*.yala.so*, True -*.yaler.ca*, True -*.yaletownvillageoptometry.ca*, True -*.yalisi.net*, True -*.yal.jp*, True -*.yalo.es*, True -*.yamagataarquitetura.com*, True -*.yamaha-matic.or.id*, True -*.yamahaoutboardpartsaustralia.com*, True -*.yamahaoutboardpartsaustralia.com.au*, True -*.yamahapartsaustralia.com*, True -*.yamahapartsaustralia.com.au*, True -*.yamakase.com*, True -*.yamana.com.ar*, True -*.yamanakadaniel.com*, True -*.yamaoka.com.br*, True -*.yamashita.tk*, True -*.yamasv.com*, True -*.yambazo.com*, True -*.yamer.pl*, True -*.yametesubs.me*, True -*.yamulemao.com*, True -*.yanadrover.com*, True -*.yanaverba.com*, True -*.yanbaijin.cn*, True -*.yanber.com*, True -*.yanbianlihua.com*, True -*.yanboyang.com*, True -*.yan.ch*, True -*.yandarin.com*, True -*.yandex-money.com*, True -*.yandinarealty.com.au*, True -*.yangbeom.tk*, True -*.yangdi.cf*, True -*.yangdi.gq*, True -*.yangmei118.com*, True -*.yangonairporttaxi.com*, True -*.yangon-airways.com*, True -*.yangon-airways.net*, True -*.yangonmyanmarairporttaxicab.com*, True -*.yangontaxiyellowcab.com*, True -*.yangtzepartners.com*, True -*.yangz.net*, True -*.yaniwisata.com*, True -*.yanjiclubg.com*, True -*.yanjicoffee.com*, True -*.yanjixian.com*, True -*.yankthetank.com*, True -*.yanldex.ru*, True -*.yanma.com.ar*, True -*.yanscars.com.au*, True -*.yansfotografer.com*, True -*.yanting.org*, True -*.yanvarin19.com*, True -*.yanzhanling.com*, True -*.yaochang.net*, True -*.yao.cl*, True -*.yaoto.me*, True -*.yaozhou.me*, True -*.yap49.com*, True -*.yap73.com*, True -*.yap85.com*, True -*.yap92.com*, True -*.yapay.us*, True -*.yapex.ru*, True -*.yaplaneta.ru*, True -*.yapp.ru*, True -*.yarabella.com.br*, True -*.yardguard.com*, True -*.yardie.cf*, True -*.yarniciones.cl*, True -*.yarnowl.com*, True -*.yarnsfortots.ca*, True -*.yaroha7.com*, True -*.yaroslavly.ru*, True -*.yarp.org*, True -*.yarsorcctv.com*, True -*.yarsuvat.av.tr*, True -*.yarzii.com*, True -*.yasamanj.com*, True -*.yaseminaksoy.com.tr*, True -*.ya-sex.com*, True -*.yasfaj.tk*, True -*.yashoda.com.np*, True -*.yasifun.com*, True -*.yasintec.com*, True -*.yasmingroupuae.com*, True -*.yasserisa.com*, True -*.yasser.ru*, True -*.yassin.ro*, True -*.yastut.ch*, True -*.yasulcafe.com*, True -*.yasung77.com*, True -*.yates-family.co.uk*, True -*.yathieshop.com*, True -*.yatirimport.com*, True -*.yatusabee.com.ar*, True -*.yavalve.com*, True -*.yavner.ca*, True -*.yavoyyo.com*, True -*.yawdtalk.net*, True -*.yaxleys.co.uk*, True -*.yaxochu.ru*, True -*.yayang.info*, True -*.yayasan-bopkri.org*, True -*.yayati.com*, True -*.yayu-design.com*, True -*.yaz4rt.biz*, True -*.yazigimb.com.br*, True -*.yazigisa.com.br*, True -*.yb0y.com*, True -*.yb.co.za*, True -*.ybn-us.tk*, True -*.ybudjit.com*, True -*.y-care.com*, True -*.ycare.de*, True -*.ycare.org*, True -*.ycc26.com*, True -*.ycc56.com*, True -*.ycc83.com*, True -*.ycc89.com*, True -*.ycc94.com*, True -*.yc.co.za*, True -*.ycctek.com*, True -*.ycd47.com*, True -*.ycd49.com*, True -*.ycd59.com*, True -*.ychsu.tw*, True -*.ycitywoman.com*, True -*.yclblog.tk*, True -*.ycmafia.com*, True -*.ycw32.com*, True -*.ycw46.com*, True -*.ycw82.com*, True -*.ycw94.com*, True -*.yd2.com*, True -*.ydc.co.il*, True -*.ydd69.com*, True -*.ydetective.com*, True -*.ydftech.com*, True -*.ydnbproduction.com*, True -*.ydy.cn*, True -*.yeahba.com*, True -*.yeah.co.za*, True -*.yeahh.ga*, True -*.yeahh.ml*, True -*.yearbook.com.ve*, True -*.yearl.net*, True -*.year-zero.net*, True -*.yeaway.org*, True -*.yeblatin.net.ve*, True -*.yecima.com*, True -*.yedded.com*, True -*.yedi.org*, True -*.yedvab.com.ar*, True -*.yee68.com*, True -*.yee87.com*, True -*.yeebc.com*, True -*.yeeshunggaedinburgh.co.uk*, True -*.yeewu.com*, True -*.yeezytalk.com*, True -*.yeff.org*, True -*.yehder.com*, True -*.yeh.id.au*, True -*.yekaizhong.com*, True -*.yekarpet.com*, True -*.yellowbaggers.com*, True -*.yellowbinary.net*, True -*.yellowbox.org.au*, True -*.yellowdomain.com*, True -*.yellowlobster.eu*, True -*.yellowridecab.com*, True -*.yellowsub.ca*, True -*.yellowtaxicabrichmond.com*, True -*.yellowtowncab.com*, True -*.yellowtransportations.com*, True -*.yen05.com*, True -*.yenning.com*, True -*.yen.nu*, True -*.yenoos.com*, True -*.yentzscholarship.org*, True -*.yerbaps.com*, True -*.yerevanshow.com*, True -*.yerros007.tk*, True -*.yesamulet.com*, True -*.yesbet88.com*, True -*.yesdave.net*, True -*.yesdave.org*, True -*.yeshuahill.com*, True -*.yeskie.tk*, True -*.yeslawgroup.com*, True -*.yesmyliege.com*, True -*.yesmyliege.org*, True -*.yesmy.tk*, True -*.yesno.ch*, True -*.yesquel.com*, True -*.yessi.eu*, True -*.yesterdaymorning.de*, True -*.yesterdaysjam.us*, True -*.yesthatkevinhunt.com*, True -*.yestu.be*, True -*.yesvn.info*, True -*.yesvn.net*, True -*.yesvn.org*, True -*.yeswekanban.net*, True -*.yet66.com*, True -*.yet77.com*, True -*.yet87.com*, True -*.yetaotao.com*, True -*.yetka.com*, True -*.yeuaothun.com*, True -*.yeudulich.net*, True -*.yewnix.ca*, True -*.yeyedvd.com*, True -*.yezidgutierrez.com*, True -*.yfanet.net*, True -*.yff.org.my*, True -*.yfixit.com*, True -*.yfixit.co.uk*, True -*.yflts.com*, True -*.yf-oil.com*, True -*.yform.ru*, True -*.yfplus.com*, True -*.yfplus.com.my*, True -*.yfplus.my*, True -*.yfr-yo.ga*, True -*.yfsgt.com*, True -*.yg4you.com*, True -*.yg.co.za*, True -*.yggdrasilsbranch.us*, True -*.yggdrasil.sk*, True -*.yg-gogos.com*, True -*.ygrafik.com*, True -*.ygzeed.com*, True -*.yh88668.com*, True -*.yh88680.com*, True -*.yh88689.com*, True -*.yh88890.com*, True -*.yhge.co.uk*, True -*.yhh34.com*, True -*.yhh59.com*, True -*.yhh79.com*, True -*.yhiinternational.com*, True -*.yhk44.com*, True -*.yhkrubber.com.my*, True -*.yhoccotruyen.org*, True -*.yhocvietnam.net*, True -*.yhqz.com*, True -*.yht67.com*, True -*.yht77.com*, True -*.yht87.com*, True -*.yhware.com*, True -*.yhype.com*, True -*.yiamuc.com*, True -*.yiamuc.es*, True -*.yiannamarie.com*, True -*.yiasouitsgreek.com*, True -*.yibbuy.com*, True -*.yick-studio.com*, True -*.yidacorp.sg*, True -*.yidaelectronics.com*, True -*.yifanchen.tw*, True -*.yiff.fi*, True -*.yiff.in*, True -*.yifulian.com*, True -*.yifulian.net*, True -*.yi-group.tw*, True -*.yihlin.com*, True -*.yihshin.com*, True -*.yihtah.net*, True -*.yingsane.com*, True -*.ying-shun.com*, True -*.yingxiukm.com*, True -*.yingyin88.com*, True -*.yinstube.com*, True -*.yinztube.com*, True -*.yiqianart.com*, True -*.yishalu.com*, True -*.yishuaba.com*, True -*.yiuksk.cf*, True -*.yiuyiu.com*, True -*.yixianhui.net*, True -*.yjcross.org*, True -*.ykhoonextension.com*, True -*.ykmnet.ro*, True -*.ykpf111.com*, True -*.ylchosting.com*, True -*.yldbouk.ml*, True -*.yleinen.fi*, True -*.ylicl-petroresin.com*, True -*.ylinku.com*, True -*.ylresin.com*, True -*.ymc23.com*, True -*.ymc66.com*, True -*.ymc73.com*, True -*.ymc74.com*, True -*.ymc84.com*, True -*.ymc87.com*, True -*.ymh24.com*, True -*.ymh42.com*, True -*.ymh46.com*, True -*.ymh49.com*, True -*.ymh85.com*, True -*.ymie.net*, True -*.ymishkov.ru*, True -*.ymiyata.com*, True -*.yml.co.id*, True -*.ymmedia.web.id*, True -*.ympulsa.cl*, True -*.ymu33.com*, True -*.ymu88.com*, True -*.ymxh123.com*, True -*.yna66.com*, True -*.yna77.com*, True -*.yna88.com*, True -*.ynb777.com*, True -*.yngling.com*, True -*.yngzz.com*, True -*.ynmcarving.com*, True -*.ynn23.com*, True -*.ynodi.com*, True -*.ynot-designs.ch*, True -*.yns-wl.cf*, True -*.ynt-demenagements.ch*, True -*.ynumlab.com*, True -*.yo2kcb.ro*, True -*.yo2kjg.ro*, True -*.yo2kji.ro*, True -*.yo2lyn.ro*, True -*.yo5pip.ro*, True -*.yo8.ro*, True -*.yoaevelyn.com*, True -*.yoamopsicopedagogia.cl*, True -*.yoavraccah.com*, True -*.yobing72.com*, True -*.yobka.net*, True -*.yobs.ir*, True -*.yobst.tk*, True -*.yocaro.cl*, True -*.yocto.ca*, True -*.yoda3d.com*, True -*.yoda.space*, True -*.yodx.ro*, True -*.yodxuus.ro*, True -*.yodyiam.com*, True -*.yo-einstein.at*, True -*.yoeri.ml*, True -*.yoescribo.com.ar*, True -*.yoezl.cf*, True -*.yoezl.ga*, True -*.yoezl.ml*, True -*.yoezl.tk*, True -*.yogaandmore.ch*, True -*.yoga-arch.tk*, True -*.yogabase.com.au*, True -*.yogachicureo.cl*, True -*.yogadibali.com*, True -*.yogafest.cl*, True -*.yogaflow.gr*, True -*.yogaflowkomi.ru*, True -*.yogaikido.com*, True -*.yogaiyengar.com.ar*, True -*.yogalovers.cl*, True -*.yogame.us*, True -*.yogaplaytherapy.com*, True -*.yoga-power.com*, True -*.yogarave.cl*, True -*.yogasale.ru*, True -*.yogasantosha.com.ar*, True -*.yogateachertraining.info*, True -*.yogatherapycentre.co.uk*, True -*.yogauniversity.ca*, True -*.yogaup.cl*, True -*.yogawithyaga.co.uk*, True -*.yogisaraha.com.ar*, True -*.yogoc.co*, True -*.yogon57.com*, True -*.yogoodman.com*, True -*.yogya.ga*, True -*.yogyakartablackhat.com*, True -*.yogyakarta.gq*, True -*.yogyakarta.info*, True -*.yogyakarta.name*, True -*.yogyakarta.tk*, True -*.yohnson.net*, True -*.yohoswa.com*, True -*.yohubtech.com*, True -*.yoitubw.com*, True -*.yoiyoi.info*, True -*.yok39.com*, True -*.yokato.net*, True -*.yokatta.co.id*, True -*.yo-kino.ru*, True -*.yolandacarmin.cl*, True -*.yolentaskincare.com*, True -*.yolocandypalace.com*, True -*.yolofreshjuice.com*, True -*.yolotats.com*, True -*.yolo.us*, True -*.yomamasof.at*, True -*.yomanmasa.co.il*, True -*.yonan.ro*, True -*.yonarocks.com*, True -*.yonathan.web.id*, True -*.yondlabantu.org.za*, True -*.yonet.ru*, True -*.yongchenghaoye.cn*, True -*.yongindian.com*, True -*.yongkihutagalung.biz*, True -*.yonsm.tk*, True -*.yonteminsaat.com*, True -*.yoocamz.com*, True -*.yoogle.info*, True -*.yoohoo.hu*, True -*.yoonora.ga*, True -*.yoopee.info*, True -*.yoo.ro*, True -*.yoosk.tk*, True -*.yooxy.ru*, True -*.yopete.com*, True -*.yopi01.tk*, True -*.yo-pi.tk*, True -*.yopi.web.id*, True -*.yoporlarojaprometo.cl*, True -*.yoriba.com*, True -*.yorkhome.info*, True -*.yoro.tv*, True -*.yosi.ro*, True -*.yosi-tamvan.com*, True -*.yosoyapple.com*, True -*.yosoy.cf*, True -*.yostnetsolutions.com*, True -*.yoteamo.org*, True -*.yote.me*, True -*.yotengolamagia.mx*, True -*.yotengolamagia.org.mx*, True -*.yotourist.com*, True -*.yottabyte.hr*, True -*.yottabytes.biz*, True -*.youareaheathen.com*, True -*.youbash.org*, True -*.you-bokep.ml*, True -*.youcar.com.au*, True -*.youdawgg.com*, True -*.you-decide.nl*, True -*.youdo.ro*, True -*.youdreamcosmetics.com*, True -*.youfunding.nl*, True -*.youfuze.com*, True -*.yougavemesomebad.info*, True -*.yougomould.com*, True -*.yougotfirehosed.info*, True -*.youhavespam.com*, True -*.youjinasset.com*, True -*.youknowlah.web.id*, True -*.youku.sg*, True -*.youle.com.br*, True -*.youmaola.com*, True -*.youmogan.com*, True -*.you-needs.com*, True -*.younee.ro*, True -*.young4d.com.br*, True -*.youngblood.cf*, True -*.youngchurch.org*, True -*.young-eagles.co.za*, True -*.younghong.com.tw*, True -*.younginoregon.com*, True -*.young-jet.com*, True -*.youngpcrepair.com*, True -*.youngstarsweater.com*, True -*.youngtrendpgmta.com*, True -*.youngx.co.za*, True -*.youniquebymeg.com.au*, True -*.younique.hk*, True -*.youno.net*, True -*.youorder.net*, True -*.youosx.ga*, True -*.youpayme.com*, True -*.youpc.ro*, True -*.you-porno.ru*, True -*.your-answering-service.com*, True -*.yourbeliefsarewrong.com*, True -*.yourbirthdaypartyfree.com.au*, True -*.yourchipperfield.co.uk*, True -*.yourchoicecityrealtor.com*, True -*.yourciooncall.com*, True -*.yourcorporateeventfree.com.au*, True -*.yourcostcenter.com*, True -*.yourdailypress.com*, True -*.yourdailypress.pt*, True -*.yourdigitaldoc.com*, True -*.yourdreamshere.in*, True -*.yourdreamstage.com*, True -*.yourduilawyer.com*, True -*.youre.space*, True -*.yourezweb.com*, True -*.your-files.org*, True -*.yourfix.cc*, True -*.yourfreelancer.co.uk*, True -*.yourhealthaustralia.com.au*, True -*.yourhealthgriffith.com.au*, True -*.yourhost.pw*, True -*.youridemooij.nl*, True -*.youriowacomputerguy.biz*, True -*.youriowacomputerguy.com*, True -*.youriowacomputerguy.info*, True -*.youriowacomputerguy.org*, True -*.youriowacomputerguy.us*, True -*.your-it-person.com*, True -*.yourkleenteam.com*, True -*.yourko.org*, True -*.yourlaws.info*, True -*.yourlaws.net*, True -*.yourlivejasmin.net*, True -*.yourmomisafae.com*, True -*.yourmontrealhome.com*, True -*.your.my.id*, True -*.youroilfieldcareer.com*, True -*.yourpersonalbestinc.net*, True -*.yourplaceforskincare.com*, True -*.yourplacehss.net.au*, True -*.yourprocs.com*, True -*.yourprojectshop.com*, True -*.yourrumorsucks.com*, True -*.yoursapjob.ro*, True -*.yourself.gq*, True -*.yoursexymovies.com*, True -*.yourshoppingkaki.com*, True -*.yourskyphoto.com*, True -*.yoursoft.es*, True -*.yourspace.ch*, True -*.yourspecialtee.com*, True -*.yourspecialtees.com*, True -*.yoursurveylink.net*, True -*.yourtechwhiz.com*, True -*.yourtek.tk*, True -*.yourtelonline.net*, True -*.yourtownmagazine.com*, True -*.yourtownshopper.com*, True -*.yourtrainerlin.com*, True -*.yourvaluedhomes.com*, True -*.yousaiditwithacake.com*, True -*.yousocial.tk*, True -*.yousoldwhat.com*, True -*.yousolution.net*, True -*.youspeak.nl*, True -*.yousuckattyping.com*, True -*.youthcamp2015.tk*, True -*.youthcares.my*, True -*.youthcouncil.hk*, True -*.youthmodelstudio.hk*, True -*.youthps.hk*, True -*.youthsportsnetwork.co.za*, True -*.youtrip.in*, True -*.youtubell.com*, True -*.youtubelubukduit.my*, True -*.youtubemp3.to*, True -*.youtubeunlimited.ga*, True -*.youtubev3.tk*, True -*.youutube.ga*, True -*.youwish.co.za*, True -*.youwontremember.com*, True -*.youwould.com.au*, True -*.youxxoo.com*, True -*.yovoodoo.info*, True -*.yowie.me*, True -*.yoy.ch*, True -*.yoyokiss.com*, True -*.yoyotaiwan.tw*, True -*.yozh.us*, True -*.yozhvps.com*, True -*.yozzo.tk*, True -*.yp-adviser.fi*, True -*.yps.cl*, True -*.yqlamp.com*, True -*.yr0hq.ro*, True -*.yrims.com*, True -*.yrmixing.com*, True -*.yrrepydna.us*, True -*.yrt67.com*, True -*.yrt77.com*, True -*.yrt87.com*, True -*.ys760.com*, True -*.ysarchives.org*, True -*.ys.com.my*, True -*.ysdvd.com*, True -*.ysggroup.com*, True -*.ysmhouse.com*, True -*.ysn.co.za*, True -*.ysnet.co.za*, True -*.yspeh-plus.ru*, True -*.yst.com.my*, True -*.ysteal.com*, True -*.ytcron.com*, True -*.yte.be*, True -*.ytevette.com*, True -*.ytilact.cf*, True -*.ytimg.ga*, True -*.ytm1.com*, True -*.yt.name.tr*, True -*.ytopkem.cf*, True -*.ytrium.com.ar*, True -*.ytspinner.com*, True -*.ytsy168.com*, True -*.ytt48.com*, True -*.ytt69.com*, True -*.yttc.us*, True -*.ytuong.biz*, True -*.yu2be.net*, True -*.yuan-bon.tw*, True -*.yuanfanghu.net*, True -*.yuanfeng0001.com*, True -*.yuanfeng0002.com*, True -*.yuanfeng0003.com*, True -*.yuanfeng0005.com*, True -*.yuanfeng0006.com*, True -*.yuanfey.com*, True -*.yuangd.com*, True -*.yuanjiao.ml*, True -*.yuanrox.com*, True -*.yuazusof.tk*, True -*.yubai.us*, True -*.yubhar.com*, True -*.yubi.in*, True -*.yubird.com*, True -*.yubrajpoudel.com.np*, True -*.yuceer.gen.tr*, True -*.yudasin.net*, True -*.yudasin.org*, True -*.yudazesct.tk*, True -*.yudhamanika.com*, True -*.yudhi.se*, True -*.yudi.ml*, True -*.yuditahers.tk*, True -*.yuditaher.tk*, True -*.yue.com.br*, True -*.yuehao.com*, True -*.yuelonggere.com*, True -*.yuenbug.com*, True -*.yuenholdings.com*, True -*.yueyue.tw*, True -*.yufok.com*, True -*.yugioh.gq*, True -*.yu-jen.tw*, True -*.yuka21.com*, True -*.yukejang.com*, True -*.yukini.com*, True -*.yukmedia.com*, True -*.yukngampus.com*, True -*.yuko.ch*, True -*.yukonpark.ru*, True -*.yuktha.com*, True -*.yuktsang.com*, True -*.yuliatretyakova.ru*, True -*.yulkoc.com*, True -*.yuly.tw*, True -*.yumakov.com*, True -*.yume.pl*, True -*.yummy-shop.com*, True -*.yumrepo.com*, True -*.yumsys.com*, True -*.yunbom.net*, True -*.yunes.info*, True -*.yunikamujahat.tk*, True -*.yunisatiarahayu.com*, True -*.yunis.cl*, True -*.yunjiaoshi.com*, True -*.yunjiaoshi.org*, True -*.yunnancoffee.co.uk*, True -*.yunung.com*, True -*.yuo4xue.tk*, True -*.yupik.eu*, True -*.yupyup.me*, True -*.yur77.com*, True -*.yur88.com*, True -*.yur99.com*, True -*.yurenso.com*, True -*.yurenso.ru*, True -*.yurev-polskiy.ru*, True -*.yurigoron.com*, True -*.yurippe.net*, True -*.yurisz.tk*, True -*.yurivasiliev.ru*, True -*.yurka.org*, True -*.yurysl.ru*, True -*.yushan.hk*, True -*.yuspa.co.za*, True -*.yut-domlng.ru*, True -*.yutils.com*, True -*.yuvalhay.co.il*, True -*.yuvaskills.com*, True -*.yuvcom.com*, True -*.yuying.com*, True -*.yuyi.tw*, True -*.yvdrones.com.ve*, True -*.yvettewain.asia*, True -*.yvettewain.co*, True -*.yvettewain.com*, True -*.yvettewain.com.au*, True -*.yvettewain.net*, True -*.yvettewain.net.au*, True -*.yvutders.cf*, True -*.ywilfekt.cf*, True -*.yw.sg*, True -*.yxfur.com*, True -*.yy1234.net*, True -*.yyg79.com*, True -*.yyg97.com*, True -*.yyk43.com*, True -*.yyk68.com*, True -*.yyk78.com*, True -*.yyk98.com*, True -*.yyoon.net*, True -*.yyoung.cn*, True -*.yyymp3.com*, True -*.yzakius.org*, True -*.yzor.com.ve*, True -*.z00.nu*, True -*.z00t.info*, True -*.z00z.tk*, True -*.z0d.eu*, True -*.z0nk.pl*, True -*.z10n.eu*, True -*.z11.com*, True -*.z1x.pw*, True -*.z219.com*, True -*.z2reki.pl*, True -*.z2u.info*, True -*.z2x.pw*, True -*.z31.com.ar*, True -*.z3d1k.ru*, True -*.z3ddota.com*, True -*.z3liff.com*, True -*.z3liff.net*, True -*.z3r0.us*, True -*.z3x.pw*, True -*.z42z.com*, True -*.z4x.pw*, True -*.z5x.pw*, True -*.z6x.pw*, True -*.z7x.pw*, True -*.z86.ru*, True -*.z8x.pw*, True -*.z9x.pw*, True -*.zaa66.com*, True -*.zaa77.com*, True -*.zaabinternational.com*, True -*.zaahir.com*, True -*.zabala.cl*, True -*.zabardalim.com*, True -*.zabardalim.ru*, True -*.zabardast.pk*, True -*.zabavnov.com*, True -*.zabawne.org*, True -*.zabaykale.ru*, True -*.zab.co.za*, True -*.zabiasrl.com.ar*, True -*.zabolekari.bg*, True -*.zabrabota.ru*, True -*.zacapu.com.mx*, True -*.zacbedell.com*, True -*.zacco.hk*, True -*.zacdurham.com*, True -*.zacgarrett.com*, True -*.zachalnasser.com*, True -*.zacharyhoobler.com*, True -*.zacharyhoobler.net*, True -*.zacharyhoobler.org*, True -*.zacharywais.info*, True -*.zachcraftnetwork.org*, True -*.zachellis.me*, True -*.zackblock.com*, True -*.zackboe.co*, True -*.zackboe.hm*, True -*.zackhardie.tk*, True -*.zackpole.com*, True -*.zacky.biz*, True -*.zackynet.com*, True -*.zacky.ninja*, True -*.zadakent.com*, True -*.zad.co.il*, True -*.zaeimi.ir*, True -*.zaenalcomservisindo.com*, True -*.zaetachile.cl*, True -*.zafa-rancho.com.ar*, True -*.zafarani.info*, True -*.zafarani.ir*, True -*.zafarani.net*, True -*.zafc.co.za*, True -*.zaf.co.za*, True -*.zaffarano.com.ar*, True -*.zafirosystem.com.mx*, True -*.zafirus.name*, True -*.zaghi.ir*, True -*.zaghini.com*, True -*.zagibalkin.ru*, True -*.zagit.hr*, True -*.zagit-sistemi.hr*, True -*.zagoris.info*, True -*.zahara.cl*, True -*.zahnarztluetscher.ch*, True -*.zahnarzt-oberwil.ch*, True -*.zahnarzt-petrovic.ch*, True -*.zahn-schutz.de*, True -*.zahnspange-basel.ch*, True -*.zaho.tk*, True -*.zahrajem.eu*, True -*.zahrim.net*, True -*.zahydraulic.com*, True -*.zaibar.ro*, True -*.zaiclean.com*, True -*.zaid.info*, True -*.zailence.com*, True -*.zainab.tk*, True -*.zainlatanza.com*, True -*.zairbevol-jpbeauty.com*, True -*.zaiskgolfa.lt*, True -*.zaitsu.com.br*, True -*.zaiwa.net*, True -*.zajas.pl*, True -*.zaj.co.za*, True -*.zajebanirawi.tk*, True -*.zajis.com*, True -*.zakame.ru*, True -*.zakariageneration.com*, True -*.zakblystone.net*, True -*.zakrevskis.lt*, True -*.zaledevs.com.ar*, True -*.zaleski.tk*, True -*.zaliena.lv*, True -*.zaliofin.co.za*, True -*.zalovat.cz*, True -*.zalzice.net*, True -*.zamannama.com*, True -*.zambagestion.com.ar*, True -*.zambeezee.com*, True -*.zambranolimitada.cl*, True -*.zambry.net*, True -*.zambuto.com*, True -*.zamel.ro*, True -*.zameni-ka.ru*, True -*.zamir.co.il*, True -*.zamoner.com.br*, True -*.zamoraconstrucciones.com*, True -*.zampar.org*, True -*.zampieriimoveis.com*, True -*.zampieriimoveis.net*, True -*.zams.us*, True -*.zamzama.pk*, True -*.zanardi.co*, True -*.zan.com.ar*, True -*.zan.co.za*, True -*.zander-development.co.uk*, True -*.zandobot.com*, True -*.zanedaniel.com*, True -*.zanek.com.ar*, True -*.zanestan.es*, True -*.zang1.com*, True -*.zang4.com*, True -*.zangha.com*, True -*.zangvip.com*, True -*.zanimalnya.com*, True -*.zanity.net*, True -*.zanninin.tk*, True -*.zanov.ru*, True -*.zan-spehonja.tk*, True -*.zanwoodworking.com*, True -*.zanzidaric.tk*, True -*.zao-potok.ru*, True -*.zaowa.net*, True -*.zaoweb.com*, True -*.zaozernyi.ru*, True -*.zap3.net*, True -*.zap46.com*, True -*.zap56.com*, True -*.zap77.com*, True -*.zap86.com*, True -*.zap96.com*, True -*.zapaishiki-rostov.ru*, True -*.zapamietaj.to*, True -*.zapateriamiami.com*, True -*.zaphire.cf*, True -*.zapisi-privatov.ru*, True -*.zapni.com.mx*, True -*.zaposlitvenisejem.si*, True -*.zapote.de*, True -*.zappingtime.com*, True -*.zapto.tw*, True -*.zaqr.web.id*, True -*.zarafaturkiye.com*, True -*.zaraku.com*, True -*.zaravn.net*, True -*.zarazahistorica.com.ve*, True -*.zardp.net*, True -*.zargaran.net*, True -*.zaribeni.net*, True -*.zarins.eu*, True -*.zarko-opacic.com*, True -*.zarokosta.gr*, True -*.zarrehbin.ir*, True -*.zarria.cl*, True -*.zas66.com*, True -*.zas77.com*, True -*.zas87.com*, True -*.zasepa.waw.pl*, True -*.zastitanaradu.info*, True -*.zastrutzki.be*, True -*.zater.tk*, True -*.zatochimvse.ru*, True -*.zatopit.cz*, True -*.zatura.ro*, True -*.zau.co.za*, True -*.zaunere.com*, True -*.zauzolkov.com*, True -*.zauzolkov.ru*, True -*.zavarovalnicar.si*, True -*.zav.co.za*, True -*.zavhoz.info*, True -*.zavincode.web.id*, True -*.zavio.nl*, True -*.zavitek.cz*, True -*.zavodik.pro*, True -*.zavodila.pro*, True -*.zavod-korak.si*, True -*.zavon.org*, True -*.zawadzki.waw.pl*, True -*.zawalidroga.tk*, True -*.zax7.com*, True -*.zaxis.com.ar*, True -*.zayacam.com*, True -*.zaz59.com*, True -*.zazabu.ch*, True -*.zazadate.eu*, True -*.zazeek.co.za*, True -*.zazit.cz*, True -*.zazoufashion.com*, True -*.zbaads.com*, True -*.zbanowani.pl*, True -*.zbavitu.name*, True -*.zbay.me*, True -*.zbhknight.cf*, True -*.zbindenmarcelfils.ch*, True -*.zbinden-umzuege.ch*, True -*.zbjudith.com*, True -*.zbjudith.net*, True -*.zblabs.com*, True -*.zbo-39.ru*, True -*.zbor-mavrica.net*, True -*.zbot.cl*, True -*.zbr.se*, True -*.zbs.co.id*, True -*.zbs.so*, True -*.zc1.pw*, True -*.zc2.pw*, True -*.zc3.pw*, True -*.zc4.pw*, True -*.zc5.pw*, True -*.zc6.pw*, True -*.zc7.pw*, True -*.zc8.pw*, True -*.zc9.pw*, True -*.zcal.com.my*, True -*.zcast.info*, True -*.zchat.tk*, True -*.zcirc.in*, True -*.zclin.tw*, True -*.zcmd.net*, True -*.zcramblerz.com*, True -*.zcs.li*, True -*.zcube.info*, True -*.zdev.ca*, True -*.zdmfiles.com*, True -*.zdolinski.com*, True -*.zdorich.ru*, True -*.zdorovie-42.ru*, True -*.zdorportal.ru*, True -*.zdravilanadom.com*, True -*.zdravilanadom.si*, True -*.zdravmag.com*, True -*.zdravmagrf.ru*, True -*.zdt.com.au*, True -*.zdw888.com*, True -*.zd-z.com*, True -*.ze4rt.jp*, True -*.ze-90.com*, True -*.zebka.com*, True -*.zebramedia.ro*, True -*.zebraplays.com*, True -*.zebratrades.net*, True -*.zebratreasures.com*, True -*.zebraxc.info*, True -*.zebrenka.com*, True -*.zebronis.si*, True -*.zec3.com*, True -*.zec6.com*, True -*.zecave.com*, True -*.zecheru.ro*, True -*.zecoj.com*, True -*.zecoy.com*, True -*.zed.ee*, True -*.zedserver.us*, True -*.zee.ac*, True -*.zeebrothers.org*, True -*.zeeh.com.ar*, True -*.zee-liker.ml*, True -*.zeepower.com*, True -*.zeepreventorium.org*, True -*.zeepster.org*, True -*.zeeskull.com*, True -*.zego.co.uk*, True -*.zeikko.fi*, True -*.zeist.tk*, True -*.zeitgei.st*, True -*.zeitgeisttrends.ch*, True -*.zeithaml.com*, True -*.zei.tw*, True -*.zekarkovacs.com*, True -*.zekarya.com*, True -*.zekriwap.com*, True -*.zelda.gq*, True -*.zelenamisel.si*, True -*.zelenetehnologije.com*, True -*.zelenetehnologije.eu*, True -*.zeleniburek.tk*, True -*.zelenjava.si*, True -*.zeleznock.net*, True -*.zelguitar.ru*, True -*.zellfaze.org*, True -*.zelslonik.info*, True -*.zelslonik.ru*, True -*.zelturinformatic.com*, True -*.zeluc.cl*, True -*.zemanet.com*, True -*.zemlickas.com.br*, True -*.zemljisca.si*, True -*.zenarchi.com*, True -*.zencampaigns.com*, True -*.z-e-n.ch*, True -*.zenchecker.com*, True -*.zen.com.my*, True -*.zendragon.info*, True -*.zendsoft.com*, True -*.zenessi.my*, True -*.zenetuning.hu*, True -*.zenfitness.com*, True -*.zenidc.com*, True -*.zenidc.net*, True -*.zenist.cn*, True -*.zenithcreations.com.au*, True -*.zenmail.com.ve*, True -*.zenmoney.in*, True -*.zenontrainingsolutions.com.au*, True -*.zenpit.com*, True -*.zenpod.tk*, True -*.zenpos.cl*, True -*.zenpursuit.info*, True -*.zensolutions.info*, True -*.zentenoingenieros.cl*, True -*.zentio.eu*, True -*.zentrader.com.br*, True -*.zentsang.com*, True -*.zentur.net*, True -*.zentur.org*, True -*.zentyal.ro*, True -*.zeomal.com*, True -*.zep66.com*, True -*.zep77.com*, True -*.zep88.com*, True -*.zephirtechnik.com*, True -*.zephyrmethod.com*, True -*.zeplia.com*, True -*.zepstable.com*, True -*.zepto-biolab.com*, True -*.zepto-lab.com*, True -*.zer0box.com*, True -*.zer0.gq*, True -*.zer0signal.net*, True -*.zerahaha.com*, True -*.zeresic.com*, True -*.zergdns.eu*, True -*.zerkr.eu*, True -*.zer-matok.co.il*, True -*.zero1.hk*, True -*.zero2ipo.net*, True -*.zeroaccess.net*, True -*.zerocinque.ch*, True -*.zerocss.com*, True -*.zerocss.net*, True -*.zerodaysec.com*, True -*.zeroesx.com*, True -*.zeroflux.net*, True -*.zerogap.com.ar*, True -*.zerojs.net*, True -*.zerolinetrader.net*, True -*.zerompg.com*, True -*.zeroone.ca*, True -*.zero-one.com.ar*, True -*.ze-ro.org*, True -*.zerorush.in*, True -*.zeroscuba.com*, True -*.zeroskateboards.biz*, True -*.zerotax.hk*, True -*.zeroth.be*, True -*.zerothreeone.com*, True -*.zerotodad.com*, True -*.zerotoipo.net*, True -*.zerotwosixty.net*, True -*.zeroweb.eu*, True -*.zerowing.co.uk*, True -*.zerrasoft.com*, True -*.zerrasoft.net*, True -*.zerven.org*, True -*.zeserver.info*, True -*.zestforlife.es*, True -*.zestreastanelor.ro*, True -*.zestyimages.com.au*, True -*.zesucre.com.ve*, True -*.zesucre.net.ve*, True -*.zeta93.fm*, True -*.zetalabs.com.ar*, True -*.zetasb.com.my*, True -*.zetaworld.co.uk*, True -*.zetdns.cf*, True -*.zet-el.club*, True -*.zetrak.com.mx*, True -*.zetris.tk*, True -*.zettaspeed.com*, True -*.zettelmann.com.ar*, True -*.zetzsche.ch*, True -*.zeugolator.com*, True -*.zeugolator.gr*, True -*.zeusbox.com*, True -*.zeus.geek.nz*, True -*.zevnik.eu*, True -*.zewtastic.com*, True -*.zex.ro*, True -*.zez-silko.ir*, True -*.zf42.com*, True -*.zferi.eu*, True -*.zf-master.ru*, True -*.zfn.web.id*, True -*.zfs123.net*, True -*.zfssf.net*, True -*.zfuck.tk*, True -*.zgbi100.ru*, True -*.zgk-nk.ru*, True -*.zgkshop.ir*, True -*.zgodbe.eu*, True -*.zgrco.com*, True -*.zgt-it.ml*, True -*.zguardian.com*, True -*.zguardian.info*, True -*.zguardian.net*, True -*.zguardian.org*, True -*.zgzyzc.org*, True -*.zhanghui.cf*, True -*.zhanghui.ga*, True -*.zhanghui.gq*, True -*.zhanghui.info*, True -*.zhanghui.ml*, True -*.zhang.li*, True -*.zhang-yu.de*, True -*.zhanwenhan.com*, True -*.zhaogedanyang.cn*, True -*.zhaogedanyang.com*, True -*.zhaoxing.org*, True -*.zhaoyan-coating.com*, True -*.zharova.net.ru*, True -*.zharov.net.ru*, True -*.zhazhasparty.co.za*, True -*.zhedhugul.cf*, True -*.zhendemei.net*, True -*.zhenek.info*, True -*.zhengheinc.com*, True -*.zhengyiyu.com*, True -*.zhenqianwang.com*, True -*.zhenyu.li*, True -*.zhigazhiga.ru*, True -*.zhihao.de*, True -*.zhila.info*, True -*.zhilcontrol.ru*, True -*.zhineng.com.ar*, True -*.zhizhinovich.ru*, True -*.zhjxhr.com*, True -*.zhnch.info*, True -*.zhngt.com*, True -*.zhnh.info*, True -*.zhnwei.info*, True -*.zhoe.in*, True -*.zhoe.ninja*, True -*.zhoe.sexy*, True -*.zhongai.name*, True -*.zhonghenglamp.com*, True -*.zhongkao.gq*, True -*.zhongwei.name*, True -*.zhorachi.gq*, True -*.zhoubin.com*, True -*.zhouguangjun.com*, True -*.zhscai.info*, True -*.zhuaisheng.com*, True -*.zhuchkov.tk*, True -*.zhunzi.com*, True -*.zhuoyang.tk*, True -*.zhuromskiy.tk*, True -*.zhuxin.org*, True -*.zhwazi.net*, True -*.zhx-freedom.tk*, True -*.zi0n.tk*, True -*.zia.asia*, True -*.ziabar.co.il*, True -*.ziarulantidrog.ro*, True -*.ziberna.eu*, True -*.zico.gr*, True -*.zidardusan.si*, True -*.zidarstvo-maucec.com*, True -*.ziedns.ga*, True -*.ziegler-albstadt.tk*, True -*.ziel12.tk*, True -*.zielkes.com*, True -*.ziellulusan.tk*, True -*.ziemowit.com*, True -*.zienbaby.com*, True -*.zieraeliani.tk*, True -*.zigante.cl*, True -*.zigbee.fi*, True -*.zig.gen.tr*, True -*.ziggurat.ca*, True -*.ziggycom.net*, True -*.ziggynomms.com*, True -*.ziggynomms.com.au*, True -*.ziguratpictures.com*, True -*.zihan.cf*, True -*.zihan.ml*, True -*.ziho.com*, True -*.zihr.si*, True -*.ziigluu.com*, True -*.ziizhost.com*, True -*.zik9.net*, True -*.zikaware.com*, True -*.zikaware.com.br*, True -*.zikor.co.il*, True -*.zila.com.ar*, True -*.zilli.mobi*, True -*.zilock.co.uk*, True -*.z-imaging.com*, True -*.zimazaman.com*, True -*.zimhey.com*, True -*.zimhey.info*, True -*.zimhey.net*, True -*.zimmerli-hosting.ch*, True -*.zimmerli-hosting.com*, True -*.zimmerli-hosting.net*, True -*.zimmermanntech.com*, True -*.zimonzzonz.se*, True -*.zimweb.pl*, True -*.zindagi.ca*, True -*.zindrel.eu*, True -*.zine.com.br*, True -*.zines.biz*, True -*.zines.eu*, True -*.zines.in*, True -*.zinga77.net*, True -*.zinghost.us*, True -*.zingme.us*, True -*.zingmobi.us*, True -*.zingup.net*, True -*.zingz0r.me*, True -*.zinoo.tk*, True -*.zinziber.ru*, True -*.ziokis.com.br*, True -*.zionansp.com.br*, True -*.zioncambria.com*, True -*.zion-corp.net*, True -*.zion-fellowship.org*, True -*.zion-lrnt.tk*, True -*.zionmobilepr.com*, True -*.zionpleinair.com*, True -*.zipit.in*, True -*.zipnerd.com*, True -*.ziporea.com*, True -*.zipper-maker.com*, True -*.zippos.net*, True -*.zipruz.com*, True -*.zipsernet.sk*, True -*.zipwife.com*, True -*.zirkusleben.ch*, True -*.zirrus.com.au*, True -*.zirsi.com.ar*, True -*.ziscra.com*, True -*.zishatoys.tk*, True -*.zitac.de*, True -*.zitaholdings.com*, True -*.zitata.ru*, True -*.zithier.com*, True -*.zitt.ch*, True -*.ziuabloggerilor.ro*, True -*.ziuata.ro*, True -*.zivilcourage-portal.ch*, True -*.zivilcourageportal.ch*, True -*.zivitel.com*, True -*.zivlevi.co.il*, True -*.zizarije.si*, True -*.zizulka.ru*, True -*.zjc.tw*, True -*.zjebaly.one.pl*, True -*.zjeban.si*, True -*.zka55.com*, True -*.zkk-kvarner.hr*, True -*.zkm33.com*, True -*.zlata-polica.tk*, True -*.zlatarabobi.com*, True -*.zlatolas.si*, True -*.zldomain.com*, True -*.zley.com*, True -*.zlotecentrum.com*, True -*.zlxc.org*, True -*.zlyzwy.cn*, True -*.zmanww.com*, True -*.zmapz.com*, True -*.zmata.net*, True -*.zm-design.ml*, True -*.zmenta.ro*, True -*.zmik-tek.com*, True -*.zminformatica.es*, True -*.zmplus.net*, True -*.znajdzprzodka.pl*, True -*.znakomstv.net*, True -*.z--n.com*, True -*.z-net.ch*, True -*.znet.cl*, True -*.zneth.com*, True -*.znet.tk*, True -*.znet-tx.com*, True -*.znizanja.si*, True -*.znizanje.si*, True -*.znn36.com*, True -*.znovine.com*, True -*.znro-server.com*, True -*.zo3.com*, True -*.zobin-online.de*, True -*.zobozdravnik-tomaz-rotar.com*, True -*.zocc.com*, True -*.zockizocki.ch*, True -*.zodaho.co.uk*, True -*.zodiacist.com*, True -*.zodiotone.com*, True -*.zoe-947.com.ar*, True -*.zoebean.net*, True -*.zoec.cl*, True -*.zoemama.com*, True -*.zoeti-shop.tk*, True -*.zoframa.net*, True -*.zogi.com*, True -*.zogi.net*, True -*.zogi.org*, True -*.zoho.to*, True -*.zoidson.com*, True -*.zoin.ru*, True -*.zoite.com*, True -*.zoji.com*, True -*.zoji.net*, True -*.zoji.org*, True -*.zojy.com*, True -*.zolal-quran.ir*, True -*.zoldhaz.ro*, True -*.zolik.com*, True -*.zolkan.cl*, True -*.zoller.li*, True -*.zolotaev.ru*, True -*.zolotayareka.net*, True -*.zolotoeruno24.ru*, True -*.zol-telec.ru*, True -*.zombags.com*, True -*.zombia.com*, True -*.zombiehitmen.com*, True -*.zombie-ink.ca*, True -*.zombieinvaders.com*, True -*.zombiemud.org*, True -*.zombie-panic.com*, True -*.zombiepcs.co.uk*, True -*.zombie-plus.com*, True -*.zombies.ga*, True -*.zombiesinfo.cf*, True -*.zombietranslator.com*, True -*.zombietranslator.net*, True -*.zombiewalkdallas.com*, True -*.zombiie.tk*, True -*.zombinary.com*, True -*.zomererf.be*, True -*.zomoya.co.za*, True -*.zompitta.it*, True -*.zonabokep.net*, True -*.zonacomun.com.ar*, True -*.zonadigitaltech.com*, True -*.zonageo.com.ar*, True -*.zonagolpeada.com.ar*, True -*.zonaledprofesional.es*, True -*.zonaloca.com.ar*, True -*.zonalshop.com*, True -*.zonamoda.com.mx*, True -*.zonanoticias.cl*, True -*.zonapredictiva.com*, True -*.zona-promosi.com*, True -*.zonasaridas.com.ar*, True -*.zonatv.cl*, True -*.zonavial.cl*, True -*.zonavv.com*, True -*.zonayahya.com*, True -*.zonazeroskateshop.com.ar*, True -*.zondao.com*, True -*.zonderkomanda.ru*, True -*.zondron.ro*, True -*.zone2industries.com*, True -*.zone83.fr*, True -*.zonebg.org*, True -*.zonecore.net*, True -*.zonegame.ml*, True -*.zoneitshop.com*, True -*.zonemag.ro*, True -*.zonemusic.pw*, True -*.zone-sys.net*, True -*.zonetel.hk*, True -*.zonet.us*, True -*.zoneunknown-studio.tk*, True -*.zon-gogos.com*, True -*.zoniour.net*, True -*.zonnevanderveen.nl*, True -*.zoobtl.cl*, True -*.zoogla.gr*, True -*.zoolhelmy.com*, True -*.zoolight.com*, True -*.zoomandsizes.com*, True -*.zoom-it.com.au*, True -*.zoomprint.com.au*, True -*.zoomprint.net.au*, True -*.zoom.sh*, True -*.zooparty.co.uk*, True -*.zooptics.com*, True -*.zoopy.com*, True -*.zootuy.com.ve*, True -*.zoovet.ro*, True -*.zopyra.com*, True -*.zopyx.ru*, True -*.zoran.tk*, True -*.zora-z.net*, True -*.zorcrux.com*, True -*.zoregroup.com*, True -*.zorfit.com*, True -*.zornhaw.pl*, True -*.zorpidisbus.gr*, True -*.zort.cl*, True -*.zosat.com*, True -*.zoserver.org*, True -*.zosonet.ro*, True -*.zospot.com*, True -*.zoteeva.name*, True -*.zoteev.name*, True -*.zotman.com*, True -*.zotoo.com*, True -*.zotov.ca*, True -*.zotu.com*, True -*.zoudihuang.org*, True -*.zovi-mastera.ru*, True -*.zovimastera.ru*, True -*.zoviraxmed.com*, True -*.zoviraxointment.org*, True -*.zoviraxonline.com*, True -*.zovoc.com*, True -*.zoxy.co*, True -*.zoz.gr*, True -*.zozotube.com*, True -*.zozowap.com*, True -*.zozo-zz.com*, True -*.zoztele.com*, True -*.zp7.net*, True -*.zpi.com.ar*, True -*.z-plate.net*, True -*.zplaza.tk*, True -*.z-p-m.at*, True -*.zpn-kopi.tk*, True -*.zports.co.za*, True -*.zpoxc.com*, True -*.zpsite.com*, True -*.zqz.me*, True -*.zr-aero.com*, True -*.zrauto.co.za*, True -*.zrov.com*, True -*.zrumpo.com*, True -*.zsa666.com*, True -*.zsa88.com*, True -*.zseye.com*, True -*.zsh.jp*, True -*.zsoltgumi.com*, True -*.zso-zulg.ch*, True -*.zsports.co.za*, True -*.zsrm-slo.org*, True -*.zs-starodobniki.si*, True -*.ztam.se*, True -*.ztechnologies.com.mx*, True -*.ztservicios.com.ar*, True -*.zts.ninja*, True -*.zu254.com*, True -*.zubex.net*, True -*.zubex.org*, True -*.zubex.ru*, True -*.zubien.com*, True -*.zubien.net*, True -*.zuccato.net*, True -*.zuccheri.com.ar*, True -*.zucc.ml*, True -*.zuerigschnetzlets.ch*, True -*.zueuz.ws*, True -*.zuev.net*, True -*.zuidstrijders.eu*, True -*.zuijade.com*, True -*.zuijade.tw*, True -*.zuilian.com*, True -*.zuishenai.com*, True -*.zukunft.ro*, True -*.zulalatagun.com*, True -*.zulalatagun.net*, True -*.zulantay.cl*, True -*.zul.asia*, True -*.zulassung.cc*, True -*.zulfikar.web.id*, True -*.zulkarneyn.info*, True -*.zulmaseke.web.id*, True -*.zuluos.com*, True -*.zumba-constanta.ro*, True -*.zumbafitnessnorthampton.co.uk*, True -*.zumbalaturba.com.ar*, True -*.zumbudda.com*, True -*.zumbudda.co.za*, True -*.zumdieckasia.com*, True -*.zummi.co.za*, True -*.zumpro.cl*, True -*.zuncho.es*, True -*.zuninomilius.com.ar*, True -*.zuninonet.com.ar*, True -*.zupa-ivanmerz.hr*, True -*.zupa-sv-petra-i-pavla.hr*, True -*.zupfis.ch*, True -*.zupnija-kog.si*, True -*.zupnija-ormoz.si*, True -*.zupnija-svetilenart.si*, True -*.zupnija-svetitomaz.si*, True -*.zuqiuqimen.com*, True -*.zuquim.com.br*, True -*.zurano-morra.com.ar*, True -*.zuriel.co.za*, True -*.zurit.ch*, True -*.zurka.us*, True -*.zuroweb.com*, True -*.zurrich.cf*, True -*.zurui.net*, True -*.zusjava.tk*, True -*.zus-tof.tk*, True -*.zustudio.tk*, True -*.zustu.tk*, True -*.zuu88.com*, True -*.zuuul.com*, True -*.zuyoutube.com*, True -*.zuyt.in*, True -*.zuzazapata.com.br*, True -*.zuzufruits.ch*, True -*.zuzu.pw*, True -*.zverovich.info*, True -*.zverovich.net*, True -*.zverovich.org*, True -*.zvezazadolenjsko.si*, True -*.zvezdaringa.com*, True -*.zvezdaringa.ru*, True -*.zvit.tk*, True -*.zvolenvet.sk*, True -*.zw3n.se*, True -*.zwaybackmusic.com.mx*, True -*.zweb.sg*, True -*.zweiundvierzig.ch*, True -*.zwerglisinge.ch*, True -*.zwergli-werkstatt.ch*, True -*.zwitterions.co.uk*, True -*.zwitterions-domain.net*, True -*.zwitterions-ipv6.net*, True -*.zwitterions.net*, True -*.zwv-220.com*, True -*.zx1.pw*, True -*.zx2.pw*, True -*.zx3.pw*, True -*.zx4.pw*, True -*.zx5.pw*, True -*.zx6.pw*, True -*.zx7.pw*, True -*.zx8.pw*, True -*.zx9.pw*, True -*.zxc96.com*, True -*.zxcv.pl*, True -*.zxe3.com*, True -*.zxe.ir*, True -*.zxiiro.ca*, True -*.zxspectrum.ml*, True -*.zyix.com*, True -*.zyktech.com*, True -*.zyll.ch*, True -*.zylmari.co.za*, True -*.zyngoale.info*, True -*.zyrtec.cl*, True -*.zytagien.tk*, True -*.zytagienx.tk*, True -*.zytgroup.com.ar*, True -*.zyxas.com*, True -*.zyxel.name*, True -*.zyygu.com*, True -*.zyzzyworld.com*, True -*.zzangdb.com*, True -*.zza.pl*, True -*.zzdedy.ga*, True -*.zziggu.com*, True -*.zzphim.com*, True -*.zzsjlove.com.ar*, True -*.zzsolt.hu*, True -*.zzttlaw.ga*, True -*.zzttlaw.tk*, True -*.zzv.si*, True -*.zzz.fi*, True -*.zzz.lv*, True -*.zzzvpn.tk*, True -*.firewall-gateway.com*, True -*.firewall-gateway.de*, True -*.firewall-gateway.net*, True -*.my-firewall.org*, True -*.my-gateway.de*, True -*.my-router.de*, True -*.myfirewall.org*, True -*.spdns.de*, True -*.spdns.org*, True -*.spdns.eu*, True -*.6600.org*, True -*.7766.org*, True -*.8800.org*, True -*.webok.net*, True -*.2288.org*, True -*.9966.org*, True -*.8866.org*, True -*.3322.org*, True -*.f3322.net*, True -*.f3322.org*, True -*.eatuo.com*, True -*.x3322.net*, True -*.x3322.org*, True -*.001www.com*, True -*.16-b.it*, True -*.2mydns.net*, True -*.32-b.it*, True -*.64-b.it*, True -*.crafting.xyz*, True -*.ddnslive.com*, True -*.dnsapi.info*, True -*.dnsdyn.net*, True -*.dnsking.ch*, True -*.dnsup.net*, True -*.dynip.org*, True -*.dynserv.org*, True -*.forumz.info*, True -*.freeddns.uk*, True -*.freeddns.us*, True -*.hicam.net*, True -*.myiphost.com*, True -*.mypi.co*, True -*.n4t.co*, True -*.now-dns.net*, True -*.now-dns.org*, True -*.now-dns.top*, True -*.nowddns.com*, True -*.ntdll.top*, True -*.ownip.net*, True -*.soundcast.me*, True -*.tcp4.me*, True -*.tftpd.net*, True -*.vpndns.net*, True -*.wifizone.org*, True -*.x443.pw*, True diff --git a/dist/DA-ESS-ContentUpdate/lookups/dynamic_dns_providers_local.csv b/dist/DA-ESS-ContentUpdate/lookups/dynamic_dns_providers_local.csv deleted file mode 100644 index 2cd9bc8fd8..0000000000 --- a/dist/DA-ESS-ContentUpdate/lookups/dynamic_dns_providers_local.csv +++ /dev/null @@ -1 +0,0 @@ -dynamic_dns_domains, isDynDNS_local \ No newline at end of file diff --git a/dist/DA-ESS-ContentUpdate/lookups/hijacklibs.csv b/dist/DA-ESS-ContentUpdate/lookups/hijacklibs.csv deleted file mode 100644 index 88b1d009dd..0000000000 --- a/dist/DA-ESS-ContentUpdate/lookups/hijacklibs.csv +++ /dev/null @@ -1,403 +0,0 @@ -library,islibrary -outllib.dll,TRUE -iviewers.dll,TRUE -hha.dll,TRUE -aclui.dll,TRUE -xwtpw32.dll,TRUE -xwizards.dll,TRUE -xpsservices.dll,TRUE -xolehlp.dll,TRUE -xmllite.dll,TRUE -wwapi.dll,TRUE -wwancfg.dll,TRUE -wtsapi32.dll,TRUE -wsmsvc.dll,TRUE -wshelper.dll,TRUE -wshbth.dll,TRUE -wscapi.dll,TRUE -wpdshext.dll,TRUE -wofutil.dll,TRUE -wmsgapi.dll,TRUE -wmpdui.dll,TRUE -wmiutils.dll,TRUE -wmidcom.dll,TRUE -wmiclnt.dll,TRUE -wlidprov.dll,TRUE -wldp.dll,TRUE -wlbsctrl.dll,TRUE -wlancfg.dll,TRUE -wlanapi.dll,TRUE -wkscli.dll,TRUE -winsync.dll,TRUE -winsta.dll,TRUE -winsqlite3.dll,TRUE -winscard.dll,TRUE -winrnr.dll,TRUE -winnsi.dll,TRUE -winmm.dll,TRUE -winmde.dll,TRUE -winipsec.dll,TRUE -wininet.dll,TRUE -winhttp.dll,TRUE -windowsudk.shellcommon.dll,TRUE -windowsperformancerecordercontrol.dll,TRUE -windowscodecsext.dll,TRUE -windowscodecs.dll,TRUE -windows.ui.immersive.dll,TRUE -windows.storage.search.dll,TRUE -windows.storage.dll,TRUE -winbrand.dll,TRUE -winbio.dll,TRUE -wimgapi.dll,TRUE -whhelper.dll,TRUE -wevtapi.dll,TRUE -wer.dll,TRUE -wecapi.dll,TRUE -webservices.dll,TRUE -wdscore.dll,TRUE -wdi.dll,TRUE -wcnnetsh.dll,TRUE -wcmapi.dll,TRUE -wbemsvc.dll,TRUE -wbemprox.dll,TRUE -vsstrace.dll,TRUE -vssapi.dll,TRUE -virtdisk.dll,TRUE -version.dll,TRUE -vdsutil.dll,TRUE -vaultcli.dll,TRUE -uxtheme.dll,TRUE -uxinit.dll,TRUE -utildll.dll,TRUE -userenv.dll,TRUE -urlmon.dll,TRUE -upshared.dll,TRUE -updatepolicy.dll,TRUE -unattend.dll,TRUE -umpdc.dll,TRUE -uiribbon.dll,TRUE -uireng.dll,TRUE -uiautomationcore.dll,TRUE -uianimation.dll,TRUE -twinui.appcore.dll,TRUE -twinapi.dll,TRUE -twext.dll,TRUE -ttdrecord.dll,TRUE -tsworkspace.dll,TRUE -tquery.dll,TRUE -tpmcoreprovisioning.dll,TRUE -timesync.dll,TRUE -tdh.dll,TRUE -tbs.dll,TRUE -tapi32.dll,TRUE -systemsettingsthresholdadminflowui.dll,TRUE -sxshared.dll,TRUE -structuredquery.dll,TRUE -staterepository.core.dll,TRUE -ssshim.dll,TRUE -sspicli.dll,TRUE -ssp_isv.exe_rsaenh.dll,TRUE -ssp.exe_rsaenh.dll,TRUE -srvcli.dll,TRUE -srpapi.dll,TRUE -srmtrace.dll,TRUE -srcore.dll,TRUE -srclient.dll,TRUE -sppcext.dll,TRUE -sppc.dll,TRUE -spp.dll,TRUE -spectrumsyncclient.dll,TRUE -snmpapi.dll,TRUE -slc.dll,TRUE -shell32.dll,TRUE -security.dll,TRUE -secur32.dll,TRUE -schedcli.dll,TRUE -scecli.dll,TRUE -scansetting.dll,TRUE -sas.dll,TRUE -sapi_onecore.dll,TRUE -samlib.dll,TRUE -samcli.dll,TRUE -rtworkq.dll,TRUE -rtutils.dll,TRUE -rsaenh.dll,TRUE -rpcnsh.dll,TRUE -rmclient.dll,TRUE -resutils.dll,TRUE -resetengine.dll,TRUE -reseteng.dll,TRUE -regapi.dll,TRUE -reagent.dll,TRUE -rasmontr.dll,TRUE -rasman.dll,TRUE -rasgcw.dll,TRUE -rasdlg.dll,TRUE -rasapi32.dll,TRUE -radcui.dll,TRUE -puiapi.dll,TRUE -prvdmofcomp.dll,TRUE -proximityservicepal.dll,TRUE -proximitycommon.dll,TRUE -propsys.dll,TRUE -profapi.dll,TRUE -prntvpt.dll,TRUE -printui.dll,TRUE -powrprof.dll,TRUE -polstore.dll,TRUE -policymanager.dll,TRUE -pnrpnsp.dll,TRUE -playsndsrv.dll,TRUE -pla.dll,TRUE -pkeyhelper.dll,TRUE -peerdistsh.dll,TRUE -pdh.dll,TRUE -pcaui.dll,TRUE -p9np.dll,TRUE -p2pnetsh.dll,TRUE -p2p.dll,TRUE -osuninst.dll,TRUE -osksupport.dll,TRUE -osbaseln.dll,TRUE -opcservices.dll,TRUE -onex.dll,TRUE -omadmapi.dll,TRUE -oleacc.dll,TRUE -oci.dll,TRUE -ntshrui.dll,TRUE -ntmarta.dll,TRUE -ntlmshared.dll,TRUE -ntlanman.dll,TRUE -ntdsapi.dll,TRUE -nshwfp.dll,TRUE -nshipsec.dll,TRUE -nshhttp.dll,TRUE -npmproxy.dll,TRUE -nlansp_c.dll,TRUE -nlaapi.dll,TRUE -ninput.dll,TRUE -newdev.dll,TRUE -networkexplorer.dll,TRUE -netutils.dll,TRUE -nettrace.dll,TRUE -netshell.dll,TRUE -netsetupapi.dll,TRUE -netprovfw.dll,TRUE -netprofm.dll,TRUE -netplwiz.dll,TRUE -netjoin.dll,TRUE -netiohlp.dll,TRUE -netid.dll,TRUE -netapi32.dll,TRUE -ndfapi.dll,TRUE -ncrypt.dll,TRUE -napinsp.dll,TRUE -mtxclu.dll,TRUE -msxml3.dll,TRUE -mswsock.dll,TRUE -mswb7.dll,TRUE -msvcp110_win.dll,TRUE -msutb.dll,TRUE -mstracer.dll,TRUE -msiso.dll,TRUE -msi.dll,TRUE -msftedit.dll,TRUE -msdtctm.dll,TRUE -msdrm.dll,TRUE -msctfmonitor.dll,TRUE -msctf.dll,TRUE -mscoree.dll,TRUE -mscms.dll,TRUE -msacm32.dll,TRUE -mrmcorer.dll,TRUE -mpsvc.dll,TRUE -mprapi.dll,TRUE -mpr.dll,TRUE -mpclient.dll,TRUE -mobilenetworking.dll,TRUE -mmdevapi.dll,TRUE -mlang.dll,TRUE -miutils.dll,TRUE -mintdh.dll,TRUE -midimap.dll,TRUE -mi.dll,TRUE -mfplat.dll,TRUE -mfcore.dll,TRUE -mfc42u.dll,TRUE -mdmdiagnostics.dll,TRUE -mbaexmlparser.dll,TRUE -mapistub.dll,TRUE -maintenanceui.dll,TRUE -magnification.dll,TRUE -lrwizdll.dll,TRUE -lpksetupproxyserv.dll,TRUE -logoncontroller.dll,TRUE -logoncli.dll,TRUE -lockhostingframework.dll,TRUE -loadperf.dll,TRUE -linkinfo.dll,TRUE -licensingdiagspp.dll,TRUE -licensemanagerapi.dll,TRUE -ktmw32.dll,TRUE -ksuser.dll,TRUE -kdstub.dll,TRUE -joinutil.dll,TRUE -iumsdk.dll,TRUE -iumbase.dll,TRUE -isv.exe_rsaenh.dll,TRUE -iscsium.dll,TRUE -iscsidsc.dll,TRUE -iri.dll,TRUE -iphlpapi.dll,TRUE -inproclogger.dll,TRUE -ifsutil.dll,TRUE -ifmon.dll,TRUE -iertutil.dll,TRUE -iedkcs32.dll,TRUE -ieadvpack.dll,TRUE -idstore.dll,TRUE -icmp.dll,TRUE -httpapi.dll,TRUE -hnetmon.dll,TRUE -hid.dll,TRUE -gpapi.dll,TRUE -getuname.dll,TRUE -fxstiff.dll,TRUE -fxsst.dll,TRUE -fxsapi.dll,TRUE -fwpuclnt.dll,TRUE -fwpolicyiomgr.dll,TRUE -fwcfg.dll,TRUE -fwbase.dll,TRUE -fvewiz.dll,TRUE -fveskybackup.dll,TRUE -fveapi.dll,TRUE -framedynos.dll,TRUE -fltlib.dll,TRUE -flightsettings.dll,TRUE -firewallapi.dll,TRUE -fhsvcctl.dll,TRUE -fhcfg.dll,TRUE -feclient.dll,TRUE -fddevquery.dll,TRUE -faultrep.dll,TRUE -fastprox.dll,TRUE -explorerframe.dll,TRUE -execmodelproxy.dll,TRUE -esent.dll,TRUE -efsutil.dll,TRUE -efsadu.dll,TRUE -edputil.dll,TRUE -edgeiso.dll,TRUE -eappprxy.dll,TRUE -eappcfg.dll,TRUE -dynamoapi.dll,TRUE -dxva2.dll,TRUE -dxgi.dll,TRUE -dxcore.dll,TRUE -dwrite.dll,TRUE -dwmcore.dll,TRUE -dwmapi.dll,TRUE -dusmapi.dll,TRUE -duser.dll,TRUE -dui70.dll,TRUE -dsrole.dll,TRUE -dsreg.dll,TRUE -dsprop.dll,TRUE -dsparse.dll,TRUE -dsclient.dll,TRUE -drvstore.dll,TRUE -drprov.dll,TRUE -dpx.dll,TRUE -dot3cfg.dll,TRUE -dot3api.dll,TRUE -dnsapi.dll,TRUE -dmxmlhelputils.dll,TRUE -dmpushproxy.dll,TRUE -dmprocessxmlfiltered.dll,TRUE -dmoleaututils.dll,TRUE -dmiso8601utils.dll,TRUE -dmenterprisediagnostics.dll,TRUE -dmenrollengine.dll,TRUE -dmcommandlineutils.dll,TRUE -dmcmnutils.dll,TRUE -dmcfgutils.dll,TRUE -dismcore.dll,TRUE -dismapi.dll,TRUE -directmanipulation.dll,TRUE -dhcpcsvc6.dll,TRUE -dhcpcsvc.dll,TRUE -dhcpcmonitor.dll,TRUE -devrtl.dll,TRUE -devobj.dll,TRUE -devicepairing.dll,TRUE -devicecredential.dll,TRUE -deviceassociation.dll,TRUE -desktopshellext.dll,TRUE -defragproxy.dll,TRUE -dcomp.dll,TRUE -dcntel.dll,TRUE -dbghelp.dll,TRUE -dbgcore.dll,TRUE -davclnt.dll,TRUE -dataexchange.dll,TRUE -d3dcompiler_47.dll,TRUE -d3d9.dll,TRUE -d3d12.dll,TRUE -d3d11.dll,TRUE -d3d10warp.dll,TRUE -d3d10core.dll,TRUE -d3d10_1core.dll,TRUE -d3d10_1.dll,TRUE -d3d10.dll,TRUE -d2d1.dll,TRUE -cscui.dll,TRUE -cscobj.dll,TRUE -cscapi.dll,TRUE -cryptxml.dll,TRUE -cryptui.dll,TRUE -cryptsp.dll,TRUE -cryptdll.dll,TRUE -cryptbase.dll,TRUE -credui.dll,TRUE -coreuicomponents.dll,TRUE -coremessaging.dll,TRUE -coredplus.dll,TRUE -connect.dll,TRUE -configmanager2.dll,TRUE -comdlg32.dll,TRUE -colorui.dll,TRUE -coloradapterclient.dll,TRUE -cmutil.dll,TRUE -cmpbk32.dll,TRUE -clusapi.dll,TRUE -clipc.dll,TRUE -cldapi.dll,TRUE -certenroll.dll,TRUE -certcli.dll,TRUE -cabview.dll,TRUE -cabinet.dll,TRUE -bootux.dll,TRUE -bootmenuux.dll,TRUE -bderepair.dll,TRUE -bcrypt.dll,TRUE -bcp47mrm.dll,TRUE -bcp47langs.dll,TRUE -bcd.dll,TRUE -batmeter.dll,TRUE -avrt.dll,TRUE -authz.dll,TRUE -authfwcfg.dll,TRUE -auditpolcore.dll,TRUE -audioses.dll,TRUE -atl.dll,TRUE -archiveint.dll,TRUE -appxdeploymentclient.dll,TRUE -appxalluserstore.dll,TRUE -appvpolicy.dll,TRUE -applicationframe.dll,TRUE -apphelp.dll,TRUE -aepic.dll,TRUE -adsldpc.dll,TRUE -activeds.dll,TRUE -amsi.dll,TRUE \ No newline at end of file diff --git a/dist/DA-ESS-ContentUpdate/lookups/hijacklibs_loaded.csv b/dist/DA-ESS-ContentUpdate/lookups/hijacklibs_loaded.csv deleted file mode 100644 index 716fabed35..0000000000 --- a/dist/DA-ESS-ContentUpdate/lookups/hijacklibs_loaded.csv +++ /dev/null @@ -1,886 +0,0 @@ -islibrary,library,excludes,ttp,comment -TRUE,aclui.dll,*\Windows\System32\*,T1574.002,https://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/ -TRUE,aclui.dll,*\Windows\SysWOW64\*,T1574.002,https://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/ -TRUE,acrodistdll.dll,*\Program Files\Adobe\Acrobat *,T1574.002,https://go.recordedfuture.com/hubfs/reports/cta-2022-1223.pdf -TRUE,acrodistdll.dll,*\Acrobat\acrodistdll*,T1574.002,https://go.recordedfuture.com/hubfs/reports/cta-2022-1223.pdf -TRUE,activeds.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,activeds.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,adsldpc.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,adsldpc.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,aepic.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,aepic.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,apphelp.dll,*\Windows\System32\*,T1574.001,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,apphelp.dll,*\Windows\SysWOW64\*,T1574.001,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,applicationframe.dll,*\Windows\System32\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,applicationframe.dll,*\Windows\SysWOW64\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,appvpolicy.dll,*\Windows\System32\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,appwiz.cpl,*\Windows\System32\*,T1574.002,https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/ -TRUE,appwiz.cpl,*\Windows\SysWOW64\*,T1574.002,https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/ -TRUE,appxalluserstore.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,appxalluserstore.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,appxdeploymentclient.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,appxdeploymentclient.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,archiveint.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,archiveint.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,ashldres.dll,*\Program Files\McAfee.com\VSO*,T1574.002,https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-rotten-tomato-campaign.pdf -TRUE,atl.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,atl.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,atltracetoolui.dll,*\Program Files\Microsoft Visual Studio 11.0\Common7\Tools*,T1574.002,https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/ -TRUE,audioses.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,audioses.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,auditpolcore.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,auditpolcore.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,authfwcfg.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,authfwcfg.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,authz.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,authz.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,avrt.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,avrt.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,basicnetutils.dll,*\Appdata\local\Temp\*,T1574.002,https://news.sophos.com/en-us/2023/05/03/doubled-dll-sideloading-dragon-breath/ -TRUE,basicnetutils.dll,*\Program Files\BAIDU\BAIDUPINYIN\*,T1574.002,https://news.sophos.com/en-us/2023/05/03/doubled-dll-sideloading-dragon-breath/ -TRUE,batmeter.dll,*\Windows\System32\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,batmeter.dll,*\Windows\SysWOW64\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,bcd.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,bcd.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,bcp47langs.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,bcp47langs.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,bcp47mrm.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,bcp47mrm.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,bcrypt.dll,*\Windows\System32\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,bcrypt.dll,*\Windows\SysWOW64\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,bderepair.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,bootmenuux.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,bootux.dll,*\Windows\System32\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,cabinet.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,cabinet.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,cabview.dll,*\Windows\System32\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,cabview.dll,*\Windows\SysWOW64\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,certcli.dll,*\Windows\System32\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,certcli.dll,*\Windows\SysWOW64\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,certenroll.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,certenroll.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,cfgmgr32.dll,*\Windows\System32\*,T1574.002, -TRUE,cfgmgr32.dll,*\Windows\SysWOW64\*,T1574.002, -TRUE,chrome_frame_helper.dll,*\Appdata\local\Google\Chrome\Application*,T1574.002,https://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/ -TRUE,chrome_frame_helper.dll,*\Program Files\Google\Chrome\Application*,T1574.002,https://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/ -TRUE,ciscosparklauncher.dll,*\Appdata\local\CiscoSparkLauncher*,T1574.002,https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/ -TRUE,ciscosparklauncher.dll,*\AppData\Local\Programs\Cisco Spark\*,T1574.002,https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/ -TRUE,classicexplorer32.dll,*\Program Files\Classic Shell*,T1574.002,https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets -TRUE,classicexplorer32.dll,*\Program Files\Open-Shell*,T1574.002,https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets -TRUE,cldapi.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,cldapi.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,clipc.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,clipc.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,clusapi.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,clusapi.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,cmpbk32.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,cmpbk32.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,cmutil.dll,*\Windows\System32\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,cmutil.dll,*\Windows\SysWOW64\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,coloradapterclient.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,coloradapterclient.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,colorui.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,colorui.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,comdlg32.dll,*\Windows\System32\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,comdlg32.dll,*\Windows\SysWOW64\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,commfunc.dll,*\Program Files\Lenovo\Communications Utility*,T1574.002,https://blog.trendmicro.com/trendlabs-security-intelligence/new-wave-of-plugx-targets-legitimate-apps/ -TRUE,configmanager2.dll,*\Windows\System32\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,connect.dll,*\Windows\System32\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,connect.dll,*\Windows\SysWOW64\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,coredplus.dll,*\Windows\System32\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,coremessaging.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,coremessaging.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,coreuicomponents.dll,*\Windows\System32\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,coreuicomponents.dll,*\Windows\SysWOW64\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,credui.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,credui.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,cryptbase.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,cryptbase.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,cryptdll.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,cryptdll.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,cryptsp.dll,*\Windows\System32\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,cryptsp.dll,*\Windows\SysWOW64\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,cryptui.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,cryptui.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,cryptxml.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,cryptxml.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,cscapi.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,cscapi.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,cscobj.dll,*\Windows\System32\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,cscobj.dll,*\Windows\SysWOW64\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,cscui.dll,*\Windows\System32\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,cscui.dll,*\Windows\SysWOW64\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,d2d1.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,d2d1.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,d3d10.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,d3d10.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,d3d10_1.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,d3d10_1.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,d3d10_1core.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,d3d10_1core.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,d3d10core.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,d3d10core.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,d3d10warp.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,d3d10warp.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,d3d11.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,d3d11.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,d3d12.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,d3d12.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,d3d9.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,d3d9.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,d3dcompiler_47.dll,*\Program Files\windows kits\10\bin\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,d3dcompiler_47.dll,*\Program Files\windows kits\10\bin\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,d3dcompiler_47.dll,*\Program Files\windows kits\10\redist\d3d\x64*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,d3dcompiler_47.dll,*\Program Files\windows kits\10\redist\d3d\x86*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,d3dcompiler_47.dll,*\Program Files\wireshark*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,d3dcompiler_47.dll,*\Program Files\cisco systems\cisco jabber*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,d3dcompiler_47.dll,*\Program Files\microsoft\edge\application\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,d3dcompiler_47.dll,*\Program Files\Google\Chrome\Application\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,d3dcompiler_47.dll,*\Appdata\local\microsoft\teams\stage*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,d3dcompiler_47.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,d3dcompiler_47.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,d3dcompiler_47.dll,*\Microsoft\Teams\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,d3dx9_43.dll,*\Windows\System32\*,T1574.002,https://news.sophos.com/en-us/2023/05/03/doubled-dll-sideloading-dragon-breath/ -TRUE,d3dx9_43.dll,*\Windows\SysWOW64\*,T1574.002,https://news.sophos.com/en-us/2023/05/03/doubled-dll-sideloading-dragon-breath/ -TRUE,dataexchange.dll,*\Windows\System32\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,dataexchange.dll,*\Windows\SysWOW64\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,davclnt.dll,*\Windows\System32\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,davclnt.dll,*\Windows\SysWOW64\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,dbgcore.dll,*\Program Files\windows kits\10\debuggers\arm*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dbgcore.dll,*\Program Files\windows kits\10\debuggers\arm\srcsrv*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dbgcore.dll,*\Program Files\windows kits\10\debuggers\arm64*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dbgcore.dll,*\Program Files\windows kits\10\debuggers\arm64\srcsrv*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dbgcore.dll,*\Program Files\windows kits\10\debuggers\x64*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dbgcore.dll,*\Program Files\windows kits\10\debuggers\x64\srcsrv*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dbgcore.dll,*\Program Files\windows kits\10\debuggers\x86*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dbgcore.dll,*\Program Files\windows kits\10\debuggers\x86\srcsrv*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dbgcore.dll,*\Program Files\microsoft office\root\office*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dbgcore.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dbgcore.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dbgeng.dll,*\Program Files\Windows Kits\*,T1574.002,https://twitter.com/mrexodia/status/1630320327967252483 -TRUE,dbgeng.dll,*\Program Files\Windows Kits\*,T1574.002,https://twitter.com/mrexodia/status/1630320327967252483 -TRUE,dbgeng.dll,*\Program Files\Windows Kits\*,T1574.002,https://twitter.com/mrexodia/status/1630320327967252483 -TRUE,dbgeng.dll,*\Program Files\Windows Kits\*,T1574.002,https://twitter.com/mrexodia/status/1630320327967252483 -TRUE,dbghelp.dll,*\Program Files\windows kits\10\debuggers\arm*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dbghelp.dll,*\Program Files\windows kits\10\debuggers\arm\srcsrv*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dbghelp.dll,*\Program Files\windows kits\10\debuggers\arm64*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dbghelp.dll,*\Program Files\windows kits\10\debuggers\arm64\srcsrv*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dbghelp.dll,*\Program Files\windows kits\10\debuggers\x64*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dbghelp.dll,*\Program Files\windows kits\10\debuggers\x64\srcsrv*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dbghelp.dll,*\Program Files\windows kits\10\debuggers\x86*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dbghelp.dll,*\Program Files\windows kits\10\debuggers\x86\srcsrv*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dbghelp.dll,*\Program Files\cisco systems\cisco jabber*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dbghelp.dll,*\Program Files\microsoft office\root\office*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dbghelp.dll,*\Program Files\microsoft office\root\vfs\programfilesx86\microsoft analysis services\as oledb\140*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dbghelp.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dbghelp.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dbgmodel.dll,*\Windows\System32\*,T1574.002,https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/ -TRUE,dbgmodel.dll,*\Windows\SysWOW64\*,T1574.002,https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/ -TRUE,dbgmodel.dll,*\Program Files\Windows Kits\10\Debuggers\*,T1574.002,https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/ -TRUE,dcntel.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dcomp.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dcomp.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,defragproxy.dll,*\Windows\System32\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,defragproxy.dll,*\Windows\SysWOW64\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,desktopshellext.dll,*\Windows\System32\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,desktopshellext.dll,*\Windows\SysWOW64\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,deviceassociation.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,deviceassociation.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,devicecredential.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,devicecredential.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,devicepairing.dll,*\Windows\System32\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,devicepairing.dll,*\Windows\SysWOW64\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,devobj.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,devobj.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,devrtl.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,devrtl.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dhcpcmonitor.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dhcpcmonitor.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dhcpcsvc.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dhcpcsvc.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dhcpcsvc6.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dhcpcsvc6.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,directmanipulation.dll,*\Windows\System32\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,directmanipulation.dll,*\Windows\SysWOW64\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,dismapi.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dismapi.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dismcore.dll,*\Windows\System32\dism*,T1574.001,https://cofense.com/exploiting-unpatched-vulnerability-ave_maria-malware-not-full-grace/ -TRUE,dismcore.dll,*\Windows\SysWOW64\dism*,T1574.001,https://cofense.com/exploiting-unpatched-vulnerability-ave_maria-malware-not-full-grace/ -TRUE,dmcfgutils.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dmcfgutils.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dmcmnutils.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dmcmnutils.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dmcommandlineutils.dll,*\Windows\System32\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,dmcommandlineutils.dll,*\Windows\SysWOW64\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,dmenrollengine.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dmenrollengine.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dmenterprisediagnostics.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dmiso8601utils.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dmiso8601utils.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dmoleaututils.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dmoleaututils.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dmprocessxmlfiltered.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dmprocessxmlfiltered.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dmpushproxy.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dmpushproxy.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dmxmlhelputils.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dmxmlhelputils.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dnsapi.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dnsapi.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dot3api.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dot3api.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dot3cfg.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dot3cfg.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dpx.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dpx.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,drprov.dll,*\Windows\System32\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,drprov.dll,*\Windows\SysWOW64\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,drvstore.dll,*\Windows\System32\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,drvstore.dll,*\Windows\SysWOW64\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,dsclient.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dsclient.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dsparse.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dsparse.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dsprop.dll,*\Windows\System32\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,dsprop.dll,*\Windows\SysWOW64\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,dsreg.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dsreg.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dsrole.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dsrole.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dui70.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dui70.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,duser.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,duser.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dusmapi.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dusmapi.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dwmapi.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dwmapi.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dwmcore.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dwrite.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dwrite.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dxcore.dll,*\Windows\System32\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,dxcore.dll,*\Windows\SysWOW64\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,dxgi.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dxgi.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dxva2.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dxva2.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,dynamoapi.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,eappcfg.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,eappcfg.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,eappprxy.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,eappprxy.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,edgeiso.dll,*\Windows\System32\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,edgeiso.dll,*\Windows\SysWOW64\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,edputil.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,edputil.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,efsadu.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,efsadu.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,efsutil.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,efsutil.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,esent.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,esent.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,execmodelproxy.dll,*\Windows\System32\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,execmodelproxy.dll,*\Windows\SysWOW64\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,explorerframe.dll,*\Windows\System32\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,explorerframe.dll,*\Windows\SysWOW64\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,facesdk.dll,*\Program Files\luxand\facesdk\bin\win64*,T1574.002,https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/ -TRUE,fastprox.dll,*\Windows\System32\wbem*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,fastprox.dll,*\Windows\SysWOW64\wbem*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,faultrep.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,faultrep.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,fddevquery.dll,*\Windows\System32\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,fddevquery.dll,*\Windows\SysWOW64\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,feclient.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,feclient.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,fhcfg.dll,*\Windows\System32\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,fhcfg.dll,*\Windows\SysWOW64\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,fhsvcctl.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,firewallapi.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,firewallapi.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,flightsettings.dll,*\Windows\System32\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,flightsettings.dll,*\Windows\SysWOW64\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,fltlib.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,fltlib.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,formdll.dll,*\Program Files\Common Files\Microsoft Shared\NoteSync Forms*,T1574.002,https://any.run/report/d9c7f6d4ec08d961c20dac1b6422b3fbec5c6a8d9dc67d1f604835b36c5f224e/ae068531-92db-497d-b0cb-c0b1af5476f1 -TRUE,framedynos.dll,*\Windows\System32\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,framedynos.dll,*\Windows\SysWOW64\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,fveapi.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,fveapi.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,fveskybackup.dll,*\Windows\System32\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,fvewiz.dll,*\Windows\System32\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,fwbase.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,fwbase.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,fwcfg.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,fwcfg.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,fwpolicyiomgr.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,fwpolicyiomgr.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,fwpuclnt.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,fwpuclnt.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,fxsapi.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,fxsapi.dll,*\Windows\System32\driverstore\filerepository\prnms002.inf_*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,fxsapi.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,fxsst.dll,*\Windows\System32\*,T1574.001,https://www.fireeye.com/blog/threat-research/2011/06/fxsst.html/ -TRUE,fxstiff.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,fxstiff.dll,*\Windows\System32\driverstore\filerepository\prnms002.inf_*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,getuname.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,getuname.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,gflagsui.dll,*\Program Files\Windows Kits\10\Debuggers\*,T1574.002,https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/ -TRUE,glib-2.0.dll,*\Program Files\VMware\VMware Tools*,T1574.002,https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/ -TRUE,glib-2.0.dll,*\Program Files\VMware\VMware Workstation*,T1574.002,https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/ -TRUE,glib-2.0.dll,*\Program Files\VMware\VMware Player*,T1574.002,https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/ -TRUE,gpapi.dll,*\Windows\System32\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,gpapi.dll,*\Windows\SysWOW64\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,hha.dll,*\Windows\System32\*,T1574.002,https://blog.trendmicro.com/trendlabs-security-intelligence/new-wave-of-plugx-targets-legitimate-apps/ -TRUE,hha.dll,*\Windows\SysWOW64\*,T1574.002,https://blog.trendmicro.com/trendlabs-security-intelligence/new-wave-of-plugx-targets-legitimate-apps/ -TRUE,hha.dll,*\Program Files\HTML Help Workshop*,T1574.002,https://blog.trendmicro.com/trendlabs-security-intelligence/new-wave-of-plugx-targets-legitimate-apps/ -TRUE,hid.dll,*\Windows\System32\*,T1574.001,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,hid.dll,*\Windows\SysWOW64\*,T1574.001,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,hnetmon.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,hnetmon.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,hpcustpartui.dll,*\Program Files\HP*,T1574.002,https://www.trellix.com/en-us/about/newsroom/stories/research/operation-harvest-a-deep-dive-into-a-long-term-campaign.html -TRUE,hpqhvsei.dll,*\Program Files\HP*,T1574.002,https://www.secureworks.com/research/shadowpad-malware-analysis -TRUE,httpapi.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,httpapi.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,icmp.dll,*\Windows\System32\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,icmp.dll,*\Windows\SysWOW64\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,idstore.dll,*\Windows\System32\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,idstore.dll,*\Windows\SysWOW64\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,ieadvpack.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,ieadvpack.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,iedkcs32.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,iedkcs32.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,iernonce.dll,*\Windows\System32\*,T1574.002,https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/ -TRUE,iernonce.dll,*\Windows\SysWOW64\*,T1574.002,https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/ -TRUE,iertutil.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,iertutil.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,ifmon.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,ifmon.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,ifsutil.dll,*\Windows\System32\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,ifsutil.dll,*\Windows\SysWOW64\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,inproclogger.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,iphlpapi.dll,*\Windows\System32\*,T1574.001,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,iphlpapi.dll,*\Windows\SysWOW64\*,T1574.001,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,iri.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,iri.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,iscsidsc.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,iscsidsc.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,iscsiexe.dll,*\Windows\System32\*,T1574.001,https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC -TRUE,iscsiexe.dll,*\Windows\SysWOW64\*,T1574.001,https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC -TRUE,iscsium.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,iscsium.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,isv.exe_rsaenh.dll,*\Windows\System32\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,isv.exe_rsaenh.dll,*\Windows\SysWOW64\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,iumbase.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,iumsdk.dll,*\Windows\System32\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,iviewers.dll,*\Program Files\Windows Kits\10\bin\*,T1574.002,https://www.secureworks.com/research/shadowpad-malware-analysis -TRUE,iviewers.dll,*\Program Files\Windows Kits\10\bin\*,T1574.002,https://www.secureworks.com/research/shadowpad-malware-analysis -TRUE,iviewers.dll,*\Program Files\Windows Kits\10\bin\*,T1574.002,https://www.secureworks.com/research/shadowpad-malware-analysis -TRUE,iviewers.dll,*\Program Files\Windows Kits\10\bin\*,T1574.002,https://www.secureworks.com/research/shadowpad-malware-analysis -TRUE,joinutil.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,joinutil.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,kdstub.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,ksuser.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,ksuser.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,ktmw32.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,ktmw32.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,ldvpocx.ocx,*\Program Files\Symantec_Client_Security\Symantec AntiVirus*,T1574.002,https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox -TRUE,ldvpocx.ocx,*\Program Files\Symantec AntiVirus*,T1574.002,https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox -TRUE,libvlc.dll,*\Program Files\VideoLAN\VLC*,T1574.002,https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/ -TRUE,licensemanagerapi.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,licensemanagerapi.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,licensingdiagspp.dll,*\Windows\System32\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,licensingdiagspp.dll,*\Windows\SysWOW64\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,linkinfo.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,linkinfo.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,lmiguardiandll.dll,*\Program Files\LogMeIn*,T1574.002,https://twitter.com/StopMalvertisin/status/1610961056163311619 -TRUE,lmiguardiandll.dll,*\Program Files\LogMeIn\x86*,T1574.002,https://twitter.com/StopMalvertisin/status/1610961056163311619 -TRUE,lmiguardiandll.dll,*\Program Files\LogMeIn\x64*,T1574.002,https://twitter.com/StopMalvertisin/status/1610961056163311619 -TRUE,loadperf.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,loadperf.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,lockdown.dll,*\Program Files\McAfee\VirusScan Enterprise*,T1574.002,https://twitter.com/thepacketrat/status/1520878930449817600 -TRUE,lockhostingframework.dll,*\Windows\System32\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,log.dll,*\Program Files\Bitdefender Antivirus Free*,T1574.002,https://www.secureworks.com/research/shadowpad-malware-analysis -TRUE,logoncli.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,logoncli.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,logoncontroller.dll,*\Windows\System32\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,logoncontroller.dll,*\Windows\SysWOW64\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,lpksetupproxyserv.dll,*\Windows\System32\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,lpksetupproxyserv.dll,*\Windows\SysWOW64\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,lrwizdll.dll,*\Windows\System32\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,magnification.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,magnification.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,maintenanceui.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,mapistub.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,mapistub.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,mbaexmlparser.dll,*\Windows\System32\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,mdmdiagnostics.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,mfc42u.dll,*\Windows\System32\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,mfc42u.dll,*\Windows\SysWOW64\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,mfcore.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,mfcore.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,mfplat.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,mfplat.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,mi.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,mi.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,midimap.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,midimap.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,mintdh.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,miutils.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,miutils.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,mlang.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,mlang.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,mmdevapi.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,mmdevapi.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,mobilenetworking.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,mobilenetworking.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,mozglue.dll,*\Program Files\SeaMonkey*,T1574.002,https://twitter.com/SBousseaden/status/1530595156055011330 -TRUE,mozglue.dll,*\Program Files\Mozilla Firefox*,T1574.002,https://twitter.com/SBousseaden/status/1530595156055011330 -TRUE,mozglue.dll,*\Program Files\Mozilla Thunderbird*,T1574.002,https://twitter.com/SBousseaden/status/1530595156055011330 -TRUE,mozglue.dll,*\AppData\Local\Mozilla Firefox\*,T1574.002,https://twitter.com/SBousseaden/status/1530595156055011330 -TRUE,mpclient.dll,*\Program Files\Windows Defender*,T1574.002,https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/ -TRUE,mpclient.dll,*\ProgramData\Microsoft\Windows Defender\Platform\*,T1574.002,https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/ -TRUE,mpr.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/save-the-environment-variables -TRUE,mpr.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/save-the-environment-variables -TRUE,mprapi.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,mprapi.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,mpsvc.dll,*\Program Files\Windows Defender\*,T1574.002,https://www.mcafee.com/blogs/other-blogs/mcafee-labs/revil-ransomware-uses-dll-sideloading/ -TRUE,mpsvc.dll,*\ProgramData\Microsoft\Windows Defender\Platform\*,T1574.002,https://www.mcafee.com/blogs/other-blogs/mcafee-labs/revil-ransomware-uses-dll-sideloading/ -TRUE,mrmcorer.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,mrmcorer.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,msacm32.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,msacm32.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,mscms.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,mscms.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,mscoree.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,mscoree.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,mscorsvc.dll,*\Windows\Microsoft.NET\Framework\v*,T1574.002,https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/ -TRUE,mscorsvc.dll,*\Windows\Microsoft.NET\Framework64\v*,T1574.002,https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/ -TRUE,msctf.dll,*\Windows\System32\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,msctf.dll,*\Windows\SysWOW64\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,msctfmonitor.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,msctfmonitor.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,msdrm.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,msdrm.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,msdtctm.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,msftedit.dll,*\Windows\System32\*,T1574.002,https://www.hexacorn.com/blog/2015/02/23/beyond-good-ol-run-key-part-28/ -TRUE,msftedit.dll,*\Windows\SysWOW64\*,T1574.002,https://www.hexacorn.com/blog/2015/02/23/beyond-good-ol-run-key-part-28/ -TRUE,msi.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,msi.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,msiso.dll,*\Windows\System32\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,msiso.dll,*\Windows\SysWOW64\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,msutb.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,msutb.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,msvcp110_win.dll,*\Windows\System32\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,msvcp110_win.dll,*\Windows\SysWOW64\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,msvcr100.dll,*\Windows\System32\*,T1574.002,https://twitter.com/SBousseaden/status/1530595156055011330 -TRUE,msvcr100.dll,*\Windows\SysWOW64\*,T1574.002,https://twitter.com/SBousseaden/status/1530595156055011330 -TRUE,mswb7.dll,*\Windows\System32\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,mswb7.dll,*\Windows\SysWOW64\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,mswsock.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/save-the-environment-variables -TRUE,mswsock.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/save-the-environment-variables -TRUE,msxml3.dll,*\Windows\System32\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,msxml3.dll,*\Windows\SysWOW64\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,mtxclu.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,mtxclu.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,napinsp.dll,*\Windows\System32\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,napinsp.dll,*\Windows\SysWOW64\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,ncrypt.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/save-the-environment-variables -TRUE,ncrypt.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/save-the-environment-variables -TRUE,ndfapi.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,ndfapi.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,netapi32.dll,*\Windows\System32\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,netapi32.dll,*\Windows\SysWOW64\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,netid.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,netid.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,netiohlp.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,netiohlp.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,netjoin.dll,*\Windows\System32\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,netjoin.dll,*\Windows\SysWOW64\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,netplwiz.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,netplwiz.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,netprofm.dll,*\Windows\System32\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,netprofm.dll,*\Windows\SysWOW64\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,netprovfw.dll,*\Windows\System32\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,netprovfw.dll,*\Windows\SysWOW64\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,netsetupapi.dll,*\Windows\System32\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,netsetupapi.dll,*\Windows\SysWOW64\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,netshell.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,netshell.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,nettrace.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,netutils.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,netutils.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,networkexplorer.dll,*\Windows\System32\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,networkexplorer.dll,*\Windows\SysWOW64\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,newdev.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,newdev.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,ninput.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,ninput.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,nlaapi.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,nlaapi.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,nlansp_c.dll,*\Windows\System32\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,nlansp_c.dll,*\Windows\SysWOW64\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,npmproxy.dll,*\Windows\System32\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,npmproxy.dll,*\Windows\SysWOW64\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,nshhttp.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,nshhttp.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,nshipsec.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,nshipsec.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,nshwfp.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,nshwfp.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,ntdsapi.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,ntdsapi.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,ntlanman.dll,*\Windows\System32\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,ntlanman.dll,*\Windows\SysWOW64\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,ntlmshared.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,ntlmshared.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,ntmarta.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/save-the-environment-variables -TRUE,ntmarta.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/save-the-environment-variables -TRUE,ntshrui.dll,*\Windows\System32\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,ntshrui.dll,*\Windows\SysWOW64\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,nvsmartmax.dll,*\Program Files\NVIDIA Corporation\Display*,T1574.002,https://www.cybereason.com/blog/research/deadringer-exposing-chinese-threat-actors-targeting-major-telcos -TRUE,oleacc.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,oleacc.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,omadmapi.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,omadmapi.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,onex.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,onex.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,opcservices.dll,*\Windows\System32\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,opcservices.dll,*\Windows\SysWOW64\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,opera_elf.dll,*\Appdata\local\programs\opera\*,T1574.002,https://twitter.com/ShitSecure/status/1566127363389329412 -TRUE,osbaseln.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,osbaseln.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,osksupport.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,osuninst.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,osuninst.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,outllib.dll,*\Program Files\Microsoft Office\OFFICE*,T1574.002,https://medium.com/insomniacs/analysis-walkthrough-fun-clientrun-part-1-b2509344ebe6 -TRUE,outllib.dll,*\Program Files\Microsoft Office\Root\OFFICE*,T1574.002,https://medium.com/insomniacs/analysis-walkthrough-fun-clientrun-part-1-b2509344ebe6 -TRUE,p2p.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,p2p.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,p2pnetsh.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,p2pnetsh.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,p9np.dll,*\Windows\System32\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,p9np.dll,*\Windows\SysWOW64\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,pcaui.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,pcaui.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,pdh.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,pdh.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,peerdistsh.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,peerdistsh.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,pkeyhelper.dll,*\Windows\System32\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,pla.dll,*\Windows\System32\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,pla.dll,*\Windows\SysWOW64\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,playsndsrv.dll,*\Windows\System32\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,playsndsrv.dll,*\Windows\SysWOW64\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,pnrpnsp.dll,*\Windows\System32\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,pnrpnsp.dll,*\Windows\SysWOW64\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,policymanager.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,policymanager.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,polstore.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,polstore.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,powrprof.dll,*\Windows\System32\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,powrprof.dll,*\Windows\SysWOW64\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,printui.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,printui.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,prntvpt.dll,*\Windows\System32\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,prntvpt.dll,*\Windows\SysWOW64\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,profapi.dll,*\Windows\System32\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,profapi.dll,*\Windows\SysWOW64\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,propsys.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,propsys.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,proximitycommon.dll,*\Windows\System32\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,proximitycommon.dll,*\Windows\SysWOW64\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,proximityservicepal.dll,*\Windows\System32\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,prvdmofcomp.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,prvdmofcomp.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,puiapi.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,puiapi.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,python39.dll,*\Program Files\Python39*,T1574.002,https://twitter.com/SBousseaden/status/1530595156055011330 -TRUE,python39.dll,*\Appdata\local\Temp\*,T1574.002,https://twitter.com/SBousseaden/status/1530595156055011330 -TRUE,python39.dll,*\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\VC\SecurityIssueAnalysis\python*,T1574.002,https://twitter.com/SBousseaden/status/1530595156055011330 -TRUE,python39.dll,*\Users\anaconda3*,T1574.002,https://twitter.com/SBousseaden/status/1530595156055011330 -TRUE,qrt.dll,*\Program Files\F-Secure\Anti-Virus*,T1574.002,https://www.welivesecurity.com/2022/04/27/lookback-ta410-umbrella-cyberespionage-ttps-activity/ -TRUE,radcui.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,radcui.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,rasapi32.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,rasapi32.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,rasdlg.dll,*\Windows\System32\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,rasdlg.dll,*\Windows\SysWOW64\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,rasgcw.dll,*\Windows\System32\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,rasgcw.dll,*\Windows\SysWOW64\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,rasman.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,rasman.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,rasmontr.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,rasmontr.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,rastls.dll,*\Program Files\Symantec\Network Connected Devices Auto Setup*,T1574.002,https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf -TRUE,rcdll.dll,*\Program Files\Windows Kits\10\bin\*,T1574.002,https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/ -TRUE,reagent.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,reagent.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,regapi.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,regapi.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,reseteng.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,resetengine.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,resutils.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,resutils.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,rjvplatform.dll,*\Windows\System32\SystemResetPlatform*,T1574.002,https://twitter.com/0gtweet/status/1666716511988330499 -TRUE,rjvplatform.dll,*\Windows\SysWOW64\SystemResetPlatform*,T1574.002,https://twitter.com/0gtweet/status/1666716511988330499 -TRUE,rmclient.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,rmclient.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,rpcnsh.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,rpcnsh.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,rsaenh.dll,*\Windows\System32\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,rsaenh.dll,*\Windows\SysWOW64\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,rtutils.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,rtutils.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,rtworkq.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,rtworkq.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,rzlog4cpp_logger.dll,*\Appdata\local\razer\InGameEngine\cache\RzFpsApplet*,T1574.002,https://www.mandiant.com/resources/blog/china-nexus-espionage-southeast-asia -TRUE,safestore32.dll,*\Program Files\Sophos\Sophos Anti-Virus*,T1574.002,https://symantec.broadcom.com/hubfs/Attacks-Against-Government-Sector.pdf -TRUE,samcli.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,samcli.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,samlib.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,samlib.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,sapi_onecore.dll,*\Windows\System32\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,sapi_onecore.dll,*\Windows\SysWOW64\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,sas.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,sas.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,scansetting.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,scansetting.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,scecli.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,scecli.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,schedcli.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,schedcli.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,secur32.dll,*\Windows\System32\*,T1574.001,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,secur32.dll,*\Windows\SysWOW64\*,T1574.001,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,security.dll,*\Windows\System32\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,security.dll,*\Windows\SysWOW64\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,sensapi.dll,*\Windows\System32\*,T1574.002,https://twitter.com/AndrewOliveau/status/1682185200862625792 -TRUE,sensapi.dll,*\Windows\SysWOW64\*,T1574.002,https://twitter.com/AndrewOliveau/status/1682185200862625792 -TRUE,shell32.dll,*\Windows\System32\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,shell32.dll,*\Windows\SysWOW64\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,shfolder.dll,*\Windows\System32\*,T1574.002,https://twitter.com/dissectmalware/status/978017957480628226 -TRUE,shfolder.dll,*\Windows\SysWOW64\*,T1574.002,https://twitter.com/dissectmalware/status/978017957480628226 -TRUE,siteadv.dll,*\Program Files\SiteAdvisor\*,T1574.002,https://www.nortonlifelock.com/sites/default/files/2021-10/OPERATION%20EXORCIST%20White%20Paper.pdf -TRUE,slc.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,slc.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,smadhook32c.dll,*\Program Files\Smadav*,T1574.002,https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/ -TRUE,snmpapi.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,snmpapi.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,spectrumsyncclient.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,spp.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,spp.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,sppc.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,sppc.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,sppcext.dll,*\Windows\System32\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,sppcext.dll,*\Windows\SysWOW64\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,srclient.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,srclient.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,srcore.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,srmtrace.dll,*\Windows\System32\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,srmtrace.dll,*\Windows\SysWOW64\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,srpapi.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,srpapi.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,srvcli.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,srvcli.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,ssp.exe_rsaenh.dll,*\Windows\System32\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,ssp.exe_rsaenh.dll,*\Windows\SysWOW64\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,ssp_isv.exe_rsaenh.dll,*\Windows\System32\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,ssp_isv.exe_rsaenh.dll,*\Windows\SysWOW64\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,sspicli.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,sspicli.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,ssshim.dll,*\Windows\System32\*,T1574.002,https://twitter.com/0gtweet/status/1363107343018385410 -TRUE,ssshim.dll,*\Windows\SysWOW64\*,T1574.002,https://twitter.com/0gtweet/status/1363107343018385410 -TRUE,staterepository.core.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,staterepository.core.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,structuredquery.dll,*\Windows\System32\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,structuredquery.dll,*\Windows\SysWOW64\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,sxshared.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,sxshared.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,symsrv.dll,*\Program Files\Windows Kits\10\Debuggers\*,T1574.002,https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/ -TRUE,systemsettingsthresholdadminflowui.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,tapi32.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,tapi32.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,tbs.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,tbs.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,tdh.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,tdh.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,textshaping.dll,*\Windows\System32\*,T1574.002,https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/ -TRUE,textshaping.dll,*\Windows\SysWOW64\*,T1574.002,https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/ -TRUE,timesync.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,tmdbglog.dll,*\Program Files\Trend Micro\Titanium*,T1574.002,https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/ -TRUE,tosbtkbd.dll,*\Program Files\Toshiba\Bluetooth Toshiba Stack*,T1574.002,https://www.secureworks.com/research/shadowpad-malware-analysis -TRUE,tpmcoreprovisioning.dll,*\Windows\System32\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,tpmcoreprovisioning.dll,*\Windows\SysWOW64\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,tquery.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,tquery.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,tsworkspace.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,tsworkspace.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,ttdrecord.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,ttdrecord.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,twext.dll,*\Windows\System32\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,twext.dll,*\Windows\SysWOW64\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,twinapi.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/save-the-environment-variables -TRUE,twinapi.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/save-the-environment-variables -TRUE,twinui.appcore.dll,*\Windows\System32\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,twinui.appcore.dll,*\Windows\SysWOW64\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,uianimation.dll,*\Windows\System32\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,uianimation.dll,*\Windows\SysWOW64\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,uiautomationcore.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,uiautomationcore.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,uireng.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,uireng.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,uiribbon.dll,*\Windows\System32\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,uiribbon.dll,*\Windows\SysWOW64\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,umpdc.dll,*\Windows\System32\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,umpdc.dll,*\Windows\SysWOW64\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,unattend.dll,*\Windows\System32\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,unityplayer.dll,*\Appdata\local\Temp\*,T1574.002,https://news.sophos.com/en-us/2023/05/03/doubled-dll-sideloading-dragon-breath/ -TRUE,updatepolicy.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,updatepolicy.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,upshared.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,urlmon.dll,*\Windows\System32\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,urlmon.dll,*\Windows\SysWOW64\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,userenv.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,userenv.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,utildll.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,utildll.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,uxinit.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,uxinit.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,uxtheme.dll,*\Windows\System32\*,T1574.001,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,uxtheme.dll,*\Windows\SysWOW64\*,T1574.001,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,vaultcli.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,vaultcli.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,vdsutil.dll,*\Windows\System32\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,vdsutil.dll,*\Windows\SysWOW64\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,vender.dll,*\Program Files\ASUS\GPU TweakII*,T1574.002,https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/ -TRUE,vender.dll,*\Program Files\ASUS\VGA COM\*,T1574.002,https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/ -TRUE,version.dll,*\Windows\System32\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,version.dll,*\Windows\SysWOW64\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,vftrace.dll,*\Program Files\CyberArk\Endpoint Privilege Manager\Agent\x32*,T1574.002,https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/budworm-espionage-us-state?web_view=true -TRUE,vftrace.dll,*\Program Files\CyberArk\Endpoint Privilege Manager\Agent\x64*,T1574.002,https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/budworm-espionage-us-state?web_view=true -TRUE,vftrace.dll,*\Program Files\CyberArk\Endpoint Privilege Manager\Agent*,T1574.002,https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/budworm-espionage-us-state?web_view=true -TRUE,virtdisk.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,virtdisk.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,vivaldi_elf.dll,*\Appdata\local\Vivaldi\Application*,T1574.002,https://securityintelligence.com/posts/vizom-malware-targets-brazilian-bank-customers-remote-overlay/ -TRUE,vivaldi_elf.dll,*\Appdata\local\Vivaldi\Application\*,T1574.002,https://securityintelligence.com/posts/vizom-malware-targets-brazilian-bank-customers-remote-overlay/ -TRUE,vntfxf32.dll,*\Program Files\Venta\VentaFax & Voice*,T1574.002,https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/ -TRUE,vsodscpl.dll,*\Program Files\McAfee\VirusScan Enterprise*,T1574.002,https://eiploader.wordpress.com/2011/03/28/digitally-signed-malware-without-stealing-certificates/ -TRUE,vssapi.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,vssapi.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,vsstrace.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,vsstrace.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,wbemprox.dll,*\Windows\System32\wbem*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,wbemprox.dll,*\Windows\SysWOW64\wbem*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,wbemsvc.dll,*\Windows\System32\wbem*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,wbemsvc.dll,*\Windows\SysWOW64\wbem*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,wcmapi.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,wcmapi.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,wcnnetsh.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,wdi.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,wdi.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,wdscore.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,wdscore.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,webservices.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,webservices.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,wecapi.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,wecapi.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,wer.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,wer.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,wevtapi.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,wevtapi.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,whhelper.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,whhelper.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,wimgapi.dll,*\Windows\System32\*,T1574.002,https://www.hexacorn.com/blog/2015/02/23/beyond-good-ol-run-key-part-28/ -TRUE,wimgapi.dll,*\Windows\SysWOW64\*,T1574.002,https://www.hexacorn.com/blog/2015/02/23/beyond-good-ol-run-key-part-28/ -TRUE,wimgapi.dll,*\Program Files\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\arm64\DISM*,T1574.002,https://www.hexacorn.com/blog/2015/02/23/beyond-good-ol-run-key-part-28/ -TRUE,winbio.dll,*\Windows\System32\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,winbio.dll,*\Windows\SysWOW64\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,winbrand.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,winbrand.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,windows.storage.dll,*\Windows\System32\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,windows.storage.dll,*\Windows\SysWOW64\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,windows.storage.search.dll,*\Windows\System32\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,windows.storage.search.dll,*\Windows\SysWOW64\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,windows.ui.immersive.dll,*\Windows\System32\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,windows.ui.immersive.dll,*\Windows\SysWOW64\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,windowscodecs.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,windowscodecs.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,windowscodecsext.dll,*\Windows\System32\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,windowscodecsext.dll,*\Windows\SysWOW64\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,windowsperformancerecordercontrol.dll,*\Program Files\windows kits\10\windows performance toolkit*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,windowsperformancerecordercontrol.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,windowsperformancerecordercontrol.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,windowsperformancerecorderui.dll,*\Program Files\Windows Kits\10\Windows Performance Toolkit*,T1574.002,https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/ -TRUE,windowsudk.shellcommon.dll,*\Windows\System32\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,windowsudk.shellcommon.dll,*\Windows\SysWOW64\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,winhttp.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,winhttp.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,wininet.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,wininet.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,winipsec.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,winipsec.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,winmde.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,winmm.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,winmm.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,winnsi.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,winnsi.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,winrnr.dll,*\Windows\System32\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,winrnr.dll,*\Windows\SysWOW64\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,winscard.dll,*\Windows\System32\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,winscard.dll,*\Windows\SysWOW64\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,winsqlite3.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,winsqlite3.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,winsta.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,winsta.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,winsync.dll,*\Windows\System32\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,winsync.dll,*\Windows\SysWOW64\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,winutils.dll,*\Program Files\Palo Alto Networks\Traps*,T1574.002,https://research.checkpoint.com/2023/rorschach-a-new-sophisticated-and-fast-ransomware/ -TRUE,wkscli.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,wkscli.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,wlanapi.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,wlanapi.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,wlancfg.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,wlancfg.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,wldp.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,wldp.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,wlidprov.dll,*\Windows\System32\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,wlidprov.dll,*\Windows\SysWOW64\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,wmiclnt.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,wmiclnt.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,wmidcom.dll,*\Windows\System32\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,wmidcom.dll,*\Windows\SysWOW64\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,wmiutils.dll,*\Windows\System32\wbem*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,wmiutils.dll,*\Windows\SysWOW64\wbem*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,wmpdui.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,wmsgapi.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,wmsgapi.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,wofutil.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,wofutil.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,wpdshext.dll,*\Windows\System32\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,wpdshext.dll,*\Windows\SysWOW64\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,wsc.dll,*\Program Files\AVAST Software\Avast*,T1574.001,https://github.com/netero1010/Vulnerability-Disclosure/tree/main/CVE-2022-AVAST2 -TRUE,wscapi.dll,*\Windows\System32\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,wscapi.dll,*\Windows\SysWOW64\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,wsdapi.dll,*\Windows\System32\*,T1574.002,https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/ -TRUE,wsdapi.dll,*\Windows\SysWOW64\*,T1574.002,https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/ -TRUE,wshbth.dll,*\Windows\System32\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,wshbth.dll,*\Windows\SysWOW64\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,wshelper.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,wshelper.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,wsmsvc.dll,*\Windows\System32\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,wsmsvc.dll,*\Windows\SysWOW64\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,wtsapi32.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,wtsapi32.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,wwancfg.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,wwancfg.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,wwapi.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,wwapi.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,xmllite.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,xmllite.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,xolehlp.dll,*\Windows\System32\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,xolehlp.dll,*\Windows\SysWOW64\*,T1574.002,https://wietze.github.io/blog/hijacking-dlls-in-windows -TRUE,xpsservices.dll,*\Windows\System32\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,xpsservices.dll,*\Windows\SysWOW64\*,T1574.002,https://securityintelligence.com/posts/windows-features-dll-sideloading/ -TRUE,xwizards.dll,*\Windows\System32\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,xwizards.dll,*\Windows\SysWOW64\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,xwtpw32.dll,*\Windows\System32\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables -TRUE,xwtpw32.dll,*\Windows\SysWOW64\*,T1574.007,https://wietze.github.io/blog/save-the-environment-variables diff --git a/dist/DA-ESS-ContentUpdate/lookups/images_to_repository.csv b/dist/DA-ESS-ContentUpdate/lookups/images_to_repository.csv deleted file mode 100644 index 5bc7335489..0000000000 --- a/dist/DA-ESS-ContentUpdate/lookups/images_to_repository.csv +++ /dev/null @@ -1,3 +0,0 @@ -image, repository -devsecops/cat_dog_client, splunk/devsecops_poc -devsecops/cat_dog_server, splunk/devsecops_poc \ No newline at end of file diff --git a/dist/DA-ESS-ContentUpdate/lookups/is_net_windows_file20231221.csv b/dist/DA-ESS-ContentUpdate/lookups/is_net_windows_file20231221.csv deleted file mode 100644 index 4c21dbd007..0000000000 --- a/dist/DA-ESS-ContentUpdate/lookups/is_net_windows_file20231221.csv +++ /dev/null @@ -1,47 +0,0 @@ -filename,originalFileName,netFile -MSBuild.exe,MSBuild.exe,True -ComSvcConfig.exe,ComSvcConfig.exe,True -DfsrAdmin.exe,DfsrAdmin.exe,True -dfsvc.exe,dfsvc.exe,True -Microsoft.Workflow.Compiler.exe,Microsoft.Workflow.Compiler.exe,True -SMSvcHost.exe,SMSvcHost.exe,True -WsatConfig.exe,WsatConfig.exe,True -AddInProcess.exe,AddInProcess.exe,True -AddInProcess32.exe,AddInProcess32.exe,True -AddInUtil.exe,AddInUtil.exe,True -aspnet_compiler.exe,aspnet_compiler.exe,True -aspnet_regbrowsers.exe,aspnet_regbrowsers.exe,True -aspnet_regsql.exe,aspnet_regsql.exe,True -CasPol.exe,CasPol.exe,True -DataSvcUtil.exe,DataSvcUtil.exe,True -EdmGen.exe,EdmGen.exe,True -InstallUtil.exe,InstallUtil.exe,True -jsc.exe,jsc.exe,True -ngentask.exe,ngentask.exe,True -ngen.exe,ngen.exe,True -RegAsm.exe,RegAsm.exe,True -RegSvcs.exe,RegSvcs.exe,True -SDNBR.exe,SDNBR.exe,True -acu.exe,acu.exe,True -AppVStreamingUX.exe,,True -dsac.exe,dsac.exe,True -LbfoAdmin.exe,LBFOADMIN.EXE,True -Microsoft.Uev.SyncController.exe,Microsoft.Uev.SyncController.exe,True -mtedit.exe,mtedit.exe,True -ScriptRunner.exe,ScriptRunner.exe,True -ServerManager.exe,servermanager.dll,True -stordiag.exe,stordiag.exe,True -storeadm.exe,storeadm.exe,True -tzsync.exe,tzsync.exe,True -UevAgentPolicyGenerator.exe,UevAgentPolicyGenerator.exe,True -UevAppMonitor.exe,UevAppMonitor.exe,True -UevTemplateBaselineGenerator.exe,UevTemplateBaselineGenerator.exe,True -UevTemplateConfigItemGenerator.exe,UevTemplateConfigItemGenerator.exe,True -powershell_ise.exe,powershell_ise.EXE,True -iediagcmd.exe,IEDiagCmd.exe,True -XBox.TCUI.exe,XBox.TCUI.exe,True -Microsoft.ActiveDirectory.WebServices.exe,Microsoft.ActiveDirectory.WebServices.exe,True -iisual.exe,iisual.exe,True -FileHistory.exe,FileHistory.exe,True -SecureAssessmentBrowser.exe,SecureAssessmentBrowser.exe,True -aspnet_regiis.exe,aspnet_regiis.exe,True \ No newline at end of file diff --git a/dist/DA-ESS-ContentUpdate/lookups/is_nirsoft_software20231221.csv b/dist/DA-ESS-ContentUpdate/lookups/is_nirsoft_software20231221.csv deleted file mode 100644 index 8e2ad32430..0000000000 --- a/dist/DA-ESS-ContentUpdate/lookups/is_nirsoft_software20231221.csv +++ /dev/null @@ -1,15 +0,0 @@ -filename,nirsoftFile -AdvancedRun.exe,True -ChromePass.exe,True -CredHistView.exe,True -Dialupass.exe,True -iepv.exe,True -LostMyPassword.exe,True -mailpv.exe,True -mspass.exe,True -netpass.exe,True -PasswordFox.exe,True -PasswordHashesView.exe,True -PstPassword.exe,True -RegHiveBackup.exe,True -WebBrowserPassView.exe,True \ No newline at end of file diff --git a/dist/DA-ESS-ContentUpdate/lookups/is_suspicious_file_extension_lookup.csv b/dist/DA-ESS-ContentUpdate/lookups/is_suspicious_file_extension_lookup.csv deleted file mode 100644 index 1284088431..0000000000 --- a/dist/DA-ESS-ContentUpdate/lookups/is_suspicious_file_extension_lookup.csv +++ /dev/null @@ -1,52 +0,0 @@ -file_name,suspicious -*.avi.com,true -*.avi.exe,true -*.doc.com,true -*.doc.exe,true -*.docx.com,true -*.docx.exe,true -*.jpg.com,true -*.jpg.exe,true -*.jpeg.com,true -*.jpeg.exe,true -*.mpg.com,true -*.mpg.exe,true -*.mpg2.com,true -*.mpg2.exe,true -*.mpeg.com,true -*.mpeg.exe,true -*.pdf.com,true -*.pdf.exe,true -*.png.com,true -*.png.exe,true -*.ppt.com,true -*.ppt.exe,true -*.pptx.com,true -*.pptx.exe,true -*.swf.com,true -*.swf.exe,true -*.xls.com,true -*.xls.exe,true -*.xlsx.com,true -*.xlsx.exe,true -*.zip.com,true -*.zip.exe,true -*.bat,true -*.chm,true -*.com,true -*.cmd,true -*.cpl,true -*.exe,true -*.hlp,true -*.hta,true -*.jar,true -*.js,true -*.msi,true -*.pif,true -*.ps1,true -*.rar,true -*.reg,true -*.scr,true -*.vbe,true -*.vbs,true -*.wsf,true diff --git a/dist/DA-ESS-ContentUpdate/lookups/is_windows_system_file20231221.csv b/dist/DA-ESS-ContentUpdate/lookups/is_windows_system_file20231221.csv deleted file mode 100644 index 96617dd524..0000000000 --- a/dist/DA-ESS-ContentUpdate/lookups/is_windows_system_file20231221.csv +++ /dev/null @@ -1,753 +0,0 @@ -filename,systemFile -acu.exe,true -AgentService.exe,true -aitstatic.exe,true -alg.exe,true -AppHostRegistrationVerifier.exe,true -appidcertstorecheck.exe,true -appidpolicyconverter.exe,true -appidtel.exe,true -ApplicationFrameHost.exe,true -ApplySettingsTemplateCatalog.exe,true -AppVClient.exe,true -AppVDllSurrogate.exe,true -AppVNice.exe,true -AppVStreamingUX.exe,true -ARP.EXE,true -at.exe,true -AtBroker.exe,true -attrib.exe,true -audiodg.exe,true -auditpol.exe,true -AuthHost.exe,true -autochk.exe,true -autoconv.exe,true -autofmt.exe,true -AxInstUI.exe,true -backgroundTaskHost.exe,true -BackgroundTransferHost.exe,true -bcastdvr.exe,true -bcdboot.exe,true -bcdedit.exe,true -BioIso.exe,true -bitsadmin.exe,true -bootcfg.exe,true -bootim.exe,true -bridgeunattend.exe,true -browser_broker.exe,true -bthudtask.exe,true -ByteCodeGenerator.exe,true -cacls.exe,true -calc.exe,true -CameraSettingsUIHost.exe,true -CastSrv.exe,true -CertEnrollCtrl.exe,true -certreq.exe,true -certutil.exe,true -change.exe,true -changepk.exe,true -charmap.exe,true -CheckNetIsolation.exe,true -chglogon.exe,true -chgport.exe,true -chgusr.exe,true -chkdsk.exe,true -chkntfs.exe,true -choice.exe,true -cipher.exe,true -cleanmgr.exe,true -cliconfg.exe,true -clip.exe,true -ClipUp.exe,true -CloudExperienceHostBroker.exe,true -CloudNotifications.exe,true -CloudStorageWizard.exe,true -cmd.exe,true -cmdkey.exe,true -cmdl32.exe,true -cmmon32.exe,true -cmstp.exe,true -cofire.exe,true -colorcpl.exe,true -comp.exe,true -compact.exe,true -CompatTelRunner.exe,true -CompMgmtLauncher.exe,true -ComputerDefaults.exe,true -Configure-SMRemoting.exe,true -conhost.exe,true -consent.exe,true -control.exe,true -convert.exe,true -CredentialUIBroker.exe,true -credwiz.exe,true -cscript.exe,true -csrss.exe,true -ctfmon.exe,true -cttune.exe,true -cttunesvr.exe,true -dasHost.exe,true -DataExchangeHost.exe,true -DataSenseLiveTileTask.exe,true -dccw.exe,true -dcgpofix.exe,true -dcomcnfg.exe,true -dcpromo.exe,true -ddodiag.exe,true -Defrag.exe,true -DeviceCensus.exe,true -DeviceEject.exe,true -DeviceEnroller.exe,true -DevicePairingWizard.exe,true -DeviceProperties.exe,true -DFDWiz.exe,true -dfrgui.exe,true -dfsrdiag.exe,true -dialer.exe,true -DIMC.exe,true -diskpart.exe,true -diskperf.exe,true -diskraid.exe,true -diskshadow.exe,true -DiskSnapshot.exe,true -Dism.exe,true -dispdiag.exe,true -DisplaySwitch.exe,true -djoin.exe,true -dllhost.exe,true -dllhst3g.exe,true -dmcertinst.exe,true -dmcfghost.exe,true -DmNotificationBroker.exe,true -DmOmaCpMo.exe,true -dnscacheugc.exe,true -doskey.exe,true -dpapimig.exe,true -DpiScaling.exe,true -dpnsvr.exe,true -driverquery.exe,true -drvcfg.exe,true -drvinst.exe,true -DsmUserTask.exe,true -dsregcmd.exe,true -dstokenclean.exe,true -dvdplay.exe,true -dwm.exe,true -DWWIN.EXE,true -dxdiag.exe,true -Dxpserver.exe,true -Eap3Host.exe,true -EaseOfAccessDialog.exe,true -easinvoker.exe,true -EasPoliciesBrokerHost.exe,true -EDPCleanup.exe,true -edpnotify.exe,true -efsui.exe,true -EhStorAuthn.exe,true -embeddedapplauncher.exe,true -EmbeddedAppLauncherConfig.exe,true -escUnattend.exe,true -esentutl.exe,true -eudcedit.exe,true -eventcreate.exe,true -eventvwr.exe,true -expand.exe,true -extrac32.exe,true -fc.exe,true -find.exe,true -findstr.exe,true -finger.exe,true -fixmapi.exe,true -fltMC.exe,true -fodhelper.exe,true -Fondue.exe,true -fontdrvhost.exe,true -fontview.exe,true -forfiles.exe,true -fsavailux.exe,true -fsquirt.exe,true -fsutil.exe,true -ftp.exe,true -GameBarPresenceWriter.exe,true -GamePanel.exe,true -GenValObj.exe,true -getmac.exe,true -gpresult.exe,true -gpscript.exe,true -gpupdate.exe,true -grpconv.exe,true -hdwwiz.exe,true -help.exe,true -HOSTNAME.EXE,true -hvax64.exe,true -hvix64.exe,true -hvloader.exe,true -hwrcomp.exe,true -hwrreg.exe,true -iashost.exe,true -icacls.exe,true -IcsEntitlementHost.exe,true -icsunattend.exe,true -ie4uinit.exe,true -ieUnatt.exe,true -iexpress.exe,true -immersivetpmvscmgrsvr.exe,true -InfDefaultInstall.exe,true -InstallAgent.exe,true -InstallAgentUserBroker.exe,true -ipconfig.exe,true -iscsicli.exe,true -iscsicpl.exe,true -isoburn.exe,true -klist.exe,true -ksetup.exe,true -ktmutil.exe,true -ktpass.exe,true -label.exe,true -LanguageComponentsInstallerComHandler.exe,true -LaunchTM.exe,true -LaunchWinApp.exe,true -LbfoAdmin.exe,true -LegacyNetUXHost.exe,true -LicenseManagerShellext.exe,true -licensingdiag.exe,true -LicensingUI.exe,true -LocationNotificationWindows.exe,true -Locator.exe,true -LockAppHost.exe,true -LockScreenContentServer.exe,true -lodctr.exe,true -logagent.exe,true -logman.exe,true -logoff.exe,true -LogonUI.exe,true -lpkinstall.exe,true -lpksetup.exe,true -lpremove.exe,true -LsaIso.exe,true -lsass.exe,true -Magnify.exe,true -makecab.exe,true -mavinject.exe,true -MbaeParserTask.exe,true -mblctr.exe,true -mcbuilder.exe,true -MDEServer.exe,true -MDMAgent.exe,true -MDMAppInstaller.exe,true -MdmDiagnosticsTool.exe,true -MdRes.exe,true -MdSched.exe,true -mfpmp.exe,true -Microsoft.Uev.CscUnpinTool.exe,true -Microsoft.Uev.SyncController.exe,true -mmc.exe,true -mobsync.exe,true -mountvol.exe,true -mpnotify.exe,true -MpSigStub.exe,true -MRINFO.EXE,true -MRT-KB890830.exe,true -MRT.exe,true -MSchedExe.exe,true -msconfig.exe,true -msdt.exe,true -msdtc.exe,true -msfeedssync.exe,true -msg.exe,true -mshta.exe,true -msiexec.exe,true -msinfo32.exe,true -mspaint.exe,true -MsSpellCheckingHost.exe,true -mstsc.exe,true -mtstocom.exe,true -MuiUnattend.exe,true -MultiDigiMon.exe,true -MusNotification.exe,true -MusNotificationUx.exe,true -Narrator.exe,true -nbtstat.exe,true -ndadmin.exe,true -net.exe,true -net1.exe,true -netbtugc.exe,true -netcfg.exe,true -NetCfgNotifyObjectHost.exe,true -netdom.exe,true -NetEvtFwdr.exe,true -NetHost.exe,true -netiougc.exe,true -Netplwiz.exe,true -netsh.exe,true -NETSTAT.EXE,true -newdev.exe,true -nltest.exe,true -notepad.exe,true -nslookup.exe,true -ntoskrnl.exe,true -ntprint.exe,true -odbcad32.exe,true -odbcconf.exe,true -omadmclient.exe,true -omadmprc.exe,true -openfiles.exe,true -OpenWith.exe,true -OptionalFeatures.exe,true -osk.exe,true -PackagedCWALauncher.exe,true -PackageInspector.exe,true -PasswordOnWakeSettingFlyout.exe,true -PATHPING.EXE,true -pcalua.exe,true -pcaui.exe,true -pcwrun.exe,true -perfmon.exe,true -phoneactivate.exe,true -PickerHost.exe,true -PING.EXE,true -PkgMgr.exe,true -plasrv.exe,true -PnPUnattend.exe,true -pnputil.exe,true -poqexec.exe,true -powercfg.exe,true -PresentationHost.exe,true -PresentationSettings.exe,true -prevhost.exe,true -print.exe,true -PrintBrmUi.exe,true -PrintDialogHost.exe,true -PrintDialogHost3D.exe,true -printfilterpipelinesvc.exe,true -PrintIsolationHost.exe,true -printui.exe,true -proquota.exe,true -psr.exe,true -pwlauncher.exe,true -qappsrv.exe,true -qprocess.exe,true -query.exe,true -quser.exe,true -qwinsta.exe,true -rasdial.exe,true -rdpclip.exe,true -rdpinit.exe,true -rdpinput.exe,true -RdpSa.exe,true -RdpSaProxy.exe,true -RdpSaUacHelper.exe,true -rdpshell.exe,true -rdpsign.exe,true -rdrleakdiag.exe,true -RDSPnf.exe,true -ReAgentc.exe,true -recover.exe,true -RecoveryDrive.exe,true -reg.exe,true -regedt32.exe,true -regini.exe,true -Register-CimProvider.exe,true -regsvr32.exe,true -rekeywiz.exe,true -relog.exe,true -RelPost.exe,true -RemotePosWorker.exe,true -replace.exe,true -reset.exe,true -ResetEngine.exe,true -resmon.exe,true -RMActivate.exe,true -RMActivate_isv.exe,true -RMActivate_ssp.exe,true -RMActivate_ssp_isv.exe,true -RmClient.exe,true -rmttpmvscmgrsvr.exe,true -Robocopy.exe,true -ROUTE.EXE,true -RpcPing.exe,true -rrinstaller.exe,true -rsopprov.exe,true -runas.exe,true -rundll32.exe,true -RunLegacyCPLElevated.exe,true -runonce.exe,true -RuntimeBroker.exe,true -rwinsta.exe,true -sacsess.exe,true -sc.exe,true -schtasks.exe,true -ScriptRunner.exe,true -sdbinst.exe,true -sdiagnhost.exe,true -SearchFilterHost.exe,true -SearchIndexer.exe,true -SearchProtocolHost.exe,true -SecEdit.exe,true -secinit.exe,true -securekernel.exe,true -SensorDataService.exe,true -ServerManager.exe,true -ServerManagerLauncher.exe,true -services.exe,true -sessionmsg.exe,true -sethc.exe,true -setres.exe,true -setspn.exe,true -SettingSyncHost.exe,true -setupcl.exe,true -setupugc.exe,true -setx.exe,true -sfc.exe,true -shrpubw.exe,true -shutdown.exe,true -sigverif.exe,true -SIHClient.exe,true -sihost.exe,true -SlideToShutDown.exe,true -slui.exe,true -smartscreen.exe,true -SmartScreenSettings.exe,true -smss.exe,true -SndVol.exe,true -SnippingTool.exe,true -snmptrap.exe,true -sort.exe,true -SpaceAgent.exe,true -spaceman.exe,true -spoolsv.exe,true -SppExtComObj.Exe,true -sppsvc.exe,true -stordiag.exe,true -subst.exe,true -svchost.exe,true -sxstrace.exe,true -SyncAppvPublishingServer.exe,true -SyncHost.exe,true -syskey.exe,true -SysResetErr.exe,true -systeminfo.exe,true -SystemPropertiesAdvanced.exe,true -SystemPropertiesComputerName.exe,true -SystemPropertiesDataExecutionPrevention.exe,true -SystemPropertiesHardware.exe,true -SystemPropertiesPerformance.exe,true -SystemPropertiesProtection.exe,true -SystemPropertiesRemote.exe,true -systemreset.exe,true -SystemSettingsAdminFlows.exe,true -SystemSettingsBroker.exe,true -SystemSettingsRemoveDevice.exe,true -systray.exe,true -tabcal.exe,true -takeown.exe,true -TapiUnattend.exe,true -taskhostw.exe,true -taskkill.exe,true -tasklist.exe,true -Taskmgr.exe,true -tcmsetup.exe,true -TCPSVCS.EXE,true -tdlrecover.exe,true -ThumbnailExtractionHost.exe,true -TieringEngineService.exe,true -timeout.exe,true -TokenBrokerCookies.exe,true -TpmInit.exe,true -tpmvscmgr.exe,true -tpmvscmgrsvr.exe,true -tracerpt.exe,true -TRACERT.EXE,true -tscon.exe,true -tsdiscon.exe,true -tsecimp.exe,true -tskill.exe,true -TSTheme.exe,true -TSWbPrxy.exe,true -typeperf.exe,true -tzsync.exe,true -tzutil.exe,true -ucsvc.exe,true -UevAgentPolicyGenerator.exe,true -UevAppMonitor.exe,true -UevTemplateBaselineGenerator.exe,true -UevTemplateConfigItemGenerator.exe,true -UI0Detect.exe,true -unlodctr.exe,true -unregmp2.exe,true -UpgradeResultsUI.exe,true -upnpcont.exe,true -UserAccountBroker.exe,true -UserAccountControlSettings.exe,true -userinit.exe,true -UsoClient.exe,true -Utilman.exe,true -VaultCmd.exe,true -vds.exe,true -vdsldr.exe,true -verclsid.exe,true -verifier.exe,true -verifiergui.exe,true -vssadmin.exe,true -VSSUIRUN.exe,true -VSSVC.exe,true -w32tm.exe,true -waitfor.exe,true -WallpaperHost.exe,true -WebCache.exe,true -wecutil.exe,true -WerFault.exe,true -WerFaultSecure.exe,true -wermgr.exe,true -wevtutil.exe,true -wextract.exe,true -where.exe,true -whoami.exe,true -wiaacmgr.exe,true -wiawow64.exe,true -wimserv.exe,true -win32calc.exe,true -WinBioDataModelOOBE.exe,true -Windows.Media.BackgroundPlayback.exe,true -WindowsActionDialog.exe,true -WindowsUpdateElevatedInstaller.exe,true -wininit.exe,true -winload.exe,true -winlogon.exe,true -winresume.exe,true -winrs.exe,true -winrshost.exe,true -WinSAT.exe,true -winver.exe,true -wkspbroker.exe,true -wksprt.exe,true -wlrmdr.exe,true -WMPDMC.exe,true -wowreg32.exe,true -WPDShextAutoplay.exe,true -wpr.exe,true -write.exe,true -WSCollect.exe,true -wscript.exe,true -WSManHTTPConfig.exe,true -wsmprovhost.exe,true -wsqmcons.exe,true -WSReset.exe,true -wuapihost.exe,true -wuauclt.exe,true -WUDFHost.exe,true -wusa.exe,true -WWAHost.exe,true -XblGameSaveTask.exe,true -xcopy.exe,true -xwizard.exe,true -comrepl.exe,true -MigRegDB.exe,true -DiagnosticsHub.StandardCollector.Service.exe,true -DismHost.exe,true -F12Chooser.exe,true -IMJPDCT.EXE,true -IMJPSET.EXE,true -IMJPUEX.EXE,true -imjpuexc.exe,true -IMTCLNWZ.EXE,true -IMTCPROP.exe,true -IMCCPHR.exe,true -ImeBroker.exe,true -imecfmui.exe,true -IMEDICTUPDATEUI.EXE,true -IMEPADSV.EXE,true -IMESEARCH.EXE,true -IMEWDBLD.EXE,true -ChsIME.exe,true -ChtIME.exe,true -mighost.exe,true -audit.exe,true -AuditShD.exe,true -FirstLogonAnim.exe,true -msoobe.exe,true -oobeldr.exe,true -Setup.exe,true -UserOOBEBroker.exe,true -windeploy.exe,true -SpeechUXWiz.exe,true -SpeechModelDownload.exe,true -SpeechRuntime.exe,true -PrintBrm.exe,true -PrintBrmEngine.exe,true -sysprep.exe,true -SystemResetPlatform.exe,true -mofcomp.exe,true -scrcons.exe,true -unsecapp.exe,true -wbemtest.exe,true -WinMgmt.exe,true -WMIADAP.exe,true -WmiApSrv.exe,true -WMIC.exe,true -WmiPrvSE.exe,true -powershell.exe,true -powershell_ise.exe,true -dplaysvr.exe,true -dtdump.exe,true -hh.exe,true -instnm.exe,true -perfhost.exe,true -rasautou.exe,true -rasphone.exe,true -regedit.exe,true -setup16.exe,true -user.exe,true -_isdel.exe,true -agentactivationruntimestarter.exe,true -ApplyTrustOffline.exe,true -ApproveChildRequest.exe,true -appverif.exe,true -baaupdate.exe,true -bash.exe,true -bdechangepin.exe,true -BdeHdCfg.exe,true -BdeUISrv.exe,true -bdeunlock.exe,true -BitLockerDeviceEncryption.exe,true -BitLockerWizard.exe,true -BitLockerWizardElev.exe,true -bootsect.exe,true -browserexport.exe,true -CIDiag.exe,true -CompPkgSrv.exe,true -convertvhd.exe,true -coredpussvr.exe,true -CredentialEnrollmentManager.exe,true -curl.exe,true -CustomInstallExec.exe,true -d3dconfig.exe,true -DataStoreCacheDumpTool.exe,true -DataUsageLiveTileTask.exe,true -deploymentcsphelper.exe,true -desktopimgdownldr.exe,true -DeviceCredentialDeployment.exe,true -directxdatabaseupdater.exe,true -dmclient.exe,true -DTUHandler.exe,true -dusmtask.exe,true -DXCap.exe,true -DXCpl.exe,true -dxgiadaptercache.exe,true -EASPolicyManagerBrokerHost.exe,true -EduPrintProv.exe,true -EoAExperiences.exe,true -fhmanagew.exe,true -FileHistory.exe,true -FsIso.exe,true -fvenotify.exe,true -fveprompt.exe,true -FXSCOVER.exe,true -FXSSVC.exe,true -FXSUNATD.exe,true -hcsdiag.exe,true -hnsdiag.exe,true -hvsievaluator.exe,true -ie4ushowIE.exe,true -IESettingSync.exe,true -InputSwitchToastHandler.exe,true -iotstartup.exe,true -manage-bde.exe,true -MBR2GPT.EXE,true -microsoft.windows.softwarelogo.showdesktop.exe,true -MicrosoftEdgeBCHost.exe,true -MicrosoftEdgeCP.exe,true -MicrosoftEdgeDevTools.exe,true -MicrosoftEdgeSH.exe,true -mmgaserver.exe,true -MoUsoCoreWorker.exe,true -msra.exe,true -MusNotifyIcon.exe,true -NDKPing.exe,true -NgcIso.exe,true -nmbind.exe,true -nmscrub.exe,true -nvspinfo.exe,true -ofdeploy.exe,true -pacjsworker.exe,true -PinEnrollmentBroker.exe,true -PktMon.exe,true -pospaymentsworker.exe,true -provlaunch.exe,true -provtool.exe,true -ProximityUxHost.exe,true -prproc.exe,true -quickassist.exe,true -raserver.exe,true -RDVGHelper.exe,true -recdisc.exe,true -refsutil.exe,true -RemoteAppLifetimeManager.exe,true -RemoteFXvGPUDisablement.exe,true -repair-bde.exe,true -rstrui.exe,true -runexehelper.exe,true -sdchange.exe,true -sdclt.exe,true -SecurityHealthHost.exe,true -SecurityHealthService.exe,true -SecurityHealthSystray.exe,true -SgrmBroker.exe,true -SgrmLpac.exe,true -SpatialAudioLicenseSrv.exe,true -Spectrum.exe,true -srdelayed.exe,true -SrTasks.exe,true -SystemUWPLauncher.exe,true -tar.exe,true -tcblaunch.exe,true -TpmTool.exe,true -ttdinject.exe,true -tttracer.exe,true -UIMgrBroker.exe,true -upfc.exe,true -usocoreworker.exe,true -UtcDecoderHost.exe,true -VBoxControl.exe,true -VBoxService.exe,true -VBoxTray.exe,true -vfpctrl.exe,true -vmcompute.exe,true -vmwp.exe,true -VsGraphicsDesktopEngine.exe,true -VsGraphicsRemoteEngine.exe,true -vsjitdebugger.exe,true -WaaSMedicAgent.exe,true -wbadmin.exe,true -wbengine.exe,true -WFS.exe,true -wifitask.exe,true -Windows.WARP.JITService.exe,true -WinRTNetMUAHostServer.exe,true -wlanext.exe,true -WorkFolders.exe,true -WpcMon.exe,true -WpcTok.exe,true -wpnpinst.exe,true -wscadminui.exe,true -wsl.exe,true -wslconfig.exe,true -WUDFCompanionHost.exe,true -IEChooser.exe,true -wslhost.exe,true -scp.exe,true -sftp.exe,true -ssh-add.exe,true -ssh-agent.exe,true -ssh-keygen.exe,true -ssh-keyscan.exe,true -ssh.exe,true -PerceptionSimulationInput.exe,true -PerceptionSimulationService.exe,true -UNPUXHost.exe,true -UNPUXLauncher.exe,true -UpdateNotificationMgr.exe,true -FaceFodUninstaller.exe,true -wlms.exe,true -OneDriveSetup.exe,true -OposHost.exe,true \ No newline at end of file diff --git a/dist/DA-ESS-ContentUpdate/lookups/legit_domains.csv b/dist/DA-ESS-ContentUpdate/lookups/legit_domains.csv deleted file mode 100644 index b2a75bf36e..0000000000 --- a/dist/DA-ESS-ContentUpdate/lookups/legit_domains.csv +++ /dev/null @@ -1,20 +0,0 @@ -domain, isLegit -amazon.com, True -ssl-images-amazon.com, True -facebook.com, True -xx.fbcdn.net, True -github.com, True -githubassets.com, True -instagram.com, True -linkedin.com, True -microsoftonline.com, True -office.com, True -okta.com, True -live.com, True -protonmail.com, True -reddit.com, True -redditstatic.com, True -twitter.com, True -twimg.com, True -google.com, True - diff --git a/dist/DA-ESS-ContentUpdate/lookups/linux_tool_discovery_process.csv b/dist/DA-ESS-ContentUpdate/lookups/linux_tool_discovery_process.csv deleted file mode 100644 index 98b55d4efc..0000000000 --- a/dist/DA-ESS-ContentUpdate/lookups/linux_tool_discovery_process.csv +++ /dev/null @@ -1,61 +0,0 @@ -process -cat /proc/version -cat /etc/*-release -/etc/passwd -cat /etc/* -lastlog -id -PermitRootLogin -sestatus * -ps -mysql* -netstat* -find * -head /var/mail/root -docker -cat /etc/issue -cat /etc/*-release -cat /proc/version -uname -a -uname -mrs -rpm -q kernel -dmesg | grep Linux -ls /boot | grep vmlinuz- -cat /etc/profile -cat /etc/bashrc -cat ~/.bash_profile -cat ~/.bashrc -cat ~/.bash_logout -ps -aux | grep root -ps -ef | grep root -crontab -l -cat /etc/cron* -cat /etc/cron.allow -cat /etc/cron.deny -cat /etc/crontab -grep -i user * -grep -i pass * -ifconfig -cat /etc/network/interfaces -cat /etc/sysconfig/network -cat /etc/resolv.conf -cat /etc/networks -cvelist-file:* -exploit-db* -strings -e /etc/apache2/apache2.conf -strings -e /etc/ssh/sshd_config -strings -e /etc/shadow -iptables -L -lsof -i -netstat -antup -netstat -antpx -netstat -tulpn -arp -e -route -cat /etc/passwd -cat /etc/group -cat /etc/shadow -find / -perm -u=s -find / -perm -g=s -find / -perm -4000 -find / -perm -2000 \ No newline at end of file diff --git a/dist/DA-ESS-ContentUpdate/lookups/local_file_inclusion_paths.csv b/dist/DA-ESS-ContentUpdate/lookups/local_file_inclusion_paths.csv deleted file mode 100644 index f0a0de38a5..0000000000 --- a/dist/DA-ESS-ContentUpdate/lookups/local_file_inclusion_paths.csv +++ /dev/null @@ -1,1009 +0,0 @@ -local_file_inclusion_paths, lfi_path -*/apache2/logs/access.log*, yes -*/apache2/logs/error.log*, yes -*/apache/conf/httpd.conf*, yes -*/apache/logs/access.log*, yes -*/apache/logs/error.log*, yes -*/apache/php/php.ini*, yes -*/apachephpphp.ini*, yes -*/bin/php.ini*, yes -*/boot/grub/grub.cfg*, yes -*/boot/grub/menu.lst*, yes -*/etc/adduser.conf*, yes -*/etc/alias*, yes -*/etc/apache22/conf/httpd.conf*, yes -*/etc/apache22/httpd.conf*, yes -*/etc/apache2/apache2.conf*, yes -*/etc/apache2/apache.conf*, yes -*/etc/apache2/conf/httpd.conf*, yes -*/etc/apache2/default-server.conf*, yes -*/etc/apache2/envvars*, yes -*/etc/apache2/httpd2.conf*, yes -*/etc/apache2/httpd.conf*, yes -*/etc/apache2/mods-available/autoindex.conf*, yes -*/etc/apache2/mods-available/deflate.conf*, yes -*/etc/apache2/mods-available/dir.conf*, yes -*/etc/apache2/mods-available/mem_cache.conf*, yes -*/etc/apache2/mods-available/mime.conf*, yes -*/etc/apache2/mods-available/proxy.conf*, yes -*/etc/apache2/mods-available/setenvif.conf*, yes -*/etc/apache2/mods-available/ssl.conf*, yes -*/etc/apache2/mods-enabled/alias.conf*, yes -*/etc/apache2/mods-enabled/deflate.conf*, yes -*/etc/apache2/mods-enabled/dir.conf*, yes -*/etc/apache2/mods-enabled/mime.conf*, yes -*/etc/apache2/mods-enabled/negotiation.conf*, yes -*/etc/apache2/mods-enabled/php5.conf*, yes -*/etc/apache2/mods-enabled/status.conf*, yes -*/etc/apache2/ports.conf*, yes -*/etc/apache2/sites-available/default*, yes -*/etc/apache2/sites-available/default-ssl*, yes -*/etc/apache2/sites-enabled/000-default*, yes -*/etc/apache2/sites-enabled/default*, yes -*/etc/apache2/ssl-global.conf*, yes -*/etc/apache/access.conf*, yes -*/etc/apache/apache.conf*, yes -*/etc/apache/conf/httpd.conf*, yes -*/etc/apache/default-server.conf*, yes -*/etc/apache/httpd.conf*, yes -*/etc/apt/apt.conf*, yes -*/etc/avahi/avahi-daemon.conf*, yes -*/etc/bash.bashrc*, yes -*/etc/bluetooth/input.conf*, yes -*/etc/bluetooth/main.conf*, yes -*/etc/bluetooth/network.conf*, yes -*/etc/bluetooth/rfcomm.conf*, yes -*/etc/ca-certificates.conf*, yes -*/etc/ca-certificates.conf.dpkg-old*, yes -*/etc/casper.conf*, yes -*/etc/chkrootkit.conf*, yes -*/etc/chrootUsers*, yes -*/etc/clamav/clamd.conf*, yes -*/etc/clamav/freshclam.conf*, yes -*/etc/crontab*, yes -*/etc/crypttab*, yes -*/etc/cups/acroread.conf*, yes -*/etc/cups/cupsd.conf*, yes -*/etc/cups/cupsd.conf.default*, yes -*/etc/cups/pdftops.conf*, yes -*/etc/cups/printers.conf*, yes -*/etc/cvs-cron.conf*, yes -*/etc/cvs-pserver.conf*, yes -*/etc/debconf.conf*, yes -*/etc/debian_version*, yes -*/etc/default/grub*, yes -*/etc/deluser.conf*, yes -*/etc/dhcp3/dhclient.conf*, yes -*/etc/dhcp3/dhcpd.conf*, yes -*/etc/dhcp/dhclient.conf*, yes -*/etc/dns2tcpd.conf*, yes -*/etc/e2fsck.conf*, yes -*/etc/esound/esd.conf*, yes -*/etc/etter.conf*, yes -*/etc/exports*, yes -*/etc/fedora-release*, yes -*/etc/firewall.rules*, yes -*/etc/foremost.conf*, yes -*/etc/fstab*, yes -*/etc/ftpchroot*, yes -*/etc/ftphosts*, yes -*/etc/ftpusers*, yes -*/etc/fuse.conf*, yes -*/etc/group*, yes -*/etc/group-*, yes -*/etc/hdparm.conf*, yes -*/etc/host.conf*, yes -*/etc/hostname*, yes -*/etc/hosts*, yes -*/etc/hosts.allow*, yes -*/etc/hosts.deny*, yes -*/etc/http/conf/httpd.conf*, yes -*/etc/httpd/apache2.conf*, yes -*/etc/httpd/apache.conf*, yes -*/etc/httpd.conf*, yes -*/etc/httpd/conf*, yes -*/etc/httpd/conf/apache2.conf*, yes -*/etc/httpd/conf/apache.conf*, yes -*/etc/httpd/conf.d*, yes -*/etc/httpd/conf/httpd.conf*, yes -*/etc/httpd/extra/httpd-ssl.conf*, yes -*/etc/httpd/httpd.conf*, yes -*/etc/httpd/logs/acces.log*, yes -*/etc/httpd/logs/acces_log*, yes -*/etc/httpd/logs/access.log*, yes -*/etc/httpd/logs/access_log*, yes -*/etc/httpd/logs/error.log*, yes -*/etc/httpd/logs/error_log*, yes -*/etc/httpd/mod_php.conf*, yes -*/etc/httpd/php.ini*, yes -*/etc/http/httpd.conf*, yes -*/etc/inetd.conf*, yes -*/etc/init.d*, yes -*/etc/inittab*, yes -*/etc/ipfw.conf*, yes -*/etc/ipfw.rules*, yes -*/etc/issue*, yes -*/etc/issue.net*, yes -*/etc/kbd/config*, yes -*/etc/kernel-img.conf*, yes -*/etc/kernel-pkg.conf*, yes -*/etc/ldap/ldap.conf*, yes -*/etc/ld.so.conf*, yes -*/etc/lighttpd/lighthttpd.conf*, yes -*/etc/login.defs*, yes -*/etc/logrotate.conf*, yes -*/etc/ltrace.conf*, yes -*/etc/mail/sendmail.conf*, yes -*/etc/mandrake-release*, yes -*/etc/manpath.config*, yes -*/etc/miredo.conf*, yes -*/etc/miredo/miredo.conf*, yes -*/etc/miredo/miredo-server.conf*, yes -*/etc/miredo-server.conf*, yes -*/etc/modules*, yes -*/etc/mono/config*, yes -*/etc/motd*, yes -*/etc/mtab*, yes -*/etc/mtools.conf*, yes -*/etc/muddleftpd.com*, yes -*/etc/muddleftpd/muddleftpd.conf*, yes -*/etc/muddleftpd/muddleftpd.passwd*, yes -*/etc/muddleftpd/mudlog*, yes -*/etc/muddleftpd/mudlogd.conf*, yes -*/etc/muddleftpd/passwd*, yes -*/etc/my.cnf*, yes -*/etc/mysql/my.cnf*, yes -*/etc/networks*, yes -*/etc/nginx/nginx.conf*, yes -*/etc/openldap/ldap.conf*, yes -*/etc/os-release*, yes -*/etc/osxhttpd/osxhttpd.conf*, yes -*/etc/pam.conf*, yes -*/etc/passwd*, yes -*/etc/passwd-*, yes -*/etc/passwd~*, yes -*/etc/password.master*, yes -*/etc/php4/apache2/php.ini*, yes -*/etc/php4/apache/php.ini*, yes -*/etc/php4/cgi/php.ini*, yes -*/etc/php5/apache2/php.ini*, yes -*/etc/php5/apache/php.ini*, yes -*/etc/php5/cgi/php.ini*, yes -*/etc/php/apache2/php.ini*, yes -*/etc/php/apache/php.ini*, yes -*/etc/php/cgi/php.ini*, yes -*/etc/php.ini*, yes -*/etc/phpmyadmin/config.inc.php*, yes -*/etc/php/php4/php.ini*, yes -*/etc/php/php.ini*, yes -*/etc/postgresql/pg_hba.conf*, yes -*/etc/postgresql/postgresql.conf*, yes -*/etc/profile*, yes -*/etc/proftp.conf*, yes -*/etc/proftpd/modules.conf*, yes -*/etc/protpd/proftpd.conf*, yes -*/etc/pulse/client.conf*, yes -*/etc/pure-ftpd.conf*, yes -*/etc/pureftpd.passwd*, yes -*/etc/pureftpd.pdb*, yes -*/etc/pure-ftpd/pure-ftpd.conf*, yes -*/etc/pure-ftpd/pure-ftpd.pdb*, yes -*/etc/pure-ftpd/pureftpd.pdb*, yes -*/etc/rc.conf*, yes -*/etc/redhat-release*, yes -*/etc/resolv.conf*, yes -*/etc/samba/dhcp.conf*, yes -*/etc/samba/netlogon*, yes -*/etc/samba/private/smbpasswd*, yes -*/etc/samba/samba.conf*, yes -*/etc/samba/smb.conf*, yes -*/etc/samba/smb.conf.user*, yes -*/etc/samba/smbpasswd*, yes -*/etc/samba/smbusers*, yes -*/etc/security/access.conf*, yes -*/etc/security/environ*, yes -*/etc/security/failedlogin*, yes -*/etc/security/group*, yes -*/etc/security/group.conf*, yes -*/etc/security/lastlog*, yes -*/etc/security/limits*, yes -*/etc/security/limits.conf*, yes -*/etc/security/namespace.conf*, yes -*/etc/security/opasswd*, yes -*/etc/security/pam_env.conf*, yes -*/etc/security/passwd*, yes -*/etc/security/passwd*, yes -*/etc/security/sepermit.conf*, yes -*/etc/security/time.conf*, yes -*/etc/security/user*, yes -*/etc/sensors3.conf*, yes -*/etc/sensors.conf*, yes -*/etc/shadow*, yes -*/etc/shadow-*, yes -*/etc/shadow~*, yes -*/etc/slackware-release*, yes -*/etc/smb.conf*, yes -*/etc/smbpasswd*, yes -*/etc/smi.conf*, yes -*/etc/squirrelmail/apache.conf*, yes -*/etc/squirrelmail/config/config.php*, yes -*/etc/squirrelmail/config_default.php*, yes -*/etc/squirrelmail/config_local.php*, yes -*/etc/squirrelmail/config.php*, yes -*/etc/squirrelmail/default_pref*, yes -*/etc/squirrelmail/filters_setup.php*, yes -*/etc/squirrelmail/index.php*, yes -*/etc/squirrelmail/sqspell_config.php*, yes -*/etc/ssh/sshd_config*, yes -*/etc/sso/sso_config.ini*, yes -*/etc/stunnel/stunnel.conf*, yes -*/etc/sudoers*, yes -*/etc/SUSE-release*, yes -*/etc/sysconfig/network-scripts/ifcfg-eth0*, yes -*/etc/sysctl.conf*, yes -*/etc/syslog.conf*, yes -*/etc/timezone*, yes -*/etc/tinyproxy/tinyproxy.conf*, yes -*/etc/tor/tor-tsocks.conf*, yes -*/etc/tsocks.conf*, yes -*/etc/updatedb.conf*, yes -*/etc/updatedb.conf.BeforeVMwareToolsInstall*, yes -*/etc/utmp*, yes -*/etc/vhcs2/proftpd/proftpd.conf*, yes -*/etc/vmware-tools/config*, yes -*/etc/vmware-tools/tpvmlp.conf*, yes -*/etc/vmware-tools/vmware-tools-libraries.conf*, yes -*/etc/vsftpd.chroot_list*, yes -*/etc/vsftpd.conf*, yes -*/etc/vsftpd/vsftpd.conf*, yes -*/etc/webmin/miniserv.conf*, yes -*/etc/webmin/miniserv.users*, yes -*/etc/wicd/dhclient.conf.template.default*, yes -*/etc/wicd/manager-settings.conf*, yes -*/etc/wicd/wired-settings.conf*, yes -*/etc/wicd/wireless-settings.conf*, yes -*/etc/wu-ftpd/ftpaccess*, yes -*/etc/wu-ftpd/ftphosts*, yes -*/etc/wu-ftpd/ftpusers*, yes -*/etc/X11/xorg.conf*, yes -*/etc/X11/xorg.conf.BeforeVMwareToolsInstall*, yes -*/etc/X11/xorg.conf.orig*, yes -*/etc/X11/xorg.conf-vesa*, yes -*/etc/X11/xorg.conf-vmware*, yes -*/home2/bin/stable/apache/php.ini*, yes -*/home2binstableapachephp.ini*, yes -*/home/bin/stable/apache/php.ini*, yes -*/homebinstableapachephp.ini*, yes -*/home/postgres/data/pg_hba.conf*, yes -*/home/postgres/data/pg_ident.conf*, yes -*/home/postgres/data/PG_VERSION*, yes -*/home/postgres/data/postgresql.conf*, yes -*/home/user/lighttpd/lighttpd.conf*, yes -*/http/httpd.conf*, yes -*/[JBOSS]/server/default/conf/jboss-minimal.xml*, yes -*/[JBOSS]/server/default/conf/jboss-service.xml*, yes -*/[JBOSS]/server/default/conf/jndi.properties*, yes -*/[JBOSS]/server/default/conf/log4j.xml*, yes -*/[JBOSS]/server/default/conf/login-config.xml*, yes -*/[JBOSS]/server/default/conf/server.log.properties*, yes -*/[JBOSS]/server/default/conf/standardjaws.xml*, yes -*/[JBOSS]/server/default/conf/standardjboss.xml*, yes -*/[JBOSS]/server/default/deploy/jboss-logging.xml*, yes -*/[JBOSS]/server/default/log/boot.log*, yes -*/[JBOSS]/server/default/log/server.log*, yes -*/Library/WebServer/Documents/default.htm*, yes -*/Library/WebServer/Documents/default.html*, yes -*/Library/WebServer/Documents/default.php*, yes -*/Library/WebServer/Documents/.htaccess*, yes -*/Library/WebServer/Documents/index.htm*, yes -*/Library/WebServer/Documents/index.html*, yes -*/Library/WebServer/Documents/index.php*, yes -*/logs/access.log*, yes -*/logs/access_log*, yes -*/logs/error.log*, yes -*/logs/error_log*, yes -*/logs/pure-ftpd.log*, yes -*/logs/security_debug_log*, yes -*/logs/security_log*, yes -*/mysql/bin/my.ini*, yes -*/MySQL/data/{HOST}.err*, yes -*/MySQL/data/mysql-bin.index*, yes -*/MySQL/data/mysql-bin.log*, yes -*/MySQL/data/mysql.err*, yes -*/MySQL/data/mysql.log*, yes -*/MySQL/my.cnf*, yes -*/MySQL/my.ini*, yes -*/NetServer/bin/stable/apache/php.ini*, yes -*/NetServerbinstableapachephp.ini*, yes -*/opt/apache22/conf/httpd.conf*, yes -*/opt/apache2/apache2.conf*, yes -*/opt/apache2/apache.conf*, yes -*/opt/apache2/conf/apache2.conf*, yes -*/opt/apache2/conf/apache.conf*, yes -*/opt/apache2/conf/httpd.conf*, yes -*/opt/apache/apache2.conf*, yes -*/opt/apache/apache.conf*, yes -*/opt/apache/conf/apache2.conf*, yes -*/opt/apache/conf/apache.conf*, yes -*/opt/apache/conf/httpd.conf*, yes -*/opt/httpd/apache2.conf*, yes -*/opt/httpd/apache.conf*, yes -*/opt/httpd/conf/apache2.conf*, yes -*/opt/httpd/conf/apache.conf*, yes -*/opt/[JBOSS]/server/default/conf/jboss-minimal.xml*, yes -*/opt/[JBOSS]/server/default/conf/jboss-service.xml*, yes -*/opt/[JBOSS]/server/default/conf/jndi.properties*, yes -*/opt/[JBOSS]/server/default/conf/log4j.xml*, yes -*/opt/[JBOSS]/server/default/conf/login-config.xml*, yes -*/opt/[JBOSS]/server/default/conf/server.log.properties*, yes -*/opt/[JBOSS]/server/default/conf/standardjaws.xml*, yes -*/opt/[JBOSS]/server/default/conf/standardjboss.xml*, yes -*/opt/[JBOSS]/server/default/deploy/jboss-logging.xml*, yes -*/opt/[JBOSS]/server/default/log/boot.log*, yes -*/opt/[JBOSS]/server/default/log/server.log*, yes -*/opt/lampp/etc/httpd.conf*, yes -*/opt/lampp/logs/access.log*, yes -*/opt/lampp/logs/access_log*, yes -*/opt/lampp/logs/error.log*, yes -*/opt/lampp/logs/error_log*, yes -*/opt/lsws/conf/httpd_conf.xml*, yes -*/opt/lsws/logs/access.log*, yes -*/opt/lsws/logs/error.log*, yes -*/opt/tomcat/logs/catalina.err*, yes -*/opt/tomcat/logs/catalina.out*, yes -*/opt/xampp/etc/php.ini*, yes -*/opt/xampp/logs/access.log*, yes -*/opt/xampp/logs/access_log*, yes -*/opt/xampp/logs/error.log*, yes -*/opt/xampp/logs/error_log*, yes -*/private/etc/httpd/apache2.conf*, yes -*/private/etc/httpd/apache.conf*, yes -*/private/etc/httpd/httpd.conf*, yes -*/private/etc/httpd/httpd.conf.default*, yes -*/private/etc/squirrelmail/config/config.php*, yes -*/private/tmp/[JBOSS]/server/default/conf/jboss-minimal.xml*, yes -*/private/tmp/[JBOSS]/server/default/conf/jboss-service.xml*, yes -*/private/tmp/[JBOSS]/server/default/conf/jndi.properties*, yes -*/private/tmp/[JBOSS]/server/default/conf/log4j.xml*, yes -*/private/tmp/[JBOSS]/server/default/conf/login-config.xml*, yes -*/private/tmp/[JBOSS]/server/default/conf/server.log.properties*, yes -*/private/tmp/[JBOSS]/server/default/conf/standardjaws.xml*, yes -*/private/tmp/[JBOSS]/server/default/conf/standardjboss.xml*, yes -*/private/tmp/[JBOSS]/server/default/deploy/jboss-logging.xml*, yes -*/private/tmp/[JBOSS]/server/default/log/boot.log*, yes -*/private/tmp/[JBOSS]/server/default/log/server.log*, yes -*/proc/cpuinfo*, yes -*/proc/devices*, yes -*/proc/meminfo*, yes -*/proc/net/tcp*, yes -*/proc/net/udp*, yes -*/proc/self/cmdline*, yes -*/proc/self/environ*, yes -*/proc/self/mounts*, yes -*/proc/self/stat*, yes -*/proc/self/status*, yes -*/proc/version*, yes -*/Program Files/Apache Group/Apache2/conf/apache2.conf*, yes -*/Program Files/Apache Group/Apache2/conf/apache.conf*, yes -*/Program Files/Apache Group/Apache2/conf/httpd.conf*, yes -*/Program FilesApache GroupApache2confhttpd.conf*, yes -*/Program Files/Apache Group/Apache/apache2.conf*, yes -*/Program Files/Apache Group/Apache/apache.conf*, yes -*/Program Files/Apache Group/Apache/conf/apache2.conf*, yes -*/Program Files/Apache Group/Apache/conf/apache.conf*, yes -*/Program Files/Apache Group/Apache/conf/httpd.conf*, yes -*/Program FilesApache GroupApacheconfhttpd.conf*, yes -*/Program Files/Apache Group/Apache/logs/access.log*, yes -*/Program FilesApache GroupApachelogsaccess.log*, yes -*/Program Files/Apache Group/Apache/logs/error.log*, yes -*/Program FilesApache GroupApachelogserror.log*, yes -*/Program Files/[JBOSS]/server/default/conf/jboss-minimal.xml*, yes -*/Program Files/[JBOSS]/server/default/conf/jboss-service.xml*, yes -*/Program Files/[JBOSS]/server/default/conf/jndi.properties*, yes -*/Program Files/[JBOSS]/server/default/conf/log4j.xml*, yes -*/Program Files/[JBOSS]/server/default/conf/login-config.xml*, yes -*/Program Files/[JBOSS]/server/default/conf/server.log.properties*, yes -*/Program Files/[JBOSS]/server/default/conf/standardjaws.xml*, yes -*/Program Files/[JBOSS]/server/default/conf/standardjboss.xml*, yes -*/Program Files/[JBOSS]/server/default/deploy/jboss-logging.xml*, yes -*/Program Files/[JBOSS]/server/default/log/boot.log*, yes -*/Program Files/[JBOSS]/server/default/log/server.log*, yes -*/Program Files/MySQL/data/{HOST}.err*, yes -*/Program Files/MySQL/data/mysql-bin.index*, yes -*/Program Files/MySQL/data/mysql-bin.log*, yes -*/Program Files/MySQL/data/mysql.err*, yes -*/Program Files/MySQL/data/mysql.log*, yes -*/Program Files/MySQL/my.cnf*, yes -*/Program Files/MySQL/my.ini*, yes -*/Program Files/Vidalia Bundle/Polipo/polipo.conf*, yes -*/Program Files/xampp/apache/conf/apache2.conf*, yes -*/Program Files/xampp/apache/conf/apache.conf*, yes -*/Program Files/xampp/apache/conf/httpd.conf*, yes -*/Program Filesxamppapacheconfhttpd.conf*, yes -*/root/.bash_config*, yes -*/root/.bash_history*, yes -*/root/.bash_logout*, yes -*/root/.bashrc*, yes -*/root/.ksh_history*, yes -*/root/.Xauthority*, yes -*/srv/www/htdos/squirrelmail/config/config.php*, yes -*/tmp/access.log*, yes -*/tmp/[JBOSS]/server/default/conf/jboss-minimal.xml*, yes -*/tmp/[JBOSS]/server/default/conf/jboss-service.xml*, yes -*/tmp/[JBOSS]/server/default/conf/jndi.properties*, yes -*/tmp/[JBOSS]/server/default/conf/log4j.xml*, yes -*/tmp/[JBOSS]/server/default/conf/login-config.xml*, yes -*/tmp/[JBOSS]/server/default/conf/server.log.properties*, yes -*/tmp/[JBOSS]/server/default/conf/standardjaws.xml*, yes -*/tmp/[JBOSS]/server/default/conf/standardjboss.xml*, yes -*/tmp/[JBOSS]/server/default/deploy/jboss-logging.xml*, yes -*/tmp/[JBOSS]/server/default/log/boot.log*, yes -*/tmp/[JBOSS]/server/default/log/server.log*, yes -*/usr/apache2/conf/httpd.conf*, yes -*/usr/apache/conf/httpd.conf*, yes -*/usr/etc/pure-ftpd.conf*, yes -*/usr/home/user/lighttpd/lighttpd.conf*, yes -*/usr/home/user/var/log/apache.log*, yes -*/usr/home/user/var/log/lighttpd.error.log*, yes -*/usr/internet/pgsql/data/pg_hba.conf*, yes -*/usr/internet/pgsql/data/postmaster.log*, yes -*/usr/lib/cron/log*, yes -*/usr/lib/php.ini*, yes -*/usr/lib/php/php.ini*, yes -*/usr/lib/security/mkuser.default*, yes -*/usr/local/apache22/conf/httpd.conf*, yes -*/usr/local/apache22/httpd.conf*, yes -*/usr/local/apache2/apache2.conf*, yes -*/usr/local/apache2/apache.conf*, yes -*/usr/local/apache2/conf/apache2.conf*, yes -*/usr/local/apache2/conf/apache.conf*, yes -*/usr/local/apache2/conf/extra/httpd-ssl.conf*, yes -*/usr/local/apache2/conf/httpd.conf*, yes -*/usr/local/apache2/conf/modsec.conf*, yes -*/usr/local/apache2/conf/ssl.conf*, yes -*/usr/local/apache2/conf/vhosts.conf*, yes -*/usr/local/apache2/conf/vhosts-custom.conf*, yes -*/usr/local/apache2/httpd.conf*, yes -*/usr/local/apache2/logs/access.log*, yes -*/usr/local/apache2/logs/access_log*, yes -*/usr/local/apache2/logs/audit_log*, yes -*/usr/local/apache2/logs/error.log*, yes -*/usr/local/apache2/logs/error_log*, yes -*/usr/local/apache2/logs/lighttpd.error.log*, yes -*/usr/local/apache2/logs/lighttpd.log*, yes -*/usr/local/apache/apache2.conf*, yes -*/usr/local/apache/apache.conf*, yes -*/usr/local/apache/conf/access.conf*, yes -*/usr/local/apache/conf/apache2.conf*, yes -*/usr/local/apache/conf/apache.conf*, yes -*/usr/local/apache/conf/httpd.conf*, yes -*/usr/local/apache/conf/httpd.conf.default*, yes -*/usr/local/apache/conf/modsec.conf*, yes -*/usr/local/apache/conf/php.ini*, yes -*/usr/local/apache/conf/vhosts.conf*, yes -*/usr/local/apache/conf/vhosts-custom.conf*, yes -*/usr/local/apache/httpd.conf*, yes -*/usr/local/apache/logs/access.log*, yes -*/usr/local/apache/logs/access_log*, yes -*/usr/local/apache/logs/audit_log*, yes -*/usr/local/apache/logs/error.log*, yes -*/usr/local/apache/logs/error_log*, yes -*/usr/local/apache/logs/lighttpd.error.log*, yes -*/usr/local/apache/logs/lighttpd.log*, yes -*/usr/local/apache/logs/mod_jk.log*, yes -*/usr/local/apps/apache22/conf/httpd.conf*, yes -*/usr/local/apps/apache2/conf/httpd.conf*, yes -*/usr/local/apps/apache/conf/httpd.conf*, yes -*/usr/local/cpanel/logs*, yes -*/usr/local/cpanel/logs/access_log*, yes -*/usr/local/cpanel/logs/error_log*, yes -*/usr/local/cpanel/logs/license_log*, yes -*/usr/local/cpanel/logs/login_log*, yes -*/usr/local/cpanel/logs/stats_log*, yes -*/usr/local/etc/apache22/conf/httpd.conf*, yes -*/usr/local/etc/apache22/httpd.conf*, yes -*/usr/local/etc/apache2/conf/httpd.conf*, yes -*/usr/local/etc/apache2/httpd.conf*, yes -*/usr/local/etc/apache2/vhosts.conf*, yes -*/usr/local/etc/apache/conf/httpd.conf*, yes -*/usr/local/etc/apache/httpd.conf*, yes -*/usr/local/etc/apache/vhosts.conf*, yes -*/usr/local/etc/httpd/conf*, yes -*/usr/local/etc/httpd/conf/httpd.conf*, yes -*/usr/local/etc/lighttpd.conf*, yes -*/usr/local/etc/lighttpd.conf.new*, yes -*/usr/local/etc/nginx/nginx.conf*, yes -*/usr/local/etc/php.ini*, yes -*/usr/local/etc/pure-ftpd.conf*, yes -*/usr/local/etc/pureftpd.pdb*, yes -*/usr/local/etc/smb.conf*, yes -*/usr/local/etc/webmin/miniserv.conf*, yes -*/usr/local/etc/webmin/miniserv.users*, yes -*/usr/local/httpd/conf/httpd.conf*, yes -*/usr/local/jakarta/dist/tomcat/conf/context.xml*, yes -*/usr/local/jakarta/dist/tomcat/conf/jakarta.conf*, yes -*/usr/local/jakarta/dist/tomcat/conf/logging.properties*, yes -*/usr/local/jakarta/dist/tomcat/conf/server.xml*, yes -*/usr/local/jakarta/dist/tomcat/conf/workers.properties*, yes -*/usr/local/jakarta/dist/tomcat/logs/mod_jk.log*, yes -*/usr/local/jakarta/tomcat/conf/context.xml*, yes -*/usr/local/jakarta/tomcat/conf/jakarta.conf*, yes -*/usr/local/jakarta/tomcat/conf/logging.properties*, yes -*/usr/local/jakarta/tomcat/conf/server.xml*, yes -*/usr/local/jakarta/tomcat/conf/workers.properties*, yes -*/usr/local/jakarta/tomcat/logs/catalina.err*, yes -*/usr/local/jakarta/tomcat/logs/catalina.out*, yes -*/usr/local/jakarta/tomcat/logs/mod_jk.log*, yes -*/usr/local/[JBOSS]/server/default/conf/jboss-minimal.xml*, yes -*/usr/local/[JBOSS]/server/default/conf/jboss-service.xml*, yes -*/usr/local/[JBOSS]/server/default/conf/jndi.properties*, yes -*/usr/local/[JBOSS]/server/default/conf/log4j.xml*, yes -*/usr/local/[JBOSS]/server/default/conf/login-config.xml*, yes -*/usr/local/[JBOSS]/server/default/conf/server.log.properties*, yes -*/usr/local/[JBOSS]/server/default/conf/standardjaws.xml*, yes -*/usr/local/[JBOSS]/server/default/conf/standardjboss.xml*, yes -*/usr/local/[JBOSS]/server/default/deploy/jboss-logging.xml*, yes -*/usr/local/[JBOSS]/server/default/log/boot.log*, yes -*/usr/local/[JBOSS]/server/default/log/server.log*, yes -*/usr/local/lib/php.ini*, yes -*/usr/local/lighttpd/conf/lighttpd.conf*, yes -*/usr/local/lighttpd/log/access.log*, yes -*/usr/local/lighttpd/log/lighttpd.error.log*, yes -*/usr/local/logs/access.log*, yes -*/usr/local/logs/samba.log*, yes -*/usr/local/lsws/conf/httpd_conf.xml*, yes -*/usr/local/lsws/logs/error.log*, yes -*/usr/local/mysql/data/{HOST}.err*, yes -*/usr/local/mysql/data/mysql-bin.index*, yes -*/usr/local/mysql/data/mysql-bin.log*, yes -*/usr/local/mysql/data/mysqlderror.log*, yes -*/usr/local/mysql/data/mysql.err*, yes -*/usr/local/mysql/data/mysql.log*, yes -*/usr/local/mysql/data/mysql-slow.log*, yes -*/usr/local/nginx/conf/nginx.conf*, yes -*/usr/local/pgsql/bin/pg_passwd*, yes -*/usr/local/pgsql/data/passwd*, yes -*/usr/local/pgsql/data/pg_hba.conf*, yes -*/usr/local/pgsql/data/pg_log*, yes -*/usr/local/pgsql/data/postgresql.conf*, yes -*/usr/local/pgsql/data/postgresql.log*, yes -*/usr/local/php4/apache2.conf*, yes -*/usr/local/php4/apache2.conf.php*, yes -*/usr/local/php4/apache.conf*, yes -*/usr/local/php4/apache.conf.php*, yes -*/usr/local/php4/httpd.conf*, yes -*/usr/local/php4/httpd.conf.php*, yes -*/usr/local/php4/lib/php.ini*, yes -*/usr/local/php5/apache2.conf*, yes -*/usr/local/php5/apache2.conf.php*, yes -*/usr/local/php5/apache.conf*, yes -*/usr/local/php5/apache.conf.php*, yes -*/usr/local/php5/httpd.conf*, yes -*/usr/local/php5/httpd.conf.php*, yes -*/usr/local/php5/lib/php.ini*, yes -*/usr/local/php/apache2.conf*, yes -*/usr/local/php/apache2.conf.php*, yes -*/usr/local/php/apache.conf*, yes -*/usr/local/php/apache.conf.php*, yes -*/usr/local/php/httpd.conf*, yes -*/usr/local/php/httpd.conf.php*, yes -*/usr/local/php/lib/php.ini*, yes -*/usr/local/psa/admin/conf/php.ini*, yes -*/usr/local/psa/admin/conf/site_isolation_settings.ini*, yes -*/usr/local/psa/admin/htdocs/domains/databases/phpMyAdmin/libraries/config.default.php*, yes -*/usr/local/psa/admin/logs/httpsd_access_log*, yes -*/usr/local/psa/admin/logs/panel.log*, yes -*/usr/local/pureftpd/etc/pure-ftpd.conf*, yes -*/usr/local/pureftpd/etc/pureftpd.pdb*, yes -*/usr/local/pureftpd/sbin/pure-config.pl*, yes -*/usr/local/samba/lib/log.user*, yes -*/usr/local/samba/lib/smb.conf.user*, yes -*/usr/local/sb/config*, yes -*/usr/local/Zend/etc/php.ini*, yes -*/usr/local/zeus/web/global.cfg*, yes -*/usr/local/zeus/web/log/errors*, yes -*/usr/pkg/etc/httpd/httpd.conf*, yes -*/usr/pkg/etc/httpd/httpd-default.conf*, yes -*/usr/pkg/etc/httpd/httpd-vhosts.conf*, yes -*/usr/pkgsrc/net/pureftpd/*, yes -*/usr/pkgsrc/net/pureftpd/pure-ftpd.conf*, yes -*/usr/pkgsrc/net/pureftpd/pureftpd.passwd*, yes -*/usr/pkgsrc/net/pureftpd/pureftpd.pdb*, yes -*/usr/ports/contrib/pure-ftpd/*, yes -*/usr/ports/contrib/pure-ftpd/pure-ftpd.conf*, yes -*/usr/ports/contrib/pure-ftpd/pureftpd.passwd*, yes -*/usr/ports/contrib/pure-ftpd/pureftpd.pdb*, yes -*/usr/ports/ftp/pure-ftpd/*, yes -*/usr/ports/ftp/pure-ftpd/pure-ftpd.conf*, yes -*/usr/ports/ftp/pure-ftpd/pureftpd.passwd*, yes -*/usr/ports/ftp/pure-ftpd/pureftpd.pdb*, yes -*/usr/ports/net/pure-ftpd/*, yes -*/usr/ports/net/pure-ftpd/pure-ftpd.conf*, yes -*/usr/ports/net/pure-ftpd/pureftpd.passwd*, yes -*/usr/ports/net/pure-ftpd/pureftpd.pdb*, yes -*/usr/sbin/mudlogd*, yes -*/usr/sbin/mudpasswd*, yes -*/usr/sbin/pure-config.pl*, yes -*/usr/share/adduser/adduser.conf*, yes -*/usr/share/logs/catalina.err*, yes -*/usr/share/logs/catalina.out*, yes -*/usr/share/squirrelmail/config/config.php*, yes -*/usr/share/squirrelmail/plugins/squirrel_logger/setup.php*, yes -*/usr/share/tomcat6/conf/context.xml*, yes -*/usr/share/tomcat6/conf/logging.properties*, yes -*/usr/share/tomcat6/conf/server.xml*, yes -*/usr/share/tomcat6/conf/workers.properties*, yes -*/usr/share/tomcat6/logs/catalina.err*, yes -*/usr/share/tomcat6/logs/catalina.out*, yes -*/usr/share/tomcat/logs/catalina.err*, yes -*/usr/share/tomcat/logs/catalina.out*, yes -*/usr/spool/lp/log*, yes -*/usr/spool/mqueue/syslog*, yes -*/var/adm/acct/sum/loginlog*, yes -*/var/adm/aculog*, yes -*/var/adm/aculogs*, yes -*/var/adm/crash/unix*, yes -*/var/adm/crash/vmcore*, yes -*/var/adm/cron/log*, yes -*/var/adm/dtmp*, yes -*/var/adm/lastlog/username*, yes -*/var/adm/log/asppp.log*, yes -*/var/adm/loginlog*, yes -*/var/adm/log/xferlog*, yes -*/var/adm/lp/lpd-errs*, yes -*/var/adm/messages*, yes -*/var/adm/pacct*, yes -*/var/adm/qacct*, yes -*/var/adm/ras/bootlog*, yes -*/var/adm/ras/errlog*, yes -*/var/adm/sulog*, yes -*/var/adm/SYSLOG*, yes -*/var/adm/utmp*, yes -*/var/adm/utmpx*, yes -*/var/adm/vold.log*, yes -*/var/adm/wtmp*, yes -*/var/adm/wtmpx*, yes -*/var/adm/X0msgs*, yes -*/var/apache/conf/httpd.conf*, yes -*/var/cpanel/cpanel.config*, yes -*/var/cpanel/tomcat.options*, yes -*/var/cron/log*, yes -*/var/data/mysql-bin.index*, yes -*/var/lib/mysql/my.cnf*, yes -*/var/lib/pgsql/data/postgresql.conf*, yes -*/var/lib/squirrelmail/prefs/squirrelmail.log*, yes -*/var/lighttpd.log*, yes -*/var/local/www/conf/php.ini*, yes -*/var/log/access.log*, yes -*/var/log/access_log*, yes -*/var/log/apache2/access.log*, yes -*/var/log/apache2/access_log*, yes -*/var/log/apache2/error.log*, yes -*/var/log/apache2/error_log*, yes -*/var/log/apache2/squirrelmail.err.log*, yes -*/var/log/apache2/squirrelmail.log*, yes -*/var/log/apache/access.log*, yes -*/var/log/apache/access_log*, yes -*/var/log/apache/error.log*, yes -*/var/log/apache/error_log*, yes -*/var/log/auth.log*, yes -*/var/log/authlog*, yes -*/var/log/boot.log*, yes -*/var/log/cron/var/log/postgres.log*, yes -*/var/log/daemon.log*, yes -*/var/log/daemon.log.1*, yes -*/var/log/data/mysql-bin.index*, yes -*/var/log/dmessage*, yes -*/var/log/error.log*, yes -*/var/log/error_log*, yes -*/var/log/exim/mainlog*, yes -*/var/log/exim_mainlog*, yes -*/var/log/exim/paniclog*, yes -*/var/log/exim_paniclog*, yes -*/var/log/exim/rejectlog*, yes -*/var/log/exim_rejectlog*, yes -*/var/log/ftplog*, yes -*/var/log/ftp-proxy*, yes -*/var/log/ftp-proxy/ftp-proxy.log*, yes -*/var/log/httpd-access.log*, yes -*/var/log/httpd/access.log*, yes -*/var/log/httpd/access_log*, yes -*/var/log/httpd/error.log*, yes -*/var/log/httpd/error_log*, yes -*/var/log/ipfw*, yes -*/var/log/ipfw/ipfw.log*, yes -*/var/log/ipfw.log*, yes -*/var/log/ipfw.today*, yes -*/var/log/kern.log*, yes -*/var/log/kern.log.1*, yes -*/var/log/lighttpd/*, yes -*/var/log/lighttpd.access.log*, yes -*/var/log/lighttpd/access.log*, yes -*/var/log/lighttpd/access.www.log*, yes -*/var/log/lighttpd/{DOMAIN}/access.log*, yes -*/var/log/lighttpd/{DOMAIN}/error.log*, yes -*/var/log/lighttpd.error.log*, yes -*/var/log/lighttpd/error.log*, yes -*/var/log/lighttpd/error.www.log*, yes -*/var/log/log.smb*, yes -*/var/log/mail.err*, yes -*/var/log/mail.info*, yes -*/var/log/mail.log*, yes -*/var/log/maillog*, yes -*/var/log/mail.warn*, yes -*/var/log/messages*, yes -*/var/log/messages.1*, yes -*/var/log/muddleftpd*, yes -*/var/log/muddleftpd.conf*, yes -*/var/log/mysql-bin.index*, yes -*/var/log/mysql/data/mysql-bin.index*, yes -*/var/log/mysqlderror.log*, yes -*/var/log/mysql.err*, yes -*/var/log/mysql.log*, yes -*/var/log/mysql/mysql-bin.index*, yes -*/var/log/mysql/mysql-bin.log*, yes -*/var/log/mysql/mysql.log*, yes -*/var/log/mysql/mysql-slow.log*, yes -*/var/log/news.all*, yes -*/var/log/news/news.all*, yes -*/var/log/news/news.crit*, yes -*/var/log/news/news.err*, yes -*/var/log/news/news.notice*, yes -*/var/log/news/suck.err*, yes -*/var/log/news/suck.notice*, yes -*/var/log/nginx.access_log*, yes -*/var/log/nginx/access.log*, yes -*/var/log/nginx/access_log*, yes -*/var/log/nginx.error_log*, yes -*/var/log/nginx/error.log*, yes -*/var/log/nginx/error_log*, yes -*/var/log/pgsql8.log*, yes -*/var/log/pgsql_log*, yes -*/var/log/pgsql/pgsql.log*, yes -*/var/log/pm-powersave.log*, yes -*/var/log/POPlog*, yes -*/var/log/postgres/pg_backup.log*, yes -*/var/log/postgres/postgres.log*, yes -*/var/log/postgresql.log*, yes -*/var/log/postgresql/main.log*, yes -*/var/log/postgresql/postgres.log*, yes -*/var/log/postgresql/postgresql-8.1-main.log*, yes -*/var/log/postgresql/postgresql-8.3-main.log*, yes -*/var/log/postgresql/postgresql-8.4-main.log*, yes -*/var/log/postgresql/postgresql-9.0-main.log*, yes -*/var/log/postgresql/postgresql-9.1-main.log*, yes -*/var/log/postgresql/postgresql.log*, yes -*/var/log/proftpd*, yes -*/var/log/proftpd.access_log*, yes -*/var/log/proftpd.xferlog*, yes -*/var/log/proftpd/xferlog.legacy*, yes -*/var/log/pureftpd.log*, yes -*/var/log/pure-ftpd/pure-ftpd.log*, yes -*/var/logs/access.log*, yes -*/var/log/samba.log*, yes -*/var/log/samba.log1*, yes -*/var/log/samba.log2*, yes -*/var/log/samba/log.nmbd*, yes -*/var/log/samba/log.smbd*, yes -*/var/log/squirrelmail.log*, yes -*/var/log/sso/sso.log*, yes -*/var/log/sw-cp-server/error_log*, yes -*/var/log/syslog*, yes -*/var/log/syslog.1*, yes -*/var/log/tomcat6/catalina.out*, yes -*/var/log/ufw.log*, yes -*/var/log/user.log*, yes -*/var/log/user.log.1*, yes -*/var/log/vmware/hostd-1.log*, yes -*/var/log/vmware/hostd.log*, yes -*/var/log/vsftpd.log*, yes -*/var/log/webmin/miniserv.log*, yes -*/var/log/xferlog*, yes -*/var/log/Xorg.0.log*, yes -*/var/lp/logs/lpNet*, yes -*/var/lp/logs/lpsched*, yes -*/var/lp/logs/requests*, yes -*/var/mail/root*, yes -*/var/mysql-bin.index*, yes -*/var/mysql.log*, yes -*/var/nm2/postgresql.conf*, yes -*/var/postgresql/db/postgresql.conf*, yes -*/var/postgresql/log/postgresql.log*, yes -*/var/saf/_log*, yes -*/var/saf/port/log*, yes -*/var/spool/cron/crontabs/root*, yes -*/var/spool/cron/crontabs/root*, yes -*/var/www/conf*, yes -*/var/www/conf/httpd.conf*, yes -*/var/www/html/squirrelmail/config/config.php*, yes -*/var/www/.lighttpdpassword*, yes -*/var/www/logs/access.log*, yes -*/var/www/logs/access_log*, yes -*/var/www/logs/error.log*, yes -*/var/www/logs/error_log*, yes -*/var/www/squirrelmail/config/config.php*, yes -*/Volumes/Macintosh_HD1/opt/apache2/conf/httpd.conf*, yes -*/Volumes/Macintosh_HD1/opt/apache/conf/httpd.conf*, yes -*/Volumes/Macintosh_HD1/opt/httpd/conf/httpd.conf*, yes -*/Volumes/Macintosh_HD1/usr/local/php4/httpd.conf.php*, yes -*/Volumes/Macintosh_HD1/usr/local/php5/httpd.conf.php*, yes -*/Volumes/Macintosh_HD1/usr/local/php/httpd.conf.php*, yes -*/Volumes/Macintosh_HD1/usr/local/php/lib/php.ini*, yes -*/Volumes/webBackup/opt/apache2/conf/httpd.conf*, yes -*/Volumes/webBackup/private/etc/httpd/httpd.conf*, yes -*/Volumes/webBackup/private/etc/httpd/httpd.conf.default*, yes -*/wamp/bin/apache/apache2.2.21/conf/httpd.conf*, yes -*/wamp/bin/apache/apache2.2.21/logs/access.log*, yes -*/wamp/bin/apache/apache2.2.21/logs/error.log*, yes -*/wamp/bin/apache/apache2.2.21/wampserver.conf*, yes -*/wamp/bin/apache/apache2.2.22/conf/httpd.conf*, yes -*/wamp/bin/apache/apache2.2.22/conf/wampserver.conf*, yes -*/wamp/bin/apache/apache2.2.22/logs/access.log*, yes -*/wamp/bin/apache/apache2.2.22/logs/error.log*, yes -*/wamp/bin/apache/apache2.2.22/wampserver.conf*, yes -*/wamp/bin/mysql/mysql5.5.16/data/mysql-bin.index*, yes -*/wamp/bin/mysql/mysql5.5.16/my.ini*, yes -*/wamp/bin/mysql/mysql5.5.16/wampserver.conf*, yes -*/wamp/bin/mysql/mysql5.5.24/data/mysql-bin.index*, yes -*/wamp/bin/mysql/mysql5.5.24/my.ini*, yes -*/wamp/bin/mysql/mysql5.5.24/wampserver.conf*, yes -*/wamp/logs/access.log*, yes -*/wamp/logs/apache_error.log*, yes -*/wamp/logs/genquery.log*, yes -*/wamp/logs/mysql.log*, yes -*/wamp/logs/slowquery.log*, yes -*/web/conf/php.ini*, yes -*/WINDOWS/php.ini*, yes -*/WINDOWSphp.ini*, yes -*/WINDOWS/system32/logfiles/MSFTPSVC*, yes -*/WINDOWS/system32/logfiles/MSFTPSVC1*, yes -*/WINDOWS/system32/logfiles/MSFTPSVC2*, yes -*/WINDOWS/system32/logfiles/SMTPSVC*, yes -*/WINDOWS/system32/logfiles/SMTPSVC1*, yes -*/WINDOWS/system32/logfiles/SMTPSVC2*, yes -*/WINDOWS/system32/logfiles/SMTPSVC3*, yes -*/WINDOWS/system32/logfiles/SMTPSVC4*, yes -*/WINDOWS/system32/logfiles/SMTPSVC5*, yes -*/WINDOWS/system32/logfiles/W3SVC1/inetsvn1.log*, yes -*/WINDOWS/system32/logfiles/W3SVC2/inetsvn1.log*, yes -*/WINDOWS/system32/logfiles/W3SVC3/inetsvn1.log*, yes -*/WINDOWS/system32/logfiles/W3SVC/inetsvn1.log*, yes -*/WINNT/php.ini*, yes -*/WINNTphp.ini*, yes -*/WINNT/system32/logfiles/MSFTPSVC*, yes -*/WINNT/system32/logfiles/MSFTPSVC1*, yes -*/WINNT/system32/logfiles/MSFTPSVC2*, yes -*/WINNT/system32/logfiles/SMTPSVC*, yes -*/WINNT/system32/logfiles/SMTPSVC1*, yes -*/WINNT/system32/logfiles/SMTPSVC2*, yes -*/WINNT/system32/logfiles/SMTPSVC3*, yes -*/WINNT/system32/logfiles/SMTPSVC4*, yes -*/WINNT/system32/logfiles/SMTPSVC5*, yes -*/WINNT/system32/logfiles/W3SVC1/inetsvn1.log*, yes -*/WINNT/system32/logfiles/W3SVC2/inetsvn1.log*, yes -*/WINNT/system32/logfiles/W3SVC3/inetsvn1.log*, yes -*/WINNT/system32/logfiles/W3SVC/inetsvn1.log*, yes -*/www/apache/conf/httpd.conf*, yes -*/www/conf/httpd.conf*, yes -*/www/logs/freebsddiary-access_log*, yes -*/www/logs/freebsddiary-error.log*, yes -*/www/logs/proftpd.system.log*, yes -*/xampp/apache/bin/php.ini*, yes -*/xamppapachebinphp.ini*, yes -*/xampp/apache/conf/httpd.conf*, yes -*/xampp/apache/logs/access.log*, yes -*/xampp/apache/logs/error.log*, yes -*/xampp/FileZillaFTP/FileZilla Server.xml*, yes -*/xampp/htdocs/aca.txt*, yes -*/xampp/htdocs/admin.php*, yes -*/xampp/htdocs/leer.txt*, yes -*/xampp/MercuryMail/mercury.ini*, yes -*/xampp/mysql/data/{HOST}.err*, yes -*/xampp/mysql/data/mysql-bin.index*, yes -*/xampp/mysql/data/mysql.err*, yes -*/xampp/phpMyAdmin/config.inc.php*, yes -*/xampp/php/php.ini*, yes -*/xampp/sendmail/sendmail.ini*, yes -*/xampp/sendmail/sendmail.log*, yes -*/xampp/webalizer/webalizer.conf*, yes -*/proc/self/fd/0*, yes -*/proc/self/fd/1*, yes -*/proc/self/fd/2*, yes -*/proc/self/fd/3*, yes -*/proc/self/fd/4*, yes -*/proc/self/fd/5*, yes -*/proc/self/fd/6*, yes -*/proc/self/fd/7*, yes -*/proc/self/fd/8*, yes -*/proc/self/fd/9*, yes -*/proc/self/fd/10*, yes -*/proc/self/fd/11*, yes -*/proc/self/fd/12*, yes -*/proc/self/fd/13*, yes -*/proc/self/fd/14*, yes -*/proc/self/fd/15*, yes -*/proc/self/fd/16*, yes -*/proc/self/fd/17*, yes -*/proc/self/fd/18*, yes -*/proc/self/fd/19*, yes -*/proc/self/fd/20*, yes -*/proc/self/fd/21*, yes -*/proc/self/fd/22*, yes -*/proc/self/fd/23*, yes -*/proc/self/fd/24*, yes -*/proc/self/fd/25*, yes -*/proc/self/fd/26*, yes -*/proc/self/fd/27*, yes -*/proc/self/fd/28*, yes -*/proc/self/fd/29*, yes -*/proc/self/fd/30*, yes -*/proc/self/fd/31*, yes -*/proc/self/fd/32*, yes -*/proc/self/fd/33*, yes -*/proc/self/fd/34*, yes -*/proc/self/fd/35*, yes -*/proc/self/fd/36*, yes -*/proc/self/fd/37*, yes -*/proc/self/fd/38*, yes -*/proc/self/fd/39*, yes -*/proc/self/fd/40*, yes -*/proc/self/fd/41*, yes -*/proc/self/fd/42*, yes -*/proc/self/fd/43*, yes -*/proc/self/fd/44*, yes -*/proc/self/fd/45*, yes -*/proc/self/fd/46*, yes -*/proc/self/fd/47*, yes -*/proc/self/fd/48*, yes -*/proc/self/fd/49*, yes -*/proc/self/fd/50*, yes -*/proc/self/fd/51*, yes -*/proc/self/fd/52*, yes -*/proc/self/fd/53*, yes -*/proc/self/fd/54*, yes -*/proc/self/fd/55*, yes -*/proc/self/fd/56*, yes -*/proc/self/fd/57*, yes -*/proc/self/fd/58*, yes -*/proc/self/fd/59*, yes -*/proc/self/fd/60*, yes -*/proc/self/fd/61*, yes -*/proc/self/fd/62*, yes -*/proc/self/fd/63*, yes -*/proc/self/fd/64*, yes -*/proc/self/fd/65*, yes -*/proc/self/fd/66*, yes -*/proc/self/fd/67*, yes -*/proc/self/fd/68*, yes -*/proc/self/fd/69*, yes -*/proc/self/fd/70*, yes -*/proc/self/fd/71*, yes -*/proc/self/fd/72*, yes -*/proc/self/fd/73*, yes -*/proc/self/fd/74*, yes -*/proc/self/fd/75*, yes -*/proc/self/fd/76*, yes -*/proc/self/fd/77*, yes -*/proc/self/fd/78*, yes -*/proc/self/fd/79*, yes -*/proc/self/fd/80*, yes -*/proc/self/fd/81*, yes -*/proc/self/fd/82*, yes -*/proc/self/fd/83*, yes -*/proc/self/fd/84*, yes -*/proc/self/fd/85*, yes -*/proc/self/fd/86*, yes -*/proc/self/fd/87*, yes -*/proc/self/fd/88*, yes -*/proc/self/fd/89*, yes -*/proc/self/fd/90*, yes -*/proc/self/fd/91*, yes -*/proc/self/fd/92*, yes -*/proc/self/fd/93*, yes -*/proc/self/fd/94*, yes -*/proc/self/fd/95*, yes -*/proc/self/fd/96*, yes -*/proc/self/fd/97*, yes -*/proc/self/fd/98*, yes -*/proc/self/fd/99*, yes -*/proc/self/fd/100*, yes \ No newline at end of file diff --git a/dist/DA-ESS-ContentUpdate/lookups/lolbas_file_path.csv b/dist/DA-ESS-ContentUpdate/lookups/lolbas_file_path.csv deleted file mode 100644 index 12682573e3..0000000000 --- a/dist/DA-ESS-ContentUpdate/lookups/lolbas_file_path.csv +++ /dev/null @@ -1,480 +0,0 @@ -lolbas_file_name,lolbas_file_path,description -eventvwr.exe,c:\windows\system32\*,Displays Windows Event Logs in a GUI window. -eventvwr.exe,c:\windows\syswow64\*,Displays Windows Event Logs in a GUI window. -rasautou.exe,c:\windows\system32\*,Windows Remote Access Dialer -regedit.exe,c:\windows\system32\*,Used by Windows to manipulate registry -regedit.exe,c:\windows\syswow64\*,Used by Windows to manipulate registry -regsvr32.exe,c:\windows\system32\*,Used by Windows to register dlls -regsvr32.exe,c:\windows\syswow64\*,Used by Windows to register dlls -control.exe,c:\windows\system32\*,Binary used to launch controlpanel items in Windows -control.exe,c:\windows\syswow64\*,Binary used to launch controlpanel items in Windows -configsecuritypolicy.exe,c:\programdata\microsoft\windows defender\platform\4.18.2008.9-0\*,Binary part of Windows Defender. Used to manage settings in Windows Defender. you can configure different pilot collections for each of the co-management workloads. Being able to use different pilot collections allows you to take a more granular approach when shifting workloads. -scriptrunner.exe,c:\windows\system32\*,Execute binary through proxy binary to evade defensive counter measures -scriptrunner.exe,c:\windows\syswow64\*,Execute binary through proxy binary to evade defensive counter measures -offlinescannershell.exe,c:\program files\windows defender\offline\*,Windows Defender Offline Shell -atbroker.exe,c:\windows\system32\*,Helper binary for Assistive Technology (AT) -atbroker.exe,c:\windows\syswow64\*,Helper binary for Assistive Technology (AT) -mmc.exe,c:\windows\system32\*,Load snap-ins to locally and remotely manage Windows systems -mmc.exe,c:\windows\syswow64\*,Load snap-ins to locally and remotely manage Windows systems -mavinject.exe,c:\windows\system32\*,Used by App-v in Windows -mavinject.exe,c:\windows\syswow64\*,Used by App-v in Windows -ftp.exe,c:\windows\system32\*,A binary designed for connecting to FTP servers -ftp.exe,c:\windows\syswow64\*,A binary designed for connecting to FTP servers -ttdinject.exe,c:\windows\system32\*,Used by Windows 1809 and newer to Debug Time Travel (Underlying call of tttracer.exe) -ttdinject.exe,c:\windows\syswow64\*,Used by Windows 1809 and newer to Debug Time Travel (Underlying call of tttracer.exe) -certoc.exe,c:\windows\system32\*,Used for installing certificates -certoc.exe,c:\windows\syswow64\*,Used for installing certificates -at.exe,c:\windows\system32\*,Schedule periodic tasks -at.exe,c:\windows\syswow64\*,Schedule periodic tasks -netsh.exe,c:\windows\system32\*,Netsh is a Windows tool used to manipulate network interface settings. -netsh.exe,c:\windows\syswow64\*,Netsh is a Windows tool used to manipulate network interface settings. -pnputil.exe,c:\windows\system32\*,Used for installing drivers -ie4uinit.exe,c:\windows\system32\*,Executes commands from a specially prepared ie4uinit.inf file. -ie4uinit.exe,c:\windows\syswow64\*,Executes commands from a specially prepared ie4uinit.inf file. -infdefaultinstall.exe,c:\windows\system32\*,Binary used to perform installation based on content inside inf files -infdefaultinstall.exe,c:\windows\syswow64\*,Binary used to perform installation based on content inside inf files -forfiles.exe,c:\windows\system32\*,Selects and executes a command on a file or set of files. This command is useful for batch processing. -forfiles.exe,c:\windows\syswow64\*,Selects and executes a command on a file or set of files. This command is useful for batch processing. -register-cimprovider.exe,c:\windows\system32\*,Used to register new wmi providers -register-cimprovider.exe,c:\windows\syswow64\*,Used to register new wmi providers -tttracer.exe,c:\windows\system32\*,Used by Windows 1809 and newer to Debug Time Travel -tttracer.exe,c:\windows\syswow64\*,Used by Windows 1809 and newer to Debug Time Travel -xwizard.exe,c:\windows\system32\*,Execute custom class that has been added to the registry or download a file with Xwizard.exe -xwizard.exe,c:\windows\syswow64\*,Execute custom class that has been added to the registry or download a file with Xwizard.exe -pcalua.exe,c:\windows\system32\*,Program Compatibility Assistant -print.exe,c:\windows\system32\*,Used by Windows to send files to the printer -print.exe,c:\windows\syswow64\*,Used by Windows to send files to the printer -runscripthelper.exe,c:\windows\winsxs\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.15_none_c2df1bba78111118\*,Execute target PowerShell script -runscripthelper.exe,c:\windows\winsxs\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.192_none_ad4699b571e00c4a\*,Execute target PowerShell script -regasm.exe,c:\windows\microsoft.net\framework\v2.0.50727\*,Part of .NET -regasm.exe,c:\windows\microsoft.net\framework64\v2.0.50727\*,Part of .NET -regasm.exe,c:\windows\microsoft.net\framework\v4.0.30319\*,Part of .NET -regasm.exe,c:\windows\microsoft.net\framework64\v4.0.30319\*,Part of .NET -cmd.exe,c:\windows\system32\*,The command-line interpreter in Windows -cmd.exe,c:\windows\syswow64\*,The command-line interpreter in Windows -msbuild.exe,c:\windows\microsoft.net\framework\v2.0.50727\*,Used to compile and execute code -msbuild.exe,c:\windows\microsoft.net\framework64\v2.0.50727\*,Used to compile and execute code -msbuild.exe,c:\windows\microsoft.net\framework\v3.5\*,Used to compile and execute code -msbuild.exe,c:\windows\microsoft.net\framework64\v3.5\*,Used to compile and execute code -msbuild.exe,c:\windows\microsoft.net\framework\v4.0.30319\*,Used to compile and execute code -msbuild.exe,c:\windows\microsoft.net\framework64\v4.0.30319\*,Used to compile and execute code -msbuild.exe,c:\program files (x86)\msbuild\14.0\bin\*,Used to compile and execute code -certutil.exe,c:\windows\system32\*,Windows binary used for handling certificates -certutil.exe,c:\windows\syswow64\*,Windows binary used for handling certificates -vbc.exe,c:\windows\microsoft.net\framework64\v4.0.30319\*,Binary file used for compile vbs code -vbc.exe,c:\windows\microsoft.net\framework64\v3.5\*,Binary file used for compile vbs code -psr.exe,c:\windows\system32\*,"Windows Problem Steps Recorder, used to record screen and clicks." -psr.exe,c:\windows\syswow64\*,"Windows Problem Steps Recorder, used to record screen and clicks." -extexport.exe,c:\program files\internet explorer\*,Load a DLL located in the c:\test folder with a specific name. -extexport.exe,c:\program files (x86)\internet explorer\*,Load a DLL located in the c:\test folder with a specific name. -rpcping.exe,c:\windows\system32\*,Used to verify rpc connection -rpcping.exe,c:\windows\syswow64\*,Used to verify rpc connection -msdt.exe,c:\windows\system32\*,Microsoft diagnostics tool -msdt.exe,c:\windows\syswow64\*,Microsoft diagnostics tool -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\64kb6472.inf_amd64_3daef03bbe98572b\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_0e9c57ae3396e055\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_209bd95d56b1ac2d\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_3fa2a843f8b7f16d\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_85c860f05274baa0\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_f7412e3e3404de80\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_feb9f1cf05b0de58\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\cui_component.inf_amd64_0219cc1c7085a93f\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\cui_component.inf_amd64_df4f60b1cae9b14a\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_16eb18b0e2526e57\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_1c77f1231c19bc72\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_31c60cc38cfcca28\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_82f69cea8b2d928f\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_b4d94f3e41ceb839\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_0606619cc97463de\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_0e95edab338ad669\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_22aac1442d387216\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_2461d914696db722\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_29d727269a34edf5\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_2caf76dbce56546d\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_353320edb98da643\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_4ea0ed0af1507894\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_56a48f4f1c2da7a7\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_64f23fdadb76a511\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_668dd0c6d3f9fa0e\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_6be8e5b7f731a6e5\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_6dad7e4e9a8fa889\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_6df442103a1937a4\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_767e7683f9ad126c\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_8644298f665a12c4\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_868acf86149aef5d\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_92cf9d9d84f1d3db\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_93239c65f222d453\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_9de8154b682af864\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_a7428663aca90897\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_ad7cb5e55a410add\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_afbf41cf8ab202d7\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_d193c96475eaa96e\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_db953c52208ada71\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_e7523682cc7528cc\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_e9f341319ca84274\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_f3a64c75ee4defb7\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_f51939e52b944f4b\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\cui_dch_comp.inf_amd64_4938423c9b9639d7\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\cui_dch_comp.inf_amd64_c8e108d4a62c59d5\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\cui_dch_comp.inf_amd64_deecec7d232ced2b\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_01ee1299f4982efe\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_02edfc87000937e4\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_0541b698fc6e40b0\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_0707757077710fff\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_0b3e3ed3ace9602a\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_0cff362f9dff4228\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_16ed7d82b93e4f68\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_1a33d2f73651d989\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_1aca2a92a37fce23\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_1af2dd3e4df5fd61\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_1d571527c7083952\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_23f7302c2b9ee813\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_24de78387e6208e4\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_250db833a1cd577e\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_25e7c5a58c052bc5\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_28d80681d3523b1c\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_2dda3b1147a3a572\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_31ba00ea6900d67d\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_329877a66f240808\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_42af9f4718aa1395\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_4645af5c659ae51a\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_48c2e68e54c92258\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_48e7e903a369eae2\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_491d20003583dabe\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_4b34c18659561116\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_51ce968bf19942c2\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_555cfc07a674ecdd\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_561bd21d54545ed3\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_579a75f602cc2dce\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_57f66a4f0a97f1a3\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_587befb80671fb38\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_62f096fe77e085c0\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_6ae0ddbb4a38e23c\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_6bb02522ea3fdb0d\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_6d34ac0763025a06\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_712b6a0adbaabc0a\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_78b09d9681a2400f\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_842874489af34daa\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_88084eb1fe7cebc3\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_89033455cb08186f\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_8a9535cd18c90bc3\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_8c1fc948b5a01c52\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_9088b61921a6ff9f\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_90f68cd0dc48b625\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_95cb371d046d4b4c\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_a58de0cf5f3e9dca\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_abe9d37302f8b1ae\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_acb3edda7b82982f\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_aebc5a8535dd3184\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_b5d4c82c67b39358\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_b846bbf1e81ea3cf\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_babb2e8b8072ff3b\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_bc75cebf5edbbc50\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_be91293cf20d4372\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c11f4d5f0bc4c592\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c4e5173126d31cf0\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c4f600ffe34acc7b\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c8634ed19e331cda\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c9081e50bcffa972\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_ceddadac8a2b489e\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_d4406f0ad6ec2581\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_d5877a2e0e6374b6\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_d8ca5f86add535ef\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_e8abe176c7b553b5\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_eabb3ac2c517211f\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_f8d8be8fea71e1a0\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_fe5e116bb07c0629\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_fe73d2ebaa05fb95\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\igdlh64_kbl_kit127397.inf_amd64_e1da8ee9e92ccadb\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\k127153.inf_amd64_364f43f2a27f7bd7\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\k127153.inf_amd64_3f3936d8dec668b8\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\k127793.inf_amd64_3ab7883eddccbf0f\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\ki129523.inf_amd64_32947eecf8f3e231\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\ki126950.inf_amd64_fa7f56314967630d\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\ki126951.inf_amd64_94804e3918169543\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\ki126973.inf_amd64_06dde156632145e3\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\ki126974.inf_amd64_9168fc04b8275db9\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\ki127005.inf_amd64_753576c4406c1193\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\ki127018.inf_amd64_0f67ff47e9e30716\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\ki127021.inf_amd64_0d68af55c12c7c17\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\ki127171.inf_amd64_368f8c7337214025\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\ki127176.inf_amd64_86c658cabfb17c9c\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\ki127390.inf_amd64_e1ccb879ece8f084\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\ki127678.inf_amd64_8427d3a09f47dfc1\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\ki127727.inf_amd64_cf8e31692f82192e\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\ki127807.inf_amd64_fc915899816dbc5d\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\ki127850.inf_amd64_6ad8d99023b59fd5\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\ki128602.inf_amd64_6ff790822fd674ab\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\ki128916.inf_amd64_3509e1eb83b83cfb\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\ki129407.inf_amd64_f26f36ac54ce3076\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\ki129633.inf_amd64_d9b8af875f664a8c\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\ki129866.inf_amd64_e7cdca9882c16f55\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\ki130274.inf_amd64_bafd2440fa1ffdd6\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\ki130350.inf_amd64_696b7c6764071b63\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\ki130409.inf_amd64_0d8d61270dfb4560\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\ki130471.inf_amd64_26ad6921447aa568\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\ki130624.inf_amd64_d85487143eec5e1a\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\ki130825.inf_amd64_ee3ba427c553f15f\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\ki130871.inf_amd64_382f7c369d4bf777\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\ki131064.inf_amd64_5d13f27a9a9843fa\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\ki131176.inf_amd64_fb4fe914575fdd15\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\ki131191.inf_amd64_d668106cb6f2eae0\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\ki131622.inf_amd64_0058d71ace34db73\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\ki132032.inf_amd64_f29660d80998e019\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\ki132337.inf_amd64_223d6831ffa64ab1\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\ki132535.inf_amd64_7875dff189ab2fa2\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\ki132544.inf_amd64_b8c1f31373153db4\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\ki132574.inf_amd64_54c9b905b975ee55\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\ki132869.inf_amd64_052eb72d070df60f\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\kit126731.inf_amd64_1905c9d5f38631d9\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -dnscmd.exe,c:\windows\system32\*,A command-line interface for managing DNS servers -dnscmd.exe,c:\windows\syswow64\*,A command-line interface for managing DNS servers -wab.exe,c:\program files\windows mail\*,Windows address book manager -wab.exe,c:\program files (x86)\windows mail\*,Windows address book manager -msconfig.exe,c:\windows\system32\*,"MSConfig is a troubleshooting tool which is used to temporarily disable or re-enable software, device drivers or Windows services that run during startup process to help the user determine the cause of a problem with Windows" -wscript.exe,c:\windows\system32\*,Used by Windows to execute scripts -wscript.exe,c:\windows\syswow64\*,Used by Windows to execute scripts -makecab.exe,c:\windows\system32\*,Binary to package existing files into a cabinet (.cab) file -makecab.exe,c:\windows\syswow64\*,Binary to package existing files into a cabinet (.cab) file -datasvcutil.exe,c:\windows\microsoft.net\framework64\v3.5\*,DataSvcUtil.exe is a command-line tool provided by WCF Data Services that consumes an Open Data Protocol (OData) feed and generates the client data service classes that are needed to access a data service from a .NET Framework client application. -cmdl32.exe,c:\windows\system32\*,Microsoft Connection Manager Auto-Download -cmdl32.exe,c:\windows\syswow64\*,Microsoft Connection Manager Auto-Download -mshta.exe,c:\windows\system32\*,Used by Windows to execute html applications. (.hta) -mshta.exe,c:\windows\syswow64\*,Used by Windows to execute html applications. (.hta) -cmdkey.exe,c:\windows\system32\*,"creates, lists, and deletes stored user names and passwords or credentials." -cmdkey.exe,c:\windows\syswow64\*,"creates, lists, and deletes stored user names and passwords or credentials." -ilasm.exe,c:\windows\microsoft.net\framework\v4.0.30319\*,used for compile c# code into dll or exe. -ilasm.exe,c:\windows\microsoft.net\framework64\v4.0.30319\*,used for compile c# code into dll or exe. -rdrleakdiag.exe,c:\windows\system32\*,Microsoft Windows resource leak diagnostic tool -rdrleakdiag.exe,c:\windows\syswow64\*,Microsoft Windows resource leak diagnostic tool -mpcmdrun.exe,c:\programdata\microsoft\windows defender\platform\4.18.2008.4-0\*,Binary part of Windows Defender. Used to manage settings in Windows Defender -mpcmdrun.exe,c:\programdata\microsoft\windows defender\platform\4.18.2008.7-0\*,Binary part of Windows Defender. Used to manage settings in Windows Defender -mpcmdrun.exe,c:\programdata\microsoft\windows defender\platform\4.18.2008.9-0\*,Binary part of Windows Defender. Used to manage settings in Windows Defender -jsc.exe,c:\windows\microsoft.net\framework\v4.0.30319\*,Binary file used by .NET to compile javascript code to .exe or .dll format -jsc.exe,c:\windows\microsoft.net\framework64\v4.0.30319\*,Binary file used by .NET to compile javascript code to .exe or .dll format -jsc.exe,c:\windows\microsoft.net\framework\v2.0.50727\*,Binary file used by .NET to compile javascript code to .exe or .dll format -jsc.exe,c:\windows\microsoft.net\framework64\v2.0.50727\*,Binary file used by .NET to compile javascript code to .exe or .dll format -cmstp.exe,c:\windows\system32\*,Installs or removes a Connection Manager service profile. -cmstp.exe,c:\windows\syswow64\*,Installs or removes a Connection Manager service profile. -stordiag.exe,c:\windows\system32\*,Storage diagnostic tool -stordiag.exe,c:\windows\syswow64\*,Storage diagnostic tool -odbcconf.exe,c:\windows\system32\*,Used in Windows for managing ODBC connections -odbcconf.exe,c:\windows\syswow64\*,Used in Windows for managing ODBC connections -wlrmdr.exe,c:\windows\system32\*,Windows Logon Reminder executable -printbrm.exe,c:\windows\system32\spool\tools\*,Printer Migration Command-Line Tool -dfsvc.exe,c:\windows\microsoft.net\framework\v2.0.50727\*,ClickOnce engine in Windows used by .NET -dfsvc.exe,c:\windows\microsoft.net\framework64\v2.0.50727\*,ClickOnce engine in Windows used by .NET -dfsvc.exe,c:\windows\microsoft.net\framework\v4.0.30319\*,ClickOnce engine in Windows used by .NET -dfsvc.exe,c:\windows\microsoft.net\framework64\v4.0.30319\*,ClickOnce engine in Windows used by .NET -extrac32.exe,c:\windows\system32\*,"Extract to ADS, copy or overwrite a file with Extrac32.exe" -extrac32.exe,c:\windows\syswow64\*,"Extract to ADS, copy or overwrite a file with Extrac32.exe" -rundll32.exe,c:\windows\system32\*,Used by Windows to execute dll files -rundll32.exe,c:\windows\syswow64\*,Used by Windows to execute dll files -runonce.exe,c:\windows\system32\*,Executes a Run Once Task that has been configured in the registry -runonce.exe,c:\windows\syswow64\*,Executes a Run Once Task that has been configured in the registry -explorer.exe,c:\windows\*,Binary used for managing files and system components within Windows -explorer.exe,c:\windows\syswow64\*,Binary used for managing files and system components within Windows -wuauclt.exe,c:\windows\system32\*,Windows Update Client -wsreset.exe,c:\windows\system32\*,Used to reset Windows Store settings according to its manifest file -finger.exe,c:\windows\system32\*,Displays information about a user or users on a specified remote computer that is running the Finger service or daemon -finger.exe,c:\windows\syswow64\*,Displays information about a user or users on a specified remote computer that is running the Finger service or daemon -regini.exe,c:\windows\system32\*,Used to manipulate the registry -regini.exe,c:\windows\syswow64\*,Used to manipulate the registry -reg.exe,c:\windows\system32\*,Used to manipulate the registry -reg.exe,c:\windows\syswow64\*,Used to manipulate the registry -syncappvpublishingserver.exe,c:\windows\system32\*,Used by App-v to get App-v server lists -syncappvpublishingserver.exe,c:\windows\syswow64\*,Used by App-v to get App-v server lists -bitsadmin.exe,c:\windows\system32\*,Used for managing background intelligent transfer -bitsadmin.exe,c:\windows\syswow64\*,Used for managing background intelligent transfer -msiexec.exe,c:\windows\system32\*,Used by Windows to execute msi files -msiexec.exe,c:\windows\syswow64\*,Used by Windows to execute msi files -regsvcs.exe,c:\windows\system32\*,Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies -regsvcs.exe,c:\windows\syswow64\*,Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies -gpscript.exe,c:\windows\system32\*,Used by group policy to process scripts -gpscript.exe,c:\windows\syswow64\*,Used by group policy to process scripts -diskshadow.exe,c:\windows\system32\*,Diskshadow.exe is a tool that exposes the functionality offered by the volume shadow copy Service (VSS). -diskshadow.exe,c:\windows\syswow64\*,Diskshadow.exe is a tool that exposes the functionality offered by the volume shadow copy Service (VSS). -ieexec.exe,c:\windows\microsoft.net\framework\v2.0.50727\*,The IEExec.exe application is an undocumented Microsoft .NET Framework application that is included with the .NET Framework. You can use the IEExec.exe application as a host to run other managed applications that you start by using a URL. -ieexec.exe,c:\windows\microsoft.net\framework64\v2.0.50727\*,The IEExec.exe application is an undocumented Microsoft .NET Framework application that is included with the .NET Framework. You can use the IEExec.exe application as a host to run other managed applications that you start by using a URL. -diantz.exe,c:\windows\system32\*,Binary that package existing files into a cabinet (.cab) file -diantz.exe,c:\windows\syswow64\*,Binary that package existing files into a cabinet (.cab) file -desktopimgdownldr.exe,c:\windows\system32\*,Windows binary used to configure lockscreen/desktop image -appinstaller.exe,c:\program files\windowsapps\microsoft.desktopappinstaller_1.11.2521.0_x64__8wekyb3d8bbwe\*,Tool used for installation of AppX/MSIX applications on Windows 10 -sc.exe,c:\windows\system32\*,Used by Windows to manage services -sc.exe,c:\windows\syswow64\*,Used by Windows to manage services -replace.exe,c:\windows\system32\*,Used to replace file with another file -replace.exe,c:\windows\syswow64\*,Used to replace file with another file -schtasks.exe,c:\windows\system32\*,Schedule periodic tasks -schtasks.exe,c:\windows\syswow64\*,Schedule periodic tasks -microsoft.workflow.compiler.exe,c:\windows\microsoft.net\framework64\v4.0.30319\*,A utility included with .NET that is capable of compiling and executing C# or VB.net code. -expand.exe,c:\windows\system32\*,Binary that expands one or more compressed files -expand.exe,c:\windows\syswow64\*,Binary that expands one or more compressed files -conhost.exe,c:\windows\system32\*,Console Window host -bash.exe,c:\windows\system32\*,File used by Windows subsystem for Linux -bash.exe,c:\windows\syswow64\*,File used by Windows subsystem for Linux -pcwrun.exe,c:\windows\system32\*,Program Compatibility Wizard -fltmc.exe,c:\windows\system32\*,Filter Manager Control Program used by Windows -wmic.exe,c:\windows\system32\wbem\*,The WMI command-line (WMIC) utility provides a command-line interface for WMI -wmic.exe,c:\windows\syswow64\wbem\*,The WMI command-line (WMIC) utility provides a command-line interface for WMI -workfolders.exe,c:\windows\system32\*,Work Folders -settingsynchost.exe,c:\windows\system32\*,Host Process for Setting Synchronization -settingsynchost.exe,c:\windows\syswow64\*,Host Process for Setting Synchronization -pktmon.exe,c:\windows\system32\*,Capture Network Packets on the windows 10 with October 2018 Update or later. -pktmon.exe,c:\windows\syswow64\*,Capture Network Packets on the windows 10 with October 2018 Update or later. -aspnet_compiler.exe,c:\windows\microsoft.net\framework\v4.0.30319\*,ASP.NET Compilation Tool -aspnet_compiler.exe,c:\windows\microsoft.net\framework64\v4.0.30319\*,ASP.NET Compilation Tool -cscript.exe,c:\windows\system32\*,Binary used to execute scripts in Windows -cscript.exe,c:\windows\syswow64\*,Binary used to execute scripts in Windows -installutil.exe,c:\windows\microsoft.net\framework\v2.0.50727\*,The Installer tool is a command-line utility that allows you to install and uninstall server resources by executing the installer components in specified assemblies -installutil.exe,c:\windows\microsoft.net\framework64\v2.0.50727\*,The Installer tool is a command-line utility that allows you to install and uninstall server resources by executing the installer components in specified assemblies -installutil.exe,c:\windows\microsoft.net\framework\v4.0.30319\*,The Installer tool is a command-line utility that allows you to install and uninstall server resources by executing the installer components in specified assemblies -installutil.exe,c:\windows\microsoft.net\framework64\v4.0.30319\*,The Installer tool is a command-line utility that allows you to install and uninstall server resources by executing the installer components in specified assemblies -esentutl.exe,c:\windows\system32\*,Binary for working with Microsoft Joint Engine Technology (JET) database -esentutl.exe,c:\windows\syswow64\*,Binary for working with Microsoft Joint Engine Technology (JET) database -hh.exe,c:\windows\*,Binary used for processing chm files in Windows -hh.exe,c:\windows\syswow64\*,Binary used for processing chm files in Windows -findstr.exe,c:\windows\system32\*,"Write to ADS, discover, or download files with Findstr.exe" -findstr.exe,c:\windows\syswow64\*,"Write to ADS, discover, or download files with Findstr.exe" -verclsid.exe,c:\windows\system32\*,Used to verify a COM object before it is instantiated by Windows Explorer -verclsid.exe,c:\windows\syswow64\*,Used to verify a COM object before it is instantiated by Windows Explorer -certreq.exe,c:\windows\system32\*,Used for requesting and managing certificates -certreq.exe,c:\windows\syswow64\*,Used for requesting and managing certificates -csc.exe,c:\windows\microsoft.net\framework\v4.0.30319\*,Binary file used by .NET to compile C# code -csc.exe,c:\windows\microsoft.net\framework64\v4.0.30319\*,Binary file used by .NET to compile C# code -imewdbld.exe,c:\windows\system32\ime\shared\*,Microsoft IME Open Extended Dictionary Module -presentationhost.exe,c:\windows\system32\*,File is used for executing Browser applications -presentationhost.exe,c:\windows\syswow64\*,File is used for executing Browser applications -shell32.dll,c:\windows\system32\*,Windows Shell Common Dll -shell32.dll,c:\windows\syswow64\*,Windows Shell Common Dll -zipfldr.dll,c:\windows\system32\*,Compressed Folder library -zipfldr.dll,c:\windows\syswow64\*,Compressed Folder library -desk.cpl,c:\windows\system32\*,Desktop Settings Control Panel -desk.cpl,c:\windows\syswow64\*,Desktop Settings Control Panel -comsvcs.dll,c:\windows\system32\*,COM+ Services -setupapi.dll,c:\windows\system32\*,Windows Setup Application Programming Interface -setupapi.dll,c:\windows\syswow64\*,Windows Setup Application Programming Interface -mshtml.dll,c:\windows\system32\*,Microsoft HTML Viewer -mshtml.dll,c:\windows\syswow64\*,Microsoft HTML Viewer -advpack.dll,c:\windows\system32\*,Utility for installing software and drivers with rundll32.exe -advpack.dll,c:\windows\syswow64\*,Utility for installing software and drivers with rundll32.exe -pcwutl.dll,c:\windows\system32\*,Microsoft HTML Viewer -pcwutl.dll,c:\windows\syswow64\*,Microsoft HTML Viewer -shdocvw.dll,c:\windows\system32\*,Shell Doc Object and Control Library. -shdocvw.dll,c:\windows\syswow64\*,Shell Doc Object and Control Library. -ieframe.dll,c:\windows\system32\*,Internet Browser DLL for translating HTML code. -ieframe.dll,c:\windows\syswow64\*,Internet Browser DLL for translating HTML code. -dfshim.dll,c:\windows\microsoft.net\framework\v2.0.50727\*,ClickOnce engine in Windows used by .NET -dfshim.dll,c:\windows\microsoft.net\framework64\v2.0.50727\*,ClickOnce engine in Windows used by .NET -dfshim.dll,c:\windows\microsoft.net\framework\v4.0.30319\*,ClickOnce engine in Windows used by .NET -dfshim.dll,c:\windows\microsoft.net\framework64\v4.0.30319\*,ClickOnce engine in Windows used by .NET -url.dll,c:\windows\system32\*,Internet Shortcut Shell Extension DLL. -url.dll,c:\windows\syswow64\*,Internet Shortcut Shell Extension DLL. -ieadvpack.dll,c:\windows\system32\*,INF installer for Internet Explorer. Has much of the same functionality as advpack.dll. -ieadvpack.dll,c:\windows\syswow64\*,INF installer for Internet Explorer. Has much of the same functionality as advpack.dll. -syssetup.dll,c:\windows\system32\*,Windows NT System Setup -syssetup.dll,c:\windows\syswow64\*,Windows NT System Setup -winrm.vbs,c:\windows\system32\*,Script used for manage Windows RM settings -winrm.vbs,c:\windows\syswow64\*,Script used for manage Windows RM settings -manage-bde.wsf,c:\windows\system32\*,Script for managing BitLocker -cl_mutexverifiers.ps1,c:\windows\diagnostics\system\windowsupdate\*,Proxy execution with CL_Mutexverifiers.ps1 -cl_mutexverifiers.ps1,c:\windows\diagnostics\system\audio\*,Proxy execution with CL_Mutexverifiers.ps1 -cl_mutexverifiers.ps1,c:\windows\diagnostics\system\video\*,Proxy execution with CL_Mutexverifiers.ps1 -cl_mutexverifiers.ps1,c:\windows\diagnostics\system\speech\*,Proxy execution with CL_Mutexverifiers.ps1 -pubprn.vbs,c:\windows\system32\printing_admin_scripts\en-us\*,Proxy execution with Pubprn.vbs -pubprn.vbs,c:\windows\syswow64\printing_admin_scripts\en-us\*,Proxy execution with Pubprn.vbs -pester.bat,c:\program files\windowspowershell\modules\pester\3.4.0\bin\*,Used as part of the Powershell pester -pester.bat,c:\program files\windowspowershell\modules\pester\*\bin\*,Used as part of the Powershell pester -cl_loadassembly.ps1,c:\windows\diagnostics\system\audio\*,PowerShell Diagnostic Script -syncappvpublishingserver.vbs,c:\windows\system32\*,Script used related to app-v and publishing server -cl_invocation.ps1,c:\windows\diagnostics\system\aero\*,Aero diagnostics script -cl_invocation.ps1,c:\windows\diagnostics\system\audio\*,Aero diagnostics script -cl_invocation.ps1,c:\windows\diagnostics\system\windowsupdate\*,Aero diagnostics script -utilityfunctions.ps1,c:\windows\diagnostics\system\networking\*,PowerShell Diagnostic Script -coregen.exe,c:\program files\microsoft silverlight\5.1.50918.0\*,"Binary coregen.exe (Microsoft CoreCLR Native Image Generator) loads exported function GetCLRRuntimeHost from coreclr.dll or from .DLL in arbitrary path. Coregen is located within ""C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\"" or another version of Silverlight. Coregen is signed by Microsoft and bundled with Microsoft Silverlight." -coregen.exe,c:\program files (x86)\microsoft silverlight\5.1.50918.0\*,"Binary coregen.exe (Microsoft CoreCLR Native Image Generator) loads exported function GetCLRRuntimeHost from coreclr.dll or from .DLL in arbitrary path. Coregen is located within ""C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\"" or another version of Silverlight. Coregen is signed by Microsoft and bundled with Microsoft Silverlight." -fsi.exe,c:\program files\dotnet\sdk\[sdk version]\fsharp\*,64-bit FSharp (F#) Interpreter included with Visual Studio and DotNet Core SDK. -fsi.exe,c:\program files (x86)\microsoft visual studio\2019\professional\common7\ide\commonextensions\microsoft\fsharp\*,64-bit FSharp (F#) Interpreter included with Visual Studio and DotNet Core SDK. -visualuiaverifynative.exe,c:\program files (x86)\windows kits\10\bin\[sdk version]\arm64\uiaverify\*,A Windows SDK binary for manual and automated testing of Microsoft UI Automation implementation and controls. -visualuiaverifynative.exe,c:\program files (x86)\windows kits\10\bin\[sdk version]\x64\uiaverify\*,A Windows SDK binary for manual and automated testing of Microsoft UI Automation implementation and controls. -visualuiaverifynative.exe,c:\program files (x86)\windows kits\10\bin\[sdk version]\uiaverify\*,A Windows SDK binary for manual and automated testing of Microsoft UI Automation implementation and controls. -ntdsutil.exe,c:\windows\system32\*,Command line utility used to export Active Directory. -sqltoolsps.exe,c:\program files (x86)\microsoft sql server\130\tools\binn\*,Tool included with Microsoft SQL that loads SQL Server cmdlts. A replacement for sqlps.exe. Successor to sqlps.exe in SQL Server 2016+. -dump64.exe,c:\program files (x86)\microsoft visual studio\installer\feedback\*,Memory dump tool that comes with Microsoft Visual Studio -wsl.exe,c:\windows\system32\*,Windows subsystem for Linux executable -csi.exe,c:\program files (x86)\microsoft visual studio\2017\community\msbuild\15.0\bin\roslyn\*,Command line interface included with Visual Studio. -csi.exe,c:\program files (x86)\microsoft web tools\packages\microsoft.net.compilers.x.y.z\tools\*,Command line interface included with Visual Studio. -mftrace.exe,c:\program files (x86)\windows kits\10\bin\10.0.16299.0\*,Trace log generation tool for Media Foundation Tools. -mftrace.exe,c:\program files (x86)\windows kits\10\bin\*,Trace log generation tool for Media Foundation Tools. -adplus.exe,c:\program files (x86)\windows kits\10\debuggers\x64\*,Debugging tool included with Windows Debugging Tools -adplus.exe,c:\program files (x86)\windows kits\10\debuggers\x86\*,Debugging tool included with Windows Debugging Tools -excel.exe,c:\program files (x86)\microsoft office 16\clientx86\root\office16\*,Microsoft Office binary -excel.exe,c:\program files\microsoft office 16\clientx64\root\office16\*,Microsoft Office binary -excel.exe,c:\program files (x86)\microsoft office\office16\*,Microsoft Office binary -excel.exe,c:\program files\microsoft office\office16\*,Microsoft Office binary -excel.exe,c:\program files (x86)\microsoft office 15\clientx86\root\office15\*,Microsoft Office binary -excel.exe,c:\program files\microsoft office 15\clientx64\root\office15\*,Microsoft Office binary -excel.exe,c:\program files (x86)\microsoft office\office15\*,Microsoft Office binary -excel.exe,c:\program files\microsoft office\office15\*,Microsoft Office binary -excel.exe,c:\program files (x86)\microsoft office 14\clientx86\root\office14\*,Microsoft Office binary -excel.exe,c:\program files\microsoft office 14\clientx64\root\office14\*,Microsoft Office binary -excel.exe,c:\program files (x86)\microsoft office\office14\*,Microsoft Office binary -excel.exe,c:\program files\microsoft office\office14\*,Microsoft Office binary -excel.exe,c:\program files (x86)\microsoft office\office12\*,Microsoft Office binary -excel.exe,c:\program files\microsoft office\office12\*,Microsoft Office binary -dotnet.exe,c:\program files\dotnet\*,dotnet.exe comes with .NET Framework -sqlps.exe,c:\program files (x86)\microsoft sql server\100\tools\binn\*,"Tool included with Microsoft SQL Server that loads SQL Server cmdlets. Microsoft SQL Server\100 and 110 are Powershell v2. Microsoft SQL Server\120 and 130 are Powershell version 4. Replaced by SQLToolsPS.exe in SQL Server 2016, but will be included with installation for compatability reasons." -sqlps.exe,c:\program files (x86)\microsoft sql server\110\tools\binn\*,"Tool included with Microsoft SQL Server that loads SQL Server cmdlets. Microsoft SQL Server\100 and 110 are Powershell v2. Microsoft SQL Server\120 and 130 are Powershell version 4. Replaced by SQLToolsPS.exe in SQL Server 2016, but will be included with installation for compatability reasons." -sqlps.exe,c:\program files (x86)\microsoft sql server\120\tools\binn\*,"Tool included with Microsoft SQL Server that loads SQL Server cmdlets. Microsoft SQL Server\100 and 110 are Powershell v2. Microsoft SQL Server\120 and 130 are Powershell version 4. Replaced by SQLToolsPS.exe in SQL Server 2016, but will be included with installation for compatability reasons." -sqlps.exe,c:\program files (x86)\microsoft sql server\130\tools\binn\*,"Tool included with Microsoft SQL Server that loads SQL Server cmdlets. Microsoft SQL Server\100 and 110 are Powershell v2. Microsoft SQL Server\120 and 130 are Powershell version 4. Replaced by SQLToolsPS.exe in SQL Server 2016, but will be included with installation for compatability reasons." -sqlps.exe,c:\program files (x86)\microsoft sql server\150\tools\binn\*,"Tool included with Microsoft SQL Server that loads SQL Server cmdlets. Microsoft SQL Server\100 and 110 are Powershell v2. Microsoft SQL Server\120 and 130 are Powershell version 4. Replaced by SQLToolsPS.exe in SQL Server 2016, but will be included with installation for compatability reasons." -acccheckconsole.exe,c:\program files (x86)\windows kits\10\bin\10.0.22000.0\x86\accchecker\*,Verifies UI accessibility requirements -acccheckconsole.exe,c:\program files (x86)\windows kits\10\bin\10.0.22000.0\x64\accchecker\*,Verifies UI accessibility requirements -acccheckconsole.exe,c:\program files (x86)\windows kits\10\bin\10.0.22000.0\arm\accchecker\*,Verifies UI accessibility requirements -acccheckconsole.exe,c:\program files (x86)\windows kits\10\bin\10.0.22000.0\arm64\accchecker\*,Verifies UI accessibility requirements -powerpnt.exe,c:\program files (x86)\microsoft office 16\clientx86\root\office16\*,Microsoft Office binary. -powerpnt.exe,c:\program files\microsoft office 16\clientx64\root\office16\*,Microsoft Office binary. -powerpnt.exe,c:\program files (x86)\microsoft office\office16\*,Microsoft Office binary. -powerpnt.exe,c:\program files\microsoft office\office16\*,Microsoft Office binary. -powerpnt.exe,c:\program files (x86)\microsoft office 15\clientx86\root\office15\*,Microsoft Office binary. -powerpnt.exe,c:\program files\microsoft office 15\clientx64\root\office15\*,Microsoft Office binary. -powerpnt.exe,c:\program files (x86)\microsoft office\office15\*,Microsoft Office binary. -powerpnt.exe,c:\program files\microsoft office\office15\*,Microsoft Office binary. -powerpnt.exe,c:\program files (x86)\microsoft office 14\clientx86\root\office14\*,Microsoft Office binary. -powerpnt.exe,c:\program files\microsoft office 14\clientx64\root\office14\*,Microsoft Office binary. -powerpnt.exe,c:\program files (x86)\microsoft office\office14\*,Microsoft Office binary. -powerpnt.exe,c:\program files\microsoft office\office14\*,Microsoft Office binary. -powerpnt.exe,c:\program files (x86)\microsoft office\office12\*,Microsoft Office binary. -powerpnt.exe,c:\program files\microsoft office\office12\*,Microsoft Office binary. -sqldumper.exe,c:\program files\microsoft sql server\90\shared\*,Debugging utility included with Microsoft SQL. -sqldumper.exe,c:\program files (x86)\microsoft office\root\vfs\programfilesx86\microsoft analysis\as oledb\140\*,Debugging utility included with Microsoft SQL. -remote.exe,c:\program files (x86)\windows kits\10\debuggers\x64\*,Debugging tool included with Windows Debugging Tools -remote.exe,c:\program files (x86)\windows kits\10\debuggers\x86\*,Debugging tool included with Windows Debugging Tools -appvlp.exe,c:\program files\microsoft office\root\client\*,Application Virtualization Utility Included with Microsoft Office 2016 -appvlp.exe,c:\program files (x86)\microsoft office\root\client\*,Application Virtualization Utility Included with Microsoft Office 2016 -agentexecutor.exe,c:\program files (x86)\*,Intune Management Extension included on Intune Managed Devices -dxcap.exe,c:\windows\system32\*,DirectX diagnostics/debugger included with Visual Studio. -dxcap.exe,c:\windows\syswow64\*,DirectX diagnostics/debugger included with Visual Studio. -cdb.exe,c:\program files (x86)\windows kits\10\debuggers\x64\*,Debugging tool included with Windows Debugging Tools. -cdb.exe,c:\program files (x86)\windows kits\10\debuggers\x86\*,Debugging tool included with Windows Debugging Tools. -defaultpack.exe,c:\program files (x86)\microsoft\defaultpack\*,This binary can be downloaded along side multiple software downloads on the microsoft website. It gets downloaded when the user forgets to uncheck the option to set Bing as the default search provider. -devtoolslauncher.exe,c:\windows\system32\*,Binary will execute specified binary. Part of VS/VScode installation. -vsiisexelauncher.exe,c:\program files (x86)\microsoft visual studio\2019\community\common7\ide\extensions\microsoft\web tools\projectsystem\*,Binary will execute specified binary. Part of VS/VScode installation. -winword.exe,c:\program files\microsoft office\root\office16\*,Microsoft Office binary -winword.exe,c:\program files (x86)\microsoft office 16\clientx86\root\office16\*,Microsoft Office binary -winword.exe,c:\program files\microsoft office 16\clientx64\root\office16\*,Microsoft Office binary -winword.exe,c:\program files (x86)\microsoft office\office16\*,Microsoft Office binary -winword.exe,c:\program files\microsoft office\office16\*,Microsoft Office binary -winword.exe,c:\program files (x86)\microsoft office 15\clientx86\root\office15\*,Microsoft Office binary -winword.exe,c:\program files\microsoft office 15\clientx64\root\office15\*,Microsoft Office binary -winword.exe,c:\program files (x86)\microsoft office\office15\*,Microsoft Office binary -winword.exe,c:\program files\microsoft office\office15\*,Microsoft Office binary -winword.exe,c:\program files (x86)\microsoft office 14\clientx86\root\office14\*,Microsoft Office binary -winword.exe,c:\program files\microsoft office 14\clientx64\root\office14\*,Microsoft Office binary -winword.exe,c:\program files (x86)\microsoft office\office14\*,Microsoft Office binary -winword.exe,c:\program files\microsoft office\office14\*,Microsoft Office binary -winword.exe,c:\program files (x86)\microsoft office\office12\*,Microsoft Office binary -winword.exe,c:\program files\microsoft office\office12\*,Microsoft Office binary -fsianycpu.exe,c:\program files (x86)\microsoft visual studio\2019\professional\common7\ide\commonextensions\microsoft\fsharp\*,32/64-bit FSharp (F#) Interpreter included with Visual Studio. -vsjitdebugger.exe,c:\windows\system32\*,Just-In-Time (JIT) debugger included with Visual Studio -wfc.exe,c:\program files (x86)\microsoft sdks\windows\v10.0a\bin\netfx 4.8 tools\*,The Workflow Command-line Compiler tool is included with the Windows Software Development Kit (SDK). -msdeploy.exe,c:\program files (x86)\iis\microsoft web deploy v3\*,Microsoft tool used to deploy Web Applications. diff --git a/dist/DA-ESS-ContentUpdate/lookups/loldrivers.csv b/dist/DA-ESS-ContentUpdate/lookups/loldrivers.csv deleted file mode 100644 index cda3037470..0000000000 --- a/dist/DA-ESS-ContentUpdate/lookups/loldrivers.csv +++ /dev/null @@ -1,251 +0,0 @@ -driver_name,driver_description,is_driver -*\ADV64DRV.sys,https://github.com/namazso/physmem_drivers,TRUE -*\Agent64.sys,https://github.com/namazso/physmem_drivers,TRUE -*\ALSysIO64.sys,https://github.com/namazso/physmem_drivers,TRUE -*\amifldrv64.sys,https://github.com/namazso/physmem_drivers,TRUE -*\AsIO.sys,https://github.com/namazso/physmem_drivers,TRUE -*\AsIO64.sys,https://github.com/namazso/physmem_drivers,TRUE -*\asmmap64.sys,https://github.com/namazso/physmem_drivers,TRUE -*\AsrAutoChkUpdDrv.sys,https://github.com/namazso/physmem_drivers,TRUE -*\AsrDrv10.sys,https://github.com/namazso/physmem_drivers,TRUE -*\AsrDrv101.sys,https://github.com/namazso/physmem_drivers,TRUE -*\AsrIbDrv.sys,https://github.com/namazso/physmem_drivers,TRUE -*\AsrOmgDrv.sys,https://github.com/namazso/physmem_drivers,TRUE -*\AsrRapidStartDrv.sys,https://github.com/namazso/physmem_drivers,TRUE -*\AsrSmartConnectDrv.sys,https://github.com/namazso/physmem_drivers,TRUE -*\AsUpIO.sys,https://github.com/namazso/physmem_drivers,TRUE -*\atillk64.sys,https://github.com/namazso/physmem_drivers,TRUE -*\BS_Def64.sys,https://github.com/namazso/physmem_drivers,TRUE -*\CITMDRV_AMD64.sys,https://github.com/namazso/physmem_drivers,TRUE -*\CITMDRV_IA64.sys,https://github.com/namazso/physmem_drivers,TRUE -*\cpuz_x64.sys,https://github.com/namazso/physmem_drivers,TRUE -*\cpuz141.sys,https://github.com/namazso/physmem_drivers,TRUE -*\dbutil_2_3.sys,https://github.com/namazso/physmem_drivers,TRUE -*\Dh_Kernel_10.sys,https://github.com/namazso/physmem_drivers,TRUE -*\Dh_Kernel.sys,https://github.com/namazso/physmem_drivers,TRUE -*\gdrv.sys,https://github.com/namazso/physmem_drivers,TRUE -*\GLCKIO2.sys,https://github.com/namazso/physmem_drivers,TRUE -*\HOSTNT.sys,https://github.com/namazso/physmem_drivers,TRUE -*\HwRwDrv.sys,https://github.com/namazso/physmem_drivers,TRUE -*\inpoutx64.sys,https://github.com/namazso/physmem_drivers,TRUE -*\iomem64.sys,https://github.com/namazso/physmem_drivers,TRUE -*\Mhyprot2.sys,https://github.com/namazso/physmem_drivers,TRUE -*\MsIo64.sys,https://github.com/namazso/physmem_drivers,TRUE -*\msrhook.sys,https://github.com/namazso/physmem_drivers,TRUE -*\NTIOLib.sys,https://github.com/namazso/physmem_drivers,TRUE -*\OpenLibSys.sys,https://github.com/namazso/physmem_drivers,TRUE -*\Se64a.sys,https://github.com/namazso/physmem_drivers,TRUE -*\smep_capcom.sys,https://github.com/namazso/physmem_drivers,TRUE -*\smep_namco.sys,https://github.com/namazso/physmem_drivers,TRUE -*\SysInfo.sys,https://github.com/namazso/physmem_drivers,TRUE -*\VProEventMonitor.sys,https://github.com/namazso/physmem_drivers,TRUE -*\WCPU.sys,https://github.com/namazso/physmem_drivers,TRUE -*\WINIODrv.sys,https://github.com/namazso/physmem_drivers,TRUE -*\WinRing0.sys,https://github.com/namazso/physmem_drivers,TRUE -*\physmem.sys,https://github.com/jbaines-r7/dellicious and https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/,TRUE -*\procexp152.sys,https://github.com/jbaines-r7/dellicious and https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/,TRUE -*\viraglt64.sys,https://github.com/jbaines-r7/dellicious and https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/,TRUE -*\vboxdrv.sys,https://github.com/jbaines-r7/dellicious and https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/,TRUE -*\rwdrv.sys,https://github.com/jbaines-r7/dellicious and https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/,TRUE -*\speedfan.sys,https://github.com/jbaines-r7/dellicious and https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/,TRUE -*\kprocesshacker.sys,https://github.com/jbaines-r7/dellicious and https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/,TRUE -*\sandra.sys,https://github.com/jbaines-r7/dellicious and https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/,TRUE -*\elbycdio.sys,https://github.com/jbaines-r7/dellicious and https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/,TRUE -*\goad.sys,https://github.com/jbaines-r7/dellicious and https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/,TRUE -*\aswsnx.sys,https://github.com/jbaines-r7/dellicious and https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/,TRUE -*\sandbox.sys,https://github.com/jbaines-r7/dellicious and https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/,TRUE -*\nicm.sys,https://github.com/jbaines-r7/dellicious and https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/,TRUE -*\nscm.sys,https://github.com/jbaines-r7/dellicious and https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/,TRUE -*\ncpl.sys,https://github.com/jbaines-r7/dellicious and https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/,TRUE -*\elrawdsk.sys,https://github.com/jbaines-r7/dellicious and https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/,TRUE -*\DBUtilDrv2.sys,https://github.com/jbaines-r7/dellicious and https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/,TRUE -*\BS_RCIO64.sys,https://github.com/jbaines-r7/dellicious and https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/,TRUE -*\mhyprot.sys,https://github.com/jbaines-r7/dellicious and https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/,TRUE -*\EneTechIo64.sys,https://gist.github.com/k4nfr3/af970e7facb09195e56f2112e1c9549c,TRUE -*\amp.sys,https://gist.github.com/k4nfr3/af970e7facb09195e56f2112e1c9549c,TRUE -*\EneIo64.sys,https://gist.github.com/k4nfr3/af970e7facb09195e56f2112e1c9549c,TRUE -*\ATSZIO.sys,https://gist.github.com/k4nfr3/af970e7facb09195e56f2112e1c9549c,TRUE -*\NalDrv.sys,https://gist.github.com/k4nfr3/af970e7facb09195e56f2112e1c9549c,TRUE -*\DirectIo32.sys,https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15480/CVE-2020-15480.md,TRUE -*\DirectIo64.sys,https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15480/CVE-2020-15480.md,TRUE -*\AsUpIO64.sys,https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md,TRUE -*\AsrDrv102.sys,https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md,TRUE -*\AsrDrv103.sys,https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md,TRUE -*\BSMEMx64.sys,https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md,TRUE -*\BSMIXP64.sys,https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md,TRUE -*\BSMIx64.sys,https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md,TRUE -*\BS_Flash64.sys,https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md,TRUE -*\BS_HWMIO64_W10.sys,https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md,TRUE -*\BS_HWMIo64.sys,https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md,TRUE -*\BS_I2c64.sys,https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md,TRUE -*\GVCIDrv64.sys,https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md,TRUE -*\HwOs2Ec10x64.sys,https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md,TRUE -*\HwOs2Ec7x64.sys,https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md,TRUE -*\NBIOLib_X64.sys,https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md,TRUE -*\NCHGBIOS2x64.SYS,https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md,TRUE -*\NTIOLib_X64.sys,https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md,TRUE -*\PhlashNT.sys,https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md,TRUE -*\Phymemx64.sys,https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md,TRUE -*\UCOREW64.SYS,https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md,TRUE -*\WinFlash64.sys,https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md,TRUE -*\WinRing0x64.sys,https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md,TRUE -*\dbk64.sys,https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md,TRUE -*\mtcBSv64.sys,https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md,TRUE -*\nvflash.sys,https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md,TRUE -*\nvflsh64.sys,https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md,TRUE -*\phymem64.sys,https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md,TRUE -*\rtkio64.sys,https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md,TRUE -*\rtkiow10x64.sys,https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md,TRUE -*\rtkiow8x64.sys,https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md,TRUE -*\segwindrvx64.sys,https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md,TRUE -*\superbmc.sys,https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md,TRUE -*\semav6msr.sys,https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md,TRUE -*\piddrv64.sys,https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md,TRUE -*\BS_I2cIo.sys,https://github.com/elastic/protections-artifacts/search?q=VulnDriver,TRUE -*\rtkio.sys,https://github.com/elastic/protections-artifacts/search?q=VulnDriver,TRUE -*\AMDRyzenMasterDriver.sys,https://github.com/elastic/protections-artifacts/search?q=VulnDriver,TRUE -*\LHA.sys,https://github.com/elastic/protections-artifacts/search?q=VulnDriver,TRUE -*\kEvP64.sys,https://github.com/elastic/protections-artifacts/search?q=VulnDriver,TRUE -*\BSMI.sys,https://github.com/elastic/protections-artifacts/search?q=VulnDriver,TRUE -*\TmComm.sys,https://github.com/elastic/protections-artifacts/search?q=VulnDriver,TRUE -*\cpuz.sys,https://github.com/elastic/protections-artifacts/search?q=VulnDriver,TRUE -*\iQVW64.SYS,https://github.com/elastic/protections-artifacts/search?q=VulnDriver,TRUE -*\vmdrv.sys,https://github.com/elastic/protections-artifacts/search?q=VulnDriver,TRUE -*\HpPortIox64.sys,https://github.com/elastic/protections-artifacts/search?q=VulnDriver,TRUE -*\AMDPowerProfiler.sys,https://github.com/elastic/protections-artifacts/search?q=VulnDriver,TRUE -*\CorsairLLAccess64.sys,https://github.com/elastic/protections-artifacts/search?q=VulnDriver,TRUE -*\RTCore64.sys,https://github.com/elastic/protections-artifacts/search?q=VulnDriver,TRUE -*\libnicm.sys,https://github.com/elastic/protections-artifacts/search?q=VulnDriver,TRUE -*\procexp.Sys,https://github.com/elastic/protections-artifacts/search?q=VulnDriver,TRUE -*\viragt.sys,https://github.com/elastic/protections-artifacts/search?q=VulnDriver,TRUE -*\viragt64.sys,https://github.com/elastic/protections-artifacts/search?q=VulnDriver,TRUE -*\AsrDrv106.sys,https://github.com/elastic/protections-artifacts/search?q=VulnDriver,TRUE -*\zamguard64.sys,https://github.com/elastic/protections-artifacts/search?q=VulnDriver,TRUE -*\zam64.sys,https://github.com/elastic/protections-artifacts/search?q=VulnDriver,TRUE -*\fidpcidrv64.sys,https://github.com/elastic/protections-artifacts/search?q=VulnDriver,TRUE -*\MsIo32.sys,https://github.com/elastic/protections-artifacts/search?q=VulnDriver,TRUE -*\winio64.sys,https://github.com/elastic/protections-artifacts/search?q=VulnDriver,TRUE -*\capcom.sys,https://github.com/elastic/protections-artifacts/search?q=VulnDriver,TRUE -*\IOMap64.sys,https://github.com/elastic/protections-artifacts/search?q=VulnDriver,TRUE -*\ATSZIO64.sys,https://github.com/elastic/protections-artifacts/search?q=VulnDriver,TRUE -*\aswVmm.sys,https://github.com/elastic/protections-artifacts/search?q=VulnDriver,TRUE -*\FairplayKD.sys,https://github.com/elastic/protections-artifacts/search?q=VulnDriver,TRUE -*\pgldqpoc.sys,https://github.com/elastic/protections-artifacts/search?q=VulnDriver,TRUE -*\iqvw64e.sys,https://github.com/elastic/protections-artifacts/search?q=VulnDriver,TRUE -*\Monitor_win10_x64.sys,https://github.com/elastic/protections-artifacts/search?q=VulnDriver,TRUE -*\srvnetbus.sys,https://github.com/elastic/protections-artifacts/search?q=VulnDriver,TRUE -*\Mslo64.sys,https://github.com/elastic/protections-artifacts/search?q=VulnDriver,TRUE -*\pcdsrvc_x64.pkms,https://github.com/elastic/protections-artifacts/search?q=VulnDriver,TRUE -*\krpocesshacker.sys,https://github.com/elastic/protections-artifacts/search?q=VulnDriver,TRUE -*\HWiNFO64A.sys,https://github.com/elastic/protections-artifacts/search?q=VulnDriver,TRUE -*\rzpnk.sys,https://github.com/elastic/protections-artifacts/search?q=VulnDriver,TRUE -*\magdrvamd64.sys,https://github.com/elastic/protections-artifacts/search?q=VulnDriver,TRUE -*\driver7-x64.sys,https://github.com/Chigusa0w0/AsusDriversPrivEscala,TRUE -*\driver7-x86-withoutdbg.sys,https://github.com/Chigusa0w0/AsusDriversPrivEscala,TRUE -*\driver7-x86.sys,https://github.com/Chigusa0w0/AsusDriversPrivEscala,TRUE -*\gmer.sys,https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/driver_load/driver_load_vuln_drivers_names.yml,TRUE -*\PCADRVX64.sys,https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/driver_load/driver_load_vuln_drivers_names.yml,TRUE -*\clfs.sys,https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/driver_load/driver_load_vuln_drivers_names.yml,TRUE -*\ActiveHealth.sys,https://eclypsium.com/2019/11/12/mother-of-all-drivers/,TRUE -*\CAM_V3.sys,https://eclypsium.com/2019/11/12/mother-of-all-drivers/,TRUE -*\GameFire.sys,https://eclypsium.com/2019/11/12/mother-of-all-drivers/,TRUE -*\OpenHardwareMonitor.sys,https://eclypsium.com/2019/11/12/mother-of-all-drivers/,TRUE -*\OpenHardwareMonitorLib.sys,https://eclypsium.com/2019/11/12/mother-of-all-drivers/,TRUE -*\OpenHardwareMonitorReport.sys,https://eclypsium.com/2019/11/12/mother-of-all-drivers/,TRUE -*\SmartDashboard.sys,https://eclypsium.com/2019/11/12/mother-of-all-drivers/,TRUE -*\SystemGauge.sys,https://eclypsium.com/2019/11/12/mother-of-all-drivers/,TRUE -*\SystemGaugeX7.sys,https://eclypsium.com/2019/11/12/mother-of-all-drivers/,TRUE -*\VideoNovaServerControllerService.sys,https://eclypsium.com/2019/11/12/mother-of-all-drivers/,TRUE -*\ellp_service.sys,https://eclypsium.com/2019/11/12/mother-of-all-drivers/,TRUE -*\hardwareproviders.sys,https://eclypsium.com/2019/11/12/mother-of-all-drivers/,TRUE -*\ohm.sys,https://eclypsium.com/2019/11/12/mother-of-all-drivers/,TRUE -*\sensorsview32_64.sys,https://eclypsium.com/2019/11/12/mother-of-all-drivers/,TRUE -*\touchpointanalyticsclient.sys,https://eclypsium.com/2019/11/12/mother-of-all-drivers/,TRUE -*\ASIO32.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\asrdrv104.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\AsrSetupDrv103.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\bandai.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\dbutil.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\fiddrv.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\fiddrv64.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\fidpcidrv.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\DirectIo.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\hw_sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\mhyprot3.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\MsIo.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\otipcibus.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\piddrv.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\semav6msr64.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\80.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\netfilterdrv.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\81.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\full.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\nstrwsk.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\nt2.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\nt3.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\nt5.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\b4.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\bw.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\bwrs.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\bwrsh.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\TGSafe.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\BlackBoneDrv10.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\LgDCatcher.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\gameink.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\windows-xp-64.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\windows8-10-32.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\kbdcap64.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\d3.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\d.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\b3.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\2.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\b1.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\My.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\Black.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\WYProxy32.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\WYProxy64.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\Proxy64.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\ni.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\d4.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\d2.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\t.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\1.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\cpupress.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\gameink.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\NetFlt.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\ProtectS.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\GameTerSafe.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\Lurker.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\TestBone.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\Proxy32.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\t7.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\nt4.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\t8.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\nstr.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\nt6.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\t3.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\windows7-32.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\NetProxyDriver.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\c.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\b.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\full.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\WinIo64A.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\WinIo64B.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\WinIO32B.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\WinIO32.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\WinIO32A.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\WinIo64C.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\PCHunter.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\aswArPot.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\Bs_Def.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\BS_RCIO.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\IObitUnlocker.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\LenovoDiagnosticsDriver.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\Lv561av.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\Monitor.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\mydrivers.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\PanIOx64.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\PanIO.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\PanMonFltX64.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\PanMonFlt.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE -*\WiseUnlo.sys,https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules,TRUE \ No newline at end of file diff --git a/dist/DA-ESS-ContentUpdate/lookups/mandatory_job_for_workflow.csv b/dist/DA-ESS-ContentUpdate/lookups/mandatory_job_for_workflow.csv deleted file mode 100644 index 595421e7b6..0000000000 --- a/dist/DA-ESS-ContentUpdate/lookups/mandatory_job_for_workflow.csv +++ /dev/null @@ -1,2 +0,0 @@ -workflow_name, job_name -deployment, k8s-security \ No newline at end of file diff --git a/dist/DA-ESS-ContentUpdate/lookups/mandatory_step_for_job.csv b/dist/DA-ESS-ContentUpdate/lookups/mandatory_step_for_job.csv deleted file mode 100644 index 10e1d44cfc..0000000000 --- a/dist/DA-ESS-ContentUpdate/lookups/mandatory_step_for_job.csv +++ /dev/null @@ -1,2 +0,0 @@ -job_name, step_name -k8s-security, Run Kube Hunter \ No newline at end of file diff --git a/dist/DA-ESS-ContentUpdate/lookups/mitre_enrichment.csv b/dist/DA-ESS-ContentUpdate/lookups/mitre_enrichment.csv deleted file mode 100644 index 3396e88936..0000000000 --- a/dist/DA-ESS-ContentUpdate/lookups/mitre_enrichment.csv +++ /dev/null @@ -1,638 +0,0 @@ -mitre_id,technique,tactics,groups -T1059.010,AutoHotKey & AutoIT,Execution,APT39 -T1564.012,File/Path Exclusions,Defense Evasion,no -T1027.013,Encrypted/Encoded File,Defense Evasion,APT18|APT19|APT28|APT32|APT33|APT39|BITTER|Blue Mockingbird|Dark Caracal|Darkhotel|Elderwood|Fox Kitten|Group5|Higaisa|Inception|Lazarus Group|Leviathan|Magic Hound|Malteiro|Metador|Mofang|Molerats|Moses Staff|OilRig|Putter Panda|Sidewinder|TA2541|TA505|TeamTNT|Threat Group-3390|Transparent Tribe|Tropic Trooper|Whitefly|menuPass -T1574.014,AppDomainManager,Defense Evasion|Persistence|Privilege Escalation,no -T1584.008,Network Devices,Resource Development,APT28|Volt Typhoon -T1548.006,TCC Manipulation,Defense Evasion|Privilege Escalation,no -T1588.007,Artificial Intelligence,Resource Development,no -T1218.015,Electron Applications,Defense Evasion,no -T1543.005,Container Service,Persistence|Privilege Escalation,no -T1665,Hide Infrastructure,Command And Control,APT29 -T1216.002,SyncAppvPublishingServer,Defense Evasion,no -T1556.009,Conditional Access Policies,Credential Access|Defense Evasion|Persistence,Scattered Spider -T1027.012,LNK Icon Smuggling,Defense Evasion,no -T1036.009,Break Process Trees,Defense Evasion,no -T1555.006,Cloud Secrets Management Stores,Credential Access,no -T1016.002,Wi-Fi Discovery,Discovery,Magic Hound -T1566.004,Spearphishing Voice,Initial Access,no -T1598.004,Spearphishing Voice,Reconnaissance,LAPSUS$|Scattered Spider -T1578.005,Modify Cloud Compute Configurations,Defense Evasion,no -T1659,Content Injection,Command And Control|Initial Access,MoustachedBouncer -T1564.011,Ignore Process Interrupts,Defense Evasion,no -T1657,Financial Theft,Impact,Akira|Cinnamon Tempest|FIN13|Malteiro|Scattered Spider|SilverTerrier -T1656,Impersonation,Defense Evasion,LAPSUS$|Scattered Spider -T1567.004,Exfiltration Over Webhook,Exfiltration,no -T1098.006,Additional Container Cluster Roles,Persistence|Privilege Escalation,no -T1654,Log Enumeration,Discovery,APT5|Volt Typhoon -T1548.005,Temporary Elevated Cloud Access,Defense Evasion|Privilege Escalation,no -T1653,Power Settings,Persistence,no -T1021.008,Direct Cloud VM Connections,Lateral Movement,no -T1562.012,Disable or Modify Linux Audit System,Defense Evasion,no -T1556.008,Network Provider DLL,Credential Access|Defense Evasion|Persistence,no -T1652,Device Driver Discovery,Discovery,no -T1027.011,Fileless Storage,Defense Evasion,APT32|Turla -T1027.010,Command Obfuscation,Defense Evasion,APT19|APT32|Aquatic Panda|Chimera|Cobalt Group|Ember Bear|FIN6|FIN7|FIN8|Fox Kitten|GOLD SOUTHFIELD|Gamaredon Group|HEXANE|LazyScripter|Leafminer|Magic Hound|MuddyWater|Patchwork|Sandworm Team|Sidewinder|Silence|TA505|TA551|Turla|Wizard Spider -T1562.011,Spoof Security Alerting,Defense Evasion,no -T1552.008,Chat Messages,Credential Access,LAPSUS$ -T1651,Cloud Administration Command,Execution,APT29 -T1650,Acquire Access,Resource Development,no -T1036.008,Masquerade File Type,Defense Evasion,Volt Typhoon -T1567.003,Exfiltration to Text Storage Sites,Exfiltration,no -T1583.008,Malvertising,Resource Development,Mustard Tempest -T1021.007,Cloud Services,Lateral Movement,APT29|Scattered Spider -T1205.002,Socket Filters,Command And Control|Defense Evasion|Persistence,no -T1608.006,SEO Poisoning,Resource Development,Mustard Tempest -T1027.009,Embedded Payloads,Defense Evasion,no -T1027.008,Stripped Payloads,Defense Evasion,no -T1556.007,Hybrid Identity,Credential Access|Defense Evasion|Persistence,APT29 -T1546.016,Installer Packages,Persistence|Privilege Escalation,no -T1027.007,Dynamic API Resolution,Defense Evasion,Lazarus Group -T1593.003,Code Repositories,Reconnaissance,LAPSUS$ -T1649,Steal or Forge Authentication Certificates,Credential Access,APT29 -T1070.009,Clear Persistence,Defense Evasion,no -T1070.008,Clear Mailbox Data,Defense Evasion,no -T1584.007,Serverless,Resource Development,no -T1583.007,Serverless,Resource Development,no -T1070.007,Clear Network Connection History and Configurations,Defense Evasion,Volt Typhoon -T1556.006,Multi-Factor Authentication,Credential Access|Defense Evasion|Persistence,Scattered Spider -T1586.003,Cloud Accounts,Resource Development,APT29 -T1585.003,Cloud Accounts,Resource Development,no -T1648,Serverless Execution,Execution,no -T1647,Plist File Modification,Defense Evasion,no -T1622,Debugger Evasion,Defense Evasion|Discovery,no -T1621,Multi-Factor Authentication Request Generation,Credential Access,APT29|LAPSUS$|Scattered Spider -T1505.005,Terminal Services DLL,Persistence,no -T1557.003,DHCP Spoofing,Collection|Credential Access,no -T1059.009,Cloud API,Execution,APT29|TeamTNT -T1595.003,Wordlist Scanning,Reconnaissance,APT41|Volatile Cedar -T1098.005,Device Registration,Persistence|Privilege Escalation,APT29 -T1574.013,KernelCallbackTable,Defense Evasion|Persistence|Privilege Escalation,Lazarus Group -T1556.005,Reversible Encryption,Credential Access|Defense Evasion|Persistence,no -T1055.015,ListPlanting,Defense Evasion|Privilege Escalation,no -T1564.010,Process Argument Spoofing,Defense Evasion,no -T1564.009,Resource Forking,Defense Evasion,no -T1559.003,XPC Services,Execution,no -T1562.010,Downgrade Attack,Defense Evasion,no -T1547.015,Login Items,Persistence|Privilege Escalation,no -T1620,Reflective Code Loading,Defense Evasion,Lazarus Group -T1619,Cloud Storage Object Discovery,Discovery,no -T1218.014,MMC,Defense Evasion,no -T1218.013,Mavinject,Defense Evasion,no -T1614.001,System Language Discovery,Discovery,Ke3chang|Malteiro -T1615,Group Policy Discovery,Discovery,Turla -T1036.007,Double File Extension,Defense Evasion,Mustang Panda -T1562.009,Safe Mode Boot,Defense Evasion,no -T1564.008,Email Hiding Rules,Defense Evasion,FIN4|Scattered Spider -T1505.004,IIS Components,Persistence,no -T1027.006,HTML Smuggling,Defense Evasion,APT29 -T1213.003,Code Repositories,Collection,APT41|LAPSUS$|Scattered Spider -T1553.006,Code Signing Policy Modification,Defense Evasion,APT39|Turla -T1614,System Location Discovery,Discovery,SideCopy -T1613,Container and Resource Discovery,Discovery,TeamTNT -T1552.007,Container API,Credential Access,no -T1612,Build Image on Host,Defense Evasion,no -T1611,Escape to Host,Privilege Escalation,TeamTNT -T1204.003,Malicious Image,Execution,TeamTNT -T1053.007,Container Orchestration Job,Execution|Persistence|Privilege Escalation,no -T1610,Deploy Container,Defense Evasion|Execution,TeamTNT -T1609,Container Administration Command,Execution,TeamTNT -T1608.005,Link Target,Resource Development,LuminousMoth|Silent Librarian -T1608.004,Drive-by Target,Resource Development,APT32|Dragonfly|FIN7|LuminousMoth|Mustard Tempest|Threat Group-3390|Transparent Tribe -T1608.003,Install Digital Certificate,Resource Development,no -T1608.002,Upload Tool,Resource Development,Threat Group-3390 -T1608.001,Upload Malware,Resource Development,APT32|BITTER|EXOTIC LILY|Earth Lusca|FIN7|Gamaredon Group|HEXANE|Kimsuky|LazyScripter|LuminousMoth|Mustang Panda|Mustard Tempest|SideCopy|TA2541|TA505|TeamTNT|Threat Group-3390 -T1608,Stage Capabilities,Resource Development,Mustang Panda -T1016.001,Internet Connection Discovery,Discovery,APT29|FIN13|FIN8|Gamaredon Group|HAFNIUM|HEXANE|Magic Hound|TA2541|Turla -T1553.005,Mark-of-the-Web Bypass,Defense Evasion,APT29|TA505 -T1555.005,Password Managers,Credential Access,Fox Kitten|LAPSUS$|Threat Group-3390 -T1484.002,Trust Modification,Defense Evasion|Privilege Escalation,Scattered Spider -T1484.001,Group Policy Modification,Defense Evasion|Privilege Escalation,Cinnamon Tempest|Indrik Spider -T1547.014,Active Setup,Persistence|Privilege Escalation,no -T1606.002,SAML Tokens,Credential Access,no -T1606.001,Web Cookies,Credential Access,no -T1606,Forge Web Credentials,Credential Access,no -T1555.004,Windows Credential Manager,Credential Access,OilRig|Stealth Falcon|Turla|Wizard Spider -T1059.008,Network Device CLI,Execution,no -T1602.002,Network Device Configuration Dump,Collection,no -T1542.005,TFTP Boot,Defense Evasion|Persistence,no -T1542.004,ROMMONkit,Defense Evasion|Persistence,no -T1602.001,SNMP (MIB Dump),Collection,no -T1602,Data from Configuration Repository,Collection,no -T1601.002,Downgrade System Image,Defense Evasion,no -T1601.001,Patch System Image,Defense Evasion,no -T1601,Modify System Image,Defense Evasion,no -T1600.002,Disable Crypto Hardware,Defense Evasion,no -T1600.001,Reduce Key Space,Defense Evasion,no -T1600,Weaken Encryption,Defense Evasion,no -T1556.004,Network Device Authentication,Credential Access|Defense Evasion|Persistence,no -T1599.001,Network Address Translation Traversal,Defense Evasion,no -T1599,Network Boundary Bridging,Defense Evasion,no -T1020.001,Traffic Duplication,Exfiltration,no -T1557.002,ARP Cache Poisoning,Collection|Credential Access,Cleaver|LuminousMoth -T1588.006,Vulnerabilities,Resource Development,Sandworm Team -T1053.006,Systemd Timers,Execution|Persistence|Privilege Escalation,no -T1562.008,Disable or Modify Cloud Logs,Defense Evasion,APT29 -T1547.012,Print Processors,Persistence|Privilege Escalation,Earth Lusca -T1598.003,Spearphishing Link,Reconnaissance,APT28|APT32|Dragonfly|Kimsuky|Magic Hound|Mustang Panda|Patchwork|Sandworm Team|Sidewinder|Silent Librarian|ZIRCONIUM -T1598.002,Spearphishing Attachment,Reconnaissance,Dragonfly|SideCopy|Sidewinder -T1598.001,Spearphishing Service,Reconnaissance,no -T1598,Phishing for Information,Reconnaissance,APT28|Scattered Spider|ZIRCONIUM -T1597.002,Purchase Technical Data,Reconnaissance,LAPSUS$ -T1597.001,Threat Intel Vendors,Reconnaissance,no -T1597,Search Closed Sources,Reconnaissance,EXOTIC LILY -T1596.005,Scan Databases,Reconnaissance,APT41 -T1596.004,CDNs,Reconnaissance,no -T1596.003,Digital Certificates,Reconnaissance,no -T1596.001,DNS/Passive DNS,Reconnaissance,no -T1596.002,WHOIS,Reconnaissance,no -T1596,Search Open Technical Databases,Reconnaissance,no -T1595.002,Vulnerability Scanning,Reconnaissance,APT28|APT29|APT41|Aquatic Panda|Dragonfly|Earth Lusca|Magic Hound|Sandworm Team|TeamTNT|Volatile Cedar -T1595.001,Scanning IP Blocks,Reconnaissance,TeamTNT -T1595,Active Scanning,Reconnaissance,no -T1594,Search Victim-Owned Websites,Reconnaissance,EXOTIC LILY|Kimsuky|Sandworm Team|Silent Librarian -T1593.002,Search Engines,Reconnaissance,Kimsuky -T1593.001,Social Media,Reconnaissance,EXOTIC LILY|Kimsuky -T1593,Search Open Websites/Domains,Reconnaissance,Sandworm Team -T1592.004,Client Configurations,Reconnaissance,HAFNIUM -T1592.003,Firmware,Reconnaissance,no -T1592.002,Software,Reconnaissance,Andariel|Magic Hound|Sandworm Team -T1592.001,Hardware,Reconnaissance,no -T1592,Gather Victim Host Information,Reconnaissance,no -T1591.004,Identify Roles,Reconnaissance,HEXANE|LAPSUS$ -T1591.003,Identify Business Tempo,Reconnaissance,no -T1591.001,Determine Physical Locations,Reconnaissance,Magic Hound -T1591.002,Business Relationships,Reconnaissance,Dragonfly|LAPSUS$|Sandworm Team -T1591,Gather Victim Org Information,Reconnaissance,Kimsuky|Lazarus Group -T1590.006,Network Security Appliances,Reconnaissance,no -T1590.005,IP Addresses,Reconnaissance,Andariel|HAFNIUM|Magic Hound -T1590.004,Network Topology,Reconnaissance,FIN13 -T1590.003,Network Trust Dependencies,Reconnaissance,no -T1590.002,DNS,Reconnaissance,no -T1590.001,Domain Properties,Reconnaissance,Sandworm Team -T1590,Gather Victim Network Information,Reconnaissance,HAFNIUM -T1589.003,Employee Names,Reconnaissance,APT41|Kimsuky|Sandworm Team|Silent Librarian -T1589.002,Email Addresses,Reconnaissance,APT32|EXOTIC LILY|HAFNIUM|HEXANE|Kimsuky|LAPSUS$|Lazarus Group|Magic Hound|Sandworm Team|Silent Librarian|TA551 -T1589.001,Credentials,Reconnaissance,APT28|APT41|Chimera|LAPSUS$|Leviathan|Magic Hound -T1589,Gather Victim Identity Information,Reconnaissance,APT32|FIN13|HEXANE|LAPSUS$|Magic Hound -T1588.005,Exploits,Resource Development,Kimsuky -T1588.004,Digital Certificates,Resource Development,BlackTech|Lazarus Group|LuminousMoth|Silent Librarian -T1588.003,Code Signing Certificates,Resource Development,BlackTech|Ember Bear|FIN8|Threat Group-3390|Wizard Spider -T1588.002,Tool,Resource Development,APT-C-36|APT1|APT19|APT28|APT29|APT32|APT33|APT38|APT39|APT41|Aoqin Dragon|Aquatic Panda|BITTER|BRONZE BUTLER|BackdoorDiplomacy|BlackTech|Blue Mockingbird|Carbanak|Chimera|Cinnamon Tempest|Cleaver|Cobalt Group|CopyKittens|DarkHydrus|DarkVishnya|Dragonfly|Earth Lusca|Ember Bear|FIN10|FIN13|FIN5|FIN6|FIN7|FIN8|Ferocious Kitten|GALLIUM|Gorgon Group|HEXANE|Inception|IndigoZebra|Ke3chang|Kimsuky|LAPSUS$|Lazarus Group|Leafminer|LuminousMoth|Magic Hound|Metador|Moses Staff|MuddyWater|POLONIUM|Patchwork|PittyTiger|Sandworm Team|Silence|Silent Librarian|TA2541|TA505|Threat Group-3390|Thrip|Turla|Volt Typhoon|WIRTE|Whitefly|Wizard Spider|menuPass -T1588.001,Malware,Resource Development,APT1|Andariel|Aquatic Panda|BackdoorDiplomacy|Earth Lusca|LAPSUS$|LazyScripter|LuminousMoth|Metador|TA2541|TA505|Turla -T1588,Obtain Capabilities,Resource Development,no -T1587.004,Exploits,Resource Development,no -T1587.003,Digital Certificates,Resource Development,APT29|PROMETHIUM -T1587.002,Code Signing Certificates,Resource Development,PROMETHIUM|Patchwork -T1587.001,Malware,Resource Development,APT29|Aoqin Dragon|Cleaver|FIN13|FIN7|Indrik Spider|Ke3chang|Kimsuky|Lazarus Group|LuminousMoth|Moses Staff|Sandworm Team|TeamTNT|Turla -T1587,Develop Capabilities,Resource Development,Kimsuky -T1586.002,Email Accounts,Resource Development,APT28|APT29|HEXANE|IndigoZebra|Kimsuky|LAPSUS$|Leviathan|Magic Hound -T1586.001,Social Media Accounts,Resource Development,Leviathan|Sandworm Team -T1586,Compromise Accounts,Resource Development,no -T1585.002,Email Accounts,Resource Development,APT1|EXOTIC LILY|HEXANE|Indrik Spider|Kimsuky|Lazarus Group|Leviathan|Magic Hound|Mustang Panda|Sandworm Team|Silent Librarian|Wizard Spider -T1585.001,Social Media Accounts,Resource Development,APT32|CURIUM|Cleaver|EXOTIC LILY|Fox Kitten|HEXANE|Kimsuky|Lazarus Group|Leviathan|Magic Hound|Sandworm Team -T1585,Establish Accounts,Resource Development,APT17|Fox Kitten -T1584.006,Web Services,Resource Development,Earth Lusca|Turla -T1584.005,Botnet,Resource Development,Axiom|Sandworm Team -T1584.004,Server,Resource Development,APT16|Dragonfly|Earth Lusca|Indrik Spider|Lazarus Group|Sandworm Team|Turla|Volt Typhoon -T1584.003,Virtual Private Server,Resource Development,Turla -T1584.002,DNS Server,Resource Development,LAPSUS$ -T1584.001,Domains,Resource Development,APT1|Kimsuky|Magic Hound|Mustard Tempest|SideCopy|Transparent Tribe -T1583.006,Web Services,Resource Development,APT17|APT28|APT29|APT32|Confucius|Earth Lusca|FIN7|HAFNIUM|IndigoZebra|Kimsuky|Lazarus Group|LazyScripter|Magic Hound|MuddyWater|POLONIUM|TA2541|Turla|ZIRCONIUM -T1583.005,Botnet,Resource Development,no -T1583.004,Server,Resource Development,Earth Lusca|GALLIUM|Kimsuky|Mustard Tempest|Sandworm Team -T1583.003,Virtual Private Server,Resource Development,APT28|Axiom|Dragonfly|HAFNIUM|LAPSUS$ -T1583.002,DNS Server,Resource Development,Axiom|HEXANE -T1584,Compromise Infrastructure,Resource Development,no -T1583.001,Domains,Resource Development,APT1|APT28|APT32|BITTER|Dragonfly|EXOTIC LILY|Earth Lusca|FIN7|Ferocious Kitten|Gamaredon Group|HEXANE|IndigoZebra|Kimsuky|Lazarus Group|LazyScripter|Leviathan|Magic Hound|Mustang Panda|Sandworm Team|Silent Librarian|TA2541|TA505|TeamTNT|Threat Group-3390|Transparent Tribe|Winnti Group|ZIRCONIUM|menuPass -T1583,Acquire Infrastructure,Resource Development,Sandworm Team -T1564.007,VBA Stomping,Defense Evasion,no -T1558.004,AS-REP Roasting,Credential Access,no -T1580,Cloud Infrastructure Discovery,Discovery,Scattered Spider -T1218.012,Verclsid,Defense Evasion,no -T1205.001,Port Knocking,Command And Control|Defense Evasion|Persistence,PROMETHIUM -T1564.006,Run Virtual Instance,Defense Evasion,no -T1564.005,Hidden File System,Defense Evasion,Equation|Strider -T1556.003,Pluggable Authentication Modules,Credential Access|Defense Evasion|Persistence,no -T1574.012,COR_PROFILER,Defense Evasion|Persistence|Privilege Escalation,Blue Mockingbird -T1562.007,Disable or Modify Cloud Firewall,Defense Evasion,no -T1098.004,SSH Authorized Keys,Persistence|Privilege Escalation,Earth Lusca|TeamTNT -T1480.001,Environmental Keying,Defense Evasion,APT41|Equation -T1059.007,JavaScript,Execution,APT32|Cobalt Group|Earth Lusca|Ember Bear|Evilnum|FIN6|FIN7|Higaisa|Indrik Spider|Kimsuky|LazyScripter|Leafminer|Molerats|MoustachedBouncer|MuddyWater|Sidewinder|Silence|TA505|Turla -T1578.004,Revert Cloud Instance,Defense Evasion,no -T1578.003,Delete Cloud Instance,Defense Evasion,LAPSUS$ -T1578.001,Create Snapshot,Defense Evasion,no -T1578.002,Create Cloud Instance,Defense Evasion,LAPSUS$|Scattered Spider -T1127.001,MSBuild,Defense Evasion,no -T1027.005,Indicator Removal from Tools,Defense Evasion,APT3|Deep Panda|GALLIUM|OilRig|Patchwork|Turla -T1562.006,Indicator Blocking,Defense Evasion,APT41|APT5 -T1573.002,Asymmetric Cryptography,Command And Control,Cobalt Group|FIN6|FIN8|OilRig|TA2541|Tropic Trooper -T1573.001,Symmetric Cryptography,Command And Control,APT28|APT33|BRONZE BUTLER|Darkhotel|Higaisa|Inception|Lazarus Group|MuddyWater|Mustang Panda|Stealth Falcon|Volt Typhoon|ZIRCONIUM -T1573,Encrypted Channel,Command And Control,APT29|BITTER|Magic Hound|Tropic Trooper -T1027.004,Compile After Delivery,Defense Evasion,Gamaredon Group|MuddyWater|Rocke -T1574.004,Dylib Hijacking,Defense Evasion|Persistence|Privilege Escalation,no -T1546.015,Component Object Model Hijacking,Persistence|Privilege Escalation,APT28 -T1071.004,DNS,Command And Control,APT18|APT39|APT41|Chimera|Cobalt Group|FIN7|Ke3chang|LazyScripter|OilRig|Tropic Trooper -T1071.003,Mail Protocols,Command And Control,APT28|APT32|Kimsuky|SilverTerrier|Turla -T1071.002,File Transfer Protocols,Command And Control,APT41|Dragonfly|Kimsuky|SilverTerrier -T1071.001,Web Protocols,Command And Control,APT18|APT19|APT28|APT32|APT33|APT37|APT38|APT39|APT41|BITTER|BRONZE BUTLER|Chimera|Cobalt Group|Confucius|Dark Caracal|FIN13|FIN4|FIN8|Gamaredon Group|HAFNIUM|Higaisa|Inception|Ke3chang|Kimsuky|Lazarus Group|LuminousMoth|Magic Hound|Metador|MuddyWater|Mustang Panda|OilRig|Orangeworm|Rancor|Rocke|Sandworm Team|Sidewinder|SilverTerrier|Stealth Falcon|TA505|TA551|TeamTNT|Threat Group-3390|Tropic Trooper|Turla|WIRTE|Windshift|Wizard Spider -T1572,Protocol Tunneling,Command And Control,Chimera|Cinnamon Tempest|Cobalt Group|FIN13|FIN6|Fox Kitten|Leviathan|Magic Hound|OilRig -T1048.003,Exfiltration Over Unencrypted Non-C2 Protocol,Exfiltration,APT32|APT33|FIN6|FIN8|Lazarus Group|OilRig|Thrip|Wizard Spider -T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,Exfiltration,APT28 -T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,Exfiltration,no -T1001.003,Protocol Impersonation,Command And Control,Higaisa|Lazarus Group -T1001.002,Steganography,Command And Control,Axiom -T1001.001,Junk Data,Command And Control,APT28 -T1132.002,Non-Standard Encoding,Command And Control,no -T1132.001,Standard Encoding,Command And Control,APT19|APT33|BRONZE BUTLER|HAFNIUM|Lazarus Group|MuddyWater|Patchwork|Sandworm Team|TA551|Tropic Trooper -T1090.004,Domain Fronting,Command And Control,APT29 -T1090.003,Multi-hop Proxy,Command And Control,APT28|APT29|FIN4|Inception|Leviathan -T1090.002,External Proxy,Command And Control,APT28|APT29|APT3|APT39|FIN5|GALLIUM|Lazarus Group|MuddyWater|Silence|Tonto Team|menuPass -T1090.001,Internal Proxy,Command And Control,APT39|FIN13|Higaisa|Lazarus Group|Strider|Turla|Volt Typhoon -T1102.003,One-Way Communication,Command And Control,Leviathan -T1102.002,Bidirectional Communication,Command And Control,APT12|APT28|APT37|APT39|Carbanak|FIN7|HEXANE|Kimsuky|Lazarus Group|Magic Hound|MuddyWater|POLONIUM|Sandworm Team|Turla|ZIRCONIUM -T1102.001,Dead Drop Resolver,Command And Control,APT41|BRONZE BUTLER|Patchwork|RTM|Rocke -T1571,Non-Standard Port,Command And Control,APT-C-36|APT32|APT33|DarkVishnya|FIN7|Lazarus Group|Magic Hound|Rocke|Sandworm Team|Silence|WIRTE -T1074.002,Remote Data Staging,Collection,APT28|Chimera|FIN6|FIN8|Leviathan|MoustachedBouncer|Threat Group-3390|ToddyCat|menuPass -T1074.001,Local Data Staging,Collection,APT28|APT3|APT39|APT5|BackdoorDiplomacy|Chimera|Dragonfly|FIN13|FIN5|GALLIUM|Indrik Spider|Kimsuky|Lazarus Group|Leviathan|MuddyWater|Mustang Panda|Patchwork|Sidewinder|TeamTNT|Threat Group-3390|Volt Typhoon|Wizard Spider|menuPass -T1078.004,Cloud Accounts,Defense Evasion|Initial Access|Persistence|Privilege Escalation,APT28|APT29|APT33|APT5|Ke3chang|LAPSUS$ -T1564.004,NTFS File Attributes,Defense Evasion,APT32 -T1564.003,Hidden Window,Defense Evasion,APT19|APT28|APT3|APT32|CopyKittens|DarkHydrus|Deep Panda|Gamaredon Group|Gorgon Group|Higaisa|Kimsuky|Magic Hound|Nomadic Octopus|ToddyCat -T1078.003,Local Accounts,Defense Evasion|Initial Access|Persistence|Privilege Escalation,APT29|APT32|FIN10|FIN7|HAFNIUM|Kimsuky|PROMETHIUM|Tropic Trooper|Turla -T1078.002,Domain Accounts,Defense Evasion|Initial Access|Persistence|Privilege Escalation,APT3|APT5|Chimera|Cinnamon Tempest|Indrik Spider|Magic Hound|Naikon|Sandworm Team|TA505|Threat Group-1314|ToddyCat|Volt Typhoon|Wizard Spider -T1078.001,Default Accounts,Defense Evasion|Initial Access|Persistence|Privilege Escalation,FIN13|Magic Hound -T1564.002,Hidden Users,Defense Evasion,Dragonfly|Kimsuky -T1574.006,Dynamic Linker Hijacking,Defense Evasion|Persistence|Privilege Escalation,APT41|Rocke -T1574.002,DLL Side-Loading,Defense Evasion|Persistence|Privilege Escalation,APT19|APT3|APT32|APT41|BRONZE BUTLER|BlackTech|Chimera|Cinnamon Tempest|Earth Lusca|FIN13|GALLIUM|Higaisa|Lazarus Group|LuminousMoth|MuddyWater|Mustang Panda|Naikon|Patchwork|SideCopy|Sidewinder|Threat Group-3390|Tropic Trooper|menuPass -T1574.001,DLL Search Order Hijacking,Defense Evasion|Persistence|Privilege Escalation,APT41|Aquatic Panda|BackdoorDiplomacy|Cinnamon Tempest|Evilnum|RTM|Threat Group-3390|Tonto Team|Whitefly|menuPass -T1574.008,Path Interception by Search Order Hijacking,Defense Evasion|Persistence|Privilege Escalation,no -T1574.007,Path Interception by PATH Environment Variable,Defense Evasion|Persistence|Privilege Escalation,no -T1574.009,Path Interception by Unquoted Path,Defense Evasion|Persistence|Privilege Escalation,no -T1574.011,Services Registry Permissions Weakness,Defense Evasion|Persistence|Privilege Escalation,no -T1574.005,Executable Installer File Permissions Weakness,Defense Evasion|Persistence|Privilege Escalation,no -T1574.010,Services File Permissions Weakness,Defense Evasion|Persistence|Privilege Escalation,no -T1574,Hijack Execution Flow,Defense Evasion|Persistence|Privilege Escalation,no -T1069.001,Local Groups,Discovery,Chimera|HEXANE|OilRig|Tonto Team|Turla|Volt Typhoon|admin@338 -T1570,Lateral Tool Transfer,Lateral Movement,APT32|APT41|Aoqin Dragon|Chimera|FIN10|GALLIUM|Magic Hound|Sandworm Team|Turla|Volt Typhoon|Wizard Spider -T1568.003,DNS Calculation,Command And Control,APT12 -T1204.002,Malicious File,Execution,APT-C-36|APT12|APT19|APT28|APT29|APT30|APT32|APT33|APT37|APT38|APT39|Ajax Security Team|Andariel|Aoqin Dragon|BITTER|BRONZE BUTLER|BlackTech|CURIUM|Cobalt Group|Confucius|Dark Caracal|DarkHydrus|Darkhotel|Dragonfly|EXOTIC LILY|Earth Lusca|Elderwood|Ember Bear|FIN4|FIN6|FIN7|FIN8|Ferocious Kitten|Gallmaker|Gamaredon Group|Gorgon Group|HEXANE|Higaisa|Inception|IndigoZebra|Indrik Spider|Kimsuky|Lazarus Group|LazyScripter|Leviathan|Machete|Magic Hound|Malteiro|Mofang|Molerats|MuddyWater|Mustang Panda|Naikon|Nomadic Octopus|OilRig|PLATINUM|PROMETHIUM|Patchwork|RTM|Rancor|Sandworm Team|SideCopy|Sidewinder|Silence|TA2541|TA459|TA505|TA551|The White Company|Threat Group-3390|Tonto Team|Transparent Tribe|Tropic Trooper|WIRTE|Whitefly|Windshift|Wizard Spider|admin@338|menuPass -T1204.001,Malicious Link,Execution,APT28|APT29|APT3|APT32|APT33|APT39|BlackTech|Cobalt Group|Confucius|EXOTIC LILY|Earth Lusca|Elderwood|Ember Bear|Evilnum|FIN4|FIN7|FIN8|Kimsuky|LazyScripter|Leviathan|LuminousMoth|Machete|Magic Hound|Mofang|Molerats|MuddyWater|Mustang Panda|Mustard Tempest|OilRig|Patchwork|Sandworm Team|Sidewinder|TA2541|TA505|Transparent Tribe|Turla|Windshift|Wizard Spider|ZIRCONIUM -T1195.003,Compromise Hardware Supply Chain,Initial Access,no -T1195.002,Compromise Software Supply Chain,Initial Access,APT41|Cobalt Group|Dragonfly|FIN7|GOLD SOUTHFIELD|Sandworm Team|Threat Group-3390 -T1195.001,Compromise Software Dependencies and Development Tools,Initial Access,no -T1568.001,Fast Flux DNS,Command And Control,TA505|menuPass -T1052.001,Exfiltration over USB,Exfiltration,Mustang Panda|Tropic Trooper -T1569.002,Service Execution,Execution,APT32|APT38|APT39|APT41|Blue Mockingbird|Chimera|FIN6|Ke3chang|Silence|Wizard Spider -T1569.001,Launchctl,Execution,no -T1569,System Services,Execution,TeamTNT -T1568.002,Domain Generation Algorithms,Command And Control,APT41|TA551 -T1568,Dynamic Resolution,Command And Control,APT29|BITTER|Gamaredon Group|TA2541|Transparent Tribe -T1011.001,Exfiltration Over Bluetooth,Exfiltration,no -T1567.002,Exfiltration to Cloud Storage,Exfiltration,Akira|Chimera|Cinnamon Tempest|Confucius|Earth Lusca|FIN7|HAFNIUM|HEXANE|Kimsuky|Leviathan|LuminousMoth|POLONIUM|Scattered Spider|Threat Group-3390|ToddyCat|Turla|Wizard Spider|ZIRCONIUM -T1567.001,Exfiltration to Code Repository,Exfiltration,no -T1059.006,Python,Execution,APT29|APT37|APT39|BRONZE BUTLER|Cinnamon Tempest|Dragonfly|Earth Lusca|Kimsuky|Machete|MuddyWater|Rocke|Tonto Team|Turla|ZIRCONIUM -T1059.005,Visual Basic,Execution,APT-C-36|APT32|APT33|APT37|APT38|APT39|BRONZE BUTLER|Cobalt Group|Confucius|Earth Lusca|FIN13|FIN4|FIN7|Gamaredon Group|Gorgon Group|HEXANE|Higaisa|Inception|Kimsuky|Lazarus Group|LazyScripter|Leviathan|Machete|Magic Hound|Malteiro|Molerats|MuddyWater|Mustang Panda|OilRig|Patchwork|Rancor|Sandworm Team|SideCopy|Sidewinder|Silence|TA2541|TA459|TA505|Transparent Tribe|Turla|WIRTE|Windshift -T1059.004,Unix Shell,Execution,APT41|Rocke|TeamTNT -T1059.003,Windows Command Shell,Execution,APT1|APT18|APT28|APT3|APT32|APT37|APT38|APT41|APT5|Aquatic Panda|BRONZE BUTLER|Blue Mockingbird|Chimera|Cinnamon Tempest|Cobalt Group|Dark Caracal|Darkhotel|Dragonfly|Ember Bear|FIN10|FIN13|FIN6|FIN7|FIN8|Fox Kitten|GALLIUM|Gamaredon Group|Gorgon Group|HAFNIUM|Higaisa|Indrik Spider|Ke3chang|Kimsuky|Lazarus Group|LazyScripter|Machete|Magic Hound|Metador|MuddyWater|Mustang Panda|Nomadic Octopus|OilRig|Patchwork|Rancor|Silence|Sowbug|Suckfly|TA505|TA551|TeamTNT|Threat Group-1314|Threat Group-3390|ToddyCat|Tropic Trooper|Turla|Volt Typhoon|Wizard Spider|ZIRCONIUM|admin@338|menuPass -T1059.002,AppleScript,Execution,no -T1059.001,PowerShell,Execution,APT19|APT28|APT29|APT3|APT32|APT33|APT38|APT39|APT41|APT5|Aquatic Panda|BRONZE BUTLER|Blue Mockingbird|Chimera|Cinnamon Tempest|Cobalt Group|Confucius|CopyKittens|DarkHydrus|DarkVishnya|Deep Panda|Dragonfly|Earth Lusca|Ember Bear|FIN10|FIN13|FIN6|FIN7|FIN8|Fox Kitten|GALLIUM|GOLD SOUTHFIELD|Gallmaker|Gamaredon Group|Gorgon Group|HAFNIUM|HEXANE|Inception|Indrik Spider|Kimsuky|Lazarus Group|LazyScripter|Leviathan|Magic Hound|Molerats|MoustachedBouncer|MuddyWater|Mustang Panda|Nomadic Octopus|OilRig|Patchwork|Poseidon Group|Sandworm Team|Sidewinder|Silence|Stealth Falcon|TA2541|TA459|TA505|TeamTNT|Threat Group-3390|Thrip|ToddyCat|Tonto Team|Turla|Volt Typhoon|WIRTE|Wizard Spider|menuPass -T1567,Exfiltration Over Web Service,Exfiltration,APT28|Magic Hound -T1497.003,Time Based Evasion,Defense Evasion|Discovery,no -T1497.002,User Activity Based Checks,Defense Evasion|Discovery,Darkhotel|FIN7 -T1497.001,System Checks,Defense Evasion|Discovery,Darkhotel|Evilnum|OilRig|Volt Typhoon -T1498.002,Reflection Amplification,Impact,no -T1498.001,Direct Network Flood,Impact,no -T1566.003,Spearphishing via Service,Initial Access,APT29|Ajax Security Team|CURIUM|Dark Caracal|EXOTIC LILY|FIN6|Lazarus Group|Magic Hound|OilRig|ToddyCat|Windshift -T1566.002,Spearphishing Link,Initial Access,APT1|APT28|APT29|APT3|APT32|APT33|APT39|BlackTech|Cobalt Group|Confucius|EXOTIC LILY|Earth Lusca|Elderwood|Ember Bear|Evilnum|FIN4|FIN7|FIN8|Kimsuky|Lazarus Group|LazyScripter|Leviathan|LuminousMoth|Machete|Magic Hound|Mofang|Molerats|MuddyWater|Mustang Panda|Mustard Tempest|OilRig|Patchwork|Sandworm Team|Sidewinder|TA2541|TA505|Transparent Tribe|Turla|Windshift|Wizard Spider|ZIRCONIUM -T1566.001,Spearphishing Attachment,Initial Access,APT-C-36|APT1|APT12|APT19|APT28|APT29|APT30|APT32|APT33|APT37|APT38|APT39|APT41|Ajax Security Team|Andariel|BITTER|BRONZE BUTLER|BlackTech|Cobalt Group|Confucius|DarkHydrus|Darkhotel|Dragonfly|EXOTIC LILY|Elderwood|Ember Bear|FIN4|FIN6|FIN7|FIN8|Ferocious Kitten|Gallmaker|Gamaredon Group|Gorgon Group|Higaisa|Inception|IndigoZebra|Kimsuky|Lazarus Group|LazyScripter|Leviathan|Machete|Malteiro|Mofang|Molerats|MuddyWater|Mustang Panda|Naikon|Nomadic Octopus|OilRig|PLATINUM|Patchwork|RTM|Rancor|Sandworm Team|SideCopy|Sidewinder|Silence|TA2541|TA459|TA505|TA551|The White Company|Threat Group-3390|Tonto Team|Transparent Tribe|Tropic Trooper|WIRTE|Windshift|Wizard Spider|admin@338|menuPass -T1566,Phishing,Initial Access,Axiom|GOLD SOUTHFIELD -T1565.003,Runtime Data Manipulation,Impact,APT38 -T1565.002,Transmitted Data Manipulation,Impact,APT38 -T1565.001,Stored Data Manipulation,Impact,APT38 -T1565,Data Manipulation,Impact,FIN13 -T1564.001,Hidden Files and Directories,Defense Evasion,APT28|APT32|FIN13|HAFNIUM|Lazarus Group|LuminousMoth|Mustang Panda|Rocke|Transparent Tribe|Tropic Trooper -T1564,Hide Artifacts,Defense Evasion,no -T1563.002,RDP Hijacking,Lateral Movement,Axiom -T1563.001,SSH Hijacking,Lateral Movement,no -T1563,Remote Service Session Hijacking,Lateral Movement,no -T1518.001,Security Software Discovery,Discovery,APT38|Aquatic Panda|Cobalt Group|Darkhotel|FIN8|Kimsuky|Malteiro|MuddyWater|Naikon|Patchwork|Rocke|SideCopy|Sidewinder|TA2541|TeamTNT|The White Company|ToddyCat|Tropic Trooper|Turla|Windshift|Wizard Spider -T1069.003,Cloud Groups,Discovery,no -T1069.002,Domain Groups,Discovery,Dragonfly|FIN7|Inception|Ke3chang|LAPSUS$|OilRig|ToddyCat|Turla|Volt Typhoon -T1087.004,Cloud Account,Discovery,APT29 -T1087.003,Email Account,Discovery,Magic Hound|Sandworm Team|TA505 -T1087.002,Domain Account,Discovery,APT41|BRONZE BUTLER|Chimera|Dragonfly|FIN13|FIN6|Fox Kitten|Ke3chang|LAPSUS$|MuddyWater|OilRig|Poseidon Group|Sandworm Team|Scattered Spider|ToddyCat|Turla|Volt Typhoon|Wizard Spider|menuPass -T1087.001,Local Account,Discovery,APT1|APT3|APT32|APT41|Chimera|Fox Kitten|Ke3chang|Moses Staff|OilRig|Poseidon Group|Threat Group-3390|Turla|admin@338 -T1553.004,Install Root Certificate,Defense Evasion,no -T1562.004,Disable or Modify System Firewall,Defense Evasion,APT38|Carbanak|Dragonfly|Kimsuky|Lazarus Group|Magic Hound|Moses Staff|Rocke|TeamTNT|ToddyCat -T1562.003,Impair Command History Logging,Defense Evasion,APT38 -T1562.002,Disable Windows Event Logging,Defense Evasion,Magic Hound|Threat Group-3390 -T1562.001,Disable or Modify Tools,Defense Evasion,Aquatic Panda|BRONZE BUTLER|Ember Bear|FIN6|Gamaredon Group|Gorgon Group|Indrik Spider|Kimsuky|Lazarus Group|Magic Hound|MuddyWater|Putter Panda|Rocke|TA2541|TA505|TeamTNT|Turla|Wizard Spider -T1562,Impair Defenses,Defense Evasion,Magic Hound -T1003.004,LSA Secrets,Credential Access,APT29|APT33|Dragonfly|Ke3chang|Leafminer|MuddyWater|OilRig|Threat Group-3390|menuPass -T1003.005,Cached Domain Credentials,Credential Access,APT33|Leafminer|MuddyWater|OilRig -T1561.002,Disk Structure Wipe,Impact,APT37|APT38|Lazarus Group|Sandworm Team -T1561.001,Disk Content Wipe,Impact,Lazarus Group -T1561,Disk Wipe,Impact,no -T1560.003,Archive via Custom Method,Collection,CopyKittens|FIN6|Kimsuky|Lazarus Group|Mustang Panda -T1560.002,Archive via Library,Collection,Lazarus Group|Threat Group-3390 -T1560.001,Archive via Utility,Collection,APT1|APT28|APT3|APT33|APT39|APT41|APT5|Akira|Aquatic Panda|BRONZE BUTLER|Chimera|CopyKittens|Earth Lusca|FIN13|FIN8|Fox Kitten|GALLIUM|Gallmaker|HAFNIUM|Ke3chang|Kimsuky|Magic Hound|MuddyWater|Mustang Panda|Sowbug|ToddyCat|Turla|Volt Typhoon|Wizard Spider|menuPass -T1560,Archive Collected Data,Collection,APT28|APT32|Axiom|Dragonfly|FIN6|Ke3chang|Lazarus Group|Leviathan|LuminousMoth|Patchwork|menuPass -T1499.004,Application or System Exploitation,Impact,no -T1499.003,Application Exhaustion Flood,Impact,no -T1499.002,Service Exhaustion Flood,Impact,no -T1499.001,OS Exhaustion Flood,Impact,no -T1491.002,External Defacement,Impact,Sandworm Team -T1491.001,Internal Defacement,Impact,Gamaredon Group|Lazarus Group -T1114.003,Email Forwarding Rule,Collection,Kimsuky|LAPSUS$|Silent Librarian -T1114.002,Remote Email Collection,Collection,APT1|APT28|APT29|Chimera|Dragonfly|FIN4|HAFNIUM|Ke3chang|Kimsuky|Leafminer|Magic Hound -T1114.001,Local Email Collection,Collection,APT1|Chimera|Magic Hound -T1134.005,SID-History Injection,Defense Evasion|Privilege Escalation,no -T1134.004,Parent PID Spoofing,Defense Evasion|Privilege Escalation,no -T1134.003,Make and Impersonate Token,Defense Evasion|Privilege Escalation,FIN13 -T1134.002,Create Process with Token,Defense Evasion|Privilege Escalation,Lazarus Group|Turla -T1134.001,Token Impersonation/Theft,Defense Evasion|Privilege Escalation,APT28|FIN8 -T1213.002,Sharepoint,Collection,APT28|Akira|Chimera|Ke3chang|LAPSUS$ -T1213.001,Confluence,Collection,LAPSUS$ -T1555.003,Credentials from Web Browsers,Credential Access,APT3|APT33|APT37|APT41|Ajax Security Team|FIN6|HEXANE|Inception|Kimsuky|LAPSUS$|Leafminer|Malteiro|Molerats|MuddyWater|OilRig|Patchwork|Sandworm Team|Stealth Falcon|TA505|ZIRCONIUM -T1555.002,Securityd Memory,Credential Access,no -T1555.001,Keychain,Credential Access,no -T1559.002,Dynamic Data Exchange,Execution,APT28|APT37|BITTER|Cobalt Group|FIN7|Gallmaker|Leviathan|MuddyWater|Patchwork|Sidewinder|TA505 -T1559.001,Component Object Model,Execution,Gamaredon Group|MuddyWater -T1559,Inter-Process Communication,Execution,no -T1558.002,Silver Ticket,Credential Access,no -T1558.001,Golden Ticket,Credential Access,Ke3chang -T1558,Steal or Forge Kerberos Tickets,Credential Access,no -T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,Collection|Credential Access,Lazarus Group|Wizard Spider -T1557,Adversary-in-the-Middle,Collection|Credential Access,Kimsuky -T1556.002,Password Filter DLL,Credential Access|Defense Evasion|Persistence,Strider -T1556.001,Domain Controller Authentication,Credential Access|Defense Evasion|Persistence,Chimera -T1556,Modify Authentication Process,Credential Access|Defense Evasion|Persistence,FIN13 -T1056.004,Credential API Hooking,Collection|Credential Access,PLATINUM -T1056.003,Web Portal Capture,Collection|Credential Access,no -T1056.002,GUI Input Capture,Collection|Credential Access,FIN4 -T1056.001,Keylogging,Collection|Credential Access,APT28|APT3|APT32|APT38|APT39|APT41|APT5|Ajax Security Team|Darkhotel|FIN13|FIN4|Group5|HEXANE|Ke3chang|Kimsuky|Lazarus Group|Magic Hound|OilRig|PLATINUM|Sandworm Team|Sowbug|Threat Group-3390|Tonto Team|menuPass -T1555,Credentials from Password Stores,Credential Access,APT33|APT39|Evilnum|FIN6|HEXANE|Leafminer|Malteiro|MuddyWater|OilRig|Stealth Falcon|Volt Typhoon -T1552.005,Cloud Instance Metadata API,Credential Access,TeamTNT -T1003.008,/etc/passwd and /etc/shadow,Credential Access,no -T1003.007,Proc Filesystem,Credential Access,no -T1003.006,DCSync,Credential Access,Earth Lusca|LAPSUS$ -T1558.003,Kerberoasting,Credential Access,FIN7|Wizard Spider -T1552.006,Group Policy Preferences,Credential Access,APT33|Wizard Spider -T1003.003,NTDS,Credential Access,APT28|APT41|Chimera|Dragonfly|FIN13|FIN6|Fox Kitten|HAFNIUM|Ke3chang|LAPSUS$|Mustang Panda|Sandworm Team|Scattered Spider|Volt Typhoon|Wizard Spider|menuPass -T1003.002,Security Account Manager,Credential Access,APT29|APT41|APT5|Dragonfly|FIN13|GALLIUM|Ke3chang|Threat Group-3390|Wizard Spider|menuPass -T1003.001,LSASS Memory,Credential Access,APT1|APT28|APT3|APT32|APT33|APT39|APT41|APT5|Aquatic Panda|BRONZE BUTLER|Blue Mockingbird|Cleaver|Earth Lusca|FIN13|FIN6|FIN8|Fox Kitten|GALLIUM|HAFNIUM|Indrik Spider|Ke3chang|Kimsuky|Leafminer|Leviathan|Magic Hound|MuddyWater|OilRig|PLATINUM|Sandworm Team|Silence|Threat Group-3390|Volt Typhoon|Whitefly|Wizard Spider -T1110.004,Credential Stuffing,Credential Access,Chimera -T1110.003,Password Spraying,Credential Access,APT28|APT29|APT33|Chimera|HEXANE|Lazarus Group|Leafminer|Silent Librarian -T1110.002,Password Cracking,Credential Access,APT3|APT41|Dragonfly|FIN6 -T1110.001,Password Guessing,Credential Access,APT28|APT29 -T1021.006,Windows Remote Management,Lateral Movement,Chimera|FIN13|Threat Group-3390|Wizard Spider -T1021.005,VNC,Lateral Movement,FIN7|Fox Kitten|GCMAN|Gamaredon Group -T1021.004,SSH,Lateral Movement,APT39|APT5|BlackTech|FIN13|FIN7|Fox Kitten|GCMAN|Lazarus Group|Leviathan|OilRig|Rocke|TeamTNT|menuPass -T1021.003,Distributed Component Object Model,Lateral Movement,no -T1021.002,SMB/Windows Admin Shares,Lateral Movement,APT28|APT3|APT32|APT39|APT41|Blue Mockingbird|Chimera|Cinnamon Tempest|Deep Panda|FIN13|FIN8|Fox Kitten|Ke3chang|Lazarus Group|Moses Staff|Orangeworm|Sandworm Team|Threat Group-1314|ToddyCat|Turla|Wizard Spider -T1021.001,Remote Desktop Protocol,Lateral Movement,APT1|APT3|APT39|APT41|APT5|Axiom|Blue Mockingbird|Chimera|Cobalt Group|Dragonfly|FIN10|FIN13|FIN6|FIN7|FIN8|Fox Kitten|HEXANE|Kimsuky|Lazarus Group|Leviathan|Magic Hound|OilRig|Patchwork|Silence|Wizard Spider|menuPass -T1554,Compromise Host Software Binary,Persistence,APT5 -T1036.006,Space after Filename,Defense Evasion,no -T1036.005,Match Legitimate Name or Location,Defense Evasion,APT1|APT28|APT29|APT32|APT39|APT41|APT5|Aoqin Dragon|BRONZE BUTLER|BackdoorDiplomacy|Blue Mockingbird|Carbanak|Chimera|Darkhotel|Earth Lusca|FIN13|FIN7|Ferocious Kitten|Fox Kitten|Gamaredon Group|Indrik Spider|Ke3chang|Kimsuky|Lazarus Group|LuminousMoth|Machete|Magic Hound|MuddyWater|Mustang Panda|Mustard Tempest|Naikon|PROMETHIUM|Patchwork|Poseidon Group|Rocke|Sandworm Team|SideCopy|Sidewinder|Silence|Sowbug|TA2541|TeamTNT|ToddyCat|Transparent Tribe|Tropic Trooper|Volt Typhoon|WIRTE|Whitefly|admin@338|menuPass -T1036.004,Masquerade Task or Service,Defense Evasion,APT-C-36|APT32|APT41|BITTER|BackdoorDiplomacy|Carbanak|FIN13|FIN6|FIN7|Fox Kitten|Higaisa|Kimsuky|Lazarus Group|Magic Hound|Naikon|PROMETHIUM|Wizard Spider|ZIRCONIUM -T1036.003,Rename System Utilities,Defense Evasion,APT32|GALLIUM|Lazarus Group|menuPass -T1036.002,Right-to-Left Override,Defense Evasion,BRONZE BUTLER|BlackTech|Ferocious Kitten|Ke3chang|Scarlet Mimic -T1036.001,Invalid Code Signature,Defense Evasion,APT37|Windshift -T1553.003,SIP and Trust Provider Hijacking,Defense Evasion,no -T1553.002,Code Signing,Defense Evasion,APT41|CopyKittens|Darkhotel|Ember Bear|FIN6|FIN7|GALLIUM|Kimsuky|Lazarus Group|Leviathan|LuminousMoth|Molerats|Moses Staff|PROMETHIUM|Patchwork|Scattered Spider|Silence|Suckfly|TA505|Winnti Group|Wizard Spider|menuPass -T1553.001,Gatekeeper Bypass,Defense Evasion,no -T1553,Subvert Trust Controls,Defense Evasion,Axiom -T1027.003,Steganography,Defense Evasion,APT37|Andariel|BRONZE BUTLER|Earth Lusca|Leviathan|MuddyWater|TA551|Tropic Trooper -T1027.002,Software Packing,Defense Evasion,APT29|APT3|APT38|APT39|APT41|Aoqin Dragon|Dark Caracal|Elderwood|Ember Bear|GALLIUM|Kimsuky|MoustachedBouncer|Patchwork|Rocke|TA2541|TA505|TeamTNT|The White Company|Threat Group-3390|ZIRCONIUM -T1027.001,Binary Padding,Defense Evasion,APT29|APT32|BRONZE BUTLER|Ember Bear|FIN7|Gamaredon Group|Higaisa|Leviathan|Moafee|Mustang Panda|Patchwork -T1222.002,Linux and Mac File and Directory Permissions Modification,Defense Evasion,APT32|Rocke|TeamTNT -T1222.001,Windows File and Directory Permissions Modification,Defense Evasion,Wizard Spider -T1552.004,Private Keys,Credential Access,Rocke|Scattered Spider|TeamTNT -T1552.003,Bash History,Credential Access,no -T1552.002,Credentials in Registry,Credential Access,APT32 -T1552.001,Credentials In Files,Credential Access,APT3|APT33|FIN13|Fox Kitten|Kimsuky|Leafminer|MuddyWater|OilRig|Scattered Spider|TA505|TeamTNT -T1552,Unsecured Credentials,Credential Access,no -T1216.001,PubPrn,Defense Evasion,APT32 -T1070.006,Timestomp,Defense Evasion,APT28|APT29|APT32|APT38|APT5|Chimera|Kimsuky|Lazarus Group|Rocke -T1070.005,Network Share Connection Removal,Defense Evasion,Threat Group-3390 -T1070.004,File Deletion,Defense Evasion,APT18|APT28|APT29|APT3|APT32|APT38|APT39|APT41|APT5|Aquatic Panda|BRONZE BUTLER|Chimera|Cobalt Group|Dragonfly|Evilnum|FIN10|FIN5|FIN6|FIN8|Gamaredon Group|Group5|Kimsuky|Lazarus Group|Magic Hound|Metador|Mustang Panda|OilRig|Patchwork|Rocke|Sandworm Team|Silence|TeamTNT|The White Company|Threat Group-3390|Tropic Trooper|Volt Typhoon|Wizard Spider|menuPass -T1070.003,Clear Command History,Defense Evasion,APT41|APT5|Lazarus Group|Magic Hound|TeamTNT|menuPass -T1550.004,Web Session Cookie,Defense Evasion|Lateral Movement,no -T1550.001,Application Access Token,Defense Evasion|Lateral Movement,APT28 -T1550.003,Pass the Ticket,Defense Evasion|Lateral Movement,APT29|APT32|BRONZE BUTLER -T1550.002,Pass the Hash,Defense Evasion|Lateral Movement,APT1|APT28|APT32|APT41|Chimera|FIN13|GALLIUM|Kimsuky|Wizard Spider -T1550,Use Alternate Authentication Material,Defense Evasion|Lateral Movement,no -T1548.004,Elevated Execution with Prompt,Defense Evasion|Privilege Escalation,no -T1548.003,Sudo and Sudo Caching,Defense Evasion|Privilege Escalation,no -T1548.002,Bypass User Account Control,Defense Evasion|Privilege Escalation,APT29|APT37|BRONZE BUTLER|Cobalt Group|Earth Lusca|Evilnum|MuddyWater|Patchwork|Threat Group-3390 -T1548.001,Setuid and Setgid,Defense Evasion|Privilege Escalation,no -T1548,Abuse Elevation Control Mechanism,Defense Evasion|Privilege Escalation,no -T1136.003,Cloud Account,Persistence,APT29|LAPSUS$ -T1070.002,Clear Linux or Mac System Logs,Defense Evasion,Rocke|TeamTNT -T1070.001,Clear Windows Event Logs,Defense Evasion,APT28|APT32|APT38|APT41|Chimera|Dragonfly|FIN5|FIN8|Indrik Spider -T1136.002,Domain Account,Persistence,GALLIUM|HAFNIUM|Wizard Spider -T1136.001,Local Account,Persistence,APT3|APT39|APT41|APT5|Dragonfly|FIN13|Fox Kitten|Kimsuky|Leafminer|Magic Hound|TeamTNT|Wizard Spider -T1547.010,Port Monitors,Persistence|Privilege Escalation,no -T1547.009,Shortcut Modification,Persistence|Privilege Escalation,APT39|Gorgon Group|Lazarus Group|Leviathan -T1547.008,LSASS Driver,Persistence|Privilege Escalation,no -T1547.007,Re-opened Applications,Persistence|Privilege Escalation,no -T1547.006,Kernel Modules and Extensions,Persistence|Privilege Escalation,no -T1547.005,Security Support Provider,Persistence|Privilege Escalation,no -T1547.004,Winlogon Helper DLL,Persistence|Privilege Escalation,Tropic Trooper|Turla|Wizard Spider -T1547.003,Time Providers,Persistence|Privilege Escalation,no -T1546.014,Emond,Persistence|Privilege Escalation,no -T1546.013,PowerShell Profile,Persistence|Privilege Escalation,Turla -T1546.012,Image File Execution Options Injection,Persistence|Privilege Escalation,no -T1218.008,Odbcconf,Defense Evasion,Cobalt Group -T1546.011,Application Shimming,Persistence|Privilege Escalation,FIN7 -T1547.002,Authentication Package,Persistence|Privilege Escalation,no -T1546.010,AppInit DLLs,Persistence|Privilege Escalation,APT39 -T1546.009,AppCert DLLs,Persistence|Privilege Escalation,no -T1218.007,Msiexec,Defense Evasion,Machete|Molerats|Rancor|TA505|ZIRCONIUM -T1546.008,Accessibility Features,Persistence|Privilege Escalation,APT29|APT3|APT41|Axiom|Deep Panda|Fox Kitten -T1546.007,Netsh Helper DLL,Persistence|Privilege Escalation,no -T1546.006,LC_LOAD_DYLIB Addition,Persistence|Privilege Escalation,no -T1546.005,Trap,Persistence|Privilege Escalation,no -T1546.004,Unix Shell Configuration Modification,Persistence|Privilege Escalation,no -T1546.003,Windows Management Instrumentation Event Subscription,Persistence|Privilege Escalation,APT29|APT33|Blue Mockingbird|FIN8|HEXANE|Leviathan|Metador|Mustang Panda|Rancor|Turla -T1546.002,Screensaver,Persistence|Privilege Escalation,no -T1546.001,Change Default File Association,Persistence|Privilege Escalation,Kimsuky -T1547.001,Registry Run Keys / Startup Folder,Persistence|Privilege Escalation,APT18|APT19|APT28|APT29|APT3|APT32|APT33|APT37|APT39|APT41|BRONZE BUTLER|Cobalt Group|Confucius|Dark Caracal|Darkhotel|Dragonfly|FIN10|FIN13|FIN6|FIN7|Gamaredon Group|Gorgon Group|Higaisa|Inception|Ke3chang|Kimsuky|Lazarus Group|LazyScripter|Leviathan|LuminousMoth|Magic Hound|Molerats|MuddyWater|Mustang Panda|Naikon|PROMETHIUM|Patchwork|Putter Panda|RTM|Rocke|Sidewinder|Silence|TA2541|TeamTNT|Threat Group-3390|Tropic Trooper|Turla|Windshift|Wizard Spider|ZIRCONIUM -T1218.002,Control Panel,Defense Evasion,Ember Bear -T1218.010,Regsvr32,Defense Evasion,APT19|APT32|Blue Mockingbird|Cobalt Group|Deep Panda|Inception|Kimsuky|Leviathan|TA551|WIRTE -T1218.009,Regsvcs/Regasm,Defense Evasion,no -T1218.005,Mshta,Defense Evasion,APT29|APT32|Confucius|Earth Lusca|FIN7|Gamaredon Group|Inception|Kimsuky|Lazarus Group|LazyScripter|MuddyWater|Mustang Panda|SideCopy|Sidewinder|TA2541|TA551 -T1218.004,InstallUtil,Defense Evasion,Mustang Panda|menuPass -T1218.001,Compiled HTML File,Defense Evasion,APT38|APT41|Dark Caracal|OilRig|Silence -T1218.003,CMSTP,Defense Evasion,Cobalt Group|MuddyWater -T1218.011,Rundll32,Defense Evasion,APT19|APT28|APT3|APT32|APT38|APT41|Blue Mockingbird|Carbanak|CopyKittens|FIN7|Gamaredon Group|HAFNIUM|Kimsuky|Lazarus Group|LazyScripter|Magic Hound|MuddyWater|Sandworm Team|TA505|TA551|Wizard Spider -T1547,Boot or Logon Autostart Execution,Persistence|Privilege Escalation,no -T1546,Event Triggered Execution,Persistence|Privilege Escalation,no -T1098.003,Additional Cloud Roles,Persistence|Privilege Escalation,LAPSUS$|Scattered Spider -T1098.002,Additional Email Delegate Permissions,Persistence|Privilege Escalation,APT28|APT29|Magic Hound -T1098.001,Additional Cloud Credentials,Persistence|Privilege Escalation,no -T1543.004,Launch Daemon,Persistence|Privilege Escalation,no -T1543.003,Windows Service,Persistence|Privilege Escalation,APT19|APT3|APT32|APT38|APT41|Blue Mockingbird|Carbanak|Cinnamon Tempest|Cobalt Group|DarkVishnya|Earth Lusca|FIN7|Ke3chang|Kimsuky|Lazarus Group|PROMETHIUM|TeamTNT|Threat Group-3390|Tropic Trooper|Wizard Spider -T1543.002,Systemd Service,Persistence|Privilege Escalation,Rocke|TeamTNT -T1543.001,Launch Agent,Persistence|Privilege Escalation,no -T1037.005,Startup Items,Persistence|Privilege Escalation,no -T1037.004,RC Scripts,Persistence|Privilege Escalation,APT29 -T1055.012,Process Hollowing,Defense Evasion|Privilege Escalation,Gorgon Group|Kimsuky|Patchwork|TA2541|Threat Group-3390|menuPass -T1055.013,Process Doppelgänging,Defense Evasion|Privilege Escalation,Leafminer -T1055.011,Extra Window Memory Injection,Defense Evasion|Privilege Escalation,no -T1055.014,VDSO Hijacking,Defense Evasion|Privilege Escalation,no -T1055.009,Proc Memory,Defense Evasion|Privilege Escalation,no -T1055.008,Ptrace System Calls,Defense Evasion|Privilege Escalation,no -T1055.005,Thread Local Storage,Defense Evasion|Privilege Escalation,no -T1055.004,Asynchronous Procedure Call,Defense Evasion|Privilege Escalation,FIN8 -T1055.003,Thread Execution Hijacking,Defense Evasion|Privilege Escalation,no -T1055.002,Portable Executable Injection,Defense Evasion|Privilege Escalation,Gorgon Group|Rocke -T1055.001,Dynamic-link Library Injection,Defense Evasion|Privilege Escalation,BackdoorDiplomacy|Lazarus Group|Leviathan|Malteiro|Putter Panda|TA505|Tropic Trooper|Turla|Wizard Spider -T1037.003,Network Logon Script,Persistence|Privilege Escalation,no -T1543,Create or Modify System Process,Persistence|Privilege Escalation,no -T1037.002,Login Hook,Persistence|Privilege Escalation,no -T1037.001,Logon Script (Windows),Persistence|Privilege Escalation,APT28|Cobalt Group -T1542.003,Bootkit,Defense Evasion|Persistence,APT28|APT41|Lazarus Group -T1542.002,Component Firmware,Defense Evasion|Persistence,Equation -T1542.001,System Firmware,Defense Evasion|Persistence,no -T1505.003,Web Shell,Persistence,APT28|APT29|APT32|APT38|APT39|APT5|BackdoorDiplomacy|Deep Panda|Dragonfly|FIN13|Fox Kitten|GALLIUM|HAFNIUM|Kimsuky|Leviathan|Magic Hound|Moses Staff|OilRig|Sandworm Team|Threat Group-3390|Tonto Team|Tropic Trooper|Volatile Cedar|Volt Typhoon -T1505.002,Transport Agent,Persistence,no -T1505.001,SQL Stored Procedures,Persistence,no -T1053.003,Cron,Execution|Persistence|Privilege Escalation,APT38|APT5|Rocke -T1053.005,Scheduled Task,Execution|Persistence|Privilege Escalation,APT-C-36|APT29|APT3|APT32|APT33|APT37|APT38|APT39|APT41|BITTER|BRONZE BUTLER|Blue Mockingbird|Chimera|Cobalt Group|Confucius|Dragonfly|FIN10|FIN13|FIN6|FIN7|FIN8|Fox Kitten|GALLIUM|Gamaredon Group|HEXANE|Higaisa|Kimsuky|Lazarus Group|LuminousMoth|Machete|Magic Hound|Molerats|MuddyWater|Mustang Panda|Naikon|OilRig|Patchwork|Rancor|Silence|Stealth Falcon|TA2541|ToddyCat|Wizard Spider|menuPass -T1053.002,At,Execution|Persistence|Privilege Escalation,APT18|BRONZE BUTLER|Threat Group-3390 -T1542,Pre-OS Boot,Defense Evasion|Persistence,no -T1137.001,Office Template Macros,Persistence,MuddyWater -T1137.004,Outlook Home Page,Persistence,OilRig -T1137.003,Outlook Forms,Persistence,no -T1137.005,Outlook Rules,Persistence,no -T1137.006,Add-ins,Persistence,Naikon -T1137.002,Office Test,Persistence,APT28 -T1531,Account Access Removal,Impact,Akira|LAPSUS$ -T1539,Steal Web Session Cookie,Credential Access,Evilnum|LuminousMoth|Sandworm Team|Scattered Spider -T1529,System Shutdown/Reboot,Impact,APT37|APT38|Lazarus Group -T1518,Software Discovery,Discovery,BRONZE BUTLER|HEXANE|Inception|MuddyWater|Mustang Panda|SideCopy|Sidewinder|Tropic Trooper|Volt Typhoon|Windigo|Windshift|Wizard Spider -T1547.013,XDG Autostart Entries,Persistence|Privilege Escalation,no -T1534,Internal Spearphishing,Lateral Movement,Gamaredon Group|HEXANE|Kimsuky|Leviathan -T1528,Steal Application Access Token,Credential Access,APT28|APT29 -T1535,Unused/Unsupported Cloud Regions,Defense Evasion,no -T1525,Implant Internal Image,Persistence,no -T1538,Cloud Service Dashboard,Discovery,Scattered Spider -T1530,Data from Cloud Storage,Collection,Fox Kitten|Scattered Spider -T1578,Modify Cloud Compute Infrastructure,Defense Evasion,no -T1537,Transfer Data to Cloud Account,Exfiltration,no -T1526,Cloud Service Discovery,Discovery,no -T1505,Server Software Component,Persistence,no -T1499,Endpoint Denial of Service,Impact,Sandworm Team -T1497,Virtualization/Sandbox Evasion,Defense Evasion|Discovery,Darkhotel -T1498,Network Denial of Service,Impact,APT28 -T1496,Resource Hijacking,Impact,APT41|Blue Mockingbird|Rocke|TeamTNT -T1495,Firmware Corruption,Impact,no -T1491,Defacement,Impact,no -T1490,Inhibit System Recovery,Impact,Wizard Spider -T1489,Service Stop,Impact,Indrik Spider|LAPSUS$|Lazarus Group|Wizard Spider -T1486,Data Encrypted for Impact,Impact,APT38|APT41|Akira|FIN7|FIN8|Indrik Spider|Magic Hound|Sandworm Team|Scattered Spider|TA505 -T1485,Data Destruction,Impact,APT38|Gamaredon Group|LAPSUS$|Lazarus Group|Sandworm Team -T1484,Domain or Tenant Policy Modification,Defense Evasion|Privilege Escalation,no -T1482,Domain Trust Discovery,Discovery,Akira|Chimera|Earth Lusca|FIN8|Magic Hound -T1480,Execution Guardrails,Defense Evasion,no -T1222,File and Directory Permissions Modification,Defense Evasion,no -T1220,XSL Script Processing,Defense Evasion,Cobalt Group|Higaisa -T1221,Template Injection,Defense Evasion,APT28|Confucius|DarkHydrus|Dragonfly|Gamaredon Group|Inception|Tropic Trooper -T1190,Exploit Public-Facing Application,Initial Access,APT28|APT29|APT39|APT41|APT5|Axiom|BackdoorDiplomacy|BlackTech|Blue Mockingbird|Cinnamon Tempest|Dragonfly|Earth Lusca|FIN13|FIN7|Fox Kitten|GALLIUM|GOLD SOUTHFIELD|HAFNIUM|Ke3chang|Kimsuky|Magic Hound|Moses Staff|MuddyWater|Rocke|Sandworm Team|Threat Group-3390|ToddyCat|Volatile Cedar|Volt Typhoon|menuPass -T1213,Data from Information Repositories,Collection,APT28|FIN6|Fox Kitten|LAPSUS$|Sandworm Team|Turla -T1202,Indirect Command Execution,Defense Evasion,Lazarus Group -T1207,Rogue Domain Controller,Defense Evasion,no -T1212,Exploitation for Credential Access,Credential Access,no -T1201,Password Policy Discovery,Discovery,Chimera|OilRig|Turla -T1197,BITS Jobs,Defense Evasion|Persistence,APT39|APT41|Leviathan|Patchwork|Wizard Spider -T1189,Drive-by Compromise,Initial Access,APT19|APT28|APT32|APT37|APT38|Andariel|Axiom|BRONZE BUTLER|Dark Caracal|Darkhotel|Dragonfly|Earth Lusca|Elderwood|Lazarus Group|Leafminer|Leviathan|Machete|Magic Hound|Mustard Tempest|PLATINUM|PROMETHIUM|Patchwork|RTM|Threat Group-3390|Transparent Tribe|Turla|Windigo|Windshift -T1218,System Binary Proxy Execution,Defense Evasion,Lazarus Group -T1210,Exploitation of Remote Services,Lateral Movement,APT28|Dragonfly|Earth Lusca|FIN7|Fox Kitten|MuddyWater|Threat Group-3390|Tonto Team|Wizard Spider|menuPass -T1203,Exploitation for Client Execution,Execution,APT12|APT28|APT29|APT3|APT32|APT33|APT37|APT41|Andariel|Aoqin Dragon|Axiom|BITTER|BRONZE BUTLER|BlackTech|Cobalt Group|Confucius|Darkhotel|Dragonfly|EXOTIC LILY|Elderwood|Ember Bear|Higaisa|Inception|Lazarus Group|Leviathan|MuddyWater|Mustang Panda|Patchwork|Sandworm Team|Sidewinder|TA459|The White Company|Threat Group-3390|Tonto Team|Transparent Tribe|Tropic Trooper|admin@338 -T1211,Exploitation for Defense Evasion,Defense Evasion,APT28 -T1216,System Script Proxy Execution,Defense Evasion,no -T1195,Supply Chain Compromise,Initial Access,no -T1219,Remote Access Software,Command And Control,Akira|Carbanak|Cobalt Group|DarkVishnya|Evilnum|FIN7|GOLD SOUTHFIELD|Kimsuky|MuddyWater|Mustang Panda|RTM|Sandworm Team|Scattered Spider|TeamTNT|Thrip -T1205,Traffic Signaling,Command And Control|Defense Evasion|Persistence,no -T1204,User Execution,Execution,LAPSUS$|Scattered Spider -T1199,Trusted Relationship,Initial Access,APT28|APT29|GOLD SOUTHFIELD|LAPSUS$|POLONIUM|Sandworm Team|Threat Group-3390|menuPass -T1217,Browser Information Discovery,Discovery,APT38|Chimera|Fox Kitten|Scattered Spider -T1200,Hardware Additions,Initial Access,DarkVishnya -T1176,Browser Extensions,Persistence,Kimsuky -T1185,Browser Session Hijacking,Collection,no -T1187,Forced Authentication,Credential Access,DarkHydrus|Dragonfly -T1137,Office Application Startup,Persistence,APT32|Gamaredon Group -T1140,Deobfuscate/Decode Files or Information,Defense Evasion,APT19|APT28|APT39|BRONZE BUTLER|Cinnamon Tempest|Darkhotel|Earth Lusca|FIN13|Gamaredon Group|Gorgon Group|Higaisa|Ke3chang|Kimsuky|Lazarus Group|Leviathan|Malteiro|Molerats|MuddyWater|OilRig|Rocke|Sandworm Team|TA505|TeamTNT|Threat Group-3390|Tropic Trooper|Turla|WIRTE|ZIRCONIUM|menuPass -T1136,Create Account,Persistence,Indrik Spider|Scattered Spider -T1135,Network Share Discovery,Discovery,APT1|APT32|APT38|APT39|APT41|Chimera|DarkVishnya|Dragonfly|FIN13|Sowbug|Tonto Team|Tropic Trooper|Wizard Spider -T1134,Access Token Manipulation,Defense Evasion|Privilege Escalation,Blue Mockingbird|FIN6 -T1133,External Remote Services,Initial Access|Persistence,APT18|APT28|APT29|APT41|Akira|Chimera|Dragonfly|FIN13|FIN5|GALLIUM|GOLD SOUTHFIELD|Ke3chang|Kimsuky|LAPSUS$|Leviathan|OilRig|Sandworm Team|Scattered Spider|TeamTNT|Threat Group-3390|Wizard Spider -T1132,Data Encoding,Command And Control,no -T1129,Shared Modules,Execution,no -T1127,Trusted Developer Utilities Proxy Execution,Defense Evasion,no -T1125,Video Capture,Collection,FIN7|Silence -T1124,System Time Discovery,Discovery,BRONZE BUTLER|Chimera|Darkhotel|Higaisa|Lazarus Group|Sidewinder|The White Company|Turla|ZIRCONIUM -T1123,Audio Capture,Collection,APT37 -T1120,Peripheral Device Discovery,Discovery,APT28|APT37|BackdoorDiplomacy|Equation|Gamaredon Group|OilRig|TeamTNT|Turla -T1119,Automated Collection,Collection,APT1|APT28|Chimera|Confucius|FIN5|FIN6|Gamaredon Group|Ke3chang|Mustang Panda|OilRig|Patchwork|Sidewinder|Threat Group-3390|Tropic Trooper|menuPass -T1115,Clipboard Data,Collection,APT38|APT39 -T1114,Email Collection,Collection,Magic Hound|Silent Librarian -T1113,Screen Capture,Collection,APT28|APT39|BRONZE BUTLER|Dark Caracal|Dragonfly|FIN7|GOLD SOUTHFIELD|Gamaredon Group|Group5|Magic Hound|MoustachedBouncer|MuddyWater|OilRig|Silence -T1112,Modify Registry,Defense Evasion,APT19|APT32|APT38|APT41|Blue Mockingbird|Dragonfly|Earth Lusca|Ember Bear|FIN8|Gamaredon Group|Gorgon Group|Kimsuky|LuminousMoth|Magic Hound|Patchwork|Silence|TA505|Threat Group-3390|Turla|Wizard Spider -T1111,Multi-Factor Authentication Interception,Credential Access,Chimera|Kimsuky|LAPSUS$ -T1110,Brute Force,Credential Access,APT28|APT38|APT39|DarkVishnya|Dragonfly|FIN5|Fox Kitten|HEXANE|OilRig|Turla -T1106,Native API,Execution,APT37|APT38|BlackTech|Chimera|Gamaredon Group|Gorgon Group|Higaisa|Lazarus Group|SideCopy|Silence|TA505|ToddyCat|Tropic Trooper|Turla|menuPass -T1105,Ingress Tool Transfer,Command And Control,APT-C-36|APT18|APT28|APT29|APT3|APT32|APT33|APT37|APT38|APT39|APT41|Ajax Security Team|Andariel|Aquatic Panda|BITTER|BRONZE BUTLER|BackdoorDiplomacy|Chimera|Cinnamon Tempest|Cobalt Group|Confucius|Darkhotel|Dragonfly|Elderwood|Ember Bear|Evilnum|FIN13|FIN7|FIN8|Fox Kitten|GALLIUM|Gamaredon Group|Gorgon Group|HAFNIUM|HEXANE|IndigoZebra|Indrik Spider|Ke3chang|Kimsuky|Lazarus Group|LazyScripter|Leviathan|LuminousMoth|Magic Hound|Metador|Molerats|Moses Staff|MuddyWater|Mustang Panda|Mustard Tempest|Nomadic Octopus|OilRig|PLATINUM|Patchwork|Rancor|Rocke|Sandworm Team|SideCopy|Sidewinder|Silence|TA2541|TA505|TA551|TeamTNT|Threat Group-3390|Tonto Team|Tropic Trooper|Turla|Volatile Cedar|WIRTE|Whitefly|Windshift|Winnti Group|Wizard Spider|ZIRCONIUM|menuPass -T1104,Multi-Stage Channels,Command And Control,APT3|APT41|Lazarus Group|MuddyWater -T1102,Web Service,Command And Control,APT32|EXOTIC LILY|Ember Bear|FIN6|FIN8|Fox Kitten|Gamaredon Group|Inception|LazyScripter|Mustang Panda|Rocke|TeamTNT|Turla -T1098,Account Manipulation,Persistence|Privilege Escalation,APT3|APT41|APT5|Dragonfly|FIN13|HAFNIUM|Kimsuky|Lazarus Group|Magic Hound -T1095,Non-Application Layer Protocol,Command And Control,APT3|BITTER|BackdoorDiplomacy|FIN6|HAFNIUM|Metador|PLATINUM|ToddyCat -T1092,Communication Through Removable Media,Command And Control,APT28 -T1091,Replication Through Removable Media,Initial Access|Lateral Movement,APT28|Aoqin Dragon|Darkhotel|FIN7|LuminousMoth|Mustang Panda|Tropic Trooper -T1090,Proxy,Command And Control,APT41|Blue Mockingbird|Cinnamon Tempest|CopyKittens|Earth Lusca|Fox Kitten|LAPSUS$|Magic Hound|MoustachedBouncer|POLONIUM|Sandworm Team|Turla|Volt Typhoon|Windigo -T1087,Account Discovery,Discovery,FIN13 -T1083,File and Directory Discovery,Discovery,APT18|APT28|APT3|APT32|APT38|APT39|APT41|APT5|Aoqin Dragon|BRONZE BUTLER|Chimera|Confucius|Dark Caracal|Darkhotel|Dragonfly|FIN13|Fox Kitten|Gamaredon Group|HAFNIUM|Inception|Ke3chang|Kimsuky|Lazarus Group|Leafminer|LuminousMoth|Magic Hound|MuddyWater|Mustang Panda|Patchwork|Sandworm Team|Scattered Spider|Sidewinder|Sowbug|TeamTNT|ToddyCat|Tropic Trooper|Turla|Windigo|Winnti Group|admin@338|menuPass -T1082,System Information Discovery,Discovery,APT18|APT19|APT3|APT32|APT37|APT38|APT41|Aquatic Panda|Blue Mockingbird|Chimera|Confucius|Darkhotel|FIN13|FIN8|Gamaredon Group|HEXANE|Higaisa|Inception|Ke3chang|Kimsuky|Lazarus Group|Magic Hound|Malteiro|Moses Staff|MuddyWater|Mustang Panda|Mustard Tempest|OilRig|Patchwork|Rocke|Sandworm Team|SideCopy|Sidewinder|Sowbug|Stealth Falcon|TA2541|TeamTNT|ToddyCat|Tropic Trooper|Turla|Volt Typhoon|Windigo|Windshift|Wizard Spider|ZIRCONIUM|admin@338 -T1080,Taint Shared Content,Lateral Movement,BRONZE BUTLER|Cinnamon Tempest|Darkhotel|Gamaredon Group -T1078,Valid Accounts,Defense Evasion|Initial Access|Persistence|Privilege Escalation,APT18|APT28|APT29|APT33|APT39|APT41|Akira|Axiom|Carbanak|Chimera|Cinnamon Tempest|Dragonfly|FIN10|FIN4|FIN5|FIN6|FIN7|FIN8|Fox Kitten|GALLIUM|Ke3chang|LAPSUS$|Lazarus Group|Leviathan|OilRig|POLONIUM|PittyTiger|Sandworm Team|Silence|Silent Librarian|Suckfly|Threat Group-3390|Wizard Spider|menuPass -T1074,Data Staged,Collection,Scattered Spider|Volt Typhoon|Wizard Spider -T1072,Software Deployment Tools,Execution|Lateral Movement,APT32|Sandworm Team|Silence|Threat Group-1314 -T1071,Application Layer Protocol,Command And Control,Magic Hound|Rocke|TeamTNT -T1070,Indicator Removal,Defense Evasion,APT5|Lazarus Group -T1069,Permission Groups Discovery,Discovery,APT3|APT41|FIN13|TA505 -T1068,Exploitation for Privilege Escalation,Privilege Escalation,APT28|APT29|APT32|APT33|BITTER|Cobalt Group|FIN6|FIN8|LAPSUS$|MoustachedBouncer|PLATINUM|Scattered Spider|Threat Group-3390|Tonto Team|Turla|Whitefly|ZIRCONIUM -T1059,Command and Scripting Interpreter,Execution,APT19|APT32|APT37|APT39|Dragonfly|FIN5|FIN6|FIN7|Fox Kitten|Ke3chang|OilRig|Stealth Falcon|Whitefly|Windigo -T1057,Process Discovery,Discovery,APT1|APT28|APT3|APT37|APT38|APT5|Andariel|Chimera|Darkhotel|Deep Panda|Earth Lusca|Gamaredon Group|HAFNIUM|HEXANE|Higaisa|Inception|Ke3chang|Kimsuky|Lazarus Group|Magic Hound|Molerats|MuddyWater|Mustang Panda|OilRig|Poseidon Group|Rocke|Sidewinder|Stealth Falcon|TeamTNT|ToddyCat|Tropic Trooper|Turla|Volt Typhoon|Windshift|Winnti Group -T1056,Input Capture,Collection|Credential Access,APT39 -T1055,Process Injection,Defense Evasion|Privilege Escalation,APT32|APT37|APT41|APT5|Cobalt Group|Kimsuky|PLATINUM|Silence|TA2541|Turla|Wizard Spider -T1053,Scheduled Task/Job,Execution|Persistence|Privilege Escalation,Earth Lusca -T1052,Exfiltration Over Physical Medium,Exfiltration,no -T1049,System Network Connections Discovery,Discovery,APT1|APT3|APT32|APT38|APT41|APT5|Andariel|BackdoorDiplomacy|Chimera|Earth Lusca|FIN13|GALLIUM|HEXANE|Ke3chang|Lazarus Group|Magic Hound|MuddyWater|Mustang Panda|OilRig|Poseidon Group|Sandworm Team|TeamTNT|Threat Group-3390|ToddyCat|Tropic Trooper|Turla|Volt Typhoon|admin@338|menuPass -T1048,Exfiltration Over Alternative Protocol,Exfiltration,TeamTNT -T1047,Windows Management Instrumentation,Execution,APT29|APT32|APT41|Blue Mockingbird|Chimera|Cinnamon Tempest|Deep Panda|Earth Lusca|FIN13|FIN6|FIN7|FIN8|GALLIUM|Gamaredon Group|Indrik Spider|Lazarus Group|Leviathan|Magic Hound|MuddyWater|Mustang Panda|Naikon|OilRig|Sandworm Team|Stealth Falcon|TA2541|Threat Group-3390|ToddyCat|Volt Typhoon|Windshift|Wizard Spider|menuPass -T1046,Network Service Discovery,Discovery,APT32|APT39|APT41|BackdoorDiplomacy|BlackTech|Chimera|Cobalt Group|DarkVishnya|FIN13|FIN6|Fox Kitten|Lazarus Group|Leafminer|Magic Hound|Naikon|OilRig|Rocke|Suckfly|TeamTNT|Threat Group-3390|Tropic Trooper|menuPass -T1041,Exfiltration Over C2 Channel,Exfiltration,APT3|APT32|APT39|Chimera|Confucius|GALLIUM|Gamaredon Group|Higaisa|Ke3chang|Kimsuky|Lazarus Group|Leviathan|LuminousMoth|MuddyWater|Sandworm Team|Stealth Falcon|Wizard Spider|ZIRCONIUM -T1040,Network Sniffing,Credential Access|Discovery,APT28|APT33|DarkVishnya|Kimsuky|Sandworm Team -T1039,Data from Network Shared Drive,Collection,APT28|BRONZE BUTLER|Chimera|Fox Kitten|Gamaredon Group|Sowbug|menuPass -T1037,Boot or Logon Initialization Scripts,Persistence|Privilege Escalation,APT29|Rocke -T1036,Masquerading,Defense Evasion,APT28|APT32|BRONZE BUTLER|Dragonfly|FIN13|LazyScripter|Nomadic Octopus|OilRig|PLATINUM|Sandworm Team|TA551|TeamTNT|Windshift|ZIRCONIUM|menuPass -T1033,System Owner/User Discovery,Discovery,APT19|APT3|APT32|APT37|APT38|APT39|APT41|Chimera|Dragonfly|Earth Lusca|FIN10|FIN7|FIN8|GALLIUM|Gamaredon Group|HAFNIUM|HEXANE|Ke3chang|Lazarus Group|LuminousMoth|Magic Hound|MuddyWater|OilRig|Patchwork|Sandworm Team|Sidewinder|Stealth Falcon|Threat Group-3390|Tropic Trooper|Volt Typhoon|Windshift|Wizard Spider|ZIRCONIUM -T1030,Data Transfer Size Limits,Exfiltration,APT28|APT41|LuminousMoth|Threat Group-3390 -T1029,Scheduled Transfer,Exfiltration,Higaisa -T1027,Obfuscated Files or Information,Defense Evasion,APT-C-36|APT3|APT37|APT41|BackdoorDiplomacy|BlackOasis|Earth Lusca|Ember Bear|GALLIUM|Gallmaker|Gamaredon Group|Ke3chang|Kimsuky|Mustang Panda|Rocke|Sandworm Team|Windshift -T1025,Data from Removable Media,Collection,APT28|Gamaredon Group|Turla -T1021,Remote Services,Lateral Movement,Wizard Spider -T1020,Automated Exfiltration,Exfiltration,Gamaredon Group|Ke3chang|Sidewinder|Tropic Trooper -T1018,Remote System Discovery,Discovery,APT3|APT32|APT39|Akira|BRONZE BUTLER|Chimera|Deep Panda|Dragonfly|Earth Lusca|FIN5|FIN6|FIN8|Fox Kitten|GALLIUM|HAFNIUM|HEXANE|Indrik Spider|Ke3chang|Leafminer|Magic Hound|Naikon|Rocke|Sandworm Team|Scattered Spider|Silence|Threat Group-3390|ToddyCat|Turla|Volt Typhoon|Wizard Spider|menuPass -T1016,System Network Configuration Discovery,Discovery,APT1|APT19|APT3|APT32|APT41|Chimera|Darkhotel|Dragonfly|Earth Lusca|FIN13|GALLIUM|HAFNIUM|HEXANE|Higaisa|Ke3chang|Kimsuky|Lazarus Group|Magic Hound|Moses Staff|MuddyWater|Mustang Panda|Naikon|OilRig|SideCopy|Sidewinder|Stealth Falcon|TeamTNT|Threat Group-3390|Tropic Trooper|Turla|Volt Typhoon|Wizard Spider|ZIRCONIUM|admin@338|menuPass -T1014,Rootkit,Defense Evasion,APT28|APT41|Rocke|TeamTNT|Winnti Group -T1012,Query Registry,Discovery,APT32|APT39|APT41|Chimera|Dragonfly|Fox Kitten|Kimsuky|Lazarus Group|OilRig|Stealth Falcon|Threat Group-3390|Turla|Volt Typhoon|ZIRCONIUM -T1011,Exfiltration Over Other Network Medium,Exfiltration,no -T1010,Application Window Discovery,Discovery,HEXANE|Lazarus Group -T1008,Fallback Channels,Command And Control,APT41|FIN7|Lazarus Group|OilRig -T1007,System Service Discovery,Discovery,APT1|Aquatic Panda|BRONZE BUTLER|Chimera|Earth Lusca|Indrik Spider|Ke3chang|Kimsuky|OilRig|Poseidon Group|TeamTNT|Turla|admin@338 -T1006,Direct Volume Access,Defense Evasion,Scattered Spider -T1005,Data from Local System,Collection,APT1|APT28|APT29|APT3|APT37|APT38|APT39|APT41|Andariel|Axiom|BRONZE BUTLER|CURIUM|Dark Caracal|Dragonfly|FIN13|FIN6|FIN7|Fox Kitten|GALLIUM|Gamaredon Group|HAFNIUM|Inception|Ke3chang|Kimsuky|LAPSUS$|Lazarus Group|LuminousMoth|Magic Hound|Patchwork|Sandworm Team|Stealth Falcon|Threat Group-3390|ToddyCat|Turla|Volt Typhoon|Windigo|Wizard Spider|menuPass -T1003,OS Credential Dumping,Credential Access,APT28|APT32|APT39|Axiom|Leviathan|Poseidon Group|Sowbug|Suckfly|Tonto Team -T1001,Data Obfuscation,Command And Control,no diff --git a/dist/DA-ESS-ContentUpdate/lookups/network_acl_activity_baseline.csv b/dist/DA-ESS-ContentUpdate/lookups/network_acl_activity_baseline.csv deleted file mode 100644 index 4fec3cadd9..0000000000 --- a/dist/DA-ESS-ContentUpdate/lookups/network_acl_activity_baseline.csv +++ /dev/null @@ -1 +0,0 @@ -arn,latestCount,numDataPoints,avgApiCalls,stdevApiCalls diff --git a/dist/DA-ESS-ContentUpdate/lookups/previously_seen_cmd_line_arguments.csv b/dist/DA-ESS-ContentUpdate/lookups/previously_seen_cmd_line_arguments.csv deleted file mode 100644 index ee6ce88f4c..0000000000 --- a/dist/DA-ESS-ContentUpdate/lookups/previously_seen_cmd_line_arguments.csv +++ /dev/null @@ -1 +0,0 @@ -firstTime,lastTime,process diff --git a/dist/DA-ESS-ContentUpdate/lookups/previously_seen_ec2_modifications_by_user.csv b/dist/DA-ESS-ContentUpdate/lookups/previously_seen_ec2_modifications_by_user.csv deleted file mode 100644 index 225fcaa19a..0000000000 --- a/dist/DA-ESS-ContentUpdate/lookups/previously_seen_ec2_modifications_by_user.csv +++ /dev/null @@ -1 +0,0 @@ -arn,firstTime,lastTime diff --git a/dist/DA-ESS-ContentUpdate/lookups/privileged_azure_ad_roles.csv b/dist/DA-ESS-ContentUpdate/lookups/privileged_azure_ad_roles.csv deleted file mode 100644 index d4260b6ba3..0000000000 --- a/dist/DA-ESS-ContentUpdate/lookups/privileged_azure_ad_roles.csv +++ /dev/null @@ -1,26 +0,0 @@ -"azureadrole","isprvilegedadrole","description" -"""Authentication Administrator""","True","Can access to view, set and reset authentication method information for any non-admin user." -"""Authentication Policy Administrator""","True","Can create and manage the authentication methods policy, tenant-wide MFA settings, password protection policy, and verifiable credentials." -"""Azure AD Joined Device Local Administrator""","True","Users assigned to this role are added to the local administrators group on Azure AD-joined devices." -"""Azure DevOps Administrator""","True","Can manage Azure DevOps policies and settings." -"""Azure Information Protection Administrator""","True","Can manage all aspects of the Azure Information Protection product." -"""Cloud Application Administrator""","True","Can create and manage all aspects of app registrations and enterprise apps except App Proxy." -"""Cloud Device Administrator""","True","Limited access to manage devices in Azure AD." -"""Compliance Administrator""","True","Can read and manage compliance configuration and reports in Azure AD and Microsoft 365." -"""Conditional Access Administrator""","True","Can manage Conditional Access capabilities." -"""Exchange Administrator""","True","Can manage all aspects of the Exchange product." -"""External Identity Provider Administrator""","True","Can configure identity providers for use in direct federation." -"""Groups Administrator""","True","Members of this role can create/manage groups, create/manage groups settings like naming and expiration policies, and view groups activity and audit reports." -"""Helpdesk Administrator""","True","Can reset passwords for non-administrators and Helpdesk Administrators." -"""Hybrid Identity Administrator""","True","Can manage AD to Azure AD cloud provisioning, Azure AD Connect, Pass-through Authentication (PTA), Password hash synchronization (PHS), Seamless Single sign-on (Seamless SSO), and federation settings." -"""Intune Administrator""","True","Can manage all aspects of the Intune product." -"""License Administrator""","True","Can manage product licenses on users and groups." -"""Network Administrator""","True","Can manage network locations and review enterprise network design insights for Microsoft 365 Software as a Service applications." -"""Password Administrator""","True","Can reset passwords for non-administrators and Password Administrators." -"""Privileged Role Administrator""","True","Can manage role assignments in Azure AD, and all aspects of Privileged Identity Management." -"""Security Administrator""","True","Can read security information and reports, and manage configuration in Azure AD and Office 365." -"""SharePoint Administrator""","True","Can manage all aspects of the SharePoint service." -"""Teams Administrator""","True","Can manage the Microsoft Teams service." -"""User Administrator""","True","Can manage all aspects of users and groups, including resetting passwords for limited admins." -"""Windows 365 Administrator""","True","Can provision and manage all aspects of Cloud PCs." - diff --git a/dist/DA-ESS-ContentUpdate/lookups/prohibited_apps_launching_cmd20231221.csv b/dist/DA-ESS-ContentUpdate/lookups/prohibited_apps_launching_cmd20231221.csv deleted file mode 100644 index 7ebd89b2b4..0000000000 --- a/dist/DA-ESS-ContentUpdate/lookups/prohibited_apps_launching_cmd20231221.csv +++ /dev/null @@ -1,18 +0,0 @@ -prohibited_applications,isProhibited -winword.exe,prohibited -EXCEL.EXE,prohibited -OUTLOOK.EXE,prohibited -POWERPNT.EXE,prohibited -visio.exe,prohibited -mspub.exe,prohibited -Acrobat.exe,prohibited -Acrord32.exe,prohibited -chrome.exe,prohibited -iexplore.exe,prohibited -opera.exe,prohibited -firefox.exe,prohibited -java.exe,prohibited -powershell.exe,prohibited -mshta.exe, prohibited -zoom.exe,prohibitied -node.exe,prohibited diff --git a/dist/DA-ESS-ContentUpdate/lookups/prohibited_processes.csv b/dist/DA-ESS-ContentUpdate/lookups/prohibited_processes.csv deleted file mode 100644 index b418ab0f74..0000000000 --- a/dist/DA-ESS-ContentUpdate/lookups/prohibited_processes.csv +++ /dev/null @@ -1,20 +0,0 @@ -app,note -remcom.exe,ESCU - This process is an open source replacement to psexec and is not typically seen in an enterprise environment. -pwdump.exe,ESCU - This process is associated with a tool used to dump password hashes on a Windows system. -pwdump2.exe,ESCU - This process is associated with a tool used to dump password hashes on a Windows system. -nc.exe,ESCU - This process is an open source tool used for network communications. -wce.exe,ESCU - This process is associated with a tool used to dump hashes and execute pass-the-hash and pass-the-ticket attacks. -cain.exe,ESCU - This process is associated with a tool used to collect user credentials and execute attacks. -nmap.exe,ESCU - This process is an open source network mapping tool used to identify hosts and listening services on a network. -kidlogger.exe,ESCU - This process is associated with a tool used to collect keyboard input on a host. -isass.exe,ESCU - This process name is used by attackers to hide in plain sight and look like a legitimate Windows system process. -svch0st.exe,ESCU - This process name is used by attackers to hide in plain sight and look like a legitimate Windows system process. -at.exe,ESCU - This process is used to schedule other processes to run. schtasks.exe should be used instead as it provides more flexibility. -getmail.exe,ESCU - This process is seen to be used by attackers to extract email files from host machines. -ntdll.exe,ESCU - This process was identified as malicious by DHS Alert TA18-074A. -netpass.exe,ESCU - This process was identified as malicious by DHS Alert TA18-201A and attackers use this tool to recover all network passwords stored on your system for the current logged-on user. -WebBrowserPassView.exe,ESCU - This process was identified as malicious by DHS Alert TA18-201A and is used by attackers as a password recovery tool that reveals the passwords stored in Web Browsers. -OutlookAddressBookView.exe,ESCU - This process was identified as malicious by DHS Alert TA18-201A and is used by attackers to steal the details of all recipients stored in the address books of Microsoft Outlook. -mailpv.exe,ESCU - This process was identified by DHS Alert TA18-201A and attackers use this tool is a password-recovery tool that reveals the passwords and other account details from various email clients. -NLBrute.exe,ESCU - This process was identified in the SamSam Ransomware Campaign and attackers use this tool to brute force RDP instances with a range of commonly used passwords. -selfdel.exe,ESCU - This executable was delivered in the SamSam Ransomware Campain and the attackers levereged this binary to delete its malicilous activities. diff --git a/dist/DA-ESS-ContentUpdate/lookups/ransomware_extensions.csv b/dist/DA-ESS-ContentUpdate/lookups/ransomware_extensions.csv deleted file mode 100644 index 145fea7a9f..0000000000 --- a/dist/DA-ESS-ContentUpdate/lookups/ransomware_extensions.csv +++ /dev/null @@ -1,303 +0,0 @@ -Extensions,Name -.enc,.CryptoHasYou. -.777,777 -.R4A,7ev3n -.R5A,7ev3n -.7h9r,7h9r -.8lock8,8lock8 -.encrypt,Alpha Ransomware -.amba,AMBA -.adk,Angry Duck -.encrypted,Apocalypse -.SecureCrypted,Apocalypse -.FuckYourData,Apocalypse -.unavailable,Apocalypse -.bleepYourFiles,Apocalypse -.Where_my_files.txt,Apocalypse -.encrypted,ApocalypseVM -.locked,ApocalypseVM -.locky,AutoLocky -.adr,BaksoCrypt -.avos,AvosLocker -.avos2,AvosLocker -.avoslinux,AvosLocker -.bart.zip,Bart -.bart,Bart -.perl,Bart -.clf,BitCryptor -.bitstak,BitStak -.Silent,BlackShades Crypter -.blocatto,Blocatto -.cry,Central Security Treatment Organization -.cerber,Cerber -.cerber2,Cerber -.cerber3,Cerber -.clf,CoinVault -.coverton,Coverton -.enigma,Coverton -.czvxce,Coverton -.criptiko,CryFile -.criptoko,CryFile -.criptokod,CryFile -.cripttt,CryFile -.aga,CryFile -.cry,CryLocker -.ENCRYPTED,Crypren -.crypt38,Crypt38 -.scl,CryptFIle2 -.crinf,CryptInfinite -.frtrss,CryptoFortress -.clf,CryptoGraphic Locker -.crjoker,CryptoJoker -.encrypted ,CryptoLocker -.ENC,CryptoLocker -.code,CryptoMix -.scl,CryptoMix -.crptrgr,CryptoRoger -.locked,CryptoShocker -.CryptoTorLocker2015!,CryptoTorLocker2015 -.crypt,CryptXXX -.crypt,CryptXXX 2.0 -.crypt,CryptXXX 3.0 -.cryp1,CryptXXX 3.0 -.crypz,CryptXXX 3.0 -.cryptz,CryptXXX 3.0 -.cryp1,CryptXXX 3.1 -.ctbl,CTB-Locker -.encrypted,CuteRansomware -.ded,DEDCryptor -.domino,Domino -.locked,EDA2 / HiddenTear -.isis,EduCrypt -.locked,EduCrypt -.ha3,El-Polocker -.enigma,Enigma -.1txt,Enigma -.exotic,Exotic -.locked,Fakben -.fantom,Fantom -.Z81928819,GhostCrypt -.purge,Globe v1 -.globe,Globe v3 -.locked,GNL Locker -.crypt,Gomasom -.herbst,Herbst -.cry,Hi Buddy! -.locky,Hucky -.crime,iLock -.crime,iLockLight -.btc,Jigsaw -.kkk,Jigsaw -.fun,Jigsaw -.gws,Jigsaw -.porno,Jigsaw -.payransom,Jigsaw -.payms,Jigsaw -.paymst,Jigsaw -.AFD,Jigsaw -.paybtcs,Jigsaw -.epic,Jigsaw -.xyz,Jigsaw -.locked,Job Crypter -.encrypted,KeRanger -.keybtc@inbox_com,KeyBTC -.rip,Killer Locker -.kimcilware,KimcilWare -.locked,KimcilWare -.kostya,Kostya -.kratos,KratosCrypt -.LeChiffre,LeChiffre -.locky,Locky -.zepto,Locky -.odin,Locky -.shit,Locky -.thor,Locky -.asier,Locky -.zzzzz,Locky -.osiris,Locky -.lock93,Lock93 -.crime,Lortok -.oor,LowLevel04 -.magic,Magic -.Lock,MIRCOP -.fucked,MireWare -.fuck,MireWare -.locked,MM Locker -.KEYZ,Mobef -.KEYH0LES,Mobef -.crypted,Nemucod -.odcodc,ODCODC -.cbf,Offline ransomware -.LOL!,OMG! Ransomware -.OMG!,OMG! Ransomware -.padcrypt,PadCrypt -.locked,Philadelphia -.locked,PokemonGO -.filock,Popcorn Time -.locky,PowerWare -.crypt,R980 -.locked,RAA encryptor -.RDM,Radamant -.RRK,Radamant -.RAD,Radamant -.RADAMANT,Radamant -.locked,Rakhni -.kraken,Rakhni -.darkness,Rakhni -.nochance,Rakhni -.oshit,Rakhni -.oplata@qq_com,Rakhni -.relock@qq_com,Rakhni -.crypto,Rakhni -.helpdecrypt@ukr.net,Rakhni -.pizda@qq_com,Rakhni -.dyatel@qq_com,Rakhni -._ryp,Rakhni -.nalog@qq_com,Rakhni -.chifrator@qq_com,Rakhni -.gruzin@qq_com,Rakhni -.troyancoder@qq_com,Rakhni -.encrypted,Rakhni -.cry,Rakhni -.AES256,Rakhni -.enc,Rakhni -.hb15,Rakhni -.vscrypt,Rector -.infected,Rector -.bloc,Rector -.korrektor,Rector -.rekt,RektLocker -.remind,RemindMe -.crashed,RemindMe -.rokku,Rokku -.encryptedAES,Samas-Samsam -.encryptedRSA,Samas-Samsam -.encedRSA,Samas-Samsam -.justbtcwillhelpyou,Samas-Samsam -.btcbtcbtc,Samas-Samsam -.btc-help-you,Samas-Samsam -.only-we_can-help_you,Samas-Samsam -.iwanthelpuuu,Samas-Samsam -.notfoundrans,Samas-Samsam -.encmywork,Samas-Samsam -.weapologize,Samas-Samsam -.stubbin,Samas-Samsam -.areyoulovemyrans,Samas-Samsam -.loveransisgood,Samas-Samsam -.myransext2017,Samas-Samsam -.disposed2017,Samas-Samsam -.prosperous666,Samas-Samsam -.supported2017,Samas-Samsam -.country82000,Samas-Samsam -.moments2900,Samas-Samsam -.breeding123,Samas-Samsam -.mention9823,Samas-Samsam -.suppose666,Samas-Samsam -.skjdthghh,Samas-Samsam -.cifgksaffsfyghd,Samas-Samsam -.iaufkakfhsaraf,Samas-Samsam -.filegofprencrp,Samas-Samsam -.weencedufiles,Samas-Samsam -.encryptedyourfiles,Samas-Samsam -.letmetrydecfiles,Samas-Samsam -.otherinformation,Samas-Samsam -.weareyourfriends,Samas-Samsam -.noproblemwedecfiles,Samas-Samsam -.powerfulldecrypt,Samas-Samsam -.wowreadfordecryp,Samas-Samsam -.wowwhereismyfiles,Samas-Samsam -.helpmeencedfiles,Samas-Samsam -.theworldisyours,Samas-Samsam -.vekanhelpu,Samas-Samsam -.howcanihelpusir,Samas-Samsam -.VforVendetta,Samas-Samsam -.checkdiskenced,Samas-Samsam -.goforhelp,Samas-Samsam -.iloveworld,Samas-Samsam -.canihelpyou,Samas-Samsam -.AreYouLoveMyRansFile,Samas-Samsam -.fucku,Samas-Samsam -.happenencedfiles,Samas-Samsam -.iwishiyou,Samas-Samsam -.powerfulldecryp,Samas-Samsam -.suppose665,Samas-Samsam -.Whereisyourfiles,Samas-Samsam -.sanction,Sanction -.locked,Shark -.shino,ShinoLocker -.locked,SkidLocker / Pompous -.encrypted,Smrss32 -.RSNSlocked,SNSLocker -.RSplited,SNSLocker -.sport,Sport -.locked,Stampado -.locked,Strictor -.surprise,Surprise -.tzu,Surprise -.szf,SZFLocker -.xcri,TeleCrypt -.vvv,TeslaCrypt 0.x - 2.2.0 -.ecc,TeslaCrypt 0.x - 2.2.0 -.exx,TeslaCrypt 0.x - 2.2.0 -.ezz,TeslaCrypt 0.x - 2.2.0 -.abc,TeslaCrypt 0.x - 2.2.0 -.aaa,TeslaCrypt 0.x - 2.2.0 -.zzz,TeslaCrypt 0.x - 2.2.0 -.xyz,TeslaCrypt 0.x - 2.2.0 -.micro,TeslaCrypt 3.0+ -.xxx,TeslaCrypt 3.0+ -.ttt,TeslaCrypt 3.0+ -.mp3,TeslaCrypt 3.0+ -.Encrypted,TorrentLocker -.enc,TorrentLocker -.toxcrypt,Toxcrypt -.better_call_saul,Troldesh -.xtbl,Troldesh -.da_vinci_code,Troldesh -.windows10,Troldesh -.enc,TrueCrypter -.locked,Turkish Ransom -.H3LL,Ungluk -.0x0,Ungluk -.1999,Ungluk -.CRRRT,Unlock92 -.CCCRRRPPP,Unlock92 -.vault,VaultCrypt -.xort,VaultCrypt -.trun,VaultCrypt -.Venusf,VenusLocker -.Venusp,VenusLocker -.CrySiS,Virus-Encoder -.xtbl,Virus-Encoder -.wflx,WildFire Locker -.EnCiPhErEd,Xorist -.73i87A,Xorist -.p5tkjw,Xorist -.PoAr2w,Xorist -.fileiscryptedhard,Xorist -.encoderpass,Xorist -.zc3791,Xorist -.xrtn,XRTN -.zcrypt,Zcrypt -.crypto,Zimbra -.vault,Zlader / Russian -.zyklon,Zyklon -.wncry,WannaCry -.wcry,WannaCry -.wnry,WannaCry -.wncryt,WannaCry -.WNCRYT,WannaCry -.RYK,Ryuk -.Clop,Clop -.Cllp,Clop -.JSWORM,JSWorm -.NEMTY_*,Nemty -.NEFILIM,Nefilim -.OFFWHITE,Offwhite -.TELEGRAM,Telegram -.FUSION,Fusion -.MILIHPEN,Milihpen -.GANGBANG,Gangbang -.reddot,RedDot -.MEDUSA,Medusa -.rhysida,Rhysida diff --git a/dist/DA-ESS-ContentUpdate/lookups/ransomware_extensions_20231219.csv b/dist/DA-ESS-ContentUpdate/lookups/ransomware_extensions_20231219.csv deleted file mode 100644 index 85a53a6a11..0000000000 --- a/dist/DA-ESS-ContentUpdate/lookups/ransomware_extensions_20231219.csv +++ /dev/null @@ -1,303 +0,0 @@ -Extensions,Name -.enc,.CryptoHasYou. -.777,777 -.R4A,7ev3n -.R5A,7ev3n -.7h9r,7h9r -.8lock8,8lock8 -.encrypt,Alpha Ransomware -.amba,AMBA -.adk,Angry Duck -.encrypted,Apocalypse -.SecureCrypted,Apocalypse -.FuckYourData,Apocalypse -.unavailable,Apocalypse -.bleepYourFiles,Apocalypse -.Where_my_files.txt,Apocalypse -.encrypted,ApocalypseVM -.locked,ApocalypseVM -.locky,AutoLocky -.adr,BaksoCrypt -.avos,AvosLocker -.avos2,AvosLocker -.avoslinux,AvosLocker -.bart.zip,Bart -.bart,Bart -.perl,Bart -.clf,BitCryptor -.bitstak,BitStak -.Silent,BlackShades Crypter -.blocatto,Blocatto -.cry,Central Security Treatment Organization -.cerber,Cerber -.cerber2,Cerber -.cerber3,Cerber -.clf,CoinVault -.coverton,Coverton -.enigma,Coverton -.czvxce,Coverton -.criptiko,CryFile -.criptoko,CryFile -.criptokod,CryFile -.cripttt,CryFile -.aga,CryFile -.cry,CryLocker -.ENCRYPTED,Crypren -.crypt38,Crypt38 -.scl,CryptFIle2 -.crinf,CryptInfinite -.frtrss,CryptoFortress -.clf,CryptoGraphic Locker -.crjoker,CryptoJoker -.encrypted ,CryptoLocker -.ENC,CryptoLocker -.code,CryptoMix -.scl,CryptoMix -.crptrgr,CryptoRoger -.locked,CryptoShocker -.CryptoTorLocker2015!,CryptoTorLocker2015 -.crypt,CryptXXX -.crypt,CryptXXX 2.0 -.crypt,CryptXXX 3.0 -.cryp1,CryptXXX 3.0 -.crypz,CryptXXX 3.0 -.cryptz,CryptXXX 3.0 -.cryp1,CryptXXX 3.1 -.ctbl,CTB-Locker -.encrypted,CuteRansomware -.ded,DEDCryptor -.domino,Domino -.locked,EDA2 / HiddenTear -.isis,EduCrypt -.locked,EduCrypt -.ha3,El-Polocker -.enigma,Enigma -.1txt,Enigma -.exotic,Exotic -.locked,Fakben -.fantom,Fantom -.Z81928819,GhostCrypt -.purge,Globe v1 -.globe,Globe v3 -.locked,GNL Locker -.crypt,Gomasom -.herbst,Herbst -.cry,Hi Buddy! -.locky,Hucky -.crime,iLock -.crime,iLockLight -.btc,Jigsaw -.kkk,Jigsaw -.fun,Jigsaw -.gws,Jigsaw -.porno,Jigsaw -.payransom,Jigsaw -.payms,Jigsaw -.paymst,Jigsaw -.AFD,Jigsaw -.paybtcs,Jigsaw -.epic,Jigsaw -.xyz,Jigsaw -.locked,Job Crypter -.encrypted,KeRanger -.keybtc@inbox_com,KeyBTC -.rip,Killer Locker -.kimcilware,KimcilWare -.locked,KimcilWare -.kostya,Kostya -.kratos,KratosCrypt -.LeChiffre,LeChiffre -.locky,Locky -.zepto,Locky -.odin,Locky -.shit,Locky -.thor,Locky -.asier,Locky -.zzzzz,Locky -.osiris,Locky -.lock93,Lock93 -.crime,Lortok -.oor,LowLevel04 -.magic,Magic -.Lock,MIRCOP -.fucked,MireWare -.fuck,MireWare -.locked,MM Locker -.KEYZ,Mobef -.KEYH0LES,Mobef -.crypted,Nemucod -.odcodc,ODCODC -.cbf,Offline ransomware -.LOL!,OMG! Ransomware -.OMG!,OMG! Ransomware -.padcrypt,PadCrypt -.locked,Philadelphia -.locked,PokemonGO -.filock,Popcorn Time -.locky,PowerWare -.crypt,R980 -.locked,RAA encryptor -.RDM,Radamant -.RRK,Radamant -.RAD,Radamant -.RADAMANT,Radamant -.locked,Rakhni -.kraken,Rakhni -.darkness,Rakhni -.nochance,Rakhni -.oshit,Rakhni -.oplata@qq_com,Rakhni -.relock@qq_com,Rakhni -.crypto,Rakhni -.helpdecrypt@ukr.net,Rakhni -.pizda@qq_com,Rakhni -.dyatel@qq_com,Rakhni -._ryp,Rakhni -.nalog@qq_com,Rakhni -.chifrator@qq_com,Rakhni -.gruzin@qq_com,Rakhni -.troyancoder@qq_com,Rakhni -.encrypted,Rakhni -.cry,Rakhni -.AES256,Rakhni -.enc,Rakhni -.hb15,Rakhni -.vscrypt,Rector -.infected,Rector -.bloc,Rector -.korrektor,Rector -.rekt,RektLocker -.remind,RemindMe -.crashed,RemindMe -.rokku,Rokku -.encryptedAES,Samas-Samsam -.encryptedRSA,Samas-Samsam -.encedRSA,Samas-Samsam -.justbtcwillhelpyou,Samas-Samsam -.btcbtcbtc,Samas-Samsam -.btc-help-you,Samas-Samsam -.only-we_can-help_you,Samas-Samsam -.iwanthelpuuu,Samas-Samsam -.notfoundrans,Samas-Samsam -.encmywork,Samas-Samsam -.weapologize,Samas-Samsam -.stubbin,Samas-Samsam -.areyoulovemyrans,Samas-Samsam -.loveransisgood,Samas-Samsam -.myransext2017,Samas-Samsam -.disposed2017,Samas-Samsam -.prosperous666,Samas-Samsam -.supported2017,Samas-Samsam -.country82000,Samas-Samsam -.moments2900,Samas-Samsam -.breeding123,Samas-Samsam -.mention9823,Samas-Samsam -.suppose666,Samas-Samsam -.skjdthghh,Samas-Samsam -.cifgksaffsfyghd,Samas-Samsam -.iaufkakfhsaraf,Samas-Samsam -.filegofprencrp,Samas-Samsam -.weencedufiles,Samas-Samsam -.encryptedyourfiles,Samas-Samsam -.letmetrydecfiles,Samas-Samsam -.otherinformation,Samas-Samsam -.weareyourfriends,Samas-Samsam -.noproblemwedecfiles,Samas-Samsam -.powerfulldecrypt,Samas-Samsam -.wowreadfordecryp,Samas-Samsam -.wowwhereismyfiles,Samas-Samsam -.helpmeencedfiles,Samas-Samsam -.theworldisyours,Samas-Samsam -.vekanhelpu,Samas-Samsam -.howcanihelpusir,Samas-Samsam -.VforVendetta,Samas-Samsam -.checkdiskenced,Samas-Samsam -.goforhelp,Samas-Samsam -.iloveworld,Samas-Samsam -.canihelpyou,Samas-Samsam -.AreYouLoveMyRansFile,Samas-Samsam -.fucku,Samas-Samsam -.happenencedfiles,Samas-Samsam -.iwishiyou,Samas-Samsam -.powerfulldecryp,Samas-Samsam -.suppose665,Samas-Samsam -.Whereisyourfiles,Samas-Samsam -.sanction,Sanction -.locked,Shark -.shino,ShinoLocker -.locked,SkidLocker / Pompous -.encrypted,Smrss32 -.RSNSlocked,SNSLocker -.RSplited,SNSLocker -.sport,Sport -.locked,Stampado -.locked,Strictor -.surprise,Surprise -.tzu,Surprise -.szf,SZFLocker -.xcri,TeleCrypt -.vvv,TeslaCrypt 0.x - 2.2.0 -.ecc,TeslaCrypt 0.x - 2.2.0 -.exx,TeslaCrypt 0.x - 2.2.0 -.ezz,TeslaCrypt 0.x - 2.2.0 -.abc,TeslaCrypt 0.x - 2.2.0 -.aaa,TeslaCrypt 0.x - 2.2.0 -.zzz,TeslaCrypt 0.x - 2.2.0 -.xyz,TeslaCrypt 0.x - 2.2.0 -.micro,TeslaCrypt 3.0+ -.xxx,TeslaCrypt 3.0+ -.ttt,TeslaCrypt 3.0+ -.mp3,TeslaCrypt 3.0+ -.Encrypted,TorrentLocker -.enc,TorrentLocker -.toxcrypt,Toxcrypt -.better_call_saul,Troldesh -.xtbl,Troldesh -.da_vinci_code,Troldesh -.windows10,Troldesh -.enc,TrueCrypter -.locked,Turkish Ransom -.H3LL,Ungluk -.0x0,Ungluk -.1999,Ungluk -.CRRRT,Unlock92 -.CCCRRRPPP,Unlock92 -.vault,VaultCrypt -.xort,VaultCrypt -.trun,VaultCrypt -.Venusf,VenusLocker -.Venusp,VenusLocker -.CrySiS,Virus-Encoder -.xtbl,Virus-Encoder -.wflx,WildFire Locker -.EnCiPhErEd,Xorist -.73i87A,Xorist -.p5tkjw,Xorist -.PoAr2w,Xorist -.fileiscryptedhard,Xorist -.encoderpass,Xorist -.zc3791,Xorist -.xrtn,XRTN -.zcrypt,Zcrypt -.crypto,Zimbra -.vault,Zlader / Russian -.zyklon,Zyklon -.wncry,WannaCry -.wcry,WannaCry -.wnry,WannaCry -.wncryt,WannaCry -.WNCRYT,WannaCry -.RYK,Ryuk -.Clop,Clop -.Cllp,Clop -.JSWORM,JSWorm -.NEMTY_*,Nemty -.NEFILIM,Nefilim -.OFFWHITE,Offwhite -.TELEGRAM,Telegram -.FUSION,Fusion -.MILIHPEN,Milihpen -.GANGBANG,Gangbang -.reddot,RedDot -.MEDUSA,Medusa -.rhysida,Rhysida \ No newline at end of file diff --git a/dist/DA-ESS-ContentUpdate/lookups/ransomware_notes.csv b/dist/DA-ESS-ContentUpdate/lookups/ransomware_notes.csv deleted file mode 100644 index 5ab10617c1..0000000000 --- a/dist/DA-ESS-ContentUpdate/lookups/ransomware_notes.csv +++ /dev/null @@ -1,75 +0,0 @@ -ransomware_notes, status -HELP_TO_SAVE_FILES.txt,True -BitCryptorFileList.txt,True -BUYUNLOCKCODE,True -YOUR_FILES_ARE_ENCRYPTED.HTML,True -Coin.Locker.txt,True -DECRYPT_INSTRUCTIONS.HTML,True -ReadDecryptFilesHere.txt,True -HOW_DECRYPT.TXT,True -READ IF YOU WANT YOUR FILES BACK.HTML,True -GetYouFiles.txt,True -HOW TO DECRYPT FILES.HTML,True -DECRYPT_INSTRUCTION.TXT,True -HELP_DECRYPT.TXT,True -HELP_YOURFILES.HTML,True -HowDecrypt.gif,True -Decrypt All Files *.bmp,True -cryptinfo.txt,True -DECRYPT_Readme.TXT.ReadMe,True -qwer.html,True -qwer2.html,True -Hellothere.txt,True -FILESAREGONE.TXT,True -HOW TO DECRYPT FILES.TXT,True -DECRYPT_Readme.TXT.ReadMe,True -README_DECRYPT_HYDRA_ID_*.txt,True -DECRYPT_YOUR_FILES.HTML,True -KryptoLocker_README.txt,True -_Locky_recover_instructions.txt,True -DECRYPT_Readme.TXT.ReadMe,True -ATTENTION.RTF,True -how to get data.txt,True -IMPORTANT READ ME.txt,True -UnblockFiles.vbs,True -YOUR_FILES.url,True -exit.hhr.obleep,True -HOW_TO_DECRYPT.HTML,True -HOW-TO-DECRYPT-FILES.HTML,True -HELP_TO_SAVE_FILES.txt,True -HELP_TO_SAVE_FILES.txt,True -HELP_TO_SAVE_FILES.txt,True -_H_e_l_p_RECOVER_INSTRUCTIONS+*.txt,True -DECRYPT_INSTRUCTIONS.HTML,True -README_DECRYPT_UMBRE_ID_*.txt,True -Help_Decrypt.txt,True -CryptLogFile.txt,True -*@Please_Read_Me@.txt*,True -*@WanaDecryptor@.exe*,True -# DECRYPT MY FILES #.vbs,True -# DECRYPT MY FILES #.html,True -# DECRYPT MY FILES #.txt,True -# DECRYPT MY FILES #.vbs,True -# DECRYPT MY FILES #.html,True -# DECRYPT MY FILES #.txt,True -HELP_DECRYPT_YOUR_FILES.HTML,True -*-HELP_FOR_DECRYPT_FILE.html,True -*-SORRY-FOR-FILES.html,True -*-READ-FOR-HELLPP.html,True -RyukReadMe.html,True -ClopReadMe.txt,True -README_README.txt,True -JSWORM-DECRYPT.html,True -NEMTY_*-DECRYPT.txt,True -NEFILIM-DECRYPT.txt,True -OFFWHITE-MANUAL.txt,True -TELEGRAM-RECOVER.txt,True -FUSION-README.txt,True -MILIHPEN-INSTRUCT.txt,True -GANGBANG-NOTE.txt,True -GET_YOUR_FILES_BACK.txt,True -read_it.txt,True -*.README.txt, True -*READ_ME_MEDUSA*.TXT,True -How_to_back_files.HTML,True -CriticalBreachDetected.pdf,True \ No newline at end of file diff --git a/dist/DA-ESS-ContentUpdate/lookups/ransomware_notes_20231219.csv b/dist/DA-ESS-ContentUpdate/lookups/ransomware_notes_20231219.csv deleted file mode 100644 index 5ab10617c1..0000000000 --- a/dist/DA-ESS-ContentUpdate/lookups/ransomware_notes_20231219.csv +++ /dev/null @@ -1,75 +0,0 @@ -ransomware_notes, status -HELP_TO_SAVE_FILES.txt,True -BitCryptorFileList.txt,True -BUYUNLOCKCODE,True -YOUR_FILES_ARE_ENCRYPTED.HTML,True -Coin.Locker.txt,True -DECRYPT_INSTRUCTIONS.HTML,True -ReadDecryptFilesHere.txt,True -HOW_DECRYPT.TXT,True -READ IF YOU WANT YOUR FILES BACK.HTML,True -GetYouFiles.txt,True -HOW TO DECRYPT FILES.HTML,True -DECRYPT_INSTRUCTION.TXT,True -HELP_DECRYPT.TXT,True -HELP_YOURFILES.HTML,True -HowDecrypt.gif,True -Decrypt All Files *.bmp,True -cryptinfo.txt,True -DECRYPT_Readme.TXT.ReadMe,True -qwer.html,True -qwer2.html,True -Hellothere.txt,True -FILESAREGONE.TXT,True -HOW TO DECRYPT FILES.TXT,True -DECRYPT_Readme.TXT.ReadMe,True -README_DECRYPT_HYDRA_ID_*.txt,True -DECRYPT_YOUR_FILES.HTML,True -KryptoLocker_README.txt,True -_Locky_recover_instructions.txt,True -DECRYPT_Readme.TXT.ReadMe,True -ATTENTION.RTF,True -how to get data.txt,True -IMPORTANT READ ME.txt,True -UnblockFiles.vbs,True -YOUR_FILES.url,True -exit.hhr.obleep,True -HOW_TO_DECRYPT.HTML,True -HOW-TO-DECRYPT-FILES.HTML,True -HELP_TO_SAVE_FILES.txt,True -HELP_TO_SAVE_FILES.txt,True -HELP_TO_SAVE_FILES.txt,True -_H_e_l_p_RECOVER_INSTRUCTIONS+*.txt,True -DECRYPT_INSTRUCTIONS.HTML,True -README_DECRYPT_UMBRE_ID_*.txt,True -Help_Decrypt.txt,True -CryptLogFile.txt,True -*@Please_Read_Me@.txt*,True -*@WanaDecryptor@.exe*,True -# DECRYPT MY FILES #.vbs,True -# DECRYPT MY FILES #.html,True -# DECRYPT MY FILES #.txt,True -# DECRYPT MY FILES #.vbs,True -# DECRYPT MY FILES #.html,True -# DECRYPT MY FILES #.txt,True -HELP_DECRYPT_YOUR_FILES.HTML,True -*-HELP_FOR_DECRYPT_FILE.html,True -*-SORRY-FOR-FILES.html,True -*-READ-FOR-HELLPP.html,True -RyukReadMe.html,True -ClopReadMe.txt,True -README_README.txt,True -JSWORM-DECRYPT.html,True -NEMTY_*-DECRYPT.txt,True -NEFILIM-DECRYPT.txt,True -OFFWHITE-MANUAL.txt,True -TELEGRAM-RECOVER.txt,True -FUSION-README.txt,True -MILIHPEN-INSTRUCT.txt,True -GANGBANG-NOTE.txt,True -GET_YOUR_FILES_BACK.txt,True -read_it.txt,True -*.README.txt, True -*READ_ME_MEDUSA*.TXT,True -How_to_back_files.HTML,True -CriticalBreachDetected.pdf,True \ No newline at end of file diff --git a/dist/DA-ESS-ContentUpdate/lookups/rare_process_allow_list_default.csv b/dist/DA-ESS-ContentUpdate/lookups/rare_process_allow_list_default.csv deleted file mode 100644 index cfc193563d..0000000000 --- a/dist/DA-ESS-ContentUpdate/lookups/rare_process_allow_list_default.csv +++ /dev/null @@ -1,7 +0,0 @@ -process,allow_list -splunk-regmon.exe,true -winword.exe,true -excel.exe,true -outlook.exe,true -powerpnt.exe,true -visio.exe,true diff --git a/dist/DA-ESS-ContentUpdate/lookups/rare_process_allow_list_local.csv b/dist/DA-ESS-ContentUpdate/lookups/rare_process_allow_list_local.csv deleted file mode 100644 index 2cca84e0ea..0000000000 --- a/dist/DA-ESS-ContentUpdate/lookups/rare_process_allow_list_local.csv +++ /dev/null @@ -1 +0,0 @@ -process,allow_list diff --git a/dist/DA-ESS-ContentUpdate/lookups/remote_access_software.csv b/dist/DA-ESS-ContentUpdate/lookups/remote_access_software.csv deleted file mode 100644 index 2593eebb17..0000000000 --- a/dist/DA-ESS-ContentUpdate/lookups/remote_access_software.csv +++ /dev/null @@ -1,569 +0,0 @@ -description,remote_domain,remote_utility,remote_utility_fileinfo,remote_appid,isutility,category,comment_reference,last_update -247ithelp.com (ConnectWise),*.247ithelp.com,Remote Workforce Client.exe,,,TRUE,RMM,Simlar / replaced by ScreenConnect,2/8/2024 -Access Remote PC,,rpcgrab.exe,,,TRUE,RMM,,2/7/2024 -Access Remote PC,,rpcsetup.exe,,,TRUE,RMM,,2/7/2024 -Acronic Cyber Protect (Remotix),cloud.acronis.com,AcronisCyberProtectConnectQuickAssist*.exe,Acronis Cyber Protect Connect Quick Assist,remotix,TRUE,RMM,https://kb.acronis.com/content/47189,2/26/2024 -Acronic Cyber Protect (Remotix),agents*-cloud.acronis.com,AcronisCyberProtectConnectAgent.exe,Acronis Cyber Protect Connect Agent,,TRUE,RMM,https://kb.acronis.com/content/47189,2/26/2024 -Acronic Cyber Protect (Remotix),gw.remotix.com,,,,TRUE,RMM,https://kb.acronis.com/content/47189,2/26/2024 -Acronic Cyber Protect (Remotix),connect.acronis.com,,,,TRUE,RMM,https://kb.acronis.com/content/47189,2/26/2024 -Action1,*.action1.com,action1_agent.exe,Action1*,,TRUE,RMM,https://www.action1.com/documentation/firewall-configuration/,2/7/2024 -Action1,action1.com,action1_remote.exe,,,TRUE,RMM,https://www.action1.com/documentation/firewall-configuration/,2/7/2024 -Action1,a1-backend-packages.s3.amazonaws.com,action1_connector.exe,,,TRUE,RMM,https://www.action1.com/documentation/firewall-configuration/,2/7/2024 -Action1,server.action1.com,action1_update.exe,,,TRUE,RMM,https://www.action1.com/documentation/firewall-configuration/,2/7/2024 -Addigy,prod.addigy.com,addigy-*.pkg,Addigy*,,TRUE,RMM,https://addigy.com/,2/27/2024 -Addigy,grtmprod.addigy.com,,,,TRUE,RMM,https://addigy.com/,2/27/2024 -Addigy,agents.addigy.com,,,,TRUE,RMM,https://addigy.com/,2/27/2024 -Adobe Connect,*.adobeconnect.com,ConnectAppSetup*.exe,Adobe Connect,adobe-connect,TRUE,RMM,https://helpx.adobe.com/adobe-connect/firewall-proxy-server-configuration-adobe-connect.html,2/27/2024 -Adobe Connect,,ConnectShellSetup*.exe,,adobe-meeting-remote-control,TRUE,RMM,https://helpx.adobe.com/adobe-connect/firewall-proxy-server-configuration-adobe-connect.html,2/27/2024 -Adobe Connect,,Connect.exe,,adobe-connectnow,TRUE,RMM,https://helpx.adobe.com/adobe-connect/firewall-proxy-server-configuration-adobe-connect.html,2/27/2024 -Adobe Connect,,ConnectDetector.exe,,adobe-connectnow-remote-control,TRUE,RMM,https://helpx.adobe.com/adobe-connect/firewall-proxy-server-configuration-adobe-connect.html,2/27/2024 -AeroAdmin,auth*.aeroadmin.com,aeroadmin.exe,AeroAdmin*,aeroadmin,TRUE,RMM,https://support.aeroadmin.com/kb/faq.php?id=58,2/7/2024 -AeroAdmin,aeroadmin.com,,Aero Admin*,,TRUE,RMM,https://support.aeroadmin.com/kb/faq.php?id=58,2/7/2024 -AliWangWang-remote-control,wangwang.taobao.com,alitask.exe,AliWangWang*,ali-wangwang,TRUE,RMM,https://github.com/KKomarov/AliWangWangEng/blob/master/chs.locale,2/7/2024 -AliWangWang-remote-control,,,,ali-wangwang-remote-control,TRUE,RMM,https://github.com/KKomarov/AliWangWangEng/blob/master/chs.locale,2/7/2024 -Alpemix,*.alpemix.com,alpemix.exe,Alpemix*,alpemix,TRUE,RMM,https://www.alpemix.com/en/remote-access,2/7/2024 -Alpemix,*.teknopars.com,,Teknopars*,,TRUE,RMM,https://www.alpemix.com/en/remote-access,2/7/2024 -Ammyy Admin,*ammyy.com,aa_v*.exe,Ammyy*,ammyy-admin,TRUE,RMM,https://www.ammyy.com/en/admin_security.html,2/7/2024 -Ammyy Admin,,AMMYY_Admin.exe,,,TRUE,RMM,https://www.ammyy.com/en/admin_security.html,2/7/2024 -Any Support,*.anysupport.net,ManualLauncher.exe,AnySupport*,anysupport,TRUE,RMM,https://www.anysupport.net/introduce_howto.php,2/27/2024 -Any Support,,,"Koino Co., Ltd.",,TRUE,RMM,https://www.anysupport.net/introduce_howto.php,2/27/2024 -AnyDesk,net.anydesk.com,anydesk.exe,anydesk*,anydesk,TRUE,RMM,https://support.anydesk.com/knowledge/firewall,2/7/2024 -AnyDesk,,,philandro Software*,anydesk,TRUE,RMM,https://support.anydesk.com/knowledge/firewall,2/7/2024 -Anyplace Control,anyplace-control.com,apc_host.exe,Anyplace*,anyplace-remote-control,TRUE,RMM,http://www.anyplace-control.com/anyplace-control/help/faq.htm,2/7/2024 -AnyViewer,controlserver.anyviewer.com,AnyViewerSetup.exe,AOMEI*,,TRUE,RMM,https://www.anyviewer.com/how-to/how-to-open-firewall-ports-for-remote-desktop-0427-gc.html,2/7/2024 -AnyViewer,*.aomeisoftware.com,RCClient.exe,Anyviewer*,,TRUE,RMM,https://www.anyviewer.com/how-to/how-to-open-firewall-ports-for-remote-desktop-0427-gc.html,2/7/2024 -AnyViewer,aomeisoftware.com,RCService.exe,,,TRUE,RMM,https://www.anyviewer.com/how-to/how-to-open-firewall-ports-for-remote-desktop-0427-gc.html,2/7/2024 -Apple Remote Desktop,user_managed,ARDAgent.app,,apple-remote-desktop,TRUE,RMM,https://support.apple.com/guide/remote-desktop/install-and-set-up-remote-desktop-apdf49e03a4/mac,2/24/2024 -Atera RMM,agent-api.atera.com,atera_agent.exe,Atera Networks,,TRUE,RMM,https://support.atera.com/hc/en-us/articles/360015461139-Firewall-Settings-for-Atera-s-Integrations,2/7/2024 -Atera RMM,pubsub.atera.com,ateraagent.exe,AteraAgent,,TRUE,RMM,https://support.atera.com/hc/en-us/articles/360015461139-Firewall-Settings-for-Atera-s-Integrations,2/7/2024 -Atera RMM,,syncrosetup.exe,,,TRUE,RMM,https://support.atera.com/hc/en-us/articles/360015461139-Firewall-Settings-for-Atera-s-Integrations,2/7/2024 -Auvik,*.my.auvik.com,auvik.engine.exe,,,TRUE,RMM,https://support.auvik.com/hc/en-us/articles/204315700-What-protocols-and-ports-does-the-Auvik-collector-use,2/7/2024 -Auvik,*.auvik.com,auvik.agent.exe,,,TRUE,RMM,https://support.auvik.com/hc/en-us/articles/204315700-What-protocols-and-ports-does-the-Auvik-collector-use,2/7/2024 -AweRay,asapi*.aweray.net,aweray_remote*.exe,AweRay*,awesun,TRUE,RMM,https://sun.aweray.com/help,2/7/2024 -AweRay,client-api.aweray.com,AweSun.exe,AweSun*,,TRUE,RMM,https://sun.aweray.com/help,2/7/2024 -Barracuda,*.islonline.net,,Barracuda MSP,,TRUE,RMM,https://help.islonline.com/19799/166125,2/7/2024 -Barracuda,rmm.barracudamsp.com,,Barracuda Networks,,TRUE,RMM,https://help.islonline.com/19799/166125,2/7/2024 -Barracuda,,,LPI Level Platforms,,TRUE,RMM,https://help.islonline.com/19799/166125,2/7/2024 -Basecamp,,,,,TRUE,RMM,basecamp.com - No specific RMM tool listed,2/7/2024 -BeamYourScreen,beamyourscreen.com,beamyourscreen.exe,BeamYourScreen*,,TRUE,RMM,beamyourscreen redirects to https://www.mikogo.com/,2/7/2024 -BeamYourScreen,*.beamyourscreen.com,beamyourscreen-host.exe,,,TRUE,RMM,beamyourscreen redirects to https://www.mikogo.com/,2/7/2024 -BeAnywhere,beanywhere.com,BASupConHelper.exe,,,TRUE,RMM,https://www.shouldiremoveit.com/beanywhere-support-service-40908-program.aspx,2/7/2024 -BeAnywhere,*.beanywhere.com,BASupSrvc.exe,,,TRUE,RMM,https://www.shouldiremoveit.com/beanywhere-support-service-40908-program.aspx,2/7/2024 -BeAnywhere,,BASupSrvcCnfg.exe,,,TRUE,RMM,https://www.shouldiremoveit.com/beanywhere-support-service-40908-program.aspx,2/7/2024 -BeAnywhere,,BASupSrvcUpdater.exe,,,TRUE,RMM,https://www.shouldiremoveit.com/beanywhere-support-service-40908-program.aspx,2/7/2024 -BeAnyWhere,,BASupSysInf.exe,,,TRUE,RMM,https://www.shouldiremoveit.com/beanywhere-support-service-40908-program.aspx,2/7/2024 -BeAnyWhere,,BASupAppSrvc.exe,,,TRUE,RMM,https://www.shouldiremoveit.com/beanywhere-support-service-40908-program.aspx,2/7/2024 -BeAnyWhere,,BASupAppElev.exe,,,TRUE,RMM,https://www.shouldiremoveit.com/beanywhere-support-service-40908-program.aspx,2/7/2024 -BeAnyWhere,,BASupApp.exe,,,TRUE,RMM,https://www.shouldiremoveit.com/beanywhere-support-service-40908-program.aspx,2/7/2024 -BeAnyWhere,,TakeControl.exe,,,TRUE,RMM,https://www.shouldiremoveit.com/beanywhere-support-service-40908-program.aspx,2/7/2024 -BeAnyWhere,,BASupApp.exe,,,TRUE,RMM,https://www.shouldiremoveit.com/beanywhere-support-service-40908-program.aspx,2/7/2024 -BeInSync,*.beinsync.net,Beinsync*.exe,BeInSync,beinsync,TRUE,RMM,https://en.wikipedia.org/wiki/Phoenix_Technologies,2/26/2024 -BeInSync,*.beinsync.com,,BeInSync Client GUI,,TRUE,RMM,https://en.wikipedia.org/wiki/Phoenix_Technologies,2/26/2024 -BeyondTrust (Bomgar),*.beyondtrustcloud.com,bomgar-scc-*.exe,BeyondTrust*,beyond-trust-remote-support,TRUE,RMM,https://www.beyondtrust.com/docs/remote-support/getting-started/deployment/cloud/network.htm,2/7/2024 -BeyondTrust (Bomgar),*.bomgarcloud.com,bomgar-scc.exe,Bomgar*,bomgar,TRUE,RMM,https://www.beyondtrust.com/docs/remote-support/getting-started/deployment/cloud/network.htm,2/7/2024 -BeyondTrust (Bomgar),bomgarcloud.com,bomgar-pac-*.exe,,,TRUE,RMM,https://www.beyondtrust.com/docs/remote-support/getting-started/deployment/cloud/network.htm,2/7/2024 -BeyondTrust (Bomgar),,bomgar-pac.exe,,,TRUE,RMM,https://www.beyondtrust.com/docs/remote-support/getting-started/deployment/cloud/network.htm,2/7/2024 -BeyondTrust (Bomgar),,bomgar-rdp.exe,,,TRUE,RMM,https://www.beyondtrust.com/docs/remote-support/getting-started/deployment/cloud/network.htm,2/7/2024 -CentraStage (Now Datto),*.rmm.datto.com,CagService.exe,Datto*,,TRUE,RMM,https://rmm.datto.com/help/de/Content/1INTRODUCTION/Requirements/AllowListRequirements.htm,2/7/2024 -CentraStage (Now Datto),*cc.centrastage.net,AEMAgent.exe,,,TRUE,RMM,https://rmm.datto.com/help/de/Content/1INTRODUCTION/Requirements/AllowListRequirements.htm,2/7/2024 -Centurion,centuriontech.com,ctiserv.exe,,,TRUE,RMM,https://data443.atlassian.net/servicedesk/customer/portal/20,2/7/2024 -Chrome Remote Desktop,*remotedesktop.google.com,remote_host.exe,Chrome Remote Desktop,chrome-remote-desktop,TRUE,RMM,https://support.google.com/chrome/a/answer/2799701?hl=en,2/7/2024 -Chrome Remote Desktop,*remotedesktop-pa.googleapis.com,remoting_host.exe,,,TRUE,RMM,https://support.google.com/chrome/a/answer/2799701?hl=en,2/7/2024 -CloudFlare Tunnel,,cloudflared.exe,,,TRUE,Remote Access,cloudflare.com/products/tunnel/,2/7/2024 -Comodo RMM,*.itsm-us1.comodo.com,itsmagent.exe,,,TRUE,RMM,"https://help.itarian.com/topic-459-1-1005-14776-Appendix-1b---Endpoint-Manager-Services---IP-Nos,-Host-Names-and-Port-Details---US-Customers.html",2/7/2024 -Comodo RMM,*mdmsupport.comodo.com,rviewer.exe,,,TRUE,RMM,"https://help.itarian.com/topic-459-1-1005-14776-Appendix-1b---Endpoint-Manager-Services---IP-Nos,-Host-Names-and-Port-Details---US-Customers.html",2/7/2024 -Connectwise Automate (LabTech),*.hostedrmm.com,ltsvc.exe,,,TRUE,RMM,https://www.connectwise.com/company/announcements/labtech-now-connectwise-automate,2/8/2024 -Connectwise Automate (LabTech),,ltsvcmon.exe,,,TRUE,RMM,https://www.connectwise.com/company/announcements/labtech-now-connectwise-automate,2/8/2024 -Connectwise Automate (LabTech),,lttray.exe,,,TRUE,RMM,https://www.connectwise.com/company/announcements/labtech-now-connectwise-automate,2/8/2024 -CrossLoop,*.crossloop.com,crossloopservice.exe,Crossloop*,crossloop,TRUE,RMM,www.CrossLoop.com -> redirects to avast.com,2/7/2024 -CrossLoop,,CrossLoopConnect.exe,,,TRUE,RMM,www.CrossLoop.com -> redirects to avast.com,2/7/2024 -CrossLoop,,WinVNCStub.exe,,,TRUE,RMM,www.CrossLoop.com -> redirects to avast.com,2/7/2024 -CrossTec Remote Control,user_managed,PCIVIDEO.EXE,CrossTec,,TRUE,RMM,www.crosstecsoftware.com/supporthome.html - domain DOA 2/1/2024,2/7/2024 -CrossTec Remote Control,,supporttool.exe,,,TRUE,RMM,www.crosstecsoftware.com/supporthome.html - domain DOA 2/1/2024,2/7/2024 -CruzControl,,,,,TRUE,RMM,https://resources.doradosoftware.com/cruz-rmm,2/7/2024 -Dameware,user_managed,dntus*.exe,DameWare*,dameware-mini-remote,TRUE,RMM,https://documentation.solarwinds.com/en/success_center/dameware/content/install-standalone-port-requirements.htm,2/7/2024 -Dameware,,dwrcs.exe,,,TRUE,RMM,https://documentation.solarwinds.com/en/success_center/dameware/content/install-standalone-port-requirements.htm,2/7/2024 -DameWare,,DameWare Remote Support.exe,,,TRUE,RMM,https://documentation.solarwinds.com/en/success_center/dameware/content/install-standalone-port-requirements.htm,2/7/2024 -DameWare,,SolarWinds-Dameware-MRC*.exe,,,TRUE,RMM,https://documentation.solarwinds.com/en/success_center/dameware/content/install-standalone-port-requirements.htm,2/7/2024 -DameWare,,DameWare Mini Remote Control*.exe,,,TRUE,RMM,https://documentation.solarwinds.com/en/success_center/dameware/content/install-standalone-port-requirements.htm,2/7/2024 -DameWare,,SolarWinds-Dameware-DRS*.exe,,,TRUE,RMM,https://documentation.solarwinds.com/en/success_center/dameware/content/install-standalone-port-requirements.htm,2/7/2024 -DeskDay,deskday.ai,ultimate_*.exe,,,TRUE,RMM,https://support.deskday.ai/en/articles/8235973-installing-the-end-user-application-ultimate,2/7/2024 -DeskDay,app.deskday.ai,,,,TRUE,RMM,https://support.deskday.ai/en/articles/8235973-installing-the-end-user-application-ultimate,2/7/2024 -DeskNets,,,,desknets,TRUE,RMM,https://www.desknets.com/en/download.html,2/26/2024 -DeskShare,user_managed,TeamTaskManager.exe,Team Task Manager*,deskshare,TRUE,RMM,https://www.deskshare.com/help/fml/Active-and-Passive-connection-mode.aspx,2/26/2024 -DeskShare,,DSGuest.exe,DeskShare*,,TRUE,RMM,https://www.deskshare.com/help/fml/Active-and-Passive-connection-mode.aspx,2/26/2024 -DesktopNow,*.nchuser.com,desktopnow.exe,DesktopNow*,,TRUE,RMM,https://forums.ivanti.com/s/article/Network-Ports-used-by-Environment-Manager?language=en_US,2/26/2024 -DesktopNow,,,NCH Software*,,TRUE,RMM,https://forums.ivanti.com/s/article/Network-Ports-used-by-Environment-Manager?language=en_US,2/26/2024 -Distant Desktop,*.distantdesktop.com,distant-desktop.exe,Distant Software*,,TRUE,RMM,https://www.distantdesktop.com/manual/first-start.htm,2/8/2024 -Distant Desktop,*signalserver.xyz,dd.exe,Distant Desktop*,,TRUE,RMM,https://www.distantdesktop.com/manual/first-start.htm,2/8/2024 -Distant Desktop,,ddsystem.exe,German Gorodokuplya*,,TRUE,RMM,https://www.distantdesktop.com/manual/first-start.htm,2/8/2024 -Domotz,*.domotz.co,domotz*.exe,Domotz*,,TRUE,RMM,https://help.domotz.com/tips-tricks/unblock-outgoing-connections-on-firewall/,2/7/2024 -Domotz,*cell-1.domotz.com,domotz_bash.exe,,,TRUE,RMM,https://help.domotz.com/tips-tricks/unblock-outgoing-connections-on-firewall/,2/7/2024 -Domotz,domotz.com,domotz-windows*.exe,,,TRUE,RMM,https://help.domotz.com/tips-tricks/unblock-outgoing-connections-on-firewall/,2/7/2024 -Domotz,,Domotz Pro Desktop App.exe,,,TRUE,RMM,https://help.domotz.com/tips-tricks/unblock-outgoing-connections-on-firewall/,2/7/2024 -Domotz,,Domotz Pro Desktop App Setup*.exe,,,TRUE,RMM,https://help.domotz.com/tips-tricks/unblock-outgoing-connections-on-firewall/,2/7/2024 -Domotz,,domotz.exe,,,TRUE,RMM,https://help.domotz.com/tips-tricks/unblock-outgoing-connections-on-firewall/,2/7/2024 -DW Service,*.dwservice.net,dwagsvc.exe,DWSNET*,dws-remote-control,TRUE,RMM,https://news.dwservice.net/dwservice-security-infrastructure/,2/7/2024 -DW Service,,dwagent.exe,,,TRUE,RMM,https://news.dwservice.net/dwservice-security-infrastructure/,2/7/2024 -DW Service,,dwagsvc.exe,,,TRUE,RMM,https://news.dwservice.net/dwservice-security-infrastructure/,2/7/2024 -Echoware,,echoserver*.exe,,echoware,TRUE,RMM,,2/7/2024 -Echoware,,echoware.dll,,,TRUE,RMM,,2/7/2024 -Electric AI (Kaseya),,,,,TRUE,RMM,https://www.electric.ai/product/device-management-solutions - Usess Kaseya/jamf,2/7/2024 -EMCO Remote Console,user_managed,remoteconsole.exe,,,TRUE,RMM,,2/7/2024 -Encapto,,,,,TRUE,RMM,https://www.encapto.com - used to manage Cisco services,2/7/2024 -Ericom AccessNow,user_managed,accessserver*.exe,,,TRUE,RMM,https://www.ericom.com/connect-accessnow/,2/7/2024 -Ericom Connect,user_managed,EricomConnectRemoteHost*.exe,,,TRUE,RMM,https://www.ericom.com/connect-accessnow/,2/7/2024 -Ericom Connect,,ericomconnnectconfigurationtool.exe,,,TRUE,RMM,https://www.ericom.com/connect-accessnow/,2/7/2024 -ESET Remote Administrator,user_managed,era.exe,ESET Management*,,TRUE,RMM,eset.com/me/business/remote-management/remote-administrator/,2/7/2024 -ESET Remote Administrator,,einstaller.exe,,,TRUE,RMM,eset.com/me/business/remote-management/remote-administrator/,2/7/2024 -ESET Remote Administrator,,ezhelp*.exe,,,TRUE,RMM,eset.com/me/business/remote-management/remote-administrator/,2/7/2024 -ESET Remote Administrator,,eratool.exe,,,TRUE,RMM,eset.com/me/business/remote-management/remote-administrator/,2/7/2024 -ESET Remote Administrator,,ERAAgent.exe,,,TRUE,RMM,eset.com/me/business/remote-management/remote-administrator/,2/7/2024 -ezHelp,*.ezhelp.co.kr,ezhelpclientmanager.exe,Mastersoft Corp*,ezhelp,TRUE,RMM,https://www.exhelp.co.kr,2/7/2024 -ezHelp,,ezHelpManager.exe,,,TRUE,RMM,https://www.exhelp.co.kr,2/7/2024 -ezHelp,,ezhelpclient.exe,,,TRUE,RMM,https://www.exhelp.co.kr,2/7/2024 -FastViewer,*.fastviewer.com,fastclient.exe,Fastviewer*,fastviewer,TRUE,RMM,https://fastviewer.com/demo/EN_FastViewer_Server%20Installation%20Configuration.pdf,2/7/2024 -FastViewer,,fastmaster.exe,,,TRUE,RMM,https://fastviewer.com/demo/EN_FastViewer_Server%20Installation%20Configuration.pdf,2/7/2024 -FastViewer,,FastViewer.exe,,,TRUE,RMM,https://fastviewer.com/demo/EN_FastViewer_Server%20Installation%20Configuration.pdf,2/7/2024 -FixMe.it,*.fixme.it,FixMeit Unattended Access Setup.exe,FixMe*,techinline,TRUE,RMM,https://docs.fixme.it/general-questions/which-ports-and-servers-does-fixme-it-use,2/7/2024 -FixMe.it,*.techinline.net,TiExpertStandalone.exe,SetMe*,,TRUE,RMM,https://docs.fixme.it/general-questions/which-ports-and-servers-does-fixme-it-use,2/7/2024 -FixMe.it,fixme.it,FixMeitClient*.exe,FixMe.IT Helper,,TRUE,RMM,https://docs.fixme.it/general-questions/which-ports-and-servers-does-fixme-it-use,2/7/2024 -FixMe.it,*set.me,FixMeit Client.exe,,,TRUE,RMM,https://docs.fixme.it/general-questions/which-ports-and-servers-does-fixme-it-use,2/7/2024 -FixMe.it,*setme.net,FixMeit Expert Setup.exe,,,TRUE,RMM,https://docs.fixme.it/general-questions/which-ports-and-servers-does-fixme-it-use,2/7/2024 -FixMe.it,,TiExpertCore.exe,,,TRUE,RMM,https://docs.fixme.it/general-questions/which-ports-and-servers-does-fixme-it-use,2/7/2024 -FixMe.it,,fixmeitclient.exe,,,TRUE,RMM,https://docs.fixme.it/general-questions/which-ports-and-servers-does-fixme-it-use,2/7/2024 -FixMe.it,,TiClientCore.exe,,,TRUE,RMM,https://docs.fixme.it/general-questions/which-ports-and-servers-does-fixme-it-use,2/7/2024 -FixMe.it,,TiClientHelper*.exe,,,TRUE,RMM,https://docs.fixme.it/general-questions/which-ports-and-servers-does-fixme-it-use,2/7/2024 -FleetDesk.io,*.fleetdeck.io,fleetdeck_agent_svc.exe,FleetDeck*,,TRUE,RMM,https://fleetdeck.io/faq/,2/7/2024 -FleetDesk.io,cognito-idp.us-west-2.amazonaws.com,fleetdeck_commander_svc.exe,,,TRUE,RMM,https://fleetdeck.io/faq/,2/7/2024 -FleetDesk.io,fleetdeck.io,fleetdeck_installer.exe,,,TRUE,RMM,https://fleetdeck.io/faq/,2/7/2024 -FleetDesk.io,,fleetdeck_agent.exe,,,TRUE,RMM,https://fleetdeck.io/faq/,2/7/2024 -FleetDesk.io,,fleetdeck_commander_launcher.exe,,,TRUE,RMM,https://fleetdeck.io/faq/,2/7/2024 -Fortra,,,,,TRUE,RMM,https://www.fortra.com - No free/cloud RMM softwars listed,2/7/2024 -GatherPlace-desktop sharing,*.gatherplace.com,gp3.exe,Gatherworks*,,TRUE,RMM,https://www.gatherplace.com/kb?id=136377,2/7/2024 -GatherPlace-desktop sharing,*.gatherplace.net,gp4.exe,,,TRUE,RMM,https://www.gatherplace.com/kb?id=136377,2/7/2024 -GatherPlace-desktop sharing,,gp5.exe,,,TRUE,RMM,https://www.gatherplace.com/kb?id=136377,2/7/2024 -GetScreen,*.getscreen.me,getscreen.exe,getscreen.me*,,TRUE,RMM,https://docs.getscreen.me/self-hosted/system-requirements/,2/7/2024 -GetScreen,getscreen.me,,Point B Ltd*,,TRUE,RMM,https://docs.getscreen.me/self-hosted/system-requirements/,2/7/2024 -GoToAssist,goto.com,gotoassist.exe,GoToAssist*,gotoassist,TRUE,RMM,https://help.gotoassist.com/remote-support/help/what-should-i-allow-on-my-firewall-for-gotoassist-remote-support-v5,2/7/2024 -GoToAssist,*.getgo.com,g2a*.exe,,,TRUE,RMM,https://help.gotoassist.com/remote-support/help/what-should-i-allow-on-my-firewall-for-gotoassist-remote-support-v5,2/7/2024 -GoToAssist,*.fastsupport.com,GoTo Assist Opener.exe,,,TRUE,RMM,https://help.gotoassist.com/remote-support/help/what-should-i-allow-on-my-firewall-for-gotoassist-remote-support-v5,2/7/2024 -GoToAssist,*.gotoassist.com,,,,TRUE,RMM,https://help.gotoassist.com/remote-support/help/what-should-i-allow-on-my-firewall-for-gotoassist-remote-support-v5,2/7/2024 -GoToAssist,helpme.net,,,,TRUE,RMM,https://help.gotoassist.com/remote-support/help/what-should-i-allow-on-my-firewall-for-gotoassist-remote-support-v5,2/7/2024 -GoToAssist,*.gotoassist.me,,,,TRUE,RMM,https://help.gotoassist.com/remote-support/help/what-should-i-allow-on-my-firewall-for-gotoassist-remote-support-v5,2/7/2024 -GoToAssist,*.gotoassist.at,,,,TRUE,RMM,https://help.gotoassist.com/remote-support/help/what-should-i-allow-on-my-firewall-for-gotoassist-remote-support-v5,2/7/2024 -GoToAssist,*.desktopstreaming.com,,,,TRUE,RMM,https://help.gotoassist.com/remote-support/help/what-should-i-allow-on-my-firewall-for-gotoassist-remote-support-v5,2/7/2024 -GotoHTTP,gotohttp.com,gotohttp.exe,GotoHTTP*,,TRUE,RMM,https://gotohttp.com/goto/help.12x,2/8/2024 -GotoHTTP,*.gotohttp.com,GotoHTTP_x64.exe,Pingbo*,,TRUE,RMM,https://gotohttp.com/goto/help.12x,2/8/2024 -GoToMyPC,*.GoToMyPC.com,g2file*.exe,GoTo Opener,gotomypc,TRUE,RMM,https://support.logmeininc.com/gotomypc/help/what-are-the-optimal-firewall-configurations#,2/8/2024 -GoToMyPC,,g2quick.exe,GoToOpener,gotomypc-base,TRUE,RMM,https://support.logmeininc.com/gotomypc/help/what-are-the-optimal-firewall-configurations#,2/8/2024 -GoToMyPC,,g2svc.exe,,gotomypc-desktop-sharing,TRUE,RMM,https://support.logmeininc.com/gotomypc/help/what-are-the-optimal-firewall-configurations#,2/8/2024 -GoToMyPC,,g2tray.exe,,gotomypc-remote-control,TRUE,RMM,https://support.logmeininc.com/gotomypc/help/what-are-the-optimal-firewall-configurations#,2/8/2024 -GoToMyPC,,g2svc.exe,,gotomypc-printing,TRUE,RMM,https://support.logmeininc.com/gotomypc/help/what-are-the-optimal-firewall-configurations#,2/8/2024 -GoToMyPC,,g2printh.exe,,,TRUE,RMM,https://support.logmeininc.com/gotomypc/help/what-are-the-optimal-firewall-configurations#,2/8/2024 -GoToMyPC,,g2fileh.exe,,,TRUE,RMM,https://support.logmeininc.com/gotomypc/help/what-are-the-optimal-firewall-configurations#,2/8/2024 -GoToMyPC,,g2tray.exe,,,TRUE,RMM,https://support.logmeininc.com/gotomypc/help/what-are-the-optimal-firewall-configurations#,2/8/2024 -GoToMyPC,,gopcsrv.exe,,,TRUE,RMM,https://support.logmeininc.com/gotomypc/help/what-are-the-optimal-firewall-configurations#,2/8/2024 -GoToMyPC,,g2host.exe,,,TRUE,RMM,https://support.logmeininc.com/gotomypc/help/what-are-the-optimal-firewall-configurations#,2/8/2024 -GoToMyPC,,g2comm.exe,,,TRUE,RMM,https://support.logmeininc.com/gotomypc/help/what-are-the-optimal-firewall-configurations#,2/8/2024 -GoToMyPC,,g2mainh.exe,,,TRUE,RMM,https://support.logmeininc.com/gotomypc/help/what-are-the-optimal-firewall-configurations#,2/8/2024 -Goverlan,user_managed,goverrmc.exe,Goverlan*,goverlan,TRUE,RMM,https://www.goverlan.com/pdf/Goverlan-Remote-Control-Software.pdf,2/8/2024 -Goverlan,,govsrv*.exe,,,TRUE,RMM,https://www.goverlan.com/pdf/Goverlan-Remote-Control-Software.pdf,2/8/2024 -Goverlan,,GovAgentInstallHelper.exe,,,TRUE,RMM,https://www.goverlan.com/pdf/Goverlan-Remote-Control-Software.pdf,2/8/2024 -Goverlan,,GovAgentx64.exe,,,TRUE,RMM,https://www.goverlan.com/pdf/Goverlan-Remote-Control-Software.pdf,2/8/2024 -Goverlan,,GovReachClient.exe,,,TRUE,RMM,https://www.goverlan.com/pdf/Goverlan-Remote-Control-Software.pdf,2/8/2024 -Guacamole,user_managed,guacd.exe,,,TRUE,RMM,guacamole.apache.org,2/8/2024 -HelpBeam,,helpbeam*.exe,,,TRUE,RMM,https://www.helpbeam.com domain for sale in 2024,2/8/2024 -HelpU,helpu.co.kr,helpu_install.exe,helpU*,helpu,TRUE,RMM,https://helpu.co.kr/,2/8/2024 -HelpU,*.helpu.co.kr,HelpuUpdater.exe,Help Manager Program,,TRUE,RMM,https://helpu.co.kr/,2/8/2024 -HelpU,,HelpuManager.exe,,,TRUE,RMM,https://helpu.co.kr/,2/8/2024 -I'm InTouch,*.01com.com,iit.exe,I'm InTouch*,,TRUE,RMM,https://www.01com.com/mobile/imintouch-remote-pc-desktop/faqs/remote-access/,2/8/2024 -I'm InTouch,,intouch.exe,,,TRUE,RMM,https://www.01com.com/mobile/imintouch-remote-pc-desktop/faqs/remote-access/,2/8/2024 -I'm InTouch,,I'm InTouch Go Installer.exe,,,TRUE,RMM,https://www.01com.com/mobile/imintouch-remote-pc-desktop/faqs/remote-access/,2/8/2024 -Instant Housecall,*.instanthousecall.com,hsloader.exe,,,TRUE,RMM,https://instanthousecall.com/features/,2/8/2024 -Instant Housecall,*.instanthousecall.net,ihcserver.exe,,,TRUE,RMM,https://instanthousecall.com/features/,2/8/2024 -Instant Housecall,instanthousecall.com,instanthousecall.exe,,,TRUE,RMM,https://instanthousecall.com/features/,2/8/2024 -Instant Housecall,secure.instanthousecall.com,instanthousecall.exe,,,TRUE,RMM,https://instanthousecall.com/features/,2/8/2024 -IntelliAdmin Remote Control,user_managed,iadmin.exe,,,TRUE,RMM,intelliadmin.com/remote-control,2/8/2024 -IntelliAdmin Remote Control,*.intelliadmin.com,intelliadmin.exe,,,TRUE,RMM,intelliadmin.com/remote-control,2/8/2024 -IntelliAdmin Remote Control,,agent32.exe,,,TRUE,RMM,intelliadmin.com/remote-control,2/8/2024 -IntelliAdmin Remote Control,,agent64.exe,,,TRUE,RMM,intelliadmin.com/remote-control,2/8/2024 -IntelliAdmin Remote Control,,agent_setup_5.exe,,,TRUE,RMM,intelliadmin.com/remote-control,2/8/2024 -Iperius Remote,*.iperiusremote.com,iperius.exe,Enter Srl*,,TRUE,RMM,https://www.iperiusremote.com/download-iperius-remote-desktop-windows.aspx,2/8/2024 -Iperius Remote,*.iperius.com,iperiusremote.exe,Enter S.R.L*,,TRUE,RMM,https://www.iperiusremote.com/download-iperius-remote-desktop-windows.aspx,2/8/2024 -Iperius Remote,*.iperius-rs.com,,Iperius Remote*,,TRUE,RMM,https://www.iperiusremote.com/download-iperius-remote-desktop-windows.aspx,2/8/2024 -ISL Online,*.islonline.com,islalwaysonmonitor.exe,ISL Online*,isl-light,TRUE,RMM,https://help.islonline.com/19818/165940,2/8/2024 -ISL Online,*.islonline.net,isllight.exe,ISL Light*,,TRUE,RMM,https://help.islonline.com/19818/165940,2/8/2024 -ISL Online,,isllightservice.exe,,,TRUE,RMM,https://help.islonline.com/19818/165940,2/8/2024 -ISL Online,,ISLLightClient.exe,,,TRUE,RMM,https://help.islonline.com/19818/165940,2/8/2024 -Itarian,*.itsm-us1.comodo.com,ITSMAgent.exe,Itarian*,,TRUE,RMM,"https://help.itarian.com/topic-459-1-1005-14776-Appendix-1b---Endpoint-Manager-Services---IP-Nos,-Host-Names-and-Port-Details---US-Customers.html",2/8/2024 -Itarian,mdmsupport.comodo.com,ItsmRsp.exe,RMM*,,TRUE,RMM,"https://help.itarian.com/topic-459-1-1005-14776-Appendix-1b---Endpoint-Manager-Services---IP-Nos,-Host-Names-and-Port-Details---US-Customers.html",2/8/2024 -Itarian,*.cmdm.comodo.com,ITSMService.exe,,,TRUE,RMM,"https://help.itarian.com/topic-459-1-1005-14776-Appendix-1b---Endpoint-Manager-Services---IP-Nos,-Host-Names-and-Port-Details---US-Customers.html",2/8/2024 -Itarian,remoteaccess.itarian.com,RDesktop.exe,,,TRUE,RMM,"https://help.itarian.com/topic-459-1-1005-14776-Appendix-1b---Endpoint-Manager-Services---IP-Nos,-Host-Names-and-Port-Details---US-Customers.html",2/8/2024 -Itarian,servicedesk.itarian.com,RHost.exe,,,TRUE,RMM,"https://help.itarian.com/topic-459-1-1005-14776-Appendix-1b---Endpoint-Manager-Services---IP-Nos,-Host-Names-and-Port-Details---US-Customers.html",2/8/2024 -Itarian,,RmmService.exe,,,TRUE,RMM,"https://help.itarian.com/topic-459-1-1005-14776-Appendix-1b---Endpoint-Manager-Services---IP-Nos,-Host-Names-and-Port-Details---US-Customers.html",2/8/2024 -Itarian,,ComodoRemoteControl.exe,,,TRUE,RMM,"https://help.itarian.com/topic-459-1-1005-14776-Appendix-1b---Endpoint-Manager-Services---IP-Nos,-Host-Names-and-Port-Details---US-Customers.html",2/8/2024 -Itarian,,RAccess.exe,,,TRUE,RMM,"https://help.itarian.com/topic-459-1-1005-14776-Appendix-1b---Endpoint-Manager-Services---IP-Nos,-Host-Names-and-Port-Details---US-Customers.html",2/8/2024 -Itarian,,RViewer.exe,,,TRUE,RMM,"https://help.itarian.com/topic-459-1-1005-14776-Appendix-1b---Endpoint-Manager-Services---IP-Nos,-Host-Names-and-Port-Details---US-Customers.html",2/8/2024 -Itarian,,ITarianRemoteAccessSetup.exe,,,TRUE,RMM,"https://help.itarian.com/topic-459-1-1005-14776-Appendix-1b---Endpoint-Manager-Services---IP-Nos,-Host-Names-and-Port-Details---US-Customers.html",2/8/2024 -ITSupport247 (ConnectWise),*.itsupport247.net,saazapsc.exe,,,TRUE,RMM,https://control.itsupport247.net/,2/8/2024 -Ivanti Remote Control,*.ivanticloud.com,IvantiRemoteControl.exe,,,TRUE,RMM,https://rc1.ivanticloud.com/,2/9/2024 -Ivanti Remote Control,,ArcUI.exe,,,TRUE,RMM,https://rc1.ivanticloud.com/,2/9/2024 -Ivanti Remote Control,,AgentlessRC.exe,,,TRUE,RMM,https://rc1.ivanticloud.com/,2/9/2024 -Jump Cloud,*.api.jumpcloud.com,JumpCloud*.exe ,JumpCloud*,,TRUE,RMM,https://jumpcloud.com/support/understand-remote-assist-agent,2/26/2024 -Jump Cloud,*.assist.jumpcloud.com,,,,TRUE,RMM,https://jumpcloud.com/support/understand-remote-assist-agent,2/26/2024 -Jump Desktop,*.jumpdesktop.com,jumpclient.exe,,jumpdesktop,TRUE,RMM,https://support.jumpdesktop.com/hc/en-us/articles/360042490351-Administrators-Guide-For-Jump-Desktop-Connect,2/9/2024 -Jump Desktop,jumpdesktop.com,jumpdesktop.exe,,,TRUE,RMM,https://jumpdesktop.com/connect/,2/8/2024 -Jump Desktop,jumpto.me,jumpservice.exe,,,TRUE,RMM,https://jumpdesktop.com/connect/,2/8/2024 -Jump Desktop,*.jumpto.me,jumpconnect.exe,,,TRUE,RMM,https://jumpdesktop.com/connect/,2/8/2024 -Jump Desktop,,jumpupdater.exe,,,TRUE,RMM,https://jumpdesktop.com/connect/,2/8/2024 -Kabuto,*.kabuto.io,Kabuto.App.Runner.exe,,,TRUE,RMM,https://www.repairtechsolutions.com/documentation/kabuto/,2/8/2024 -Kaseya (VSA),deploy01.kaseya.com,agentmon.exe,Kaseya*,,TRUE,RMM,https://helpdesk.kaseya.com/hc/en-gb/articles/229012608-Software-Deployment-URL-Port-Requirements,2/8/2024 -Kaseya (VSA),*managedsupport.kaseya.net,KaUpdHlp.exe,,,TRUE,RMM,https://helpdesk.kaseya.com/hc/en-gb/articles/229012608-Software-Deployment-URL-Port-Requirements,2/8/2024 -Kaseya (VSA),*.kaseya.net,KaUsrTsk.exe,,,TRUE,RMM,https://helpdesk.kaseya.com/hc/en-gb/articles/229012608-Software-Deployment-URL-Port-Requirements,2/8/2024 -KHelpDesk,*.khelpdesk.com.br,KHelpDesk.exe,KHELPDESK*,khelpdesk-remote-control,TRUE,RMM,https://www.khelpdesk.com.br/en-us,2/26/2024 -KHelpDesk,,,Ferramenta de Acesso Remoto,,TRUE,RMM,https://www.khelpdesk.com.br/en-us,2/26/2024 -KickIdler,kickidler.com,grabberEM.*msi,,,TRUE,RMM,https://www.kickidler.com/for-it/faq/,2/8/2024 -KickIdler,my.kickidler.com,grabberTT*.msi,,,TRUE,RMM,https://www.kickidler.com/for-it/faq/,2/8/2024 -LANDesk,*.ivanticloud.com,issuser.exe,,,TRUE,RMM,https://forums.ivanti.com/s/article/URL-exception-list-for-Ivanti-Security-Controls?language=en_US,2/8/2024 -LANDesk,*.ivanti.com,landeskagentbootstrap.exe,,,TRUE,RMM,https://forums.ivanti.com/s/article/URL-exception-list-for-Ivanti-Security-Controls?language=en_US,2/8/2024 -LANDesk,,LANDeskPortalManager.exe,,,TRUE,RMM,https://forums.ivanti.com/s/article/URL-exception-list-for-Ivanti-Security-Controls?language=en_US,2/8/2024 -LANDesk,,ldinv32.exe,,,TRUE,RMM,https://forums.ivanti.com/s/article/URL-exception-list-for-Ivanti-Security-Controls?language=en_US,2/8/2024 -LANDesk,,ldsensors.exe,,,TRUE,RMM,https://forums.ivanti.com/s/article/URL-exception-list-for-Ivanti-Security-Controls?language=en_US,2/8/2024 -Laplink Everywhere,everywhere.laplink.com,laplink.exe,,,TRUE,RMM,https://everywhere.laplink.com/docs,2/8/2024 -Laplink Everywhere,le.laplink.com,laplink-everywhere-setup*.exe,,,TRUE,RMM,https://everywhere.laplink.com/docs,2/8/2024 -Laplink Everywhere,atled.syspectr.com,laplinkeverywhere.exe,,,TRUE,RMM,https://everywhere.laplink.com/docs,2/8/2024 -Laplink Everywhere,,llrcservice.exe,,,TRUE,RMM,https://everywhere.laplink.com/docs,2/8/2024 -Laplink Everywhere,,serverproxyservice.exe,,,TRUE,RMM,https://everywhere.laplink.com/docs,2/8/2024 -Laplink Everywhere,,OOSysAgent.exe,,,TRUE,RMM,https://everywhere.laplink.com/docs,2/8/2024 -Laplink Gold,user_managed,tsircusr.exe,,,TRUE,RMM,wen.laplink.com/product/laplink-gold,2/8/2024 -Level.io,level.io,level-windows-amd64.exe,Level*,,TRUE,RMM,https://docs.level.io/1.0/admin-guides/troubleshooting-agent-issues,2/8/2024 -Level.io,*.level.io,level.exe,,,TRUE,RMM,https://docs.level.io/1.0/admin-guides/troubleshooting-agent-issues,2/8/2024 -Level.io,,level-remote-control-ffmpeg.exe,,,TRUE,RMM,https://docs.level.io/1.0/admin-guides/troubleshooting-agent-issues,2/8/2024 -LiteManager,*.litemanager.ru,romfusclient.exe,Yakhnovets Denis*,litemanager,TRUE,RMM,https://www.litemanager.com/articles/LiteManager_remote_access_to_a_desktop_via_the_Internet_or_LAN/,2/8/2024 -LiteManager,*.litemanager.com,romviewer.exe,ROMServer*,,TRUE,RMM,https://www.litemanager.com/articles/LiteManager_remote_access_to_a_desktop_via_the_Internet_or_LAN/,2/8/2024 -LiteManager,,romserver.exe,ROMViewer*,,TRUE,RMM,https://www.litemanager.com/articles/LiteManager_remote_access_to_a_desktop_via_the_Internet_or_LAN/,2/8/2024 -LiteManager,,lmnoipserver.exe,LiteManager*,,TRUE,RMM,https://www.litemanager.com/articles/LiteManager_remote_access_to_a_desktop_via_the_Internet_or_LAN/,2/8/2024 -LogMeIn,*logmein.eu,lmiguardiansvc.exe,LogMeIn*,logmein,TRUE,RMM,https://support.logmeininc.com/central/help/allowlisting-and-firewall-configuration,2/8/2024 -LogMeIn,*.logmeininc.com,lmiignition.exe,RemotelyAnywhere*,,TRUE,RMM,https://support.logmeininc.com/central/help/allowlisting-and-firewall-configuration,2/8/2024 -LogMeIn,*.logmein.com,logmein.exe,,,TRUE,RMM,https://support.logmeininc.com/central/help/allowlisting-and-firewall-configuration,2/8/2024 -LogMeIn,,logmeinsystray.exe,,,TRUE,RMM,https://support.logmeininc.com/central/help/allowlisting-and-firewall-configuration,2/8/2024 -LogMeIn,,logmein*.exe,,,TRUE,RMM,https://support.logmeininc.com/central/help/allowlisting-and-firewall-configuration,2/8/2024 -LogMeIn,,lmiignition.exe,,,TRUE,RMM,https://support.logmeininc.com/central/help/allowlisting-and-firewall-configuration,2/8/2024 -LogMeIn rescue,*.logmeinrescue.com,support-logmeinrescue*.exe,,logmeinrescue,TRUE,RMM,https://support.logmeinrescue.com/rescue/help/allowlisting-and-rescue,2/8/2024 -LogMeIn rescue,*.logmeinrescue.eu,support-logmeinrescue.exe,,,TRUE,RMM,https://support.logmeinrescue.com/rescue/help/allowlisting-and-rescue,2/8/2024 -LogMeIn rescue,,lmi_rescue.exe,,,TRUE,RMM,https://support.logmeinrescue.com/rescue/help/allowlisting-and-rescue,2/8/2024 -Manage Engine (Desktop Central),desktopcentral.manageengine.com,dcagentservice.exe,,,TRUE,RMM,https://www.manageengine.com/products/desktop-central/help/domains-required-for-agent-communication.html,2/8/2024 -Manage Engine (Desktop Central),desktopcentral.manageengine.com.eu,dcagentregister.exe,,,TRUE,RMM,https://www.manageengine.com/products/desktop-central/help/domains-required-for-agent-communication.html,2/8/2024 -Manage Engine (Desktop Central),desktopcentral.manageengine.cn,,,,TRUE,RMM,https://www.manageengine.com/products/desktop-central/help/domains-required-for-agent-communication.html,2/8/2024 -Manage Engine (Desktop Central),*.dms.zoho.com,,,,TRUE,RMM,https://www.manageengine.com/products/desktop-central/help/domains-required-for-agent-communication.html,2/8/2024 -Manage Engine (Desktop Central),*.dms.zoho.com.eu,,,,TRUE,RMM,https://www.manageengine.com/products/desktop-central/help/domains-required-for-agent-communication.html,2/8/2024 -Manage Engine (Desktop Central),*.-dms.zoho.com.cn,,,,TRUE,RMM,https://www.manageengine.com/products/desktop-central/help/domains-required-for-agent-communication.html,2/8/2024 -MeshCentral,user_managed,meshcentral*.exe,meshcentral,,TRUE,RMM,https://ylianst.github.io/MeshCentral/meshcentral/,2/8/2024 -Microsoft Quick Assist,user_managed,quickassist.exe,,ms-quick-assist,TRUE,Built-in,https://support.microsoft.com/en-us/windows/install-quick-assist-c17479b7-a49d-4d12-938c-dbfb97c88bca,2/9/2024 -Microsoft RDP,,mstsc.exe,,ms-rdp,TRUE,Built-in,https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/windows,2/8/2024 -Microsoft TSC,,termsrv.exe,,,TRUE,Built-in,https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/terminal-server-startup-connection-application,2/8/2024 -Mikogo,*.real-time-collaboration.com,mikogo.exe,,,TRUE,RMM,https://mikogo.zendesk.com/hc/en-us/articles/214072478-Which-IP-addresses-do-we-use-for-our-services,2/7/2024 -Mikogo,*.mikogo4.com,mikogo-starter.exe,,,TRUE,RMM,https://mikogo.zendesk.com/hc/en-us/articles/214072478-Which-IP-addresses-do-we-use-for-our-services,2/7/2024 -Mikogo,*.mikogo.com,mikogo-service.exe,,,TRUE,RMM,https://mikogo.zendesk.com/hc/en-us/articles/214072478-Which-IP-addresses-do-we-use-for-our-services,2/7/2024 -Mikogo,,mikogolauncher.exe,,,TRUE,RMM,https://mikogo.zendesk.com/hc/en-us/articles/214072478-Which-IP-addresses-do-we-use-for-our-services,2/7/2024 -MioNet (WD Anywhere Access),,mionet.exe,,,TRUE,RMM,https://en.wikipedia.org/wiki/WD_Anywhere_Access - DOA as of 2016,2/9/2024 -MioNet (WD Anywhere Access),,mionetmanager.exe,,,TRUE,RMM,https://en.wikipedia.org/wiki/WD_Anywhere_Access - DOA as of 2016,2/9/2024 -mRemoteNG,user_managed,mRemoteNG.exe,,,TRUE,RMM,https://github.com/mRemoteNG/mRemoteNG,2/9/2024 -MSP360,*.cloudberrylab.com,Online Backup.exe,MSP360*,,TRUE,RMM,https://kb.msp360.com/managed-backup-service/mbs-tcp-ports-configuration#,2/9/2024 -MSP360,*.msp360.com,CBBackupPlan.exe,Cloud.Ra*,,TRUE,RMM,https://kb.msp360.com/managed-backup-service/mbs-tcp-ports-configuration#,2/9/2024 -MSP360,*.mspbackups.com,Cloud.Backup.Scheduler.exe,,,TRUE,RMM,https://kb.msp360.com/managed-backup-service/mbs-tcp-ports-configuration#,2/9/2024 -MSP360,,Cloud.Backup.RM.Service.exe,,,TRUE,RMM,https://kb.msp360.com/managed-backup-service/mbs-tcp-ports-configuration#,2/9/2024 -MSP360,,cbb.exe,,,TRUE,RMM,https://kb.msp360.com/managed-backup-service/mbs-tcp-ports-configuration#,2/9/2024 -MSP360,,CloudRaService.exe,,,TRUE,RMM,https://kb.msp360.com/managed-backup-service/mbs-tcp-ports-configuration#,2/9/2024 -MSP360,,CloudRaSd.exe,,,TRUE,RMM,https://kb.msp360.com/managed-backup-service/mbs-tcp-ports-configuration#,2/9/2024 -MSP360,,CloudRaCmd.exe,,,TRUE,RMM,https://kb.msp360.com/managed-backup-service/mbs-tcp-ports-configuration#,2/9/2024 -MSP360,,CloudRaUtilities.exe,,,TRUE,RMM,https://kb.msp360.com/managed-backup-service/mbs-tcp-ports-configuration#,2/9/2024 -MSP360,,Remote Desktop.exe,,,TRUE,RMM,https://kb.msp360.com/managed-backup-service/mbs-tcp-ports-configuration#,2/9/2024 -MSP360,,Connect.exe,,,TRUE,RMM,https://kb.msp360.com/managed-backup-service/mbs-tcp-ports-configuration#,2/9/2024 -MyGreenPC,*mygreenpc.com,mygreenpc.exe,,mygreenpc,TRUE,RMM,http://www.mygreenpc.com/,2/26/2024 -MyIVO,,myivomgr.exe,,,TRUE,RMM,myivo.com - DOA as of 2024,2/9/2024 -MyIVO,,myivomanager.exe,,,TRUE,RMM,myivo.com - DOA as of 2024,2/9/2024 -N-Able Advanced Monitoring Agent,*remote.management,Agent_*_RW.exe,N-Able*,,TRUE,RMM,https://documentation.n-able.com/takecontrol/troubleshooting/Content/kb/Take-Control-Standalone-Ports-and-Domains-Firewall-and-AV-Exclusions.htm,2/9/2024 -N-Able Advanced Monitoring Agent,*.logicnow.com,BASEClient.exe,Remote Monitoring*,,TRUE,RMM,https://documentation.n-able.com/takecontrol/troubleshooting/Content/kb/Take-Control-Standalone-Ports-and-Domains-Firewall-and-AV-Exclusions.htm,2/9/2024 -N-Able Advanced Monitoring Agent,*systemmonitor.us,BASupApp.exe,,,TRUE,RMM,https://documentation.n-able.com/takecontrol/troubleshooting/Content/kb/Take-Control-Standalone-Ports-and-Domains-Firewall-and-AV-Exclusions.htm,2/9/2024 -N-Able Advanced Monitoring Agent,*systemmonitor.eu.com,BASupSrvc.exe,,,TRUE,RMM,https://documentation.n-able.com/takecontrol/troubleshooting/Content/kb/Take-Control-Standalone-Ports-and-Domains-Firewall-and-AV-Exclusions.htm,2/9/2024 -N-Able Advanced Monitoring Agent,*system-monitor.com,BASupSrvcCnfg.exe,,,TRUE,RMM,https://documentation.n-able.com/takecontrol/troubleshooting/Content/kb/Take-Control-Standalone-Ports-and-Domains-Firewall-and-AV-Exclusions.htm,2/9/2024 -N-Able Advanced Monitoring Agent,systemmonitor.us.cdn.cloudflare.net,BASupTSHelper.exe,,,TRUE,RMM,https://documentation.n-able.com/takecontrol/troubleshooting/Content/kb/Take-Control-Standalone-Ports-and-Domains-Firewall-and-AV-Exclusions.htm,2/9/2024 -N-Able Advanced Monitoring Agent,*cloudbackup.management,,,,TRUE,RMM,https://documentation.n-able.com/takecontrol/troubleshooting/Content/kb/Take-Control-Standalone-Ports-and-Domains-Firewall-and-AV-Exclusions.htm,2/9/2024 -N-Able Advanced Monitoring Agent,*systemmonitor.co.uk,,,,TRUE,RMM,https://documentation.n-able.com/takecontrol/troubleshooting/Content/kb/Take-Control-Standalone-Ports-and-Domains-Firewall-and-AV-Exclusions.htm,2/9/2024 -N-Able Advanced Monitoring Agent,*.n-able.com,,,,TRUE,RMM,https://documentation.n-able.com/takecontrol/troubleshooting/Content/kb/Take-Control-Standalone-Ports-and-Domains-Firewall-and-AV-Exclusions.htm,2/9/2024 -N-Able Advanced Monitoring Agent,*.beanywhere.com ,,,,TRUE,RMM,https://documentation.n-able.com/takecontrol/troubleshooting/Content/kb/Take-Control-Standalone-Ports-and-Domains-Firewall-and-AV-Exclusions.htm,2/9/2024 -N-Able Advanced Monitoring Agent,*.swi-tc.com,,,,TRUE,RMM,https://documentation.n-able.com/takecontrol/troubleshooting/Content/kb/Take-Control-Standalone-Ports-and-Domains-Firewall-and-AV-Exclusions.htm,2/9/2024 -NateOn-desktop sharing,*.nate.com,nateon*.exe,,,TRUE,RMM,http://rsupport.nate.com/rview/r8/main/index.aspx,2/9/2024 -NateOn-desktop sharing,,nateon.exe,,,TRUE,RMM,http://rsupport.nate.com/rview/r8/main/index.aspx,2/9/2024 -NateOn-desktop sharing,,nateonmain.exe,,,TRUE,RMM,http://rsupport.nate.com/rview/r8/main/index.aspx,2/9/2024 -Naverisk,user_managed,AgentSetup-*.exe,naverisk*,,TRUE,RMM,http://kb.naverisk.com/en/articles/2811223-deploying-naverisk-agents,2/9/2024 -Naverisk,,,NavMK1 Limited*,,TRUE,RMM,http://kb.naverisk.com/en/articles/2811223-deploying-naverisk-agents,2/9/2024 -Netop Remote Control (Impero Connect),*.connect.backdrop.cloud,nhostsvc.exe,Impero Solutions*,netop-remote-control,TRUE,RMM,https://kb.netop.com/article/firewall-and-proxy-server-considerations-when-using-netop-portal-communication-373.html,2/9/2024 -Netop Remote Control (Impero Connect),*.netop.com,nhstw32.exe,Impero Connect*,,TRUE,RMM,https://kb.netop.com/article/firewall-and-proxy-server-considerations-when-using-netop-portal-communication-373.html,2/9/2024 -Netop Remote Control (Impero Connect),,ngstw32.exe,,,TRUE,RMM,https://kb.netop.com/article/firewall-and-proxy-server-considerations-when-using-netop-portal-communication-373.html,2/9/2024 -Netop Remote Control (Impero Connect),,Netop Ondemand.exe,,,TRUE,RMM,https://kb.netop.com/article/firewall-and-proxy-server-considerations-when-using-netop-portal-communication-373.html,2/9/2024 -Netop Remote Control (Impero Connect),,nldrw32.exe,,,TRUE,RMM,https://kb.netop.com/article/firewall-and-proxy-server-considerations-when-using-netop-portal-communication-373.html,2/9/2024 -Netop Remote Control (Impero Connect),,rmserverconsolemediator.exe,,,TRUE,RMM,https://kb.netop.com/article/firewall-and-proxy-server-considerations-when-using-netop-portal-communication-373.html,2/9/2024 -Netop Remote Control (Impero Connect),,ImperoInit.exe,,,TRUE,RMM,https://kb.netop.com/article/firewall-and-proxy-server-considerations-when-using-netop-portal-communication-373.html,2/9/2024 -Netop Remote Control (Impero Connect),,Connect.Backdrop.cloud*.exe,,,TRUE,RMM,https://kb.netop.com/article/firewall-and-proxy-server-considerations-when-using-netop-portal-communication-373.html,2/9/2024 -Netop Remote Control (Impero Connect),,ImperoClientSVC.exe,,,TRUE,RMM,https://kb.netop.com/article/firewall-and-proxy-server-considerations-when-using-netop-portal-communication-373.html,2/8/2024 -Netreo,charon.netreo.net,,,,TRUE,RMM,https://solutions.netreo.com/docs/firewall-requirements,2/9/2024 -Netreo,activation.netreo.net,,,,TRUE,RMM,https://solutions.netreo.com/docs/firewall-requirements,2/9/2024 -Netreo,*.api.netreo.com,,,,TRUE,RMM,https://solutions.netreo.com/docs/firewall-requirements,2/9/2024 -NetSupport Manager,*.netsupportmanager.com,pcictlui.exe,netsupport,netsupport-manager,TRUE,RMM,https://www.netsupportmanager.com/resources/,2/9/2024 -NetSupport Manager,,pcicfgui.exe,,,TRUE,RMM,https://www.netsupportmanager.com/resources/,2/9/2024 -NetSupport Manager,,client32.exe,,,TRUE,RMM,https://www.netsupportmanager.com/resources/,2/9/2024 -Neturo,neturo.uplus.co.kr,neturo*.exe,,,TRUE,RMM,"Obscure, located an older copy here: http://www.iconpos.com/pos/home/iconpos/bbs.php?id=file&q=view&uid=2",2/9/2024 -Neturo,,ntrntservice.exe,,,TRUE,RMM,"Obscure, located an older copy here: http://www.iconpos.com/pos/home/iconpos/bbs.php?id=file&q=view&uid=2",2/9/2024 -Netviewer (GoToMeet),,nvClient.exe,Algorius*,netviewer,TRUE,RMM,Obsolute - found copy here: https://www.enviolet.com/en/service/online-consultant.html,2/9/2024 -Netviewer (GoToMeet),,netviewer.exe,,,TRUE,RMM,Obsolute - found copy here: https://www.enviolet.com/en/service/online-consultant.html,2/9/2024 -ngrok,user_managed,ngrok.exe,,,TRUE,Developer Utility,https://ngrok.com/docs/guides/running-behind-firewalls/,2/9/2024 -NinjaRMM,*.ninjaone.com,ninjarmmagent.exe,NinjaRMM*,,TRUE,RMM,https://www.ninjaone.com/faq/,2/9/2024 -NinjaRMM,*.ninjarmm.com,NinjaRMMAgenPatcher.exe,Ninja MSP*,,TRUE,RMM,https://www.ninjaone.com/faq/,2/9/2024 -NoMachine,user_managed,nomachine*.exe,NoMachine*,nomachine,TRUE,RMM,https://kb.nomachine.com/AR04S01122,2/9/2024 -NoMachine,,nxservice*.ese,,,TRUE,RMM,https://kb.nomachine.com/AR04S01122,2/9/2024 -NoMachine,,nxd.exe,,,TRUE,RMM,https://kb.nomachine.com/AR04S01122,2/9/2024 -NTR Remote,*.ntrsupport.com,NTRsupportPro_EN.exe,Net Transmit & Receive SL,ntr-remote,TRUE,RMM,DOA as of 2024,2/26/2024 -OCS inventory,user_managed,ocsinventory.exe,Ocs Inventory*,,TRUE,RMM,https://ocsinventory-ng.org/?page_id=878&lang=en,2/9/2024 -OCS inventory,,ocsservice.exe,OcsPackager*,,TRUE,RMM,https://ocsinventory-ng.org/?page_id=878&lang=en,2/9/2024 -OptiTune,*.optitune.us,OTService.exe,Bravura Software*,,TRUE,RMM,https://www.bravurasoftware.com/optitune/support/faq.aspx,2/26/2024 -OptiTune,*.opti-tune.com,OTPowerShell.exe,OptiTune*,,TRUE,RMM,https://www.bravurasoftware.com/optitune/support/faq.aspx,2/26/2024 -Pandora RC (eHorus),portal.ehorus.com,ehorus standalone.exe,eHorus*,,TRUE,RMM,https://pandorafms.com/manual/!current/en/documentation/09_pandora_rc/01_pandora_rc_introduction,2/7/2024 -Pandora RC (eHorus),,ehorus_agent.exe,,,TRUE,RMM,https://pandorafms.com/manual/!current/en/documentation/09_pandora_rc/01_pandora_rc_introduction,2/7/2024 -Panorama9,trusted.panorama9.com,p9agent*.exe,Panorama9*,,TRUE,RMM,https://support.panorama9.com/en/articles/1859605-what-ports-and-hosts-does-the-p9-agent-communicate-with,2/9/2024 -Panorama9,changes.panorama9.com,,,,TRUE,RMM,https://support.panorama9.com/en/articles/1859605-what-ports-and-hosts-does-the-p9-agent-communicate-with,2/9/2024 -Parallels Access,*.parallels.com,prl_deskctl_agent.exe,Parallels Access*,parallels-access,TRUE,RMM,https://kb.parallels.com/en/129097,2/9/2024 -Parallels Access,,prl_deskctl_wizard.exe,,,TRUE,RMM,https://kb.parallels.com/en/129097,2/9/2024 -Parallels Access,,prl_pm_service.exe,,,TRUE,RMM,https://kb.parallels.com/en/129097,2/9/2024 -Parallels Access,,parallelsaccess-*.exe,,,TRUE,RMM,https://kb.parallels.com/en/129097,2/9/2024 -pcAnywhere,user_managed,awhost32.exe,,pcanywhere,TRUE,RMM,https://en.wikipedia.org/wiki/PcAnywhere,2/9/2024 -pcAnywhere,,pcaquickconnect.exe,,pcanywhere-remote-control,TRUE,RMM,https://en.wikipedia.org/wiki/PcAnywhere,2/9/2024 -pcAnywhere,,winaw32.exe,,pcanywhere-base,TRUE,RMM,https://en.wikipedia.org/wiki/PcAnywhere,2/9/2024 -Pcnow,,mwcliun.exe,,,TRUE,RMM,http://pcnow.webex.com/ - DOA as of 2024,2/9/2024 -Pcnow,,pcnmgr.exe,,,TRUE,RMM,http://pcnow.webex.com/ - DOA as of 2024,2/9/2024 -Pcnow,,webexpcnow.exe,,,TRUE,RMM,http://pcnow.webex.com/ - DOA as of 2024,2/9/2024 -Pcvisit,*.pcvisit.de,pcvisit.exe,pcvisit*,pcvisit,TRUE,RMM,https://www.pcvisit.de/,2/9/2024 -Pcvisit,,pcvisit_client.exe,,,TRUE,RMM,https://www.pcvisit.de/,2/9/2024 -Pcvisit,,pcvisit-easysupport.exe,,,TRUE,RMM,https://www.pcvisit.de/,2/9/2024 -Pcvisit,,pcvisit_service_client.exe,,,TRUE,RMM,https://www.pcvisit.de/,2/9/2024 -PDQ Connect,app.pdq.com,pdq-connect*.exe,PDQ.com*,,TRUE,RMM,https://connect.pdq.com/hc/en-us/articles/9518992071707-Network-Requirements,2/26/2024 -PDQ Connect,cfcdn.pdq.com,,PDQConnectAgent*,,TRUE,RMM,https://connect.pdq.com/hc/en-us/articles/9518992071707-Network-Requirements,2/26/2024 -Pilixo,*.pilixo.com,Pilixo_Installer*.exe,Pilixo*,,TRUE,RMM,https://pilixo.freshdesk.com/support/solutions/articles/9000141879-device-connectivity-and-firewalls,2/9/2024 -Pilixo,pilixo.com,rdp.exe,,,TRUE,RMM,https://pilixo.freshdesk.com/support/solutions/articles/9000141862-pilixo-anti-virus-and-anti-malware-exclusion-recommendations,2/9/2024 -Pilixo,download.pilixo.com,,,,TRUE,RMM,pilixo domain DOA as of 2024,2/9/2024 -Pocket Cloud (Wyse),,pocketcloud*.exe,PocketCloud*,pocket-cloud,TRUE,RMM,https://wyse-pocketcloud.informer.com/2.1/,2/9/2024 -Pocket Cloud (Wyse),,pocketcloudservice.exe,,,TRUE,RMM,https://wyse-pocketcloud.informer.com/2.1/,2/9/2024 -Pocket Controller (Soti Xsight),*soti.net,pocketcontroller.exe,Pocket Controller*,pocket-controller,TRUE,RMM,https://pulse.soti.net/support/soti-xsight/help/,2/9/2024 -Pocket Controller (Soti Xsight),,wysebrowser.exe,,,TRUE,RMM,https://pulse.soti.net/support/soti-xsight/help/,2/9/2024 -Pocket Controller (Soti Xsight),,XSightService.exe,,,TRUE,RMM,https://pulse.soti.net/support/soti-xsight/help/,2/9/2024 -PSEXEC,user_managed,psexec.exe,Sysinternals PsExec,psexec,TRUE,Remote Access,https://learn.microsoft.com/en-us/sysinternals/downloads/psexec,2/9/2024 -PSEXEC,,psexecsvc.exe,PsExec*,,TRUE,Remote Access,https://learn.microsoft.com/en-us/sysinternals/downloads/psexec,2/9/2024 -PSEXEC (Clone),user_managed,paexec.exe,Power Admin*,,TRUE,Remote Access,https://www.poweradmin.com/paexec/,2/9/2024 -PSEXEC (Clone),,PAExec-*.exe,PAExec*,,TRUE,Remote Access,https://www.poweradmin.com/paexec/,2/9/2024 -PSEXEC (Clone),,csexec.exe ,,,TRUE,Remote Access,https://github.com/malcomvetter/CSExec,2/9/2024 -PSEXEC (Clone),,remcom.exe,Remote System Deployment*,,TRUE,Remote Access,https://support.alertlogic.com/hc/en-us/articles/360034494351-Windows-Server-RemCom-Tool-Remote-Shell,2/9/2024 -PSEXEC (Clone),,remcomsvc.exe,Remote Command Executor*,,TRUE,Remote Access,https://support.alertlogic.com/hc/en-us/articles/360034494351-Windows-Server-RemCom-Tool-Remote-Shell,2/9/2024 -PSEXEC (Clone),,xcmd.exe,,,TRUE,Remote Access,https://docs.bmc.com/docs/display/public/baob201204/xCmd+utility,2/9/2024 -PSEXEC (Clone),,xcmdsvc.exe,,,TRUE,Remote Access,https://docs.bmc.com/docs/display/public/baob201204/xCmd+utility,2/9/2024 -PulseWay,user_managed,pcmonitorsrv.exe,Pulseway*,,TRUE,RMM,https://intercom.help/pulseway/en/,2/9/2024 -Pulseway,,PCMonitorManager.exe,MMSoft Design*,,TRUE,RMM,https://intercom.help/pulseway/en/,2/9/2024 -QQ IM-remote assistance,*.mdt.qq.com,qq.exe,Tencent*,qq,TRUE,RMM,https://en.wikipedia.org/wiki/Tencent_QQ,2/9/2024 -QQ IM-remote assistance,*.desktop.qq.com,QQProtect.exe,QQ*,qq-rdp,TRUE,RMM,https://en.wikipedia.org/wiki/Tencent_QQ,2/9/2024 -QQ IM-remote assistance,upload_data.qq.com,qqpcmgr.exe,,,TRUE,RMM,https://en.wikipedia.org/wiki/Tencent_QQ,2/9/2024 -Quest KACE Agent (formerly Dell KACE),*.kace.com,konea.exe,KACE Agent*,,TRUE,RMM,https://support.quest.com/kb/4211365/which-network-ports-and-urls-are-required-for-the-kace-sma-appliance-to-function,2/9/2024 -RAdmin,user_managed,radmin.exe,famatech*,radmin,TRUE,RMM,https://radmin-club.com/radmin/how-to-establish-a-connection-outside-of-lan/,2/9/2024 -RAdmin,,famitrfc.exe,radmin*,,TRUE,RMM,https://radmin-club.com/radmin/how-to-establish-a-connection-outside-of-lan/,2/9/2024 -RAdmin,,radmin3.exe,,,TRUE,RMM,https://radmin-club.com/radmin/how-to-establish-a-connection-outside-of-lan/,2/9/2024 -Rapid7,*.analytics.insight.rapid7.com,ir_agent.exe,Insight Agent*,,TRUE,RMM,https://docs.rapid7.com/insightvm/configure-communications-with-the-insight-platform/,2/14/2024 -Rapid7,*.endpoint.ingress.rapid7.com,rapid7_agent_core.exe,Rapid7 Insight Agent*,,TRUE,RMM,https://docs.rapid7.com/insightvm/configure-communications-with-the-insight-platform/,2/14/2024 -Rapid7,,rapid7_endpoint_broker.exe,,,TRUE,RMM,https://docs.rapid7.com/insightvm/configure-communications-with-the-insight-platform/,2/14/2024 -rdp2tcp,user_managed,tdp2tcp.exe,,,TRUE,RMM,github.com/V-E-O/rdp2tcp,2/9/2024 -rdp2tcp,,rdp2tcp.py,,,TRUE,RMM,github.com/V-E-O/rdp2tcp,2/9/2024 -RDPView,user_managed,dwrcs.exe,,,TRUE,RMM,systemmanager.ru/dntu.en/rdp_view.htm - Same as Damware,2/9/2024 -rdpwrap,user_managed,RDPWInst.exe,,,TRUE,Utility,github.com/stascorp/rdpwrap,2/9/2024 -rdpwrap,,RDPCheck.exe,,,TRUE,Utility,github.com/stascorp/rdpwrap,2/9/2024 -rdpwrap,,RDPConf.exe,,,TRUE,Utility,github.com/stascorp/rdpwrap,2/9/2024 -Remobo,user_managed,remobo.exe,,,TRUE,RMM,https://www.remobo.com - DOA as of 2024,2/9/2024 -Remobo,,remobo_client.exe,,,TRUE,RMM,https://www.remobo.com - DOA as of 2024,2/9/2024 -Remobo,,remobo_tracker.exe,,,TRUE,RMM,https://www.remobo.com - DOA as of 2024,2/9/2024 -Remote Desktop Plus,,rdp.exe,Remote Desktop Plus*,,TRUE,Utility,https://www.donkz.nl/,2/9/2024 -Remote Manipulator System,*.internetid.ru,rfusclient.exe,,,TRUE,RMM,https://rmansys.ru/files/,2/9/2024 -Remote Manipulator System,,rutserv.exe,,,TRUE,RMM,https://rmansys.ru/files/,2/9/2024 -Remote Utilities,*.internetid.ru,rutview.exe,Remote Utilities*,,TRUE,RMM,https://www.remoteutilities.com/download/,2/9/2024 -Remote Utilities,,rutserv.exe,,,TRUE,RMM,https://www.remoteutilities.com/download/,2/9/2024 -Remote.it,auth.api.remote.it,remote-it-installer.exe,,,TRUE,RMM,https://docs.remote.it/introduction/get-started,2/9/2024 -Remote.it,api.remote.it,remote.it.exe,,,TRUE,RMM,https://docs.remote.it/introduction/get-started,2/9/2024 -Remote.it,,remoteit.exe,,,TRUE,RMM,https://docs.remote.it/introduction/get-started,2/9/2024 -RemoteCall,*.remotecall.com,rcengmgru.exe,RSUPPORT*,remotecall,TRUE,RMM,https://help.remotecall.com/hc/en-us/articles/360005128814--RemoteCall-Server-List-For-Firewall,2/9/2024 -RemoteCall,*.startsupport.com,rcmgrsvc.exe,,,TRUE,RMM,https://help.remotecall.com/hc/en-us/articles/360005128814--RemoteCall-Server-List-For-Firewall,2/9/2024 -RemoteCall,,rxstartsupport.exe,,,TRUE,RMM,https://help.remotecall.com/hc/en-us/articles/360005128814--RemoteCall-Server-List-For-Firewall,2/9/2024 -RemoteCall,,rcstartsupport.exe,,,TRUE,RMM,https://help.remotecall.com/hc/en-us/articles/360005128814--RemoteCall-Server-List-For-Firewall,2/9/2024 -RemoteCall,,raautoup.exe,,,TRUE,RMM,https://help.remotecall.com/hc/en-us/articles/360005128814--RemoteCall-Server-List-For-Firewall,2/9/2024 -RemoteCall,,agentu.exe,,,TRUE,RMM,https://help.remotecall.com/hc/en-us/articles/360005128814--RemoteCall-Server-List-For-Firewall,2/9/2024 -RemoteCall,,remotesupportplayeru.exe,,,TRUE,RMM,https://help.remotecall.com/hc/en-us/articles/360005128814--RemoteCall-Server-List-For-Firewall,2/9/2024 -RemotePass Access,,remotepass-access.exe,,,TRUE,RMM,https://www.remotepass.com/rpaccess.html - DOA as of 2024,2/9/2024 -RemotePass Access,,rpaccess.exe,,,TRUE,RMM,https://www.remotepass.com/rpaccess.html - DOA as of 2024,2/9/2024 -RemotePass Access,,rpwhostscr.exe,,,TRUE,RMM,https://www.remotepass.com/rpaccess.html - DOA as of 2024,2/9/2024 -RemotePC,*.remotepc.com,remotepcservice.exe,remotedesktop*,remotepc,TRUE,RMM,https://www.remotedesktop.com/helpdesk/faq-firewall,2/9/2024 -RemotePC,remotepc.com,rpcsuite.exe,remotepc*,,TRUE,RMM,https://www.remotedesktop.com/helpdesk/faq-firewall,2/9/2024 -RemotePC,*.remotedesktop.com,Idrive.File-Transfer,,,TRUE,RMM,https://www.remotedesktop.com/helpdesk/faq-firewall,2/9/2024 -RemotePC,,idrive.RemotePCAgent,,,TRUE,RMM,https://www.remotedesktop.com/helpdesk/faq-firewall,2/9/2024 -RemotePC,,remotepchost.exe,,,TRUE,RMM,https://www.remotedesktop.com/helpdesk/faq-firewall,2/9/2024 -RemoteView,*content.rview.com,remoteview.exe,RemoteView*,remoteview,TRUE,RMM,https://help.rview.com/hc/en-us/articles/360005175994--RemoteView-Server-list-for-firewall,2/9/2024 -RemoteView,*.rview.com,rv.exe,RsDoctor*,,TRUE,RMM,https://help.rview.com/hc/en-us/articles/360005175994--RemoteView-Server-list-for-firewall,2/9/2024 -RemoteView,,rvagent.exe,,,TRUE,RMM,https://help.rview.com/hc/en-us/articles/360005175994--RemoteView-Server-list-for-firewall,2/9/2024 -RemoteView,,rvagtray.exe,,,TRUE,RMM,https://help.rview.com/hc/en-us/articles/360005175994--RemoteView-Server-list-for-firewall,2/9/2024 -RES Automation Manager,user_managed,wisshell*.exe,,,TRUE,RMM,https://forums.ivanti.com/s/article/INFO-Which-ports-does-Ivanti-Automation-use?language=en_US&ui-force-components-controllers-recordGlobalValueProvider.RecordGvp.getRecord=1,2/9/2024 -RES Automation Manager,,wmc.exe,,,TRUE,RMM,https://forums.ivanti.com/s/article/INFO-Which-ports-does-Ivanti-Automation-use?language=en_US&ui-force-components-controllers-recordGlobalValueProvider.RecordGvp.getRecord=1,2/9/2024 -RES Automation Manager,,wmc_deployer.exe,,,TRUE,RMM,https://forums.ivanti.com/s/article/INFO-Which-ports-does-Ivanti-Automation-use?language=en_US&ui-force-components-controllers-recordGlobalValueProvider.RecordGvp.getRecord=1,2/9/2024 -RES Automation Manager,,wmcsvc.exe,,,TRUE,RMM,https://forums.ivanti.com/s/article/INFO-Which-ports-does-Ivanti-Automation-use?language=en_US&ui-force-components-controllers-recordGlobalValueProvider.RecordGvp.getRecord=1,2/9/2024 -Royal Apps,user_managed,royalserver.exe,,,TRUE,RMM,https://www.royalapps.com/ts/win/download,2/9/2024 -Royal Apps,,royalts.exe,,,TRUE,RMM,https://www.royalapps.com/ts/win/download,2/9/2024 -RPort,user_managed,rport.exe,,,TRUE,RMM,https://kb.rport.io/using-the-remote-access,2/9/2024 -RuDesktop,*.rudesktop.ru,rd.exe,,rudesktop-remote-desktop,TRUE,RMM,https://rudesktop.ru,2/9/2024 -RuDesktop,,rudesktop*.exe,,,TRUE,RMM,https://asec.ahnlab.com/en/40263/,2/9/2024 -RustDesk,user_managed,rustdesk.exe,rustdesk*,rustdesk-remote-desktop,TRUE,RMM,https://rustdesk.com/docs/en/,2/9/2024 -RustDesk,,rustdesk*.exe,,,TRUE,RMM,https://rustdesk.com/docs/en/,2/9/2024 -ScreenConnect (ConnectWise),*.connectwise.com,Remote Workforce Client.exe,ConnectWise*,screenconnect,TRUE,RMM,https://thedfirreport.com/2023/09/25/from-screenconnect-to-hive-ransomware-in-61-hours/,2/7/2024 -ScreenConnect (ConnectWise),*.screenconnect.com,screenconnect*.exe,ScreenConnect*,,TRUE,RMM,https://thedfirreport.com/2023/09/25/from-screenconnect-to-hive-ransomware-in-61-hours/,2/7/2024 -ScreenConnect (ConnectWise),,ConnectWiseControl*.exe,CONTINUUM MANAGED*,,TRUE,RMM,https://thedfirreport.com/2023/09/25/from-screenconnect-to-hive-ransomware-in-61-hours/,2/7/2024 -ScreenConnect (ConnectWise),,connectwise*.exe,,,TRUE,RMM,https://cybir.com/2022/cve/bypasssing-connectwise-and-endpoint-controls/,2/7/2024 -ScreenConnect (ConnectWise),,screenconnect.windowsclient.exe,,,TRUE,RMM,https://cybir.com/2022/cve/bypasssing-connectwise-and-endpoint-controls/,2/7/2024 -ScreenConnect (ConnectWise),,screenconnect.clientservice.exe,,,TRUE,RMM,https://cybir.com/2022/cve/bypasssing-connectwise-and-endpoint-controls/,2/7/2024 -ScreenMeet,*.screenmeet.com,ScreenMeetSupport.exe,ScreenMeet*,,TRUE,RMM,https://docs.screenmeet.com/docs/firewall-white-list,2/7/2024 -ScreenMeet,*.scrn.mt,ScreenMeet.Support.exe,,,TRUE,RMM,https://docs.screenmeet.com/docs/firewall-white-list,2/7/2024 -Seetrol,seetrol.co.kr,seetrolcenter.exe,,,TRUE,RMM,http://www.seetrol.com/en/features/features3.php,2/7/2024 -Seetrol,,seetrolclient.exe,,,TRUE,RMM,http://www.seetrol.com/en/features/features3.php,2/7/2024 -Seetrol,,seetrolmyservice.exe,,,TRUE,RMM,http://www.seetrol.com/en/features/features3.php,2/7/2024 -Seetrol,,seetrolremote.exe,,,TRUE,RMM,http://www.seetrol.com/en/features/features3.php,2/7/2024 -Seetrol,,seetrolsetting.exe,,,TRUE,RMM,http://www.seetrol.com/en/features/features3.php,2/7/2024 -Senso.cloud,*.senso.cloud,SensoClient.exe,,,TRUE,RMM,https://support.senso.cloud/support/solutions/articles/79000116305-firewall-and-content-filter-configuration,2/9/2024 -Senso.cloud,,SensoService.exe,,,TRUE,RMM,https://support.senso.cloud/support/solutions/articles/79000116305-firewall-and-content-filter-configuration,2/9/2024 -Senso.cloud,,aadg.exe,,,TRUE,RMM,https://support.senso.cloud/support/solutions/articles/79000116305-firewall-and-content-filter-configuration,2/9/2024 -ServerEye,*.server-eye.de,servereye*.exe,ServerEye*,,TRUE,RMM,https://www.servereye.de/wp-content/uploads/Anleitung-zur-Erstinstallation_aktuell.pdf,2/9/2024 -ServerEye,,ServiceProxyLocalSys.exe,Server-Eye*,,TRUE,RMM,https://www.servereye.de/wp-content/uploads/Anleitung-zur-Erstinstallation_aktuell.pdf,2/9/2024 -ServerEye,,,,,TRUE,RMM,https://www.servereye.de/wp-content/uploads/Anleitung-zur-Erstinstallation_aktuell.pdf,2/9/2024 -ShowMyPC,showmypc.com,showmypc*.exe,ShowMyPC*,showmypc,TRUE,RMM,https://showmypc.com/service/faq/ShowMyPCSecurityOverview1.pdf,2/9/2024 -ShowMyPC,*.showmypc.com,showmypc.exe,,,TRUE,RMM,https://showmypc.com/service/faq/ShowMyPCSecurityOverview1.pdf,2/9/2024 -ShowMyPC,,SMPCSetup.exe,,,TRUE,RMM,https://showmypc.com/service/faq/ShowMyPCSecurityOverview1.pdf,2/9/2024 -SimpleHelp,user_managed,simplehelpcustomer.exe,SimpleHelp*,,TRUE,RMM,https://simple-help.com/remote-support,2/9/2024 -SimpleHelp,,simpleservice.exe,,,TRUE,RMM,https://simple-help.com/remote-support,2/9/2024 -SimpleHelp,,simplegatewayservice.exe,,,TRUE,RMM,https://simple-help.com/remote-support,2/9/2024 -SimpleHelp,,remote access.exe,,,TRUE,RMM,https://simple-help.com/remote-support,2/9/2024 -Site24x7,plus*.site24x7.com,MEAgentHelper.exe,,,TRUE,RMM,https://support.site24x7.com/portal/en/kb/articles/which-ports-do-i-need-to-allow-access-in-my-firewall-to-use-site24x7-agent,2/13/2024 -Site24x7,plus*.site24x7.eu,MonitoringAgent.exe,,,TRUE,RMM,https://support.site24x7.com/portal/en/kb/articles/which-ports-do-i-need-to-allow-access-in-my-firewall-to-use-site24x7-agent,2/13/2024 -Site24x7,plus*.site24x7.in,Site24x7WindowsAgentTrayIcon.exe,,,TRUE,RMM,https://support.site24x7.com/portal/en/kb/articles/which-ports-do-i-need-to-allow-access-in-my-firewall-to-use-site24x7-agent,2/13/2024 -Site24x7,plus*.site24x7.cn,Site24x7PluginAgent.exe,,,TRUE,RMM,https://support.site24x7.com/portal/en/kb/articles/which-ports-do-i-need-to-allow-access-in-my-firewall-to-use-site24x7-agent,2/13/2024 -Site24x7,plus*.site24x7.net.au,,,,TRUE,RMM,https://support.site24x7.com/portal/en/kb/articles/which-ports-do-i-need-to-allow-access-in-my-firewall-to-use-site24x7-agent,2/13/2024 -SkyFex,skyfex.com,Deskroll.exe,DeskRoll Remote Desktop*,,TRUE,RMM,https://skyfex.com/,2/9/2024 -SkyFex,deskroll.com,DeskRollUA.exe,,,TRUE,RMM,https://skyfex.com/,2/9/2024 -SkyFex,*.deskroll.com,,,,TRUE,RMM,https://skyfex.com/,2/9/2024 -Sophos-Remote Management System,*.sophos.com,clientmrinit.exe,,,TRUE,RMM,community.sophos.com/on-premise-endpoint/f/sophos-endpoint-software/5725/sophos-remote-management-system,2/9/2024 -Sophos-Remote Management System,*.sophosupd.com,mgntsvc.exe,,,TRUE,RMM,community.sophos.com/on-premise-endpoint/f/sophos-endpoint-software/5725/sophos-remote-management-system,2/9/2024 -Sophos-Remote Management System,*.sophosupd.net,routernt.exe,,,TRUE,RMM,community.sophos.com/on-premise-endpoint/f/sophos-endpoint-software/5725/sophos-remote-management-system,2/9/2024 -Sorillus,*.sorillus.com,Sorillus-Launcher*.exe,,,TRUE,RMM,https://sorillus.com/,2/9/2024 -Sorillus,sorillus.com,Sorillus Launcher.exe,,,TRUE,RMM,https://sorillus.com/,2/9/2024 -Splashtop Remote,splashtop.com,strwinclt.exe,Splashtop*,splashtop-remote,TRUE,RMM,https://support-splashtopbusiness.splashtop.com/hc/en-us/articles/115001811966-What-are-the-Firewall-Exceptions-and-IP-addresses-of-Splashtop-servers-Services,2/9/2024 -Splashtop Remote,*.api.splashtop.com,Splashtop_Streamer_Windows*.exe,,,TRUE,RMM,https://support-splashtopbusiness.splashtop.com/hc/en-us/articles/115001811966-What-are-the-Firewall-Exceptions-and-IP-addresses-of-Splashtop-servers-Services,2/9/2024 -Splashtop Remote,*.relay.splashtop.com,SplashtopSOS.exe,,,TRUE,RMM,https://support-splashtopbusiness.splashtop.com/hc/en-us/articles/115001811966-What-are-the-Firewall-Exceptions-and-IP-addresses-of-Splashtop-servers-Services,2/9/2024 -Splashtop Remote,*.api.splashtop.eu,sragent.exe,,,TRUE,RMM,https://support-splashtopbusiness.splashtop.com/hc/en-us/articles/115001811966-What-are-the-Firewall-Exceptions-and-IP-addresses-of-Splashtop-servers-Services,2/9/2024 -Splashtop Remote,,srmanager.exe,,,TRUE,RMM,https://support-splashtopbusiness.splashtop.com/hc/en-us/articles/115001811966-What-are-the-Firewall-Exceptions-and-IP-addresses-of-Splashtop-servers-Services,2/9/2024 -Splashtop Remote,,srserver.exe,,,TRUE,RMM,https://support-splashtopbusiness.splashtop.com/hc/en-us/articles/115001811966-What-are-the-Firewall-Exceptions-and-IP-addresses-of-Splashtop-servers-Services,2/9/2024 -Splashtop Remote,,srservice.exe,,,TRUE,RMM,https://support-splashtopbusiness.splashtop.com/hc/en-us/articles/115001811966-What-are-the-Firewall-Exceptions-and-IP-addresses-of-Splashtop-servers-Services,2/9/2024 -SpyAnywhere,*.spytech-web.com,sysdiag.exe,,,TRUE,RMM,https://www.spyanywhere.com/support.shtml,2/9/2024 -SunLogin,sunlogin.oray.com,OrayRemoteShell.exe,Shanghai Best Oray*,sunlogin-remote-control,TRUE,RMM,https://sunlogin.oray.com/en/embed/software.html,2/26/2024 -SunLogin,client.oray.net,OrayRemoteService.exe,Remote control service,,TRUE,RMM,https://sunlogin.oray.com/en/embed/software.html,2/26/2024 -SunLogin,,sunlogin*.exe,,,TRUE,RMM,https://sunlogin.oray.com/en/embed/software.html,2/26/2024 -SuperOps,superops.ai,superopsticket.exe,SuperOps*,,TRUE,RMM,https://support.superops.com/en/articles/6632028-how-to-download-and-deploy-the-agent,2/7/2024 -SuperOps,*.superops.ai,superops.exe,,,TRUE,RMM,https://support.superops.com/en/articles/6632028-how-to-download-and-deploy-the-agent,2/7/2024 -SuperOps,serv.superopsalpha.com,,,,TRUE,RMM,https://support.superops.com/en/articles/6632028-how-to-download-and-deploy-the-agent,2/7/2024 -SuperOps,*.superopsalpha.com,,,,TRUE,RMM,https://support.superops.com/en/articles/6632028-how-to-download-and-deploy-the-agent,2/7/2024 -SuperOps,*.superopsbeta.com,,,,TRUE,RMM,https://support.superops.com/en/articles/6632028-how-to-download-and-deploy-the-agent,2/7/2024 -Supremo,supremocontrol.com,supremo.exe,SupRemo*,supremo,TRUE,RMM,https://www.supremocontrol.com/frequently-asked-questions/,2/13/2024 -Supremo,*.supremocontrol.com,supremohelper.exe,NanoSystems*,,TRUE,RMM,https://www.supremocontrol.com/frequently-asked-questions/,2/13/2024 -Supremo,* .nanosystems.it,supremoservice.exe,,,TRUE,RMM,https://www.supremocontrol.com/frequently-asked-questions/,2/13/2024 -Supremo,,supremosystem.exe,,,TRUE,RMM,https://www.supremocontrol.com/frequently-asked-questions/,2/13/2024 -Supremo,,supremohelper.exe,,,TRUE,RMM,https://www.supremocontrol.com/frequently-asked-questions/,2/13/2024 -Supremo,,supremo.exe,,,TRUE,RMM,https://www.supremocontrol.com/frequently-asked-questions/,2/13/2024 -Supremo,,supremosystem.exe,,,TRUE,RMM,https://www.supremocontrol.com/frequently-asked-questions/,2/13/2024 -Syncro,app.kabuto.io ,Kabuto.App.Runner.exe,Servably*,,TRUE,RMM,https://community.syncromsp.com/t/syncro-exceptions-and-allowlists/2004,2/13/2024 -Syncro,*.syncromsp.com,Kabuto.Service.Runner.exe,Syncro*,,TRUE,RMM,https://community.syncromsp.com/t/syncro-exceptions-and-allowlists/2004,2/13/2024 -Syncro,*.syncroapi.com,Kabuto.Installer.exe,,,TRUE,RMM,https://community.syncromsp.com/t/syncro-exceptions-and-allowlists/2004,2/13/2024 -Syncro,*.kabutoservices.com,KabutoSetup.exe,,,TRUE,RMM,https://community.syncromsp.com/t/syncro-exceptions-and-allowlists/2004,2/13/2024 -Syncro,ld.aurelius.host,Syncro.Overmind.Service.exe,,,TRUE,RMM,https://community.syncromsp.com/t/syncro-exceptions-and-allowlists/2004,2/13/2024 -Syncro,attachments.servably.com,SyncroLive.Service.exe,,,TRUE,RMM,https://community.syncromsp.com/t/syncro-exceptions-and-allowlists/2004,2/13/2024 -Syncro,,SyncroLive.Agent.exe,,,TRUE,RMM,https://community.syncromsp.com/t/syncro-exceptions-and-allowlists/2004,2/13/2024 -Syncro,,Syncro.App.Runner.exe,,,TRUE,RMM,https://community.syncromsp.com/t/syncro-exceptions-and-allowlists/2004,2/13/2024 -Syncro,,Syncro.Installer.exe,,,TRUE,RMM,https://community.syncromsp.com/t/syncro-exceptions-and-allowlists/2004,2/13/2024 -Syncro,,Syncro.Service.exe,,,TRUE,RMM,https://community.syncromsp.com/t/syncro-exceptions-and-allowlists/2004,2/13/2024 -Synergy,user_managed,,,synergy,TRUE,RMM,https://symless.com/synergy,2/26/2024 -Syspectr,atled.syspectr.com,oo-syspectr*.exe,O&O Syspectr*,,TRUE,RMM,https://www.syspectr.com/en/installation-in-a-network,2/26/2024 -Syspectr,app.syspectr.com,OOSysAgent.exe,,,TRUE,RMM,https://www.syspectr.com/en/installation-in-a-network,2/26/2024 -Tactical RMM,login.tailscale.com,tacticalrmm.exe,AmidaWare*,,TRUE,RMM,docs.tacticalrmm.com,2/14/2024 -Tactical RMM,login.tailscale.com,tacticalrmm.exe,Tactical Techs*,,TRUE,RMM,docs.tacticalrmm.com,2/14/2024 -Tailscale,*.tailscale.com,tailscale-*.exe,Tailscale*,,TRUE,Remote Access,https://tailscale.com/kb/1023/troubleshooting,2/14/2024 -Tailscale,*.tailscale.io,tailscaled.exe,,,TRUE,Remote Access,https://tailscale.com/kb/1023/troubleshooting,2/14/2024 -Tailscale,,tailscale-ipn.exe,,,TRUE,Remote Access,https://tailscale.com/kb/1023/troubleshooting,2/14/2024 -Tanium,cloud.tanium.com,TaniumClient.exe,Tanium*,,TRUE,RMM,https://help.tanium.com/bundle/ug_client_cloud/page/client/platform_connections.html,2/14/2024 -Tanium,*.cloud.tanium.com,TaniumCX.exe,,,TRUE,RMM,https://help.tanium.com/bundle/ug_client_cloud/page/client/platform_connections.html,2/14/2024 -Tanium,,TaniumExecWrapper.exe,,,TRUE,RMM,https://help.tanium.com/bundle/ug_client_cloud/page/client/platform_connections.html,2/14/2024 -Tanium,,TaniumFileInfo.exe,,,TRUE,RMM,https://help.tanium.com/bundle/ug_client_cloud/page/client/platform_connections.html,2/14/2024 -Tanium,,TPowerShell.exe,,,TRUE,RMM,https://help.tanium.com/bundle/ug_client_cloud/page/client/platform_connections.html,2/14/2024 -TeamViewer,*.teamviewer.com,teamviewer*.exe,TeamViewer*,teamviewer,TRUE,RMM,https://community.teamviewer.com/English/kb/articles/4139-ports-used-by-teamviewer,2/14/2024 -TeamViewer,,teamviewerqs.exe,,teamviewer-remote-control,TRUE,RMM,https://community.teamviewer.com/English/kb/articles/4139-ports-used-by-teamviewer,2/14/2024 -TeamViewer,,tv_w32.exe,,teamviewer-sharing,TRUE,RMM,https://community.teamviewer.com/English/kb/articles/4139-ports-used-by-teamviewer,2/14/2024 -TeamViewer,,tv_w64.exe,,teamviewer-base,TRUE,RMM,https://community.teamviewer.com/English/kb/articles/4139-ports-used-by-teamviewer,2/14/2024 -TeamViewer,,teamviewer.exe,,teamviewer-web,TRUE,RMM,https://community.teamviewer.com/English/kb/articles/4139-ports-used-by-teamviewer,2/14/2024 -TeleDesktop,user_managed,pstlaunch.exe,,,TRUE,RMM,http://potomacsoft.com/ - DOA as of 2024,2/14/2024 -TeleDesktop,,ptdskclient.exe,,,TRUE,RMM,http://potomacsoft.com/ - DOA as of 2024,2/14/2024 -TeleDesktop,,ptdskhost.exe,,,TRUE,RMM,http://potomacsoft.com/ - DOA as of 2024,2/14/2024 -TigerVNC,user_managed,tigervnc*.exe,TigerVNC*,,TRUE,RMM,https://github.com/TigerVNC/tigervnc/releases,2/26/2024 -TigerVNC,,winvnc4.exe,,,TRUE,RMM,https://github.com/TigerVNC/tigervnc/releases,2/26/2024 -TightVNC,user_managed,tvnviewer.exe,TightVNC*,,TRUE,RMM,https://www.tightvnc.com/doc/win/TightVNC_for_Windows-Installation_and_Getting_Started.pdf,2/14/2024 -TightVNC,,TightVNCViewerPortable*.exe,,,TRUE,RMM,https://www.tightvnc.com/doc/win/TightVNC_for_Windows-Installation_and_Getting_Started.pdf,2/14/2024 -TightVNC,,tvnserver.exe,,,TRUE,RMM,https://www.tightvnc.com/doc/win/TightVNC_for_Windows-Installation_and_Getting_Started.pdf,2/14/2024 -ToDesk,todesk.com,todesk.exe,ToDesk*,,TRUE,RMM,https://www.todesk.com/,2/14/2024 -ToDesk,*.todesk.com,ToDesk_Service.exe,,,TRUE,RMM,https://www.todesk.com/,2/14/2024 -ToDesk,*.todesk.com,ToDesk_Setup.exe,,,TRUE,RMM,https://www.todesk.com/,2/14/2024 -TurboMeeting,user_managed,pcstarter.exe,,,TRUE,RMM,http://sourcing.rhubcom.com/v5/faqs.html#collapsetwentysix2-topdiv,2/14/2024 -TurboMeeting,,turbomeeting.exe,,,TRUE,RMM,http://sourcing.rhubcom.com/v5/faqs.html#collapsetwentysix2-topdiv,2/14/2024 -TurboMeeting,,turbomeetingstarter.exe,,,TRUE,RMM,http://sourcing.rhubcom.com/v5/faqs.html#collapsetwentysix2-topdiv,2/14/2024 -UltraViewer,* .ultraviewer.net,UltraViewer_Service.exe,UltraViewer*,ultraviewer,TRUE,RMM,https://www.ultraviewer.net/en/200000026-summary-of-ultraviewer-s-security-information.html,2/14/2024 -UltraViewer,,UltraViewer_setup*,DucFabulous*,,TRUE,RMM,https://www.ultraviewer.net/en/200000026-summary-of-ultraviewer-s-security-information.html,2/14/2024 -UltraViewer,,UltraViewer_Desktop.exe,,,TRUE,RMM,https://www.ultraviewer.net/en/200000026-summary-of-ultraviewer-s-security-information.html,2/14/2024 -UltraViewer,,ultraviewer.exe,,,TRUE,RMM,https://www.ultraviewer.net/en/200000026-summary-of-ultraviewer-s-security-information.html,2/14/2024 -UltraVNC,user_managed,UltraVNC*.exe,,,TRUE,Remote Access,https://uvnc.com/docs/uvnc-server/49-UltraVNC-server-configuration.html,2/14/2024 -Visual Studio Dev Tunnel,global.rel.tunnels.api.visualstudio.com,,,,TRUE,Developer Utility,https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security,2/7/2024 -Visual Studio Dev Tunnel,*.rel.tunnels.api.visualstudio.com,,,,TRUE,Developer Utility,https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security,2/7/2024 -Visual Studio Dev Tunnel,*.devtunnels.ms,,,,TRUE,Developer Utility,https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security,2/7/2024 -VNC,user_managed,vncserver.exe,realvnc*,vnc,TRUE,Remote Access,https://realvnc.com/en/connect/download/vnc,2/14/2024 -VNC,,winvnc*.exe,,vnc-clipboard,TRUE,Remote Access,https://realvnc.com/en/connect/download/vnc,2/14/2024 -VNC,,vncviewer.exe,,vnc-print,TRUE,Remote Access,https://realvnc.com/en/connect/download/vnc,2/14/2024 -VNC,,vncserverui.exe,,vnc-encrypted,TRUE,Remote Access,https://realvnc.com/en/connect/download/vnc,2/14/2024 -VNC,,winwvc.exe,,vnc-filetransfer,TRUE,Remote Access,https://realvnc.com/en/connect/download/vnc,2/14/2024 -VNC,,winvncsc.exe,,vnc-base,TRUE,Remote Access,https://realvnc.com/en/connect/download/vnc,2/14/2024 -VNC,,,,vnc-http,TRUE,Remote Access,https://realvnc.com/en/connect/download/vnc,2/14/2024 -WebEx (Remote Access),,,,,TRUE,Remote Access,https://help.webex.com/en-us/article/nyc3q0b/Set-Up-a-Computer-for-Remote-Access,2/14/2024 -WebRDP,user_managed,webrdp.exe,,,TRUE,RMM,github.com/Mikej81/WebRDP,2/14/2024 -Weezo,*.weezo.me,weezohttpd.exe,Peer 2 World,,TRUE,RMM,weezo.en.softonic.com,2/14/2024 -Weezo,weezo.net,weezo.exe,Weezo*,,TRUE,RMM,weezo.en.softonic.com,2/14/2024 -Weezo,*.weezo.net,weezo setup*.exe,,,TRUE,RMM,weezo.en.softonic.com,2/14/2024 -Xeox,xeox.com,xeox-agent_*.exe,,,TRUE,RMM,https://help.xeox.com/knowledge-base/gSuyNfDH6u79M82utnswf2/firewall-settings-xeox-agent-and-integrations/47T7S9tZJ2L1Z2W5gwuXoW,2/14/2024 -Xeox,*.xeox.com,xeox_service_windows.exe,,,TRUE,RMM,https://help.xeox.com/knowledge-base/gSuyNfDH6u79M82utnswf2/firewall-settings-xeox-agent-and-integrations/47T7S9tZJ2L1Z2W5gwuXoW,2/14/2024 -Zabbix Agent,user_managed,zabbix_agent*.exe,Zabbix*,,TRUE,RMM,https://www.zabbix.com/documentation/current/en/manual/appendix/install/windows_agent,2/14/2024 -ZeroTier,zerotier.com,zerotier*.msi,ZeroTier*,,TRUE,RMM,https://my.zerotier.com/,2/14/2024 -ZeroTier,*.zerotier.com,zerotier*.exe,zero-powesrhell*,,TRUE,RMM,https://my.zerotier.com/,2/14/2024 -ZeroTier,,zero-powershell.exe,,,TRUE,RMM,https://my.zerotier.com/,2/14/2024 -Zoho Assist,*.zoho.com,za_connect.exe,Zoho*,,TRUE,RMM,https://www.zoho.com/assist/kb/firewall-configuration.html,2/14/2024 -Zoho Assist,*.zoho.eu,zaservice.exe,,,TRUE,RMM,https://www.zoho.com/assist/kb/firewall-configuration.html,2/14/2024 -Zoho Assist,*.zoho.in,zohotray.exe,,,TRUE,RMM,https://www.zoho.com/assist/kb/firewall-configuration.html,2/14/2024 -Zoho Assist,*.zoho.com.au,ZohoMeeting.exe,,,TRUE,RMM,https://www.zoho.com/assist/kb/firewall-configuration.html,2/14/2024 -Zoho Assist,*.zoho.com.cn,Zohours.exe,,,TRUE,RMM,https://www.zoho.com/assist/kb/firewall-configuration.html,2/14/2024 -Zoho Assist,*.zohoassist.com,ZohoURSService.exe,,,TRUE,RMM,https://www.zoho.com/assist/kb/firewall-configuration.html,2/14/2024 -Zoho Assist,*.zohoassist.jp,ZMAgent.exe,,,TRUE,RMM,https://www.zoho.com/assist/kb/firewall-configuration.html,2/14/2024 -Zoho Assist,*.zohoassist.com.cn,,,,TRUE,RMM,https://www.zoho.com/assist/kb/firewall-configuration.html,2/14/2024 -Zoho Assist,downloads.zohodl.com.cn,,,,TRUE,RMM,https://www.zoho.com/assist/kb/firewall-configuration.html,2/14/2024 -Zoho Assist,downloads.zohocdn.com,,,,TRUE,RMM,https://www.zoho.com/assist/kb/firewall-configuration.html,2/14/2024 -Zoho Assist,gateway.zohoassist.com,,,,TRUE,RMM,https://www.zoho.com/assist/kb/firewall-configuration.html,2/14/2024 \ No newline at end of file diff --git a/dist/DA-ESS-ContentUpdate/lookups/security_services.csv b/dist/DA-ESS-ContentUpdate/lookups/security_services.csv deleted file mode 100644 index b8982c6109..0000000000 --- a/dist/DA-ESS-ContentUpdate/lookups/security_services.csv +++ /dev/null @@ -1,5 +0,0 @@ -service,description,category -*mpssvc*,Windows Firewall Service,security -*wscsvc*,Windows Security Center Service,security -*windefend*,Windows Defender Service,security -*sysmon*,Sysmon Driver,security diff --git a/dist/DA-ESS-ContentUpdate/lookups/splunk_risky_command_20240122.csv b/dist/DA-ESS-ContentUpdate/lookups/splunk_risky_command_20240122.csv deleted file mode 100644 index 93201a4b19..0000000000 --- a/dist/DA-ESS-ContentUpdate/lookups/splunk_risky_command_20240122.csv +++ /dev/null @@ -1,15 +0,0 @@ -"splunk_risky_command","description","vulnerable_versions","CVE","other_metadata" -"*createrss*","createrss command overwrites existing RSS feeds without verifying permissions","8.1.13, 8.2.10","CVE-2023-22931", -"*pivot?seedSid=*","pivot command allows a search to bypass SPL safeguards for risky commands using a saved job","8.1.13, 8.2.10, 9.0.4","CVE-2023-22934", -"*|makeresults+&search_listener*","search_listener parameter in a Search allows for a Blind Server Side Request Forgery by an authenticated user","8.1.13, 8.2.10, 9.0.4","CVE-2023-22936", -"*| map search=*| *","map search processing language (SPL) command lets a search bypass SPL safeguards for risky commands","8.1.13, 8.2.10, 9.0.4","CVE-2023-22939", -"*|mcollect%20index*","collect command SPL aliases commands could potentially allow for the exposing of data to a summary index that unprivileged users could access","8.1.13, 8.2.10, 9.0.4","CVE-2023-22940", -"*|""*meventcollect*""","collect command SPL alias could potentially allow for the exposing of data to a summary index that unprivileged users could access","8.1.13, 8.2.10, 9.0.4","CVE-2023-22940", -"*|""*summaryindex*""","collect command SPL alias could potentially allow for the exposing of data to a summary index that unprivileged users could access","8.1.13, 8.2.10, 9.0.4","CVE-2023-22940", -"*|""*sumindex*""","collect command SPL alias could potentially allow for the exposing of data to a summary index that unprivileged users could access","8.1.13, 8.2.10, 9.0.4","CVE-2023-22940", -"*|""*stash*""","collect command SPL alias could potentially allow for the exposing of data to a summary index that unprivileged users could access","8.1.13, 8.2.10, 9.0.4","CVE-2023-22940", -"*| sendalert *","display.page.search.patterns.sensitivity search parameter allows a search to bypass SPL safeguards for risky commands using obfuscation","8.1.13, 8.2.10, 9.0.4","CVE-2023-22935", -"*|*runshellscript*","runshellscript searches should not be run interactively via User Interface or REST API and may be used to bypass safeguards; -runshellscript may be abused to exploit legacy internal functions in external lookups leading to arbitrary code execution","<8.1.14, <8.2.12, <9.0.6, <9.1.1; -<8.2.12, <9.0.6, <9.1.1","CVE-2023-40598, CVE-2023-46214", -"*|*mrollup*","The “mrollup” SPL command lets a low-privileged user view metrics on an index that they do not have permission to view. This vulnerability requires user interaction from a high-privileged user to exploit.","<9.0.8, <9.1.3, <9.1.2308.200","CVE-2024-23676", diff --git a/dist/DA-ESS-ContentUpdate/lookups/suspicious_files.csv b/dist/DA-ESS-ContentUpdate/lookups/suspicious_files.csv deleted file mode 100644 index 836182da18..0000000000 --- a/dist/DA-ESS-ContentUpdate/lookups/suspicious_files.csv +++ /dev/null @@ -1,4 +0,0 @@ -file, note -mssscardprv.ax,ESCU - File associated with Hidden Cobra malware https://www.us-cert.gov/ncas/analysis-reports/AR18-149A -scardprv.dll,ESCU - File associated with Hidden Cobra malware https://www.us-cert.gov/ncas/analysis-reports/AR18-149A -wmmvsvc.dll,ESCU - File associated with Hidden Cobra malware https://www.us-cert.gov/ncas/analysis-reports/AR18-149A diff --git a/dist/DA-ESS-ContentUpdate/lookups/uncommon_processes_default.csv b/dist/DA-ESS-ContentUpdate/lookups/uncommon_processes_default.csv deleted file mode 100644 index 4cd4daa1dc..0000000000 --- a/dist/DA-ESS-ContentUpdate/lookups/uncommon_processes_default.csv +++ /dev/null @@ -1,9 +0,0 @@ -process_name,uncommon_default,category_default,analytic_story_default,kill_chain_phase_default,mitre_attack_default -sethc.exe,true,needs_accessibility,Windows Privilege Escalation,Actions on Objectives,Execution|Accessibility Features -utilman.exe,true,needs_accessibility,Windows Privilege Escalation,Actions on Objectives,Execution|Accessibility Features -osk.exe,true,needs_accessibility,Windows Privilege Escalation,Actions on Objectives,Execution|Accessibility Features -magnify.exe,true,needs_accessibility,Windows Privilege Escalation,Actions on Objectives,Execution|Accessibility Features -narrator.exe,true,needs_accessibility,Windows Privilege Escalation,Actions on Objectives,Execution|Accessibility Features -displayswitch.exe,true,needs_accessibility,Windows Privilege Escalation,Actions on Objectives,Execution|Accessibility Features -atbroker.exe,true,needs_accessibility,Windows Privilege Escalation,Actions on Objectives,Execution|Accessibility Features -quser.exe,true,,DHS Report TA18-074A|Unusual Processes,Actions on Objectives,Execution \ No newline at end of file diff --git a/dist/DA-ESS-ContentUpdate/lookups/uncommon_processes_local.csv b/dist/DA-ESS-ContentUpdate/lookups/uncommon_processes_local.csv deleted file mode 100644 index 49adc09176..0000000000 --- a/dist/DA-ESS-ContentUpdate/lookups/uncommon_processes_local.csv +++ /dev/null @@ -1 +0,0 @@ -process_name,uncommon_local,category_local,analytic_story_local,kill_chain_phase_local,mitre_attack_local \ No newline at end of file diff --git a/dist/DA-ESS-ContentUpdate/lookups/windows_protocol_handlers.csv b/dist/DA-ESS-ContentUpdate/lookups/windows_protocol_handlers.csv deleted file mode 100644 index 4f809b8b61..0000000000 --- a/dist/DA-ESS-ContentUpdate/lookups/windows_protocol_handlers.csv +++ /dev/null @@ -1,205 +0,0 @@ -handler,ishandler -"*bingmaps:*",TRUE -"*calculator:*",TRUE -"*callto:*",TRUE -"*conf:*",TRUE -"*DLNA-PLAYSINGLE:*",TRUE -"*Explorer.AssocActionId.BurnSelection:*",TRUE -"*Explorer.AssocActionId.EraseDisc:*",TRUE -"*Explorer.AssocActionId.ZipSelection:*",TRUE -"*Explorer.AssocProtocol.search-ms:*",TRUE -"*Explorer.BurnSelection:*",TRUE -"*Explorer.EraseDisc:*",TRUE -"*Explorer.ZipSelection:*",TRUE -"*feed:*",TRUE -"*feeds:*",TRUE -"*file:*",TRUE -"*FirefoxURL-308046B0AF4A39CB:*",TRUE -"*ftp:*",TRUE -"*grvopen:*",TRUE -"*http:*",TRUE -"*https:*",TRUE -"*iehistory:*",TRUE -"*ierss:*",TRUE -"*im:*",TRUE -"*LDAP:*",TRUE -"*Lync15:*",TRUE -"*Lync15classic:*",TRUE -"*ma-chan:*",TRUE -"*ma-filelink:*",TRUE -"*mailto:*",TRUE -"*mapi:*",TRUE -"*mapi15:*",TRUE -"*mapi16:*",TRUE -"*mk:*",TRUE -"*MMS:*",TRUE -"*ms-access:*",TRUE -"*ms-actioncenter:*",TRUE -"*ms-apprep:*",TRUE -"*ms-availablenetworks:*",TRUE -"*ms-cortana:*",TRUE -"*ms-cxh:*",TRUE -"*ms-device-enrollment:*",TRUE -"*ms-excel:*",TRUE -"*ms-msdt:*",TRUE -"*ms-penworkspace:*",TRUE -"*ms-powerpoint:*",TRUE -"*ms-publisher:*",TRUE -"*ms-settings:*",TRUE -"*ms-settings-airplanemode:*",TRUE -"*ms-settings-bluetooth:*",TRUE -"*ms-settings-cellular:*",TRUE -"*ms-settings-connectabledevices:*",TRUE -"*ms-settings-displays-topology:*",TRUE -"*ms-settings-emailandaccounts:*",TRUE -"*ms-settings-language:*",TRUE -"*ms-settings-location:*",TRUE -"*ms-settings-lock:*",TRUE -"*ms-settings-mobilehotspot:*",TRUE -"*ms-settings-notifications:*",TRUE -"*ms-settings-power:*",TRUE -"*ms-settings-privacy:*",TRUE -"*ms-settings-proximity:*",TRUE -"*ms-settings-screenrotation:*",TRUE -"*ms-settings-wifi:*",TRUE -"*ms-settings-workplace:*",TRUE -"*ms-teams:*",TRUE -"*ms-windows-search:*",TRUE -"*ms-word:*",TRUE -"*mssharepointclient:*",TRUE -"*msteams:*",TRUE -"*mswindowsmusic:*",TRUE -"*mswindowsvideo:*",TRUE -"*odopen:*",TRUE -"*OneIndex16:*",TRUE -"*OneNote:*",TRUE -"*OneNote.URL.16:*",TRUE -"*OneNoteDesktop:*",TRUE -"*OneNoteDesktop.URL.16:*",TRUE -"*Outlook.URL.feed.15:*",TRUE -"*Outlook.URL.mailto.15:*",TRUE -"*Outlook.URL.stssync.15:*",TRUE -"*Outlook.URL.webcal.15:*",TRUE -"*res:*",TRUE -"*rlogin:*",TRUE -"*search:*",TRUE -"*search-ms:*",TRUE -"*sip:*",TRUE -"*sips:*",TRUE -"*skypecast15:*",TRUE -"*stssync:*",TRUE -"*tbauth:*",TRUE -"*tel:*",TRUE -"*telnet:*",TRUE -"*tn3270:*",TRUE -"*webcal:*",TRUE -"*webcals:*",TRUE -"*windows.tbauth:*",TRUE -"*WMP11.AssocProtocol.DLNA-PLAYSINGLE:*",TRUE -"*WMP11.AssocProtocol.MMS:*",TRUE -"*Word:*",TRUE -"*xbox-tcui:*",TRUE -"*appinstaller.oauth2:*",TRUE -"*bingnews:*",TRUE -"*bingweather:*",TRUE -"*feedback-hub:*",TRUE -"*git-client:*",TRUE -"*IE.HTTP:*",TRUE -"*insiderhub:*",TRUE -"*microsoft-edge:*",TRUE -"*microsoft-edge-holographic:*",TRUE -"*microsoft.windows.camera:*",TRUE -"*microsoft.windows.camera.multipicker:*",TRUE -"*microsoft.windows.camera.picker:*",TRUE -"*microsoft.windows.photos.crop:*",TRUE -"*microsoft.windows.photos.picker:*",TRUE -"*microsoft.windows.photos.videoedit:*",TRUE -"*Microsoft.Workfolders:*",TRUE -"*microsoftvideo:*",TRUE -"*ms-aad-brokerplugin:*",TRUE -"*ms-appinstaller:*",TRUE -"*ms-calculator:*",TRUE -"*ms-clock:*",TRUE -"*ms-contact-support:*",TRUE -"*ms-cortana2:*",TRUE -"*ms-cxh-full:*",TRUE -"*ms-default-location:*",TRUE -"*ms-device-enrollment2:*",TRUE -"*ms-drive-to:*",TRUE -"*ms-edu-secureassessment:*",TRUE -"*ms-eyecontrolspeech:*",TRUE -"*ms-gamebar:*",TRUE -"*ms-gamebarservices:*",TRUE -"*ms-gamingoverlay:*",TRUE -"*ms-get-started:*",TRUE -"*ms-getoffice:*",TRUE -"*ms-inputapp:*",TRUE -"*ms-insights:*",TRUE -"*ms-meetnow:*",TRUE -"*ms-meetnowflyout:*",TRUE -"*ms-mmsys:*",TRUE -"*ms-msime-imepad:*",TRUE -"*ms-msime-imjpdct:*",TRUE -"*ms-officeapp:*",TRUE -"*ms-officecmd:*",TRUE -"*ms-oobenetwork:*",TRUE -"*ms-people:*",TRUE -"*ms-perception-simulation:*",TRUE -"*ms-phone:*",TRUE -"*ms-photos:*",TRUE -"*ms-powerautomate:*",TRUE -"*ms-print-addprinter:*",TRUE -"*ms-print-printjobs:*",TRUE -"*ms-quick-assist:*",TRUE -"*ms-rdx-document:*",TRUE -"*ms-retaildemo-launchbioenrollment:*",TRUE -"*ms-retaildemo-launchstart:*",TRUE -"*ms-screenclip:*",TRUE -"*ms-screensketch:*",TRUE -"*ms-search:*",TRUE -"*ms-sttoverlay:*",TRUE -"*ms-taskswitcher:*",TRUE -"*ms-to-do:*",TRUE -"*ms-todo:*",TRUE -"*ms-unistore-email:*",TRUE -"*ms-virtualtouchpad:*",TRUE -"*ms-walk-to:*",TRUE -"*ms-wcrv:*",TRUE -"*ms-windows-store:*",TRUE -"*ms-windows-store-deskext:*",TRUE -"*ms-windows-store2:*",TRUE -"*ms-wpc:*",TRUE -"*ms-wpdrmv:*",TRUE -"*ms-wxh:*",TRUE -"*ms-xbet-survey:*",TRUE -"*ms-xbl-3d8b930f:*",TRUE -"*ms-xgpueject:*",TRUE -"*msgamepass:*",TRUE -"*msgamingapp:*",TRUE -"*msnews:*",TRUE -"*msnnews:*",TRUE -"*msnweather:*",TRUE -"*msxbox:*",TRUE -"*outlookaccounts:*",TRUE -"*outlookcal:*",TRUE -"*outlookmail:*",TRUE -"*read:*",TRUE -"*vscode:*",TRUE -"*vsls:*",TRUE -"*vstfs:*",TRUE -"*vsweb:*",TRUE -"*windows-feedback:*",TRUE -"*windowsdefender:*",TRUE -"*xboxliveapp-1297287741:*",TRUE -"*zune:*",TRUE -"*SecureBrowser.security.getDeviceInfo:*",TRUE -"*SecureBrowser.security.getMACAddress:*",TRUE -"*SecureBrowser.security.examineProcessList:*",TRUE -"*SecureBrowser.security.isRemoteSession:*",TRUE -"*SecureBrowser.security.isVMSession:*",TRUE -"*JavaScript:*",TRUE -"*vbscript:*",TRUE -"*about:*",TRUE -"*ms-its:*",TRUE -"*its:*",TRUE -"*mk:@MSITStore:*",TRUE \ No newline at end of file diff --git a/dist/DA-ESS-ContentUpdate/metadata/default.meta b/dist/DA-ESS-ContentUpdate/metadata/default.meta deleted file mode 100644 index b9b933bfa5..0000000000 --- a/dist/DA-ESS-ContentUpdate/metadata/default.meta +++ /dev/null @@ -1,23 +0,0 @@ -## shared Application-level permissions -[] -access = read : [ * ], write : [ admin ] -export = system - -[savedsearches] -owner = admin - -## Correlation Searches -[correlationsearches] -access = read : [ * ], write : [ * ] - -[governance] -access = read : [ * ], write : [ * ] - -## Managed Configurations -[managed_configurations] -access = read : [ * ], write : [ * ] - -## Postprocess -[postprocess] -access = read : [ * ], write : [ * ] - diff --git a/dist/DA-ESS-ContentUpdate/static/appIcon.png b/dist/DA-ESS-ContentUpdate/static/appIcon.png deleted file mode 100644 index 593ed9af8cc747cf4a88fc6aa24d83f905dd1a40..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 3658 zcmaJ^XIN8Pvj(Zs1E_REKnyh`)CB3F_a>kygb*MgBql)u(u-0oh=5T%5D-+P7b#Mu zND&Z0fql<=sfo5VlrBBAA(192d&>Q224b}yHYitDpu|B#WR}C9g8@w^b zA8Q^?z&M55I-|n_(QqG-z8>%t8Nnb3!jMova?pifB7&?7`kNQQ*dLf7AmHCFq(EKJ zf0A;uu?HIC2pFJ-il#Ces-_Lpf~!C^;My>CB_K={stHkrL!j!)s!)U~9H9yY{_}ts z(Fi`i2uGypKd~4mU64PCghxOip`oEFp=v5Pf*%A5hr=PNFbE8$% z>US)FiHWP;0%_<>o~Us%VZh&^cbfDVEv5m zR?mP&S9*kcX}?m(n|^|!`bdd2TYvV=u;X_O)7*T=GR5w-LsGvCRP z#i#HUfex=c!~S`L=T*#Uh%*)scLA@ZK`}Sg9<+If#=V`6pcKaLeCceP`WBZ@9Wm;j zo~6B+9_9&A3`G_P*gtLW`!p1F)+T*KE59~H$)LoEe(bA_Q%ejQimEhjs6HaSi6cOgsi z=ZwJnDMm!Vyg*2jNarD>OarPG9(&ae7ctDgn<-d6XUkFcg8AwI->p0Xb4tSO{Sp~K z7+^q?>sK`Mtt5ZL@6jTOJ%<_v^nuPv*kUAo_AdAMpYTV#`vIeJKVUsP02 zJtM25?^b?--7qN67RR!EY4f;GWCgdwwS_V9L~nqn3>U!ZYoiu_Y&Y|cZo)fxzUESD z$@2)8ybR+Zsv&;6&BA>6*xe6<*9LwH5Z-8BC9)E=B(VaKv=120Z#fFi2~_uA7mu3( z8j{2hNp0|dmr;leefw!Q_bJDoM7Z|qlqQ%~ziUv!(;o9p_fZG38xI#=&7J*<dM;B!c5ST;ocLbUTk=UTRMlhtI7O6z5%kg3?G?fc$>2BXh+97oDNRuxI-*bhSx ztk>9IO7$CGUYXPDWKV#AQqL7rHq7q8by+<)Z*k`pb^N%TXz#@x5Pt52(0Tvms`#US z9kD~7EVkyNbKVM6qe(N#6fX>rKltg}cZaDCzPRmvQG+X4U?`Kyp4l}boez=zLfdt* z(VY3AvT}62&8jE%+4g%o?yS0_VTUinhtZMm)=xV-C0qXgt|<( z;M%}=Z{&nv+=uZRhOdxl2eymrd^HM}~ir7^|9Rcvr{Y2yg-?6gi)Os|U3*Df62 zoz#cIk)EwJCB6AA_9*R0y4MDn@9KoO!m-l!_9vzevDuEdX~ls~1uIuLQl>jKnz`S{ zPvnT%+KQY4b7VL#Dh{sAvA2UoIx+Q|;yv-Fcwpfn~K_lPFW z^{#{TbF&r8)-x;}r^x={i0WF?4khi2_j`Nv+kGT@(Wi^bVXuzsT^Xe>lQ6Yx4sF7= z%1yPJvBG_pqZ?8Qf%3+?G4Oled5NUBW>rN#cJ}1y;s#XPlDJE^gw)w^|ESLR&m45# zln&Y&d6Z!CAerTKHCxjOsWu_5ycP%kxE8=rUXjSKgUht`rNSWfS4)(ZMk=kksf)hD z;jTw5czvOKNF-8Gyq{%Es(dC>o#Jd(R%6E1|Dv-hQF?z=DjR#qhwa4Wl6k(j=0F9>Q93s#ofuzw+!{?Cerm3pRI3w zZb-q7mfo_CGEI7Nc5wUi<9U^`YkvD}9x4L4y}v?h_=(z~j`sUrSgchT_XE@md>H+@*vtv_ z_gqT6a2xZ`preY~lOYc`*j{k!XH9ZdXl7Kf?F35&Or&$3x!}(FPDei3w`yHZF ztd{kHtWW{$Y(;gC-g)jFNPvYna>iq=E*0(NSYr2~%9JSS+aTwmk@iL@oprUw^<`5S zO)~sJ=y+A}U*X%#5sy2p8x@UB5plA~jLQlR;8d}pl#8NJy)s#|j)PD3nY+_nnr8~l zDeBg%_pR!|T{qLMMzT8#yx&Pth92(1%QjV zg)z*Ly5apI-IZhFq2o+5?Q`bQ4&bqXiSO+W6;#Imd|zjI(uFcw^h!<2s%;By>@(gC^ka9xc@c>Zq6kz|Ma;5#Js+P z4v}WG0B$`@AgWEPiH}9+C3gvppPVDU9}ADy2$k~2)Ey2HLAoWKYZ-S+_w30Lc6h>U zqj3{|=d7~aW36^4nTOY$Vv2;8#xbnhT(^2?Hi5R94d>-PHAJLSmW1iLS-G#8?r?%y zJ59EJZhy-Pyw!F8V zuiQ5t?hZ_HZ^d=vi1|CMX5R}OWLs1va_v4>4VMaEZS>m{IzLJIBG{*r?sblCaAd6@ z49#-7K$Z=**~sLn*-=`wyW$YJryZBPUTIl+LJ#ZqY4K)e4q|=ptFb^vTFhZbwq@U| zfaa+3@{>5k*LNMwMG+at#mx(f*z_Eq9_!xUA1Ga{mHhU^v-7rjQS-5y>{}r%b-KFj zyF+7~jj~PK=L7c4g+Z&|SS?~Cs0Gt+e??_k>B&WyO?;BnuQR+@Ev6R^m7vSWQajE( z?ocoweJS#8cI51BF5Zy7GFn4<*XST5e%&Bt`QuVx#WprG)da~AR{zXEY%x~{H5a~S zahXlx3j~bhJc7{dpK|8WpYjiFeLG0EZGHNK%o{-}1MJ@g#%uTY$bLxU4dK6L35?9W f-lEmN4{2k{gkb~l8Am1${_ZSHY>{O~UUB~eqD^Z5 diff --git a/dist/DA-ESS-ContentUpdate/static/appIconAlt.png b/dist/DA-ESS-ContentUpdate/static/appIconAlt.png deleted file mode 100644 index 8035698d8963d8f4e96305e9d1a9db1e30e9415e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2656 zcmV-m3ZM0fP)500001b5ch_0Itp) z=>Px#32;bRa{vGr5&!@f5&>tQ(oz5b3I$0-K~z`?wO9>YR8O09HD(RSq1)H1d5w{0J0`Mqgwt=Wd3si5*DiZFmE ziiHL;pfGP{-g|e?#eD{fXzO-_v(tdR|jCP z06+ZS@t)jq|BE%*`XpOrI}_|7;Gn|l#;BCNoHy%fSQ}JV^!<CXX=~_h%WbtN*!CT+C0_o5qdDCpT?IV}AZlnK9b$ioI1XQHZj& zRc3d@SqmHPW}Um*rgCdcU}aY9S{9K)%#aiXkyEllW@&hL`1?ni9+G5ojW|UVnfx^R z+H;uez^R7yIxUu2mU-W(B_&l^meew9xaLlP?zm0mnU+6lSiBZv#7PQT!tm0%(D|j8 zJ2(y)H3B0-2$HV0prDb%g`}A~st`K+dSzBjj6(3M9D`SD1>uQ`jJR1LiwkTWY&$)6 z8=2D?<~IZ$?}R8EbBN-Q;DtrY26g~KtcV#k(96V8&A?WaOTQC)wv9tABcBxw;*%#f0q;PB5dDX5wJvOp3%bb2e zKltF13B3*wm%|ePBMkt#Tw8~x28n&iXCwNk`XOm2_BD%2qAZh2L5u%+I@1!b&UGBS zOyKf#^Ke1S>~YD;D$~N^*Hr^sX0$)Ua7z#(&k=;|Jj?7oQT|iyO7Ev<$4r{2Yq?@a zrPu%N}CjBoTuD;v{@j|2GPfA7A&=O4rq9spiNLlADpS|J1SK zVSRl(6P%LrjgDiM3tD0O$*hRp)K9+!Cz~8ZPJ;AGGhS>KRp07(OJrctc^u0wmE6c2 z`c~mdsz?(N0Pe#GpK=iLeE5Q*YSjUZehA|t$lw>?c~=KHs>rd71FDpU85?yB$5jCKFle~(_!zg zPr?U)KzYh@gHWiiflrZS^jWyIq=Y)CT0Kzf#VH^6GVn7Xuiky} zi<+FvSKZBHSCwZF1&uTc+)($odR(~7pjVfY4NWTp11{N}M^&h(0p3EImJ ze>~#8egQ~qGi%-%oa}JP*|LHk4Nfck7sydXh9wa*Xb(orBf)6}KTz4tq(+AG9XR0q{;ygi zqQ;Lwy#@rKK4D=fK6Osdb^LI}kec6K%E`VF95lz7RhJxx0LXN3HX2yWDfS96f2$+-x^f7zA1(Y<{x*s!= zm@g>KaQfZ_vvixb0uLVcQfeUa?u}R?5icDFtq7xQqJ-RtLls-Ta5h#~mhlYc!~8u$ z&o?@`rZx%8ZcFuA4qpoQ*GJV{cGOBG^dRO1)(j#0hm<9xk*Ic8lqU}%Ydr#36r zd9hXE|1{M1=&IS}htKBat@DqHLJqqf(bCI6Qn6YsI=%b*8mbT6Ov7`7t~uN#EuuSa z*DKeL-{}iYC2gX7q4JV*)(s`kzF#JW^jI-_w4bEoJDF1z+JoK%uCX;ZBimeZkGcl; zNx9X&`M~NAw%7_zx{;tqg24bq8>75WKC#KjddkQ4eVNj(ftclvt{-)*FWo`vcHZ3gtn##^) z#f}toIJYMwj^*c`>bA~MeRTh8c{E8^0GMa0vSR6xL~ws?ld(Jv7G|_s{Jky9Jc`OG z(fk4fuj`LUs*s{%U2|T;Z`2eXM(JZ(qY>1StdE z63z||4$8tw+uHAdWf|rv(DSy5PBax7@Wz`#sPDIcp%azqQA1e`cK~jYn_6mdO58_< zZYn=(4HO)Vcaly+QWxyLHpKnp>nOkygN`iEK_3TK)Ej-g_J}U!y^ux4H}as&8WW=v z*j(sM`!~CbldRVE?=0%>7U~iV)q<`(Rj0x0p=)no82rkB&bP9paT%Fg`VWaiilU&y zAAZ<0w)Mxs%l9^)>9|5^x;eoMA|ff|66U3G9q-Q__0;EE&ZasMvZ!c7n@f2X5_b|* zs0zlf6m+H`@ugbQ}_2ii!WI}4&T++ll0ikxc z1w$u87Zq<3-Q*AOF@_n2Jy?-x{`$(w*a_YO+e4=5s}jb_m{1RGRkk?{K5bq$YRGW_ z`L;xq^~BjSF4|gJr>b^0(hA%yg)J(|hdana%2ltYV1btzk1=2tp@dv7=&O8 zpr6Txr4s{=z;^mE@c9JYdM8|{UI<%MoZqeUnA=jbyj=!h;z&p+taf?^?gr{=U`qs?+x)K&w-?;` z35|p#F6HHHZs`DX2Ux&t?3^TkN3ESefSr{D@THJCue!4w%+^lH#}%gQqoHT%<6sH0 z0!m2&#J#{z1aO$UIlv3<=;Q|Wk^ugT7yPvUYvut0{^jECAOZZJqzu%x0CEUd7(j?y zn9Gt+KolSX;^q?qiSi3_0{D6Pgn4*DJbZ#&ynJ9@5SW(_@b3rs6wTGj8mt3R_;;+Q zlLXM#-Q5|?!{h1c$?Yk?jc~Q$;RAs{JiPoo{QO)`9$aqTPVVMjTuyEb|1dycZkDcg z&hB;yC%|7ua|?ury9Dql)Bh;}?))EGC%1pM>8W8nUgpj`eB8W$OZvxAUH$*>3Wxv4 z+s$1E_P_c5KZ)J+yq#e@IxshchpXk&;H(+`hH?hWxx&od5w3a&gyTP5)UrjmBiw8e z&Hy>Nzg-gnu&SF|+By9-vi%FCt`1gqa&tF#vVuTR1SIp+FIiz>em;4Aei?blKUfID(gO~2a{mWw^}kq!|BC%92)Of8WC+aF?hVXJ z!4&}q{Ht)V-G9$T?!WT=8*BC7bAkLuGDJqtYhl9(!&lGaH23rTaLJX5tP%nJ)L2j?fJUNEC1HyV;8Vs* z3(ScOWXXAs42sNS4c{J*dX^tS43tQ5mrYdXS*-ajb$0sp*q}yP3)AQEM8MY>Z(Jo+9uOGUiZ|}|LC(YvxD^V)y zjS*yD$3}Ft5y4sr3{emdE!c-GI4n?$r9d)jPfd)`f=F#|8zqVkC!l~`u9a##hdi9N zC9emm`awmsv5JFHzU4T~J#dn8hYoDBK7~0(#gzva>}@AJX}{J{y9UMEGEj`^Z80E-Ph^s&olo7lzJ(DDej-xlT zC(Y;?=Fg3lx0i&Otr!!yG-Tp@uookfb703=FXyWKnHwkZ^y&IblWS#QQY;C>U%1lzpYuRBB z{wgo?#ZK4!ol4Ap@C!TLcgCCaIqbWWJIaRejz{Gw4qWGlHQYK>4=HM6 zDI-{ik@i|do})GRQybESxP6*bV1Vz3ur}tow5UJ4dq`98VdIS=LODMe!`Klrnuc7)JaA5+NYX^*Oo6+rbI7rVmL-PC9Cz2CsbZ63NWRMd{7RY zQXaCzK}-80d%xYzOK6@xS!Uvx`OE709(6$LB8J(u-q$aQ7RGBV8?ZHQpsG6jEG^=z z1us?1SlPId;ygY-A6Wr2&{kwIMO>KFqttALqs+8{1;5}&GUr?gHviJraJ?hI>L@$_ z-I#moJa&KQ`TYZL<7#Q*XEWYc(iU!&K`Lkq*g|?6WPz=+b=yalvS#jq7}u>o@(IVi z1Y#9asiRs5FW?PF6n|LJ2@cBxWGNCiH(yTq-DSe%eYNT2-USCJ#-`crMFV=QINjox zdgj>LjPCCM-nWuVyxpS+=Ak%T&t>iW8M;>JB<5#cLH>A352nSEqlZX}{mPIzBJ^k8 zqr2ni>rK1|NntI4BKTNq6e&UE)G%lvg$M+g@4}gPdK#ESmr|cZBC1d`|}FXE5yUw+cv^tzU&D%+&OHuXvWe>$Rnqr%Kz$CWBs-0eV~oU!Lzlmm4@!X{d{j z(lITQ=mm2$^m82q^(7%^*>l5_ROf^TkD;e1p*o5mA%YBJn$_^jlB~hoQ?-{%63>Cf zQ6!?b*Z!uCoIB+XW{c73T5osNTt-K@#}7wN$9&p%-;ED9$F4${adK0wC<+<7wEU*C zhh(@p-*|h!xX{7b_O!|;2hMqhduy}9Ka9(2BeNTHG?J&%apxP;>Lj2E>Q9g5LFEoL zOIHtO;AUfj@o9H`fW)#3pGqD%`!Imb}u#G;NJ;+r%b)~N>e z-Z!o+s_vc8D6WIinFZ~*RLD@wRK^Cnoy}Ij9L7w5pilhpYH&=fOHn0Y1$0bYLPr&K%vA?@;@mz2w+EK5ZqVpPL36OrhJA2n>YD(z%q6D+X-U!7Caei#bi*Sqz$WioRP z5~OtDWV)Fds-Pv$QW;+4g`ts3mL;p&%Sq6zeoX-%4*$u^xBbCKnZGV{nXt&1&3ccBztcZAe!~3>2!IQ=F6&y%h6vK;I_Jk z5vOaT%@j+Vmj!rBX2!dZ)12>etW85-(Q z>W}4`7G#;X-aYYpo%phZOKMwKe2ZvDRBYm9v+gE09==HM5q(tX>ejI zeB|Df_V7C$yQyGCgy8wE`aFAUc0xC;Yxvh|eAKE4+Vlk-uZeZh;VJmSsd{k6VH0;%y(Jws-H~VU3HI@Dc|zrE62s zDvMQ$DS4VA_ropxp@FM2S*kzwf;4MzJx_=}2VYFmOAs}Oa)%0PP_X!s@54Ik065fJ z&uu~`9^*n-Fl^nw+JNctT~RU)Pb<1lQ|7nN)X1+qQd;<7h|1zp@e`SyvoYyof^+1L zK`7)NK4W?XsJ8f5T9p0eEq;(PEo@m;vzpf(;our-C|(kbuoTZVQRnF#<0=qeUR9z70RZUc(uQgw)`Jsr95907P2eyoeV$xX^e2JpgIiqT@ zbhsXAT6~g@QTmZ zXYES2lDN<%*8E{`0Aerj#@i=z>%IZz2UW5F245TzyZ|*DiPrD<*@}B;;4_NzlLoeU z=<|oKJU`}`=r*eZV!C1Gvu|$!YiU)!#E=G#t^khc%Sqoy8Vrd{?ds#cghrab26RNn zU6RRhLuZY*E6jE#RLA_4q!vuQbHcD>Xir(ACCO_!@dRU1SEhJXBWc0GgF-XHl~7y;jp^jnTie{6=_it&SCBhIZlBJE*iG_Y=@uF)QbXP^Z$8VKDgEl4}8V)0D?ci|d z?Xq_tUpV1-E-5)&^XJXJ-3AmwGO2^;>2@oSUMhYZwH1t&7_#KS(2k%{nl@%6jq~z5 zayrJ3>r$ESzd*88YRm&DEjH41@&WGFWP4Io)c8>@cKnk zNWH<`kw!;@;Za8xiH9S~vGlOCS-}Q=&G_ek6yjNvSFOqdB28nv>12K>#Gp2INjs@Q zn5g;4uBfM0uv|TxB+=HG6|SR+)02aE(PKz;8Xebw;mV=m7tt71oCLUstugq))pdL7 zh~Qs^DNFn$h82cyMZ29%$&M3NU$m--%6_c=7!BP3OKLLv5Ntz}if6l~_f~$(uu#O+ zhTgJTBm#}!lFLsQ9`Dvh)AQ8ifD4h#ZCHm|4G;V{G`TT;~UMhvsAA9B^4NI?|G42YxhX0 zD(&+fFs6@$@R9o+Ao_{h{UjuDDvC-8+H**;m9Af8w5i7*Benbrp*Z{@&lYL~Q+04e zdKVgVkFrHf`%K=l5|$7U1UjBRb0GO9)5Rorv?ELz({QzEKu&vvU-8W|5WPK}Ql)gj zs!oNoLQMoUiP16p1&V5ai0km@k0|fDqql`JxQOBJ<~wEH2)K^vkYna(s8>!%EPsW2O;b>V=FBKb3iY(&1Vgt%=-$#{;D=&uC{2C zphE(BTKss^kK43JYmZ9yNsd|6Cx$U{xbMX9DC~Z_zlw-e@_6>XN&}&>OWQ+{Tk;}F zqtXP$?(L9P2yQB9t;x`}0_IX{$@< zM4dZj3jE_MjjPJh{GZ=2xG050;WS;}x}|WyAN}S|7L0gzF9c<7-qso&V5t2d=x>ps zly%;XDQRM8C%1;s2z;0y8TtgRQdd8muud}9l|6V)Q}*Y;OX2qzh3S@2u5BH_eSLE0 zJ-U30^eNQ|CeQiT=9$Pjzh80J^Jkdx8YY=&RGQ@>Sob7aXsD?8RM^XJzXeVx%lG^L zX!HH9AsJ}yG4PdKx)#rmD4{dr{vB&hrXkY_UBejCobN4;7(ulOFFp{s@TJ(BBxTdt zbkn~aebT?3tYUqJn(LyUpJw27kvREXLOn}U2yq=WBb8HijOxoYdE5BlbYL7_PaIc? za7;^Of&h4pst5!?Q{9S9YED?mo{&k6FqGTqS;gF(3;Gn}Kt>RLUU4f++d)J`hTceB zTDk0Z`DkMZNRR#0JR(y3)A|h2DvQTatcFW-d)t#SDzJ7l49a%7l7C|`kYSXib!2^Y zK)w^gnbk&pwk#u@xt(ykQ}QbFg?M(+YDm6y-y`LDDx+^n;bEogj|LW>HW#1OFMa5W zm-BF-rN!&t8qGZ;>=8kMRKNR6N`|re1|XS|Rm;ehh0PzC#);@e_YK&5PkV)`n%DN1 zrOJKT5KKr+X4Y8*sQuO0oiDjx$VfodGjg>dfa+{jkWgV6@?eKuZ@Eq3_1pS7p_}^9 zf*o|y`Sax818-)MNJEWl_fgu9xkw63!a-$61vv5Zg6f0~kdJY=a@945S!4uLwuNqE zqREgI!YoDgJA1J!x%~@;n*LTM#m_5=|#QD6tVoZ?HJ6qLiArOsdvGE_~C}vi7fD+!s;RsNF@ON_xhE| z=f_W)pF=$lhcLI2FEoz!_|r->D{QVPqAp35mu?RYSuA6nXTcq(z77To5B(HgEDCw% zw`A;pzAKMfgVhZ$lz^cvK!E$M=gFE_YC{T}X@Q0j|PgI znmvCNMG%VlilScaAd|&r1=EbGzxgmWc<&6))}A|O8L$XdcG@%{!(^tgHcv|$98(Ij z3hy_iq(;&ewqD^Q_%(hI76{KEt!qGy3pW+-$%(MdI_p-F@Fg;5X}=*k_@3w!w^D~i z`#}IBtF1l1vIuo=dI_;-rTma?}toa`)r6OWBeW@qJnE9&ZIw6L_+0HWANcrxqEOR(^<0wfBJ{{H%QU!mG{i~3 zd0%zKj{C3;b6UoOCMc#j9iCLnVFdkA8R60;>1gy|t>`Y^?>Vblv!$5b^N4To${bxh zcOL1DVe)<>uV@l{{X?CtodX?cG=<`1^5u+8@H55v8i;H>!aRE!fgLm^8L@h>j}cmu z`(mkQ(o0KCY9qUbo~mZ>e05&j>BM?kWe%^H?&yNFF7CIKs80fNyWw$bt(ZN)46}hw zZmdnKf4ylHMF<43Lv=V*Z{}!4Tw%Ws4;RwsL0OV% zCXouGv>`EZ!exOK5?LE@%vL~S34**bV$9_e28z_n@>7^j>wX>VZ!>_LzcJ^zl4>MB z3fCMF0k0L0`hzz#?(>{L47IHxwxsZ?8U>ply^#C)$}|f_)E_dLsnD(q|4b@1{>)cB z60qWx4nnlo?ekQ4=b{R|Dl@x<&XJ@>HF4gtXF@?6^F^ z!QkKN3x<5k?|zYuO;0&5iyP+0GBwXGVCC=MEo}~X86%r$*1^!_j@yjP*Te%iX|4sx z!^!NW`}pG{S>%2!S9TR`&@$$;l8qAaX33d z9^yUp{hTC}d@KJk;7#)7_2l!Z{=8g>WWjhQ&{}+n4SR2p+bJECIVdMdLNj^2{v&xSz;71Z%QG|kL*abG9V?AerfE4};c z2Uq_o&Su7|EwT=_h4Y7oz-X=aipMUgZfyr95q0gI@%lW#_^auZ)Q(P@?!{5>u&}q| zrxfpcJxq2*9&ZCD9P9C+;xy>m4@)fy!jgaJMB-z#a4v#QIbQbX#agJ>?^pcn5d9dM z+=f0U%Jj@fzO`qXm}}N8wQfE42T^Z(8agz=TG&(5ZniG|`lq)+6BmK6@g^b3>UZyi zzCTjdfY<2T;f@kx>P|<=RjHMw4;OiTX=XUr;YQQbOi|>A}u$K>-{>Vu1 X#!)HrJNVq+zm&@I8jwm^v%voYn#RoW diff --git a/dist/DA-ESS-ContentUpdate/static/appIcon_2x.png b/dist/DA-ESS-ContentUpdate/static/appIcon_2x.png deleted file mode 100644 index 351da4383da55de4930707ba4490b7af6a464da1..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 3657 zcmaJ^c{r4N8=h>*7Aj<&25G@8*0CF-QpP%ywPDN*1~bFVU}$V*FOkX;%9br_W6KgH zONbmA+o8c3(jO?)MEKD~r1vW>`8i9I4)nP#ld2FegyGh(Iec&WGqg#1X=Ro)L`z0N!IH zv@^pQWo>|`k~ML=F`7(rAQue)7@0Byad>|s1L#HcAyJG$E3F+MAc;{!B9=eZb?4^QK?1>saVP zp_Y1Zb8f#7y1Fo^B@AY6iTr^@Qt`oLB8Bk-OZXeB{jbqDTGKkMWd2| zzZY&m`Ufo*2&gU;uD{Et^UqrTz!Lsl3+!LDfVpD8yW{ za6M1sn)~WGw`u@DsL2Xxj%L2D&)VmV9#ibx2@Mg5kHHBD5X_{A_I&p4j_i#j7vqUV z`spBl=ztn{Lj2tND9n+*?`{U^w*S0CwosX^=~_hcWni74pa?`+s|&V07`CH@WoVyl zFk*F3( zN^RHMd&g7TEqAv2z1h&EYDis2x(z?5?hPn<*rzADdzt5c*QSaa?@AKoNs(_rquT7m zOzTfi(osM`Q(Mrz9*-IYqew(V(9`@$Ie{BXvVii)*F3?<-%3r*?Z@Q9r34T%uF(qnRdY(p;qB?UY8r8s9Y9*Q=ZJSsAV3$tDx%DgBv(c zHSAPeCGywnA|W-1amDGygTl??n$n2&kq zerP#*L*dd3_S($S{LWf<@TII~?OrX(ibIk|@{gPA2wf?)$h1NDz50T&^5}W%GP~5x zt8`><<6Zw~l#lin`qZ+zOdLh1ukY5vk<62vg)No(n8VDkMIpF_K>Z|n$G%YB_&9CV zI4iI1kbN?_+SX&2z!tZk4;_+^|HK;JN^|TxihN~q9I1C}d)3qHb4}VKwn#O)X^+|o zJ3f0M3C5G*W>52$#+IJ!mes;f-&ZOkw&u@As}K6@f2h2A!LZX)T6OD<98W*Goy5lym%w2vNN0G}!V0l~5}!fAU2uNolYo>H0>j z`JjG&nS)12{9W;&b246AZ=IiG;664=ipsJ#42&Y{*kcbLw2dHa1$b0gRcQm-!(UsB z@YF{X@fnkBl!f6p1rbt~S&0YOUHPwn#KlZ&$0b<9j;(2*r>WMlA&q{;kGu@MUM5;cA;bIDd zYbcs7?41Xcqcds|FU0O)jpqHly==4fb~0~s#^I9SWhp;fNeL&{q9$3pyenRyi1W{< zu|je-{)&t9IO9?q)$B10VZ5$L<@*cs^vG3!OW~ul*y$*~hHlRMwE(tP^qknRMxS+I z(t})`_5^!K<7q%z*X0i7guCqb-YRBZWzrwBrS=e@shCeS2I z7hizD{}MeGu*V}whKV@x(r*K}AkN=Y@j$UB8PI&u!}1#WN+?yqPZ!Fx5i7Csm-VX|8!4IV zk`~=+7f+wfcZ!{B>GyzuN}o=~oLc<(unRt&mzIG_4!`cJQ6nC+T9s#-F;!VPQrasT zrl`d}Ebpy#=Ae*oMP;nAFwD<7JmNNIAUt-v6MU}KT=~>o$@%TAg>9x^1kM!*F3nT199P(yJ8Av$6IRTUH`eWr;Mwwg@pTvJ>(K)n z-)DuU+Q=7+))O^|B-=eRbHa*AvzzX3j*WrY_VO~DYs>lR`|`&M!b#b|I!rV#7Z312vALn^0ZOE`a#3?A$B?= zwZbj79EUN^Xw|)P$Xy_hWNE{RyL*-l&yq`?jEw+`jYXyNxCXfJO|>3*_AH}fL~$uY zd0_Hj?QNSEg8`3+KuZf6lMzARI|iE8!H$*x-EqObt{oOhhwi9WvK10~mC zsugYTlX;F+>KHr3=%#&di*%Ct#hc8?FH@fIb6tNu|4aS6JzcsqqG8(O)0Cj#*85E! zYNhAMkb5lSqFEN>yo{^#t?U3B@#JO*)wfSMvsSjzH9&8{)1(43|NQcn82Ws-`or5n zx~pOTY38SQI*0Sl%?r2=S7JY5Fh)m5FJM{K@3AWn7EPknDNY4qd4dP(I8sUteZxfC zWFbsK2t03GQ%??M#}QEeRxE~&F6aL^N#xrWu1jO*WGK{xnp*eKIfP?0$*);e!@biU zf?g3xIcqCTKbw*-57o)NH{AEEN38Gz2M%>~;5kx=@KKdnoW3G^o9w(9MBW}nM?(YB z9)Bz@4Z0$#L{)wpRU|uagW8x~kx2dNn1kCw%2q15!GNkIzdUrvB0@K;q}|P zde*}k)@$sZgs;LpBbS6kv diff --git a/dist/api/baselines.json b/dist/api/baselines.json deleted file mode 100644 index 2f2b080234..0000000000 --- a/dist/api/baselines.json +++ /dev/null @@ -1 +0,0 @@ -{"baselines": [{"name": "Baseline of blocked outbound traffic from AWS", "author": "Bhavin Patel, Splunk", "date": "2018-05-07", "version": 1, "id": "fc0edd96-ff2b-48b0-9f1f-63da3782fd63", "description": "This search establishes, on a per-hour basis, the average and the standard deviation of the number of outbound connections blocked in your VPC flow logs by each source IP address (IP address of your EC2 instances). Also recorded is the number of data points for each source IP. This table outputs to a lookup file to allow the detection search to operate quickly.", "references": [], "tags": {"analytic_story": ["AWS Network ACL Activity", "Command And Control", "Suspicious AWS Traffic"], "detections": ["Detect Spike in blocked Outbound Traffic from your AWS"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "action", "src_ip", "dest_ip"], "security_domain": "network", "deployments": null}, "type": "Baseline", "search": "`cloudwatchlogs_vpcflow` action=blocked (src_ip=10.0.0.0/8 OR src_ip=172.16.0.0/12 OR src_ip=192.168.0.0/16) ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16) | bucket _time span=1h | stats count as numberOfBlockedConnections by _time, src_ip | stats count(numberOfBlockedConnections) as numDataPoints, latest(numberOfBlockedConnections) as latestCount, avg(numberOfBlockedConnections) as avgBlockedConnections, stdev(numberOfBlockedConnections) as stdevBlockedConnections by src_ip | table src_ip, latestCount, numDataPoints, avgBlockedConnections, stdevBlockedConnections | outputlookup baseline_blocked_outbound_connections | stats count", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your `VPC flow logs.`.", "known_false_positives": "none", "datamodel": []}, {"name": "Baseline Of Cloud Infrastructure API Calls Per User", "author": "David Dorsey, Splunk", "date": "2020-09-07", "version": 1, "id": "1da5d5ea-4382-447d-98a9-87c358c95fcb", "description": "This search is used to build a Machine Learning Toolkit (MLTK) model for how many API calls are performed by each user. By default, the search uses the last 90 days of data to build the model and the model is rebuilt weekly. The model created by this search is then used in the corresponding detection search, which identifies subsequent outliers in the number of instances created in a small time window.", "references": [], "tags": {"analytic_story": ["Suspicious Cloud User Activities"], "detections": ["Abnormally High Number Of Cloud Infrastructure API Calls"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Changes.user", "All_Changes.status"], "security_domain": "network", "deployments": null}, "type": "Baseline", "search": "| tstats count as api_calls from datamodel=Change where All_Changes.user!=unknown All_Changes.status=success by All_Changes.user _time span=1h | `drop_dm_object_name(\"All_Changes\")` | eval HourOfDay=strftime(_time, \"%H\") | eval HourOfDay=floor(HourOfDay/4)*4 | eval DayOfWeek=strftime(_time, \"%w\") | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) | table _time api_calls, user, HourOfDay, isWeekend | eventstats dc(api_calls) as api_calls by user, HourOfDay, isWeekend | where api_calls >= 1 | fit DensityFunction api_calls by \"user,HourOfDay,isWeekend\" into cloud_excessive_api_calls_v1 dist=norm show_density=true", "how_to_implement": "You must have Enterprise Security 6.0 or later, if not you will need to verify that the Machine Learning Toolkit (MLTK) version 4.2 or later is installed, along with any required dependencies. Depending on the number of users in your environment, you may also need to adjust the value for max_inputs in the MLTK settings for the DensityFunction algorithm, then ensure that the search completes in a reasonable timeframe. By default, the search builds the model using the past 90 days of data. You can modify the search window to build the model over a longer period of time, which may give you better results. You may also want to periodically re-run this search to rebuild the model with the latest data.", "known_false_positives": "none", "datamodel": ["Change"]}, {"name": "Baseline Of Cloud Instances Destroyed", "author": "David Dorsey, Splunk", "date": "2020-08-25", "version": 1, "id": "a2f701f8-5296-4d74-829c-0b7eb346d549", "description": "This search is used to build a Machine Learning Toolkit (MLTK) model for how many instances are destroyed in the environment. By default, the search uses the last 90 days of data to build the model and the model is rebuilt weekly. The model created by this search is then used in the corresponding detection search, which identifies subsequent outliers in the number of instances destroyed in a small time window.", "references": [], "tags": {"analytic_story": ["Cloud Cryptomining", "Suspicious Cloud Instance Activities"], "detections": ["Abnormally High Number Of Cloud Instances Destroyed"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Changes.action", "All_Changes.status", "All_Changes.object_category"], "security_domain": "network", "deployments": null}, "type": "Baseline", "search": "| tstats count as instances_destroyed from datamodel=Change where All_Changes.action=deleted AND All_Changes.status=success AND All_Changes.object_category=instance by _time span=1h | makecontinuous span=1h _time | eval instances_destroyed=coalesce(instances_destroyed, (random()%2)*0.0000000001) | eval HourOfDay=strftime(_time, \"%H\") | eval HourOfDay=floor(HourOfDay/4)*4 | eval DayOfWeek=strftime(_time, \"%w\") | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) | table _time instances_destroyed, HourOfDay, isWeekend | fit DensityFunction instances_destroyed by \"HourOfDay,isWeekend\" into cloud_excessive_instances_destroyed_v1 dist=expon show_density=true", "how_to_implement": "You must have Enterprise Security 6.0 or later, if not you will need to verify that the Machine Learning Toolkit (MLTK) version 4.2 or later is installed, along with any required dependencies. Depending on the number of users in your environment, you may also need to adjust the value for max_inputs in the MLTK settings for the DensityFunction algorithm, then ensure that the search completes in a reasonable timeframe. By default, the search builds the model using the past 30 days of data. You can modify the search window to build the model over a longer period of time, which may give you better results. You may also want to periodically re-run this search to rebuild the model with the latest data.\nMore information on the algorithm used in the search can be found at `https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#DensityFunction`.", "known_false_positives": "none", "datamodel": ["Change"]}, {"name": "Baseline Of Cloud Instances Launched", "author": "David Dorsey, Splunk", "date": "2020-08-14", "version": 1, "id": "b01bd274-f661-4f9c-bd9f-cf23ff6ae0bc", "description": "This search is used to build a Machine Learning Toolkit (MLTK) model for how many instances are created in the environment. By default, the search uses the last 90 days of data to build the model and the model is rebuilt weekly. The model created by this search is then used in the corresponding detection search, which identifies subsequent outliers in the number of instances created in a small time window.", "references": [], "tags": {"analytic_story": ["Cloud Cryptomining", "Suspicious Cloud Instance Activities"], "detections": ["Abnormally High Number Of Cloud Instances Launched"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Changes.action", "All_Changes.status", "All_Changes.object_category"], "security_domain": "network", "deployments": null}, "type": "Baseline", "search": "| tstats count as instances_launched from datamodel=Change where (All_Changes.action=created) AND All_Changes.status=success AND All_Changes.object_category=instance by _time span=1h | makecontinuous span=1h _time | eval instances_launched=coalesce(instances_launched, (random()%2)*0.0000000001) | eval HourOfDay=strftime(_time, \"%H\") | eval HourOfDay=floor(HourOfDay/4)*4 | eval DayOfWeek=strftime(_time, \"%w\") | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) | table _time instances_launched, HourOfDay, isWeekend | fit DensityFunction instances_launched by \"HourOfDay,isWeekend\" into cloud_excessive_instances_created_v1 dist=expon show_density=true", "how_to_implement": "You must have Enterprise Security 6.0 or later, if not you will need to verify that the Machine Learning Toolkit (MLTK) version 4.2 or later is installed, along with any required dependencies. Depending on the number of users in your environment, you may also need to adjust the value for max_inputs in the MLTK settings for the DensityFunction algorithm, then ensure that the search completes in a reasonable timeframe. By default, the search builds the model using the past 90 days of data. You can modify the search window to build the model over a longer period of time, which may give you better results. You may also want to periodically re-run this search to rebuild the model with the latest data.\nMore information on the algorithm used in the search can be found at `https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#DensityFunction`.", "known_false_positives": "none", "datamodel": ["Change"]}, {"name": "Baseline Of Cloud Security Group API Calls Per User", "author": "David Dorsey, Splunk", "date": "2020-09-07", "version": 1, "id": "67b84d51-8329-4909-849f-8d38ce54260a", "description": "This search is used to build a Machine Learning Toolkit (MLTK) model for how many API calls for security groups are performed by each user. By default, the search uses the last 90 days of data to build the model and the model is rebuilt weekly.", "references": [], "tags": {"analytic_story": ["Suspicious Cloud User Activities"], "detections": ["Abnormally High Number Of Cloud Security Group API Calls"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Changes.user", "All_Changes.status", "All_Changes.object_category"], "security_domain": "network", "deployments": null}, "type": "Baseline", "search": "| tstats count as security_group_api_calls from datamodel=Change where All_Changes.object_category=firewall All_Changes.status=success by All_Changes.user _time span=1h | `drop_dm_object_name(\"All_Changes\")` | eval HourOfDay=strftime(_time, \"%H\") | eval HourOfDay=floor(HourOfDay/4)*4 | eval DayOfWeek=strftime(_time, \"%w\") | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) | table _time security_group_api_calls, user, HourOfDay, isWeekend | eventstats dc(security_group_api_calls) as security_group_api_calls by user, HourOfDay, isWeekend | where security_group_api_calls >= 1 | fit DensityFunction security_group_api_calls by \"user,HourOfDay,isWeekend\" into cloud_excessive_security_group_api_calls_v1 dist=norm show_density=true", "how_to_implement": "You must have Enterprise Security 6.0 or later, if not you will need to verify that the Machine Learning Toolkit (MLTK) version 4.2 or later is installed, along with any required dependencies. Depending on the number of users in your environment, you may also need to adjust the value for max_inputs in the MLTK settings for the DensityFunction algorithm, then ensure that the search completes in a reasonable timeframe. By default, the search builds the model using the past 90 days of data. You can modify the search window to build the model over a longer period of time, which may give you better results. You may also want to periodically re-run this search to rebuild the model with the latest data.", "known_false_positives": "none", "datamodel": ["Change"]}, {"name": "Baseline of Command Line Length - MLTK", "author": "Rico Valdez, Splunk", "date": "2019-05-08", "version": 1, "id": "d2a4d85b-fc6a-47a0-82f6-bc1ec2ebc459", "description": "This search is used to build a Machine Learning Toolkit (MLTK) model to characterize the length of the command lines observed for each user in the environment. By default, the search uses the last 30 days of data to build the model. The model created by this search is then used in the corresponding detection search, which identifies outliers in the length of the command line.", "references": [], "tags": {"analytic_story": ["Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Ransomware", "Suspicious Command-Line Executions", "Suspicious MSHTA Activity", "Unusual Processes"], "detections": ["Unusually Long Command Line - MLTK"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.user", "Processes.dest", "Processes.process_name", "Processes.process"], "security_domain": "endpoint", "deployments": null}, "type": "Baseline", "search": "| tstats `security_content_summariesonly` count min(_time) as start_time max(_time) as end_time FROM datamodel=Endpoint.Processes by Processes.user Processes.dest Processes.process_name Processes.process | `drop_dm_object_name(Processes)` | search user!=unknown | `security_content_ctime(start_time)`| `security_content_ctime(end_time)`| eval processlen=len(process) | fit DensityFunction processlen by user into cmdline_pdfmodel", "how_to_implement": "You must be ingesting endpoint data and populating the Endpoint data model. In addition, you must have the Machine Learning Toolkit (MLTK) version >= 4.2 installed, along with any required dependencies. Depending on the number of users in your environment, you may also need to adjust the value for max_inputs in the MLTK settings for the DensityFunction algorithm, then ensure that the search completes in a reasonable timeframe. By default, the search builds the model using the past 30 days of data. You can modify the search window to build the model over a longer period of time, which may give you better results. You may also want to periodically re-run this search to rebuild the model with the latest data. More information on the algorithm used in the search can be found at `https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#DensityFunction`.", "known_false_positives": "none", "datamodel": []}, {"name": "Baseline of DNS Query Length - MLTK", "author": "Rico Valdez, Splunk", "date": "2019-05-08", "version": 1, "id": "c914844c-0ff5-4efc-8d44-c063443129ba", "description": "This search is used to build a Machine Learning Toolkit (MLTK) model to characterize the length of the DNS queries for each DNS record type observed in the environment. By default, the search uses the last 30 days of data to build the model. The model created by this search is then used in the corresponding detection search, which uses it to identify outliers in the length of the DNS query.", "references": [], "tags": {"analytic_story": ["Command And Control", "Hidden Cobra Malware", "Suspicious DNS Traffic"], "detections": ["DNS Query Length Outliers - MLTK"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "DNS.query", "DNS.record_type"], "security_domain": "network", "deployments": null}, "type": "Baseline", "search": "| tstats `security_content_summariesonly` count from datamodel=Network_Resolution by DNS.query DNS.record_type | search DNS.record_type=* | `drop_dm_object_name(\"DNS\")` | eval query_length = len(query) | fit DensityFunction query_length by record_type into dns_query_pdfmodel", "how_to_implement": "To successfully implement this search, you will need to ensure that DNS data is populating the Network_Resolution data model. In addition, you must have the Machine Learning Toolkit (MLTK) version >= 4.2 installed, along with any required dependencies. By default, the search builds the model using the past 30 days of data. You can modify the search window to build the model over a longer period of time, which may give you better results. You may also want to periodically re-run this search to rebuild the model with the latest data. More information on the algorithm used in the search can be found at `https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#DensityFunction`.", "known_false_positives": "none", "datamodel": ["Network_Resolution"]}, {"name": "Baseline Of Kubernetes Container Network IO", "author": "Matthew Moore, Splunk", "date": "2023-12-19", "version": 1, "id": "6edaca1d-d436-42d0-8df0-6895d3bf5b70", "description": "This baseline rule calculates the average and standard deviation of inbound and outbound network IO for each Kubernetes container. It uses metrics from the Kubernetes API and the Splunk Infrastructure Monitoring Add-on. The rule generates a lookup table with the average and standard deviation of the network IO for each container. This baseline can be used to detect anomalies in network communication behavior, which may indicate security threats such as data exfiltration, command and control communication, or compromised container behavior.", "references": [], "tags": {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "detections": ["Kubernetes Anomalous Inbound Outbound Network IO"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["k8s.pod.network.io", "k8s.cluster.name", "k8s.node.name", "k8s.pod.name"], "security_domain": "network", "deployments": null}, "type": "Baseline", "search": "| mstats avg(k8s.pod.network.io) as io where `kubernetes_metrics` by k8s.cluster.name k8s.pod.name k8s.node.name direction span=10s | eval service = replace('k8s.pod.name', \"-\\w{5}$|-[abcdef0-9]{8,10}-\\w{5}$\", \"\") | eval key = 'k8s.cluster.name' + \":\" + 'service' | stats avg(eval(if(direction=\"transmit\", io,null()))) as avg_outbound_network_io avg(eval(if(direction=\"receive\", io,null()))) as avg_inbound_network_io stdev(eval(if(direction=\"transmit\", io,null()))) as stdev_outbound_network_io stdev(eval(if(direction=\"receive\", io,null()))) as stdev_inbound_network_io count latest(_time) as last_seen by key | outputlookup k8s_container_network_io_baseline ", "how_to_implement": "To implement this detection, follow these steps: 1. Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster. 2. Enable the hostmetrics/process receiver in the OTEL configuration. 3. Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled. 4. Install the Splunk Infrastructure Monitoring (SIM) add-on (ref: https://splunkbase.splunk.com/app/5247) 5. Configure the SIM add-on with your Observability Cloud Organization ID and Access Token. 6. Set up the SIM modular input to ingest Process Metrics. Name this input \"sim_process_metrics_to_metrics_index\". 7. In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID. 8. Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K') 9. Set the Metric Resolution to 10000. 10. Leave all other settings at their default values.", "known_false_positives": "none", "datamodel": []}, {"name": "Baseline Of Kubernetes Container Network IO Ratio", "author": "Matthew Moore, Splunk", "date": "2023-12-19", "version": 1, "id": "f395003b-6389-4e14-89bf-ac4dbea215bd", "description": "This baseline rule calculates the average ratio of inbound to outbound network IO for each Kubernetes container. It uses metrics from the Kubernetes API and the Splunk Infrastructure Monitoring Add-on. The rule generates a lookup table with the average and standard deviation of the network IO ratio for each container. This baseline can be used to detect anomalies in network communication behavior, which may indicate security threats such as data exfiltration, command and control communication, or compromised container behavior.", "references": [], "tags": {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "detections": ["Kubernetes Anomalous Inbound to Outbound Network IO Ratio"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["k8s.pod.network.io", "k8s.cluster.name", "k8s.node.name", "k8s.pod.name"], "security_domain": "network", "deployments": null}, "type": "Baseline", "search": "| mstats avg(k8s.pod.network.io) as io where `kubernetes_metrics` by k8s.cluster.name k8s.pod.name k8s.node.name direction span=10s | eval service = replace('k8s.pod.name', \"-\\w{5}$|-[abcdef0-9]{8,10}-\\w{5}$\", \"\") | eval key = 'k8s.cluster.name' + \":\" + 'service' | stats avg(eval(if(direction=\"transmit\", io,null()))) as outbound_network_io avg(eval(if(direction=\"receive\", io,null()))) as inbound_network_io by key _time | eval inbound:outbound = inbound_network_io/outbound_network_io | eval outbound:inbound = outbound_network_io/inbound_network_io | stats avg(*:*) as avg_*:* stdev(*:*) as stdev_*:* count latest(_time) as last_seen by key | outputlookup k8s_container_network_io_ratio_baseline ", "how_to_implement": "To implement this detection, follow these steps: 1. Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster. 2. Enable the hostmetrics/process receiver in the OTEL configuration. 3. Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled. 4. Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247) 5. Configure the SIM add-on with your Observability Cloud Organization ID and Access Token. 6. Set up the SIM modular input to ingest Process Metrics. Name this input \"sim_process_metrics_to_metrics_index\". 7. In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID. 8. Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K') 9. Set the Metric Resolution to 10000. 10. Leave all other settings at their default values.", "known_false_positives": "none", "datamodel": []}, {"name": "Baseline Of Kubernetes Process Resource", "author": "Matthew Moore, Splunk", "date": "2023-12-18", "version": 1, "id": "f749862b-5fae-415f-940b-823bdeba2315", "description": "This baseline rule calculates the average and standard deviation of various process resources in a Kubernetes environment. It uses metrics from the Kubernetes API and the Splunk Infrastructure Monitoring Add-on. The rule generates a lookup table with the average and standard deviation of the resource utilization for each process. This baseline can be used to detect anomalies in process resource utilization, which may indicate security threats such as resource exhaustion attacks, cryptojacking, or compromised process behavior.", "references": [], "tags": {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "detections": ["Kubernetes Process with Anomalous Resource Utilisation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["process.*", "host.name", "k8s.cluster.name", "k8s.node.name", "process.executable.name"], "security_domain": "network", "deployments": null}, "type": "Baseline", "search": "| mstats avg(process.*) as avg_process.* stdev(*) as stdev_* where `kubernetes_metrics` by host.name k8s.cluster.name k8s.node.name process.executable.name | eval key = 'k8s.cluster.name' + \":\" + 'host.name' + \":\" + 'process.executable.name' | fillnull | outputlookup k8s_process_resource_baseline", "how_to_implement": "To implement this detection, follow these steps: 1. Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster. 2. Enable the hostmetrics/process receiver in the OTEL configuration. 3. Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled. 4. Install the Splunk Infrastructure Monitoring (SIM) add-on. 5. Configure the SIM add-on with your Observability Cloud Organization ID and Access Token. 6. Set up the SIM modular input to ingest Process Metrics. Name this input \"sim_process_metrics_to_metrics_index\". 7. In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID. 8. Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K') 9. Set the Metric Resolution to 10000. 10. Leave all other settings at their default values.", "known_false_positives": "none", "datamodel": []}, {"name": "Baseline Of Kubernetes Process Resource Ratio", "author": "Matthew Moore, Splunk", "date": "2023-12-18", "version": 1, "id": "427f81cf-ce6a-4a24-a73d-70c50171ea66", "description": "This baseline rule calculates the average and standard deviation of the ratio of various process resources in a Kubernetes environment. It uses metrics from the Kubernetes API and the Splunk Infrastructure Monitoring Add-on. The rule generates a lookup table with the average and standard deviation of the resource ratios for each process. This baseline can be used to detect anomalies in process resource utilization, which may indicate security threats such as resource exhaustion attacks, cryptojacking, or compromised process behavior.", "references": [], "tags": {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "detections": ["Kubernetes Process with Resource Ratio Anomalies"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["process.*", "host.name", "k8s.cluster.name", "k8s.node.name", "process.executable.name"], "security_domain": "network", "deployments": null}, "type": "Baseline", "search": "| mstats avg(process.*) as process.* where `kubernetes_metrics` by host.name k8s.cluster.name k8s.node.name process.executable.name span=10s | eval cpu:mem = 'process.cpu.utilization'/'process.memory.utilization' | eval cpu:disk = 'process.cpu.utilization'/'process.disk.operations' | eval mem:disk = 'process.memory.utilization'/'process.memory.utilization' | eval cpu:threads = 'process.cpu.utilization'/'process.threads' | eval disk:threads = 'process.disk.operations'/'process.threads' | eval key = 'k8s.cluster.name' + \":\" + 'host.name' + \":\" + 'process.executable.name' | fillnull | stats avg(cpu:mem) as avg_cpu:mem stdev(cpu:mem) as stdev_cpu:mem avg(cpu:disk) as avg_cpu:disk stdev(cpu:disk) as stdev_cpu:disk avg(mem:disk) as avg_mem:disk stdev(mem:disk) as stdev_mem:disk avg(cpu:threads) as avg_cpu:threads stdev(cpu:threads) as stdev_cpu:threads avg(disk:threads) as avg_disk:threads stdev(disk:threads) as stdev_disk:threads count latest(_time) as last_seen by key | outputlookup k8s_process_resource_ratio_baseline ", "how_to_implement": "To implement this detection, follow these steps: 1. Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster. 2. Enable the hostmetrics/process receiver in the OTEL configuration. 3. Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled. 4. Install the Splunk Infrastructure Monitoring (SIM) add-on.(ref: https://splunkbase.splunk.com/app/5247) 5. Configure the SIM add-on with your Observability Cloud Organization ID and Access Token. 6. Set up the SIM modular input to ingest Process Metrics. Name this input \"sim_process_metrics_to_metrics_index\". 7. In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID. 8. Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K') 9. Set the Metric Resolution to 10000. 10. Leave all other settings at their default values.", "known_false_positives": "none", "datamodel": []}, {"name": "Baseline of Network ACL Activity by ARN", "author": "Bhavin Patel, Splunk", "date": "2018-05-21", "version": 1, "id": "fc0edd96-ff2b-4810-9f1f-63da3783fd63", "description": "This search establishes, on a per-hour basis, the average and the standard deviation of the number of API calls that were related to network ACLs made by each user. Also recorded is the number of data points for each user. This table is then outputted to a lookup file to allow the detection search to operate quickly.", "references": [], "tags": {"analytic_story": ["AWS Network ACL Activity"], "detections": ["Detect Spike in Network ACL Activity"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "userIdentity.arn"], "security_domain": "network", "deployments": null}, "type": "Baseline", "search": "`cloudtrail` `network_acl_events` | spath output=arn path=userIdentity.arn | bucket _time span=1h | stats count as apiCalls by _time, arn | stats count(apiCalls) as numDataPoints, latest(apiCalls) as latestCount, avg(apiCalls) as avgApiCalls, stdev(apiCalls) as stdevApiCalls by arn | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup network_acl_activity_baseline | stats count", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail inputs. To add or remove API event names for network ACLs, edit the macro `network_acl_events`.", "known_false_positives": "none", "datamodel": []}, {"name": "Baseline of S3 Bucket deletion activity by ARN", "author": "Bhavin Patel, Splunk", "date": "2018-07-17", "version": 1, "id": "841b102c-8866-494b-a704-87b674fe9b09", "description": "This search establishes, on a per-hour basis, the average and standard deviation for the number of API calls related to deleting an S3 bucket by each user. Also recorded is the number of data points for each user. This table is then outputted to a lookup file to allow the detection search to operate quickly.", "references": [], "tags": {"analytic_story": ["Suspicious AWS S3 Activities"], "detections": ["Detect Spike in S3 Bucket deletion"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "userIdentity.arn"], "security_domain": "network", "deployments": null}, "type": "Baseline", "search": "`cloudtrail` eventName=DeleteBucket | spath output=arn path=userIdentity.arn | bucket _time span=1h | stats count as apiCalls by _time, arn | stats count(apiCalls) as numDataPoints, latest(apiCalls) as latestCount, avg(apiCalls) as avgApiCalls, stdev(apiCalls) as stdevApiCalls by arn | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup s3_deletion_baseline | stats count", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail inputs.", "known_false_positives": "none", "datamodel": []}, {"name": "Baseline of Security Group Activity by ARN", "author": "Bhavin Patel, Splunk", "date": "2018-04-17", "version": 1, "id": "fc0edd96-ff2b-48b0-9f1f-63da3783fd63", "description": "This search establishes, on a per-hour basis, the average and the standard deviation for the number of API calls related to security groups made by each user. Also recorded is the number of data points for each user. This table is then outputted to a lookup file to allow the detection search to operate quickly.", "references": [], "tags": {"analytic_story": ["AWS User Monitoring"], "detections": ["Detect Spike in Security Group Activity"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "userIdentity.arn"], "security_domain": "network", "deployments": null}, "type": "Baseline", "search": "`cloudtrail` `security_group_api_calls` | spath output=arn path=userIdentity.arn | bucket _time span=1h | stats count as apiCalls by _time, arn | stats count(apiCalls) as numDataPoints, latest(apiCalls) as latestCount, avg(apiCalls) as avgApiCalls, stdev(apiCalls) as stdevApiCalls by arn | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup security_group_activity_baseline | stats count", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail inputs. To add or remove API event names for security groups, edit the macro `security_group_api_calls`.", "known_false_positives": "none", "datamodel": []}, {"name": "Baseline of SMB Traffic - MLTK", "author": "Rico Valdez, Splunk", "date": "2019-05-08", "version": 1, "id": "df98763b-0b08-4281-8ef9-08db7ac572a9", "description": "This search is used to build a Machine Learning Toolkit (MLTK) model to characterize the number of SMB connections observed each hour for every day of week. By default, the search uses the last 30 days of data to build the model. The model created by this search is then used in the corresponding detection search to identify outliers in the number of SMB connections for that hour and day of the week.", "references": [], "tags": {"analytic_story": ["DHS Report TA18-074A", "Disabling Security Tools", "Emotet Malware DHS Report TA18-201A", "Hidden Cobra Malware", "Netsh Abuse", "Ransomware"], "detections": ["Processes launching netsh", "SMB Traffic Spike - MLTK"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Traffic.dest_port", "All_Traffic.app", "All_Traffic.src"], "security_domain": "network", "deployments": null}, "type": "Baseline", "search": "| tstats `security_content_summariesonly` count from datamodel=Network_Traffic where All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb by _time span=1h, All_Traffic.src | eval HourOfDay=strftime(_time, \"%H\") | eval DayOfWeek=strftime(_time, \"%A\") | `drop_dm_object_name(\"All_Traffic\")` | fit DensityFunction count by \"HourOfDay,DayOfWeek\" into smb_pdfmodel", "how_to_implement": "You must be ingesting network traffic and populating the Network_Traffic data model. In addition, you must have the Machine Learning Toolkit (MLTK) version >= 4.2 installed, along with any required dependencies. To improve your results, you may consider adding \"src\" to the by clause, which will build the model for each unique source in your enviornment. However, if you have a large number of hosts in your environment, this search may be very resource intensive. In this case, you may need to raise the value of max_inputs and/or max_groups in the MLTK settings for the DensityFunction algorithm, then ensure that the search completes in a reasonable timeframe. By default, the search builds the model using the past 30 days of data. You can modify the search window to build the model over a longer period of time, which may give you better results. You may also want to periodically re-run this search to rebuild the model with the latest data. More information on the algorithm used in the search can be found at `https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#DensityFunction`.", "known_false_positives": "none", "datamodel": ["Network_Traffic"]}, {"name": "Count of assets by category", "author": "Bhavin Patel, Splunk", "date": "2017-09-13", "version": 1, "id": "dcfd6b40-42f9-469d-a433-2e53f7489ff9", "description": "This search shows you every asset category you have and the assets that belong to those categories.", "references": [], "tags": {"analytic_story": ["Asset Tracking"], "detections": ["Detect Unauthorized Assets by MAC address"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Identity_Management.All_Assets", "category"], "security_domain": "endpoint", "deployments": null}, "type": "Baseline", "search": "| from datamodel Identity_Management.All_Assets | stats count values(nt_host) by category | sort -count", "how_to_implement": "To successfully implement this search you must first leverage the Assets and Identity framework in Enterprise Security to populate your assets_by_str.csv file which should then be mapped to the Identity_Management data model. The Identity_Management data model will contain a list of known authorized company assets. Ensure that all inventoried systems are constantly vetted and updated.", "known_false_positives": "none", "datamodel": []}, {"name": "Count of Unique IPs Connecting to Ports", "author": "David Dorsey, Splunk", "date": "2017-09-13", "version": 1, "id": "9f3bae5a-9fe3-49df-8c84-5edc51d84b7f", "description": "The search counts the number of times a connection was observed to each destination port, and the number of unique source IPs connecting to them.", "references": [], "tags": {"analytic_story": ["Command And Control", "Prohibited Traffic Allowed or Protocol Mismatch", "Ransomware"], "detections": ["Prohibited Network Traffic Allowed"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Traffic.dest_port", "All_Traffic.src"], "security_domain": "network", "deployments": null}, "type": "Baseline", "search": "| tstats `security_content_summariesonly` count dc(All_Traffic.src) as numberOfUniqueHosts from datamodel=Network_Traffic by All_Traffic.dest_port | `drop_dm_object_name(\"All_Traffic\")` | sort - count", "how_to_implement": "To successfully implement this search, you must be ingesting network traffic, and populating the Network_Traffic data model.", "known_false_positives": "none", "datamodel": ["Network_Traffic"]}, {"name": "Create a list of approved AWS service accounts", "author": "Bhavin Patel, Splunk", "date": "2018-12-03", "version": 2, "id": "08ef80f5-6555-474b-bb2d-22e2aa4206a4", "description": "This search looks for successful API activity in CloudTrail within the last 30 days, filters out known users from the identity table, and outputs values of users into `aws_service_accounts.csv` lookup file.", "references": [], "tags": {"analytic_story": ["AWS User Monitoring"], "detections": ["Detect AWS API Activities From Unapproved Accounts"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "errorCode", "userName"], "security_domain": "network", "deployments": null}, "type": "Baseline", "search": "`cloudtrail` errorCode=success | rename userName as identity | search NOT [inputlookup identity_lookup_expanded | fields identity] | stats count by identity | table identity | outputlookup aws_service_accounts | stats count", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. Please validate the service account entires in `aws_service_accounts.csv`, which is a lookup file created as a result of running this support search. Please remove the entries of service accounts that are not legitimate.", "known_false_positives": "none", "datamodel": []}, {"name": "Add Prohibited Processes to Enterprise Security", "author": "David Dorsey, Splunk", "date": "2017-09-15", "version": 1, "id": "251930a5-1451-4428-bb13-eed5775be0ce", "description": "This search takes the existing interesting process table from ES, filters out any existing additions added by ESCU and then updates the table with processes identified by ESCU that should be prohibited on your endpoints.", "references": [], "tags": {"analytic_story": ["Emotet Malware DHS Report TA18-201A", "Monitor for Unauthorized Software", "SamSam Ransomware"], "detections": ["Prohibited Software On Endpoint"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "security_domain": "endpoint", "deployments": null}, "type": "Baseline", "search": "| inputlookup prohibited_processes | search note!=ESCU* | inputlookup append=T prohibited_processes | fillnull value=* dest dest_pci_domain | fillnull value=false is_required is_secure | fillnull value=true is_prohibited | outputlookup prohibited_processes | stats count", "how_to_implement": "This search should be run on each new install of ESCU.", "known_false_positives": "none", "datamodel": []}, {"name": "Baseline of API Calls per User ARN", "author": "David Dorsey, Splunk", "date": "2018-04-09", "version": 1, "id": "4b5119c3-5369-4040-9430-b63b1a314229", "description": "This search establishes, on a per-hour basis, the average and the standard deviation of the number of API calls made by each user. Also recorded is the number of data points for each user. This table is then outputted to a lookup file to allow the detection search to operate quickly.", "references": [], "tags": {"analytic_story": ["AWS User Monitoring"], "detections": ["Detect Spike in AWS API Activity"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventType", "userIdentity.arn"], "security_domain": "network", "deployments": null}, "type": "Baseline", "search": "`cloudtrail` eventType=AwsApiCall | spath output=arn path=userIdentity.arn | bucket _time span=1h | stats count as apiCalls by _time, arn | stats count(apiCalls) as numDataPoints, latest(apiCalls) as latestCount, avg(apiCalls) as avgApiCalls, stdev(apiCalls) as stdevApiCalls by arn | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup api_call_by_user_baseline | stats count", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail inputs.", "known_false_positives": "none", "datamodel": []}, {"name": "Baseline of Excessive AWS Instances Launched by User - MLTK", "author": "Jason Brewer, Splunk", "date": "2019-11-14", "version": 1, "id": "fa5634df-fb05-4b4b-aba0-6115138bb1ba", "description": "This search is used to build a Machine Learning Toolkit (MLTK) model for how many RunInstances users do in the environment. By default, the search uses the last 90 days of data to build the model. The model created by this search is then used in the corresponding detection search, which identifies subsequent outliers in the number of RunInstances performed by a user in a small time window.", "references": [], "tags": {"analytic_story": ["AWS Cryptomining", "Suspicious AWS EC2 Activities"], "detections": ["Abnormally High AWS Instances Launched by User - MLTK"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "errorCode", "src_user"], "security_domain": "network", "deployments": null}, "type": "Baseline", "search": "`cloudtrail` eventName=RunInstances errorCode=success `ec2_excessive_runinstances_mltk_input_filter` | bucket span=10m _time | stats count as instances_launched by _time src_user | fit DensityFunction instances_launched threshold=0.0005 into ec2_excessive_runinstances_v1", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs.\nIn addition, you must have the Machine Learning Toolkit (MLTK) version >= 4.2 installed, along with any required dependencies. Depending on the number of users in your environment, you may also need to adjust the value for max_inputs in the MLTK settings for the DensityFunction algorithm, then ensure that the search completes in a reasonable timeframe. By default, the search builds the model using the past 30 days of data. You can modify the search window to build the model over a longer period of time, which may give you better results. You may also want to periodically re-run this search to rebuild the model with the latest data.\nMore information on the algorithm used in the search can be found at `https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#DensityFunction`.", "known_false_positives": "none", "datamodel": []}, {"name": "Baseline of Excessive AWS Instances Terminated by User - MLTK", "author": "Jason Brewer, Splunk", "date": "2019-11-14", "version": 1, "id": "b28ed6de-e4ba-40f7-ae0a-93a088c774ab", "description": "This search is used to build a Machine Learning Toolkit (MLTK) model for how many TerminateInstances users do in the environment. By default, the search uses the last 90 days of data to build the model. The model created by this search is then used in the corresponding detection search, which identifies subsequent outliers in the number of TerminateInstances performed by a user in a small time window.", "references": [], "tags": {"analytic_story": ["Suspicious AWS EC2 Activities"], "detections": ["Abnormally High AWS Instances Terminated by User - MLTK"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "errorCode", "src_user"], "security_domain": "network", "deployments": null}, "type": "Baseline", "search": "`cloudtrail` eventName=TerminateInstances errorCode=success `ec2_excessive_terminateinstances_mltk_input_filter` | bucket span=10m _time | stats count as instances_terminated by _time src_user | fit DensityFunction instances_terminated threshold=0.0005 into ec2_excessive_terminateinstances_v1", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs.\nIn addition, you must have the Machine Learning Toolkit (MLTK) version >= 4.2 installed, along with any required dependencies. Depending on the number of users in your environment, you may also need to adjust the value for max_inputs in the MLTK settings for the DensityFunction algorithm, then ensure that the search completes in a reasonable timeframe. By default, the search builds the model using the past 30 days of data. You can modify the search window to build the model over a longer period of time, which may give you better results. You may also want to periodically re-run this search to rebuild the model with the latest data.\nMore information on the algorithm used in the search can be found at `https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#DensityFunction`.", "known_false_positives": "none", "datamodel": []}, {"name": "Previously seen API call per user roles in CloudTrail", "author": "Bhavin Patel, Splunk", "date": "2018-04-16", "version": 1, "id": "02add098-efa3-428d-b2e2-4ed0831c92f4", "description": "This search looks for successful API calls made by different user roles, then creates a baseline of the earliest and latest times we have encountered this user role. It also returns the name of the API call in our dataset--grouped by user role and name of the API call--that occurred within the last 30 days. In this support search, we are only looking for events where the user identity is Assumed Role.", "references": [], "tags": {"analytic_story": ["AWS User Monitoring"], "detections": ["Detect new API calls from user roles"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventType", "errorCode", "userIdentity.type", "userName", "eventName"], "security_domain": "network", "deployments": null}, "type": "Baseline", "search": "`cloudtrail` eventType=AwsApiCall errorCode=success userIdentity.type=AssumedRole | stats earliest(_time) as earliest latest(_time) as latest by userName eventName | outputlookup previously_seen_api_calls_from_user_roles | stats count", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. Please validate the user role entries in `previously_seen_api_calls_from_user_roles.csv`, which is a lookup file created as a result of running this support search.", "known_false_positives": "none", "datamodel": []}, {"name": "Previously Seen AWS Provisioning Activity Sources", "author": "David Dorsey, Splunk", "date": "2018-03-16", "version": 1, "id": "ac88e6a0-4fba-4dfd-b7b9-8964df7d1aee", "description": "This search builds a table of the first and last times seen for every IP address (along with its physical location) previously associated with cloud-provisioning activity. This is broadly defined as any event that runs or creates something.", "references": [], "tags": {"analytic_story": ["AWS Suspicious Provisioning Activities"], "detections": ["AWS Cloud Provisioning From Previously Unseen IP Address", "AWS Cloud Provisioning From Previously Unseen City", "AWS Cloud Provisioning From Previously Unseen Country", "AWS Cloud Provisioning From Previously Unseen Region"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "sourceIPAddress"], "security_domain": "network", "deployments": null}, "type": "Baseline", "search": "`cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | stats earliest(_time) as firstTime, latest(_time) as lastTime by sourceIPAddress, City, Region, Country | outputlookup previously_seen_provisioning_activity_src | stats count", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs.", "known_false_positives": "none", "datamodel": []}, {"name": "Previously Seen EC2 AMIs", "author": "David Dorsey, Splunk", "date": "2018-03-12", "version": 1, "id": "bb1bd99d-1e93-45f1-9571-cfed42d372b9", "description": "This search builds a table of previously seen AMIs used to launch EC2 instances", "references": [], "tags": {"analytic_story": ["AWS Cryptomining"], "detections": ["EC2 Instance Started With Previously Unseen AMI"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "errorCode", "requestParameters.instancesSet.items{}.imageId"], "security_domain": "network", "deployments": null}, "type": "Baseline", "search": "`cloudtrail` eventName=RunInstances errorCode=success | rename requestParameters.instancesSet.items{}.imageId as amiID | stats earliest(_time) as firstTime latest(_time) as lastTime by amiID | outputlookup previously_seen_ec2_amis | stats count", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail inputs.", "known_false_positives": "none", "datamodel": []}, {"name": "Previously Seen EC2 Instance Types", "author": "David Dorsey, Splunk", "date": "2018-03-08", "version": 1, "id": "b8f029f2-65a6-4d76-be98-dad1c9d59c45", "description": "This search builds a table of previously seen EC2 instance types", "references": [], "tags": {"analytic_story": ["AWS Cryptomining"], "detections": ["EC2 Instance Started With Previously Unseen Instance Type"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "errorCode", "requestParameters.instanceType"], "security_domain": "network", "deployments": null}, "type": "Baseline", "search": "`cloudtrail` eventName=RunInstances errorCode=success | rename requestParameters.instanceType as instanceType | fillnull value=\"m1.small\" instanceType | stats earliest(_time) as earliest latest(_time) as latest by instanceType | outputlookup previously_seen_ec2_instance_types | stats count", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail inputs.", "known_false_positives": "none", "datamodel": []}, {"name": "Previously Seen EC2 Launches By User", "author": "David Dorsey, Splunk", "date": "2018-03-15", "version": 1, "id": "6c767ac0-0906-4355-9a83-927f5ee7bdad", "description": "This search builds a table of previously seen ARNs that have launched a EC2 instance.", "references": [], "tags": {"analytic_story": ["AWS Cryptomining", "Suspicious AWS EC2 Activities"], "detections": ["EC2 Instance Started With Previously Unseen User"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "errorCode", "requestParameters.instanceType"], "security_domain": "network", "deployments": null}, "type": "Baseline", "search": "`cloudtrail` eventName=RunInstances errorCode=success | rename userIdentity.arn as arn | stats earliest(_time) as firstTime latest(_time) as lastTime by arn | outputlookup previously_seen_ec2_launches_by_user | stats count", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail inputs.", "known_false_positives": "none", "datamodel": []}, {"name": "Previously seen users in CloudTrail", "author": "Jason Brewer, Splunk", "date": "2018-04-30", "version": 1, "id": "fc0edc95-ff2b-48b0-9f6f-63da3789fd03", "description": "This search looks for CloudTrail events where a user logs into the console, then creates a baseline of the latest and earliest times, City, Region, and Country we have encountered this user in our dataset, grouped by ARN, within the last 30 days. NOTE - This baseline search is deprecated and has been updated to use the Authentication Datamodel", "references": [], "tags": {"analytic_story": ["Suspicious AWS Login Activities"], "detections": ["Detect AWS Console Login by User from New Country", "Detect AWS Console Login by User from New Region", "Detect AWS Console Login by User from New City", "Detect new user AWS Console Login"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "userIdentity.arn", "src"], "security_domain": "network", "deployments": null}, "type": "Baseline", "search": "`cloudtrail` eventName=ConsoleLogin | rename userIdentity.arn as user | iplocation src | eval City=if(City LIKE \"\",src,City),Region=if(Region LIKE \"\",src,Region) | stats earliest(_time) as firstTime latest(_time) as lastTime by user src City Region Country | outputlookup previously_seen_users_console_logins_cloudtrail | stats count", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. Please validate the user name entries in `previously_seen_users_console_logins_cloudtrail`, which is a lookup file created as a result of running this support search.", "known_false_positives": "none", "datamodel": []}, {"name": "Update previously seen users in CloudTrail", "author": "Jason Brewer, Splunk", "date": "2018-04-30", "version": 1, "id": "06c036e6-d6d7-4daa-bd76-411c3d356031", "description": "This search looks for CloudTrail events where a user logs into the console, then updates the baseline of the latest and earliest times, City, Region, and Country we have encountered this user in our dataset, grouped by ARN, within the last hour. NOTE - This baseline search is deprecated and has been updated to use the Authentication Datamodel", "references": [], "tags": {"analytic_story": ["Suspicious AWS Login Activities"], "detections": ["Detect AWS Console Login by User from New Country", "Detect AWS Console Login by User from New Region", "Detect AWS Console Login by User from New City", "Detect new user AWS Console Login"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "userIdentity.arn", "src"], "security_domain": "network", "deployments": null}, "type": "Baseline", "search": "`cloudtrail` eventName=ConsoleLogin | rename userIdentity.arn as user | iplocation src | eval City=if(City LIKE \"\",src,City),Region=if(Region LIKE \"\",src,Region) | stats earliest(_time) AS firstTime latest(_time) AS lastTime by user src City Region Country | inputlookup append=t previously_seen_users_console_logins_cloudtrail | stats min(firstTime) as firstTime max(lastTime) as lastTime by user src City Region Country | outputlookup previously_seen_users_console_logins_cloudtrail", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. Please validate the user name entries in `previously_seen_users_console_logins_cloudtrail`, which is a lookup file created as a result of running this support search.", "known_false_positives": "none", "datamodel": []}, {"name": "Discover DNS records", "author": "Jose Hernandez, Splunk", "date": "2019-02-14", "version": 1, "id": "c096f721-8842-42ce-bfc7-74bd8c72b7c3", "description": "The search takes corporate and common cloud provider domains configured under `cim_corporate_email_domains.csv`, `cim_corporate_web_domains.csv`, and `cloud_domains.csv` finds their responses across the last 30 days from data in the `Network_Resolution ` datamodel, then stores the output under the `discovered_dns_records.csv` lookup", "references": [], "tags": {"analytic_story": ["DNS Hijacking"], "detections": ["DNS record changed"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "DNS.record_type", "DNS.answer", "DNS.query"], "security_domain": "network", "deployments": null}, "type": "Baseline", "search": "| inputlookup cim_corporate_email_domains.csv | inputlookup append=T cim_corporate_web_domains.csv | inputlookup append=T cim_cloud_domains.csv | eval domain = trim(replace(domain, \"\\*\", \"\")) | join domain [|tstats `security_content_summariesonly` count values(DNS.record_type) as type, values(DNS.answer) as answer from datamodel=Network_Resolution where DNS.message_type=RESPONSE DNS.answer!=\"unknown\" DNS.answer!=\"\" by DNS.query | rename DNS.query as query | where query!=\"unknown\" | rex field=query \"(?\\w+\\.\\w+?)(?:$|/)\"] | makemv delim=\" \" answer | makemv delim=\" \" type | sort -count | table count,domain,type,query,answer | outputlookup createinapp=true discovered_dns_records", "how_to_implement": "To successfully implement this search, you must be ingesting DNS logs, and populating the Network_Resolution data model. Also make sure that the cim_corporate_web_domains and cim_corporate_email_domains lookups are populated with the domains owned by your corporation", "known_false_positives": "none", "datamodel": ["Network_Resolution"]}, {"name": "DNSTwist Domain Names", "author": "David Dorsey, Splunk", "date": "2018-10-08", "version": 2, "id": "19f7d2ec-6028-4d01-bcdb-bda9a034c17f", "description": "This search creates permutations of your existing domains, removes the valid domain names and stores them in a specified lookup file so they can be checked for in the associated detection searches.", "references": [], "tags": {"analytic_story": ["Brand Monitoring", "Suspicious Emails"], "detections": ["Monitor Email For Brand Abuse", "Monitor DNS For Brand Abuse", "Monitor Web Traffic For Brand Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "security_domain": "network", "deployments": null}, "type": "Baseline", "search": "| dnstwist domainlist=domains.csv | `remove_valid_domains` | eval domain_abuse=\"true\" | table domain, domain_abuse | outputlookup brandMonitoring_lookup | stats count", "how_to_implement": "To successfully implement this search you need to update the file called domains.csv in the DA-ESS-SOC/lookup directory. Or `cim_corporate_email_domains.csv` and `cim_corporate_web_domains.csv` from **Splunk\\_SA\\_CIM**.", "known_false_positives": "none", "datamodel": []}, {"name": "Identify Systems Creating Remote Desktop Traffic", "author": "David Dorsey, Splunk", "date": "2017-09-15", "version": 1, "id": "5cdda34f-4caf-4128-a713-0837fc48b67a", "description": "This search counts the numbers of times the system has generated remote desktop traffic.", "references": [], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Hidden Cobra Malware", "Ryuk Ransomware", "SamSam Ransomware"], "detections": ["Remote Desktop Network Traffic"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Traffic.dest_port", "All_Traffic.src"], "security_domain": "network", "deployments": null}, "type": "Baseline", "search": "| tstats `security_content_summariesonly` count from datamodel=Network_Traffic where All_Traffic.dest_port=3389 by All_Traffic.src | `drop_dm_object_name(\"All_Traffic\")` | sort - count", "how_to_implement": "To successfully implement this search, you must ingest network traffic and populate the Network_Traffic data model.", "known_false_positives": "none", "datamodel": ["Network_Traffic"]}, {"name": "Identify Systems Receiving Remote Desktop Traffic", "author": "David Dorsey, Splunk", "date": "2017-09-15", "version": 1, "id": "baaeea15-fe8a-4090-92c2-5b60943bb608", "description": "This search counts the numbers of times the system has created remote desktop traffic", "references": [], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Hidden Cobra Malware", "Ryuk Ransomware", "SamSam Ransomware"], "detections": ["Remote Desktop Network Traffic"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Traffic.dest_port", "All_Traffic.dest"], "security_domain": "network", "deployments": null}, "type": "Baseline", "search": "| tstats `security_content_summariesonly` count from datamodel=Network_Traffic where All_Traffic.dest_port=3389 by All_Traffic.dest | `drop_dm_object_name(\"All_Traffic\")` | sort - count", "how_to_implement": "To successfully implement this search you must ingest network traffic and populate the Network_Traffic data model. If a system receives a lot of remote desktop traffic, you can apply the category common_rdp_destination to it.", "known_false_positives": "none", "datamodel": ["Network_Traffic"]}, {"name": "Identify Systems Using Remote Desktop", "author": "David Dorsey, Splunk", "date": "2019-04-01", "version": 1, "id": "063dfe9f-b1d7-4254-a16d-1e2e7eadd6a8", "description": "This search counts the numbers of times the remote desktop process, mstsc.exe, has run on each system.", "references": [], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Hidden Cobra Malware", "Ryuk Ransomware", "SamSam Ransomware"], "detections": ["Remote Desktop Network Traffic"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_name", "Processes.dest"], "security_domain": "endpoint", "deployments": null}, "type": "Baseline", "search": "| tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes where Processes.process_name=\"*mstsc.exe*\" by Processes.dest Processes.process_name | `drop_dm_object_name(Processes)` | sort - count", "how_to_implement": "To successfully implement this search you must be ingesting endpoint data that records process activity.", "known_false_positives": "none", "datamodel": ["Endpoint"]}, {"name": "Monitor Successful Backups", "author": "David Dorsey, Splunk", "date": "2017-09-12", "version": 1, "id": "b4d0dfb2-2195-4f6e-93a3-48468ed9734e", "description": "This search is intended to give you a feel for how often successful backups are conducted in your environment. Fluctuations in these numbers will allow you to determine when you should investigate.", "references": [], "tags": {"analytic_story": ["Monitor Backup Solution"], "detections": ["Unsuccessful Netbackup backups"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "security_domain": "endpoint", "deployments": null}, "type": "Baseline", "search": "`netbackup` \"Disk/Partition backup completed successfully.\" | bucket _time span=1d | stats dc(COMPUTERNAME) as count values(COMPUTERNAME) as dest by _time, MESSAGE", "how_to_implement": "To successfully implement this search you must be ingesting your backup logs.", "known_false_positives": "none", "datamodel": []}, {"name": "Monitor Unsuccessful Backups", "author": "David Dorsey, Splunk", "date": "2017-09-12", "version": 1, "id": "b2178fed-592f-492b-b851-74161678aa56", "description": "This search is intended to give you a feel for how often backup failures happen in your environments. Fluctuations in these numbers will allow you to determine when you should investigate.", "references": [], "tags": {"analytic_story": ["Monitor Backup Solution"], "detections": ["Unsuccessful Netbackup backups"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "security_domain": "endpoint", "deployments": null}, "type": "Baseline", "search": "`netbackup` \"An error occurred, failed to backup.\" | bucket _time span=1d | stats dc(COMPUTERNAME) as count values(COMPUTERNAME) as dest by _time, MESSAGE", "how_to_implement": "To successfully implement this search you must be ingesting your backup logs.", "known_false_positives": "none", "datamodel": []}, {"name": "Previously Seen AWS Cross Account Activity", "author": "David Dorsey, Splunk", "date": "2018-06-04", "version": 1, "id": "1cc22b09-c867-416e-a511-cb36ac44aee2", "description": "This search looks for **AssumeRole** events where the requesting account differs from the requested account, then writes these relationships to a lookup file.", "references": [], "tags": {"analytic_story": ["AWS Cross Account Activity"], "detections": ["AWS Cross Account Activity From Previously Unseen Account"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "userIdentity.accountId", "resources{}.accountId"], "security_domain": "network", "deployments": null}, "type": "Baseline", "search": "`cloudtrail` eventName=AssumeRole | spath output=requestingAccountId path=userIdentity.accountId | spath output=requestedAccountId path=resources{}.accountId | search requestingAccountId=* | where requestingAccountId!=requestedAccountId | stats earliest(_time) as firstTime latest(_time) as lastTime by requestingAccountId, requestedAccountId | outputlookup previously_seen_aws_cross_account_activity | stats count", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. Validate the user name entries in `previously_seen_aws_cross_account_activity.csv`, a lookup file created by this support search.", "known_false_positives": "none", "datamodel": []}, {"name": "Previously Seen AWS Cross Account Activity - Initial", "author": "Rico Valdez, Splunk", "date": "2020-08-15", "version": 1, "id": "82af2ed9-8f4b-4785-a152-ba61e6a23bbf", "description": "This search looks for **AssumeRole** events where the requesting account differs from the requested account, then writes these relationships to a lookup file.", "references": [], "tags": {"analytic_story": ["Suspicious Cloud Authentication Activities"], "detections": ["AWS Cross Account Activity From Previously Unseen Account"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Authentication.signature", "Authentication.vendor_account", "Authentication.user", "Authentication.src", "Authentication.user_role"], "security_domain": "network", "deployments": null}, "type": "Baseline", "search": "| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=AssumeRole by Authentication.vendor_account Authentication.user Authentication.src Authentication.user_role | `drop_dm_object_name(Authentication)` | rex field=user_role \"arn:aws:sts:*:(?.*):\" | where vendor_account != dest_account | rename vendor_account as requestingAccountId dest_account as requestedAccountId | table requestingAccountId requestedAccountId firstTime lastTime | outputlookup previously_seen_aws_cross_account_activity", "how_to_implement": "You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later)and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Validate the user name entries in `previously_seen_aws_cross_account_activity.csv`, a lookup file created by this support search.", "known_false_positives": "none", "datamodel": ["Authentication"]}, {"name": "Previously Seen AWS Cross Account Activity - Update", "author": "Rico Valdez, Splunk", "date": "2020-08-15", "version": 1, "id": "dd6fb3a9-4906-48cb-8626-c88a25a056c3", "description": "This search looks for **AssumeRole** events where the requesting account differs from the requested account, then writes these relationships to a lookup file.", "references": [], "tags": {"analytic_story": ["Suspicious Cloud Authentication Activities"], "detections": ["AWS Cross Account Activity From Previously Unseen Account"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Authentication.signature", "Authentication.vendor_account", "Authentication.user", "Authentication.src", "Authentication.user_role"], "security_domain": "network", "deployments": null}, "type": "Baseline", "search": "| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=AssumeRole by Authentication.vendor_account Authentication.user Authentication.src Authentication.user_role | `drop_dm_object_name(Authentication)` | rex field=user_role \"arn:aws:sts:*:(?.*):\" | where vendor_account != dest_account | rename vendor_account as requestingAccountId dest_account as requestedAccountId | inputlookup append=t previously_seen_aws_cross_account_activity | stats min(firstTime) as firstTime max(lastTime) as lastTime by requestingAccountId requestedAccountId | outputlookup previously_seen_aws_cross_account_activity", "how_to_implement": "You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Validate the user name entries in `previously_seen_aws_cross_account_activity` kvstore", "known_false_positives": "none", "datamodel": ["Authentication"]}, {"name": "Previously Seen AWS Regions", "author": "Bhavin Patel, Splunk", "date": "2018-01-08", "version": 1, "id": "fc0edc95-ff2b-48b0-9f6f-63da3789fd63", "description": "This search looks for CloudTrail events where an AWS instance is started and creates a baseline of most recent time (latest) and the first time (earliest) we've seen this region in our dataset grouped by the value awsRegion for the last 30 days", "references": [], "tags": {"analytic_story": ["AWS Cryptomining", "Suspicious AWS EC2 Activities"], "detections": ["EC2 Instance Started In Previously Unseen Region"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "awsRegion"], "security_domain": "network", "deployments": null}, "type": "Baseline", "search": "`cloudtrail` StartInstances | stats earliest(_time) as earliest latest(_time) as latest by awsRegion | outputlookup previously_seen_aws_regions| stats count", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail inputs.", "known_false_positives": "none", "datamodel": []}, {"name": "Previously Seen Cloud API Calls Per User Role - Initial", "author": "David Dorsey, Splunk", "date": "2020-09-03", "version": 1, "id": "69d75f4b-b794-4a66-a777-730357b886b4", "description": "This search builds a table of the first and last times seen for every user role and command combination. This is broadly defined as any event that runs or creates something. This table is then cached.", "references": [], "tags": {"analytic_story": ["Suspicious Cloud User Activities"], "detections": ["Cloud API Calls From Previously Unseen User Roles"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Changes.user_type", "All_Changes.status", "All_Changes.user", "All_Changes.command"], "security_domain": "network", "deployments": null}, "type": "Baseline", "search": "| tstats earliest(_time) as firstTimeSeen, latest(_time) as lastTimeSeen from datamodel=Change where All_Changes.user_type=AssumedRole AND All_Changes.status=success by All_Changes.user, All_Changes.command | `drop_dm_object_name(\"All_Changes\")` | eventstats min(firstTimeSeen) as globalFirstTime | eval enough_data = if(globalFirstTime <= relative_time(now(), \"-7d@d\"), 1, 0) | table user, command, firstTimeSeen, lastTimeSeen, enough_data | outputlookup previously_seen_cloud_api_calls_per_user_role", "how_to_implement": "You must be ingesting Cloud infrastructure logs from your cloud provider.", "known_false_positives": "none", "datamodel": ["Change"]}, {"name": "Previously Seen Cloud API Calls Per User Role - Update", "author": "David Dorsey, Splunk", "date": "2020-09-03", "version": 1, "id": "c4b760a0-6a97-47e9-b089-8ae9e57f210e", "description": "This search updates the table of the first and last times seen for every user role and command combination.", "references": [], "tags": {"analytic_story": ["Suspicious Cloud User Activities"], "detections": ["Cloud API Calls From Previously Unseen User Roles"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Changes.user_type", "All_Changes.status", "All_Changes.user", "All_Changes.command"], "security_domain": "network", "deployments": null}, "type": "Baseline", "search": "| tstats earliest(_time) as firstTimeSeen, latest(_time) as lastTimeSeen from datamodel=Change where All_Changes.user_type=AssumedRole AND All_Changes.status=success by All_Changes.user, All_Changes.command | `drop_dm_object_name(\"All_Changes\")` | table user, command, firstTimeSeen, lastTimeSeen | inputlookup previously_seen_cloud_api_calls_per_user_role append=t | stats min(firstTimeSeen) as firstTimeSeen, max(lastTimeSeen) as lastTimeSeen by user, command | where lastTimeSeen > relative_time(now(), `previously_seen_cloud_api_calls_per_user_role_forget_window`) | eventstats min(firstTimeSeen) as globalFirstTime | eval enough_data = if(globalFirstTime <= relative_time(now(), \"-7d@d\"), 1, 0) | table user, command, firstTimeSeen, lastTimeSeen, enough_data | outputlookup previously_seen_cloud_api_calls_per_user_role", "how_to_implement": "You must be ingesting Cloud infrastructure logs from your cloud provider.", "known_false_positives": "none", "datamodel": ["Change"]}, {"name": "Previously Seen Cloud Compute Creations By User - Initial", "author": "Rico Valdez, Splunk", "date": "2020-08-15", "version": 1, "id": "dd4ced8a-15a9-4285-94ac-7e4134673bf8", "description": "This search builds a table of previously seen users that have launched a cloud compute instance.", "references": [], "tags": {"analytic_story": ["Cloud Cryptomining"], "detections": ["Cloud Compute Instance Created By Previously Unseen User"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Changes.action", "All_Changes.object_category", "All_Changes.user"], "security_domain": "network", "deployments": null}, "type": "Baseline", "search": "| tstats earliest(_time) as firstTimeSeen, latest(_time) as lastTimeSeen from datamodel=Change where All_Changes.action=created AND All_Changes.object_category=instance by All_Changes.user | `drop_dm_object_name(\"All_Changes\")` | outputlookup previously_seen_cloud_compute_creations_by_user | stats count", "how_to_implement": "You must be ingesting the approrpiate cloud infrastructure logs and have the proper TAs installed.", "known_false_positives": "none", "datamodel": ["Change"]}, {"name": "Previously Seen Cloud Compute Creations By User - Update", "author": "Rico Valdez, Splunk", "date": "2020-08-15", "version": 1, "id": "6bf75d69-7766-47bc-8097-e41696807a6f", "description": "This search builds a table of previously seen users that have launched a cloud compute instance.", "references": [], "tags": {"analytic_story": ["Cloud Cryptomining"], "detections": ["Cloud Compute Instance Created By Previously Unseen User"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Changes.action", "All_Changes.object_category", "All_Changes.user"], "security_domain": "network", "deployments": null}, "type": "Baseline", "search": "| tstats earliest(_time) as firstTimeSeen, latest(_time) as lastTimeSeen from datamodel=Change where All_Changes.action=created AND All_Changes.object_category=instance by All_Changes.user| `drop_dm_object_name(\"All_Changes\")` | inputlookup append=t previously_seen_cloud_compute_creations_by_user | stats min(firstTimeSeen) as firstTimeSeen max(lastTimeSeen) as lastTimeSeen by user | where lastTimeSeen > relative_time(now(), \"-90d@d\") | eventstats min(firstTimeSeen) as globalFirstTime | eval enough_data = if(globalFirstTime <= relative_time(now(), \"-7d@d\"), 1, 0) | outputlookup previously_seen_cloud_compute_creations_by_user", "how_to_implement": "You must be ingesting the approrpiate cloud infrastructure logs and have the proper TAs installed.", "known_false_positives": "none", "datamodel": ["Change"]}, {"name": "Previously Seen Cloud Compute Images - Initial", "author": "David Dorsey, Splunk", "date": "2020-10-08", "version": 1, "id": "7744597f-d07a-4cea-94a7-e0f8aaebc410", "description": "This search builds a table of previously seen images used to launch cloud compute instances", "references": [], "tags": {"analytic_story": ["Cloud Cryptomining"], "detections": ["Cloud Compute Instance Created With Previously Unseen Image"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Changes.action", "All_Changes.Instance_Changes.image_id"], "security_domain": "network", "deployments": null}, "type": "Baseline", "search": "| tstats earliest(_time) as firstTimeSeen, latest(_time) as lastTimeSeen from datamodel=Change where All_Changes.action=created by All_Changes.Instance_Changes.image_id | `drop_dm_object_name(\"All_Changes\")` | `drop_dm_object_name(\"Instance_Changes\")` | where image_id != \"unknown\" | eventstats min(firstTimeSeen) as globalFirstTime | eval enough_data = if(globalFirstTime <= relative_time(now(), \"-7d@d\"), 1, 0) | outputlookup previously_seen_cloud_compute_images", "how_to_implement": "You must be ingesting the approrpiate cloud infrastructure logs and have the latest Change Datamodel accelerated", "known_false_positives": "none", "datamodel": ["Change"]}, {"name": "Previously Seen Cloud Compute Images - Update", "author": "David Dorsey, Splunk", "date": "2020-08-12", "version": 1, "id": "6f1ca5dc-e445-401c-9845-a96d2b6ba184", "description": "This search builds a table of previously seen images used to launch cloud compute instances", "references": [], "tags": {"analytic_story": ["Cloud Cryptomining"], "detections": ["Cloud Compute Instance Created With Previously Unseen Image"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Changes.action", "All_Changes.Instance_Changes.image_id"], "security_domain": "network", "deployments": null}, "type": "Baseline", "search": "| tstats earliest(_time) as firstTimeSeen, latest(_time) as lastTimeSeen from datamodel=Change where All_Changes.action=created by All_Changes.Instance_Changes.image_id | `drop_dm_object_name(\"All_Changes\")` | `drop_dm_object_name(\"Instance_Changes\")` | where image_id != \"unknown\" | inputlookup append=t previously_seen_cloud_compute_images | stats min(firstTimeSeen) as firstTimeSeen max(lastTimeSeen) as lastTimeSeen by image_id | where lastTimeSeen > relative_time(now(), `previously_seen_cloud_compute_images_forget_window`) | eventstats min(firstTimeSeen) as globalFirstTime | eval enough_data = if(globalFirstTime <= relative_time(now(), \"-7d@d\"), 1, 0) | outputlookup previously_seen_cloud_compute_images", "how_to_implement": "You must be ingesting the approrpiate cloud infrastructure logs", "known_false_positives": "none", "datamodel": ["Change"]}, {"name": "Previously Seen Cloud Compute Instance Types - Initial", "author": "David Dorsey, Splunk", "date": "2020-09-03", "version": 1, "id": "3c78025c-1ffe-4976-a640-75ef604842be", "description": "This search builds a table of previously seen cloud compute instance types", "references": [], "tags": {"analytic_story": ["Cloud Cryptomining"], "detections": ["Cloud Compute Instance Created With Previously Unseen Instance Type"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Changes.action", "All_Changes.Instance_Changes.instance_type"], "security_domain": "network", "deployments": null}, "type": "Baseline", "search": "| tstats earliest(_time) as firstTimeSeen, latest(_time) as lastTimeSeen from datamodel=Change where All_Changes.action=created by All_Changes.Instance_Changes.instance_type | `drop_dm_object_name(\"All_Changes.Instance_Changes\")` | where instance_type != \"unknown\" | eventstats min(firstTimeSeen) as globalFirstTime | eval enough_data = if(globalFirstTime <= relative_time(now(), \"-14d@d\"), 1, 0) | outputlookup previously_seen_cloud_compute_instance_types", "how_to_implement": "You must be ingesting the approrpiate cloud infrastructure logs and have the Security Research cloud data model installed.", "known_false_positives": "none", "datamodel": ["Change"]}, {"name": "Previously Seen Cloud Compute Instance Types - Update", "author": "David Dorsey, Splunk", "date": "2020-09-03", "version": 1, "id": "7b7ef9ab-acb9-4e07-af76-4cf1e722885c", "description": "This search builds a table of previously seen cloud compute instance types", "references": [], "tags": {"analytic_story": ["Cloud Cryptomining"], "detections": ["Cloud Compute Instance Created With Previously Unseen Instance Type"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Changes.action", "All_Changes.Instance_Changes.instance_type"], "security_domain": "network", "deployments": null}, "type": "Baseline", "search": "| tstats earliest(_time) as firstTimeSeen, latest(_time) as lastTimeSeen from datamodel=Change where All_Changes.action=created by All_Changes.Instance_Changes.instance_type | `drop_dm_object_name(\"All_Changes.Instance_Changes\")` | where instance_type != \"unknown\" | inputlookup append=t previously_seen_cloud_compute_instance_types | stats min(firstTimeSeen) as firstTimeSeen max(lastTimeSeen) as lastTimeSeen by instance_type | where lastTimeSeen > relative_time(now(), `previously_seen_cloud_compute_instance_type_forget_window`) | eventstats min(firstTimeSeen) as globalFirstTime | eval enough_data = if(globalFirstTime <= relative_time(now(), \"-14d@d\"), 1, 0) | outputlookup previously_seen_cloud_compute_instance_types", "how_to_implement": "You must be ingesting the approrpiate cloud infrastructure logs", "known_false_positives": "none", "datamodel": ["Change"]}, {"name": "Previously Seen Cloud Instance Modifications By User - Initial", "author": "Rico Valdez, Splunk", "date": "2020-07-29", "version": 1, "id": "f36dc403-739d-42f3-83a3-49237d8654c5", "description": "This search builds a table of previously seen users that have modified a cloud instance.", "references": [], "tags": {"analytic_story": ["Suspicious Cloud Instance Activities"], "detections": ["Cloud Instance Modified By Previously Unseen User"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Changes.action", "All_Changes.change_type", "All_Changes.status", "All_Changes.user"], "security_domain": "network", "deployments": null}, "type": "Baseline", "search": "| tstats earliest(_time) as firstTimeSeen, latest(_time) as lastTimeSeen from datamodel=Change where All_Changes.action=modified All_Changes.change_type=EC2 c=success by All_Changes.user | `drop_dm_object_name(\"All_Changes\")` | eventstats min(firstTimeSeen) as globalFirstTime | eval enough_data = if(globalFirstTime <= relative_time(now(), \"-7d@d\"), 1, 0) | outputlookup previously_seen_cloud_instance_modifications_by_user", "how_to_implement": "You must be ingesting the approrpiate cloud infrastructure logs and have the latest Change Datamodel accelerated.", "known_false_positives": "none", "datamodel": ["Change"]}, {"name": "Previously Seen Cloud Instance Modifications By User - Update", "author": "Rico Valdez, Splunk", "date": "2020-07-29", "version": 1, "id": "534b7d30-7b0c-4510-8f55-65439850d58d", "description": "This search updates a table of previously seen Cloud Instance modifications that have been made by a user", "references": [], "tags": {"analytic_story": ["Suspicious Cloud Instance Activities"], "detections": ["Cloud Instance Modified By Previously Unseen User"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Changes.action", "All_Changes.change_type", "All_Changes.status", "All_Changes.user"], "security_domain": "network", "deployments": null}, "type": "Baseline", "search": "| tstats earliest(_time) as firstTimeSeen, latest(_time) as lastTimeSeen from datamodel=Change where All_Changes.action=modified All_Changes.change_type=EC2 All_Changes.status=success by All_Changes.user | `drop_dm_object_name(\"All_Changes\")` | inputlookup append=t previously_seen_cloud_instance_modifications_by_user | stats min(firstTimeSeen) as firstTimeSeen max(lastTimeSeen) as lastTimeSeen by user | where lastTimeSeen > relative_time(now(), `previously_seen_cloud_compute_images_forget_window`) | eventstats min(firstTimeSeen) as globalFirstTime | eval enough_data = if(globalFirstTime <= relative_time(now(), \"-7d@d\"), 1, 0) | outputlookup previously_seen_cloud_instance_modifications_by_user", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail inputs. To add or remove APIs that modify an EC2 instance, edit the macro `ec2_modification_api_calls`.", "known_false_positives": "none", "datamodel": ["Change"]}, {"name": "Previously Seen Cloud Provisioning Activity Sources - Initial", "author": "Rico Valdez, Splunk", "date": "2020-08-19", "version": 1, "id": "4ce865fc-f43e-4521-a8ed-ab8af99052d7", "description": "This search builds a table of the first and last times seen for every IP address (along with its physical location) previously associated with cloud-provisioning activity. This is broadly defined as any event that runs or creates something. This table is then cached.", "references": [], "tags": {"analytic_story": ["Suspicious Cloud Provisioning Activities"], "detections": ["Cloud Provisioning Activity From Previously Unseen IP Address", "Cloud Provisioning Activity From Previously Unseen City", "Cloud Provisioning Activity From Previously Unseen Country", "Cloud Provisioning Activity From Previously Unseen Region"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Changes.action", "All_Changes.src", "All_Changes.status"], "security_domain": "network", "deployments": null}, "type": "Baseline", "search": "| tstats earliest(_time) as firstTimeSeen, latest(_time) as lastTimeSeen from datamodel=Change where (All_Changes.action=started OR All_Changes.action=created) All_Changes.status=success by All_Changes.src | `drop_dm_object_name(\"All_Changes\")` | iplocation src | where isnotnull(Country) | eventstats min(firstTimeSeen) as globalFirstTime | eval enough_data = if(globalFirstTime <= relative_time(now(), \"-7d@d\"), 1, 0) | table src, City, Country, Region, firstTimeSeen, lastTimeSeen, enough_data | outputlookup previously_seen_cloud_provisioning_activity_sources", "how_to_implement": "You must be ingesting Cloud infrastructure logs from your cloud provider.", "known_false_positives": "none", "datamodel": ["Change"]}, {"name": "Previously Seen Cloud Provisioning Activity Sources - Update", "author": "David Dorsey, Splunk", "date": "2020-08-20", "version": 1, "id": "9830abb9-be80-4563-b232-09bf1f628cf3", "description": "This returns the first and last times seen for every IP address (along with its physical location) previously associated with cloud-provisioning activity within the last day. Cloud provisioning is broadly defined as any event that runs or creates something. It then updates this information with historical data and filters out locations that have not been seen within the specified time window. This updated table is then cached.", "references": [], "tags": {"analytic_story": ["Suspicious Cloud Provisioning Activities"], "detections": ["Cloud Provisioning Activity From Previously Unseen IP Address", "Cloud Provisioning Activity From Previously Unseen City", "Cloud Provisioning Activity From Previously Unseen Country", "Cloud Provisioning Activity From Previously Unseen Region"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Changes.action", "All_Changes.src", "All_Changes.status"], "security_domain": "network", "deployments": null}, "type": "Baseline", "search": "| tstats earliest(_time) as firstTimeSeen, latest(_time) as lastTimeSeen from datamodel=Change where (All_Changes.action=started OR All_Changes.action=created) All_Changes.status=success by All_Changes.src | `drop_dm_object_name(\"All_Changes\")` | iplocation src | where isnotnull(Country) | table src, firstTimeSeen, lastTimeSeen, City, Country, Region | inputlookup previously_seen_cloud_provisioning_activity_sources append=t | stats min(firstTimeSeen) as firstTimeSeen, max(lastTimeSeen) as lastTimeSeen by src, City, Country, Region | where lastTimeSeen > relative_time(now(), `previously_seen_cloud_provisioning_activity_forget_window`) | eventstats min(firstTimeSeen) as globalFirstTime | eval enough_data = if(globalFirstTime <= relative_time(now(), \"-7d@d\"), 1, 0) | table src, City, Country, Region, firstTimeSeen, lastTimeSeen, enough_data | outputlookup previously_seen_cloud_provisioning_activity_sources", "how_to_implement": "You must be ingesting Cloud infrastructure logs from your cloud provider.", "known_false_positives": "none", "datamodel": ["Change"]}, {"name": "Previously Seen Cloud Regions - Initial", "author": "David Dorsey, Splunk", "date": "2020-09-02", "version": 1, "id": "b5e232db-dec6-4db8-aaa1-dd5474521e40", "description": "This search looks for cloud compute events where a compute instance is started and creates a baseline of most recent time, `lastTime` and the first time `firstTime` we've seen this region in our dataset grouped by the region for the last 30 days", "references": [], "tags": {"analytic_story": ["Cloud Cryptomining"], "detections": ["Cloud Compute Instance Created In Previously Unused Region"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Changes.action", "All_Changes.vendor_region"], "security_domain": "network", "deployments": null}, "type": "Baseline", "search": "| tstats earliest(_time) as firstTimeSeen, latest(_time) as lastTimeSeen from datamodel=Change where All_Changes.action=created by All_Changes.vendor_region | `drop_dm_object_name(\"All_Changes\")` | eventstats min(firstTimeSeen) as globalFirstTime | eval enough_data = if(globalFirstTime <= relative_time(now(), \"-14d@d\"), 1, 0) | outputlookup previously_seen_cloud_regions", "how_to_implement": "You must be ingesting the approrpiate cloud infrastructure logs and have the Security Research cloud data model installed.", "known_false_positives": "none", "datamodel": ["Change"]}, {"name": "Previously Seen Cloud Regions - Update", "author": "David Dorsey, Splunk", "date": "2020-09-02", "version": 1, "id": "512f928a-a461-41b4-8984-db4dd2c472e4", "description": "This search looks for cloud compute events where a compute instance is started and creates a baseline of most recent time, `lastTime` and the first time `firstTime` we've seen this region in our dataset grouped by the region for the last 30 days", "references": [], "tags": {"analytic_story": ["Cloud Cryptomining"], "detections": ["Cloud Compute Instance Created In Previously Unused Region"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Changes.action", "All_Changes.vendor_region"], "security_domain": "network", "deployments": null}, "type": "Baseline", "search": "| tstats earliest(_time) as firstTimeSeen, latest(_time) as lastTimeSeen from datamodel=Change where All_Changes.action=created by All_Changes.vendor_region | `drop_dm_object_name(\"All_Changes\")` | inputlookup append=t previously_seen_cloud_regions | stats min(firstTimeSeen) as firstTimeSeen max(lastTimeSeen) as lastTimeSeen by vendor_region | where lastTimeSeen > relative_time(now(), `previously_seen_cloud_region_forget_window`) | eventstats min(firstTimeSeen) as globalFirstTime | eval enough_data = if(globalFirstTime <= relative_time(now(), \"-14d@d\"), 1, 0) | outputlookup previously_seen_cloud_regions | stats count", "how_to_implement": "You must be ingesting the approrpiate cloud infrastructure logs and have the Security Research cloud data model installed.", "known_false_positives": "none", "datamodel": ["Change"]}, {"name": "Previously seen command line arguments", "author": "Bhavin Patel, Splunk", "date": "2019-03-01", "version": 2, "id": "56059acf-50fe-4f60-98d1-b75b51b5c2f3", "description": "This search looks for command-line arguments where `cmd.exe /c` is used to execute a program, then creates a baseline of the earliest and latest times we have encountered this command-line argument in our dataset within the last 30 days.", "references": [], "tags": {"analytic_story": ["DHS Report TA18-074A", "Disabling Security Tools", "Hidden Cobra Malware", "IcedID", "Netsh Abuse", "Orangeworm Attack Group", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Suspicious Command-Line Executions", "Suspicious MSHTA Activity"], "detections": ["First time seen command line argument"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_name", "Processes.process"], "security_domain": "endpoint", "deployments": null}, "type": "Baseline", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=cmd.exe AND Processes.process=\"* /c *\" by Processes.process | `drop_dm_object_name(Processes)`", "how_to_implement": "You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must be ingesting logs with both the process name and command line from your endpoints. The complete process name with command-line arguments are mapped to the \"process\" field in the Endpoint data model.", "known_false_positives": "none", "datamodel": ["Endpoint"]}, {"name": "Previously Seen EC2 Modifications By User", "author": "David Dorsey, Splunk", "date": "2018-04-05", "version": 1, "id": "4d69091b-d975-4267-85df-888bd41034eb", "description": "This search builds a table of previously seen ARNs that have launched a EC2 instance.", "references": [], "tags": {"analytic_story": ["Unusual AWS EC2 Modifications"], "detections": ["EC2 Instance Modified With Previously Unseen User"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "userIdentity.arn", "errorCode"], "security_domain": "network", "deployments": null}, "type": "Baseline", "search": "`cloudtrail` `ec2_modification_api_calls` errorCode=success | spath output=arn userIdentity.arn | stats earliest(_time) as firstTime latest(_time) as lastTime by arn | outputlookup previously_seen_ec2_modifications_by_user | stats count", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail inputs. To add or remove APIs that modify an EC2 instance, edit the macro `ec2_modification_api_calls`.", "known_false_positives": "none", "datamodel": []}, {"name": "Previously Seen Running Windows Services - Initial", "author": "David Dorsey, Splunk", "date": "2020-06-23", "version": 3, "id": "64ce0ade-cb01-4678-bddd-d31c0b175394", "description": "This collects the services that have been started across your entire enterprise.", "references": [], "tags": {"analytic_story": ["NOBELIUM Group", "Orangeworm Attack Group", "Windows Service Abuse"], "detections": ["First Time Seen Running Windows Service"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Message"], "security_domain": "endpoint", "deployments": null}, "type": "Baseline", "search": "`wineventlog_system` EventCode=7036 | rex field=Message \"The (?[-\\(\\)\\s\\w]+) service entered the (?\\w+) state\" | where state=\"running\" | stats earliest(_time) as firstTimeSeen, latest(_time) as lastTimeSeen by service | outputlookup previously_seen_running_windows_services", "how_to_implement": "While this search does not require you to adhere to Splunk CIM, you must be ingesting your Windows security-event logs for it to execute successfully. Please ensure that the Splunk Add-on for Microsoft Windows is version 8.0.0 or above.", "known_false_positives": "none", "datamodel": []}, {"name": "Previously Seen Running Windows Services - Update", "author": "David Dorsey, Splunk", "date": "2020-06-23", "version": 3, "id": "2e3bdd68-1863-46ee-81f8-87273eee7f1c", "description": "This search returns the first and last time a Windows service was seen across your enterprise within the last hour. It then updates this information with historical data and filters out Windows services pairs that have not been seen within the specified time window. This updated table is then cached.", "references": [], "tags": {"analytic_story": ["NOBELIUM Group", "Orangeworm Attack Group", "Windows Service Abuse"], "detections": ["First Time Seen Running Windows Service"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Message"], "security_domain": "endpoint", "deployments": null}, "type": "Baseline", "search": "`wineventlog_system` EventCode=7036 | rex field=Message \"The (?[-\\(\\)\\s\\w]+) service entered the (?\\w+) state\" | where state=\"running\" | stats earliest(_time) as firstTimeSeen, latest(_time) as lastTimeSeen by service | inputlookup previously_seen_running_windows_services append=t | stats min(firstTimeSeen) as firstTimeSeen, max(lastTimeSeen) as lastTimeSeen by service | where lastTimeSeen > relative_time(now(), `previously_seen_windows_services_forget_window`) | outputlookup previously_seen_running_windows_services", "how_to_implement": "While this search does not require you to adhere to Splunk CIM, you must be ingesting your Windows security-event logs for it to execute successfully. Please ensure that the Splunk Add-on for Microsoft Windows is version 8.0.0 or above.", "known_false_positives": "none", "datamodel": []}, {"name": "Previously seen S3 bucket access by remote IP", "author": "Bhavin Patel, Splunk", "date": "2018-06-28", "version": 1, "id": "54c40c6a-9a5b-4a79-9291-85977f713961", "description": "This search looks for successful access to S3 buckets from remote IP addresses, then creates a baseline of the earliest and latest times we have encountered this remote IP within the last 30 days. In this support search, we are only looking for S3 access events where the HTTP response code from AWS is \"200\"", "references": [], "tags": {"analytic_story": ["Suspicious AWS S3 Activities"], "detections": ["Detect S3 access from a new IP"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "http_status", "bucket_name", "remote_ip"], "security_domain": "network", "deployments": null}, "type": "Baseline", "search": "`aws_s3_accesslogs` http_status=200 | stats earliest(_time) as earliest latest(_time) as latest by bucket_name remote_ip | outputlookup previously_seen_S3_access_from_remote_ip | stats count", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your S3 access-logs inputs. You must validate the remote IP and bucket name entries in `previously_seen_S3_access_from_remote_ip.csv`, which is a lookup file created as a result of running this support search.", "known_false_positives": "none", "datamodel": []}, {"name": "Previously Seen Users in CloudTrail - Initial", "author": "Rico Valdez, Splunk", "date": "2020-05-28", "version": 1, "id": "0a87ecf9-dc6a-43af-861a-205e75a09bf5", "description": "This search looks for CloudTrail events where a user logs into the console, then creates a baseline of the latest and earliest times, City, Region, and Country we have encountered this user in our dataset, grouped by username, within the last 30 days.", "references": [], "tags": {"analytic_story": ["Suspicious Cloud Authentication Activities"], "detections": ["Detect AWS Console Login by User from New Country", "Detect AWS Console Login by User from New Region", "Detect AWS Console Login by User from New City", "Detect AWS Console Login by New User"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Authentication.signature", "Authentication.user", "Authentication.src"], "security_domain": "network", "deployments": null}, "type": "Baseline", "search": "| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src | iplocation Authentication.src | rename Authentication.user as user Authentication.src as src | table user src City Region Country firstTime lastTime | outputlookup previously_seen_users_console_logins | stats count", "how_to_implement": "You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Validate the user name entries in `previously_seen_users_console_logins`, which is a lookup file created by this support search.", "known_false_positives": "none", "datamodel": ["Authentication"]}, {"name": "Previously Seen Users In CloudTrail - Update", "author": "Rico Valdez, Splunk", "date": "2020-05-28", "version": 1, "id": "66ff71c2-7e01-47dd-a041-906688c9d322", "description": "This search looks for CloudTrail events where a user logs into the console, then updates the baseline of the latest and earliest times, City, Region, and Country we have encountered this user in our dataset, grouped by user, within the last hour.", "references": [], "tags": {"analytic_story": ["Suspicious Cloud Authentication Activities"], "detections": ["Detect AWS Console Login by User from New Country", "Detect AWS Console Login by User from New Region", "Detect AWS Console Login by User from New City", "Detect AWS Console Login by New User"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Authentication.signature", "Authentication.user", "Authentication.src"], "security_domain": "network", "deployments": null}, "type": "Baseline", "search": "| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src | iplocation Authentication.src | rename Authentication.user as user Authentication.src as src | table user src City Region Country firstTime lastTime | inputlookup append=t previously_seen_users_console_logins | stats min(firstTime) as firstTime max(lastTime) as lastTime by user src City Region Country | outputlookup previously_seen_users_console_logins", "how_to_implement": "You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Validate the user name entries in `previously_seen_users_console_logins`, which is a lookup file created by this support search.", "known_false_positives": "none", "datamodel": ["Authentication"]}, {"name": "Previously Seen Zoom Child Processes - Initial", "author": "David Dorsey, Splunk", "date": "2020-05-20", "version": 1, "id": "60b9c00f-a9d6-4e51-803c-5d63ea21b95b", "description": "This search returns the first and last time a process was seen per endpoint with a parent process of zoom.exe (Windows) or zoom.us (macOS). This table is then cached.", "references": [], "tags": {"analytic_story": ["Suspicious Zoom Child Processes"], "detections": ["First Time Seen Child Process of Zoom"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.parent_process_name", "Processes.process_name", "Processes.dest"], "security_domain": "endpoint", "deployments": null}, "type": "Baseline", "search": "| tstats `security_content_summariesonly` min(_time) as firstTimeSeen max(_time) as lastTimeSeen from datamodel=Endpoint.Processes where (Processes.parent_process_name=zoom.exe OR Processes.parent_process_name=zoom.us) by Processes.process_name Processes.dest| `drop_dm_object_name(Processes)` | table dest, process_name, firstTimeSeen, lastTimeSeen | outputlookup zoom_first_time_child_process", "how_to_implement": "You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints, to populate the Endpoint data model in the Processes node.", "known_false_positives": "none", "datamodel": ["Endpoint"]}, {"name": "Previously Seen Zoom Child Processes - Update", "author": "David Dorsey, Splunk", "date": "2020-05-20", "version": 1, "id": "80aea7fd-5da2-4533-b3c2-560533bfbaee", "description": "This search returns the first and last time a process was seen per endpoint with a parent process of zoom.exe (Windows) or zoom.us (macOS) within the last hour. It then updates this information with historical data and filters out proces_name and endpoint pairs that have not been seen within the specified time window. This updated table is outputed to disk.", "references": [], "tags": {"analytic_story": ["Suspicious Zoom Child Processes"], "detections": ["First Time Seen Child Process of Zoom"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.parent_process_name", "Processes.process_name", "Processes.dest"], "security_domain": "endpoint", "deployments": null}, "type": "Baseline", "search": "| tstats `security_content_summariesonly` min(_time) as firstTimeSeen max(_time) as lastTimeSeen from datamodel=Endpoint.Processes where (Processes.parent_process_name=zoom.exe OR Processes.parent_process_name=zoom.us) by Processes.process_name Processes.dest| `drop_dm_object_name(Processes)` | table firstTimeSeen, lastTimeSeen, process_name, dest | inputlookup zoom_first_time_child_process append=t | stats min(firstTimeSeen) as firstTimeSeen max(lastTimeSeen) as lastTimeSeen by process_name, dest | where lastTimeSeen > relative_time(now(), \"`previously_seen_zoom_child_processes_forget_window`\") | outputlookup zoom_first_time_child_process", "how_to_implement": "You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints, to populate the Endpoint data model in the Processes node.", "known_false_positives": "none", "datamodel": ["Endpoint"]}, {"name": "Splunk Command and Scripting Interpreter Risky SPL MLTK Baseline", "author": "Abhinav Mishra, Kumar Sharad and Xiao Lin, Splunk", "date": "2022-05-27", "version": 1, "id": "273df2f7-643a-451a-8d4d-637e39eadc87", "description": "This search supports an analyst looking for abuse or misuse of the risky commands listed here: https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards#Commands_that_trigger_the_warning This is accomplished by using the time spent executing one of these risky commands as a proxy for misuse/abuse of interest during investigation and/or hunting. The search builds a model utilizes the MLTK DensityFunction algorithm on Splunk app audit log data. The model uses the past 7 days of user history executing the above referenced commands then aggregates the total search run time for each hour as indicator of user behavior. The model identifies the top 0.1% of user search run time, indicating a risky use of these commands. Users can adjust this threshold 0.1% as interested however this will correlate to missed/false positive rates. This search should be scheduled to run at least every 7 days. The name of machine learning model generated is \"risky_command_abuse\" and should be configured to be globally shared (not private) in MLTK app as documented here: https://docs.splunk.com/Documentation/MLApp/5.3.1/User/Models#Sharing_models_from_other_Splunk_apps unless the same account of training this model will be used to perform inference using this model for anomaly detection.", "references": ["https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards#Commands_that_trigger_the_warning"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "detections": ["Splunk Command and Scripting Interpreter Risky SPL MLTK"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Search_Activity.search", "Search_Activity.total_run_time", "Search_Activity.user", "Search_Activity.search_type"], "security_domain": "audit", "deployments": null}, "type": "Baseline", "search": "| tstats sum(Search_Activity.total_run_time) as run_time, count FROM datamodel=Splunk_Audit.Search_Activity WHERE (Search_Activity.user!=\"\") AND (Search_Activity.total_run_time>1) AND (earliest=-7d@d latest=now) AND (Search_Activity.search IN (\"*| runshellscript *\", \"*| collect *\",\"*| delete *\", \"*| fit *\", \"*| outputcsv *\", \"*| outputlookup *\", \"*| run *\", \"*| script *\", \"*| sendalert *\", \"*| sendemail *\", \"*| tscolle*\")) AND (Search_Activity.search_type=adhoc) AND (Search_Activity.user!=splunk-system-user) BY _time, Search_Activity.user span=1h | fit DensityFunction \"run_time\" dist=auto lower_threshold=0.000001 upper_threshold=0.001 show_density=true by Search_Activity.user into \"risky_command_abuse\" ", "how_to_implement": "The corresponding detection of using this model is \"Splunk Command and Scripting Interpreter Risky SPL MLTK\". This detection depends on MLTK app which can be found here - https://splunkbase.splunk.com/app/2890/ and it assumes Splunk accelerated audit data model is available. For large enterprises, training the model might take significant computing resources. It might require dedicated search head. The underlined machine learning algorithm this detection used is DensityFunction. It might need to increase its settings default values, such as max_fit_time, max_groups, etc. More details of achieving optimal performance and configuring DensityFunction parameters can be found here - https://docs.splunk.com/Documentation/MLApp/5.3.1/User/Configurefitandapply Users can modify earliest=-7d@d in the search to other value so that the search can collect enough data points to build a good baseline model. Users can also modify list of risky commands in \"Search_Activity.search IN\" to better suit users' violation policy and their usage environment.", "known_false_positives": "If the run time of a search exceeds the boundaries of outlier defined by the fitted density function model, false positives can occur, incorrectly labeling a long running search as potentially risky.", "datamodel": ["Splunk_Audit"]}, {"name": "Systems Ready for Spectre-Meltdown Windows Patch", "author": "David Dorsey, Splunk", "date": "2018-01-08", "version": 1, "id": "fc0edc95-ff2b-48b0-9f6f-63da3789fd61", "description": "Some AV applications can cause the Spectre/Meltdown patch for Windows not to install successfully. This registry key is supposed to be created by the AV engine when it has been patched to be able to handle the Windows patch. If this key has been written, the system can then be patched for Spectre and Meltdown.", "references": [], "tags": {"analytic_story": ["Spectre And Meltdown Vulnerabilities"], "detections": ["Spectre and Meltdown Vulnerable Systems"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Changes.object_category", "All_Changes.object_path", "All_Changes.dest", "All_Changes.command", "All_Changes.user", "All_Changes.object"], "security_domain": "endpoint", "deployments": null}, "type": "Baseline", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Change_Analysis.All_Changes where All_Changes.object_category=registry AND (All_Changes.object_path=\"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\QualityCompat*\") by All_Changes.dest, All_Changes.command, All_Changes.user, All_Changes.object, All_Changes.object_path | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(\"All_Changes\")`", "how_to_implement": "You need to be ingesting logs with both the process name and command-line from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "none", "datamodel": ["Change"]}, {"name": "Windows Updates Install Failures", "author": "David Dorsey, Splunk", "date": "2017-09-14", "version": 1, "id": "6a4dbd1b-4502-4a11-943a-82b5ae7a42d7", "description": "This search is intended to give you a feel for how often Windows updates fail to install in your environment. Fluctuations in these numbers will allow you to determine when you should be concerned.", "references": [], "tags": {"analytic_story": ["Monitor for Updates"], "detections": ["No Windows Updates in a time frame"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Updates.vendor_product", "Updates.status"], "security_domain": "endpoint", "deployments": null}, "type": "Baseline", "search": "| tstats `security_content_summariesonly` dc(Updates.dest) as count FROM datamodel=Updates where Updates.vendor_product=\"Microsoft Windows\" AND Updates.status=failure by _time span=1d", "how_to_implement": "You must be ingesting your Windows Update Logs", "known_false_positives": "none", "datamodel": []}, {"name": "Windows Updates Install Successes", "author": "David Dorsey, Splunk", "date": "2017-09-14", "version": 1, "id": "6a80535c-86a6-4b54-894c-4b446d0c701d", "description": "This search is intended to give you a feel for how often successful Windows updates are applied in your environments. Fluctuations in these numbers will allow you to determine when you should be concerned.", "references": [], "tags": {"analytic_story": ["Monitor for Updates"], "detections": ["No Windows Updates in a time frame"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Updates.vendor_product", "Updates.status"], "security_domain": "endpoint", "deployments": null}, "type": "Baseline", "search": "| tstats `security_content_summariesonly` dc(Updates.dest) as count FROM datamodel=Updates where Updates.vendor_product=\"Microsoft Windows\" AND Updates.status=installed by _time span=1d", "how_to_implement": "You must be ingesting your Windows Update Logs", "known_false_positives": "none", "datamodel": []}]} \ No newline at end of file diff --git a/dist/api/deployments.json b/dist/api/deployments.json deleted file mode 100644 index aac4dab50f..0000000000 --- a/dist/api/deployments.json +++ /dev/null @@ -1 +0,0 @@ -{"deployments": [{"scheduling": {"cron_schedule": "0 * * * *", "earliest_time": "-70m@m", "latest_time": "-10m@m", "schedule_window": "auto"}, "tags": {"type": "Anomaly"}, "name": "ESCU Default Configuration Anomaly", "author": "Patrick Bareiss", "date": "2021-12-21", "version": 1, "id": "a9e210c6-9f50-4f8b-b60e-71bb26e4f216", "description": "This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.", "rba": {"enabled": "true"}}, {"scheduling": {"cron_schedule": "10 0 * * *", "earliest_time": "-1450m@m", "latest_time": "-10m@m", "schedule_window": "auto"}, "tags": {"type": "Baseline"}, "name": "ESCU Default Configuration Baseline", "author": "Patrick Bareiss", "date": "2021-12-21", "version": 1, "id": "0f7ee854-1aad-4bef-89c5-5c402b488510", "description": "This configuration file applies to all detections of type baseline."}, {"scheduling": {"cron_schedule": "0 * * * *", "earliest_time": "-70m@m", "latest_time": "-10m@m", "schedule_window": "auto"}, "tags": {"type": "Correlation"}, "name": "ESCU Default Configuration Correlation", "author": "Patrick Bareiss", "date": "2021-12-21", "version": 1, "id": "36ba498c-46e8-4b62-8bde-67e984a40fb4", "description": "This configuration file applies to all detections of type Correlation. These correlations will generate Notable Events.", "notable": {"rule_description": "%description%", "rule_title": "%name%", "nes_fields": ["user", "dest"]}}, {"scheduling": {"cron_schedule": "0 * * * *", "earliest_time": "-70m@m", "latest_time": "-10m@m", "schedule_window": "auto"}, "tags": {"type": "Hunting"}, "name": "ESCU Default Configuration Hunting", "author": "Patrick Bareiss", "date": "2021-12-21", "version": 1, "id": "cc5895e8-3420-4ab7-af38-cf87a28f9c3b", "description": "This configuration file applies to all detections of type hunting."}, {"scheduling": {"cron_schedule": "0 * * * *", "earliest_time": "-70m@m", "latest_time": "-10m@m", "schedule_window": "auto"}, "tags": {"type": "TTP"}, "name": "ESCU Default Configuration TTP", "author": "Patrick Bareiss", "date": "2021-12-21", "version": 1, "id": "b81cd059-a3e8-4c03-96ca-e168c50ff70b", "description": "This configuration file applies to all detections of type TTP. These detections will use Risk Based Alerting and generate Notable Events.", "notable": {"rule_description": "%description%", "rule_title": "%name%", "nes_fields": ["user", "dest"]}, "rba": {"enabled": "true"}}]} \ No newline at end of file diff --git a/dist/api/detections.json b/dist/api/detections.json deleted file mode 100644 index 169336aed9..0000000000 --- a/dist/api/detections.json +++ /dev/null @@ -1 +0,0 @@ -{"detections": [{"name": "CrushFTP Server Side Template Injection", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 1, "id": "ccf6b7a3-bd39-4bc9-a949-143a8d640dbc", "description": "This analytic is designed to identify attempts to exploit a server-side template injection vulnerability in CrushFTP, designated as CVE-2024-4040. This severe vulnerability enables unauthenticated remote attackers to access and read files beyond the VFS Sandbox, circumvent authentication protocols, and execute arbitrary commands on the affected server. The issue impacts all versions of CrushFTP up to 10.7.1 and 11.1.0 on all supported platforms. It is highly recommended to apply patches immediately to prevent unauthorized access to the system and avoid potential data compromises. The search specifically looks for patterns in the raw log data that match the exploitation attempts, including READ or WRITE actions, and extracts relevant information such as the protocol, session ID, user, IP address, HTTP method, and the URI queried. It then evaluates these logs to confirm traces of exploitation based on the presence of specific keywords and the originating IP address, counting and sorting these events for further analysis.", "references": ["https://github.com/airbus-cert/CVE-2024-4040", "https://www.bleepingcomputer.com/news/security/crushftp-warns-users-to-patch-exploited-zero-day-immediately/"], "tags": {"analytic_story": ["CrushFTP Vulnerabilities"], "asset_type": "Web Application", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "IP Address", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Potential exploitation of CrushFTP Server Side Template Injection Vulnerability on $dest$ by $src_ip$.", "risk_score": 64, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}]}, "type": "TTP", "search": "`crushftp` | rex field=_raw \"\\[(?HTTPS|HTTP):(?[^\\:]+):(?[^\\:]+):(?\\d+\\.\\d+\\.\\d+\\.\\d+)\\] (?READ|WROTE): \\*(?[A-Z]+) (?[^\\s]+) HTTP/[^\\*]+\\*\" | eval message=if(match(_raw, \"INCLUDE\") and isnotnull(src_ip), \"traces of exploitation by \" . src_ip, \"false\") | search message!=false | rename host as dest | stats count by _time, dest, source, message, src_ip, http_method, uri_query, user, action | sort -_time| `crushftp_server_side_template_injection_filter`", "how_to_implement": "CrushFTP Session logs, from Windows or Linux, must be ingested to Splunk. Currently, there is no TA for CrushFTP, so the data must be extracted from the raw logs.", "known_false_positives": "False positives should be limited, however tune or filter as needed.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "crushftp", "definition": "sourcetype=\"crushftp:sessionlogs\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "crushftp_server_side_template_injection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect New Login Attempts to Routers", "author": "Bhavin Patel, Splunk", "date": "2024-05-14", "version": 2, "id": "bce3ed7c-9b1f-42a0-abdf-d8b123a34836", "description": "The following analytic identifies new login attempts to routers. It leverages authentication logs from the ES Assets and Identity Framework, focusing on assets categorized as routers. The detection flags connections that have not been observed in the past 30 days. This activity is significant because unauthorized access to routers can lead to network disruptions or data interception. If confirmed malicious, attackers could gain control over network traffic, potentially leading to data breaches or further network compromise.", "references": [], "tags": {"analytic_story": ["Router and Infrastructure Security"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count earliest(_time) as earliest latest(_time) as latest from datamodel=Authentication where Authentication.dest_category=router by Authentication.dest Authentication.user| eval isOutlier=if(earliest >= relative_time(now(), \"-30d@d\"), 1, 0) | where isOutlier=1| `security_content_ctime(earliest)`| `security_content_ctime(latest)` | `drop_dm_object_name(\"Authentication\")` | `detect_new_login_attempts_to_routers_filter`", "how_to_implement": "To successfully implement this search, you must ensure the network router devices are categorized as \"router\" in the Assets and identity table. You must also populate the Authentication data model with logs related to users authenticating to routing infrastructure.", "known_false_positives": "Legitimate router connections may appear as new connections", "datamodel": ["Authentication"], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_new_login_attempts_to_routers_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Risky SPL using Pretrained ML Model", "author": "Abhinav Mishra, Kumar Sharad, Namratha Sreekanta and Xiao Lin, Splunk", "date": "2022-06-16", "version": 1, "id": "b4aefb5f-1037-410d-a149-1e091288ba33", "description": "The following analytic uses a pretrained machine learning text classifier to detect potentially risky commands. The model is trained independently and then the model file is packaged within ESCU for usage. A command is deemed risky based on the presence of certain trigger keywords, along with the context and the role of the user (please see references). The model uses custom features to predict whether a SPL is risky using text classification. The model takes as input the command text, user and search type and outputs a risk score between [0,1]. A high score indicates higher likelihood of a command being risky. This model is on-prem only.", "references": ["https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards#Commands_that_trigger_the_warning"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A potentially risky Splunk command has been run by $user$, kindly review.", "risk_score": 20, "security_domain": "audit", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Splunk_Audit.Search_Activity where Search_Activity.search_type=adhoc Search_Activity.user!=splunk-system-user by Search_Activity.search Search_Activity.user Search_Activity.search_type | eval spl_text = 'Search_Activity.search'. \" \" .'Search_Activity.user'. \" \" .'Search_Activity.search_type'| dedup spl_text | apply risky_spl_pre_trained_model | where risk_score > 0.5 | `drop_dm_object_name(Search_Activity)` | table search, user, search_type, risk_score | `detect_risky_spl_using_pretrained_ml_model_filter`", "how_to_implement": "This detection depends on the MLTK app which can be found here - https://splunkbase.splunk.com/app/2890/ and the Splunk Audit datamodel which can be found here - https://splunkbase.splunk.com/app/1621/. Additionally, you need to be ingesting logs which include Search_Activity.search, Search_Activity.user, Search_Activity.search_type from your endpoints. The risk score threshold should be adjusted based on the environment. The detection uses a custom MLTK model hence we need a few more steps for deployment, as outlined here - https://gist.github.com/ksharad-splunk/be2a62227966049047f5e5c4f2adcabb.", "known_false_positives": "False positives may be present if suspicious behavior is observed, as determined by frequent usage of risky keywords.", "datamodel": ["Splunk_Audit"], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_risky_spl_using_pretrained_ml_model_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Email Attachments With Lots Of Spaces", "author": "David Dorsey, Splunk", "date": "2024-05-16", "version": 3, "id": "56e877a6-1455-4479-ada6-0550dc1e22f8", "description": "The following analytic detects email attachments with an unusually high number of spaces in their file names, which is a common tactic used by attackers to obfuscate file extensions. It leverages the Email data model to identify attachments where the ratio of spaces to the total file name length exceeds 10%. This behavior is significant as it may indicate an attempt to bypass security filters and deliver malicious payloads. If confirmed malicious, this activity could lead to the execution of harmful code or unauthorized access to sensitive information within the recipient's environment.", "references": [], "tags": {"analytic_story": ["Data Destruction", "Emotet Malware DHS Report TA18-201A", "Hermetic Wiper", "Suspicious Emails"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count values(All_Email.recipient) as recipient_address min(_time) as firstTime max(_time) as lastTime from datamodel=Email where All_Email.file_name=\"*\" by All_Email.src_user, All_Email.file_name All_Email.message_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\"All_Email\")` | eval space_ratio = (mvcount(split(file_name,\" \"))-1)/len(file_name) | search space_ratio >= 0.1 | rex field=recipient_address \"(?.*)@\" | `email_attachments_with_lots_of_spaces_filter`", "how_to_implement": "You need to ingest data from emails. Specifically, the sender's address and the file names of any attachments must be mapped to the Email data model. The threshold ratio is set to 10%, but this value can be configured to suit each environment.\n**Splunk Phantom Playbook Integration**\nIf Splunk Phantom is also configured in your environment, a playbook called \"Suspicious Email Attachment Investigate and Delete\" can be configured to run when any results are found by this detection search. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/` and add the correct hostname to the \"Phantom Instance\" field in the Adaptive Response Actions when configuring this detection search. The notable event will be sent to Phantom and the playbook will gather further information about the file attachment and its network behaviors. If Phantom finds malicious behavior and an analyst approves of the results, the email will be deleted from the user's inbox.", "known_false_positives": "None at this time", "datamodel": ["Email"], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "email_attachments_with_lots_of_spaces_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Email files written outside of the Outlook directory", "author": "Bhavin Patel, Splunk", "date": "2024-05-15", "version": 4, "id": "8d52cf03-ba25-4101-aa78-07994aed4f74", "description": "The following analytic detects email files (.pst or .ost) being created outside the standard Outlook directories. It leverages the Endpoint.Filesystem data model to identify file creation events and filters for email files not located in \"C:\\Users\\*\\My Documents\\Outlook Files\\*\" or \"C:\\Users\\*\\AppData\\Local\\Microsoft\\Outlook*\". This activity is significant as it may indicate data exfiltration or unauthorized access to email data. If confirmed malicious, an attacker could potentially access sensitive email content, leading to data breaches or further exploitation within the network.", "references": [], "tags": {"analytic_story": ["Collection and Staging"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1114", "mitre_attack_technique": "Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Magic Hound", "Silent Librarian"]}, {"mitre_attack_id": "T1114.001", "mitre_attack_technique": "Local Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "Chimera", "Magic Hound"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Filesystem.file_path) as file_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_name=*.pst OR Filesystem.file_name=*.ost) Filesystem.file_path != \"C:\\\\Users\\\\*\\\\My Documents\\\\Outlook Files\\\\*\" Filesystem.file_path!=\"C:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Outlook*\" by Filesystem.action Filesystem.process_id Filesystem.file_name Filesystem.dest | `drop_dm_object_name(\"Filesystem\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `email_files_written_outside_of_the_outlook_directory_filter` ", "how_to_implement": "To successfully implement this search, you must be ingesting data that records the file-system activity from your hosts to populate the Endpoint.Filesystem data model node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or by other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file-system reads and writes.", "known_false_positives": "Administrators and users sometimes prefer backing up their email data by moving the email files into a different folder. These attempts will be detected by the search.", "datamodel": ["Endpoint"], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "email_files_written_outside_of_the_outlook_directory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Email servers sending high volume traffic to hosts", "author": "Bhavin Patel, Splunk", "date": "2024-05-18", "version": 3, "id": "7f5fb3e1-4209-4914-90db-0ec21b556378", "description": "The following analytic identifies a significant increase in data transfers from your email server to client hosts. It leverages the Network_Traffic data model to monitor outbound traffic from email servers, using statistical analysis to detect anomalies based on average and standard deviation metrics. This activity is significant as it may indicate a malicious actor exfiltrating data via your email server. If confirmed malicious, this could lead to unauthorized data access and potential data breaches, compromising sensitive information and impacting organizational security.", "references": [], "tags": {"analytic_story": ["Collection and Staging", "HAFNIUM Group"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1114", "mitre_attack_technique": "Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Magic Hound", "Silent Librarian"]}, {"mitre_attack_id": "T1114.002", "mitre_attack_technique": "Remote Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "Chimera", "Dragonfly", "FIN4", "HAFNIUM", "Ke3chang", "Kimsuky", "Leafminer", "Magic Hound"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` sum(All_Traffic.bytes_out) as bytes_out from datamodel=Network_Traffic where All_Traffic.src_category=email_server by All_Traffic.dest_ip _time span=1d | `drop_dm_object_name(\"All_Traffic\")` | eventstats avg(bytes_out) as avg_bytes_out stdev(bytes_out) as stdev_bytes_out | eventstats count as num_data_samples avg(eval(if(_time < relative_time(now(), \"@d\"), bytes_out, null))) as per_source_avg_bytes_out stdev(eval(if(_time < relative_time(now(), \"@d\"), bytes_out, null))) as per_source_stdev_bytes_out by dest_ip | eval minimum_data_samples = 4, deviation_threshold = 3 | where num_data_samples >= minimum_data_samples AND bytes_out > (avg_bytes_out + (deviation_threshold * stdev_bytes_out)) AND bytes_out > (per_source_avg_bytes_out + (deviation_threshold * per_source_stdev_bytes_out)) AND _time >= relative_time(now(), \"@d\") | eval num_standard_deviations_away_from_server_average = round(abs(bytes_out - avg_bytes_out) / stdev_bytes_out, 2), num_standard_deviations_away_from_client_average = round(abs(bytes_out - per_source_avg_bytes_out) / per_source_stdev_bytes_out, 2) | table dest_ip, _time, bytes_out, avg_bytes_out, per_source_avg_bytes_out, num_standard_deviations_away_from_server_average, num_standard_deviations_away_from_client_average | `email_servers_sending_high_volume_traffic_to_hosts_filter`", "how_to_implement": "This search requires you to be ingesting your network traffic and populating the Network_Traffic data model. Your email servers must be categorized as \"email_server\" for the search to work, as well. You may need to adjust the deviation_threshold and minimum_data_samples values based on the network traffic in your environment. The \"deviation_threshold\" field is a multiplying factor to control how much variation you're willing to tolerate. The \"minimum_data_samples\" field is the minimum number of connections of data samples required for the statistic to be valid.", "known_false_positives": "The false-positive rate will vary based on how you set the deviation_threshold and data_samples values. Our recommendation is to adjust these values based on your network traffic to and from your email servers.", "datamodel": ["Network_Traffic"], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "email_servers_sending_high_volume_traffic_to_hosts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Monitor Email For Brand Abuse", "author": "David Dorsey, Splunk", "date": "2024-04-16", "version": 3, "id": "b2ea1f38-3a3e-4b8a-9cf1-82760d86a6b8", "description": "The following analytic identifies emails claiming to be sent from a domain similar to one you are monitoring for potential abuse. It leverages email header data, specifically the sender's address, and cross-references it with a lookup table of known domain permutations generated by the \"ESCU - DNSTwist Domain Names\" search. This activity is significant as it can indicate phishing attempts or brand impersonation, which are common tactics used in social engineering attacks. If confirmed malicious, this could lead to unauthorized access, data theft, or reputational damage.", "references": [], "tags": {"analytic_story": ["Brand Monitoring", "Suspicious Emails"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(All_Email.recipient) as recipients, min(_time) as firstTime, max(_time) as lastTime from datamodel=Email by All_Email.src_user, All_Email.message_id | `drop_dm_object_name(\"All_Email\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval temp=split(src_user, \"@\") | eval email_domain=mvindex(temp, 1) | lookup update=true brandMonitoring_lookup domain as email_domain OUTPUT domain_abuse | search domain_abuse=true | table message_id, src_user, email_domain, recipients, firstTime, lastTime | `monitor_email_for_brand_abuse_filter`", "how_to_implement": "You need to ingest email header data. Specifically the sender's address (src_user) must be populated. You also need to have run the search \"ESCU - DNSTwist Domain Names\", which creates the permutations of the domain that will be checked for.", "known_false_positives": "None at this time", "datamodel": ["Email"], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "monitor_email_for_brand_abuse_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "brandMonitoring_lookup", "description": "A file that contains look-a-like domains for brands that you want to monitor", "filename": "brand_monitoring.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(domain)", "min_matches": 1, "fields_list": null}]}, {"name": "No Windows Updates in a time frame", "author": "Bhavin Patel, Splunk", "date": "2017-09-15", "version": 1, "id": "1a77c08c-2f56-409c-a2d3-7d64617edd4f", "description": "This search looks for Windows endpoints that have not generated an event indicating a successful Windows update in the last 60 days. Windows updates are typically released monthly and applied shortly thereafter. An endpoint that has not successfully applied an update in this time frame indicates the endpoint is not regularly being patched for some reason.", "references": [], "tags": {"analytic_story": ["Monitor for Updates"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` max(_time) as lastTime from datamodel=Updates where Updates.status=Installed Updates.vendor_product=\"Microsoft Windows\" by Updates.dest Updates.status Updates.vendor_product | rename Updates.dest as Host | rename Updates.status as \"Update Status\" | rename Updates.vendor_product as Product | eval isOutlier=if(lastTime <= relative_time(now(), \"-60d@d\"), 1, 0) | `security_content_ctime(lastTime)` | search isOutlier=1 | rename lastTime as \"Last Update Time\", | table Host, \"Update Status\", Product, \"Last Update Time\" | `no_windows_updates_in_a_time_frame_filter`", "how_to_implement": "To successfully implement this search, it requires that the 'Update' data model is being populated. This can be accomplished by ingesting Windows events or the Windows Update log via a universal forwarder on the Windows endpoints you wish to monitor. The Windows add-on should be also be installed and configured to properly parse Windows events in Splunk. There may be other data sources which can populate this data model, including vulnerability management systems.", "known_false_positives": "None identified", "datamodel": ["Updates"], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "no_windows_updates_in_a_time_frame_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Okta Authentication Failed During MFA Challenge", "author": "Bhavin Patel, Splunk", "date": "2024-03-11", "version": 1, "id": "e2b99e7d-d956-411a-a120-2b14adfdde93", "description": "The following analytic identifies an authentication attempt event against an Okta tenant that fails during the Multi-Factor Authentication (MFA) challenge. This detection is written against the Authentication datamodel and we look for a specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", "references": ["https://sec.okta.com/everythingisyes", "https://splunkbase.splunk.com/app/6553"], "tags": {"analytic_story": ["Okta Account Takeover"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Weaponization"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "A user [$user$] has failed to authenticate via MFA from IP Address - [$src$]\"", "risk_score": 48, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$", "Scattered Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Authentication.app) as app values(Authentication.reason) as reason values(Authentication.signature) as signature values(Authentication.method) as method from datamodel=Authentication where Authentication.signature=user.authentication.auth_via_mfa Authentication.action = failure by _time Authentication.src Authentication.user Authentication.dest Authentication.action | `drop_dm_object_name(\"Authentication\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| iplocation src | `okta_authentication_failed_during_mfa_challenge_filter`", "how_to_implement": "The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).", "known_false_positives": "A user may have accidentally entered the wrong credentials during the MFA challenge. If the user is new to MFA, they may have trouble authenticating. Ensure that the user is aware of the MFA process and has the correct credentials.", "datamodel": ["Authentication"], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "okta_authentication_failed_during_mfa_challenge_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Okta IDP Lifecycle Modifications", "author": "Bhavin Patel, Splunk", "date": "2024-03-14", "version": 1, "id": "e0be2c83-5526-4219-a14f-c3db2e763d15", "description": "This detection identifies modifications to Okta Identity Provider (IDP) lifecycle events, such as creation, activation, deactivation, and deletion of IDP configurations. Monitoring these events is crucial for maintaining the integrity and security of authentication mechanisms within an organization. By detecting unauthorized or anomalous changes, organizations can quickly respond to potential security breaches or misconfigurations, ensuring that their identity management systems remain secure and operational.", "references": ["https://www.obsidiansecurity.com/blog/behind-the-breach-cross-tenant-impersonation-in-okta/", "https://splunkbase.splunk.com/app/6553"], "tags": {"analytic_story": ["Suspicious Okta Activity"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "A user [$user$] is attempting IDP lifecycle modification - [$description$] from IP Address - [$src$]\"", "risk_score": 81, "security_domain": "identity", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.004", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT29"]}]}, "type": "Anomaly", "search": "`okta` eventType IN (\"system.idp.lifecycle.activate\",\"system.idp.lifecycle.create\",\"system.idp.lifecycle.delete\",\"system.idp.lifecycle.deactivate\") | stats count min(_time) as firstTime max(_time) as lastTime values(target{}.id) as target_id values(target{}.type) as target_modified by src dest src_user_id user user_agent command description | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_idp_lifecycle_modifications_filter`", "how_to_implement": "The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).", "known_false_positives": "It's possible for legitimate administrative actions or automated processes to trigger this detection, especially if there are bulk modifications to Okta IDP lifecycle events. Review the context of the modification, such as the user making the change and the specific lifecycle event modified, to determine if it aligns with expected behavior.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "okta_idp_lifecycle_modifications_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Okta MFA Exhaustion Hunt", "author": "Michael Haag, Marissa Bower, Mauricio Velazco, Splunk", "date": "2022-09-27", "version": 2, "id": "97e2fe57-3740-402c-988a-76b64ce04b8d", "description": "The following analytic identifies patterns within Okta data to determine the amount of successful and failed pushes. Based on that, eval statements determine a finding of whether this is suspicious or not. The events are within a window of time and may be tuned as needed.", "references": ["https://developer.okta.com/docs/reference/api/event-types/?q=user.acount.lock", "https://sec.okta.com/everythingisyes", "https://splunkbase.splunk.com/app/6553"], "tags": {"analytic_story": ["Okta Account Takeover", "Okta MFA Exhaustion"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "$user$ account has rejected multiple Okta pushes.", "risk_score": 18, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "type": "Hunting", "search": "`okta` eventType=system.push.send_factor_verify_push OR ((legacyEventType=core.user.factor.attempt_success) AND (debugContext.debugData.factor=OKTA_VERIFY_PUSH)) OR ((legacyEventType=core.user.factor.attempt_fail) AND (debugContext.debugData.factor=OKTA_VERIFY_PUSH)) | stats count(eval(legacyEventType=\"core.user.factor.attempt_success\")) as successes count(eval(legacyEventType=\"core.user.factor.attempt_fail\")) as failures count(eval(eventType=\"system.push.send_factor_verify_push\")) as pushes by user,_time | stats latest(_time) as lasttime earliest(_time) as firsttime sum(successes) as successes sum(failures) as failures sum(pushes) as pushes by user | eval seconds=lasttime-firsttime | eval lasttime=strftime(lasttime, \"%c\") | search (pushes>1) | eval totalattempts=successes+failures | eval finding=\"Normal authentication pattern\" | eval finding=if(failures==pushes AND pushes>1,\"Authentication attempts not successful because multiple pushes denied\",finding) | eval finding=if(totalattempts==0,\"Multiple pushes sent and ignored\",finding) | eval finding=if(successes>0 AND pushes>3,\"Probably should investigate. Multiple pushes sent, eventual successful authentication!\",finding) | `okta_mfa_exhaustion_hunt_filter`", "how_to_implement": "The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).", "known_false_positives": "False positives may be present. Tune Okta and tune the analytic to ensure proper fidelity. Modify risk score as needed. Drop to anomaly until tuning is complete.", "datamodel": ["Authentication"], "source": "application", "nes_fields": null, "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_mfa_exhaustion_hunt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Okta Mismatch Between Source and Response for Verify Push Request", "author": "John Murphy and Jordan Ruocco, Okta, Michael Haag, Splunk", "date": "2023-03-17", "version": 1, "id": "8085b79b-9b85-4e67-ad63-351c9e9a5e9a", "description": "The following analytic identifies variations in client-based values for source and response events to identify suspicious request behavior. The detection is enhanced if the org is evaluating behavior conditions in sign-on policies using Okta Behavior Detection. NOTE: This detection requires the use of Okta Identity Engine (OIE) and will not function on Okta Classic.\nFor each Okta Verify Push challenge, the following two events are recorded in Okta System Log\nSource of Push (Sign-In)\neventType eq \\\"system.push.send_factor_verify_push\\\"\nUser Push Response (Okta Verify client)\neventType eq \"user.authentication.auth_via_mfa\" AND debugContext.debugData.factor eq \"OKTA_VERIFY_PUSH\"\nIn sequence, the logic for the analytic -\n* Groups by SessionID and retrieves any system.push.send_factor_verify_push events (the source of the push) and user.authentication.auth_via_mfa events where the factor is OKTA_VERIFY_PUSH - (the user response to the push)\n* Counts the total number of push events, successful authentication events, and any push sources where the client is a new device. * Creates a ratio of successful sign-ins to pushes.\n* If the ratio (currently tuned aggressively) indicates push spam, or if a user has rejected a push, the detection proceeds to evaluate whether there is more than one IP address used during the session (session roaming) and the presence of both a new IP and new device during the session.", "references": ["https://attack.mitre.org/techniques/T1621", "https://splunkbase.splunk.com/app/6553"], "tags": {"analytic_story": ["Okta Account Takeover", "Okta MFA Exhaustion"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "actor.alternateId", "type": "User", "role": ["Victim"]}], "message": "A mismatch between source and response for verifying a push request has occurred for $actor.alternateId$", "risk_score": 64, "security_domain": "access", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$", "Scattered Spider"]}]}, "type": "TTP", "search": "`okta` eventType IN (system.push.send_factor_verify_push) OR (eventType IN (user.authentication.auth_via_mfa) debugContext.debugData.factor=\"OKTA_VERIFY_PUSH\") | eval groupby=\"authenticationContext.externalSessionId\" | eval group_push_time=_time | bin span=2s group_push_time | fillnull value=NULL | stats min(_time) as _time by authenticationContext.externalSessionId eventType debugContext.debugData.factor outcome.result actor.alternateId client.device client.ipAddress client.userAgent.rawUserAgent debugContext.debugData.behaviors group_push_time groupby | iplocation client.ipAddress | fields - lat, lon, group_push_time | stats min(_time) as _time dc(client.ipAddress) as dc_ip sum(eval(if(eventType=\"system.push.send_factor_verify_push\" AND \"outcome.result\"=\"SUCCESS\",1,0))) as total_pushes sum(eval(if(eventType=\"user.authentication.auth_via_mfa\" AND \"outcome.result\"=\"SUCCESS\",1,0))) as total_successes sum(eval(if(eventType=\"user.authentication.auth_via_mfa\" AND \"outcome.result\"=\"FAILURE\",1,0))) as total_rejected sum(eval(if(eventType=\"system.push.send_factor_verify_push\" AND \"debugContext.debugData.behaviors\" LIKE \"%New Device=POSITIVE%\",1,0))) as suspect_device_from_source sum(eval(if(eventType=\"system.push.send_factor_verify_push\" AND \"debugContext.debugData.behaviors\" LIKE \"%New IP=POSITIVE%\",0,0))) as suspect_ip_from_source values(eval(if(eventType=\"system.push.send_factor_verify_push\",\"client.ipAddress\",\"\"))) as src values(eval(if(eventType=\"user.authentication.auth_via_mfa\",\"client.ipAddress\",\"\"))) as dest values(*) as * by groupby | eval ratio = round(total_successes/total_pushes,2) | search ((ratio < 0.5 AND total_pushes > 1) OR (total_rejected > 0)) AND dc_ip > 1 AND suspect_device_from_source > 0 AND suspect_ip_from_source > 0 | `okta_mismatch_between_source_and_response_for_verify_push_request_filter`", "how_to_implement": "The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).", "known_false_positives": "False positives may be present based on organization size and configuration of Okta. Monitor, tune and filter as needed.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_mismatch_between_source_and_response_for_verify_push_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Okta Multi-Factor Authentication Disabled", "author": "Mauricio Velazco, Splunk", "date": "2024-03-11", "version": 1, "id": "7c0348ce-bdf9-45f6-8a57-c18b5976f00a", "description": "The following analytic identifies an attempt to disable multi-factor authentication for an Okta user. An adversary who has obtained access to an Okta tenant may disable multi-factor authentication as a way to plant a backdoor and maintain persistence using a valid account. This way the attackers can keep persistance in the environment without adding new users.", "references": ["https://attack.mitre.org/techniques/T1556/", "https://splunkbase.splunk.com/app/6553"], "tags": {"analytic_story": ["Okta Account Takeover"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "MFA was disabled for User [$user$] initiated by [$src$]. Investigate further to determine if this was authorized.", "risk_score": 30, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1556.006", "mitre_attack_technique": "Multi-Factor Authentication", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["Scattered Spider"]}]}, "type": "TTP", "search": " | tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime from datamodel=Change where sourcetype=\"OktaIM2:log\" All_Changes.object_category=User AND All_Changes.action=modified All_Changes.command=user.mfa.factor.deactivate by All_Changes.user All_Changes.result All_Changes.command sourcetype All_Changes.src | `drop_dm_object_name(\"All_Changes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_multi_factor_authentication_disabled_filter`", "how_to_implement": "The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).", "known_false_positives": "Legitimate use case may require for users to disable MFA. Filter lightly and monitor for any unusual activity.", "datamodel": ["Change"], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "okta_multi_factor_authentication_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Okta Multiple Accounts Locked Out", "author": "Michael Haag, Mauricio Velazco, Splunk", "date": "2024-03-06", "version": 1, "id": "a511426e-184f-4de6-8711-cfd2af29d1e1", "description": "The following analytic utilizes the user.acount.lock event to identify multiple Okta accounts locking out in a short period of time. An adversary attempting to brute force or password spray account names may lock accounts out depending on the threshold set by the organization. Monitoring for multiple account lockouts can help detect potential account takeover attempts or unauthorized access to Okta accounts.", "references": ["https://attack.mitre.org/techniques/T1110/", "https://splunkbase.splunk.com/app/6553"], "tags": {"analytic_story": ["Okta Account Takeover"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Multiple accounts locked out in Okta from [$src$]. Investigate further to determine if this was authorized.", "risk_score": 49, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime values(All_Changes.user) as user from datamodel=Change where All_Changes.change_type=AAA All_Changes.object_category=User AND All_Changes.action=lockout AND All_Changes.command=user.account.lock by _time span=5m All_Changes.result All_Changes.command sourcetype All_Changes.src | where count > 5 | `drop_dm_object_name(\"All_Changes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_multiple_accounts_locked_out_filter`", "how_to_implement": "The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).", "known_false_positives": "Multiple account lockouts may be also triggered by an application malfunction. Filter as needed, and monitor for any unusual activity.", "datamodel": ["Change"], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "okta_multiple_accounts_locked_out_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Okta Multiple Failed MFA Requests For User", "author": "Mauricio Velazco, Splunk", "date": "2024-03-05", "version": 1, "id": "826dbaae-a1e6-4c8c-b384-d16898956e73", "description": "The following analytic identifies multiple failed multi-factor authentication requests for a single user within an Okta tenant. Specifically, the analytic triggers when more than 10 MFA user prompts fail within 10 minutes. The reasons for these failure could be several, like the user not responding in time or receiving multiple duplicate MFA requests. Okta tenants can be very different depending on the organization, Security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls as reported by Mandiant and others.", "references": ["https://attack.mitre.org/techniques/T1621/"], "tags": {"analytic_story": ["Okta Account Takeover"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "src_user", "type": "User", "role": ["Victim"]}], "message": "Multiple failed MFA requests for user [$src_user$] from IP Address - [$src_ip$]. Investigate further to determine if this was authorized.", "risk_score": 42, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$", "Scattered Spider"]}]}, "type": "Anomaly", "search": " `okta` eventType=user.authentication.auth_via_mfa outcome.result=FAILURE debugContext.debugData.factor!=PASSWORD_AS_FACTOR | bucket _time span=5m | stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) values(src_ip) as src_ip values(debugContext.debugData.factor) by _time src_user | where count >= 5 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_multiple_failed_mfa_requests_for_user_filter`", "how_to_implement": "The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).", "known_false_positives": "Multiple Failed MFA requests may also be a sign of authentication or application issues. Filter as needed and monitor for any unusual activity.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "okta_multiple_failed_mfa_requests_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Okta Multiple Failed Requests to Access Applications", "author": "John Murphy, Okta, Michael Haag, Splunk", "date": "2023-03-17", "version": 1, "id": "1c21fed1-7000-4a2e-9105-5aaafa437247", "description": "The following analytic identifies multiple failed app requests in an attempt to identify the reuse a stolen web session cookie. The logic of the analytic is as follows: * Retrieves policy evaluation and SSO details in events that contain the Application requested\n* Formats target fields so we can aggregate specifically on Applications (AppInstances)\n* Groups by User, Session and IP\n* Creates a ratio of successful SSO events to total MFA challenges related to Application Sign On Policies\n* Alerts when more than half of app sign on events are unsuccessful, and challenges were unsatisfied for more than three apps.", "references": ["https://attack.mitre.org/techniques/T1538", "https://attack.mitre.org/techniques/T1550/004"], "tags": {"analytic_story": ["Okta Account Takeover"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "actor.alternateId", "type": "User", "role": ["Victim"]}], "message": "Multiple Failed Requests to Access Applications via Okta for $actor.alternateId$.", "risk_score": 56, "security_domain": "access", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1550.004", "mitre_attack_technique": "Web Session Cookie", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1538", "mitre_attack_technique": "Cloud Service Dashboard", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Scattered Spider"]}]}, "type": "Hunting", "search": "`okta` target{}.type=AppInstance (eventType=policy.evaluate_sign_on outcome.result=CHALLENGE) OR (eventType=user.authentication.sso outcome.result=SUCCESS) | eval targets=mvzip('target{}.type', 'target{}.displayName', \": \") | eval targets=mvfilter(targets LIKE \"AppInstance%\") | stats count min(_time) as _time values(outcome.result) as outcome.result dc(eval(if(eventType=\"policy.evaluate_sign_on\",targets,NULL))) as total_challenges sum(eval(if(eventType=\"user.authentication.sso\",1,0))) as total_successes by authenticationContext.externalSessionId targets actor.alternateId client.ipAddress | search total_challenges > 0 | stats min(_time) as _time values(*) as * sum(total_challenges) as total_challenges sum(total_successes) as total_successes values(eval(if(\"outcome.result\"=\"SUCCESS\",targets,NULL))) as success_apps values(eval(if(\":outcome.result\"!=\"SUCCESS\",targets,NULL))) as no_success_apps by authenticationContext.externalSessionId actor.alternateId client.ipAddress | fillnull | eval ratio=round(total_successes/total_challenges,2), severity=\"HIGH\", mitre_technique_id=\"T1538\", description=\"actor.alternateId\". \" from \" . \"client.ipAddress\" . \" seen opening \" . total_challenges . \" chiclets/apps with \" . total_successes . \" challenges successfully passed\" | fields - count, targets | search ratio < 0.5 total_challenges > 2 | `okta_multiple_failed_requests_to_access_applications_filter`", "how_to_implement": "This analytic is specific to Okta and requires Okta:im2 logs to be ingested.", "known_false_positives": "False positives may be present based on organization size and configuration of Okta.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_multiple_failed_requests_to_access_applications_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Okta Multiple Users Failing To Authenticate From Ip", "author": "Michael Haag, Mauricio Velazco, Splunk", "date": "2024-03-06", "version": 1, "id": "de365ffa-42f5-46b5-b43f-fa72290b8218", "description": "This analytic identifies instances where multiple users (more than 10 unique accounts) have failed to authenticate from a single IP address within a short time span (5 minutes) within an Okta tenant. Such a pattern can be indicative of malicious activities, such as brute-force attacks or password spraying attempts. Identifying and responding to such patterns promptly is crucial to prevent potential account compromises and unauthorized access to organizational resources. If the detection is a true positive, it suggests that an external entity is actively trying to breach security by targeting multiple user accounts.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://splunkbase.splunk.com/app/6553"], "tags": {"analytic_story": ["Okta Account Takeover"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Multiple users failing to authenticate from a single source IP Address - [$src$]. Investigate further to determine if this was authorized.", "risk_score": 54, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}]}, "type": "Anomaly", "search": " | tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime dc(Authentication.user) as unique_accounts values(Authentication.signature) as signature values(Authentication.user) as user values(Authentication.app) as app values(Authentication.authentication_method) as authentication_method from datamodel=Authentication where Authentication.action=\"failure\" AND Authentication.signature=user.session.start by _time span=5m Authentication.src sourcetype | where unique_accounts > 9 | `drop_dm_object_name(\"Authentication\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_multiple_users_failing_to_authenticate_from_ip_filter`", "how_to_implement": "The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).", "known_false_positives": "A source Ip failing to authenticate with multiple users in a short period of time is not common legitimate behavior.", "datamodel": ["Authentication"], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "okta_multiple_users_failing_to_authenticate_from_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Okta New API Token Created", "author": "Michael Haag, Mauricio Velazco, Splunk", "date": "2022-09-21", "version": 2, "id": "c3d22720-35d3-4da4-bd0a-740d37192bd4", "description": "The following analytic identifies when a new API token is created within an Okta tenant. An adversary may create a new API token to maintain persistence within the environment. Monitoring for new API tokens can help detect potential account takeover attempts or unauthorized access to Okta accounts.", "references": ["https://developer.okta.com/docs/reference/api/event-types/?q=security.threat.detected", "https://splunkbase.splunk.com/app/6553"], "tags": {"analytic_story": ["Okta Account Takeover"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A new API token was created in Okta by [$user$]. Investigate further to determine if this was authorized.", "risk_score": 64, "security_domain": "access", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.001", "mitre_attack_technique": "Default Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["FIN13", "Magic Hound"]}]}, "type": "TTP", "search": " | tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime from datamodel=Change where All_Changes.action=created AND All_Changes.command=system.api_token.create by _time span=5m All_Changes.user All_Changes.result All_Changes.command sourcetype All_Changes.src All_Changes.action All_Changes.object_category | `drop_dm_object_name(\"All_Changes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_new_api_token_created_filter`", "how_to_implement": "The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).", "known_false_positives": "False positives may be present. Tune Okta and tune the analytic to ensure proper fidelity. Modify risk score as needed.", "datamodel": ["Change"], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "okta_new_api_token_created_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Okta New Device Enrolled on Account", "author": "Michael Haag, Mauricio Velazco, Splunk", "date": "2024-03-08", "version": 2, "id": "bb27cbce-d4de-432c-932f-2e206e9130fb", "description": "The following analytic identifies when a new device is enrolled on an Okta account. This behavior is indicative of a user adding a new device to their account. This activity is common when a user is setting up a new device or when a user has lost access to their previous device. However, this activity can also be indicative of an adversary adding a new device to an account to maintain access to an account. Monitoring for this activity can help detect potential account takeover attempts or unauthorized access to Okta accounts.", "references": ["https://attack.mitre.org/techniques/T1098/005/", "https://developer.okta.com/docs/reference/api/event-types/?q=device.enrollment.create"], "tags": {"analytic_story": ["Okta Account Takeover"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A new device was enrolled on an Okta account for user [$user$]. Investigate further to determine if this was authorized.", "risk_score": 24, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1098.005", "mitre_attack_technique": "Device Registration", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29"]}]}, "type": "TTP", "search": " | tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime from datamodel=Change where All_Changes.action=created All_Changes.command=device.enrollment.create by _time span=5m All_Changes.user All_Changes.result All_Changes.command sourcetype All_Changes.src All_Changes.action All_Changes.object_category | `drop_dm_object_name(\"All_Changes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_new_device_enrolled_on_account_filter`", "how_to_implement": "The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).", "known_false_positives": "It is possible that the user has legitimately added a new device to their account. Please verify this activity.", "datamodel": ["Change"], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "okta_new_device_enrolled_on_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Okta Phishing Detection with FastPass Origin Check", "author": "Okta, Inc, Michael Haag, Splunk", "date": "2023-03-09", "version": 1, "id": "f4ca0057-cbf3-44f8-82ea-4e330ee901d3", "description": "The following analytic identifies when Okta''s FastPass prevents known phishing sites. When your users are enrolled in FastPass, Okta can provide defenders a high-fidelity signal for when user applications are being targeted by attackers wielding real-time (AiTM) proxies. Okta''s Defensive Cyber Operations team routinely identifies phishing infrastructure configured to imitate an Okta sign-in page and proactively notify Okta customers when suspicious infrastructure we detect appears to be targeting their users. Since March 2020, we have delivered over 1000 notifications to customers.", "references": ["https://sec.okta.com/fastpassphishingdetection"], "tags": {"analytic_story": ["Okta Account Takeover"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Okta FastPass has prevented $user$ from authenticating to a malicious site.", "risk_score": 100, "security_domain": "access", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.001", "mitre_attack_technique": "Default Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["FIN13", "Magic Hound"]}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["FIN13"]}]}, "type": "TTP", "search": "`okta` eventType=\"user.authentication.auth_via_mfa\" AND result=\"FAILURE\" AND outcome.reason=\"FastPass declined phishing attempt\" | stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) by user eventType client.userAgent.rawUserAgent client.userAgent.browser outcome.reason | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_phishing_detection_with_fastpass_origin_check_filter`", "how_to_implement": "This search is specific to Okta and requires Okta logs to be ingested in your Splunk deployment.", "known_false_positives": "Fidelity of this is high as Okta is specifying malicious infrastructure. Filter and modify as needed.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "okta_phishing_detection_with_fastpass_origin_check_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Okta Risk Threshold Exceeded", "author": "Michael Haag, Bhavin Patel, Splunk", "date": "2024-04-02", "version": 2, "id": "d8b967dd-657f-4d88-93b5-c588bcd7218c", "description": "This correlation computes the risk events associated with the detection analytics from \"Suspicious Okta Activity\", \"Okta Account Takeover\", and \"Okta MFA Exhaustion\" analytic stories. This analytic will trigger a notable event in your incident review when there are 5 or more distinct TTPs related to these analytic stories in the last 24 hours. This incident highlights potentially suspicious activity by a compromised user.", "references": ["https://developer.okta.com/docs/reference/api/event-types", "https://sec.okta.com/everythingisyes"], "tags": {"analytic_story": ["Okta Account Takeover", "Okta MFA Exhaustion", "Suspicious Okta Activity"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "User", "role": ["Victim"]}], "message": "Okta Risk threshold exceeded for user [$risk_object$]. Investigate further to determine if this was authorized.", "risk_score": 56, "security_domain": "access", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "type": "Correlation", "search": "| tstats `security_content_summariesonly` values(All_Risk.analyticstories) as analyticstories sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count,values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.risk_object_type = user All_Risk.analyticstories IN (\"Okta Account Takeover\", \"Suspicious Okta Activity\",\"Okta MFA Exhaustion\") by All_Risk.risk_object,All_Risk.risk_object_type | `drop_dm_object_name(\"All_Risk\")` | search mitre_technique_id_count > 5 | `okta_risk_threshold_exceeded_filter`", "how_to_implement": "This search leverages the Risk Framework from Enterprise Security. Ensure that \"Suspicious Okta Activity\", \"Okta Account Takeover\", and \"Okta MFA Exhaustion\" analytic stories are enabled. TTPs may be set to Notables for point detections; anomalies should not be notables but rather risk generators. The correlation relies on risk before generating a notable. Modify the value as needed.", "known_false_positives": "False positives will be limited to the number of events generated by the analytics tied to the stories. Analytics will need to be tested and tuned, and the risk score reduced as needed based on the organization.", "datamodel": ["Risk"], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "okta_risk_threshold_exceeded_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Okta Successful Single Factor Authentication", "author": "Bhavin Patel, Splunk", "date": "2024-04-08", "version": 1, "id": "98f6ad4f-4325-4096-9d69-45dc8e638e82", "description": "This analytic identifies successful authentication events against the Okta Dashboard for accounts without Multi-Factor Authentication enabled. It specifically searches for events where \"Okta Verify\" is not detected during authentication. This could indicate a misconfiguration, a policy violation, or an account takeover attempt that warrants investigation. If your organization has other authenticators configured in the environment, consider excluding those from the \"targets\" in the detection search.", "references": ["https://sec.okta.com/everythingisyes", "https://attack.mitre.org/techniques/T1078/004/"], "tags": {"analytic_story": ["Okta Account Takeover"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Weaponization"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A user [$user$] has successfully logged in to Okta Dashboard with single factor authentication from IP Address - [$src_ip$].", "risk_score": 48, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$", "Scattered Spider"]}]}, "type": "Anomaly", "search": "`okta` action=success src_user_type = User eventType = user.authentication.verify OR eventType = user.authentication.auth_via_mfa| stats dc(eventType) values(eventType) as eventType values(target{}.displayName) as targets values(debugContext.debugData.url) min(_time) as firstTime max(_time) as lastTime values(authentication_method) by src_ip user action | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search targets !=\"Okta Verify\" | `okta_successful_single_factor_authentication_filter`", "how_to_implement": "This detection utilizes logs from Okta environments and requires the ingestion of OktaIm2 logs through the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).", "known_false_positives": "Although not recommended, certain users may be exempt from multi-factor authentication. Adjust the filter as necessary.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "okta_successful_single_factor_authentication_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Okta Suspicious Activity Reported", "author": "Michael Haag, Splunk", "date": "2024-05-13", "version": 3, "id": "bfc840f5-c9c6-454c-aa13-b46fd0bf1e79", "description": "The following analytic identifies when an associate reports a login attempt as suspicious via an email from Okta. It leverages Okta Identity Management logs, specifically the `user.account.report_suspicious_activity_by_enduser` event type. This activity is significant as it indicates potential unauthorized access attempts, warranting immediate investigation to prevent possible security breaches. If confirmed malicious, the attacker could gain unauthorized access to sensitive systems and data, leading to data theft, privilege escalation, or further compromise of the environment.", "references": ["https://help.okta.com/en-us/Content/Topics/Security/suspicious-activity-reporting.htm"], "tags": {"analytic_story": ["Okta Account Takeover"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A user [$user$] reported suspicious activity in Okta. Investigate further to determine if this was authorized.", "risk_score": 25, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.001", "mitre_attack_technique": "Default Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["FIN13", "Magic Hound"]}]}, "type": "TTP", "search": "`okta` eventType=user.account.report_suspicious_activity_by_enduser | stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) by user eventType client.userAgent.rawUserAgent client.userAgent.browser client.geographicalContext.city client.geographicalContext.country | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_suspicious_activity_reported_filter`", "how_to_implement": "This detection utilizes logs from Okta Identity Management (IM) environments. It requires the ingestion of OktaIm2 logs through the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). Additionally, it necessitates the activation of suspicious activity reporting and training for associates to report such activities.", "known_false_positives": "False positives should be minimal, given the high fidelity of this detection. marker.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "okta_suspicious_activity_reported_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Okta Suspicious Use of a Session Cookie", "author": "Scott Dermott, Felicity Robson, Okta, Michael Haag, Bhavin Patel, Splunk", "date": "2024-03-17", "version": 2, "id": "71ad47d1-d6bd-4e0a-b35c-020ad9a6959e", "description": "The following analytic looks for one or more policy evaluation events in which multiple client values (IP, User Agent, etc.) change associated to the same Device Token for a specific user. A detection opportunity arises when an adversary attempts to reuse a stolen web session cookie.\n* Retrieves policy evaluation events from successful authentication events.\n* Aggregates/Groups by Device Token and User, providing the first policy evaluation event in the search window.\n* It checks for the presence of more than one IP and whether there are multiple OS or browsers for each User/Device Token combination.", "references": ["https://attack.mitre.org/techniques/T1539/"], "tags": {"analytic_story": ["Okta Account Takeover", "Suspicious Okta Activity"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A user [$user$] is attempting to use a session cookie from multiple IP addresses or devices. Investigate further to determine if this was authorized.", "risk_score": 56, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1539", "mitre_attack_technique": "Steal Web Session Cookie", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Evilnum", "LuminousMoth", "Sandworm Team", "Scattered Spider"]}]}, "type": "Anomaly", "search": "`okta` eventType IN (policy.evaluate_sign_on) outcome.result IN (ALLOW, SUCCESS) | stats earliest(_time) as _time, values(client.ipAddress) as src_ip, values(client.userAgent.rawUserAgent) as user_agent, values(client.userAgent.os) as userAgentOS_list, values(client.geographicalContext.city) as city, values(client.userAgent.browser) as userAgentBrowser_list, values(device.os_platform) as okta_device_os, dc(client.userAgent.browser) as dc_userAgentBrowser, dc(client.userAgent.os) as dc_userAgentOS, dc(client.ipAddress) as dc_src_ip, values(outcome.reason) as reason by debugContext.debugData.dtHash, user | where dc_src_ip>1 AND (dc_userAgentOS>1 OR dc_userAgentBrowser>1) | `okta_suspicious_use_of_a_session_cookie_filter`", "how_to_implement": "This detection utilizes logs from Okta Identity Management (IM) environments. It requires the ingestion of OktaIm2 logs through the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).", "known_false_positives": "False positives may occur, depending on the organization's size and the configuration of Okta.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_suspicious_use_of_a_session_cookie_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Okta ThreatInsight Threat Detected", "author": "Michael Haag, Mauricio Velazco, Splunk", "date": "2022-09-21", "version": 2, "id": "140504ae-5fe2-4d65-b2bc-a211813fbca6", "description": "This anomaly is based on the identification of threats by Okta ThreatInsight. It allows for the escalation of risk based on src_ip or the addition of fields for further tracking. Possible identifications include password spraying, login failures, and login failures with a high count of unknown users.", "references": ["https://developer.okta.com/docs/reference/api/event-types/?q=security.threat.detected"], "tags": {"analytic_story": ["Okta Account Takeover"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "app", "type": "Endpoint", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "The following $src_ip$ has been identified as a threat by Okta ThreatInsight. Investigate further to determine if this was authorized.", "risk_score": 25, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}]}, "type": "Anomaly", "search": "`okta` eventType = security.threat.detected | rename client.geographicalContext.country as country, client.geographicalContext.state as state, client.geographicalContext.city as city | stats count min(_time) as firstTime max(_time) as lastTime by app src_ip signature eventType displayMessage client.device city state country user_agent outcome.reason outcome.result severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_threatinsight_threat_detected_filter`", "how_to_implement": "This detection utilizes logs from Okta Identity Management (IM) environments. It requires the ingestion of OktaIm2 logs through the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).", "known_false_positives": "False positives may occur. It is recommended to fine-tune Okta settings and the analytic to ensure high fidelity. Adjust the risk score as necessary.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "okta_threatinsight_threat_detected_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Okta Unauthorized Access to Application", "author": "Bhavin Patel, Splunk", "date": "2024-03-07", "version": 1, "id": "5f661629-9750-4cb9-897c-1f05d6db8727", "description": "This search detects instances where a user attempts to access an Okta application that has not been assigned to them. Such unauthorized access to applications poses a significant security risk, potentially leading to the exposure of sensitive information, disruption of services, and breaches of data protection laws. Ensuring that only authorized users have access to applications is crucial for maintaining a secure and compliant IT environment.", "references": ["https://attack.mitre.org/techniques/T1110/003/"], "tags": {"analytic_story": ["Okta Account Takeover"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "A user [$user$] is attempting to access an unauthorized application from IP Address - [$src$]", "risk_score": 81, "security_domain": "identity", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.004", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT29"]}]}, "type": "Anomaly", "search": "| tstats values(Authentication.app) as app values(Authentication.action) as action values(Authentication.user) as user values(Authentication.reason) as reason from datamodel=Authentication where Authentication.signature=app.generic.unauth_app_access_attempt Authentication.action=\"failure\" by _time Authentication.src Authentication.user | `drop_dm_object_name(\"Authentication\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | iplocation src | `okta_unauthorized_access_to_application_filter`", "how_to_implement": "This detection utilizes logs from Okta Identity Management (IM) environments and requires the ingestion of OktaIm2 logs through the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).", "known_false_positives": "There is a possibility that a user may accidentally click on the wrong application, which could trigger this event. It is advisable to verify the location from which this activity originates.", "datamodel": ["Authentication"], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "okta_unauthorized_access_to_application_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Okta User Logins from Multiple Cities", "author": "Bhavin Patel, Splunk", "date": "2024-03-07", "version": 1, "id": "a3d1df37-c2a9-41d0-aa8f-59f82d6192a8", "description": "This search identifies instances where the same user logs in from different cities within a 24-hour period, potentially indicating a compromised account. Such behavior may be indicative of an attacker attempting to gain unauthorized access to an Okta account from multiple locations. Investigating and responding to such incidents promptly is crucial to prevent account takeovers and data breaches.", "references": ["https://attack.mitre.org/techniques/T1110/003/"], "tags": {"analytic_story": ["Okta Account Takeover"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization"], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A user [$user$] has logged in from multiple cities [$City$] from IP Address - [$src$]. Investigate further to determine if this was authorized.", "risk_score": 81, "security_domain": "identity", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Authentication.app) as app values(Authentication.action) as action values(Authentication.user) as user values(Authentication.reason) as reason values(Authentication.dest) as dest values(Authentication.signature) as signature values(Authentication.method) as method from datamodel=Authentication where Authentication.signature=user.session.start by _time Authentication.src | `drop_dm_object_name(\"Authentication\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | iplocation src | stats count min(_time) as firstTime max(_time) as lastTime dc(src) as distinct_src dc(City) as distinct_city values(src) as src values(City) as City values(Country) as Country values(action) as action by user | where distinct_city > 1 | `okta_user_logins_from_multiple_cities_filter`", "how_to_implement": "This detection utilizes logs from Okta Identity Management (IM) environments. It requires the ingestion of OktaIm2 logs through the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).", "known_false_positives": "It is uncommon for a user to log in from multiple cities simultaneously, which may indicate a false positive.", "datamodel": ["Authentication"], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "okta_user_logins_from_multiple_cities_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Path traversal SPL injection", "author": "Rod Soto, Splunk", "date": "2024-03-19", "version": 2, "id": "dfe55688-82ed-4d24-a21b-ed8f0e0fda99", "description": "On May 3rd, 2022, Splunk published a security advisory for a Path traversal in search parameter that can potentiall allow SPL injection. An attacker can cause the application to load data from incorrect endpoints, urls leading to outcomes such as running arbitrary SPL queries.", "references": ["https://www.splunk.com/en_us/product-security/announcements/svd-2022-0506.html"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}, {"name": "clientip", "type": "IP Address", "role": ["Attacker"]}], "message": "Path traversal exploitation attempt from $clientip$", "risk_score": 40, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1083", "mitre_attack_technique": "File and Directory Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT28", "APT3", "APT32", "APT38", "APT39", "APT41", "APT5", "Aoqin Dragon", "BRONZE BUTLER", "Chimera", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN13", "Fox Kitten", "Gamaredon Group", "HAFNIUM", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leafminer", "LuminousMoth", "Magic Hound", "MuddyWater", "Mustang Panda", "Patchwork", "Sandworm Team", "Scattered Spider", "Sidewinder", "Sowbug", "TeamTNT", "ToddyCat", "Tropic Trooper", "Turla", "Windigo", "Winnti Group", "admin@338", "menuPass"]}]}, "type": "TTP", "search": " `path_traversal_spl_injection` | search \"\\/..\\/..\\/..\\/..\\/..\\/..\\/..\\/..\\/..\\/\" | stats count by host status clientip method uri_path uri_query | `path_traversal_spl_injection_filter`", "how_to_implement": "This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. This search will provide search UI requests with path traversal parameter (\"../../../../../../../../../\") which shows exploitation attempts. This detection is meant for on premise environments, and if executed on internet facing servers without a WAF may produce a lot of results. This detection will not work against obfuscated path traversal requests.", "known_false_positives": "This search may find additional path traversal exploitation attempts.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "path_traversal_spl_injection", "definition": "index=_internal sourcetype=splunkd_ui_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "path_traversal_spl_injection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Persistent XSS in RapidDiag through User Interface Views", "author": "Rod Soto, Splunk", "date": "2023-02-14", "version": 1, "id": "ce6e1268-e01c-4df2-a617-0f034ed49a43", "description": "In Splunk Enterprise 9.0 versions before 9.0.4, a View allows for Cross-Site Scripting through the error message in a Base64-encoded image. The vulnerability affects instances with Splunk Web enabled. It does not affect Splunk Enterprise versions below 9.0. This search provides information on what user may have potentially added a malicious payload and what users were exposed to it.", "references": ["https://www.splunk.com/en_us/product-security.html"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A potential XSS attempt has been detected from $user$", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "Mustard Tempest", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}]}, "type": "TTP", "search": "`audit_searches` path=/opt/splunk/etc/users/*/search/local/data/ui/views/* action=* |table user action roles info roles path | dedup user action | `persistent_xss_in_rapiddiag_through_user_interface_views_filter`", "how_to_implement": "This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index", "known_false_positives": "This is a hunting search, it will not deobfuscate base64 payload, it provides however it will provide what user added the view artifact and what user opened it. It will require further investigation based on the information presented by this hunting search.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "audit_searches", "definition": "index=_audit sourcetype=audittrail action=search", "description": "Macro to enable easy searching of audittrail logs for searches"}, {"name": "persistent_xss_in_rapiddiag_through_user_interface_views_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "PingID Mismatch Auth Source and Verification Response", "author": "Steven Dick", "date": "2023-09-26", "version": 1, "id": "15b0694e-caa2-4009-8d83-a1f98b86d086", "description": "The following analytic identifies variations in the authentication event IP address versus the verification response event IP address to identify suspicious sign-in behavior. Currently this detection is configured to identify when the originating country of an authentication request is different than the verification country.", "references": ["https://twitter.com/jhencinski/status/1618660062352007174", "https://attack.mitre.org/techniques/T1098/005/", "https://attack.mitre.org/techniques/T1556/006/", "https://docs.pingidentity.com/r/en-us/pingoneforenterprise/p14e_subscriptions?tocId=3xhnxjX3VzKNs3SXigWnQA"], "tags": {"analytic_story": ["Compromised User Account"], "asset_type": "Identity", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Victim"]}, {"name": "object", "type": "Other", "role": ["Attacker"]}], "message": "An authentication by [$user$] was detected from [$dest$ - $auth_Country$] and the verification was received from [$src$ - $verify_Country$].", "risk_score": 25, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1556.006", "mitre_attack_technique": "Multi-Factor Authentication", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["Scattered Spider"]}, {"mitre_attack_id": "T1098.005", "mitre_attack_technique": "Device Registration", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29"]}]}, "type": "TTP", "search": "`pingid` (\"result.status\" IN (\"SUCCESS*\",\"FAIL*\",\"UNSUCCESSFUL*\") NOT \"result.message\" IN (\"*pair*\",\"*create*\",\"*delete*\")) | eval user = upper('actors{}.name'), session_id = 'resources{}.websession', dest = 'resources{}.ipaddress', reason = 'result.message', object = 'resources{}.devicemodel', status = 'result.status' | join user session_id [ search `pingid` (\"result.status\" IN (\"POLICY\") AND \"resources{}.ipaddress\"=*) AND \"result.message\" IN(\"*Action: Authenticate*\",\"*Action: Approve*\",\"*Action: Allowed*\") | rex field=result.message \"IP Address: (?:N\\/A)?(?.+)?\\n\" | rex field=result.message \"Action: (?:N\\/A)?(?.+)?\\n\" | rex field=result.message \"Requested Application Name: (?:N\\/A)?(?.+)?\\n\" | rex field=result.message \"Requested Application ID: (?:N\\/A)?(?.+)?\\n\" | eval user = upper('actors{}.name'), session_id = 'resources{}.websession', src = coalesce('resources{}.ipaddress',policy_ipaddress), app = coalesce(Requested_Application_ID,Requested_Application_Name) | fields app, user, session_id, src, signature ] | iplocation prefix=auth_ dest | iplocation prefix=verify_ src | stats count min(_time) as firstTime max(_time) as lastTime values(app) as app values(session_id) as session_id by user, dest, auth_Country, src, verify_Country, object, signature, status, reason | where auth_Country != verify_Country | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `pingid_mismatch_auth_source_and_verification_response_filter`", "how_to_implement": "Target environment must ingest JSON logging from a PingID(PingOne) enterprise environment, either via Webhook or Push Subscription.", "known_false_positives": "False positives may be generated by users working out the geographic region where the organizations services or technology is hosted.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "pingid", "definition": "source=PINGID", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "pingid_mismatch_auth_source_and_verification_response_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "PingID Multiple Failed MFA Requests For User", "author": "Steven Dick", "date": "2023-09-26", "version": 1, "id": "c1bc706a-0025-4814-ad30-288f38865036", "description": "The following analytic identifies multiple failed multi-factor authentication requests for a single user within a PingID (PingOne) environment. Specifically, the analytic triggers when 10 or more MFA user prompts fail within 10 minutes. PingID environments can be very different depending on the organization, Security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls as reported by Mandiant and others.", "references": ["https://therecord.media/russian-hackers-bypass-2fa-by-annoying-victims-with-repeated-push-notifications/", "https://attack.mitre.org/techniques/T1621/", "https://attack.mitre.org/techniques/T1110/", "https://attack.mitre.org/techniques/T1078/004/", "https://docs.pingidentity.com/r/en-us/pingoneforenterprise/p14e_subscriptions?tocId=3xhnxjX3VzKNs3SXigWnQA"], "tags": {"analytic_story": ["Compromised User Account"], "asset_type": "Identity", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Multiple Failed MFA requests $mfa_prompts$ for user $user$ between $firstTime$ and $lastTime$.", "risk_score": 50, "security_domain": "access", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "type": "TTP", "search": "`pingid` \"result.status\" IN (\"FAILURE,authFail\",\"UNSUCCESSFUL_ATTEMPT\") | eval time = _time, src = coalesce('resources{}.ipaddress','resources{}.devicemodel'), user = upper('actors{}.name'), object = 'resources{}.devicemodel', reason = 'result.message'| bucket span=10m _time | stats dc(_raw) AS mfa_prompts min(time) as firstTime, max(time) as lastTime values(src) as src by user, reason, _time | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | where mfa_prompts >= 10 | `pingid_multiple_failed_mfa_requests_for_user_filter`", "how_to_implement": "Target environment must ingest JSON logging from a PingID(PingOne) enterprise environment, either via Webhook or Push Subscription.", "known_false_positives": "False positives may be generated by normal provisioning workflows for user device registration.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "pingid", "definition": "source=PINGID", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "pingid_multiple_failed_mfa_requests_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "PingID New MFA Method After Credential Reset", "author": "Steven Dick", "date": "2023-09-26", "version": 1, "id": "2fcbce12-cffa-4c84-b70c-192604d201d0", "description": "A common social engineering technique used by threat actors is the impersonation of a valid user to organizational support staff for a password reset. During the same support call or quickly afterwards the threat actor will request provisioning of a new MFA device. This does not require malware or phishing infrastructure and has proven to be successful in numerous historical attacks. This detection looks for the pattern of password reset, followed by MFA device provisioning.", "references": ["https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/defend-your-users-from-mfa-fatigue-attacks/ba-p/2365677", "https://www.bleepingcomputer.com/news/security/mfa-fatigue-hackers-new-favorite-tactic-in-high-profile-breaches/", "https://attack.mitre.org/techniques/T1098/005/", "https://attack.mitre.org/techniques/T1556/006/", "https://docs.pingidentity.com/r/en-us/pingoneforenterprise/p14e_subscriptions?tocId=3xhnxjX3VzKNs3SXigWnQA"], "tags": {"analytic_story": ["Compromised User Account"], "asset_type": "Identity", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "object", "type": "Other", "role": ["Attacker"]}], "message": "An MFA configuration change was detected for [$user$] within [$timeDiff$] of a password reset. The device [$object$] was $action$.", "risk_score": 50, "security_domain": "access", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1556.006", "mitre_attack_technique": "Multi-Factor Authentication", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["Scattered Spider"]}, {"mitre_attack_id": "T1098.005", "mitre_attack_technique": "Device Registration", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29"]}]}, "type": "TTP", "search": "`pingid` \"result.message\" = \"*Device Paired*\" | rex field=result.message \"Device (Unp)?(P)?aired (?.+)\" | eval src = coalesce('resources{}.ipaddress','resources{}.devicemodel'), user = upper('actors{}.name'), reason = 'result.message' | eval object=CASE(ISNOTNULL('resources{}.devicemodel'),'resources{}.devicemodel',true(),device_extract) | eval action=CASE(match('result.message',\"Device Paired*\"),\"created\",match('result.message', \"Device Unpaired*\"),\"deleted\") | stats count min(_time) as firstTime, max(_time) as lastTime, values(reason) as reason by src,user,action,object | join type=outer user [| search `wineventlog_security` EventID IN(4723,4724) | eval PW_Change_Time = _time, user = upper(user) | fields user,src_user,EventID,PW_Change_Time] | eval timeDiffRaw = round(lastTime - PW_Change_Time) | eval timeDiff = replace(tostring(abs(timeDiffRaw) ,\"duration\"),\"(\\d*)\\+*(\\d+):(\\d+):(\\d+)\",\"\\2 hours \\3 minutes\") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `security_content_ctime(PW_Change_Time)` | where timeDiffRaw > 0 AND timeDiffRaw < 3600 | `pingid_new_mfa_method_after_credential_reset_filter`", "how_to_implement": "Target environment must ingest Windows Event Log and PingID(PingOne) data sources. Specifically from logs from Active Directory Domain Controllers and JSON logging from a PingID(PingOne) enterprise environment, either via Webhook or Push Subscription.", "known_false_positives": "False positives may be generated by normal provisioning workflows that generate a password reset followed by a device registration.", "datamodel": ["Change"], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "pingid", "definition": "source=PINGID", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "pingid_new_mfa_method_after_credential_reset_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "PingID New MFA Method Registered For User", "author": "Steven Dick", "date": "2024-05-07", "version": 2, "id": "892dfeaf-461d-4a78-aac8-b07e185c9bce", "description": "The following analytic detects the registration of a new Multi-Factor Authentication (MFA) method for a PingID (PingOne) account. It leverages JSON logs from PingID, specifically looking for successful device pairing events. This activity is significant as adversaries who gain unauthorized access to a user account may register a new MFA method to maintain persistence. If confirmed malicious, this could allow attackers to bypass existing security measures, maintain long-term access, and potentially escalate their privileges within the compromised environment.", "references": ["https://twitter.com/jhencinski/status/1618660062352007174", "https://attack.mitre.org/techniques/T1098/005/", "https://attack.mitre.org/techniques/T1556/006/", "https://docs.pingidentity.com/r/en-us/pingoneforenterprise/p14e_subscriptions?tocId=3xhnxjX3VzKNs3SXigWnQA"], "tags": {"analytic_story": ["Compromised User Account"], "asset_type": "Identity", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Victim"]}, {"name": "object", "type": "Other", "role": ["Attacker"]}], "message": "An MFA configuration change was detected for [$user$], the device [$object$] was $action$.", "risk_score": 10, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1556.006", "mitre_attack_technique": "Multi-Factor Authentication", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["Scattered Spider"]}, {"mitre_attack_id": "T1098.005", "mitre_attack_technique": "Device Registration", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29"]}]}, "type": "TTP", "search": "`pingid` \"result.message\"=\"Device Paired*\" result.status=\"SUCCESS\" | rex field=result.message \"Device (Unp)?(P)?aired (?.+)\" | eval src = coalesce('resources{}.ipaddress','resources{}.devicemodel'), user = upper('actors{}.name'), reason = 'result.message' | eval object=CASE(ISNOTNULL('resources{}.devicemodel'),'resources{}.devicemodel',true(),device_extract) | eval action=CASE(match('result.message',\"Device Paired*\"),\"created\",match('result.message', \"Device Unpaired*\"),\"deleted\") | stats count min(_time) as firstTime, max(_time) as lastTime by src,user,object,action,reason | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `pingid_new_mfa_method_registered_for_user_filter`", "how_to_implement": "Target environment must ingest JSON logging from a PingID(PingOne) enterprise environment, either via Webhook or Push Subscription.", "known_false_positives": "False positives may be generated by normal provisioning workflows for user device registration.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "pingid", "definition": "source=PINGID", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "pingid_new_mfa_method_registered_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Absolute Path Traversal Using runshellscript", "author": "Rod Soto", "date": "2024-05-17", "version": 2, "id": "356bd3fe-f59b-4f64-baa1-51495411b7ad", "description": "The following analytic detects the exploitation of an absolute path traversal vulnerability in Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, where an attacker can execute arbitrary code located on a separate disk. It leverages logs from the `splunk_python` macro, specifically looking for the `runshellscript` command with a specific argument count and path pattern. This activity is significant as it indicates a potential exploitation attempt that could lead to unauthorized code execution. If confirmed malicious, this could allow an attacker to gain control over the Splunk instance, leading to data breaches or further system compromise.", "references": ["https://advisory.splunk.com/advisories/SVD-2023-0806"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "splunk_server", "type": "Hostname", "role": ["Victim"]}], "message": "Possible attack against splunk_server $splunk_server$ through abuse of the runshellscript command", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1083", "mitre_attack_technique": "File and Directory Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT28", "APT3", "APT32", "APT38", "APT39", "APT41", "APT5", "Aoqin Dragon", "BRONZE BUTLER", "Chimera", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN13", "Fox Kitten", "Gamaredon Group", "HAFNIUM", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leafminer", "LuminousMoth", "Magic Hound", "MuddyWater", "Mustang Panda", "Patchwork", "Sandworm Team", "Scattered Spider", "Sidewinder", "Sowbug", "TeamTNT", "ToddyCat", "Tropic Trooper", "Turla", "Windigo", "Winnti Group", "admin@338", "menuPass"]}]}, "type": "Hunting", "search": "`splunk_python` *runshellscript* | eval log_split=split(_raw, \"runshellscript: \") | eval array_raw = mvindex(log_split,1) | eval data_cleaned=replace(replace(replace(array_raw,\"\\[\",\"\"),\"\\]\",\"\"),\"'\",\"\") | eval array_indices=split(data_cleaned,\",\") | eval runshellscript_args_count=mvcount(array_indices) | where runshellscript_args_count = 10 | eval interpreter=mvindex(array_indices,0) | eval targetScript=mvindex(array_indices,1) | eval targetScript != \"*C:*\" | stats count min(_time) as firstTime max(_time) as lastTime by splunk_server interpreter targetScript | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `splunk_absolute_path_traversal_using_runshellscript_filter`", "how_to_implement": "Must have access to internal indexes. Only applies to Splunk on Windows versions.", "known_false_positives": "The command runshellscript can be used for benign purposes. Analyst will have to review the searches and determined maliciousness specially by looking at targeted script.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_python", "definition": "index=_internal sourcetype=splunk_python", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_absolute_path_traversal_using_runshellscript_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Account Discovery Drilldown Dashboard Disclosure", "author": "Marissa Bower, Rod Soto, Splunk", "date": "2022-08-02", "version": 1, "id": "f844c3f6-fd99-43a2-ba24-93e35fe84be6", "description": "Splunk drilldown vulnerability disclosure in Dashboard application that can potentially allow exposure of tokens from privilege users. An attacker can create dashboard and share it to privileged user (admin) and detokenize variables using external urls within dashboards drilldown function.", "references": ["https://www.splunk.com/en_us/product-security.html"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "author", "type": "User", "role": ["Attacker"]}], "message": "Potential exposure of environment variables from url embedded in dashboard", "risk_score": 40, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}]}, "type": "TTP", "search": "| rest splunk_server=local /servicesNS/-/-/data/ui/views | search eai:data=\"*$env:*\" eai:data=\"*url*\" eai:data=\"*options*\" | rename author AS Author eai:acl.sharing AS Permissions eai:appName AS App eai:data AS \"Dashboard XML\" | fields Author Permissions App \"Dashboard XML\" | `splunk_account_discovery_drilldown_dashboard_disclosure_filter`", "how_to_implement": "This search uses REST function to query for dashboards with environment variables present in URL options.", "known_false_positives": "This search may reveal non malicious URLs with environment variables used in organizations.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "splunk_account_discovery_drilldown_dashboard_disclosure_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk App for Lookup File Editing RCE via User XSLT", "author": "Rod Soto, Splunk", "date": "2024-05-16", "version": 2, "id": "a053e6a6-2146-483a-9798-2d43652f3299", "description": "The following analytic identifies the creation of lookup files in Splunk, which could indicate an attempt to exploit remote code execution via user-supplied XSLT. It leverages REST API queries to monitor the creation of these lookups, focusing on fields such as title, author, and access control lists. This activity is significant because it targets a known vulnerability in Splunk versions 9.1.x, potentially allowing attackers to execute arbitrary code. If confirmed malicious, this could lead to unauthorized code execution, compromising the integrity and security of the Splunk environment.", "references": ["https://advisory.splunk.com/advisories/SVD-2023-1104"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "eai:acl.app", "type": "Other", "role": ["Victim"]}], "message": "Please review $eai:acl.app$ for possible malicious lookups", "risk_score": 1, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1210", "mitre_attack_technique": "Exploitation of Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "Dragonfly", "Earth Lusca", "FIN7", "Fox Kitten", "MuddyWater", "Threat Group-3390", "Tonto Team", "Wizard Spider", "menuPass"]}]}, "type": "Hunting", "search": "| rest splunk_server=local /services/data/lookup-table-files/ | fields title author disabled eai:acl.app eai:acl.owner eai:acl.sharing eai:appName eai:data | `splunk_app_for_lookup_file_editing_rce_via_user_xslt_filter`", "how_to_implement": "Because there is no way to detect the payload, this search only provides the ability to monitor the creation of lookups which are the base of this exploit. An operator must then investigate suspicious lookups. This search requires ability to perform REST queries. Note that if the Splunk App for Lookup File Editing is not, or was not, installed in the Splunk environment then it is not necessary to run the search as the enviornment was not vulnerable.", "known_false_positives": "This search will provide information for investigation and hunting of lookup creation via user-supplied XSLT which may be indications of possible exploitation. There will be false positives as it is not possible to detect the payload executed via this exploit.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunk_app_for_lookup_file_editing_rce_via_user_xslt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Authentication Token Exposure in Debug Log", "author": "Rod Soto, Chase Franklin", "date": "2024-03-18", "version": 1, "id": "9a67e749-d291-40dd-8376-d422e7ecf8b5", "description": "This detection search finds exposed authentication tokens in debug logs. This issue occurs in Splunk Enterprise versions below 9.2.1, 9.1.4, and 9.0.9, which may be affected by a vulnerability where JsonWebTokens can be exposed if the log level is set to DEBUG.", "references": ["https://advisory.splunk.com/advisories/SVD-2024-0301"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Possible JsonWebToken exposure, please investigate affected $host$", "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1654", "mitre_attack_technique": "Log Enumeration", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT5", "Volt Typhoon"]}]}, "type": "TTP", "search": "`splunkd` component=JsonWebToken log_level=DEBUG eventtype=\"splunkd-log\" event_message=\"Validating token:*\" | rex \"Validating token: (?.*)\\.$\" | search token!=None | stats count min(_time) as firstTime max(_time) as lastTime values(log_level) as log_level values(event_message) as event_message by index, sourcetype, host, token | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_authentication_token_exposure_in_debug_log_filter`", "how_to_implement": "Requires access to internal Splunk indexes.", "known_false_positives": "Only applies to affected versions of Splunk Enterprise below 9.2.1, 9.1.4, and 9.0.9", "datamodel": ["Web"], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunkd", "definition": "index=_internal sourcetype=splunkd", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_authentication_token_exposure_in_debug_log_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Code Injection via custom dashboard leading to RCE", "author": "Rod Soto", "date": "2022-10-11", "version": 1, "id": "b06b41d7-9570-4985-8137-0784f582a1b3", "description": "This hunting search provides information about a vulnerability in Splunk Enterprise versions below 8.2.9, 8.1.12, 9.0.2, where an authenticated user can execute arbitrary code via the dashboard pdf generation component. Please review events with file=export in the _internal index for the potential targets of exploitation.", "references": ["https://www.splunk.com/en_us/product-security.html"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Potential exploitation of Code Injection via Dashboard PDF generation.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1210", "mitre_attack_technique": "Exploitation of Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "Dragonfly", "Earth Lusca", "FIN7", "Fox Kitten", "MuddyWater", "Threat Group-3390", "Tonto Team", "Wizard Spider", "menuPass"]}]}, "type": "Hunting", "search": "`splunkd_ui` uri_path=*/data/ui/views/* OR uri_path=*saved/searches/* | dedup uri_path | eval URL=urldecode(\"uri_path\")| rex field=URL \"\\/saved\\/searches\\/(?[^\\/]*)\" | rex field=URL \"\\/data\\/ui\\/views\\/(?[^\\/]*)\" | eval NAME=NAME.\"( Saved Search )\",NAME1=NAME1.\"( Dashboard )\" | eval NAME=coalesce(NAME,NAME1) | eval STATUS=case(match(status,\"2\\d+\"),\"SUCCESS\",match(status,\"3\\d+\"),\"REDIRECTION\",match(status,\"4\\d+\") OR match(status,\"5\\d+\"),\"ERROR\") | stats list(NAME) as DASHBOARD_TITLE,list(method) as HTTP_METHOD,list(status) as Status_Code,list(STATUS) as STATUS by user | rename user as User | `splunk_code_injection_via_custom_dashboard_leading_to_rce_filter`", "how_to_implement": "This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index.", "known_false_positives": "Not all exports and downloads are malicious, special attention must be put as well on /en-US/splunkd/__raw/services/pdfgen/render in the context of this search.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunkd_ui", "definition": "index=_internal sourcetype=splunkd_ui_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_code_injection_via_custom_dashboard_leading_to_rce_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Command and Scripting Interpreter Delete Usage", "author": "Michael Haag, Splunk", "date": "2022-05-27", "version": 1, "id": "8d3d5d5e-ca43-42be-aa1f-bc64375f6b04", "description": "The following analytic identifies the use of the risky command - Delete - that may be utilized in Splunk to delete some or all data queried for. In order to use Delete in Splunk, one must be assigned the role. This is typically not used and should generate an anomaly if it is used.", "references": ["https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards#Commands_that_trigger_the_warning"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "$user$ executed the 'delete' command, if this is unexpected it should be reviewed.", "risk_score": 27, "security_domain": "audit", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Splunk_Audit.Search_Activity where Search_Activity.search IN (\"*| delete*\") Search_Activity.search_type=adhoc Search_Activity.user!=splunk-system-user by Search_Activity.search Search_Activity.info Search_Activity.total_run_time Search_Activity.user Search_Activity.search_type | `drop_dm_object_name(Search_Activity)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_command_and_scripting_interpreter_delete_usage_filter`", "how_to_implement": "To successfully implement this search acceleration is recommended against the Search_Activity datamodel that runs against the splunk _audit index. In addition, this analytic requires the Common Information Model App which includes the Splunk Audit Datamodel https://splunkbase.splunk.com/app/1621/.", "known_false_positives": "False positives may be present if this command is used as a common practice. Filter as needed.", "datamodel": ["Splunk_Audit"], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "splunk_command_and_scripting_interpreter_delete_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Command and Scripting Interpreter Risky Commands", "author": "Michael Haag, Splunk", "date": "2022-05-23", "version": 1, "id": "1cf58ae1-9177-40b8-a26c-8966040f11ae", "description": "The Splunk platform contains built-in search processing language (SPL) safeguards to warn you when you are about to unknowingly run a search that contains commands that might be a security risk. This warning appears when you click a link or type a URL that loads a search that contains risky commands. The warning does not appear when you create ad hoc searches. This warning alerts you to the possibility of unauthorized actions by a malicious user. Unauthorized actions include - Copying or transferring data (data exfiltration), Deleting data and Overwriting data. All risky commands may be found here https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards#Commands_that_trigger_the_warninga. A possible scenario when this might occur is when a malicious actor creates a search that includes commands that exfiltrate or damage data. The malicious actor then sends an unsuspecting user a link to the search. The URL contains a query string (q) and a search identifier (sid), but the sid is not valid. The malicious actor hopes the user will use the link and the search will run. During analysis, pivot based on user name and filter any user or queries not needed. Queries ran from a dashboard are seen as adhoc queries. When a query runs from a dashboard it will not show in audittrail logs the source dashboard name. The query defaults to adhoc and no Splunk system user activity. In addition, modify this query by removing key commands that generate too much noise, or too little, and create separate queries with higher confidence to alert on.", "references": ["https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards#Commands_that_trigger_the_warning", "https://www.github.com/splunk/security_content/blob/develop/workbooks/splunk_psa_0622.json", "https://advisory.splunk.com/advisories/SVD-2024-0302"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A risky Splunk command has ran by $user$ and should be reviewed.", "risk_score": 20, "security_domain": "audit", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Splunk_Audit.Search_Activity where Search_Activity.search IN (\"*| runshellscript *\", \"*| collect *\",\"*| delete *\", \"*| fit *\", \"*| outputcsv *\", \"*| outputlookup *\", \"*| run *\", \"*| script *\", \"*| sendalert *\", \"*| sendemail *\", \"*| tscolle*\") Search_Activity.search_type=adhoc Search_Activity.user!=splunk-system-user by Search_Activity.search Search_Activity.info Search_Activity.total_run_time Search_Activity.user Search_Activity.search_type | `drop_dm_object_name(Search_Activity)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_command_and_scripting_interpreter_risky_commands_filter`", "how_to_implement": "To successfully implement this search acceleration is recommended against the Search_Activity datamodel that runs against the splunk _audit index. In addition, this analytic requires the Common Information Model App which includes the Splunk Audit Datamodel https://splunkbase.splunk.com/app/1621/. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as \"curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json\". A user should then create an empty container or case, attach the workbook, and begin working through the tasks.", "known_false_positives": "False positives will be present until properly filtered by Username and search name.", "datamodel": ["Splunk_Audit"], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "splunk_command_and_scripting_interpreter_risky_commands_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Command and Scripting Interpreter Risky SPL MLTK", "author": "Abhinav Mishra, Kumar Sharad and Xiao Lin, Splunk", "date": "2022-05-27", "version": 1, "id": "19d0146c-2eae-4e53-8d39-1198a78fa9ca", "description": "This detection utilizes machine learning model named \"risky_command_abuse\" trained from \"Splunk Command and Scripting Interpreter Risky SPL MLTK Baseline\". It should be scheduled to run hourly to detect whether a user has run searches containing risky SPL from this list https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards#Commands_that_trigger_the_warninga with abnormally long running time in the past one hour, comparing with his/her past seven days history. This search uses the trained baseline to infer whether a search is an outlier (isOutlier ~= 1.0) or not (isOutlier~= 0.0)", "references": ["https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards#Commands_that_trigger_the_warning"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Abnormally long run time for risk SPL command seen by user $(Search_Activity.user).", "risk_score": 20, "security_domain": "audit", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "type": "Anomaly", "search": "| tstats sum(Search_Activity.total_run_time) AS run_time, values(Search_Activity.search) as searches, count FROM datamodel=Splunk_Audit.Search_Activity WHERE (Search_Activity.user!=\"\") AND (Search_Activity.total_run_time>1) AND (earliest=-1h@h latest=now) AND (Search_Activity.search IN (\"*| runshellscript *\", \"*| collect *\",\"*| delete *\", \"*| fit *\", \"*| outputcsv *\", \"*| outputlookup *\", \"*| run *\", \"*| script *\", \"*| sendalert *\", \"*| sendemail *\", \"*| tscolle*\")) AND (Search_Activity.search_type=adhoc) AND (Search_Activity.user!=splunk-system-user) BY _time, Search_Activity.user span=1h | apply risky_command_abuse | fields _time, Search_Activity.user, searches, run_time, IsOutlier(run_time) | rename IsOutlier(run_time) as isOutlier, _time as timestamp | where isOutlier>0.5 | `splunk_command_and_scripting_interpreter_risky_spl_mltk_filter`", "how_to_implement": "This detection depends on MLTK app which can be found here - https://splunkbase.splunk.com/app/2890/ and the Splunk Audit datamodel which can be found here - https://splunkbase.splunk.com/app/1621/. Baseline model needs to be built using \"Splunk Command and Scripting Interpreter Risky SPL MLTK Baseline\" before this search can run. Please note that the current search only finds matches exactly one space between separator bar and risky commands.", "known_false_positives": "If the run time of a search exceeds the boundaries of outlier defined by the fitted density function model, false positives can occur, incorrectly labeling a long running search as potentially risky.", "datamodel": ["Splunk_Audit"], "source": "application", "nes_fields": null, "macros": [{"name": "splunk_command_and_scripting_interpreter_risky_spl_mltk_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk csrf in the ssg kvstore client endpoint", "author": "Rod Soto", "date": "2023-02-14", "version": 1, "id": "4742d5f7-ce00-45ce-9c79-5e98b43b4410", "description": "In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, a cross-site request forgery in the Splunk Secure Gateway (SSG) app in the kvstore_client endpoint allows for updating SSG KV store collections via a GET request. SSG is a Splunk Built app included by default with Splunk Enterprise. The vulnerability affects instances with SSG and Splunk Web enabled. This hunting search provides information on affected server specific method and post data that may reveal exploitation of this vulnerability.", "references": ["https://www.splunk.com/en_us/product-security.html"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.CM"], "observable": [{"name": "splunk_server", "type": "Hostname", "role": ["Victim"]}], "message": "Potential CSRF exploitation attempt from $splunk_server$", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "Mustard Tempest", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}]}, "type": "TTP", "search": "`splunkda` uri_path=\"/en-US/splunkd/__raw/services/ssg/kvstore_client\" method=\"GET\" delete_field_value=\"spacebridge_server\" status=\"200\" | table splunk_server status uri delete_field_value method post_data | `splunk_csrf_in_the_ssg_kvstore_client_endpoint_filter`", "how_to_implement": "Requires access to internal index.", "known_false_positives": "This hunting search only applies to the affected versions and setup mentioned in the description of this search, it does not extract payload so it requires manual investigation after executing search. This search will produce false positives.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "splunkda", "definition": "index=_internal sourcetype=splunkd_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_csrf_in_the_ssg_kvstore_client_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Data exfiltration from Analytics Workspace using sid query", "author": "Rod Soto, Eric McGinnis", "date": "2022-11-01", "version": 1, "id": "b6d77c6c-f011-4b03-8650-8f10edb7c4a8", "description": "This hunting search allows operator to discover attempts to exfiltrate data by executing a prepositioned malicious search ID in Analytic Workspace in Splunk Enterprise versions 8.2.9,8.1.12,9.0.2. The attack is browser-based. It requires the attacker to compel a victim to initiate a request within their browser (phishing). The attacker cannot exploit the vulnerability at will.", "references": ["https://www.splunk.com/en_us/product-security.html"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "message": "Potential data exfiltration attack using SID query by $user$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1567", "mitre_attack_technique": "Exfiltration Over Web Service", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT28", "Magic Hound"]}]}, "type": "Hunting", "search": "`audit_searches` info=granted search NOT (\"audit_searches\") search NOT (\"security_content_summariesonly\") AND ((search=\"*mstats*[*]*\" AND provenance=\"N/A\") OR (search=\"*mstats*\\\\\\\"*[*]*\\\\\\\"*\"))| eval warning=if(match(search,\"\\\\\\\\\\\"\"), \"POTENTIAL INJECTION STAGING\", \"POTENTIAL INJECTION EXECUTION\") | table search, user, warning, timestamp | `splunk_data_exfiltration_from_analytics_workspace_using_sid_query_filter`", "how_to_implement": "The vulnerability affects only instances with Splunk Web Enabled. After running this search, please run \"Splunk Command and Scripting Interpreter Risky SPL MLTK\" to gain more insight into potentially risky commands which could lead to data exfiltration.", "known_false_positives": "This search may produce false positives. This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. Special attention must be paid to \"/en-US/app/search/analytics_workspace?sid=[sid]\" which is where the malicious code will be inserted to trigger attack at victim.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "audit_searches", "definition": "index=_audit sourcetype=audittrail action=search", "description": "Macro to enable easy searching of audittrail logs for searches"}, {"name": "splunk_data_exfiltration_from_analytics_workspace_using_sid_query_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Digital Certificates Infrastructure Version", "author": "Lou Stella, Splunk", "date": "2022-05-26", "version": 1, "id": "3c162281-7edb-4ebc-b9a4-5087aaf28fa7", "description": "This search will check the TLS validation is properly configured on the search head it is run from as well as its search peers after Splunk version 9. Other components such as additional search heads or anything this rest command cannot be distributed to will need to be manually checked.", "references": ["https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation#Configure_TLS_host_name_validation_for_Splunk-to-Splunk_communication", "https://www.splunk.com/en_us/product-security/announcements/svd-2022-0602.html", "https://www.github.com/splunk/security_content/blob/develop/workbooks/splunk_psa_0622.json"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization"], "nist": ["DE.AE"], "observable": [{"name": "splunk_server", "type": "Hostname", "role": ["Victim"]}], "message": "$splunk_server$ may not be properly validating TLS Certificates", "risk_score": 50, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1587.003", "mitre_attack_technique": "Digital Certificates", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29", "PROMETHIUM"]}]}, "type": "Hunting", "search": "| rest /services/server/info | table splunk_server version server_roles | join splunk_server [| rest /servicesNS/nobody/search/configs/conf-server/ search=\"sslConfig\"| table splunk_server sslVerifyServerCert sslVerifyServerName serverCert] | fillnull value=\"Not Set\" | rename sslVerifyServerCert as \"Server.conf:SslConfig:sslVerifyServerCert\", sslVerifyServerName as \"Server.conf:SslConfig:sslVerifyServerName\", serverCert as \"Server.conf:SslConfig:serverCert\" | `splunk_digital_certificates_infrastructure_version_filter`", "how_to_implement": "The user running this search is required to have a permission allowing them to dispatch REST requests to indexers (the `dispatch_rest_to_indexers` capability) in some architectures. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as \"curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json\". A user should then create an empty container or case, attach the workbook, and begin working through the tasks.", "known_false_positives": "No known at this time.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunk_digital_certificates_infrastructure_version_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Digital Certificates Lack of Encryption", "author": "Lou Stella, Splunk", "date": "2022-05-26", "version": 1, "id": "386a7ebc-737b-48cf-9ca8-5405459ed508", "description": "On June 14th, 2022, Splunk released a security advisory relating to the authentication that happens between Universal Forwarders and Deployment Servers. In some circumstances, an unauthenticated client can download forwarder bundles from the Deployment Server. In other circumstances, a client may be allowed to publish a forwarder bundle to other clients, which may allow for arbitrary code execution. The fixes for these require upgrading to at least Splunk 9.0 on the forwarder as well. This is a great opportunity to configure TLS across the environment. This search looks for forwarders that are not using TLS and adds risk to those entities.", "references": ["https://www.splunk.com/en_us/product-security/announcements/svd-2022-0607.html", "https://www.splunk.com/en_us/product-security/announcements/svd-2022-0601.html", "https://www.github.com/splunk/security_content/blob/develop/workbooks/splunk_psa_0622.json"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization"], "nist": ["DE.AE"], "observable": [{"name": "hostname", "type": "Hostname", "role": ["Victim"]}], "message": "$hostname$ is not using TLS when forwarding data", "risk_score": 20, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1587.003", "mitre_attack_technique": "Digital Certificates", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29", "PROMETHIUM"]}]}, "type": "Anomaly", "search": "`splunkd` group=\"tcpin_connections\" ssl=\"false\" | stats values(sourceIp) latest(fwdType) latest(version) by hostname | `splunk_digital_certificates_lack_of_encryption_filter`", "how_to_implement": "This anomaly search looks for forwarder connections that are not currently using TLS. It then presents the source IP, the type of forwarder, and the version of the forwarder. You can also remove the \"ssl=false\" argument from the initial stanza in order to get a full list of all your forwarders that are sending data, and the version of Splunk software they are running, for audit purposes. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as \"curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json\". A user should then create an empty container or case, attach the workbook, and begin working through the tasks.", "known_false_positives": "None at this time", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunkd", "definition": "index=_internal sourcetype=splunkd", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_digital_certificates_lack_of_encryption_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk DoS Using Malformed SAML Request", "author": "Rod Soto", "date": "2023-09-05", "version": 1, "id": "8e8a86d5-f323-4567-95be-8e817e2baee6", "description": "In Splunk Enterprise versions lower than 9.0.6, and 8.2.12, an attacker can send a malformed security assertion markup language SAML request to the /saml/acs REST endpoint which can cause a denial of service through a crash or hang of the Splunk daemon.The SAML extensible markup language (XML) parser does not fail SAML signature validation when the attacker modifies the URI in the SAML request. Instead it attempts to access the modified URI, which causes the Splunk daemon to crash or hang.", "references": ["https://advisory.splunk.com/advisories/SVD-2023-0802"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.AE"], "observable": [{"name": "splunk_server", "type": "Hostname", "role": ["Victim"]}], "message": "Possible DoS attack against Splunk Server $splunk_server$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1498", "mitre_attack_technique": "Network Denial of Service", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT28"]}]}, "type": "Hunting", "search": "`splunkd` event_message=*error* expr=*xpointer* | stats count min(_time) as firstTime max(_time) as lastTime by component expr splunk_server event_message | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `splunk_dos_using_malformed_saml_request_filter`", "how_to_implement": "To run this search, you must have access to the _internal index.", "known_false_positives": "This search will show false positives. The analyst must look for errors and a pointer indicating a malicious file.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunkd", "definition": "index=_internal sourcetype=splunkd", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_dos_using_malformed_saml_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk DOS Via Dump SPL Command", "author": "Rod Soto", "date": "2024-05-03", "version": 2, "id": "fb0e6823-365f-48ed-b09e-272ac4c1dad6", "description": "The following analytic identifies a potential Denial of Service (DoS) attack exploiting the dump SPL command in vulnerable Splunk Enterprise versions. It detects this activity by searching the `splunk_crash_log` for segmentation fault entries, indicating a crash of the Splunk daemon. This activity is significant for a SOC because it can disrupt the availability of Splunk services, impacting monitoring and incident response capabilities. If confirmed malicious, this attack could render Splunk Enterprise unusable, severely hindering an organization's ability to detect and respond to other security threats.", "references": ["https://advisory.splunk.com/"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Possible denial of service attack with Victim $host$", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1499.004", "mitre_attack_technique": "Application or System Exploitation", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}]}, "type": "Hunting", "search": "`splunk_crash_log` \"*Segmentation fault*\" | stats count by host _time | `splunk_dos_via_dump_spl_command_filter`", "how_to_implement": "This search does not require additional ingestion of data. Requires the ability to search _internal index and monitor segmentation faults.", "known_false_positives": "Segmentation faults may occur due to other causes, so this search may produce false positives", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunk_crash_log", "definition": "(index=_internal AND sourcetype=splunkd_crash_log)", "description": "Searches through the Splunk Crash Log for low-level errors and crashes"}, {"name": "splunk_dos_via_dump_spl_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk DoS via Malformed S2S Request", "author": "Lou Stella, Splunk", "date": "2022-03-24", "version": 2, "id": "fc246e56-953b-40c1-8634-868f9e474cbd", "description": "On March 24th, 2022, Splunk published a security advisory for a possible Denial of Service stemming from the lack of validation in a specific key-value field in the Splunk-to-Splunk (S2S) protocol. This detection will alert on attempted exploitation in patched versions of Splunk.", "references": ["https://www.splunk.com/en_us/product-security/announcements/svd-2022-0301.html"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.CM"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "An attempt to exploit CVE-2021-3422 was detected from $src$ against $host$", "risk_score": 50, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1498", "mitre_attack_technique": "Network Denial of Service", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT28"]}]}, "type": "TTP", "search": "`splunkd` log_level=\"ERROR\" component=\"TcpInputProc\" thread_name=\"FwdDataReceiverThread\" \"Invalid _meta atom\" | table host, src | `splunk_dos_via_malformed_s2s_request_filter`", "how_to_implement": "This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. This detection will only find attempted exploitation on versions of Splunk already patched for CVE-2021-3422.", "known_false_positives": "None.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "splunkd", "definition": "index=_internal sourcetype=splunkd", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_dos_via_malformed_s2s_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk DOS via printf search function", "author": "Rod Soto, Eric McGinnis, Splunk", "date": "2023-08-30", "version": 1, "id": "78b48d08-075c-4eac-bd07-e364c3780867", "description": "This hunting search provides information on detecting a vulnerability In Splunk Enterprise versions lower than 8.1.14, 8.2.12, 9.0.6, and 9.1.1, an attacker can use the printf SPL function to perform a denial of service against the Splunk Enterprise instance.", "references": ["https://advisory.splunk.com/"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Possible denial of service attack against $host$", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1499.004", "mitre_attack_technique": "Application or System Exploitation", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}]}, "type": "Hunting", "search": "`audit_searches` \"*makeresults * eval * fieldformat *printf*\" user!=\"splunk_system_user\" search!=\"*audit_searches*\" | stats count by user splunk_server host search | convert ctime(*time) |`splunk_dos_via_printf_search_function_filter`", "how_to_implement": "This search requires the ability to search internal indexes.", "known_false_positives": "This search may produces false positives, analyst most focuse in the use of printf conversion function of eval to craft an expression that splunkd cannot interpret correctly causing it to crash.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "audit_searches", "definition": "index=_audit sourcetype=audittrail action=search", "description": "Macro to enable easy searching of audittrail logs for searches"}, {"name": "splunk_dos_via_printf_search_function_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Edit User Privilege Escalation", "author": "Rod Soto, Chase Franklin", "date": "2024-05-15", "version": 2, "id": "39e1c326-67d7-4c0d-8584-8056354f6593", "description": "The following analytic identifies attempts by low-privilege users to escalate their privileges to admin by exploiting the edit_user capability. It detects this activity by analyzing audit trail logs for specific actions such as \"change_own_password\" and \"edit_password\" where the info field is \"granted\" and the user is not an admin or system user. This activity is significant because it indicates potential privilege escalation, which is a critical security concern. If confirmed malicious, this could allow an attacker to gain administrative access, leading to full control over the Splunk environment and potential data breaches.", "references": ["https://advisory.splunk.com/"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "message": "Possible attempt to abuse edit_user function by $user$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "Hunting", "search": "`audittrail` action IN (\"change_own_password\",\"password_change\",\"edit_password\") AND info=\"granted\" AND NOT user IN (admin, splunk-system-user) | stats earliest(_time) as event_time values(index) as index values(sourcetype) as sourcetype values(action) as action values(info) as info by user | `splunk_edit_user_privilege_escalation_filter`", "how_to_implement": "This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. This detection may assist in efforts to discover abuse of edit_user privilege.", "known_false_positives": "This search may produce false positives as password changing actions may be part of normal behavior. Operator will need to investigate these actions in order to discern exploitation attempts.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "audittrail", "definition": "index=_audit sourcetype=audittrail", "description": "Macro to enable easy searching of audittrail logs"}, {"name": "splunk_edit_user_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Endpoint Denial of Service DoS Zip Bomb", "author": "Marissa Bower, Rod Soto, Splunk", "date": "2022-08-02", "version": 1, "id": "b237d393-2f57-4531-aad7-ad3c17c8b041", "description": "This search allows operator to identify Splunk search app crashes resulting from specially crafted ZIP file using file monitoring that affects UF versions 8.1.11 and 8.2 versions below 8.2.7.1. It is not possible to detect Zip Bomb attack before crash. This search will provide Universal Forwarder errors from uploaded binary files (zip compression) which are used for this attack. If an analyst sees results from this search we suggest you investigate and triage what zip file was uploaded, zip compressed files may have different extensions.", "references": ["https://en.wikipedia.org/wiki/ZIP_(file_format)", "https://www.splunk.com/en_us/product-security.html"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.CM"], "observable": [{"name": "host", "type": "Endpoint", "role": ["Victim"]}], "message": "Potential exposure of environment variables from url embedded in dashboard", "risk_score": 75, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1499", "mitre_attack_technique": "Endpoint Denial of Service", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Sandworm Team"]}]}, "type": "TTP", "search": "`splunkd` component=FileClassifierManager event_message=*invalid* event_message=*binary* |stats count by host component event_message | `splunk_endpoint_denial_of_service_dos_zip_bomb_filter`", "how_to_implement": "Need to monitor Splunkd data from Universal Forwarders.", "known_false_positives": "This search may reveal non malicious zip files causing errors as well.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "splunkd", "definition": "index=_internal sourcetype=splunkd", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_endpoint_denial_of_service_dos_zip_bomb_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Enterprise KV Store Incorrect Authorization", "author": "Rod Soto, Eric McGinnis, Chase Franklin", "date": "2024-01-18", "version": 1, "id": "8f0e8380-a835-4f2b-b749-9ce119364df0", "description": "In Splunk Enterprise versions below 9.0.8 and 9.1.3, Splunk app key value store KV Store improperly handles permissions for users using the REST application programming interface (API). This can potentially result in the deletion of KV Store collections.", "references": ["https://advisory.splunk.com/advisories/SVD-2024-0105"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Possible attempt to access KV Store collections at $host$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "Hunting", "search": "`splunkda` uri=/servicesNS/nobody/search/admin/collections-conf/_reload status=2* method=\"POST\" user=* file=_reload | stats count min(_time) as firstTime max(_time) as lastTime values(status) as status by host clientip file method | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_enterprise_kv_store_incorrect_authorization_filter`", "how_to_implement": "Requires access to internal indexes and REST API enabled instances.", "known_false_positives": "This is a hunting search and will produce false positives. Operator must follow results into instances where curl requests coming from actual users may indicate intent of exploitation.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunkda", "definition": "index=_internal sourcetype=splunkd_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_enterprise_kv_store_incorrect_authorization_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Enterprise Windows Deserialization File Partition", "author": "Rod Soto, Eric McGinnis, Chase Franklin", "date": "2024-05-18", "version": 2, "id": "947d4d2e-1b64-41fc-b32a-736ddb88ce97", "description": "The following analytic identifies attempts to exploit a deserialization vulnerability in Splunk Enterprise for Windows versions below 9.0.8 and 9.1.3. It detects irregular path file executions by analyzing `splunk_python` logs and extracting file paths and names. This activity is significant because it indicates potential exploitation of a known vulnerability, which could lead to arbitrary code execution. If confirmed malicious, an attacker could gain unauthorized access, execute arbitrary code, and potentially compromise the entire Splunk environment, leading to data breaches and further system exploitation.", "references": ["https://advisory.splunk.com/advisories/SVD-2024-0108"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.CM"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Possible Windows Deserialization exploitation via irregular path file against $host$", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}]}, "type": "TTP", "search": "`splunk_python` request_path=\"/en-US/app/search/C:\\\\Program\" *strings* | rex \"request_path=(?[^\\\"]+)\" | rex field=file_path \"[^\\\"]+/(?[^\\\"\\'\\s/\\\\\\\\]+)\" | stats min(_time) as firstTime max(_time) as lastTime values(file_path) as file_path values(file_name) as file_name by index, sourcetype, host | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_enterprise_windows_deserialization_file_partition_filter`", "how_to_implement": "Requires access to internal indexes. This detection search will display irregular path file execution, which will display exploit attempts. Only applies to Microsoft Windows Splunk versions.", "known_false_positives": "Irregular path with files that may be purposely called for benign reasons may produce false positives.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_python", "definition": "index=_internal sourcetype=splunk_python", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_enterprise_windows_deserialization_file_partition_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk ES DoS Investigations Manager via Investigation Creation", "author": "Rod Soto, Eric McGinnis, Chase Franklin", "date": "2024-01-04", "version": 1, "id": "7f6a07bd-82ef-46b8-8eba-802278abd00e", "description": "In Splunk Enterprise Security (ES) versions lower than 7.1.2, an attacker can create a malformed Investigation to perform a denial of service (DoS). The malformed investigation prevents the generation and rendering of the Investigations manager until it is deleted.", "references": ["https://advisory.splunk.com/advisories/SVD-2024-0102"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Denial of Service Attack against Splunk ES Investigation Manager by $user$", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1499", "mitre_attack_technique": "Endpoint Denial of Service", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Sandworm Team"]}]}, "type": "TTP", "search": "`splunkd_investigation_rest_handler` method=put msg=*investigation* status=error | stats count min(_time) as firstTime max(_time) as lastTime by user host method msg | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_es_dos_investigations_manager_via_investigation_creation_filter`", "how_to_implement": "This search requires access to internal indexes. Only affects Splunk Enterprise Security versions lower than 7.1.2.", "known_false_positives": "The vulnerability requires an authenticated session and access to create an Investigation. It only affects the availability of the Investigations manager, but without the manager, the Investigations functionality becomes unusable for most users. This search gives the exact offending event.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunkd_investigation_rest_handler", "definition": "index=_internal sourcetype=investigation_rest_handler", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_es_dos_investigations_manager_via_investigation_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk ES DoS Through Investigation Attachments", "author": "Rod Soto, Eric McGinnis, Chase Franklin", "date": "2024-01-04", "version": 1, "id": "bb85b25e-2d6b-4e39-bd27-50db42edcb8f", "description": "In Splunk Enterprise Security (ES) versions below 7.1.2, an attacker can use investigation attachments to perform a denial of service (DoS) to the Investigation. The attachment endpoint does not properly limit the size of the request which lets an attacker cause the Investigation to become inaccessible.", "references": ["https://advisory.splunk.com/advisories/SVD-2024-0101"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Denial of Service detected at Splunk ES affecting $user$", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1499", "mitre_attack_technique": "Endpoint Denial of Service", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Sandworm Team"]}]}, "type": "TTP", "search": "`splunkd_investigation_rest_handler` status=error object=investigation | stats min(_time) as firstTime max(_time) as lastTime values(status) as status values(msg) as msg values(id) as investigation_id by user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_es_dos_through_investigation_attachments_filter`", "how_to_implement": "This search requires access to internal indexes, only affects Enterprise Security versions below 7.1.2.", "known_false_positives": "This search will show the exact DoS event via error message and investigation id. The error however does not point exactly at the uploader as any users associated with the investigation will be affected. Operator must investigate using investigation id the possible origin of the malicious upload. Attack only affects specific investigation not the investigation manager.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunkd_investigation_rest_handler", "definition": "index=_internal sourcetype=investigation_rest_handler", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_es_dos_through_investigation_attachments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk HTTP Response Splitting Via Rest SPL Command", "author": "Rod Soto, Chase Franklin", "date": "2023-05-23", "version": 1, "id": "e615a0e1-a1b2-4196-9865-8aa646e1708c", "description": "A low-privileged user, using a specially crafted search command, can trigger an HTTP response splitting vulnerability with the rest SPL command that lets them potentially access other REST endpoints in the system arbitrarily, including accessing restricted content such as password files. This is because the user is able to inject the rest SPL command into the q parameter of an HTTP GET web request. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The attacker cannot exploit the vulnerability at will.", "references": ["https://advisory.splunk.com/"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "URL String", "role": ["Victim"]}], "message": "Suspicious access by $user$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1027.006", "mitre_attack_technique": "HTML Smuggling", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29"]}]}, "type": "Hunting", "search": "`audit_searches` AND search IN (\"*|*rest*POST*\",\"*|*rest*PUT*\",\"*|*rest*PATCH*\",\"*|*rest*DELETE*\") AND NOT search=\"*audit_searches*\" | table user info has_error_msg search _time | `splunk_http_response_splitting_via_rest_spl_command_filter`", "how_to_implement": "This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. This search may assist in detecting possible http response splitting exploitation attemptss.", "known_false_positives": "This search may have produce false positives as malformed or erroneous requests made to this endpoint may be executed willingly or erroneously by operators.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "audit_searches", "definition": "index=_audit sourcetype=audittrail action=search", "description": "Macro to enable easy searching of audittrail logs for searches"}, {"name": "splunk_http_response_splitting_via_rest_spl_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Improperly Formatted Parameter Crashes splunkd", "author": "Chase Franklin, Rod Soto, Splunk", "date": "2024-05-14", "version": 2, "id": "08978eca-caff-44c1-84dc-53f17def4e14", "description": "The following analytic detects the execution of improperly formatted INGEST_EVAL parameters in Splunk Enterprise, which can crash the splunkd service. It leverages the Splunk_Audit.Search_Activity datamodel to identify ad-hoc searches containing specific keywords. This activity is significant because it can disrupt Splunk operations, leading to potential data loss and service downtime. If confirmed malicious, an attacker could exploit this to cause a denial of service, impacting the availability and reliability of the Splunk environment.", "references": ["https://www.splunk.com/en_us/product-security.html"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "message": "An attempt to exploit ingest eval parameter was detected from $user$", "risk_score": 100, "security_domain": "threat", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1499", "mitre_attack_technique": "Endpoint Denial of Service", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Sandworm Team"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Splunk_Audit.Search_Activity where (Search_Activity.search=\"*makeresults*\"AND Search_Activity.search=\"*ingestpreview*transforms*\") Search_Activity.search_type=adhoc Search_Activity.search!=\"*splunk_improperly_formatted_parameter_crashes_splunkd_filter*\" Search_Activity.user!=splunk-system-user by Search_Activity.search, Search_Activity.info, Search_Activity.total_run_time, Search_Activity.user, Search_Activity.search_type | `drop_dm_object_name(Search_Activity)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_improperly_formatted_parameter_crashes_splunkd_filter`", "how_to_implement": "Requires access to audittrail and use of Splunk_Audit.Search_Activity datamodel.", "known_false_positives": "This is a hunting search it should be focused on affected products, otherwise it is likely to produce false positives.", "datamodel": ["Splunk_Audit"], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "splunk_improperly_formatted_parameter_crashes_splunkd_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Information Disclosure in Splunk Add-on Builder", "author": "Rod Soto, Eric McGinnis", "date": "2024-05-20", "version": 2, "id": "b7b82980-4a3e-412e-8661-4531d8758735", "description": "The following analytic identifies the presence of vulnerable versions of Splunk Add-on Builder (below 4.1.4) that write sensitive information to internal log files. It uses REST API queries to check installed app versions and flags those below the secure threshold. This activity is significant because it exposes sensitive data, which could be exploited by attackers. If confirmed malicious, this vulnerability could lead to unauthorized access to sensitive information, compromising the security and integrity of the Splunk environment. Immediate updates to version 4.1.4 or higher are recommended.", "references": ["https://advisory.splunk.com/advisories/SVD-2024-0111"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "version", "type": "Other", "role": ["Other"]}], "message": "Vulnerable $version$ of Splunk Add-on Builder found - Upgrade Immediately.", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1082", "mitre_attack_technique": "System Information Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT19", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "Blue Mockingbird", "Chimera", "Confucius", "Darkhotel", "FIN13", "FIN8", "Gamaredon Group", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Malteiro", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Sowbug", "Stealth Falcon", "TA2541", "TeamTNT", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Windigo", "Windshift", "Wizard Spider", "ZIRCONIUM", "admin@338"]}]}, "type": "Hunting", "search": "| rest /services/apps/local | search disabled=0 core=0 label=\"Splunk Add-on Builder\" | dedup label | search version < 4.1.4 | eval WarningMessage=\"Splunk Add-on Builder Versions older than v4.1.4 contain a critical vulnerability. Update to Splunk Add-on Builder v4.1.4 or higher immediately. For more information about this vulnerability, please refer to https://advisory.splunk.com/advisories/SVD-2024-0111\" | table label version WarningMessage | `splunk_information_disclosure_in_splunk_add_on_builder_filter`", "how_to_implement": "This search should be run on search heads where Splunk Add-on Builder may be installed. The results of this search will conclusively show whether or not a vulnerable version of Splunk Add-on Builder is currently installed.", "known_false_positives": "This search is highly specific for vulnerable versions of Splunk Add-on Builder. There are no known false positives.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunk_information_disclosure_in_splunk_add_on_builder_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk list all nonstandard admin accounts", "author": "Rod Soto", "date": "2023-02-07", "version": 1, "id": "401d689c-8596-4c6b-a710-7b6fdca296d3", "description": "This search will enumerate all Splunk Accounts with administrative rights on this instance. It deliberately ignores the default admin account since this is assumed to be present. This search may help in a detection the Cross-Site Scripting Attack listed: In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, a View allows for Cross-Site Scripting in an XML View through the 'layoutPanel' attribute in the 'module' tag. The vulnerability affects instances with Splunk Web enabled.", "references": ["https://www.splunk.com/en_us/product-security.html"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.AE"], "observable": [{"name": "splunk_server", "type": "Hostname", "role": ["Victim"]}], "message": "Potential stored XSS attempt from $host$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "Mustard Tempest", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}]}, "type": "Hunting", "search": "| rest splunk_server=local /services/authentication/users |search capabilities=admin* OR imported_capabilities=admin* title!=admin | table title roles capabilities splunk_server | `splunk_list_all_nonstandard_admin_accounts_filter`", "how_to_implement": "The user running this search is required to have a permission allowing them to dispatch REST requests to indexers (the `dispatch_rest_to_indexers` capability) in some architectures. If there have been admin account, in addition to the standard admin account, intentionally created on this server, then edit the filter macro to exclude them.", "known_false_positives": "It is not possible to discern from the user table whether or not users with admin rights have been created intentionally, accidentally, or as a result of exploitation. Each user with these rights should be investigated and, if legitimate, added to the filter macro above. If a user is not believed to be legitimate, then further investigation should take place.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunk_list_all_nonstandard_admin_accounts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Low Privilege User Can View Hashed Splunk Password", "author": "Rod Soto, Eric McGinnis, Chase Franklin", "date": "2023-05-09", "version": 1, "id": "a1be424d-e59c-4583-b6f9-2dcc23be4875", "description": "In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, a low-privilege user who holds the user role can see the hashed version of the initial user name and password for the Splunk instance by using the rest SPL command against the conf-user-seed REST endpoint. This can lead to a privilege escalation that lets the user take over the admin account on the instance.", "references": ["https://advisory.splunk.com/"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "clientip", "type": "IP Address", "role": ["Attacker"]}], "message": "Attempt to access Splunk hashed password file from $clientip$", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1212", "mitre_attack_technique": "Exploitation for Credential Access", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}]}, "type": "Hunting", "search": "`splunkd_web` uri=\"*/servicesNS/nobody/system/configs/conf-user-seed*\" | stats earliest(_time) as event_time values(method) as method values(status) as status values(clientip) as clientip values(useragent) as useragent values(file) as file by user | convert ctime(*time) | `splunk_low_privilege_user_can_view_hashed_splunk_password_filter`", "how_to_implement": "This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. This detection may assist in efforts to discover attempts to access con-user-seed file content.", "known_false_positives": "This search may produce false positives as accounts with high privileges may access this file. Operator will need to investigate these actions in order to discern exploitation attempts.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunkd_web", "definition": "index=_internal sourcetype=splunk_web_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_low_privilege_user_can_view_hashed_splunk_password_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Path Traversal In Splunk App For Lookup File Edit", "author": "Rod Soto, Eric McGinnis", "date": "2023-05-11", "version": 1, "id": "8ed58987-738d-4917-9e44-b8ef6ab948a6", "description": "In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, a low-privilege user with access to the Splunk App for Lookup File Editing can, with a specially crafted web request, trigger a path traversal exploit that can then be used to read and write to restricted areas of the Splunk installation directory, including but not limited to the password hash file for the instance.", "references": ["https://advisory.splunk.com/"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "clientip", "type": "IP Address", "role": ["Attacker"]}], "message": "Path traversal exploitation attempt from $clientip$", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1083", "mitre_attack_technique": "File and Directory Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT28", "APT3", "APT32", "APT38", "APT39", "APT41", "APT5", "Aoqin Dragon", "BRONZE BUTLER", "Chimera", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN13", "Fox Kitten", "Gamaredon Group", "HAFNIUM", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leafminer", "LuminousMoth", "Magic Hound", "MuddyWater", "Mustang Panda", "Patchwork", "Sandworm Team", "Scattered Spider", "Sidewinder", "Sowbug", "TeamTNT", "ToddyCat", "Tropic Trooper", "Turla", "Windigo", "Winnti Group", "admin@338", "menuPass"]}]}, "type": "Hunting", "search": "`splunkda` uri_query=*lookup_file* | table clientip uri_query lookup_file owner namespace version | stats count by clientip namespace lookup_file uri_query | `splunk_path_traversal_in_splunk_app_for_lookup_file_edit_filter`", "how_to_implement": "This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. This detection is meant for on premise environments, and if executed on internet facing servers without a WAF may produce a lot of results. This detection will not work against obfuscated path traversal requests.", "known_false_positives": "This search may find additional path traversal exploitation attempts or malformed requests.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunkda", "definition": "index=_internal sourcetype=splunkd_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_path_traversal_in_splunk_app_for_lookup_file_edit_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Persistent XSS Via URL Validation Bypass W Dashboard", "author": "Rod Soto", "date": "2023-05-09", "version": 1, "id": "8a43558f-a53c-4ee4-86c1-30b1e8ef3606", "description": "In Splunk Enterprise versions below 9.0.4, 8.2.10, and 8.1.13, a low-privileged user can bypass URL validation to perform a path traversal and access restricted and confidential information by targeting other users on the instance, including the admin user. The only affected version of bootstrap which shipped with Splunk was version 2.3.1, so the search is targeted at that version alone.", "references": ["https://advisory.splunk.com/"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.AE"], "observable": [{"name": "clientip", "type": "IP Address", "role": ["Attacker"]}], "message": "Attempted access to vulnerable bootstrap file by $clientip$", "risk_score": 16, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "Mustard Tempest", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}]}, "type": "Hunting", "search": "`splunkd_web` method=GET uri_path=\"*bootstrap-2.3.1*\" file=\"*.js\" | table _time clientip uri_path file status | `splunk_persistent_xss_via_url_validation_bypass_w_dashboard_filter`", "how_to_implement": "This search does not require additional data to be ingested. This search requires ability to search _internal index. This search helps discover access to vulnerable bootstrap versions.", "known_false_positives": "This search will produce numerous false positives as it shows ANY accesses to vulnerable bootstrap Javascript files. Accesses to these files occur during normal Splunk usage. To reduce or eliminate false positives, update the a version of Splunk which has addressed the vulnerability.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunkd_web", "definition": "index=_internal sourcetype=splunk_web_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_persistent_xss_via_url_validation_bypass_w_dashboard_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Process Injection Forwarder Bundle Downloads", "author": "Lou Stella, Splunk", "date": "2022-05-26", "version": 1, "id": "8ea57d78-1aac-45d2-a913-0cd603fb6e9e", "description": "On June 14th, 2022, Splunk released a security advisory relating to the authentication that happens between Universal Forwarders and Deployment Servers. In some circumstances, an unauthenticated client can download forwarder bundles from the Deployment Server. This hunting search pulls a full list of forwarder bundle downloads where the peer column is the forwarder, the host column is the Deployment Server, and then you have a list of the apps downloaded and the serverclasses in which the peer is a member of. You should look for apps or clients that you do not recognize as being part of your environment.", "references": ["https://www.splunk.com/en_us/product-security/announcements/svd-2022-0607.html", "https://www.github.com/splunk/security_content/blob/develop/workbooks/splunk_psa_0622.json"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "$peer$ downloaded apps from $host$", "risk_score": 35, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}]}, "type": "Hunting", "search": "`splunkd` component=\"PackageDownloadRestHandler\" | stats values(app) values(serverclass) by peer, host | `splunk_process_injection_forwarder_bundle_downloads_filter`", "how_to_implement": "This hunting search uses native logs produced when a deployment server is within your environment. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as \"curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json\". A user should then create an empty container or case, attach the workbook, and begin working through the tasks.", "known_false_positives": "None at this time.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunkd", "definition": "index=_internal sourcetype=splunkd", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_process_injection_forwarder_bundle_downloads_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Protocol Impersonation Weak Encryption Configuration", "author": "Lou Stella, Splunk", "date": "2022-05-25", "version": 1, "id": "900892bf-70a9-4787-8c99-546dd98ce461", "description": "On June 14th, 2022, Splunk released a security advisory relating to TLS validation occuring within the httplib and urllib python libraries shipped with Splunk. In addition to upgrading to Splunk Enterprise 9.0 or later, several configuration settings need to be set. This search will check those configurations on the search head it is run from as well as its search peers. In addition to these settings, the PYTHONHTTPSVERIFY setting in $SPLUNK_HOME/etc/splunk-launch.conf needs to be enabled as well. Other components such as additional search heads or anything this rest command cannot be distributed to will need to be manually checked.", "references": ["https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation", "https://www.splunk.com/en_us/product-security/announcements/svd-2022-0601.html", "https://www.github.com/splunk/security_content/blob/develop/workbooks/splunk_psa_0622.json"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "nist": ["DE.AE"], "observable": [{"name": "splunk_server", "type": "Hostname", "role": ["Victim"]}], "message": "$splunk_server$ may not be properly validating TLS Certificates", "risk_score": 50, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1001.003", "mitre_attack_technique": "Protocol Impersonation", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Higaisa", "Lazarus Group"]}]}, "type": "Hunting", "search": "| rest /services/server/info | table splunk_server version server_roles | join splunk_server [| rest /servicesNS/nobody/search/configs/conf-server/ search=\"PythonSslClientConfig\" | table splunk_server sslVerifyServerCert sslVerifyServerName] | join splunk_server [| rest /servicesNS/nobody/search/configs/conf-web/settings | table splunk_server serverCert sslVersions] | rename sslVerifyServerCert as \"Server.conf:PythonSSLClientConfig:sslVerifyServerCert\", sslVerifyServerName as \"Server.conf:PythonSSLClientConfig:sslVerifyServerName\", serverCert as \"Web.conf:Settings:serverCert\", sslVersions as \"Web.conf:Settings:sslVersions\" | `splunk_protocol_impersonation_weak_encryption_configuration_filter`", "how_to_implement": "The user running this search is required to have a permission allowing them to dispatch REST requests to indexers (The `dispatch_rest_to_indexers` capability). Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as \"curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json\". A user should then create an empty container or case, attach the workbook, and begin working through the tasks.", "known_false_positives": "While all of the settings on each device returned by this search may appear to be hardened, you will still need to verify the value of PYTHONHTTPSVERIFY in $SPLUNK_HOME/etc/splunk-launch.conf on each device in order to harden the python configuration.", "datamodel": ["Web"], "source": "application", "nes_fields": null, "macros": [{"name": "splunk_protocol_impersonation_weak_encryption_configuration_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk protocol impersonation weak encryption selfsigned", "author": "Rod Soto, Splunk", "date": "2024-05-21", "version": 2, "id": "c76c7a2e-df49-414a-bb36-dce2683770de", "description": "The following analytic identifies the use of Splunk's default self-signed certificates, which are flagged as insecure. It detects events from the `splunkd` log where the event message indicates that an X509 certificate should not be used. This activity is significant because using weak encryption and self-signed certificates can expose the system to man-in-the-middle attacks and other security vulnerabilities. If confirmed malicious, attackers could impersonate Splunk services, intercept sensitive data, and compromise the integrity of the Splunk environment.", "references": ["https://www.splunk.com/en_us/product-security", "https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation", "https://www.github.com/splunk/security_content/blob/develop/workbooks/splunk_psa_0622.json"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization"], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Splunk default issued certificate at $host$", "risk_score": 40, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1588.004", "mitre_attack_technique": "Digital Certificates", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["BlackTech", "Lazarus Group", "LuminousMoth", "Silent Librarian"]}]}, "type": "Hunting", "search": "`splunkd` certificate event_message=\"X509 certificate* should not be used*\" | stats count by host CN component log_level | `splunk_protocol_impersonation_weak_encryption_selfsigned_filter`", "how_to_implement": "Must upgrade to Splunk version 9 and Configure TLS in order to apply this search. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as \"curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json\". A user should then create an empty container or case, attach the workbook, and begin working through the tasks.", "known_false_positives": "This searches finds self signed certificates issued by Splunk which are not recommended from Splunk version 9 forward.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunkd", "definition": "index=_internal sourcetype=splunkd", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_protocol_impersonation_weak_encryption_selfsigned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk protocol impersonation weak encryption simplerequest", "author": "Rod Soto, Splunk", "date": "2024-05-23", "version": 2, "id": "839d12a6-b119-4d44-ac4f-13eed95412c8", "description": "The following analytic identifies instances where Splunk's Python3 client libraries fail to validate SSL certificates properly. It leverages logs from `splunk_python` to detect when \"simpleRequest SSL certificate validation is enabled without hostname verification.\" This activity is significant because improper SSL certificate validation can expose the system to man-in-the-middle attacks, allowing attackers to intercept or alter data. If confirmed malicious, this vulnerability could lead to unauthorized access, data breaches, and potential system compromise. Upgrading to Splunk version 9 and configuring TLS hostname validation is recommended to mitigate this risk.", "references": ["https://www.splunk.com/en_us/product-security", "https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation", "https://www.github.com/splunk/security_content/blob/develop/workbooks/splunk_psa_0622.json"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization"], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Failed to validate certificate on $host$", "risk_score": 40, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1588.004", "mitre_attack_technique": "Digital Certificates", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["BlackTech", "Lazarus Group", "LuminousMoth", "Silent Librarian"]}]}, "type": "Hunting", "search": "`splunk_python` \"simpleRequest SSL certificate validation is enabled without hostname verification\" | stats count by host path | `splunk_protocol_impersonation_weak_encryption_simplerequest_filter`", "how_to_implement": "Must upgrade to Splunk version 9 and Configure TLS host name validation for Splunk Python modules in order to apply this search. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as \"curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json\". A user should then create an empty container or case, attach the workbook, and begin working through the tasks.", "known_false_positives": "This search tries to address validation of server and client certificates within Splunk infrastructure, it might produce results from accidental or unintended requests to port 8089.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunk_python", "definition": "index=_internal sourcetype=splunk_python", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_protocol_impersonation_weak_encryption_simplerequest_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk RBAC Bypass On Indexing Preview REST Endpoint", "author": "Rod Soto", "date": "2024-05-15", "version": 2, "id": "bbe26f95-1655-471d-8abd-3d32fafa86f8", "description": "The following analytic identifies unauthorized attempts to use the /services/indexing/preview REST endpoint in Splunk. It detects POST requests to this endpoint by monitoring the _internal index for specific URI patterns. This activity is significant because it indicates a potential RBAC (Role-Based Access Control) bypass, allowing unauthorized users to overwrite search results if they know the search ID (SID) of an existing job. If confirmed malicious, this could lead to data manipulation, unauthorized access to sensitive information, and compromised integrity of search results.", "references": ["https://advisory.splunk.com/"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "clientip", "type": "IP Address", "role": ["Attacker"]}], "message": "Review $clientip$ access to indexing preview endpoint from low privilege user", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}]}, "type": "Hunting", "search": "`splunkda` method=\"POST\" uri=\"*/services/indexing/preview*\" | table host clientip status useragent user uri_path | `splunk_rbac_bypass_on_indexing_preview_rest_endpoint_filter`", "how_to_implement": "This search does not require additional data ingestion. It requires the ability to search _internal index.", "known_false_positives": "This is a hunting search which provides verbose results against this endpoint. Operator must consider things such as IP address, useragent and user(specially low privelege) and host to investigate possible attack.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunkda", "definition": "index=_internal sourcetype=splunkd_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_rbac_bypass_on_indexing_preview_rest_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk RCE via Serialized Session Payload", "author": "Chase Franklin, Rod Soto, Eric McGinnis, Splunk", "date": "2023-10-02", "version": 1, "id": "d1d8fda6-874a-400f-82cf-dcbb59d8e4db", "description": "In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an attacker can execute a specially crafted query that they can then use to serialize untrusted data. The attacker can use the query to execute arbitrary code. The exploit requires the use of the 'collect' SPL command which writes a file within the Splunk Enterprise installation. The attacker can then use this file to submit a serialized payload that can result in execution of code within the payload. Please refer to the following URL for additional information on these disclosures - https://advisory.splunk.com", "references": ["https://www.splunk.com/en_us/product-security.html"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "splunk_server", "type": "Hostname", "role": ["Victim"]}], "message": "Potential abuse of the 'collect' SPL command against $splunk_server$ by detected by $user$", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}]}, "type": "Hunting", "search": "`audit_searches` file=* (search=\"*makeresults*\" AND search=\"*collect*\") | stats count min(_time) as firstTime max(_time) as lastTime by action file user splunk_server search | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_rce_via_serialized_session_payload_filter`", "how_to_implement": "Requires access to the _audit index.", "known_false_positives": "There are numerous many uses of the 'makeresults' and 'collect' SPL commands. Please evaluate the results of this search for potential abuse.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "audit_searches", "definition": "index=_audit sourcetype=audittrail action=search", "description": "Macro to enable easy searching of audittrail logs for searches"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_rce_via_serialized_session_payload_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature", "author": "Rod Soto", "date": "2022-10-11", "version": 1, "id": "baa41f09-df48-4375-8991-520beea161be", "description": "This hunting search provides information on possible exploitation attempts against Splunk Secure Gateway App Mobile Alerts feature in Splunk versions 9.0, 8.2.x, 8.1.x. An authenticated user can run arbitrary operating system commands remotely through the use of specially crafted requests to the mobile alerts feature in the Splunk Secure Gateway app.", "references": ["https://www.splunk.com/en_us/product-security.html"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "clientip", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible exploitation attempt from $clientip$", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1210", "mitre_attack_technique": "Exploitation of Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "Dragonfly", "Earth Lusca", "FIN7", "Fox Kitten", "MuddyWater", "Threat Group-3390", "Tonto Team", "Wizard Spider", "menuPass"]}]}, "type": "Hunting", "search": "`splunkda` uri_path=\"/servicesNS/nobody/splunk_secure_gateway/storage/collections/data/mobile_alerts*\" sort=\"notification.created_at:-1\" | table clientip file host method uri_query sort | `splunk_rce_via_splunk_secure_gateway__splunk_mobile_alerts_feature_filter`", "how_to_implement": "This search only applies if Splunk Mobile Gateway is deployed in the vulnerable Splunk versions.", "known_false_positives": "This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. Focus of this search is \"uri_path=/servicesNS/nobody/splunk_secure_gateway/storage/collections/data/mobile_alerts*\" which is the injection point.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunkda", "definition": "index=_internal sourcetype=splunkd_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_rce_via_splunk_secure_gateway__splunk_mobile_alerts_feature_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk RCE via User XSLT", "author": "Marissa Bower, Chase Franklin, Rod Soto, Bhavin Patel, Eric McGinnis, Splunk", "date": "2024-05-16", "version": 2, "id": "6cb7e011-55fb-48e3-a98d-164fa854e37e", "description": "The following analytic identifies potential remote code execution (RCE) attempts via user-supplied Extensible Stylesheet Language Transformations (XSLT) in Splunk versions 9.1.x. It detects this activity by analyzing `splunkd_ui` logs for specific URI patterns and status codes indicative of XSLT injection attempts. This activity is significant because successful exploitation could allow an attacker to execute arbitrary code on the Splunk server. If confirmed malicious, this could lead to full system compromise, unauthorized data access, and further lateral movement within the network.", "references": ["https://advisory.splunk.com/advisories/SVD-2023-1104"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Potential Remote Code Execution via XLST from $src$ using useragent - $useragent$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1210", "mitre_attack_technique": "Exploitation of Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "Dragonfly", "Earth Lusca", "FIN7", "Fox Kitten", "MuddyWater", "Threat Group-3390", "Tonto Team", "Wizard Spider", "menuPass"]}]}, "type": "Hunting", "search": "`splunkd_ui` ((uri=\"*NO_BINARY_CHECK=1*\" AND \"*input.path=*.xsl*\") OR uri=\"*dispatch*.xsl*\") AND uri!= \"*splunkd_ui*\" | rex field=uri \"(?=\\s*([\\S\\s]+))\" | eval decoded_field=urldecode(string) | eval action=case(match(status,\"200\"),\"Allowed\",match(status,\"303|500|401|403|404|301|406\"),\"Blocked\",1=1,\"Unknown\") | stats count min(_time) as firstTime max(_time) as lastTime by clientip useragent uri decoded_field action host | rename clientip as src, uri as dest_uri | iplocation src | fillnull value=\"N/A\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table firstTime, lastTime src, useragent, action, count, Country, Region, City, dest_uri, decoded_field", "how_to_implement": "This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index.", "known_false_positives": "This search will provide information for investigation and hunting possible abuse of user-supplied XSLT. There may be false positives and results should individually evaluated. Please evaluate the source IP and useragent responsible for creating the requests.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunkd_ui", "definition": "index=_internal sourcetype=splunkd_ui_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_rce_via_user_xslt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Reflected XSS in the templates lists radio", "author": "Rod Soto, Chase Franklin", "date": "2024-05-23", "version": 2, "id": "d532d105-c63f-4049-a8c4-e249127ca425", "description": "The following analytic identifies potential reflected cross-site scripting (XSS) attempts in Splunk versions below 8.1.12, 8.2.9, and 9.0.2. It detects when a query parameter with `output_mode=radio` is used in a URI, leveraging `splunkd_webx` logs with status 200 and non-null URI queries. This activity is significant as it can indicate an attempt to exploit a known vulnerability, potentially allowing attackers to execute arbitrary JavaScript in the context of the user's browser. If confirmed malicious, this could lead to unauthorized actions, data theft, or further compromise of the affected Splunk instance.", "references": ["https://research.splunk.com/stories/splunk_vulnerabilities/"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "message": "Potential XSS exploitation against radio template by $user$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "Mustard Tempest", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}]}, "type": "Hunting", "search": "`splunkd_webx` user=admin status=200 uri=*/lists/entities/x/ui/views* uri_query!=null | stats count earliest(_time) as event_time values(status) as status values(clientip) as clientip by index, sourcetype, _time, host, user, uri | `splunk_reflected_xss_in_the_templates_lists_radio_filter`", "how_to_implement": "This vulnerability only affects instances with Splunk Web enabled. This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index.", "known_false_positives": "This search may produce false positives as it is difficult to pinpoint all possible XSS injection characters in a single search string. Special attention is required to \"en-US/list/entities/x/ui/views\" which is the vulnerable injection point.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunkd_webx", "definition": "index=_internal sourcetype=splunk_web_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_reflected_xss_in_the_templates_lists_radio_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Reflected XSS on App Search Table Endpoint", "author": "Rod Soto", "date": "2023-09-05", "version": 1, "id": "182f9080-4137-4629-94ac-cb1083ac981a", "description": "In Splunk Enterprise versions below 9.1.1, 9.0.6, and 8.2.12, an attacker can craft a special web request that can result in reflected cross-site scripting XSS on the app search table web endpoint, which presents as the Create Table View page in Splunk Web. Exploitation of this vulnerability can lead to the execution of arbitrary commands on the Splunk platform instance. A JavaScript file within this web endpoint does not properly validate input which lets an attacker insert a payload into a function.", "references": ["https://advisory.splunk.com/advisories/SVD-2023-0801"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "message": "Possible XSS attack against from $user$", "risk_score": 12, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "Mustard Tempest", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}]}, "type": "Hunting", "search": "`splunkd_web` (dataset_commands=\"*makeresults*\" AND dataset_commands=\"*count*\" AND dataset_commands=\"*eval*\" AND dataset_commands=\"*baseSPL*\") | stats count min(_time) as firstTime max(_time) as lastTime by clientip status user view root uri_path | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `splunk_reflected_xss_on_app_search_table_endpoint_filter`", "how_to_implement": "Need access to the internal indexes.", "known_false_positives": "This search will produce false positives. It is necessary to also look at uri_query parameter to determine the possible malicious intention of inserting makeresults within the uri string.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunkd_web", "definition": "index=_internal sourcetype=splunk_web_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_reflected_xss_on_app_search_table_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk risky Command Abuse disclosed february 2023", "author": "Chase Franklin, Rod Soto, Eric McGinnis, Splunk", "date": "2024-05-05", "version": 3, "id": "ee69374a-d27e-4136-adac-956a96ff60fd", "description": "The following analytic identifies the execution of high-risk commands associated with various Splunk vulnerability disclosures. It leverages the Splunk_Audit.Search_Activity datamodel to detect ad-hoc searches by non-system users that match known risky commands. This activity is significant for a SOC as it may indicate attempts to exploit known vulnerabilities within Splunk, potentially leading to unauthorized access or data exfiltration. If confirmed malicious, this could allow attackers to execute arbitrary code, escalate privileges, or persist within the environment, posing a severe threat to the organization's security posture.", "references": ["https://www.splunk.com/en_us/product-security.html"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "splunk_risky_command", "type": "Other", "role": ["Other"]}], "message": "Use of risky splunk command $splunk_risky_command$ detected by $user$", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1202", "mitre_attack_technique": "Indirect Command Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "type": "Hunting", "search": "| tstats fillnull_value=\"N/A\" count min(_time) as firstTime max(_time) as lastTime from datamodel=Splunk_Audit.Search_Activity where Search_Activity.search_type=adhoc Search_Activity.user!=splunk-system-user by Search_Activity.search Search_Activity.info Search_Activity.total_run_time Search_Activity.user Search_Activity.search_type | `drop_dm_object_name(Search_Activity)` | lookup splunk_risky_command splunk_risky_command as search output splunk_risky_command description vulnerable_versions CVE other_metadata | where splunk_risky_command != \"false\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_risky_command_abuse_disclosed_february_2023_filter`", "how_to_implement": "Requires implementation of Splunk_Audit.Search_Activity datamodel.", "known_false_positives": "This search encompasses many commands.", "datamodel": ["Splunk_Audit"], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_risky_command_abuse_disclosed_february_2023_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "splunk_risky_command", "description": "A list of Risky Splunk Command that are candidates for abuse", "filename": "splunk_risky_command_20240122.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(splunk_risky_command)", "min_matches": 1, "fields_list": null}]}, {"name": "Splunk Stored XSS via Data Model objectName field", "author": "Rod Soto", "date": "2022-10-11", "version": 1, "id": "062bff76-5f9c-496e-a386-cb1adcf69871", "description": "Splunk Enterprise versions 8.1.12, 8.2.9, 9.0.2 are vulnerable to persistent cross site scripting via Data Model object name. An authenticated user can inject and store arbitrary scripts that can lead to persistent cross-site scripting (XSS) in the object name Data Model.", "references": ["https://www.splunk.com/en_us/product-security.html", "https://portswigger.net/web-security/cross-site-scripting/cheat-sheet"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "message": "A potential XSS attempt has been detected from $user$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "Mustard Tempest", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}]}, "type": "Hunting", "search": "`splunkd_webx` uri=/en-US/splunkd/__raw/servicesNS/*/launcher/datamodel/model* uri_query!=null | stats count by _time host status clientip user uri | `splunk_stored_xss_via_data_model_objectname_field_filter`", "how_to_implement": "This vulnerability only affects Splunk Web enabled instances. This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index.", "known_false_positives": "This search may produce false positives and does not cover exploitation attempts via code obfuscation, focus of search is suspicious requests against \"/en-US/splunkd/__raw/servicesNS/*/launcher/datamodel/model\" which is the injection point.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunkd_webx", "definition": "index=_internal sourcetype=splunk_web_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_stored_xss_via_data_model_objectname_field_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Unauthenticated Log Injection Web Service Log", "author": "Rod Soto", "date": "2023-07-13", "version": 1, "id": "de3908dc-1298-446d-84b9-fa81d37e959b", "description": "An attacker can use a specially crafted web URL in their browser to cause log file injection, in which the attack inserts American National Standards Institute (ANSI) escape codes into specific files using a terminal program that supports those escape codes. The attack requires a terminal program that supports the translation of ANSI escape codes and requires additional user interaction to successfully execute. This following analytic detects potential log injection attempts into the Splunk server.", "references": ["https://advisory.splunk.com/advisories/SVD-2023-0606"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}, {"name": "clientip", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible Splunk unauthenticated log injection web service log exploitation attempt against $host$ from $clientip$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}]}, "type": "Hunting", "search": "`splunkd_webx` uri_path IN (\"*\\x1B*\", \"*\\u001b*\", \"*\\033*\", \"*\\0x9*\", \"*\\0x8*\") | stats count by uri_path method host status clientip | `splunk_unauthenticated_log_injection_web_service_log_filter`", "how_to_implement": "This only affects web enabled Splunk instances. The detection does require the ability to search the _internal index.", "known_false_positives": "This hunting search will produce false positives if ANSI escape characters are included in URLs either voluntarily or by accident. This search will not detect obfuscated ANSI characters.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunkd_webx", "definition": "index=_internal sourcetype=splunk_web_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_unauthenticated_log_injection_web_service_log_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk unnecessary file extensions allowed by lookup table uploads", "author": "Rod Soto, Splunk", "date": "2023-02-14", "version": 1, "id": "b7d1293f-e78f-415e-b5f6-443df3480082", "description": "In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the lookup table uploads let a user upload lookup tables with unnecessary filename extensions. Lookup table file extensions may now only be one of .csv, .csv.gz, .kmz, .kml, .mmdb, or .mmdb.gz. This search provides user activity focus on uploads which aims to help hunt for malicious file uploads.", "references": ["https://www.splunk.com/en_us/product-security.html"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Potential lookup template injection attempt from $user$ on lookup table at path $uri_path$", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "Mustard Tempest", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}]}, "type": "TTP", "search": "`splunkda` method IN (\"POST\", \"DELETE\") uri_path=/servicesNS/*/ui/views/* | eval activity = case( method==\"POST\" AND like( uri_path , \"%/acl\" ) , \"Permissions Update\", method==\"POST\" AND NOT like( uri_path , \"%/acl\" ) , \"Edited\" , method==\"DELETE\" , \"Deleted\" ) | rex field=uri_path \"(?.*?)\\/ui\\/views/(?.*)\" | eval dashboard = urldecode( dashboard_encoded ) | table _time, uri_path, user, dashboard, activity, uri_path | `splunk_unnecessary_file_extensions_allowed_by_lookup_table_uploads_filter`", "how_to_implement": "Requires access to internal splunkd_access.", "known_false_positives": "This is a hunting search, the search provides information on upload, edit, and delete activity on Lookup Tables. Manual investigation is necessary after executing search. This search will produce false positives as payload cannot be directly discerned.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "splunkda", "definition": "index=_internal sourcetype=splunkd_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_unnecessary_file_extensions_allowed_by_lookup_table_uploads_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk User Enumeration Attempt", "author": "Lou Stella, Splunk", "date": "2024-03-19", "version": 2, "id": "25625cb4-1c4d-4463-b0f9-7cb462699cde", "description": "On May 3rd, 2022, Splunk published a security advisory for username enumeration stemming from verbose login failure messages present on some REST endpoints. This detection will alert on attempted exploitation in patched versions of Splunk as well as actual exploitation in unpatched version of Splunk.", "references": ["https://www.splunk.com/en_us/product-security/announcements/svd-2022-0502.html"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "$TotalFailedAuths$ failed authentication events to Splunk from $src$ detected.", "risk_score": 40, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": " `splunkd_failed_auths` | stats count(user) as auths by user, src | where auths>5 | stats values(user) as user, sum(auths) as TotalFailedAuths by src | `splunk_user_enumeration_attempt_filter`", "how_to_implement": "This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. This detection may assist in efforts to find password spraying or brute force authorization attempts in addition to someone enumerating usernames.", "known_false_positives": "Automation executing authentication attempts against your Splunk infrastructure with outdated credentials may cause false positives.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "splunkd_failed_auths", "definition": "index=_audit \"action=login attempt\" \"info=failed\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_user_enumeration_attempt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk XSS in Highlighted JSON Events", "author": "Rod Soto, Splunk", "date": "2023-11-16", "version": 1, "id": "1030bc63-0b37-4ac9-9ae0-9361c955a3cc", "description": "This detection provides information about possible exploitation against affected versions of Splunk Enterprise 9.1.2. The ability to view JSON logs in the web GUI may be abused by crafting a specific request, causing the execution of javascript in script tags. This vulnerability can be used to execute javascript to access the API at the permission level of the logged-in user. If user is admin it can be used to create an admin user, giving an attacker broad access to the Splunk Environment.", "references": ["https://advisory.splunk.com/advisories"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.AE"], "observable": [{"name": "clientip", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible XSS exploitation from $clientip$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "Mustard Tempest", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}]}, "type": "Hunting", "search": "`splunkd_ui` \"/en-US/splunkd/__raw/servicesNS/nobody/search/authentication/users\" status=201 | stats count min(_time) as firstTime max(_time) as lastTime by clientip, uri_path, method | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_xss_in_highlighted_json_events_filter`", "how_to_implement": "This search only applies to web-GUI-enabled Splunk instances and operator must have access to internal indexes.", "known_false_positives": "This is a hunting search and will produce false positives as it is not possible to view contents of a request payload. It shows the artifact resulting from a potential exploitation payload (the creation of a user with admin privileges).", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunkd_ui", "definition": "index=_internal sourcetype=splunkd_ui_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_xss_in_highlighted_json_events_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk XSS in Monitoring Console", "author": "Lou Stella, Splunk", "date": "2022-04-27", "version": 1, "id": "b11accac-6fa3-4103-8a1a-7210f1a67087", "description": "On May 3rd, 2022, Splunk published a security advisory for a reflective Cross-Site Scripting (XSS) vulnerability stemming from the lack of input validation in the Distributed Monitoring Console app. This detection will alert on attempted exploitation in patched versions of Splunk as well as actual exploitation in unpatched version of Splunk.", "references": ["https://www.splunk.com/en_us/product-security/announcements/svd-2022-0505.html"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.CM"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "A potential XSS attempt has been detected from $user$", "risk_score": 40, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "Mustard Tempest", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}]}, "type": "TTP", "search": " `splunkd_web` method=\"GET\" uri_query=\"description=%3C*\" | table _time host status clientip user uri | `splunk_xss_in_monitoring_console_filter`", "how_to_implement": "This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. This detection will find attempted exploitation of CVE-2022-27183.", "known_false_positives": "Use of the monitoring console where the less-than sign (<) is the first character in the description field.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "splunkd_web", "definition": "index=_internal sourcetype=splunk_web_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_xss_in_monitoring_console_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk XSS in Save table dialog header in search page", "author": "Rod Soto", "date": "2022-10-11", "version": 1, "id": "a974d1ee-ddca-4837-b6ad-d55a8a239c20", "description": "This is a hunting search to find persistent cross-site scripting XSS code that was included while inputing data in 'Save Table' dialog in Splunk Enterprise (8.1.12,8.2.9,9.0.2). A remote user with \"power\" Splunk role can store this code that can lead to persistent cross site scripting.", "references": ["https://www.splunk.com/en_us/product-security.html", "https://portswigger.net/web-security/cross-site-scripting"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.AE"], "observable": [{"name": "clientip", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible XSS exploitation attempt from $clientip$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "Mustard Tempest", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}]}, "type": "Hunting", "search": "`splunkd_webx` method=POST uri=/en-US/splunkd/__raw/servicesNS/nobody/search/datamodel/model | table _time host status clientip user uri | `splunk_xss_in_save_table_dialog_header_in_search_page_filter`", "how_to_implement": "Watch for POST requests combined with XSS script strings or obfuscation against the injection point /en-US/splunkd/__raw/servicesNS/nobody/search/datamodel/model.", "known_false_positives": "If host is vulnerable and XSS script strings are inputted they will show up in search. Not all Post requests are malicious as they will show when users create and save dashboards. This search may produce several results with non malicious POST requests. Only affects Splunk Web enabled instances.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunkd_webx", "definition": "index=_internal sourcetype=splunk_web_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_xss_in_save_table_dialog_header_in_search_page_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk XSS via View", "author": "Rod Soto, Eric McGinnis, Splunk", "date": "2023-02-07", "version": 1, "id": "9ac2bfea-a234-4a18-9d37-6d747e85c2e4", "description": "In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, a View allows for Cross-Site Scripting in an XML View through the 'layoutPanel' attribute in the 'module' tag. The vulnerability affects instances with Splunk Web enabled. This hunting search shows users action, application and role used for creating views related to this vulnerability.", "references": ["https://www.splunk.com/en_us/product-security.html"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.AE"], "observable": [{"name": "fileName", "type": "URL String", "role": ["Target"]}], "message": "Potential stored XSS attempt via $fileName$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "Mustard Tempest", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}]}, "type": "Hunting", "search": "index = _internal sourcetype IN (\"splunk_web_service\", \"splunk_python\") message=\"*loadParams*\" | `security_content_ctime(_time)` | table _time message fileName | `splunk_xss_via_view_filter`", "how_to_implement": "This data is collected by default in Splunk. Upon first enabling this rule, a number of errors may be observed. Those that are due to improperly formatted, but non-nefarious, XML views should be be remedied in the corresponding view. Please take care investigating potential XSS as accessing an affected page could retrigger the exploit.", "known_false_positives": "The error detected above can be generated for a wide variety of improperly formatted XML views. There will be false positives as the search cannot extract the malicious payload and the view should be manually investigated.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_xss_via_view_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Email Attachment Extensions", "author": "David Dorsey, Splunk", "date": "2023-04-14", "version": 3, "id": "473bd65f-06ca-4dfe-a2b8-ba04ab4a0084", "description": "The following analytic detects emails that contain attachments with suspicious file extensions. Detecting and responding to emails with suspicious attachments can mitigate the risks associated with phishing and malware attacks, thereby protecting the organization's data and systems from potential harm. The detection is made by using a Splunk query that searches for emails in the datamodel=Email where the filename of the attachment is not empty. The analytic uses the tstats command to summarize the count, first time, and last time of the emails that meet the criteria. It groups the results by the source user, file name, and message ID of the email. The detection is important because it indicates potential phishing or malware delivery attempts in which an attacker attempts to deliver malicious content through email attachments, which can lead to data breaches, malware infections, or unauthorized access to sensitive information. Next steps include reviewing the identified emails and attachments and analyzing the source user, file name, and message ID to determine if they are legitimate or malicious. Additionally, you must inspect any relevant on-disk artifacts associated with the attachments and investigate any concurrent processes to identify the source of the attack.", "references": [], "tags": {"analytic_story": ["Data Destruction", "Emotet Malware DHS Report TA18-201A", "Hermetic Wiper", "Suspicious Emails"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Email where All_Email.file_name=\"*\" by All_Email.src_user, All_Email.file_name All_Email.message_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\"All_Email\")` | `suspicious_email_attachments` | `suspicious_email_attachment_extensions_filter` ", "how_to_implement": "You need to ingest data from emails. Specifically, the sender's address and the file names of any attachments must be mapped to the Email data model.\n**Splunk Phantom Playbook Integration**\nIf Splunk Phantom is also configured in your environment, a Playbook called \"Suspicious Email Attachment Investigate and Delete\" can be configured to run when any results are found by this detection search. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`, and add the correct hostname to the \"Phantom Instance\" field in the Adaptive Response Actions when configuring this detection search. The notable event will be sent to Phantom and the playbook will gather further information about the file attachment and its network behaviors. If Phantom finds malicious behavior and an analyst approves of the results, the email will be deleted from the user's inbox.'", "known_false_positives": "None identified", "datamodel": ["Email"], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_email_attachments", "definition": "lookup update=true is_suspicious_file_extension_lookup file_name OUTPUT suspicious | search suspicious=true", "description": "This macro limits the output to email attachments that have suspicious extensions"}, {"name": "suspicious_email_attachment_extensions_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Java Classes", "author": "Jose Hernandez, Splunk", "date": "2024-05-19", "version": 2, "id": "6ed33786-5e87-4f55-b62c-cb5f1168b831", "description": "The following analytic identifies suspicious Java classes often used for remote command execution exploits in Java frameworks like Apache Struts. It detects this activity by analyzing HTTP POST requests with specific content patterns using Splunk's `stream_http` data source. This behavior is significant because it may indicate an attempt to exploit vulnerabilities in web applications, potentially leading to unauthorized remote code execution. If confirmed malicious, this activity could allow attackers to execute arbitrary commands on the server, leading to data breaches, system compromise, and further network infiltration.", "references": [], "tags": {"analytic_story": ["Apache Struts Vulnerability"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`stream_http` http_method=POST http_content_length>1 | regex form_data=\"(?i)java\\.lang\\.(?:runtime|processbuilder)\" | rename src_ip as src | stats count earliest(_time) as firstTime, latest(_time) as lastTime, values(url) as uri, values(status) as status, values(http_user_agent) as http_user_agent by src, dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_java_classes_filter`", "how_to_implement": "In order to properly run this search, Splunk needs to ingest data from your web-traffic appliances that serve or sit in the path of your Struts application servers. This can be accomplished by indexing data from a web proxy, or by using network traffic-analysis tools, such as Splunk Stream or Bro.", "known_false_positives": "There are no known false positives.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "stream_http", "definition": "sourcetype=stream:http", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "suspicious_java_classes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Web Servers Executing Suspicious Processes", "author": "David Dorsey, Splunk", "date": "2019-04-01", "version": 1, "id": "ec3b7601-689a-4463-94e0-c9f45638efb9", "description": "The following analytic detects suspicious processes on systems labeled as web servers. This detection is made by a Splunk query that searches for specific process names that might indicate malicious activity. These suspicious processes include \"whoami\", \"ping\", \"iptables\", \"wget\", \"service\", and \"curl\". Uses the Splunk data model \"Endpoint.Processes\" and filters the results to only include systems categorized as web servers. This detection is important because it indicates unauthorized or malicious activity on web servers since these processes are commonly used by attackers to perform reconnaissance, establish persistence, or exfiltrate data from compromised systems. The impact of such an attack can be significant, ranging from data theft to the deployment of additional malicious payloads, potentially leading to ransomware or other damaging outcomes. False positives might occur since the legitimate use of these processes on web servers can trigger the analytic. Next steps include triaging and investigating to determine the legitimacy of the activity. Also, review the source and command of the suspicious process. You must also examine any relevant on-disk artifacts and look for concurrent processes to identify the source of the attack.", "references": [], "tags": {"analytic_story": ["Apache Struts Vulnerability"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1082", "mitre_attack_technique": "System Information Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT19", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "Blue Mockingbird", "Chimera", "Confucius", "Darkhotel", "FIN13", "FIN8", "Gamaredon Group", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Malteiro", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Sowbug", "Stealth Falcon", "TA2541", "TeamTNT", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Windigo", "Windshift", "Wizard Spider", "ZIRCONIUM", "admin@338"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.dest_category=\"web_server\" AND (Processes.process=\"*whoami*\" OR Processes.process=\"*ping*\" OR Processes.process=\"*iptables*\" OR Processes.process=\"*wget*\" OR Processes.process=\"*service*\" OR Processes.process=\"*curl*\") by Processes.process Processes.process_name, Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `web_servers_executing_suspicious_processes_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Some of these processes may be used legitimately on web servers during maintenance or other administrative tasks.", "datamodel": ["Endpoint"], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "web_servers_executing_suspicious_processes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Abnormally High Number Of Cloud Infrastructure API Calls", "author": "David Dorsey, Splunk", "date": "2024-05-12", "version": 2, "id": "0840ddf1-8c89-46ff-b730-c8d6722478c0", "description": "The following analytic detects a spike in the number of API calls made to your cloud infrastructure by a user. It leverages cloud infrastructure logs and compares the current API call volume against a baseline probability density function to identify anomalies. This activity is significant because an unusual increase in API calls can indicate potential misuse or compromise of cloud resources. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or disruption of cloud services, posing a significant risk to the organization's cloud environment.", "references": [], "tags": {"analytic_story": ["Compromised User Account", "Suspicious Cloud User Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "message": "user $user$ has made $api_calls$ api calls, violating the dynamic threshold of $expected_upper_threshold$ with the following command $command$.", "risk_score": 15, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "type": "Anomaly", "search": "| tstats count as api_calls values(All_Changes.command) as command from datamodel=Change where All_Changes.user!=unknown All_Changes.status=success by All_Changes.user _time span=1h | `drop_dm_object_name(\"All_Changes\")` | eval HourOfDay=strftime(_time, \"%H\") | eval HourOfDay=floor(HourOfDay/4)*4 | eval DayOfWeek=strftime(_time, \"%w\") | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) | join user HourOfDay isWeekend [ summary cloud_excessive_api_calls_v1] | where cardinality >=16 | apply cloud_excessive_api_calls_v1 threshold=0.005 | rename \"IsOutlier(api_calls)\" as isOutlier | where isOutlier=1 | eval expected_upper_threshold = mvindex(split(mvindex(BoundaryRanges, -1), \":\"), 0) | where api_calls > expected_upper_threshold | eval distance_from_threshold = api_calls - expected_upper_threshold | table _time, user, command, api_calls, expected_upper_threshold, distance_from_threshold | `abnormally_high_number_of_cloud_infrastructure_api_calls_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs. You also must run the baseline search `Baseline Of Cloud Infrastructure API Calls Per User` to create the probability density function.", "known_false_positives": "None.", "datamodel": ["Change"], "source": "cloud", "nes_fields": null, "macros": [{"name": "abnormally_high_number_of_cloud_infrastructure_api_calls_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Abnormally High Number Of Cloud Instances Destroyed", "author": "David Dorsey, Splunk", "date": "2020-08-21", "version": 1, "id": "ef629fc9-1583-4590-b62a-f2247fbf7bbf", "description": "This search finds for the number successfully destroyed cloud instances for every 4 hour block. This is split up between weekdays and the weekend. It then applies the probability densitiy model previously created and alerts on any outliers.", "references": [], "tags": {"analytic_story": ["Suspicious Cloud Instance Activities"], "asset_type": "Cloud Instance", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "cloud", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "type": "Anomaly", "search": "| tstats count as instances_destroyed values(All_Changes.object_id) as object_id from datamodel=Change where All_Changes.action=deleted AND All_Changes.status=success AND All_Changes.object_category=instance by All_Changes.user _time span=1h | `drop_dm_object_name(\"All_Changes\")` | eval HourOfDay=strftime(_time, \"%H\") | eval HourOfDay=floor(HourOfDay/4)*4 | eval DayOfWeek=strftime(_time, \"%w\") | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) | join HourOfDay isWeekend [summary cloud_excessive_instances_destroyed_v1] | where cardinality >=16 | apply cloud_excessive_instances_destroyed_v1 threshold=0.005 | rename \"IsOutlier(instances_destroyed)\" as isOutlier | where isOutlier=1 | eval expected_upper_threshold = mvindex(split(mvindex(BoundaryRanges, -1), \":\"), 0) | eval distance_from_threshold = instances_destroyed - expected_upper_threshold | table _time, user, instances_destroyed, expected_upper_threshold, distance_from_threshold, object_id | `abnormally_high_number_of_cloud_instances_destroyed_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs. You also must run the baseline search `Baseline Of Cloud Instances Destroyed` to create the probability density function.", "known_false_positives": "Many service accounts configured within a cloud infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify if this search alerted on a human user.", "datamodel": ["Change"], "source": "cloud", "nes_fields": null, "macros": [{"name": "abnormally_high_number_of_cloud_instances_destroyed_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Abnormally High Number Of Cloud Instances Launched", "author": "David Dorsey, Splunk", "date": "2020-08-21", "version": 2, "id": "f2361e9f-3928-496c-a556-120cd4223a65", "description": "This search finds for the number successfully created cloud instances for every 4 hour block. This is split up between weekdays and the weekend. It then applies the probability densitiy model previously created and alerts on any outliers.", "references": [], "tags": {"analytic_story": ["Cloud Cryptomining", "Suspicious Cloud Instance Activities"], "asset_type": "Cloud Instance", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "cloud", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "type": "Anomaly", "search": "| tstats count as instances_launched values(All_Changes.object_id) as object_id from datamodel=Change where (All_Changes.action=created) AND All_Changes.status=success AND All_Changes.object_category=instance by All_Changes.user _time span=1h | `drop_dm_object_name(\"All_Changes\")` | eval HourOfDay=strftime(_time, \"%H\") | eval HourOfDay=floor(HourOfDay/4)*4 | eval DayOfWeek=strftime(_time, \"%w\") | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) | join HourOfDay isWeekend [summary cloud_excessive_instances_created_v1] | where cardinality >=16 | apply cloud_excessive_instances_created_v1 threshold=0.005 | rename \"IsOutlier(instances_launched)\" as isOutlier | where isOutlier=1 | eval expected_upper_threshold = mvindex(split(mvindex(BoundaryRanges, -1), \":\"), 0) | eval distance_from_threshold = instances_launched - expected_upper_threshold | table _time, user, instances_launched, expected_upper_threshold, distance_from_threshold, object_id | `abnormally_high_number_of_cloud_instances_launched_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs. You also must run the baseline search `Baseline Of Cloud Instances Launched` to create the probability density function.", "known_false_positives": "Many service accounts configured within an AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify if this search alerted on a human user.", "datamodel": ["Change"], "source": "cloud", "nes_fields": null, "macros": [{"name": "abnormally_high_number_of_cloud_instances_launched_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Abnormally High Number Of Cloud Security Group API Calls", "author": "David Dorsey, Splunk", "date": "2024-05-22", "version": 2, "id": "d4dfb7f3-7a37-498a-b5df-f19334e871af", "description": "The following analytic detects a spike in the number of API calls made to cloud security groups by a user. It leverages data from the Change data model, focusing on successful firewall-related changes. This activity is significant because an abnormal increase in security group API calls can indicate potential malicious activity, such as unauthorized access or configuration changes. If confirmed malicious, this could allow an attacker to manipulate security group settings, potentially exposing sensitive resources or disrupting network security controls.", "references": [], "tags": {"analytic_story": ["Suspicious Cloud User Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "message": "user $user$ has made $api_calls$ api calls related to security groups, violating the dynamic threshold of $expected_upper_threshold$ with the following command $command$.", "risk_score": 15, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "type": "Anomaly", "search": "| tstats count as security_group_api_calls values(All_Changes.command) as command from datamodel=Change where All_Changes.object_category=firewall AND All_Changes.status=success by All_Changes.user _time span=1h | `drop_dm_object_name(\"All_Changes\")` | eval HourOfDay=strftime(_time, \"%H\") | eval HourOfDay=floor(HourOfDay/4)*4 | eval DayOfWeek=strftime(_time, \"%w\") | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) | join user HourOfDay isWeekend [ summary cloud_excessive_security_group_api_calls_v1] | where cardinality >=16 | apply cloud_excessive_security_group_api_calls_v1 threshold=0.005 | rename \"IsOutlier(security_group_api_calls)\" as isOutlier | where isOutlier=1 | eval expected_upper_threshold = mvindex(split(mvindex(BoundaryRanges, -1), \":\"), 0) | where security_group_api_calls > expected_upper_threshold | eval distance_from_threshold = security_group_api_calls - expected_upper_threshold | table _time, user, command, security_group_api_calls, expected_upper_threshold, distance_from_threshold | `abnormally_high_number_of_cloud_security_group_api_calls_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs. You also must run the baseline search `Baseline Of Cloud Security Group API Calls Per User` to create the probability density function model.", "known_false_positives": "None.", "datamodel": ["Change"], "source": "cloud", "nes_fields": null, "macros": [{"name": "abnormally_high_number_of_cloud_security_group_api_calls_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Amazon EKS Kubernetes cluster scan detection", "author": "Rod Soto, Splunk", "date": "2024-05-15", "version": 2, "id": "294c4686-63dd-4fe6-93a2-ca807626704a", "description": "The following analytic detects unauthenticated requests to an Amazon EKS Kubernetes cluster, specifically identifying actions by the \"system:anonymous\" user. It leverages AWS CloudWatch Logs data, focusing on user agents and authentication details. This activity is significant as it may indicate unauthorized scanning or probing of the Kubernetes cluster, which could be a precursor to an attack. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or disruption of services within the Kubernetes environment.", "references": [], "tags": {"analytic_story": ["Kubernetes Scanning Activity"], "asset_type": "Amazon EKS Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1526", "mitre_attack_technique": "Cloud Service Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}]}, "type": "Hunting", "search": "`aws_cloudwatchlogs_eks` \"user.username\"=\"system:anonymous\" userAgent!=\"AWS Security Scanner\" | rename sourceIPs{} as src_ip | stats count min(_time) as firstTime max(_time) as lastTime values(responseStatus.reason) values(source) as cluster_name values(responseStatus.code) values(userAgent) as http_user_agent values(verb) values(requestURI) by src_ip user.username user.groups{} | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` |`amazon_eks_kubernetes_cluster_scan_detection_filter` ", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudWatch EKS Logs inputs.", "known_false_positives": "Not all unauthenticated requests are malicious, but frequency, UA and source IPs will provide context.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "amazon_eks_kubernetes_cluster_scan_detection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Amazon EKS Kubernetes Pod scan detection", "author": "Rod Soto, Splunk", "date": "2020-04-15", "version": 1, "id": "dbfca1dd-b8e5-4ba4-be0e-e565e5d62002", "description": "The following analytic detects unauthenticated requests made against the Kubernetes' Pods API through proactive monitoring to protect the Kubernetes environment from unauthorized access and potential security breaches. The detection is made by using the Splunk query `aws_cloudwatchlogs_eks` with specific filters to identify these requests. Identifies events where the `user.username` is set to \"system:anonymous\", the `verb` is set to \"list\", and the `objectRef.resource` is set to \"pods\". Additionally, the search checks if the `requestURI` is equal to \"/api/v1/pods\". Analyzing these events helps you to identify any unauthorized access attempts to the Kubernetes' Pods API. Unauthenticated requests can indicate potential security breaches or unauthorized access to sensitive resources within the Kubernetes environment. The detection is important because unauthorized access to Kubernetes' Pods API can lead to the compromise of sensitive data, unauthorized execution of commands, or even the potential for lateral movement within the Kubernetes cluster. False positives might occur since there might be legitimate use cases for unauthenticated requests in certain scenarios. Therefore, you must review and validate any detected events before taking any action. Next steps include investigating the incident to mitigate any ongoing threats, and strengthening the security measures to prevent future unauthorized access attempts.", "references": [], "tags": {"analytic_story": ["Kubernetes Scanning Activity"], "asset_type": "Amazon EKS Kubernetes cluster Pod", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1526", "mitre_attack_technique": "Cloud Service Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}]}, "type": "Hunting", "search": "`aws_cloudwatchlogs_eks` \"user.username\"=\"system:anonymous\" verb=list objectRef.resource=pods requestURI=\"/api/v1/pods\" | rename source as cluster_name sourceIPs{} as src_ip | stats count min(_time) as firstTime max(_time) as lastTime values(responseStatus.reason) values(responseStatus.code) values(userAgent) values(verb) values(requestURI) by src_ip cluster_name user.username user.groups{} | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `amazon_eks_kubernetes_pod_scan_detection_filter` ", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on forAWS (version 4.4.0 or later), then configure your AWS CloudWatch EKS Logs.Please also customize the `kubernetes_pods_aws_scan_fingerprint_detection` macro to filter out the false positives.", "known_false_positives": "Not all unauthenticated requests are malicious, but frequency, UA and source IPs and direct request to API provide context.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "amazon_eks_kubernetes_pod_scan_detection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "ASL AWS Concurrent Sessions From Different Ips", "author": "Patrick Bareiss, Splunk", "date": "2024-02-13", "version": 2, "id": "b3424bbe-3204-4469-887b-ec144483a336", "description": "The following analytic identifies an AWS IAM account with concurrent sessions coming from more than one unique IP address within the span of 5 minutes. This behavior could represent a session hijacking attack whereby an adversary has extracted cookies from a victims browser and is using them from a different location to access corporate online resources. When a user navigates the AWS Console after authentication, the API call with the event name `DescribeEventAggregates` is registered in the AWS CloudTrail logs. The Splunk Threat Research team leveraged this event name to identify 2 concurrent sessions. The presence of this event occurring from two different IP addresses is highly unlikely. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments.", "references": ["https://attack.mitre.org/techniques/T1185/", "https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokens/", "https://github.com/kgretzky/evilginx2"], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover", "Compromised User Account"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ has concurrent sessions from more than one unique IP address in the span of 5 minutes.", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1185", "mitre_attack_technique": "Browser Session Hijacking", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": " `amazon_security_lake` api.operation=DescribeEventAggregates \"http_request.user_agent\"!=\"AWS Internal\" \"src_endpoint.domain\"!=\"health.amazonaws.com\" | eval time = time/pow(10,3) | `security_content_ctime(time)` | bin span=5m time | stats values(src_endpoint.ip) as src_ip dc(src_endpoint.ip) as distinct_ip_count values(cloud.region) as cloud.region by time api.operation actor.user.account_uid actor.user.uid | where distinct_ip_count > 1 | rename cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id, actor.user.uid as user | `aws_concurrent_sessions_from_different_ips_filter`", "how_to_implement": "The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.", "known_false_positives": "A user with concurrent sessions from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "asl_aws_concurrent_sessions_from_different_ips_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "ASL AWS Defense Evasion Delete Cloudtrail", "author": "Patrick Bareiss, Splunk", "date": "2024-02-12", "version": 3, "id": "1f0b47e5-0134-43eb-851c-e3258638945e", "description": "The following analytic detects the deletion of AWS CloudTrail logs, a critical event that could indicate an adversary's attempt to evade detection. By identifying `DeleteTrail` events within CloudTrail logs, this analytic helps in uncovering efforts to impair defense mechanisms by preventing the logging of malicious activities. Such actions allow adversaries to operate undetected within a compromised AWS environment. Recognizing these deletion events is crucial for a Security Operations Center (SOC) as it signals a potential compromise and the attacker's intent to hide their tracks, making it a significant threat to the integrity and security of cloud environments. The impact of this attack is substantial, as it can lead to a complete loss of visibility into the activities within the environment, hindering incident response and forensics efforts.", "references": ["https://attack.mitre.org/techniques/T1562/008/"], "tags": {"analytic_story": ["AWS Defense Evasion"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ has deleted a CloudTrail logging for account id $aws_account_id$", "risk_score": 90, "security_domain": "threat", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.008", "mitre_attack_technique": "Disable or Modify Cloud Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "TTP", "search": "`amazon_security_lake` api.operation=DeleteTrail | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `asl_aws_defense_evasion_delete_cloudtrail_filter`", "how_to_implement": "The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has stopped cloudTrail logging. Please investigate this activity.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "asl_aws_defense_evasion_delete_cloudtrail_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "ASL AWS Defense Evasion Delete CloudWatch Log Group", "author": "Patrick Bareiss, Splunk", "date": "2024-02-12", "version": 2, "id": "0f701b38-a0fb-43fd-a83d-d12265f71f33", "description": "The following analytic detects the deletion of CloudWatch Log Groups within AWS CloudTrail logs. This action is indicative of an attacker's attempt to evade detection by disrupting the logging and monitoring capabilities of CloudWatch. By identifying and analyzing `DeleteLogGroup` events, this analytic helps in uncovering efforts to obscure malicious activities within a compromised AWS environment. Such evasion tactics are critical for a Security Operations Center (SOC) to identify as they signal an attacker's intent to operate undetected, posing a significant threat to the integrity and security of cloud environments. The impact of this attack is substantial, as it can lead to a loss of visibility into potentially malicious activities, hindering incident response and forensics efforts.", "references": ["https://attack.mitre.org/techniques/T1562/008/"], "tags": {"analytic_story": ["AWS Defense Evasion"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ has deleted a CloudWatch logging group for account id $aws_account_id$", "risk_score": 90, "security_domain": "threat", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1562.008", "mitre_attack_technique": "Disable or Modify Cloud Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29"]}]}, "type": "TTP", "search": "`amazon_security_lake` api.operation=DeleteLogGroup | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`", "how_to_implement": "The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has deleted CloudWatch logging. Please investigate this activity.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "asl_aws_defense_evasion_delete_cloudwatch_log_group_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "ASL AWS Defense Evasion Impair Security Services", "author": "Patrick Bareiss, Bhavin Patel, Gowthamaraj Rajendran, Splunk", "date": "2024-02-12", "version": 2, "id": "5029b681-0462-47b7-82e7-f7e3d37f5a2d", "description": "The following analytic detects the deletion of critical AWS Security Services configurations through specific API calls to services like CloudWatch, GuardDuty, and Web Application Firewalls. By monitoring for these deletion actions, the analytic aims to identify attempts by adversaries to undermine security defenses, such as erasing logging configurations or removing detection mechanisms. This behavior is crucial for a Security Operations Center (SOC) to identify as it can indicate an attacker's intent to operate undetected by eliminating evidence of their presence and activities. The impact of such attacks is significant, potentially leaving the environment vulnerable to further exploitation without any traceable logs or alerts.", "references": ["https://docs.aws.amazon.com/cli/latest/reference/guardduty/index.html", "https://docs.aws.amazon.com/cli/latest/reference/waf/index.html", "https://www.elastic.co/guide/en/security/current/prebuilt-rules.html"], "tags": {"analytic_story": ["AWS Defense Evasion"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ has made potentially risky api calls $api.operation$ that could impair AWS security services for account id $aws_account_id$", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.008", "mitre_attack_technique": "Disable or Modify Cloud Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "Hunting", "search": "`amazon_security_lake` api.operation IN (\"DeleteLogStream\",\"DeleteDetector\",\"DeleteIPSet\",\"DeleteWebACL\",\"DeleteRule\",\"DeleteRuleGroup\",\"DeleteLoggingConfiguration\",\"DeleteAlarms\") | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_impair_security_services_filter`", "how_to_implement": "The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.", "known_false_positives": "While this search has no known false positives, it is possible that it is a legitimate admin activity. Please consider filtering out these noisy events using userAgent, user_arn field names.", "datamodel": ["Web"], "source": "cloud", "nes_fields": null, "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "asl_aws_defense_evasion_impair_security_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "ASL AWS Defense Evasion Stop Logging Cloudtrail", "author": "Patrick Bareiss, Splunk", "date": "2024-02-12", "version": 2, "id": "0b78a8f9-1d31-4d23-85c8-56ad13d5b4c1", "description": "The following analytic detects `StopLogging` events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker's actions.", "references": ["https://attack.mitre.org/techniques/T1562/008/"], "tags": {"analytic_story": ["AWS Defense Evasion"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ has stopped Cloudtrail logging for account id $aws_account_id$ from IP $src_ip$", "risk_score": 90, "security_domain": "threat", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.008", "mitre_attack_technique": "Disable or Modify Cloud Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "TTP", "search": "`amazon_security_lake` api.operation=StopLogging | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`", "how_to_implement": "The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has stopped cloudtrail logging. Please investigate this activity.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "asl_aws_defense_evasion_stop_logging_cloudtrail_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "ASL AWS Defense Evasion Update Cloudtrail", "author": "Patrick Bareiss, Splunk", "date": "2024-02-12", "version": 2, "id": "f3eb471c-16d0-404d-897c-7653f0a78cba", "description": "The following analytic detects `UpdateTrail` events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary's intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.", "references": ["https://attack.mitre.org/techniques/T1562/008/"], "tags": {"analytic_story": ["AWS Defense Evasion"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ has updated a cloudtrail logging for account id $aws_account_id$ from IP $src_ip$", "risk_score": 90, "security_domain": "threat", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1562.008", "mitre_attack_technique": "Disable or Modify Cloud Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29"]}]}, "type": "TTP", "search": "`amazon_security_lake` api.operation=UpdateTrail | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_update_cloudtrail_filter`", "how_to_implement": "The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has updated cloudtrail logging. Please investigate this activity.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "asl_aws_defense_evasion_update_cloudtrail_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "ASL AWS ECR Container Upload Outside Business Hours", "author": "Patrick Bareiss, Splunk", "date": "2024-02-14", "version": 3, "id": "739ed682-27e9-4ba0-80e5-a91b97698213", "description": "The following analytic detects the upload of new containers to AWS Elastic Container Service (ECR) outside of standard business hours through AWS CloudTrail events. It identifies this behavior by monitoring for `PutImage` events occurring before 8 AM or after 8 PM, as well as any uploads on weekends. This activity is significant for a SOC to investigate as it may indicate unauthorized access or malicious deployments, potentially leading to compromised services or data breaches. Identifying and addressing such uploads promptly can mitigate the risk of security incidents and their associated impacts.", "references": ["https://attack.mitre.org/techniques/T1204/003/"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Container uploaded outside business hours from $user$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204.003", "mitre_attack_technique": "Malicious Image", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}]}, "type": "Anomaly", "search": "`amazon_security_lake` api.operation=PutImage | eval hour=strftime(time/pow(10,3), \"%H\"), weekday=strftime(time/pow(10,3), \"%A\") | where hour >= 20 OR hour < 8 OR weekday=Saturday OR weekday=Sunday | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.name actor.user.uid http_request.user_agent cloud.region | rename actor.user.name as user, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_ecr_container_upload_outside_business_hours_filter`", "how_to_implement": "The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.", "known_false_positives": "When your development is spreaded in different time zones, applying this rule can be difficult.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "asl_aws_ecr_container_upload_outside_business_hours_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "ASL AWS ECR Container Upload Unknown User", "author": "Patrick Bareiss, Splunk", "date": "2024-02-14", "version": 2, "id": "886a8f46-d7e2-4439-b9ba-aec238e31732", "description": "The following analytic detects unauthorized container uploads to AWS Elastic Container Service (ECR) by monitoring AWS CloudTrail events. It identifies instances where a new container is uploaded by a user not previously recognized as authorized. This detection is crucial for a SOC as it can indicate a potential compromise or misuse of AWS ECR, which could lead to unauthorized access to sensitive data or the deployment of malicious containers. By identifying and investigating these events, organizations can mitigate the risk of data breaches or other security incidents resulting from unauthorized container uploads. The impact of such an attack could be significant, compromising the integrity and security of the organization's cloud environment.", "references": ["https://attack.mitre.org/techniques/T1204/003/"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Container uploaded from unknown user $user$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204.003", "mitre_attack_technique": "Malicious Image", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}]}, "type": "Anomaly", "search": "`amazon_security_lake` api.operation=PutImage NOT `aws_ecr_users_asl` | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.name actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.name as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_ecr_container_upload_unknown_user_filter`", "how_to_implement": "The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_ecr_users_asl", "definition": "actor.user.name IN (admin)", "description": "specify the user allowed to push Images to AWS ECR."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "asl_aws_ecr_container_upload_unknown_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "ASL AWS IAM Delete Policy", "author": "Patrick Bareiss, Splunk", "date": "2024-02-13", "version": 2, "id": "609ced68-d420-4ff7-8164-ae98b4b4018c", "description": "The following analytic detects the deletion of an AWS policy, a critical action that could indicate an attempt to alter permissions or reduce security controls. By monitoring AWS logs for `DeletePolicy` events, this analytic identifies both successful and attempted deletions, providing insights into potentially malicious activities. Identifying such behavior is crucial for a Security Operations Center (SOC) as it may signal an adversary's effort to escalate privileges or evade detection. The impact of unauthorized policy deletion is significant, potentially leading to compromised accounts or data exposure.", "references": ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeletePolicy.html", "https://docs.aws.amazon.com/cli/latest/reference/iam/delete-policy.html"], "tags": {"analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ has deleted AWS Policies from IP address $src_ip$.", "risk_score": 10, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}]}, "type": "Hunting", "search": "`amazon_security_lake` api.operation=DeletePolicy | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.name actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.name as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_delete_policy_filter`", "how_to_implement": "The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.", "known_false_positives": "This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete policies (least privilege). In addition, this may be saved seperately and tuned for failed or success attempts only.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "asl_aws_iam_delete_policy_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "ASL AWS IAM Failure Group Deletion", "author": "Patrick Bareiss, Splunk", "date": "2024-02-14", "version": 3, "id": "8d12f268-c567-4557-9813-f8389e235c06", "description": "The following analytic detects failed attempts to delete AWS IAM groups, triggered by access denial, conflicts, or non-existent groups. It operates by monitoring CloudTrail logs for specific error codes related to deletion failures. This behavior is significant for a SOC as it may indicate unauthorized attempts to modify access controls or disrupt operations by removing groups. Such actions could be part of a larger attack aiming to escalate privileges or impair security protocols. Identifying these attempts allows for timely investigation and mitigation, preventing potential impact on the organizations security posture.", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html", "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroup.html"], "tags": {"analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ has had mulitple failures while attempting to delete groups from $src_ip$", "risk_score": 5, "security_domain": "cloud", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}]}, "type": "Anomaly", "search": "`amazon_security_lake` api.operation=DeleteGroup api.response.error IN (NoSuchEntityException,DeleteConflictException, AccessDenied) http_request.user_agent!=*.amazonaws.com | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.name actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.name as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_failure_group_deletion_filter`", "how_to_implement": "The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.", "known_false_positives": "This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete groups (least privilege).", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "asl_aws_iam_failure_group_deletion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "ASL AWS IAM Successful Group Deletion", "author": "Patrick Bareiss, Splunk", "date": "2024-02-14", "version": 2, "id": "1bbe54f1-93d7-4764-8a01-ddaa12ece7ac", "description": "The following analytic detects the successful deletion of a group within AWS IAM, leveraging CloudTrail IAM events. This action, while not inherently malicious, can serve as a precursor to more sinister activities, such as unauthorized access or privilege escalation attempts. By monitoring for such deletions, the analytic aids in identifying potential preparatory steps towards an attack, allowing for early detection and mitigation. The identification of this behavior is crucial for a SOC to prevent the potential impact of an attack, which could include unauthorized access to sensitive resources or disruption of AWS environment operations.", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html", "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroup.html"], "tags": {"analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ has sucessfully deleted a user group from $src_ip$", "risk_score": 5, "security_domain": "cloud", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069.003", "mitre_attack_technique": "Cloud Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}]}, "type": "Hunting", "search": "`amazon_security_lake` api.operation=DeleteGroup status=Success | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.name actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.name as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_successful_group_deletion_filter`", "how_to_implement": "You must install the Data Lake Federated Analytics App and ingest the logs into Splunk.", "known_false_positives": "This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete groups (least privilege).", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "asl_aws_iam_successful_group_deletion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "ASL AWS Multi-Factor Authentication Disabled", "author": "Patrick Bareiss, Splunk", "date": "2024-02-13", "version": 2, "id": "4d2df5e0-1092-4817-88a8-79c7fa054668", "description": "The following analytic detects when multi-factor authentication (MFA) is disabled for an AWS IAM user. It operates by monitoring for specific API calls that deactivate MFA, signaling a potential unauthorized attempt to weaken account security. This behavior is critical for a Security Operations Center (SOC) to identify, as disabling MFA removes a significant barrier against unauthorized access, making accounts more vulnerable to compromise. The impact of such an attack is substantial, as it allows adversaries to maintain access within the environment with less risk of detection, facilitating further malicious activities.", "references": ["https://attack.mitre.org/techniques/T1621/", "https://aws.amazon.com/what-is/mfa/"], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation", "Weaponization"], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ has disabled Multi-Factor authentication for AWS account $aws_account_id$", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1556.006", "mitre_attack_technique": "Multi-Factor Authentication", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["Scattered Spider"]}]}, "type": "TTP", "search": "`amazon_security_lake` (api.operation=DeleteVirtualMFADevice OR api.operation=DeactivateMFADevice) | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_multi_factor_authentication_disabled_filter`", "how_to_implement": "The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.", "known_false_positives": "AWS Administrators may disable MFA but it is highly unlikely for this event to occur without prior notice to the company", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "asl_aws_multi_factor_authentication_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "ASL AWS New MFA Method Registered For User", "author": "Patrick Bareiss, Splunk", "date": "2024-02-13", "version": 2, "id": "33ae0931-2a03-456b-b1d7-b016c5557fbd", "description": "The following analytic detects when a new Multi-Factor Authentication (MFA) method is registered for an AWS account, as logged through Amazon Security Lake (ASL). This behavior is detected by monitoring ASL logs for specific API calls associated with MFA registration. Identifying this activity is crucial for a Security Operations Center (SOC) because unauthorized registration of a new MFA method can indicate an adversary's attempt to establish or maintain access to a compromised account. The impact of such an attack is significant as it can enable persistent access for the attacker, potentially leading to further compromise and exploitation of cloud resources.", "references": ["https://aws.amazon.com/blogs/security/you-can-now-assign-multiple-mfa-devices-in-iam/", "https://attack.mitre.org/techniques/T1556/", "https://attack.mitre.org/techniques/T1556/006/", "https://twitter.com/jhencinski/status/1618660062352007174"], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A new virtual device is added to user $user$", "risk_score": 64, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1556.006", "mitre_attack_technique": "Multi-Factor Authentication", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["Scattered Spider"]}]}, "type": "TTP", "search": " `amazon_security_lake` api.operation=CreateVirtualMFADevice | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.name actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.name as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_new_mfa_method_registered_for_user_filter`", "how_to_implement": "The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.", "known_false_positives": "Newly onboarded users who are registering an MFA method for the first time will also trigger this detection.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "asl_aws_new_mfa_method_registered_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS AMI Attribute Modification for Exfiltration", "author": "Bhavin Patel, Splunk", "date": "2023-03-31", "version": 2, "id": "f2132d74-cf81-4c5e-8799-ab069e67dc9f", "description": "This search looks for suspicious AWS AMI attribute modifications, such as sharing it with another AWS account or making the full AMI image public. Adversaries are known to abuse these APIs to exfiltrate sensitive organization information stored in the AWS Resources, there by its very important to monitor these seemingly benign API activity in Cloudtrail logs.", "references": ["https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/", "https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ami/", "https://hackingthe.cloud/aws/enumeration/loot_public_ebs_snapshots/"], "tags": {"analytic_story": ["Data Exfiltration", "Suspicious Cloud Instance Activities"], "asset_type": "EC2 Snapshot", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.CM"], "observable": [{"name": "user_arn", "type": "User", "role": ["Attacker"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "aws_account_id", "type": "Other", "role": ["Victim"]}], "message": "AWS AMI from account $aws_account_id$ is shared externally with $accounts_added$ from $src_ip$ or AMI made is made Public.", "risk_score": 80, "security_domain": "threat", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1537", "mitre_attack_technique": "Transfer Data to Cloud Account", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "`cloudtrail` eventName=ModifyImageAttribute (requestParameters.launchPermission.add.items{}.userId = * OR requestParameters.launchPermission.add.items{}.group = all) | rename requestParameters.launchPermission.add.items{}.group as group_added | rename requestParameters.launchPermission.add.items{}.userId as accounts_added | eval ami_status=if(match(group_added,\"all\") ,\"Public AMI\", \"Not Public\") | stats count min(_time) as firstTime max(_time) as lastTime values(group_added) values(accounts_added) as accounts_added values(ami_status) by src_ip region eventName userAgent user_arn aws_account_id userIdentity.principalId | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `aws_ami_attribute_modification_for_exfiltration_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "It is possible that an AWS admin has legitimately shared a snapshot with others for a specific purpose.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_ami_attribute_modification_for_exfiltration_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Concurrent Sessions From Different Ips", "author": "Bhavin Patel, Splunk", "date": "2023-02-01", "version": 1, "id": "51c04fdb-2746-465a-b86e-b413a09c9085", "description": "The following analytic identifies an AWS IAM account with concurrent sessions coming from more than one unique IP address within the span of 5 minutes. This behavior could represent a session hijacking attack whereby an adversary has extracted cookies from a victims browser and is using them from a different location to access corporate online resources. When a user navigates the AWS Console after authentication, the API call with the event name `DescribeEventAggregates` is registered in the AWS CloudTrail logs. The Splunk Threat Research team leveraged this event name to identify 2 concurrent sessions. The presence of this event occurring from two different IP addresses is highly unlikely. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments.", "references": ["https://attack.mitre.org/techniques/T1185/", "https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokens/", "https://github.com/kgretzky/evilginx2"], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover", "Compromised User Account"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user_arn", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "User $user_arn$ has concurrent sessions from more than one unique IP address $src_ip$ in the span of 5 minutes.", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1185", "mitre_attack_technique": "Browser Session Hijacking", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": []}]}, "type": "TTP", "search": " `cloudtrail` eventName = DescribeEventAggregates src_ip!=\"AWS Internal\" | bin span=5m _time | stats values(userAgent) values(eventName) values(src_ip) as src_ip dc(src_ip) as distinct_ip_count by _time user_arn | where distinct_ip_count > 1 | `aws_concurrent_sessions_from_different_ips_filter`", "how_to_implement": "You must install Splunk AWS Add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "A user with concurrent sessions from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_concurrent_sessions_from_different_ips_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Console Login Failed During MFA Challenge", "author": "Bhavin Patel, Splunk", "date": "2022-10-03", "version": 1, "id": "55349868-5583-466f-98ab-d3beb321961e", "description": "The following analytic identifies an authentication attempt event against an AWS Console that fails during the Multi Factor Authentication challenge. AWS Cloudtrail logs provide a a very useful field called `additionalEventData` that logs information regarding usage of MFA. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", "references": ["https://attack.mitre.org/techniques/T1621/", "https://aws.amazon.com/what-is/mfa/"], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover", "Compromised User Account"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Weaponization"], "nist": ["DE.CM"], "observable": [{"name": "user_name", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "User $user_name$ failed to pass MFA challenge while logging into console from $src$", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$", "Scattered Spider"]}]}, "type": "TTP", "search": "`cloudtrail` eventName= ConsoleLogin errorMessage=\"Failed authentication\" additionalEventData.MFAUsed = \"Yes\" | stats count min(_time) as firstTime max(_time) as lastTime by src eventName eventSource aws_account_id errorCode errorMessage userAgent eventID awsRegion user_name userIdentity.arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `aws_console_login_failed_during_mfa_challenge_filter`", "how_to_implement": "The Splunk AWS Add-on is required to utilize this data. The search requires AWS CloudTrail logs.", "known_false_positives": "Legitimate users may miss to reply the MFA challenge within the time window or deny it by mistake.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_console_login_failed_during_mfa_challenge_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Create Policy Version to allow all resources", "author": "Bhavin Patel, Splunk", "date": "2024-04-16", "version": 4, "id": "2a9b80d3-6340-4345-b5ad-212bf3d0dac4", "description": "This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account.", "references": ["https://bishopfox.com/blog/privilege-escalation-in-aws", "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/"], "tags": {"analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ created a policy version that allows them to access any resource in their account.", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": "`cloudtrail` eventName=CreatePolicyVersion eventSource = iam.amazonaws.com errorCode = success | spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} | mvexpand key_policy_statements | spath input=key_policy_statements output=key_policy_action_1 path=Action | where key_policy_action_1 = \"*\" | stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|`aws_create_policy_version_to_allow_all_resources_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has legitimately created a policy to allow a user to access all resources. That said, AWS strongly advises against granting full control to all AWS resources and you must verify this activity.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_create_policy_version_to_allow_all_resources_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS CreateAccessKey", "author": "Bhavin Patel, Splunk", "date": "2022-03-03", "version": 3, "id": "2a9b80d3-6340-4345-11ad-212bf3d0d111", "description": "This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it's important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don't typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.", "references": ["https://bishopfox.com/blog/privilege-escalation-in-aws", "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/"], "tags": {"analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Attacker"]}], "message": "User $user_arn$ is attempting to create access keys for $requestParameters.userName$ from this IP $src$", "risk_score": 63, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider", "Scattered Spider"]}]}, "type": "Hunting", "search": "`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success | eval match=if(match(userIdentity.userName,requestParameters.userName),1,0) | search match=0 | stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`aws_createaccesskey_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has legitimately created keys for another user.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_createaccesskey_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS CreateLoginProfile", "author": "Bhavin Patel, Splunk", "date": "2021-07-19", "version": 2, "id": "2a9b80d3-6340-4345-11ad-212bf444d111", "description": "This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip", "references": ["https://bishopfox.com/blog/privilege-escalation-in-aws", "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/"], "tags": {"analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "message": "User $user_arn$ is attempting to create a login profile for $new_login_profile$ and did a console login from this IP $src_ip$", "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider", "Scattered Spider"]}]}, "type": "TTP", "search": "`cloudtrail` eventName = CreateLoginProfile | rename requestParameters.userName as new_login_profile | table src_ip eventName new_login_profile userIdentity.userName | join new_login_profile src_ip [| search `cloudtrail` eventName = ConsoleLogin | rename userIdentity.userName as new_login_profile | stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`] | `aws_createloginprofile_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has legitimately created a login profile for another user.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_createloginprofile_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Credential Access Failed Login", "author": "Gowthamaraj Rajendran, Bhavin Patel, Splunk", "date": "2022-08-07", "version": 1, "id": "a19b354d-0d7f-47f3-8ea6-1a7c36434968", "description": "It shows that there have been an unsuccessful attempt to log in using the user identity to the AWS management console. Since the user identity has access to AWS account services and resources, an attacker might try to brute force the password for that identity.", "references": ["https://attack.mitre.org/techniques/T1110/001/"], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Weaponization"], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ has a login failure from IP $src$", "risk_score": 49, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.001", "mitre_attack_technique": "Password Guessing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29"]}]}, "type": "TTP", "search": "| tstats count earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Authentication where Authentication.action = failure Authentication.app=AwsConsoleSignIn Authentication.signature=ConsoleLogin BY Authentication.app Authentication.signature Authentication.dest Authentication.user Authentication.action Authentication.user_id Authentication.src | `drop_dm_object_name(Authentication)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `aws_credential_access_failed_login_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "Users may genuinely mistype or forget the password.", "datamodel": ["Authentication"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_credential_access_failed_login_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Credential Access GetPasswordData", "author": "Bhavin Patel, Splunk", "date": "2024-05-21", "version": 2, "id": "4d347c4a-306e-41db-8d10-b46baf71b3e2", "description": "The following analytic identifies more than 10 GetPasswordData API calls within a 5-minute window in your AWS account. It leverages AWS CloudTrail logs to detect this activity by counting the distinct instance IDs accessed. This behavior is significant as it may indicate an attempt to retrieve encrypted administrator passwords for running Windows instances, which is a critical security concern. If confirmed malicious, attackers could gain unauthorized access to administrative credentials, potentially leading to full control over the affected instances and further compromise of the AWS environment.", "references": ["https://attack.mitre.org/techniques/T1552/", "https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ec2-get-password-data/"], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Weaponization"], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "message": "User $user_arn$ is seen to make mulitple `GetPasswordData` API calls to instance ids $instance_ids$ from IP $src_ip$", "risk_score": 49, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.001", "mitre_attack_technique": "Password Guessing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29"]}]}, "type": "Anomaly", "search": "`cloudtrail` eventName=GetPasswordData eventSource = ec2.amazonaws.com | bin _time span=5m | stats count values(errorCode) as errorCode dc(requestParameters.instanceId) as distinct_instance_ids values(requestParameters.instanceId) as instance_ids by aws_account_id src_ip user_arn userAgent eventName _time | where distinct_instance_ids > 10 | `aws_credential_access_getpassworddata_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. We encourage the users to adjust the values of `distinct_instance_ids` and tweak the `span` value according to their environment.", "known_false_positives": "Administrator tooling or automated scripts may make these calls but it is highly unlikely to make several calls in a short period of time.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_credential_access_getpassworddata_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Credential Access RDS Password reset", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-03-19", "version": 2, "id": "6153c5ea-ed30-4878-81e6-21ecdb198189", "description": "The master user password for Amazon RDS DB instance can be reset using the Amazon RDS console. Using this technique, the attacker can get access to the sensitive data from the DB. Usually, the production databases may have sensitive data like Credit card information, PII, Health care Data. This event should be investigated further.", "references": ["https://aws.amazon.com/premiumsupport/knowledge-center/reset-master-user-password-rds"], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Weaponization"], "nist": ["DE.CM"], "observable": [{"name": "database_id", "type": "Endpoint", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "$database_id$ password has been reset from IP $src$", "risk_score": 49, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "type": "TTP", "search": "`cloudtrail` eventSource=\"rds.amazonaws.com\" eventName=ModifyDBInstance \"requestParameters.masterUserPassword\"=* | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.dBInstanceIdentifier) as database_id by src awsRegion eventName userAgent user_arn| `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `aws_credential_access_rds_password_reset_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "Users may genuinely reset the RDS password.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_credential_access_rds_password_reset_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Cross Account Activity From Previously Unseen Account", "author": "Rico Valdez, Splunk", "date": "2024-05-16", "version": 2, "id": "21193641-cb96-4a2c-a707-d9b9a7f7792b", "description": "The following analytic identifies AssumeRole events where an IAM role in a different AWS account is accessed for the first time. It detects this activity by analyzing authentication logs and comparing the requesting and requested account IDs, flagging new cross-account activities. This behavior is significant because unauthorized cross-account access can indicate potential lateral movement or privilege escalation attempts. If confirmed malicious, an attacker could gain unauthorized access to resources in another account, potentially leading to data exfiltration, service disruption, or further compromise of the AWS environment.", "references": [], "tags": {"analytic_story": ["Suspicious Cloud Authentication Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "requestingAccountId", "type": "Other", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "AWS account $requestingAccountId$ is trying to access resource from some other account $requestedAccountId$, for the first time.", "risk_score": 15, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats min(_time) as firstTime max(_time) as lastTime from datamodel=Authentication where Authentication.signature=AssumeRole by Authentication.vendor_account Authentication.user Authentication.src Authentication.user_role | `drop_dm_object_name(Authentication)` | rex field=user_role \"arn:aws:sts:*:(?.*):\" | where vendor_account != dest_account | rename vendor_account as requestingAccountId dest_account as requestedAccountId | lookup previously_seen_aws_cross_account_activity requestingAccountId, requestedAccountId, OUTPUTNEW firstTime | eval status = if(firstTime > relative_time(now(), \"-24h@h\"),\"New Cross Account Activity\",\"Previously Seen\") | where status = \"New Cross Account Activity\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `aws_cross_account_activity_from_previously_unseen_account_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen AWS Cross Account Activity - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen AWS Cross Account Activity - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `aws_cross_account_activity_from_previously_unseen_account_filter` macro.", "known_false_positives": "Using multiple AWS accounts and roles is perfectly valid behavior. It's suspicious when an account requests privileges of an account it hasn't before. You should validate with the account owner that this is a legitimate request.", "datamodel": ["Authentication"], "source": "cloud", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_cross_account_activity_from_previously_unseen_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_aws_cross_account_activity", "description": "A placeholder for a list of AWS accounts and assumed roles", "collection": "previously_seen_aws_cross_account_activity", "case_sensitive_match": null, "fields_list": "_key,firstTime,lastTime,requestingAccountId,requestedAccountId"}]}, {"name": "AWS Defense Evasion Delete Cloudtrail", "author": "Bhavin Patel, Splunk", "date": "2022-07-13", "version": 1, "id": "82092925-9ca1-4e06-98b8-85a2d3889552", "description": "This analytic identifies AWS `DeleteTrail` events within CloudTrail logs. Adversaries often try to impair their target's defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may delete the the entire cloudtrail that is logging activities in the environment.", "references": ["https://attack.mitre.org/techniques/T1562/008/"], "tags": {"analytic_story": ["AWS Defense Evasion"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "message": "User $user_arn$ has delete a CloudTrail logging for account id $aws_account_id$ from IP $src$", "risk_score": 90, "security_domain": "threat", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.008", "mitre_attack_technique": "Disable or Modify Cloud Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "TTP", "search": "`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `aws_defense_evasion_delete_cloudtrail_filter`", "how_to_implement": "You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has stopped cloudTrail logging. Please investigate this activity.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_defense_evasion_delete_cloudtrail_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Defense Evasion Delete CloudWatch Log Group", "author": "Gowthamaraj Rajendran, Splunk", "date": "2022-07-17", "version": 1, "id": "d308b0f1-edb7-4a62-a614-af321160710f", "description": "This analytic identifies AWS `DeleteLogGroup` events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.", "references": ["https://attack.mitre.org/techniques/T1562/008/"], "tags": {"analytic_story": ["AWS Defense Evasion"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "message": "User $user_arn$ has deleted a CloudWatch logging group for account id $aws_account_id$ from IP $src$", "risk_score": 90, "security_domain": "threat", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1562.008", "mitre_attack_technique": "Disable or Modify Cloud Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29"]}]}, "type": "TTP", "search": "`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `aws_defense_evasion_delete_cloudwatch_log_group_filter`", "how_to_implement": "You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has deleted CloudWatch logging. Please investigate this activity.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_defense_evasion_delete_cloudwatch_log_group_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Defense Evasion Impair Security Services", "author": "Bhavin Patel, Gowthamaraj Rajendran, Splunk", "date": "2022-07-26", "version": 1, "id": "b28c4957-96a6-47e0-a965-6c767aac1458", "description": "This analytic looks for several delete specific API calls made to AWS Security Services like CloudWatch, GuardDuty and Web Application Firewalls. These API calls are often leveraged by adversaries to weaken existing security defenses by deleting logging configurations in the CloudWatch alarm, delete a set of detectors from your Guardduty environment or simply delete a bunch of CloudWatch alarms to remain stealthy and avoid detection.", "references": ["https://docs.aws.amazon.com/cli/latest/reference/guardduty/index.html", "https://docs.aws.amazon.com/cli/latest/reference/waf/index.html", "https://www.elastic.co/guide/en/security/current/prebuilt-rules.html"], "tags": {"analytic_story": ["AWS Defense Evasion"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Attacker"]}], "message": "User $user_arn$ has made potentially risky api calls $eventName$ that could impair AWS security services for account id $aws_account_id$", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.008", "mitre_attack_technique": "Disable or Modify Cloud Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "Hunting", "search": "`cloudtrail` eventName IN (\"DeleteLogStream\",\"DeleteDetector\",\"DeleteIPSet\",\"DeleteWebACL\",\"DeleteRule\",\"DeleteRuleGroup\",\"DeleteLoggingConfiguration\",\"DeleteAlarms\") | stats count min(_time) as firstTime max(_time) as lastTime values(eventName) as eventName values(eventSource) as eventSource values(requestParameters.*) as * by src region user_arn aws_account_id user_type user_agent errorCode| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `aws_defense_evasion_impair_security_services_filter`", "how_to_implement": "You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment.", "known_false_positives": "While this search has no known false positives, it is possible that it is a legitimate admin activity. Please consider filtering out these noisy events using userAgent, user_arn field names.", "datamodel": ["Web"], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_defense_evasion_impair_security_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Defense Evasion PutBucketLifecycle", "author": "Bhavin Patel", "date": "2022-07-25", "version": 1, "id": "ce1c0e2b-9303-4903-818b-0d9002fc6ea4", "description": "This analytic identifies `PutBucketLifecycle` events in CloudTrail logs where a user has created a new lifecycle rule for an S3 bucket with a short expiration period. Attackers may use this API call to impair the CloudTrail logging by removing logs from the S3 bucket by changing the object expiration day to 1 day, in which case the CloudTrail logs will be deleted.", "references": ["https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule/"], "tags": {"analytic_story": ["AWS Defense Evasion"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Attacker"]}], "message": "User $user_arn$ has created a new rule to on an S3 bucket $bucket_name$ with short expiration days", "risk_score": 20, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.008", "mitre_attack_technique": "Disable or Modify Cloud Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "Hunting", "search": "`cloudtrail` eventName=PutBucketLifecycle user_type=IAMUser errorCode=success | spath path=requestParameters{}.LifecycleConfiguration{}.Rule{}.Expiration{}.Days output=expiration_days | spath path=requestParameters{}.bucketName output=bucket_name | stats count min(_time) as firstTime max(_time) as lastTime by src region eventName userAgent user_arn aws_account_id expiration_days bucket_name user_type| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where expiration_days < 3 | `aws_defense_evasion_putbucketlifecycle_filter`", "how_to_implement": "You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment. We recommend our users to set the expiration days value according to your company's log retention policies.", "known_false_positives": "While this search has no known false positives, it is possible that it is a legitimate admin activity. Please consider filtering out these noisy events using userAgent, user_arn field names.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_defense_evasion_putbucketlifecycle_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Defense Evasion Stop Logging Cloudtrail", "author": "Bhavin Patel, Splunk", "date": "2022-07-12", "version": 1, "id": "8a2f3ca2-4eb5-4389-a549-14063882e537", "description": "This analytic identifies `StopLogging` events in CloudTrail logs. Adversaries often try to impair their target's defenses by stopping their macliious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may easily stop logging.", "references": ["https://attack.mitre.org/techniques/T1562/008/"], "tags": {"analytic_story": ["AWS Defense Evasion"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "message": "User $user_arn$ has stopped Cloudtrail logging for account id $aws_account_id$ from IP $src$", "risk_score": 90, "security_domain": "threat", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.008", "mitre_attack_technique": "Disable or Modify Cloud Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "TTP", "search": "`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `aws_defense_evasion_stop_logging_cloudtrail_filter`", "how_to_implement": "You must install Splunk AWS Add on and enable Cloudtrail logs in your AWS Environment.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has stopped cloudtrail logging. Please investigate this activity.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_defense_evasion_stop_logging_cloudtrail_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Defense Evasion Update Cloudtrail", "author": "Gowthamaraj Rajendran, Splunk", "date": "2022-07-17", "version": 1, "id": "7c921d28-ef48-4f1b-85b3-0af8af7697db", "description": "This analytic identifies `UpdateTrail` events in CloudTrail logs. Attackers may evade the logging capability by updating the settings and impairing them with wrong parameters. For example, Attackers may change the multi-regional log into a single region logs, which evades the logging for other regions. When the adversary has the right type of permissions in the compromised AWS environment, they may update the CloudTrail settings that is logging activities in your environment.", "references": ["https://attack.mitre.org/techniques/T1562/008/"], "tags": {"analytic_story": ["AWS Defense Evasion"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "message": "User $user_arn$ has updated a cloudtrail logging for account id $aws_account_id$ from IP $src$", "risk_score": 90, "security_domain": "threat", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1562.008", "mitre_attack_technique": "Disable or Modify Cloud Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29"]}]}, "type": "TTP", "search": "`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `aws_defense_evasion_update_cloudtrail_filter`", "how_to_implement": "You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has updated cloudtrail logging. Please investigate this activity.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_defense_evasion_update_cloudtrail_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "aws detect attach to role policy", "author": "Rod Soto, Splunk", "date": "2024-05-12", "version": 2, "id": "88fc31dd-f331-448c-9856-d3d51dd5d3a1", "description": "The following analytic identifies a user attaching a policy to a different role's trust policy in AWS. It leverages CloudWatch logs to detect the `attach policy` event, extracting relevant fields such as `policyArn`, `sourceIPAddress`, and `userIdentity`. This activity is significant as it can indicate attempts at lateral movement or privilege escalation within the AWS environment. If confirmed malicious, an attacker could gain elevated permissions, potentially compromising sensitive resources and data within the AWS infrastructure.", "references": [], "tags": {"analytic_story": ["AWS Cross Account Activity"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "type": "Hunting", "search": "`aws_cloudwatchlogs_eks` attach policy| spath requestParameters.policyArn | table sourceIPAddress user_access_key userIdentity.arn userIdentity.sessionContext.sessionIssuer.arn eventName errorCode errorMessage status action requestParameters.policyArn userIdentity.sessionContext.attributes.mfaAuthenticated userIdentity.sessionContext.attributes.creationDate | `aws_detect_attach_to_role_policy_filter`", "how_to_implement": "You must install splunk AWS add-on and Splunk App for AWS. This search works with cloudwatch logs", "known_false_positives": "Attach to policy can create a lot of noise. This search can be adjusted to provide specific values to identify cases of abuse (i.e status=failure). The search can provide context for common users attaching themselves to higher privilege policies or even newly created policies.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_detect_attach_to_role_policy_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "aws detect permanent key creation", "author": "Rod Soto, Splunk", "date": "2024-05-23", "version": 2, "id": "12d6d713-3cb4-4ffc-a064-1dca3d1cca01", "description": "The following analytic detects the creation of permanent access keys in AWS accounts. It leverages CloudWatch logs to identify events where the `CreateAccessKey` action is performed by IAM users. Monitoring the creation of permanent keys is crucial as they are not created by default and are typically used for programmatic access. If confirmed malicious, this activity could allow attackers to gain persistent access to AWS resources, potentially leading to unauthorized actions and data exfiltration.", "references": [], "tags": {"analytic_story": ["AWS Cross Account Activity"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "type": "Hunting", "search": "`aws_cloudwatchlogs_eks` CreateAccessKey | spath eventName | search eventName=CreateAccessKey \"userIdentity.type\"=IAMUser | table sourceIPAddress userName userIdentity.type userAgent action status responseElements.accessKey.createDate responseElements.accessKey.status responseElements.accessKey.accessKeyId |`aws_detect_permanent_key_creation_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs", "known_false_positives": "Not all permanent key creations are malicious. If there is a policy of rotating keys this search can be adjusted to provide better context.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_detect_permanent_key_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "aws detect role creation", "author": "Rod Soto, Splunk", "date": "2020-07-27", "version": 1, "id": "5f04081e-ddee-4353-afe4-504f288de9ad", "description": "This search provides detection of role creation by IAM users. Role creation is an event by itself if user is creating a new role with trust policies different than the available in AWS and it can be used for lateral movement and escalation of privileges.", "references": [], "tags": {"analytic_story": ["AWS Cross Account Activity"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "type": "Hunting", "search": "`aws_cloudwatchlogs_eks` event_name=CreateRole action=created userIdentity.type=AssumedRole requestParameters.description=Allows* | table sourceIPAddress userIdentity.principalId userIdentity.arn action event_name awsRegion http_user_agent mfa_auth msg requestParameters.roleName requestParameters.description responseElements.role.arn responseElements.role.createDate | `aws_detect_role_creation_filter`", "how_to_implement": "You must install splunk AWS add-on and Splunk App for AWS. This search works with cloudwatch logs", "known_false_positives": "CreateRole is not very common in common users. This search can be adjusted to provide specific values to identify cases of abuse. In general AWS provides plenty of trust policies that fit most use cases.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_detect_role_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "aws detect sts assume role abuse", "author": "Rod Soto, Splunk", "date": "2024-05-20", "version": 2, "id": "8e565314-b6a2-46d8-9f05-1a34a176a662", "description": "The following analytic identifies suspicious use of the AWS STS AssumeRole action. It leverages AWS CloudTrail logs to detect instances where roles are assumed, focusing on specific fields like source IP address, user ARN, and role names. This activity is significant because attackers can use assumed roles to move laterally within the AWS environment and escalate privileges. If confirmed malicious, this could allow attackers to gain unauthorized access to sensitive resources, execute code, or further entrench themselves within the environment, leading to potential data breaches or service disruptions.", "references": [], "tags": {"analytic_story": ["AWS Cross Account Activity"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "type": "Hunting", "search": "`cloudtrail` user_type=AssumedRole userIdentity.sessionContext.sessionIssuer.type=Role | table sourceIPAddress userIdentity.arn user_agent user_access_key status action requestParameters.roleName responseElements.role.roleName responseElements.role.createDate | `aws_detect_sts_assume_role_abuse_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs", "known_false_positives": "Sts:AssumeRole can be very noisy as it is a standard mechanism to provide cross account and cross resources access. This search can be adjusted to provide specific values to identify cases of abuse.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_detect_sts_assume_role_abuse_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "aws detect sts get session token abuse", "author": "Rod Soto, Splunk", "date": "2024-05-14", "version": 2, "id": "85d7b35f-b8b5-4b01-916f-29b81e7a0551", "description": "The following analytic identifies the suspicious use of the AWS STS GetSessionToken API call. It leverages CloudWatch logs to detect instances where this API is invoked, focusing on fields such as source IP address, event time, user identity, and status. This activity is significant because attackers can use these tokens to move laterally within the AWS environment and escalate privileges. If confirmed malicious, this could lead to unauthorized access and control over AWS resources, potentially compromising sensitive data and critical infrastructure.", "references": [], "tags": {"analytic_story": ["AWS Cross Account Activity"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": []}]}, "type": "Hunting", "search": "`aws_cloudwatchlogs_eks` ASIA userIdentity.type=IAMUser| spath eventName | search eventName=GetSessionToken | table sourceIPAddress eventTime userIdentity.arn userName userAgent user_type status region | `aws_detect_sts_get_session_token_abuse_filter`", "how_to_implement": "You must install splunk AWS add-on and Splunk App for AWS. This search works with cloudwatch logs", "known_false_positives": "Sts:GetSessionToken can be very noisy as in certain environments numerous calls of this type can be executed. This search can be adjusted to provide specific values to identify cases of abuse. In specific environments the use of field requestParameters.serialNumber will need to be used.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_detect_sts_get_session_token_abuse_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Detect Users creating keys with encrypt policy without MFA", "author": "Rod Soto, Patrick Bareiss Splunk", "date": "2021-01-11", "version": 1, "id": "c79c164f-4b21-4847-98f9-cf6a9f49179e", "description": "This search provides detection of KMS keys where action kms:Encrypt is accessible for everyone (also outside of your organization). This is an indicator that your account is compromised and the attacker uses the encryption key to compromise another company.", "references": ["https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/", "https://github.com/d1vious/git-wild-hunt", "https://www.youtube.com/watch?v=PgzNib37g0M"], "tags": {"analytic_story": ["Ransomware Cloud"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "AWS account is potentially compromised and user $user$ is trying to compromise other accounts.", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "Akira", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "Scattered Spider", "TA505"]}]}, "type": "TTP", "search": "`cloudtrail` eventName=CreateKey OR eventName=PutKeyPolicy | spath input=requestParameters.policy output=key_policy_statements path=Statement{} | mvexpand key_policy_statements | spath input=key_policy_statements output=key_policy_action_1 path=Action | spath input=key_policy_statements output=key_policy_action_2 path=Action{} | eval key_policy_action=mvappend(key_policy_action_1, key_policy_action_2) | spath input=key_policy_statements output=key_policy_principal path=Principal.AWS | search key_policy_action=\"kms:Encrypt\" AND key_policy_principal=\"*\" | stats count min(_time) as firstTime max(_time) as lastTime by eventName eventSource eventID awsRegion userIdentity.principalId user | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |`aws_detect_users_creating_keys_with_encrypt_policy_without_mfa_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_detect_users_creating_keys_with_encrypt_policy_without_mfa_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Detect Users with KMS keys performing encryption S3", "author": "Rod Soto, Patrick Bareiss Splunk", "date": "2024-05-18", "version": 3, "id": "884a5f59-eec7-4f4a-948b-dbde18225fdc", "description": "The following analytic identifies users with KMS keys performing encryption operations on S3 buckets. It leverages AWS CloudTrail logs to detect the `CopyObject` event where server-side encryption with AWS KMS is specified. This activity is significant as it may indicate unauthorized or suspicious encryption of data, potentially masking exfiltration or tampering efforts. If confirmed malicious, an attacker could be encrypting sensitive data to evade detection or preparing it for exfiltration, posing a significant risk to data integrity and confidentiality.", "references": ["https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/", "https://github.com/d1vious/git-wild-hunt", "https://www.youtube.com/watch?v=PgzNib37g0M"], "tags": {"analytic_story": ["Ransomware Cloud"], "asset_type": "S3 Bucket", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ with KMS keys is performing encryption, against S3 buckets on these files $dest_file$", "risk_score": 15, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "Akira", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "Scattered Spider", "TA505"]}]}, "type": "Anomaly", "search": "`cloudtrail` eventName=CopyObject requestParameters.x-amz-server-side-encryption=\"aws:kms\" | rename requestParameters.bucketName AS bucketName, requestParameters.x-amz-copy-source AS src_file, requestParameters.key AS dest_file | stats count min(_time) as firstTime max(_time) as lastTime values(bucketName) as bucketName values(src_file) AS src_file values(dest_file) AS dest_file values(userAgent) AS userAgent values(region) AS region values(src) AS src by user | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |`aws_detect_users_with_kms_keys_performing_encryption_s3_filter`", "how_to_implement": "You must install Splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs", "known_false_positives": "There maybe buckets provisioned with S3 encryption", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_detect_users_with_kms_keys_performing_encryption_s3_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Disable Bucket Versioning", "author": "Bhavin Patel, Splunk", "date": "2023-05-01", "version": 1, "id": "657902a9-987d-4879-a1b2-e7a65512824b", "description": "The following analytic detects AWS CloudTrail events where bucket versioning is suspended by a user. Versioning allows the AWS Administrators to maintain different version of the S3 bucket which can be used to recover deleted data. Adversaries have leveraged this technique in the wild during a ransomware incident to disable versioning so the client cannot recover the data.", "references": ["https://invictus-ir.medium.com/ransomware-in-the-cloud-7f14805bbe82", "https://bleemb.medium.com/data-exfiltration-with-native-aws-s3-features-c94ae4d13436"], "tags": {"analytic_story": ["Data Exfiltration", "Suspicious AWS S3 Activities"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.AE"], "observable": [{"name": "user_arn", "type": "User", "role": ["Attacker"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "aws_account_id", "type": "Other", "role": ["Victim"]}], "message": "Bucket Versioning is suspended for S3 buckets- $bucket_name$ by user $user_arn$ from IP address $src_ip$", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}]}, "type": "Anomaly", "search": "`cloudtrail` eventName= PutBucketVersioning \"requestParameters.VersioningConfiguration.Status\"=Suspended | stats count values(requestParameters.bucketName) as bucket_name values(resources{}.ARN) as resource_arn by src_ip aws_account_id awsRegion eventName userAgent user_arn userIdentity.principalId errorCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `aws_disable_bucket_versioning_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "It is possible that an AWS Administrator has legitimately disabled versioning on certain buckets to avoid costs.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_disable_bucket_versioning_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS EC2 Snapshot Shared Externally", "author": "Bhavin Patel, Splunk", "date": "2024-05-07", "version": 4, "id": "2a9b80d3-6340-4345-b5ad-290bf3d222c4", "description": "The following analytic detects when an EC2 snapshot is shared with an external AWS account by analyzing AWS CloudTrail events. This detection method leverages CloudTrail logs to identify modifications in snapshot permissions, specifically when the snapshot is shared outside the originating AWS account. This activity is significant as it may indicate an attempt to exfiltrate sensitive data stored in the snapshot. If confirmed malicious, an attacker could gain unauthorized access to the snapshot's data, potentially leading to data breaches or further exploitation of the compromised information.", "references": ["https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/", "https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot/", "https://hackingthe.cloud/aws/enumeration/loot_public_ebs_snapshots/"], "tags": {"analytic_story": ["Data Exfiltration", "Suspicious Cloud Instance Activities"], "asset_type": "EC2 Snapshot", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.CM"], "observable": [{"name": "user_arn", "type": "User", "role": ["Attacker"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "aws_account_id", "type": "Other", "role": ["Victim"]}], "message": "AWS EC2 snapshot from account $aws_account_id$ is shared with $requested_account_id$ by user $user_arn$ from $src_ip$", "risk_score": 48, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1537", "mitre_attack_technique": "Transfer Data to Cloud Account", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "`cloudtrail` eventName=ModifySnapshotAttribute | rename requestParameters.createVolumePermission.add.items{}.userId as requested_account_id | search requested_account_id != NULL | eval match=if(requested_account_id==aws_account_id,\"Match\",\"No Match\") | table _time user_arn src_ip requestParameters.attributeType requested_account_id aws_account_id match vendor_region user_agent userIdentity.principalId | where match = \"No Match\" | `aws_ec2_snapshot_shared_externally_filter` ", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "It is possible that an AWS admin has legitimately shared a snapshot with others for a specific purpose.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_ec2_snapshot_shared_externally_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS ECR Container Scanning Findings High", "author": "Patrick Bareiss, Splunk", "date": "2024-05-12", "version": 3, "id": "30a0e9f8-f1dd-4f9d-8fc2-c622461d781c", "description": "The following analytic identifies high-severity findings from AWS Elastic Container Registry (ECR) image scans. It detects these activities by analyzing AWS CloudTrail logs for the DescribeImageScanFindings event, specifically filtering for findings with a high severity level. This activity is significant for a SOC because high-severity vulnerabilities in container images can lead to potential exploitation if not addressed. If confirmed malicious, attackers could exploit these vulnerabilities to gain unauthorized access, execute arbitrary code, or escalate privileges within the container environment, posing a significant risk to the overall security posture.", "references": ["https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "repository", "type": "Other", "role": ["Victim"]}], "message": "Vulnerabilities with severity high found in repository $repository$", "risk_score": 70, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204.003", "mitre_attack_technique": "Malicious Image", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}]}, "type": "TTP", "search": "`cloudtrail` eventSource=ecr.amazonaws.com eventName=DescribeImageScanFindings | spath path=responseElements.imageScanFindings.findings{} output=findings | mvexpand findings | spath input=findings | search severity=HIGH | rename name as finding_name, description as finding_description, requestParameters.imageId.imageDigest as imageDigest, requestParameters.repositoryName as repository, userIdentity.principalId as user | eval finding = finding_name.\", \".finding_description | eval phase=\"release\" | eval severity=\"high\" | stats min(_time) as firstTime max(_time) as lastTime by awsRegion, eventName, eventSource, imageDigest, repository, user, src_ip, finding, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_ecr_container_scanning_findings_high_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_ecr_container_scanning_findings_high_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS ECR Container Scanning Findings Low Informational Unknown", "author": "Patrick Bareiss, Eric McGinnis Splunk", "date": "2024-05-15", "version": 3, "id": "cbc95e44-7c22-443f-88fd-0424478f5589", "description": "The following analytic identifies low, informational, or unknown severity findings from AWS Elastic Container Registry (ECR) image scans. It leverages AWS CloudTrail logs, specifically the DescribeImageScanFindings event, to detect these findings. This activity is significant for a SOC as it helps in early identification of potential vulnerabilities or misconfigurations in container images, which could be exploited if left unaddressed. If confirmed malicious, these findings could lead to unauthorized access, data breaches, or further exploitation within the containerized environment.", "references": ["https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "repository", "type": "Other", "role": ["Victim"]}], "message": "Vulnerabilities with severity $severity$ found in repository $repository$", "risk_score": 5, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204.003", "mitre_attack_technique": "Malicious Image", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}]}, "type": "Anomaly", "search": "`cloudtrail` eventSource=ecr.amazonaws.com eventName=DescribeImageScanFindings | spath path=responseElements.imageScanFindings.findings{} output=findings | mvexpand findings | spath input=findings| search severity IN (\"LOW\", \"INFORMATIONAL\", \"UNKNOWN\") | rename name as finding_name, description as finding_description, requestParameters.imageId.imageDigest as imageDigest, requestParameters.repositoryName as repository, userIdentity.principalId as user | eval finding = finding_name.\", \".finding_description | eval phase=\"release\" | eval severity=\"low\" | stats min(_time) as firstTime max(_time) as lastTime by awsRegion, eventName, eventSource, imageDigest, repository, user, src_ip, finding, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_ecr_container_scanning_findings_low_informational_unknown_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_ecr_container_scanning_findings_low_informational_unknown_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS ECR Container Scanning Findings Medium", "author": "Patrick Bareiss, Splunk", "date": "2024-05-06", "version": 3, "id": "0b80e2c8-c746-4ddb-89eb-9efd892220cf", "description": "The following analytic identifies medium-severity findings from AWS Elastic Container Registry (ECR) image scans. It leverages AWS CloudTrail logs, specifically the DescribeImageScanFindings event, to detect vulnerabilities in container images. This activity is significant for a SOC as it highlights potential security risks in containerized applications, which could be exploited if not addressed. If confirmed malicious, these vulnerabilities could lead to unauthorized access, data breaches, or further exploitation within the container environment, compromising the overall security posture.", "references": ["https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "repository", "type": "Other", "role": ["Victim"]}], "message": "Vulnerabilities with severity $severity$ found in repository $repository$", "risk_score": 21, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204.003", "mitre_attack_technique": "Malicious Image", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}]}, "type": "Anomaly", "search": "`cloudtrail` eventSource=ecr.amazonaws.com eventName=DescribeImageScanFindings | spath path=responseElements.imageScanFindings.findings{} output=findings | mvexpand findings | spath input=findings| search severity=MEDIUM | rename name as finding_name, description as finding_description, requestParameters.imageId.imageDigest as imageDigest, requestParameters.repositoryName as repository, userIdentity.principalId as user| eval finding = finding_name.\", \".finding_description | eval phase=\"release\" | eval severity=\"medium\" | stats min(_time) as firstTime max(_time) as lastTime by awsRegion, eventName, eventSource, imageDigest, repository, user, src_ip, finding, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_ecr_container_scanning_findings_medium_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_ecr_container_scanning_findings_medium_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS ECR Container Upload Outside Business Hours", "author": "Patrick Bareiss, Splunk", "date": "2023-11-09", "version": 2, "id": "d4c4d4eb-3994-41ca-a25e-a82d64e125bb", "description": "This search looks for AWS CloudTrail events from AWS Elastic Container Service (ECR). A upload of a new container is normally done during business hours. When done outside business hours, we want to take a look into it.", "references": ["https://attack.mitre.org/techniques/T1204/003/"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Container uploaded outside business hours from $user$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204.003", "mitre_attack_technique": "Malicious Image", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}]}, "type": "Anomaly", "search": "`cloudtrail` eventSource=ecr.amazonaws.com eventName=PutImage date_hour>=20 OR date_hour<8 OR date_wday=saturday OR date_wday=sunday | rename requestParameters.* as * | rename repositoryName AS repository | eval phase=\"release\" | eval severity=\"medium\" | stats min(_time) as firstTime max(_time) as lastTime by awsRegion, eventName, eventSource, user, userName, src_ip, imageTag, registryId, repository, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_ecr_container_upload_outside_business_hours_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "When your development is spreaded in different time zones, applying this rule can be difficult.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_ecr_container_upload_outside_business_hours_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS ECR Container Upload Unknown User", "author": "Patrick Bareiss, Splunk", "date": "2021-08-19", "version": 1, "id": "300688e4-365c-4486-a065-7c884462b31d", "description": "This search looks for AWS CloudTrail events from AWS Elastic Container Service (ECR). A upload of a new container is normally done from only a few known users. When the user was never seen before, we should have a closer look into the event.", "references": ["https://attack.mitre.org/techniques/T1204/003/"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Container uploaded from unknown user $user$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204.003", "mitre_attack_technique": "Malicious Image", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}]}, "type": "Anomaly", "search": "`cloudtrail` eventSource=ecr.amazonaws.com eventName=PutImage NOT `aws_ecr_users` | rename requestParameters.* as * | rename repositoryName AS image | eval phase=\"release\" | eval severity=\"high\" | stats min(_time) as firstTime max(_time) as lastTime by awsRegion, eventName, eventSource, user, userName, src_ip, imageTag, registryId, image, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_ecr_container_upload_unknown_user_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_ecr_users", "definition": "userName IN (user)", "description": "specify the user allowed to push Images to AWS ECR."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_ecr_container_upload_unknown_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Excessive Security Scanning", "author": "Patrick Bareiss, Splunk", "date": "2024-05-08", "version": 2, "id": "1fdd164a-def8-4762-83a9-9ffe24e74d5a", "description": "The following analytic identifies excessive security scanning activities in AWS by detecting a high number of Describe, List, or Get API calls from a single user. It leverages AWS CloudTrail logs to count distinct event names and flags users with more than 50 such events. This behavior is significant as it may indicate reconnaissance activities by an attacker attempting to map out your AWS environment. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or further exploitation of your cloud infrastructure.", "references": ["https://github.com/aquasecurity/cloudsploit"], "tags": {"analytic_story": ["AWS User Monitoring"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ has excessive number of api calls $dc_events$ from these IP addresses $src$, violating the threshold of 50, using the following commands $command$.", "risk_score": 18, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1526", "mitre_attack_technique": "Cloud Service Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "`cloudtrail` eventName=Describe* OR eventName=List* OR eventName=Get* | stats dc(eventName) as dc_events min(_time) as firstTime max(_time) as lastTime values(eventName) as command values(src) as src values(userAgent) as userAgent by user userIdentity.arn | where dc_events > 50 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|`aws_excessive_security_scanning_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "While this search has no known false positives.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_excessive_security_scanning_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Exfiltration via Anomalous GetObject API Activity", "author": "Bhavin Patel, Splunk", "date": "2023-04-10", "version": 1, "id": "e4384bbf-5835-4831-8d85-694de6ad2cc6", "description": "This search uses built in Splunk command `| anomalydetection` to detect anomalies with respect to users making high number of GetObject API calls to download objects from S3 in a 10 minute time window. The field `probable_cause` is the name of the field that best explains why the event is anomalous. This command identifies anomalous events by computing a probability for each GetObject event by \"count\" \"user_type\" \"user_arn\" and detects anomaly based on the frequencies.", "references": ["https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/", "https://docs.splunk.com/Documentation/Splunk/9.0.4/SearchReference/Anomalydetection", "https://www.vectra.ai/blogpost/abusing-the-replicator-silently-exfiltrating-data-with-the-aws-s3-replication-service"], "tags": {"analytic_story": ["Data Exfiltration"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user_arn", "type": "User", "role": ["Attacker"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "aws_account_id", "type": "Other", "role": ["Victim"]}], "message": "Anomalous S3 activities detected by user $user_arn$ from $src_ip$", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1119", "mitre_attack_technique": "Automated Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "Chimera", "Confucius", "FIN5", "FIN6", "Gamaredon Group", "Ke3chang", "Mustang Panda", "OilRig", "Patchwork", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}]}, "type": "Anomaly", "search": "`cloudtrail` eventName=GetObject | bin _time span=10m | stats count values(requestParameters.bucketName) as bucketName by _time src_ip aws_account_id user_type user_arn userIdentity.principalId | anomalydetection \"count\" \"user_type\" \"user_arn\" action=annotate | search probable_cause=* |`aws_exfiltration_via_anomalous_getobject_api_activity_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "It is possible that a user downloaded these files to use them locally and there are AWS services in configured that perform these activities for a legitimate reason. Filter is needed.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_exfiltration_via_anomalous_getobject_api_activity_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Exfiltration via Batch Service", "author": "Bhavin Patel, Splunk", "date": "2023-04-24", "version": 1, "id": "04455dd3-ced7-480f-b8e6-5469b99e98e2", "description": "This search looks for events where AWS Batch Service is used for creating a job that could potentially abuse the AWS Bucket Replication feature on S3 buckets. This AWS service can used to transfer data between different AWS S3 buckets and an attacker can leverage this to exfiltrate data by creating a malicious batch job.", "references": ["https://hackingthe.cloud/aws/exploitation/s3-bucket-replication-exfiltration/", "https://bleemb.medium.com/data-exfiltration-with-native-aws-s3-features-c94ae4d13436"], "tags": {"analytic_story": ["Data Exfiltration"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "aws_account_id", "type": "Other", "role": ["Victim"]}], "message": "AWS Batch Job is created on account id - $aws_account_id$ from src_ip $src_ip$", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1119", "mitre_attack_technique": "Automated Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "Chimera", "Confucius", "FIN5", "FIN6", "Gamaredon Group", "Ke3chang", "Mustang Panda", "OilRig", "Patchwork", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}]}, "type": "TTP", "search": "`cloudtrail` eventName = JobCreated | stats count min(_time) as firstTime max(_time) as lastTime values(serviceEventDetails.jobArn) as job_arn values(serviceEventDetails.status) as status by src_ip aws_account_id eventName errorCode userAgent| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_exfiltration_via_datasync_task_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "It is possible that an AWS Administrator or a user has legitimately created this job for some tasks.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_exfiltration_via_batch_service_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Exfiltration via Bucket Replication", "author": "Bhavin Patel, Splunk", "date": "2023-04-28", "version": 1, "id": "eeb432d6-2212-43b6-9e89-fcd753f7da4c", "description": "The following analytic detects API calls made to an S3 bucket when bucket replication services are enabled. S3 bucket replication is a feature offered by Amazon Web Services (AWS) that allows you to automatically and asynchronously copy data from one S3 bucket to another in the same or different region.\nS3 bucket replication can also be used for cross-account replication, where data is replicated from a source bucket owned by one AWS account to a destination bucket owned by a different AWS account.", "references": ["https://hackingthe.cloud/aws/exploitation/s3-bucket-replication-exfiltration/"], "tags": {"analytic_story": ["Data Exfiltration", "Suspicious AWS S3 Activities"], "asset_type": "EC2 Snapshot", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.CM"], "observable": [{"name": "user_arn", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "aws_account_id", "type": "Other", "role": ["Victim"]}], "message": "AWS Bucket Replication rule $rule_id$ added on $source_bucket$ to $destination_bucket$ by user $user_arn$ from IP Address - $src_ip$", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1537", "mitre_attack_technique": "Transfer Data to Cloud Account", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "`cloudtrail` eventName = PutBucketReplication eventSource = s3.amazonaws.com | rename requestParameters.* as * | stats count values(bucketName) as source_bucket values(ReplicationConfiguration.Rule.ID) as rule_id values(ReplicationConfiguration.Rule.Destination.Bucket) as destination_bucket by _time user_arn userName user_type src_ip aws_account_id userIdentity.principalId user_agent | `aws_exfiltration_via_ec2_snapshot_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "It is possible that an AWS admin has legitimately implemented data replication to ensure data availability and improve data protection/backup strategies.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_exfiltration_via_bucket_replication_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Exfiltration via DataSync Task", "author": "Bhavin Patel, Splunk", "date": "2023-04-10", "version": 1, "id": "05c4b09f-ea28-4c7c-a7aa-a246f665c8a2", "description": "This search looks for potential misuse of an AWS service known as DataSync. This AWS service is used to transfer data between different AWS cloud storage services, such as Amazon S3, Amazon EFS, and Amazon FSx for Windows File Server. Attackers can create a task in AWS to periodically copy data from a private AWS location to a public location resulting in the compromise of the data.", "references": ["https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/", "https://www.shehackske.com/how-to/data-exfiltration-on-cloud-1606/"], "tags": {"analytic_story": ["Data Exfiltration", "Suspicious AWS S3 Activities"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user_arn", "type": "User", "role": ["Attacker"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "aws_account_id", "type": "Other", "role": ["Victim"]}], "message": "DataSync task created on account id - $aws_account_id$ by user $user_arn$ from src_ip $src_ip$", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1119", "mitre_attack_technique": "Automated Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "Chimera", "Confucius", "FIN5", "FIN6", "Gamaredon Group", "Ke3chang", "Mustang Panda", "OilRig", "Patchwork", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}]}, "type": "TTP", "search": "`cloudtrail` eventName = CreateTask eventSource=\"datasync.amazonaws.com\" | rename requestParameters.* as * | stats count min(_time) as firstTime max(_time) as lastTime by src_ip aws_account_id awsRegion eventName destinationLocationArn sourceLocationArn userAgent user_arn userIdentity.principalId errorCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_exfiltration_via_datasync_task_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "It is possible that an AWS Administrator has legitimately created this task for creating backup. Please check the `sourceLocationArn` and `destinationLocationArn` of this task", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_exfiltration_via_datasync_task_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Exfiltration via EC2 Snapshot", "author": "Bhavin Patel, Splunk", "date": "2023-03-22", "version": 1, "id": "ac90b339-13fc-4f29-a18c-4abbba1f2171", "description": "This search detects a series of AWS API calls, made in a short time window, related to EC2 snapshots that can detect a potential exfiltration via EC2 Snapshot modifications. In this attack, the attacker typically proceeds by listing and creating EC2 snapshots of the available EC2 instances followed by modifying snapshot attributes such that it can be shared externally. Once this is done, the attacker can then load that EC2 snapshot and access all the sensitive information.", "references": ["https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html", "https://bleemb.medium.com/data-exfiltration-with-native-aws-s3-features-c94ae4d13436", "https://stratus-red-team.cloud/attack-techniques/list/"], "tags": {"analytic_story": ["Data Exfiltration", "Suspicious Cloud Instance Activities"], "asset_type": "EC2 Snapshot", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.CM"], "observable": [{"name": "userName", "type": "User", "role": ["Attacker"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "aws_account_id", "type": "Other", "role": ["Victim"]}], "message": "Potential AWS EC2 Exfiltration detected on account id - $aws_account_id$ by user $userName$ from src_ip $src_ip$", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1537", "mitre_attack_technique": "Transfer Data to Cloud Account", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "`cloudtrail` eventName IN (\"CreateSnapshot\", \"DescribeSnapshotAttribute\", \"ModifySnapshotAttribute\", \"DeleteSnapshot\") src_ip !=\"guardduty.amazonaws.com\" | bin _time span=5m | stats count dc(eventName) as distinct_api_calls values(eventName) values(requestParameters.attributeType) as attributeType values(requestParameters.createVolumePermission.add.items{}.userId) as aws_account_id_added values(userAgent) as userAgent by _time userName src_ip aws_account_id | where distinct_api_calls >= 2 | `aws_exfiltration_via_ec2_snapshot_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. We have intentionally removed `guardduty.amazonaws.com` from src_ip to remove false positives caused by guard duty. We recommend you adjust the time window as per your environment.", "known_false_positives": "It is possible that an AWS admin has legitimately shared a snapshot with an other account for a specific purpose. Please check any recent change requests filed in your organization.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_exfiltration_via_ec2_snapshot_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS High Number Of Failed Authentications For User", "author": "Bhavin Patel, Splunk", "date": "2023-01-27", "version": 1, "id": "e3236f49-daf3-4b70-b808-9290912ac64d", "description": "The following analytic identifies an AWS account with more than 20 failed authentication events in the span of 5 minutes. This behavior could represent a brute force attack against the account. As environments differ across organizations, security teams should customize the threshold of this detection.", "references": ["https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/IAM/password-policy.html"], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover", "Compromised User Account"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user_name", "type": "User", "role": ["Victim"]}], "message": "User $user_name$ failed to authenticate more than 20 times in the span of 5 minutes for AWS Account $aws_account_id$", "risk_score": 35, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1201", "mitre_attack_technique": "Password Policy Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "OilRig", "Turla"]}]}, "type": "Anomaly", "search": "`cloudtrail` eventName=ConsoleLogin action=failure | bucket span=10m _time | stats dc(_raw) AS failed_attempts values(src_ip) as src_ip values(user_agent) by _time, user_name, eventName, eventSource aws_account_id | where failed_attempts > 20 | `aws_high_number_of_failed_authentications_for_user_filter`", "how_to_implement": "You must install Splunk AWS Add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "A user with more than 20 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_high_number_of_failed_authentications_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS High Number Of Failed Authentications From Ip", "author": "Bhavin Patel, Splunk", "date": "2023-01-30", "version": 1, "id": "f75b7f1a-b8eb-4975-a214-ff3e0a944757", "description": "The following analytic identifies an IP address failing to authenticate 20 or more times to the AWS Web Console in the span of 5 minutes. This behavior could represent a brute force attack against an AWS tenant to obtain initial access or elevate privileges. As environments differ across organizations, security teams should customize the threshold of this detection.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://www.whiteoaksecurity.com/blog/goawsconsolespray-password-spraying-tool/", "https://softwaresecuritydotblog.wordpress.com/2019/09/28/how-to-protect-against-credential-stuffing-on-aws/"], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover", "Compromised User Account"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "tried_accounts", "type": "User", "role": ["Victim"]}], "message": "Multiple failed console login attempts (Count: $failed_attempts$) against users from IP Address - $src_ip$", "risk_score": 54, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}]}, "type": "Anomaly", "search": "`cloudtrail` eventName=ConsoleLogin action=failure | bucket span=5m _time | stats dc(_raw) AS failed_attempts values(user_name) as tried_accounts values(user_agent) by _time, src_ip, eventName, eventSource aws_account_id | where failed_attempts > 20 | `aws_high_number_of_failed_authentications_from_ip_filter`", "how_to_implement": "You must install Splunk Add-on for AWS in order to ingest Cloudtrail. We recommend the users to try different combinations of the bucket span time and the tried account threshold to tune this search according to their environment.", "known_false_positives": "An Ip address with more than 20 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_high_number_of_failed_authentications_from_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS IAM AccessDenied Discovery Events", "author": "Michael Haag, Splunk", "date": "2021-11-12", "version": 2, "id": "3e1f1568-9633-11eb-a69c-acde48001122", "description": "The following detection identifies excessive AccessDenied events within an hour timeframe. It is possible that an access key to AWS may have been stolen and is being misused to perform discovery events. In these instances, the access is not available with the key stolen therefore these events will be generated.", "references": ["https://aws.amazon.com/premiumsupport/knowledge-center/troubleshoot-iam-permission-errors/"], "tags": {"analytic_story": ["Suspicious Cloud User Activities"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "userIdentity.arn", "type": "User", "role": ["Victim"]}], "message": "User $userIdentity.arn$ is seen to perform excessive number of discovery related api calls- $failures$, within an hour where the access was denied.", "risk_score": 10, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1580", "mitre_attack_technique": "Cloud Infrastructure Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Scattered Spider"]}]}, "type": "Anomaly", "search": "`cloudtrail` (errorCode = \"AccessDenied\") user_type=IAMUser (userAgent!=*.amazonaws.com) | bucket _time span=1h | stats count as failures min(_time) as firstTime max(_time) as lastTime, dc(eventName) as methods, dc(eventSource) as sources by src_ip, userIdentity.arn, _time | where failures >= 5 and methods >= 1 and sources >= 1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_iam_accessdenied_discovery_events_filter`", "how_to_implement": "The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS CloudTrail logs.", "known_false_positives": "It is possible to start this detection will need to be tuned by source IP or user. In addition, change the count values to an upper threshold to restrict false positives.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_iam_accessdenied_discovery_events_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS IAM Assume Role Policy Brute Force", "author": "Michael Haag, Splunk", "date": "2021-04-01", "version": 1, "id": "f19e09b0-9308-11eb-b7ec-acde48001122", "description": "The following detection identifies any malformed policy document exceptions with a status of `failure`. A malformed policy document exception occurs in instances where roles are attempted to be assumed, or brute forced. In a brute force attempt, using a tool like CloudSploit or Pacu, an attempt will look like `arn:aws:iam::111111111111:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS`. Meaning, when an adversary is attempting to identify a role name, multiple failures will occur. This detection focuses on the errors of a remote attempt that is failing.", "references": ["https://www.praetorian.com/blog/aws-iam-assume-role-vulnerabilities/", "https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/", "https://www.elastic.co/guide/en/security/current/aws-iam-brute-force-of-assume-role-policy.html"], "tags": {"analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "message": "User $user_arn$ has caused multiple failures with errorCode $errorCode$, which potentially means adversary is attempting to identify a role name.", "risk_score": 28, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1580", "mitre_attack_technique": "Cloud Infrastructure Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Scattered Spider"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "type": "TTP", "search": "`cloudtrail` (errorCode=MalformedPolicyDocumentException) status=failure (userAgent!=*.amazonaws.com) | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.policyName) as policy_name by src eventName eventSource aws_account_id errorCode requestParameters.policyDocument userAgent eventID awsRegion userIdentity.principalId user_arn | where count >= 2 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_iam_assume_role_policy_brute_force_filter`", "how_to_implement": "The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS CloudTrail logs. Set the `where count` greater than a value to identify suspicious activity in your environment.", "known_false_positives": "This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_iam_assume_role_policy_brute_force_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS IAM Delete Policy", "author": "Michael Haag, Splunk", "date": "2021-04-01", "version": 1, "id": "ec3a9362-92fe-11eb-99d0-acde48001122", "description": "The following detection identifies when a policy is deleted on AWS. This does not identify whether successful or failed, but the error messages tell a story of suspicious attempts. There is a specific process to follow when deleting a policy. First, detach the policy from all users, groups, and roles that the policy is attached to, using DetachUserPolicy , DetachGroupPolicy , or DetachRolePolicy.", "references": ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeletePolicy.html", "https://docs.aws.amazon.com/cli/latest/reference/iam/delete-policy.html"], "tags": {"analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "message": "User $user_arn$ has deleted AWS Policies from IP address $src$ by executing the following command $eventName$", "risk_score": 10, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}]}, "type": "Hunting", "search": "`cloudtrail` eventName=DeletePolicy (userAgent!=*.amazonaws.com) | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.policyArn) as policyArn by src user_arn eventName eventSource aws_account_id errorCode errorMessage userAgent eventID awsRegion userIdentity.principalId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_iam_delete_policy_filter`", "how_to_implement": "The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS CloudTrail logs.", "known_false_positives": "This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete policies (least privilege). In addition, this may be saved seperately and tuned for failed or success attempts only.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_iam_delete_policy_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS IAM Failure Group Deletion", "author": "Michael Haag, Splunk", "date": "2023-11-07", "version": 2, "id": "723b861a-92eb-11eb-93b8-acde48001122", "description": "This detection identifies failure attempts to delete groups. We want to identify when a group is attempting to be deleted, but either access is denied, there is a conflict or there is no group. This is indicative of administrators performing an action, but also could be suspicious behavior occurring. Review parallel IAM events - recently added users, new groups and so forth.", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html", "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroup.html"], "tags": {"analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "message": "User $user_arn$ has had mulitple failures while attempting to delete groups from $src$", "risk_score": 5, "security_domain": "cloud", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}]}, "type": "Anomaly", "search": "`cloudtrail` eventSource=iam.amazonaws.com eventName=DeleteGroup errorCode IN (NoSuchEntityException,DeleteConflictException, AccessDenied) (userAgent!=*.amazonaws.com) | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.groupName) as group_name by src eventName eventSource aws_account_id errorCode errorMessage userAgent eventID awsRegion userIdentity.principalId user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_iam_failure_group_deletion_filter`", "how_to_implement": "The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS CloudTrail logs.", "known_false_positives": "This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete groups (least privilege).", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_iam_failure_group_deletion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS IAM Successful Group Deletion", "author": "Michael Haag, Splunk", "date": "2021-03-31", "version": 1, "id": "e776d06c-9267-11eb-819b-acde48001122", "description": "The following query uses IAM events to track the success of a group being deleted on AWS. This is typically not indicative of malicious behavior, but a precurser to additional events thay may unfold. Review parallel IAM events - recently added users, new groups and so forth. Inversely, review failed attempts in a similar manner.", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html", "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroup.html"], "tags": {"analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}, {"name": "group_deleted", "type": "User", "role": ["Victim"]}], "message": "User $user_arn$ has sucessfully deleted mulitple groups $group_deleted$ from $src$", "risk_score": 5, "security_domain": "cloud", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069.003", "mitre_attack_technique": "Cloud Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}]}, "type": "Hunting", "search": "`cloudtrail` eventSource=iam.amazonaws.com eventName=DeleteGroup errorCode=success (userAgent!=*.amazonaws.com) | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.groupName) as group_deleted by src eventName eventSource errorCode user_agent awsRegion userIdentity.principalId user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_iam_successful_group_deletion_filter`", "how_to_implement": "The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS CloudTrail logs.", "known_false_positives": "This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete groups (least privilege).", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_iam_successful_group_deletion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Lambda UpdateFunctionCode", "author": "Bhavin Patel, Splunk", "date": "2022-02-24", "version": 1, "id": "211b80d3-6340-4345-11ad-212bf3d0d111", "description": "This analytic is designed to detect IAM users attempting to update/modify AWS lambda code via the AWS CLI to gain persistence, futher access into your AWS environment and to facilitate planting backdoors. In this instance, an attacker may upload malicious code/binary to a lambda function which will be executed automatically when the funnction is triggered.", "references": ["http://detectioninthe.cloud/execution/modify_lambda_function_code/", "https://sysdig.com/blog/exploit-mitigate-aws-lambdas-mitre/"], "tags": {"analytic_story": ["Suspicious Cloud User Activities"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Attacker"]}], "message": "User $user_arn$ is attempting to update the lambda function code of $function_updated$ from this IP $src_ip$", "risk_score": 63, "security_domain": "cloud", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}]}, "type": "Hunting", "search": "`cloudtrail` eventSource=lambda.amazonaws.com eventName=UpdateFunctionCode* errorCode = success user_type=IAMUser | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.functionName) as function_updated by src_ip user_arn user_agent user_type eventName aws_account_id |`aws_lambda_updatefunctioncode_filter`", "how_to_implement": "You must install Splunk AWS Add on and enable Cloudtrail logs in your AWS Environment.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin or an autorized IAM user has updated the lambda fuction code legitimately.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_lambda_updatefunctioncode_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Multi-Factor Authentication Disabled", "author": "Bhavin Patel, Splunk", "date": "2022-10-04", "version": 1, "id": "374832b1-3603-420c-b456-b373e24d34c0", "description": "The following analytic identifies an attempt to disable multi-factor authentication for an AWS IAM user. An adversary who has obtained access to an AWS tenant may disable multi-factor authentication as a way to plant a backdoor and maintain persistence using a valid account. This way the attackers can keep persistance in the environment without adding new users.", "references": ["https://attack.mitre.org/techniques/T1621/", "https://aws.amazon.com/what-is/mfa/"], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation", "Weaponization"], "nist": ["DE.CM"], "observable": [{"name": "aws_account_id", "type": "Other", "role": ["Victim"]}, {"name": "user_name", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "User $user_name$ has disabled Multi-Factor authentication for AWS account $aws_account_id$", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1556.006", "mitre_attack_technique": "Multi-Factor Authentication", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["Scattered Spider"]}]}, "type": "TTP", "search": "`cloudtrail` (eventName= DeleteVirtualMFADevice OR eventName=DeactivateMFADevice) | stats count min(_time) as firstTime max(_time) as lastTime by src eventName eventSource aws_account_id userAgent eventID awsRegion user_name userIdentity.arn status | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_multi_factor_authentication_disabled_filter`", "how_to_implement": "The Splunk AWS Add-on is required to utilize this data. The search requires AWS CloudTrail logs.", "known_false_positives": "AWS Administrators may disable MFA but it is highly unlikely for this event to occur without prior notice to the company", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_multi_factor_authentication_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Multiple Failed MFA Requests For User", "author": "Bhavin Patel", "date": "2022-10-03", "version": 1, "id": "1fece617-e614-4329-9e61-3ba228c0f353", "description": "The following analytic identifies multiple failed multi-factor authentication requests to an AWS Console for a single user. AWS CloudTrail logs provide a a very useful field called `additionalEventData` that logs information regarding usage of MFA. Specifically, the analytic triggers when more than 10 MFA user prompts fail within 10 minutes. AWS Environments can be very different depending on the organization, Security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls as reported by Mandiant and others.", "references": ["https://attack.mitre.org/techniques/T1621/", "https://aws.amazon.com/what-is/mfa/"], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Weaponization"], "nist": ["DE.AE"], "observable": [{"name": "user_name", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "User $user_name$ is seen to have high number of MFA prompt failures within a short period of time.", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$", "Scattered Spider"]}]}, "type": "Anomaly", "search": "`cloudtrail` eventName= ConsoleLogin \"additionalEventData.MFAUsed\"=Yes errorMessage=\"Failed authentication\" | bucket span=5m _time | stats dc(_raw) as mfa_prompts values(userAgent) as userAgent values(src) as src by _time user_name user_arn aws_account_id eventName errorMessage | where mfa_prompts > 10| `aws_multiple_failed_mfa_requests_for_user_filter`", "how_to_implement": "The Splunk AWS Add-on is required to utilize this data. The search requires AWS CloudTrail logs.", "known_false_positives": "Multiple Failed MFA requests may also be a sign of authentication or application issues. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_multiple_failed_mfa_requests_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Multiple Users Failing To Authenticate From Ip", "author": "Bhavin Patel", "date": "2022-09-27", "version": 1, "id": "71e1fb89-dd5f-4691-8523-575420de4630", "description": "The following analytic identifies one source Ip failing to authenticate into the AWS Console with 30 unique valid users within 10 minutes. This behavior could represent an adversary performing a Password Spraying attack against an AWS environment tenant to obtain initial access or elevate privileges.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://www.whiteoaksecurity.com/blog/goawsconsolespray-password-spraying-tool/", "https://softwaresecuritydotblog.wordpress.com/2019/09/28/how-to-protect-against-credential-stuffing-on-aws/"], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover", "Compromised User Account"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "tried_accounts", "type": "User", "role": ["Victim"]}], "message": "Multiple failed console login attempts (Count: $unique_accounts$) against users from IP Address - $src_ip$", "risk_score": 54, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}]}, "type": "Anomaly", "search": "`cloudtrail` eventName=ConsoleLogin action=failure | bucket span=10m _time | stats dc(user_name) AS unique_accounts values(user_name) as tried_accounts by _time, src_ip |`aws_unusual_number_of_failed_authentications_from_ip_filter`", "how_to_implement": "You must install Splunk Add-on for AWS in order to ingest Cloudtrail. We recommend the users to try different combinations of the bucket span time and the tried account threshold to tune this search according to their environment.", "known_false_positives": "No known false postives for this detection. Please review this alert", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_multiple_users_failing_to_authenticate_from_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Network Access Control List Created with All Open Ports", "author": "Bhavin Patel, Patrick Bareiss, Splunk", "date": "2024-05-14", "version": 3, "id": "ada0f478-84a8-4641-a3f1-d82362d6bd75", "description": "The following analytic detects the creation of AWS Network Access Control Lists (ACLs) with all ports open to a specified CIDR. It leverages AWS CloudTrail events, specifically monitoring for `CreateNetworkAclEntry` or `ReplaceNetworkAclEntry` actions with rules allowing all traffic. This activity is significant because it can expose the network to unauthorized access, increasing the risk of data breaches and other malicious activities. If confirmed malicious, an attacker could exploit this misconfiguration to gain unrestricted access to the network, potentially leading to data exfiltration, service disruption, or further compromise of the AWS environment.", "references": [], "tags": {"analytic_story": ["AWS Network ACL Activity"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "message": "User $user_arn$ has created network ACLs with all the ports open to a specified CIDR $requestParameters.cidrBlock$", "risk_score": 48, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.007", "mitre_attack_technique": "Disable or Modify Cloud Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "TTP", "search": "`cloudtrail` eventName=CreateNetworkAclEntry OR eventName=ReplaceNetworkAclEntry requestParameters.ruleAction=allow requestParameters.egress=false requestParameters.aclProtocol=-1 | append [search `cloudtrail` eventName=CreateNetworkAclEntry OR eventName=ReplaceNetworkAclEntry requestParameters.ruleAction=allow requestParameters.egress=false requestParameters.aclProtocol!=-1 | eval port_range='requestParameters.portRange.to' - 'requestParameters.portRange.from' | where port_range>1024] | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by userName user_arn userIdentity.principalId eventName requestParameters.ruleAction requestParameters.egress requestParameters.aclProtocol requestParameters.portRange.to requestParameters.portRange.from src userAgent requestParameters.cidrBlock | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `aws_network_access_control_list_created_with_all_open_ports_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS, version 4.4.0 or later, and configure your AWS CloudTrail inputs.", "known_false_positives": "It's possible that an admin has created this ACL with all ports open for some legitimate purpose however, this should be scoped and not allowed in production environment.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_network_access_control_list_created_with_all_open_ports_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Network Access Control List Deleted", "author": "Bhavin Patel, Patrick Bareiss, Splunk", "date": "2021-01-12", "version": 2, "id": "ada0f478-84a8-4641-a3f1-d82362d6fd75", "description": "Enforcing network-access controls is one of the defensive mechanisms used by cloud administrators to restrict access to a cloud instance. After the attacker has gained control of the AWS console by compromising an admin account, they can delete a network ACL and gain access to the instance from anywhere. This search will query the AWS CloudTrail logs to detect users deleting network ACLs.", "references": [], "tags": {"analytic_story": ["AWS Network ACL Activity"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "message": "User $user_arn$ from $src$ has sucessfully deleted network ACLs entry (eventName= $eventName$), such that the instance is accessible from anywhere", "risk_score": 5, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.007", "mitre_attack_technique": "Disable or Modify Cloud Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "Anomaly", "search": "`cloudtrail` eventName=DeleteNetworkAclEntry requestParameters.egress=false | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId eventName requestParameters.egress src userAgent | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `aws_network_access_control_list_deleted_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs.", "known_false_positives": "It's possible that a user has legitimately deleted a network ACL.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_network_access_control_list_deleted_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS New MFA Method Registered For User", "author": "Bhavin Patel, Splunk", "date": "2024-05-13", "version": 2, "id": "4e3c26f2-4fb9-4bd7-ab46-1b76ffa2a23b", "description": "The following analytic detects the registration of a new Multi-Factor Authentication (MFA) method for an AWS account. It leverages AWS CloudTrail logs to identify the `CreateVirtualMFADevice` event. This activity is significant because adversaries who gain unauthorized access to an AWS account may register a new MFA method to maintain persistence. If confirmed malicious, this could allow attackers to secure their access, making it difficult to detect and remove their presence, potentially leading to further unauthorized activities and data breaches.", "references": ["https://aws.amazon.com/blogs/security/you-can-now-assign-multiple-mfa-devices-in-iam/", "https://attack.mitre.org/techniques/T1556/", "https://attack.mitre.org/techniques/T1556/006/", "https://twitter.com/jhencinski/status/1618660062352007174"], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "user_arn", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "A new virtual device $virtualMFADeviceName$ is added to user $user_arn$", "risk_score": 64, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1556.006", "mitre_attack_technique": "Multi-Factor Authentication", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["Scattered Spider"]}]}, "type": "TTP", "search": " `cloudtrail` eventName=CreateVirtualMFADevice | stats count values(requestParameters.virtualMFADeviceName) as virtualMFADeviceName min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_new_mfa_method_registered_for_user_filter`", "how_to_implement": "You must install Splunk AWS add on and Splunk App for AWS. This search works when AWS CloudTrail logs.", "known_false_positives": "Newly onboarded users who are registering an MFA method for the first time will also trigger this detection.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_new_mfa_method_registered_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Password Policy Changes", "author": "Bhavin Patel, Splunk", "date": "2023-01-26", "version": 1, "id": "aee4a575-7064-4e60-b511-246f9baf9895", "description": "This search looks for AWS CloudTrail events where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.", "references": ["https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/IAM/password-policy.html"], "tags": {"analytic_story": ["AWS IAM Privilege Escalation", "Compromised User Account"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Attacker"]}], "message": "User $user_arn$ is attempting to $eventName$ the password policy for account id $aws_account_id$", "risk_score": 72, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1201", "mitre_attack_technique": "Password Policy Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "OilRig", "Turla"]}]}, "type": "Hunting", "search": "`cloudtrail` eventName IN (\"UpdateAccountPasswordPolicy\",\"GetAccountPasswordPolicy\",\"DeleteAccountPasswordPolicy\") errorCode=success | stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_password_policy_changes_filter`", "how_to_implement": "You must install Splunk AWS Add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has legitimately triggered an AWS audit tool activity which may trigger this event.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_password_policy_changes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS S3 Exfiltration Behavior Identified", "author": "Bhavin Patel, Splunk", "date": "2023-11-07", "version": 2, "id": "85096389-a443-42df-b89d-200efbb1b560", "description": "This correlation search looks at the risk events created by the detection analytics related Collection and Exfiltration techniques used by adversaries. The rule is designed to identify instances where 2 or more analytics unique AWS analytics and 2 or more distinct mitre IDs has triggered for a particular risk object. This alert when triggered may indicate a potential exfiltration in progress. By aggregating these analytics, security teams can swiftly respond to and investigate any suspicious activities, enhancing their ability to protect critical assets and prevent unauthorized access to sensitive information.", "references": ["https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/", "https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot/", "https://hackingthe.cloud/aws/enumeration/loot_public_ebs_snapshots/"], "tags": {"analytic_story": ["Data Exfiltration", "Suspicious Cloud Instance Activities"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "Hostname", "role": ["Victim"]}], "message": "Multiple AWS Exfiltration detections $source$ and techniques $annotations.mitre_attack.mitre_tactic_id$ trigged for risk object $risk_object$", "risk_score": 81, "security_domain": "threat", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1537", "mitre_attack_technique": "Transfer Data to Cloud Account", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": []}]}, "type": "Correlation", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count values(All_Risk.risk_message) as risk_message from datamodel=Risk.All_Risk where All_Risk.annotations.mitre_attack.mitre_tactic = \"collection\" OR All_Risk.annotations.mitre_attack.mitre_tactic = \"exfiltration\" source = *AWS* by All_Risk.risk_object | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 2 and mitre_tactic_id_count>=2 | `aws_s3_exfiltration_behavior_identified_filter`", "how_to_implement": "You must enable all the detection searches in the Data Exfiltration Analytic story to create risk events in Enterprise Security.", "known_false_positives": "alse positives may be present based on automated tooling or system administrators. Filter as needed.", "datamodel": ["Risk"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "aws_s3_exfiltration_behavior_identified_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS SAML Access by Provider User and Principal", "author": "Rod Soto, Splunk", "date": "2021-01-26", "version": 1, "id": "bbe23980-6019-11eb-ae93-0242ac130002", "description": "This search provides specific SAML access from specific Service Provider, user and targeted principal at AWS. This search provides specific information to detect abnormal access or potential credential hijack or forgery, specially in federated environments using SAML protocol inside the perimeter or cloud provider.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", "https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps"], "tags": {"analytic_story": ["Cloud Federated Credential Abuse"], "asset_type": "AWS Federated Account", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "sourceIPAddress", "type": "IP Address", "role": ["Attacker"]}, {"name": "recipientAccountId", "type": "Other", "role": ["Victim"]}], "message": "From IP address $sourceIPAddress$, user agent $userAgent$ has trigged an event $eventName$ for account ID $recipientAccountId$", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "type": "Anomaly", "search": "`cloudtrail` eventName=Assumerolewithsaml | stats count min(_time) as firstTime max(_time) as lastTime by eventName requestParameters.principalArn requestParameters.roleArn requestParameters.roleSessionName recipientAccountId responseElements.issuer sourceIPAddress userAgent | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |`aws_saml_access_by_provider_user_and_principal_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs", "known_false_positives": "Attacks using a Golden SAML or SAML assertion hijacks or forgeries are very difficult to detect as accessing cloud providers with these assertions looks exactly like normal access, however things such as source IP sourceIPAddress user, and principal targeted at receiving cloud provider along with endpoint credential access and abuse detection searches can provide the necessary context to detect these attacks.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_saml_access_by_provider_user_and_principal_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS SAML Update identity provider", "author": "Rod Soto, Splunk", "date": "2021-01-26", "version": 1, "id": "2f0604c6-6030-11eb-ae93-0242ac130002", "description": "This search provides detection of updates to SAML provider in AWS. Updates to SAML provider need to be monitored closely as they may indicate possible perimeter compromise of federated credentials, or backdoor access from another cloud provider set by attacker.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", "https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps"], "tags": {"analytic_story": ["Cloud Federated Credential Abuse"], "asset_type": "AWS Federated Account", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "sourceIPAddress", "type": "IP Address", "role": ["Attacker"]}, {"name": "userIdentity.principalId", "type": "User", "role": ["Victim", "Target"]}], "message": "User $userIdentity.principalId$ from IP address $sourceIPAddress$ has trigged an event $eventName$ to update the SAML provider to $requestParameters.sAMLProviderArn$", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": "`cloudtrail` eventName=UpdateSAMLProvider | stats count min(_time) as firstTime max(_time) as lastTime by eventType eventName requestParameters.sAMLProviderArn userIdentity.sessionContext.sessionIssuer.arn sourceIPAddress userIdentity.accessKeyId userIdentity.principalId | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |`aws_saml_update_identity_provider_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "Updating a SAML provider or creating a new one may not necessarily be malicious however it needs to be closely monitored.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_saml_update_identity_provider_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS SetDefaultPolicyVersion", "author": "Bhavin Patel, Splunk", "date": "2021-03-02", "version": 1, "id": "2a9b80d3-6340-4345-11ad-212bf3d0dac4", "description": "This search looks for AWS CloudTrail events where a user has set a default policy versions. Attackers have been know to use this technique for Privilege Escalation in case the previous versions of the policy had permissions to access more resources than the current version of the policy", "references": ["https://bishopfox.com/blog/privilege-escalation-in-aws", "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/"], "tags": {"analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "message": "From IP address $src$, user $user_arn$ has trigged an event $eventName$ for updating the the default policy version", "risk_score": 30, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": "`cloudtrail` eventName=SetDefaultPolicyVersion eventSource = iam.amazonaws.com | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.policyArn) as policy_arn by src requestParameters.versionId eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_setdefaultpolicyversion_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has legitimately set a default policy to allow a user to access all resources. That said, AWS strongly advises against granting full control to all AWS resources", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_setdefaultpolicyversion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Successful Console Authentication From Multiple IPs", "author": "Bhavin Patel, Splunk", "date": "2023-11-07", "version": 2, "id": "395e50e1-2b87-4fa3-8632-0dfbdcbcd2cb", "description": "The following analytic identifies an AWS account successfully authenticating from more than one unique Ip address in the span of 5 minutes. This behavior could represent an adversary who has stolen credentials via a phishing attack or some other method and using them to access corporate online resources around the same time as a legitimate user. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments.", "references": ["https://rhinosecuritylabs.com/aws/mfa-phishing-on-aws/"], "tags": {"analytic_story": ["Compromised User Account", "Suspicious AWS Login Activities"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Weaponization"], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "message": "User $user_arn$ has successfully logged into the AWS Console from different IP addresses $src_ip$ within 5 mins", "risk_score": 72, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": " `cloudtrail` eventName = ConsoleLogin | bin span=5m _time | stats values(userAgent) as userAgent values(eventName) as eventName values(src_ip) as src_ip dc(src_ip) as distinct_ip_count by _time user_arn | where distinct_ip_count>1 | `aws_successful_console_authentication_from_multiple_ips_filter`", "how_to_implement": "You must install Splunk AWS add on and Splunk App for AWS. This search works when AWS CloudTrail events are normalized use the Authentication datamodel.", "known_false_positives": "A user with successful authentication events from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_successful_console_authentication_from_multiple_ips_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Successful Single-Factor Authentication", "author": "Bhavin Patel, Splunk", "date": "2022-10-04", "version": 1, "id": "a520b1fe-cc9e-4f56-b762-18354594c52f", "description": "The following analytic identifies a successful Console Login authentication event against an AWS IAM user for an account without Multi-Factor Authentication enabled. This could be evidence of a misconfiguration, a policy violation or an account take over attempt that should be investigated", "references": ["https://attack.mitre.org/techniques/T1621/", "https://attack.mitre.org/techniques/T1078/004/", "https://aws.amazon.com/what-is/mfa/"], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Weaponization"], "nist": ["DE.CM"], "observable": [{"name": "user_name", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "User $user_name$ has successfully logged into an AWS Console without Multi-Factor Authentication from $src$", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}]}, "type": "TTP", "search": "`cloudtrail` eventName= ConsoleLogin errorCode=success \"additionalEventData.MFAUsed\"=No | stats count min(_time) as firstTime max(_time) as lastTime by src eventName eventSource aws_account_id errorCode additionalEventData.MFAUsed userAgent eventID awsRegion user_name userIdentity.arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_successful_single_factor_authentication_filter`", "how_to_implement": "The Splunk AWS Add-on is required to utilize this data. The search requires AWS CloudTrail logs.", "known_false_positives": "It is possible that some accounts do not have MFA enabled for the AWS account however its agaisnt the best practices of securing AWS.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_successful_single_factor_authentication_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Unusual Number of Failed Authentications From Ip", "author": "Bhavin Patel, Splunk", "date": "2023-11-07", "version": 2, "id": "0b5c9c2b-e2cb-4831-b4f1-af125ceb1386", "description": "The following analytic identifies one source IP failing to authenticate into the AWS Console with multiple valid users. This behavior could represent an adversary performing a Password Spraying attack against an AWS environment to obtain initial access or elevate privileges. The detection calculates the standard deviation for source IP and leverages the 3-sigma statistical rule to identify an unusual number of failed authentication attempts. To customize this analytic, users can try different combinations of the bucket span time and the calculation of the upperBound field. This logic can be used for real time security monitoring as well as threat hunting exercises. While looking for anomalies using statistical methods like the standard deviation can have benefits, we also recommend using threshold-based detections to complement coverage. A similar analytic following the threshold model is `AWS Multiple Users Failing To Authenticate From Ip`.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://www.whiteoaksecurity.com/blog/goawsconsolespray-password-spraying-tool/", "https://softwaresecuritydotblog.wordpress.com/2019/09/28/how-to-protect-against-credential-stuffing-on-aws/"], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Weaponization"], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "tried_accounts", "type": "User", "role": ["Victim"]}], "message": "Unusual number of failed console login attempts (Count: $distinct_attempts$) against users from IP Address - $src_ip$", "risk_score": 54, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}]}, "type": "Anomaly", "search": "`cloudtrail` eventName=ConsoleLogin action=failure | bucket span=10m _time | stats dc(_raw) AS distinct_attempts values(user_name) as tried_accounts by _time, src_ip | eventstats avg(distinct_attempts) as avg_attempts , stdev(distinct_attempts) as ip_std by _time | eval upperBound=(avg_attempts+ip_std*3) | eval isOutlier=if(distinct_attempts > 10 and distinct_attempts >= upperBound, 1, 0) | where isOutlier = 1 |`aws_unusual_number_of_failed_authentications_from_ip_filter`", "how_to_implement": "You must install Splunk Add-on for AWS in order to ingest Cloudtrail. We recommend the users to try different combinations of the bucket span time and the calculation of the upperBound field to tune this search according to their environment", "known_false_positives": "No known false postives for this detection. Please review this alert", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_unusual_number_of_failed_authentications_from_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS UpdateLoginProfile", "author": "Bhavin Patel, Splunk", "date": "2022-03-03", "version": 3, "id": "2a9b80d3-6a40-4115-11ad-212bf3d0d111", "description": "This search looks for AWS CloudTrail events where a user A who has already permission to update login profile, makes an API call to update login profile for another user B . Attackers have been know to use this technique for Privilege Escalation in case new victim(user B) has more permissions than old victim(user B)", "references": ["https://bishopfox.com/blog/privilege-escalation-in-aws", "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/"], "tags": {"analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "message": "From IP address $src$, user agent $userAgent$ has trigged an event $eventName$ for updating the existing login profile, potentially giving user $user_arn$ more access privilleges", "risk_score": 30, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider", "Scattered Spider"]}]}, "type": "TTP", "search": " `cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success | eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0) | search match=0 | stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_updateloginprofile_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has legitimately created keys for another user.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_updateloginprofile_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure Active Directory High Risk Sign-in", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2023-12-20", "version": 2, "id": "1ecff169-26d7-4161-9a7b-2ac4c8e61bea", "description": "The following analytic triggers on a high risk sign-in against Azure Active Directory identified by Azure Identity Protection. Identity Protection monitors sign-in events using heuristics and machine learning to identify potentially malicious events and categorizes them in three categories high, medium and low.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray", "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection", "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Weaponization"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "A high risk event was identified by Identify Protection for user $user$", "risk_score": 54, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}]}, "type": "TTP", "search": " `azure_monitor_aad` category=UserRiskEvents properties.riskLevel=high | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip, activity, riskLevel, riskEventType, additionalInfo | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_active_directory_high_risk_sign_in_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. Specifically, this analytic leverages the RiskyUsers and UserRiskEvents log category in the azure:monitor:aad sourcetype.", "known_false_positives": "Details for the risk calculation algorithm used by Identity Protection are unknown and may be prone to false positives.", "datamodel": ["Risk"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_active_directory_high_risk_sign_in_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD Admin Consent Bypassed by Service Principal", "author": "Mauricio Velazco, Splunk", "date": "2024-02-09", "version": 1, "id": "9d4fea43-9182-4c5a-ada8-13701fd5615d", "description": "This detection focuses on identifying instances in Azure Active Directory where a service principal assigns app roles without standard admin consent, using Entra ID logs. It operates on the azure_monitor_aad data source, scrutinizing the \"Add app role assignment to service principal\" operation, specifically from service principals. The query dissects details such as role ID, value, and description, important for understanding the nature of the roles being assigned. Monitoring this in a SOC is critical as it flags potential bypasses of vital administrative consent processes in Azure AD, which could result in unauthorized privileges being granted. A true positive detection suggests that a service principal may be exploiting automation to assign sensitive permissions without proper oversight.", "references": ["https://attack.mitre.org/techniques/T1098/003/"], "tags": {"analytic_story": ["Azure Active Directory Privilege Escalation", "NOBELIUM Group"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}], "message": "Service principal $src_user$ bypassed the admin consent process and granted permissions to $dest_user$", "risk_score": 54, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098.003", "mitre_attack_technique": "Additional Cloud Roles", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}]}, "type": "TTP", "search": "`azure_monitor_aad` operationName=\"Add app role assignment to service principal\" src_user_type=servicePrincipal | rename properties.* as * | eval roleId = mvindex('targetResources{}.modifiedProperties{}.newValue', 0) | eval roleValue = mvindex('targetResources{}.modifiedProperties{}.newValue', 1) | eval roleDescription = mvindex('targetResources{}.modifiedProperties{}.newValue', 2) | eval dest_user = mvindex('targetResources{}.id', 0) | rename initiatedBy.app.displayName as src_user | stats count earliest(_time) as firstTime latest(_time) as lastTime by src_user dest_user roleId roleValue roleDescription | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_admin_consent_bypassed_by_service_principal_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Auditlog log category", "known_false_positives": "Service Principals are sometimes configured to legitimately bypass the consent process for purposes of automation. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_admin_consent_bypassed_by_service_principal_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD Application Administrator Role Assigned", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2023-12-20", "version": 2, "id": "eac4de87-7a56-4538-a21b-277897af6d8d", "description": "The following analytic identifies the assignment of the Application Administrator role to an Azure AD user. Users in this role can create and manage all aspects of enterprise applications, application registrations, and application proxy settings. This role also grants the ability to manage application credentials. Users assigned this role can add credentials to an application, and use those credentials to impersonate the applications identity. If the applications identity has been granted access to a resource, such as the ability to create or update User or other objects, then a user assigned to this role could perform those actions while impersonating the application. This ability to impersonate the applications identity may be an elevation of privilege over what the user can do via their role assignments. Red teams and adversaries alike may abuse this role to escalate their privileges in an Azure AD tenant.", "references": ["https://dirkjanm.io/azure-ad-privilege-escalation-application-admin/", "https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5", "https://docs.microsoft.com/en-us/azure/active-directory/roles/concept-understand-roles", "https://attack.mitre.org/techniques/T1098/003/", "https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#application-administrator"], "tags": {"analytic_story": ["Azure Active Directory Privilege Escalation"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "initiatedBy", "type": "User", "role": ["Attacker"]}], "message": "The privileged Azure AD role Application Administrator was assigned for User $user$ initiated by $initiatedBy$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1098.003", "mitre_attack_technique": "Additional Cloud Roles", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}]}, "type": "TTP", "search": " `azure_monitor_aad` \"operationName\"=\"Add member to role\" \"properties.targetResources{}.modifiedProperties{}.newValue\"=\"\\\"Application Administrator\\\"\" | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | stats count min(_time) as firstTime max(_time) as lastTime by user initiatedBy, result, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_application_administrator_role_assigned_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Auditlog log category", "known_false_positives": "Administrators may legitimately assign the Application Administrator role to a user. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_application_administrator_role_assigned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD Authentication Failed During MFA Challenge", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2023-12-20", "version": 2, "id": "e62c9c2e-bf51-4719-906c-3074618fcc1c", "description": "The following analytic identifies an authentication attempt event against an Azure AD tenant that fails during the Multi Factor Authentication challenge. Error Code 500121 represents a failed attempt to authenticate using a second factor. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled. ", "references": ["https://attack.mitre.org/techniques/T1621/", "https://attack.mitre.org/techniques/T1078/004/", "https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Weaponization"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "User $user$ failed to pass MFA challenge", "risk_score": 54, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$", "Scattered Spider"]}]}, "type": "TTP", "search": " `azure_monitor_aad` category=SignInLogs properties.status.errorCode=500121 | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime by user, src_ip, status.additionalDetails, appDisplayName, user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_authentication_failed_during_mfa_challenge_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category.", "known_false_positives": "Legitimate users may miss to reply the MFA challenge within the time window or deny it by mistake.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_authentication_failed_during_mfa_challenge_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD Block User Consent For Risky Apps Disabled", "author": "Mauricio Velazco, Splunk", "date": "2023-12-20", "version": 2, "id": "875de3d7-09bc-4916-8c0a-0929f4ced3d8", "description": "This analytic detects when the risk-based step-up consent security setting in Azure AD is disabled. This setting, when enabled, prevents regular users from granting consent to potentially malicious OAuth applications, requiring an administrative step-up for consent instead. Disabling this feature could expose the organization to OAuth phishing threats.The detection operates by monitoring Azure Active Directory logs for events where the \"Update authorization policy\" operation is performed. It specifically looks for changes to the \"AllowUserConsentForRiskyApps\" setting, identifying instances where this setting is switched to \"true,\" effectively disabling the risk-based step-up consent. Monitoring for changes to critical security settings like the \"risk-based step-up consent\" is vital for maintaining the integrity of an organization's security posture. Disabling this feature can make the environment more susceptible to OAuth phishing attacks, where attackers trick users into granting permissions to malicious applications. Identifying when this setting is disabled can help blue teams to quickly respond, investigate, and potentially uncover targeted phishing campaigns against their users. If an attacker successfully disables the \"risk-based step-up consent\" and subsequently launches an OAuth phishing campaign, they could gain unauthorized access to user data and other sensitive information within the M365 environment. This could lead to data breaches, unauthorized access to emails, and potentially further compromise within the organization", "references": ["https://attack.mitre.org/techniques/T1562/", "https://goodworkaround.com/2020/10/19/a-look-behind-the-azure-ad-permission-classifications-preview/", "https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-risk-based-step-up-consent", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ disabled the BlockUserConsentForRiskyApps Azure AD setting.", "risk_score": 30, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "TTP", "search": "`azure_monitor_aad` operationName=\"Update authorization policy\" | rename properties.* as * | eval index_number = if(mvfind('targetResources{}.modifiedProperties{}.displayName', \"AllowUserConsentForRiskyApps\") >= 0, mvfind('targetResources{}.modifiedProperties{}.displayName', \"AllowUserConsentForRiskyApps\"), -1) | search index_number >= 0 | eval AllowUserConsentForRiskyApps = mvindex('targetResources{}.modifiedProperties{}.newValue',index_number) | search AllowUserConsentForRiskyApps = \"[true]\" | stats count min(_time) as firstTime max(_time) as lastTime by user, src_ip, operationName, AllowUserConsentForRiskyApps | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_block_user_consent_for_risky_apps_disabled_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.", "known_false_positives": "Legitimate changes to the 'risk-based step-up consent' setting by administrators, perhaps as part of a policy update or security assessment, may trigger this alert, necessitating verification of the change's intent and authorization", "datamodel": ["Risk"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_block_user_consent_for_risky_apps_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD Concurrent Sessions From Different Ips", "author": "Mauricio Velazco, Splunk", "date": "2023-12-20", "version": 2, "id": "a9126f73-9a9b-493d-96ec-0dd06695490d", "description": "The following analytic identifies an Azure AD account with concurrent sessions coming from more than one unique Ip address within the span of 5 minutes. This behavior could represent a session hijacking attack whereby an adversary has extracted cookies from a victims browser and is using them from a different location to access corporate online resources. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments.", "references": ["https://attack.mitre.org/techniques/T1185/", "https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokens/", "https://github.com/kgretzky/evilginx2"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover", "Compromised User Account"], "asset_type": "Azure Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "User $user$ has concurrent sessions from more than one unique IP address in the span of 5 minutes.", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1185", "mitre_attack_technique": "Browser Session Hijacking", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": []}]}, "type": "TTP", "search": " `azure_monitor_aad` properties.authenticationDetails{}.succeeded=true category=NonInteractiveUserSignInLogs | rename properties.* as * | bucket span=30m _time | stats count min(_time) as firstTime max(_time) as lastTime dc(src_ip) AS unique_ips values(src_ip) as src_ip values(appDisplayName) as appDisplayName by user | where unique_ips > 1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_concurrent_sessions_from_different_ips_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category.", "known_false_positives": "A user with concurrent sessions from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_concurrent_sessions_from_different_ips_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD Device Code Authentication", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2023-12-20", "version": 2, "id": "d68d8732-6f7e-4ee5-a6eb-737f2b990b91", "description": "The following analytic identifies the execution of the Azure Device Code Phishing attack, which can lead to Azure Account Take-Over (ATO). The detection leverages Azure AD logs specifically focusing on authentication requests to identify the attack. This technique involves creating malicious infrastructure, bypassing Multi-Factor Authentication (MFA), and bypassing Conditional Access Policies (CAPs). The attack aims to compromise users by sending them phishing emails from attacker-controlled domains and trick the victims into performing OAuth 2.0 device authentication. A successful execution of this attack can result in adversaries gaining unauthorized access to Azure AD, Exchange mailboxes, and the target's Outlook Web Application (OWA). This attack technique was detailed by security researchers including Bobby Cooke, Stephan Borosh, and others. It's crucial for organizations to be aware of this threat, as it can lead to unauthorized access and potential data breaches.", "references": ["https://attack.mitre.org/techniques/T1528", "https://github.com/rvrsh3ll/TokenTactics", "https://embracethered.com/blog/posts/2022/device-code-phishing/", "https://0xboku.com/2021/07/12/ArtOfDeviceCodePhish.html", "https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-device-code"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Device code requested for $user$ from $src_ip$", "risk_score": 35, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1528", "mitre_attack_technique": "Steal Application Access Token", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.002", "mitre_attack_technique": "Spearphishing Link", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}]}, "type": "TTP", "search": "`azure_monitor_aad` category=SignInLogs \"properties.authenticationProtocol\"=deviceCode | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime by user src_ip, appDisplayName, userAgent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_device_code_authentication_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category.", "known_false_positives": "In most organizations, device code authentication will be used to access common Microsoft service but it may be legitimate for others. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_device_code_authentication_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD External Guest User Invited", "author": "Gowthamaraj Rajendran, Mauricio Velazco, Splunk", "date": "2023-12-20", "version": 2, "id": "c1fb4edb-cab1-4359-9b40-925ffd797fb5", "description": "The following analytic identifies the invitation of an external guest user within Azure AD. With Azure AD B2B collaboration, users and administrators can invite external users to collaborate with internal users. External guest account invitations should be monitored by security teams as they could potentially lead to unauthorized access. An example of this attack vector was described at BlackHat 2022 by security researcher Dirk-Jan during his tall `Backdooring and Hijacking Azure AD Accounts by Abusing External Identities`", "references": ["https://dirkjanm.io/assets/raw/US-22-Mollema-Backdooring-and-hijacking-Azure-AD-accounts_final.pdf", "https://www.blackhat.com/us-22/briefings/schedule/#backdooring-and-hijacking-azure-ad-accounts-by-abusing-external-identities-26999", "https://attack.mitre.org/techniques/T1136/003/", "https://docs.microsoft.com/en-us/azure/active-directory/external-identities/b2b-quickstart-add-guest-users-portal"], "tags": {"analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "initiatedBy", "type": "User", "role": ["Attacker"]}], "message": "External Guest User $user$ initiated by $initiatedBy$", "risk_score": 45, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}]}, "type": "TTP", "search": "`azure_monitor_aad` operationName=\"Invite external user\" | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.type as type | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by type, initiatedBy, result, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_external_guest_user_invited_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category.", "known_false_positives": "Administrator may legitimately invite external guest users. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_external_guest_user_invited_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD FullAccessAsApp Permission Assigned", "author": "Mauricio Velazco, Splunk", "date": "2024-01-29", "version": 1, "id": "ae286126-f2ad-421c-b240-4ea83bd1c43a", "description": "The following analytic identifies when the 'full_access_as_app' permission, marked by the GUID 'dc890d15-9560-4a4c-9b7f-a736ec74ec40', is assigned to an application within Office 365 Exchange Online, identified by ResourceAppId '00000002-0000-0ff1-ce00-000000000000'. This permission grants broad control over Office 365 operations, including full access to all mailboxes and the capability to send emails as any user. The query utilizes the azure_monitor_aad data source, focusing on AuditLogs with the operation name 'Update application'. This monitoring is crucial for early detection of potential unauthorized access or data exfiltration, as the 'full_access_as_app' permission could lead to significant security incidents if exploited.", "references": ["https://msrc.microsoft.com/blog/2024/01/microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/", "https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/", "https://attack.mitre.org/techniques/T1098/002/"], "tags": {"analytic_story": ["Azure Active Directory Persistence", "NOBELIUM Group"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ assigned the full_access_as_app permission to the app registration $object$", "risk_score": 48, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098.002", "mitre_attack_technique": "Additional Email Delegate Permissions", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "Magic Hound"]}, {"mitre_attack_id": "T1098.003", "mitre_attack_technique": "Additional Cloud Roles", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}]}, "type": "TTP", "search": "`azure_monitor_aad` category=AuditLogs operationName=\"Update application\" | eval newvalue = mvindex('properties.targetResources{}.modifiedProperties{}.newValue',0) | spath input=newvalue | search \"{}.ResourceAppId\"=\"00000002-0000-0ff1-ce00-000000000000\" \"{}.RequiredAppPermissions{}.EntitlementId\"=\"dc890d15-9560-4a4c-9b7f-a736ec74ec40\" | eval Permissions = '{}.RequiredAppPermissions{}.EntitlementId' | stats count earliest(_time) as firstTime latest(_time) as lastTime values(Permissions) by user, object, user_agent, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_fullaccessasapp_permission_assigned_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category.", "known_false_positives": "The full_access_as_app API permission may be assigned to legitimate applications. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_fullaccessasapp_permission_assigned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD Global Administrator Role Assigned", "author": "Gowthamaraj Rajendran, Mauricio Velazco, Splunk", "date": "2023-12-20", "version": 4, "id": "825fed20-309d-4fd1-8aaf-cd49c1bb093c", "description": "The following analytic identifies the assignment of the Azure AD Global Administrator role to an Azure AD user. The Global Administrator role is the most powerful administrator role in Azure AD and provides almost unlimited access to data, resources and settings. It is equivalent to the Domain Administrator group in an Active Directory environment. While Azure AD roles do not grant access to Azure services and resources, it is possible for a Global Administrator account to gain control of Azure resources. Adversaries and red teams alike may assign this role to a compromised account to establish Persistence or escalate their privileges in an Azure AD environment.", "references": ["https://o365blog.com/post/admin/", "https://adsecurity.org/?p=4277", "https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors", "https://docs.microsoft.com/en-us/azure/active-directory/roles/security-planning", "https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin", "https://attack.mitre.org/techniques/T1098/003/"], "tags": {"analytic_story": ["Azure Active Directory Persistence", "Azure Active Directory Privilege Escalation"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "initiatedBy", "type": "User", "role": ["Attacker"]}], "message": "Global Administrator Role assigned for User $user$ initiated by $initiatedBy$", "risk_score": 72, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098.003", "mitre_attack_technique": "Additional Cloud Roles", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}]}, "type": "TTP", "search": "`azure_monitor_aad` operationName=\"Add member to role\" properties.targetResources{}.modifiedProperties{}.newValue=\"\\\"Global Administrator\\\"\" | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by initiatedBy, result, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_global_administrator_role_assigned_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category.", "known_false_positives": "Administrators may legitimately assign the Global Administrator role to a user. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_global_administrator_role_assigned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD High Number Of Failed Authentications For User", "author": "Mauricio Velazco, Splunk", "date": "2023-12-20", "version": 2, "id": "630b1694-210a-48ee-a450-6f79e7679f2c", "description": "The following analytic identifies an Azure AD account with more than 20 failed authentication events in the span of 10 minutes. This behavior could represent a brute force attack against the account. As environments differ across organizations, security teams should customize the threshold of this detection.", "references": ["https://attack.mitre.org/techniques/T1110/", "https://attack.mitre.org/techniques/T1110/001/"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover", "Compromised User Account"], "asset_type": "Azure Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ failed to authenticate more than 20 times in the span of 5 minutes.", "risk_score": 35, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.001", "mitre_attack_technique": "Password Guessing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29"]}]}, "type": "TTP", "search": " `azure_monitor_aad` category= SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false | rename properties.* as * | bucket span=10m _time | stats count min(_time) as firstTime max(_time) as lastTime values(src_ip) as src_ip by user | where count > 20 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_high_number_of_failed_authentications_for_user_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category.", "known_false_positives": "A user with more than 20 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_high_number_of_failed_authentications_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD High Number Of Failed Authentications From Ip", "author": "Mauricio Velazco, Splunk", "date": "2023-12-20", "version": 2, "id": "e5ab41bf-745d-4f72-a393-2611151afd8e", "description": "The following analytic identifies an Ip address failing to authenticate 20 or more times to an Azure AD tenant in the span of 10 minutes. This behavior could represent a brute force attack againstan Azure AD to obtain initial access or elevate privileges. As environments differ across organizations, security teams should customize the threshold of this detection.", "references": ["https://attack.mitre.org/techniques/T1110/", "https://attack.mitre.org/techniques/T1110/001/", "https://attack.mitre.org/techniques/T1110/003/"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover", "Compromised User Account", "NOBELIUM Group"], "asset_type": "Azure Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "$src_ip$ failed to authenticate more than 20 times in the span of 10 minutes minutes.", "risk_score": 35, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.001", "mitre_attack_technique": "Password Guessing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}]}, "type": "TTP", "search": " `azure_monitor_aad` category= SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false | rename properties.* as * | bucket span=10m _time | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip | where count > 20 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_high_number_of_failed_authentications_from_ip_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category.", "known_false_positives": "An Ip address with more than 20 failed authentication attempts in the span of 10 minutes may also be triggered by a broken application.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_high_number_of_failed_authentications_from_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD Multi-Factor Authentication Disabled", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2023-12-20", "version": 2, "id": "482dd42a-acfa-486b-a0bb-d6fcda27318e", "description": "The following analytic identifies an attempt to disable multi-factor authentication for an Azure AD user. An adversary who has obtained access to an Azure AD tenant may disable multi-factor authentication as a way to plant a backdoor and maintain persistence using a valid account. This way the attackers can keep persistance in the environment without adding new users.", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks", "https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates", "https://attack.mitre.org/tactics/TA0005/", "https://attack.mitre.org/techniques/T1556/"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation", "Weaponization"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "initiatedBy", "type": "User", "role": ["Attacker"]}], "message": "MFA disabled for User $user$ initiated by $initiatedBy$", "risk_score": 45, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1556.006", "mitre_attack_technique": "Multi-Factor Authentication", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["Scattered Spider"]}]}, "type": "TTP", "search": "`azure_monitor_aad` category=AuditLogs operationName=\"Disable Strong Authentication\" | rename properties.* as * | rename targetResources{}.type as type | rename initiatedBy.user.userPrincipalName as initiatedBy | stats count min(_time) as firstTime max(_time) as lastTime by user, type, operationName, initiatedBy, result | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multi_factor_authentication_disabled_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category.", "known_false_positives": "Legitimate use case may require for users to disable MFA. Filter as needed.", "datamodel": ["Authentication"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_multi_factor_authentication_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD Multi-Source Failed Authentications Spike", "author": "Mauricio Velazco, Splunk", "date": "2023-12-20", "version": 2, "id": "116e11a9-63ea-41eb-a66a-6a13bdc7d2c7", "description": "This analytic detects potential distributed password spraying attacks within an Azure AD environment. It identifies a notable increase in failed authentication attempts across a variety of unique user-and-IP address combinations, originating from multiple source IP addresses and countries, and employing different user agents. Such patterns suggest an adversary's attempt to bypass security controls by using a range of IP addresses to test commonly used passwords against numerous user accounts. The detection scrutinizes SignInLogs from Azure AD logs, particularly focusing on events with error code 50126, which signals a failed authentication due to incorrect credentials. By collating data over a five-minute interval, the analytic computes the distinct counts of user-and-IP combinations, unique users, source IPs, and countries. It then applies a set of thresholds to these metrics to pinpoint unusual activities that could indicate a coordinated attack effort. The thresholds set within the analytic (such as unique IPs, unique users, etc.) are initial guidelines and should be customized based on the organization's user behavior and risk profile. Recognizing this behavior is vital for security operations centers (SOCs) as distributed password spraying represents a more complex form of traditional password spraying. Attackers distribute the source of their attempts to evade detection mechanisms that typically monitor for single-source IP anomalies. Prompt detection of such distributed activities is essential to thwart unauthorized access attempts, prevent account compromises, and mitigate the risk of further malicious activities within the organization's network. A true positive alert from this analytic suggests an active distributed password spraying attack against the organization's Azure AD tenant. A successful attack could result in unauthorized access, particularly to accounts with elevated privileges, leading to data breaches, privilege escalation, persistent threats, and lateral movement within the organization's infrastructure.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover", "NOBELIUM Group"], "asset_type": "Azure Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Weaponization"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "An anomalous multi source authentication spike ocurred at $_time$", "risk_score": 42, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}]}, "type": "Hunting", "search": " `azure_monitor_aad` category=SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false | rename properties.* as * | bucket span=5m _time | eval uniqueIPUserCombo = src_ip . \"-\" . user | stats count min(_time) as firstTime max(_time) as lastTime dc(uniqueIPUserCombo) as uniqueIpUserCombinations, dc(user) as uniqueUsers, dc(src_ip) as uniqueIPs, dc(user_agent) as uniqueUserAgents, dc(location.countryOrRegion) as uniqueCountries values(user) as user, values(src_ip) as ips, values(user_agent) as user_agents, values(location.countryOrRegion) as countries | where uniqueIpUserCombinations > 20 AND uniqueUsers > 20 AND uniqueIPs > 20 AND uniqueUserAgents = 1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multi_source_failed_authentications_spike_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category. The thresholds set within the analytic (such as unique IPs, unique users, etc.) are initial guidelines and should be customized based on the organization's user behavior and risk profile. Security teams are encouraged to adjust these thresholds to optimize the balance between detecting genuine threats and minimizing false positives, ensuring the detection is tailored to their specific environment.", "known_false_positives": "This detection may yield false positives in scenarios where legitimate bulk sign-in activities occur, such as during company-wide system updates or when users are accessing resources from varying locations in a short time frame, such as in the case of VPNs or cloud services that rotate IP addresses. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_multi_source_failed_authentications_spike_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD Multiple AppIDs and UserAgents Authentication Spike", "author": "Mauricio Velazco, Splunk", "date": "2023-12-20", "version": 2, "id": "5d8bb1f0-f65a-4b4e-af2e-fcdb88276314", "description": "This analytic is crafted to identify unusual and potentially malicious authentication activity within an Azure AD environment. It triggers when a single user account is involved in more than 8 authentication attempts, using 3 or more unique application IDs and more than 5 unique user agents within a short timeframe. This pattern is atypical for regular user behavior and may indicate an adversary's attempt to probe the environment, testing for multi-factor authentication requirements across different applications and platforms. The detection is based on analysis of Azure AD audit logs, specifically focusing on authentication events. It employs statistical thresholds to highlight instances where the volume of authentication attempts and the diversity of application IDs and user agents associated with a single user account exceed normal parameters. Identifying this behavior is crucial as it provides an early indication of potential account compromise. Adversaries, once in possession of user credentials, often conduct reconnaissance to understand the security controls in place, including multi-factor authentication configurations. Tools like Invoke-MFASweep are commonly used for this purpose, automating the process of testing different user agents and application IDs to bypass MFA. By detecting these initial probing attempts, security teams can swiftly respond, potentially stopping an attack in its early stages and preventing further unauthorized access. This proactive stance is vital for maintaining the integrity of the organization's security posture. If validated as a true positive, this detection points to a compromised account, signaling that an attacker is actively attempting to navigate security controls to maintain access and potentially escalate privileges. This could lead to further exploitation, lateral movement within the network, and eventual data exfiltration. Recognizing and responding to this early stage of an attack is vital for preventing substantial harm and safeguarding sensitive organizational data and systems.", "references": ["https://attack.mitre.org/techniques/T1078/", "https://www.blackhillsinfosec.com/exploiting-mfa-inconsistencies-on-microsoft-services/", "https://github.com/dafthack/MFASweep", "https://www.youtube.com/watch?v=SK1zgqaAZ2E"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "$user$ authenticated in a short periof of time with more than 5 different user agents across 3 or more unique application ids.", "risk_score": 48, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "type": "Anomaly", "search": " `azure_monitor_aad` category=SignInLogs operationName=\"Sign-in activity\" (properties.authenticationRequirement=\"multiFactorAuthentication\" AND properties.status.additionalDetails=\"MFA required in Azure AD\") OR (properties.authenticationRequirement=singleFactorAuthentication AND \"properties.authenticationDetails{}.succeeded\"=true) | bucket span=5m _time | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime dc(appId) as unique_app_ids dc(userAgent) as unique_user_agents values(appDisplayName) values(deviceDetail.operatingSystem) by user, src_ip | where count > 5 and unique_app_ids > 2 and unique_user_agents > 5 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multiple_appids_and_useragents_authentication_spike_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category.", "known_false_positives": "Rapid authentication from the same user using more than 5 different user agents and 3 application IDs is highly unlikely under normal circumstances. However, there are potential scenarios that could lead to false positives.", "datamodel": ["Authentication"], "source": "cloud", "nes_fields": null, "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_multiple_appids_and_useragents_authentication_spike_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD Multiple Denied MFA Requests For User", "author": "Mauricio Velazco, Splunk", "date": "2023-12-20", "version": 2, "id": "d0895c20-de71-4fd2-b56c-3fcdb888eba1", "description": "This analytic targets the detection of an unusually high number of denied Multi-Factor Authentication (MFA) requests for a single user within a 10-minute window, specifically identifying instances where more than nine MFA prompts were declined by the user. Utilizing Azure Active Directory (Azure AD) sign-in logs, particularly focusing on \"Sign-in activity\" events, it filters for scenarios where the MFA request was denied due to the user declining the authentication, as indicated by error code 500121 and additional details stating \"MFA denied; user declined the authentication.\" The data is then aggregated into 10-minute intervals, counting distinct raw events and capturing the earliest and latest times of occurrence for each user. This behavior is significant for a Security Operations Center (SOC) as it could be an early indicator of a targeted attack or an account compromise attempt, with an attacker having obtained the user's credentials and the user actively declining the MFA prompts, preventing unauthorized access. A true positive detection would imply that an attacker is on the verge of gaining full access to the user's account, posing a threat that could lead to data exfiltration, lateral movement, or further malicious activities within the organization, necessitating immediate investigation and response to safeguard the organization's assets.", "references": ["https://www.mandiant.com/resources/blog/russian-targeting-gov-business", "https://arstechnica.com/information-technology/2022/03/lapsus-and-solar-winds-hackers-both-use-the-same-old-trick-to-bypass-mfa/", "https://therecord.media/russian-hackers-bypass-2fa-by-annoying-victims-with-repeated-push-notifications/", "https://attack.mitre.org/techniques/T1621/", "https://attack.mitre.org/techniques/T1078/004/", "https://www.cisa.gov/sites/default/files/publications/fact-sheet-implement-number-matching-in-mfa-applications-508c.pdf"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ denied more than 9 MFA requests in a timespan of 10 minutes.", "risk_score": 54, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$", "Scattered Spider"]}]}, "type": "TTP", "search": "`azure_monitor_aad` category=SignInLogs operationName=\"Sign-in activity\" | rename properties.* as * | search status.errorCode=500121 status.additionalDetails=\"MFA denied; user declined the authentication\" | bucket span=10m _time | stats count min(_time) as firstTime max(_time) as lastTime by user, status.additionalDetails, appDisplayName, user_agent | where count > 9 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multiple_denied_mfa_requests_for_user_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category.", "known_false_positives": "Multiple denifed MFA requests in a short period of span may also be a sign of authentication errors. Investigate and filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_multiple_denied_mfa_requests_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD Multiple Failed MFA Requests For User", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2023-12-20", "version": 3, "id": "264ea131-ab1f-41b8-90e0-33ad1a1888ea", "description": "The following analytic identifies multiple failed multi-factor authentication requests for a single user within an Azure AD tenant. Error Code 500121 represents a failed attempt to authenticate using a second factor. Specifically, the analytic triggers when more than 10 MFA user prompts fail within 10 minutes. The reasons for these failure could be several, like the user not responding in time or receiving multiple duplicate MFA requests. Azure AD tenants can be very different depending on the organization, Security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls as reported by Mandiant and others.", "references": ["https://www.mandiant.com/resources/blog/russian-targeting-gov-business", "https://arstechnica.com/information-technology/2022/03/lapsus-and-solar-winds-hackers-both-use-the-same-old-trick-to-bypass-mfa/", "https://therecord.media/russian-hackers-bypass-2fa-by-annoying-victims-with-repeated-push-notifications/", "https://attack.mitre.org/techniques/T1621/", "https://attack.mitre.org/techniques/T1078/004/", "https://www.cisa.gov/sites/default/files/publications/fact-sheet-implement-number-matching-in-mfa-applications-508c.pdf"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Weaponization"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ failed to complete MFA authentication more than 9 times in a timespan of 10 minutes.", "risk_score": 54, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}]}, "type": "TTP", "search": " `azure_monitor_aad` category=SignInLogs operationName=\"Sign-in activity\" properties.status.errorCode=500121 properties.status.additionalDetails!=\"MFA denied; user declined the authentication\" | rename properties.* as * | bucket span=10m _time | stats count min(_time) as firstTime max(_time) as lastTime by user, status.additionalDetails, appDisplayName, user_agent | where count > 9 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multiple_failed_mfa_requests_for_user_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category.", "known_false_positives": "Multiple Failed MFA requests may also be a sign of authentication or application issues. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_multiple_failed_mfa_requests_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD Multiple Service Principals Created by SP", "author": "Mauricio Velazco, Splunk", "date": "2024-02-07", "version": 1, "id": "66cb378f-234d-4fe1-bb4c-e7878ff6b017", "description": "This detection identifies when a single service principal in Azure AD creates more than three unique OAuth applications within a 10-minute span, potentially signaling malicious activity. It monitors the 'Add service principal' operation, focusing on the activity of service principals rather than individual users. By aggregating the creation events over a 10-minute period, the analytic tracks how many distinct OAuth applications are created by each service principal. This is key for SOC teams to pinpoint potential attack staging, where an attacker might use a compromised or malicious service principal to rapidly establish multiple service principals, facilitating network infiltration or expansion. While the default threshold is set to trigger on more than three applications, security teams should adjust this to fit their specific environment's norm", "references": ["https://attack.mitre.org/techniques/T1136/003/", "https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/"], "tags": {"analytic_story": ["Azure Active Directory Persistence", "NOBELIUM Group"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}], "message": "Multiple OAuth applications were created by $src_user$ in a short period of time", "risk_score": 42, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}]}, "type": "Anomaly", "search": " `azure_monitor_aad` operationName=\"Add service principal\" properties.initiatedBy.app.appId=* | rename properties.* as * | bucket span=10m _time | rename targetResources{}.displayName as displayName | rename targetResources{}.type as type | rename initiatedBy.app.displayName as src_user | stats min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName dc(displayName) as unique_apps by src_user | where unique_apps > 3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multiple_service_principals_created_by_sp_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category.", "known_false_positives": "Certain users or applications may create multiple service principals in a short period of time for legitimate purposes. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_multiple_service_principals_created_by_sp_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD Multiple Service Principals Created by User", "author": "Mauricio Velazco, Splunk", "date": "2024-02-07", "version": 1, "id": "32880707-f512-414e-bd7f-204c0c85b758", "description": "This detection focuses on identifying instances where a single user creates more than three unique OAuth applications within a 10-minute timeframe in Azure AD, a potential indicator of malicious activity. By monitoring the 'Add service principal' operation and aggregating the data with a 10-minute bucket span, it tracks the number of distinct OAuth applications created by each user. This analytic is crucial for SOC teams to detect possible staging of attacks, where an adversary might rapidly create multiple service principals as part of their infiltration or expansion strategy within the network. The threshold of three applications is set to flag unusual behavior, but security teams are advised to adjust this value to suit the normal operational patterns of their environment", "references": ["https://attack.mitre.org/techniques/T1136/003/", "https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/"], "tags": {"analytic_story": ["Azure Active Directory Persistence", "NOBELIUM Group"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}], "message": "Multiple OAuth applications were created by $src_user$ in a short period of time", "risk_score": 42, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}]}, "type": "Anomaly", "search": " `azure_monitor_aad` operationName=\"Add service principal\" properties.initiatedBy.user.id=* | rename properties.* as * | bucket span=10m _time | rename targetResources{}.displayName as displayName | stats min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName dc(displayName) as unique_apps by src_user | where unique_apps > 3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multiple_service_principals_created_by_user_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category.", "known_false_positives": "Certain users or applications may create multiple service principals in a short period of time for legitimate purposes. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_multiple_service_principals_created_by_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD Multiple Users Failing To Authenticate From Ip", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2023-12-20", "version": 2, "id": "94481a6a-8f59-4c86-957f-55a71e3612a6", "description": "The following analytic identifies one source Ip failing to authenticate with 30 unique valid users within 5 minutes. This behavior could represent an adversary performing a Password Spraying attack against an Azure Active Directory tenant to obtain initial access or elevate privileges. Error Code 50126 represents an invalid password. This logic can be used for real time security monitoring as well as threat hunting exercises.\nAzure AD tenants can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold if needed.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Weaponization"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Source Ip $src_ip$ failed to authenticate with 30 users within 5 minutes.", "risk_score": 63, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}]}, "type": "Anomaly", "search": " `azure_monitor_aad` category=SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false | rename properties.* as * | bucket span=5m _time | stats count min(_time) as firstTime max(_time) as lastTime dc(user) AS unique_accounts values(user) as user by src_ip | where unique_accounts > 30 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multiple_users_failing_to_authenticate_from_ip_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category.", "known_false_positives": "A source Ip failing to authenticate with multiple users is not a common for legitimate behavior.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_multiple_users_failing_to_authenticate_from_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD New Custom Domain Added", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2023-12-20", "version": 2, "id": "30c47f45-dd6a-4720-9963-0bca6c8686ef", "description": "The following analytic identifies the addition of a new custom domain within an Azure Active Directory tenant. Adding a custom domain is a step required to set up the Azure Active Directory identity federation backdoor technique discovered by security researcher Nestori Syynimaa. Similar to Active Directory, Azure AD uses the concept of domains to manage directories of identities. A new Azure AD tenant will initially contain a single domain that is commonly called the `cloud-only` onmicrosoft.com domain. Organizations can also add their registered custom domains to Azure AD for email addresses to match the organizations domain name. If the organization intends to use a third-party identity provider such as ADFS for authentication, the added custom domains can be configured as federated. An adversary who has obtained privileged access to an Azure AD tenant may leverage this technique to establish persistence and be able to authenticate to Azure AD impersonating any user and bypassing the requirement to have a valid password and/or perform MFA.", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/domains-manage", "https://www.mandiant.com/resources/remediation-and-hardening-strategies-microsoft-365-defend-against-apt29-v13", "https://o365blog.com/post/federation-vulnerability/", "https://www.inversecos.com/2021/11/how-to-detect-azure-active-directory.html", "https://www.mandiant.com/resources/blog/detecting-microsoft-365-azure-active-directory-backdoors", "https://attack.mitre.org/techniques/T1484/002/"], "tags": {"analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A new custom domain, $domain$ , was added by $user$", "risk_score": 54, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1484", "mitre_attack_technique": "Domain or Tenant Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1484.002", "mitre_attack_technique": "Trust Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Scattered Spider"]}]}, "type": "TTP", "search": " `azure_monitor_aad` operationName=\"Add unverified domain\" properties.result=success | rename properties.* as * | rename targetResources{}.displayName as domain | stats count min(_time) as firstTime max(_time) as lastTime by user, domain, result, operationName, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_new_custom_domain_added_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category.", "known_false_positives": "In most organizations, new customm domains will be updated infrequently. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_new_custom_domain_added_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD New Federated Domain Added", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2023-12-20", "version": 2, "id": "a87cd633-076d-4ab2-9047-977751a3c1a0", "description": "The following analytic identifies the addition of a new federated domain within an Azure Active Directory tenant. This event could represent the execution of the Azure Active Directory identity federation backdoor technique discovered by security researcher Nestori Syynimaa. Similar to Active Directory, Azure AD uses the concept of domains to manage directories of identities. A new Azure AD tenant will initially contain a single domain that is commonly called the `cloud-only` onmicrosoft.com domain. Organizations can also add their registered custom domains to Azure AD for email addresses to match the organizations domain name. If the organization intends to use a third-party identity provider such as ADFS for authentication, the added custom domains can be configured as federated. An adversary who has obtained privileged access to an Azure AD tenant may leverage this technique to establish persistence and be able to authenticate to Azure AD impersonating any user and bypassing the requirement to have a valid password and/or perform MFA.", "references": ["https://www.mandiant.com/resources/remediation-and-hardening-strategies-microsoft-365-defend-against-apt29-v13", "https://o365blog.com/post/federation-vulnerability/", "https://www.inversecos.com/2021/11/how-to-detect-azure-active-directory.html", "https://www.mandiant.com/resources/blog/detecting-microsoft-365-azure-active-directory-backdoors", "https://attack.mitre.org/techniques/T1484/002/"], "tags": {"analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A new federated domain, $domain$ , was added by $user$", "risk_score": 81, "security_domain": "threat", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1484", "mitre_attack_technique": "Domain or Tenant Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1484.002", "mitre_attack_technique": "Trust Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Scattered Spider"]}]}, "type": "TTP", "search": " `azure_monitor_aad` operationName=\"Set domain authentication\" \"properties.result\"=success | rename properties.* as * | rename targetResources{}.displayName as domain | stats count min(_time) as firstTime max(_time) as lastTime by user, domain, result, operationName, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_new_federated_domain_added_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category.", "known_false_positives": "In most organizations, domain federation settings will be updated infrequently. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_new_federated_domain_added_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD New MFA Method Registered", "author": "Mauricio Velazco, Splunk", "date": "2023-12-20", "version": 2, "id": "0488e814-eb81-42c3-9f1f-b2244973e3a3", "description": "This analytic detects the registration of a new Multi-Factor Authentication (MFA) method associated with a user account within Azure Active Directory by monitoring Azure AD audit logs and configurations. While adding a new MFA method can be a routine and legitimate action, it can also be indicative of an attacker's attempt to maintain persistence on a compromised account. By registering a new MFA method, attackers can potentially bypass existing security measures, allowing them to authenticate using stolen credentials without raising alarms. Monitoring for such changes is crucial, especially if the addition is not preceded by a user request or if it deviates from typical user behavior. If an attacker successfully registers a new MFA method on a compromised account, they can solidify their access, making it harder for legitimate users to regain control. The attacker can then operate with the privileges of the compromised account, potentially accessing sensitive data, making unauthorized changes, or even escalating their privileges further. Immediate action would be required to verify the legitimacy of the MFA change and, if malicious, to remediate and secure the affected account.", "references": ["https://attack.mitre.org/techniques/T1098/005/", "https://www.microsoft.com/en-us/security/blog/2023/06/08/detecting-and-mitigating-a-multi-stage-aitm-phishing-and-bec-campaign/", "https://www.csoonline.com/article/573451/sophisticated-bec-scammers-bypass-microsoft-365-multi-factor-authentication.html"], "tags": {"analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Azure Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A new MFA method was registered for user $user$", "risk_score": 30, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1098.005", "mitre_attack_technique": "Device Registration", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29"]}]}, "type": "TTP", "search": "`azure_monitor_aad` operationName=\"Update user\" | rename properties.* as * | eval propertyName = mvindex('targetResources{}.modifiedProperties{}.displayName', 0) | search propertyName = StrongAuthenticationMethod | eval oldvalue = mvindex('targetResources{}.modifiedProperties{}.oldValue',0) | eval newvalue = mvindex('targetResources{}.modifiedProperties{}.newValue',0) | rex field=newvalue max_match=0 \"(?i)(?\\\"MethodType\\\")\" | rex field=oldvalue max_match=0 \"(?i)(?\\\"MethodType\\\")\" | eval count_new_method_type = coalesce(mvcount(new_method_type), 0) | eval count_old_method_type = coalesce(mvcount(old_method_type), 0) | stats earliest(_time) as firstTime latest(_time) as lastTime values(propertyName) by user newvalue oldvalue | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_new_mfa_method_registered_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.", "known_false_positives": "Users may register MFA methods legitimally, investigate and filter as needed.", "datamodel": ["Authentication"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_new_mfa_method_registered_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD New MFA Method Registered For User", "author": "Mauricio Velazco, Splunk", "date": "2023-12-20", "version": 2, "id": "2628b087-4189-403f-9044-87403f777a1b", "description": "The following analytic identifies the registration of a new Multi Factor authentication method for an Azure AD account. Adversaries who have obtained unauthorized access to an Azure AD account may register a new MFA method to maintain persistence.", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks", "https://attack.mitre.org/techniques/T1556/", "https://attack.mitre.org/techniques/T1556/006/", "https://twitter.com/jhencinski/status/1618660062352007174"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover", "Compromised User Account"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "A new MFA method was registered for user $user$", "risk_score": 64, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1556.006", "mitre_attack_technique": "Multi-Factor Authentication", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["Scattered Spider"]}]}, "type": "TTP", "search": " `azure_monitor_aad` category=AuditLogs operationName=\"User registered security info\" properties.operationType=Add | rename properties.* as * | rename targetResources{}.* as * | stats count min(_time) as firstTime max(_time) as lastTime by user, resultDescription, result, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_new_mfa_method_registered_for_user_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category.", "known_false_positives": "Newly onboarded users who are registering an MFA method for the first time will also trigger this detection.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_new_mfa_method_registered_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD OAuth Application Consent Granted By User", "author": "Mauricio Velazco, Splunk", "date": "2023-12-20", "version": 2, "id": "10ec9031-015b-4617-b453-c0c1ab729007", "description": "This analytic detects when a user in an Azure AD environment grants consent to an OAuth application, capturing any consent granted regardless of the specific permissions requested. Utilizing Azure AD audit logs, it focuses on events related to OAuth application consents, alerting security teams to instances where users actively grant consent to applications. This monitoring is crucial as it highlights potential risks associated with third-party applications gaining access to organizational data, a tactic often exploited by malicious actors to gain unauthorized access. A true positive from this analytic necessitates immediate investigation to validate the application's legitimacy, review the granted permissions, and assess potential risks, helping to prevent unauthorized access and protect sensitive data and resources. While false positives may occur with legitimate application integrations, ensuring alignment with organizational policies and security best practices is paramount.", "references": ["https://attack.mitre.org/techniques/T1528/", "https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/", "https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/protect-against-consent-phishing", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth", "https://www.alteredsecurity.com/post/introduction-to-365-stealer", "https://github.com/AlteredSecurity/365-Stealer"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ consented an OAuth application.", "risk_score": 36, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1528", "mitre_attack_technique": "Steal Application Access Token", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29"]}]}, "type": "TTP", "search": "`azure_monitor_aad` operationName=\"Consent to application\" properties.result=success | rename properties.* as * | eval permissions_index = if(mvfind('targetResources{}.modifiedProperties{}.displayName', \"ConsentAction.Permissions\") >= 0, mvfind('targetResources{}.modifiedProperties{}.displayName', \"ConsentAction.Permissions\"), -1) | eval permissions = mvindex('targetResources{}.modifiedProperties{}.newValue',permissions_index) | rex field=permissions \"Scope: (?[^,]+)\" | stats count min(_time) as firstTime max(_time) as lastTime by operationName, user, Scope | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_oauth_application_consent_granted_by_user_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.", "known_false_positives": "False positives may occur if users are granting consents as part of legitimate application integrations or setups. It is crucial to review the application and the permissions it requests to ensure they align with organizational policies and security best practices.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_oauth_application_consent_granted_by_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD PIM Role Assigned", "author": "Mauricio Velazco, Splunk", "date": "2023-12-20", "version": 2, "id": "fcd6dfeb-191c-46a0-a29c-c306382145ab", "description": "The following analytic identifies the assignment of the Azure AD PIM role. Privileged Identity Management (PIM) is a service within Azure Azure AD that enables administrators to manage, control, and monitor access to sensitive resources. PIM provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources. Once a user has been made eligible for an administrative role, she must activate this role assignment to perform the privileged actions. When a role is activated, Azure AD PIM temporarily adds active assignment for the role. While PIM can be leveraged as a powerful security control, it may also abused by adversaries to obtain privileged access. Security teams should monitor for the assignment and activation of PIM roles and validate their legitimacy.", "references": ["https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure", "https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-activate-role", "https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT401/AZT401/"], "tags": {"analytic_story": ["Azure Active Directory Persistence", "Azure Active Directory Privilege Escalation"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "An Azure AD PIM role assignment was assiged to $user$", "risk_score": 35, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1098.003", "mitre_attack_technique": "Additional Cloud Roles", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}]}, "type": "TTP", "search": " `azure_monitor_aad` operationName=\"Add eligible member to role in PIM completed*\" | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user values(targetResources{}.displayName) as displayName by result, operationName, initiatedBy.user.displayName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_pim_role_assigned_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.", "known_false_positives": "As part of legitimate administrative behavior, users may be assigned PIM roles. Filter as needed", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_pim_role_assigned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD PIM Role Assignment Activated", "author": "Mauricio Velazco, Splunk", "date": "2023-12-20", "version": 3, "id": "952e80d0-e343-439b-83f4-808c3e6fbf2e", "description": "The following analytic identifies the assignment of the Azure AD PIM role. Privileged Identity Management (PIM) is a service within Azure Azure AD that enables administrators to manage, control, and monitor access to sensitive resources. PIM provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources. Once a user has been made eligible for an administrative role, she must activate this role assignment to perform the privileged actions. When a role is activated, Azure AD PIM temporarily adds active assignment for the role. While PIM can be leveraged as a powerful security control, it may also abused by adversaries to obtain privileged access. Security teams should monitor for the assignment and activation of PIM roles and validate their legitimacy.", "references": ["https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure", "https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-activate-role", "https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT401/AZT401/"], "tags": {"analytic_story": ["Azure Active Directory Persistence", "Azure Active Directory Privilege Escalation"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "An Azure AD PIM role assignment was activated by $initiatedBy$ by $user$", "risk_score": 35, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1098.003", "mitre_attack_technique": "Additional Cloud Roles", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}]}, "type": "TTP", "search": " `azure_monitor_aad` operationName=\"Add member to role completed (PIM activation)\" | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user values(targetResources{}.displayName) as displayName by initiatedBy, result, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_pim_role_assignment_activated_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.", "known_false_positives": "As part of legitimate administrative behavior, users may activate PIM roles. Filter as needed", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_pim_role_assignment_activated_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD Privileged Authentication Administrator Role Assigned", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2023-12-20", "version": 2, "id": "a7da845d-6fae-41cf-b823-6c0b8c55814a", "description": "The following analytic identifies the assignment of the Privileged Authentication Administrato role to an Azure AD user. Users in this role can set or reset authentication methods for any user in Azure Active Directory, including privileged roles like Global Administrators. Users with this role can change credentials for people who may have access to sensitive or private information or critical configuration inside and outside of Azure Active Directory. Changing the credentials of a user may mean the ability to assume that users identity and permissions. Red teams and adversaries alike may abuse this role to escalate their privileges.", "references": ["https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#privileged-authentication-administrator", "https://posts.specterops.io/azure-privilege-escalation-via-azure-api-permissions-abuse-74aee1006f48", "https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference"], "tags": {"analytic_story": ["Azure Active Directory Privilege Escalation"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "initiatedBy", "type": "User", "role": ["Attacker"]}], "message": "The privileged Azure AD role Privileged Authentication Administrator was assigned for User $user$ initiated by $initiatedBy$", "risk_score": 50, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": " `azure_monitor_aad` \"operationName\"=\"Add member to role\" \"properties.targetResources{}.modifiedProperties{}.newValue\"=\"\\\"Privileged Authentication Administrator\\\"\" | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by initiatedBy, result, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_privileged_authentication_administrator_role_assigned_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.", "known_false_positives": "Administrators may legitimately assign the Privileged Authentication Administrator role as part of administrative tasks. Filter as needed.", "datamodel": ["Authentication"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_privileged_authentication_administrator_role_assigned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD Privileged Graph API Permission Assigned", "author": "Mauricio Velazco, Splunk", "date": "2024-01-30", "version": 1, "id": "5521f8c5-1aa3-473c-9eb7-853701924a06", "description": "This Splunk analytic flags the assignment of three high-risk Graph API permissions in Azure AD, Application.ReadWrite.All (1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9), AppRoleAssignment.ReadWrite.All (06b708a9-e830-4db3-a914-8e69da51d44f), and RoleManagement.ReadWrite.Directory (9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8). These permissions enable broad control over Azure AD, including application and directory settings. Utilizing azure_monitor_aad data, the query scans AuditLogs for 'Update application' operations, identifying when these permissions are assigned. It collects data on user, object, and user agent. Immediate attention is needed upon detection, as misuse of these permissions can lead to unauthorized Azure AD modifications and potential security breaches.", "references": ["https://cloudbrothers.info/en/azure-attack-paths/", "https://github.com/mandiant/Mandiant-Azure-AD-Investigator/blob/master/MandiantAzureADInvestigator.json", "https://learn.microsoft.com/en-us/graph/permissions-reference", "https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/", "https://posts.specterops.io/azure-privilege-escalation-via-azure-api-permissions-abuse-74aee1006f48"], "tags": {"analytic_story": ["Azure Active Directory Persistence", "NOBELIUM Group"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ assigned privileged Graph API permissions to $object$", "risk_score": 54, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": "`azure_monitor_aad` category=AuditLogs operationName=\"Update application\" | eval newvalue = mvindex('properties.targetResources{}.modifiedProperties{}.newValue',0) | spath input=newvalue | search \"{}.RequiredAppPermissions{}.EntitlementId\"=\"1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9\" OR \"{}.RequiredAppPermissions{}.EntitlementId\"=\"06b708a9-e830-4db3-a914-8e69da51d44f\" OR \"{}.RequiredAppPermissions{}.EntitlementId\"=\"9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8\" | eval Permissions = '{}.RequiredAppPermissions{}.EntitlementId' | stats count earliest(_time) as firstTime latest(_time) as lastTime values(Permissions) by user, object, user_agent, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_privileged_graph_api_permission_assigned_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.", "known_false_positives": "Privileged Graph API permissions may be assigned for legitimate purposes. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_privileged_graph_api_permission_assigned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD Privileged Role Assigned", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2023-12-20", "version": 3, "id": "a28f0bc3-3400-4a6e-a2da-89b9e95f0d2a", "description": "The following analytic identifies the assignment of sensitive and privileged Azure Active Directory roles to an Azure AD user. Adversaries and red teams alike may assign these roles to a compromised account to establish Persistence in an Azure AD environment.", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/roles/concept-understand-roles", "https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference", "https://adsecurity.org/?p=4277", "https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors", "https://docs.microsoft.com/en-us/azure/active-directory/roles/security-planning", "https://attack.mitre.org/techniques/T1098/003/"], "tags": {"analytic_story": ["Azure Active Directory Persistence", "NOBELIUM Group"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "initiatedBy", "type": "User", "role": ["Attacker"]}], "message": "A privileged Azure AD role was assigned for User $user$ initiated by $initiatedBy$", "risk_score": 63, "security_domain": "audit", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1098.003", "mitre_attack_technique": "Additional Cloud Roles", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}]}, "type": "TTP", "search": " `azure_monitor_aad` \"operationName\"=\"Add member to role\" | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.modifiedProperties{}.newValue as roles | eval role=mvindex(roles,1) | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by initiatedBy, result, operationName, role | lookup privileged_azure_ad_roles azureadrole AS role OUTPUT isprvilegedadrole description | search isprvilegedadrole = True | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_privileged_role_assigned_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.", "known_false_positives": "Administrators will legitimately assign the privileged roles users as part of administrative tasks. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_privileged_role_assigned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "privileged_azure_ad_roles", "description": "A list of privileged Azure Active Directory roles.", "filename": "privileged_azure_ad_roles.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(azureadrole)", "min_matches": 1, "fields_list": null}]}, {"name": "Azure AD Privileged Role Assigned to Service Principal", "author": "Mauricio Velazco, Splunk", "date": "2023-12-20", "version": 3, "id": "5dfaa3d3-e2e4-4053-8252-16d9ee528c41", "description": "The following analytic detects potential privilege escalation threats in Azure Active Directory (AD). The detection is made by running a specific search within the ingested Azure Active Directory events to leverage the AuditLogs log category. This detection is important because it identifies instances where privileged roles that hold elevated permissions are assigned to service principals. This prevents unauthorized access or malicious activities, which occur when these non-human entities access Azure resources to exploit them. False positives might occur since administrators can legitimately assign privileged roles to service principals.", "references": ["https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5"], "tags": {"analytic_story": ["Azure Active Directory Privilege Escalation", "NOBELIUM Group"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "initiatedBy", "type": "User", "role": ["Victim"]}], "message": "A privileged Azure AD role was assigned to the Service Principal $displayName$ initiated by $initiatedBy$", "risk_score": 35, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1098.003", "mitre_attack_technique": "Additional Cloud Roles", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}]}, "type": "TTP", "search": " `azure_monitor_aad` operationName=\"Add member to role\" | rename properties.* as * | search \"targetResources{}.type\"=ServicePrincipal | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.modifiedProperties{}.newValue as roles | eval role=mvindex(roles,1) | rename targetResources{}.displayName as apps | eval displayName=mvindex(apps,0) | stats count min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName by initiatedBy, result, operationName, role | lookup privileged_azure_ad_roles azureadrole AS role OUTPUT isprvilegedadrole description | search isprvilegedadrole = True | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_privileged_role_assigned_to_service_principal_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.", "known_false_positives": "Administrators may legitimately assign the privileged roles to Service Principals as part of administrative tasks. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_privileged_role_assigned_to_service_principal_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "privileged_azure_ad_roles", "description": "A list of privileged Azure Active Directory roles.", "filename": "privileged_azure_ad_roles.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(azureadrole)", "min_matches": 1, "fields_list": null}]}, {"name": "Azure AD Service Principal Authentication", "author": "Mauricio Velazco, Splunk", "date": "2024-02-12", "version": 1, "id": "5a2ec401-60bb-474e-b936-1e66e7aa4060", "description": "Monitoring service principal authentication events in Azure Active Directory is crucial, but to effectively leverage this detection, teams should first conduct a thorough inventory of all service principals and their source IPs to establish a baseline of normal behavior. The detection, using azure_monitor_aad, specifically targets \"Sign-in activity\" within ServicePrincipalSignInLogs, gathering key details like sign-in frequency, timing, source IPs, and accessed resources. This baseline is essential for SOC teams to distinguish between regular application authentication and anomalous patterns that might suggest compromised credentials or malicious activities.", "references": ["https://attack.mitre.org/techniques/T1078/004/", "https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-sign-ins#service-principal-sign-ins"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover", "NOBELIUM Group"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Service Principal $user$ authenticated from $src_ip$", "risk_score": 25, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}]}, "type": "TTP", "search": " `azure_monitor_aad` operationName=\"Sign-in activity\" category=ServicePrincipalSignInLogs | rename properties.* as * | stats count earliest(_time) as firstTime latest(_time) as lastTime by user, user_id, src_ip, resourceDisplayName, resourceId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_service_principal_authentication_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category.", "known_false_positives": "Service Principals will legitimally authenticate remotely to your tenant. Implementing this detection after establishing a baseline enables a more accurate identification of security threats, ensuring proactive and informed responses to safeguard the Azure AD environment. source ips.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_service_principal_authentication_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD Service Principal Created", "author": "Gowthamaraj Rajendran, Mauricio Velazco, Splunk", "date": "2022-08-17", "version": 1, "id": "f8ba49e7-ffd3-4b53-8f61-e73974583c5d", "description": "The following analytic identifies the creation of a Service Principal in an Azure AD environment. An Azure Service Principal is an identity designed to be used with applications, services, and automated tools to access resources. It is similar to a service account within an Active Directory environment. Service Principal authentication does not support multi-factor authentication nor conditional access policies. Adversaries and red teams alike who have obtained administrative access may create a Service Principal to establish Persistence and obtain single-factor access to an Azure AD environment.", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals", "https://docs.microsoft.com/en-us/powershell/azure/create-azure-service-principal-azureps?view=azps-8.2.0", "https://www.truesec.com/hub/blog/using-a-legitimate-application-to-create-persistence-and-initiate-email-campaigns", "https://www.inversecos.com/2021/10/how-to-backdoor-azure-applications-and.html", "https://attack.mitre.org/techniques/T1136/003/"], "tags": {"analytic_story": ["Azure Active Directory Persistence", "NOBELIUM Group"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "displayName", "type": "User", "role": ["Victim"]}], "message": "Service Principal named $displayName$ created by $user$", "risk_score": 45, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}]}, "type": "TTP", "search": "`azure_monitor_aad` operationName=\"Add service principal\" properties.initiatedBy.user.id=* | rename properties.* as * | rename targetResources{}.displayName as displayName | rename targetResources{}.type as type | stats count min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName by type, user, result, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_service_principal_created_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment thorough an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.", "known_false_positives": "Administrator may legitimately create Service Principal. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_service_principal_created_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD Service Principal New Client Credentials", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2023-12-20", "version": 2, "id": "e3adc0d3-9e4b-4b5d-b662-12cec1adff2a", "description": "The following analytic identifies the addition of new credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD. These credentials include both x509 certificates and passwords. With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules. Adversaries and red teams alike who have obtained privileged access to Azure AD may add credentials to Service Principals to maintain persistent access to victim accounts and other instances within the Azure environment. By compromising an account who is an Owner of an application with privileged access, attackers may also escalate their privileges in an Azure AD environment by adding new credentials and logging in as the service principal.", "references": ["https://attack.mitre.org/techniques/T1098/001/", "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501-2/", "https://hausec.com/2021/10/26/attacking-azure-azure-ad-part-ii/", "https://www.inversecos.com/2021/10/how-to-backdoor-azure-applications-and.html", "https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft", "https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT405/AZT405-3/"], "tags": {"analytic_story": ["Azure Active Directory Persistence", "Azure Active Directory Privilege Escalation", "NOBELIUM Group"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "New credentials added for Service Principal by $user$", "risk_score": 35, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1098.001", "mitre_attack_technique": "Additional Cloud Credentials", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "TTP", "search": " `azure_monitor_aad` category=AuditLogs operationName=\"Update application*Certificates and secrets management \" | rename properties.* as * | rename targetResources{}.* as * | stats count min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName by user, modifiedProperties{}.newValue, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_service_principal_new_client_credentials_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category.", "known_false_positives": "Service Principal client credential modifications may be part of legitimate administrative operations. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_service_principal_new_client_credentials_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD Service Principal Owner Added", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2023-12-20", "version": 3, "id": "7ddf2084-6cf3-4a44-be83-474f7b73c701", "description": "The following analytic identifies the addition of a new owner for a Service Principal within an Azure AD tenant. An Azure Service Principal is an identity designed to be used with applications, services, and automated tools to access resources. It is similar to a service account within an Active Directory environment. Service Principal authentication does not support multi-factor authentication nor conditional access policies. Adversaries and red teams alike who have obtained administrative access may add a new owner for an existing Service Principal to establish Persistence and obtain single-factor access to an Azure AD environment. Attackers who are looking to escalate their privileges by leveraging a Service Principals permissions may also add a new owner.", "references": ["https://attack.mitre.org/techniques/T1098/"], "tags": {"analytic_story": ["Azure Active Directory Persistence", "Azure Active Directory Privilege Escalation", "NOBELIUM Group"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "displayName", "type": "User", "role": ["Victim"]}, {"name": "initiatedBy", "type": "User", "role": ["Attacker"]}], "message": "A new owner was added for service principal $displayName$ by $initiatedBy$", "risk_score": 54, "security_domain": "audit", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}]}, "type": "TTP", "search": " `azure_monitor_aad` operationName=\"Add owner to application\" | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.userPrincipalName as newOwner | rename targetResources{}.modifiedProperties{}.newValue as displayName | eval displayName = mvindex(displayName,1) | where initiatedBy!=newOwner | stats count min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName by initiatedBy, result, operationName, newOwner | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_service_principal_owner_added_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.", "known_false_positives": "Administrator may legitimately add new owners for Service Principals. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_service_principal_owner_added_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD Successful Authentication From Different Ips", "author": "Mauricio Velazco, Splunk", "date": "2023-12-20", "version": 3, "id": "be6d868d-33b6-4aaa-912e-724fb555b11a", "description": "The following analytic identifies an Azure AD account successfully authenticating from more than one unique Ip address in the span of 30 minutes. This behavior could represent an adversary who has stolen credentials via a phishing attack or some other method and using them to access corporate online resources around the same time as a legitimate user. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments.", "references": ["https://attack.mitre.org/techniques/T1110", "https://attack.mitre.org/techniques/T1110.001", "https://attack.mitre.org/techniques/T1110.003"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover", "Compromised User Account"], "asset_type": "Azure Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "User $user$ has had successful authentication events from more than one unique IP address in the span of 30 minutes.", "risk_score": 56, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.001", "mitre_attack_technique": "Password Guessing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}]}, "type": "TTP", "search": " `azure_monitor_aad` properties.authenticationDetails{}.succeeded=true category=SignInLogs | rename properties.* as * | bucket span=30m _time | stats count min(_time) as firstTime max(_time) as lastTime dc(src_ip) AS unique_ips values(src_ip) as src_ip values(appDisplayName) as appDisplayName by user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where unique_ips > 1 | `azure_ad_successful_authentication_from_different_ips_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category.", "known_false_positives": "A user with successful authentication events from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_successful_authentication_from_different_ips_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD Successful PowerShell Authentication", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2023-12-20", "version": 2, "id": "62f10052-d7b3-4e48-b57b-56f8e3ac7ceb", "description": "The following analytic identifies a successful authentication event against an Azure AD tenant using PowerShell commandlets. This behavior is not common for regular, non administrative users. After compromising an account in Azure AD, attackers and red teams alike will perform enumeration and discovery techniques. One method of executing these techniques is leveraging the native PowerShell modules.", "references": ["https://attack.mitre.org/techniques/T1078/004/", "https://docs.microsoft.com/en-us/powershell/module/azuread/connect-azuread?view=azureadps-2.0", "https://securitycafe.ro/2022/04/29/pentesting-azure-recon-techniques/", "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Cloud%20-%20Azure%20Pentest.md"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Weaponization"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Successful authentication for user $user$ using PowerShell.", "risk_score": 54, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}]}, "type": "TTP", "search": " `azure_monitor_aad` category=SignInLogs properties.authenticationDetails{}.succeeded=true properties.appDisplayName=\"Microsoft Azure PowerShell\" | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip, appDisplayName, user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_successful_powershell_authentication_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category.", "known_false_positives": "Administrative users will likely use PowerShell commandlets to troubleshoot and maintain the environment. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_successful_powershell_authentication_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD Successful Single-Factor Authentication", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2023-12-20", "version": 2, "id": "a560e7f6-1711-4353-885b-40be53101fcd", "description": "The following analytic identifies a successful authentication event against Azure Active Directory for an account without Multi-Factor Authentication enabled. This could be evidence of a missconfiguration, a policy violation or an account take over attempt that should be investigated", "references": ["https://attack.mitre.org/techniques/T1078/004/", "https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks*", "https://www.forbes.com/sites/daveywinder/2020/07/08/new-dark-web-audit-reveals-15-billion-stolen-logins-from-100000-breaches-passwords-hackers-cybercrime/?sh=69927b2a180f"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Weaponization"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Successful authentication for user $user$ without MFA", "risk_score": 45, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}]}, "type": "TTP", "search": " `azure_monitor_aad` category=SignInLogs properties.authenticationRequirement=singleFactorAuthentication properties.authenticationDetails{}.succeeded=true | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip, appDisplayName, authenticationRequirement | `azure_ad_successful_single_factor_authentication_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category.", "known_false_positives": "Although not recommended, certain users may be required without multi-factor authentication. Filter as needed", "datamodel": ["Authentication"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_ad_successful_single_factor_authentication_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD Tenant Wide Admin Consent Granted", "author": "Mauricio Velazco, Splunk", "date": "2023-09-14", "version": 2, "id": "dc02c0ee-6ac0-4c7f-87ba-8ce43a4e4418", "description": "The following analytic identifies instances where admin consent is granted to an application within an Azure AD tenant. It leverages Azure AD audit logs, specifically events related to the admin consent action within the ApplicationManagement category. The admin consent action allows applications to access data across the entire tenant, potentially encompassing a vast amount of organizational data. Given its broad scope and the sensitivity of some permissions that can only be granted via admin consent, it's crucial to monitor this action. Unauthorized or inadvertent granting of admin consent can lead to significant security risks, including data breaches, unauthorized data access, and potential compliance violations. If an attacker successfully tricks an administrator into granting admin consent to a malicious or compromised application, they can gain extensive and persistent access to organizational data. This can lead to data exfiltration, espionage, further malicious activities within the tenant, and potential breaches of compliance regulations", "references": ["https://attack.mitre.org/techniques/T1098/003/", "https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452", "https://learn.microsoft.com/en-us/security/operations/incident-response-playbook-app-consent", "https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent?pivots=portal", "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501-2/"], "tags": {"analytic_story": ["Azure Active Directory Persistence", "NOBELIUM Group"], "asset_type": "Azure Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Administrator $user$ consented an OAuth application for the tenant.", "risk_score": 45, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1098.003", "mitre_attack_technique": "Additional Cloud Roles", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}]}, "type": "TTP", "search": "`azure_monitor_aad` operationName=\"Consent to application\" | eval new_field=mvindex('properties.targetResources{}.modifiedProperties{}.newValue', 4) | rename properties.* as * | rex field=new_field \"ConsentType: (?[^\\,]+)\" | rex field=new_field \"Scope: (?[^\\,]+)\" | search ConsentType = \"AllPrincipals\" | stats count min(_time) as firstTime max(_time) as lastTime by operationName, user, targetResources{}.displayName, targetResources{}.id, ConsentType, Scope | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_tenant_wide_admin_consent_granted_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Auditlogs log category.", "known_false_positives": "Legitimate applications may be granted tenant wide consent, filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_tenant_wide_admin_consent_granted_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD Unusual Number of Failed Authentications From Ip", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2022-07-11", "version": 2, "id": "3d8d3a36-93b8-42d7-8d91-c5f24cec223d", "description": "The following analytic identifies one source Ip failing to authenticate with multiple valid users. This behavior could represent an adversary performing a Password Spraying attack against an Azure Active Directory tenant to obtain initial access or elevate privileges. Error Code 50126 represents an invalid password.\nThe detection calculates the standard deviation for source Ip and leverages the 3-sigma statistical rule to identify an unusual number of failed authentication attempts. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises.\nWhile looking for anomalies using statistical methods like the standard deviation can have benefits, we also recommend using threshold-based detections to complement coverage. A similar analytic following the threshold model is `Azure AD Multiple Users Failing To Authenticate From Ip`.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Weaponization"], "nist": ["DE.AE"], "observable": [{"name": "userPrincipalName", "type": "User", "role": ["Victim"]}, {"name": "ipAddress", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible Password Spraying attack against Azure AD from source ip $ipAddress$", "risk_score": 54, "security_domain": "access", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}]}, "type": "Anomaly", "search": " `azure_monitor_aad` category=SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false | rename properties.* as * | bucket span=5m _time | stats dc(userPrincipalName) AS unique_accounts values(userPrincipalName) as userPrincipalName by _time, ipAddress | eventstats avg(unique_accounts) as ip_avg, stdev(unique_accounts) as ip_std by ipAddress | eval upperBound=(ip_avg+ip_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1,0) | where isOutlier = 1 | `azure_ad_unusual_number_of_failed_authentications_from_ip_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category.", "known_false_positives": "A source Ip failing to authenticate with multiple users is not a common for legitimate behavior.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_ad_unusual_number_of_failed_authentications_from_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD User Consent Blocked for Risky Application", "author": "Mauricio Velazco, Splunk", "date": "2023-10-27", "version": 1, "id": "06b8ec9a-d3b5-4882-8f16-04b4d10f5eab", "description": "The following analytic identifies instances where Azure AD has blocked a user's attempt to grant consent to an application deemed risky or potentially malicious. This suggests that the application has exhibited behaviors or characteristics that are commonly associated with malicious intent or poses a security risk. This detection leverages the Azure AD audit logs, specifically focusing on events related to user consent actions and system-driven blocks. By filtering for blocked consent actions associated with applications, the analytic highlights instances where Azure's built-in security measures have intervened. Applications that are flagged and blocked by Azure typically exhibit suspicious characteristics or behaviors. Monitoring for these blocked consent attempts helps security teams identify potential threats early on and can provide insights into users who might be targeted or susceptible to such risky applications. It's an essential layer of defense in ensuring that malicious or risky applications don't gain access to organizational data. If the detection is a true positive, it indicates that the built-in security measures of O365 successfully prevented a potentially harmful application from gaining access. However, the attempt itself suggests that either a user might be targeted or that there's a presence of malicious applications trying to infiltrate the organization. Immediate investigation is required to understand the context of the block and to take further preventive measures.", "references": ["https://attack.mitre.org/techniques/T1528/", "https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/", "https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/protect-against-consent-phishing", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth", "https://www.alteredsecurity.com/post/introduction-to-365-stealer", "https://github.com/AlteredSecurity/365-Stealer"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Azure AD has blocked $user$ attempt to grant to consent to an application deemed risky.", "risk_score": 30, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1528", "mitre_attack_technique": "Steal Application Access Token", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29"]}]}, "type": "TTP", "search": "`azure_monitor_aad` operationName=\"Consent to application\" properties.result=failure | rename properties.* as * | eval reason_index = if(mvfind('targetResources{}.modifiedProperties{}.displayName', \"ConsentAction.Reason\") >= 0, mvfind('targetResources{}.modifiedProperties{}.displayName', \"ConsentAction.Reason\"), -1) | eval permissions_index = if(mvfind('targetResources{}.modifiedProperties{}.displayName', \"ConsentAction.Permissions\") >= 0, mvfind('targetResources{}.modifiedProperties{}.displayName', \"ConsentAction.Permissions\"), -1) | search reason_index >= 0 | eval reason = mvindex('targetResources{}.modifiedProperties{}.newValue',reason_index) | eval permissions = mvindex('targetResources{}.modifiedProperties{}.newValue',permissions_index) | search reason = \"\\\"Risky application detected\\\"\" | rex field=permissions \"Scope: (?[^,]+)\" | stats count min(_time) as firstTime max(_time) as lastTime by operationName, user, reason, Scope | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_user_consent_blocked_for_risky_application_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.", "known_false_positives": "UPDATE_KNOWN_FALSE_POSITIVES", "datamodel": ["Risk"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_user_consent_blocked_for_risky_application_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD User Consent Denied for OAuth Application", "author": "Mauricio Velazco, Splunk", "date": "2023-12-20", "version": 2, "id": "bb093c30-d860-4858-a56e-cd0895d5b49c", "description": "The following analytic identifies instances where a user has actively denied consent to an OAuth application seeking permissions within the Azure AD environment. This suggests that the user either recognized something suspicious about the application or chose not to grant it the requested permissions for other reasons. This detection leverages the Azure AD's audit logs, specifically focusing on events related to user consent actions. By filtering for denied consent actions associated with OAuth applications, the analytic captures instances where users have actively rejected permission requests. While user-denied consents can be routine, they can also be indicative of users spotting potentially suspicious or unfamiliar applications. By monitoring these denied consent attempts, security teams can gain insights into applications that might be perceived as risky or untrusted by users. It can also serve as a feedback loop for security awareness training, indicating that users are being cautious about granting permissions. If the detection is a true positive, it indicates that a user has actively prevented an OAuth application from gaining the permissions it requested. While this is a proactive security measure on the user's part, it's essential for security teams to review the context of the denial. Understanding why certain applications are being denied can help in refining application whitelisting policies and ensuring that no malicious applications are attempting to gain access.", "references": ["https://attack.mitre.org/techniques/T1528/", "https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/", "https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/protect-against-consent-phishing", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth", "https://www.alteredsecurity.com/post/introduction-to-365-stealer", "https://github.com/AlteredSecurity/365-Stealer"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ denied consent for an OAuth application.", "risk_score": 36, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1528", "mitre_attack_technique": "Steal Application Access Token", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29"]}]}, "type": "TTP", "search": " `azure_monitor_aad` operationName=\"Sign-in activity\" properties.status.errorCode=65004 | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime by operationName, user, appDisplayName, status.failureReason | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_user_consent_denied_for_oauth_application_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category.", "known_false_positives": "Users may deny consent for legitimate applications by mistake, filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_user_consent_denied_for_oauth_application_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD User Enabled And Password Reset", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2023-12-20", "version": 2, "id": "1347b9e8-2daa-4a6f-be73-b421d3d9e268", "description": "The following analytic identifies an Azure AD user enabling a previously disabled account and resetting its password within 2 minutes. This behavior could represent an adversary who has obtained administrative access and is trying to establish a backdoor identity within an Azure AD tenant.", "references": ["https://attack.mitre.org/techniques/T1098/"], "tags": {"analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "initiatedBy", "type": "User", "role": ["Attacker"]}], "message": "A user account, $user$, was enabled and its password reset within 2 minutes by $initiatedBy$", "risk_score": 45, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}]}, "type": "TTP", "search": " `azure_monitor_aad` (operationName=\"Enable account\" OR operationName=\"Reset password (by admin)\" OR operationName=\"Update user\") | transaction user startsWith=(operationName=\"Enable account\") endsWith=(operationName=\"Reset password (by admin)\") maxspan=2m | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | stats count min(_time) as firstTime max(_time) as lastTime values(operationName) as operationName values(initiatedBy) as initiatedBy by user, result | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_user_enabled_and_password_reset_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.", "known_false_positives": "While not common, Administrators may enable accounts and reset their passwords for legitimate reasons. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_user_enabled_and_password_reset_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD User ImmutableId Attribute Updated", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2022-09-02", "version": 1, "id": "0c0badad-4536-4a84-a561-5ff760f3c00e", "description": "The following analytic identifies the modification of the SourceAnchor (also called ImmutableId) attribute for an Azure Active Directory user. Updating this attribute is a step required to set up the Azure Active Directory identity federation backdoor technique discovered by security researcher Nestori Syynimaa. Similar to Active Directory, Azure AD uses the concept of domains to manage directories of identities. A new Azure AD tenant will initially contain a single domain that is commonly called the `cloud-only` onmicrosoft.com domain. Organizations can also add their registered custom domains to Azure AD for email addresses to match the organizations domain name. If the organization intends to use a third-party identity provider such as ADFS for authentication, the added custom domains can be configured as federated. An adversary who has obtained privileged access to an Azure AD tenant may leverage this technique to establish persistence and be able to authenticate to Azure AD impersonating any user and bypassing the requirement to have a valid password and/or perform MFA.", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-design-concepts", "https://www.mandiant.com/resources/remediation-and-hardening-strategies-microsoft-365-defend-against-apt29-v13", "https://o365blog.com/post/federation-vulnerability/", "https://www.inversecos.com/2021/11/how-to-detect-azure-active-directory.html", "https://www.mandiant.com/resources/blog/detecting-microsoft-365-azure-active-directory-backdoors", "https://attack.mitre.org/techniques/T1098/"], "tags": {"analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "initiatedBy", "type": "User", "role": ["Attacker"]}], "message": "The SourceAnchor or ImmutableID attribute has been modified for user $user$ by $initiatedBy$", "risk_score": 45, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}]}, "type": "TTP", "search": " `azure_monitor_aad` operationName=\"Update user\" properties.targetResources{}.modifiedProperties{}.displayName=SourceAnchor | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.modifiedProperties{}.newValue as modifiedProperties | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user values(modifiedProperties) as modifiedProperties by initiatedBy, src_ip, result, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_user_immutableid_attribute_updated_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.", "known_false_positives": "The SourceAnchor (also called ImmutableId) Azure AD attribute has legitimate uses for directory synchronization. Investigate and filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_user_immutableid_attribute_updated_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure Automation Account Created", "author": "Mauricio Velazco, Splunk", "date": "2023-12-20", "version": 2, "id": "860902fd-2e76-46b3-b050-ba548dab576c", "description": "The following analytic identifies the creation of a new Azure Automation account within an Azure tenant. Azure Automation is a cloud-based automation platform that allows administrators to automate Azure management tasks and orchestrate actions across external systems within Azure using PowerShell and Python. Azure Automation can also be configured to automate tasks on on premise infrastructure using a component called a Hybrid Runbook Worker. Automation accounts serve as a container to isolate Automation resources, runbooks, assets, and configurations from the resources of other accounts. They allow administrators to separate resources into logical environments or delegated responsibilities. Adversaries or red teams who have obtained privileged access to an Azure tenant may create an Azure Automation account with elevated privileges to maintain persistence in the Azure tenant. A malicious Automation Runbook can be created to create Global Administrators in Azure AD, execute code on VMs, etc.", "references": ["https://docs.microsoft.com/en-us/azure/automation/overview", "https://docs.microsoft.com/en-us/azure/automation/automation-create-standalone-account?tabs=azureportal", "https://docs.microsoft.com/en-us/azure/automation/automation-hybrid-runbook-worker", "https://www.inversecos.com/2021/12/how-to-detect-malicious-azure.html", "https://www.netspi.com/blog/technical/cloud-penetration-testing/maintaining-azure-persistence-via-automation-accounts/", "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT503/AZT503-3/", "https://attack.mitre.org/techniques/T1136/003/"], "tags": {"analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Azure Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A new Azure Automation account $object$ was created by $user$", "risk_score": 63, "security_domain": "audit", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider", "Scattered Spider"]}, {"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}]}, "type": "TTP", "search": " `azure_audit` operationName.localizedValue=\"Create or Update an Azure Automation account\" status.value=Succeeded | dedup object | rename claims.ipaddr as src_ip | rename caller as user | stats count min(_time) as firstTime max(_time) as lastTime values(object) as object by user, src_ip, resourceGroupName, object_path | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_automation_account_created_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Audit events into your Splunk environment. Specifically, this analytic leverages the Azure Activity log category.", "known_false_positives": "Administrators may legitimately create Azure Automation accounts. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_audit", "definition": "sourcetype=mscs:azure:audit", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_automation_account_created_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure Automation Runbook Created", "author": "Mauricio Velazco, Splunk", "date": "2023-11-07", "version": 2, "id": "178d696d-6dc6-4ee8-9d25-93fee34eaf5b", "description": "The following analytic identifies the creation of a new Azure Automation Runbook within an Azure tenant. Azure Automation is a cloud-based automation platform that allows administrators to automate Azure management tasks and orchestrate actions across external systems within Azure. Azure Automation script files called Runbooks that can be written in PowerShell or Python. Adversaries or red teams who have obtained privileged access to an Azure tenant may create an Azure Automation Runbook that runs with elevated privileges to maintain persistence in the Azure tenant. A malicious Automation Runbook can be created to create Global Administrators in Azure AD, execute code on VMs, etc.", "references": ["https://docs.microsoft.com/en-us/azure/automation/overview", "https://docs.microsoft.com/en-us/azure/automation/automation-runbook-types", "https://docs.microsoft.com/en-us/azure/automation/manage-runbooks", "https://www.inversecos.com/2021/12/how-to-detect-malicious-azure.html", "https://www.netspi.com/blog/technical/cloud-penetration-testing/maintaining-azure-persistence-via-automation-accounts/", "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT503/AZT503-3/", "https://attack.mitre.org/techniques/T1136/003/"], "tags": {"analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Azure Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A new Azure Automation Runbook $object$ was created by $user$", "risk_score": 63, "security_domain": "audit", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider", "Scattered Spider"]}, {"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}]}, "type": "TTP", "search": " `azure_audit` operationName.localizedValue=\"Create or Update an Azure Automation Runbook\" object!=AzureAutomationTutorial* status.value=Succeeded | dedup object | rename claims.ipaddr as src_ip | rename caller as user | stats count min(_time) as firstTime max(_time) as lastTime by object user, src_ip, resourceGroupName, object_path | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_automation_runbook_created_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Audit events into your Splunk environment. Specifically, this analytic leverages the Azure Activity log category.", "known_false_positives": "Administrators may legitimately create Azure Automation Runbooks. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_audit", "definition": "sourcetype=mscs:azure:audit", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_automation_runbook_created_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure Runbook Webhook Created", "author": "Mauricio Velazco, Splunk", "date": "2023-12-20", "version": 3, "id": "e98944a9-92e4-443c-81b8-a322e33ce75a", "description": "The following analytic identifies the creation of a new Automation Runbook Webhook within an Azure tenant. Azure Automation is a cloud-based automation platform that allows administrators to automate Azure management tasks and orchestrate actions across external systems within Azure. Azure Automation script files called Runbooks that can be written in PowerShell or Python. One of the ways administrators can configure a Runbook to be executed is through HTTP Webhooks. Webhooks leverage custom unauthenticated URLs that are exposed to the Internet. An adversary who has obtained privileged access to an Azure tenant may create a Webhook to trigger the execution of an Automation Runbook with malicious code that can create users or execute code on a VM. This provides a persistent foothold on the environment.", "references": ["https://docs.microsoft.com/en-us/azure/automation/overview", "https://docs.microsoft.com/en-us/azure/automation/automation-runbook-types", "https://docs.microsoft.com/en-us/azure/automation/automation-webhooks?tabs=portal", "https://www.inversecos.com/2021/12/how-to-detect-malicious-azure.html", "https://www.netspi.com/blog/technical/cloud-penetration-testing/maintaining-azure-persistence-via-automation-accounts/", "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT503/AZT503-3/", "https://attack.mitre.org/techniques/T1078/004/"], "tags": {"analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Azure Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A new Azure Runbook Webhook $object$ was created by $user$", "risk_score": 63, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}]}, "type": "TTP", "search": " `azure_audit` operationName.localizedValue=\"Create or Update an Azure Automation webhook\" status.value=Succeeded | dedup object | rename claims.ipaddr as src_ip | rename caller as user | stats count min(_time) as firstTime max(_time) as lastTime by object user, src_ip, resourceGroupName, object_path | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_runbook_webhook_created_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Audit events into your Splunk environment. Specifically, this analytic leverages the Azure Activity log category.", "known_false_positives": "Administrators may legitimately create Azure Runbook Webhooks. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_audit", "definition": "sourcetype=mscs:azure:audit", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_runbook_webhook_created_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Circle CI Disable Security Job", "author": "Patrick Bareiss, Splunk", "date": "2021-09-02", "version": 1, "id": "4a2fdd41-c578-4cd4-9ef7-980e352517f2", "description": "This analytic searches for a specific behavior in CircleCI pipelines such as the disabling of security jobs. The detection is made by using a Splunk query that renames certain fields and retrieves values for specified job names, workflow IDs and names, user information, commit messages, URLs, and branches. Then, the query identifies mandatory jobs for each workflow and searches for instances where they were run. The search also identifies the phase of the pipeline as \"build\" and extracts the repository name from the URL using regular expressions. The detection is important because it detects attempts to bypass security measures in CircleCI pipelines, which can potentially lead to malicious code being introduced into the pipeline, data breaches, system downtime, and reputational damage. False positives might occur since legitimate use cases can require the disabling of security jobs. However, you can proactively monitor and identify any suspicious activity in the pipeline using this analytic and mitigate potential threats through early detection.", "references": [], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "CircleCI", "cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Disable security job $mandatory_job$ in workflow $workflow_name$ from user $user$", "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1554", "mitre_attack_technique": "Compromise Host Software Binary", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT5"]}]}, "type": "Anomaly", "search": "`circleci` | rename vcs.committer_name as user vcs.subject as commit_message vcs.url as url workflows.* as * | stats values(job_name) as job_names by workflow_id workflow_name user commit_message url branch | lookup mandatory_job_for_workflow workflow_name OUTPUTNEW job_name AS mandatory_job | search mandatory_job=* | eval mandatory_job_executed=if(like(job_names, \"%\".mandatory_job.\"%\"), 1, 0) | where mandatory_job_executed=0 | eval phase=\"build\" | rex field=url \"(?[^\\/]*\\/[^\\/]*)$\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `circle_ci_disable_security_job_filter`", "how_to_implement": "You must index CircleCI logs.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "circleci", "definition": "sourcetype=circleci", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "circle_ci_disable_security_job_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "mandatory_job_for_workflow", "description": "A lookup file that will be used to define the mandatory job for workflow", "filename": "mandatory_job_for_workflow.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": null, "min_matches": null, "fields_list": null}]}, {"name": "Circle CI Disable Security Step", "author": "Patrick Bareiss, Splunk", "date": "2021-09-01", "version": 1, "id": "72cb9de9-e98b-4ac9-80b2-5331bba6ea97", "description": "The following analytic detects the disablement of security steps in a CircleCI pipeline. Addressing instances of security step disablement in CircleCI pipelines can mitigate the risks associated with potential security vulnerabilities and unauthorized changes. A proactive approach helps protect the organization's infrastructure, data, and overall security posture. The detection is made by a Splunk query that searches for specific criteria within CircleCI logs through a combination of field renaming, joining, and statistical analysis to identify instances where security steps are disabled. It retrieves information such as job IDs, job names, commit details, and user information from the CircleCI logs. The detection is important because it indicates potential security vulnerabilities or unauthorized changes to the pipeline caused by someone within the organization intentionally or unintentionally disabling security steps in the CircleCI pipeline.Disabling security steps can leave the pipeline and the associated infrastructure exposed to potential attacks, data breaches, or the introduction of malicious code into the pipeline. Investigate by reviewing the job name, commit details, and user information associated with the disablement of security steps. You must also examine any relevant on-disk artifacts and identify concurrent processes that might indicate the source of the attack or unauthorized change.", "references": [], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "CircleCI", "cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Disable security step $mandatory_step$ in job $job_name$ from user $user$", "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1554", "mitre_attack_technique": "Compromise Host Software Binary", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT5"]}]}, "type": "Anomaly", "search": "`circleci` | rename workflows.job_id AS job_id | join job_id [ | search `circleci` | stats values(name) as step_names count by job_id job_name ] | stats count by step_names job_id job_name vcs.committer_name vcs.subject vcs.url owners{} | rename vcs.* as * , owners{} as user | lookup mandatory_step_for_job job_name OUTPUTNEW step_name AS mandatory_step | search mandatory_step=* | eval mandatory_step_executed=if(like(step_names, \"%\".mandatory_step.\"%\"), 1, 0) | where mandatory_step_executed=0 | rex field=url \"(?[^\\/]*\\/[^\\/]*)$\" | eval phase=\"build\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `circle_ci_disable_security_step_filter`", "how_to_implement": "You must index CircleCI logs.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "circleci", "definition": "sourcetype=circleci", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "circle_ci_disable_security_step_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "mandatory_step_for_job", "description": "A lookup file that will be used to define the mandatory step for job", "filename": "mandatory_step_for_job.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": null, "min_matches": null, "fields_list": null}]}, {"name": "Cloud API Calls From Previously Unseen User Roles", "author": "David Dorsey, Splunk", "date": "2020-09-04", "version": 1, "id": "2181ad1f-1e73-4d0c-9780-e8880482a08f", "description": "The following analytic detects when a new command is run by a user, who typically does not run those commands. The detection is made by a Splunk query to search for these commands in the Change data model. Identifies commands run by users with the user_type of AssumedRole and a status of success. The query retrieves the earliest and latest timestamps of each command run and groups the results by the user and command. Then, it drops the unnecessary data model object name and creates a lookup to verify if the command was seen before. The lookup table contains information about previously seen cloud API calls for each user role, including the first time the command was seen and whether enough data is available for analysis. If the firstTimeSeenUserApiCall field is null or greater than the relative time of 24 hours ago, it indicates that the command is new and was not seen before. The final result table includes the firstTime, user, object, and command fields of the new commands. It also applies the security_content_ctime function to format the timestamps and applies a filter to remove any cloud API calls from previously unseen user roles. The detection is important because it helps to identify new commands run by different user roles. New commands can indicate potential malicious activity or unauthorized actions within the environment. Detecting and investigating these new commands can help identify and mitigate potential security threats earlier, preventing data breaches, unauthorized access, or other damaging outcomes.", "references": [], "tags": {"analytic_story": ["Suspicious Cloud User Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ of type AssumedRole attempting to execute new API calls $command$ that have not been seen before", "risk_score": 36, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "type": "Anomaly", "search": "| tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Change where All_Changes.user_type=AssumedRole AND All_Changes.status=success by All_Changes.user, All_Changes.command All_Changes.object | `drop_dm_object_name(\"All_Changes\")` | lookup previously_seen_cloud_api_calls_per_user_role user as user, command as command OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenUserApiCall=min(firstTimeSeen) | where isnull(firstTimeSeenUserApiCall) OR firstTimeSeenUserApiCall > relative_time(now(),\"-24h@h\") | table firstTime, user, object, command |`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `cloud_api_calls_from_previously_unseen_user_roles_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud API Calls Per User Role - Initial` to build the initial table of user roles, commands, and times. You must also enable the second baseline search `Previously Seen Cloud API Calls Per User Role - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `cloud_api_calls_from_previously_unseen_user_roles_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_api_calls_from_previously_unseen_user_roles_filter`", "known_false_positives": "None.", "datamodel": ["Change"], "source": "cloud", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloud_api_calls_from_previously_unseen_user_roles_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_cloud_api_calls_per_user_role", "description": "A table of users, commands, and the first and last time that they have been seen", "collection": "previously_seen_cloud_api_calls_per_user_role", "case_sensitive_match": null, "fields_list": "_key, user, command, firstTimeSeen, lastTimeSeen, enough_data"}]}, {"name": "Cloud Compute Instance Created By Previously Unseen User", "author": "Rico Valdez, Splunk", "date": "2025-05-18", "version": 3, "id": "37a0ec8d-827e-4d6d-8025-cedf31f3a149", "description": "The following analytic identifies the creation of cloud compute instances by users who have not previously created them. It leverages data from the Change data model, focusing on 'create' actions by users, and cross-references with a baseline of known user activities. This activity is significant as it may indicate unauthorized access or misuse of cloud resources by new or compromised accounts. If confirmed malicious, attackers could deploy unauthorized compute instances, leading to potential data exfiltration, increased costs, or further exploitation within the cloud environment.", "references": [], "tags": {"analytic_story": ["Cloud Cryptomining"], "asset_type": "Cloud Compute Instance", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "User $user$ is creating a new instance $dest$ for the first time", "risk_score": 18, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object) as dest from datamodel=Change where All_Changes.action=created by All_Changes.user All_Changes.vendor_region | `drop_dm_object_name(\"All_Changes\")` | lookup previously_seen_cloud_compute_creations_by_user user as user OUTPUTNEW firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenUser=min(firstTimeSeen) | where isnull(firstTimeSeenUser) OR firstTimeSeenUser > relative_time(now(), \"-24h@h\") | table firstTime, user, dest, count vendor_region | `security_content_ctime(firstTime)` | `cloud_compute_instance_created_by_previously_unseen_user_filter`", "how_to_implement": "You must be ingesting the appropriate cloud-infrastructure logs Run the \"Previously Seen Cloud Compute Creations By User\" support search to create of baseline of previously seen users.", "known_false_positives": "It's possible that a user will start to create compute instances for the first time, for any number of reasons. Verify with the user launching instances that this is the intended behavior.", "datamodel": ["Change"], "source": "cloud", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "cloud_compute_instance_created_by_previously_unseen_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_cloud_compute_creations_by_user", "description": "A table of previously seen users creating cloud instances", "collection": "previously_seen_cloud_compute_creations_by_user", "case_sensitive_match": null, "fields_list": "_key, firstTimeSeen, lastTimeSeen, user, enough_data"}]}, {"name": "Cloud Compute Instance Created In Previously Unused Region", "author": "David Dorsey, Splunk", "date": "2024-05-10", "version": 2, "id": "fa4089e2-50e3-40f7-8469-d2cc1564ca59", "description": "The following analytic detects the creation of a cloud compute instance in a region that has not been previously used within the last hour. It leverages cloud infrastructure logs and compares the regions of newly created instances against a lookup file of historically used regions. This activity is significant because the creation of instances in new regions can indicate unauthorized or suspicious activity, such as an attacker attempting to evade detection or establish a foothold in a less monitored area. If confirmed malicious, this could lead to unauthorized resource usage, data exfiltration, or further compromise of the cloud environment.", "references": [], "tags": {"analytic_story": ["Cloud Cryptomining"], "asset_type": "Cloud Compute Instance", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "User $user$ is creating an instance $dest$ in a new region for the first time", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "| tstats earliest(_time) as firstTime latest(_time) as lastTime values(All_Changes.object_id) as dest, count from datamodel=Change where All_Changes.action=created by All_Changes.vendor_region, All_Changes.user | `drop_dm_object_name(\"All_Changes\")` | lookup previously_seen_cloud_regions vendor_region as vendor_region OUTPUTNEW firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenRegion=min(firstTimeSeen) | where isnull(firstTimeSeenRegion) OR firstTimeSeenRegion > relative_time(now(), \"-24h@h\") | table firstTime, user, dest, count , vendor_region | `security_content_ctime(firstTime)` | `cloud_compute_instance_created_in_previously_unused_region_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Regions - Initial` to build the initial table of images observed and times. You must also enable the second baseline search `Previously Seen Cloud Regions - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `cloud_compute_instance_created_in_previously_unused_region_filter` macro.", "known_false_positives": "It's possible that a user has unknowingly started an instance in a new region. Please verify that this activity is legitimate.", "datamodel": ["Change"], "source": "cloud", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloud_compute_instance_created_in_previously_unused_region_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_cloud_regions", "description": "A table of vendor_region values and the first and last time that they have been observed in cloud provisioning activities", "collection": "previously_seen_cloud_regions", "case_sensitive_match": null, "fields_list": "_key, firstTimeSeen, lastTimeSeen, vendor_region, enough_data"}]}, {"name": "Cloud Compute Instance Created With Previously Unseen Image", "author": "David Dorsey, Splunk", "date": "2018-10-12", "version": 1, "id": "bc24922d-987c-4645-b288-f8c73ec194c4", "description": "The following analytic detects potential instances that are created in a cloud computing environment using new or unknown image IDs that have not been seen before. This detection is important because it helps to investigate and take appropriate action to prevent further damage or unauthorized access to the Cloud environment, which can include data breaches, unauthorized access to sensitive information, or the deployment of malicious payloads within the cloud environment. False positives might occur since legitimate instances can also have previously unseen image IDs. Next steps include conducting an extensive triage and investigation to determine the nature of the activity. During triage, review the details of the created instances, including the user responsible for the creation, the image ID used, and any associated metadata. Additionally, consider inspecting any relevant on-disk artifacts and analyzing concurrent processes to identify the source of the attack.", "references": [], "tags": {"analytic_story": ["Cloud Cryptomining"], "asset_type": "Cloud Compute Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "User $user$ is creating an instance $dest$ with an image that has not been previously seen.", "risk_score": 36, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats count earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object_id) as dest from datamodel=Change where All_Changes.action=created by All_Changes.Instance_Changes.image_id, All_Changes.user | `drop_dm_object_name(\"All_Changes\")` | `drop_dm_object_name(\"Instance_Changes\")` | where image_id != \"unknown\" | lookup previously_seen_cloud_compute_images image_id as image_id OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenImage=min(firstTimeSeen) | where isnull(firstTimeSeenImage) OR firstTimeSeenImage > relative_time(now(), \"-24h@h\") | table firstTime, user, image_id, count, dest | `security_content_ctime(firstTime)` | `cloud_compute_instance_created_with_previously_unseen_image_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Compute Images - Initial` to build the initial table of images observed and times. You must also enable the second baseline search `Previously Seen Cloud Compute Images - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `cloud_compute_instance_created_with_previously_unseen_image_filter` macro.", "known_false_positives": "After a new image is created, the first systems created with that image will cause this alert to fire. Verify that the image being used was created by a legitimate user.", "datamodel": ["Change"], "source": "cloud", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloud_compute_instance_created_with_previously_unseen_image_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_cloud_compute_images", "description": "A table of previously seen Cloud image IDs", "collection": "previously_seen_cloud_compute_images", "case_sensitive_match": null, "fields_list": "_key, firstTimeSeen, lastTimeSeen, image_id, enough_data"}]}, {"name": "Cloud Compute Instance Created With Previously Unseen Instance Type", "author": "David Dorsey, Splunk", "date": "2020-09-12", "version": 1, "id": "c6ddbf53-9715-49f3-bb4c-fb2e8a309cda", "description": "The following analytic detects the creation of EC2 instances with previously unseen instance types. The detection is made by using a Splunk query to identify the EC2 instances. First, the query searches for changes in the EC2 instance creation action and filters for instances with instance types that are not recognized or previously seen. Next, the query uses the Splunk tstats command to gather the necessary information from the Change data model. Then, it filters the instances with unknown instance types and reviews previously seen instance types to determine if they are new or not. The detection is important because it identifies attackers attempting to create instances with unknown or potentially compromised instance types, which can be an attempt to gain unauthorized access to sensitive data, compromise of systems, exfiltrate data, potential disruption of services, or launch other malicious activities within the environment. False positives might occur since there might be legitimate reasons for creating instances with previously unseen instance types. Therefore, you must carefully review and triage all alerts.", "references": [], "tags": {"analytic_story": ["Cloud Cryptomining"], "asset_type": "Cloud Compute Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "User $user$ is creating an instance $dest$ with an instance type $instance_type$ that has not been previously seen.", "risk_score": 30, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object_id) as dest, count from datamodel=Change where All_Changes.action=created by All_Changes.Instance_Changes.instance_type, All_Changes.user | `drop_dm_object_name(\"All_Changes\")` | `drop_dm_object_name(\"Instance_Changes\")` | where instance_type != \"unknown\" | lookup previously_seen_cloud_compute_instance_types instance_type as instance_type OUTPUTNEW firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenInstanceType=min(firstTimeSeen) | where isnull(firstTimeSeenInstanceType) OR firstTimeSeenInstanceType > relative_time(now(), \"-24h@h\") | table firstTime, user, dest, count, instance_type | `security_content_ctime(firstTime)` | `cloud_compute_instance_created_with_previously_unseen_instance_type_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Compute Instance Types - Initial` to build the initial table of instance types observed and times. You must also enable the second baseline search `Previously Seen Cloud Compute Instance Types - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `cloud_compute_instance_created_with_previously_unseen_instance_type_filter` macro.", "known_false_positives": "It is possible that an admin will create a new system using a new instance type that has never been used before. Verify with the creator that they intended to create the system with the new instance type.", "datamodel": ["Change"], "source": "cloud", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloud_compute_instance_created_with_previously_unseen_instance_type_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_cloud_compute_instance_types", "description": "A place holder for a list of used cloud compute instance types", "collection": "previously_seen_cloud_compute_instance_types", "case_sensitive_match": null, "fields_list": "_key, firstTimeSeen, lastTimeSeen, instance_type, enough_data"}]}, {"name": "Cloud Instance Modified By Previously Unseen User", "author": "Rico Valdez, Splunk", "date": "2024-05-17", "version": 2, "id": "7fb15084-b14e-405a-bd61-a6de15a40722", "description": "The following analytic identifies cloud instances being modified by users who have not previously modified them. It leverages data from the Change data model, focusing on successful modifications of EC2 instances. This activity is significant because it can indicate unauthorized or suspicious changes by potentially compromised or malicious users. If confirmed malicious, this could lead to unauthorized access, configuration changes, or potential disruption of cloud services, posing a significant risk to the organization's cloud infrastructure.", "references": [], "tags": {"analytic_story": ["Suspicious Cloud Instance Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "message": "User $user$ is modifying an instance $object_id$ for the first time.", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object_id) as object_id values(All_Changes.command) as command from datamodel=Change where All_Changes.action=modified All_Changes.change_type=EC2 All_Changes.status=success by All_Changes.user | `drop_dm_object_name(\"All_Changes\")` | lookup previously_seen_cloud_instance_modifications_by_user user as user OUTPUTNEW firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenUser=min(firstTimeSeen) | where isnull(firstTimeSeenUser) OR firstTimeSeenUser > relative_time(now(), \"-24h@h\") | table firstTime user command object_id count | `security_content_ctime(firstTime)` | `cloud_instance_modified_by_previously_unseen_user_filter`", "how_to_implement": "This search has a dependency on other searches to create and update a baseline of users observed to be associated with this activity. The search \"Previously Seen Cloud Instance Modifications By User - Update\" should be enabled for this detection to properly work.", "known_false_positives": "It's possible that a new user will start to modify EC2 instances when they haven't before for any number of reasons. Verify with the user that is modifying instances that this is the intended behavior.", "datamodel": ["Change"], "source": "cloud", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "cloud_instance_modified_by_previously_unseen_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_cloud_instance_modifications_by_user", "description": "A table of users seen making instance modifications, and the first and last time that the activity was observed", "collection": "previously_seen_cloud_instance_modifications_by_user", "case_sensitive_match": null, "fields_list": "_key, firstTimeSeen, lastTimeSeen, user, enough_data"}]}, {"name": "Cloud Provisioning Activity From Previously Unseen City", "author": "Rico Valdez, Bhavin Patel, Splunk", "date": "2024-05-16", "version": 2, "id": "e7ecc5e0-88df-48b9-91af-51104c68f02f", "description": "The following analytic detects cloud provisioning activities originating from previously unseen cities. It leverages cloud infrastructure logs and compares the geographic location of the source IP address against a baseline of known locations. This activity is significant as it may indicate unauthorized access or misuse of cloud resources from an unexpected location. If confirmed malicious, this could lead to unauthorized resource creation, potential data exfiltration, or further compromise of cloud infrastructure.", "references": [], "tags": {"analytic_story": ["Suspicious Cloud Provisioning Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "object", "type": "Endpoint", "role": ["Victim"]}], "message": "User $user$ is starting or creating an instance $object$ for the first time in City $City$ from IP address $src$", "risk_score": 18, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "type": "Anomaly", "search": "| tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Change where (All_Changes.action=started OR All_Changes.action=created) All_Changes.status=success by All_Changes.src, All_Changes.user, All_Changes.object, All_Changes.command | `drop_dm_object_name(\"All_Changes\")` | iplocation src | where isnotnull(City) | lookup previously_seen_cloud_provisioning_activity_sources City as City OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenCity=min(firstTimeSeen) | where isnull(firstTimeSeenCity) OR firstTimeSeenCity > relative_time(now(), `previously_unseen_cloud_provisioning_activity_window`) | table firstTime, src, City, user, object, command | `cloud_provisioning_activity_from_previously_unseen_city_filter` | `security_content_ctime(firstTime)`", "how_to_implement": "You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Provisioning Activity Sources - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen Cloud Provisioning Activity Sources - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `previously_unseen_cloud_provisioning_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_provisioning_activity_from_previously_unseen_city_filter` macro.", "known_false_positives": "This is a strictly behavioral search, so we define \"false positive\" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no \"false positives\" in a traditional sense, there is definitely lots of noise.\nThis search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.", "datamodel": ["Change"], "source": "cloud", "nes_fields": null, "macros": [{"name": "previously_unseen_cloud_provisioning_activity_window", "definition": "\"-70m@m\"", "description": "Use this macro to determine how far back you should be checking for new provisioning activities"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloud_provisioning_activity_from_previously_unseen_city_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_cloud_provisioning_activity_sources", "description": "A table of source IPs, geographic locations, and the first and last time that they have that done cloud provisioning activities", "collection": "previously_seen_cloud_provisioning_activity_sources", "case_sensitive_match": null, "fields_list": "_key, src, City, Country, Region, firstTimeSeen, lastTimeSeen, enough_data"}]}, {"name": "Cloud Provisioning Activity From Previously Unseen Country", "author": "Rico Valdez, Bhavin Patel, Splunk", "date": "2024-05-22", "version": 2, "id": "94994255-3acf-4213-9b3f-0494df03bb31", "description": "The following analytic detects cloud provisioning activities originating from previously unseen countries. It leverages cloud infrastructure logs and compares the geographic location of the source IP address against a baseline of known locations. This activity is significant as it may indicate unauthorized access or potential compromise of cloud resources. If confirmed malicious, an attacker could gain control over cloud assets, leading to data breaches, service disruptions, or further infiltration into the network.", "references": [], "tags": {"analytic_story": ["Suspicious Cloud Provisioning Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "object", "type": "Endpoint", "role": ["Victim"]}], "message": "User $user$ is starting or creating an instance $object$ for the first time in Country $Country$ from IP address $src$", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "type": "Anomaly", "search": "| tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Change where (All_Changes.action=started OR All_Changes.action=created) All_Changes.status=success by All_Changes.src, All_Changes.user, All_Changes.object, All_Changes.command | `drop_dm_object_name(\"All_Changes\")` | iplocation src | where isnotnull(Country) | lookup previously_seen_cloud_provisioning_activity_sources Country as Country OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenCountry=min(firstTimeSeen) | where isnull(firstTimeSeenCountry) OR firstTimeSeenCountry > relative_time(now(), \"-24h@h\") | table firstTime, src, Country, user, object, command | `cloud_provisioning_activity_from_previously_unseen_country_filter` | `security_content_ctime(firstTime)`", "how_to_implement": "You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Provisioning Activity Sources - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen Cloud Provisioning Activity Sources - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `previously_unseen_cloud_provisioning_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_provisioning_activity_from_previously_unseen_country_filter` macro.", "known_false_positives": "This is a strictly behavioral search, so we define \"false positive\" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no \"false positives\" in a traditional sense, there is definitely lots of noise.\nThis search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.", "datamodel": ["Change"], "source": "cloud", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloud_provisioning_activity_from_previously_unseen_country_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_cloud_provisioning_activity_sources", "description": "A table of source IPs, geographic locations, and the first and last time that they have that done cloud provisioning activities", "collection": "previously_seen_cloud_provisioning_activity_sources", "case_sensitive_match": null, "fields_list": "_key, src, City, Country, Region, firstTimeSeen, lastTimeSeen, enough_data"}]}, {"name": "Cloud Provisioning Activity From Previously Unseen IP Address", "author": "Rico Valdez, Splunk", "date": "2024-05-16", "version": 2, "id": "f86a8ec9-b042-45eb-92f4-e9ed1d781078", "description": "The following analytic detects cloud provisioning activities originating from previously unseen IP addresses. It leverages cloud infrastructure logs to identify events where resources are created or started, and cross-references these with a baseline of known IP addresses. This activity is significant as it may indicate unauthorized access or potential misuse of cloud resources. If confirmed malicious, an attacker could gain unauthorized control over cloud resources, leading to data breaches, service disruptions, or increased operational costs.", "references": [], "tags": {"analytic_story": ["Suspicious Cloud Provisioning Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "object_id", "type": "Endpoint", "role": ["Victim"]}], "message": "User $user$ is starting or creating an instance $object_id$ for the first time from IP address $src$", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "type": "Anomaly", "search": "| tstats earliest(_time) as firstTime, latest(_time) as lastTime, values(All_Changes.object_id) as object_id from datamodel=Change where (All_Changes.action=started OR All_Changes.action=created) All_Changes.status=success by All_Changes.src, All_Changes.user, All_Changes.command | `drop_dm_object_name(\"All_Changes\")` | lookup previously_seen_cloud_provisioning_activity_sources src as src OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenSrc=min(firstTimeSeen) | where isnull(firstTimeSeenSrc) OR firstTimeSeenSrc > relative_time(now(), `previously_unseen_cloud_provisioning_activity_window`) | table firstTime, src, user, object_id, command | `cloud_provisioning_activity_from_previously_unseen_ip_address_filter` | `security_content_ctime(firstTime)`", "how_to_implement": "You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Provisioning Activity Sources - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen Cloud Provisioning Activity Sources - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `previously_unseen_cloud_provisioning_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_provisioning_activity_from_previously_unseen_ip_address_filter` macro.", "known_false_positives": "This is a strictly behavioral search, so we define \"false positive\" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no \"false positives\" in a traditional sense, there is definitely lots of noise.\nThis search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.", "datamodel": ["Change"], "source": "cloud", "nes_fields": null, "macros": [{"name": "previously_unseen_cloud_provisioning_activity_window", "definition": "\"-70m@m\"", "description": "Use this macro to determine how far back you should be checking for new provisioning activities"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloud_provisioning_activity_from_previously_unseen_ip_address_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_cloud_provisioning_activity_sources", "description": "A table of source IPs, geographic locations, and the first and last time that they have that done cloud provisioning activities", "collection": "previously_seen_cloud_provisioning_activity_sources", "case_sensitive_match": null, "fields_list": "_key, src, City, Country, Region, firstTimeSeen, lastTimeSeen, enough_data"}]}, {"name": "Cloud Provisioning Activity From Previously Unseen Region", "author": "Rico Valdez, Bhavin Patel, Splunk", "date": "2024-05-17", "version": 2, "id": "5aba1860-9617-4af9-b19d-aecac16fe4f2", "description": "The following analytic detects cloud provisioning activities originating from previously unseen regions. It leverages cloud infrastructure logs to identify events where resources are started or created, and cross-references these with a baseline of known regions. This activity is significant as it may indicate unauthorized access or misuse of cloud resources from unfamiliar locations. If confirmed malicious, this could lead to unauthorized resource creation, potential data exfiltration, or further compromise of cloud infrastructure.", "references": [], "tags": {"analytic_story": ["Suspicious Cloud Provisioning Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "object", "type": "Endpoint", "role": ["Victim"]}], "message": "User $user$ is starting or creating an instance $object$ for the first time in region $Region$ from IP address $src$", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "type": "Anomaly", "search": "| tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Change where (All_Changes.action=started OR All_Changes.action=created) All_Changes.status=success by All_Changes.src, All_Changes.user, All_Changes.object, All_Changes.command | `drop_dm_object_name(\"All_Changes\")` | iplocation src | where isnotnull(Region) | lookup previously_seen_cloud_provisioning_activity_sources Region as Region OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenRegion=min(firstTimeSeen) | where isnull(firstTimeSeenRegion) OR firstTimeSeenRegion > relative_time(now(), `previously_unseen_cloud_provisioning_activity_window`) | table firstTime, src, Region, user, object, command | `cloud_provisioning_activity_from_previously_unseen_region_filter` | `security_content_ctime(firstTime)`", "how_to_implement": "You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Provisioning Activity Sources - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen Cloud Provisioning Activity Sources - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `previously_unseen_cloud_provisioning_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_provisioning_activity_from_previously_unseen_region_filter` macro.", "known_false_positives": "This is a strictly behavioral search, so we define \"false positive\" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no \"false positives\" in a traditional sense, there is definitely lots of noise.\nThis search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.", "datamodel": ["Change"], "source": "cloud", "nes_fields": null, "macros": [{"name": "previously_unseen_cloud_provisioning_activity_window", "definition": "\"-70m@m\"", "description": "Use this macro to determine how far back you should be checking for new provisioning activities"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloud_provisioning_activity_from_previously_unseen_region_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_cloud_provisioning_activity_sources", "description": "A table of source IPs, geographic locations, and the first and last time that they have that done cloud provisioning activities", "collection": "previously_seen_cloud_provisioning_activity_sources", "case_sensitive_match": null, "fields_list": "_key, src, City, Country, Region, firstTimeSeen, lastTimeSeen, enough_data"}]}, {"name": "Cloud Security Groups Modifications by User", "author": "Bhavin Patel, Splunk", "date": "2024-02-21", "version": 1, "id": "cfe7cca7-2746-4bdf-b712-b01ed819b9de", "description": "The following analytic identifies users who are unsually modifying security group in your cloud enriovnment,focusing on actions such as modifications, deletions, or creations performed by users over 30-minute intervals. Analyzing patterns of modifications to security groups can help in identifying anomalous behavior that may indicate a compromised account or an insider threat.\nThe detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of users. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises.\nThis detection will only trigger on all user and service accounts that have created/modified/deleted a security group .\nThe analytics returned fields allow analysts to investigate the event further by providing fields like source ip and values of the security objects affected.", "references": ["https://attack.mitre.org/techniques/T1578/005/"], "tags": {"analytic_story": ["Suspicious Cloud User Activities"], "asset_type": "Cloud Instance", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Unsual number cloud security group modifications detected by user - $user$", "risk_score": 35, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1578.005", "mitre_attack_technique": "Modify Cloud Compute Configurations", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "| tstats dc(All_Changes.object) as unique_security_groups values(All_Changes.src) as src values(All_Changes.user_type) as user_type values(All_Changes.object_category) as object_category values(All_Changes.object) as objects values(All_Changes.action) as action values(All_Changes.user_agent) as user_agent values(All_Changes.command) as command from datamodel=Change WHERE All_Changes.object_category = \"security_group\" (All_Changes.action = modified OR All_Changes.action = deleted OR All_Changes.action = created) by All_Changes.user _time span=30m | `drop_dm_object_name(\"All_Changes\")` | eventstats avg(unique_security_groups) as avg_changes , stdev(unique_security_groups) as std_changes by user | eval upperBound=(avg_changes+std_changes*3) | eval isOutlier=if(unique_security_groups > 2 and unique_security_groups >= upperBound, 1, 0) | where isOutlier=1| `cloud_security_groups_modifications_by_user_filter`", "how_to_implement": "This search requries the Cloud infrastructure logs such as AWS Cloudtrail, GCP Pubsub Message logs, Azure Audit logs to be ingested into an accelerated Change datamodel. It is also recommended that users can try different combinations of the `bucket` span time and outlier conditions to better suit with their environment.", "known_false_positives": "It is possible that legitimate user/admin may modify a number of security groups", "datamodel": ["Change"], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloud_security_groups_modifications_by_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect AWS Console Login by New User", "author": "Rico Valdez, Splunk", "date": "2022-05-10", "version": 3, "id": "bc91a8cd-35e7-4bb2-6140-e756cc46fd71", "description": "This search looks for AWS CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert is fired if the user has logged into the console for the first time within the last hour", "references": [], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover", "Suspicious Cloud Authentication Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Weaponization"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ is logging into the AWS console for the first time", "risk_score": 30, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}]}, "type": "Hunting", "search": "| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user | `drop_dm_object_name(Authentication)` | join user type=outer [ | inputlookup previously_seen_users_console_logins | stats min(firstTime) as earliestseen by user] | eval userStatus=if(earliestseen >= relative_time(now(), \"-24h@h\") OR isnull(earliestseen), \"First Time Logging into AWS Console\", \"Previously Seen User\") | where userStatus=\"First Time Logging into AWS Console\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_aws_console_login_by_new_user_filter`", "how_to_implement": "You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the `Previously Seen Users in CloudTrail - Initial` support search only once to create a baseline of previously seen IAM users within the last 30 days. Run `Previously Seen Users in CloudTrail - Update` hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines.", "known_false_positives": "When a legitimate new user logins for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate.", "datamodel": ["Authentication"], "source": "cloud", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "detect_aws_console_login_by_new_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect AWS Console Login by User from New City", "author": "Bhavin Patel, Eric McGinnis Splunk", "date": "2022-08-25", "version": 2, "id": "121b0b11-f8ac-4ed6-a132-3800ca4fc07a", "description": "This search looks for AWS CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert is fired if the user has logged into the console for the first time within the last hour", "references": [], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover", "Compromised User Account", "Suspicious AWS Login Activities", "Suspicious Cloud Authentication Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Weaponization"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ is logging into the AWS console from City $City$ for the first time", "risk_score": 18, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "type": "Hunting", "search": "| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src | iplocation Authentication.src | `drop_dm_object_name(Authentication)` | rename City as justSeenCity | table firstTime lastTime user justSeenCity | join user type=outer [| inputlookup previously_seen_users_console_logins | rename City as previouslySeenCity | stats min(firstTime) AS earliestseen by user previouslySeenCity | fields earliestseen user previouslySeenCity] | eval userCity=if(firstTime >= relative_time(now(), \"-24h@h\"), \"New City\",\"Previously Seen City\") | where userCity = \"New City\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table firstTime lastTime user previouslySeenCity justSeenCity userCity | `detect_aws_console_login_by_user_from_new_city_filter`", "how_to_implement": "You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the `Previously Seen Users in AWS CloudTrail - Initial` support search only once to create a baseline of previously seen IAM users within the last 30 days. Run `Previously Seen Users in AWS CloudTrail - Update` hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines. You can also provide additional filtering for this search by customizing the `detect_aws_console_login_by_user_from_new_city_filter` macro.", "known_false_positives": "When a legitimate new user logins for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate.", "datamodel": ["Authentication"], "source": "cloud", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "detect_aws_console_login_by_user_from_new_city_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect AWS Console Login by User from New Country", "author": "Bhavin Patel, Eric McGinnis Splunk", "date": "2022-08-25", "version": 2, "id": "67bd3def-c41c-4bf6-837b-ae196b4257c6", "description": "This search looks for AWS CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert is fired if the user has logged into the console for the first time within the last hour", "references": [], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover", "Compromised User Account", "Suspicious AWS Login Activities", "Suspicious Cloud Authentication Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Weaponization"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ is logging into the AWS console from Country $Country$ for the first time", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "type": "Hunting", "search": "| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src | iplocation Authentication.src | `drop_dm_object_name(Authentication)` | rename Country as justSeenCountry | table firstTime lastTime user justSeenCountry | join user type=outer [| inputlookup previously_seen_users_console_logins | rename Country as previouslySeenCountry | stats min(firstTime) AS earliestseen by user previouslySeenCountry | fields earliestseen user previouslySeenCountry] | eval userCountry=if(firstTime >= relative_time(now(), \"-24h@h\"), \"New Country\",\"Previously Seen Country\") | where userCountry = \"New Country\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table firstTime lastTime user previouslySeenCountry justSeenCountry userCountry | `detect_aws_console_login_by_user_from_new_country_filter`", "how_to_implement": "You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the `Previously Seen Users in AWS CloudTrail - Initial` support search only once to create a baseline of previously seen IAM users within the last 30 days. Run `Previously Seen Users in AWS CloudTrail - Update` hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines. You can also provide additional filtering for this search by customizing the `detect_aws_console_login_by_user_from_new_country_filter` macro.", "known_false_positives": "When a legitimate new user logins for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate.", "datamodel": ["Authentication"], "source": "cloud", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "detect_aws_console_login_by_user_from_new_country_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect AWS Console Login by User from New Region", "author": "Bhavin Patel, Eric McGinnis Splunk", "date": "2022-08-25", "version": 2, "id": "9f31aa8e-e37c-46bc-bce1-8b3be646d026", "description": "This search looks for AWS CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert is fired if the user has logged into the console for the first time within the last hour", "references": [], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover", "Compromised User Account", "Suspicious AWS Login Activities", "Suspicious Cloud Authentication Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Weaponization"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ is logging into the AWS console from Region $Region$ for the first time", "risk_score": 36, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "type": "Hunting", "search": "| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src | iplocation Authentication.src | `drop_dm_object_name(Authentication)` | rename Region as justSeenRegion | table firstTime lastTime user justSeenRegion | join user type=outer [| inputlookup previously_seen_users_console_logins | rename Region as previouslySeenRegion | stats min(firstTime) AS earliestseen by user previouslySeenRegion | fields earliestseen user previouslySeenRegion] | eval userRegion=if(firstTime >= relative_time(now(), \"-24h@h\"), \"New Region\",\"Previously Seen Region\") | where userRegion= \"New Region\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table firstTime lastTime user previouslySeenRegion justSeenRegion userRegion | `detect_aws_console_login_by_user_from_new_region_filter`", "how_to_implement": "You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the `Previously Seen Users in AWS CloudTrail - Initial` support search only once to create a baseline of previously seen IAM users within the last 30 days. Run `Previously Seen Users in AWS CloudTrail - Update` hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines. You can also provide additional filtering for this search by customizing the `detect_aws_console_login_by_user_from_new_region_filter` macro.", "known_false_positives": "When a legitimate new user logins for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate.", "datamodel": ["Authentication"], "source": "cloud", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "detect_aws_console_login_by_user_from_new_region_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect GCP Storage access from a new IP", "author": "Shannon Davis, Splunk", "date": "2024-05-14", "version": 2, "id": "ccc3246a-daa1-11ea-87d0-0242ac130022", "description": "The following analytic identifies access to GCP Storage buckets from new or previously unseen remote IP addresses. It leverages GCP Storage bucket-access logs ingested via Cloud Pub/Sub and compares current access events against a lookup table of previously seen IP addresses. This activity is significant as it may indicate unauthorized access or potential reconnaissance by an attacker. If confirmed malicious, this could lead to data exfiltration, unauthorized data manipulation, or further compromise of the GCP environment.", "references": [], "tags": {"analytic_story": ["Suspicious GCP Storage Activities"], "asset_type": "GCP Storage Bucket", "cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "remote_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1530", "mitre_attack_technique": "Data from Cloud Storage", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Fox Kitten", "Scattered Spider"]}]}, "type": "Anomaly", "search": "`google_gcp_pubsub_message` | multikv | rename sc_status_ as status | rename cs_object_ as bucket_name | rename c_ip_ as remote_ip | rename cs_uri_ as request_uri | rename cs_method_ as operation | search status=\"\\\"200\\\"\" | stats earliest(_time) as firstTime latest(_time) as lastTime by bucket_name remote_ip operation request_uri | table firstTime, lastTime, bucket_name, remote_ip, operation, request_uri | inputlookup append=t previously_seen_gcp_storage_access_from_remote_ip | stats min(firstTime) as firstTime, max(lastTime) as lastTime by bucket_name remote_ip operation request_uri | outputlookup previously_seen_gcp_storage_access_from_remote_ip | eval newIP=if(firstTime >= relative_time(now(),\"-70m@m\"), 1, 0) | where newIP=1 | eval first_time=strftime(firstTime,\"%m/%d/%y %H:%M:%S\") | eval last_time=strftime(lastTime,\"%m/%d/%y %H:%M:%S\") | table first_time last_time bucket_name remote_ip operation request_uri | `detect_gcp_storage_access_from_a_new_ip_filter`", "how_to_implement": "This search relies on the Splunk Add-on for Google Cloud Platform, setting up a Cloud Pub/Sub input, along with the relevant GCP PubSub topics and logging sink to capture GCP Storage Bucket events (https://cloud.google.com/logging/docs/routing/overview). In order to capture public GCP Storage Bucket access logs, you must also enable storage bucket logging to your PubSub Topic as per https://cloud.google.com/storage/docs/access-logs. These logs are deposited into the nominated Storage Bucket on an hourly basis and typically show up by 15 minutes past the hour. It is recommended to configure any saved searches or correlation searches in Enterprise Security to run on an hourly basis at 30 minutes past the hour (cron definition of 30 * * * *). A lookup table (previously_seen_gcp_storage_access_from_remote_ip.csv) stores the previously seen access requests, and is used by this search to determine any newly seen IP addresses accessing the Storage Buckets.", "known_false_positives": "GCP Storage buckets can be accessed from any IP (if the ACLs are open to allow it), as long as it can make a successful connection. This will be a false postive, since the search is looking for a new IP within the past two hours.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_gcp_storage_access_from_a_new_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect New Open GCP Storage Buckets", "author": "Shannon Davis, Splunk", "date": "2024-05-17", "version": 2, "id": "f6ea3466-d6bb-11ea-87d0-0242ac130003", "description": "The following analytic identifies the creation of new open/public GCP Storage buckets. It leverages GCP PubSub events, specifically monitoring for the `storage.setIamPermissions` method and checks if the `allUsers` member is added. This activity is significant because open storage buckets can expose sensitive data to the public, posing a severe security risk. If confirmed malicious, an attacker could access, modify, or delete data within the bucket, leading to data breaches and potential compliance violations.", "references": [], "tags": {"analytic_story": ["Suspicious GCP Storage Activities"], "asset_type": "GCP Storage Bucket", "cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1530", "mitre_attack_technique": "Data from Cloud Storage", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Fox Kitten", "Scattered Spider"]}]}, "type": "TTP", "search": "`google_gcp_pubsub_message` data.resource.type=gcs_bucket data.protoPayload.methodName=storage.setIamPermissions | spath output=action path=data.protoPayload.serviceData.policyDelta.bindingDeltas{}.action | spath output=user path=data.protoPayload.authenticationInfo.principalEmail | spath output=location path=data.protoPayload.resourceLocation.currentLocations{} | spath output=src path=data.protoPayload.requestMetadata.callerIp | spath output=bucketName path=data.protoPayload.resourceName | spath output=role path=data.protoPayload.serviceData.policyDelta.bindingDeltas{}.role | spath output=member path=data.protoPayload.serviceData.policyDelta.bindingDeltas{}.member | search (member=allUsers AND action=ADD) | table _time, bucketName, src, user, location, action, role, member | search `detect_new_open_gcp_storage_buckets_filter`", "how_to_implement": "This search relies on the Splunk Add-on for Google Cloud Platform, setting up a Cloud Pub/Sub input, along with the relevant GCP PubSub topics and logging sink to capture GCP Storage Bucket events (https://cloud.google.com/logging/docs/routing/overview).", "known_false_positives": "While this search has no known false positives, it is possible that a GCP admin has legitimately created a public bucket for a specific purpose. That said, GCP strongly advises against granting full control to the \"allUsers\" group.", "datamodel": ["Email"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_new_open_gcp_storage_buckets_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect New Open S3 buckets", "author": "Bhavin Patel, Patrick Bareiss, Splunk", "date": "2024-05-19", "version": 4, "id": "2a9b80d3-6340-4345-b5ad-290bf3d0dac4", "description": "The following analytic identifies the creation of open/public S3 buckets in AWS. It detects this activity by analyzing AWS CloudTrail events for `PutBucketAcl` actions where the access control list (ACL) grants permissions to all users or authenticated users. This activity is significant because open S3 buckets can expose sensitive data to unauthorized access, leading to data breaches. If confirmed malicious, an attacker could read, write, or fully control the contents of the bucket, potentially leading to data exfiltration or tampering.", "references": [], "tags": {"analytic_story": ["Suspicious AWS S3 Activities"], "asset_type": "S3 Bucket", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user_arn", "type": "User", "role": ["Victim"]}, {"name": "bucketName", "type": "Other", "role": ["Victim"]}], "message": "User $user_arn$ has created an open/public bucket $bucketName$ with the following permissions $permission$", "risk_score": 48, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1530", "mitre_attack_technique": "Data from Cloud Storage", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Fox Kitten", "Scattered Spider"]}]}, "type": "TTP", "search": "`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl | rex field=_raw \"(?{.+})\" | spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{} | search grantees=* | mvexpand grantees | spath input=grantees output=uri path=Grantee.URI | spath input=grantees output=permission path=Permission | search uri IN (\"http://acs.amazonaws.com/groups/global/AllUsers\",\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\") | search permission IN (\"READ\",\"READ_ACP\",\"WRITE\",\"WRITE_ACP\",\"FULL_CONTROL\") | rename requestParameters.bucketName AS bucketName | stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_new_open_s3_buckets_filter` ", "how_to_implement": "You must install the AWS App for Splunk.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has legitimately created a public bucket for a specific purpose. That said, AWS strongly advises against granting full control to the \"All Users\" group.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "detect_new_open_s3_buckets_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect New Open S3 Buckets over AWS CLI", "author": "Patrick Bareiss, Splunk", "date": "2024-05-19", "version": 3, "id": "39c61d09-8b30-4154-922b-2d0a694ecc22", "description": "The following analytic detects the creation of open/public S3 buckets via the AWS CLI. It leverages AWS CloudTrail logs to identify events where a user has set bucket permissions to allow access to \"AuthenticatedUsers\" or \"AllUsers.\" This activity is significant because open S3 buckets can expose sensitive data to unauthorized users, leading to data breaches. If confirmed malicious, an attacker could gain unauthorized access to potentially sensitive information stored in the S3 bucket, posing a significant security risk.", "references": [], "tags": {"analytic_story": ["Suspicious AWS S3 Activities"], "asset_type": "S3 Bucket", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "userIdentity.userName", "type": "User", "role": ["Victim"]}], "message": "User $userIdentity.userName$ has created an open/public bucket $bucketName$ using AWS CLI with the following permissions - $requestParameters.accessControlList.x-amz-grant-read$ $requestParameters.accessControlList.x-amz-grant-read-acp$ $requestParameters.accessControlList.x-amz-grant-write$ $requestParameters.accessControlList.x-amz-grant-write-acp$ $requestParameters.accessControlList.x-amz-grant-full-control$", "risk_score": 48, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1530", "mitre_attack_technique": "Data from Cloud Storage", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Fox Kitten", "Scattered Spider"]}]}, "type": "TTP", "search": "`cloudtrail` eventSource=\"s3.amazonaws.com\" (userAgent=\"[aws-cli*\" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN (\"*AuthenticatedUsers\",\"*AllUsers\") OR requestParameters.accessControlList.x-amz-grant-write IN (\"*AuthenticatedUsers\",\"*AllUsers\") OR requestParameters.accessControlList.x-amz-grant-write-acp IN (\"*AuthenticatedUsers\",\"*AllUsers\") OR requestParameters.accessControlList.x-amz-grant-full-control IN (\"*AuthenticatedUsers\",\"*AllUsers\") | rename requestParameters.bucketName AS bucketName | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_new_open_s3_buckets_over_aws_cli_filter` ", "how_to_implement": "The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS Cloudtrail logs.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has legitimately created a public bucket for a specific purpose. That said, AWS strongly advises against granting full control to the \"All Users\" group.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "detect_new_open_s3_buckets_over_aws_cli_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect S3 access from a new IP", "author": "Bhavin Patel, Splunk", "date": "2024-05-19", "version": 2, "id": "e6f1bb1b-f441-492b-9126-902acda217da", "description": "The following analytic identifies access to an S3 bucket from a new or previously unseen remote IP address. It leverages S3 bucket-access logs, specifically focusing on successful access events (http_status=200). This activity is significant because access from unfamiliar IP addresses could indicate unauthorized access or potential data exfiltration attempts. If confirmed malicious, this activity could lead to unauthorized data access, data theft, or further exploitation of the compromised S3 bucket, posing a significant risk to sensitive information stored within the bucket.", "references": [], "tags": {"analytic_story": ["Suspicious AWS S3 Activities"], "asset_type": "S3 Bucket", "cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "bucketName", "type": "Other", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "New S3 access from a new IP - $src_ip$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1530", "mitre_attack_technique": "Data from Cloud Storage", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Fox Kitten", "Scattered Spider"]}]}, "type": "Anomaly", "search": "`aws_s3_accesslogs` http_status=200 [search `aws_s3_accesslogs` http_status=200 | stats earliest(_time) as firstTime latest(_time) as lastTime by bucket_name remote_ip | inputlookup append=t previously_seen_S3_access_from_remote_ip | stats min(firstTime) as firstTime, max(lastTime) as lastTime by bucket_name remote_ip | outputlookup previously_seen_S3_access_from_remote_ip| eval newIP=if(firstTime >= relative_time(now(), \"-70m@m\"), 1, 0) | where newIP=1 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | table bucket_name remote_ip]| iplocation remote_ip |rename remote_ip as src_ip | table _time bucket_name src_ip City Country operation request_uri | `detect_s3_access_from_a_new_ip_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your S3 access logs' inputs. This search works best when you run the \"Previously Seen S3 Bucket Access by Remote IP\" support search once to create a history of previously seen remote IPs and bucket names.", "known_false_positives": "S3 buckets can be accessed from any IP, as long as it can make a successful connection. This will be a false postive, since the search is looking for a new IP within the past hour", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_s3_accesslogs", "definition": "sourcetype=aws:s3:accesslogs", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "detect_s3_access_from_a_new_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Spike in AWS Security Hub Alerts for EC2 Instance", "author": "Bhavin Patel, Splunk", "date": "2024-05-19", "version": 4, "id": "2a9b80d3-6340-4345-b5ad-290bf5d0d222", "description": "The following analytic identifies a spike in the number of AWS Security Hub alerts for an EC2 instance within a 4-hour interval. It leverages AWS Security Hub findings data, calculating the average and standard deviation of alerts to detect anomalies. This activity is significant for a SOC as a sudden increase in alerts may indicate potential security incidents or misconfigurations requiring immediate attention. If confirmed malicious, this could signify an ongoing attack, leading to unauthorized access, data exfiltration, or disruption of services on the affected EC2 instance.", "references": [], "tags": {"analytic_story": ["AWS Security Hub Alerts"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Spike in AWS security Hub alerts with title $Title$ for EC2 instance $dest$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`aws_securityhub_finding` \"Resources{}.Type\"=AWSEC2Instance | bucket span=4h _time | stats count AS alerts values(Title) as Title values(Types{}) as Types values(vendor_account) as vendor_account values(vendor_region) as vendor_region values(severity) as severity by _time dest | eventstats avg(alerts) as total_alerts_avg, stdev(alerts) as total_alerts_stdev | eval threshold_value = 3 | eval isOutlier=if(alerts > total_alerts_avg+(total_alerts_stdev * threshold_value), 1, 0) | search isOutlier=1 | table _time dest alerts Title Types vendor_account vendor_region severity isOutlier total_alerts_avg | `detect_spike_in_aws_security_hub_alerts_for_ec2_instance_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your Security Hub inputs. The threshold_value should be tuned to your environment and schedule these searches according to the bucket span interval.", "known_false_positives": "None", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_securityhub_finding", "definition": "sourcetype=\"aws:securityhub:finding\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_spike_in_aws_security_hub_alerts_for_ec2_instance_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Spike in AWS Security Hub Alerts for User", "author": "Bhavin Patel, Splunk", "date": "2024-05-18", "version": 4, "id": "2a9b80d3-6220-4345-b5ad-290bf5d0d222", "description": "The following analytic identifies a spike in the number of AWS Security Hub alerts for an AWS IAM User within a 4-hour interval. It leverages AWS Security Hub findings data, calculating the average and standard deviation of alerts to detect significant deviations. This activity is significant as a sudden increase in alerts for a specific user may indicate suspicious behavior or a potential security incident. If confirmed malicious, this could signify an ongoing attack, unauthorized access, or misuse of IAM credentials, potentially leading to data breaches or further exploitation.", "references": [], "tags": {"analytic_story": ["AWS Security Hub Alerts"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Spike in AWS Security Hub alerts for user - $user$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`aws_securityhub_finding` \"findings{}.Resources{}.Type\"= AwsIamUser | rename findings{}.Resources{}.Id as user | bucket span=4h _time | stats count AS alerts by _time user | eventstats avg(alerts) as total_launched_avg, stdev(alerts) as total_launched_stdev | eval threshold_value = 2 | eval isOutlier=if(alerts > total_launched_avg+(total_launched_stdev * threshold_value), 1, 0) | search isOutlier=1 | table _time user alerts |`detect_spike_in_aws_security_hub_alerts_for_user_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your Security Hub inputs. The threshold_value should be tuned to your environment and schedule these searches according to the bucket span interval.", "known_false_positives": "None", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_securityhub_finding", "definition": "sourcetype=\"aws:securityhub:finding\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_spike_in_aws_security_hub_alerts_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Spike in blocked Outbound Traffic from your AWS", "author": "Bhavin Patel, Splunk", "date": "2024-05-12", "version": 2, "id": "d3fffa37-492f-487b-a35d-c60fcb2acf01", "description": "The following analytic identifies spikes in blocked outbound network connections originating from within your AWS environment. It leverages VPC Flow Logs data from CloudWatch, focusing on blocked actions from internal IP ranges to external destinations. This detection is significant as it can indicate potential exfiltration attempts or misconfigurations leading to data leakage. If confirmed malicious, such activity could allow attackers to bypass network defenses, leading to unauthorized data transfer or communication with malicious external entities.", "references": [], "tags": {"analytic_story": ["AWS Network ACL Activity", "Command And Control", "Suspicious AWS Traffic"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "resourceId", "type": "Other", "role": ["Victim"]}], "message": "Blocked outbound traffic from your AWS", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudwatchlogs_vpcflow` action=blocked (src_ip=10.0.0.0/8 OR src_ip=172.16.0.0/12 OR src_ip=192.168.0.0/16) ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16) [search `cloudwatchlogs_vpcflow` action=blocked (src_ip=10.0.0.0/8 OR src_ip=172.16.0.0/12 OR src_ip=192.168.0.0/16) ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16) | stats count as numberOfBlockedConnections by src_ip | inputlookup baseline_blocked_outbound_connections append=t | fields - latestCount | stats values(*) as * by src_ip | rename numberOfBlockedConnections as latestCount | eval newAvgBlockedConnections=avgBlockedConnections + (latestCount-avgBlockedConnections)/720 | eval newStdevBlockedConnections=sqrt(((pow(stdevBlockedConnections, 2)*719 + (latestCount-newAvgBlockedConnections)*(latestCount-avgBlockedConnections))/720)) | eval avgBlockedConnections=coalesce(newAvgBlockedConnections, avgBlockedConnections), stdevBlockedConnections=coalesce(newStdevBlockedConnections, stdevBlockedConnections), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table src_ip, latestCount, numDataPoints, avgBlockedConnections, stdevBlockedConnections | outputlookup baseline_blocked_outbound_connections | eval dataPointThreshold = 5, deviationThreshold = 3 | eval isSpike=if((latestCount > avgBlockedConnections+deviationThreshold*stdevBlockedConnections) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | table src_ip] | stats values(dest_ip) as dest_ip, values(interface_id) as \"resourceId\" count as numberOfBlockedConnections, dc(dest_ip) as uniqueDestConnections by src_ip | `detect_spike_in_blocked_outbound_traffic_from_your_aws_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your VPC Flow logs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the number of data points required to meet the definition of \"spike.\" The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike. This search works best when you run the \"Baseline of Blocked Outbound Connection\" support search once to create a history of previously seen blocked outbound connections.", "known_false_positives": "The false-positive rate may vary based on the values of`dataPointThreshold` and `deviationThreshold`. Additionally, false positives may result when AWS administrators roll out policies enforcing network blocks, causing sudden increases in the number of blocked outbound connections.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloudwatchlogs_vpcflow", "definition": "sourcetype=aws:cloudwatchlogs:vpcflow", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_spike_in_blocked_outbound_traffic_from_your_aws_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Spike in S3 Bucket deletion", "author": "Bhavin Patel, Splunk", "date": "2024-05-03", "version": 2, "id": "e733a326-59d2-446d-b8db-14a17151aa68", "description": "The following analytic identifies a spike in API activity related to the deletion of S3 buckets in your AWS environment. It leverages AWS CloudTrail logs to detect anomalies by comparing current deletion activity against a historical baseline. This activity is significant as unusual spikes in S3 bucket deletions could indicate malicious actions such as data exfiltration or unauthorized data destruction. If confirmed malicious, this could lead to significant data loss, disruption of services, and potential exposure of sensitive information. Immediate investigation is required to determine the legitimacy of the activity.", "references": [], "tags": {"analytic_story": ["Suspicious AWS S3 Activities"], "asset_type": "S3 Bucket", "cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1530", "mitre_attack_technique": "Data from Cloud Storage", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Fox Kitten", "Scattered Spider"]}]}, "type": "Anomaly", "search": "`cloudtrail` eventName=DeleteBucket [search `cloudtrail` eventName=DeleteBucket | spath output=arn path=userIdentity.arn | stats count as apiCalls by arn | inputlookup s3_deletion_baseline append=t | fields - latestCount | stats values(*) as * by arn | rename apiCalls as latestCount | eval newAvgApiCalls=avgApiCalls + (latestCount-avgApiCalls)/720 | eval newStdevApiCalls=sqrt(((pow(stdevApiCalls, 2)*719 + (latestCount-newAvgApiCalls)*(latestCount-avgApiCalls))/720)) | eval avgApiCalls=coalesce(newAvgApiCalls, avgApiCalls), stdevApiCalls=coalesce(newStdevApiCalls, stdevApiCalls), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup s3_deletion_baseline | eval dataPointThreshold = 15, deviationThreshold = 3 | eval isSpike=if((latestCount > avgApiCalls+deviationThreshold*stdevApiCalls) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=user userIdentity.arn | spath output=bucketName path=requestParameters.bucketName | stats values(bucketName) as bucketName, count as numberOfApiCalls, dc(eventName) as uniqueApisCalled by user | `detect_spike_in_s3_bucket_deletion_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points required to have a statistically significant amount of data to determine. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike. This search works best when you run the \"Baseline of S3 Bucket deletion activity by ARN\" support search once to create a baseline of previously seen S3 bucket-deletion activity.", "known_false_positives": "Based on the values of`dataPointThreshold` and `deviationThreshold`, the false positive rate may vary. Please modify this according the your environment.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_spike_in_s3_bucket_deletion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GCP Authentication Failed During MFA Challenge", "author": "Bhavin Patel, Mauricio Velazco, Splunk", "date": "2024-01-04", "version": 2, "id": "345f7e1d-a3fe-4158-abd8-e630f9878323", "description": "The following analytic identifies an authentication attempt event against a Google Cloud Platform tenant that fails during the Multi Factor Authentication challenge. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled. ", "references": ["https://attack.mitre.org/techniques/T1621/", "https://attack.mitre.org/techniques/T1078/004/"], "tags": {"analytic_story": ["GCP Account Takeover"], "asset_type": "Google Cloud Platform tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Weaponization"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "User $user$ failed to pass MFA challenge", "risk_score": 54, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$", "Scattered Spider"]}]}, "type": "TTP", "search": " `gws_reports_login` event.name=login_failure `gws_login_mfa_methods` | stats count min(_time) as firstTime max(_time) as lastTime by user, src_ip, login_challenge_method | `gcp_authentication_failed_during_mfa_challenge_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. Specifically, this analytic leverages the User log events.", "known_false_positives": "Legitimate users may miss to reply the MFA challenge within the time window or deny it by mistake.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "gws_login_mfa_methods", "definition": "event.parameters{}.multiValue{} IN (\"backup_code\", \"google_authenticator\", \"google_prompt\", \"idv_any_phone\", \"idv_preregistered_phone\", \"internal_two_factor\", \"knowledge_employee_id\", \"knowledge_preregistered_email\", \"login_location\", \"knowledge_preregistered_phone\", \"offline_otp\", \"security_key\", \"security_key_otp\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gws_reports_login", "definition": "sourcetype=gws:reports:login", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gcp_authentication_failed_during_mfa_challenge_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GCP Detect gcploit framework", "author": "Rod Soto, Splunk", "date": "2024-05-14", "version": 2, "id": "a1c5a85e-a162-410c-a5d9-99ff639e5a52", "description": "The following analytic identifies the use of the GCPloit exploitation framework within Google Cloud Platform (GCP). It detects specific GCP Pub/Sub messages with a function timeout of 539 seconds, which is indicative of GCPloit activity. This detection is significant as GCPloit can be used to escalate privileges and facilitate lateral movement from compromised high-privilege accounts. If confirmed malicious, this activity could allow attackers to gain unauthorized access, escalate their privileges, and move laterally within the GCP environment, potentially compromising sensitive data and critical resources.", "references": ["https://github.com/dxa4481/gcploit", "https://www.youtube.com/watch?v=Ml09R38jpok"], "tags": {"analytic_story": ["GCP Cross Account Activity"], "asset_type": "GCP Account", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": "`google_gcp_pubsub_message` data.protoPayload.request.function.timeout=539s | table src src_user data.resource.labels.project_id data.protoPayload.request.function.serviceAccountEmail data.protoPayload.authorizationInfo{}.permission data.protoPayload.request.location http_user_agent | `gcp_detect_gcploit_framework_filter`", "how_to_implement": "You must install splunk GCP add-on. This search works with gcp:pubsub:message logs", "known_false_positives": "Payload.request.function.timeout value can possibly be match with other functions or requests however the source user and target request account may indicate an attempt to move laterally accross acounts or projects", "datamodel": ["Email"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gcp_detect_gcploit_framework_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GCP Kubernetes cluster pod scan detection", "author": "Rod Soto, Splunk", "date": "2024-05-18", "version": 2, "id": "19b53215-4a16-405b-8087-9e6acf619842", "description": "The following analytic identifies unauthenticated requests to Kubernetes cluster pods. It detects this activity by analyzing GCP Pub/Sub messages for audit logs where the response status code is 401, indicating unauthorized access attempts. This activity is significant for a SOC because it may indicate reconnaissance or scanning attempts by an attacker trying to identify vulnerable pods. If confirmed malicious, this activity could lead to unauthorized access, allowing the attacker to exploit vulnerabilities within the cluster, potentially compromising sensitive data or gaining control over the Kubernetes environment.", "references": [], "tags": {"analytic_story": ["Kubernetes Scanning Activity"], "asset_type": "GCP Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1526", "mitre_attack_technique": "Cloud Service Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}]}, "type": "Hunting", "search": "`google_gcp_pubsub_message` category=kube-audit |spath input=properties.log |search responseStatus.code=401 |table sourceIPs{} userAgent verb requestURI responseStatus.reason properties.pod | `gcp_kubernetes_cluster_pod_scan_detection_filter`", "how_to_implement": "You must install the GCP App for Splunk (version 2.0.0 or later), then configure stackdriver and set a Pub/Sub subscription to be imported to Splunk.", "known_false_positives": "Not all unauthenticated requests are malicious, but frequency, User Agent, source IPs and pods will provide context.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gcp_kubernetes_cluster_pod_scan_detection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GCP Multi-Factor Authentication Disabled", "author": "Bhavin Patel, Mauricio Velazco, Splunk", "date": "2024-01-04", "version": 2, "id": "b9bc5513-6fc1-4821-85a3-e1d81e451c83", "description": "The following analytic identifies an attempt to disable multi-factor authentication for a GCP user. An adversary who has obtained access to an GCP tenant may disable multi-factor authentication as a way to plant a backdoor and maintain persistence using a valid account. This way the attackers can keep persistance in the environment without adding new users.", "references": ["https://support.google.com/cloudidentity/answer/2537800?hl=en", "https://attack.mitre.org/tactics/TA0005/", "https://attack.mitre.org/techniques/T1556/"], "tags": {"analytic_story": ["GCP Account Takeover"], "asset_type": "GCP", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation", "Weaponization"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "actor.email", "type": "User", "role": ["Attacker"]}], "message": "MFA disabled for User $user$ initiated by $actor.email$", "risk_score": 45, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1556.006", "mitre_attack_technique": "Multi-Factor Authentication", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["Scattered Spider"]}]}, "type": "TTP", "search": "`gws_reports_admin` command=UNENROLL_USER_FROM_STRONG_AUTH | stats count min(_time) as firstTime max(_time) as lastTime by user, command, actor.email, status, id.applicationName, event.name, vendor_account, action | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `gcp_multi_factor_authentication_disabled_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. Specifically, this analytic leverages the Admin log events.", "known_false_positives": "Legitimate use case may require for users to disable MFA. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "gws_reports_admin", "definition": "sourcetype=gws:reports:admin", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "gcp_multi_factor_authentication_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GCP Multiple Failed MFA Requests For User", "author": "Mauricio Velazco, Splunk", "date": "2022-10-14", "version": 1, "id": "cbb3cb84-c06f-4393-adcc-5cb6195621f1", "description": "The following analytic identifies multiple failed multi-factor authentication requests for a single user within a Google Cloud Platform tenant. Specifically, the analytic triggers when 10 or more MFA user prompts fail within 5 minutes. Google CLoud tenants can be very different depending on the organization, Security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls as reported by Mandiant and others.", "references": ["https://www.mandiant.com/resources/blog/russian-targeting-gov-business", "https://arstechnica.com/information-technology/2022/03/lapsus-and-solar-winds-hackers-both-use-the-same-old-trick-to-bypass-mfa/", "https://therecord.media/russian-hackers-bypass-2fa-by-annoying-victims-with-repeated-push-notifications/", "https://attack.mitre.org/techniques/T1621/", "https://attack.mitre.org/techniques/T1078/004/"], "tags": {"analytic_story": ["GCP Account Takeover"], "asset_type": "Google Cloud Platform tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Weaponization"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Multiple Failed MFA requests for user $user$", "risk_score": 54, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}]}, "type": "TTP", "search": "`gws_reports_login` event.name=login_failure `gws_login_mfa_methods` | bucket span=5m _time | stats dc(_raw) AS mfa_prompts values(user) AS user by src_ip, login_challenge_method, _time | where mfa_prompts >= 10 | `gcp_multiple_failed_mfa_requests_for_user_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. We would also recommend tuning the detection by adjusting the window `span` and `mfa_prompts` threshold values according to your environment. Specifically, this analytic leverages the User log events.", "known_false_positives": "Multiple Failed MFA requests may also be a sign of authentication or application issues. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "gws_login_mfa_methods", "definition": "event.parameters{}.multiValue{} IN (\"backup_code\", \"google_authenticator\", \"google_prompt\", \"idv_any_phone\", \"idv_preregistered_phone\", \"internal_two_factor\", \"knowledge_employee_id\", \"knowledge_preregistered_email\", \"login_location\", \"knowledge_preregistered_phone\", \"offline_otp\", \"security_key\", \"security_key_otp\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gws_reports_login", "definition": "sourcetype=gws:reports:login", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gcp_multiple_failed_mfa_requests_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GCP Multiple Users Failing To Authenticate From Ip", "author": "Bhavin Patel, Splunk", "date": "2022-10-12", "version": 1, "id": "da20828e-d6fb-4ee5-afb7-d0ac200923d5", "description": "The following analytic identifies one source Ip failing to authenticate into the Google Workspace user accounts with more than 20 unique valid users within 5 minutes. These user accounts may have other privileges with respect to access to other sensitive resources in the Google Cloud Platform. This behavior could represent an adversary performing a Password Spraying attack against an Google Workspace environment to obtain initial access or elevate privileges.", "references": ["https://cloud.google.com/blog/products/identity-security/how-google-cloud-can-help-stop-credential-stuffing-attacks", "https://www.slideshare.net/dafthack/ok-google-how-do-i-red-team-gsuite", "https://attack.mitre.org/techniques/T1110/003/", "https://www.blackhillsinfosec.com/wp-content/uploads/2020/05/Breaching-the-Cloud-Perimeter-Slides.pdf"], "tags": {"analytic_story": ["GCP Account Takeover"], "asset_type": "Google Cloud Platform tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Weaponization"], "nist": ["DE.AE"], "observable": [{"name": "tried_accounts", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Multiple failed login attempts (Count: $unique_accounts$) against users seen from $src$", "risk_score": 54, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}]}, "type": "Anomaly", "search": "`gws_reports_login` event.type = login event.name = login_failure | bucket span=5m _time | stats count dc(user) AS unique_accounts values(user) as tried_accounts values(authentication_method) AS authentication_method earliest(_time) as firstTime latest(_time) as lastTime by _time event.name src app id.applicationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where unique_accounts > 20 | `gcp_multiple_users_failing_to_authenticate_from_ip_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. We would also recommend tuning the detection by adjusting the window `span` and `unique_accounts` threshold values according to your environment. Specifically, this analytic leverages the User log events.", "known_false_positives": "No known false postives for this detection. Please review this alert.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "gws_reports_login", "definition": "sourcetype=gws:reports:login", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "gcp_multiple_users_failing_to_authenticate_from_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GCP Successful Single-Factor Authentication", "author": "Bhavin Patel, Mauricio Velazco, Splunk", "date": "2024-01-04", "version": 2, "id": "40e17d88-87da-414e-b253-8dc1e4f9555b", "description": "The following analytic identifies a successful authentication event against Google Cloud Platform for an account without Multi-Factor Authentication enabled. This could be evidence of a missconfiguration, a policy violation or an account take over attempt that should be investigated", "references": ["https://attack.mitre.org/techniques/T1078/004/", "https://support.google.com/a/answer/175197?hl=en", "https://www.forbes.com/sites/daveywinder/2020/07/08/new-dark-web-audit-reveals-15-billion-stolen-logins-from-100000-breaches-passwords-hackers-cybercrime/?sh=69927b2a180f"], "tags": {"analytic_story": ["GCP Account Takeover"], "asset_type": "Google Cloud Platform tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Weaponization"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Successful authentication for user $user$ without MFA", "risk_score": 45, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}]}, "type": "TTP", "search": "`gws_reports_login` event.name=login_success NOT `gws_login_mfa_methods` | stats count min(_time) as firstTime max(_time) as lastTime by user, src_ip, login_challenge_method, app, event.name, vendor_account, action |`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `gcp_successful_single_factor_authentication_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. Specifically, this analytic leverages the User log events.", "known_false_positives": "Although not recommended, certain users may be required without multi-factor authentication. Filter as needed", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "gws_login_mfa_methods", "definition": "event.parameters{}.multiValue{} IN (\"backup_code\", \"google_authenticator\", \"google_prompt\", \"idv_any_phone\", \"idv_preregistered_phone\", \"internal_two_factor\", \"knowledge_employee_id\", \"knowledge_preregistered_email\", \"login_location\", \"knowledge_preregistered_phone\", \"offline_otp\", \"security_key\", \"security_key_otp\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gws_reports_login", "definition": "sourcetype=gws:reports:login", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "gcp_successful_single_factor_authentication_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GCP Unusual Number of Failed Authentications From Ip", "author": "Bhavin Patel, Splunk", "date": "2022-10-13", "version": 1, "id": "bd8097ed-958a-4873-87d9-44f2b4d85705", "description": "The following analytic identifies one source IP failing to authenticate into the Google Workspace with multiple valid users. This behavior could represent an adversary performing a Password Spraying attack against a Google Workspace enviroment to obtain initial access or elevate privileges. The detection calculates the standard deviation for source IP and leverages the 3-sigma statistical rule to identify an unusual number of failed authentication attempts. To customize this analytic, users can try different combinations of the bucket span time and the calculation of the upperBound field. This logic can be used for real time security monitoring as well as threat hunting exercises. While looking for anomalies using statistical methods like the standard deviation can have benefits, we also recommend using threshold-based detections to complement coverage. A similar analytic following the threshold model is `GCP Multiple Users Failing To Authenticate From Ip`", "references": ["https://cloud.google.com/blog/products/identity-security/how-google-cloud-can-help-stop-credential-stuffing-attacks", "https://www.slideshare.net/dafthack/ok-google-how-do-i-red-team-gsuite", "https://attack.mitre.org/techniques/T1110/003/", "https://www.blackhillsinfosec.com/wp-content/uploads/2020/05/Breaching-the-Cloud-Perimeter-Slides.pdf"], "tags": {"analytic_story": ["GCP Account Takeover"], "asset_type": "Google Cloud Platform tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Weaponization"], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "tried_accounts", "type": "User", "role": ["Victim"]}], "message": "Unusual number of failed console login attempts (Count: $unique_accounts$) against users from IP Address - $src$", "risk_score": 54, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}]}, "type": "Anomaly", "search": "`gws_reports_login` event.type = login event.name = login_failure| bucket span=5m _time | stats dc(user_name) AS unique_accounts values(user_name) as tried_accounts values(authentication_method) AS authentication_method by _time, src | eventstats avg(unique_accounts) as ip_avg , stdev(unique_accounts) as ip_std by _time | eval upperBound=(ip_avg+ip_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | where isOutlier =1| `gcp_unusual_number_of_failed_authentications_from_ip_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. We would also recommend tuning the detection by adjusting the window `span` and `unique_accounts` threshold values according to your environment. Specifically, this analytic leverages the User log events.", "known_false_positives": "No known false positives for this detection. Please review this alert", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "gws_reports_login", "definition": "sourcetype=gws:reports:login", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gcp_unusual_number_of_failed_authentications_from_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Gdrive suspicious file sharing", "author": "Rod Soto, Teoderick Contreras", "date": "2024-05-13", "version": 2, "id": "a7131dae-34e3-11ec-a2de-acde48001122", "description": "The following analytic identifies suspicious file-sharing activity on Google Drive, where internal users share documents with more than 50 external recipients. It leverages GSuite Drive logs, focusing on changes in user access and filtering for emails outside the organization's domain. This activity is significant as it may indicate compromised accounts or intentional data exfiltration. If confirmed malicious, this behavior could lead to unauthorized access to sensitive information, data leaks, and potential compliance violations.", "references": ["https://www.splunk.com/en_us/blog/security/investigating-gsuite-phishing-attacks-with-splunk.html"], "tags": {"analytic_story": ["Data Exfiltration", "Spearphishing Attachments"], "asset_type": "GDrive", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}]}, "type": "Hunting", "search": "`gsuite_drive` name=change_user_access | rename parameters.* as * | search email = \"*@yourdomain.com\" target_user != \"*@yourdomain.com\" | stats count values(owner) as owner values(target_user) as target values(doc_type) as doc_type values(doc_title) as doc_title dc(target_user) as distinct_target by src_ip email | where distinct_target > 50 | `gdrive_suspicious_file_sharing_filter`", "how_to_implement": "Need to implement Gsuite logging targeting Google suite drive activity. In order for the search to work for your environment please update `yourdomain.com` value in the query with the domain relavant for your organization.", "known_false_positives": "This is an anomaly search, you must specify your domain in the parameters so it either filters outside domains or focus on internal domains. This search may also help investigate compromise of accounts. By looking at for example source ip addresses, document titles and abnormal number of shares and shared target users.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "gsuite_drive", "definition": "sourcetype=gsuite:drive:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gdrive_suspicious_file_sharing_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GitHub Actions Disable Security Workflow", "author": "Patrick Bareiss, Splunk", "date": "2024-05-17", "version": 2, "id": "0459f1a5-c0ac-4987-82d6-65081209f854", "description": "The following analytic detects the disabling of a security workflow in GitHub Actions. It leverages GitHub logs to identify when a workflow, excluding those named *security-testing*, is disabled following a push or pull request event. This activity is significant as it may indicate an attempt by an attacker to conceal malicious code by disabling security checks. If confirmed malicious, this could allow the attacker to introduce and persist undetected malicious code within the repository, potentially compromising the integrity and security of the codebase.", "references": ["https://www.splunk.com/en_us/blog/tips-and-tricks/getting-github-data-with-webhooks.html"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "GitHub", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "nist": ["DE.AE"], "observable": [{"name": "repository", "type": "Other", "role": ["Victim"]}], "message": "Security Workflow is disabled in branch $branch$ for repository $repository$", "risk_score": 27, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1195.002", "mitre_attack_technique": "Compromise Software Supply Chain", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT41", "Cobalt Group", "Dragonfly", "FIN7", "GOLD SOUTHFIELD", "Sandworm Team", "Threat Group-3390"]}, {"mitre_attack_id": "T1195", "mitre_attack_technique": "Supply Chain Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "`github` workflow_run.event=push OR workflow_run.event=pull_request | stats values(workflow_run.name) as workflow_run.name by workflow_run.head_commit.id workflow_run.event workflow_run.head_branch workflow_run.head_commit.author.email workflow_run.head_commit.author.name workflow_run.head_commit.message workflow_run.head_commit.timestamp workflow_run.head_repository.full_name workflow_run.head_repository.owner.id workflow_run.head_repository.owner.login workflow_run.head_repository.owner.type | rename workflow_run.head_commit.author.name as user, workflow_run.head_commit.author.email as user_email, workflow_run.head_repository.full_name as repository, workflow_run.head_branch as branch | search NOT workflow_run.name=*security-testing* | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `github_actions_disable_security_workflow_filter`", "how_to_implement": "You must index GitHub logs. You can follow the url in reference to onboard GitHub logs. Sometimes GitHub logs are truncated, make sure to disable it in props.conf. Replace *security-testing* with the name of your security testing workflow in GitHub Actions.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "github", "definition": "sourcetype=aws:firehose:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "github_actions_disable_security_workflow_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Github Commit Changes In Master", "author": "Teoderick Contreras, Splunk", "date": "2021-08-20", "version": 1, "id": "c9d2bfe2-019f-11ec-a8eb-acde48001122", "description": "This search is to detect a pushed or commit to master or main branch. This is to avoid unwanted modification to master without a review to the changes. Ideally in terms of devsecops the changes made in a branch and do a PR for review. of course in some cases admin of the project may did a changes directly to master branch", "references": ["https://www.redhat.com/en/topics/devops/what-is-devsecops"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "GitHub", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.AE"], "observable": [{"name": "commit.commit.author.email", "type": "User", "role": ["Victim"]}], "message": "Suspicious commit by $commit.commit.author.email$ to main branch", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1199", "mitre_attack_technique": "Trusted Relationship", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "GOLD SOUTHFIELD", "LAPSUS$", "POLONIUM", "Sandworm Team", "Threat Group-3390", "menuPass"]}]}, "type": "Anomaly", "search": "`github` branches{}.name = main OR branches{}.name = master | stats count min(_time) as firstTime max(_time) as lastTime by commit.commit.author.email commit.author.login commit.commit.message repository.pushed_at commit.commit.committer.date repository.full_name | rename commit.author.login as user, repository.full_name as repository | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `github_commit_changes_in_master_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs related to github logs having the fork, commit, push metadata that can be use to monitor the changes in a github project.", "known_false_positives": "Admin can do changes directly to master branch", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "github", "definition": "sourcetype=aws:firehose:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "github_commit_changes_in_master_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Github Commit In Develop", "author": "Teoderick Contreras, Splunk", "date": "2021-09-01", "version": 1, "id": "f3030cb6-0b02-11ec-8f22-acde48001122", "description": "This search is to detect a pushed or commit to develop branch. This is to avoid unwanted modification to develop without a review to the changes. Ideally in terms of devsecops the changes made in a branch and do a PR for review. of course in some cases admin of the project may did a changes directly to master branch", "references": ["https://www.redhat.com/en/topics/devops/what-is-devsecops"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "GitHub", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.AE"], "observable": [{"name": "commit.commit.author.email", "type": "User", "role": ["Victim"]}], "message": "Suspicious commit by $commit.commit.author.email$ to develop branch", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1199", "mitre_attack_technique": "Trusted Relationship", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "GOLD SOUTHFIELD", "LAPSUS$", "POLONIUM", "Sandworm Team", "Threat Group-3390", "menuPass"]}]}, "type": "Anomaly", "search": "`github` branches{}.name = main OR branches{}.name = develop | stats count min(_time) as firstTime max(_time) as lastTime by commit.author.html_url commit.commit.author.email commit.author.login commit.commit.message repository.pushed_at commit.commit.committer.date | eval phase=\"code\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `github_commit_in_develop_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs related to github logs having the fork, commit, push metadata that can be use to monitor the changes in a github project.", "known_false_positives": "admin can do changes directly to develop branch", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "github", "definition": "sourcetype=aws:firehose:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "github_commit_in_develop_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GitHub Dependabot Alert", "author": "Patrick Bareiss, Splunk", "date": "2021-09-01", "version": 1, "id": "05032b04-4469-4034-9df7-05f607d75cba", "description": "The following analytic is made by first searching for logs that contain the action \"create\" and renames certain fields for easier analysis. Then, this analytic uses the \"stats\" command to calculate the first and last occurrence of the alert based on the timestamp. The fields included in the output are the action, affected package name, affected range, created date, external identifier, external reference, fixed version, severity, repository, repository URL, and user. The \"phase\" field is set to \"code\" to indicate that the alert pertains to code-related issues. The detection is important because dependabot Alerts can indicate vulnerabilities in the codebase that can be exploited by attackers. Detecting and investigating these alerts can help a SOC to proactively address security risks and prevent potential breaches or unauthorized access to sensitive information. False positives might occur since there are legitimate actions that trigger the \"create\" action or if other factors exist that can generate similar log entries. Next steps include reviewing the details of the alert, such as the affected package, severity, and fixed version to determine the appropriate response and mitigation steps.", "references": ["https://www.splunk.com/en_us/blog/tips-and-tricks/getting-github-data-with-webhooks.html"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "GitHub", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "nist": ["DE.AE"], "observable": [{"name": "repository", "type": "Other", "role": ["Victim"]}], "message": "Vulnerabilities found in packages used by GitHub repository $repository$", "risk_score": 27, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1195.001", "mitre_attack_technique": "Compromise Software Dependencies and Development Tools", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1195", "mitre_attack_technique": "Supply Chain Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "`github` alert.id=* action=create | rename repository.full_name as repository, repository.html_url as repository_url sender.login as user | stats min(_time) as firstTime max(_time) as lastTime by action alert.affected_package_name alert.affected_range alert.created_at alert.external_identifier alert.external_reference alert.fixed_in alert.severity repository repository_url user | eval phase=\"code\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `github_dependabot_alert_filter`", "how_to_implement": "You must index GitHub logs. You can follow the url in reference to onboard GitHub logs.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "github", "definition": "sourcetype=aws:firehose:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "github_dependabot_alert_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GitHub Pull Request from Unknown User", "author": "Patrick Bareiss, Splunk", "date": "2021-09-01", "version": 1, "id": "9d7b9100-8878-4404-914e-ca5e551a641e", "description": "The following analytic detects pull requests from unknown users on GitHub. The detection is made by using a Splunk query to search for pull requests in the `check_suite.pull_requests` field where the `id` is not specified. Next, the analytic retrieves information such as the author's name, the repository's full name, the head reference of the pull request, and the commit message from the `check_suite.head_commit` field. The analytic also includes a step to exclude known users by using the `github_known_users` lookup table, which helps to filter out pull requests from known users and focus on the pull requests from unknown users. The detection is important because it locates potential malicious activity or unauthorized access since unknown users can introduce malicious code or gain unauthorized access to repositories leading to unauthorized code changes, data breaches, or other security incidents. Next steps include reviewing the author's name, the repository involved, the head reference of the pull request, and the commit message upon triage of a potential pull request from an unknown user. You must also analyze any relevant on-disk artifacts and investigate any concurrent processes to determine the source and intent of the pull request.\"", "references": ["https://www.splunk.com/en_us/blog/tips-and-tricks/getting-github-data-with-webhooks.html"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "GitHub", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "nist": ["DE.AE"], "observable": [{"name": "repository", "type": "Other", "role": ["Victim"]}], "message": "Vulnerabilities found in packages used by GitHub repository $repository$", "risk_score": 27, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1195.001", "mitre_attack_technique": "Compromise Software Dependencies and Development Tools", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1195", "mitre_attack_technique": "Supply Chain Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "`github` check_suite.pull_requests{}.id=* | stats count by check_suite.head_commit.author.name repository.full_name check_suite.pull_requests{}.head.ref check_suite.head_commit.message | rename check_suite.head_commit.author.name as user repository.full_name as repository check_suite.pull_requests{}.head.ref as ref_head check_suite.head_commit.message as commit_message | search NOT `github_known_users` | eval phase=\"code\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `github_pull_request_from_unknown_user_filter`", "how_to_implement": "You must index GitHub logs. You can follow the url in reference to onboard GitHub logs.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "github", "definition": "sourcetype=aws:firehose:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "github_known_users", "definition": "user IN (user_names_here)", "description": "specify the user allowed to create PRs in Github projects."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "github_pull_request_from_unknown_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Gsuite Drive Share In External Email", "author": "Teoderick Contreras, Splunk", "date": "2021-08-16", "version": 1, "id": "f6ee02d6-fea0-11eb-b2c2-acde48001122", "description": "This search is to detect suspicious google drive or google docs files shared outside or externally. This behavior might be a good hunting query to monitor exfitration of data made by an attacker or insider to a targetted machine.", "references": ["https://www.redhat.com/en/topics/devops/what-is-devsecops"], "tags": {"analytic_story": ["Dev Sec Ops", "Insider Threat"], "asset_type": "GSuite", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.AE"], "observable": [{"name": "parameters.owner", "type": "User", "role": ["Attacker"]}, {"name": "email", "type": "User", "role": ["Victim"]}], "message": "suspicious share gdrive from $parameters.owner$ to $email$ namely as $parameters.doc_title$", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1567.002", "mitre_attack_technique": "Exfiltration to Cloud Storage", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["Akira", "Chimera", "Cinnamon Tempest", "Confucius", "Earth Lusca", "FIN7", "HAFNIUM", "HEXANE", "Kimsuky", "Leviathan", "LuminousMoth", "POLONIUM", "Scattered Spider", "Threat Group-3390", "ToddyCat", "Turla", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1567", "mitre_attack_technique": "Exfiltration Over Web Service", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT28", "Magic Hound"]}]}, "type": "Anomaly", "search": "`gsuite_drive` NOT (email IN(\"\", \"null\")) | rex field=parameters.owner \"[^@]+@(?[^@]+)\" | rex field=email \"[^@]+@(?[^@]+)\" | where src_domain = \"internal_test_email.com\" and not dest_domain = \"internal_test_email.com\" | eval phase=\"plan\" | eval severity=\"low\" | stats values(parameters.doc_title) as doc_title, values(parameters.doc_type) as doc_types, values(email) as dst_email_list, values(parameters.visibility) as visibility, values(parameters.doc_id) as doc_id, count min(_time) as firstTime max(_time) as lastTime by parameters.owner ip_address phase severity | rename parameters.owner as user ip_address as src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `gsuite_drive_share_in_external_email_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc. In order for the search to work for your environment, please edit the query to use your company specific email domain instead of `internal_test_email.com`.", "known_false_positives": "network admin or normal user may share files to customer and external team.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "gsuite_drive", "definition": "sourcetype=gsuite:drive:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "gsuite_drive_share_in_external_email_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GSuite Email Suspicious Attachment", "author": "Teoderick Contreras, Splunk", "date": "2021-08-16", "version": 1, "id": "6d663014-fe92-11eb-ab07-acde48001122", "description": "This search is to detect a suspicious attachment file extension in Gsuite email that may related to spear phishing attack. This file type is commonly used by malware to lure user to click on it to execute malicious code to compromised targetted machine. But this search can also catch some normal files related to this file type that maybe send by employee or network admin.", "references": ["https://www.redhat.com/en/topics/devops/what-is-devsecops"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "GSuite", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.AE"], "observable": [{"name": "source.address", "type": "Email Address", "role": ["Attacker"]}, {"name": "destination{}.address", "type": "Email Address", "role": ["Victim"]}], "message": "Suspicious email from $source.address$ to $destination{}.address$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}]}, "type": "Anomaly", "search": "`gsuite_gmail` \"attachment{}.file_extension_type\" IN (\"pl\", \"py\", \"rb\", \"sh\", \"bat\", \"exe\", \"dll\", \"cpl\", \"com\", \"js\", \"vbs\", \"ps1\", \"reg\",\"swf\", \"cmd\", \"go\") | eval phase=\"plan\" | eval severity=\"medium\" | stats count min(_time) as firstTime max(_time) as lastTime values(attachment{}.file_extension_type) as email_attachments, values(attachment{}.sha256) as attachment_sha256, values(payload_size) as payload_size by destination{}.service num_message_attachments subject destination{}.address source.address phase severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `gsuite_email_suspicious_attachment_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc.", "known_false_positives": "network admin and normal user may send this file attachment as part of their day to day work. having a good protocol in attaching this file type to an e-mail may reduce the risk of having a spear phishing attack.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "gsuite_gmail", "definition": "sourcetype=gsuite:gmail:bigquery", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "gsuite_email_suspicious_attachment_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Gsuite Email Suspicious Subject With Attachment", "author": "Teoderick Contreras, Splunk", "date": "2021-08-19", "version": 1, "id": "8ef3971e-00f2-11ec-b54f-acde48001122", "description": "This search is to detect a gsuite email contains suspicious subject having known file type used in spear phishing. This technique is a common and effective entry vector of attacker to compromise a network by luring the user to click or execute the suspicious attachment send from external email account because of the effective social engineering of subject related to delivery, bank and so on. On the other hand this detection may catch a normal email traffic related to legitimate transaction so better to check the email sender, spelling and etc. avoid click link or opening the attachment if you are not expecting this type of e-mail.", "references": ["https://www.redhat.com/en/topics/devops/what-is-devsecops", "https://www.mandiant.com/resources/top-words-used-in-spear-phishing-attacks"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "GSuite", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.AE"], "observable": [{"name": "destination{}.address", "type": "Email Address", "role": ["Victim"]}, {"name": "source.address", "type": "Email Address", "role": ["Attacker"]}], "message": "Suspicious email from $source.address$ to $destination{}.address$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}]}, "type": "Anomaly", "search": "`gsuite_gmail` num_message_attachments > 0 subject IN (\"*dhl*\", \"* ups *\", \"*delivery*\", \"*parcel*\", \"*label*\", \"*invoice*\", \"*postal*\", \"* fedex *\", \"* usps *\", \"* express *\", \"*shipment*\", \"*Banking/Tax*\",\"*shipment*\", \"*new order*\") attachment{}.file_extension_type IN (\"doc\", \"docx\", \"xls\", \"xlsx\", \"ppt\", \"pptx\", \"pdf\", \"zip\", \"rar\", \"html\",\"htm\",\"hta\") | rex field=source.from_header_address \"[^@]+@(?[^@]+)\" | rex field=destination{}.address \"[^@]+@(?[^@]+)\" | where not source_domain=\"internal_test_email.com\" and dest_domain=\"internal_test_email.com\" | eval phase=\"plan\" | eval severity=\"medium\" | stats count min(_time) as firstTime max(_time) as lastTime values(attachment{}.file_extension_type) as email_attachments, values(attachment{}.sha256) as attachment_sha256, values(payload_size) as payload_size by destination{}.service num_message_attachments subject destination{}.address source.address phase severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `gsuite_email_suspicious_subject_with_attachment_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc.", "known_false_positives": "normal user or normal transaction may contain the subject and file type attachment that this detection try to search.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "gsuite_gmail", "definition": "sourcetype=gsuite:gmail:bigquery", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "gsuite_email_suspicious_subject_with_attachment_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Gsuite Email With Known Abuse Web Service Link", "author": "Teoderick Contreras, Splunk", "date": "2021-08-23", "version": 1, "id": "8630aa22-042b-11ec-af39-acde48001122", "description": "This analytics is to detect a gmail containing a link that are known to be abused by malware or attacker like pastebin, telegram and discord to deliver malicious payload. This event can encounter some normal email traffic within organization and external email that normally using this application and services.", "references": ["https://news.sophos.com/en-us/2021/07/22/malware-increasingly-targets-discord-for-abuse/"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "GSuite", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.AE"], "observable": [{"name": "destination{}.address", "type": "Email Address", "role": ["Victim"]}, {"name": "source.address", "type": "Email Address", "role": ["Attacker"]}], "message": "Suspicious email from $source.address$ to $destination{}.address$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}]}, "type": "Anomaly", "search": "`gsuite_gmail` \"link_domain{}\" IN (\"*pastebin.com*\", \"*discord*\", \"*telegram*\",\"t.me\") | rex field=source.from_header_address \"[^@]+@(?[^@]+)\" | rex field=destination{}.address \"[^@]+@(?[^@]+)\" | where not source_domain=\"internal_test_email.com\" and dest_domain=\"internal_test_email.com\" | eval phase=\"plan\" | eval severity=\"low\" |stats values(link_domain{}) as link_domains min(_time) as firstTime max(_time) as lastTime count by is_spam source.address source.from_header_address subject destination{}.address phase severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `gsuite_email_with_known_abuse_web_service_link_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc.", "known_false_positives": "normal email contains this link that are known application within the organization or network can be catched by this detection.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "gsuite_gmail", "definition": "sourcetype=gsuite:gmail:bigquery", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "gsuite_email_with_known_abuse_web_service_link_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Gsuite Outbound Email With Attachment To External Domain", "author": "Teoderick Contreras, Stanislav Miskovic, Splunk", "date": "2024-03-25", "version": 2, "id": "dc4dc3a8-ff54-11eb-8bf7-acde48001122", "description": "This search is to detect a suspicious outbound e-mail from internal email to external email domain. This can be a good hunting query to monitor insider or outbound email traffic for not common domain e-mail. The idea is to parse the domain of destination email check if there is a minimum outbound traffic < 20 with attachment.", "references": ["https://www.redhat.com/en/topics/devops/what-is-devsecops"], "tags": {"analytic_story": ["Dev Sec Ops", "Insider Threat"], "asset_type": "GSuite", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.AE"], "observable": [{"name": "src_domain_list", "type": "Email Address", "role": ["Victim"]}, {"name": "dest_domain", "type": "IP Address", "role": ["Attacker"]}], "message": "Suspicious email from $src_domain_list$ to $dest_domain$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}]}, "type": "Hunting", "search": "`gsuite_gmail` num_message_attachments > 0 | rex field=source.from_header_address \"[^@]+@(?[^@]+)\" | rex field=destination{}.address \"[^@]+@(?[^@]+)\" | where source_domain=\"internal_test_email.com\" and not dest_domain=\"internal_test_email.com\" | eval phase=\"plan\" | eval severity=\"low\" | stats values(subject) as subject, values(source.from_header_address) as src_domain_list, count as numEvents, dc(source.from_header_address) as numSrcAddresses, min(_time) as firstTime max(_time) as lastTime by dest_domain phase severity | where numSrcAddresses < 20 |sort - numSrcAddresses | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `gsuite_outbound_email_with_attachment_to_external_domain_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc.", "known_false_positives": "network admin and normal user may send this file attachment as part of their day to day work. having a good protocol in attaching this file type to an e-mail may reduce the risk of having a spear phishing attack.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "gsuite_gmail", "definition": "sourcetype=gsuite:gmail:bigquery", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "gsuite_outbound_email_with_attachment_to_external_domain_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Gsuite suspicious calendar invite", "author": "Rod Soto, Teoderick Contreras", "date": "2024-05-21", "version": 2, "id": "03cdd68a-34fb-11ec-9bd3-acde48001122", "description": "The following analytic detects suspicious calendar invites sent via GSuite, potentially indicating compromised accounts or malicious internal activity. It leverages GSuite calendar logs, focusing on events where a high volume of invites (over 100) is sent within a 5-minute window. This behavior is significant as it may involve the distribution of malicious links or attachments, posing a security risk. If confirmed malicious, this activity could lead to widespread phishing attacks, unauthorized access, or malware distribution within the organization.", "references": ["https://www.techrepublic.com/article/how-to-avoid-the-dreaded-google-calendar-malicious-invite-issue/", "https://gcn.com/cybersecurity/2012/09/the-20-most-common-words-in-phishing-attacks/280956/"], "tags": {"analytic_story": ["Spearphishing Attachments"], "asset_type": "GSuite", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.AE"], "observable": [{"name": "email", "type": "Email Address", "role": ["Attacker"]}], "message": "Gsuite suspicious calendar invite sent by $email$", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}]}, "type": "Hunting", "search": "`gsuite_calendar` |bin span=5m _time |rename parameters.* as * |search target_calendar_id!=null email=\"*yourdomain.com\"| stats count values(target_calendar_id) values(event_title) values(event_guest) by email _time | where count >100| `gsuite_suspicious_calendar_invite_filter`", "how_to_implement": "In order to successfully implement this search, you need to be ingesting logs related to gsuite (gsuite:calendar:json) having the file sharing metadata like file type, source owner, destination target user, description, etc. This search can also be made more specific by selecting specific emails, subdomains timeframe, organizational units, targeted user, etc. In order for the search to work for your environment please update `yourdomain.com` value in the query with the domain relavant for your organization.", "known_false_positives": "This search will also produce normal activity statistics. Fields such as email, ip address, name, parameters.organizer_calendar_id, parameters.target_calendar_id and parameters.event_title may give away phishing intent.For more specific results use email parameter.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "gsuite_calendar", "definition": "sourcetype=gsuite:calendar:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gsuite_suspicious_calendar_invite_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Gsuite Suspicious Shared File Name", "author": "Teoderick Contreras, Splunk", "date": "2021-08-23", "version": 1, "id": "07eed200-03f5-11ec-98fb-acde48001122", "description": "This search is to detect a shared file in google drive with suspicious file name that are commonly used by spear phishing campaign. This technique is very popular to lure the user by running a malicious document or click a malicious link within the shared file that will redirected to malicious website. This detection can also catch some normal email communication between organization and its external customer.", "references": ["https://www.redhat.com/en/topics/devops/what-is-devsecops", "https://www.mandiant.com/resources/top-words-used-in-spear-phishing-attacks"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "GSuite", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.AE"], "observable": [{"name": "parameters.owner", "type": "User", "role": ["Attacker"]}, {"name": "email", "type": "User", "role": ["Victim"]}], "message": "suspicious share gdrive from $parameters.owner$ to $email$ namely as $parameters.doc_title$", "risk_score": 21, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}]}, "type": "Anomaly", "search": "`gsuite_drive` parameters.owner_is_team_drive=false \"parameters.doc_title\" IN (\"*dhl*\", \"* ups *\", \"*delivery*\", \"*parcel*\", \"*label*\", \"*invoice*\", \"*postal*\", \"*fedex*\", \"* usps *\", \"* express *\", \"*shipment*\", \"*Banking/Tax*\",\"*shipment*\", \"*new order*\") parameters.doc_type IN (\"document\",\"pdf\", \"msexcel\", \"msword\", \"spreadsheet\", \"presentation\") | rex field=parameters.owner \"[^@]+@(?[^@]+)\" | rex field=parameters.target_user \"[^@]+@(?[^@]+)\" | where not source_domain=\"internal_test_email.com\" and dest_domain=\"internal_test_email.com\" | eval phase=\"plan\" | eval severity=\"low\" | stats count min(_time) as firstTime max(_time) as lastTime by email parameters.owner parameters.target_user parameters.doc_title parameters.doc_type phase severity | rename parameters.target_user AS user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `gsuite_suspicious_shared_file_name_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc. In order for the search to work for your environment, please edit the query to use your company specific email domain instead of `internal_test_email.com`.", "known_false_positives": "normal user or normal transaction may contain the subject and file type attachment that this detection try to search", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "gsuite_drive", "definition": "sourcetype=gsuite:drive:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "gsuite_suspicious_shared_file_name_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "High Number of Login Failures from a single source", "author": "Bhavin Patel, Mauricio Velazco, Splunk", "date": "2020-12-16", "version": 2, "id": "7f398cfb-918d-41f4-8db8-2e2474e02222", "description": "This analytic detects multiple failed login attempts in Office365 Azure Active Directory from a single source IP address. Specifically, it identifies scenarios where there are more than 10 unsuccessful login attempts within a short time frame. The detection leverages Office365 management activity logs, specifically the AzureActiveDirectoryStsLogon records from the AzureActiveDirectory workload. It aggregates these logs in 5-minute intervals to count the number of failed login attempts and associates them with the originating source IP address. Multiple failed login attempts from a single source can be indicative of brute-force attacks, password spraying, or other malicious authentication attempts. Identifying and responding to these patterns promptly can prevent unauthorized access and potential breaches. If this detection represents a true positive, an attacker might be attempting to gain unauthorized access to an Office365 account. Successful compromise could lead to unauthorized access to sensitive data, potential lateral movement within the organization, or further malicious activities using the compromised account.", "references": ["https://attack.mitre.org/techniques/T1110/001/", "https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes"], "tags": {"analytic_story": ["Office 365 Account Takeover"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Ip address $src_ip$ failed to authenticate more than 10 times in a 5 minute", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110.001", "mitre_attack_technique": "Password Guessing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "type": "Anomaly", "search": "`o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoginFailed record_type=AzureActiveDirectoryStsLogon | bucket span=5m _time | stats dc(_raw) AS failed_attempts values(user) as user values(LogonError) as LogonError values(signature) as signature values(UserAgent) as UserAgent by _time, src_ip | where failed_attempts > 10 | `high_number_of_login_failures_from_a_single_source_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. Adjust the threshold value to suit the specific environment, as environments with naturally higher login failures might generate false positives at a lower threshold.", "known_false_positives": "An Ip address with more than 10 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "high_number_of_login_failures_from_a_single_source_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Abuse of Secret by Unusual Location", "author": "Patrick Bareiss, Splunk", "date": "2023-12-06", "version": 1, "id": "40a064c1-4ec1-4381-9e35-61192ba8ef82", "description": "The following analytic detects unauthorized access or misuse of Kubernetes Secrets from unusual locations. It identifies anomalies in access patterns by segmenting and analyzing the source of requests by country. Kubernetes Secrets, which store sensitive information like passwords, OAuth tokens, and SSH keys, are critical assets, and their misuse can lead to significant security breaches. This behavior is worth identifying for a SOC as it could indicate an attacker attempting to exfiltrate or misuse these secrets. The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data.", "references": ["https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/"], "tags": {"analytic_story": ["Kubernetes Security"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Access of Kubernetes secret $objectRef.name$ from unusual location $Country$ by $user$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1552.007", "mitre_attack_technique": "Container API", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "`kube_audit` objectRef.resource=secrets verb=get | iplocation sourceIPs{} | fillnull | search NOT `kube_allowed_locations` | stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} user.uid user.username userAgent verb City Country | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_abuse_of_secret_by_unusual_location_filter` ", "how_to_implement": "The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kube_allowed_locations", "definition": "Country=\"United States\"", "description": "Define your locations which are allowed to connect to your kubernetes cluster."}, {"name": "kube_audit", "definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_abuse_of_secret_by_unusual_location_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Abuse of Secret by Unusual User Agent", "author": "Patrick Bareiss, Splunk", "date": "2023-12-06", "version": 1, "id": "096ab390-05ca-462c-884e-343acd5b9240", "description": "The following analytic detects unauthorized access or misuse of Kubernetes Secrets by unusual user agents. It identifies anomalies in access patterns by segmenting and analyzing the source of requests by user agent. Kubernetes Secrets, which store sensitive information like passwords, OAuth tokens, and SSH keys, are critical assets, and their misuse can lead to significant security breaches. This behavior is worth identifying for a SOC as it could indicate an attacker attempting to exfiltrate or misuse these secrets. The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data.", "references": ["https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/"], "tags": {"analytic_story": ["Kubernetes Security"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Access of Kubernetes secret $objectRef.name$ from unusual user agent $userAgent$ by $user$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1552.007", "mitre_attack_technique": "Container API", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "`kube_audit` objectRef.resource=secrets verb=get | search NOT `kube_allowed_user_agents` | fillnull | stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} user.uid user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_abuse_of_secret_by_unusual_user_agent_filter` ", "how_to_implement": "The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kube_allowed_user_agents", "definition": "userAgent=Helm/3.13.2", "description": "Define your user agents which are allowed to connect to your kubernetes cluster."}, {"name": "kube_audit", "definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_abuse_of_secret_by_unusual_user_agent_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Abuse of Secret by Unusual User Group", "author": "Patrick Bareiss, Splunk", "date": "2023-12-06", "version": 1, "id": "b6f45bbc-4ea9-4068-b3bc-0477f6997ae2", "description": "The following analytic detects unauthorized access or misuse of Kubernetes Secrets by unusual user groups. It identifies anomalies in access patterns by segmenting and analyzing the source of requests by user group. Kubernetes Secrets, which store sensitive information like passwords, OAuth tokens, and SSH keys, are critical assets, and their misuse can lead to significant security breaches. This behavior is worth identifying for a SOC as it could indicate an attacker attempting to exfiltrate or misuse these secrets. The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data.", "references": ["https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/"], "tags": {"analytic_story": ["Kubernetes Security"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Access of Kubernetes secret $objectRef.name$ from unusual user group $user.groups{}$ by user name $user$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1552.007", "mitre_attack_technique": "Container API", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "`kube_audit` objectRef.resource=secrets verb=get | search NOT `kube_allowed_user_groups` | fillnull | stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} user.uid user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_abuse_of_secret_by_unusual_user_group_filter` ", "how_to_implement": "The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kube_allowed_user_groups", "definition": "user.groups{} IN (admin)", "description": "Define your user groups which are allowed to connect to your kubernetes cluster."}, {"name": "kube_audit", "definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_abuse_of_secret_by_unusual_user_group_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Abuse of Secret by Unusual User Name", "author": "Patrick Bareiss, Splunk", "date": "2023-12-06", "version": 1, "id": "df6e9cae-5257-4a34-8f3a-df49fa0f5c46", "description": "The following analytic detects unauthorized access or misuse of Kubernetes Secrets by unusual user names. It identifies anomalies in access patterns by segmenting and analyzing the source of requests by user name. Kubernetes Secrets, which store sensitive information like passwords, OAuth tokens, and SSH keys, are critical assets, and their misuse can lead to significant security breaches. This behavior is worth identifying for a SOC as it could indicate an attacker attempting to exfiltrate or misuse these secrets. The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data.", "references": ["https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/"], "tags": {"analytic_story": ["Kubernetes Security"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Access of Kubernetes secret $objectRef.name$ from unusual user name $user$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1552.007", "mitre_attack_technique": "Container API", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "`kube_audit` objectRef.resource=secrets verb=get | search NOT `kube_allowed_user_names` | fillnull | stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} user.uid user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_abuse_of_secret_by_unusual_user_name_filter` ", "how_to_implement": "The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kube_allowed_user_names", "definition": "user.username=admin", "description": "Define your user names which are allowed to connect to your kubernetes cluster."}, {"name": "kube_audit", "definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_abuse_of_secret_by_unusual_user_name_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Access Scanning", "author": "Patrick Bareiss, Splunk", "date": "2023-12-07", "version": 1, "id": "2f4abe6d-5991-464d-8216-f90f42999764", "description": "The following analytic detects potential scanning activities within a Kubernetes environment. It identifies unauthorized access attempts, probing of public APIs, or attempts to exploit known vulnerabilities. The analytic detects this behavior by monitoring Kubernetes audit logs for patterns indicative of scanning, such as repeated failed access attempts or unusual API requests. This behavior is worth identifying for a SOC as it could indicate an attackers preliminary step in an attack, aiming to gather information about the system to find potential vulnerabilities. The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data.", "references": ["https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/"], "tags": {"analytic_story": ["Kubernetes Security"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Kubernetes scanning from ip $src_ip$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1046", "mitre_attack_technique": "Network Service Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "APT41", "BackdoorDiplomacy", "BlackTech", "Chimera", "Cobalt Group", "DarkVishnya", "FIN13", "FIN6", "Fox Kitten", "Lazarus Group", "Leafminer", "Magic Hound", "Naikon", "OilRig", "Rocke", "Suckfly", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "menuPass"]}]}, "type": "Anomaly", "search": "`kube_audit` \"user.groups{}\"=\"system:unauthenticated\" \"responseStatus.code\"=403 | iplocation sourceIPs{} | stats count values(userAgent) as userAgent values(user.username) as user.username values(user.groups{}) as user.groups{} values(verb) as verb values(requestURI) as requestURI values(responseStatus.code) as responseStatus.code values(responseStatus.message) as responseStatus.message values(responseStatus.reason) as responseStatus.reason values(responseStatus.status) as responseStatus.status by sourceIPs{} Country City | where count > 5 | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_access_scanning_filter` ", "how_to_implement": "The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kube_audit", "definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_access_scanning_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Anomalous Inbound Network Activity from Process", "author": "Matthew Moore, Splunk", "date": "2024-01-10", "version": 1, "id": "10442d8b-0701-4c25-911d-d67b906e713c", "description": "This detection detects inbound network traffic volume anomalies from processes running within containerised workloads. Anomalies are provided with context identifying the Kubernetes cluster, the workload name, and the type of anomaly.This detection leverages Network performance Monitoring metrics harvested using an OTEL collector, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247). This detection compares the tcp.bytes, tcp.new_sockets, tcp.packets, udp.bytes, udp.packets metrics for destination (receiving) workload process pairs over the last 1 hour, with the average of those metrics for those pairs over the last 30 days in order to detect any anonymously high inbound network activity. Anomalies in inbound network traffic may suggest that the container is receiving unexpected or unauthorized data, potentially indicative of a breach, a vulnerability exploitation attempt, an attempt to overload the service, or propagation of malware. Successful compromise of a containerised application resulting in the ability to upload data, can result in installation of command and control software or other malware, data integrity damage, container escape, and further compromise of the environment. Additionally this kind of activity may result in resource contention, performance degradation and disruption to the normal operation of the environment.", "references": ["https://github.com/signalfx/splunk-otel-collector-chart"], "tags": {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Kubernetes Anomalous Inbound Network Activity from Process in kubernetes cluster $host$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}]}, "type": "Anomaly", "search": "| mstats avg(tcp.*) as tcp.* avg(udp.*) as udp.* where `kubernetes_metrics` AND earliest=-1h by k8s.cluster.name dest.workload.name dest.process.name span=10s | eval key='dest.workload.name' + \":\" + 'dest.process.name' | join type=left key [ mstats avg(tcp.*) as avg_tcp.* avg(udp.*) as avg_udp.* stdev(tcp.*) as stdev_tcp.* avg(udp.*) as stdev_udp.* where `kubernetes_metrics` AND earliest=-30d latest=-1h by dest.workload.name dest.process.name | eval key='dest.workload.name' + \":\" + 'dest.process.name' ] | eval anomalies = \"\" | foreach stdev_* [ eval anomalies =if( '<>' > ('avg_<>' + 3 * 'stdev_<>'), anomalies + \"<> higher than average by \" + tostring(round(('<>' - 'avg_<>')/'stdev_<>' ,2)) + \" Standard Deviations. <>=\" + tostring('<>') + \" avg_<>=\" + tostring('avg_<>') + \" 'stdev_<>'=\" + tostring('stdev_<>') + \", \" , anomalies) ] | fillnull | eval anomalies = split(replace(anomalies, \",\\s$$$$\", \"\") ,\", \") | where anomalies!=\"\" | stats count(anomalies) as count values(anomalies) as anomalies by k8s.cluster.name dest.workload.name dest.process.name | where count > 5 | rename k8s.cluster.name as host | `kubernetes_anomalous_inbound_network_activity_from_process_filter` ", "how_to_implement": "To gather NPM metrics the Open Telemetry to the Kubernetes Cluster and enable Network Performance Monitoring according to instructions found in Splunk Docs https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup In order to access those metrics from within Splunk Enterprise and ES, the Splunk Infrastructure Monitoring add-on must be installed and configured on a Splunk Search Head. Once installed, first configure the add-on with your O11y Cloud Org ID and Access Token. Lastly set up the add-on to ingest metrics from O11y cloud using the following settings, and any other settings left at default:\n* Name sim_npm_metrics_to_metrics_index\n* Org ID \n* Signal Flow Program data('tcp.packets').publish(label='A'); data('tcp.bytes').publish(label='B'); data('tcp.new_sockets').publish(label='C'); data('udp.packets').publish(label='D'); data('udp.bytes').publish(label='E')\n* Metric Resolution 10000", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kubernetes_metrics", "definition": "index=kubernetes_metrics", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_anomalous_inbound_network_activity_from_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Anomalous Inbound Outbound Network IO", "author": "Matthew Moore, Splunk", "date": "2023-12-19", "version": 1, "id": "4f3b0c97-657e-4547-a89a-9a50c656e3cd", "description": "This analytic identifies high Inbound or Outbound Network IO anomalies in a Kubernetes container. It uses process metrics from an OTEL collector and Kubelet Stats Receiver, and data from Splunk Observability cloud via the Splunk Infrastructure Monitoring Add-on. A lookup table containing average and standard deviation for network IO is used to evaluate anomalies for each container. An event is generated if the anomaly persists over a 1 hour period. These anomalies may indicate security threats such as data exfiltration, command and control communication, service disruptions, or unauthorized data transfers. They can compromise the confidentiality, availability, and integrity of applications and data, necessitating rapid detection and response. Anomalous network utilization may suggest a compromised container, potentially leading to data breaches, service outages, financial losses, and reputational damage.", "references": ["https://github.com/signalfx/splunk-otel-collector-chart"], "tags": {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Kubernetes Anomalous Inbound Outbound Network IO from container on host $host$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}]}, "type": "Anomaly", "search": "| mstats avg(k8s.pod.network.io) as io where `kubernetes_metrics` by k8s.cluster.name k8s.pod.name k8s.node.name direction span=10s | eval service = replace('k8s.pod.name', \"-\\w{5}$$|-[abcdef0-9]{8,10}-\\w{5}$$\", \"\") | stats avg(eval(if(direction=\"transmit\", io,null()))) as outbound_network_io avg(eval(if(direction=\"receive\", io,null()))) as inbound_network_io by k8s.cluster.name k8s.node.name k8s.pod.name service _time | eval key = 'k8s.cluster.name' + \":\" + 'service' | lookup k8s_container_network_io_baseline key | eval anomalies = \"\" | foreach stdev_* [ eval anomalies =if( '<>' > ('avg_<>' + 4 * 'stdev_<>'), anomalies + \"<> higher than average by \" + tostring(round(('<>' - 'avg_<>')/'stdev_<>' ,2)) + \" Standard Deviations. <>=\" + tostring('<>') + \" avg_<>=\" + tostring('avg_<>') + \" 'stdev_<>'=\" + tostring('stdev_<>') + \", \" , anomalies) ] | eval anomalies = replace(anomalies, \",\\s$$\", \"\") | where anomalies!=\"\" | stats count values(anomalies) as anomalies by k8s.cluster.name k8s.node.name k8s.pod.name service | rename service as k8s.service | where count > 5 | rename k8s.node.name as host | `kubernetes_anomalous_inbound_outbound_network_traffic_io_filter` ", "how_to_implement": "To implement this detection, follow these steps:\n* Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster.\n* Enable the hostmetrics/process receiver in the OTEL configuration.\n* Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled.\n* Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247)\n* Configure the SIM add-on with your Observability Cloud Organization ID and Access Token.\n* Set up the SIM modular input to ingest Process Metrics. Name this input \"sim_process_metrics_to_metrics_index\".\n* In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID.\n* Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K')\n* Set the Metric Resolution to 10000.\n* Leave all other settings at their default values.\n* Run the Search Baseline Of Kubernetes Container Network IO Ratio ", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kubernetes_metrics", "definition": "index=kubernetes_metrics", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_anomalous_inbound_outbound_network_io_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "k8s_container_network_io_baseline", "description": "A place holder for a list of used Kuberntes Container Network IO", "collection": "k8s_container_network_io_baseline", "case_sensitive_match": null, "fields_list": "key, avg_outbound_network_io, avg_inbound_network_io, stdev_outbound_network_io, stdev_inbound_network_io, count, last_seen"}]}, {"name": "Kubernetes Anomalous Inbound to Outbound Network IO Ratio", "author": "Matthew Moore, Splunk", "date": "2023-12-19", "version": 1, "id": "9d8f6e3f-39df-46d8-a9d4-96173edc501f", "description": "This analytic identifies changes in network communication behavior in a Kubernetes container by examining inbound to outbound network IO ratios. It uses process metrics from an OTEL collector and Kubelet Stats Receiver, and data from Splunk Observability cloud via the Splunk Infrastructure Monitoring Add-on. A lookup table containing average and standard deviation for network IO is used to evaluate anomalies for each container. An event is generated if the anomaly persists over a 1 hour period. These anomalies may indicate security threats such as data exfiltration, command and control communication, or compromised container behavior. They can compromise the confidentiality, availability, and integrity of applications and data, necessitating rapid detection and response. Anomalous network utilization may suggest a compromised container, potentially leading to data breaches, service outages, and unauthorized access within the Kubernetes cluster.", "references": ["https://github.com/signalfx/splunk-otel-collector-chart"], "tags": {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Kubernetes Anomalous Inbound to Outbound Network IO Ratio from Container on host $host$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}]}, "type": "Anomaly", "search": "| mstats avg(k8s.pod.network.io) as io where `kubernetes_metrics` by k8s.cluster.name k8s.pod.name k8s.node.name direction span=10s | eval service = replace('k8s.pod.name', \"-\\w{5}$|-[abcdef0-9]{8,10}-\\w{5}$\", \"\") | eval key = 'k8s.cluster.name' + \":\" + 'service' | stats avg(eval(if(direction=\"transmit\", io,null()))) as outbound_network_io avg(eval(if(direction=\"receive\", io,null()))) as inbound_network_io by key service k8s.cluster.name k8s.pod.name k8s.node.name _time | eval inbound:outbound = inbound_network_io/outbound_network_io | eval outbound:inbound = outbound_network_io/inbound_network_io | fields - *network_io | lookup k8s_container_network_io_ratio_baseline key | eval anomalies = \"\" | foreach stdev_* [ eval anomalies =if( '<>' > ('avg_<>' + 4 * 'stdev_<>'), anomalies + \"<> ratio higher than average by \" + tostring(round(('<>' - 'avg_<>')/'stdev_<>' ,2)) + \" Standard Deviations. <>=\" + tostring('<>') + \" avg_<>=\" + tostring('avg_<>') + \" 'stdev_<>'=\" + tostring('stdev_<>') + \", \" , anomalies) ] | eval anomalies = replace(anomalies, \",\\s$\", \"\") | where anomalies!=\"\" | stats count values(anomalies) as anomalies by k8s.cluster.name k8s.node.name k8s.pod.name service | rename service as k8s.service | where count > 5 | rename k8s.node.name as host | `kubernetes_anomalous_inbound_to_outbound_network_io_ratio_filter` ", "how_to_implement": "To implement this detection, follow these steps:\n* Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster.\n* Enable the hostmetrics/process receiver in the OTEL configuration.\n* Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled.\n* Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247)\n* Configure the SIM add-on with your Observability Cloud Organization ID and Access Token.\n* Set up the SIM modular input to ingest Process Metrics. Name this input \"sim_process_metrics_to_metrics_index\".\n* In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID.\n* Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K')\n* Set the Metric Resolution to 10000.\n* Leave all other settings at their default values.\n* Run the Search Baseline Of Kubernetes Container Network IO Ratio ", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kubernetes_metrics", "definition": "index=kubernetes_metrics", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_anomalous_inbound_to_outbound_network_io_ratio_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "k8s_container_network_io_ratio_baseline", "description": "A place holder for a list of used Kuberntes Container Network IO Ratio", "collection": "k8s_container_network_io_ratio_baseline", "case_sensitive_match": null, "fields_list": "key, avg_outbound_network_io, avg_inbound_network_io, stdev_outbound_network_io, stdev_inbound_network_io, count, last_seen"}]}, {"name": "Kubernetes Anomalous Outbound Network Activity from Process", "author": "Matthew Moore, Splunk", "date": "2024-01-10", "version": 1, "id": "dd6afee6-e0a3-4028-a089-f47dd2842c22", "description": "This detection detects outbound network traffic volume anomalies from processes running within containerised workloads. Anomalies are provided with context identifying the Kubernetes cluster, the workload name, and the type of anomaly. This detection leverages Network performance Monitoring metrics harvested using an OTEL collector, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247). This detection compares the tcp.bytes, tcp.new_sockets, tcp.packets, udp.bytes, udp.packets metrics for source (transmitting) workload process pairs over the last 1 hout, with the average of those metrics for those pairs over the last 30 days in order to detect any anonymously high outbound network activity. Anonymously high outbound network traffic from a process running in a container is a potential indication of data exfiltration, or an indication that the process has been modified. Anomalously high outbound network activity from a process running within a container suggests the potential compromise, which may lead to unauthorized data exfiltration, communication with malicious entities, or the propagation of malware to external systems. The compromised container could also serve as a pivot point for further attacks within the containerized environment.", "references": ["https://github.com/signalfx/splunk-otel-collector-chart"], "tags": {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Kubernetes Anomalous Outbound Network Activity from Process in kubernetes cluster $host$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}]}, "type": "Anomaly", "search": "| mstats avg(tcp.*) as tcp.* avg(udp.*) as udp.* where `kubernetes_metrics` AND earliest=-1h by k8s.cluster.name source.workload.name source.process.name span=10s | eval key='source.workload.name' + \":\" + 'source.process.name' | join type=left key [ mstats avg(tcp.*) as avg_tcp.* avg(udp.*) as avg_udp.* stdev(tcp.*) as stdev_tcp.* avg(udp.*) as stdev_udp.* where `kubernetes_metrics` AND earliest=-30d latest=-1h by source.workload.name source.process.name | eval key='source.workload.name' + \":\" + 'source.process.name' ] | eval anomalies = \"\" | foreach stdev_* [ eval anomalies =if( '<>' > ('avg_<>' + 3 * 'stdev_<>'), anomalies + \"<> higher than average by \" + tostring(round(('<>' - 'avg_<>')/'stdev_<>' ,2)) + \" Standard Deviations. <>=\" + tostring('<>') + \" avg_<>=\" + tostring('avg_<>') + \" 'stdev_<>'=\" + tostring('stdev_<>') + \", \" , anomalies) ] | fillnull | eval anomalies = split(replace(anomalies, \",\\s$$$$\", \"\") ,\", \") | where anomalies!=\"\" | stats count(anomalies) as count values(anomalies) as anomalies by k8s.cluster.name source.workload.name source.process.name | where count > 5 | rename k8s.cluster.name as host | `kubernetes_anomalous_outbound_network_activity_from_process_filter` ", "how_to_implement": "To gather NPM metrics the Open Telemetry to the Kubernetes Cluster and enable Network Performance Monitoring according to instructions found in Splunk Docs https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup In order to access those metrics from within Splunk Enterprise and ES, the Splunk Infrastructure Monitoring add-on must be installed and configured on a Splunk Search Head. Once installed, first configure the add-on with your O11y Cloud Org ID and Access Token. Lastly set up the add-on to ingest metrics from O11y cloud using the following settings, and any other settings left at default:\n* Name sim_npm_metrics_to_metrics_index\n* Org ID \n* Signal Flow Program data('tcp.packets').publish(label='A'); data('tcp.bytes').publish(label='B'); data('tcp.new_sockets').publish(label='C'); data('udp.packets').publish(label='D'); data('udp.bytes').publish(label='E')\n* Metric Resolution 10000", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kubernetes_metrics", "definition": "index=kubernetes_metrics", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_anomalous_outbound_network_activity_from_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Anomalous Traffic on Network Edge", "author": "Matthew Moore, Splunk", "date": "2024-01-10", "version": 1, "id": "886c7e51-2ea1-425d-8705-faaca5a64cc6", "description": "This detection detects network traffic volume anomalies between workloads in a microservices hosted application, or between a workload and the outside world if the workload is shown as (unknown). This detection leverages Network performance Monitoring metrics harvested using an OTEL collector, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on (https://splunkbase.splunk.com/app/5247). This detection compares the tcp.bytes, tcp.new_sockets, tcp.packets, udp.bytes, udp.packets metrics between workloads over the last 1 hour, with the average of those metrics over the last 30 days in order to detect any anonymously high inbound or outbound network activity. Unexpected spikes in network traffic may signify unauthorized data transfers, or abnormal behavior within the microservices ecosystem. Such activity might signify data exfiltration, unauthorized lateral movement, within the microservices environment. If a bad actor is responsible for this traffic they could compromise additional services or extract sensitive data, potentially leading to data breaches.", "references": ["https://github.com/signalfx/splunk-otel-collector-chart"], "tags": {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Kubernetes Anomalous Traffic on Network Edge in kubernetes cluster $host$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}]}, "type": "Anomaly", "search": "| mstats avg(tcp.*) as tcp.* avg(udp.*) as udp.* where `kubernetes_metrics` AND earliest=-1h by k8s.cluster.name source.workload.name dest.workload.name span=10s | eval key='source.workload.name' + \":\" + 'dest.workload.name' | join type=left key [ mstats avg(tcp.*) as avg_tcp.* avg(udp.*) as avg_udp.* stdev(tcp.*) as stdev_tcp.* avg(udp.*) as stdev_udp.* where `kubernetes_metrics` AND earliest=-30d latest=-1h by source.workload.name dest.workload.name | eval key='source.workload.name' + \":\" + 'dest.workload.name' ] | eval anomalies = \"\" | foreach stdev_* [ eval anomalies =if( '<>' > ('avg_<>' + 3 * 'stdev_<>'), anomalies + \"<> higher than average by \" + tostring(round(('<>' - 'avg_<>')/'stdev_<>' ,2)) + \" Standard Deviations. <>=\" + tostring('<>') + \" avg_<>=\" + tostring('avg_<>') + \" 'stdev_<>'=\" + tostring('stdev_<>') + \", \" , anomalies) ] | fillnull | eval anomalies = split(replace(anomalies, \",\\s$$$$\", \"\") ,\", \") | where anomalies!=\"\" | stats count(anomalies) as count values(anomalies) as anomalies by k8s.cluster.name source.workload.name dest.workload.name | rename service as k8s.service | where count > 5 | rename k8s.cluster.name as host | `kubernetes_anomalous_traffic_on_network_edge_filter` ", "how_to_implement": "To gather NPM metrics the Open Telemetry to the Kubernetes Cluster and enable Network Performance Monitoring according to instructions found in Splunk Docs https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup In order to access those metrics from within Splunk Enterprise and ES, the Splunk Infrastructure Monitoring add-on must be installed and configured on a Splunk Search Head. Once installed, first configure the add-on with your O11y Cloud Org ID and Access Token. Lastly set up the add-on to ingest metrics from O11y cloud using the following settings, and any other settings left at default:\n* Name sim_npm_metrics_to_metrics_index\n* Org ID \n* Signal Flow Program data('tcp.packets').publish(label='A'); data('tcp.bytes').publish(label='B'); data('tcp.new_sockets').publish(label='C'); data('udp.packets').publish(label='D'); data('udp.bytes').publish(label='E')\n* Metric Resolution 10000", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kubernetes_metrics", "definition": "index=kubernetes_metrics", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_anomalous_traffic_on_network_edge_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes AWS detect suspicious kubectl calls", "author": "Rod Soto, Patrick Bareiss, Splunk", "date": "2023-12-19", "version": 2, "id": "042a3d32-8318-4763-9679-09db2644a8f2", "description": "The following analytic detects anonymous and unauthenticated requests to a Kubernetes cluster. It identifies this behavior by monitoring for API calls from users who have not provided any token or password in their request. This is a significant behavior to identify for a SOC as it indicates a severe misconfiguration that allows unfettered access to a cluster with no traceability to a user or service. The impact of such an attack could be substantial, potentially granting an attacker access to sensitive data or control over the cluster. This detection rule is crucial for maintaining the security and integrity of your Kubernetes infrastructure.", "references": [], "tags": {"analytic_story": ["Kubernetes Security"], "asset_type": "Kubernetes", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`kube_audit` user.username=\"system:anonymous\" user.groups{} IN (\"system:unauthenticated\") | fillnull | stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} user.uid user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user |`kubernetes_aws_detect_suspicious_kubectl_calls_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs.", "known_false_positives": "Kubectl calls are not malicious by nature. However source IP, verb and Object can reveal potential malicious activity, specially anonymous suspicious IPs and sensitive objects such as configmaps or secrets", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kube_audit", "definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_aws_detect_suspicious_kubectl_calls_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Create or Update Privileged Pod", "author": "Patrick Bareiss, Splunk", "date": "2023-12-14", "version": 1, "id": "3c6bd734-334d-4818-ae7c-5234313fc5da", "description": "The following analytic detects the creation of privileged pods in Kubernetes. It identifies this behavior by monitoring Kubernetes Audit logs for the creation of pods with root privileges. This behavior is worth identifying for a SOC as it could potentially allow an attacker to escalate privileges, exploit the kernel, and gain full access to the host's namespace and devices. The impact of such an attack could be severe, leading to unauthorized access to sensitive information, data breaches, and service disruptions.", "references": ["https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/"], "tags": {"analytic_story": ["Kubernetes Security"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Kubernetes privileged pod created by user $user$.", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}]}, "type": "Anomaly", "search": "`kube_audit` objectRef.resource=pods verb=create OR verb=update requestObject.metadata.annotations.kubectl.kubernetes.io/last-applied-configuration=*\\\"privileged\\\":true* | fillnull | stats count values(user.groups{}) as user_groups by kind objectRef.name objectRef.namespace objectRef.resource requestObject.kind responseStatus.code sourceIPs{} stage user.username userAgent verb requestObject.metadata.annotations.kubectl.kubernetes.io/last-applied-configuration | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_create_or_update_privileged_pod_filter` ", "how_to_implement": "The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kube_audit", "definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_create_or_update_privileged_pod_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Cron Job Creation", "author": "Patrick Bareiss, Splunk", "date": "2023-12-14", "version": 1, "id": "5984dbe8-572f-47d7-9251-3dff6c3f0c0d", "description": "The following analytic detects the creation of a Kubernetes cron job, a task scheduled to run automatically at specified intervals. It identifies this behavior by monitoring Kubernetes Audit logs for creation of a cron job. This behavior is worth identifying for a SOC as it could potentially allow an attacker to execute malicious tasks repeatedly and automatically, posing a significant threat to the integrity and security of the Kubernetes infrastructure. The impact of such an attack could be severe, leading to persistent attacks, service disruptions, or unauthorized access to sensitive information.", "references": ["https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/"], "tags": {"analytic_story": ["Kubernetes Security"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Kubernetes cron job creation from user $user$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.007", "mitre_attack_technique": "Container Orchestration Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "`kube_audit` verb=create \"objectRef.resource\"=cronjobs | fillnull | stats count values(user.groups{}) as user_groups by kind objectRef.name objectRef.namespace objectRef.resource requestObject.kind requestObject.spec.schedule requestObject.spec.jobTemplate.spec.template.spec.containers{}.image responseStatus.code sourceIPs{} stage user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_cron_job_creation_filter` ", "how_to_implement": "The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kube_audit", "definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_cron_job_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes DaemonSet Deployed", "author": "Patrick Bareiss, Splunk", "date": "2023-12-14", "version": 1, "id": "bf39c3a3-b191-4d42-8738-9d9797bd0c3a", "description": "The following analytic detects the creation of a DaemonSet in a Kubernetes cluster. A DaemonSet ensures the presence of a specific pod on every node in the cluster, making it an ideal avenue for persistent access. This behavior is identified by monitoring Kubernetes Audit logs for the creation of a DaemonSet. The identified behavior is worth noting for a SOC as it could potentially allow an attacker to maintain persistent access to the Kubernetes infrastructure. The impact of such an attack could be severe, leading to persistent attacks, service disruptions, or unauthorized access to sensitive information.", "references": ["https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/"], "tags": {"analytic_story": ["Kubernetes Security"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "DaemonSet deployed to Kubernetes by user $user$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}]}, "type": "Anomaly", "search": "`kube_audit` \"objectRef.resource\"=daemonsets verb=create | fillnull | stats count values(user.groups{}) as user_groups by kind objectRef.name objectRef.namespace objectRef.resource requestObject.kind responseStatus.code sourceIPs{} stage user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_daemonset_deployed_filter` ", "how_to_implement": "The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kube_audit", "definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_daemonset_deployed_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Falco Shell Spawned", "author": "Patrick Bareiss, Splunk", "date": "2023-12-13", "version": 1, "id": "d2feef92-d54a-4a19-8306-b47c6ceba5b2", "description": "The following analytic detects instances where a shell is spawned within a Kubernetes container, a behavior often indicative of an attacker gaining unauthorized access. Leveraging Falco, a cloud-native runtime security tool, this analytic monitors system calls within the Kubernetes environment, flagging when a shell is spawned in a container. This behavior is worth identifying for a SOC as it could potentially allow an attacker to execute arbitrary commands, manipulate container processes, or escalate privileges, posing a significant threat to the integrity and security of the Kubernetes infrastructure. The impact of such an attack could be severe, leading to data breaches, service disruptions, or unauthorized access to sensitive information.", "references": ["https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/"], "tags": {"analytic_story": ["Kubernetes Security"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A shell is spawned in the container $container_name$ by user $user$.", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}]}, "type": "Anomaly", "search": "`kube_container_falco` \"A shell was spawned in a container\" | fillnull | stats count by container_image container_image_tag container_name parent proc_exepath process user | `kubernetes_falco_shell_spawned_filter` ", "how_to_implement": "The detection is based on data that originates from Falco, a cloud native runtime security tool. Falco is designed to detect anomalous activity in your applications and is a crucial component of this detection rule. To implement this detection rule, you need to install and configure Falco in your Kubernetes environment. Once Falco is set up, it will monitor the system calls in your Kubernetes infrastructure and generate logs for any suspicious activity. These logs are then ingested by Splunk for analysis. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kube_container_falco", "definition": "sourcetype=\"kube:container:falco\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_falco_shell_spawned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes newly seen TCP edge", "author": "Matthew Moore, Splunk", "date": "2024-01-10", "version": 1, "id": "13f081d6-7052-428a-bbb0-892c79ca7c65", "description": "This analytic detects TCP communication between a newly seen source and destination workload pair. This is done to identify changes in network behavior between workloads in a kubernetes cluster. This detection leverages Network performance Monitoring metrics harvested using an OTEL collector, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247). This detection compares network activity between workloads over the last 1 hour, with those over the last 30 days in order to detect newly seen inter workload communication. Newly seen network connections in a microservices based app indicate a change in behavior which could indicate potential security threats or anomalies. Distributed applications typically have common established network connection topologies, and new connections are often either an indication of a change in the application or an active threat. Unauthorized connections may enable the attacker to infiltrate the applications ecosystem, potentially leading to data breaches, manipulation of sensitive information, or disruption of critical services. Bad actors may exploit these connections to gain access, escalate privileges, move laterally within the microservices, or introduce malicious code or payloads, putting the applications integrity, availability, and confidentiality at risk.", "references": ["https://github.com/signalfx/splunk-otel-collector-chart"], "tags": {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Kubernetes newly seen TCP edge in kubernetes cluster $host$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}]}, "type": "Anomaly", "search": "| mstats count(tcp.packets) as tcp.packets_count where `kubernetes_metrics` AND earliest=-1h by k8s.cluster.name source.workload.name dest.workload.name | eval current=\"True\" | append [ mstats count(tcp.packets) as tcp.packets_count where `kubernetes_metrics` AND earliest=-30d latest=-1h by source.workload.name dest.workload.name | eval current=\"false\" ] | eventstats values(current) as current by source.workload.name dest.workload.name | search current=\"true\" current!=\"false\" | rename k8s.cluster.name as host | `kubernetes_newly_seen_tcp_edge_filter` ", "how_to_implement": "To gather NPM metrics the Open Telemetry to the Kubernetes Cluster and enable Network Performance Monitoring according to instructions found in Splunk Docs https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup In order to access those metrics from within Splunk Enterprise and ES, the Splunk Infrastructure Monitoring add-on must be installed and configured on a Splunk Search Head. Once installed, first configure the add-on with your O11y Cloud Org ID and Access Token. Lastly set up the add-on to ingest metrics from O11y cloud using the following settings, and any other settings left at default:\n* Name sim_npm_metrics_to_metrics_index\n* Org ID \n* Signal Flow Program data('tcp.packets').publish(label='A'); data('tcp.bytes').publish(label='B'); data('tcp.new_sockets').publish(label='C'); data('udp.packets').publish(label='D'); data('udp.bytes').publish(label='E')\n* Metric Resolution 10000", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kubernetes_metrics", "definition": "index=kubernetes_metrics", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_newly_seen_tcp_edge_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes newly seen UDP edge", "author": "Matthew Moore, Splunk", "date": "2024-01-10", "version": 1, "id": "49b7daca-4e3c-4899-ba15-9a175e056fa9", "description": "This analytic detects UDP communication between a newly seen source and destination workload pair. This is done to identify changes in network behavior between workloads in a kubernetes cluster. This detection leverages Network performance Monitoring metrics harvested using an OTEL collector, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247). This detection compares network activity between workloads over the last 1 hour, with those over the last 30 days in order to detect newly seen inter workload communication. Newly seen network connections in a microservices based app indicate a change in behavior which could indicate potential security threats or anomalies. Distributed applications typically have common established network connection topologies, and new connections are often either an indication of a change in the application or an active threat. Unauthorized connections may enable the attacker to infiltrate the applications ecosystem, potentially leading to data breaches, manipulation of sensitive information, or disruption of critical services. Bad actors may exploit these connections to gain access, escalate privileges, move laterally within the microservices, or introduce malicious code or payloads, putting the applications integrity, availability, and confidentiality at risk.", "references": ["https://github.com/signalfx/splunk-otel-collector-chart"], "tags": {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Kubernetes newly seen UDP edge in kubernetes cluster $host$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}]}, "type": "Anomaly", "search": "| mstats count(udp.packets) as udp.packets_count where `kubernetes_metrics` AND earliest=-1h by k8s.cluster.name source.workload.name dest.workload.name | eval current=\"True\" | append [ mstats count(udp.packets) as udp.packets_count where `kubernetes_metrics` AND earliest=-30d latest=-1h by source.workload.name dest.workload.name | eval current=\"false\" ] | eventstats values(current) as current by source.workload.name dest.workload.name | search current=\"true\" current!=\"false\" | rename k8s.cluster.name as host | `kubernetes_newly_seen_udp_edge_filter` ", "how_to_implement": "To gather NPM metrics the Open Telemetry to the Kubernetes Cluster and enable Network Performance Monitoring according to instructions found in Splunk Docs https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup In order to access those metrics from within Splunk Enterprise and ES, the Splunk Infrastructure Monitoring add-on must be installed and configured on a Splunk Search Head. Once installed, first configure the add-on with your O11y Cloud Org ID and Access Token. Lastly set up the add-on to ingest metrics from O11y cloud using the following settings, and any other settings left at default:\n* Name sim_npm_metrics_to_metrics_index\n* Org ID \n* Signal Flow Program data('tcp.packets').publish(label='A'); data('tcp.bytes').publish(label='B'); data('tcp.new_sockets').publish(label='C'); data('udp.packets').publish(label='D'); data('udp.bytes').publish(label='E')\n* Metric Resolution 10000", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kubernetes_metrics", "definition": "index=kubernetes_metrics", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_newly_seen_udp_edge_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Nginx Ingress LFI", "author": "Patrick Bareiss, Splunk", "date": "2024-05-19", "version": 4, "id": "0f83244b-425b-4528-83db-7a88c5f66e48", "description": "The following analytic detects local file inclusion (LFI) attacks targeting Kubernetes Nginx ingress controllers. It leverages Kubernetes logs, parsing fields such as `request` and `status` to identify suspicious patterns indicative of LFI attempts. This activity is significant because LFI attacks can allow attackers to read sensitive files from the server, potentially exposing critical information. If confirmed malicious, this could lead to unauthorized access to sensitive data, further exploitation, and potential compromise of the Kubernetes environment.", "references": ["https://github.com/splunk/splunk-connect-for-kubernetes", "https://www.offensive-security.com/metasploit-unleashed/file-inclusion-vulnerabilities/"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Local File Inclusion Attack detected on $host$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1212", "mitre_attack_technique": "Exploitation for Credential Access", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "`kubernetes_container_controller` | rex field=_raw \"^(?\\S+)\\s+-\\s+-\\s+\\[(?[^\\]]*)\\]\\s\\\"(?[^\\\"]*)\\\"\\s(?\\S*)\\s(?\\S*)\\s\\\"(?[^\\\"]*)\\\"\\s\\\"(?[^\\\"]*)\\\"\\s(?\\S*)\\s(?\\S*)\\s\\[(?[^\\]]*)\\]\\s\\[(?[^\\]]*)\\]\\s(?\\S*)\\s(?\\S*)\\s(?\\S*)\\s(?\\S*)\\s(?\\S*)\" | rename remote_addr AS src_ip, upstream_status as status, proxy_upstream_name as proxy | rex field=request \"^(?\\S+)\\s(?\\S+)\\s\" | eval phase=\"operate\" | eval severity=\"high\" | stats count min(_time) as firstTime max(_time) as lastTime by src_ip, status, url, http_method, host, http_user_agent, proxy, phase, severity, request | lookup local_file_inclusion_paths local_file_inclusion_paths AS request OUTPUT lfi_path | search lfi_path=yes | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `kubernetes_nginx_ingress_lfi_filter`", "how_to_implement": "You must ingest Kubernetes logs through Splunk Connect for Kubernetes.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "kubernetes_container_controller", "definition": "sourcetype=kube:container:controller", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "kubernetes_nginx_ingress_lfi_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "local_file_inclusion_paths", "description": "A list of interesting files in a local file inclusion attack", "filename": "local_file_inclusion_paths.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(local_file_inclusion_paths)", "min_matches": 1, "fields_list": null}]}, {"name": "Kubernetes Nginx Ingress RFI", "author": "Patrick Bareiss, Splunk", "date": "2024-05-19", "version": 4, "id": "fc5531ae-62fd-4de6-9c36-b4afdae8ca95", "description": "The following analytic detects remote file inclusion (RFI) attacks targeting Kubernetes Nginx ingress controllers. It leverages Kubernetes logs from the Nginx ingress controller, parsing fields such as `remote_addr`, `request`, and `url` to identify suspicious activity. This activity is significant because RFI attacks can allow attackers to execute arbitrary code or access sensitive files on the server. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or further compromise of the Kubernetes environment.", "references": ["https://github.com/splunk/splunk-connect-for-kubernetes", "https://www.invicti.com/blog/web-security/remote-file-inclusion-vulnerability/"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Remote File Inclusion Attack detected on $host$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1212", "mitre_attack_technique": "Exploitation for Credential Access", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "`kubernetes_container_controller` | rex field=_raw \"^(?\\S+)\\s+-\\s+-\\s+\\[(?[^\\]]*)\\]\\s\\\"(?[^\\\"]*)\\\"\\s(?\\S*)\\s(?\\S*)\\s\\\"(?[^\\\"]*)\\\"\\s\\\"(?[^\\\"]*)\\\"\\s(?\\S*)\\s(?\\S*)\\s\\[(?[^\\]]*)\\]\\s\\[(?[^\\]]*)\\]\\s(?\\S*)\\s(?\\S*)\\s(?\\S*)\\s(?\\S*)\\s(?\\S*)\" | rex field=request \"^(?\\S+)?\\s(?\\S+)\\s\" | rex field=url \"(?\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\" | search dest_ip=* | rename remote_addr AS src_ip, upstream_status as status, proxy_upstream_name as proxy | eval phase=\"operate\" | eval severity=\"medium\" | stats count min(_time) as firstTime max(_time) as lastTime by src_ip, dest_ip status, url, http_method, host, http_user_agent, proxy, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `kubernetes_nginx_ingress_rfi_filter`", "how_to_implement": "You must ingest Kubernetes logs through Splunk Connect for Kubernetes.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "kubernetes_container_controller", "definition": "sourcetype=kube:container:controller", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "kubernetes_nginx_ingress_rfi_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Node Port Creation", "author": "Patrick Bareiss, Splunk", "date": "2023-12-13", "version": 1, "id": "d7fc865e-b8a1-4029-a960-cf4403b821b6", "description": "The following analytic detects the creation of a Kubernetes node port service, an action that exposes a service to the external network. It identifies this behavior by monitoring Kubernetes Audit logs for creation of a Node Port service. This behavior is worth identifying for a SOC as it could potentially allow an attacker to access internal services, posing a significant threat to the integrity and security of the Kubernetes infrastructure. The impact of such an attack could be severe, leading to data breaches, service disruptions, or unauthorized access to sensitive information.", "references": ["https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/"], "tags": {"analytic_story": ["Kubernetes Security"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Kubernetes node port creation from user $user$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}]}, "type": "Anomaly", "search": "`kube_audit` \"objectRef.resource\"=services verb=create requestObject.spec.type=NodePort | fillnull | stats count values(user.groups{}) as user_groups by kind objectRef.name objectRef.namespace objectRef.resource requestObject.kind requestObject.spec.type responseStatus.code sourceIPs{} stage user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_node_port_creation_filter` ", "how_to_implement": "The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kube_audit", "definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_node_port_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Pod Created in Default Namespace", "author": "Patrick Bareiss, Splunk", "date": "2023-12-19", "version": 1, "id": "3d6b1a81-367b-42d5-a925-6ef90b6b9f1e", "description": "The following analytic detects the creation of pods in the default, kube-system, or kube-public namespaces. It identifies this behavior by monitoring Kubernetes audit logs for pod creation events in these namespaces. This behavior is worth identifying for a SOC as it may indicate an attacker attempting to hide their presence or evade defenses. Only administrators should typically create pods in the kube-system namespace, and the default and kube-public namespaces should not be used in production. The impact of the attack could be significant, as it may indicate a successful cluster breach and ongoing malicious activity.", "references": ["https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/"], "tags": {"analytic_story": ["Kubernetes Security"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Kubernetes Pod Created in Default Namespace by $user$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}]}, "type": "Anomaly", "search": "`kube_audit` objectRef.resource=pods verb=create objectRef.namespace IN (\"default\", \"kube-system\", \"kube-public\") | fillnull | stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} user.uid user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_pod_created_in_default_namespace_filter` ", "how_to_implement": "The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kube_audit", "definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_pod_created_in_default_namespace_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Pod With Host Network Attachment", "author": "Patrick Bareiss, Splunk", "date": "2023-12-14", "version": 1, "id": "cce357cf-43a4-494a-814b-67cea90fe990", "description": "The following analytic detects the creation of a pod with host network attachment in Kubernetes. It identifies this behavior by monitoring Kubernetes Audit logs for the creation or update of pods with host network configuration. This behavior is worth identifying for a SOC as it could potentially allow an attacker to listen to all network traffic on the node and other compute on the network namespace, capturing secrets passed in arguments or connections to escalate their privileges. The impact of such an attack could be severe, leading to unauthorized access to sensitive information, data breaches, and service disruptions.", "references": ["https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/"], "tags": {"analytic_story": ["Kubernetes Security"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Kubernetes pod with host network attachment from user $user$.", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}]}, "type": "Anomaly", "search": "`kube_audit` objectRef.resource=pods verb=create OR verb=update requestObject.metadata.annotations.kubectl.kubernetes.io/last-applied-configuration=*\\\"hostNetwork\\\":true* | fillnull | stats count values(user.groups{}) as user_groups by kind objectRef.name objectRef.namespace objectRef.resource requestObject.kind responseStatus.code sourceIPs{} stage user.username userAgent verb requestObject.metadata.annotations.kubectl.kubernetes.io/last-applied-configuration | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_pod_with_host_network_attachment_filter` ", "how_to_implement": "The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kube_audit", "definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_pod_with_host_network_attachment_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Previously Unseen Container Image Name", "author": "Matthew Moore, Splunk", "date": "2023-12-18", "version": 1, "id": "fea515a4-b1d8-4cd6-80d6-e0d71397b891", "description": "The following analytic identifies containerised workloads that have been created using a previously unseen image. This detection leverages process metrics harvested using an OTEL collector and kubernetes cluster receiver, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247). This detection uses the k8s.container.ready metric to compare the container image names seen in the last 1 hour with those seen in the 30 days prior to those 1 hour, and alerts if a new container image is detected. When a container in a Kubernetes cluster created using a previously unseen image it raises potential security risks and unknown variables. Unfamiliar container images could contain vulnerabilities, malware, or misconfigurations that pose threats to the cluster's integrity and the applications it hosts. The absence of prior knowledge about the image makes it difficult to assess its trustworthiness, track its lineage, or verify its compliance with security policies. The potential security impact of a container created using a compromised image is significant. Compromised containers can potentially introduce malware, backdoors, or other malicious code into the containerized application, leading to data breaches, service disruptions, and unauthorized access within the Kubernetes cluster. A compromised image can serve as a foothold for lateral movement and privilege escalation, potentially compromising other containers, pods, or nodes in the cluster. Additionally, it may enable the actor to exfiltrate sensitive data, manipulate configurations, or execute arbitrary code, posing risks to the confidentiality, availability, and integrity of applications and data hosted within the cluster", "references": ["https://github.com/signalfx/splunk-otel-collector-chart"], "tags": {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Kubernetes Previously Unseen Container Image Name on host $host$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}]}, "type": "Anomaly", "search": "| mstats count(k8s.container.ready) as k8s.container.ready_count where `kubernetes_metrics` AND earliest=-24h by host.name k8s.cluster.name k8s.node.name container.image.name | eval current=\"True\" | append [mstats count(k8s.container.ready) as k8s.container.ready_count where `kubernetes_metrics` AND earliest=-30d latest=-1h by host.name k8s.cluster.name k8s.node.name container.image.name | eval current=\"false\" ] | stats values(current) as current by host.name k8s.cluster.name k8s.node.name container.image.name | search current=\"true\" AND current!=\"false\" | rename host.name as host | `kubernetes_previously_unseen_container_image_name_filter` ", "how_to_implement": "To implement this detection, follow these steps:\n* Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster.\n* Enable the hostmetrics/process receiver in the OTEL configuration.\n* Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled.\n* Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247)\n* Configure the SIM add-on with your Observability Cloud Organization ID and Access Token.\n* Set up the SIM modular input to ingest Process Metrics. Name this input \"sim_process_metrics_to_metrics_index\".\n* In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID.\n* Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K')\n* Set the Metric Resolution to 10000.\n* Leave all other settings at their default values.\n* Run the Search Baseline Of Kubernetes Container Network IO Ratio ", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kubernetes_metrics", "definition": "index=kubernetes_metrics", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_previously_unseen_container_image_name_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Previously Unseen Process", "author": "Matthew Moore, Splunk", "date": "2023-12-18", "version": 1, "id": "c8119b2f-d7f7-40be-940a-1c582870e8e2", "description": "This analytic detects newly seen process within the Kubernetes scope on a master or worker node. This detection leverages process metrics harvested using an OTEL collector and hostmetrics receiever, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247). This detection compares the processes seen for each node over the previous 1 hour with those over the previous 30 days up until the previous 1 hour. The specific metric used by this detection is process.memory.utilization. Newly seen processes on a Kubernetes worker node are concerning as they may represent security risks and anomalies that could be related to unauthorized activity. New processes may be introduced in an attempt to compromise the node or gain control of the Kubernetes cluster. By detecting these processes, they can be investigated, and correlated with other anomalous activity for that host. Newly seen processes may be part of an attacker's strategy to compromise the node, gain unauthorized access, and subsequently extend their control to the entire Kubernetes cluster. These processes could facilitate activities such as data exfiltration, privilege escalation, denial-of-service attacks, or the introduction of malware and backdoors, putting sensitive data, applications, and the entire infrastructure at risk. The consequences may include data breaches, service disruptions, financial losses, and reputational damage, underscoring the need to identify anomalous process and associate them with any concurrent risk activity.", "references": ["https://github.com/signalfx/splunk-otel-collector-chart"], "tags": {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Kubernetes Previously Unseen Process on host $host$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}]}, "type": "Anomaly", "search": "| mstats count(process.memory.utilization) as process.memory.utilization_count where `kubernetes_metrics` AND earliest=-1h by host.name k8s.cluster.name k8s.node.name process.executable.name | eval current=\"True\" | append [mstats count(process.memory.utilization) as process.memory.utilization_count where `kubernetes_metrics` AND earliest=-30d latest=-1h by host.name k8s.cluster.name k8s.node.name process.executable.name ] | stats count values(current) as current by host.name k8s.cluster.name k8s.node.name process.executable.name | where count=1 and current=\"True\" | rename host.name as host | `kubernetes_previously_unseen_process_filter` ", "how_to_implement": "To implement this detection, follow these steps:\n* Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster.\n* Enable the hostmetrics/process receiver in the OTEL configuration.\n* Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled.\n* Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247)\n* Configure the SIM add-on with your Observability Cloud Organization ID and Access Token.\n* Set up the SIM modular input to ingest Process Metrics. Name this input \"sim_process_metrics_to_metrics_index\".\n* In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID.\n* Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K')\n* Set the Metric Resolution to 10000.\n* Leave all other settings at their default values.\n* Run the Search Baseline Of Kubernetes Container Network IO Ratio ", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kubernetes_metrics", "definition": "index=kubernetes_metrics", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_previously_unseen_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Process Running From New Path", "author": "Matthew Moore, Splunk", "date": "2023-12-18", "version": 1, "id": "454076fb-0e9e-4adf-b93a-da132621c5e6", "description": "This analytic detects processes running within the same scope as Kubernetes that have been run from a newly seen path. This detection leverages process metrics harvested using an OTEL collector and hostmetrics receiever, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247). This detection compares the processes seen for each node over the previous 1 hour with those over the previous 30 days up until the previous 1 hour, and alerts if the path for that process was not seen over the previous 30 days. The specific metric used by this detection is process.memory.utilization. Processes running from a newly seen path can signify potential security risks and anomalies. A process executing from an unfamiliar file path may indicate unauthorized changes to the file system, a compromised node, or the introduction of malicious software. If the presence of a process running from a newly seen file path on a Kubernetes node indicates malicious activity, the security implications could be severe. It suggests that an attacker has potentially compromised the node, allowing them to execute unauthorized processes and potentially gain control over critical resources. This could lead to further exploitation, data exfiltration, privilege escalation, or the introduction of malware and backdoors within the Kubernetes cluster.", "references": ["https://github.com/signalfx/splunk-otel-collector-chart"], "tags": {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Kubernetes Process Running From New Path on host $host$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}]}, "type": "Anomaly", "search": "| mstats count(process.memory.utilization) as process.memory.utilization_count where `kubernetes_metrics` AND earliest=-1h by host.name k8s.cluster.name k8s.node.name process.pid process.executable.path process.executable.name | eval current=\"True\" | append [ mstats count(process.memory.utilization) as process.memory.utilization_count where `kubernetes_metrics` AND earliest=-30d latest=-1h by host.name k8s.cluster.name k8s.node.name process.pid process.executable.path process.executable.name ] | stats count values(current) as current by host.name k8s.cluster.name k8s.node.name process.pid process.executable.name process.executable.path | where count=1 and current=\"True\" | rename host.name as host | `kubernetes_process_running_from_new_path_filter` ", "how_to_implement": "To implement this detection, follow these steps:\n* Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster.\n* Enable the hostmetrics/process receiver in the OTEL configuration.\n* Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled.\n* Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247)\n* Configure the SIM add-on with your Observability Cloud Organization ID and Access Token.\n* Set up the SIM modular input to ingest Process Metrics. Name this input \"sim_process_metrics_to_metrics_index\".\n* In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID.\n* Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K')\n* Set the Metric Resolution to 10000.\n* Leave all other settings at their default values.\n* Run the Search Baseline Of Kubernetes Container Network IO Ratio ", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kubernetes_metrics", "definition": "index=kubernetes_metrics", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_process_running_from_new_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Process with Anomalous Resource Utilisation", "author": "Matthew Moore, Splunk", "date": "2023-12-18", "version": 1, "id": "25ca9594-7a0d-4a95-a5e5-3228d7398ec8", "description": "This analytic identifies high resource utilization anomalies in Kubernetes processes. It uses process metrics from an OTEL collector and hostmetrics receiver, fetched from Splunk Observability cloud via the Splunk Infrastructure Monitoring Add-on. The detection uses a lookup table with average and standard deviation values for various process metrics to identify anomalies. High resource utilization can indicate security threats or operational issues, such as cryptojacking, unauthorized data exfiltration, or compromised containers. These anomalies can disrupt services, exhaust resources, increase costs, and allow attackers to evade detection or maintain access.", "references": ["https://github.com/signalfx/splunk-otel-collector-chart"], "tags": {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Kubernetes Process with Anomalous Resource Utilisation on host $host$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}]}, "type": "Anomaly", "search": "| mstats avg(process.*) as process.* where `kubernetes_metrics` by host.name k8s.cluster.name k8s.node.name process.executable.name span=10s | eval key = 'k8s.cluster.name' + \":\" + 'host.name' + \":\" + 'process.executable.name' | lookup k8s_process_resource_baseline key | fillnull | eval anomalies = \"\" | foreach stdev_* [ eval anomalies =if( '<>' > ('avg_<>' + 4 * 'stdev_<>'), anomalies + \"<> higher than average by \" + tostring(round(('<>' - 'avg_<>')/'stdev_<>' ,2)) + \" Standard Deviations. <>=\" + tostring('<>') + \" avg_<>=\" + tostring('avg_<>') + \" 'stdev_<>'=\" + tostring('stdev_<>') + \", \" , anomalies) ] | eval anomalies = replace(anomalies, \",\\s$\", \"\") | where anomalies!=\"\" | stats count values(anomalies) as anomalies by host.name k8s.cluster.name k8s.node.name process.executable.name | sort - count | where count > 5 | rename host.name as host | `kubernetes_process_with_anomalous_resource_utilisation_filter` ", "how_to_implement": "To implement this detection, follow these steps:\n* Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster.\n* Enable the hostmetrics/process receiver in the OTEL configuration.\n* Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled.\n* Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247)\n* Configure the SIM add-on with your Observability Cloud Organization ID and Access Token.\n* Set up the SIM modular input to ingest Process Metrics. Name this input \"sim_process_metrics_to_metrics_index\".\n* In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID.\n* Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K')\n* Set the Metric Resolution to 10000.\n* Leave all other settings at their default values.\n* Run the Search Baseline Of Kubernetes Container Network IO Ratio ", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kubernetes_metrics", "definition": "index=kubernetes_metrics", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_process_with_anomalous_resource_utilisation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "k8s_process_resource_baseline", "description": "A place holder for a list of used Kuberntes Process Resource", "collection": "k8s_process_resource_baseline", "case_sensitive_match": null, "fields_list": "host.name, k8s.cluster.name, k8s.node.name, process.executable.name, avg_process.cpu.time, avg_process.cpu.utilization, avg_process.disk.io, avg_process.disk.operations, avg_process.memory.usage, avg_process.memory.utilization, avg_process.memory.virtual, avg_process.threads, stdev_process.cpu.time, stdev_process.cpu.utilization, stdev_process.disk.io, stdev_process.disk.operations, stdev_process.memory.usage, stdev_process.memory.utilization, stdev_process.memory.virtual, stdev_process.threads, key"}]}, {"name": "Kubernetes Process with Resource Ratio Anomalies", "author": "Matthew Moore, Splunk", "date": "2023-12-18", "version": 1, "id": "0d42b295-0f1f-4183-b75e-377975f47c65", "description": "This analytic detects anomalously changes in the ratio between specific process resources on a Kubernetes node, based on the past behavior for each process running in the Kubernetes scope on that node. This detection leverages process metrics harvested using an OTEL collector and hostmetrics receiver, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247). This detection also leverages a lookup table that contains average and standard deviation for the cpu:disk operations, cpu:mem, cpu:thread count, disk operations:thread count, and mem:disk operations ratios. This is used to indicate an anomalous change in resource ratios that indicate the workload has changed behavior irrespective of load. Changes in the relationship between utilization of different resources can indicate a change in behavior of the monitored process, which can indicate a potentially compromised application. Deviations in resource ratios, such as memory-to-CPU or CPU-to-disk utilization, may signify compromised processes, malicious activity, or misconfigurations that could pose risks. A change in process behavior could signify a potential security breach within the Kubernetes environment, where an attacker may have compromised a process either on the node or running within a container.", "references": ["https://github.com/signalfx/splunk-otel-collector-chart"], "tags": {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Kubernetes Process with Resource Ratio Anomalies on host $host$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}]}, "type": "Anomaly", "search": "| mstats avg(process.*) as process.* where `kubernetes_metrics` by host.name k8s.cluster.name k8s.node.name process.executable.name span=10s | eval cpu:mem = 'process.cpu.utilization'/'process.memory.utilization' | eval cpu:disk = 'process.cpu.utilization'/'process.disk.operations' | eval mem:disk = 'process.memory.utilization'/'process.disk.operations' | eval cpu:threads = 'process.cpu.utilization'/'process.threads' | eval disk:threads = 'process.disk.operations'/'process.threads' | eval key = 'k8s.cluster.name' + \":\" + 'host.name' + \":\" + 'process.executable.name' | lookup k8s_process_resource_ratio_baseline key | fillnull | eval anomalies = \"\" | foreach stdev_* [ eval anomalies =if( '<>' > ('avg_<>' + 4 * 'stdev_<>'), anomalies + \"<> ratio higher than average by \" + tostring(round(('<>' - 'avg_<>')/'stdev_<>' ,2)) + \" Standard Deviations. <>=\" + tostring('<>') + \" avg_<>=\" + tostring('avg_<>') + \" 'stdev_<>'=\" + tostring('stdev_<>') + \", \" , anomalies) ] | eval anomalies = replace(anomalies, \",\\s$\", \"\") | where anomalies!=\"\" | stats count values(anomalies) as anomalies by host.name k8s.cluster.name k8s.node.name process.executable.name | where count > 5 | rename host.name as host | `kubernetes_process_with_resource_ratio_anomalies_filter`", "how_to_implement": "To implement this detection, follow these steps:\n* Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster.\n* Enable the hostmetrics/process receiver in the OTEL configuration.\n* Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled.\n* Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247)\n* Configure the SIM add-on with your Observability Cloud Organization ID and Access Token.\n* Set up the SIM modular input to ingest Process Metrics. Name this input \"sim_process_metrics_to_metrics_index\".\n* In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID.\n* Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K')\n* Set the Metric Resolution to 10000.\n* Leave all other settings at their default values.\n* Run the Search Baseline Of Kubernetes Container Network IO Ratio ", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kubernetes_metrics", "definition": "index=kubernetes_metrics", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_process_with_resource_ratio_anomalies_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "k8s_process_resource_ratio_baseline", "description": "A place holder for a list of used Kuberntes Process Ratios", "collection": "k8s_process_resource_ratio_baseline", "case_sensitive_match": null, "fields_list": "key, avg_cpu:mem, stdev_cpu:mem, avg_cpu:disk, stdev_cpu:disk, avg_mem:disk, stdev_mem:disk, avg_cpu:threads, stdev_cpu:threads, avg_disk:threads, avg_disk:threads, count, last_seen"}]}, {"name": "Kubernetes Scanner Image Pulling", "author": "Patrick Bareiss, Splunk", "date": "2024-05-20", "version": 2, "id": "4890cd6b-0112-4974-a272-c5c153aee551", "description": "The following analytic detects the pulling of known Kubernetes security scanner images such as kube-hunter, kube-bench, and kube-recon. It leverages Kubernetes logs ingested through Splunk Connect for Kubernetes, specifically monitoring for messages indicating the pulling of these images. This activity is significant because the use of security scanners can indicate an attempt to identify vulnerabilities within the Kubernetes environment. If confirmed malicious, this could lead to the discovery and exploitation of security weaknesses, potentially compromising the entire Kubernetes cluster.", "references": ["https://github.com/splunk/splunk-connect-for-kubernetes"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Kubernetes Scanner image pulled on host $host$", "risk_score": 81, "security_domain": "network", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1526", "mitre_attack_technique": "Cloud Service Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "`kube_objects_events` object.message IN (\"Pulling image *kube-hunter*\", \"Pulling image *kube-bench*\", \"Pulling image *kube-recon*\", \"Pulling image *kube-recon*\") | rename object.* AS * | rename involvedObject.* AS * | rename source.host AS host | eval phase=\"operate\" | eval severity=\"high\" | stats min(_time) as firstTime max(_time) as lastTime count by host, name, namespace, kind, reason, message, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `kubernetes_scanner_image_pulling_filter`", "how_to_implement": "You must ingest Kubernetes logs through Splunk Connect for Kubernetes.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "kube_objects_events", "definition": "sourcetype=kube:objects:events", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "kubernetes_scanner_image_pulling_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Scanning by Unauthenticated IP Address", "author": "Patrick Bareiss, Splunk", "date": "2023-12-07", "version": 1, "id": "f9cadf4e-df22-4f4e-a08f-9d3344c2165d", "description": "This detection rule is designed to identify potential scanning activities within a Kubernetes environment. Scanning is a common preliminary step in an attack, where the attacker tries to gather information about the system to find potential vulnerabilities. In the context of Kubernetes, scanning could involve activities like unauthorized access attempts, probing public APIs, or trying to exploit known vulnerabilities. This rule triggers an alert when such suspicious activities are detected, helping to ensure the security of your Kubernetes infrastructure.", "references": ["https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/"], "tags": {"analytic_story": ["Kubernetes Security"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Kubernetes scanning from ip $src_ip$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1046", "mitre_attack_technique": "Network Service Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "APT41", "BackdoorDiplomacy", "BlackTech", "Chimera", "Cobalt Group", "DarkVishnya", "FIN13", "FIN6", "Fox Kitten", "Lazarus Group", "Leafminer", "Magic Hound", "Naikon", "OilRig", "Rocke", "Suckfly", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "menuPass"]}]}, "type": "Anomaly", "search": "`kube_audit` \"user.groups{}\"=\"system:unauthenticated\" \"responseStatus.code\"=403 | iplocation sourceIPs{} | stats count values(userAgent) as userAgent values(user.username) as user.username values(user.groups{}) as user.groups{} values(verb) as verb values(requestURI) as requestURI values(responseStatus.code) as responseStatus.code values(responseStatus.message) as responseStatus.message values(responseStatus.reason) as responseStatus.reason values(responseStatus.status) as responseStatus.status by sourceIPs{} Country City | where count > 5 | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_scanning_by_unauthenticated_ip_address_filter` ", "how_to_implement": "You must ingest Kubernetes audit logs.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kube_audit", "definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_scanning_by_unauthenticated_ip_address_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Shell Running on Worker Node", "author": "Matthew Moore, Splunk", "date": "2023-12-18", "version": 1, "id": "efebf0c4-dcf4-496f-85a2-5ab7ad8fa876", "description": "This analytic identifies shell activity within the Kubernetes privilege scope on a worker node, returning a list of shell processes regardless of CPU resource consumption. It uses process metrics from an OTEL collector hostmetrics receiver, pulled from Splunk Observability cloud via the Splunk Infrastructure Monitoring Add-on. Metrics used are process.cpu.utilization and process.memory.utilization. Shell processes can indicate unauthorized or suspicious activity, posing a security threat. Shell access to worker nodes can provide attackers an entry point to compromise the node and the entire Kubernetes cluster. Monitoring and detecting shell processes is crucial for anomaly identification, security policy enforcement, and breach mitigation. Unauthorized shell processes on a Kubernetes worker node can severely compromise the cluster's security and integrity. Such access can lead to data theft, service disruption, privilege escalation, lateral movement, and further attacks within the cluster. It may also enable attackers to manipulate configurations, deploy malicious containers, and execute arbitrary code, posing a severe risk to the confidentiality, availability, and integrity of applications and sensitive data.", "references": ["https://github.com/signalfx/splunk-otel-collector-chart/tree/main"], "tags": {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Kubernetes shell running on worker node on host $host$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}]}, "type": "Anomaly", "search": "| mstats avg(process.cpu.utilization) as process.cpu.utilization avg(process.memory.utilization) as process.memory.utilization where `kubernetes_metrics` AND process.executable.name IN (\"sh\",\"bash\",\"csh\", \"tcsh\") by host.name k8s.cluster.name k8s.node.name process.pid process.executable.name span=10s | search process.cpu.utilization>0 OR process.memory.utilization>0 | stats avg(process.cpu.utilization) as process.cpu.utilization avg(process.memory.utilization) as process.memory.utilization by host.name k8s.cluster.name k8s.node.name process.pid process.executable.name | rename host.name as host | `kubernetes_shell_running_on_worker_node_filter` ", "how_to_implement": "To implement this detection, follow these steps:\n* Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster.\n* Enable the hostmetrics/process receiver in the OTEL configuration.\n* Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled.\n* Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247)\n* Configure the SIM add-on with your Observability Cloud Organization ID and Access Token.\n* Set up the SIM modular input to ingest Process Metrics. Name this input \"sim_process_metrics_to_metrics_index\".\n* In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID.\n* Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K')\n* Set the Metric Resolution to 10000.\n* Leave all other settings at their default values.\n* Run the Search Baseline Of Kubernetes Container Network IO Ratio ", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kubernetes_metrics", "definition": "index=kubernetes_metrics", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_shell_running_on_worker_node_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Shell Running on Worker Node with CPU Activity", "author": "Matthew Moore, Splunk", "date": "2023-12-18", "version": 1, "id": "cc1448e3-cc7a-4518-bc9f-2fa48f61a22b", "description": "This analytic identifies shell activity within the Kubernetes privilege scope on a worker node. It returns shell processes only if they're consuming CPU resources. The detection uses process metrics from an OTEL collector hostmetrics receiver, pulled from Splunk Observability cloud via the Splunk Infrastructure Monitoring Add-on. The metrics used are process.cpu.utilization and process.memory.utilization. Shell processes can indicate unauthorized activity, posing a security threat. Attackers could compromise the node and the entire Kubernetes cluster via shell access to worker nodes. Monitoring shell processes is crucial for anomaly detection, policy enforcement, and breach mitigation. Unauthorized shell processes on a Kubernetes worker node could severely impact the cluster's security and integrity. Attackers could gain full control over the host's resources and file system, compromising all hosted workloads and data. This access could lead to data theft, service disruption, privilege escalation, lateral movement, and further attacks within the cluster. Attackers could also manipulate configurations, deploy malicious containers, and execute arbitrary code, severely risking the confidentiality, availability, and integrity of applications and sensitive data. A rapid and comprehensive incident response is required to mitigate and recover from such a breach.", "references": ["https://github.com/signalfx/splunk-otel-collector-chart/tree/main"], "tags": {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Kubernetes shell with cpu activity running on worker node on host $host$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}]}, "type": "Anomaly", "search": "| mstats avg(process.cpu.utilization) as process.cpu.utilization avg(process.memory.utilization) as process.memory.utilization where `kubernetes_metrics` AND process.executable.name IN (\"sh\",\"bash\",\"csh\", \"tcsh\") by host.name k8s.cluster.name k8s.node.name process.pid process.executable.name span=10s | search process.cpu.utilization>0 | stats avg(process.cpu.utilization) as process.cpu.utilization avg(process.memory.utilization) as process.memory.utilization by host.name k8s.cluster.name k8s.node.name process.pid process.executable.name | rename host.name as host | `kubernetes_shell_running_on_worker_node_with_cpu_activity_filter` ", "how_to_implement": "To implement this detection, follow these steps:\n* Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster.\n* Enable the hostmetrics/process receiver in the OTEL configuration.\n* Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled.\n* Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247)\n* Configure the SIM add-on with your Observability Cloud Organization ID and Access Token.\n* Set up the SIM modular input to ingest Process Metrics. Name this input \"sim_process_metrics_to_metrics_index\".\n* In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID.\n* Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K')\n* Set the Metric Resolution to 10000.\n* Leave all other settings at their default values.\n* Run the Search Baseline Of Kubernetes Container Network IO Ratio ", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kubernetes_metrics", "definition": "index=kubernetes_metrics", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_shell_running_on_worker_node_with_cpu_activity_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Suspicious Image Pulling", "author": "Patrick Bareiss, Splunk", "date": "2023-12-07", "version": 1, "id": "4d3a17b3-0a6d-4ae0-9421-46623a69c122", "description": "The following analytic detects instances of suspicious image pulling in Kubernetes. It identifies this behavior by monitoring Kubernetes audit logs for image pull requests that do not match a predefined list of allowed images. This behavior is worth identifying for a SOC as it could indicate an attacker attempting to deploy malicious software or infiltrate the system. The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data.", "references": ["https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/"], "tags": {"analytic_story": ["Kubernetes Security"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Suspicious image $objectRef.name$ pulled in Kubernetes from ip $src_ip$ by user $user$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1526", "mitre_attack_technique": "Cloud Service Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "`kube_audit` requestObject.message=\"Pulling image*\" | search NOT `kube_allowed_images` | fillnull | stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} user.uid user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_suspicious_image_pulling_filter` ", "how_to_implement": "The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kube_allowed_images", "definition": "objectRef.name IN (*splunk*, *falco*)", "description": "Define your images which are allowed to connect to your kubernetes cluster."}, {"name": "kube_audit", "definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_suspicious_image_pulling_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Unauthorized Access", "author": "Patrick Bareiss, Splunk", "date": "2023-12-07", "version": 1, "id": "9b5f1832-e8b9-453f-93df-07a3d6a72a45", "description": "The following analytic detects unauthorized access to Kubernetes by monitoring Kubernetes audit logs. It identifies anomalies in access patterns by segmenting and analyzing the source of requests. Unauthorized access is worth identifying for a SOC as it could indicate an attacker attempting to infiltrate the system. The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data.", "references": ["https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/"], "tags": {"analytic_story": ["Kubernetes Security"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Unauthorized access to Kubernetes from user $user$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}]}, "type": "Anomaly", "search": "`kube_audit` verb=create responseStatus.reason=Forbidden | fillnull | stats count by objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code responseStatus.message sourceIPs{} stage user.groups{} user.uid user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_unauthorized_access_filter` ", "how_to_implement": "The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kube_audit", "definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_unauthorized_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Add App Role Assignment Grant User", "author": "Rod Soto, Splunk", "date": "2023-07-11", "version": 2, "id": "b2c81cc6-6040-11eb-ae93-0242ac130002", "description": "This search is designed to detect the creation of a new Federation setting by alerting on a specific event associated with its creation. By monitoring for this event, the search can identify any instances where a Federation setting is being created within the system. This can help in detecting and monitoring any unauthorized or suspicious changes to the Federation settings, providing an additional layer of security for your environment.", "references": ["https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a"], "tags": {"analytic_story": ["Cloud Federated Credential Abuse", "Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "User $user$ has created a new federation setting $modified_properties_name$ on $dest$", "risk_score": 18, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider", "Scattered Spider"]}]}, "type": "TTP", "search": "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Add app role assignment grant to user.\" | stats count min(_time) as firstTime max(_time) as lastTime values(Actor{}.ID) as Actor.ID values(Actor{}.Type) as Actor.Type values(ModifiedProperties{}.Name) as modified_properties_name by user dest ResultStatus Operation | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_add_app_role_assignment_grant_user_filter`", "how_to_implement": "You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity", "known_false_positives": "The creation of a new Federation is not necessarily malicious, however this events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a different cloud provider.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_add_app_role_assignment_grant_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Added Service Principal", "author": "Rod Soto, Splunk", "date": "2023-08-02", "version": 3, "id": "1668812a-6047-11eb-ae93-0242ac130002", "description": "The following analytic detects addition of new service principal accounts added to O365 tenants. Attackers can abuse service principals in Office 365 (now known as Microsoft 365) to gain unauthorized access and perform malicious actions within an organization's environment. Service principals are essentially non-human accounts used by applications, services, or scripts to access resources and interact with APIs on behalf of the organization.", "references": ["https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", "https://blog.sygnia.co/detection-and-hunting-of-golden-saml-attack?hsLang=en"], "tags": {"analytic_story": ["Cloud Federated Credential Abuse", "NOBELIUM Group", "Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}], "message": "User $src_user$ has created new service principal $new_value$ in AzureActiveDirectory", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider", "Scattered Spider"]}]}, "type": "TTP", "search": "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"*Add service principal*\" OR (Operation = \"*principal*\" AND action = \"created\") | stats count values(ModifiedProperties{}.NewValue) as new_value by src_user src_user_type action Operation authentication_service Workload | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_added_service_principal_filter`", "how_to_implement": "You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity", "known_false_positives": "The creation of a new Federation is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a different cloud provider.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_added_service_principal_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Admin Consent Bypassed by Service Principal", "author": "Mauricio Velazco, Splunk", "date": "2024-02-09", "version": 1, "id": "8a1b22eb-50ce-4e26-a691-97ff52349569", "description": "This detection targets situations where a service principal in Office 365 Azure Active Directory assigns app roles without the standard admin consent, a potential security breach. Using o365_management_activity logs, it examines the 'Add app role assignment to service principal' operation, focusing on service principals and extracting details like role ID and description. This is critical for SOCs to detect potential bypassing of crucial administrative controls, which could lead to unauthorized access or privilege escalation. A true positive implies a service principal might be misusing automated processes to assign sensitive permissions.", "references": ["https://attack.mitre.org/techniques/T1098/003/", "https://msrc.microsoft.com/blog/2024/01/microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/", "https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/", "https://attack.mitre.org/techniques/T1098/002/", "https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/", "https://winsmarts.com/how-to-grant-admin-consent-to-an-api-programmatically-e32f4a100e9d"], "tags": {"analytic_story": ["Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest_user", "type": "User", "role": ["Victim"]}], "message": "Service principal $src_user$ bypassed the admin consent process and granted permissions to $dest_user$", "risk_score": 54, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098.003", "mitre_attack_technique": "Additional Cloud Roles", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}]}, "type": "TTP", "search": "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Add app role assignment to service principal.\" | eval len=mvcount('Actor{}.ID') | eval userType = mvindex('Actor{}.ID',len-1) | eval roleId = mvindex('ModifiedProperties{}.NewValue', 0) | eval roleValue = mvindex('ModifiedProperties{}.NewValue', 1) | eval roleDescription = mvindex('ModifiedProperties{}.NewValue', 2) | eval dest_user = mvindex('Target{}.ID', 0) | search userType = \"ServicePrincipal\" | eval src_user = user | stats count earliest(_time) as firstTime latest(_time) as lastTime by src_user dest_user roleId roleValue roleDescription | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_admin_consent_bypassed_by_service_principal_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Service Principals are sometimes configured to legitimately bypass the consent process for purposes of automation. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_admin_consent_bypassed_by_service_principal_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Advanced Audit Disabled", "author": "Mauricio Velazco, Michael Haag, Splunk", "date": "2023-09-19", "version": 1, "id": "49862dd4-9cb2-4c48-a542-8c8a588d9361", "description": "The following analytic identifies instances where the O365 advanced audit is disabled for a specific user within the Office 365 tenant. It leverages O365 audit logs, specifically events related to audit license changes or modifications within the AzureActiveDirectory workloads. The O365 advanced audit provides granular logging and insights into user and administrator activities, making it a crucial tool for security monitoring and incident response. Disabling this audit for a user can blind security teams to potential malicious or unauthorized activities related to that user's mailbox or account. Attackers may disable these audits to obscure their actions and reduce the chances of detection. If an attacker successfully disables the O365 advanced audit for a user, they can operate within that user's mailbox or account with reduced risk of detection. This can lead to unauthorized data access, data exfiltration, account compromise, or other malicious activities without leaving a detailed audit trail.", "references": ["https://attack.mitre.org/techniques/T1562/008/", "https://www.mandiant.com/sites/default/files/2022-08/remediation-hardening-strategies-for-m365-defend-against-apt29-white-paper.pdf", "https://www.csoonline.com/article/570381/microsoft-365-advanced-audit-what-you-need-to-know.html"], "tags": {"analytic_story": ["Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Advanced auditing for user $object$ was disabled by $user$", "risk_score": 32, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1562.008", "mitre_attack_technique": "Disable or Modify Cloud Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29"]}]}, "type": "TTP", "search": "`o365_management_activity` Operation=\"Change user license.\" | eval property_name = mvindex ('ExtendedProperties{}.Name', 1) | search property_name = \"extendedAuditEventCategory\" | eval additionalDetails = mvindex('ExtendedProperties{}.Value',0) | eval split_value=split(additionalDetails, \"NewValue\") | eval possible_plan=mvindex(split_value, 1) | rex field=\"possible_plan\" \"DisabledPlans=\\[(?P[^\\]]+)\\]\" | search DisabledPlans IN (\"*M365_ADVANCED_AUDITING*\") | stats min(_time) as firstTime max(_time) as lastTime by Operation user object DisabledPlans | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_advanced_audit_disabled_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Administrators might temporarily disable the advanced audit for troubleshooting, performance reasons, or other administrative tasks. Filter as needed.", "datamodel": ["Change"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_advanced_audit_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Application Registration Owner Added", "author": "Mauricio Velazco, Splunk", "date": "2023-09-07", "version": 1, "id": "c068d53f-6aaa-4558-8011-3734df878266", "description": "The following analytic identifies instances where a new owner is assigned to an application registration within an Azure AD and Office 365 tenant. It leverages O365 audit logs, specifically events related to changes in owner assignments within the AzureActiveDirectory workload for application registrations. Assigning a new owner to an application registration can grant significant control over the application's configuration, permissions, and behavior. An unauthorized or inadvertent change in ownership can lead to misuse of the application, potentially affecting data access, user permissions, or the application's interactions within the tenant. Monitoring for such changes ensures that only legitimate and authorized personnel have control over application registrations. If an attacker successfully assigns themselves or a compromised account as an owner to an application registration, they can modify the application's settings, permissions, and behavior. This can lead to unauthorized data access, escalation of privileges, or the introduction of malicious behavior within the application's operations", "references": ["https://attack.mitre.org/techniques/T1098/", "https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/overview-assign-app-owners"], "tags": {"analytic_story": ["NOBELIUM Group", "Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Application registration $app_displayName$ was assigned a new owner $object$", "risk_score": 30, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}]}, "type": "TTP", "search": "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Add owner to application.\" | eval app_id=mvindex('ModifiedProperties{}.NewValue', 0) | eval app_displayName=mvindex('ModifiedProperties{}.NewValue', 1) | stats max(_time) as lastTime values(ModifiedProperties{}.NewValue) by Operation, user, app_displayName, object | `security_content_ctime(lastTime)` | `o365_application_registration_owner_added_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Application owners may be added for legitimate reasons, filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_application_registration_owner_added_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 ApplicationImpersonation Role Assigned", "author": "Mauricio Velazco, Splunk", "date": "2023-10-17", "version": 1, "id": "49cdce75-f814-4d56-a7a4-c64ec3a481f2", "description": "The following analytic identifies the assignment of the ApplicationImpersonation role in Office 365, either to a user or an application. This analytic leverages the Office 365 Management Activity API, specifically monitoring for events related to role assignments and changes within the Azure Active Directory audit logs. The ApplicationImpersonation role allows a security principal to impersonate any user within the organization and perform actions on their behalf, such as accessing or modifying their mailbox. This role, if misused or granted inappropriately, can pose a significant security risk. Monitoring the assignment of this role is crucial as it can be an indicator of potential malicious activity or misconfigurations. If an attacker successfully assigns the ApplicationImpersonation role to a malicious user or application, they can gain the ability to impersonate any user within the organization. This can lead to unauthorized access to sensitive information, manipulation of mailbox data, and other malicious actions. The attacker can effectively masquerade as a legitimate user, making their actions harder to detect and potentially causing significant harm to the organization.", "references": ["https://attack.mitre.org/techniques/T1098/002/", "https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452", "https://www.mandiant.com/media/17656"], "tags": {"analytic_story": ["NOBELIUM Group", "Office 365 Collection Techniques", "Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "target_user", "type": "User", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "$user$ granted the ApplicationImpersonation role to $target_user$", "risk_score": 56, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1098.002", "mitre_attack_technique": "Additional Email Delegate Permissions", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "Magic Hound"]}]}, "type": "TTP", "search": "`o365_management_activity` Workload=Exchange Operation=\"New-ManagementRoleAssignment\" Role=ApplicationImpersonation | rename User as target_user | stats max(_time) as lastTime by Operation, user, object, ObjectId, Role, target_user | `security_content_ctime(lastTime)` | `o365_applicationimpersonation_role_assigned_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "While infrequent, the ApplicationImpersonation role may be granted for leigimate reasons, filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_applicationimpersonation_role_assigned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Block User Consent For Risky Apps Disabled", "author": "Mauricio Velazco, Splunk", "date": "2023-10-26", "version": 1, "id": "12a23592-e3da-4344-8545-205d3290647c", "description": "This analytic detects when the \"risk-based step-up consent\" security setting in Microsoft 365 is disabled. This setting, when enabled, prevents regular users from granting consent to potentially malicious OAuth applications, requiring an administrative \"step-up\" for consent instead. Disabling this feature could expose the organization to OAuth phishing threats.The detection operates by monitoring Azure Active Directory logs for events where the \"Update authorization policy\" operation is performed. It specifically looks for changes to the \"AllowUserConsentForRiskyApps\" setting, identifying instances where this setting is switched to \"true,\" effectively disabling the risk-based step-up consent. Monitoring for changes to critical security settings like the \"risk-based step-up consent\" is vital for maintaining the integrity of an organization's security posture. Disabling this feature can make the environment more susceptible to OAuth phishing attacks, where attackers trick users into granting permissions to malicious applications. Identifying when this setting is disabled can help blue teams to quickly respond, investigate, and potentially uncover targeted phishing campaigns against their users. If an attacker successfully disables the \"risk-based step-up consent\" and subsequently launches an OAuth phishing campaign, they could gain unauthorized access to user data and other sensitive information within the M365 environment. This could lead to data breaches, unauthorized access to emails, and potentially further compromise within the organization.", "references": ["https://attack.mitre.org/techniques/T1562/", "https://goodworkaround.com/2020/10/19/a-look-behind-the-azure-ad-permission-classifications-preview/", "https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-risk-based-step-up-consent", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth"], "tags": {"analytic_story": ["Office 365 Account Takeover"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Risk-based step-up consent security setting was disabled by $user$", "risk_score": 30, "security_domain": "audit", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "TTP", "search": "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Update authorization policy.\" | eval index_number = if(mvfind('ModifiedProperties{}.Name', \"AllowUserConsentForRiskyApps\") >= 0, mvfind('ModifiedProperties{}.Name', \"AllowUserConsentForRiskyApps\"), -1) | search index_number >= 0 | eval AllowUserConsentForRiskyApps = mvindex('ModifiedProperties{}.NewValue',index_number) | where AllowUserConsentForRiskyApps like \"%true%\" | stats count min(_time) as firstTime max(_time) as lastTime by user, Operation, AllowUserConsentForRiskyApps, user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_block_user_consent_for_risky_apps_disabled_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Legitimate changes to the 'risk-based step-up consent' setting by administrators, perhaps as part of a policy update or security assessment, may trigger this alert, necessitating verification of the change's intent and authorization.", "datamodel": ["Risk"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_block_user_consent_for_risky_apps_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Bypass MFA via Trusted IP", "author": "Bhavin Patel, Mauricio Velazco, Splunk", "date": "2022-02-03", "version": 3, "id": "c783dd98-c703-4252-9e8a-f19d9f66949e", "description": "This analytic identifies instances where new IP addresses are added to the trusted IPs list in Office 365, potentially allowing users from these IPs to bypass Multi-Factor Authentication (MFA) during login. The detection leverages O365 audit logs, specifically focusing on events related to the modification of trusted IP settings. By monitoring these logs, the analytic captures and alerts on any addition of new trusted IPs. Adding trusted IPs to bypass MFA is a significant security concern. While there might be legitimate reasons to add trusted IPs, such as for a new office location, there's also a risk of attackers or malicious insiders using this to facilitate unauthorized access. Monitoring for changes to the trusted IP list helps ensure that any attempt to bypass MFA is legitimate and authorized. If the detection is a true positive, it suggests that users logging in from the newly added trusted IP can bypass MFA, potentially weakening the security posture of the organization. This could lead to unauthorized access, especially if the IP was added maliciously. Immediate investigation is required to validate the legitimacy of the IP addition and to assess potential security implications.", "references": ["https://i.blackhat.com/USA-20/Thursday/us-20-Bienstock-My-Cloud-Is-APTs-Cloud-Investigating-And-Defending-Office-365.pdf", "https://attack.mitre.org/techniques/T1562/007/", "https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings"], "tags": {"analytic_story": ["Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "ip_addresses_new_added", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_id", "type": "User", "role": ["Victim"]}], "message": "User $user_id$ has added new IP addresses $ip_addresses_new_added$ to a list of trusted IPs to bypass MFA", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.007", "mitre_attack_technique": "Disable or Modify Cloud Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "TTP", "search": "`o365_management_activity` Operation=\"Set Company Information.\" ModifiedProperties{}.Name=StrongAuthenticationPolicy | rex max_match=100 field=ModifiedProperties{}.NewValue \"(?\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\/\\d{1,2})\" | rex max_match=100 field=ModifiedProperties{}.OldValue \"(?\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\/\\d{1,2})\" | eval ip_addresses_old=if(isnotnull(ip_addresses_old),ip_addresses_old,\"0\") | mvexpand ip_addresses_new_added | where isnull(mvfind(ip_addresses_old,ip_addresses_new_added)) |stats count min(_time) as firstTime max(_time) as lastTime values(ip_addresses_old) as ip_addresses_old by user ip_addresses_new_added Operation Workload vendor_account status user_id action | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `o365_bypass_mfa_via_trusted_ip_filter`", "how_to_implement": "You must install Splunk Microsoft Office 365 add-on. This search works with o365:management:activity", "known_false_positives": "Unless it is a special case, it is uncommon to continually update Trusted IPs to MFA configuration.", "datamodel": ["Authentication"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_bypass_mfa_via_trusted_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Compliance Content Search Exported", "author": "Mauricio Velazco, Splunk", "date": "2024-04-01", "version": 1, "id": "2ce9f31d-ab4f-4179-b2b7-c77a9652e1d8", "description": "This detection targets activities where the results of a content search within the Office 365 Security and Compliance Center are exported, a crucial phase in the compliance and investigative workflows. By focusing on the SearchExported operation logged under the SecurityComplianceCenter workload in the o365_management_activity, this analytic flags instances that potentially move sensitive or critical organizational data outside its original storage locations.", "references": ["https://attack.mitre.org/techniques/T1114/002/", "https://learn.microsoft.com/en-us/purview/ediscovery-content-search-overview", "https://learn.microsoft.com/en-us/purview/ediscovery-keyword-queries-and-search-conditions", "https://learn.microsoft.com/en-us/purview/ediscovery-search-for-activities-in-the-audit-log"], "tags": {"analytic_story": ["Office 365 Collection Techniques"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A new compliance content search export was started by $user$", "risk_score": 42, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1114", "mitre_attack_technique": "Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Magic Hound", "Silent Librarian"]}, {"mitre_attack_id": "T1114.002", "mitre_attack_technique": "Remote Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "Chimera", "Dragonfly", "FIN4", "HAFNIUM", "Ke3chang", "Kimsuky", "Leafminer", "Magic Hound"]}]}, "type": "TTP", "search": " `o365_management_activity` Workload=SecurityComplianceCenter Operation=\"SearchExported\" | rename user_id as user | stats count earliest(_time) as firstTime latest(_time) as lastTime by Operation, ObjectId, ExchangeLocations, user, Query |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `o365_compliance_content_search_exported_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Compliance content searche exports may be executed for legitimate purposes, filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_compliance_content_search_exported_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Compliance Content Search Started", "author": "Mauricio Velazco, Splunk", "date": "2024-04-01", "version": 1, "id": "f4cabbc7-c19a-4e41-8be5-98daeaccbb50", "description": "This detection will trigger when a content search is initiated within the Office 365 Security and Compliance Center, a critical component in the suite's governance, risk management, and compliance (GRC) capabilities. By monitoring the SearchCreated operation within the o365_management_activity logs, specifically under the SecurityComplianceCenter workload, this analytic flags the commencement of searches across the organization's data, including emails, documents, and more, that reside in ExchangeLocations.", "references": ["https://attack.mitre.org/techniques/T1114/002/", "https://learn.microsoft.com/en-us/purview/ediscovery-content-search-overview", "https://learn.microsoft.com/en-us/purview/ediscovery-keyword-queries-and-search-conditions", "https://learn.microsoft.com/en-us/purview/ediscovery-search-for-activities-in-the-audit-log"], "tags": {"analytic_story": ["Office 365 Collection Techniques"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A new compliance content search was started by $user$", "risk_score": 42, "security_domain": "audit", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1114", "mitre_attack_technique": "Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Magic Hound", "Silent Librarian"]}, {"mitre_attack_id": "T1114.002", "mitre_attack_technique": "Remote Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "Chimera", "Dragonfly", "FIN4", "HAFNIUM", "Ke3chang", "Kimsuky", "Leafminer", "Magic Hound"]}]}, "type": "TTP", "search": " `o365_management_activity` Workload=SecurityComplianceCenter Operation=SearchCreated | rename user_id as user | stats count earliest(_time) as firstTime latest(_time) as lastTime by Operation, ObjectId, ExchangeLocations, user, Query |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `o365_compliance_content_search_started_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Compliance content searches may be executed for legitimate purposes, filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_compliance_content_search_started_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Concurrent Sessions From Different Ips", "author": "Mauricio Velazco, Splunk", "date": "2023-12-04", "version": 1, "id": "58e034de-1f87-4812-9dc3-a4f68c7db930", "description": "The following analytic identies scenarios where the same user session is accessed from multiple IP addresses. This situation typically arises in an adversary-in-the-middle (AiTM) phishing attack, where attackers compromise user sessions. The detection method involves analyzing Azure Active Directory logs for 'UserLoggedIn' operations. It focuses on identifying sessions where the number of associated IP addresses exceeds one for the same SessionId. This pattern suggests potential unauthorized concurrent access, which is atypical under normal usage scenarios. If a true positive is identified, it implies that an adversary has gained unauthorized access to a user's Office 365 account. The ramifications of this can be significant, including data theft, account takeover, and launching of internal phishing campaigns.", "references": ["https://attack.mitre.org/techniques/T1185/", "https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokens/", "https://github.com/kgretzky/evilginx2"], "tags": {"analytic_story": ["Office 365 Account Takeover"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "ips", "type": "IP Address", "role": ["Attacker"]}], "message": "User $user$ has logged in with the same session id from more than one unique IP address", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1185", "mitre_attack_technique": "Browser Session Hijacking", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": []}]}, "type": "TTP", "search": " `o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoggedIn | stats min(_time) as firstTime max(_time) as lastTime values(src_ip) as ips values(user_agent) as user_agents by Operation, user, SessionId | where mvcount(ips) > 1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_concurrent_sessions_from_different_ips_filter`", "how_to_implement": "You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity", "known_false_positives": "Unknown", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_concurrent_sessions_from_different_ips_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Disable MFA", "author": "Rod Soto, Splunk", "date": "2022-02-03", "version": 2, "id": "c783dd98-c703-4252-9e8a-f19d9f5c949e", "description": "This analytic identifies instances where Multi-Factor Authentication (MFA) is disabled for a user within the Office 365 environment. Disabling MFA removes a critical security layer, making accounts more vulnerable to unauthorized access. The detection leverages O365 audit logs, specifically focusing on events related to MFA settings. By monitoring these logs, the analytic captures and alerts on any actions that result in the deactivation or disabling of MFA for a user. MFA is a cornerstone of modern security practices, providing an additional layer of protection beyond just a password. Disabling MFA, especially without a valid reason, poses a significant security risk. Attackers, after gaining initial access to an account, might disable MFA to ensure easier re-entry and persistence. Monitoring for such changes is crucial to detect potential security breaches and to ensure that security best practices are consistently applied. If the detection is a true positive, it indicates that a user's account is now at increased risk of unauthorized access, as the added security layer of MFA has been removed. This could be a sign of an attacker trying to maintain persistence or an insider threat. Immediate investigation is required to validate the reason for disabling MFA, potentially re-enable it, and assess any other suspicious activities related to the affected account.", "references": ["https://attack.mitre.org/techniques/T1556/"], "tags": {"analytic_story": ["Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $src_user$ has executed an operation $action$ for user $user$", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["FIN13"]}]}, "type": "TTP", "search": "`o365_management_activity` Operation=\"Disable Strong Authentication.\" | stats count earliest(_time) as firstTime latest(_time) as lastTime by UserType Operation UserId ResultStatus object | rename UserType AS user_type, Operation AS action, UserId AS src_user, object AS user, ResultStatus AS result | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_disable_mfa_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 add-on. This search works with o365:management:activity", "known_false_positives": "Unless it is a special case, it is uncommon to disable MFA or Strong Authentication", "datamodel": ["Authentication"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_disable_mfa_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Elevated Mailbox Permission Assigned", "author": "Patrick Bareiss, Mauricio Velazco, Splunk", "date": "2024-03-31", "version": 1, "id": "2246c142-a678-45f8-8546-aaed7e0efd30", "description": "This detection triggers on the assignment of elevated mailbox permissions within an Office 365 environment, specifically through the Add-MailboxPermission operation, as logged under the Exchange workload in the o365_management_activity. It is meticulously designed to spotlight instances where critical permissions such as FullAccess, ChangePermission, or ChangeOwner are granted, marking significant alterations in mailbox access controls.", "references": ["https://attack.mitre.org/techniques/T1098/002/", "https://learn.microsoft.com/en-us/powershell/module/exchange/add-mailboxpermission", "https://learn.microsoft.com/en-us/exchange/recipients/mailbox-permissions?view=exchserver-2019"], "tags": {"analytic_story": ["Office 365 Collection Techniques"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest_user", "type": "User", "role": ["Victim"]}], "message": "Elevated mailbox permissions were assigned on $dest_user$", "risk_score": 42, "security_domain": "audit", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1098.002", "mitre_attack_technique": "Additional Email Delegate Permissions", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "Magic Hound"]}]}, "type": "TTP", "search": " `o365_management_activity` Workload=Exchange Operation=Add-MailboxPermission | search (AccessRights=FullAccess OR AccessRights=ChangePermission OR AccessRights=ChangeOwner) | rename Identity AS dest_user | stats count earliest(_time) as firstTime latest(_time) as lastTime by user dest_user Operation AccessRights |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `o365_elevated_mailbox_permission_assigned_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "FullAccess mailbox delegation may be assigned for legitimate purposes, filter as needed.", "datamodel": ["Change"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_elevated_mailbox_permission_assigned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Excessive Authentication Failures Alert", "author": "Rod Soto, Splunk", "date": "2024-05-18", "version": 3, "id": "d441364c-349c-453b-b55f-12eccab67cf9", "description": "The following analytic identifies an excessive number of authentication failures, including failed attempts against MFA prompt codes. It uses data from the `o365_management_activity` dataset, focusing on events where the authentication status is marked as failure. This behavior is significant as it may indicate a brute force attack or an attempt to compromise user accounts. If confirmed malicious, this activity could lead to unauthorized access, data breaches, or further exploitation within the environment.", "references": ["https://attack.mitre.org/techniques/T1110/"], "tags": {"analytic_story": ["Office 365 Account Takeover"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ has caused excessive number of authentication failures from $src_ip$ using UserAgent $UserAgent$.", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "type": "Anomaly", "search": "`o365_management_activity` Workload=AzureActiveDirectory UserAuthenticationMethod=* status=failure | stats count earliest(_time) AS firstTime latest(_time) AS lastTime values(UserAuthenticationMethod) AS UserAuthenticationMethod values(UserAgent) AS UserAgent values(status) AS status values(src_ip) AS src_ip by user | where count > 10 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_excessive_authentication_failures_alert_filter`", "how_to_implement": "You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity", "known_false_positives": "The threshold for alert is above 10 attempts and this should reduce the number of false positives.", "datamodel": ["Authentication"], "source": "cloud", "nes_fields": null, "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_excessive_authentication_failures_alert_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Excessive SSO logon errors", "author": "Rod Soto, Splunk", "date": "2024-05-17", "version": 4, "id": "8158ccc4-6038-11eb-ae93-0242ac130002", "description": "The following analytic detects accounts experiencing a high number of Single Sign-On (SSO) logon errors. It leverages data from the `o365_management_activity` dataset, focusing on failed user login attempts with SSO errors. This activity is significant as it may indicate brute-force attempts or the hijacking/reuse of SSO tokens. If confirmed malicious, attackers could potentially gain unauthorized access to user accounts, leading to data breaches, privilege escalation, or further lateral movement within the organization.", "references": ["https://stealthbits.com/blog/bypassing-mfa-with-pass-the-cookie/"], "tags": {"analytic_story": ["Cloud Federated Credential Abuse", "Office 365 Account Takeover"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Excessive number of SSO logon errors from $src_ip$ using UserAgent $user_agent$.", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["FIN13"]}]}, "type": "Anomaly", "search": "`o365_management_activity` Workload=AzureActiveDirectory LogonError=*Sso* Operation=UserLoginFailed | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip signature user_agent authentication_service action| where count >= 5 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_excessive_sso_logon_errors_filter`", "how_to_implement": "You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity", "known_false_positives": "Logon errors may not be malicious in nature however it may indicate attempts to reuse a token or password obtained via credential access attack.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_excessive_sso_logon_errors_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 File Permissioned Application Consent Granted by User", "author": "Mauricio Velazco, Splunk", "date": "2023-10-18", "version": 1, "id": "6c382336-22b8-4023-9b80-1689e799f21f", "description": "This analytic identifies instances where a user in the Office 365 environment grants consent to an application that requests file permissions, specifically targeting OneDrive or SharePoint. Such permissions mean the application could potentially access, modify, or delete files stored within these services. The detection process leverages O365 audit logs, particularly focusing on events related to OAuth application consents. By examining these logs, the analytic is designed to capture and alert on any actions where users grant consent to applications requesting file-related permissions for OneDrive or SharePoint. The sensitivity of file permissions, especially in platforms as widely utilized as OneDrive and SharePoint, cannot be overstated. While many legitimate applications might require such permissions to operate, there's an inherent risk with malicious or overly permissive applications. Attackers could craft or exploit applications to gain file permissions, aiming to access, exfiltrate, or manipulate sensitive data housed in OneDrive or SharePoint. It's crucial for security operations centers to monitor these consents to ensure that only trustworthy applications gain access and that users aren't inadvertently granting permissions to potentially harmful applications. If this detection flags a true positive, it indicates that an application has been granted permissions that could allow it to interact with OneDrive or SharePoint files in potentially malicious ways. Such actions could lead to data breaches, data loss, or unauthorized data manipulation. Immediate investigation would be required to validate the application's legitimacy, understand the nature of its requested permissions, and assess the potential risks associated with the access it's been granted.", "references": ["https://attack.mitre.org/techniques/T1528/", "https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth", "https://www.alteredsecurity.com/post/introduction-to-365-stealer", "https://github.com/AlteredSecurity/365-Stealer"], "tags": {"analytic_story": ["Office 365 Account Takeover"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ consented an OAuth application that requests file-related permissions.", "risk_score": 40, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1528", "mitre_attack_technique": "Steal Application Access Token", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29"]}]}, "type": "TTP", "search": "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Consent to application.\" ResultStatus=Success | eval admin_consent =mvindex('ModifiedProperties{}.NewValue', 0) | search admin_consent=False | eval permissions =mvindex('ModifiedProperties{}.NewValue', 4) | rex field=permissions \"Scope: (?[^,]+)\" | makemv delim=\" \" Scope | search Scope IN (\"Files.Read\", \"Files.Read.All\", \"Files.ReadWrite\", \"Files.ReadWrite.All\", \"Files.ReadWrite.AppFolder\") | stats max(_time) as lastTime values(Scope) by Operation, user, object, ObjectId | `security_content_ctime(lastTime)` | `o365_file_permissioned_application_consent_granted_by_user_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "OAuth applications that require file permissions may be legitimate, investigate and filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_file_permissioned_application_consent_granted_by_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 FullAccessAsApp Permission Assigned", "author": "Mauricio Velazco, Splunk", "date": "2024-01-29", "version": 1, "id": "01a510b3-a6ac-4d50-8812-7e8a3cde3d79", "description": "The following analytic triggers on the assignment of the 'full_access_as_app' permission to an application registration in Office 365, specifically within Exchange Online. The 'full_access_as_app' permission, identified by its GUID 'dc890d15-9560-4a4c-9b7f-a736ec74ec40', allows an application extensive control over Office 365 operations, including access to all mailboxes and the ability to send mail as any user. The analytic focuses on the ResourceAppId '00000002-0000-0ff1-ce00-000000000000', pinpointing permissions granted to the Office 365 Exchange Online resource. By analyzing Office 365 management activity logs and filtering Azure Active Directory workload events, the query detects when this specific permission is assigned. Monitoring this assignment is vital due to the broad access it provides, which can lead to unauthorized data access or exfiltration if misused. A true positive detection requires immediate attention to prevent potential security risks like account compromise or data loss.", "references": ["https://msrc.microsoft.com/blog/2024/01/microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/", "https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/", "https://attack.mitre.org/techniques/T1098/002/"], "tags": {"analytic_story": ["NOBELIUM Group", "Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ assigned the full_access_as_app permission to the app registration $object$", "risk_score": 48, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098.002", "mitre_attack_technique": "Additional Email Delegate Permissions", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "Magic Hound"]}, {"mitre_attack_id": "T1098.003", "mitre_attack_technique": "Additional Cloud Roles", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}]}, "type": "TTP", "search": "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Update application.\" | eval newvalue = mvindex('ModifiedProperties{}.NewValue',0) | spath input=newvalue | search \"{}.ResourceAppId\"=\"00000002-0000-0ff1-ce00-000000000000\" \"{}.RequiredAppPermissions{}.EntitlementId\"=\"dc890d15-9560-4a4c-9b7f-a736ec74ec40\" | eval Permissions = '{}.RequiredAppPermissions{}.EntitlementId' | stats count earliest(_time) as firstTime latest(_time) as lastTime values(Permissions) by user, object, user_agent, Operation | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_fullaccessasapp_permission_assigned_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "The full_access_as_app API permission may be assigned to legitimate applications. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_fullaccessasapp_permission_assigned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 High Number Of Failed Authentications for User", "author": "Mauricio Velazco, Splunk", "date": "2023-10-10", "version": 1, "id": "31641378-2fa9-42b1-948e-25e281cb98f7", "description": "The following analytic identifies an O365 account that has experienced more than 20 failed authentication events within a span of 5 minutes. This could be indicative of an attacker attempting to brute force or guess the password for that particular user account. It leverages the O365 Unified Audit Logs, specifically the \"UserLoginFailed\" events. By monitoring the frequency and volume of these events for individual users, the analytic can flag accounts that exceed the set threshold of failed attempts within the defined timeframe. Multiple failed login attempts in a short period can be a strong indicator of malicious activity. While there could be benign reasons, such as a user forgetting their password, the rapid succession of failed attempts is often a sign of an attacker trying to gain unauthorized access. By detecting and alerting on this behavior, the SOC can quickly investigate and take appropriate action, potentially stopping an attack in its early stages. Given that environments differ across organizations, security teams should consider customizing the threshold of this detection to better suit their specific needs and risk profile. If an attacker successfully guesses or brute-forces a user's password after numerous attempts, they can gain unauthorized access to the O365 environment. This unauthorized access could allow them to view sensitive emails, documents, and other data.", "references": ["https://attack.mitre.org/techniques/T1110/", "https://attack.mitre.org/techniques/T1110/001/"], "tags": {"analytic_story": ["Office 365 Account Takeover"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "User $user$ failed to authenticate more than 10 times in the span of 5 minutes.", "risk_score": 35, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.001", "mitre_attack_technique": "Password Guessing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29"]}]}, "type": "TTP", "search": " `o365_management_activity` Operation=UserLoginFailed record_type=AzureActiveDirectoryStsLogon Workload=AzureActiveDirectory | bucket span=5m _time | stats dc(_raw) AS failed_attempts values(src_ip) as src_ip by user, _time | where failed_attempts > 10 | `o365_high_number_of_failed_authentications_for_user_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Although unusual, users who have lost their passwords may trigger this detection. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_high_number_of_failed_authentications_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 High Privilege Role Granted", "author": "Mauricio Velazco, Splunk", "date": "2023-10-20", "version": 1, "id": "e78a1037-4548-4072-bb1b-ad99ae416426", "description": "This analytic detects when high-privilege roles, specifically \"Exchange Administrator\", \"SharePoint Administrator\", or \"Global Administrator\", are granted within Office 365. By monitoring O365 audit logs for events where these administrative roles are assigned to any user or service account, the analytic provides insight into critical role changes. The assignment of these roles is of paramount importance to Security Operations Centers (SOCs) as they grant extensive permissions, allowing for broad access and control over critical organizational resources and data. An unexpected or unauthorized role assignment could indicate potential malicious activity, insider threats, or misconfigurations. If an attacker or unauthorized individual is granted one of these roles, the potential impact includes gaining significant control over O365 resources, accessing, modifying, or deleting critical data, making configuration changes, and potentially compromising the overall security and functionality of the O365 environment.", "references": ["https://attack.mitre.org/techniques/T1098/003/", "https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference", "https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/about-exchange-online-admin-role?view=o365-worldwide", "https://learn.microsoft.com/en-us/sharepoint/sharepoint-admin-role"], "tags": {"analytic_story": ["Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "$user$ granted high privilege roles to $ObjectId$", "risk_score": 48, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1098.003", "mitre_attack_technique": "Additional Cloud Roles", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}]}, "type": "TTP", "search": "`o365_management_activity` Operation=\"Add member to role.\" Workload=AzureActiveDirectory | eval role_id = mvindex('ModifiedProperties{}.NewValue',2) | eval role_name = mvindex('ModifiedProperties{}.NewValue',1) | where role_id IN (\"29232cdf-9323-42fd-ade2-1d097af3e4de\", \"f28a1f50-f6e7-4571-818b-6a12f2af6b6c\", \"62e90394-69f5-4237-9190-012177145e10\") | stats earliest(_time) as firstTime latest(_time) as lastTime by user Operation ObjectId role_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_high_privilege_role_granted_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Privilege roles may be assigned for legitimate purposes, filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_high_privilege_role_granted_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Mail Permissioned Application Consent Granted by User", "author": "Mauricio Velazco, Splunk", "date": "2023-10-12", "version": 1, "id": "fddad083-cdf5-419d-83c6-baa85e329595", "description": "The following analytic identifies instances where a user grants consent to an application that requests mail related permissions within the Office 365 environment. This could involve permissions to read, send, or manage mail settings. It leverages the O365 audit logs, specifically events related to application permissions and user consent actions. By filtering for mail-related permissions and user-granted consents, the analytic pinpoints potential security concerns. While many legitimate applications request mail permissions for valid reasons, malicious actors can exploit these permissions for data exfiltration, spear phishing, or other malicious activities. By monitoring for user-granted mail permissions, security teams can identify and review potentially risky consents, ensuring that only trusted applications have access to sensitive email data. If the detection is a true positive, it indicates that an application now has access to the users mail data as permitted. In the hands of a malicious actor, this could lead to unauthorized data access, email forwarding, or even the sending of malicious emails from the compromised account. Its crucial to validate the legitimacy of the application and the context of the consent to prevent potential data breaches or further malicious activities.", "references": ["https://attack.mitre.org/techniques/T1528/", "https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/", "https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/protect-against-consent-phishing", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth", "https://www.alteredsecurity.com/post/introduction-to-365-stealer", "https://github.com/AlteredSecurity/365-Stealer"], "tags": {"analytic_story": ["Office 365 Account Takeover"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ consented an OAuth application that requests mail-related permissions.", "risk_score": 40, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1528", "mitre_attack_technique": "Steal Application Access Token", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29"]}]}, "type": "TTP", "search": "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Consent to application.\" ResultStatus=Success | eval admin_consent =mvindex('ModifiedProperties{}.NewValue', 0) | search admin_consent=False | eval permissions =mvindex('ModifiedProperties{}.NewValue', 4) | rex field=permissions \"Scope: (?[^,]+)\" | makemv delim=\" \" Scope | search Scope IN (\"Mail.Read\", \"Mail.ReadBasic\", \"Mail.ReadWrite\", \"Mail.Read.Shared\", \"Mail.ReadWrite.Shared\", \"Mail.Send\", \"Mail.Send.Shared\") | stats max(_time) as lastTime values(Scope) by Operation, user, object, ObjectId | `security_content_ctime(lastTime)` | `o365_mail_permissioned_application_consent_granted_by_user_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "OAuth applications that require mail permissions may be legitimate, investigate and filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_mail_permissioned_application_consent_granted_by_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Mailbox Email Forwarding Enabled", "author": "Patrick Bareiss, Mauricio Velazco, Splunk", "date": "2024-03-26", "version": 1, "id": "0b6bc75c-05d1-4101-9fc3-97e706168f24", "description": "This detection is designed to identify instances where email forwarding has been enabled on mailboxes within an Office 365 environment. By monitoring for the specific operation Set-Mailbox within the o365_management_activity logs, this analytic hones in on changes made to mailbox configurations that initiate the forwarding of emails. It specifically looks for the activation of ForwardingAddress or ForwardingSmtpAddress parameters, indicating that emails are being automatically sent to another email address from the user's mailbox.", "references": ["https://attack.mitre.org/techniques/T1114/003/", "https://learn.microsoft.com/en-us/exchange/recipients/user-mailboxes/email-forwarding?view=exchserver-2019"], "tags": {"analytic_story": ["Office 365 Collection Techniques"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Email forwarding configured by $user$ on mailbox $ObjectId$", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1114", "mitre_attack_technique": "Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Magic Hound", "Silent Librarian"]}, {"mitre_attack_id": "T1114.003", "mitre_attack_technique": "Email Forwarding Rule", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Kimsuky", "LAPSUS$", "Silent Librarian"]}]}, "type": "TTP", "search": "`o365_management_activity` Operation=Set-Mailbox | eval match1=mvfind('Parameters{}.Name', \"ForwardingAddress\") | eval match2=mvfind('Parameters{}.Name', \"ForwardingSmtpAddress\") | where match1>= 0 OR match2>= 0 | eval ForwardTo=coalesce(ForwardingAddress, ForwardingSmtpAddress) | search ForwardTo!=\"\" | rename user_id as user | stats count earliest(_time) as firstTime latest(_time) as lastTime values(ForwardTo) as ForwardTo by user ObjectId |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `o365_mailbox_email_forwarding_enabled_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Email forwarding may be configured for legitimate purposes, filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_mailbox_email_forwarding_enabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Mailbox Folder Read Permission Assigned", "author": "Mauricio Velazco, Splunk", "date": "2024-03-29", "version": 1, "id": "1435475e-2128-4417-a34f-59770733b0d5", "description": "This detection is tailored to capture instances where read permissions are assigned to mailbox folders within an Office 365 environment, utilizing the operations ModifyFolderPermissions and AddFolderPermissions as captured in the o365_management_activity. Unlike other permission modifications, this detection excludes actions related to the Calendar, Contacts, and PersonMetadata objects, focusing on core mailbox folders.", "references": ["https://attack.mitre.org/techniques/T1098/002/", "https://learn.microsoft.com/en-us/openspecs/exchange_server_protocols/ms-oxodlgt/5610c6e6-3268-44e3-adff-8804f5315946", "https://learn.microsoft.com/en-us/purview/audit-mailboxes"], "tags": {"analytic_story": ["Office 365 Collection Techniques"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A folder was granted read permission by $user$", "risk_score": 42, "security_domain": "audit", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1098.002", "mitre_attack_technique": "Additional Email Delegate Permissions", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "Magic Hound"]}]}, "type": "TTP", "search": "`o365_management_activity` Workload=Exchange (Operation=ModifyFolderPermissions OR Operation=AddFolderPermissions) Workload=Exchange object!=Calendar object!=Contacts object!=PersonMetadata | eval isReadRole=if(match('Item.ParentFolder.MemberRights', \"(ReadAny)\"), \"true\", \"false\") | rename UserId as user | stats count earliest(_time) as firstTime latest(_time) as lastTime by Operation, user, object, Item.ParentFolder.MemberUpn, Item.ParentFolder.MemberRights | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_mailbox_folder_read_permission_assigned_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Mailbox folder permissions may be configured for legitimate purposes, filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_mailbox_folder_read_permission_assigned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Mailbox Folder Read Permission Granted", "author": "Mauricio Velazco, Splunk", "date": "2024-03-28", "version": 1, "id": "cd15c0a8-470e-4b12-9517-046e4927db30", "description": "This detection focuses on identifying changes in mailbox folder permissions within an Office 365 environment, specifically pinpointing instances where read permissions are granted. It monitors for two key operations Set-MailboxFolderPermission and Add-MailboxFolderPermission, as logged in the o365_management_activity. These operations are indicative of modifications or additions to the permissions of mailbox folders, potentially altering who can view or interact with the folder contents.", "references": ["https://attack.mitre.org/techniques/T1098/002/", "https://learn.microsoft.com/en-us/powershell/module/exchange/add-mailboxfolderpermission?view=exchange-ps", "https://learn.microsoft.com/en-us/powershell/module/exchange/set-mailboxfolderpermission?view=exchange-ps"], "tags": {"analytic_story": ["Office 365 Collection Techniques"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A folder was granted read permission by $user$", "risk_score": 42, "security_domain": "audit", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1098.002", "mitre_attack_technique": "Additional Email Delegate Permissions", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "Magic Hound"]}]}, "type": "TTP", "search": " `o365_management_activity` Workload=Exchange (Operation=\"Set-MailboxFolderPermission\" OR Operation=\"Add-MailboxFolderPermission\" ) | eval isReadRole=if(match(AccessRights, \"^(ReadItems|Author|NonEditingAuthor|Owner|PublishingAuthor|Reviewer)$\"), \"true\", \"false\") | search isReadRole=\"true\" | rename UserId as user | stats count earliest(_time) as firstTime latest(_time) as lastTime by Operation, user, Identity, AccessRights | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_mailbox_folder_read_permission_granted_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Mailbox folder permissions may be configured for legitimate purposes, filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_mailbox_folder_read_permission_granted_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Mailbox Inbox Folder Shared with All Users", "author": "Mauricio Velazco, Splunk", "date": "2023-09-07", "version": 1, "id": "21421896-a692-4594-9888-5faeb8a53106", "description": "The following analytic identifies instances where the inbox folder of a mailbox in Office 365 is shared with all users within the tenant. Sharing the inbox folder with all users is an unusual and risky configuration. Attackers have been known to exploit this setting to surreptitiously read a target user's emails from another account. Such unauthorized access can lead to data breaches, leakage of confidential information, or further compromise based on the information gathered from the emails. Monitoring for this configuration change ensures that inadvertent or malicious sharing is promptly identified and addressed. If an attacker successfully configures the inbox to be shared with all users, they can access and read all emails in the affected mailbox from any account within the tenant. This can lead to data exfiltration, spear-phishing attacks based on the information in the emails, or further malicious activities using sensitive information gathered from the mailbox.", "references": ["https://attack.mitre.org/techniques/T1114/002/", "https://www.mandiant.com/sites/default/files/2022-08/remediation-hardening-strategies-for-m365-defend-against-apt29-white-paper.pdf", "https://www.blackhillsinfosec.com/abusing-exchange-mailbox-permissions-mailsniper/", "https://learn.microsoft.com/en-us/purview/audit-mailboxes", "https://learn.microsoft.com/en-us/openspecs/exchange_server_protocols/ms-oxodlgt/5610c6e6-3268-44e3-adff-8804f5315946"], "tags": {"analytic_story": ["Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "MailboxOwnerUPN", "type": "User", "role": ["Victim"]}], "message": "Inbox folder for the $MailboxOwnerUPN$ mailbox was shared with all users.", "risk_score": 56, "security_domain": "access", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1114", "mitre_attack_technique": "Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Magic Hound", "Silent Librarian"]}, {"mitre_attack_id": "T1114.002", "mitre_attack_technique": "Remote Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "Chimera", "Dragonfly", "FIN4", "HAFNIUM", "Ke3chang", "Kimsuky", "Leafminer", "Magic Hound"]}]}, "type": "TTP", "search": "`o365_management_activity` Operation=ModifyFolderPermissions Workload=Exchange object=Inbox Item.ParentFolder.MemberUpn=Everyone | eval isReadRole=if(match('Item.ParentFolder.MemberRights', \"(ReadAny)\"), \"true\", \"false\") | search isReadRole = \"true\" | stats count earliest(_time) as firstTime latest(_time) as lastTime by Operation, UserId, object, MailboxOwnerUPN, Item.ParentFolder.MemberUpn, Item.ParentFolder.MemberRights | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_mailbox_inbox_folder_shared_with_all_users_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Administrators might temporarily share a mailbox with all users for legitimate reasons, such as troubleshooting, migrations, or other administrative tasks. Some organizations use shared mailboxes for teams or departments where multiple users need access to the same mailbox. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_mailbox_inbox_folder_shared_with_all_users_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Mailbox Read Access Granted to Application", "author": "Mauricio Velazco, Splunk", "date": "2023-09-01", "version": 1, "id": "27ab61c5-f08a-438a-b4d3-325e666490b3", "description": "The following analytic identifies instances where the Mail.Read Graph API permissions are granted to an application registration within an Office 365 tenant. It leverages O365 audit logs, specifically events related to changes in application permissions within the AzureActiveDirectory workload. The Mail.Read permission allows applications to access and read all emails within a user's mailbox. Emails often contain sensitive or confidential information, and unauthorized access can lead to data breaches or leakage. Monitoring the assignment of this permission ensures that only legitimate applications have such access and that any inadvertent or malicious assignments are promptly identified. If an attacker successfully grants this permission to a malicious or compromised application, they can read all emails in the affected mailboxes. This can lead to data exfiltration, spear-phishing attacks, or further compromise based on the information gathered from the emails.", "references": ["https://attack.mitre.org/techniques/T1098/003/", "https://attack.mitre.org/techniques/T1114/002/", "https://www.mandiant.com/sites/default/files/2022-08/remediation-hardening-strategies-for-m365-defend-against-apt29-white-paper.pdf", "https://www.cisa.gov/sites/default/files/publications/Supply_Chain_Compromise_Detecting_APT_Activity_from_known_TTPs.pdf", "https://learn.microsoft.com/en-us/graph/permissions-reference", "https://graphpermissions.merill.net/permission/Mail.Read"], "tags": {"analytic_story": ["Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Application registration $object$ was grandes mailbox read access by $user$", "risk_score": 45, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1114.002", "mitre_attack_technique": "Remote Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "Chimera", "Dragonfly", "FIN4", "HAFNIUM", "Ke3chang", "Kimsuky", "Leafminer", "Magic Hound"]}, {"mitre_attack_id": "T1114", "mitre_attack_technique": "Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Magic Hound", "Silent Librarian"]}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1098.003", "mitre_attack_technique": "Additional Cloud Roles", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}]}, "type": "TTP", "search": "`o365_management_activity` Operation=\"Update application.\" | eval json_data=mvindex('ModifiedProperties{}.NewValue', 0) | eval json_data=replace(json_data, \"^\\[\\s*\", \"\") | eval json_data=replace(json_data, \"\\s*\\]$\", \"\") | spath input=json_data path=RequiredAppPermissions{}.EntitlementId output=EntitlementIds | eval match_found=mvfind(EntitlementIds, \"810c84a8-4a9e-49e6-bf7d-12d183f40d01\") | where isnotnull(match_found) | stats max(_time) as lastTime values(EntitlementIds) as EntitlementIds by Operation, user, object | `security_content_ctime(lastTime)` | `o365_mailbox_read_access_granted_to_application_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "There are legitimate scenarios in wich an Application registrations requires Mailbox read access. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_mailbox_read_access_granted_to_application_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Multi-Source Failed Authentications Spike", "author": "Mauricio Velazco, Splunk", "date": "2023-11-09", "version": 1, "id": "ea4e2c41-dbfb-4f5f-a7b6-9ac1b7f104aa", "description": "This analytic detects potential distributed password spraying attacks within an Office 365 environment. It identifies a significant increase in failed authentication attempts characterized by diverse user-and-IP address combinations, originating from multiple source IP addresses, and utilizing various user agents. These patterns may indicate an adversary's attempt to circumvent security controls by employing a spectrum of IP addresses to test commonly used passwords against a wide range of user accounts. The detection examines UserLoginFailed events from O365 Management Activity logs, with a particular focus on events with ErrorNumber 50126, which indicates a failed authentication due to incorrect credentials. By aggregating data over a five-minute interval, the analytic calculates the distinct counts of user-and-IP combinations and unique users and source IPs. It then applies a set of thresholds to these metrics to identify abnormal activities that could suggest a coordinated attack. The predefined thresholds within the analytic (such as unique IPs, unique users, etc.) serve as initial benchmarks and should be tailored to align with the organization's typical user behavior and risk tolerance. Early detection of such distributed activities is crucial for security operations centers (SOCs) to intercept unauthorized access attempts, avert account takeovers, and reduce the risk of subsequent malevolent actions within the organization's systems. A true positive alert from this analytic would indicate an ongoing distributed password spraying campaign targeting the organization's Office 365 tenant. If such an attack is successful, it could lead to unauthorized access, especially to accounts with administrative privileges, resulting in data breaches, privilege escalation, persistent threats, and lateral movement within the organization's digital environment.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes"], "tags": {"analytic_story": ["NOBELIUM Group", "Office 365 Account Takeover"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Weaponization"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "An anomalous multi source authentication spike ocurred at $_time$", "risk_score": 42, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}]}, "type": "Hunting", "search": " `o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoginFailed ErrorNumber=50126 | bucket span=5m _time | eval uniqueIPUserCombo = src_ip . \"-\" . user | stats dc(uniqueIPUserCombo) as uniqueIpUserCombinations, dc(user) as uniqueUsers, dc(src_ip) as uniqueIPs, values(user) as user, values(src_ip) as ips, values(user_agent) as user_agents by _time | where uniqueIpUserCombinations > 20 AND uniqueUsers > 20 AND uniqueIPs > 20 | `o365_multi_source_failed_authentications_spike_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. The thresholds set within the analytic (such as unique IPs, unique users, etc.) are initial guidelines and should be customized based on the organization's user behavior and risk profile. Security teams are encouraged to adjust these thresholds to optimize the balance between detecting genuine threats and minimizing false positives, ensuring the detection is tailored to their specific environment.", "known_false_positives": "This detection may yield false positives in scenarios where legitimate bulk sign-in activities occur, such as during company-wide system updates or when users are accessing resources from varying locations in a short time frame, such as in the case of VPNs or cloud services that rotate IP addresses. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_multi_source_failed_authentications_spike_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Multiple AppIDs and UserAgents Authentication Spike", "author": "Mauricio Velazco, Splunk", "date": "2023-10-24", "version": 1, "id": "66adc486-224d-45c1-8e4d-9e7eeaba988f", "description": "This analytic is crafted to identify unusual and potentially malicious authentication activity within an O365 environment. It triggers when a single user account is involved in more than 8 authentication attempts, using 3 or more unique application IDs and more than 5 unique user agents within a short timeframe. This pattern is atypical for regular user behavior and may indicate an adversary's attempt to probe the environment, testing for multi-factor authentication requirements across different applications and platforms. The detection is based on analysis of O365 audit logs, specifically focusing on authentication events. It employs statistical thresholds to highlight instances where the volume of authentication attempts and the diversity of application IDs and user agents associated with a single user account exceed normal parameters. Identifying this behavior is crucial as it provides an early indication of potential account compromise. Adversaries, once in possession of user credentials, often conduct reconnaissance to understand the security controls in place, including multi-factor authentication configurations. Tools like Invoke-MFASweep are commonly used for this purpose, automating the process of testing different user agents and application IDs to bypass MFA. By detecting these initial probing attempts, security teams can swiftly respond, potentially stopping an attack in its early stages and preventing further unauthorized access. This proactive stance is vital for maintaining the integrity of the organization's security posture. If validated as a true positive, this detection points to a compromised account, signaling that an attacker is actively attempting to navigate security controls to maintain access and potentially escalate privileges. This could lead to further exploitation, lateral movement within the network, and eventual data exfiltration. Recognizing and responding to this early stage of an attack is vital for preventing substantial harm and safeguarding sensitive organizational data and systems.", "references": ["https://attack.mitre.org/techniques/T1078/", "https://www.blackhillsinfosec.com/exploiting-mfa-inconsistencies-on-microsoft-services/", "https://github.com/dafthack/MFASweep", "https://www.youtube.com/watch?v=SK1zgqaAZ2E"], "tags": {"analytic_story": ["Office 365 Account Takeover"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "$user$ authenticated in a short period of time with more than 5 different user agents across 3 or more unique application ids.", "risk_score": 48, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "type": "Anomaly", "search": " `o365_management_activity` Workload=AzureActiveDirectory (Operation=UserLoggedIn OR Operation=UserLoginFailed) | bucket span=5m _time | stats dc(_raw) as failed_attempts dc(ApplicationId) as unique_app_ids dc(UserAgent) as unique_user_agents values(ApplicationId) values(OS) by _time user src_ip | where failed_attempts > 5 and unique_user_agents > 5 and unique_app_ids > 2 | `o365_multiple_appids_and_useragents_authentication_spike_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Rapid authentication from the same user using more than 5 different user agents and 3 application IDs is highly unlikely under normal circumstances. However, there are potential scenarios that could lead to false positives.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_multiple_appids_and_useragents_authentication_spike_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Multiple Failed MFA Requests For User", "author": "Mauricio Velazco, Splunk", "date": "2023-10-19", "version": 1, "id": "fd22124e-dbac-4744-a8ce-be10d8ec3e26", "description": "This analytic identifies potential \"MFA fatigue\" attacks targeting Office 365 users. Specifically, it detects scenarios where a user experiences more than nine Multi-Factor Authentication (MFA) prompts within a 10-minute timeframe. Attackers may exploit MFA fatigue by repeatedly triggering MFA requests, hoping that the user, out of frustration or oversight, will approve a malicious authentication attempt. The detection leverages O365 management activity logs, focusing on Azure Active Directory events. It looks for the UserLoginFailed operation combined with a Success ResultStatus and an ErrorNumber of 500121, which indicates MFA prompts. By monitoring these specific events and conditions, the analytic captures and alerts on potential MFA fatigue scenarios. With MFA being a cornerstone of modern cybersecurity defenses, attackers are constantly seeking ways to bypass or exploit it. MFA fatigue is one such tactic, where attackers rely on user frustration or confusion caused by frequent MFA prompts. Detecting potential MFA fatigue scenarios allows security teams to proactively investigate and ensure that users aren't inadvertently granting access to malicious actors. If this detection flags a true positive, it suggests a potential attempt by an attacker to exploit MFA mechanisms to gain unauthorized access to an O365 account. Successful exploitation could lead to data breaches, unauthorized data access, or further compromise within the O365 environment. Immediate investigation and response would be crucial to safeguard the affected account and assess the full scope of the potential breach.", "references": ["https://attack.mitre.org/techniques/T1621/"], "tags": {"analytic_story": ["Office 365 Account Takeover"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Multiple failed MFA requestes for $user$", "risk_score": 48, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$", "Scattered Spider"]}]}, "type": "TTP", "search": " `o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoginFailed ResultStatus=Success ErrorNumber=500121 | bucket span=10m _time | stats dc(_raw) as mfa_prompts values(LogonError) as LogonError values(signature) as signature by user, _time | where mfa_prompts > 9 | `o365_multiple_failed_mfa_requests_for_user_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Multiple Failed MFA requests may also be a sign of authentication or application issues. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_multiple_failed_mfa_requests_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Multiple Mailboxes Accessed via API", "author": "Mauricio Velazco, Splunk", "date": "2024-02-01", "version": 1, "id": "7cd853e9-d370-412f-965d-a2bcff2a2908", "description": "The following analytic is designed to trigger when a high number of Office 365 Exchange mailboxes are accessed via API (Microsoft Graph API or Exchange Web Services) in a short time, hinting at possible unauthorized mass email access. It tracks 'MailItemsAccessed' operations in Exchange, using AppId and regex to identify API interactions. Crucial for SOC teams, this analytic focuses on spotting abnormal access patterns, often signaling data exfiltration or account compromise. Security teams should tailor the threshold - set here to flag over five unique mailboxes accessed within 10 minutes - to align with their environment's norms, ensuring effective detection of potential security incidents while maintaining operational efficiency.", "references": ["https://attack.mitre.org/techniques/T1114/002/", "https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in", "https://learn.microsoft.com/en-us/graph/permissions-reference", "https://attack.mitre.org/techniques/T1114/002/", "https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/", "https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/ews-applications-and-the-exchange-architecture"], "tags": {"analytic_story": ["NOBELIUM Group", "Office 365 Collection Techniques"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "An Oauth application identified with id $ClientAppId$ accessed multiple mailboxes in a short period of time via an API.", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1114.002", "mitre_attack_technique": "Remote Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "Chimera", "Dragonfly", "FIN4", "HAFNIUM", "Ke3chang", "Kimsuky", "Leafminer", "Magic Hound"]}]}, "type": "TTP", "search": " `o365_management_activity` Workload=Exchange Operation=MailItemsAccessed AppId=* ClientAppId=* | bucket span=10m _time | eval matchRegex=if(match(ClientInfoString, \"^Client=WebServices;ExchangeWebServices\"), 1, 0) | search (AppId=\"00000003-0000-0000-c000-000000000000\" OR matchRegex=1) | stats values(ClientIPAddress) as src_ip dc(user) as unique_mailboxes values(user) as user by _time ClientAppId ClientInfoString | where unique_mailboxes > 5 | `o365_multiple_mailboxes_accessed_via_api_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Legitimate applications may access multiple mailboxes via an API. You can filter by the ClientAppId or the CLientIpAddress fields.", "datamodel": ["Web"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_multiple_mailboxes_accessed_via_api_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Multiple Service Principals Created by SP", "author": "Mauricio Velazco, Splunk", "date": "2024-02-07", "version": 1, "id": "ef4c3f20-d1ad-4ad1-a3f4-d5f391c005fe", "description": "This detection aims to identify instances where a single service principal creates more than three unique OAuth applications within a 10-minute timeframe, using O365 logs from the Unified Audit Log. The focus is on tracking the 'Add service principal' operation within the Office 365 Azure Active Directory environment. The query effectively buckets events in 10-minute intervals, specifically scrutinizing the actions of service principals. By quantifying the number of distinct OAuth applications each service principal establishes, the analytic provides critical insights for SOC teams into potentially anomalous or malicious activities. These activities could include a compromised or malicious service principal being used to create multiple service principals, which might be indicative of an attempt to expand control or access within the network. Security teams are advised to adapt the threshold of three applications to align with their typical operational baseline", "references": ["https://attack.mitre.org/techniques/T1136/003/", "https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/"], "tags": {"analytic_story": ["NOBELIUM Group", "Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}], "message": "Multiple OAuth applications were created by $src_user$ in a short period of time", "risk_score": 42, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}]}, "type": "Anomaly", "search": "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Add service principal.\" | bucket span=10m _time | eval len=mvcount('Actor{}.ID') | eval userType = mvindex('Actor{}.ID',len-1) | search userType = \"ServicePrincipal\" | eval displayName = object | stats count earliest(_time) as firstTime latest(_time) as lastTime values(displayName) as displayName dc(displayName) as unique_apps by src_user | where unique_apps > 3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_multiple_service_principals_created_by_sp_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Certain users or applications may create multiple service principals in a short period of time for legitimate purposes. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_multiple_service_principals_created_by_sp_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Multiple Service Principals Created by User", "author": "Mauricio Velazco, Splunk", "date": "2024-02-07", "version": 1, "id": "a34e65d0-54de-4b02-9db8-5a04522067f6", "description": "This detection is tailored to spot occurrences where a single user, rather than a service principal, creates more than three unique OAuth applications within a 10-minute window in the Office 365 environment. Utilizing O365 logs from the Unified Audit Log, it focuses on the 'Add service principal' operation in Azure Active Directory. The query segments events into 10-minute intervals, exclusively monitoring user activities. It calculates the number of distinct OAuth applications initiated by each user, providing SOC teams with essential data for identifying potential security threats. Such activity could suggest that a user account is either compromised or engaged in unauthorized activities, potentially setting the stage for broader network infiltration or privilege escalation. It's important for security teams to adjust the threshold of three applications to fit their operational context.", "references": ["https://attack.mitre.org/techniques/T1136/003/", "https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/"], "tags": {"analytic_story": ["NOBELIUM Group", "Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}], "message": "Multiple OAuth applications were created by $src_user$ in a short period of time", "risk_score": 42, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}]}, "type": "Anomaly", "search": "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Add service principal.\" | bucket span=10m _time | eval len=mvcount('Actor{}.ID') | eval userType = mvindex('Actor{}.ID',len-1) | search userType = \"User\" | eval displayName = object | stats count earliest(_time) as firstTime latest(_time) as lastTime values(displayName) as displayName dc(displayName) as unique_apps by src_user | where unique_apps > 3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_multiple_service_principals_created_by_user_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Certain users or applications may create multiple service principals in a short period of time for legitimate purposes. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_multiple_service_principals_created_by_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Multiple Users Failing To Authenticate From Ip", "author": "Mauricio Velazco, Splunk", "date": "2024-03-19", "version": 2, "id": "8d486e2e-3235-4cfe-ac35-0d042e24ecb4", "description": "This analytic identifies instances where multiple users (more than 10 unique accounts) have failed to authenticate from a single IP address within a short time span (5 minutes). Such a pattern can be indicative of malicious activities, such as brute-force attacks or password spraying attempts. The detection leverages O365 audit logs, specifically focusing on Azure Active Directory login failures (AzureActiveDirectoryStsLogon). By aggregating these failures based on the source IP address and time, the analytic captures patterns where multiple unique user accounts have authentication failures from the same IP within a 5-minute window. Multiple authentication failures from a single IP address targeting various accounts can be a strong indicator of an attacker trying to gain unauthorized access. It could represent a brute-force attack, password spraying, or other malicious login attempts. Identifying and responding to such patterns promptly is crucial to prevent potential account compromises and unauthorized access to organizational resources. If the detection is a true positive, it suggests that an external entity is actively trying to breach the security by targeting multiple user accounts. While the attempts have been unsuccessful (as indicated by the login failures), it's a clear sign of malicious intent. Immediate action is required to block or monitor the suspicious IP, investigate the nature of the attempts, and potentially notify affected users to take precautionary measures like password changes or enabling multi-factor authentication.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes"], "tags": {"analytic_story": ["NOBELIUM Group", "Office 365 Account Takeover"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Weaponization"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Source Ip $src_ip$ failed to authenticate with 20 users within 5 minutes.", "risk_score": 63, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}]}, "type": "TTP", "search": " `o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoginFailed ErrorNumber=50126 | bucket span=5m _time | stats dc(user) as unique_accounts values(user) as user values(LogonError) as LogonError values(signature) as signature values(UserAgent) as UserAgent by _time, src_ip | where unique_accounts > 10 | `o365_multiple_users_failing_to_authenticate_from_ip_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "A source Ip failing to authenticate with multiple users in a short period of time is not common legitimate behavior.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_multiple_users_failing_to_authenticate_from_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 New Email Forwarding Rule Created", "author": "Mauricio Velazco, Splunk", "date": "2024-03-27", "version": 1, "id": "68469fd0-1315-44ba-b7e4-e92847bb76d6", "description": "This detection is crafted to monitor and identify the creation of new email forwarding rules in an Office 365 environment. It specifically targets events logged under New-InboxRule and Set-InboxRule operations within o365_management_activity, indicating the establishment or modification of inbox rules that forward emails. The detection checks for the presence of parameters such as ForwardTo, ForwardAsAttachmentTo, and RedirectTo, which are key indicators of email forwarding behavior.", "references": ["https://attack.mitre.org/techniques/T1114/003/"], "tags": {"analytic_story": ["Office 365 Collection Techniques"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A forwarding email inbox rule was created for $user$", "risk_score": 42, "security_domain": "audit", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1114", "mitre_attack_technique": "Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Magic Hound", "Silent Librarian"]}, {"mitre_attack_id": "T1114.003", "mitre_attack_technique": "Email Forwarding Rule", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Kimsuky", "LAPSUS$", "Silent Librarian"]}]}, "type": "TTP", "search": "`o365_management_activity` (Operation=New-InboxRule OR Operation=set-InboxRule) | eval match1=mvfind('Parameters{}.Name', \"ForwardTo\") | eval match2=mvfind('Parameters{}.Name', \"ForwardAsAttachmentTo\") | eval match3=mvfind('Parameters{}.Name', \"RedirectTo\") | where match1>= 0 OR match2>= 0 OR match3>= 0 | eval ForwardTo=coalesce(ForwardTo, ForwardAsAttachmentTo, RedirectTo) | stats count min(_time) as firstTime max(_time) as lastTime values(Name) as Name by user Operation ForwardTo | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_new_email_forwarding_rule_created_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Users may create email forwarding rules for legitimate purposes. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_new_email_forwarding_rule_created_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 New Email Forwarding Rule Enabled", "author": "Mauricio Velazco, Splunk", "date": "2024-03-28", "version": 1, "id": "ac7c4d0a-06a3-4278-aa59-88a5e537f981", "description": "This detection aims to identify instances where new email forwarding rules are created through the UpdateInboxRules operation within an Office 365 environment. Despite the operation name suggesting an update, this specific scenario involves the addition of new rules that direct emails to external recipients, captured under the ForwardToRecipientsAction. The analytic examines the OperationProperties to extract and validate forwarding addresses, ensuring they adhere to the expected email format.", "references": ["https://attack.mitre.org/techniques/T1114/003/"], "tags": {"analytic_story": ["Office 365 Collection Techniques"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A forwarding email inbox rule was created for $user$", "risk_score": 42, "security_domain": "audit", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1114", "mitre_attack_technique": "Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Magic Hound", "Silent Librarian"]}, {"mitre_attack_id": "T1114.003", "mitre_attack_technique": "Email Forwarding Rule", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Kimsuky", "LAPSUS$", "Silent Librarian"]}]}, "type": "TTP", "search": "`o365_management_activity` Workload=Exchange Operation=UpdateInboxRules | eval match1=mvfind('OperationProperties{}.Value', \"ForwardToRecipientsAction\") | eval match2=mvfind('OperationProperties{}.Value', \"ForwardAsAttachmentToRecipientsAction\") | eval match3=mvfind('OperationProperties{}.Value', \"RedirectToRecipientsAction\") | eval index = mvfind('OperationProperties{}.Name', \"ServerRule\") | where match1>= 0 OR match2>= 0 OR match3>= 0 | eval ServerRule = mvindex('OperationProperties{}.Value', index-1) | spath input=ServerRule path=Actions{}.Recipients{}.Values{}.Value output=valueExtracted | mvexpand valueExtracted | search valueExtracted=\"*@*.*\" | eval ForwardTo=if(match(valueExtracted, \"^[^@]+@[^@]+\\\\.[^@]+$\"), valueExtracted, null) | dedup ForwardTo | where isnotnull(ForwardTo) | stats count min(_time) as firstTime max(_time) as lastTime values(Name) as Name by user Operation ForwardTo | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_new_email_forwarding_rule_enabled_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Users may create email forwarding rules for legitimate purposes. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_new_email_forwarding_rule_enabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 New Federated Domain Added", "author": "Rod Soto, Mauricio Velazco Splunk", "date": "2023-08-02", "version": 3, "id": "e155876a-6048-11eb-ae93-0242ac130002", "description": "The following analytic identifies the addition of a new federated domain in an organization's Office 365 environment. This behavior is detected by analyzing the Office 365 management activity logs using the Splunk query o365_management_activity, specifically filtering for the Workload=Exchange and Operation=\"Add-FederatedDomain\" parameters. The addition of a new federated domain can be a significant security concern, as it might indicate unauthorized changes or potential compromises within the Office 365 setup. Attackers, upon gaining sufficient privileges, could add a federated domain to establish a backdoor, bypass security measures, or exfiltrate data. Such unauthorized changes can lead to data breaches, unauthorized access to sensitive data, and potential compromise of organizational infrastructure. When this analytic is triggered, immediate steps should include reviewing the details of the added federated domain, such as the organization name, originating server, user ID, and user key. Concurrent processes or other indicators of compromise should also be investigated to pinpoint the source of the potential breach.", "references": ["https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", "https://blog.sygnia.co/detection-and-hunting-of-golden-saml-attack?hsLang=en", "https://o365blog.com/post/aadbackdoor/"], "tags": {"analytic_story": ["Cloud Federated Credential Abuse", "Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ has added a new federated domain $new_value$", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider", "Scattered Spider"]}]}, "type": "TTP", "search": "`o365_management_activity` Operation IN (\"*add*\", \"*new*\") AND Operation=\"*domain*\" | stats count values(ModifiedProperties{}.NewValue) as new_value by user user_agent authentication_service action Workload Operation | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_new_federated_domain_added_filter`", "how_to_implement": "You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity.", "known_false_positives": "The creation of a new Federated domain is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a similar or different cloud provider.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_new_federated_domain_added_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 New Forwarding Mailflow Rule Created", "author": "Mauricio Velazco, Splunk", "date": "2024-04-10", "version": 1, "id": "289ed0a1-4c78-4a43-9321-44ea2e089c14", "description": "The following analytic monitors for the creation of new mail flow rules in Office 365 that could potentially redirect or copy emails to unauthorized or external addresses. This analytic works by querying the Office 365 Management Activity logs for any operation tagged as \"New-TransportRule\". It specifically looks for parameters indicative of mail forwarding actions, such as \"BlindCopyTo\", \"CopyTo\", and \"RedirectMessageTo\". If any of these parameters are present, indicating that a forwarding rule has been set up, the detection then captures the details of this rule, including the user ID responsible for the creation, the name of the rule, the forwarding target, and the timestamps of the rule's creation and last modification.", "references": ["https://attack.mitre.org/techniques/T1114/", "https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules", "https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rule-actions"], "tags": {"analytic_story": ["Office 365 Collection Techniques"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A new forwarding mailflow rule was created by $user$", "risk_score": 42, "security_domain": "audit", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1114", "mitre_attack_technique": "Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Magic Hound", "Silent Librarian"]}]}, "type": "TTP", "search": "`o365_management_activity` Workload=Exchange Operation=\"New-TransportRule\" | eval match1=mvfind('Parameters{}.Name', \"BlindCopyTo\") | eval match2=mvfind('Parameters{}.Name', \"CopyTo\") | eval match3=mvfind('Parameters{}.Name', \"RedirectMessageTo\") | where match1>= 0 OR match2>= 0 OR match3>=0 | eval ForwardTo=coalesce(BlindCopyTo, CopyTo, RedirectMessageTo) | search ForwardTo!=\"\" | rename UserId as user | stats count earliest(_time) as firstTime latest(_time) as lastTime by Operation, user, Name, ForwardTo | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_new_forwarding_mailflow_rule_created_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Forwarding mail flow rules may be created for legitimate reasons, filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_new_forwarding_mailflow_rule_created_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 New MFA Method Registered", "author": "Mauricio Velazco, Splunk", "date": "2023-10-20", "version": 1, "id": "4e12db1f-f7c7-486d-8152-a221cad6ac2b", "description": "This analytic detects the registration of a new Multi-Factor Authentication (MFA) method associated with a user account within Office 365 by monitoring O365 audit logs and configurations. While adding a new MFA method can be a routine and legitimate action, it can also be indicative of an attacker's attempt to maintain persistence on a compromised account. By registering a new MFA method, attackers can potentially bypass existing security measures, allowing them to authenticate using stolen credentials without raising alarms. Monitoring for such changes is crucial, especially if the addition is not preceded by a user request or if it deviates from typical user behavior. If an attacker successfully registers a new MFA method on a compromised account, they can solidify their access, making it harder for legitimate users to regain control. The attacker can then operate with the privileges of the compromised account, potentially accessing sensitive data, making unauthorized changes, or even escalating their privileges further. Immediate action would be required to verify the legitimacy of the MFA change and, if malicious, to remediate and secure the affected account.", "references": ["https://attack.mitre.org/techniques/T1098/005/", "https://www.microsoft.com/en-us/security/blog/2023/06/08/detecting-and-mitigating-a-multi-stage-aitm-phishing-and-bec-campaign/", "https://www.csoonline.com/article/573451/sophisticated-bec-scammers-bypass-microsoft-365-multi-factor-authentication.html"], "tags": {"analytic_story": ["Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A new MFA method was added for $user$", "risk_score": 30, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1098.005", "mitre_attack_technique": "Device Registration", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29"]}]}, "type": "TTP", "search": "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Update user.\" | eval propertyName = mvindex('ModifiedProperties{}.Name', 0) | search propertyName = StrongAuthenticationMethod | eval oldvalue = mvindex('ModifiedProperties{}.OldValue',0) | eval newvalue = mvindex('ModifiedProperties{}.NewValue',0) | rex field=newvalue max_match=0 \"(?i)(?\\\"MethodType\\\")\" | rex field=oldvalue max_match=0 \"(?i)(?\\\"MethodType\\\")\" | eval count_new_method_type = coalesce(mvcount(new_method_type), 0) | eval count_old_method_type = coalesce(mvcount(old_method_type), 0) | where count_new_method_type > count_old_method_type | stats earliest(_time) as firstTime latest(_time) as lastTime values(propertyName) by user newvalue oldvalue | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_new_mfa_method_registered_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Users may register MFA methods legitimally, investigate and filter as needed.", "datamodel": ["Authentication"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_new_mfa_method_registered_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 OAuth App Mailbox Access via EWS", "author": "Mauricio Velazco, Splunk", "date": "2024-01-31", "version": 1, "id": "e600cf1a-0bef-4426-b42e-00176d610a4d", "description": "The following analytic detects when emails are accessed in Office 365 Exchange via Exchange Web Services (EWS), as indicated by the ClientInfoString field starting with \"Client=WebServices;ExchangeWebServices\". It monitors mailbox activities, focusing on OAuth-authenticated applications that interact with EWS. The query aggregates key metrics such as access counts, timing, and client IP addresses, categorized by user, ClientAppId, OperationCount, and AppId. For defenders, it is critical to keep track of OAuth applications using EWS to access emails, as this information is instrumental in identifying and preventing potential abuse or unauthorized data access.", "references": ["https://attack.mitre.org/techniques/T1114/002/", "https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/", "https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/ews-applications-and-the-exchange-architecture"], "tags": {"analytic_story": ["NOBELIUM Group", "Office 365 Collection Techniques"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "An OAuth application identified with id $ClientAppId$ accesed mailboxes through the Graph API.", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1114.002", "mitre_attack_technique": "Remote Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "Chimera", "Dragonfly", "FIN4", "HAFNIUM", "Ke3chang", "Kimsuky", "Leafminer", "Magic Hound"]}]}, "type": "TTP", "search": " `o365_management_activity` Workload=Exchange Operation=MailItemsAccessed AppId=* ClientAppId=* | regex ClientInfoString=\"^Client=WebServices;ExchangeWebServices\" | stats count earliest(_time) as firstTime latest(_time) as lastTime values(ClientIPAddress) as src_ip by user ClientAppId OperationCount AppId ClientInfoString | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_oauth_app_mailbox_access_via_ews_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "OAuth applications may access mailboxes for legitimate purposes, you can use the src_ip to add trusted sources to an allow list.", "datamodel": ["Web"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_oauth_app_mailbox_access_via_ews_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 OAuth App Mailbox Access via Graph API", "author": "Mauricio Velazco, Splunk", "date": "2024-01-31", "version": 1, "id": "9db0d5b0-4058-4cb7-baaf-77d8143539a2", "description": "This Splunk analytic detects when emails are accessed in Office 365 Exchange via the Microsoft Graph API, identified by the client ID '00000003-0000-0000-c000-000000000000'. It tracks the 'MailItemsAccessed' operation within the Exchange workload, focusing on OAuth-authenticated applications. The query compiles statistics on access frequency, timing, and client IP addresses, organized by user, client application ID, and AppId. For defenders, it's crucial to maintain an inventory of all OAuth applications that read emails, using this data to scrutinize and identify any potential abusive access patterns.", "references": ["https://attack.mitre.org/techniques/T1114/002/", "https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in", "https://learn.microsoft.com/en-us/graph/permissions-reference"], "tags": {"analytic_story": ["NOBELIUM Group", "Office 365 Collection Techniques"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "An OAuth application identified with id $ClientAppId$ accesed mailboxes through the Graph API.", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1114.002", "mitre_attack_technique": "Remote Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "Chimera", "Dragonfly", "FIN4", "HAFNIUM", "Ke3chang", "Kimsuky", "Leafminer", "Magic Hound"]}]}, "type": "TTP", "search": " `o365_management_activity` Workload=Exchange Operation=MailItemsAccessed AppId=* AppId=00000003-0000-0000-c000-000000000000 | stats count earliest(_time) as firstTime latest(_time) as lastTime values(ClientIPAddress) by user ClientAppId OperationCount AppId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_oauth_app_mailbox_access_via_graph_api_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "OAuth applications may access mailboxes for legitimate purposes, you can use the ClientAppId to add trusted applications to an allow list.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_oauth_app_mailbox_access_via_graph_api_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Privileged Graph API Permission Assigned", "author": "Mauricio Velazco, Splunk", "date": "2024-01-30", "version": 1, "id": "868f3131-d5e1-4bf1-af5b-9b0fbaaaedbb", "description": "This Splunk analytic detects the assignment of critical Graph API permissions in Azure AD using O365 Unified Audit Log as its data source. It focuses on three permissions, Application.ReadWrite.All (Entitlement ID 1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9), AppRoleAssignment.ReadWrite.All (06b708a9-e830-4db3-a914-8e69da51d44f), and RoleManagement.ReadWrite.Directory (9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8). These permissions, crucial for controlling Azure AD settings, pose a high risk if misused. The query monitors Azure Active Directory workload events in the Office 365 Management Activity, specifically 'Update application' operations. It extracts and analyzes data to spot when these permissions are granted, gathering details about the user, object, and user agent involved. Due to the significant control these permissions provide, immediate investigation is crucial upon detection to prevent unauthorized modifications.", "references": ["https://cloudbrothers.info/en/azure-attack-paths/", "https://github.com/mandiant/Mandiant-Azure-AD-Investigator/blob/master/MandiantAzureADInvestigator.json", "https://learn.microsoft.com/en-us/graph/permissions-reference", "https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/", "https://posts.specterops.io/azure-privilege-escalation-via-azure-api-permissions-abuse-74aee1006f48"], "tags": {"analytic_story": ["NOBELIUM Group", "Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ assigned privileged Graph API permissions to $object$", "risk_score": 54, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Update application.\" | eval newvalue = mvindex('ModifiedProperties{}.NewValue',0) | spath input=newvalue | search \"{}.RequiredAppPermissions{}.EntitlementId\"=\"1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9\" OR \"{}.RequiredAppPermissions{}.EntitlementId\"=\"06b708a9-e830-4db3-a914-8e69da51d44f\" OR \"{}.RequiredAppPermissions{}.EntitlementId\"=\"9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8\" | eval Permissions = '{}.RequiredAppPermissions{}.EntitlementId' | stats count earliest(_time) as firstTime latest(_time) as lastTime values(Permissions) by user, object, user_agent, Operation | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_privileged_graph_api_permission_assigned_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Privileged Graph API permissions may be assigned for legitimate purposes. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_privileged_graph_api_permission_assigned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 PST export alert", "author": "Rod Soto, Splunk", "date": "2020-12-16", "version": 2, "id": "5f694cc4-a678-4a60-9410-bffca1b647dc", "description": "This analytic detects instances where a user has initiated an eDiscovery search or exported a PST file from the search results in an Office 365 environment. The detection leverages the Office 365 management activity logs, specifically filtering for events categorized under ThreatManagement with the name eDiscovery search started or exported. The initiation of an eDiscovery search or the export of a PST file can be indicative of data exfiltration attempts or unauthorized access to sensitive information. PST files often contain a wealth of sensitive data, including the content of emails. Monitoring for such activities is crucial as they can expose sensitive organizational communications and data. If confirmed as a malicious activity, it suggests that an attacker or insider threat is attempting to gather or exfiltrate data. This can lead to data breaches, loss of intellectual property, or unauthorized access to confidential communications. Immediate investigation is required to determine the scope and intent of the activity and to take appropriate remedial actions.", "references": ["https://attack.mitre.org/techniques/T1114/"], "tags": {"analytic_story": ["Data Exfiltration", "Office 365 Collection Techniques"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "Source", "type": "User", "role": ["Victim"]}], "message": "User $Source$ has exported a PST file from the search using this operation- $Operation$ with a severity of $Severity$", "risk_score": 48, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1114", "mitre_attack_technique": "Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Magic Hound", "Silent Librarian"]}]}, "type": "TTP", "search": "`o365_management_activity` Category=ThreatManagement Name=\"eDiscovery search started or exported\" | stats count earliest(_time) as firstTime latest(_time) as lastTime by Source Severity AlertEntityId Operation Name |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `o365_pst_export_alert_filter`", "how_to_implement": "You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity", "known_false_positives": "PST export can be done for legitimate purposes but due to the sensitive nature of its content it must be monitored.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_pst_export_alert_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Security And Compliance Alert Triggered", "author": "Mauricio Velazco, Splunk", "date": "2024-03-25", "version": 1, "id": "5b367cdd-8dfc-49ac-a9b7-6406cf27f33e", "description": "The following detection is tailored to identify and act upon alerts generated by the Office 365 Security and Compliance Center, encompassing a broad spectrum of security and compliance issues indicative of potential threats or policy violations within the O365 workspace.", "references": ["https://attack.mitre.org/techniques/T1078/004/", "https://learn.microsoft.com/en-us/purview/alert-policies?view=o365-worldwide", "https://learn.microsoft.com/en-us/purview/alert-policies"], "tags": {"analytic_story": ["Office 365 Account Takeover"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Security and Compliance triggered an alert for $user$", "risk_score": 48, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}]}, "type": "TTP", "search": " `o365_management_activity` Workload=SecurityComplianceCenter Category=ThreatManagement Operation=AlertTriggered | spath input=Data path=f3u output=user | spath input=Data path=op output=operation | spath input=_raw path=wl | spath input=Data path=rid output=rule_id | spath input=Data path=ad output=alert_description | spath input=Data path=lon output=operation_name | spath input=Data path=an output=alert_name | spath input=Data path=sev output=severity | stats count earliest(_time) as firstTime latest(_time) as lastTime by user, Name, operation, rule_id, alert_description, alert_name, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_security_and_compliance_alert_triggered_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "O365 Security and Compliance may also generate false positives or trigger on legitimate behavior, filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_security_and_compliance_alert_triggered_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Service Principal New Client Credentials", "author": "Mauricio Velazco, Splunk", "date": "2023-08-31", "version": 1, "id": "a1b229e9-d962-4222-8c62-905a8a010453", "description": "The following analytic identifies the addition of new credentials for Service Principals in addition to existing legitimate credentials within a Office 365 tenant. These credentials include both x509 certificates and passwords. It leverages O365 audit logs, specifically events related to credential modifications or additions within the AzureActiveDirectory workload for service principals. Service principals represent application identities in Office 365 / AzureAD, and their credentials allow applications to authenticate and access resources. Adding new credentials or modifying existing ones can be an indication of configuration changes, but it can also be a sign of malicious intent If an attacker successfully adds or modifies credentials for a service principal, they can potentially use those credentials to authenticate as the application, gaining access to resources and data the application is permitted to access. This can lead to unauthorized data access, data exfiltration, or malicious operations performed under the guise of the application", "references": ["https://attack.mitre.org/techniques/T1098/001/", "https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452", "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501-2/", "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Cloud%20-%20Azure%20Pentest.md#add-credentials-to-all-enterprise-applications"], "tags": {"analytic_story": ["NOBELIUM Group", "Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "object", "type": "User", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Attacker"]}], "message": "New credentials added for Service Principal $object$", "risk_score": 35, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1098.001", "mitre_attack_technique": "Additional Cloud Credentials", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "TTP", "search": " `o365_management_activity` Workload=AzureActiveDirectory Operation=\"Update application*Certificates and secrets management \" | stats earliest(_time) as firstTime latest(_time) as lastTime by user ModifiedProperties{}.NewValue object ObjectId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_service_principal_new_client_credentials_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Service Principal client credential modifications may be part of legitimate administrative operations. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_service_principal_new_client_credentials_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Tenant Wide Admin Consent Granted", "author": "Mauricio Velazco, Splunk", "date": "2023-09-06", "version": 1, "id": "50eaabf8-5180-4e86-bfb2-011472c359fc", "description": "The following analytic identifies instances where admin consent is granted to an application within an Azure AD and Office 365 tenant. It leverages O365 audit logs, specifically events related to the admin consent action within the AzureActiveDirectory workload. The admin consent action allows applications to access data across the entire tenant, potentially encompassing a vast amount of organizational data. Given its broad scope and the sensitivity of some permissions that can only be granted via admin consent, it's crucial to monitor this action. Unauthorized or inadvertent granting of admin consent can lead to significant security risks, including data breaches, unauthorized data access, and potential compliance violations. If an attacker successfully tricks an administrator into granting admin consent to a malicious or compromised application, they can gain extensive and persistent access to organizational data. This can lead to data exfiltration, espionage, further malicious activities within the tenant, and potential breaches of compliance regulations", "references": ["https://attack.mitre.org/techniques/T1098/003/", "https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452", "https://learn.microsoft.com/en-us/security/operations/incident-response-playbook-app-consent", "https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent?pivots=portal", "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501-2/"], "tags": {"analytic_story": ["NOBELIUM Group", "Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "The $object$ application registration was granted tenant wide admin consent.", "risk_score": 45, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1098.003", "mitre_attack_technique": "Additional Cloud Roles", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}]}, "type": "TTP", "search": "`o365_management_activity` Operation=\"Consent to application.\" | eval new_field=mvindex('ModifiedProperties{}.NewValue', 4) | rex field=new_field \"ConsentType: (?[^\\,]+)\" | rex field=new_field \"Scope: (?[^\\,]+)\" | search ConsentType = \"AllPrincipals\" | stats count min(_time) as firstTime max(_time) as lastTime by Operation, user, object, ObjectId, ConsentType, Scope | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_tenant_wide_admin_consent_granted_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Legitimate applications may be granted tenant wide consent, filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_tenant_wide_admin_consent_granted_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 User Consent Blocked for Risky Application", "author": "Mauricio Velazco, Splunk", "date": "2023-10-11", "version": 1, "id": "242e4d30-cb59-4051-b0cf-58895e218f40", "description": "The following analytic identifies instances where Office 365 has blocked a user's attempt to grant consent to an application deemed risky or potentially malicious. This suggests that the application has exhibited behaviors or characteristics that are commonly associated with malicious intent or poses a security risk. This detection leverages the O365 audit logs, specifically focusing on events related to user consent actions and system-driven blocks. By filtering for blocked consent actions associated with applications, the analytic highlights instances where O365's built-in security measures have intervened. Applications that are flagged and blocked by O365 typically exhibit suspicious characteristics or behaviors. Monitoring for these blocked consent attempts helps security teams identify potential threats early on and can provide insights into users who might be targeted or susceptible to such risky applications. It's an essential layer of defense in ensuring that malicious or risky applications don't gain access to organizational data. If the detection is a true positive, it indicates that the built-in security measures of O365 successfully prevented a potentially harmful application from gaining access. However, the attempt itself suggests that either a user might be targeted or that there's a presence of malicious applications trying to infiltrate the organization. Immediate investigation is required to understand the context of the block and to take further preventive measures.", "references": ["https://attack.mitre.org/techniques/T1528/", "https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/", "https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/protect-against-consent-phishing", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth", "https://www.alteredsecurity.com/post/introduction-to-365-stealer", "https://github.com/AlteredSecurity/365-Stealer"], "tags": {"analytic_story": ["Office 365 Account Takeover"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "O365 has blocked $user$ attempt to grant to consent to an application deemed risky.", "risk_score": 30, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1528", "mitre_attack_technique": "Steal Application Access Token", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29"]}]}, "type": "TTP", "search": "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Consent to application.\" ResultStatus=Failure | eval permissions =mvindex('ModifiedProperties{}.NewValue', 4) | eval reason =mvindex('ModifiedProperties{}.NewValue', 5) | search reason = \"Risky application detected\" | rex field=permissions \"Scope: (?[^,]+)\" | stats max(_time) as lastTime by Operation, user, reason, object, Scope | `security_content_ctime(lastTime)` | `o365_user_consent_blocked_for_risky_application_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Microsofts algorithm to identify risky applications is unknown and may flag legitimate applications.", "datamodel": ["Risk"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_user_consent_blocked_for_risky_application_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 User Consent Denied for OAuth Application", "author": "Mauricio Velazco, Splunk", "date": "2023-10-12", "version": 1, "id": "2d8679ef-b075-46be-8059-c25116cb1072", "description": "The following analytic identifies instances where a user has actively denied consent to an OAuth application seeking permissions within the Office 365 environment. This suggests that the user either recognized something suspicious about the application or chose not to grant it the requested permissions for other reasons. This detection leverages the O365 audit logs, specifically focusing on events related to user consent actions. By filtering for denied consent actions associated with OAuth applications, the analytic captures instances where users have actively rejected permission requests. While user-denied consents can be routine, they can also be indicative of users spotting potentially suspicious or unfamiliar applications. By monitoring these denied consent attempts, security teams can gain insights into applications that might be perceived as risky or untrusted by users. It can also serve as a feedback loop for security awareness training, indicating that users are being cautious about granting permissions. If the detection is a true positive, it indicates that a user has actively prevented an OAuth application from gaining the permissions it requested. While this is a proactive security measure on the user's part, it's essential for security teams to review the context of the denial. Understanding why certain applications are being denied can help in refining application whitelisting policies and ensuring that no malicious applications are attempting to gain access.", "references": ["https://attack.mitre.org/techniques/T1528/", "https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/", "https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/protect-against-consent-phishing", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth", "https://www.alteredsecurity.com/post/introduction-to-365-stealer", "https://github.com/AlteredSecurity/365-Stealer"], "tags": {"analytic_story": ["Office 365 Account Takeover"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "User $user$ denifed consent for an OAuth application.", "risk_score": 30, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1528", "mitre_attack_technique": "Steal Application Access Token", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29"]}]}, "type": "TTP", "search": " `o365_graph` status.errorCode=65004 | rename userPrincipalName as user | rename ipAddress as src_ip | stats max(_time) as lastTime by user src_ip appDisplayName status.failureReason | `security_content_ctime(lastTime)` | `o365_user_consent_denied_for_oauth_application_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 events.", "known_false_positives": "OAuth applications that require mail permissions may be legitimate, investigate and filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_graph", "definition": "sourcetype=o365:graph:api", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_user_consent_denied_for_oauth_application_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Risk Rule for Dev Sec Ops by Repository", "author": "Bhavin Patel", "date": "2023-10-27", "version": 1, "id": "161bc0ca-4651-4c13-9c27-27770660cf67", "description": "The following analytic detects by correlating repository and risk score to identify patterns and trends in the data based on the level of risk associated. The analytic adds any null values and calculates the sum of the risk scores for each detection. Then, the analytic captures the source and user information for each detection and sorts the results in ascending order based on the risk score. Finally, the analytic filters the detections with a risk score below 80 and focuses only on high-risk detections.This detection is important because it provides valuable insights into the distribution of high-risk activities across different repositories. It also identifies the most vulnerable repositories that are frequently targeted by potential threats. Additionally, it proactively detects and responds to potential threats, thereby minimizing the impact of attacks and safeguarding critical assets. Finally, it provides a comprehensive view of the risk landscape and helps to make informed decisions to protect the organization's data and infrastructure. False positives might occur so it is important to identify the impact of the attack and prioritize response and mitigation efforts.", "references": [], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "Amazon Elastic Container Registry", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "Other", "role": ["Victim"]}], "message": "Correlation triggered for repository $risk_object$", "risk_score": 70, "security_domain": "cloud", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204.003", "mitre_attack_technique": "Malicious Image", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}]}, "type": "Correlation", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as sum_risk_score, values(All_Risk.annotations.mitre_attack.mitre_tactic) as annotations.mitre_attack.mitre_tactic, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories=\"Dev Sec Ops\" All_Risk.risk_object_type = \"other\" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count > 3 and sum_risk_score > 100 | `risk_rule_for_dev_sec_ops_by_repository_filter`", "how_to_implement": "Ensure that all relevant detections in the Dev Sec Ops analytic stories are enabled and are configured to create risk events in Enterprise Security.", "known_false_positives": "Unknown", "datamodel": ["Risk"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "risk_rule_for_dev_sec_ops_by_repository_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Abnormally High AWS Instances Launched by User", "author": "Bhavin Patel, Splunk", "date": "2020-07-21", "version": 2, "id": "2a9b80d3-6340-4345-b5ad-290bf5d0dac4", "description": "This search looks for AWS CloudTrail events where a user successfully launches an abnormally high number of instances. This search is deprecated and have been translated to use the latest Change Datamodel", "references": [], "tags": {"analytic_story": ["AWS Cryptomining", "Suspicious AWS EC2 Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}]}, "type": "Anomaly", "search": "`cloudtrail` eventName=RunInstances errorCode=success | bucket span=10m _time | stats count AS instances_launched by _time userName | eventstats avg(instances_launched) as total_launched_avg, stdev(instances_launched) as total_launched_stdev | eval threshold_value = 4 | eval isOutlier=if(instances_launched > total_launched_avg+(total_launched_stdev * threshold_value), 1, 0) | search isOutlier=1 AND _time >= relative_time(now(), \"-10m@m\") | eval num_standard_deviations_away = round(abs(instances_launched - total_launched_avg) / total_launched_stdev, 2) | table _time, userName, instances_launched, num_standard_deviations_away, total_launched_avg, total_launched_stdev | `abnormally_high_aws_instances_launched_by_user_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. The threshold value should be tuned to your environment.", "known_false_positives": "Many service accounts configured within an AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify if this search alerted on a human user.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "abnormally_high_aws_instances_launched_by_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Abnormally High AWS Instances Launched by User - MLTK", "author": "Jason Brewer, Splunk", "date": "2020-07-21", "version": 2, "id": "dec41ad5-d579-42cb-b4c6-f5dbb778bbe5", "description": "This search looks for AWS CloudTrail events where a user successfully launches an abnormally high number of instances. This search is deprecated and have been translated to use the latest Change Datamodel.", "references": [], "tags": {"analytic_story": ["AWS Cryptomining", "Suspicious AWS EC2 Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}]}, "type": "Anomaly", "search": "`cloudtrail` eventName=RunInstances errorCode=success `abnormally_high_aws_instances_launched_by_user___mltk_filter` | bucket span=10m _time | stats count as instances_launched by _time src_user | apply ec2_excessive_runinstances_v1 | rename \"IsOutlier(instances_launched)\" as isOutlier | where isOutlier=1", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. The threshold value should be tuned to your environment.", "known_false_positives": "Many service accounts configured within an AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify if this search alerted on a human user.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "abnormally_high_aws_instances_launched_by_user___mltk_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Abnormally High AWS Instances Terminated by User", "author": "Bhavin Patel, Splunk", "date": "2020-07-21", "version": 2, "id": "8d301246-fccf-45e2-a8e7-3655fd14379c", "description": "This search looks for AWS CloudTrail events where an abnormally high number of instances were successfully terminated by a user in a 10-minute window. This search is deprecated and have been translated to use the latest Change Datamodel.", "references": [], "tags": {"analytic_story": ["Suspicious AWS EC2 Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}]}, "type": "Anomaly", "search": "`cloudtrail` eventName=TerminateInstances errorCode=success | bucket span=10m _time | stats count AS instances_terminated by _time userName | eventstats avg(instances_terminated) as total_terminations_avg, stdev(instances_terminated) as total_terminations_stdev | eval threshold_value = 4 | eval isOutlier=if(instances_terminated > total_terminations_avg+(total_terminations_stdev * threshold_value), 1, 0) | search isOutlier=1 AND _time >= relative_time(now(), \"-10m@m\")| eval num_standard_deviations_away = round(abs(instances_terminated - total_terminations_avg) / total_terminations_stdev, 2) |table _time, userName, instances_terminated, num_standard_deviations_away, total_terminations_avg, total_terminations_stdev | `abnormally_high_aws_instances_terminated_by_user_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs.", "known_false_positives": "Many service accounts configured with your AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify whether this search alerted on a human user.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "abnormally_high_aws_instances_terminated_by_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Abnormally High AWS Instances Terminated by User - MLTK", "author": "Jason Brewer, Splunk", "date": "2020-07-21", "version": 2, "id": "1c02b86a-cd85-473e-a50b-014a9ac8fe3e", "description": "This search looks for AWS CloudTrail events where a user successfully terminates an abnormally high number of instances. This search is deprecated and have been translated to use the latest Change Datamodel.", "references": [], "tags": {"analytic_story": ["Suspicious AWS EC2 Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}]}, "type": "Anomaly", "search": "`cloudtrail` eventName=TerminateInstances errorCode=success `abnormally_high_aws_instances_terminated_by_user___mltk_filter` | bucket span=10m _time | stats count as instances_terminated by _time src_user | apply ec2_excessive_terminateinstances_v1 | rename \"IsOutlier(instances_terminated)\" as isOutlier | where isOutlier=1", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. The threshold value should be tuned to your environment.", "known_false_positives": "Many service accounts configured within an AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify if this search alerted on a human user.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "abnormally_high_aws_instances_terminated_by_user___mltk_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "ASL AWS CreateAccessKey", "author": "Patrick Bareiss, Splunk", "date": "2022-05-23", "version": 1, "id": "ccb3e4af-23d6-407f-9842-a26212816c9e", "description": "This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it's important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don't typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.", "references": ["https://bishopfox.com/blog/privilege-escalation-in-aws", "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/"], "tags": {"analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "src_endpoint.ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "identity.user.name", "type": "User", "role": ["Attacker"]}], "message": "User $responseElements.accessKey.userName$ is attempting to create access keys for $responseElements.accessKey.userName$ from this IP $src_endpoint.ip$", "risk_score": 63, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "type": "Hunting", "search": "`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null | rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value | eval keyjoin=mvzip(unmapped_key,unmapped_value) | mvexpand keyjoin | rex field=keyjoin \"^(?[^,]+),(?.*)$\" | eval {key} = value | search responseElements.accessKey.userName = * | rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName | eval match=if(identity_user_name=responseElements_accessKey_userName,1,0) | search match=0 | rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName | stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`asl_aws_createaccesskey_filter`", "how_to_implement": "You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has legitimately created keys for another user.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "asl_aws_createaccesskey_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "ASL AWS Excessive Security Scanning", "author": "Patrick Bareiss, Splunk", "date": "2023-06-01", "version": 1, "id": "ff2bfdbc-65b7-4434-8f08-d55761d1d446", "description": "This search looks for AWS CloudTrail events and analyse the amount of eventNames which starts with Describe by a single user. This indicates that this user scans the configuration of your AWS cloud environment.", "references": ["https://github.com/aquasecurity/cloudsploit"], "tags": {"analytic_story": ["AWS User Monitoring"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "src_endpoint.ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "identity.user.name", "type": "User", "role": ["Attacker"]}], "message": "user $identity.user.name$ has excessive number of api calls.", "risk_score": 18, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1526", "mitre_attack_technique": "Cloud Service Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "`amazon_security_lake` api.operation=Describe* OR api.operation=List* OR api.operation=Get* | stats dc(api.operation) as dc_api_operations min(_time) as firstTime max(_time) as lastTime values(http_request.user_agent) as http_request.user_agent values(src_endpoint.ip) as src_endpoint.ip values(cloud.region) as cloud.region values(identity.user.account_uid) as identity.user.account_uid by identity.user.name | where dc_api_operations > 50 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|`asl_aws_excessive_security_scanning_filter`", "how_to_implement": "You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format.", "known_false_positives": "While this search has no known false positives.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "asl_aws_excessive_security_scanning_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "ASL AWS Password Policy Changes", "author": "Patrick Bareiss, Splunk", "date": "2023-05-22", "version": 1, "id": "5ade5937-11a2-4363-ba6b-39a3ee8d5b1a", "description": "This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.", "references": ["https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/IAM/password-policy.html"], "tags": {"analytic_story": ["AWS IAM Privilege Escalation", "Compromised User Account"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "src_endpoint.ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "identity.user.name", "type": "User", "role": ["Attacker"]}], "message": "User $identity.user.name$ is attempting to $api.operation$ the password policy for accounts", "risk_score": 72, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1201", "mitre_attack_technique": "Password Policy Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "OilRig", "Turla"]}]}, "type": "Hunting", "search": "`amazon_security_lake` \"api.service.name\"=\"iam.amazonaws.com\" \"api.operation\" IN (\"UpdateAccountPasswordPolicy\",\"GetAccountPasswordPolicy\",\"DeleteAccountPasswordPolicy\") \"api.response.error\"=null | stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_password_policy_changes_filter`", "how_to_implement": "You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has legitimately triggered an AWS audit tool activity which may trigger this event.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "asl_aws_password_policy_changes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Cloud Provisioning From Previously Unseen City", "author": "David Dorsey, Splunk", "date": "2018-03-16", "version": 1, "id": "344a1778-0b25-490c-adb1-de8beddf59cd", "description": "This search looks for AWS provisioning activities from previously unseen cities. Provisioning activities are defined broadly as any event that begins with \"Run\" or \"Create.\" This search is deprecated and have been translated to use the latest Change Datamodel. ", "references": [], "tags": {"analytic_story": ["AWS Suspicious Provisioning Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "`cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search City=* [search `cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search City=* | stats earliest(_time) as firstTime, latest(_time) as lastTime by sourceIPAddress, City, Region, Country | inputlookup append=t previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress, City, Region, Country | outputlookup previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by City | eval newCity=if(firstTime >= relative_time(now(), \"-70m@m\"), 1, 0) | where newCity=1 | table City] | spath output=user userIdentity.arn | rename sourceIPAddress as src_ip | table _time, user, src_ip, City, eventName, errorCode | `aws_cloud_provisioning_from_previously_unseen_city_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the \"Previously Seen AWS Provisioning Activity Sources\" support search once to create a history of previously seen locations that have provisioned AWS resources.", "known_false_positives": "This is a strictly behavioral search, so we define \"false positive\" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no \"false positives\" in a traditional sense, there is definitely lots of noise.\nThis search will fire any time a new city is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your city, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_cloud_provisioning_from_previously_unseen_city_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Cloud Provisioning From Previously Unseen Country", "author": "David Dorsey, Splunk", "date": "2018-03-16", "version": 1, "id": "ceb8d3d8-06cb-49eb-beaf-829526e33ff0", "description": "This search looks for AWS provisioning activities from previously unseen countries. Provisioning activities are defined broadly as any event that begins with \"Run\" or \"Create.\" This search is deprecated and have been translated to use the latest Change Datamodel. ", "references": [], "tags": {"analytic_story": ["AWS Suspicious Provisioning Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "`cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Country=* [search `cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Country=* | stats earliest(_time) as firstTime, latest(_time) as lastTime by sourceIPAddress, City, Region, Country | inputlookup append=t previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress, City, Region, Country | outputlookup previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by Country | eval newCountry=if(firstTime >= relative_time(now(), \"-70m@m\"), 1, 0) | where newCountry=1 | table Country] | spath output=user userIdentity.arn | rename sourceIPAddress as src_ip | table _time, user, src_ip, Country, eventName, errorCode | `aws_cloud_provisioning_from_previously_unseen_country_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the \"Previously Seen AWS Provisioning Activity Sources\" support search once to create a history of previously seen locations that have provisioned AWS resources.", "known_false_positives": "This is a strictly behavioral search, so we define \"false positive\" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching over plus what is stored in the cache feature. But while there are really no \\\"false positives\\\" in a traditional sense, there is definitely lots of noise.\nThis search will fire any time a new country is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_cloud_provisioning_from_previously_unseen_country_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Cloud Provisioning From Previously Unseen IP Address", "author": "David Dorsey, Splunk", "date": "2018-03-16", "version": 1, "id": "42e15012-ac14-4801-94f4-f1acbe64880b", "description": "This search looks for AWS provisioning activities from previously unseen IP addresses. Provisioning activities are defined broadly as any event that begins with \"Run\" or \"Create.\" This search is deprecated and have been translated to use the latest Change Datamodel. ", "references": [], "tags": {"analytic_story": ["AWS Suspicious Provisioning Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` (eventName=Run* OR eventName=Create*) [search `cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Country=* | stats earliest(_time) as firstTime, latest(_time) as lastTime by sourceIPAddress, City, Region, Country | inputlookup append=t previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress, City, Region, Country | outputlookup previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress | eval newIP=if(firstTime >= relative_time(now(), \"-70m@m\"), 1, 0) | where newIP=1 | table sourceIPAddress] | spath output=user userIdentity.arn | rename sourceIPAddress as src_ip | table _time, user, src_ip, eventName, errorCode | `aws_cloud_provisioning_from_previously_unseen_ip_address_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the \"Previously Seen AWS Provisioning Activity Sources\" support search once to create a history of previously seen locations that have provisioned AWS resources.", "known_false_positives": "This is a strictly behavioral search, so we define \"false positive\" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no \"false positives\" in a traditional sense, there is definitely lots of noise.\nThis search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_cloud_provisioning_from_previously_unseen_ip_address_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Cloud Provisioning From Previously Unseen Region", "author": "David Dorsey, Splunk", "date": "2018-03-16", "version": 1, "id": "7971d3df-da82-4648-a6e5-b5637bea5253", "description": "This search looks for AWS provisioning activities from previously unseen regions. Region in this context is similar to a state in the United States. Provisioning activities are defined broadly as any event that begins with \"Run\" or \"Create.\" This search is deprecated and have been translated to use the latest Change Datamodel.", "references": [], "tags": {"analytic_story": ["AWS Suspicious Provisioning Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "`cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Region=* [search `cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Region=* | stats earliest(_time) as firstTime, latest(_time) as lastTime by sourceIPAddress, City, Region, Country | inputlookup append=t previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress, City, Region, Country | outputlookup previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by Region | eval newRegion=if(firstTime >= relative_time(now(), \"-70m@m\"), 1, 0) | where newRegion=1 | table Region] | spath output=user userIdentity.arn | rename sourceIPAddress as src_ip | table _time, user, src_ip, Region, eventName, errorCode | `aws_cloud_provisioning_from_previously_unseen_region_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the \"Previously Seen AWS Provisioning Activity Sources\" support search once to create a history of previously seen locations that have provisioned AWS resources.", "known_false_positives": "This is a strictly behavioral search, so we define \"false positive\" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no \"false positives\" in a traditional sense, there is definitely lots of noise.\nThis search will fire any time a new region is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your region, there should be few false positives. If you are located in regions where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_cloud_provisioning_from_previously_unseen_region_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS EKS Kubernetes cluster sensitive object access", "author": "Rod Soto, Splunk", "date": "2020-06-23", "version": 1, "id": "7f227943-2196-4d4d-8d6a-ac8cb308e61c", "description": "This search provides information on Kubernetes accounts accessing sensitve objects such as configmaps or secrets", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Object Access Activity"], "asset_type": "AWS EKS Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`aws_cloudwatchlogs_eks` objectRef.resource=secrets OR configmaps sourceIPs{}!=::1 sourceIPs{}!=127.0.0.1 |table sourceIPs{} user.username user.groups{} objectRef.resource objectRef.namespace objectRef.name annotations.authorization.k8s.io/reason |dedup user.username user.groups{} |`aws_eks_kubernetes_cluster_sensitive_object_access_filter`", "how_to_implement": "You must install Splunk Add-on for Amazon Web Services and Splunk App for AWS. This search works with cloudwatch logs.", "known_false_positives": "Sensitive object access is not necessarily malicious but user and object context can provide guidance for detection.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_eks_kubernetes_cluster_sensitive_object_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Clients Connecting to Multiple DNS Servers", "author": "David Dorsey, Splunk", "date": "2020-07-21", "version": 3, "id": "74ec6f18-604b-4202-a567-86b2066be3ce", "description": "This search allows you to identify the endpoints that have connected to more than five DNS servers and made DNS Queries over the time frame of the search.", "references": [], "tags": {"analytic_story": ["Command And Control", "DNS Hijacking", "Host Redirection", "Suspicious DNS Traffic"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count, values(DNS.dest) AS dest dc(DNS.dest) as dest_count from datamodel=Network_Resolution where DNS.message_type=QUERY by DNS.src | `drop_dm_object_name(\"Network_Resolution\")` |where dest_count > 5 | `clients_connecting_to_multiple_dns_servers_filter` ", "how_to_implement": "This search requires that DNS data is being ingested and populating the `Network_Resolution` data model. This data can come from DNS logs or from solutions that parse network traffic for this data, such as Splunk Stream or Bro.\nThis search produces fields (`dest_count`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\n* **Label:** Distinct DNS Connections, **Field:** dest_count\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`", "known_false_positives": "It's possible that an enterprise has more than five DNS servers that are configured in a round-robin rotation. Please customize the search, as appropriate.", "datamodel": ["Network_Resolution"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "clients_connecting_to_multiple_dns_servers_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Cloud Network Access Control List Deleted", "author": "Peter Gael, Splunk", "date": "2020-09-08", "version": 1, "id": "021abc51-1862-41dd-ad43-43c739c0a983", "description": "Enforcing network-access controls is one of the defensive mechanisms used by cloud administrators to restrict access to a cloud instance. After the attacker has gained control of the console by compromising an admin account, they can delete a network ACL and gain access to the instance from anywhere. This search will query the Change datamodel to detect users deleting network ACLs. Deprecated because it's a duplicate", "references": [], "tags": {"analytic_story": ["AWS Network ACL Activity"], "asset_type": "Instance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventName=DeleteNetworkAcl|rename userIdentity.arn as arn | stats count min(_time) as firstTime max(_time) as lastTime values(errorMessage) values(errorCode) values(userAgent) values(userIdentity.*) by src userName arn eventName | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `cloud_network_access_control_list_deleted_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs from your cloud provider. You can also provide additional filtering for this search by customizing the `cloud_network_access_control_list_deleted_filter` macro.", "known_false_positives": "It's possible that a user has legitimately deleted a network ACL.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloud_network_access_control_list_deleted_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Correlation by Repository and Risk", "author": "Patrick Bareiss, Splunk", "date": "2021-09-06", "version": 1, "id": "8da9fdd9-6a1b-4ae0-8a34-8c25e6be9687", "description": "This search has been deprecated and updated with Risk Rule for Dev Sec Ops by Repository detection. The following analytic detects by correlating repository and risk score to identify patterns and trends in the data based on the level of risk associated. The analytic adds any null values and calculates the sum of the risk scores for each detection. Then, the analytic captures the source and user information for each detection and sorts the results in ascending order based on the risk score. Finally, the analytic filters the detections with a risk score below 80 and focuses only on high-risk detections.This detection is important because it provides valuable insights into the distribution of high-risk activities across different repositories. It also identifies the most vulnerable repositories that are frequently targeted by potential threats. Additionally, it proactively detects and responds to potential threats, thereby minimizing the impact of attacks and safeguarding critical assets. Finally, it provides a comprehensive view of the risk landscape and helps to make informed decisions to protect the organization's data and infrastructure. False positives might occur so it is important to identify the impact of the attack and prioritize response and mitigation efforts.", "references": [], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Correlation triggered for user $user$", "risk_score": 70, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204.003", "mitre_attack_technique": "Malicious Image", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}]}, "type": "Correlation", "search": "`risk_index` | fillnull | stats sum(risk_score) as risk_score values(source) as signals values(user) as user by repository | sort - risk_score | where risk_score > 80 | `correlation_by_repository_and_risk_filter`", "how_to_implement": "For Dev Sec Ops POC", "known_false_positives": "unknown", "datamodel": [], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "risk_index", "definition": "index=risk", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "correlation_by_repository_and_risk_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Correlation by User and Risk", "author": "Patrick Bareiss, Splunk", "date": "2021-09-06", "version": 1, "id": "610e12dc-b6fa-4541-825e-4a0b3b6f6773", "description": "The following analytic detects the correlation between the user and risk score and identifies users with a high risk score that pose a significant security risk such as unauthorized access attempts, suspicious behavior, or potential insider threats. Next, the analytic calculates the sum of the risk scores and groups the results by user, the corresponding signals, and the repository. The results are sorted in descending order based on the risk score and filtered to include records with a risk score greater than 80. Finally, the results are passed through a correlation filter specific to the user and risk. This detection is important because it identifies users who have a high risk score and helps to prioritize investigations and allocate resources. False positives might occur but the impact of such an attack can vary depending on the specific scenario such as data exfiltration, system compromise, or the disruption of critical services. Please investigate this notable event.", "references": [], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Correlation triggered for user $user$", "risk_score": 70, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204.003", "mitre_attack_technique": "Malicious Image", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}]}, "type": "Correlation", "search": "`risk_index` | fillnull | stats sum(risk_score) as risk_score values(source) as signals values(repository) as repository by user | sort - risk_score | where risk_score > 80 | `correlation_by_user_and_risk_filter`", "how_to_implement": "For Dev Sec Ops POC", "known_false_positives": "unknown", "datamodel": [], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "risk_index", "definition": "index=risk", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "correlation_by_user_and_risk_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Activity Related to Pass the Hash Attacks", "author": "Bhavin Patel, Patrick Bareiss, Splunk", "date": "2020-10-15", "version": 6, "id": "f5939373-8054-40ad-8c64-cec478a22a4b", "description": "This search looks for specific authentication events from the Windows Security Event logs to detect potential attempts at using the Pass-the-Hash technique. This search is DEPRECATED as it is possible for event code 4624 to generate a high level of noise, as legitimate logon events may also trigger this event code. This can be especially true in environments with high levels of user activity, such as those with many concurrent logons or frequent logon attempts.", "references": [], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "EventCode", "type": "Other", "role": ["Other"]}], "message": "The following $EventCode$ occurred on $dest$ by $user$ with Logon Type 3, which may be indicative of the pass the hash technique.", "risk_score": 49, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1550.002", "mitre_attack_technique": "Pass the Hash", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["APT1", "APT28", "APT32", "APT41", "Chimera", "FIN13", "GALLIUM", "Kimsuky", "Wizard Spider"]}]}, "type": "Hunting", "search": "`wineventlog_security` EventCode=4624 (Logon_Type=3 Logon_Process=NtLmSsp NOT AccountName=\"ANONYMOUS LOGON\") OR (Logon_Type=9 Logon_Process=seclogo) | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by EventCode, Logon_Type, WorkstationName, user, dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_activity_related_to_pass_the_hash_attacks_filter`", "how_to_implement": "To successfully implement this search, you must ingest your Windows Security Event logs and leverage the latest TA for Windows.", "known_false_positives": "Legitimate logon activity by authorized NTLM systems may be detected by this search. Please investigate as appropriate.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_activity_related_to_pass_the_hash_attacks_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect API activity from users without MFA", "author": "Bhavin Patel, Splunk", "date": "2018-05-17", "version": 1, "id": "4d46e8bd-4072-48e4-92db-0325889ef894", "description": "This search looks for AWS CloudTrail events where a user logged into the AWS account, is making API calls and has not enabled Multi Factor authentication. Multi factor authentication adds a layer of security by forcing the users to type a unique authentication code from an approved authentication device when they access AWS websites or services. AWS Best Practices recommend that you enable MFA for privileged IAM users.", "references": [], "tags": {"analytic_story": ["AWS User Monitoring"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`cloudtrail` userIdentity.sessionContext.attributes.mfaAuthenticated=false | search NOT [| inputlookup aws_service_accounts | fields identity | rename identity as user]| stats count min(_time) as firstTime max(_time) as lastTime values(eventName) as eventName by userIdentity.arn userIdentity.type user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_api_activity_from_users_without_mfa_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. Leverage the support search `Create a list of approved AWS service accounts`: run it once every 30 days to create a list of service accounts and validate them.\nThis search produces fields (`eventName`,`userIdentity.type`,`userIdentity.arn`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\n* **Label:** AWS Event Name, **Field:** eventName\n* **Label:** AWS User ARN, **Field:** userIdentity.arn\n* **Label:** AWS User Type, **Field:** userIdentity.type\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`", "known_false_positives": "Many service accounts configured within an AWS infrastructure do not have multi factor authentication enabled. Please ignore the service accounts, if triggered and instead add them to the aws_service_accounts.csv file to fine tune the detection. It is also possible that the search detects users in your environment using Single Sign-On systems, since the MFA is not handled by AWS.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "detect_api_activity_from_users_without_mfa_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect AWS API Activities From Unapproved Accounts", "author": "Bhavin Patel, Splunk", "date": "2020-07-21", "version": 2, "id": "ada0f478-84a8-4641-a3f1-d82362d4bd55", "description": "This search looks for successful AWS CloudTrail activity by user accounts that are not listed in the identity table or `aws_service_accounts.csv`. It returns event names and count, as well as the first and last time a specific user or service is detected, grouped by users. Deprecated because managing this list can be quite hard.", "references": [], "tags": {"analytic_story": ["AWS User Monitoring"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}]}, "type": "Hunting", "search": "`cloudtrail` errorCode=success | rename userName as identity | search NOT [| inputlookup identity_lookup_expanded | fields identity] | search NOT [| inputlookup aws_service_accounts | fields identity] | rename identity as user | stats count min(_time) as firstTime max(_time) as lastTime values(eventName) as eventName by user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_aws_api_activities_from_unapproved_accounts_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. You must also populate the `identity_lookup_expanded` lookup shipped with the Asset and Identity framework to be able to look up users in your identity table in Enterprise Security (ES). Leverage the support search called \"Create a list of approved AWS service accounts\": run it once every 30 days to create and validate a list of service accounts.\nThis search produces fields (`eventName`,`firstTime`,`lastTime`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\n* **Label:** AWS Event Name, **Field:** eventName\n* **Label:** First Time, **Field:** firstTime\n* **Label:** Last Time, **Field:** lastTime\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`", "known_false_positives": "It's likely that you'll find activity detected by users/service accounts that are not listed in the `identity_lookup_expanded` or ` aws_service_accounts.csv` file. If the user is a legitimate service account, update the `aws_service_accounts.csv` table with that entry.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "detect_aws_api_activities_from_unapproved_accounts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect DNS requests to Phishing Sites leveraging EvilGinx2", "author": "Bhavin Patel, Splunk", "date": "2020-07-21", "version": 2, "id": "24dd17b1-e2fb-4c31-878c-d4f226595bfa", "description": "This search looks for DNS requests for phishing domains that are leveraging EvilGinx tools to mimic websites.", "references": [], "tags": {"analytic_story": ["Common Phishing Frameworks"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.003", "mitre_attack_technique": "Spearphishing via Service", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT29", "Ajax Security Team", "CURIUM", "Dark Caracal", "EXOTIC LILY", "FIN6", "Lazarus Group", "Magic Hound", "OilRig", "ToddyCat", "Windshift"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(DNS.answer) as answer from datamodel=Network_Resolution.DNS by DNS.dest DNS.src DNS.query host | `drop_dm_object_name(DNS)`| rex field=query \".*?(?[^./:]+\\.(\\S{2,3}|\\S{2,3}.\\S{2,3}))$\" | stats count values(query) as query by domain dest src answer| search `evilginx_phishlets_amazon` OR `evilginx_phishlets_facebook` OR `evilginx_phishlets_github` OR `evilginx_phishlets_0365` OR `evilginx_phishlets_outlook` OR `evilginx_phishlets_aws` OR `evilginx_phishlets_google` | search NOT [ inputlookup legit_domains.csv | fields domain]| join domain type=outer [| tstats count `security_content_summariesonly` values(Web.url) as url from datamodel=Web.Web by Web.dest Web.site | rename \"Web.*\" as * | rex field=site \".*?(?[^./:]+\\.(\\S{2,3}|\\S{2,3}.\\S{2,3}))$\" | table dest domain url] | table count src dest query answer domain url | `detect_dns_requests_to_phishing_sites_leveraging_evilginx2_filter`", "how_to_implement": "You need to ingest data from your DNS logs in the Network_Resolution datamodel. Specifically you must ingest the domain that is being queried and the IP of the host originating the request. Ideally, you should also be ingesting the answer to the query and the query type. This approach allows you to also create your own localized passive DNS capability which can aid you in future investigations. You will have to add legitimate domain names to the `legit_domains.csv` file shipped with the app.\n**Splunk>Phantom Playbook Integration**\nIf Splunk>Phantom is also configured in your environment, a Playbook called `Lets Encrypt Domain Investigate` can be configured to run when any results are found by this detection search. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`, add the correct hostname to the \"Phantom Instance\" field in the Adaptive Response Actions when configuring this detection search, and set the corresponding Playbook to active.\n(Playbook link:`https://my.phantom.us/4.2/playbook/lets-encrypt-domain-investigate/`)", "known_false_positives": "If a known good domain is not listed in the legit_domains.csv file, then the search could give you false postives. Please update that lookup file to filter out DNS requests to legitimate domains.", "datamodel": ["Network_Resolution", "Web"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "evilginx_phishlets_0365", "definition": "(query=login* AND query=www*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as Office 365"}, {"name": "evilginx_phishlets_amazon", "definition": "(query=fls-na* AND query = www* AND query=images*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as Amazon"}, {"name": "evilginx_phishlets_aws", "definition": "(query=www* AND query=aws* AND query=console.aws* AND query=signin.aws* AND api-northeast-1.console.aws* AND query=fls-na* AND query=images-na*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as an AWS console"}, {"name": "evilginx_phishlets_facebook", "definition": "(query=www* AND query = m* AND query=static*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as FaceBook"}, {"name": "evilginx_phishlets_github", "definition": "(query=api* AND query = github*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as GitHub"}, {"name": "evilginx_phishlets_google", "definition": "(query=accounts* AND query=ssl* AND query=www*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as Google"}, {"name": "evilginx_phishlets_outlook", "definition": "(query=outlook* AND query=login* AND query=account*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as Outlook"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_dns_requests_to_phishing_sites_leveraging_evilginx2_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Long DNS TXT Record Response", "author": "Rico Valdez, Splunk", "date": "2020-07-21", "version": 2, "id": "05437c07-62f5-452e-afdc-04dd44815bb9", "description": "This search is used to detect attempts to use DNS tunneling, by calculating the length of responses to DNS TXT queries. Endpoints using DNS as a method of transmission for data exfiltration, Command And Control, or evasion of security controls can often be detected by noting unusually large volumes of DNS traffic. Deprecated because this detection should focus on DNS queries instead of DNS responses.", "references": [], "tags": {"analytic_story": ["Command And Control", "Suspicious DNS Traffic"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Resolution where DNS.message_type=response AND DNS.record_type=TXT by DNS.src DNS.dest DNS.answer DNS.record_type | `drop_dm_object_name(\"DNS\")` | eval anslen=len(answer) | search anslen>100 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename src as \"Source IP\", dest as \"Destination IP\", answer as \"DNS Answer\" anslen as \"Answer Length\" record_type as \"DNS Record Type\" firstTime as \"First Time\" lastTime as \"Last Time\" count as Count | table \"Source IP\" \"Destination IP\" \"DNS Answer\" \"DNS Record Type\" \"Answer Length\" Count \"First Time\" \"Last Time\" | `detect_long_dns_txt_record_response_filter`", "how_to_implement": "To successfully implement this search you need to ingest data from your DNS logs, or monitor DNS traffic using Stream, Bro or something similar. Specifically, this query requires that the DNS data model is populated with information regarding the DNS record type that is being returned as well as the data in the answer section of the protocol.", "known_false_positives": "It's possible that legitimate TXT record responses can be long enough to trigger this search. You can modify the packet threshold for this search to help mitigate false positives.", "datamodel": ["Network_Resolution"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_long_dns_txt_record_response_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Mimikatz Using Loaded Images", "author": "Patrick Bareiss, Splunk", "date": "2019-12-03", "version": 1, "id": "29e307ba-40af-4ab2-91b2-3c6b392bbba0", "description": "This search looks for reading loaded Images unique to credential dumping with Mimikatz. Deprecated because mimikatz libraries changed and very noisy sysmon Event Code.", "references": ["https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html"], "tags": {"analytic_story": ["CISA AA22-257A", "CISA AA22-264A", "CISA AA22-320A", "Cloud Federated Credential Abuse", "Credential Dumping", "DarkSide Ransomware", "Detect Zerologon Attack", "Sandworm Tools"], "asset_type": "Windows", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A process, $Image$, has loaded $ImageLoaded$ that are typically related to credential dumping on $dest$. Review for further details.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "type": "TTP", "search": "`sysmon` EventCode=7 | stats values(ImageLoaded) as ImageLoaded values(ProcessId) as ProcessId by dest, Image | search ImageLoaded=*WinSCard.dll ImageLoaded=*cryptdll.dll ImageLoaded=*hid.dll ImageLoaded=*samlib.dll ImageLoaded=*vaultcli.dll | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_mimikatz_using_loaded_images_filter`", "how_to_implement": "This search needs Sysmon Logs and a sysmon configuration, which includes EventCode 7 with powershell.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.", "known_false_positives": "Other tools can import the same DLLs. These tools should be part of a whitelist. False positives may be present with any process that authenticates or uses credentials, PowerShell included. Filter based on parent process.", "datamodel": [], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_mimikatz_using_loaded_images_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Mimikatz Via PowerShell And EventCode 4703", "author": "Rico Valdez, Splunk", "date": "2019-02-27", "version": 2, "id": "98917be2-bfc8-475a-8618-a9bb06575188", "description": "This search looks for PowerShell requesting privileges consistent with credential dumping. Deprecated, looks like things changed from a logging perspective.", "references": [], "tags": {"analytic_story": ["Cloud Federated Credential Abuse"], "asset_type": "Windows", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}]}, "type": "TTP", "search": "`wineventlog_security` signature_id=4703 Process_Name=*powershell.exe | rex field=Message \"Enabled Privileges:\\s+(?\\w+)\\s+Disabled Privileges:\" | where privs=\"SeDebugPrivilege\" | stats count min(_time) as firstTime max(_time) as lastTime by dest, Process_Name, privs, Process_ID, Message | rename privs as \"Enabled Privilege\" | rename Process_Name as process | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_mimikatz_via_powershell_and_eventcode_4703_filter`", "how_to_implement": "You must be ingesting Windows Security logs. You must also enable the account change auditing here: http://docs.splunk.com/Documentation/Splunk/7.0.2/Data/MonitorWindowseventlogdata. Additionally, this search requires you to enable your Group Management Audit Logs in your Local Windows Security Policy and to be ingesting those logs. More information on how to enable them can be found here: http://whatevernetworks.com/auditing-group-membership-changes-in-active-directory/. Finally, please make sure that the local administrator group name is \"Administrators\" to be able to look for the right group membership changes.", "known_false_positives": "The activity may be legitimate. PowerShell is often used by administrators to perform various tasks, and it's possible this event could be generated in those cases. In these cases, false positives should be fairly obvious and you may need to tweak the search to eliminate noise.", "datamodel": [], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_mimikatz_via_powershell_and_eventcode_4703_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect new API calls from user roles", "author": "Bhavin Patel, Splunk", "date": "2018-04-16", "version": 1, "id": "22773e84-bac0-4595-b086-20d3f335b4f1", "description": "This search detects new API calls that have either never been seen before or that have not been seen in the previous hour, where the identity type is `AssumedRole`.", "references": [], "tags": {"analytic_story": ["AWS User Monitoring"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}]}, "type": "Anomaly", "search": "`cloudtrail` eventType=AwsApiCall errorCode=success userIdentity.type=AssumedRole [search `cloudtrail` eventType=AwsApiCall errorCode=success userIdentity.type=AssumedRole | stats earliest(_time) as earliest latest(_time) as latest by userName eventName | inputlookup append=t previously_seen_api_calls_from_user_roles | stats min(earliest) as earliest, max(latest) as latest by userName eventName | outputlookup previously_seen_api_calls_from_user_roles| eval newApiCallfromUserRole=if(earliest>=relative_time(now(), \"-70m@m\"), 1, 0) | where newApiCallfromUserRole=1 | `security_content_ctime(earliest)` | `security_content_ctime(latest)` | table eventName userName] |rename userName as user| stats values(eventName) earliest(_time) as earliest latest(_time) as latest by user | `security_content_ctime(earliest)` | `security_content_ctime(latest)` | `detect_new_api_calls_from_user_roles_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the \"Previously seen API call per user roles in AWS CloudTrail\" support search once to create a history of previously seen user roles.", "known_false_positives": "It is possible that there are legitimate user roles making new or infrequently used API calls in your infrastructure, causing the search to trigger.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "detect_new_api_calls_from_user_roles_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect new user AWS Console Login", "author": "Bhavin Patel, Splunk", "date": "2020-07-21", "version": 2, "id": "ada0f478-84a8-4641-a3f3-d82362dffd75", "description": "This search looks for AWS CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert is fired if the user has logged into the console for the first time within the last hour. Deprecated now this search is updated to use the Authentication datamodel.", "references": [], "tags": {"analytic_story": ["Suspicious AWS Login Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}]}, "type": "Hunting", "search": "`cloudtrail` eventName=ConsoleLogin | rename userIdentity.arn as user | stats earliest(_time) as firstTime latest(_time) as lastTime by user | inputlookup append=t previously_seen_users_console_logins_cloudtrail | stats min(firstTime) as firstTime max(lastTime) as lastTime by user | eval userStatus=if(firstTime >= relative_time(now(), \"-70m@m\"), \"First Time Logging into AWS Console\",\"Previously Seen User\") | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`| where userStatus =\"First Time Logging into AWS Console\" | `detect_new_user_aws_console_login_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. Run the \"Previously seen users in AWS CloudTrail\" support search only once to create a baseline of previously seen IAM users within the last 30 days. Run \"Update previously seen users in AWS CloudTrail\" hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines.", "known_false_positives": "When a legitimate new user logins for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "detect_new_user_aws_console_login_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Spike in AWS API Activity", "author": "David Dorsey, Splunk", "date": "2020-07-21", "version": 2, "id": "ada0f478-84a8-4641-a3f1-d32362d4bd55", "description": "This search will detect users creating spikes of API activity in your AWS environment. It will also update the cache file that factors in the latest data. This search is deprecated and have been translated to use the latest Change Datamodel.", "references": [], "tags": {"analytic_story": ["AWS User Monitoring"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}]}, "type": "Anomaly", "search": "`cloudtrail` eventType=AwsApiCall [search `cloudtrail` eventType=AwsApiCall | spath output=arn path=userIdentity.arn | stats count as apiCalls by arn | inputlookup api_call_by_user_baseline append=t | fields - latestCount | stats values(*) as * by arn | rename apiCalls as latestCount | eval newAvgApiCalls=avgApiCalls + (latestCount-avgApiCalls)/720 | eval newStdevApiCalls=sqrt(((pow(stdevApiCalls, 2)*719 + (latestCount-newAvgApiCalls)*(latestCount-avgApiCalls))/720)) | eval avgApiCalls=coalesce(newAvgApiCalls, avgApiCalls), stdevApiCalls=coalesce(newStdevApiCalls, stdevApiCalls), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup api_call_by_user_baseline | eval dataPointThreshold = 15, deviationThreshold = 3 | eval isSpike=if((latestCount > avgApiCalls+deviationThreshold*stdevApiCalls) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=user userIdentity.arn | stats values(eventName) as eventName, count as numberOfApiCalls, dc(eventName) as uniqueApisCalled by user | `detect_spike_in_aws_api_activity_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points required to have a statistically significant amount of data to determine. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike.\nThis search produces fields (`eventName`,`numberOfApiCalls`,`uniqueApisCalled`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\n* **Label:** AWS Event Name, **Field:** eventName\n* **Label:** Number of API Calls, **Field:** numberOfApiCalls\n* **Label:** Unique API Calls, **Field:** uniqueApisCalled\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`", "known_false_positives": "None.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_spike_in_aws_api_activity_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Spike in Network ACL Activity", "author": "Bhavin Patel, Splunk", "date": "2018-05-21", "version": 1, "id": "ada0f478-84a8-4641-a1f1-e32372d4bd53", "description": "This search will detect users creating spikes in API activity related to network access-control lists (ACLs)in your AWS environment. This search is deprecated and have been translated to use the latest Change Datamodel.", "references": [], "tags": {"analytic_story": ["AWS Network ACL Activity"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.007", "mitre_attack_technique": "Disable or Modify Cloud Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "`cloudtrail` `network_acl_events` [search `cloudtrail` `network_acl_events` | spath output=arn path=userIdentity.arn | stats count as apiCalls by arn | inputlookup network_acl_activity_baseline append=t | fields - latestCount | stats values(*) as * by arn | rename apiCalls as latestCount | eval newAvgApiCalls=avgApiCalls + (latestCount-avgApiCalls)/720 | eval newStdevApiCalls=sqrt(((pow(stdevApiCalls, 2)*719 + (latestCount-newAvgApiCalls)*(latestCount-avgApiCalls))/720)) | eval avgApiCalls=coalesce(newAvgApiCalls, avgApiCalls), stdevApiCalls=coalesce(newStdevApiCalls, stdevApiCalls), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup network_acl_activity_baseline | eval dataPointThreshold = 15, deviationThreshold = 3 | eval isSpike=if((latestCount > avgApiCalls+deviationThreshold*stdevApiCalls) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=user userIdentity.arn | stats values(eventName) as eventNames, count as numberOfApiCalls, dc(eventName) as uniqueApisCalled by user | `detect_spike_in_network_acl_activity_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points required to have a statistically significant amount of data to determine. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike. This search works best when you run the \"Baseline of Network ACL Activity by ARN\" support search once to create a lookup file of previously seen Network ACL Activity. To add or remove API event names related to network ACLs, edit the macro `network_acl_events`.", "known_false_positives": "The false-positive rate may vary based on the values of`dataPointThreshold` and `deviationThreshold`. Please modify this according the your environment.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "network_acl_events", "definition": "(eventName = CreateNetworkAcl OR eventName = CreateNetworkAclEntry OR eventName = DeleteNetworkAcl OR eventName = DeleteNetworkAclEntry OR eventName = ReplaceNetworkAclEntry OR eventName = ReplaceNetworkAclAssociation)", "description": "This is a list of AWS event names that are associated with Network ACLs"}, {"name": "detect_spike_in_network_acl_activity_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Spike in Security Group Activity", "author": "Bhavin Patel, Splunk", "date": "2018-04-18", "version": 1, "id": "ada0f478-84a8-4641-a3f1-e32372d4bd53", "description": "This search will detect users creating spikes in API activity related to security groups in your AWS environment. It will also update the cache file that factors in the latest data. This search is deprecated and have been translated to use the latest Change Datamodel.", "references": [], "tags": {"analytic_story": ["AWS User Monitoring"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}]}, "type": "Anomaly", "search": "`cloudtrail` `security_group_api_calls` [search `cloudtrail` `security_group_api_calls` | spath output=arn path=userIdentity.arn | stats count as apiCalls by arn | inputlookup security_group_activity_baseline append=t | fields - latestCount | stats values(*) as * by arn | rename apiCalls as latestCount | eval newAvgApiCalls=avgApiCalls + (latestCount-avgApiCalls)/720 | eval newStdevApiCalls=sqrt(((pow(stdevApiCalls, 2)*719 + (latestCount-newAvgApiCalls)*(latestCount-avgApiCalls))/720)) | eval avgApiCalls=coalesce(newAvgApiCalls, avgApiCalls), stdevApiCalls=coalesce(newStdevApiCalls, stdevApiCalls), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup security_group_activity_baseline | eval dataPointThreshold = 15, deviationThreshold = 3 | eval isSpike=if((latestCount > avgApiCalls+deviationThreshold*stdevApiCalls) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=user userIdentity.arn | stats values(eventName) as eventNames, count as numberOfApiCalls, dc(eventName) as uniqueApisCalled by user | `detect_spike_in_security_group_activity_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points required to have a statistically significant amount of data to determine. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike.This search works best when you run the \"Baseline of Security Group Activity by ARN\" support search once to create a history of previously seen Security Group Activity. To add or remove API event names for security groups, edit the macro `security_group_api_calls`.", "known_false_positives": "Based on the values of`dataPointThreshold` and `deviationThreshold`, the false positive rate may vary. Please modify this according the your environment.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_group_api_calls", "definition": "(eventName=AuthorizeSecurityGroupIngress OR eventName=CreateSecurityGroup OR eventName=DeleteSecurityGroup OR eventName=DescribeClusterSecurityGroups OR eventName=DescribeDBSecurityGroups OR eventName=DescribeSecurityGroupReferences OR eventName=DescribeSecurityGroups OR eventName=DescribeStaleSecurityGroups OR eventName=RevokeSecurityGroupIngress OR eventName=UpdateSecurityGroupRuleDescriptionsIngress)", "description": "This macro is a list of AWS event names associated with security groups"}, {"name": "detect_spike_in_security_group_activity_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect USB device insertion", "author": "Bhavin Patel, Splunk", "date": "2017-11-27", "version": 1, "id": "104658f4-afdc-499f-9719-17a43f9826f5", "description": "The search is used to detect hosts that generate Windows Event ID 4663 for successful attempts to write to or read from a removable storage and Event ID 4656 for failures, which occurs when a USB drive is plugged in. In this scenario we are querying the Change_Analysis data model to look for Windows Event ID 4656 or 4663 where the priority of the affected host is marked as high in the ES Assets and Identity Framework.", "references": [], "tags": {"analytic_story": ["Data Protection"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count earliest(_time) AS earliest latest(_time) AS latest from datamodel=Change_Analysis where (nodename = All_Changes) All_Changes.result=\"Removable Storage device\" (All_Changes.result_id=4663 OR All_Changes.result_id=4656) (All_Changes.src_priority=high) by All_Changes.dest | `drop_dm_object_name(\"All_Changes\")`| `security_content_ctime(earliest)`| `security_content_ctime(latest)` | `detect_usb_device_insertion_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663 and 4656. Ensure that the field from the event logs is being mapped to the result_id field in the Change_Analysis data model. To minimize the alert volume, this search leverages the Assets and Identity framework to filter out events from those assets not marked high priority in the Enterprise Security Assets and Identity Framework.", "known_false_positives": "Legitimate USB activity will also be detected. Please verify and investigate as appropriate.", "datamodel": ["Change", "Change_Analysis"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_usb_device_insertion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect web traffic to dynamic domain providers", "author": "Bhavin Patel, Splunk", "date": "2020-07-21", "version": 2, "id": "134da869-e264-4a8f-8d7e-fcd01c18f301", "description": "This search looks for web connections to dynamic DNS providers.", "references": [], "tags": {"analytic_story": ["Dynamic DNS"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control"], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1071.001", "mitre_attack_technique": "Web Protocols", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Confucius", "Dark Caracal", "FIN13", "FIN4", "FIN8", "Gamaredon Group", "HAFNIUM", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LuminousMoth", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "OilRig", "Orangeworm", "Rancor", "Rocke", "Sandworm Team", "Sidewinder", "SilverTerrier", "Stealth Falcon", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "WIRTE", "Windshift", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Web.url) as url min(_time) as firstTime from datamodel=Web where Web.status=200 by Web.src Web.dest Web.status | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `dynamic_dns_web_traffic` | `detect_web_traffic_to_dynamic_domain_providers_filter`", "how_to_implement": "This search requires you to be ingesting web-traffic logs. You can obtain these logs from indexing data from a web proxy or by using a network-traffic-analysis tool, such as Bro or Splunk Stream. The web data model must contain the URL being requested, the IP address of the host initiating the request, and the destination IP. This search also leverages a lookup file, `dynamic_dns_providers_default.csv`, which contains a non-exhaustive list of dynamic DNS providers. Consider periodically updating this local lookup file with new domains.\nThis search produces fields (`isDynDNS`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\n* **Label:** IsDynamicDNS, **Field:** isDynDNS\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details` Deprecated because duplicate.", "known_false_positives": "It is possible that list of dynamic DNS providers is outdated and/or that the URL being requested is legitimate.", "datamodel": ["Web"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "dynamic_dns_web_traffic", "definition": "lookup update=true dynamic_dns_providers_default dynamic_dns_domains as url OUTPUTNEW isDynDNS_default | lookup update=true dynamic_dns_providers_local dynamic_dns_domains as url OUTPUTNEW isDynDNS_local| eval isDynDNS = coalesce(isDynDNS_default, isDynDNS_local)|fields - isDynDNS_default, isDynDNS_local| search isDynDNS=True", "description": "This is a description"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_web_traffic_to_dynamic_domain_providers_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detection of DNS Tunnels", "author": "Bhavin Patel, Splunk", "date": "2022-02-15", "version": 2, "id": "104658f4-afdc-499f-9719-17a43f9826f4", "description": "This search is used to detect DNS tunneling, by calculating the sum of the length of DNS queries and DNS answers. The search also filters out potential false positives by filtering out queries made to internal systems and the queries originating from internal DNS, Web, and Email servers. Endpoints using DNS as a method of transmission for data exfiltration, Command And Control, or evasion of security controls can often be detected by noting an unusually large volume of DNS traffic.\nNOTE:Deprecated because existing detection is doing the same. This detection is replaced with two other variations, if you are using MLTK then you can use this search `ESCU - DNS Query Length Outliers - MLTK - Rule` or use the standard deviation version `ESCU - DNS Query Length With High Standard Deviation - Rule`, as an alternantive.", "references": [], "tags": {"analytic_story": ["Command And Control", "Data Protection", "Suspicious DNS Traffic"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` dc(\"DNS.query\") as count from datamodel=Network_Resolution where nodename=DNS \"DNS.message_type\"=\"QUERY\" NOT (`cim_corporate_web_domain_search(\"DNS.query\")`) NOT \"DNS.query\"=\"*.in-addr.arpa\" NOT (\"DNS.src_category\"=\"svc_infra_dns\" OR \"DNS.src_category\"=\"svc_infra_webproxy\" OR \"DNS.src_category\"=\"svc_infra_email*\" ) by \"DNS.src\",\"DNS.query\" | rename \"DNS.src\" as src \"DNS.query\" as message | eval length=len(message) | stats sum(length) as length by src | append [ tstats `security_content_summariesonly` dc(\"DNS.answer\") as count from datamodel=Network_Resolution where nodename=DNS \"DNS.message_type\"=\"QUERY\" NOT (`cim_corporate_web_domain_search(\"DNS.query\")`) NOT \"DNS.query\"=\"*.in-addr.arpa\" NOT (\"DNS.src_category\"=\"svc_infra_dns\" OR \"DNS.src_category\"=\"svc_infra_webproxy\" OR \"DNS.src_category\"=\"svc_infra_email*\" ) by \"DNS.src\",\"DNS.answer\" | rename \"DNS.src\" as src \"DNS.answer\" as message | eval message=if(message==\"unknown\",\"\", message) | eval length=len(message) | stats sum(length) as length by src ] | stats sum(length) as length by src | where length > 10000 | `detection_of_dns_tunnels_filter`", "how_to_implement": "To successfully implement this search, we must ensure that DNS data is being ingested and mapped to the appropriate fields in the Network_Resolution data model. Fields like src_category are automatically provided by the Assets and Identity Framework shipped with Splunk Enterprise Security. You will need to ensure you are using the Assets and Identity Framework and populating the src_category field. You will also need to enable the `cim_corporate_web_domain_search()` macro which will essentially filter out the DNS queries made to the corporate web domains to reduce alert fatigue.", "known_false_positives": "It's possible that normal DNS traffic will exhibit this behavior. If an alert is generated, please investigate and validate as appropriate. The threshold can also be modified to better suit your environment.", "datamodel": ["Network_Resolution"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detection_of_dns_tunnels_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "DNS Query Requests Resolved by Unauthorized DNS Servers", "author": "Bhavin Patel, Splunk", "date": "2020-07-21", "version": 3, "id": "1a67f15a-f4ff-4170-84e9-08cf6f75d6f6", "description": "This search will detect DNS requests resolved by unauthorized DNS servers. Legitimate DNS servers should be identified in the Enterprise Security Assets and Identity Framework.", "references": [], "tags": {"analytic_story": ["Command And Control", "DNS Hijacking", "Host Redirection", "Suspicious DNS Traffic"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control"], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1071.004", "mitre_attack_technique": "DNS", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT39", "APT41", "Chimera", "Cobalt Group", "FIN7", "Ke3chang", "LazyScripter", "OilRig", "Tropic Trooper"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count from datamodel=Network_Resolution where DNS.dest_category != dns_server AND DNS.src_category != dns_server by DNS.src DNS.dest | `drop_dm_object_name(\"DNS\")` | `dns_query_requests_resolved_by_unauthorized_dns_servers_filter` ", "how_to_implement": "To successfully implement this search you will need to ensure that DNS data is populating the Network_Resolution data model. It also requires that your DNS servers are identified correctly in the Assets and Identity table of Enterprise Security.", "known_false_positives": "Legitimate DNS activity can be detected in this search. Investigate, verify and update the list of authorized DNS servers as appropriate.", "datamodel": ["Network_Resolution"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "dns_query_requests_resolved_by_unauthorized_dns_servers_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "DNS record changed", "author": "Jose Hernandez, Splunk", "date": "2020-07-21", "version": 3, "id": "44d3a43e-dcd5-49f7-8356-5209bb369065", "description": "The search takes the DNS records and their answers results of the discovered_dns_records lookup and finds if any records have changed by searching DNS response from the Network_Resolution datamodel across the last day.", "references": [], "tags": {"analytic_story": ["DNS Hijacking"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control"], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1071.004", "mitre_attack_technique": "DNS", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT39", "APT41", "Chimera", "Cobalt Group", "FIN7", "Ke3chang", "LazyScripter", "OilRig", "Tropic Trooper"]}]}, "type": "TTP", "search": "| inputlookup discovered_dns_records | rename answer as discovered_answer | join domain[|tstats `security_content_summariesonly` count values(DNS.record_type) as type, values(DNS.answer) as current_answer values(DNS.src) as src from datamodel=Network_Resolution where DNS.message_type=RESPONSE DNS.answer!=\"unknown\" DNS.answer!=\"\" by DNS.query | rename DNS.query as query | where query!=\"unknown\" | rex field=query \"(?\\w+\\.\\w+?)(?:$|/)\"] | makemv delim=\" \" answer | makemv delim=\" \" type | sort -count | table count,src,domain,type,query,current_answer,discovered_answer | makemv current_answer | mvexpand current_answer | makemv discovered_answer | eval n=mvfind(discovered_answer, current_answer) | where isnull(n) | `dns_record_changed_filter`", "how_to_implement": "To successfully implement this search you will need to ensure that DNS data is populating the `Network_Resolution` data model. It also requires that the `discover_dns_record` lookup table be populated by the included support search \"Discover DNS record\".\n**Splunk>Phantom Playbook Integration**\nIf Splunk>Phantom is also configured in your environment, a Playbook called \"DNS Hijack Enrichment\" can be configured to run when any results are found by this detection search. The playbook takes in the DNS record changed and uses Geoip, whois, Censys and PassiveTotal to detect if DNS issuers changed. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`, add the correct hostname to the \\\"Phantom Instance\\\" field in the Adaptive Response Actions when configuring this detection search, and set the corresponding Playbook to active.\n(Playbook Link:`https://my.phantom.us/4.2/playbook/dns-hijack-enrichment/`)", "known_false_positives": "Legitimate DNS changes can be detected in this search. Investigate, verify and update the list of provided current answers for the domains in question as appropriate.", "datamodel": ["Network_Resolution"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "dns_record_changed_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Dump LSASS via procdump Rename", "author": "Michael Haag, Splunk", "date": "2021-02-01", "version": 1, "id": "21276daa-663d-11eb-ae93-0242ac130002", "description": "Detect a renamed instance of procdump.exe dumping the lsass process. This query looks for both -mm and -ma usage. -mm will produce a mini dump file and -ma will write a dump file with all process memory. Both are highly suspect and should be reviewed. Modify the query as needed.\nDuring triage, confirm this is procdump.exe executing. If it is the first time a Sysinternals utility has been ran, it is possible there will be a -accepteula on the command line. Review other endpoint data sources for cross process (injection) into lsass.exe.", "references": ["https://attack.mitre.org/techniques/T1003/001/", "https://docs.microsoft.com/en-us/sysinternals/downloads/procdump", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md#atomic-test-2---dump-lsassexe-memory-using-procdump"], "tags": {"analytic_story": ["CISA AA22-257A", "Credential Dumping", "HAFNIUM Group"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "The following $process_name$ has been identified as renamed, spawning from $parent_process_name$ on $dest$, attempting to dump lsass.exe.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}]}, "type": "Hunting", "search": "`sysmon` OriginalFileName=procdump process_name!=procdump*.exe EventID=1 (CommandLine=*-ma* OR CommandLine=*-mm*) CommandLine=*lsass* | stats count min(_time) as firstTime max(_time) as lastTime by dest, parent_process_name, process_name, OriginalFileName, CommandLine | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dump_lsass_via_procdump_rename_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "None identified.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "dump_lsass_via_procdump_rename_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "EC2 Instance Modified With Previously Unseen User", "author": "David Dorsey, Splunk", "date": "2020-07-21", "version": 3, "id": "56f91724-cf3f-4666-84e1-e3712fb41e76", "description": "This search looks for EC2 instances being modified by users who have not previously modified them. This search is deprecated and have been translated to use the latest Change Datamodel.", "references": [], "tags": {"analytic_story": ["Unusual AWS EC2 Modifications"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}]}, "type": "Anomaly", "search": "`cloudtrail` `ec2_modification_api_calls` [search `cloudtrail` `ec2_modification_api_calls` errorCode=success | stats earliest(_time) as firstTime latest(_time) as lastTime by userIdentity.arn | rename userIdentity.arn as arn | inputlookup append=t previously_seen_ec2_modifications_by_user | stats min(firstTime) as firstTime, max(lastTime) as lastTime by arn | outputlookup previously_seen_ec2_modifications_by_user | eval newUser=if(firstTime >= relative_time(now(), \"-70m@m\"), 1, 0) | where newUser=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=dest responseElements.instancesSet.items{}.instanceId | spath output=user userIdentity.arn | table _time, user, dest | `ec2_instance_modified_with_previously_unseen_user_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the \"Previously Seen EC2 Launches By User\" support search once to create a history of previously seen ARNs. To add or remove APIs that modify an EC2 instance, edit the macro `ec2_modification_api_calls`.", "known_false_positives": "It's possible that a new user will start to modify EC2 instances when they haven't before for any number of reasons. Verify with the user that is modifying instances that this is the intended behavior.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "ec2_modification_api_calls", "definition": "(eventName=AssociateAddress OR eventName=AssociateIamInstanceProfile OR eventName=AttachClassicLinkVpc OR eventName=AttachNetworkInterface OR eventName=AttachVolume OR eventName=BundleInstance OR eventName=DetachClassicLinkVpc OR eventName=DetachVolume OR eventName=ModifyInstanceAttribute OR eventName=ModifyInstancePlacement OR eventName=MonitorInstances OR eventName=RebootInstances OR eventName=ResetInstanceAttribute OR eventName=StartInstances OR eventName=StopInstances OR eventName=TerminateInstances OR eventName=UnmonitorInstances)", "description": "This is a list of AWS event names that have to do with modifying Amazon EC2 instances"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "ec2_instance_modified_with_previously_unseen_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "EC2 Instance Started In Previously Unseen Region", "author": "Bhavin Patel, Splunk", "date": "2018-02-23", "version": 1, "id": "ada0f478-84a8-4641-a3f3-d82362d6fd75", "description": "This search looks for AWS CloudTrail events where an instance is started in a particular region in the last one hour and then compares it to a lookup file of previously seen regions where an instance was started", "references": [], "tags": {"analytic_story": ["AWS Cryptomining", "Suspicious AWS EC2 Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "`cloudtrail` earliest=-1h StartInstances | stats earliest(_time) as earliest latest(_time) as latest by awsRegion | inputlookup append=t previously_seen_aws_regions.csv | stats min(earliest) as earliest max(latest) as latest by awsRegion | outputlookup previously_seen_aws_regions.csv | eval regionStatus=if(earliest >= relative_time(now(),\"-1d@d\"), \"Instance Started in a New Region\",\"Previously Seen Region\") | `security_content_ctime(earliest)` | `security_content_ctime(latest)` | where regionStatus=\"Instance Started in a New Region\" | `ec2_instance_started_in_previously_unseen_region_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. Run the \"Previously seen AWS Regions\" support search only once to create of baseline of previously seen regions. This search is deprecated and have been translated to use the latest Change Datamodel.", "known_false_positives": "It's possible that a user has unknowingly started an instance in a new region. Please verify that this activity is legitimate.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "ec2_instance_started_in_previously_unseen_region_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "EC2 Instance Started With Previously Unseen AMI", "author": "David Dorsey, Splunk", "date": "2018-03-12", "version": 1, "id": "347ec301-601b-48b9-81aa-9ddf9c829dd3", "description": "This search looks for EC2 instances being created with previously unseen AMIs. This search is deprecated and have been translated to use the latest Change Datamodel.", "references": [], "tags": {"analytic_story": ["AWS Cryptomining"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventName=RunInstances [search `cloudtrail` eventName=RunInstances errorCode=success | stats earliest(_time) as firstTime latest(_time) as lastTime by requestParameters.instancesSet.items{}.imageId | rename requestParameters.instancesSet.items{}.imageId as amiID | inputlookup append=t previously_seen_ec2_amis.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by amiID | outputlookup previously_seen_ec2_amis.csv | eval newAMI=if(firstTime >= relative_time(now(), \"-70m@m\"), 1, 0) | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | where newAMI=1 | rename amiID as requestParameters.instancesSet.items{}.imageId | table requestParameters.instancesSet.items{}.imageId] | rename requestParameters.instanceType as instanceType, responseElements.instancesSet.items{}.instanceId as dest, userIdentity.arn as arn, requestParameters.instancesSet.items{}.imageId as amiID | table firstTime, lastTime, arn, amiID, dest, instanceType | `ec2_instance_started_with_previously_unseen_ami_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the \"Previously Seen EC2 AMIs\" support search once to create a history of previously seen AMIs.", "known_false_positives": "After a new AMI is created, the first systems created with that AMI will cause this alert to fire. Verify that the AMI being used was created by a legitimate user.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "ec2_instance_started_with_previously_unseen_ami_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "EC2 Instance Started With Previously Unseen Instance Type", "author": "David Dorsey, Splunk", "date": "2020-02-07", "version": 2, "id": "65541c80-03c7-4e05-83c8-1dcd57a2e1ad", "description": "This search looks for EC2 instances being created with previously unseen instance types. This search is deprecated and have been translated to use the latest Change Datamodel.", "references": [], "tags": {"analytic_story": ["AWS Cryptomining"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventName=RunInstances [search `cloudtrail` eventName=RunInstances errorCode=success | fillnull value=\"m1.small\" requestParameters.instanceType | stats earliest(_time) as earliest latest(_time) as latest by requestParameters.instanceType | rename requestParameters.instanceType as instanceType | inputlookup append=t previously_seen_ec2_instance_types.csv | stats min(earliest) as earliest max(latest) as latest by instanceType | outputlookup previously_seen_ec2_instance_types.csv | eval newType=if(earliest >= relative_time(now(), \"-70m@m\"), 1, 0) | `security_content_ctime(earliest)` | `security_content_ctime(latest)` | where newType=1 | rename instanceType as requestParameters.instanceType | table requestParameters.instanceType] | spath output=user userIdentity.arn | rename requestParameters.instanceType as instanceType, responseElements.instancesSet.items{}.instanceId as dest | table _time, user, dest, instanceType | `ec2_instance_started_with_previously_unseen_instance_type_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the \"Previously Seen EC2 Instance Types\" support search once to create a history of previously seen instance types.", "known_false_positives": "It is possible that an admin will create a new system using a new instance type never used before. Verify with the creator that they intended to create the system with the new instance type.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "ec2_instance_started_with_previously_unseen_instance_type_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "EC2 Instance Started With Previously Unseen User", "author": "David Dorsey, Splunk", "date": "2020-07-21", "version": 2, "id": "22773e84-bac0-4595-b086-20d3f735b4f1", "description": "This search looks for EC2 instances being created by users who have not created them before. This search is deprecated and have been translated to use the latest Change Datamodel.", "references": [], "tags": {"analytic_story": ["AWS Cryptomining", "Suspicious AWS EC2 Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}]}, "type": "Anomaly", "search": "`cloudtrail` eventName=RunInstances [search `cloudtrail` eventName=RunInstances errorCode=success | stats earliest(_time) as firstTime latest(_time) as lastTime by userIdentity.arn | rename userIdentity.arn as arn | inputlookup append=t previously_seen_ec2_launches_by_user.csv | stats min(firstTime) as firstTime, max(lastTime) as lastTime by arn | outputlookup previously_seen_ec2_launches_by_user.csv | eval newUser=if(firstTime >= relative_time(now(), \"-70m@m\"), 1, 0) | where newUser=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename arn as userIdentity.arn | table userIdentity.arn] | rename requestParameters.instanceType as instanceType, responseElements.instancesSet.items{}.instanceId as dest, userIdentity.arn as user | table _time, user, dest, instanceType | `ec2_instance_started_with_previously_unseen_user_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the \"Previously Seen EC2 Launches By User\" support search once to create a history of previously seen ARNs.", "known_false_positives": "It's possible that a user will start to create EC2 instances when they haven't before for any number of reasons. Verify with the user that is launching instances that this is the intended behavior.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "ec2_instance_started_with_previously_unseen_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Execution of File With Spaces Before Extension", "author": "Rico Valdez, Splunk", "date": "2020-11-19", "version": 3, "id": "ab0353e6-a956-420b-b724-a8b4846d5d5a", "description": "This search looks for processes launched from files with at least five spaces in the name before the extension. This is typically done to obfuscate the file extension by pushing it outside of the default view.", "references": [], "tags": {"analytic_story": ["Masquerading - Rename System Utilities", "Windows File Extension and Association Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process_path) as process_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"* .*\" by Processes.dest Processes.user Processes.process Processes.process_name | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `execution_of_file_with_spaces_before_extension_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "None identified.", "datamodel": ["Endpoint"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "execution_of_file_with_spaces_before_extension_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Extended Period Without Successful Netbackup Backups", "author": "David Dorsey, Splunk", "date": "2017-09-12", "version": 1, "id": "a34aae96-ccf8-4aef-952c-3ea214444440", "description": "This search returns a list of hosts that have not successfully completed a backup in over a week. Deprecated because it's a infrastructure monitoring.", "references": [], "tags": {"analytic_story": ["Monitor Backup Solution"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`netbackup` MESSAGE=\"Disk/Partition backup completed successfully.\" | stats latest(_time) as latestTime by COMPUTERNAME | `security_content_ctime(latestTime)` | rename COMPUTERNAME as dest | eval isOutlier=if(latestTime <= relative_time(now(), \"-7d@d\"), 1, 0) | search isOutlier=1 | table latestTime, dest | `extended_period_without_successful_netbackup_backups_filter`", "how_to_implement": "To successfully implement this search you need to first obtain data from your backup solution, either from the backup logs on your hosts, or from a central server responsible for performing the backups. If you do not use Netbackup, you can modify this search for your backup solution. Depending on how often you backup your systems, you may want to modify how far in the past to look for a successful backup, other than the default of seven days.", "known_false_positives": "None identified", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "netbackup", "definition": "sourcetype=\"netbackup_logs\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "extended_period_without_successful_netbackup_backups_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "First time seen command line argument", "author": "Bhavin Patel, Splunk", "date": "2020-07-21", "version": 5, "id": "a1b6e73f-98d5-470f-99ac-77aacd578473", "description": "This search looks for command-line arguments that use a `/c` parameter to execute a command that has not previously been seen.", "references": [], "tags": {"analytic_story": ["DHS Report TA18-074A", "Hidden Cobra Malware", "Orangeworm Attack Group", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Suspicious Command-Line Executions"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = cmd.exe Processes.process = \"* /c *\" by Processes.process Processes.process_name Processes.parent_process_name Processes.dest| `drop_dm_object_name(Processes)`| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search [| tstats `security_content_summariesonly` earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = cmd.exe Processes.process = \"* /c *\" by Processes.process | `drop_dm_object_name(Processes)` | inputlookup append=t previously_seen_cmd_line_arguments | stats min(firstTime) as firstTime, max(lastTime) as lastTime by process | outputlookup previously_seen_cmd_line_arguments | eval newCmdLineArgument=if(firstTime >= relative_time(now(), \"-70m@m\"), 1, 0) | where newCmdLineArgument=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table process] | `first_time_seen_command_line_argument_filter` ", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Legitimate programs can also use command-line arguments to execute. Please verify the command-line arguments to check what command/program is being executed. We recommend customizing the `first_time_seen_cmd_line_filter` macro to exclude legitimate parent_process_name", "datamodel": ["Endpoint"], "source": "deprecated", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "first_time_seen_command_line_argument_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GCP Detect accounts with high risk roles by project", "author": "Rod Soto, Splunk", "date": "2020-10-09", "version": 1, "id": "27af8c15-38b0-4408-b339-920170724adb", "description": "This search provides detection of accounts with high risk roles by projects. Compromised accounts with high risk roles can move laterally or even scalate privileges at different projects depending on organization schema.", "references": ["https://github.com/dxa4481/gcploit", "https://www.youtube.com/watch?v=Ml09R38jpok", "https://cloud.google.com/iam/docs/understanding-roles"], "tags": {"analytic_story": ["GCP Cross Account Activity"], "asset_type": "GCP Account", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "type": "Hunting", "search": "`google_gcp_pubsub_message` data.protoPayload.request.policy.bindings{}.role=roles/owner OR roles/editor OR roles/iam.serviceAccountUser OR roles/iam.serviceAccountAdmin OR roles/iam.serviceAccountTokenCreator OR roles/dataflow.developer OR roles/dataflow.admin OR roles/composer.admin OR roles/dataproc.admin OR roles/dataproc.editor | table data.resource.type data.protoPayload.authenticationInfo.principalEmail data.protoPayload.authorizationInfo{}.permission data.protoPayload.authorizationInfo{}.resource data.protoPayload.response.bindings{}.role data.protoPayload.response.bindings{}.members{} | `gcp_detect_accounts_with_high_risk_roles_by_project_filter`", "how_to_implement": "You must install splunk GCP add-on. This search works with gcp:pubsub:message logs", "known_false_positives": "Accounts with high risk roles should be reduced to the minimum number needed, however specific tasks and setups may be simply expected behavior within organization", "datamodel": ["Email"], "source": "deprecated", "nes_fields": null, "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gcp_detect_accounts_with_high_risk_roles_by_project_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GCP Detect high risk permissions by resource and account", "author": "Rod Soto, Splunk", "date": "2020-10-09", "version": 1, "id": "2e70ef35-2187-431f-aedc-4503dc9b06ba", "description": "This search provides detection of high risk permissions by resource and accounts. These are permissions that can allow attackers with compromised accounts to move laterally and escalate privileges.", "references": ["https://github.com/dxa4481/gcploit", "https://www.youtube.com/watch?v=Ml09R38jpok", "https://cloud.google.com/iam/docs/permissions-reference"], "tags": {"analytic_story": ["GCP Cross Account Activity"], "asset_type": "GCP Account", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "type": "Hunting", "search": "`google_gcp_pubsub_message` data.protoPayload.authorizationInfo{}.permission=iam.serviceAccounts.getaccesstoken OR iam.serviceAccounts.setIamPolicy OR iam.serviceAccounts.actas OR dataflow.jobs.create OR composer.environments.create OR dataproc.clusters.create |table data.protoPayload.requestMetadata.callerIp data.protoPayload.authenticationInfo.principalEmail data.protoPayload.authorizationInfo{}.permission data.protoPayload.response.bindings{}.members{} data.resource.labels.project_id | `gcp_detect_high_risk_permissions_by_resource_and_account_filter`", "how_to_implement": "You must install splunk GCP add-on. This search works with gcp:pubsub:message logs", "known_false_positives": "High risk permissions are part of any GCP environment, however it is important to track resource and accounts usage, this search may produce false positives.", "datamodel": ["Email"], "source": "deprecated", "nes_fields": null, "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gcp_detect_high_risk_permissions_by_resource_and_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "gcp detect oauth token abuse", "author": "Rod Soto, Splunk", "date": "2020-09-01", "version": 1, "id": "a7e9f7bb-8901-4ad0-8d88-0a4ab07b1972", "description": "This search provides detection of possible GCP Oauth token abuse. GCP Oauth token without time limit can be exfiltrated and reused for keeping access sessions alive without further control of authentication, allowing attackers to access and move laterally.", "references": ["https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-1", "https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-2"], "tags": {"analytic_story": ["GCP Cross Account Activity"], "asset_type": "GCP Account", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "type": "Hunting", "search": "`google_gcp_pubsub_message` type.googleapis.com/google.cloud.audit.AuditLog |table protoPayload.@type protoPayload.status.details{}.@type protoPayload.status.details{}.violations{}.callerIp protoPayload.status.details{}.violations{}.type protoPayload.status.message | `gcp_detect_oauth_token_abuse_filter`", "how_to_implement": "You must install splunk GCP add-on. This search works with gcp:pubsub:message logs", "known_false_positives": "GCP Oauth token abuse detection will only work if there are access policies in place along with audit logs.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gcp_detect_oauth_token_abuse_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GCP Kubernetes cluster scan detection", "author": "Rod Soto, Splunk", "date": "2020-04-15", "version": 1, "id": "db5957ec-0144-4c56-b512-9dccbe7a2d26", "description": "This search provides information of unauthenticated requests via user agent, and authentication data against Kubernetes cluster", "references": [], "tags": {"analytic_story": ["Kubernetes Scanning Activity"], "asset_type": "GCP Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1526", "mitre_attack_technique": "Cloud Service Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "`google_gcp_pubsub_message` data.protoPayload.requestMetadata.callerIp!=127.0.0.1 data.protoPayload.requestMetadata.callerIp!=::1 \"data.labels.authorization.k8s.io/decision\"=forbid \"data.protoPayload.status.message\"=PERMISSION_DENIED data.protoPayload.authenticationInfo.principalEmail=\"system:anonymous\" | rename data.protoPayload.requestMetadata.callerIp as src_ip | stats count min(_time) as firstTime max(_time) as lastTime values(data.protoPayload.methodName) as method_name values(data.protoPayload.resourceName) as resource_name values(data.protoPayload.requestMetadata.callerSuppliedUserAgent) as http_user_agent by src_ip data.resource.labels.cluster_name | rename data.resource.labels.cluster_name as cluster_name| `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `gcp_kubernetes_cluster_scan_detection_filter` ", "how_to_implement": "You must install the GCP App for Splunk (version 2.0.0 or later), then configure stackdriver and set a Pub/Sub subscription to be imported to Splunk. You must also install Cloud Infrastructure data model.Customize the macro kubernetes_gcp_scan_fingerprint_attack_detection to filter out FPs.", "known_false_positives": "Not all unauthenticated requests are malicious, but frequency, User Agent and source IPs will provide context.", "datamodel": ["Email"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "gcp_kubernetes_cluster_scan_detection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Identify New User Accounts", "author": "Bhavin Patel, Splunk", "date": "2017-09-12", "version": 1, "id": "475b9e27-17e4-46e2-b7e2-648221be3b89", "description": "This detection search will help profile user accounts in your environment by identifying newly created accounts that have been added to your network in the past week.", "references": [], "tags": {"analytic_story": [], "asset_type": "Domain Server", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.002", "mitre_attack_technique": "Domain Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT5", "Chimera", "Cinnamon Tempest", "Indrik Spider", "Magic Hound", "Naikon", "Sandworm Team", "TA505", "Threat Group-1314", "ToddyCat", "Volt Typhoon", "Wizard Spider"]}]}, "type": "Hunting", "search": "| from datamodel Identity_Management.All_Identities | eval empStatus=case((now()-startDate)<604800, \"Accounts created in last week\") | search empStatus=\"Accounts created in last week\"| `security_content_ctime(endDate)` | `security_content_ctime(startDate)`| table identity empStatus endDate startDate | `identify_new_user_accounts_filter`", "how_to_implement": "To successfully implement this search, you need to be populating the Enterprise Security Identity_Management data model in the assets and identity framework.", "known_false_positives": "If the Identity_Management data model is not updated regularly, this search could give you false positive alerts. Please consider this and investigate appropriately.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "identify_new_user_accounts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes AWS detect most active service accounts by pod", "author": "Rod Soto, Splunk", "date": "2020-06-23", "version": 1, "id": "5b30b25d-7d32-42d8-95ca-64dfcd9076e6", "description": "This search provides information on Kubernetes service accounts,accessing pods by IP address, verb and decision", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Role Activity"], "asset_type": "AWS EKS Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`aws_cloudwatchlogs_eks` user.groups{}=system:serviceaccounts objectRef.resource=pods | table sourceIPs{} user.username userAgent verb annotations.authorization.k8s.io/decision | top sourceIPs{} user.username verb annotations.authorization.k8s.io/decision |`kubernetes_aws_detect_most_active_service_accounts_by_pod_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs", "known_false_positives": "Not all service accounts interactions are malicious. Analyst must consider IP, verb and decision context when trying to detect maliciousness.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_aws_detect_most_active_service_accounts_by_pod_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes AWS detect RBAC authorization by account", "author": "Rod Soto, Splunk", "date": "2020-06-23", "version": 1, "id": "de7264ed-3ed9-4fef-bb01-6eefc87cefe8", "description": "This search provides information on Kubernetes RBAC authorizations by accounts, this search can be modified by adding top to see both extremes of RBAC by accounts occurrences", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Role Activity"], "asset_type": "AWS EKS Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`aws_cloudwatchlogs_eks` annotations.authorization.k8s.io/reason=* | table sourceIPs{} user.username userAgent annotations.authorization.k8s.io/reason | stats count by user.username annotations.authorization.k8s.io/reason | rare user.username annotations.authorization.k8s.io/reason |`kubernetes_aws_detect_rbac_authorization_by_account_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs", "known_false_positives": "Not all RBAC Authorications are malicious. RBAC authorizations can uncover malicious activity specially if sensitive Roles have been granted.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_aws_detect_rbac_authorization_by_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes AWS detect sensitive role access", "author": "Rod Soto, Splunk", "date": "2020-06-23", "version": 1, "id": "b6013a7b-85e0-4a45-b051-10b252d69569", "description": "This search provides information on Kubernetes accounts accessing sensitve objects such as configmpas or secrets", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Role Activity"], "asset_type": "AWS EKS Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`aws_cloudwatchlogs_eks` objectRef.resource=clusterroles OR clusterrolebindings sourceIPs{}!=::1 sourceIPs{}!=127.0.0.1 | table sourceIPs{} user.username user.groups{} objectRef.namespace requestURI annotations.authorization.k8s.io/reason | dedup user.username user.groups{} |`kubernetes_aws_detect_sensitive_role_access_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs.", "known_false_positives": "Sensitive role resource access is necessary for cluster operation, however source IP, namespace and user group may indicate possible malicious use. ", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_aws_detect_sensitive_role_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes AWS detect service accounts forbidden failure access", "author": "Rod Soto, Splunk", "date": "2020-06-23", "version": 1, "id": "a6959c57-fa8f-4277-bb86-7c32fba579d5", "description": "This search provides information on Kubernetes service accounts with failure or forbidden access status, this search can be extended by using top or rare operators to find trends or rarities in failure status, user agents, source IPs and request URI", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Object Access Activity"], "asset_type": "AWS EKS Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`aws_cloudwatchlogs_eks` user.groups{}=system:serviceaccounts responseStatus.status = Failure | table sourceIPs{} user.username userAgent verb responseStatus.status requestURI | `kubernetes_aws_detect_service_accounts_forbidden_failure_access_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs.", "known_false_positives": "This search can give false positives as there might be inherent issues with authentications and permissions at cluster.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_aws_detect_service_accounts_forbidden_failure_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Azure active service accounts by pod namespace", "author": "Rod Soto, Splunk", "date": "2020-05-26", "version": 1, "id": "55a2264a-b7f0-45e5-addd-1e5ab3415c72", "description": "This search provides information on Kubernetes service accounts,accessing pods and namespaces by IP address and verb", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Role Activity"], "asset_type": "Azure AKS Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`kubernetes_azure` category=kube-audit | spath input=properties.log | search user.groups{}=system:serviceaccounts* OR user.username=system.anonymous OR annotations.authorization.k8s.io/decision=allow | table sourceIPs{} user.username userAgent verb responseStatus.reason responseStatus.status properties.pod objectRef.namespace | top sourceIPs{} user.username verb responseStatus.status properties.pod objectRef.namespace |`kubernetes_azure_active_service_accounts_by_pod_namespace_filter`", "how_to_implement": "You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics", "known_false_positives": "Not all service accounts interactions are malicious. Analyst must consider IP and verb context when trying to detect maliciousness.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "kubernetes_azure", "definition": "sourcetype=mscs:storage:blob:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_azure_active_service_accounts_by_pod_namespace_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Azure detect RBAC authorization by account", "author": "Rod Soto, Splunk", "date": "2020-05-26", "version": 1, "id": "47af7d20-0607-4079-97d7-7a29af58b54e", "description": "This search provides information on Kubernetes RBAC authorizations by accounts, this search can be modified by adding rare or top to see both extremes of RBAC by accounts occurrences", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Role Activity"], "asset_type": "Azure AKS Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`kubernetes_azure` category=kube-audit | spath input=properties.log | search annotations.authorization.k8s.io/reason=* | table sourceIPs{} user.username userAgent annotations.authorization.k8s.io/reason |stats count by user.username annotations.authorization.k8s.io/reason | rare user.username annotations.authorization.k8s.io/reason |`kubernetes_azure_detect_rbac_authorization_by_account_filter`", "how_to_implement": "You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics", "known_false_positives": "Not all RBAC Authorications are malicious. RBAC authorizations can uncover malicious activity specially if sensitive Roles have been granted.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "kubernetes_azure", "definition": "sourcetype=mscs:storage:blob:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_azure_detect_rbac_authorization_by_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Azure detect sensitive object access", "author": "Rod Soto, Splunk", "date": "2020-05-20", "version": 1, "id": "1bba382b-07fd-4ffa-b390-8002739b76e8", "description": "This search provides information on Kubernetes accounts accessing sensitve objects such as configmpas or secrets", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Object Access Activity"], "asset_type": "Azure AKS Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`kubernetes_azure` category=kube-audit | spath input=properties.log| search objectRef.resource=secrets OR configmaps user.username=system.anonymous OR annotations.authorization.k8s.io/decision=allow |table user.username user.groups{} objectRef.resource objectRef.namespace objectRef.name annotations.authorization.k8s.io/reason |dedup user.username user.groups{} |`kubernetes_azure_detect_sensitive_object_access_filter`", "how_to_implement": "You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics", "known_false_positives": "Sensitive object access is not necessarily malicious but user and object context can provide guidance for detection.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "kubernetes_azure", "definition": "sourcetype=mscs:storage:blob:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_azure_detect_sensitive_object_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Azure detect sensitive role access", "author": "Rod Soto, Splunk", "date": "2020-05-20", "version": 1, "id": "f27349e5-1641-4f6a-9e68-30402be0ad4c", "description": "This search provides information on Kubernetes accounts accessing sensitve objects such as configmpas or secrets", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Role Activity"], "asset_type": "Azure AKS Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`kubernetes_azure` category=kube-audit | spath input=properties.log| search objectRef.resource=clusterroles OR clusterrolebindings | table sourceIPs{} user.username user.groups{} objectRef.namespace requestURI annotations.authorization.k8s.io/reason | dedup user.username user.groups{} |`kubernetes_azure_detect_sensitive_role_access_filter`", "how_to_implement": "You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics", "known_false_positives": "Sensitive role resource access is necessary for cluster operation, however source IP, namespace and user group may indicate possible malicious use. ", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "kubernetes_azure", "definition": "sourcetype=mscs:storage:blob:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_azure_detect_sensitive_role_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Azure detect service accounts forbidden failure access", "author": "Rod Soto, Splunk", "date": "2020-05-20", "version": 1, "id": "019690d7-420f-4da0-b320-f27b09961514", "description": "This search provides information on Kubernetes service accounts with failure or forbidden access status", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Object Access Activity"], "asset_type": "Azure AKS Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`kubernetes_azure` category=kube-audit | spath input=properties.log | search user.groups{}=system:serviceaccounts* responseStatus.reason=Forbidden | table sourceIPs{} user.username userAgent verb responseStatus.reason responseStatus.status properties.pod objectRef.namespace |`kubernetes_azure_detect_service_accounts_forbidden_failure_access_filter`", "how_to_implement": "You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics", "known_false_positives": "This search can give false positives as there might be inherent issues with authentications and permissions at cluster.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "kubernetes_azure", "definition": "sourcetype=mscs:storage:blob:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_azure_detect_service_accounts_forbidden_failure_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Azure detect suspicious kubectl calls", "author": "Rod Soto, Splunk", "date": "2020-05-26", "version": 1, "id": "4b6d1ba8-0000-4cec-87e6-6cbbd71651b5", "description": "This search provides information on rare Kubectl calls with IP, verb namespace and object access context", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Object Access Activity"], "asset_type": "Azure AKS Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`kubernetes_azure` category=kube-audit | spath input=properties.log | spath input=responseObject.metadata.annotations.kubectl.kubernetes.io/last-applied-configuration | search userAgent=kubectl* sourceIPs{}!=127.0.0.1 sourceIPs{}!=::1 | table sourceIPs{} verb userAgent user.groups{} objectRef.resource objectRef.namespace requestURI | rare sourceIPs{} verb userAgent user.groups{} objectRef.resource objectRef.namespace requestURI |`kubernetes_azure_detect_suspicious_kubectl_calls_filter`", "how_to_implement": "You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics", "known_false_positives": "Kubectl calls are not malicious by nature. However source IP, verb and Object can reveal potential malicious activity, specially suspicious IPs and sensitive objects such as configmaps or secrets", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "kubernetes_azure", "definition": "sourcetype=mscs:storage:blob:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_azure_detect_suspicious_kubectl_calls_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Azure pod scan fingerprint", "author": "Rod Soto, Splunk", "date": "2020-05-20", "version": 1, "id": "86aad3e0-732f-4f66-bbbc-70df448e461d", "description": "This search provides information of unauthenticated requests via source IP user agent, request URI and response status data against Kubernetes cluster pod in Azure", "references": [], "tags": {"analytic_story": ["Kubernetes Scanning Activity"], "asset_type": "Azure AKS Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`kubernetes_azure` category=kube-audit | spath input=properties.log | search responseStatus.code=401 | table sourceIPs{} userAgent verb requestURI responseStatus.reason properties.pod |`kubernetes_azure_pod_scan_fingerprint_filter`", "how_to_implement": "You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics", "known_false_positives": "Not all unauthenticated requests are malicious, but source IPs, userAgent, verb, request URI and response status will provide context.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "kubernetes_azure", "definition": "sourcetype=mscs:storage:blob:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_azure_pod_scan_fingerprint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Azure scan fingerprint", "author": "Rod Soto, Splunk", "date": "2020-05-19", "version": 1, "id": "c5e5bd5c-1013-4841-8b23-e7b3253c840a", "description": "This search provides information of unauthenticated requests via source IP user agent, request URI and response status data against Kubernetes cluster in Azure", "references": [], "tags": {"analytic_story": ["Kubernetes Scanning Activity"], "asset_type": "Azure AKS Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1526", "mitre_attack_technique": "Cloud Service Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}]}, "type": "Hunting", "search": "`kubernetes_azure` category=kube-audit | spath input=properties.log | search responseStatus.code=401 | table sourceIPs{} userAgent verb requestURI responseStatus.reason |`kubernetes_azure_scan_fingerprint_filter`", "how_to_implement": "You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics", "known_false_positives": "Not all unauthenticated requests are malicious, but source IPs, userAgent, verb, request URI and response status will provide context.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "kubernetes_azure", "definition": "sourcetype=mscs:storage:blob:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_azure_scan_fingerprint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes GCP detect most active service accounts by pod", "author": "Rod Soto, Splunk", "date": "2020-07-10", "version": 1, "id": "7f5c2779-88a0-4824-9caa-0f606c8f260f", "description": "This search provides information on Kubernetes service accounts,accessing pods by IP address, verb and decision", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Role Activity"], "asset_type": "GCP GKE Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`google_gcp_pubsub_message` data.protoPayload.request.spec.group{}=system:serviceaccounts | table src_ip src_user http_user_agent data.protoPayload.request.spec.nonResourceAttributes.verb data.labels.authorization.k8s.io/decision data.protoPayload.response.spec.resourceAttributes.resource | top src_ip src_user http_user_agent data.labels.authorization.k8s.io/decision data.protoPayload.response.spec.resourceAttributes.resource |`kubernetes_gcp_detect_most_active_service_accounts_by_pod_filter`", "how_to_implement": "You must install splunk GCP add on. This search works with pubsub messaging service logs", "known_false_positives": "Not all service accounts interactions are malicious. Analyst must consider IP, verb and decision context when trying to detect maliciousness.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_gcp_detect_most_active_service_accounts_by_pod_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes GCP detect RBAC authorizations by account", "author": "Rod Soto, Splunk", "date": "2020-07-11", "version": 1, "id": "99487de3-7192-4b41-939d-fbe9acfb1340", "description": "This search provides information on Kubernetes RBAC authorizations by accounts, this search can be modified by adding top to see both extremes of RBAC by accounts occurrences", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Role Activity"], "asset_type": "GCP GKE Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`google_gcp_pubsub_message` data.labels.authorization.k8s.io/reason=ClusterRoleBinding OR Clusterrole | table src_ip src_user data.labels.authorization.k8s.io/decision data.labels.authorization.k8s.io/reason | rare src_user data.labels.authorization.k8s.io/reason |`kubernetes_gcp_detect_rbac_authorizations_by_account_filter`", "how_to_implement": "You must install splunk AWS add on for GCP. This search works with pubsub messaging service logs", "known_false_positives": "Not all RBAC Authorications are malicious. RBAC authorizations can uncover malicious activity specially if sensitive Roles have been granted.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_gcp_detect_rbac_authorizations_by_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes GCP detect sensitive object access", "author": "Rod Soto, Splunk", "date": "2020-07-11", "version": 1, "id": "bdb6d596-86a0-4aba-8369-418ae8b9963a", "description": "This search provides information on Kubernetes accounts accessing sensitve objects such as configmaps or secrets", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Object Access Activity"], "asset_type": "GCP GKE Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`google_gcp_pubsub_message` data.protoPayload.authorizationInfo{}.resource=configmaps OR secrets | table data.protoPayload.requestMetadata.callerIp src_user data.resource.labels.cluster_name data.protoPayload.request.metadata.namespace data.labels.authorization.k8s.io/decision | dedup data.protoPayload.requestMetadata.callerIp src_user data.resource.labels.cluster_name |`kubernetes_gcp_detect_sensitive_object_access_filter`", "how_to_implement": "You must install splunk add on for GCP . This search works with pubsub messaging service logs.", "known_false_positives": "Sensitive object access is not necessarily malicious but user and object context can provide guidance for detection.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_gcp_detect_sensitive_object_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes GCP detect sensitive role access", "author": "Rod Soto, Splunk", "date": "2020-07-11", "version": 1, "id": "a46923f6-36b9-4806-a681-31f314907c30", "description": "This search provides information on Kubernetes accounts accessing sensitve objects such as configmpas or secrets", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Role Activity"], "asset_type": "GCP GKE EKS Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`google_gcp_pubsub_message` data.labels.authorization.k8s.io/reason=ClusterRoleBinding OR Clusterrole dest=apis/rbac.authorization.k8s.io/v1 src_ip!=::1 | table src_ip src_user http_user_agent data.labels.authorization.k8s.io/decision data.labels.authorization.k8s.io/reason | dedup src_ip src_user |`kubernetes_gcp_detect_sensitive_role_access_filter`", "how_to_implement": "You must install splunk add on for GCP. This search works with pubsub messaging servicelogs.", "known_false_positives": "Sensitive role resource access is necessary for cluster operation, however source IP, user agent, decision and reason may indicate possible malicious use. ", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_gcp_detect_sensitive_role_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes GCP detect service accounts forbidden failure access", "author": "Rod Soto, Splunk", "date": "2020-06-23", "version": 1, "id": "7094808d-432a-48e7-bb3c-77e96c894f3b", "description": "This search provides information on Kubernetes service accounts with failure or forbidden access status, this search can be extended by using top or rare operators to find trends or rarities in failure status, user agents, source IPs and request URI", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Object Access Activity"], "asset_type": "GCP GKE Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`google_gcp_pubsub_message` system:serviceaccounts data.protoPayload.response.status.allowed!=* | table src_ip src_user http_user_agent data.protoPayload.response.spec.resourceAttributes.namespace data.resource.labels.cluster_name data.protoPayload.response.spec.resourceAttributes.verb data.protoPayload.request.status.allowed data.protoPayload.response.status.reason data.labels.authorization.k8s.io/decision | dedup src_ip src_user | `kubernetes_gcp_detect_service_accounts_forbidden_failure_access_filter`", "how_to_implement": "You must install splunk add on for GCP. This search works with pubsub messaging service logs.", "known_false_positives": "This search can give false positives as there might be inherent issues with authentications and permissions at cluster.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_gcp_detect_service_accounts_forbidden_failure_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes GCP detect suspicious kubectl calls", "author": "Rod Soto, Splunk", "date": "2020-07-11", "version": 1, "id": "a5bed417-070a-41f2-a1e4-82b6aa281557", "description": "This search provides information on anonymous Kubectl calls with IP, verb namespace and object access context", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Object Access Activity"], "asset_type": "GCP GKE Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`google_gcp_pubsub_message` data.protoPayload.requestMetadata.callerSuppliedUserAgent=kubectl* src_user=system:unsecured OR src_user=system:anonymous | table src_ip src_user data.protoPayload.requestMetadata.callerSuppliedUserAgent data.protoPayload.authorizationInfo{}.granted object_path |dedup src_ip src_user |`kubernetes_gcp_detect_suspicious_kubectl_calls_filter`", "how_to_implement": "You must install splunk add on for GCP. This search works with pubsub messaging logs.", "known_false_positives": "Kubectl calls are not malicious by nature. However source IP, source user, user agent, object path, and authorization context can reveal potential malicious activity, specially anonymous suspicious IPs and sensitive objects such as configmaps or secrets", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_gcp_detect_suspicious_kubectl_calls_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Monitor DNS For Brand Abuse", "author": "David Dorsey, Splunk", "date": "2017-09-23", "version": 1, "id": "24dd17b1-e2fb-4c31-878c-d4f746595bfa", "description": "This search looks for DNS requests for faux domains similar to the domains that you want to have monitored for abuse.", "references": [], "tags": {"analytic_story": ["Brand Monitoring"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(DNS.answer) as IPs min(_time) as firstTime from datamodel=Network_Resolution by DNS.src, DNS.query | `drop_dm_object_name(\"DNS\")` | `security_content_ctime(firstTime)`| `brand_abuse_dns` | `monitor_dns_for_brand_abuse_filter`", "how_to_implement": "You need to ingest data from your DNS logs. Specifically you must ingest the domain that is being queried and the IP of the host originating the request. Ideally, you should also be ingesting the answer to the query and the query type. This approach allows you to also create your own localized passive DNS capability which can aid you in future investigations. You also need to have run the search \"ESCU - DNSTwist Domain Names\", which creates the permutations of the domain that will be checked for. You also need the [`dnstwist`](https://gist.github.com/d1vious/c4c2aae7fa7d5cbb1f24adc5f6303ac1) custom command.", "known_false_positives": "None at this time", "datamodel": ["Network_Resolution"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "brand_abuse_dns", "definition": "lookup update=true brandMonitoring_lookup domain as query OUTPUT domain_abuse | search domain_abuse=true", "description": "This macro limits the output to only domains that are in the brand monitoring lookup file"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "monitor_dns_for_brand_abuse_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Multiple Okta Users With Invalid Credentials From The Same IP", "author": "Michael Haag, Mauricio Velazco, Rico Valdez, Splunk", "date": "2024-02-29", "version": 3, "id": "19cba45f-cad3-4032-8911-0c09e0444552", "description": "**DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta Multiple Users Failing To Authenticate From Ip`. This analytic identifies multiple failed logon attempts from a single IP in a short period of time. Use this analytic to identify patterns of suspicious logins from a single source and filter as needed or use this to drive tuning for higher fidelity analytics.", "references": ["https://developer.okta.com/docs/reference/api/event-types/?q=INVALID_CREDENTIALS", "https://developer.okta.com/docs/reference/api/system-log/", "https://attack.mitre.org/techniques/T1110/003/"], "tags": {"analytic_story": ["Suspicious Okta Activity"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Multple user accounts have failed to authenticate from a single IP.", "risk_score": 9, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.001", "mitre_attack_technique": "Default Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["FIN13", "Magic Hound"]}]}, "type": "TTP", "search": "`okta` eventType=user.session.start outcome.result=FAILURE | rename client.geographicalContext.country as country, client.geographicalContext.state as state, client.geographicalContext.city as city | stats min(_time) as firstTime max(_time) as lastTime dc(src_user) as distinct_users values(src_user) as users by src_ip, displayMessage, outcome.reason, country, state, city | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search distinct_users > 5| `multiple_okta_users_with_invalid_credentials_from_the_same_ip_filter` ", "how_to_implement": "This search is specific to Okta and requires Okta logs are being ingested in your Splunk deployment.", "known_false_positives": "A single public IP address servicing multiple legitmate users may trigger this search. In addition, the threshold of 5 distinct users may be too low for your needs. You may modify the included filter macro `multiple_okta_users_with_invalid_credentials_from_the_same_ip_filter` to raise the threshold or except specific IP adresses from triggering this search.", "datamodel": [], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "multiple_okta_users_with_invalid_credentials_from_the_same_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Suspicious Admin Email Forwarding", "author": "Patrick Bareiss, Splunk", "date": "2020-12-16", "version": 1, "id": "7f398cfb-918d-41f4-8db8-2e2474e02c28", "description": "**DEPRECATION NOTE** - This search has been deprecated and replaced with `O365 Mailbox Email Forwarding Enabled`. This search detects when an admin configured a forwarding rule for multiple mailboxes to the same destination.", "references": [], "tags": {"analytic_story": ["Data Exfiltration", "Office 365 Collection Techniques"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ has configured a forwarding rule for multiple mailboxes to the same destination $ForwardingAddress$", "risk_score": 48, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1114.003", "mitre_attack_technique": "Email Forwarding Rule", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Kimsuky", "LAPSUS$", "Silent Librarian"]}, {"mitre_attack_id": "T1114", "mitre_attack_technique": "Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Magic Hound", "Silent Librarian"]}]}, "type": "Anomaly", "search": "`o365_management_activity` Operation=Set-Mailbox | spath input=Parameters | rename Identity AS src_user | search ForwardingAddress=* | stats dc(src_user) AS count_src_user earliest(_time) as firstTime latest(_time) as lastTime values(src_user) AS src_user values(user) AS user by ForwardingAddress | where count_src_user > 1 |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` |`o365_suspicious_admin_email_forwarding_filter`", "how_to_implement": "You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity", "known_false_positives": "unknown", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_suspicious_admin_email_forwarding_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Suspicious Rights Delegation", "author": "Patrick Bareiss, Mauricio Velazco, Splunk", "date": "2020-12-15", "version": 2, "id": "b25d2973-303e-47c8-bacd-52b61604c6a7", "description": "**DEPRECATION NOTE** - This search has been deprecated and replaced with `O365 Elevated Mailbox Permission Assigned`. This analytic identifies instances where potentially suspicious rights are delegated within the Office 365 environment. Specifically, it detects when a user is granted FullAccess, SendAs, or SendOnBehalf permissions on another users mailbox. Such permissions can allow a user to access, send emails from, or send emails on behalf of the target mailbox. The detection leverages O365 audit logs, focusing on the Add-MailboxPermission operation. By parsing the parameters of this operation, the analytic filters for events where FullAccess, SendAs, or SendOnBehalf rights are granted. It then aggregates this data to capture the source user (who was granted the permissions), the destination user (whose mailbox was affected), the specific operation, and the type of access rights granted. Delegating mailbox rights, especially those as powerful as FullAccess, can pose significant security risks. While there are legitimate scenarios for these permissions, such as an executive assistant needing access to an executives mailbox, there are also malicious scenarios where an attacker or a compromised insider might grant themselves unauthorized access to sensitive mailboxes. Monitoring for these permissions changes is crucial to detect potential insider threats, compromised accounts, or other malicious activities.If the detection is a true positive, it indicates that a user has been granted potentially high-risk permissions on another users mailbox. This could lead to unauthorized access to sensitive emails, impersonation through sending emails as or on behalf of the mailbox owner, or data manipulation by altering or deleting emails. Immediate investigation is required to validate the legitimacy of the permission change and to assess the potential risks associated with the granted access.", "references": ["https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452", "https://attack.mitre.org/techniques/T1098/002/", "https://attack.mitre.org/techniques/T1114/002/"], "tags": {"analytic_story": ["Office 365 Collection Techniques"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ has delegated suspicious rights $AccessRights$ to user $dest_user$ that allow access to sensitive", "risk_score": 48, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1114.002", "mitre_attack_technique": "Remote Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "Chimera", "Dragonfly", "FIN4", "HAFNIUM", "Ke3chang", "Kimsuky", "Leafminer", "Magic Hound"]}, {"mitre_attack_id": "T1114", "mitre_attack_technique": "Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Magic Hound", "Silent Librarian"]}, {"mitre_attack_id": "T1098.002", "mitre_attack_technique": "Additional Email Delegate Permissions", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "Magic Hound"]}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}]}, "type": "TTP", "search": "`o365_management_activity` Operation=Add-MailboxPermission | spath input=Parameters | rename User AS src_user, Identity AS dest_user | search AccessRights=FullAccess OR AccessRights=SendAs OR AccessRights=SendOnBehalf | stats count earliest(_time) as firstTime latest(_time) as lastTime by user src_user dest_user Operation AccessRights |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` |`o365_suspicious_rights_delegation_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "While there are legitimate scenarios for these permissions, such as an executive assistant needing access to an executive's mailbox, there are also malicious scenarios. Investigate and filter as needed.", "datamodel": [], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_suspicious_rights_delegation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Suspicious User Email Forwarding", "author": "Patrick Bareiss, Splunk", "date": "2020-12-16", "version": 1, "id": "f8dfe015-dbb3-4569-ba75-b13787e06aa4", "description": "**DEPRECATION NOTE** - This search has been deprecated and replaced with `O365 Mailbox Email Forwarding Enabled`. The following analytic detects when multiple users have configured a forwarding rule to the same destination to proactively identify and investigate potential security risks related to email forwarding and take appropriate actions to protect the organizations data and prevent unauthorized access or data breaches. This detection is made by a Splunk query to O365 management activity logs with the operation `Set-Mailbox` to gather information about mailbox configurations. Then, the query uses the `spath` function to extract the parameters and rename the \"Identity\" field as \"src_user\" and searches for entries where the \"ForwardingSmtpAddress\" field is not empty, which indicates the presence of a forwarding rule. Next, the analytic uses the `stats` command to group the results by the forwarding email address and count the number of unique source users (`src_user`). Finally, it filters the results and only retains entries where the count of source users (`count_src_user`) is greater than 1, which indicates that multiple users have set up forwarding rules to the same destination. This detection is important because it suggests that multiple users are forwarding emails to the same destination without proper authorization, which can lead to the exposure of sensitive information, loss of data control, or unauthorized access to confidential emails. Investigating and addressing this issue promptly can help prevent data breaches and mitigate potential damage.indicates a potential security risk since multiple users forwarding emails to the same destination can be a sign of unauthorized access, data exfiltration, or a compromised account. Additionally, it also helps to determine if the forwarding rules are legitimate or if they indicate a security incident. False positives can occur if there are legitimate reasons for multiple users to forward emails to the same destination, such as a shared mailbox or a team collaboration scenario. Next steps include further investigation and context analysis to determine the legitimacy of the forwarding rules.", "references": [], "tags": {"analytic_story": ["Data Exfiltration", "Office 365 Collection Techniques"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "ForwardingSmtpAddress", "type": "Email Address", "role": ["Other"]}], "message": "User $user$ configured multiple users $src_user$ with a count of $count_src_user$, a forwarding rule to same destination $ForwardingSmtpAddress$", "risk_score": 48, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1114.003", "mitre_attack_technique": "Email Forwarding Rule", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Kimsuky", "LAPSUS$", "Silent Librarian"]}, {"mitre_attack_id": "T1114", "mitre_attack_technique": "Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Magic Hound", "Silent Librarian"]}]}, "type": "Anomaly", "search": "`o365_management_activity` Operation=Set-Mailbox | spath input=Parameters | rename Identity AS src_user | search ForwardingSmtpAddress=* | stats dc(src_user) AS count_src_user earliest(_time) as firstTime latest(_time) as lastTime values(src_user) AS src_user values(user) AS user by ForwardingSmtpAddress | where count_src_user > 1 |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` |`o365_suspicious_user_email_forwarding_filter`", "how_to_implement": "You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity", "known_false_positives": "unknown", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_suspicious_user_email_forwarding_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Okta Account Locked Out", "author": "Michael Haag, Splunk", "date": "2022-09-21", "version": 1, "id": "d650c0ae-bdc5-400e-9f0f-f7aa0a010ef1", "description": "**DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta Multiple Accounts Locked Out`. The following analytic utilizes the user.acount.lock event to identify associates who are locked out of Okta. An adversary attempting to brute force or password spray account names may lock accounts out depending on the threshold.", "references": ["https://developer.okta.com/docs/reference/api/event-types/?q=user.acount.lock"], "tags": {"analytic_story": ["Okta MFA Exhaustion", "Suspicious Okta Activity"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "$src_user$ account has been locked out.", "risk_score": 64, "security_domain": "access", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "type": "Anomaly", "search": "`okta` eventType=user.account.lock | stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) values(src_user) as user by src_ip eventType status | where count >=3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `okta_account_locked_out_filter`", "how_to_implement": "This analytic is specific to Okta and requires Okta logs to be ingested.", "known_false_positives": "False positives may be present. Tune Okta and tune the analytic to ensure proper fidelity. Modify risk score as needed. Drop to anomaly until tuning is complete.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "okta_account_locked_out_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Okta Account Lockout Events", "author": "Michael Haag, Rico Valdez, Splunk", "date": "2022-09-19", "version": 2, "id": "62b70968-a0a5-4724-8ac4-67871e6f544d", "description": "**DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta Multiple Accounts Locked Out`. The following anomaly will generate based on account lockout events utilizing Okta eventTypes of user.account.lock.limit or user.account.lock. Per the Okta docs site, this event is fired when a user account has reached the lockout limit. The account will not auto-unlock and a user or client cannot gain access to the account. This event indicates an account that will not be able to log in until remedial action is taken by the account admin. This event can be used to understand the specifics of an account lockout. Often this indicates a client application that is repeatedly attempting to authenticate with invalid credentials such as an old password.", "references": ["https://developer.okta.com/docs/reference/api/event-types/#catalog", "https://developer.okta.com/docs/reference/api/event-types/?q=user.account.lock"], "tags": {"analytic_story": ["Suspicious Okta Activity"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "The following user $src_user$ has locked out their account within Okta.", "risk_score": 25, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.001", "mitre_attack_technique": "Default Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["FIN13", "Magic Hound"]}]}, "type": "Anomaly", "search": "`okta` eventType IN (user.account.lock.limit,user.account.lock) | rename client.geographicalContext.country as country, client.geographicalContext.state as state, client.geographicalContext.city as city | stats count min(_time) as firstTime max(_time) as lastTime values(src_user) by displayMessage, country, state, city, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_account_lockout_events_filter`", "how_to_implement": "This analytic is specific to Okta and requires Okta logs to be ingested.", "known_false_positives": "None. Account lockouts should be followed up on to determine if the actual user was the one who caused the lockout, or if it was an unauthorized actor.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "okta_account_lockout_events_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Okta Failed SSO Attempts", "author": "Michael Haag, Rico Valdez, Splunk", "date": "2022-09-21", "version": 3, "id": "371a6545-2618-4032-ad84-93386b8698c5", "description": "**DEPRECATION NOTE** - This search has been deprecated and replaced with this detection `Okta Unauthorized Access to Application - DM`. The following anomaly identifies failed Okta SSO events utilizing the legacy Okta event \"unauth app access attempt\".", "references": ["https://developer.okta.com/docs/reference/api/event-types/?q=app.generic.unauth_app_access_attempt"], "tags": {"analytic_story": ["Suspicious Okta Activity"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}], "message": "$src_user$ failed SSO authentication to the app.", "risk_score": 16, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.001", "mitre_attack_technique": "Default Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["FIN13", "Magic Hound"]}]}, "type": "Anomaly", "search": "`okta` eventType=app.generic.unauth_app_access_attempt | stats min(_time) as firstTime max(_time) as lastTime values(app) as Apps count by src_user, result ,displayMessage, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_failed_sso_attempts_filter` ", "how_to_implement": "This search is specific to Okta and requires Okta logs are being ingested in your Splunk deployment.", "known_false_positives": "There may be a faulty config preventing legitmate users from accessing apps they should have access to.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "okta_failed_sso_attempts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Okta ThreatInsight Login Failure with High Unknown users", "author": "Okta, Inc, Michael Haag, Splunk", "date": "2023-03-09", "version": 1, "id": "632663b0-4562-4aad-abe9-9f621a049738", "description": "**DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta ThreatInsight Threat Detected`. The following analytic utilizes Oktas ThreatInsight to identify Login failures with high unknown users count and any included secondary outcome reasons. This event will trigger when a brute force attempt occurs with unknown usernames attempted.", "references": ["https://help.okta.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm"], "tags": {"analytic_story": ["Suspicious Okta Activity"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "outcome.reason", "type": "Other", "role": ["Other"]}], "message": "Okta ThreatInsight has detected or prevented a high number of login failures.", "risk_score": 50, "security_domain": "access", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.001", "mitre_attack_technique": "Default Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["FIN13", "Magic Hound"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}]}, "type": "TTP", "search": "`okta` eventType=\"security.threat.detected\" AND outcome.reason=\"Login failures with high unknown users count*\" | stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) by user eventType client.userAgent.rawUserAgent client.userAgent.browser outcome.reason | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_threatinsight_login_failure_with_high_unknown_users_filter`", "how_to_implement": "This search is specific to Okta and requires Okta logs to be ingested in your Splunk deployment.", "known_false_positives": "Fidelity of this is high as it is Okta ThreatInsight. Filter and modify as needed.", "datamodel": [], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "okta_threatinsight_login_failure_with_high_unknown_users_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Okta ThreatInsight Suspected PasswordSpray Attack", "author": "Okta, Inc, Michael Haag, Splunk", "date": "2023-03-09", "version": 1, "id": "25dbad05-6682-4dd5-9ce9-8adecf0d9ae2", "description": "**DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta ThreatInsight Threat Detected`. The following analytic utilizes Oktas ThreatInsight to identify \"PasswordSpray\" and any included secondary outcome reasons. This event will trigger when a brute force attempt occurs with unknown usernames attempted.", "references": ["https://help.okta.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm"], "tags": {"analytic_story": ["Suspicious Okta Activity"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "outcome.reason", "type": "Other", "role": ["Other"]}], "message": "Okta ThreatInsight has detected or prevented a PasswordSpray attack.", "risk_score": 60, "security_domain": "access", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.001", "mitre_attack_technique": "Default Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["FIN13", "Magic Hound"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}]}, "type": "TTP", "search": "`okta` eventType=\"security.threat.detected\" AND outcome.reason=\"Password Spray\" | stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) by eventType client.userAgent.rawUserAgent client.userAgent.browser outcome.reason | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_threatinsight_suspected_passwordspray_attack_filter`", "how_to_implement": "This search is specific to Okta and requires Okta logs to be ingested in your Splunk deployment.", "known_false_positives": "Fidelity of this is high as it is Okta ThreatInsight. Filter and modify as needed.", "datamodel": [], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "okta_threatinsight_suspected_passwordspray_attack_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Okta Two or More Rejected Okta Pushes", "author": "Michael Haag, Marissa Bower, Splunk", "date": "2022-09-27", "version": 1, "id": "d93f785e-4c2c-4262-b8c7-12b77a13fd39", "description": "**DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta Multiple Failed MFA Requests For User`. The following analytic identifies an account that has rejected more than 2 Push notifications in a 10 minute window. Modify this query for your environment by upping the count or time window.", "references": ["https://developer.okta.com/docs/reference/api/event-types/?q=user.acount.lock"], "tags": {"analytic_story": ["Okta MFA Exhaustion", "Suspicious Okta Activity"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "message": "$user$ account has rejected multiple Okta pushes.", "risk_score": 64, "security_domain": "access", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "type": "TTP", "search": "`okta` outcome.reason=\"User rejected Okta push verify\" OR (debugContext.debugData.factor=\"OKTA_VERIFY_PUSH\" outcome.result=FAILURE legacyEventType=\"core.user.factor.attempt_fail\" \"target{}.detailEntry.methodTypeUsed\"=\"Get a push notification\") | bin _time as bin_time span=10m | eval user=coalesce(actor.alternateId,user), user=mvindex(split(user, \"@\"), 0), event_time = _time | stats earliest(event_time) as event_time, min(_time) as firsttime max(_time) as lasttime values(client.ipAddress) as client.ipAddress, values(outcome.reason) as outcome, values(src_ip) AS src_ip, values(client.userAgent.rawUserAgent) as user_agent, values(eventType) as eventType, values(outcome.result) as action, values(legacyEventType) as legacyEventType values(index) as idx, values(sourcetype) as st count by bin_time user host | rename bin_time as timeWindow | convert ctime(*timeWindow) ctime(firsttime) ctime(lasttime) | where count >= 2 | `okta_two_or_more_rejected_okta_pushes_filter`", "how_to_implement": "This analytic is specific to Okta and requires Okta logs to be ingested.", "known_false_positives": "False positives may be present. Tune Okta and tune the analytic to ensure proper fidelity. Modify risk score as needed. Drop to anomaly until tuning is complete.", "datamodel": [], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_two_or_more_rejected_okta_pushes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Open Redirect in Splunk Web", "author": "Bhavin Patel, Splunk", "date": "2017-09-19", "version": 1, "id": "d199fb99-2312-451a-9daa-e5efa6ed76a7", "description": "This search allows you to look for evidence of exploitation for CVE-2016-4859, the Splunk Open Redirect Vulnerability.", "references": [], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "index=_internal sourcetype=splunk_web_access return_to=\"/%09/*\" | `open_redirect_in_splunk_web_filter`", "how_to_implement": "No extra steps needed to implement this search.", "known_false_positives": "None identified", "datamodel": [], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "open_redirect_in_splunk_web_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Osquery pack - ColdRoot detection", "author": "Rico Valdez, Splunk", "date": "2019-01-29", "version": 1, "id": "a6fffe5e-05c3-4c04-badc-887607fbb8dc", "description": "This search looks for ColdRoot events from the osx-attacks osquery pack.", "references": [], "tags": {"analytic_story": ["ColdRoot MacOS RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| from datamodel Alerts.Alerts | search app=osquery:results (name=pack_osx-attacks_OSX_ColdRoot_RAT_Launchd OR name=pack_osx-attacks_OSX_ColdRoot_RAT_Files) | rename columns.path as path | bucket _time span=30s | stats count(path) by _time, host, user, path | `osquery_pack___coldroot_detection_filter`", "how_to_implement": "In order to properly run this search, Splunk needs to ingest data from your osquery deployed agents with the [osx-attacks.conf](https://github.com/facebook/osquery/blob/experimental/packs/osx-attacks.conf#L599) pack enabled. Also the [TA-OSquery](https://github.com/d1vious/TA-osquery) must be deployed across your indexers and universal forwarders in order to have the osquery data populate the Alerts data model", "known_false_positives": "There are no known false positives.", "datamodel": [], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "osquery_pack___coldroot_detection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Processes created by netsh", "author": "Bhavin Patel, Splunk", "date": "2020-11-23", "version": 5, "id": "b89919ed-fe5f-492c-b139-95dbb162041e", "description": "This search looks for processes launching netsh.exe to execute various commands via the netsh command-line utility. Netsh.exe is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper .dll when netsh.exe is executed. In this search, we are looking for processes spawned by netsh.exe that are executing commands via the command line. Deprecated because we have another detection of the same type.", "references": [], "tags": {"analytic_story": ["Netsh Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT", "ToddyCat"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=netsh.exe by Processes.user Processes.dest Processes.parent_process Processes.parent_process_name Processes.process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `processes_created_by_netsh_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "It is unusual for netsh.exe to have any child processes in most environments. It makes sense to investigate the child process and verify whether the process spawned is legitimate. We explicitely exclude \"C:\\Program Files\\rempl\\sedlauncher.exe\" process path since it is a legitimate process by Mircosoft.", "datamodel": ["Endpoint"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "processes_created_by_netsh_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Prohibited Software On Endpoint", "author": "David Dorsey, Splunk", "date": "2019-10-11", "version": 2, "id": "a51bfe1a-94f0-48cc-b4e4-b6ae50145893", "description": "This search looks for applications on the endpoint that you have marked as prohibited.", "references": [], "tags": {"analytic_story": ["Emotet Malware DHS Report TA18-201A", "Monitor for Unauthorized Software", "SamSam Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.dest Processes.user Processes.process_name | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `prohibited_processes` | `prohibited_software_on_endpoint_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "None identified", "datamodel": ["Endpoint"], "source": "deprecated", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "prohibited_software_on_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Reg exe used to hide files directories via registry keys", "author": "Bhavin Patel, Splunk", "date": "2019-02-27", "version": 2, "id": "61a7d1e6-f5d4-41d9-a9be-39a1ffe69459", "description": "The search looks for command-line arguments used to hide a file or directory using the reg add command.", "references": [], "tags": {"analytic_story": ["Suspicious Windows Registry Activities", "Windows Defense Evasion Tactics", "Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1564.001", "mitre_attack_technique": "Hidden Files and Directories", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "FIN13", "HAFNIUM", "Lazarus Group", "LuminousMoth", "Mustang Panda", "Rocke", "Transparent Tribe", "Tropic Trooper"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = reg.exe Processes.process=\"*add*\" Processes.process=\"*Hidden*\" Processes.process=\"*REG_DWORD*\" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)`| regex process = \"(/d\\s+2)\" | `reg_exe_used_to_hide_files_directories_via_registry_keys_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "None at the moment", "datamodel": ["Endpoint"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "reg_exe_used_to_hide_files_directories_via_registry_keys_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Remote Registry Key modifications", "author": "Bhavin Patel, Splunk", "date": "2020-03-02", "version": 3, "id": "c9f4b923-f8af-4155-b697-1354f5dcbc5e", "description": "This search monitors for remote modifications to registry keys.", "references": [], "tags": {"analytic_story": ["Suspicious Windows Registry Activities", "Windows Defense Evasion Tactics", "Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"\\\\\\\\*\" by Registry.dest , Registry.user | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `remote_registry_key_modifications_filter`", "how_to_implement": "To successfully implement this search, you must populate the `Endpoint` data model. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry. Deprecated because I don't think the logic is right.", "known_false_positives": "This technique may be legitimately used by administrators to modify remote registries, so it's important to filter these events out.", "datamodel": ["Endpoint"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "remote_registry_key_modifications_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Scheduled tasks used in BadRabbit ransomware", "author": "Bhavin Patel, Splunk", "date": "2020-07-21", "version": 3, "id": "1297fb80-f42a-4b4a-9c8b-78c066437cf6", "description": "This search looks for flags passed to schtasks.exe on the command-line that indicate that task names related to the execution of Bad Rabbit ransomware were created or deleted. Deprecated because we already have a similar detection", "references": [], "tags": {"analytic_story": ["Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as process from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe (Processes.process= \"*create*\" OR Processes.process= \"*delete*\") by Processes.parent_process Processes.process_name Processes.user | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | search (process=*rhaegal* OR process=*drogon* OR *viserion_*) | `scheduled_tasks_used_in_badrabbit_ransomware_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "No known false positives", "datamodel": ["Endpoint"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "scheduled_tasks_used_in_badrabbit_ransomware_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Spectre and Meltdown Vulnerable Systems", "author": "David Dorsey, Splunk", "date": "2017-01-07", "version": 1, "id": "354be8e0-32cd-4da0-8c47-796de13b60ea", "description": "The search is used to detect systems that are still vulnerable to the Spectre and Meltdown vulnerabilities.", "references": [], "tags": {"analytic_story": ["Spectre And Meltdown Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Vulnerabilities where Vulnerabilities.cve =\"CVE-2017-5753\" OR Vulnerabilities.cve =\"CVE-2017-5715\" OR Vulnerabilities.cve =\"CVE-2017-5754\" by Vulnerabilities.dest | `drop_dm_object_name(Vulnerabilities)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spectre_and_meltdown_vulnerable_systems_filter`", "how_to_implement": "The search requires that you are ingesting your vulnerability-scanner data and that it reports the CVE of the vulnerability identified.", "known_false_positives": "It is possible that your vulnerability scanner is not detecting that the patches have been applied.", "datamodel": ["Vulnerabilities"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "spectre_and_meltdown_vulnerable_systems_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Enterprise Information Disclosure", "author": "David Dorsey, Splunk", "date": "2018-06-14", "version": 1, "id": "f6a26b7b-7e80-4963-a9a8-d836e7534ebd", "description": "This search allows you to look for evidence of exploitation for CVE-2018-11409, a Splunk Enterprise Information Disclosure Bug.", "references": [], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "index=_internal sourcetype=splunkd_ui_access server-info | search clientip!=127.0.0.1 uri_path=\"*raw/services/server/info/server-info\" | rename clientip as src_ip, splunk_server as dest | stats earliest(_time) as firstTime, latest(_time) as lastTime, values(uri) as uri, values(useragent) as http_user_agent, values(user) as user by src_ip, dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_enterprise_information_disclosure_filter`", "how_to_implement": "The REST endpoint that exposes system information is also necessary for the proper operation of Splunk clustering and instrumentation. Whitelisting your Splunk systems will reduce false positives.", "known_false_positives": "Retrieving server information may be a legitimate API request. Verify that the attempt is a valid request for information.", "datamodel": [], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_enterprise_information_disclosure_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Changes to File Associations", "author": "Rico Valdez, Splunk", "date": "2020-07-22", "version": 4, "id": "1b989a0e-0129-4446-a695-f193a5b746fc", "description": "This search looks for changes to registry values that control Windows file associations, executed by a process that is not typical for legitimate, routine changes to this area.", "references": [], "tags": {"analytic_story": ["Suspicious Windows Registry Activities", "Windows File Extension and Association Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process_name) as process_name values(Processes.parent_process_name) as parent_process_name FROM datamodel=Endpoint.Processes where Processes.process_name!=Explorer.exe AND Processes.process_name!=OpenWith.exe by Processes.process_id Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join [| tstats `security_content_summariesonly` values(Registry.registry_path) as registry_path count from datamodel=Endpoint.Registry where Registry.registry_path=*\\\\Explorer\\\\FileExts* by Registry.process_id Registry.dest | `drop_dm_object_name(\"Registry\")` | table process_id dest registry_path]| `suspicious_changes_to_file_associations_filter` ", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "There may be other processes in your environment that users may legitimately use to modify file associations. If this is the case and you are finding false positives, you can modify the search to add those processes as exceptions.", "datamodel": ["Endpoint"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_changes_to_file_associations_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Email - UBA Anomaly", "author": "Bhavin Patel, Splunk", "date": "2020-07-22", "version": 3, "id": "56e877a6-1455-4479-ad16-0550dc1e33f8", "description": "This detection looks for emails that are suspicious because of their sender, domain rareness, or behavior differences. This is an anomaly generated by Splunk User Behavior Analytics (UBA).", "references": [], "tags": {"analytic_story": ["Suspicious Emails"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}]}, "type": "Anomaly", "search": "|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_UEBA_Events.category) as category from datamodel=UEBA where nodename=All_UEBA_Events.UEBA_Anomalies All_UEBA_Events.UEBA_Anomalies.uba_model = \"SuspiciousEmailDetectionModel\" by All_UEBA_Events.description All_UEBA_Events.severity All_UEBA_Events.user All_UEBA_Events.uba_event_type All_UEBA_Events.link All_UEBA_Events.signature All_UEBA_Events.url All_UEBA_Events.UEBA_Anomalies.uba_model | `drop_dm_object_name(All_UEBA_Events)` | `drop_dm_object_name(UEBA_Anomalies)`| `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_email___uba_anomaly_filter`", "how_to_implement": "You must be ingesting data from email logs and have Splunk integrated with UBA. This anomaly is raised by a UBA detection model called \"SuspiciousEmailDetectionModel.\" Ensure that this model is enabled on your UBA instance.", "known_false_positives": "This detection model will alert on any sender domain that is seen for the first time. This could be a potential false positive. The next step is to investigate and add the URL to an allow list if you determine that it is a legitimate sender.", "datamodel": ["Email", "UEBA"], "source": "deprecated", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_email___uba_anomaly_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious File Write", "author": "Rico Valdez, Splunk", "date": "2019-04-25", "version": 3, "id": "57f76b8a-32f0-42ed-b358-d9fa3ca7bac8", "description": "The search looks for files created with names that have been linked to malicious activity.", "references": [], "tags": {"analytic_story": ["Hidden Cobra Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count values(Filesystem.action) as action values(Filesystem.file_path) as file_path min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem by Filesystem.file_name Filesystem.dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Filesystem)` | `suspicious_writes` | `suspicious_file_write_filter`", "how_to_implement": "You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or via other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file system reads and writes. In addition, this search leverages an included lookup file that contains the names of the files to watch for, as well as a note to communicate why that file name is being monitored. This lookup file can be edited to add or remove file the file names you want to monitor.", "known_false_positives": "It's possible for a legitimate file to be created with the same name as one noted in the lookup file. Filenames listed in the lookup file should be unique enough that collisions are rare. Looking at the location of the file and the process responsible for the activity can help determine whether or not the activity is legitimate.", "datamodel": ["Endpoint"], "source": "deprecated", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_writes", "definition": "lookup suspicious_writes_lookup file as file_name OUTPUT note as \"Reference\" | search \"Reference\" != False", "description": "This macro limites the output to file names that have been marked as suspicious"}, {"name": "suspicious_file_write_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Powershell Command-Line Arguments", "author": "David Dorsey, Splunk", "date": "2021-01-19", "version": 6, "id": "2cdb91d2-542c-497f-b252-be495e71f38c", "description": "This search looks for PowerShell processes started with a base64 encoded command-line passed to it, with parameters to modify the execution policy for the process, and those that prevent the display of an interactive prompt to the user. This combination of command-line options is suspicious because it overrides the default PowerShell execution policy, attempts to hide itself from the user, and passes an encoded script to be run on the command-line. Deprecated because almost the same as Malicious PowerShell Process - Encoded Command", "references": [], "tags": {"analytic_story": ["CISA AA22-320A", "Hermetic Wiper", "Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=powershell.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| search (process=*-EncodedCommand* OR process=*-enc*) process=*-Exec* | `suspicious_powershell_command_line_arguments_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Legitimate process can have this combination of command-line options, but it's not common.", "datamodel": ["Endpoint"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_powershell_command_line_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Rundll32 Rename", "author": "Michael Haag, Splunk", "date": "2022-04-07", "version": 5, "id": "7360137f-abad-473e-8189-acbdaa34d114", "description": "The following hunting analytic identifies renamed instances of rundll32.exe executing. rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64. During investigation, validate it is the legitimate rundll32.exe executing and what script content it is loading. This query relies on the original filename or internal name from the PE meta data. Expand the query as needed by looking for specific command line arguments outlined in other analytics.", "references": ["https://attack.mitre.org/techniques/T1218/011/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md", "https://lolbas-project.github.io/lolbas/Binaries/Rundll32/"], "tags": {"analytic_story": ["Masquerading - Rename System Utilities", "Suspicious Rundll32 Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Victim"]}], "message": "Suspicious renamed rundll32.exe binary ran on $dest$ by $user$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.original_file_name=RUNDLL32.exe AND Processes.process_name!=rundll32.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_rundll32_rename_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications may use a moved copy of rundll32, triggering a false positive.", "datamodel": ["Endpoint"], "source": "deprecated", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_rundll32_rename_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious writes to System Volume Information", "author": "Rico Valdez, Splunk", "date": "2020-07-22", "version": 2, "id": "cd6297cd-2bdd-4aa1-84aa-5d2f84228fac", "description": "This search detects writes to the 'System Volume Information' folder by something other than the System process.", "references": [], "tags": {"analytic_story": ["Collection and Staging"], "asset_type": "Windows", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}]}, "type": "Hunting", "search": "(`sysmon` OR tag=process) EventCode=11 process_id!=4 file_path=*System\\ Volume Information* | stats count min(_time) as firstTime max(_time) as lastTime by dest, Image, file_path | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_writes_to_system_volume_information_filter`", "how_to_implement": "You need to be ingesting logs with both the process name and command-line from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "It is possible that other utilities or system processes may legitimately write to this folder. Investigate and modify the search to include exceptions as appropriate.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "suspicious_writes_to_system_volume_information_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Uncommon Processes On Endpoint", "author": "David Dorsey, Splunk", "date": "2020-07-22", "version": 4, "id": "29ccce64-a10c-4389-a45f-337cb29ba1f7", "description": "This search looks for applications on the endpoint that you have marked as uncommon.", "references": [], "tags": {"analytic_story": ["Hermetic Wiper", "Unusual Processes", "Windows Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.dest Processes.user Processes.process Processes.process_name | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `uncommon_processes` |`uncommon_processes_on_endpoint_filter` ", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "None identified", "datamodel": ["Endpoint"], "source": "deprecated", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "uncommon_processes", "definition": "lookup update=true lookup_uncommon_processes_default process_name as process_name outputnew uncommon_default,category_default,analytic_story_default,kill_chain_phase_default,mitre_attack_default | lookup update=true lookup_uncommon_processes_local process_name as process_name outputnew uncommon_local,category_local,analytic_story_local,kill_chain_phase_local,mitre_attack_local | eval uncommon = coalesce(uncommon_default, uncommon_local), analytic_story = coalesce(analytic_story_default, analytic_story_local), category=coalesce(category_default, category_local), kill_chain_phase=coalesce(kill_chain_phase_default, kill_chain_phase_local), mitre_attack=coalesce(mitre_attack_default, mitre_attack_local) | fields - analytic_story_default, analytic_story_local, category_default, category_local, kill_chain_phase_default, kill_chain_phase_local, mitre_attack_default, mitre_attack_local, uncommon_default, uncommon_local | search uncommon=true", "description": "This macro limits the output to processes that have been marked as uncommon"}, {"name": "uncommon_processes_on_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Unsigned Image Loaded by LSASS", "author": "Patrick Bareiss, Splunk", "date": "2019-12-06", "version": 1, "id": "56ef054c-76ef-45f9-af4a-a634695dcd65", "description": "This search detects loading of unsigned images by LSASS. Deprecated because too noisy.", "references": ["https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf"], "tags": {"analytic_story": ["Credential Dumping"], "asset_type": "Windows", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}]}, "type": "TTP", "search": "`sysmon` EventID=7 Image=*lsass.exe Signed=false | stats count min(_time) as firstTime max(_time) as lastTime by dest, Image, ImageLoaded, Signed, SHA1 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `unsigned_image_loaded_by_lsass_filter` ", "how_to_implement": "This search needs Sysmon Logs with a sysmon configuration, which includes EventCode 7 with lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.", "known_false_positives": "Other tools could load images into LSASS for legitimate reason. But enterprise tools should always use signed DLLs.", "datamodel": [], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "unsigned_image_loaded_by_lsass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Unsuccessful Netbackup backups", "author": "David Dorsey, Splunk", "date": "2017-09-12", "version": 1, "id": "a34aae96-ccf8-4aaa-952c-3ea21444444f", "description": "This search gives you the hosts where a backup was attempted and then failed.", "references": [], "tags": {"analytic_story": ["Monitor Backup Solution"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`netbackup` | stats latest(_time) as latestTime by COMPUTERNAME, MESSAGE | search MESSAGE=\"An error occurred, failed to backup.\" | `security_content_ctime(latestTime)` | rename COMPUTERNAME as dest, MESSAGE as signature | table latestTime, dest, signature | `unsuccessful_netbackup_backups_filter`", "how_to_implement": "To successfully implement this search you need to obtain data from your backup solution, either from the backup logs on your endpoints or from a central server responsible for performing the backups. If you do not use Netbackup, you can modify this search for your specific backup solution.", "known_false_positives": "None identified", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "netbackup", "definition": "sourcetype=\"netbackup_logs\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "unsuccessful_netbackup_backups_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Web Fraud - Account Harvesting", "author": "Jim Apger, Splunk", "date": "2018-10-08", "version": 1, "id": "bf1d7b5c-df2f-4249-a401-c09fdc221ddf", "description": "This search is used to identify the creation of multiple user accounts using the same email domain name.", "references": ["https://splunkbase.splunk.com/app/2734/", "https://splunkbase.splunk.com/app/1809/"], "tags": {"analytic_story": ["Web Fraud Detection"], "asset_type": "Account", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider", "Scattered Spider"]}]}, "type": "TTP", "search": "`stream_http` http_content_type=text* uri=\"/magento2/customer/account/loginPost/\" | rex field=cookie \"form_key=(?\\w+)\" | rex field=form_data \"login\\[username\\]=(?[^&|^$]+)\" | search Username=* | rex field=Username \"@(?.*)\" | stats dc(Username) as UniqueUsernames list(Username) as src_user by email_domain | where UniqueUsernames> 25 | `web_fraud___account_harvesting_filter`", "how_to_implement": "We start with a dataset that provides visibility into the email address used for the account creation. In this example, we are narrowing our search down to the single web page that hosts the Magento2 e-commerce platform (via URI) used for account creation, the single http content-type to grab only the user's clicks, and the http field that provides the username (form_data), for performance reasons. After we have the username and email domain, we look for numerous account creations per email domain. Common data sources used for this detection are customized Apache logs or Splunk Stream.", "known_false_positives": "As is common with many fraud-related searches, we are usually looking to attribute risk or synthesize relevant context with loosely written detections that simply detect anamolous behavior. This search will need to be customized to fit your environment—improving its fidelity by counting based on something much more specific, such as a device ID that may be present in your dataset. Consideration for whether the large number of registrations are occuring from a first-time seen domain may also be important. Extending the search window to look further back in time, or even calculating the average per hour/day for each email domain to look for an anomalous spikes, will improve this search. You can also use Shannon entropy or Levenshtein Distance (both courtesy of URL Toolbox) to consider the randomness or similarity of the email name or email domain, as the names are often machine-generated.", "datamodel": [], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "stream_http", "definition": "sourcetype=stream:http", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "web_fraud___account_harvesting_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Web Fraud - Anomalous User Clickspeed", "author": "Jim Apger, Splunk", "date": "2018-10-08", "version": 1, "id": "31337bbb-bc22-4752-b599-ef192df2dc7a", "description": "This search is used to examine web sessions to identify those where the clicks are occurring too quickly for a human or are occurring with a near-perfect cadence (high periodicity or low standard deviation), resembling a script driven session.", "references": ["https://en.wikipedia.org/wiki/Session_ID", "https://en.wikipedia.org/wiki/Session_(computer_science)", "https://en.wikipedia.org/wiki/HTTP_cookie", "https://splunkbase.splunk.com/app/1809/"], "tags": {"analytic_story": ["Web Fraud Detection"], "asset_type": "Account", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "type": "Anomaly", "search": "`stream_http` http_content_type=text* | rex field=cookie \"form_key=(?\\w+)\" | streamstats window=2 current=1 range(_time) as TimeDelta by session_id | where TimeDelta>0 |stats count stdev(TimeDelta) as ClickSpeedStdDev avg(TimeDelta) as ClickSpeedAvg by session_id | where count>5 AND (ClickSpeedStdDev<.5 OR ClickSpeedAvg<.5) | `web_fraud___anomalous_user_clickspeed_filter`", "how_to_implement": "Start with a dataset that allows you to see clickstream data for each user click on the website. That data must have a time stamp and must contain a reference to the session identifier being used by the website. This ties the clicks together into clickstreams. This value is usually found in the http cookie. With a bit of tuning, a version of this search could be used in high-volume scenarios, such as scraping, crawling, application DDOS, credit-card testing, account takeover, etc. Common data sources used for this detection are customized Apache logs, customized IIS, and Splunk Stream.", "known_false_positives": "As is common with many fraud-related searches, we are usually looking to attribute risk or synthesize relevant context with loosly written detections that simply detect anamoluous behavior.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "stream_http", "definition": "sourcetype=stream:http", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "web_fraud___anomalous_user_clickspeed_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Web Fraud - Password Sharing Across Accounts", "author": "Jim Apger, Splunk", "date": "2018-10-08", "version": 1, "id": "31337a1a-53b9-4e05-96e9-55c934cb71d3", "description": "This search is used to identify user accounts that share a common password.", "references": ["https://en.wikipedia.org/wiki/Session_ID", "https://en.wikipedia.org/wiki/Session_(computer_science)", "https://en.wikipedia.org/wiki/HTTP_cookie", "https://splunkbase.splunk.com/app/1809/"], "tags": {"analytic_story": ["Web Fraud Detection"], "asset_type": "Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`stream_http` http_content_type=text* uri=/magento2/customer/account/loginPost* | rex field=form_data \"login\\[username\\]=(?[^&|^$]+)\" | rex field=form_data \"login\\[password\\]=(?[^&|^$]+)\" | stats dc(Username) as UniqueUsernames values(Username) as user list(src_ip) as src_ip by Password|where UniqueUsernames>5 | `web_fraud___password_sharing_across_accounts_filter`", "how_to_implement": "We need to start with a dataset that allows us to see the values of usernames and passwords that users are submitting to the website hosting the Magento2 e-commerce platform (commonly found in the HTTP form_data field). A tokenized or hashed value of a password is acceptable and certainly preferable to a clear-text password. Common data sources used for this detection are customized Apache logs, customized IIS, and Splunk Stream.", "known_false_positives": "As is common with many fraud-related searches, we are usually looking to attribute risk or synthesize relevant context with loosely written detections that simply detect anamoluous behavior.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "stream_http", "definition": "sourcetype=stream:http", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "web_fraud___password_sharing_across_accounts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows connhost exe started forcefully", "author": "Rod Soto, Jose Hernandez, Splunk", "date": "2020-11-06", "version": 1, "id": "c114aaca-68ee-41c2-ad8c-32bf21db8769", "description": "The search looks for the Console Window Host process (connhost.exe) executed using the force flag -ForceV1. This is not regular behavior in the Windows OS and is often seen executed by the Ryuk Ransomware. DEPRECATED This event is actually seen in the windows 10 client of attack_range_local. After further testing we realized this is not specific to Ryuk. ", "references": [], "tags": {"analytic_story": ["Ryuk Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes WHERE Processes.process=\"*C:\\\\Windows\\\\system32\\\\conhost.exe* 0xffffffff *-ForceV1*\" by Processes.user Processes.process_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_connhost_exe_started_forcefully_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "This process should not be ran forcefully, we have not see any false positives for this detection", "datamodel": ["Endpoint"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_connhost_exe_started_forcefully_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows DLL Search Order Hijacking Hunt", "author": "Michael Haag, Splunk", "date": "2023-11-07", "version": 3, "id": "79c7d0fc-60c7-41be-a616-ccda752efe89", "description": "The following hunting analytic is an experimental query built against a accidental feature using the latest Sysmon TA 3.0 (https://splunkbase.splunk.com/app/5709/) which maps the module load (ImageLoaded) to process_name. This analytic will deprecate once this is fixed. This hunting analytic identifies known libraries in Windows that may be used in a DLL search order hijack or DLL Sideloading setting. This may require recompiling the DLL, moving the DLL or moving the vulnerable process. The query looks for any running out of system32 or syswow64. Some libraries natively run out of other application paths and will need to be added to the exclusion as needed. The lookup is comprised of Microsoft native libraries identified within the Hijacklibs.net project.", "references": ["https://hijacklibs.net/"], "tags": {"analytic_story": ["Living Off The Land", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Potential Windows DLL Search Order Hijacking detected on $dest$", "risk_score": 1, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1574.001", "mitre_attack_technique": "DLL Search Order Hijacking", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT41", "Aquatic Panda", "BackdoorDiplomacy", "Cinnamon Tempest", "Evilnum", "RTM", "Threat Group-3390", "Tonto Team", "Whitefly", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process_name) as process_name from datamodel=Endpoint.Processes where Processes.dest!=unknown Processes.user!=unknown NOT (Processes.process_path IN (\"*\\\\system32\\\\*\", \"*\\\\syswow64\\\\*\",\"*\\\\winsxs\\\\*\",\"*\\\\wbem\\\\*\")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process_path | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | lookup hijacklibs library AS process_name OUTPUT islibrary | search islibrary = True | rename parent_process_name as process_name , process_name AS ImageLoaded, process_path AS Module_Path | `windows_dll_search_order_hijacking_hunt_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will be present based on paths. Filter or add other paths to the exclusion as needed.", "datamodel": ["Endpoint"], "source": "deprecated", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_dll_search_order_hijacking_hunt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "hijacklibs", "description": "A list of potentially abused libraries in Windows", "filename": "hijacklibs.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(library)", "min_matches": 1, "fields_list": null}]}, {"name": "Windows hosts file modification", "author": "Rico Valdez, Splunk", "date": "2018-11-02", "version": 1, "id": "06a6fc63-a72d-41dc-8736-7e3dd9612116", "description": "The search looks for modifications to the hosts file on all Windows endpoints across your environment.", "references": [], "tags": {"analytic_story": ["Host Redirection"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem by Filesystem.file_name Filesystem.file_path Filesystem.dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | search Filesystem.file_name=hosts AND Filesystem.file_path=*Windows\\\\System32\\\\* | `drop_dm_object_name(Filesystem)` | `windows_hosts_file_modification_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records the file-system activity from your hosts to populate the Endpoint.Filesystem data model node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or by other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file-system reads and writes.", "known_false_positives": "There may be legitimate reasons for system administrators to add entries to this file.", "datamodel": ["Endpoint"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_hosts_file_modification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "3CX Supply Chain Attack Network Indicators", "author": "Michael Haag, Splunk", "date": "2024-05-21", "version": 2, "id": "791b727c-deec-4fbe-a732-756131b3c5a1", "description": "The following analytic identifies DNS queries to domains associated with the 3CX supply chain attack. It leverages the Network_Resolution datamodel to detect these suspicious domain indicators. This activity is significant because it can indicate a potential compromise stemming from the 3CX supply chain attack, which is known for distributing malicious software through trusted updates. If confirmed malicious, this activity could allow attackers to establish a foothold in the network, exfiltrate sensitive data, or further propagate malware, leading to extensive damage and data breaches.", "references": ["https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/", "https://www.cisa.gov/news-events/alerts/2023/03/30/supply-chain-attack-against-3cxdesktopapp", "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/", "https://www.3cx.com/community/threads/crowdstrike-endpoint-security-detection-re-3cx-desktop-app.119934/page-2#post-558898", "https://www.3cx.com/community/threads/3cx-desktopapp-security-alert.119951/"], "tags": {"analytic_story": ["3CX Supply Chain Attack"], "asset_type": "Network", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "Hostname", "role": ["Victim"]}, {"name": "query", "type": "URL String", "role": ["Attacker"]}], "message": "Indicators related to 3CX supply chain attack have been identified on $src$.", "risk_score": 100, "security_domain": "network", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1195.002", "mitre_attack_technique": "Compromise Software Supply Chain", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT41", "Cobalt Group", "Dragonfly", "FIN7", "GOLD SOUTHFIELD", "Sandworm Team", "Threat Group-3390"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(DNS.answer) as IPs min(_time) as firstTime from datamodel=Network_Resolution by DNS.src, DNS.query | `drop_dm_object_name(DNS)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | lookup 3cx_ioc_domains domain as query OUTPUT Description isIOC | search isIOC=true | `3cx_supply_chain_attack_network_indicators_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information into the `Network Resolution` datamodel in the `DNS` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA''s are installed.", "known_false_positives": "False positives will be present for accessing the 3cx[.]com website. Remove from the lookup as needed.", "datamodel": ["Network_Resolution"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "3cx_supply_chain_attack_network_indicators_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "3cx_ioc_domains", "description": "A list of domains from the 3CX supply chain attack.", "filename": "3cx_ioc_domains.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(domain)", "min_matches": 1, "fields_list": null}]}, {"name": "7zip CommandLine To SMB Share Path", "author": "Teoderick Contreras, Splunk", "date": "2021-08-17", "version": 1, "id": "01d29b48-ff6f-11eb-b81e-acde48001123", "description": "This search is to detect a suspicious 7z process with commandline pointing to SMB network share. This technique was seen in CONTI LEAK tools where it use 7z to archive a sensitive files and place it in network share tmp folder. This search is a good hunting query that may give analyst a hint why specific user try to archive a file pointing to SMB user which is un usual.", "references": ["https://threadreaderapp.com/thread/1423361119926816776.html"], "tags": {"analytic_story": ["Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "archive process $process_name$ with suspicious cmdline $process$ in host $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "APT5", "Akira", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN13", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name =\"7z.exe\" OR Processes.process_name = \"7za.exe\" OR Processes.original_file_name = \"7z.exe\" OR Processes.original_file_name = \"7za.exe\") AND (Processes.process=\"*\\\\C$\\\\*\" OR Processes.process=\"*\\\\Admin$\\\\*\" OR Processes.process=\"*\\\\IPC$\\\\*\") by Processes.original_file_name Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.parent_process_id Processes.process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `7zip_commandline_to_smb_share_path_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "7zip_commandline_to_smb_share_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Access LSASS Memory for Dump Creation", "author": "Patrick Bareiss, Splunk", "date": "2023-12-27", "version": 2, "id": "fb4c31b0-13e8-4155-8aa5-24de4b8d6717", "description": "The following analytic detects the dumping of the LSASS process memory, which occurs during credential dumping attacks.The detection is made by using Sysmon logs, specifically EventCode 10, which is related to lsass.exe. This helps to search for indicators of LSASS memory dumping such as specific call traces to dbgcore.dll and dbghelp.dll. This detection is important because it prevents credential dumping attacks and the theft of sensitive information such as login credentials, which can be used to gain unauthorized access to systems and data. False positives might occur due to legitimate administrative tasks. Next steps include reviewing and investigating each case, given the high risk associated with potential credential dumping attacks.", "references": ["https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf"], "tags": {"analytic_story": ["CISA AA23-347A", "Credential Dumping"], "asset_type": "Windows", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "TargetImage", "type": "Process", "role": ["Target"]}], "message": "process $SourceImage$ injected into $TargetImage$ and was attempted dump LSASS on $dest$. Adversaries tend to do this when trying to accesss credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "type": "TTP", "search": "`sysmon` EventCode=10 TargetImage=*lsass.exe CallTrace=*dbgcore.dll* OR CallTrace=*dbghelp.dll* | stats count min(_time) as firstTime max(_time) as lastTime by dest, TargetImage, TargetProcessId, SourceImage, SourceProcessId | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `access_lsass_memory_for_dump_creation_filter` ", "how_to_implement": "This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 10 for lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.", "known_false_positives": "Administrators can create memory dumps for debugging purposes, but memory dumps of the LSASS process would be unusual.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "access_lsass_memory_for_dump_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Account Discovery With Net App", "author": "Teoderick Contreras, Splunk, TheLawsOfChaos, Github Community", "date": "2023-01-04", "version": 4, "id": "339805ce-ac30-11eb-b87d-acde48001122", "description": "This search is to detect a potential account discovery series of command used by several malware or attack to recon the target machine. This technique is also seen in some note worthy malware like trickbot where it runs a cmd process, or even drop its module that will execute the said series of net command. This series of command are good correlation search and indicator of attacker recon if seen in the machines within a none technical user or department (HR, finance, ceo and etc) network.", "references": ["https://labs.vipre.com/trickbot-and-its-modules/", "https://whitehat.eu/incident-response-case-study-featuring-ryuk-and-trickbot-part-2/", "https://app.any.run/tasks/48414a33-3d66-4a46-afe5-c2003bb55ccf/"], "tags": {"analytic_story": ["IcedID", "Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process Name", "role": ["Child Process"]}], "message": "Suspicious $process_name$ usage detected on endpoint $dest$ by user $user$.", "risk_score": 5, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT41", "BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Scattered Spider", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND (Processes.process=\"* user *\" OR Processes.process=\"*config*\" OR Processes.process=\"*view /all*\") by Processes.process_name Processes.dest Processes.user Processes.parent_process_name | where count >=4 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `account_discovery_with_net_app_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Admin or power user may used this series of command.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "account_discovery_with_net_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Active Directory Lateral Movement Identified", "author": "Michael Haag, Splunk", "date": "2023-11-07", "version": 2, "id": "6aa6f9dd-adfe-45a8-8f74-c4c7a0d7d037", "description": "The primary objective of this correlation rule is to detect and alert on potential lateral movement activities within an organization's Active Directory (AD) environment. By identifying multiple analytics associated with the Active Directory Lateral Movement analytic story, security analysts can gain better insight into possible threats and respond accordingly to mitigate risks. The correlation rule will trigger an alert when multiple analytics from the Active Directory Lateral Movement analytic story are detected within a specified time frame. The rule will generate an alert if a predetermined threshold of correlated analytics is reached within the specified time frame. This threshold can be customized to suit the needs and risk appetite of the organization.", "references": ["https://attack.mitre.org/tactics/TA0008/", "https://research.splunk.com/stories/active_directory_lateral_movement/"], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "Hostname", "role": ["Victim"]}], "message": "Activity related to lateral movement has been identified on $risk_object$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1210", "mitre_attack_technique": "Exploitation of Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "Dragonfly", "Earth Lusca", "FIN7", "Fox Kitten", "MuddyWater", "Threat Group-3390", "Tonto Team", "Wizard Spider", "menuPass"]}]}, "type": "Correlation", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories=\"Active Directory Lateral Movement\" All_Risk.risk_object_type=\"system\" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 4 | `active_directory_lateral_movement_identified_filter`", "how_to_implement": "Splunk Enterprise Security is required to utilize this correlation. In addition, modify the source_count value to your environment. In our testing, a count of 4 or 5 was decent in a lab, but the number may need to be increased as the analytic story includes over 30 analytics. In addition, based on false positives, modify any analytics to be anomaly and lower or increase risk based on organization importance.", "known_false_positives": "False positives will most likely be present based on risk scoring and how the organization handles system to system communication. Filter, or modify as needed. In addition to count by analytics, adding a risk score may be useful. In our testing, with 22 events over 30 days, the risk scores ranged from 500 to 80,000. Your organization will be different, monitor and modify as needed.", "datamodel": ["Risk"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "active_directory_lateral_movement_identified_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Active Directory Privilege Escalation Identified", "author": "Mauricio Velazco, Splunk", "date": "2023-05-23", "version": 1, "id": "583e8a68-f2f7-45be-8fc9-bf725f0e22fd", "description": "The primary objective of this correlation rule is to detect and alert on potential privilege escalation activities within an organization's Active Directory (AD) environment. By identifying multiple analytics associated with the Active Directory Privilege Escalation analytic story, security analysts can gain better insight into possible threats and respond accordingly to mitigate risks. The correlation rule will trigger an alert when multiple analytics from the Active Directory Privilege Escalation analytic story are detected within a specified time frame. The rule will generate an alert if a predetermined threshold of correlated analytics is reached within the specified time frame. This threshold can be customized to suit the needs and risk appetite of the organization.", "references": ["https://attack.mitre.org/tactics/TA0004/", "https://research.splunk.com/stories/active_directory_privilege_escalation/"], "tags": {"analytic_story": ["Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "Hostname", "role": ["Victim"]}], "message": "Activity related to privilege escalation has been identified on $risk_object$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1484", "mitre_attack_technique": "Domain or Tenant Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "Correlation", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories=\"Active Directory Privilege Escalation\" All_Risk.risk_object_type=\"system\" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 4 | `active_directory_privilege_escalation_identified_filter`", "how_to_implement": "Splunk Enterprise Security is required to utilize this correlation. In addition, modify the source_count value to your environment. In our testing, a count of 4 or 5 was decent in a lab, but the number may need to be increased as the analytic story includes over 30 analytics. In addition, based on false positives, modify any analytics to be anomaly and lower or increase risk based on organization importance.", "known_false_positives": "False positives will most likely be present based on risk scoring and how the organization handles system to system communication. Filter, or modify as needed. In addition to count by analytics, adding a risk score may be useful. In our testing, with 22 events over 30 days, the risk scores ranged from 500 to 80,000. Your organization will be different, monitor and modify as needed.", "datamodel": ["Risk"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "active_directory_privilege_escalation_identified_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Active Setup Registry Autostart", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2023-04-27", "version": 4, "id": "f64579c0-203f-11ec-abcc-acde48001122", "description": "This analytic is to detect a suspicious modification of the active setup registry for persistence and privilege escalation. This technique was seen in several malware (poisonIvy), adware and APT to gain persistence to the compromised machine upon boot up. This TTP is a good indicator to further check the process id that do the modification since modification of this registry is not commonly done. check the legitimacy of the file and process involve in this rules to check if it is a valid setup installer that creating or modifying this registry.", "references": ["https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor%3AWin32%2FPoisonivy.E", "https://attack.mitre.org/techniques/T1547/014/"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Persistence Techniques", "Windows Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "modified/added/deleted registry entry $registry_path$ in $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.014", "mitre_attack_technique": "Active Setup", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_value_name= \"StubPath\" Registry.registry_path = \"*\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components*\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `active_setup_registry_autostart_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "Active setup installer may add or modify this registry.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "active_setup_registry_autostart_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Add DefaultUser And Password In Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2023-03-29", "version": 4, "id": "d4a3eb62-0f1e-11ec-a971-acde48001122", "description": "this search is to detect a suspicious registry modification to implement auto admin logon to a host. This technique was seen in BlackMatter ransomware to automatically logon to the compromise host after triggering a safemode boot to continue encrypting the whole network. This behavior is not a common practice and really a suspicious TTP or alert need to be consider if found within then network premise.", "references": ["https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/"], "tags": {"analytic_story": ["BlackMatter Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "modified registry key $registry_key_name$ with registry value $registry_value_name$ to prepare autoadminlogon", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1552.002", "mitre_attack_technique": "Credentials in Registry", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT32"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon*\" AND Registry.registry_value_name= DefaultPassword OR Registry.registry_value_name= DefaultUserName) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.dest Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `add_defaultuser_and_password_in_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "add_defaultuser_and_password_in_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Add or Set Windows Defender Exclusion", "author": "Teoderick Contreras, Splunk", "date": "2023-04-14", "version": 1, "id": "773b66fe-4dd9-11ec-8289-acde48001122", "description": "This analytic will identify a suspicious process command-line related to Windows Defender exclusion feature. This command is abused by adversaries, malware authors and red teams to bypass Windows Defender Antivirus products by excluding folder path, file path, process and extensions. From its real time or schedule scan to execute their malicious code. This is a good indicator for defense evasion and to look further for events after this behavior.", "references": ["https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html", "https://app.any.run/tasks/cf1245de-06a7-4366-8209-8e3006f2bfe5/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"analytic_story": ["AgentTesla", "CISA AA22-320A", "Data Destruction", "Remcos", "WhisperGate", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "exclusion command $process$ executed on $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process = \"*Add-MpPreference *\" OR Processes.process = \"*Set-MpPreference *\") AND Processes.process=\"*-exclusion*\" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `add_or_set_windows_defender_exclusion_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Admin or user may choose to use this windows features. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "add_or_set_windows_defender_exclusion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AdsiSearcher Account Discovery", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2023-12-27", "version": 2, "id": "de7fcadc-04f3-11ec-a241-acde48001122", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain groups. Red Teams and adversaries may leverage `[Adsisearcher]` to enumerate domain users for situational awareness and Active Directory Discovery.", "references": ["https://attack.mitre.org/techniques/T1087/002/", "https://www.blackhillsinfosec.com/red-blue-purple/", "https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/"], "tags": {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A", "Data Destruction", "Industroyer2"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Powershell process having commandline \"AdsiSearcher\" used for user enumeration on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT41", "BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Scattered Spider", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}]}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*[adsisearcher]*\" ScriptBlockText = \"*objectcategory=user*\" ScriptBlockText = \"*.findAll()*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Computer ScriptBlockText UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `adsisearcher_account_discovery_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "adsisearcher_account_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Allow File And Printing Sharing In Firewall", "author": "Teoderick Contreras, Splunk", "date": "2023-12-15", "version": 3, "id": "ce27646e-d411-11eb-8a00-acde48001122", "description": "This search is to detect a suspicious modification of firewall to allow file and printer sharing. This technique was seen in ransomware to be able to discover more machine connected to the compromised host to encrypt more files", "references": ["https://community.fortinet.com/t5/FortiEDR/How-FortiEDR-detects-and-blocks-Revil-Ransomware-aka-sodinokibi/ta-p/189638?externalID=FD52469", "https://app.any.run/tasks/c0f98850-af65-4352-9746-fbebadee4f05/"], "tags": {"analytic_story": ["BlackByte Ransomware", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A suspicious modification of firewall to allow file and printer sharing detected on host - $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.007", "mitre_attack_technique": "Disable or Modify Cloud Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh` Processes.process= \"*firewall*\" Processes.process= \"*group=\\\"File and Printer Sharing\\\"*\" Processes.process=\"*enable=Yes*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `allow_file_and_printing_sharing_in_firewall_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "network admin may modify this firewall feature that may cause this rule to be triggered.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_netsh", "definition": "(Processes.process_name=netsh.exe OR Processes.original_file_name=netsh.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "allow_file_and_printing_sharing_in_firewall_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Allow Inbound Traffic By Firewall Rule Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2023-03-29", "version": 5, "id": "0a46537c-be02-11eb-92ca-acde48001122", "description": "The following analytic detects a potential suspicious modification of firewall rule registry allowing inbound traffic in specific port with public profile. This technique was identified when an adversary wants to grant remote access to a machine by allowing the traffic in a firewall rule.", "references": ["https://docs.microsoft.com/en-us/powershell/module/netsecurity/new-netfirewallrule?view=windowsserver2019-ps"], "tags": {"analytic_story": ["Azorult", "NjRAT", "PlugX", "Prohibited Traffic Allowed or Protocol Mismatch", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Suspicious firewall allow rule modifications were detected via the registry on endpoint $dest$ by user $user$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "APT5", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\System\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\FirewallRules\\\\*\" Registry.registry_value_data = \"*|Action=Allow|*\" Registry.registry_value_data = \"*|Dir=In|*\" Registry.registry_value_data = \"*|LPort=*\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `allow_inbound_traffic_by_firewall_rule_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "network admin may add/remove/modify public inbound firewall rule that may cause this rule to be triggered.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "allow_inbound_traffic_by_firewall_rule_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Allow Inbound Traffic In Firewall Rule", "author": "Teoderick Contreras, Splunk", "date": "2024-04-26", "version": 2, "id": "a5d85486-b89c-11eb-8267-acde48001122", "description": "The following analytic identifies suspicious PowerShell command to allow inbound traffic inbound to a specific local port within the public profile. This technique was seen in some attacker want to have a remote access to a machine by allowing the traffic in firewall rule.", "references": ["https://docs.microsoft.com/en-us/powershell/module/netsecurity/new-netfirewallrule?view=windowsserver2019-ps"], "tags": {"analytic_story": ["Prohibited Traffic Allowed or Protocol Mismatch"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Suspicious firewall modification detected on endpoint $dest$ by user $user$.", "risk_score": 3, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "APT5", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}]}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*firewall*\" ScriptBlockText = \"*Inbound*\" ScriptBlockText = \"*Allow*\" ScriptBlockText = \"*-LocalPort*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `allow_inbound_traffic_in_firewall_rule_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the powershell logs from your endpoints. make sure you enable needed registry to monitor this event.", "known_false_positives": "administrator may allow inbound traffic in certain network or machine.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "allow_inbound_traffic_in_firewall_rule_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Allow Network Discovery In Firewall", "author": "Teoderick Contreras, Splunk", "date": "2021-06-23", "version": 2, "id": "ccd6a38c-d40b-11eb-85a5-acde48001122", "description": "This search is to detect a suspicious modification to the firewall to allow network discovery on a machine. This technique was seen in couple of ransomware (revil, reddot) to discover other machine connected to the compromised host to encrypt more files.", "references": ["https://community.fortinet.com/t5/FortiEDR/How-FortiEDR-detects-and-blocks-Revil-Ransomware-aka-sodinokibi/ta-p/189638?externalID=FD52469", "https://app.any.run/tasks/c0f98850-af65-4352-9746-fbebadee4f05/"], "tags": {"analytic_story": ["BlackByte Ransomware", "NjRAT", "Ransomware", "Revil Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious modification to the firewall to allow network discovery detected on host - $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.007", "mitre_attack_technique": "Disable or Modify Cloud Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh` Processes.process= \"*firewall*\" Processes.process= \"*group=\\\"Network Discovery\\\"*\" Processes.process=\"*enable*\" Processes.process=\"*Yes*\" by Processes.dest Processes.user Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `allow_network_discovery_in_firewall_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "network admin may modify this firewall feature that may cause this rule to be triggered.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_netsh", "definition": "(Processes.process_name=netsh.exe OR Processes.original_file_name=netsh.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "allow_network_discovery_in_firewall_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Allow Operation with Consent Admin", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2023-03-29", "version": 4, "id": "7de17d7a-c9d8-11eb-a812-acde48001122", "description": "This analytic identifies a potential privilege escalation attempt to perform malicious task. This registry modification is designed to allow the `Consent Admin` to perform an operation that requires elevation without consent or credentials. We also found this in some attacker to gain privilege escalation to the compromise machine.", "references": ["https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpsb/341747f5-6b5d-4d30-85fc-fa1cc04038d4", "https://www.trendmicro.com/vinfo/no/threat-encyclopedia/malware/Ransom.Win32.MRDEC.MRA/"], "tags": {"analytic_story": ["Azorult", "Ransomware", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Suspicious registry modification was performed on endpoint $dest$ by user $user$. This behavior is indicative of privilege escalation.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System*\" Registry.registry_value_name = ConsentPromptBehaviorAdmin Registry.registry_value_data = \"0x00000000\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `allow_operation_with_consent_admin_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "allow_operation_with_consent_admin_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Anomalous usage of 7zip", "author": "Michael Haag, Teoderick Contreras, Splunk", "date": "2023-11-07", "version": 2, "id": "9364ee8e-a39a-11eb-8f1d-acde48001122", "description": "The following detection identifies a 7z.exe spawned from `Rundll32.exe` or `Dllhost.exe`. It is assumed that the adversary has brought in `7z.exe` and `7z.dll`. It has been observed where an adversary will rename `7z.exe`. Additional coverage may be required to identify the behavior of renamed instances of `7z.exe`. During triage, identify the source of injection into `Rundll32.exe` or `Dllhost.exe`. Capture any files written to disk and analyze as needed. Review parallel processes for additional behaviors. Typically, archiving files will result in exfiltration.", "references": ["https://attack.mitre.org/techniques/T1560/001/", "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", "https://thedfirreport.com/2021/01/31/bazar-no-ryuk/"], "tags": {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack", "NOBELIUM Group"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$. This behavior is indicative of suspicious loading of 7zip.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "APT5", "Akira", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN13", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"rundll32.exe\", \"dllhost.exe\") Processes.process_name=*7z* by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `anomalous_usage_of_7zip_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited as this behavior is not normal for `rundll32.exe` or `dllhost.exe` to spawn and run 7zip.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "anomalous_usage_of_7zip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Any Powershell DownloadFile", "author": "Michael Haag, Splunk", "date": "2023-04-14", "version": 3, "id": "1a93b7ea-7af7-11eb-adb5-acde48001122", "description": "The following analytic identifies the use of PowerShell downloading a file using `DownloadFile` method. This particular method is utilized in many different PowerShell frameworks to download files and output to disk. Identify the source (IP/domain) and destination file and triage appropriately. If AMSI logging or PowerShell transaction logs are available, review for further details of the implant.", "references": ["https://docs.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-5.0", "https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"], "tags": {"analytic_story": ["DarkCrystal RAT", "Data Destruction", "Hermetic Wiper", "Ingress Tool Transfer", "Log4Shell CVE-2021-44228", "Malicious PowerShell", "Phemedrone Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$. This behavior identifies the use of DownloadFile within PowerShell.", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=*DownloadFile* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `any_powershell_downloadfile_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present and filtering will need to occur by parent process or command line argument. It may be required to modify this query to an EDR product for more granular coverage.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "any_powershell_downloadfile_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Any Powershell DownloadString", "author": "Michael Haag, Splunk", "date": "2023-04-05", "version": 3, "id": "4d015ef2-7adf-11eb-95da-acde48001122", "description": "The following analytic identifies the use of PowerShell downloading a file using `DownloadString` method. This particular method is utilized in many different PowerShell frameworks to download files and output to disk. Identify the source (IP/domain) and destination file and triage appropriately. If AMSI logging or PowerShell transaction logs are available, review for further details of the implant.", "references": ["https://docs.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-5.0", "https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"analytic_story": ["Data Destruction", "HAFNIUM Group", "Hermetic Wiper", "IcedID", "Ingress Tool Transfer", "Malicious PowerShell", "Phemedrone Stealer", "SysAid On-Prem Software CVE-2023-47246 Vulnerability", "Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$. This behavior identifies the use of DownloadString within PowerShell.", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=*.DownloadString* by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `any_powershell_downloadstring_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present and filtering will need to occur by parent process or command line argument. It may be required to modify this query to an EDR product for more granular coverage.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "any_powershell_downloadstring_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Attacker Tools On Endpoint", "author": "Bhavin Patel, Splunk", "date": "2024-01-01", "version": 3, "id": "a51bfe1a-94f0-48cc-b4e4-16a110145893", "description": "The following analytic detects the use of tools that are commonly exploited by cybercriminals since these tools are usually associated with malicious activities such as unauthorized access, network scanning, or data exfiltration and pose a significant threat to an organization's security infrastructure. It also provides enhanced visibility into potential security threats and helps to proactively detect and respond to mitigate the risks associated with cybercriminal activities. This detection is made by examining the process activity on the host, specifically focusing on processes that are known to be associated with attacker tool names. This detection is important because it acts as an early warning system for potential security incidents that allows you to respond to security incidents promptly. False positives might occur due to legitimate administrative activities that can resemble malicious actions. You must develop a comprehensive understanding of typical endpoint activities and behaviors within the organization to accurately interpret and respond to the alerts generated by this analytic. This ensures a proper balance between precision and minimizing false positives.", "references": [], "tags": {"analytic_story": ["CISA AA22-264A", "Monitor for Unauthorized Software", "SamSam Ransomware", "Unusual Processes", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Reconnaissance"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "An attacker tool $process_name$,listed in attacker_tools.csv is executed on host $dest$ by User $user$. This process $process_name$ is known to do- $description$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036.005", "mitre_attack_technique": "Match Legitimate Name or Location", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT32", "APT39", "APT41", "APT5", "Aoqin Dragon", "BRONZE BUTLER", "BackdoorDiplomacy", "Blue Mockingbird", "Carbanak", "Chimera", "Darkhotel", "Earth Lusca", "FIN13", "FIN7", "Ferocious Kitten", "Fox Kitten", "Gamaredon Group", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Naikon", "PROMETHIUM", "Patchwork", "Poseidon Group", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "Sowbug", "TA2541", "TeamTNT", "ToddyCat", "Transparent Tribe", "Tropic Trooper", "Volt Typhoon", "WIRTE", "Whitefly", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1595", "mitre_attack_technique": "Active Scanning", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as process values(Processes.parent_process) as parent_process from datamodel=Endpoint.Processes where Processes.dest!=unknown Processes.user!=unknown by Processes.dest Processes.user Processes.process_name Processes.process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | lookup attacker_tools attacker_tool_names AS process_name OUTPUT description | search description !=false| `attacker_tools_on_endpoint_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Some administrator activity can be potentially triggered, please add those users to the filter macro.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "attacker_tools_on_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "attacker_tools", "description": "A list of tools used by attackers", "filename": "attacker_tools.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(attacker_tool_names)", "min_matches": 1, "fields_list": null}]}, {"name": "Attempt To Add Certificate To Untrusted Store", "author": "Patrick Bareiss, Rico Valdez, Splunk", "date": "2021-09-16", "version": 7, "id": "6bc5243e-ef36-45dc-9b12-f4a6be131159", "description": "The following analytic detects whether a process is attempting to add a certificate to the untrusted certificate store, which might result in security tools being disabled. The detection is made by focusing on process activities and command-line arguments that are related to the 'certutil -addstore' command. This detection is important because it helps to identify attackers who might add a certificate to the untrusted certificate store to disable security tools and gain unauthorized access to a system. False positives might occur since legitimate reasons might exist for a process to add a certificate to the untrusted certificate store, such as system administration tasks. Next steps include conducting an extensive triage and investigation prior to taking any action. Additionally, you must understand the importance of trust and its subversion in system security.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"], "tags": {"analytic_story": ["Disabling Security Tools"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified attempting to add a certificate to the store on endpoint $dest$ by user $user$.", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1553.004", "mitre_attack_technique": "Install Root Certificate", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1553", "mitre_attack_technique": "Subvert Trust Controls", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Axiom"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` (Processes.process=*-addstore*) by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `attempt_to_add_certificate_to_untrusted_store_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "There may be legitimate reasons for administrators to add a certificate to the untrusted certificate store. In such cases, this will typically be done on a large number of systems.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_certutil", "definition": "(Processes.process_name=certutil.exe OR Processes.original_file_name=CertUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "attempt_to_add_certificate_to_untrusted_store_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Attempt To Stop Security Service", "author": "Rico Valdez, Splunk", "date": "2023-06-13", "version": 4, "id": "c8e349c6-b97c-486e-8949-bd7bcd1f3910", "description": "The following analytic detects attempts to stop security-related services on the endpoint and helps to mitigate potential threats earlier, thereby minimizing the impact on the organization's security. The detection is made by using a Splunk query that searches for processes that involve the \"sc.exe\" command and include the phrase \"stop\" in their command. The query collects information such as the process name, process ID, parent process, user, destination, and timestamps. The detection is important because attempts to stop security-related services can indicate malicious activity or an attacker's attempt to disable security measures. This can impact the organization's security posture and can lead to the compromise of the endpoint and potentially the entire network. Disabling security services can allow attackers to gain unauthorized access, exfiltrate sensitive data, or launch further attacks, such as malware installation or privilege escalation. False positives might occur since there might be legitimate reasons for stopping these services in certain situations. Therefore, you must exercise caution and consider the context of the activity before taking any action. Next steps include reviewing the identified process and its associated details. You must also investigate any on-disk artifacts related to the process and review concurrent processes to determine the source of the attack.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md#atomic-test-14---disable-arbitrary-security-windows-service", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"analytic_story": ["Azorult", "Data Destruction", "Disabling Security Tools", "Graceful Wipe Out Attack", "Trickbot", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified attempting to disable security services on endpoint $dest$ by user $user$.", "risk_score": 20, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` OR Processes.process_name = sc.exe Processes.process=\"* stop *\" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |lookup security_services_lookup service as process OUTPUTNEW category, description | search category=security | `attempt_to_stop_security_service_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "None identified. Attempts to disable security-related services should be identified and understood.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "attempt_to_stop_security_service_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "security_services_lookup", "description": "A list of services that deal with security", "filename": "security_services.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(service)", "min_matches": 1, "fields_list": null}]}, {"name": "Attempted Credential Dump From Registry via Reg exe", "author": "Patrick Bareiss, Splunk", "date": "2024-05-19", "version": 8, "id": "e9fb4a59-c5fb-440a-9f24-191fbc6b2911", "description": "The following analytic detects the execution of reg.exe with parameters that export registry keys containing hashed credentials. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving reg.exe or cmd.exe with specific registry paths. This activity is significant because exporting these keys can allow attackers to obtain hashed credentials, which they may attempt to crack offline. If confirmed malicious, this could lead to unauthorized access to sensitive accounts, enabling further compromise and lateral movement within the network.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets"], "tags": {"analytic_story": ["CISA AA23-347A", "Credential Dumping", "DarkSide Ransomware", "Data Destruction", "Industroyer2", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to export the registry keys.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=reg* OR Processes.process_name=cmd* Processes.process=*save* (Processes.process=*HKEY_LOCAL_MACHINE\\\\Security* OR Processes.process=*HKEY_LOCAL_MACHINE\\\\SAM* OR Processes.process=*HKEY_LOCAL_MACHINE\\\\System* OR Processes.process=*HKLM\\\\Security* OR Processes.process=*HKLM\\\\System* OR Processes.process=*HKLM\\\\SAM*) by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `attempted_credential_dump_from_registry_via_reg_exe_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "None identified.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "attempted_credential_dump_from_registry_via_reg_exe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Auto Admin Logon Registry Entry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2023-04-11", "version": 4, "id": "1379d2b8-0f18-11ec-8ca3-acde48001122", "description": "this search is to detect a suspicious registry modification to implement auto admin logon to a host. This technique was seen in BlackMatter ransomware to automatically logon to the compromise host after triggering a safemode boot to continue encrypting the whole network. This behavior is not a common practice and really a suspicious TTP or alert need to be consider if found within then network premise.", "references": ["https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/"], "tags": {"analytic_story": ["BlackMatter Ransomware", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "modified registry key $registry_key_name$ with registry value $registry_value_name$ to prepare autoadminlogon", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1552.002", "mitre_attack_technique": "Credentials in Registry", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT32"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon*\" AND Registry.registry_value_name=AutoAdminLogon AND Registry.registry_value_data=1) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `auto_admin_logon_registry_entry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "auto_admin_logon_registry_entry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Batch File Write to System32", "author": "Steven Dick, Michael Haag, Rico Valdez, Splunk", "date": "2024-05-19", "version": 5, "id": "503d17cb-9eab-4cf8-a20e-01d5c6987ae3", "description": "The following analytic detects the creation of a batch file (.bat) within the Windows system directory tree, specifically in the System32 or SysWOW64 folders. It leverages data from the Endpoint datamodel, focusing on process and filesystem events to identify this behavior. This activity is significant because writing batch files to system directories can be indicative of malicious intent, such as persistence mechanisms or system manipulation. If confirmed malicious, this could allow an attacker to execute arbitrary commands with elevated privileges, potentially compromising the entire system.", "references": [], "tags": {"analytic_story": ["SamSam Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Victim"]}], "message": "A file - $file_name$ was written to system32 has occurred on endpoint $dest$ by user $user$.", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=* by _time span=1h Processes.process_guid Processes.process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | join process_guid [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*\\\\system32\\\\*\", \"*\\\\syswow64\\\\*\") Filesystem.file_name=\"*.bat\" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)`] | table dest user file_create_time, file_name, file_path, process_name, firstTime, lastTime | dedup file_create_time | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `batch_file_write_to_system32_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "It is possible for this search to generate a notable event for a batch file write to a path that includes the string \"system32\", but is not the actual Windows system directory. As such, you should confirm the path of the batch file identified by the search. In addition, a false positive may be generated by an administrator copying a legitimate batch file in this directory tree. You should confirm that the activity is legitimate and modify the search to add exclusions, as necessary.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "batch_file_write_to_system32_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Bcdedit Command Back To Normal Mode Boot", "author": "Teoderick Contreras, Splunk", "date": "2021-09-06", "version": 1, "id": "dc7a8004-0f18-11ec-8c54-acde48001122", "description": "This search is to detect a suspicious bcdedit commandline to configure the host from safe mode back to normal boot configuration. This technique was seen in blackMatter ransomware where it force the compromised host to boot in safe mode to continue its encryption and bring back to normal boot using bcdedit deletevalue command. This TTP can be a good alert for host that booted from safe mode forcefully since it need to modify the boot configuration to bring it back to normal.", "references": ["https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/"], "tags": {"analytic_story": ["BlackMatter Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "bcdedit process with commandline $process$ to bring back to normal boot configuration the $dest$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = bcdedit.exe Processes.process=\"*/deletevalue*\" Processes.process=\"*{current}*\" Processes.process=\"*safeboot*\" by Processes.process_name Processes.process Processes.parent_process_name Processes.dest Processes.user |`drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `bcdedit_command_back_to_normal_mode_boot_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "bcdedit_command_back_to_normal_mode_boot_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "BCDEdit Failure Recovery Modification", "author": "Michael Haag, Splunk", "date": "2024-05-15", "version": 2, "id": "809b31d2-5462-11eb-ae93-0242ac130002", "description": "The following analytic detects modifications to the Windows error recovery boot configurations using bcdedit.exe with flags such as \"recoveryenabled\" and \"no\". It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This activity is significant because ransomware often disables recovery options to prevent system restoration, making it crucial for SOC analysts to investigate. If confirmed malicious, this could hinder recovery efforts, allowing ransomware to cause extensive damage and complicate remediation.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-4---windows---disable-windows-recovery-console-repair"], "tags": {"analytic_story": ["Ransomware", "Ryuk Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting disable the ability to recover the endpoint.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = bcdedit.exe Processes.process=\"*recoveryenabled*\" (Processes.process=\"* no*\") by Processes.process_name Processes.process Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `bcdedit_failure_recovery_modification_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may modify the boot configuration.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "bcdedit_failure_recovery_modification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "BITS Job Persistence", "author": "Michael Haag, Splunk", "date": "2021-09-16", "version": 2, "id": "e97a5ffe-90bf-11eb-928a-acde48001122", "description": "The following query identifies Microsoft Background Intelligent Transfer Service utility `bitsadmin.exe` scheduling a BITS job to persist on an endpoint. The query identifies the parameters used to create, resume or add a file to a BITS job. Typically seen combined in a oneliner or ran in sequence. If identified, review the BITS job created and capture any files written to disk. It is possible for BITS to be used to upload files and this may require further network data analysis to identify. You can use `bitsadmin /list /verbose` to list out the jobs during investigation.", "references": ["https://attack.mitre.org/techniques/T1197/", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md#atomic-test-3---persist-download--execute", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/"], "tags": {"analytic_story": ["BITS Jobs", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to persist using BITS.", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1197", "mitre_attack_technique": "BITS Jobs", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": ["APT39", "APT41", "Leviathan", "Patchwork", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_bitsadmin` Processes.process IN (*create*, *addfile*, *setnotifyflags*, *setnotifycmdline*, *setminretrydelay*, *setcustomheaders*, *resume* ) by Processes.dest Processes.user Processes.original_file_name Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `bits_job_persistence_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives will be present. Typically, applications will use `BitsAdmin.exe`. Any filtering should be done based on command-line arguments (legitimate applications) or parent process.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_bitsadmin", "definition": "(Processes.process_name=bitsadmin.exe OR Processes.original_file_name=bitsadmin.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "bits_job_persistence_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "BITSAdmin Download File", "author": "Michael Haag, Sittikorn S", "date": "2022-11-29", "version": 3, "id": "80630ff4-8e4c-11eb-aab5-acde48001122", "description": "The following query identifies Microsoft Background Intelligent Transfer Service utility `bitsadmin.exe` using the `transfer` parameter to download a remote object. In addition, look for `download` or `upload` on the command-line, the switches are not required to perform a transfer. Capture any files downloaded. Review the reputation of the IP or domain used. Typically once executed, a follow on command will be used to execute the dropped file. Note that the network connection or file modification events related will not spawn or create from `bitsadmin.exe`, but the artifacts will appear in a parallel process of `svchost.exe` with a command-line similar to `svchost.exe -k netsvcs -s BITS`. It's important to review all parallel and child processes to capture any behaviors and artifacts. In some suspicious and malicious instances, BITS jobs will be created. You can use `bitsadmin /list /verbose` to list out the jobs during investigation.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/8eb52117b748d378325f7719554a896e37bccec7/atomics/T1105/T1105.md#atomic-test-9---windows---bitsadmin-bits-download", "https://github.com/redcanaryco/atomic-red-team/blob/bc705cb7aaa5f26f2d96585fac8e4c7052df0ff9/atomics/T1197/T1197.md", "https://docs.microsoft.com/en-us/windows/win32/bits/bitsadmin-tool", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/"], "tags": {"analytic_story": ["BITS Jobs", "DarkSide Ransomware", "Flax Typhoon", "Ingress Tool Transfer", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control", "Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to download a file.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1197", "mitre_attack_technique": "BITS Jobs", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": ["APT39", "APT41", "Leviathan", "Patchwork", "Wizard Spider"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_bitsadmin` Processes.process IN (\"*transfer*\", \"*addfile*\") by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `bitsadmin_download_file_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives, however it may be required to filter based on parent process name or network connection.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_bitsadmin", "definition": "(Processes.process_name=bitsadmin.exe OR Processes.original_file_name=bitsadmin.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "bitsadmin_download_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "CertUtil Download With URLCache and Split Arguments", "author": "Michael Haag, Splunk", "date": "2022-02-03", "version": 3, "id": "415b4306-8bfb-11eb-85c4-acde48001122", "description": "Certutil.exe may download a file from a remote destination using `-urlcache`. This behavior does require a URL to be passed on the command-line. In addition, `-f` (force) and `-split` (Split embedded ASN.1 elements, and save to files) will be used. It is not entirely common for `certutil.exe` to contact public IP space. However, it is uncommon for `certutil.exe` to write files to world writeable paths. During triage, capture any files on disk and review. Review the reputation of the remote IP or domain in question.", "references": ["https://attack.mitre.org/techniques/T1105/", "https://www.avira.com/en/blog/certutil-abused-by-attackers-to-spread-threats", "https://web.archive.org/web/20210921110637/https://www.fireeye.com/blog/threat-research/2019/10/certutil-qualms-they-came-to-drop-fombs.html"], "tags": {"analytic_story": ["CISA AA22-277A", "DarkSide Ransomware", "Flax Typhoon", "Forest Blizzard", "Ingress Tool Transfer", "Living Off The Land", "ProxyNotShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to download a file.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` (Processes.process=*urlcache* Processes.process=*split*) OR Processes.process=*urlcache* by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.original_file_name Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `certutil_download_with_urlcache_and_split_arguments_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives in most environments, however tune as needed based on parent-child relationship or network connection.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_certutil", "definition": "(Processes.process_name=certutil.exe OR Processes.original_file_name=CertUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "certutil_download_with_urlcache_and_split_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "CertUtil Download With VerifyCtl and Split Arguments", "author": "Michael Haag, Splunk", "date": "2022-02-03", "version": 3, "id": "801ad9e4-8bfb-11eb-8b31-acde48001122", "description": "Certutil.exe may download a file from a remote destination using `-VerifyCtl`. This behavior does require a URL to be passed on the command-line. In addition, `-f` (force) and `-split` (Split embedded ASN.1 elements, and save to files) will be used. It is not entirely common for `certutil.exe` to contact public IP space. \\ During triage, capture any files on disk and review. Review the reputation of the remote IP or domain in question. Using `-VerifyCtl`, the file will either be written to the current working directory or `%APPDATA%\\..\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\`. ", "references": ["https://attack.mitre.org/techniques/T1105/", "https://www.hexacorn.com/blog/2020/08/23/certutil-one-more-gui-lolbin/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)#-verifyctl", "https://www.avira.com/en/blog/certutil-abused-by-attackers-to-spread-threats"], "tags": {"analytic_story": ["DarkSide Ransomware", "Ingress Tool Transfer", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to download a file.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` (Processes.process=*verifyctl* Processes.process=*split*) OR Processes.process=*verifyctl* by Processes.dest Processes.user Processes.original_file_name Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `certutil_download_with_verifyctl_and_split_arguments_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives in most environments, however tune as needed based on parent-child relationship or network connection.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_certutil", "definition": "(Processes.process_name=certutil.exe OR Processes.original_file_name=CertUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "certutil_download_with_verifyctl_and_split_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Certutil exe certificate extraction", "author": "Rod Soto, Splunk", "date": "2024-05-16", "version": 3, "id": "337a46be-600f-11eb-ae93-0242ac130002", "description": "The following analytic identifies the use of certutil.exe with arguments indicating the manipulation or extraction of certificates. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because extracting certificates can allow attackers to sign new authentication tokens, particularly in federated environments like Windows ADFS. If confirmed malicious, this could enable attackers to forge authentication tokens, potentially leading to unauthorized access and privilege escalation within the network.", "references": ["https://blog.sygnia.co/detection-and-hunting-of-golden-saml-attack", "https://strontic.github.io/xcyclopedia/library/certutil.exe-09A8A29BAA3A451713FD3D07943B4A43.html"], "tags": {"analytic_story": ["Cloud Federated Credential Abuse", "Living Off The Land", "Windows Certificate Services", "Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting export a certificate.", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=certutil.exe Processes.process = \"*-exportPFX*\" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `certutil_exe_certificate_extraction_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unless there are specific use cases, manipulating or exporting certificates using certutil is uncommon. Extraction of certificate has been observed during attacks such as Golden SAML and other campaigns targeting Federated services.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "certutil_exe_certificate_extraction_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "CertUtil With Decode Argument", "author": "Michael Haag, Splunk", "date": "2021-03-23", "version": 2, "id": "bfe94226-8c10-11eb-a4b3-acde48001122", "description": "CertUtil.exe may be used to `encode` and `decode` a file, including PE and script code. Encoding will convert a file to base64 with `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` tags. Malicious usage will include decoding a encoded file that was downloaded. Once decoded, it will be loaded by a parallel process. Note that there are two additional command switches that may be used - `encodehex` and `decodehex`. Similarly, the file will be encoded in HEX and later decoded for further execution. During triage, identify the source of the file being decoded. Review its contents or execution behavior for further analysis.", "references": ["https://attack.mitre.org/techniques/T1140/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", "https://www.bleepingcomputer.com/news/security/certutilexe-could-allow-attackers-to-download-malware-while-bypassing-av/"], "tags": {"analytic_story": ["APT29 Diplomatic Deceptions with WINELOADER", "Deobfuscate-Decode Files or Information", "Forest Blizzard", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to decode a file.", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1140", "mitre_attack_technique": "Deobfuscate/Decode Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT39", "BRONZE BUTLER", "Cinnamon Tempest", "Darkhotel", "Earth Lusca", "FIN13", "Gamaredon Group", "Gorgon Group", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Malteiro", "Molerats", "MuddyWater", "OilRig", "Rocke", "Sandworm Team", "TA505", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "WIRTE", "ZIRCONIUM", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` Processes.process=*decode* by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `certutil_with_decode_argument_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Typically seen used to `encode` files, but it is possible to see legitimate use of `decode`. Filter based on parent-child relationship, file paths, endpoint or user.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_certutil", "definition": "(Processes.process_name=certutil.exe OR Processes.original_file_name=CertUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "certutil_with_decode_argument_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Change Default File Association", "author": "Teoderick Contreras, Splunk", "date": "2023-04-14", "version": 1, "id": "462d17d8-1f71-11ec-ad07-acde48001122", "description": "This analytic is developed to detect suspicious registry modification to change the default file association of windows to malicious payload. This technique was seen in some APT where it modify the default process to run file association, like .txt to notepad.exe. Instead notepad.exe it will point to a Script or other payload that will load malicious commands to the compromised host.", "references": ["https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/privilege-escalation/untitled-3/accessibility-features"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Prestige Ransomware", "Windows Persistence Techniques", "Windows Privilege Escalation", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Registry path $registry_path$ was modified, added, or deleted in $dest$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path =\"*\\\\shell\\\\open\\\\command\\\\*\" Registry.registry_path = \"*HKCR\\\\*\" by Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `change_default_file_association_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "change_default_file_association_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Change To Safe Mode With Network Config", "author": "Teoderick Contreras, Splunk", "date": "2021-09-06", "version": 1, "id": "81f1dce0-0f18-11ec-a5d7-acde48001122", "description": "This search is to detect a suspicious bcdedit commandline to configure the host to boot in safe mode with network config. This technique was seen in blackMatter ransomware where it force the compromised host to boot in safe mode to continue its encryption and bring back to normal boot using bcdedit deletevalue command. This TTP can be a good alert for host that booted from safe mode forcefully since it need to modify the boot configuration to bring it back to normal.", "references": ["https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/"], "tags": {"analytic_story": ["BlackMatter Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "bcdedit process with commandline $process$ to force safemode boot the $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = bcdedit.exe Processes.process=\"*/set*\" Processes.process=\"*{current}*\" Processes.process=\"*safeboot*\" Processes.process=\"*network*\" by Processes.process_name Processes.process Processes.parent_process_name Processes.dest Processes.user |`drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `change_to_safe_mode_with_network_config_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "change_to_safe_mode_with_network_config_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "CHCP Command Execution", "author": "Teoderick Contreras, Splunk", "date": "2021-07-27", "version": 1, "id": "21d236ec-eec1-11eb-b23e-acde48001122", "description": "This search is to detect execution of chcp.exe application. this utility is used to change the active code page of the console. This technique was seen in icedid malware to know the locale region/language/country of the compromise host.", "references": ["https://ss64.com/nt/chcp.html", "https://twitter.com/tccontre18/status/1419941156633329665?s=20"], "tags": {"analytic_story": ["Azorult", "Forest Blizzard", "IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "parent process $parent_process_name$ spawning chcp process $process_name$ with parent command line $parent_process$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=chcp.com Processes.parent_process_name = cmd.exe (Processes.parent_process=*/c* OR Processes.parent_process=*/k*) by Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `chcp_command_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "other tools or script may used this to change code page to UTF-* or others", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "chcp_command_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Check Elevated CMD using whoami", "author": "Teoderick Contreras, Splunk", "date": "2021-09-15", "version": 1, "id": "a9079b18-1633-11ec-859c-acde48001122", "description": "This search is to detect a suspicious whoami execution to check if the cmd or shell instance process is with elevated privileges. This technique was seen in FIN7 js implant where it execute this as part of its data collection to the infected machine to check if the running shell cmd process is elevated or not. This TTP is really a good alert for known attacker that recon on the targetted host. This command is not so commonly executed by a normal user or even an admin to check if a process is elevated.", "references": [], "tags": {"analytic_story": ["FIN7"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Process name $process_name$ with commandline $process$ in $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*whoami*\" Processes.process = \"*/group*\" Processes.process = \"* find *\" Processes.process = \"*12288*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `check_elevated_cmd_using_whoami_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "check_elevated_cmd_using_whoami_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Child Processes of Spoolsv exe", "author": "Rico Valdez, Splunk", "date": "2024-05-15", "version": 4, "id": "aa0c4aeb-5b18-41c4-8c07-f1442d7599df", "description": "The following analytic identifies child processes spawned by spoolsv.exe, the Print Spooler service in Windows, which typically runs with SYSTEM privileges. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process relationships. Monitoring this activity is crucial as it can indicate exploitation attempts, such as those associated with CVE-2018-8440, which can lead to privilege escalation. If confirmed malicious, attackers could gain SYSTEM-level access, allowing them to execute arbitrary code, escalate privileges, and potentially compromise the entire system.", "references": [], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=spoolsv.exe AND Processes.process_name!=regsvr32.exe by Processes.dest Processes.parent_process Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `child_processes_of_spoolsv_exe_filter` ", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Some legitimate printer-related processes may show up as children of spoolsv.exe. You should confirm that any activity as legitimate and may be added as exclusions in the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "child_processes_of_spoolsv_exe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Clear Unallocated Sector Using Cipher App", "author": "Teoderick Contreras, Splunk", "date": "2024-05-17", "version": 2, "id": "cd80a6ac-c9d9-11eb-8839-acde48001122", "description": "The following analytic detects the execution of `cipher.exe` with the `/w` flag to clear unallocated sectors on a disk. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, command-line arguments, and parent processes. This activity is significant because it is a technique used by ransomware to prevent forensic recovery of deleted files. If confirmed malicious, this action could hinder incident response efforts by making it impossible to recover critical data, thereby complicating the investigation and remediation process.", "references": ["https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3/", "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-ransomware-behavior-report.pdf"], "tags": {"analytic_story": ["Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to clear the unallocated sectors of a specific disk.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"cipher.exe\" Processes.process = \"*/w:*\" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `clear_unallocated_sector_using_cipher_app_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "administrator may execute this app to manage disk", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "clear_unallocated_sector_using_cipher_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Clop Common Exec Parameter", "author": "Teoderick Contreras, Splunk", "date": "2023-03-17", "version": 2, "id": "5a8a2a72-8322-11eb-9ee9-acde48001122", "description": "The following analytics are designed to identifies some CLOP ransomware variant that using arguments to execute its main code or feature of its code. In this variant if the parameter is \"runrun\", CLOP ransomware will try to encrypt files in network shares and if it is \"temp.dat\", it will try to read from some stream pipe or file start encrypting files within the infected local machines. This technique can be also identified as an anti-sandbox technique to make its code non-responsive since it is waiting for some parameter to execute properly.", "references": ["https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft", "https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html"], "tags": {"analytic_story": ["Clop Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting using arguments to execute its main code or feature of its code related to Clop ransomware.", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name != \"*temp.dat*\" Processes.process = \"*runrun*\" OR Processes.process = \"*temp.dat*\" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `clop_common_exec_parameter_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Operators can execute third party tools using these parameters.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "clop_common_exec_parameter_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Clop Ransomware Known Service Name", "author": "Teoderick Contreras", "date": "2024-04-26", "version": 2, "id": "07e08a12-870c-11eb-b5f9-acde48001122", "description": "This detection is to identify the common service name created by the CLOP ransomware as part of its persistence and high privilege code execution in the infected machine. Ussually CLOP ransomware use StartServiceCtrlDispatcherW API in creating this service entry.", "references": ["https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft", "https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html"], "tags": {"analytic_story": ["Clop Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An instance of a known Clop Ransomware Service Name detected on $dest$", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "`wineventlog_system` EventCode=7045 ServiceName IN (\"SecurityCenterIBM\", \"WinCheckDRVs\") | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ServiceName StartType ServiceType | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `clop_ransomware_known_service_name_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "clop_ransomware_known_service_name_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "CMD Carry Out String Command Parameter", "author": "Teoderick Contreras, Bhavin Patel, Splunk", "date": "2023-12-27", "version": 4, "id": "54a6ed00-3256-11ec-b031-acde48001122", "description": "The following analytic identifies command-line arguments where `cmd.exe /c` is used to execute a program. `cmd /c` is used to run commands in MS-DOS and terminate after command or process completion. This technique is commonly seen in adversaries and malware to execute batch command using different shell like PowerShell or different process other than `cmd.exe`. This is a good hunting query for suspicious command-line made by a script or relative process execute it.", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"analytic_story": ["AsyncRAT", "Azorult", "CISA AA23-347A", "Chaos Ransomware", "DarkCrystal RAT", "DarkGate Malware", "Data Destruction", "Hermetic Wiper", "IcedID", "Living Off The Land", "Log4Shell CVE-2021-44228", "NjRAT", "PlugX", "ProxyNotShell", "Qakbot", "RedLine Stealer", "Rhysida Ransomware", "Warzone RAT", "WhisperGate", "Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting spawn a new process.", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` AND Processes.process=\"* /c*\" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmd_carry_out_string_command_parameter_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be high based on legitimate scripted code in any environment. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "cmd_carry_out_string_command_parameter_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "CMD Echo Pipe - Escalation", "author": "Michael Haag, Splunk", "date": "2023-07-10", "version": 2, "id": "eb277ba0-b96b-11eb-b00e-acde48001122", "description": "This analytic identifies a common behavior by Cobalt Strike and other frameworks where the adversary will escalate privileges, either via `jump` (Cobalt Strike PTH) or `getsystem`, using named-pipe impersonation. A suspicious event will look like `cmd.exe /c echo 4sgryt3436 > \\\\.\\Pipe\\5erg53`.", "references": ["https://redcanary.com/threat-detection-report/threats/cobalt-strike/", "https://github.com/rapid7/meterpreter/blob/master/source/extensions/priv/server/elevate/namedpipe.c"], "tags": {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ potentially performing privilege escalation using named pipes related to Cobalt Strike and other frameworks.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` OR Processes.process=*%comspec%* (Processes.process=*echo* AND Processes.process=*pipe*) by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmd_echo_pipe___escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unknown. It is possible filtering may be required to ensure fidelity.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "cmd_echo_pipe___escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Cmdline Tool Not Executed In CMD Shell", "author": "Teoderick Contreras, Splunk", "date": "2023-12-27", "version": 2, "id": "6c3f7dd8-153c-11ec-ac2d-acde48001122", "description": "The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", "references": ["https://www.mandiant.com/resources/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation", "https://attack.mitre.org/groups/G0046/", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"analytic_story": ["CISA AA22-277A", "CISA AA23-347A", "DarkGate Malware", "FIN7", "Qakbot", "Rhysida Ransomware", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "A non-standard parent process $parent_process_name$ spawned child process $process_name$ to execute command-line tool on $dest$.", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.007", "mitre_attack_technique": "JavaScript", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "Cobalt Group", "Earth Lusca", "Ember Bear", "Evilnum", "FIN6", "FIN7", "Higaisa", "Indrik Spider", "Kimsuky", "LazyScripter", "Leafminer", "Molerats", "MoustachedBouncer", "MuddyWater", "Sidewinder", "Silence", "TA505", "Turla"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = \"ipconfig.exe\" OR Processes.process_name = \"systeminfo.exe\" OR Processes.process_name = \"net.exe\" OR Processes.process_name = \"net1.exe\" OR Processes.process_name = \"arp.exe\" OR Processes.process_name = \"nslookup.exe\" OR Processes.process_name = \"route.exe\" OR Processes.process_name = \"netstat.exe\" OR Processes.process_name = \"whoami.exe\") AND NOT (Processes.parent_process_name = \"cmd.exe\" OR Processes.parent_process_name = \"powershell*\" OR Processes.parent_process_name=\"pwsh.exe\" OR Processes.parent_process_name = \"explorer.exe\") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process_id Processes.process Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmdline_tool_not_executed_in_cmd_shell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "A network operator or systems administrator may utilize an automated host discovery application that may generate false positives. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "cmdline_tool_not_executed_in_cmd_shell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "CMLUA Or CMSTPLUA UAC Bypass", "author": "Teoderick Contreras, Splunk", "date": "2024-05-05", "version": 2, "id": "f87b5062-b405-11eb-a889-acde48001122", "description": "The following analytic detects the use of COM objects like CMLUA or CMSTPLUA to bypass User Account Control (UAC). It leverages Sysmon EventCode 7 to identify the loading of specific DLLs (CMLUA.dll, CMSTPLUA.dll, CMLUAUTIL.dll) by processes not typically associated with these libraries. This activity is significant as it indicates an attempt to gain elevated privileges, a common tactic used by ransomware adversaries. If confirmed malicious, this could allow attackers to execute code with administrative rights, leading to potential system compromise and further malicious activities.", "references": ["https://attack.mitre.org/techniques/T1218/003/"], "tags": {"analytic_story": ["DarkSide Ransomware", "LockBit Ransomware", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The following module $ImageLoaded$ was loaded by a non-standard application on endpoint $dest$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.003", "mitre_attack_technique": "CMSTP", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group", "MuddyWater"]}]}, "type": "TTP", "search": "`sysmon` EventCode=7 ImageLoaded IN (\"*\\\\CMLUA.dll\", \"*\\\\CMSTPLUA.dll\", \"*\\\\CMLUAUTIL.dll\") NOT(process_name IN(\"CMSTP.exe\", \"CMMGR32.exe\")) NOT(Image IN(\"*\\\\windows\\\\*\", \"*\\\\program files*\")) | stats count min(_time) as firstTime max(_time) as lastTime by dest Image ImageLoaded process_name EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmlua_or_cmstplua_uac_bypass_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Legitimate windows application that are not on the list loading this dll. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "cmlua_or_cmstplua_uac_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Cobalt Strike Named Pipes", "author": "Michael Haag, Splunk", "date": "2023-07-10", "version": 2, "id": "5876d429-0240-4709-8b93-ea8330b411b5", "description": "The following analytic identifies the use of default or publicly known named pipes used with Cobalt Strike. A named pipe is a named, one-way or duplex pipe for communication between the pipe server and one or more pipe clients. Cobalt Strike uses named pipes in many ways and has default values used with the Artifact Kit and Malleable C2 Profiles. The following query assists with identifying these default named pipes. Each EDR product presents named pipes a little different. Consider taking the values and generating a query based on the product of choice.\nUpon triage, review the process performing the named pipe. If it is explorer.exe, It is possible it was injected into by another process. Review recent parallel processes to identify suspicious patterns or behaviors. A parallel process may have a network connection, review and follow the connection back to identify any file modifications.", "references": ["https://attack.mitre.org/techniques/T1218/009/", "https://docs.microsoft.com/en-us/windows/win32/ipc/named-pipes", "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/index.htm#cshid=1040", "https://www.cobaltstrike.com/blog/learn-pipe-fitting-for-all-of-your-offense-projects/", "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752", "https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations"], "tags": {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "DarkSide Ransomware", "Graceful Wipe Out Attack", "LockBit Ransomware", "Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $process_name$ was identified on endpoint $dest$ accessing known suspicious named pipes related to Cobalt Strike.", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}]}, "type": "TTP", "search": "`sysmon` EventID=17 OR EventID=18 PipeName IN (\\\\msagent_*, \\\\DserNamePipe*, \\\\srvsvc_*, \\\\postex_*, \\\\status_*, \\\\MSSE-*, \\\\spoolss_*, \\\\win_svc*, \\\\ntsvcs*, \\\\winsock*, \\\\UIA_PIPE*) | stats count min(_time) as firstTime max(_time) as lastTime by dest, process_name, process_id process_path, PipeName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cobalt_strike_named_pipes_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "The idea of using named pipes with Cobalt Strike is to blend in. Therefore, some of the named pipes identified and added may cause false positives. Filter by process name or pipe name to reduce false positives.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "cobalt_strike_named_pipes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Common Ransomware Extensions", "author": "David Dorsey, Michael Haag, Splunk, Steven Dick", "date": "2022-11-10", "version": 5, "id": "a9e5c5db-db11-43ca-86a8-c852d1b2c0ec", "description": "The following analytic detects Searches for file modifications that commonly occur with Ransomware to detect modifications to files with extensions that are commonly used by Ransomware. The detection is made by searches for changes in the datamodel=Endpoint.Filesystem, specifically modifications to file extensions that match those commonly used by Ransomware. The detection is important because it suggests that an attacker is attempting to encrypt or otherwise modify files in the environment using malware, potentially leading to data loss that can cause significant damage to an organization's data and systems. False positives might occur so the SOC must investigate the affected system to determine the source of the modification and take appropriate action to contain and remediate the attack.", "references": ["https://github.com/splunk/security_content/issues/2448"], "tags": {"analytic_story": ["Clop Ransomware", "LockBit Ransomware", "Prestige Ransomware", "Ransomware", "Rhysida Ransomware", "Ryuk Ransomware", "SamSam Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The device $dest$ wrote $file_count$ files to $path_count$ path(s) with the $file_extension$ extension. This extension and behavior may indicate a $Name$ ransomware attack.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime count latest(Filesystem.user) as user values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name Filesystem.dest _time span=1h | `drop_dm_object_name(Filesystem)` | rex field=file_name \"(?\\.[^\\.]+)$\" | rex field=file_path \"(?([^\\\\\\]*\\\\\\)*).*\" | stats min(firstTime) as firstTime max(lastTime) as lastTime latest(user) as user dc(true_file_path) as path_count dc(file_name) as file_count latest(file_name) as file_name latest(true_file_path) as file_path by dest file_extension | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `ransomware_extensions` | where path_count > 1 OR file_count > 20 | `common_ransomware_extensions_filter`", "how_to_implement": "You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint Filesystem data model node. To see the additional metadata, add the following fields, if not already present, please review the detailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`", "known_false_positives": "It is possible for a legitimate file with these extensions to be created. If this is a true ransomware attack, there will be a large number of files created with these extensions.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "ransomware_extensions", "definition": "lookup update=true ransomware_extensions_lookup Extensions AS file_extension OUTPUT Name | search Name !=False", "description": "This macro limits the output to files that have extensions associated with ransomware"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "common_ransomware_extensions_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Common Ransomware Notes", "author": "David Dorsey, Splunk", "date": "2024-05-22", "version": 5, "id": "ada0f478-84a8-4641-a3f1-d82362d6bd71", "description": "The following analytic detects the creation of files with names commonly associated with ransomware notes. It leverages file-system activity data from the Endpoint Filesystem data model, typically populated by endpoint detection and response (EDR) tools or Sysmon logs. This activity is significant because ransomware notes indicate a potential ransomware attack, which can lead to data encryption and extortion. If confirmed malicious, this activity could result in significant data loss, operational disruption, and financial impact due to ransom demands.", "references": [], "tags": {"analytic_story": ["Chaos Ransomware", "Clop Ransomware", "LockBit Ransomware", "Ransomware", "Rhysida Ransomware", "Ryuk Ransomware", "SamSam Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Victim"]}], "message": "A file - $file_name$ was written to disk on endpoint $dest$ by user $user$, this is indicative of a known ransomware note file and should be reviewed immediately.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `ransomware_notes` | `common_ransomware_notes_filter`", "how_to_implement": "You must be ingesting data that records file-system activity from your hosts to populate the Endpoint Filesystem data-model node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or via other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file-system reads and writes.", "known_false_positives": "It's possible that a legitimate file could be created with the same name used by ransomware note files.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "ransomware_notes", "definition": "lookup ransomware_notes_lookup ransomware_notes as file_name OUTPUT status as \"Known Ransomware Notes\" | search \"Known Ransomware Notes\"=True", "description": "This macro limits the output to files that have been identified as a ransomware note"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "common_ransomware_notes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "ConnectWise ScreenConnect Path Traversal", "author": "Michael Haag, Splunk", "date": "2024-02-21", "version": 1, "id": "56a3ac65-e747-41f7-b014-dff7423c1dda", "description": "This analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1708 vulnerability, which allows an attacker to perform path traversal attacks by manipulating the file_path and file_name parameters in the URL. The vulnerability, identified as critical with a CVSS score of 9.8, enables unauthorized users to access sensitive files and directories on the host system, potentially leading to the exfiltration of sensitive data or the execution of arbitrary code. The search query provided looks for file system events that could indicate exploitation attempts. This detection is crucial for identifying and responding to active exploitation of this vulnerability in environments running affected versions of ScreenConnect (23.9.7 and prior). It is recommended to update to version 23.9.8 or above immediately to remediate the issue, as detailed in the ConnectWise security advisory and further analyzed by Huntress researchers.", "references": ["https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass", "https://www.huntress.com/blog/detection-guidance-for-connectwise-cwe-288-2", "https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8"], "tags": {"analytic_story": ["ConnectWise ScreenConnect Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A path traversal attack against ScreenConnect has been detected on $dest$.", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*\\\\ScreenConnect\\\\App_Extensions\\\\*\") Filesystem.file_name IN (\"*.aspx\",\"*.ashx\") by Filesystem.file_create_time Filesystem.process_id Filesystem.process_guid Filesystem.file_name Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `connectwise_screenconnect_path_traversal_filter`", "how_to_implement": "This analytic utilizes the Endpoint datamodel Filesystem node to identify path traversal attempts against ScreenConnect. Note that using SACL auditing or other file system monitoring tools may also be used to detect path traversal attempts. Typically the data for this analytic will come from EDR or other properly CIM mapped data sources.", "known_false_positives": "False positives are not expected, as the detection is based on the presence of file system events that indicate path traversal attempts. The analytic may be modified to look for any file writes to this path as it is not common for files to write here.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "connectwise_screenconnect_path_traversal_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "ConnectWise ScreenConnect Path Traversal Windows SACL", "author": "Michael Haag, Splunk", "date": "2024-02-21", "version": 1, "id": "4e127857-1fc9-4c95-9d69-ba24c91d52d7", "description": "This analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1708 vulnerability utilizing Windows SACL EventCode 4663, which allows an attacker to perform path traversal attacks by manipulating the file_path and file_name parameters in the URL. The vulnerability, identified as critical with a CVSS score of 9.8, enables unauthorized users to access sensitive files and directories on the host system, potentially leading to the exfiltration of sensitive data or the execution of arbitrary code. The search query provided looks for file system events that could indicate exploitation attempts. This detection is crucial for identifying and responding to active exploitation of this vulnerability in environments running affected versions of ScreenConnect (23.9.7 and prior). It is recommended to update to version 23.9.8 or above immediately to remediate the issue, as detailed in the ConnectWise security advisory and further analyzed by Huntress researchers.", "references": ["https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4663", "https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass", "https://www.huntress.com/blog/detection-guidance-for-connectwise-cwe-288-2", "https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8"], "tags": {"analytic_story": ["ConnectWise ScreenConnect Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A path traversal attack against ScreenConnect has been detected on $dest$.", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}]}, "type": "TTP", "search": "`wineventlog_security` EventCode=4663 ProcessName=*\\\\ScreenConnect.Service.exe file_path IN (\"*\\\\ScreenConnect\\\\App_Extensions\\\\*\") file_name IN (\"*.aspx\",\"*.ashx\") | stats count min(_time) as firstTime max(_time) as lastTime by ObjectName ObjectType ProcessName AccessMask process_id EventCode Computer Caller_User_Name | rename Computer as dest Caller_User_Name as user ProcessName as process_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `connectwise_screenconnect_path_traversal_windows_sacl_filter`", "how_to_implement": "To implement the following query, enable SACL auditing for the ScreenConnect directory(ies). With this data, the following analytic will work correctly. A GIST is provided in the references to assist with enabling SACL Auditing.", "known_false_positives": "False positives should be limited as the analytic is specific to ScreenConnect path traversal attempts. Tune as needed, or restrict to specific hosts if false positives are encountered.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "connectwise_screenconnect_path_traversal_windows_sacl_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Conti Common Exec parameter", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 2, "id": "624919bc-c382-11eb-adcc-acde48001122", "description": "The following analytic detects the execution of suspicious command-line arguments commonly associated with Conti ransomware, specifically targeting local drives and network shares for encryption. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because it indicates a potential ransomware attack, which can lead to widespread data encryption and operational disruption. If confirmed malicious, the impact could be severe, resulting in data loss, system downtime, and potential ransom demands.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.conti"], "tags": {"analytic_story": ["Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ executing specific Conti Ransomware related parameters.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*-m local*\" OR Processes.process = \"*-m net*\" OR Processes.process = \"*-m all*\" OR Processes.process = \"*-nomutex*\" by Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `conti_common_exec_parameter_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "3rd party tool may have commandline parameter that can trigger this detection.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "conti_common_exec_parameter_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Control Loading from World Writable Directory", "author": "Michael Haag, Splunk", "date": "2021-09-08", "version": 1, "id": "10423ac4-10c9-11ec-8dc4-acde48001122", "description": "The following detection identifies control.exe loading either a .cpl or .inf from a writable directory. This is related to CVE-2021-40444. During triage, review parallel processes, parent and child, for further suspicious behaviors. In addition, capture file modifications and analyze.", "references": ["https://strontic.github.io/xcyclopedia/library/rundll32.exe-111474C61232202B5B588D2B512CBB25.html", "https://app.any.run/tasks/36c14029-9df8-439c-bba0-45f2643b0c70/", "https://attack.mitre.org/techniques/T1218/011/", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.yaml"], "tags": {"analytic_story": ["Living Off The Land", "Microsoft MSHTML Remote Code Execution CVE-2021-40444"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to load a suspicious file from disk.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.002", "mitre_attack_technique": "Control Panel", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Ember Bear"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=control.exe OR Processes.original_file_name=CONTROL.EXE) AND Processes.process IN (\"*\\\\appdata\\\\*\", \"*\\\\windows\\\\temp\\\\*\", \"*\\\\programdata\\\\*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `control_loading_from_world_writable_directory_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives will be present as control.exe does not natively load from writable paths as defined. One may add .cpl or .inf to the command-line if there is any false positives. Tune as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "control_loading_from_world_writable_directory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Create local admin accounts using net exe", "author": "Bhavin Patel, Splunk", "date": "2024-04-26", "version": 9, "id": "b89919ed-fe5f-492c-b139-151bb162040e", "description": "The following analytic detects the creation of local administrator accounts using the net.exe command to mitigate the risks associated with unauthorized access and prevent further damage to the environment by responding to potential threats earlier and taking appropriate actions to protect the organization's systems and data. This detection is made by a Splunk query to search for processes with the name net.exe or net1.exe that include the \"/add\" parameter and have specific keywords related to administrator accounts in their process name. This detection is important because the creation of unauthorized local administrator accounts might indicate that an attacker has successfully created a new administrator account and is trying to gain persistent access to a system or escalate their privileges for data theft, or other malicious activities. False positives might occur since there might be legitimate uses of the net.exe command and the creation of administrator accounts in certain circumstances. You must consider the context of the activity and other indicators of compromise before taking any action. For next steps, review the details of the identified process, including the user, parent process, and parent process name. Examine any relevant on-disk artifacts and look for concurrent processes to determine the source of the attack.", "references": [], "tags": {"analytic_story": ["Azorult", "CISA AA22-257A", "DHS Report TA18-074A", "DarkGate Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to add a user to the local Administrators group.", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "APT5", "Dragonfly", "FIN13", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT", "Wizard Spider"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider", "Scattered Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.user) as user values(Processes.parent_process) as parent_process values(parent_process_name) as parent_process_name min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=net.exe OR Processes.process_name=net1.exe) AND Processes.process=*/add* AND (Processes.process=*administrators* OR Processes.process=*administratoren* OR Processes.process=*administrateurs* OR Processes.process=*administrador* OR Processes.process=*amministratori* OR Processes.process=*administratorer*) by Processes.process Processes.process_name Processes.parent_process_name Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `create_local_admin_accounts_using_net_exe_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators often leverage net.exe to create admin accounts.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "create_local_admin_accounts_using_net_exe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Create or delete windows shares using net exe", "author": "Bhavin Patel, Splunk", "date": "2020-09-16", "version": 6, "id": "743a322c-9a68-4a0f-9c17-85d9cce2a27c", "description": "The following analytic detects the creation or deletion of hidden shares using the net.exe command for prompt response and mitigation to enhance the overall security posture of the organization and protect against potential data breaches, malware infections, and other damaging outcomes. This detection is made by searching for processes that involve the use of net.exe and filters for actions related to creation or deletion of shares. This detection is important because it suggests that an attacker is attempting to manipulate or exploit the network by creating or deleting hidden shares. The creation or deletion of hidden shares can indicate malicious activity since attackers might use hidden shares to exfiltrate data, distribute malware, or establish persistence within a network. The impact of such an attack can vary, but it often involves unauthorized access to sensitive information, disruption of services, or the introduction of malware. False positives might occur since legitimate actions can also involve the use of net.exe. An extensive triage and investigation is necessary to determine the intent and nature of the detected activity. Next steps include reviewing the details of the process involving the net.exe command, including the user, parent process, and timestamps during the triage. Additionally, capture and inspect any relevant on-disk artifacts and review concurrent processes to identify the source of the attack.", "references": ["https://attack.mitre.org/techniques/T1070/005/"], "tags": {"analytic_story": ["CISA AA22-277A", "DarkGate Malware", "Hidden Cobra Malware", "Prestige Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ enumerating Windows file shares.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}, {"mitre_attack_id": "T1070.005", "mitre_attack_technique": "Network Share Connection Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Threat Group-3390"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.user) as user values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` by Processes.process Processes.process_name Processes.parent_process_name Processes.original_file_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | search process=*share* | `create_or_delete_windows_shares_using_net_exe_filter` ", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators often leverage net.exe to create or delete network shares. You should verify that the activity was intentional and is legitimate.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "create_or_delete_windows_shares_using_net_exe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Create Remote Thread In Shell Application", "author": "Teoderick Contreras, Splunk", "date": "2024-01-31", "version": 2, "id": "10399c1e-f51e-11eb-b920-acde48001122", "description": "This search is to detect suspicious process injection in command shell. This technique was seen in IcedID where it execute cmd.exe process to inject its shellcode as part of its execution as banking trojan. It is really uncommon to have a create remote thread execution in the following application.", "references": ["https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/"], "tags": {"analytic_story": ["IcedID", "Qakbot", "Warzone RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "process $process_name$ create a remote thread to shell app process $TargetImage$ in host $dest$", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}]}, "type": "TTP", "search": "`sysmon` EventCode=8 TargetImage IN (\"*\\\\cmd.exe\", \"*\\\\powershell*\") | stats count min(_time) as firstTime max(_time) as lastTime by TargetImage TargetProcessId SourceProcessId EventCode StartAddress SourceImage dest |rename SourceImage as process_name| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `create_remote_thread_in_shell_application_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "create_remote_thread_in_shell_application_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Create Remote Thread into LSASS", "author": "Patrick Bareiss, Splunk", "date": "2019-12-06", "version": 1, "id": "67d4dbef-9564-4699-8da8-03a151529edc", "description": "The following analytic detects the creation of a remote thread in the Local Security Authority Subsystem Service (LSASS), which is a common tactic used by adversaries to steal user authentication credentials, known as credential dumping. The detection is made by leveraging Sysmon EventID 8 logs and searches for processes that create remote threads in lsass.exe. This is an unusual activity that is generally linked to credential theft or credential dumping, which is a significant threat to network security. The detection is important because it helps to detect potential credential dumping attacks, which can result in significant damage to an organization's security. False positives might occur though the confidence level of this alert is high. There might be cases where legitimate tools can access LSASS and generate similar logs. Therefore, you must understand the broader context of such events and differentiate between legitimate activities and possible threats.", "references": ["https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf"], "tags": {"analytic_story": ["Credential Dumping"], "asset_type": "Windows", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "TargetImage", "type": "Other", "role": ["Other"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A process has created a remote thread into $TargetImage$ on $dest$. This behavior is indicative of credential dumping and should be investigated.", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "type": "TTP", "search": "`sysmon` EventID=8 TargetImage=*lsass.exe | stats count min(_time) as firstTime max(_time) as lastTime by dest, EventCode, TargetImage, TargetProcessId | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `create_remote_thread_into_lsass_filter`", "how_to_implement": "This search needs Sysmon Logs with a Sysmon configuration, which includes EventCode 8 with lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.", "known_false_positives": "Other tools can access LSASS for legitimate reasons and generate an event. In these cases, tweaking the search may help eliminate noise.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "create_remote_thread_into_lsass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Creation of lsass Dump with Taskmgr", "author": "Michael Haag, Splunk", "date": "2020-02-03", "version": 1, "id": "b2fbe95a-9c62-4c12-8a29-24b97e84c0cd", "description": "Detect the hands on keyboard behavior of Windows Task Manager creating a process dump of lsass.exe. Upon this behavior occurring, a file write/modification will occur in the users profile under \\AppData\\Local\\Temp. The dump file, lsass.dmp, cannot be renamed, however if the dump occurs more than once, it will be named lsass (2).dmp.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md#atomic-test-5---dump-lsassexe-memory-using-windows-task-manager", "https://attack.mitre.org/techniques/T1003/001/", "https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf"], "tags": {"analytic_story": ["CISA AA22-257A", "Credential Dumping"], "asset_type": "Windows", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "$process_name$ was identified on endpoint $dest$ writing $TargetFilename$ to disk. This behavior is related to dumping credentials via Task Manager.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "type": "TTP", "search": "`sysmon` EventID=11 process_name=taskmgr.exe TargetFilename=*lsass*.dmp | stats count min(_time) as firstTime max(_time) as lastTime by dest, object_category, process_name, TargetFilename | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `creation_of_lsass_dump_with_taskmgr_filter`", "how_to_implement": "This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 11 for detecting file create of lsass.dmp. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.", "known_false_positives": "Administrators can create memory dumps for debugging purposes, but memory dumps of the LSASS process would be unusual.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "creation_of_lsass_dump_with_taskmgr_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Creation of Shadow Copy", "author": "Patrick Bareiss, Splunk", "date": "2024-05-19", "version": 3, "id": "eb120f5f-b879-4a63-97c1-93352b5df844", "description": "The following analytic detects the creation of shadow copies using Vssadmin or Wmic. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because creating shadow copies can be a precursor to ransomware attacks or data exfiltration, allowing attackers to bypass file locks and access sensitive data. If confirmed malicious, this behavior could enable attackers to maintain persistence, recover deleted files, or prepare for further malicious activities, posing a significant risk to the integrity and confidentiality of the system.", "references": ["https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf", "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF"], "tags": {"analytic_story": ["Credential Dumping", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Attacker"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to create a shadow copy to perform offline password cracking.", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.003", "mitre_attack_technique": "NTDS", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "HAFNIUM", "Ke3chang", "LAPSUS$", "Mustang Panda", "Sandworm Team", "Scattered Spider", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=vssadmin.exe Processes.process=*create* Processes.process=*shadow*) OR (Processes.process_name=wmic.exe Processes.process=*shadowcopy* Processes.process=*create*) by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `creation_of_shadow_copy_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Legitimate administrator usage of Vssadmin or Wmic will create false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "creation_of_shadow_copy_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Creation of Shadow Copy with wmic and powershell", "author": "Patrick Bareiss, Splunk", "date": "2021-09-16", "version": 3, "id": "2ed8b538-d284-449a-be1d-82ad1dbd186b", "description": "The following analytic detects the use of two specific tools, wmic and Powershell, to create a shadow copy to identify potential threats earlier and take appropriate actions to mitigate the risks. This detection is made by a Splunk query that searches for processes in the Endpoint.Processes data model where either the process name contains \"wmic\" or \"Powershell\" and the process command contains \"shadowcopy\" and \"create\". This detection is important because it suggests that an attacker is attempting to manipulate or access data in an unauthorized manner, which can lead to data theft, data manipulation, or other malicious activities. Attackers might use shadow copies to backup and exfiltrate sensitive data or to hide their tracks by restoring files to a previous state after an attack. Next steps include reviewing the user associated with the process, the process name, the original file name, the process command, and the destination of the process. Additionally, examine any relevant on-disk artifacts and review other concurrent processes to determine the source of the attack.", "references": ["https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf", "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF"], "tags": {"analytic_story": ["Credential Dumping", "Living Off The Land", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to create a shadow copy to perform offline password cracking.", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.003", "mitre_attack_technique": "NTDS", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "HAFNIUM", "Ke3chang", "LAPSUS$", "Mustang Panda", "Sandworm Team", "Scattered Spider", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` OR `process_powershell` Processes.process=*shadowcopy* Processes.process=*create* by Processes.user Processes.process_name Processes.original_file_name Processes.parent_process_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `creation_of_shadow_copy_with_wmic_and_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Legtimate administrator usage of wmic to create a shadow copy.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "creation_of_shadow_copy_with_wmic_and_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Credential Dumping via Copy Command from Shadow Copy", "author": "Patrick Bareiss, Splunk", "date": "2021-09-16", "version": 2, "id": "d8c406fe-23d2-45f3-a983-1abe7b83ff3b", "description": "The following analytic detects the use of the copy command to dump credentials from a shadow copy so that you can detect potential threats earlier and mitigate the risks associated with credential dumping. The detection is made by using a Splunk query to search for specific processes that indicate credential dumping activity. The query looks for processes with command lines that include references to certain files, such as \"sam\", \"security\", \"system\", and \"ntds.dit\", located in system directories like \"system32\" or \"windows\". The detection is important because it suggests that an attacker is attempting to extract credentials from a shadow copy. Credential dumping is a common technique used by attackers to obtain sensitive login information and gain unauthorized access to systems to escalate privileges, move laterally within the network, or gain unauthorized access to sensitive data. False positives might occur since legitimate processes might also reference these files. During triage, it is crucial to review the process details, including the source and the command that is run. Additionally, you must capture and analyze any relevant on-disk artifacts and investigate concurrent processes to determine the source of the attack", "references": ["https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf"], "tags": {"analytic_story": ["Credential Dumping"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to copy SAM and NTDS.dit for offline password cracking.", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.003", "mitre_attack_technique": "NTDS", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "HAFNIUM", "Ke3chang", "LAPSUS$", "Mustang Panda", "Sandworm Team", "Scattered Spider", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` (Processes.process=*\\\\system32\\\\config\\\\sam* OR Processes.process=*\\\\system32\\\\config\\\\security* OR Processes.process=*\\\\system32\\\\config\\\\system* OR Processes.process=*\\\\windows\\\\ntds\\\\ntds.dit*) by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process Processes.original_file_name Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `credential_dumping_via_copy_command_from_shadow_copy_filter` ", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "credential_dumping_via_copy_command_from_shadow_copy_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Credential Dumping via Symlink to Shadow Copy", "author": "Patrick Bareiss, Splunk", "date": "2021-09-16", "version": 2, "id": "c5eac648-fae0-4263-91a6-773df1f4c903", "description": "The following analytic detects the creation of a symlink to a shadow copy to identify potential threats earlier and mitigate the risks associated with symlink creation to shadow copies. The detection is made by using a Splunk query that searches for processes with commands containing \"mklink\" and \"HarddiskVolumeShadowCopy\". This analytic retrieves information such as the destination, user, process name, process ID, parent process, original file name, and parent process ID from the Endpoint.Processes data model. The detection is important because it indicates potential malicious activity since attackers might use this technique to manipulate or delete shadow copies, which are used for system backup and recovery. This detection helps to determine if an attacker is attempting to cover their tracks or prevent data recovery in the event of an incident. The impact of such an attack can be significant since it can hinder incident response efforts, prevent data restoration, and potentially lead to data loss or compromise. Next steps include reviewing the details of the process, such as the destination and the user responsible for creating the symlink. Additionally, you must examine the parent process, any relevant on-disk artifacts, and concurrent processes to identify the source of the attack.", "references": ["https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf"], "tags": {"analytic_story": ["Credential Dumping"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to create symlink to a shadow copy to grab credentials.", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.003", "mitre_attack_technique": "NTDS", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "HAFNIUM", "Ke3chang", "LAPSUS$", "Mustang Panda", "Sandworm Team", "Scattered Spider", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` Processes.process=*mklink* Processes.process=*HarddiskVolumeShadowCopy* by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process Processes.parent_process_name Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `credential_dumping_via_symlink_to_shadow_copy_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "credential_dumping_via_symlink_to_shadow_copy_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "CSC Net On The Fly Compilation", "author": "Teoderick Contreras, Splunk", "date": "2021-11-12", "version": 1, "id": "ea73128a-43ab-11ec-9753-acde48001122", "description": "this analytic is to detect a suspicious compile before delivery approach of .net compiler csc.exe. This technique was seen in several adversaries, malware and even in red teams to take advantage the csc.exe .net compiler tool to compile on the fly a malicious .net code to evade detection from security product. This is a good hunting query to check further the file or process created after this event and check the file path that passed to csc.exe which is the .net code. Aside from that, powershell is capable of using this compiler in executing .net code in a powershell script so filter on that case is needed.", "references": ["https://app.any.run/tasks/ad4c3cda-41f2-4401-8dba-56cc2d245488/", "https://tccontre.blogspot.com/2019/06/maicious-macro-that-compile-c-code-as.html"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "csc.exe with commandline $process$ to compile .net code on $dest$ by $user$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1027.004", "mitre_attack_technique": "Compile After Delivery", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Gamaredon Group", "MuddyWater", "Rocke"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_csc` Processes.process = \"*/noconfig*\" Processes.process = \"*/fullpaths*\" Processes.process = \"*@*\" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `csc_net_on_the_fly_compilation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "A network operator or systems administrator may utilize an automated powershell script taht execute .net code that may generate false positive. filter is needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_csc", "definition": "(Processes.process_name=csc.exe OR Processes.original_file_name=csc.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "csc_net_on_the_fly_compilation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Curl Download and Bash Execution", "author": "Michael Haag, Splunk", "date": "2021-12-10", "version": 1, "id": "900bc324-59f3-11ec-9fb4-acde48001122", "description": "The following analytic identifies the use of curl on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", "references": ["https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java", "https://www.lunasec.io/docs/blog/log4j-zero-day/", "https://gist.github.com/nathanqthai/01808c569903f41a52e7e7b575caa890"], "tags": {"analytic_story": ["Ingress Tool Transfer", "Linux Living Off The Land", "Log4Shell CVE-2021-44228"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $process_name$ was identified on endpoint $dest$ attempting to download a remote file and run it with bash.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=curl (Processes.process=\"*-s *\") OR (Processes.process=\"*|*\" AND Processes.process=\"*bash*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `curl_download_and_bash_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited, however filtering may be required.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "curl_download_and_bash_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Delete ShadowCopy With PowerShell", "author": "Teoderick Contreras, Splunk", "date": "2022-05-02", "version": 2, "id": "5ee2bcd0-b2ff-11eb-bb34-acde48001122", "description": "This following analytic detects PowerShell command to delete shadow copy using the WMIC PowerShell module. This technique was seen used by a recent adversary to deploy DarkSide Ransomware where it executed a child process of PowerShell to execute a hex encoded command to delete shadow copy. This hex encoded command was able to be decrypted by PowerShell log.", "references": ["https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations", "https://www.techtarget.com/searchwindowsserver/tutorial/Set-up-PowerShell-script-block-logging-for-added-security"], "tags": {"analytic_story": ["DarkGate Malware", "DarkSide Ransomware", "Ransomware", "Revil Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An attempt to delete ShadowCopy was performed using PowerShell on $dest$ by $user$.", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}]}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText= \"*ShadowCopy*\" (ScriptBlockText = \"*Delete*\" OR ScriptBlockText = \"*Remove*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText |rename Computer as dest |rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `delete_shadowcopy_with_powershell_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the powershell logs from your endpoints. make sure you enable needed registry to monitor this event.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "delete_shadowcopy_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Deleting Of Net Users", "author": "Teoderick Contreras, Splunk", "date": "2023-06-13", "version": 2, "id": "1c8c6f66-acce-11eb-aafb-acde48001122", "description": "This analytic will detect a suspicious net.exe/net1.exe command-line to delete a user on a system. This technique may be use by an administrator for legitimate purposes, however this behavior has been used in the wild to impair some user or deleting adversaries tracks created during its lateral movement additional systems. During triage, review parallel processes for additional behavior. Identify any other user accounts created before or after.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"analytic_story": ["DarkGate Malware", "Graceful Wipe Out Attack", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to delete accounts.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1531", "mitre_attack_technique": "Account Access Removal", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Akira", "LAPSUS$"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND Processes.process=\"*user*\" AND Processes.process=\"*/delete*\" by Processes.process_name Processes.original_file_name Processes.dest Processes.user Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `deleting_of_net_users_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "System administrators or scripts may delete user accounts via this technique. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "deleting_of_net_users_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Deleting Shadow Copies", "author": "David Dorsey, Splunk", "date": "2024-05-18", "version": 5, "id": "b89919ed-ee5f-492c-b139-95dbb162039e", "description": "The following analytic detects the deletion of shadow copies using the vssadmin.exe or wmic.exe utilities. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because deleting shadow copies is a common tactic used by attackers to prevent recovery and hide their tracks. If confirmed malicious, this action could hinder incident response efforts and allow attackers to maintain persistence and cover their activities, making it crucial for security teams to investigate promptly.", "references": ["https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html"], "tags": {"analytic_story": ["CISA AA22-264A", "Chaos Ransomware", "Clop Ransomware", "DarkGate Malware", "LockBit Ransomware", "Prestige Ransomware", "Ransomware", "Rhysida Ransomware", "SamSam Ransomware", "Windows Log Manipulation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to delete shadow copies.", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=vssadmin.exe OR Processes.process_name=wmic.exe) Processes.process=*delete* Processes.process=*shadow* by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `deleting_shadow_copies_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "vssadmin.exe and wmic.exe are standard applications shipped with modern versions of windows. They may be used by administrators to legitimately delete old backup copies, although this is typically rare.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "deleting_shadow_copies_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect AzureHound Command-Line Arguments", "author": "Michael Haag, Splunk", "date": "2024-03-14", "version": 2, "id": "26f02e96-c300-11eb-b611-acde48001122", "description": "The following analytic identifies the common command-line argument used by AzureHound `Invoke-AzureHound`. Being the script is FOSS, function names may be modified, but these changes are dependent upon the operator. In most instances the defaults are used. This analytic works to identify the common command-line attributes used. It does not cover the entirety of every argument in order to avoid false positives.", "references": ["https://attack.mitre.org/software/S0521/", "https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors", "https://posts.specterops.io/introducing-bloodhound-4-0-the-azure-update-9b2b26c5e350", "https://github.com/BloodHoundAD/Legacy-AzureHound.ps1/blob/master/AzureHound.ps1"], "tags": {"analytic_story": ["Windows Discovery Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ using AzureHound to enumerate AzureAD.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT41", "BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Scattered Spider", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}, {"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Akira", "Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT41", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "FIN7", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "ToddyCat", "Turla", "Volt Typhoon"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN (\"*invoke-azurehound*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_azurehound_command_line_arguments_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unknown.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_azurehound_command_line_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect AzureHound File Modifications", "author": "Michael Haag, Splunk", "date": "2024-03-14", "version": 2, "id": "1c34549e-c31b-11eb-996b-acde48001122", "description": "The following analytic is similar to SharpHound file modifications, but this instance covers the use of Invoke-AzureHound. AzureHound is the SharpHound equivilent but for Azure. It's possible this may never be seen in an environment as most attackers may execute this tool remotely. Once execution is complete, a zip file with a similar name will drop `20210601090751-azurecollection.zip`. In addition to the zip, multiple .json files will be written to disk, which are in the zip.", "references": ["https://posts.specterops.io/introducing-bloodhound-4-0-the-azure-update-9b2b26c5e350", "https://github.com/BloodHoundAD/Legacy-AzureHound.ps1/blob/master/AzureHound.ps1"], "tags": {"analytic_story": ["Windows Discovery Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Victim"]}], "message": "A file - $file_name$ was written to disk that is related to AzureHound, a AzureAD enumeration utility, has occurred on endpoint $dest$ by user $user$.", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT41", "BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Scattered Spider", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}, {"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Akira", "Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT41", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "FIN7", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "ToddyCat", "Turla", "Volt Typhoon"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*-azurecollection.zip\", \"*-azprivroleadminrights.json\", \"*-azglobaladminrights.json\", \"*-azcloudappadmins.json\", \"*-azapplicationadmins.json\") by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.user | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_azurehound_file_modifications_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on file modifications that include the name of the process, and file, responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.", "known_false_positives": "False positives should be limited as the analytic is specific to a filename with extension .zip. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_azurehound_file_modifications_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Baron Samedit CVE-2021-3156", "author": "Shannon Davis, Splunk", "date": "2021-01-27", "version": 1, "id": "93fbec4e-0375-440c-8db3-4508eca470c4", "description": "The following analytic detects a specific type of vulnerability known as a heap-based buffer overflow in the sudoedit command, commonly referred to as Baron Samedit CVE-2021-3156. The detection is made by a Splunk query that searches for instances of the sudoedit command with the \"-s\" flag followed by a double quote. This combination of parameters is indicative of the vulnerability being exploited. The detection is important because it suggests that an attacker is attempting to exploit the Baron Samedit vulnerability. The Baron Samedit vulnerability allows an attacker to gain elevated privileges on a Linux system and run arbitrary code with root privileges, potentially leading to complete control over the affected system. The impact of a successful attack can be severe since it allows the attacker to bypass security measures and gain unauthorized access to sensitive data or systems. This can result in data breaches, unauthorized modifications, or even complete system compromise. Next steps include being aware of this vulnerability and actively monitoring any attempts to exploit it. By detecting and responding to such attacks in a timely manner, you can prevent or minimize the potential damage caused by the heap-based buffer overflow of sudoedit.", "references": [], "tags": {"analytic_story": ["Baron Samedit CVE-2021-3156"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}]}, "type": "TTP", "search": "`linux_hosts` \"sudoedit -s \\\\\" | `detect_baron_samedit_cve_2021_3156_filter`", "how_to_implement": "Splunk Universal Forwarder running on Linux systems, capturing logs from the /var/log directory. The vulnerability is exposed when a non privledged user tries passing in a single \\ character at the end of the command while using the shell and edit flags.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "linux_hosts", "definition": "index=*", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_baron_samedit_cve_2021_3156_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Baron Samedit CVE-2021-3156 Segfault", "author": "Shannon Davis, Splunk", "date": "2021-01-29", "version": 1, "id": "10f2bae0-bbe6-4984-808c-37dc1c67980d", "description": "The following analytic detects the occurrence of a heap-based buffer overflow in sudoedit.The detection is made by using a Splunk query to identify Linux hosts where the terms \"sudoedit\" and \"segfault\" appear in the logs. The detection is important because the heap-based buffer overflow vulnerability in sudoedit can be exploited by attackers to gain elevated root privileges on a vulnerable system, which might lead to the compromise of sensitive data, unauthorized access, and other malicious activities. False positives might occur. Therefore, you must review the logs and investigate further before taking any action.", "references": [], "tags": {"analytic_story": ["Baron Samedit CVE-2021-3156"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}]}, "type": "TTP", "search": "`linux_hosts` TERM(sudoedit) TERM(segfault) | stats count min(_time) as firstTime max(_time) as lastTime by host | where count > 5 | `detect_baron_samedit_cve_2021_3156_segfault_filter`", "how_to_implement": "Splunk Universal Forwarder running on Linux systems (tested on Centos and Ubuntu), where segfaults are being logged. This also captures instances where the exploit has been compiled into a binary. The detection looks for greater than 5 instances of sudoedit combined with segfault over your search time period on a single host", "known_false_positives": "If sudoedit is throwing segfaults for other reasons this will pick those up too.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "linux_hosts", "definition": "index=*", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_baron_samedit_cve_2021_3156_segfault_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Baron Samedit CVE-2021-3156 via OSQuery", "author": "Shannon Davis, Splunk", "date": "2021-01-28", "version": 1, "id": "1de31d5d-8fa6-4ee0-af89-17069134118a", "description": "The following analytic detects the heap-based buffer overflow for the sudoedit command and identifies instances where the command \"sudoedit -s *\" is run using the osquery_process data source. This indicates that the sudoedit command is used with the \"-s\" flag, which is associated with the heap-based buffer overflow vulnerability. The detection is important because it indicates a potential security vulnerability, specifically Baron Samedit CVE-2021-3156, which helps to identify and respond to potential heap-based buffer overflow attacks to enhance the security posture of the organization. This vulnerability allows an attacker to escalate privileges and potentially gain unauthorized access to the system. If the attack is successful, the attacker can gain full control of the system, run arbitrary code, or access sensitive data. Such attacks can lead to data breaches, unauthorized access, and potential disruption of critical systems. False positives might occur since the legitimate use of the sudoedit command with the \"-s\" flag can also trigger this detection. You must carefully review and validate the findings before taking any action. Next steps include investigating all true positive detections promptly, reviewing the associated processes, gather relevant artifacts, identifying the source of the attack to contain the threat, mitigate the risks, and prevent further damage to the environment.", "references": [], "tags": {"analytic_story": ["Baron Samedit CVE-2021-3156"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}]}, "type": "TTP", "search": "`osquery_process` | search \"columns.cmdline\"=\"sudoedit -s \\\\*\" | `detect_baron_samedit_cve_2021_3156_via_osquery_filter`", "how_to_implement": "OSQuery installed and configured to pick up process events (info at https://osquery.io) as well as using the Splunk OSQuery Add-on https://splunkbase.splunk.com/app/4402. The vulnerability is exposed when a non privledged user tries passing in a single \\ character at the end of the command while using the shell and edit flags.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "osquery_process", "definition": "eventtype=\"osquery-process\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_baron_samedit_cve_2021_3156_via_osquery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Certify Command Line Arguments", "author": "Steven Dick", "date": "2023-06-25", "version": 1, "id": "e6d2dc61-a8b9-4b03-906c-da0ca75d71b8", "description": "The following analytic identifies when the attacker tool Certify or Certipy are used to enumerate Active Directory Certificate Services (AD CS) environments. The default command line arguments of these tools are similar and perform near identical enumeration or exploitation functions.", "references": ["https://github.com/GhostPack/Certify", "https://github.com/ly4k/Certipy", "https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf"], "tags": {"analytic_story": ["Ingress Tool Transfer", "Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control", "Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker"]}], "message": "Certify/Certipy arguments detected on $dest$.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN (\"* find *\",\"* auth *\",\"* request *\",\"* req *\",\"* download *\",) AND Processes.process IN (\"* /vulnerable*\",\"* /enrolleeSuppliesSubject *\",\"* /json /outfile*\",\"* /ca*\", \"* -username *\",\"* -u *\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `detect_certify_command_line_arguments_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_certify_command_line_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Certify With PowerShell Script Block Logging", "author": "Steven Dick", "date": "2023-06-25", "version": 1, "id": "f533ca6c-9440-4686-80cb-7f294c07812a", "description": "The following analytic identifies when the attacker tool Certify is used through an in-memory PowerShell function to enumerate Active Directory Certificate Services (AD CS) environments. The default command line arguments for the binary version of this tools are similar to PowerShell calls and perform near identical enumeration or exploitation functions.", "references": ["https://github.com/GhostPack/Certify", "https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf"], "tags": {"analytic_story": ["Malicious PowerShell", "Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Certify arguments through PowerShell detected on $dest$.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText IN (\"*find *\") AND ScriptBlockText IN (\"* /vulnerable*\",\"* -vulnerable*\",\"* /enrolleeSuppliesSubject *\",\"* /json /outfile*\")) OR (ScriptBlockText IN (,\"*auth *\",\"*req *\",) AND ScriptBlockText IN (\"* -ca *\",\"* -username *\",\"* -u *\")) OR (ScriptBlockText IN (\"*request *\",\"*download *\") AND ScriptBlockText IN (\"* /ca:*\")) | stats count min(_time) as firstTime max(_time) as lastTime list(ScriptBlockText) as command Values(OpCode) as reason values(Path) as file_name values(UserID) as user by _time Computer EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval file_name = case(isnotnull(file_name),file_name,true(),\"unknown\") | eval signature = substr(command,0,256) | rename Computer as dest,EventCode as signature_id | `detect_certify_with_powershell_script_block_logging_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell..", "known_false_positives": "Unknown, partial script block matches.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "detect_certify_with_powershell_script_block_logging_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Certipy File Modifications", "author": "Steven Dick", "date": "2023-06-25", "version": 1, "id": "7e3df743-b1d8-4631-8fa8-bd5819688876", "description": "The following analytic identifies when the attacker tool Certipy is used to enumerate Active Directory Certificate Services (AD CS) environments. The default behavior of this toolkit drops a number of file uniquely named files or file extensions related to it's information gathering and exfiltration process.", "references": ["https://github.com/ly4k/Certipy"], "tags": {"analytic_story": ["Data Exfiltration", "Ingress Tool Transfer", "Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker"]}], "message": "Suspicious files $file_name$ related to Certipy detected on $dest$", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime values(Processes.process_current_directory) as process_current_directory FROM datamodel=Endpoint.Processes where Processes.action=\"allowed\" BY _time span=1h Processes.user Processes.dest Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.parent_process_name Processes.parent_process Processes.process_guid Processes.action |`drop_dm_object_name(Processes)` | join max=0 dest process_guid [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*_certipy.zip\", \"*_certipy.txt\", \"*_certipy.json\", \"*.ccache\") by Filesystem.file_create_time Filesystem.process_id Filesystem.process_guid Filesystem.file_name Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` ] | fields firstTime lastTime user dest file_create_time file_name file_path parent_process_name parent_process process_name process_path process_current_directory process process_guid process_id | where isnotnull(file_name) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_certipy_file_modifications_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints as well as file creation or deletion events.", "known_false_positives": "Unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_certipy_file_modifications_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Computer Changed with Anonymous Account", "author": "Rod Soto, Jose Hernandez, Splunk", "date": "2024-05-18", "version": 2, "id": "1400624a-d42d-484d-8843-e6753e6e3645", "description": "The following analytic detects changes to computer accounts using an anonymous logon. It leverages Windows Security Event Codes 4742 (Computer Change) and 4624 (Successful Logon) with the TargetUserName set to \"ANONYMOUS LOGON\" and LogonType 3. This activity is significant because anonymous logons should not typically be modifying computer accounts, indicating potential unauthorized access or misconfiguration. If confirmed malicious, this could allow an attacker to alter computer accounts, potentially leading to privilege escalation or persistent access within the network.", "references": ["https://www.lares.com/blog/from-lares-labs-defensive-guidance-for-zerologon-cve-2020-1472/"], "tags": {"analytic_story": ["Detect Zerologon Attack"], "asset_type": "Windows", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "EventCode", "type": "Other", "role": ["Other"]}], "message": "The following $EventCode$ occurred on $dest$ by $user$ with Logon Type 3, which may be indicative of the an account or group being changed by an anonymous account.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1210", "mitre_attack_technique": "Exploitation of Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "Dragonfly", "Earth Lusca", "FIN7", "Fox Kitten", "MuddyWater", "Threat Group-3390", "Tonto Team", "Wizard Spider", "menuPass"]}]}, "type": "Hunting", "search": "`wineventlog_security` EventCode=4624 OR EventCode=4742 TargetUserName=\"ANONYMOUS LOGON\" LogonType=3 | stats count values(host) as host, values(TargetDomainName) as Domain, values(user) as user | `detect_computer_changed_with_anonymous_account_filter`", "how_to_implement": "This search requires audit computer account management to be enabled on the system in order to generate Event ID 4742. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Event Logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.", "known_false_positives": "None thus far found", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_computer_changed_with_anonymous_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Copy of ShadowCopy with Script Block Logging", "author": "Michael Haag, Splunk", "date": "2024-04-26", "version": 2, "id": "9251299c-ea5b-11eb-a8de-acde48001122", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all.\n\nThis analytic identifies `copy` or `[System.IO.File]::Copy` being used to capture the SAM, SYSTEM or SECURITY hives identified in script block. This will catch the most basic use cases for credentials being taken for offline cracking.\nDuring triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.", "references": ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934", "https://github.com/GossiTheDog/HiveNightmare", "https://github.com/JumpsecLabs/Guidance-Advice/tree/main/SAM_Permissions"], "tags": {"analytic_story": ["Credential Dumping"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "PowerShell was identified running a script to capture the SAM hive on endpoint $dest$ by user $user$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*copy*\",\"*[System.IO.File]::Copy*\") AND ScriptBlockText IN (\"*System32\\\\config\\\\SAM*\", \"*System32\\\\config\\\\SYSTEM*\",\"*System32\\\\config\\\\SECURITY*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_copy_of_shadowcopy_with_script_block_logging_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Limited false positives as the scope is limited to SAM, SYSTEM and SECURITY hives.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "detect_copy_of_shadowcopy_with_script_block_logging_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Credential Dumping through LSASS access", "author": "Patrick Bareiss, Splunk", "date": "2023-12-27", "version": 3, "id": "2c365e57-4414-4540-8dc0-73ab10729996", "description": "The following analytic detects the reading of lsass memory, which is consistent with credential dumping. Reading lsass memory is a common technique used by attackers to steal credentials from the Windows operating system. The detection is made by monitoring the sysmon events and filtering for specific access permissions (0x1010 and 0x1410) on the lsass.exe process helps identify potential instances of credential dumping.The detection is important because it suggests that an attacker is attempting to extract credentials from the lsass memory, which can lead to unauthorized access, data breaches, and compromise of sensitive information. Credential dumping is often a precursor to further attacks, such as lateral movement, privilege escalation, or data exfiltration. False positives can occur due to legitimate actions that involve accessing lsass memory. Therefore, extensive triage and investigation are necessary to differentiate between malicious and benign activities.", "references": [], "tags": {"analytic_story": ["CISA AA23-347A", "Credential Dumping", "Detect Zerologon Attack"], "asset_type": "Windows", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "TargetImage", "type": "Other", "role": ["Victim"]}], "message": "The $SourceImage$ has attempted access to read $TargetImage$ was identified on endpoint $dest$, this is indicative of credential dumping and should be investigated.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "type": "TTP", "search": "`sysmon` EventCode=10 TargetImage=*lsass.exe (GrantedAccess=0x1010 OR GrantedAccess=0x1410) | stats count min(_time) as firstTime max(_time) as lastTime by dest, SourceImage, SourceProcessId, TargetImage, TargetProcessId, EventCode, GrantedAccess | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_credential_dumping_through_lsass_access_filter` ", "how_to_implement": "This search needs Sysmon Logs and a sysmon configuration, which includes EventCode 10 with lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.", "known_false_positives": "The activity may be legitimate. Other tools can access lsass for legitimate reasons, and it's possible this event could be generated in those cases. In these cases, false positives should be fairly obvious and you may need to tweak the search to eliminate noise.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_credential_dumping_through_lsass_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Empire with PowerShell Script Block Logging", "author": "Michael Haag, Splunk", "date": "2023-04-14", "version": 2, "id": "bc1dc6b8-c954-11eb-bade-acde48001122", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all.\n\nThis analytic identifies the common PowerShell stager used by PowerShell-Empire. Each stager that may use PowerShell all uses the same pattern. The initial HTTP will be base64 encoded and use `system.net.webclient`. Note that some obfuscation may evade the analytic.\nDuring triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.", "references": ["https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/", "https://github.com/BC-SECURITY/Empire", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "UserID", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "The following behavior was identified and typically related to PowerShell-Empire on $Computer$ by $UserID$.", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText=*system.net.webclient* AND ScriptBlockText=*frombase64string*) | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_empire_with_powershell_script_block_logging_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives may only pertain to it not being related to Empire, but another framework. Filter as needed if any applications use the same pattern.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "detect_empire_with_powershell_script_block_logging_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Excessive Account Lockouts From Endpoint", "author": "David Dorsey, Splunk", "date": "2024-05-19", "version": 9, "id": "c026e3dd-7e18-4abb-8f41-929e836efe74", "description": "The following analytic detects endpoints causing a high number of account lockouts within a short period. It leverages the Windows security event logs ingested into the `Change` datamodel, specifically under the `Account_Management` node, to identify and count lockout events. This activity is significant as it may indicate a brute-force attack or misconfigured system causing repeated authentication failures. If confirmed malicious, this behavior could lead to account lockouts, disrupting user access and potentially indicating an ongoing attack attempting to compromise user credentials.", "references": [], "tags": {"analytic_story": ["Active Directory Password Spraying"], "asset_type": "Windows", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Multiple accounts have been locked out. Review $dest$ and results related to $user$.", "risk_score": 36, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.002", "mitre_attack_technique": "Domain Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT5", "Chimera", "Cinnamon Tempest", "Indrik Spider", "Magic Hound", "Naikon", "Sandworm Team", "TA505", "Threat Group-1314", "ToddyCat", "Volt Typhoon", "Wizard Spider"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_Changes.user) as user from datamodel=Change.All_Changes where All_Changes.result=\"*lock*\" by All_Changes.dest All_Changes.result |`drop_dm_object_name(\"All_Changes\")` |`drop_dm_object_name(\"Account_Management\")`| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search count > 5 | `detect_excessive_account_lockouts_from_endpoint_filter`", "how_to_implement": "You must ingest your Windows security event logs in the `Change` datamodel under the nodename is `Account_Management`, for this search to execute successfully. Please consider updating the cron schedule and the count of lockouts you want to monitor, according to your environment.\n**Splunk>Phantom Playbook Integration** If Splunk>Phantom is also configured in your environment, a Playbook called \"Excessive Account Lockouts Enrichment and Response\" can be configured to run when any results are found by this detection search. The Playbook executes the Contextual and Investigative searches in this Story, conducts additional information gathering on Windows endpoints, and takes a response action to shut down the affected endpoint. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`, add the correct hostname to the \"Phantom Instance\" field in the Adaptive Response Actions when configuring this detection search, and set the corresponding Playbook to active.\nPlaybook Link:`https://my.phantom.us/4.1/playbook/excessive-account-lockouts-enrichment-and-response/`)", "known_false_positives": "It's possible that a widely used system, such as a kiosk, could cause a large number of account lockouts.", "datamodel": ["Change"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_excessive_account_lockouts_from_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Excessive User Account Lockouts", "author": "David Dorsey, Splunk", "date": "2025-05-20", "version": 6, "id": "95a7f9a5-6096-437e-a19e-86f42ac609bd", "description": "The following analytic identifies user accounts experiencing an excessive number of lockouts within a short timeframe. It leverages the 'Change' data model, specifically focusing on events where the result indicates a lockout. This activity is significant as it may indicate a brute-force attack or misconfiguration, both of which require immediate attention. If confirmed malicious, this behavior could lead to account compromise, unauthorized access, and potential lateral movement within the network.", "references": [], "tags": {"analytic_story": ["Active Directory Password Spraying"], "asset_type": "Windows", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Excessive user account lockouts for $user$ in a short period of time", "risk_score": 36, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.003", "mitre_attack_technique": "Local Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT32", "FIN10", "FIN7", "HAFNIUM", "Kimsuky", "PROMETHIUM", "Tropic Trooper", "Turla"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Change.All_Changes where All_Changes.result=\"*lock*\" by All_Changes.user All_Changes.result |`drop_dm_object_name(\"All_Changes\")` |`drop_dm_object_name(\"Account_Management\")`| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search count > 5 | `detect_excessive_user_account_lockouts_filter`", "how_to_implement": "ou must ingest your Windows security event logs in the `Change` datamodel under the nodename is `Account_Management`, for this search to execute successfully. Please consider updating the cron schedule and the count of lockouts you want to monitor, according to your environment.", "known_false_positives": "It is possible that a legitimate user is experiencing an issue causing multiple account login failures leading to lockouts.", "datamodel": ["Change"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_excessive_user_account_lockouts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Exchange Web Shell", "author": "Michael Haag, Shannon Davis, David Dorsey, Splunk", "date": "2023-11-07", "version": 5, "id": "8c14eeee-2af1-4a4b-bda8-228da0f4862a", "description": "The following query identifies suspicious .aspx created in 3 paths identified by Microsoft as known drop locations for Exchange exploitation related to HAFNIUM group and recently disclosed vulnerablity named ProxyShell and ProxyNotShell. Paths include: `\\HttpProxy\\owa\\auth\\`, `\\inetpub\\wwwroot\\aspnet_client\\`, and `\\HttpProxy\\OAB\\`. Upon triage, the suspicious .aspx file will likely look obvious on the surface. inspect the contents for script code inside. Identify additional log sources, IIS included, to review source and other potential exploitation. It is often the case that a particular threat is only applicable to a specific subset of systems in your environment. Typically analytics to detect those threats are written without the benefit of being able to only target those systems as well. Writing analytics against all systems when those behaviors are limited to identifiable subsets of those systems is suboptimal. Consider the case ProxyShell vulnerability on Microsoft Exchange Servers. With asset information, a hunter can limit their analytics to systems that have been identified as Exchange servers. A hunter may start with the theory that the exchange server is communicating with new systems that it has not previously. If this theory is run against all publicly facing systems, the amount of noise it will generate will likely render this theory untenable. However, using the asset information to limit this analytic to just the Exchange servers will reduce the noise allowing the hunter to focus only on the systems where this behavioral change is relevant.", "references": ["https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv", "https://www.zerodayinitiative.com/blog/2021/8/17/from-pwn2own-2021-a-new-attack-surface-on-microsoft-exchange-proxyshell", "https://www.youtube.com/watch?v=FC6iHw258RI", "https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit#what-should-you-do"], "tags": {"analytic_story": ["BlackByte Ransomware", "CISA AA22-257A", "HAFNIUM Group", "ProxyNotShell", "ProxyShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Victim"]}], "message": "A file - $file_name$ was written to disk that is related to IIS exploitation previously performed by HAFNIUM. Review further file modifications on endpoint $dest$ by user $user$.", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "APT5", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=System by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | join process_guid, _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*\\\\HttpProxy\\\\owa\\\\auth\\\\*\", \"*\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\*\", \"*\\\\HttpProxy\\\\OAB\\\\*\") Filesystem.file_name IN( \"*.aspx\", \"*.ashx\") by _time span=1h Filesystem.user Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` | fields _time dest user file_create_time file_name file_path process_name process_path process] | dedup file_create_time | table dest user file_create_time, file_name, file_path, process_name | `detect_exchange_web_shell_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node.", "known_false_positives": "The query is structured in a way that `action` (read, create) is not defined. Review the results of this query, filter, and tune as necessary. It may be necessary to generate this query specific to your endpoint product.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_exchange_web_shell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect HTML Help Renamed", "author": "Michael Haag, Splunk", "date": "2022-04-07", "version": 4, "id": "62fed254-513b-460e-953d-79771493a9f3", "description": "The following analytic identifies a renamed instance of hh.exe (HTML Help) executing a Compiled HTML Help (CHM). This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Validate it is the legitimate version of hh.exe by reviewing the PE metadata. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", "references": ["https://attack.mitre.org/techniques/T1218/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md", "https://lolbas-project.github.io/lolbas/Binaries/Hh/"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious Compiled HTML Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "The following $process_name$ has been identified as renamed, spawning from $parent_process_name$ on $dest$ executed by $user$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.001", "mitre_attack_technique": "Compiled HTML File", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "APT41", "Dark Caracal", "OilRig", "Silence"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name!=hh.exe AND Processes.original_file_name=HH.EXE by Processes.dest Processes.user Processes.parent_process_name Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_html_help_renamed_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely a renamed instance of hh.exe will be used legitimately, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_html_help_renamed_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect HTML Help Spawn Child Process", "author": "Michael Haag, Splunk", "date": "2023-11-07", "version": 2, "id": "723716de-ee55-4cd4-9759-c44e7e55ba4b", "description": "The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) that spawns a child process. This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review child process events and investigate further. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", "references": ["https://attack.mitre.org/techniques/T1218/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md", "https://lolbas-project.github.io/lolbas/Binaries/Hh/", "https://gist.github.com/mgeeky/cce31c8602a144d8f2172a73d510e0e7", "https://web.archive.org/web/20220119133748/https://cyberforensicator.com/2019/01/20/silence-dissecting-malicious-chm-files-and-performing-forensic-analysis/"], "tags": {"analytic_story": ["AgentTesla", "Living Off The Land", "Suspicious Compiled HTML Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ spawning a child process, typically not normal behavior.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.001", "mitre_attack_technique": "Compiled HTML File", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "APT41", "Dark Caracal", "OilRig", "Silence"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=hh.exe by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_html_help_spawn_child_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications (ex. web browsers) may spawn a child process. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_html_help_spawn_child_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect HTML Help URL in Command Line", "author": "Michael Haag, Splunk", "date": "2021-09-16", "version": 2, "id": "8c5835b9-39d9-438b-817c-95f14c69a31e", "description": "The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) file from a remote url. This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review reputation of remote IP and domain. Some instances, it is worth decompiling the .chm file to review its original contents. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", "references": ["https://attack.mitre.org/techniques/T1218/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md", "https://lolbas-project.github.io/lolbas/Binaries/Hh/", "https://blog.sevagas.com/?Hacking-around-HTA-files", "https://gist.github.com/mgeeky/cce31c8602a144d8f2172a73d510e0e7", "https://web.archive.org/web/20220119133748/https://cyberforensicator.com/2019/01/20/silence-dissecting-malicious-chm-files-and-performing-forensic-analysis/"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious Compiled HTML Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ contacting a remote destination to potentally download a malicious payload.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.001", "mitre_attack_technique": "Compiled HTML File", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "APT41", "Dark Caracal", "OilRig", "Silence"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_hh` Processes.process=*http* by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_html_help_url_in_command_line_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications may retrieve a CHM remotely, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_hh", "definition": "(Processes.process_name=hh.exe OR Processes.original_file_name=HH.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_html_help_url_in_command_line_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect HTML Help Using InfoTech Storage Handlers", "author": "Michael Haag, Splunk", "date": "2021-09-16", "version": 2, "id": "0b2eefa5-5508-450d-b970-3dd2fb761aec", "description": "The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) file using InfoTech Storage Handlers. This particular technique will load Windows script code from a compiled help file, using InfoTech Storage Handlers. itss.dll will load upon execution. Three InfoTech Storage handlers are supported - ms-its, its, mk:@MSITStore. ITSS may be used to launch a specific html/htm file from within a CHM file. CHM files may contain nearly any file type embedded. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", "references": ["https://attack.mitre.org/techniques/T1218/001/", "https://www.kb.cert.org/vuls/id/851869", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md", "https://lolbas-project.github.io/lolbas/Binaries/Hh/", "https://gist.github.com/mgeeky/cce31c8602a144d8f2172a73d510e0e7", "https://web.archive.org/web/20220119133748/https://cyberforensicator.com/2019/01/20/silence-dissecting-malicious-chm-files-and-performing-forensic-analysis/"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious Compiled HTML Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "$process_name$ has been identified using Infotech Storage Handlers to load a specific file within a CHM on $dest$ under user $user$.", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.001", "mitre_attack_technique": "Compiled HTML File", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "APT41", "Dark Caracal", "OilRig", "Silence"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_hh` Processes.process IN (\"*its:*\", \"*mk:@MSITStore:*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_html_help_using_infotech_storage_handlers_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "It is rare to see instances of InfoTech Storage Handlers being used, but it does happen in some legitimate instances. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_hh", "definition": "(Processes.process_name=hh.exe OR Processes.original_file_name=HH.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_html_help_using_infotech_storage_handlers_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "author": "Michael Haag, Splunk", "date": "2023-12-27", "version": 2, "id": "8148c29c-c952-11eb-9255-acde48001122", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all.\n\nThis analytic identifies common Mimikatz functions that may be identified in the script block, including `mimikatz`. This will catch the most basic use cases for Pass the Ticket, Pass the Hash and `-DumprCreds`.\nDuring triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.", "references": ["https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html"], "tags": {"analytic_story": ["CISA AA22-264A", "CISA AA22-320A", "CISA AA23-347A", "Data Destruction", "Hermetic Wiper", "Malicious PowerShell", "Sandworm Tools"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "UserID", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "The following behavior was identified and typically related to MimiKatz being loaded within the context of PowerShell on $Computer$ by $UserID$.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText IN (*mimikatz*, *-dumpcr*, *sekurlsa::pth*, *kerberos::ptt*, *kerberos::golden*) | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_mimikatz_with_powershell_script_block_logging_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives should be limited as the commands being identifies are quite specific to EventCode 4104 and Mimikatz. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "detect_mimikatz_with_powershell_script_block_logging_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect mshta inline hta execution", "author": "Bhavin Patel, Michael Haag, Splunk", "date": "2021-09-16", "version": 6, "id": "a0873b32-5b68-11eb-ae93-0242ac130002", "description": "The following analytic identifies \"mshta.exe\" execution with inline protocol handlers. \"JavaScript\", \"VBScript\", and \"About\" are the only supported options when invoking HTA content directly on the command-line. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process \"mshta.exe\" and its parent process.", "references": ["https://github.com/redcanaryco/AtomicTestHarnesses", "https://redcanary.com/blog/introducing-atomictestharnesses/", "https://docs.microsoft.com/en-us/windows/win32/search/-search-3x-wds-extidx-prot-implementing"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious MSHTA Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ executing with inline HTA, indicative of defense evasion.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA2541", "TA551"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_mshta` (Processes.process=*vbscript* OR Processes.process=*javascript* OR Processes.process=*about*) by Processes.user Processes.process_name Processes.original_file_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_mshta_inline_hta_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_mshta", "definition": "(Processes.process_name=mshta.exe OR Processes.original_file_name=MSHTA.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_mshta_inline_hta_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect mshta renamed", "author": "Michael Haag, Splunk", "date": "2022-04-07", "version": 3, "id": "8f45fcf0-5b68-11eb-ae93-0242ac130002", "description": "The following analytic identifies renamed instances of mshta.exe executing. Mshta.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64. This analytic utilizes the internal name of the PE to identify if is the legitimate mshta binary. Further analysis should be performed to review the executed content and validation it is the real mshta.", "references": ["https://github.com/redcanaryco/AtomicTestHarnesses", "https://redcanary.com/blog/introducing-atomictestharnesses/"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious MSHTA Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "The following $process_name$ has been identified as renamed, spawning from $parent_process_name$ on $dest$ executed by user $user$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA2541", "TA551"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name!=mshta.exe AND Processes.original_file_name=MSHTA.EXE by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_mshta_renamed_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications may use a moved copy of mshta.exe, but never renamed, triggering a false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_mshta_renamed_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect MSHTA Url in Command Line", "author": "Michael Haag, Splunk", "date": "2021-09-16", "version": 2, "id": "9b3af1e6-5b68-11eb-ae93-0242ac130002", "description": "This analytic identifies when Microsoft HTML Application Host (mshta.exe) utility is used to make remote http connections. Adversaries may use mshta.exe to proxy the download and execution of remote .hta files. The analytic identifies command line arguments of http and https being used. This technique is commonly used by malicious software to bypass preventative controls. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process \"rundll32.exe\" and its parent process.", "references": ["https://github.com/redcanaryco/AtomicTestHarnesses", "https://redcanary.com/blog/introducing-atomictestharnesses/", "https://docs.microsoft.com/en-us/windows/win32/search/-search-3x-wds-extidx-prot-implementing"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious MSHTA Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to access a remote destination to download an additional payload.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA2541", "TA551"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_mshta` (Processes.process=\"*http://*\" OR Processes.process=\"*https://*\") by Processes.user Processes.process_name Processes.parent_process_name Processes.original_file_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_mshta_url_in_command_line_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "It is possible legitimate applications may perform this behavior and will need to be filtered.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_mshta", "definition": "(Processes.process_name=mshta.exe OR Processes.original_file_name=MSHTA.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_mshta_url_in_command_line_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect New Local Admin account", "author": "David Dorsey, Splunk", "date": "2024-02-14", "version": 3, "id": "b25f6f62-0712-43c1-b203-083231ffd97d", "description": "The following analytic detects the creation of new accounts that have been elevated to local administrators so that you can take immediate action to mitigate the risks and prevent further unauthorized access or malicious activities. This detection is made by using the Splunk query `wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Administrators) to search for relevant security events in the Windows event log. When a new account is created or an existing account is added to the Administrators group, this analytic identifies this behavior by looking for EventCode 4720 (A user account was created) or EventCode 4732 (A member was added to a security-enabled global group). This analytic specifically focuses on events where the Group_Name is set to Administrators. This detection is important because it suggests that an attacker has gained elevated privileges and can perform malicious actions with administrative access. This can lead to significant impact, such as unauthorized access to sensitive data, unauthorized modifications to systems or configurations, and potential disruption of critical services. identifying this behavior is crucial for a Security Operations Center (SOC). Next steps include reviewing the details of the security event, including the user account that was created or added to the Administrators group. Also, examine the time span between the first and last occurrence of the event to determine if the behavior is ongoing. Additionally, consider any contextual information, such as the destination where the account was created or added to understand the scope and potential impact of the attack.", "references": [], "tags": {"analytic_story": ["CISA AA22-257A", "DHS Report TA18-074A", "HAFNIUM Group"], "asset_type": "Windows", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A $user$ on $dest$ was added recently. Identify if this was legitimate behavior or not.", "risk_score": 42, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "APT5", "Dragonfly", "FIN13", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT", "Wizard Spider"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider", "Scattered Spider"]}]}, "type": "TTP", "search": "`wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Administrators) | transaction src_user connected=false maxspan=180m | rename src_user as user | stats count min(_time) as firstTime max(_time) as lastTime by user dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_new_local_admin_account_filter`", "how_to_implement": "You must be ingesting Windows event logs using the Splunk Windows TA and collecting event code 4720 and 4732", "known_false_positives": "The activity may be legitimate. For this reason, it's best to verify the account with an administrator and ask whether there was a valid service request for the account creation. If your local administrator group name is not \"Administrators\", this search may generate an excessive number of false positives", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_new_local_admin_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Outlook exe writing a zip file", "author": "Bhavin Patel, Splunk", "date": "2024-05-19", "version": 5, "id": "a51bfe1a-94f0-4822-b1e4-16ae10145893", "description": "The following analytic identifies the execution of `outlook.exe` writing a `.zip` file to the disk. It leverages data from the Endpoint data model, specifically monitoring process and filesystem activities. This behavior is significant as it may indicate the use of Outlook to deliver malicious payloads or exfiltrate data via compressed files. If confirmed malicious, this activity could lead to unauthorized data access, data exfiltration, or the delivery of malware, potentially compromising the security of the affected system and network.", "references": [], "tags": {"analytic_story": ["Amadey", "Remcos", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_name=outlook.exe by _time span=5m Processes.parent_process_id Processes.process_id Processes.dest Processes.process_name Processes.parent_process_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename process_id as malicious_id| rename parent_process_id as outlook_id| join malicious_id type=inner[| tstats `security_content_summariesonly` count values(Filesystem.file_path) as file_path values(Filesystem.file_name) as file_name FROM datamodel=Endpoint.Filesystem where (Filesystem.file_path=*.zip* OR Filesystem.file_name=*.lnk ) AND (Filesystem.file_path=C:\\\\Users* OR Filesystem.file_path=*Local\\\\Temp*) by _time span=5m Filesystem.process_id Filesystem.file_hash Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename process_id as malicious_id| fields malicious_id outlook_id dest file_path file_name file_hash count file_id] | table firstTime lastTime user malicious_id outlook_id process_name parent_process_name file_name file_path | where file_name != \"\" | `detect_outlook_exe_writing_a_zip_file_filter` ", "how_to_implement": "You must be ingesting data that records filesystem and process activity from your hosts to populate the Endpoint data model. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or endpoint data sources, such as Sysmon.", "known_false_positives": "It is not uncommon for outlook to write legitimate zip files to the disk.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_outlook_exe_writing_a_zip_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Path Interception By Creation Of program exe", "author": "Patrick Bareiss, Splunk", "date": "2024-05-19", "version": 6, "id": "cbef820c-e1ff-407f-887f-0a9240a2d477", "description": "The following analytic identifies the creation of a program executable in an unquoted service path, a common technique for privilege escalation. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where the parent process is 'services.exe'. This activity is significant because unquoted service paths can be exploited by attackers to execute arbitrary code with elevated privileges. If confirmed malicious, this could allow an attacker to gain higher-level access, potentially leading to full system compromise and persistent control over the affected endpoint.", "references": ["https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae"], "tags": {"analytic_story": ["Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to perform privilege escalation by using unquoted service paths.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1574.009", "mitre_attack_technique": "Path Interception by Unquoted Path", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=services.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | rex field=process \"^.*?\\\\\\\\(?[^\\\\\\\\]*\\.(?:exe|bat|com|ps1))\" | eval process_name = lower(process_name) | eval service_process = lower(service_process) | where process_name != service_process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_path_interception_by_creation_of_program_exe_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_path_interception_by_creation_of_program_exe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect processes used for System Network Configuration Discovery", "author": "Bhavin Patel, Splunk", "date": "2024-05-19", "version": 3, "id": "a51bfe1a-94f0-48cc-b1e4-16ae10145893", "description": "The following analytic identifies the rapid execution of processes used for system network configuration discovery on an endpoint. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process GUIDs, names, parent processes, and command-line executions. This activity is significant as it may indicate an attacker attempting to map the network, which is a common precursor to lateral movement or further exploitation. If confirmed malicious, this behavior could allow an attacker to gain insights into the network topology, identify critical systems, and plan subsequent attacks, potentially leading to data exfiltration or system compromise.", "references": [], "tags": {"analytic_story": ["Unusual Processes"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning multiple $process_name$ was identified on endpoint $dest$ by user $user$ typically not a normal behavior of the process.", "risk_score": 32, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where NOT Processes.user IN (\"\",\"unknown\") by Processes.dest Processes.process_name Processes.parent_process_name Processes.user _time | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | search `system_network_configuration_discovery_tools` | transaction dest connected=false maxpause=5m |where eventcount>=5 | table firstTime lastTime dest user process_name process parent_process parent_process_name eventcount | `detect_processes_used_for_system_network_configuration_discovery_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "It is uncommon for normal users to execute a series of commands used for network discovery. System administrators often use scripts to execute these commands. These can generate false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "system_network_configuration_discovery_tools", "definition": "(process_name= \"arp.exe\" OR process_name= \"at.exe\" OR process_name= \"attrib.exe\" OR process_name= \"cscript.exe\" OR process_name= \"dsquery.exe\" OR process_name= \"hostname.exe\" OR process_name= \"ipconfig.exe\" OR process_name= \"mimikatz.exe\" OR process_name= \"nbstat.exe\" OR process_name= \"net.exe\" OR process_name= \"netsh.exe\" OR process_name= \"nslookup.exe\" OR process_name= \"ping.exe\" OR process_name= \"quser.exe\" OR process_name= \"qwinsta.exe\" OR process_name= \"reg.exe\" OR process_name= \"runas.exe\" OR process_name= \"sc.exe\" OR process_name= \"schtasks.exe\" OR process_name= \"ssh.exe\" OR process_name= \"systeminfo.exe\" OR process_name= \"taskkill.exe\" OR process_name= \"telnet.exe\" OR process_name= \"tracert.exe\" OR process_name=\"wscript.exe\" OR process_name= \"xcopy.exe\")", "description": "This macro is a list of process that can be used to discover the network configuration"}, {"name": "detect_processes_used_for_system_network_configuration_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Prohibited Applications Spawning cmd exe", "author": "Bhavin Patel, Splunk", "date": "2024-05-16", "version": 7, "id": "dcfd6b40-42f9-469d-a433-2e53f7486664", "description": "The following analytic detects executions of cmd.exe spawned by processes that are commonly abused by attackers and do not typically launch cmd.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process GUID, process name, parent process, and command-line executions. This activity is significant because it may indicate an attempt to execute unauthorized commands or scripts, often a precursor to further malicious actions. If confirmed malicious, this behavior could lead to unauthorized code execution, privilege escalation, or persistence within the environment.", "references": [], "tags": {"analytic_story": ["NOBELIUM Group", "Suspicious Command-Line Executions", "Suspicious MSHTA Activity", "Suspicious Zoom Child Processes"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ running prohibited applications.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` by Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |search [`prohibited_apps_launching_cmd_macro`] | `detect_prohibited_applications_spawning_cmd_exe_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "There are circumstances where an application may legitimately execute and interact with the Windows command-line interface. Investigate and modify the lookup file, as appropriate.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "prohibited_apps_launching_cmd_macro", "definition": "| inputlookup prohibited_apps_launching_cmd | rename prohibited_applications as parent_process_name | eval parent_process_name=\"*\" . parent_process_name | table parent_process_name", "description": "This macro outputs a list of process that should not be the parent process of cmd.exe"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_prohibited_applications_spawning_cmd_exe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect PsExec With accepteula Flag", "author": "Bhavin Patel, Splunk", "date": "2021-09-16", "version": 4, "id": "27c3a83d-cada-47c6-9042-67baf19d2574", "description": "This search looks for events where `PsExec.exe` is run with the `accepteula` flag in the command line. PsExec is a built-in Windows utility that enables you to execute processes on other systems. It is fully interactive for console applications. This tool is widely used for launching interactive command prompts on remote systems. Threat actors leverage this extensively for executing code on compromised systems. If an attacker is running PsExec for the first time, they will be prompted to accept the end-user license agreement (EULA), which can be passed as the argument `accepteula` within the command line.", "references": ["https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "BlackByte Ransomware", "CISA AA22-320A", "DHS Report TA18-074A", "DarkGate Malware", "DarkSide Ransomware", "HAFNIUM Group", "IcedID", "Rhysida Ransomware", "SamSam Ransomware", "Sandworm Tools", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ running the utility for possibly the first time.", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_psexec` Processes.process=*accepteula* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)`| `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_psexec_with_accepteula_flag_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators can leverage PsExec for accessing remote systems and might pass `accepteula` as an argument if they are running this tool for the first time. However, it is not likely that you'd see multiple occurrences of this event on a machine", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_psexec", "definition": "(Processes.process_name=psexec.exe OR Processes.process_name=psexec64.exe OR Processes.original_file_name=psexec.c)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_psexec_with_accepteula_flag_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Rare Executables", "author": "Bhavin Patel, Splunk", "date": "2024-03-12", "version": 4, "id": "44fddcb2-8d3b-454c-874e-7c6de5a4f7ac", "description": "The following analytic detects the occurrence of rare processes that appear only once across the network within a specified timeframe. It operates by compiling a list of process executions. This detection is crucial for a Security Operations Center (SOC) as it helps in identifying potentially malicious activities or unauthorized software that could indicate a security breach or an ongoing attack. Identifying such rare processes allows for early detection of threats, minimizing the potential impact of an attack which could range from data theft to complete system compromise.", "references": [], "tags": {"analytic_story": ["Rhysida Ransomware", "Unusual Processes"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A rare process - [$process_name$] has been detected on less than 10 hosts in your environment.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` dc(Processes.dest) as dc_dest values(Processes.dest) as dest values(Processes.user) as user min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.process_name | `drop_dm_object_name(Processes)` | search dc_dest < 10 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rare_executables_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Some legitimate processes may be only rarely executed in your environment.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_rare_executables_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect RClone Command-Line Usage", "author": "Michael Haag, Splunk", "date": "2021-11-29", "version": 2, "id": "32e0baea-b3f1-11eb-a2ce-acde48001122", "description": "This analytic identifies commonly used command-line arguments used by `rclone.exe` to initiate a file transfer. Some arguments were negated as they are specific to the configuration used by adversaries. In particular, an adversary may list the files or directories of the remote file share using `ls` or `lsd`, which is not indicative of malicious behavior. During triage, at this stage of a ransomware event, exfiltration is about to occur or has already. Isolate the endpoint and continue investigating by review file modifications and parallel processes.", "references": ["https://redcanary.com/blog/rclone-mega-extortion/", "https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/"], "tags": {"analytic_story": ["DarkSide Ransomware", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to connect to a remote cloud service to move files or folders.", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1020", "mitre_attack_technique": "Automated Exfiltration", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["Gamaredon Group", "Ke3chang", "Sidewinder", "Tropic Trooper"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rclone` Processes.process IN (\"*copy*\", \"*mega*\", \"*pcloud*\", \"*ftp*\", \"*--config*\", \"*--progress*\", \"*--no-check-certificate*\", \"*--ignore-existing*\", \"*--auto-confirm*\", \"*--transfers*\", \"*--multi-thread-streams*\") by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rclone_command_line_usage_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited as this is restricted to the Rclone process name. Filter or tune the analytic as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_rclone", "definition": "(Processes.original_file_name=rclone.exe OR Processes.process_name=rclone.exe)", "description": "Matches the process with its original file name."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_rclone_command_line_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Regasm Spawning a Process", "author": "Michael Haag, Splunk", "date": "2024-04-29", "version": 3, "id": "72170ec5-f7d2-42f5-aefb-2b8be6aad15f", "description": "The following analytic identifies regasm.exe spawning a process. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. Spawning of a child process is rare from either process and should be investigated further. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. regsvcs.exe and regasm.exe are natively found in C:\\Windows\\Microsoft.NET\\Framework\\v*\\regasm|regsvcs.exe and C:\\Windows\\Microsoft.NET\\Framework64\\v*\\regasm|regsvcs.exe.", "references": ["https://attack.mitre.org/techniques/T1218/009/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md", "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/", "https://lolbas-project.github.io/lolbas/Binaries/Regasm/"], "tags": {"analytic_story": ["DarkGate Malware", "Living Off The Land", "Snake Keylogger", "Suspicious Regsvcs Regasm Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ spawning a child process, typically not normal behavior for $parent_process_name$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.009", "mitre_attack_technique": "Regsvcs/Regasm", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=regasm.exe NOT (Processes.process_name IN (\"conhost.exe\")) by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regasm_spawning_a_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, limited instances of regasm.exe or regsvcs.exe may cause a false positive. Filter based endpoint usage, command line arguments, or process lineage.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_regasm_spawning_a_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Regasm with Network Connection", "author": "Michael Haag, Splunk", "date": "2024-01-30", "version": 3, "id": "07921114-6db4-4e2e-ae58-3ea8a52ae93f", "description": "The following analytic identifies regasm.exe with a network connection to a public IP address, exluding private IP space. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. By contacting a remote Command And Control server, the adversary will have the ability to escalate privileges and complete the objectives. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. Review the reputation of the remote IP or domain and block as needed. regsvcs.exe and regasm.exe are natively found in C:\\Windows\\Microsoft.NET\\Framework\\v*\\regasm|regsvcs.exe and C:\\Windows\\Microsoft.NET\\Framework64\\v*\\regasm|regsvcs.exe.", "references": ["https://attack.mitre.org/techniques/T1218/009/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md", "https://lolbas-project.github.io/lolbas/Binaries/Regasm/"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious Regsvcs Regasm Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $process_name$ contacting a remote destination was identified on endpoint $dest$ by user $user$. This behavior is not normal for $process_name$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.009", "mitre_attack_technique": "Regsvcs/Regasm", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "`sysmon` EventID=3 dest_ip!=10.0.0.0/8 dest_ip!=172.16.0.0/12 dest_ip!=192.168.0.0/16 process_name=regasm.exe | stats count min(_time) as firstTime max(_time) as lastTime by dest, user, process_name, src_ip, dest_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regasm_with_network_connection_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Although unlikely, limited instances of regasm.exe with a network connection may cause a false positive. Filter based endpoint usage, command line arguments, or process lineage.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_regasm_with_network_connection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Regasm with no Command Line Arguments", "author": "Michael Haag, Splunk", "date": "2022-03-15", "version": 3, "id": "c3bc1430-04e7-4178-835f-047d8e6e97df", "description": "The following analytic identifies regasm.exe with no command line arguments. This particular behavior occurs when another process injects into regasm.exe, no command line arguments will be present. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Regasm.exe are natively found in `C:\\Windows\\Microsoft.NET\\Framework\\v*\\regasm|regsvcs.exe` and `C:\\Windows\\Microsoft.NET\\Framework64\\v*\\regasm|regsvcs.exe`.", "references": ["https://attack.mitre.org/techniques/T1218/009/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md", "https://lolbas-project.github.io/lolbas/Binaries/Regasm/"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious Regsvcs Regasm Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "The process $process_name$ was spawned by $parent_process_name$ without any command-line arguments on $dest$ by $user$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.009", "mitre_attack_technique": "Regsvcs/Regasm", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_regasm` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(regasm\\.exe.{0,4}$)\" | `detect_regasm_with_no_command_line_arguments_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, limited instances of regasm.exe or may cause a false positive. Filter based endpoint usage, command line arguments, or process lineage.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_regasm", "definition": "(Processes.process_name=regasm.exe OR Processes.original_file_name=RegAsm.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_regasm_with_no_command_line_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Regsvcs Spawning a Process", "author": "Michael Haag, Splunk", "date": "2023-11-07", "version": 2, "id": "bc477b57-5c21-4ab6-9c33-668772e7f114", "description": "The following analytic identifies regsvcs.exe spawning a process. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. Spawning of a child process is rare from either process and should be investigated further. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. regsvcs.exe and regasm.exe are natively found in C:\\Windows\\Microsoft.NET\\Framework\\v*\\regasm|regsvcs.exe and C:\\Windows\\Microsoft.NET\\Framework64\\v*\\regasm|regsvcs.exe.", "references": ["https://attack.mitre.org/techniques/T1218/009/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md", "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious Regsvcs Regasm Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ typically not normal for this process.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.009", "mitre_attack_technique": "Regsvcs/Regasm", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=regsvcs.exe by Processes.parent_process_name Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regsvcs_spawning_a_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, limited instances of regasm.exe or regsvcs.exe may cause a false positive. Filter based endpoint usage, command line arguments, or process lineage.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_regsvcs_spawning_a_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Regsvcs with Network Connection", "author": "Michael Haag, Splunk", "date": "2024-01-30", "version": 3, "id": "e3e7a1c0-f2b9-445c-8493-f30a63522d1a", "description": "The following analytic identifies Regsvcs.exe with a network connection to a public IP address, exluding private IP space. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. By contacting a remote Command And Control server, the adversary will have the ability to escalate privileges and complete the objectives. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. Review the reputation of the remote IP or domain and block as needed. regsvcs.exe and regasm.exe are natively found in C:\\Windows\\Microsoft.NET\\Framework\\v*\\regasm|regsvcs.exe and C:\\Windows\\Microsoft.NET\\Framework64\\v*\\regasm|regsvcs.exe.", "references": ["https://attack.mitre.org/techniques/T1218/009/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md", "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious Regsvcs Regasm Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $process_name$ contacting a remote destination was identified on endpoint $dest$ by user $user$. This behavior is not normal for $process_name$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.009", "mitre_attack_technique": "Regsvcs/Regasm", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "`sysmon` EventID=3 dest_ip!=10.0.0.0/8 dest_ip!=172.16.0.0/12 dest_ip!=192.168.0.0/16 process_name=regsvcs.exe | stats count min(_time) as firstTime max(_time) as lastTime by dest, user, process_name, src_ip, dest_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regsvcs_with_network_connection_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Although unlikely, limited instances of regsvcs.exe may cause a false positive. Filter based endpoint usage, command line arguments, or process lineage.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_regsvcs_with_network_connection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Regsvcs with No Command Line Arguments", "author": "Michael Haag, Splunk", "date": "2022-03-15", "version": 3, "id": "6b74d578-a02e-4e94-a0d1-39440d0bf254", "description": "The following analytic identifies regsvcs.exe with no command line arguments. This particular behavior occurs when another process injects into regsvcs.exe, no command line arguments will be present. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Regasm.exe are natively found in C:\\Windows\\Microsoft.NET\\Framework\\v*\\regasm|regsvcs.exe and C:\\Windows\\Microsoft.NET\\Framework64\\v*\\regasm|regsvcs.exe.", "references": ["https://attack.mitre.org/techniques/T1218/009/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md", "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious Regsvcs Regasm Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "The process $process_name$ was spawned by $parent_process_name$ without any command-line arguments on $dest$ by $user$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.009", "mitre_attack_technique": "Regsvcs/Regasm", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_regsvcs` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(regsvcs\\.exe.{0,4}$)\"| `detect_regsvcs_with_no_command_line_arguments_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, limited instances of regsvcs.exe may cause a false positive. Filter based endpoint usage, command line arguments, or process lineage.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_regsvcs", "definition": "(Processes.process_name=regsvcs.exe OR Processes.original_file_name=RegSvcs.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_regsvcs_with_no_command_line_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Regsvr32 Application Control Bypass", "author": "Michael Haag, Splunk", "date": "2023-07-10", "version": 2, "id": "070e9b80-6252-11eb-ae93-0242ac130002", "description": "Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.This variation of the technique is often referred to as a \"Squiblydoo\" attack.\nUpon investigating, look for network connections to remote destinations (internal or external). Be cautious to modify the query to look for \"scrobj.dll\", the \".dll\" is not required to load scrobj. \"scrobj.dll\" will be loaded by \"regsvr32.exe\" upon execution. ", "references": ["https://attack.mitre.org/techniques/T1218/010/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md", "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/", "https://support.microsoft.com/en-us/topic/how-to-use-the-regsvr32-tool-and-troubleshoot-regsvr32-error-messages-a98d960a-7392-e6fe-d90a-3f4e0cb543e5"], "tags": {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack", "Living Off The Land", "Suspicious Regsvr32 Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ in an attempt to bypass detection and preventative controls was identified on endpoint $dest$ by user $user$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_regsvr32` Processes.process=*scrobj* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_regsvr32_application_control_bypass_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives related to third party software registering .DLL's.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_regsvr32", "definition": "(Processes.process_name=regsvr32.exe OR Processes.original_file_name=REGSVR32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_regsvr32_application_control_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Remote Access Software Usage File", "author": "Steven Dick", "date": "2024-02-22", "version": 1, "id": "3bf5541a-6a45-4fdc-b01d-59b899fff961", "description": "The following analytic detects when a file from a known remote access software is written to disk within the environment. Adversaries use these utilities to retain remote access capabilities to the environment. Utilities in the lookup include AnyDesk, GoToMyPC, LogMeIn, TeamViewer and much more. Review the lookup for the entire list and add any others.", "references": ["https://attack.mitre.org/techniques/T1219/", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/"], "tags": {"analytic_story": ["Command And Control", "Insider Threat", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}], "message": "A file for known a remote access software [$file_name$] was created on $dest$ by $user$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1219", "mitre_attack_technique": "Remote Access Software", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Akira", "Carbanak", "Cobalt Group", "DarkVishnya", "Evilnum", "FIN7", "GOLD SOUTHFIELD", "Kimsuky", "MuddyWater", "Mustang Panda", "RTM", "Sandworm Team", "Scattered Spider", "TeamTNT", "Thrip"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count, min(_time) as firstTime, max(_time) as lastTime, values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.dest, Filesystem.user, Filesystem.file_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Filesystem)` | lookup remote_access_software remote_utility AS file_name OUTPUT isutility, description as signature, comment_reference as desc, category | search isutility = TRUE | `detect_remote_access_software_usage_file_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the file path, file name, and the user that created the file. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Filesystem` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Known or approved applications used by the organization or usage of built-in functions.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_remote_access_software_usage_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "remote_access_software", "description": "A list of Remote Access Software", "filename": "remote_access_software.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(remote_utility),WILDCARD(remote_domain),WILDCARD(remote_utility_fileinfo)", "min_matches": 1, "fields_list": null}]}, {"name": "Detect Remote Access Software Usage FileInfo", "author": "Steven Dick", "date": "2024-02-22", "version": 1, "id": "ccad96d7-a48c-4f13-8b9c-9f6a31cba454", "description": "The following analytic detects when process with file or code signing attributes from a known remote access software is executed with the environment. Adversaries use these utilities to retain remote access capabilities to the environment. Utilities in the lookup include AnyDesk, GoToMyPC, LogMeIn, TeamViewer and much more. Review the lookup for the entire list and add any others.", "references": ["https://attack.mitre.org/techniques/T1219/", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/"], "tags": {"analytic_story": ["Command And Control", "Insider Threat", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "A file attributes for known a remote access software [$process_name$] was detected on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1219", "mitre_attack_technique": "Remote Access Software", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Akira", "Carbanak", "Cobalt Group", "DarkVishnya", "Evilnum", "FIN7", "GOLD SOUTHFIELD", "Kimsuky", "MuddyWater", "Mustang Panda", "RTM", "Sandworm Team", "Scattered Spider", "TeamTNT", "Thrip"]}]}, "type": "Anomaly", "search": "`sysmon` EventCode=1 | stats count min(_time) as firstTime max(_time) as lastTime, values(Company) as Company values(Product) as Product by dest, user, parent_process_name, process_name, process | lookup remote_access_software remote_utility_fileinfo AS Product OUTPUT isutility, description as signature, comment_reference as desc, category | search isutility = True | `detect_remote_access_software_usage_fileinfo_filter`", "how_to_implement": "This analytic relies on Sysmon to be properly installed and utilized in the environment. Ensure that proper logging is setup for Sysmon and data is being ingested into Splunk.", "known_false_positives": "Known or approved applications used by the organization or usage of built-in functions.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_remote_access_software_usage_fileinfo_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "remote_access_software", "description": "A list of Remote Access Software", "filename": "remote_access_software.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(remote_utility),WILDCARD(remote_domain),WILDCARD(remote_utility_fileinfo)", "min_matches": 1, "fields_list": null}]}, {"name": "Detect Remote Access Software Usage Process", "author": "Steven Dick", "date": "2024-02-22", "version": 1, "id": "ffd5e001-2e34-48f4-97a2-26dc4bb08178", "description": "The following analytic detects when a known remote access software is executed within the environment. Adversaries use these utilities to retain remote access capabilities to the environment. Utilities in the lookup include AnyDesk, GoToMyPC, LogMeIn, TeamViewer and much more. Review the lookup for the entire list and add any others.", "references": ["https://attack.mitre.org/techniques/T1219/", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/"], "tags": {"analytic_story": ["Command And Control", "Insider Threat", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "A process for a known remote access software $process_name$ was identified on $dest$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1219", "mitre_attack_technique": "Remote Access Software", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Akira", "Carbanak", "Cobalt Group", "DarkVishnya", "Evilnum", "FIN7", "GOLD SOUTHFIELD", "Kimsuky", "MuddyWater", "Mustang Panda", "RTM", "Sandworm Team", "Scattered Spider", "TeamTNT", "Thrip"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.parent_process) as parent_process from datamodel=Endpoint.Processes where Processes.dest!=unknown Processes.process!=unknown by Processes.dest Processes.user Processes.process_name Processes.process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | lookup remote_access_software remote_utility AS process_name OUTPUT isutility, description as signature, comment_reference as desc, category | search isutility = True | `detect_remote_access_software_usage_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "It is possible that legitimate remote access software is used within the environment. Ensure that the lookup is reviewed and updated with any additional remote access software that is used within the environment.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_remote_access_software_usage_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "remote_access_software", "description": "A list of Remote Access Software", "filename": "remote_access_software.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(remote_utility),WILDCARD(remote_domain),WILDCARD(remote_utility_fileinfo)", "min_matches": 1, "fields_list": null}]}, {"name": "Detect Renamed 7-Zip", "author": "Michael Haag, Splunk", "date": "2021-09-16", "version": 2, "id": "4057291a-b8cf-11eb-95fe-acde48001122", "description": "The following analytic identifies renamed 7-Zip usage using Sysmon. At this stage of an attack, review parallel processes and file modifications for data that is staged or potentially have been exfiltrated. This analytic utilizes the OriginalFileName to capture the renamed process. During triage, validate this is the legitimate version of `7zip` by reviewing the PE metadata. In addition, review parallel processes for further suspicious behavior.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"], "tags": {"analytic_story": ["Collection and Staging"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "The following $process_name$ has been identified as renamed, spawning from $parent_process_name$ on $dest$ by $user$.", "risk_score": 27, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "APT5", "Akira", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN13", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.original_file_name=7z*.exe AND Processes.process_name!=7z*.exe) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_renamed_7_zip_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives, however this analytic will need to be modified for each environment if Sysmon is not used.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_renamed_7_zip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Renamed PSExec", "author": "Michael Haag, Splunk", "date": "2022-04-07", "version": 4, "id": "683e6196-b8e8-11eb-9a79-acde48001122", "description": "The following analytic identifies renamed instances of `PsExec.exe` being utilized on an endpoint. Most instances, it is highly probable to capture `Psexec.exe` or other SysInternal utility usage with the command-line argument of `-accepteula`. During triage, validate this is the legitimate version of `PsExec` by reviewing the PE metadata. In addition, review parallel processes for further suspicious behavior.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.yaml", "https://redcanary.com/blog/threat-hunting-psexec-lateral-movement/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "BlackByte Ransomware", "CISA AA22-320A", "DHS Report TA18-074A", "DarkGate Malware", "DarkSide Ransomware", "HAFNIUM Group", "Rhysida Ransomware", "SamSam Ransomware", "Sandworm Tools"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "The following $process_name$ has been identified as renamed, spawning from $parent_process_name$ on $dest$ by $user$.", "risk_score": 27, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name!=psexec.exe OR Processes.process_name!=psexec64.exe) AND Processes.original_file_name=psexec.c by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_renamed_psexec_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives should be present. It is possible some third party applications may use older versions of PsExec, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_renamed_psexec_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Renamed RClone", "author": "Michael Haag, Splunk", "date": "2021-09-16", "version": 2, "id": "6dca1124-b3ec-11eb-9328-acde48001122", "description": "The following analytic identifies the usage of `rclone.exe`, renamed, being used to exfiltrate data to a remote destination. RClone has been used by multiple ransomware groups to exfiltrate data. In many instances, it will be downloaded from the legitimate site and executed accordingly. During triage, isolate the endpoint and begin to review parallel processes for additional behavior. At this stage, the adversary may have staged data to be exfiltrated.", "references": ["https://redcanary.com/blog/rclone-mega-extortion/", "https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/"], "tags": {"analytic_story": ["DarkSide Ransomware", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "The following $process_name$ has been identified as renamed, spawning from $parent_process_name$ on $dest$ by $user$.", "risk_score": 27, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1020", "mitre_attack_technique": "Automated Exfiltration", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["Gamaredon Group", "Ke3chang", "Sidewinder", "Tropic Trooper"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.original_file_name=rclone.exe AND Processes.process_name!=rclone.exe) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_renamed_rclone_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited as this analytic identifies renamed instances of `rclone.exe`. Filter as needed if there is a legitimate business use case.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_renamed_rclone_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Renamed WinRAR", "author": "Michael Haag, Splunk", "date": "2021-09-16", "version": 3, "id": "1b7bfb2c-b8e6-11eb-99ac-acde48001122", "description": "The following analtyic identifies renamed instances of `WinRAR.exe`. In most cases, it is not common for WinRAR to be used renamed, however it is common to be installed by a third party application and executed from a non-standard path. During triage, validate additional metadata from the binary that this is `WinRAR`. Review parallel processes and file modifications.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"], "tags": {"analytic_story": ["CISA AA22-277A", "Collection and Staging"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "The following $process_name$ has been identified as renamed, spawning from $parent_process_name$ on $dest$ by $user$.", "risk_score": 27, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "APT5", "Akira", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN13", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.original_file_name=WinRAR.exe (Processes.process_name!=rar.exe OR Processes.process_name!=winrar.exe) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_renamed_winrar_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unknown. It is possible third party applications use renamed instances of WinRAR.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_renamed_winrar_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect RTLO In File Name", "author": "Steven Dick", "date": "2023-04-26", "version": 2, "id": "468b7e11-d362-43b8-b6ec-7a2d3b246678", "description": "This search is used to detect the abuse of the right-to-left override (RTLO or RLO) character (U+202E) RTLO. This technique is used by adversaries to disguise a string and/or file name to make it appear benign. The RTLO character is a non-printing Unicode character that causes the text that follows it to be displayed in reverse.", "references": ["https://attack.mitre.org/techniques/T1036/002/", "https://resources.infosecinstitute.com/topic/spoof-using-right-to-left-override-rtlo-technique-2/", "https://www.trendmicro.com/en_us/research/17/f/following-trail-blacktech-cyber-espionage-campaigns.html"], "tags": {"analytic_story": ["Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}], "message": "Suspicious RTLO detected in $file_name$ on endpoint $dest$ by user $user$.", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036.002", "mitre_attack_technique": "Right-to-Left Override", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["BRONZE BUTLER", "BlackTech", "Ferocious Kitten", "Ke3chang", "Scarlet Mimic"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.file_create_time) as file_create_time from datamodel=Endpoint.Filesystem where Filesystem.file_name!=unknown by Filesystem.dest Filesystem.user Filesystem.process_id Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex file_name = \"\\\\x{202E}\" | rex field=file_name \"(?.+)(?\\\\x{202E})(?.+)\" | eval file_name_with_RTLO=file_name | eval file_name=RTLO_file_1.RTLO_file_2 | fields - RTLO* | `detect_rtlo_in_file_name_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that includes the full command line of the process being launched on your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Implementation in regions that use right to left in native language.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_rtlo_in_file_name_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect RTLO In Process", "author": "Steven Dick", "date": "2023-04-26", "version": 2, "id": "22ac27b4-7189-4a4f-9375-b9017c9620d7", "description": "This search is used to detect the abuse of the right-to-left override (RTLO or RLO) character (U+202E) RTLO. This technique is used by adversaries to disguise a string and/or file name to make it appear benign. The RTLO character is a non-printing Unicode character that causes the text that follows it to be displayed in reverse.", "references": ["https://attack.mitre.org/techniques/T1036/002/", "https://resources.infosecinstitute.com/topic/spoof-using-right-to-left-override-rtlo-technique-2/", "https://www.trendmicro.com/en_us/research/17/f/following-trail-blacktech-cyber-espionage-campaigns.html"], "tags": {"analytic_story": ["Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker"]}], "message": "Suspicious RTLO detected in $process_name$ on endpoint $dest$ by user $user$.", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036.002", "mitre_attack_technique": "Right-to-Left Override", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["BRONZE BUTLER", "BlackTech", "Ferocious Kitten", "Ke3chang", "Scarlet Mimic"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process!=unknown AND Processes.action=allowed by Processes.dest Processes.user Processes.original_file_name Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | regex process=\"\\\\x{202E}\" | rex field=process \"(?.+)(?\\\\x{202E})(?.+)\" | eval process_with_RTLO=process | eval process=RTLO_command_1.RTLO_command_2 | fields - RTLO* | `detect_rtlo_in_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Implementation in regions that use right to left in native language.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_rtlo_in_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Rundll32 Application Control Bypass - advpack", "author": "Michael Haag, Splunk", "date": "2021-02-04", "version": 2, "id": "4aefadfe-9abd-4bf8-b3fd-867e9ef95bf8", "description": "The following analytic identifies rundll32.exe loading advpack.dll and ieadvpack.dll by calling the LaunchINFSection function on the command line. This particular technique will load script code from a file. Upon a successful execution, the following module loads may occur - clr.dll, jscript.dll and scrobj.dll. During investigation, identify script content origination. Generally, a child process will spawn from rundll32.exe, but that may be bypassed based on script code contents. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64. During investigation, review any network connections and obtain the script content executed. It's possible other files are on disk.", "references": ["https://attack.mitre.org/techniques/T1218/011/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md", "https://lolbas-project.github.io/lolbas/Binaries/Rundll32/", "https://lolbas-project.github.io/lolbas/Libraries/Advpack/", "https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious Rundll32 Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ loading advpack.dll and ieadvpack.dll by calling the LaunchINFSection function on the command line was identified on endpoint $dest$ by user $user$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*advpack* by Processes.dest Processes.user Processes.parent_process_name Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rundll32_application_control_bypass___advpack_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications may use advpack.dll or ieadvpack.dll, triggering a false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_rundll32_application_control_bypass___advpack_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Rundll32 Application Control Bypass - setupapi", "author": "Michael Haag, Splunk", "date": "2021-02-04", "version": 2, "id": "61e7b44a-6088-4f26-b788-9a96ba13b37a", "description": "The following analytic identifies rundll32.exe loading setupapi.dll and iesetupapi.dll by calling the LaunchINFSection function on the command line. This particular technique will load script code from a file. Upon a successful execution, the following module loads may occur - clr.dll, jscript.dll and scrobj.dll. During investigation, identify script content origination. Generally, a child process will spawn from rundll32.exe, but that may be bypassed based on script code contents. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64. During investigation, review any network connections and obtain the script content executed. It's possible other files are on disk.", "references": ["https://attack.mitre.org/techniques/T1218/011/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md", "https://lolbas-project.github.io/lolbas/Binaries/Rundll32/", "https://lolbas-project.github.io/lolbas/Libraries/Setupapi/", "https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious Rundll32 Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ loading setupapi.dll and iesetupapi.dll by calling the LaunchINFSection function on the command line was identified on endpoint $dest$ by user $user$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*setupapi* by Processes.dest Processes.user Processes.parent_process_name Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rundll32_application_control_bypass___setupapi_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications may use setupapi triggering a false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_rundll32_application_control_bypass___setupapi_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Rundll32 Application Control Bypass - syssetup", "author": "Michael Haag, Splunk", "date": "2021-02-04", "version": 2, "id": "71b9bf37-cde1-45fb-b899-1b0aa6fa1183", "description": "The following analytic identifies rundll32.exe loading syssetup.dll by calling the LaunchINFSection function on the command line. This particular technique will load script code from a file. Upon a successful execution, the following module loads may occur - clr.dll, jscript.dll and scrobj.dll. During investigation, identify script content origination. Generally, a child process will spawn from rundll32.exe, but that may be bypassed based on script code contents. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64. During investigation, review any network connections and obtain the script content executed. It's possible other files are on disk.", "references": ["https://attack.mitre.org/techniques/T1218/011/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md", "https://lolbas-project.github.io/lolbas/Binaries/Rundll32/", "https://lolbas-project.github.io/lolbas/Libraries/Syssetup/", "https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious Rundll32 Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ loading syssetup.dll by calling the LaunchINFSection function on the command line was identified on endpoint $dest$ by user $user$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*syssetup* by Processes.dest Processes.user Processes.parent_process_name Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rundll32_application_control_bypass___syssetup_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications may use syssetup.dll, triggering a false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_rundll32_application_control_bypass___syssetup_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Rundll32 Inline HTA Execution", "author": "Michael Haag, Splunk", "date": "2021-01-20", "version": 2, "id": "91c79f14-5b41-11eb-ae93-0242ac130002", "description": "The following analytic identifies \"rundll32.exe\" execution with inline protocol handlers. \"JavaScript\", \"VBScript\", and \"About\" are the only supported options when invoking HTA content directly on the command-line. This type of behavior is commonly observed with fileless malware or application whitelisting bypass techniques. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process \"rundll32.exe\" and its parent process.", "references": ["https://github.com/redcanaryco/AtomicTestHarnesses", "https://redcanary.com/blog/introducing-atomictestharnesses/", "https://docs.microsoft.com/en-us/windows/win32/search/-search-3x-wds-extidx-prot-implementing"], "tags": {"analytic_story": ["Living Off The Land", "NOBELIUM Group", "Suspicious MSHTA Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Suspicious rundll32.exe inline HTA execution on $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA2541", "TA551"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` (Processes.process=*vbscript* OR Processes.process=*javascript* OR Processes.process=*about*) by Processes.user Processes.process_name Processes.parent_process_name Processes.original_file_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_rundll32_inline_hta_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_rundll32_inline_hta_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect SharpHound Command-Line Arguments", "author": "Michael Haag, Splunk", "date": "2024-03-14", "version": 2, "id": "a0bdd2f6-c2ff-11eb-b918-acde48001122", "description": "The following analytic identifies common command-line arguments used by SharpHound `-collectionMethod` and `invoke-bloodhound`. Being the script is FOSS, function names may be modified, but these changes are dependent upon the operator. In most instances the defaults are used. This analytic works to identify the common command-line attributes used. It does not cover the entirety of every argument in order to avoid false positives.", "references": ["https://attack.mitre.org/software/S0521/", "https://thedfirreport.com/?s=bloodhound", "https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors", "https://github.com/BloodHoundAD/SharpHound3", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md#atomic-test-2---run-bloodhound-from-local-disk"], "tags": {"analytic_story": ["Ransomware", "Windows Discovery Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Possible SharpHound command-Line arguments identified on $dest$", "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT41", "BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Scattered Spider", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}, {"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Akira", "Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT41", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "FIN7", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "ToddyCat", "Turla", "Volt Typhoon"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN (\"*-collectionMethod*\",\"*invoke-bloodhound*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_sharphound_command_line_arguments_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited as the arguments used are specific to SharpHound. Filter as needed or add more command-line arguments as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_sharphound_command_line_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect SharpHound File Modifications", "author": "Michael Haag, Splunk", "date": "2024-03-14", "version": 3, "id": "42b4b438-beed-11eb-ba1d-acde48001122", "description": "SharpHound is used as a reconnaissance collector, ingestor, for BloodHound. SharpHound will query the domain controller and begin gathering all the data related to the domain and trusts. For output, it will drop a .zip file upon completion following a typical pattern that is often not changed. This analytic focuses on the default file name scheme. Note that this may be evaded with different parameters within SharpHound, but that depends on the operator. `-randomizefilenames` and `-encryptzip` are two examples. In addition, executing SharpHound via .exe or .ps1 without any command-line arguments will still perform activity and dump output to the default filename. Example default filename `20210601181553_BloodHound.zip`. SharpHound creates multiple temp files following the same pattern `20210601182121_computers.json`, `domains.json`, `gpos.json`, `ous.json` and `users.json`. Tuning may be required, or remove these json's entirely if it is too noisy. During traige, review parallel processes for further suspicious behavior. Typically, the process executing the `.ps1` ingestor will be PowerShell.", "references": ["https://attack.mitre.org/software/S0521/", "https://thedfirreport.com/?s=bloodhound", "https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors", "https://github.com/BloodHoundAD/SharpHound3", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md#atomic-test-2---run-bloodhound-from-local-disk"], "tags": {"analytic_story": ["Ransomware", "Windows Discovery Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Potential SharpHound file modifications identified on $dest$", "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT41", "BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Scattered Spider", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}, {"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Akira", "Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT41", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "FIN7", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "ToddyCat", "Turla", "Volt Typhoon"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*bloodhound.zip\", \"*_computers.json\", \"*_gpos.json\", \"*_domains.json\", \"*_users.json\", \"*_groups.json\", \"*_ous.json\", \"*_containers.json\") by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.user| `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_sharphound_file_modifications_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on file modifications that include the name of the process, and file, responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.", "known_false_positives": "False positives should be limited as the analytic is specific to a filename with extension .zip. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_sharphound_file_modifications_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect SharpHound Usage", "author": "Michael Haag, Splunk", "date": "2024-03-14", "version": 3, "id": "dd04b29a-beed-11eb-87bc-acde48001122", "description": "The following analytic identifies SharpHound binary usage by using the original filena,e. In addition to renaming the PE, other coverage is available to detect command-line arguments. This particular analytic looks for the original_file_name of `SharpHound.exe` and the process name. It is possible older instances of SharpHound.exe have different original filenames. Dependent upon the operator, the code may be re-compiled and the attributes removed or changed to anything else. During triage, review the metadata of the binary in question. Review parallel processes for suspicious behavior. Identify the source of this binary.", "references": ["https://attack.mitre.org/software/S0521/", "https://thedfirreport.com/?s=bloodhound", "https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors", "https://github.com/BloodHoundAD/SharpHound3", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md#atomic-test-2---run-bloodhound-from-local-disk"], "tags": {"analytic_story": ["Ransomware", "Windows Discovery Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Potential SharpHound binary identified on $dest$", "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT41", "BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Scattered Spider", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}, {"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Akira", "Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT41", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "FIN7", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "ToddyCat", "Turla", "Volt Typhoon"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=sharphound.exe OR Processes.original_file_name=SharpHound.exe) by Processes.dest Processes.user Processes.parent_process_name Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_sharphound_usage_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited as this is specific to a file attribute not used by anything else. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_sharphound_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect suspicious processnames using pretrained model in DSDL", "author": "Abhinav Mishra, Kumar Sharad and Namratha Sreekanta, Splunk", "date": "2023-01-23", "version": 1, "id": "a15f8977-ad7d-4669-92ef-b59b97219bf5", "description": "The following analytic uses a pre-trained Deep Learning model to predict whether a processname is suspicious or not. Malwares and malicious programs such as ransomware often use tactics, techniques, and procedures (TTPs) such as copying malicious files to the local machine to propagate themselves across the network. A key indicator of compromise is that after a successful execution of the malware, it copies itself as an executable file with a randomly generated filename and places this file in one of the directories. Such techniques are seen in several malwares such as TrickBot. We develop machine learning model that uses a Recurrent Neural Network (RNN) to distinguish between malicious and benign processnames. The model is trained independently and is then made available for download. We use a character level RNN to classify malicious vs. benign processnames. The higher is_malicious_prob, the more likely is the processname to be suspicious (between [0,1]). The threshold for flagging a processname as suspicious is set as 0.5.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa20-302a", "https://www.splunk.com/en_us/blog/security/random-words-on-entropy-and-dns.html"], "tags": {"analytic_story": ["Suspicious Command-Line Executions"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "The process $process$ is running from an unusual place by $user$ on $dest$ with a processname that appears to be randomly generated.", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.process_name Processes.parent_process_name Processes.process Processes.user Processes.dest | `drop_dm_object_name(Processes)` | rename process_name as text | fields text, parent_process_name, process, user, dest | apply detect_suspicious_processnames_using_pretrained_model_in_dsdl | rename predicted_label as is_suspicious_score | rename text as process_name | where is_suspicious_score > 0.5 | `detect_suspicious_processnames_using_pretrained_model_in_dsdl_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present if a suspicious processname is similar to a benign processname.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_suspicious_processnames_using_pretrained_model_in_dsdl_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Use of cmd exe to Launch Script Interpreters", "author": "Bhavin Patel, Mauricio Velazco, Splunk", "date": "2023-12-07", "version": 5, "id": "b89919ed-fe5f-492c-b139-95dbb162039e", "description": "This search looks for the execution of the cscript.exe or wscript.exe processes, with a parent of cmd.exe. The search will return the count, the first and last time this execution was seen on a machine, the user, and the destination of the machine", "references": ["https://attack.mitre.org/techniques/T1059/", "https://redcanary.com/threat-detection-report/techniques/windows-command-shell/"], "tags": {"analytic_story": ["Azorult", "Emotet Malware DHS Report TA18-201A", "Suspicious Command-Line Executions"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "cmd.exe launching script interpreters $process_name$ on $dest$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=\"cmd.exe\" (Processes.process_name=cscript.exe OR Processes.process_name =wscript.exe) by Processes.parent_process Processes.process_name Processes.process Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `detect_use_of_cmd_exe_to_launch_script_interpreters_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "This detection may also be triggered by legitimate applications and numerous service accounts, which often end with a $ sign. To manage this, it's advised to check the service account's activities and, if they are valid, modify the filter macro to exclude them.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_use_of_cmd_exe_to_launch_script_interpreters_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Webshell Exploit Behavior", "author": "Steven Dick", "date": "2023-07-10", "version": 2, "id": "22597426-6dbd-49bd-bcdc-4ec19857192f", "description": "This search is used to detect the abuse of web applications by adversaries. Adversaries may install a backdoor or script onto web servers by exploiting known vulnerabilities or misconfigruations. Web shells are used to establish persistent access to systems and provide a set of executable functions or a command-line interface on the system hosting the Web server.", "references": ["https://attack.mitre.org/techniques/T1505/003/", "https://github.com/nsacyber/Mitigating-Web-Shells", "https://www.hackingarticles.in/multiple-ways-to-exploit-tomcat-manager/"], "tags": {"analytic_story": ["BlackByte Ransomware", "CISA AA22-257A", "CISA AA22-264A", "Citrix ShareFile RCE CVE-2023-24489", "Flax Typhoon", "HAFNIUM Group", "ProxyNotShell", "ProxyShell", "SysAid On-Prem Software CVE-2023-47246 Vulnerability", "WS FTP Server Critical Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "Webshell Exploit Behavior - $parent_process_name$ spawned $process_name$ on $dest$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "APT5", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime from datamodel=Endpoint.Processes where (Processes.process_name IN (\"arp.exe\",\"at.exe\",\"bash.exe\",\"bitsadmin.exe\",\"certutil.exe\",\"cmd.exe\",\"cscript.exe\", \"dsget.exe\",\"dsquery.exe\",\"find.exe\",\"findstr.exe\",\"fsutil.exe\",\"hostname.exe\",\"ipconfig.exe\",\"ksh.exe\",\"nbstat.exe\", \"net.exe\",\"net1.exe\",\"netdom.exe\",\"netsh.exe\",\"netstat.exe\",\"nltest.exe\",\"nslookup.exe\",\"ntdsutil.exe\",\"pathping.exe\", \"ping.exe\",\"powershell.exe\",\"pwsh.exe\",\"qprocess.exe\",\"query.exe\",\"qwinsta.exe\",\"reg.exe\",\"rundll32.exe\",\"sc.exe\", \"scrcons.exe\",\"schtasks.exe\",\"sh.exe\",\"systeminfo.exe\",\"tasklist.exe\",\"tracert.exe\",\"ver.exe\",\"vssadmin.exe\", \"wevtutil.exe\",\"whoami.exe\",\"wmic.exe\",\"wscript.exe\",\"wusa.exe\",\"zsh.exe\") AND Processes.parent_process_name IN (\"w3wp.exe\", \"http*.exe\", \"nginx*.exe\", \"php*.exe\", \"php-cgi*.exe\",\"tomcat*.exe\")) by Processes.dest,Processes.user,Processes.parent_process,Processes.parent_process_name,Processes.process,Processes.process_name | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_webshell_exploit_behavior_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Legitimate OS functions called by vendor applications, baseline the environment and filter before enabling. Recommend throttle by dest/process_name", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_webshell_exploit_behavior_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect WMI Event Subscription Persistence", "author": "Michael Haag, Splunk", "date": "2021-06-16", "version": 1, "id": "01d9a0c2-cece-11eb-ab46-acde48001122", "description": "The following analytic identifies the use of WMI Event Subscription to establish persistence or perform privilege escalation. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges. This analytic is restricted by commonly added process execution and a path. If the volume is low enough, remove the values and flag on any new subscriptions.\nAll event subscriptions have three components\n1. Filter - WQL Query for the events we want. EventID equals 19\n1. Consumer - An action to take upon triggering the filter. EventID equals 20\n1. Binding - Registers a filter to a consumer. EventID equals 21\nMonitor for the creation of new WMI EventFilter, EventConsumer, and FilterToConsumerBinding. It may be pertinent to review all 3 to identify the flow of execution. In addition, EventCode 4104 may assist with any other PowerShell script usage that registered the subscription.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md", "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", "https://github.com/trustedsec/SysmonCommunityGuide/blob/master/chapters/WMI-events.md", "https://in.security/2019/04/03/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/"], "tags": {"analytic_story": ["Suspicious WMI Use"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Possible malicious WMI Subscription created on $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.003", "mitre_attack_technique": "Windows Management Instrumentation Event Subscription", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT33", "Blue Mockingbird", "FIN8", "HEXANE", "Leviathan", "Metador", "Mustang Panda", "Rancor", "Turla"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "`sysmon` EventID=20 | stats count min(_time) as firstTime max(_time) as lastTime by Computer User Destination | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_wmi_event_subscription_persistence_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with that provide WMI Event Subscription from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA and have enabled EventID 19, 20 and 21. Tune and filter known good to limit the volume.", "known_false_positives": "It is possible some applications will create a consumer and may be required to be filtered. For tuning, add any additional LOLBin's for further depth of coverage.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_wmi_event_subscription_persistence_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detection of tools built by NirSoft", "author": "Bhavin Patel, Splunk", "date": "2024-05-20", "version": 4, "id": "3d8d201c-aa03-422d-b0ee-2e5ecf9718c0", "description": "The following analytic identifies the execution of tools built by NirSoft by detecting specific command-line arguments such as \"/stext\" and \"/scomma\". It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This activity is significant because NirSoft tools, while legitimate, can be exploited by attackers for malicious purposes such as credential theft or system reconnaissance. If confirmed malicious, this activity could lead to unauthorized access, data exfiltration, or further compromise of the affected system.", "references": [], "tags": {"analytic_story": ["Emotet Malware DHS Report TA18-201A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1072", "mitre_attack_technique": "Software Deployment Tools", "mitre_attack_tactics": ["Execution", "Lateral Movement"], "mitre_attack_groups": ["APT32", "Sandworm Team", "Silence", "Threat Group-1314"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process=\"* /stext *\" OR Processes.process=\"* /scomma *\" ) by Processes.parent_process Processes.process_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `detection_of_tools_built_by_nirsoft_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "While legitimate, these NirSoft tools are prone to abuse. You should verfiy that the tool was used for a legitimate purpose.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detection_of_tools_built_by_nirsoft_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Disable AMSI Through Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2023-12-27", "version": 4, "id": "9c27ec42-d338-11eb-9044-acde48001122", "description": "this search is to identify modification in registry to disable AMSI windows feature to evade detections. This technique was seen in several ransomware, RAT and even APT to impaire defenses of the compromise machine and to be able to execute payload with minimal alert as much as possible.", "references": ["https://blog.f-secure.com/hunting-for-amsi-bypasses/", "https://gist.github.com/rxwx/8955e5abf18dc258fd6b43a3a7f4dbf9"], "tags": {"analytic_story": ["CISA AA23-347A", "Ransomware", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Disable AMSI Through Registry on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\" Registry.registry_value_data = \"0x00000000\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest Registry.user | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_amsi_through_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "network operator may disable this feature of windows but not so common.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disable_amsi_through_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Disable Defender AntiVirus Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2023-04-11", "version": 4, "id": "aa4f695a-3024-11ec-9987-acde48001122", "description": "This particular behavior is typically executed when an adversary or malware gains access to an endpoint and begins to perform execution and to evade detections. Usually, a batch (.bat) file will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. Endpoint should be isolated.", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/"], "tags": {"analytic_story": ["IcedID", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Modified/added/deleted registry entry $registry_path$ in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\Policies\\\\Microsoft\\\\Windows Defender*\" Registry.registry_value_name IN (\"DisableAntiSpyware\",\"DisableAntiVirus\") Registry.registry_value_data = 0x00000001) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.user Registry.dest | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_antivirus_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin or user may choose to disable windows defender product", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disable_defender_antivirus_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Disable Defender BlockAtFirstSeen Feature", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2023-12-27", "version": 4, "id": "2dd719ac-3021-11ec-97b4-acde48001122", "description": "This analytic is intended to detect a suspicious modification of the Windows registry to disable a Windows Defender feature. This technique is intended to bypass or evade detection from Windows Defender AV, specifically the BlockAtFirstSeen feature where it blocks suspicious files the first time seen on the host.", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/"], "tags": {"analytic_story": ["Azorult", "CISA AA23-347A", "IcedID", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "modified/added/deleted registry entry $registry_path$ in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\Microsoft\\\\Windows Defender\\\\SpyNet*\" Registry.registry_value_name = DisableBlockAtFirstSeen Registry.registry_value_data = 0x00000001) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.user Registry.dest | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_blockatfirstseen_feature_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin or user may choose to disable windows defender product", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disable_defender_blockatfirstseen_feature_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Disable Defender Enhanced Notification", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2023-12-27", "version": 3, "id": "dc65678c-301f-11ec-8e30-acde48001122", "description": "This analytic is intended to detect a suspicious modification of registry to disable windows defender features. This technique attempts to bypass or evade detection from Windows Defender AV, specifically the Enhanced Notification feature where a user or admin would receive alerts.", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/"], "tags": {"analytic_story": ["Azorult", "CISA AA23-347A", "IcedID", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "modified/added/deleted registry entry $registry_path$ in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*Microsoft\\\\Windows Defender\\\\Reporting*\" Registry.registry_value_name = DisableEnhancedNotifications Registry.registry_value_data = 0x00000001) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_antivirus_registry_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "user may choose to disable windows defender AV", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disable_defender_enhanced_notification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Disable Defender MpEngine Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2023-04-11", "version": 4, "id": "cc391750-3024-11ec-955a-acde48001122", "description": "This particular behavior is typically executed when an adversary or malware gains access to an endpoint and begins to perform execution and to evade detections. Usually, a batch (.bat) file will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. Endpoint should be isolated.", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/"], "tags": {"analytic_story": ["IcedID", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Modified/added/deleted registry entry $registry_path$ in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\MpEngine*\" Registry.registry_value_name = MpEnablePus Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.user Registry.dest | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_mpengine_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin or user may choose to disable windows defender product", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disable_defender_mpengine_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Disable Defender Spynet Reporting", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-07", "version": 5, "id": "898debf4-3021-11ec-ba7c-acde48001122", "description": "The following analytic detects the modification of the registry to disable Windows Defender SpyNet reporting. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path associated with Windows Defender SpyNet settings. This activity is significant because disabling SpyNet reporting can prevent Windows Defender from sending telemetry data, potentially allowing malicious activities to go undetected. If confirmed malicious, this action could enable an attacker to evade detection, maintain persistence, and carry out further attacks without being flagged by Windows Defender.", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/"], "tags": {"analytic_story": ["Azorult", "CISA AA23-347A", "IcedID", "Qakbot", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "modified/added/deleted registry entry $registry_path$ in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\Microsoft\\\\Windows Defender\\\\SpyNet*\" Registry.registry_value_name = SpynetReporting Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.user Registry.dest | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_spynet_reporting_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin or user may choose to disable windows defender product", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disable_defender_spynet_reporting_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Disable Defender Submit Samples Consent Feature", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2023-12-27", "version": 4, "id": "73922ff8-3022-11ec-bf5e-acde48001122", "description": "This analytic is intended to detect a suspicious modification of the Windows registry to disable a Windows Defender feature. This technique is intended to bypass or evade detection from Windows Defender AV, specifically the feature that submits samples for further analysis.", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/"], "tags": {"analytic_story": ["Azorult", "CISA AA23-347A", "IcedID", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "modified/added/deleted registry entry $registry_path$ in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\Microsoft\\\\Windows Defender\\\\SpyNet*\" Registry.registry_value_name = SubmitSamplesConsent Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.user Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_submit_samples_consent_feature_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin or user may choose to disable windows defender product", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disable_defender_submit_samples_consent_feature_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Disable ETW Through Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2023-12-27", "version": 4, "id": "f0eacfa4-d33f-11eb-8f9d-acde48001122", "description": "This search is to identify modification in registry to disable ETW windows feature to evade detections. This technique was seen in several ransomware, RAT and even APT to impaire defenses of the compromise machine and to be able to execute payload with minimal alert as much as possible.", "references": ["https://app.any.run/tasks/c0f98850-af65-4352-9746-fbebadee4f05/"], "tags": {"analytic_story": ["CISA AA23-347A", "Ransomware", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Disable ETW Through Registry on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\.NETFramework\\\\ETWEnabled\" Registry.registry_value_data = \"0x00000000\") BY _time span=1h Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_etw_through_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "network operator may disable this feature of windows but not so common.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disable_etw_through_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Disable Logs Using WevtUtil", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 2, "id": "236e7c8e-c9d9-11eb-a824-acde48001122", "description": "The following analytic detects the execution of \"wevtutil.exe\" with parameters to disable event logs. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because disabling event logs is a common tactic used by ransomware to evade detection and hinder forensic investigations. If confirmed malicious, this action could allow attackers to operate undetected, making it difficult to trace their activities and respond effectively to the incident.", "references": ["https://www.bleepingcomputer.com/news/security/new-ransom-x-ransomware-used-in-texas-txdot-cyberattack/"], "tags": {"analytic_story": ["CISA AA23-347A", "Ransomware", "Rhysida Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "WevtUtil.exe used to disable Event Logging on $dest", "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}, {"mitre_attack_id": "T1070.001", "mitre_attack_technique": "Clear Windows Event Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "APT38", "APT41", "Chimera", "Dragonfly", "FIN5", "FIN8", "Indrik Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"wevtutil.exe\" Processes.process = \"*sl*\" Processes.process = \"*/e:false*\" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_logs_using_wevtutil_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "network operator may disable audit event logs for debugging purposes.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disable_logs_using_wevtutil_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Disable Registry Tool", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-04-26", "version": 5, "id": "cd2cf33c-9201-11eb-a10a-acde48001122", "description": "This search identifies modification of registry to disable the regedit or registry tools of the windows operating system. Since registry tool is a swiss knife in analyzing registry, malware such as RAT or trojan Spy disable this application to prevent the removal of their registry entry such as persistence, file less components and defense evasion.", "references": ["https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry"], "tags": {"analytic_story": ["NjRAT", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Disabled Registry Tools on $dest$", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableRegistryTools\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.user Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_registry_tool_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin may disable this application for non technical user.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disable_registry_tool_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Disable Schedule Task", "author": "Teoderick Contreras, Splunk", "date": "2021-10-18", "version": 1, "id": "db596056-3019-11ec-a9ff-acde48001122", "description": "This analytic is to detect a suspicious commandline to disable existing schedule task. This technique is used by adversaries or commodity malware like IcedID to disable security application (AV products) in the targetted host to evade detections. This TTP is a good pivot to check further why and what other process run before and after this detection. check which process execute the commandline and what task is disabled. parent child process is quite valuable in this scenario too.", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/"], "tags": {"analytic_story": ["IcedID", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "schtask process with commandline $process$ to disable schedule task in $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe Processes.process=*/change* Processes.process=*/disable* by Processes.user Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_schedule_task_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "admin may disable problematic schedule task", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disable_schedule_task_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Disable Security Logs Using MiniNt Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2023-12-27", "version": 4, "id": "39ebdc68-25b9-11ec-aec7-acde48001122", "description": "This analytic is to detect a suspicious registry modification to disable security audit logs. This technique was shared by a researcher to disable Security logs of windows by adding this registry. The Windows will think it is WinPE and will not log any event to the Security Log", "references": ["https://twitter.com/0gtweet/status/1182516740955226112"], "tags": {"analytic_story": ["CISA AA23-347A", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Modified/added/deleted registry entry $registry_path$ in $dest$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\Control\\\\MiniNt\\\\*\") BY _time span=1h Registry.user Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_security_logs_using_minint_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "Unknown.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disable_security_logs_using_minint_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Disable Show Hidden Files", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-02-14", "version": 5, "id": "6f3ccfa2-91fe-11eb-8f9b-acde48001122", "description": "The following analytic is to identify a modification in the Windows registry to prevent users from seeing all the files with hidden attributes. This event or techniques are known on some worm and trojan spy malware that will drop hidden files on the infected machine.", "references": ["https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/W32~Tiotua-P/detailed-analysis"], "tags": {"analytic_story": ["Azorult", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Disabled 'Show Hidden Files' on $dest$", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1564.001", "mitre_attack_technique": "Hidden Files and Directories", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "FIN13", "HAFNIUM", "Lazarus Group", "LuminousMoth", "Mustang Panda", "Rocke", "Transparent Tribe", "Tropic Trooper"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1564", "mitre_attack_technique": "Hide Artifacts", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\Hidden\" OR (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\HideFileExt\" Registry.registry_value_data = \"0x00000001\") OR (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowSuperHidden\" Registry.registry_value_data = \"0x00000000\" )) BY _time span=1h Registry.user Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_show_hidden_files_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disable_show_hidden_files_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Disable UAC Remote Restriction", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2023-12-27", "version": 4, "id": "9928b732-210e-11ec-b65e-acde48001122", "description": "This analytic is to detect a suspicious modification of registry to disable UAC remote restriction. This technique was well documented in Microsoft page where attacker may modify this registry value to bypassed UAC feature of windows host. This is a good indicator that some tries to bypassed UAC to suspicious process or gain privilege escalation.", "references": ["https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/user-account-control-and-remote-restriction"], "tags": {"analytic_story": ["CISA AA23-347A", "Suspicious Windows Registry Activities", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Modified/added/deleted registry entry $registry_path$ in $dest$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\CurrentVersion\\\\Policies\\\\System*\" Registry.registry_value_name=\"LocalAccountTokenFilterPolicy\" Registry.registry_value_data=\"0x00000001\" ) BY _time span=1h Registry.user Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_uac_remote_restriction_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin may set this policy for non-critical machine.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disable_uac_remote_restriction_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Disable Windows App Hotkeys", "author": "Steven Dick, Teoderick Contreras, Splunkk", "date": "2023-04-27", "version": 4, "id": "1490f224-ad8b-11eb-8c4f-acde48001122", "description": "The following analytic detects a suspicious registry modification to disable Windows hotkey (shortcut keys) for native Windows applications. This technique is commonly used to disable certain or several Windows applications like `taskmgr.exe` and `cmd.exe`. This technique is used to impair the analyst in analyzing and removing the attacker implant in compromised systems.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"analytic_story": ["Windows Registry Abuse", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Disabled 'Windows App Hotkeys' on $dest$", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\" AND Registry.registry_value_data= \"HotKey Disabled\" AND Registry.registry_value_name = \"Debugger\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_windows_app_hotkeys_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disable_windows_app_hotkeys_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Disable Windows Behavior Monitoring", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-18", "version": 6, "id": "79439cae-9200-11eb-a4d3-acde48001122", "description": "The following analytic identifies modifications in the registry to disable Windows Defender's real-time behavior monitoring. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths associated with Windows Defender settings. This activity is significant because disabling real-time protection is a common tactic used by malware such as RATs, bots, or Trojans to evade detection. If confirmed malicious, this action could allow an attacker to execute code, escalate privileges, or persist in the environment without being detected by antivirus software.", "references": ["https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html"], "tags": {"analytic_story": ["Azorult", "CISA AA23-347A", "Ransomware", "RedLine Stealer", "Revil Ransomware", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender real time behavior monitoring disabled on $dest", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableBehaviorMonitoring\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableOnAccessProtection\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableScanOnRealtimeEnable\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableRealtimeMonitoring\" OR Registry.registry_path= \"*\\\\Real-Time Protection\\\\DisableIntrusionPreventionSystem\" OR Registry.registry_path= \"*\\\\Real-Time Protection\\\\DisableIOAVProtection\" OR Registry.registry_path= \"*\\\\Real-Time Protection\\\\DisableScriptScanning\" AND Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_windows_behavior_monitoring_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin or user may choose to disable this windows features.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disable_windows_behavior_monitoring_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Disable Windows SmartScreen Protection", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-02-14", "version": 5, "id": "664f0fd0-91ff-11eb-a56f-acde48001122", "description": "The following search identifies a modification of registry to disable the smartscreen protection of windows machine. This is windows feature provide an early warning system against website that might engage in phishing attack or malware distribution. This modification are seen in RAT malware to cover their tracks upon downloading other of its component or other payload.", "references": ["https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html"], "tags": {"analytic_story": ["CISA AA23-347A", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The Windows Smartscreen was disabled on $dest$ by $user$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE Registry.registry_path IN (\"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\SmartScreenEnabled\", \"*\\\\Microsoft\\\\Windows\\\\System\\\\EnableSmartScreen\") Registry.registry_value_data IN (\"Off\", \"0\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_windows_smartscreen_protection_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin or user may choose to disable this windows features.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disable_windows_smartscreen_protection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Disabled Kerberos Pre-Authentication Discovery With Get-ADUser", "author": "Mauricio Velazco, Splunk", "date": "2023-12-27", "version": 2, "id": "114c6bfe-9406-11ec-bcce-acde48001122", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-ADUser` commandlet with specific parameters. `Get-ADUser` is part of the Active Directory PowerShell module used to manage Windows Active Directory networks. As the name suggests, `Get-ADUser` is used to query for domain users. With the appropiate parameters, Get-ADUser allows adversaries to discover domain accounts with Kerberos Pre Authentication disabled.\\ Red Teams and adversaries alike use may abuse Get-ADUSer to enumerate these accounts and attempt to crack their passwords offline.", "references": ["https://attack.mitre.org/techniques/T1558/004/", "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", "https://stealthbits.com/blog/cracking-active-directory-passwords-with-as-rep-roasting/"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Disabled Kerberos Pre-Authentication Discovery With Get-ADUser from $dest$", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1558.004", "mitre_attack_technique": "AS-REP Roasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}]}, "type": "TTP", "search": " `powershell` EventCode=4104 (ScriptBlockText = \"*Get-ADUser*\" AND ScriptBlockText=\"*4194304*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | `security_content_ctime(firstTime)` | `disabled_kerberos_pre_authentication_discovery_with_get_aduser_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use search for accounts with Kerberos Pre Authentication disabled for legitimate purposes.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "disabled_kerberos_pre_authentication_discovery_with_get_aduser_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Disabled Kerberos Pre-Authentication Discovery With PowerView", "author": "Mauricio Velazco, Splunk", "date": "2022-05-03", "version": 2, "id": "b0b34e2c-90de-11ec-baeb-acde48001122", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainUser` commandlet with specific parameters. `Get-DomainUser` is part of PowerView, a PowerShell tool used to perform enumeration on Windows Active Directory networks. As the name suggests, `Get-DomainUser` is used to identify domain users and combining it with `-PreauthNotRequired` allows adversaries to discover domain accounts with Kerberos Pre Authentication disabled.\nRed Teams and adversaries alike use may leverage PowerView to enumerate these accounts and attempt to crack their passwords offline.", "references": ["https://attack.mitre.org/techniques/T1558/004/", "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", "https://stealthbits.com/blog/cracking-active-directory-passwords-with-as-rep-roasting/"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Disabled Kerberos Pre-Authentication Discovery With PowerView from $dest$", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1558.004", "mitre_attack_technique": "AS-REP Roasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}]}, "type": "TTP", "search": " `powershell` EventCode=4104 (ScriptBlockText = \"*Get-DomainUser*\" AND ScriptBlockText=\"*PreauthNotRequired*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | `security_content_ctime(firstTime)` | `disabled_kerberos_pre_authentication_discovery_with_powerview_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use PowerView for troubleshooting", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "disabled_kerberos_pre_authentication_discovery_with_powerview_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Disabling CMD Application", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-04-26", "version": 5, "id": "ff86077c-9212-11eb-a1e6-acde48001122", "description": "This search is to identify modification in registry to disable cmd prompt application. This technique is commonly seen in RAT, Trojan or WORM to prevent triaging or deleting there samples through cmd application which is one of the tool of analyst to traverse on directory and files.", "references": ["https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry"], "tags": {"analytic_story": ["NjRAT", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The Windows command prompt was disabled on $dest$ by $user$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\DisableCMD\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_cmd_application_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin may disable this application for non technical user.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disabling_cmd_application_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Disabling ControlPanel", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-18", "version": 6, "id": "6ae0148e-9215-11eb-a94a-acde48001122", "description": "The following analytic detects registry modifications that disable the Control Panel on Windows systems. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoControlPanel\" with a value of \"0x00000001\". This activity is significant as it is commonly used by malware to prevent users from accessing the Control Panel, thereby hindering the removal of malicious artifacts and persistence mechanisms. If confirmed malicious, this could allow attackers to maintain control over the infected machine and prevent remediation efforts.", "references": ["https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The Windows Control Panel was disabled on $dest$ by $user$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoControlPanel\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_controlpanel_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin may disable this application for non technical user.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disabling_controlpanel_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Disabling Defender Services", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2023-04-27", "version": 4, "id": "911eacdc-317f-11ec-ad30-acde48001122", "description": "This particular behavior is typically executed when an adversaries or malware gains access to an endpoint and beings to perform execution and to evade detections. Usually, a batch (.bat) will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. Endpoint should be isolated.", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/"], "tags": {"analytic_story": ["IcedID", "RedLine Stealer", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "modified/added/deleted registry entry $registry_path$ in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\System\\\\CurrentControlSet\\\\Services\\\\*\" AND (Registry.registry_path IN(\"*WdBoot*\", \"*WdFilter*\", \"*WdNisDrv*\", \"*WdNisSvc*\",\"*WinDefend*\", \"*SecurityHealthService*\")) AND Registry.registry_value_name = Start Registry.registry_value_data = 0x00000004) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_defender_services_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin or user may choose to disable windows defender product", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disabling_defender_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Disabling Firewall with Netsh", "author": "Teoderick Contreras, Splunk", "date": "2024-05-04", "version": 4, "id": "6860a62c-9203-11eb-9e05-acde48001122", "description": "The following analytic identifies the disabling of the firewall using the netsh application. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that include keywords like \"firewall,\" \"off,\" or \"disable.\" This activity is significant because disabling the firewall can expose the system to external threats, allowing malware to communicate with its command and control (C2) server. If confirmed malicious, this action could lead to unauthorized data exfiltration, further malware downloads, and broader network compromise.", "references": ["https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html"], "tags": {"analytic_story": ["BlackByte Ransomware", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The Windows Firewall was disabled on $dest$ by $user$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh` Processes.process= \"*firewall*\" (Processes.process= \"*off*\" OR Processes.process= \"*disable*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_firewall_with_netsh_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "admin may disable firewall during testing or fixing network problem.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_netsh", "definition": "(Processes.process_name=netsh.exe OR Processes.original_file_name=netsh.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disabling_firewall_with_netsh_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Disabling FolderOptions Windows Feature", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-04-26", "version": 5, "id": "83776de4-921a-11eb-868a-acde48001122", "description": "This search is to identify registry modification to disable folder options feature of windows to show hidden files, file extension and etc. This technique used by malware in combination if disabling show hidden files feature to hide their files and also to hide the file extension to lure the user base on file icons or fake file extensions.", "references": ["https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry"], "tags": {"analytic_story": ["CISA AA23-347A", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The Windows Folder Options, to hide files, was disabled on $dest$ by $user$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoFolderOptions\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_folderoptions_windows_feature_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin may disable this application for non technical user.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disabling_folderoptions_windows_feature_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Disabling Net User Account", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 3, "id": "c0325326-acd6-11eb-98c2-acde48001122", "description": "The following analytic detects the use of the `net.exe` utility to disable a user account via the command line. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant as it may indicate an adversary's attempt to disrupt user availability, potentially as a precursor to further malicious actions. If confirmed malicious, this could lead to denial of service for legitimate users, aiding the attacker in maintaining control or covering their tracks.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"analytic_story": ["XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified disabling a user account on endpoint $dest$ by user $user$.", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1531", "mitre_attack_technique": "Account Access Removal", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Akira", "LAPSUS$"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND Processes.process=\"*user*\" AND Processes.process=\"*/active:no*\" by Processes.process_name Processes.original_file_name Processes.dest Processes.user Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_net_user_account_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disabling_net_user_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Disabling NoRun Windows App", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-04-26", "version": 5, "id": "de81bc46-9213-11eb-adc9-acde48001122", "description": "This search is to identify modification of registry to disable run application in window start menu. this application is known to be a helpful shortcut to windows OS user to run known application and also to execute some reg or batch script. This technique is used malware to make cleaning of its infection more harder by preventing known application run easily through run shortcut.", "references": ["https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry", "https://blog.malwarebytes.com/detections/pum-optional-norun/"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The Windows registry was modified to disable run application in window start menu on $dest$ by $user$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoRun\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_norun_windows_app_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin may disable this application for non technical user.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disabling_norun_windows_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Disabling Remote User Account Control", "author": "David Dorsey, Patrick Bareiss, Splunk", "date": "2024-05-18", "version": 5, "id": "bbc644bc-37df-4e1a-9c88-ec9a53e2038c", "description": "The following analytic identifies modifications to the registry key that controls the enforcement of Windows User Account Control (UAC). It detects changes to the registry path `HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA` where the value is set to `0x00000000`. This activity is significant because disabling UAC can allow unauthorized changes to the system without user consent, potentially leading to privilege escalation. If confirmed malicious, an attacker could gain elevated privileges, making it easier to execute further attacks or maintain persistence within the environment.", "references": [], "tags": {"analytic_story": ["AgentTesla", "Azorult", "Remcos", "Suspicious Windows Registry Activities", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The Windows registry keys that control the enforcement of Windows User Account Control (UAC) were modified on $dest$ by $user$.", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path=*HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA* Registry.registry_value_data=\"0x00000000\" by Registry.dest, Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action | `drop_dm_object_name(Registry)` | `disabling_remote_user_account_control_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or via other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report registry modifications.", "known_false_positives": "This registry key may be modified via administrators to implement a change in system policy. This type of change should be a very rare occurrence.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disabling_remote_user_account_control_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Disabling SystemRestore In Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-02-14", "version": 5, "id": "f4f837e2-91fb-11eb-8bf6-acde48001122", "description": "The following search identifies the modification of registry related in disabling the system restore of a machine. This event or behavior are seen in some RAT malware to make the restore of the infected machine difficult and keep their infection on the box.", "references": ["https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html"], "tags": {"analytic_story": ["NjRAT", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The Windows registry was modified to disable system restore on $dest$ by $user$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SystemRestore\\\\DisableSR\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SystemRestore\\\\DisableConfig\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\SystemRestore\\\\DisableSR\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\SystemRestore\\\\DisableConfig\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_systemrestore_in_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "in some cases admin can disable systemrestore on a machine.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disabling_systemrestore_in_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Disabling Task Manager", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-04-26", "version": 5, "id": "dac279bc-9202-11eb-b7fb-acde48001122", "description": "This search is to identifies modification of registry to disable the task manager of windows operating system. this event or technique are commonly seen in malware such as RAT, Trojan, TrojanSpy or worm to prevent the user to terminate their process.", "references": ["https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry", "https://blog.talosintelligence.com/2020/05/threat-roundup-0424-0501.html"], "tags": {"analytic_story": ["NjRAT", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The Windows Task Manager was disabled on $dest$ by $user$.", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableTaskMgr\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_task_manager_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin may disable this application for non technical user.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disabling_task_manager_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Disabling Windows Local Security Authority Defences via Registry", "author": "Dean Luxton", "date": "2024-05-19", "version": 3, "id": "45cd08f8-a2c9-4f4e-baab-e1a0c624b0ab", "description": "The following analytic identifies the deletion of registry keys that disable Local Security Authority (LSA) protection and Microsoft Defender Device Guard. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on registry actions and paths associated with LSA and Device Guard settings. This activity is significant because disabling these defenses can leave a system vulnerable to various attacks, including credential theft and unauthorized code execution. If confirmed malicious, this action could allow attackers to bypass critical security mechanisms, leading to potential system compromise and persistent access.", "references": ["https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection", "https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An attempt to disable Windows LSA defences was detected on $dest$. The reg key $registry_path$ was deleted by $user$.", "risk_score": 60, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["FIN13"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` min(_time) as _time from datamodel=Endpoint.Registry where Registry.registry_path IN (\"*\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\LsaCfgFlags\", \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\DeviceGuard\\\\*\", \"*\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\RunAsPPL\") Registry.action IN (deleted, unknown) by Registry.action Registry.registry_path Registry.process_guid Registry.dest Registry.user| `drop_dm_object_name(Registry)` | join type=outer process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes by Processes.user Processes.process_name Processes.process Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)`] | table _time action dest user parent_process_name parent_process process_name process process_guid registry_path | `disabling_windows_local_security_authority_defences_via_registry_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Potential to be triggered by an administrator disabling protections for troubleshooting purposes.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disabling_windows_local_security_authority_defences_via_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "DLLHost with no Command Line Arguments with Network", "author": "Steven Dick, Michael Haag, Splunk", "date": "2023-07-10", "version": 4, "id": "f1c07594-a141-11eb-8407-acde48001122", "description": "The following analytic identifies DLLHost.exe with no command line arguments with a network connection. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, triage any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", "references": ["https://raw.githubusercontent.com/threatexpress/malleable-c2/c3385e481159a759f79b8acfe11acf240893b830/jquery-c2.4.2.profile", "https://www.cobaltstrike.com/blog/learn-pipe-fitting-for-all-of-your-offense-projects/"], "tags": {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_image", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "The process $process_name$ was spawned by $parent_process_name$ without any command-line arguments on $src$ by $user$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_name=dllhost.exe Processes.action!=\"blocked\" by host _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(dllhost\\.exe.{0,4}$)\" | rename dest as src | join host process_id [| tstats `security_content_summariesonly` count latest(All_Traffic.dest) as dest latest(All_Traffic.dest_ip) as dest_ip latest(All_Traffic.dest_port) as dest_port FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by host All_Traffic.process_id | `drop_dm_object_name(All_Traffic)`] | `dllhost_with_no_command_line_arguments_with_network_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate third party applications may use a moved copy of dllhost, triggering a false positive.", "datamodel": ["Endpoint", "Network_Traffic"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "dllhost_with_no_command_line_arguments_with_network_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "DNS Exfiltration Using Nslookup App", "author": "Teoderick Contreras, Splunk", "date": "2021-04-15", "version": 1, "id": "2452e632-9e0d-11eb-bacd-acde48001122", "description": "this search is to detect potential DNS exfiltration using nslookup application. This technique are seen in couple of malware and APT group to exfiltrated collected data in a infected machine or infected network. This detection is looking for unique use of nslookup where it tries to use specific record type, TXT, A, AAAA, that are commonly used by attacker and also the retry parameter which is designed to query C2 DNS multiple tries.", "references": ["https://www.mandiant.com/resources/fin7-spear-phishing-campaign-targets-personnel-involved-sec-filings", "https://www.varonis.com/blog/dns-tunneling", "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/"], "tags": {"analytic_story": ["Command And Control", "Data Exfiltration", "Dynamic DNS", "Suspicious DNS Traffic"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ performing activity related to DNS exfiltration.", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id values(Processes.parent_process) as parent_process count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"nslookup.exe\" Processes.process = \"*-querytype=*\" OR Processes.process=\"*-qt=*\" OR Processes.process=\"*-q=*\" OR Processes.process=\"-type=*\" OR Processes.process=\"*-retry=*\" by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dns_exfiltration_using_nslookup_app_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "admin nslookup usage", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "dns_exfiltration_using_nslookup_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Domain Account Discovery with Dsquery", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2021-08-24", "version": 1, "id": "b1a8ce04-04c2-11ec-bea7-acde48001122", "description": "This analytic looks for the execution of `dsquery.exe` with command-line arguments utilized to discover domain users. The `user` argument returns a list of all users registered in the domain. Red Teams and adversaries alike engage in remote system discovery for situational awareness and Active Directory Discovery.", "references": ["https://jpcertcc.github.io/ToolAnalysisResultSheet/details/dsquery.htm", "https://attack.mitre.org/techniques/T1087/002/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "message": "an instance of process $process_name$ with commandline $process$ in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT41", "BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Scattered Spider", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=\"dsquery.exe\" AND Processes.process = \"*user*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_account_discovery_with_dsquery_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "domain_account_discovery_with_dsquery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Domain Account Discovery With Net App", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2023-06-13", "version": 1, "id": "98f6a534-04c2-11ec-96b2-acde48001122", "description": "This analytic looks for the execution of `net.exe` or `net1.exe` with command-line arguments utilized to query for domain users. Red Teams and adversaries alike may use net.exe to enumerate domain users for situational awareness and Active Directory Discovery.", "references": ["https://docs.microsoft.com/en-us/defender-for-identity/playbook-domain-dominance", "https://attack.mitre.org/techniques/T1087/002/"], "tags": {"analytic_story": ["Active Directory Discovery", "Graceful Wipe Out Attack", "Rhysida Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "message": "an instance of process $process_name$ with commandline $process$ in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT41", "BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Scattered Spider", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND Processes.process = \"* user*\" AND Processes.process = \"*/do*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_account_discovery_with_net_app_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "domain_account_discovery_with_net_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Domain Account Discovery with Wmic", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2024-05-11", "version": 2, "id": "383572e0-04c5-11ec-bdcc-acde48001122", "description": "The following analytic detects the execution of `wmic.exe` with command-line arguments used to query for domain users. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line patterns indicative of domain account discovery. This activity is significant as it often precedes lateral movement or privilege escalation attempts by adversaries. If confirmed malicious, this behavior could allow attackers to map out user accounts within the domain, facilitating further attacks and potentially compromising sensitive information.", "references": ["https://attack.mitre.org/techniques/T1087/002/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "message": "an instance of process $process_name$ with commandline $process$ in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT41", "BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Scattered Spider", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=\"wmic.exe\" AND Processes.process = \"*/NAMESPACE:\\\\\\\\root\\\\directory\\\\ldap*\" AND Processes.process = \"*ds_user*\" AND Processes.process = \"*GET*\" AND Processes.process = \"*ds_samaccountname*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_account_discovery_with_wmic_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "domain_account_discovery_with_wmic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Domain Controller Discovery with Nltest", "author": "Mauricio Velazco, Splunk", "date": "2023-12-27", "version": 1, "id": "41243735-89a7-4c83-bcdd-570aa78f00a1", "description": "This analytic looks for the execution of `nltest.exe` with command-line arguments utilized to discover remote systems. The arguments `/dclist:` and '/dsgetdc:', can be used to return a list of all domain controllers. Red Teams and adversaries alike may use nltest.exe to identify domain controllers in a Windows Domain for situational awareness and Active Directory Discovery.", "references": ["https://attack.mitre.org/techniques/T1018/"], "tags": {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A", "Rhysida Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Domain controller discovery on $dest$ by $user$", "risk_score": 21, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Akira", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Scattered Spider", "Silence", "Threat Group-3390", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"nltest.exe\") (Processes.process=\"*/dclist:*\" OR Processes.process=\"*/dsgetdc:*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_controller_discovery_with_nltest_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "domain_controller_discovery_with_nltest_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Domain Controller Discovery with Wmic", "author": "Mauricio Velazco, Splunk", "date": "2021-09-01", "version": 1, "id": "64c7adaa-48ee-483c-b0d6-7175bc65e6cc", "description": "This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to discover remote systems. The arguments utilized in this command line return a list of all domain controllers in a Windows domain. Red Teams and adversaries alike use *.exe to identify remote systems for situational awareness and Active Directory Discovery.", "references": ["https://attack.mitre.org/techniques/T1018/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Domain controller discovery on $dest$ by $user$", "risk_score": 21, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Akira", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Scattered Spider", "Silence", "Threat Group-3390", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"wmic.exe\") (Processes.process=\"\" OR Processes.process=\"*DomainControllerAddress*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_controller_discovery_with_wmic_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "domain_controller_discovery_with_wmic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Domain Group Discovery with Adsisearcher", "author": "Mauricio Velazco, Splunk", "date": "2024-04-26", "version": 2, "id": "089c862f-5f83-49b5-b1c8-7e4ff66560c7", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain groups. Red Teams and adversaries may leverage `[Adsisearcher]` to enumerate domain groups for situational awareness and Active Directory Discovery.", "references": ["https://attack.mitre.org/techniques/T1069/002/", "https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Domain group discovery enumeration using PowerShell on $dest$ by $user$", "risk_score": 18, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "FIN7", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "ToddyCat", "Turla", "Volt Typhoon"]}]}, "type": "TTP", "search": "`powershell` (ScriptBlockText = \"*[adsisearcher]*\" AND ScriptBlockText = \"*(objectcategory=group)*\" AND ScriptBlockText = \"*findAll()*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest |rename UserID as user | `security_content_ctime(firstTime)` | `domain_group_discovery_with_adsisearcher_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use Adsisearcher for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "domain_group_discovery_with_adsisearcher_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Domain Group Discovery With Dsquery", "author": "Mauricio Velazco, Splunk", "date": "2021-09-01", "version": 1, "id": "f0c9d62f-a232-4edd-b17e-bc409fb133d4", "description": "This analytic looks for the execution of `dsquery.exe` with command-line arguments utilized to query for domain groups. The argument `group`, returns a list of all domain groups. Red Teams and adversaries alike use may leverage dsquery.exe to enumerate domain groups for situational awareness and Active Directory Discovery.", "references": ["https://attack.mitre.org/techniques/T1069/002/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Domain group discovery enumeration on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "FIN7", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "ToddyCat", "Turla", "Volt Typhoon"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"dsquery.exe\") (Processes.process=\"*group*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_group_discovery_with_dsquery_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "domain_group_discovery_with_dsquery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Domain Group Discovery With Net", "author": "Mauricio Velazco, Splunk", "date": "2023-06-13", "version": 1, "id": "f2f14ac7-fa81-471a-80d5-7eb65c3c7349", "description": "This analytic looks for the execution of `net.exe` with command-line arguments utilized to query for domain groups. The argument `group /domain`, returns a list of all domain groups. Red Teams and adversaries alike use net.exe to enumerate domain groups for situational awareness and Active Directory Discovery.", "references": ["https://attack.mitre.org/techniques/T1069/002/"], "tags": {"analytic_story": ["Active Directory Discovery", "Graceful Wipe Out Attack", "Prestige Ransomware", "Rhysida Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Domain group discovery enumeration on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "FIN7", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "ToddyCat", "Turla", "Volt Typhoon"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"net.exe\" OR Processes.process_name=\"net1.exe\") (Processes.process=*group* AND Processes.process=*/do*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_group_discovery_with_net_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "domain_group_discovery_with_net_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Domain Group Discovery With Wmic", "author": "Mauricio Velazco, Splunk", "date": "2021-08-25", "version": 1, "id": "a87736a6-95cd-4728-8689-3c64d5026b3e", "description": "This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to query for domain groups. The arguments utilized in this command return a list of all domain groups. Red Teams and adversaries alike use wmic.exe to enumerate domain groups for situational awareness and Active Directory Discovery.", "references": ["https://attack.mitre.org/techniques/T1069/002/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Domain group discovery enumeration on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "FIN7", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "ToddyCat", "Turla", "Volt Typhoon"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"wmic.exe\") (Processes.process=*/NAMESPACE:\\\\\\\\root\\\\directory\\\\ldap* AND Processes.process=*ds_group* AND Processes.process=\"*GET ds_samaccountname*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_group_discovery_with_wmic_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "domain_group_discovery_with_wmic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Download Files Using Telegram", "author": "Teoderick Contreras, Splunk", "date": "2021-05-06", "version": 1, "id": "58194e28-ae5e-11eb-8912-acde48001122", "description": "The following analytic will identify a suspicious download by the Telegram application on a Windows system. This behavior was identified on a honeypot where the adversary gained access, installed Telegram and followed through with downloading different network scanners (port, bruteforcer, masscan) to the system and later used to mapped the whole network and further move laterally.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"analytic_story": ["Phemedrone Stealer", "Snake Keylogger", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Suspicious files were downloaded with the Telegram application on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}]}, "type": "TTP", "search": "`sysmon` EventCode= 15 process_name = \"telegram.exe\" TargetFilename = \"*:Zone.Identifier\" |stats count min(_time) as firstTime max(_time) as lastTime by dest EventCode process_name process_id TargetFilename Hash | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `download_files_using_telegram_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and TargetFilename from your endpoints or Events that monitor filestream events which is happened when process download something. (EventCode 15) If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "normal download of file in telegram app. (if it was a common app in network)", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "download_files_using_telegram_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Drop IcedID License dat", "author": "Teoderick Contreras, Splunk", "date": "2021-07-30", "version": 1, "id": "b7a045fc-f14a-11eb-8e79-acde48001122", "description": "This search is to detect dropping a suspicious file named as \"license.dat\" in %appdata%. This behavior seen in latest IcedID malware that contain the actual core bot that will be injected in other process to do banking stealing.", "references": ["https://www.cisecurity.org/insights/white-papers/security-primer-icedid"], "tags": {"analytic_story": ["IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "A process $process_name$ created a file $TargetFilename$ on host $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "type": "Hunting", "search": "`sysmon` EventCode= 11 TargetFilename = \"*\\\\license.dat\" AND (TargetFilename=\"*\\\\appdata\\\\*\" OR TargetFilename=\"*\\\\programdata\\\\*\") |stats count min(_time) as firstTime max(_time) as lastTime by TargetFilename EventCode process_id process_name dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_icedid_license_dat_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "drop_icedid_license_dat_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "DSQuery Domain Discovery", "author": "Michael Haag, Splunk", "date": "2021-03-31", "version": 1, "id": "cc316032-924a-11eb-91a2-acde48001122", "description": "The following analytic identifies \"dsquery.exe\" execution with arguments looking for `TrustedDomain` query directly on the command-line. This is typically indicative of an Administrator or adversary perform domain trust discovery. Note that this query does not identify any other variations of \"Dsquery.exe\" usage.\nWithin this detection, it is assumed `dsquery.exe` is not moved or renamed.\nThe search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process \"dsquery.exe\" and its parent process.\nDSQuery.exe is natively found in `C:\\Windows\\system32` and `C:\\Windows\\syswow64` and only on Server operating system.\nThe following DLL(s) are loaded when DSQuery.exe is launched `dsquery.dll`. If found loaded by another process, it is possible dsquery is running within that process context in memory.\nIn addition to trust discovery, review parallel processes for additional behaviors performed. Identify the parent process and capture any files (batch files, for example) being used.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md", "https://blog.harmj0y.net/redteaming/a-guide-to-attacking-domain-trusts/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732952(v=ws.11)", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc754232(v=ws.11)"], "tags": {"analytic_story": ["Active Directory Discovery", "Domain Trust Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified performing domain discovery on endpoint $dest$ by user $user$.", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Akira", "Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=dsquery.exe Processes.process=*trustedDomain* by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dsquery_domain_discovery_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives. If there is a true false positive, filter based on command-line or parent process.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "dsquery_domain_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Dump LSASS via comsvcs DLL", "author": "Patrick Bareiss, Splunk", "date": "2023-04-14", "version": 2, "id": "8943b567-f14d-4ee8-a0bb-2121d4ce3184", "description": "The following analytic detects the behavior of dumping credentials from memory, a tactic commonly used by adversaries to exploit the Local Security Authority Subsystem Service (LSASS) in Windows, which manages system-level authentication. The detection is made by monitoring logs with process information from endpoints and identifying instances where the rundll32 process is used in conjunction with the comsvcs.dll and MiniDump. This indicates potential LSASS dumping attempts used by threat actors to obtain valuable credentials. The detection is important because credential theft can lead to broader system compromise, persistence, lateral movement, and escalated privileges. No legitimate use of this technique has been identified yet. This behavior is often part of more extensive attack campaigns and is associated with numerous threat groups that use the stolen credentials to access sensitive information or systems, leading to data theft, ransomware attacks, or other damaging outcomes. False positives can occur since legitimate uses of the LSASS process can cause benign activities to be flagged. Next steps include reviewing the processes involved in the LSASS dumping attempt after triage and inspecting any relevant on-disk artifacts and concurrent processes to identify the attack source.", "references": ["https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/", "https://twitter.com/SBousseaden/status/1167417096374050817", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"analytic_story": ["CISA AA22-257A", "CISA AA22-264A", "Credential Dumping", "Data Destruction", "Flax Typhoon", "HAFNIUM Group", "Industroyer2", "Living Off The Land", "Prestige Ransomware", "Suspicious Rundll32 Activity", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified accessing credentials using comsvcs.dll on endpoint $dest$ by user $user$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*comsvcs.dll* Processes.process=*MiniDump* by Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dump_lsass_via_comsvcs_dll_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "None identified.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "dump_lsass_via_comsvcs_dll_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Dump LSASS via procdump", "author": "Michael Haag, Splunk", "date": "2022-08-31", "version": 3, "id": "3742ebfe-64c2-11eb-ae93-0242ac130002", "description": "Detect procdump.exe dumping the lsass process. This query looks for both -mm and -ma usage. -mm will produce a mini dump file and -ma will write a dump file with all process memory. Both are highly suspect and should be reviewed. This query does not monitor for the internal name (original_file_name=procdump) of the PE or look for procdump64.exe. Modify the query as needed.\nDuring triage, confirm this is procdump.exe executing. If it is the first time a Sysinternals utility has been ran, it is possible there will be a -accepteula on the command line. Review other endpoint data sources for cross process (injection) into lsass.exe.", "references": ["https://attack.mitre.org/techniques/T1003/001/", "https://docs.microsoft.com/en-us/sysinternals/downloads/procdump", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md#atomic-test-2---dump-lsassexe-memory-using-procdump", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/"], "tags": {"analytic_story": ["CISA AA22-257A", "Credential Dumping", "HAFNIUM Group"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified attempting to dump lsass.exe on endpoint $dest$ by user $user$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_procdump` (Processes.process=*-ma* OR Processes.process=*-mm*) Processes.process=*lsass* by Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dump_lsass_via_procdump_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "None identified.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_procdump", "definition": "(Processes.process_name=procdump.exe OR Processes.process_name=procdump64.exe OR Processes.original_file_name=procdump)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "dump_lsass_via_procdump_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Elevated Group Discovery With Net", "author": "Mauricio Velazco, Splunk", "date": "2021-08-25", "version": 1, "id": "a23a0e20-0b1b-4a07-82e5-ec5f70811e7a", "description": "This analytic looks for the execution of `net.exe` or `net1.exe` with command-line arguments utilized to query for specific elevated domain groups. Red Teams and adversaries alike use net.exe to enumerate elevated domain groups for situational awareness and Active Directory Discovery to identify high privileged users.", "references": ["https://attack.mitre.org/techniques/T1069/002/", "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory", "https://adsecurity.org/?p=3658", "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF"], "tags": {"analytic_story": ["Active Directory Discovery", "Rhysida Ransomware", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Elevated domain group discovery enumeration on $dest$ by $user$", "risk_score": 21, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "FIN7", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "ToddyCat", "Turla", "Volt Typhoon"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"net.exe\" OR Processes.process_name=\"net1.exe\") (Processes.process=\"*group*\" AND Processes.process=\"*/do*\") (Processes.process=\"*Domain Admins*\" OR Processes.process=\"*Enterprise Admins*\" OR Processes.process=\"*Schema Admins*\" OR Processes.process=\"*Account Operators*\" OR Processes.process=\"*Server Operators*\" OR Processes.process=\"*Protected Users*\" OR Processes.process=\"*Dns Admins*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `elevated_group_discovery_with_net_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "elevated_group_discovery_with_net_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Elevated Group Discovery with PowerView", "author": "Mauricio Velazco, Splunk", "date": "2024-02-14", "version": 2, "id": "10d62950-0de5-4199-a710-cff9ea79b413", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainGroupMember` commandlet. `Get-DomainGroupMember` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. As the name suggests, `Get-DomainGroupMember` is used to list the members of an specific domain group. Red Teams and adversaries alike use PowerView to enumerate elevated domain groups for situational awareness and Active Directory Discovery to identify high privileged users.", "references": ["https://attack.mitre.org/techniques/T1069/002/", "https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainGroupMember/", "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory", "https://attack.mitre.org/techniques/T1069/002/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Elevated group discovery using PowerView on $dest$ by $user$", "risk_score": 21, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "FIN7", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "ToddyCat", "Turla", "Volt Typhoon"]}]}, "type": "Hunting", "search": "`powershell` EventCode=4104 (Message = \"*Get-DomainGroupMember*\") AND Message IN (\"*Domain Admins*\",\"*Enterprise Admins*\", \"*Schema Admins*\", \"*Account Operators*\" , \"*Server Operators*\", \"*Protected Users*\", \"*Dns Admins*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Message ComputerName User | rename ComputerName as dest, User as user | `security_content_ctime(firstTime)` | `elevated_group_discovery_with_powerview_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerView for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "elevated_group_discovery_with_powerview_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Elevated Group Discovery With Wmic", "author": "Mauricio Velazco, Splunk", "date": "2021-08-25", "version": 1, "id": "3f6bbf22-093e-4cb4-9641-83f47b8444b6", "description": "This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to query for specific domain groups. Red Teams and adversaries alike use net.exe to enumerate elevated domain groups for situational awareness and Active Directory Discovery to identify high privileged users.", "references": ["https://attack.mitre.org/techniques/T1069/002/", "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory", "https://adsecurity.org/?p=3658"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Elevated domain group discovery enumeration on $dest$ by $user$", "risk_score": 21, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "FIN7", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "ToddyCat", "Turla", "Volt Typhoon"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"wmic.exe\") (Processes.process=*/NAMESPACE:\\\\\\\\root\\\\directory\\\\ldap*) (Processes.process=\"*Domain Admins*\" OR Processes.process=\"*Enterprise Admins*\" OR Processes.process=\"*Schema Admins*\" OR Processes.process=\"*Account Operators*\" OR Processes.process=\"*Server Operators*\" OR Processes.process=\"*Protected Users*\" OR Processes.process=\"*Dns Admins*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `elevated_group_discovery_with_wmic_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "elevated_group_discovery_with_wmic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Enable RDP In Other Port Number", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2023-04-27", "version": 4, "id": "99495452-b899-11eb-96dc-acde48001122", "description": "This search is to detect a modification to registry to enable rdp to a machine with different port number. This technique was seen in some atttacker tries to do lateral movement and remote access to a compromised machine to gain control of it.", "references": ["https://www.mvps.net/docs/how-to-secure-remote-desktop-rdp/"], "tags": {"analytic_story": ["Prohibited Traffic Allowed or Protocol Mismatch", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "RDP was moved to a non-standard port on $dest$ by $user$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp*\" Registry.registry_value_name = \"PortNumber\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `enable_rdp_in_other_port_number_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "enable_rdp_in_other_port_number_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Enable WDigest UseLogonCredential Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2023-04-27", "version": 4, "id": "0c7d8ffe-25b1-11ec-9f39-acde48001122", "description": "This analytic is to detect a suspicious registry modification to enable plain text credential feature of windows. This technique was used by several malware and also by mimikatz to be able to dumpe the a plain text credential to the compromised or target host. This TTP is really a good indicator that someone wants to dump the crendential of the host so it must be a good pivot for credential dumping techniques.", "references": ["https://www.csoonline.com/article/3438824/how-to-detect-and-halt-credential-theft-via-windows-wdigest.html"], "tags": {"analytic_story": ["CISA AA22-320A", "Credential Dumping", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "wdigest registry $registry_path$ was modified in $dest$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\System\\\\CurrentControlSet\\\\Control\\\\SecurityProviders\\\\WDigest\\\\*\" Registry.registry_value_name = \"UseLogonCredential\" Registry.registry_value_data=0x00000001) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `enable_wdigest_uselogoncredential_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "enable_wdigest_uselogoncredential_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Enumerate Users Local Group Using Telegram", "author": "Teoderick Contreras, Splunk", "date": "2024-04-26", "version": 3, "id": "fcd74532-ae54-11eb-a5ab-acde48001122", "description": "This analytic will detect a suspicious Telegram process enumerating all network users in a local group. This technique was seen in a Monero infected honeypot to mapped all the users on the compromised system. EventCode 4798 is generated when a process enumerates a user's security-enabled local groups on a computer or device.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4798"], "tags": {"analytic_story": ["XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The Telegram application has been identified enumerating local groups on $dest$ by $user$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}]}, "type": "TTP", "search": "`wineventlog_security` EventCode=4798 CallerProcessName = \"*\\\\telegram.exe\" | stats count min(_time) as firstTime max(_time) as lastTime by user Computer EventCode CallerProcessName ProcessID SubjectUserSid SubjectDomainName SubjectLogonId | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `enumerate_users_local_group_using_telegram_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the Task Schedule (Exa. Security Log EventCode 4798) endpoints. Tune and filter known instances of process like logonUI used in your environment.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "enumerate_users_local_group_using_telegram_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Esentutl SAM Copy", "author": "Michael Haag, Splunk", "date": "2021-08-18", "version": 1, "id": "d372f928-ce4f-11eb-a762-acde48001122", "description": "The following analytic identifies the process - `esentutl.exe` - being used to capture credentials stored in ntds.dit or the SAM file on disk. During triage, review parallel processes and determine if legitimate activity. Upon determination of illegitimate activity, take further action to isolate and contain the threat.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/6a570c2a4630cf0c2bd41a2e8375b5d5ab92f700/atomics/T1003.002/T1003.002.md", "https://attack.mitre.org/software/S0404/"], "tags": {"analytic_story": ["Credential Dumping", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user user$ attempting to capture credentials for offline cracking or observability.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_esentutl` Processes.process IN (\"*ntds*\", \"*SAM*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `esentutl_sam_copy_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_esentutl", "definition": "(Processes.process_name=esentutl.exe OR Processes.original_file_name=esentutl.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "esentutl_sam_copy_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "ETW Registry Disabled", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-10", "version": 5, "id": "8ed523ac-276b-11ec-ac39-acde48001122", "description": "The following analytic detects a registry modification that disables the Event Tracing for Windows (ETW) feature. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the ETWEnabled registry value under the .NETFramework path. This activity is significant because disabling ETW can allow attackers to evade Endpoint Detection and Response (EDR) tools and hide their execution from audit logs. If confirmed malicious, this action could enable attackers to operate undetected, potentially leading to further compromise and persistent access within the environment.", "references": ["https://gist.github.com/Cyb3rWard0g/a4a115fd3ab518a0e593525a379adee3"], "tags": {"analytic_story": ["CISA AA23-347A", "Data Destruction", "Hermetic Wiper", "Windows Persistence Techniques", "Windows Privilege Escalation", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Modified/added/deleted registry entry $registry_path$ in $dest$", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.006", "mitre_attack_technique": "Indicator Blocking", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT41", "APT5"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\SOFTWARE\\\\Microsoft\\\\.NETFramework*\" Registry.registry_value_name = ETWEnabled Registry.registry_value_data=0x00000000) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `etw_registry_disabled_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "etw_registry_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Eventvwr UAC Bypass", "author": "Steven Dick, Michael Haag, Splunk", "date": "2022-11-14", "version": 3, "id": "9cf8fe08-7ad8-11eb-9819-acde48001122", "description": "The following search identifies Eventvwr bypass by identifying the registry modification into a specific path that eventvwr.msc looks to (but is not valid) upon execution. A successful attack will include a suspicious command to be executed upon eventvwr.msc loading. Upon triage, review the parallel processes that have executed. Identify any additional registry modifications on the endpoint that may look suspicious. Remediate as necessary.", "references": ["https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md", "https://attack.mitre.org/techniques/T1548/002/", "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/"], "tags": {"analytic_story": ["IcedID", "Living Off The Land", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Registry values were modified to bypass UAC using Event Viewer on $dest$ by $user$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*mscfile\\\\shell\\\\open\\\\command\\\\*\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `eventvwr_uac_bypass_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Some false positives may be present and will need to be filtered.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "eventvwr_uac_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Excel Spawning PowerShell", "author": "Michael Haag, Splunk", "date": "2023-11-07", "version": 2, "id": "42d40a22-9be3-11eb-8f08-acde48001122", "description": "The following detection identifies Microsoft Excel spawning PowerShell. Typically, this is not common behavior and not default with Excel.exe. Excel.exe will generally be found in the following path `C:\\Program Files\\Microsoft Office\\root\\Office16` (version will vary). PowerShell spawning from Excel.exe is common for a spearphishing attachment and is actively used. Albeit, the command executed will most likely be encoded and captured via another detection. During triage, review parallel processes and identify any files that may have been written.", "references": ["https://redcanary.com/threat-detection-report/techniques/powershell/", "https://attack.mitre.org/techniques/T1566/001/"], "tags": {"analytic_story": ["Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$, indicating potential suspicious macro execution.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process) min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=\"excel.exe\" `process_powershell` by Processes.parent_process Processes.parent_process_name Processes.process_name Processes.user Processes.dest Processes.original_file_name | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `excel_spawning_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited, but if any are present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "excel_spawning_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Excel Spawning Windows Script Host", "author": "Michael Haag, Splunk", "date": "2023-11-07", "version": 2, "id": "57fe880a-9be3-11eb-9bf3-acde48001122", "description": "The following detection identifies Microsoft Excel spawning Windows Script Host - `cscript.exe` or `wscript.exe`. Typically, this is not common behavior and not default with Excel.exe. Excel.exe will generally be found in the following path `C:\\Program Files\\Microsoft Office\\root\\Office16` (version will vary). `cscript.exe` or `wscript.exe` default location is `c:\\windows\\system32\\` or c:windows\\syswow64`. `cscript.exe` or `wscript.exe` spawning from Excel.exe is common for a spearphishing attachment and is actively used. Albeit, the command-line executed will most likely be obfuscated and captured via another detection. During triage, review parallel processes and identify any files that may have been written. Review the reputation of the remote destination and block accordingly.", "references": ["https://app.any.run/tasks/8ecfbc29-03d0-421c-a5bf-3905d29192a2/", "https://attack.mitre.org/techniques/T1566/001/"], "tags": {"analytic_story": ["Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$, indicating potential suspicious macro execution.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process) min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=\"excel.exe\" Processes.process_name IN (\"cscript.exe\", \"wscript.exe\") by Processes.parent_process Processes.parent_process_name Processes.process_name Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `excel_spawning_windows_script_host_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited, but if any are present, filter as needed. In some instances, `cscript.exe` is used for legitimate business practices.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "excel_spawning_windows_script_host_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Excessive Attempt To Disable Services", "author": "Teoderick Contreras, Splunk", "date": "2024-05-04", "version": 2, "id": "8fa2a0f0-acd9-11eb-8994-acde48001122", "description": "The following analytic identifies a suspicious series of command-line executions attempting to disable multiple services. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on processes where \"sc.exe\" is used with parameters like \"config\" or \"Disabled\" within a short time frame. This activity is significant as it may indicate an adversary's attempt to disable security or other critical services to further compromise the system. If confirmed malicious, this could lead to the attacker achieving persistence, evading detection, or disabling security mechanisms, thereby increasing the risk of further exploitation.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"analytic_story": ["Azorult", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An excessive amount of $process_name$ was executed on $dest$ attempting to disable services.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"sc.exe\" AND Processes.process=\"*config*\" OR Processes.process=\"*Disabled*\" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user _time span=1m | where count >=4 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_attempt_to_disable_services_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "excessive_attempt_to_disable_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Excessive distinct processes from Windows Temp", "author": "Michael Hart, Mauricio Velazco, Splunk", "date": "2024-04-26", "version": 3, "id": "23587b6a-c479-11eb-b671-acde48001122", "description": "This analytic will identify suspicious series of process executions. We have observed that post exploit framework tools like Koadic and Meterpreter will launch an excessive number of processes with distinct file paths from Windows\\Temp to execute actions on objective. This behavior is extremely anomalous compared to typical application behaviors that use Windows\\Temp.", "references": ["https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/"], "tags": {"analytic_story": ["Meterpreter"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Multiple processes were executed out of windows\\temp within a short amount of time on $dest$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process distinct_count(Processes.process) as distinct_process_count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_path = \"*\\\\Windows\\\\Temp\\\\*\" by Processes.dest Processes.user _time span=20m | where distinct_process_count > 37 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_distinct_processes_from_windows_temp_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Many benign applications will create processes from executables in Windows\\Temp, although unlikely to exceed the given threshold. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "excessive_distinct_processes_from_windows_temp_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Excessive File Deletion In WinDefender Folder", "author": "Teoderick Contreras, Splunk, Steven Dick", "date": "2024-03-05", "version": 2, "id": "b5baa09a-7a05-11ec-8da4-acde48001122", "description": "This analytic identifies excessive file deletion events in the Windows Defender folder. This technique was observed in the WhisperGate malware campaign, where adversaries exploited Nirsoft's advancedrun.exe to gain administrative privileges and then executed PowerShell commands to delete files within the Windows Defender application folder. Such behavior is a strong indicator that the offending process is attempting to corrupt a Windows Defender installation.", "references": ["https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"analytic_story": ["BlackByte Ransomware", "Data Destruction", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "deleted_files", "type": "File Name", "role": ["Attacker"]}], "message": "Excessive file deletion events were detected in the Windows Defender folder on $dest$ by $user$. Investigate further to determine if this activity is malicious.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}]}, "type": "TTP", "search": "`sysmon` EventCode IN (\"23\",\"26\") TargetFilename = \"*\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\*\" | stats count, values(TargetFilename) as deleted_files, min(_time) as firstTime, max(_time) as lastTime by user, dest, signature, signature_id, Image, process_name, process_guid | rename Image as process | where count >=50 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_file_deletion_in_windefender_folder_filter`", "how_to_implement": "To successfully implement this search, you must ingest logs that include the process name, TargetFilename, and ProcessID executions from your endpoints. If you are utilizing Sysmon, ensure you have at least version 2.0 of the Sysmon TA installed.", "known_false_positives": "Windows Defender AV updates may trigger this alert. Please adjust the filter macros to mitigate false positives.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "excessive_file_deletion_in_windefender_folder_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Excessive number of service control start as disabled", "author": "Michael Hart, Splunk", "date": "2021-06-25", "version": 1, "id": "77592bec-d5cc-11eb-9e60-acde48001122", "description": "This detection targets behaviors observed when threat actors have used sc.exe to modify services. We observed malware in a honey pot spawning numerous sc.exe processes in a short period of time, presumably to impair defenses, possibly to block others from compromising the same machine. This detection will alert when we see both an excessive number of sc.exe processes launched with specific commandline arguments to disable the start of certain services.", "references": ["https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/sc-create", "https://attack.mitre.org/techniques/T1562/001/"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An excessive amount of $process_name$ was executed on $dest$ attempting to disable services.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` distinct_count(Processes.process) as distinct_cmdlines values(Processes.process_id) as process_ids min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes WHERE Processes.process_name = \"sc.exe\" AND Processes.process=\"*start= disabled*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_id, _time span=30m | where distinct_cmdlines >= 8 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_number_of_service_control_start_as_disabled_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Legitimate programs and administrators will execute sc.exe with the start disabled flag. It is possible, but unlikely from the telemetry of normal Windows operation we observed, that sc.exe will be called more than seven times in a short period of time.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "excessive_number_of_service_control_start_as_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Excessive number of taskhost processes", "author": "Michael Hart", "date": "2024-04-26", "version": 3, "id": "f443dac2-c7cf-11eb-ab51-acde48001122", "description": "This detection targets behaviors observed in post exploit kits like Meterpreter and Koadic that are run in memory. We have observed that these tools must invoke an excessive number of taskhost.exe and taskhostex.exe processes to complete various actions (discovery, lateral movement, etc.). It is extremely uncommon in the course of normal operations to see so many distinct taskhost and taskhostex processes running concurrently in a short time frame.", "references": ["https://attack.mitre.org/software/S0250/"], "tags": {"analytic_story": ["Meterpreter"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An excessive amount of taskhost.exe and taskhostex.exe was executed on $dest$ indicative of suspicious behavior.", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Processes.process_id) as process_ids min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes WHERE Processes.process_name = \"taskhost.exe\" OR Processes.process_name = \"taskhostex.exe\" BY Processes.dest Processes.process_name _time span=1h | `drop_dm_object_name(Processes)` | eval pid_count=mvcount(process_ids) | eval taskhost_count_=if(process_name == \"taskhost.exe\", pid_count, 0) | eval taskhostex_count_=if(process_name == \"taskhostex.exe\", pid_count, 0) | stats sum(taskhost_count_) as taskhost_count, sum(taskhostex_count_) as taskhostex_count by _time, dest, firstTime, lastTime | where taskhost_count > 10 or taskhostex_count > 10 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_number_of_taskhost_processes_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators, administrative actions or certain applications may run many instances of taskhost and taskhostex concurrently. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "excessive_number_of_taskhost_processes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Excessive Service Stop Attempt", "author": "Teoderick Contreras, Splunk", "date": "2021-05-04", "version": 2, "id": "ae8d3f4a-acd7-11eb-8846-acde48001122", "description": "This analytic identifies suspicious series of attempt to kill multiple services on a system using either `net.exe` or `sc.exe`. This technique is use by adversaries to terminate security services or other related services to continue there objective and evade detections.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"analytic_story": ["BlackByte Ransomware", "Ransomware", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An excessive amount of $process_name$ was executed on $dest$ attempting to disable services.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` OR Processes.process_name = \"sc.exe\" OR Processes.process_name = \"net1.exe\" AND Processes.process=\"*stop*\" OR Processes.process=\"*delete*\" by Processes.process_name Processes.original_file_name Processes.parent_process_name Processes.dest Processes.user _time span=1m | where count >=5 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_service_stop_attempt_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "excessive_service_stop_attempt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Excessive Usage Of Cacls App", "author": "Teoderick Contreras, Splunk", "date": "2021-05-07", "version": 1, "id": "0bdf6092-af17-11eb-939a-acde48001122", "description": "The following analytic identifies excessive usage of `cacls.exe`, `xcacls.exe` or `icacls.exe` application to change file or folder permission. This behavior is commonly seen where the adversary attempts to impair some users from deleting or accessing its malware components or artifact from the compromised system.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"analytic_story": ["Azorult", "Prestige Ransomware", "Windows Post-Exploitation", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An excessive amount of $process_name$ was executed on $dest$ attempting to modify permissions.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id values(Processes.process_name) as process_name count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"cacls.exe\" OR Processes.process_name = \"icacls.exe\" OR Processes.process_name = \"XCACLS.exe\" by Processes.parent_process_name Processes.parent_process Processes.dest Processes.user _time span=1m | where count >=10 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_usage_of_cacls_app_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or administrative scripts may use this application. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "excessive_usage_of_cacls_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Excessive Usage Of Net App", "author": "Teoderick Contreras, Splunk", "date": "2023-06-13", "version": 2, "id": "45e52536-ae42-11eb-b5c6-acde48001122", "description": "This analytic identifies excessive usage of `net.exe` or `net1.exe` within a bucket of time (1 minute). This behavior was seen in a Monero incident where the adversary attempts to create many users, delete and disable users as part of its malicious behavior.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"analytic_story": ["Azorult", "Graceful Wipe Out Attack", "Prestige Ransomware", "Ransomware", "Rhysida Ransomware", "Windows Post-Exploitation", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "Excessive usage of net1.exe or net.exe within 1m, with command line $process$ has been detected on $dest$ by $user$", "risk_score": 28, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1531", "mitre_attack_technique": "Account Access Removal", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Akira", "LAPSUS$"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` by Processes.process_name Processes.parent_process_name Processes.original_file_name Processes.dest Processes.user _time span=1m | where count >=10 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_usage_of_net_app_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown. Filter as needed. Modify the time span as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "excessive_usage_of_net_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Excessive Usage of NSLOOKUP App", "author": "Teoderick Contreras, Stanislav Miskovic, Splunk", "date": "2022-06-03", "version": 2, "id": "0a69fdaa-a2b8-11eb-b16d-acde48001122", "description": "This search is to detect potential DNS exfiltration using nslookup application. This technique are seen in couple of malware and APT group to exfiltrated collected data in a infected machine or infected network. This detection is looking for unique use of nslookup where it tries to use specific record type (TXT, A, AAAA) that are commonly used by attacker and also the retry parameter which is designed to query C2 DNS multiple tries.", "references": ["https://www.mandiant.com/resources/fin7-spear-phishing-campaign-targets-personnel-involved-sec-filings", "https://www.varonis.com/blog/dns-tunneling", "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/"], "tags": {"analytic_story": ["Command And Control", "Data Exfiltration", "Dynamic DNS", "Suspicious DNS Traffic"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Excessive usage of nslookup.exe has been detected on $dest$. This detection is triggered as as it violates the dynamic threshold", "risk_score": 28, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}]}, "type": "Anomaly", "search": "`sysmon` EventCode = 1 process_name = \"nslookup.exe\" | bucket _time span=1m | stats count as numNsLookup by dest, _time | eventstats avg(numNsLookup) as avgNsLookup, stdev(numNsLookup) as stdNsLookup, count as numSlots by dest | eval upperThreshold=(avgNsLookup + stdNsLookup *3) | eval isOutlier=if(numNsLookup > 20 and numNsLookup >= upperThreshold, 1, 0) | search isOutlier=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_usage_of_nslookup_app_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of nslookup.exe may be used.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "excessive_usage_of_nslookup_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Excessive Usage Of SC Service Utility", "author": "Teoderick Contreras, Splunk", "date": "2021-06-24", "version": 1, "id": "cb6b339e-d4c6-11eb-a026-acde48001122", "description": "This search is to detect a suspicious excessive usage of sc.exe in a host machine. This technique was seen in several ransomware , xmrig and other malware to create, modify, delete or disable a service may related to security application or to gain privilege escalation.", "references": ["https://app.any.run/tasks/c0f98850-af65-4352-9746-fbebadee4f05/"], "tags": {"analytic_story": ["Azorult", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Excessive Usage Of SC Service Utility", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}]}, "type": "Anomaly", "search": "`sysmon` EventCode = 1 process_name = \"sc.exe\" | bucket _time span=15m | stats values(process) as process count as numScExe by dest, _time | eventstats avg(numScExe) as avgScExe, stdev(numScExe) as stdScExe, count as numSlots by dest | eval upperThreshold=(avgScExe + stdScExe *3) | eval isOutlier=if(avgScExe > 5 and avgScExe >= upperThreshold, 1, 0) | search isOutlier=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_usage_of_sc_service_utility_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed taskkill.exe may be used.", "known_false_positives": "excessive execution of sc.exe is quite suspicious since it can modify or execute app in high privilege permission.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "excessive_usage_of_sc_service_utility_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Excessive Usage Of Taskkill", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 2, "id": "fe5bca48-accb-11eb-a67c-acde48001122", "description": "The following analytic identifies excessive usage of `taskkill.exe`, a command-line utility used to terminate processes. The detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on instances where `taskkill.exe` is executed ten or more times within a one-minute span. This behavior is significant as adversaries often use `taskkill.exe` to disable security tools or other critical processes to evade detection. If confirmed malicious, this activity could allow attackers to bypass security defenses, maintain persistence, and further compromise the system.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/", "https://www.joesandbox.com/analysis/702680/0/html"], "tags": {"analytic_story": ["AgentTesla", "Azorult", "CISA AA22-264A", "CISA AA22-277A", "NjRAT", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process", "Attacker"]}], "message": "Excessive usage of taskkill.exe with process id $process_id$ (more than 10 within 1m) has been detected on $dest$ with a parent process of $parent_process_name$.", "risk_score": 28, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"taskkill.exe\" by Processes.parent_process_name Processes.process_name Processes.dest Processes.user _time span=1m | where count >=10 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_usage_of_taskkill_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unknown. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "excessive_usage_of_taskkill_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Exchange PowerShell Abuse via SSRF", "author": "Michael Haag, Splunk", "date": "2023-07-10", "version": 2, "id": "29228ab4-0762-11ec-94aa-acde48001122", "description": "This analytic identifies suspicious behavior related to ProxyShell against on-premise Microsoft Exchange servers. This analytic has been replaced by GUID d436f9e7-0ee7-4a47-864b-6dea2c4e2752 which utilizes the Web Datamodel.\nModification of this analytic is requried to ensure fields are mapped accordingly.\n\nA suspicious event will have `PowerShell`, the method `POST` and `autodiscover.json`. This is indicative of accessing PowerShell on the back end of Exchange with SSRF.\n\nAn event will look similar to `POST /autodiscover/autodiscover.json a=dsxvu@fnsso.flq/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3d...` (abbreviated)\nReview the source attempting to perform this activity against your environment. In addition, review PowerShell logs and access recently granted to Exchange roles.", "references": ["https://github.com/GossiTheDog/ThreatHunting/blob/master/AzureSentinel/Exchange-Powershell-via-SSRF", "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1"], "tags": {"analytic_story": ["BlackByte Ransomware", "ProxyNotShell", "ProxyShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Activity related to ProxyShell has been identified on $dest$. Review events and take action accordingly.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "type": "TTP", "search": "`exchange` c_uri=\"*//autodiscover*\" cs_uri_query=\"*PowerShell*\" cs_method=\"POST\" | stats count min(_time) as firstTime max(_time) as lastTime by dest, cs_uri_query, cs_method, c_uri | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `exchange_powershell_abuse_via_ssrf_filter`", "how_to_implement": "The following analytic requires on-premise Exchange to be logging to Splunk using the TA - https://splunkbase.splunk.com/app/3225. Ensure logs are parsed correctly, or tune the analytic for your environment.", "known_false_positives": "Limited false positives, however, tune as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "exchange", "definition": "sourcetype=\"MSWindows:IIS\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "exchange_powershell_abuse_via_ssrf_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Exchange PowerShell Module Usage", "author": "Michael Haag, Splunk", "date": "2023-07-10", "version": 5, "id": "2d10095e-05ae-11ec-8fdf-acde48001122", "description": "The following analytic identifies the usage of Exchange PowerShell modules that were recently used for a proof of concept related to ProxyShell. Adversaries may abuse a limited set of PwSh Modules related to Exchange once gained access via ProxyShell or ProxyNotShell.\nInherently, the usage of the modules is not malicious, but reviewing parallel processes, and user, of the session will assist with determining the intent.\nModule - New-MailboxExportRequest will begin the process of exporting contents of a primary mailbox or archive to a .pst file.\nModule - New-managementroleassignment can assign a management role to a management role group, management role assignment policy, user, or universal security group (USG).\nModule - New-MailboxSearch cmdlet to create a mailbox search and either get an estimate of search results, place search results on In-Place Hold or copy them to a Discovery mailbox. You can also place all contents in a mailbox on hold by not specifying a search query, which accomplishes similar results as Litigation Hold. \\ Module - Get-Recipient cmdlet to view existing recipient objects in your organization. This cmdlet returns all mail-enabled objects (for example, mailboxes, mail users, mail contacts, and distribution groups).", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/exchange/new-managementroleassignment?view=exchange-ps", "https://blog.orange.tw/2021/08/proxyshell-a-new-attack-surface-on-ms-exchange-part-3.html", "https://www.zerodayinitiative.com/blog/2021/8/17/from-pwn2own-2021-a-new-attack-surface-on-microsoft-exchange-proxyshell", "https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/", "https://www.cisa.gov/uscert/ncas/alerts/aa22-264a", "https://learn.microsoft.com/en-us/powershell/module/exchange/new-mailboxsearch?view=exchange-ps", "https://learn.microsoft.com/en-us/powershell/module/exchange/get-recipient?view=exchange-ps", "https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/"], "tags": {"analytic_story": ["BlackByte Ransomware", "CISA AA22-264A", "CISA AA22-277A", "ProxyNotShell", "ProxyShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Suspicious Exchange PowerShell module usaged was identified on $dest$.", "risk_score": 32, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*New-MailboxExportRequest*\", \"*New-ManagementRoleAssignment*\", \"*New-MailboxSearch*\", \"*Get-Recipient*\", \"Search-Mailbox\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest |rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `exchange_powershell_module_usage_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "exchange_powershell_module_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Executable File Written in Administrative SMB Share", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2024-02-14", "version": 3, "id": "f63c34fe-a435-11eb-935a-acde48001122", "description": "The following analytic identifies executable files (.exe or .dll) being written to Windows administrative SMB shares (Admin$, IPC$, C$). This represents suspicious behavior as its commonly used by tools like PsExec/PaExec and others to stage service binaries before creating and starting a Windows service on remote endpoints. Red Teams and adversaries alike may abuse administrative shares for lateral movement and remote code execution. The Trickbot malware family also implements this behavior to try to infect other machines in the infected network.", "references": ["https://attack.mitre.org/techniques/T1021/002/", "https://www.rapid7.com/blog/post/2013/03/09/psexec-demystified/", "https://labs.vipre.com/trickbot-and-its-modules/", "https://whitehat.eu/incident-response-case-study-featuring-ryuk-and-trickbot-part-2/", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Data Destruction", "Graceful Wipe Out Attack", "Hermetic Wiper", "IcedID", "Industroyer2", "Prestige Ransomware", "Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}], "message": "$src_user$ dropped or created an executable file in known sensitive SMB share. Share name=$ShareName$, Target name=$RelativeTargetName$, and Access mask=$AccessMask$", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}]}, "type": "TTP", "search": "`wineventlog_security` EventCode=5145 RelativeTargetName IN (\"*.exe\",\"*.dll\") ObjectType=File ShareName IN (\"\\\\\\\\*\\\\C$\",\"\\\\\\\\*\\\\IPC$\",\"\\\\\\\\*\\\\admin$\") AccessMask= \"0x2\" | stats min(_time) as firstTime max(_time) as lastTime count by EventCode ShareName RelativeTargetName ObjectType AccessMask src_user src_port IpAddress | `security_content_ctime(firstTime)` | `executable_file_written_in_administrative_smb_share_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 5145 EventCode enabled. The Windows TA is also required. Also enable the object Audit access success/failure in your group policy.", "known_false_positives": "System Administrators may use looks like PsExec for troubleshooting or administrations tasks. However, this will typically come only from certain users and certain systems that can be added to an allow list.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "executable_file_written_in_administrative_smb_share_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Executables Or Script Creation In Suspicious Path", "author": "Teoderick Contreras, Splunk", "date": "2023-12-27", "version": 1, "id": "a7e3f0f0-ae42-11eb-b245-acde48001122", "description": "This analytic identifies potentially malicious executables or scripts by examining a list of suspicious file paths on Windows Operating System. The purpose of this technique is to uncover files with known file extensions that could be used by adversaries to evade detection and persistence. The suspicious file paths selected for investigation are typically uncommon and uncommonly associated with executable or script files. By scrutinizing these paths, we can proactively identify potential security threats and enhance overall system security.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://twitter.com/pr0xylife/status/1590394227758104576", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"analytic_story": ["AgentTesla", "Amadey", "AsyncRAT", "Azorult", "BlackByte Ransomware", "Brute Ratel C4", "CISA AA23-347A", "Chaos Ransomware", "DarkCrystal RAT", "DarkGate Malware", "Data Destruction", "Double Zero Destructor", "Graceful Wipe Out Attack", "Hermetic Wiper", "IcedID", "Industroyer2", "LockBit Ransomware", "NjRAT", "PlugX", "Qakbot", "RedLine Stealer", "Remcos", "Rhysida Ransomware", "Snake Keylogger", "Swift Slicer", "Trickbot", "Volt Typhoon", "Warzone RAT", "WhisperGate", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}], "message": "Suspicious executable or scripts with file name $file_name$, $file_path$ and process_id $process_id$ executed in suspicious file path in Windows by $user$", "risk_score": 20, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}]}, "type": "Anomaly", "search": "|tstats `security_content_summariesonly` values(Filesystem.file_path) as file_path count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_name = *.exe OR Filesystem.file_name = *.dll OR Filesystem.file_name = *.sys OR Filesystem.file_name = *.com OR Filesystem.file_name = *.vbs OR Filesystem.file_name = *.vbe OR Filesystem.file_name = *.js OR Filesystem.file_name = *.ps1 OR Filesystem.file_name = *.bat OR Filesystem.file_name = *.cmd OR Filesystem.file_name = *.pif) AND ( Filesystem.file_path = *\\\\windows\\\\fonts\\\\* OR Filesystem.file_path = *\\\\windows\\\\temp\\\\* OR Filesystem.file_path = *\\\\users\\\\public\\\\* OR Filesystem.file_path = *\\\\windows\\\\debug\\\\* OR Filesystem.file_path = *\\\\Users\\\\Administrator\\\\Music\\\\* OR Filesystem.file_path = *\\\\Windows\\\\servicing\\\\* OR Filesystem.file_path = *\\\\Users\\\\Default\\\\* OR Filesystem.file_path = *Recycle.bin* OR Filesystem.file_path = *\\\\Windows\\\\Media\\\\* OR Filesystem.file_path = *\\\\Windows\\\\repair\\\\* OR Filesystem.file_path = *\\\\AppData\\\\Local\\\\Temp* OR Filesystem.file_path = *\\\\PerfLogs\\\\*) by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.user | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `executables_or_script_creation_in_suspicious_path_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.", "known_false_positives": "Administrators may allow creation of script or exe in the paths specified. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "executables_or_script_creation_in_suspicious_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Execute Javascript With Jscript COM CLSID", "author": "Teoderick Contreras, Splunk", "date": "2021-06-22", "version": 1, "id": "dc64d064-d346-11eb-8588-acde48001122", "description": "This analytic will identify suspicious process of cscript.exe where it tries to execute javascript using jscript.encode CLSID (COM OBJ). This technique was seen in ransomware (reddot ransomware) where it execute javascript with this com object with combination of amsi disabling technique.", "references": ["https://app.any.run/tasks/c0f98850-af65-4352-9746-fbebadee4f05/"], "tags": {"analytic_story": ["Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Attacker"]}], "message": "Suspicious process of cscript.exe with a parent process $parent_process_name$ where it tries to execute javascript using jscript.encode CLSID (COM OBJ), detected on $dest$ by $user$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.005", "mitre_attack_technique": "Visual Basic", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT33", "APT37", "APT38", "APT39", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Earth Lusca", "FIN13", "FIN4", "FIN7", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "Transparent Tribe", "Turla", "WIRTE", "Windshift"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"cscript.exe\" Processes.process=\"*-e:{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}*\" by Processes.parent_process_name Processes.process_name Processes.process Processes.parent_process Processes.process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `execute_javascript_with_jscript_com_clsid_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "execute_javascript_with_jscript_com_clsid_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Execution of File with Multiple Extensions", "author": "Rico Valdez, Teoderick Contreras, Splunk", "date": "2020-11-18", "version": 3, "id": "b06a555e-dce0-417d-a2eb-28a5d8d66ef7", "description": "This search looks for processes launched from files that have double extensions in the file name. This is typically done to obscure the \"real\" file extension and make it appear as though the file being accessed is a data file, as opposed to executable content.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat"], "tags": {"analytic_story": ["AsyncRAT", "DarkGate Malware", "Masquerading - Rename System Utilities", "Windows File Extension and Association Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Parent Process", "Attacker"]}], "message": "process $process$ have double extensions in the file name is executed on $dest$ by $user$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN (\"*.doc.exe\", \"*.xls.exe\",\"*.ppt.exe\", \"*.htm.exe\", \"*.html.exe\", \"*.txt.exe\", \"*.pdf.exe\", \"*.docx.exe\", \"*.xlsx.exe\", \"*.pptx.exe\",\"*.one.exe\", \"*.bat.exe\", \"*rtf.exe\") by Processes.dest Processes.user Processes.process Processes.process_name Processes.parent_process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `execution_of_file_with_multiple_extensions_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "None identified.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "execution_of_file_with_multiple_extensions_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Extraction of Registry Hives", "author": "Michael Haag, Splunk", "date": "2023-12-27", "version": 2, "id": "8bbb7d58-b360-11eb-ba21-acde48001122", "description": "The following analytic identifies the use of `reg.exe` exporting Windows Registry hives containing credentials. Adversaries may use this technique to export registry hives for offline credential access attacks. Typically found executed from a untrusted process or script. Upon execution, a file will be written to disk.", "references": ["https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md", "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF"], "tags": {"analytic_story": ["CISA AA22-257A", "CISA AA23-347A", "Credential Dumping", "DarkSide Ransomware", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Attacker"]}], "message": "Suspicious use of `reg.exe` exporting Windows Registry hives containing credentials executed on $dest$ by user $user$, with a parent process of $parent_process_id$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` (Processes.process=*save* OR Processes.process=*export*) AND (Processes.process=\"*\\sam *\" OR Processes.process=\"*\\system *\" OR Processes.process=\"*\\security *\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `extraction_of_registry_hives_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "It is possible some agent based products will generate false positives. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_reg", "definition": "(Processes.process_name=reg.exe OR Processes.original_file_name=reg.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "extraction_of_registry_hives_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "File with Samsam Extension", "author": "Rico Valdez, Splunk", "date": "2018-12-14", "version": 1, "id": "02c6cfc2-ae66-4735-bfc7-6291da834cbf", "description": "The following analytic detects file writes with extensions that are consistent with a SamSam ransomware attack to proactively detect and respond to potential SamSam ransomware attacks, minimizing the impact and reducing the likelihood of successful ransomware infections. This detection is made by a Splunk query to search for specific file extensions that are commonly associated with SamSam ransomware, such as .stubbin, .berkshire, .satoshi, .sophos, and .keyxml. This identifies file extensions in the file names of the written files. If any file write events with these extensions are found, it suggests a potential SamSam ransomware attack. This detection is important because SamSam ransomware is a highly destructive and financially motivated attack and suggests that the organization is at risk of having its files encrypted and held for ransom, which can lead to significant financial losses, operational disruptions, and reputational damage. False positives might occur since legitimate files with these extensions can exist in the environment. Therefore, next steps include conducting a careful analysis and triage to confirm the presence of a SamSam ransomware attack. Next steps include taking immediate action to contain the attack, mitigate the impact, and prevent further spread of the ransomware. This might involve isolating affected systems, restoring encrypted files from backups, and conducting a thorough investigation to identify the attack source and prevent future incidents.", "references": [], "tags": {"analytic_story": ["SamSam Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Other", "Attacker"]}], "message": "File writes $file_name$ with extensions consistent with a SamSam ransomware attack seen on $dest$", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)`| rex field=file_name \"(?\\.[^\\.]+)$\" | search file_extension=.stubbin OR file_extension=.berkshire OR file_extension=.satoshi OR file_extension=.sophos OR file_extension=.keyxml | `file_with_samsam_extension_filter`", "how_to_implement": "You must be ingesting data that records file-system activity from your hosts to populate the Endpoint file-system data-model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.", "known_false_positives": "Because these extensions are not typically used in normal operations, you should investigate all results.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "file_with_samsam_extension_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Firewall Allowed Program Enable", "author": "Teoderick Contreras, Splunk", "date": "2021-11-12", "version": 1, "id": "9a8f63a8-43ac-11ec-904c-acde48001122", "description": "The following analytic detects a potential suspicious modification of firewall rule allowing to execute specific application. This technique was identified when an adversary and red teams to bypassed firewall file execution restriction in a targetted host. Take note that this event or command can run by administrator during testing or allowing legitimate tool or application.", "references": ["https://app.any.run/tasks/ad4c3cda-41f2-4401-8dba-56cc2d245488/"], "tags": {"analytic_story": ["Azorult", "BlackByte Ransomware", "NjRAT", "PlugX", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "firewall allowed program commandline $process$ of $process_name$ on $dest$ by $user$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT", "ToddyCat"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*firewall*\" Processes.process = \"*allow*\" Processes.process = \"*add*\" Processes.process = \"*ENABLE*\" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `firewall_allowed_program_enable_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "A network operator or systems administrator may utilize an automated or manual execution of this firewall rule that may generate false positives. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "firewall_allowed_program_enable_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "First Time Seen Child Process of Zoom", "author": "David Dorsey, Splunk", "date": "2024-05-20", "version": 2, "id": "e91bd102-d630-4e76-ab73-7e3ba22c5961", "description": "The following analytic identifies the first-time execution of child processes spawned by Zoom (zoom.exe or zoom.us). It leverages Endpoint Detection and Response (EDR) data, specifically monitoring process creation events and comparing them against previously seen child processes. This activity is significant because the execution of unfamiliar child processes by Zoom could indicate malicious exploitation or misuse of the application. If confirmed malicious, this could lead to unauthorized code execution, data exfiltration, or further compromise of the endpoint.", "references": [], "tags": {"analytic_story": ["Suspicious Zoom Child Processes"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker", "Child Process"]}], "message": "Child process $process_name$ with $process_id$ spawned by zoom.exe or zoom.us which has not been previously on host $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime values(Processes.parent_process_name) as parent_process_name values(Processes.parent_process_id) as parent_process_id values(Processes.process_name) as process_name values(Processes.process) as process from datamodel=Endpoint.Processes where (Processes.parent_process_name=zoom.exe OR Processes.parent_process_name=zoom.us) by Processes.process_id Processes.dest | `drop_dm_object_name(Processes)` | lookup zoom_first_time_child_process dest as dest process_name as process_name OUTPUT firstTimeSeen | where isnull(firstTimeSeen) OR firstTimeSeen > relative_time(now(), \"`previously_seen_zoom_child_processes_window`\") | `security_content_ctime(firstTime)` | table firstTime dest, process_id, process_name, parent_process_id, parent_process_name |`first_time_seen_child_process_of_zoom_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "A new child process of zoom isn't malicious by that fact alone. Further investigation of the actions of the child process is needed to verify any malicious behavior is taken.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "previously_seen_zoom_child_processes_window", "definition": "\"-70m@m\"", "description": "Use this macro to determine how far back you should be checking for new zoom child processes"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "first_time_seen_child_process_of_zoom_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "zoom_first_time_child_process", "description": "A list of suspicious file names", "collection": "zoom_first_time_child_process", "case_sensitive_match": null, "fields_list": "_key, dest, process_name, firstTimeSeen, lastTimeSeen"}]}, {"name": "First Time Seen Running Windows Service", "author": "David Dorsey, Splunk", "date": "2024-05-21", "version": 5, "id": "823136f2-d755-4b6d-ae04-372b486a5808", "description": "The following analytic detects the first occurrence of a Windows service running in your environment. It leverages Windows system event logs, specifically EventCode 7036, to identify services entering the \"running\" state. This activity is significant because the appearance of a new or previously unseen service could indicate the installation of unauthorized or malicious software. If confirmed malicious, this activity could allow an attacker to execute arbitrary code, maintain persistence, or escalate privileges within the environment. Monitoring for new services helps in early detection of potential threats.", "references": [], "tags": {"analytic_story": ["NOBELIUM Group", "Orangeworm Attack Group", "Windows Service Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}]}, "type": "Anomaly", "search": "`wineventlog_system` EventCode=7036 | rex field=Message \"The (?[-\\(\\)\\s\\w]+) service entered the (?\\w+) state\" | where state=\"running\" | lookup previously_seen_running_windows_services service as service OUTPUT firstTimeSeen | where isnull(firstTimeSeen) OR firstTimeSeen > relative_time(now(), `previously_seen_windows_services_window`) | table _time dest service | `first_time_seen_running_windows_service_filter`", "how_to_implement": "While this search does not require you to adhere to Splunk CIM, you must be ingesting your Windows system event logs in order for this search to execute successfully. You should run the baseline search `Previously Seen Running Windows Services - Initial` to build the initial table of child processes and hostnames for this search to work. You should also schedule at the same interval as this search the second baseline search `Previously Seen Running Windows Services - Update` to keep this table up to date and to age out old Windows Services. Please update the `previously_seen_windows_services_window` macro to adjust the time window. Please ensure that the Splunk Add-on for Microsoft Windows is version 8.0.0 or above.", "known_false_positives": "A previously unseen service is not necessarily malicious. Verify that the service is legitimate and that was installed by a legitimate process.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "previously_seen_windows_services_window", "definition": "\"-70m@m\"", "description": "Use this macro to determine how far back you should be checking for new Windows services"}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "first_time_seen_running_windows_service_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_running_windows_services", "description": "A placeholder for the list of Windows Services running", "collection": "previously_seen_running_windows_services", "case_sensitive_match": null, "fields_list": "_key, service, firstTimeSeen, lastTimeSeen"}]}, {"name": "FodHelper UAC Bypass", "author": "Michael Haag, Splunk", "date": "2023-11-07", "version": 2, "id": "909f8fd8-7ac8-11eb-a1f3-acde48001122", "description": "Fodhelper.exe has a known UAC bypass as it attempts to look for specific registry keys upon execution, that do not exist. Therefore, an attacker can write its malicious commands in these registry keys to be executed by fodhelper.exe with the highest privilege.\n* `HKCU:\\Software\\Classes\\ms-settings\\shell\\open\\command`\n* `HKCU:\\Software\\Classes\\ms-settings\\shell\\open\\command\\DelegateExecute`\n* `HKCU:\\Software\\Classes\\ms-settings\\shell\\open\\command\\(default)`\nUpon triage, fodhelper.exe will have a child process and read access will occur on the registry keys. Isolate the endpoint and review parallel processes for additional behavior.", "references": ["https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md", "https://github.com/gushmazuko/WinBypass/blob/master/FodhelperBypass.ps1", "https://attack.mitre.org/techniques/T1548/002/"], "tags": {"analytic_story": ["IcedID", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Attacker"]}], "message": "Suspicious registy keys added by process fodhelper.exe with a parent_process of $parent_process_name$ that has been executed on $dest$ by $user$.", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=fodhelper.exe by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `fodhelper_uac_bypass_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited to no false positives are expected.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "fodhelper_uac_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Fsutil Zeroing File", "author": "Teoderick Contreras, Splunk", "date": "2021-08-11", "version": 1, "id": "4e5e024e-fabb-11eb-8b8f-acde48001122", "description": "This search is to detect a suspicious fsutil process to zeroing a target file. This technique was seen in lockbit ransomware where it tries to zero out its malware path as part of its defense evasion after encrypting the compromised host.", "references": ["https://app.any.run/tasks/e0ac072d-58c9-4f53-8a3b-3e491c7ac5db/", "https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/"], "tags": {"analytic_story": ["LockBit Ransomware", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Possible file data deletion on $dest$ using $process$", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=fsutil.exe Processes.process=\"*setzerodata*\" by Processes.user Processes.process_name Processes.parent_process_name Processes.dest Processes.process Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `fsutil_zeroing_file_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "fsutil_zeroing_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Get ADDefaultDomainPasswordPolicy with Powershell", "author": "Teoderick Contreras, Splunk", "date": "2021-08-26", "version": 1, "id": "36e46ebe-065a-11ec-b4c7-acde48001122", "description": "This analytic looks for the execution of `powershell.exe` executing the Get-ADDefaultDomainPasswordPolicy commandlet used to obtain the password policy in a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery.", "references": ["https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet", "https://attack.mitre.org/techniques/T1201/", "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy?view=windowsserver2019-ps"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "message": "an instance of process $process_name$ with commandline $process$ in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1201", "mitre_attack_technique": "Password Policy Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "OilRig", "Turla"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"cmd.exe\" OR Processes.process_name=\"powershell*\") AND Processes.process = \"*Get-ADDefaultDomainPasswordPolicy*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_addefaultdomainpasswordpolicy_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "get_addefaultdomainpasswordpolicy_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Get ADDefaultDomainPasswordPolicy with Powershell Script Block", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2022-03-22", "version": 2, "id": "1ff7ccc8-065a-11ec-91e4-acde48001122", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-ADDefaultDomainPasswordPolicy` commandlet used to obtain the password policy in a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery.", "references": ["https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet", "https://attack.mitre.org/techniques/T1201/", "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy?view=windowsserver2019-ps"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Powershell process having commandline \"Get-ADDefaultDomainPasswordPolicy\" to query domain password policy on $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1201", "mitre_attack_technique": "Password Policy Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "OilRig", "Turla"]}]}, "type": "Hunting", "search": "`powershell` EventCode=4104 ScriptBlockText =\"*Get-ADDefaultDomainPasswordPolicy*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_addefaultdomainpasswordpolicy_with_powershell_script_block_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "get_addefaultdomainpasswordpolicy_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Get ADUser with PowerShell", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2023-12-27", "version": 1, "id": "0b6ee3f4-04e3-11ec-a87d-acde48001122", "description": "This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to enumerate domain users. The `Get-AdUser' commandlet returns a list of all domain users. Red Teams and adversaries alike may use this commandlet to identify remote systems for situational awareness and Active Directory Discovery.", "references": ["https://www.blackhillsinfosec.com/red-blue-purple/", "https://attack.mitre.org/techniques/T1087/002/", "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-aduser?view=windowsserver2019-ps"], "tags": {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "message": "an instance of process $process_name$ with commandline $process$ in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT41", "BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Scattered Spider", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"cmd.exe\" OR Processes.process_name=\"powershell*\") AND Processes.process = \"*Get-ADUser*\" AND Processes.process = \"*-filter*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_aduser_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "get_aduser_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Get ADUser with PowerShell Script Block", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2023-12-27", "version": 2, "id": "21432e40-04f4-11ec-b7e6-acde48001122", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-AdGUser` commandlet. The `Get-AdUser` commandlet is used to return a list of all domain users. Red Teams and adversaries may leverage this commandlet to enumerate domain groups for situational awareness and Active Directory Discovery.", "references": ["https://www.blackhillsinfosec.com/red-blue-purple/", "https://attack.mitre.org/techniques/T1087/002/", "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-aduser?view=windowsserver2019-ps"], "tags": {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Powershell process having commandline \"get-aduser\" for user enumeration on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT41", "BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Scattered Spider", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}]}, "type": "Hunting", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*get-aduser*\" ScriptBlockText = \"*-filter*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_aduser_with_powershell_script_block_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "get_aduser_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Get ADUserResultantPasswordPolicy with Powershell", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2023-12-27", "version": 1, "id": "8b5ef342-065a-11ec-b0fc-acde48001122", "description": "This analytic looks for the execution of `powershell.exe` executing the Get ADUserResultantPasswordPolicy commandlet used to obtain the password policy in a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery.", "references": ["https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet", "https://attack.mitre.org/techniques/T1201/", "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-aduserresultantpasswordpolicy?view=windowsserver2019-ps"], "tags": {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "message": "an instance of process $process_name$ with commandline $process$ in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1201", "mitre_attack_technique": "Password Policy Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "OilRig", "Turla"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"cmd.exe\" OR Processes.process_name=\"powershell*\") AND Processes.process = \"*Get-ADUserResultantPasswordPolicy*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_aduserresultantpasswordpolicy_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "get_aduserresultantpasswordpolicy_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Get ADUserResultantPasswordPolicy with Powershell Script Block", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2023-12-27", "version": 3, "id": "737e1eb0-065a-11ec-921a-acde48001122", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-ADUserResultantPasswordPolicy` commandlet used to obtain the password policy in a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery.", "references": ["https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet", "https://attack.mitre.org/techniques/T1201/", "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-aduserresultantpasswordpolicy?view=windowsserver2019-ps"], "tags": {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "powershell process having commandline to query domain user password policy detected on host - $dest$.", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1201", "mitre_attack_technique": "Password Policy Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "OilRig", "Turla"]}]}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText=\"*Get-ADUserResultantPasswordPolicy*\" | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_aduserresultantpasswordpolicy_with_powershell_script_block_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "get_aduserresultantpasswordpolicy_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Get DomainPolicy with Powershell", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2021-08-26", "version": 1, "id": "b8f9947e-065a-11ec-aafb-acde48001122", "description": "This analytic looks for the execution of `powershell.exe` executing the `Get-DomainPolicy` commandlet used to obtain the password policy in a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery.", "references": ["https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet", "https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainPolicy/", "https://attack.mitre.org/techniques/T1201/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "message": "an instance of process $process_name$ with commandline $process$ in $dest$", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1201", "mitre_attack_technique": "Password Policy Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "OilRig", "Turla"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"cmd.exe\" OR Processes.process_name=\"powershell*\") AND Processes.process = \"*Get-DomainPolicy*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domainpolicy_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "get_domainpolicy_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Get DomainPolicy with Powershell Script Block", "author": "Teoderick Contreras, Splunk", "date": "2022-05-02", "version": 2, "id": "a360d2b2-065a-11ec-b0bf-acde48001122", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get DomainPolicy` commandlet used to obtain the password policy in a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery.", "references": ["https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet", "https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainPolicy/", "https://attack.mitre.org/techniques/T1201/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "UserID", "type": "User", "role": ["Victim"]}], "message": "powershell process having commandline $ScriptBlockText$ to query domain policy.", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1201", "mitre_attack_technique": "Password Policy Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "OilRig", "Turla"]}]}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText =\"*Get-DomainPolicy*\" | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domainpolicy_with_powershell_script_block_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "get_domainpolicy_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Get-DomainTrust with PowerShell", "author": "Michael Haag, Splunk", "date": "2021-08-24", "version": 1, "id": "4fa7f846-054a-11ec-a836-acde48001122", "description": "This analytic identifies Get-DomainTrust from PowerView in order to gather domain trust information. Typically, this is utilized within a script being executed and used to enumerate the domain trust information. This grants the adversary an understanding of how large or small the domain is. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity.", "references": ["https://blog.harmj0y.net/redteaming/a-guide-to-attacking-domain-trusts/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Suspicious PowerShell Get-DomainTrust was identified on endpoint $dest$ by user $user$.", "risk_score": 12, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Akira", "Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=*get-domaintrust* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domaintrust_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives as this requires an active Administrator or adversary to bring in, import, and execute.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "get_domaintrust_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Get-DomainTrust with PowerShell Script Block", "author": "Michael Haag, Splunk", "date": "2022-05-02", "version": 2, "id": "89275e7e-0548-11ec-bf75-acde48001122", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all.\n\nThis analytic identifies Get-DomainTrust from PowerView in order to gather domain trust information.\nDuring triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.", "references": ["https://blog.harmj0y.net/redteaming/a-guide-to-attacking-domain-trusts/", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Suspicious PowerShell Get-DomainTrust was identified on endpoint $dest$ by user $user$.", "risk_score": 12, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Akira", "Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}]}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*get-domaintrust*\" | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domaintrust_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "It is possible certain system management frameworks utilize this command to gather trust information.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "get_domaintrust_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Get DomainUser with PowerShell", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2023-12-27", "version": 1, "id": "9a5a41d6-04e7-11ec-923c-acde48001122", "description": "This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to enumerate domain users. `Get-DomainUser` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may leverage PowerView to enumerate domain users for situational awareness and Active Directory Discovery.", "references": ["https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainUser/"], "tags": {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "message": "an instance of process $process_name$ with commandline $process$ in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT41", "BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Scattered Spider", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"cmd.exe\" OR Processes.process_name=\"powershell*\") AND Processes.process = \"*Get-DomainUser*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domainuser_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "get_domainuser_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Get DomainUser with PowerShell Script Block", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2023-12-27", "version": 3, "id": "61994268-04f4-11ec-865c-acde48001122", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainUser` commandlet. `GetDomainUser` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may use PowerView to enumerate domain users for situational awareness and Active Directory Discovery.", "references": ["https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainUser/"], "tags": {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Powershell process having commandline \"*Get-DomainUser*\" for user enumeration on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT41", "BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Scattered Spider", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}]}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Get-DomainUser*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domainuser_with_powershell_script_block_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "get_domainuser_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Get-ForestTrust with PowerShell", "author": "Michael Haag, Splunk", "date": "2021-09-02", "version": 1, "id": "584f4884-0bf1-11ec-a5ec-acde48001122", "description": "This analytic identifies Get-ForestTrust from PowerSploit in order to gather domain trust information. Typically, this is utilized within a script being executed and used to enumerate the domain trust information. This grants the adversary an understanding of how large or small the domain is. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity.", "references": ["https://powersploit.readthedocs.io/en/latest/Recon/Get-ForestTrust/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Suspicious PowerShell Get-ForestTrust was identified on endpoint $dest$ by user $user$.", "risk_score": 12, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Akira", "Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=powershell.exe OR Processes.process_name=cmd.exe Processes.process=*get-foresttrust* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_foresttrust_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives as this requires an active Administrator or adversary to bring in, import, and execute.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "get_foresttrust_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Get-ForestTrust with PowerShell Script Block", "author": "Michael Haag, Splunk", "date": "2022-02-24", "version": 2, "id": "70fac80e-0bf1-11ec-9ba0-acde48001122", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all.\n\nThis analytic identifies Get-ForestTrust from PowerSploit in order to gather domain trust information.\nDuring triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.", "references": ["https://powersploit.readthedocs.io/en/latest/Recon/Get-ForestTrust/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Suspicious PowerShell Get-ForestTrust was identified on endpoint $dest$ by user $user$.", "risk_score": 12, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Akira", "Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*get-foresttrust*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_foresttrust_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives may be present. Tune as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "get_foresttrust_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Get WMIObject Group Discovery", "author": "Michael Haag, Splunk", "date": "2021-09-14", "version": 1, "id": "5434f670-155d-11ec-8cca-acde48001122", "description": "The following hunting analytic identifies the use of `Get-WMIObject Win32_Group` being used with PowerShell to identify local groups on the endpoint. \\ Typically, by itself, is not malicious but may raise suspicion based on time of day, endpoint and username. \\ During triage, review parallel processes and identify any further suspicious behavior.", "references": ["https://attack.mitre.org/techniques/T1069/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "System group discovery on $dest$ by $user$.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=powershell.exe OR processes.process_name=cmd.exe) (Processes.process=\"*Get-WMIObject*\" AND Processes.process=\"*Win32_Group*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `get_wmiobject_group_discovery_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present. Tune as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "get_wmiobject_group_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Get WMIObject Group Discovery with Script Block Logging", "author": "Michael Haag, Splunk", "date": "2022-03-22", "version": 2, "id": "69df7f7c-155d-11ec-a055-acde48001122", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all.\n\nThis analytic identifies the usage of `Get-WMIObject Win32_Group`, which is typically used as a way to identify groups on the endpoint. Typically, by itself, is not malicious but may raise suspicion based on time of day, endpoint and username.\nDuring triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.", "references": ["https://www.splunk.com/en_us/blog/security/powershell-detections-threat-research-release-august-2021.html", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "System group discovery enumeration on $dest$ by $user$.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}]}, "type": "Hunting", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Get-WMIObject*\" AND ScriptBlockText = \"*Win32_Group*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_wmiobject_group_discovery_with_script_block_logging_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives may be present. Tune as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "get_wmiobject_group_discovery_with_script_block_logging_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GetAdComputer with PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2021-09-07", "version": 1, "id": "c5a31f80-5888-4d81-9f78-1cc65026316e", "description": "This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to discover remote systems. The `Get-AdComputer' commandlet returns a list of all domain computers. Red Teams and adversaries alike may use this commandlet to identify remote systems for situational awareness and Active Directory Discovery.", "references": ["https://attack.mitre.org/techniques/T1018/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Remote system discovery enumeration on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Akira", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Scattered Spider", "Silence", "Threat Group-3390", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*Get-AdComputer*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getadcomputer_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "getadcomputer_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GetAdComputer with PowerShell Script Block", "author": "Mauricio Velazco, Splunk", "date": "2022-05-02", "version": 3, "id": "a9a1da02-8e27-4bf7-a348-f4389c9da487", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-AdGroup` commandlet. The `Get-AdGroup` commandlet is used to return a list of all domain computers. Red Teams and adversaries may leverage this commandlet to enumerate domain computers for situational awareness and Active Directory Discovery.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-adgroup?view=windowsserver2019-ps"], "tags": {"analytic_story": ["Active Directory Discovery", "CISA AA22-320A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "message": "Remote system discovery enumeration on $Computer$ by $UserID$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Akira", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Scattered Spider", "Silence", "Threat Group-3390", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}]}, "type": "Hunting", "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*Get-AdComputer*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `getadcomputer_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "getadcomputer_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GetAdGroup with PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2021-08-25", "version": 1, "id": "872e3063-0fc4-4e68-b2f3-f2b99184a708", "description": "This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for domain groups. The `Get-AdGroup` commandlnet is used to return a list of all groups available in a Windows Domain. Red Teams and adversaries alike may leverage this commandlet to enumerate domain groups for situational awareness and Active Directory Discovery.", "references": ["https://attack.mitre.org/techniques/T1069/002/", "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-adgroup?view=windowsserver2019-ps"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Domain group discovery enumeration on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "FIN7", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "ToddyCat", "Turla", "Volt Typhoon"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*Get-AdGroup*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getadgroup_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "getadgroup_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GetAdGroup with PowerShell Script Block", "author": "Mauricio Velazco, Splunk", "date": "2022-03-22", "version": 2, "id": "e4c73d68-794b-468d-b4d0-dac1772bbae7", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-AdGroup` commandlet. The `Get-AdGroup` commandlet is used to return a list of all domain groups. Red Teams and adversaries may leverage this commandlet to enumerate domain groups for situational awareness and Active Directory Discovery.", "references": ["https://attack.mitre.org/techniques/T1069/002/", "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-adgroup?view=windowsserver2019-ps"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Domain group discovery enumeration using PowerShell on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "FIN7", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "ToddyCat", "Turla", "Volt Typhoon"]}]}, "type": "Hunting", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Get-ADGroup*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getadgroup_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "getadgroup_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GetCurrent User with PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2021-09-13", "version": 1, "id": "7eb9c3d5-c98c-4088-acc5-8240bad15379", "description": "This analytic looks for the execution of `powerhsell.exe` with command-line arguments that execute the `GetCurrent` method of the WindowsIdentity .NET class. This method returns an object that represents the current Windows user. Red Teams and adversaries may leverage this method to identify the logged user on a compromised endpoint for situational awareness and Active Directory Discovery.", "references": ["https://attack.mitre.org/techniques/T1033/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "System user discovery on $dest$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*System.Security.Principal.WindowsIdentity* OR Processes.process=*GetCurrent()*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getcurrent_user_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "getcurrent_user_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GetCurrent User with PowerShell Script Block", "author": "Mauricio Velazco, Splunk", "date": "2022-03-22", "version": 2, "id": "80879283-c30f-44f7-8471-d1381f6d437a", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `GetCurrent` method of the WindowsIdentity .NET class. This method returns an object that represents the current Windows user. Red Teams and adversaries may leverage this method to identify the logged user on a compromised endpoint for situational awareness and Active Directory Discovery.", "references": ["https://attack.mitre.org/techniques/T1033/", "https://docs.microsoft.com/en-us/dotnet/api/system.security.principal.windowsidentity.getcurrent?view=net-6.0&viewFallbackFrom=net-5.0"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "System user discovery on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}]}, "type": "Hunting", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*[System.Security.Principal.WindowsIdentity]*\" ScriptBlockText = \"*GetCurrent()*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getcurrent_user_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "getcurrent_user_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GetDomainComputer with PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2021-09-07", "version": 1, "id": "ed550c19-712e-43f6-bd19-6f58f61b3a5e", "description": "This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to discover remote systems. `Get-DomainComputer` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may leverage PowerView to enumerate domain groups for situational awareness and Active Directory Discovery.", "references": ["https://attack.mitre.org/techniques/T1018/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Remote system discovery enumeration on $dest$ by $user$", "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Akira", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Scattered Spider", "Silence", "Threat Group-3390", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*Get-DomainComputer*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getdomaincomputer_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use PowerView for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "getdomaincomputer_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GetDomainComputer with PowerShell Script Block", "author": "Mauricio Velazco, Splunk", "date": "2022-05-02", "version": 2, "id": "f64da023-b988-4775-8d57-38e512beb56e", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainComputer` commandlet. `GetDomainComputer` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may use PowerView to enumerate domain computers for situational awareness and Active Directory Discovery.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainComputer/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Remote system discovery with PowerView on $dest$ by $user$", "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Akira", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Scattered Spider", "Silence", "Threat Group-3390", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*Get-DomainComputer*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `getdomaincomputer_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use PowerView for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "getdomaincomputer_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GetDomainController with PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2021-09-07", "version": 1, "id": "868ee0e4-52ab-484a-833a-6d85b7c028d0", "description": "This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to discover remote systems. `Get-DomainController` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may leverage PowerView to enumerate domain groups for situational awareness and Active Directory Discovery.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainController/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Remote system discovery using PowerView on $dest$ by $user$", "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Akira", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Scattered Spider", "Silence", "Threat Group-3390", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*Get-DomainController*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getdomaincontroller_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use PowerView for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "getdomaincontroller_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GetDomainController with PowerShell Script Block", "author": "Mauricio Velazco, Splunk", "date": "2022-05-02", "version": 2, "id": "676b600a-a94d-4951-b346-11329431e6c1", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainController` commandlet. `Get-DomainController` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may use PowerView to enumerate domain computers for situational awareness and Active Directory Discovery.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainController/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "message": "Remote system discovery with PowerView on $Computer$ by $UserID$", "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Akira", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Scattered Spider", "Silence", "Threat Group-3390", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*Get-DomainController*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `getdomaincontroller_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "getdomaincontroller_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GetDomainGroup with PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2021-08-25", "version": 1, "id": "93c94be3-bead-4a60-860f-77ca3fe59903", "description": "This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for domain groups. `Get-DomainGroup` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may leverage PowerView to enumerate domain groups for situational awareness and Active Directory Discovery.", "references": ["https://attack.mitre.org/techniques/T1069/002/", "https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainGroup/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Domain group discovery with PowerView on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "FIN7", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "ToddyCat", "Turla", "Volt Typhoon"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*Get-DomainGroup*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getdomaingroup_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "getdomaingroup_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GetDomainGroup with PowerShell Script Block", "author": "Mauricio Velazco, Splunk", "date": "2022-05-02", "version": 2, "id": "09725404-a44f-4ed3-9efa-8ed5d69e4c53", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainGroup` commandlet. `Get-DomainGroup` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. As the name suggests, `Get-DomainGroup` is used to query domain groups. Red Teams and adversaries may leverage this function to enumerate domain groups for situational awareness and Active Directory Discovery.", "references": ["https://attack.mitre.org/techniques/T1069/002/", "https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainGroup/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "message": "Domain group discovery enumeration using PowerView on $Computer$ by $UserID$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "FIN7", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "ToddyCat", "Turla", "Volt Typhoon"]}]}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*Get-DomainGroup*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `getdomaingroup_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerView functions for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "getdomaingroup_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GetLocalUser with PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2021-08-23", "version": 1, "id": "85fae8fa-0427-11ec-8b78-acde48001122", "description": "This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for local users. The `Get-LocalUser` commandlet is used to return a list of all local users. Red Teams and adversaries may leverage this commandlet to enumerate users for situational awareness and Active Directory Discovery.", "references": ["https://attack.mitre.org/techniques/T1087/001/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Local user discovery enumeration using PowerShell on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT41", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*Get-LocalUser*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getlocaluser_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "getlocaluser_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GetLocalUser with PowerShell Script Block", "author": "Mauricio Velazco, Splunk", "date": "2022-03-22", "version": 2, "id": "2e891cbe-0426-11ec-9c9c-acde48001122", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-LocalUser` commandlet. The `Get-LocalUser` commandlet is used to return a list of all local users. Red Teams and adversaries may leverage this commandlet to enumerate users for situational awareness and Active Directory Discovery.", "references": ["https://attack.mitre.org/techniques/T1087/001/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html"], "tags": {"analytic_story": ["Active Directory Discovery", "Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "message": "Local user discovery enumeration using PowerShell on $Computer$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT41", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}]}, "type": "Hunting", "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*Get-LocalUser*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getlocaluser_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "getlocaluser_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GetNetTcpconnection with PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2021-08-25", "version": 1, "id": "e02af35c-1de5-4afe-b4be-f45aba57272b", "description": "This analytic looks for the execution of `powershell.exe` with command-line utilized to get a listing of network connections on a compromised system. The `Get-NetTcpConnection` commandlet lists the current TCP connections. Red Teams and adversaries alike may use this commandlet for situational awareness and Active Directory Discovery.", "references": ["https://attack.mitre.org/techniques/T1049/", "https://docs.microsoft.com/en-us/powershell/module/nettcpip/get-nettcpconnection?view=windowsserver2019-ps"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Network Connection discovery on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "APT5", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*Get-NetTcpConnection*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getnettcpconnection_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "getnettcpconnection_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GetNetTcpconnection with PowerShell Script Block", "author": "Mauricio Velazco, Splunk", "date": "2022-04-02", "version": 2, "id": "091712ff-b02a-4d43-82ed-34765515d95d", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-NetTcpconnection ` commandlet. This commandlet is used to return a listing of network connections on a compromised system. Red Teams and adversaries alike may use this commandlet for situational awareness and Active Directory Discovery.", "references": ["https://attack.mitre.org/techniques/T1049/", "https://docs.microsoft.com/en-us/powershell/module/nettcpip/get-nettcpconnection?view=windowsserver2019-ps"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "message": "Network Connection discovery on $Computer$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "APT5", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}]}, "type": "Hunting", "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*Get-NetTcpconnection*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `getnettcpconnection_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "getnettcpconnection_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GetWmiObject Ds Computer with PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2021-09-07", "version": 1, "id": "7141122c-3bc2-4aaa-ab3b-7a85a0bbefc3", "description": "This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to discover remote systems. The `Get-WmiObject` commandlet combined with the `DS_Computer` parameter can be used to return a list of all domain computers. Red Teams and adversaries alike may leverage WMI in this case, using PowerShell, to enumerate domain groups for situational awareness and Active Directory Discovery.", "references": ["https://attack.mitre.org/techniques/T1018/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Remote system discovery enumeration using WMI on $dest$ by $user$", "risk_score": 21, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Akira", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Scattered Spider", "Silence", "Threat Group-3390", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*Get-WmiObject* AND Processes.process=\"*namespace root\\\\directory\\\\ldap*\" AND Processes.process=\"*class ds_computer*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getwmiobject_ds_computer_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "getwmiobject_ds_computer_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GetWmiObject Ds Computer with PowerShell Script Block", "author": "Mauricio Velazco, Splunk", "date": "2022-05-02", "version": 2, "id": "29b99201-723c-4118-847a-db2b3d3fb8ea", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-WmiObject` commandlet. The `DS_Computer` class parameter leverages WMI to query for all domain computers. Red Teams and adversaries may leverage this commandlet to enumerate domain computers for situational awareness and Active Directory Discovery.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "message": "Remote system discovery enumeration on $Computer$ by $UserID$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Akira", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Scattered Spider", "Silence", "Threat Group-3390", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText=*Get-WmiObject* AND ScriptBlockText=\"*namespace root\\\\directory\\\\ldap*\" AND ScriptBlockText=\"*class ds_computer*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `getwmiobject_ds_computer_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "getwmiobject_ds_computer_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GetWmiObject Ds Group with PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2021-08-25", "version": 1, "id": "df275a44-4527-443b-b884-7600e066e3eb", "description": "This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for domain groups. The `Get-WmiObject` commandlet combined with the `-class ds_group` parameter can be used to return the full list of groups in a Windows domain. Red Teams and adversaries alike may leverage WMI in this case, using PowerShell, to enumerate domain groups for situational awareness and Active Directory Discovery.", "references": ["https://attack.mitre.org/techniques/T1069/002/", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Domain group discovery enumeration on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "FIN7", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "ToddyCat", "Turla", "Volt Typhoon"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*Get-WmiObject* AND Processes.process=\"*namespace root\\\\directory\\\\ldap*\" AND Processes.process=\"*class ds_group*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getwmiobject_ds_group_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "getwmiobject_ds_group_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GetWmiObject Ds Group with PowerShell Script Block", "author": "Mauricio Velazco, Splunk", "date": "2022-05-02", "version": 2, "id": "67740bd3-1506-469c-b91d-effc322cc6e5", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-WmiObject` commandlet used with specific parameters . The `DS_Group` parameter leverages WMI to query for all domain groups. Red Teams and adversaries may leverage this commandlet to enumerate domain groups for situational awareness and Active Directory Discovery.", "references": ["https://attack.mitre.org/techniques/T1069/002/", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Domain group discovery enumeration using PowerShell on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "FIN7", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "ToddyCat", "Turla", "Volt Typhoon"]}]}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText=*Get-WmiObject* AND ScriptBlockText=\"*namespace root\\\\directory\\\\ldap*\" AND ScriptBlockText=\"*class ds_group*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|`getwmiobject_ds_group_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "getwmiobject_ds_group_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GetWmiObject DS User with PowerShell", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2021-08-24", "version": 1, "id": "22d3b118-04df-11ec-8fa3-acde48001122", "description": "This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for domain users. The `Get-WmiObject` commandlet combined with the `-class ds_user` parameter can be used to return the full list of users in a Windows domain. Red Teams and adversaries alike may leverage WMI in this case, using PowerShell, to enumerate domain users for situational awareness and Active Directory Discovery.", "references": ["https://jpcertcc.github.io/ToolAnalysisResultSheet/details/dsquery.htm"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "message": "an instance of process $process_name$ with commandline $process$ in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT41", "BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Scattered Spider", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"cmd.exe\" OR Processes.process_name=\"powershell*\") AND Processes.process = \"*get-wmiobject*\" AND Processes.process = \"*ds_user*\" AND Processes.process = \"*root\\\\directory\\\\ldap*\" AND Processes.process = \"*-namespace*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getwmiobject_ds_user_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "getwmiobject_ds_user_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GetWmiObject DS User with PowerShell Script Block", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2023-11-07", "version": 3, "id": "fabd364e-04f3-11ec-b34b-acde48001122", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-WmiObject` commandlet. The `DS_User` class parameter leverages WMI to query for all domain users. Red Teams and adversaries may leverage this commandlet to enumerate domain users for situational awareness and Active Directory Discovery.", "references": ["https://www.blackhillsinfosec.com/red-blue-purple/", "https://docs.microsoft.com/en-us/windows/win32/wmisdk/describing-the-ldap-namespace"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "powershell process having commandline for user enumeration detected on host - $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT41", "BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Scattered Spider", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}]}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*get-wmiobject*\" ScriptBlockText = \"*ds_user*\" ScriptBlockText = \"*-namespace*\" ScriptBlockText = \"*root\\\\directory\\\\ldap*\" | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getwmiobject_ds_user_with_powershell_script_block_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "getwmiobject_ds_user_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GetWmiObject User Account with PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2023-04-05", "version": 1, "id": "b44f6ac6-0429-11ec-87e9-acde48001122", "description": "This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query local users. The `Get-WmiObject` commandlet combined with the `Win32_UserAccount` parameter is used to return a list of all local users. Red Teams and adversaries may leverage this commandlet to enumerate users for situational awareness and Active Directory Discovery.", "references": ["https://attack.mitre.org/techniques/T1087/001/"], "tags": {"analytic_story": ["Active Directory Discovery", "Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Local user discovery enumeration using PowerShell on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT41", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*Get-WmiObject* AND Processes.process=*Win32_UserAccount*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getwmiobject_user_account_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "getwmiobject_user_account_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GetWmiObject User Account with PowerShell Script Block", "author": "Mauricio Velazco, Splunk", "date": "2023-04-05", "version": 2, "id": "640b0eda-0429-11ec-accd-acde48001122", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-WmiObject` commandlet used with specific parameters. The `Win32_UserAccount` parameter is used to return a list of all local users. Red Teams and adversaries may leverage this commandlet to enumerate users for situational awareness and Active Directory Discovery.", "references": ["https://attack.mitre.org/techniques/T1087/001/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html"], "tags": {"analytic_story": ["Active Directory Discovery", "Malicious PowerShell", "Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "message": "Local user discovery enumeration using PowerShell on $Computer$ by $UserID$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT41", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}]}, "type": "Hunting", "search": "`powershell` EventCode=4104 (ScriptBlockText=\"*Get-WmiObject*\" AND ScriptBlockText=\"*Win32_UserAccount*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `getwmiobject_user_account_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "getwmiobject_user_account_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GPUpdate with no Command Line Arguments with Network", "author": "Michael Haag, Splunk", "date": "2023-07-10", "version": 2, "id": "2c853856-a140-11eb-a5b5-acde48001122", "description": "The following analytic identifies gpupdate.exe with no command line arguments and with a network connection. It is unusual for gpupdate.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, triage any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. gpupdate.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", "references": ["https://raw.githubusercontent.com/xx0hcd/Malleable-C2-Profiles/0ef8cf4556e26f6d4190c56ba697c2159faa5822/crimeware/trick_ryuk.profile", "https://www.cobaltstrike.com/blog/learn-pipe-fitting-for-all-of-your-offense-projects/"], "tags": {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process", "Attacker"]}, {"name": "C2", "type": "IP Address", "role": ["Attacker"]}], "message": "Process gpupdate.exe with parent_process $parent_process_name$ is executed on $dest$ by user $user$, followed by an outbound network connection to $C2$ on port $dest_port$. This behaviour is seen with cobaltstrike.", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=gpupdate.exe by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(gpupdate\\.exe.{0,4}$)\"| join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as C2 ] | table _time user dest parent_process_name process_name process_path process process_id dest_port C2 | `gpupdate_with_no_command_line_arguments_with_network_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives may be present in small environments. Tuning may be required based on parent process.", "datamodel": ["Endpoint", "Network_Traffic"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "gpupdate_with_no_command_line_arguments_with_network_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Headless Browser Mockbin or Mocky Request", "author": "Michael Haag, Splunk", "date": "2023-09-11", "version": 1, "id": "94fc85a1-e55b-4265-95e1-4b66730e05c0", "description": "The following analytic identifies headless browser activity accessing mockbin.org or mocky.io. Mockbin.org and mocky.io are web services that allow users to mock HTTP requests and responses. The detection is based on the presence of \"--headless\" and \"--disable-gpu\" command line arguments which are commonly used in headless browsing and the presence of mockbin.org or mocky.io in the process.", "references": ["https://mockbin.org/", "https://www.mocky.io/"], "tags": {"analytic_story": ["Forest Blizzard"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Headless browser activity accessing mockbin.org or mocky.io detected on $dest$ by $user$.", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1564.003", "mitre_attack_technique": "Hidden Window", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "CopyKittens", "DarkHydrus", "Deep Panda", "Gamaredon Group", "Gorgon Group", "Higaisa", "Kimsuky", "Magic Hound", "Nomadic Octopus", "ToddyCat"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process=\"*--headless*\" AND Processes.process=\"*--disable-gpu*\" AND (Processes.process=\"*mockbin.org/*\" OR Processes.process=\"*mocky.io/*\")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `headless_browser_mockbin_or_mocky_request_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives are not expected with this detection, unless within the organization there is a legitimate need for headless browsing accessing mockbin.org or mocky.io.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "headless_browser_mockbin_or_mocky_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Headless Browser Usage", "author": "Michael Haag, Splunk", "date": "2023-09-08", "version": 1, "id": "869ba261-c272-47d7-affe-5c0aa85c93d6", "description": "The following hunting analytic is designed to detect the usage of headless browsers in an organization. Headless browsers are web browsers without a graphical user interface and are operated via a command line interface or network requests. They are often used for automating tasks but can also be utilized by adversaries for malicious activities such as web scraping, automated testing, and performing actions on web pages without detection. The detection is based on the presence of \"--headless\" and \"--disable-gpu\" command line arguments which are commonly used in headless browsing.", "references": ["https://cert.gov.ua/article/5702579"], "tags": {"analytic_story": ["Forest Blizzard"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Behavior related to headless browser usage detected on $dest$ by $user$.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1564.003", "mitre_attack_technique": "Hidden Window", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "CopyKittens", "DarkHydrus", "Deep Panda", "Gamaredon Group", "Gorgon Group", "Higaisa", "Kimsuky", "Magic Hound", "Nomadic Octopus", "ToddyCat"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process=\"*--headless*\" AND Processes.process=\"*--disable-gpu*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `headless_browser_usage_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "This hunting analytic is meant to assist with baselining and understanding headless browsing in use. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "headless_browser_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Hide User Account From Sign-In Screen", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2023-04-27", "version": 4, "id": "834ba832-ad89-11eb-937d-acde48001122", "description": "This analytic identifies a suspicious registry modification to hide a user account on the Windows Login screen. This technique was seen in some tradecraft where the adversary will create a hidden user account with Admin privileges in login screen to avoid noticing by the user that they already compromise and to persist on that said machine.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"analytic_story": ["Azorult", "Warzone RAT", "Windows Registry Abuse", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "registry_value_name", "type": "Other", "role": ["Attacker"]}], "message": "Suspicious registry modification ($registry_value_name$) which is used go hide a user account on the Windows Login screen detected on $dest$ executed by $user$", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\SpecialAccounts\\\\Userlist*\" AND Registry.registry_value_data = \"0x00000000\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `hide_user_account_from_sign_in_screen_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "Unknown. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "hide_user_account_from_sign_in_screen_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Hiding Files And Directories With Attrib exe", "author": "Bhavin Patel, Splunk", "date": "2024-01-01", "version": 5, "id": "6e5a3ae4-90a3-462d-9aa6-0119f638c0f1", "description": "Attackers leverage an existing Windows binary, attrib.exe, to mark specific as hidden by using specific flags so that the victim does not see the file. The search looks for specific command-line arguments to detect the use of attrib.exe to hide files.", "references": [], "tags": {"analytic_story": ["Azorult", "Windows Defense Evasion Tactics", "Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Attrib.exe with +h flag to hide files on $dest$ executed by $user$ is detected.", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1222.001", "mitre_attack_technique": "Windows File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=attrib.exe (Processes.process=*+h*) by Processes.parent_process_name Processes.process_name Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`| `hiding_files_and_directories_with_attrib_exe_filter` ", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Some applications and users may legitimately use attrib.exe to interact with the files.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "hiding_files_and_directories_with_attrib_exe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "High Frequency Copy Of Files In Network Share", "author": "Teoderick Contreras, Splunk", "date": "2024-04-26", "version": 2, "id": "40925f12-4709-11ec-bb43-acde48001122", "description": "This analytic is to detect a suspicious high frequency copying/moving of files in network share as part of information sabotage. This anomaly event can be a good indicator of insider trying to sabotage data by transfering classified or internal files within network share to exfitrate it after or to lure evidence of insider attack to other user. This behavior may catch several noise if network share is a common place for classified or internal document processing.", "references": ["https://attack.mitre.org/techniques/T1537/"], "tags": {"analytic_story": ["Information Sabotage", "Insider Threat"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.AE"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "High frequency copy of document into a network share from $src_ip$ by $src_user$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1537", "mitre_attack_technique": "Transfer Data to Cloud Account", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=5145 RelativeTargetName IN (\"*.doc\",\"*.docx\",\"*.xls\",\"*.xlsx\",\"*.ppt\",\"*.pptx\",\"*.log\",\"*.txt\",\"*.db\",\"*.7z\",\"*.zip\",\"*.rar\",\"*.tar\",\"*.gz\",\"*.jpg\",\"*.gif\",\"*.png\",\"*.bmp\",\"*.pdf\",\"*.rtf\",\"*.key\") ObjectType=File ShareName IN (\"\\\\\\\\*\\\\C$\",\"\\\\\\\\*\\\\IPC$\",\"\\\\\\\\*\\\\admin$\") AccessMask= \"0x2\" | bucket _time span=5m | stats values(RelativeTargetName) as valRelativeTargetName, values(ShareName) as valShareName, values(ObjectType) as valObjectType, values(AccessMask) as valAccessmask, values(src_port) as valSrcPort, values(SourceAddress) as valSrcAddress count as numShareName by dest, _time, EventCode, src_user, src_ip | eventstats avg(numShareName) as avgShareName, stdev(numShareName) as stdShareName, count as numSlots by dest, _time, EventCode, src_user | eval upperThreshold=(avgShareName + stdShareName *3) | eval isOutlier=if(avgShareName > 20 and avgShareName >= upperThreshold, 1, 0) | search isOutlier=1 | `high_frequency_copy_of_files_in_network_share_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 5145 EventCode enabled. The Windows TA is also required. Also enable the object Audit access success/failure in your group policy.", "known_false_positives": "This behavior may seen in normal transfer of file within network if network share is common place for sharing documents.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "high_frequency_copy_of_files_in_network_share_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "High Process Termination Frequency", "author": "Teoderick Contreras", "date": "2022-09-14", "version": 2, "id": "17cd75b2-8666-11eb-9ab4-acde48001122", "description": "This analytic is designed to identify a high frequency of process termination events on a computer in a short period of time, which is a common behavior of ransomware malware before encrypting files. This technique is designed to avoid an exception error while accessing (docs, images, database and etc..) in the infected machine for encryption.", "references": ["https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft", "https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html"], "tags": {"analytic_story": ["BlackByte Ransomware", "Clop Ransomware", "LockBit Ransomware", "Rhysida Ransomware", "Snake Keylogger"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "proc_terminated", "type": "Process", "role": ["Target"]}], "message": "High frequency process termination (more than 15 processes within 3s) detected on host $dest$", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "Akira", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "Scattered Spider", "TA505"]}]}, "type": "Anomaly", "search": "`sysmon` EventCode=5 |bin _time span=3s |stats values(Image) as proc_terminated min(_time) as firstTime max(_time) as lastTime count by _time dest EventCode ProcessID | where count >= 15 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `high_process_termination_frequency_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the Image (process full path of terminated process) from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "admin or user tool that can terminate multiple process.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "high_process_termination_frequency_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Hunting 3CXDesktopApp Software", "author": "Michael Haag, Splunk", "date": "2023-03-30", "version": 1, "id": "553d0429-1a1c-44bf-b3f5-a8513deb9ee5", "description": "The hunting analytic outlined below is designed to detect any version of the 3CXDesktopApp, also known as the 3CX Desktop App, operating on either Mac or Windows systems. It is important to note that this particular analytic employs the Endpoint datamodel Processes node, which means that the file version information is not provided. Recently, 3CX has identified a vulnerability specifically in versions 18.12.407 and 18.12.416 of the desktop app.", "references": ["https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/", "https://www.cisa.gov/news-events/alerts/2023/03/30/supply-chain-attack-against-3cxdesktopapp", "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/", "https://www.3cx.com/community/threads/crowdstrike-endpoint-security-detection-re-3cx-desktop-app.119934/page-2#post-558898", "https://www.3cx.com/community/threads/3cx-desktopapp-security-alert.119951/"], "tags": {"analytic_story": ["3CX Supply Chain Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance $process_name$ was identified on endpoint $dest$.", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1195.002", "mitre_attack_technique": "Compromise Software Supply Chain", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT41", "Cobalt Group", "Dragonfly", "FIN7", "GOLD SOUTHFIELD", "Sandworm Team", "Threat Group-3390"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=3CXDesktopApp.exe OR Processes.process_name=\"3CX Desktop App\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `hunting_3cxdesktopapp_software_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "There may be false positives generated due to the reliance on version numbers for identification purposes. Despite this limitation, the primary goal of this approach is to aid in the detection of the software within the environment.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "hunting_3cxdesktopapp_software_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Icacls Deny Command", "author": "Teoderick Contreras, Splunk", "date": "2023-06-06", "version": 1, "id": "cf8d753e-a8fe-11eb-8f58-acde48001122", "description": "This analytic identifies instances where an adversary modifies the security permissions of a particular file or directory. This technique is frequently observed in the tradecraft of Advanced Persistent Threats (APTs) and coinminer scripts. The purpose of this behavior is to actively evade detection and impede access to their associated files. By identifying these security permission changes, we can enhance our ability to detect and respond to potential threats, mitigating the impact of malicious activities on the system.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"analytic_story": ["Azorult", "Sandworm Tools", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Process name $process_name$ with deny argument executed by $user$ to change security permission of a specific file or directory on host $dest$", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN( \"icacls.exe\", \"cacls.exe\", \"xcacls.exe\") AND Processes.process IN (\"*/deny*\", \"*/D*\") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `icacls_deny_command_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unknown. It is possible some administrative scripts use ICacls. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "icacls_deny_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "ICACLS Grant Command", "author": "Teoderick Contreras, Splunk", "date": "2023-06-06", "version": 1, "id": "b1b1e316-accc-11eb-a9b4-acde48001122", "description": "This analytic identifies adversaries who manipulate the security permissions of specific files or directories by granting additional access. This technique is frequently observed in the tradecraft of Advanced Persistent Threats (APTs) and coinminer scripts. The objective behind this behavior is to actively evade detection mechanisms and tightly control access to their associated files. By identifying these security permission modifications, we can improve our ability to identify and respond to potential threats, thereby minimizing the impact of malicious activities on the system.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"analytic_story": ["Ransomware", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Process name $process_name$ with grant argument executed by $user$ to change security permission of a specific file or directory on host $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN( \"icacls.exe\", \"cacls.exe\", \"xcacls.exe\") AND Processes.process IN (\"*/grant*\", \"*/G*\") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `icacls_grant_command_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unknown. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "icacls_grant_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "IcedID Exfiltrated Archived File Creation", "author": "Teoderick Contreras, Splunk", "date": "2024-05-18", "version": 2, "id": "0db4da70-f14b-11eb-8043-acde48001122", "description": "The following analytic detects the creation of suspicious files named passff.tar and cookie.tar, which are indicative of archived stolen browser information such as history and cookies on a machine compromised with IcedID. It leverages Sysmon EventCode 11 to identify these specific filenames. This activity is significant because it suggests that sensitive browser data has been exfiltrated, which could lead to further exploitation or data breaches. If confirmed malicious, this could allow attackers to access personal information, conduct further phishing attacks, or escalate their presence within the network.", "references": ["https://www.cisecurity.org/insights/white-papers/security-primer-icedid"], "tags": {"analytic_story": ["IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "Process $process_name$ create a file $TargetFilename$ on host $dest$", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "APT5", "Akira", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN13", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}]}, "type": "Hunting", "search": "`sysmon` EventCode= 11 (TargetFilename = \"*\\\\passff.tar\" OR TargetFilename = \"*\\\\cookie.tar\") |stats count min(_time) as firstTime max(_time) as lastTime by TargetFilename EventCode process_id process_name dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `icedid_exfiltrated_archived_file_creation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "icedid_exfiltrated_archived_file_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Impacket Lateral Movement Commandline Parameters", "author": "Mauricio Velazco, Splunk", "date": "2023-06-13", "version": 3, "id": "8ce07472-496f-11ec-ab3b-3e22fbd008af", "description": "This analytic looks for the presence of suspicious commandline parameters typically present when using Impacket tools. Impacket is a collection of python classes meant to be used with Microsoft network protocols. There are multiple scripts that leverage impacket libraries like `wmiexec.py`, `smbexec.py`, `dcomexec.py` and `atexec.py` used to execute commands on remote endpoints. By default, these scripts leverage administrative shares and hardcoded parameters that can be used as a signature to detect its use. Red Teams and adversaries alike may leverage Impackets tools for lateral movement and remote code execution.", "references": ["https://attack.mitre.org/techniques/T1021/002/", "https://attack.mitre.org/techniques/T1021/003/", "https://attack.mitre.org/techniques/T1047/", "https://attack.mitre.org/techniques/T1053/", "https://attack.mitre.org/techniques/T1053/005/", "https://github.com/SecureAuthCorp/impacket", "https://vk9-sec.com/impacket-remote-code-execution-rce-on-windows-from-linux/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "CISA AA22-277A", "Data Destruction", "Graceful Wipe Out Attack", "Industroyer2", "Prestige Ransomware", "Volt Typhoon", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Suspicious command line parameters on $dest$ may represent a lateral movement attack with Impackets tools", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=cmd.exe (Processes.process = \"*/Q /c * \\\\\\\\127.0.0.1\\\\*$*\" AND Processes.process IN (\"*2>&1*\",\"*2>&1*\")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `impacket_lateral_movement_commandline_parameters_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although uncommon, Administrators may leverage Impackets tools to start a process on remote systems for system administration or automation use cases.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "impacket_lateral_movement_commandline_parameters_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "author": "Michael Haag, Splunk", "date": "2023-06-13", "version": 1, "id": "bb3c1bac-6bdf-4aa0-8dc9-068b8b712a76", "description": "This analytic focuses on identifying suspicious command-line parameters commonly associated with the use of Impacket wmiexec.py. Impacket is a set of Python classes designed for working with Microsoft network protocols, and it includes several scripts like wmiexec.py, smbexec.py, dcomexec.py, and atexec.py that enable command execution on remote endpoints. These scripts typically utilize administrative shares and hardcoded parameters, which can serve as signatures to detect their usage. Both Red Teams and adversaries may employ Impacket tools for lateral movement and remote code execution purposes. By monitoring for these specific command-line indicators, the analytic aims to detect potentially malicious activities related to Impacket tool usage.", "references": ["https://attack.mitre.org/techniques/T1021/002/", "https://attack.mitre.org/techniques/T1021/003/", "https://attack.mitre.org/techniques/T1047/", "https://attack.mitre.org/techniques/T1053/", "https://attack.mitre.org/techniques/T1053/005/", "https://github.com/SecureAuthCorp/impacket", "https://vk9-sec.com/impacket-remote-code-execution-rce-on-windows-from-linux/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "CISA AA22-277A", "Data Destruction", "Graceful Wipe Out Attack", "Industroyer2", "Prestige Ransomware", "Volt Typhoon", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Suspicious command-line parameters on $dest$ may represent lateral movement using smbexec.", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=cmd.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | where match(process, \"(?i)cmd\\.exe\\s+\\/Q\\s+\\/c\") AND match(process,\"(?i)echo\\s+cd\") AND match(process, \"(?i)\\\\__output\") AND match(process, \"(?i)C:\\\\\\\\Windows\\\\\\\\[a-zA-Z]{1,8}\\\\.bat\") AND match(process, \"\\\\\\\\127\\.0\\.0\\.1\\\\.*\") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `impacket_lateral_movement_smbexec_commandline_parameters_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although uncommon, Administrators may leverage Impackets tools to start a process on remote systems for system administration or automation use cases.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "impacket_lateral_movement_smbexec_commandline_parameters_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "author": "Michael Haag, Splunk", "date": "2023-06-13", "version": 1, "id": "d6e464e4-5c6a-474e-82d2-aed616a3a492", "description": "This analytic looks for the presence of suspicious commandline parameters typically present when using Impacket tools. Impacket is a collection of python classes meant to be used with Microsoft network protocols. There are multiple scripts that leverage impacket libraries like `wmiexec.py`, `smbexec.py`, `dcomexec.py` and `atexec.py` used to execute commands on remote endpoints. By default, these scripts leverage administrative shares and hardcoded parameters that can be used as a signature to detect its use. Red Teams and adversaries alike may leverage Impackets tools for lateral movement and remote code execution.", "references": ["https://attack.mitre.org/techniques/T1021/002/", "https://attack.mitre.org/techniques/T1021/003/", "https://attack.mitre.org/techniques/T1047/", "https://attack.mitre.org/techniques/T1053/", "https://attack.mitre.org/techniques/T1053/005/", "https://github.com/SecureAuthCorp/impacket", "https://vk9-sec.com/impacket-remote-code-execution-rce-on-windows-from-linux/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "CISA AA22-277A", "Data Destruction", "Graceful Wipe Out Attack", "Industroyer2", "Prestige Ransomware", "Volt Typhoon", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Suspicious command-line parameters on $dest$ may represent lateral movement using wmiexec.", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=wmiprvse.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | where match(process, \"(?i)cmd\\.exe\\s+\\/Q\\s+\\/c\") AND match(process, \"\\\\\\\\127\\.0\\.0\\.1\\\\.*\") AND match(process, \"__\\\\d{1,10}\\\\.\\\\d{1,10}\") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `impacket_lateral_movement_wmiexec_commandline_parameters_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although uncommon, Administrators may leverage Impackets tools to start a process on remote systems for system administration or automation use cases.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "impacket_lateral_movement_wmiexec_commandline_parameters_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Interactive Session on Remote Endpoint with PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2023-11-07", "version": 4, "id": "a4e8f3a4-48b2-11ec-bcfc-3e22fbd008af", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the usage of the `Enter-PSSession`. This commandlet can be used to open an interactive session on a remote endpoint leveraging the WinRM protocol. Red Teams and adversaries alike may abuse WinRM and `Enter-PSSession` for lateral movement and remote code execution.", "references": ["https://attack.mitre.org/techniques/T1021/006/", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enter-pssession?view=powershell-7.2"], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "An interactive session was opened on a remote endpoint from $dest$", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.006", "mitre_attack_technique": "Windows Remote Management", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Chimera", "FIN13", "Threat Group-3390", "Wizard Spider"]}]}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText=\"*Enter-PSSession*\" AND ScriptBlockText=\"*-ComputerName*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `interactive_session_on_remote_endpoint_with_powershell_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup instructions can be found https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators may leverage WinRM and `Enter-PSSession` for administrative and troubleshooting tasks. This activity is usually limited to a small set of hosts or users. In certain environments, tuning may not be possible.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "interactive_session_on_remote_endpoint_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Java Class File download by Java User Agent", "author": "Michael Haag, Splunk", "date": "2021-12-13", "version": 1, "id": "8281ce42-5c50-11ec-82d2-acde48001122", "description": "The following analytic identifies a Java user agent performing a GET request for a .class file from the remote site. This is potentially indicative of exploitation of the Java application and may be related to current event CVE-2021-44228 (Log4Shell).", "references": ["https://arstechnica.com/information-technology/2021/12/as-log4shell-wreaks-havoc-payroll-service-reports-ransomware-attack/"], "tags": {"analytic_story": ["Log4Shell CVE-2021-44228"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "http_user_agent", "type": "Other", "role": ["Other"]}, {"name": "http_method", "type": "Other", "role": ["Other"]}], "message": "A Java user agent $http_user_agent$ was performing a $http_method$ to retrieve a remote class file.", "risk_score": 40, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}]}, "type": "TTP", "search": "| tstats count from datamodel=Web where Web.http_user_agent=\"*Java*\" Web.http_method=\"GET\" Web.url=\"*.class*\" by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `java_class_file_download_by_java_user_agent_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. For additional filtering, allow list private IP space or restrict by known good.", "known_false_positives": "Filtering may be required in some instances, filter as needed.", "datamodel": ["Web"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "java_class_file_download_by_java_user_agent_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Java Writing JSP File", "author": "Michael Haag, Splunk", "date": "2022-06-03", "version": 2, "id": "eb65619c-4f8d-4383-a975-d352765d344b", "description": "The following analytic identifies the process java writing a .jsp to disk. This is potentially indicative of a web shell being written to disk. Modify and tune the analytic based on data ingested. For instance, it may be worth running a broad query for jsp file writes first before performing a join.", "references": ["https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/", "https://github.com/TheGejr/SpringShell", "https://www.tenable.com/blog/spring4shell-faq-spring-framework-remote-code-execution-vulnerability"], "tags": {"analytic_story": ["Atlassian Confluence Server and Data Center CVE-2022-26134", "Spring4Shell CVE-2022-22965", "SysAid On-Prem Software CVE-2023-47246 Vulnerability"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $process_name$ was identified on endpoint $dest$ writing a jsp file $file_name$ to disk, potentially indicative of exploitation.", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name IN (\"java\",\"java.exe\", \"javaw.exe\") by _time Processes.process_id Processes.process_name Processes.dest Processes.process_guid Processes.user | `drop_dm_object_name(Processes)` | join process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.file_name=\"*.jsp*\" by _time Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid Filesystem.user | `drop_dm_object_name(Filesystem)` | fields _time process_guid file_path file_name file_create_time user dest process_name] | stats count min(_time) as firstTime max(_time) as lastTime by dest process_name process_guid file_name file_path file_create_time user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `java_writing_jsp_file_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives are possible and filtering may be required. Restrict by assets or filter known jsp files that are common for the environment.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "java_writing_jsp_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Jscript Execution Using Cscript App", "author": "Teoderick Contreras, Splunk", "date": "2021-09-13", "version": 1, "id": "002f1e24-146e-11ec-a470-acde48001122", "description": "This search is to detect a execution of jscript using cscript process. Commonly when a user run jscript file it was executed by wscript.exe application. This technique was seen in FIN7 js implant to execute its malicious script using cscript process. This behavior is uncommon and a good artifacts to check further anomalies within the network", "references": ["https://www.mandiant.com/resources/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation", "https://attack.mitre.org/groups/G0046/"], "tags": {"analytic_story": ["FIN7", "Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Process name $process_name$ with commandline $process$ to execute jscript in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.007", "mitre_attack_technique": "JavaScript", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "Cobalt Group", "Earth Lusca", "Ember Bear", "Evilnum", "FIN6", "FIN7", "Higaisa", "Indrik Spider", "Kimsuky", "LazyScripter", "Leafminer", "Molerats", "MoustachedBouncer", "MuddyWater", "Sidewinder", "Silence", "TA505", "Turla"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name = \"cscript.exe\" AND Processes.parent_process = \"*//e:jscript*\") OR (Processes.process_name = \"cscript.exe\" AND Processes.process = \"*//e:jscript*\") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process_id Processes.process Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `jscript_execution_using_cscript_app_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "jscript_execution_using_cscript_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kerberoasting spn request with RC4 encryption", "author": "Jose Hernandez, Patrick Bareiss, Mauricio Velazco, Splunk", "date": "2024-04-26", "version": 5, "id": "5cc67381-44fa-4111-8a37-7a230943f027", "description": "The following analytic leverages Kerberos Event 4769, A Kerberos service ticket was requested, to identify a potential kerberoasting attack against Active Directory networks. Kerberoasting allows an adversary to request kerberos tickets for domain accounts typically used as service accounts and attempt to crack them offline allowing them to obtain privileged access to the domain. This analytic looks for a specific combination of the Ticket_Options field based on common kerberoasting tools. Defenders should be aware that it may be possible for a Kerberoast attack to use different Ticket_Options.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/4e3e9c8096dde00639a6b98845ec349135554ed5/atomics/T1208/T1208.md", "https://www.hub.trimarcsecurity.com/post/trimarc-research-detecting-kerberoasting-activity"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Data Destruction", "Hermetic Wiper", "Windows Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Potential kerberoasting attack via service principal name requests detected on $dest$", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}]}, "type": "TTP", "search": "`wineventlog_security` EventCode=4769 ServiceName!=\"*$\" (TicketOptions=0x40810000 OR TicketOptions=0x40800000 OR TicketOptions=0x40810010) TicketEncryptionType=0x17 | stats count min(_time) as firstTime max(_time) as lastTime by Computer, service_id, service, TicketEncryptionType, TicketOptions | rename Computer as dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `kerberoasting_spn_request_with_rc4_encryption_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "Older systems that support kerberos RC4 by default like NetApp may generate false positives. Filter as needed", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kerberoasting_spn_request_with_rc4_encryption_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kerberos Pre-Authentication Flag Disabled in UserAccountControl", "author": "Mauricio Velazco, Splunk", "date": "2022-02-22", "version": 1, "id": "0cb847ee-9423-11ec-b2df-acde48001122", "description": "The following analytic leverages Windows Security Event 4738, `A user account was changed`, to identify a change performed on a domain user object that disables Kerberos Pre-Authentication. Disabling the Pre Authentication flag in the UserAccountControl property allows an adversary to easily perform a brute force attack against the user's password offline leveraging the ASP REP Roasting technique. Red Teams and adversaries alike who have obtained privileges in an Active Directory network may use this technique as a backdoor or a way to escalate privileges.", "references": ["https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties", "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", "https://stealthbits.com/blog/cracking-active-directory-passwords-with-as-rep-roasting/"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User Name", "role": ["Victim"]}], "message": "Kerberos Pre Authentication was Disabled for $user$", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1558.004", "mitre_attack_technique": "AS-REP Roasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}]}, "type": "TTP", "search": " `wineventlog_security` EventCode=4738 MSADChangedAttributes=\"*Don't Require Preauth' - Enabled*\" |rename Account_Name as user | table EventCode, user, dest, Security_ID, MSADChangedAttributes | `kerberos_pre_authentication_flag_disabled_in_useraccountcontrol_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `User Account Management` within `Account Management` needs to be enabled.", "known_false_positives": "Unknown.", "datamodel": ["Change"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kerberos_pre_authentication_flag_disabled_in_useraccountcontrol_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kerberos Pre-Authentication Flag Disabled with PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2022-03-22", "version": 2, "id": "59b51620-94c9-11ec-b3d5-acde48001122", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Set-ADAccountControl` commandlet with specific parameters. `Set-ADAccountControl` is part of the Active Directory PowerShell module used to manage Windows Active Directory networks. As the name suggests, `Set-ADAccountControl` is used to modify User Account Control values for an Active Directory domain account. With the appropiate parameters, Set-ADAccountControl allows adversaries to disable Kerberos Pre-Authentication for an account to to easily perform a brute force attack against the user's password offline leveraging the ASP REP Roasting technique. Red Teams and adversaries alike who have obtained privileges in an Active Directory network may use this technique as a backdoor or a way to escalate privileges.", "references": ["https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties", "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", "https://stealthbits.com/blog/cracking-active-directory-passwords-with-as-rep-roasting/"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Kerberos Pre Authentication was Disabled using PowerShell on $dest$", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1558.004", "mitre_attack_technique": "AS-REP Roasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*Set-ADAccountControl*\" AND ScriptBlockText=\"*DoesNotRequirePreAuth:$true*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `kerberos_pre_authentication_flag_disabled_with_powershell_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Although unlikely, Administrators may need to set this flag for legitimate purposes.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "kerberos_pre_authentication_flag_disabled_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kerberos Service Ticket Request Using RC4 Encryption", "author": "Mauricio Velazco, Splunk", "date": "2024-04-26", "version": 2, "id": "7d90f334-a482-11ec-908c-acde48001122", "description": "The following analytic leverages Kerberos Event 4769, A Kerberos service ticket was requested, to identify a potential Kerberos Service Ticket request related to a Golden Ticket attack. Adversaries who have obtained the Krbtgt account NTLM password hash may forge a Kerberos Granting Ticket (TGT) to obtain unrestricted access to an Active Directory environment. Armed with a Golden Ticket, attackers can request service tickets to move laterally and execute code on remote systems. Looking for Kerberos Service Ticket requests using the legacy RC4 encryption mechanism could represent the second stage of a Golden Ticket attack. RC4 usage should be rare on a modern network since Windows Vista & Windows Sever 2008 and newer support AES Kerberos encryption.\\ Defenders should note that if an attacker does not leverage the NTLM password hash but rather the AES key to create a golden ticket, this detection may be bypassed.", "references": ["https://attack.mitre.org/techniques/T1558/001/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769", "https://adsecurity.org/?p=1515", "https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a", "https://en.hackndo.com/kerberos-silver-golden-tickets/"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A Kerberos Service TTicket request with RC4 encryption was requested from $dest$", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1558.001", "mitre_attack_technique": "Golden Ticket", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Ke3chang"]}]}, "type": "TTP", "search": " `wineventlog_security` EventCode=4769 ServiceName=\"*$\" (TicketOptions=0x40810000 OR TicketOptions=0x40800000 OR TicketOptions=0x40810010) TicketEncryptionType=0x17 | stats count min(_time) as firstTime max(_time) as lastTime by dest, service, service_id, TicketEncryptionType, TicketOptions | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `kerberos_service_ticket_request_using_rc4_encryption_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "Based on Microsoft documentation, legacy systems or applications will use RC4-HMAC as the default encryption for Kerberos Service Ticket requests. Specifically, systems before Windows Server 2008 and Windows Vista. Newer systems will use AES128 or AES256.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kerberos_service_ticket_request_using_rc4_encryption_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kerberos TGT Request Using RC4 Encryption", "author": "Mauricio Velazco, Splunk", "date": "2024-04-26", "version": 2, "id": "18916468-9c04-11ec-bdc6-acde48001122", "description": "The following analytic leverages Event 4768, A Kerberos authentication ticket (TGT) was requested, to identify a TGT request with encryption type 0x17, or RC4-HMAC. This encryption type is no longer utilized by newer systems and could represent evidence of an OverPass The Hash attack. Similar to Pass The Hash, OverPass The Hash is a form of credential theft that allows adversaries to move laterally or consume resources in a target network. Leveraging this attack, an adversary who has stolen the NTLM hash of a valid domain account is able to authenticate to the Kerberos Distribution Center(KDC) on behalf of the legitimate account and obtain a Kerberos TGT ticket. Depending on the privileges of the compromised account, this ticket may be used to obtain unauthorized access to systems and other network resources.", "references": ["https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/", "https://www.thehacker.recipes/ad/movement/kerberos/ptk", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "Endpoint", "role": ["Victim"]}], "message": "A Kerberos TGT request with RC4 encryption was requested for $ServiceName$ from $src_ip$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": []}]}, "type": "TTP", "search": " `wineventlog_security` EventCode=4768 TicketEncryptionType=0x17 ServiceName!=*$ | stats count min(_time) as firstTime max(_time) as lastTime by ServiceName src_ip dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `kerberos_tgt_request_using_rc4_encryption_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "Based on Microsoft documentation, legacy systems or applications will use RC4-HMAC as the default encryption for TGT requests. Specifically, systems before Windows Server 2008 and Windows Vista. Newer systems will use AES128 or AES256.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kerberos_tgt_request_using_rc4_encryption_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kerberos User Enumeration", "author": "Mauricio Velazco, Splunk", "date": "2024-04-26", "version": 2, "id": "d82d4af4-a0bd-11ec-9445-3e22fbd008af", "description": "The following analytic leverages Event Id 4768, A Kerberos authentication ticket (TGT) was requested, to identify one source endpoint trying to obtain an unusual number Kerberos TGT ticket for non existing users. This behavior could represent an adversary abusing the Kerberos protocol to perform a user enumeration attack against an Active Directory environment. When Kerberos is sent a TGT request with no preauthentication for an invalid username, it responds with KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN or 0x6. Red teams and adversaries alike may abuse the Kerberos protocol to validate a list of users use them to perform further attacks.\\ The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number requests. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field.", "references": ["https://github.com/ropnop/kerbrute", "https://attack.mitre.org/techniques/T1589/002/", "https://redsiege.com/tools-techniques/2020/04/user-enumeration-part-3-windows/"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Reconnaissance"], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "Endpoint", "role": ["Victim"]}], "message": "Potential Kerberos based user enumeration attack $src_ip$", "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1589", "mitre_attack_technique": "Gather Victim Identity Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["APT32", "FIN13", "HEXANE", "LAPSUS$", "Magic Hound"]}, {"mitre_attack_id": "T1589.002", "mitre_attack_technique": "Email Addresses", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["APT32", "EXOTIC LILY", "HAFNIUM", "HEXANE", "Kimsuky", "LAPSUS$", "Lazarus Group", "Magic Hound", "Sandworm Team", "Silent Librarian", "TA551"]}]}, "type": "Anomaly", "search": " `wineventlog_security` EventCode=4768 Status=0x6 TargetUserName!=\"*$\" | bucket span=2m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, src_ip | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by src_ip | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1| `kerberos_user_enumeration_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kerberos_user_enumeration_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Known Services Killed by Ransomware", "author": "Teoderick Contreras, Splunk", "date": "2024-04-26", "version": 2, "id": "3070f8e0-c528-11eb-b2a0-acde48001122", "description": "This search detects a suspicioous termination of known services killed by ransomware before encrypting files in a compromised machine. This technique is commonly seen in most of ransomware now a days to avoid exception error while accessing the targetted files it wants to encrypts because of the open handle of those services to the targetted file.", "references": ["https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/", "https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/", "https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html"], "tags": {"analytic_story": ["BlackMatter Ransomware", "LockBit Ransomware", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "param1", "type": "Other", "role": ["Other"]}], "message": "Known services $param1$ terminated by a potential ransomware on $dest$", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}]}, "type": "TTP", "search": "`wineventlog_system` EventCode=7036 param1 IN (\"*Volume Shadow Copy*\",\"*VSS*\", \"*backup*\", \"*sophos*\", \"*sql*\", \"*memtas*\", \"*mepocs*\", \"*veeam*\", \"*svc$*\", \"DefWatch\", \"ccEvtMgr\", \"ccSetMgr\", \"SavRoam\", \"RTVscan\", \"QBFCService\", \"QBIDPService\", \"Intuit.QuickBooks.FCS\", \"QBCFMonitorService\" \"YooBackup\", \"YooIT\", \"*Veeam*\", \"PDVFSService\", \"BackupExecVSSProvider\", \"BackupExecAgentAccelerator\", \"BackupExec*\", \"WdBoot\", \"WdFilter\", \"WdNisDrv\", \"WdNisSvc\", \"WinDefend\", \"wscsvc\", \"Sense\", \"sppsvc\", \"SecurityHealthService\") param2=\"stopped\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode param1 dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `known_services_killed_by_ransomware_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the 7036 EventCode ScManager in System audit Logs from your endpoints.", "known_false_positives": "Admin activities or installing related updates may do a sudden stop to list of services we monitor.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "known_services_killed_by_ransomware_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Account Manipulation Of SSH Config and Keys", "author": "Teoderick Contreras, Splunk", "date": "2023-04-27", "version": 2, "id": "73a56508-1cf5-4df7-b8d9-5737fbdc27d2", "description": "This analytic is to detect a deletion of ssh key in a linux machine. attacker may delete or modify ssh key to impair some security features or act as defense evasion in compromised linux machine. This Anomaly can be also a good indicator of a malware trying to wipe or delete several files in a compromised host as part of its destructive payload like what acidrain malware does in linux or router machines. This detection can be a good pivot to check what process and user tries to delete this type of files which is not so common and need further investigation.", "references": ["https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/"], "tags": {"analytic_story": ["AcidRain"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "SSH Config and keys are deleted on $dest$ by Process GUID - $process_guid$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted AND Filesystem.file_path IN (\"/etc/ssh/*\", \"~/.ssh/*\") by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_account_manipulation_of_ssh_config_and_keys_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_account_manipulation_of_ssh_config_and_keys_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Add Files In Known Crontab Directories", "author": "Teoderick Contreras, Splunk", "date": "2021-12-17", "version": 1, "id": "023f3452-5f27-11ec-bf00-acde48001122", "description": "The following analytic aims to detect unauthorized activities through suspicious file creation in recognized cron table directories, prevalent Unix-based locations for scheduling tasks. This behavior is often exploited by nefarious entities like malware or threat actors, including red teamers, to establish persistence on a targeted or compromised host. The analogy to Windows-based scheduled tasks helps explain the utility of a crontab or cron job. To enhance clarity and actionable intelligence, the anomaly query flags the anomaly, urging further investigation into the added file's details. A cybersecurity analyst should consider additional data points such as the user identity involved, the file's nature and purpose, file origin, timestamp, and any changes in system behavior post file execution. This comprehensive understanding aids in accurately determining the file's legitimacy, facilitating prompt and effective response actions.", "references": ["https://www.sandflysecurity.com/blog/detecting-cronrat-malware-on-linux-instantly/", "https://www.cyberciti.biz/faq/how-do-i-add-jobs-to-cron-under-linux-or-unix-oses/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a file $file_name$ is created in $file_path$ on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.003", "mitre_attack_technique": "Cron", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT38", "APT5", "Rocke"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*/etc/cron*\", \"*/var/spool/cron/*\") by Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_add_files_in_known_crontab_directories_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can create file in crontab folders for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_add_files_in_known_crontab_directories_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Add User Account", "author": "Teoderick Contreras, Splunk", "date": "2021-12-21", "version": 1, "id": "51fbcaf2-6259-11ec-b0f3-acde48001122", "description": "This analytic looks for commands to create user accounts on the linux platform. This technique is commonly abuse by adversaries, malware author and red teamers to persist on the targeted or compromised host by creating new user with an elevated privilege. This Hunting query may catch normal creation of user by administrator so filter is needed.", "references": ["https://linuxize.com/post/how-to-create-users-in-linux-using-the-useradd-command/"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A commandline $process$ that may create user account on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "APT5", "Dragonfly", "FIN13", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT", "Wizard Spider"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider", "Scattered Spider"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes where Processes.process_name IN (\"useradd\", \"adduser\") OR Processes.process IN (\"*useradd *\", \"*adduser *\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_add_user_account_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_add_user_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Adding Crontab Using List Parameter", "author": "Teoderick Contreras, Splunk", "date": "2023-04-14", "version": 1, "id": "52f6d751-1fd4-4c74-a4c9-777ecfeb5c58", "description": "The following analytic identifies suspicious modifications to cron jobs on Linux systems using the crontab command with list parameters. This command line parameter can be abused by malware like Industroyer2, as well as adversaries and red teamers, to add a crontab entry for executing their malicious code on a schedule of their choice. However, it's important to note that administrators or normal users may also use this command for legitimate automation purposes, so filtering is required to minimize false positives. Identifying the modification of cron jobs using list parameters is valuable for a SOC as it indicates potential malicious activity or an attempt to establish persistence on the system. If a true positive is detected, further investigation should be conducted to analyze the added cron job, its associated command, and the impact it may have on the system. This includes examining the purpose of the job, reviewing any on-disk artifacts, and identifying any related processes or activities occurring concurrently. The impact of a true positive can range from unauthorized execution of malicious code to data destruction or other damaging outcomes.", "references": ["https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", "https://cert.gov.ua/article/39518"], "tags": {"analytic_story": ["Data Destruction", "Industroyer2", "Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A possible crontab list command $process$ executed on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.003", "mitre_attack_technique": "Cron", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT38", "APT5", "Rocke"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"crontab\" Processes.process= \"* -l*\" by Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_adding_crontab_using_list_parameter_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_adding_crontab_using_list_parameter_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux apt-get Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2022-08-11", "version": 1, "id": "d870ce3b-e796-402f-b2af-cab4da1223f2", "description": "The apt-get is a command line tool for interacting with the Advanced Package Tool (APT) library (a package management system for Linux distributions). It allows you to search for, install, manage, update, and remove software. The tool does not build software from the source code. If sudo right is given to the tool for user, then the user can run system commands as root and possibly get a root shell.", "references": ["https://gtfobins.github.io/gtfobins/apt-get/", "https://phoenixnap.com/kb/how-to-use-apt-get-commands"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 10, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*apt-get*\" AND Processes.process=\"*APT::Update::Pre-Invoke::*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_apt_get_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_apt_get_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux APT Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2022-08-11", "version": 1, "id": "4d5a05fa-77d9-4fd0-af9c-05704f9f9a88", "description": "Advanced Package Tool, more commonly known as APT, is a collection of tools used to install, update, remove, and otherwise manage software packages on Debian and its derivative operating systems, including Ubuntu and Linux Mint. If sudo right is given to the tool for user, then the user can run system commands as root and possibly get a root shell.", "references": ["https://gtfobins.github.io/gtfobins/apt/", "https://www.digitalocean.com/community/tutorials/what-is-apt"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 10, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*apt*\" AND Processes.process=\"*APT::Update::Pre-Invoke::*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_apt_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_apt_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux At Allow Config File Creation", "author": "Teoderick Contreras, Splunk", "date": "2021-12-17", "version": 1, "id": "977b3082-5f3d-11ec-b954-acde48001122", "description": "The following analytic detects the creation of suspicious configuration files, /etc/at.allow or /etc/at.deny, in Linux. These files are commonly abused by malware, adversaries, or red teamers to establish persistence on compromised hosts. The configuration files determine which users are allowed to execute the \"at\" application, which is used for scheduling tasks in Linux. Attackers can add their user or a compromised username to these files to execute malicious code using \"at.\" It's important to consider potential false positives as administrators or network operators may create these files for legitimate automation purposes. Adjust the filter macros to minimize false positives.\nIdentifying the creation of these configuration files is valuable for a SOC as it indicates potential unauthorized activities or an attacker attempting to establish persistence. If a true positive is found, further investigation is necessary to examine the contents of the created configuration file and determine the source of creation. The impact of a true positive can vary but could result in unauthorized execution of malicious code, data theft, or other detrimental consequences. Analysts should review the file path, creation time, and associated processes to assess the extent of the attack and initiate appropriate response actions.", "references": ["https://linuxize.com/post/at-command-in-linux/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A file $file_name$ is created in $file_path$ on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.003", "mitre_attack_technique": "Cron", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT38", "APT5", "Rocke"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*/etc/at.allow\", \"*/etc/at.deny\") by Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_at_allow_config_file_creation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can create this file for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_at_allow_config_file_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux At Application Execution", "author": "Teoderick Contreras, Splunk", "date": "2022-05-26", "version": 2, "id": "bf0a378e-5f3c-11ec-a6de-acde48001122", "description": "The following analytic detects the execution of the \"At\" application in Linux, which can be used by attackers to create persistence entries on a compromised host. The \"At\" application can be used for automation purposes by administrators or network operators, so the filter macros should be updated to remove false positives. If a true positive is found, it suggests an attacker is trying to maintain access to the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. To implement this analytic, ensure you are ingesting logs with the required fields from your endpoints into the Endpoint datamodel. When a true positive is detected, it suggests that an attacker is attempting to establish persistence or deliver additional malicious payloads by leveraging the \"At\" application. This behavior can lead to data theft, ransomware attacks, or other damaging outcomes.\nDuring triage, the SOC analyst should review the context surrounding the execution of the \"At\" application. This includes identifying the user, the parent process responsible for invoking the application, and the specific command-line arguments used. It is important to consider whether the execution is expected behavior by an administrator or network operator for legitimate automation purposes.\nThe presence of \"At\" application execution may indicate an attacker's attempt to maintain unauthorized access to the environment. Immediate investigation and response are necessary to mitigate further risks, identify the attacker's intentions, and prevent potential harm to the organization.", "references": ["https://attack.mitre.org/techniques/T1053/001/", "https://www.linkedin.com/pulse/getting-attacker-ip-address-from-malicious-linux-job-craig-rowland/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "At application was executed in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.002", "mitre_attack_technique": "At", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "BRONZE BUTLER", "Threat Group-3390"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes where Processes.process_name IN (\"at\", \"atd\") OR Processes.parent_process_name IN (\"at\", \"atd\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_at_application_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_at_application_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux AWK Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2022-07-31", "version": 1, "id": "4510cae0-96a2-4840-9919-91d262db210a", "description": "Awk is mostly used for processing and scanning patterns. It checks one or more files to determine whether any lines fit the specified patterns, and if so, it does the appropriate action. If sudo right is given to AWK binary for the user, then the user can run system commands as root and possibly get a root shell.", "references": ["https://www.hacknos.com/awk-privilege-escalation/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*sudo*\" AND Processes.process=\"*awk*\" AND Processes.process=\"*BEGIN*system*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_awk_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives are present based on automated tooling or system administrative usage. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_awk_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Busybox Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2022-08-11", "version": 1, "id": "387c4e78-f4a4-413d-ad44-e9f7bc4642c9", "description": "BusyBox combines tiny versions of many common UNIX utilities into a single small executable. It provides minimalist replacements for most of the utilities you usually find in GNU coreutils, util-linux, etc. If sudo right is given to BusyBox application for the user, then the user can run system commands as root and possibly get a root shell.", "references": ["https://gtfobins.github.io/gtfobins/busybox/", "https://man.archlinux.org/man/busybox.1.en"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 10, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*busybox*\" AND Processes.process=\"*sh*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_busybox_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_busybox_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux c89 Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2022-08-11", "version": 1, "id": "54c95f4d-3e5d-44be-9521-ea19ba62f7a8", "description": "The c89 and cc commands compile, assemble, and link-edit C programs; the cxx or c++ command does the same for C++ programs. The c89 command should be used when compiling C programs that are written according to Standard C. If sudo right is given to c89 application for the user, then the user can run system commands as root and possibly get a root shell.", "references": ["https://gtfobins.github.io/gtfobins/c89/", "https://www.ibm.com/docs/en/zos/2.1.0?topic=guide-c89-compiler-invocation-using-host-environment-variables"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*c89*\" AND Processes.process=\"*-wrapper*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_c89_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_c89_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux c99 Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2022-08-11", "version": 1, "id": "e1c6dec5-2249-442d-a1f9-99a4bd228183", "description": "The c99 utility is an interface to the standard C compilation system; it shall accept source code conforming to the ISO C standard. The system conceptually consists of a compiler and link editor. If sudo right is given to ruby application for the user, then the user can run system commands as root and possibly get a root shell.", "references": ["https://gtfobins.github.io/gtfobins/c99/", "https://pubs.opengroup.org/onlinepubs/009604499/utilities/c99.html"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*c99*\" AND Processes.process=\"*-wrapper*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_c99_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_c99_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Change File Owner To Root", "author": "Teoderick Contreras, Splunk", "date": "2021-12-21", "version": 1, "id": "c1400ea2-6257-11ec-ad49-acde48001122", "description": "This analytic looks for a commandline that change the file owner to root using chown utility tool. This technique is commonly abuse by adversaries, malware author and red teamers to escalate privilege to the targeted or compromised host by changing the owner of their malicious file to root. This event is not so common in corporate network except from the administrator doing normal task that needs high privilege.", "references": ["https://unix.stackexchange.com/questions/101073/how-to-change-permissions-from-root-user-to-all-users", "https://askubuntu.com/questions/617850/changing-from-user-to-superuser"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A commandline $process$ that may change ownership to root on $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1222.002", "mitre_attack_technique": "Linux and Mac File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = chown OR Processes.process = \"*chown *\") AND Processes.process = \"* root *\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_change_file_owner_to_root_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_change_file_owner_to_root_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Clipboard Data Copy", "author": "Michael Haag, Splunk", "date": "2024-05-17", "version": 2, "id": "7173b2ad-6146-418f-85ae-c3479e4515fc", "description": "The following analytic detects the use of the Linux 'xclip' command to copy data from the clipboard. It leverages Endpoint Detection and Response (EDR) telemetry, focusing on process names and command-line arguments related to clipboard operations. This activity is significant because adversaries can exploit clipboard data to capture sensitive information such as passwords or IP addresses. If confirmed malicious, this technique could lead to unauthorized data exfiltration, compromising sensitive information and potentially aiding further attacks within the environment.", "references": ["https://attack.mitre.org/techniques/T1115/", "https://linux.die.net/man/1/xclip"], "tags": {"analytic_story": ["Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $process_name$ was identified on endpoint $dest$ by user $user$ adding or removing content from the clipboard.", "risk_score": 16, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1115", "mitre_attack_technique": "Clipboard Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT38", "APT39"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=xclip Processes.process IN (\"*-o *\", \"*-sel *\", \"*-selection *\", \"*clip *\",\"*clipboard*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_clipboard_data_copy_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present on Linux desktop as it may commonly be used by administrators or end users. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_clipboard_data_copy_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Common Process For Elevation Control", "author": "Teoderick Contreras, Splunk", "date": "2021-12-23", "version": 1, "id": "66ab15c0-63d0-11ec-9e70-acde48001122", "description": "This analytic is to look for possible elevation control access using a common known process in linux platform to change the attribute and file ownership. This technique is commonly abused by adversaries, malware author and red teamers to gain persistence or privilege escalation on the target or compromised host. This common process is used to modify file attribute, file ownership or SUID. This tools can be used in legitimate purposes so filter is needed.", "references": ["https://attack.mitre.org/techniques/T1548/001/", "https://github.com/Neo23x0/auditd/blob/master/audit.rules#L285-L297", "https://github.com/bfuzzy1/auditd-attack/blob/master/auditd-attack/auditd-attack.rules#L269-L270", "https://github.com/microsoft/MSTIC-Sysmon/blob/main/linux/configs/attack-based/privilege_escalation/T1548.001_ElevationControl_CommonProcesses.xml"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A commandline $process$ with process $process_name$ on $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.001", "mitre_attack_technique": "Setuid and Setgid", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (\"chmod\", \"chown\", \"fchmod\", \"fchmodat\", \"fchown\", \"fchownat\", \"fremovexattr\", \"fsetxattr\", \"lchown\", \"lremovexattr\", \"lsetxattr\", \"removexattr\", \"setuid\", \"setgid\", \"setreuid\", \"setregid\", \"chattr\") OR Processes.process IN (\"*chmod *\", \"*chown *\", \"*fchmod *\", \"*fchmodat *\", \"*fchown *\", \"*fchownat *\", \"*fremovexattr *\", \"*fsetxattr *\", \"*lchown *\", \"*lremovexattr *\", \"*lsetxattr *\", \"*removexattr *\", \"*setuid *\", \"*setgid *\", \"*setreuid *\", \"*setregid *\", \"*setcap *\", \"*chattr *\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_common_process_for_elevation_control_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_common_process_for_elevation_control_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Composer Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2022-08-11", "version": 1, "id": "a3bddf71-6ba3-42ab-a6b2-396929b16d92", "description": "Composer is a tool for dependency management in PHP. It allows you to declare the libraries your project depends on and it will manage (install/update) them for you. If sudo right is given to tool for the user, then the user can run system commands as root and possibly get a root shell.", "references": ["https://gtfobins.github.io/gtfobins/composer/", "https://getcomposer.org/doc/00-intro.md"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 10, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*composer*\" AND Processes.process=\"*run-script*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_composer_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_composer_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Cpulimit Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2022-08-11", "version": 1, "id": "d4e40b7e-aad3-4a7d-aac8-550ea5222be5", "description": "cpulimit is a simple program which attempts to limit the cpu usage of a process (expressed in percentage, not in cpu time). This is useful to control batch jobs, when you don't want them to eat too much cpu. If sudo right is given to the program for the user, then the user can run system commands as root and possibly get a root shell.", "references": ["https://gtfobins.github.io/gtfobins/cpulimit/", "http://cpulimit.sourceforge.net/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 20, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*cpulimit*\" AND Processes.process=\"*-l*\" AND Processes.process=\"*-f*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_cpulimit_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_cpulimit_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Csvtool Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2022-08-11", "version": 1, "id": "f8384f9e-1a5c-4c3a-96d6-8a7e5a38a8b8", "description": "csvtool is an easy to use command-line tool to work with .CSV files. If sudo right is given to the tool for the user, then the user can run system commands as root and possibly get a root shell.", "references": ["https://gtfobins.github.io/gtfobins/csvtool/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 10, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*csvtool*\" AND Processes.process=\"*call*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_csvtool_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_csvtool_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Curl Upload File", "author": "Michael Haag, Splunk", "date": "2022-07-29", "version": 1, "id": "c1de2d9a-0c02-4bb4-a49a-510c6e9cf2bf", "description": "The following analytic identifies curl being utilized with the -F or --form, --upload-file, -T, -d, --data, --data-raw, -I and --head switches to upload AWS credentials or config to a remote destination. This enables uploading of binary files and so forth. To force the 'content' part to be a file, prefix the file name with an @ sign. To just get the content part from a file, prefix the file name with the symbol <. The difference between @ and < is then that @ makes a file get attached in the post as a file upload, while the < makes a text field and just get the contents for that text field from a file. This technique was utlized by the TeamTNT group to exfiltrate AWS credentials.", "references": ["https://curl.se/docs/manpage.html", "https://www.cadosecurity.com/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials/", "https://gtfobins.github.io/gtfobins/curl/"], "tags": {"analytic_story": ["Data Exfiltration", "Ingress Tool Transfer", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $process_name$ was identified on endpoint $dest$ by user $user$ attempting to upload important files to a remote destination.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=curl Processes.process IN (\"*-F *\", \"*--form *\",\"*--upload-file *\",\"*-T *\",\"*-d *\",\"*--data *\",\"*--data-raw *\", \"*-I *\", \"*--head *\") AND Processes.process IN (\"*.aws/credentials*\". \"*.aws/config*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_curl_upload_file_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Filtering may be required. In addition to AWS credentials, add other important files and monitor. The inverse would be to look for _all_ -F behavior and tune from there.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_curl_upload_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Data Destruction Command", "author": "Teoderick Contreras, Splunk", "date": "2023-04-14", "version": 1, "id": "b11d3979-b2f7-411b-bb1a-bd00e642173b", "description": "The following analytic identifies a unix shell command that can wipe root folders of a linux host. This commandline is being abused by Awfulshred malware that wipes or corrupts files in a targeted Linux host. The shell command uses the rm command with force recursive deletion even in the root folder. This TTP can be a good indicator that a user or a process wants to wipe roots directory files in Linux host.", "references": ["https://cert.gov.ua/article/3718487", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/"], "tags": {"analytic_story": ["AwfulShred", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "a $process_name$ execute rm command with --no-preserve-root parmeter that can wipe root files in $dest$", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"rm\" AND Processes.process IN (\"* -rf*\", \"* -fr*\") AND Processes.process = \"* --no-preserve-root\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_data_destruction_command_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_data_destruction_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux DD File Overwrite", "author": "Teoderick Contreras, Splunk", "date": "2023-04-14", "version": 1, "id": "9b6aae5e-8d85-11ec-b2ae-acde48001122", "description": "This analytic is to look for dd command to overwrite file. This technique was abused by adversaries or threat actor to destroy files or data on specific system or in a large number of host within network to interrupt host avilability, services and many more. This is also used to destroy data where it make the file irrecoverable by forensic techniques through overwriting files, data or local and remote drives.", "references": ["https://gtfobins.github.io/gtfobins/dd/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"], "tags": {"analytic_story": ["Data Destruction", "Industroyer2"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A commandline $process$ executed on $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"dd\" AND Processes.process = \"*of=*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_dd_file_overwrite_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_dd_file_overwrite_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Decode Base64 to Shell", "author": "Michael Haag, Splunk", "date": "2022-07-27", "version": 1, "id": "637b603e-1799-40fd-bf87-47ecbd551b66", "description": "The following analytic detects the behavior of decoding base64-encoded data and passing it to a Linux shell. Additionally, it mitigates the potential damage and protects the organization's systems and data.The detection is made by searching for specific commands in the Splunk query, namely \"base64 -d\" and \"base64 --decode\", within the Endpoint.Processes data model. The analytic also includes a filter for Linux shells. The detection is important because it indicates the presence of malicious activity since Base64 encoding is commonly used to obfuscate malicious commands or payloads, and decoding it can be a step in running those commands. It suggests that an attacker is attempting to run malicious commands on a Linux system to gain unauthorized access, for data exfiltration, or perform other malicious actions.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md#atomic-test-1---decode-base64-data-into-script", "https://redcanary.com/blog/lateral-movement-with-secure-shell/", "https://linux.die.net/man/1/base64"], "tags": {"analytic_story": ["Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ decoding base64 and passing it to a shell.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1059.004", "mitre_attack_technique": "Unix Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT41", "Rocke", "TeamTNT"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN (\"*base64 -d*\",\"*base64 --decode*\") AND Processes.process=\"*|*\" `linux_shells` by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_decode_base64_to_shell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present based on legitimate software being utilized. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "linux_shells", "definition": "(Processes.process_name IN (\"sh\", \"ksh\", \"zsh\", \"bash\", \"dash\", \"rbash\", \"fish\", \"csh\", \"tcsh\", \"ion\", \"eshell\"))", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_decode_base64_to_shell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Deleting Critical Directory Using RM Command", "author": "Teoderick Contreras, Splunk", "date": "2023-04-14", "version": 1, "id": "33f89303-cc6f-49ad-921d-2eaea38a6f7a", "description": "The following analytic identifies a suspicious deletion of a critical folder in Linux machine using rm command. This technique was seen in industroyer2 campaign to wipe or destroy energy facilities of a targeted sector. Deletion in these list of folder is not so common since it need some elevated privileges to access some of it. We recommend to look further events specially in file access or file deletion, process commandline that may related to this technique.", "references": ["https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", "https://cert.gov.ua/article/39518"], "tags": {"analytic_story": ["AwfulShred", "Data Destruction", "Industroyer2"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A deletion in known critical list of folder using rm command $process$ executed on $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name =rm AND Processes.process= \"* -rf *\" AND Processes.process IN (\"*/boot/*\", \"*/var/log/*\", \"*/etc/*\", \"*/dev/*\") by Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_deleting_critical_directory_using_rm_command_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_deleting_critical_directory_using_rm_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Deletion Of Cron Jobs", "author": "Teoderick Contreras, Splunk", "date": "2023-04-27", "version": 2, "id": "3b132a71-9335-4f33-9932-00bb4f6ac7e8", "description": "This analytic is to detect a deletion of cron job in a linux machine. This technique can be related to an attacker, threat actor or malware to disable scheduled cron jobs that might be related to security or to evade some detections. We also saw that this technique can be a good indicator for malware that is trying to wipe or delete several files on the compromised host like the acidrain malware. This anomaly detection can be a good pivot detection to look for process and user doing it why they doing. Take note that this event can be done by administrator so filtering on those possible false positive event is needed.", "references": ["https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/"], "tags": {"analytic_story": ["AcidRain", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}], "message": "Linux cron jobs are deleted on host $dest$ by process GUID- $process_guid$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path=\"/etc/cron.*\" by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_deletion_of_cron_jobs_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_deletion_of_cron_jobs_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Deletion Of Init Daemon Script", "author": "Teoderick Contreras, Splunk", "date": "2023-04-27", "version": 2, "id": "729aab57-d26f-4156-b97f-ab8dda8f44b1", "description": "This analytic is to detect a deletion of init daemon script in a linux machine. daemon script that place in /etc/init.d/ is a directory that can start and stop some daemon services in linux machines. attacker may delete or modify daemon script to impair some security features or act as defense evasion in a compromised linux machine. This TTP can be also a good indicator of a malware trying to wipe or delete several files in compromised host as part of its destructive payload like what acidrain malware does in linux or router machines. This detection can be a good pivot to check what process and user tries to delete this type of files which is not so common and need further investigation.", "references": ["https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/"], "tags": {"analytic_story": ["AcidRain", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}], "message": "Init daemon script deleted on host $dest$ by process GUID- $process_guid$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path IN ( \"/etc/init.d/*\") by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_deletion_of_init_daemon_script_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_deletion_of_init_daemon_script_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Deletion Of Services", "author": "Teoderick Contreras, Splunk", "date": "2023-04-27", "version": 2, "id": "b509bbd3-0331-4aaa-8e4a-d2affe100af6", "description": "This analytic is to detect a deletion of services in a linux machine. attacker may delete or modify services to impair some security features or act as defense evasion in a compromised linux machine. This TTP can be also a good indicator of a malware trying to wipe or delete several files in a compromised host as part of its destructive payload like what acidrain malware does in linux or router machines. This detection can be a good pivot to check what process and user tries to delete this type of files which is not so common and need further investigation.", "references": ["https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/", "https://unix.stackexchange.com/questions/224992/where-do-i-put-my-systemd-unit-file", "https://cert.gov.ua/article/3718487"], "tags": {"analytic_story": ["AcidRain", "AwfulShred", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}], "message": "A services file $file_name$ deteted on host $dest$ by process GUID - $process_guid$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path IN ( \"/etc/systemd/*\", \"*/lib/systemd/*\", \"*/run/systemd/*\") Filesystem.file_path = \"*.service\" by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_deletion_of_services_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_deletion_of_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Deletion of SSL Certificate", "author": "Teoderick Contreras, Splunk", "date": "2023-04-27", "version": 2, "id": "839ab790-a60a-4f81-bfb3-02567063f615", "description": "This analytic is to detect a deletion of ssl certificate in a linux machine. attacker may delete or modify ssl certificate to impair some security features or act as defense evasion in compromised linux machine. This Anomaly can be also a good indicator of a malware trying to wipe or delete several files in a compromised host as part of its destructive payload like what acidrain malware does in linux or router machines. This detection can be a good pivot to check what process and user tries to delete this type of files which is not so common and need further investigation.", "references": ["https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/"], "tags": {"analytic_story": ["AcidRain"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}], "message": "SSL certificate deleted on host $dest$ by process GUID- $process_guid$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path = \"/etc/ssl/certs/*\" Filesystem.file_path IN (\"*.pem\", \"*.crt\") by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_deletion_of_ssl_certificate_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_deletion_of_ssl_certificate_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Disable Services", "author": "Teoderick Contreras, Splunk", "date": "2023-04-14", "version": 1, "id": "f2e08a38-6689-4df4-ad8c-b51c16262316", "description": "The following analytic is to detect events that attempts to disable a service. This is typically identified in parallel with other instances of service enumeration of attempts to stop a service and then delete it. Adversaries utilize this technique like industroyer2 malware to terminate security services or other related services to continue there objective as a destructive payload.", "references": ["https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", "https://cert.gov.ua/article/39518"], "tags": {"analytic_story": ["AwfulShred", "Data Destruction", "Industroyer2"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified attempting to disable services on endpoint $dest$ by $user$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (\"systemctl\", \"service\", \"svcadm\") Processes.process = \"* disable*\" by Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_disable_services_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_disable_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Doas Conf File Creation", "author": "Teoderick Contreras, Splunk", "date": "2022-01-05", "version": 1, "id": "f6343e86-6e09-11ec-9376-acde48001122", "description": "This analytic is to detect the creation of doas.conf file in linux host platform. This configuration file can be use by doas utility tool to allow or permit standard users to perform tasks as root, the same way sudo does. This tool is developed as a minimalistic alternative to sudo application. This tool can be abused advesaries, attacker or malware to gain elevated privileges to the targeted or compromised host. On the other hand this can also be executed by administrator for a certain task that needs admin rights. In this case filter is needed.", "references": ["https://wiki.gentoo.org/wiki/Doas", "https://www.makeuseof.com/how-to-install-and-use-doas/"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A file $file_name$ is created in $file_path$ on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*/etc/doas.conf\") by Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_doas_conf_file_creation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_doas_conf_file_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Doas Tool Execution", "author": "Teoderick Contreras, Splunk", "date": "2022-01-05", "version": 1, "id": "d5a62490-6e09-11ec-884e-acde48001122", "description": "This analytic is to detect the doas tool execution in linux host platform. This utility tool allow standard users to perform tasks as root, the same way sudo does. This tool is developed as a minimalistic alternative to sudo application. This tool can be abused advesaries, attacker or malware to gain elevated privileges to the targeted or compromised host. On the other hand this can also be executed by administrator for a certain task that needs admin rights. In this case filter is needed.", "references": ["https://wiki.gentoo.org/wiki/Doas", "https://www.makeuseof.com/how-to-install-and-use-doas/"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A doas $process_name$ with commandline $process$ was executed on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"doas\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_doas_tool_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_doas_tool_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Docker Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2022-07-31", "version": 1, "id": "2e7bfb78-85f6-47b5-bc2f-15813a4ef2b3", "description": "Docker is an open source containerization platform. It helps programmers to bundle applications into containers, which are standardized executable parts that include the application source code along with the OS libraries and dependencies needed to run that code in any setting. The user can add mount the root directory into a container and edit the /etc/password file to add a super user. This requires the user to be privileged enough to run docker, i.e. being in the docker group or being root.", "references": ["https://gtfobins.github.io/gtfobins/docker/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 5, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN(\"*docker*-v*/*:*\",\"*docker*--volume*/*:*\") OR Processes.process IN(\"*docker*exec*sh*\",\"*docker*exec*bash*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_docker_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives are present based on automated tooling or system administrative usage. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_docker_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Edit Cron Table Parameter", "author": "Teoderick Contreras, Splunk", "date": "2021-12-17", "version": 1, "id": "0d370304-5f26-11ec-a4bb-acde48001122", "description": "The following analytic detects the suspicious editing of cron jobs in Linux via the crontab command-line parameter. This tactic could be used by adversaries or malware to schedule execution of their malicious code, potentially leading to system compromise or unauthorized persistent access. It pinpoints this activity by monitoring command-line executions involving 'crontab' and the edit parameter (-e).\nRecognizing such activity is vital for a SOC as cron job manipulations might signal unauthorized persistence attempts or scheduled malicious actions, potentially resulting in substantial harm. A true positive signifies an active threat, with implications ranging from unauthorized access to broader network compromise.\nTo implement this analytic, logs capturing process name, parent process, and command-line executions from your endpoints must be ingested.\nKnown false positives could stem from valid administrative tasks or automation processes using crontab. To reduce these, fine-tune the filter macros according to the benign activities within your environment. These adjustments ensure legitimate actions aren't mistaken for threats, allowing analysts to focus on genuine potential risks.", "references": ["https://attack.mitre.org/techniques/T1053/003/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A possible crontab edit command $process$ executed on $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.003", "mitre_attack_technique": "Cron", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT38", "APT5", "Rocke"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = crontab Processes.process = \"*crontab *\" Processes.process = \"* -e*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_edit_cron_table_parameter_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_edit_cron_table_parameter_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Emacs Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2022-08-09", "version": 1, "id": "92033cab-1871-483d-a03b-a7ce98665cfc", "description": "EMACS is a family of text editors that are characterized by their extensibility. The manual for the most widely used variant, GNU Emacs, describes it as \"the extensible, customizable, self-documenting, real-time display editor\". If sudo right is given to EMACS tool for the user, then the user can run special commands as root and possibly get a root shell.", "references": ["https://gtfobins.github.io/gtfobins/emacs/", "https://en.wikipedia.org/wiki/Emacs"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 20, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*emacs*\" AND Processes.process=\"*--eval*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_emacs_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_emacs_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux File Created In Kernel Driver Directory", "author": "Teoderick Contreras, Splunk", "date": "2021-12-22", "version": 1, "id": "b85bbeec-6326-11ec-9311-acde48001122", "description": "This analytic looks for suspicious file creation in kernel/driver directory in linux platform. This directory is known folder for all linux kernel module available within the system. so creation of file in this directory is a good indicator that there is a possible rootkit installation in the host machine. This technique was abuse by adversaries, malware author and red teamers to gain high privileges to their malicious code such us in kernel level. Even this event is not so common administrator or legitimate 3rd party tool may install driver or linux kernel module as part of its installation.", "references": ["https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/kernel-module-driver-configuration/Working_with_Kernel_Modules/", "https://security.stackexchange.com/questions/175953/how-to-load-a-malicious-lkm-at-startup", "https://0x00sec.org/t/kernel-rootkits-getting-your-hands-dirty/1485"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation", "Linux Rootkit"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A file $file_name$ is created in $file_path$ on $dest$", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.006", "mitre_attack_technique": "Kernel Modules and Extensions", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*/kernel/drivers/*\") by Filesystem.dest Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_file_created_in_kernel_driver_directory_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can create file in this folders for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_file_created_in_kernel_driver_directory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux File Creation In Init Boot Directory", "author": "Teoderick Contreras, Splunk", "date": "2021-12-20", "version": 1, "id": "97d9cfb2-61ad-11ec-bb2d-acde48001122", "description": "This analytic looks for suspicious file creation on init system directories for automatic execution of script or file upon boot up. This technique is commonly abuse by adversaries, malware author and red teamer to persist on the targeted or compromised host. This behavior can be executed or use by an administrator or network operator to add script files or binary files as part of a task or automation. filter is needed.", "references": ["https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A file $file_name$ is created in $file_path$ on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1037.004", "mitre_attack_technique": "RC Scripts", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1037", "mitre_attack_technique": "Boot or Logon Initialization Scripts", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "Rocke"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*/etc/init.d/*\", \"*/etc/rc.d/*\", \"*/sbin/init.d/*\", \"*/etc/rc.local*\") by Filesystem.dest Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_file_creation_in_init_boot_directory_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase", "known_false_positives": "Administrator or network operator can create file in this folders for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_file_creation_in_init_boot_directory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux File Creation In Profile Directory", "author": "Teoderick Contreras, Splunk", "date": "2021-12-20", "version": 1, "id": "46ba0082-61af-11ec-9826-acde48001122", "description": "This analytic looks for suspicious file creation in /etc/profile.d directory to automatically execute scripts by shell upon boot up of a linux machine. This technique is commonly abused by adversaries, malware and red teamers as a persistence mechanism to the targeted or compromised host. This Anomaly detection is a good indicator that someone wants to run a code after boot up which can be done also by the administrator or network operator for automation purposes.", "references": ["https://attack.mitre.org/techniques/T1546/004/", "https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A file $file_name$ is created in $file_path$ on $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.004", "mitre_attack_technique": "Unix Shell Configuration Modification", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*/etc/profile.d/*\") by Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_file_creation_in_profile_directory_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can create file in profile.d folders for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_file_creation_in_profile_directory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Find Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2022-08-09", "version": 1, "id": "2ff4e0c2-8256-4143-9c07-1e39c7231111", "description": "Find is a command-line utility that locates files based on some user-specified criteria and either prints the pathname of each matched object or, if another action is requested, performs that action on each matched object. If sudo right is given to find utility for the user, then the user can run system commands as root and possibly get a root shell.", "references": ["https://gtfobins.github.io/gtfobins/find/", "https://en.wikipedia.org/wiki/Find_(Unix)"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 5, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*find*\" AND Processes.process=\"*-exec*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_find_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives are present based on automated tooling or system administrative usage. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_find_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux GDB Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2022-08-09", "version": 1, "id": "310b7da2-ab52-437f-b1bf-0bd458674308", "description": "GDB is the acronym for GNU Debugger. This tool helps to debug the programs written in C, C++, Ada, Fortran, etc. The console can be opened using the gdb command on terminal. If sudo right is given to GDB tool for the user, then the user can run system commands as root and possibly get a root shell.", "references": ["https://gtfobins.github.io/gtfobins/gdb/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 10, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*gdb*\" AND Processes.process=\"*-nx*\" AND Processes.process=\"*-ex*!*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_gdb_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_gdb_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Gem Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2022-08-09", "version": 1, "id": "0115482a-5dcb-4bb0-bcca-5d095d224236", "description": "RubyGems is a package manager for the Ruby programming language that provides a standard format for distributing Ruby programs and libraries (in a self-contained format called a \"gem\"), a tool designed to easily manage the installation of gems, and a server for distributing them. If sudo right is given to GEM utility for the user, then the user can run system commands as root and possibly get a root shell.", "references": ["https://gtfobins.github.io/gtfobins/gem/", "https://en.wikipedia.org/wiki/RubyGems"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 10, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*gem*open*-e*\" AND Processes.process=\"*-c*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_gem_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_gem_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux GNU Awk Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2022-08-09", "version": 1, "id": "0dcf43b9-50d8-42a6-acd9-d1c9201fe6ae", "description": "gawk command in Linux is used for pattern scanning and processing language. The awk command requires no compiling and allows the user to use variables, numeric functions, string functions, and logical operators. It is a utility that enables programmers to write tiny and effective programs in the form of statements that define text patterns that are to be searched for, in a text document and the action that is to be taken when a match is found within a line. If sudo right is given to gawk tool for the user, then the user can run system commands as root and possibly get a root shell.", "references": ["https://gtfobins.github.io/gtfobins/gawk/", "https://www.geeksforgeeks.org/gawk-command-in-linux-with-examples/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*gawk*\" AND Processes.process=\"*BEGIN*{system*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_gnu_awk_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_gnu_awk_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Hardware Addition SwapOff", "author": "Teoderick Contreras, Splunk", "date": "2023-04-14", "version": 1, "id": "c1eea697-99ed-44c2-9b70-d8935464c499", "description": "This analytic looks for process execution to disable the swapping of paging devices. This technique was seen in Awfulshred malware that disables the swapping of the specified devices and files. This anomaly detection can be a good indicator that a process or a user tries to disable this Linux feature in a targeted host.", "references": ["https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/"], "tags": {"analytic_story": ["AwfulShred", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "a $process_name$ swap off paging device in $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1200", "mitre_attack_technique": "Hardware Additions", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["DarkVishnya"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"swapoff\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_hardware_addition_swapoff_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "administrator may disable swapping of devices in a linux host. Filter is needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_hardware_addition_swapoff_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux High Frequency Of File Deletion In Boot Folder", "author": "Teoderick Contreras, Splunk", "date": "2023-04-27", "version": 2, "id": "e27fbc5d-0445-4c4a-bc39-87f060d5c602", "description": "This analytic is to detect a high frequency of file deletion relative to process name and process id /boot/ folder. These events was seen in industroyer2 wiper malware where it tries to delete all files in a critical directory in linux directory. This detection already contains some filter that might cause false positive during our testing.", "references": ["https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", "https://cert.gov.ua/article/39518"], "tags": {"analytic_story": ["Data Destruction", "Industroyer2"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Multiple files detection in /boot/ folder on $dest$ by process GUID - $process_guid$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Filesystem.file_name) as deletedFileNames values(Filesystem.file_path) as deletedFilePath dc(Filesystem.file_path) as numOfDelFilePath count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path = \"/boot/*\" by _time span=1h Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | where numOfDelFilePath >= 200 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_high_frequency_of_file_deletion_in_boot_folder_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "linux package installer/uninstaller may cause this event. Please update you filter macro to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_high_frequency_of_file_deletion_in_boot_folder_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux High Frequency Of File Deletion In Etc Folder", "author": "Teoderick Contreras, Splunk", "date": "2023-04-27", "version": 2, "id": "9d867448-2aff-4d07-876c-89409a752ff8", "description": "This analytic is to detect a high frequency of file deletion relative to process name and process id /etc/ folder. These events was seen in acidrain wiper malware where it tries to delete all files in a non-standard directory in linux directory. This detection already contains some filter that might cause false positive during our testing. But we recommend to add more filter if needed.", "references": ["https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/"], "tags": {"analytic_story": ["AcidRain", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Multiple files delted in /etc/ folder on $dest$ by process GUID - $process_guid$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Filesystem.file_name) as deletedFileNames values(Filesystem.file_path) as deletedFilePath dc(Filesystem.file_path) as numOfDelFilePath count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path = \"/etc/*\" by _time span=1h Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | where numOfDelFilePath >= 200 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_high_frequency_of_file_deletion_in_etc_folder_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "linux package installer/uninstaller may cause this event. Please update you filter macro to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_high_frequency_of_file_deletion_in_etc_folder_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Impair Defenses Process Kill", "author": "Teoderick Contreras, Splunk", "date": "2023-04-14", "version": 1, "id": "435c6b33-adf9-47fe-be87-8e29fd6654f5", "description": "This analytic looks for PKILL process execution for possible termination of process. This technique is being used by several Threat actors, adversaries and red teamers to terminate processes in a targeted linux machine. This Hunting detection can be a good pivot to check a possible defense evasion technique or termination of security application in a linux host or wiper like Awfulshred that corrupt all files.", "references": ["https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/", "https://cert.gov.ua/article/3718487"], "tags": {"analytic_story": ["AwfulShred", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "a $process_name$ tries to execute pkill commandline to terminate process in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ( \"pgrep\", \"pkill\") Processes.process = \"*pkill *\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_impair_defenses_process_kill_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "network admin can terminate a process using this linux command. Filter is needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_impair_defenses_process_kill_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Indicator Removal Clear Cache", "author": "Teoderick Contreras, Splunk", "date": "2023-04-14", "version": 1, "id": "e0940505-0b73-4719-84e6-cb94c44a5245", "description": "This analytic looks for processes that clear or free page cache in Linux system host. This technique was seen in Awfulshred malware wiper that tries to clear the cache using kernel system request drop_caches while wiping all files in the targeted host. This TTP detection can be a good indicator of user or process tries to clear page cache to delete tracks or might be a wiper like Awfulshred.", "references": ["https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/", "https://cert.gov.ua/article/3718487"], "tags": {"analytic_story": ["AwfulShred", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "a $process_name$ clear cache using kernel drop cache system request in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (\"dash\", \"sudo\", \"bash\") AND Processes.process IN(\"* echo 3 > *\", \"* echo 2 > *\",\"* echo 1 > *\") AND Processes.process = \"*/proc/sys/vm/drop_caches\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_indicator_removal_clear_cache_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_indicator_removal_clear_cache_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Indicator Removal Service File Deletion", "author": "Teoderick Contreras, Splunk", "date": "2023-04-14", "version": 1, "id": "6c077f81-2a83-4537-afbc-0e62e3215d55", "description": "This analytic looks for suspicious linux processes that delete service unit configuration files. This technique was seen in several malware to delete service configuration files to corrupt a services or security product as part of its defense evasion. This TTP detection can be a good indicator of possible malware try to kill several services or a wiper like AwfulShred shell script that wipes the targeted linux host", "references": ["https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/", "https://cert.gov.ua/article/3718487"], "tags": {"analytic_story": ["AwfulShred", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "a $process_name$ has a commandline $process$ to delete service configuration file in $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"rm\" AND Processes.process = \"*rm *\" AND Processes.process = \"*.service\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_indicator_removal_service_file_deletion_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "network admin can delete services unit configuration file as part of normal software installation. Filter is needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_indicator_removal_service_file_deletion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Ingress Tool Transfer Hunting", "author": "Michael Haag, Splunk", "date": "2024-05-10", "version": 2, "id": "52fd468b-cb6d-48f5-b16a-92f1c9bb10cf", "description": "The following analytic detects the use of 'curl' and 'wget' commands within a Linux environment. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, user information, and command-line executions. This activity is significant as 'curl' and 'wget' are commonly used for downloading files, which can indicate potential ingress of malicious tools. If confirmed malicious, this activity could lead to unauthorized code execution, data exfiltration, or further compromise of the system. Monitoring and tuning this detection helps identify and differentiate between normal and potentially harmful usage.", "references": ["https://gtfobins.github.io/gtfobins/curl/", "https://curl.se/docs/manpage.html#-I", "https://gtfobins.github.io/gtfobins/curl/", "https://github.com/rapid7/metasploit-framework/search?q=curl"], "tags": {"analytic_story": ["Ingress Tool Transfer", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $process_name$ was identified on endpoint $dest$ by user $user$ utilizing curl or wget.", "risk_score": 1, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=curl OR Processes.process_name=wget) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_ingress_tool_transfer_hunting_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will be present. This query is meant to help tune other curl and wget analytics.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_ingress_tool_transfer_hunting_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Ingress Tool Transfer with Curl", "author": "Michael Haag, Splunk", "date": "2022-07-29", "version": 1, "id": "8c1de57d-abc1-4b41-a727-a7a8fc5e0857", "description": "The following analytic identifies curl with the command-line switches that are commonly used to download, output, a remote script or binary. MetaSploit Framework will combine the -sO switch with | chmod +x to enable a simple one liner to download and set the execute bit to run the file immediately. During triage, review the remote domain and file being downloaded for legitimacy.", "references": ["https://gtfobins.github.io/gtfobins/curl/", "https://curl.se/docs/manpage.html#-I", "https://gtfobins.github.io/gtfobins/curl/", "https://github.com/rapid7/metasploit-framework/search?q=curl"], "tags": {"analytic_story": ["Ingress Tool Transfer", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $process_name$ was identified on endpoint $dest$ by user $user$ to download a remote file. Review activity for further details.", "risk_score": 12, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=curl by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where match(process, \"(?i)(-O|-sO|-ksO|--output)\") | `linux_ingress_tool_transfer_with_curl_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will be present. Tune and then change type to TTP.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_ingress_tool_transfer_with_curl_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Insert Kernel Module Using Insmod Utility", "author": "Teoderick Contreras, Splunk", "date": "2021-12-22", "version": 1, "id": "18b5a1a0-6326-11ec-943a-acde48001122", "description": "This analytic looks for inserting of linux kernel module using insmod utility function. This event can detect a installation of rootkit or malicious kernel module to gain elevated privileges to their malicious code and bypassed detections. This Anomaly detection is a good indicator that someone installing kernel module in a linux host either admin or adversaries. filter is needed in this scenario", "references": ["https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/kernel-module-driver-configuration/Working_with_Kernel_Modules/", "https://security.stackexchange.com/questions/175953/how-to-load-a-malicious-lkm-at-startup", "https://0x00sec.org/t/kernel-rootkits-getting-your-hands-dirty/1485"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation", "Linux Rootkit"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A commandline $process$ that may install kernel module on $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.006", "mitre_attack_technique": "Kernel Modules and Extensions", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN(\"kmod\", \"sudo\") AND Processes.process = *insmod* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_insert_kernel_module_using_insmod_utility_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_insert_kernel_module_using_insmod_utility_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Install Kernel Module Using Modprobe Utility", "author": "Teoderick Contreras, Splunk", "date": "2021-12-22", "version": 1, "id": "387b278a-6326-11ec-aa2c-acde48001122", "description": "This analytic looks for possible installing a linux kernel module using modprobe utility function. This event can detect a installation of rootkit or malicious kernel module to gain elevated privileges to their malicious code and bypassed detections. This Anomaly detection is a good indicator that someone installing kernel module in a linux host either admin or adversaries. filter is needed in this scenario", "references": ["https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/kernel-module-driver-configuration/Working_with_Kernel_Modules/", "https://security.stackexchange.com/questions/175953/how-to-load-a-malicious-lkm-at-startup", "https://0x00sec.org/t/kernel-rootkits-getting-your-hands-dirty/1485"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation", "Linux Rootkit"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A commandline $process$ that may install kernel module on $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.006", "mitre_attack_technique": "Kernel Modules and Extensions", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN(\"kmod\", \"sudo\") AND Processes.process = *modprobe* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_install_kernel_module_using_modprobe_utility_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_install_kernel_module_using_modprobe_utility_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Iptables Firewall Modification", "author": "Teoderick Contreras, Splunk", "date": "2023-04-12", "version": 3, "id": "309d59dc-1e1b-49b2-9800-7cf18d12f7b7", "description": "This analytic looks for suspicious commandline that modify the iptables firewall setting of a linux machine. This technique was seen in cyclopsblink malware where it modifies the firewall setting of the compromised machine to allow traffic to its tcp port that will be used to communicate with its C2 server.", "references": ["https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf", "https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html"], "tags": {"analytic_story": ["Cyclops Blink", "Sandworm Tools"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A process name - $process_name$ that may modify iptables firewall on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT", "ToddyCat"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*iptables *\" AND Processes.process = \"* --dport *\" AND Processes.process = \"* ACCEPT*\" AND Processes.process = \"*&>/dev/null*\" AND Processes.process = \"* tcp *\" AND NOT(Processes.parent_process_path IN(\"/bin/*\", \"/lib/*\", \"/usr/bin/*\", \"/sbin/*\")) by Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest _time span=10s Processes.user Processes.parent_process_name Processes.parent_process_path Processes.process_path | rex field=Processes.process \"--dport (?3269|636|989|994|995|8443)\" | stats values(Processes.process) as processes_exec values(port) as ports values(Processes.process_guid) as guids values(Processes.process_id) as pids dc(port) as port_count count by Processes.process_name Processes.parent_process_name Processes.parent_process_id Processes.dest Processes.user Processes.parent_process_path Processes.process_path | where port_count >=3 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_iptables_firewall_modification_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "administrator may do this commandline for auditing and testing purposes. In this scenario filter is needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_iptables_firewall_modification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Java Spawning Shell", "author": "Michael Haag, Splunk", "date": "2023-04-14", "version": 1, "id": "7b09db8a-5c20-11ec-9945-acde48001122", "description": "The following analytic identifies the process name of Java, Apache, or Tomcat spawning a Linux shell. This is potentially indicative of exploitation of the Java application and may be related to current event CVE-2021-44228 (Log4Shell). The shells included in the macro are \"sh\", \"ksh\", \"zsh\", \"bash\", \"dash\", \"rbash\", \"fish\", \"csh', \"tcsh', \"ion\", \"eshell\". Upon triage, review parallel processes and command-line arguments to determine legitimacy.", "references": ["https://blog.netlab.360.com/ten-families-of-malicious-samples-are-spreading-using-the-log4j2-vulnerability-now/", "https://gist.github.com/olafhartong/916ebc673ba066537740164f7e7e1d72"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Log4Shell CVE-2021-44228", "Spring4Shell CVE-2022-22965"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ spawning a Linux shell, potentially indicative of exploitation.", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=java OR Processes.parent_process_name=apache OR Processes.parent_process_name=tomcat `linux_shells` by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_java_spawning_shell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Filtering may be required on internal developer build systems or classify assets as web facing and restrict the analytic based on asset type.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "linux_shells", "definition": "(Processes.process_name IN (\"sh\", \"ksh\", \"zsh\", \"bash\", \"dash\", \"rbash\", \"fish\", \"csh\", \"tcsh\", \"ion\", \"eshell\"))", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_java_spawning_shell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Kernel Module Enumeration", "author": "Michael Haag, Splunk", "date": "2024-05-15", "version": 2, "id": "6df99886-0e04-4c11-8b88-325747419278", "description": "The following analytic identifies the use of the 'kmod' process to list kernel modules on a Linux system. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. While listing kernel modules is not inherently malicious, it can be a precursor to loading unauthorized modules using 'insmod'. If confirmed malicious, this activity could allow an attacker to load kernel modules, potentially leading to privilege escalation, persistence, or other malicious actions within the system.", "references": ["https://man7.org/linux/man-pages/man8/kmod.8.html"], "tags": {"analytic_story": ["Linux Rootkit"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ enumeration kernel modules.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1082", "mitre_attack_technique": "System Information Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT19", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "Blue Mockingbird", "Chimera", "Confucius", "Darkhotel", "FIN13", "FIN8", "Gamaredon Group", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Malteiro", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Sowbug", "Stealth Falcon", "TA2541", "TeamTNT", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Windigo", "Windshift", "Wizard Spider", "ZIRCONIUM", "admin@338"]}, {"mitre_attack_id": "T1014", "mitre_attack_technique": "Rootkit", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT41", "Rocke", "TeamTNT", "Winnti Group"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=kmod Processes.process IN (\"*lsmod*\", \"*list*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_kernel_module_enumeration_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives are present based on automated tooling or system administrative usage. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_kernel_module_enumeration_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Kworker Process In Writable Process Path", "author": "Teoderick Contreras, Splunk", "date": "2023-04-12", "version": 2, "id": "1cefb270-74a5-4e27-aa0c-2b6fa7c5b4ed", "description": "This analytic looks for suspicious process kworker commandline in a linux machine. kworker process name or thread are common names of kernel threads in linux process. This hunting detections can lead to investigate process contains process path in writable directory in linux like /home/, /var/log and /tmp/. This technique was seen in cyclopsblink malware to blend its core and other of its child process as normal kworker on the compromised machine. This detection might be a good pivot to look for other IOC related to cyclopsblink malware or attacks.", "references": ["https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf", "https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html"], "tags": {"analytic_story": ["Cyclops Blink", "Sandworm Tools"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a $process_name$ with kworker commandline in $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036.004", "mitre_attack_technique": "Masquerade Task or Service", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT41", "BITTER", "BackdoorDiplomacy", "Carbanak", "FIN13", "FIN6", "FIN7", "Fox Kitten", "Higaisa", "Kimsuky", "Lazarus Group", "Magic Hound", "Naikon", "PROMETHIUM", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process = \"*[kworker/*\" Processes.parent_process_path IN (\"/home/*\", \"/tmp/*\", \"/var/log/*\") Processes.process=\"*iptables*\" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_path Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_kworker_process_in_writable_process_path_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_kworker_process_in_writable_process_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Make Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2022-08-09", "version": 1, "id": "80b22836-5091-4944-80ee-f733ac443f4f", "description": "The Linux make command is used to build and maintain groups of programs and files from the source code. In Linux, it is one of the most frequently used commands by the developers. It assists developers to install and compile many utilities from the terminal. If sudo right is given to make utility for the user, then the user can run system commands as root and possibly get a root shell.", "references": ["https://gtfobins.github.io/gtfobins/make/", "https://www.javatpoint.com/linux-make-command"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 20, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*make*-s*\" AND Processes.process=\"*--eval*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_make_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_make_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux MySQL Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2022-08-09", "version": 1, "id": "c0d810f4-230c-44ea-b703-989da02ff145", "description": "MySQL is an open-source relational database management system. Its name is a combination of \"My\", the name of co-founder Michael Widenius's daughter My, and \"SQL\", the abbreviation for Structured Query Language. If sudo right is given to mysql utility for the user, then the user can run system commands as root and possibly get a root shell.", "references": ["https://gtfobins.github.io/gtfobins/mysql/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*mysql*-e*\" AND Processes.process=\"*\\!**\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_mysql_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives are present based on automated tooling or system administrative usage. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_mysql_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Ngrok Reverse Proxy Usage", "author": "Michael Haag, Splunk", "date": "2023-01-12", "version": 1, "id": "bc84d574-708c-467d-b78a-4c1e20171f97", "description": "The following analytic identifies the use of Ngrok being utilized on the Linux operating system. Unfortunately, there is no original file name for Ngrok, so it may be worth an additional hunt to identify any command-line arguments. The sign of someone using Ngrok is not malicious, however, more recently it has become an adversary tool.", "references": ["https://ngrok.com/", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf"], "tags": {"analytic_story": ["Reverse Network Proxy"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "A reverse proxy was identified spawning from $parent_process_name$ - $process_name$ on endpoint $dest$ by user $user$.", "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1572", "mitre_attack_technique": "Protocol Tunneling", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Chimera", "Cinnamon Tempest", "Cobalt Group", "FIN13", "FIN6", "Fox Kitten", "Leviathan", "Magic Hound", "OilRig"]}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "Cinnamon Tempest", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "MoustachedBouncer", "POLONIUM", "Sandworm Team", "Turla", "Volt Typhoon", "Windigo"]}, {"mitre_attack_id": "T1102", "mitre_attack_technique": "Web Service", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT32", "EXOTIC LILY", "Ember Bear", "FIN6", "FIN8", "Fox Kitten", "Gamaredon Group", "Inception", "LazyScripter", "Mustang Panda", "Rocke", "TeamTNT", "Turla"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=ngrok Processes.process IN (\"*start*\", \"*--config*\",\"*http*\",\"*authtoken*\", \"*http*\", \"*tcp*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_ngrok_reverse_proxy_usage_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present if Ngrok is an authorized utility. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_ngrok_reverse_proxy_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Node Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2022-07-31", "version": 1, "id": "2e58a4ff-398f-42f4-8fd0-e01ebfe2a8ce", "description": "Node.js is a back-end JavaScript runtime environment that is open-source, cross-platform, runs on the V8 engine, and executes JavaScript code outside of a web browser. It was created to help create scalable network applications. If the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.", "references": ["https://gtfobins.github.io/gtfobins/docker/", "https://en.wikipedia.org/wiki/Node.js"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*sudo*node*\" AND Processes.process=\"*-e*\" AND Processes.process=\"*child_process.spawn*\" AND Processes.process=\"*stdio*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_node_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives are present based on automated tooling or system administrative usage. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_node_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux NOPASSWD Entry In Sudoers File", "author": "Teoderick Contreras, Splunk", "date": "2021-12-21", "version": 1, "id": "ab1e0d52-624a-11ec-8e0b-acde48001122", "description": "This analytic is to look for suspicious command lines that may add entry to /etc/sudoers with NOPASSWD attribute in linux platform. This technique is commonly abuse by adversaries, malware author and red teamers to gain elevated privilege to the targeted or compromised host. /etc/sudoers file controls who can run what commands users can execute on the machines and can also control whether user need a password to execute particular commands. This file is composed of aliases (basically variables) and user specifications.", "references": ["https://askubuntu.com/questions/334318/sudoers-file-enable-nopasswd-for-user-all-commands", "https://help.ubuntu.com/community/Sudoers"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a commandline $process$ executed on $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*NOPASSWD:*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_nopasswd_entry_in_sudoers_file_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_nopasswd_entry_in_sudoers_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Obfuscated Files or Information Base64 Decode", "author": "Michael Haag, Splunk", "date": "2024-05-15", "version": 2, "id": "303b38b2-c03f-44e2-8f41-4594606fcfc7", "description": "The following analytic detects the use of the base64 decode command on Linux systems, which is often used to deobfuscate files. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that include \"base64 -d\" or \"base64 --decode\". This activity is significant as it may indicate an attempt to hide malicious payloads or scripts. If confirmed malicious, an attacker could use this technique to execute hidden code, potentially leading to unauthorized access, data exfiltration, or further system compromise.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md#atomic-test-1---decode-base64-data-into-script", "https://redcanary.com/blog/lateral-movement-with-secure-shell/", "https://linux.die.net/man/1/base64"], "tags": {"analytic_story": ["Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ decoding base64.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN (\"*base64 -d*\",\"*base64 --decode*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_obfuscated_files_or_information_base64_decode_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present and will require some tuning based on processes. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_obfuscated_files_or_information_base64_decode_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Octave Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2022-08-11", "version": 1, "id": "78f7487d-42ce-4f7f-8685-2159b25fb477", "description": "GNU Octave is a high-level programming language primarily intended for scientific computing and numerical computation. Octave helps in solving linear and nonlinear problems numerically, and for performing other numerical experiments using a language that is mostly compatible with MATLAB. If sudo right is given to the application for the user, then the user can run system commands as root and possibly get a root shell.", "references": ["https://gtfobins.github.io/gtfobins/octave/", "https://en.wikipedia.org/wiki/GNU_Octave"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 20, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*octave-cli*\" AND Processes.process=\"*--eval*\" AND Processes.process=\"*system*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_octave_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_octave_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux OpenVPN Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2022-08-11", "version": 1, "id": "d25feebe-fa1c-4754-8a1e-afb03bedc0f2", "description": "OpenVPN is a virtual private network system that implements techniques to create secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It implements both client and server applications. If sudo right is given to the OpenVPN application for the user, then the user can run system commands as root and possibly get a root shell.", "references": ["https://gtfobins.github.io/gtfobins/openvpn/", "https://en.wikipedia.org/wiki/OpenVPN"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*openvpn*\" AND Processes.process=\"*--dev*\" AND Processes.process=\"*--script-security*\" AND Processes.process=\"*--up*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_openvpn_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_openvpn_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Persistence and Privilege Escalation Risk Behavior", "author": "Michael Haag, Splunk", "date": "2022-08-30", "version": 3, "id": "ad5ac21b-3b1e-492c-8e19-ea5d5e8e5cf1", "description": "The following correlation is specific to Linux persistence and privilege escalation tactics and is tied to two analytic stories and any Linux analytic tied to persistence and privilege escalation. These techniques often overlap with Persistence techniques, as OS features that let an adversary persist can execute in an elevated context.", "references": ["https://attack.mitre.org/tactics/TA0004/"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "Hostname", "role": ["Victim"]}], "message": "Privilege escalation and persistence behaviors have been identified on $risk_object$.", "risk_score": 56, "security_domain": "audit", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "Correlation", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where (All_Risk.analyticstories IN (\"Linux Privilege Escalation\", \"Linux Persistence Techniques\") OR source = \"*Linux*\") All_Risk.annotations.mitre_attack.mitre_tactic IN (\"persistence\", \"privilege-escalation\") All_Risk.risk_object_type=\"system\" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 4 | `linux_persistence_and_privilege_escalation_risk_behavior_filter`", "how_to_implement": "Ensure Linux anomaly and TTP analytics are enabled. TTP may be set to Notables for point detections, anomaly should not be notables but risk generators. The correlation relies on more than x amount of distict detection names generated before generating a notable. Modify the value as needed. Default value is set to 4. This value may need to be increased based on activity in your environment.", "known_false_positives": "False positives will be present based on many factors. Tune the correlation as needed to reduce too many triggers.", "datamodel": ["Risk"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_persistence_and_privilege_escalation_risk_behavior_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux PHP Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2022-08-09", "version": 1, "id": "4fc4c031-e5be-4cc0-8cf9-49f9f507bcb5", "description": "PHP is a general-purpose scripting language geared toward web development. It was originally created by Danish-Canadian programmer Rasmus Lerdorf in 1994. The PHP reference implementation is now produced by The PHP Group. If sudo right is given to php application for the user, then the user can run system commands as root and possibly get a root shell.", "references": ["https://gtfobins.github.io/gtfobins/php/", "https://en.wikipedia.org/wiki/PHP"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*php*-r*\" AND Processes.process=\"*system*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_php_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_php_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux pkexec Privilege Escalation", "author": "Michael Haag, Splunk", "date": "2022-01-28", "version": 1, "id": "03e22c1c-8086-11ec-ac2e-acde48001122", "description": "The following analytic identifies `pkexec` spawning with no command-line arguments. A vulnerability in Polkit's pkexec component identified as CVE-2021-4034 (PwnKit) which is present in the default configuration of all major Linux distributions and can be exploited to gain full root privileges on the system.", "references": ["https://www.reddit.com/r/crowdstrike/comments/sdfeig/20220126_cool_query_friday_hunting_pwnkit_local/", "https://linux.die.net/man/1/pkexec", "https://www.bleepingcomputer.com/news/security/linux-system-service-bug-gives-root-on-all-major-distros-exploit-released/", "https://access.redhat.com/security/security-updates/#/?q=polkit&p=1&sort=portal_publication_date%20desc&rows=10&portal_advisory_type=Security%20Advisory&documentKind=PortalProduct"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ related to a local privilege escalation in polkit pkexec.", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=pkexec by _time Processes.dest Processes.user Processes.process_id Processes.parent_process_name Processes.process_name Processes.process Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(^.{1}$)\" | `linux_pkexec_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_pkexec_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Possible Access Or Modification Of sshd Config File", "author": "Teoderick Contreras, Splunk", "date": "2022-01-11", "version": 1, "id": "7a85eb24-72da-11ec-ac76-acde48001122", "description": "This analytic is to look for suspicious process command-line that might be accessing or modifying sshd_config. This file is the ssh configuration file that might be modify by threat actors or adversaries to redirect port connection, allow user using authorized key generated during attack. This anomaly detection might catch noise from administrator auditing or modifying ssh configuration file. In this scenario filter is needed", "references": ["https://www.hackingarticles.in/ssh-penetration-testing-port-22/", "https://attack.mitre.org/techniques/T1098/004/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a commandline $process$ executed on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098.004", "mitre_attack_technique": "SSH Authorized Keys", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca", "TeamTNT"]}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN(\"cat\", \"nano*\",\"vim*\", \"vi*\") AND Processes.process IN(\"*/etc/ssh/sshd_config\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_access_or_modification_of_sshd_config_file_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_possible_access_or_modification_of_sshd_config_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Possible Access To Credential Files", "author": "Teoderick Contreras, Splunk", "date": "2022-01-10", "version": 1, "id": "16107e0e-71fc-11ec-b862-acde48001122", "description": "This analytic is to detect a possible attempt to dump or access the content of /etc/passwd and /etc/shadow to enable offline credential cracking. \"etc/passwd\" store user information within linux OS while \"etc/shadow\" contain the user passwords hash. Adversaries and threat actors may attempt to access this to gain persistence and/or privilege escalation. This anomaly detection can be a good indicator of possible credential dumping technique but it might catch some normal administrator automation scripts or during credential auditing. In this scenario filter is needed.", "references": ["https://askubuntu.com/questions/445361/what-is-difference-between-etc-shadow-and-etc-passwd", "https://attack.mitre.org/techniques/T1003/008/"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A commandline $process$ executed on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.008", "mitre_attack_technique": "/etc/passwd and /etc/shadow", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN(\"cat\", \"nano*\",\"vim*\", \"vi*\") AND Processes.process IN(\"*/etc/shadow*\", \"*/etc/passwd*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_access_to_credential_files_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_possible_access_to_credential_files_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Possible Access To Sudoers File", "author": "Teoderick Contreras, Splunk", "date": "2022-01-10", "version": 1, "id": "4479539c-71fc-11ec-b2e2-acde48001122", "description": "This analytic is to detect a possible access or modification of /etc/sudoers file. \"/etc/sudoers\" file controls who can run what command as what users on what machine and can also control whether a specific user need a password for particular commands. adversaries and threat actors abuse this file to gain persistence and/or privilege escalation during attack on targeted host.", "references": ["https://attack.mitre.org/techniques/T1548/003/", "https://web.archive.org/web/20210708035426/https://www.cobaltstrike.com/downloads/csmanual43.pdf"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A commandline $process$ executed on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN(\"cat\", \"nano*\",\"vim*\", \"vi*\") AND Processes.process IN(\"*/etc/sudoers*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_access_to_sudoers_file_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_possible_access_to_sudoers_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Possible Append Command To At Allow Config File", "author": "Teoderick Contreras, Splunk", "date": "2022-05-26", "version": 2, "id": "7bc20606-5f40-11ec-a586-acde48001122", "description": "The following analytic is designed to identify suspicious command lines that may append user entries to either /etc/at.allow or /etc/at.deny. These files can be exploited by malicious actors for persistence on a compromised Linux host by altering permissions for scheduled tasks using the at command.\nIn this context, an attacker can create a user or add an existing user to these configuration files to execute their malicious code through scheduled tasks. The detection of such anomalous behavior can serve as an effective indicator warranting further investigation to validate if the activity is indeed malicious or a false positive.", "references": ["https://linuxize.com/post/at-command-in-linux/", "https://attack.mitre.org/techniques/T1053/001/"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A commandline $process$ that may modify at allow config file in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.002", "mitre_attack_technique": "At", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "BRONZE BUTLER", "Threat Group-3390"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes where Processes.process = \"*echo*\" AND Processes.process IN(\"*/etc/at.allow\", \"*/etc/at.deny\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_append_command_to_at_allow_config_file_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_possible_append_command_to_at_allow_config_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Possible Append Command To Profile Config File", "author": "Teoderick Contreras, Splunk", "date": "2021-12-20", "version": 1, "id": "9c94732a-61af-11ec-91e3-acde48001122", "description": "This analytic looks for suspicious command-lines that can be possibly used to modify user profile files to automatically execute scripts/executables by shell upon reboot of the machine. This technique is commonly abused by adversaries, malware and red teamers as persistence mechanism to the targeted or compromised host. This Anomaly detection is a good indicator that someone wants to run code after reboot which can be done also by the administrator or network operator for automation purposes.", "references": ["https://unix.stackexchange.com/questions/129143/what-is-the-purpose-of-bashrc-and-how-does-it-work", "https://attack.mitre.org/techniques/T1546/004/"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a commandline $process$ that may modify profile files in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.004", "mitre_attack_technique": "Unix Shell Configuration Modification", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*echo*\" AND Processes.process IN(\"*~/.bashrc\", \"*~/.bash_profile\", \"*/etc/profile\", \"~/.bash_login\", \"*~/.profile\", \"~/.bash_logout\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_append_command_to_profile_config_file_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_possible_append_command_to_profile_config_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Possible Append Cronjob Entry on Existing Cronjob File", "author": "Teoderick Contreras, Splunk", "date": "2021-12-17", "version": 1, "id": "b5b91200-5f27-11ec-bb4e-acde48001122", "description": "The following analytic is designed to detect potential tampering with cronjob files on a Linux system. It specifically searches for command lines that may be used to append code to existing cronjob files, a technique often employed by adversaries, malware, and red teamers for persistence or privilege escalation. Altering existing or sometimes normal cronjob script files allows malicious code to be executed automatically.\nThe analytic operates by monitoring logs for specific process names, parent processes, and command-line executions from your endpoints. It specifically checks for any 'echo' command which modifies files in directories commonly associated with cron jobs such as '/etc/cron*', '/var/spool/cron/', and '/etc/anacrontab'. If such activity is detected, an alert is triggered.\nThis behavior is worth identifying for a SOC because malicious cron jobs can lead to system compromises and unauthorized data access, impacting business operations and data integrity.", "references": ["https://attack.mitre.org/techniques/T1053/003/", "https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability", "https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A commandline $process$ that may modify cronjob file in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.003", "mitre_attack_technique": "Cron", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT38", "APT5", "Rocke"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes where Processes.process = \"*echo*\" AND Processes.process IN(\"*/etc/cron*\", \"*/var/spool/cron/*\", \"*/etc/anacrontab*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_append_cronjob_entry_on_existing_cronjob_file_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may arise from legitimate actions by administrators or network operators who may use these commands for automation purposes. Therefore, it's recommended to adjust filter macros to eliminate such false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_possible_append_cronjob_entry_on_existing_cronjob_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Possible Cronjob Modification With Editor", "author": "Teoderick Contreras, Splunk", "date": "2021-12-17", "version": 1, "id": "dcc89bde-5f24-11ec-87ca-acde48001122", "description": "The following analytic detects potential unauthorized modifications to Linux cronjobs using text editors like \"nano\", \"vi\" or \"vim\". It identifies this behavior by tracking command-line executions that interact with paths related to cronjob configuration, a common Linux scheduling utility. Cronjob files may be manipulated by attackers for privilege escalation or persistent access, making such changes critical to monitor.\\ The identified behavior is significant for a Security Operations Center (SOC) as it could indicate an ongoing attempt at establishing persistent access or privilege escalation, leading to data breaches, system compromise, or other malicious activities.\nIn case of a true positive, the impact could be severe. An attacker with escalated privileges or persistent access could carry out damaging actions, such as data theft, sabotage, or further network penetration.\nTo implement this analytic, ensure ingestion of logs tracking process name, parent process, and command-line executions from your endpoints. Utilize the Add-on for Linux Sysmon from Splunkbase if you're using Sysmon.\nKnown false positives include legitimate administrative tasks, as these commands may also be used for benign purposes. Careful tuning and filtering based on known benign activity in your environment can minimize these instances.", "references": ["https://attack.mitre.org/techniques/T1053/003/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A commandline $process$ that may modify cronjob file using editor in $dest$", "risk_score": 6, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.003", "mitre_attack_technique": "Cron", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT38", "APT5", "Rocke"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name IN(\"nano\",\"vim.basic\") OR Processes.process IN (\"*nano *\", \"*vi *\", \"*vim *\")) AND Processes.process IN(\"*/etc/cron*\", \"*/var/spool/cron/*\", \"*/etc/anacrontab*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_cronjob_modification_with_editor_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_possible_cronjob_modification_with_editor_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Possible Ssh Key File Creation", "author": "Teoderick Contreras, Splunk", "date": "2022-01-11", "version": 1, "id": "c04ef40c-72da-11ec-8eac-acde48001122", "description": "This analytic is to look for possible ssh key file creation on ~/.ssh/ folder. This technique is commonly abused by threat actors and adversaries to gain persistence and privilege escalation to the targeted host. by creating ssh private and public key and passing the public key to the attacker server. threat actor can access remotely the machine using openssh daemon service.", "references": ["https://www.hackingarticles.in/ssh-penetration-testing-port-22/", "https://attack.mitre.org/techniques/T1098/004/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A file $file_name$ is created in $file_path$ on $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098.004", "mitre_attack_technique": "SSH Authorized Keys", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca", "TeamTNT"]}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*/.ssh*\") by Filesystem.dest Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_possible_ssh_key_file_creation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can create file in ~/.ssh folders for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_possible_ssh_key_file_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Preload Hijack Library Calls", "author": "Teoderick Contreras, Splunk", "date": "2021-12-22", "version": 1, "id": "cbe2ca30-631e-11ec-8670-acde48001122", "description": "This analytic is to detect a suspicious command that may hijack a library function in linux platform. This technique is commonly abuse by adversaries, malware author and red teamers to gain privileges and persist on the machine. This detection pertains to loading a dll to hijack or hook a library function of specific program using LD_PRELOAD command.", "references": ["https://compilepeace.medium.com/memory-malware-part-0x2-writing-userland-rootkits-via-ld-preload-30121c8343d5"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A commandline $process$ that may hijack library function on $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1574.006", "mitre_attack_technique": "Dynamic Linker Hijacking", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT41", "Rocke"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*LD_PRELOAD*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_preload_hijack_library_calls_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_preload_hijack_library_calls_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Proxy Socks Curl", "author": "Michael Haag, Splunk", "date": "2022-07-29", "version": 1, "id": "bd596c22-ad1e-44fc-b242-817253ce8b08", "description": "The following analytic identifies curl being utilized with a proxy based on command-line arguments - -x, socks, --preproxy and --proxy. This behavior is built into the MetaSploit Framework as a auxiliary module. What does socks buy an adversary? SOCKS4a extends the SOCKS4 protocol to allow a client to specify a destination domain name rather than an IP address. The SOCKS5 protocol is defined in RFC 1928. It is an incompatible extension of the SOCKS4 protocol; it offers more choices for authentication and adds support for IPv6 and UDP, the latter of which can be used for DNS lookups. The protocols, and a proxy itself, allow an adversary to evade controls in place monitoring traffic, making it harder for the defender to identify and track activity.", "references": ["https://www.offensive-security.com/metasploit-unleashed/proxytunnels/", "https://curl.se/docs/manpage.html", "https://en.wikipedia.org/wiki/SOCKS", "https://oxylabs.io/blog/curl-with-proxy", "https://reqbin.com/req/c-ddxflki5/curl-proxy-server#:~:text=To%20use%20a%20proxy%20with,be%20URL%20decoded%20by%20Curl.", "https://gtfobins.github.io/gtfobins/curl/"], "tags": {"analytic_story": ["Ingress Tool Transfer", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $process_name$ was identified on endpoint $dest$ by user $user$ utilizing a proxy. Review activity for further details.", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "Cinnamon Tempest", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "MoustachedBouncer", "POLONIUM", "Sandworm Team", "Turla", "Volt Typhoon", "Windigo"]}, {"mitre_attack_id": "T1095", "mitre_attack_technique": "Non-Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT3", "BITTER", "BackdoorDiplomacy", "FIN6", "HAFNIUM", "Metador", "PLATINUM", "ToddyCat"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=curl Processes.process IN (\"*-x *\", \"*socks4a://*\", \"*socks5h://*\", \"*socks4://*\",\"*socks5://*\", \"*--preproxy *\", \"--proxy*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_proxy_socks_curl_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present based on proxy usage internally. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_proxy_socks_curl_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Puppet Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2022-08-11", "version": 1, "id": "1d19037f-466e-4d56-8d87-36fafd9aa3ce", "description": "In computing, Puppet is a software configuration management tool which includes its own declarative language to describe system configuration. It is a model-driven solution that requires limited programming knowledge to use. If sudo right is given to the tool for the user, then the user can run system commands as root and possibly get a root shell.", "references": ["https://gtfobins.github.io/gtfobins/puppet/", "https://en.wikipedia.org/wiki/Puppet_(software)"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 5, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*puppet*\" AND Processes.process=\"*apply*\" AND Processes.process=\"*-e*\" AND Processes.process=\"*exec*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_puppet_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_puppet_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux RPM Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2022-08-09", "version": 1, "id": "f8e58a23-cecd-495f-9c65-6c76b4cb9774", "description": "RPM Package Manager is a free and open-source package management system. The name RPM refers to the .rpm file format and the package manager program itself. RPM was intended primarily for Linux distributions; the file format is the baseline package format of the Linux Standard Base. If sudo right is given to rpm utility for the user, then the user can run system commands as root and possibly get a root shell.", "references": ["https://gtfobins.github.io/gtfobins/rpm/", "https://en.wikipedia.org/wiki/RPM_Package_Manager"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*rpm*--eval*\" AND Processes.process=\"*lua:os.execute*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_rpm_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives are present based on automated tooling or system administrative usage. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_rpm_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Ruby Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2022-08-09", "version": 1, "id": "097b28b5-7004-4d40-a715-7e390501788b", "description": "Ruby is one of the most used and easy to use programming languages. Ruby is an open-source, object-oriented interpreter that can be installed on a Linux system. If sudo right is given to ruby application for the user, then the user can run system commands as root and possibly get a root shell.", "references": ["https://gtfobins.github.io/gtfobins/ruby/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*ruby*-e*\" AND Processes.process=\"*exec*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_ruby_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives are present based on automated tooling or system administrative usage. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_ruby_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Service File Created In Systemd Directory", "author": "Teoderick Contreras, Splunk", "date": "2021-12-20", "version": 1, "id": "c7495048-61b6-11ec-9a37-acde48001122", "description": "The following analytic is designed to detect suspicious file creation within the systemd timer directory on Linux platforms. Systemd is a system and service manager for Linux, similar to the combination of wininit.exe and services.exe on Windows. This process initializes a Linux system and starts defined services in unit files. Malicious actors, such as adversaries, malware, or red teamers, can exploit this feature by embedding a systemd service file for persistence on the targeted or compromised host.\nThe analytic works by monitoring logs with file name, file path, and process GUID data from your endpoints. If a .service file is created in certain systemd directories, the analytic triggers an alert. This behavior is significant for a Security Operations Center (SOC) as it may indicate a persistent threat within the network, with a potential impact of system compromise or data exfiltration.", "references": ["https://attack.mitre.org/techniques/T1053/006/", "https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/", "https://redcanary.com/blog/attck-t1501-understanding-systemd-service-persistence/", "https://github.com/microsoft/MSTIC-Sysmon/blob/main/linux/configs/attack-based/persistence/T1053.003_Cron_Activity.xml"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A service file named as $file_path$ is created in systemd folder on $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.006", "mitre_attack_technique": "Systemd Timers", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name = *.service Filesystem.file_path IN (\"*/etc/systemd/system*\", \"*/lib/systemd/system*\", \"*/usr/lib/systemd/system*\", \"*/run/systemd/system*\", \"*~/.config/systemd/*\", \"*~/.local/share/systemd/*\",\"*/etc/systemd/user*\", \"*/lib/systemd/user*\", \"*/usr/lib/systemd/user*\", \"*/run/systemd/user*\") by Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_service_file_created_in_systemd_directory_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "False positives may arise when administrators or network operators create files in systemd directories for legitimate automation tasks. Therefore, it's important to adjust filter macros to account for valid activities. To implement this search successfully, it's crucial to ingest appropriate logs, preferably using the Linux Sysmon Add-on from Splunkbase for those using Sysmon.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_service_file_created_in_systemd_directory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Service Restarted", "author": "Teoderick Contreras, Splunk", "date": "2023-04-14", "version": 1, "id": "084275ba-61b8-11ec-8d64-acde48001122", "description": "The following analytic detects the restarting or re-enabling of services in the Linux platform. It focuses on the use of the systemctl or service tools for executing these actions. Adversaries may leverage this technique to repeatedly execute malicious payloads as a form of persistence. Linux hosts typically start services during boot to perform background system functions. However, administrators may also create legitimate services for specific tools or applications as part of task automation. In such cases, it is recommended to verify the service path of the registered script or executable and identify the creator of the service for further validation.\nIt's important to be aware that this analytic may generate false positives as administrators or network operators may use the same command-line for legitimate automation purposes. Filter macros should be updated accordingly to minimize false positives.\nIdentifying restarted or re-enabled services is valuable for a SOC as it can indicate potential malicious activities attempting to maintain persistence or execute unauthorized actions on Linux systems. By detecting and investigating these events, security analysts can respond promptly to mitigate risks and prevent further compromise. The impact of a true positive can range from unauthorized access to data destruction or other damaging outcomes.", "references": ["https://attack.mitre.org/techniques/T1543/003/"], "tags": {"analytic_story": ["AwfulShred", "Data Destruction", "Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A commandline $process$ that may create or start a service on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.006", "mitre_attack_technique": "Systemd Timers", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name IN (\"systemctl\", \"service\") OR Processes.process IN (\"*systemctl *\", \"*service *\")) Processes.process IN (\"*restart*\", \"*reload*\", \"*reenable*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_service_restarted_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_service_restarted_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Service Started Or Enabled", "author": "Teoderick Contreras, Splunk", "date": "2024-01-24", "version": 2, "id": "e0428212-61b7-11ec-88a3-acde48001122", "description": "The following analytic detects the creation or enabling of services in Linux platforms, specifically using the systemctl or service tool application. This behavior is worth identifying as adversaries may create or modify services to execute malicious payloads as part of persistence. Legitimate services created by administrators for automation purposes may also trigger this analytic, so it is important to update the filter macros to remove false positives. If a true positive is found, it suggests an possible attacker is attempting to persist within the environment or deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. To implement this analytic, ensure you are ingesting logs with the process name, parent process, and command-line executions from your endpoints.", "references": ["https://attack.mitre.org/techniques/T1543/003/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a commandline $process$ that may create or start a service on $dest", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.006", "mitre_attack_technique": "Systemd Timers", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name IN (\"systemctl\", \"service\") OR Processes.process IN (\"*systemctl *\", \"*service *\")) Processes.process IN (\"* start *\", \"* enable *\") AND NOT (Processes.os=\"Microsoft Windows\" OR Processes.vendor_product=\"Microsoft Windows\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_service_started_or_enabled_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_service_started_or_enabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Setuid Using Chmod Utility", "author": "Teoderick Contreras, Splunk", "date": "2021-12-21", "version": 1, "id": "bf0304b6-6250-11ec-9d7c-acde48001122", "description": "This analytic looks for suspicious chmod utility execution to enable SUID bit. This allows a user to temporarily gain root access, usually in order to run a program. For example, only the root account is allowed to change the password information contained in the password database; If the SUID bit appears as an s, the file's owner also has execute permission to the file; if it appears as an S, the file's owner does not have execute permission. The second specialty permission is the SGID, or set group id bit. It is similar to the SUID bit, except it can temporarily change group membership, usually to execute a program. The SGID bit is set if an s or an S appears in the group section of permissions.", "references": ["https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a commandline $process$ that may set suid or sgid on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.001", "mitre_attack_technique": "Setuid and Setgid", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes WHERE (Processes.process_name = chmod OR Processes.process = \"*chmod *\") AND Processes.process IN(\"* g+s *\", \"* u+s *\", \"* 4777 *\", \"* 4577 *\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_setuid_using_chmod_utility_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_setuid_using_chmod_utility_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Setuid Using Setcap Utility", "author": "Teoderick Contreras, Splunk", "date": "2021-12-21", "version": 1, "id": "9d96022e-6250-11ec-9a19-acde48001122", "description": "This analytic looks for suspicious setcap utility execution to enable SUID bit. This allows a user to temporarily gain root access, usually in order to run a program. For example, only the root account is allowed to change the password information contained in the password database; If the SUID bit appears as an s, the file's owner also has execute permission to the file; if it appears as an S, the file's owner does not have execute permission. The second specialty permission is the SGID, or set group id bit. It is similar to the SUID bit, except it can temporarily change group membership, usually to execute a program. The SGID bit is set if an s or an S appears in the group section of permissions.", "references": ["https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A commandline $process$ that may set suid or sgid on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.001", "mitre_attack_technique": "Setuid and Setgid", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = setcap OR Processes.process = \"*setcap *\") AND Processes.process IN (\"* cap_setuid=ep *\", \"* cap_setuid+ep *\", \"* cap_net_bind_service+p *\", \"* cap_net_raw+ep *\", \"* cap_dac_read_search+ep *\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_setuid_using_setcap_utility_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_setuid_using_setcap_utility_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Shred Overwrite Command", "author": "Teoderick Contreras, Splunk", "date": "2023-04-14", "version": 1, "id": "c1952cf1-643c-4965-82de-11c067cbae76", "description": "This analytic is to detect a shred process to overwrite a files in a linux machine. Shred Linux application is designed to overwrite file to hide its contents or make the deleted file un-recoverable. Weve seen this technique in industroyer2 malware that tries to wipe energy facilities of targeted sector as part of its destructive attack. It might be some normal user may use this command for valid purposes but it is recommended to check what files, disk or folder it tries to shred that might be good pivot for incident response in this type of destructive malware.", "references": ["https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", "https://cert.gov.ua/article/39518"], "tags": {"analytic_story": ["AwfulShred", "Data Destruction", "Industroyer2", "Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A possible shred overwrite command $process$ executed on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name =shred AND Processes.process IN (\"*-n*\", \"*-u*\", \"*-z*\", \"*-s*\") by Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_shred_overwrite_command_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_shred_overwrite_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Sqlite3 Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2022-08-11", "version": 1, "id": "ab75dbb7-c3ba-4689-9c1b-8d2717bdcba1", "description": "sqlite3 is a terminal-based front-end to the SQLite library that can evaluate queries interactively and display the results in multiple formats. sqlite3 can also be used within shell scripts and other applications to provide batch processing features. If sudo right is given to this application for the user, then the user can run system commands as root and possibly get a root shell.", "references": ["https://gtfobins.github.io/gtfobins/sqlite3/", "https://manpages.ubuntu.com/manpages/trusty/en/man1/sqlite3.1.html"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*sqlite3*\" AND Processes.process=\"*.shell*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_sqlite3_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_sqlite3_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux SSH Authorized Keys Modification", "author": "Michael Haag, Splunk", "date": "2024-05-12", "version": 2, "id": "f5ab595e-28e5-4327-8077-5008ba97c850", "description": "The following analytic detects the modification of SSH Authorized Keys on Linux systems. It leverages process execution data from Endpoint Detection and Response (EDR) agents, specifically monitoring commands like \"bash\" and \"cat\" interacting with \"authorized_keys\" files. This activity is significant as adversaries often modify SSH Authorized Keys to establish persistent access to compromised endpoints. If confirmed malicious, this behavior could allow attackers to maintain unauthorized access, bypassing traditional authentication mechanisms and potentially leading to further exploitation or data exfiltration.", "references": ["https://redcanary.com/blog/lateral-movement-with-secure-shell/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"], "tags": {"analytic_story": ["Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ modifying SSH Authorized Keys.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098.004", "mitre_attack_technique": "SSH Authorized Keys", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca", "TeamTNT"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (\"bash\",\"cat\") Processes.process IN (\"*/authorized_keys*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_ssh_authorized_keys_modification_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Filtering will be required as system administrators will add and remove. One way to filter query is to add \"echo\".", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_ssh_authorized_keys_modification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux SSH Remote Services Script Execute", "author": "Michael Haag, Splunk", "date": "2024-05-13", "version": 2, "id": "aa1748dd-4a5c-457a-9cf6-ca7b4eb711b3", "description": "The following analytic detects the use of SSH to move laterally and execute a script or file on a remote host. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific SSH command-line parameters and URLs. This activity is significant as it may indicate an attacker attempting to execute remote commands or scripts, potentially leading to unauthorized access or control over additional systems. If confirmed malicious, this could result in lateral movement, privilege escalation, or the execution of malicious payloads, compromising the security of the network.", "references": ["https://redcanary.com/blog/lateral-movement-with-secure-shell/"], "tags": {"analytic_story": ["Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $process_name$ was identified on endpoint $dest$ by user $user$ attempting to move laterally and download a file.", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.004", "mitre_attack_technique": "SSH", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT39", "APT5", "BlackTech", "FIN13", "FIN7", "Fox Kitten", "GCMAN", "Lazarus Group", "Leviathan", "OilRig", "Rocke", "TeamTNT", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=ssh Processes.process IN (\"*oStrictHostKeyChecking*\", \"*oConnectTimeout*\", \"*oBatchMode*\") AND Processes.process IN (\"*http:*\",\"*https:*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_ssh_remote_services_script_execute_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "This is not a common command to be executed. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_ssh_remote_services_script_execute_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Stdout Redirection To Dev Null File", "author": "Teoderick Contreras, Splunk", "date": "2023-04-14", "version": 1, "id": "de62b809-a04d-46b5-9a15-8298d330f0c8", "description": "This analytic looks for suspicious commandline that redirect the stdout or possible stderror to dev/null file. This technique was seen in cyclopsblink malware where it redirect the possible output or error while modify the iptables firewall setting of the compromised machine to hide its action from the user. This Anomaly detection is a good pivot to look further why process or user use this un common approach.", "references": ["https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf", "https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html"], "tags": {"analytic_story": ["Cyclops Blink", "Data Destruction", "Industroyer2"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a commandline $process$ that redirect stdout to dev/null in $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT", "ToddyCat"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*&>/dev/null*\" by Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest Processes.user Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_stdout_redirection_to_dev_null_file_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_stdout_redirection_to_dev_null_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Stop Services", "author": "Teoderick Contreras, Splunk", "date": "2023-04-14", "version": 1, "id": "d05204a5-9f1c-4946-a7f3-4fa58d76d5fd", "description": "The following analytic is to detect events that attempt to stop or clear a service. This is typically identified in parallel with other instances of service enumeration of attempts to stop a service and then delete it. Adversaries utilize this technique like industroyer2 malware to terminate security services or other related services to continue there objective as a destructive payload.", "references": ["https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", "https://cert.gov.ua/article/39518"], "tags": {"analytic_story": ["AwfulShred", "Data Destruction", "Industroyer2"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified attempting to stop services on endpoint $dest$ by $user$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (\"systemctl\", \"service\", \"svcadm\") Processes.process =\"*stop*\" by Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_stop_services_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_stop_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Sudo OR Su Execution", "author": "Teoderick Contreras, Splunk", "date": "2022-01-04", "version": 1, "id": "4b00f134-6d6a-11ec-a90c-acde48001122", "description": "This analytic is to detect the execution of sudo or su command in linux operating system. The \"sudo\" command allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments. This command is commonly abused by adversaries, malware author and red teamers to elevate privileges to the targeted host. This command can be executed by administrator for legitimate purposes or to execute process that need admin privileges, In this scenario filter is needed.", "references": ["https://attack.mitre.org/techniques/T1548/003/"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A commandline $process$ that execute sudo or su in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (\"sudo\", \"su\") OR Processes.parent_process_name IN (\"sudo\", \"su\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_sudo_or_su_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_sudo_or_su_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Sudoers Tmp File Creation", "author": "Teoderick Contreras, Splunk", "date": "2021-12-23", "version": 1, "id": "be254a5c-63e7-11ec-89da-acde48001122", "description": "This analytic is to looks for file creation of sudoers.tmp file cause by editing /etc/sudoers using visudo or editor in linux platform. This technique may abuse by adversaries, malware author and red teamers to gain elevated privilege to targeted or compromised host. /etc/sudoers file controls who can run what commands as what users on what machines and can also control special things such as whether you need a password for particular commands. The file is composed of aliases (basically variables) and user specifications (which control who can run what).", "references": ["https://forum.ubuntuusers.de/topic/sudo-visudo-gibt-etc-sudoers-tmp/"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A file $file_name$ is created in $file_path$ on $dest$", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*sudoers.tmp*\") by Filesystem.dest Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_sudoers_tmp_file_creation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_sudoers_tmp_file_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux System Network Discovery", "author": "Teoderick Contreras, Splunk", "date": "2023-04-14", "version": 1, "id": "535cb214-8b47-11ec-a2c7-acde48001122", "description": "This analytic is to look for possible enumeration of local network configuration. This technique is commonly used as part of recon of adversaries or threat actor to know some network information for its next or further attack. This anomaly detections may capture normal event made by administrator during auditing or testing network connection of specific host or network to network.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"], "tags": {"analytic_story": ["Data Destruction", "Industroyer2", "Network Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Network discovery process $process_name_list$ executed on $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name_list values(Processes.process) as process_list values(Processes.process_id) as process_id_list values(Processes.parent_process_id) as parent_process_id_list values(Processes.process_guid) as process_guid_list dc(Processes.process_name) as process_name_count from datamodel=Endpoint.Processes where Processes.process_name IN (\"arp\", \"ifconfig\", \"ip\", \"netstat\", \"firewall-cmd\", \"ufw\", \"iptables\", \"ss\", \"route\") by _time span=30m Processes.dest Processes.user | where process_name_count >=4 | `drop_dm_object_name(Processes)`| `linux_system_network_discovery_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_system_network_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux System Reboot Via System Request Key", "author": "Teoderick Contreras, Splunk", "date": "2023-04-14", "version": 1, "id": "e1912b58-ed9c-422c-bbb0-2dbc70398345", "description": "This analytic is to look for possible execution of SysReq hack to reboot the Linux system host. This technique was seen in Awfulshred malware wiper to reboot the compromised host by using the linux magic sysreq key. This kernel configuration can trigger reboot by piping out 'b' to /proc/sysrq-trigger after enabling all the functions of sysrq. This TTP detection can be a good indicator of possible suspicious processes running on the Linux host since this command is not a common way to reboot a system.", "references": ["https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html", "https://cert.gov.ua/article/3718487", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/"], "tags": {"analytic_story": ["AwfulShred", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a $process_name$ execute sysrq command $process$ to reboot $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (\"dash\", \"sudo\", \"bash\") Processes.process = \"* echo b > *\" Processes.process = \"*/proc/sysrq-trigger\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_system_reboot_via_system_request_key_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_system_reboot_via_system_request_key_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Unix Shell Enable All SysRq Functions", "author": "Teoderick Contreras, Splunk", "date": "2023-04-14", "version": 1, "id": "e7a96937-3b58-4962-8dce-538e4763cf15", "description": "This analytic is to look for possible execution of SysReq hack to enable all functions of kernel system requests of the Linux system host. This technique was seen in AwfulShred malware wiper to reboot the compromised host by using the linux magic sysreq key. This kernel configuration can be triggered by piping out bitmask '1' to /proc/sys/kernel/sysrq. This TTP detection can be a good indicator of possible suspicious processes running on the Linux host since this command is not so common shell commandline.", "references": ["https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html", "https://cert.gov.ua/article/3718487", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/"], "tags": {"analytic_story": ["AwfulShred", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a $process_name$ execute sysrq command $process$ to enable all function of system request in $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.004", "mitre_attack_technique": "Unix Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT41", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (\"dash\", \"sudo\", \"bash\") Processes.process = \"* echo 1 > *\" Processes.process = \"*/proc/sys/kernel/sysrq\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_unix_shell_enable_all_sysrq_functions_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_unix_shell_enable_all_sysrq_functions_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Visudo Utility Execution", "author": "Teoderick Contreras, Splunk", "date": "2021-12-21", "version": 1, "id": "08c41040-624c-11ec-a71f-acde48001122", "description": "This analytic is to looks for suspicious commandline that add entry to /etc/sudoers by using visudo utility tool in linux platform. This technique may abuse by adversaries, malware author and red teamers to gain elevated privilege to targeted or compromised host. /etc/sudoers file controls who can run what commands as what users on what machines and can also control special things such as whether you need a password for particular commands. The file is composed of aliases (basically variables) and user specifications (which control who can run what).", "references": ["https://askubuntu.com/questions/334318/sudoers-file-enable-nopasswd-for-user-all-commands"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A commandline $process$ executed on $dest$", "risk_score": 16, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = visudo by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_visudo_utility_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_visudo_utility_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Living Off The Land Detection", "author": "Michael Haag, Splunk", "date": "2024-05-21", "version": 3, "id": "1be30d80-3a39-4df9-9102-64a467b24abc", "description": "The following correlation identifies multiple risk events associated with the \"Living Off The Land\" analytic story, indicating potentially suspicious behavior. It leverages the Risk data model to aggregate and correlate events tagged under this story, focusing on systems with a high count of distinct sources. This activity is significant as it often involves the use of legitimate tools for malicious purposes, making detection challenging. If confirmed malicious, this behavior could allow attackers to execute code, escalate privileges, or persist within the environment using trusted system utilities.", "references": ["https://www.splunk.com/en_us/blog/security/living-off-the-land-threat-research-february-2022-release.html", "https://research.splunk.com/stories/living_off_the_land/"], "tags": {"analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control", "Delivery", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "Hostname", "role": ["Victim"]}], "message": "An increase of Living Off The Land behavior has been detected on $risk_object$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "type": "Correlation", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories=\"Living Off The Land\" All_Risk.risk_object_type=\"system\" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 5 | `living_off_the_land_detection_filter`", "how_to_implement": "To implement this correlation search a user needs to enable all detections in the Living Off The Land Analytic Story and confirm it is generating risk events. A simple search `index=risk analyticstories=\"Living Off The Land\"` should contain events.", "known_false_positives": "There are no known false positive for this search, but it could contain false positives as multiple detections can trigger and not have successful exploitation. Modify the static value distinct_detection_name to a higher value. It is also required to tune analytics that are also tagged to ensure volume is never too much.", "datamodel": ["Risk"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "living_off_the_land_detection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Loading Of Dynwrapx Module", "author": "Teoderick Contreras, Splunk", "date": "2021-11-18", "version": 1, "id": "eac5e8ba-4857-11ec-9371-acde48001122", "description": "DynamicWrapperX is an ActiveX component that can be used in a script to call Windows API functions, but it requires the dynwrapx.dll to be installed and registered. With that, registering or loading dynwrapx.dll to a host is highly suspicious. In most instances when it is used maliciously, the best way to triage is to review parallel processes and pivot on the process_guid. Review the registry for any suspicious modifications meant to load dynwrapx.dll. Identify any suspicious module loads of dynwrapx.dll. This detection will return and identify the processes that invoke vbs/wscript/cscript.", "references": ["https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/", "https://www.script-coding.com/dynwrapx_eng.html", "https://bohops.com/2018/06/28/abusing-com-registry-structure-clsid-localserver32-inprocserver32/", "https://tria.ge/210929-ap75vsddan", "https://www.virustotal.com/gui/file/cb77b93150cb0f7fe65ce8a7e2a5781e727419451355a7736db84109fa215a89", "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat"], "tags": {"analytic_story": ["AsyncRAT", "Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "dynwrapx.dll loaded by process $process_name$ on $dest$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1055.001", "mitre_attack_technique": "Dynamic-link Library Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["BackdoorDiplomacy", "Lazarus Group", "Leviathan", "Malteiro", "Putter Panda", "TA505", "Tropic Trooper", "Turla", "Wizard Spider"]}]}, "type": "TTP", "search": "`sysmon` EventCode=7 (ImageLoaded = \"*\\\\dynwrapx.dll\" OR OriginalFileName = \"dynwrapx.dll\" OR Product = \"DynamicWrapperX\") | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded OriginalFileName Product process_name dest EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `loading_of_dynwrapx_module_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on processes that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives should be limited, however it is possible to filter by Processes.process_name and specific processes (ex. wscript.exe). Filter as needed. This may need modification based on EDR telemetry and how it brings in registry data. For example, removal of (Default).", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "loading_of_dynwrapx_module_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Local Account Discovery with Net", "author": "Mauricio Velazco, Splunk", "date": "2021-09-16", "version": 2, "id": "5d0d4830-0133-11ec-bae3-acde48001122", "description": "This analytic looks for the execution of `net.exe` or `net1.exe` with command-line arguments utilized to query for local users. The two arguments `user` and 'users', return a list of all local users. Red Teams and adversaries alike use net.exe to enumerate users for situational awareness and Active Directory Discovery.", "references": ["https://attack.mitre.org/techniques/T1087/001/"], "tags": {"analytic_story": ["Active Directory Discovery", "Sandworm Tools"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Local user discovery enumeration on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT41", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` (Processes.process=*user OR Processes.process=*users) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `local_account_discovery_with_net_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "local_account_discovery_with_net_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Local Account Discovery With Wmic", "author": "Mauricio Velazco, Splunk", "date": "2021-09-16", "version": 2, "id": "4902d7aa-0134-11ec-9d65-acde48001122", "description": "This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to query for local users. The argument `useraccount` is used to leverage WMI to return a list of all local users. Red Teams and adversaries alike use net.exe to enumerate users for situational awareness and Active Directory Discovery.", "references": ["https://attack.mitre.org/techniques/T1087/001/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Local user discovery enumeration on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT41", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` (Processes.process=*useraccount*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `local_account_discovery_with_wmic_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "local_account_discovery_with_wmic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Log4Shell CVE-2021-44228 Exploitation", "author": "Jose Hernandez, Splunk", "date": "2022-09-09", "version": 3, "id": "9be30d80-3a39-4df9-9102-64a467b24eac", "description": "This correlation find exploitation of Log4Shell CVE-2021-44228 against systems using detections from Splunk Security Content Analytic Story. It does this by calculating the distinct count of MITRE ATT&CK tactics from Log4Shell detections fired. If the count is larger than 2 or more distinct MITRE ATT&CK tactics we assume high problability of exploitation. The Analytic story breaks down into 3 major phases of a Log4Shell exploitation, specifically> Initial Payload delivery eg. `${jndi:ldap://PAYLOAD_INJECTED}` Call back to malicious LDAP server eg. Exploit.class Post Exploitation Activity/Lateral Movement using Powershell or similar T1562.001 Each of these phases fall into different MITRE ATT&CK Tactics (Initial Access, Execution, Command And Control), by looking into 2 or more phases showing up in detections triggerd is how this correlation search finds exploitation. If we get a notable from this correlation search the best way to triage it is by investigating the affected systems against Log4Shell exploitation using Splunk SOAR playbooks.", "references": ["https://research.splunk.com/stories/log4shell_cve-2021-44228/", "https://www.splunk.com/en_us/blog/security/simulating-detecting-and-responding-to-log4shell-with-splunk.html"], "tags": {"analytic_story": ["CISA AA22-320A", "Log4Shell CVE-2021-44228"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control", "Delivery", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "Hostname", "role": ["Victim"]}], "message": "Log4Shell Exploitation detected against $risk_object$.", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "type": "Correlation", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories=\"Log4Shell CVE-2021-44228\" All_Risk.risk_object_type=\"system\" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 2 | `log4shell_cve_2021_44228_exploitation_filter`", "how_to_implement": "To implement this correlation search a user needs to enable all detections in the Log4Shell Analytic Story and confirm it is generation risk events. A simple search `index=risk analyticstories=\"Log4Shell CVE-2021-44228\"` should contain events.", "known_false_positives": "There are no known false positive for this search, but it could contain false positives as multiple detections can trigger and not have successful exploitation.", "datamodel": ["Risk"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "log4shell_cve_2021_44228_exploitation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Logon Script Event Trigger Execution", "author": "Teoderick Contreras, Splunk", "date": "2023-04-14", "version": 1, "id": "4c38c264-1f74-11ec-b5fa-acde48001122", "description": "This search is to detect a suspicious modification of registry entry to persist and gain privilege escalation upon booting up of compromised host. This technique was seen in several APT and malware where it modify UserInitMprLogonScript registry entry to its malicious payload to be executed upon boot up of the machine.", "references": ["https://attack.mitre.org/techniques/T1037/001/"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Persistence Techniques", "Windows Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Registry path $registry_path$ was modified, added, or deleted on $dest$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1037", "mitre_attack_technique": "Boot or Logon Initialization Scripts", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "Rocke"]}, {"mitre_attack_id": "T1037.001", "mitre_attack_technique": "Logon Script (Windows)", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "Cobalt Group"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path IN (\"*\\\\Environment\\\\UserInitMprLogonScript\") by Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `logon_script_event_trigger_execution_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "logon_script_event_trigger_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "LOLBAS With Network Traffic", "author": "Steven Dick", "date": "2021-12-09", "version": 1, "id": "2820f032-19eb-497e-8642-25b04a880359", "description": "The following analytic identifies LOLBAS with network traffic. When adversaries abuse LOLBAS they are often used to download malicious code or executables. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like downloading malicious code. Looking for these process can help defenders identify lateral movement, command-and-control, or exfiltration activies.", "references": ["https://lolbas-project.github.io/#", "https://www.sans.org/presentations/lolbin-detection-methods-seven-common-attacks-revealed/"], "tags": {"analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives", "Command and Control", "Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "Hostname", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Attacker"]}], "message": "The LOLBAS $process_name$ on device $src$ was seen communicating with $dest$.", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1567", "mitre_attack_technique": "Exfiltration Over Web Service", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT28", "Magic Hound"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic.All_Traffic where (All_Traffic.app IN (\"*Regsvcs.exe\", \"*\\\\Ftp.exe\", \"*OfflineScannerShell.exe\", \"*Rasautou.exe\", \"*Schtasks.exe\", \"*Xwizard.exe\", \"*Pnputil.exe\", \"*Atbroker.exe\", \"*Pcwrun.exe\", \"*Ttdinject.exe\", \"*Mshta.exe\", \"*Bitsadmin.exe\", \"*Certoc.exe\", \"*Ieexec.exe\", \"*Microsoft.Workflow.Compiler.exe\", \"*Runscripthelper.exe\", \"*Forfiles.exe\", \"*Msbuild.exe\", \"*Register-cimprovider.exe\", \"*Tttracer.exe\", \"*Ie4uinit.exe\", \"*Bash.exe\", \"*Hh.exe\", \"*SettingSyncHost.exe\", \"*Cmstp.exe\", \"*Stordiag.exe\", \"*Scriptrunner.exe\", \"*Odbcconf.exe\", \"*Extexport.exe\", \"*Msdt.exe\", \"*WorkFolders.exe\", \"*Diskshadow.exe\", \"*Mavinject.exe\", \"*Regasm.exe\", \"*Gpscript.exe\", \"*Regsvr32.exe\", \"*Msiexec.exe\", \"*Wuauclt.exe\", \"*Presentationhost.exe\", \"*Wmic.exe\", \"*Runonce.exe\", \"*Syncappvpublishingserver.exe\", \"*Verclsid.exe\", \"*Infdefaultinstall.exe\", \"*Installutil.exe\", \"*Netsh.exe\", \"*Wab.exe\", \"*Dnscmd.exe\", \"*\\\\At.exe\", \"*Pcalua.exe\", \"*Msconfig.exe\", \"*makecab.exe\", \"*cscript.exe\", \"*notepad.exe\", \"*\\\\cmd.exe\", \"*certutil.exe\", \"*\\\\powershell.exe\", \"*powershell_ise.exe\")) by All_Traffic.app,All_Traffic.src,All_Traffic.src_ip,All_Traffic.user,All_Traffic.dest,All_Traffic.dest_ip | `drop_dm_object_name(All_Traffic)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rex field=app \".*\\\\\\(?.*)$\" | rename app as process | `lolbas_with_network_traffic_filter`", "how_to_implement": "To successfully implement this detection you must ingest events into the Network traffic data model that contain the source, destination, and communicating process in the app feild. Relevant processes must also be ingested in the Endpoint data model with matching process_id feild. Sysmon EID1 and EID3 are good examples of this type this data type.", "known_false_positives": "Legitmate usage of internal automation or scripting, espically powershell.exe internal to internal or logon scripts. It may be necessary to omit internal IP ranges if extremely noisy. ie NOT dest_ip IN (\"10.0.0.0/8\",\"172.16.0.0/12\",\"192.168.0.0/16\",\"170.98.0.0/16\",\"0:0:0:0:0:0:0:1\") ", "datamodel": ["Network_Traffic"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "lolbas_with_network_traffic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "MacOS - Re-opened Applications", "author": "Jamie Windley, Splunk", "date": "2024-05-14", "version": 2, "id": "40bb64f9-f619-4e3d-8732-328d40377c4b", "description": "The following analytic identifies processes referencing plist files that determine which applications are re-opened when a user reboots their MacOS machine. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and parent processes related to \"com.apple.loginwindow.\" This activity is significant because it can indicate attempts to persist across reboots, a common tactic used by attackers to maintain access. If confirmed malicious, this could allow an attacker to execute code or maintain persistence on the affected system, potentially leading to further compromise.", "references": [], "tags": {"analytic_story": ["ColdRoot MacOS RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*com.apple.loginwindow*\" by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `macos___re_opened_applications_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "At this stage, there are no known false positives. During testing, no process events refering the com.apple.loginwindow.plist files were observed during normal operation of re-opening applications on reboot. Therefore, it can be asumed that any occurences of this in the process events would be worth investigating. In the event that the legitimate modification by the system of these files is in fact logged to the process log, then the process_name of that process can be added to an allow list.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "macos___re_opened_applications_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "MacOS LOLbin", "author": "Patrick Bareiss, Splunk", "date": "2024-05-17", "version": 3, "id": "58d270fb-5b39-418e-a855-4b8ac046805e", "description": "The following analytic detects multiple executions of Living off the Land (LOLbin) binaries on macOS within a short period. It leverages osquery to monitor process events and identifies commands such as \"find\", \"crontab\", \"screencapture\", \"openssl\", \"curl\", \"wget\", \"killall\", and \"funzip\". This activity is significant as LOLbins are often used by attackers to perform malicious actions while evading detection. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or persist within the environment, posing a significant security risk.", "references": ["https://osquery.readthedocs.io/en/stable/deployment/process-auditing/"], "tags": {"analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Multiplle LOLbin are executed on host $dest$ by user $user$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.004", "mitre_attack_technique": "Unix Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT41", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "type": "TTP", "search": "`osquery` name=es_process_events columns.cmdline IN (\"find*\", \"crontab*\", \"screencapture*\", \"openssl*\", \"curl*\", \"wget*\", \"killall*\", \"funzip*\") | rename columns.* as * | stats min(_time) as firstTime max(_time) as lastTime values(cmdline) as cmdline, values(pid) as pid, values(parent) as parent, values(path) as path, values(signing_id) as signing_id, dc(path) as dc_path by username host | rename username as user, cmdline as process, path as process_path, host as dest | where dc_path > 3 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `macos_lolbin_filter`", "how_to_implement": "This detection uses osquery and endpoint security on MacOS. Follow the link in references, which describes how to setup process auditing in MacOS with endpoint security and osquery.", "known_false_positives": "None identified.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "osquery", "definition": "sourcetype=osquery:results", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "macos_lolbin_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "MacOS plutil", "author": "Patrick Bareiss, Splunk", "date": "2024-05-22", "version": 4, "id": "c11f2b57-92c1-4cd2-b46c-064eafb833ac", "description": "The following analytic detects the usage of the `plutil` command to modify plist files on macOS systems. It leverages osquery to monitor process events, specifically looking for executions of `/usr/bin/plutil`. This activity is significant because adversaries can use `plutil` to alter plist files, potentially adding malicious binaries or command-line arguments that execute upon user logon or system startup. If confirmed malicious, this could allow attackers to achieve persistence, execute arbitrary code, or escalate privileges, posing a significant threat to the system's security.", "references": ["https://osquery.readthedocs.io/en/stable/deployment/process-auditing/"], "tags": {"analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "plutil are executed on $dest$ from $user$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1647", "mitre_attack_technique": "Plist File Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "`osquery` name=es_process_events columns.path=/usr/bin/plutil | rename columns.* as * | stats count min(_time) as firstTime max(_time) as lastTime by username host cmdline pid path parent signing_id | rename username as user, cmdline as process, path as process_path, host as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `macos_plutil_filter`", "how_to_implement": "This detection uses osquery and endpoint security on MacOS. Follow the link in references, which describes how to setup process auditing in MacOS with endpoint security and osquery.", "known_false_positives": "Administrators using plutil to change plist files.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "osquery", "definition": "sourcetype=osquery:results", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "macos_plutil_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Mailsniper Invoke functions", "author": "Teoderick Contreras, Splunk", "date": "2024-05-07", "version": 3, "id": "a36972c8-b894-11eb-9f78-acde48001122", "description": "The following analytic detects the execution of known MailSniper PowerShell functions on a machine. It leverages PowerShell logs (EventCode 4104) to identify specific script block text associated with MailSniper activities. This behavior is significant as MailSniper is often used by attackers to harvest sensitive emails from compromised Exchange servers. If confirmed malicious, this activity could lead to unauthorized access to sensitive email data, credential theft, and further compromise of the email infrastructure.", "references": ["https://www.blackhillsinfosec.com/introducing-mailsniper-a-tool-for-searching-every-users-email-for-sensitive-data/"], "tags": {"analytic_story": ["Data Exfiltration"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Potential mailsniper.ps1 functions executed on dest $dest$ by user $user$.", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1114", "mitre_attack_technique": "Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Magic Hound", "Silent Librarian"]}, {"mitre_attack_id": "T1114.001", "mitre_attack_technique": "Local Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "Chimera", "Magic Hound"]}]}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*Invoke-GlobalO365MailSearch*\", \"*Invoke-GlobalMailSearch*\", \"*Invoke-SelfSearch*\", \"*Invoke-PasswordSprayOWA*\", \"*Invoke-PasswordSprayEWS*\",\"*Invoke-DomainHarvestOWA*\", \"*Invoke-UsernameHarvestOWA*\",\"*Invoke-OpenInboxFinder*\",\"*Invoke-InjectGEventAPI*\",\"*Invoke-InjectGEvent*\",\"*Invoke-SearchGmail*\", \"*Invoke-MonitorCredSniper*\", \"*Invoke-AddGmailRule*\",\"*Invoke-PasswordSprayEAS*\",\"*Invoke-UsernameHarvestEAS*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `mailsniper_invoke_functions_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the powershell logs from your endpoints. make sure you enable needed registry to monitor this event.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "mailsniper_invoke_functions_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Malicious InProcServer32 Modification", "author": "Michael Haag, Splunk", "date": "2021-10-05", "version": 1, "id": "127c8d08-25ff-11ec-9223-acde48001122", "description": "The following analytic identifies a process modifying the registry with a known malicious CLSID under InProcServer32. Most COM classes are registered with the operating system and are identified by a GUID that represents the Class Identifier (CLSID) within the registry (usually under HKLM\\\\Software\\\\Classes\\\\CLSID or HKCU\\\\Software\\\\Classes\\\\CLSID). Behind the implementation of a COM class is the server (some binary) that is referenced within registry keys under the CLSID. The LocalServer32 key represents a path to an executable (exe) implementation, and the InprocServer32 key represents a path to a dynamic link library (DLL) implementation (Bohops). During triage, review parallel processes for suspicious activity. Pivot on the process GUID to see the full timeline of events. Analyze the value and look for file modifications. Being this is looking for inprocserver32, a DLL found in the value will most likely be loaded by a parallel process.", "references": ["https://bohops.com/2018/06/28/abusing-com-registry-structure-clsid-localserver32-inprocserver32/", "https://tria.ge/210929-ap75vsddan", "https://www.virustotal.com/gui/file/cb77b93150cb0f7fe65ce8a7e2a5781e727419451355a7736db84109fa215a89"], "tags": {"analytic_story": ["Remcos", "Suspicious Regsvr32 Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "The $process_name$ was identified on endpoint $dest$ modifying the registry with a known malicious clsid under InProcServer32.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes by _time Processes.process_id Processes.process_name Processes.dest Processes.process_guid Processes.user | `drop_dm_object_name(Processes)` | join process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\CLSID\\\\{89565275-A714-4a43-912E-978B935EDCCC}\\\\InProcServer32\\\\(Default)\" by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.dest Registry.process_guid Registry.user | `drop_dm_object_name(Registry)` | fields _time dest registry_path registry_key_name registry_value_name process_name process_path process process_guid user] | stats count min(_time) as firstTime max(_time) as lastTime by dest, process_name registry_path registry_key_name registry_value_name user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `malicious_inprocserver32_modification_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited, filter as needed. In our test case, Remcos used regsvr32.exe to modify the registry. It may be required, dependent upon the EDR tool producing registry events, to remove (Default) from the command-line.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "malicious_inprocserver32_modification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Malicious Powershell Executed As A Service", "author": "Ryan Becwar", "date": "2024-05-20", "version": 3, "id": "8e204dfd-cae0-4ea8-a61d-e972a1ff2ff8", "description": "The following analytic identifies the execution of malicious PowerShell commands or payloads via the Windows SC.exe utility. It detects this activity by analyzing Windows System logs (EventCode 7045) and filtering for specific PowerShell-related patterns in the ImagePath field. This behavior is significant because it indicates potential abuse of the Windows Service Control Manager to run unauthorized or harmful scripts, which could lead to system compromise. If confirmed malicious, this activity could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment.", "references": ["https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf", "http://az4n6.blogspot.com/2017/", "https://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier"], "tags": {"analytic_story": ["Malicious PowerShell", "Rhysida Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Identifies the abuse the Windows SC.exe to execute malicious powerShell as a service $ImagePath$ by $user$ on $dest$", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}]}, "type": "TTP", "search": " `wineventlog_system` EventCode=7045 | eval l_ImagePath=lower(ImagePath) | regex l_ImagePath=\"powershell[.\\s]|powershell_ise[.\\s]|pwsh[.\\s]|psexec[.\\s]\" | regex l_ImagePath=\"-nop[rofile\\s]+|-w[indowstyle]*\\s+hid[den]*|-noe[xit\\s]+|-enc[odedcommand\\s]+\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ImagePath ServiceName StartType ServiceType AccountName UserID dest | rename UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `malicious_powershell_executed_as_a_service_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows System logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints.", "known_false_positives": "Creating a hidden powershell service is rare and could key off of those instances.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "malicious_powershell_executed_as_a_service_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Malicious PowerShell Process - Encoded Command", "author": "David Dorsey, Michael Haag, Splunk", "date": "2022-01-18", "version": 7, "id": "c4db14d9-7909-48b4-a054-aa14d89dbb19", "description": "The following analytic identifies the use of the EncodedCommand PowerShell parameter. This is typically used by Administrators to run complex scripts, but commonly used by adversaries to hide their code.\nThe analytic identifies all variations of EncodedCommand, as PowerShell allows the ability to shorten the parameter. For example enc, enco, encod and so forth. In addition, through our research it was identified that PowerShell will interpret different command switch types beyond the hyphen. We have added endash, emdash, horizontal bar, and forward slash.\nDuring triage, review parallel events to determine legitimacy. Tune as needed based on admin scripts in use.\nAlternatively, may use regex per matching here https://regexr.com/662ov.", "references": ["https://regexr.com/662ov", "https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/Windows/TestHarnesses/T1059.001_PowerShell/OutPowerShellCommandLineParameter.ps1", "https://ss64.com/ps/powershell.html", "https://twitter.com/M_haggis/status/1440758396534214658?s=20", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"analytic_story": ["CISA AA22-320A", "DarkCrystal RAT", "Data Destruction", "Hermetic Wiper", "Malicious PowerShell", "NOBELIUM Group", "Qakbot", "Sandworm Tools", "Volt Typhoon", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Powershell.exe running potentially malicious encodede commands on $dest$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` by Processes.user Processes.process_name Processes.process Processes.parent_process_name Processes.original_file_name Processes.dest Processes.process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where match(process,\"(?i)[\\-|\\/|– |—|―]e(nc*o*d*e*d*c*o*m*m*a*n*d*)*\\s+[^-]\") | `malicious_powershell_process___encoded_command_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "System administrators may use this option, but it's not common.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "malicious_powershell_process___encoded_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Malicious PowerShell Process - Execution Policy Bypass", "author": "Rico Valdez, Mauricio Velazco, Splunk", "date": "2024-05-13", "version": 6, "id": "9be56c82-b1cc-4318-87eb-d138afaaca39", "description": "The following analytic detects PowerShell processes initiated with parameters that bypass the local execution policy for scripts. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions containing specific flags like \"-ex\" or \"bypass.\" This activity is significant because bypassing execution policies is a common tactic used by attackers to run malicious scripts undetected. If confirmed malicious, this could allow an attacker to execute arbitrary code, potentially leading to further system compromise, data exfiltration, or persistent access within the environment.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"analytic_story": ["AsyncRAT", "DHS Report TA18-074A", "DarkCrystal RAT", "HAFNIUM Group", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "PowerShell local execution policy bypass attempt on $dest$", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process_id) as process_id, values(Processes.parent_process_id) as parent_process_id values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` (Processes.process=\"* -ex*\" OR Processes.process=\"* bypass *\") by Processes.process_id, Processes.user, Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `malicious_powershell_process___execution_policy_bypass_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "There may be legitimate reasons to bypass the PowerShell execution policy. The PowerShell script being run with this parameter should be validated to ensure that it is legitimate.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "malicious_powershell_process___execution_policy_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Malicious PowerShell Process With Obfuscation Techniques", "author": "David Dorsey, Splunk", "date": "2024-05-18", "version": 6, "id": "cde75cf6-3c7a-4dd6-af01-27cdb4511fd4", "description": "The following analytic detects PowerShell processes launched with command-line arguments indicative of obfuscation techniques. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and complete command-line executions. This activity is significant because obfuscated PowerShell commands are often used by attackers to evade detection and execute malicious scripts. If confirmed malicious, this activity could lead to unauthorized code execution, privilege escalation, or persistent access within the environment, posing a significant security risk.", "references": [], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Powershell.exe running with potential obfuscated arguments on $dest$", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` by Processes.user Processes.process_name Processes.original_file_name Processes.parent_process_name Processes.dest Processes.process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| eval num_obfuscation = (mvcount(split(process,\"`\"))-1) + (mvcount(split(process, \"^\"))-1) + (mvcount(split(process, \"'\"))-1) | `malicious_powershell_process_with_obfuscation_techniques_filter` | search num_obfuscation > 10 ", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "These characters might be legitimately on the command-line, but it is not common.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "malicious_powershell_process_with_obfuscation_techniques_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Mimikatz PassTheTicket CommandLine Parameters", "author": "Mauricio Velazco, Splunk", "date": "2023-12-27", "version": 1, "id": "13bbd574-83ac-11ec-99d4-acde48001122", "description": "The following analytic looks for the use of Mimikatz command line parameters leveraged to execute pass the ticket attacks. Red teams and adversaries alike may use the pass the ticket technique using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Defenders should be aware that adversaries may customize the source code of Mimikatz and modify the command line parameters. This would effectively bypass this analytic.", "references": ["https://github.com/gentilkiwi/mimikatz", "https://attack.mitre.org/techniques/T1550/003/"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "CISA AA22-320A", "CISA AA23-347A", "Sandworm Tools"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "message": "Mimikatz command line parameters for pass the ticket attacks were used on $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1550.003", "mitre_attack_technique": "Pass the Ticket", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["APT29", "APT32", "BRONZE BUTLER"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process = \"*sekurlsa::tickets /export*\" OR Processes.process = \"*kerberos::ptt*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `mimikatz_passtheticket_commandline_parameters_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although highly unlikely, legitimate applications may use the same command line parameters as Mimikatz.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "mimikatz_passtheticket_commandline_parameters_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Mmc LOLBAS Execution Process Spawn", "author": "Mauricio Velazco, Splunk", "date": "2021-11-23", "version": 1, "id": "f6601940-4c74-11ec-b9b7-3e22fbd008af", "description": "The following analytic identifies `mmc.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the DCOM protocol and the MMC20 COM object, the executed command is spawned as a child processs of `mmc.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of mmc.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", "references": ["https://attack.mitre.org/techniques/T1021/003/", "https://www.cybereason.com/blog/dcom-lateral-movement-techniques", "https://lolbas-project.github.io/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Mmc.exe spawned a LOLBAS process on $dest$.", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218.014", "mitre_attack_technique": "MMC", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=mmc.exe) (Processes.process_name IN (\"Regsvcs.exe\", \"Ftp.exe\", \"OfflineScannerShell.exe\", \"Rasautou.exe\", \"Schtasks.exe\", \"Xwizard.exe\", \"Dllhost.exe\", \"Pnputil.exe\", \"Atbroker.exe\", \"Pcwrun.exe\", \"Ttdinject.exe\",\"Mshta.exe\", \"Bitsadmin.exe\", \"Certoc.exe\", \"Ieexec.exe\", \"Microsoft.Workflow.Compiler.exe\", \"Runscripthelper.exe\", \"Forfiles.exe\", \"Msbuild.exe\", \"Register-cimprovider.exe\", \"Tttracer.exe\", \"Ie4uinit.exe\", \"Bash.exe\", \"Hh.exe\", \"SettingSyncHost.exe\", \"Cmstp.exe\", \"Mmc.exe\", \"Stordiag.exe\", \"Scriptrunner.exe\", \"Odbcconf.exe\", \"Extexport.exe\", \"Msdt.exe\", \"WorkFolders.exe\", \"Diskshadow.exe\", \"Mavinject.exe\", \"Regasm.exe\", \"Gpscript.exe\", \"Rundll32.exe\", \"Regsvr32.exe\", \"Msiexec.exe\", \"Wuauclt.exe\", \"Presentationhost.exe\", \"Wmic.exe\", \"Runonce.exe\", \"Syncappvpublishingserver.exe\", \"Verclsid.exe\", \"Infdefaultinstall.exe\", \"Explorer.exe\", \"Installutil.exe\", \"Netsh.exe\", \"Wab.exe\", \"Dnscmd.exe\", \"At.exe\", \"Pcalua.exe\", \"Msconfig.exe\")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `mmc_lolbas_execution_process_spawn_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Legitimate applications may trigger this behavior, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "mmc_lolbas_execution_process_spawn_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Modification Of Wallpaper", "author": "Teoderick Contreras, Splunk", "date": "2021-06-02", "version": 1, "id": "accb0712-c381-11eb-8e5b-acde48001122", "description": "This analytic identifies suspicious modification of registry to deface or change the wallpaper of a compromised machines as part of its payload. This technique was commonly seen in ransomware like REVIL where it create a bitmap file contain a note that the machine was compromised and make it as a wallpaper.", "references": ["https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/", "https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/"], "tags": {"analytic_story": ["BlackMatter Ransomware", "Brute Ratel C4", "LockBit Ransomware", "Ransomware", "Revil Ransomware", "Rhysida Ransomware", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Wallpaper modification on $dest$", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1491", "mitre_attack_technique": "Defacement", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "`sysmon` EventCode =13 (TargetObject IN (\"*\\\\Control Panel\\\\Desktop\\\\Wallpaper\",\"*\\\\Control Panel\\\\Desktop\\\\WallpaperStyle\") AND Image != \"*\\\\explorer.exe\") OR (TargetObject IN (\"*\\\\Control Panel\\\\Desktop\\\\Wallpaper\",\"*\\\\Control Panel\\\\Desktop\\\\WallpaperStyle\") AND Details IN (\"*\\\\temp\\\\*\", \"*\\\\users\\\\public\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Image TargetObject Details Computer process_guid process_id user_id | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `modification_of_wallpaper_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the Image, TargetObject registry key, registry Details from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "3rd party tool may used to changed the wallpaper of the machine", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "modification_of_wallpaper_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Modify ACL permission To Files Or Folder", "author": "Teoderick Contreras, Splunk", "date": "2022-03-17", "version": 2, "id": "7e8458cc-acca-11eb-9e3f-acde48001122", "description": "This analytic identifies suspicious modification of ACL permission to a files or folder to make it available to everyone. This technique may be used by the adversary to evade ACLs or protected files access. This changes is commonly configured by the file or directory owner with appropriate permission. This behavior is a good indicator if this command seen on a machine utilized by an account with no permission to do so.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"analytic_story": ["XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Suspicious ACL permission modification on $dest$", "risk_score": 32, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = \"cacls.exe\" OR Processes.process_name = \"icacls.exe\" OR Processes.process_name = \"xcacls.exe\") AND Processes.process = \"*/G*\" AND (Processes.process = \"* everyone:*\" OR Processes.process = \"* SYSTEM:*\" OR Processes.process = \"* S-1-1-0:*\") by Processes.parent_process_name Processes.process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `modify_acl_permission_to_files_or_folder_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "administrators may use this command. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "modify_acl_permission_to_files_or_folder_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Monitor Registry Keys for Print Monitors", "author": "Steven Dick, Bhavin Patel, Teoderick Contreras, Splunk", "date": "2023-04-27", "version": 5, "id": "f5f6af30-7ba7-4295-bfe9-07de87c01bbc", "description": "This search looks for registry activity associated with modifications to the registry key `HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors`. In this scenario, an attacker can load an arbitrary .dll into the print-monitor registry by giving the full path name to the after.dll. The system will execute the .dll with elevated (SYSTEM) permissions and will persist after reboot.", "references": [], "tags": {"analytic_story": ["Suspicious Windows Registry Activities", "Windows Persistence Techniques", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "New print monitor added on $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.010", "mitre_attack_technique": "Port Monitors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.action=modified AND Registry.registry_path=\"*CurrentControlSet\\\\Control\\\\Print\\\\Monitors*\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `monitor_registry_keys_for_print_monitors_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "You will encounter noise from legitimate print-monitor registry entries.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "monitor_registry_keys_for_print_monitors_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "MS Exchange Mailbox Replication service writing Active Server Pages", "author": "Michael Haag, Splunk", "date": "2023-07-10", "version": 1, "id": "985f322c-57a5-11ec-b9ac-acde48001122", "description": "The following query identifies suspicious .aspx created in 3 paths identified by Microsoft as known drop locations for Exchange exploitation related to HAFNIUM group and recently disclosed vulnerablity named ProxyShell. Paths include: `\\HttpProxy\\owa\\auth\\`, `\\inetpub\\wwwroot\\aspnet_client\\`, and `\\HttpProxy\\OAB\\`. The analytic is limited to process name MSExchangeMailboxReplication.exe, which typically does not write .aspx files to disk. Upon triage, the suspicious .aspx file will likely look obvious on the surface. inspect the contents for script code inside. Identify additional log sources, IIS included, to review source and other potential exploitation. It is often the case that a particular threat is only applicable to a specific subset of systems in your environment. Typically analytics to detect those threats are written without the benefit of being able to only target those systems as well. Writing analytics against all systems when those behaviors are limited to identifiable subsets of those systems is suboptimal. Consider the case ProxyShell vulnerability on Microsoft Exchange Servers. With asset information, a hunter can limit their analytics to systems that have been identified as Exchange servers. A hunter may start with the theory that the exchange server is communicating with new systems that it has not previously. If this theory is run against all publicly facing systems, the amount of noise it will generate will likely render this theory untenable. However, using the asset information to limit this analytic to just the Exchange servers will reduce the noise allowing the hunter to focus only on the systems where this behavioral change is relevant.", "references": ["https://redcanary.com/blog/blackbyte-ransomware/"], "tags": {"analytic_story": ["BlackByte Ransomware", "ProxyShell", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Victim"]}], "message": "A file - $file_name$ was written to disk that is related to IIS exploitation related to ProxyShell. Review further file modifications on endpoint $dest$ by user $user$.", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "APT5", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=MSExchangeMailboxReplication.exe by _time span=1h Processes.process_id Processes.process_name Processes.process_guid Processes.dest | `drop_dm_object_name(Processes)` | join process_guid, _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*\\\\HttpProxy\\\\owa\\\\auth\\\\*\", \"*\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\*\", \"*\\\\HttpProxy\\\\OAB\\\\*\") Filesystem.file_name=\"*.aspx\" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` | fields _time dest file_create_time file_name file_path process_name process_path process process_guid] | dedup file_create_time | table dest file_create_time, file_name, file_path, process_name | `ms_exchange_mailbox_replication_service_writing_active_server_pages_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node.", "known_false_positives": "The query is structured in a way that `action` (read, create) is not defined. Review the results of this query, filter, and tune as necessary. It may be necessary to generate this query specific to your endpoint product.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "ms_exchange_mailbox_replication_service_writing_active_server_pages_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "MS Scripting Process Loading Ldap Module", "author": "Teoderick Contreras, Splunk", "date": "2021-09-13", "version": 1, "id": "0b0c40dc-14a6-11ec-b267-acde48001122", "description": "This search is to detect a suspicious MS scripting process such as wscript.exe or cscript.exe that loading ldap module to process ldap query. This behavior was seen in FIN7 implant where it uses javascript to execute ldap query to parse host information that will send to its C2 server. this anomaly detections is a good initial step to hunt further a suspicious ldap query or ldap related events to the host that may give you good information regarding ldap or AD information processing or might be a attacker.", "references": ["https://www.mandiant.com/resources/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation", "https://attack.mitre.org/groups/G0046/"], "tags": {"analytic_story": ["FIN7"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "$process_name$ loading ldap modules $ImageLoaded$ in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.007", "mitre_attack_technique": "JavaScript", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "Cobalt Group", "Earth Lusca", "Ember Bear", "Evilnum", "FIN6", "FIN7", "Higaisa", "Indrik Spider", "Kimsuky", "LazyScripter", "Leafminer", "Molerats", "MoustachedBouncer", "MuddyWater", "Sidewinder", "Silence", "TA505", "Turla"]}]}, "type": "Anomaly", "search": "`sysmon` EventCode =7 Image IN (\"*\\\\wscript.exe\", \"*\\\\cscript.exe\") ImageLoaded IN (\"*\\\\Wldap32.dll\", \"*\\\\adsldp.dll\", \"*\\\\adsldpc.dll\") | stats min(_time) as firstTime max(_time) as lastTime count by Image EventCode process_name ProcessId ProcessGuid Computer ImageLoaded | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ms_scripting_process_loading_ldap_module_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used.", "known_false_positives": "automation scripting language may used by network operator to do ldap query.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "ms_scripting_process_loading_ldap_module_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "MS Scripting Process Loading WMI Module", "author": "Teoderick Contreras, Splunk", "date": "2021-09-13", "version": 1, "id": "2eba3d36-14a6-11ec-a682-acde48001122", "description": "This search is to detect a suspicious MS scripting process such as wscript.exe or cscript.exe that loading wmi module to process wmi query. This behavior was seen in FIN7 implant where it uses javascript to execute wmi query to parse host information that will send to its C2 server. this anomaly detections is a good initial step to hunt further a suspicious wmi query or wmi related events to the host that may give you good information regarding process that are commonly using wmi query or modules or might be an attacker using this technique.", "references": ["https://www.mandiant.com/resources/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation", "https://attack.mitre.org/groups/G0046/"], "tags": {"analytic_story": ["FIN7"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "$process_name$ loading wmi modules $ImageLoaded$ in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.007", "mitre_attack_technique": "JavaScript", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "Cobalt Group", "Earth Lusca", "Ember Bear", "Evilnum", "FIN6", "FIN7", "Higaisa", "Indrik Spider", "Kimsuky", "LazyScripter", "Leafminer", "Molerats", "MoustachedBouncer", "MuddyWater", "Sidewinder", "Silence", "TA505", "Turla"]}]}, "type": "Anomaly", "search": "`sysmon` EventCode =7 Image IN (\"*\\\\wscript.exe\", \"*\\\\cscript.exe\") ImageLoaded IN (\"*\\\\fastprox.dll\", \"*\\\\wbemdisp.dll\", \"*\\\\wbemprox.dll\", \"*\\\\wbemsvc.dll\" , \"*\\\\wmiutils.dll\", \"*\\\\wbemcomn.dll\") | stats min(_time) as firstTime max(_time) as lastTime count by Image EventCode process_name ProcessId ProcessGuid Computer ImageLoaded | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ms_scripting_process_loading_wmi_module_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used.", "known_false_positives": "automation scripting language may used by network operator to do ldap query.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "ms_scripting_process_loading_wmi_module_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "MSBuild Suspicious Spawned By Script Process", "author": "Teoderick Contreras, Splunk", "date": "2021-10-04", "version": 1, "id": "213b3148-24ea-11ec-93a2-acde48001122", "description": "This analytic is to detect a suspicious child process of MSBuild spawned by Windows Script Host - cscript or wscript. This behavior or event are commonly seen and used by malware or adversaries to execute malicious msbuild process using malicious script in the compromised host. During triage, review parallel processes and identify any file modifications. MSBuild may load a script from the same path without having command-line arguments.", "references": ["https://app.any.run/tasks/dc93ee63-050c-4ff8-b07e-8277af9ab939/"], "tags": {"analytic_story": ["Trusted Developer Utilities Proxy Execution MSBuild"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Msbuild.exe process spawned by $parent_process_name$ on $dest$ executed by $user$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1127.001", "mitre_attack_technique": "MSBuild", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"wscript.exe\", \"cscript.exe\") AND `process_msbuild` by Processes.dest Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `msbuild_suspicious_spawned_by_script_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited as developers do not spawn MSBuild via a WSH.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_msbuild", "definition": "(Processes.process_name=msbuild.exe OR Processes.original_file_name=MSBuild.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "msbuild_suspicious_spawned_by_script_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Mshta spawning Rundll32 OR Regsvr32 Process", "author": "Teoderick Contreras, Splunk", "date": "2021-07-19", "version": 2, "id": "4aa5d062-e893-11eb-9eb2-acde48001122", "description": "This search is to detect a suspicious mshta.exe process that spawn rundll32 or regsvr32 child process. This technique was seen in several malware nowadays like trickbot to load its initial .dll stage loader to execute and download the the actual trickbot payload.", "references": ["https://twitter.com/cyb3rops/status/1416050325870587910?s=21"], "tags": {"analytic_story": ["IcedID", "Living Off The Land", "Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "a mshta parent process $parent_process_name$ spawn child process $process_name$ in host $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA2541", "TA551"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name = \"mshta.exe\" `process_rundll32` OR `process_regsvr32` by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.process_guid Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `mshta_spawning_rundll32_or_regsvr32_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "limitted. this anomaly behavior is not commonly seen in clean host.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_regsvr32", "definition": "(Processes.process_name=regsvr32.exe OR Processes.original_file_name=REGSVR32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "mshta_spawning_rundll32_or_regsvr32_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "MSHTML Module Load in Office Product", "author": "Michael Haag, Mauricio Velazco, Splunk", "date": "2024-03-14", "version": 3, "id": "5f1c168e-118b-11ec-84ff-acde48001122", "description": "This detection identifies the loading of the mshtml.dll module into an Office product. This behavior is associated with CVE-2021-40444, where a malicious document loads ActiveX, thereby activating the MSHTML component. The vulnerability is found within the MSHTML component itself. During triage, it is important to identify concurrent processes and document any file modifications for further analysis.", "references": ["https://app.any.run/tasks/36c14029-9df8-439c-bba0-45f2643b0c70/", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444", "https://strontic.github.io/xcyclopedia/index-dll", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"analytic_story": ["CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "Microsoft MSHTML Remote Code Execution CVE-2021-40444", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "An instance of $process_name$ was identified on endpoint $dest$ loading mshtml.dll.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "type": "TTP", "search": "`sysmon` EventID=7 process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\",\"wordpad.exe\",\"wordview.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\", \"msaccess.exe\",\"Graph.exe\",\"winproj.exe\") loaded_file_path IN (\"*\\\\mshtml.dll\", \"*\\\\Microsoft.mshtml.dll\",\"*\\\\IE.Interop.MSHTML.dll\",\"*\\\\MshtmlDac.dll\",\"*\\\\MshtmlDed.dll\",\"*\\\\MshtmlDer.dll\") | stats count min(_time) as firstTime max(_time) as lastTime by user_id, dest, process_name, loaded_file, loaded_file_path, original_file_name, process_guid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `mshtml_module_load_in_office_product_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process names and image loads from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Limited false positives will be present, however, tune as necessary. Some applications may legitimately load mshtml.dll.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "mshtml_module_load_in_office_product_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "MSI Module Loaded by Non-System Binary", "author": "Michael Haag, Splunk", "date": "2023-04-14", "version": 1, "id": "ccb98a66-5851-11ec-b91c-acde48001122", "description": "The following hunting analytic identifies `msi.dll` being loaded by a binary not located in `system32`, `syswow64`, `winsxs` or `windows` paths. This behavior is most recently related to InstallerFileTakeOver, or CVE-2021-41379, and DLL side-loading. CVE-2021-41379 requires a binary to be dropped and `msi.dll` to be loaded by it. To Successful exploitation of this issue happens in four parts\n\n1. Generation of an MSI that will trigger bad behavior.\n1. Preparing a directory for MSI installation.\n1. Inducing an error state.\n1. Racing to introduce a junction and a symlink to trick msiexec.exe to modify the attacker specified file.\nIn addition, `msi.dll` has been abused in DLL side-loading attacks by being loaded by non-system binaries.", "references": ["https://attackerkb.com/topics/7LstI2clmF/cve-2021-41379/rapid7-analysis", "https://github.com/AlexandrVIvanov/InstallerFileTakeOver", "https://github.com/mandiant/red_team_tool_countermeasures/blob/master/rules/PGF/supplemental/hxioc/msi.dll%20Hijack%20(Methodology).ioc"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "process_name", "type": "Process Name", "role": ["Child Process"]}], "message": "The following module $ImageLoaded$ was loaded by $Image$ outside of the normal system paths on endpoint $dest$, potentally related to DLL side-loading.", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Cinnamon Tempest", "Earth Lusca", "FIN13", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "Hunting", "search": "`sysmon` EventCode=7 ImageLoaded=\"*\\\\msi.dll\" NOT (Image IN (\"*\\\\System32\\\\*\",\"*\\\\syswow64\\\\*\",\"*\\\\windows\\\\*\", \"*\\\\winsxs\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name dest EventCode ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `msi_module_loaded_by_non_system_binary_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "It is possible some Administrative utilities will load msi.dll outside of normal system paths, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "msi_module_loaded_by_non_system_binary_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Msmpeng Application DLL Side Loading", "author": "Teoderick Contreras, Splunk, Sanjay Govind", "date": "2023-03-15", "version": 3, "id": "8bb3f280-dd9b-11eb-84d5-acde48001122", "description": "This search is to detect a suspicious creation of msmpeng.exe or mpsvc.dll in non default windows defender folder. This technique was seen with revil ransomware in Kaseya Supply chain. The approach is to drop an old version of msmpeng.exe to load the actual payload name as mspvc.dll which will load the revil ransomware to the compromise machine", "references": ["https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers"], "tags": {"analytic_story": ["Ransomware", "Revil Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious creation of msmpeng.exe or mpsvc.dll in non default windows defender folder on host - $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Cinnamon Tempest", "Earth Lusca", "FIN13", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "|tstats `security_content_summariesonly` values(Filesystem.file_path) as file_path count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_name = \"msmpeng.exe\" OR Filesystem.file_name = \"mpsvc.dll\") AND NOT (Filesystem.file_path IN (\"*\\\\Program Files\\\\windows defender\\\\*\",\"*\\\\WinSxS\\\\*defender-service*\",\"*\\\\WinSxS\\\\Temp\\\\*defender-service*\")) by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.user Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `msmpeng_application_dll_side_loading_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.", "known_false_positives": "quite minimal false positive expected.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "msmpeng_application_dll_side_loading_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Net Localgroup Discovery", "author": "Michael Haag, Splunk", "date": "2024-05-21", "version": 2, "id": "54f5201e-155b-11ec-a6e2-acde48001122", "description": "The following analytic detects the execution of the `net localgroup` command, which is used to enumerate local group memberships on a system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because it can indicate an attacker is gathering information about local group memberships, potentially to identify privileged accounts. If confirmed malicious, this behavior could lead to further privilege escalation or lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1069/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md", "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"analytic_story": ["Active Directory Discovery", "Azorult", "Graceful Wipe Out Attack", "IcedID", "Prestige Ransomware", "Rhysida Ransomware", "Volt Typhoon", "Windows Discovery Techniques", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Local group discovery on $dest$ by $user$.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=net.exe OR Processes.process_name=net1.exe (Processes.process=\"*localgroup*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `net_localgroup_discovery_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present. Tune as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "net_localgroup_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "NET Profiler UAC bypass", "author": "Teoderick Contreras, Splunk", "date": "2022-02-18", "version": 2, "id": "0252ca80-e30d-11eb-8aa3-acde48001122", "description": "This search is to detect modification of registry to bypass UAC windows feature. This technique is to add a payload dll path on .NET COR file path that will be loaded by mmc.exe as soon it was executed. This detection rely on monitoring the registry key and values in the detection area. It may happened that windows update some dll related to mmc.exe and add dll path in this registry. In this case filtering is needed.", "references": ["https://offsec.almond.consulting/UAC-bypass-dotnet.html"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Suspicious modification of registry $registry_path$ with possible payload path $registry_path$ and key $registry_key_name$ in $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Environment\\\\COR_PROFILER_PATH\" Registry.registry_value_data = \"*.dll\" by Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `net_profiler_uac_bypass_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "limited false positive. It may trigger by some windows update that will modify this registry.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "net_profiler_uac_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Network Connection Discovery With Arp", "author": "Mauricio Velazco, Splunk", "date": "2024-05-16", "version": 2, "id": "ae008c0f-83bd-4ed4-9350-98d4328e15d2", "description": "The following analytic detects the execution of `arp.exe` with the `-a` flag, which is used to list network connections on a compromised system. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, command-line executions, and related telemetry. Monitoring this activity is significant because both Red Teams and adversaries use `arp.exe` for situational awareness and Active Directory discovery. If confirmed malicious, this activity could allow attackers to map the network, identify active devices, and plan further lateral movement or attacks.", "references": ["https://attack.mitre.org/techniques/T1049/", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"analytic_story": ["Active Directory Discovery", "IcedID", "Prestige Ransomware", "Qakbot", "Volt Typhoon", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Network Connection discovery on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "APT5", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"arp.exe\") (Processes.process=*-a*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `network_connection_discovery_with_arp_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "network_connection_discovery_with_arp_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Network Connection Discovery With Net", "author": "Mauricio Velazco, Splunk", "date": "2021-09-10", "version": 1, "id": "640337e5-6e41-4b7f-af06-9d9eab5e1e2d", "description": "This analytic looks for the execution of `net.exe` with command-line arguments utilized to get a listing of network connections on a compromised system. Red Teams and adversaries alike may use net.exe for situational awareness and Active Directory Discovery.", "references": ["https://attack.mitre.org/techniques/T1049/"], "tags": {"analytic_story": ["Active Directory Discovery", "Azorult", "Prestige Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Network Connection discovery on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "APT5", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"net.exe\" OR Processes.process_name=\"net1.exe\") (Processes.process=*use*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `network_connection_discovery_with_net_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "network_connection_discovery_with_net_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Network Connection Discovery With Netstat", "author": "Mauricio Velazco, Splunk", "date": "2023-12-27", "version": 1, "id": "2cf5cc25-f39a-436d-a790-4857e5995ede", "description": "This analytic looks for the execution of `netstat.exe` with command-line arguments utilized to get a listing of network connections on a compromised system. Red Teams and adversaries alike may use netstat.exe for situational awareness and Active Directory Discovery.", "references": ["https://attack.mitre.org/techniques/T1049/", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"analytic_story": ["Active Directory Discovery", "CISA AA22-277A", "CISA AA23-347A", "PlugX", "Prestige Ransomware", "Qakbot", "Volt Typhoon", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Network Connection discovery on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "APT5", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"netstat.exe\") (Processes.process=*-a*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `network_connection_discovery_with_netstat_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "network_connection_discovery_with_netstat_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Network Discovery Using Route Windows App", "author": "Teoderick Contreras, Splunk", "date": "2024-02-14", "version": 2, "id": "dd83407e-439f-11ec-ab8e-acde48001122", "description": "This analytic look for a spawned process of route.exe windows application. Adversaries and red teams alike abuse this application the recon or do a network discovery on a target host. but one possible false positive might be an automated tool used by a system administator or a powershell script in amazon ec2 config services.", "references": ["https://app.any.run/tasks/ad4c3cda-41f2-4401-8dba-56cc2d245488/"], "tags": {"analytic_story": ["Active Directory Discovery", "CISA AA22-277A", "Prestige Ransomware", "Qakbot", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Network Connection discovery on $dest$ by $user$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1016.001", "mitre_attack_technique": "Internet Connection Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT29", "FIN13", "FIN8", "Gamaredon Group", "HAFNIUM", "HEXANE", "Magic Hound", "TA2541", "Turla"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_route` by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `network_discovery_using_route_windows_app_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "A network operator or systems administrator may utilize an automated host discovery application that may generate false positives or an amazon ec2 script that uses this application. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_route", "definition": "(Processes.process_name=route.exe OR Processes.original_file_name=route.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "network_discovery_using_route_windows_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Network Share Discovery Via Dir Command", "author": "Teoderick Contreras, Splunk", "date": "2023-05-23", "version": 1, "id": "dc1457d0-1d9b-422e-b5a7-db46c184d9aa", "description": "The following analytic identifies object access on Windows administrative SMB shares (Admin$, IPC$, C$). This represents suspicious behavior as its commonly used by tools like PsExec/PaExec and others to stage service binaries before creating and starting a Windows service on remote endpoints. Red Teams and adversaries alike may abuse administrative shares for lateral movement and remote code execution. The IcedID malware family also implements this behavior to try to infect other machines in the infected network.", "references": ["https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"analytic_story": ["IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "$user$ list executable files or directory in known sensitive SMB share. Share name=$ShareName$, Access mask=$AccessMask$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1135", "mitre_attack_technique": "Network Share Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT32", "APT38", "APT39", "APT41", "Chimera", "DarkVishnya", "Dragonfly", "FIN13", "Sowbug", "Tonto Team", "Tropic Trooper", "Wizard Spider"]}]}, "type": "Hunting", "search": "`wineventlog_security` EventCode=5140 ShareName IN(\"\\\\\\\\*\\\\ADMIN$\",\"\\\\\\\\*\\\\C$\",\"*\\\\\\\\*\\\\IPC$\") AccessMask= 0x1 | stats min(_time) as firstTime max(_time) as lastTime count by ShareName IpAddress ObjectType SubjectUserName SubjectDomainName IpPort AccessMask Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `network_share_discovery_via_dir_command_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 5140 EventCode enabled. The Windows TA is also required. Also enable the object Audit access success/failure in your group policy.", "known_false_positives": "System Administrators may use looks like net.exe or \"dir commandline\" for troubleshooting or administrations tasks. However, this will typically come only from certain users and certain systems that can be added to an allow list.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "network_share_discovery_via_dir_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Network Traffic to Active Directory Web Services Protocol", "author": "Michael Haag, Splunk", "date": "2024-03-14", "version": 2, "id": "68a0056c-34cb-455f-b03d-df935ea62c4f", "description": "The following analytic identifies network traffic to Active Directory Web Services Protocol. This protocol is used to manage Active Directory. The analytic is meant to be tuned and filtered to the specific environment. It will assist defenders in identifying suspicious processes accessing port 9389.", "references": ["https://github.com/FalconForceTeam/SOAPHound"], "tags": {"analytic_story": ["Windows Discovery Techniques"], "asset_type": "Network", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "dest_ip", "type": "IP Address", "role": ["Victim"]}], "message": "Network traffic to Active Directory Web Services Protocol was identified on $dest_ip$ by $src_ip$.", "risk_score": 10, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT41", "BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Scattered Spider", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}, {"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Akira", "Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT41", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "FIN7", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "ToddyCat", "Turla", "Volt Typhoon"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}]}, "type": "Hunting", "search": "| tstats count from datamodel=Network_Traffic where All_Traffic.dest_port=9389 by All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.app, All_Traffic.user, All_Traffic.dest_port | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\"All_Traffic\")` | `network_traffic_to_active_directory_web_services_protocol_filter`", "how_to_implement": "The detection is based on data that originates from network traffic logs. The logs must contain the source and destination IP addresses, the application name, and the destination port. The logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the network traffic data source. The logs must also be mapped to the `Network_Traffic` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited as the destination port is specific to Active Directory Web Services Protocol, however we recommend utilizing this analytic to hunt for non-standard processes querying the ADWS port. Filter by App or dest_ip to AD servers and remove known proceses querying ADWS.", "datamodel": ["Network_Traffic"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "network_traffic_to_active_directory_web_services_protocol_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Nishang PowershellTCPOneLine", "author": "Michael Haag, Splunk", "date": "2021-03-03", "version": 2, "id": "1a382c6c-7c2e-11eb-ac69-acde48001122", "description": "This query detects the Nishang Invoke-PowerShellTCPOneLine utility that spawns a call back to a remote Command And Control server. This is a powershell oneliner. In addition, this will capture on the command-line additional utilities used by Nishang. Triage the endpoint and identify any parallel processes that look suspicious. Review the reputation of the remote IP or domain contacted by the powershell process.", "references": ["https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcpOneLine.ps1", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "https://www.rapid7.com/blog/post/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day/"], "tags": {"analytic_story": ["HAFNIUM Group"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Possible Nishang Invoke-PowerShellTCPOneLine behavior on $dest$", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` (Processes.process=*Net.Sockets.TCPClient* AND Processes.process=*System.Text.ASCIIEncoding*) by Processes.dest Processes.user Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `nishang_powershelltcponeline_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives may be present. Filter as needed based on initial analysis.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "nishang_powershelltcponeline_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "NLTest Domain Trust Discovery", "author": "Michael Haag, Splunk", "date": "2022-04-18", "version": 2, "id": "c3e05466-5f22-11eb-ae93-0242ac130002", "description": "This search looks for the execution of `nltest.exe` with command-line arguments utilized to query for Domain Trust information. Two arguments `/domain trusts`, returns a list of trusted domains, and `/all_trusts`, returns all trusted domains. Red Teams and adversaries alike use NLTest.exe to enumerate the current domain to assist with further understanding where to pivot next.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md", "https://malware.news/t/lets-learn-trickbot-implements-network-collector-module-leveraging-cmd-wmi-ldap/19104", "https://attack.mitre.org/techniques/T1482/", "https://owasp.org/www-pdf-archive/Red_Team_Operating_in_a_Modern_Environment.pdf", "https://ss64.com/nt/nltest.html", "https://redcanary.com/threat-detection-report/techniques/domain-trust-discovery/", "https://thedfirreport.com/2020/10/08/ryuks-return/"], "tags": {"analytic_story": ["Active Directory Discovery", "Domain Trust Discovery", "IcedID", "Qakbot", "Rhysida Ransomware", "Ryuk Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Domain trust discovery execution on $dest$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Akira", "Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_nltest` (Processes.process=*/domain_trusts* OR Processes.process=*/all_trusts*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `nltest_domain_trust_discovery_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may use nltest for troubleshooting purposes, otherwise, rarely used.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_nltest", "definition": "(Processes.process_name=nltest.exe OR Processes.original_file_name=nltestrk.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "nltest_domain_trust_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "author": "Teoderick Contreras, Splunk", "date": "2024-04-26", "version": 2, "id": "81263de4-160a-11ec-944f-acde48001122", "description": "This search is to detect an anomaly event of a non-chrome process accessing the files in chrome user default folder. This folder contains all the sqlite database of the chrome browser related to users login, history, cookies and etc. Most of the RAT, trojan spy as well as FIN7 jssloader try to parse the those sqlite database to collect information on the compromised host. This SACL Event (4663) need to be enabled to tthe firefox profile directory to be eable to use this. Since you monitoring this access to the folder, we observed noise that needs to be filter out and hence added sqlite db browser and explorer .exe to make this detection more stable.", "references": [], "tags": {"analytic_story": ["3CX Supply Chain Attack", "AgentTesla", "CISA AA23-347A", "DarkGate Malware", "FIN7", "NjRAT", "Phemedrone Stealer", "RedLine Stealer", "Remcos", "Snake Keylogger", "Warzone RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "a non chrome browser process $ProcessName$ accessing $ObjectName$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "Malteiro", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "APT41", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Malteiro", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}]}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4663 NOT (ProcessName IN (\"*\\\\chrome.exe\", \"*\\\\explorer.exe\", \"*sql*\")) ObjectName=\"*\\\\Google\\\\Chrome\\\\User Data\\\\Default*\" | stats count min(_time) as firstTime max(_time) as lastTime by ObjectName ObjectType ProcessName AccessMask EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `non_chrome_process_accessing_chrome_default_dir_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable \"Audit Object Access\" in Group Policy. Then check the two boxes listed for both \"Success\" and \"Failure.\"", "known_false_positives": "other browser not listed related to firefox may catch by this rule.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "non_chrome_process_accessing_chrome_default_dir_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Non Firefox Process Access Firefox Profile Dir", "author": "Teoderick Contreras, Splunk", "date": "2024-04-26", "version": 2, "id": "e6fc13b0-1609-11ec-b533-acde48001122", "description": "This search is to detect an anomaly event of a non-firefox process accessing the files in the profile folder. This folder contains all the sqlite database of the firefox browser related to users login, history, cookies and etc. Most of the RAT, trojan spy as well as FIN7 jssloader try to parse the those sqlite database to collect information on the compromised host. This SACL Event (4663) needs to be enabled to the firefox profile directory to use this. Since this is monitoring the access to the folder, we have obsevered noise and hence added `sqlite db browser` and `explorer.exe` to make this detection more stable.", "references": [], "tags": {"analytic_story": ["3CX Supply Chain Attack", "AgentTesla", "Azorult", "CISA AA23-347A", "DarkGate Malware", "FIN7", "NjRAT", "Phemedrone Stealer", "RedLine Stealer", "Remcos", "Snake Keylogger", "Warzone RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "a non firefox browser process $ProcessName$ accessing $ObjectName$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "Malteiro", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "APT41", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Malteiro", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}]}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4663 NOT (ProcessName IN (\"*\\\\firefox.exe\", \"*\\\\explorer.exe\", \"*sql*\")) ObjectName=\"*\\\\AppData\\\\Roaming\\\\Mozilla\\\\Firefox\\\\Profiles*\" | stats count min(_time) as firstTime max(_time) as lastTime by ObjectName ObjectType ProcessName AccessMask EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `non_firefox_process_access_firefox_profile_dir_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable \"Audit Object Access\" in Group Policy. Then check the two boxes listed for both \"Success\" and \"Failure.\"", "known_false_positives": "other browser not listed related to firefox may catch by this rule.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "non_firefox_process_access_firefox_profile_dir_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Notepad with no Command Line Arguments", "author": "Michael Haag, Splunk", "date": "2023-02-22", "version": 1, "id": "5adbc5f1-9a2f-41c1-a810-f37e015f8179", "description": "The following analytic identifies behavior related to default SliverC2 framework where it will inject into Notepad.exe and spawn Notepad.exe with no command line arguments. In testing, this is a common procedure for SliverC2 usage, however may be modified or changed. From Microsoft, \"The Sideload, SpawnDll, and Execute-Assembly commands spawn and inject into notepad.exe by default. The following query finds process creation events where the same process creates and injects into notepad.exe within 10 seconds.\"", "references": ["https://www.microsoft.com/en-us/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/", "https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors#Purple-Team-Section"], "tags": {"analytic_story": ["BishopFox Sliver Adversary Emulation Framework"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ with no command line arguments.", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_name=notepad.exe AND Processes.action!=\"blocked\" by host _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(notepad\\.exe.{0,4}$)\" | `notepad_with_no_command_line_arguments_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present and filtering may need to occur based on organization endpoint behavior.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "notepad_with_no_command_line_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Ntdsutil Export NTDS", "author": "Michael Haag, Patrick Bareiss, Splunk", "date": "2021-01-28", "version": 1, "id": "da63bc76-61ae-11eb-ae93-0242ac130002", "description": "Monitor for signs that Ntdsutil is being used to Extract Active Directory database - NTDS.dit, typically used for offline password cracking. It may be used in normal circumstances with no command line arguments or shorthand variations of more common arguments. Ntdsutil.exe is typically seen run on a Windows Server. Typical command used to dump ntds.dit\nntdsutil \"ac i ntds\" \"ifm\" \"create full C:\\Temp\" q q\nThis technique uses \"Install from Media\" (IFM), which will extract a copy of the Active Directory database. A successful export of the Active Directory database will yield a file modification named ntds.dit to the destination.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md#atomic-test-3---dump-active-directory-database-with-ntdsutil", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc753343(v=ws.11)", "https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf", "https://strontic.github.io/xcyclopedia/library/vss_ps.dll-97B15BDAE9777F454C9A6BA25E938DB3.html", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"analytic_story": ["Credential Dumping", "HAFNIUM Group", "Living Off The Land", "Prestige Ransomware", "Rhysida Ransomware", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Active Directory NTDS export on $dest$", "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.003", "mitre_attack_technique": "NTDS", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "HAFNIUM", "Ke3chang", "LAPSUS$", "Mustang Panda", "Sandworm Team", "Scattered Spider", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=ntdsutil.exe Processes.process=*ntds* Processes.process=*create*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `ntdsutil_export_ntds_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Highly possible Server Administrators will troubleshoot with ntdsutil.exe, generating false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "ntdsutil_export_ntds_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Office Application Drop Executable", "author": "Teoderick Contreras, Michael Haag, Splunk, TheLawsOfChaos, Github", "date": "2023-02-15", "version": 4, "id": "73ce70c4-146d-11ec-9184-acde48001122", "description": "This search is to detect a suspicious MS office application that drops or creates executables or scripts in a Windows Operating System. This behavior is commonly seen in spear phishing office attachment where it drop malicious files or script to compromised the host. It might be some normal macro may drop script or tools as part of automation but still this behavior is reallly suspicious and not commonly seen in normal office application", "references": ["https://www.mandiant.com/resources/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation", "https://attack.mitre.org/groups/G0046/", "https://www.joesandbox.com/analysis/702680/0/html", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"analytic_story": ["AgentTesla", "CVE-2023-21716 Word RTF Heap Corruption", "FIN7", "PlugX", "Warzone RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "process $process_name$ drops a file $file_name$ in host $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\",\"wordpad.exe\",\"wordview.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\",\"msaccess.exe\") by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.process_guid | `drop_dm_object_name(Processes)` |join process_guid, _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*.exe\",\"*.dll\",\"*.pif\",\"*.scr\",\"*.js\",\"*.vbs\",\"*.vbe\",\"*.ps1\") by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | fields _time dest file_create_time file_name file_path process_name process_path process process_guid] | dedup file_create_time | table dest, process_name, process, file_create_time, file_name, file_path, process_guid | `office_application_drop_executable_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used.", "known_false_positives": "office macro for automation may do this behavior", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "office_application_drop_executable_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Office Application Spawn Regsvr32 process", "author": "Teoderick Contreras, Splunk", "date": "2023-02-15", "version": 4, "id": "2d9fc90c-f11f-11eb-9300-acde48001122", "description": "this detection was designed to identifies suspicious spawned process of known MS office application due to macro or malicious code. this technique can be seen in so many malware like IcedID that used MS office as its weapon or attack vector to initially infect the machines.", "references": ["https://www.joesandbox.com/analysis/380662/0/html", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"analytic_story": ["IcedID", "Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Office application spawning regsvr32.exe on $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name = \"winword.exe\" OR Processes.parent_process_name = \"excel.exe\" OR Processes.parent_process_name = \"powerpnt.exe\" OR Processes.parent_process_name = \"outlook.exe\" OR Processes.parent_process_name = \"onenote.exe\" OR Processes.parent_process_name = \"onenotem.exe\" OR Processes.parent_process_name = \"onenoteviewer.exe\" OR Processes.parent_process_name = \"onenoteim.exe\" OR Processes.parent_process_name=\"msaccess.exe\") `process_regsvr32` by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `office_application_spawn_regsvr32_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_regsvr32", "definition": "(Processes.process_name=regsvr32.exe OR Processes.original_file_name=REGSVR32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "office_application_spawn_regsvr32_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Office Application Spawn rundll32 process", "author": "Teoderick Contreras, Splunk", "date": "2023-02-15", "version": 4, "id": "958751e4-9c5f-11eb-b103-acde48001122", "description": "This detection was designed to identify suspicious spawned processes of known MS office applications due to macro or malicious code. this technique can be seen in so many malware like trickbot that used MS office as its weapon or attack vector to initially infect the machines.", "references": ["https://any.run/malware-trends/trickbot", "https://any.run/report/47561b4e949041eff0a0f4693c59c81726591779fe21183ae9185b5eb6a69847/aba3722a-b373-4dae-8273-8730fb40cdbe", "https://www.joesandbox.com/analysis/702680/0/html", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"analytic_story": ["AgentTesla", "IcedID", "NjRAT", "Spearphishing Attachments", "Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Office application spawning rundll32.exe on $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name = \"winword.exe\" OR Processes.parent_process_name = \"excel.exe\" OR Processes.parent_process_name = \"powerpnt.exe\" OR Processes.parent_process_name= \"onenote.exe\" OR Processes.parent_process_name = \"onenotem.exe\" OR Processes.parent_process_name = \"onenoteviewer.exe\" OR Processes.parent_process_name = \"onenoteim.exe\" OR Processes.parent_process_name = \"msaccess.exe\") AND `process_rundll32` by Processes.parent_process Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `office_application_spawn_rundll32_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "office_application_spawn_rundll32_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Office Document Creating Schedule Task", "author": "Teoderick Contreras, Splunk", "date": "2024-03-14", "version": 6, "id": "cc8b7b74-9d0f-11eb-8342-acde48001122", "description": "The following analytic detects a potentially malicious office document that creates a scheduled task entry either through a macro VBA API or by loading taskschd.dll. This technique has been observed in numerous instances of malicious macro malware aiming to establish persistence or beaconing through task schedule entries. The analytic will return the first and last time the task was registered, as well as details such as the `Command` to be executed, `Task Name`, `Author`, `Enabled` status, and whether it is `Hidden`. schtasks.exe is natively located in `C:\\Windows\\system32` and `C:\\Windows\\syswow64`. The DLL(s) `taskschd.dll` are loaded when schtasks.exe or TaskService is initiated. If this DLL is found loaded by another process, it may indicate that a scheduled task is being registered within that process's context in memory. During triage, determine the source of the scheduled task. Was it schtasks.exe or via TaskService? Review the job created and the command to be executed. Capture any artifacts on disk for further review. Identify any parallel processes within the same timeframe to pinpoint the source.'", "references": ["https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/", "https://redcanary.com/threat-detection-report/techniques/scheduled-task-job/", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"analytic_story": ["Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "An Office document was identified creating a scheduled task on $dest$. Investigate further.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "type": "TTP", "search": "`sysmon` EventCode=7 process_name IN (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\", \"msaccess.exe\") loaded_file_path = \"*\\\\taskschd.dll\" | stats min(_time) as firstTime max(_time) as lastTime count by user_id, dest, process_name,loaded_file, loaded_file_path, original_file_name, process_guid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `office_document_creating_schedule_task_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and ImageLoaded (Like sysmon EventCode 7) from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Also be sure to include those monitored dll to your own sysmon config.", "known_false_positives": "False positives may occur if legitimate office documents are creating scheduled tasks. Ensure to investigate the scheduled task and the command to be executed. If the task is benign, add the task name to the exclusion list. Some applications may legitimately load taskschd.dll.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "office_document_creating_schedule_task_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Office Document Executing Macro Code", "author": "Teoderick Contreras, Splunk", "date": "2024-03-17", "version": 5, "id": "b12c89bc-9d06-11eb-a592-acde48001122", "description": "This detection is designed to identify suspicious office documents that utilize macro code. Macro code is known to be a prevalent weaponization or attack vector for threat actors. This malicious macro code can be embedded in an office document as an attachment, potentially executing a malicious payload, downloading malware, or other malicious components. It is a good practice to disable macros by default to prevent the automatic execution of macro code when opening or closing office document files.", "references": ["https://www.joesandbox.com/analysis/386500/0/html", "https://www.joesandbox.com/analysis/702680/0/html", "https://bazaar.abuse.ch/sample/02cbc1ab80695fc12ff8822b926957c3a600247b9ca412a137f69cb5716c8781/", "https://www.fortinet.com/blog/threat-research/latest-remcos-rat-phishing", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/", "https://www.fortinet.com/blog/threat-research/leveraging-microsoft-office-documents-to-deliver-agent-tesla-and-njrat"], "tags": {"analytic_story": ["AgentTesla", "Azorult", "DarkCrystal RAT", "IcedID", "NjRAT", "PlugX", "Qakbot", "Remcos", "Spearphishing Attachments", "Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Office document executing a macro on $dest$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "type": "TTP", "search": "`sysmon` EventCode=7 process_name IN (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\",\"msaccess.exe\") loaded_file_path IN (\"*\\\\VBE7INTL.DLL\",\"*\\\\VBE7.DLL\", \"*\\\\VBEUI.DLL\") | stats min(_time) as firstTime max(_time) as lastTime values(loaded_file) as loaded_file count by dest EventCode process_name process_guid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `office_document_executing_macro_code_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and ImageLoaded (Like sysmon EventCode 7) from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Also be sure to include those monitored dll to your own sysmon config.", "known_false_positives": "False positives may occur if legitimate office documents are executing macro code. Ensure to investigate the macro code and the command to be executed. If the macro code is benign, add the document name to the exclusion list. Some applications may legitimately load VBE7INTL.DLL, VBE7.DLL, or VBEUI.DLL.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "office_document_executing_macro_code_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Office Document Spawned Child Process To Download", "author": "Teoderick Contreras, Splunk", "date": "2023-07-11", "version": 6, "id": "6fed27d2-9ec7-11eb-8fe4-aa665a019aa3", "description": "This search is to detect potential malicious office document executing lolbin child process to download payload or other malware. Since most of the attacker abused the capability of office document to execute living on land application to blend it to the normal noise in the infected machine to cover its track.", "references": ["https://app.any.run/tasks/92d7ef61-bfd7-4c92-bc15-322172b4ebec/", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"analytic_story": ["CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "NjRAT", "PlugX", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Office document spawning suspicious child process on $dest$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\",\"msaccess.exe\", \"Graph.exe\",\"winproj.exe\") Processes.process IN (\"*http:*\",\"*https:*\") NOT (Processes.original_file_name IN(\"firefox.exe\", \"chrome.exe\",\"iexplore.exe\",\"msedge.exe\")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `office_document_spawned_child_process_to_download_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Default browser not in the filter list.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "office_document_spawned_child_process_to_download_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Office Product Spawn CMD Process", "author": "Teoderick Contreras, Splunk", "date": "2023-07-11", "version": 5, "id": "b8b19420-e892-11eb-9244-acde48001122", "description": "this search is to detect a suspicious office product process that spawn cmd child process. This is commonly seen in a ms office product having macro to execute shell command to download or execute malicious lolbin relative to its malicious code. This is seen in trickbot spear phishing doc where it execute shell cmd to run mshta payload.", "references": ["https://twitter.com/cyb3rops/status/1416050325870587910?s=21", "https://bazaar.abuse.ch/sample/02cbc1ab80695fc12ff8822b926957c3a600247b9ca412a137f69cb5716c8781/", "https://www.fortinet.com/blog/threat-research/latest-remcos-rat-phishing", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"analytic_story": ["AgentTesla", "Azorult", "CVE-2023-21716 Word RTF Heap Corruption", "CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "DarkCrystal RAT", "NjRAT", "PlugX", "Qakbot", "Remcos", "Trickbot", "Warzone RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "an office product parent process $parent_process_name$ spawn child process $process_name$ in host $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name = \"winword.exe\" OR Processes.parent_process_name= \"excel.exe\" OR Processes.parent_process_name = \"powerpnt.exe\" OR Processes.parent_process_name= \"onenote.exe\" OR Processes.parent_process_name = \"onenotem.exe\" OR Processes.parent_process_name = \"onenoteviewer.exe\" OR Processes.parent_process_name = \"onenoteim.exe\" OR Processes.parent_process_name = \"msaccess.exe\" OR Processes.parent_process_name=\"Graph.exe\" OR Processes.parent_process_name=\"winproj.exe\") `process_cmd` by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.process_guid Processes.user Processes.dest Processes.original_file_name | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `office_product_spawn_cmd_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "IT or network admin may create an document automation that will run shell script.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "office_product_spawn_cmd_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Office Product Spawning BITSAdmin", "author": "Michael Haag, Splunk", "date": "2023-07-11", "version": 5, "id": "e8c591f4-a6d7-11eb-8cf7-acde48001122", "description": "The following detection identifies the latest behavior utilized by different malware families (including TA551, IcedID). This detection identifies any Windows Office Product spawning `bitsadmin.exe`. In malicious instances, the command-line of `bitsadmin.exe` will contain a URL to a remote destination or similar command-line arguments as transfer, Download, priority, Foreground. In addition, Threat Research has released a detections identifying suspicious use of `bitsadmin.exe`. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. The Office Product, or `bitsadmin.exe` will have reached out to a remote destination, capture and block the IPs or domain. Review additional parallel processes for further activity.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"analytic_story": ["CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "office parent process $parent_process_name$ will execute a suspicious child process $process_name$ with process id $process_id$ in host $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\", \"msaccess.exe\", \"Graph.exe\",\"winproj.exe\") `process_bitsadmin` by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `office_product_spawning_bitsadmin_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "No false positives known. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_bitsadmin", "definition": "(Processes.process_name=bitsadmin.exe OR Processes.original_file_name=bitsadmin.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "office_product_spawning_bitsadmin_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Office Product Spawning CertUtil", "author": "Michael Haag, Splunk", "date": "2023-07-11", "version": 5, "id": "6925fe72-a6d5-11eb-9e17-acde48001122", "description": "The following detection identifies the latest behavior utilized by different malware families (including TA551, IcedID). This detection identifies any Windows Office Product spawning `certutil.exe`. In malicious instances, the command-line of `certutil.exe` will contain a URL to a remote destination. In addition, Threat Research has released a detections identifying suspicious use of `certutil.exe`. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. The Office Product, or `certutil.exe` will have reached out to a remote destination, capture and block the IPs or domain. Review additional parallel processes for further activity.", "references": ["https://redcanary.com/threat-detection-report/threats/TA551/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"analytic_story": ["AgentTesla", "CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "Spearphishing Attachments", "Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker"]}], "message": "office parent process $parent_process_name$ will execute a suspicious child process $process_name$ with process id $process_id$ in host $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\",\"msaccess.exe\", \"Graph.exe\",\"winproj.exe\") `process_certutil` by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `office_product_spawning_certutil_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "No false positives known. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_certutil", "definition": "(Processes.process_name=certutil.exe OR Processes.original_file_name=CertUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "office_product_spawning_certutil_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Office Product Spawning MSHTA", "author": "Michael Haag, Splunk", "date": "2023-07-11", "version": 4, "id": "6078fa20-a6d2-11eb-b662-acde48001122", "description": "The following detection identifies the latest behavior utilized by different malware families (including TA551, IcedID). This detection identifies any Windows Office Product spawning `mshta.exe`. In malicious instances, the command-line of `mshta.exe` will contain the `hta` file locally, or a URL to the remote destination. In addition, Threat Research has released a detections identifying suspicious use of `mshta.exe`. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. The Office Product, or `mshta.exe` will have reached out to a remote destination, capture and block the IPs or domain. Review additional parallel processes for further activity.", "references": ["https://redcanary.com/threat-detection-report/threats/TA551/"], "tags": {"analytic_story": ["Azorult", "CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "IcedID", "NjRAT", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "office parent process $parent_process_name$ will execute a suspicious child process $process_name$ with process id $process_id$ in host $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\", \"onenote.exe\",\"onenotem.exe\", \"msaccess.exe\",\"Graph.exe\",\"winproj.exe\") `process_mshta` by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `office_product_spawning_mshta_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "No false positives known. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_mshta", "definition": "(Processes.process_name=mshta.exe OR Processes.original_file_name=MSHTA.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "office_product_spawning_mshta_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Office Product Spawning Rundll32 with no DLL", "author": "Michael Haag, Splunk", "date": "2023-07-11", "version": 5, "id": "c661f6be-a38c-11eb-be57-acde48001122", "description": "The following detection identifies the latest behavior utilized by IcedID malware family. This detection identifies any Windows Office Product spawning `rundll32.exe` without a `.dll` file extension. In malicious instances, the command-line of `rundll32.exe` will look like `rundll32 ..\\oepddl.igk2,DllRegisterServer`. In addition, Threat Research has released a detection identifying the use of `DllRegisterServer` on the command-line of `rundll32.exe`. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze the `DLL` that was dropped to disk. The Office Product will have reached out to a remote destination, capture and block the IPs or domain. Review additional parallel processes for further activity.", "references": ["https://www.joesandbox.com/analysis/395471/0/html", "https://app.any.run/tasks/cef4b8ba-023c-4b3b-b2ef-6486a44f6ed9/", "https://any.run/malware-trends/icedid"], "tags": {"analytic_story": ["CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "office parent process $parent_process_name$ will execute a suspicious child process $process_name$ with process id $process_id$ and no dll commandline $process$ in host $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\", \"msaccess.exe\", \"Graph.exe\",\"winproj.exe\") `process_rundll32` (Processes.process!=*.dll*) by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `office_product_spawning_rundll32_with_no_dll_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited, but if any are present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "office_product_spawning_rundll32_with_no_dll_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Office Product Spawning Windows Script Host", "author": "Michael Haag, Splunk", "date": "2024-05-17", "version": 6, "id": "b3628a5b-8d02-42fa-a891-eebf2351cbe1", "description": "The following analytic detects an Office product spawning WScript.exe or CScript.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where Office applications are the parent processes. This activity is significant because it may indicate the execution of potentially malicious scripts through Office products, a common tactic in phishing attacks and malware delivery. If confirmed malicious, this behavior could lead to unauthorized code execution, data exfiltration, or further system compromise.", "references": ["https://blog.cluster25.duskrise.com/2022/09/23/in-the-footsteps-of-the-fancy-bear-powerpoint-graphite/", "https://www.fortinet.com/blog/threat-research/latest-remcos-rat-phishing", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"analytic_story": ["CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "Remcos", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "office parent process $parent_process_name$ will execute a suspicious child process $process_name$ on host $dest$.", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\", \"msaccess.exe\",\"Graph.exe\",\"winproj.exe\") Processes.process_name IN (\"wscript.exe\", \"cscript.exe\") by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `office_product_spawning_windows_script_host_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present based on macro based approved documents in the organization. Filtering may be needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "office_product_spawning_windows_script_host_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Office Product Spawning Wmic", "author": "Michael Haag, Splunk", "date": "2023-07-11", "version": 6, "id": "ffc236d6-a6c9-11eb-95f1-acde48001122", "description": "The following detection identifies the latest behavior utilized by Ursnif malware family. This detection identifies any Windows Office Product spawning `wmic.exe`. In malicious instances, the command-line of `wmic.exe` will contain `wmic process call create`. In addition, Threat Research has released a detection identifying the use of `wmic process call create` on the command-line of `wmic.exe`. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. The Office Product, or `wmic.exe` will have reached out to a remote destination, capture and block the IPs or domain. Review additional parallel processes for further activity.", "references": ["https://app.any.run/tasks/fb894ab8-a966-4b72-920b-935f41756afd/", "https://attack.mitre.org/techniques/T1047/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"analytic_story": ["CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "FIN7", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker"]}], "message": "office parent process $parent_process_name$ will execute a suspicious child process $process_name$ with process id $process_id$ in host $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\",\"msaccess.exe\", \"Graph.exe\",\"winproj.exe\") `process_wmic` by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `office_product_spawning_wmic_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "No false positives known. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "office_product_spawning_wmic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Office Product Writing cab or inf", "author": "Michael Haag, Splunk", "date": "2023-02-15", "version": 4, "id": "f48cd1d4-125a-11ec-a447-acde48001122", "description": "The following analytic identifies behavior related to CVE-2021-40444. Whereas the malicious document will load ActiveX and download the remote payload (.inf, .cab). During triage, review parallel processes and further activity on endpoint to identify additional patterns. Retrieve the file modifications and analyze further.", "references": ["https://twitter.com/vxunderground/status/1436326057179860992?s=20", "https://app.any.run/tasks/36c14029-9df8-439c-bba0-45f2643b0c70/", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444", "https://twitter.com/RonnyTNL/status/1436334640617373699?s=20", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"analytic_story": ["Microsoft MSHTML Remote Code Execution CVE-2021-40444", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $process_name$ was identified on $dest$ writing an inf or cab file to this. This is not typical of $process_name$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\",\"wordpad.exe\",\"wordview.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\",\"msaccess.exe\") by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.process_guid | `drop_dm_object_name(Processes)` |rename process_guid as proc_guid | join proc_guid, _time [ | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*.inf\",\"*.cab\") by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)` |rename process_guid as proc_guid | fields _time dest file_create_time file_name file_path process_name process_path process proc_guid] | dedup file_create_time | table dest, process_name, process, file_create_time, file_name, file_path, proc_guid | `office_product_writing_cab_or_inf_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node.", "known_false_positives": "The query is structured in a way that `action` (read, create) is not defined. Review the results of this query, filter, and tune as necessary. It may be necessary to generate this query specific to your endpoint product.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "office_product_writing_cab_or_inf_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Office Spawning Control", "author": "Michael Haag, Splunk", "date": "2023-11-07", "version": 4, "id": "053e027c-10c7-11ec-8437-acde48001122", "description": "The following detection identifies control.exe spawning from an office product. This detection identifies any Windows Office Product spawning `control.exe`. In malicious instances, the command-line of `control.exe` will contain a file path to a .cpl or .inf, related to CVE-2021-40444. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. review parallel and child processes to identify further suspicious behavior", "references": ["https://strontic.github.io/xcyclopedia/library/control.exe-1F13E714A0FEA8887707DFF49287996F.html", "https://app.any.run/tasks/36c14029-9df8-439c-bba0-45f2643b0c70/", "https://attack.mitre.org/techniques/T1218/011/", "https://www.echotrail.io/insights/search/control.exe/", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.yaml", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"analytic_story": ["Microsoft MSHTML Remote Code Execution CVE-2021-40444", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ clicking a suspicious attachment.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\",\"wordpad.exe\",\"wordview.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\",\"msaccess.exe\") Processes.process_name=control.exe by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `office_spawning_control_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives should be present.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "office_spawning_control_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Outbound Network Connection from Java Using Default Ports", "author": "Mauricio Velazco, Lou Stella, Splunk", "date": "2022-06-28", "version": 2, "id": "d2c14d28-5c47-11ec-9892-acde48001122", "description": "A required step while exploiting the CVE-2021-44228-Log4j vulnerability is that the victim server will perform outbound connections to attacker-controlled infrastructure. This is required as part of the JNDI lookup as well as for retrieving the second stage .class payload. The following analytic identifies the Java process reaching out to default ports used by the LDAP and RMI protocols. This behavior could represent successfull exploitation. Note that adversaries can easily decide to use arbitrary ports for these protocols and potentially bypass this detection.", "references": ["https://www.lunasec.io/docs/blog/log4j-zero-day/", "https://www.govcert.admin.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/"], "tags": {"analytic_story": ["Log4Shell CVE-2021-44228"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Java performed outbound connections to default ports of LDAP or RMI on $dest$", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where (Processes.process_name=\"java.exe\" OR Processes.process_name=javaw.exe OR Processes.process_name=javaw.exe) by _time Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where (All_Traffic.dest_port= 389 OR All_Traffic.dest_port= 636 OR All_Traffic.dest_port = 1389 OR All_Traffic.dest_port = 1099 ) by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as connection_to_CNC] | table _time dest parent_process_name process_name process_path process connection_to_CNC dest_port| `outbound_network_connection_from_java_using_default_ports_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Legitimate Java applications may use perform outbound connections to these ports. Filter as needed", "datamodel": ["Endpoint", "Network_Traffic"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "outbound_network_connection_from_java_using_default_ports_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Overwriting Accessibility Binaries", "author": "David Dorsey, Splunk", "date": "2023-04-14", "version": 4, "id": "13c2f6c3-10c5-4deb-9ba1-7c4460ebe4ae", "description": "Microsoft Windows contains accessibility features that can be launched with a key combination before a user has logged in. An adversary can modify or replace these programs so they can get a command prompt or backdoor without logging in to the system. This search looks for modifications to these binaries.", "references": [], "tags": {"analytic_story": ["Data Destruction", "Flax Typhoon", "Hermetic Wiper", "Windows Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_name", "type": "File", "role": ["Attacker"]}], "message": "A suspicious file modification or replace in $file_path$ in host $dest$", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546.008", "mitre_attack_technique": "Accessibility Features", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT3", "APT41", "Axiom", "Deep Panda", "Fox Kitten"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem where (Filesystem.file_path=*\\\\Windows\\\\System32\\\\sethc.exe* OR Filesystem.file_path=*\\\\Windows\\\\System32\\\\utilman.exe* OR Filesystem.file_path=*\\\\Windows\\\\System32\\\\osk.exe* OR Filesystem.file_path=*\\\\Windows\\\\System32\\\\Magnify.exe* OR Filesystem.file_path=*\\\\Windows\\\\System32\\\\Narrator.exe* OR Filesystem.file_path=*\\\\Windows\\\\System32\\\\DisplaySwitch.exe* OR Filesystem.file_path=*\\\\Windows\\\\System32\\\\AtBroker.exe*) by Filesystem.file_name Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `overwriting_accessibility_binaries_filter`", "how_to_implement": "You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.", "known_false_positives": "Microsoft may provide updates to these binaries. Verify that these changes do not correspond with your normal software update cycle.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "overwriting_accessibility_binaries_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "PaperCut NG Suspicious Behavior Debug Log", "author": "Michael Haag, Splunk", "date": "2023-05-15", "version": 1, "id": "395163b8-689b-444b-86c7-9fe9ad624734", "description": "The following hunting analytic is designed to monitor and detect potential exploitation attempts targeting a PaperCut NG server by analyzing its debug log data. By focusing on public IP addresses accessing the PaperCut NG instance, this analytic aims to identify unauthorized or suspicious access attempts. Furthermore, it searches for specific URIs that have been discovered in the proof of concept code, which are associated with known exploits or vulnerabilities. The analytic is focused on the user admin. Regex is used mainly because the log is not parsed by Splunk and there is no TA for this debug log.", "references": ["https://www.papercut.com/kb/Main/HowToCollectApplicationServerDebugLogs", "https://github.com/inodee/threathunting-spl/blob/master/hunt-queries/HAFNIUM.md", "https://www.cisa.gov/news-events/alerts/2023/05/11/cisa-and-fbi-release-joint-advisory-response-active-exploitation-papercut-vulnerability", "https://www.papercut.com/kb/Main/PO-1216-and-PO-1219", "https://www.horizon3.ai/papercut-cve-2023-27350-deep-dive-and-indicators-of-compromise/", "https://www.bleepingcomputer.com/news/security/hackers-actively-exploit-critical-rce-bug-in-papercut-servers/", "https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software"], "tags": {"analytic_story": ["PaperCut MF NG Vulnerability"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Behavior related to exploitation of PaperCut NG has been identified on $host$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "type": "Hunting", "search": "`papercutng` (loginType=Admin OR userName=admin) | eval uri_match=if(match(_raw, \"(?i)(\\/app\\?service=page\\/SetupCompleted|\\/app|\\/app\\?service=page\\/PrinterList|\\/app\\?service=direct\\/1\\/PrinterList\\/selectPrinter&sp=l1001|\\/app\\?service=direct\\/1\\/PrinterDetails\\/printerOptionsTab\\.tab)\"), \"URI matches\", null()) | eval ip_match=if(match(_raw, \"(?i)((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))\") AND NOT match(_raw, \"(?i)(10\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))|(172\\.(1[6-9]|2[0-9]|3[0-1])\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))|(192\\.168\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))\"), \"IP matches\", null()) | where (isnotnull(uri_match) OR isnotnull(ip_match)) | stats sparkline, count, values(uri_match) AS uri_match, values(ip_match) AS ip_match latest(_raw) BY host, index, sourcetype | `papercut_ng_suspicious_behavior_debug_log_filter`", "how_to_implement": "Debug logs must be enabled and shipped to Splunk in order to properly identify behavior with this analytic.", "known_false_positives": "False positives may be present, as this is based on the admin user accessing the Papercut NG instance from a public IP address. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "papercutng", "definition": "sourcetype=\"papercutng\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "papercut_ng_suspicious_behavior_debug_log_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Password Policy Discovery with Net", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2024-05-19", "version": 2, "id": "09336538-065a-11ec-8665-acde48001122", "description": "The following analytic identifies the execution of `net.exe` or `net1.exe` with command line arguments aimed at obtaining the domain password policy. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to gather information about Active Directory password policies. If confirmed malicious, this behavior could allow attackers to understand password complexity requirements, aiding in brute-force or password-guessing attacks, ultimately compromising user accounts and gaining unauthorized access to the network.", "references": ["https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "message": "an instance of process $process_name$ with commandline $process$ in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1201", "mitre_attack_technique": "Password Policy Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "OilRig", "Turla"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"net.exe\" OR Processes.process_name=\"net1.exe\") AND Processes.process = \"*accounts*\" AND Processes.process = \"*/domain*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `password_policy_discovery_with_net_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "password_policy_discovery_with_net_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Permission Modification using Takeown App", "author": "Teoderick Contreras, Splunk", "date": "2024-05-11", "version": 2, "id": "fa7ca5c6-c9d8-11eb-bce9-acde48001122", "description": "The following analytic detects the modification of file or directory permissions using the takeown.exe Windows application. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include process GUID, process name, and command-line details. This activity is significant because it is a common technique used by ransomware to take ownership of files or folders for encryption or deletion. If confirmed malicious, this could lead to unauthorized access, data encryption, or data destruction, severely impacting the integrity and availability of critical data.", "references": ["https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/"], "tags": {"analytic_story": ["Ransomware", "Sandworm Tools"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "A suspicious of execution of $process_name$ with process id $process_id$ and commandline $process$ to modify permission of directory or files in host $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"takeown.exe\" Processes.process = \"*/f*\" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `permission_modification_using_takeown_app_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "takeown.exe is a normal windows application that may used by network operator.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "permission_modification_using_takeown_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "PetitPotam Network Share Access Request", "author": "Michael Haag, Mauricio Velazco, Splunk", "date": "2024-04-26", "version": 2, "id": "95b8061a-0a67-11ec-85ec-acde48001122", "description": "The following analytic utilizes Windows Event Code 5145, \"A network share object was checked to see whether client can be granted desired access\". During our research into PetitPotam, CVE-2021-36942, we identified the ocurrence of this event on the target host with specific values.\nTo enable 5145 events via Group Policy - Computer Configuration->Polices->Windows Settings->Security Settings->Advanced Audit Policy Configuration. Expand this node, go to Object Access (Audit Polices->Object Access), then select the Setting Audit Detailed File Share Audit\nIt is possible this is not enabled by default and may need to be reviewed and enabled.\n\nDuring triage, review parallel security events to identify further suspicious activity.", "references": ["https://attack.mitre.org/techniques/T1187/", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5145", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145"], "tags": {"analytic_story": ["PetitPotam NTLM Relay on Active Directory Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A remote host is enumerating a $dest$ to identify permissions. This is a precursor event to CVE-2021-36942, PetitPotam.", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1187", "mitre_attack_technique": "Forced Authentication", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["DarkHydrus", "Dragonfly"]}]}, "type": "TTP", "search": "`wineventlog_security` SubjectUserName=\"ANONYMOUS LOGON\" EventCode=5145 RelativeTargetName=lsarpc | stats count min(_time) as firstTime max(_time) as lastTime by dest, SubjectUserSid, ShareName, src, AccessMask, AccessReason | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `petitpotam_network_share_access_request_filter`", "how_to_implement": "Windows Event Code 5145 is required to utilize this analytic and it may not be enabled in most environments.", "known_false_positives": "False positives have been limited when the Anonymous Logon is used for Account Name.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "petitpotam_network_share_access_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "PetitPotam Suspicious Kerberos TGT Request", "author": "Michael Haag, Mauricio Velazco, Splunk", "date": "2024-04-26", "version": 2, "id": "e3ef244e-0a67-11ec-abf2-acde48001122", "description": "The following analytic identifes Event Code 4768, A `Kerberos authentication ticket (TGT) was requested`, successfull occurs. This behavior has been identified to assist with detecting PetitPotam, CVE-2021-36942. Once an attacer obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes. One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus. This request will generate a 4768 event with some unusual fields depending on the environment. This analytic will require tuning, we recommend filtering Account_Name to Domain Controllers for your environment.", "references": ["https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4768", "https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "PetitPotam NTLM Relay on Active Directory Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A Kerberos TGT was requested in a non-standard manner against $dest$, potentially related to CVE-2021-36942, PetitPotam.", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "type": "TTP", "search": "`wineventlog_security` EventCode=4768 src!=\"::1\" TargetUserName=*$ CertThumbprint!=\"\" | stats count min(_time) as firstTime max(_time) as lastTime by dest, TargetUserName, src, action | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `petitpotam_suspicious_kerberos_tgt_request_filter`", "how_to_implement": "The following analytic requires Event Code 4768. Ensure that it is logging no Domain Controllers and appearing in Splunk.", "known_false_positives": "False positives are possible if the environment is using certificates for authentication.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "petitpotam_suspicious_kerberos_tgt_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Ping Sleep Batch Command", "author": "Teoderick Contreras, Splunk", "date": "2023-04-14", "version": 1, "id": "ce058d6c-79f2-11ec-b476-acde48001122", "description": "This analytic will identify the possible execution of ping sleep batch commands. This technique was seen in several malware samples and is used to trigger sleep times without explicitly calling sleep functions or commandlets. The goal is to delay the execution of malicious code and bypass detection or sandbox analysis. This detection can be a good indicator of a process delaying its execution for malicious purposes.", "references": ["https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"analytic_story": ["BlackByte Ransomware", "Data Destruction", "Warzone RAT", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "suspicious $process$ commandline run in $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1497", "mitre_attack_technique": "Virtualization/Sandbox Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": ["Darkhotel"]}, {"mitre_attack_id": "T1497.003", "mitre_attack_technique": "Time Based Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_ping` (Processes.parent_process = \"*ping*\" Processes.parent_process = *-n* Processes.parent_process=\"* Nul*\"Processes.parent_process=\"*>*\") OR (Processes.process = \"*ping*\" Processes.process = *-n* Processes.process=\"* Nul*\"Processes.process=\"*>*\") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `ping_sleep_batch_command_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator may execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_ping", "definition": "(Processes.process_name=ping.exe OR Processes.original_file_name=ping.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "ping_sleep_batch_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Possible Browser Pass View Parameter", "author": "Teoderick Contreras, Splunk", "date": "2021-11-22", "version": 1, "id": "8ba484e8-4b97-11ec-b19a-acde48001122", "description": "This analytic will detect if a suspicious process contains a commandline parameter related to a web browser credential dumper. This technique is used by Remcos RAT malware which uses the Nirsoft webbrowserpassview.exe application to dump web browser credentials. Remcos uses the \"/stext\" command line to dump the credentials in text format. This Hunting query is a good indicator of hosts suffering from possible Remcos RAT infection. Since the hunting query is based on the parameter command and the possible path where it will save the text credential information, it may catch normal tools that are using the same command and behavior.", "references": ["https://www.nirsoft.net/utils/web_browser_password.html", "https://app.any.run/tasks/df0baf9f-8baf-4c32-a452-16562ecb19be/"], "tags": {"analytic_story": ["Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "suspicious process $process_name$ contains commandline $process$ on $dest$", "risk_score": 16, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "APT41", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Malteiro", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "Malteiro", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN (\"*/stext *\", \"*/shtml *\", \"*/LoadPasswordsIE*\", \"*/LoadPasswordsFirefox*\", \"*/LoadPasswordsChrome*\", \"*/LoadPasswordsOpera*\", \"*/LoadPasswordsSafari*\" , \"*/UseOperaPasswordFile*\", \"*/OperaPasswordFile*\",\"*/stab*\", \"*/scomma*\", \"*/stabular*\", \"*/shtml*\", \"*/sverhtml*\", \"*/sxml*\", \"*/skeepass*\" ) AND Processes.process IN (\"*\\\\temp\\\\*\", \"*\\\\users\\\\public\\\\*\", \"*\\\\programdata\\\\*\") by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `possible_browser_pass_view_parameter_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positive is quite limited. Filter is needed", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "possible_browser_pass_view_parameter_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Possible Lateral Movement PowerShell Spawn", "author": "Mauricio Velazco, Splunk", "date": "2023-05-13", "version": 2, "id": "cb909b3e-512b-11ec-aa31-3e22fbd008af", "description": "The following analytic is designed to identify possible lateral movement attacks that involve the spawning of a PowerShell process as a child or grandchild process of commonly abused processes. These processes include services.exe, wmiprsve.exe, svchost.exe, wsmprovhost.exe, and mmc.exe.\nSuch behavior is indicative of legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management, and the DCOM protocol being abused to start a process on a remote endpoint. This behavior is often seen during lateral movement techniques where adversaries or red teams abuse these services for lateral movement and remote code execution.", "references": ["https://attack.mitre.org/techniques/T1021/003/", "https://attack.mitre.org/techniques/T1021/006/", "https://attack.mitre.org/techniques/T1047/", "https://attack.mitre.org/techniques/T1053/005/", "https://attack.mitre.org/techniques/T1543/003/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Data Destruction", "Hermetic Wiper", "Malicious PowerShell", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A PowerShell process was spawned as a child process of typically abused processes on $dest$", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.006", "mitre_attack_technique": "Windows Remote Management", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Chimera", "FIN13", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1218.014", "mitre_attack_technique": "MMC", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=wmiprvse.exe OR Processes.parent_process_name=services.exe OR Processes.parent_process_name=svchost.exe OR Processes.parent_process_name=wsmprovhost.exe OR Processes.parent_process_name=mmc.exe) (Processes.process_name=powershell.exe OR (Processes.process_name=cmd.exe AND Processes.process=*powershell.exe*) OR Processes.process_name=pwsh.exe OR (Processes.process_name=cmd.exe AND Processes.process=*pwsh.exe*)) NOT (Processes.process IN (\"*c:\\windows\\ccm\\*\")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `possible_lateral_movement_powershell_spawn_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Legitimate applications may spawn PowerShell as a child process of the the identified processes. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "possible_lateral_movement_powershell_spawn_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Potential password in username", "author": "Mikael Bjerkeland, Splunk", "date": "2022-05-11", "version": 1, "id": "5ced34b4-ab32-4bb0-8f22-3b8f186f0a38", "description": "This search identifies users who have entered their passwords in username fields. This is done by looking for failed authentication attempts using usernames with a length longer than 7 characters and a high Shannon entropy, and looks for the next successful authentication attempt from the same source system to the same destination system as the failed attempt.", "references": ["https://medium.com/@markmotig/search-for-passwords-accidentally-typed-into-the-username-field-975f1a389928"], "tags": {"analytic_story": ["Credential Dumping", "Insider Threat"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Potential password in username ($user$) with Shannon entropy ($ut_shannon$)", "risk_score": 21, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.003", "mitre_attack_technique": "Local Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT32", "FIN10", "FIN7", "HAFNIUM", "Kimsuky", "PROMETHIUM", "Tropic Trooper", "Turla"]}, {"mitre_attack_id": "T1552.001", "mitre_attack_technique": "Credentials In Files", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "FIN13", "Fox Kitten", "Kimsuky", "Leafminer", "MuddyWater", "OilRig", "Scattered Spider", "TA505", "TeamTNT"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` earliest(_time) AS starttime latest(_time) AS endtime latest(sourcetype) AS sourcetype values(Authentication.src) AS src values(Authentication.dest) AS dest count FROM datamodel=Authentication WHERE nodename=Authentication.Failed_Authentication BY \"Authentication.user\" | `drop_dm_object_name(Authentication)` | lookup ut_shannon_lookup word AS user | where ut_shannon>3 AND len(user)>=8 AND mvcount(src) == 1 | sort count, - ut_shannon | eval incorrect_cred=user | eval endtime=endtime+1000 | map maxsearches=70 search=\"| tstats `security_content_summariesonly` earliest(_time) AS starttime latest(_time) AS endtime latest(sourcetype) AS sourcetype values(Authentication.src) AS src values(Authentication.dest) AS dest count FROM datamodel=Authentication WHERE nodename=Authentication.Successful_Authentication Authentication.src=\\\"$src$\\\" Authentication.dest=\\\"$dest$\\\" sourcetype IN (\\\"$sourcetype$\\\") earliest=\\\"$starttime$\\\" latest=\\\"$endtime$\\\" BY \\\"Authentication.user\\\" | `drop_dm_object_name(\\\"Authentication\\\")` | `potential_password_in_username_false_positive_reduction` | eval incorrect_cred=\\\"$incorrect_cred$\\\" | eval ut_shannon=\\\"$ut_shannon$\\\" | sort count\" | where user!=incorrect_cred | outlier action=RM count | `potential_password_in_username_filter`", "how_to_implement": "To successfully implement this search, you need to have relevant authentication logs mapped to the Authentication data model. You also need to have the Splunk TA URL Toolbox (https://splunkbase.splunk.com/app/2734/) installed. The detection must run with a time interval shorter than endtime+1000.", "known_false_positives": "Valid usernames with high entropy or source/destination system pairs with multiple authenticating users will make it difficult to identify the real user authenticating.", "datamodel": ["Authentication"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "potential_password_in_username_false_positive_reduction", "definition": "search *", "description": "Add customer specific known false positives to the map command used in detection - Potential password in username"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "potential_password_in_username_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Potentially malicious code on commandline", "author": "Michael Hart, Splunk", "date": "2022-01-14", "version": 1, "id": "9c53c446-757e-11ec-871d-acde48001122", "description": "The following analytic uses a pretrained machine learning text classifier to detect potentially malicious commandlines. The model identifies unusual combinations of keywords found in samples of commandlines where adversaries executed powershell code, primarily for C2 communication. For example, adversaries will leverage IO capabilities such as \"streamreader\" and \"webclient\", threading capabilties such as \"mutex\" locks, programmatic constructs like \"function\" and \"catch\", and cryptographic operations like \"computehash\". Although observing one of these keywords in a commandline script is possible, combinations of keywords observed in attack data are not typically found in normal usage of the commandline. The model will output a score where all values above zero are suspicious, anything greater than one particularly so.", "references": ["https://attack.mitre.org/techniques/T1059/003/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"], "tags": {"analytic_story": ["Suspicious Command-Line Executions"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Unusual command-line execution with command line length greater than 200 found on $dest$ with commandline value - [$process$]", "risk_score": 12, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=\"Endpoint.Processes\" by Processes.parent_process_name Processes.process_name Processes.process Processes.user Processes.dest | `drop_dm_object_name(Processes)` | where len(process) > 200 | `potentially_malicious_code_on_cmdline_tokenize_score` | apply unusual_commandline_detection | eval score='predicted(unusual_cmdline_logits)', process=orig_process | fields - unusual_cmdline* predicted(unusual_cmdline_logits) orig_process | where score > 0.5 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `potentially_malicious_code_on_commandline_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "This model is an anomaly detector that identifies usage of APIs and scripting constructs that are correllated with malicious activity. These APIs and scripting constructs are part of the programming langauge and advanced scripts may generate false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "potentially_malicious_code_on_cmdline_tokenize_score", "definition": "eval orig_process=process, process=replace(lower(process), \"`\", \"\") | makemv tokenizer=\"([\\w\\d\\-]+)\" process | eval unusual_cmdline_feature_for=if(match(process, \"^for$\"), mvcount(mvfilter(match(process, \"^for$\"))), 0), unusual_cmdline_feature_netsh=if(match(process, \"^netsh$\"), mvcount(mvfilter(match(process, \"^netsh$\"))), 0), unusual_cmdline_feature_readbytes=if(match(process, \"^readbytes$\"), mvcount(mvfilter(match(process, \"^readbytes$\"))), 0), unusual_cmdline_feature_set=if(match(process, \"^set$\"), mvcount(mvfilter(match(process, \"^set$\"))), 0), unusual_cmdline_feature_unrestricted=if(match(process, \"^unrestricted$\"), mvcount(mvfilter(match(process, \"^unrestricted$\"))), 0), unusual_cmdline_feature_winstations=if(match(process, \"^winstations$\"), mvcount(mvfilter(match(process, \"^winstations$\"))), 0), unusual_cmdline_feature_-value=if(match(process, \"^-value$\"), mvcount(mvfilter(match(process, \"^-value$\"))), 0), unusual_cmdline_feature_compression=if(match(process, \"^compression$\"), mvcount(mvfilter(match(process, \"^compression$\"))), 0), unusual_cmdline_feature_server=if(match(process, \"^server$\"), mvcount(mvfilter(match(process, \"^server$\"))), 0), unusual_cmdline_feature_set-mppreference=if(match(process, \"^set-mppreference$\"), mvcount(mvfilter(match(process, \"^set-mppreference$\"))), 0), unusual_cmdline_feature_terminal=if(match(process, \"^terminal$\"), mvcount(mvfilter(match(process, \"^terminal$\"))), 0), unusual_cmdline_feature_-name=if(match(process, \"^-name$\"), mvcount(mvfilter(match(process, \"^-name$\"))), 0), unusual_cmdline_feature_catch=if(match(process, \"^catch$\"), mvcount(mvfilter(match(process, \"^catch$\"))), 0), unusual_cmdline_feature_get-wmiobject=if(match(process, \"^get-wmiobject$\"), mvcount(mvfilter(match(process, \"^get-wmiobject$\"))), 0), unusual_cmdline_feature_hklm=if(match(process, \"^hklm$\"), mvcount(mvfilter(match(process, \"^hklm$\"))), 0), unusual_cmdline_feature_streamreader=if(match(process, \"^streamreader$\"), mvcount(mvfilter(match(process, \"^streamreader$\"))), 0), unusual_cmdline_feature_system32=if(match(process, \"^system32$\"), mvcount(mvfilter(match(process, \"^system32$\"))), 0), unusual_cmdline_feature_username=if(match(process, \"^username$\"), mvcount(mvfilter(match(process, \"^username$\"))), 0), unusual_cmdline_feature_webrequest=if(match(process, \"^webrequest$\"), mvcount(mvfilter(match(process, \"^webrequest$\"))), 0), unusual_cmdline_feature_count=if(match(process, \"^count$\"), mvcount(mvfilter(match(process, \"^count$\"))), 0), unusual_cmdline_feature_webclient=if(match(process, \"^webclient$\"), mvcount(mvfilter(match(process, \"^webclient$\"))), 0), unusual_cmdline_feature_writeallbytes=if(match(process, \"^writeallbytes$\"), mvcount(mvfilter(match(process, \"^writeallbytes$\"))), 0), unusual_cmdline_feature_convert=if(match(process, \"^convert$\"), mvcount(mvfilter(match(process, \"^convert$\"))), 0), unusual_cmdline_feature_create=if(match(process, \"^create$\"), mvcount(mvfilter(match(process, \"^create$\"))), 0), unusual_cmdline_feature_function=if(match(process, \"^function$\"), mvcount(mvfilter(match(process, \"^function$\"))), 0), unusual_cmdline_feature_net=if(match(process, \"^net$\"), mvcount(mvfilter(match(process, \"^net$\"))), 0), unusual_cmdline_feature_com=if(match(process, \"^com$\"), mvcount(mvfilter(match(process, \"^com$\"))), 0), unusual_cmdline_feature_http=if(match(process, \"^http$\"), mvcount(mvfilter(match(process, \"^http$\"))), 0), unusual_cmdline_feature_io=if(match(process, \"^io$\"), mvcount(mvfilter(match(process, \"^io$\"))), 0), unusual_cmdline_feature_system=if(match(process, \"^system$\"), mvcount(mvfilter(match(process, \"^system$\"))), 0), unusual_cmdline_feature_new-object=if(match(process, \"^new-object$\"), mvcount(mvfilter(match(process, \"^new-object$\"))), 0), unusual_cmdline_feature_if=if(match(process, \"^if$\"), mvcount(mvfilter(match(process, \"^if$\"))), 0), unusual_cmdline_feature_threading=if(match(process, \"^threading$\"), mvcount(mvfilter(match(process, \"^threading$\"))), 0), unusual_cmdline_feature_mutex=if(match(process, \"^mutex$\"), mvcount(mvfilter(match(process, \"^mutex$\"))), 0), unusual_cmdline_feature_cryptography=if(match(process, \"^cryptography$\"), mvcount(mvfilter(match(process, \"^cryptography$\"))), 0), unusual_cmdline_feature_computehash=if(match(process, \"^computehash$\"), mvcount(mvfilter(match(process, \"^computehash$\"))), 0)", "description": "Performs the tokenization and application of the malicious commandline classifier"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "potentially_malicious_code_on_commandline_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "PowerShell 4104 Hunting", "author": "Michael Haag, Splunk", "date": "2023-12-27", "version": 4, "id": "d6f2b006-0041-11ec-8885-acde48001122", "description": "The following Hunting analytic assists with identifying suspicious PowerShell execution using Script Block Logging, or EventCode 4104. This analytic is not meant to be ran hourly, but occasionally to identify malicious or suspicious PowerShell. This analytic is a combination of work completed by Alex Teixeira and Splunk Threat Research Team.", "references": ["https://github.com/inodee/threathunting-spl/blob/master/hunt-queries/powershell_qualifiers.md", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell", "https://github.com/marcurdy/dfir-toolset/blob/master/Powershell%20Blueteam.txt", "https://devblogs.microsoft.com/powershell/powershell-the-blue-team/", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging?view=powershell-5.1", "https://www.mandiant.com/resources/greater-visibilityt", "https://hurricanelabs.com/splunk-tutorials/how-to-use-powershell-transcription-logs-in-splunk/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html", "https://adlumin.com/post/powerdrop-a-new-insidious-powershell-script-for-command-and-control-attacks-targets-u-s-aerospace-defense-industry/"], "tags": {"analytic_story": ["CISA AA23-347A", "DarkGate Malware", "Data Destruction", "Flax Typhoon", "Hermetic Wiper", "Malicious PowerShell", "Rhysida Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Powershell was identified on endpoint $host$ by user $user$ executing suspicious commands.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}]}, "type": "Hunting", "search": "`powershell` EventCode=4104 | eval DoIt = if(match(ScriptBlockText,\"(?i)(\\$doit)\"), \"4\", 0) | eval enccom=if(match(ScriptBlockText,\"[A-Za-z0-9+\\/]{44,}([A-Za-z0-9+\\/]{4}|[A-Za-z0-9+\\/]{3}=|[A-Za-z0-9+\\/]{2}==)\") OR match(ScriptBlockText, \"(?i)[-]e(nc*o*d*e*d*c*o*m*m*a*n*d*)*\\s+[^-]\"),4,0) | eval suspcmdlet=if(match(ScriptBlockText, \"(?i)Add-Exfiltration|Add-Persistence|Add-RegBackdoor|Add-ScrnSaveBackdoor|Check-VM|Do-Exfiltration|Enabled-DuplicateToken|Exploit-Jboss|Find-Fruit|Find-GPOLocation|Find-TrustedDocuments|Get-ApplicationHost|Get-ChromeDump|Get-ClipboardContents|Get-FoxDump|Get-GPPPassword|Get-IndexedItem|Get-Keystrokes|LSASecret|Get-PassHash|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-RickAstley|Get-Screenshot|Get-SecurityPackages|Get-ServiceFilePermission|Get-ServicePermission|Get-ServiceUnquoted|Get-SiteListPassword|Get-System|Get-TimedScreenshot|Get-UnattendedInstallFile|Get-Unconstrained|Get-VaultCredential|Get-VulnAutoRun|Get-VulnSchTask|Gupt-Backdoor|HTTP-Login|Install-SSP|Install-ServiceBinary|Invoke-ACLScanner|Invoke-ADSBackdoor|Invoke-ARPScan|Invoke-AllChecks|Invoke-BackdoorLNK|Invoke-BypassUAC|Invoke-CredentialInjection|Invoke-DCSync|Invoke-DllInjection|Invoke-DowngradeAccount|Invoke-EgressCheck|Invoke-Inveigh|Invoke-InveighRelay|Invoke-Mimikittenz|Invoke-NetRipper|Invoke-NinjaCopy|Invoke-PSInject|Invoke-Paranoia|Invoke-PortScan|Invoke-PoshRat|Invoke-PostExfil|Invoke-PowerDump|Invoke-PowerShellTCP|Invoke-PsExec|Invoke-PsUaCme|Invoke-ReflectivePEInjection|Invoke-ReverseDNSLookup|Invoke-RunAs|Invoke-SMBScanner|Invoke-SSHCommand|Invoke-Service|Invoke-Shellcode|Invoke-Tater|Invoke-ThunderStruck|Invoke-Token|Invoke-UserHunter|Invoke-VoiceTroll|Invoke-WScriptBypassUAC|Invoke-WinEnum|MailRaider|New-HoneyHash|Out-Minidump|Port-Scan|PowerBreach|PowerUp|PowerView|Remove-Update|Set-MacAttribute|Set-Wallpaper|Show-TargetScreen|Start-CaptureServer|VolumeShadowCopyTools|NEEEEWWW|(Computer|User)Property|CachedRDPConnection|get-net\\S+|invoke-\\S+hunter|Install-Service|get-\\S+(credent|password)|remoteps|Kerberos.*(policy|ticket)|netfirewall|Uninstall-Windows|Verb\\s+Runas|AmsiBypass|nishang|Invoke-Interceptor|EXEonRemote|NetworkRelay|PowerShelludp|PowerShellIcmp|CreateShortcut|copy-vss|invoke-dll|invoke-mass|out-shortcut|Invoke-ShellCommand\"),1,0) | eval base64 = if(match(lower(ScriptBlockText),\"frombase64\"), \"4\", 0) | eval empire=if(match(lower(ScriptBlockText),\"system.net.webclient\") AND match(lower(ScriptBlockText), \"frombase64string\") ,5,0) | eval mimikatz=if(match(lower(ScriptBlockText),\"mimikatz\") OR match(lower(ScriptBlockText), \"-dumpcr\") OR match(lower(ScriptBlockText), \"SEKURLSA::Pth\") OR match(lower(ScriptBlockText), \"kerberos::ptt\") OR match(lower(ScriptBlockText), \"kerberos::golden\") ,5,0) | eval iex=if(match(ScriptBlockText, \"(?i)iex|invoke-expression\"),2,0) | eval webclient=if(match(lower(ScriptBlockText),\"http\") OR match(lower(ScriptBlockText),\"web(client|request)\") OR match(lower(ScriptBlockText),\"socket\") OR match(lower(ScriptBlockText),\"download(file|string)\") OR match(lower(ScriptBlockText),\"bitstransfer\") OR match(lower(ScriptBlockText),\"internetexplorer.application\") OR match(lower(ScriptBlockText),\"xmlhttp\"),5,0) | eval get = if(match(lower(ScriptBlockText),\"get-\"), \"1\", 0) | eval rundll32 = if(match(lower(ScriptBlockText),\"rundll32\"), \"4\", 0) | eval suspkeywrd=if(match(ScriptBlockText, \"(?i)(bitstransfer|mimik|metasp|AssemblyBuilderAccess|Reflection\\.Assembly|shellcode|injection|cnvert|shell\\.application|start-process|Rc4ByteStream|System\\.Security\\.Cryptography|lsass\\.exe|localadmin|LastLoggedOn|hijack|BackupPrivilege|ngrok|comsvcs|backdoor|brute.?force|Port.?Scan|Exfiltration|exploit|DisableRealtimeMonitoring|beacon)\"),1,0) | eval syswow64 = if(match(lower(ScriptBlockText),\"syswow64\"), \"3\", 0) | eval httplocal = if(match(lower(ScriptBlockText),\"http://127.0.0.1\"), \"4\", 0) | eval reflection = if(match(lower(ScriptBlockText),\"reflection\"), \"1\", 0) | eval invokewmi=if(match(lower(ScriptBlockText), \"(?i)(wmiobject|WMIMethod|RemoteWMI|PowerShellWmi|wmicommand)\"),5,0) | eval downgrade=if(match(ScriptBlockText, \"(?i)([-]ve*r*s*i*o*n*\\s+2)\") OR match(lower(ScriptBlockText),\"powershell -version\"),3,0) | eval compressed=if(match(ScriptBlockText, \"(?i)GZipStream|::Decompress|IO.Compression|write-zip|(expand|compress)-Archive\"),5,0) | eval invokecmd = if(match(lower(ScriptBlockText),\"invoke-command\"), \"4\", 0) | addtotals fieldname=Score DoIt, enccom, suspcmdlet, suspkeywrd, compressed, downgrade, mimikatz, iex, empire, rundll32, webclient, syswow64, httplocal, reflection, invokewmi, invokecmd, base64, get | stats values(Score) by UserID, Computer, DoIt, enccom, compressed, downgrade, iex, mimikatz, rundll32, empire, webclient, syswow64, httplocal, reflection, invokewmi, invokecmd, base64, get, suspcmdlet, suspkeywrd | rename Computer as dest, UserID as user | `powershell_4104_hunting_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Limited false positives. May filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_4104_hunting_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "PowerShell - Connect To Internet With Hidden Window", "author": "David Dorsey, Michael Haag Splunk", "date": "2023-04-14", "version": 8, "id": "ee18ed37-0802-4268-9435-b3b91aaa18db", "description": "The following hunting analytic identifies PowerShell commands utilizing the WindowStyle parameter to hide the window on the compromised endpoint. This combination of command-line options is suspicious because it is overriding the default PowerShell execution policy, attempts to hide its activity from the user, and connects to the Internet. Removed in this version of the query is New-Object. The analytic identifies all variations of WindowStyle, as PowerShell allows the ability to shorten the parameter. For example w, win, windowsty and so forth. In addition, through our research it was identified that PowerShell will interpret different command switch types beyond the hyphen. We have added endash, emdash, horizontal bar, and forward slash.", "references": ["https://regexr.com/663rr", "https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/Windows/TestHarnesses/T1059.001_PowerShell/OutPowerShellCommandLineParameter.ps1", "https://ss64.com/ps/powershell.html", "https://twitter.com/M_haggis/status/1440758396534214658?s=20", "https://blog.netlab.360.com/ten-families-of-malicious-samples-are-spreading-using-the-log4j2-vulnerability-now/"], "tags": {"analytic_story": ["AgentTesla", "Data Destruction", "HAFNIUM Group", "Hermetic Wiper", "Log4Shell CVE-2021-44228", "Malicious PowerShell", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "PowerShell processes $process$ started with parameters to modify the execution policy of the run, run in a hidden window, and connect to the Internet on host $dest$ executed by user $user$.", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` by Processes.user Processes.process_name Processes.process Processes.parent_process_name Processes.original_file_name Processes.dest Processes.process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where match(process,\"(?i)[\\-|\\/|– |—|―]w(in*d*o*w*s*t*y*l*e*)*\\s+[^-]\") | `powershell___connect_to_internet_with_hidden_window_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Legitimate process can have this combination of command-line options, but it's not common.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "powershell___connect_to_internet_with_hidden_window_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Powershell COM Hijacking InprocServer32 Modification", "author": "Michael Haag, Splunk", "date": "2024-05-21", "version": 2, "id": "ea61e291-af05-4716-932a-67faddb6ae6f", "description": "The following analytic detects attempts to modify or add a Component Object Model (COM) entry to the InProcServer32 path within the registry using PowerShell. It leverages PowerShell ScriptBlock Logging (EventCode 4104) to identify suspicious script blocks that target the InProcServer32 registry path. This activity is significant because modifying COM objects can be used for persistence or privilege escalation by attackers. If confirmed malicious, this could allow an attacker to execute arbitrary code or maintain persistent access to the compromised system, posing a severe security risk.", "references": ["https://attack.mitre.org/techniques/T1546/015/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html", "https://blog.cluster25.duskrise.com/2022/09/23/in-the-footsteps-of-the-fancy-bear-powerpoint-graphite/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md"], "tags": {"analytic_story": ["Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "A PowerShell script has been identified with InProcServer32 within the script code on $Computer$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.015", "mitre_attack_technique": "Component Object Model Hijacking", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Software\\\\Classes\\\\CLSID\\\\*\\\\InProcServer32*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_com_hijacking_inprocserver32_modification_filter`", "how_to_implement": "The following analytic requires PowerShell operational logs to be imported. Modify the PowerShell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "False positives will be present if any scripts are adding to inprocserver32. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell_com_hijacking_inprocserver32_modification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Powershell Creating Thread Mutex", "author": "Teoderick Contreras, Splunk", "date": "2022-05-02", "version": 3, "id": "637557ec-ca08-11eb-bd0a-acde48001122", "description": "The following analytic identifies suspicious PowerShell script execution via EventCode 4104 that is using the `mutex` function. This function is commonly seen in some obfuscated PowerShell scripts to make sure that only one instance of there process is running on a compromise machine. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts.", "references": ["https://isc.sans.edu/forums/diary/Some+Powershell+Malicious+Code/22988/", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/"], "tags": {"analytic_story": ["Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A suspicious powershell script contains Thread Mutex on host $dest$", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1027.005", "mitre_attack_technique": "Indicator Removal from Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT3", "Deep Panda", "GALLIUM", "OilRig", "Patchwork", "Turla"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Threading.Mutex*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest |rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_creating_thread_mutex_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "powershell developer may used this function in their script for instance checking too.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell_creating_thread_mutex_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Powershell Disable Security Monitoring", "author": "Michael Haag, Splunk", "date": "2024-05-21", "version": 4, "id": "c148a894-dd93-11eb-bf2a-acde48001122", "description": "The following analytic identifies attempts to disable Windows Defender real-time behavior monitoring via PowerShell commands. It detects the use of specific `Set-MpPreference` parameters that disable various security features. This activity is significant as it is commonly used by malware such as RATs, bots, or Trojans to evade detection by disabling antivirus protections. If confirmed malicious, this action could allow an attacker to operate undetected, leading to potential data exfiltration, further system compromise, or persistent access within the environment.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md#atomic-test-15---tamper-with-windows-defender-atp-powershell", "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps"], "tags": {"analytic_story": ["Ransomware", "Revil Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Windows Defender Real-time Behavior Monitoring disabled on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=\"*set-mppreference*\" AND Processes.process IN (\"*disablerealtimemonitoring*\",\"*disableioavprotection*\",\"*disableintrusionpreventionsystem*\",\"*disablescriptscanning*\",\"*disableblockatfirstseen*\",\"*DisableBehaviorMonitoring*\",\"*drtm *\",\"*dioavp *\",\"*dscrptsc *\",\"*dbaf *\",\"*dbm *\") by Processes.dest Processes.user Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_disable_security_monitoring_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives. However, tune based on scripts that may perform this action.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "powershell_disable_security_monitoring_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "PowerShell Domain Enumeration", "author": "Michael Haag, Splunk", "date": "2023-12-27", "version": 2, "id": "e1866ce2-ca22-11eb-8e44-acde48001122", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all.\n\nThis analytic identifies specific PowerShell modules typically used to enumerate an organizations domain or users.\nDuring triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.", "references": ["https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html"], "tags": {"analytic_story": ["CISA AA23-347A", "Data Destruction", "Hermetic Wiper", "Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A suspicious powershell script contains domain enumeration command in $ScriptBlockText$ with EventCode $EventCode$ in host $dest$", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText IN (*get-netdomaintrust*, *get-netforesttrust*, *get-addomain*, *get-adgroupmember*, *get-domainuser*) | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_domain_enumeration_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "It is possible there will be false positives, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell_domain_enumeration_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "PowerShell Enable PowerShell Remoting", "author": "Michael Haag, Splunk", "date": "2023-03-22", "version": 1, "id": "40e3b299-19a5-4460-96e9-e1467f714f8e", "description": "This analytic utilizes PowerShell Script Block Logging (EventCode 4104) to identify the use of Enable-PSRemoting cmdlet. This cmdlet allows users to enable PowerShell remoting on a local or remote computer, which allows other computers to run commands on the target computer. The ability to remotely execute commands can be abused by attackers to take control of compromised systems and pivot to other systems on the network. By detecting the use of Enable-PSRemoting cmdlet via script block logging, this analytic can help organizations identify potential malicious activity related to attackers attempting to gain remote control of compromised systems.", "references": ["https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.3"], "tags": {"analytic_story": ["Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "PowerShell was identified running a Invoke-PSremoting on $Computer$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText=\"*Enable-PSRemoting*\" | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `powershell_enable_powershell_remoting_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Note that false positives may occur due to the use of the Enable-PSRemoting cmdlet by legitimate users, such as system administrators. It is recommended to apply appropriate filters as needed to minimize the number of false positives.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell_enable_powershell_remoting_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Powershell Enable SMB1Protocol Feature", "author": "Teoderick Contreras, Splunk", "date": "2023-04-14", "version": 2, "id": "afed80b2-d34b-11eb-a952-acde48001122", "description": "This search is to detect a suspicious enabling of smb1protocol through `powershell.exe`. This technique was seen in some ransomware (like reddot) where it enable smb share to do the lateral movement and encrypt other files within the compromise network system.", "references": ["https://app.any.run/tasks/c0f98850-af65-4352-9746-fbebadee4f05/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Malicious PowerShell", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "Powershell Enable SMB1Protocol Feature on $Computer$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1027.005", "mitre_attack_technique": "Indicator Removal from Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT3", "Deep Panda", "GALLIUM", "OilRig", "Patchwork", "Turla"]}]}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Enable-WindowsOptionalFeature*\" ScriptBlockText = \"*SMB1Protocol*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_enable_smb1protocol_feature_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the powershell logs from your endpoints. make sure you enable needed registry to monitor this event.", "known_false_positives": "network operator may enable or disable this windows feature.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell_enable_smb1protocol_feature_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Powershell Execute COM Object", "author": "Teoderick Contreras, Splunk", "date": "2023-04-14", "version": 2, "id": "65711630-f9bf-11eb-8d72-acde48001122", "description": "This search is to detect a COM CLSID execution through powershell. This technique was seen in several adversaries and malware like ransomware conti where it has a feature to execute command using COM Object. This technique may use by network operator at some cases but a good indicator if some application want to gain privilege escalation or bypass uac.", "references": ["https://threadreaderapp.com/thread/1423361119926816776.html", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Malicious PowerShell", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A suspicious powershell script contains COM CLSID command on host $dest$", "risk_score": 5, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.015", "mitre_attack_technique": "Component Object Model Hijacking", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*CreateInstance([type]::GetTypeFromCLSID*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_execute_com_object_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "network operrator may use this command.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell_execute_com_object_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Powershell Fileless Process Injection via GetProcAddress", "author": "Michael Haag, Splunk", "date": "2023-04-14", "version": 2, "id": "a26d9db4-c883-11eb-9d75-acde48001122", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all.\n\nThis analytic identifies `GetProcAddress` in the script block. This is not normal to be used by most PowerShell scripts and is typically unsafe/malicious. Many attack toolkits use GetProcAddress to obtain code execution.\nIn use, `$var_gpa = $var_unsafe_native_methods.GetMethod(GetProcAddress` and later referenced/executed elsewhere.\nDuring triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.", "references": ["https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A suspicious powershell script contains GetProcAddress API on host $dest$", "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText=*getprocaddress* | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_fileless_process_injection_via_getprocaddress_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Limited false positives. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell_fileless_process_injection_via_getprocaddress_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "author": "Michael Haag, Splunk", "date": "2023-04-05", "version": 3, "id": "8acbc04c-c882-11eb-b060-acde48001122", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all.\n\nThis analytic identifies `FromBase64String` within the script block. A typical malicious instance will include additional code.\nCommand example - `[Byte[]]$var_code = [System.Convert]::FromBase64String(38uqIyMjQ6rG....`\n\nDuring triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.", "references": ["https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"analytic_story": ["AsyncRAT", "Data Destruction", "Hermetic Wiper", "IcedID", "Malicious PowerShell", "NjRAT", "Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A suspicious powershell script contains base64 command on host $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*frombase64string*\" OR ScriptBlockText = \"*gnirtS46esaBmorF*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest |rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_fileless_script_contains_base64_encoded_content_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives should be limited. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell_fileless_script_contains_base64_encoded_content_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "PowerShell Get LocalGroup Discovery", "author": "Michael Haag, Splunk", "date": "2024-05-21", "version": 2, "id": "b71adfcc-155b-11ec-9413-acde48001122", "description": "The following analytic identifies the use of the `get-localgroup` command executed via PowerShell or cmd.exe to enumerate local groups on an endpoint. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. Monitoring this activity is significant as it may indicate an attacker attempting to gather information about local group memberships, which can be a precursor to privilege escalation. If confirmed malicious, this activity could allow an attacker to identify and target privileged accounts, potentially leading to unauthorized access and control over the system.", "references": ["https://attack.mitre.org/techniques/T1069/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Local group discovery on $dest$ by $user$.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=powershell.exe OR Processes.process_name=cmd.exe) (Processes.process=\"*get-localgroup*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `powershell_get_localgroup_discovery_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present. Tune as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "powershell_get_localgroup_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Powershell Get LocalGroup Discovery with Script Block Logging", "author": "Michael Haag, Splunk", "date": "2022-04-26", "version": 2, "id": "d7c6ad22-155c-11ec-bb64-acde48001122", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all.\n\nThis analytic identifies PowerShell cmdlet - `get-localgroup` being ran. Typically, by itself, is not malicious but may raise suspicion based on time of day, endpoint and username.\nDuring triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.", "references": ["https://www.splunk.com/en_us/blog/security/powershell-detections-threat-research-release-august-2021.html", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Local group discovery on endpoint $dest$ by user $user$.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}]}, "type": "Hunting", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*get-localgroup*\" | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `powershell_get_localgroup_discovery_with_script_block_logging_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives may be present. Tune as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell_get_localgroup_discovery_with_script_block_logging_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "PowerShell Invoke CIMMethod CIMSession", "author": "Michael Haag, Splunk", "date": "2023-03-22", "version": 1, "id": "651ee958-a433-471c-b264-39725b788b83", "description": "This analytic identifies the use of the New-CIMSession cmdlet being created along with the Invoke-CIMMethod cmdlet being used within PowerShell. This particular behavior is similar to the usage of the Invoke-WMIMethod cmdlet, which is known for executing WMI commands on targets using NTLMv2 pass-the-hash authentication. The New-CIMSession cmdlet allows users to create a new CIM session object for a specified computer system, which can then be used to execute CIM operations remotely. Similarly, the Invoke-CIMMethod cmdlet is used to invoke a specified method on one or more CIM objects. Therefore, the combination of New-CIMSession and Invoke-CIMMethod cmdlets in PowerShell can potentially indicate malicious behavior, and this analytic can help detect such activity.", "references": ["https://learn.microsoft.com/en-us/powershell/module/cimcmdlets/invoke-cimmethod?view=powershell-7.3"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "PowerShell was identified running a Invoke-CIMMethod Invoke-CIMSession on $Computer$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}]}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*invoke-CIMMethod*\", \"*New-CimSession*\") | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_invoke_cimmethod_cimsession_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives may be present based on third-party applications or administrators using CIM. It is recommended to apply appropriate filters as needed to minimize the number of false positives.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell_invoke_cimmethod_cimsession_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "PowerShell Invoke WmiExec Usage", "author": "Michael Haag, Splunk", "date": "2024-05-14", "version": 2, "id": "0734bd21-2769-4972-a5f1-78bb1e011224", "description": "The following analytic detects the execution of the Invoke-WMIExec utility within PowerShell Script Block Logging (EventCode 4104). This detection leverages PowerShell script block logs to identify instances where the Invoke-WMIExec command is used. Monitoring this activity is crucial as it indicates potential lateral movement using WMI commands with NTLMv2 pass-the-hash authentication. If confirmed malicious, this activity could allow an attacker to execute commands remotely on target systems, potentially leading to further compromise and lateral spread within the network.", "references": ["https://github.com/Kevin-Robertson/Invoke-TheHash/blob/master/Invoke-WMIExec.ps1"], "tags": {"analytic_story": ["Suspicious WMI Use"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "PowerShell was identified running a Invoke-WmiExec on $Computer$.", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*invoke-wmiexec*\") | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_invoke_wmiexec_usage_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives should be limited as this analytic is designed to detect a specific utility. It is recommended to apply appropriate filters as needed to minimize the number of false positives.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell_invoke_wmiexec_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Powershell Load Module in Meterpreter", "author": "Michael Haag, Splunk", "date": "2022-11-22", "version": 1, "id": "d5905da5-d050-48db-9259-018d8f034fcf", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all.\n\nThis analytic identifies \"MSF.Powershell\",\"MSF.Powershell.Meterpreter\",\"MSF.Powershell.Meterpreter.Kiwi\",\"MSF.Powershell.Meterpreter.Transport\" being used. This behavior is related to when a Meterpreter session is started and the operator runs load_kiwi.\nDuring triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.", "references": ["https://github.com/OJ/metasploit-payloads/blob/master/powershell/MSF.Powershell/Scripts.cs"], "tags": {"analytic_story": ["MetaSploit"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "user_id", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "PowerShell was identified running a script utilized by Meterpreter from MetaSploit on endpoint $Computer$ by user $user_id$.", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*MSF.Powershell*\",\"*MSF.Powershell.Meterpreter*\",\"*MSF.Powershell.Meterpreter.Kiwi*\",\"*MSF.Powershell.Meterpreter.Transport*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_load_module_in_meterpreter_filter`", "how_to_implement": "The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "False positives should be very limited as this is strict to MetaSploit behavior.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell_load_module_in_meterpreter_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "PowerShell Loading DotNET into Memory via Reflection", "author": "Michael Haag, Splunk", "date": "2023-04-05", "version": 3, "id": "85bc3f30-ca28-11eb-bd21-acde48001122", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all.\n\nThis analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review.\nDuring triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.", "references": ["https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly?view=net-5.0", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/"], "tags": {"analytic_story": ["AgentTesla", "AsyncRAT", "Data Destruction", "Hermetic Wiper", "Malicious PowerShell", "Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "UserID", "type": "User", "role": ["Victim"]}], "message": "A suspicious powershell script contains reflective class assembly command in $ScriptBlockText$ to load .net code in memory with EventCode $EventCode$ in host $Computer$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*[system.reflection.assembly]::load(*\",\"*[reflection.assembly]*\", \"*reflection.assembly*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_loading_dotnet_into_memory_via_reflection_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives should be limited as day to day scripts do not use this method.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell_loading_dotnet_into_memory_via_reflection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Powershell Processing Stream Of Data", "author": "Teoderick Contreras, Splunk", "date": "2023-04-14", "version": 2, "id": "0d718b52-c9f1-11eb-bc61-acde48001122", "description": "The following analytic identifies suspicious PowerShell script execution via EventCode 4104 that is processing compressed stream data. This is typically found in obfuscated PowerShell or PowerShell executing embedded .NET or binary files that are stream flattened and will be deflated durnig execution. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts.", "references": ["https://medium.com/@ahmedjouini99/deobfuscating-emotets-powershell-payload-e39fb116f7b9", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"analytic_story": ["AsyncRAT", "Data Destruction", "Hermetic Wiper", "IcedID", "Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "UserID", "type": "User", "role": ["Victim"]}], "message": "A suspicious powershell script contains stream command in $ScriptBlockText$ commonly for processing compressed or to decompressed binary file with EventCode $EventCode$ in host $Computer$", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*IO.Compression.*\" OR ScriptBlockText = \"*IO.StreamReader*\" OR ScriptBlockText = \"*]::Decompress*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_processing_stream_of_data_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "powershell may used this function to process compressed data.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell_processing_stream_of_data_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Powershell Remote Services Add TrustedHost", "author": "Teoderick Contreras, Splunk", "date": "2023-11-23", "version": 1, "id": "bef21d24-297e-45e3-9b9a-c6ac45450474", "description": "The following analytic identifies a suspicious PowerShell script execution via EventCode 4104 that contains command to add or modify the trustedhost configuration in Windows OS. This behavior raises concerns due to the nature of modifications made to the 'TrustedHost' configuration, which typically involves adjusting settings crucial for remote connections and security protocols. Alterations in this area could potentially indicate attempts to manipulate trusted hosts or systems for unauthorized remote access, a tactic commonly observed in various unauthorized access or compromise attempts.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate"], "tags": {"analytic_story": ["DarkGate Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "a powershell script adding a remote trustedhost on $dest$ .", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.006", "mitre_attack_technique": "Windows Remote Management", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Chimera", "FIN13", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}]}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*WSMan:\\\\localhost\\\\Client\\\\TrustedHosts*\" ScriptBlockText IN (\"* -Value *\", \"* -Concatenate *\") | rename Computer as dest, UserID as user | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_remote_services_add_trustedhost_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "user and network administrator may used this function to add trusted host.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell_remote_services_add_trustedhost_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Powershell Remote Thread To Known Windows Process", "author": "Teoderick Contreras, Splunk", "date": "2022-08-25", "version": 2, "id": "ec102cb2-a0f5-11eb-9b38-acde48001122", "description": "this search is designed to detect suspicious powershell process that tries to inject code and to known/critical windows process and execute it using CreateRemoteThread. This technique is seen in several malware like trickbot and offensive tooling like cobaltstrike where it load a shellcode to svchost.exe to execute reverse shell to c2 and download another payload", "references": ["https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/"], "tags": {"analytic_story": ["Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "A suspicious powershell process $process_name$ that tries to create a remote thread on target process $TargetImage$ with eventcode $EventCode$ in host $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}]}, "type": "TTP", "search": "`sysmon` EventCode = 8 parent_process_name IN (\"powershell_ise.exe\", \"powershell.exe\") TargetImage IN (\"*\\\\svchost.exe\",\"*\\\\csrss.exe\" \"*\\\\gpupdate.exe\", \"*\\\\explorer.exe\",\"*\\\\services.exe\",\"*\\\\winlogon.exe\",\"*\\\\smss.exe\",\"*\\\\wininit.exe\",\"*\\\\userinit.exe\",\"*\\\\spoolsv.exe\",\"*\\\\taskhost.exe\") | stats min(_time) as firstTime max(_time) as lastTime count by SourceImage process_name SourceProcessId SourceProcessGuid TargetImage TargetProcessId NewThreadId StartAddress dest EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_remote_thread_to_known_windows_process_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, Create Remote thread from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of create remote thread may be used.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_remote_thread_to_known_windows_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Powershell Remove Windows Defender Directory", "author": "Teoderick Contreras, Splunk", "date": "2023-04-14", "version": 3, "id": "adf47620-79fa-11ec-b248-acde48001122", "description": "This analytic will identify a suspicious PowerShell command used to delete the Windows Defender folder. This technique was seen used by the WhisperGate malware campaign where it used Nirsofts advancedrun.exe to gain administrative privileges to then execute a PowerShell command to delete the Windows Defender folder. This is a good indicator the offending process is trying corrupt a Windows Defender installation.", "references": ["https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"analytic_story": ["Data Destruction", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "UserID", "type": "User", "role": ["Victim"]}], "message": "suspicious powershell script $ScriptBlockText$ was executed on the $Computer$", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*rmdir *\" AND ScriptBlockText = \"*\\\\Microsoft\\\\Windows Defender*\" | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_remove_windows_defender_directory_filter` ", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell_remove_windows_defender_directory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "PowerShell Script Block With URL Chain", "author": "Steven Dick", "date": "2023-06-13", "version": 1, "id": "4a3f2a7d-6402-4e64-a76a-869588ec3b57", "description": "The following analytic identifies a suspicious PowerShell script execution via EventCode 4104 that contains multiple URLs within a function or array. This is typically found in obfuscated PowerShell or PowerShell executing embedded .NET or binary files that are attempting to download 2nd stage payloads. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts.", "references": ["https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations", "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", "https://attack.mitre.org/techniques/T1059/001/"], "tags": {"analytic_story": ["Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}, {"name": "url", "type": "URL String", "role": ["Attacker"]}], "message": "A suspicious powershell script used by $user$ on host $dest$ contains $url_count$ URLs in an array, this is commonly used for malware.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}]}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*http:*\",\"*https:*\") | regex ScriptBlockText=\"(\\\"?(https?:\\/\\/(?:www\\.)?[-a-zA-Z0-9@:%._\\+~#=]{1,256}\\.[a-zA-Z0-9()]{1,6}\\b(?:[-a-zA-Z0-9()@:%_\\+.~#?&\\/=]*))\\\"?(?:,|\\))?){2,}\" | rex max_match=20 field=ScriptBlockText \"(?https?:\\/\\/(?:www\\.)?[-a-zA-Z0-9@:%._\\+~#=]{1,256}\\.[a-zA-Z0-9()]{1,6}\\b(?:[-a-zA-Z0-9()@:%_\\+.~#?&\\/=]*))\" | eval Path = case(isnotnull(Path),Path,true(),\"unknown\") | stats count min(_time) as firstTime max(_time) as lastTime list(ScriptBlockText) as command values(Path) as file_name values(UserID) as user values(url) as url dc(url) as url_count by ActivityID, Computer, EventCode | rename Computer as dest, EventCode as signature_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_script_block_with_url_chain_filter`", "how_to_implement": "The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Unknown, possible custom scripting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell_script_block_with_url_chain_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "PowerShell Start-BitsTransfer", "author": "Michael Haag, Splunk", "date": "2021-03-29", "version": 2, "id": "39e2605a-90d8-11eb-899e-acde48001122", "description": "Start-BitsTransfer is the PowerShell \"version\" of BitsAdmin.exe. Similar functionality is present. This technique variation is not as commonly used by adversaries, but has been abused in the past. Lesser known uses include the ability to set the `-TransferType` to `Upload` for exfiltration of files. In an instance where `Upload` is used, it is highly possible files will be archived. During triage, review parallel processes and process lineage. Capture any files on disk and review. For the remote domain or IP, what is the reputation?", "references": ["https://isc.sans.edu/diary/Investigating+Microsoft+BITS+Activity/23281", "https://docs.microsoft.com/en-us/windows/win32/bits/using-windows-powershell-to-create-bits-transfer-jobs"], "tags": {"analytic_story": ["BITS Jobs"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A suspicious process $process_name$ with commandline $process$ that are related to bittransfer functionality in host $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1197", "mitre_attack_technique": "BITS Jobs", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": ["APT39", "APT41", "Leviathan", "Patchwork", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=*start-bitstransfer* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.original_file_name Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_start_bitstransfer_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives. It is possible administrators will utilize Start-BitsTransfer for administrative tasks, otherwise filter based parent process or command-line arguments.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "powershell_start_bitstransfer_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "PowerShell Start or Stop Service", "author": "Michael Haag, Splunk", "date": "2023-03-24", "version": 1, "id": "04207f8a-e08d-4ee6-be26-1e0c4488b04a", "description": "This analytic identifies the use of PowerShell's Start-Service or Stop-Service cmdlets on an endpoint. These cmdlets allow users to start or stop a specified Windows service. The ability to manipulate services can be leveraged by attackers to disable or stop critical services, which can cause system instability or disrupt business operations. By detecting the use of Start-Service or Stop-Service cmdlets via PowerShell, this analytic can help organizations identify potential malicious activity related to attackers attempting to manipulate services on compromised systems. However, note that this behavior may be noisy, as these cmdlets are commonly used by system administrators or other legitimate users to manage services. Therefore, it is recommended not to enable this analytic as a direct notable or TTP. Instead, it should be used as part of a broader set of security controls to detect and investigate potential threats.", "references": ["https://learn-powershell.net/2012/01/15/startingstopping-and-restarting-remote-services-with-powershell/", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/start-service?view=powershell-7.3"], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "PowerShell was identified attempting to start or stop a service on $Computer$.", "risk_score": 10, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}]}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*start-service*\", \"*stop-service*\") | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_start_or_stop_service_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "This behavior may be noisy, as these cmdlets are commonly used by system administrators or other legitimate users to manage services. Therefore, it is recommended not to enable this analytic as a direct notable or TTP. Instead, it should be used as part of a broader set of security controls to detect and investigate potential threats.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell_start_or_stop_service_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Powershell Using memory As Backing Store", "author": "Teoderick Contreras, Splunk", "date": "2023-04-14", "version": 2, "id": "c396a0c4-c9f2-11eb-b4f5-acde48001122", "description": "The following analytic identifies suspicious PowerShell script execution via EventCode 4104 that is using memory stream as new object backstore. The malicious PowerShell script will contain stream flate data and will be decompressed in memory to run or drop the actual payload. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts.", "references": ["https://web.archive.org/web/20201112031711/https://www.carbonblack.com/blog/decoding-malicious-powershell-streams/", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "IcedID", "Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A PowerShell script contains memorystream command on host $dest$.", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = *New-Object* ScriptBlockText = *IO.MemoryStream* | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_using_memory_as_backing_store_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "powershell may used this function to store out object into memory.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell_using_memory_as_backing_store_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "PowerShell WebRequest Using Memory Stream", "author": "Steven Dick", "date": "2024-05-12", "version": 2, "id": "103affa6-924a-4b53-aff4-1d5075342aab", "description": "The following analytic detects the use of .NET classes in PowerShell to download a URL payload directly into memory, a common fileless malware staging technique. It leverages PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell commands involving `system.net.webclient`, `system.net.webrequest`, and `IO.MemoryStream`. This activity is significant as it indicates potential fileless malware execution, which is harder to detect and can bypass traditional file-based defenses. If confirmed malicious, this technique could allow attackers to execute code in memory, evade detection, and maintain persistence in the environment.", "references": ["https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations", "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", "https://attack.mitre.org/techniques/T1059/001/"], "tags": {"analytic_story": ["Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control", "Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}], "message": "Powershell webrequest to memory stream behavior. Possible fileless malware staging on $dest$ by $user$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1027.011", "mitre_attack_technique": "Fileless Storage", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "Turla"]}]}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*system.net.webclient*\",\"*system.net.webrequest*\") AND ScriptBlockText=\"*IO.MemoryStream*\" | eval Path = case(isnotnull(Path),Path,true(),\"unknown\") | stats count min(_time) as firstTime max(_time) as lastTime list(ScriptBlockText) as command values(Path) as file_name values(UserID) as user by ActivityID, Computer, EventCode | rename Computer as dest, EventCode as signature_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_webrequest_using_memory_stream_filter`", "how_to_implement": "The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Unknown, possible custom scripting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell_webrequest_using_memory_stream_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Powershell Windows Defender Exclusion Commands", "author": "Teoderick Contreras, Splunk", "date": "2024-04-26", "version": 2, "id": "907ac95c-4dd9-11ec-ba2c-acde48001122", "description": "This analytic will detect a suspicious process commandline related to windows defender exclusion feature. This command is abused by adversaries, malware author and red teams to bypassed Windows Defender Anti-Virus product by excluding folder path, file path, process, extensions and etc. from its real time or schedule scan to execute their malicious code. This is a good indicator for defense evasion and to look further for events after this behavior.", "references": ["https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html", "https://app.any.run/tasks/cf1245de-06a7-4366-8209-8e3006f2bfe5/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"analytic_story": ["AgentTesla", "CISA AA22-320A", "Data Destruction", "Remcos", "Warzone RAT", "WhisperGate", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "exclusion command $ScriptBlockText$ executed on $Computer$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*Add-MpPreference *\" OR ScriptBlockText = \"*Set-MpPreference *\") AND ScriptBlockText = \"*-exclusion*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_windows_defender_exclusion_commands_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "admin or user may choose to use this windows features.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell_windows_defender_exclusion_commands_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Prevent Automatic Repair Mode using Bcdedit", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 2, "id": "7742aa92-c9d9-11eb-bbfc-acde48001122", "description": "The following analytic detects the execution of \"bcdedit.exe\" with parameters to set the boot status policy to ignore all failures. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because it can indicate an attempt by ransomware to prevent a compromised machine from booting into automatic repair mode, thereby hindering recovery efforts. If confirmed malicious, this action could allow attackers to maintain control over the infected system, complicating remediation and potentially leading to further damage.", "references": ["https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf"], "tags": {"analytic_story": ["Chaos Ransomware", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A suspicious process $process_name$ with process id $process_id$ contains commandline $process$ to ignore all bcdedit execution failure in host $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"bcdedit.exe\" Processes.process = \"*bootstatuspolicy*\" Processes.process = \"*ignoreallfailures*\" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `prevent_automatic_repair_mode_using_bcdedit_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may modify the boot configuration ignore failure during testing and debugging.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "prevent_automatic_repair_mode_using_bcdedit_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Print Processor Registry Autostart", "author": "Teoderick Contreras, Splunk", "date": "2024-04-26", "version": 2, "id": "1f5b68aa-2037-11ec-898e-acde48001122", "description": "This analytic is to detect a suspicious modification or new registry entry regarding print processor. This registry is known to be abuse by turla or other APT to gain persistence and privilege escalation to the compromised machine. This is done by adding the malicious dll payload on the new created key in this registry that will be executed as it restarted the spoolsv.exe process and services.", "references": ["https://attack.mitre.org/techniques/T1547/012/", "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Persistence Techniques", "Windows Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "modified/added/deleted registry entry $Registry.registry_path$ in $dest$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.012", "mitre_attack_technique": "Print Processors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path =\"*\\\\Control\\\\Print\\\\Environments\\\\Windows x64\\\\Print Processors*\" by Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `print_processor_registry_autostart_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "possible new printer installation may add driver component on this registry.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "print_processor_registry_autostart_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Print Spooler Adding A Printer Driver", "author": "Mauricio Velazco, Michael Haag, Teoderick Contreras, Splunk", "date": "2021-07-01", "version": 1, "id": "313681a2-da8e-11eb-adad-acde48001122", "description": "The following analytic identifies new printer drivers being load by utilizing the Windows PrintService operational logs, EventCode 316. This was identified during our testing of CVE-2021-34527 previously (CVE-2021-1675) or PrintNightmare.\n\nWithin the proof of concept code, the following event will occur - \"Printer driver 1234 for Windows x64 Version-3 was added or updated. Files:- UNIDRV.DLL, kernelbase.dll, evil.dll. No user action is required.\"\nDuring triage, isolate the endpoint and review for source of exploitation. Capture any additional file modification events and review the source of where the exploitation began.", "references": ["https://twitter.com/MalwareJake/status/1410421445608476679?s=20", "https://www.truesec.com/hub/blog/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available", "https://www.truesec.com/hub/blog/exploitable-critical-rce-vulnerability-allows-regular-users-to-fully-compromise-active-directory-printnightmare-cve-2021-1675", "https://www.reddit.com/r/msp/comments/ob6y02/critical_vulnerability_printnightmare_exposes"], "tags": {"analytic_story": ["PrintNightmare CVE-2021-34527"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "ComputerName", "type": "Endpoint", "role": ["Victim"]}], "message": "Suspicious print driver was loaded on endpoint $ComputerName$.", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.012", "mitre_attack_technique": "Print Processors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "`printservice` EventCode=316 category = \"Adding a printer driver\" Message = \"*kernelbase.dll,*\" Message = \"*UNIDRV.DLL,*\" Message = \"*.DLL.*\" | stats count min(_time) as firstTime max(_time) as lastTime by OpCode EventCode ComputerName Message | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `print_spooler_adding_a_printer_driver_filter`", "how_to_implement": "You will need to ensure PrintService Admin and Operational logs are being logged to Splunk from critical or all systems.", "known_false_positives": "Unknown. This may require filtering.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "printservice", "definition": "source=\"wineventlog:microsoft-windows-printservice/operational\" OR source=\"WinEventLog:Microsoft-Windows-PrintService/Admin\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "print_spooler_adding_a_printer_driver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Print Spooler Failed to Load a Plug-in", "author": "Mauricio Velazco, Michael Haag, Splunk", "date": "2021-07-01", "version": 1, "id": "1adc9548-da7c-11eb-8f13-acde48001122", "description": "The following analytic identifies driver load errors utilizing the Windows PrintService Admin logs. This was identified during our testing of CVE-2021-34527 previously (CVE-2021-1675) or PrintNightmare.\nWithin the proof of concept code, the following error will occur - \"The print spooler failed to load a plug-in module C:\\Windows\\system32\\spool\\DRIVERS\\x64\\3\\meterpreter.dll, error code 0x45A. See the event user data for context information.\"\nThe analytic is based on file path and failure to load the plug-in.\nDuring triage, isolate the endpoint and review for source of exploitation. Capture any additional file modification events.", "references": ["https://www.truesec.com/hub/blog/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available", "https://www.truesec.com/hub/blog/exploitable-critical-rce-vulnerability-allows-regular-users-to-fully-compromise-active-directory-printnightmare-cve-2021-1675", "https://www.reddit.com/r/msp/comments/ob6y02/critical_vulnerability_printnightmare_exposes"], "tags": {"analytic_story": ["PrintNightmare CVE-2021-34527"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "ComputerName", "type": "Hostname", "role": ["Victim"]}], "message": "Suspicious printer spooler errors have occured on endpoint $ComputerName$ with EventCode $EventCode$.", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.012", "mitre_attack_technique": "Print Processors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "`printservice` ((ErrorCode=\"0x45A\" (EventCode=\"808\" OR EventCode=\"4909\")) OR (\"The print spooler failed to load a plug-in module\" OR \"\\\\drivers\\\\x64\\\\\")) | stats count min(_time) as firstTime max(_time) as lastTime by OpCode EventCode ComputerName Message | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `print_spooler_failed_to_load_a_plug_in_filter`", "how_to_implement": "You will need to ensure PrintService Admin and Operational logs are being logged to Splunk from critical or all systems.", "known_false_positives": "False positives are unknown and filtering may be required.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "printservice", "definition": "source=\"wineventlog:microsoft-windows-printservice/operational\" OR source=\"WinEventLog:Microsoft-Windows-PrintService/Admin\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "print_spooler_failed_to_load_a_plug_in_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Process Creating LNK file in Suspicious Location", "author": "Jose Hernandez, Michael Haag, Splunk", "date": "2024-05-15", "version": 7, "id": "5d814af1-1041-47b5-a9ac-d754e82e9a26", "description": "The following analytic detects a process creating a `.lnk` file in suspicious locations such as `C:\\User*` or `*\\Local\\Temp\\*`. It leverages filesystem and process activity data from the Endpoint data model to identify this behavior. This activity is significant because creating `.lnk` files in these directories is a common tactic used by spear phishing tools to establish persistence or execute malicious payloads. If confirmed malicious, this could allow an attacker to maintain persistence, execute arbitrary code, or further compromise the system.", "references": ["https://attack.mitre.org/techniques/T1566/001/", "https://www.trendmicro.com/en_us/research/17/e/rising-trend-attackers-using-lnk-files-download-malware.html", "https://twitter.com/pr0xylife/status/1590394227758104576"], "tags": {"analytic_story": ["Amadey", "IcedID", "Qakbot", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A process $process_name$ that launching .lnk file in $file_path$ in host $dest$", "risk_score": 63, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.002", "mitre_attack_technique": "Spearphishing Link", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name=\"*.lnk\" AND (Filesystem.file_path=\"C:\\\\Users\\\\*\" OR Filesystem.file_path=\"*\\\\Temp\\\\*\") by _time span=1h Filesystem.process_guid Filesystem.file_name Filesystem.file_path Filesystem.file_hash Filesystem.user | `drop_dm_object_name(Filesystem)` | rename process_guid as lnk_guid | join lnk_guid _time [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=* by _time span=1h Processes.parent_process_name Processes.parent_process_guid Processes.process_name Processes.dest Processes.process Processes.path | `drop_dm_object_name(Processes)` | rename parent_process_guid as lnk_guid] | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table firstTime, lastTime, lnk_guid, user, dest, file_name, file_path, process_name, process, process_path, file_hash | `process_creating_lnk_file_in_suspicious_location_filter`", "how_to_implement": "You must be ingesting data that records filesystem and process activity from your hosts to populate the Endpoint data model. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or endpoint data sources, such as Sysmon.", "known_false_positives": "This detection should yield little or no false positive results. It is uncommon for LNK files to be executed from temporary or user directories.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_creating_lnk_file_in_suspicious_location_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Process Deleting Its Process File Path", "author": "Teoderick Contreras", "date": "2023-04-14", "version": 2, "id": "f7eda4bc-871c-11eb-b110-acde48001122", "description": "This detection is to identify a suspicious process that tries to delete the process file path related to its process. This technique is known to be defense evasion once a certain condition of malware is satisfied or not. Clop ransomware use this technique where it will try to delete its process file path using a .bat command if the keyboard layout is not the layout it tries to infect.", "references": ["https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft", "https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"analytic_story": ["Clop Ransomware", "Data Destruction", "Remcos", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A process $Image$ tries to delete its process path in commandline $CommandLine$ as part of defense evasion in host $dest$ by user $user$", "risk_score": 60, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}]}, "type": "TTP", "search": "`sysmon` EventCode=1 CommandLine = \"* /c *\" CommandLine = \"* del*\" Image = \"*\\\\cmd.exe\" | eval result = if(like(process,\"%\".parent_process.\"%\"), \"Found\", \"Not Found\") | stats min(_time) as firstTime max(_time) as lastTime count by dest user ParentImage ParentCommandLine Image CommandLine EventCode ProcessID result | where result = \"Found\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `process_deleting_its_process_file_path_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "process_deleting_its_process_file_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Process Execution via WMI", "author": "Rico Valdez, Michael Haag, Splunk", "date": "2020-03-16", "version": 5, "id": "24869767-8579-485d-9a4f-d9ddfd8f0cac", "description": "The following analytic identifies `WmiPrvSE.exe` spawning a process. This typically occurs when a process is instantiated from a local or remote process using `wmic.exe`. During triage, review parallel processes for suspicious behavior or commands executed. Review the process and command-line spawning from `wmiprvse.exe`. Contain and remediate the endpoint as necessary.", "references": [], "tags": {"analytic_story": ["Suspicious WMI Use"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A remote instance execution of wmic.exe by WmiPrvSE.exe detected on host - $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=WmiPrvSE.exe NOT (Processes.process IN (\"*\\\\dismhost.exe*\")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `process_execution_via_wmi_filter` ", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, administrators may use wmi to execute commands for legitimate purposes.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_execution_via_wmi_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Process Kill Base On File Path", "author": "Teoderick Contreras, Splunk", "date": "2024-05-18", "version": 3, "id": "5ffaa42c-acdb-11eb-9ad3-acde48001122", "description": "The following analytic detects the use of `wmic.exe` with the `delete` command to remove an executable path. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This activity is significant because it often indicates the initial stages of an adversary setting up malicious activities, such as cryptocurrency mining, on an endpoint. If confirmed malicious, this behavior could allow an attacker to disable security tools or other critical processes, facilitating further compromise and persistence within the environment.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"analytic_story": ["XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A process $process_name$ attempt to kill process by its file path using commandline $process$ in host $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` AND Processes.process=\"*process*\" AND Processes.process=\"*executablepath*\" AND Processes.process=\"*delete*\" by Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `process_kill_base_on_file_path_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unknown.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_kill_base_on_file_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Process Writing DynamicWrapperX", "author": "Michael Haag, Splunk", "date": "2021-10-05", "version": 1, "id": "b0a078e4-2601-11ec-9aec-acde48001122", "description": "DynamicWrapperX is an ActiveX component that can be used in a script to call Windows API functions, but it requires the dynwrapx.dll to be installed and registered. With that, a binary writing dynwrapx.dll to disk and registering it into the registry is highly suspect. Why is it needed? In most malicious instances, it will be written to disk at a non-standard location. During triage, review parallel processes and pivot on the process_guid. Review the registry for any suspicious modifications meant to load dynwrapx.dll. Identify any suspicious module loads of dynwrapx.dll. This will identify the process that will invoke vbs/wscript/cscript.", "references": ["https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/", "https://www.script-coding.com/dynwrapx_eng.html", "https://bohops.com/2018/06/28/abusing-com-registry-structure-clsid-localserver32-inprocserver32/", "https://tria.ge/210929-ap75vsddan", "https://www.virustotal.com/gui/file/cb77b93150cb0f7fe65ce8a7e2a5781e727419451355a7736db84109fa215a89"], "tags": {"analytic_story": ["Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $process_name$ was identified on endpoint $dest$ downloading the DynamicWrapperX dll.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1559.001", "mitre_attack_technique": "Component Object Model", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["Gamaredon Group", "MuddyWater"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes by _time Processes.process_id Processes.process_name Processes.dest Processes.process_guid Processes.user | `drop_dm_object_name(Processes)` | join process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.file_name=\"dynwrapx.dll\" by _time Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid Filesystem.user | `drop_dm_object_name(Filesystem)` | fields _time process_guid file_path file_name file_create_time user dest process_name] | stats count min(_time) as firstTime max(_time) as lastTime by dest process_name process_guid file_name file_path file_create_time user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `process_writing_dynamicwrapperx_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives should be limited, however it is possible to filter by Processes.process_name and specific processes (ex. wscript.exe). Filter as needed. This may need modification based on EDR telemetry and how it brings in registry data. For example, removal of (Default).", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_writing_dynamicwrapperx_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Processes launching netsh", "author": "Michael Haag, Josef Kuepker, Splunk", "date": "2021-09-16", "version": 4, "id": "b89919ed-fe5f-492c-b139-95dbb162040e", "description": "This search looks for processes launching netsh.exe. Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed. In this search, we are looking for processes spawned by netsh.exe and executing commands via the command line.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"analytic_story": ["Azorult", "DHS Report TA18-074A", "Disabling Security Tools", "Netsh Abuse", "Snake Keylogger", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A process $process_name$ has launched netsh with command-line $process$ on $dest$.", "risk_score": 14, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT", "ToddyCat"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count values(Processes.process) AS Processes.process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh` by Processes.parent_process_name Processes.parent_process Processes.original_file_name Processes.process_name Processes.user Processes.dest |`drop_dm_object_name(\"Processes\")` |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` |`processes_launching_netsh_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Some VPN applications are known to launch netsh.exe. Outside of these instances, it is unusual for an executable to launch netsh.exe and run commands.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_netsh", "definition": "(Processes.process_name=netsh.exe OR Processes.original_file_name=netsh.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "processes_launching_netsh_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Processes Tapping Keyboard Events", "author": "Jose Hernandez, Splunk", "date": "2019-01-25", "version": 1, "id": "2a371608-331d-4034-ae2c-21dda8f1d0ec", "description": "This search looks for processes in an MacOS system that is tapping keyboard events in MacOS, and essentially monitoring all keystrokes made by a user. This is a common technique used by RATs to log keystrokes from a victim, although it can also be used by legitimate processes like Siri to react on human input", "references": [], "tags": {"analytic_story": ["ColdRoot MacOS RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| from datamodel Alerts.Alerts | search app=osquery:results name=pack_osx-attacks_Keyboard_Event_Taps | rename columns.cmdline as cmd, columns.name as process_name, columns.pid as process_id| dedup host,process_name | table host,process_name, cmd, process_id | `processes_tapping_keyboard_events_filter`", "how_to_implement": "In order to properly run this search, Splunk needs to ingest data from your osquery deployed agents with the [osx-attacks.conf](https://github.com/facebook/osquery/blob/experimental/packs/osx-attacks.conf#L599) pack enabled. Also the [TA-OSquery](https://github.com/d1vious/TA-osquery) must be deployed across your indexers and universal forwarders in order to have the osquery data populate the Alerts data model.", "known_false_positives": "There might be some false positives as keyboard event taps are used by processes like Siri and Zoom video chat, for some good examples of processes to exclude please see [this](https://github.com/facebook/osquery/pull/5345#issuecomment-454639161) comment.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "processes_tapping_keyboard_events_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Randomly Generated Scheduled Task Name", "author": "Mauricio Velazco, Splunk", "date": "2021-11-29", "version": 1, "id": "9d22a780-5165-11ec-ad4f-3e22fbd008af", "description": "The following hunting analytic leverages Event ID 4698, `A scheduled task was created`, to identify the creation of a Scheduled Task with a suspicious, high entropy, Task Name. To achieve this, this analytic also leverages the `ut_shannon` function from the URL ToolBox Splunk application. Red teams and adversaries alike may abuse the Task Scheduler to create and start a remote Scheduled Task and obtain remote code execution. To achieve this goal, tools like Impacket or Crapmapexec, typically create a Scheduled Task with a random task name on the victim host. This hunting analytic may help defenders identify Scheduled Tasks created as part of a lateral movement attack. The entropy threshold `ut_shannon > 3` should be customized by users. The Command field can be used to determine if the task has malicious intent or not.", "references": ["https://attack.mitre.org/techniques/T1053/005/", "https://splunkbase.splunk.com/app/2734/", "https://en.wikipedia.org/wiki/Entropy_(information_theory)"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "CISA AA22-257A", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A windows scheduled task with a suspicious task name was created on $dest$", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}]}, "type": "Hunting", "search": " `wineventlog_security` EventCode=4698 | xmlkv Message | lookup ut_shannon_lookup word as Task_Name | where ut_shannon > 3 | table _time, dest, Task_Name, ut_shannon, Command, Author, Enabled, Hidden | `randomly_generated_scheduled_task_name_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA as well as the URL ToolBox application are also required.", "known_false_positives": "Legitimate applications may use random Scheduled Task names.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "randomly_generated_scheduled_task_name_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Randomly Generated Windows Service Name", "author": "Mauricio Velazco, Splunk", "date": "2021-11-29", "version": 1, "id": "2032a95a-5165-11ec-a2c3-3e22fbd008af", "description": "The following hunting analytic leverages Event ID 7045, `A new service was installed in the system`, to identify the installation of a Windows Service with a suspicious, high entropy, Service Name. To achieve this, this analytic also leverages the `ut_shannon` function from the URL ToolBox Splunk application. Red teams and adversaries alike may abuse the Service Control Manager to create and start a remote Windows Service and obtain remote code execution. To achieve this goal, some tools like Metasploit, Cobalt Strike and Impacket, typically create a Windows Service with a random service name on the victim host. This hunting analytic may help defenders identify Windows Services installed as part of a lateral movement attack. The entropy threshold `ut_shannon > 3` should be customized by users. The Service_File_Name field can be used to determine if the Windows Service has malicious intent or not.", "references": ["https://attack.mitre.org/techniques/T1543/003/"], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "Service_File_Name", "type": "Other", "role": ["Other"]}, {"name": "ComputerName", "type": "Endpoint", "role": ["Victim"]}], "message": "A Windows Service with a suspicious service name was installed on $ComputerName$", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}]}, "type": "Hunting", "search": " `wineventlog_system` EventCode=7045 | lookup ut_shannon_lookup word as Service_Name | where ut_shannon > 3 | table EventCode ComputerName Service_Name ut_shannon Service_Start_Type Service_Type Service_File_Name | `randomly_generated_windows_service_name_filter` ", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints. The Windows TA as well as the URL ToolBox application are also required.", "known_false_positives": "Legitimate applications may use random Windows Service names.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "randomly_generated_windows_service_name_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Ransomware Notes bulk creation", "author": "Teoderick Contreras", "date": "2021-03-12", "version": 1, "id": "eff7919a-8330-11eb-83f8-acde48001122", "description": "The following analytics identifies a big number of instance of ransomware notes (filetype e.g .txt, .html, .hta) file creation to the infected machine. This behavior is a good sensor if the ransomware note filename is quite new for security industry or the ransomware note filename is not in your ransomware lookup table list for monitoring.", "references": ["https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft", "https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html"], "tags": {"analytic_story": ["BlackMatter Ransomware", "Chaos Ransomware", "Clop Ransomware", "DarkSide Ransomware", "LockBit Ransomware", "Rhysida Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A high frequency file creation of $file_name$ in different file path in host $dest$", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "Akira", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "Scattered Spider", "TA505"]}]}, "type": "Anomaly", "search": "`sysmon` EventCode=11 file_name IN (\"*\\.txt\",\"*\\.html\",\"*\\.hta\") |bin _time span=10s | stats min(_time) as firstTime max(_time) as lastTime dc(TargetFilename) as unique_readme_path_count values(TargetFilename) as list_of_readme_path by Computer Image file_name | rename Computer as dest | where unique_readme_path_count >= 15 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ransomware_notes_bulk_creation_filter`", "how_to_implement": "You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "ransomware_notes_bulk_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Recon AVProduct Through Pwh or WMI", "author": "Teoderick Contreras, Splunk", "date": "2023-04-14", "version": 2, "id": "28077620-c9f6-11eb-8785-acde48001122", "description": "The following analytic identifies suspicious PowerShell script execution via EventCode 4104 performing checks to identify anti-virus products installed on the endpoint. This technique is commonly found in malware and APT events where the adversary will map all running security applications or services. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts.", "references": ["https://news.sophos.com/en-us/2020/05/12/maze-ransomware-1-year-counting/", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Malicious PowerShell", "Prestige Ransomware", "Qakbot", "Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Reconnaissance"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A suspicious powershell script contains AV recon command on host $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*SELECT*\" OR ScriptBlockText = \"*WMIC*\") AND (ScriptBlockText = \"*AntiVirusProduct*\" OR ScriptBlockText = \"*AntiSpywareProduct*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `recon_avproduct_through_pwh_or_wmi_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "network administrator may used this command for checking purposes", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "recon_avproduct_through_pwh_or_wmi_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Recon Using WMI Class", "author": "Teoderick Contreras, Splunk", "date": "2023-11-07", "version": 2, "id": "018c1972-ca07-11eb-9473-acde48001122", "description": "The following analytic identifies suspicious PowerShell via EventCode 4104, where WMI is performing an event query looking for running processes or running services. This technique is commonly found where the adversary will identify services and system information on the compromised machine. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts.", "references": ["https://news.sophos.com/en-us/2020/05/12/maze-ransomware-1-year-counting/", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html", "https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", "https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html"], "tags": {"analytic_story": ["AsyncRAT", "Data Destruction", "Hermetic Wiper", "Industroyer2", "LockBit Ransomware", "Malicious PowerShell", "Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Reconnaissance"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A suspicious powershell script contains host recon commands detected on host $dest$", "risk_score": 60, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}]}, "type": "Anomaly", "search": "`powershell` EventCode=4104 (ScriptBlockText= \"*SELECT*\" OR ScriptBlockText= \"*Get-WmiObject*\") AND (ScriptBlockText= \"*Win32_Bios*\" OR ScriptBlockText= \"*Win32_OperatingSystem*\" OR ScriptBlockText= \"*Win32_Processor*\" OR ScriptBlockText= \"*Win32_ComputerSystem*\" OR ScriptBlockText= \"*Win32_PnPEntity*\" OR ScriptBlockText= \"*Win32_ShadowCopy*\" OR ScriptBlockText= \"*Win32_DiskDrive*\" OR ScriptBlockText= \"*Win32_PhysicalMemory*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `recon_using_wmi_class_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "network administrator may used this command for checking purposes", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "recon_using_wmi_class_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Recursive Delete of Directory In Batch CMD", "author": "Teoderick Contreras, Splunk", "date": "2022-11-12", "version": 3, "id": "ba570b3a-d356-11eb-8358-acde48001122", "description": "This search is to detect a suspicious commandline designed to delete files or directory recursive using batch command. This technique was seen in ransomware (reddot) where it it tries to delete the files in recycle bin to impaire user from recovering deleted files.", "references": ["https://app.any.run/tasks/c0f98850-af65-4352-9746-fbebadee4f05/"], "tags": {"analytic_story": ["Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Recursive Delete of Directory In Batch CMD by $user$ on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` Processes.process=*/c* Processes.process=\"* rd *\" Processes.process=\"*/s*\" Processes.process=\"*/q*\" by Processes.user Processes.process_name Processes.parent_process_name Processes.parent_process Processes.process Processes.process_id Processes.dest |`drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `recursive_delete_of_directory_in_batch_cmd_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "network operator may use this batch command to delete recursively a directory or files within directory", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "recursive_delete_of_directory_in_batch_cmd_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Reg exe Manipulating Windows Services Registry Keys", "author": "Rico Valdez, Splunk", "date": "2024-05-17", "version": 6, "id": "8470d755-0c13-45b3-bd63-387a373c10cf", "description": "The following analytic detects the use of reg.exe to modify registry keys associated with Windows services and their configurations. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This activity is significant because unauthorized changes to service registry keys can indicate an attempt to establish persistence or escalate privileges. If confirmed malicious, this could allow an attacker to control service behavior, potentially leading to unauthorized code execution or system compromise.", "references": [], "tags": {"analytic_story": ["Living Off The Land", "Windows Persistence Techniques", "Windows Service Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A reg.exe process $process_name$ with commandline $process$ in host $dest$", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1574.011", "mitre_attack_technique": "Services Registry Permissions Weakness", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process_name) as process_name values(Processes.parent_process_name) as parent_process_name values(Processes.user) as user FROM datamodel=Endpoint.Processes where Processes.process_name=reg.exe Processes.process=*reg* Processes.process=*add* Processes.process=*Services* by Processes.process_id Processes.dest Processes.process | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `reg_exe_manipulating_windows_services_registry_keys_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "It is unusual for a service to be created or modified by directly manipulating the registry. However, there may be legitimate instances of this behavior. It is important to validate and investigate, as appropriate.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "reg_exe_manipulating_windows_services_registry_keys_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Registry Keys for Creating SHIM Databases", "author": "Steven Dick, Bhavin Patel, Patrick Bareiss, Teoderick Contreras, Splunk", "date": "2024-05-17", "version": 7, "id": "f5f6af30-7aa7-4295-bfe9-07fe87c01bbb", "description": "The following analytic detects registry activity related to the creation of application compatibility shims. It leverages data from the Endpoint.Registry data model, specifically monitoring registry paths associated with AppCompatFlags. This activity is significant because attackers can use shims to bypass security controls, achieve persistence, or escalate privileges. If confirmed malicious, this could allow an attacker to maintain long-term access, execute arbitrary code, or manipulate application behavior, posing a severe risk to the integrity and security of the affected systems.", "references": [], "tags": {"analytic_story": ["Suspicious Windows Registry Activities", "Windows Persistence Techniques", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A registry activity in $registry_path$ related to shim modication in host $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.011", "mitre_attack_technique": "Application Shimming", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["FIN7"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=*CurrentVersion\\\\AppCompatFlags\\\\Custom* OR Registry.registry_path=*CurrentVersion\\\\AppCompatFlags\\\\InstalledSDB*) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `registry_keys_for_creating_shim_databases_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "There are many legitimate applications that leverage shim databases for compatibility purposes for legacy applications", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "registry_keys_for_creating_shim_databases_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Registry Keys Used For Persistence", "author": "Jose Hernandez, David Dorsey, Teoderick Contreras, Rod Soto, Splunk", "date": "2023-12-27", "version": 9, "id": "f5f6af30-7aa7-4295-bfe9-07fe87c01a4b", "description": "The search looks for modifications or alterations made to registry keys that have the potential to initiate the launch of an application or service during system startup. By monitoring and detecting modifications in these registry keys, we can identify suspicious or unauthorized changes that could be indicative of malicious activity. This proactive approach helps in safeguarding the system's integrity and security by promptly identifying and mitigating potential threats that aim to gain persistence or execute malicious actions during the startup process.", "references": [], "tags": {"analytic_story": ["Amadey", "AsyncRAT", "Azorult", "BlackByte Ransomware", "CISA AA23-347A", "Chaos Ransomware", "DHS Report TA18-074A", "DarkGate Malware", "Emotet Malware DHS Report TA18-201A", "IcedID", "NjRAT", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Qakbot", "Ransomware", "RedLine Stealer", "Remcos", "Snake Keylogger", "Sneaky Active Directory Persistence Tricks", "Suspicious MSHTA Activity", "Suspicious Windows Registry Activities", "Warzone RAT", "Windows Persistence Techniques", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A registry activity in $registry_path$ related to persistence in host $dest$", "risk_score": 76, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path=*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce OR Registry.registry_path=*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\StartupApproved\\\\Run OR Registry.registry_path= \"*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\*\" OR Registry.registry_path= \"*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\*\" OR Registry.registry_path=*\\\\currentversion\\\\run* OR Registry.registry_path=*\\\\currentVersion\\\\Windows\\\\Appinit_Dlls* OR Registry.registry_path=*\\\\CurrentVersion\\\\Winlogon\\\\Shell* OR Registry.registry_path=*\\\\CurrentVersion\\\\Winlogon\\\\Notify* OR Registry.registry_path=*\\\\CurrentVersion\\\\Winlogon\\\\Userinit* OR Registry.registry_path=*\\\\CurrentVersion\\\\Winlogon\\\\VmApplet* OR Registry.registry_path=*\\\\currentversion\\\\policies\\\\explorer\\\\run* OR Registry.registry_path=*\\\\currentversion\\\\runservices* OR Registry.registry_path=HKLM\\\\SOFTWARE\\\\Microsoft\\\\Netsh\\\\* OR Registry.registry_path= \"*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Common Startup\" OR Registry.registry_path= *\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\SharedTaskScheduler OR Registry.registry_path= *\\\\Classes\\\\htmlfile\\\\shell\\\\open\\\\command OR (Registry.registry_path=\"*Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options*\" AND Registry.registry_key_name=Debugger) OR (Registry.registry_path=\"*\\\\CurrentControlSet\\\\Control\\\\Lsa\" AND Registry.registry_key_name=\"Security Packages\") OR (Registry.registry_path=\"*\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\" AND Registry.registry_key_name=\"Security Packages\") OR (Registry.registry_path=\"*\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\") OR (Registry.registry_path=\"*currentVersion\\\\Windows\" AND Registry.registry_key_name=\"Load\") OR (Registry.registry_path=\"*\\\\CurrentVersion\" AND Registry.registry_key_name=\"Svchost\") OR (Registry.registry_path=\"*\\\\CurrentControlSet\\Control\\Session Manager\"AND Registry.registry_key_name=\"BootExecute\") OR (Registry.registry_path=\"*\\\\Software\\\\Run\" AND Registry.registry_key_name=\"auto_update\")) by Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `registry_keys_used_for_persistence_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "There are many legitimate applications that must execute on system startup and will use these registry keys to accomplish that task.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "registry_keys_used_for_persistence_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Registry Keys Used For Privilege Escalation", "author": "Steven Dick, David Dorsey, Teoderick Contreras, Splunk", "date": "2023-04-27", "version": 7, "id": "c9f4b923-f8af-4155-b697-1354f5bcbc5e", "description": "This search looks for modifications to registry keys that can be used to elevate privileges. The registry keys under \"Image File Execution Options\" are used to intercept calls to an executable and can be used to attach malicious binaries to benign system binaries.", "references": ["https://blog.malwarebytes.com/101/2015/12/an-introduction-to-image-file-execution-options/"], "tags": {"analytic_story": ["Cloud Federated Credential Abuse", "Data Destruction", "Hermetic Wiper", "Suspicious Windows Registry Activities", "Windows Privilege Escalation", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A registry activity in $registry_path$ related to privilege escalation in host $dest$", "risk_score": 76, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.012", "mitre_attack_technique": "Image File Execution Options Injection", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE ((Registry.registry_path=\"*Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options*\") AND (Registry.registry_value_name=GlobalFlag OR Registry.registry_value_name=Debugger)) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `registry_keys_used_for_privilege_escalation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "There are many legitimate applications that must execute upon system startup and will use these registry keys to accomplish that task.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "registry_keys_used_for_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Regsvr32 Silent and Install Param Dll Loading", "author": "Teoderick Contreras, Splunk", "date": "2023-04-14", "version": 1, "id": "f421c250-24e7-11ec-bc43-acde48001122", "description": "This analytic is to detect a loading of dll using regsvr32 application with silent parameter and dllinstall execution. This technique was seen in several RAT malware similar to remcos, njrat and adversaries to load their malicious DLL on the compromised machine. This TTP may executed by normal 3rd party application so it is better to pivot by the parent process, parent command-line and command-line of the file that execute this regsvr32.", "references": ["https://app.any.run/tasks/dc93ee63-050c-4ff8-b07e-8277af9ab939/", "https://attack.mitre.org/techniques/T1218/010/"], "tags": {"analytic_story": ["AsyncRAT", "Data Destruction", "Hermetic Wiper", "Living Off The Land", "Remcos", "Suspicious Regsvr32 Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to load a DLL using the silent and dllinstall parameter.", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_regsvr32` AND Processes.process=\"*/i*\" by Processes.dest Processes.parent_process Processes.process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where match(process,\"(?i)[\\-|\\/][Ss]{1}\") | `regsvr32_silent_and_install_param_dll_loading_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Other third part application may used this parameter but not so common in base windows environment.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_regsvr32", "definition": "(Processes.process_name=regsvr32.exe OR Processes.original_file_name=REGSVR32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "regsvr32_silent_and_install_param_dll_loading_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "author": "Teoderick Contreras, Splunk", "date": "2021-07-27", "version": 2, "id": "c9ef7dc4-eeaf-11eb-b2b6-acde48001122", "description": "The following analytic identifies Regsvr32.exe utilizing the silent switch to load DLLs. This technique has most recently been seen in IcedID campaigns to load its initial dll that will download the 2nd stage loader that will download and decrypt the config payload. The switch type may be either a hyphen `-` or forward slash `/`. This behavior is typically found with `-s`, and it is possible there are more switch types that may be used. \\ During triage, review parallel processes and capture any artifacts that may have landed on disk. Isolate and contain the endpoint as necessary.", "references": ["https://app.any.run/tasks/56680cba-2bbc-4b34-8633-5f7878ddf858/", "https://regexr.com/699e2"], "tags": {"analytic_story": ["AsyncRAT", "IcedID", "Living Off The Land", "Qakbot", "Remcos", "Suspicious Regsvr32 Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to load a DLL using the silent parameter.", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_regsvr32` by Processes.user Processes.process_name Processes.process Processes.parent_process_name Processes.original_file_name Processes.dest Processes.process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where match(process,\"(?i)[\\-|\\/][Ss]{1}\") | `regsvr32_with_known_silent_switch_cmdline_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "minimal. but network operator can use this application to load dll.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_regsvr32", "definition": "(Processes.process_name=regsvr32.exe OR Processes.original_file_name=REGSVR32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "regsvr32_with_known_silent_switch_cmdline_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Remcos client registry install entry", "author": "Steven Dick, Bhavin Patel, Rod Soto, Teoderick Contreras, Splunk", "date": "2022-11-14", "version": 3, "id": "f2a1615a-1d63-11ec-97d2-acde48001122", "description": "The following analytic detects the presence of a registry key related to the Remcos RAT agent on a host. This detection is made by a Splunk query to search for instances where the registry key \"license\" is found in the \"Software\\Remcos\" path. This analytic combines information from two data models: Endpoint.Processes and Endpoint.Registry and retrieves process information such as user, process ID, process name, process path, destination, parent process name, parent process, and process GUID. This analytic also retrieves registry information such as registry path, registry key name, registry value name, registry value data, and process GUID. By joining the process GUID from the Endpoint.Processes data model with the process GUID from the Endpoint.Registry data model, the analytic identifies instances where the \"license\" registry key is found in the \"Software\\Remcos\" path. This detection is important because it suggests that the host has been compromised by the Remcos RAT agent. Remcos is a well-known remote access Trojan that can be used by attackers to gain unauthorized access to systems and exfiltrate sensitive data. Identifying this behavior allows the SOC to take immediate action to remove the RAT agent and prevent further compromise. The impact of this attack can be severe, as the attacker can gain unauthorized access to the system, steal sensitive information, or use the compromised system as a launching point for further attacks. Next steps include using this analytic in conjunction with other security measures and threat intelligence to ensure accurate detection and response.", "references": ["https://attack.mitre.org/software/S0332/"], "tags": {"analytic_story": ["Remcos", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A registry entry $registry_path$ with registry keyname $registry_key_name$ related to Remcos RAT in host $dest$", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_key_name=*\\\\Software\\\\Remcos*) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`remcos_client_registry_install_entry_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "remcos_client_registry_install_entry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Remcos RAT File Creation in Remcos Folder", "author": "Teoderick Contreras, Splunk, Sanjay Govind", "date": "2021-09-21", "version": 2, "id": "25ae862a-1ac3-11ec-94a1-acde48001122", "description": "This search is to detect file creation in remcos folder in appdata which is the keylog and clipboard logs that will be send to its c2 server. This is really a good TTP indicator that there is a remcos rat in the system that do keylogging, clipboard grabbing and audio recording.", "references": ["https://success.trendmicro.com/dcx/s/solution/1123281-remcos-malware-information?language=en_US", "https://blog.malwarebytes.com/threat-intelligence/2021/07/remcos-rat-delivered-via-visual-basic/"], "tags": {"analytic_story": ["Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "file $file_name$ created in $file_path$ of $dest$", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1113", "mitre_attack_technique": "Screen Capture", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT39", "BRONZE BUTLER", "Dark Caracal", "Dragonfly", "FIN7", "GOLD SOUTHFIELD", "Gamaredon Group", "Group5", "Magic Hound", "MoustachedBouncer", "MuddyWater", "OilRig", "Silence"]}]}, "type": "TTP", "search": "|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*.dat\") Filesystem.file_path = \"*\\\\remcos\\\\*\" by _time Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.file_create_time | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remcos_rat_file_creation_in_remcos_folder_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "remcos_rat_file_creation_in_remcos_folder_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Remote Desktop Process Running On System", "author": "David Dorsey, Splunk", "date": "2020-07-21", "version": 5, "id": "f5939373-8054-40ad-8c64-cec478a22a4a", "description": "This search looks for the remote desktop process mstsc.exe running on systems upon which it doesn't typically run. This is accomplished by filtering out all systems that are noted in the `common_rdp_source category` in the Assets and Identity framework.", "references": [], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Hidden Cobra Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "APT5", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=*mstsc.exe AND Processes.dest_category!=common_rdp_source by Processes.dest Processes.user Processes.process | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `remote_desktop_process_running_on_system_filter` ", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Remote Desktop may be used legitimately by users on the network.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "remote_desktop_process_running_on_system_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Remote Process Instantiation via DCOM and PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2021-11-15", "version": 1, "id": "d4f42098-4680-11ec-ad07-3e22fbd008af", "description": "This analytic looks for the execution of `powershell.exe` with arguments utilized to start a process on a remote endpoint by abusing the DCOM protocol. Specifically, this search looks for the abuse of ShellExecute and ExecuteShellCommand. Red Teams and adversaries alike may abuse DCOM and `powershell.exe` for lateral movement and remote code execution.", "references": ["https://attack.mitre.org/techniques/T1021/003/", "https://www.cybereason.com/blog/dcom-lateral-movement-techniques"], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A process was started on a remote endpoint from $dest by abusing DCOM using PowerShell.exe", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` (Processes.process=\"*Document.ActiveView.ExecuteShellCommand*\" OR Processes.process=\"*Document.Application.ShellExecute*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `remote_process_instantiation_via_dcom_and_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may leverage DCOM to start a process on remote systems, but this activity is usually limited to a small set of hosts or users.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "remote_process_instantiation_via_dcom_and_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Remote Process Instantiation via DCOM and PowerShell Script Block", "author": "Mauricio Velazco, Splunk", "date": "2022-03-22", "version": 2, "id": "fa1c3040-4680-11ec-a618-3e22fbd008af", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of PowerShell with arguments utilized to start a process on a remote endpoint by abusing the DCOM protocol. Specifically, this search looks for the abuse of ShellExecute and ExecuteShellCommand. Red Teams and adversaries alike may abuse DCOM for lateral movement and remote code execution.", "references": ["https://attack.mitre.org/techniques/T1021/003/", "https://www.cybereason.com/blog/dcom-lateral-movement-techniques"], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "message": "A process was started on a remote endpoint from $Computer$ by abusing WMI using PowerShell.exe", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText=\"*Document.Application.ShellExecute*\" OR ScriptBlockText=\"*Document.ActiveView.ExecuteShellCommand*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_process_instantiation_via_dcom_and_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup instructions can be found https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators may leverage DCOM to start a process on remote systems, but this activity is usually limited to a small set of hosts or users.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "remote_process_instantiation_via_dcom_and_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Remote Process Instantiation via WinRM and PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2021-11-16", "version": 1, "id": "ba24cda8-4716-11ec-8009-3e22fbd008af", "description": "This analytic looks for the execution of `powershell.exe` with arguments utilized to start a process on a remote endpoint by abusing the WinRM protocol. Specifically, this search looks for the abuse of the `Invoke-Command` commandlet. Red Teams and adversaries alike may abuse WinRM and `powershell.exe` for lateral movement and remote code execution.", "references": ["https://attack.mitre.org/techniques/T1021/006/", "https://pentestlab.blog/2018/05/15/lateral-movement-winrm/"], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A process was started on a remote endpoint from $dest by abusing WinRM using PowerShell.exe", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.006", "mitre_attack_technique": "Windows Remote Management", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Chimera", "FIN13", "Threat Group-3390", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` (Processes.process=\"*Invoke-Command*\" AND Processes.process=\"*-ComputerName*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `remote_process_instantiation_via_winrm_and_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may leverage WinRM and `Invoke-Command` to start a process on remote systems for system administration or automation use cases. However, this activity is usually limited to a small set of hosts or users.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "remote_process_instantiation_via_winrm_and_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Remote Process Instantiation via WinRM and PowerShell Script Block", "author": "Mauricio Velazco, Splunk", "date": "2022-03-22", "version": 2, "id": "7d4c618e-4716-11ec-951c-3e22fbd008af", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of PowerShell with arguments utilized to start a process on a remote endpoint by abusing the WinRM protocol. Specifically, this search looks for the abuse of the `Invoke-Command` commandlet. Red Teams and adversaries alike may abuse WinRM for lateral movement and remote code execution.", "references": ["https://attack.mitre.org/techniques/T1021/006/", "https://pentestlab.blog/2018/05/15/lateral-movement-winrm/"], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "message": "A process was started on a remote endpoint from $Computer$ by abusing WinRM using PowerShell.exe", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.006", "mitre_attack_technique": "Windows Remote Management", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Chimera", "FIN13", "Threat Group-3390", "Wizard Spider"]}]}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText=\"*Invoke-Command*\" AND ScriptBlockText=\"*-ComputerName*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_process_instantiation_via_winrm_and_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup instructions can be found https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators may leverage WinRM and `Invoke-Command` to start a process on remote systems for system administration or automation use cases. This activity is usually limited to a small set of hosts or users. In certain environments, tuning may not be possible.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "remote_process_instantiation_via_winrm_and_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Remote Process Instantiation via WinRM and Winrs", "author": "Mauricio Velazco, Splunk", "date": "2021-11-11", "version": 1, "id": "0dd296a2-4338-11ec-ba02-3e22fbd008af", "description": "This analytic looks for the execution of `winrs.exe` with command-line arguments utilized to start a process on a remote endpoint. Red Teams and adversaries alike may abuse the WinRM protocol and this binary for lateral movement and remote code execution.", "references": ["https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/winrs", "https://attack.mitre.org/techniques/T1021/006/"], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A process was started on a remote endpoint from $dest", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.006", "mitre_attack_technique": "Windows Remote Management", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Chimera", "FIN13", "Threat Group-3390", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=winrs.exe OR Processes.original_file_name=winrs.exe) (Processes.process=\"*-r:*\" OR Processes.process=\"*-remote:*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `remote_process_instantiation_via_winrm_and_winrs_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may leverage WinRM and WinRs to start a process on remote systems, but this activity is usually limited to a small set of hosts or users.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "remote_process_instantiation_via_winrm_and_winrs_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Remote Process Instantiation via WMI", "author": "Rico Valdez, Mauricio Velazco, Splunk", "date": "2024-05-23", "version": 8, "id": "d25d2c3d-d9d8-40ec-8fdf-e86fe155a3da", "description": "The following analytic detects the execution of wmic.exe with parameters to spawn a process on a remote system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process telemetry mapped to the `Processes` node of the `Endpoint` data model. This activity is significant as WMI can be abused for lateral movement and remote code execution, often used by adversaries and Red Teams. If confirmed malicious, this could allow attackers to execute arbitrary code on remote systems, facilitating further compromise and lateral spread within the network.", "references": ["https://attack.mitre.org/techniques/T1047/", "https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/create-method-in-class-win32-process"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "CISA AA23-347A", "Ransomware", "Suspicious WMI Use"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A wmic.exe process $process$ contain process spawn commandline $process$ in host $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` (Processes.process=\"*/node:*\" AND Processes.process=\"*process*\" AND Processes.process=\"*call*\" AND Processes.process=\"*create*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `remote_process_instantiation_via_wmi_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "The wmic.exe utility is a benign Windows application. It may be used legitimately by Administrators with these parameters for remote system administration, but it's relatively uncommon.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "remote_process_instantiation_via_wmi_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Remote Process Instantiation via WMI and PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2021-11-15", "version": 1, "id": "112638b4-4634-11ec-b9ab-3e22fbd008af", "description": "This analytic looks for the execution of `powershell.exe` leveraging the `Invoke-WmiMethod` commandlet complemented with arguments utilized to start a process on a remote endpoint by abusing WMI. Red Teams and adversaries alike may abuse WMI and `powershell.exe` for lateral movement and remote code execution.", "references": ["https://attack.mitre.org/techniques/T1047/", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/invoke-wmimethod?view=powershell-5.1"], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A process was started on a remote endpoint from $dest by abusing WMI using PowerShell.exe", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` (Processes.process=\"*Invoke-WmiMethod*\" AND Processes.process=\"*-CN*\" AND Processes.process=\"*-Class Win32_Process*\" AND Processes.process=\"*-Name create*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `remote_process_instantiation_via_wmi_and_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may leverage WWMI and powershell.exe to start a process on remote systems, but this activity is usually limited to a small set of hosts or users.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "remote_process_instantiation_via_wmi_and_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Remote Process Instantiation via WMI and PowerShell Script Block", "author": "Mauricio Velazco, Splunk", "date": "2022-11-15", "version": 2, "id": "2a048c14-4634-11ec-a618-3e22fbd008af", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Invoke-WmiMethod` commandlet with arguments utilized to start a process on a remote endpoint by abusing WMI. Red Teams and adversaries alike may abuse WMI and this commandlet for lateral movement and remote code execution.", "references": ["https://attack.mitre.org/techniques/T1047/", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/invoke-wmimethod?view=powershell-5.1"], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "message": "A process was started on a remote endpoint from $Computer$ by abusing WMI using PowerShell.exe", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText=\"*Invoke-WmiMethod*\" AND (ScriptBlockText=\"*-CN*\" OR ScriptBlockText=\"*-ComputerName*\") AND ScriptBlockText=\"*-Class Win32_Process*\" AND ScriptBlockText=\"*-Name create*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_process_instantiation_via_wmi_and_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup instructions can be found https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators may leverage WWMI and powershell.exe to start a process on remote systems, but this activity is usually limited to a small set of hosts or users.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "remote_process_instantiation_via_wmi_and_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Remote System Discovery with Adsisearcher", "author": "Mauricio Velazco, Splunk", "date": "2022-06-29", "version": 2, "id": "70803451-0047-4e12-9d63-77fa7eb8649c", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain computers. Red Teams and adversaries may leverage `[Adsisearcher]` to enumerate domain computers for situational awareness and Active Directory Discovery.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Remote system discovery enumeration with adsisearcher on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Akira", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Scattered Spider", "Silence", "Threat Group-3390", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*adsisearcher*\" AND ScriptBlockText = \"*objectcategory=computer*\" AND ScriptBlockText IN (\"*findAll()*\",\"*findOne()*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest |rename UserID as user | `security_content_ctime(firstTime)` | `remote_system_discovery_with_adsisearcher_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use Adsisearcher for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "remote_system_discovery_with_adsisearcher_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Remote System Discovery with Dsquery", "author": "Mauricio Velazco, Splunk", "date": "2021-08-31", "version": 1, "id": "9fb562f4-42f8-4139-8e11-a82edf7ed718", "description": "This analytic looks for the execution of `dsquery.exe` with command-line arguments utilized to discover remote systems. The `computer` argument returns a list of all computers registered in the domain. Red Teams and adversaries alike engage in remote system discovery for situational awareness and Active Directory Discovery.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc732952(v=ws.11)"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Remote system discovery enumeration on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Akira", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Scattered Spider", "Silence", "Threat Group-3390", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"dsquery.exe\") (Processes.process=\"*computer*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_system_discovery_with_dsquery_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "remote_system_discovery_with_dsquery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Remote System Discovery with Net", "author": "Mauricio Velazco, Splunk", "date": "2021-08-30", "version": 1, "id": "9df16706-04a2-41e2-bbfe-9b38b34409d3", "description": "This analytic looks for the execution of `net.exe` or `net1.exe` with command-line arguments utilized to discover remote systems. The argument `domain computers /domain` returns a list of all domain computers. Red Teams and adversaries alike use net.exe to identify remote systems for situational awareness and Active Directory Discovery.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"analytic_story": ["Active Directory Discovery", "IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Remote system discovery enumeration on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Akira", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Scattered Spider", "Silence", "Threat Group-3390", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"net.exe\" OR Processes.process_name=\"net1.exe\") (Processes.process=\"*domain computers*\" AND Processes.process=*/do*) OR (Processes.process=\"*view*\" AND Processes.process=*/do*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_system_discovery_with_net_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "remote_system_discovery_with_net_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Remote System Discovery with Wmic", "author": "Mauricio Velazco, Splunk", "date": "2021-09-01", "version": 1, "id": "d82eced3-b1dc-42ab-859e-a2fc98827359", "description": "This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to discover remote systems. The arguments utilized in this command return a list of all the systems registered in the domain. Red Teams and adversaries alike may leverage WMI and wmic.exe to identify remote systems for situational awareness and Active Directory Discovery.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmic"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Remote system discovery enumeration on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Akira", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Scattered Spider", "Silence", "Threat Group-3390", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"wmic.exe\") (Processes.process=*/NAMESPACE:\\\\\\\\root\\\\directory\\\\ldap* AND Processes.process=*ds_computer* AND Processes.process=\"*GET ds_samaccountname*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_system_discovery_with_wmic_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "remote_system_discovery_with_wmic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Remote WMI Command Attempt", "author": "Rico Valdez, Michael Haag, Splunk", "date": "2023-12-27", "version": 4, "id": "272df6de-61f1-4784-877c-1fbc3e2d0838", "description": "The following analytic identifies usage of `wmic.exe` spawning a local or remote process, identified by the `node` switch. During triage, review parallel processes for additional commands executed. Look for any file modifications before and after `wmic.exe` execution. In addition, identify the remote endpoint and confirm execution or file modifications. Contain and isolate the endpoint as needed.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.yaml", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"analytic_story": ["CISA AA23-347A", "Graceful Wipe Out Attack", "IcedID", "Living Off The Land", "Suspicious WMI Use", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A wmic.exe process $process$ contain node commandline $process$ in host $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process=*node* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_wmi_command_attempt_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may use this legitimately to gather info from remote systems. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "remote_wmi_command_attempt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Resize ShadowStorage volume", "author": "Teoderick Contreras", "date": "2021-03-12", "version": 1, "id": "bc760ca6-8336-11eb-bcbb-acde48001122", "description": "The following analytics identifies the resizing of shadowstorage by ransomware malware to avoid the shadow volumes being made again. this technique is an alternative by ransomware attacker than deleting the shadowstorage which is known alert in defensive team. one example of ransomware that use this technique is CLOP ransomware where it drops a .bat file that will resize the shadowstorage to minimum size as much as possible", "references": ["https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft", "https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md", "https://redcanary.com/blog/blackbyte-ransomware/", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/vssadmin-resize-shadowstorage"], "tags": {"analytic_story": ["BlackByte Ransomware", "Clop Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A process $parent_process_name$ attempt to resize shadow copy with commandline $process$ in host $dest$", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as cmdline values(Processes.parent_process_name) as parent_process values(Processes.process_name) as process_name min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name = \"cmd.exe\" OR Processes.parent_process_name = \"powershell.exe\" OR Processes.parent_process_name = \"powershell_ise.exe\" OR Processes.parent_process_name = \"wmic.exe\" Processes.process_name = \"vssadmin.exe\" Processes.process=\"*resize*\" Processes.process=\"*shadowstorage*\" Processes.process=\"*/maxsize*\" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `resize_shadowstorage_volume_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "network admin can resize the shadowstorage for valid purposes.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "resize_shadowstorage_volume_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Revil Common Exec Parameter", "author": "Teoderick Contreras, Splunk", "date": "2024-05-12", "version": 3, "id": "85facebe-c382-11eb-9c3e-acde48001122", "description": "The following analytic detects the execution of command-line parameters commonly associated with REVIL ransomware, such as \"-nolan\", \"-nolocal\", \"-fast\", and \"-full\". It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs mapped to the `Processes` node of the `Endpoint` data model. This activity is significant because these parameters are indicative of ransomware attempting to encrypt files on a compromised machine. If confirmed malicious, this could lead to widespread data encryption, rendering critical files inaccessible and potentially causing significant operational disruption.", "references": ["https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/"], "tags": {"analytic_story": ["Ransomware", "Revil Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A process $process_name$ with commandline $process$ related to revil ransomware in host $dest$", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"* -nolan *\" OR Processes.process = \"* -nolocal *\" OR Processes.process = \"* -fast *\" OR Processes.process = \"* -full *\" by Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `revil_common_exec_parameter_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "third party tool may have same command line parameters as revil ransomware.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "revil_common_exec_parameter_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Revil Registry Entry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2022-11-14", "version": 3, "id": "e3d3f57a-c381-11eb-9e35-acde48001122", "description": "This analytic identifies suspicious modification in registry entry to keep some malware data during its infection. This technique seen in several apt implant, malware and ransomware like REVIL where it keep some information like the random generated file extension it uses for all the encrypted files and ransomware notes file name in the compromised host.", "references": ["https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/"], "tags": {"analytic_story": ["Ransomware", "Revil Ransomware", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A registry entry $registry_path$ with registry value $registry_value_name$ and $registry_value_name$ related to revil ransomware in host $dest$", "risk_score": 60, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\SOFTWARE\\\\WOW6432Node\\\\Facebook_Assistant\\\\*\" OR Registry.registry_path=\"*\\\\SOFTWARE\\\\WOW6432Node\\\\BlackLivesMatter*\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `revil_registry_entry_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "revil_registry_entry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Rubeus Command Line Parameters", "author": "Mauricio Velazco, Splunk", "date": "2023-12-27", "version": 1, "id": "cca37478-8377-11ec-b59a-acde48001122", "description": "Rubeus is a C# toolset for raw Kerberos interaction and abuses. It is heavily adapted from Benjamin Delpys Kekeo project and Vincent LE TOUXs MakeMeEnterpriseAdmin project. This analytic looks for the use of Rubeus command line arguments utilized in common Kerberos attacks like exporting and importing tickets, forging silver and golden tickets, requesting a TGT or TGS, kerberoasting, password spraying, etc. Red teams and adversaries alike use Rubeus for Kerberos attacks within Active Directory networks. Defenders should be aware that adversaries may customize the source code of Rubeus and modify the command line parameters. This would effectively bypass this analytic.", "references": ["https://github.com/GhostPack/Rubeus", "https://web.archive.org/web/20210725005734/http://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/", "https://attack.mitre.org/techniques/T1550/003/", "https://en.hackndo.com/kerberos-silver-golden-tickets/"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Privilege Escalation", "CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "message": "Rubeus command line parameters were used on $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1550.003", "mitre_attack_technique": "Pass the Ticket", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["APT29", "APT32", "BRONZE BUTLER"]}, {"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}, {"mitre_attack_id": "T1558.004", "mitre_attack_technique": "AS-REP Roasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process = \"*ptt /ticket*\" OR Processes.process = \"* monitor /interval*\" OR Processes.process =\"* asktgt* /user:*\" OR Processes.process =\"* asktgs* /service:*\" OR Processes.process =\"* golden* /user:*\" OR Processes.process =\"* silver* /service:*\" OR Processes.process =\"* kerberoast*\" OR Processes.process =\"* asreproast*\" OR Processes.process = \"* renew* /ticket:*\" OR Processes.process = \"* brute* /password:*\" OR Processes.process = \"* brute* /passwords:*\" OR Processes.process =\"* harvest*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rubeus_command_line_parameters_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, legitimate applications may use the same command line parameters as Rubeus. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "rubeus_command_line_parameters_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Rubeus Kerberos Ticket Exports Through Winlogon Access", "author": "Mauricio Velazco, Splunk", "date": "2023-12-27", "version": 1, "id": "5ed8c50a-8869-11ec-876f-acde48001122", "description": "The following analytic looks for a process accessing the winlogon.exe system process. The Splunk Threat Research team identified this behavior when using the Rubeus tool to monitor for and export kerberos tickets from memory. Before being able to export tickets. Rubeus will try to escalate privileges to SYSTEM by obtaining a handle to winlogon.exe before trying to monitor for kerberos tickets. Exporting tickets from memory is typically the first step for pass the ticket attacks. Red teams and adversaries alike may use the pass the ticket technique using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Defenders should be aware that adversaries may customize the source code of Rubeus to potentially bypass this analytic.", "references": ["https://github.com/GhostPack/Rubeus", "https://web.archive.org/web/20210725005734/http://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/", "https://attack.mitre.org/techniques/T1550/003/"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "TargetImage", "type": "Process", "role": ["Target"]}], "message": "Winlogon.exe was accessed by $SourceImage$ on $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1550.003", "mitre_attack_technique": "Pass the Ticket", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["APT29", "APT32", "BRONZE BUTLER"]}]}, "type": "TTP", "search": " `sysmon` EventCode=10 TargetImage=C:\\\\Windows\\\\system32\\\\winlogon.exe (GrantedAccess=0x1f3fff) (SourceImage!=C:\\\\Windows\\\\system32\\\\svchost.exe AND SourceImage!=C:\\\\Windows\\\\system32\\\\lsass.exe AND SourceImage!=C:\\\\Windows\\\\system32\\\\LogonUI.exe AND SourceImage!=C:\\\\Windows\\\\system32\\\\smss.exe AND SourceImage!=C:\\\\Windows\\\\system32\\\\wbem\\\\wmiprvse.exe) | stats count min(_time) as firstTime max(_time) as lastTime by dest, SourceImage, SourceProcessId, TargetImage, TargetProcessId, EventCode, GrantedAccess | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `rubeus_kerberos_ticket_exports_through_winlogon_access_filter`", "how_to_implement": "This search needs Sysmon Logs and a sysmon configuration, which includes EventCode 10. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment.", "known_false_positives": "Legitimate applications may obtain a handle for winlogon.exe. Filter as needed", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "rubeus_kerberos_ticket_exports_through_winlogon_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Runas Execution in CommandLine", "author": "Teoderick Contreras, Splunk", "date": "2023-04-14", "version": 1, "id": "4807e716-43a4-11ec-a0e7-acde48001122", "description": "This analytic look for a spawned runas.exe process with a administrator user option parameter. This parameter was abused by adversaries, malware author or even red teams to gain elevated privileges in target host. This is a good hunting query to figure out privilege escalation tactics that may used for different stages like lateral movement but take note that administrator may use this command in purpose so its better to see other event context before and after this analytic.", "references": ["https://app.any.run/tasks/ad4c3cda-41f2-4401-8dba-56cc2d245488/"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "elevated process using runas on $dest$ by $user$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1134.001", "mitre_attack_technique": "Token Impersonation/Theft", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "FIN8"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_runas` AND Processes.process = \"*/user:*\" AND Processes.process = \"*admin*\" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `runas_execution_in_commandline_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "A network operator or systems administrator may utilize an automated or manual execute this command that may generate false positives. filter is needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_runas", "definition": "(Processes.process_name=runas.exe OR Processes.original_file_name=runas.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "runas_execution_in_commandline_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Rundll32 Control RunDLL Hunt", "author": "Michael Haag, Splunk", "date": "2021-09-08", "version": 1, "id": "c8e7ced0-10c5-11ec-8b03-acde48001122", "description": "The following hunting detection identifies rundll32.exe with `control_rundll` within the command-line, loading a .cpl or another file type. Developed in relation to CVE-2021-40444. Rundll32.exe can also be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. \\ This is written to be a bit more broad by not including .cpl. \\ During triage, review parallel processes to identify any further suspicious behavior.", "references": ["https://strontic.github.io/xcyclopedia/library/rundll32.exe-111474C61232202B5B588D2B512CBB25.html", "https://app.any.run/tasks/36c14029-9df8-439c-bba0-45f2643b0c70/", "https://attack.mitre.org/techniques/T1218/011/", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.yaml", "https://redcanary.com/blog/intelligence-insights-december-2021/"], "tags": {"analytic_story": ["Living Off The Land", "Microsoft MSHTML Remote Code Execution CVE-2021-40444", "Suspicious Rundll32 Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to load a suspicious file from disk.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*Control_RunDLL* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_control_rundll_hunt_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "This is a hunting detection, meant to provide a understanding of how voluminous control_rundll is within the environment.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "rundll32_control_rundll_hunt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Rundll32 Control RunDLL World Writable Directory", "author": "Michael Haag, Splunk", "date": "2021-09-08", "version": 1, "id": "1adffe86-10c3-11ec-8ce6-acde48001122", "description": "The following detection identifies rundll32.exe with `control_rundll` within the command-line, loading a .cpl or another file type from windows\\temp, programdata, or appdata. Developed in relation to CVE-2021-40444. Rundll32.exe can also be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. This is written to be a bit more broad by not including .cpl. The paths are specified, add more as needed. During triage, review parallel processes to identify any further suspicious behavior.", "references": ["https://strontic.github.io/xcyclopedia/library/rundll32.exe-111474C61232202B5B588D2B512CBB25.html", "https://app.any.run/tasks/36c14029-9df8-439c-bba0-45f2643b0c70/", "https://attack.mitre.org/techniques/T1218/011/", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.yaml", "https://redcanary.com/blog/intelligence-insights-december-2021/"], "tags": {"analytic_story": ["Living Off The Land", "Microsoft MSHTML Remote Code Execution CVE-2021-40444", "Suspicious Rundll32 Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to load a suspicious file from disk.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*Control_RunDLL* AND Processes.process IN (\"*\\\\appdata\\\\*\", \"*\\\\windows\\\\temp\\\\*\", \"*\\\\programdata\\\\*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_control_rundll_world_writable_directory_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "This may be tuned, or a new one related, by adding .cpl to command-line. However, it's important to look for both. Tune/filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "rundll32_control_rundll_world_writable_directory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Rundll32 Create Remote Thread To A Process", "author": "Teoderick Contreras, Splunk", "date": "2021-07-29", "version": 1, "id": "2dbeee3a-f067-11eb-96c0-acde48001122", "description": "This analytic identifies the suspicious Remote Thread execution of rundll32.exe to any process. This technique was seen in IcedID malware to execute its malicious code in normal process for defense evasion and to steal sensitive information in the compromised host.", "references": ["https://www.joesandbox.com/analysis/380662/0/html"], "tags": {"analytic_story": ["IcedID", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "SourceImage", "type": "Process", "role": ["Attacker"]}], "message": "rundl32 process $SourceImage$ create a remote thread to process $TargetImage$ in host $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}]}, "type": "TTP", "search": "`sysmon` EventCode=8 SourceImage = \"*\\\\rundll32.exe\" TargetImage = \"*.exe\" | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage TargetProcessId SourceProcessId StartAddress EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_create_remote_thread_to_a_process_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the SourceImage, TargetImage, and EventCode executions from your endpoints related to create remote thread or injecting codes. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "rundll32_create_remote_thread_to_a_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Rundll32 CreateRemoteThread In Browser", "author": "Teoderick Contreras, Splunk", "date": "2021-07-26", "version": 1, "id": "f8a22586-ee2d-11eb-a193-acde48001122", "description": "This analytic identifies the suspicious Remote Thread execution of rundll32.exe process to \"firefox.exe\" and \"chrome.exe\" browser. This technique was seen in IcedID malware where it hooks the browser to parse banking information as user used the targetted browser process.", "references": ["https://www.joesandbox.com/analysis/380662/0/html"], "tags": {"analytic_story": ["IcedID", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "SourceImage", "type": "Process", "role": ["Attacker"]}], "message": "rundl32 process $SourceImage$ create a remote thread to browser process $TargetImage$ in host $dest$", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}]}, "type": "TTP", "search": "`sysmon` EventCode=8 SourceImage = \"*\\\\rundll32.exe\" TargetImage IN (\"*\\\\firefox.exe\", \"*\\\\chrome.exe\", \"*\\\\iexplore.exe\",\"*\\\\microsoftedgecp.exe\") | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage TargetProcessId SourceProcessId StartAddress EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_createremotethread_in_browser_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the SourceImage, TargetImage, and EventCode executions from your endpoints related to create remote thread or injecting codes. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "rundll32_createremotethread_in_browser_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Rundll32 DNSQuery", "author": "Teoderick Contreras, Splunk", "date": "2022-02-18", "version": 2, "id": "f1483f5e-ee29-11eb-9d23-acde48001122", "description": "This search is to detect a suspicious rundll32.exe process having a http connection and do a dns query in some web domain. This technique was seen in IcedID malware where the rundll32 that execute its payload will contact amazon.com to check internet connect and to communicate to its C&C server to download config and other file component.", "references": ["https://any.run/malware-trends/icedid"], "tags": {"analytic_story": ["IcedID", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "rundll32 process $process_name$ made a DNS query for $query$ from host $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}]}, "type": "TTP", "search": "`sysmon` EventCode=22 process_name=\"rundll32.exe\" | stats count min(_time) as firstTime max(_time) as lastTime values(query) as query values(answer) as answer values(QueryResults) as query_results values(QueryStatus) as query_status by process_name process_guid Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_dnsquery_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and eventcode = 22 dnsquery executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "rundll32_dnsquery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Rundll32 LockWorkStation", "author": "Teoderick Contreras, Splunk", "date": "2021-08-09", "version": 2, "id": "fa90f372-f91d-11eb-816c-acde48001122", "description": "This search is to detect a suspicious rundll32 commandline to lock the workstation through command line. This technique was seen in CONTI leak tooling and script as part of its defense evasion. This technique is not a common practice to lock a screen and maybe a good indicator of compromise.", "references": ["https://threadreaderapp.com/thread/1423361119926816776.html"], "tags": {"analytic_story": ["Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker"]}], "message": "Process $process_name$ with cmdline $process$ in host $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=rundll32.exe Processes.process= \"*user32.dll,LockWorkStation*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_lockworkstation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "rundll32_lockworkstation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Rundll32 Process Creating Exe Dll Files", "author": "Teoderick Contreras, Splunk", "date": "2023-11-07", "version": 2, "id": "6338266a-ee2a-11eb-bf68-acde48001122", "description": "This search is to detect a suspicious rundll32 process that drops executable (.exe or .dll) files. This behavior seen in rundll32 process of IcedID that tries to drop copy of itself in temp folder or download executable drop it either appdata or programdata as part of its execution.", "references": ["https://any.run/malware-trends/icedid"], "tags": {"analytic_story": ["IcedID", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}], "message": "rundll32 process drops a file $file_name$ on host $dest$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}]}, "type": "TTP", "search": "`sysmon` EventCode=11 Image=\"*rundll32.exe\" TargetFilename IN (\"*.exe\", \"*.dll\") | stats count min(_time) as firstTime max(_time) as lastTime by Image TargetFilename Computer | rename Computer as dest | rename TargetFilename as file_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_process_creating_exe_dll_files_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, TargetFilename, and eventcode 11 executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "rundll32_process_creating_exe_dll_files_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Rundll32 Shimcache Flush", "author": "Teoderick Contreras, Splunk", "date": "2021-10-05", "version": 1, "id": "a913718a-25b6-11ec-96d3-acde48001122", "description": "This analytic is to detect a suspicious rundll32 commandline to clear shim cache. This technique is a anti-forensic technique to clear the cache taht are one important artifacts in terms of digital forensic during attacks or incident. This TTP is a good indicator that someone tries to evade some tools and clear foothold on the machine.", "references": ["https://blueteamops.medium.com/shimcache-flush-89daff28d15e"], "tags": {"analytic_story": ["Living Off The Land", "Unusual Processes"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "rundll32 process execute $process$ to clear shim cache in $dest$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` AND Processes.process = \"*apphelp.dll,ShimFlushCache*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_shimcache_flush_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "rundll32_shimcache_flush_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Rundll32 with no Command Line Arguments with Network", "author": "Steven Dick, Michael Haag, Splunk", "date": "2023-07-10", "version": 4, "id": "35307032-a12d-11eb-835f-acde48001122", "description": "The following analytic identifies rundll32.exe with no command line arguments and performing a network connection. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, triage any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", "references": ["https://attack.mitre.org/techniques/T1218/011/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md", "https://lolbas-project.github.io/lolbas/Binaries/Rundll32/", "https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/"], "tags": {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack", "PrintNightmare CVE-2021-34527", "Suspicious Rundll32 Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker"]}], "message": "A rundll32 process $process_name$ with no commandline argument like this process commandline $process$ in host $src$", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where `process_rundll32` AND Processes.action!=\"blocked\" by host _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(rundll32\\.exe.{0,4}$)\" | rename dest as src | join host process_id [| tstats `security_content_summariesonly` count latest(All_Traffic.dest) as dest latest(All_Traffic.dest_ip) as dest_ip latest(All_Traffic.dest_port) as dest_port FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by host All_Traffic.process_id | `drop_dm_object_name(All_Traffic)`] | `rundll32_with_no_command_line_arguments_with_network_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications may use a moved copy of rundll32, triggering a false positive.", "datamodel": ["Endpoint", "Network_Traffic"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "rundll32_with_no_command_line_arguments_with_network_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "RunDLL Loading DLL By Ordinal", "author": "Michael Haag, David Dorsey, Splunk", "date": "2022-02-08", "version": 6, "id": "6c135f8d-5e60-454e-80b7-c56eed739833", "description": "The following analytic identifies rundll32.exe loading an export function by ordinal value. Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly, may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Utilizing ordinal values makes it a bit more complicated for analysts to understand the behavior until the DLL is reviewed.", "references": ["https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", "https://twitter.com/M_haggis/status/1491109262428635136", "https://twitter.com/pr0xylife/status/1590394227758104576"], "tags": {"analytic_story": ["IcedID", "Living Off The Land", "Suspicious Rundll32 Activity", "Unusual Processes"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A rundll32 process $process_name$ with ordinal parameter like this process commandline $process$ on host $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where match(process,\"rundll32.+\\#\\d+\") | `rundll_loading_dll_by_ordinal_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives are possible with native utilities and third party applications. Filtering may be needed based on command-line, or add world writeable paths to restrict query.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "rundll_loading_dll_by_ordinal_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Ryuk Test Files Detected", "author": "Rod Soto, Jose Hernandez, Splunk", "date": "2024-05-20", "version": 2, "id": "57d44d70-28d9-4ed1-acf5-1c80ae2bbce3", "description": "The following analytic identifies the presence of files containing the keyword \"Ryuk\" in any folder on the C drive, indicative of Ryuk ransomware activity. It leverages the Endpoint Filesystem data model to detect file paths matching this pattern. This activity is significant as Ryuk ransomware is known for its destructive impact, encrypting critical files and demanding ransom. If confirmed malicious, this could lead to significant data loss, operational disruption, and financial damage due to ransom payments and recovery efforts. Immediate investigation and response are crucial to mitigate potential damage.", "references": [], "tags": {"analytic_story": ["Ryuk Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A creation of ryuk test file $file_path$ in host $dest$", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "Akira", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "Scattered Spider", "TA505"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem WHERE \"Filesystem.file_path\"=C:\\\\*Ryuk* BY \"Filesystem.dest\", \"Filesystem.user\", \"Filesystem.file_path\" | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `ryuk_test_files_detected_filter`", "how_to_implement": "You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint Filesystem data-model object. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.", "known_false_positives": "If there are files with this keywoord as file names it might trigger false possitives, please make use of our filters to tune out potential FPs.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "ryuk_test_files_detected_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Ryuk Wake on LAN Command", "author": "Michael Haag, Splunk", "date": "2021-03-01", "version": 1, "id": "538d0152-7aaa-11eb-beaa-acde48001122", "description": "This Splunk query identifies the use of Wake-on-LAN utilized by Ryuk ransomware. The Ryuk Ransomware uses the Wake-on-Lan feature to turn on powered off devices on a compromised network to have greater success encrypting them. This is a high fidelity indicator of Ryuk ransomware executing on an endpoint. Upon triage, isolate the endpoint. Additional file modification events will be within the users profile (\\appdata\\roaming) and in public directories (users\\public\\). Review all Scheduled Tasks on the isolated endpoint and across the fleet. Suspicious Scheduled Tasks will include a path to a unknown binary and those endpoints should be isolated until triaged.", "references": ["https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/", "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-now-self-spreads-to-other-windows-lan-devices/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf"], "tags": {"analytic_story": ["Ryuk Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A process $process_name$ with wake on LAN commandline $process$ in host $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process=\"*8 LAN*\" OR Processes.process=\"*9 REP*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `ryuk_wake_on_lan_command_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited to no known false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "ryuk_wake_on_lan_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "SAM Database File Access Attempt", "author": "Michael Haag, Mauricio Velazco, Splunk", "date": "2024-04-26", "version": 2, "id": "57551656-ebdb-11eb-afdf-acde48001122", "description": "The following analytic identifies access to SAM, SYSTEM or SECURITY databases' within the file path of `windows\\system32\\config` using Windows Security EventCode 4663. This particular behavior is related to credential access, an attempt to either use a Shadow Copy or recent CVE-2021-36934 to access the SAM database. The Security Account Manager (SAM) is a database file in Windows XP, Windows Vista, Windows 7, 8.1 and 10 that stores users' passwords.", "references": ["https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4663", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4663", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934", "https://github.com/GossiTheDog/HiveNightmare", "https://github.com/JumpsecLabs/Guidance-Advice/tree/main/SAM_Permissions", "https://en.wikipedia.org/wiki/Security_Account_Manager"], "tags": {"analytic_story": ["Credential Dumping", "Graceful Wipe Out Attack", "Rhysida Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}, {"name": "ObjectName", "type": "File", "role": ["Attacker"]}], "message": "The following process $process_name$ accessed the object $ObjectName$ attempting to gain access to credentials on $dest$ by user $src_user$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "type": "Hunting", "search": "`wineventlog_security` (EventCode=4663) ProcessName!=*\\\\dllhost.exe ObjectName IN (\"*\\\\Windows\\\\System32\\\\config\\\\SAM*\",\"*\\\\Windows\\\\System32\\\\config\\\\SYSTEM*\",\"*\\\\Windows\\\\System32\\\\config\\\\SECURITY*\") | stats values(AccessList) count by ProcessName ObjectName dest src_user | rename ProcessName as process_name | `sam_database_file_access_attempt_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable \"Audit Object Access\" in Group Policy. Then check the two boxes listed for both \"Success\" and \"Failure.\"", "known_false_positives": "Natively, `dllhost.exe` will access the files. Every environment will have additional native processes that do as well. Filter by process_name. As an aside, one can remove process_name entirely and add `Object_Name=*ShadowCopy*`.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "sam_database_file_access_attempt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Samsam Test File Write", "author": "Rico Valdez, Splunk", "date": "2024-05-14", "version": 2, "id": "493a879d-519d-428f-8f57-a06a0fdc107e", "description": "The following analytic detects the creation of a file named \"test.txt\" within the Windows system directory, indicative of Samsam ransomware propagation. It leverages file-system activity data from the Endpoint data model, specifically monitoring file paths within the Windows System32 directory. This activity is significant as it aligns with known Samsam ransomware behavior, which uses such files for propagation and execution. If confirmed malicious, this could lead to ransomware deployment, resulting in data encryption, system disruption, and potential data loss. Immediate investigation and remediation are crucial to prevent further damage.", "references": [], "tags": {"analytic_story": ["SamSam Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A samsam ransomware test file creation in $file_path$ in host $dest$", "risk_score": 12, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "Akira", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "Scattered Spider", "TA505"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_name) as file_name from datamodel=Endpoint.Filesystem where Filesystem.file_path=*\\\\windows\\\\system32\\\\test.txt by Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `samsam_test_file_write_filter`", "how_to_implement": "You must be ingesting data that records the file-system activity from your hosts to populate the Endpoint file-system data-model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.", "known_false_positives": "No false positives have been identified.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "samsam_test_file_write_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Sc exe Manipulating Windows Services", "author": "Rico Valdez, Splunk", "date": "2024-05-20", "version": 5, "id": "f0c693d8-2a89-4ce7-80b4-98fea4c3ea6d", "description": "The following analytic detects the creation or modification of Windows services using the sc.exe command. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because manipulating Windows services can be a method for attackers to establish persistence, escalate privileges, or execute arbitrary code. If confirmed malicious, this behavior could allow an attacker to maintain long-term access, disrupt services, or gain control over critical system functions, posing a severe threat to the environment.", "references": ["https://www.secureworks.com/blog/drokbk-malware-uses-github-as-dead-drop-resolver"], "tags": {"analytic_story": ["Azorult", "DHS Report TA18-074A", "Disabling Security Tools", "NOBELIUM Group", "Orangeworm Attack Group", "Windows Drivers", "Windows Persistence Techniques", "Windows Service Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A sc process $process_name$ with commandline $process$ to create of configure services in host $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = sc.exe (Processes.process=\"* create *\" OR Processes.process=\"* config *\") by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `sc_exe_manipulating_windows_services_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Using sc.exe to manipulate Windows services is uncommon. However, there may be legitimate instances of this behavior. It is important to validate and investigate as appropriate.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "sc_exe_manipulating_windows_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "SchCache Change By App Connect And Create ADSI Object", "author": "Teoderick Contreras, Splunk", "date": "2021-09-07", "version": 1, "id": "991eb510-0fc6-11ec-82d3-acde48001122", "description": "This analytic is to detect an application try to connect and create ADSI Object to do LDAP query. Every time an application connects to the directory and attempts to create an ADSI object, the Active Directory Schema is checked for changes. If it has changed since the last connection, the schema is downloaded and stored in a cache on the local computer either in %LOCALAPPDATA%\\Microsoft\\Windows\\SchCache or %systemroot%\\SchCache. We found this a good anomaly use case to detect suspicious application like blackmatter ransomware that use ADS object api to execute ldap query. having a good list of ldap or normal AD query tool used within the network is a good start to reduce the noise.", "references": ["https://docs.microsoft.com/en-us/windows/win32/adsi/adsi-and-uac", "https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/"], "tags": {"analytic_story": ["BlackMatter Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "process $Image$ create a file $TargetFilename$ in host $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT41", "BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Scattered Spider", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}]}, "type": "Anomaly", "search": "`sysmon` EventCode=11 TargetFilename = \"*\\\\Windows\\\\SchCache\\\\*\" TargetFilename = \"*.sch*\" NOT (Image IN (\"*\\\\Windows\\\\system32\\\\mmc.exe\")) |stats count min(_time) as firstTime max(_time) as lastTime by Image TargetFilename EventCode process_id process_name dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `schcache_change_by_app_connect_and_create_adsi_object_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "normal application like mmc.exe and other ldap query tool may trigger this detections.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "schcache_change_by_app_connect_and_create_adsi_object_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Schedule Task with HTTP Command Arguments", "author": "Teoderick Contreras, Splunk", "date": "2023-04-05", "version": 1, "id": "523c2684-a101-11eb-916b-acde48001122", "description": "The following analytic detects the registration of suspicious tasks on Windows using the Windows Security EventCode 4698, \"A scheduled task was created.\" It specifically looks for tasks registered through schtasks.exe or TaskService that have command arguments containing the string \"HTTP.\" This behavior is often associated with malware or attacks that utilize Living off the Land binaries (lolbins) to download additional files or payloads to the compromised machine.\nThe search returns information about the task, such as the task name, command, author, enabled status, hidden status, and arguments. Upon triage, it is important to identify the source of the scheduled task, whether it was registered through schtasks.exe or TaskService. Review the details of the created task and the command to be executed. Capture relevant artifacts on disk and examine them. Additionally, identify any parallel processes occurring within the same timeframe to determine the source of the attack.\nImplementing this analytic requires ingesting logs with information about task schedules, specifically Windows Security Log EventCode 4698, from your endpoints. It is recommended to tune and filter known instances of task schedules used in your environment to minimize false positives.\nDetecting the registration of suspicious tasks with HTTP command arguments is valuable for a SOC as it indicates potential malicious activity or an attempt to establish persistence on the system. If a true positive is found, further investigation is warranted to analyze the nature and purpose of the scheduled task, identify any downloaded files or payloads, and mitigate the associated risks. The impact of a true positive can vary but may include data exfiltration, malware propagation, or unauthorized access to sensitive information.", "references": ["https://app.any.run/tasks/92d7ef61-bfd7-4c92-bc15-322172b4ebec/"], "tags": {"analytic_story": ["Living Off The Land", "Scheduled Tasks", "Windows Persistence Techniques", "Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A schedule task process commandline arguments $Arguments$ with http string on it in host $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "type": "TTP", "search": "`wineventlog_security` EventCode=4698 | xmlkv Message| search Arguments IN (\"*http*\") | stats count min(_time) as firstTime max(_time) as lastTime by dest, Task_Name, Command, Author, Enabled, Hidden, Arguments | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `schedule_task_with_http_command_arguments_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the task schedule (Exa. Security Log EventCode 4698) endpoints. Tune and filter known instances of Task schedule used in your environment.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "schedule_task_with_http_command_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Schedule Task with Rundll32 Command Trigger", "author": "Teoderick Contreras, Splunk", "date": "2021-04-19", "version": 1, "id": "75b00fd8-a0ff-11eb-8b31-acde48001122", "description": "The following analytic detects the creation of suspicious tasks in Windows, specifically tasks using the rundll32 command. It's implemented using Windows Security EventCode 4698 for A scheduled task was created, and looks for tasks executed either via schtasks.exe or TaskService. This behavior is worth identifying as it is commonly used by malware, such as TrickBot, that leverages rundll32 to execute its downloader.\nIf a true positive is found, it suggests an attacker is trying to persist within the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes.\nTo implement this analytic, ensure you are ingesting logs with task schedule information from your endpoints. Be aware of potential false positives - legitimate uses of Task Scheduler in your environment may cause benign activities to be flagged.\nUpon triage, review the scheduled task's source and the command to be executed. Capture and inspect any relevant on-disk artifacts, and look for concurrent processes to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks.", "references": ["https://labs.vipre.com/trickbot-and-its-modules/", "https://whitehat.eu/incident-response-case-study-featuring-ryuk-and-trickbot-part-2/"], "tags": {"analytic_story": ["IcedID", "Living Off The Land", "Scheduled Tasks", "Trickbot", "Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A schedule task process commandline rundll32 arguments $Arguments$ in host $dest$", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "type": "TTP", "search": "`wineventlog_security` EventCode=4698 | xmlkv Message | search Command IN (\"*rundll32*\") | stats count min(_time) as firstTime max(_time) as lastTime by dest, Task_Name, Command, Author, Enabled, Hidden, Arguments | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `schedule_task_with_rundll32_command_trigger_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the task schedule (Exa. Security Log EventCode 4698) endpoints. Tune and filter known instances of Task schedule used in your environment.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "schedule_task_with_rundll32_command_trigger_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Scheduled Task Creation on Remote Endpoint using At", "author": "Mauricio Velazco, Splunk", "date": "2021-11-11", "version": 1, "id": "4be54858-432f-11ec-8209-3e22fbd008af", "description": "The following analytic detects the creation of suspicious tasks on a remote Windows endpoint using the at.exe command with command-line arguments. This technique is commonly used by red teams and adversaries for lateral movement and remote code execution. The at.exe binary leverages the deprecated AT protocol, which may still work on previous versions of Windows. Attackers can enable this protocol on demand by modifying a system registry key. It is important to consider potential false positives. While administrators may create scheduled tasks on remote systems, this activity is typically limited to a small set of hosts or users.\nIdentifying the creation of scheduled tasks on remote endpoints is crucial for a Security Operations Center (SOC) because it indicates potential unauthorized activity or an attacker attempting to establish persistence or execute malicious code. The impact of a true positive can be significant, leading to unauthorized access, data theft, or other damaging outcomes. During triage, investigate the source and purpose of the scheduled task, inspect relevant on-disk artifacts, and analyze concurrent processes to identify the extent of the attack and take appropriate response actions.", "references": ["https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/at", "https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob?redirectedfrom=MSDN"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Living Off The Land", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A Windows Scheduled Task was created on a remote endpoint from $dest", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1053.002", "mitre_attack_technique": "At", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "BRONZE BUTLER", "Threat Group-3390"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=at.exe OR Processes.original_file_name=at.exe) (Processes.process=*\\\\\\\\*) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `scheduled_task_creation_on_remote_endpoint_using_at_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may create scheduled tasks on remote systems, but this activity is usually limited to a small set of hosts or users.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "scheduled_task_creation_on_remote_endpoint_using_at_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "author": "Bhavin Patel, Splunk", "date": "2023-12-27", "version": 6, "id": "d5af132c-7c17-439c-9d31-13d55340f36c", "description": "This analytic focuses on identifying the creation or deletion of scheduled tasks using the schtasks.exe utility with the corresponding command-line flags (-create or -delete). This technique has been notably associated with threat actors like Dragonfly and the SUNBURST attack against SolarWinds. The purpose of this analytic is to detect suspicious activity related to scheduled tasks that could indicate malicious intent or unauthorized system manipulation. By monitoring for these specific command-line flags, we can enhance our ability to identify potential threats and prevent attacks similar to the use of scheduled tasks in the BadRabbit Ransomware incident.", "references": ["https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", "https://www.joesandbox.com/analysis/691823/0/html"], "tags": {"analytic_story": ["AgentTesla", "Amadey", "AsyncRAT", "Azorult", "CISA AA22-257A", "CISA AA23-347A", "DHS Report TA18-074A", "DarkCrystal RAT", "Living Off The Land", "NOBELIUM Group", "NjRAT", "Phemedrone Stealer", "Prestige Ransomware", "Qakbot", "RedLine Stealer", "Rhysida Ransomware", "Sandworm Tools", "Scheduled Tasks", "Trickbot", "Windows Persistence Techniques", "Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A schedule task process $process_name$ with create or delete commandline $process$ in host $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe (Processes.process=*delete* OR Processes.process=*create*) by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `scheduled_task_deleted_or_created_via_cmd_filter` ", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "While it is possible for legitimate scripts or administrators to trigger this behavior, filtering can be applied based on the parent process and application to reduce false positives. Analysts should reference the provided references to understand the context and threat landscape associated with this activity.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "scheduled_task_deleted_or_created_via_cmd_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Scheduled Task Initiation on Remote Endpoint", "author": "Mauricio Velazco, Splunk", "date": "2021-11-11", "version": 1, "id": "95cf4608-4302-11ec-8194-3e22fbd008af", "description": "The following analytic detects instances of 'schtasks.exe' being used to start a Scheduled Task on a remote endpoint. Adversaries often abuse the Task Scheduler for lateral movement and remote code execution. The search parameters include process details such as the process name, parent process, and command-line executions. Although legitimate administrators may start scheduled tasks on remote systems, this activity is usually limited to a small set of hosts or users. The findings from this analytic provide valuable insight into potentially malicious activities on an endpoint.", "references": ["https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks", "https://attack.mitre.org/techniques/T1053/005/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Living Off The Land", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A Windows Scheduled Task was ran on a remote endpoint from $dest", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=schtasks.exe OR Processes.original_file_name=schtasks.exe) (Processes.process=*/s* AND Processes.process=*/run*) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `scheduled_task_initiation_on_remote_endpoint_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may start scheduled tasks on remote systems, but this activity is usually limited to a small set of hosts or users.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "scheduled_task_initiation_on_remote_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Schtasks Run Task On Demand", "author": "Teoderick Contreras, Splunk", "date": "2023-04-14", "version": 1, "id": "bb37061e-af1f-11eb-a159-acde48001122", "description": "The following analytic is designed to detect when a Windows Scheduled Task is executed on demand via shell or command line. Adversaries often force the execution of their created Scheduled Tasks for persistent access or lateral movement within a compromised machine. This analytic is driven by process-related data, specifically process name, parent process, and command-line executions, sourced from endpoint logs. The search criteria focus on 'schtasks.exe' with an associated 'run' command.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"analytic_story": ["CISA AA22-257A", "Data Destruction", "Industroyer2", "Qakbot", "Scheduled Tasks", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A \"on demand\" execution of schedule task process $process_name$ using commandline $process$ in host $dest$", "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"schtasks.exe\" Processes.process = \"*/run*\" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `schtasks_run_task_on_demand_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Bear in mind, administrators debugging Scheduled Task entries may trigger this analytic, necessitating fine-tuning and filtering to distinguish between legitimate and potentially malicious use of 'schtasks.exe'.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "schtasks_run_task_on_demand_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Schtasks scheduling job on remote system", "author": "David Dorsey, Mauricio Velazco, Splunk", "date": "2022-05-23", "version": 6, "id": "1297fb80-f42a-4b4a-9c8a-88c066237cf6", "description": "The following analytic is designed to detect suspicious command-line arguments executed through 'schtasks.exe' to create a scheduled task on a remote endpoint. The analytic scans process data, checking for instances where 'schtasks.exe' has been used with specific command-line flags that suggest an attempt at lateral movement or remote code execution, common techniques employed by adversaries and red teams. Key data points include the process name, the specific command line used, the parent process name, the target destination, and the user involved. Also, timestamp data gives context to when these activities occurred.", "references": [], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Living Off The Land", "NOBELIUM Group", "Phemedrone Stealer", "Prestige Ransomware", "RedLine Stealer", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "A schedule task process $process_name$ with remote job command-line $process$ in host $dest$ by $user$.", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = schtasks.exe OR Processes.original_file_name=schtasks.exe) (Processes.process=\"*/create*\" AND Processes.process=\"*/s*\") by Processes.process_name Processes.process Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `schtasks_scheduling_job_on_remote_system_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "While it is possible to have false positives, due to legitimate administrative tasks, these are usually limited and should still be validated and investigated as appropriate.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "schtasks_scheduling_job_on_remote_system_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Schtasks used for forcing a reboot", "author": "Bhavin Patel, Splunk", "date": "2020-12-07", "version": 4, "id": "1297fb80-f42a-4b4a-9c8a-88c066437cf6", "description": "The following analytic utilizes a Splunk query to pinpoint potential threats by monitoring the 'schtasks.exe' command-line usage. This particular command, especially when used in tandem with 'shutdown' and '/create' flags, can suggest an adversarial force intending to schedule unwarranted system reboots. The query focuses on endpoint process data and retrieves details such as the process name, the parent process name, the destination, and the user involved. Essential to the investigation are the earliest and latest timestamps of these events, providing an activity timeline. Data such as the targeted host and initiating user offer valuable context for analyst.", "references": [], "tags": {"analytic_story": ["Ransomware", "Scheduled Tasks", "Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A schedule task process $process_name$ with force reboot commandline $process$ in host $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe Processes.process=\"*shutdown*\" Processes.process=\"*/create *\" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `schtasks_used_for_forcing_a_reboot_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "This analytic may also capture legitimate administrative activities such as system updates or maintenance tasks, which can be classified as false positives. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "schtasks_used_for_forcing_a_reboot_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Screensaver Event Trigger Execution", "author": "Teoderick Contreras, Splunk", "date": "2023-04-14", "version": 1, "id": "58cea3ec-1f6d-11ec-8560-acde48001122", "description": "This analytic is developed to detect possible event trigger execution through screensaver registry entry modification for persistence or privilege escalation. This technique was seen in several APT and malware where they put the malicious payload path to the SCRNSAVE.EXE registry key to redirect the execution to their malicious payload path. This TTP is a good indicator that some attacker may modify this entry for their persistence and privilege escalation.", "references": ["https://attack.mitre.org/techniques/T1546/002/", "https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/privilege-escalation/untitled-3/screensaver"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Persistence Techniques", "Windows Privilege Escalation", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Registry path $registry_path$ was modified, added, or deleted in $dest$.", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546.002", "mitre_attack_technique": "Screensaver", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path=\"*\\\\Control Panel\\\\Desktop\\\\SCRNSAVE.EXE*\") by Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `screensaver_event_trigger_execution_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "screensaver_event_trigger_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Script Execution via WMI", "author": "Rico Valdez, Michael Haag, Splunk", "date": "2020-03-16", "version": 4, "id": "aa73f80d-d728-4077-b226-81ea0c8be589", "description": "The following analytic detects any potential misuse of Windows Management Instrumentation (WMI) for malicious purposes since adversaries often use WMI to run scripts which allows them to carry out malicious activities without raising suspicion. The detection is made by monitoring the process 'scrcons.exe', which is essential to run WMI scripts. The detection is important because it proactively identifies and responds to potential threats that leverage WMI for malicious purposes that can lead to system compromise, data exfiltration, or the establishment of persistence within the environment. False positives might occur since administrators might occasionally use WMI to launch scripts for legitimate purposes. Therefore, you must distinguish between malicious and benign activities.", "references": ["https://redcanary.com/blog/child-processes/"], "tags": {"analytic_story": ["Suspicious WMI Use"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A wmic.exe process $process_name$ that execute script in host $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=scrcons.exe by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `script_execution_via_wmi_filter` ", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, administrators may use wmi to launch scripts for legitimate purposes. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "script_execution_via_wmi_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Sdclt UAC Bypass", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2022-11-14", "version": 3, "id": "d71efbf6-da63-11eb-8c6e-acde48001122", "description": "This search is to detect a suspicious sdclt.exe registry modification. This technique is commonly seen when attacker try to bypassed UAC by using sdclt.exe application by modifying some registry that sdclt.exe tries to open or query with payload file path on it to be executed.", "references": ["https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/", "https://github.com/hfiref0x/UACME", "https://www.cyborgsecurity.com/cyborg-labs/threat-hunt-deep-dives-user-account-control-bypass-via-registry-modification/"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Suspicious modification of registry $registry_path$ with possible payload path $registry_value_name$ in $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE ((Registry.registry_path= \"*\\\\Windows\\\\CurrentVersion\\\\App Paths\\\\control.exe*\" OR Registry.registry_path= \"*\\\\exefile\\\\shell\\\\runas\\\\command\\\\*\") (Registry.registry_value_name = \"(Default)\" OR Registry.registry_value_name = \"IsolatedCommand\")) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `sdclt_uac_bypass_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited to no false positives are expected.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "sdclt_uac_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Sdelete Application Execution", "author": "Teoderick Contreras, Splunk", "date": "2021-10-06", "version": 1, "id": "31702fc0-2682-11ec-85c3-acde48001122", "description": "This analytic is to detect the execution of sdelete.exe application sysinternal tools. This tool is one of the most use tool of malware and adversaries to remove or clear their tracks and artifact in the targetted host. This tool is designed to delete securely a file in file system that remove the forensic evidence on the machine. A good TTP query to check why user execute this application which is not a common practice.", "references": ["https://app.any.run/tasks/956f50be-2c13-465a-ac00-6224c14c5f89/"], "tags": {"analytic_story": ["Masquerading - Rename System Utilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "sdelete process $process_name$ executed in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_sdelete` by Processes.process_name Processes.original_file_name Processes.dest Processes.user Processes.parent_process_name Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `sdelete_application_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "user may execute and use this application", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_sdelete", "definition": "(Processes.process_name=sdelete.exe OR Processes.original_file_name=sdelete.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "sdelete_application_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "SearchProtocolHost with no Command Line with Network", "author": "Michael Haag, Splunk", "date": "2023-07-10", "version": 3, "id": "b690df8c-a145-11eb-a38b-acde48001122", "description": "The following analytic identifies searchprotocolhost.exe with no command line arguments and with a network connection. It is unusual for searchprotocolhost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. searchprotocolhost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", "references": ["https://github.com/mandiant/red_team_tool_countermeasures/blob/master/rules/PGF/supplemental/hxioc/SUSPICIOUS%20EXECUTION%20OF%20SEARCHPROTOCOLHOST%20(METHODOLOGY).ioc"], "tags": {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker"]}], "message": "A searchprotocolhost.exe process $process_name$ with no commandline in host $dest$", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=searchprotocolhost.exe by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(searchprotocolhost\\.exe.{0,4}$)\" | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as C2 ] | table _time dest parent_process_name process_name process_path process process_id dest_port C2 | `searchprotocolhost_with_no_command_line_with_network_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives may be present in small environments. Tuning may be required based on parent process.", "datamodel": ["Endpoint", "Network_Traffic"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "searchprotocolhost_with_no_command_line_with_network_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "SecretDumps Offline NTDS Dumping Tool", "author": "Teoderick Contreras, Splunk", "date": "2023-06-13", "version": 1, "id": "5672819c-be09-11eb-bbfb-acde48001122", "description": "The following analytic detects a potential usage of secretsdump.py tool for dumping credentials (ntlm hash) from a copy of ntds.dit and SAM.Security,SYSTEM registrry hive. This technique was seen in some attacker that dump ntlm hashes offline after having a copy of ntds.dit and SAM/SYSTEM/SECURITY registry hive.", "references": ["https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py"], "tags": {"analytic_story": ["Credential Dumping", "Graceful Wipe Out Attack", "Rhysida Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A secretdump process $process_name$ with secretdump commandline $process$ to dump credentials in host $dest$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.003", "mitre_attack_technique": "NTDS", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "HAFNIUM", "Ke3chang", "LAPSUS$", "Mustang Panda", "Sandworm Team", "Scattered Spider", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"python*.exe\" Processes.process = \"*.py*\" Processes.process = \"*-ntds*\" (Processes.process = \"*-system*\" OR Processes.process = \"*-sam*\" OR Processes.process = \"*-security*\" OR Processes.process = \"*-bootkey*\") by Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `secretdumps_offline_ntds_dumping_tool_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "secretdumps_offline_ntds_dumping_tool_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "ServicePrincipalNames Discovery with PowerShell", "author": "Michael Haag, Splunk", "date": "2022-02-26", "version": 2, "id": "13243068-2d38-11ec-8908-acde48001122", "description": "The following analytic identifies `powershell.exe` usage, using Script Block Logging EventCode 4104, related to querying the domain for Service Principle Names. typically, this is a precursor activity related to kerberoasting or the silver ticket attack.\nWhat is a ServicePrincipleName?\nA service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account even if the client does not have the account name.\nThe following analytic identifies the use of KerberosRequestorSecurityToken class within the script block. Using .NET System.IdentityModel.Tokens.KerberosRequestorSecurityToken class in PowerShell is the equivelant of using setspn.exe.\nDuring triage, review parallel processes for further suspicious activity.", "references": ["https://docs.microsoft.com/en-us/windows/win32/ad/service-principal-names", "https://docs.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.kerberosrequestorsecuritytoken?view=netframework-4.8", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting", "https://strontic.github.io/xcyclopedia/library/setspn.exe-5C184D581524245DAD7A0A02B51FD2C2.html", "https://attack.mitre.org/techniques/T1558/003/", "https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spn-setspn-syntax.aspx", "https://web.archive.org/web/20220212163642/https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/", "https://blog.zsec.uk/paving-2-da-wholeset/", "https://msitpros.com/?p=3113", "https://adsecurity.org/?p=3466", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/"], "tags": {"analytic_story": ["Active Directory Discovery", "Active Directory Kerberos Attacks", "Active Directory Privilege Escalation", "Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An instance of attempting to identify service principle detected on $dest$ names.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}]}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText=\"*KerberosRequestorSecurityToken*\" | stats count min(_time) as firstTime max(_time) as lastTime by ScriptBlockText Opcode Computer UserID EventCode | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `serviceprincipalnames_discovery_with_powershell_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives should be limited, however filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "serviceprincipalnames_discovery_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "ServicePrincipalNames Discovery with SetSPN", "author": "Michael Haag, Splunk", "date": "2021-10-14", "version": 1, "id": "ae8b3efc-2d2e-11ec-8b57-acde48001122", "description": "The following analytic identifies `setspn.exe` usage related to querying the domain for Service Principle Names. typically, this is a precursor activity related to kerberoasting or the silver ticket attack.\nWhat is a ServicePrincipleName?\nA service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account even if the client does not have the account name.\nExample usage includes the following\n* setspn -T offense -Q */* 1. setspn -T attackrange.local -F -Q MSSQLSvc/* 1. setspn -Q */* > allspns.txt 1. setspn -q\nValues\n* -F = perform queries at the forest, rather than domain level 1. -T = perform query on the specified domain or forest (when -F is also used) 1. -Q = query for existence of SPN\nDuring triage, review parallel processes for further suspicious activity.", "references": ["https://docs.microsoft.com/en-us/windows/win32/ad/service-principal-names", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting", "https://strontic.github.io/xcyclopedia/library/setspn.exe-5C184D581524245DAD7A0A02B51FD2C2.html", "https://attack.mitre.org/techniques/T1558/003/", "https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spn-setspn-syntax.aspx", "https://web.archive.org/web/20220212163642/https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/", "https://blog.zsec.uk/paving-2-da-wholeset/", "https://msitpros.com/?p=3113", "https://adsecurity.org/?p=3466"], "tags": {"analytic_story": ["Active Directory Discovery", "Active Directory Kerberos Attacks", "Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to identify service principle names.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_setspn` (Processes.process=\"*-t*\" AND Processes.process=\"*-f*\") OR (Processes.process=\"*-q*\" AND Processes.process=\"**/**\") OR (Processes.process=\"*-q*\") OR (Processes.process=\"*-s*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `serviceprincipalnames_discovery_with_setspn_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be caused by Administrators resetting SPNs or querying for SPNs. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_setspn", "definition": "(Processes.process_name=setspn.exe OR Processes.original_file_name=setspn.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "serviceprincipalnames_discovery_with_setspn_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Services Escalate Exe", "author": "Michael Haag, Splunk", "date": "2023-11-07", "version": 2, "id": "c448488c-b7ec-11eb-8253-acde48001122", "description": "The following analytic identifies the use of `svc-exe` with Cobalt Strike. The behavior typically follows after an adversary has already gained initial access and is escalating privileges. Using `svc-exe`, a randomly named binary will be downloaded from the remote Teamserver and placed on disk within `C:\\Windows\\400619a.exe`. Following, the binary will be added to the registry under key `HKLM\\System\\CurrentControlSet\\Services\\400619a\\` with multiple keys and values added to look like a legitimate service. Upon loading, `services.exe` will spawn the randomly named binary from `\\\\127.0.0.1\\ADMIN$\\400619a.exe`. The process lineage is completed with `400619a.exe` spawning rundll32.exe, which is the default `spawnto_` value for Cobalt Strike. The `spawnto_` value is arbitrary and may be any process on disk (typically system32/syswow64 binary). The `spawnto_` process will also contain a network connection. During triage, review parallel procesess and identify any additional file modifications.", "references": ["https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://attack.mitre.org/techniques/T1548/", "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/index.htm#cshid=1085"], "tags": {"analytic_story": ["BlackByte Ransomware", "CISA AA23-347A", "Cobalt Strike", "Graceful Wipe Out Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A service process $parent_process_name$ with process path $process_path$ in host $dest$", "risk_score": 76, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=services.exe Processes.process_path=*admin$* by Processes.process_path Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `services_escalate_exe_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited as `services.exe` should never spawn a process from `ADMIN$`. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "services_escalate_exe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Services LOLBAS Execution Process Spawn", "author": "Mauricio Velazco, Splunk", "date": "2021-11-22", "version": 1, "id": "ba9e1954-4c04-11ec-8b74-3e22fbd008af", "description": "The following analytic identifies `services.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Service Control Manager and creating a remote malicious service, the executed command is spawned as a child process of `services.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of services.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", "references": ["https://attack.mitre.org/techniques/T1543/003/", "https://pentestlab.blog/2020/07/21/lateral-movement-services/", "https://lolbas-project.github.io/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "CISA AA23-347A", "Living Off The Land", "Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Services.exe spawned a LOLBAS process on $dest$", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=services.exe) (Processes.process_name IN (\"Regsvcs.exe\", \"Ftp.exe\", \"OfflineScannerShell.exe\", \"Rasautou.exe\", \"Schtasks.exe\", \"Xwizard.exe\", \"Dllhost.exe\", \"Pnputil.exe\", \"Atbroker.exe\", \"Pcwrun.exe\", \"Ttdinject.exe\",\"Mshta.exe\", \"Bitsadmin.exe\", \"Certoc.exe\", \"Ieexec.exe\", \"Microsoft.Workflow.Compiler.exe\", \"Runscripthelper.exe\", \"Forfiles.exe\", \"Msbuild.exe\", \"Register-cimprovider.exe\", \"Tttracer.exe\", \"Ie4uinit.exe\", \"Bash.exe\", \"Hh.exe\", \"SettingSyncHost.exe\", \"Cmstp.exe\", \"Mmc.exe\", \"Stordiag.exe\", \"Scriptrunner.exe\", \"Odbcconf.exe\", \"Extexport.exe\", \"Msdt.exe\", \"WorkFolders.exe\", \"Diskshadow.exe\", \"Mavinject.exe\", \"Regasm.exe\", \"Gpscript.exe\", \"Rundll32.exe\", \"Regsvr32.exe\", \"Msiexec.exe\", \"Wuauclt.exe\", \"Presentationhost.exe\", \"Wmic.exe\", \"Runonce.exe\", \"Syncappvpublishingserver.exe\", \"Verclsid.exe\", \"Infdefaultinstall.exe\", \"Explorer.exe\", \"Installutil.exe\", \"Netsh.exe\", \"Wab.exe\", \"Dnscmd.exe\", \"At.exe\", \"Pcalua.exe\", \"Msconfig.exe\")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `services_lolbas_execution_process_spawn_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Legitimate applications may trigger this behavior, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "services_lolbas_execution_process_spawn_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "author": "Steven Dick, Patrick Bareiss, Splunk", "date": "2024-05-12", "version": 9, "id": "c2590137-0b08-4985-9ec5-6ae23d92f63d", "description": "The following analytic detects changes to the PowerShell ExecutionPolicy in the registry to \"Unrestricted\" or \"Bypass.\" It leverages data from Endpoint Detection and Response (EDR) agents, focusing on registry modifications under the path *Software\\Microsoft\\Powershell\\1\\ShellIds\\Microsoft.PowerShell*. This activity is significant because setting the ExecutionPolicy to these values can allow the execution of potentially malicious scripts without restriction. If confirmed malicious, this could enable an attacker to execute arbitrary code, leading to further compromise of the system and potential escalation of privileges.", "references": [], "tags": {"analytic_story": ["Credential Dumping", "DarkGate Malware", "Data Destruction", "HAFNIUM Group", "Hermetic Wiper", "Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "registry_path", "type": "Unknown", "role": ["Other"]}], "message": "A registry modification in $registry_path$ with reg key $registry_key_name$ and reg value $registry_value_name$ in host $dest$", "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=*Software\\\\Microsoft\\\\Powershell\\\\1\\\\ShellIds\\\\Microsoft.PowerShell* Registry.registry_value_name=ExecutionPolicy (Registry.registry_value_data=Unrestricted OR Registry.registry_value_data=Bypass)) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `set_default_powershell_execution_policy_to_unrestricted_or_bypass_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may attempt to change the default execution policy on a system for a variety of reasons. However, setting the policy to \"unrestricted\" or \"bypass\" as this search is designed to identify, would be unusual. Hits should be reviewed and investigated as appropriate.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "set_default_powershell_execution_policy_to_unrestricted_or_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Shim Database File Creation", "author": "David Dorsey, Splunk", "date": "2020-12-08", "version": 3, "id": "6e4c4588-ba2f-42fa-97e6-9f6f548eaa33", "description": "This search looks for shim database files being written to default directories. The sdbinst.exe application is used to install shim database files (.sdb). According to Microsoft, a shim is a small library that transparently intercepts an API, changes the parameters passed, handles the operation itself, or redirects the operation elsewhere.", "references": [], "tags": {"analytic_story": ["Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_path", "type": "File", "role": ["Other"]}], "message": "A process that possibly write shim database in $file_path$ in host $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.011", "mitre_attack_technique": "Application Shimming", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["FIN7"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Filesystem.action) values(Filesystem.file_hash) as file_hash values(Filesystem.file_path) as file_path min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path=*Windows\\\\AppPatch\\\\Custom* by Filesystem.file_name Filesystem.dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` |`drop_dm_object_name(Filesystem)` | `shim_database_file_creation_filter`", "how_to_implement": "You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.", "known_false_positives": "Because legitimate shim files are created and used all the time, this event, in itself, is not suspicious. However, if there are other correlating events, it may warrant further investigation.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "shim_database_file_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Shim Database Installation With Suspicious Parameters", "author": "David Dorsey, Splunk", "date": "2020-11-23", "version": 4, "id": "404620de-46d8-48b6-90cc-8a8d7b0876a3", "description": "This search detects the process execution and arguments required to silently create a shim database. The sdbinst.exe application is used to install shim database files (.sdb). A shim is a small library which transparently intercepts an API, changes the parameters passed, handles the operation itself, or redirects the operation elsewhere.", "references": [], "tags": {"analytic_story": ["Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A process $process_name$ that possible create a shim db silently in host $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.011", "mitre_attack_technique": "Application Shimming", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["FIN7"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = sdbinst.exe by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `shim_database_installation_with_suspicious_parameters_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "None identified", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "shim_database_installation_with_suspicious_parameters_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Short Lived Scheduled Task", "author": "Mauricio Velazco, Splunk", "date": "2023-12-27", "version": 1, "id": "6fa31414-546e-11ec-adfa-acde48001122", "description": "The following analytic utilizes Windows Security EventCode 4698, \"A scheduled task was created,\" and EventCode 4699, \"A scheduled task was deleted,\" to identify scheduled tasks that are created and deleted within a short time frame of less than 30 seconds. This behavior is indicative of a potential lateral movement attack where the Task Scheduler is abused to achieve code execution. Both red teams and adversaries may exploit the Task Scheduler for lateral movement and remote code execution.\nTo implement this analytic, ensure that you are ingesting Windows Security Event Logs with EventCode 4698 enabled. Additionally, the Windows TA (Technology Add-on) is required to parse and extract the necessary information from the logs.\nIt's important to note that while uncommon, legitimate applications may create and delete scheduled tasks within a short duration. Analysts should filter the results based on the specific context and environment to reduce false positives.\nIdentifying short-lived scheduled tasks is valuable for a SOC as it can indicate malicious activities attempting to move laterally or execute unauthorized code on Windows systems. By detecting and investigating these events, security analysts can respond promptly to prevent further compromise and mitigate potential risks. The impact of a true positive could range from unauthorized access to data exfiltration or the execution of malicious payloads.", "references": ["https://attack.mitre.org/techniques/T1053/005/", "https://docs.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "CISA AA22-257A", "CISA AA23-347A", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A windows scheduled task was created and deleted in 30 seconds on $dest$", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": " `wineventlog_security` EventCode=4698 OR EventCode=4699 | xmlkv Message | transaction Task_Name startswith=(EventCode=4698) endswith=(EventCode=4699) | eval short_lived=case((duration<30),\"TRUE\") | search short_lived = TRUE | rename ComputerName as dest| table _time, dest, Account_Name, Command, Task_Name, short_lived | `short_lived_scheduled_task_filter` ", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA is also required.", "known_false_positives": "Although uncommon, legitimate applications may create and delete a Scheduled Task within 30 seconds. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "short_lived_scheduled_task_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Short Lived Windows Accounts", "author": "David Dorsey, Splunk", "date": "2024-03-19", "version": 3, "id": "b25f6f62-0782-43c1-b403-083231ffd97d", "description": "The following analytic detects the creation and deletion of accounts in a short time period to identify potential threats earlier and take appropriate actions to mitigate the risks. Helps prevent or minimize the potential damage caused by unauthorized access or malicious activities within the environment. This detection is made by a Splunk query that searches for events with the result IDs 4720 and 4726 in the \"Change\" data model. The query then groups the results by time, user, and destination. The result is filtered to only include events with the specified result IDs. The \"transaction\" command is used to group events that occur within a specified time span and have the same user but are not connected. Finally, the relevant information such as the first and last time of the event, the count, user, destination, and result ID are displayed in a table. This detection is important because it suggests that an attacker is attempting to create and delete accounts rapidly, potentially to cover their tracks or gain unauthorized access. The impact of such an attack can include unauthorized access to sensitive data, privilege escalation, or the ability to carry out further malicious activities within the environment. Next steps include investigating the events flagged by the analytic, review the account creation and deletion activities, and analyze any associated logs or artifacts to determine the intent and impact of the attack.", "references": [], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Windows", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A user account created or delete shortly in host $dest$", "risk_score": 63, "security_domain": "access", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "APT5", "Dragonfly", "FIN13", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT", "Wizard Spider"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider", "Scattered Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(All_Changes.result_id) as result_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Change where All_Changes.result_id=4720 OR All_Changes.result_id=4726 by _time span=4h All_Changes.user All_Changes.dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(\"All_Changes\")` | search result_id = 4720 result_id=4726 | transaction user connected=false maxspan=240m | table firstTime lastTime count user dest result_id | `short_lived_windows_accounts_filter`", "how_to_implement": "This search requires you to have enabled your Group Management Audit Logs in your Local Windows Security Policy and be ingesting those logs. More information on how to enable them can be found here: http://whatevernetworks.com/auditing-group-membership-changes-in-active-directory/", "known_false_positives": "It is possible that an administrator created and deleted an account in a short time period. Verifying activity with an administrator is advised.", "datamodel": ["Change"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "short_lived_windows_accounts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "SilentCleanup UAC Bypass", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2022-11-14", "version": 3, "id": "56d7cfcc-da63-11eb-92d4-acde48001122", "description": "This search is to detect a suspicious modification of registry that may related to UAC bypassed. This registry will be trigger once the attacker abuse the silentcleanup task schedule to gain high privilege execution that will bypass User control account.", "references": ["https://github.com/hfiref0x/UACME", "https://www.intezer.com/blog/malware-analysis/klingon-rat-holding-on-for-dear-life/"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Suspicious modification of registry $registry_path$ with possible payload path $registry_value_name$ in $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\Environment\\\\windir\" Registry.registry_value_data = \"*.exe*\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `silentcleanup_uac_bypass_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "silentcleanup_uac_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Single Letter Process On Endpoint", "author": "David Dorsey, Splunk", "date": "2020-12-08", "version": 3, "id": "a4214f0b-e01c-41bc-8cc4-d2b71e3056b4", "description": "The following analytic detects a behavior where a process name consists only of a single letter that helps to detect potential threats earlier and mitigate the risks. This detection is important because it indicates the presence of malware or an attacker attempting to evade detection by using a process name that is difficult to identify or track so that he can carry out malicious activities such as data theft or ransomware attacks. False positives might occur since there might be legitimate uses of single-letter process names in your environment. Next steps include reviewing the process details and investigating any suspicious activity upon triage.", "references": [], "tags": {"analytic_story": ["DHS Report TA18-074A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A suspicious process $process_name$ with single letter in host $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.dest, Processes.user, Processes.process, Processes.process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | eval process_name_length = len(process_name), endExe = if(substr(process_name, -4) == \".exe\", 1, 0) | search process_name_length=5 AND endExe=1 | table count, firstTime, lastTime, dest, user, process, process_name | `single_letter_process_on_endpoint_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Single-letter executables are not always malicious. Investigate this activity with your normal incident-response process.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "single_letter_process_on_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "SLUI RunAs Elevated", "author": "Michael Haag, Splunk", "date": "2021-05-13", "version": 1, "id": "8d124810-b3e4-11eb-96c7-acde48001122", "description": "The following analytic identifies the Microsoft Software Licensing User Interface Tool, `slui.exe`, elevating access using the `-verb runas` function. This particular bypass utilizes a registry key/value. Identified by two sources, the registry keys are `HKCU\\Software\\Classes\\exefile\\shell` and `HKCU\\Software\\Classes\\launcher.Systemsettings\\Shell\\open\\command`. To simulate this behavior, multiple POC are available. The analytic identifies the use of `runas` by `slui.exe`.", "references": ["https://www.exploit-db.com/exploits/46998", "https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b", "https://gist.github.com/r00t-3xp10it/0c92cd554d3156fd74f6c25660ccc466", "https://www.rapid7.com/db/modules/exploit/windows/local/bypassuac_sluihijack/", "https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations"], "tags": {"analytic_story": ["DarkSide Ransomware", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "Hostname", "role": ["Victim"]}], "message": "A slui process $process_name$ with elevated commandline $process$ in host $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=slui.exe (Processes.process=*-verb* Processes.process=*runas*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `slui_runas_elevated_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives should be present as this is not commonly used by legitimate applications.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "slui_runas_elevated_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "SLUI Spawning a Process", "author": "Michael Haag, Splunk", "date": "2021-05-13", "version": 1, "id": "879c4330-b3e0-11eb-b1b1-acde48001122", "description": "The following analytic identifies the Microsoft Software Licensing User Interface Tool, `slui.exe`, spawning a child process. This behavior is associated with publicly known UAC bypass. `slui.exe` is commonly associated with software updates and is most often spawned by `svchost.exe`. The `slui.exe` process should not have child processes, and any processes spawning from it will be running with elevated privileges. During triage, review the child process and additional parallel processes. Identify any file modifications that may have lead to the bypass.", "references": ["https://www.exploit-db.com/exploits/46998", "https://www.rapid7.com/db/modules/exploit/windows/local/bypassuac_sluihijack/", "https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations"], "tags": {"analytic_story": ["DarkSide Ransomware", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A slui process $parent_process_name$ spawning child process $process_name$ in host $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=slui.exe by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `slui_spawning_a_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Certain applications may spawn from `slui.exe` that are legitimate. Filtering will be needed to ensure proper monitoring.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "slui_spawning_a_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Spike in File Writes", "author": "David Dorsey, Splunk", "date": "2024-05-16", "version": 4, "id": "fdb0f805-74e4-4539-8c00-618927333aae", "description": "The following analytic detects a sharp increase in the number of files written to a specific host. It leverages the Endpoint.Filesystem data model, focusing on 'created' actions and comparing current file write counts against historical averages and standard deviations. This activity is significant as a sudden spike in file writes can indicate malicious activities such as ransomware encryption or data exfiltration. If confirmed malicious, this behavior could lead to significant data loss, system compromise, or further propagation of malware within the network.", "references": [], "tags": {"analytic_story": ["Ransomware", "Rhysida Ransomware", "Ryuk Ransomware", "SamSam Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.action=created by _time span=1h, Filesystem.dest | `drop_dm_object_name(Filesystem)` | eventstats max(_time) as maxtime | stats count as num_data_samples max(eval(if(_time >= relative_time(maxtime, \"-1d@d\"), count, null))) as \"count\" avg(eval(if(_time upperBound) AND num_data_samples >=20, 1, 0) | search isOutlier=1 | `spike_in_file_writes_filter` ", "how_to_implement": "In order to implement this search, you must populate the Endpoint file-system data model node. This is typically populated via endpoint detection and response product, such as Carbon Black or endpoint data sources such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the file system.", "known_false_positives": "It is important to understand that if you happen to install any new applications on your hosts or are copying a large number of files, you can expect to see a large increase of file modifications.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "spike_in_file_writes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Spoolsv Spawning Rundll32", "author": "Mauricio Velazco, Michael Haag, Splunk", "date": "2021-07-01", "version": 2, "id": "15d905f6-da6b-11eb-ab82-acde48001122", "description": "The following analytic identifies a suspicious child process, `rundll32.exe`, with no command-line arguments being spawned from `spoolsv.exe`. This was identified during our testing of CVE-2021-34527 previously (CVE-2021-1675) or PrintNightmare. Typically, this is not normal behavior for `spoolsv.exe` to spawn a process. During triage, isolate the endpoint and review for source of exploitation. Capture any additional file modification events.", "references": ["https://www.truesec.com/hub/blog/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available", "https://www.truesec.com/hub/blog/exploitable-critical-rce-vulnerability-allows-regular-users-to-fully-compromise-active-directory-printnightmare-cve-2021-1675", "https://www.reddit.com/r/msp/comments/ob6y02/critical_vulnerability_printnightmare_exposes"], "tags": {"analytic_story": ["PrintNightmare CVE-2021-34527"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "$parent_process_name$ has spawned $process_name$ on endpoint $dest$. This behavior is suspicious and related to PrintNightmare.", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.012", "mitre_attack_technique": "Print Processors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=spoolsv.exe `process_rundll32` by Processes.dest Processes.user Processes.parent_process_name Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spoolsv_spawning_rundll32_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives have been identified. There are limited instances where `rundll32.exe` may be spawned by a legitimate print driver.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "spoolsv_spawning_rundll32_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Spoolsv Suspicious Loaded Modules", "author": "Mauricio Velazco, Michael Haag, Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 3, "id": "a5e451f8-da81-11eb-b245-acde48001122", "description": "The following analytic detects the suspicious loading of DLLs by spoolsv.exe, potentially indicating PrintNightmare exploitation. It leverages Sysmon EventCode 7 to identify instances where spoolsv.exe loads multiple DLLs from the Windows System32 spool drivers x64 directory. This activity is significant as it may signify an attacker exploiting the PrintNightmare vulnerability to execute arbitrary code. If confirmed malicious, this could lead to unauthorized code execution, privilege escalation, and persistent access within the environment, posing a severe security risk.", "references": ["https://raw.githubusercontent.com/hieuttmmo/sigma/dceb13fe3f1821b119ae495b41e24438bd97e3d0/rules/windows/image_load/sysmon_cve_2021_1675_print_nightmare.yml"], "tags": {"analytic_story": ["PrintNightmare CVE-2021-34527"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "$Image$ with process id $ProcessId$ has loaded a driver from $ImageLoaded$ on endpoint $dest$. This behavior is suspicious and related to PrintNightmare.", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.012", "mitre_attack_technique": "Print Processors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "`sysmon` EventCode=7 Image =\"*\\\\spoolsv.exe\" ImageLoaded=\"*\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\*\" ImageLoaded = \"*.dll\" | stats dc(ImageLoaded) as countImgloaded values(ImageLoaded) as ImageLoaded count min(_time) as firstTime max(_time) as lastTime by Image Computer ProcessId EventCode | rename Computer as dest | where countImgloaded >= 3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spoolsv_suspicious_loaded_modules_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "spoolsv_suspicious_loaded_modules_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Spoolsv Suspicious Process Access", "author": "Mauricio Velazco, Michael Haag, Teoderick Contreras, Splunk", "date": "2021-07-01", "version": 1, "id": "799b606e-da81-11eb-93f8-acde48001122", "description": "This analytic identifies a suspicious behavior related to PrintNightmare, or CVE-2021-34527 previously (CVE-2021-1675), to gain privilege escalation on the vulnerable machine. This exploit attacks a critical Windows Print Spooler Vulnerability to elevate privilege. This detection is to look for suspicious process access made by the spoolsv.exe that may related to the attack.", "references": ["https://github.com/cube0x0/impacket/commit/73b9466c17761384ece11e1028ec6689abad6818", "https://www.truesec.com/hub/blog/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available", "https://www.truesec.com/hub/blog/exploitable-critical-rce-vulnerability-allows-regular-users-to-fully-compromise-active-directory-printnightmare-cve-2021-1675", "https://www.reddit.com/r/msp/comments/ob6y02/critical_vulnerability_printnightmare_exposes"], "tags": {"analytic_story": ["PrintNightmare CVE-2021-34527"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "ProcessID", "type": "Process", "role": ["Parent Process"]}, {"name": "TargetImage", "type": "Process Name", "role": ["Target"]}], "message": "$SourceImage$ was GrantedAccess open access to $TargetImage$ on endpoint $dest$. This behavior is suspicious and related to PrintNightmare.", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}]}, "type": "TTP", "search": "`sysmon` EventCode=10 SourceImage = \"*\\\\spoolsv.exe\" CallTrace = \"*\\\\Windows\\\\system32\\\\spool\\\\DRIVERS\\\\x64\\\\*\" TargetImage IN (\"*\\\\rundll32.exe\", \"*\\\\spoolsv.exe\") GrantedAccess = 0x1fffff | stats count min(_time) as firstTime max(_time) as lastTime by dest SourceImage TargetImage GrantedAccess CallTrace EventCode ProcessID| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spoolsv_suspicious_process_access_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with process access event where SourceImage, TargetImage, GrantedAccess and CallTrace executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of spoolsv.exe.", "known_false_positives": "Unknown. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "spoolsv_suspicious_process_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Spoolsv Writing a DLL", "author": "Mauricio Velazco, Michael Haag, Splunk", "date": "2023-11-07", "version": 2, "id": "d5bf5cf2-da71-11eb-92c2-acde48001122", "description": "The following analytic identifies a `.dll` being written by `spoolsv.exe`. This was identified during our testing of CVE-2021-34527 previously (CVE-2021-1675) or PrintNightmare. Typically, this is not normal behavior for `spoolsv.exe` to write a `.dll`. Current POC code used will write the suspicious DLL to disk within a path of `\\spool\\drivers\\x64\\`. During triage, isolate the endpoint and review for source of exploitation. Capture any additional file modification events.", "references": ["https://www.truesec.com/hub/blog/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available", "https://www.truesec.com/hub/blog/exploitable-critical-rce-vulnerability-allows-regular-users-to-fully-compromise-active-directory-printnightmare-cve-2021-1675", "https://www.reddit.com/r/msp/comments/ob6y02/critical_vulnerability_printnightmare_exposes"], "tags": {"analytic_story": ["PrintNightmare CVE-2021-34527"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "$process_name$ has been identified writing dll's to $file_path$ on endpoint $dest$. This behavior is suspicious and related to PrintNightmare.", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.012", "mitre_attack_technique": "Print Processors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=spoolsv.exe by _time Processes.process_guid Processes.process_name Processes.dest | `drop_dm_object_name(Processes)` | join process_guid, _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path=\"*\\\\spool\\\\drivers\\\\x64\\\\*\" Filesystem.file_name=\"*.dll\" by _time Filesystem.dest Filesystem.process_guid Filesystem.file_create_time Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` | fields _time dest file_create_time file_name file_path process_name process_path process_guid process] | dedup file_create_time | table dest file_create_time, file_name, file_path, process_name process_guid | `spoolsv_writing_a_dll_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node.", "known_false_positives": "Unknown.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "spoolsv_writing_a_dll_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Spoolsv Writing a DLL - Sysmon", "author": "Mauricio Velazco, Michael Haag, Splunk", "date": "2021-07-01", "version": 1, "id": "347fd388-da87-11eb-836d-acde48001122", "description": "The following analytic identifies a `.dll` being written by `spoolsv.exe`. This was identified during our testing of CVE-2021-34527 previously(CVE-2021-1675) or PrintNightmare. Typically, this is not normal behavior for `spoolsv.exe` to write a `.dll`. Current POC code used will write the suspicious DLL to disk within a path of `\\spool\\drivers\\x64\\`. During triage, isolate the endpoint and review for source of exploitation. Capture any additional file modification events.", "references": ["https://github.com/cube0x0/impacket/commit/73b9466c17761384ece11e1028ec6689abad6818", "https://www.truesec.com/hub/blog/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available", "https://www.truesec.com/hub/blog/exploitable-critical-rce-vulnerability-allows-regular-users-to-fully-compromise-active-directory-printnightmare-cve-2021-1675", "https://www.reddit.com/r/msp/comments/ob6y02/critical_vulnerability_printnightmare_exposes"], "tags": {"analytic_story": ["PrintNightmare CVE-2021-34527"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}, {"name": "file_name", "type": "File", "role": ["Attacker"]}], "message": "$process_name$ has been identified writing dll's to $file_path$ on endpoint $dest$. This behavior is suspicious and related to PrintNightmare.", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.012", "mitre_attack_technique": "Print Processors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "`sysmon` EventID=11 process_name=spoolsv.exe file_path=\"*\\\\spool\\\\drivers\\\\x64\\\\*\" file_name=*.dll | stats count min(_time) as firstTime max(_time) as lastTime by dest, UserID, process_name, file_path, file_name, TargetFilename, process_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spoolsv_writing_a_dll___sysmon_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used.", "known_false_positives": "Limited false positives. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "spoolsv_writing_a_dll___sysmon_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Sqlite Module In Temp Folder", "author": "Teoderick Contreras, Splunk", "date": "2021-08-03", "version": 1, "id": "0f216a38-f45f-11eb-b09c-acde48001122", "description": "This search is to detect a suspicious file creation of sqlite3.dll in %temp% folder. This behavior was seen in IcedID malware where it download sqlite module to parse browser database like for chrome or firefox to stole browser information related to bank, credit card or credentials.", "references": ["https://www.cisecurity.org/insights/white-papers/security-primer-icedid"], "tags": {"analytic_story": ["IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "Process $process_name$ create a file $file_name$ in host $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1005", "mitre_attack_technique": "Data from Local System", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT3", "APT37", "APT38", "APT39", "APT41", "Andariel", "Axiom", "BRONZE BUTLER", "CURIUM", "Dark Caracal", "Dragonfly", "FIN13", "FIN6", "FIN7", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HAFNIUM", "Inception", "Ke3chang", "Kimsuky", "LAPSUS$", "Lazarus Group", "LuminousMoth", "Magic Hound", "Patchwork", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "ToddyCat", "Turla", "Volt Typhoon", "Windigo", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": "`sysmon` EventCode=11 (TargetFilename = \"*\\\\sqlite32.dll\" OR TargetFilename = \"*\\\\sqlite64.dll\") (TargetFilename = \"*\\\\temp\\\\*\") | stats count min(_time) as firstTime max(_time) as lastTime by dest signature signature_id process_name file_name file_path action process_guid| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `sqlite_module_in_temp_folder_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "sqlite_module_in_temp_folder_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Steal or Forge Authentication Certificates Behavior Identified", "author": "Michael Haag, Splunk", "date": "2023-05-01", "version": 1, "id": "87ac670e-bbfd-44ca-b566-44e9f835518d", "description": "This correlation rule focuses on detecting potential threats associated with MITRE ATT&CK T1649 (Steal or Forge Authentication Certificates). The rule is designed to identify instances where 5 or more analytics related to Windows Certificate Services analytic story that are triggered within a specified time frame, which may indicate a potential attack in progress. By aggregating these analytics, security teams can swiftly respond to and investigate any suspicious activities, enhancing their ability to protect critical assets and prevent unauthorized access to sensitive information.", "references": ["https://research.splunk.com/stories/windows_certificate_services/", "https://attack.mitre.org/techniques/T1649/"], "tags": {"analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "Hostname", "role": ["Victim"]}], "message": "Steal or Forge Authentication Certificates Behavior Identified on $risk_object$.", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}]}, "type": "Correlation", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories=\"Windows Certificate Services\" All_Risk.risk_object_type=\"system\" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 5 | `steal_or_forge_authentication_certificates_behavior_identified_filter`", "how_to_implement": "The Windows Certificate Services analytic story must have 5 or more analytics enabled. In addition, ensure data is being logged that is required. Modify the correlation as needed based on volume of noise related to the other analytics.", "known_false_positives": "False positives may be present based on automated tooling or system administrators. Filter as needed.", "datamodel": ["Risk"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "steal_or_forge_authentication_certificates_behavior_identified_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Sunburst Correlation DLL and Network Event", "author": "Patrick Bareiss, Splunk", "date": "2024-05-11", "version": 2, "id": "701a8740-e8db-40df-9190-5516d3819787", "description": "The following analytic identifies the loading of the malicious SolarWinds.Orion.Core.BusinessLayer.dll by SolarWinds.BusinessLayerHost.exe and subsequent DNS queries to avsvmcloud.com. It uses Sysmon Event ID 7 for DLL loading and Event ID 22 for DNS queries, correlating these events within a 12-14 day period. This activity is significant as it indicates potential Sunburst malware infection, a known supply chain attack. If confirmed malicious, this could lead to unauthorized network access, data exfiltration, and further compromise of the affected systems.", "references": ["https://www.mandiant.com/resources/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor"], "tags": {"analytic_story": ["NOBELIUM Group"], "asset_type": "Windows", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1203", "mitre_attack_technique": "Exploitation for Client Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT12", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT41", "Andariel", "Aoqin Dragon", "Axiom", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "Higaisa", "Inception", "Lazarus Group", "Leviathan", "MuddyWater", "Mustang Panda", "Patchwork", "Sandworm Team", "Sidewinder", "TA459", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "admin@338"]}]}, "type": "TTP", "search": "(`sysmon` EventCode=7 ImageLoaded=*SolarWinds.Orion.Core.BusinessLayer.dll) OR (`sysmon` EventCode=22 QueryName=*avsvmcloud.com) | eventstats dc(EventCode) AS dc_events | where dc_events=2 | stats min(_time) as firstTime max(_time) as lastTime values(ImageLoaded) AS ImageLoaded values(QueryName) AS QueryName by host | rename host as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `sunburst_correlation_dll_and_network_event_filter` ", "how_to_implement": "This detection relies on sysmon logs with the Event ID 7, Driver loaded. Please tune your sysmon config that you DriverLoad event for SolarWinds.Orion.Core.BusinessLayer.dll is captured by Sysmon. Additionally, you need sysmon logs for Event ID 22, DNS Query. We suggest to run this detection at least once a day over the last 14 days.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "sunburst_correlation_dll_and_network_event_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Computer Account Name Change", "author": "Mauricio Velazco, Splunk", "date": "2024-04-26", "version": 2, "id": "35a61ed8-61c4-11ec-bc1e-acde48001122", "description": "As part of the sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287) exploitation chain, adversaries need to create a new computer account name and rename it to match the name of a domain controller account without the ending '$'. In Windows Active Directory environments, computer account names always end with `$`. This analytic leverages Event Id 4781, `The name of an account was changed`, to identify a computer account rename event with a suspicious name that does not terminate with `$`. This behavior could represent an exploitation attempt of CVE-2021-42278 and CVE-2021-42287 for privilege escalation.", "references": ["https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42278", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42287"], "tags": {"analytic_story": ["Active Directory Privilege Escalation", "sAMAccountName Spoofing and Domain Controller Impersonation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "OldTargetUserName", "type": "User", "role": ["Victim"]}], "message": "A computer account $OldTargetUserName$ was renamed with a suspicious computer name on $dest$", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.002", "mitre_attack_technique": "Domain Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT5", "Chimera", "Cinnamon Tempest", "Indrik Spider", "Magic Hound", "Naikon", "Sandworm Team", "TA505", "Threat Group-1314", "ToddyCat", "Volt Typhoon", "Wizard Spider"]}]}, "type": "TTP", "search": "`wineventlog_security` EventCode=4781 OldTargetUserName=\"*$\" NewTargetUserName!=\"*$\" | table _time, Computer, Caller_User_Name, OldTargetUserName, NewTargetUserName | rename Computer as dest | `suspicious_computer_account_name_change_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows event logs from your hosts. In addition, the Splunk Windows TA is needed.", "known_false_positives": "Renaming a computer account name to a name that not end with '$' is highly unsual and may not have any legitimate scenarios.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "suspicious_computer_account_name_change_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Copy on System32", "author": "Teoderick Contreras, Splunk", "date": "2023-08-17", "version": 1, "id": "ce633e56-25b2-11ec-9e76-acde48001122", "description": "This analytic is to detect a suspicious copy of file from systemroot folder of the windows OS. This technique is commonly used by APT or other malware as part of execution (LOLBIN) to run its malicious code using the available legitimate tool in OS. this type of event may seen or may execute of normal user in some instance but this is really a anomaly that needs to be check within the network.", "references": ["https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"analytic_story": ["AsyncRAT", "IcedID", "Qakbot", "Sandworm Tools", "Unusual Processes", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Execution of copy exe to copy file from $process$ in $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN(\"cmd.exe\", \"powershell*\",\"pwsh.exe\", \"sqlps.exe\", \"sqltoolsps.exe\", \"powershell_ise.exe\") AND `process_copy` AND Processes.process IN(\"*\\\\Windows\\\\System32\\\\*\", \"*\\\\Windows\\\\SysWow64\\\\*\") AND Processes.process = \"*copy*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id temp | `drop_dm_object_name(Processes)` | eval splitted_commandline=split(process,\" \") | eval first_cmdline=lower(mvindex(splitted_commandline,0)) | where NOT LIKE(first_cmdline,\"%\\\\windows\\\\system32\\\\%\") AND NOT LIKE(first_cmdline,\"%\\\\windows\\\\syswow64\\\\%\") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`suspicious_copy_on_system32_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "every user may do this event but very un-ussual.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_copy", "definition": "(Processes.process_name=copy.exe OR Processes.original_file_name=copy.exe OR Processes.process_name=xcopy.exe OR Processes.original_file_name=xcopy.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_copy_on_system32_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Curl Network Connection", "author": "Michael Haag, Splunk", "date": "2021-02-22", "version": 1, "id": "3f613dc0-21f2-4063-93b1-5d3c15eef22f", "description": "The following analytic identifies the use of a curl contacting suspicious remote domains to checkin to Command And Control servers or download further implants. In the context of Silver Sparrow, curl is identified contacting s3.amazonaws.com. This particular behavior is common with MacOS adware-malicious software.", "references": ["https://redcanary.com/blog/clipping-silver-sparrows-wings/", "https://www.marcosantadev.com/manage-plist-files-plistbuddy/"], "tags": {"analytic_story": ["Ingress Tool Transfer", "Linux Living Off The Land", "Silver Sparrow"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=curl Processes.process=s3.amazonaws.com by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_curl_network_connection_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unknown. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_curl_network_connection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious DLLHost no Command Line Arguments", "author": "Michael Haag, Splunk", "date": "2023-07-10", "version": 4, "id": "ff61e98c-0337-4593-a78f-72a676c56f26", "description": "The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", "references": ["https://raw.githubusercontent.com/threatexpress/malleable-c2/c3385e481159a759f79b8acfe11acf240893b830/jquery-c2.4.2.profile", "https://www.cobaltstrike.com/blog/learn-pipe-fitting-for-all-of-your-offense-projects/"], "tags": {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious dllhost.exe process with no command line arguments executed on $dest$ by $user$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_dllhost` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(dllhost\\.exe.{0,4}$)\" | `suspicious_dllhost_no_command_line_arguments_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives may be present in small environments. Tuning may be required based on parent process.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_dllhost", "definition": "(Processes.process_name=dllhost.exe OR Processes.original_file_name=dllhost.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_dllhost_no_command_line_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Driver Loaded Path", "author": "Teoderick Contreras, Splunk", "date": "2021-04-29", "version": 1, "id": "f880acd4-a8f1-11eb-a53b-acde48001122", "description": "This analytic will detect suspicious driver loaded paths. This technique is commonly used by malicious software like coin miners (xmrig) to register its malicious driver from notable directories where executable or drivers do not commonly exist. During triage, validate this driver is for legitimate business use. Review the metadata and certificate information. Unsigned drivers from non-standard paths is not normal, but occurs. In addition, review driver loads into `ntoskrnl.exe` for possible other drivers of interest. Long tail analyze drivers by path (outside of default, and in default) for further review.", "references": ["https://www.trendmicro.com/vinfo/hk/threat-encyclopedia/malware/trojan.ps1.powtran.a/", "https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/"], "tags": {"analytic_story": ["AgentTesla", "BlackByte Ransomware", "CISA AA22-320A", "Snake Keylogger", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}], "message": "Suspicious driver $file_name$ on $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "`sysmon` EventCode=6 ImageLoaded = \"*.sys\" NOT (ImageLoaded IN(\"*\\\\WINDOWS\\\\inf\",\"*\\\\WINDOWS\\\\System32\\\\drivers\\\\*\", \"*\\\\WINDOWS\\\\System32\\\\DriverStore\\\\FileRepository\\\\*\")) | stats min(_time) as firstTime max(_time) as lastTime count by dest ImageLoaded Hashes IMPHASH Signature Signed| rename ImageLoaded as file_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_driver_loaded_path_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the driver loaded and Signature from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Limited false positives will be present. Some applications do load drivers", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "suspicious_driver_loaded_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Event Log Service Behavior", "author": "Mauricio Velazco, Splunk", "date": "2024-04-26", "version": 2, "id": "2b85aa3d-f5f6-4c2e-a081-a09f6e1c2e40", "description": "The following analytic utilizes Windows Event ID 1100 to identify when Windows event log service is shutdown. Note that this is a voluminous analytic that will require tuning or restricted to specific endpoints based on criticality. This event generates every time Windows Event Log service has shut down. It also generates during normal system shutdown. During triage, based on time of day and user, determine if this was planned. If not planned, follow through with reviewing parallel alerts and other data sources to determine what else may have occurred.", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1100", "https://www.ired.team/offensive-security/defense-evasion/disabling-windows-event-logs-by-suspending-eventlog-service-threads", "https://attack.mitre.org/techniques/T1070/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"], "tags": {"analytic_story": ["Clop Ransomware", "Ransomware", "Windows Log Manipulation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "The Windows Event Log Service shutdown on $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}, {"mitre_attack_id": "T1070.001", "mitre_attack_technique": "Clear Windows Event Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "APT38", "APT41", "Chimera", "Dragonfly", "FIN5", "FIN8", "Indrik Spider"]}]}, "type": "Hunting", "search": "(`wineventlog_security` EventCode=1100) | stats count min(_time) as firstTime max(_time) as lastTime by dest name EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `suspicious_event_log_service_behavior_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows event logs from your hosts. In addition, the Splunk Windows TA is needed.", "known_false_positives": "It is possible the Event Logging service gets shut down due to system errors or legitimately administration tasks. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "suspicious_event_log_service_behavior_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious GPUpdate no Command Line Arguments", "author": "Michael Haag, Splunk", "date": "2023-07-10", "version": 3, "id": "f308490a-473a-40ef-ae64-dd7a6eba284a", "description": "The following analytic identifies gpupdate.exe with no command line arguments. It is unusual for gpupdate.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. gpupdate.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", "references": ["https://raw.githubusercontent.com/xx0hcd/Malleable-C2-Profiles/0ef8cf4556e26f6d4190c56ba697c2159faa5822/crimeware/trick_ryuk.profile", "https://www.cobaltstrike.com/blog/learn-pipe-fitting-for-all-of-your-offense-projects/"], "tags": {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious gpupdate.exe process with no command line arguments executed on $dest$ by $user$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_gpupdate` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(gpupdate\\.exe.{0,4}$)\" | `suspicious_gpupdate_no_command_line_arguments_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives may be present in small environments. Tuning may be required based on parent process.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_gpupdate", "definition": "(Processes.process_name=gpupdate.exe OR Processes.original_file_name=GPUpdate.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_gpupdate_no_command_line_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious IcedID Rundll32 Cmdline", "author": "Teoderick Contreras, Splunk", "date": "2021-07-26", "version": 2, "id": "bed761f8-ee29-11eb-8bf3-acde48001122", "description": "This search is to detect a suspicious rundll32.exe commandline to execute dll file. This technique was seen in IcedID malware to load its payload dll with the following parameter to load encrypted dll payload which is the license.dat.", "references": ["https://threatpost.com/icedid-banking-trojan-surges-emotet/165314/"], "tags": {"analytic_story": ["IcedID", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "rundll32 process $process_name$ with commandline $process$ in host $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*/i:* by Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_icedid_rundll32_cmdline_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "limitted. this parameter is not commonly used by windows application but can be used by the network operator.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_icedid_rundll32_cmdline_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Image Creation In Appdata Folder", "author": "Teoderick Contreras, Splunk", "date": "2022-07-07", "version": 2, "id": "f6f904c4-1ac0-11ec-806b-acde48001122", "description": "This search is to detect a suspicious creation of image in appdata folder made by process that also has a file reference in appdata folder. This technique was seen in remcos rat that capture screenshot of the compromised machine and place it in the appdata and will be send to its C2 server. This TTP is really a good indicator to check that process because it is in suspicious folder path and image files are not commonly created by user in this folder path.", "references": ["https://success.trendmicro.com/dcx/s/solution/1123281-remcos-malware-information?language=en_US", "https://blog.malwarebytes.com/threat-intelligence/2021/07/remcos-rat-delivered-via-visual-basic/"], "tags": {"analytic_story": ["Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "Process $process_name$ creating image file $file_path$ in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1113", "mitre_attack_technique": "Screen Capture", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT39", "BRONZE BUTLER", "Dark Caracal", "Dragonfly", "FIN7", "GOLD SOUTHFIELD", "Gamaredon Group", "Group5", "Magic Hound", "MoustachedBouncer", "MuddyWater", "OilRig", "Silence"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=*.exe Processes.process_path=\"*\\\\appdata\\\\Roaming\\\\*\" by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.process_guid | `drop_dm_object_name(Processes)` |rename process_guid as proc_guid |join proc_guid, _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*.png\",\"*.jpg\",\"*.bmp\",\"*.gif\",\"*.tiff\") Filesystem.file_path= \"*\\\\appdata\\\\Roaming\\\\*\" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)` |rename process_guid as proc_guid | fields _time dest file_create_time file_name file_path process_name process_path process proc_guid] | `suspicious_image_creation_in_appdata_folder_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_image_creation_in_appdata_folder_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Kerberos Service Ticket Request", "author": "Mauricio Velazco, Splunk", "date": "2024-04-26", "version": 2, "id": "8b1297bc-6204-11ec-b7c4-acde48001122", "description": "As part of the sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287) exploitation chain, adversaries will request and obtain a Kerberos Service Ticket (TGS) with a domain controller computer account as the Service Name. This Service Ticket can be then used to take control of the domain controller on the final part of the attack. This analytic leverages Event Id 4769, `A Kerberos service ticket was requested`, to identify an unusual TGS request where the Account_Name requesting the ticket matches the Service_Name field. This behavior could represent an exploitation attempt of CVE-2021-42278 and CVE-2021-42287 for privilege escalation.", "references": ["https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42278", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42287", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/02636893-7a1f-4357-af9a-b672e3e3de13"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Privilege Escalation", "sAMAccountName Spoofing and Domain Controller Impersonation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A suspicious Kerberos Service Ticket was requested by $user$ on host $dest$", "risk_score": 60, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.002", "mitre_attack_technique": "Domain Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT5", "Chimera", "Cinnamon Tempest", "Indrik Spider", "Magic Hound", "Naikon", "Sandworm Team", "TA505", "Threat Group-1314", "ToddyCat", "Volt Typhoon", "Wizard Spider"]}]}, "type": "TTP", "search": " `wineventlog_security` EventCode=4769 | eval isSuspicious = if(lower(ServiceName) = lower(mvindex(split(TargetUserName,\"@\"),0)),1,0) | where isSuspicious = 1 | rename Computer as dest| rename TargetUserName as user | table _time, dest, src_ip, user, ServiceName, Error_Code, isSuspicious | `suspicious_kerberos_service_ticket_request_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "We have tested this detection logic with ~2 million 4769 events and did not identify false positives. However, they may be possible in certain environments. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "suspicious_kerberos_service_ticket_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Linux Discovery Commands", "author": "Bhavin Patel, Splunk", "date": "2021-12-06", "version": 1, "id": "0edd5112-56c9-11ec-b990-acde48001122", "description": "This search, detects execution of suspicious bash commands from various commonly leveraged bash scripts like (AutoSUID, LinEnum, LinPeas) to perform discovery of possible paths of privilege execution, password files, vulnerable directories, executables and file permissions on a Linux host.\nThe search logic specifically looks for high number of distinct commands run in a short period of time.", "references": ["https://attack.mitre.org/matrices/enterprise/linux/", "https://attack.mitre.org/techniques/T1059/004/", "https://github.com/IvanGlinkin/AutoSUID", "https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS", "https://github.com/rebootuser/LinEnum"], "tags": {"analytic_story": ["Linux Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Suspicious Linux Discovery Commands detected on $dest$", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.004", "mitre_attack_technique": "Unix Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT41", "Rocke", "TeamTNT"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process) values(Processes.process_name) values(Processes.parent_process_name) dc(Processes.process) as distinct_commands dc(Processes.process_name) as distinct_process_names min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where [|inputlookup linux_tool_discovery_process.csv | rename process as Processes.process |table Processes.process] by _time span=5m Processes.user Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| where distinct_commands > 40 AND distinct_process_names > 3| `suspicious_linux_discovery_commands_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unless an administrator is using these commands to troubleshoot or audit a system, the execution of these commands should be monitored.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_linux_discovery_commands_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious microsoft workflow compiler rename", "author": "Michael Haag, Splunk", "date": "2023-11-07", "version": 5, "id": "f0db4464-55d9-11eb-ae93-0242ac130002", "description": "The following analytic identifies a renamed instance of microsoft.workflow.compiler.exe. Microsoft.workflow.compiler.exe is natively found in C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319 and is rarely utilized. When investigating, identify the executed code on disk and review. A spawned child process from microsoft.workflow.compiler.exe is uncommon. In any instance, microsoft.workflow.compiler.exe spawning from an Office product or any living off the land binary is highly suspect.", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Microsoft.Workflow.Compiler/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md#atomic-test-6---microsoftworkflowcompilerexe-payload-execution"], "tags": {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack", "Living Off The Land", "Masquerading - Rename System Utilities", "Trusted Developer Utilities Proxy Execution"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious renamed microsoft.workflow.compiler.exe binary ran on $dest$ by $user$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name!=microsoft.workflow.compiler.exe AND Processes.original_file_name=Microsoft.Workflow.Compiler.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_microsoft_workflow_compiler_rename_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications may use a moved copy of microsoft.workflow.compiler.exe, triggering a false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_microsoft_workflow_compiler_rename_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious microsoft workflow compiler usage", "author": "Michael Haag, Splunk", "date": "2024-05-03", "version": 3, "id": "9bbc62e8-55d8-11eb-ae93-0242ac130002", "description": "The following analytic identifies the usage of microsoft.workflow.compiler.exe, a rarely utilized executable typically found in C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution telemetry. The significance of this activity lies in its uncommon usage, which may indicate malicious intent such as code execution or persistence mechanisms. If confirmed malicious, an attacker could leverage this process to execute arbitrary code, potentially leading to unauthorized access or further compromise of the system.", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Msbuild/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md#atomic-test-6---microsoftworkflowcompilerexe-payload-execution"], "tags": {"analytic_story": ["Living Off The Land", "Trusted Developer Utilities Proxy Execution"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious microsoft.workflow.compiler.exe process ran on $dest$ by $user$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_microsoftworkflowcompiler` by Processes.dest Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_microsoft_workflow_compiler_usage_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, limited instances have been identified coming from native Microsoft utilities similar to SCCM.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_microsoftworkflowcompiler", "definition": "(Processes.process_name=microsoft.workflow.compiler.exe OR Processes.original_file_name=Microsoft.Workflow.Compiler.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_microsoft_workflow_compiler_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious msbuild path", "author": "Michael Haag, Splunk", "date": "2023-07-10", "version": 3, "id": "f5198224-551c-11eb-ae93-0242ac130002", "description": "The following analytic identifies msbuild.exe executing from a non-standard path. Msbuild.exe is natively found in C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319 and C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319. Instances of Visual Studio will run a copy of msbuild.exe. A moved instance of MSBuild is suspicious, however there are instances of build applications that will move or use a copy of MSBuild.", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Msbuild/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"], "tags": {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack", "Living Off The Land", "Masquerading - Rename System Utilities", "Trusted Developer Utilities Proxy Execution MSBuild"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Msbuild.exe ran from an uncommon path on $dest$ execyted by $user$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1127.001", "mitre_attack_technique": "MSBuild", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_msbuild` AND (Processes.process_path!=*\\\\framework*\\\\v*\\\\*) by Processes.dest Processes.original_file_name Processes.parent_process Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `suspicious_msbuild_path_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Some legitimate applications may use a moved copy of msbuild.exe, triggering a false positive. Baselining of MSBuild.exe usage is recommended to better understand it's path usage. Visual Studio runs an instance out of a path that will need to be filtered on.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_msbuild", "definition": "(Processes.process_name=msbuild.exe OR Processes.original_file_name=MSBuild.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_msbuild_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious MSBuild Rename", "author": "Michael Haag, Splunk", "date": "2024-05-22", "version": 5, "id": "4006adac-5937-11eb-ae93-0242ac130002", "description": "The following analytic detects the execution of renamed instances of msbuild.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and original file names within the Endpoint data model. This activity is significant because msbuild.exe is a legitimate tool often abused by attackers to execute malicious code while evading detection. If confirmed malicious, this behavior could allow an attacker to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further lateral movement within the network.", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Msbuild/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md", "https://github.com/infosecn1nja/MaliciousMacroMSBuild/"], "tags": {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack", "Living Off The Land", "Masquerading - Rename System Utilities", "Trusted Developer Utilities Proxy Execution MSBuild"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious renamed msbuild.exe binary ran on $dest$ by $user$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1127.001", "mitre_attack_technique": "MSBuild", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name!=msbuild.exe AND Processes.original_file_name=MSBuild.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_msbuild_rename_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications may use a moved copy of msbuild, triggering a false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_msbuild_rename_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious MSBuild Spawn", "author": "Michael Haag, Splunk", "date": "2021-01-12", "version": 2, "id": "a115fba6-5514-11eb-ae93-0242ac130002", "description": "The following analytic identifies wmiprvse.exe spawning msbuild.exe. This behavior is indicative of a COM object being utilized to spawn msbuild from wmiprvse.exe. It is common for MSBuild.exe to be spawned from devenv.exe while using Visual Studio. In this instance, there will be command line arguments and file paths. In a malicious instance, MSBuild.exe will spawn from non-standard processes and have no command line arguments. For example, MSBuild.exe spawning from explorer.exe, powershell.exe is far less common and should be investigated.", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Msbuild/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"], "tags": {"analytic_story": ["Living Off The Land", "Trusted Developer Utilities Proxy Execution MSBuild"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious msbuild.exe process executed on $dest$ by $user$", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1127.001", "mitre_attack_technique": "MSBuild", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=wmiprvse.exe AND `process_msbuild` by Processes.dest Processes.parent_process Processes.original_file_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_msbuild_spawn_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_msbuild", "definition": "(Processes.process_name=msbuild.exe OR Processes.original_file_name=MSBuild.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_msbuild_spawn_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious mshta child process", "author": "Michael Haag, Splunk", "date": "2024-01-01", "version": 2, "id": "60023bb6-5500-11eb-ae93-0242ac130002", "description": "The following analytic identifies child processes spawning from \"mshta.exe\". The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, parent process \"mshta.exe\" and its child process.", "references": ["https://github.com/redcanaryco/AtomicTestHarnesses", "https://redcanary.com/blog/introducing-atomictestharnesses/"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious MSHTA Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "suspicious mshta child process detected on host $dest$ by user $user$.", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA2541", "TA551"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=mshta.exe AND (Processes.process_name=powershell.exe OR Processes.process_name=colorcpl.exe OR Processes.process_name=msbuild.exe OR Processes.process_name=microsoft.workflow.compiler.exe OR Processes.process_name=searchprotocolhost.exe OR Processes.process_name=scrcons.exe OR Processes.process_name=cscript.exe OR Processes.process_name=wscript.exe OR Processes.process_name=powershell.exe OR Processes.process_name=cmd.exe) by Processes.dest Processes.parent_process Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_mshta_child_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_mshta_child_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious mshta spawn", "author": "Michael Haag, Splunk", "date": "2024-05-14", "version": 3, "id": "4d33a488-5b5f-11eb-ae93-0242ac130002", "description": "The following analytic detects the spawning of mshta.exe by wmiprvse.exe or svchost.exe. This behavior is identified using Endpoint Detection and Response (EDR) data, focusing on process creation events where the parent process is either wmiprvse.exe or svchost.exe. This activity is significant as it may indicate the use of a DCOM object to execute malicious scripts via mshta.exe, a common tactic in sophisticated attacks. If confirmed malicious, this could allow an attacker to execute arbitrary code, potentially leading to system compromise and further malicious activities.", "references": ["https://codewhitesec.blogspot.com/2018/07/lethalhta.html", "https://github.com/redcanaryco/AtomicTestHarnesses", "https://redcanary.com/blog/introducing-atomictestharnesses/"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious MSHTA Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "mshta.exe spawned by wmiprvse.exe on $dest$", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA2541", "TA551"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=svchost.exe OR Processes.parent_process_name=wmiprvse.exe) AND `process_mshta` by Processes.dest Processes.parent_process Processes.user Processes.original_file_name| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_mshta_spawn_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_mshta", "definition": "(Processes.process_name=mshta.exe OR Processes.original_file_name=MSHTA.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_mshta_spawn_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious PlistBuddy Usage", "author": "Michael Haag, Splunk", "date": "2021-02-22", "version": 1, "id": "c3194009-e0eb-4f84-87a9-4070f8688f00", "description": "The following analytic identifies the use of a native MacOS utility, PlistBuddy, creating or modifying a properly list (.plist) file. In the instance of Silver Sparrow, the following commands were executed:\n* PlistBuddy -c \"Add :Label string init_verx\" ~/Library/Launchagents/init_verx.plist\n* PlistBuddy -c \"Add :RunAtLoad bool true\" ~/Library/Launchagents/init_verx.plist\n* PlistBuddy -c \"Add :StartInterval integer 3600\" ~/Library/Launchagents/init_verx.plist\n* PlistBuddy -c \"Add :ProgramArguments array\" ~/Library/Launchagents/init_verx.plist\n* PlistBuddy -c \"Add :ProgramArguments:0 string /bin/sh\" ~/Library/Launchagents/init_verx.plist\n* PlistBuddy -c \"Add :ProgramArguments:1 string -c\" ~/Library/Launchagents/init_verx.plist\nUpon triage, capture the property list file being written to disk and review for further indicators. Contain the endpoint and triage further.", "references": ["https://www.marcosantadev.com/manage-plist-files-plistbuddy/"], "tags": {"analytic_story": ["Silver Sparrow"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1543.001", "mitre_attack_technique": "Launch Agent", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=PlistBuddy (Processes.process=*LaunchAgents* OR Processes.process=*RunAtLoad* OR Processes.process=*true*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_plistbuddy_usage_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Some legitimate applications may use PlistBuddy to create or modify property lists and possibly generate false positives. Review the property list being modified or created to confirm.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_plistbuddy_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious PlistBuddy Usage via OSquery", "author": "Michael Haag, Splunk", "date": "2021-02-22", "version": 1, "id": "20ba6c32-c733-4a32-b64e-2688cf231399", "description": "The following analytic identifies the use of a native MacOS utility, PlistBuddy, creating or modifying a properly list (.plist) file. In the instance of Silver Sparrow, the following commands were executed:\n* PlistBuddy -c \"Add :Label string init_verx\" ~/Library/Launchagents/init_verx.plist\n* PlistBuddy -c \"Add :RunAtLoad bool true\" ~/Library/Launchagents/init_verx.plist\n* PlistBuddy -c \"Add :StartInterval integer 3600\" ~/Library/Launchagents/init_verx.plist\n* PlistBuddy -c \"Add :ProgramArguments array\" ~/Library/Launchagents/init_verx.plist\n* PlistBuddy -c \"Add :ProgramArguments:0 string /bin/sh\" ~/Library/Launchagents/init_verx.plist\n* PlistBuddy -c \"Add :ProgramArguments:1 string -c\" ~/Library/Launchagents/init_verx.plist\nUpon triage, capture the property list file being written to disk and review for further indicators. Contain the endpoint and triage further.", "references": ["https://www.marcosantadev.com/manage-plist-files-plistbuddy/"], "tags": {"analytic_story": ["Silver Sparrow"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1543.001", "mitre_attack_technique": "Launch Agent", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "`osquery_process` \"columns.cmdline\"=\"*LaunchAgents*\" OR \"columns.cmdline\"=\"*RunAtLoad*\" OR \"columns.cmdline\"=\"*true*\" | `suspicious_plistbuddy_usage_via_osquery_filter`", "how_to_implement": "OSQuery must be installed and configured to pick up process events (info at https://osquery.io) as well as using the Splunk OSQuery Add-on https://splunkbase.splunk.com/app/4402. Modify the macro and validate fields are correct.", "known_false_positives": "Some legitimate applications may use PlistBuddy to create or modify property lists and possibly generate false positives. Review the property list being modified or created to confirm.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "osquery_process", "definition": "eventtype=\"osquery-process\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "suspicious_plistbuddy_usage_via_osquery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Process DNS Query Known Abuse Web Services", "author": "Teoderick Contreras, Splunk", "date": "2023-04-14", "version": 2, "id": "3cf0dc36-484d-11ec-a6bc-acde48001122", "description": "The following analytic detects a suspicious process making a DNS query via known, abused text-paste web services, VoIP, instant messaging, and digital distribution platforms used to download external files. This technique is abused by adversaries, malware actors, and red teams to download a malicious file on the target host. This is a good TTP indicator for possible initial access techniques. A user will experience false positives if the following instant messaging is allowed or common applications like telegram or discord are allowed in the corporate network.", "references": ["https://urlhaus.abuse.ch/url/1798923/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"analytic_story": ["Data Destruction", "Phemedrone Stealer", "Remcos", "Snake Keylogger", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "suspicious process $process_name$ has a dns query in $QueryName$ on $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.005", "mitre_attack_technique": "Visual Basic", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT33", "APT37", "APT38", "APT39", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Earth Lusca", "FIN13", "FIN4", "FIN7", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "Transparent Tribe", "Turla", "WIRTE", "Windshift"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "type": "TTP", "search": "`sysmon` EventCode=22 QueryName IN (\"*pastebin*\", \"*discord*\", \"*api.telegram*\",\"*t.me*\") process_name IN (\"cmd.exe\", \"*powershell*\", \"pwsh.exe\", \"wscript.exe\",\"cscript.exe\") OR Image IN (\"*\\\\users\\\\public\\\\*\", \"*\\\\programdata\\\\*\", \"*\\\\temp\\\\*\", \"*\\\\Windows\\\\Tasks\\\\*\", \"*\\\\appdata\\\\*\", \"*\\\\perflogs\\\\*\") | stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName QueryStatus process_name QueryResults Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_process_dns_query_known_abuse_web_services_filter`", "how_to_implement": "This detection relies on sysmon logs with the Event ID 22, DNS Query. We suggest you run this detection at least once a day over the last 14 days.", "known_false_positives": "Noise and false positive can be seen if the following instant messaging is allowed to use within corporate network. In this case, a filter is needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "suspicious_process_dns_query_known_abuse_web_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Process Executed From Container File", "author": "Steven Dick", "date": "2023-06-13", "version": 1, "id": "d8120352-3b62-411c-8cb6-7b47584dd5e8", "description": "This analytic identifies a suspicious process spawned by another process from within common container/archive file types. This technique was a common technique used by adversaries and malware to execute scripts or evade defenses. This TTP may detect some normal software installation or user behaviors where opening archive files is common.", "references": ["https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations", "https://www.crowdstrike.com/blog/weaponizing-disk-image-files-analysis/", "https://attack.mitre.org/techniques/T1204/002/"], "tags": {"analytic_story": ["Amadey", "Remcos", "Snake Keylogger", "Unusual Processes"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}], "message": "A suspicious process $process_name$ was launched from $file_name$ on $dest$.", "risk_score": 16, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1036.008", "mitre_attack_technique": "Masquerade File Type", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Volt Typhoon"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN (\"*.ZIP\\\\*\",\"*.ISO\\\\*\",\"*.IMG\\\\*\",\"*.CAB\\\\*\",\"*.TAR\\\\*\",\"*.GZ\\\\*\",\"*.RAR\\\\*\",\"*.7Z\\\\*\") AND Processes.action=\"allowed\" by Processes.dest Processes.parent_process Processes.process Processes.user| `drop_dm_object_name(Processes)`| regex process=\"(?i).*(ZIP|ISO|IMG|CAB|TAR|GZ|RAR|7Z)\\\\\\\\.+\\.(BAT|BIN|CAB|CMD|COM|CPL|EX_|EXE|GADGET|INF1|INS|INX||HTM|HTML|ISU|JAR|JOB|JS|JSE|LNK|MSC|MSI|MSP|MST|PAF|PIF|PS1|REG|RGS|SCR|SCT|SHB|SHS|U3P|VB|VBE|VBS|VBSCRIPT|WS|WSF|WSH)\\\"?$\" | rex field=process \"(?i).+\\\\\\\\(?[^\\\\\\]+\\.(ZIP|ISO|IMG|CAB|TAR|GZ|RAR|7Z))\\\\\\\\((.+\\\\\\\\)+)?(?.+\\.(BAT|BIN|CAB|CMD|COM|CPL|EX_|EXE|GADGET|INF1|INS|INX||HTM|HTML|ISU|JAR|JOB|JS|JSE|LNK|MSC|MSI|MSP|MST|PAF|PIF|PS1|REG|RGS|SCR|SCT|SHB|SHS|U3P|VB|VBE|VBS|VBSCRIPT|WS|WSF|WSH))\\\"?$\"| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_process_executed_from_container_file_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Various business process or userland applications and behavior.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_process_executed_from_container_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Process File Path", "author": "Teoderick Contreras, Splunk", "date": "2023-12-27", "version": 1, "id": "9be25988-ad82-11eb-a14f-acde48001122", "description": "This analytic identifies a suspicious processes running in file paths that are not typically associated with legitimate software. Adversaries often employ this technique to drop and execute malicious executables in accessible locations that do not require administrative privileges. By monitoring for processes running in such unconventional file paths, we can identify potential indicators of compromise and proactively respond to malicious activity. This analytic plays a crucial role in enhancing system security by pinpointing suspicious behaviors commonly associated with malware and unauthorized software execution.", "references": ["https://www.trendmicro.com/vinfo/hk/threat-encyclopedia/malware/trojan.ps1.powtran.a/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://twitter.com/pr0xylife/status/1590394227758104576", "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"analytic_story": ["AgentTesla", "Amadey", "AsyncRAT", "Azorult", "BlackByte Ransomware", "Brute Ratel C4", "CISA AA23-347A", "Chaos Ransomware", "DarkCrystal RAT", "DarkGate Malware", "Data Destruction", "Double Zero Destructor", "Graceful Wipe Out Attack", "Hermetic Wiper", "IcedID", "Industroyer2", "LockBit Ransomware", "Phemedrone Stealer", "PlugX", "Prestige Ransomware", "Qakbot", "RedLine Stealer", "Remcos", "Rhysida Ransomware", "Swift Slicer", "Trickbot", "Volt Typhoon", "Warzone RAT", "WhisperGate", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_path", "type": "Process Name", "role": ["Attacker"]}], "message": "Suspicious process $process_name$ running from a suspicious process path- $process_path$ on host- $dest$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_path = \"*\\\\windows\\\\fonts\\\\*\" OR Processes.process_path = \"*\\\\windows\\\\temp\\\\*\" OR Processes.process_path = \"*\\\\users\\\\public\\\\*\" OR Processes.process_path = \"*\\\\windows\\\\debug\\\\*\" OR Processes.process_path = \"*\\\\Users\\\\Administrator\\\\Music\\\\*\" OR Processes.process_path = \"*\\\\Windows\\\\servicing\\\\*\" OR Processes.process_path = \"*\\\\Users\\\\Default\\\\*\" OR Processes.process_path = \"*Recycle.bin*\" OR Processes.process_path = \"*\\\\Windows\\\\Media\\\\*\" OR Processes.process_path = \"\\\\Windows\\\\repair\\\\*\" OR Processes.process_path = \"*\\\\temp\\\\*\" OR Processes.process_path = \"*\\\\PerfLogs\\\\*\" by Processes.parent_process_name Processes.parent_process Processes.process_path Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_process_file_path_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may allow execution of specific binaries in non-standard paths. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_process_file_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Process With Discord DNS Query", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2023-04-14", "version": 2, "id": "4d4332ae-792c-11ec-89c1-acde48001122", "description": "This analytic identifies a process making a DNS query to Discord, a well known instant messaging and digital distribution platform. Discord can be abused by adversaries, as seen in the WhisperGate campaign, to host and download malicious. external files. A process resolving a Discord DNS name could be an indicator of malware trying to download files from Discord for further execution.", "references": ["https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"analytic_story": ["Data Destruction", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker"]}], "message": "suspicious process $process_name$ has a dns query in $QueryName$ on $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.005", "mitre_attack_technique": "Visual Basic", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT33", "APT37", "APT38", "APT39", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Earth Lusca", "FIN13", "FIN4", "FIN7", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "Transparent Tribe", "Turla", "WIRTE", "Windshift"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "type": "Anomaly", "search": "`sysmon` EventCode=22 QueryName IN (\"*discord*\") Image != \"*\\\\AppData\\\\Local\\\\Discord\\\\*\" AND Image != \"*\\\\Program Files*\" AND Image != \"discord.exe\" | stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName QueryStatus process_name QueryResults Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_process_with_discord_dns_query_filter`", "how_to_implement": "his detection relies on sysmon logs with the Event ID 22, DNS Query.", "known_false_positives": "Noise and false positive can be seen if the following instant messaging is allowed to use within corporate network. In this case, a filter is needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "suspicious_process_with_discord_dns_query_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Reg exe Process", "author": "David Dorsey, Splunk", "date": "2024-05-19", "version": 5, "id": "a6b3ab4e-dd77-4213-95fa-fc94701995e0", "description": "The following analytic identifies instances of reg.exe being launched from a command prompt (cmd.exe) that was not initiated by the user, as indicated by a parent process other than explorer.exe. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process names. This activity is significant because reg.exe is often used in registry manipulation, which can be indicative of malicious behavior such as persistence mechanisms or system configuration changes. If confirmed malicious, this could allow an attacker to modify critical system settings, potentially leading to privilege escalation or persistent access.", "references": ["https://car.mitre.org/wiki/CAR-2013-03-001/"], "tags": {"analytic_story": ["DHS Report TA18-074A", "Disabling Security Tools", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to add a registry entry.", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.parent_process_name != explorer.exe Processes.process_name =cmd.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest Processes.process_id Processes.parent_process_id | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.parent_process_name=cmd.exe Processes.process_name= reg.exe by Processes.parent_process_id Processes.dest Processes.process_name | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename parent_process_id as process_id |dedup process_id| table process_id dest] | `suspicious_reg_exe_process_filter` ", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "It's possible for system administrators to write scripts that exhibit this behavior. If this is the case, the search will need to be modified to filter them out.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_reg_exe_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Regsvr32 Register Suspicious Path", "author": "Michael Haag, Splunk", "date": "2023-03-02", "version": 3, "id": "62732736-6250-11eb-ae93-0242ac130002", "description": "Adversaries may abuse Regsvr32.exe to proxy execution of malicious code by using non-standard file extensions to load DLLs. Upon investigating, look for network connections to remote destinations (internal or external). Review additional parrallel processes and child processes for additional activity.", "references": ["https://attack.mitre.org/techniques/T1218/010/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md", "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/", "https://support.microsoft.com/en-us/topic/how-to-use-the-regsvr32-tool-and-troubleshoot-regsvr32-error-messages-a98d960a-7392-e6fe-d90a-3f4e0cb543e5", "https://any.run/report/f29a7d2ecd3585e1e4208e44bcc7156ab5388725f1d29d03e7699da0d4598e7c/0826458b-5367-45cf-b841-c95a33a01718"], "tags": {"analytic_story": ["IcedID", "Living Off The Land", "Qakbot", "Suspicious Regsvr32 Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to evade detection by using a non-standard file extension.", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_regsvr32` Processes.process IN (\"*\\\\appdata\\\\*\", \"*\\\\programdata\\\\*\",\"*\\\\windows\\\\temp\\\\*\") NOT (Processes.process IN (\"*.dll*\", \"*.ax*\", \"*.ocx*\")) by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_regsvr32_register_suspicious_path_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives with the query restricted to specified paths. Add more world writeable paths as tuning continues.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_regsvr32", "definition": "(Processes.process_name=regsvr32.exe OR Processes.original_file_name=REGSVR32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_regsvr32_register_suspicious_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Rundll32 dllregisterserver", "author": "Michael Haag, Splunk", "date": "2021-02-09", "version": 2, "id": "8c00a385-9b86-4ac0-8932-c9ec3713b159", "description": "The following analytic identifies rundll32.exe using dllregisterserver on the command line to load a DLL. When a DLL is registered, the DllRegisterServer method entry point in the DLL is invoked. This is typically seen when a DLL is being registered on the system. Not every instance is considered malicious, but it will capture malicious use of it. During investigation, review the parent process and parrellel processes executing. Capture the DLL being loaded and inspect further. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", "references": ["https://attack.mitre.org/techniques/T1218/011/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md", "https://lolbas-project.github.io/lolbas/Binaries/Rundll32/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east", "https://github.com/pan-unit42/tweets/blob/master/2020-12-10-IOCs-from-Ursnif-infection-with-Delf-variant.txt", "https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-zip-based-campaign/", "https://docs.microsoft.com/en-us/windows/win32/api/olectl/nf-olectl-dllregisterserver?redirectedfrom=MSDN"], "tags": {"analytic_story": ["IcedID", "Living Off The Land", "Suspicious Rundll32 Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to register a DLL. code", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*dllregisterserver* by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_rundll32_dllregisterserver_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "This is likely to produce false positives and will require some filtering. Tune the query by adding command line paths to known good DLLs, or filtering based on parent process names.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_rundll32_dllregisterserver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Rundll32 no Command Line Arguments", "author": "Michael Haag, Splunk", "date": "2023-07-10", "version": 3, "id": "e451bd16-e4c5-4109-8eb1-c4c6ecf048b4", "description": "The following analytic identifies rundll32.exe with no command line arguments. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", "references": ["https://attack.mitre.org/techniques/T1218/011/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md", "https://lolbas-project.github.io/lolbas/Binaries/Rundll32/", "https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/"], "tags": {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack", "PrintNightmare CVE-2021-34527", "Suspicious Rundll32 Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious rundll32.exe process with no command line arguments executed on $dest$ by $user$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_rundll32` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(rundll32\\.exe.{0,4}$)\" | `suspicious_rundll32_no_command_line_arguments_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications may use a moved copy of rundll32, triggering a false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_rundll32_no_command_line_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Rundll32 PluginInit", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 3, "id": "92d51712-ee29-11eb-b1ae-acde48001122", "description": "The following analytic identifies the execution of the rundll32.exe process with the \"plugininit\" parameter. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events and command-line arguments. This activity is significant because the \"plugininit\" parameter is commonly associated with IcedID malware, which uses it to execute an initial DLL stager to download additional payloads. If confirmed malicious, this behavior could lead to further malware infections, data exfiltration, or complete system compromise.", "references": ["https://threatpost.com/icedid-banking-trojan-surges-emotet/165314/"], "tags": {"analytic_story": ["IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "rundll32 process $process_name$ with commandline $process$ in host $dest$", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*PluginInit* by Processes.process_name Processes.process Processes.parent_process_name Processes.original_file_name Processes.parent_process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_rundll32_plugininit_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "third party application may used this dll export name to execute function.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_rundll32_plugininit_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Rundll32 StartW", "author": "Michael Haag, Splunk", "date": "2023-07-10", "version": 3, "id": "9319dda5-73f2-4d43-a85a-67ce961bddb7", "description": "The following analytic identifies rundll32.exe executing a DLL function name, Start and StartW, on the command line that is commonly observed with Cobalt Strike x86 and x64 DLL payloads. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64. Typically, the DLL will be written and loaded from a world writeable path or user location. In most instances it will not have a valid certificate (Unsigned). During investigation, review the parent process and other parallel application execution. Capture and triage the DLL in question. In the instance of Cobalt Strike, rundll32.exe is the default process it opens and injects shellcode into. This default process can be changed, but typically is not.", "references": ["https://attack.mitre.org/techniques/T1218/011/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md", "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/index.htm#cshid=1036", "https://lolbas-project.github.io/lolbas/Binaries/Rundll32/", "https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/"], "tags": {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack", "Suspicious Rundll32 Activity", "Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "rundll32.exe running with suspicious StartW parameters on $dest$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*start* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_rundll32_startw_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications may use Start as a function and call it via the command line. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_rundll32_startw_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Scheduled Task from Public Directory", "author": "Michael Haag, Splunk", "date": "2023-12-27", "version": 1, "id": "7feb7972-7ac3-11eb-bac8-acde48001122", "description": "The following analytic, \"Suspicious Scheduled Task from Public Directory\", detects the registration of scheduled tasks aimed to execute a binary or script from public directories, a behavior often associated with malware deployment. It utilizes the Sysmon EventID 1 data source, searching for instances where schtasks.exe is connected with the directories users\\public, \\programdata\\, or \\windows\\temp and involves the /create command.\nThe registration of such scheduled tasks in public directories could suggest that an attacker is trying to maintain persistence or execute malicious scripts. If confirmed as a true positive, this could lead to data compromise, unauthorized access, and potential lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1053/005/"], "tags": {"analytic_story": ["Azorult", "CISA AA23-347A", "DarkCrystal RAT", "Living Off The Land", "Ransomware", "Ryuk Ransomware", "Scheduled Tasks", "Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious scheduled task registered on $dest$ from Public Directory", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe (Processes.process=*\\\\users\\\\public\\\\* OR Processes.process=*\\\\programdata\\\\* OR Processes.process=*windows\\\\temp*) Processes.process=*/create* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `suspicious_scheduled_task_from_public_directory_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "The main source of false positives could be the legitimate use of scheduled tasks from these directories. Careful tuning of this search may be necessary to suit the specifics of your environment, reducing the rate of false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_scheduled_task_from_public_directory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious SearchProtocolHost no Command Line Arguments", "author": "Michael Haag, Splunk", "date": "2023-07-10", "version": 3, "id": "f52d2db8-31f9-4aa7-a176-25779effe55c", "description": "The following analytic identifies searchprotocolhost.exe with no command line arguments. It is unusual for searchprotocolhost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. searchprotocolhost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", "references": ["https://github.com/mandiant/red_team_tool_countermeasures/blob/master/rules/PGF/supplemental/hxioc/SUSPICIOUS%20EXECUTION%20OF%20SEARCHPROTOCOLHOST%20(METHODOLOGY).ioc"], "tags": {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious searchprotocolhost.exe process with no command line arguments executed on $dest$ by $user$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=searchprotocolhost.exe by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(searchprotocolhost\\.exe.{0,4}$)\" | `suspicious_searchprotocolhost_no_command_line_arguments_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives may be present in small environments. Tuning may be required based on parent process.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_searchprotocolhost_no_command_line_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious SQLite3 LSQuarantine Behavior", "author": "Michael Haag, Splunk", "date": "2021-02-22", "version": 1, "id": "e1997b2e-655f-4561-82fd-aeba8e1c1a86", "description": "The following analytic identifies the use of a SQLite3 querying the MacOS preferences to identify the original URL the pkg was downloaded from. This particular behavior is common with MacOS adware-malicious software. Upon triage, review other processes in parallel for suspicious activity. Identify any recent package installations.", "references": ["https://redcanary.com/blog/clipping-silver-sparrows-wings/", "https://www.marcosantadev.com/manage-plist-files-plistbuddy/"], "tags": {"analytic_story": ["Silver Sparrow"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1074", "mitre_attack_technique": "Data Staged", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Scattered Spider", "Volt Typhoon", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=sqlite3 Processes.process=*LSQuarantine* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_sqlite3_lsquarantine_behavior_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unknown.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_sqlite3_lsquarantine_behavior_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Ticket Granting Ticket Request", "author": "Mauricio Velazco, Splunk", "date": "2024-04-26", "version": 2, "id": "d77d349e-6269-11ec-9cfe-acde48001122", "description": "As part of the sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287) exploitation chain, adversaries will need to request a Kerberos Ticket Granting Ticket (TGT) on behalf of the newly created and renamed computer account. The TGT request will be preceded by a computer account name event. This analytic leverages Event Id 4781, `The name of an account was changed` and event Id 4768 `A Kerberos authentication ticket (TGT) was requested` to correlate a sequence of events where the new computer account on event id 4781 matches the request account on event id 4768. This behavior could represent an exploitation attempt of CVE-2021-42278 and CVE-2021-42287 for privilege escalation.", "references": ["https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42278", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42287"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Privilege Escalation", "sAMAccountName Spoofing and Domain Controller Impersonation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A suspicious TGT was requested was requested by $dest$", "risk_score": 60, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.002", "mitre_attack_technique": "Domain Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT5", "Chimera", "Cinnamon Tempest", "Indrik Spider", "Magic Hound", "Naikon", "Sandworm Team", "TA505", "Threat Group-1314", "ToddyCat", "Volt Typhoon", "Wizard Spider"]}]}, "type": "Hunting", "search": " `wineventlog_security` (EventCode=4781 OldTargetUserName=\"*$\" NewTargetUserName!=\"*$\") OR (EventCode=4768 TargetUserName!=\"*$\") | eval RenamedComputerAccount = coalesce(NewTargetUserName, TargetUserName) | transaction RenamedComputerAccount startswith=(EventCode=4781) endswith=(EventCode=4768) | eval short_lived=case((duration<2),\"TRUE\") | search short_lived = TRUE | table _time, Computer, EventCode, TargetUserName, RenamedComputerAccount, short_lived | rename Computer as dest | `suspicious_ticket_granting_ticket_request_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "A computer account name change event inmediately followed by a kerberos TGT request with matching fields is unsual. However, legitimate behavior may trigger it. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "suspicious_ticket_granting_ticket_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious WAV file in Appdata Folder", "author": "Teoderick Contreras, Splunk", "date": "2022-07-07", "version": 2, "id": "5be109e6-1ac5-11ec-b421-acde48001122", "description": "This analytic is to detect a suspicious creation of .wav file in appdata folder. This behavior was seen in Remcos RAT malware where it put the audio recording in the appdata\\audio folde as part of data collection. this recording can be send to its C2 server as part of its exfiltration to the compromised machine. creation of wav files in this folder path is not a ussual disk place used by user to save audio format file.", "references": ["https://success.trendmicro.com/dcx/s/solution/1123281-remcos-malware-information?language=en_US", "https://blog.malwarebytes.com/threat-intelligence/2021/07/remcos-rat-delivered-via-visual-basic/"], "tags": {"analytic_story": ["Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "process $process_name$ creating image file $file_path$ in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1113", "mitre_attack_technique": "Screen Capture", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT39", "BRONZE BUTLER", "Dark Caracal", "Dragonfly", "FIN7", "GOLD SOUTHFIELD", "Gamaredon Group", "Group5", "Magic Hound", "MoustachedBouncer", "MuddyWater", "OilRig", "Silence"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=*.exe Processes.process_path=\"*\\\\appdata\\\\Roaming\\\\*\" by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.process_guid | `drop_dm_object_name(Processes)` |rename process_guid as proc_guid | join proc_guid, _time [ | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*.wav\") Filesystem.file_path = \"*\\\\appdata\\\\Roaming\\\\*\" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)` |rename process_guid as proc_guid | fields file_name file_path process_name process_path process dest file_create_time _time proc_guid] | `suspicious_wav_file_in_appdata_folder_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, file_name, file_path and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_wav_file_in_appdata_folder_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious wevtutil Usage", "author": "David Dorsey, Michael Haag, Splunk", "date": "2024-05-19", "version": 5, "id": "2827c0fd-e1be-4868-ae25-59d28e0f9d4f", "description": "The following analytic detects the usage of wevtutil.exe with parameters for clearing event logs such as Application, Security, Setup, Trace, or System. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because clearing event logs can be an attempt to cover tracks after malicious actions, hindering forensic investigations. If confirmed malicious, this behavior could allow an attacker to erase evidence of their activities, making it difficult to trace their actions and understand the full scope of the compromise.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"], "tags": {"analytic_story": ["CISA AA23-347A", "Clop Ransomware", "Ransomware", "Rhysida Ransomware", "Windows Log Manipulation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Wevtutil.exe being used to clear Event Logs on $dest$ by $user$", "risk_score": 28, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1070.001", "mitre_attack_technique": "Clear Windows Event Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "APT38", "APT41", "Chimera", "Dragonfly", "FIN5", "FIN8", "Indrik Spider"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wevtutil.exe Processes.process IN (\"* cl *\", \"*clear-log*\") (Processes.process=\"*System*\" OR Processes.process=\"*Security*\" OR Processes.process=\"*Setup*\" OR Processes.process=\"*Application*\" OR Processes.process=\"*trace*\") by Processes.process_name Processes.parent_process_name Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `suspicious_wevtutil_usage_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "The wevtutil.exe application is a legitimate Windows event log utility. Administrators may use it to manage Windows event logs.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_wevtutil_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious writes to windows Recycle Bin", "author": "Rico Valdez, Splunk", "date": "2023-11-07", "version": 2, "id": "b5541828-8ffd-4070-9d95-b3da4de924cb", "description": "The following analytic detects when a process other than explorer.exe writes to the Windows Recycle Bin to detect potential threats earlier and mitigate the risks. This detection is made by a Splunk query that utilizes the Endpoint.Filesystem data model and the Endpoint.Processes data model. The query looks for any process writing to the \"*$Recycle.Bin*\" file path, excluding explorer.exe. This detection is important because it suggests that an attacker is attempting to hide their activities by using the Recycle Bin, which can lead to data theft, ransomware, or other damaging outcomes. Detecting writes to the Recycle Bin by a process other than explorer.exe can help to investigate and determine if the activity is malicious or benign. False positives might occur since there might be legitimate uses of the Recycle Bin by processes other than explorer.exe. Next steps include reviewing the process writing to the Recycle Bin and any relevant on-disk artifacts upon triage.", "references": [], "tags": {"analytic_story": ["Collection and Staging", "PlugX"], "asset_type": "Windows", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "Suspicious writes to windows Recycle Bin process $process_name$ on $dest$", "risk_score": 28, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.file_path) as file_path values(Filesystem.file_name) as file_name FROM datamodel=Endpoint.Filesystem where Filesystem.file_path = \"*$Recycle.Bin*\" by Filesystem.process_name Filesystem.process_id Filesystem.dest | `drop_dm_object_name(\"Filesystem\")` | join process_id [| tstats `security_content_summariesonly` values(Processes.user) as user values(Processes.process_name) as process_name values(Processes.parent_process_name) as parent_process_name FROM datamodel=Endpoint.Processes where Processes.process_name != \"explorer.exe\" by Processes.process_id Processes.dest | `drop_dm_object_name(\"Processes\")` | table user process_name process_id dest] | `suspicious_writes_to_windows_recycle_bin_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on filesystem and process logs responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` nodes.", "known_false_positives": "Because the Recycle Bin is a hidden folder in modern versions of Windows, it would be unusual for a process other than explorer.exe to write to it. Incidents should be investigated as appropriate.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_writes_to_windows_recycle_bin_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Svchost LOLBAS Execution Process Spawn", "author": "Mauricio Velazco, Splunk", "date": "2024-04-26", "version": 3, "id": "09e5c72a-4c0d-11ec-aa29-3e22fbd008af", "description": "The following analytic is designed to spot instances of 'svchost.exe' initiating a Living Off The Land Binaries and Scripts (LOLBAS) execution process. Often, adversaries manipulate Task Scheduler to execute code on remote endpoints, resulting in the spawning of a malicious command as a child process of 'svchost.exe'. By tracking child processes of 'svchost.exe' that align with the LOLBAS project, potential lateral movement activity can be detected. The analytic examines process details, including the process name, parent process, and command-line executions. A comprehensive list of LOLBAS processes is included in the search parameters. Although the analytic might catch legitimate applications exhibiting this behavior, these instances should be filtered accordingly. The findings from this analytic offer valuable insight into potentially malicious activities on an endpoint.", "references": ["https://attack.mitre.org/techniques/T1053/005/", "https://www.ired.team/offensive-security/persistence/t1053-schtask", "https://lolbas-project.github.io/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Living Off The Land", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Svchost.exe spawned a LOLBAS process on $dest$", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=svchost.exe) (Processes.process_name IN (\"Regsvcs.exe\", \"Ftp.exe\", \"OfflineScannerShell.exe\", \"Rasautou.exe\", \"Schtasks.exe\", \"Xwizard.exe\", \"Pnputil.exe\", \"Atbroker.exe\", \"Pcwrun.exe\", \"Ttdinject.exe\",\"Mshta.exe\", \"Bitsadmin.exe\", \"Certoc.exe\", \"Ieexec.exe\", \"Microsoft.Workflow.Compiler.exe\", \"Runscripthelper.exe\", \"Forfiles.exe\", \"Msbuild.exe\", \"Register-cimprovider.exe\", \"Tttracer.exe\", \"Ie4uinit.exe\", \"Bash.exe\", \"Hh.exe\", \"SettingSyncHost.exe\", \"Cmstp.exe\", \"Stordiag.exe\", \"Scriptrunner.exe\", \"Odbcconf.exe\", \"Extexport.exe\", \"Msdt.exe\", \"WorkFolders.exe\", \"Diskshadow.exe\", \"Mavinject.exe\", \"Regasm.exe\", \"Gpscript.exe\", \"Regsvr32.exe\", \"Msiexec.exe\", \"Wuauclt.exe\", \"Presentationhost.exe\", \"Wmic.exe\", \"Runonce.exe\", \"Syncappvpublishingserver.exe\", \"Verclsid.exe\", \"Infdefaultinstall.exe\", \"Installutil.exe\", \"Netsh.exe\", \"Wab.exe\", \"Dnscmd.exe\", \"At.exe\", \"Pcalua.exe\", \"Msconfig.exe\")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `svchost_lolbas_execution_process_spawn_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Legitimate applications may trigger this behavior, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "svchost_lolbas_execution_process_spawn_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "System Info Gathering Using Dxdiag Application", "author": "Teoderick Contreras, Splunk", "date": "2021-11-19", "version": 1, "id": "f92d74f2-4921-11ec-b685-acde48001122", "description": "This analytic is to detect a suspicious dxdiag.exe process command-line execution. Dxdiag is used to collect the system info of the target host. This technique has been used by Remcos RATS, various actors, and other malware to collect information as part of the recon or collection phase of an attack. This behavior should rarely be seen in a corporate network, but this command line can be used by a network administrator to audit host machine specifications. Thus in some rare cases, this detection will contain false positives in its results. To triage further, analyze what commands were passed after it pipes out the result to a file for further processing.", "references": ["https://app.any.run/tasks/df0baf9f-8baf-4c32-a452-16562ecb19be/"], "tags": {"analytic_story": ["Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Reconnaissance"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "dxdiag.exe process with commandline $process$ on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_dxdiag` AND Processes.process = \"* /t *\" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `system_info_gathering_using_dxdiag_application_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "This commandline can be used by a network administrator to audit host machine specifications. Thus, a filter is needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_dxdiag", "definition": "(Processes.process_name=dxdiag.exe OR Processes.original_file_name=dxdiag.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "system_info_gathering_using_dxdiag_application_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "System Information Discovery Detection", "author": "Patrick Bareiss, Splunk", "date": "2024-05-14", "version": 4, "id": "8e99f89e-ae58-4ebc-bf52-ae0b1a277e72", "description": "The following analytic identifies system information discovery techniques, such as the execution of commands like `wmic qfe`, `systeminfo`, and `hostname`. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant because attackers often use these commands to gather system configuration details, which can aid in further exploitation. If confirmed malicious, this behavior could allow attackers to tailor their attacks based on the discovered system information, potentially leading to privilege escalation, persistence, or data exfiltration.", "references": ["https://web.archive.org/web/20210119205146/https://oscp.infosecsanyam.in/priv-escalation/windows-priv-escalation"], "tags": {"analytic_story": ["Windows Discovery Techniques"], "asset_type": "Windows", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Attacker"]}], "message": "Potential system information discovery behavior on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1082", "mitre_attack_technique": "System Information Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT19", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "Blue Mockingbird", "Chimera", "Confucius", "Darkhotel", "FIN13", "FIN8", "Gamaredon Group", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Malteiro", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Sowbug", "Stealth Falcon", "TA2541", "TeamTNT", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Windigo", "Windshift", "Wizard Spider", "ZIRCONIUM", "admin@338"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process=\"*wmic* qfe*\" OR Processes.process=*systeminfo* OR Processes.process=*hostname*) by Processes.user Processes.process_name Processes.process Processes.dest Processes.parent_process_name | `drop_dm_object_name(Processes)` | eventstats dc(process) as dc_processes_by_dest by dest | where dc_processes_by_dest > 2 | stats values(process) as process min(firstTime) as firstTime max(lastTime) as lastTime by user, dest parent_process_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `system_information_discovery_detection_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators debugging servers", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "system_information_discovery_detection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "System Processes Run From Unexpected Locations", "author": "David Dorsey, Michael Haag, Splunk", "date": "2020-12-08", "version": 6, "id": "a34aae96-ccf8-4aef-952c-3ea21444444d", "description": "This search looks for system processes that typically execute from `C:\\Windows\\System32\\` or `C:\\Windows\\SysWOW64`. This may indicate a malicious process that is trying to hide as a legitimate process.\nThis detection utilizes a lookup that is deduped `system32` and `syswow64` directories from Server 2016 and Windows 10.\nDuring triage, review the parallel processes - what process moved the native Windows binary? identify any artifacts on disk and review. If a remote destination is contacted, what is the reputation?", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.yaml", "https://attack.mitre.org/techniques/T1036/003/"], "tags": {"analytic_story": ["DarkGate Malware", "Masquerading - Rename System Utilities", "Qakbot", "Ransomware", "Suspicious Command-Line Executions", "Unusual Processes", "Windows Error Reporting Service Elevation of Privilege Vulnerability"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "A System process $process_name$ is running from $process_path$ on $dest$, potentially non-standard.", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_path !=\"C:\\\\Windows\\\\System32*\" Processes.process_path !=\"C:\\\\Windows\\\\SysWOW64*\" by Processes.dest Processes.user Processes.parent_process Processes.process_path Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_hash | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `is_windows_system_file_macro` | `system_processes_run_from_unexpected_locations_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "This detection may require tuning based on third party applications utilizing native Windows binaries in non-standard paths.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "is_windows_system_file_macro", "definition": "lookup update=true is_windows_system_file filename as process_name OUTPUT systemFile | search systemFile=true", "description": "This macro limits the output to process names that are in the Windows System directory"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "system_processes_run_from_unexpected_locations_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "System User Discovery With Query", "author": "Mauricio Velazco, Splunk", "date": "2021-09-13", "version": 1, "id": "ad03bfcf-8a91-4bc2-a500-112993deba87", "description": "This analytic looks for the execution of `query.exe` with command-line arguments utilized to discover the logged user. Red Teams and adversaries alike may leverage `query.exe` to identify system users on a compromised endpoint for situational awareness and Active Directory Discovery.", "references": ["https://attack.mitre.org/techniques/T1033/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "System user discovery on $dest$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"query.exe\") (Processes.process=*user*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `system_user_discovery_with_query_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "system_user_discovery_with_query_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "System User Discovery With Whoami", "author": "Mauricio Velazco, Splunk", "date": "2023-12-27", "version": 1, "id": "894fc43e-6f50-47d5-a68b-ee9ee23e18f4", "description": "This analytic looks for the execution of `whoami.exe` without any arguments. This windows native binary prints out the current logged user. Red Teams and adversaries alike may leverage `whoami.exe` to identify system users on a compromised endpoint for situational awareness and Active Directory Discovery.", "references": ["https://attack.mitre.org/techniques/T1033/"], "tags": {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A", "Qakbot", "Rhysida Ransomware", "Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "System user discovery on $dest$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"whoami.exe\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `system_user_discovery_with_whoami_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "system_user_discovery_with_whoami_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Time Provider Persistence Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2023-04-27", "version": 4, "id": "5ba382c4-2105-11ec-8d8f-acde48001122", "description": "This analytic is to detect a suspicious modification of time provider registry for persistence and autostart. This technique can allow the attacker to persist on the compromised host and autostart as soon as the machine boot up. This TTP can be a good indicator of suspicious behavior since this registry is not commonly modified by normal user or even an admin.", "references": ["https://pentestlab.blog/2019/10/22/persistence-time-providers/", "https://attack.mitre.org/techniques/T1547/003/"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Persistence Techniques", "Windows Privilege Escalation", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "modified/added/deleted registry entry $registry_path$ in $dest$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.003", "mitre_attack_technique": "Time Providers", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\CurrentControlSet\\\\Services\\\\W32Time\\\\TimeProviders*\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `time_provider_persistence_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "time_provider_persistence_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Trickbot Named Pipe", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 2, "id": "1804b0a4-a682-11eb-8f68-acde48001122", "description": "The following analytic detects the creation or connection to a named pipe associated with Trickbot malware. It leverages Sysmon EventCodes 17 and 18 to identify named pipes with the pattern \"\\\\pipe\\\\*lacesomepipe\". This activity is significant as Trickbot uses named pipes for communication with its command and control (C2) servers, facilitating data exfiltration and command execution. If confirmed malicious, this behavior could allow attackers to maintain persistence, execute arbitrary commands, and exfiltrate sensitive information from the compromised system.", "references": ["https://labs.vipre.com/trickbot-and-its-modules/", "https://whitehat.eu/incident-response-case-study-featuring-ryuk-and-trickbot-part-2/"], "tags": {"analytic_story": ["Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "Possible Trickbot namedpipe created on $dest$ by $process_name$", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}]}, "type": "TTP", "search": "`sysmon` EventCode IN (17,18) PipeName=\"\\\\pipe\\\\*lacesomepipe\" | stats min(_time) as firstTime max(_time) as lastTime count by dest user_id EventCode PipeName signature Image process_id | rename Image as process_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `trickbot_named_pipe_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and pipename from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. .", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "trickbot_named_pipe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "UAC Bypass MMC Load Unsigned Dll", "author": "Teoderick Contreras, Splunk", "date": "2021-07-12", "version": 1, "id": "7f04349c-e30d-11eb-bc7f-acde48001122", "description": "This search is to detect a suspicious loaded unsigned dll by MMC.exe application. This technique is commonly seen in attacker that tries to bypassed UAC feature or gain privilege escalation. This is done by modifying some CLSID registry that will trigger the mmc.exe to load the dll path", "references": ["https://offsec.almond.consulting/UAC-bypass-dotnet.html"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Suspicious unsigned $ImageLoaded$ loaded by $Image$ on endpoint $dest$ with EventCode $EventCode$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218.014", "mitre_attack_technique": "MMC", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "`sysmon` EventCode=7 ImageLoaded = \"*.dll\" Image = \"*\\\\mmc.exe\" Signed=false Company != \"Microsoft Corporation\" | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded Signed ProcessId OriginalFileName dest EventCode Company | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `uac_bypass_mmc_load_unsigned_dll_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown. all of the dll loaded by mmc.exe is microsoft signed dll.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "uac_bypass_mmc_load_unsigned_dll_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "UAC Bypass With Colorui COM Object", "author": "Teoderick Contreras, Splunk", "date": "2021-08-13", "version": 1, "id": "2bcccd20-fc2b-11eb-8d22-acde48001122", "description": "This search is to detect a possible uac bypass using the colorui.dll COM Object. this technique was seen in so many malware and ransomware like lockbit where it make use of the colorui.dll COM CLSID to bypass UAC.", "references": ["https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/"], "tags": {"analytic_story": ["LockBit Ransomware", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "ImageLoaded", "type": "Other", "role": ["Other"]}], "message": "The following module $ImageLoaded$ was loaded by a non-standard application on endpoint $dest$.", "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.003", "mitre_attack_technique": "CMSTP", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group", "MuddyWater"]}]}, "type": "TTP", "search": "`sysmon` EventCode=7 ImageLoaded=\"*\\\\colorui.dll\" process_name != \"colorcpl.exe\" NOT(Image IN(\"*\\\\windows\\\\*\", \"*\\\\program files*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name dest user_id EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `uac_bypass_with_colorui_com_object_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "not so common. but 3rd part app may load this dll.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "uac_bypass_with_colorui_com_object_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Uninstall App Using MsiExec", "author": "Teoderick Contreras, Splunk", "date": "2021-08-09", "version": 1, "id": "1fca2b28-f922-11eb-b2dd-acde48001122", "description": "This search is to detect a suspicious un-installation of application using msiexec. This technique was seen in conti leak tool and script where it tries to uninstall AV product using this commandline. This commandline to uninstall product is not a common practice in enterprise network.", "references": ["https://threadreaderapp.com/thread/1423361119926816776.html"], "tags": {"analytic_story": ["Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "process $process_name$ with a cmdline $process$ in host $dest$", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.007", "mitre_attack_technique": "Msiexec", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Machete", "Molerats", "Rancor", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=msiexec.exe Processes.process= \"* /qn *\" Processes.process= \"*/X*\" Processes.process= \"*REBOOT=*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `uninstall_app_using_msiexec_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "uninstall_app_using_msiexec_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Unknown Process Using The Kerberos Protocol", "author": "Mauricio Velazco, Splunk", "date": "2024-01-23", "version": 2, "id": "c91a0852-9fbb-11ec-af44-acde48001122", "description": "The following analytic identifies a process performing an outbound connection on port 88 used by default by the network authentication protocol Kerberos. Typically, on a regular Windows endpoint, only the lsass.exe process is the one tasked with connecting to the Kerberos Distribution Center to obtain Kerberos tickets. Identifying an unknown process using this protocol may be evidence of an adversary abusing the Kerberos protocol.", "references": ["https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/", "https://www.thehacker.recipes/ad/movement/kerberos/ptk"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Unknown process $process_name$ using the kerberos protocol detected on host $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name!=lsass.exe by _time Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id dest [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port = 88 by All_Traffic.src All_Traffic.process_id All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename src as dest ] | table _time dest parent_process_name process_name process_path process process_id dest_port | `unknown_process_using_the_kerberos_protocol_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Custom applications may leverage the Kerberos protocol. Filter as needed.", "datamodel": ["Endpoint", "Network_Traffic"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "unknown_process_using_the_kerberos_protocol_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Unload Sysmon Filter Driver", "author": "Bhavin Patel, Splunk", "date": "2024-05-15", "version": 5, "id": "e5928ff3-23eb-4d8b-b8a4-dcbc844fdfbe", "description": "The following analytic detects the use of `fltMC.exe` to unload the Sysmon driver, which stops Sysmon from collecting data. It leverages Endpoint Detection and Response (EDR) logs, focusing on process names and command-line executions. This activity is significant because disabling Sysmon can blind security monitoring, allowing malicious actions to go undetected. If confirmed malicious, this could enable attackers to execute further attacks without being logged, leading to potential data breaches, privilege escalation, or persistent access within the environment.", "references": ["https://www.ired.team/offensive-security/defense-evasion/unloading-sysmon-driver"], "tags": {"analytic_story": ["CISA AA23-347A", "Disabling Security Tools"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Possible Sysmon filter driver unloading on $dest$", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=fltMC.exe AND Processes.process=*unload* AND Processes.process=*SysmonDrv* by Processes.process_name Processes.process_id Processes.parent_process_name Processes.process Processes.dest Processes.user | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` |`unload_sysmon_filter_driver_filter`| table firstTime lastTime dest user count process_name process_id parent_process_name process", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unknown at the moment", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "unload_sysmon_filter_driver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Unloading AMSI via Reflection", "author": "Michael Haag, Splunk", "date": "2023-04-14", "version": 1, "id": "a21e3484-c94d-11eb-b55b-acde48001122", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all.\n\nThis analytic identifies the behavior of AMSI being tampered with. Implemented natively in many frameworks, the command will look similar to `SEtValuE($Null,(New-OBJEct COLlECtionS.GenerIC.HAshSEt{[StrINg]))}$ReF=[ReF].AsSeMbLY.GeTTyPe(\"System.Management.Automation.Amsi\"+\"Utils\")` taken from Powershell-Empire.\nDuring triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.", "references": ["https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "message": "Possible AMSI Unloading via Reflection using PowerShell on $Computer$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = *system.management.automation.amsi* | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `unloading_amsi_via_reflection_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Potential for some third party applications to disable AMSI upon invocation. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "unloading_amsi_via_reflection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Unusual Number of Computer Service Tickets Requested", "author": "Mauricio Velazco, Splunk", "date": "2021-12-01", "version": 1, "id": "ac3b81c0-52f4-11ec-ac44-acde48001122", "description": "The following hunting analytic leverages Event ID 4769, `A Kerberos service ticket was requested`, to identify an unusual number of computer service ticket requests from one source. When a domain joined endpoint connects to a remote endpoint, it first will request a Kerberos Ticket with the computer name as the Service Name. An endpoint requesting a large number of computer service tickets for different endpoints could represent malicious behavior like lateral movement, malware staging, reconnaissance, etc. The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of service requests. To customize this analytic, users can try different combinations of the `bucket` span time, the calculation of the `upperBound` field as well as the Outlier calculation. This logic can be used for real time security monitoring as well as threat hunting exercises.", "references": ["https://attack.mitre.org/techniques/T1078/"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Lateral Movement", "Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "Client_Address", "type": "Endpoint", "role": ["Victim"]}], "message": "", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "type": "Hunting", "search": " `wineventlog_security` EventCode=4769 Service_Name=\"*$\" Account_Name!=\"*$*\" | bucket span=2m _time | stats dc(Service_Name) AS unique_targets values(Service_Name) as host_targets by _time, Client_Address, Account_Name | eventstats avg(unique_targets) as comp_avg , stdev(unique_targets) as comp_std by Client_Address, Account_Name | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_targets >10 and unique_targets >= upperBound, 1, 0) | `unusual_number_of_computer_service_tickets_requested_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "An single endpoint requesting a large number of computer service tickets is not common behavior. Possible false positive scenarios include but are not limited to vulnerability scanners, administration systeams and missconfigured systems.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "unusual_number_of_computer_service_tickets_requested_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Unusual Number of Kerberos Service Tickets Requested", "author": "Mauricio Velazco, Splunk", "date": "2024-04-26", "version": 2, "id": "eb3e6702-8936-11ec-98fe-acde48001122", "description": "The following hunting analytic leverages Kerberos Event 4769, A Kerberos service ticket was requested, to identify a potential kerberoasting attack against Active Directory networks. Kerberoasting allows an adversary to request kerberos tickets for domain accounts typically used as service accounts and attempt to crack them offline allowing them to obtain privileged access to the domain.\nThe detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number service ticket requests. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field.", "references": ["https://attack.mitre.org/techniques/T1558/003/", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "Endpoint", "role": ["Victim"]}], "message": "tbd", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}]}, "type": "Anomaly", "search": " `wineventlog_security` EventCode=4769 ServiceName!=\"*$\" TicketEncryptionType=0x17 | bucket span=2m _time | stats dc(ServiceName) AS unique_services values(ServiceName) as requested_services by _time, src | eventstats avg(unique_services) as comp_avg , stdev(unique_services) as comp_std by src | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_services > 2 and unique_services >= upperBound, 1, 0) | search isOutlier=1 | `unusual_number_of_kerberos_service_tickets_requested_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "An single endpoint requesting a large number of kerberos service tickets is not common behavior. Possible false positive scenarios include but are not limited to vulnerability scanners, administration systems and missconfigured systems.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "unusual_number_of_kerberos_service_tickets_requested_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Unusual Number of Remote Endpoint Authentication Events", "author": "Mauricio Velazco, Splunk", "date": "2021-12-01", "version": 1, "id": "acb5dc74-5324-11ec-a36d-acde48001122", "description": "The following hunting analytic leverages Event ID 4624, `An account was successfully logged on`, to identify an unusual number of remote authentication attempts coming from one source. An endpoint authenticating to a large number of remote endpoints could represent malicious behavior like lateral movement, malware staging, reconnaissance, etc. The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual high number of authentication events.To customize this analytic, users can try different combinations of the `bucket` span time, the calculation of the `upperBound` field as well as the Outlier calculation.This logic can be used for real time security monitoring as well as threat hunting exercises.", "references": ["https://attack.mitre.org/techniques/T1078/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "target_hosts", "type": "Endpoint", "role": ["Victim"]}], "message": "Unusual number of remote authentication events from $Source_Network_Address$", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "type": "Hunting", "search": " `wineventlog_security` EventCode=4624 Logon_Type=3 Account_Name!=\"*$\" | eval Source_Account = mvindex(Account_Name, 1) | bucket span=2m _time | stats dc(ComputerName) AS unique_targets values(ComputerName) as target_hosts by _time, Source_Network_Address, Source_Account | eventstats avg(unique_targets) as comp_avg , stdev(unique_targets) as comp_std by Source_Network_Address, Source_Account | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_targets >10 and unique_targets >= upperBound, 1, 0) | `unusual_number_of_remote_endpoint_authentication_events_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.", "known_false_positives": "An single endpoint authenticating to a large number of hosts is not common behavior. Possible false positive scenarios include but are not limited to vulnerability scanners, jump servers and missconfigured systems.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "unusual_number_of_remote_endpoint_authentication_events_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Unusually Long Command Line", "author": "David Dorsey, Splunk", "date": "2020-12-08", "version": 5, "id": "c77162d3-f93c-45cc-80c8-22f6a4264e7f", "description": "The following analytic detects command lines that are extremely long, which might be indicative of malicious activity on your hosts because attackers often use obfuscated or complex command lines to hide their actions and evade detection. This helps to mitigate the risks associated with long command lines to enhance your overall security posture and reduce the impact of attacks. This detection is important because it suggests that an attacker might be attempting to execute a malicious command or payload on the host, which can lead to various damaging outcomes such as data theft, ransomware, or further compromise of the system. False positives might occur since legitimate processes or commands can sometimes result in long command lines. Next steps include conducting extensive triage and investigation to differentiate between legitimate and malicious activities. Review the source of the command line and the command itself during the triage. Additionally, capture and inspect any relevant on-disk artifacts and review concurrent processes to identify the source of the attack.", "references": [], "tags": {"analytic_story": ["Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Ransomware", "Suspicious Command-Line Executions", "Unusual Processes"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "Unusually long command line $process_name$ on $dest$", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes by Processes.user Processes.dest Processes.process_name Processes.process | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| eval processlen=len(process) | eventstats stdev(processlen) as stdev, avg(processlen) as avg by dest | stats max(processlen) as maxlen, values(stdev) as stdevperhost, values(avg) as avgperhost by dest, user, process_name, process | `unusually_long_command_line_filter` |eval threshold = 3 | where maxlen > ((threshold*stdevperhost) + avgperhost)", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Some legitimate applications start with long command lines.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "unusually_long_command_line_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Unusually Long Command Line - MLTK", "author": "Rico Valdez, Splunk", "date": "2019-05-08", "version": 1, "id": "57edaefa-a73b-45e5-bbae-f39c1473f941", "description": "Command lines that are extremely long may be indicative of malicious activity on your hosts. This search leverages the Machine Learning Toolkit (MLTK) to help identify command lines with lengths that are unusual for a given user.", "references": [], "tags": {"analytic_story": ["Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Ransomware", "Suspicious Command-Line Executions", "Unusual Processes"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes by Processes.user Processes.dest Processes.process_name Processes.process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| eval processlen=len(process) | search user!=unknown | apply cmdline_pdfmodel threshold=0.01 | rename \"IsOutlier(processlen)\" as isOutlier | search isOutlier > 0 | table firstTime lastTime user dest process_name process processlen count | `unusually_long_command_line___mltk_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Some legitimate applications use long command lines for installs or updates. You should review identified command lines for legitimacy. You may modify the first part of the search to omit legitimate command lines from consideration. If you are seeing more results than desired, you may consider changing the value of threshold in the search to a smaller value. You should also periodically re-run the support search to re-build the ML model on the latest data. You may get unexpected results if the user identified in the results is not present in the data used to build the associated model.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "unusually_long_command_line___mltk_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "User Discovery With Env Vars PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2021-09-13", "version": 1, "id": "0cdf318b-a0dd-47d7-b257-c621c0247de8", "description": "This analytic looks for the execution of `powershell.exe` with command-line arguments that leverage PowerShell environment variables to identify the current logged user. Red Teams and adversaries may leverage this method to identify the logged user on a compromised endpoint for situational awareness and Active Directory Discovery.", "references": ["https://attack.mitre.org/techniques/T1033/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "System user discovery on $dest$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=\"*$env:UserName*\" OR Processes.process=\"*[System.Environment]::UserName*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `user_discovery_with_env_vars_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "user_discovery_with_env_vars_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "User Discovery With Env Vars PowerShell Script Block", "author": "Mauricio Velazco, Splunk", "date": "2022-03-22", "version": 2, "id": "77f41d9e-b8be-47e3-ab35-5776f5ec1d20", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the use of PowerShell environment variables to identify the current logged user. Red Teams and adversaries may leverage this method to identify the logged user on a compromised endpoint for situational awareness and Active Directory Discovery.", "references": ["https://attack.mitre.org/techniques/T1033/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "System user discovery on endpoint $dest$ by user $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}]}, "type": "Hunting", "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*$env:UserName*\" OR ScriptBlockText = \"*[System.Environment]::UserName*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | rename Computer as dest, user_id as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `user_discovery_with_env_vars_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "user_discovery_with_env_vars_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "USN Journal Deletion", "author": "David Dorsey, Splunk", "date": "2018-12-03", "version": 2, "id": "b6e0ff70-b122-4227-9368-4cf322ab43c3", "description": "The fsutil.exe application is a legitimate Windows utility used to perform tasks related to the file allocation table (FAT) and NTFS file systems. The update sequence number (USN) change journal provides a log of all changes made to the files on the disk. This search looks for fsutil.exe deleting the USN journal.", "references": [], "tags": {"analytic_story": ["Ransomware", "Windows Log Manipulation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Possible USN journal deletion on $dest$", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=fsutil.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | search process=\"*deletejournal*\" AND process=\"*usn*\" | `usn_journal_deletion_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "None identified", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "usn_journal_deletion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Vbscript Execution Using Wscript App", "author": "Teoderick Contreras, Splunk", "date": "2021-10-01", "version": 1, "id": "35159940-228f-11ec-8a49-acde48001122", "description": "This analytic is to detect a suspicious wscript commandline to execute vbscript. This technique was seen in several malware to execute malicious vbs file using wscript application. commonly vbs script is associated to cscript process and this can be a technique to evade process parent child detections or even some av script emulation system.", "references": ["https://www.joesandbox.com/analysis/369332/0/html", "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat"], "tags": {"analytic_story": ["AsyncRAT", "FIN7", "Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Process name $process_name$ with commandline $process$ to execute vbsscript", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.005", "mitre_attack_technique": "Visual Basic", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT33", "APT37", "APT38", "APT39", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Earth Lusca", "FIN13", "FIN4", "FIN7", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "Transparent Tribe", "Turla", "WIRTE", "Windshift"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name = \"wscript.exe\" AND Processes.parent_process = \"*//e:vbscript*\") OR (Processes.process_name = \"wscript.exe\" AND Processes.process = \"*//e:vbscript*\") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process_id Processes.process Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `vbscript_execution_using_wscript_app_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "vbscript_execution_using_wscript_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Verclsid CLSID Execution", "author": "Teoderick Contreras, Splunk", "date": "2021-09-29", "version": 1, "id": "61e9a56a-20fa-11ec-8ba3-acde48001122", "description": "This analytic is to detect a possible abuse of verclsid to execute malicious file through generate CLSID. This process is a normal application of windows to verify the CLSID COM object before it is instantiated by Windows Explorer. This hunting query can be a good pivot point to analyze what is he CLSID or COM object pointing too to check if it is a valid application or not.", "references": ["https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5", "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/"], "tags": {"analytic_story": ["Unusual Processes"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "process $process_name$ to execute possible clsid commandline $process$ in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.012", "mitre_attack_technique": "Verclsid", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_verclsid` AND Processes.process=\"*/S*\" Processes.process=\"*/C*\" AND Processes.process=\"*{*\" AND Processes.process=\"*}*\" by Processes.process_name Processes.original_file_name Processes.dest Processes.user Processes.parent_process_name Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `verclsid_clsid_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "windows can used this application for its normal COM object validation.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_verclsid", "definition": "(Processes.process_name=verclsid.exe OR Processes.original_file_name=verclsid.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "verclsid_clsid_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "W3WP Spawning Shell", "author": "Michael Haag, Splunk", "date": "2023-07-10", "version": 2, "id": "0f03423c-7c6a-11eb-bc47-acde48001122", "description": "This query identifies a shell, PowerShell.exe or Cmd.exe, spawning from W3WP.exe, or IIS. In addition to IIS logs, this behavior with an EDR product will capture potential webshell activity, similar to the HAFNIUM Group abusing CVEs, on publicly available Exchange mail servers. During triage, review the parent process and child process of the shell being spawned. Review the command-line arguments and any file modifications that may occur. Identify additional parallel process, child processes, that may highlight further commands executed. After triaging, work to contain the threat and patch the system that is vulnerable.", "references": ["https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/", "https://www.zerodayinitiative.com/blog/2021/8/17/from-pwn2own-2021-a-new-attack-surface-on-microsoft-exchange-proxyshell", "https://www.youtube.com/watch?v=FC6iHw258RI", "https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit#what-should-you-do"], "tags": {"analytic_story": ["BlackByte Ransomware", "CISA AA22-257A", "CISA AA22-264A", "Data Destruction", "Flax Typhoon", "HAFNIUM Group", "Hermetic Wiper", "ProxyNotShell", "ProxyShell", "WS FTP Server Critical Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Possible Web Shell execution on $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "APT5", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=w3wp.exe AND `process_cmd` OR `process_powershell` by Processes.dest Processes.parent_process Processes.original_file_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `w3wp_spawning_shell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Baseline your environment before production. It is possible build systems using IIS will spawn cmd.exe to perform a software build. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "w3wp_spawning_shell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "WBAdmin Delete System Backups", "author": "Michael Haag, Splunk", "date": "2024-05-13", "version": 2, "id": "cd5aed7e-5cea-11eb-ae93-0242ac130002", "description": "The following analytic detects the execution of wbadmin.exe with flags that delete backup files, specifically targeting catalog or system state backups. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because it is commonly used by ransomware to prevent recovery by deleting system backups. If confirmed malicious, this action could severely hinder recovery efforts, leading to prolonged downtime and potential data loss.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md", "https://thedfirreport.com/2020/10/08/ryuks-return/", "https://attack.mitre.org/techniques/T1490/", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin"], "tags": {"analytic_story": ["Chaos Ransomware", "Prestige Ransomware", "Ransomware", "Ryuk Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "System backups deletion on $dest$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wbadmin.exe Processes.process=\"*delete*\" AND (Processes.process=\"*catalog*\" OR Processes.process=\"*systemstatebackup*\") by Processes.process_name Processes.process Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `wbadmin_delete_system_backups_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may modify the boot configuration.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "wbadmin_delete_system_backups_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Wbemprox COM Object Execution", "author": "Teoderick Contreras, Splunk", "date": "2021-06-02", "version": 1, "id": "9d911ce0-c3be-11eb-b177-acde48001122", "description": "The following analytic identifies a potential suspicious process loading a COM object from wbemprox.dll or faskprox.dll. The Microsoft Component Object Model (COM) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. This feature is being abused by several threat actors, adversaries or even red teamers to gain privilege escalation or even to evade detections. This TTP is a good indicator that a process is loading possible known .dll modules that were known for its COM object.", "references": ["https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/"], "tags": {"analytic_story": ["LockBit Ransomware", "Ransomware", "Revil Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Suspicious COM Object Execution on $dest$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.003", "mitre_attack_technique": "CMSTP", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group", "MuddyWater"]}]}, "type": "TTP", "search": "`sysmon` EventCode=7 ImageLoaded IN (\"*\\\\fastprox.dll\", \"*\\\\wbemprox.dll\", \"*\\\\wbemcomn.dll\") NOT (process_name IN (\"wmiprvse.exe\", \"WmiApSrv.exe\", \"unsecapp.exe\")) NOT(Image IN(\"*\\\\windows\\\\*\",\"*\\\\program files*\", \"*\\\\wbem\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name dest EventCode Signed ProcessId Hashes IMPHASH | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wbemprox_com_object_execution_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "legitimate process that are not in the exception list may trigger this event.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "wbemprox_com_object_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Wermgr Process Connecting To IP Check Web Services", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2022-06-01", "version": 2, "id": "ed313326-a0f9-11eb-a89c-acde48001122", "description": "This search is designed to detect suspicious wermgr.exe process that tries to connect to known IP web services. This technique is know for trickbot and other trojan spy malware to recon the infected machine and look for its ip address without so much finger print on the commandline process. Since wermgr.exe is designed for error handling process of windows it is really suspicious that this process is trying to connect to this IP web services cause that maybe cause of some malicious code injection.", "references": ["https://labs.vipre.com/trickbot-and-its-modules/", "https://whitehat.eu/incident-response-case-study-featuring-ryuk-and-trickbot-part-2/"], "tags": {"analytic_story": ["Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Reconnaissance"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Wermgr.exe process connecting IP location web services on $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1590", "mitre_attack_technique": "Gather Victim Network Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["HAFNIUM"]}, {"mitre_attack_id": "T1590.005", "mitre_attack_technique": "IP Addresses", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["Andariel", "HAFNIUM", "Magic Hound"]}]}, "type": "TTP", "search": "`sysmon` EventCode =22 process_name = wermgr.exe QueryName IN (\"*wtfismyip.com\", \"*checkip.amazonaws.com\", \"*ipecho.net\", \"*ipinfo.io\", \"*api.ipify.org\", \"*icanhazip.com\", \"*ip.anysrc.com\",\"*api.ip.sb\", \"ident.me\", \"www.myexternalip.com\", \"*zen.spamhaus.org\", \"*cbl.abuseat.org\", \"*b.barracudacentral.org\",\"*dnsbl-1.uceprotect.net\", \"*spam.dnsbl.sorbs.net\") | stats min(_time) as firstTime max(_time) as lastTime count by Image process_name ProcessId QueryName QueryStatus QueryResults EventCode Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wermgr_process_connecting_to_ip_check_web_services_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, dns query name process path , and query ststus from your endpoints like EventCode 22. If you are using Sysmon, you must have at least version 12 of the Sysmon TA.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "wermgr_process_connecting_to_ip_check_web_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Wermgr Process Create Executable File", "author": "Teoderick Contreras, Splunk", "date": "2021-04-19", "version": 1, "id": "ab3bcce0-a105-11eb-973c-acde48001122", "description": "this search is designed to detect potential malicious wermgr.exe process that drops or create executable file. Since wermgr.exe is an application trigger when error encountered in a process, it is really un ussual to this process to drop executable file. This technique is commonly seen in trickbot malware where it injects it code to this process to execute it malicious behavior like downloading other payload", "references": ["https://labs.vipre.com/trickbot-and-its-modules/", "https://whitehat.eu/incident-response-case-study-featuring-ryuk-and-trickbot-part-2/"], "tags": {"analytic_story": ["Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Wermgr.exe writing executable files on $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}]}, "type": "TTP", "search": "`sysmon` EventCode=11 process_name = \"wermgr.exe\" TargetFilename = \"*.exe\" | stats min(_time) as firstTime max(_time) as lastTime count by Image TargetFilename process_name dest EventCode ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wermgr_process_create_executable_file_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of wermgr.exe may be used.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "wermgr_process_create_executable_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Wermgr Process Spawned CMD Or Powershell Process", "author": "Teoderick Contreras, Splunk", "date": "2021-04-19", "version": 2, "id": "e8fc95bc-a107-11eb-a978-acde48001122", "description": "This search is designed to detect suspicious cmd and powershell process spawned by wermgr.exe process. This suspicious behavior are commonly seen in code injection technique technique like trickbot to execute a shellcode, dll modules to run malicious behavior.", "references": ["https://labs.vipre.com/trickbot-and-its-modules/", "https://whitehat.eu/incident-response-case-study-featuring-ryuk-and-trickbot-part-2/"], "tags": {"analytic_story": ["Qakbot", "Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Wermgr.exe spawning suspicious processes on $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as cmdline min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name = \"wermgr.exe\" `process_cmd` OR `process_powershell` by Processes.parent_process_name Processes.original_file_name Processes.parent_process_id Processes.process_name Processes.process Processes.process_id Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wermgr_process_spawned_cmd_or_powershell_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "wermgr_process_spawned_cmd_or_powershell_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Wget Download and Bash Execution", "author": "Michael Haag, Splunk", "date": "2021-12-11", "version": 1, "id": "35682718-5a85-11ec-b8f7-acde48001122", "description": "The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", "references": ["https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java", "https://www.lunasec.io/docs/blog/log4j-zero-day/", "https://gist.github.com/nathanqthai/01808c569903f41a52e7e7b575caa890"], "tags": {"analytic_story": ["Ingress Tool Transfer", "Log4Shell CVE-2021-44228"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $process_name$ was identified on endpoint $dest$ attempting to download a remote file and run it with bash.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wget (Processes.process=\"*-q *\" OR Processes.process=\"*--quiet*\" AND Processes.process=\"*-O- *\") OR (Processes.process=\"*|*\" AND Processes.process=\"*bash*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wget_download_and_bash_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited, however filtering may be required.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "wget_download_and_bash_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Abused Web Services", "author": "Teoderick Contreras, Splunk", "date": "2023-09-20", "version": 1, "id": "01f0aef4-8591-4daa-a53d-0ed49823b681", "description": "The following analytic detects a suspicious process making a DNS query via known, abused text-paste web services, VoIP, internet via secure tunneling,instant messaging, and digital distribution platforms used to download external files. This technique is abused by adversaries, malware actors, and red teams to download a malicious file on the target host. This is a good TTP indicator for possible initial access techniques. A user will experience false positives if the following instant messaging is allowed or common applications like telegram or discord are allowed in the corporate network.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat"], "tags": {"analytic_story": ["NjRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "a network connection on known abused web services from $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1102", "mitre_attack_technique": "Web Service", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT32", "EXOTIC LILY", "Ember Bear", "FIN6", "FIN8", "Fox Kitten", "Gamaredon Group", "Inception", "LazyScripter", "Mustang Panda", "Rocke", "TeamTNT", "Turla"]}]}, "type": "TTP", "search": "`sysmon` EventCode=22 QueryName IN (\"*pastebin*\",\"\"*textbin*\"\", \"*ngrok.io*\", \"*discord*\", \"*duckdns.org*\", \"*pasteio.com*\") | stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName QueryStatus process_name QueryResults Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_abused_web_services_filter`", "how_to_implement": "This detection relies on sysmon logs with the Event ID 22, DNS Query. We suggest you run this detection at least once a day over the last 14 days.", "known_false_positives": "Noise and false positive can be seen if the following instant messaging is allowed to use within corporate network. In this case, a filter is needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_abused_web_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Access Token Manipulation SeDebugPrivilege", "author": "Teoderick Contreras, Splunk", "date": "2023-12-27", "version": 1, "id": "6ece9ed0-5f92-4315-889d-48560472b188", "description": "The following analytic identifies a suspicious process enabling the \"SeDebugPrivilege\" privilege token. SeDebugPrivilege allows a process to inspect and adjust the memory of other processes, and has long been a security concern. SeDebugPrivilege allows the token bearer to access any process or thread, regardless of security descriptors, per Palantir. This technique is abused by adversaries to gain debug privileges with their malicious software to be able to access or debug a process to dump credentials or to inject malicious code.", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4703", "https://devblogs.microsoft.com/oldnewthing/20080314-00/?p=23113", "https://blog.palantir.com/windows-privilege-abuse-auditing-detection-and-defense-3078a403d74e", "https://atomicredteam.io/privilege-escalation/T1134.001/#atomic-test-2---%60sedebugprivilege%60-token-duplication", "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat"], "tags": {"analytic_story": ["AsyncRAT", "Brute Ratel C4", "CISA AA23-347A", "DarkGate Malware", "PlugX"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "message": "A process $ProcessName$ adjust its privileges with SeDebugPrivilege on $Computer$.", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1134.002", "mitre_attack_technique": "Create Process with Token", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Lazarus Group", "Turla"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}]}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4703 EnabledPrivilegeList = \"*SeDebugPrivilege*\" AND NOT(ProcessName IN (\"*\\\\Program File*\", \"*\\\\System32\\\\lsass.exe*\", \"*\\\\SysWOW64\\\\lsass.exe*\", \"*\\\\SysWOW64\\\\svchost.exe*\", \"*\\\\System32\\\\svchost.exe*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Computer ProcessName ProcessId SubjectDomainName SubjectUserName SubjectUserSid TargetUserName TargetLogonId TargetDomainName EnabledPrivilegeList action | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_access_token_manipulation_sedebugprivilege_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4703 EventCode enabled. The Windows TA is also required.", "known_false_positives": "Some native binaries and browser applications may request SeDebugPrivilege. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_access_token_manipulation_sedebugprivilege_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Access Token Manipulation Winlogon Duplicate Token Handle", "author": "Teoderick Contreras, Splunk", "date": "2022-08-24", "version": 1, "id": "dda126d7-1d99-4f0b-b72a-4c14031f9398", "description": "The following analytic identifies a process requesting access to winlogon.exe attempting to duplicate its handle. This technique was seen in several adversaries to gain privileges for their process. Winlogon.exe is the common targeted process of this technique because it contains high privileges and security tokens.", "references": ["https://docs.microsoft.com/en-us/windows/win32/api/handleapi/nf-handleapi-duplicatehandle", "https://attack.mitre.org/techniques/T1134/001/"], "tags": {"analytic_story": ["Brute Ratel C4"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "SourceImage", "type": "Process Name", "role": ["Parent Process"]}], "message": "A process $SourceImage$ is duplicating the handle token of winlogon.exe in $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1134.001", "mitre_attack_technique": "Token Impersonation/Theft", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "FIN8"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}]}, "type": "Hunting", "search": "`sysmon` EventCode=10 TargetImage IN(\"*\\\\system32\\\\winlogon.exe*\", \"*\\\\SysWOW64\\\\winlogon.exe*\") GrantedAccess = 0x1040 | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage SourceProcessGUID TargetProcessGUID SourceProcessId TargetProcessId GrantedAccess CallTrace dest user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_access_token_manipulation_winlogon_duplicate_token_handle_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "It is possible legitimate applications will request access to winlogon, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_access_token_manipulation_winlogon_duplicate_token_handle_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Access Token Winlogon Duplicate Handle In Uncommon Path", "author": "Teoderick Contreras, Splunk", "date": "2022-08-24", "version": 1, "id": "b8f7ed6b-0556-4c84-bffd-839c262b0278", "description": "The following analytic identifies a process requesting access in winlogon.exe to duplicate its handle with a non-common or public process source path. This technique was seen where adversaries attempt to gain privileges to their process. This duplicate handle access technique, may refer to a malicious process duplicating the process token of winlogon.exe and using it to a new process instance. Winlogon.exe is the common targeted process of this technique because it contains high privileges and security tokens.", "references": ["https://docs.microsoft.com/en-us/windows/win32/api/handleapi/nf-handleapi-duplicatehandle", "https://attack.mitre.org/techniques/T1134/001/"], "tags": {"analytic_story": ["Brute Ratel C4"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "SourceImage", "type": "Process Name", "role": ["Parent Process"]}], "message": "A process $SourceImage$ is duplicating the handle token of winlogon.exe on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1134.001", "mitre_attack_technique": "Token Impersonation/Theft", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "FIN8"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}]}, "type": "Anomaly", "search": "`sysmon` EventCode=10 TargetImage IN(\"*\\\\system32\\\\winlogon.exe*\", \"*\\\\SysWOW64\\\\winlogon.exe*\") AND GrantedAccess = 0x1040 AND NOT (SourceImage IN(\"C:\\\\Windows\\\\*\", \"C:\\\\Program File*\", \"%systemroot%\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Computer SourceImage TargetImage SourceProcessGUID TargetProcessGUID SourceProcessId TargetProcessId GrantedAccess CallTrace | rename Computer as dest| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_access_token_winlogon_duplicate_handle_in_uncommon_path_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "It is possible legitimate applications will request access to winlogon, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_access_token_winlogon_duplicate_handle_in_uncommon_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Account Discovery for None Disable User Account", "author": "Teoderick Contreras, Splunk", "date": "2023-12-15", "version": 2, "id": "eddbf5ba-b89e-47ca-995e-2d259804e55e", "description": "The following analytic utilizes PowerShell Script Block Logging to identify the execution of the PowerView PowerShell commandlet Get-NetUser. In the context of PowerView's Get-NetUser cmdlet as a filter or parameter to query Active Directory user accounts that are not disabled. The full script block text based on the CISA-23-347A advisory is \"Get-NetUser -UACFilter NOT_ACCOUNTDISABLE\". Utilize this query to identify potential suspicious activity of user account enumeration.", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a", "https://powersploit.readthedocs.io/en/stable/Recon/README/", "https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters/powerview", "https://atomicredteam.io/discovery/T1087.001/"], "tags": {"analytic_story": ["CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Windows Account Discovery for None Disable User Account using PowerView's Get-NetUser on $dest$.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT41", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}]}, "type": "Hunting", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Get-NetUser*\" ScriptBlockText = \"*NOT_ACCOUNTDISABLE*\" ScriptBlockText = \"*-UACFilter*\" | rename Computer as dest, UserID as user | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_account_discovery_for_none_disable_user_account_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.=", "known_false_positives": "Administrators may leverage PowerView for legitimate purposes, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_account_discovery_for_none_disable_user_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Account Discovery for Sam Account Name", "author": "Teoderick Contreras, Splunk", "date": "2023-12-15", "version": 1, "id": "69934363-e1dd-4c49-8651-9d7663dd4d2f", "description": "The following analytic leverages Event ID 4104 to identify the execution of the PowerView powershell commandlets Get-NetUser. In the context of PowerView's Get-NetUser cmdlet as a filter or parameter to query Active Directory user account's \"samccountname\". This hunting query is a good pivot to look for suspicious process or malware that gather user account information in a host or within network system.", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a"], "tags": {"analytic_story": ["CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Windows Account Discovery for Sam Account Name on $dest$.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}]}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Get-NetUser*\" ScriptBlockText IN (\"*samaccountname*\", \"*pwdlastset*\") | rename Computer as dest, UserID as user | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_account_discovery_for_sam_account_name_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.=", "known_false_positives": "Administrators may leverage PowerView for legitimate purposes, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_account_discovery_for_sam_account_name_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Account Discovery With NetUser PreauthNotRequire", "author": "Teoderick Contreras, Splunk", "date": "2023-12-15", "version": 1, "id": "cf056b65-44b2-4d32-9172-d6b6f081a376", "description": "The following analytic leverages Event ID 4104 to identify the execution of the PowerView powershell commandlets Get-NetUser. This technique was observed in the context of PowerView's Get-NetUser cmdlet as a filter or parameter to query Active Directory user accounts that do not require preauthentication for Kerberos. This hunting query is a good pivot to look for suspicious process or malware that gather user account information in a host or within network system.", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a"], "tags": {"analytic_story": ["CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A user dicovery using powerview commandlet Get-NetUser with PreauthNotRequire parameter on $dest$.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}]}, "type": "Hunting", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Get-NetUser*\" ScriptBlockText = \"*-PreauthNotRequire*\" | rename Computer as dest, UserID as user | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_account_discovery_with_netuser_preauthnotrequire_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.=", "known_false_positives": "Administrators may leverage PowerView for legitimate purposes, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_account_discovery_with_netuser_preauthnotrequire_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows AD Abnormal Object Access Activity", "author": "Steven Dick", "date": "2024-05-21", "version": 2, "id": "71b289db-5f2c-4c43-8256-8bf26ae7324a", "description": "The following analytic identifies a statistically significant increase in access to Active Directory objects, which may indicate attacker enumeration. It leverages Windows Security Event Code 4662 to monitor and analyze access patterns, comparing them against historical averages to detect anomalies. This activity is significant for a SOC because abnormal access to AD objects can be an early indicator of reconnaissance efforts by an attacker. If confirmed malicious, this behavior could lead to unauthorized access, privilege escalation, or further compromise of the Active Directory environment.", "references": ["https://medium.com/securonix-tech-blog/detecting-ldap-enumeration-and-bloodhound-s-sharphound-collector-using-active-directory-decoys-dfc840f2f644", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662", "https://attack.mitre.org/tactics/TA0007/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "The account $user$ accessed an abnormal amount ($ObjectName_count$) of [$ObjectType$] AD object(s) between $firstTime$ and $lastTime$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT41", "BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Scattered Spider", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}]}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4662 | stats min(_time) AS firstTime, max(_time) AS lastTime, dc(ObjectName) AS ObjectName_count, values(ObjectType) AS ObjectType, latest(Computer) AS dest count BY SubjectUserName | eventstats avg(ObjectName_count) AS average stdev(ObjectName_count) AS standarddev | eval limit = round((average+(standarddev*3)),0), user = SubjectUserName | where ObjectName_count > limit | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_ad_abnormal_object_access_activity_filter`", "how_to_implement": "Enable Audit Directory Service Access via GPO and collect event code 4662. The required SACLs need to be created for the relevant objects. Be aware Splunk filters this event by default on the Windows TA. Recommend pre-filtering any known service accounts that frequently query AD to make detection more accurate. Setting wide search window of 48~72hr may smooth out misfires.", "known_false_positives": "Service accounts or applications that routinely query Active Directory for information.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_ad_abnormal_object_access_activity_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows AD AdminSDHolder ACL Modified", "author": "Mauricio Velazco, Splunk", "date": "2022-11-15", "version": 1, "id": "00d877c3-7b7b-443d-9562-6b231e2abab9", "description": "The following analytic identifies the modification of the Access Control List for the AdminSDHolder object within a Windows domain. Specifically, the detection triggers on the addition of a new rule to the existing ACL. AdminSDHolder is an object located in the System Partition in Active Directory and is used as a security template for objects that are members of certain privileged groups. Objects in these groups are enumerated and any objects with security descriptors that dont match the AdminSDHolder ACL are flagged for updating. The Security Descriptor propagator (SDProp) process runs every 60 minutes on the PDC Emulator and re-stamps the object Access Control List (ACL) with the security permissions set on the AdminSDHolder. An adversary who has obtained privileged access to a Windows Domain may modify the AdminSDHolder ACL to establish persistence and allow an unprivileged user to take control of a domain.", "references": ["https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory", "https://social.technet.microsoft.com/wiki/contents/articles/22331.adminsdholder-protected-groups-and-security-descriptor-propagator.aspx", "https://adsecurity.org/?p=1906", "https://pentestlab.blog/2022/01/04/domain-persistence-adminsdholder/", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136", "https://learn.microsoft.com/en-us/windows/win32/secauthz/access-control-lists", "https://medium.com/@cryps1s/detecting-windows-endpoint-compromise-with-sacls-cd748e10950"], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "SubjectUserName", "type": "User", "role": ["Attacker"]}, {"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "message": "The AdminSDHolder domain object has been modified on $Computer$ by $SubjectUserName$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "TTP", "search": " `wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=nTSecurityDescriptor OperationType=\"%%14674\" ObjectDN=\"CN=AdminSDHolder,CN=System*\" | rex field=AttributeValue max_match=10000 \"A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;(?PS-1-[0-59]-\\d{2}-\\d{8,10}-\\d{8,10}-\\d{8,10}-[1-9]\\d{3})\\)\" | stats values(added_user_sid) by _time, Computer, SubjectUserName, ObjectDN | `windows_ad_adminsdholder_acl_modified_filter`", "how_to_implement": "To successfully implement this search, you ned to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. Additionally, a SACL needs to be created for the AdminSDHolder object in order to log modifications.", "known_false_positives": "Adding new users or groups to the AdminSDHolder ACL is not usual. Filter as needed", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_ad_adminsdholder_acl_modified_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows AD Cross Domain SID History Addition", "author": "Dean Luxton", "date": "2022-11-17", "version": 1, "id": "41bbb371-28ba-439c-bb5c-d9930c28365d", "description": "The following analytic looks for changes to the sIDHistory AD attribute of user or computer objects within different domains. The SID history AD attribute allows users to inherit permissions from a separate AD account without group changes. Initially developed for access continuity when migrating user accounts to different domains, this attribute can also be abused by adversaries for inter-domain privilege escalation and persistence.", "references": ["https://adsecurity.org/?p=1772", "https://learn.microsoft.com/en-us/windows/win32/adschema/a-sidhistory?redirectedfrom=MSDN", "https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-unsecure-sid-history-attribute"], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Active Directory SID History Attribute was added to $user$ by $src_user$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1134.005", "mitre_attack_technique": "SID-History Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}]}, "type": "TTP", "search": "`wineventlog_security` (EventCode=4742 OR EventCode=4738) NOT SidHistory IN (\"%%1793\", -) | rex field=SidHistory \"(^%{|^)(?P.*)(\\-|\\\\\\)\" | rex field=TargetSid \"^(?P.*)(\\-|\\\\\\)\" | where SidHistoryMatch!=TargetSidmatch AND SidHistoryMatch!=TargetDomainName | rename TargetSid as userSid | table _time action status host user userSid SidHistory Logon_ID src_user | `windows_ad_cross_domain_sid_history_addition_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting eventcodes `4738` and `4742`. The Advanced Security Audit policy settings `Audit User Account Management` and `Audit Computer Account Management` within `Account Management` all need to be enabled.", "known_false_positives": "Domain mergers and migrations may generate large volumes of false positives for this analytic.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_ad_cross_domain_sid_history_addition_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows AD Domain Controller Audit Policy Disabled", "author": "Dean Luxton", "date": "2023-01-26", "version": 1, "id": "fc3ccef1-60a4-4239-bd66-b279511b4d14", "description": "The following analytic detects the disabling of audit policies on a domain controller. The detection is made by identifying changes made to audit policies and checks for the removal of success or failure auditing, which are common indicators of policy tampering. The detection is important because it indicates that an attacker has gained access to the domain controller and is attempting to evade detection and cover up malicious activity. The impact of such an attack can be severe, including data theft, privilege escalation, and compromise of the entire network. False positives might occur since legitimate changes to audit policies might also trigger the analytic. Upon triage, review the audit policy change event and investigate the source of the change. Additionally, you must capture and inspect any relevant on-disk artifacts and review concurrent processes to identify the attack source.\"", "references": ["https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4719"], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "GPO $SubCategory$ of $Category$ was disabled on $dest$", "risk_score": 60, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}]}, "type": "TTP", "search": "`wineventlog_security` EventCode=4719 (AuditPolicyChanges IN (\"%%8448\",\"%%8450\",\"%%8448, %%8450\") OR Changes IN (\"Failure removed\",\"Success removed\",\"Success removed, Failure removed\")) dest_category=\"domain_controller\"| replace \"%%8448\" with \"Success removed\", \"%%8450\" with \"Failure removed\", \"%%8448, %%8450\" with \"Success removed, Failure removed\" in AuditPolicyChanges | eval AuditPolicyChanges=coalesce(AuditPolicyChanges,Changes), SubcategoryGuid=coalesce(SubcategoryGuid,Subcategory_GUID) | stats min(_time) as _time values(host) as dest by AuditPolicyChanges SubcategoryGuid | lookup advanced_audit_policy_guids GUID as SubcategoryGuid OUTPUT Category SubCategory | `windows_ad_domain_controller_audit_policy_disabled_filter`", "how_to_implement": "Ensure you are ingesting EventCode `4719` from your domain controllers, the category domain_controller exists in assets and identities, and that assets and identities is enabled. If A&I is not configured, you will need to manually filter the results within the base search.", "known_false_positives": "Unknown", "datamodel": ["Change"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_ad_domain_controller_audit_policy_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "advanced_audit_policy_guids", "description": "List of GUIDs associated with Windows advanced audit policies", "filename": "advanced_audit_policy_guids.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(GUID)", "min_matches": 1, "fields_list": null}]}, {"name": "Windows AD Domain Controller Promotion", "author": "Dean Luxton", "date": "2023-01-26", "version": 1, "id": "e633a0ef-2a6e-4ed7-b925-5ff999e5d1f0", "description": "This analytic identifies a genuine DC promotion event. Identifying when a computer assigns itself the necessary SPNs to function as a domain controller. Note these events are triggered on the existing domain controllers, not the newly joined domain controller. This detection will serve to identify rogue DCs added to the network. There are 2x detections within this analytic story which identify DCShadow attacks, if you do not currently possess the logging for these detections, remove the where clause within this detection to identify DCShadow activity.", "references": ["https://attack.mitre.org/techniques/T1207/"], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "AD Domain Controller Promotion Event Detected for $dest$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1207", "mitre_attack_technique": "Rogue Domain Controller", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "`wineventlog_security` EventCode=4742 ServicePrincipalNames IN (\"*E3514235-4B06-11D1-AB04-00C04FC2DCD2/*\",\"*GC/*\")| stats min(_time) as _time latest(ServicePrincipalNames) as ServicePrincipalNames,values(signature) as signature, values(src_user) as src_user, values(user) as user by Logon_ID, dvc| where src_user=user| rename Logon_ID as TargetLogonId, user as dest | appendpipe [| map search=\"search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$\" | fields - dest, dvc, signature]| stats min(_time) as _time, values(TargetUserSid) as TargetUserSid, values(Target_Domain) as Target_Domain, values(user) as user, values(status) as status, values(src_category) as src_category, values(src_ip) as src_ip values(ServicePrincipalNames) as ServicePrincipalNames values(signature) as signature values(dest) as dest values(dvc) as dvc by TargetLogonId | eval dest=trim(dest,\"$\") | `windows_ad_domain_controller_promotion_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting eventcode `4742`. The Advanced Security Audit policy setting `Audit Computer Account Management` within `Account Management` needs to be enabled.", "known_false_positives": "None.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_ad_domain_controller_promotion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows AD Domain Replication ACL Addition", "author": "Dean Luxton", "date": "2022-11-18", "version": 1, "id": "8c372853-f459-4995-afdc-280c114d33ab", "description": "The following analytic detects the addition of the permissions necessary to perform a DCSync attack. In order to replicate AD objects, the initiating user or computer must have the following permissions on the domain. - DS-Replication-Get-Changes - DS-Replication-Get-Changes-All Certain Sync operations may require the additional permission of DS-Replication-Get-Changes-In-Filtered-Set. By default, adding DCSync permissions via the Powerview Add-ObjectACL operation adds all 3. This alert identifies where this trifecta has been met, and also where just the base level requirements have been met.", "references": ["https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/1522b774-6464-41a3-87a5-1e5633c3fbbb", "https://github.com/SigmaHQ/sigma/blob/29a5c62784faf986dc03952ae3e90e3df3294284/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml"], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "$src_user$ has granted $user$ permission to replicate AD objects", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1484", "mitre_attack_technique": "Domain or Tenant Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "`wineventlog_security` | rex field=AttributeValue max_match=10000 \\\"OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;(?PS-1-[0-59]-\\d{2}-\\d{8,10}-\\d{8,10}-\\d{8,10}-[1-9]\\d{3})\\)\\\"| table _time dest src_user DSRGetChanges_user_sid DSRGetChangesAll_user_sid DSRGetChangesFiltered_user_sid| mvexpand DSRGetChanges_user_sid| eval minDCSyncPermissions=if(DSRGetChanges_user_sid=DSRGetChangesAll_user_sid,\\\"true\\\",\\\"false\\\"), fullSet=if(DSRGetChanges_user_sid=DSRGetChangesAll_user_sid AND DSRGetChanges_user_sid=DSRGetChangesFiltered_user_sid,\\\"true\\\",\\\"false\\\")| where minDCSyncPermissions=\\\"true\\\" | lookup identity_lookup_expanded objectSid as DSRGetChanges_user_sid OUTPUT sAMAccountName as user | rename DSRGetChanges_user_sid as userSid | stats min(_time) as _time values(user) as user by dest src_user userSid minDCSyncPermissions fullSet| `windows_ad_domain_replication_acl_addition_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting the eventcode 5136. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled, alongside a SACL for `everybody` to `Write All Properties` applied to the domain root and all descendant objects. Once the necessary logging has been enabled, enumerate the domain policy to verify if existing accounts with access need to be whitelisted, or revoked. Assets and Identities is also leveraged to automatically translate the objectSid into username. Ensure your identities lookup is configured with the sAMAccountName and objectSid of all AD user and computer objects.", "known_false_positives": "When there is a change to nTSecurityDescriptor, Windows logs the entire ACL with the newly added components. If existing accounts are present with this permission, they will raise an alert each time the nTSecurityDescriptor is updated unless whitelisted.", "datamodel": ["Change"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_ad_domain_replication_acl_addition_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows AD DSRM Account Changes", "author": "Dean Luxton", "date": "2023-11-07", "version": 2, "id": "08cb291e-ea77-48e8-a95a-0799319bf056", "description": "Aside from being used to promote genuine domain controllers, the DSRM (Directory Services Restore Mode) account can be used to persist within a Domain. A DC can be configured to allow the DSRM account to logon & be used in the same way as a local administrator account. This detection is looking for alterations to the behaviour of the account via registry.", "references": ["https://adsecurity.org/?p=1714"], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks", "Windows Persistence Techniques", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "DSRM Account Changes Initiated on $dest$ by $user$", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` min(_time) as _time from datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\DSRMAdminLogonBehavior\" Registry.registry_value_data IN (\"*1\",\"*2\") by Registry.action Registry.registry_path Registry.registry_value_data Registry.registry_value_type Registry.process_guid Registry.dest Registry.user | `drop_dm_object_name(Registry)` | join type=outer process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes by Processes.user Processes.process_name Processes.process Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)`] | table _time action dest user parent_process_name parent_process process_name process process_guid registry_path registry_value_data registry_value_type | `windows_ad_dsrm_account_changes_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Disaster recovery events.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_ad_dsrm_account_changes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows AD DSRM Password Reset", "author": "Dean Luxton", "date": "2022-09-08", "version": 1, "id": "d1ab841c-36a6-46cf-b50f-b2b04b31182a", "description": "Aside from being used to promote genuine domain controllers, the DSRM (Directory Services Restore Mode) account can be used to persist within a Domain. A DC can be configured to allow the DSRM account to logon & be used in the same way as a local administrator account. This detection is looking for any password reset attempts against that account.", "references": ["https://adsecurity.org/?p=1714"], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "DSRM Account Password was reset on $dest$ by $user$", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` min(_time) as _time from datamodel=Change where All_Changes.result_id=\"4794\" AND All_Changes.result=\"An attempt was made to set the Directory Services Restore Mode administrator password\" by All_Changes.action, All_Changes.dest, All_Changes.src, All_Changes.user | `drop_dm_object_name(All_Changes)` | `windows_ad_dsrm_password_reset_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting eventcode `4794` and have the Advanced Security Audit policy `Audit User Account Management` within `Account Management` enabled.", "known_false_positives": "Resetting the DSRM password for legitamate reasons, i.e. forgot the password. Disaster recovery. Deploying AD backdoor deliberately.", "datamodel": ["Change"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_ad_dsrm_password_reset_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows AD Privileged Account SID History Addition", "author": "Dean Luxton", "date": "2023-11-07", "version": 2, "id": "6b521149-b91c-43aa-ba97-c2cac59ec830", "description": "This detection identifies when the SID of a privileged user is added to the SID History attribute of another user. Useful for tracking SID history abuse across multiple domains. This detection leverages the Asset and Identities framework. See the implementation section for further details on configuration.", "references": ["https://adsecurity.org/?p=1772"], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}], "message": "A Privileged User Account SID History Attribute was added to $userSid$ by $src_user$", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1134.005", "mitre_attack_technique": "SID-History Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}]}, "type": "TTP", "search": "`wineventlog_security` (EventCode=4742 OR EventCode=4738) NOT SidHistory IN (\"%%1793\", -) | rex field=SidHistory \"(^%{|^)(?P.*?)(}$|$)\" | eval category=\"privileged\" | lookup identity_lookup_expanded category, identity as SidHistory OUTPUT identity_tag as match | where isnotnull(match) | rename TargetSid as userSid | table _time action status host user userSid SidHistory Logon_ID src_user | `windows_ad_privileged_account_sid_history_addition_filter`", "how_to_implement": "Ensure you have objectSid and the Down Level Logon Name `DOMAIN\\sAMACountName` added to the identity field of your Asset and Identities lookup, along with the category of privileged for the applicable users. Ensure you are ingesting eventcodes 4742 and 4738. Two advanced audit policies `Audit User Account Management` and `Audit Computer Account Management` under `Account Management` are required to generate these event codes.", "known_false_positives": "Migration of privileged accounts.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_ad_privileged_account_sid_history_addition_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows AD Privileged Object Access Activity", "author": "Steven Dick", "date": "2023-06-01", "version": 1, "id": "dc2f58bc-8cd2-4e51-962a-694b963acde0", "description": "Windows Active Directory contains numerous objects that grant elevated access to the domain they reside in. These objects should be rarely accessed by normal users or processes. Access attempts to one or more of these objects may be evidence of attacker enumeration of Active Directory.", "references": ["https://medium.com/securonix-tech-blog/detecting-ldap-enumeration-and-bloodhound-s-sharphound-collector-using-active-directory-decoys-dfc840f2f644", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662", "https://attack.mitre.org/tactics/TA0007/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "object_name", "type": "Other", "role": ["Attacker"]}], "message": "The account $user$ accessed $object_count$ privileged AD object(s).", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT41", "BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Scattered Spider", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": "`wineventlog_security` EventCode=4662 ObjectName IN ( \"CN=Account Operators,*\", \"CN=Administrators,*\", \"CN=Backup Operators,*\", \"CN=Cert Publishers,*\", \"CN=Certificate Service DCOM Access,*\", \"CN=Domain Admins,*\", \"CN=Domain Controllers,*\", \"CN=Enterprise Admins,*\", \"CN=Enterprise Read-only Domain Controllers,*\", \"CN=Group Policy Creator Owners,*\", \"CN=Incoming Forest Trust Builders,*\", \"CN=Microsoft Exchange Servers,*\", \"CN=Network Configuration Operators,*\", \"CN=Power Users,*\", \"CN=Print Operators,*\", \"CN=Read-only Domain Controllers,*\", \"CN=Replicators,*\", \"CN=Schema Admins,*\", \"CN=Server Operators,*\", \"CN=Exchange Trusted Subsystem,*\", \"CN=Exchange Windows Permission,*\", \"CN=Organization Management,*\") | rex field=ObjectName \"CN\\=(?[^,]+)\" | stats values(Computer) as dest, values(object_name) as object_name, dc(ObjectName) as object_count, min(_time) as firstTime, max(_time) as lastTime, count by SubjectUserName | rename SubjectUserName as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_ad_privileged_object_access_activity_filter`", "how_to_implement": "Enable Audit Directory Service Access via GPO and collect event code 4662. The required SACLs need to be created for the relevant objects. Be aware Splunk filters this event by default on the Windows TA.", "known_false_positives": "Service accounts or applications that routinely query Active Directory for information.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_ad_privileged_object_access_activity_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows AD Replication Request Initiated by User Account", "author": "Dean Luxton", "date": "2024-01-05", "version": 2, "id": "51307514-1236-49f6-8686-d46d93cc2821", "description": "This alert was written to detect activity associated with the DCSync attack. When a domain controller receives a replication request, the user account permissions are validated, however no checks are performed to validate the request was initiated by a Domain Controller. Once an attacker gains control of an account with the necessary privileges, they can request password hashes for any or all users within the domain. This alert detects when a user account creates a handle to domainDNS with the necessary replication permissions.", "references": ["https://adsecurity.org/?p=1729", "https://www.linkedin.com/pulse/mimikatz-dcsync-event-log-detections-john-dwyer", "https://github.com/SigmaHQ/sigma/blob/0.22-699-g29a5c6278/rules/windows/builtin/security/win_security_dcsync.yml"], "tags": {"analytic_story": ["Credential Dumping", "Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Windows Active Directory Replication Request Initiated by User Account $user$ at $src_ip$", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.006", "mitre_attack_technique": "DCSync", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Earth Lusca", "LAPSUS$"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "type": "TTP", "search": "`wineventlog_security` EventCode=4662 ObjectType IN (\"%{19195a5b-6da0-11d0-afd3-00c04fd930c9}\", \"domainDNS\") AND Properties IN (\"*Replicating Directory Changes All*\", \"*{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}*\", \"*{9923a32a-3607-11d2-b9be-0000f87a36b2}*\",\"*{1131f6ac-9c07-11d1-f79f-00c04fc2dcd2}*\") AND AccessMask=\"0x100\" AND NOT (SubjectUserSid=\"NT AUT*\" OR SubjectUserSid=\"S-1-5-18\" OR SubjectDomainName=\"Window Manager\" OR SubjectUserName=\"*$\") | stats min(_time) as _time, count by SubjectDomainName, SubjectUserName, Computer, Logon_ID, ObjectName, ObjectServer, ObjectType, OperationType, status | rename SubjectDomainName as Target_Domain, SubjectUserName as user, Logon_ID as TargetLogonId, _time as attack_time | appendpipe [| map search=\"search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$\"] | table attack_time, AuthenticationPackageName, LogonProcessName, LogonType, TargetUserSid, Target_Domain, user, Computer, TargetLogonId, status, src_ip, src_category, ObjectName, ObjectServer, ObjectType, OperationType | stats min(attack_time) as _time values(TargetUserSid) as TargetUserSid, values(Target_Domain) as Target_Domain, values(user) as user, values(Computer) as Computer, values(status) as status, values(src_category) as src_category, values(src_ip) as src_ip by TargetLogonId | `windows_ad_replication_request_initiated_by_user_account_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting eventcode `4662`. The Advanced Security Audit policy settings `Audit Directory Services Access` within `DS Access` needs to be enabled, as well as the following SACLs applied to the domain root and all descendant objects. The principals `everybody`, `Domain Computers`, and `Domain Controllers` auditing the permissions `Replicating Directory Changes`, `Replicating Directory Changes All`, and `Replicating Directory Changes In Filtered Set`", "known_false_positives": "Azure AD Connect syncing operations.", "datamodel": ["Authentication", "Change"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_ad_replication_request_initiated_by_user_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows AD Replication Request Initiated from Unsanctioned Location", "author": "Dean Luxton", "date": "2024-01-05", "version": 3, "id": "50998483-bb15-457b-a870-965080d9e3d3", "description": "This alert was written to detect activity associated with the DCSync attack performed by computer accounts. When a domain controller receives a replication request, the account permissions are validated, however no checks are performed to validate the request was initiated by a Domain Controller. Once an attacker gains control of an account with the necessary privileges, they can request password hashes for any or all users within the domain. This alert detects when a computer account account creates a handle to domainDNS with the necessary replication permissions. These requests are then filtered to exclude where the events originate from a known domain controller IP address.", "references": ["https://adsecurity.org/?p=1729", "https://www.linkedin.com/pulse/mimikatz-dcsync-event-log-detections-john-dwyer", "https://github.com/SigmaHQ/sigma/blob/0.22-699-g29a5c6278/rules/windows/builtin/security/win_security_dcsync.yml"], "tags": {"analytic_story": ["Credential Dumping", "Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Windows Active Directory Replication Request Initiated from Unsanctioned Location $src_ip$ by $user$", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.006", "mitre_attack_technique": "DCSync", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Earth Lusca", "LAPSUS$"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "type": "TTP", "search": "`wineventlog_security` EventCode=4662 ObjectType IN (\"%{19195a5b-6da0-11d0-afd3-00c04fd930c9}\", \"domainDNS\") AND Properties IN (\"*Replicating Directory Changes All*\", \"*{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}*\", \"*{9923a32a-3607-11d2-b9be-0000f87a36b2}*\",\"*{1131f6ac-9c07-11d1-f79f-00c04fc2dcd2}*\") AND AccessMask=\"0x100\" AND (SubjectUserSid=\"NT AUT*\" OR SubjectUserSid=\"S-1-5-18\" OR SubjectDomainName=\"Window Manager\" OR SubjectUserName=\"*$\") | stats min(_time) as attack_time, count by SubjectDomainName, SubjectUserName, Computer, Logon_ID, ObjectName, ObjectServer, ObjectType, OperationType, status | rename SubjectDomainName as Target_Domain, SubjectUserName as user, Logon_ID as TargetLogonId | appendpipe [| map search=\"search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$\"] | table attack_time, AuthenticationPackageName, LogonProcessName, LogonType, TargetUserSid, Target_Domain, user, Computer, TargetLogonId, status, src_ip, src_category, ObjectName, ObjectServer, ObjectType, OperationType | stats min(attack_time) as _time, values(TargetUserSid) as TargetUserSid, values(Target_Domain) as Target_Domain, values(user) as user, values(Computer) as Computer, values(status) as status, values(src_category) as src_category, values(src_ip) as src_ip by TargetLogonId | search NOT src_category=\"domain_controller\" | `windows_ad_replication_request_initiated_from_unsanctioned_location_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting eventcode `4662`. The Advanced Security Audit policy settings `Audit Directory Services Access` within `DS Access` needs to be enabled, as well as the following SACLs applied to the domain root and all descendant objects. The principals `everybody`, `Domain Computers`, and `Domain Controllers` auditing the permissions `Replicating Directory Changes`, `Replicating Directory Changes All`, and `Replicating Directory Changes In Filtered Set` Assets and Identities will also need to be configured, with the category of domain_controller added for domain controllers.", "known_false_positives": "Genuine DC promotion may trigger this alert.", "datamodel": ["Authentication", "Change"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_ad_replication_request_initiated_from_unsanctioned_location_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows AD Same Domain SID History Addition", "author": "Dean Luxton", "date": "2022-09-09", "version": 2, "id": "5fde0b7c-df7a-40b1-9b3a-294c00f0289d", "description": "The following analytic looks for changes to the sIDHistory AD attribute of user or computer objects which exist within the same domain. The SID history AD attribute allows users to inherit permissions from a separate AD account without group changes. Initially developed for access continuity when migrating user accounts to different domains, this attribute can also be abused by adversaries to stealthily grant access to a backdoor account within the same domain. This analytic was written to pick up on activity via Mimikatz sid::patch. Please note there are additional avenues to abuse SID history such as DCShadow & Golden / Diamond tickets which won't be detected using these event codes.", "references": ["https://adsecurity.org/?p=1772", "https://learn.microsoft.com/en-us/windows/win32/adschema/a-sidhistory?redirectedfrom=MSDN", "https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-unsecure-sid-history-attribute", "https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/sid-history-injection"], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks", "Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Active Directory SID History Attribute was added to $user$ by $src_user$", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1134.005", "mitre_attack_technique": "SID-History Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}]}, "type": "TTP", "search": "`wineventlog_security` (EventCode=4742 OR EventCode=4738) NOT SidHistory IN (\"%%1793\", -) | rex field=SidHistory \"(^%{|^)(?P.*)(\\-|\\\\\\)\" | rex field=TargetSid \"^(?P.*)(\\-|\\\\\\)\" | where SidHistoryMatch=TargetSidmatch OR SidHistoryMatch=TargetDomainName | rename TargetSid as userSid, TargetDomainName as userDomainName | table _time action status host user userSid userDomainName SidHistory Logon_ID src_user | `windows_ad_same_domain_sid_history_addition_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting eventcodes `4738` and `4742`. The Advanced Security Audit policy settings `Audit User Account Management` and `Audit Computer Account Management` within `Account Management` all need to be enabled. SID resolution is not required..", "known_false_positives": "Unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_ad_same_domain_sid_history_addition_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows AD ServicePrincipalName Added To Domain Account", "author": "Mauricio Velazco, Splunk", "date": "2023-11-07", "version": 2, "id": "8a1259cb-0ea7-409c-8bfe-74bad89259f9", "description": "The following analytic identifies the addition of a Service Principal Name to a domain account. While this event may be part of a legitimate action part of certain administrative operations, it may also be evidence of a persistence attack. Domain accounts with Servce Principal Names are vulnerable to a technique called Kerberoasting that enables attackers to potentially obtain the cleartext password of the account by performing offline cracking. An adversary who has obtained privileged access to a domain environment may add an SPN to a privileged account to then leverage the Kerberoasting technique and attempt to obtain its clertext password.", "references": ["https://adsecurity.org/?p=3466", "https://www.thehacker.recipes/ad/movement/dacl/targeted-kerberoasting", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting"], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "ObjectDN", "type": "User", "role": ["Victim"]}], "message": "A Servince Principal Name for $ObjectDN$ was set by $user$", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}]}, "type": "TTP", "search": " `wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=servicePrincipalName OperationType=\"%%14674\" | stats values(ObjectDN) as ObjectDN by _time, Computer, SubjectUserName, AttributeValue | rename Computer as dest SubjectUserName as user | `windows_ad_serviceprincipalname_added_to_domain_account_filter`", "how_to_implement": "To successfully implement this search, you ned to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. Additionally, a SACL needs to be created for AD objects in order to ingest attribute modifications.", "known_false_positives": "A Service Principal Name should only be added to an account when an application requires it. While infrequent, this detection may trigger on legitimate actions. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_ad_serviceprincipalname_added_to_domain_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows AD Short Lived Domain Account ServicePrincipalName", "author": "Mauricio Velazco, Splunk", "date": "2022-11-18", "version": 1, "id": "b681977c-d90c-4efc-81a5-c58f945fb541", "description": "The following analytic identifies the addition of a Service Principal Name to a domain account that is quickly deleted within 5 minutes or less. While this event may be part of a legitimate action part of certain administrative operations, it may also be evidence of a persistence attack. Domain accounts with Service Principal Names are vulnerable to a technique called Kerberoasting that enables attackers to potentially obtain the cleartext password of the account by performing offline cracking. An adversary who has obtained privileged access to a domain environment may add an SPN to a privileged account to then leverage the Kerberoasting technique and attempt to obtain its clertext password. To clean things up, the adversary may delete the SPN which will trigger this detection.", "references": ["https://adsecurity.org/?p=3466", "https://www.thehacker.recipes/ad/movement/dacl/targeted-kerberoasting", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting"], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A Servince Principal Name for $user$ was set and shortly deleted", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}]}, "type": "TTP", "search": " `wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=servicePrincipalName | transaction ObjectDN AttributeValue startswith=(EventCode=5136 OperationType=\"%%14674\") endswith=(EventCode=5136 OperationType=\"%%14675\") | eval short_lived=case((duration<300),\"TRUE\") | search short_lived = TRUE | rename ObjectDN as user | `windows_ad_short_lived_domain_account_serviceprincipalname_filter`", "how_to_implement": "To successfully implement this search, you ned to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. Additionally, a SACL needs to be created for AD objects in order to ingest attribute modifications.", "known_false_positives": "A Service Principal Name should only be added to an account when an application requires it. Adding an SPN and quickly deleting it is less common but may be part of legitimate action. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_ad_short_lived_domain_account_serviceprincipalname_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows AD Short Lived Domain Controller SPN Attribute", "author": "Dean Luxton", "date": "2023-11-07", "version": 3, "id": "57e27f27-369c-4df8-af08-e8c7ee8373d4", "description": "The following analytic identifies when either a global catalog SPN or a DRS RPC SPN are temporarily added to an Active Directory computer object, both of which can be evidence of a DCShadow attack. DCShadow allows an attacker who has obtained privileged access to register a rogue Domain Controller (DC). Once registered, the rogue DC may be able to inject and replicate changes into the AD infrastructure for any domain object, including credentials and keys. This technique was initially released in 2018 by security researchers Benjamin Delpy and Vincent Le Toux. No event logs are written for changes to AD attributes, allowing for stealthy backdoors to be implanted in the domain, or metadata such as timestamps overwritten to cover tracks.", "references": ["https://www.dcshadow.com/", "https://blog.netwrix.com/2022/09/28/dcshadow_attack/", "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", "https://attack.mitre.org/techniques/T1207/", "https://blog.alsid.eu/dcshadow-explained-4510f52fc19d"], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}], "message": "Short Lived Domain Controller SPN AD Attribute Triggered by $src_user$", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1207", "mitre_attack_technique": "Rogue Domain Controller", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "`wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=servicePrincipalName (AttributeValue=\"GC/*\" OR AttributeValue=\"E3514235-4B06-11D1-AB04-00C04FC2DCD2/*\") | stats min(_time) as _time range(_time) as duration values(OperationType) as OperationType values(user) as user values(src_ip) as src_ip values(src_nt_domain) as src_nt_domain values(src_user) as src_user values(Computer) as dest, values(ObjectDN) as ObjectDN by Logon_ID | eval short_lived=case((duration<30),\"TRUE\") | where short_lived=\"TRUE\" AND mvcount(OperationType)>1 | replace \"%%14674\" with \"Value Added\", \"%%14675\" with \"Value Deleted\" in OperationType | rename Logon_ID as TargetLogonId | appendpipe [| map search=\"search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$\"] | stats min(_time) as _time, values(ObjectDN) as ObjectDN values(OperationType) as OperationType by TargetLogonId src_user dest | `windows_ad_short_lived_domain_controller_spn_attribute_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled, alongside a SACL for `everybody` to `Write All Properties` applied to the domain root and all descendant objects.", "known_false_positives": "None.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_ad_short_lived_domain_controller_spn_attribute_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows AD Short Lived Server Object", "author": "Mauricio Velazco, Splunk", "date": "2022-10-17", "version": 1, "id": "193769d3-1e33-43a9-970e-ad4a88256cdb", "description": "The following analytic identifies a change in an Active Directory environment that could represent evidence of the DCShadow attack. DCShadow allows an attacker who has obtained privileged access to register a rogue Domain Controller (DC). Once registered, the rogue DC may be able to inject and replicate changes in the AD infrastructure for any domain object, including credentials and keys. This technique was initially released in 2018 by security researchers Benjamin Delpy and Vincent Le Toux. Specifically, the detection will trigger when a possible rogue Domain Controller computer object is created and quickly deleted within 30 seconds or less in an Active Directory domain. This behavior was identfied by simulating the DCShadow attack with Mimikatz.", "references": ["https://www.dcshadow.com/", "https://attack.mitre.org/techniques/T1207/", "https://stealthbits.com/blog/detecting-dcshadow-with-event-logs/", "https://pentestlab.blog/2018/04/16/dcshadow/", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5137", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5141"], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "SubjectUserName", "type": "User", "role": ["Attacker"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "Potential DCShadow Attack Detected on $Computer$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1207", "mitre_attack_technique": "Rogue Domain Controller", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "type": "TTP", "search": " `wineventlog_security` EventCode=5137 OR EventCode=5141 ObjectDN=\"*CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration*\" | transaction ObjectDN startswith=(EventCode=5137) endswith=(EventCode=5141) | eval short_lived=case((duration<30),\"TRUE\") | search short_lived = TRUE | stats values(ObjectDN) values(signature) values(EventCode) by _time, Computer, SubjectUserName | `windows_ad_short_lived_server_object_filter`", "how_to_implement": "To successfully implement this search, you ned to be ingesting Event codes `5137` and `5141`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. For these event codes to be generated, specific SACLs are required.", "known_false_positives": "Creating and deleting a server object within 30 seconds or less is unusual but not impossible in a production environment. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_ad_short_lived_server_object_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows AD SID History Attribute Modified", "author": "Mauricio Velazco, Splunk", "date": "2022-11-16", "version": 1, "id": "1155e47d-307f-4247-beab-71071e3a458c", "description": "The following analytic leverages event code `5136` to identify a modification of the SID History AD attribute. The SID history AD attribute allows users to inherit permissions from a separate AD account without group changes. Initially developed for access continuity when migrating user accounts to different domains, this attribute can also be abused by adversaries to stealthily grant access to a backdoor account within the same domain.", "references": ["https://adsecurity.org/?p=1772", "https://learn.microsoft.com/en-us/windows/win32/adschema/a-sidhistory?redirectedfrom=MSDN", "https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-unsecure-sid-history-attribute", "https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/sid-history-injection"], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "SID History AD attribute modified by $SubjectUserName$ for $ObjectDN$ on $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1134.005", "mitre_attack_technique": "SID-History Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "TTP", "search": " `wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=sIDHistory OperationType=\"%%14674\" | stats values(ObjectDN) as ObjectDN by _time, Computer, SubjectUserName, AttributeValue | rename Computer as dest | `windows_ad_sid_history_attribute_modified_filter`", "how_to_implement": "To successfully implement this search, you ned to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. Additionally, a SACL needs to be created for AD objects in order to ingest attribute modifications.", "known_false_positives": "Domain mergers and migrations may generate large volumes of false positives for this analytic.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_ad_sid_history_attribute_modified_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows AdFind Exe", "author": "Jose Hernandez, Bhavin Patel, Splunk", "date": "2023-06-13", "version": 3, "id": "bd3b0187-189b-46c0-be45-f52da2bae67f", "description": "This search looks for the execution of `adfind.exe` with command-line arguments that it uses by default specifically the filter or search functions. It also considers the arguments necessary like objectcategory, see readme for more details: https://www.joeware.net/freetools/tools/adfind/usage.htm. AdFind.exe is a powerful tool that is commonly used for querying and retrieving information from Active Directory (AD). While it is primarily designed for AD administration and management, it has been seen used before by Wizard Spider, FIN6 and actors whom also launched SUNBURST.", "references": ["https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", "https://www.mandiant.com/resources/a-nasty-trick-from-credential-theft-malware-to-business-disruption", "https://www.joeware.net/freetools/tools/adfind/index.htm", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"analytic_story": ["Domain Trust Discovery", "Graceful Wipe Out Attack", "IcedID", "NOBELIUM Group"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Windows AdFind Exe", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Akira", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Scattered Spider", "Silence", "Threat Group-3390", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process=\"* -f *\" OR Processes.process=\"* -b *\") AND (Processes.process=*objectcategory* OR Processes.process=\"* -gcb *\" OR Processes.process=\"* -sc *\") by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_adfind_exe_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "ADfind is a command-line tool for AD administration and management that is seen to be leveraged by various adversaries. Filter out legitimate administrator usage using the filter macro.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_adfind_exe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Admin Permission Discovery", "author": "Teoderick Contreras, Splunk", "date": "2023-09-19", "version": 1, "id": "e08620cb-9488-4052-832d-97bcc0afd414", "description": "This analytic is developed to identify suspicious file creation in the root drive (C:\\). This tactic was observed in NjRAT as a means to ascertain whether its malware instance running on the compromised host possesses administrative privileges. The methodology involves an attempt to create a 'win.dat' file in the C:\\ directory. If this file is successfully created, it serves as an indicator that the process indeed holds administrative privileges. This anomaly detection mechanism serves as a valuable pivot point for detecting NjRAT and other malware strains employing similar techniques to assess the privileges of their running malware instances, without using token privilege API calls or PowerShell commandlets.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat"], "tags": {"analytic_story": ["NjRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}], "message": "A file was created in root drive C:/ on host - $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}]}, "type": "Anomaly", "search": "|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*.exe\", \"*.dll\", \"*.sys\", \"*.com\", \"*.vbs\", \"*.vbe\", \"*.js\", \"*.bat\", \"*.cmd\", \"*.pif\", \"*.lnk\", \"*.dat\") by Filesystem.dest Filesystem.file_create_time Filesystem.process_id Filesystem.process_guid Filesystem.file_name Filesystem.file_path Filesystem.user | `drop_dm_object_name(Filesystem)` | eval dropped_file_path = split(file_path, \"\\\\\") | eval dropped_file_path_split_count = mvcount(dropped_file_path) | eval root_drive = mvindex(dropped_file_path,0) | where LIKE(root_drive, \"C:\") AND dropped_file_path_split_count = 2 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_admin_permission_discovery_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.", "known_false_positives": "False positives may occur if there are legitimate accounts with the privilege to drop files in the root of the C drive. It's recommended to verify the legitimacy of such actions and the accounts involved.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_admin_permission_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Administrative Shares Accessed On Multiple Hosts", "author": "Mauricio Velazco, Splunk", "date": "2023-03-23", "version": 1, "id": "d92f2d95-05fb-48a7-910f-4d3d61ab8655", "description": "The following analytic leverages Event IDs 5140 or 5145 to identify a source computer accessing windows administrative shares (C$, Admin$ and IPC$ ) across a large number remote endpoints. Specifically, the logic will trigger when a source endpoint accesses administrative shares across 30 or more target computers within a 5 minute timespan. This behavior could represent an adversary who is enumerating network shares across an Active Directory environment in the search for sensitive files, a common technique leveraged by red teamers and threat actors. As environments differ across organizations, security teams should customize the thresholds of this detection as needed.", "references": ["https://attack.mitre.org/techniques/T1135/", "https://en.wikipedia.org/wiki/Administrative_share", "https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5140", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "host_targets", "type": "Endpoint", "role": ["Victim"]}, {"name": "IpAddress", "type": "Endpoint", "role": ["Attacker"]}], "message": "$IpAddress$ accessed the IPC share on more than 30 endpoints in a timespan of 5 minutes.", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1135", "mitre_attack_technique": "Network Share Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT32", "APT38", "APT39", "APT41", "Chimera", "DarkVishnya", "Dragonfly", "FIN13", "Sowbug", "Tonto Team", "Tropic Trooper", "Wizard Spider"]}]}, "type": "TTP", "search": " `wineventlog_security` EventCode=5140 OR EventCode=5145 (ShareName=\"\\\\\\\\*\\\\ADMIN$\" OR ShareName=\"\\\\\\\\*\\\\IPC$\" OR ShareName=\"\\\\\\\\*\\\\C$\") | bucket span=5m _time | stats dc(Computer) AS unique_targets values(Computer) as host_targets values(ShareName) as shares by _time, IpAddress, SubjectUserName, EventCode | where unique_targets > 30 | `windows_administrative_shares_accessed_on_multiple_hosts_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting file share events. The Advanced Security Audit policy setting `Audit Detailed File Share` or `Audit File Share` within `Object Access` need to be enabled.", "known_false_positives": "An single endpoint accessing windows administrative shares across a large number of endpoints is not common behavior. Possible false positive scenarios include but are not limited to vulnerability scanners, administration systems and missconfigured systems.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_administrative_shares_accessed_on_multiple_hosts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Admon Default Group Policy Object Modified", "author": "Mauricio Velazco, Splunk", "date": "2023-03-29", "version": 1, "id": "83458004-db60-4170-857d-8572f16f070b", "description": "The following analytic leverages Splunks Admon to identify the modification of a default Group Policy Object. A fresh installation of an Active Directory network will typically contain two default group policy objects `Default Domain Controllers Policy` and `Default Domain Policy`. The default domain controllers policy is used to enforce and set policies to all the domain controllers within the domain environment. The default domain policy is linked to all users and computers by default. An adversary who has obtained privileged access to an Active Directory network may modify the default group policy objects to obtain further access, deploy persistence or execute malware across a large number of hosts. Security teams should monitor the modification of the default GPOs.", "references": ["https://attack.mitre.org/techniques/T1484/", "https://attack.mitre.org/techniques/T1484/001", "https://www.trustedsec.com/blog/weaponizing-group-policy-objects-access/", "https://adsecurity.org/?p=2716", "https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/Data/MonitorActiveDirectory"], "tags": {"analytic_story": ["Active Directory Privilege Escalation", "Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dcName", "type": "Endpoint", "role": ["Victim"]}], "message": "A default domain group policy was updated on $dcName$", "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1484", "mitre_attack_technique": "Domain or Tenant Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1484.001", "mitre_attack_technique": "Group Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Cinnamon Tempest", "Indrik Spider"]}]}, "type": "TTP", "search": " `admon` admonEventType=Update objectCategory=\"CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=*\" (displayName=\"Default Domain Policy\" OR displayName=\"Default Domain Controllers Policy\") | stats min(_time) as firstTime max(_time) as lastTime values(gPCFileSysPath) by dcName, displayName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_admon_default_group_policy_object_modified_filter`", "how_to_implement": "To successfully implement this search, you need to be monitoring Active Directory logs using Admon. Details can be found here https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/Data/MonitorActiveDirectory", "known_false_positives": "The default Group Policy Objects within an AD network may be legitimately updated for administrative operations, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "admon", "definition": "source=ActiveDirectory", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_admon_default_group_policy_object_modified_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Admon Group Policy Object Created", "author": "Mauricio Velazco, Splunk", "date": "2023-04-06", "version": 1, "id": "69201633-30d9-48ef-b1b6-e680805f0582", "description": "The following analytic leverages Splunks Admon to identify the creation of a new Group Policy Object. With GPOs, system administrators can manage and configure applications, software operations, and user settings throughout an entire organization. GPOs can be abused and leveraged by adversaries to escalate privileges or deploy malware across an Active Directory network. As an example, the Lockbit ransomware malware will create new group policies on the domain controller that are then pushed out to every device on the network. Security teams should monitor the creation of new Group Policy Objects.", "references": ["https://attack.mitre.org/techniques/T1484/", "https://attack.mitre.org/techniques/T1484/001", "https://www.trustedsec.com/blog/weaponizing-group-policy-objects-access/", "https://adsecurity.org/?p=2716", "https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/Data/MonitorActiveDirectory"], "tags": {"analytic_story": ["Active Directory Privilege Escalation", "Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dcName", "type": "Endpoint", "role": ["Victim"]}], "message": "A new group policy objected was created on $dcName$", "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1484", "mitre_attack_technique": "Domain or Tenant Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1484.001", "mitre_attack_technique": "Group Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Cinnamon Tempest", "Indrik Spider"]}]}, "type": "TTP", "search": " `admon` admonEventType=Update objectCategory=\"CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=*\" versionNumber=0 displayName!=\"New Group Policy Object\" | stats min(_time) as firstTime max(_time) as lastTime values(gPCFileSysPath) by dcName, displayName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_admon_group_policy_object_created_filter`", "how_to_implement": "To successfully implement this search, you need to be monitoring Active Directory logs using Admon. Details can be found here https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/Data/MonitorActiveDirectory", "known_false_positives": "Group Policy Objects are created as part of regular administrative operations, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "admon", "definition": "source=ActiveDirectory", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_admon_group_policy_object_created_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Alternate DataStream - Base64 Content", "author": "Steven Dick, Teoderick Contreras, Michael Haag, Splunk", "date": "2024-02-15", "version": 2, "id": "683f48de-982f-4a7e-9aac-9cec550da498", "description": "This analytic leverages Sysmon EventID 15, a critical file creation event, to detect the creation of Alternate Data Streams (ADS) on Windows systems. ADS is a feature of the NTFS file system that allows the storage of data in hidden streams attached to files. These streams are not visible in standard file listings, making them a popular technique for concealing malicious activity. Event ID 15 captures both the hash of the primary file content (unnamed stream) and the content of any additional named streams, which can include executables, scripts, or configuration data. Malware often exploits ADS to hide payloads, leveraging browser downloads to attach a Zone.Identifier stream, marking the file as originating from the Internet (Mark Of The Web, MOTW). This analytic is designed to identify such misuse by analyzing the content and creation patterns of named streams, including those under 1KB which may contain MOTW information. It is essential for detecting sophisticated threats that utilize non-executable file types or conceal malicious scripts within ADS, beyond the traditional focus on PE executables. The detection process involves monitoring for the creation of named streams, which are part of the NTFS structure and can be examined using tools like PowerShell for the presence of additional data streams or MOTW information. This approach helps in uncovering hidden payloads and tracking the origin of suspicious files downloaded via browsers or email clients, providing a comprehensive defense against ADS abuse.", "references": ["https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", "https://car.mitre.org/analytics/CAR-2020-08-001/", "https://blogs.juniper.net/en-us/threat-research/bitpaymer-ransomware-hides-behind-windows-alternate-data-streams", "https://blog.netwrix.com/2022/12/16/alternate_data_stream/", "https://github.com/trustedsec/SysmonCommunityGuide/blob/master/chapters/file-stream-creation-hash.md"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User Name", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}], "message": "Base64 content written to an NTFS alternate data stream by $user$, see command field for details.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1564", "mitre_attack_technique": "Hide Artifacts", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1564.004", "mitre_attack_technique": "NTFS File Attributes", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32"]}]}, "type": "TTP", "search": "`sysmon` EventCode=15 NOT Contents IN (\"-\",\"[ZoneTransfer]*\") | regex TargetFilename=\"(?.{8})\" max_match=0 | lookup char_conversion_matrix bin as b64x_by8 output ascii as b64x_out | eval $b64in$_decode=mvjoin(b64x_out,\"\") | fields - b64x_* | eval $b64in$_decode = replace(replace($b64in$_decode,\":NUL:\",\"\"),\":SPACE:\",\" \") | rex field=$b64in$_decode mode=sed \"s/\\x00//g\"", "description": "Content based conversion of UTF8/UTF16 based base64 encoding. Not a full implementation, but good enough for context without additional app installation.", "arguments": ["b64in"]}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_alternate_datastream___base64_content_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Alternate DataStream - Executable Content", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-02-15", "version": 2, "id": "a258bf2a-34fd-4986-8086-78f506e00206", "description": "This analytic is designed to detect when data, possessing an IMPHASH value, is written to an Alternate Data Stream (ADS) in the NTFS file system. The presence of an IMPHASH value suggests that the written data has a Portable Executable (PE) structure, indicating its potential to be executed. Such behavior could be a sign of a threat actor staging malicious code within hard-to-detect areas of the file system for future use or persistence. It's important to note that for this analytic to function correctly, import hashing/imphash must be enabled within Sysmon. This allows the capture of the IMPHASH value, a unique identifier for the imported functions of a PE, providing a robust mechanism for detecting hidden malicious activity leveraging ADS.", "references": ["https://car.mitre.org/analytics/CAR-2020-08-001/", "https://blogs.juniper.net/en-us/threat-research/bitpaymer-ransomware-hides-behind-windows-alternate-data-streams", "https://twitter.com/0xrawsec/status/1002478725605273600?s=21"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User Name", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}, {"name": "file_hash", "type": "File Hash", "role": ["Attacker"]}], "message": "Base64 content written to an NTFS alternate data stream by $user$, see command field for details.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1564", "mitre_attack_technique": "Hide Artifacts", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1564.004", "mitre_attack_technique": "NTFS File Attributes", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32"]}]}, "type": "TTP", "search": "`sysmon` EventCode=15 IMPHASH!=00000000000000000000000000000000 | regex TargetFilename=\"(? upperBound, \"Yes\", \"No\") | where anomaly=\"Yes\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_applocker_execution_from_uncommon_locations_filter`", "how_to_implement": "The analytic is designed to be run against Windows AppLocker event logs collected from endpoints with AppLocker enabled. If using Microsoft Defender for Endpoint (MDE), modify the analytic to use EventTypes/ActionTypes that match the block events for AppLocker. The analytic requires the AppLocker event logs to be ingested into Splunk. Note that, an additional method to reduce any false positives would be to add the specific EventCodes - 8003 or 8004 and filter from there. Upon tuning, modify to Anomaly or TTP.", "known_false_positives": "False positives are possible if legitimate users are executing applications from file paths that are not permitted by AppLocker. It is recommended to investigate the context of the application execution to determine if it is malicious or not. Modify the threshold as needed to reduce false positives.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "applocker", "definition": "(source=\"WinEventLog:Microsoft-Windows-AppLocker/*\" OR source=\"XmlWinEventLog:Microsoft-Windows-AppLocker/*\")", "description": "This macro is designed to simplify the search for AppLocker events by providing a predefined search query. AppLocker, a feature in Windows, helps administrators control which executables, scripts, and libraries can run on their systems. By using this macro, analysts can quickly query AppLocker logs to monitor application control policies and investigate potential unauthorized software executions or policy violations. To modify this macro for a customer environment, you may need to adjust the source field to match the specific log source or index where AppLocker events are stored. Additionally, if the organization uses custom naming conventions or has AppLocker logs aggregated with other data, further refinement of the search query might be necessary to accurately filter for relevant events."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_applocker_execution_from_uncommon_locations_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows AppLocker Privilege Escalation via Unauthorized Bypass", "author": "Michael Haag, Splunk", "date": "2024-03-21", "version": 2, "id": "bca48629-7fa2-40d3-9e5d-807564504e28", "description": "The following analytic utilizes Windows AppLocker event logs to identify attempts to bypass application restrictions. AppLocker is a feature that allows administrators to specify which applications are permitted to run on a system. This analytic is designed to identify attempts to bypass these restrictions, which could be indicative of an attacker attempting to escalate privileges. The analytic uses EventCodes 8007, 8004, 8022, 8025, 8029, and 8040 to identify these attempts. The analytic will identify the host, full file path, and target user associated with the bypass attempt. These EventCodes are related to block events and focus on 5 attempts or more.", "references": ["https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/querying-application-control-events-centrally-using-advanced-hunting", "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker"], "tags": {"analytic_story": ["Windows AppLocker"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An attempt to bypass application restrictions was detected on a host $dest$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "type": "TTP", "search": "`applocker` EventCode IN (8007, 8004, 8022, 8025, 8029, 8040) | spath input=UserData_Xml | rename RuleAndFileData.* as *, Computer as dest, TargetUser AS user | stats count AS attempt_count min(_time) as firstTime max(_time) as lastTime by dest, PolicyName, RuleId, user, TargetProcessId, FilePath, FullFilePath, EventCode | where attempt_count > 5 | sort - attempt_count | lookup applockereventcodes EventCode OUTPUT Description | `windows_applocker_privilege_escalation_via_unauthorized_bypass_filter`", "how_to_implement": "The analytic is designed to be run against Windows AppLocker event logs collected from endpoints with AppLocker enabled. If using Microsoft Defender for Endpoint (MDE), modify the analytic to use EventTypes/ActionTypes that match the block events for AppLocker. The analytic requires the AppLocker event logs to be ingested into Splunk.", "known_false_positives": "False positives are possible if legitimate users are attempting to bypass application restrictions. This could occur if a user is attempting to run an application that is not permitted by AppLocker. It is recommended to investigate the context of the bypass attempt to determine if it is malicious or not. Modify the threshold as needed to reduce false positives.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "applocker", "definition": "(source=\"WinEventLog:Microsoft-Windows-AppLocker/*\" OR source=\"XmlWinEventLog:Microsoft-Windows-AppLocker/*\")", "description": "This macro is designed to simplify the search for AppLocker events by providing a predefined search query. AppLocker, a feature in Windows, helps administrators control which executables, scripts, and libraries can run on their systems. By using this macro, analysts can quickly query AppLocker logs to monitor application control policies and investigate potential unauthorized software executions or policy violations. To modify this macro for a customer environment, you may need to adjust the source field to match the specific log source or index where AppLocker events are stored. Additionally, if the organization uses custom naming conventions or has AppLocker logs aggregated with other data, further refinement of the search query might be necessary to accurately filter for relevant events."}, {"name": "windows_applocker_privilege_escalation_via_unauthorized_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "applockereventcodes", "description": "A csv of the ID and rule name for AppLocker event codes.", "filename": "applockereventcodes.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(AppLocker_Event_Code)", "min_matches": 1, "fields_list": null}]}, {"name": "Windows AppLocker Rare Application Launch Detection", "author": "Michael Haag, Splunk", "date": "2024-03-21", "version": 1, "id": "9556f7b7-285f-4f18-8eeb-963d989f9d27", "description": "This analytic is designed to detect the launch of applications that occur rarely within the environment, which could indicate the use of potentially malicious software or tools by attackers. It works by aggregating the count of application launches over time, then calculating the average and standard deviation of these counts. Applications whose launch counts significantly deviate from the norm, either by exceeding or falling below three standard deviations from the average, are flagged for further investigation. This approach helps in identifying unusual application activity that could be indicative of a security threat.", "references": ["https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker", "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/querying-application-control-events-centrally-using-advanced-hunting"], "tags": {"analytic_story": ["Windows AppLocker"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An application launch that deviates from the norm was detected on a host $dest$.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "type": "Hunting", "search": "`applocker` | spath input=UserData_Xml | rename RuleAndFileData.* as *, Computer as dest, TargetUser AS user | stats dc(_time) as days, count by FullFilePath dest user | eventstats avg(count) as avg, stdev(count) as stdev | eval upperBound=(avg+stdev*3), lowerBound=(avg-stdev*3) | where count > upperBound OR count < lowerBound | `windows_applocker_rare_application_launch_detection_filter`", "how_to_implement": "The analytic is designed to be run against Windows AppLocker event logs collected from endpoints with AppLocker enabled. If using Microsoft Defender for Endpoint (MDE), modify the analytic to use EventTypes/ActionTypes that match the block events for AppLocker. The analytic requires the AppLocker event logs to be ingested into Splunk. Note that, an additional method to reduce any false positives would be to add the specific EventCodes - 8003 or 8004 and filter from there.", "known_false_positives": "False positives are possible if legitimate users are launching applications that are not permitted by AppLocker. It is recommended to investigate the context of the application launch to determine if it is malicious or not. Modify the threshold as needed to reduce false positives.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "applocker", "definition": "(source=\"WinEventLog:Microsoft-Windows-AppLocker/*\" OR source=\"XmlWinEventLog:Microsoft-Windows-AppLocker/*\")", "description": "This macro is designed to simplify the search for AppLocker events by providing a predefined search query. AppLocker, a feature in Windows, helps administrators control which executables, scripts, and libraries can run on their systems. By using this macro, analysts can quickly query AppLocker logs to monitor application control policies and investigate potential unauthorized software executions or policy violations. To modify this macro for a customer environment, you may need to adjust the source field to match the specific log source or index where AppLocker events are stored. Additionally, if the organization uses custom naming conventions or has AppLocker logs aggregated with other data, further refinement of the search query might be necessary to accurately filter for relevant events."}, {"name": "windows_applocker_rare_application_launch_detection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Archive Collected Data via Powershell", "author": "Teoderick Contreras, Splunk", "date": "2023-12-19", "version": 1, "id": "74c5a3b0-27a7-463c-9d00-1a5bb12cb7b5", "description": "The following analytic identifies suspicious PowerShell script that archive files to a temp folder. This anomaly detection serves as a valuable indicator to uncover threats from adversaries utilizing PowerShell scripts for data archiving purposes. Identifying this method becomes pivotal in flagging and investigating potential threats, enabling proactive measures threat actors leveraging similar PowerShell-based data collection and archiving techniques.", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a"], "tags": {"analytic_story": ["CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Windows Archive Collected Data via Powershell on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}]}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Compress-Archive*\" ScriptBlockText = \"*\\\\Temp\\\\*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_archive_collected_data_via_powershell_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "powershell may used this function to archive data.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_archive_collected_data_via_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Archive Collected Data via Rar", "author": "Teoderick Contreras, Splunk", "date": "2023-11-23", "version": 1, "id": "2015de95-fe91-413d-9d62-2fe011b67e82", "description": "The following analytic identifies a process execute a rar utilities to archive files. This method has been exploited by various threat actors, including red-teamers and malware like DarkGate, to gather and compress collected data on compromised hosts. Subsequently, these archives are transmitted to command and control servers as part of their data exfiltration techniques. These adversaries leverage RAR archiving to consolidate and compress collected data on compromised hosts. Once the data is compiled into these archives, it serves as a means for these entities to effectively exfiltrate sensitive information. This process involves transferring the archived data to command and control servers, facilitating the extraction and retrieval of critical information from compromised systems.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate"], "tags": {"analytic_story": ["DarkGate Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a Rar.exe commandline used in archiving collected data in $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "APT5", "Akira", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN13", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=\"Rar.exe\" OR Processes.original_file_name = \"Rar.exe\" AND Processes.process = \"*a*\" Processes.process = \"* -ep1*\" Processes.process = \"* -r*\" Processes.process = \"* -y*\" Processes.process = \"* -v5m*\" Processes.process = \"* -m1*\" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_archive_collected_data_via_rar_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "user and network administrator can execute this command.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_archive_collected_data_via_rar_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows AutoIt3 Execution", "author": "Michael Haag, Splunk", "date": "2023-10-31", "version": 1, "id": "0ecb40d9-492b-4a57-9f87-515dd742794c", "description": "The following analytic is designed to detect any execution of AutoIt3, a scripting language designed for automating the Windows GUI and general scripting. This includes instances where AutoIt3 has been renamed or otherwise altered in an attempt to evade detection. The analytic works by searching for process names or original file names that match 'autoit3.exe', which is the default executable for AutoIt scripts. This detection is important as AutoIt3 is often used by attackers to automate malicious activities, such as the execution of malware or other unwanted software. False positives may occur with legitimate uses of AutoIt3.", "references": ["https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2023-10-25-IOCs-from-DarkGate-activity.txt"], "tags": {"analytic_story": ["DarkGate Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Other"]}], "message": "Execution of AutoIt3 detected. The source process is $parent_process_name$ and the destination process is $process_name$ on $dest$ by", "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (\"autoit3.exe\", \"autoit*.exe\") OR Processes.original_file_name IN (\"autoit3.exe\", \"autoit*.exe\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_autoit3_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present if the application is legitimately used, filter by user or endpoint as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_autoit3_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Autostart Execution LSASS Driver Registry Modification", "author": "Michael Haag, Splunk", "date": "2022-08-22", "version": 1, "id": "57fb8656-141e-4d8a-9f51-62cff4ecb82a", "description": "The following analytic identifies the abuse of two undocumented registry keys that allow for a DLL to load into lsass.exe to potentially capture credentials. Upon successful modification of \\CurrentControlSet\\Services\\NTDS\\DirectoryServiceExtPt or \\CurrentControlSet\\Services\\NTDS\\LsaDbExtPt, a DLL either remote or local will be set as the value and load up into lsass.exe. Based on POC code a text file may be written to disk with credentials.", "references": ["https://blog.xpnsec.com/exploring-mimikatz-part-1/", "https://github.com/oxfemale/LogonCredentialsSteal/tree/master/lsass_lib"], "tags": {"analytic_story": ["Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "The registry values for DirectoryServiceExtPt or LsaDbExtPt were modified on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.008", "mitre_attack_technique": "LSASS Driver", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path IN (\"*\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\DirectoryServiceExtPt\",\"*\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\LsaDbExtPt\") by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_autostart_execution_lsass_driver_registry_modification_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present on recent Windows Operating Systems. Filtering may be required based on process_name. In addition, look for non-standard, unsigned, module loads into LSASS. If query is too noisy, modify by adding Endpoint.processes process_name to query to identify the process making the modification.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_autostart_execution_lsass_driver_registry_modification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Binary Proxy Execution Mavinject DLL Injection", "author": "Michael Haag, Splunk", "date": "2022-07-07", "version": 1, "id": "ccf4b61b-1b26-4f2e-a089-f2009c569c57", "description": "Adversaries may abuse mavinject.exe to inject malicious DLLs into running processes (i.e. Dynamic-link Library Injection), allowing for arbitrary code execution (ex. C:\\Windows\\system32\\mavinject.exe PID /INJECTRUNNING PATH_DLL). In addition to Dynamic-link Library Injection, Mavinject.exe can also be abused to perform import descriptor injection via its /HMODULE command-line parameter (ex. mavinject.exe PID /HMODULE=BASE_ADDRESS PATH_DLL ORDINAL_NUMBER). This command would inject an import table entry consisting of the specified DLL into the module at the given base address. During triage, review file modifcations and parallel processes.", "references": ["https://attack.mitre.org/techniques/T1218/013/", "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md#atomic-test-1---mavinject---inject-dll-into-running-process"], "tags": {"analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting load a DLL.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.013", "mitre_attack_technique": "Mavinject", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=mavinject.exe Processes.process IN (\"*injectrunning*\", \"*hmodule=0x*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_binary_proxy_execution_mavinject_dll_injection_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter on DLL name or parent process.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_binary_proxy_execution_mavinject_dll_injection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Boot or Logon Autostart Execution In Startup Folder", "author": "Teoderick Contreras, Splunk", "date": "2023-01-12", "version": 1, "id": "99d157cb-923f-4a00-aee9-1f385412146f", "description": "This analytic will identify suspicious files dropped or created in the Windows %startup% folder. This technique is a common way to gain persistence on a targeted host. Threat actor, adversaries and red teamer abuse this folder path to automatically execute their malicious sample upon boot or restart of the infected host. This TTP detection is a good indicator that a suspicious process wants to gain persistence on the targeted host. We suggest to verify the process name by using the process guid field, the file created and also the user and the computer name for further investigation.", "references": ["https://attack.mitre.org/techniques/T1204/002/", "https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-sides-with-russia"], "tags": {"analytic_story": ["Chaos Ransomware", "NjRAT", "RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "a process dropped a file in %startup% folder in $dest$", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_path = \"*\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\" by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.user Filesystem.file_path Filesystem.process_guid Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_boot_or_logon_autostart_execution_in_startup_folder_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.", "known_false_positives": "Administrators may allow creation of script or exe in this path.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_boot_or_logon_autostart_execution_in_startup_folder_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows BootLoader Inventory", "author": "Michael Haag, Splunk", "date": "2023-04-14", "version": 1, "id": "4f7e3913-4db3-4ccd-afe4-31198982305d", "description": "The following hunting query utilizes a PowerShell Scripted input that captures the bootloader paths for each Windows endpoint it is deployed to. The template inputs.conf is located in the references link. By default, it only captures the path, but may be modified to capture everything that BCDedit provides. It can be verbose, but may be worth it.", "references": ["https://gist.github.com/MHaggis/26518cd2844b0e03de6126660bb45707", "https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/"], "tags": {"analytic_story": ["BlackLotus Campaign", "Windows BootKits"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Endpoint", "role": ["Victim"]}], "message": "A list of BootLoaders are present on $dest$", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1542.001", "mitre_attack_technique": "System Firmware", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1542", "mitre_attack_technique": "Pre-OS Boot", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": []}]}, "type": "Hunting", "search": "`bootloader_inventory` | stats count min(_time) as firstTime max(_time) as lastTime values(_raw) by host | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_bootloader_inventory_filter`", "how_to_implement": "To implement this analytic, a new stanza will need to be added to a inputs.conf and deployed to all or some Windows endpoints. https://gist.github.com/MHaggis/26518cd2844b0e03de6126660bb45707 provides the stanza. If modifying the sourcetype, be sure to update the Macro for this analytic. Recommend running it daily, or weekly, depending on threat model.", "known_false_positives": "No false positives here, only bootloaders. Filter as needed or create a lookup as a baseline.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "bootloader_inventory", "definition": "sourcetype = PwSh:bootloader", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_bootloader_inventory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Bypass UAC via Pkgmgr Tool", "author": "Teoderick Contreras, Splunk", "date": "2023-07-26", "version": 1, "id": "cce58e2c-988a-4319-9390-0daa9eefa3cd", "description": "The following analytic identifies a potentially suspicious execution of the 'pkgmgr' process involving the use of an XML input file for package management. The 'pkgmgr' process, though deprecated in modern Windows systems, was historically used for managing packages. The presence of an XML input file raises concerns about the nature of the executed command and its potential impact on the system. Due to the deprecated status of 'pkgmgr' and the involvement of an XML file, this activity warrants careful investigation. XML files are commonly used for configuration and data exchange, making it crucial to ascertain the intentions and legitimacy of the command. To ensure system security, it is recommended to use up-to-date package management utilities, such as DISM or PowerShell's PackageManagement module, and exercise caution when executing commands involving potentially sensitive operations or files.", "references": ["https://asec.ahnlab.com/en/17692/", "https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/warzone#:~:text=Warzone%20RAT%20(AKA%20Ave%20Maria)%20is%20a%20remote%20access%20trojan,is%20as%20an%20information%20stealer."], "tags": {"analytic_story": ["Warzone RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A pkgmgr.exe executed with package manager xml input file on $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = pkgmgr.exe Processes.process = \"*.xml*\" NOT(Processes.parent_process_path IN(\"*:\\\\windows\\\\system32\\\\*\", \"*:\\\\windows\\\\syswow64\\\\*\", \"*:\\\\Program Files*\")) by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process_path Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_bypass_uac_via_pkgmgr_tool_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present on recent Windows Operating Systems. Filtering may be required based on process_name. In addition, look for non-standard, unsigned, module loads into LSASS. If query is too noisy, modify by adding Endpoint.processes process_name to query to identify the process making the modification.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_bypass_uac_via_pkgmgr_tool_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows CAB File on Disk", "author": "Michael Haag, Splunk", "date": "2023-11-08", "version": 1, "id": "622f08d0-69ef-42c2-8139-66088bc25acd", "description": "The following analytic identifies .cab files being written to disk. Utilize this analytic as a way to hunt for suspect .cab files being written to non-standard paths and tune as needed. Cab files were recently being utilized to deliver .url files embedded. The .url files were then used to deliver malicious payloads. The search specifically looks for instances where the file name is '*.cab' and the action is 'write'. During the triage process, it is recommended to review the file path for additional artifacts that may provide further insights into the event.", "references": ["https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2023-10-25-IOCs-from-DarkGate-activity.txt"], "tags": {"analytic_story": ["DarkGate Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A .cab file was written to disk on endpoint $dest$.", "risk_score": 5, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count values(Filesystem.file_path) as file_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_name=*.cab) by Filesystem.dest Filesystem.action Filesystem.process_id Filesystem.file_name | `drop_dm_object_name(\"Filesystem\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_cab_file_on_disk_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will only be present if a process legitimately writes a .cab file to disk. Modify the analytic as needed by file path. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_cab_file_on_disk_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Cached Domain Credentials Reg Query", "author": "Teoderick Contreras, Splunk", "date": "2022-11-30", "version": 1, "id": "40ccb8e0-1785-466e-901e-6a8b75c04ecd", "description": "The following analytic identifies a process command line related to the discovery of cache domain credential logon count in the registry. This Technique was being abused by several post exploitation tool like Winpeas where it query CachedLogonsCount registry value in Winlogon registry. This value can be good information about the login caching setting on the Windows OS target host. A value of 0 means login caching is disable and values > 50 caches only 50 login attempts. By default all versions of Windows 10 save cached logins except Windows Server 2008.", "references": ["https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/", "https://learn.microsoft.com/de-de/troubleshoot/windows-server/user-profiles-and-logon/cached-domain-logon-information", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS"], "tags": {"analytic_story": ["Prestige Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a process with commandline $process$ tries to retrieve cache domain credential logon count in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.005", "mitre_attack_technique": "Cached Domain Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "Leafminer", "MuddyWater", "OilRig"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process = \"* query *\" AND Processes.process = \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon*\" AND Processes.process = \"*CACHEDLOGONSCOUNT*\" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_cached_domain_credentials_reg_query_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_reg", "definition": "(Processes.process_name=reg.exe OR Processes.original_file_name=reg.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_cached_domain_credentials_reg_query_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Change Default File Association For No File Ext", "author": "Teoderick Contreras, Splunk", "date": "2022-11-30", "version": 1, "id": "dbdf52ad-d6a1-4b68-975f-0a10939d8e38", "description": "This analytic is developed to detect suspicious process commandline to change or set the default file association of a file without file extension with notepad.exe. This technique was seen in some APT and ransomware Prestige where it set/modify the default process to run file association, like .txt to notepad.exe.", "references": ["https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["Prestige Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "process with commandline $process$ set or change the file association of a file with no file extension in $dest$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process=\"* add *\" AND Processes.process=\"* HKCR\\\\*\" AND Processes.process=\"*\\\\shell\\\\open\\\\command*\" AND Processes.process= *Notepad.exe* by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | rex field=process \"Notepad\\.exe (?.*$)\" | rex field=file_name_association \"\\.(?[^\\.]*$)\" | where isnull(extension) and isnotnull(file_name_association) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_change_default_file_association_for_no_file_ext_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_reg", "definition": "(Processes.process_name=reg.exe OR Processes.original_file_name=reg.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_change_default_file_association_for_no_file_ext_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows ClipBoard Data via Get-ClipBoard", "author": "Teoderick Contreras, Splunk", "date": "2022-11-30", "version": 1, "id": "ab73289e-2246-4de0-a14b-67006c72a893", "description": "The following analytic identifies a powershell script command to retrieve clipboard data. This technique was seen in several post exploitation tools like WINPEAS to steal sensitive information that was saved in clipboard. Using the Get-Clipboard powershell commandlet, adversaries can be able collect data stored in clipboard that might be a copied user name, password or other sensitive information.", "references": ["https://attack.mitre.org/techniques/T1115/", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["Prestige Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Powershell script $ScriptBlockText$ execute Get-Clipboard commandlet on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1115", "mitre_attack_technique": "Clipboard Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT38", "APT39"]}]}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Get-Clipboard*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_clipboard_data_via_get_clipboard_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "It is possible there will be false positives, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_clipboard_data_via_get_clipboard_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows COM Hijacking InprocServer32 Modification", "author": "Michael Haag, Splunk", "date": "2022-09-26", "version": 1, "id": "b7bd83c0-92b5-4fc7-b286-23eccfa2c561", "description": "The following analytic identifies the use of reg.exe performing an add to the InProcServer32, which may be related to COM hijacking. Adversaries can use the COM system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence. Hijacking a COM object requires a change in the Registry to replace a reference to a legitimate system component which may cause that component to not work when executed. When that system component is executed through normal system operation the adversary's code will be executed instead.", "references": ["https://attack.mitre.org/techniques/T1546/015/", "https://blog.cluster25.duskrise.com/2022/09/23/in-the-footsteps-of-the-fancy-bear-powerpoint-graphite/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md"], "tags": {"analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to modify InProcServer32 within the registry.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.015", "mitre_attack_technique": "Component Object Model Hijacking", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` Processes.process=*inprocserver32* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_com_hijacking_inprocserver32_modification_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present and some filtering may be required.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_reg", "definition": "(Processes.process_name=reg.exe OR Processes.original_file_name=reg.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_com_hijacking_inprocserver32_modification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Command and Scripting Interpreter Hunting Path Traversal", "author": "Teoderick Contreras, Michael Haag, Splunk", "date": "2022-06-01", "version": 1, "id": "d0026380-b3c4-4da0-ac8e-02790063ff6b", "description": "The following analytic identifies path traversal command-line execution and should be used to tune and driver other more higher fidelity analytics. This technique was seen in malicious document that execute malicious code using msdt.exe and path traversal technique that serve as defense evasion. This Hunting query is a good pivot to look for possible suspicious process and command-line that runs execute path traversal technique to run malicious code. This may help you to find possible downloaded malware or other lolbin execution.", "references": ["https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/"], "tags": {"analytic_story": ["Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A parent process $parent_process_name$ has spawned a child $process_name$ with path traversal commandline $process$ in $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes by Processes.original_file_name Processes.process_id Processes.parent_process_id Processes.process_hash Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval count_of_pattern1 = (mvcount(split(process,\"/..\"))-1) | eval count_of_pattern2 = (mvcount(split(process,\"\\..\"))-1) | eval count_of_pattern3 = (mvcount(split(process,\"\\\\..\"))-1) | eval count_of_pattern4 = (mvcount(split(process,\"//..\"))-1) | search count_of_pattern1 > 1 OR count_of_pattern2 > 1 OR count_of_pattern3 > 1 OR count_of_pattern4 > 1 | `windows_command_and_scripting_interpreter_hunting_path_traversal_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "false positive may vary depends on the score you want to check. The bigger number of path traversal string count the better.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_command_and_scripting_interpreter_hunting_path_traversal_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Command and Scripting Interpreter Path Traversal Exec", "author": "Teoderick Contreras, Splunk", "date": "2022-06-01", "version": 2, "id": "58fcdeb1-728d-415d-b0d7-3ab18a275ec2", "description": "The following analytic identifies path traversal command-line execution. This technique was seen in malicious document that execute malicious code using msdt.exe and path traversal technique that serve as defense evasion. This TTP is a good pivot to look for more suspicious process and command-line that runs before and after this execution. This may help you to find possible downloaded malware or other lolbin execution.", "references": ["https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/"], "tags": {"analytic_story": ["Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A parent process $parent_process_name$ has spawned a child $process_name$ with path traversal commandline $process$ in $dest$", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process=\"*\\/..\\/..\\/..\\/*\" OR Processes.process=\"*\\\\..\\\\..\\\\..\\\\*\" OR Processes.process=\"*\\/\\/..\\/\\/..\\/\\/..\\/\\/*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id Processes.process_hash | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_command_and_scripting_interpreter_path_traversal_exec_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Not known at this moment.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_command_and_scripting_interpreter_path_traversal_exec_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Command Shell DCRat ForkBomb Payload", "author": "Teoderick Contreras, Splunk", "date": "2022-07-28", "version": 1, "id": "2bb1a362-7aa8-444a-92ed-1987e8da83e1", "description": "The following analytic identifies DCRat \"forkbomb\" payload feature. This technique was seen in dark crystal RAT backdoor capabilities where it will execute several cmd child process executing \"notepad.exe & pause\". The following analytic detects the multiple cmd.exe and child process notepad.exe execution using batch script in the targeted host within 30s timeframe. this TTP can be a good pivot to check DCRat infection.", "references": ["https://cert.gov.ua/article/405538", "https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat", "https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor"], "tags": {"analytic_story": ["DarkCrystal RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Multiple cmd.exe processes with child process of notepad.exe executed on $dest$", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.parent_process_id) as parent_process_id values(Processes.process_id) as process_id dc(Processes.parent_process_id) as parent_process_id_count dc(Processes.process_id) as process_id_count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name= \"cmd.exe\" (Processes.process_name = \"notepad.exe\" OR Processes.original_file_name= \"notepad.exe\") Processes.parent_process = \"*.bat*\" by Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.parent_process Processes.dest Processes.user _time span=30s | where parent_process_id_count>= 10 AND process_id_count >=10 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_command_shell_dcrat_forkbomb_payload_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_command_shell_dcrat_forkbomb_payload_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Command Shell Fetch Env Variables", "author": "Teoderick Contreras, Splunk", "date": "2022-10-27", "version": 1, "id": "048839e4-1eaa-43ff-8a22-86d17f6fcc13", "description": "The following analytic identifies a suspicious process command line fetching the environment variables with a non-shell parent process. This technique was seen in qakbot malware where it fetches the environment variable in the target or compromised host. This TTP detection is a good pivot of possible malicious behavior since the command line is executed by a common non-shell process like cmd.exe , powershell.exe and many more. This can also be a good sign that the parent process has a malicious code injected to it to execute this command.", "references": ["https://twitter.com/pr0xylife/status/1585612370441031680?s=46&t=Dc3CJi4AnM-8rNoacLbScg"], "tags": {"analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "non-shell parent process has a child process $process_name$ with a commandline $process$ to fetch env variables in $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*cmd /c set\" OR Processes.process = \"*cmd.exe /c set\" AND NOT (Processes.parent_process_name = \"cmd.exe\" OR Processes.parent_process_name = \"powershell*\" OR Processes.parent_process_name=\"pwsh.exe\" OR Processes.parent_process_name = \"explorer.exe\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_command_shell_fetch_env_variables_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "shell process that are not included in this search may cause False positive. Filter is needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_command_shell_fetch_env_variables_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "author": "Teoderick Contreras, Splunk", "date": "2023-12-27", "version": 1, "id": "e99fcc4f-c6b0-4443-aa2a-e3c85126ec9a", "description": "The following correlation identifies instances where four or more distinct detection analytics are associated with malicious command line behavior that is known to be exploited by multiple threat actors, adversaries, or red teamers on a specific host. By leveraging the Command Line Interface (CLI), attackers can execute malicious commands, gain access to sensitive data, install backdoors, and engage in various nefarious activities. The impact of such compromise can be severe, as attackers may gain unauthorized control over the compromised system, enabling them to exfiltrate valuable information, escalate privileges, or launch further attacks within the network. If this detection is triggered, there is a high level of confidence in the occurrence of suspicious command line activities on the host.", "references": ["https://www.splunk.com/en_us/blog/security/from-macros-to-no-macros-continuous-malware-improvements-by-qakbot.html", "https://www.splunk.com/en_us/blog/security/dark-crystal-rat-agent-deep-dive.html"], "tags": {"analytic_story": ["Azorult", "CISA AA23-347A", "DarkCrystal RAT", "Disabling Security Tools", "FIN7", "Netsh Abuse", "Qakbot", "Sandworm Tools", "Volt Typhoon", "Windows Defense Evasion Tactics", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "Hostname", "role": ["Victim"]}], "message": "series of process commandline being abused by threat actor have been identified on $risk_object$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "APT5", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "type": "Correlation", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where source IN (\"*Cmdline Tool Not Executed In CMD Shell*\", \"*Windows System Network Config Discovery Display DNS*\", \"*Local Account Discovery With Wmic*\", \"*Net Localgroup Discovery*\", \"*Create local admin accounts using net exe*\", \"*Local Account Discovery with Net*\", \"*Icacls Deny Command*\", \"*ICACLS Grant Command*\", \"*Windows Proxy Via Netsh*\", \"*Processes launching netsh*\", \"*Disabling Firewall with Netsh*\", \"*Windows System Network Connections Discovery Netsh*\", \"*Network Connection Discovery With Arp*\", \"*Windows System Discovery Using ldap Nslookup*\", \"*Windows System Shutdown CommandLine*\") by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 4 | `windows_common_abused_cmd_shell_risk_behavior_filter`", "how_to_implement": "Splunk Enterprise Security is required to utilize this correlation. In addition, modify the source_count value to your environment. In our testing, a count of 4 or 5 was decent in a lab, but the number may need to be increased base on internal testing. In addition, based on false positives, modify any analytics to be anomaly and lower or increase risk based on organization importance.", "known_false_positives": "False positives will be present based on many factors. Tune the correlation as needed to reduce too many triggers.", "datamodel": ["Risk"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_common_abused_cmd_shell_risk_behavior_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Computer Account Created by Computer Account", "author": "Michael Haag, Splunk", "date": "2024-04-26", "version": 2, "id": "97a8dc5f-8a7c-4fed-9e3e-ec407fd0268a", "description": "The following analytic identifes a Computer Account creating a new Computer Account with specific a Service Principle Name - \"RestrictedKrbHost\". The RestrictedKrbHost service class allows client applications to use Kerberos authentication when they do not have the identity of the service but have the server name.", "references": ["https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/445e4499-7e49-4f2a-8d82-aaf2d1ee3c47", "https://github.com/Dec0ne/KrbRelayUp"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Local Privilege Escalation With KrbRelayUp"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A Computer Account on $dest$ created by a computer account (possibly indicative of Kerberos relay attack).", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "`wineventlog_security` EventCode=4741 user_type=computer SubjectDomainName!=\"NT AUTHORITY\" ServicePrincipalNames=*RestrictedKrbHost* | stats count min(_time) as firstTime max(_time) as lastTime by dest, subject, action ,src_user, user, user_type, SubjectUserName,SubjectDomainName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_computer_account_created_by_computer_account_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4741 EventCode enabled. The Windows TA is also required.", "known_false_positives": "It is possible third party applications may have a computer account that adds computer accounts, filtering may be required.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_computer_account_created_by_computer_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Computer Account Requesting Kerberos Ticket", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 3, "id": "fb3b2bb3-75a4-4279-848a-165b42624770", "description": "The following analytic detects a computer account requesting a Kerberos ticket, which is unusual as typically user accounts request these tickets. This detection leverages Windows Security Event Logs, specifically EventCode 4768, to identify instances where the TargetUserName ends with a dollar sign ($), indicating a computer account. This activity is significant because it may indicate the use of tools like KrbUpRelay or other Kerberos-based attacks. If confirmed malicious, this could allow attackers to impersonate computer accounts, potentially leading to unauthorized access and lateral movement within the network.", "references": ["https://github.com/Dec0ne/KrbRelayUp"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Local Privilege Escalation With KrbRelayUp"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A Computer Account requested a Kerberos ticket on $dest$, possibly indicative of Kerberos relay attack.", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "`wineventlog_security` EventCode=4768 TargetUserName=\"*$\" src_ip!=\"::1\" | stats count min(_time) as firstTime max(_time) as lastTime by dest, subject, action, user, TargetUserName, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_computer_account_requesting_kerberos_ticket_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4768 EventCode enabled. The Windows TA is also required.", "known_false_positives": "It is possible false positives will be present based on third party applications. Filtering may be needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_computer_account_requesting_kerberos_ticket_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Computer Account With SPN", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 3, "id": "9a3e57e7-33f4-470e-b25d-165baa6e8357", "description": "The following analytic detects the addition of Service Principal Names (SPNs) HOST and RestrictedKrbHost to a computer account, indicative of KrbRelayUp behavior. This detection leverages Windows Security Event Logs, specifically EventCode 4741, to identify changes in SPNs. This activity is significant as it is commonly associated with Kerberos-based attacks, which can be used to escalate privileges or perform lateral movement within a network. If confirmed malicious, this behavior could allow an attacker to impersonate services, potentially leading to unauthorized access to sensitive resources.", "references": ["https://www.trustedsec.com/blog/an-attack-path-mapping-approach-to-cves-2021-42287-and-2021-42278", "https://github.com/Dec0ne/KrbRelayUp"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Local Privilege Escalation With KrbRelayUp"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A Computer Account was created with SPNs related to Kerberos on $dest$, possibly indicative of Kerberos relay attack.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "`wineventlog_security` EventCode=4741 NewUacValue=\"0x80\" ServicePrincipalNames IN (\"*HOST/*\",\"*RestrictedKrbHost/*\") | stats count min(_time) as firstTime max(_time) as lastTime values(EventCode),values(TargetDomainName),values(PrimaryGroupId), values(OldUacValue), values(NewUacValue),values(SamAccountName),values(DnsHostName),values(ServicePrincipalNames) by dest Logon_ID subject | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_computer_account_with_spn_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4741 EventCode enabled. The Windows TA is also required.", "known_false_positives": "It is possible third party applications may add these SPNs to Computer Accounts, filtering may be needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_computer_account_with_spn_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows ConHost with Headless Argument", "author": "Michael Haag, Splunk", "date": "2023-11-01", "version": 1, "id": "d5039508-998d-4cfc-8b5e-9dcd679d9a62", "description": "The following analytic detects the unusual use of the Windows Console Host process (conhost.exe) with the undocumented --headless parameter to spawn a new process. This behavior is highly unusual and indicative of suspicious activity, as the --headless parameter is not commonly used in legitimate operations. The analytic identifies this behavior by looking for instances where conhost.exe is invoked with the --headless argument. This behavior is worth identifying for a Security Operations Center (SOC) as it could indicate an attacker's attempt to execute commands or scripts in a stealthy manner, potentially to establish persistence, perform lateral movement, or carry out other malicious activities. If a true positive is identified, it suggests that an attacker has gained a foothold in the environment and is attempting to further their attack, which could lead to serious consequences such as data exfiltration, system compromise, or deployment of ransomware. Potential false positives could arise from legitimate administrative activity, hence it is important to validate the context of the detected behavior during triage.", "references": ["https://x.com/embee_research/status/1559410767564181504?s=20", "https://x.com/GroupIB_TI/status/1719675754886131959?s=20"], "tags": {"analytic_story": ["Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Windows ConHost with Headless Argument detected on $dest$ by $user$.", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1564.003", "mitre_attack_technique": "Hidden Window", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "CopyKittens", "DarkHydrus", "Deep Panda", "Gamaredon Group", "Gorgon Group", "Higaisa", "Kimsuky", "Magic Hound", "Nomadic Octopus", "ToddyCat"]}, {"mitre_attack_id": "T1564.006", "mitre_attack_technique": "Run Virtual Instance", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=conhost.exe Processes.process=\"*--headless *\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_conhost_with_headless_argument_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present if the application is legitimately used, filter by user or endpoint as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_conhost_with_headless_argument_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Create Local Account", "author": "Michael Haag, Splunk", "date": "2025-05-19", "version": 3, "id": "3fb2e8e3-7bc0-4567-9722-c5ab9f8595eb", "description": "The following analytic detects the creation of a new local user account on a Windows system. It leverages Windows Security Audit logs, specifically event ID 4720, to identify this activity. Monitoring the creation of local accounts is crucial for a SOC as it can indicate unauthorized access or lateral movement within the network. If confirmed malicious, this activity could allow an attacker to establish persistence, escalate privileges, or gain unauthorized access to sensitive systems and data.", "references": ["https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/"], "tags": {"analytic_story": ["Active Directory Password Spraying"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The following $user$ was added to $dest$ as a local account.", "risk_score": 18, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "APT5", "Dragonfly", "FIN13", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT", "Wizard Spider"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider", "Scattered Spider"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(All_Changes.result_id) as result_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Change where All_Changes.result_id=4720 by All_Changes.user All_Changes.dest All_Changes.result All_Changes.action | `drop_dm_object_name(\"All_Changes\")` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_create_local_account_filter`", "how_to_implement": "This search requires you to have enabled your Group Management Audit Logs in your Local Windows Security Policy and be ingesting those logs. More information on how to enable them can be found here: http://whatevernetworks.com/auditing-group-membership-changes-in-active-directory/", "known_false_positives": "It is possible that an administrator created the account. Verifying activity with an administrator is advised. This analytic is set to anomaly to allow for risk to be added. Filter and tune as needed. Restrict to critical infrastructure to reduce any volume.", "datamodel": ["Change"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_create_local_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Credential Access From Browser Password Store", "author": "Teoderick Contreras, Bhavin Patel Splunk", "date": "2024-02-20", "version": 2, "id": "72013a8e-5cea-408a-9d51-5585386b4d69", "description": "The following analytic identifies a possible non-common browser process accessing its browser user data profile. This tactic/technique has been observed in various Trojan Stealers, such as SnakeKeylogger, which attempt to gather sensitive browser information and credentials as part of their exfiltration strategy. Detecting this anomaly can serve as a valuable pivot for identifying processes that access lists of browser user data profiles unexpectedly. This detection uses a lookup file `browser_app_list` that maintains a list of well known browser applications and the browser paths that are allowed to access the browser user data profiles.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger", "https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-malware/snake-keylogger-malware/"], "tags": {"analytic_story": ["Snake Keylogger"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A non-common browser process $process_name$ accessing browser user data folder on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "APT41", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "Volt Typhoon", "ZIRCONIUM"]}]}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4663 | stats count by _time object_file_path object_file_name dest process_name process_path process_id EventCode | lookup browser_app_list browser_object_path as object_file_path OUTPUT browser_process_name isAllowed | stats count min(_time) as firstTime max(_time) as lastTime values(object_file_name) values(object_file_path) values(browser_process_name) as browser_process_name by dest process_name process_path process_id EventCode isAllowed | rex field=process_name \"(?[^\\\\\\\\]+)$\" | eval isMalicious=if(match(browser_process_name, extracted_process_name), \"0\", \"1\") | where isMalicious=1 and isAllowed=\"false\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credential_access_from_browser_password_store_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable \"Audit Object Access\" in Group Policy. Then check the two boxes listed for both \"Success\" and \"Failure.\" This search may trigger on a browser application that is not included in the browser_app_list lookup file.", "known_false_positives": "The lookup file `browser_app_list` may not contain all the browser applications that are allowed to access the browser user data profiles. Consider updating the lookup files to add allowed object paths for the browser applications that are not included in the lookup file.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_credential_access_from_browser_password_store_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "browser_app_list", "description": "A list of known browser application being targeted for credential extraction.", "filename": "browser_app_list.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(browser_process_name), WILDCARD(browser_object_path)", "min_matches": 1, "fields_list": null}]}, {"name": "Windows Credential Dumping LSASS Memory Createdump", "author": "Michael Haag, Splunk", "date": "2023-01-23", "version": 1, "id": "b3b7ce35-fce5-4c73-85f4-700aeada81a9", "description": "The following analytic identifies the use of CreateDump.exe being used to perform a process dump. This particular binary is not native to Windows, but is found to be brought in my many different third party applications including PowerShell 7.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md#atomic-test-11---dump-lsass-with-createdumpexe-from-net-v5"], "tags": {"analytic_story": ["Credential Dumping"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to dump a process.", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=createdump.exe OR Processes.original_file_name=\"FX_VER_INTERNALNAME_STR\" Processes.process=\"*-u *\" AND Processes.process=\"*-f *\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credential_dumping_lsass_memory_createdump_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present if an application is dumping processes, filter as needed. Recommend reviewing createdump.exe usage across the fleet to better understand all usage and by what.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_credential_dumping_lsass_memory_createdump_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Credentials from Password Stores Chrome Extension Access", "author": "Teoderick Contreras, Splunk", "date": "2023-12-27", "version": 1, "id": "2e65afe0-9a75-4487-bd87-ada9a9f1b9af", "description": "This analytic focuses on identifying non-chrome processes that attempt to access the Chrome extensions file. This file contains crucial settings and information related to the browser's extensions installed on the computer. Adversaries and malware authors have been known to exploit this file to extract sensitive information from the Chrome browser on targeted hosts. Detecting such anomalous behavior provides valuable insights for analyzing suspicious processes beyond the commonly observed chrome.exe and explorer.exe executables. By monitoring for access to the Chrome extensions file by non-chrome processes, we can enhance our ability to detect potential threats and protect sensitive information stored within the browser.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer"], "tags": {"analytic_story": ["Amadey", "CISA AA23-347A", "DarkGate Malware", "Phemedrone Stealer", "RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A non-chrome process $process_name$ accessing chrome browser extension folder files on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "APT41", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "Volt Typhoon", "ZIRCONIUM"]}]}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4663 object_file_path=\"*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Local Extension Settings\\\\*\" AND NOT (process_path IN (\"*:\\\\Windows\\\\explorer.exe\", \"*\\\\chrome.exe\")) | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_chrome_extension_access_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable \"Audit Object Access\" in Group Policy. Then check the two boxes listed for both \"Success\" and \"Failure.\"", "known_false_positives": "Uninstall chrome browser extension application may access this file and folder path to removed chrome installation in the target host. Filter is needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_credentials_from_password_stores_chrome_extension_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Credentials from Password Stores Chrome LocalState Access", "author": "Teoderick Contreras, Splunk", "date": "2023-04-26", "version": 1, "id": "3b1d09a8-a26f-473e-a510-6c6613573657", "description": "This analytic is designed to detect non-chrome processes accessing the Chrome user data file called \"local state.\" This file contains important settings and information related to the browser's operations on the computer. Threat actors, adversaries, and malware authors have been known to exploit this file in attempts to extract the encrypted master key used for decrypting passwords saved in the Chrome browser. Detecting access to the \"local state\" file by non-chrome processes serves as a valuable pivot for analyzing suspicious processes beyond the commonly observed chrome.exe and explorer.exe executables. By monitoring for this anomaly, we can improve our ability to identify potential threats and safeguard sensitive information stored within the browser.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer"], "tags": {"analytic_story": ["Amadey", "DarkGate Malware", "NjRAT", "Phemedrone Stealer", "RedLine Stealer", "Snake Keylogger", "Warzone RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A non-chrome process $process_name$ accessing \"Chrome\\\\User Data\\\\Local State\" file on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "APT41", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "Volt Typhoon", "ZIRCONIUM"]}]}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4663 object_file_path=\"*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Local State\" NOT (process_name IN (\"*\\\\chrome.exe\",\"*:\\\\Windows\\\\explorer.exe\")) | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_chrome_localstate_access_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable \"Audit Object Access\" in Group Policy. Then check the two boxes listed for both \"Success\" and \"Failure.\"", "known_false_positives": "Uninstall chrome application may access this file and folder path to removed chrome installation in target host. Filter is needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_credentials_from_password_stores_chrome_localstate_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Credentials from Password Stores Chrome Login Data Access", "author": "Teoderick Contreras, Splunk", "date": "2023-04-27", "version": 1, "id": "0d32ba37-80fc-4429-809c-0ba15801aeaf", "description": "This analytic is designed to identify non-chrome processes accessing the Chrome user data file called \"login data.\" This SQLite database file contains important information related to the browser's operations on the computer. Threat actors, adversaries, and malware authors have been known to exploit this file in attempts to extract and decrypt passwords saved in the Chrome browser. Detecting access to the \"login data\" file by non-chrome processes serves as a valuable pivot for analyzing suspicious processes beyond the commonly observed chrome.exe and explorer.exe executables. By monitoring for this anomaly, we can enhance our ability to detect potential threats and protect sensitive information stored within the browser.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer"], "tags": {"analytic_story": ["Amadey", "DarkGate Malware", "NjRAT", "Phemedrone Stealer", "RedLine Stealer", "Snake Keylogger", "Warzone RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A non-chrome process $process_name$ accessing Chrome \"Login Data\" file on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "APT41", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "Volt Typhoon", "ZIRCONIUM"]}]}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4663 object_file_path=\"*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Login Data\" AND NOT (process_path IN (\"*:\\\\Windows\\\\explorer.exe\", \"*:\\\\Windows\\\\System32\\\\dllhost.exe\", \"*\\\\chrome.exe\")) | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_chrome_login_data_access_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable \"Audit Object Access\" in Group Policy. Then check the two boxes listed for both \"Success\" and \"Failure.\"", "known_false_positives": "Uninstall application may access this registry to remove the entry of the target application. filter is needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_credentials_from_password_stores_chrome_login_data_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Credentials from Password Stores Creation", "author": "Teoderick Contreras, Splunk", "date": "2023-11-23", "version": 1, "id": "c0c5a479-bf57-4ca0-af3a-4c7081e5ba05", "description": "The following analytic identifies a process execution of Windows OS cmdkey.exe tool. This tool is being abused or used by several post exploitation tool and malware such as Darkgate malware to create stored user names, passwords or credentials in the targeted Windows OS host. This information can be used by the attacker to gain privilege escalation and persistence in the targeted hosts for further attacks.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate"], "tags": {"analytic_story": ["DarkGate Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a process $process_name$ was executed in $dest$ to create stored credentials", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "Malteiro", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=\"cmdkey.exe\" OR Processes.original_file_name = \"cmdkey.exe\" AND Processes.process = \"*/generic*\" Processes.process IN (\"*/user*\", \"*/password*\") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_creation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "network administrator can use this tool for auditing process.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_credentials_from_password_stores_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Credentials from Password Stores Deletion", "author": "Teoderick Contreras, Splunk", "date": "2023-11-23", "version": 1, "id": "46d676aa-40c6-4fe6-b917-d23b621f0f89", "description": "The following analytic identifies a process execution of Windows OS cmdkey.exe tool. This tool is being abused or used by several post exploitation tool and malware such as Darkgate malware to delete stored user names, passwords or credentials in the targeted Windows OS host. This information can be used by the attacker to gain privilege escalation and persistence in the targeted hosts for further attacks.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate"], "tags": {"analytic_story": ["DarkGate Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a process $process_name$ was executed in $dest$ to delete stored credentials", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "Malteiro", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=\"cmdkey.exe\" OR Processes.original_file_name = \"cmdkey.exe\" AND Processes.process = \"*/delete*\" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_deletion_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "network administrator can use this tool for auditing process.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_credentials_from_password_stores_deletion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Credentials from Password Stores Query", "author": "Teoderick Contreras, Splunk", "date": "2022-11-30", "version": 1, "id": "db02d6b4-5d5b-4c33-8d8f-f0577516a8c7", "description": "The following analytic identifies a process execution of Windows OS cmdkey.exe tool. This tool is being abused or used by several post exploitation tool such as winpeas that being used by ransomware prestige to list stored user names, passwords or credentials in the targeted Windows OS host. This information can be used by the attacker to gain privilege escalation and persistence in the targeted hosts for further attacks.", "references": ["https://ss64.com/nt/cmdkey.html", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["DarkGate Malware", "Prestige Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a process $process_name$ was executed in $dest$ to display stored username and credentials.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "Malteiro", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=\"cmdkey.exe\" OR Processes.original_file_name = \"cmdkey.exe\" AND Processes.process = \"*/list*\" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_query_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "network administrator can use this tool for auditing process.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_credentials_from_password_stores_query_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Credentials in Registry Reg Query", "author": "Teoderick Contreras, Splunk", "date": "2022-11-30", "version": 1, "id": "a8b3124e-2278-4b73-ae9c-585117079fb2", "description": "The following analytic identifies a process command line related to the discovery of possible password or credentials in the registry. This technique is being abused by adversaries or post exploitation tools like winpeas to steal credentials in the registry in the targeted host. Registry can contain several sensitive information like username and credentials that can be used for privilege escalation, persistence or even in lateral movement. This Anomaly detection can be a good pivot to detect a suspicious process querying a registry related to password or private keys.", "references": ["https://attack.mitre.org/techniques/T1552/002/", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["Prestige Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "reg query commandline $process$ in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1552.002", "mitre_attack_technique": "Credentials in Registry", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT32"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process = \"* query *\" AND Processes.process IN (\"*\\\\Software\\\\ORL\\\\WinVNC3\\\\Password*\", \"*\\\\SOFTWARE\\\\RealVNC\\\\WinVNC4 /v password*\", \"*\\\\CurrentControlSet\\\\Services\\\\SNMP*\", \"*\\\\Software\\\\TightVNC\\\\Server*\", \"*\\\\Software\\\\SimonTatham\\\\PuTTY\\\\Sessions*\", \"*\\\\Software\\\\OpenSSH\\\\Agent\\\\Keys*\", \"*password*\") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_in_registry_reg_query_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_reg", "definition": "(Processes.process_name=reg.exe OR Processes.original_file_name=reg.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_credentials_in_registry_reg_query_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Curl Download to Suspicious Path", "author": "Michael Haag, Splunk", "date": "2021-10-19", "version": 1, "id": "c32f091e-30db-11ec-8738-acde48001122", "description": "The following analytic identifies the use of Windows Curl.exe downloading a file to a suspicious location.\n-O or --output is used when a file is to be downloaded and placed in a specified location.\nDuring triage, review parallel processes for further behavior. In addition, identify if the download was successful. If a file was downloaded, capture and analyze.", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://attack.mitre.org/techniques/T1105/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"], "tags": {"analytic_story": ["Forest Blizzard", "IcedID", "Ingress Tool Transfer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ to download a file to a suspicious directory.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_curl` Processes.process IN (\"*-O *\",\"*--output*\") Processes.process IN (\"*\\\\appdata\\\\*\",\"*\\\\programdata\\\\*\",\"*\\\\public\\\\*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_curl_download_to_suspicious_path_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "It is possible Administrators or super users will use Curl for legitimate purposes. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_curl", "definition": "(Processes.process_name=curl.exe OR Processes.original_file_name=Curl.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_curl_download_to_suspicious_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Curl Upload to Remote Destination", "author": "Michael Haag, Splunk", "date": "2021-11-10", "version": 1, "id": "42f8f1a2-4228-11ec-aade-acde48001122", "description": "The following analytic identifies the use of Windows Curl.exe uploading a file to a remote destination.\n`-T` or `--upload-file` is used when a file is to be uploaded to a remotge destination.\n\n`-d` or `--data` POST is the HTTP method that was invented to send data to a receiving web application, and it is, for example, how most common HTML forms on the web work.\n\nHTTP multipart formposts are done with `-F`, but this appears to not be compatible with the Windows version of Curl. Will update if identified adversary tradecraft.\n\nAdversaries may use one of the three methods based on the remote destination and what they are attempting to upload (zip vs txt). During triage, review parallel processes for further behavior. In addition, identify if the upload was successful in network logs. If a file was uploaded, isolate the endpoint and review.", "references": ["https://everything.curl.dev/usingcurl/uploads", "https://techcommunity.microsoft.com/t5/containers/tar-and-curl-come-to-windows/ba-p/382409", "https://twitter.com/d1r4c/status/1279042657508081664?s=20"], "tags": {"analytic_story": ["Ingress Tool Transfer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ uploading a file to a remote destination.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_curl` Processes.process IN (\"*-T *\",\"*--upload-file *\", \"*-d *\", \"*--data *\", \"*-F *\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_curl_upload_to_remote_destination_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be limited to source control applications and may be required to be filtered out.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_curl", "definition": "(Processes.process_name=curl.exe OR Processes.original_file_name=Curl.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_curl_upload_to_remote_destination_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Data Destruction Recursive Exec Files Deletion", "author": "Teoderick Contreras, Splunk, Steven Dick", "date": "2023-03-05", "version": 2, "id": "3596a799-6320-4a2f-8772-a9e98ddb2960", "description": "This analytic identifies a suspicious process that is recursively deleting files on a compromised host. This behavior has been observed in several types of destructive malware, such as CaddyWiper, DoubleZero, and SwiftSlicer, which delete or overwrite files with randomly generated strings to make recovery impossible. Additionally, this analytic can detect potential recursive file writes across multiple files using Sysmon Event 23 or 26. Sysmon considers a file as deleted as soon as it is overwritten. This analytic serves as a strong indicator of potential destructive malware activity on a host machine or the uninstallation of a large software application.", "references": ["https://www.welivesecurity.com/2023/01/27/swiftslicer-new-destructive-wiper-malware-ukraine/"], "tags": {"analytic_story": ["Data Destruction", "Swift Slicer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "deleted_files", "type": "File Name", "role": ["Attacker"]}], "message": "The process $process_name$ has removed a significant quantity of executable files, totaling [$count$], from the destination $dest$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}]}, "type": "TTP", "search": "`sysmon` EventCode IN (\"23\",\"26\") TargetFilename IN (\"*.exe\", \"*.sys\", \"*.dll\") | bin _time span=2m | stats count, values(TargetFilename) as deleted_files, min(_time) as firstTime, max(_time) as lastTime by user, dest, signature, signature_id, Image, process_name, process_guid | rename Image as process | where count >=500 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_data_destruction_recursive_exec_files_deletion_filter`", "how_to_implement": "To successfully implement this search, you need to ingest logs that include the process name, TargetFilename, and ProcessID executions from your endpoints. If you are using Sysmon, ensure you have at least version 2.0 of the Sysmon TA installed.", "known_false_positives": "The uninstallation of a large software application or the use of cleanmgr.exe may trigger this detection. A filter is necessary to reduce false positives.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_data_destruction_recursive_exec_files_deletion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Defacement Modify Transcodedwallpaper File", "author": "Teoderick Contreras, Splunk", "date": "2022-08-25", "version": 1, "id": "e11c3d90-5bc7-42ad-94cd-ba75db10d897", "description": "The following analytic identifies a modification to the Transcodedwallpaper file in the wallpaper theme directory to change the wallpaper of the host machine. This technique was seen in adversaries attempting to deface or change the desktop wallpaper of the targeted host. During our testing, the common process that affects or changes the wallpaper if a user changes it via desktop personalized setting is explorer.exe.", "references": ["https://forums.ivanti.com/s/article/Wallpaper-Windows-Settings-Desktop-Settings-and-the-transcodedwallpaper-jpg?language=en_US", "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom_sifreli.a"], "tags": {"analytic_story": ["Brute Ratel C4"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "modification or creation of transcodedwallpaper file by $process_name$ in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1491", "mitre_attack_technique": "Defacement", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_path !=\"*\\\\Windows\\\\Explorer.EXE\" by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.process_guid Processes.original_file_name | `drop_dm_object_name(Processes)` |rename process_guid as proc_guid | join proc_guid, _time [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.file_path = \"*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Themes\\\\TranscodedWallpaper\" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)` |rename process_guid as proc_guid | fields file_name file_path process_name process_path process dest file_create_time _time proc_guid] | `windows_defacement_modify_transcodedwallpaper_file_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "3rd part software application can change the wallpaper. Filter is needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_defacement_modify_transcodedwallpaper_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Default Group Policy Object Modified", "author": "Mauricio Velazco, Splunk", "date": "2023-03-28", "version": 1, "id": "fe6a6cc4-9e0d-4d66-bcf4-2c7f44860876", "description": "The following analytic leverages Event ID 5136 to identify the modification of a default Group Policy Object. A fresh installation of an Active Directory network will typically contain two default group policy objects `Default Domain Controllers Policy` and `Default Domain Policy`. The default domain controllers policy is used to enforce and set policies to all the domain controllers within the domain environment. The default domain policy is linked to all users and computers by default. An adversary who has obtained privileged access to an Active Directory network may modify the default group policy objects to obtain further access, deploy persistence or execute malware across a large number of hosts. Security teams should monitor the modification of the default GPOs.", "references": ["https://attack.mitre.org/techniques/T1484/", "https://attack.mitre.org/techniques/T1484/001", "https://www.trustedsec.com/blog/weaponizing-group-policy-objects-access/", "https://adsecurity.org/?p=2716"], "tags": {"analytic_story": ["Active Directory Privilege Escalation", "Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "SubjectUserSid", "type": "User", "role": ["Attacker"]}, {"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "message": "A default group policy object was modified on $Computer$ by $SubjectUserSid$", "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1484", "mitre_attack_technique": "Domain or Tenant Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1484.001", "mitre_attack_technique": "Group Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Cinnamon Tempest", "Indrik Spider"]}]}, "type": "TTP", "search": " `wineventlog_security` EventCode=5136 ObjectClass=groupPolicyContainer AttributeLDAPDisplayName=versionNumber (ObjectDN=\"CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=POLICIES,CN=SYSTEM,DC=*\" OR ObjectDN=\"CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=POLICIES,CN=SYSTEM,DC=*\") | stats min(_time) as firstTime max(_time) as lastTime by ObjectDN SubjectUserSid AttributeValue Computer DSName | rename AttributeValue as versionNumber | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_default_group_policy_object_modified_filter`", "how_to_implement": "To successfully implement this search, the Advanced Security Audit policy setting `Audit Directory Service Changes` within `DS Access` needs to be enabled. Furthermore, the appropriate system access control lists (SACL) need to be created as the used events are not logged by default. A good guide to accomplish this can be found here https://jgspiers.com/audit-group-policy-changes/.", "known_false_positives": "The default Group Policy Objects within an AD network may be legitimately updated for administrative operations, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_default_group_policy_object_modified_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Default Group Policy Object Modified with GPME", "author": "Mauricio Velazco, Splunk", "date": "2023-04-24", "version": 1, "id": "eaf688b3-bb8f-454d-b105-920a862cd8cb", "description": "The following analytic leverages the Endpoint datamodel to identify the potential edition of a default Group Policy Object. A fresh installation of an Active Directory network will typically contain two default group policy objects `Default Domain Controllers Policy` and `Default Domain Policy`. The default domain controllers policy is used to enforce and set policies to all the domain controllers within the domain environment. The default domain policy is linked to all users and computers by default. An adversary who has obtained privileged access to an Active Directory network may modify the default group policy objects to obtain further access, deploy persistence or execute malware across a large number of hosts. Security teams should monitor the edition of the default GPOs.", "references": ["https://attack.mitre.org/techniques/T1484/", "https://attack.mitre.org/techniques/T1484/001", "https://www.trustedsec.com/blog/weaponizing-group-policy-objects-access/", "https://adsecurity.org/?p=2716", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn265969(v=ws.11)"], "tags": {"analytic_story": ["Active Directory Privilege Escalation", "Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "A default group policy object was opened with Group Policy Manage Editor on $dest$", "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1484", "mitre_attack_technique": "Domain or Tenant Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1484.001", "mitre_attack_technique": "Group Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Cinnamon Tempest", "Indrik Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=mmc.exe (Processes.process =*gpme.msc*) AND (Processes.process = \"*31B2F340-016D-11D2-945F-00C04FB984F9*\" OR Processes.process = \"*6AC1786C-016F-11D2-945F-00C04fB984F9*\" ) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_default_group_policy_object_modified_with_gpme_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "The default Group Policy Objects within an AD network may be legitimately updated for administrative operations, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_default_group_policy_object_modified_with_gpme_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Defender ASR Audit Events", "author": "Michael Haag, Splunk", "date": "2023-11-27", "version": 1, "id": "0e4d46b1-22bd-4f0e-8337-ca6f60ad4bea", "description": "This detection searches for Windows Defender ASR audit events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This detection searches for ASR audit events that are generated when a process or application attempts to perform an action that would be blocked by an ASR rule, but is allowed to proceed for auditing purposes.", "references": ["https://asrgen.streamlit.app/"], "tags": {"analytic_story": ["Windows Attack Surface Reduction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "ASR_Rule", "type": "Unknown", "role": ["Other"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "ASR audit event, $ASR_Rule$, was triggered on $dest$.", "risk_score": 5, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566.002", "mitre_attack_technique": "Spearphishing Link", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}]}, "type": "Anomaly", "search": "`ms_defender` EventCode IN (1122, 1125, 1126, 1132, 1134) | stats count min(_time) as firstTime max(_time) as lastTime by host, Process_Name, Target_Commandline, Path, ID, EventCode | lookup asr_rules ID OUTPUT ASR_Rule | fillnull value=NULL | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| rename host as dest | `windows_defender_asr_audit_events_filter`", "how_to_implement": "The following analytic requires collection of Windows Defender Operational logs in either XML or multi-line. To collect, setup a new input for the Windows Defender Operational logs. In addition, it does require a lookup that maps the ID to ASR Rule name. Note that Audit and block Event IDs have different fields, therefore the analytic will need to be modified for each type of event.", "known_false_positives": "False positives are expected from legitimate applications generating events that are similar to those generated by malicious activity. For example, Event ID 1122 is generated when a process attempts to load a DLL that is blocked by an ASR rule. This can be triggered by legitimate applications that attempt to load DLLs that are not blocked by ASR rules. This is audit only.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "ms_defender", "definition": "source=\"WinEventLog:Microsoft-Windows-Windows Defender/Operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_defender_asr_audit_events_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "asr_rules", "description": "A csv of the ID and rule name for ASR, Microsoft Attack Surface Reduction rules.", "filename": "asr_rules.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(ASR_Rule)", "min_matches": 1, "fields_list": null}]}, {"name": "Windows Defender ASR Block Events", "author": "Michael Haag, Splunk", "date": "2023-11-27", "version": 1, "id": "026f5f4e-e99f-4155-9e63-911ba587300b", "description": "This detection searches for Windows Defender ASR block events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This detection searches for ASR block events that are generated when a process or application attempts to perform an action that is blocked by an ASR rule. Typically, these will be enabled in block most after auditing and tuning the ASR rules themselves. Set to TTP once tuned.", "references": ["https://asrgen.streamlit.app/"], "tags": {"analytic_story": ["Windows Attack Surface Reduction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "ASR_Rule", "type": "Unknown", "role": ["Other"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "ASR block event, $ASR_Rule$, was triggered on $dest$.", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566.002", "mitre_attack_technique": "Spearphishing Link", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}]}, "type": "Anomaly", "search": "`ms_defender` EventCode IN (1121, 1126, 1129, 1131, 1133) | stats count min(_time) as firstTime max(_time) as lastTime by host, Path, Parent_Commandline, Process_Name, ID, EventCode | lookup asr_rules ID OUTPUT ASR_Rule | fillnull value=NULL | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| rename host as dest | `windows_defender_asr_block_events_filter`", "how_to_implement": "The following analytic requires collection of Windows Defender Operational logs in either XML or multi-line. To collect, setup a new input for the Windows Defender Operational logs. In addition, it does require a lookup that maps the ID to ASR Rule name. Note that Audit and block Event IDs have different fields, therefore the analytic will need to be modified for each type of event.", "known_false_positives": "False positives are expected from legitimate applications generating events that are similar to those generated by malicious activity. For example, Event ID 1122 is generated when a process attempts to load a DLL that is blocked by an ASR rule. This can be triggered by legitimate applications that attempt to load DLLs that are not blocked by ASR rules. This is block only.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "ms_defender", "definition": "source=\"WinEventLog:Microsoft-Windows-Windows Defender/Operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_defender_asr_block_events_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "asr_rules", "description": "A csv of the ID and rule name for ASR, Microsoft Attack Surface Reduction rules.", "filename": "asr_rules.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(ASR_Rule)", "min_matches": 1, "fields_list": null}]}, {"name": "Windows Defender ASR Registry Modification", "author": "Michael Haag, Splunk", "date": "2023-11-27", "version": 1, "id": "6a1b6cbe-6612-44c3-92b9-1a1bd77412eb", "description": "This detection searches for Windows Defender ASR registry modification events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This detection searches for ASR registry modification events that are generated when a process or application attempts to modify a registry key that is blocked by an ASR rule. Typically, these will be enabled in block most after auditing and tuning the ASR rules themselves. Set to TTP once tuned.", "references": ["https://asrgen.streamlit.app/"], "tags": {"analytic_story": ["Windows Attack Surface Reduction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "ASR_Rule", "type": "Unknown", "role": ["Other"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "ASR registry modification event, $ASR_Rule$, was triggered on $dest$.", "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "type": "Hunting", "search": "`ms_defender` EventCode IN (5007) | rex field=New_Value \"0x(?\\\\d+)$\" | rex field=Old_Value \"0x(?\\\\d+)$\" | rex field=New_Value \"Rules\\\\\\\\(?[A-Fa-f0-9\\\\-]+)\\\\s*=\" | eval New_Registry_Value=case(New_Registry_Value==\"0\", \"Disabled\", New_Registry_Value==\"1\", \"Block\", New_Registry_Value==\"2\", \"Audit\", New_Registry_Value==\"6\", \"Warn\") | eval Old_Registry_Value=case(Old_Registry_Value==\"0\", \"Disabled\", Old_Registry_Value==\"1\", \"Block\", Old_Registry_Value==\"2\", \"Audit\", Old_Registry_Value==\"6\", \"Warn\") | stats count min(_time) as firstTime max(_time) as lastTime by host, New_Value, Old_Value, Old_Registry_Value, New_Registry_Value, ASR_ID | lookup asr_rules ID AS ASR_ID OUTPUT ASR_Rule | `security_content_ctime(firstTime)`| rename host as dest | `security_content_ctime(lastTime)` | `windows_defender_asr_registry_modification_filter`", "how_to_implement": "The following analytic requires collection of Windows Defender Operational logs in either XML or multi-line. To collect, setup a new input for the Windows Defender Operational logs. In addition, it does require a lookup that maps the ID to ASR Rule name.", "known_false_positives": "False positives are expected from legitimate applications generating events that are similar to those generated by malicious activity. For example, Event ID 5007 is generated when a process attempts to modify a registry key that is related to ASR rules. This can be triggered by legitimate applications that attempt to modify registry keys that are not blocked by ASR rules.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "ms_defender", "definition": "source=\"WinEventLog:Microsoft-Windows-Windows Defender/Operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_defender_asr_registry_modification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "asr_rules", "description": "A csv of the ID and rule name for ASR, Microsoft Attack Surface Reduction rules.", "filename": "asr_rules.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(ASR_Rule)", "min_matches": 1, "fields_list": null}]}, {"name": "Windows Defender ASR Rule Disabled", "author": "Michael Haag, Splunk", "date": "2023-11-27", "version": 1, "id": "429d611b-3183-49a7-b235-fc4203c4e1cb", "description": "The following analytic identifies when a Windows Defender ASR rule disabled events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This detection searches for ASR rule disabled events that are generated when an ASR rule is disabled.", "references": ["https://asrgen.streamlit.app/"], "tags": {"analytic_story": ["Windows Attack Surface Reduction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "ASR_Rule", "type": "Unknown", "role": ["Other"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "ASR rule disabled event, $ASR_Rule$, was triggered on $dest$.", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "type": "TTP", "search": "`ms_defender` EventCode IN (5007) | rex field=New_Value \"0x(?\\\\d+)$\" | rex field=Old_Value \"0x(?\\\\d+)$\" | rex field=New_Value \"Rules\\\\\\\\(?[A-Fa-f0-9\\\\-]+)\\\\s*=\" | eval New_Registry_Value=case(New_Registry_Value==\"0\", \"Disabled\", New_Registry_Value==\"1\", \"Block\", New_Registry_Value==\"2\", \"Audit\", New_Registry_Value==\"6\", \"Warn\") | eval Old_Registry_Value=case(Old_Registry_Value==\"0\", \"Disabled\", Old_Registry_Value==\"1\", \"Block\", Old_Registry_Value==\"2\", \"Audit\", Old_Registry_Value==\"6\", \"Warn\") | search New_Registry_Value=\"Disabled\" | stats count min(_time) as firstTime max(_time) as lastTime by host, New_Value, Old_Value, Old_Registry_Value, New_Registry_Value, ASR_ID | lookup asr_rules ID AS ASR_ID OUTPUT ASR_Rule | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| rename host as dest | `windows_defender_asr_rule_disabled_filter`", "how_to_implement": "The following analytic requires collection of Windows Defender Operational logs in either XML or multi-line. To collect, setup a new input for the Windows Defender Operational logs. In addition, it does require a lookup that maps the ID to ASR Rule name.", "known_false_positives": "False positives may occur if applications are typically disabling ASR rules in the environment. Monitor for changes to ASR rules to determine if this is a false positive.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "ms_defender", "definition": "source=\"WinEventLog:Microsoft-Windows-Windows Defender/Operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_defender_asr_rule_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "asr_rules", "description": "A csv of the ID and rule name for ASR, Microsoft Attack Surface Reduction rules.", "filename": "asr_rules.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(ASR_Rule)", "min_matches": 1, "fields_list": null}]}, {"name": "Windows Defender ASR Rules Stacking", "author": "Michael Haag, Splunk", "date": "2023-11-20", "version": 1, "id": "425a6657-c5e4-4cbb-909e-fc9e5d326f01", "description": "This hunting analytic targets a range of security events from Microsoft Defender, focusing on the Exploit Guard and Attack Surface Reduction (ASR) features. It monitors specific Event IDs - Event IDs 1121 and 1126 indicate active blocking of unauthorized operations or dangerous network connections, whereas Event IDs 1122 and 1125 represent audit logs for similar activities. Event ID 1129 shows user overrides on blocked operations. For ASR-related activities, Event IDs 1131 and 1133 signal blocked operations, while 1132 and 1134 are audit logs. Event ID 5007 alerts on configuration changes, possibly indicating security breaches.\nAdditionally, the analytic utilizes a lookup to correlate ASR rule GUIDs with their descriptive names, enhancing understanding of the context behind these security alerts. This includes rules for blocking vulnerable drivers, restricting actions of Adobe Reader and Office applications, and protecting against various malware and unauthorized system changes. This comprehensive approach aids in assessing policy enforcement and potential security risks.", "references": ["https://asrgen.streamlit.app/", "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction?view=o365-worldwide"], "tags": {"analytic_story": ["Windows Attack Surface Reduction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "ASR_Rule", "type": "Unknown", "role": ["Other"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "An ASR rule, $ASR_Rule$, was triggered on $dest$.", "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566.002", "mitre_attack_technique": "Spearphishing Link", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "type": "Hunting", "search": "`ms_defender` EventCode IN (1121, 1122, 1125, 1126, 1129, 1131, 1132, 1133, 1134, 5007) | stats count min(_time) as firstTime max(_time) as lastTime by host Parent_Commandline, Process_Name, Path, ID, EventCode | lookup asr_rules ID OUTPUT ASR_Rule | fillnull value=NULL | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| rename host as dest | `windows_defender_asr_rules_stacking_filter`", "how_to_implement": "The following analytic requires collection of Windows Defender Operational logs in either XML or multi-line. To collect, setup a new input for the Windows Defender Operational logs. In addition, it does require a lookup that maps the ID to ASR Rule name. Note that Audit and block Event IDs have different fields, therefore the analytic will need to be modified for each type of event. The analytic can be modified to look for specific ASR rules, or to look for specific Event IDs. EventID 5007 is a change in the registry, and may be a false positive. This can be removed from the search if desired.", "known_false_positives": "False positives are not expected with this analytic, since it is a hunting analytic. It is meant to show the use of ASR rules and how they can be used to detect malicious activity.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "ms_defender", "definition": "source=\"WinEventLog:Microsoft-Windows-Windows Defender/Operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_defender_asr_rules_stacking_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "asr_rules", "description": "A csv of the ID and rule name for ASR, Microsoft Attack Surface Reduction rules.", "filename": "asr_rules.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(ASR_Rule)", "min_matches": 1, "fields_list": null}]}, {"name": "Windows Defender Exclusion Registry Entry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2023-04-27", "version": 3, "id": "13395a44-4dd9-11ec-9df7-acde48001122", "description": "This analytic will detect a suspicious process that modify a registry related to windows defender exclusion feature. This registry is abused by adversaries, malware author and red teams to bypassed Windows Defender Anti-Virus product by excluding folder path, file path, process, extensions and etc. from its real time or schedule scan to execute their malicious code. This is a good indicator for a defense evasion and to look further for events after this behavior.", "references": ["https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html", "https://app.any.run/tasks/cf1245de-06a7-4366-8209-8e3006f2bfe5/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"analytic_story": ["Azorult", "Qakbot", "Remcos", "Warzone RAT", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Exclusion registry $registry_path$ modified or added on $dest$ for Windows Defender", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Exclusions\\\\*\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_defender_exclusion_registry_entry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin or user may choose to use this windows features.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_defender_exclusion_registry_entry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Delete or Modify System Firewall", "author": "Teoderick Contreras, Splunk", "date": "2023-09-08", "version": 1, "id": "b188d11a-eba7-419d-b8b6-cc265b4f2c4f", "description": "This analytic identifies potentially malicious 'netsh' processes that manipulate firewall configurations. This behavior has been observed in the NJRAT malware, which deletes its added firewall rules as part of its cleanup process. Leveraging this anomaly detection can be a valuable approach for detecting malware, such as NJRAT, that makes alterations to firewall configurations as a component of its malicious activities.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat"], "tags": {"analytic_story": ["NjRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A $process_name$ deleted a firewall configuration on $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT", "ToddyCat"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh` Processes.process = \"* firewall *\" Processes.process = \"* delete *\" by Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_delete_or_modify_system_firewall_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator may modify or delete firewall configuration.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_netsh", "definition": "(Processes.process_name=netsh.exe OR Processes.original_file_name=netsh.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_delete_or_modify_system_firewall_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Deleted Registry By A Non Critical Process File Path", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2023-04-14", "version": 2, "id": "15e70689-f55b-489e-8a80-6d0cd6d8aad2", "description": "This analytic is to detect deletion of registry with suspicious process file path. This technique was seen in Double Zero wiper malware where it will delete all the subkey in HKLM, HKCU and HKU registry hive as part of its destructive payload to the targeted hosts. This anomaly detections can catch possible malware or advesaries deleting registry as part of defense evasion or even payload impact but can also catch for third party application updates or installation. In this scenario false positive filter is needed.", "references": ["https://blog.talosintelligence.com/2022/03/threat-advisory-doublezero.html"], "tags": {"analytic_story": ["Data Destruction", "Double Zero Destructor"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "The registry was deleted by a suspicious process named $process_name$ with the process path $process_path$ on dest $dest$.", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry WHERE Registry.action=deleted BY _time span=1h Registry.dest Registry.registry_path Registry.registry_value_name Registry.registry_key_name Registry.process_guid Registry.registry_value_data Registry.action | `drop_dm_object_name(Registry)` | join process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes WHERE NOT (Processes.process_path IN (\"*\\\\windows\\\\*\", \"*\\\\program files*\")) by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.user Processes.parent_process_name Processes.parent_process Processes.process_path Processes.process_guid | `drop_dm_object_name(Processes)`] | fields _time parent_process_name parent_process process_name process_path process process_guid registry_path registry_value_name registry_value_data registry_key_name action dest user | `windows_deleted_registry_by_a_non_critical_process_file_path_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "This detection can catch for third party application updates or installation. In this scenario false positive filter is needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_deleted_registry_by_a_non_critical_process_file_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Disable Change Password Through Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2023-04-27", "version": 3, "id": "0df33e1a-9ef6-11ec-a1ad-acde48001122", "description": "This analytic is to detect a suspicious registry modification to disable change password feature of the windows host. This registry modification may disables the Change Password button on the Windows Security dialog box (which appears when you press Ctrl+Alt+Del). As a result, users cannot change their Windows password on demand. This technique was seen in some malware family like ransomware to prevent the user to change the password after ownning the network or a system during attack. This windows feature may implemented by administrator to prevent normal user to change the password of a critical host or server, In this type of scenario filter is needed to minimized false positive.", "references": ["https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom_heartbleed.thdobah"], "tags": {"analytic_story": ["Ransomware", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Registry modification in \"DisableChangePassword\" on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableChangePassword\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_change_password_through_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "This windows feature may implemented by administrator to prevent normal user to change the password of a critical host or server, In this type of scenario filter is needed to minimized false positive.", "datamodel": ["Endpoint", "Change"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_disable_change_password_through_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Disable Lock Workstation Feature Through Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2023-04-27", "version": 3, "id": "c82adbc6-9f00-11ec-a81f-acde48001122", "description": "This analytic is to detect a suspicious registry modification to disable Lock Computer windows features. This registry modification prevent the user from locking its screen or computer that are being abused by several malware for example ransomware. This technique was used by threat actor to make its payload more impactful to the compromised host.", "references": ["https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/", "https://heimdalsecurity.com/blog/fatalrat-targets-telegram/"], "tags": {"analytic_story": ["Ransomware", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Registry modification in \"DisableLockWorkstation\" on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableLockWorkstation\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_lock_workstation_feature_through_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_disable_lock_workstation_feature_through_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Disable LogOff Button Through Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2023-04-27", "version": 3, "id": "b2fb6830-9ed1-11ec-9fcb-acde48001122", "description": "This analytic is to detect a suspicious registry modification to disable logoff feature in windows host. This registry when enable will prevent users to log off of the system by using any method, including programs run from the command line, such as scripts. It also disables or removes all menu items and buttons that log the user off of the system. This technique was seen abused by ransomware malware to make the compromised host un-useful and hard to remove other registry modification made on the machine that needs restart to take effect. This windows feature may implement by administrator in some server where shutdown is critical. In that scenario filter of machine and users that can modify this registry is needed.", "references": ["https://www.hybrid-analysis.com/sample/e2d4018fd3bd541c153af98ef7c25b2bf4a66bc3bfb89e437cde89fd08a9dd7b/5b1f4d947ca3e10f22714774", "https://malwiki.org/index.php?title=DigiPop.xp", "https://www.trendmicro.com/vinfo/be/threat-encyclopedia/search/js_noclose.e/2"], "tags": {"analytic_story": ["Ransomware", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Registry modification in \"NoLogOff\" on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\*\" Registry.registry_value_name IN (\"NoLogOff\", \"StartMenuLogOff\") Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_logoff_button_through_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "This windows feature may implement by administrator in some server where shutdown is critical. In that scenario filter of machine and users that can modify this registry is needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_disable_logoff_button_through_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Disable Memory Crash Dump", "author": "Michael Haag, Splunk", "date": "2023-04-27", "version": 2, "id": "59e54602-9680-11ec-a8a6-acde48001122", "description": "The following analytic identifies a process that is attempting to disable the ability on Windows to generate a memory crash dump. This was recently identified being utilized by HermeticWiper. To disable crash dumps, the value must be set to 0. This feature is typically modified to perform a memory crash dump when a computer stops unexpectedly because of a Stop error (also known as a blue screen, system crash, or bug check).", "references": ["https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html", "https://docs.microsoft.com/en-us/troubleshoot/windows-server/performance/memory-dump-file-options"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Ransomware", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A process was identified attempting to disable memory crash dumps on $dest$.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry where (Registry.registry_path=\"*\\\\CurrentControlSet\\\\Control\\\\CrashControl\\\\CrashDumpEnabled\") AND Registry.registry_value_data=\"0x00000000\" by _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_memory_crash_dump_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` and `Registry` node.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_disable_memory_crash_dump_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Disable Notification Center", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2023-12-27", "version": 3, "id": "1cd983c8-8fd6-11ec-a09d-acde48001122", "description": "The following search identifies a modification of registry to disable the windows notification center feature in a windows host machine. This registry modification removes notification and action center from the notification area on the task bar. This modification are seen in RAT malware to cover their tracks upon downloading other of its component or other payload.", "references": ["https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html"], "tags": {"analytic_story": ["CISA AA23-347A", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The Windows notification center was disabled on $dest$ by $user$.", "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_value_name= \"DisableNotificationCenter\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_notification_center_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin or user may choose to disable this windows features.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_disable_notification_center_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Disable or Modify Tools Via Taskkill", "author": "Teoderick Contreras, Splunk", "date": "2023-09-13", "version": 1, "id": "a43ae66f-c410-4b3d-8741-9ce1ad17ddb0", "description": "This analytic is designed to identify potentially malicious processes that terminate other processes using taskkill.exe. This technique has been observed in various malware instances, employed by adversaries and red teamers alike, to forcibly terminate other processes whether they be security products or other legitimate applications as part of their malicious activities. Detecting this anomaly serves as a valuable alert mechanism to identify suspicious processes or malware attempting to evade detection and disrupt system stability.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat"], "tags": {"analytic_story": ["NjRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process", "Attacker"]}], "message": "A taskkill process to terminate process is executed on host- $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"taskkill.exe\" Processes.process IN (\"* /f*\", \"* /t*\") Processes.process IN (\"* /im*\", \"* /pid*\") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.process_guid Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_or_modify_tools_via_taskkill_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Network administrator can use this application to kill process during audit or investigation.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_disable_or_modify_tools_via_taskkill_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Disable Shutdown Button Through Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2023-04-27", "version": 3, "id": "55fb2958-9ecd-11ec-a06a-acde48001122", "description": "This analytic is to detect a suspicious registry modification to disable shutdown button on the logon user. This technique was seen in several malware especially in ransomware family like killdisk malware variant to make the compromised host un-useful and hard to remove other registry modification made on the machine that needs restart to take effect. This windows feature may implement by administrator in some server where shutdown is critical. In that scenario filter of machine and users that can modify this registry is needed.", "references": ["https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom.msil.screenlocker.a/"], "tags": {"analytic_story": ["Ransomware", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Registry modification in \"shutdownwithoutlogon\" on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE ((Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\shutdownwithoutlogon\" Registry.registry_value_data = \"0x00000000\") OR (Registry.registry_path=\"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoClose\" Registry.registry_value_data = \"0x00000001\")) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_shutdown_button_through_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "This windows feature may implement by administrator in some server where shutdown is critical. In that scenario filter of machine and users that can modify this registry is needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_disable_shutdown_button_through_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Disable Windows Event Logging Disable HTTP Logging", "author": "Michael Haag, Splunk", "date": "2024-05-12", "version": 2, "id": "23fb6787-255f-4d5b-9a66-9fd7504032b5", "description": "The following analytic detects the use of AppCmd.exe to disable HTTP logging on IIS servers. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution events where AppCmd.exe is used with specific parameters to alter logging settings. This activity is significant because disabling HTTP logging can help adversaries hide their tracks and avoid detection by removing evidence of their actions. If confirmed malicious, this could allow attackers to operate undetected, making it difficult to trace their activities and respond to the intrusion effectively.", "references": ["https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework-1.pdf", "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", "https://www.secureworks.com/research/bronze-union", "https://strontic.github.io/xcyclopedia/library/appcmd.exe-055B2B09409F980BF9B5A3969D01E5B2.html"], "tags": {"analytic_story": ["CISA AA23-347A", "IIS Components", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to disable IIS HTTP Logging.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.002", "mitre_attack_technique": "Disable Windows Event Logging", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound", "Threat Group-3390"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.004", "mitre_attack_technique": "IIS Components", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where NOT (Processes.parent_process_name IN (\"msiexec.exe\", \"iissetup.exe\")) Processes.process_name=appcmd.exe Processes.process IN (\"*set config*\", \"*httplogging*\",\"*dontlog:true*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_windows_event_logging_disable_http_logging_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present only if scripts or Administrators are disabling logging. Filter as needed by parent process or other.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_disable_windows_event_logging_disable_http_logging_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Disable Windows Group Policy Features Through Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2023-12-27", "version": 4, "id": "63a449ae-9f04-11ec-945e-acde48001122", "description": "This analytic is to detect a suspicious registry modification to disable windows features. These techniques are seen in several ransomware malware to impair the compromised host to make it hard for analyst to mitigate or response from the attack. Disabling these known features make the analysis and forensic response more hard. Disabling these feature is not so common but can still be implemented by the administrator for security purposes. In this scenario filters for users that are allowed doing this is needed.", "references": ["https://hybrid-analysis.com/sample/ef1c427394c205580576d18ba68d5911089c7da0386f19d1ca126929d3e671ab?environmentId=120&lang=en", "https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis", "https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details"], "tags": {"analytic_story": ["CISA AA23-347A", "Ransomware", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Registry modification to disable windows group policy features on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\*\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\*\" Registry.registry_value_name IN (\"NoDesktop\", \"NoFind\", \"NoControlPanel\", \"NoFileMenu\", \"NoSetTaskbar\", \"NoTrayContextMenu\", \"TaskbarLockAll\", \"NoThemesTab\",\"NoPropertiesMyDocuments\",\"NoVisualStyleChoice\",\"NoColorChoice\",\"NoPropertiesMyDocuments\") Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_windows_group_policy_features_through_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "Disabling these features for legitimate purposes is not a common use case but can still be implemented by the administrators. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_disable_windows_group_policy_features_through_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows DisableAntiSpyware Registry", "author": "Rod Soto, Jose Hernandez, Michael Haag, Splunk", "date": "2023-12-27", "version": 2, "id": "23150a40-9301-4195-b802-5bb4f43067fb", "description": "The search looks for the Registry Key DisableAntiSpyware set to disable. This is consistent with Ryuk infections across a fleet of endpoints. This particular behavior is typically executed when an ransomware actor gains access to an endpoint and beings to perform execution. Usually, a batch (.bat) will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. Endpoint should be isolated.", "references": ["https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/"], "tags": {"analytic_story": ["Azorult", "CISA AA22-264A", "CISA AA23-347A", "RedLine Stealer", "Ryuk Ransomware", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows DisableAntiSpyware registry key set to 'disabled' on $dest$", "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_value_name=\"DisableAntiSpyware\" AND Registry.registry_value_data=\"0x00000001\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_disableantispyware_registry_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_disableantispyware_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows DiskCryptor Usage", "author": "Michael Haag, Splunk", "date": "2021-11-15", "version": 1, "id": "d56fe0c8-4650-11ec-a8fa-acde48001122", "description": "The following analytic identifies DiskCryptor process name of dcrypt.exe or internal name dcinst.exe. This utility has been utilized by adversaries to encrypt disks manually during an operation. In addition, during install, a dcrypt.sys driver is installed and requires a reboot in order to take effect. There are no command-line arguments used.", "references": ["https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/", "https://github.com/DavidXanatos/DiskCryptor"], "tags": {"analytic_story": ["Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to encrypt disks.", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "Akira", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "Scattered Spider", "TA505"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"dcrypt.exe\" OR Processes.original_file_name=dcinst.exe) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_diskcryptor_usage_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "It is possible false positives may be present based on the internal name dcinst.exe, filter as needed. It may be worthy to alert on the service name.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_diskcryptor_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Diskshadow Proxy Execution", "author": "Lou Stella, Splunk", "date": "2022-02-15", "version": 1, "id": "58adae9e-8ea3-11ec-90f6-acde48001122", "description": "DiskShadow.exe is a Microsoft Signed binary present on Windows Server. It has a scripting mode intended for complex scripted backup operations. This feature also allows for execution of arbitrary unsigned code. This analytic looks for the usage of the scripting mode flags in executions of DiskShadow. During triage, compare to known backup behavior in your environment and then review the scripts called by diskshadow.", "references": ["https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/"], "tags": {"analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Possible Signed Binary Proxy Execution on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_diskshadow` (Processes.process=*-s* OR Processes.process=*/s*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_diskshadow_proxy_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators using the DiskShadow tool in their infrastructure as a main backup tool with scripts will cause false positives that can be filtered with `windows_diskshadow_proxy_execution_filter`", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_diskshadow", "definition": "(Processes.process_name=diskshadow.exe OR Processes.original_file_name=diskshadow.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_diskshadow_proxy_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows DISM Remove Defender", "author": "Michael Haag, Splunk", "date": "2024-05-17", "version": 2, "id": "8567da9e-47f0-11ec-99a9-acde48001122", "description": "The following analytic detects the use of `dism.exe` to remove Windows Defender. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that include specific parameters for disabling and removing Windows Defender. This activity is significant because adversaries may disable Defender to evade detection and carry out further malicious actions undetected. If confirmed malicious, this could lead to the attacker gaining persistent access, executing additional payloads, or exfiltrating sensitive data without being intercepted by Windows Defender.", "references": ["https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/"], "tags": {"analytic_story": ["CISA AA23-347A", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to disable Windows Defender.", "risk_score": 80, "security_domain": "access", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=dism.exe (Processes.process=\"*/online*\" AND Processes.process=\"*/disable-feature*\" AND Processes.process=\"*Windows-Defender*\" AND Processes.process=\"*/remove*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_dism_remove_defender_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Some legitimate administrative tools leverage `dism.exe` to manipulate packages and features of the operating system. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_dism_remove_defender_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows DLL Search Order Hijacking Hunt with Sysmon", "author": "Michael Haag, Splunk", "date": "2024-03-17", "version": 4, "id": "79c7d1fc-64c7-91be-a616-ccda752efe81", "description": "This hunting analytic identifies known Windows libraries potentially used in DLL search order hijacking or DLL Sideloading scenarios. Such cases may necessitate recompiling the DLL, relocating the DLL, or moving the vulnerable process. The query searches for any processes running outside of system32 or syswow64 directories. Certain libraries inherently operate from different application paths and must be added to the exclusion list as required. The lookup includes Microsoft native libraries cataloged in the Hijacklibs.net project.", "references": ["https://hijacklibs.net/"], "tags": {"analytic_story": ["Living Off The Land", "Qakbot", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Potential Windows DLL Search Order Hijacking detected on $dest$", "risk_score": 1, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1574.001", "mitre_attack_technique": "DLL Search Order Hijacking", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT41", "Aquatic Panda", "BackdoorDiplomacy", "Cinnamon Tempest", "Evilnum", "RTM", "Threat Group-3390", "Tonto Team", "Whitefly", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "Hunting", "search": "`sysmon` EventCode=7 NOT (process_path IN (\"*\\\\system32\\\\*\", \"*\\\\syswow64\\\\*\",\"*\\\\winsxs\\\\*\",\"*\\\\wbem\\\\*\")) | lookup hijacklibs library AS loaded_file OUTPUT islibrary | search islibrary = True | stats count min(_time) as firstTime max(_time) as lastTime values(process_name) as process_name by _time dest loaded_file | `windows_dll_search_order_hijacking_hunt_with_sysmon_filter`", "how_to_implement": "The search is written against the latest Sysmon TA 4.0 https://splunkbase.splunk.com/app/5709. For this specific event ID 7, the sysmon TA will extract the ImageLoaded name to the loaded_file field which is used in the search to compare against the hijacklibs lookup.", "known_false_positives": "False positives will be present based on paths. Filter or add other paths to the exclusion as needed. Some applications may legitimately load libraries from non-standard paths.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_dll_search_order_hijacking_hunt_with_sysmon_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "hijacklibs", "description": "A list of potentially abused libraries in Windows", "filename": "hijacklibs.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(library)", "min_matches": 1, "fields_list": null}]}, {"name": "Windows DLL Search Order Hijacking with iscsicpl", "author": "Michael Haag, Splunk", "date": "2022-07-29", "version": 1, "id": "f39ee679-3b1e-4f47-841c-5c3c580acda2", "description": "The following analytic identifies a recently disclosed search ordler DLL hijack in iscsicpl.exe. The malicious DLL must be in a new path and iscsicpl.exe, upon load, will execute the payload. The analytic is restricted to Windows shells. Two proof of concepts were identified and utilized to determine the behavior. The command-line is an option to go after, but most likely identifying a child process off iscsicpl.exe will be more effective. Monitoring for suspicious DLL loads is also an option.", "references": ["https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC", "https://github.com/422926799/csplugin/tree/master/bypassUAC"], "tags": {"analytic_story": ["Living Off The Land", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to elevate access.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1574.001", "mitre_attack_technique": "DLL Search Order Hijacking", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT41", "Aquatic Panda", "BackdoorDiplomacy", "Cinnamon Tempest", "Evilnum", "RTM", "Threat Group-3390", "Tonto Team", "Whitefly", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=iscsicpl.exe `windows_shells` by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_dll_search_order_hijacking_with_iscsicpl_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filtering may be required. Remove the Windows Shells macro to determine if other utilities are using iscsicpl.exe.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_shells", "definition": "(Processes.process_name=cmd.exe OR Processes.process_name=powershell.exe OR Processes.process_name=pwsh.exe OR Processes.process_name=sh.exe OR Processes.process_name=bash.exe OR Processes.process_name=wscript.exe OR Processes.process_name=cscript.exe)", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_dll_search_order_hijacking_with_iscsicpl_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows DLL Side-Loading In Calc", "author": "Teoderick Contreras, Splunk", "date": "2022-10-24", "version": 1, "id": "af01f6db-26ac-440e-8d89-2793e303f137", "description": "The following analytic identifies suspicious DLL modules loaded by calc.exe that are not in windows %systemroot%\\system32 or %systemroot%\\sysWoW64 folder. This technique is well used by Qakbot malware to execute its malicious DLL file via dll side loading technique in calc process execution. This TTP detection is a good indicator that a suspicious dll was loaded in a public or non-common installation folder of Windows Operating System that needs further investigation.", "references": ["https://www.bitdefender.com/blog/hotforsecurity/new-qakbot-malware-strain-replaces-windows-calculator-dll-to-infected-pcs/"], "tags": {"analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "a dll modules is loaded by calc.exe in $ImageLoaded$ that are not in common windows OS installation folder in $dest$", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Cinnamon Tempest", "Earth Lusca", "FIN13", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "`sysmon` EventCode=7 Image = \"*\\calc.exe\" AND NOT (Image IN (\"*:\\\\windows\\\\system32\\\\*\", \"*:\\\\windows\\\\sysWow64\\\\*\")) AND NOT(ImageLoaded IN(\"*:\\\\windows\\\\system32\\\\*\", \"*:\\\\windows\\\\sysWow64\\\\*\", \"*:\\\\windows\\\\WinSXS\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded OriginalFileName Product process_name dest EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_dll_side_loading_in_calc_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on processes that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_dll_side_loading_in_calc_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows DLL Side-Loading Process Child Of Calc", "author": "Teoderick Contreras, Splunk", "date": "2022-10-20", "version": 1, "id": "295ca9ed-e97b-4520-90f7-dfb6469902e1", "description": "The following analytic identifies the suspicious child process of calc.exe due to dll side loading technique to execute another executable. This technique was seen in qakbot malware that uses dll side loading technique to calc applications to load its malicious dll code. The malicious dll that abuses dll side loading technique will load the actual qakbot loader dll using regsvr32.exe application. This TTP is a good indicator of qakbot since the calc.exe will not load other child processes aside from win32calc.exe.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot"], "tags": {"analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "calc.exe has a child process $process_name$ in $dest$", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Cinnamon Tempest", "Earth Lusca", "FIN13", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name = \"calc.exe\") AND Processes.process_name != \"win32calc.exe\" by Processes.parent_process Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_dll_side_loading_process_child_of_calc_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_dll_side_loading_process_child_of_calc_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows DNS Gather Network Info", "author": "Teoderick Contreras, Splunk", "date": "2023-04-05", "version": 1, "id": "347e0892-e8f3-4512-afda-dc0e3fa996f3", "description": "The following analytic identifies a process command line used to enumerate DNS records. Adversaries, threat actors, or red teamers may employ this technique to gather information about a victim's DNS, which can be utilized during targeting. This method was also observed as part of a tool used by the Sandworm APT group in a geopolitical cyber warfare attack. By using the dnscmd.exe Windows application, an attacker can enumerate DNS records for specific domains within the targeted network, potentially aiding in further attacks. This anomaly detection can serve as a valuable starting point for identifying users and hostnames that may be compromised or targeted by adversaries seeking to collect data information.", "references": ["https://cert.gov.ua/article/3718487", "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF"], "tags": {"analytic_story": ["Sandworm Tools", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Reconnaissance"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A process commandline $process$ to enumerate dns record in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1590.002", "mitre_attack_technique": "DNS", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"dnscmd.exe\" Processes.process = \"* /enumrecords *\" by Processes.parent_process Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_dns_gather_network_info_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "network administrator can execute this command to enumerate DNS record. Filter or add other paths to the exclusion as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_dns_gather_network_info_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows DnsAdmins New Member Added", "author": "Mauricio Velazco, Splunk", "date": "2023-11-07", "version": 3, "id": "27e600aa-77f8-4614-bc80-2662a67e2f48", "description": "The following analytic leverages Event ID 4732 to identify the addition of a new member to the DnsAdmins group within Active Directory. . Members of the DnsAdmin group can manage the DNS service which most of the times runs on the Domain Controller. By abusing legitimate DNS management functionality, a member of the DnsAdmins group can escalate privileges by executing malicious code on a Domain Controller as SYSTEM. Security teams should monitor the modification of the DnsAdmins group and validate the changes are legitimate.", "references": ["https://attack.mitre.org/techniques/T1098/", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/from-dnsadmins-to-system-to-domain-compromise", "https://www.hackingarticles.in/windows-privilege-escalation-dnsadmins-to-domainadmin/", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4732"], "tags": {"analytic_story": ["Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}], "message": "A new member $user$ added to the DnsAdmins group by $src_user$", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}]}, "type": "TTP", "search": " `wineventlog_security` EventCode=4732 TargetUserName=DnsAdmins | stats min(_time) as firstTime max(_time) as lastTime values(TargetUserName) as target_users_added values(user) as user by dest src_user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_dnsadmins_new_member_added_filter`", "how_to_implement": "To successfully implement this search, Domain Controller events need to be ingested. The Advanced Security Audit policy setting `Audit Security Group Management` within `Account Management` needs to be enabled.", "known_false_positives": "New members can be added to the DnsAdmins group as part of legitimate administrative tasks. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_dnsadmins_new_member_added_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Domain Account Discovery Via Get-NetComputer", "author": "Teoderick Contreras, Splunk", "date": "2023-12-15", "version": 1, "id": "a7fbbc4e-4571-424a-b627-6968e1c939e4", "description": "The following analytic leverages Event ID 4104 to identify the execution of the PowerView powershell commandlets Get-NetComputer. This technique was seen used in the context of PowerView's Get-NetUser cmdlet as a filter or parameter to query Active Directory user account's \"samccountname\", \"accountexpires\", \"lastlogon\" and so on. This hunting query is a good pivot to look for suspicious process or malware that gather user account information in a host or within network system.", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a"], "tags": {"analytic_story": ["CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Windows Domain Account Discovery Via Get-NetComputer in $dest$.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT41", "BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Scattered Spider", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}]}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Get-NetComputer*\" ScriptBlockText IN (\"*samaccountname*\", \"*accountexpires*\", \"*lastlogon*\", \"*lastlogoff*\", \"*pwdlastset*\", \"*logoncount*\") | rename Computer as dest, UserID as user | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_domain_account_discovery_via_get_netcomputer_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.=", "known_false_positives": "Administrators may leverage PowerView for legitimate purposes, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_domain_account_discovery_via_get_netcomputer_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Domain Admin Impersonation Indicator", "author": "Mauricio Velazco, Splunk", "date": "2023-10-06", "version": 2, "id": "10381f93-6d38-470a-9c30-d25478e3bd3f", "description": "The following analytic identifies potential Kerberos ticket forging attacks, specifically the Diamond Ticket attack. This is detected when a user logs into a host and the GroupMembership field in event 4627 indicates a privileged group (e.g., Domain Admins), but the user does not actually belong to that group in the directory service. The detection leverages Windows Security Event Log 4627, which logs account logon events. The analytic cross-references the GroupMembership field from the event against a pre-populated lookup of actual group memberships. Its crucial to note that the accuracy and effectiveness of this detection heavily rely on the users diligence in populating and regularly updating this lookup table. Any discrepancies between the events GroupMembership and the lookup indicate potential ticket forging. Kerberos ticket forging, especially the Diamond Ticket attack, allows attackers to impersonate any user and potentially gain unauthorized access to resources. By forging a ticket that indicates membership in a privileged group, an attacker can bypass security controls and gain elevated privileges. Detecting such discrepancies in group memberships during logon events can be a strong indicator of this attack in progress, making it crucial for security teams to monitor and investigate. If validated as a true positive, this indicates that an attacker has successfully forged a Kerberos ticket and may have gained unauthorized access to critical resources, potentially with elevated privileges.", "references": ["https://trustedsec.com/blog/a-diamond-in-the-ruff", "https://unit42.paloaltonetworks.com/next-gen-kerberos-attacks", "https://github.com/GhostPack/Rubeus/pull/136", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4627"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "TargetUserName", "type": "User", "role": ["Victim"]}], "message": "$TargetUserName$ may be impersonating a Domain Administrator through a forged Kerberos ticket.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}]}, "type": "TTP", "search": " `wineventlog_security` EventCode=4627 LogonType=3 NOT TargetUserName IN (\"*$\", \"SYSTEM\", \"DWM-*\",\"LOCAL SERVICE\",\"NETWORK SERVICE\", \"ANONYMOUS LOGON\", \"UMFD-*\") | where match(GroupMembership, \"Domain Admins\") | stats count by _time, TargetUserName, GroupMembership, host | lookup domain_admins username as TargetUserName OUTPUT username | fillnull value=NotDA username | search username = \"NotDA\" | `windows_domain_admin_impersonation_indicator_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Authentication events across all endpoints and ingest Event Id 4627. Specifically, the Audit Group Membership subcategory within the Logon Logooff category needs to be enabled. Its crucial to note that the accuracy and effectiveness of this detection heavily rely on the users diligence in populating and regularly updating this lookup table.", "known_false_positives": "False positives may trigger the detections certain scenarios like directory service delays or out of date lookups. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_domain_admin_impersonation_indicator_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "domain_admins", "description": "List of domain admins", "filename": "domain_admins.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": null, "min_matches": null, "fields_list": null}]}, {"name": "Windows DotNet Binary in Non Standard Path", "author": "Michael Haag, Splunk", "date": "2023-04-14", "version": 1, "id": "fddf3b56-7933-11ec-98a6-acde48001122", "description": "The following analytic identifies native .net binaries within the Windows operating system that may be abused by adversaries by moving it to a new directory. The analytic identifies the .net binary by using a lookup and compares the process name and original file name (internal name). The analytic utilizes a lookup with the is_net_windows_file_macro macro to identify the binary process name and original file name. if one or the other matches an alert will be generated. Adversaries abuse these binaries as they are native to windows and native DotNet. Note that not all SDK (post install of Windows) are captured in the lookup.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.yaml", "https://attack.mitre.org/techniques/T1036/003/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"], "tags": {"analytic_story": ["Data Destruction", "Masquerading - Rename System Utilities", "Ransomware", "Signed Binary Proxy Execution InstallUtil", "Unusual Processes", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ from a non-standard path was identified on endpoint $dest$ by user $user$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where NOT (Processes.process_path IN (\"*\\\\Windows\\\\ADWS\\\\*\",\"*\\\\Windows\\\\SysWOW64*\", \"*\\\\Windows\\\\system32*\", \"*\\\\Windows\\\\NetworkController\\\\*\", \"*\\\\Windows\\\\SystemApps\\\\*\", \"*\\\\WinSxS\\\\*\", \"*\\\\Windows\\\\Microsoft.NET\\\\*\")) by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_path Processes.process_id Processes.parent_process_id | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `is_net_windows_file_macro` | `windows_dotnet_binary_in_non_standard_path_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present and filtering may be required. Certain utilities will run from non-standard paths based on the third-party application in use.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "is_net_windows_file_macro", "definition": "lookup update=true is_net_windows_file filename as process_name OUTPUT netFile | lookup update=true is_net_windows_file originalFileName as original_file_name OUTPUT netFile | search netFile=true", "description": "This macro limits the output to process names that are .net binaries on Windows Server 2016 and Windows 11."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_dotnet_binary_in_non_standard_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Driver Inventory", "author": "Michael Haag, Splunk", "date": "2023-02-03", "version": 1, "id": "f87aa96b-369b-4a3e-9021-1bbacbfcb8fb", "description": "The following hunting / inventory query assists defenders in identifying Drivers being loaded across the fleet. This query relies upon a PowerShell script input to be deployed to critical systems and beyond. If capturing all via the input, this will provide retrospection into drivers persisting. Note, that this is not perfect across a large fleet. Modify the query as you need to view the data differently.", "references": ["https://gist.github.com/MHaggis/3e4dc85c69b3f7a4595a06c8a692f244"], "tags": {"analytic_story": ["Windows Drivers"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Drivers have been identified on $dest$.", "risk_score": 5, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}]}, "type": "Hunting", "search": "`driverinventory` | stats values(Path) min(_time) as firstTime max(_time) as lastTime count by host DriverType | rename host as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_driver_inventory_filter`", "how_to_implement": "To capture the drivers by host, utilize the referenced Gist to create the inputs, props and transforms. Otherwise, this hunt query will not work.", "known_false_positives": "Filter and modify the analytic as you'd like. Filter based on path. Remove the system32\\drivers and look for non-standard paths.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "driverinventory", "definition": "sourcetype=PwSh:DriverInventory", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_driver_inventory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Driver Load Non-Standard Path", "author": "Michael Haag, Splunk", "date": "2023-02-24", "version": 2, "id": "9216ef3d-066a-4958-8f27-c84589465e62", "description": "The following analytic uses Windows EventCode 7045 to identify new Kernel Mode Drivers being loaded in Windows from a non-standard path. Note that, adversaries may move malicious or vulnerable drivers into these paths and load up. The idea is that this analytic provides visibility into drivers loading in non-standard file paths.", "references": ["https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/", "https://attack.mitre.org/techniques/T1014/", "https://www.fuzzysecurity.com/tutorials/28.html"], "tags": {"analytic_story": ["AgentTesla", "BlackByte Ransomware", "CISA AA22-320A", "Windows Drivers"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A kernel mode driver was loaded from a non-standard path on $dest$.", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1014", "mitre_attack_technique": "Rootkit", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT41", "Rocke", "TeamTNT", "Winnti Group"]}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}]}, "type": "TTP", "search": "`wineventlog_system` EventCode=7045 ServiceType=\"kernel mode driver\" NOT (ImagePath IN (\"*\\\\Windows\\\\*\", \"*\\\\Program File*\", \"*\\\\systemroot\\\\*\",\"%SystemRoot%*\", \"system32\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ImagePath ServiceName ServiceType | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_driver_load_non_standard_path_filter`", "how_to_implement": "To implement this analytic, the Windows EventCode 7045 will need to be logged. The Windows TA for Splunk is also recommended.", "known_false_positives": "False positives may be present based on legitimate third party applications needing to install drivers. Filter, or allow list known good drivers consistently being installed in these paths.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_driver_load_non_standard_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Drivers Loaded by Signature", "author": "Michael Haag, Splunk", "date": "2022-03-30", "version": 1, "id": "d2d4af6a-6c2b-4d79-80c5-fc2cf12a2f68", "description": "The following analytic assists with viewing all drivers being loaded by using Sysmon EventCode 6 (Driver Load). Sysmon provides some simple fields to assist with identifying suspicious drivers. Use this analytic to look at prevalence of driver (count), path of driver, signature status and hash. Review these fields with scrutiny until the ability to prove the driver is legitimate and has a purpose in the environment.", "references": ["https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/", "https://attack.mitre.org/techniques/T1014/", "https://www.fuzzysecurity.com/tutorials/28.html"], "tags": {"analytic_story": ["AgentTesla", "BlackByte Ransomware", "CISA AA22-320A", "Windows Drivers"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A driver has loaded on $dest$.", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1014", "mitre_attack_technique": "Rootkit", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT41", "Rocke", "TeamTNT", "Winnti Group"]}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}]}, "type": "Hunting", "search": "`sysmon` EventCode=6 | stats min(_time) as firstTime max(_time) as lastTime values(ImageLoaded) count by dest Signed Signature service_signature_verified service_signature_exists Hashes | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_drivers_loaded_by_signature_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have the latest version of the Sysmon TA. Most EDR products provide the ability to review driver loads, or module loads, and using a query as such help with hunting for malicious drivers.", "known_false_positives": "This analytic is meant to assist with identifying drivers loaded in the environment and not to be setup for notables off the bat.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_drivers_loaded_by_signature_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Enable Win32 ScheduledJob via Registry", "author": "Michael Haag, Splunk", "date": "2023-03-27", "version": 1, "id": "12c80db8-ef62-4456-92df-b23e1b3219f6", "description": "This analytic searches for a registry modification that enables the use of the at.exe or wmi Win32_ScheduledJob command to add scheduled tasks on a Windows endpoint. Specifically, it looks for the creation of a new DWORD value named \"EnableAt\" in the following registry path: \"HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\". If this value is set to 1, it enables the at.exe and wmi Win32_ScheduledJob commands to schedule tasks on the system. Detecting this registry modification is important because it may indicate that an attacker has enabled the ability to add scheduled tasks to the system, which can be used to execute malicious code at specific times or intervals.", "references": ["https://securityonline.info/wmiexec-regout-get-outputdata-response-from-registry/", "https://learn.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A process has modified the schedule task registry value - EnableAt - on endpoint $dest$ by user $user$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\CurrentVersion\\\\Schedule\\\\Configuration*\" Registry.registry_value_name=EnableAt by Registry.dest, Registry.user, Registry.registry_value_name, Registry.registry_value_type | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `windows_enable_win32_scheduledjob_via_registry_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "In some cases, an automated script or system may enable this setting continuously, leading to false positives. To avoid such situations, it is recommended to monitor the frequency and context of the registry modification and modify or filter the detection rules as needed. This can help to reduce the number of false positives and ensure that only genuine threats are identified. Additionally, it is important to investigate any detected instances of this modification and analyze them in the broader context of the system and network to determine if further action is necessary.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_enable_win32_scheduledjob_via_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Event For Service Disabled", "author": "Teoderick Contreras, Splunk", "date": "2024-04-26", "version": 3, "id": "9c2620a8-94a1-11ec-b40c-acde48001122", "description": "This analytic will identify suspicious system event of services that was modified from start to disabled. This technique is seen where the adversary attempts to disable security app services, other malware services to evade the defense systems on the compromised host", "references": ["https://blog.talosintelligence.com/2018/02/olympic-destroyer.html"], "tags": {"analytic_story": ["RedLine Stealer", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Service $ServiceName$ was disabled on $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "Hunting", "search": "`wineventlog_system` EventCode=7040 EventData_Xml=\"*disabled*\" | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode Name UserID service ServiceName | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_event_for_service_disabled_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints.", "known_false_positives": "Windows service update may cause this event. In that scenario, filtering is needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_event_for_service_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Event Log Cleared", "author": "Rico Valdez, Michael Haag, Splunk", "date": "2024-04-26", "version": 7, "id": "ad517544-aff9-4c96-bd99-d6eb43bfbb6a", "description": "The following analytic utilizes Windows Security Event ID 1102 or System log event 104 to identify when a Windows event log is cleared. Note that this analytic will require tuning or restricted to specific endpoints based on criticality. During triage, based on time of day and user, determine if this was planned. If not planned, follow through with reviewing parallel alerts and other data sources to determine what else may have occurred.", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1102", "https://www.ired.team/offensive-security/defense-evasion/disabling-windows-event-logs-by-suspending-eventlog-service-threads", "https://attack.mitre.org/techniques/T1070/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"], "tags": {"analytic_story": ["CISA AA22-264A", "Clop Ransomware", "Ransomware", "Windows Log Manipulation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows event logs cleared on $dest$ via EventCode $EventCode$", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}, {"mitre_attack_id": "T1070.001", "mitre_attack_technique": "Clear Windows Event Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "APT38", "APT41", "Chimera", "Dragonfly", "FIN5", "FIN8", "Indrik Spider"]}]}, "type": "TTP", "search": "(`wineventlog_security` EventCode=1102) OR (`wineventlog_system` EventCode=104) | stats count min(_time) as firstTime max(_time) as lastTime by dest name EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_event_log_cleared_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows event logs from your hosts. In addition, the Splunk Windows TA is needed.", "known_false_positives": "It is possible that these logs may be legitimately cleared by Administrators. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_event_log_cleared_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Event Triggered Image File Execution Options Injection", "author": "Michael Haag, Splunk", "date": "2022-09-08", "version": 1, "id": "f7abfab9-12ea-44e8-8745-475f9ca6e0a4", "description": "The following hunting analytic identifies EventCode 3000 in Application channel indicating a process exit. This behavior is based on process names being added to the Image File Execution Options under HKLM \\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\ and \\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit. Once these are set for a process, an eventcode 3000 will generate. The example used is from Thinkst Canary where a CanaryToken is setup to monitor for a commonly abused living off the land binary (ex. Klist.exe) and generate an event when it occurs. This can be seen as settings traps to monitor for suspicious behavior. Monitor and tune this hunting analytic and setup traps across your organization and begin monitoring.", "references": ["https://blog.thinkst.com/2022/09/sensitive-command-token-so-much-offense.html", "https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/registry-entries-for-silent-process-exit"], "tags": {"analytic_story": ["Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows eventcode 3000 triggered on $dest$ potentially indicating persistence or a monitoring of a process has occurred.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.012", "mitre_attack_technique": "Image File Execution Options Injection", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "Hunting", "search": "`wineventlog_application` EventCode=3000 | rename param1 AS \"Process\" param2 AS \"Exit_Code\" | stats count min(_time) as firstTime max(_time) as lastTime by Process Exit_Code dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_event_triggered_image_file_execution_options_injection_filter`", "how_to_implement": "This analytic requires capturing the Windows Event Log Application channel in XML.", "known_false_positives": "False positives may be present and tuning will be required before turning into a TTP or notable.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_application", "definition": "eventtype=wineventlog_application OR source=\"XmlWinEventLog:Application\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_event_triggered_image_file_execution_options_injection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Excessive Disabled Services Event", "author": "Teoderick Contreras, Splunk", "date": "2024-04-26", "version": 3, "id": "c3f85976-94a5-11ec-9a58-acde48001122", "description": "This analytic will identify suspicious excessive number of system events of services that was modified from start to disabled. This technique is seen where the adversary attempts to disable security app services, other malware services oer serve as an destructive impact to complete the objective on the compromised system. One good example for this scenario is Olympic destroyer where it disable all active services in the compromised host as part of its destructive impact and defense evasion.", "references": ["https://blog.talosintelligence.com/2018/02/olympic-destroyer.html"], "tags": {"analytic_story": ["CISA AA23-347A", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "An excessive number (Count - $MessageCount$) of Windows services were disabled on dest - $dest$.", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "TTP", "search": "`wineventlog_system` EventCode=7040 \"disabled\" | stats count values(EventData_Xml) as MessageList dc(EventData_Xml) as MessageCount min(_time) as firstTime max(_time) as lastTime by Computer EventCode UserID | rename Computer as dest | where count >=10 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_excessive_disabled_services_event_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints.", "known_false_positives": "Unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_excessive_disabled_services_event_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Executable in Loaded Modules", "author": "Teoderick Contreras, Splunk", "date": "2023-09-12", "version": 1, "id": "3e27af56-fcf0-4113-988d-24969b062be7", "description": "This analytic identifies potentially malicious 'ImageLoaded' events, particularly when they involve executable files. This behavior was observed in NjRAT instances, where, during each instance of loading a module from its C2 server onto the compromised host, Sysmon recorded the path of the actual Image or Process as an 'ImageLoaded' event, rather than the typical tracking of dynamically loaded DLL modules in memory. This event holds significance because it tracks processes that load modules and libraries, which are typically in the .dll format rather than .exe. Leveraging this 'Time-To-Perform' (TTP) detection method can prove invaluable for the identification of NjRAT malware or other malicious software instances that introduce executable files as modules within a targeted host.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat"], "tags": {"analytic_story": ["NjRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "An executable $ImageLoaded$ loaded by $Image$ on $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1129", "mitre_attack_technique": "Shared Modules", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "`sysmon` EventCode=7 ImageLoaded= *.exe | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded Signed SignatureStatus OriginalFileName process_name Computer EventCode ProcessId Hashes IMPHASH | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_executable_in_loaded_modules_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_executable_in_loaded_modules_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Execute Arbitrary Commands with MSDT", "author": "Michael Haag, Teoderick Contreras, Splunk", "date": "2022-06-29", "version": 3, "id": "e1d5145f-38fe-42b9-a5d5-457796715f97", "description": "The following analytic identifies a recently disclosed arbitraty command execution using Windows msdt.exe - a Diagnostics Troubleshooting Wizard. The sample identified will use the ms-msdt:/ protocol handler to load msdt.exe to retrieve a remote payload. During triage, review file modifications for html. Identify parallel process execution that may be related, including an Office Product.", "references": ["https://isc.sans.edu/diary/rss/28694", "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e", "https://twitter.com/nao_sec/status/1530196847679401984?s=20&t=ZiXYI4dQuA-0_dzQzSUb3A", "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", "https://www.virustotal.com/gui/file/4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784/detection", "https://strontic.github.io/xcyclopedia/library/msdt.exe-152D4C9F63EFB332CCB134C6953C0104.html"], "tags": {"analytic_story": ["Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "A parent process $parent_process_name$ has spawned a child process $process_name$ on host $dest$ possibly indicative of indirect command execution.", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=msdt.exe Processes.process IN (\"*msdt*\",\"*ms-msdt:*\",\"*ms-msdt:/id*\",\"*ms-msdt:-id*\",\"*/id*\") AND (Processes.process=\"*IT_BrowseForFile=*\" OR Processes.process=\"*IT_RebrowseForFile=*\" OR Processes.process=\"*.xml*\") AND Processes.process=\"*PCWDiagnostic*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_execute_arbitrary_commands_with_msdt_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed. Added .xml to potentially capture any answer file usage. Remove as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_execute_arbitrary_commands_with_msdt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Exfiltration Over C2 Via Invoke RestMethod", "author": "Teoderick Contreras, Splunk", "date": "2023-04-05", "version": 1, "id": "06ade821-f6fa-40d0-80af-15bc1d45b3ba", "description": "The following analytic identifies the potential exfiltration of data using PowerShell's Invoke-RestMethod. This technique was observed in the Winter-Vivern malware, which uploads desktop screenshots and files from compromised or targeted hosts. Detecting this TTP can serve as a valuable indicator that a process is attempting to upload files to an external or internal URI link. We recommend examining the process, the files it is trying to upload, and the URL link or C2 destination where the data is being uploaded.", "references": ["https://twitter.com/_CERT_UA/status/1620781684257091584", "https://cert.gov.ua/article/3761104"], "tags": {"analytic_story": ["Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "A PowerShell script on $Computer$ is attempting to transfer files to a remote URL.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1041", "mitre_attack_technique": "Exfiltration Over C2 Channel", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Chimera", "Confucius", "GALLIUM", "Gamaredon Group", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "LuminousMoth", "MuddyWater", "Sandworm Team", "Stealth Falcon", "Wizard Spider", "ZIRCONIUM"]}]}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Invoke-RestMethod *\" AND ScriptBlockText = \"* -Uri *\" AND ScriptBlockText = \"* -Method *\" AND ScriptBlockText = \"* Post *\" AND ScriptBlockText = \"* -InFile *\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_exfiltration_over_c2_via_invoke_restmethod_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives should be limited. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_exfiltration_over_c2_via_invoke_restmethod_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Exfiltration Over C2 Via Powershell UploadString", "author": "Teoderick Contreras, Splunk", "date": "2023-04-05", "version": 1, "id": "59e8bf41-7472-412a-90d3-00f3afa452e9", "description": "The following analytic identifies potential data exfiltration using the PowerShell net.webclient command. This technique was observed in the Winter-Vivern malware, which uploads desktop screenshots and files from compromised or targeted hosts. Detecting this TTP can serve as a valuable indicator that a process is attempting to upload files to an external or internal URI link. We recommend examining the process, the files it is trying to upload, and the URL link or C2 destination where the data is being uploaded.", "references": ["https://twitter.com/_CERT_UA/status/1620781684257091584", "https://cert.gov.ua/article/3761104"], "tags": {"analytic_story": ["Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "A PowerShell script on $Computer$ is attempting to transfer files to a remote URL.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1041", "mitre_attack_technique": "Exfiltration Over C2 Channel", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Chimera", "Confucius", "GALLIUM", "Gamaredon Group", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "LuminousMoth", "MuddyWater", "Sandworm Team", "Stealth Falcon", "Wizard Spider", "ZIRCONIUM"]}]}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Net.webclient*\" AND ScriptBlockText = \"*.UploadString*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_exfiltration_over_c2_via_powershell_uploadstring_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives should be limited. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_exfiltration_over_c2_via_powershell_uploadstring_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Export Certificate", "author": "Michael Haag, Splunk", "date": "2023-02-11", "version": 2, "id": "d8ddfa9b-b724-4df9-9dbe-f34cc0936714", "description": "The following analytic identifies when a certificate is exported from the Windows Certificate Store. This analytic utilizes the Certificates Lifecycle log channel event ID 1007. EventID 1007 is focused on the Export of a certificate from the local certificate store. In addition, review the ProcessName field as it will help to determine automation/Admin or adversary extracting the certificate. Depending on the organization, the certificate may be used for authentication to the VPN or private resources.", "references": ["https://atomicredteam.io/defense-evasion/T1553.004/#atomic-test-4---install-root-ca-on-windows"], "tags": {"analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An certificate was exported on $dest$ from the Windows Certificate Store.", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1552.004", "mitre_attack_technique": "Private Keys", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Rocke", "Scattered Spider", "TeamTNT"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}]}, "type": "Anomaly", "search": "`certificateservices_lifecycle` EventCode=1007 | xmlkv UserData_Xml | stats count min(_time) as firstTime max(_time) as lastTime by Computer, SubjectName, UserData_Xml | rename Computer as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_export_certificate_filter`", "how_to_implement": "To implement this analytic, you must collect Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational or Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational.", "known_false_positives": "False positives may be generated based on an automated process or service that exports certificates on the regular. Review is required before setting to alert. Monitor for abnormal processes performing an export.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "certificateservices_lifecycle", "definition": "(source=XmlWinEventLog:Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational OR source=XmlWinEventLog:Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational)", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_export_certificate_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows File Share Discovery With Powerview", "author": "Mauricio Velazco, Splunk", "date": "2023-03-20", "version": 1, "id": "a44c0be1-d7ab-41e4-92fd-aa9af4fe232c", "description": "The following analytic identifies the use of the Invoke-ShareFinder PowerShell commandlet part of PowerView. This module obtains the list of all active domain computers and lists the active shares on each computer. Network file shares in Active Directory environments may contain sensitive information like backups, scripts, credentials, etc. Adversaries who have obtained a foothold in an AD network may leverage PowerView to identify secrets and leverage them for Privilege Escalation or Lateral Movement.", "references": ["https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerView/powerview.ps1", "https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/", "https://attack.mitre.org/techniques/T1135/"], "tags": {"analytic_story": ["Active Directory Discovery", "Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "UserID", "type": "User", "role": ["Victim"]}], "message": "Invoke-ShareFinder commandlet was executed on $Computer$", "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1135", "mitre_attack_technique": "Network Share Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT32", "APT38", "APT39", "APT41", "Chimera", "DarkVishnya", "Dragonfly", "FIN13", "Sowbug", "Tonto Team", "Tropic Trooper", "Wizard Spider"]}]}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText=Invoke-ShareFinder*) | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_file_share_discovery_with_powerview_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.=", "known_false_positives": "Security teams may leverage PowerView proactively to identify and remediate sensitive file shares. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_file_share_discovery_with_powerview_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows File Transfer Protocol In Non-Common Process Path", "author": "Teoderick Contreras, Splunk", "date": "2022-09-16", "version": 1, "id": "0f43758f-1fe9-470a-a9e4-780acc4d5407", "description": "The following analytic identifies a possible windows application having a FTP connection in a non common installation path in windows operating system.This network protocol is being used by adversaries, threat actors and malware like AgentTesla as a Command And Control communication to transfer its collected stolen information like the desktop screenshots, browser information and system information of a targeted or compromised host.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla"], "tags": {"analytic_story": ["AgentTesla", "Snake Keylogger"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a process $Image$ is having a FTP connection to $DestinationHostname$ in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1071.003", "mitre_attack_technique": "Mail Protocols", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT28", "APT32", "Kimsuky", "SilverTerrier", "Turla"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Magic Hound", "Rocke", "TeamTNT"]}]}, "type": "Anomaly", "search": "`sysmon` EventCode=3 NOT(Image IN(\"*\\\\program files*\", \"*\\\\windows\\\\system32\\\\*\",\"*\\\\windows\\\\SysWOW64\\\\*\")) (DestinationPortName=\"ftp\" OR DestinationPort=21) | stats count min(_time) as firstTime max(_time) as lastTime by Image DestinationPort DestinationPortName DestinationHostname DestinationIp SourcePort SourcePortName Protocol SourceHostname dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_file_transfer_protocol_in_non_common_process_path_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and sysmon eventcode = 3 connection events from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "third party application may use this network protocol as part of its feature. Filter is needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_file_transfer_protocol_in_non_common_process_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows File Without Extension In Critical Folder", "author": "Teoderick Contreras, Bhavin Patel, Splunk", "date": "2023-04-14", "version": 1, "id": "0dbcac64-963c-11ec-bf04-acde48001122", "description": "This analytic is to look for suspicious file creation in the critical folder like \"System32\\Drivers\" folder without file extension. This artifacts was seen in latest hermeticwiper where it drops its driver component in Driver Directory both the compressed(without file extension) and the actual driver component (with .sys file extension). This TTP is really a good indication that a host might be compromised by this destructive malware that wipes the boot sector of the system.", "references": ["https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Driver file with out file extension drop in $file_path$ in $dest$", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*\\\\System32\\\\drivers\\\\*\", \"*\\\\syswow64\\\\drivers\\\\*\") by _time span=5m Filesystem.dest Filesystem.user Filesystem.file_name Filesystem.file_path Filesystem.process_guid Filesystem.file_create_time | `drop_dm_object_name(Filesystem)` | rex field=\"file_name\" \"\\.(?[^\\.]*$)\" | where isnull(extension) | join process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes by _time span=5m Processes.process_name Processes.dest Processes.process_guid Processes.user | `drop_dm_object_name(Processes)`] | stats count min(_time) as firstTime max(_time) as lastTime by dest process_name process_guid file_name file_path file_create_time user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_file_without_extension_in_critical_folder_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.", "known_false_positives": "Unknown at this point", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_file_without_extension_in_critical_folder_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Files and Dirs Access Rights Modification Via Icacls", "author": "Teoderick Contreras, Splunk", "date": "2023-06-06", "version": 1, "id": "c76b796c-27e1-4520-91c4-4a58695c749e", "description": "This analytic aims to identify potential adversaries who manipulate the security permissions of specific files or directories. This technique is frequently observed in the tradecraft of Advanced Persistent Threats (APTs) and coinminer scripts. By modifying the security permissions, adversaries seek to evade detection and impede access to their component files. Such actions indicate a deliberate effort to maintain control over compromised systems and hinder investigation or remediation efforts. Detecting these security permission changes can serve as a valuable indicator of an ongoing attack and enable timely response to mitigate the impact of the adversary's activities.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey"], "tags": {"analytic_story": ["Amadey"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Process name $process_name$ with access right modification argument executed by $user$ to change security permission of a specific file or directory on host $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1222.001", "mitre_attack_technique": "Windows File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN( \"icacls.exe\", \"cacls.exe\",\"xcacls.exe\") AND Processes.process IN (\"*:R*\", \"*:W*\", \"*:F*\", \"*:C*\",, \"*:N*\",\"*/P*\", \"*/E*\") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_files_and_dirs_access_rights_modification_via_icacls_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unknown. It is possible some administrative scripts use ICacls. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_files_and_dirs_access_rights_modification_via_icacls_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Find Domain Organizational Units with GetDomainOU", "author": "Gowthamaraj Rajendran, Mauricio Velazco, Splunk", "date": "2023-08-31", "version": 1, "id": "0ada2f82-b7af-40cc-b1d7-1e5985afcb4e", "description": "This analytic leverages PowerShell Script Block Logging (EventCode=4104) to detect the execution of the `Get-DomainOU` commandlet. `Get-DomainOU` is a component of PowerView, a PowerShell toolkit designed for Windows domain enumeration. Identifying the use of `Get-DomainOU` is crucial as adversaries and Red Teams might employ it to gain insights into organizational units within Active Directory, potentially aiding in lateral movement or privilege escalation strategies.", "references": ["https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainOU/", "https://attack.mitre.org/techniques/T1087/002/", "https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters/powerview"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious PowerShell Get-DomainOU was identified on endpoint $dest$ by user $user$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT41", "BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Scattered Spider", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Get-DomainOU*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_find_domain_organizational_units_with_getdomainou_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators may leverage PowerSploit tools for legitimate reasons, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_find_domain_organizational_units_with_getdomainou_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Find Interesting ACL with FindInterestingDomainAcl", "author": "Gowthamaraj Rajendran, Mauricio Velazco, Splunk", "date": "2023-08-31", "version": 1, "id": "e4a96dfd-667a-4487-b942-ccef5a1e81e8", "description": "This analytic leverages PowerShell Script Block Logging (EventCode=4104) to detect the execution of the `Find-InterestingDomainAcl` commandlet. `Find-InterestingDomainAcl` is part of PowerView, a PowerShell toolkit designed for Windows domain enumeration. Detecting the use of `Find-InterestingDomainAcl` is crucial as adversaries and Red Teams might employ it to identify unusual or misconfigured Access Control Lists (ACLs) within the domain. Such ACLs can provide attackers with insights into potential privilege escalation opportunities or weak security postures within Active Directory.", "references": ["https://powersploit.readthedocs.io/en/latest/Recon/Find-InterestingDomainAcl/", "https://attack.mitre.org/techniques/T1087/002/", "https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters/powerview"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious PowerShell Find-InterestingDomainAcl was identified on endpoint $dest$ by user $user$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT41", "BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Scattered Spider", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Find-InterestingDomainAcl*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_find_interesting_acl_with_findinterestingdomainacl_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators may leverage PowerSploit tools for legitimate reasons, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_find_interesting_acl_with_findinterestingdomainacl_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Findstr GPP Discovery", "author": "Mauricio Velazco, Splunk", "date": "2023-03-16", "version": 1, "id": "1631ac2d-f2a9-42fa-8a59-d6e210d472f5", "description": "The following analytic identifies the use of the findstr command employed to search for unsecured credentials Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts. These group policies are stored in SYSVOL on a domain controller. This means that any domain user can view the SYSVOL share and decrypt the password (using the AES key that has been made public). While Microsoft released a patch that impedes Administrators to create unsecure credentials, existing Group Policy Preferences files with passwords are not removed from SYSVOL.", "references": ["https://attack.mitre.org/techniques/T1552/006/", "https://pentestlab.blog/2017/03/20/group-policy-preferences/", "https://adsecurity.org/?p=2288", "https://www.hackingarticles.in/credential-dumping-group-policy-preferences-gpp/", "https://support.microsoft.com/en-us/topic/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevation-of-privilege-may-13-2014-60734e15-af79-26ca-ea53-8cd617073c30"], "tags": {"analytic_story": ["Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Findstr was executed to discover GPP credentials on $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1552.006", "mitre_attack_technique": "Group Policy Preferences", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=findstr.exe AND Processes.process=*sysvol* AND Processes.process=*cpassword*) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_findstr_gpp_discovery_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may leverage findstr to find passwords in GPO to validate exposure. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_findstr_gpp_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Forest Discovery with GetForestDomain", "author": "Gowthamaraj Rajendran, Mauricio Velazco, Splunk", "date": "2023-08-31", "version": 1, "id": "a14803b2-4bd9-4c08-8b57-c37980edebe8", "description": "This analytic utilizes PowerShell Script Block Logging (EventCode=4104) to detect the execution of the `Get-ForestDomain` commandlet. `Get-ForestDomain` is a component of PowerView, a PowerShell toolkit designed for Windows domain enumeration. Detecting the use of `Get-ForestDomain` is essential as adversaries and Red Teams might employ it to gain insights into the forest and domain configurations of an Active Directory environment. Such information can provide attackers with a broader understanding of the domain structure and potential avenues for lateral movement or privilege escalation.", "references": ["https://powersploit.readthedocs.io/en/latest/Recon/Get-ForestDomain/", "https://attack.mitre.org/techniques/T1087/002/", "https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters/powerview"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious PowerShell Get-ForestDomain was identified on endpoint $dest$ by user $user$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT41", "BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Scattered Spider", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Get-ForestDomain*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_forest_discovery_with_getforestdomain_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators may leverage PowerSploit tools for legitimate reasons, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_forest_discovery_with_getforestdomain_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Gather Victim Host Information Camera", "author": "Teoderick Contreras, Splunk", "date": "2023-11-07", "version": 2, "id": "e4df4676-ea41-4397-b160-3ee0140dc332", "description": "The following analytic detects a powershell script that enumerate camera mounted to the targeted host. This technique was seen in DCRat malware, where it runs a powershell command to look for camera information that will be pass on to its C2 server. This anomaly detection can be a good pivot to check who and why this enumeration is needed and what parent process execute this powershell script command.", "references": ["https://cert.gov.ua/article/405538", "https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat", "https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor"], "tags": {"analytic_story": ["DarkCrystal RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Reconnaissance"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A Powershell script to enumerate camera detected on host - $dest$", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1592.001", "mitre_attack_technique": "Hardware", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText= \"* Win32_PnPEntity *\" ScriptBlockText= \"*SELECT*\" ScriptBlockText= \"*WHERE*\" ScriptBlockText = \"*PNPClass*\" ScriptBlockText IN (\"*Image*\", \"*Camera*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_gather_victim_host_information_camera_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators may execute this powershell command to get hardware information related to camera on $dest$.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_gather_victim_host_information_camera_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Gather Victim Identity SAM Info", "author": "Teoderick Contreras, Splunk", "date": "2022-08-24", "version": 1, "id": "a18e85d7-8b98-4399-820c-d46a1ca3516f", "description": "The following analytic identifies a process that loads the samlib.dll module. This module is being abused by adversaries, threat actors and red teamers to access information of SAM objects or access credentials information in DC. This hunting query can be a good indicator that a process is capable of accessing the SAM object.", "references": ["https://redcanary.com/blog/active-breach-evading-defenses/", "https://strontic.github.io/xcyclopedia/library/samlib.dll-0BDF6351009F6EBA5BA7E886F23263B1.html"], "tags": {"analytic_story": ["Brute Ratel C4"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Reconnaissance"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "An instance of $dest$ that loads $ImageLoaded$ that are related to accessing to SAM object information.", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1589.001", "mitre_attack_technique": "Credentials", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["APT28", "APT41", "Chimera", "LAPSUS$", "Leviathan", "Magic Hound"]}, {"mitre_attack_id": "T1589", "mitre_attack_technique": "Gather Victim Identity Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["APT32", "FIN13", "HEXANE", "LAPSUS$", "Magic Hound"]}]}, "type": "Hunting", "search": "`sysmon` EventCode=7 (ImageLoaded = \"*\\\\samlib.dll\" AND OriginalFileName = \"samlib.dll\") OR (ImageLoaded = \"*\\\\samcli.dll\" AND OriginalFileName = \"SAMCLI.DLL\") AND NOT (Image IN(\"C:\\\\Windows\\\\*\", \"C:\\\\Program File*\", \"%systemroot%\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name dest EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_gather_victim_identity_sam_info_filter`", "how_to_implement": "The latest Sysmon TA 3.0 https://splunkbase.splunk.com/app/5709 will add the ImageLoaded name to the process_name field, allowing this query to work. Use as an example and implement for other products.", "known_false_positives": "this module can be loaded by a third party application. Filter is needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_gather_victim_identity_sam_info_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Gather Victim Network Info Through Ip Check Web Services", "author": "Teoderick Contreras, Splunk", "date": "2024-02-15", "version": 2, "id": "70f7c952-0758-46d6-9148-d8969c4481d1", "description": "The following analytic identifies process that attempts to connect to a known IP web services. This technique is commonly used by trickbot and other malware to perform reconnaissance against the infected machine and look for its IP address.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"analytic_story": ["Azorult", "DarkCrystal RAT", "Phemedrone Stealer", "Snake Keylogger"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Reconnaissance"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Process connecting IP location web services on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1590.005", "mitre_attack_technique": "IP Addresses", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["Andariel", "HAFNIUM", "Magic Hound"]}, {"mitre_attack_id": "T1590", "mitre_attack_technique": "Gather Victim Network Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["HAFNIUM"]}]}, "type": "Hunting", "search": "`sysmon` EventCode=22 QueryName IN (\"*wtfismyip.com\", \"*checkip.*\", \"*ipecho.net\", \"*ipinfo.io\", \"*api.ipify.org\", \"*icanhazip.com\", \"*ip.anysrc.com\",\"*api.ip.sb\", \"ident.me\", \"www.myexternalip.com\", \"*zen.spamhaus.org\", \"*cbl.abuseat.org\", \"*b.barracudacentral.org\", \"*dnsbl-1.uceprotect.net\", \"*spam.dnsbl.sorbs.net\", \"*iplogger.org*\", \"*ip-api.com*\", \"*geoip.*\") | stats min(_time) as firstTime max(_time) as lastTime count by Image ProcessId QueryName QueryStatus QueryResults EventCode Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_gather_victim_network_info_through_ip_check_web_services_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, dns query name process path , and query ststus from your endpoints like EventCode 22. If you are using Sysmon, you must have at least version 12 of the Sysmon TA.", "known_false_positives": "Filter internet browser application to minimize the false positive of this detection.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_gather_victim_network_info_through_ip_check_web_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Get-AdComputer Unconstrained Delegation Discovery", "author": "Mauricio Velazco, Splunk", "date": "2024-04-26", "version": 2, "id": "c8640777-469f-4638-ab44-c34a3233ffac", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the Get-ADComputer commandlet used with specific parameters to discover Windows endpoints with Kerberos Unconstrained Delegation. Red Teams and adversaries alike may leverage use this technique for situational awareness and Active Directory Discovery.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://adsecurity.org/?p=1667", "https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unconstrained-kerberos", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-unrestricted-kerberos-delegation", "https://www.cyberark.com/resources/threat-research-blog/weakness-within-kerberos-delegation"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious PowerShell Get-ADComputer was identified on endpoint $dest$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Akira", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Scattered Spider", "Silence", "Threat Group-3390", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": " `powershell` EventCode=4104 (ScriptBlockText = \"*Get-ADComputer*\" AND ScriptBlockText = \"*TrustedForDelegation*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_get_adcomputer_unconstrained_delegation_discovery_filter`", "how_to_implement": "The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may leverage PowerView for system management or troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_get_adcomputer_unconstrained_delegation_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Get Local Admin with FindLocalAdminAccess", "author": "Gowthamaraj Rajendran, Mauricio Velazco, Splunk", "date": "2023-08-31", "version": 1, "id": "d2988160-3ce9-4310-b59d-905334920cdd", "description": "This analytic leverages PowerShell Script Block Logging (EventCode=4104) to detect the execution of the `Find-LocalAdminAccess` commandlet. `Find-LocalAdminAccess` is part of PowerView, a PowerShell toolkit designed for Windows domain enumeration. Detecting the use of `Find-LocalAdminAccess` is vital as adversaries and Red Teams might employ it to identify machines where the current user context has local administrator access. Such information can provide attackers with potential targets for lateral movement or privilege escalation within the network.", "references": ["https://powersploit.readthedocs.io/en/latest/Recon/Find-LocalAdminAccess/", "https://attack.mitre.org/techniques/T1087/002/", "https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters/powerview"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious PowerShell Find-LocalAdminAccess was identified on endpoint $dest$ by user $user$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT41", "BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Scattered Spider", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Find-LocalAdminAccess*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_get_local_admin_with_findlocaladminaccess_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators may leverage PowerSploit tools for legitimate reasons, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_get_local_admin_with_findlocaladminaccess_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Group Policy Object Created", "author": "Mauricio Velazco", "date": "2023-03-27", "version": 1, "id": "23add2a8-ea22-4fd4-8bc0-8c0b822373a1", "description": "The following analytic leverages Event IDs 5136 and 51137 to identify the creation of a new Group Policy Object. With GPOs, system administrators can manage and configure applications, software operations, and user settings throughout an entire organization. GPOs can be abused and leveraged by adversaries to escalate privileges or deploy malware across an Active Directory network. As an example, the Lockbit ransomware malware will create new group policies on the domain controller that are then pushed out to every device on the network. Security teams should monitor the creation of new Group Policy Objects.", "references": ["https://attack.mitre.org/techniques/T1484/", "https://attack.mitre.org/techniques/T1484/001", "https://www.trustedsec.com/blog/weaponizing-group-policy-objects-access/", "https://adsecurity.org/?p=2716", "https://www.bleepingcomputer.com/news/security/lockbit-ransomware-now-encrypts-windows-domains-using-group-policies/", "https://www.varonis.com/blog/group-policy-objects"], "tags": {"analytic_story": ["Active Directory Privilege Escalation", "Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "User", "type": "User", "role": ["Victim"]}], "message": "A new group policy objected was created by $User$", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1484", "mitre_attack_technique": "Domain or Tenant Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1484.001", "mitre_attack_technique": "Group Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Cinnamon Tempest", "Indrik Spider"]}, {"mitre_attack_id": "T1078.002", "mitre_attack_technique": "Domain Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT5", "Chimera", "Cinnamon Tempest", "Indrik Spider", "Magic Hound", "Naikon", "Sandworm Team", "TA505", "Threat Group-1314", "ToddyCat", "Volt Typhoon", "Wizard Spider"]}]}, "type": "TTP", "search": " `wineventlog_security` EventCode=5137 OR (EventCode=5136 AttributeValue!=\"New Group Policy Object\" AND (AttributeLDAPDisplayName=displayName OR AttributeLDAPDisplayName=gPCFileSysPath) ) ObjectClass=groupPolicyContainer | stats values(AttributeValue) as details values(SubjectUserSid) as User values(ObjectDN) as ObjectDN by ObjectGUID Computer | eval GPO_Name = mvindex(details, 0) | eval GPO_Path = mvindex(details, 1) | fields - details | `windows_group_policy_object_created_filter`", "how_to_implement": "To successfully implement this search, the Advanced Security Audit policy setting `Audit Directory Service Changes` within `DS Access` needs to be enabled. Furthermore, the appropriate system access control lists (SACL) need to be created as the used events are not logged by default. A good guide to accomplish this can be found here https://jgspiers.com/audit-group-policy-changes/.", "known_false_positives": "Group Policy Objects are created as part of regular administrative operations, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_group_policy_object_created_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Hidden Schedule Task Settings", "author": "Teoderick Contreras, Splunk", "date": "2023-04-14", "version": 1, "id": "0b730470-5fe8-4b13-93a7-fe0ad014d0cc", "description": "The following analytic detects creation of hidden scheculed tasks such that it this task is not visible on the UI. Such behavior is indicative of certain malware, such as Industroyer2, or attacks leveraging living-off-the-land binaries (LOLBINs) to download additional payloads to a compromised machine. This analytic relies on the Windows Security EventCode 4698, indicating the creation of a scheduled task. The search focuses on identifying instances where the 'Hidden' setting is enabled, signaling potential nefarious activity. To implement this search, you need to ingest logs with task scheduling details from your endpoints. As false positives are currently unknown, it is advised to tune and filter based on the known use of task scheduling in your environment. This analytic provides crucial visibility into stealthy, potentially harmful scheduled tasks on Windows systems.", "references": ["https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", "https://cert.gov.ua/article/39518"], "tags": {"analytic_story": ["Active Directory Discovery", "CISA AA22-257A", "Data Destruction", "Industroyer2", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A schedule task with hidden setting enable in host $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "type": "TTP", "search": "`wineventlog_security` EventCode=4698 | xmlkv Message | search Hidden = true | stats count min(_time) as firstTime max(_time) as lastTime by Task_Name, Command, Author, Hidden, dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_hidden_schedule_task_settings_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the task schedule (Exa. Security Log EventCode 4698) endpoints. Tune and filter known instances of Task schedule used in your environment.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_hidden_schedule_task_settings_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Hide Notification Features Through Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2023-04-27", "version": 3, "id": "cafa4bce-9f06-11ec-a7b2-acde48001122", "description": "This analytic is to detect a suspicious registry modification to hide common windows notification feature from compromised host. This technique was seen in some ransomware family to add more impact to its payload that are visually seen by user aside from the encrypted files and ransomware notes. Even this a good anomaly detection, administrator may implement this changes for auditing or security reason. In this scenario filter is needed.", "references": ["https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/Ransom.Win32.ONALOCKER.A/"], "tags": {"analytic_story": ["Ransomware", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Registry modification to hide windows notification on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\*\" Registry.registry_value_name IN (\"HideClock\", \"HideSCAHealth\", \"HideSCANetwork\", \"HideSCAPower\", \"HideSCAVolume\") Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_hide_notification_features_through_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_hide_notification_features_through_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows High File Deletion Frequency", "author": "Teoderick Contreras, Splunk, Steven Dick", "date": "2024-03-05", "version": 2, "id": "45b125c4-866f-11eb-a95a-acde48001122", "description": "This search identifies a high frequency of file deletions relative to the process name and process ID. Such events typically occur when ransomware attempts to encrypt files with specific extensions, leading Sysmon to treat the original files as deleted as soon as they are replaced with encrypted data.", "references": ["https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft", "https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"analytic_story": ["Clop Ransomware", "DarkCrystal RAT", "Data Destruction", "Sandworm Tools", "Swift Slicer", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "deleted_files", "type": "File Name", "role": ["Attacker"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "Elevated file deletion rate observed from process [$process_name$] on machine $dest$", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}]}, "type": "Anomaly", "search": "`sysmon` EventCode IN (\"23\",\"26\") TargetFilename IN (\"*.cmd\", \"*.ini\",\"*.gif\", \"*.jpg\", \"*.jpeg\", \"*.db\", \"*.ps1\", \"*.doc\", \"*.docx\", \"*.xls\", \"*.xlsx\", \"*.ppt\", \"*.pptx\", \"*.bmp\",\"*.zip\", \"*.rar\", \"*.7z\", \"*.chm\", \"*.png\", \"*.log\", \"*.vbs\", \"*.js\", \"*.vhd\", \"*.bak\", \"*.wbcat\", \"*.bkf\" , \"*.backup*\", \"*.dsk\", \"*.win\") NOT TargetFilename IN (\"*\\\\INetCache\\\\Content.Outlook\\\\*\") | stats count, values(TargetFilename) as deleted_files, min(_time) as firstTime, max(_time) as lastTime by user, dest, signature, signature_id, Image, process_name, process_guid | rename Image as process | where count >=100 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_high_file_deletion_frequency_filter`", "how_to_implement": "To successfully implement this search, you need to ingest logs that include the deleted target file name, process name, and process ID from your endpoints. If you are using Sysmon, ensure you have at least version 2.0 of the Sysmon TA installed.", "known_false_positives": "Users may delete a large number of pictures or files in a folder, which could trigger this detection. Additionally, heavy usage of PowerBI and Outlook may also result in false positives.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_high_file_deletion_frequency_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Hijack Execution Flow Version Dll Side Load", "author": "Teoderick Contreras, Splunk", "date": "2022-08-24", "version": 1, "id": "8351340b-ac0e-41ec-8b07-dd01bf32d6ea", "description": "This analytic is to detect a process loading version.dll that is not in %windir%\\\\system32 or %windir%\\\\syswow64 dir path. This event is seen in ransomware and APT malware that executes malicious version.dll placed in the same folder of onedrive application that will execute that module. This technique is known to be DLL side loading. This technique was used to execute an agent of Brute Ratel C4 red teaming tools to serve as remote admin tool to collect and compromise target host.", "references": ["https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/"], "tags": {"analytic_story": ["Brute Ratel C4"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "a process $Image$ loading $ImageLoaded$ as a side load dll in $dest$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1574.001", "mitre_attack_technique": "DLL Search Order Hijacking", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT41", "Aquatic Panda", "BackdoorDiplomacy", "Cinnamon Tempest", "Evilnum", "RTM", "Threat Group-3390", "Tonto Team", "Whitefly", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "`sysmon` EventCode=7 ImageLoaded = \"*\\\\version.dll\" AND (Signed = \"false\" OR NOT(ImageLoaded IN(\"*\\\\windows\\\\system32*\", \"*\\\\windows\\\\syswow64\\\\*\"))) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name dest EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_hijack_execution_flow_version_dll_side_load_filter`", "how_to_implement": "The latest Sysmon TA 3.0 https://splunkbase.splunk.com/app/5709 will add the ImageLoaded name to the process_name field, allowing this query to work. Use as an example and implement for other products.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_hijack_execution_flow_version_dll_side_load_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Hunting System Account Targeting Lsass", "author": "Michael Haag, Splunk", "date": "2023-12-27", "version": 1, "id": "1c6abb08-73d1-11ec-9ca0-acde48001122", "description": "The following hunting analytic identifies all processes requesting access into Lsass.exe. his behavior may be related to credential dumping or applications requiring access to credentials. Triaging this event will require understanding the GrantedAccess from the SourceImage. In addition, whether the account is privileged or not. Review the process requesting permissions and review parallel processes.", "references": ["https://en.wikipedia.org/wiki/Local_Security_Authority_Subsystem_Service", "https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump", "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1", "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights?redirectedfrom=MSDN"], "tags": {"analytic_story": ["CISA AA23-347A", "Credential Dumping"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "SourceImage", "type": "Process", "role": ["Child Process"]}], "message": "A process, $SourceImage$, has requested access to LSASS on $dest$. Review for further details.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "type": "Hunting", "search": "`sysmon` EventCode=10 TargetImage=*lsass.exe | stats count min(_time) as firstTime max(_time) as lastTime by dest, TargetImage, GrantedAccess, SourceImage, SourceProcessId, SourceUser, TargetUser | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_hunting_system_account_targeting_lsass_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Enabling EventCode 10 TargetProcess lsass.exe is required.", "known_false_positives": "False positives will occur based on GrantedAccess and SourceUser, filter based on source image as needed. Utilize this hunting analytic to tune out false positives in TTP or anomaly analytics.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_hunting_system_account_targeting_lsass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Identify Protocol Handlers", "author": "Michael Haag, Splunk", "date": "2022-09-13", "version": 2, "id": "bd5c311e-a6ea-48ae-a289-19a3398e3648", "description": "The following hunting analytic will identify any protocol handlers utilized on the command-line. A protocol handler is an application that knows how to handle particular types of links: for example, a mail client is a protocol handler for \"mailto:\" links. When the user clicks a \"mailto:\" link, the browser opens the application selected as the handler for the \"mailto:\" protocol (or offers them a choice of handlers, depending on their settings). To identify protocol handlers we can use NirSoft https://www.nirsoft.net/utils/url_protocol_view.html URLProtocolView or query the registry using PowerShell.", "references": ["https://gist.github.com/MHaggis/a0d3edb57d36e0916c94c0a464b2722e", "https://www.oreilly.com/library/view/learning-java/1565927184/apas02.html", "https://blogs.windows.com/msedgedev/2022/01/20/getting-started-url-protocol-handlers-microsoft-edge/", "https://github.com/Mr-Un1k0d3r/PoisonHandler", "https://www.mdsec.co.uk/2021/03/phishing-users-to-take-a-test/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md#atomic-test-5---protocolhandlerexe-downloaded-a-suspicious-file", "https://techcommunity.microsoft.com/t5/windows-it-pro-blog/disabling-the-msix-ms-appinstaller-protocol-handler/ba-p/3119479", "https://www.huntress.com/blog/microsoft-office-remote-code-execution-follina-msdt-bug", "https://parsiya.net/blog/2021-03-17-attack-surface-analysis-part-2-custom-protocol-handlers/"], "tags": {"analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ utilizing a protocol handler.", "risk_score": 6, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as process values(Processes.parent_process) as parent_process from datamodel=Endpoint.Processes by Processes.dest Processes.parent_process_name Processes.user Processes.process_name Processes.process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | lookup windows_protocol_handlers handler AS process OUTPUT handler ishandler | where ishandler=\"TRUE\" | `windows_identify_protocol_handlers_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will be found. https and http is a URL Protocol handler that will trigger this analytic. Tune based on process or command-line.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_identify_protocol_handlers_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "windows_protocol_handlers", "description": "A list of Windows Protocol Handlers", "filename": "windows_protocol_handlers.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(handler)", "min_matches": 1, "fields_list": null}]}, {"name": "Windows IIS Components Add New Module", "author": "Michael Haag, Splunk", "date": "2022-12-19", "version": 1, "id": "38fe731c-1f13-43d4-b878-a5bbe44807e3", "description": "The following analytic identifies the process AppCmd.exe installing a new module into IIS. AppCmd is a utility to manage IIS web sites and App Pools. An adversary may run this command to install a webshell or backdoor. This has been found to be used for credit card scraping, persistence, and further post-exploitation. An administrator may run this to install new modules for a web site or during IIS updates.", "references": ["https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", "https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework-1.pdf", "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", "https://www.secureworks.com/research/bronze-union", "https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1505.004", "https://strontic.github.io/xcyclopedia/library/appcmd.exe-055B2B09409F980BF9B5A3969D01E5B2.html"], "tags": {"analytic_story": ["IIS Components"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to install a new IIS module.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.004", "mitre_attack_technique": "IIS Components", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where NOT (Processes.parent_process_name IN (\"msiexec.exe\", \"iissetup.exe\")) Processes.process_name=appcmd.exe Processes.process IN (\"*install *\", \"*module *\") AND Processes.process=\"*image*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_iis_components_add_new_module_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present until properly tuned. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_iis_components_add_new_module_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows IIS Components Get-WebGlobalModule Module Query", "author": "Michael Haag, Splunk", "date": "2024-05-03", "version": 2, "id": "20db5f70-34b4-4e83-8926-fa26119de173", "description": "The following analytic identifies the execution of the PowerShell cmdlet Get-WebGlobalModule, which lists all IIS Modules installed on a system. It leverages PowerShell input data to detect this activity by capturing the module names and the image paths of the DLLs. This activity is significant for a SOC because it can indicate an attempt to enumerate installed IIS modules, which could be a precursor to exploiting vulnerabilities or misconfigurations. If confirmed malicious, this could allow an attacker to gain insights into the web server's configuration, potentially leading to further exploitation or privilege escalation.", "references": ["https://docs.splunk.com/Documentation/Splunk/9.0.2/Data/MonitorWindowsdatawithPowerShellscripts", "https://gist.github.com/MHaggis/64396dfd9fc3734e1d1901a8f2f07040", "https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1505.004"], "tags": {"analytic_story": ["IIS Components", "WS FTP Server Critical Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "IIS Modules have been listed on $dest$.", "risk_score": 1, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1505.004", "mitre_attack_technique": "IIS Components", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}]}, "type": "Hunting", "search": "`iis_get_webglobalmodule` | stats count min(_time) as firstTime max(_time) as lastTime by host name image | rename host as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_iis_components_get_webglobalmodule_module_query_filter`", "how_to_implement": "You must ingest the PwSh cmdlet Get-WebGlobalModule in order to utilize this analytic. Follow https://gist.github.com/MHaggis/64396dfd9fc3734e1d1901a8f2f07040", "known_false_positives": "This analytic is meant to assist with hunting modules across a fleet of IIS servers. Filter and modify as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "iis_get_webglobalmodule", "definition": "sourcetype=\"Pwsh:InstalledIISModules\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_iis_components_get_webglobalmodule_module_query_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows IIS Components Module Failed to Load", "author": "Michael Haag, Splunk", "date": "2022-12-20", "version": 1, "id": "40c2ba5b-dd6a-496b-9e6e-c9524d0be167", "description": "The following analytic utilizes EventCode 2282 which generates when a Module DLL could not be loaded due to a configuration problem. This typically occurs when a IIS module is installed but is failing to load. This typically results in thousands of events until the issue is resolved. Review the module that is failing and determine if it is legitimate or not.", "references": ["https://social.technet.microsoft.com/wiki/contents/articles/21757.event-id-2282-iis-worker-process-availability.aspx", "https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", "https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework-1.pdf", "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", "https://www.secureworks.com/research/bronze-union", "https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1505.004", "https://strontic.github.io/xcyclopedia/library/appcmd.exe-055B2B09409F980BF9B5A3969D01E5B2.html"], "tags": {"analytic_story": ["IIS Components"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A new IIS Module has been loaded and should be reviewed on $dest$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.004", "mitre_attack_technique": "IIS Components", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "`wineventlog_application` EventCode=2282 | stats count min(_time) as firstTime max(_time) as lastTime by EventCode dest Name ModuleDll | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_iis_components_module_failed_to_load_filter`", "how_to_implement": "IIS must be installed and Application event logs must be collected in order to utilize this analytic.", "known_false_positives": "False positives will be present until all module failures are resolved or reviewed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_application", "definition": "eventtype=wineventlog_application OR source=\"XmlWinEventLog:Application\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_iis_components_module_failed_to_load_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows IIS Components New Module Added", "author": "Michael Haag, Splunk", "date": "2022-12-19", "version": 1, "id": "55f22929-cfd3-4388-ba5c-4d01fac7ee7e", "description": "The following analytic uses the Windows Event log - Microsoft-IIS-Configuration/Operational - which must be enabled and logged on Windows IIS servers before it can be Splunked. The following analytic identifies newly installed IIS modules. Per Microsoft, IIS modules are not commonly added to a production IIS server, so alerting on this event ID should be enabled.IIS modules can be installed at a global level or at a site level. In detecting malicious IIS modules, it is important to check both the global and site level for unauthorized modules. Regular monitoring of these locations for such modules and comparing against a known good list can help detect and identify malicious IIS modules.", "references": ["https://gist.github.com/MHaggis/64396dfd9fc3734e1d1901a8f2f07040", "https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", "https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework-1.pdf", "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", "https://www.secureworks.com/research/bronze-union", "https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1505.004", "https://strontic.github.io/xcyclopedia/library/appcmd.exe-055B2B09409F980BF9B5A3969D01E5B2.html"], "tags": {"analytic_story": ["IIS Components"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A new IIS Module has been loaded and should be reviewed on $dest$.", "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.004", "mitre_attack_technique": "IIS Components", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "`iis_operational_logs` EventCode=29 | stats count min(_time) as firstTime max(_time) as lastTime by OpCode EventCode ComputerName Message | rename ComputerName AS dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_iis_components_new_module_added_filter`", "how_to_implement": "You must enabled the IIS Configuration Operational log before ingesting in Splunk. Setup and inputs may be found here https://gist.github.com/MHaggis/64396dfd9fc3734e1d1901a8f2f07040.", "known_false_positives": "False positives may be present when updates or an administrator adds a new module to IIS. Monitor and filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "iis_operational_logs", "definition": "sourcetype=\"IIS:Configuration:Operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_iis_components_new_module_added_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Add Xml Applocker Rules", "author": "Teoderick Contreras, Splunk", "date": "2022-06-24", "version": 1, "id": "467ed9d9-8035-470e-ad5e-ae5189283033", "description": "The following analytic is to identify a process that imports applocker xml policy using PowerShell commandlet. This technique was seen in Azorult malware where it drop an xml Applocker policy that will deny several AV products and further executed the PowerShell Applocker commandlet.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Applocker importing xml policy command was executed in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` AND Processes.process=\"*Import-Module Applocker*\" AND Processes.process=\"*Set-AppLockerPolicy *\" AND Processes.process=\"* -XMLPolicy *\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_add_xml_applocker_rules_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may execute this command that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_add_xml_applocker_rules_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Change Win Defender Health Check Intervals", "author": "Teoderick Contreras, Splunk", "date": "2024-01-08", "version": 1, "id": "5211c260-820e-4366-b983-84bbfb5c263a", "description": "The following analytic identifies a modification in the Windows registry to change the health check interval of Windows Defender. Specifically, a value of 1 typically signifies that Windows Defender would perform health checks at a much higher frequency than the default settings. However, it's important to note that modifying this value to 1 might not necessarily conform to the actual behavior, as certain registry settings may have specific accepted values or a defined range that differs from a simple binary representation. Changing registry values, especially those related to system services, should be approached cautiously. Incorrect modifications can potentially impact system stability or performance. Always ensure you understand the implications and have a backup before altering registry settings.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "change in the health check interval of Windows Defender on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\ServiceKeepAlive\" Registry.registry_value_data=\"0x00000001\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_change_win_defender_health_check_intervals_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_change_win_defender_health_check_intervals_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Change Win Defender Quick Scan Interval", "author": "Teoderick Contreras, Splunk", "date": "2024-01-08", "version": 1, "id": "783f0798-f679-4c17-b3b3-187febf0b9b8", "description": "The following analytic identifies a modification in the Windows registry to change Windows Defender Quick Scan Interval. The \"QuickScanInterval\" in Windows Defender, specifically within the context of antivirus software, typically refers to the interval or frequency at which the system conducts quick scans for malware or potential threats. This setting dictates how often Windows Defender performs quick scans on the system. Quick scans are less comprehensive than full system scans but provide a faster way to check critical areas for potential threats or malware. This registry setting is being abuse by several threat actors, adversaries and red teamers to bypasses Windows defender detections.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender QuickScanInterval feature was modified on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\Scan\\\\QuickScanInterval\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_change_win_defender_quick_scan_interval_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_change_win_defender_quick_scan_interval_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Change Win Defender Throttle Rate", "author": "Teoderick Contreras, Splunk", "date": "2024-01-08", "version": 1, "id": "f7da5fca-9261-43de-a4d0-130dad1e4f4d", "description": "The following analytic identifies a modification in the Windows registry to change the ThrottleDetectionEventsRate of Windows Defender. The ThrottleDetectionEventsRate registry setting in Windows Defender is related to controlling the rate at which detection events are logged or reported by Windows Defender Antivirus. This registry setting determines how frequently Windows Defender logs or reports detection events. Adjusting the ThrottleDetectionEventsRate value can impact the logging frequency of detection events such as malware detections, scanning results, or security-related events recorded by Windows Defender. A higher value might mean that detection events are reported less frequently, potentially reducing the volume of recorded events, while a lower value could increase the reporting frequency, resulting in more frequent logs of detection events.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender ThrottleDetectionEventsRate feature was modified on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\NIS\\\\Consumers\\\\IPS\\\\ThrottleDetectionEventsRate\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_change_win_defender_throttle_rate_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_change_win_defender_throttle_rate_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Change Win Defender Tracing Level", "author": "Teoderick Contreras, Splunk", "date": "2024-01-08", "version": 1, "id": "fe9391cd-952a-4c64-8f56-727cb0d4f2d4", "description": "The following analytic identifies a modification in the Windows registry to change the Windows Defender Wpp Tracing levels. The \"WppTracingLevel\" registry setting is typically related to Windows software tracing and diagnostics, specifically involving Windows Software Trace Preprocessor (WPP) tracing. WPP tracing is a mechanism used by developers to instrument code for diagnostic purposes, allowing for the collection of detailed logs and traces during software execution. It helps in understanding the behavior of the software, identifying issues, and analyzing its performance. Without specific documentation or references to \"WppTracingLevel\" within Windows Defender settings or its functionalities, it's challenging to provide precise details about its intended use or configuration within Windows Defender. Modifying registry settings without understanding their implications can affect system behavior or security. Always proceed cautiously and ensure changes align with best practices and organizational requirements.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender WppTracingLevel registry was modified on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\Reporting\\\\WppTracingLevel\" Registry.registry_value_data=\"0x00000001\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_change_win_defender_tracing_level_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_change_win_defender_tracing_level_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Configure App Install Control", "author": "Teoderick Contreras, Splunk", "date": "2024-01-08", "version": 1, "id": "c54b7439-cfb1-44c3-bb35-b0409553077c", "description": "The following analytic identifies a modification in the Windows registry to change or disable Windows Defender smartscreen app install control. Microsoft Edge's App Install Control feature helps manage the installation of web-based applications. When attackers modify \"ConfigureAppInstallControlEnabled\" to 0, they are likely attempting to disable the App Install Control feature in Microsoft Edge. This change might allow users to bypass restrictions imposed by the browser on the installation of web-based applications. Disabling this feature might increase the risk of users being able to install potentially malicious or untrusted web applications without restrictions or controls imposed by the browser. This action could potentially lead to security vulnerabilities or compromise if users inadvertently install harmful applications.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Define Windows Defender App Install Control registry set to disable on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\Microsoft\\\\Windows Defender\\\\SmartScreen\\\\ConfigureAppInstallControl\" Registry.registry_value_data= \"Anywhere\") OR (Registry.registry_path= \"*\\\\Microsoft\\\\Windows Defender\\\\SmartScreen\\\\ConfigureAppInstallControlEnabled\" Registry.registry_value_data= \"0x00000000\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_configure_app_install_control_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_configure_app_install_control_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Define Win Defender Threat Action", "author": "Teoderick Contreras, Splunk", "date": "2024-01-08", "version": 1, "id": "7215831c-8252-4ae3-8d43-db588e82f952", "description": "The following analytic identifies a modification in the Windows registry to define the threat action of Windows Defender. The ThreatSeverityDefaultAction registry setting in Windows Defender is used to define the default action taken by Windows Defender when it encounters threats of specific severity levels. A setting like ThreatSeverityDefaultAction is designed to define how Windows Defender responds to threats based on their severity. For example, it might determine whether Windows Defender quarantines, removes, or takes other actions against threats based on their severity levels. In this context, a registry value of 1 typically indicates an action to \"clean,\" aiming to disinfect or resolve the detected threat, while a registry value of 9 signifies \"no action,\" meaning that the antivirus software refrains from taking immediate steps against the identified threat.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Define Windows Defender threat action through registry on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\Threats\\\\ThreatSeverityDefaultAction*\" Registry.registry_value_data IN (\"0x00000001\", \"9\") by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_define_win_defender_threat_action_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_define_win_defender_threat_action_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Delete Win Defender Context Menu", "author": "Teoderick Contreras, Splunk", "date": "2022-06-07", "version": 1, "id": "395ed5fe-ad13-4366-9405-a228427bdd91", "description": "The search looks for the deletion of Windows Defender context menu within the registry. This is consistent behavior with RAT malware across a fleet of endpoints. This particular behavior is executed when an adversary gains access to an endpoint and begins to perform execution. Usually, a batch (.bat) will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications.", "references": ["https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/", "https://app.any.run/tasks/45f5d114-91ea-486c-ab01-41c4093d2861/"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender context menu registry key deleted on $dest$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = \"*\\\\shellex\\\\ContextMenuHandlers\\\\EPP\" Registry.action = deleted by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.dest Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_delete_win_defender_context_menu_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_delete_win_defender_context_menu_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Delete Win Defender Profile Registry", "author": "Teoderick Contreras, Splunk", "date": "2022-06-07", "version": 1, "id": "65d4b105-ec52-48ec-ac46-289d0fbf7d96", "description": "The search looks for the deletion of Windows Defender main profile within the registry. This was used by RAT malware across a fleet of endpoints. This particular behavior is typically executed when an adversary gains access to an endpoint and beings to perform execution. Usually, a batch (.bat) will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications.", "references": ["https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/", "https://app.any.run/tasks/45f5d114-91ea-486c-ab01-41c4093d2861/"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender Logger registry key set to 'disabled' on $dest$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = \"*\\\\Policies\\\\Microsoft\\\\Windows Defender\" Registry.action = deleted by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_delete_win_defender_profile_registry_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_delete_win_defender_profile_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Deny Security Software With Applocker", "author": "Teoderick Contreras, Splunk", "date": "2022-06-24", "version": 1, "id": "e0b6ca60-9e29-4450-b51a-bba0abae2313", "description": "The following analytic identifies a modification in the Windows registry by the Applocker utility that contains details or registry data values related to denying the execution of several security products. This technique was seen in Azorult malware where it drops an xml Applocker policy that will deny several AV products and then loaded by using PowerShell Applocker commandlet.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/", "https://www.microsoftpressstore.com/articles/article.aspx?p=2228450&seqNum=11"], "tags": {"analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Applocker registry modification to deny the action of several AV products on $dest$.", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Group Policy Objects\\\\*\" AND Registry.registry_path= \"*}Machine\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\SrpV2*\") OR Registry.registry_path=\"*\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\SrpV2*\" AND Registry.registry_value_data = \"*Action\\=\\\"Deny\\\"*\" AND Registry.registry_value_data IN(\"*O=SYMANTEC*\",\"*O=MCAFEE*\",\"*O=KASPERSKY*\",\"*O=BLEEPING COMPUTER*\", \"*O=PANDA SECURITY*\",\"*O=SYSTWEAK SOFTWARE*\", \"*O=TREND MICRO*\", \"*O=AVAST*\", \"*O=GRIDINSOFT*\", \"*O=MICROSOFT*\", \"*O=NANO SECURITY*\", \"*O=SUPERANTISPYWARE.COM*\", \"*O=DOCTOR WEB*\", \"*O=MALWAREBYTES*\", \"*O=ESET*\", \"*O=AVIRA*\", \"*O=WEBROOT*\") by Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.registry_key_name Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_deny_security_software_with_applocker_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "False positives may be present based on organization use of Applocker. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_deny_security_software_with_applocker_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Disable Controlled Folder Access", "author": "Teoderick Contreras, Splunk", "date": "2024-01-08", "version": 1, "id": "3032741c-d6fc-4c69-8988-be8043d6478c", "description": "The following analytic identifies a modification in the Windows registry to disable Windows Defender Controlled Folder Access feature. The EnableControlledFolderAccess registry setting is associated with the Controlled Folder Access feature in Windows Defender. Controlled Folder Access is a security feature designed to protect certain folders from unauthorized access or modification by malicious applications, including ransomware. When EnableControlledFolderAccess is set to 0, it usually indicates that the Controlled Folder Access feature within Windows Defender is not active. Consequently, the protection mechanism for the specified folders against unauthorized access by potentially malicious applications or ransomware is not enabled.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender ControlledFolderAccess feature set to disable on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\EnableControlledFolderAccess\" Registry.registry_value_data=\"0x00000000\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_controlled_folder_access_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_disable_controlled_folder_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Disable Defender Firewall And Network", "author": "Teoderick Contreras, Splunk", "date": "2024-01-08", "version": 1, "id": "8467d8cd-b0f9-46fa-ac84-a30ad138983e", "description": "The following analytic identifies a modification in the Windows registry to disable firewall and network protection section settings of windows security. The specific impact of this change depends on the context and the purpose behind modifying this registry value. In general, setting UILockdown to 1 might imply enforcing a restriction or lockdown in the user interface (UI) related to firewall and network protection settings within Windows Defender Security Center. This could potentially restrict users from modifying certain firewall or network protection settings through the UI.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender firewall and network protection section feature set to disable on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender Security Center\\\\Firewall and network protection\\\\UILockdown\" Registry.registry_value_data=\"0x00000001\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_defender_firewall_and_network_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_disable_defender_firewall_and_network_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Disable Defender Protocol Recognition", "author": "Teoderick Contreras, Splunk", "date": "2024-01-08", "version": 1, "id": "b2215bfb-6171-4137-af17-1a02fdd8d043", "description": "The following analytic identifies a modification in the Windows registry to disable Windows Defender protocol recognition feature. The DisableProtocolRecognition setting in Windows Defender is not a commonly known or documented registry setting. It's possible that this specific setting might not exist within the standard Windows Defender configurations or that it might be specific to certain environments, versions, or configurations. It might potentially control or influence the antivirus software's ability to recognize and handle specific protocols or communication methods used by malware or suspicious software.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender Protocol Recognition set to disable on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\NIS\\\\DisableProtocolRecognition\" Registry.registry_value_data=\"0x00000001\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_defender_protocol_recognition_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_disable_defender_protocol_recognition_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Disable PUA Protection", "author": "Teoderick Contreras, Splunk", "date": "2024-01-08", "version": 1, "id": "fbfef407-cfee-4866-88c1-f8de1c16147c", "description": "The following analytic identifies a modification in the Windows registry to disable Windows Defender PUA protection. Setting PUAProtection to 0 typically disables the detection and protection against Potentially Unwanted Applications by Microsoft Defender Antivirus. Potentially Unwanted Applications include software that may not be inherently malicious but could exhibit behaviors that users may find undesirable, such as adware, browser toolbars, or software bundlers. Disabling this feature might be preferred in certain situations, but it's essential to consider potential security implications. Enabling PUA protection provides an additional layer of defense against software that might negatively impact user experience or security.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender PUA protection set to disable on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\PUAProtection\" Registry.registry_value_data=\"0x00000000\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_pua_protection_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_disable_pua_protection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Disable Realtime Signature Delivery", "author": "Teoderick Contreras, Splunk", "date": "2024-01-08", "version": 1, "id": "ffd99aea-542f-448e-b737-091c1b417274", "description": "The following analytic identifies a modification in the Windows registry to disable windows defender realtime signature delivery feature. This setting governs how Windows Defender Antivirus receives updated signature definitions for identifying and combating malware threats in real-time. The actual impact and behaviors associated with different values for RealtimeSignatureDelivery can vary based on specific Windows Defender configurations and policies. For instance, setting this value to 0 or 1 might control whether real-time signatures are delivered via different methods such as through Windows Update or directly from Microsoft's cloud-based services.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender File realtime signature delivery set to disable on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\Signature Updates\\\\RealtimeSignatureDelivery\" Registry.registry_value_data=\"0x00000000\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_realtime_signature_delivery_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint", "Updates"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_disable_realtime_signature_delivery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Disable Web Evaluation", "author": "Teoderick Contreras, Splunk", "date": "2024-01-08", "version": 1, "id": "e234970c-dcf5-4f80-b6a9-3a562544ca5b", "description": "The following analytic identifies a modification in the Windows registry to disable Windows Defender web content evaluation. The \"EnableWebContentEvaluation\" registry entry typically relates to security settings within Microsoft Edge or Internet Explorer, enabling the evaluation of web content for security purposes. When attackers modify \"EnableWebContentEvaluation\" to 0, they might attempt to disable the browser's capability to evaluate web content for security purposes. Disabling this feature could potentially impact the browser's ability to assess the security risks associated with web content, such as potentially malicious scripts, active content, or unsafe web elements. By turning off content evaluation, attackers might aim to exploit security vulnerabilities present in web content without triggering security warnings or blocks. This manipulation increases the risk of users accessing or interacting with malicious content, potentially leading to security compromises or system exploitation.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender web content evaluation feature set to disable on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE Registry.registry_path= \"*\\\\Windows\\\\CurrentVersion\\\\AppHost\\\\EnableWebContentEvaluation\" Registry.registry_value_data= \"0x00000000\" BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_web_evaluation_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint", "Web"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_disable_web_evaluation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Disable Win Defender App Guard", "author": "Teoderick Contreras, Splunk", "date": "2024-01-08", "version": 1, "id": "8b700d7e-54ad-4d7d-81cc-1456c4703306", "description": "The following analytic identifies a modification in the Windows registry to disable Windows Defender audit application guard. Microsoft Defender Application Guard provides enhanced security by isolating potentially malicious documents and websites in a containerized environment, protecting the system against various threats. Auditing and logging are essential components of security measures, providing visibility into activities within the isolated environment. Disabling auditing events within Application Guard might not be a standard or recommended practice since auditing is crucial for security monitoring and threat detection within the isolated container. However, there might be settings or configurations related to audit policies in the broader Windows Defender or operating system settings. This registry setting is being abuse by several threat actors, adversaries and red teamers to bypasses Windows defender detections.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender AuditApplicationGuard feature set to disable on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Policies\\\\Microsoft\\\\AppHVSI\\\\AuditApplicationGuard\" Registry.registry_value_data=\"0x00000000\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_win_defender_app_guard_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_disable_win_defender_app_guard_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Disable Win Defender Compute File Hashes", "author": "Teoderick Contreras, Splunk", "date": "2024-01-08", "version": 1, "id": "fe52c280-98bd-4596-b6f6-a13bbf8ac7c6", "description": "The following analytic identifies a modification in the Windows registry to disable Windows Defender file hashes computation. The EnableFileHashComputation registry setting likely pertains to whether Windows Defender's MpEngine (Malware Protection Engine) computes file hashes. Setting this value to 0 might disable the file hash computation feature within Windows Defender, which could affect certain malware detection or scanning functionalities that rely on file hash analysis. This registry setting is being abuse by several threat actors, adversaries and red teamers to bypasses Windows defender detections.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender File hashes computation set to disable on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\MpEngine\\\\EnableFileHashComputation\" Registry.registry_value_data=\"0x00000000\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_win_defender_compute_file_hashes_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_disable_win_defender_compute_file_hashes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Disable Win Defender Gen reports", "author": "Teoderick Contreras, Splunk", "date": "2024-01-08", "version": 1, "id": "93f114f6-cb1e-419b-ac3f-9e11a3045e70", "description": "The following analytic identifies a modification in the Windows registry to disable Windows Defender generic ports. This registry can disable the sending of Watson events in Windows Defender. This is by preventing the transmission of generic or non-specific error reports to Microsoft's Windows Error Reporting service, commonly known as Watson. This kind of setting could potentially be employed to limit or control the data sent to Microsoft for error analysis, often in scenarios where privacy or specific reporting requirements are in place. This registry setting is being abuse by several threat actors, adversaries and red teamers to bypasses Windows defender detections.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender DisableGenericRePorts registry is set to enable on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\Reporting\\\\DisableGenericRePorts\" Registry.registry_value_data=\"0x00000001\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_win_defender_gen_reports_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_disable_win_defender_gen_reports_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Disable Win Defender Network Protection", "author": "Teoderick Contreras, Splunk", "date": "2024-01-08", "version": 1, "id": "8b6c15c7-5556-463d-83c7-986326c21f12", "description": "The following analytic identifies a modification in the Windows registry to disable Windows Defender exploit guard network protection. The EnableNetworkProtection registry entry controls the activation or deactivation of Network Protection within Windows Defender Exploit Guard. When set to 1, it typically signifies that Network Protection is enabled, offering additional security measures against network-based threats by analyzing and blocking potentially malicious network activity. This registry setting is being abuse by several threat actors, adversaries and red teamers to bypasses Windows defender detections.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender Exploit Guard network protection set to disable on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Network Protection\\\\EnableNetworkProtection\" Registry.registry_value_data=\"0x00000000\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_win_defender_network_protection_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_disable_win_defender_network_protection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Disable Win Defender Report Infection", "author": "Teoderick Contreras, Splunk", "date": "2024-01-08", "version": 1, "id": "201946c6-b1d5-42bb-a7e0-5f7123f47fc4", "description": "The following analytic identifies a modification in the Windows registry to disable windows defender report infection information. Setting this registry key to 1, Instructs Windows Defender not to report detailed information about infections or threats detected on the system to Microsoft. Enabling this setting might limit or prevent the transmission of specific data related to infections, such as details about the detected malware, to Microsoft's servers for analysis or logging purposes. This registry is being abused by adversaries, threat actors and red-teamers to bypasses Windows Defender detections.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender DontReportInfectionInformation registry is enabled on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Microsoft\\\\MRT\\\\DontReportInfectionInformation\" Registry.registry_value_data=\"0x00000001\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_win_defender_report_infection_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_disable_win_defender_report_infection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Disable Win Defender Scan On Update", "author": "Teoderick Contreras, Splunk", "date": "2024-01-08", "version": 1, "id": "0418e72f-e710-4867-b656-0688e1523e09", "description": "The following analytic identifies a modification in the Windows registry to disable Windows Defender Scan On Update. The \"DisableScanOnUpdate\" registry setting in Windows Defender, when set to a value of 1, typically signifies the feature that prevents automatic scans from initiating when updates to Windows Defender or its antivirus definitions are installed. Any modifications to registry settings, it's important to ensure that changes align with security policies and best practices. Incorrect settings might affect the system's security or functionality. Always consider the implications and ensure changes are made based on accurate information and organizational requirements. This registry setting is being abuse by several threat actors, adversaries and red teamers to bypasses Windows defender detections.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender DisableScanOnUpdate feature set to enable on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\Signature Updates\\\\DisableScanOnUpdate\" Registry.registry_value_data=\"0x00000001\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_win_defender_scan_on_update_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint", "Updates"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_disable_win_defender_scan_on_update_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Disable Win Defender Signature Retirement", "author": "Teoderick Contreras, Splunk", "date": "2024-01-08", "version": 1, "id": "7567a72f-bada-489d-aef1-59743fb64a66", "description": "The following analytic identifies a modification in the Windows registry to disable windows defender Signature Retirement. The DisableSignatureRetirement registry setting in Windows Defender controls the retirement or expiration of antivirus signatures used by Windows Defender Antivirus. When DisableSignatureRetirement is set to 1, it usually indicates that Windows Defender won't automatically retire or expire antivirus signatures. Antivirus signatures are files containing information about known malware and are used by Windows Defender to detect and protect against threats. Disabling signature retirement might prevent Windows Defender from automatically removing or retiring older or less relevant antivirus signatures. This can potentially increase the number of signatures in use and might impact system resources or the effectiveness of threat detection.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender DisableSignatureRetirement registry is set to enable on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\NIS\\\\Consumers\\\\IPS\\\\DisableSignatureRetirement\" Registry.registry_value_data=\"0x00000001\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_win_defender_signature_retirement_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_disable_win_defender_signature_retirement_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Overide Win Defender Phishing Filter", "author": "Teoderick Contreras, Splunk", "date": "2024-01-08", "version": 1, "id": "10ca081c-57b1-4a78-ba56-14a40a7e116a", "description": "The following analytic identifies a modification in the Windows registry to disable windows defender phishing filter. This setting controls whether users can manually disable or modify the browser's built-in phishing filter. When attackers modify \"PreventOverride\" to 0, it might indicate an attempt to disable the prevention of user overrides for the phishing filter within Microsoft Edge. This change allows users to bypass or disable the built-in phishing protection provided by the browser. By allowing users to override the phishing filter, attackers may attempt to deceive users into visiting phishing websites or malicious pages without triggering warnings or protections from the browser's built-in security measures. This manipulation increases the risk of users unknowingly accessing potentially harmful websites, leading to potential security incidents or compromises.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender Phishing Filter registry was modified on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_key_name = \"*\\\\MicrosoftEdge\\\\PhishingFilter\" Registry.registry_value_name IN (\"EnabledV9\", \"PreventOverride\") Registry.registry_value_data=\"0x00000000\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_overide_win_defender_phishing_filter_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_overide_win_defender_phishing_filter_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Override SmartScreen Prompt", "author": "Teoderick Contreras, Splunk", "date": "2024-01-08", "version": 1, "id": "08058866-7987-486f-b042-275715ef6e9d", "description": "The following analytic identifies a modification in the Windows registry to override windows defender smartscreen prompt. The \"PreventSmartScreenPromptOverride\" registry setting is associated with the Windows SmartScreen feature, specifically related to controlling whether users can override SmartScreen prompts. When attackers modify \"PreventSmartScreenPromptOverride\" to 0, it signifies an attempt to disable the prevention of user overrides for SmartScreen prompts. By doing so, attackers aim to allow users to bypass or ignore SmartScreen warnings or prompts. This change increases the risk by permitting users to disregard warnings about potentially unsafe or malicious files or websites that would typically trigger SmartScreen alerts. It could lead to users unintentionally executing or accessing malicious content, potentially resulting in security incidents or system compromises.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender SmartScreen prompt was override on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE Registry.registry_path= \"*\\\\Microsoft\\\\Edge\\\\PreventSmartScreenPromptOverride\" Registry.registry_value_data= \"0x00000000\" BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_override_smartscreen_prompt_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_override_smartscreen_prompt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Set Win Defender Smart Screen Level To Warn", "author": "Teoderick Contreras, Splunk", "date": "2024-01-08", "version": 1, "id": "cc2a3425-2703-47e7-818f-3dca1b0bc56f", "description": "The following analytic identifies a modification in the Windows registry to set windows defender smart screen level to warn. Setting the ShellSmartScreenLevel to warn implies a SmartScreen configuration where the system displays a warning prompt when users attempt to run or access potentially risky or unrecognized files or applications. This warning serves as a cautionary alert to users, advising them about the potential risks associated with the file or application they are trying to execute. Changing SmartScreen settings to \"warn\" might be employed by attackers to reduce the likelihood of triggering immediate suspicion from users when running malicious executables. By setting it to \"warn,\" the system prompts a cautionary warning rather than outright blocking the execution, potentially increasing the chances of users proceeding with running the file despite the warning.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender SmartScreen Level to Warn on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Microsoft\\\\Windows\\\\System\\\\ShellSmartScreenLevel\" Registry.registry_value_data=\"Warn\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_set_win_defender_smart_screen_level_to_warn_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_set_win_defender_smart_screen_level_to_warn_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defenses Disable HVCI", "author": "Michael Haag, Splunk", "date": "2023-04-13", "version": 1, "id": "b061dfcc-f0aa-42cc-a6d4-a87f172acb79", "description": "The following analytic refers to a detection mechanism designed to identify when the Hypervisor-protected Code Integrity (HVCI) feature is disabled within the Windows registry. HVCI is a security feature in Windows 10 and Windows Server 2016 that helps protect the kernel and system processes from being tampered with by malicious code. HVCI relies on hardware-assisted virtualization and Microsoft's Hyper-V hypervisor to ensure that only kernel-mode code that has been signed by Microsoft or the system's hardware manufacturer can be executed. This prevents attackers from exploiting vulnerabilities to run unsigned code, like kernel-mode rootkits or other malicious software, at the kernel level. Disabling HVCI may expose the system to security risks and could be an indicator of a potential compromise or unauthorized activity. The analytic aims to detect and report events or configurations that lead to the disabling of HVCI.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/"], "tags": {"analytic_story": ["BlackLotus Campaign", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "HVCI has been disabled on $dest$.", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = \"*\\\\CurrentControlSet\\\\Control\\\\DeviceGuard\\\\Scenarios\\\\HypervisorEnforcedCodeIntegrity\\\\Enabled\" Registry.registry_value_data=\"0x00000000\" by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defenses_disable_hvci_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives will be limited to administrative scripts disabling HVCI. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_impair_defenses_disable_hvci_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defenses Disable Win Defender Auto Logging", "author": "Teoderick Contreras, Splunk", "date": "2023-12-27", "version": 1, "id": "76406a0f-f5e0-4167-8e1f-337fdc0f1b0c", "description": "The search looks for the Registry Key DefenderApiLogger or DefenderAuditLogger set to disable. This is consistent with RAT malware across a fleet of endpoints. This particular behavior is typically executed when an adversary gains access to an endpoint and beings to perform execution. Usually, a batch (.bat) will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications.", "references": ["https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/", "https://app.any.run/tasks/45f5d114-91ea-486c-ab01-41c4093d2861/"], "tags": {"analytic_story": ["CISA AA23-347A", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender Logger registry key set to 'disabled' on $dest$.", "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where (Registry.registry_path = \"*WMI\\\\Autologger\\\\DefenderApiLogger\\\\Start\" OR Registry.registry_path = \"*WMI\\\\Autologger\\\\DefenderAuditLogger\\\\Start\") Registry.registry_value_data =\"0x00000000\" by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.dest Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defenses_disable_win_defender_auto_logging_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_impair_defenses_disable_win_defender_auto_logging_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Indicator Removal Via Rmdir", "author": "Teoderick Contreras, Splunk", "date": "2023-11-23", "version": 1, "id": "c4566d2c-b094-48a1-9c59-d66e22065560", "description": "The following analytic identifies a process execute rmdir commandline to delete files and directory tree. This technique has been observed in the actions of various malware strains, such as DarkGate, as they attempt to eliminate specific files or components during their cleanup operations within compromised hosts. Notably, this deletion method doesn't exclusively require elevated privileges and can be executed by regular users or network administrators, although it's not the typical approach used for file deletion.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate"], "tags": {"analytic_story": ["DarkGate Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a process execute rmdir command to delete files and directory tree in $dest$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*rmdir*\" Processes.process = \"* /s *\" Processes.process = \"* /q *\" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_indicator_removal_via_rmdir_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "user and network administrator can execute this command.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_indicator_removal_via_rmdir_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Indirect Command Execution Via forfiles", "author": "Eric McGinnis, Splunk", "date": "2022-04-05", "version": 1, "id": "1fdf31c9-ff4d-4c48-b799-0e8666e08787", "description": "The following analytic detects programs that have been started by forfiles.exe. According to Microsoft, the 'The forfiles command lets you run a command on or pass arguments to multiple files'. While this tool can be used to start legitimate programs, usually within the context of a batch script, it has been observed being used to evade protections on command line execution.", "references": ["https://twitter.com/KyleHanslovan/status/912659279806640128", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/forfiles"], "tags": {"analytic_story": ["Living Off The Land", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The forfiles command (forfiles.exe) launched the process name - $process_name$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1202", "mitre_attack_technique": "Indirect Command Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process=\"*forfiles* /c *\" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_indirect_command_execution_via_forfiles_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Some legacy applications may be run using pcalua.exe. Similarly, forfiles.exe may be used in legitimate batch scripts. Filter these results as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_indirect_command_execution_via_forfiles_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Indirect Command Execution Via pcalua", "author": "Eric McGinnis, Splunk", "date": "2022-04-05", "version": 1, "id": "3428ac18-a410-4823-816c-ce697d26f7a8", "description": "The following analytic detects programs that have been started by pcalua.exe. pcalua.exe is the Microsoft Windows Program Compatability Assistant. While this tool can be used to start legitimate programs, it has been observed being used to evade protections on command line execution.", "references": ["https://twitter.com/KyleHanslovan/status/912659279806640128", "https://lolbas-project.github.io/lolbas/Binaries/Pcalua/"], "tags": {"analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The Program Compatability Assistant (pcalua.exe) launched the process $process_name$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1202", "mitre_attack_technique": "Indirect Command Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process=\"*pcalua* -a*\" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_indirect_command_execution_via_pcalua_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Some legacy applications may be run using pcalua.exe. Filter these results as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_indirect_command_execution_via_pcalua_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Indirect Command Execution Via Series Of Forfiles", "author": "Teoderick Contreras, Splunk", "date": "2022-11-30", "version": 1, "id": "bfdaabe7-3db8-48c5-80c1-220f9b8f22be", "description": "This analytic is developed to detect suspicious excessive usage of forfiles.exe process. This event was seen in post exploitation tool WINPEAS that was used by Ransomware Prestige. Forfiles command lets you run a command on or pass arguments to multiple files. This Windows OS built-in tool being abused to list all files in specific directory or drive.", "references": ["https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/forfiles", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["Prestige Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "excessive forfiles process execution in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1202", "mitre_attack_technique": "Indirect Command Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_guid) as process_guid values(Processes.process_name) as process_name count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"forfiles.exe\" OR Processes.original_file_name = \"forfiles.exe\" by Processes.parent_process_name Processes.parent_process Processes.dest Processes.user _time span=1m | where count >=20 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_indirect_command_execution_via_series_of_forfiles_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_indirect_command_execution_via_series_of_forfiles_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Information Discovery Fsutil", "author": "Teoderick Contreras, Splunk", "date": "2022-11-30", "version": 1, "id": "2181f261-93e6-4166-a5a9-47deac58feff", "description": "The following analytic identifies a process execution of Windows OS built-in tool FSUTIL to discover file system information. This tool is being abused or used by several adversaries or threat actor to query/list all drives, drive type, volume information or volume statistics by using the FSINFO parameter of this tool. This technique was seen in WINPEAS post exploitation tool that is being used by ransomware prestige to gain privilege and persistence to the targeted host.", "references": ["https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["Prestige Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "process $process_name$ with commandline $process$ is executed in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1082", "mitre_attack_technique": "System Information Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT19", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "Blue Mockingbird", "Chimera", "Confucius", "Darkhotel", "FIN13", "FIN8", "Gamaredon Group", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Malteiro", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Sowbug", "Stealth Falcon", "TA2541", "TeamTNT", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Windigo", "Windshift", "Wizard Spider", "ZIRCONIUM", "admin@338"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=\"fsutil.exe\" OR Processes.original_file_name = \"fsutil.exe\" AND Processes.process = \"*fsinfo*\" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_information_discovery_fsutil_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_information_discovery_fsutil_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Ingress Tool Transfer Using Explorer", "author": "Teoderick Contreras, Splunk", "date": "2022-08-30", "version": 2, "id": "76753bab-f116-4ea3-8fb9-89b638be58a9", "description": "The following analytic identifies the Windows Explorer process with a URL within the command-line. Explorer.exe is known Windows process that handles start menu, taskbar, desktop and file manager. Many adversaries abuse this process, like DCRat malware, where it attempts to open the URL with the default browser application on the target host by putting the URL as a parameter on explorer.exe process. This anomaly detection might be a good pivot to check which user and how this process was executed, what is the parent process and what is the URL link. This technique is not commonly used to open an URL.", "references": ["https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor"], "tags": {"analytic_story": ["DarkCrystal RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to download a remote payload.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = explorer.exe OR Processes.original_file_name = explorer.exe) AND NOT (Processes.parent_process_name IN(\"userinit.exe\", \"svchost.exe\")) Processes.process IN (\"* http://*\", \"* https://*\") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_ingress_tool_transfer_using_explorer_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present based on legitimate applications or third party utilities. Filter out any additional parent process names.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_ingress_tool_transfer_using_explorer_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows InProcServer32 New Outlook Form", "author": "Michael Haag, Splunk", "date": "2024-03-20", "version": 1, "id": "fedb49c4-4bd7-4d42-8fd9-f8c8538c73c4", "description": "The following analytic identifies the creation or modification of registry keys associated with new Outlook form installations that could indicate exploitation of CVE-2024-21378. The vulnerability allows for authenticated remote code execution via synced form objects by abusing the InProcServer32 registry key. The attack involves syncing malicious form objects that carry special properties and attachments used to \"install\" the form on a client, potentially leading to arbitrary file and registry key creation under HKEY_CLASSES_ROOT (HKCR), and ultimately, remote code execution. This detection focuses on monitoring for registry modifications involving InProcServer32 keys or equivalent that are linked to Outlook form installations, which are indicative of an attempt to exploit this vulnerability.", "references": ["https://www.netspi.com/blog/technical/red-team-operations/microsoft-outlook-remote-code-execution-cve-2024-21378/"], "tags": {"analytic_story": ["Outlook RCE CVE-2024-21378"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A registry key associated with a new Outlook form installation was created or modified. This could indicate exploitation of CVE-2024-21378 on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\InProcServer32\\\\*\" Registry.registry_value_data=*\\\\FORMS\\\\* by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.dest Registry.process_guid Registry.user | `drop_dm_object_name(Registry)` |`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_inprocserver32_new_outlook_form_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "False positives are possible if the organization adds new forms to Outlook via an automated method. Filter by name or path to reduce false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_inprocserver32_new_outlook_form_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Input Capture Using Credential UI Dll", "author": "Teoderick Contreras, Splunk", "date": "2022-08-24", "version": 1, "id": "406c21d6-6c75-4e9f-9ca9-48049a1dd90e", "description": "The following analytic identifies a process that loads the credui.dll module. This legitimate module is typically abused by adversaries, threat actors and red teamers to create a credential UI prompt dialog box to lure users for possible credential theft or can be used to dump the credentials of a targeted host. This hunting query is a good pivot to check why the process loaded this dll and if it is a legitimate file. This hunting query may hit false positive for a third party application that uses a credential login UI for user login.", "references": ["https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password"], "tags": {"analytic_story": ["Brute Ratel C4"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "a process $Image$ loaded $ImageLoaded$ in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1056.002", "mitre_attack_technique": "GUI Input Capture", "mitre_attack_tactics": ["Collection", "Credential Access"], "mitre_attack_groups": ["FIN4"]}, {"mitre_attack_id": "T1056", "mitre_attack_technique": "Input Capture", "mitre_attack_tactics": ["Collection", "Credential Access"], "mitre_attack_groups": ["APT39"]}]}, "type": "Hunting", "search": "`sysmon` EventCode=7 (ImageLoaded = \"*\\\\credui.dll\" AND OriginalFileName = \"credui.dll\") OR (ImageLoaded = \"*\\\\wincredui.dll\" AND OriginalFileName = \"wincredui.dll\") AND NOT(Image IN(\"*\\\\windows\\\\explorer.exe\", \"*\\\\windows\\\\system32\\\\*\", \"*\\\\windows\\\\sysWow64\\\\*\", \"*:\\\\program files*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded OriginalFileName dest EventCode Signed ProcessId ProcessGuid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_input_capture_using_credential_ui_dll_filter`", "how_to_implement": "The latest Sysmon TA 3.0 https://splunkbase.splunk.com/app/5709 will add the ImageLoaded name to the process_name field, allowing this query to work. Use as an example and implement for other products.", "known_false_positives": "this module can be loaded by a third party application. Filter is needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_input_capture_using_credential_ui_dll_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows InstallUtil Credential Theft", "author": "Michael Haag, Mauricio Velazo, Splunk", "date": "2024-03-14", "version": 4, "id": "ccfeddec-43ec-11ec-b494-acde48001122", "description": "This analytic identifies instances where the Windows InstallUtil.exe binary loads `vaultcli.dll` and `Samlib.dll`. This technique can be employed to execute code that bypasses application control and captures credentials using tools like Mimikatz.\nWhen `InstallUtil.exe` is used maliciously, it typically specifies the path to an executable on the filesystem. It is important to observe the parent process in such cases. Suspicious activity often involves being spawned from non-standard processes such as `Cmd.exe`, `PowerShell.exe`, or `Explorer.exe`.\nConversely, when used by developers, it is usually accompanied by multiple command-line switches/arguments and originates from Visual Studio.\nDuring triage, review any resulting network connections, file modifications, and concurrent processes. Capture any artifacts for further review.'", "references": ["https://gist.github.com/xorrior/bbac3919ca2aef8d924bdf3b16cce3d0"], "tags": {"analytic_story": ["Signed Binary Proxy Execution InstallUtil"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "An instance of process name [$process_name$] loading a file [$loaded_file$] was identified on endpoint- [$dest$] to potentially capture credentials in memory.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "type": "TTP", "search": "`sysmon` EventCode=7 process_name=installutil.exe loaded_file_path IN (\"*\\\\samlib.dll\", \"*\\\\vaultcli.dll\") | stats count min(_time) as firstTime max(_time) as lastTime by user_id, dest, process_name, loaded_file, loaded_file_path, original_file_name, process_guid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_installutil_credential_theft_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and module loads from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Typically, this will not trigger because, by its very nature, InstallUtil does not require credentials. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_installutil_credential_theft_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows InstallUtil in Non Standard Path", "author": "Michael Haag, Splunk", "date": "2024-05-22", "version": 2, "id": "dcf74b22-7933-11ec-857c-acde48001122", "description": "The following analytic detects the execution of InstallUtil.exe from non-standard paths. It leverages Endpoint Detection and Response (EDR) data, focusing on process names and original file names outside typical directories. This activity is significant because InstallUtil.exe is often used by attackers to execute malicious code or scripts. If confirmed malicious, this behavior could allow an attacker to bypass security controls, execute arbitrary code, and potentially gain unauthorized access or persist within the environment.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.yaml", "https://attack.mitre.org/techniques/T1036/003/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"], "tags": {"analytic_story": ["Data Destruction", "Living Off The Land", "Masquerading - Rename System Utilities", "Ransomware", "Signed Binary Proxy Execution InstallUtil", "Unusual Processes", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ from a non-standard path was identified on endpoint $dest$ by user $user$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where `process_installutil` NOT (Processes.process_path IN (\"*\\\\Windows\\\\ADWS\\\\*\",\"*\\\\Windows\\\\SysWOW64*\", \"*\\\\Windows\\\\system32*\", \"*\\\\Windows\\\\NetworkController\\\\*\", \"*\\\\Windows\\\\SystemApps\\\\*\", \"*\\\\WinSxS\\\\*\", \"*\\\\Windows\\\\Microsoft.NET\\\\*\")) by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id Processes.process_hash | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_installutil_in_non_standard_path_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present and filtering may be required. Certain utilities will run from non-standard paths based on the third-party application in use.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_installutil", "definition": "(Processes.process_name=installutil.exe OR Processes.original_file_name=InstallUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_installutil_in_non_standard_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows InstallUtil Remote Network Connection", "author": "Michael Haag, Splunk", "date": "2023-11-07", "version": 3, "id": "4fbf9270-43da-11ec-9486-acde48001122", "description": "The following analytic identifies the Windows InstallUtil.exe binary making a remote network connection. This technique may be used to download and execute code while bypassing application control.\nWhen `InstallUtil.exe` is used in a malicous manner, the path to an executable on the filesystem is typically specified. Take note of the parent process. In a suspicious instance, this will be spawned from a non-standard process like `Cmd.exe`, `PowerShell.exe` or `Explorer.exe`.\nIf used by a developer, typically this will be found with multiple command-line switches/arguments and spawn from Visual Studio.\nDuring triage review resulting network connections, file modifications, and parallel processes. Capture any artifacts and review further.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"], "tags": {"analytic_story": ["Living Off The Land", "Signed Binary Proxy Execution InstallUtil"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ generating a remote download.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_installutil` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as C2 ] | table _time user dest parent_process_name process_name process_path process process_id dest_port C2 | `windows_installutil_remote_network_connection_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives should be present as InstallUtil is not typically used to download remote files. Filter as needed based on Developers requirements.", "datamodel": ["Endpoint", "Network_Traffic"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_installutil", "definition": "(Processes.process_name=installutil.exe OR Processes.original_file_name=InstallUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_installutil_remote_network_connection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows InstallUtil Uninstall Option", "author": "Michael Haag, Splunk", "date": "2024-04-29", "version": 2, "id": "cfa7b9ac-43f0-11ec-9b48-acde48001122", "description": "The following analytic identifies the Windows InstallUtil.exe binary. This will execute code while bypassing application control using the `/u` (uninstall) switch.\nInstallUtil uses the functions install and uninstall within the System.Configuration.Install namespace to process .net assembly. Install function requires admin privileges, however, uninstall function can be run as an unprivileged user.\nWhen `InstallUtil.exe` is used in a malicous manner, the path to an executable on the filesystem is typically specified. Take note of the parent process. In a suspicious instance, this will be spawned from a non-standard process like `Cmd.exe`, `PowerShell.exe` or `Explorer.exe`.\nIf used by a developer, typically this will be found with multiple command-line switches/arguments and spawn from Visual Studio.\nDuring triage review resulting network connections, file modifications, and parallel processes. Capture any artifacts and review further.", "references": ["https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_12", "https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/md/Installutil.exe.md", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"], "tags": {"analytic_story": ["Living Off The Land", "Signed Binary Proxy Execution InstallUtil"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ performing an uninstall.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_installutil` Processes.process IN (\"*/u*\", \"*uninstall*\") NOT (Processes.process IN (\"*C:\\\\WINDOWS\\\\CCM\\\\*\")) NOT (Processes.parent_process_name IN (\"Microsoft.SharePoint.Migration.ClientInstaller.exe\")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_installutil_uninstall_option_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives should be present. Filter as needed by parent process or application.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_installutil", "definition": "(Processes.process_name=installutil.exe OR Processes.original_file_name=InstallUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_installutil_uninstall_option_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows InstallUtil Uninstall Option with Network", "author": "Michael Haag, Splunk", "date": "2022-03-16", "version": 2, "id": "1a52c836-43ef-11ec-a36c-acde48001122", "description": "The following analytic identifies the Windows InstallUtil.exe binary making a remote network connection. This technique may be used to download and execute code while bypassing application control using the `/u` (uninstall) switch.\nInstallUtil uses the functions install and uninstall within the System.Configuration.Install namespace to process .net assembly. Install function requires admin privileges, however, uninstall function can be run as an unprivileged user.\nWhen `InstallUtil.exe` is used in a malicous manner, the path to an executable on the filesystem is typically specified. Take note of the parent process. In a suspicious instance, this will be spawned from a non-standard process like `Cmd.exe`, `PowerShell.exe` or `Explorer.exe`.\nIf used by a developer, typically this will be found with multiple command-line switches/arguments and spawn from Visual Studio.\nDuring triage review resulting network connections, file modifications, and parallel processes. Capture any artifacts and review further.", "references": ["https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_12", "https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/md/Installutil.exe.md", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"], "tags": {"analytic_story": ["Living Off The Land", "Signed Binary Proxy Execution InstallUtil"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ performing an uninstall.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_installutil` Processes.process IN (\"*/u*\", \"*uninstall*\") by _time span=1h Processes.user Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as C2 ] | table _time user dest parent_process_name process_name process_path process process_id dest_port C2 | `windows_installutil_uninstall_option_with_network_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives should be present as InstallUtil is not typically used to download remote files. Filter as needed based on Developers requirements.", "datamodel": ["Endpoint", "Network_Traffic"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_installutil", "definition": "(Processes.process_name=installutil.exe OR Processes.original_file_name=InstallUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_installutil_uninstall_option_with_network_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows InstallUtil URL in Command Line", "author": "Michael Haag, Splunk", "date": "2021-11-12", "version": 1, "id": "28e06670-43df-11ec-a569-acde48001122", "description": "The following analytic identifies the Windows InstallUtil.exe binary passing a HTTP request on the command-line. This technique may be used to download and execute code while bypassing application control.\nWhen `InstallUtil.exe` is used in a malicous manner, the path to an executable on the filesystem is typically specified. Take note of the parent process. In a suspicious instance, this will be spawned from a non-standard process like `Cmd.exe`, `PowerShell.exe` or `Explorer.exe`.\nIf used by a developer, typically this will be found with multiple command-line switches/arguments and spawn from Visual Studio.\nDuring triage review resulting network connections, file modifications, and parallel processes. Capture any artifacts and review further.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md", "https://gist.github.com/DanielRTeixeira/0fd06ec8f041f34a32bf5623c6dd479d"], "tags": {"analytic_story": ["Living Off The Land", "Signed Binary Proxy Execution InstallUtil"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ passing a URL on the command-line.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_installutil` Processes.process IN (\"*http://*\",\"*https://*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_installutil_url_in_command_line_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives should be present as InstallUtil is not typically used to download remote files. Filter as needed based on Developers requirements.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_installutil", "definition": "(Processes.process_name=installutil.exe OR Processes.original_file_name=InstallUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_installutil_url_in_command_line_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows ISO LNK File Creation", "author": "Michael Haag, Teoderick Contreras, Splunk", "date": "2022-09-19", "version": 2, "id": "d7c2c09b-9569-4a9e-a8b6-6a39a99c1d32", "description": "The following analytic identifies the use of a delivered ISO file that has been mounted and the afformention lnk or file opened within it. When the ISO file is opened, the files are saved in the %USER%\\AppData\\Local\\Temp\\\\ path. The analytic identifies .iso.lnk written to the path. The name of the ISO file is prepended.", "references": ["https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", "https://github.com/MHaggis/notes/blob/master/utilities/ISOBuilder.ps1", "https://isc.sans.edu/diary/Recent+AZORult+activity/25120", "https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html"], "tags": {"analytic_story": ["AgentTesla", "Amadey", "Azorult", "Brute Ratel C4", "IcedID", "Qakbot", "Remcos", "Spearphishing Attachments", "Warzone RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An ISO file was mounted on $dest$ and should be reviewed and filtered as needed.", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1204.001", "mitre_attack_technique": "Malicious Link", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*\\\\Microsoft\\\\Windows\\\\Recent\\\\*\") Filesystem.file_name IN (\"*.iso.lnk\", \"*.img.lnk\", \"*.vhd.lnk\", \"*vhdx.lnk\") by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_iso_lnk_file_creation_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be high depending on the environment and consistent use of ISOs mounting. Restrict to servers, or filter out based on commonly used ISO names. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_iso_lnk_file_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Java Spawning Shells", "author": "Michael Haag, Splunk", "date": "2023-01-23", "version": 2, "id": "28c81306-5c47-11ec-bfea-acde48001122", "description": "The following analytic identifies the process name of java.exe and w3wp.exe spawning a Windows shell. This is potentially indicative of exploitation of the Java application and may be related to current event CVE-2021-44228 (Log4Shell). The shells included in the macro are \"cmd.exe\", \"powershell.exe\". Upon triage, review parallel processes and command-line arguments to determine legitimacy.", "references": ["https://blog.netlab.360.com/ten-families-of-malicious-samples-are-spreading-using-the-log4j2-vulnerability-now/", "https://gist.github.com/olafhartong/916ebc673ba066537740164f7e7e1d72", "https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/", "https://github.com/horizon3ai/CVE-2022-47966/blob/3a51c6b72ebbd87392babd955a8fbeaee2090b35/CVE-2022-47966.py", "https://blog.viettelcybersecurity.com/saml-show-stopper/", "https://www.horizon3.ai/manageengine-cve-2022-47966-iocs/"], "tags": {"analytic_story": ["Log4Shell CVE-2021-44228", "SysAid On-Prem Software CVE-2023-47246 Vulnerability"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ spawning a Windows shell, potentially indicative of exploitation.", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=java.exe OR Processes.parent_process_name=w3wp.exe `windows_shells` by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_java_spawning_shells_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Filtering may be required on internal developer build systems or classify assets as web facing and restrict the analytic based on that.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_shells", "definition": "(Processes.process_name=cmd.exe OR Processes.process_name=powershell.exe OR Processes.process_name=pwsh.exe OR Processes.process_name=sh.exe OR Processes.process_name=bash.exe OR Processes.process_name=wscript.exe OR Processes.process_name=cscript.exe)", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_java_spawning_shells_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Kerberos Local Successful Logon", "author": "Michael Haag, Splunk", "date": "2024-04-26", "version": 2, "id": "8309c3a8-4d34-48ae-ad66-631658214653", "description": "The following analytic identifies a local successful authentication event on a Windows endpoint using the Kerberos package. The target user security identified will be set to the built-in local Administrator account, along with the remote address as localhost - 127.0.0.1. This may be indicative of a kerberos relay attack. Upon triage, review for recently ran binaries on disk. In addition, look for new computer accounts added to Active Directory and other anomolous AD events.", "references": ["https://github.com/Dec0ne/KrbRelayUp"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Local Privilege Escalation With KrbRelayUp"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A successful localhost Kerberos authentication event occurred on $dest$, possibly indicative of Kerberos relay attack.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "`wineventlog_security` EventCode=4624 LogonType=3 AuthenticationPackageName=Kerberos action=success src=127.0.0.1 | stats count min(_time) as firstTime max(_time) as lastTime by dest, subject, action, SubjectLogonId, user, TargetUserName, src | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_kerberos_local_successful_logon_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4624 EventCode enabled. The Windows TA is also required.", "known_false_positives": "False positives are possible, filtering may be required to restrict to workstations vs domain controllers. Filter as needed.", "datamodel": ["Authentication"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_kerberos_local_successful_logon_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Known Abused DLL Created", "author": "Steven Dick", "date": "2024-02-19", "version": 1, "id": "ea91651a-772a-4b02-ac3d-985b364a5f07", "description": "This analytic is designed to identify instances where Dynamic Link Libraries (DLLs) with a known history of being exploited are created in locations that are not typical for their use. This could indicate that an attacker is attempting to exploit the DLL search order hijacking or sideloading techniques. DLL search order hijacking involves tricking an application into loading a malicious DLL instead of the legitimate one it was intending to load. This is often achieved by placing the malicious DLL in a directory that is searched before the directory containing the legitimate DLL. Sideloading, similarly, involves placing a malicious DLL with the same name as a legitimate DLL that an application is known to load, in a location that the application will search before finding the legitimate version. Both of these techniques can be used by attackers to execute arbitrary code, maintain persistence on a system, and potentially elevate their privileges, all while appearing as legitimate operations to the untrained eye. This analytic aims to shed light on such suspicious activities by monitoring for the creation of known abused DLLs in unconventional locations, thereby helping in the early detection of these stealthy attack techniques.", "references": ["https://attack.mitre.org/techniques/T1574/002/", "https://hijacklibs.net/api/", "https://wietze.github.io/blog/hijacking-dlls-in-windows", "https://github.com/olafhartong/sysmon-modular/pull/195/files"], "tags": {"analytic_story": ["Living Off The Land", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}, {"name": "file_name", "type": "File", "role": ["Attacker"]}], "message": "The file [$file_name$] was written to an unusual location by [$process_name$] on [$dest$].", "risk_score": 10, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1574.001", "mitre_attack_technique": "DLL Search Order Hijacking", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT41", "Aquatic Panda", "BackdoorDiplomacy", "Cinnamon Tempest", "Evilnum", "RTM", "Threat Group-3390", "Tonto Team", "Whitefly", "menuPass"]}, {"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Cinnamon Tempest", "Earth Lusca", "FIN13", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.parent_process_name!=\"unknown\" Processes.process_name=* Processes.process_guid!=null by _time span=1h Processes.dest Processes.user Processes.process_guid Processes.process_name Processes.process Processes.parent_process Processes.parent_process_name | `drop_dm_object_name(Processes)` | join max=0 process_guid dest [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*\\\\users\\\\*\",\"*\\\\Windows\\Temp\\\\*\",\"*\\\\programdata\\\\*\") Filesystem.file_name=\"*.dll\" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)` | lookup hijacklibs_loaded library AS file_name OUTPUT islibrary, ttp, comment as desc | lookup hijacklibs_loaded library AS file_name excludes as file_path OUTPUT islibrary as excluded | search islibrary = TRUE AND excluded != TRUE | stats latest(*) as * by dest process_guid ] | where isnotnull(file_name) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_known_abused_dll_created_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` and `Filesystem` nodes of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "This analytic may flag instances where DLLs are loaded by user mode programs for entirely legitimate and benign purposes. It is important for users to be aware that false positives are not only possible but likely, and that careful tuning of this analytic is necessary to distinguish between malicious activity and normal, everyday operations of applications. This may involve adjusting thresholds, whitelisting known good software, or incorporating additional context from other security tools and logs to reduce the rate of false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_known_abused_dll_created_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "hijacklibs_loaded", "description": "A list of potentially abused libraries in Windows", "filename": "hijacklibs_loaded.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(library),WILDCARD(excludes)", "min_matches": 1, "fields_list": null}]}, {"name": "Windows Known GraphicalProton Loaded Modules", "author": "Teoderick Contreras, Splunk", "date": "2023-12-18", "version": 1, "id": "bf471c94-0324-4b19-a113-d02749b969bc", "description": "The following analytic identifies a potential suspicious process loading dll modules related to Graphicalproton backdoor implant of SVR. These DLL modules have been observed in SVR attacks, commonly used to install backdoors on targeted hosts. This anomaly detection highlights the need for thorough investigation and immediate mitigation measures to safeguard the network against potential breaches.", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a"], "tags": {"analytic_story": ["CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Known GraphicalProton backdoor Loaded Modules on $dest$.", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Cinnamon Tempest", "Earth Lusca", "FIN13", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "`sysmon` EventCode=7 ImageLoaded IN (\"*\\\\AclNumsInvertHost.dll\", \"*\\\\ModeBitmapNumericAnimate.dll\", \"*\\\\UnregisterAncestorAppendAuto.dll\", \"*\\\\DeregisterSeekUsers.dll\", \"*\\\\ScrollbarHandleGet.dll\", \"*\\\\PerformanceCaptionApi.dll\", \"*\\\\WowIcmpRemoveReg.dll\", \"*\\\\BlendMonitorStringBuild.dll\", \"*\\\\HandleFrequencyAll.dll\", \"*\\\\HardSwapColor.dll\", \"*\\\\LengthInMemoryActivate.dll\", \"*\\\\ParametersNamesPopup.dll\", \"*\\\\ModeFolderSignMove.dll\", \"*\\\\ChildPaletteConnected.dll\", \"*\\\\AddressResourcesSpec.dll\") | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name dest EventCode Signed ProcessId Hashes IMPHASH | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_known_graphicalproton_loaded_modules_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_known_graphicalproton_loaded_modules_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows KrbRelayUp Service Creation", "author": "Michael Haag, Splunk", "date": "2024-05-09", "version": 3, "id": "e40ef542-8241-4419-9af4-6324582ea60a", "description": "The following analytic detects the creation of a service with the default name \"KrbSCM\" associated with the KrbRelayUp tool. It leverages Windows System Event Logs, specifically EventCode 7045, to identify this activity. This behavior is significant as KrbRelayUp is a known tool used for privilege escalation attacks. If confirmed malicious, this activity could allow an attacker to escalate privileges, potentially gaining unauthorized access to sensitive systems and data.", "references": ["https://github.com/Dec0ne/KrbRelayUp"], "tags": {"analytic_story": ["Local Privilege Escalation With KrbRelayUp"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A service was created on $dest$, related to KrbRelayUp.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}]}, "type": "TTP", "search": "`wineventlog_system` EventCode=7045 ServiceName IN (\"KrbSCM\") | stats count min(_time) as firstTime max(_time) as lastTime by dest EventCode ImagePath ServiceName StartType ServiceType | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_krbrelayup_service_creation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows System Event Logs with 7045 EventCode enabled. The Windows TA is also required.", "known_false_positives": "False positives should be limited as this is specific to KrbRelayUp based attack. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_krbrelayup_service_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Large Number of Computer Service Tickets Requested", "author": "Mauricio Velazco, Splunk", "date": "2023-03-20", "version": 1, "id": "386ad394-c9a7-4b4f-b66f-586252de20f0", "description": "The following analytic leverages Event ID 4769, `A Kerberos service ticket was requested`, to identify more than 30 computer service ticket requests from one source. When a domain joined endpoint connects to other remote endpoint, it will first request a Kerberos Service Ticket with the computer name as the Service Name. A user requesting a large number of computer service tickets for different endpoints could represent malicious behavior like lateral movement, malware staging, reconnaissance, etc.\nActive Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold as needed.", "references": ["https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/", "https://attack.mitre.org/techniques/T1135/", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "IpAddress", "type": "Endpoint", "role": ["Victim"]}], "message": "A large number of kerberos computer service tickets were requested by $IpAddress$ within 5 minutes.", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1135", "mitre_attack_technique": "Network Share Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT32", "APT38", "APT39", "APT41", "Chimera", "DarkVishnya", "Dragonfly", "FIN13", "Sowbug", "Tonto Team", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "type": "Anomaly", "search": " `wineventlog_security` EventCode=4769 ServiceName=\"*$\" TargetUserName!=\"*$\" | bucket span=5m _time | stats dc(ServiceName) AS unique_targets values(ServiceName) as host_targets by _time, IpAddress, TargetUserName | where unique_targets > 30 | `windows_large_number_of_computer_service_tickets_requested_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "An single endpoint requesting a large number of kerberos service tickets is not common behavior. Possible false positive scenarios include but are not limited to vulnerability scanners, administration systems and missconfigured systems.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_large_number_of_computer_service_tickets_requested_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Lateral Tool Transfer RemCom", "author": "Michael Haag, Splunk", "date": "2024-05-15", "version": 2, "id": "e373a840-5bdc-47ef-b2fd-9cc7aaf387f0", "description": "The following analytic identifies the execution of RemCom.exe, an open-source alternative to PsExec, used for lateral movement and remote command execution. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, original file names, and command-line arguments. This activity is significant as it indicates potential lateral movement within the network. If confirmed malicious, this could allow an attacker to execute commands remotely, potentially leading to further compromise and control over additional systems within the network.", "references": ["https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", "https://github.com/kavika13/RemCom"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to move laterally.", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1570", "mitre_attack_technique": "Lateral Tool Transfer", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT32", "APT41", "Aoqin Dragon", "Chimera", "FIN10", "GALLIUM", "Magic Hound", "Sandworm Team", "Turla", "Volt Typhoon", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=remcom.exe OR Processes.original_file_name=RemCom.exe) Processes.process=\"*\\\\*\" Processes.process IN (\"*/user:*\", \"*/pwd:*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_lateral_tool_transfer_remcom_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present based on Administrative use. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_lateral_tool_transfer_remcom_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Ldifde Directory Object Behavior", "author": "Michael Haag, Splunk", "date": "2023-05-25", "version": 1, "id": "35cd29ca-f08c-4489-8815-f715c45460d3", "description": "The following analytic identifies the use of Ldifde.exe, which provides the ability to create, modify, or delete LDAP directory objects. Natively, the binary is only installed on a domain controller. However, adversaries or administrators may install the Windows Remote Server Admin Tools for ldifde.exe. Ldifde.exe is a Microsoft Windows command-line utility used to import or export LDAP directory entries. LDAP stands for Lightweight Directory Access Protocol, which is a protocol used for accessing and managing directory information services over an IP network. LDIF, on the other hand, stands for LDAP Data Interchange Format, a standard plain-text data interchange format for representing LDAP directory entries. -i This is a flag used with Ldifde.exe to denote import mode. In import mode, Ldifde.exe takes an LDIF file and imports its contents into the LDAP directory. The data in the LDIF file might include new objects to be created, or modifications or deletions to existing objects. -f This flag is used to specify the filename of the LDIF file that Ldifde.exe will import from (in the case of the -i flag) or export to (without the -i flag). For example, if you wanted to import data from a file called data.ldif, you would use the command ldifde -i -f data.ldif. Keep in mind that while the use of Ldifde.exe is legitimate in many contexts, it can also be used maliciously. For instance, an attacker who has gained access to a domain controller could potentially use Ldifde.exe to export sensitive data or make unauthorized changes to the directory. Therefore, it's important to monitor for unusual or unauthorized use of this tool.", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Ldifde/", "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF", "https://twitter.com/0gtweet/status/1564968845726580736?s=20", "https://strontic.github.io/xcyclopedia/library/ldifde.exe-45D28FB47E9B6ACC5DCA9FDA3E790210.html"], "tags": {"analytic_story": ["Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control", "Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ utilizing ldifde on a domain controller.", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "FIN7", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "ToddyCat", "Turla", "Volt Typhoon"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=ldifde.exe Processes.process IN (\"*-i *\", \"*-f *\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_ldifde_directory_object_behavior_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_ldifde_directory_object_behavior_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Linked Policies In ADSI Discovery", "author": "Teoderick Contreras, Splunk", "date": "2023-04-14", "version": 1, "id": "510ea428-4731-4d2f-8829-a28293e427aa", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain groups. Red Teams and adversaries may leverage `[Adsisearcher]` to enumerate domain organizational unit for situational awareness and Active Directory Discovery.", "references": ["https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", "https://medium.com/@pentesttas/discover-hidden-gpo-s-on-active-directory-using-ps-adsi-a284b6814c81"], "tags": {"analytic_story": ["Active Directory Discovery", "Data Destruction", "Industroyer2"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows PowerShell [Adsisearcher] was used user enumeration on $user$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT41", "BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Scattered Spider", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}]}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*[adsisearcher]*\" ScriptBlockText = \"*objectcategory=organizationalunit*\" ScriptBlockText = \"*findAll()*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | rename Computer as dest, user_id as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_linked_policies_in_adsi_discovery_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_linked_policies_in_adsi_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Local Administrator Credential Stuffing", "author": "Mauricio Velazco, Splunk", "date": "2023-03-22", "version": 1, "id": "09555511-aca6-484a-b6ab-72cd03d73c34", "description": "The following analytic leverages events 4625 and 4624 to identify an endpoint using the builtin local Administrator account to authenticate to a large numbers of endpoints. Specifically, the logic will trigger when an endpoints attempts to authenticate to more than 30 target computers within a 5 minute timespan. This behavior could represent an adversary who has obtained access to local credentials and is trying to validate if these credentials work on other hosts to escalate their privileges. As environments differ across organizations, security teams should customize the thresholds of this detection as needed.", "references": ["https://attack.mitre.org/techniques/T1110/004/", "https://attack.mitre.org/techniques/T1110/", "https://www.blackhillsinfosec.com/wide-spread-local-admin-testing/", "https://www.pentestpartners.com/security-blog/admin-password-re-use-dont-do-it/", "https://www.praetorian.com/blog/microsofts-local-administrator-password-solution-laps/", "https://wiki.porchetta.industries/smb-protocol/password-spraying"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "host_targets", "type": "Endpoint", "role": ["Victim"]}, {"name": "IpAddress", "type": "Endpoint", "role": ["Attacker"]}], "message": "Local Administrator credential stuffing attack coming from $IpAddress$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}]}, "type": "TTP", "search": " `wineventlog_security` EventCode=4625 OR EventCode=4624 Logon_Type=3 TargetUserName=Administrator | bucket span=5m _time | stats dc(Computer) AS unique_targets values(Computer) as host_targets by _time, IpAddress, TargetUserName, EventCode | where unique_targets > 30 | `windows_local_administrator_credential_stuffing_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.", "known_false_positives": "Vulnerability scanners or system administration tools may also trigger this detection. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_local_administrator_credential_stuffing_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows LSA Secrets NoLMhash Registry", "author": "Teoderick Contreras, Splunk", "date": "2023-12-15", "version": 1, "id": "48cc1605-538c-4223-8382-e36bee5b540d", "description": "The following analytic identifies a modification in the Windows registry related to the Local Security Authority (LSA) in Windows. This registry value is used to determine whether the system should store passwords in the weaker Lan Manager (LM) hash format. Setting it to 0 disables this feature, meaning LM hashes will be stored. Modifying these settings should be done carefully and with a clear understanding of the impact it might have on system security and functionality. This command is often used in security configurations to enforce stronger password storage methods and prevent the storage of weaker LM hashes, which are more susceptible to certain types of attacks. This TTP detection can be a good indicator of any process or user that tries to modify the LSA security configuration.", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a"], "tags": {"analytic_story": ["CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Windows LSA Secrets NoLMhash Registry on $dest$ by $user$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.004", "mitre_attack_technique": "LSA Secrets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT33", "Dragonfly", "Ke3chang", "Leafminer", "MuddyWater", "OilRig", "Threat Group-3390", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\NoLMHash\" Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_lsa_secrets_nolmhash_registry_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "Administrator may change this registry setting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_lsa_secrets_nolmhash_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Mail Protocol In Non-Common Process Path", "author": "Teoderick Contreras, Splunk", "date": "2022-09-16", "version": 1, "id": "ac3311f5-661d-4e99-bd1f-3ec665b05441", "description": "The following analytic identifies a possible windows application having a SMTP connection in a non common installation path in windows operating system.This network protocol is being used by adversaries, threat actors and malware like AgentTesla as a Command And Control communication to transfer its collected stolen information like the desktop screenshots, browser information and system information of a targeted or compromised host.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla"], "tags": {"analytic_story": ["AgentTesla"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a process $Image$ is having a SMTP connection to $DestinationHostname$ in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1071.003", "mitre_attack_technique": "Mail Protocols", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT28", "APT32", "Kimsuky", "SilverTerrier", "Turla"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Magic Hound", "Rocke", "TeamTNT"]}]}, "type": "Anomaly", "search": "`sysmon` EventCode=3 NOT(Image IN(\"*\\\\program files*\", \"*\\\\thunderbird.exe\",\"*\\\\outlook.exe\")) (DestinationPortName=\"smtp\" OR DestinationPort=25 OR DestinationPort=587) | stats count min(_time) as firstTime max(_time) as lastTime by Image DestinationPort DestinationPortName DestinationHostname SourceHostname SourcePort SourcePortName Protocol DestinationIp dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_mail_protocol_in_non_common_process_path_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and sysmon eventcode = 3 connection events from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "third party application may use this network protocol as part of its feature. Filter is needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_mail_protocol_in_non_common_process_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Mark Of The Web Bypass", "author": "Teoderick Contreras, Splunk", "date": "2023-08-14", "version": 1, "id": "8ca13343-7405-4916-a2d1-ae34ce0c28ae", "description": "The following analytic identifies a suspicious process that delete mark-of-the-web data stream. This technique has been observed in various instances of malware and adversarial activities aimed at circumventing security restrictions within the Windows Operating System, particularly pertaining to files downloaded from the internet. An example of this scenario is demonstrated by Ave Maria RAT, which attempts to delete this data stream as a means to evade such restrictions.", "references": ["https://attack.mitre.org/techniques/T1553/005/", "https://github.com/nmantani/PS-MOTW#remove-motwps1"], "tags": {"analytic_story": ["Warzone RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A mark-of-the-web data stream is deleted on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1553.005", "mitre_attack_technique": "Mark-of-the-Web Bypass", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "TA505"]}]}, "type": "TTP", "search": "`sysmon` EventCode=23 TargetFilename = \"*:Zone.Identifier\" | stats min(_time) as firstTime max(_time) as lastTime count by user EventCode Image TargetFilename ProcessID dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_mark_of_the_web_bypass_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the deleted target file name, process name and process id from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_mark_of_the_web_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Masquerading Explorer As Child Process", "author": "Teoderick Contreras, Splunk", "date": "2024-04-25", "version": 1, "id": "61490da9-52a1-4855-a0c5-28233c88c481", "description": "The following analytic identifies a suspicious parent process of explorer.exe. Explorer is usually executed by userinit.exe that will exit after execution that causes the main explorer.exe no parent process. Some malware like qakbot spawn another explorer.exe to inject its code. This TTP detection is a good indicator that a process spawning explorer.exe might inject code or masquerading its parent child process to evade detections.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot"], "tags": {"analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "explorer.exe hash a suspicious parent process $parent_process_name$ in $dest$", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Cinnamon Tempest", "Earth Lusca", "FIN13", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN(\"cmd.exe\", \"powershell.exe\", \"regsvr32.exe\") AND Processes.process_name = \"explorer.exe\" AND Processes.process IN (\"*\\\\explorer.exe\") by Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest Processes.parent_process_id | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `windows_masquerading_explorer_as_child_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_masquerading_explorer_as_child_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Masquerading Msdtc Process", "author": "Teoderick Contreras, Splunk", "date": "2023-11-21", "version": 1, "id": "238f3a07-8440-480b-b26f-462f41d9a47c", "description": "The following analytic identifies a suspicious msdtc.exe with specific command-line parameters, particularly -a or -b, which are regarded as potential indicators of the presence of the insidious PlugX malware. This malware is notorious for its covert operations and is frequently utilized by threat actors for unauthorized access, data exfiltration, and espionage. The analytic's focus on the -a or -b command-line parameters within msdtc.exe is rooted in the PlugX malware's sophisticated tactic of masquerading its activities. To elude detection, PlugX employs a technique where it injects a concealed, headless PlugX Dynamic Link Library (DLL) module into the legitimate msdtc.exe process. By leveraging these specific command-line parameters, the malware attempts to disguise its presence within a system's legitimate processes, thereby evading immediate suspicion.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.plugx"], "tags": {"analytic_story": ["PlugX"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "msdtc.exe process with process commandline used by PlugX malware in $dest$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"msdtc.exe\" Processes.process = \"*msdtc.exe*\" Processes.process IN (\"* -a*\", \"* -b*\") by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_masquerading_msdtc_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_masquerading_msdtc_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Mimikatz Binary Execution", "author": "Michael Haag, Splunk", "date": "2023-12-27", "version": 1, "id": "a9e0d6d3-9676-4e26-994d-4e0406bb4467", "description": "As simple as it sounds, this analytic identifies when the native mimikatz.exe binary executes on Windows. It does look for the original file name as well, just in case the binary is renamed. Adversaries sometimes bring in the default binary and run it directly. Benjamin Delpy originally created Mimikatz as a proof of concept to show Microsoft that its authentication protocols were vulnerable to an attack. Instead, he inadvertently created one of the most widely used and downloaded threat actor tools of the past 20 years. Mimikatz is an open-source application that allows users to view and save authentication credentials such as Kerberos tickets.", "references": ["https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf", "https://www.varonis.com/blog/what-is-mimikatz", "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF"], "tags": {"analytic_story": ["CISA AA22-320A", "CISA AA23-347A", "Credential Dumping", "Flax Typhoon", "Sandworm Tools", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting dump credentials.", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=mimikatz.exe OR Processes.original_file_name=mimikatz.exe) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_mimikatz_binary_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited as this is directly looking for Mimikatz, the credential dumping utility.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_mimikatz_binary_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Mimikatz Crypto Export File Extensions", "author": "Michael Haag, Splunk", "date": "2024-05-09", "version": 2, "id": "3a9a6806-16a8-4cda-8d73-b49d10a05b16", "description": "The following analytic detects the creation of files with extensions commonly associated with the Mimikatz Crypto module. It leverages the Endpoint.Filesystem data model to identify specific file names indicative of certificate export activities. This behavior is significant as it may indicate the use of Mimikatz to export cryptographic keys, which is a common tactic for credential theft. If confirmed malicious, this activity could allow an attacker to exfiltrate sensitive cryptographic material, potentially leading to unauthorized access and further compromise of the environment.", "references": ["https://github.com/gentilkiwi/mimikatz/blob/master/mimikatz/modules/kuhl_m_crypto.c#L628-L645"], "tags": {"analytic_story": ["CISA AA23-347A", "Sandworm Tools", "Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Certificate file extensions realted to Mimikatz were identified on disk on $dest$.", "risk_score": 28, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*.keyx.rsa.pvk\",\"*sign.rsa.pvk\",\"*sign.dsa.pvk\",\"*dsa.ec.p8k\",\"*dh.ec.p8k\", \"*.pfx\", \"*.der\") by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Filesystem)` | `windows_mimikatz_crypto_export_file_extensions_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present and may need to be reviewed before this can be turned into a TTP. In addition, remove .pfx (standalone) if it's too much volume.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_mimikatz_crypto_export_file_extensions_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry AuthenticationLevelOverride", "author": "Teoderick Contreras, Splunk", "date": "2023-11-23", "version": 1, "id": "6410a403-36bb-490f-a06a-11c3be7d2a41", "description": "The following analytic identifies a modification in the Windows registry related to authentication level settings. This registry is the configuration for authentication level settings within the Terminal Server Client settings in Windows. AuthenticationLevelOverride might be used to control or override the authentication level used by the Terminal Server Client for remote connections. DarkGate malware modify this registry as part of its malicious installation in a targeted host for its remote desktop capabilities.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate"], "tags": {"analytic_story": ["DarkGate Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "the registry for authentication level settings was modified on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = \"*\\\\Terminal Server Client\\\\AuthenticationLevelOverride\" Registry.registry_value_data = 0x00000000 by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_authenticationleveloverride_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed.", "datamodel": ["Endpoint", "Authentication"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_authenticationleveloverride_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry Auto Minor Updates", "author": "Teoderick Contreras, Splunk", "date": "2023-04-21", "version": 1, "id": "be498b9f-d804-4bbf-9fc0-d5448466b313", "description": "The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that will \"Treat minor updates like other updates\".", "references": ["https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499"], "tags": {"analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A registry modification in Windows auto update configuration on $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\AU\\\\AutoInstallMinorUpdates\" AND Registry.registry_value_data=\"0x00000000\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_auto_minor_updates_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint", "Updates"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_auto_minor_updates_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry Auto Update Notif", "author": "Teoderick Contreras, Splunk", "date": "2023-04-21", "version": 1, "id": "4d1409df-40c7-4b11-aec4-bd0e709dfc12", "description": "The following analytic identifies a suspicious registry modification of Windows auto update notification. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that will switch the automatic windows update to \"Notify before download\".", "references": ["https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499"], "tags": {"analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A registry modification in Windows auto update notification on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\AU\\\\AUOptions\" AND Registry.registry_value_data=\"0x00000002\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_auto_update_notif_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_auto_update_notif_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry Default Icon Setting", "author": "Teoderick Contreras, Splunk", "date": "2023-01-16", "version": 1, "id": "a7a7afdb-3c58-45b6-9bff-63e5acfd9d40", "description": "This analytic is developed to detect suspicious registry modification to change the default icon association of windows to ransomware . This technique was seen in Lockbit ransomware where it modified the default icon association of the compromised Windows OS host with its dropped ransomware icon file as part of its defacement payload. This registry is not commonly modified by a normal user so having this anomaly detection may help to catch possible lockbit ransomware infection or other malware.", "references": ["https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html", "https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/"], "tags": {"analytic_story": ["LockBit Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A suspicious registry modification to change the default icon association of windows to ransomware was detected on endpoint $dest$ by user $user$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path =\"*\\\\defaultIcon\\\\(Default)*\" Registry.registry_path = \"*HKCR\\\\*\" by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.action Registry.dest Registry.user | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `windows_modify_registry_default_icon_setting_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_default_icon_setting_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry Disable Restricted Admin", "author": "Teoderick Contreras, Splunk", "date": "2023-12-15", "version": 1, "id": "cee573a0-7587-48e6-ae99-10e8c657e89a", "description": "The following analytic identifies a modification in the Windows registry related to DisableRestrictedAdmin. This registry entry is used to control the behavior of Restricted Admin mode, which is a security feature that limits the exposure of sensitive credentials when connecting remotely to another computer. When this registry value is set to 0 it indicates that Restricted Admin mode is enabled (default behavior). As with any modifications to registry settings, changing this entry should be approached cautiously, ensuring a clear understanding of the implications for system security and functionality. Unauthorized changes to these security settings can pose risks and should be monitored closely for any signs of tampering or unauthorized alterations.", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a"], "tags": {"analytic_story": ["CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Windows Modify Registry Disable Restricted Admin on $dest$ by $user$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\DisableRestrictedAdmin\" Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disable_restricted_admin_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "Administrator may change this registry setting. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_disable_restricted_admin_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry Disable Toast Notifications", "author": "Teoderick Contreras, Splunk", "date": "2022-06-22", "version": 1, "id": "ed4eeacb-8d5a-488e-bc97-1ce6ded63b84", "description": "The following analytic is to identify a modification in the Windows registry to disable toast notifications. This Windows Operating System feature is responsible for alerting or notifying user if application or OS need some updates. Adversaries and malwares like Azorult abuse this technique to disable important update notification in compromised host. This anomaly detection is a good pivot to look for further events related to defense evasion and execution.", "references": ["https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-remoteassistance-exe-fallowtogethelp", "https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "the registry for DisallowRun settings was modified to enable in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\PushNotifications\\\\ToastEnabled*\" Registry.registry_value_data=\"0x00000000\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disable_toast_notifications_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_disable_toast_notifications_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry Disable Win Defender Raw Write Notif", "author": "Teoderick Contreras, Splunk", "date": "2023-12-27", "version": 1, "id": "0e5e25c3-32f4-46f7-ba4a-5b95c3b90f5b", "description": "The following analytic identifies a modification in the Windows registry to disable Windows Defender raw write notification feature. This policy controls whether raw volume write notifications are sent to behavior monitoring or not. This registry was recently identified in Azorult malware to bypass Windows Defender detections or behavior monitoring in terms of volume write.", "references": ["https://admx.help/?Category=SystemCenterEndpointProtection&Policy=Microsoft.Policies.Antimalware::real-time_protection_disablerawwritenotification", "https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"analytic_story": ["Azorult", "CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "The registry for raw write notification settings was modified to disable in $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\Real-Time Protection\\\\DisableRawWriteNotification*\" Registry.registry_value_data=\"0x00000001\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disable_win_defender_raw_write_notif_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_disable_win_defender_raw_write_notif_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry Disable WinDefender Notifications", "author": "Teoderick Contreras, Splunk", "date": "2023-12-27", "version": 1, "id": "8e207707-ad40-4eb3-b865-3a52aec91f26", "description": "The following analytic identifies a suspicious registry modification to disable Windows Defender notification. This technique was being abused by several adversaries, malware authors and also red-teamers to evade detection on the targeted machine. RedLine Stealer is one of the malware we've seen that uses this technique to bypass Windows defender detection.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer"], "tags": {"analytic_story": ["CISA AA23-347A", "RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A registry modification to disable Windows Defender notification on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender Security Center\\\\Notifications\\\\DisableNotifications\" AND Registry.registry_value_data=\"0x00000001\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_disable_windefender_notifications_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_disable_windefender_notifications_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry Disable Windows Security Center Notif", "author": "Teoderick Contreras, Splunk", "date": "2023-12-27", "version": 1, "id": "27ed3e79-6d86-44dd-b9ab-524451c97a7b", "description": "The following analytic is to identify a modification in the Windows registry to disable windows center notifications. This Windows Operating System feature is responsible for alerting or notifying user if application or OS need some updates. Adversaries and malwares like Azorult abuse this technique to disable important update notification in compromised host. This anomaly detection is a good pivot to look for further events related to defense evasion and execution.", "references": ["https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-remoteassistance-exe-fallowtogethelp", "https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"analytic_story": ["Azorult", "CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "the registry for security center notification settings was modified to disable mode in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows\\\\CurrentVersion\\\\ImmersiveShell\\\\UseActionCenterExperience*\" Registry.registry_value_data=\"0x00000000\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disable_windows_security_center_notif_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_disable_windows_security_center_notif_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry DisableRemoteDesktopAntiAlias", "author": "Teoderick Contreras, Splunk", "date": "2023-11-23", "version": 1, "id": "4927c6f1-4667-42e6-bd7a-f5222116386b", "description": "The following analytic identifies a modification in the Windows registry to DisableRemoteDesktopAntiAlias. This registry setting might be intended to manage or control anti-aliasing behavior (smoothing of edges and fonts) within Remote Desktop sessions. DarkGate malware modify this registry as part of its malicious installation in a targeted host for its remote desktop capabilities.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate"], "tags": {"analytic_story": ["DarkGate Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "the registry for remote desktop settings was modified to be DisableRemoteDesktopAntiAlias on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = \"*\\\\Terminal Services\\\\DisableRemoteDesktopAntiAlias\" Registry.registry_value_data = 0x00000001 by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disableremotedesktopantialias_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_disableremotedesktopantialias_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry DisableSecuritySettings", "author": "Teoderick Contreras, Splunk", "date": "2023-12-27", "version": 1, "id": "989019b4-b7aa-418a-9a17-2293e91288b6", "description": "The following analytic identifies a modification in the Windows registry to disable security settings of Terminal Services. altering or disabling security settings within Terminal Services. Terminal Services, now known as Remote Desktop Services (RDS) in more recent Windows versions, allows users to access applications, data, and even an entire desktop remotely. DarkGate malware modify this registry as part of its malicious installation in a targeted host for its remote desktop capabilities.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate"], "tags": {"analytic_story": ["CISA AA23-347A", "DarkGate Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "the registry for terminal services settings was modified to disable security settings on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = \"*\\\\Terminal Services\\\\DisableSecuritySettings\" Registry.registry_value_data = 0x00000001 by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disablesecuritysettings_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_disablesecuritysettings_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry Disabling WER Settings", "author": "Teoderick Contreras, Splunk", "date": "2023-12-27", "version": 1, "id": "21cbcaf1-b51f-496d-a0c1-858ff3070452", "description": "The following analytic identifies a modification in the Windows registry to disable Windows error reporting settings. This Windows feature allows the user to report bugs, errors, failure or problems encountered in specific application or processes. Adversaries use this technique to hide any error or failure that some of its malicious components trigger.", "references": ["https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-remoteassistance-exe-fallowtogethelp", "https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"analytic_story": ["Azorult", "CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "the registry for WER settings was modified to be disabled on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\disable*\" Registry.registry_value_data=\"0x00000001\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disabling_wer_settings_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_disabling_wer_settings_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry DisAllow Windows App", "author": "Teoderick Contreras, Splunk", "date": "2022-06-22", "version": 1, "id": "4bc788d3-c83a-48c5-a4e2-e0c6dba57889", "description": "The following analytic identifies modification in the Windows registry to prevent user running specific computer programs that could aid them in manually removing malware or detecting it using security products. This technique was recently identified in Azorult malware where it uses this registry value to prevent several AV products to execute on the compromised host machine.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "The registry for DisallowRun settings was modified to enable in $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\DisallowRun*\" Registry.registry_value_data=\"0x00000001\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disallow_windows_app_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_disallow_windows_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry Do Not Connect To Win Update", "author": "Teoderick Contreras, Splunk", "date": "2023-04-21", "version": 1, "id": "e09c598e-8dd0-4e73-b740-4b96b689199e", "description": "The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that will disable Windos update functionality, and may cause connection to public services such as the Windows Store to stop working. This policy applies only when this PC is configured to connect to an intranet update service using the \"Specify intranet Microsoft update service location\" policy.", "references": ["https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499", "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsUpdate::DoNotConnectToWindowsUpdateInternetLocations"], "tags": {"analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "a registry modification in Windows auto update configuration in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\DoNotConnectToWindowsUpdateInternetLocations\" AND Registry.registry_value_data=\"0x00000001\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_do_not_connect_to_win_update_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_do_not_connect_to_win_update_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry DontShowUI", "author": "Teoderick Contreras, Splunk", "date": "2023-11-23", "version": 1, "id": "4ff9767b-fdf2-489c-83a5-c6c34412d72e", "description": "The following analytic identifies a modification in the Windows Error Reporting registry to DontShowUI. DarkGate malware modify this registry as part of its malicious installation in a targeted host for its remote desktop capabilities. When this registry value is present and set to a specific configuration, it can influence the behavior of error reporting dialogs or prompts, suppressing them from being displayed to the user.For instance, setting DontShowUI to a value of 1 often indicates that the Windows Error Reporting UI prompts will be suppressed, meaning users won't see error reporting pop-ups when errors occur.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate"], "tags": {"analytic_story": ["DarkGate Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "the registry for WER settings was modified to be disable show UI on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\DontShowUI\" Registry.registry_value_data = 0x00000001 by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_dontshowui_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_dontshowui_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry EnableLinkedConnections", "author": "Teoderick Contreras, Splunk", "date": "2023-07-10", "version": 1, "id": "93048164-3358-4af0-8680-aa5f38440516", "description": "The following analytic identifies a suspicious registry modification of Windows linked connection configuration. This technique was being abused by several adversaries, malware like BlackByte ransomware to enable the linked connections feature, that allows network shares to be accessed using both standard and administrator-level privileges simultaneously. By default, Windows does not enable this feature to enhance security.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/"], "tags": {"analytic_story": ["BlackByte Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A registry modification in Windows EnableLinkedConnections configuration on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLinkedConnections\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_enablelinkedconnections_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_enablelinkedconnections_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry LongPathsEnabled", "author": "Teoderick Contreras, Splunk", "date": "2023-07-10", "version": 1, "id": "36f9626c-4272-4808-aadd-267acce681c0", "description": "The following analytic identifies a suspicious registry modification of Windows long path enable configuration. This technique was being abused by several adversaries, malware like BlackByte to enable long file path support in the operating system. By default, Windows has a limitation on the maximum length of a file path, which is set to 260 characters. Enabling the LongPathsEnabled setting allows you to work with file paths longer than 260 characters.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/"], "tags": {"analytic_story": ["BlackByte Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A registry modification in Windows LongPathEnable configuration on $dest$", "risk_score": 16, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\CurrentControlSet\\\\Control\\\\FileSystem\\\\LongPathsEnabled\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_longpathsenabled_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_longpathsenabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry MaxConnectionPerServer", "author": "Teoderick Contreras, Splunk", "date": "2023-07-26", "version": 1, "id": "064cd09f-1ff4-4823-97e0-45c2f5b087ec", "description": "The following analytic identifies a suspicious registry modification of Windows max connection per server configuration. This particular technique has been observed in various threat actors, adversaries, and even in malware such as the Warzone (Ave Maria) RAT. By altering the max connection per server setting in the Windows registry, attackers can potentially increase the number of concurrent connections allowed to a remote server. This modification could be exploited for various malicious purposes, including facilitating distributed denial-of-service (DDoS) attacks or enabling more effective lateral movement within a compromised network.", "references": ["https://asec.ahnlab.com/en/17692/", "https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/warzone#:~:text=Warzone%20RAT%20(AKA%20Ave%20Maria)%20is%20a%20remote%20access%20trojan,is%20as%20an%20information%20stealer."], "tags": {"analytic_story": ["Warzone RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A registry modification in max connection per server configuration in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\MaxConnectionsPerServer*\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\MaxConnectionsPer1_0Server*\") Registry.registry_value_data = \"0x0000000a\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_maxconnectionperserver_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_maxconnectionperserver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry No Auto Reboot With Logon User", "author": "Teoderick Contreras, Splunk", "date": "2023-04-21", "version": 1, "id": "6a12fa9f-580d-4627-8c7f-313e359bdc6a", "description": "The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that will allow \"Logged-on user gets to choose whether or not to restart his or her compute\".", "references": ["https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499"], "tags": {"analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A registry modification in Windows auto update configuration on $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\AU\\\\NoAutoRebootWithLoggedOnUsers\" AND Registry.registry_value_data=\"0x00000001\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_no_auto_reboot_with_logon_user_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_no_auto_reboot_with_logon_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry No Auto Update", "author": "Teoderick Contreras, Splunk", "date": "2023-12-27", "version": 1, "id": "fbd4f333-17bb-4eab-89cb-860fa2e0600e", "description": "The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that will \"Disable Automatic Updates\".", "references": ["https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499"], "tags": {"analytic_story": ["CISA AA23-347A", "RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A registry modification in Windows auto update configuration on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\AU\\\\NoAutoUpdate\" AND Registry.registry_value_data=\"0x00000001\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_no_auto_update_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_no_auto_update_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry NoChangingWallPaper", "author": "Teoderick Contreras, Splunk", "date": "2023-12-12", "version": 1, "id": "a2276412-e254-4e9a-9082-4d92edb6a3e0", "description": "The following analytic identifies alterations in the Windows registry aimed at restricting wallpaper modifications. This tactic has been exploited by the Rhysida ransomware as a part of its destructive payload within compromised systems. By making this registry modification, the ransomware seeks to impede users from changing the wallpaper forcibly set by the malware, restricting the user's control over their system's visual settings.", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-319a"], "tags": {"analytic_story": ["Rhysida Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "the registry settings was modified to disable changing of wallpaper on $dest$.", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\Windows\\\\CurrentVersion\\\\Policies\\\\ActiveDesktop\\\\NoChangingWallPaper\" Registry.registry_value_data = 1) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_nochangingwallpaper_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_nochangingwallpaper_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry ProxyEnable", "author": "Teoderick Contreras, Splunk", "date": "2023-11-23", "version": 1, "id": "b27f20bd-ef20-41d1-a1e9-25dedd5bf2f5", "description": "The following analytic identifies a modification in the Windows registry to enable proxy. This method has been exploited by various malware and adversaries to establish proxy communication on compromised hosts, facilitating connections to malicious Command and Control (C2) servers. Identifying this anomaly serves as a crucial indicator to unveil suspicious processes attempting to activate the proxy feature within the Windows operating system. Detecting such attempts becomes pivotal in flagging potential threats, especially those aiming to leverage proxy configurations for unauthorized communication with malicious entities.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate"], "tags": {"analytic_story": ["DarkGate Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "the registry settings was modified to enable proxy on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = \"*\\\\Internet Settings\\\\ProxyEnable\" Registry.registry_value_data = 0x00000001 by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_proxyenable_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_proxyenable_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry ProxyServer", "author": "Teoderick Contreras, Splunk", "date": "2023-11-23", "version": 1, "id": "12bdaa0b-3c59-4489-aae1-bff6d67746ef", "description": "The following analytic identifies a modification in the Windows registry to setup proxy server. This method has been exploited by various malware and adversaries to establish proxy communication on compromised hosts, facilitating connections to malicious Command and Control (C2) servers. Identifying this anomaly serves as a crucial indicator to unveil suspicious processes attempting to activate the proxy feature within the Windows operating system. Detecting such attempts becomes pivotal in flagging potential threats, especially those aiming to leverage proxy configurations for unauthorized communication with malicious entities.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate"], "tags": {"analytic_story": ["DarkGate Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "the registry settings was modified to setup proxy server on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = \"*\\\\Internet Settings\\\\ProxyServer\" by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_proxyserver_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_proxyserver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry Qakbot Binary Data Registry", "author": "Teoderick Contreras, Bhavin Patel, Splunk", "date": "2023-11-07", "version": 2, "id": "2e768497-04e0-4188-b800-70dd2be0e30d", "description": "The following analytic identifies a suspicious registry entry created by Qakbot malware as part of its malicious execution. This \"Binary Data\" Registry was created by newly spawn explorer.exe where its malicious code is injected to it. The registry consist of 8 random registry value name with encrypted binary data on its registry value data. This anomaly detections can be a good pivot for possible Qakbot malware infection or other malware that uses registry to save or store there config or malicious code on the registry data stream.", "references": ["https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/decrypting-qakbots-encrypted-registry-keys/"], "tags": {"analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Registry with binary data created by $process_name$ on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count dc(registry_value_name) as registry_value_name_count FROM datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Microsoft\\\\*\" AND Registry.registry_value_data = \"Binary Data\" by _time span=1m Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.process_id Registry.registry_key_name | `drop_dm_object_name(Registry)` | eval registry_key_name_len = len(registry_key_name) | eval registry_value_name_len = len(registry_value_name) | regex registry_value_name=\"^[0-9a-fA-F]{8}\" | where registry_key_name_len < 80 AND registry_value_name_len == 8 | join process_guid, _time [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name IN (\"explorer.exe\", \"wermgr.exe\",\"dxdiag.exe\", \"OneDriveSetup.exe\", \"mobsync.exe\", \"msra.exe\", \"xwizard.exe\") by _time span=1m Processes.process_id Processes.process_name Processes.process Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid Processes.process_path | `drop_dm_object_name(Processes)` ] | stats min(_time) as firstTime max(_time) as lastTime values(registry_value_name) as registry_value_name dc(registry_value_name) as registry_value_name_count values(registry_key_name) by dest process_guid process_name parent_process_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where registry_value_name_count >= 5 | `windows_modify_registry_qakbot_binary_data_registry_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_qakbot_binary_data_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry Reg Restore", "author": "Teoderick Contreras, Splunk", "date": "2022-12-12", "version": 1, "id": "d0072bd2-6d73-4c1b-bc77-ded6d2da3a4e", "description": "The following analytic identifies a process execution of reg.exe with \"restore\" parameter. This reg.exe parameter is commonly used to restore registry backup data in a targeted host. This approach or technique was also seen in post-exploitation tool like winpeas where it uses \"reg save\" and \"reg restore\" to check the registry modification restriction in targeted host after gaining access to it.", "references": ["https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/quser", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["Prestige Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "execution of process $process_name$ in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "APT41", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "Volt Typhoon", "ZIRCONIUM"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process = \"* restore *\" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_reg_restore_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "network administrator can use this command tool to backup registry before updates or modifying critical registries.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_reg", "definition": "(Processes.process_name=reg.exe OR Processes.original_file_name=reg.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_reg_restore_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry Regedit Silent Reg Import", "author": "Teoderick Contreras, Splunk", "date": "2022-06-24", "version": 1, "id": "824dd598-71be-4203-bc3b-024f4cda340e", "description": "The following analytic identifies modification of Windows registry using regedit.exe application with silent mode parameter. regedit.exe windows application is commonly used as GUI app to check or modify registry. This application is also has undocumented command-line parameter and one of those are silent mode parameter that performs action without stopping for confirmation with dialog box. Importing registry from .reg files need to monitor in a production environment since it can be used adversaries to import RMS registry in compromised host.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/", "https://www.techtarget.com/searchwindowsserver/tip/Command-line-options-for-Regeditexe"], "tags": {"analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "The regedit app was executed with silet mode parameter to import .reg file on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"regedit.exe\" OR Processes.original_file_name=\"regedit.exe\") AND Processes.process=\"* /s *\" AND Processes.process=\"*.reg*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_regedit_silent_reg_import_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may execute this command that may cause some false positive. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_regedit_silent_reg_import_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry Risk Behavior", "author": "Teoderick Contreras, Splunk", "date": "2023-06-15", "version": 1, "id": "5eb479b1-a5ea-4e01-8365-780078613776", "description": "This analytic is designed to identify instances where three or more distinct analytics associated with Mitre ID T1112 - Modification of registry information are triggered. Such occurrences could indicate the presence of multiple malicious registry modifications on a host. Malicious actors frequently manipulate the Windows Registry to hide important configuration details within specific Registry keys. This technique allows them to obscure their activities, erase any evidence during cleanup operations, and establish continuous access and execution of malicious code.", "references": ["https://www.splunk.com/en_us/blog/security/do-not-cross-the-redline-stealer-detections-and-analysis.html", "https://www.splunk.com/en_us/blog/security/asyncrat-crusade-detections-and-defense.html", "https://www.splunk.com/en_us/blog/security/from-registry-with-love-malware-registry-abuses.html", "https://www.splunk.com/en_us/blog/security/-applocker-rules-as-defense-evasion-complete-analysis.html"], "tags": {"analytic_story": ["Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "Hostname", "role": ["Victim"]}], "message": "An increase of Windows Modify Registry behavior has been detected on $risk_object$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "type": "Correlation", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where source IN (\"*registry*\") All_Risk.annotations.mitre_attack.mitre_technique_id IN (\"*T1112*\") by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 3 | `windows_modify_registry_risk_behavior_filter`", "how_to_implement": "Splunk Enterprise Security is required to utilize this correlation. In addition, modify the source_count value to your environment. In our testing, a count of 4 or 5 was decent in a lab, but the number may need to be increased base on internal testing. In addition, based on false positives, modify any analytics to be anomaly and lower or increase risk based on organization importance.", "known_false_positives": "False positives will be present based on many factors. Tune the correlation as needed to reduce too many triggers.", "datamodel": ["Risk"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_risk_behavior_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry Suppress Win Defender Notif", "author": "Teoderick Contreras, Splunk", "date": "2023-12-27", "version": 1, "id": "e3b42daf-fff4-429d-bec8-2a199468cea9", "description": "The following analytic is to identify a modification in the Windows registry to suppress windows defender notification. This technique was abuse by adversaries and threat actor to bypassed windows defender on the targeted host. Azorult malware is one of the malware use this technique that also disable toast notification and other windows features as part of its malicious behavior.", "references": ["https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-remoteassistance-exe-fallowtogethelp", "https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"analytic_story": ["Azorult", "CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "the registry for suppresing windows fdefender notification settings was modified to disabled in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\UX Configuration\\\\Notification_Suppress*\" Registry.registry_value_data=\"0x00000001\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_suppress_win_defender_notif_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_suppress_win_defender_notif_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry Tamper Protection", "author": "Teoderick Contreras, Splunk", "date": "2023-04-21", "version": 1, "id": "12094335-88fc-4c3a-b55f-e62dd8c93c23", "description": "The following analytic identifies a suspicious registry modification to tamper Windows Defender protection. This technique was being abused by several adversaries, malware authors and also red-teamers to evade detection on the targeted machine. RedLine Stealer is one of the malware we've seen that uses this technique to bypass Windows defender detection.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer"], "tags": {"analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A registry modification to tamper Windows Defender protection on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Features\\\\TamperProtection\" AND Registry.registry_value_data=\"0x00000000\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_tamper_protection_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_tamper_protection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry UpdateServiceUrlAlternate", "author": "Teoderick Contreras, Splunk", "date": "2023-04-21", "version": 1, "id": "ca4e94fb-7969-4d63-8630-3625809a1f70", "description": "The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that specifies an intranet server to host updates from Microsoft Update.", "references": ["https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499"], "tags": {"analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A registry modification in Windows auto update configuration on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\UpdateServiceUrlAlternate\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_updateserviceurlalternate_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_updateserviceurlalternate_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry USeWuServer", "author": "Teoderick Contreras, Splunk", "date": "2023-04-21", "version": 1, "id": "c427bafb-0b2c-4b18-ad85-c03c6fed9e75", "description": "The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that will use \"The WUServer value unless this key is set\".", "references": ["https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499"], "tags": {"analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "a registry modification in Windows auto update configuration in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\AU\\\\UseWUServer\" AND Registry.registry_value_data=\"0x00000001\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_usewuserver_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_usewuserver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry With MD5 Reg Key Name", "author": "Teoderick Contreras, Splunk", "date": "2023-09-25", "version": 1, "id": "4662c6b1-0754-455e-b9ff-3ee730af3ba8", "description": "This analytic is designed to identify potentially malicious registry modification characterized by MD5-like registry key names. This technique has been notably observed in NjRAT malware, which employs such registries for fileless storage of keylogs and .DLL plugins. Detecting this tactic serves as an effective means of identifying possible NjRAT malware instances that create or modify registries as part of their malicious activities.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat"], "tags": {"analytic_story": ["NjRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A md5 registry value name $registry_value_name$ is created on $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = \"*\\\\SOFTWARE\\\\*\" Registry.registry_value_data = \"Binary Data\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | eval dropped_reg_path = split(registry_path, \"\\\\\") | eval dropped_reg_path_split_count = mvcount(dropped_reg_path) | eval validation_result= if(match(registry_value_name,\"^[0-9a-fA-F]{32}$\"),\"md5\",\"nonmd5\") | where validation_result = \"md5\" AND dropped_reg_path_split_count <= 5 | table dest user registry_path registry_value_name registry_value_data registry_key_name reg_key_name dropped_reg_path_split_count validation_result | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_with_md5_reg_key_name_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_with_md5_reg_key_name_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry WuServer", "author": "Teoderick Contreras, Splunk", "date": "2023-04-21", "version": 1, "id": "a02ad386-e26d-44ce-aa97-6a46cee31439", "description": "The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification related to the WSUS server used by Automatic Updates and (by default) API callers. This policy is paired with WUStatusServer; both must be set to the same value in order for them to be valid.", "references": ["https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499"], "tags": {"analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A registry modification in Windows auto update configuration on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\WUServer\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_wuserver_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_wuserver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry wuStatusServer", "author": "Teoderick Contreras, Splunk", "date": "2023-04-21", "version": 1, "id": "073e69d0-68b2-4142-aa90-a7ee6f590676", "description": "The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification related to the server to which reporting information will be sent for client computers that use the WSUS server configured by the WUServer key. This policy is paired with WUServer; both must be set to the same value in order for them to be valid.", "references": ["https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499"], "tags": {"analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "a registry modification in Windows auto update configuration in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\WUStatusServer\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_wustatusserver_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_wustatusserver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Show Compress Color And Info Tip Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2023-04-27", "version": 3, "id": "b7548c2e-9a10-11ec-99e3-acde48001122", "description": "This analytic is to look for suspicious registry modification related to file compression color and information tips. This IOC was seen in hermetic wiper where it has a thread that will create this registry entry to change the color of compressed or encrypted files in NTFS file system as well as the pop up information tips. This is a good indicator that a process tries to modified one of the registry GlobalFolderOptions related to file compression attribution in terms of color in NTFS file system.", "references": ["https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Registry modification in \"ShowCompColor\" and \"ShowInfoTips\" on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced*\" AND Registry.registry_value_name IN(\"ShowCompColor\", \"ShowInfoTip\")) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_show_compress_color_and_info_tip_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_show_compress_color_and_info_tip_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify System Firewall with Notable Process Path", "author": "Teoderick Contreras, Will Metcalf, Splunk", "date": "2023-12-12", "version": 1, "id": "cd6d7410-9146-4471-a418-49edba6dadc4", "description": "The following analytic detects a potential suspicious modification of firewall rule allowing to execute specific application in public and suspicious windows process file path. This technique was identified when an adversary and red teams to bypassed firewall file execution restriction in a targetted host. Take note that this event or command can run by administrator during testing or allowing legitimate tool or application.", "references": ["https://www.splunk.com/en_us/blog/security/more-than-just-a-rat-unveiling-njrat-s-mbr-wiping-capabilities.html"], "tags": {"analytic_story": ["NjRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "firewall allowed program commandline $process$ of $process_name$ on $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT", "ToddyCat"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*firewall*\" Processes.process = \"*allow*\" Processes.process = \"*add*\" Processes.process = \"*ENABLE*\" Processes.process IN (\"*\\\\windows\\\\fonts\\\\*\", \"*\\\\windows\\\\temp\\\\*\", \"*\\\\users\\\\public\\\\*\", \"*\\\\windows\\\\debug\\\\*\", \"*\\\\Users\\\\Administrator\\\\Music\\\\*\", \"*\\\\Windows\\\\servicing\\\\*\", \"*\\\\Users\\\\Default\\\\*\",\"*Recycle.bin*\", \"*\\\\Windows\\\\Media\\\\*\", \"\\\\Windows\\\\repair\\\\*\", \"*\\\\temp\\\\*\", \"*\\\\PerfLogs\\\\*\") by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_system_firewall_with_notable_process_path_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "A network operator or systems administrator may utilize an automated or manual execution of this firewall rule that may generate false positives. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_system_firewall_with_notable_process_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows MOF Event Triggered Execution via WMI", "author": "Michael Haag, Splunk", "date": "2024-04-29", "version": 2, "id": "e59b5a73-32bf-4467-a585-452c36ae10c1", "description": "The following anaytic identifies MOFComp.exe loading a MOF file. The Managed Object Format (MOF) compiler parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository. Typically, MOFComp.exe does not reach out to the public internet or load a MOF file from User Profile paths. A filter and consumer is typically registered in WMI. Review parallel processes and query WMI subscriptions to gather artifacts. The default path of mofcomp.exe is C:\\Windows\\System32\\wbem.", "references": ["https://attack.mitre.org/techniques/T1546/003/", "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", "https://docs.microsoft.com/en-us/windows/win32/wmisdk/mofcomp", "https://pentestlab.blog/2020/01/21/persistence-wmi-event-subscription/", "https://www.sakshamdixit.com/wmi-events/"], "tags": {"analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ loading a MOF file.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.003", "mitre_attack_technique": "Windows Management Instrumentation Event Subscription", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT33", "Blue Mockingbird", "FIN8", "HEXANE", "Leviathan", "Metador", "Mustang Panda", "Rancor", "Turla"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name IN (\"cmd.exe\", \"powershell.exe\") Processes.process_name=mofcomp.exe) OR (Processes.process_name=mofcomp.exe Processes.process IN (\"*\\\\AppData\\\\Local\\\\*\",\"*\\\\Users\\\\Public\\\\*\")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_mof_event_triggered_execution_via_wmi_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present from automation based applications (SCCM), filtering may be required. In addition, break the query out based on volume of usage. Filter process names or file paths.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_mof_event_triggered_execution_via_wmi_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows MOVEit Transfer Writing ASPX", "author": "Michael Haag, Splunk", "date": "2023-06-01", "version": 1, "id": "c0ed2aca-5666-45b3-813f-ddfac3f3eda0", "description": "The following analytic detects the creation of new ASPX files in the MOVEit Transfer application's \"wwwroot\" directory. This activity is indicative of the recent critical vulnerability found in MOVEit Transfer, where threat actors have been observed exploiting a zero-day vulnerability to install a malicious ASPX file (e.g., \"human2.aspx\") in the wwwroot directory. The injected file could then be used to exfiltrate sensitive data, including user credentials and file metadata. The vulnerability affects the MOVEit Transfer managed file transfer software developed by Progress, a subsidiary of US-based Progress Software Corporation. This analytic requires endpoint data reflecting process and filesystem activity. The identified process must be responsible for the creation of new ASPX or ASHX files in the specified directory.", "references": ["https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023", "https://www.reddit.com/r/sysadmin/comments/13wxuej/critical_vulnerability_moveit_file_transfer/", "https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/", "https://www.reddit.com/r/sysadmin/comments/13wxuej/critical_vulnerability_moveit_file_transfer/", "https://www.mandiant.com/resources/blog/zero-day-moveit-data-theft"], "tags": {"analytic_story": ["MOVEit Transfer Critical Vulnerability"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The MOVEit application on $dest$ has written a new ASPX file to disk.", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=System by _time span=1h Processes.process_id Processes.process_name Processes.dest | `drop_dm_object_name(Processes)` | join process_guid, _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*\\\\MOVEitTransfer\\\\wwwroot\\\\*\") Filesystem.file_name IN(\"*.aspx\", \"*.ashx\", \"*.asp*\") OR Filesystem.file_name IN (\"human2.aspx\",\"_human2.aspx\") by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` | fields _time dest file_create_time file_name file_path process_name process_path process] | dedup file_create_time | table dest file_create_time, file_name, file_path, process_name | `windows_moveit_transfer_writing_aspx_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node.", "known_false_positives": "The query is structured in a way that `action` (read, create) is not defined. Review the results of this query, filter, and tune as necessary. It may be necessary to generate this query specific to your endpoint product.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_moveit_transfer_writing_aspx_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows MSExchange Management Mailbox Cmdlet Usage", "author": "Michael Haag, Splunk", "date": "2024-05-22", "version": 2, "id": "396de86f-25e7-4b0e-be09-a330be35249d", "description": "The following analytic identifies suspicious Cmdlet usage in Exchange Management logs, focusing on commands like New-MailboxExportRequest and New-ManagementRoleAssignment. It leverages EventCode 1 and specific Message patterns to detect potential ProxyShell and ProxyNotShell abuse. This activity is significant as it may indicate unauthorized access or manipulation of mailboxes and roles, which are critical for maintaining email security. If confirmed malicious, attackers could export mailbox data, assign new roles, or search mailboxes, leading to data breaches and privilege escalation.", "references": ["https://gist.github.com/MHaggis/f66f1d608ea046efb9157020cd34c178"], "tags": {"analytic_story": ["BlackByte Ransomware", "ProxyNotShell", "ProxyShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Cmdlets related to ProxyShell and ProxyNotShell have been identified on $dest$.", "risk_score": 32, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}]}, "type": "Anomaly", "search": "`msexchange_management` EventCode=1 Message IN (\"*New-MailboxExportRequest*\", \"*New-ManagementRoleAssignment*\", \"*New-MailboxSearch*\", \"*Get-Recipient*\", \"*Search-Mailbox*\") | stats count min(_time) as firstTime max(_time) as lastTime by host Message | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename host AS dest | `windows_msexchange_management_mailbox_cmdlet_usage_filter`", "how_to_implement": "The following analytic requires collecting the Exchange Management logs via a input. An example inputs is here https://gist.github.com/MHaggis/f66f1d608ea046efb9157020cd34c178. We used multiline as the XML format of the logs will require props/transforms. Multiline gives us everything we need in Message for now. Update the macro with your correct sourcetype.", "known_false_positives": "False positives may be present when an Administrator utilizes the cmdlets in the query. Filter or monitor as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "msexchange_management", "definition": "sourcetype=MSExchange:management", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_msexchange_management_mailbox_cmdlet_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Mshta Execution In Registry", "author": "Teoderick Contreras, Splunk", "date": "2022-10-14", "version": 1, "id": "e13ceade-b673-4d34-adc4-4d9c01729753", "description": "The following analytic identifies the usage of mshta.exe Windows binary in registry to execute malicious script. This technique was seen in kovter malware where it create several registry entry which is a encoded javascript and will be executed by another registry containing mshta and javascript activexobject to execute the encoded script using wscript.shell. This TTP is a good indication of kovter malware or other adversaries or threat actors leveraging fileless detection that survive system reboot.", "references": ["https://redcanary.com/threat-detection-report/techniques/mshta/", "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/fileless-threats?view=o365-worldwide"], "tags": {"analytic_story": ["Suspicious Windows Registry Activities", "Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A registry $registry_path$ contains mshta $registry_value_data$ in $dest$", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA2541", "TA551"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_value_data = \"*mshta*\" OR Registry.registry_value_data IN (\"*javascript:*\", \"*vbscript:*\",\"*WScript.Shell*\") by Registry.registry_key_name Registry.registry_path Registry.registry_value_data Registry.action Registry.dest Registry.user| `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_mshta_execution_in_registry_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_mshta_execution_in_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows MSHTA Writing to World Writable Path", "author": "Michael Haag, Splunk", "date": "2024-03-26", "version": 1, "id": "efbcf8ee-bc75-47f1-8985-a5c638c4faf0", "description": "This detection identifies instances of the Windows utility `mshta.exe` being used to write files to world-writable directories, a technique commonly leveraged by adversaries to execute malicious scripts or payloads. Starting from 26 February 2024, APT29 has been observed distributing phishing attachments that lead to the download and execution of the ROOTSAW dropper via a compromised website. The ROOTSAW payload, utilizing obfuscated JavaScript, downloads a file named `invite.txt` to the `C:\\Windows\\Tasks` directory. This file is then decoded and decompressed to execute a malicious payload, often leveraging legitimate Windows binaries for malicious purposes, as seen with `SqlDumper.exe` in this campaign. \\\nThe analytic is designed to detect the initial file write operation by `mshta.exe` to directories that are typically writable by any user, such as `C:\\Windows\\Tasks`, `C:\\Windows\\Temp`, and others. This behavior is indicative of an attempt to establish persistence, execute code, or both, as part of a multi-stage infection process. The detection focuses on the use of `mshta.exe` to write to these locations, which is a deviation from the utility's legitimate use cases and thus serves as a strong indicator of compromise (IoC). \\\nThe ROOTSAW campaign associated with APT29 utilizes a sophisticated obfuscation technique and leverages multiple stages of payloads, ultimately leading to the execution of the WINELOADER malware. This detection aims to catch the early stages of such attacks, enabling defenders to respond before full compromise occurs.", "references": ["https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties", "https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader"], "tags": {"analytic_story": ["APT29 Diplomatic Deceptions with WINELOADER", "Suspicious MSHTA Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "Image", "type": "File Name", "role": ["Attacker"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An instance of $Image$ writing to $TargetFilename$ was detected on $dest$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA2541", "TA551"]}]}, "type": "TTP", "search": "`sysmon` EventCode=11 Image=\"*\\\\mshta.exe\" TargetFilename IN (\"*\\\\Windows\\\\Tasks\\\\*\", \"*\\\\Windows\\\\Temp\\\\*\", \"*\\\\Windows\\\\tracing\\\\*\", \"*\\\\Windows\\\\PLA\\\\Reports\\\\*\", \"*\\\\Windows\\\\PLA\\\\Rules\\\\*\", \"*\\\\Windows\\\\PLA\\\\Templates\\\\*\", \"*\\\\Windows\\\\PLA\\\\Reports\\\\en-US\\\\*\", \"*\\\\Windows\\\\PLA\\\\Rules\\\\en-US\\\\*\", \"*\\\\Windows\\\\Registration\\\\CRMLog\\\\*\", \"*\\\\Windows\\\\System32\\\\Tasks\\\\*\", \"*\\\\Windows\\\\System32\\\\Com\\\\dmp\\\\*\", \"*\\\\Windows\\\\System32\\\\LogFiles\\\\WMI\\\\*\", \"*\\\\Windows\\\\System32\\\\Microsoft\\\\Crypto\\\\RSA\\\\MachineKeys\\\\*\", \"*\\\\Windows\\\\System32\\\\spool\\\\PRINTERS\\\\*\", \"*\\\\Windows\\\\System32\\\\spool\\\\SERVERS\\\\*\", \"*\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\color\\\\*\", \"*\\\\Windows\\\\System32\\\\Tasks\\\\Microsoft\\\\Windows\\\\RemoteApp and Desktop Connections Update\\\\*\", \"*\\\\Windows\\\\SysWOW64\\\\Tasks\\\\*\", \"*\\\\Windows\\\\SysWOW64\\\\Com\\\\dmp\\\\*\", \"*\\\\Windows\\\\SysWOW64\\\\Tasks\\\\Microsoft\\\\Windows\\\\PLA\\\\*\", \"*\\\\Windows\\\\SysWOW64\\\\Tasks\\\\Microsoft\\\\Windows\\\\RemoteApp and Desktop Connections Update\\\\*\", \"*\\\\Windows\\\\SysWOW64\\\\Tasks\\\\Microsoft\\\\Windows\\\\PLA\\\\System\\\\*\") | rename Computer as dest, User as user | stats count min(_time) as firstTime max(_time) as lastTime by dest, user, Image, TargetFilename | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_mshta_writing_to_world_writable_path_filter`", "how_to_implement": "The analytic is designed to be run against Sysmon event logs collected from endpoints. The analytic requires the Sysmon event logs to be ingested into Splunk. The search focuses on EventCode 11 where the Image is `mshta.exe` and the TargetFilename is within world-writable directories such as `C:\\Windows\\Tasks`, `C:\\Windows\\Temp`, and others. The detection is designed to catch the initial file write operation by `mshta.exe` to these locations, which is indicative of an attempt to establish persistence or execute malicious code. The analytic can be modified to include additional world-writable directories as needed.", "known_false_positives": "False positives may occur if legitimate processes are writing to world-writable directories. It is recommended to investigate the context of the file write operation to determine if it is malicious or not. Modify the search to include additional known good paths for `mshta.exe` to reduce false positives.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_mshta_writing_to_world_writable_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows MSIExec DLLRegisterServer", "author": "Michael Haag, Splunk", "date": "2024-05-06", "version": 2, "id": "fdb59aef-d88f-4909-8369-ec2afbd2c398", "description": "The following analytic detects the execution of msiexec.exe with the /y switch parameter, which enables the loading of DLLRegisterServer. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process command-line arguments and parent-child process relationships. This activity is significant because it can indicate an attempt to register malicious DLLs, potentially leading to code execution or persistence on the system. If confirmed malicious, this could allow an attacker to execute arbitrary code, escalate privileges, or maintain persistence within the environment.", "references": ["https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"], "tags": {"analytic_story": ["Windows System Binary Proxy Execution MSIExec"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to register a file.", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.007", "mitre_attack_technique": "Msiexec", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Machete", "Molerats", "Rancor", "TA505", "ZIRCONIUM"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_msiexec` Processes.process IN (\"*/y*\", \"*-y*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_msiexec_dllregisterserver_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "This analytic will need to be tuned for your environment based on legitimate usage of msiexec.exe. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_msiexec", "definition": "(Processes.process_name=msiexec.exe OR Processes.original_file_name=msiexec.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_msiexec_dllregisterserver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows MsiExec HideWindow Rundll32 Execution", "author": "Teoderick Contreras, Splunk", "date": "2024-01-03", "version": 1, "id": "9683271d-92e4-43b5-a907-1983bfb9f7fd", "description": "The following analytic identifies a msiexec.exe process with hidewindow rundll32 process commandline. One such tactic involves utilizing system processes like \"msiexec,\" \"hidewindow,\" and \"rundll32\" through command-line execution. By leveraging these legitimate processes, QakBot masks its malicious operations, hiding behind seemingly normal system activities. This clandestine approach allows the trojan to carry out unauthorized tasks discreetly, such as downloading additional payloads, executing malicious code, or establishing communication with remote servers. This obfuscation through trusted system processes enables QakBot to operate stealthily, evading detection by security mechanisms and perpetuating its harmful actions without raising suspicion.", "references": ["https://twitter.com/Max_Mal_/status/1736392741758611607", "https://twitter.com/1ZRR4H/status/1735944522075386332"], "tags": {"analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "a msiexec parent process with /hidewindow rundll32 process commandline in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.007", "mitre_attack_technique": "Msiexec", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Machete", "Molerats", "Rancor", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name = msiexec.exe Processes.process = \"* /HideWindow *\" Processes.process = \"* rundll32*\" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_msiexec_hidewindow_rundll32_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Other possible 3rd party msi software installers use this technique as part of its installation process.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_msiexec_hidewindow_rundll32_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows MSIExec Remote Download", "author": "Michael Haag, Splunk", "date": "2024-05-08", "version": 2, "id": "6aa49ff2-3c92-4586-83e0-d83eb693dfda", "description": "The following analytic detects the use of msiexec.exe with an HTTP or HTTPS URL in the command line, indicating a remote file download attempt. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant as it may indicate an attempt to download and execute potentially malicious software from a remote server. If confirmed malicious, this could lead to unauthorized code execution, system compromise, or further malware deployment within the network.", "references": ["https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"], "tags": {"analytic_story": ["Windows System Binary Proxy Execution MSIExec"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to download a remote file.", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.007", "mitre_attack_technique": "Msiexec", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Machete", "Molerats", "Rancor", "TA505", "ZIRCONIUM"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_msiexec` Processes.process IN (\"*http://*\", \"*https://*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_msiexec_remote_download_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter by destination or parent process as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_msiexec", "definition": "(Processes.process_name=msiexec.exe OR Processes.original_file_name=msiexec.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_msiexec_remote_download_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows MSIExec Spawn Discovery Command", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 2, "id": "e9d05aa2-32f0-411b-930c-5b8ca5c4fcee", "description": "The following analytic detects MSIExec spawning multiple discovery commands, such as Cmd.exe or PowerShell.exe. This behavior is identified using data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where MSIExec is the parent process. This activity is significant because MSIExec typically does not spawn child processes other than itself, making this behavior highly suspicious. If confirmed malicious, an attacker could use these discovery commands to gather system information, potentially leading to further exploitation or lateral movement within the network.", "references": ["https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"], "tags": {"analytic_story": ["Windows System Binary Proxy Execution MSIExec"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ running different discovery commands.", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.007", "mitre_attack_technique": "Msiexec", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Machete", "Molerats", "Rancor", "TA505", "ZIRCONIUM"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=msiexec.exe Processes.process_name IN (\"powershell.exe\",\"cmd.exe\", \"nltest.exe\",\"ipconfig.exe\",\"systeminfo.exe\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_msiexec_spawn_discovery_command_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will be present with MSIExec spawning Cmd or PowerShell. Filtering will be needed. In addition, add other known discovery processes to enhance query.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_msiexec_spawn_discovery_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows MSIExec Spawn WinDBG", "author": "Michael Haag, Splunk", "date": "2023-10-31", "version": 1, "id": "9a18f7c2-1fe3-47b8-9467-8b3976770a30", "description": "This analytic identifies the unusual behavior of MSIExec spawning WinDBG. It is designed to detect potential malicious activities. The search specifically looks for instances where the parent process name is 'msiexec.exe' and the process name is 'windbg.exe'. During the triage process, it is recommended to review the file path for additional artifacts that may provide further insights into the event.", "references": ["https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2023-10-25-IOCs-from-DarkGate-activity.txt"], "tags": {"analytic_story": ["DarkGate Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$.", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.007", "mitre_attack_technique": "Msiexec", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Machete", "Molerats", "Rancor", "TA505", "ZIRCONIUM"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=msiexec.exe Processes.process_name=windbg.exe by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process_path Processes.parent_process Processes.process_name Processes.process_path Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_msiexec_spawn_windbg_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will only be present if the MSIExec process legitimately spawns WinDBG. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_msiexec_spawn_windbg_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows MSIExec Unregister DLLRegisterServer", "author": "Michael Haag, Splunk", "date": "2024-05-10", "version": 2, "id": "a27db3c5-1a9a-46df-a577-765d3f1a3c24", "description": "The following analytic detects the use of msiexec.exe with the /z switch parameter, which is used to unload DLLRegisterServer. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs, including command-line arguments. This activity is significant because unloading DLLRegisterServer can be indicative of an attempt to deregister a DLL, potentially disrupting legitimate services or hiding malicious activity. If confirmed malicious, this could allow an attacker to disable security controls, evade detection, or disrupt system functionality, leading to further compromise of the environment.", "references": ["https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"], "tags": {"analytic_story": ["Windows System Binary Proxy Execution MSIExec"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to unregister a file.", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.007", "mitre_attack_technique": "Msiexec", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Machete", "Molerats", "Rancor", "TA505", "ZIRCONIUM"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_msiexec` Processes.process IN (\"*/z*\", \"*-z*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_msiexec_unregister_dllregisterserver_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "This analytic will need to be tuned for your environment based on legitimate usage of msiexec.exe. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_msiexec", "definition": "(Processes.process_name=msiexec.exe OR Processes.original_file_name=msiexec.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_msiexec_unregister_dllregisterserver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows MSIExec With Network Connections", "author": "Michael Haag, Splunk", "date": "2024-05-14", "version": 2, "id": "827409a1-5393-4d8d-8da4-bbb297c262a7", "description": "The following analytic detects MSIExec making network connections over ports 443 or 80. This behavior is identified by correlating process creation events from Endpoint Detection and Response (EDR) agents with network traffic logs. Typically, MSIExec does not perform network communication to the internet, making this activity unusual and potentially indicative of malicious behavior. If confirmed malicious, an attacker could be using MSIExec to download or communicate with external servers, potentially leading to data exfiltration, command and control (C2) communication, or further malware deployment.", "references": ["https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"], "tags": {"analytic_story": ["Windows System Binary Proxy Execution MSIExec"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $process_name$ was identified on endpoint $dest$ contacting a remote destination $dest_ip$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.007", "mitre_attack_technique": "Msiexec", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Machete", "Molerats", "Rancor", "TA505", "ZIRCONIUM"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_msiexec` by _time Processes.user Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port IN (\"80\",\"443\") by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port All_Traffic.dest_ip | `drop_dm_object_name(All_Traffic)` ] | table _time user dest parent_process_name process_name process_path process process_id dest_port dest_ip | `windows_msiexec_with_network_connections_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will be present and filtering is required.", "datamodel": ["Endpoint", "Network_Traffic"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_msiexec", "definition": "(Processes.process_name=msiexec.exe OR Processes.original_file_name=msiexec.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_msiexec_with_network_connections_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Multi hop Proxy TOR Website Query", "author": "Teoderick Contreras, Splunk", "date": "2022-09-16", "version": 1, "id": "4c2d198b-da58-48d7-ba27-9368732d0054", "description": "The following analytic identifies a dns query to a known TOR proxy website. This technique was seen in several adversaries, threat actors and malware like AgentTesla to To disguise the source of its malicious traffic. adversaries may chain together multiple proxies. This Anomaly detection might be a good pivot for a process trying to download or use TOR proxies in a compromised host machine.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla"], "tags": {"analytic_story": ["AgentTesla"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a process $Image$ is having a dns query in a tor domain $QueryName$ in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1071.003", "mitre_attack_technique": "Mail Protocols", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT28", "APT32", "Kimsuky", "SilverTerrier", "Turla"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Magic Hound", "Rocke", "TeamTNT"]}]}, "type": "Anomaly", "search": "`sysmon` EventCode=22 QueryName IN (\"*.torproject.org\", \"www.theonionrouter.com\") | stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName QueryStatus ProcessId Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_multi_hop_proxy_tor_website_query_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and sysmon eventcode = 22 dns query events from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "third party application may use this proxies if allowed in production environment. Filter is needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_multi_hop_proxy_tor_website_query_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Multiple Account Passwords Changed", "author": "Mauricio Velazco, Splunk", "date": "2024-02-20", "version": 1, "id": "faefb681-14be-4f0d-9cac-0bc0160c7280", "description": "This Splunk detection identifies situations where over five unique Windows account passwords are changed within a 10-minute interval, captured by Event Code 4724 in the Windows Security Event Log. The query utilizes the wineventlog_security dataset, organizing data into 10-minute periods to monitor the count and distinct count of TargetUserName, the accounts with altered passwords. Rapid password changes across multiple accounts are atypical and might indicate unauthorized access or an internal actor compromising account security. Teams should calibrate the detection's threshold and timeframe to fit their specific operational context.", "references": ["https://attack.mitre.org/techniques/T1098/"], "tags": {"analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}], "message": "User $src_user$ changed the passwords of multiple accounts in a short period of time.", "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": " `wineventlog_security` EventCode=4724 status=success | bucket span=10m _time | stats count dc(user) as unique_users values(user) as user by EventCode signature _time src_user SubjectDomainName TargetDomainName Logon_ID | where unique_users > 5 | `windows_multiple_account_passwords_changed_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller events with the Windows TA. The Advanced Security Audit policy setting `Audit User Account Management` within `Account Management` needs to be enabled.", "known_false_positives": "Service accounts may be responsible for the creation, deletion or modification of accounts for legitimate purposes. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_multiple_account_passwords_changed_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Multiple Accounts Deleted", "author": "Mauricio Velazco, Splunk", "date": "2024-02-21", "version": 1, "id": "49c0d4d6-c55d-4d3a-b3d5-7709fafed70d", "description": "The following analytic flags when more than five unique Windows accounts are deleted within a 10-minute period, identified by Event Code 4726 in the Windows Security Event Log. Using the wineventlog_security dataset, it segments data into 10-minute intervals to monitor account deletions, a pattern that could suggest malicious intent like an attacker erasing traces. Teams should adjust the detection's threshold and timeframe to suit their specific environment.", "references": ["https://attack.mitre.org/techniques/T1098/"], "tags": {"analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}], "message": "User $src_user$ deleted multiple accounts in a short period of time.", "risk_score": 18, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": " `wineventlog_security` EventCode=4726 status=success | bucket span=10m _time | stats count dc(user) as unique_users values(user) as user by EventCode signature _time src_user SubjectDomainName TargetDomainName Logon_ID | where unique_users > 5 | `windows_multiple_accounts_deleted_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller events with the Windows TA. The Advanced Security Audit policy setting `Audit User Account Management` within `Account Management` needs to be enabled.", "known_false_positives": "Service accounts may be responsible for the creation, deletion or modification of accounts for legitimate purposes. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_multiple_accounts_deleted_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Multiple Accounts Disabled", "author": "Mauricio Velazco, Splunk", "date": "2024-02-21", "version": 1, "id": "5d93894e-befa-4429-abde-7fc541020b7b", "description": "This Splunk detection focuses on instances where more than five unique Windows accounts are disabled within a 10-minute window, as indicated by Event Code 4725 in the Windows Security Event Log. The query analyzes the wineventlog_security dataset, grouping data into 10-minute segments, and tracks the count and distinct count of TargetUserName, the accounts being disabled. This pattern of disabling multiple accounts rapidly is unusual and could signal internal policy breaches or an external attacker's attempt to disrupt normal operations. Teams are advised to tailor the threshold and timeframe of this detection to their environment's specifics", "references": ["https://attack.mitre.org/techniques/T1098/"], "tags": {"analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}], "message": "User $src_user$ disabled multiple accounts in a short period of time.", "risk_score": 18, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": " `wineventlog_security` EventCode=4725 status=success | bucket span=10m _time | stats count dc(user) as unique_users values(user) as user by EventCode signature _time src_user SubjectDomainName TargetDomainName Logon_ID | where unique_users > 5 | `windows_multiple_accounts_disabled_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller events with the Windows TA. The Advanced Security Audit policy setting `Audit User Account Management` within `Account Management` needs to be enabled.", "known_false_positives": "Service accounts may be responsible for the creation, deletion or modification of accounts for legitimate purposes. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_multiple_accounts_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos", "author": "Mauricio Velazco, Splunk", "date": "2021-04-14", "version": 2, "id": "98f22d82-9d62-11eb-9fcf-acde48001122", "description": "The following analytic identifies one source endpoint failing to authenticate with 30 unique disabled domain users using the Kerberos protocol within 5 minutes. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using Kerberos to obtain initial access or elevate privileges. Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold when needed. As attackers progress in a breach, mistakes will be made. In certain scenarios, adversaries may execute a password spraying attack against disabled users. Event 4768 is generated every time the Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT). Failure code `0x12` stands for `clients credentials have been revoked` (account disabled, expired or locked out).\nThis logic can be used for real time security monitoring as well as threat hunting exercises. This detection will only trigger on domain controllers, not on member servers or workstations.\nThe analytics returned fields allow analysts to investigate the event further by providing fields like source ip and attempted user accounts.", "references": ["https://attack.mitre.org/techniques/T1110/003/"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Password Spraying", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "IpAddress", "type": "IP Address", "role": ["Attacker"]}], "message": "Potential Kerberos based password spraying attack from $IpAddress$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "type": "TTP", "search": "`wineventlog_security` EventCode=4768 TargetUserName!=*$ Status=0x12 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, IpAddress | where unique_accounts > 30 | `windows_multiple_disabled_users_failed_to_authenticate_wth_kerberos_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple disabled domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, multi-user systems missconfigured systems.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_multiple_disabled_users_failed_to_authenticate_wth_kerberos_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Multiple Invalid Users Fail To Authenticate Using Kerberos", "author": "Mauricio Velazco, Splunk", "date": "2021-04-14", "version": 2, "id": "001266a6-9d5b-11eb-829b-acde48001122", "description": "The following analytic identifies one source endpoint failing to authenticate with 30 unique invalid domain users using the Kerberos protocol. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using Kerberos to obtain initial access or elevate privileges. Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold when needed. As attackers progress in a breach, mistakes will be made. In certain scenarios, adversaries may execute a password spraying attack using an invalid list of users. Event 4768 is generated every time the Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT). Failure code 0x6 stands for `client not found in Kerberos database` (the attempted user is not a valid domain user).\nThis logic can be used for real time security monitoring as well as threat hunting exercises. This detection will only trigger on domain controllers, not on member servers or workstations.\nThe analytics returned fields allow analysts to investigate the event further by providing fields like source ip and attempted user accounts.", "references": ["https://attack.mitre.org/techniques/T1110/003/"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Password Spraying", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "IpAddress", "type": "Endpoint", "role": ["Attacker"]}], "message": "Potential Kerberos based password spraying attack from $IpAddress$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "type": "TTP", "search": "`wineventlog_security` EventCode=4768 TargetUserName!=*$ Status=0x6 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, IpAddress | where unique_accounts > 30 | `windows_multiple_invalid_users_fail_to_authenticate_using_kerberos_filter` ", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple invalid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, multi-user systems and missconfigured systems.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_multiple_invalid_users_fail_to_authenticate_using_kerberos_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Multiple Invalid Users Failed To Authenticate Using NTLM", "author": "Mauricio Velazco, Splunk", "date": "2021-04-15", "version": 2, "id": "57ad5a64-9df7-11eb-a290-acde48001122", "description": "The following analytic identifies one source endpoint failing to authenticate with 30 unique invalid users using the NTLM protocol. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using NTLM to obtain initial access or elevate privileges. Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold when needed. As attackers progress in a breach, mistakes will be made. In certain scenarios, adversaries may execute a password spraying attack using an invalid list of users. Event 4776 is generated on the computer that is authoritative for the provided credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative. Error code 0xC0000064 stands for `The username you typed does not exist` (the attempted user is a legitimate domain user).\nThis logic can be used for real time security monitoring as well as threat hunting exercises. This detection will only trigger on domain controllers, not on member servers or workstations.\nThe analytics returned fields allow analysts to investigate the event further by providing fields like source workstation name and attempted user accounts.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-credential-validation", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776"], "tags": {"analytic_story": ["Active Directory Password Spraying", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "Workstation", "type": "Endpoint", "role": ["Victim"]}], "message": "Potential NTLM based password spraying attack from $Workstation$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "type": "TTP", "search": " `wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xc0000064 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, Workstation | where unique_accounts > 30 | `windows_multiple_invalid_users_failed_to_authenticate_using_ntlm_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `Audit Credential Validation' within `Account Logon` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple invalid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems. If this detection triggers on a host other than a Domain Controller, the behavior could represent a password spraying attack against the host's local accounts.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_multiple_invalid_users_failed_to_authenticate_using_ntlm_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials", "author": "Mauricio Velazco, Splunk", "date": "2021-04-13", "version": 2, "id": "e61918fa-9ca4-11eb-836c-acde48001122", "description": "The following analytic identifies a source user failing to authenticate with 30 unique users using explicit credentials on a host. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment to obtain initial access or elevate privileges. Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold when needed. Event 4648 is generated when a process attempts an account logon by explicitly specifying that accounts credentials. This event generates on domain controllers, member servers, and workstations.\nThis logic can be used for real time security monitoring as well as threat hunting exercises. This detection will trigger on the potenfially malicious host, perhaps controlled via a trojan or operated by an insider threat, from where a password spraying attack is being executed.\nThe analytics returned fields allow analysts to investigate the event further by providing fields like source account, attempted user accounts and the endpoint were the behavior was identified.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4648", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events"], "tags": {"analytic_story": ["Active Directory Password Spraying", "Insider Threat", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "message": "Potential password spraying attack from $Computer$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "type": "TTP", "search": " `wineventlog_security` EventCode=4648 Caller_User_Name!=*$ Target_User_Name!=*$ | bucket span=5m _time | stats dc(Target_User_Name) AS unique_accounts values(Target_User_Name) as tried_account by _time, Computer, Caller_User_Name | where unique_accounts > 30 | `windows_multiple_users_fail_to_authenticate_wth_explicitcredentials_filter` ", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.", "known_false_positives": "A source user failing attempting to authenticate multiple users on a host is not a common behavior for regular systems. Some applications, however, may exhibit this behavior in which case sets of users hosts can be added to an allow list. Possible false positive scenarios include systems where several users connect to like Mail servers, identity providers, remote desktop services, Citrix, etc.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_multiple_users_fail_to_authenticate_wth_explicitcredentials_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Multiple Users Failed To Authenticate From Host Using NTLM", "author": "Mauricio Velazco, Splunk", "date": "2021-04-13", "version": 2, "id": "7ed272a4-9c77-11eb-af22-acde48001122", "description": "The following analytic identifies one source endpoint failing to authenticate with 30 unique valid users using the NTLM protocol. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using NTLM to obtain initial access or elevate privileges. Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold when needed. Event 4776 is generated on the computer that is authoritative for the provided credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative. Error code 0xC000006A means: misspelled or bad password (the attempted user is a legitimate domain user).\nThis logic can be used for real time security monitoring as well as threat hunting exercises. This detection will only trigger on domain controllers, not on member servers or workstations.\nThe analytics returned fields allow analysts to investigate the event further by providing fields like source workstation name and attempted user accounts.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-credential-validation", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776"], "tags": {"analytic_story": ["Active Directory Password Spraying", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "Workstation", "type": "Endpoint", "role": ["Victim"]}], "message": "Potential NTLM based password spraying attack from $Workstation$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "type": "TTP", "search": " `wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xC000006A | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, Workstation | where unique_accounts > 30 | `windows_multiple_users_failed_to_authenticate_from_host_using_ntlm_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `Audit Credential Validation` within `Account Logon` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple valid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems. If this detection triggers on a host other than a Domain Controller, the behavior could represent a password spraying attack against the host's local accounts.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_multiple_users_failed_to_authenticate_from_host_using_ntlm_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Multiple Users Failed To Authenticate From Process", "author": "Mauricio Velazco, Splunk", "date": "2021-04-13", "version": 2, "id": "9015385a-9c84-11eb-bef2-acde48001122", "description": "The following analytic identifies a source process name failing to authenticate with 30 uniquer users. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment to obtain initial access or elevate privileges. Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold when needed. Event 4625 generates on domain controllers, member servers, and workstations when an account fails to logon. Logon Type 2 describes an iteractive logon attempt.\nThis logic can be used for real time security monitoring as well as threat hunting exercises. This detection will trigger on the potenfially malicious host, perhaps controlled via a trojan or operated by an insider threat, from where a password spraying attack is being executed. This could be a domain controller as well as a member server or workstation.\nThe analytics returned fields allow analysts to investigate the event further by providing fields like source process name, source account and attempted user accounts.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events"], "tags": {"analytic_story": ["Active Directory Password Spraying", "Insider Threat", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Potential password spraying attack from $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "type": "TTP", "search": " `wineventlog_security` EventCode=4625 Logon_Type=2 ProcessName!=\"-\" | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, ProcessName, SubjectUserName, Computer | rename Computer as dest | where unique_accounts > 30 | `windows_multiple_users_failed_to_authenticate_from_process_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers aas well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.", "known_false_positives": "A process failing to authenticate with multiple users is not a common behavior for legitimate user sessions. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_multiple_users_failed_to_authenticate_from_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Multiple Users Failed To Authenticate Using Kerberos", "author": "Mauricio Velazco, Splunk", "date": "2021-04-08", "version": 2, "id": "3a91a212-98a9-11eb-b86a-acde48001122", "description": "The following analytic identifies one source endpoint failing to authenticate with 30 unique users using the Kerberos protocol. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using Kerberos to obtain initial access or elevate privileges. Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold when needed. Event 4771 is generated when the Key Distribution Center fails to issue a Kerberos Ticket Granting Ticket (TGT). Failure code 0x18 stands for `wrong password provided` (the attempted user is a legitimate domain user).\nThis logic can be used for real time security monitoring as well as threat hunting exercises. This detection will only trigger on domain controllers, not on member servers or workstations.\nThe analytics returned fields allow analysts to investigate the event further by providing fields like source ip and attempted user accounts.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn319109(v=ws.11)", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4771"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Password Spraying", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "IpAddress", "type": "Endpoint", "role": ["Attacker"]}], "message": "Potential Kerberos based password spraying attack from $IpAddress$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "type": "TTP", "search": "`wineventlog_security` EventCode=4771 TargetUserName!=\"*$\" Status=0x18 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, IpAddress | where unique_accounts > 30 | `windows_multiple_users_failed_to_authenticate_using_kerberos_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple valid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, missconfigured systems and multi-user systems like Citrix farms.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_multiple_users_failed_to_authenticate_using_kerberos_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Multiple Users Remotely Failed To Authenticate From Host", "author": "Mauricio Velazco, Splunk", "date": "2021-04-13", "version": 2, "id": "80f9d53e-9ca1-11eb-b0d6-acde48001122", "description": "The following analytic identifies a source host failing to authenticate against a remote host with 30 unique users. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment to obtain initial access or elevate privileges. Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold when needed. Event 4625 documents each and every failed attempt to logon to the local computer. This event generates on domain controllers, member servers, and workstations. Logon Type 3 describes an remote authentication attempt.\nThis logic can be used for real time security monitoring as well as threat hunting exercises. This detection will trigger on the host that is the target of the password spraying attack. This could be a domain controller as well as a member server or workstation.\nThe analytics returned fields allow analysts to investigate the event further by providing fields like source process name, source account and attempted user accounts.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events"], "tags": {"analytic_story": ["Active Directory Password Spraying", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Potential password spraying attack on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "type": "TTP", "search": " `wineventlog_security` EventCode=4625 Logon_Type=3 IpAddress!=\"-\" | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, IpAddress, Computer | rename Computer as dest| where unique_accounts > 30 | `windows_multiple_users_remotely_failed_to_authenticate_from_host_filter` ", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple valid users against a remote host is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, remote administration tools, missconfigyred systems, etc.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_multiple_users_remotely_failed_to_authenticate_from_host_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows New InProcServer32 Added", "author": "Michael Haag, Splunk", "date": "2024-03-20", "version": 1, "id": "0fa86e31-0f73-4ec7-9ca3-dc88e117f1db", "description": "This analytic is designed to detect the addition of new InProcServer32 registry keys, which could indicate suspicious or malicious activity on a Windows endpoint. The InProcServer32 registry key specifies the path to a COM object that can be loaded into the process space of calling processes. Malware often abuses this mechanism to achieve persistence or execute code by registering a new InProcServer32 key pointing to a malicious DLL. By monitoring for the creation of new InProcServer32 keys, this analytic helps identify potential threats that leverage COM hijacking or similar techniques for execution and persistence. Understanding the normal behavior of legitimate software in your environment will aid in distinguishing between benign and malicious use of InProcServer32 modifications.", "references": ["https://www.netspi.com/blog/technical/red-team-operations/microsoft-outlook-remote-code-execution-cve-2024-21378/"], "tags": {"analytic_story": ["Outlook RCE CVE-2024-21378"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A new InProcServer32 registry key was added to a Windows endpoint. This could indicate suspicious or malicious activity on the $dest$ .", "risk_score": 2, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\InProcServer32\\\\*\" by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.dest Registry.process_guid Registry.user | `drop_dm_object_name(Registry)` |`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_new_inprocserver32_added_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "False positives are expected. Filtering will be needed to properly reduce legitimate applications from the results.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_new_inprocserver32_added_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Ngrok Reverse Proxy Usage", "author": "Michael Haag, Splunk", "date": "2023-01-12", "version": 2, "id": "e2549f2c-0aef-408a-b0c1-e0f270623436", "description": "The following analytic identifies the use of ngrok.exe being utilized on the Windows operating system. Unfortunately, there is no original file name for Ngrok, so it may be worth an additional hunt to identify any command-line arguments. The sign of someone using Ngrok is not malicious, however, more recently it has become an adversary tool.", "references": ["https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf"], "tags": {"analytic_story": ["CISA AA22-320A", "Reverse Network Proxy"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "A reverse proxy was identified spawning from $parent_process_name$ - $process_name$ on endpoint $dest$ by user $user$.", "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1572", "mitre_attack_technique": "Protocol Tunneling", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Chimera", "Cinnamon Tempest", "Cobalt Group", "FIN13", "FIN6", "Fox Kitten", "Leviathan", "Magic Hound", "OilRig"]}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "Cinnamon Tempest", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "MoustachedBouncer", "POLONIUM", "Sandworm Team", "Turla", "Volt Typhoon", "Windigo"]}, {"mitre_attack_id": "T1102", "mitre_attack_technique": "Web Service", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT32", "EXOTIC LILY", "Ember Bear", "FIN6", "FIN8", "Fox Kitten", "Gamaredon Group", "Inception", "LazyScripter", "Mustang Panda", "Rocke", "TeamTNT", "Turla"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=ngrok.exe Processes.process IN (\"*start*\", \"*--config*\",\"*http*\",\"*authtoken*\", \"*http*\", \"*tcp*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_ngrok_reverse_proxy_usage_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will be present based on organizations that allow the use of Ngrok. Filter or monitor as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_ngrok_reverse_proxy_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows NirSoft AdvancedRun", "author": "Michael Haag, Splunk", "date": "2023-04-14", "version": 1, "id": "bb4f3090-7ae4-11ec-897f-acde48001122", "description": "The following analytic identifies the use of AdvancedRun.exe. AdvancedRun.exe has similar capabilities as other remote programs like psexec. AdvancedRun may also ingest a configuration file with all settings defined and perform its activity. The analytic is written in a way to identify a renamed binary and also the common command-line arguments.", "references": ["http://www.nirsoft.net/utils/advanced_run.html", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"analytic_story": ["Data Destruction", "Ransomware", "Unusual Processes", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of advancedrun.exe, $process_name$, was spawned by $parent_process_name$ on $dest$ by $user$.", "risk_score": 60, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1588.002", "mitre_attack_technique": "Tool", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT19", "APT28", "APT29", "APT32", "APT33", "APT38", "APT39", "APT41", "Aoqin Dragon", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Carbanak", "Chimera", "Cinnamon Tempest", "Cleaver", "Cobalt Group", "CopyKittens", "DarkHydrus", "DarkVishnya", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN5", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "GALLIUM", "Gorgon Group", "HEXANE", "Inception", "IndigoZebra", "Ke3chang", "Kimsuky", "LAPSUS$", "Lazarus Group", "Leafminer", "LuminousMoth", "Magic Hound", "Metador", "Moses Staff", "MuddyWater", "POLONIUM", "Patchwork", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "TA2541", "TA505", "Threat Group-3390", "Thrip", "Turla", "Volt Typhoon", "WIRTE", "Whitefly", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=advancedrun.exe OR Processes.original_file_name=advancedrun.exe) Processes.process IN (\"*EXEFilename*\",\"*/cfg*\",\"*RunAs*\", \"*WindowState*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_nirsoft_advancedrun_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited as it is specific to AdvancedRun. Filter as needed based on legitimate usage.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_nirsoft_advancedrun_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows NirSoft Utilities", "author": "Michael Haag, Splunk", "date": "2024-05-12", "version": 2, "id": "5b2f4596-7d4c-11ec-88a7-acde48001122", "description": "The following analytic identifies the execution of commonly used NirSoft utilities on Windows systems. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution details such as process name, parent process, and command-line arguments. This activity is significant for a SOC because NirSoft utilities, while legitimate, can be used by adversaries for malicious purposes like credential theft or system reconnaissance. If confirmed malicious, this activity could lead to unauthorized access, data exfiltration, or further system compromise.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/TA18-201A", "http://www.nirsoft.net/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"analytic_story": ["Data Destruction", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ related to NiRSoft software usage.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1588.002", "mitre_attack_technique": "Tool", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT19", "APT28", "APT29", "APT32", "APT33", "APT38", "APT39", "APT41", "Aoqin Dragon", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Carbanak", "Chimera", "Cinnamon Tempest", "Cleaver", "Cobalt Group", "CopyKittens", "DarkHydrus", "DarkVishnya", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN5", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "GALLIUM", "Gorgon Group", "HEXANE", "Inception", "IndigoZebra", "Ke3chang", "Kimsuky", "LAPSUS$", "Lazarus Group", "Leafminer", "LuminousMoth", "Magic Hound", "Metador", "Moses Staff", "MuddyWater", "POLONIUM", "Patchwork", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "TA2541", "TA505", "Threat Group-3390", "Thrip", "Turla", "Volt Typhoon", "WIRTE", "Whitefly", "Wizard Spider", "menuPass"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_path Processes.process_id Processes.parent_process_id | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `is_nirsoft_software_macro` | `windows_nirsoft_utilities_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present. Filtering may be required before setting to alert.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "is_nirsoft_software_macro", "definition": "lookup update=true is_nirsoft_software filename as process_name OUTPUT nirsoftFile | search nirsoftFile=true", "description": "This macro is related to potentially identifiable software related to NirSoft. Remove or filter as needed based."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_nirsoft_utilities_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Njrat Fileless Storage via Registry", "author": "Teoderick Contreras, Splunk", "date": "2023-09-14", "version": 1, "id": "a5fffbbd-271f-4980-94ed-4fbf17f0af1c", "description": "The following analytic identifies a suspicious registry modification associated with NjRat, a telltale sign of its fileless technique. NjRat employs this method to manage its keylogs and execute downloaded DLL module plugins discreetly on the compromised host. This approach is particularly effective at evading conventional file-based detection systems, as it stores indicators of compromise (IOCs) in the registry. Leveraging this TTP (Tactics, Techniques, and Procedures) detection can significantly enhance the identification of NjRAT infections.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat"], "tags": {"analytic_story": ["NjRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "a suspicious registry entry related to NjRAT keylloging registry in $dest$", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1027.011", "mitre_attack_technique": "Fileless Storage", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "Turla"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\[kl]\" OR Registry.registry_value_data IN (\"*[ENTER]*\", \"*[TAP]*\", \"*[Back]*\") by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name Registry.registry_value_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_njrat_fileless_storage_via_registry_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_njrat_fileless_storage_via_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Non Discord App Access Discord LevelDB", "author": "Teoderick Contreras, Splunk", "date": "2024-02-16", "version": 1, "id": "1166360c-d495-45ac-87a6-8948aac1fa07", "description": "The following analytic detects suspicious file access within the Discord LevelDB database. This database contains critical data such as user profiles, messages, guilds, channels, settings, and cached information. Access to this data poses a risk of Discord credential theft or unauthorized access to sensitive information on the compromised system. Detecting such anomalies can serve as an effective pivot to identify non-Discord applications accessing this database, potentially indicating the presence of malware or trojan stealers aimed at data theft.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger"], "tags": {"analytic_story": ["Snake Keylogger"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A non-discord process $process_name$ accessing discord \"leveldb\" file on $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "APT41", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "Volt Typhoon", "ZIRCONIUM"]}]}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4663 object_file_path IN (\"*\\\\discord\\\\Local Storage\\\\leveldb*\") AND process_name != *\\\\discord.exe AND NOT (process_path IN (\"*:\\\\Windows\\\\System32\\\\*\", \"*:\\\\Windows\\\\SysWow64\\\\*\", \"*:\\\\Program Files*\", \"*:\\\\Windows\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_non_discord_app_access_discord_leveldb_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable \"Audit Object Access\" in Group Policy. Then check the two boxes listed for both \"Success\" and \"Failure.\"", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_non_discord_app_access_discord_leveldb_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Non-System Account Targeting Lsass", "author": "Michael Haag, Splunk", "date": "2023-12-27", "version": 2, "id": "b1ce9a72-73cf-11ec-981b-acde48001122", "description": "The following analytic identifies non SYSTEM accounts requesting access to lsass.exe. This behavior may be related to credential dumping or applications requiring access to credentials. Triaging this event will require understanding the GrantedAccess from the SourceImage. In addition, whether the account is privileged or not. Review the process requesting permissions and review parallel processes.", "references": ["https://en.wikipedia.org/wiki/Local_Security_Authority_Subsystem_Service", "https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump", "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1", "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights?redirectedfrom=MSDN"], "tags": {"analytic_story": ["CISA AA23-347A", "Credential Dumping"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "parent_process_path", "type": "Process", "role": ["Parent Process"]}], "message": "A process, $parent_process_path$, has loaded $TargetImage$ that are typically related to credential dumping on $dest$. Review for further details.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "type": "TTP", "search": "`sysmon` EventCode=10 TargetImage=*lsass.exe NOT (SourceUser=\"NT AUTHORITY\\\\*\") | stats count min(_time) as firstTime max(_time) as lastTime by dest, parent_process_name, parent_process_path ,parent_process_id, TargetImage, GrantedAccess, SourceUser, TargetUser | rename TargetUser as user | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_non_system_account_targeting_lsass_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Enabling EventCode 10 TargetProcess lsass.exe is required.", "known_false_positives": "False positives will occur based on legitimate application requests, filter based on source image as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_non_system_account_targeting_lsass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Odbcconf Hunting", "author": "Michael Haag, Splunk", "date": "2024-05-20", "version": 2, "id": "0562ad4b-fdaa-4882-b12f-7b8e0034cd72", "description": "The following analytic identifies the execution of Odbcconf.exe within the environment. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where the process name is Odbcconf.exe. This activity is significant because Odbcconf.exe can be used by attackers to execute arbitrary commands or load malicious DLLs, potentially leading to code execution or persistence. If confirmed malicious, this behavior could allow an attacker to maintain access to the system, execute further malicious activities, or escalate privileges, posing a significant threat to the environment.", "references": ["https://strontic.github.io/xcyclopedia/library/odbcconf.exe-07FBA12552331355C103999806627314.html", "https://twitter.com/redcanary/status/1541838407894171650?s=20&t=kp3WBPtfnyA3xW7D7wx0uw"], "tags": {"analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to circumvent controls.", "risk_score": 6, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.008", "mitre_attack_technique": "Odbcconf", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=odbcconf.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_odbcconf_hunting_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will be present as this is meant to assist with filtering and tuning.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_odbcconf_hunting_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Odbcconf Load DLL", "author": "Michael Haag, Splunk", "date": "2022-06-28", "version": 1, "id": "141e7fca-a9f0-40fd-a539-9aac8be41f1b", "description": "The following analytic identifies odbcconf.exe, Windows Open Database Connectivity utility, utilizing the action function of regsvr to load a DLL. An example will look like - odbcconf.exe /A { REGSVR T1218-2.dll }. During triage, review parent process, parallel procesess and file modifications.", "references": ["https://strontic.github.io/xcyclopedia/library/odbcconf.exe-07FBA12552331355C103999806627314.html", "https://twitter.com/redcanary/status/1541838407894171650?s=20&t=kp3WBPtfnyA3xW7D7wx0uw"], "tags": {"analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to circumvent controls.", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.008", "mitre_attack_technique": "Odbcconf", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=odbcconf.exe Processes.process IN (\"*/a *\", \"*-a*\") Processes.process=\"*regsvr*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_odbcconf_load_dll_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present and filtering may need to occur based on legitimate application usage. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_odbcconf_load_dll_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Odbcconf Load Response File", "author": "Michael Haag, Splunk", "date": "2022-06-30", "version": 1, "id": "1acafff9-1347-4b40-abae-f35aa4ba85c1", "description": "The following analytic identifies the odbcconf.exe, Windows Open Database Connectivity utility, loading up a resource file. The file extension is arbitrary and may be named anything. The resource file itself may have different commands supported by Odbcconf to load up a DLL (REGSVR) on disk or additional commands. During triage, review file modifications and parallel processes.", "references": ["https://strontic.github.io/xcyclopedia/library/odbcconf.exe-07FBA12552331355C103999806627314.html", "https://twitter.com/redcanary/status/1541838407894171650?s=20&t=kp3WBPtfnyA3xW7D7wx0uw"], "tags": {"analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to circumvent controls.", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.008", "mitre_attack_technique": "Odbcconf", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=odbcconf.exe Processes.process IN (\"*-f *\",\"*/f *\") Processes.process=\"*.rsp*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_odbcconf_load_response_file_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present and filtering may need to occur based on legitimate application usage. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_odbcconf_load_response_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Office Product Spawning MSDT", "author": "Michael Haag, Teoderick Contreras, Splunk", "date": "2023-11-07", "version": 4, "id": "127eba64-c981-40bf-8589-1830638864a7", "description": "The following analytic identifies a Microsoft Office product spawning the Windows msdt.exe process. MSDT is a Diagnostics Troubleshooting Wizard native to Windows. This behavior is related to a recently identified sample utilizing protocol handlers to evade preventative controls, including if macros are disabled in the document. During triage, review file modifications for html. In addition, parallel processes including PowerShell and CertUtil.", "references": ["https://isc.sans.edu/diary/rss/28694", "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e", "https://twitter.com/nao_sec/status/1530196847679401984?s=20&t=ZiXYI4dQuA-0_dzQzSUb3A", "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", "https://www.virustotal.com/gui/file/4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784/detection", "https://strontic.github.io/xcyclopedia/library/msdt.exe-152D4C9F63EFB332CCB134C6953C0104.html", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"analytic_story": ["Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "Office parent process $parent_process_name$ has spawned a child process $process_name$ on host $dest$.", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"outlook.exe\",\"mspub.exe\",\"visio.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\",\"msaccess.exe\") Processes.process_name=msdt.exe by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_office_product_spawning_msdt_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited, however filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_office_product_spawning_msdt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows PaperCut NG Spawn Shell", "author": "Michael Haag, Splunk", "date": "2023-05-15", "version": 1, "id": "a602d9a2-aaea-45f8-bf0f-d851168d61ca", "description": "The following analytic is designed to detect instances where the PaperCut NG application (pc-app.exe) spawns a Windows shell, specifically cmd.exe or PowerShell. This behavior may indicate potential malicious activity, such as an attacker attempting to gain unauthorized access or execute harmful commands on the affected system.", "references": ["https://www.cisa.gov/news-events/alerts/2023/05/11/cisa-and-fbi-release-joint-advisory-response-active-exploitation-papercut-vulnerability", "https://www.papercut.com/kb/Main/PO-1216-and-PO-1219"], "tags": {"analytic_story": ["PaperCut MF NG Vulnerability"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "The PaperCut NG application has spawned a shell $process_name$ on endpoint $dest$ by $user$.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=pc-app.exe `process_cmd` OR `process_powershell` OR Processes.process_name=java.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_papercut_ng_spawn_shell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, but most likely not. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_papercut_ng_spawn_shell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Parent PID Spoofing with Explorer", "author": "Teoderick Contreras, Splunk", "date": "2023-11-21", "version": 1, "id": "17f8f69c-5d00-4c88-9c6f-493bbdef20a1", "description": "The following analytic identifies a suspicious explorer.exe process that has \"/root\" process commandline. The presence of this parameter is considered a significant indicator as it could indicate attempts at spoofing the parent process by a specific program or malware. By spoofing the parent process, the malicious entity aims to circumvent detection mechanisms and operate undetected within the system. This technique of manipulating the command-line parameter (/root) of explorer.exe is a form of masquerading utilized by certain malware or suspicious processes. The objective is to obscure the true nature of the activity by imitating a legitimate system process. By doing so, it attempts to evade scrutiny and evade detection by security measures.", "references": ["https://x.com/CyberRaiju/status/1273597319322058752?s=20"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An explorer.exe process with process commandline $process$ on dest $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1134.004", "mitre_attack_technique": "Parent PID Spoofing", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*explorer.exe*\" Processes.process=\"*/root,*\" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_parent_pid_spoofing_with_explorer_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_parent_pid_spoofing_with_explorer_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Password Managers Discovery", "author": "Teoderick Contreras, Splunk", "date": "2022-11-30", "version": 1, "id": "a3b3bc96-1c4f-4eba-8218-027cac739a48", "description": "The following analytic identifies a process command line that retrieves information related to password manager software. This technique was seen in several post exploitation tools like winpeas that are being used by Ransomware Prestige to gather this type of information. Password Managers applications are designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk. Due to this password manager software designed adversaries may find or look for keywords related to the Password Manager databases that can be stolen or extracted for further attacks.", "references": ["https://attack.mitre.org/techniques/T1555/005/", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["Prestige Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a process with commandline $process$ that can retrieve information related to password manager databases in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1555.005", "mitre_attack_technique": "Password Managers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Fox Kitten", "LAPSUS$", "Threat Group-3390"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*dir *\" OR Processes.process = \"*findstr*\" AND Processes.process IN ( \"*.kdbx*\", \"*credential*\", \"*key3.db*\",\"*pass*\", \"*cred*\", \"*key4.db*\", \"*accessTokens*\", \"*access_tokens*\", \"*.htpasswd*\", \"*Ntds.dit*\") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_password_managers_discovery_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_password_managers_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Phishing Outlook Drop Dll In FORM Dir", "author": "Teoderick Contreras, Splunk", "date": "2024-03-20", "version": 1, "id": "fca01769-5163-4b3a-ae44-de874adfc9bc", "description": "The following analytic identifies a suspicious outlook.exe process dropped a dll file. This technique was seen in CVE-2024-21378, involves the loading of a custom MAPI form to execute a potentially malicious DLL. Detecting such TTPs serves as a crucial pivot point to identify potential adversaries, malware, or red team activity attempting to leverage this method within phishing campaigns.", "references": ["https://www.netspi.com/blog/technical/red-team-operations/microsoft-outlook-remote-code-execution-cve-2024-21378/"], "tags": {"analytic_story": ["Outlook RCE CVE-2024-21378"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "an outlook process dropped dll file into $file_path$ on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=outlook.exe by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid, _time [ | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name =\"*.dll\" Filesystem.file_path = \"*\\\\AppData\\\\Local\\\\Microsoft\\\\FORMS\\\\IPM*\" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)` | fields file_name file_path process_name process_path process dest file_create_time _time process_guid] | `windows_phishing_outlook_drop_dll_in_form_dir_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_phishing_outlook_drop_dll_in_form_dir_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Phishing PDF File Executes URL Link", "author": "Teoderick Contreras, Splunk", "date": "2023-01-18", "version": 1, "id": "2fa9dec8-9d8e-46d3-96c1-202c06f0e6e1", "description": "This analytic is developed to detect suspicious pdf viewer processes that have a browser application child processes. This event was seen in a pdf spear phishing attachment containing a malicious URL link to download the actual payload. When a user clicks the malicious link the pdf viewer application will execute a process of the host default browser to connect to the malicious site. This anomaly detection can be a good indicator that a possible pdf file has a link executed by a user. The pdf viewer and browser list in this detection is still in progress, add the common browser and pdf viewer you use in opening pdf in your network.", "references": ["https://twitter.com/pr0xylife/status/1615382907446767616?s=20"], "tags": {"analytic_story": ["Snake Keylogger", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a pdf file opened in pdf viewer process $parent_process_name$ has a child process of a browser $process_name$ in $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"AcroRd32.exe\", \"FoxitPDFReader.exe\") Processes.process_name IN (\"firefox.exe\", \"chrome.exe\", \"iexplore.exe\") by Processes.user Processes.parent_process_name Processes.process_name Processes.parent_process Processes.process Processes.process_id Processes.dest |`drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_phishing_pdf_file_executes_url_link_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives in PDF file opened PDF Viewer having legitimate URL link, however filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_phishing_pdf_file_executes_url_link_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Phishing Recent ISO Exec Registry", "author": "Teoderick Contreras, Splunk", "date": "2022-09-19", "version": 2, "id": "cb38ee66-8ae5-47de-bd66-231c7bbc0b2c", "description": "The following hunting analytic identifies registry artifacts when an ISO container is opened, clicked or mounted on the Windows operating system. As Microsoft makes changes to macro based document execution, adversaries have begun to utilize container based initial access based phishing campaigns to evade preventative controls. Once the ISO is clicked or mounted it will create a registry artifact related to this event as a recent application executed or opened.", "references": ["https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", "https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/", "https://isc.sans.edu/diary/Recent+AZORult+activity/25120", "https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html"], "tags": {"analytic_story": ["AgentTesla", "Azorult", "Brute Ratel C4", "IcedID", "Qakbot", "Remcos", "Warzone RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An ISO file was mounted on $dest$ and should be reviewed and filtered as needed.", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_key_name= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\RecentDocs\\\\.iso\" OR Registry.registry_key_name= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\RecentDocs\\\\.img\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_phishing_recent_iso_exec_registry_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be high depending on the environment and consistent use of ISOs. Restrict to servers, or filter out based on commonly used ISO names. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_phishing_recent_iso_exec_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Possible Credential Dumping", "author": "Michael Haag, Splunk", "date": "2023-12-27", "version": 3, "id": "e4723b92-7266-11ec-af45-acde48001122", "description": "The following analytic is an enhanced version of two previous analytics that identifies common GrantedAccess permission requests and CallTrace DLLs in order to detect credential dumping.\nGrantedAccess is the requested permissions by the SourceImage into the TargetImage.\n\nCallTrace Stack trace of where open process is called. Included is the DLL and the relative virtual address of the functions in the call stack right before the open process call.\ndbgcore.dll or dbghelp.dll are two core Windows debug DLLs that have minidump functions which provide a way for applications to produce crashdump files that contain a useful subset of the entire process context.\nThe idea behind using ntdll.dll is to blend in by using native api of ntdll.dll. For example in sekurlsa module there are many ntdll exported api, like RtlCopyMemory, used to execute this module which is related to lsass dumping.", "references": ["https://en.wikipedia.org/wiki/Local_Security_Authority_Subsystem_Service", "https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump", "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1", "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights?redirectedfrom=MSDN", "https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/Windows/TestHarnesses/T1003.001_DumpLSASS/DumpLSASS.ps1"], "tags": {"analytic_story": ["CISA AA22-257A", "CISA AA22-264A", "CISA AA23-347A", "Credential Dumping", "DarkSide Ransomware", "Detect Zerologon Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "SourceImage", "type": "Process", "role": ["Child Process"]}], "message": "A process, $SourceImage$, has loaded $TargetImage$ that are typically related to credential dumping on $dest$. Review for further details.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "type": "TTP", "search": "`sysmon` EventCode=10 TargetImage=*\\\\lsass.exe granted_access IN (\"0x01000\", \"0x1010\", \"0x1038\", \"0x40\", \"0x1400\", \"0x1fffff\", \"0x1410\", \"0x143a\", \"0x1438\", \"0x1000\") CallTrace IN (\"*dbgcore.dll*\", \"*dbghelp.dll*\", \"*ntdll.dll*\", \"*kernelbase.dll*\", \"*kernel32.dll*\") NOT SourceUser IN (\"NT AUTHORITY\\\\SYSTEM\", \"NT AUTHORITY\\\\NETWORK SERVICE\") | stats count min(_time) as firstTime max(_time) as lastTime by dest, SourceImage, GrantedAccess, TargetImage, SourceProcessId, SourceUser, TargetUser | rename SourceUser as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_possible_credential_dumping_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Enabling EventCode 10 TargetProcess lsass.exe is required.", "known_false_positives": "False positives will occur based on GrantedAccess 0x1010 and 0x1400, filter based on source image as needed or remove them. Concern is Cobalt Strike usage of Mimikatz will generate 0x1010 initially, but later be caught.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_possible_credential_dumping_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Post Exploitation Risk Behavior", "author": "Teoderick Contreras, Splunk", "date": "2023-06-14", "version": 1, "id": "edb930df-64c2-4bb7-9b5c-889ed53fb973", "description": "The following correlation identifies a four or more number of distinct analytics associated with the Windows Post-Exploitation analytic story, which enables the identification of potentially suspicious behavior. Windows Post-Exploitation refers to the phase that occurs after an attacker successfully compromises a Windows system. During this stage, attackers strive to maintain persistence, gather sensitive information, escalate privileges, and exploit the compromised environment further. Timely detection of post-exploitation activities is crucial for prompt response and effective mitigation. Common post-exploitation detections encompass identifying suspicious processes or services running on the system, detecting unusual network connections or traffic patterns, identifying modifications to system files or registry entries, monitoring abnormal user account activities, and flagging unauthorized privilege escalations. Ensuring the detection of post-exploitation activities is essential to proactively prevent further compromise, minimize damage, and restore the security of the Windows environment.", "references": ["https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS/winPEASbat"], "tags": {"analytic_story": ["Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "Hostname", "role": ["Victim"]}], "message": "An increase of Windows Post Exploitation behavior has been detected on $risk_object$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "APT41", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "Volt Typhoon", "ZIRCONIUM"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "APT5", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1082", "mitre_attack_technique": "System Information Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT19", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "Blue Mockingbird", "Chimera", "Confucius", "Darkhotel", "FIN13", "FIN8", "Gamaredon Group", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Malteiro", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Sowbug", "Stealth Falcon", "TA2541", "TeamTNT", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Windigo", "Windshift", "Wizard Spider", "ZIRCONIUM", "admin@338"]}, {"mitre_attack_id": "T1115", "mitre_attack_technique": "Clipboard Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT38", "APT39"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}]}, "type": "Correlation", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories IN (\"*Windows Post-Exploitation*\") by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 4 | `windows_post_exploitation_risk_behavior_filter`", "how_to_implement": "Splunk Enterprise Security is required to utilize this correlation. In addition, modify the source_count value to your environment. In our testing, a count of 4 or 5 was decent in a lab, but the number may need to be increased base on internal testing. In addition, based on false positives, modify any analytics to be anomaly and lower or increase risk based on organization importance.", "known_false_positives": "False positives will be present based on many factors. Tune the correlation as needed to reduce too many triggers.", "datamodel": ["Risk"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_post_exploitation_risk_behavior_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows PowerShell Add Module to Global Assembly Cache", "author": "Michael Haag, Splunk", "date": "2023-01-18", "version": 1, "id": "3fc16961-97e5-4a5b-a079-e4ab0d9763eb", "description": "The following PowerShell Script Block analytic identifies the native ability to add a DLL to the Windows Global Assembly Cache. Each computer where the Common Language Runtime is installed has a machine-wide code cache called the Global Assembly Cache. The Global Assembly Cache stores assemblies specifically designated to be shared by several applications on the computer. By adding a DLL to the GAC, this allows an adversary to call it via any other means across the operating systems. This is native and built into Windows. Per the Microsoft blog, the more high fidelity method may be to look for W3WP.exe spawning PowerShell that includes the same CommandLine as identified in this analytic.", "references": ["https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", "https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/"], "tags": {"analytic_story": ["IIS Components"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "PowerShell was used to install a module to the Global Assembly Cache on $Computer$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.004", "mitre_attack_technique": "IIS Components", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText IN(\"*system.enterpriseservices.internal.publish*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_add_module_to_global_assembly_cache_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives may be present based on developers or third party utilities adding items to the GAC.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_powershell_add_module_to_global_assembly_cache_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Powershell Cryptography Namespace", "author": "Teoderick Contreras, Splunk", "date": "2023-11-07", "version": 2, "id": "f8b482f4-6d62-49fa-a905-dfa15698317b", "description": "The following analytic identifies suspicious PowerShell script execution via EventCode 4104 that is processing cryptography namespace library. This technique was seen in several powershell malware, loader, downloader and stager that will decrypt or decode the next malicious stager or the actual payload. This Anomaly detection can be a good indicator that a powershell process to decrypt code. We recommend to further check the parent_process_name, the file or data it tries to decrypt, network connection and user who execute the script.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat"], "tags": {"analytic_story": ["AsyncRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A suspicious powershell script contains cryptography command detected on host $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*System.Security.Cryptography*\" AND NOT(ScriptBlockText IN (\"*SHA*\", \"*MD5*\", \"*DeriveBytes*\")) | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_cryptography_namespace_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives should be limited. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_powershell_cryptography_namespace_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows PowerShell Disable HTTP Logging", "author": "Michael Haag, Splunk", "date": "2024-05-05", "version": 2, "id": "27958de0-2857-43ca-9d4c-b255cf59dcab", "description": "The following analytic detects the use of `get-WebConfigurationProperty` and `Set-ItemProperty` commands in PowerShell to disable HTTP logging on Windows systems. This detection leverages PowerShell Script Block Logging, specifically looking for script blocks that reference HTTP logging properties and attempt to set them to \"false\" or \"dontLog\". Disabling HTTP logging is significant as it can be used by adversaries to cover their tracks and delete logs, hindering forensic investigations. If confirmed malicious, this activity could allow attackers to evade detection and persist in the environment undetected.", "references": ["https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", "https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework-1.pdf", "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", "https://www.secureworks.com/research/bronze-union"], "tags": {"analytic_story": ["IIS Components", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "A PowerShell Cmdlet related to disable or modifying a IIS HTTP logging has occurred on $Computer$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1562.002", "mitre_attack_technique": "Disable Windows Event Logging", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound", "Threat Group-3390"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.004", "mitre_attack_technique": "IIS Components", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText IN(\"*get-WebConfigurationProperty*\",\"*Set-ItemProperty*\") AND ScriptBlockText IN (\"*httpLogging*\",\"*Logfile.enabled*\") AND ScriptBlockText IN (\"*dontLog*\", \"*false*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_disable_http_logging_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "It is possible administrators or scripts may run these commands, filtering may be required.", "datamodel": ["Web"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_powershell_disable_http_logging_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows PowerShell Export Certificate", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 2, "id": "5e38ded4-c964-41f4-8cb6-4a1a53c6929f", "description": "The following analytic detects the use of the PowerShell Cmdlet `export-certificate` by leveraging Script Block Logging. This activity is significant as it may indicate an adversary attempting to exfiltrate certificates from the local Certificate Store on a Windows endpoint. Monitoring this behavior is crucial because stolen certificates can be used to impersonate users, decrypt sensitive data, or facilitate further attacks. If confirmed malicious, this activity could lead to unauthorized access to encrypted communications and sensitive information, posing a severe security risk.", "references": ["https://dev.to/iamthecarisma/managing-windows-pfx-certificates-through-powershell-3pj", "https://learn.microsoft.com/en-us/powershell/module/pki/export-certificate?view=windowsserver2022-ps"], "tags": {"analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A PowerShell Cmdlet related to exporting a Certificate was ran on $dest$, attempting to export a certificate.", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1552.004", "mitre_attack_technique": "Private Keys", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Rocke", "Scattered Spider", "TeamTNT"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}]}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*export-certificate*\") | rename Computer as dest | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_export_certificate_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "It is possible administrators or scripts may run these commands, filtering may be required.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_powershell_export_certificate_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows PowerShell Export PfxCertificate", "author": "Michael Haag, Splunk", "date": "2024-05-21", "version": 2, "id": "ed06725f-6da6-439f-9dcc-ab30e891297c", "description": "The following analytic detects the use of the PowerShell cmdlet `export-pfxcertificate` by leveraging Script Block Logging. This activity is significant as it may indicate an adversary attempting to exfiltrate certificates from the Windows Certificate Store. Monitoring this behavior is crucial for identifying potential certificate theft, which can lead to unauthorized access and impersonation attacks. If confirmed malicious, this activity could allow attackers to compromise secure communications, authenticate as legitimate users, and escalate their privileges within the network.", "references": ["https://dev.to/iamthecarisma/managing-windows-pfx-certificates-through-powershell-3pj", "https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps"], "tags": {"analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A PowerShell Cmdlet related to exporting a PFX Certificate was ran on $dest$, attempting to export a certificate.", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1552.004", "mitre_attack_technique": "Private Keys", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Rocke", "Scattered Spider", "TeamTNT"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}]}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*export-pfxcertificate*\") | rename Computer as dest | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_export_pfxcertificate_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "It is possible administrators or scripts may run these commands, filtering may be required.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_powershell_export_pfxcertificate_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows PowerShell Get CIMInstance Remote Computer", "author": "Michael Haag, Splunk", "date": "2023-03-27", "version": 1, "id": "d8c972eb-ed84-431a-8869-ca4bd83257d1", "description": "This analytic identifies the use of Get-CimInstance cmdlet with the -ComputerName parameter, which indicates that the cmdlet is being used to retrieve information from a remote computer. This can be useful for detecting instances of remote access, such as when an attacker uses PowerShell to connect to a remote system and gather information. By monitoring for this cmdlet with the -ComputerName parameter, security analysts can identify potential malicious activity on remote systems and take appropriate action to mitigate any threats.", "references": ["https://learn.microsoft.com/en-us/powershell/module/cimcmdlets/get-ciminstance?view=powershell-7.3"], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "A PowerShell Cmdlet Get-CIMInstnace was ran on $Computer$, attempting to connect to a remote host.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}]}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText=\"*get-ciminstance*\" AND ScriptBlockText=\"*computername*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_get_ciminstance_remote_computer_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "This is meant to be a low risk RBA anomaly analytic or to be used for hunting. Enable this with a low risk score and let it generate risk in the risk index.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_powershell_get_ciminstance_remote_computer_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows PowerShell IIS Components WebGlobalModule Usage", "author": "Michael Haag, Splunk", "date": "2022-12-21", "version": 1, "id": "33fc9f6f-0ce7-4696-924e-a69ec61a3d57", "description": "The following analytic identifies the usage of PowerShell Cmdlets - New-WebGlobalModule, Enable-WebGlobalModule and Set-WebGlobalModule being utilized to create (new), enable (start) or modify a current IIS Module. These commands are equivalent to AppCmd.exe parameters. Adversaries may utilize these cmdlets as they are lesser known and perform the same activity as AppCmd.", "references": ["https://learn.microsoft.com/en-us/powershell/module/webadministration/new-webglobalmodule?view=windowsserver2022-ps", "https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", "https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework-1.pdf", "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", "https://www.secureworks.com/research/bronze-union", "https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1505.004"], "tags": {"analytic_story": ["IIS Components"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "A PowerShell Cmdlet related to enabling, creating or modifying a IIS module has occurred on $Computer$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.004", "mitre_attack_technique": "IIS Components", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText IN(\"*New-WebGlobalModule*\",\"*Enable-WebGlobalModule*\",\"*Set-WebGlobalModule*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_iis_components_webglobalmodule_usage_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "It is possible administrators or scripts may run these commands, filtering may be required.", "datamodel": ["Web"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_powershell_iis_components_webglobalmodule_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Powershell Import Applocker Policy", "author": "Teoderick Contreras, Splunk", "date": "2022-06-30", "version": 1, "id": "102af98d-0ca3-4aa4-98d6-7ab2b98b955a", "description": "The following analytic is to identify the imports of Windows PowerShell Applocker commandlets. This technique was seen in Azorult malware where it drops an xml Applocker policy that will deny several AV product and then loaded using PowerShell Applocker commandlet.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A PowerShell script contains Import Applocker Policy command $ScriptBlockText$ with EventCode $EventCode$ on host $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText=\"*Import-Module Applocker*\" ScriptBlockText=\"*Set-AppLockerPolicy *\" ScriptBlockText=\"* -XMLPolicy *\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_import_applocker_policy_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "administrators may execute this command that may cause some false positive.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_powershell_import_applocker_policy_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Powershell RemoteSigned File", "author": "Teoderick Contreras, Splunk", "date": "2023-06-16", "version": 1, "id": "f7f7456b-470d-4a95-9703-698250645ff4", "description": "This analytic identifies the use of \"remotesigned\" execution policy for a file. This security setting determines whether PowerShell scripts can be executed on a computer. When the execution policy is set to \"remotesigned,\" it allows locally created scripts to run without any restrictions, but scripts downloaded from the internet must have a digital signature from a trusted publisher.", "references": ["https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3"], "tags": {"analytic_story": ["Amadey"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A PowerShell commandline with remotesigned policy executed on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=\"* remotesigned *\" Processes.process=\"* -File *\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_remotesigned_file_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "It is possible administrators or scripts may run these commands, filtering may be required.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_powershell_remotesigned_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows PowerShell ScheduleTask", "author": "Michael Haag, Splunk", "date": "2023-06-12", "version": 1, "id": "ddf82fcb-e9ee-40e3-8712-a50b5bf323fc", "description": "The following analytic detects potential malicious activities related to PowerShell's task scheduling cmdlets. It looks for anomalies in PowerShell logs, specifically EventCode 4104, associated with script block logging. The analytic flags unusual or suspicious use patterns of key task-related cmdlets such as 'New-ScheduledTask', 'Set-ScheduledTask', and others, which are often used by attackers for persistence and remote execution of malicious code. If a true positive is found, it suggests an possible attacker is attempting to persist within the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. To implement this analytic, PowerShell Script Block Logging needs to be enabled on some or all endpoints. Analysts should be aware of benign administrative tasks that can trigger alerts and tune the analytic accordingly to reduce false positives. Upon triage, review the PowerShell logs for any unusual or unexpected cmdlet usage, IP addresses, user accounts, or timestamps. If these factors align with known malicious behavior patterns, immediate mitigation steps, such as isolation of the affected systems, user account changes, and relevant threat hunting activities, should be initiated. This proactive analysis significantly enhances an organization's capacity to swiftly respond to, and potentially prevent, the execution of advanced persistent threats in their network.", "references": ["https://learn.microsoft.com/en-us/powershell/module/scheduledtasks/?view=windowsserver2022-ps", "https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/"], "tags": {"analytic_story": ["Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "user_id", "type": "User", "role": ["Victim"]}], "message": "The PowerShell cmdlets related to task creation, modification and start occurred on $Computer$ by $user_id$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*New-ScheduledTask*\", \"*New-ScheduledTaskAction*\", \"*New-ScheduledTaskSettingsSet*\", \"*New-ScheduledTaskTrigger*\", \"*Register-ClusteredScheduledTask*\", \"*Register-ScheduledTask*\", \"*Set-ClusteredScheduledTask*\", \"*Set-ScheduledTask*\", \"*Start-ScheduledTask*\", \"*Enable-ScheduledTask*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_scheduletask_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Benign administrative tasks can also trigger alerts, necessitating a firm understanding of the typical system behavior and precise tuning of the analytic to reduce false positives.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_powershell_scheduletask_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows PowerShell WMI Win32 ScheduledJob", "author": "Michael Haag, Splunk", "date": "2023-03-27", "version": 1, "id": "47c69803-2c09-408b-b40a-063c064cbb16", "description": "The following analytic detects the use of the PowerShell script block logging mechanism to detect the use of the Win32_ScheduledJob WMI class. This class allows the creation and management of scheduled tasks on Windows systems. However, due to security concerns, the class has been disabled by default in Windows systems, and its use must be explicitly enabled by modifying the registry. As a result, the detection of the use of this class may indicate malicious activity, especially if the class was enabled on the system by the attacker. Therefore, it is recommended to monitor the use of Win32_ScheduledJob through PowerShell script block logging and to investigate any suspicious activity.", "references": ["https://securityonline.info/wmiexec-regout-get-outputdata-response-from-registry/", "https://learn.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob"], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "PowerShell attempting to create a task via WMI - Win32_ScheduledJob, was ran on $dest$.", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText=\"*win32_scheduledjob*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_wmi_win32_scheduledjob_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives may be present based on legacy applications or utilities. Win32_ScheduledJob uses the Remote Procedure Call (RPC) protocol to create scheduled tasks on remote computers. It uses the DCOM (Distributed Component Object Model) infrastructure to establish a connection with the remote computer and invoke the necessary methods. The RPC service needs to be running on both the local and remote computers for the communication to take place.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_powershell_wmi_win32_scheduledjob_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows PowerSploit GPP Discovery", "author": "Mauricio Velazco, Splunk", "date": "2023-03-16", "version": 1, "id": "0130a0df-83a1-4647-9011-841e950ff302", "description": "The following analytic identifies the use of the Get-GPPPassword PowerShell commandlet employed to search for unsecured credentials Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts. These group policies are stored in SYSVOL on a domain controller. This means that any domain user can view the SYSVOL share and decrypt the password (using the AES key that has been made public). While Microsoft released a patch that impedes Administrators to create unsecure credentials, existing Group Policy Preferences files with passwords are not removed from SYSVOL.", "references": ["https://attack.mitre.org/techniques/T1552/006/", "https://pentestlab.blog/2017/03/20/group-policy-preferences/", "https://adsecurity.org/?p=2288", "https://www.hackingarticles.in/credential-dumping-group-policy-preferences-gpp/", "https://adsecurity.org/?p=2288", "https://support.microsoft.com/en-us/topic/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevation-of-privilege-may-13-2014-60734e15-af79-26ca-ea53-8cd617073c30"], "tags": {"analytic_story": ["Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "UserID", "type": "User", "role": ["Victim"]}], "message": "Commandlets leveraged to discover GPP credentials were executed on $Computer$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1552.006", "mitre_attack_technique": "Group Policy Preferences", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "Wizard Spider"]}]}, "type": "TTP", "search": " `powershell` EventCode=4104 (ScriptBlockText=Get-GPPPassword OR ScriptBlockText=Get-CachedGPPPassword) | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powersploit_gpp_discovery_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_powersploit_gpp_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows PowerView AD Access Control List Enumeration", "author": "Mauricio Velazco, Splunk", "date": "2023-04-20", "version": 1, "id": "39405650-c364-4e1e-a740-32a63ef042a6", "description": "The following analytic leverages Event ID 4104 to identify the execution of the PowerView powershell commandlets `Get-ObjectAcl` or `Get-DomainObjectAcl`. This commandlets are used to enumerate Access Control List permissions given to Active Directory objects. In an active directory environment, an object is an entity that represents an available resource within the organizations network, such as domain controllers, users, groups, computers, shares, etc. Maintaining Active Directory permissions is complicated and hard to manage, especially in complex and large environments with multiple domains. Weak permissions may allow adversaries and red teamers to escalate their privileges in Active Directory. PowerView is a common tool leveraged by attackers to identify and exploit configuration weaknesses.", "references": ["https://attack.mitre.org/techniques/T1078/002/", "https://medium.com/r3d-buck3t/enumerating-access-controls-in-active-directory-c06e2efa8b89", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces", "https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainObjectAcl/"], "tags": {"analytic_story": ["Active Directory Discovery", "Active Directory Privilege Escalation", "Rhysida Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "PowerView AD acccess control list enumeration detected on $Computer$", "risk_score": 20, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.002", "mitre_attack_technique": "Domain Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT5", "Chimera", "Cinnamon Tempest", "Indrik Spider", "Magic Hound", "Naikon", "Sandworm Team", "TA505", "Threat Group-1314", "ToddyCat", "Volt Typhoon", "Wizard Spider"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}]}, "type": "TTP", "search": " `powershell` EventCode=4104 (ScriptBlockText=*get-objectacl* OR ScriptBlockText=*Get-DomainObjectAcl* ) | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powerview_ad_access_control_list_enumeration_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.=", "known_false_positives": "Administrators may leverage PowerView for legitimate purposes, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_powerview_ad_access_control_list_enumeration_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows PowerView Constrained Delegation Discovery", "author": "Mauricio Velazco, Splunk", "date": "2024-04-26", "version": 2, "id": "86dc8176-6e6c-42d6-9684-5444c6557ab3", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify commandlets used by the PowerView hacking tool leveraged to discover Windows endpoints with Kerberos Constrained Delegation. Red Teams and adversaries alike may leverage use this technique for situational awareness and Active Directory Discovery.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://adsecurity.org/?p=1667", "https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unconstrained-kerberos", "https://www.guidepointsecurity.com/blog/delegating-like-a-boss-abusing-kerberos-delegation-in-active-directory/", "https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/constrained-delegation", "https://www.cyberark.com/resources/threat-research-blog/weakness-within-kerberos-delegation"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "CISA AA23-347A", "Rhysida Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious PowerShell Get-DomainComputer was identified on endpoint $dest$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Akira", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Scattered Spider", "Silence", "Threat Group-3390", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*Get-DomainComputer*\" OR ScriptBlockText = \"*Get-NetComputer*\") AND (ScriptBlockText = \"*-TrustedToAuth*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powerview_constrained_delegation_discovery_filter`", "how_to_implement": "The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may leverage PowerView for system management or troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_powerview_constrained_delegation_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows PowerView Kerberos Service Ticket Request", "author": "Gowthamaraj Rajendran, Splunk", "date": "2022-06-22", "version": 1, "id": "970455a1-4ac2-47e1-a9a5-9e75443ddcb9", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainSPNTicket` commandlets with specific parameters. This commandlet is a part of PowerView, a PowerShell tool used to perform enumeration and discovery on Windows Active Directory networks. As the name suggests, this commandlet is used to request the kerberos ticket for a specified service principal name (SPN). Once the ticket is received, it may be cracked using password cracking tools like hashcat to extract the password of the SPN account. Red Teams and adversaries alike may leverage PowerView and these commandlets to identify accounts that can be attacked with the Kerberoasting technique.", "references": ["https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainSPNTicket/", "https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/kerberoast", "https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting", "https://attack.mitre.org/techniques/T1558/003"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Rhysida Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "PowerView commandlets used for requesting SPN service ticket executed on $dest$", "risk_score": 27, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}]}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText=*Get-DomainSPNTicket* | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powerview_kerberos_service_ticket_request_filter`", "how_to_implement": "The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "False positive may include Administrators using PowerView for troubleshooting and management.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_powerview_kerberos_service_ticket_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows PowerView SPN Discovery", "author": "Gowthamaraj Rajendran, Splunk", "date": "2023-12-27", "version": 1, "id": "a7093c28-796c-4ebb-9997-e2c18b870837", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainUser` or `Get-NetUSer` commandlets with specific parameters. These commandlets are part of PowerView, a PowerShell tool used to perform enumeration and discovery on Windows Active Directory networks. As the names suggest, these commandlets are used to identify domain users in a network and combining them with the `-SPN` parameter allows adversaries to discover domain accounts associated with a Service Principal Name (SPN). Red Teams and adversaries alike may leverage PowerView and these commandlets to identify accounts that can be attacked with the Kerberoasting technique.", "references": ["https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/kerberoast", "https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting", "https://attack.mitre.org/techniques/T1558/003"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "CISA AA23-347A", "Rhysida Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "PowerView commandlets used for SPN discovery executed on $dest$", "risk_score": 27, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}]}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText =*Get-NetUser* OR ScriptBlockText=*Get-DomainUser*) ScriptBlockText= *-SPN* | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_powerview_spn_discovery_filter`", "how_to_implement": "The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "False positive may include Administrators using PowerView for troubleshooting and management.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_powerview_spn_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows PowerView Unconstrained Delegation Discovery", "author": "Mauricio Velazco, Splunk", "date": "2024-04-26", "version": 2, "id": "fbf9e47f-e531-4fea-942d-5c95af7ed4d6", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify commandlets used by the PowerView hacking tool leveraged to discover Windows endpoints with Kerberos Unconstrained Delegation. Red Teams and adversaries alike may leverage use this technique for situational awareness and Active Directory Discovery.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://adsecurity.org/?p=1667", "https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unconstrained-kerberos", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-unrestricted-kerberos-delegation", "https://www.cyberark.com/resources/threat-research-blog/weakness-within-kerberos-delegation"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "CISA AA23-347A", "Rhysida Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious PowerShell Get-DomainComputer was identified on endpoint $dest$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Akira", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Scattered Spider", "Silence", "Threat Group-3390", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*Get-DomainComputer*\" OR ScriptBlockText = \"*Get-NetComputer*\") AND (ScriptBlockText = \"*-Unconstrained*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powerview_unconstrained_delegation_discovery_filter`", "how_to_implement": "The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may leverage PowerView for system management or troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_powerview_unconstrained_delegation_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Private Keys Discovery", "author": "Teoderick Contreras, Splunk", "date": "2022-11-30", "version": 1, "id": "5c1c2877-06c0-40ee-a1a2-db71f1372b5b", "description": "The following analytic identifies a process command line that retrieves information related to private keys files. This technique was seen in several post exploitation tools like winpeas that are being used by Ransomware Prestige to search for private key certificates on the compromised host for insecurely stored credentials. This files can be used by adversaries to gain privileges, persistence or remote service authentication to collect more sensitive information. Some private keys required password for operation, so in this case adversaries may need to have that passphrase either via keylogging or brute force attack.", "references": ["https://attack.mitre.org/techniques/T1552/004/", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["Prestige Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a process with commandline $process$ that can retrieve information related to private keys in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1552.004", "mitre_attack_technique": "Private Keys", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Rocke", "Scattered Spider", "TeamTNT"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*dir *\" OR Processes.process = \"*findstr*\" AND Processes.process IN ( \"*.rdg*\", \"*.gpg*\", \"*.pgp*\", \"*.p12*\", \"*.der*\", \"*.csr*\", \"*.cer*\", \"*.ovpn*\", \"*.key*\", \"*.ppk*\", \"*.p12*\", \"*.pem*\", \"*.pfx*\", \"*.p7b*\", \"*.asc*\") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_private_keys_discovery_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_private_keys_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Privilege Escalation Suspicious Process Elevation", "author": "Steven Dick", "date": "2023-11-30", "version": 1, "id": "6a80300a-9f8a-4f22-bd3e-09ca577cfdfc", "description": "The following analytic detects when any low->high integrity level process running from a user account spawns an elevated (high/system integrity) process in a suspicious location or with system level process integrity. This behavior may indicate when a threat actor has successfully elevated privileges.", "references": ["https://attack.mitre.org/techniques/T1068/", "https://vuls.cert.org/confluence/display/Wiki/2021/06/21/Finding+Privilege+Escalation+Vulnerabilities+in+Windows+using+Process+Monitor", "https://redcanary.com/blog/getsystem-offsec/", "https://atomicredteam.io/privilege-escalation/T1134.001/"], "tags": {"analytic_story": ["Windows Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Other", "role": ["Attacker"]}], "message": "The user $src_user$ launched a process [$parent_process_name$] which spawned a suspicious elevated integrity process [$process_name$].", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime from datamodel=Endpoint.Processes where Processes.process_integrity_level IN (\"low\",\"medium\",\"high\") NOT Processes.user IN (\"*SYSTEM\",\"*LOCAL SERVICE\",\"*NETWORK SERVICE\",\"DWM-*\",\"*$\") by Processes.dest, Processes.user, Processes.parent_process_guid, Processes.parent_process, Processes.parent_process_name Processes.process_name Processes.process, Processes.process_path, Processes.process_guid, Processes.process_integrity_level, Processes.process_current_directory | `drop_dm_object_name(Processes)` | eval join_guid = process_guid, integrity_level = CASE(match(process_integrity_level,\"low\"),1,match(process_integrity_level,\"medium\"),2,match(process_integrity_level,\"high\"),3,match(process_integrity_level,\"system\"),4,true(),0) | rename user as src_user, parent_process* as orig_parent_process*, process* as parent_process* | join max=0 dest join_guid [| tstats `security_content_summariesonly` count max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_integrity_level IN (\"system\") NOT Processes.user IN (\"*SYSTEM\",\"*LOCAL SERVICE\",\"*NETWORK SERVICE\",\"DWM-*\",\"*$\")) OR (Processes.process_integrity_level IN (\"high\",\"system\") AND (Processes.parent_process_path IN (\"*\\\\\\\\*\",\"*\\\\Users\\\\*\",\"*\\\\Temp\\\\*\",\"*\\\\ProgramData\\\\*\") OR Processes.process_path IN (\"*\\\\\\\\*\",\"*\\\\Users\\\\*\",\"*\\\\Temp\\\\*\",\"*\\\\ProgramData\\\\*\"))) by Processes.dest, Processes.user, Processes.parent_process_guid, Processes.process_name, Processes.process, Processes.process_path, Processes.process_integrity_level, Processes.process_current_directory | `drop_dm_object_name(Processes)` | eval elevated_integrity_level = CASE(match(process_integrity_level,\"low\"),1,match(process_integrity_level,\"medium\"),2,match(process_integrity_level,\"high\"),3,match(process_integrity_level,\"system\"),4,true(),0) | rename parent_process_guid as join_guid ] | where elevated_integrity_level > integrity_level OR user != elevated_user | fields dest, user, src_user, parent_process_name, parent_process, parent_process_path, parent_process_guid, parent_process_integrity_level, parent_process_current_directory, process_name, process, process_path, process_guid, process_integrity_level, process_current_directory, orig_parent_process_name, orig_parent_process, orig_parent_process_guid, firstTime, lastTime, count | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_privilege_escalation_suspicious_process_elevation_filter`", "how_to_implement": "Target environment must ingest process execution data sources such as Windows process monitoring and/or Sysmon EID 1.", "known_false_positives": "False positives may be generated by administrators installing benign applications using run-as/elevation.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_privilege_escalation_suspicious_process_elevation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Privilege Escalation System Process Without System Parent", "author": "Steven Dick", "date": "2023-11-30", "version": 1, "id": "5a5351cd-ba7e-499e-ad82-2ce160ffa637", "description": "The following analytic detects any system integrity level process that was spawned by a process not running as a system account. This behavior is often seen when attackers successfully escalate privileges to SYSTEM from a user controlled process or service.", "references": ["https://attack.mitre.org/techniques/T1068/", "https://vuls.cert.org/confluence/display/Wiki/2021/06/21/Finding+Privilege+Escalation+Vulnerabilities+in+Windows+using+Process+Monitor", "https://redcanary.com/blog/getsystem-offsec/", "https://atomicredteam.io/privilege-escalation/T1134.001/"], "tags": {"analytic_story": ["Windows Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src_user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Other", "role": ["Attacker"]}], "message": "The process [$process_name$] on $dest$ was launched with system level integrity by $src_user$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}]}, "type": "TTP", "search": "`sysmon` EventCode=1 IntegrityLevel=\"system\" ParentUser=* NOT ParentUser IN (\"*SYSTEM\",\"*LOCAL SERVICE\",\"*NETWORK SERVICE\",\"*DWM-*\",\"*$\",\"-\") | eval src_user = replace(ParentUser,\"^[^\\\\\\]+\\\\\\\\\",\"\") | stats count min(_time) as firstTime max(_time) as lastTime values(process_name) as process_name values(process) as process, values(process_path) as process_path, values(process_current_directory) as process_current_directory values(parent_process) as parent_process by dest, user, src_user, parent_process_name, parent_process_guid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_privilege_escalation_system_process_without_system_parent_filter`", "how_to_implement": "Target environment must ingest sysmon data, specifically Event ID 1 with process integrity and parent user data.", "known_false_positives": "Unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_privilege_escalation_system_process_without_system_parent_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Privilege Escalation User Process Spawn System Process", "author": "Steven Dick", "date": "2023-11-30", "version": 1, "id": "c9687a28-39ad-43c6-8bcf-eaf061ba0cbe", "description": "The following analytic detects when any process low->high integrity level process spawns a system integrity process from a user controlled location. This behavior is often seen when attackers successfully escalate privileges to SYSTEM from a user controlled process or service.", "references": ["https://attack.mitre.org/techniques/T1068/", "https://vuls.cert.org/confluence/display/Wiki/2021/06/21/Finding+Privilege+Escalation+Vulnerabilities+in+Windows+using+Process+Monitor", "https://redcanary.com/blog/getsystem-offsec/", "https://atomicredteam.io/privilege-escalation/T1134.001/"], "tags": {"analytic_story": ["Windows Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Other", "role": ["Attacker"]}], "message": "The user $user$ launched a process [$process_name$] which spawned a system level integrity process [$system_process$].", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime from datamodel=Endpoint.Processes where Processes.process_integrity_level IN (\"low\",\"medium\",\"high\") NOT Processes.user IN (\"*SYSTEM\",\"*LOCAL SERVICE\",\"*NETWORK SERVICE\",\"DWM-*\",\"*$\") AND Processes.process_path IN (\"*\\\\\\\\*\",\"*\\\\Users\\\\*\",\"*\\\\Temp\\\\*\",\"*\\\\ProgramData\\\\*\") by Processes.dest, Processes.user, Processes.parent_process_guid, Processes.parent_process, Processes.parent_process_name Processes.process_name Processes.process, Processes.process_path, Processes.process_guid, Processes.process_integrity_level, Processes.process_current_directory | `drop_dm_object_name(Processes)` | eval join_guid = process_guid | join max=0 dest join_guid [| tstats `security_content_summariesonly` count max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_integrity_level IN (\"system\") AND Processes.parent_process_path IN (\"*\\\\\\\\*\",\"*\\\\Users\\\\*\",\"*\\\\Temp\\\\*\",\"*\\\\ProgramData\\\\*\") by Processes.dest, Processes.user, Processes.parent_process_guid, Processes.process_name, Processes.process, Processes.process_path, Processes.process_integrity_level, Processes.process_current_directory | `drop_dm_object_name(Processes)` | rename parent_process_guid as join_guid, process* as system_process*, user as system_user ] | fields dest, user, parent_process, parent_process_name, parent_process_guid, process, process_name, process_guid, process_integrity_level,process_path, process_current_directory, system_process_name, system_process, system_process_path, system_process_integrity_level, system_process_current_directory, system_user, firstTime, lastTime, count | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_privilege_escalation_user_process_spawn_system_process_filter`", "how_to_implement": "Target environment must ingest sysmon data, specifically Event ID 15.", "known_false_positives": "Unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_privilege_escalation_user_process_spawn_system_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Process Commandline Discovery", "author": "Teoderick Contreras, Splunk", "date": "2023-12-15", "version": 1, "id": "67d2a52e-a7e2-4a5d-ae44-a21212048bc2", "description": "The following analytic detects Windows Management Instrumentation Command-line (WMIC) command used to retrieve information about running processes and specifically fetches the command lines used to launch those processes. This Hunting detection can be a good indicator for possible suspicious user or process getting list of process with its command line using wmic application which is not a common practice for a non-technical user.", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a"], "tags": {"analytic_story": ["CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Activity related to process commandline discovery detected on $dest$ using wmic.exe.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1057", "mitre_attack_technique": "Process Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT37", "APT38", "APT5", "Andariel", "Chimera", "Darkhotel", "Deep Panda", "Earth Lusca", "Gamaredon Group", "HAFNIUM", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Rocke", "Sidewinder", "Stealth Falcon", "TeamTNT", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Windshift", "Winnti Group"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process= \"* process *\" Processes.process= \"* get commandline *\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_commandline_discovery_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_process_commandline_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Process Injection In Non-Service SearchIndexer", "author": "Teoderick Contreras, Splunk", "date": "2024-01-03", "version": 1, "id": "d131673f-ede1-47f2-93a1-0108d3e7fafd", "description": "The following analytic identifies a non-service searchindexer.exe process. QakBot, a notorious banking trojan and information stealer, often deploys a process named \"searchindexer.exe\" as part of its malicious activities. This legitimate Windows process, \"Search Indexer,\" is manipulated by QakBot to masquerade and evade detection within the system. The malware uses this deceptive tactic to camouflage its presence, remaining inconspicuous while performing unauthorized actions like data exfiltration, keystroke logging, and communication with command and control servers. By adopting the guise of a genuine system process, the malicious \"searchindexer.exe\" process helps QakBot evade scrutiny and continue its malevolent operations without arousing suspicion.", "references": ["https://twitter.com/Max_Mal_/status/1736392741758611607", "https://twitter.com/1ZRR4H/status/1735944522075386332"], "tags": {"analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "An uncommon non-service searchindexer.exe process in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name != services.exe Processes.process_name=searchindexer.exe by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_injection_in_non_service_searchindexer_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_process_injection_in_non_service_searchindexer_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Process Injection into Notepad", "author": "Michael Haag, Splunk", "date": "2023-02-22", "version": 1, "id": "b8340d0f-ba48-4391-bea7-9e793c5aae36", "description": "The following analytic utilizes Sysmon to identify process injection into Notepad.exe, based on GrantedAccess requests - 0x40 and 0x1fffff. This particular behavior is attributed to the defaults of the SliverC2 framework by BishopFox. By default, the analytic filters out any SourceImage paths of System32, Syswow64 and program files. Add more as needed, or remove and monitor what is consistently injecting into notepad.exe. This particular behavior will occur from a source image that is the initial payload dropped.", "references": ["https://dominicbreuker.com/post/learning_sliver_c2_08_implant_basics/", "https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors"], "tags": {"analytic_story": ["BishopFox Sliver Adversary Emulation Framework"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "SourceImage", "type": "Process", "role": ["Parent Process"]}, {"name": "TargetImage", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $SourceImage$ injecting into $TargetImage$ was identified on endpoint $dest$.", "risk_score": 32, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1055.002", "mitre_attack_technique": "Portable Executable Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Gorgon Group", "Rocke"]}]}, "type": "Anomaly", "search": "`sysmon` EventCode=10 TargetImage IN (*\\\\notepad.exe) NOT (SourceImage IN (\"*\\\\system32\\\\*\",\"*\\\\syswow64\\\\*\",\"*\\\\Program Files\\\\*\")) GrantedAccess IN (\"0x40\",\"0x1fffff\") | stats count min(_time) as firstTime max(_time) as lastTime by dest SourceImage TargetImage GrantedAccess CallTrace | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_injection_into_notepad_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "False positives may be present based on SourceImage paths. If removing the paths is important, realize svchost and many native binaries inject into notepad consistently. Restrict or tune as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_process_injection_into_notepad_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Process Injection Of Wermgr to Known Browser", "author": "Teoderick Contreras, Splunk", "date": "2022-10-28", "version": 1, "id": "aec755a5-3a2c-4be0-ab34-6540e68644e9", "description": "This analytic identifies the suspicious Remote Thread execution of wermgr.exe process to \"firefox.exe\", \"chrome.exe\" and other known browsers. This technique was seen in Qakbot malware that executes its malicious code by injecting its code in legitimate Windows Operating System processes such as wermgr.exe to steal information in the compromised host. This TTP detection can be a good pivot to detect wermgr.exe process injected with qakbot code that tries to remote thread code execution in known browsers like firefox and edge which is not a common behavior of this wermgr.exe application.", "references": ["https://news.sophos.com/en-us/2022/03/10/qakbot-decoded/", "https://www.trellix.com/en-us/about/newsroom/stories/research/demystifying-qbot-malware.html"], "tags": {"analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "wermgr.exe process $SourceImage$ create a remote thread to a browser process $TargetImage$ in host $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055.001", "mitre_attack_technique": "Dynamic-link Library Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["BackdoorDiplomacy", "Lazarus Group", "Leviathan", "Malteiro", "Putter Panda", "TA505", "Tropic Trooper", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}]}, "type": "TTP", "search": "`sysmon` EventCode=8 SourceImage = \"*\\\\wermgr.exe\" TargetImage IN (\"*\\\\firefox.exe\", \"*\\\\chrome.exe\", \"*\\\\iexplore.exe\",\"*\\\\microsoftedgecp.exe\") | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage SourceProcessGuid SourceProcessId StartAddress StartFunction TargetProcessGuid TargetProcessId EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_injection_of_wermgr_to_known_browser_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the SourceImage, TargetImage, and EventCode executions from your endpoints related to create remote thread or injecting codes. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_process_injection_of_wermgr_to_known_browser_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Process Injection Remote Thread", "author": "Teoderick Contreras, Splunk", "date": "2023-06-15", "version": 1, "id": "8a618ade-ca8f-4d04-b972-2d526ba59924", "description": "The following analytic identifies a suspicious remote thread execution in some process being abused by threat actor and malware like qakbot. Qakbot is one of the malware using this technique to load its malicious dll module or malicious code in the targeted host. This TTP can be a good pivot to verify what is the behavior of the targeted Image process after this detection trigger. look for network connection, child process execution, file access and many more that helps to verify the indication of malware infection.", "references": ["https://twitter.com/pr0xylife/status/1585612370441031680?s=46&t=Dc3CJi4AnM-8rNoacLbScg", "https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/"], "tags": {"analytic_story": ["Graceful Wipe Out Attack", "Qakbot", "Warzone RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "SourceImage", "type": "Process", "role": ["Attacker"]}], "message": "process $SourceImage$ create a remote thread to process $TargetImage$ on host $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1055.002", "mitre_attack_technique": "Portable Executable Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Gorgon Group", "Rocke"]}]}, "type": "TTP", "search": "`sysmon` EventCode=8 TargetImage IN (\"*\\\\Taskmgr.exe\", \"*\\\\calc.exe\", \"*\\\\notepad.exe\", \"*\\\\rdpclip.exe\", \"*\\\\explorer.exe\", \"*\\\\wermgr.exe\", \"*\\\\ping.exe\", \"*\\\\OneDriveSetup.exe\", \"*\\\\dxdiag.exe\", \"*\\\\mobsync.exe\", \"*\\\\msra.exe\", \"*\\\\xwizard.exe\",\"*\\\\cmd.exe\", \"*\\\\powershell.exe\") | stats count min(_time) as firstTime max(_time) as lastTime by TargetImage TargetProcessId SourceProcessId EventCode StartAddress SourceImage dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_injection_remote_thread_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records process activity from your hosts like remote thread EventCode=8 of sysmon. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_process_injection_remote_thread_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Process Injection Wermgr Child Process", "author": "Teoderick Contreras, Splunk", "date": "2022-10-27", "version": 1, "id": "360ae6b0-38b5-4328-9e2b-bc9436cddb17", "description": "The following analytic identifies a suspicious wermgr.exe parent process having a child process not related to error, fault or windows werfault event. This technique was seen in Qakbot malware where it inject its malicious code in wermgr to evade detections and hide from the analyst to execute its recon and its malicious behavior. This Anomaly detection can be a good pivot to start investigating a possible qakbot infection in the network. The Wermgr.exe process is not known to have other child processes aside from itself or werfault.exe", "references": ["https://twitter.com/pr0xylife/status/1585612370441031680?s=46&t=Dc3CJi4AnM-8rNoacLbScg"], "tags": {"analytic_story": ["Qakbot", "Windows Error Reporting Service Elevation of Privilege Vulnerability"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "wermgr parent process has a child process $process_name$ in $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name = \"wermgr.exe\" AND NOT (Processes.process_name IN (\"WerFaultSecure.exe\", \"wermgr.exe\", \"WerFault.exe\")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_injection_wermgr_child_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_process_injection_wermgr_child_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Process Injection With Public Source Path", "author": "Teoderick Contreras, Splunk", "date": "2022-08-24", "version": 1, "id": "492f09cf-5d60-4d87-99dd-0bc325532dda", "description": "The following analytic identifies a process in a non-standard file path on Windows attempting to create a remote thread into a process. This Windows API,CreateRemoteThread, is commonly used by adversaries for process injection to evade detections or gain privilege escalation.", "references": ["https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/"], "tags": {"analytic_story": ["Brute Ratel C4"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "SourceImage", "type": "Process", "role": ["Attacker"]}, {"name": "TargetImage", "type": "Process", "role": ["Target"]}], "message": "process $SourceImage$ create a remote thread to process $TargetImage$ on host $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1055.002", "mitre_attack_technique": "Portable Executable Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Gorgon Group", "Rocke"]}]}, "type": "Hunting", "search": "`sysmon` EventCode=8 TargetImage = \"*.exe\" AND NOT(SourceImage IN(\"C:\\\\Windows\\\\*\", \"C:\\\\Program File*\", \"%systemroot%\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage signature TargetProcessGuid SourceProcessGuid TargetProcessId SourceProcessId StartAddress EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_injection_with_public_source_path_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Some security products or third party applications may utilize CreateRemoteThread, filter as needed before enabling as a notable.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_process_injection_with_public_source_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Process With NamedPipe CommandLine", "author": "Teoderick Contreras, Splunk", "date": "2022-02-23", "version": 1, "id": "e64399d4-94a8-11ec-a9da-acde48001122", "description": "This analytic is to look for process commandline that contains named pipe. This technique was seen in some adversaries, threat actor and malware like olympic destroyer to communicate to its other child processes after process injection that serve as defense evasion and privilege escalation. On the other hand this analytic may catch some normal process that using this technique for example browser application. In that scenario we include common process path we've seen during testing that cause false positive which is the program files. False positive may still be arise if the normal application is in other folder path.", "references": ["https://blog.talosintelligence.com/2018/02/olympic-destroyer.html"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Process with named pipe in $process$ on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*\\\\\\\\.\\\\pipe\\\\*\" NOT (Processes.process_path IN (\"*\\\\program files*\")) by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_path Processes.process_guid Processes.parent_process_id Processes.dest Processes.user Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_with_namedpipe_commandline_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Normal browser application may use this technique. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_process_with_namedpipe_commandline_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Process Writing File to World Writable Path", "author": "Michael Haag, Splunk", "date": "2024-04-17", "version": 1, "id": "c051b68c-60f7-4022-b3ad-773bec7a225b", "description": "The following analytic identifies a process writing a file, specifically a .txt, to a world writable path. This technique is used by adversaries to deliver payloads to a system. It is not common for living off the land binaries to write to these paths.", "references": ["https://research.splunk.com/endpoint/efbcf8ee-bc75-47f1-8985-a5c638c4faf0/"], "tags": {"analytic_story": ["APT29 Diplomatic Deceptions with WINELOADER"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "file_name", "type": "File", "role": ["Attacker"]}], "message": "A process wrote a file name- [$file_name$] to a world writable file path [$file_path$] on host- [$dest$].", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA2541", "TA551"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name=*.txt Filesystem.file_path IN (\"*\\\\Windows\\\\Tasks\\\\*\", \"*\\\\Windows\\\\Temp\\\\*\", \"*\\\\Windows\\\\tracing\\\\*\", \"*\\\\Windows\\\\PLA\\\\Reports\\\\*\", \"*\\\\Windows\\\\PLA\\\\Rules\\\\*\", \"*\\\\Windows\\\\PLA\\\\Templates\\\\*\", \"*\\\\Windows\\\\PLA\\\\Reports\\\\en-US\\\\*\", \"*\\\\Windows\\\\PLA\\\\Rules\\\\en-US\\\\*\", \"*\\\\Windows\\\\Registration\\\\CRMLog\\\\*\", \"*\\\\Windows\\\\System32\\\\Tasks\\\\*\", \"*\\\\Windows\\\\System32\\\\Com\\\\dmp\\\\*\", \"*\\\\Windows\\\\System32\\\\LogFiles\\\\WMI\\\\*\", \"*\\\\Windows\\\\System32\\\\Microsoft\\\\Crypto\\\\RSA\\\\MachineKeys\\\\*\", \"*\\\\Windows\\\\System32\\\\spool\\\\PRINTERS\\\\*\", \"*\\\\Windows\\\\System32\\\\spool\\\\SERVERS\\\\*\", \"*\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\color\\\\*\", \"*\\\\Windows\\\\System32\\\\Tasks\\\\Microsoft\\\\Windows\\\\RemoteApp and Desktop Connections Update\\\\*\", \"*\\\\Windows\\\\SysWOW64\\\\Tasks\\\\*\", \"*\\\\Windows\\\\SysWOW64\\\\Com\\\\dmp\\\\*\", \"*\\\\Windows\\\\SysWOW64\\\\Tasks\\\\Microsoft\\\\Windows\\\\PLA\\\\*\", \"*\\\\Windows\\\\SysWOW64\\\\Tasks\\\\Microsoft\\\\Windows\\\\RemoteApp and Desktop Connections Update\\\\*\", \"*\\\\Windows\\\\SysWOW64\\\\Tasks\\\\Microsoft\\\\Windows\\\\PLA\\\\System\\\\*\") by Filesystem.dest, Filesystem.user, Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(\"Filesystem\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_writing_file_to_world_writable_path_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the file creation event, process name, file path and, file name. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Filesystem` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may occur if legitimate software writes to these paths. Modify the search to include additional file name extensions. To enhance it further, adding a join on Processes.process_name may assist with restricting the analytic to specific process names. Investigate the process and file to determine if it is malicious.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_process_writing_file_to_world_writable_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Processes Killed By Industroyer2 Malware", "author": "Teoderick Contreras, Splunk", "date": "2023-04-14", "version": 1, "id": "d8bea5ca-9d4a-4249-8b56-64a619109835", "description": "The following analytic is to look for known processes killed by industroyer2 malware. This technique was seen in the industroyer2 malware attack that tries to kill several processes of windows host machines related to the energy facility network. This anomaly might be a good indicator to check which process kill these processes or why the process was killed.", "references": ["https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/"], "tags": {"analytic_story": ["Data Destruction", "Industroyer2"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "process was terminated $process_name$ in $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}]}, "type": "Anomaly", "search": "`sysmon` EventCode=5 process_name IN (\"PServiceControl.exe\", \"PService_PPD.exe\") | stats min(_time) as firstTime max(_time) as lastTime count by process_name process process_path process_guid process_id EventCode dest user_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_processes_killed_by_industroyer2_malware_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA is also required.", "known_false_positives": "False positives are possible if legitimate applications are allowed to terminate this process during testing or updates. Filter as needed based on paths that are used legitimately.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_processes_killed_by_industroyer2_malware_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Protocol Tunneling with Plink", "author": "Michael Haag, Splunk", "date": "2022-09-15", "version": 1, "id": "8aac5e1e-0fab-4437-af0b-c6e60af23eed", "description": "The following analytic identifies the use of Plink being utilized to proxy egress or laterally in an organization. The analytic is limited to specific Plink options on the command-line, including -R -L and -D which will have the remote and local IP address or port and -l for a username. Modify the options as seen fit for your organization.", "references": ["https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", "https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html", "https://attack.mitre.org/techniques/T1572/", "https://documentation.help/PuTTY/using-cmdline-portfwd.html#S3.8.3.5"], "tags": {"analytic_story": ["CISA AA22-257A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control", "Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to tunnel to a remote destination.", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1572", "mitre_attack_technique": "Protocol Tunneling", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Chimera", "Cinnamon Tempest", "Cobalt Group", "FIN13", "FIN6", "Fox Kitten", "Leviathan", "Magic Hound", "OilRig"]}, {"mitre_attack_id": "T1021.004", "mitre_attack_technique": "SSH", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT39", "APT5", "BlackTech", "FIN13", "FIN7", "Fox Kitten", "GCMAN", "Lazarus Group", "Leviathan", "OilRig", "Rocke", "TeamTNT", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=plink.exe OR Processes.original_file_name=Plink Processes.process IN (\"*-R *\", \"*-L *\", \"*-D *\", \"*-l *\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_protocol_tunneling_with_plink_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present if the organization allows for SSH tunneling outbound or internally. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_protocol_tunneling_with_plink_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Proxy Via Netsh", "author": "Teoderick Contreras, Splunk", "date": "2023-05-25", "version": 1, "id": "c137bfe8-6036-4cff-b77b-4e327dd0a1cf", "description": "This search looks for processes launching netsh.exe for connection proxy. Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed. In this search, we are looking for processes spawned by netsh.exe and executing commands via the command line.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"analytic_story": ["Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A process $process_name$ has launched netsh with command-line $process$ on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1090.001", "mitre_attack_technique": "Internal Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT39", "FIN13", "Higaisa", "Lazarus Group", "Strider", "Turla", "Volt Typhoon"]}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "Cinnamon Tempest", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "MoustachedBouncer", "POLONIUM", "Sandworm Team", "Turla", "Volt Typhoon", "Windigo"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh` Processes.process = \"* portproxy *\" Processes.process = \"* v4tov4 *\" by Processes.parent_process_name Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.user Processes.dest |`drop_dm_object_name(\"Processes\")` |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `windows_proxy_via_netsh_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Some VPN applications are known to launch netsh.exe. Outside of these instances, it is unusual for an executable to launch netsh.exe and run commands.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_netsh", "definition": "(Processes.process_name=netsh.exe OR Processes.original_file_name=netsh.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_proxy_via_netsh_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Proxy Via Registry", "author": "Teoderick Contreras, Splunk", "date": "2023-05-25", "version": 1, "id": "0270455b-1385-4579-9ac5-e77046c508ae", "description": "This search looks for processes launching netsh.exe for connection proxy. Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed. In this search, we are looking for processes spawned by netsh.exe and executing commands via the command line.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"analytic_story": ["Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A registry modification for port proxy in$dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1090.001", "mitre_attack_technique": "Internal Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT39", "FIN13", "Higaisa", "Lazarus Group", "Strider", "Turla", "Volt Typhoon"]}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "Cinnamon Tempest", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "MoustachedBouncer", "POLONIUM", "Sandworm Team", "Turla", "Volt Typhoon", "Windigo"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path =\"*\\\\System\\\\CurrentControlSet\\\\Services\\\\PortProxy\\\\v4tov4\\\\tcp*\" by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.action Registry.dest Registry.user | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `windows_proxy_via_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_proxy_via_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Query Registry Browser List Application", "author": "Teoderick Contreras, Splunk", "date": "2023-04-25", "version": 1, "id": "45ebd21c-f4bf-4ced-bd49-d25b6526cebb", "description": "The following analytic identifies a suspicious process accessing default internet browsers registry entry. This registry is used by Windows to store information about default internet browsers installed on a system. Malware, adversaries or red-teamers can abuse this registry key to collect data about the installed internet browsers and their associated settings. This information can be used to steal sensitive data such as login credentials, browsing history, and saved passwords. We observed noise that needs to be filter out so we add several known path of Windows Application to make this detection more stable.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer"], "tags": {"analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A suspicious process accessing installed default browser registry on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "APT41", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "Volt Typhoon", "ZIRCONIUM"]}]}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4663 object_file_path IN (\"*\\\\SOFTWARE\\\\Clients\\\\StartMenuInternet\\\\*\", \"*\\\\SOFTWARE\\\\Clients\\\\StartMenuInternet\\\\*\") AND NOT (process_path IN (\"*:\\\\Windows\\\\System32\\\\*\", \"*:\\\\Windows\\\\SysWow64\\\\*\", \"*:\\\\Program Files*\", \"*:\\\\Windows\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_query_registry_browser_list_application_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable \"Audit Object Access\" in Group Policy. Then check the two boxes listed for both \"Success\" and \"Failure.\"", "known_false_positives": "uninstall application may access this registry to remove the entry of the target application. filter is needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_query_registry_browser_list_application_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Query Registry Reg Save", "author": "Teoderick Contreras, Splunk", "date": "2023-12-27", "version": 1, "id": "cbee60c1-b776-456f-83c2-faa56bdbe6c6", "description": "The following analytic identifies a process execution of reg.exe with \"save\" parameter. This reg.exe parameter is commonly being abused by threat actors, adversaries and red-teamers to dump credentials or to check the registry modification capabilities of certain users or administrators in targeted hosts. This approach was seen in post-exploitation tool like winpeas where it uses \"reg save\" and \"reg restore\" to check registry modification restriction in targeted host after gaining access to it.", "references": ["https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/quser", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["CISA AA23-347A", "Prestige Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "execution of process $process_name$ in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "APT41", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "Volt Typhoon", "ZIRCONIUM"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process = \"* save *\" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_query_registry_reg_save_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "network administrator can use this command tool to backup registry before updates or modifying critical registries.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_reg", "definition": "(Processes.process_name=reg.exe OR Processes.original_file_name=reg.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_query_registry_reg_save_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Query Registry UnInstall Program List", "author": "Teoderick Contreras, Splunk", "date": "2023-04-25", "version": 1, "id": "535fd4fc-7151-4062-9d7e-e896bea77bf6", "description": "The following analytic identifies a suspicious query on uninstall application list in Windows OS registry. This registry is commonly used by legitimate software to store information about installed applications on a Windows system, such as their name, version, publisher, and installation path. However, malware, adversaries or even red-teamers can abuse this registry key to retrieve information stored in the \"Uninstall\" key to gather data about installed applications in the target host. This Anomaly detection can be a good pivot to detect a possible suspicious process accessing this registry which is not commonly accessed by a normal user.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer"], "tags": {"analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A suspicious process $process_name$ accessing uninstall registry on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "APT41", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "Volt Typhoon", "ZIRCONIUM"]}]}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4663 object_file_path=\"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\*\" | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_query_registry_uninstall_program_list_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable \"Audit Object Access\" in Group Policy. Then check the two boxes listed for both \"Success\" and \"Failure.\"", "known_false_positives": "Uninstall application may access this registry to remove the entry of the target application. Filter is needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_query_registry_uninstall_program_list_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Raccine Scheduled Task Deletion", "author": "Michael Haag, Splunk", "date": "2021-12-07", "version": 1, "id": "c9f010da-57ab-11ec-82bd-acde48001122", "description": "The following analytic identifies the Raccine Rules Updater scheduled task being deleted. Adversaries may attempt to remove this task in order to prevent the update of Raccine. Raccine is a \"ransomware vaccine\" created by security researcher Florian Roth, designed to intercept and prevent precursors and active ransomware behavior.", "references": ["https://redcanary.com/blog/blackbyte-ransomware/", "https://github.com/Neo23x0/Raccine"], "tags": {"analytic_story": ["Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user user$ attempting to disable Raccines scheduled task.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe Processes.process=\"*delete*\" AND Processes.process=\"*Raccine*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_raccine_scheduled_task_deletion_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited, however filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_raccine_scheduled_task_deletion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Rapid Authentication On Multiple Hosts", "author": "Mauricio Velazco, Splunk", "date": "2023-03-23", "version": 1, "id": "62606c77-d53d-4182-9371-b02cdbbbcef7", "description": "The following analytic leverages Event ID 4624 to identify a source computer authenticating to a large number of remote endpoints within an Active Directory network. Specifically, the logic will trigger when a source endpoint authenticates to 30 or more target computers within a 5 minute timespan. This behavior could represent an adversary who is moving laterally across the environment or enumerating network shares in the search for sensitive files. As environments differ across organizations, security teams should customize the thresholds of this detection as needed.", "references": ["https://attack.mitre.org/techniques/T1135/", "https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "host_targets", "type": "Endpoint", "role": ["Victim"]}, {"name": "IpAddress", "type": "Endpoint", "role": ["Attacker"]}], "message": "The source computer with ip address $IpAddress$ authenticated to a large number of remote endpoints within 5 minutes.", "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": " `wineventlog_security` EventCode=4624 LogonType=3 TargetUserName!=\"ANONYMOUS LOGON\" TargetUserName!=\"*$\" | bucket span=5m _time | stats dc(Computer) AS unique_targets values(Computer) as host_targets by _time, IpAddress, TargetUserName | where unique_targets > 30 | `windows_rapid_authentication_on_multiple_hosts_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.", "known_false_positives": "Vulnerability scanners or system administration tools may also trigger this detection. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_rapid_authentication_on_multiple_hosts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Rasautou DLL Execution", "author": "Michael Haag, Splunk", "date": "2022-02-15", "version": 1, "id": "6f42b8be-8e96-11ec-ad5a-acde48001122", "description": "The following analytic identifies the Windows Windows Remote Auto Dialer, rasautou.exe executing an arbitrary DLL. This technique is used to execute arbitrary shellcode or DLLs via the rasautou.exe LOLBin capability. During triage, review parent and child process behavior including file and image loads.", "references": ["https://github.com/mandiant/DueDLLigence", "https://github.com/MHaggis/notes/blob/master/utilities/Invoke-SPLDLLigence.ps1", "https://gist.github.com/NickTyrer/c6043e4b302d5424f701f15baf136513", "https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ attempting to load a DLL in a suspicious manner.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055.001", "mitre_attack_technique": "Dynamic-link Library Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["BackdoorDiplomacy", "Lazarus Group", "Leviathan", "Malteiro", "Putter Panda", "TA505", "Tropic Trooper", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=rasautou.exe Processes.process=\"* -d *\"AND Processes.process=\"* -p *\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_rasautou_dll_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will be limited to applications that require Rasautou.exe to load a DLL from disk. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_rasautou_dll_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Raw Access To Disk Volume Partition", "author": "Teoderick Contreras, Splunk", "date": "2023-06-13", "version": 1, "id": "a85aa37e-9647-11ec-90c5-acde48001122", "description": "This analytic is to look for suspicious raw access read to device disk partition of the host machine. This technique was seen in several attacks by adversaries or threat actor to wipe, encrypt or overwrite the boot sector of each partition as part of their impact payload for example the \"hermeticwiper\" malware. This detection is a good indicator that there is a process try to read or write on boot sector.", "references": ["https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html"], "tags": {"analytic_story": ["BlackByte Ransomware", "CISA AA22-264A", "Caddy Wiper", "Data Destruction", "Graceful Wipe Out Attack", "Hermetic Wiper", "NjRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Process accessing disk partition $Device$ in $dest$", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1561.002", "mitre_attack_technique": "Disk Structure Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1561", "mitre_attack_technique": "Disk Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "`sysmon` EventCode=9 Device = \\\\Device\\\\HarddiskVolume* NOT (Image IN(\"*\\\\Windows\\\\System32\\\\*\", \"*\\\\Windows\\\\SysWOW64\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by dest signature signature_id process_guid process_name process_path Device | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_raw_access_to_disk_volume_partition_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the raw access read event (like sysmon eventcode 9), process name and process guid from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "This event is really notable but we found minimal number of normal application from system32 folder like svchost.exe accessing it too. In this case we used 'system32' and 'syswow64' path as a filter for this detection.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_raw_access_to_disk_volume_partition_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Raw Access To Master Boot Record Drive", "author": "Teoderick Contreras, Splunk", "date": "2023-06-13", "version": 1, "id": "7b83f666-900c-11ec-a2d9-acde48001122", "description": "This analytic is to look for suspicious raw access read to drive where the master boot record is placed. This technique was seen in several attacks by adversaries or threat actor to wipe, encrypt or overwrite the master boot record code as part of their impact payload. This detection is a good indicator that there is a process try to read or write on MBR sector.", "references": ["https://www.splunk.com/en_us/blog/security/threat-advisory-strt-ta02-destructive-software.html", "https://www.crowdstrike.com/blog/technical-analysis-of-whispergate-malware/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"analytic_story": ["BlackByte Ransomware", "CISA AA22-264A", "Caddy Wiper", "Data Destruction", "Graceful Wipe Out Attack", "Hermetic Wiper", "NjRAT", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "process accessing MBR $Device$ on $dest$", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1561.002", "mitre_attack_technique": "Disk Structure Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1561", "mitre_attack_technique": "Disk Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "`sysmon` EventCode=9 Device = \\\\Device\\\\Harddisk0\\\\DR0 NOT (Image IN(\"*\\\\Windows\\\\System32\\\\*\", \"*\\\\Windows\\\\SysWOW64\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Computer Image Device ProcessGuid ProcessId EventDescription EventCode | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_raw_access_to_master_boot_record_drive_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the raw access read event (like sysmon eventcode 9), process name and process guid from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "This event is really notable but we found minimal number of normal application from system32 folder like svchost.exe accessing it too. In this case we used 'system32' and 'syswow64' path as a filter for this detection.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_raw_access_to_master_boot_record_drive_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows RDP Connection Successful", "author": "Michael Haag, Splunk", "date": "2024-04-26", "version": 2, "id": "ceaed840-56b3-4a70-b8e1-d762b1c5c08c", "description": "The following analytic identifies successful remote desktop connections. Utilize this analytic to hunt for successful attempts. In addition, the query may be modified for EventCode=1148 to potentially identify failed attempts. In testing, 1148 would not generate based on a failed logon attempt. Note this analytic requires enabling and a stanza in a inputs.conf.", "references": ["https://gist.github.com/MHaggis/138c6bf563bacbda4a2524f089773706", "https://doublepulsar.com/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "BlackByte Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A successful RDP connection on $dest$ occurred.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1563.002", "mitre_attack_technique": "RDP Hijacking", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Axiom"]}]}, "type": "Hunting", "search": "`remoteconnectionmanager` EventCode=1149 | stats count min(_time) as firstTime max(_time) as lastTime by Computer, user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename Computer as dest | `windows_rdp_connection_successful_filter`", "how_to_implement": "The following analyic requires the WIndows TerminalServices RemoteConnectionManager Operational log to be enabled and ingested into Splunk. For the inputs, review https://gist.github.com/MHaggis/138c6bf563bacbda4a2524f089773706.", "known_false_positives": "False positives will be present, filter as needed or restrict to critical assets on the perimeter.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "remoteconnectionmanager", "definition": "source=\"WinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_rdp_connection_successful_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Registry BootExecute Modification", "author": "Michael Haag, Splunk", "date": "2023-05-03", "version": 1, "id": "eabbac3a-45aa-4659-920f-6b8cff383fb8", "description": "This analytic monitors the BootExecute registry key for any modifications from its default value, which could indicate potential malicious activity. The BootExecute registry key, located at HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager, manages the list of applications and services that are executed during system boot. By default, the BootExecute value is set to \"autocheck autochk *\". Attackers might attempt to modify this value to achieve persistence, load malicious code, or tamper with the system's boot process.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/"], "tags": {"analytic_story": ["Windows BootKits"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "The Registry BootExecute value was modified on $dest$ and should be reviewed immediately.", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1542", "mitre_attack_technique": "Pre-OS Boot", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE Registry.registry_path=\"HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\BootExecute\" BY _time span=1h Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid, Registry.action | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_registry_bootexecute_modification_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on Windows Registry that include the name of the path and key responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present and will need to be filtered.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_registry_bootexecute_modification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Registry Certificate Added", "author": "Michael Haag, Splunk", "date": "2023-04-27", "version": 2, "id": "5ee98b2f-8b9e-457a-8bdc-dd41aaba9e87", "description": "The following analytic identifies installation of a root CA certificate by monitoring the registry. The base paths may be found [here](https://gist.github.com/mattifestation/75d6117707bcf8c26845b3cbb6ad2b6b/raw/ae65ef15c706140ffc2e165615204e20f2903028/RootCAInstallationDetection.xml). In short, there are specific certificate registry paths that will be written to (SetValue) when a new certificate is added. The high-fidelity events to pay attention to are SetValue events where the TargetObject property ends with \"\\Blob\" as this indicates the direct installation or modification of a root certificate binary blob. The other high fidelity reference will be which process is making the registry modifications. There are very few processes that modify these day to day, therefore monitoring for all to start (hunting) provides a great beginning.", "references": ["https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec", "https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1553.004"], "tags": {"analytic_story": ["Windows Drivers", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A root certificate was added on $dest$.", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1553.004", "mitre_attack_technique": "Install Root Certificate", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1553", "mitre_attack_technique": "Subvert Trust Controls", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Axiom"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry where Registry.registry_path IN (\"*\\\\certificates\\\\*\") AND Registry.registry_value_name=\"Blob\" by _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.process_guid Registry.registry_key_name Registry.registry_value_data | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_registry_certificate_added_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives will be limited to a legitimate business applicating consistently adding new root certificates to the endpoint. Filter by user, process, or thumbprint.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_registry_certificate_added_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Registry Delete Task SD", "author": "Michael Haag, Splunk", "date": "2022-04-13", "version": 1, "id": "ffeb7893-ff06-446f-815b-33ca73224e92", "description": "The following analytic identifies a process attempting to delete a scheduled task SD (Security Descriptor) from within the registry path of that task. This may occur from a non-standard process running and may not come from reg.exe. This particular behavior will remove the actual Task Name from the Task Scheduler GUI and from the command-line query - schtasks.exe /query. In addition, in order to perform this action, the user context will need to be SYSTEM.\nIdentifying the deletion of a scheduled task's Security Descriptor from the registry is significant for a SOC as it may indicate malicious activity attempting to remove evidence of a scheduled task, potentially for defense evasion purposes. If a true positive is detected, it suggests an attacker with privileged access attempting to remove traces of their activities, which can have a significant impact on the security and functionality of affected systems. Immediate investigation and response are required to mitigate further risks and preserve the integrity of the environment.", "references": ["https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/", "https://gist.github.com/MHaggis/5f7fd6745915166fc6da863d685e2728", "https://gist.github.com/MHaggis/b246e2fae6213e762a6e694cabaf0c17"], "tags": {"analytic_story": ["Scheduled Tasks", "Windows Persistence Techniques", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A scheduled task security descriptor was deleted from the registry on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry where Registry.registry_path IN (\"*\\\\Schedule\\\\TaskCache\\\\Tree\\\\*\") Registry.user=\"SYSTEM\" Registry.registry_value_name=\"SD\" (Registry.action=Deleted OR Registry.action=modified) by _time Registry.dest Registry.process_guid Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_key_name Registry.registry_value_data Registry.status Registry.action | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_registry_delete_task_sd_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives should be limited as the activity is not common to delete ONLY the SD from the registry. Filter as needed. Update the analytic Modified or Deleted values based on product that is in the datamodel.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_registry_delete_task_sd_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Registry Modification for Safe Mode Persistence", "author": "Teoderick Contreras, Michael Haag, Splunk", "date": "2023-04-27", "version": 4, "id": "c6149154-c9d8-11eb-9da7-acde48001122", "description": "The following analytic identifies a modification or registry add to the safeboot registry as an autostart mechanism. This technique is utilized by adversaries to persist a driver or service into Safe Mode. Two keys are monitored in this analytic, Minimal and Network. adding values to Minimal will load into Safe Mode and by adding into Network it will provide the service or drive the ability to perform network connections in Safe Mode.", "references": ["https://malware.news/t/threat-analysis-unit-tau-threat-intelligence-notification-snatch-ransomware/36365", "https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md", "https://blog.didierstevens.com/2007/03/26/playing-with-safe-mode/"], "tags": {"analytic_story": ["Ransomware", "Windows Drivers", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Safeboot registry $registry_path$ was added or modified with a new value $registry_value_name$ on $dest$", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry where Registry.registry_path IN (\"*SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\*\",\"*SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\*\") by _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.process_guid Registry.registry_key_name Registry.registry_value_data | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_registry_modification_for_safe_mode_persistence_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "updated windows application needed in safe boot may used this registry", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_registry_modification_for_safe_mode_persistence_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Registry Payload Injection", "author": "Steven Dick", "date": "2023-06-15", "version": 1, "id": "c6b2d80f-179a-41a1-b95e-ce5601d7427a", "description": "The following analytic identifies when suspiciouly long data is written to the registry. This behavior is often associated with certain fileless malware threats or persistence techniques used by threat actors. Data stored in the registy is considered fileless since it does not get written to disk and is traditionally not well defended since normal users can modify thier own registry.", "references": ["https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/kovter-an-evolving-malware-gone-fileless", "https://attack.mitre.org/techniques/T1027/011/"], "tags": {"analytic_story": ["Unusual Processes"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "The process $process_name$ added a suspicious length of registry data on $dest$.", "risk_score": 60, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1027.011", "mitre_attack_technique": "Fileless Storage", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "Turla"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid| `drop_dm_object_name(Processes)` | join max=0 dest process_guid [| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry where Registry.registry_value_data=* by _time span=1h Registry.dest Registry.registry_path Registry.registry_value_name Registry.process_guid Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | eval reg_data_len = len(registry_value_data) | where reg_data_len > 512] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data)| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_registry_payload_injection_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unknown, possible custom scripting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_registry_payload_injection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Registry SIP Provider Modification", "author": "Michael Haag, Splunk", "date": "2023-10-10", "version": 1, "id": "3b4e18cb-497f-4073-85ad-1ada7c2107ab", "description": "The following analytic detects modifications to the Windows Registry SIP Provider. It identifies this behavior by monitoring Sysmon EventID 7, which logs registry modification events. The analytic specifically looks for changes in registry paths and values associated with Cryptography Providers and OID Encoding Types. This behavior is worth identifying as it may indicate an attempt to subvert trust controls, a technique often used by adversaries to bypass security measures and maintain persistence in an environment. If a true positive is found, it suggests an attacker is trying to manipulate the system's cryptographic functions, potentially leading to unauthorized access, data theft, or other damaging outcomes. Upon triage, review the registry paths and values modified, and look for concurrent processes to identify the attack source. Review the path of the SIP being added. This approach helps analysts detect potential threats earlier and mitigate the risks.", "references": ["https://attack.mitre.org/techniques/T1553/003/", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_sip_persistence.yml", "https://specterops.io/wp-content/uploads/sites/3/2022/06/SpecterOps_Subverting_Trust_in_Windows.pdf", "https://github.com/gtworek/PSBits/tree/master/SIP", "https://github.com/mattifestation/PoCSubjectInterfacePackage", "https://pentestlab.blog/2017/11/06/hijacking-digital-signatures/"], "tags": {"analytic_story": ["Subvert Trust Controls SIP and Trust Provider Hijacking"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Registry SIP Provider Modification detected on $dest$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1553.003", "mitre_attack_technique": "SIP and Trust Provider Hijacking", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path IN (\"*\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\Providers\\\\*\", \"*\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType*\", \"*\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\Providers\\\\*\", \"*\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType*\") Registry.registry_value_name IN (\"Dll\",\"$DLL\") by Registry.dest , Registry.user Registry.registry_value_name, Registry.registry_value_data | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)`| `windows_registry_sip_provider_modification_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Be aware of potential false positives - legitimate applications may cause benign activities to be flagged.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_registry_sip_provider_modification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Regsvr32 Renamed Binary", "author": "Teoderick Contreras, Splunk", "date": "2022-10-27", "version": 1, "id": "7349a9e9-3cf6-4171-bb0c-75607a8dcd1a", "description": "The following hunting analytic identifies renamed instances of regsv32.exe executing. regsv32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64. During investigation, validate if it is the legitimate regsv32.exe executing and what dll module content it is loading. This query relies on the original filename or internal name from the PE meta data. Expand the query as needed by looking for specific command line arguments outlined in other analytics.", "references": ["https://twitter.com/pr0xylife/status/1585612370441031680?s=46&t=Dc3CJi4AnM-8rNoacLbScg"], "tags": {"analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "regsvr32 was renamed as $process_name$ in $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name != regsvr32.exe AND Processes.original_file_name=regsvr32.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_regsvr32_renamed_binary_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_regsvr32_renamed_binary_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Remote Access Software BRC4 Loaded Dll", "author": "Teoderick Contreras, Splunk", "date": "2022-08-24", "version": 1, "id": "73cf5dcb-cf36-4167-8bbe-384fe5384d05", "description": "The following anomaly detection identifies the behavior related to 4 native Windows DLLs being loaded by a non-standard process. Identified by MDSec during their research into Brute Ratel, MDSec identified a high signal analytic by calling out these 4 DLLs being loaded into a process. LogonCLI.dll is the Net Logon Client DLL and is related to users and other domain services to get authenticated. Credui.dll is Credential Manager User Interface. Credential managers receive notifications when authentication information changes. For example, credential managers are notified when a user logs on or an account password changes. Samcli.dll is the Security Accounts Manager Client DLL. Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. Dbghelp.dll is Windows Image Helper. Windows Image Helper is commonly seen in credential dumping due to native functions. All of these modules are important to monitor and track and combined may lead to credentail access or dumping.", "references": ["https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/", "https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/", "https://strontic.github.io/xcyclopedia/library/logoncli.dll-138871DBE68D0696D3D7FA91BC2873B1.html", "https://strontic.github.io/xcyclopedia/library/credui.dll-A5BD797BBC2DD55231B9DE99837E5461.html", "https://docs.microsoft.com/en-us/windows/win32/secauthn/credential-manager", "https://strontic.github.io/xcyclopedia/library/samcli.dll-522D6D616EF142CDE965BD3A450A9E4C.html", "https://strontic.github.io/xcyclopedia/library/dbghelp.dll-15A55EAB307EF8C190FE6135C0A86F7C.html"], "tags": {"analytic_story": ["Brute Ratel C4"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control", "Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "a process $Image$ loaded several modules $ImageLoaded$ that might related to credential access on $dest$.", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1219", "mitre_attack_technique": "Remote Access Software", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Akira", "Carbanak", "Cobalt Group", "DarkVishnya", "Evilnum", "FIN7", "GOLD SOUTHFIELD", "Kimsuky", "MuddyWater", "Mustang Panda", "RTM", "Sandworm Team", "Scattered Spider", "TeamTNT", "Thrip"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "type": "Anomaly", "search": "`sysmon` EventCode=7 |bin _time span=30s | eval BRC4_AnomalyLoadedDll=case(OriginalFileName==\"credui.dll\", 1, OriginalFileName==\"DBGHELP.DLL\", 1, OriginalFileName==\"SAMCLI.DLL\", 1, OriginalFileName==\"winhttp.dll\", 1, 1=1, 0) | eval BRC4_LoadedDllPath=case(match(ImageLoaded, \"credui.dll\"), 1, match(ImageLoaded, \"dbghelp.dll\"), 1, match(ImageLoaded, \"samcli.dll\"), 1, match(ImageLoaded, \"winhttp.dll\"), 1, 1=1, 0) | stats count min(_time) as firstTime max(_time) as lastTime values(ImageLoaded) as ImageLoaded values(OriginalFileName) as OriginalFileName dc(ImageLoaded) as ImageLoadedCount by Image BRC4_LoadedDllPath BRC4_AnomalyLoadedDll dest EventCode Signed | where ImageLoadedCount == 4 AND (BRC4_LoadedDllPath == 1 OR BRC4_AnomalyLoadedDll == 1) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_access_software_brc4_loaded_dll_filter`", "how_to_implement": "The latest Sysmon TA 3.0 https://splunkbase.splunk.com/app/5709 will add the ImageLoaded name to the process_name field, allowing this query to work. Use as an example and implement for other products.", "known_false_positives": "This module can be loaded by a third party application. Filter is needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_remote_access_software_brc4_loaded_dll_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Remote Access Software Hunt", "author": "Michael Haag, Splunk", "date": "2022-08-22", "version": 1, "id": "8bd22c9f-05a2-4db1-b131-29271f28cb0a", "description": "The following hunting analytic is meant to help organizations understand what remote access software is being used in the environment. When reviewing this hunt, confirm the software identified is authorized to be utilized. Based on fidelity, create a new analytic for specific utilities banned within the organization. Adversaries use these utilities to retain remote access capabilities to the environment. Utilities in the lookup include AnyDesk, GoToMyPC, LogMeIn, TeamViewer and much more. Review the lookup for the entire list and add any others.", "references": ["https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md", "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/"], "tags": {"analytic_story": ["Command And Control", "Insider Threat", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "The following Remote Access Software $process_name$ was identified on $dest$.", "risk_score": 1, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1219", "mitre_attack_technique": "Remote Access Software", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Akira", "Carbanak", "Cobalt Group", "DarkVishnya", "Evilnum", "FIN7", "GOLD SOUTHFIELD", "Kimsuky", "MuddyWater", "Mustang Panda", "RTM", "Sandworm Team", "Scattered Spider", "TeamTNT", "Thrip"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as process values(Processes.parent_process) as parent_process from datamodel=Endpoint.Processes where Processes.dest!=unknown Processes.user!=unknown by Processes.dest Processes.user Processes.process_name Processes.process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | lookup remote_access_software remote_utility AS process_name OUTPUT isutility | search isutility = True | `windows_remote_access_software_hunt_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will be found. Filter as needed and create higher fidelity analytics based off banned remote access software.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_remote_access_software_hunt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "remote_access_software", "description": "A list of Remote Access Software", "filename": "remote_access_software.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(remote_utility),WILDCARD(remote_domain),WILDCARD(remote_utility_fileinfo)", "min_matches": 1, "fields_list": null}]}, {"name": "Windows Remote Access Software RMS Registry", "author": "Teoderick Contreras, Splunk", "date": "2022-06-22", "version": 1, "id": "e5b7b5a9-e471-4be8-8c5d-4083983ba329", "description": "The following analytic is to identify a modification or creation of Windows registry related to the Remote Manipulator System (RMS) Remote Admin tool. RMS is a legitimate tool developed by russian organization TektonIT and has been observed being abused by adversaries to gain remote access to the targeted host. Azorult malware utilized RMS to gain remote access.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/", "https://malpedia.caad.fkie.fraunhofer.de/details/win.rms"], "tags": {"analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "the registry related to RMS tool is created in $dest$", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1219", "mitre_attack_technique": "Remote Access Software", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Akira", "Carbanak", "Cobalt Group", "DarkVishnya", "Evilnum", "FIN7", "GOLD SOUTHFIELD", "Kimsuky", "MuddyWater", "Mustang Panda", "RTM", "Sandworm Team", "Scattered Spider", "TeamTNT", "Thrip"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\SYSTEM\\\\Remote Manipulator System*\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_access_software_rms_registry_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_remote_access_software_rms_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Remote Assistance Spawning Process", "author": "Michael Haag, Splunk", "date": "2022-02-07", "version": 1, "id": "ced50492-8849-11ec-9f68-acde48001122", "description": "The following analytic identifies the use of Microsoft Remote Assistance, msra.exe, spawning PowerShell.exe or cmd.exe as a child process. Msra.exe by default has no command-line arguments and typically spawns itself. It will generate a network connection to the remote system that is connected. This behavior is indicative of another process injected into msra.exe. Review the parent process or cross process events to identify source.", "references": ["https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", "https://app.any.run/tasks/ca1616de-89a1-4afc-a3e4-09d428df2420/"], "tags": {"analytic_story": ["Unusual Processes"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$, generating behavior not common with msra.exe.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=msra.exe `windows_shells` by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_assistance_spawning_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited, filter as needed. Add additional shells as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_shells", "definition": "(Processes.process_name=cmd.exe OR Processes.process_name=powershell.exe OR Processes.process_name=pwsh.exe OR Processes.process_name=sh.exe OR Processes.process_name=bash.exe OR Processes.process_name=wscript.exe OR Processes.process_name=cscript.exe)", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_remote_assistance_spawning_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Remote Create Service", "author": "Michael Haag, Splunk", "date": "2023-03-20", "version": 1, "id": "0dc44d03-8c00-482d-ba7c-796ba7ab18c9", "description": "This analytic identifies an endpoint that remotely connects to another endpoint to create a new service using sc.exe. On the remote endpoint, the new service will be created and this action will trigger the creation of EventCode 7045 along with all the resulting service information.", "references": ["https://attack.mitre.org/techniques/T1543/003/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to create a remote service.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=sc.exe Processes.process IN (\"*create*\") Processes.process=\"*\\\\\\\\*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_create_service_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Note that false positives may occur, and filtering may be necessary, especially when it comes to remote service creation by administrators or software management utilities.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_remote_create_service_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Remote Service Rdpwinst Tool Execution", "author": "Teoderick Contreras, Splunk", "date": "2022-06-24", "version": 1, "id": "c8127f87-c7c9-4036-89ed-8fe4b30e678c", "description": "The following analytic identifies RDPWInst.exe tool, which is a RDP wrapper library tool designed to enable remote desktop host support and concurrent RDP session on reduced functionality system. Unfortunately, this open project was abused by adversaries to enable RDP connection to the targeted host for remote access and potentially be for lateral movement.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Rdpwinst.exe executed on $dest$.", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "APT5", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"RDPWInst.exe\" OR Processes.original_file_name=\"RDPWInst.exe\") AND Processes.process IN (\"* -i*\", \"* -s*\", \"* -o*\", \"* -w*\", \"* -r*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_service_rdpwinst_tool_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "This tool was designed for home usage and not commonly seen in production environment. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_remote_service_rdpwinst_tool_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Remote Services Allow Rdp In Firewall", "author": "Teoderick Contreras, Splunk", "date": "2022-06-21", "version": 1, "id": "9170cb54-ea15-41e1-9dfc-9f3363ce9b02", "description": "The following analytic is to identify a modification in the Windows firewall to enable remote desktop protocol on a targeted machine. This technique was seen in several adversaries, malware or red teamer to remotely access the compromised or targeted host by allowing this protocol in firewall. Even this protocol might be allowed in some production environment, This TTP behavior is a good pivot to check who and why the user want to enable this feature through firewall which is also common traits of attack to start lateral movement.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "new firewall rules was added to allow rdp connection to $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "APT5", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Processes.process) as cmdline values(Processes.parent_process_name) as parent_process values(Processes.process_name) count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = \"netsh.exe\" OR Processes.original_file_name= \"netsh.exe\") AND Processes.process = \"*firewall*\" AND Processes.process = \"*add*\" AND Processes.process = \"*protocol=TCP*\" AND Processes.process = \"*localport=3389*\" AND Processes.process = \"*action=allow*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_services_allow_rdp_in_firewall_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_remote_services_allow_rdp_in_firewall_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Remote Services Allow Remote Assistance", "author": "Teoderick Contreras, Splunk", "date": "2022-06-21", "version": 1, "id": "9bce3a97-bc97-4e89-a1aa-ead151c82fbb", "description": "The following analytic is to identify a modification in the Windows registry to enable remote desktop assistance on a targeted machine. This technique was seen in several adversaries, malware or red teamer like azorult to remotely access the compromised or targeted host by enabling this protocol in registry. Even this protocol might be allowed in some production environment, This Anomaly behavior is a good pivot to check who and why the user want to enable this feature through registry which is un-common. And as per stated in microsoft documentation the default value of this registry is false that makes this a good indicator of suspicious behavior.", "references": ["https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-remoteassistance-exe-fallowtogethelp", "https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "the registry for rdp protocol was modified to enable in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "APT5", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Control\\\\Terminal Server\\\\fAllowToGetHelp*\" Registry.registry_value_data=\"0x00000001\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_services_allow_remote_assistance_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_remote_services_allow_remote_assistance_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Remote Services Rdp Enable", "author": "Teoderick Contreras, Splunk", "date": "2022-06-21", "version": 1, "id": "8fbd2e88-4ea5-40b9-9217-fd0855e08cc0", "description": "The following analytic is to identify a modification in the Windows registry to enable remote desktop protocol on a targeted machine. This technique was seen in several adversaries, malware or red teamer to remotely access the compromised or targeted host by enabling this protocol in registry. Even this protocol might be allowed in some production environment, This TTP behavior is a good pivot to check who and why the user want to enable this feature through registry which is un-common.", "references": ["https://www.hybrid-analysis.com/sample/9d6611c2779316f1ef4b4a6edcfdfb5e770fe32b31ec2200df268c3bd236ed75?environmentId=100"], "tags": {"analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "the registry for rdp protocol was modified to enable in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "APT5", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Control\\\\Terminal Server\\\\fDenyTSConnections*\" Registry.registry_value_data=\"0x00000000\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_services_rdp_enable_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_remote_services_rdp_enable_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Replication Through Removable Media", "author": "Teoderick Contreras, Splunk", "date": "2023-09-07", "version": 1, "id": "60df805d-4605-41c8-bbba-57baa6a4eb97", "description": "This analytic is developed to detect suspicious executable or script files created or dropped in the root drive of a targeted host. This technique is commonly used by threat actors, adversaries or even red teamers to replicate or spread in possible removable drives. Back then, WORM malware was popular for this technique where it would drop a copy of itself in the root drive to be able to spread or to have a lateral movement in other network machines. Nowadays, Ransomware like CHAOS ransomware also use this technique to spread its malicious code in possible removable drives. This TTP detection can be a good indicator that a process might create a persistence technique or lateral movement of a targeted machine. We suggest checking the process name that creates this event, the file created, user type, and the reason why that executable or scripts are dropped in the root drive.", "references": ["https://attack.mitre.org/techniques/T1204/002/", "https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-sides-with-russia"], "tags": {"analytic_story": ["Chaos Ransomware", "NjRAT", "PlugX"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}], "message": "executable or script $file_path$ was dropped in root drive $root_drive$ in $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1091", "mitre_attack_technique": "Replication Through Removable Media", "mitre_attack_tactics": ["Initial Access", "Lateral Movement"], "mitre_attack_groups": ["APT28", "Aoqin Dragon", "Darkhotel", "FIN7", "LuminousMoth", "Mustang Panda", "Tropic Trooper"]}]}, "type": "TTP", "search": "|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_name = *.exe OR Filesystem.file_name = *.dll OR Filesystem.file_name = *.sys OR Filesystem.file_name = *.com OR Filesystem.file_name = *.vbs OR Filesystem.file_name = *.vbe OR Filesystem.file_name = *.js OR Filesystem.file_name= *.bat OR Filesystem.file_name = *.cmd OR Filesystem.file_name = *.pif) by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.user Filesystem.dest | `drop_dm_object_name(Filesystem)` | eval dropped_file_path = split(file_path, \"\\\\\") | eval dropped_file_path_split_count = mvcount(dropped_file_path) | eval root_drive = mvindex(dropped_file_path,0) | where LIKE(root_drive, \"%:\") AND dropped_file_path_split_count = 2 AND root_drive!= \"C:\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_replication_through_removable_media_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.", "known_false_positives": "Administrators may allow creation of script or exe in the paths specified. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_replication_through_removable_media_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Root Domain linked policies Discovery", "author": "Teoderick Contreras, Splunk", "date": "2023-04-14", "version": 1, "id": "80ffaede-1f12-49d5-a86e-b4b599b68b3c", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain groups. Red Teams and adversaries may leverage `[Adsisearcher]` to enumerate root domain linked policies for situational awareness and Active Directory Discovery.", "references": ["https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", "https://medium.com/@pentesttas/discover-hidden-gpo-s-on-active-directory-using-ps-adsi-a284b6814c81"], "tags": {"analytic_story": ["Active Directory Discovery", "Data Destruction", "Industroyer2"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows PowerShell [Adsisearcher] was used user enumeration on endpoint $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT41", "BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Scattered Spider", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}]}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*[adsisearcher]*\" ScriptBlockText = \"*.SearchRooT*\" ScriptBlockText = \"*.gplink*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | rename Computer as dest, user_id as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_root_domain_linked_policies_discovery_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_root_domain_linked_policies_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Rundll32 Apply User Settings Changes", "author": "Teoderick Contreras, Splunk", "date": "2023-12-12", "version": 1, "id": "b9fb8d97-dbc9-4a09-804c-ff0e3862bb2d", "description": "This search is to detect a suspicious rundll32 commandline to update a user's system parameters related to desktop backgrounds, display settings, and visual themes. Specifically, it triggers the system to refresh and apply changes to the user-specific settings, such as wallpaper modifications or visual theme updates, ensuring that the changes take effect without the need to restart the system or log out and log back in. This technique was seen in Rhysida Ransomware and script as part of its defense evasion. This technique is not a common practice to lock a screen and maybe a good indicator of compromise. This command could also potentially be exploited by malware to disguise its activities or make unauthorized changes to a user's system settings without their knowledge or consent.", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-319a"], "tags": {"analytic_story": ["Rhysida Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker"]}], "message": "Process $process_name$ with cmdline $process$ in host $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=rundll32.exe Processes.process= \"*user32.dll,UpdatePerUserSystemParameters*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_rundll32_apply_user_settings_changes_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_rundll32_apply_user_settings_changes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Rundll32 WebDAV Request", "author": "Michael Haag, Splunk", "date": "2024-05-22", "version": 2, "id": "320099b7-7eb1-4153-a2b4-decb53267de2", "description": "The following analytic identifies the execution of rundll32.exe with command-line arguments loading davclnt.dll and the davsetcookie function to access a remote WebDAV instance. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it may indicate an attempt to exploit CVE-2023-23397, a known vulnerability. If confirmed malicious, this could allow an attacker to execute remote code or exfiltrate data, posing a severe threat to the environment.", "references": ["https://strontic.github.io/xcyclopedia/library/davclnt.dll-0EA3050E7CC710526E330C413C165DA0.html", "https://twitter.com/ACEResponder/status/1636116096506818562?s=20", "https://twitter.com/domchell/status/1635999068282408962?s=20", "https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/", "https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/"], "tags": {"analytic_story": ["CVE-2023-23397 Outlook Elevation of Privilege"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to contact a remote WebDav server.", "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=rundll32.exe Processes.process IN (\"*\\\\windows\\\\system32\\\\davclnt.dll,*davsetcookie*\",\"*\\\\windows\\\\syswow64\\\\davclnt.dll,*davsetcookie*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_rundll32_webdav_request_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will be present based on legitimate software, filtering may need to occur.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_rundll32_webdav_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Rundll32 WebDav With Network Connection", "author": "Michael Haag, Splunk", "date": "2024-01-30", "version": 1, "id": "f03355e0-28b5-4e9b-815a-6adffc63b38c", "description": "The following analytic identifies rundll32.exe with the commandline arguments loading davclnt.dll function - davsetcookie - to be used to access a remote WebDav instance. The analytic attempts to use join from Processes and All_Traffic to identify the network connection. This particular behavior was recently showcased in CVE-2023-23397.", "references": ["https://strontic.github.io/xcyclopedia/library/davclnt.dll-0EA3050E7CC710526E330C413C165DA0.html", "https://twitter.com/ACEResponder/status/1636116096506818562?s=20", "https://twitter.com/domchell/status/1635999068282408962?s=20", "https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/", "https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/"], "tags": {"analytic_story": ["CVE-2023-23397 Outlook Elevation of Privilege"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to contact a remote WebDav server.", "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.parent_process_name=svchost.exe `process_rundll32` Processes.process IN (\"*\\\\windows\\\\system32\\\\davclnt.dll,*davsetcookie*\", \"*\\\\windows\\\\syswow64\\\\davclnt.dll,*davsetcookie*\") by host _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename dest as src | join host process_id [ | tstats `security_content_summariesonly` count latest(All_Traffic.dest) as dest latest(All_Traffic.dest_ip) as dest_ip latest(All_Traffic.dest_port) as dest_port FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port!=0 NOT (All_Traffic.dest_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)) by host All_Traffic.process_id | `drop_dm_object_name(All_Traffic)`] | `windows_rundll32_webdav_with_network_connection_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will be present based on legitimate software, filtering may need to occur.", "datamodel": ["Endpoint", "Network_Traffic"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_rundll32_webdav_with_network_connection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Scheduled Task Created Via XML", "author": "Teoderick Contreras, Splunk", "date": "2023-12-27", "version": 2, "id": "7e03b682-3965-4598-8e91-a60a40a3f7e4", "description": "The following analytic detects the creation of suspicious scheduled tasks in Windows, specifically tasks created using schtasks.exe with the -create flag and an XML parameter in the command-line. This technique is commonly employed by threat actors, adversaries, and red teamers to establish persistence or achieve privilege escalation on targeted hosts. Notably, malware like Trickbot and Winter-Vivern have been observed using XML files to create scheduled tasks. Monitoring and investigating this activity is crucial to mitigate potential security risks. It is important to be aware that scripts or administrators may trigger this analytic, leading to potential false positives. To minimize false positives, adjust the filter based on the parent process or application.\nWhen a true positive is detected, it suggests an attacker's attempt to gain persistence or execute additional malicious payloads, potentially resulting in data theft, ransomware, or other damaging outcomes. During triage, review the source of the scheduled task, the command to be executed, and capture any relevant on-disk artifacts. Analyze concurrent processes to identify the source of the attack. This analytic enables analysts to detect and respond to potential threats early, mitigating the associated risks effectively.", "references": ["https://twitter.com/_CERT_UA/status/1620781684257091584", "https://cert.gov.ua/article/3761104"], "tags": {"analytic_story": ["CISA AA23-347A", "Scheduled Tasks", "Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A scheduled task process, $process_name$, with 'create' or 'delete' commands present in the command line.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe Processes.process=*create* Processes.process=\"* /xml *\" by Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_guid Processes.process_id Processes.parent_process_guid Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_scheduled_task_created_via_xml_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "It is possible scripts or administrators may trigger this analytic. Filter as needed based on parent process, application.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_scheduled_task_created_via_xml_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Scheduled Task Service Spawned Shell", "author": "Steven Dick", "date": "2023-06-13", "version": 1, "id": "d8120352-3b62-4e3c-8cb6-7b47584dd5e8", "description": "The following analytic identifies when the Task Scheduler service \"svchost.exe -k netsvcs -p -s Schedule\" is the parent process to common command line, scripting, or shell execution binaries. Attackers often abuse the task scheduler service with these binaries as an execution and persistence mechanism in order to blend in with normal Windows operations. This TTP is also commonly seen for legitimate purposes such as business scripts or application updates.", "references": ["https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations", "https://nasbench.medium.com/a-deep-dive-into-windows-scheduled-tasks-and-the-processes-running-them-218d1eed4cce", "https://attack.mitre.org/techniques/T1053/005/"], "tags": {"analytic_story": ["Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker"]}], "message": "A windows scheduled task spawned the shell application $process_name$ on $dest$.", "risk_score": 20, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process=\"*\\\\system32\\\\svchost.exe*\" AND Processes.parent_process=\"*-k*\" AND Processes.parent_process= \"*netsvcs*\" AND Processes.parent_process=\"*-p*\" AND Processes.parent_process=\"*-s*\" AND Processes.parent_process=\"*Schedule*\" Processes.process_name IN(\"powershell.exe\", \"wscript.exe\", \"cscript.exe\", \"cmd.exe\", \"sh.exe\", \"ksh.exe\", \"zsh.exe\", \"bash.exe\", \"scrcons.exe\",\"pwsh.exe\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_scheduled_task_service_spawned_shell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unknown, possible custom scripting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_scheduled_task_service_spawned_shell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Scheduled Task with Highest Privileges", "author": "Teoderick Contreras, Splunk", "date": "2023-12-27", "version": 1, "id": "2f15e1a4-0fc2-49dd-919e-cbbe60699218", "description": "The following analytic detects the creation of a new task with the highest execution privilege via Schtasks.exe. This tactic is often observed in AsyncRAT attacks, where the scheduled task is used for persistence and privilege escalation. AsyncRAT sets up a scheduled task with parameters '/rl' and 'highest', triggering this technique. It's a strong indicator of potential malware or adversaries seeking to establish persistence and escalate privileges through scheduled tasks. This is crucial for a Security Operations Center (SOC) as it can prevent unauthorized system access and potential data breaches.\nThe analytic works by monitoring logs for process name, parent process, and command-line executions. In the presence of the '*/rl ' and ' highest *' commands in a schtasks.exe process, an alert is triggered.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat"], "tags": {"analytic_story": ["AsyncRAT", "CISA AA23-347A", "RedLine Stealer", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a $process_name$ creating a schedule task $process$ with highest run level privilege in $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"schtasks.exe\" Processes.process = \"*/rl *\" Processes.process = \"* highest *\" by Processes.process_name Processes.parent_process_name Processes.parent_process Processes.process Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_scheduled_task_with_highest_privileges_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may arise from legitimate applications that create tasks to run as SYSTEM. Therefore, it's recommended to adjust filters based on parent process or modify the query to include world writable paths for restriction.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_scheduled_task_with_highest_privileges_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Schtasks Create Run As System", "author": "Michael Haag, Splunk", "date": "2022-02-07", "version": 1, "id": "41a0e58e-884c-11ec-9976-acde48001122", "description": "The following analytic identifies the creation of a new task to start and run as an elevated user - SYSTEM using Schtasks.exe. This behavior is commonly used by adversaries to spawn a process in an elevated state. If a true positive is found, it suggests an attacker is attempting to persist within the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. Upon triage, review the scheduled task's source and the command to be executed. Capture and inspect any relevant on-disk artifacts, and look for concurrent processes to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks.", "references": ["https://pentestlab.blog/2019/11/04/persistence-scheduled-tasks/", "https://www.ired.team/offensive-security/persistence/t1053-schtask", "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/"], "tags": {"analytic_story": ["Qakbot", "Scheduled Tasks", "Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An $process_name$ was created on endpoint $dest$ attempting to spawn as SYSTEM.", "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_schtasks` Processes.process=\"*/create *\" AND Processes.process=\"*/ru *\" AND Processes.process=\"*system*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_schtasks_create_run_as_system_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will be limited to legitimate applications creating a task to run as SYSTEM. Filter as needed based on parent process, or modify the query to have world writeable paths to restrict it.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_schtasks", "definition": "(Processes.process_name=schtasks.exe OR Processes.original_file_name=schtasks.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_schtasks_create_run_as_system_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Screen Capture Via Powershell", "author": "Teoderick Contreras, Splunk", "date": "2023-04-05", "version": 1, "id": "5e0b1936-8f99-4399-8ee2-9edc5b32e170", "description": "The following analytic identifies a potential PowerShell script that captures screen images on compromised or targeted hosts. This technique was observed in the Winter-Vivern malware, which attempts to capture desktop screens using a PowerShell script and send the images to its C2 server as part of its exfiltration strategy. This TTP serves as a useful indicator that a PowerShell process may be gathering desktop screenshots from a host system, potentially signaling malicious activity.", "references": ["https://twitter.com/_CERT_UA/status/1620781684257091584", "https://cert.gov.ua/article/3761104"], "tags": {"analytic_story": ["Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "A PowerShell script was identified possibly performing screen captures on $Computer$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1113", "mitre_attack_technique": "Screen Capture", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT39", "BRONZE BUTLER", "Dark Caracal", "Dragonfly", "FIN7", "GOLD SOUTHFIELD", "Gamaredon Group", "Group5", "Magic Hound", "MoustachedBouncer", "MuddyWater", "OilRig", "Silence"]}]}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*[Drawing.Graphics]::FromImage(*\" AND ScriptBlockText = \"*New-Object Drawing.Bitmap*\" AND ScriptBlockText = \"*.CopyFromScreen*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_screen_capture_via_powershell_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_screen_capture_via_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Security Account Manager Stopped", "author": "Rod Soto, Jose Hernandez, Splunk", "date": "2024-05-20", "version": 3, "id": "69c12d59-d951-431e-ab77-ec426b8d65e6", "description": "The following analytic detects the stopping of the Windows Security Account Manager (SAM) service via command-line, typically using the \"net stop samss\" command. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because stopping the SAM service can disrupt authentication mechanisms and is often associated with ransomware attacks like Ryuk. If confirmed malicious, this action could lead to unauthorized access, privilege escalation, and potential system-wide compromise.", "references": [], "tags": {"analytic_story": ["Ryuk Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "The Windows Security Account Manager (SAM) was stopped via cli by $user$ on $dest$ by this command: $process$", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes WHERE (\"Processes.process_name\"=\"net*.exe\" \"Processes.process\"=\"*stop \\\"samss\\\"*\") BY Processes.dest Processes.user Processes.process Processes.process_guid Processes.process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_security_account_manager_stopped_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "SAM is a critical windows service, stopping it would cause major issues on an endpoint this makes false positive rare. AlthoughNo false positives have been identified.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_security_account_manager_stopped_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Security Support Provider Reg Query", "author": "Teoderick Contreras, Splunk", "date": "2022-11-30", "version": 1, "id": "31302468-93c9-4eca-9ae3-2d41f53a4e2b", "description": "The following analytic identifies a process command line related to the discovery of possible Security Support Providers in the registry. This technique is being abused by adversaries or post exploitation tools like winpeas to gather LSA protection and configuration in the registry in the targeted host. This registry entry can contain several information related to LSA that validates users for local and remote sign-ins and enforces local security policies. Understanding LSA protection may give a good information in accessing LSA content in memory which is commonly attack by adversaries and tool like mimikatz to scrape password hashes or clear plain text passwords.", "references": ["https://blog.netwrix.com/2022/01/11/understanding-lsa-protection/", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["Prestige Ransomware", "Sneaky Active Directory Persistence Tricks", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "process with reg query command line $process$ in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.005", "mitre_attack_technique": "Security Support Provider", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process = \"* query *\" AND Processes.process = \"*\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\LSA*\" Processes.process IN (\"*RunAsPPL*\" , \"*LsaCfgFlags*\") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_security_support_provider_reg_query_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_reg", "definition": "(Processes.process_name=reg.exe OR Processes.original_file_name=reg.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_security_support_provider_reg_query_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Server Software Component GACUtil Install to GAC", "author": "Michael Haag, Splunk", "date": "2023-01-17", "version": 1, "id": "7c025ef0-9e65-4c57-be39-1c13dbb1613e", "description": "The following analytic identifies the Windows SDK utility - GACUtil.exe, being utilized to add a DLL into the Global Assembly Cache (GAC). Each computer where the Common Language Runtime is installed has a machine-wide code cache called the Global Assembly Cache. The Global Assembly Cache stores assemblies specifically designated to be shared by several applications on the computer. By adding a DLL to the GAC, this allows an adversary to call it via any other means across the operating systems. As outlined by Microsoft in their blog, it is not common to see this spawning from W3WP.exe, however, in a non-development environment it may not be common at all. Note that in order to utilize GACutil.exe, The Windows SDK must be installed, this is not a native binary.", "references": ["https://strontic.github.io/xcyclopedia/library/gacutil.exe-F2FE4DF74BD214EDDC1A658043828089.html", "https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", "https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/", "https://learn.microsoft.com/en-us/dotnet/framework/app-domains/gac"], "tags": {"analytic_story": ["IIS Components"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to add a module to the global assembly cache.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.004", "mitre_attack_technique": "IIS Components", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=gacutil.exe Processes.process IN (\"*-i *\",\"*/i *\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_server_software_component_gacutil_install_to_gac_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present if gacutil.exe is utilized day to day by developers. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_server_software_component_gacutil_install_to_gac_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Service Create Kernel Mode Driver", "author": "Michael Haag, Splunk", "date": "2024-05-13", "version": 2, "id": "0b4e3b06-1b2b-4885-b752-cf06d12a90cb", "description": "The following analytic identifies the creation of a new kernel mode driver using the sc.exe command. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. The activity is significant because adding a kernel driver is uncommon in regular operations and can indicate an attempt to gain low-level access to the system. If confirmed malicious, this could allow an attacker to execute code with high privileges, potentially compromising the entire system and evading traditional security measures.", "references": ["https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/"], "tags": {"analytic_story": ["CISA AA22-320A", "Windows Drivers"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Service control, $process_name$, loaded a new kernel mode driver on $dest$ by $user$.", "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=sc.exe Processes.process=\"*kernel*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_create_kernel_mode_driver_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present based on common applications adding new drivers, however, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_service_create_kernel_mode_driver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Service Create RemComSvc", "author": "Michael Haag, Splunk", "date": "2024-05-22", "version": 2, "id": "0be4b5d6-c449-4084-b945-2392b519c33b", "description": "The following analytic detects the creation of the RemComSvc service on a Windows endpoint, typically indicating lateral movement using RemCom.exe. It leverages Windows EventCode 7045 from the System event log, specifically looking for the \"RemCom Service\" name. This activity is significant as it often signifies unauthorized lateral movement within the network, which is a common tactic used by attackers to spread malware or gain further access. If confirmed malicious, this could lead to unauthorized access to sensitive systems, data exfiltration, or further compromise of the network.", "references": ["https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", "https://github.com/kavika13/RemCom"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A new service was created related to RemCom on $dest$.", "risk_score": 32, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "`wineventlog_system` EventCode=7045 ServiceName=\"RemCom Service\" | stats count min(_time) as firstTime max(_time) as lastTime by dest ImagePath ServiceName ServiceType | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_create_remcomsvc_filter`", "how_to_implement": "To implement this analytic, the Windows EventCode 7045 will need to be logged. The Windows TA for Splunk is also recommended.", "known_false_positives": "False positives may be present, filter as needed based on administrative activity.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_service_create_remcomsvc_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Service Create SliverC2", "author": "Michael Haag, Splunk", "date": "2023-03-03", "version": 1, "id": "89dad3ee-57ec-43dc-9044-131c4edd663f", "description": "When an adversary utilizes SliverC2 to laterally move with the Psexec module, it will create a service with the name and description of \"Sliver\" and \"Sliver Implant\". Note that these may be easily changed and are specific to only SliverC2. We have also created the same regex as Microsoft has outlined to attempt to capture the suspicious service path (regex101 reference).", "references": ["https://github.com/BishopFox/sliver/blob/71f94928bf36c1557ea5fbeffa161b71116f56b2/client/command/exec/psexec.go#LL61C5-L61C16", "https://www.microsoft.com/en-us/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/", "https://regex101.com/r/DWkkXm/1"], "tags": {"analytic_story": ["BishopFox Sliver Adversary Emulation Framework"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A user mode service was created on $dest$ related to SliverC2.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}]}, "type": "TTP", "search": "`wineventlog_system` EventCode=7045 ServiceName=\"sliver\" | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ImagePath ServiceName ServiceType | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_create_sliverc2_filter`", "how_to_implement": "To implement this analytic, the Windows EventCode 7045 will need to be logged from the System Event log. The Windows TA for Splunk is also recommended.", "known_false_positives": "False positives should be limited, but if another service out there is named Sliver, filtering may be needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_service_create_sliverc2_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Service Create with Tscon", "author": "Michael Haag, Splunk", "date": "2023-03-29", "version": 1, "id": "c13b3d74-6b63-4db5-a841-4206f0370077", "description": "The following analytic detects potential RDP Hijacking attempts by monitoring a series of actions taken by an attacker to gain unauthorized access to a remote system. The attacker first runs the quser command to query the remote host for disconnected user sessions. Upon identifying a disconnected session, they use the sc.exe command to create a new Windows service with a binary path that launches tscon.exe. By specifying the disconnected session ID and a destination ID, the attacker can transfer the disconnected session to a new RDP session, effectively hijacking the user's session. This analytic allows security teams to detect and respond to RDP Hijacking attempts, mitigating potential risks and impacts on targeted systems.", "references": ["https://doublepulsar.com/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to hijack a RDP session.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1563.002", "mitre_attack_technique": "RDP Hijacking", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Axiom"]}, {"mitre_attack_id": "T1563", "mitre_attack_technique": "Remote Service Session Hijacking", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=sc.exe Processes.process=\"*/dest:rdp-tcp*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_create_with_tscon_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may arise in the RDP Hijacking analytic when legitimate administrators access remote sessions for maintenance or troubleshooting purposes. These activities might resemble an attacker''s attempt to hijack a disconnected session, leading to false alarms. To mitigate the risk of false positives and improve the overall security posture, organizations can implement Group Policy to automatically disconnect RDP sessions when they are complete. By enforcing this policy, administrators ensure that disconnected sessions are promptly terminated, reducing the window of opportunity for an attacker to hijack a session. Additionally, organizations can also implement access control mechanisms and monitor the behavior of privileged accounts to further enhance security and reduce the chances of false positives in RDP Hijacking detection.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_service_create_with_tscon_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Service Created with Suspicious Service Path", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2024-04-26", "version": 4, "id": "429141be-8311-11eb-adb6-acde48001122", "description": "The following analytics uses Windows Event Id 7045, `New Service Was Installed`, to identify the creation of a Windows Service where the service binary path path is located in a non-common Service folder in Windows. Red Teams and adversaries alike may create malicious Services for lateral movement or remote code execution as well as persistence and execution. The Clop ransomware has also been seen in the wild abusing Windows services.", "references": ["https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft", "https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Brute Ratel C4", "CISA AA23-347A", "Clop Ransomware", "Flax Typhoon", "PlugX", "Qakbot", "Snake Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "ImagePath", "type": "File", "role": ["Attacker"]}], "message": "A service $ImagePath$ was created from a non-standard path using $ServiceName$ on $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}]}, "type": "TTP", "search": " `wineventlog_system` EventCode=7045 ImagePath = \"*.exe\" NOT (ImagePath IN (\"*:\\\\Windows\\\\*\", \"*:\\\\Program File*\", \"*:\\\\Programdata\\\\*\", \"*%systemroot%\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ImagePath ServiceName ServiceType StartType Computer UserID | rename Computer as dest| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_created_with_suspicious_service_path_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints.", "known_false_positives": "Legitimate applications may install services with uncommon services paths.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_service_created_with_suspicious_service_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Service Created Within Public Path", "author": "Mauricio Velazco, Splunk", "date": "2024-04-26", "version": 2, "id": "3abb2eda-4bb8-11ec-9ae4-3e22fbd008af", "description": "The following analytc uses Windows Event Id 7045, `New Service Was Installed`, to identify the creation of a Windows Service where the service binary path is located in public paths. This behavior could represent the installation of a malicious service. Red Teams and adversaries alike may create malicious Services for lateral movement or remote code execution", "references": ["https://docs.microsoft.com/en-us/windows/win32/services/service-control-manager", "https://pentestlab.blog/2020/07/21/lateral-movement-services/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Snake Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "ServiceName", "type": "Other", "role": ["Other"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A Windows Service $ServiceName$ with a public path was created on $dest$", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}]}, "type": "TTP", "search": "`wineventlog_system` EventCode=7045 ImagePath = \"*.exe\" NOT (ImagePath IN (\"*:\\\\Windows\\\\*\", \"*:\\\\Program File*\", \"*:\\\\Programdata\\\\*\", \"*%systemroot%\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ImagePath ServiceName ServiceType StartType Computer UserID | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_created_within_public_path_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints.", "known_false_positives": "Legitimate applications may install services with uncommon services paths.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_service_created_within_public_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Service Creation on Remote Endpoint", "author": "Mauricio Velazco, Splunk", "date": "2021-11-10", "version": 1, "id": "e0eea4fa-4274-11ec-882b-3e22fbd008af", "description": "This analytic looks for the execution of `sc.exe` with command-line arguments utilized to create a Windows Service on a remote endpoint. Red Teams and adversaries alike may abuse the Service Control Manager for lateral movement and remote code execution.", "references": ["https://docs.microsoft.com/en-us/windows/win32/services/service-control-manager", "https://docs.microsoft.com/en-us/windows/win32/services/controlling-a-service-using-sc", "https://attack.mitre.org/techniques/T1543/003/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A Windows Service was created on a remote endpoint from $dest", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=sc.exe OR Processes.original_file_name=sc.exe) (Processes.process=*\\\\\\\\* AND Processes.process=*create* AND Processes.process=*binpath*) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_service_creation_on_remote_endpoint_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may create Windows Services on remote systems, but this activity is usually limited to a small set of hosts or users.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_service_creation_on_remote_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Service Creation Using Registry Entry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2023-04-27", "version": 3, "id": "25212358-948e-11ec-ad47-acde48001122", "description": "The following analytic detects when reg.exe modify registry keys that define Windows services and their configurations in Windows to detect potential threats earlier and mitigate the risks. This detection is made by a Splunk query that searches for specific keywords in the process name, parent process name, user, and process ID. This detection is important because it suggests that an attacker has modified the registry keys that define Windows services and their configurations, which can allow them to maintain access to the system and potentially move laterally within the network. It is a common technique used by attackers to gain persistence on a compromised system and its impact can lead to data theft, ransomware, or other damaging outcomes. False positives can occur since legitimate uses of reg.exe to modify registry keys for Windows services can also trigger this alert. Next steps include reviewing the process and user context of the reg.exe activity and identify any other concurrent processes that might be associated with the attack upon triage.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1574.011/T1574.011.md"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Brute Ratel C4", "CISA AA23-347A", "PlugX", "Suspicious Windows Registry Activities", "Windows Persistence Techniques", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A Windows Service was created on a endpoint from $dest$ using a registry entry", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1574.011", "mitre_attack_technique": "Services Registry Permissions Weakness", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\SYSTEM\\\\CurrentControlSet\\\\Services*\" Registry.registry_value_name = ImagePath) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_creation_using_registry_entry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "Third party tools may used this technique to create services but not so common.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_service_creation_using_registry_entry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Service Deletion In Registry", "author": "Teoderick Contreras, Splunk", "date": "2024-05-14", "version": 2, "id": "daed6823-b51c-4843-a6ad-169708f1323e", "description": "The following analytic detects the deletion of a service from the Windows Registry under CurrentControlSet\\Services. It leverages data from the Endpoint.Registry datamodel, specifically monitoring registry paths and actions related to service deletion. This activity is significant as adversaries may delete services to evade detection and hinder incident response efforts. If confirmed malicious, this action could disrupt legitimate services, impair system functionality, and potentially allow attackers to maintain a lower profile within the environment, complicating detection and remediation efforts.", "references": ["https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/"], "tags": {"analytic_story": ["Brute Ratel C4", "PlugX"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A service was deleted on $dest$ within the Windows registry.", "risk_score": 18, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\SYSTEM\\\\CurrentControlSet\\\\Services*\" AND (Registry.action = deleted OR (Registry.registry_value_name = DeleteFlag AND Registry.registry_value_data = 0x00000001 AND Registry.action=modified)) by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_value_name Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_deletion_in_registry_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "This event can be seen when administrator delete a service or uninstall/reinstall a software that creates service entry, but it is still recommended to check this alert with high priority.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_service_deletion_in_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Service Initiation on Remote Endpoint", "author": "Mauricio Velazco, Splunk", "date": "2021-11-10", "version": 1, "id": "3f519894-4276-11ec-ab02-3e22fbd008af", "description": "This analytic looks for the execution of `sc.exe` with command-line arguments utilized to start a Windows Service on a remote endpoint. Red Teams and adversaries alike may abuse the Service Control Manager for lateral movement and remote code execution.", "references": ["https://docs.microsoft.com/en-us/windows/win32/services/controlling-a-service-using-sc", "https://attack.mitre.org/techniques/T1543/003/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A Windows Service was started on a remote endpoint from $dest", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=sc.exe OR Processes.original_file_name=sc.exe) (Processes.process=*\\\\\\\\* AND Processes.process=*start*) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_service_initiation_on_remote_endpoint_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may start Windows Services on remote systems, but this activity is usually limited to a small set of hosts or users.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_service_initiation_on_remote_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Service Stop By Deletion", "author": "Teoderick Contreras, Splunk", "date": "2023-06-13", "version": 1, "id": "196ff536-58d9-4d1b-9686-b176b04e430b", "description": "The following analytic identifies Windows Service Control, `sc.exe`, attempting to delete a service. This is typically identified in parallel with other instances of service enumeration of attempts to stop a service and then delete it. Adversaries utilize this technique to terminate security services or other related services to continue there objective and evade detections.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/", "https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"], "tags": {"analytic_story": ["Azorult", "Graceful Wipe Out Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ attempting to delete a service.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = sc.exe OR Processes.original_file_name = sc.exe) Processes.process=\"* delete *\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_stop_by_deletion_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "It is possible administrative scripts may start/stop/delete services. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_service_stop_by_deletion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Service Stop Via Net and SC Application", "author": "Teoderick Contreras, Splunk", "date": "2023-06-13", "version": 1, "id": "827af04b-0d08-479b-9b84-b7d4644e4b80", "description": "This analytic identifies suspicious attempts to stop services on a system using either `net.exe` or `sc.exe`. This technique is used by adversaries to terminate security services or other related services to continue their objective and evade detections. This technique is also commonly used by ransomware threat actors to successfully encrypt databases or files being processed or used by Windows OS Services.", "references": ["https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["Graceful Wipe Out Attack", "Prestige Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "$process$ was executed on $dest$ attempting to stop service.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` OR Processes.process_name = \"sc.exe\" OR Processes.original_file_name= \"sc.exe\" AND Processes.process=\"*stop*\" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_stop_via_net__and_sc_application_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Windows OS or software may stop and restart services due to some critical update.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_service_stop_via_net__and_sc_application_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Service Stop Win Updates", "author": "Teoderick Contreras, Splunk", "date": "2023-12-27", "version": 1, "id": "0dc25c24-6fcf-456f-b08b-dd55a183e4de", "description": "The following analytic identifies a windows update service being disabled in Windows OS. This technique is being abused by adversaries or threat actors to add defense mechanisms to their malware implant in the targeted host. Disabling windows update will put the compromised host vulnerable in some zero day exploit or even some update features against threats. RedLine Stealer kills this service as part of its defense evasion mechanism.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer"], "tags": {"analytic_story": ["CISA AA23-347A", "RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows update services $service_name$ was being disabled on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}]}, "type": "Anomaly", "search": "`wineventlog_system` EventCode=7040 (service_name IN (\"Update Orchestrator Service for Windows Update\", \"WaaSMedicSvc\", \"Windows Update\") OR param1 IN (\"UsoSvc\", \"WaaSMedicSvc\", \"wuauserv\")) AND (param3=disabled OR start_mode = disabled) | stats count min(_time) as firstTime max(_time) as lastTime by Computer Error_Code service_name start_mode param1 param2 param3 param4 | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_stop_win_updates_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints (like Windows system.log Event ID 7040)", "known_false_positives": "Network administrator may disable this services as part of its audit process within the network. Filter is needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_service_stop_win_updates_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows SIP Provider Inventory", "author": "Michael Haag, Splunk", "date": "2023-10-10", "version": 1, "id": "21c5af91-1a4a-4511-8603-64fb41df3fad", "description": "The following inventory analytic is used with a PowerShell scripted inputs to capture all SIP providers on a Windows system. This analytic is used to identify potential malicious SIP providers that may be used to subvert trust controls. Upon review, look for new and non-standard paths for SIP providers.", "references": ["https://gist.github.com/MHaggis/75dd5db546c143ea67703d0e86cdbbd1"], "tags": {"analytic_story": ["Subvert Trust Controls SIP and Trust Provider Hijacking"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Endpoint", "role": ["Victim"]}], "message": "A list of SIP providers on the system is available. Review for new and non-standard paths for SIP providers on $host$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1553.003", "mitre_attack_technique": "SIP and Trust Provider Hijacking", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "type": "Hunting", "search": "`subjectinterfacepackage` Dll=*\\\\*.dll | stats count min(_time) as firstTime max(_time) as lastTime values(Dll) by Path host| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_sip_provider_inventory_filter`", "how_to_implement": "To implement this analytic, one must first perform inventory using a scripted inputs. Review the following Gist - https://gist.github.com/MHaggis/75dd5db546c143ea67703d0e86cdbbd1", "known_false_positives": "False positives are limited as this is a hunting query for inventory.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "subjectinterfacepackage", "definition": "sourcetype=\"PwSh:SubjectInterfacePackage\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_sip_provider_inventory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows SIP WinVerifyTrust Failed Trust Validation", "author": "Michael Haag, Splunk", "date": "2023-10-10", "version": 1, "id": "6ffc7f88-415b-4278-a80d-b957d6539e1a", "description": "The following analytic utilizes a Windows Event Log - CAPI2 - or CryptoAPI 2, to identify failed trust validation. Typically, this event log is meant for diagnosing PKI issues, however is a great source to identify failed trust validation. Note that this event log is noisy as it captures common PKI requests from many different processes. EventID 81 is generated anytime a trust validation fails. The description for EventID 81 is \"The digital signature of the object did not verify.\" STRT tested this analytic using Mimikatz binary.", "references": ["https://attack.mitre.org/techniques/T1553/003/", "https://specterops.io/wp-content/uploads/sites/3/2022/06/SpecterOps_Subverting_Trust_in_Windows.pdf", "https://github.com/gtworek/PSBits/tree/master/SIP", "https://github.com/mattifestation/PoCSubjectInterfacePackage", "https://pentestlab.blog/2017/11/06/hijacking-digital-signatures/"], "tags": {"analytic_story": ["Subvert Trust Controls SIP and Trust Provider Hijacking"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Failed trust validation via the CryptoAPI 2 on $dest$ for a binary.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1553.003", "mitre_attack_technique": "SIP and Trust Provider Hijacking", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "`capi2_operational` EventID=81 \"The digital signature of the object did not verify.\" | xmlkv UserData_Xml | stats count min(_time) as firstTime max(_time) as lastTime by Computer, UserData_Xml | rename Computer as dest | `windows_sip_winverifytrust_failed_trust_validation_filter`", "how_to_implement": "To implement this analytic, one will need to enable the Microsoft-Windows-CAPI2/Operational log within the Windows Event Log. Note this is a debug log for many purposes, and the analytic only focuses in on EventID 81. Review the following gist for additional enabling information.", "known_false_positives": "False positives may be present in some instances of legitimate binaries with invalid signatures. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "capi2_operational", "definition": "(source=XmlWinEventLog:Microsoft-Windows-CAPI2/Operational)", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_sip_winverifytrust_failed_trust_validation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Snake Malware File Modification Crmlog", "author": "Michael Haag, Splunk", "date": "2024-05-07", "version": 2, "id": "27187e0e-c221-471d-a7bd-04f698985ff6", "description": "The following analytic identifies the creation of a .crmlog file within the %windows%\\Registration directory, typically with a format of ..crmlog. This detection leverages the Endpoint.Filesystem datamodel to monitor file creation events in the specified directory. This activity is significant as it is associated with the Snake malware, which uses this file for its operations. If confirmed malicious, this could indicate the presence of Snake malware, leading to potential data exfiltration, system compromise, and further malicious activities. Immediate investigation is required to mitigate the threat.", "references": ["https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF"], "tags": {"analytic_story": ["Snake Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A file related to Snake Malware has been identified on $dest$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_path=\"*\\\\windows\\\\registration\\\\*\" AND Filesystem.file_name=\"*.crmlog\" by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_snake_malware_file_modification_crmlog_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present as the file pattern does match legitimate files on disk. It is possible other native tools write the same file name scheme.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_snake_malware_file_modification_crmlog_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Snake Malware Kernel Driver Comadmin", "author": "Michael Haag, Splunk", "date": "2023-05-11", "version": 1, "id": "628d9c7c-3242-43b5-9620-7234c080a726", "description": "The following analytic identifies the comadmin.dat file written to disk, which is related to Snake Malware. From the report, Snakes installer drops the kernel driver and a custom DLL which is used to load the driver into a single AES encrypted file on disk. Typically, this file is named comadmin.dat and is stored in the %windows%\\system32\\Com directory.", "references": ["https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF"], "tags": {"analytic_story": ["Snake Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A kernel driver comadmin.dat related to Snake Malware was written to disk on $dest$.", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.006", "mitre_attack_technique": "Kernel Modules and Extensions", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_path=\"*\\\\windows\\\\system32\\\\com\\\\*\" AND Filesystem.file_name=\"comadmin.dat\" by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_snake_malware_kernel_driver_comadmin_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_snake_malware_kernel_driver_comadmin_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Snake Malware Registry Modification wav OpenWithProgIds", "author": "Michael Haag, Splunk", "date": "2023-05-10", "version": 1, "id": "13cf8b79-805d-443c-bf52-f55bd7610dfd", "description": "The follow analytic identifies the registry being modified at .wav\\\\OpenWithProgIds\\, which is related to the Snake Malware campaign. Upon execution, Snake's WerFault.exe will attempt to decrypt an encrypted blob within the Windows registry that is typically found at HKLM:\\SOFTWARE\\Classes\\.wav\\OpenWithProgIds. The encrypted data includes the AES key, IV, and path that is used to find and decrypt the file containing Snake's kernel driver and kernel driver loader.", "references": ["https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF"], "tags": {"analytic_story": ["Snake Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A registry modification related to Snake Malware has been identified on $dest$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\.wav\\\\OpenWithProgIds\\\\*\" by Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `windows_snake_malware_registry_modification_wav_openwithprogids_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present and will require tuning based on program Ids in large organizations.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_snake_malware_registry_modification_wav_openwithprogids_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Snake Malware Service Create", "author": "Michael Haag, Splunk", "date": "2023-05-11", "version": 1, "id": "64eb091f-8cab-4b41-9b09-8fb4942377df", "description": "The following analytic identifies a new service WerFaultSvc being created with a binary path located in the windows winsxs path. Per the report, the Snake version primarily discussed in this advisory registers a service to maintain persistence on a system. Typically this service is named WerFaultSvc which we assess was used to blend in with the legitimate Windows service WerSvc. On boot, this service will execute Snakes WerFault.exe, which Snake developers chose to hide among the numerous valid Windows WerFault.exe files in the windows WinSxS directory. Executing WerFault.exe will start the process of decrypting Snakes components and loading them into memory.", "references": ["https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF"], "tags": {"analytic_story": ["Snake Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A service, WerFaultSvc, was created on $dest$ and is related to Snake Malware.", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.006", "mitre_attack_technique": "Kernel Modules and Extensions", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}]}, "type": "TTP", "search": "`wineventlog_system` EventCode=7045 ImagePath=\"*\\\\windows\\\\winSxS\\\\*\" ImagePath=\"*\\Werfault.exe\" | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ImagePath ServiceName ServiceType | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_snake_malware_service_create_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows System logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints.", "known_false_positives": "False positives should be limited as this is a strict primary indicator used by Snake Malware.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_snake_malware_service_create_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows SOAPHound Binary Execution", "author": "Michael Haag, Splunk", "date": "2024-03-14", "version": 2, "id": "8e53f839-e127-4d6d-a54d-a2f67044a57f", "description": "The following analytic identifies the common command-line argument used by SOAPHound `soaphound.exe`. Being the script is publicly available, function names may be modified, but these changes are dependent upon the operator. In most instances the defaults are used. It does not cover the entirety of every argument in order to avoid false positives.", "references": ["https://github.com/FalconForceTeam/SOAPHound"], "tags": {"analytic_story": ["Windows Discovery Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "process_name", "type": "Process", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The process $process_name$ was executed on $dest$ related to SOAPHound.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT41", "BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Scattered Spider", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}, {"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Akira", "Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT41", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "FIN7", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "ToddyCat", "Turla", "Volt Typhoon"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=\"soaphound.exe\" OR Processes.original_file_name=\"soaphound.exe\" AND Processes.process IN (\"*--buildcache *\", \"*--bhdump *\", \"*--certdump *\", \"*--dnsdump *\", \"*-c *\", \"*--cachefilename *\", \"*-o *\", \"*--outputdirectory *\") by Processes.process Processes.dest Processes.process_current_directory Processes.process_name Processes.process_path Processes.process_integrity_level Processes.parent_process Processes.parent_process_path Processes.parent_process_guid Processes.parent_process_id Processes.process_guid Processes.process_id Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_soaphound_binary_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited as the command-line arguments are specific to SOAPHound. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_soaphound_binary_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Spearphishing Attachment Connect To None MS Office Domain", "author": "Teoderick Contreras, Splunk", "date": "2023-02-15", "version": 2, "id": "1cb40e15-cffa-45cc-abbd-e35884a49766", "description": "this detection was designed to identifies suspicious office documents that connect to a website aside from Microsoft Office Domain. This technique was seen in several malicious documents that abuses .rels xml properties of MS office to connect or download malicious files. This hunting query can be a good pivot or guide to check what URL link it tries to connect, what domain, where the documents came from and how the connection happens.", "references": ["https://www.netskope.com/blog/asyncrat-using-fully-undetected-downloader", "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat"], "tags": {"analytic_story": ["AsyncRAT", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "a office document process $Image$ connect to an URL link $QueryName$ in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}]}, "type": "Hunting", "search": "`sysmon` EventCode=22 Image IN (\"*\\\\winword.exe\",\"*\\\\excel.exe\",\"*\\\\powerpnt.exe\",\"*\\\\mspub.exe\",\"*\\\\visio.exe\",\"*\\\\wordpad.exe\",\"*\\\\wordview.exe\",\"*\\\\onenote.exe\", \"*\\\\onenotem.exe\",\"*\\\\onenoteviewer.exe\",\"*\\\\onenoteim.exe\", \"*\\\\msaccess.exe\") AND NOT(QueryName IN (\"*.office.com\", \"*.office.net\")) | stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName QueryResults QueryStatus Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_spearphishing_attachment_connect_to_none_ms_office_domain_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Windows Office document may contain legitimate url link other than MS office Domain. filter is needed", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_spearphishing_attachment_connect_to_none_ms_office_domain_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Spearphishing Attachment Onenote Spawn Mshta", "author": "Teoderick Contreras, Splunk", "date": "2023-01-24", "version": 1, "id": "35aeb0e7-7de5-444a-ac45-24d6788796ec", "description": "The following detection identifies the latest behavior utilized by different malware families (including TA551, AsyncRat, Redline and DCRAT). This detection identifies onenote Office Product spawning `mshta.exe`. In malicious instances, the command-line of `mshta.exe` will contain the `hta` file locally, or a URL to the remote destination. In addition, Threat Research has released a detections identifying suspicious use of `mshta.exe`. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. The Office Product, or `mshta.exe` will have reached out to a remote destination, capture and block the IPs or domain. Review additional parallel processes for further activity.", "references": ["https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/", "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat"], "tags": {"analytic_story": ["AsyncRAT", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "office parent process $parent_process_name$ will execute a suspicious child process $process_name$ with process id $process_id$ in host $dest$", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"onenote.exe\", \"onenotem.exe\") `process_mshta` by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_spearphishing_attachment_onenote_spawn_mshta_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "No false positives known. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_mshta", "definition": "(Processes.process_name=mshta.exe OR Processes.original_file_name=MSHTA.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_spearphishing_attachment_onenote_spawn_mshta_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Special Privileged Logon On Multiple Hosts", "author": "Mauricio Velazco, Splunk", "date": "2023-11-07", "version": 2, "id": "4c461f5a-c2cc-4e86-b132-c262fc9edca7", "description": "The following analytic leverages Event ID 4672 to identify a source user authenticating with special privileges across a large number remote endpoints. Specifically, the logic will trigger when a source user obtains special privileges across 30 or more target computers within a 5 minute timespan. Special privileges are assigned to a new logon session when sensitive privileges like SeDebugPrivilege and SeImpersonatePrivilege are assigned. This behavior could represent an adversary who is moving laterally and executing remote code across the network. It can also be triggered by other behavior like an adversary enumerating network shares. As environments differ across organizations, security teams should customize the thresholds of this detection as needed.", "references": ["https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn319113(v=ws.11)", "https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/", "https://attack.mitre.org/tactics/TA0008/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A user $user$ obtained special privileges on a large number of endpoints (Count: $unique_targets$) within 5 minutes.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1135", "mitre_attack_technique": "Network Share Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT32", "APT38", "APT39", "APT41", "Chimera", "DarkVishnya", "Dragonfly", "FIN13", "Sowbug", "Tonto Team", "Tropic Trooper", "Wizard Spider"]}]}, "type": "TTP", "search": " `wineventlog_security` EventCode=4672 AND NOT(Caller_User_Name IN (\"DWM-1\",\"DWM-2\",\"DWM-3\",\"LOCAL SERVICE\",\"NETWORK SERVICE\",\"SYSTEM\",\"*$\")) | bucket span=5m _time | stats dc(Computer) AS unique_targets values(Computer) as dest values(PrivilegeList) as privileges by _time, Caller_User_Name | rename Caller_User_Name as user| where unique_targets > 30 | `windows_special_privileged_logon_on_multiple_hosts_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting special logon events. The Advanced Security Audit policy setting `Audit Special Logon` within `Logon/Logoff` need to be enabled.", "known_false_positives": "Vulnerability scanners or system administration tools may also trigger this detection. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_special_privileged_logon_on_multiple_hosts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows SQL Spawning CertUtil", "author": "Michael Haag, Splunk", "date": "2023-08-25", "version": 1, "id": "dfc18a5a-946e-44ee-a373-c0f60d06e676", "description": "The following analytic detects the use of certutil to download software, a behavior exhibited by the threat actor Flax Typhoon. This actor deploys a VPN connection by downloading an executable file for SoftEther VPN from their network infrastructure using one of several LOLBins, including certutil. The actor then uses the Service Control Manager (SCM) to create a Windows service that launches the VPN connection automatically when the system starts. This behavior allows the actor to monitor the availability of the compromised system and establish an RDP connection. This analytic identifies this behavior by monitoring for the use of certutil in conjunction with the downloading of software. This behavior is worth identifying for a SOC as it indicates a potential compromise of the system and the establishment of a persistent threat. If a true positive is found, it suggests an attacker has gained access to the environment and is attempting to maintain that access, potentially leading to further malicious activities such as data theft or ransomware attacks. Be aware of potential false positives - legitimate uses of certutil in your environment may cause benign activities to be flagged. Upon triage, review the command executed and look for concurrent processes to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/"], "tags": {"analytic_story": ["Flax Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Target"]}], "message": "$process_name$ was launched on $dest$ by $user$. This behavior is uncommon with the SQL process identified.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"sqlservr.exe\", \"sqlagent.exe\", \"sqlps.exe\", \"launchpad.exe\", \"sqldumper.exe\") `process_certutil` (Processes.process=*urlcache* Processes.process=*split*) OR Processes.process=*urlcache* by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.original_file_name Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_sql_spawning_certutil_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "The occurrence of false positives should be minimal, given that the SQL agent does not typically download software using CertUtil.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_certutil", "definition": "(Processes.process_name=certutil.exe OR Processes.original_file_name=CertUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_sql_spawning_certutil_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows SqlWriter SQLDumper DLL Sideload", "author": "Michael Haag, Teoderick Contreras, Splunk", "date": "2024-03-25", "version": 1, "id": "2ed89ba9-c6c7-46aa-9f08-a2a1c2955aa3", "description": "The following analytic identifies the abuse of SqlWriter and SQLDumper executables to sideload the vcruntime140.dll library. This technique is commonly used by adversaries to load malicious code into a legitimate process. The analytic searches for EventCode 7 from Sysmon logs where the Image is either SQLDumper.exe or SQLWriter.exe and the ImageLoaded is vcruntime140.dll. The search also filters out the legitimate loading of vcruntime140.dll from the System32 directory to reduce false positives.", "references": ["https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties", "https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader"], "tags": {"analytic_story": ["APT29 Diplomatic Deceptions with WINELOADER"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "Image", "type": "File Name", "role": ["Attacker"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An instance of $Image$ loading $ImageLoaded$ was detected on $dest$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Cinnamon Tempest", "Earth Lusca", "FIN13", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}]}, "type": "TTP", "search": "`sysmon` EventCode=7 (Image=\"*\\\\SQLDumper.exe\" OR Image=\"*\\\\SQLWriter.exe\") ImageLoaded=\"*\\\\vcruntime140.dll\" NOT ImageLoaded=\"C:\\\\Windows\\\\System32\\\\*\" | stats values(ImageLoaded) count min(_time) as firstTime max(_time) as lastTime by Image,ImageLoaded, user, Computer, EventCode | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_sqlwriter_sqldumper_dll_sideload_filter`", "how_to_implement": "The analytic is designed to be run against Sysmon event logs collected from endpoints. The analytic requires the Sysmon event logs to be ingested into Splunk. The analytic searches for EventCode 7 where the Image is either SQLDumper.exe or SQLWriter.exe and the ImageLoaded is vcruntime140.dll. The search also filters out the legitimate loading of vcruntime140.dll from the System32 directory to reduce false positives. The analytic can be modified to include additional known good paths for vcruntime140.dll to further reduce false positives.", "known_false_positives": "False positives are possible if legitimate processes are loading vcruntime140.dll from non-standard directories. It is recommended to investigate the context of the process loading vcruntime140.dll to determine if it is malicious or not. Modify the search to include additional known good paths for vcruntime140.dll to reduce false positives.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_sqlwriter_sqldumper_dll_sideload_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Steal Authentication Certificates - ESC1 Abuse", "author": "Steven Dick", "date": "2024-01-03", "version": 2, "id": "cbe761fc-d945-4c8c-a71d-e26d12255d32", "description": "The following analytic identifies when a new certificate is requested and/or granted against the Active Directory Certificate Services (AD CS) using a Subject Alternative Name (SAN). This action by its self is not malicious, however improperly configured certificate templates can be abused to permit privilege escalation and environment compromise due to over permissive settings (AD CS ESC1)", "references": ["https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf", "https://github.com/ly4k/Certipy#esc1", "https://pentestlaboratories.com/2021/11/08/threat-hunting-certificate-account-persistence/"], "tags": {"analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "Hostname", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src_user", "type": "User", "role": ["Attacker"]}], "message": "Possible AD CS ESC1 activity by $src_user$ - $flavor_text$", "risk_score": 60, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}]}, "type": "TTP", "search": "`wineventlog_security` EventCode IN (4886,4887) Attributes=\"*SAN:*upn*\" Attributes=\"*CertificateTemplate:*\" | stats count min(_time) as firstTime max(_time) as lastTime values(name) as name values(status) as status values(Subject) as ssl_subject values(SubjectKeyIdentifier) as ssl_hash by Computer, EventCode, Requester, Attributes, RequestId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| fillnull | rex field=Attributes \"(?i)CertificateTemplate:(?[^\\r\\n]+)\" | rex field=Attributes \"(?i)ccm:(?[^\\r\\n]+)\" | rex max_match=10 field=Attributes \"(?i)(upn=(?[^\\r\\n&]+))\" | rex max_match=10 field=Attributes \"(?i)(dns=(?[^\\r\\n&]+))\" | rex field=Requester \"(.+\\\\\\\\)?(?[^\\r\\n]+)\" | eval flavor_text = case(EventCode==\"4886\",\"A suspicious certificate was requested using request ID: \".'RequestId',EventCode==\"4887\", \"A suspicious certificate was issued using request ID: \".'RequestId'.\". To revoke this certifacte use this request ID or the SSL fingerprint [\".'ssl_hash'.\"]\"), dest = upper(coalesce(req_dest_1,req_dest_2)), src = upper(coalesce(req_src,Computer)) | fields - req_* | rename Attributes as object_attrs, EventCode as signature_id, name as signature, RequestId as ssl_serial, Requester as ssl_subject_common_name| `windows_steal_authentication_certificates___esc1_abuse_filter`", "how_to_implement": "To implement this analytic, enhanced Audit Logging must be enabled on AD CS and within Group Policy Management for CS server. See Page 115 of first reference. Recommend throttle correlation by RequestId/ssl_serial at minimum.", "known_false_positives": "False positives may be generated in environments where administrative users or processes are allowed to generate certificates with Subject Alternative Names. Sources or templates used in these processes may need to be tuned out for accurate function.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_steal_authentication_certificates___esc1_abuse_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Steal Authentication Certificates - ESC1 Authentication", "author": "Steven Dick", "date": "2023-05-25", "version": 1, "id": "f0306acf-a6ab-437a-bbc6-8628f8d5c97e", "description": "The following analytic identifies when a suspicious certificate is granted using Active Directory Certificate Services (AD CS) with a Subject Alternative Name (SAN) and then immediately used for authentication. This action alone may not be malicious, however improperly configured certificate templates can be abused to permit privilege escalation and environment compromise due to over permissive settings (AD CS ESC1).", "references": ["https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf", "https://github.com/ly4k/Certipy#esc1", "https://pentestlaboratories.com/2021/11/08/threat-hunting-certificate-account-persistence/"], "tags": {"analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "Hostname", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src_user", "type": "User", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "ssl_hash", "type": "Other", "role": ["Attacker"]}, {"name": "ssl_serial", "type": "Other", "role": ["Attacker"]}], "message": "Possible AD CS ESC1 authentication on $dest$", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "`wineventlog_security` EventCode IN (4887) Attributes=\"*SAN:*upn*\" Attributes=\"*CertificateTemplate:*\" | stats count min(_time) as firstTime max(_time) as lastTime values(name) as name values(status) as status values(Subject) as ssl_subject values(SubjectKeyIdentifier) as ssl_hash by Computer, EventCode, Requester, Attributes, RequestId | rex field=Attributes \"(?i)CertificateTemplate:(?[^\\r\\n]+)\" | rex field=Attributes \"(?i)ccm:(?[^\\r\\n]+)\" | rex max_match=10 field=Attributes \"(?i)(upn=(?[^\\r\\n&]+))\" | rex max_match=10 field=Attributes \"(?i)(dns=(?[^\\r\\n&]+))\" | rex field=Requester \"(.+\\\\\\\\)?(?[^\\r\\n]+)\" | rename Attributes as object_attrs, EventCode as signature_id, name as signature, RequestId as ssl_serial, Requester as ssl_subject_common_name | eval user = lower(coalesce(req_user_1,req_user_2)) | join user [ | search `wineventlog_security` EventCode=4768 CertThumbprint=* | rename TargetUserName as user, Computer as auth_dest, IpAddress as auth_src | fields auth_src,auth_dest,user ] | eval src = upper(coalesce(auth_src,req_src)), dest = upper(coalesce(auth_dest,req_dest_1,req_dest_2)), risk_score = 90 | eval flavor_text = case(signature_id==\"4887\", \"User account [\".'user'.\"] authenticated after a suspicious certificate was issued for it by [\".'src_user'.\"] using certificate request ID: \".'ssl_serial') | fields - req_* auth_* | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates___esc1_authentication_filter`", "how_to_implement": "To implement this analytic, enhanced Audit Logging must be enabled on AD CS and within Group Policy Management for CS server. See Page 115 of first reference. Recommend throttle correlation by RequestId/ssl_serial at minimum.", "known_false_positives": "False positives may be generated in environments where administrative users or processes are allowed to generate certificates with Subject Alternative Names for authentication. Sources or templates used in these processes may need to be tuned out for accurate function.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_steal_authentication_certificates___esc1_authentication_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Steal Authentication Certificates Certificate Issued", "author": "Michael Haag, Splunk", "date": "2023-02-06", "version": 1, "id": "9b1a5385-0c31-4c39-9753-dc26b8ce64c2", "description": "The following analytic identifies when a new certificate is issued against the Certificate Services - AD CS. By its very nature this is not malicious, but should be tracked and correlated with other events related to certificates being issued. When the CA issues the certificate, it creates EID 4887 'Certificate Services approved a certificate request and issued a certificate\". The event supplies the requester user context, the DNS hostname of the machine they requested the certificate from, and the time they requested the certificate. The attributes fields in these event commonly has values for CDC, RMD, and CCM which correspond to Client DC, Request Machine DNS name, and Cert Client Machine, respectively.", "references": ["https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf"], "tags": {"analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A certificate was issued to $dest$.", "risk_score": 8, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}]}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4887 | stats count min(_time) as firstTime max(_time) as lastTime by dest, name, Requester, action, Attributes, Subject | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_steal_authentication_certificates_certificate_issued_filter`", "how_to_implement": "To implement this analytic, enhanced Audit Logging must be enabled on AD CS and within Group Policy Management for CS server. See Page 115 of first reference.", "known_false_positives": "False positives will be generated based on normal certificates issued. Leave enabled to generate Risk, as this is meant to be an anomaly analytic.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_steal_authentication_certificates_certificate_issued_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Steal Authentication Certificates Certificate Request", "author": "Michael Haag, Splunk", "date": "2023-02-06", "version": 1, "id": "747d7800-2eaa-422d-b994-04d8bb9e06d0", "description": "The following analytic identifies when a new certificate is requested against the Certificate Services - AD CS. By its very nature this is not malicious, but should be tracked and correlated with other events related to certificate requests. When an account requests a certificate, the CA generates event ID (EID) 4886 \"Certificate Services received a certificate request\".", "references": ["https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf"], "tags": {"analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A certificate was requested by $dest$.", "risk_score": 8, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}]}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4886 | stats count min(_time) as firstTime max(_time) as lastTime by dest, name, Requester, action, Attributes | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates_certificate_request_filter`", "how_to_implement": "To implement this analytic, enhanced Audit Logging must be enabled on AD CS and within Group Policy Management for CS server. See Page 115 of first reference.", "known_false_positives": "False positives will be generated based on normal certificate requests. Leave enabled to generate Risk, as this is meant to be an anomaly analytic.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_steal_authentication_certificates_certificate_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Steal Authentication Certificates CertUtil Backup", "author": "Michael Haag, Splunk", "date": "2024-05-04", "version": 2, "id": "bac85b56-0b65-4ce5-aad5-d94880df0967", "description": "The following analytic detects CertUtil.exe performing a backup of the Certificate Store. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line executions involving CertUtil with backup parameters. This activity is significant because it may indicate an attempt to steal authentication certificates, which are critical for secure communications. If confirmed malicious, an attacker could use the stolen certificates to impersonate users, decrypt sensitive data, or gain unauthorized access to systems, leading to severe security breaches.", "references": ["https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf"], "tags": {"analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to backup the Certificate Store.", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` Processes.process IN (\"*-backupdb *\", \"*-backup *\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates_certutil_backup_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will be generated based on normal certificate store backups. Leave enabled to generate Risk, as this is meant to be an anomaly analytic. If CS backups are not normal, enable as TTP.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_certutil", "definition": "(Processes.process_name=certutil.exe OR Processes.original_file_name=CertUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_steal_authentication_certificates_certutil_backup_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Steal Authentication Certificates CryptoAPI", "author": "Michael Haag, Splunk", "date": "2023-02-08", "version": 1, "id": "905d5692-6d7c-432f-bc7e-a6b4f464d40e", "description": "The following analytic utilizes a Windows Event Log - CAPI2 - or CryptoAPI 2, to identify suspicious certificate extraction. Typically, this event log is meant for diagnosing PKI issues, however is a great source to identify certificate exports. Note that this event log is noisy as it captures common PKI requests from many different processes. EventID 70 is generated anytime a certificate is exported. The description for EventID 70 is \"Acquire Certificate Private Key\". STRT tested this analytic using Mimikatz binary and the implementation of Mimikatz in Cobalt Strike.", "references": ["https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-vista/cc749296(v=ws.10)"], "tags": {"analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Certificates were exported via the CryptoAPI 2 on $dest$.", "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}]}, "type": "Anomaly", "search": "`capi2_operational` EventCode=70 | xmlkv UserData_Xml | stats count min(_time) as firstTime max(_time) as lastTime by Computer, UserData_Xml | rename Computer as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates_cryptoapi_filter`", "how_to_implement": "To implement this analytic, one will need to enable the Microsoft-Windows-CAPI2/Operational log within the Windows Event Log. Note this is a debug log for many purposes, and the analytic only focuses in on EventID 70. Review the following gist for additional enabling information.", "known_false_positives": "False positives may be present in some instances of legitimate applications requiring to export certificates. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "capi2_operational", "definition": "(source=XmlWinEventLog:Microsoft-Windows-CAPI2/Operational)", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_steal_authentication_certificates_cryptoapi_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Steal Authentication Certificates CS Backup", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 2, "id": "a2f4cc7f-6503-4078-b206-f83a29f408a7", "description": "The following analytic identifies the backup of the Active Directory Certificate Services (AD CS) store, detected via Event ID 4876. This event is logged when a backup is performed using the CertSrv.msc UI or the CertUtil.exe -BackupDB command. Monitoring this activity is crucial as unauthorized backups can indicate an attempt to steal authentication certificates, which are critical for secure communications. If confirmed malicious, this activity could allow an attacker to impersonate users, escalate privileges, or access sensitive information, severely compromising the security of the environment.", "references": ["https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf"], "tags": {"analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The Active Directory Certiciate Services was backed up on $dest$.", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}]}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4876| stats count min(_time) as firstTime max(_time) as lastTime by dest, name, action, Caller_Domain ,Caller_User_Name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates_cs_backup_filter`", "how_to_implement": "To implement this analytic, enhanced Audit Logging must be enabled on AD CS and within Group Policy Management for CS server. See Page 128 of first reference.", "known_false_positives": "False positives will be generated based on normal certificate store backups. Leave enabled to generate Risk, as this is meant to be an anomaly analytic. If CS backups are not normal, enable as TTP.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_steal_authentication_certificates_cs_backup_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Steal Authentication Certificates Export Certificate", "author": "Michael Haag, Splunk", "date": "2024-05-10", "version": 2, "id": "e39dc429-c2a5-4f1f-9c3c-6b211af6b332", "description": "The following analytic detects the use of the PowerShell cmdlet 'export-certificate' executed via the command line, indicating an attempt to export a certificate from the local Windows Certificate Store. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. Exporting certificates is significant as it may indicate credential theft or preparation for man-in-the-middle attacks. If confirmed malicious, this activity could allow an attacker to impersonate users, decrypt sensitive communications, or gain unauthorized access to systems and data.", "references": ["https://dev.to/iamthecarisma/managing-windows-pfx-certificates-through-powershell-3pj", "https://learn.microsoft.com/en-us/powershell/module/pki/export-certificate?view=windowsserver2022-ps"], "tags": {"analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to export a certificate from the local Windows Certificate Store.", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*export-certificate*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates_export_certificate_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Filtering may be requried based on automated utilities and third party applications that may export certificates.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_steal_authentication_certificates_export_certificate_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Steal Authentication Certificates Export PfxCertificate", "author": "Michael Haag, Splunk", "date": "2024-05-15", "version": 2, "id": "391329f3-c14b-4b8d-8b37-ac5012637360", "description": "The following analytic detects the use of the PowerShell cmdlet `export-pfxcertificate` on the command line, indicating an attempt to export a certificate from the local Windows Certificate Store. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant as it may indicate an attempt to exfiltrate authentication certificates, which can be used to impersonate users or decrypt sensitive data. If confirmed malicious, this could lead to unauthorized access and potential data breaches.", "references": ["https://dev.to/iamthecarisma/managing-windows-pfx-certificates-through-powershell-3pj", "https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps"], "tags": {"analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to export a certificate from the local Windows Certificate Store.", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*export-pfxcertificate*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates_export_pfxcertificate_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Filtering may be requried based on automated utilities and third party applications that may export certificates.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_steal_authentication_certificates_export_pfxcertificate_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Steal or Forge Kerberos Tickets Klist", "author": "Teoderick Contreras, Splunk", "date": "2022-11-30", "version": 1, "id": "09d88404-1e29-46cb-806c-1eedbc85ad5d", "description": "The following analytic identifies a process execution of Windows OS klist.exe tool. This tool is being abused or used by several post exploitation tool such as winpeas that being used by ransomware prestige to display or gather list of currently cached kerberos ticket. This cahced data can be used for lateral movement or even privilege escalation on the targeted host. This hunting query can be a good pivot in possible kerberos attack or pass the hash technique.", "references": ["https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["Prestige Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "process klist.exe executed in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=\"klist.exe\" OR Processes.original_file_name = \"klist.exe\" Processes.parent_process_name IN (\"cmd.exe\", \"powershell*\") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_or_forge_kerberos_tickets_klist_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_steal_or_forge_kerberos_tickets_klist_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Suspect Process With Authentication Traffic", "author": "Steven Dick", "date": "2023-06-13", "version": 1, "id": "953322db-128a-4ce9-8e89-56e039e33d98", "description": "This analytic identifies executables running from public or temporary locations that are communicating over windows domain authentication ports/protocol. The ports/protocols include LDAP(389), LDAPS(636), and Kerberos(88). Authentications from applications running from user controlled locations may not be malicious, however actors often attempt to access domain resources after initial compromise from executables in these locations. Most attacker toolkits offer some degree of interaction with AD/LDAP.", "references": ["https://attack.mitre.org/techniques/T1069/002/", "https://book.hacktricks.xyz/network-services-pentesting/pentesting-kerberos-88"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "Hostname", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "The process $process_name$ on $src$ has been communicating with $dest$ on $dest_port$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT41", "BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Scattered Spider", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_Traffic.process_id) as process_id from datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port IN (\"88\",\"389\",\"636\") AND All_Traffic.app IN (\"*\\\\users\\\\*\", \"*\\\\programdata\\\\*\", \"*\\\\temp\\\\*\", \"*\\\\Windows\\\\Tasks\\\\*\", \"*\\\\appdata\\\\*\", \"*\\\\perflogs\\\\*\") by All_Traffic.app,All_Traffic.src,All_Traffic.src_ip,All_Traffic.user,All_Traffic.dest,All_Traffic.dest_ip,All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rex field=app \".*\\\\\\(?.*)$\" | rename app as process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_suspect_process_with_authentication_traffic_filter`", "how_to_implement": "To implement this analytic, Sysmon should be installed in the environment and generating network events for userland and/or known public writable locations.", "known_false_positives": "Known applications running from these locations for legitimate purposes. Targeting only kerberos (port 88) may significantly reduce noise.", "datamodel": ["Network_Traffic"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_suspect_process_with_authentication_traffic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows System Binary Proxy Execution Compiled HTML File Decompile", "author": "Michael Haag, Splunk", "date": "2022-08-31", "version": 1, "id": "2acf0e19-4149-451c-a3f3-39cd3c77e37d", "description": "The following analytic identifies the decompile parameter with the HTML Help application, HH.exe. This is a uncommon command to see ran and behavior. Most recently this was seen in a APT41 campaign where a CHM file was delivered and a script inside used a technique for running an arbitrary command in a CHM file via an ActiveX object. This unpacks an HTML help file to a specified path for launching the next stage.", "references": ["https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "https://redcanary.com/blog/introducing-atomictestharnesses/", "https://attack.mitre.org/techniques/T1218/001/", "https://docs.microsoft.com/en-us/windows/win32/api/htmlhelp/nf-htmlhelp-htmlhelpa"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious Compiled HTML Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "$process_name$ has been identified using decompile against a CHM on $dest$ under user $user$.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.001", "mitre_attack_technique": "Compiled HTML File", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "APT41", "Dark Caracal", "OilRig", "Silence"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_hh` Processes.process=*-decompile* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_binary_proxy_execution_compiled_html_file_decompile_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_hh", "definition": "(Processes.process_name=hh.exe OR Processes.original_file_name=HH.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_system_binary_proxy_execution_compiled_html_file_decompile_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows System Discovery Using ldap Nslookup", "author": "Teoderick Contreras, Splunk", "date": "2022-10-21", "version": 1, "id": "2418780f-7c3e-4c45-b8b4-996ea850cd49", "description": "The following analytic identifies the execution of nslookup.exe tool to get domain information. Nslookup.exe is a command-line tool that can display information to diagnose domain name systems. This Nslookup feature is being abused by Qakbot malware to gather domain information such as SRV service location records, server name and many more.", "references": ["https://securelist.com/qakbot-technical-analysis/103931/", "https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/verify-srv-dns-records-have-been-created"], "tags": {"analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "System nslookup domain discovery on $dest$", "risk_score": 1, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = \"nslookup.exe\" OR Processes.original_file_name = \"nslookup.exe\") AND Processes.process = \"*_ldap._tcp.dc._msdcs*\" by Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `windows_system_discovery_using_ldap_nslookup_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "dministrator may execute this commandline tool for auditing purposes. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_system_discovery_using_ldap_nslookup_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows System Discovery Using Qwinsta", "author": "Teoderick Contreras, Splunk", "date": "2022-10-21", "version": 1, "id": "2e765c1b-144a-49f0-93d0-1df4287cca04", "description": "The following analytic identifies the execution of qwinsta.exe executable in Windows Operating System. This Windows executable file can display information about sessions on a remote desktop session host server. The information includes servername, sessionname, username and many more. This tool is being abused of Qakbot malware to gather information to the targeted or compromised host that will be send back to its Command And Control server.", "references": ["https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/qwinsta", "https://securelist.com/qakbot-technical-analysis/103931/"], "tags": {"analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "System qwinsta domain discovery on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"qwinsta.exe\" OR Processes.original_file_name = \"qwinsta.exe\" by Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `windows_system_discovery_using_qwinsta_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator may execute this commandline tool for auditing purposes. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_system_discovery_using_qwinsta_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows System File on Disk", "author": "Michael Haag, Splunk", "date": "2022-05-16", "version": 2, "id": "993ce99d-9cdd-42c7-a2cf-733d5954e5a6", "description": "The following hunting analytic will assist with identifying new .sys files introduced in the environment. This query is meant to identify sys file creates on disk. There will be noise, but reducing common process names or applications should help to limit any volume. The idea is to identify new sys files written to disk and identify them before they're added as a new kernel mode driver.", "references": ["https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/"], "tags": {"analytic_story": ["CISA AA22-264A", "Windows Drivers"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A new driver is present on $dest$.", "risk_score": 10, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name=\"*.sys*\" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.file_hash | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_system_file_on_disk_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on files from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. In addition, filtering may occur by adding NOT (Filesystem.file_path IN (\"*\\\\Windows\\\\*\", \"*\\\\Program File*\", \"*\\\\systemroot\\\\*\",\"%SystemRoot%*\", \"system32\\*\")). This will level out the noise generated to potentally lead to generating notables.", "known_false_positives": "False positives will be present. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_system_file_on_disk_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows System LogOff Commandline", "author": "Teoderick Contreras, Splunk", "date": "2022-07-27", "version": 1, "id": "74a8133f-93e7-4b71-9bd3-13a66124fd57", "description": "The following analytic identifies Windows commandline to logoff a windows host machine. This technique was seen in several APT, RAT like dcrat and other commodity malware to shutdown the machine to add more impact, interrupt access, aid destruction of the system like wiping disk or inhibit system recovery. This TTP is a good pivot to check why application trigger this commandline which is not so common way to logoff a machine.", "references": ["https://attack.mitre.org/techniques/T1529/", "https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor"], "tags": {"analytic_story": ["DarkCrystal RAT", "NjRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Process name $process_name$ is seen to execute logoff commandline on $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = shutdown.exe OR Processes.original_file_name = shutdown.exe) Processes.process=\"*shutdown*\" Processes.process IN (\"* /l*\", \"* -l*\") Processes.process IN (\"* /t*\",\"* -t*\",\"* /f*\",\"* -f*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_logoff_commandline_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator may execute this commandline to trigger shutdown, logoff or restart the host machine.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_system_logoff_commandline_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows System Network Config Discovery Display DNS", "author": "Teoderick Contreras, Splunk", "date": "2022-11-30", "version": 1, "id": "e24f0a0e-41a9-419f-9999-eacab15efc36", "description": "The following analytic identifies a process command line that retrieves dns reply information using Windows OS built-in tool IPConfig. This technique is being abused by threat actors, adversaries and post exploitation tools like WINPEAS to retrieve DNS information for the targeted host. This IPConfig parameter (/displaydns) can show dns server resource record, record name, record type, time to live data length and dns reply. This hunting detection can be a good pivot to check which process is executing this command line in specific host system that may lead to malware or adversaries gathering network information.", "references": ["https://superuser.com/questions/230308/explain-output-of-ipconfig-displaydns", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["Prestige Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "process $process_name$ with commandline $process$ is executed in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=\"ipconfig.exe\" OR Processes.original_file_name = \"ipconfig.exe\" AND Processes.process = \"*/displaydns*\" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_network_config_discovery_display_dns_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_system_network_config_discovery_display_dns_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows System Network Connections Discovery Netsh", "author": "Teoderick Contreras, Splunk", "date": "2022-11-30", "version": 1, "id": "abfb7cc5-c275-4a97-9029-62cd8d4ffeca", "description": "The following analytic identifies a process execution of Windows OS built-in tool netsh.exe to show state, configuration and profile of host firewall. This tool is being used or abused by several adversaries or even post exploitation tool to bypass firewall rules or to discover firewall settings. This hunting detection can help to detect a possible suspicious usage of netsh.exe to retrieve firewall settings or even firewall wlan profile. We recommend checking which parent process and process name execute this command. Also check the process file path for verification that may lead to further TTP's threat behavior.", "references": ["https://attack.mitre.org/techniques/T1049/", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["Prestige Ransomware", "Snake Keylogger", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "netsh process with command line $process$ in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "APT5", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh`AND Processes.process = \"* show *\" Processes.process IN (\"*state*\", \"*config*\", \"*wlan*\", \"*profile*\") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_network_connections_discovery_netsh_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "network administrator can use this tool for auditing process.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_netsh", "definition": "(Processes.process_name=netsh.exe OR Processes.original_file_name=netsh.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_system_network_connections_discovery_netsh_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows System Reboot CommandLine", "author": "Teoderick Contreras, Splunk", "date": "2022-07-27", "version": 1, "id": "97fc2b60-c8eb-4711-93f7-d26fade3686f", "description": "The following analytic identifies Windows commandline to reboot a windows host machine. This technique was seen in several APT, RAT like dcrat and other commodity malware to shutdown the machine to add more impact, interrupt access, aid destruction of the system like wiping disk or inhibit system recovery. This TTP is a good pivot to check why application trigger this commandline which is not so common way to reboot a machine. Compare to shutdown and logoff shutdown.exe feature, reboot seen in some automation script like ansible to reboot the machine.", "references": ["https://attack.mitre.org/techniques/T1529/", "https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor"], "tags": {"analytic_story": ["DarkCrystal RAT", "DarkGate Malware", "NjRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Process $process_name$ that executed reboot via commandline on $dest$", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = shutdown.exe OR Processes.original_file_name = shutdown.exe) Processes.process=\"*shutdown*\" Processes.process IN (\"* /r*\", \"* -r*\") Processes.process IN (\"* /t*\",\"* -t*\",\"* /f*\",\"* -f*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_reboot_commandline_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator may execute this commandline to trigger shutdown or restart the host machine.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_system_reboot_commandline_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows System Script Proxy Execution Syncappvpublishingserver", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 2, "id": "8dd73f89-682d-444c-8b41-8e679966ad3c", "description": "The following analytic detects the execution of Syncappvpublishingserver.vbs via wscript.exe or cscript.exe, which may indicate an attempt to download remote files or perform privilege escalation. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. Monitoring this activity is crucial as it can signify malicious use of a native Windows script for unauthorized actions. If confirmed malicious, this behavior could lead to unauthorized file downloads or elevated privileges, posing a significant security risk.", "references": ["https://lolbas-project.github.io/lolbas/Scripts/Syncappvpublishingserver/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md#atomic-test-1---syncappvpublishingserver-signed-script-powershell-command-execution"], "tags": {"analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to download files or evade critical controls.", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1216", "mitre_attack_technique": "System Script Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (\"wscript.exe\",\"cscript.exe\") Processes.process=\"*syncappvpublishingserver.vbs*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_script_proxy_execution_syncappvpublishingserver_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present if the vbscript syncappvpublishingserver is used for legitimate purposes. Filter as needed. Adding a n; to the command-line arguments may help reduce any noise.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_system_script_proxy_execution_syncappvpublishingserver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows System Shutdown CommandLine", "author": "Teoderick Contreras, Splunk", "date": "2023-06-20", "version": 2, "id": "4fee57b8-d825-4bf3-9ea8-bf405cdb614c", "description": "This detection rule is designed to identify the execution of the Windows shutdown command via command line interface. The shutdown command can be utilized by system administrators to properly halt, power off, or reboot a computer. However, in a security context, attackers who have gained unauthorized access to a system may also use this command in an effort to erase tracks, or to cause disruption and denial of service. In some instances, they might execute the shutdown command after installing a backdoor, to force the system to restart, ensuring that changes take effect or evading detection by security tools. Monitoring for the use of the Windows shutdown command, especially in conjunction with other unusual or unauthorized activities, can be an important part of identifying malicious behavior within a network. It is advised that security professionals analyze the context in which the shutdown command is being executed to differentiate between legitimate administrative functions and potentially malicious activity.", "references": ["https://attack.mitre.org/techniques/T1529/", "https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor"], "tags": {"analytic_story": ["DarkCrystal RAT", "DarkGate Malware", "NjRAT", "Sandworm Tools"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Process $process_name$ seen to execute shutdown via commandline on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = shutdown.exe OR Processes.original_file_name = shutdown.exe) Processes.process=\"*shutdown*\" AND Processes.process IN(\"* /s*\", \"* -s*\") AND Processes.process IN (\"* /t*\",\"* -t*\",\"* /f*\",\"* -f*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_shutdown_commandline_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator may execute this commandline to trigger shutdown or restart the host machine.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_system_shutdown_commandline_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows System Time Discovery W32tm Delay", "author": "Teoderick Contreras, Splunk", "date": "2022-07-28", "version": 1, "id": "b2cc69e7-11ba-42dc-a269-59c069a48870", "description": "The following analytic identifies DCRat delay time tactics using w32tm. This technique was seen in DCRAT malware where it uses stripchart function of w32tm.exe application to delay the execution of its payload like c2 communication , beaconing and execution. This anomaly detection may help the analyst to check other possible event like the process who execute this command that may lead to DCRat attack.", "references": ["https://cert.gov.ua/article/405538", "https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat", "https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor"], "tags": {"analytic_story": ["DarkCrystal RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Process name w32tm.exe is using suspcicious command line arguments $process$ on host $dest$.", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1124", "mitre_attack_technique": "System Time Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Darkhotel", "Higaisa", "Lazarus Group", "Sidewinder", "The White Company", "Turla", "ZIRCONIUM"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = w32tm.exe Processes.process= \"* /stripchart *\" Processes.process= \"* /computer:localhost *\" Processes.process= \"* /period:*\" Processes.process= \"* /dataonly *\" Processes.process= \"* /samples:*\" by Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_time_discovery_w32tm_delay_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_system_time_discovery_w32tm_delay_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows System User Discovery Via Quser", "author": "Teoderick Contreras, Splunk", "date": "2022-11-30", "version": 1, "id": "0c3f3e09-e47a-410e-856f-a02a5c5fafb0", "description": "The following analytic identifies a process execution of Windows OS quser.exe tool. This tool is being abused or used by several post exploitation tool such as winpeas that being used by ransomware prestige to display or gather information about user sessions on a Remote Desktop Session Host server. This command can find out if a specific user is logged on to a specific Remote Desktop Session Host server. This tool can retrieve some RDP information that can be use by attacker for further attack like Name of the user , Name of the session on the Remote Desktop Session Host server, Session ID, State of the session (active or disconnected), Idle time (the number of minutes since the last keystroke or mouse movement at the session) and Date and time the user logged on.", "references": ["https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/quser", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["Prestige Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "execution of process $process_name$ in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=\"quser.exe\" OR Processes.original_file_name = \"quser.exe\" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_user_discovery_via_quser_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "network administrator can use this command tool to audit RDP access of user in specific network or host.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_system_user_discovery_via_quser_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows System User Privilege Discovery", "author": "Teoderick Contreras, Splunk", "date": "2023-12-15", "version": 1, "id": "8c9a06bc-9939-4425-9bb9-be2371f7fb7e", "description": "This analytic looks for the execution of `whoami.exe` with /priv parameter. This whoami command is used to display or shows the privileges assigned to the current user account. This hunting query can be a good pivot start to look for suspicious usage of whoami application that might related to a malware or adversaries.", "references": ["https://attack.mitre.org/techniques/T1033/", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a"], "tags": {"analytic_story": ["CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Activity related to system user privilege discovery detected on $dest$ using whoami.exe.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=\"whoami.exe\" Processes.process= \"*/priv*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_user_privilege_discovery_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_system_user_privilege_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Terminating Lsass Process", "author": "Teoderick Contreras, Splunk", "date": "2023-04-14", "version": 1, "id": "7ab3c319-a4e7-4211-9e8c-40a049d0dba6", "description": "This analytic is to detect a suspicious process terminating Lsass process. Lsass process is known to be a critical process that is responsible for enforcing security policy system. This process was commonly targetted by threat actor or red teamer to gain privilege escalation or persistence in the targeted machine because it handles credentials of the logon users. In this analytic we tried to detect a suspicious process having a granted access PROCESS_TERMINATE to lsass process to modify or delete protected registrys. This technique was seen in doublezero malware that tries to wipe files and registry in compromised hosts. This anomaly detection can be a good pivot of incident response for possible credential dumping or evading security policy in a host or network environment.", "references": ["https://blog.talosintelligence.com/2022/03/threat-advisory-doublezero.html"], "tags": {"analytic_story": ["Data Destruction", "Double Zero Destructor"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "TargetImage", "type": "Process", "role": ["Target"]}], "message": "a process $SourceImage$ terminates Lsass process in $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "Anomaly", "search": "`sysmon` EventCode=10 TargetImage=*lsass.exe GrantedAccess = 0x1 | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage, TargetImage, TargetProcessId, SourceProcessId, GrantedAccess CallTrace, dest | rename dest as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_terminating_lsass_process_filter`", "how_to_implement": "This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 10 for lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_terminating_lsass_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Time Based Evasion", "author": "Teoderick Contreras, Splunk", "date": "2023-09-08", "version": 1, "id": "34502357-deb1-499a-8261-ffe144abf561", "description": "This analytic is designed to detect potentially malicious processes that initiate a ping delay using an invalid IP address. This evasion technique was observed in NJRAT, where the malware employed ping commands as a means to introduce a time delay before self-deletion on the compromised host. Identifying this (TTP) behavior can serve as a valuable indicator for detecting NJRAT infections or other malware that employ time delays as evasion tactics.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat"], "tags": {"analytic_story": ["NjRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A $process_name$ did a suspicious ping to invalid IP address on $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1497", "mitre_attack_technique": "Virtualization/Sandbox Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": ["Darkhotel"]}, {"mitre_attack_id": "T1497.003", "mitre_attack_technique": "Time Based Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"ping.exe\" Processes.parent_process = \"* ping 0 -n *\" OR Processes.process = \"* ping 0 -n *\" by Processes.parent_process Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_time_based_evasion_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_time_based_evasion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Time Based Evasion via Choice Exec", "author": "Teoderick Contreras, Splunk", "date": "2024-02-14", "version": 1, "id": "d5f54b38-10bf-4b3a-b6fc-85949862ed50", "description": "This analytic is designed to detect potentially suspicious batch files that leverage choice.exe as a delay tactic. This technique, observed in the SnakeKeylogger malware, is utilized for time delays or 'Sleep' commands in its code execution or before the deletion of its copies on compromised hosts. Detecting this anomaly serves as a valuable pivot to uncover suspicious processes attempting to evade detection through time-based evasion techniques.", "references": ["https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/choice", "https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger"], "tags": {"analytic_story": ["Snake Keylogger"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A $process_name$ has a choice time delay commandline on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1497.003", "mitre_attack_technique": "Time Based Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1497", "mitre_attack_technique": "Virtualization/Sandbox Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": ["Darkhotel"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name =choice.exe Processes.process = \"*/T*\" Processes.process = \"*/N*\" by Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_time_based_evasion_via_choice_exec_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "administrator may use choice.exe to allow user to choose from and indexes of choices from a batch script.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_time_based_evasion_via_choice_exec_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows UAC Bypass Suspicious Child Process", "author": "Steven Dick", "date": "2023-11-20", "version": 1, "id": "453a6b0f-b0ea-48fa-9cf4-20537ffdd22c", "description": "The following analytic detects when an executable known for User Account Control bypass exploitation, spawns a child process in user controlled location or a command shell executable (cmd, powershell, etc). This behavioral chain may indicate that an attacker has used a UAC Bypass exploit to successfully escalate privileges.", "references": ["https://attack.mitre.org/techniques/T1548/002/", "https://atomicredteam.io/defense-evasion/T1548.002/", "https://hadess.io/user-account-control-uncontrol-mastering-the-art-of-bypassing-windows-uac/", "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/"], "tags": {"analytic_story": ["Living Off The Land", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User Name", "role": ["Victim"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker"]}], "message": "A UAC bypass parent process- $parent_process_name$ on host- $dest$ launched a suspicious child process - $process_name$.", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_integrity_level IN (\"high\",\"system\") AND Processes.parent_process_name IN (`uacbypass_process_name`) AND (Processes.process_name IN (\"cmd.exe\",\"powershell.exe\",\"pwsh.exe\",\"wscript\",\"cscript.exe\",\"bash.exe\",\"werfault.exe\") OR Processes.process IN (\"*\\\\\\\\*\",\"*\\\\Users\\\\*\",\"*\\\\ProgramData\\\\*\",\"*\\\\Temp\\\\*\")) by Processes.dest, Processes.user, Processes.parent_process_guid, Processes.parent_process, Processes.parent_process_name Processes.process_name Processes.process, Processes.process_path, Processes.process_integrity_level, Processes.process_current_directory | `drop_dm_object_name(Processes)` | where parent_process_name != process_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_uac_bypass_suspicious_child_process_filter`", "how_to_implement": "Target environment must ingest sysmon data, specifically Event ID 1 with process integrity level data.", "known_false_positives": "Including Werfault.exe may cause some unintended false positives related to normal application faulting, but is used in a number of UAC bypass techniques.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "uacbypass_process_name", "definition": "BitlockerWizardElev.exe,cliconfg.exe,clipup.exe,cmstp.exe,CompMgmtLauncher.exe,consent.exe,control.exe,credwiz.exe,dccw.exe,dismhost.exe,EventVwr.exe,fodhelper.exe,GWXUXWorker.exe,inetmgr.exe,iscsicli.exe,mcx2prov.exe,migwiz.exe,mmc.exe,msconfig.exe,oobe.exe,osk.exe,pkgmgr.exe,recdisc.exe,rstrui.exe,sdclt.exe,setupsqm.exe,slui.exe,sysprep.exe,SystemPropertiesAdvanced.exe,taskhost.exe,TpmInit.exe,tzsync.exe,w32tm.exe,WerFault.exe,WSReset.exe,wusa.exe", "description": "A listing of processes known to be abused for User Account Control bypass exploitation."}, {"name": "windows_uac_bypass_suspicious_child_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows UAC Bypass Suspicious Escalation Behavior", "author": "Steven Dick", "date": "2023-11-20", "version": 1, "id": "00d050d3-a5b4-4565-a6a5-a31f69681dc3", "description": "The following analytic detects when a process spawns an executable known for User Account Control bypass exploitation, and then monitors for any subsequent child processes that are above the integrity level of the original spawning process. This behavioral chain may indicate that an attacker has used a UAC Bypass exploit to successfully escalate privileges.", "references": ["https://attack.mitre.org/techniques/T1548/002/", "https://atomicredteam.io/defense-evasion/T1548.002/", "https://hadess.io/user-account-control-uncontrol-mastering-the-art-of-bypassing-windows-uac/", "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/"], "tags": {"analytic_story": ["Living Off The Land", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User Name", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Attacker"]}], "message": "A UAC bypass behavior was detected by parent process name- $parent_process_name$ on host $dest$ by $user$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_integrity_level IN (\"low\",\"medium\") by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.process_guid, Processes.process_path, Processes.process_integrity_level, Processes.process_current_directory | `drop_dm_object_name(Processes)` | eval original_integrity_level = CASE(match(process_integrity_level,\"low\"),1,match(process_integrity_level,\"medium\"),2,match(process_integrity_level,\"high\"),3,match(process_integrity_level,\"system\"),4,true(),0) | rename process_guid as join_guid_1, process* as parent_process* | join max=0 dest join_guid_1 [| tstats `security_content_summariesonly` count min(_time) as firstTime from datamodel=Endpoint.Processes where Processes.process_integrity_level IN (\"high\",\"system\") AND Processes.process_name IN (`uacbypass_process_name`) by Processes.dest, Processes.parent_process_guid, Processes.process_name, Processes.process_guid | `drop_dm_object_name(Processes)` | rename parent_process_guid as join_guid_1, process_guid as join_guid_2, process_name as uac_process_name ] | join max=0 dest join_guid_2 [| tstats `security_content_summariesonly` count min(_time) as firstTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (`uacbypass_process_name`) AND Processes.process_integrity_level IN (\"high\",\"system\") by Processes.dest, Processes.parent_process_guid, Processes.process_name, Processes.process, Processes.process_guid, Processes.process_path, Processes.process_integrity_level, Processes.process_current_directory | `drop_dm_object_name(Processes)` | rename parent_process_guid as join_guid_2 | eval elevated_integrity_level = CASE(match(process_integrity_level,\"low\"),1,match(process_integrity_level,\"medium\"),2,match(process_integrity_level,\"high\"),3,match(process_integrity_level,\"system\"),4,true(),0)] | where elevated_integrity_level > original_integrity_level | table dest user parent_process parent_process_name parent_process_integrity_level process_integrity_level process process_name uac_process_name count firstTime lastTime | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_uac_bypass_suspicious_escalation_behavior_filter`", "how_to_implement": "Target environment must ingest sysmon data, specifically Event ID 1 with process integrity level data.", "known_false_positives": "Including Werfault.exe may cause some unintended false positives related to normal application faulting, but is used in a number of UAC bypass techniques.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "uacbypass_process_name", "definition": "BitlockerWizardElev.exe,cliconfg.exe,clipup.exe,cmstp.exe,CompMgmtLauncher.exe,consent.exe,control.exe,credwiz.exe,dccw.exe,dismhost.exe,EventVwr.exe,fodhelper.exe,GWXUXWorker.exe,inetmgr.exe,iscsicli.exe,mcx2prov.exe,migwiz.exe,mmc.exe,msconfig.exe,oobe.exe,osk.exe,pkgmgr.exe,recdisc.exe,rstrui.exe,sdclt.exe,setupsqm.exe,slui.exe,sysprep.exe,SystemPropertiesAdvanced.exe,taskhost.exe,TpmInit.exe,tzsync.exe,w32tm.exe,WerFault.exe,WSReset.exe,wusa.exe", "description": "A listing of processes known to be abused for User Account Control bypass exploitation."}, {"name": "windows_uac_bypass_suspicious_escalation_behavior_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Unsecured Outlook Credentials Access In Registry", "author": "Teoderick Contreras, Splunk", "date": "2024-02-14", "version": 1, "id": "36334123-077d-47a2-b70c-6c7b3cc85049", "description": "The following analytic identifies a suspicious query on outlook credentials registry in Windows OS registry. typically refers to user profiles associated with Microsoft Outlook. Within this key, Outlook stores configuration settings, including account information such as email addresses, server details, and authentication credentials. Accessing or modifying this registry key can potentially compromise users' email security, making it a target for attackers seeking to steal sensitive information or execute unauthorized actions within Outlook. This anomaly detection is a good pivot to catch possible Trojan Stealer or RAT that tries to steal sensitive information to its targeted host.", "references": ["https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/choice", "https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger"], "tags": {"analytic_story": ["Snake Keylogger"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A suspicious process $process_name$ accessing outlook credentials registry on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4663 object_file_path IN (\"*\\\\Profiles\\\\Outlook\\\\9375CFF0413111d3B88A00104B2A6676*\", \"*\\\\Windows Messaging Subsystem\\\\Profiles\\\\9375CFF0413111d3B88A00104B2A6676*\") AND process_name != *\\\\outlook.exe | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_unsecured_outlook_credentials_access_in_registry_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable \"Audit Object Access\" in Group Policy. Then check the two boxes listed for both \"Success\" and \"Failure.\"", "known_false_positives": "third party software may access this outlook registry.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_unsecured_outlook_credentials_access_in_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Unsigned DLL Side-Loading", "author": "Teoderick Contreras, Splunk", "date": "2023-07-26", "version": 1, "id": "5a83ce44-8e0f-4786-a775-8249a525c879", "description": "This analytic focuses on detecting potentially malicious unsigned DLLs created in either the c:\\windows\\system32 or c:\\windows\\syswow64 folders. This particular technique was observed in the context of the Warzone (Ave Maria) RAT, where it employed a method known as DLL hijacking (dll-side-loading) by dropping the \"dismcore.dll\" to achieve privilege escalation. DLL hijacking is a stealthy attack technique used by cybercriminals to exploit the way Windows searches and loads DLLs. By placing a malicious DLL with the same name as one that a legitimate application is expected to load, the attacker can gain unauthorized access and execute malicious code. In the case of Warzone RAT (Ave Maria), the dropped \"dismcore.dll\" was intended to deceive the system into loading the rogue DLL instead of the legitimate version, thereby granting the malware elevated privileges and enabling further compromise of the target system. Detecting such suspicious DLLs is crucial in preventing privilege escalation attacks and other potential security breaches. Regular security assessments, thorough monitoring, and implementing security best practices are essential in safeguarding systems from such threats.", "references": ["https://asec.ahnlab.com/en/17692/", "https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/warzone#:~:text=Warzone%20RAT%20(AKA%20Ave%20Maria)%20is%20a%20remote%20access%20trojan,is%20as%20an%20information%20stealer."], "tags": {"analytic_story": ["NjRAT", "Warzone RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "An unsigned dll module was loaded on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Cinnamon Tempest", "Earth Lusca", "FIN13", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}]}, "type": "Anomaly", "search": "`sysmon` EventCode=7 Signed=false OriginalFileName = \"-\" SignatureStatus=\"unavailable\" ImageLoaded IN (\"*:\\\\windows\\\\system32\\\\*\", \"*:\\\\windows\\\\syswow64\\\\*\") | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded Signed SignatureStatus OriginalFileName process_name dest EventCode ProcessId Hashes IMPHASH | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_unsigned_dll_side_loading_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "It is possible some Administrative utilities will load dismcore.dll outside of normal system paths, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_unsigned_dll_side_loading_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Unsigned MS DLL Side-Loading", "author": "Teoderick Contreras, Splunk", "date": "2024-04-05", "version": 1, "id": "8d9e0e06-ba71-4dc5-be16-c1a46d58728c", "description": "The following analysis identifies potential DLL side-loading instances involving unsigned DLLs with a company detail signature mimicking Microsoft. This technique is frequently exploited by adversaries to execute malicious code automatically by running a legitimate process. The analytics involves searching Sysmon logs for Event Code 7, where both the `Image` and `ImageLoaded` paths do not match system directories (`system32`, `syswow64`, and `programfiles`). Additionally, it verifies whether the loaded DLL is signed and checks if the folder paths of the `Image` and `ImageLoaded` are identical. This anomaly detection mechanism serves as a valuable indicator for identifying suspicious processes that load unsigned DLLs. Add other paths based on org hunting.", "references": ["https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties", "https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader"], "tags": {"analytic_story": ["APT29 Diplomatic Deceptions with WINELOADER"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "Image", "type": "File Name", "role": ["Attacker"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An instance of $Image$ loading Unsigned $ImageLoaded$ was detected on $dest$.", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Cinnamon Tempest", "Earth Lusca", "FIN13", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "`sysmon` EventCode=7 Company=\"Microsoft Corporation\" Signed=false SignatureStatus != Valid NOT (Image IN(\"C:\\\\Windows\\\\System32\\\\*\", \"C:\\\\Windows\\\\SysWow64\\\\*\", \"C:\\\\Program Files*\")) NOT (ImageLoaded IN(\"C:\\\\Windows\\\\System32\\\\*\", \"C:\\\\Windows\\\\SysWow64\\\\*\", \"C:\\\\Program Files*\")) | rex field=Image \"(?.+\\\\\\)\" | rex field=ImageLoaded \"(?.+\\\\\\)\" | where ImageFolderPath = ImageLoadedFolderPath | stats count min(_time) as firstTime max(_time) as lastTime by Image ProcessGuid ImageLoaded user Computer EventCode ImageFolderPath ImageLoadedFolderPath Company Description Product Signed SignatureStatus | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_unsigned_ms_dll_side_loading_filter`", "how_to_implement": "The analytic is designed to be run against Sysmon event logs collected from endpoints. The analytic requires the Sysmon event logs to be ingested into Splunk. The analytic searches for EventCode 7 where the Image is either SQLDumper.exe or SQLWriter.exe and the ImageLoaded is vcruntime140.dll. The search also filters out the legitimate loading of vcruntime140.dll from the System32 directory to reduce false positives. The analytic can be modified to include additional known good paths for vcruntime140.dll to further reduce false positives.", "known_false_positives": "False positives are possible if legitimate processes are loading vcruntime140.dll from non-standard directories. It is recommended to investigate the context of the process loading vcruntime140.dll to determine if it is malicious or not. Modify the search to include additional known good paths for vcruntime140.dll to reduce false positives.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_unsigned_ms_dll_side_loading_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos", "author": "Mauricio Velazco, Splunk", "date": "2022-09-22", "version": 1, "id": "f65aa026-b811-42ab-b4b9-d9088137648f", "description": "The following analytic identifies one source endpoint failing to authenticate with multiple disabled domain users using the Kerberos protocol. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using Kerberos to obtain initial access or elevate privileges. As attackers progress in a breach, mistakes will be made. In certain scenarios, adversaries may execute a password spraying attack against disabled users. Event 4768 is generated every time the Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT). Failure code `0x12` stands for `clients credentials have been revoked` (account disabled, expired or locked out).\nThe detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of users. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises.\nThis detection will only trigger on domain controllers, not on member servers or workstations.\nThe analytics returned fields allow analysts to investigate the event further by providing fields like source ip and attempted user accounts.", "references": ["https://attack.mitre.org/techniques/T1110/003/"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Password Spraying", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "IpAddress", "type": "Endpoint", "role": ["Attacker"]}], "message": "Potential Kerberos based password spraying attack from $IpAddress$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4768 TargetUserName!=*$ Status=0x12 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, IpAddress | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by IpAddress | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_disabled_users_failed_auth_using_kerberos_filter` ", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple disabled domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, multi-user systems missconfigured systems.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_unusual_count_of_disabled_users_failed_auth_using_kerberos_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos", "author": "Mauricio Velazco, Splunk", "date": "2022-09-22", "version": 1, "id": "f122cb2e-d773-4f11-8399-62a3572d8dd7", "description": "The following analytic identifies one source endpoint failing to authenticate with multiple invalid domain users using the Kerberos protocol. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using Kerberos to obtain initial access or elevate privileges. As attackers progress in a breach, mistakes will be made. In certain scenarios, adversaries may execute a password spraying attack using an invalid list of users. Event 4768 is generated every time the Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT). Failure code 0x6 stands for `client not found in Kerberos database` (the attempted user is not a valid domain user).\nThe detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of users. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises.\nThis detection will only trigger on domain controllers, not on member servers or workstations.\nThe analytics returned fields allow analysts to investigate the event further by providing fields like source ip and attempted user accounts.", "references": ["https://attack.mitre.org/techniques/T1110/003/"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Password Spraying", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "IpAddress", "type": "Endpoint", "role": ["Attacker"]}], "message": "Potential Kerberos based password spraying attack from $IpAddress$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4768 TargetUserName!=*$ Status=0x6 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, IpAddress | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by IpAddress | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_invalid_users_fail_to_auth_using_kerberos_filter` ", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple invalid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, multi-user systems and missconfigured systems.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_unusual_count_of_invalid_users_fail_to_auth_using_kerberos_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM", "author": "Mauricio Velazco, Splunk", "date": "2022-09-22", "version": 1, "id": "15603165-147d-4a6e-9778-bd0ff39e668f", "description": "The following analytic identifies one source endpoint failing to authenticate with multiple invalid users using the NTLM protocol. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using NTLM to obtain initial access or elevate privileges. As attackers progress in a breach, mistakes will be made. In certain scenarios, adversaries may execute a password spraying attack using an invalid list of users. Event 4776 is generated on the computer that is authoritative for the provided credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative. Error code 0xC0000064 stands for `The username you typed does not exist` (the attempted user is a legitimate domain user).\nThe detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of users. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises.\nThis detection will only trigger on domain controllers, not on member servers or workstations.\nThe analytics returned fields allow analysts to investigate the event further by providing fields like source workstation name and attempted user accounts.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-credential-validation", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776"], "tags": {"analytic_story": ["Active Directory Password Spraying", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "Endpoint", "role": ["Attacker"]}], "message": "Potential NTLM based password spraying attack from $src$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "type": "Anomaly", "search": " `wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xc0000064 | bucket span=2m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, Workstation | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by Workstation | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | rename Workstation as src |`windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `Audit Credential Validation' within `Account Logon` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple invalid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems. If this detection triggers on a host other than a Domain Controller, the behavior could represent a password spraying attack against the host's local accounts.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials", "author": "Mauricio Velazco, Splunk", "date": "2022-09-22", "version": 1, "id": "14f414cf-3080-4b9b-aaf6-55a4ce947b93", "description": "The following analytic identifies a source user failing to authenticate with multiple users using explicit credentials on a host. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment to obtain initial access or elevate privileges. Event 4648 is generated when a process attempts an account logon by explicitly specifying that accounts credentials. This event generates on domain controllers, member servers, and workstations.\nThe detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of users. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises.\nThis detection will trigger on the potenfially malicious host, perhaps controlled via a trojan or operated by an insider threat, from where a password spraying attack is being executed.\nThe analytics returned fields allow analysts to investigate the event further by providing fields like source account, attempted user accounts and the endpoint were the behavior was identified.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4648", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events"], "tags": {"analytic_story": ["Active Directory Password Spraying", "Insider Threat", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Endpoint", "role": ["Attacker"]}], "message": "Potential password spraying attack from $Computer$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "type": "Anomaly", "search": " `wineventlog_security` EventCode=4648 Caller_User_Name!=*$ Target_User_Name!=*$ | bucket span=5m _time | stats dc(Target_User_Name) AS unique_accounts values(Target_User_Name) as user by _time, Computer, Caller_User_Name | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by Computer | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials_filter` ", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.", "known_false_positives": "A source user failing attempting to authenticate multiple users on a host is not a common behavior for regular systems. Some applications, however, may exhibit this behavior in which case sets of users hosts can be added to an allow list. Possible false positive scenarios include systems where several users connect to like Mail servers, identity providers, remote desktop services, Citrix, etc.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Unusual Count Of Users Failed To Auth Using Kerberos", "author": "Mauricio Velazco, Splunk", "date": "2022-09-22", "version": 1, "id": "bc9cb715-08ba-40c3-9758-6e2b26e455cb", "description": "The following analytic identifies one source endpoint failing to authenticate with multiple valid users using the Kerberos protocol. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using Kerberos to obtain initial access or elevate privileges. Event 4771 is generated when the Key Distribution Center fails to issue a Kerberos Ticket Granting Ticket (TGT). Failure code 0x18 stands for `wrong password provided` (the attempted user is a legitimate domain user).\nThe detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of users. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises.\nThis detection will only trigger on domain controllers, not on member servers or workstations.\nThe analytics returned fields allow analysts to investigate the event further by providing fields like source ip and attempted user accounts.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn319109(v=ws.11)", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4771"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Password Spraying", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "IpAddress", "type": "Endpoint", "role": ["Attacker"]}], "message": "Potential Kerberos based password spraying attack from $IpAddress$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4771 TargetUserName!=\"*$\" Status=0x18 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, IpAddress | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by IpAddress | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_users_failed_to_auth_using_kerberos_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple valid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, missconfigured systems and multi-user systems like Citrix farms.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_unusual_count_of_users_failed_to_auth_using_kerberos_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Unusual Count Of Users Failed To Authenticate From Process", "author": "Mauricio Velazco, Splunk", "date": "2022-09-22", "version": 1, "id": "25bdb6cb-2e49-4d34-a93c-d6c567c122fe", "description": "The following analytic identifies a source process name failing to authenticate with multiple users. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment to obtain initial access or elevate privileges. Event 4625 generates on domain controllers, member servers, and workstations when an account fails to logon. Logon Type 2 describes an iteractive logon attempt.\nThe detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of users. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises.\nThis detection will trigger on the potenfially malicious host, perhaps controlled via a trojan or operated by an insider threat, from where a password spraying attack is being executed. This could be a domain controller as well as a member server or workstation.\nThe analytics returned fields allow analysts to investigate the event further by providing fields like source process name, source account and attempted user accounts.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events"], "tags": {"analytic_story": ["Active Directory Password Spraying", "Insider Threat", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Endpoint", "role": ["Attacker"]}], "message": "Potential password spraying attack from $Computer$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "type": "Anomaly", "search": " `wineventlog_security` EventCode=4625 Logon_Type=2 ProcessName!=\"-\" | bucket span=2m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, ProcessName, SubjectUserName, Computer | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by ProcessName, SubjectUserName, Computer | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_users_failed_to_authenticate_from_process_filter` ", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers aas well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.", "known_false_positives": "A process failing to authenticate with multiple users is not a common behavior for legitimate user sessions. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_unusual_count_of_users_failed_to_authenticate_from_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Unusual Count Of Users Failed To Authenticate Using NTLM", "author": "Mauricio Velazco, Splunk", "date": "2022-09-22", "version": 1, "id": "6f6c8fd7-6a6b-4af9-a0e9-57cfc47a58b4", "description": "The following analytic identifies one source endpoint failing to authenticate with multiple valid users using the NTLM protocol. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using NTLM to obtain initial access or elevate privileges. Event 4776 is generated on the computer that is authoritative for the provided credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative. Error code 0xC000006A means: misspelled or bad password (the attempted user is a legitimate domain user).\nThe detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of users. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises.\nThis detection will only trigger on domain controllers, not on member servers or workstations.\nThe analytics returned fields allow analysts to investigate the event further by providing fields like source workstation name and attempted user accounts.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-credential-validation", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776"], "tags": {"analytic_story": ["Active Directory Password Spraying", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "Workstation", "type": "Endpoint", "role": ["Victim"]}], "message": "Potential NTLM based password spraying attack from $Workstation$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "type": "Anomaly", "search": " `wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xC000006A | bucket span=2m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, Workstation | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by Workstation | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_users_failed_to_authenticate_using_ntlm_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `Audit Credential Validation` within `Account Logon` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple valid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems. If this detection triggers on a host other than a Domain Controller, the behavior could represent a password spraying attack against the host's local accounts.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_unusual_count_of_users_failed_to_authenticate_using_ntlm_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Unusual Count Of Users Remotely Failed To Auth From Host", "author": "Mauricio Velazco, Splunk", "date": "2022-09-22", "version": 1, "id": "cf06a0ee-ffa9-4ed3-be77-0670ed9bab52", "description": "The following analytic identifies a source host failing to authenticate against a remote host with multiple users. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment to obtain initial access or elevate privileges. Event 4625 documents each and every failed attempt to logon to the local computer. This event generates on domain controllers, member servers, and workstations. Logon Type 3 describes an remote authentication attempt.\nThe detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of users. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises.\nThis detection will trigger on the host that is the target of the password spraying attack. This could be a domain controller as well as a member server or workstation.\nThe analytics returned fields allow analysts to investigate the event further by providing fields like source process name, source account and attempted user accounts.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events"], "tags": {"analytic_story": ["Active Directory Password Spraying", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "message": "Potential password spraying attack on $Computer$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "type": "Anomaly", "search": " `wineventlog_security` EventCode=4625 Logon_Type=3 IpAddress!=\"-\" | bucket span=2m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, IpAddress, Computer | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by IpAddress, Computer | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_users_remotely_failed_to_auth_from_host_filter` ", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple valid users against a remote host is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, remote administration tools, missconfigyred systems, etc.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_unusual_count_of_users_remotely_failed_to_auth_from_host_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows User Execution Malicious URL Shortcut File", "author": "Teoderick Contreras, Splunk", "date": "2023-01-12", "version": 1, "id": "5c7ee6ad-baf4-44fb-b2f0-0cfeddf82dbc", "description": "This analytic will identify suspicious creation of URL shortcut link files. This technique was seen in CHAOS ransomware where it will drop this .url link file in %startup% folder that contains the path of its malicious dropped file to execute upon the reboot of the targeted host. The creation of this file can be created by a normal application or software but it is a good practice to verify this type of file specially the resource it tries to execute which is commonly a website.", "references": ["https://attack.mitre.org/techniques/T1204/002/", "https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-sides-with-russia"], "tags": {"analytic_story": ["Chaos Ransomware", "NjRAT", "Snake Keylogger"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "a process created URL shortcut file in $file_path$ of $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}]}, "type": "TTP", "search": "|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where NOT(Filesystem.file_path IN (\"*\\\\Program Files*\")) Filesystem.file_name = *.url by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.user Filesystem.file_path Filesystem.process_guid Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_user_execution_malicious_url_shortcut_file_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.", "known_false_positives": "Administrators may allow creation of script or exe in this path.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_user_execution_malicious_url_shortcut_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Valid Account With Never Expires Password", "author": "Teoderick Contreras, Splunk", "date": "2022-06-23", "version": 1, "id": "73a931db-1830-48b3-8296-cd9cfa09c3c8", "description": "The following analytic identifies net.exe updating user account policies for password requirement with non-expiring password. This technique was seen in several adversaries and malware like Azorult to maintain the foothold (persistence), gaining privilege escalation, defense evasion and possible for lateral movement for specific users or created user account on the targeted host. This TTP detections is a good pivot to see further what other events that users executes on the machines.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/", "https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/net-commands-on-operating-systems"], "tags": {"analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ attempting to make non-expiring password on host user accounts.", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND Processes.process=\"* accounts *\" AND Processes.process=\"* /maxpwage:unlimited\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_valid_account_with_never_expires_password_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "This behavior is not commonly seen in production environment and not advisable, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_valid_account_with_never_expires_password_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Vulnerable 3CX Software", "author": "Michael Haag, Splunk", "date": "2023-03-30", "version": 1, "id": "f2cc1584-46ee-485b-b905-977c067f36de", "description": "The following analytic leverages Sysmon, a powerful system monitoring and logging tool, to pinpoint instances of the 3CXDesktopApp.exe with a FileVersion of 18.12.x.Recently, 3CX has discovered a vulnerability specifically in versions 18.12.407 and 18.12.416 of the desktop app.", "references": ["https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/", "https://www.cisa.gov/news-events/alerts/2023/03/30/supply-chain-attack-against-3cxdesktopapp", "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/", "https://www.3cx.com/community/threads/crowdstrike-endpoint-security-detection-re-3cx-desktop-app.119934/page-2#post-558898", "https://www.3cx.com/community/threads/3cx-desktopapp-security-alert.119951/"], "tags": {"analytic_story": ["3CX Supply Chain Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "A known vulnerable instance of 3CX Software $process_name$ ran on $dest$, related to a supply chain attack.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1195.002", "mitre_attack_technique": "Compromise Software Supply Chain", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT41", "Cobalt Group", "Dragonfly", "FIN7", "GOLD SOUTHFIELD", "Sandworm Team", "Threat Group-3390"]}]}, "type": "TTP", "search": "`sysmon` (process_name=3CXDesktopApp.exe OR OriginalFileName=3CXDesktopApp.exe) FileVersion=18.12.* | stats count min(_time) as firstTime max(_time) as lastTime by dest, parent_process_name,process_name, OriginalFileName, CommandLine | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_vulnerable_3cx_software_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "False positives may be present based on file version, modify the analytic to only look for version between 18.12.407 and 18.12.416 as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_vulnerable_3cx_software_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Vulnerable Driver Loaded", "author": "Michael Haag, Splunk", "date": "2022-12-12", "version": 2, "id": "a2b1f1ef-221f-4187-b2a4-d4b08ec745f4", "description": "The following analytic utilizes a known list of vulnerable Windows drivers to help defenders find potential persistence or privelege escalation via a vulnerable driver. This analytic uses Sysmon EventCode 6, driver loading. A known gap with this lookup is that it does not use the hash or known signer of the vulnerable driver therefore it is up to the defender to identify version and signing info and confirm it is a vulnerable driver.", "references": ["https://github.com/SigmaHQ/sigma/blob/master/rules/windows/driver_load/driver_load_vuln_drivers_names.yml", "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", "https://github.com/jbaines-r7/dellicious", "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md", "https://github.com/namazso/physmem_drivers", "https://github.com/stong/CVE-2020-15368", "https://github.com/CaledoniaProject/drivers-binaries", "https://github.com/Chigusa0w0/AsusDriversPrivEscala", "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/", "https://eclypsium.com/2019/11/12/mother-of-all-drivers/", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37969"], "tags": {"analytic_story": ["BlackByte Ransomware", "Windows Drivers"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An process has loaded a possible vulnerable driver on $dest$. Review and escalate as needed.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}]}, "type": "Hunting", "search": "`sysmon` EventCode=6 | stats min(_time) as firstTime max(_time) as lastTime count by dest ImageLoaded | lookup loldrivers driver_name AS ImageLoaded OUTPUT is_driver driver_description | search is_driver = TRUE | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_vulnerable_driver_loaded_filter`", "how_to_implement": "Sysmon collects driver loads via EventID 6, however you may modify the query to utilize this lookup to identify potentially persistent drivers that are known to be vulnerable.", "known_false_positives": "False positives will be present. Drill down into the driver further by version number and cross reference by signer. Review the reference material in the lookup. In addition, modify the query to look within specific paths, which will remove a lot of \"normal\" drivers.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_vulnerable_driver_loaded_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "loldrivers", "description": "A list of known vulnerable drivers", "filename": "loldrivers.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(driver_name)", "min_matches": 1, "fields_list": null}]}, {"name": "Windows WinDBG Spawning AutoIt3", "author": "Michael Haag, Splunk", "date": "2023-10-31", "version": 1, "id": "7aec015b-cd69-46c3-85ed-dac152056aa4", "description": "The following analytic identifies instances of the WinDBG process spawning AutoIt3. This behavior may indicate malicious activity as AutoIt3 is often used by threat actors for scripting malicious automation. The search specifically looks for instances where the parent process name is 'windbg.exe' and the process name is 'autoit3.exe' or 'autoit*.exe'. During the triage process, it is recommended to review the file path for additional artifacts that may provide further insights into the event.", "references": ["https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2023-10-25-IOCs-from-DarkGate-activity.txt"], "tags": {"analytic_story": ["DarkGate Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$.", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=windbg.exe AND (Processes.process_name IN (\"autoit3.exe\", \"autoit*.exe\") OR Processes.original_file_name IN (\"autoit3.exe\", \"autoit*.exe\")) by Processes.dest, Processes.user, Processes.parent_process_name, Processes.process_name, Processes.original_file_name, Processes.process, Processes.process_id, Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval matches_extension=if(match(process, \"\\\\.(au3|a3x|exe|aut|aup)$\"), \"Yes\", \"No\") | search matches_extension=\"Yes\" | `windows_windbg_spawning_autoit3_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will only be present if the WinDBG process legitimately spawns AutoIt3. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_windbg_spawning_autoit3_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows WinLogon with Public Network Connection", "author": "Michael Haag, Splunk", "date": "2024-01-30", "version": 2, "id": "65615b3a-62ea-4d65-bb9f-6f07c17df4ea", "description": "The following analytic is designed to detect anomalous behavior associated with the BlackLotus Campaign, a sophisticated bootkit attack reported by ESET and further investigated in a blog by Microsoft, which provided hunting queries for security analysts. The primary focus of this analytic is to identify instances of Winlogon.exe, a critical Windows process, connecting to public IP space, which is indicative of potential malicious activity.\\ The BlackLotus Campaign is a bootkit-based attack that compromises system integrity by infecting the Master Boot Record (MBR) and Volume Boot Record (VBR). This malware variant can bypass traditional security measures, load before the operating system, and maintain persistence on the target system.\nWinlogon.exe is a critical Windows process responsible for managing user logon and logoff processes. Under normal circumstances, Winlogon.exe should not be connecting to public IP addresses. However, if it does, it may indicate that the process has been compromised as part of the BlackLotus Campaign or another malicious operation.\nThis analytic monitors network connections made by Winlogon.exe and triggers an alert if it detects connections to public IP space. By identifying such anomalous behavior, security analysts can investigate further and respond swiftly to potential threats.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/"], "tags": {"analytic_story": ["BlackLotus Campaign"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Winlogon.exe has generated a network connection to a remote destination on endpoint $dest$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1542.003", "mitre_attack_technique": "Bootkit", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": ["APT28", "APT41", "Lazarus Group"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (winlogon.exe) Processes.process!=unknown by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 NOT (All_Traffic.dest IN (127.0.0.1,10.0.0.0/8,172.16.0.0/12, 192.168.0.0/16, 0:0:0:0:0:0:0:1)) by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as publicIp ] | table dest parent_process_name process_name process_path process process_id dest_port publicIp | `windows_winlogon_with_public_network_connection_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will be present and filtering will be required. Legitimate IPs will be present and need to be filtered.", "datamodel": ["Endpoint", "Network_Traffic"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_winlogon_with_public_network_connection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows WMI Impersonate Token", "author": "Teoderick Contreras, Splunk", "date": "2022-10-24", "version": 1, "id": "cf192860-2d94-40db-9a51-c04a2e8a8f8b", "description": "The following analytic identifies a possible wmi token impersonation activities in a process or command. This technique was seen in Qakbot malware where it will execute a vbscript code contains wmi impersonation object to gain privilege escalation or as defense evasion. This Anomaly detection looks for wmiprvse.exe SourceImage having a duplicate handle or full granted access in a target process.", "references": ["https://github.com/trustedsec/SysmonCommunityGuide/blob/master/chapters/process-access.md", "https://www.joesandbox.com/analysis/278341/0/html"], "tags": {"analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "wmiprvse.exe process having a duplicate or full Granted Access $GrantedAccess$ to $TargetImage$ process in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}]}, "type": "Anomaly", "search": "`sysmon` EventCode=10 SourceImage = \"*\\\\wmiprvse.exe\" GrantedAccess IN (\"0x1478\", \"0x1fffff\") | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage SourceProcessGUID TargetProcessGUID SourceProcessId TargetProcessId GrantedAccess CallTrace dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_wmi_impersonate_token_filter`", "how_to_implement": "This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 10. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.", "known_false_positives": "administrator may execute impersonate wmi object script for auditing. Filter is needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_wmi_impersonate_token_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows WMI Process And Service List", "author": "Teoderick Contreras, Splunk", "date": "2022-11-30", "version": 1, "id": "ef3c5ef2-3f6d-4087-aa75-49bf746dc907", "description": "The following analytic identifies suspicious process command line, where WMI is performing an event query looking for running processes or running services. This technique is commonly found where the adversary will identify services and system information on the compromised machine. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts.", "references": ["https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["Prestige Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "wmi command $process$ to list processes and services in $dest$", "risk_score": 4, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process IN (\"*process list*\", \"*service list*\") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_wmi_process_and_service_list_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "netowrk administrator or IT may execute this command for auditing processes and services.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_wmi_process_and_service_list_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows WMI Process Call Create", "author": "Teoderick Contreras, Splunk", "date": "2023-12-27", "version": 1, "id": "0661c2de-93de-11ec-9833-acde48001122", "description": "This analytic is to look for wmi commandlines to execute or create process. This technique was used by adversaries or threat actor to execute their malicious payload in local or remote host. This hunting query is a good pivot to start to look further which process trigger the wmi or what process it execute locally or remotely.", "references": ["https://github.com/NVISOsecurity/sigma-public/blob/master/rules/windows/process_creation/win_susp_wmi_execution.yml", "https://github.com/redcanaryco/atomic-red-team/blob/2b804d25418004a5f1ba50e9dc637946ab8733c7/atomics/T1047/T1047.md", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"analytic_story": ["CISA AA23-347A", "IcedID", "Qakbot", "Suspicious WMI Use", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "process with $process$ commandline executed in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process = \"* process *\" Processes.process = \"* call *\" Processes.process = \"* create *\" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_path Processes.process_guid Processes.parent_process_id Processes.dest Processes.user Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_wmi_process_call_create_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may execute this command for testing or auditing.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_wmi_process_call_create_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "author": "Michael Haag, Splunk", "date": "2024-04-26", "version": 3, "id": "203ef0ea-9bd8-11eb-8201-acde48001122", "description": "The following query utilizes Windows Security EventCode 4698, indicating 'a scheduled task was created', to identify potentially suspicious tasks. These tasks may be registered on Windows through either schtasks.exe or TaskService, and are set up to execute a command with a native Windows shell such as PowerShell, Cmd, Wscript, or Cscript.\nThe search will return the initial and final times the task was registered, along with details like the 'Command' set to be executed, 'Task Name', 'Author', whether it's 'Enabled', and if it is 'Hidden'.\nSchtasks.exe is typically found in C:\\Windows\\system32 and C:\\Windows\\syswow64. The DLL 'taskschd.dll' is loaded when either schtasks.exe or TaskService is launched. If this DLL is found loaded by another process, it's possible that a scheduled task is being registered within the context of that process in memory.\nDuring triage, it's essential to identify the source of the scheduled task. Was it registered via schtasks.exe or TaskService? Review the job that was created and the command set to be executed. It's also recommended to capture and review any artifacts on disk, and identify any parallel processes within the same timeframe to locate the source.", "references": ["https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4698", "https://redcanary.com/threat-detection-report/techniques/scheduled-task-job/", "https://docs.microsoft.com/en-us/windows/win32/taskschd/time-trigger-example--scripting-?redirectedfrom=MSDN"], "tags": {"analytic_story": ["CISA AA22-257A", "Ransomware", "Ryuk Ransomware", "Scheduled Tasks", "Windows Error Reporting Service Elevation of Privilege Vulnerability", "Windows Persistence Techniques", "Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A windows scheduled task was created (task name=$TaskName$) on $dest$ by the following command: $TaskContent$", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "type": "TTP", "search": "`wineventlog_security` EventCode=4698 TaskContent IN (\"*powershell.exe*\", \"*wscript.exe*\", \"*cscript.exe*\", \"*cmd.exe*\", \"*sh.exe*\", \"*ksh.exe*\", \"*zsh.exe*\", \"*bash.exe*\", \"*scrcons.exe*\", \"*pwsh.exe*\") | stats count min(_time) as firstTime max(_time) as lastTime by Computer, TaskName, TaskContent | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winevent_scheduled_task_created_to_spawn_shell_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA is also required.", "known_false_positives": "False positives are possible if legitimate applications are allowed to register tasks that call a shell to be spawned. Filter as needed based on command-line or processes that are used legitimately.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "winevent_scheduled_task_created_to_spawn_shell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "WinEvent Scheduled Task Created Within Public Path", "author": "Michael Haag, Splunk", "date": "2024-04-26", "version": 3, "id": "5d9c6eee-988c-11eb-8253-acde48001122", "description": "The following analytic utilizes Windows Security EventCode 4698, which indicates the creation of a scheduled task on a Windows system. The purpose of this query is to identify suspicious tasks that have been registered using either schtasks.exe or TaskService and involve executing a command from a user-writable file path.\nWhen this analytic is triggered, it provides information such as the first and last registration time of the task, the command to be executed, the task name, author, and whether it is set as hidden or not. It is worth noting that schtasks.exe is commonly located in C:\\Windows\\system32 and C:\\Windows\\syswow64, and it loads the taskschd.dll DLL when launched. If this DLL is loaded by another process, it suggests that a scheduled task may be registered within that process's context in memory.\nDuring the triage process, it is essential to identify the source of the scheduled task creation, whether it was initiated through schtasks.exe or TaskService. The analyst should review the task that was created, including the command to be executed. Additionally, any artifacts on disk related to the task should be captured and analyzed. It is also recommended to identify any parallel processes that occurred within the same timeframe to determine the source of the task creation.\nBy conducting this triage process, security analysts can gain insights into potentiallymalicious or suspicious scheduled tasks, helping them identify the source and assess the impact of the task. This analytic is valuable for a Security Operations Center (SOC) as it can detect unauthorized or suspicious activity that could indicate an attacker's attempt to establish persistence or execute unauthorized commands on the system.", "references": ["https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4698", "https://redcanary.com/threat-detection-report/techniques/scheduled-task-job/", "https://docs.microsoft.com/en-us/windows/win32/taskschd/time-trigger-example--scripting-?redirectedfrom=MSDN", "https://app.any.run/tasks/e26f1b2e-befa-483b-91d2-e18636e2faf3/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "AsyncRAT", "CISA AA22-257A", "CISA AA23-347A", "Data Destruction", "IcedID", "Industroyer2", "Prestige Ransomware", "Ransomware", "Ryuk Ransomware", "Scheduled Tasks", "Windows Persistence Techniques", "Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A windows scheduled task was created (task name=$TaskName$) on $dest$", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "type": "TTP", "search": "`wineventlog_security` EventCode=4698 TaskContent IN (\"*\\\\users\\\\public\\\\*\", \"*\\\\programdata\\\\*\", \"*\\\\temp\\\\*\", \"*\\\\Windows\\\\Tasks\\\\*\", \"*\\\\appdata\\\\*\", \"*\\\\perflogs\\\\*\") | stats count min(_time) as firstTime max(_time) as lastTime by Computer, TaskName, TaskContent | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winevent_scheduled_task_created_within_public_path_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA is also required.", "known_false_positives": "False positives are possible if legitimate applications are allowed to register tasks in public paths. Filter as needed based on paths that are used legitimately.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "winevent_scheduled_task_created_within_public_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "author": "Michael Haag, Splunk", "date": "2024-04-26", "version": 2, "id": "b3632472-310b-11ec-9aab-acde48001122", "description": "The following hunting analytic aims to identify suspicious tasks that have been registered and executed in Windows using EventID 200 (action run) and 201 (action completed) from the Windows Task Scheduler logs. This analytic helps detect evasive techniques used to register tasks on Windows systems. It is recommended to filter the results based on the ActionName field by specifying specific paths that are not commonly used in your environment.\nAfter implementing this analytic, it is important to review parallel events related to the scheduled tasks. EventID 106 will be generated when a new task is created, but it does not necessarily mean that the task has been executed. Analysts should capture any files on disk associated with the task and perform further analysis.\nTo implement this analytic, Task Scheduler logs must be collected. This can be done by adding a stanza for [WinEventLog://Microsoft-Windows-TaskScheduler/Operational] in the inputs.conf file and setting renderXml=false. It is worth noting that not translating the logs into XML may require specific extraction of items from the Message field.\nFalse positives are expected with this analytic, so it is important to filter the results based on the paths or specific keywords of interest in the ActionName field to reduce noise.\nIdentifying and analyzing scheduled tasks that have been executed is crucial for a Security Operations Center (SOC) as it helps detect potentially malicious or unauthorized activities on Windows systems. By capturing and investigating the associated events, analysts can uncover signs of persistence mechanisms, unauthorized code execution, or suspicious behaviors. The impact of a true positive could range from unauthorized access to data exfiltration or the execution of malicious payloads.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md", "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/"], "tags": {"analytic_story": ["Amadey", "AsyncRAT", "CISA AA22-257A", "DarkCrystal RAT", "Data Destruction", "IcedID", "Industroyer2", "Prestige Ransomware", "Qakbot", "Sandworm Tools", "Scheduled Tasks", "Windows Persistence Techniques", "Winter Vivern", "Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A Scheduled Task was scheduled and ran on $dest$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}]}, "type": "Hunting", "search": "`wineventlog_task_scheduler` EventCode IN (\"200\",\"201\") | stats count min(_time) as firstTime max(_time) as lastTime by TaskName dest EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winevent_windows_task_scheduler_event_action_started_filter`", "how_to_implement": "Task Scheduler logs are required to be collected. Enable logging with inputs.conf by adding a stanza for [WinEventLog://Microsoft-Windows-TaskScheduler/Operational] and renderXml=false. Note, not translating it in XML may require a proper extraction of specific items in the Message.", "known_false_positives": "False positives will be present. Filter based on ActionName paths or specify keywords of interest.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_task_scheduler", "definition": "source=\"XmlWinEventLog:Security\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "winevent_windows_task_scheduler_event_action_started_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Winhlp32 Spawning a Process", "author": "Michael Haag, Splunk", "date": "2021-10-05", "version": 1, "id": "d17dae9e-2618-11ec-b9f5-acde48001122", "description": "The following analytic identifies winhlp32.exe, found natively in `c:\\windows\\`, spawning a child process that loads a file out of appdata, programdata, or temp. Winhlp32.exe has a rocky past in that multiple vulnerabilities were found and added to MetaSploit. WinHlp32.exe is required to display 32-bit Help files that have the \".hlp\" file name extension. This particular instance is related to a Remcos sample where dynwrapx.dll is added to the registry under inprocserver32, and later module loaded by winhlp32.exe to spawn wscript.exe and load a vbs or file from disk. During triage, review parallel processes to identify further suspicious behavior. Review module loads for unsuspecting unsigned modules. Capture any file modifications and analyze.", "references": ["https://www.exploit-db.com/exploits/16541", "https://tria.ge/210929-ap75vsddan", "https://www.virustotal.com/gui/file/cb77b93150cb0f7fe65ce8a7e2a5781e727419451355a7736db84109fa215a89"], "tags": {"analytic_story": ["Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$, and is not typical activity for this process.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=winhlp32.exe Processes.process IN (\"*\\\\appdata\\\\*\",\"*\\\\programdata\\\\*\", \"*\\\\temp\\\\*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winhlp32_spawning_a_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited as winhlp32.exe is typically not used with the latest flavors of Windows OS. However, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "winhlp32_spawning_a_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "WinRAR Spawning Shell Application", "author": "Michael Haag, Splunk", "date": "2023-08-29", "version": 1, "id": "d2f36034-37fa-4bd4-8801-26807c15540f", "description": "The following analytic detects the execution of Windows shell processes initiated by WinRAR, specifically looking for instances where WinRAR spawns processes like \"cmd.exe\", \"powershell.exe\", \"certutil.exe\", \"mshta.exe\", or \"bitsadmin.exe\". This behavior is worth identifying for a Security Operations Center (SOC) because it is indicative of a spoofing attack exploit, such as the one associated with WinRAR CVE-2023-38831. Cybercriminals exploited this vulnerability to craft ZIP archives with spoofed extensions, hiding the launch of malicious scripts within an archive. When a victim opened the specially crafted archive, it executed the malware, leading to unauthorized access to their broker accounts and enabling the cybercriminals to perform illicit financial transactions and withdraw funds. If a true positive is found, it suggests that an attacker has successfully exploited the vulnerability to execute malicious scripts, leading to unauthorized access, financial loss, and potentially the delivery of additional malicious payloads. The impact of the attack could be severe, involving financial loss, unauthorized access to sensitive accounts, and the potential for further malicious activity such as data theft or ransomware attacks.", "references": ["https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/", "https://github.com/BoredHackerBlog/winrar_CVE-2023-38831_lazy_poc", "https://github.com/b1tg/CVE-2023-38831-winrar-exploit"], "tags": {"analytic_story": ["WinRAR Spoofing Attack CVE-2023-38831"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to decode a file.", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=winrar.exe `windows_shells` OR Processes.process_name IN (\"certutil.exe\",\"mshta.exe\",\"bitsadmin.exe\") by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winrar_spawning_shell_application_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Be aware of potential false positives - legitimate uses of WinRAR and the listed processes in your environment may cause benign activities to be flagged. Upon triage, review the destination, user, parent process, and process name involved in the flagged activity. Capture and inspect any relevant on-disk artifacts, and look for concurrent processes to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_shells", "definition": "(Processes.process_name=cmd.exe OR Processes.process_name=powershell.exe OR Processes.process_name=pwsh.exe OR Processes.process_name=sh.exe OR Processes.process_name=bash.exe OR Processes.process_name=wscript.exe OR Processes.process_name=cscript.exe)", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "winrar_spawning_shell_application_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "WinRM Spawning a Process", "author": "Drew Church, Michael Haag, Splunk", "date": "2023-12-27", "version": 1, "id": "a081836a-ba4d-11eb-8593-acde48001122", "description": "The following analytic identifies suspicious processes spawning from WinRM (wsmprovhost.exe). This analytic is related to potential exploitation of CVE-2021-31166. which is a kernel-mode device driver http.sys vulnerability. Current proof of concept code will blue-screen the operating system. However, http.sys used by many different Windows processes, including WinRM. In this case, identifying suspicious process create (child processes) from `wsmprovhost.exe` is what this analytic is identifying.", "references": ["https://github.com/SigmaHQ/sigma/blob/9b7fb0c0f3af2e53ed483e29e0d0f88ccf1c08ca/rules/windows/process_access/win_susp_shell_spawn_from_winrm.yml", "https://www.zerodayinitiative.com/blog/2021/5/17/cve-2021-31166-a-wormable-code-execution-bug-in-httpsys", "https://github.com/0vercl0k/CVE-2021-31166/blob/main/cve-2021-31166.py"], "tags": {"analytic_story": ["CISA AA23-347A", "Rhysida Ransomware", "Unusual Processes"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=wsmprovhost.exe Processes.process_name IN (\"cmd.exe\",\"sh.exe\",\"bash.exe\",\"powershell.exe\",\"pwsh.exe\",\"schtasks.exe\",\"certutil.exe\",\"whoami.exe\",\"bitsadmin.exe\",\"scp.exe\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winrm_spawning_a_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unknown. Add new processes or filter as needed. It is possible system management software may spawn processes from `wsmprovhost.exe`.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "winrm_spawning_a_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Winword Spawning Cmd", "author": "Michael Haag, Splunk", "date": "2021-04-22", "version": 2, "id": "6fcbaedc-a37b-11eb-956b-acde48001122", "description": "The following detection identifies Microsoft Word spawning `cmd.exe`. Typically, this is not common behavior and not default with winword.exe. Winword.exe will generally be found in the following path `C:\\Program Files\\Microsoft Office\\root\\Office16` (version will vary). Cmd.exe spawning from winword.exe is common for a spearphishing attachment and is actively used. Albeit, the command-line will indicate what is being executed. During triage, review parallel processes and identify any files that may have been written. It is possible that COM is utilized to trampoline the child process to `explorer.exe` or `wmiprvse.exe`.", "references": ["https://app.any.run/tasks/73af0064-a785-4c0a-ab0d-cde593fe16ef/"], "tags": {"analytic_story": ["CVE-2023-21716 Word RTF Heap Corruption", "DarkCrystal RAT", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Target"]}], "message": "$parent_process_name$ on $dest$ by $user$ launched command: $process_name$ which is very common in spearphishing attacks.", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=winword.exe `process_cmd` by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winword_spawning_cmd_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited, but if any are present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "winword_spawning_cmd_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Winword Spawning PowerShell", "author": "Michael Haag, Splunk", "date": "2021-04-12", "version": 2, "id": "b2c950b8-9be2-11eb-8658-acde48001122", "description": "The following detection identifies Microsoft Word spawning PowerShell. Typically, this is not common behavior and not default with winword.exe. Winword.exe will generally be found in the following path `C:\\Program Files\\Microsoft Office\\root\\Office16` (version will vary). PowerShell spawning from winword.exe is common for a spearphishing attachment and is actively used. Albeit, the command executed will most likely be encoded and captured via another detection. During triage, review parallel processes and identify any files that may have been written.", "references": ["https://redcanary.com/threat-detection-report/techniques/powershell/", "https://attack.mitre.org/techniques/T1566/001/", "https://app.any.run/tasks/b79fa381-f35c-4b3e-8d02-507e7ee7342f/", "https://app.any.run/tasks/181ac90b-0898-4631-8701-b778a30610ad/"], "tags": {"analytic_story": ["CVE-2023-21716 Word RTF Heap Corruption", "DarkCrystal RAT", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Target"]}], "message": "$parent_process_name$ on $dest$ by $user$ launched the following powershell process: $process_name$ which is very common in spearphishing attacks", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=\"winword.exe\" `process_powershell` by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `winword_spawning_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited, but if any are present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "winword_spawning_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Winword Spawning Windows Script Host", "author": "Michael Haag, Splunk", "date": "2021-04-12", "version": 1, "id": "637e1b5c-9be1-11eb-9c32-acde48001122", "description": "The following detection identifies Microsoft Winword.exe spawning Windows Script Host - `cscript.exe` or `wscript.exe`. Typically, this is not common behavior and not default with Winword.exe. Winword.exe will generally be found in the following path `C:\\Program Files\\Microsoft Office\\root\\Office16` (version will vary). `cscript.exe` or `wscript.exe` default location is `c:\\windows\\system32\\` or c:windows\\syswow64\\`. `cscript.exe` or `wscript.exe` spawning from Winword.exe is common for a spearphishing attachment and is actively used. Albeit, the command-line executed will most likely be obfuscated and captured via another detection. During triage, review parallel processes and identify any files that may have been written. Review the reputation of the remote destination and block accordingly.", "references": ["https://attack.mitre.org/techniques/T1566/001/"], "tags": {"analytic_story": ["CVE-2023-21716 Word RTF Heap Corruption", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Target"]}], "message": "User $user$ on $dest$ spawned Windows Script Host from Winword.exe", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=\"winword.exe\" Processes.process_name IN (\"cscript.exe\", \"wscript.exe\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winword_spawning_windows_script_host_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "There will be limited false positives and it will be different for every environment. Tune by child process or command-line as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "winword_spawning_windows_script_host_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "WMI Permanent Event Subscription", "author": "Rico Valdez, Splunk", "date": "2018-10-23", "version": 1, "id": "71bfdb13-f200-4c6c-b2c9-a2e07adf437d", "description": "The following analytic detects the creation of permanent event subscriptions using Windows Management Instrumentation (WMI), which is used by attackers to achieve persistence in a compromised system. By creating a permanent event subscription, an attacker can run malicious scripts or binaries in response to specific system events that enables them to maintain access to the system undetected. The detection is made by using Sysmon EventID 5 data to detect instances where the consumers of these events are not the expected \"NTEventLogEventConsumer.\" The detection is important because it identifies unusual or unexpected subscription creation, which suggests that an attacker is attempting to achieve persistence within the environment and might be executing malicious scripts or binaries in response to specific system events. The impact of such an attack can be severe, potentially leading to data theft, ransomware, or other damaging outcomes. False positives might occur since False positives might occur since WMI event subscriptions can be used for legitimate purposes by system administrators. You must have a thorough understanding of WMI activity within the context of the monitored environment to effectively differentiate between legitimate and malicious activity.Next steps include investigating the associated scripts or binaries and identifying the source of the attack.", "references": [], "tags": {"analytic_story": ["Suspicious WMI Use"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": "`wmi` EventCode=5861 Binding | rex field=Message \"Consumer =\\s+(?[^;|^$]+)\" | search consumer!=\"NTEventLogEventConsumer=\\\"SCM Event Log Consumer\\\"\" | stats count min(_time) as firstTime max(_time) as lastTime by ComputerName, consumer, Message | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | rename ComputerName as dest | `wmi_permanent_event_subscription_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting the Windows WMI activity logs. This can be done by adding a stanza to inputs.conf on the system generating logs with a title of [WinEventLog://Microsoft-Windows-WMI-Activity/Operational].", "known_false_positives": "Although unlikely, administrators may use event subscriptions for legitimate purposes.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wmi", "definition": "sourcetype=\"wineventlog:microsoft-windows-wmi-activity/operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "wmi_permanent_event_subscription_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "WMI Permanent Event Subscription - Sysmon", "author": "Rico Valdez, Michael Haag, Splunk", "date": "2023-11-07", "version": 2, "id": "ad05aae6-3b2a-4f73-af97-57bd26cee3b9", "description": "This analytic looks for the creation of WMI permanent event subscriptions. The following analytic identifies the use of WMI Event Subscription to establish persistence or perform privilege escalation. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges. This analytic is restricted by commonly added process execution and a path. If the volume is low enough, remove the values and flag on any new subscriptions.\nAll event subscriptions have three components\n1. Filter - WQL Query for the events we want. EventID = 19\n1. Consumer - An action to take upon triggering the filter. EventID = 20\n1. Binding - Registers a filter to a consumer. EventID = 21\nMonitor for the creation of new WMI EventFilter, EventConsumer, and FilterToConsumerBinding. It may be pertinent to review all 3 to identify the flow of execution. In addition, EventCode 4104 may assist with any other PowerShell script usage that registered the subscription.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md", "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", "https://github.com/trustedsec/SysmonCommunityGuide/blob/master/chapters/WMI-events.md", "https://in.security/2019/04/03/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/"], "tags": {"analytic_story": ["Suspicious WMI Use"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "WMI Permanent Event Subscription detected on $dest$ by $user$", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.003", "mitre_attack_technique": "Windows Management Instrumentation Event Subscription", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT33", "Blue Mockingbird", "FIN8", "HEXANE", "Leviathan", "Metador", "Mustang Panda", "Rancor", "Turla"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "`sysmon` EventCode=21 | rename host as dest | table _time, dest, user, Operation, EventType, Query, Consumer, Filter | `wmi_permanent_event_subscription___sysmon_filter`", "how_to_implement": "To successfully implement this search, you must be collecting Sysmon data using Sysmon version 6.1 or greater and have Sysmon configured to generate alerts for WMI activity (eventID= 19, 20, 21). In addition, you must have at least version 6.0.4 of the Sysmon TA installed to properly parse the fields.", "known_false_positives": "Although unlikely, administrators may use event subscriptions for legitimate purposes.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "wmi_permanent_event_subscription___sysmon_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "WMI Recon Running Process Or Services", "author": "Teoderick Contreras, Splunk", "date": "2023-11-07", "version": 3, "id": "b5cd5526-cce7-11eb-b3bd-acde48001122", "description": "The following analytic identifies suspicious PowerShell script execution via EventCode 4104, where WMI is performing an event query looking for running processes or running services. This technique is commonly found in malware and APT events where the adversary will map all running security applications or services on the compromised machine. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts.", "references": ["https://news.sophos.com/en-us/2020/05/12/maze-ransomware-1-year-counting/", "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", "https://github.com/trustedsec/SysmonCommunityGuide/blob/master/chapters/WMI-events.md", "https://in.security/2019/04/03/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Reconnaissance"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious powerShell script execution by $user$ on $dest$ via EventCode 4104, where WMI is performing an event query looking for running processes or running services", "risk_score": 20, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText= \"*SELECT*\" AND (ScriptBlockText=\"*Win32_Process*\" OR ScriptBlockText=\"*Win32_Service*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wmi_recon_running_process_or_services_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Network administrator may used this command for checking purposes", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wmi_recon_running_process_or_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "WMI Temporary Event Subscription", "author": "Rico Valdez, Splunk", "date": "2018-10-23", "version": 1, "id": "38cbd42c-1098-41bb-99cf-9d6d2b296d83", "description": "The following analytic detects the creation of WMI temporary event subscriptions. WMI (Windows Management Instrumentation) is a management technology that allows administrators to perform various tasks on Windows-based systems. Temporary event subscriptions are created to monitor specific events or changes on a system that help to detect potential threats early and take proactive measures to protect the organization's systems and data. The detection is made by using the Splunk query `wmi` EventCode=5860 Temporary to search for events with EventCode 5860, which indicates the creation of a temporary WMI event subscription. To further refine the search results, the query uses regular expressions (rex) to extract the query used in the event subscription. Then, it filters known benign queries related to system processes such as 'wsmprovhost.exe' and 'AntiVirusProduct', 'FirewallProduct', 'AntiSpywareProduct', which helps to focus on potentially malicious or suspicious queries. The detection is important because it indicates malicious activity since attackers use WMI to run commands, gather information, or maintain persistence within a compromised system. False positives might occur since legitimate uses of WMI event subscriptions in the environment might trigger benign activities to be flagged. Therefore, an extensive triage is necessary to review the specific query and assess its intent. Additionally, capturing and inspecting relevant on-disk artifacts and analyzing concurrent processes can help to identify the source of the attack. Detecting the creation of these event subscriptions to identify potential threats early and take appropriate actions to mitigate the risks.", "references": [], "tags": {"analytic_story": ["Suspicious WMI Use"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": "`wmi` EventCode=5860 Temporary | rex field=Message \"NotificationQuery =\\s+(?[^;|^$]+)\" | search query!=\"SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName = 'wsmprovhost.exe'\" AND query!=\"SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'\" | stats count min(_time) as firstTime max(_time) as lastTime by ComputerName, query | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `wmi_temporary_event_subscription_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting the Windows WMI activity logs. This can be done by adding a stanza to inputs.conf on the system generating logs with a title of [WinEventLog://Microsoft-Windows-WMI-Activity/Operational].", "known_false_positives": "Some software may create WMI temporary event subscriptions for various purposes. The included search contains an exception for two of these that occur by default on Windows 10 systems. You may need to modify the search to create exceptions for other legitimate events.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wmi", "definition": "sourcetype=\"wineventlog:microsoft-windows-wmi-activity/operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "wmi_temporary_event_subscription_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Wmic Group Discovery", "author": "Michael Haag, Splunk", "date": "2021-09-14", "version": 1, "id": "83317b08-155b-11ec-8e00-acde48001122", "description": "The following hunting analytic identifies the use of `wmic.exe` enumerating local groups on the endpoint.\nTypically, by itself, is not malicious but may raise suspicion based on time of day, endpoint and username.\nDuring triage, review parallel processes and identify any further suspicious behavior.", "references": ["https://attack.mitre.org/techniques/T1069/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Local group discovery on $dest$ by $user$.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wmic.exe (Processes.process=\"*group get name*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `wmic_group_discovery_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "wmic_group_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Wmic NonInteractive App Uninstallation", "author": "Teoderick Contreras, Splunk", "date": "2022-07-19", "version": 2, "id": "bff0e7a0-317f-11ec-ab4e-acde48001122", "description": "This analytic indentifies WMIC command-line attempting to uninstall application non-interactively. This technique was seen in IcedID to uninstall AV products on the compromised host to evade detection. This Hunting query maybe a good indicator that some process tries to uninstall application using wmic which is not a common behavior. This approach may seen in some script or third part appication to uninstall their application but it is a good thing to check what it uninstall and why.", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/"], "tags": {"analytic_story": ["Azorult", "IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Target"]}], "message": "Wmic $process_name$ with command-line $process$ on $dest$ attempting to uninstall software.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wmic.exe Processes.process=\"* product *\" Processes.process=\"*where name*\" Processes.process=\"*call uninstall*\" Processes.process=\"*/nointeractive*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wmic_noninteractive_app_uninstallation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Third party application may use this approach to uninstall applications.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "wmic_noninteractive_app_uninstallation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "WMIC XSL Execution via URL", "author": "Michael Haag, Splunk", "date": "2021-11-11", "version": 1, "id": "787e9dd0-4328-11ec-a029-acde48001122", "description": "The following analytic identifies `wmic.exe` loading a remote XSL (eXtensible Stylesheet Language) script. This originally was identified by Casey Smith, dubbed Squiblytwo, as an application control bypass. Many adversaries will utilize this technique to invoke JScript or VBScript within an XSL file. This technique can also execute local/remote scripts and, similar to its Regsvr32 \"Squiblydoo\" counterpart, leverages a trusted, built-in Windows tool. Adversaries may abuse any alias in Windows Management Instrumentation provided they utilize the /FORMAT switch. Upon identifying a suspicious execution, review for confirmed network connnection and script download.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md", "https://web.archive.org/web/20190814201250/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md#atomic-test-4---wmic-bypass-using-remote-xsl-file"], "tags": {"analytic_story": ["Suspicious WMI Use"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ utilizing wmic to download a remote XSL script.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1220", "mitre_attack_technique": "XSL Script Processing", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group", "Higaisa"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process IN (\"*http://*\", \"*https://*\") Processes.process=\"*/format:*\" by Processes.parent_process_name Processes.original_file_name Processes.parent_process Processes.process_name Processes.process_id Processes.process Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wmic_xsl_execution_via_url_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives are limited as legitimate applications typically do not download files or xsl using WMIC. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "wmic_xsl_execution_via_url_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Wmiprsve LOLBAS Execution Process Spawn", "author": "Mauricio Velazco, Splunk", "date": "2021-11-22", "version": 1, "id": "95a455f0-4c04-11ec-b8ac-3e22fbd008af", "description": "The following analytic identifies `wmiprsve.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing Windows Management Instrumentation (WMI), the executed command is spawned as a child process of `wmiprvse.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of wmiprvse.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", "references": ["https://attack.mitre.org/techniques/T1047/", "https://www.ired.team/offensive-security/lateral-movement/t1047-wmi-for-lateral-movement", "https://lolbas-project.github.io/"], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Wmiprsve.exe spawned a LOLBAS process on $dest$.", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=wmiprvse.exe) (Processes.process_name IN (\"Regsvcs.exe\", \"Ftp.exe\", \"OfflineScannerShell.exe\", \"Rasautou.exe\", \"Schtasks.exe\", \"Xwizard.exe\", \"Dllhost.exe\", \"Pnputil.exe\", \"Atbroker.exe\", \"Pcwrun.exe\", \"Ttdinject.exe\",\"Mshta.exe\", \"Bitsadmin.exe\", \"Certoc.exe\", \"Ieexec.exe\", \"Microsoft.Workflow.Compiler.exe\", \"Runscripthelper.exe\", \"Forfiles.exe\", \"Msbuild.exe\", \"Register-cimprovider.exe\", \"Tttracer.exe\", \"Ie4uinit.exe\", \"Bash.exe\", \"Hh.exe\", \"SettingSyncHost.exe\", \"Cmstp.exe\", \"Mmc.exe\", \"Stordiag.exe\", \"Scriptrunner.exe\", \"Odbcconf.exe\", \"Extexport.exe\", \"Msdt.exe\", \"WorkFolders.exe\", \"Diskshadow.exe\", \"Mavinject.exe\", \"Regasm.exe\", \"Gpscript.exe\", \"Rundll32.exe\", \"Regsvr32.exe\", \"Msiexec.exe\", \"Wuauclt.exe\", \"Presentationhost.exe\", \"Wmic.exe\", \"Runonce.exe\", \"Syncappvpublishingserver.exe\", \"Verclsid.exe\", \"Infdefaultinstall.exe\", \"Explorer.exe\", \"Installutil.exe\", \"Netsh.exe\", \"Wab.exe\", \"Dnscmd.exe\", \"At.exe\", \"Pcalua.exe\", \"Msconfig.exe\")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wmiprsve_lolbas_execution_process_spawn_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Legitimate applications may trigger this behavior, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "wmiprsve_lolbas_execution_process_spawn_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Wscript Or Cscript Suspicious Child Process", "author": "Teoderick Contreras, Splunk", "date": "2023-04-14", "version": 1, "id": "1f35e1da-267b-11ec-90a9-acde48001122", "description": "This analytic identifies a suspicious spawned process by WScript or CScript process. This technique was a common technique used by adversaries and malware to execute different LOLBIN, other scripts like PowerShell or spawn a suspended process to inject its code as a defense evasion. This TTP may detect some normal script that using several application tool that are in the list of the child process it detects but a good pivot and indicator that a script is may execute suspicious code.", "references": ["https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"analytic_story": ["Data Destruction", "FIN7", "NjRAT", "Remcos", "Unusual Processes", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "wscript or cscript parent process spawned $process_name$ in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134.004", "mitre_attack_technique": "Parent PID Spoofing", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"cscript.exe\", \"wscript.exe\") Processes.process_name IN (\"regsvr32.exe\", \"rundll32.exe\",\"winhlp32.exe\",\"certutil.exe\",\"msbuild.exe\",\"cmd.exe\",\"powershell*\",\"wmic.exe\",\"mshta.exe\") by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wscript_or_cscript_suspicious_child_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may create vbs or js script that use several tool as part of its execution. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "wscript_or_cscript_suspicious_child_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Wsmprovhost LOLBAS Execution Process Spawn", "author": "Mauricio Velazco, Splunk", "date": "2021-11-22", "version": 1, "id": "2eed004c-4c0d-11ec-93e8-3e22fbd008af", "description": "The following analytic identifies `Wsmprovhost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Windows Remote Management (WinRm) protocol, the executed command is spawned as a child processs of `Wsmprovhost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of Wsmprovhost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", "references": ["https://attack.mitre.org/techniques/T1021/006/", "https://lolbas-project.github.io/", "https://pentestlab.blog/2018/05/15/lateral-movement-winrm/"], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Wsmprovhost.exe spawned a LOLBAS process on $dest$.", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.006", "mitre_attack_technique": "Windows Remote Management", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Chimera", "FIN13", "Threat Group-3390", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=wsmprovhost.exe) (Processes.process_name IN (\"Regsvcs.exe\", \"Ftp.exe\", \"OfflineScannerShell.exe\", \"Rasautou.exe\", \"Schtasks.exe\", \"Xwizard.exe\", \"Dllhost.exe\", \"Pnputil.exe\", \"Atbroker.exe\", \"Pcwrun.exe\", \"Ttdinject.exe\",\"Mshta.exe\", \"Bitsadmin.exe\", \"Certoc.exe\", \"Ieexec.exe\", \"Microsoft.Workflow.Compiler.exe\", \"Runscripthelper.exe\", \"Forfiles.exe\", \"Msbuild.exe\", \"Register-cimprovider.exe\", \"Tttracer.exe\", \"Ie4uinit.exe\", \"Bash.exe\", \"Hh.exe\", \"SettingSyncHost.exe\", \"Cmstp.exe\", \"Mmc.exe\", \"Stordiag.exe\", \"Scriptrunner.exe\", \"Odbcconf.exe\", \"Extexport.exe\", \"Msdt.exe\", \"WorkFolders.exe\", \"Diskshadow.exe\", \"Mavinject.exe\", \"Regasm.exe\", \"Gpscript.exe\", \"Rundll32.exe\", \"Regsvr32.exe\", \"Msiexec.exe\", \"Wuauclt.exe\", \"Presentationhost.exe\", \"Wmic.exe\", \"Runonce.exe\", \"Syncappvpublishingserver.exe\", \"Verclsid.exe\", \"Infdefaultinstall.exe\", \"Explorer.exe\", \"Installutil.exe\", \"Netsh.exe\", \"Wab.exe\", \"Dnscmd.exe\", \"At.exe\", \"Pcalua.exe\", \"Msconfig.exe\")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `wsmprovhost_lolbas_execution_process_spawn_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Legitimate applications may trigger this behavior, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "wsmprovhost_lolbas_execution_process_spawn_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "WSReset UAC Bypass", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2022-11-14", "version": 3, "id": "8b5901bc-da63-11eb-be43-acde48001122", "description": "This search is to detect a suspicious modification of registry related to UAC bypass. This technique is to modify the registry in this detection, create a registry value with the path of the payload and run WSreset.exe to bypass User account Control.", "references": ["https://github.com/hfiref0x/UACME", "https://blog.morphisec.com/trickbot-uses-a-new-windows-10-uac-bypass"], "tags": {"analytic_story": ["Living Off The Land", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Suspicious modification of registry $registry_path$ with possible payload path $registry_value_name$ in $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE Registry.registry_path= \"*\\\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\\\Shell\\\\open\\\\command*\" AND (Registry.registry_value_name = \"(Default)\" OR Registry.registry_value_name = \"DelegateExecute\") by _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wsreset_uac_bypass_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "wsreset_uac_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "XMRIG Driver Loaded", "author": "Teoderick Contreras, Splunk", "date": "2024-05-06", "version": 2, "id": "90080fa6-a8df-11eb-91e4-acde48001122", "description": "The following analytic detects the installation of the XMRIG coinminer driver on a system. It identifies the loading of the `WinRing0x64.sys` driver, commonly associated with XMRIG, by analyzing Sysmon EventCode 6 logs for specific signatures and image loads. This activity is significant because XMRIG is an open-source CPU miner frequently exploited by adversaries to mine cryptocurrency illicitly. If confirmed malicious, this activity could lead to unauthorized resource consumption, degraded system performance, and potential financial loss due to unauthorized cryptocurrency mining.", "references": ["https://www.trendmicro.com/vinfo/hk/threat-encyclopedia/malware/trojan.ps1.powtran.a/"], "tags": {"analytic_story": ["CISA AA22-320A", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A driver $ImageLoaded$ related to xmrig crytominer loaded in host $dest$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "`sysmon` EventCode=6 Signature=\"Noriyuki MIYAZAKI\" OR ImageLoaded= \"*\\\\WinRing0x64.sys\" | stats min(_time) as firstTime max(_time) as lastTime count by dest ImageLoaded Hashes IMPHASH Signature Signed | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `xmrig_driver_loaded_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the driver loaded and Signature from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "False positives should be limited.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "xmrig_driver_loaded_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "XSL Script Execution With WMIC", "author": "Teoderick Contreras, Splunk", "date": "2021-09-13", "version": 1, "id": "004e32e2-146d-11ec-a83f-acde48001122", "description": "This search is to detect a suspicious wmic.exe process or renamed wmic process to execute malicious xsl file. This technique was seen in FIN7 to execute its malicous jscript using the .xsl as the loader with the help of wmic.exe process. This TTP is really a good indicator for you to hunt further for FIN7 or other attacker that known to used this technique.", "references": ["https://www.mandiant.com/resources/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation", "https://attack.mitre.org/groups/G0046/", "https://web.archive.org/web/20190814201250/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md#atomic-test-3---wmic-bypass-using-local-xsl-file"], "tags": {"analytic_story": ["FIN7", "Suspicious WMI Use"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ utilizing wmic to load a XSL script.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1220", "mitre_attack_technique": "XSL Script Processing", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group", "Higaisa"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process = \"*os get*\" Processes.process=\"*/format:*\" Processes.process = \"*.xsl*\" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process_id Processes.process Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `xsl_script_execution_with_wmic_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "xsl_script_execution_with_wmic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect ARP Poisoning", "author": "Mikael Bjerkeland, Splunk", "date": "2024-05-12", "version": 2, "id": "b44bebd6-bd39-467b-9321-73971bcd1aac", "description": "The following analytic detects ARP Poisoning attacks by monitoring for Dynamic ARP Inspection (DAI) errors on Cisco network devices. It leverages logs from Cisco devices, specifically looking for events where the ARP inspection feature has disabled an interface due to suspicious activity. This activity is significant because ARP Poisoning can allow attackers to intercept, modify, or disrupt network traffic, leading to potential data breaches or denial of service. If confirmed malicious, this could enable attackers to perform man-in-the-middle attacks, compromising the integrity and confidentiality of network communications.", "references": [], "tags": {"analytic_story": ["Router and Infrastructure Security"], "asset_type": "Infrastructure", "cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives", "Delivery", "Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1200", "mitre_attack_technique": "Hardware Additions", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["DarkVishnya"]}, {"mitre_attack_id": "T1498", "mitre_attack_technique": "Network Denial of Service", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1557", "mitre_attack_technique": "Adversary-in-the-Middle", "mitre_attack_tactics": ["Collection", "Credential Access"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1557.002", "mitre_attack_technique": "ARP Cache Poisoning", "mitre_attack_tactics": ["Collection", "Credential Access"], "mitre_attack_groups": ["Cleaver", "LuminousMoth"]}]}, "type": "TTP", "search": "`cisco_networks` facility=\"PM\" mnemonic=\"ERR_DISABLE\" disable_cause=\"arp-inspection\" | eval src_interface=src_int_prefix_long+src_int_suffix | stats min(_time) AS firstTime max(_time) AS lastTime count BY host src_interface | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`| `detect_arp_poisoning_filter`", "how_to_implement": "This search uses a standard SPL query on logs from Cisco Network devices. The network devices must be configured with DHCP Snooping (see https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_01101.html) and Dynamic ARP Inspection (see https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-2_2_e/security/configuration_guide/b_sec_1522e_2960x_cg/b_sec_1522e_2960x_cg_chapter_01111.html) and log with a severity level of minimum \"5 - notification\". The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices.", "known_false_positives": "This search might be prone to high false positives if DHCP Snooping or ARP inspection has been incorrectly configured, or if a device normally sends many ARP packets (unlikely).", "datamodel": [], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "cisco_networks", "definition": "eventtype=cisco_ios", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "detect_arp_poisoning_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect DGA domains using pretrained model in DSDL", "author": "Abhinav Mishra, Kumar Sharad and Namratha Sreekanta, Splunk", "date": "2023-01-18", "version": 1, "id": "92e24f32-9b9a-4060-bba2-2a0eb31f3493", "description": "The following analytic uses a pre trained deep learning model to detect Domain Generation Algorithm (DGA) generated domains. The model is trained independently and is then made available for download. One of the prominent indicators of a domain being DGA generated is if the domain name consists of unusual character sequences or concatenated dictionary words. Adversaries often use clever techniques to obfuscate machine generated domain names as human generated. Predicting DGA generated domain names requires analysis and building a model based on carefully chosen features. The deep learning model we have developed uses the domain name to analyze patterns of character sequences along with carefully chosen custom features to predict if a domain is DGA generated. The model takes a domain name consisting of second-level and top-level domain names as input and outputs a dga_score. Higher the dga_score, the more likely the input domain is a DGA domain. The threshold for flagging a domain as DGA is set at 0.5.", "references": ["https://attack.mitre.org/techniques/T1568/002/", "https://unit42.paloaltonetworks.com/threat-brief-understanding-domain-generation-algorithms-dga/", "https://en.wikipedia.org/wiki/Domain_generation_algorithm"], "tags": {"analytic_story": ["Command And Control", "DNS Hijacking", "Data Exfiltration", "Dynamic DNS", "Suspicious DNS Traffic"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control"], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "Hostname", "role": ["Victim"]}, {"name": "domain", "type": "URL String", "role": ["Attacker"]}], "message": "A potential connection to a DGA domain $domain$ was detected from host $src$, kindly review.", "risk_score": 63, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1568.002", "mitre_attack_technique": "Domain Generation Algorithms", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "TA551"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(DNS.answer) as IPs min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Resolution by DNS.src, DNS.query | `drop_dm_object_name(DNS)` | rename query AS domain | fields IPs, src, domain, firstTime, lastTime | apply pretrained_dga_model_dsdl | rename pred_dga_proba AS dga_score | where dga_score>0.5 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table src, domain, IPs, firstTime, lastTime, dga_score | `detect_dga_domains_using_pretrained_model_in_dsdl_filter`", "how_to_implement": "Steps to deploy DGA detection model into Splunk App DSDL.\\ This detection depends on the Splunk app for Data Science and Deep Learning which can be found here - https://splunkbase.splunk.com/app/4607/ and the Network Resolution datamodel which can be found here - https://splunkbase.splunk.com/app/1621/. The detection uses a pre-trained deep learning model that needs to be deployed in DSDL app. Follow the steps for deployment here - https://github.com/splunk/security_content/wiki/How-to-deploy-pre-trained-Deep-Learning-models-for-ESCU. * Download the artifacts .tar.gz file from the link `https://seal.splunkresearch.com/pretrained_dga_model_dsdl.tar.gz`\n* Download the pretrained_dga_model_dsdl.ipynb Jupyter notebook from `https://github.com/splunk/security_content/notebooks`\n* Login to the Jupyter Lab for pretrained_dga_model_dsdl container. This container should be listed on Containers page for DSDL app.\n* Below steps need to be followed inside Jupyter lab\n* Upload the pretrained_dga_model_dsdl.tar.gz file into `app/model/data` path using the upload option in the jupyter notebook.\n* Untar the artifact `pretrained_dga_model_dsdl.tar.gz` using `tar -xf app/model/data/pretrained_dga_model_dsdl.tar.gz -C app/model/data`\n* Upload `pretrained_dga_model_dsdl.pynb` into Jupyter lab notebooks folder using the upload option in Jupyter lab\n* Save the notebook using the save option in jupyter notebook.\n* Upload `pretrained_dga_model_dsdl.json` into `notebooks/data` folder.", "known_false_positives": "False positives may be present if domain name is similar to dga generated domains.", "datamodel": ["Network_Resolution"], "source": "network", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_dga_domains_using_pretrained_model_in_dsdl_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect DNS Data Exfiltration using pretrained model in DSDL", "author": "Abhinav Mishra, Kumar Sharad and Namratha Sreekanta, Splunk", "date": "2023-04-27", "version": 1, "id": "92f65c3a-168c-11ed-71eb-0242ac120012", "description": "The following analytic uses a pre trained deep learning model to detect DNS data exfiltration. The model is trained on the data we collected and is inferred on live data. This detection detects low throughput DNS Tunneling (data exfiltration) using features computed from past events between the same src and domain. The search uses macros from URL ToolBox app to generate features used by the model. The model is a deep learning model that accepts DNS request as input along with a few custom features to generate a pred_is_exfiltration_proba score. The higher the pred_is_exfiltration_proba, the more likely the DNS request is data exfiltration. The threshold for flagging a request as DNS exfiltration is set at 0.5.", "references": ["https://attack.mitre.org/techniques/T1048/003/", "https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/", "https://en.wikipedia.org/wiki/Data_exfiltration"], "tags": {"analytic_story": ["Command And Control", "DNS Hijacking", "Suspicious DNS Traffic"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.AE"], "observable": [{"name": "query", "type": "Other", "role": ["Attacker"]}, {"name": "src", "type": "Hostname", "role": ["Victim"]}], "message": "A DNS data exfiltration request was sent by this host $src$ , kindly review.", "risk_score": 45, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count from datamodel=Network_Resolution by DNS.src _time DNS.query | `drop_dm_object_name(\"DNS\")` | sort - _time,src, query | streamstats count as rank by src query | where rank < 10 | table src,query,rank,_time | apply detect_dns_data_exfiltration_using_pretrained_model_in_dsdl | table src,_time,query,rank,pred_is_dns_data_exfiltration_proba,pred_is_dns_data_exfiltration | where rank == 1 | rename pred_is_dns_data_exfiltration_proba as is_exfiltration_score | rename pred_is_dns_data_exfiltration as is_exfiltration | where is_exfiltration_score > 0.5 | `security_content_ctime(_time)` | table src, _time,query,is_exfiltration_score,is_exfiltration | `detect_dns_data_exfiltration_using_pretrained_model_in_dsdl_filter`", "how_to_implement": "Steps to deploy detect DNS data exfiltration model into Splunk App DSDL. This detection depends on the Splunk app for Data Science and Deep Learning which can be found here - https://splunkbase.splunk.com/app/4607/ and the Network Resolution datamodel which can be found here - https://splunkbase.splunk.com/app/1621/. The detection uses a pre-trained deep learning model that needs to be deployed in DSDL app. Follow the steps for deployment here - `https://github.com/splunk/security_content/wiki/How-to-deploy-pre-trained-Deep-Learning-models-for-ESCU`.\n* Download the `artifacts .tar.gz` file from the link - https://seal.splunkresearch.com/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.tar.gz Download the `detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.ipynb` Jupyter notebook from https://github.com/splunk/security_content/notebooks\n* Login to the Jupyter Lab assigned for detect_dns_data_exfiltration_using_pretrained_model_in_dsdl container. This container should be listed on Containers page for DSDL app.\n* Below steps need to be followed inside Jupyter lab\n* Upload the detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.tar.gz file into `app/model/data` path using the upload option in the jupyter notebook.\n* Untar the artifact detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.tar.gz using `tar -xf app/model/data/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.tar.gz -C app/model/data`\n* Upload detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.pynb into Jupyter lab notebooks folder using the upload option in Jupyter lab\n* Save the notebook using the save option in jupyter notebook.\n* Upload `detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.json` into `notebooks/data` folder.", "known_false_positives": "False positives may be present if DNS data exfiltration request look very similar to benign DNS requests.", "datamodel": ["Network_Resolution"], "source": "network", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_dns_data_exfiltration_using_pretrained_model_in_dsdl_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect hosts connecting to dynamic domain providers", "author": "Bhavin Patel, Splunk", "date": "2021-01-14", "version": 3, "id": "a1e761ac-1344-4dbd-88b2-3f34c912d359", "description": "Malicious actors often abuse legitimate Dynamic DNS services to host malicious payloads or interactive Command And Control nodes. Attackers will automate domain resolution changes by routing dynamic domains to countless IP addresses to circumvent firewall blocks, block lists as well as frustrate a network defenders analytic and investigative processes. This search will look for DNS queries made from within your infrastructure to suspicious dynamic domains.", "references": [], "tags": {"analytic_story": ["Command And Control", "DNS Hijacking", "Data Protection", "Dynamic DNS", "Prohibited Traffic Allowed or Protocol Mismatch", "Suspicious DNS Traffic"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "nist": ["DE.CM"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "A dns query $query$ from your infra connecting to suspicious domain in host $host$", "risk_score": 56, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "Mustard Tempest", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(DNS.answer) as answer min(_time) as firstTime from datamodel=Network_Resolution by DNS.query host | `drop_dm_object_name(\"DNS\")` | `security_content_ctime(firstTime)` | `dynamic_dns_providers` | `detect_hosts_connecting_to_dynamic_domain_providers_filter`", "how_to_implement": "First, you'll need to ingest data from your DNS operations. This can be done by ingesting logs from your server or data, collected passively by Splunk Stream or a similar solution. Specifically, data that contains the domain that is being queried and the IP of the host originating the request must be populating the `Network_Resolution` data model. This search also leverages a lookup file, `dynamic_dns_providers_default.csv`, which contains a non-exhaustive list of Dynamic DNS providers. Please consider updating the local lookup periodically by adding new domains to the list of `dynamic_dns_providers_local.csv`.\nThis search produces fields (query, answer, isDynDNS) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable event. To see the additional metadata, add the following fields, if not already present, to Incident Review. Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\n* **Label:** DNS Query, **Field:** query\n* **Label:** DNS Answer, **Field:** answer\n* **Label:** IsDynamicDNS, **Field:** isDynDNS\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`", "known_false_positives": "Some users and applications may leverage Dynamic DNS to reach out to some domains on the Internet since dynamic DNS by itself is not malicious, however this activity must be verified.", "datamodel": ["Network_Resolution"], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "dynamic_dns_providers", "definition": "lookup update=true dynamic_dns_providers_default dynamic_dns_domains as query OUTPUTNEW isDynDNS_default | lookup update=true dynamic_dns_providers_local dynamic_dns_domains as query OUTPUTNEW isDynDNS_local| eval isDynDNS = coalesce(isDynDNS_local,isDynDNS_default) |fields - isDynDNS_default, isDynDNS_local| search isDynDNS=True", "description": "This macro limits the output of the query field to dynamic dns domains. It looks up the domains in a file provided by Splunk and one intended to be updated by the end user."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_hosts_connecting_to_dynamic_domain_providers_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect IPv6 Network Infrastructure Threats", "author": "Mikael Bjerkeland, Splunk", "date": "2024-05-12", "version": 2, "id": "c3be767e-7959-44c5-8976-0e9c12a91ad2", "description": "The following analytic detects IPv6 network infrastructure threats by identifying suspicious activities such as IP and MAC address theft or packet drops. It leverages logs from Cisco network devices configured with First Hop Security measures like RA Guard and DHCP Guard. This activity is significant as it can indicate attempts to compromise network integrity and security. If confirmed malicious, attackers could manipulate network traffic, leading to potential data interception, unauthorized access, or network disruption.", "references": ["https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/BRKSEC-3200.pdf", "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-16-12/ip6f-xe-16-12-book/ip6-ra-guard.html", "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-16-12/ip6f-xe-16-12-book/ip6-snooping.html", "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-16-12/ip6f-xe-16-12-book/ip6-dad-proxy.html", "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-16-12/ip6f-xe-16-12-book/ip6-nd-mcast-supp.html", "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-16-12/ip6f-xe-16-12-book/ip6-dhcpv6-guard.html", "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-16-12/ip6f-xe-16-12-book/ip6-src-guard.html", "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-16-12/ip6f-xe-16-12-book/ipv6-dest-guard.html"], "tags": {"analytic_story": ["Router and Infrastructure Security"], "asset_type": "Infrastructure", "cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives", "Delivery", "Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1200", "mitre_attack_technique": "Hardware Additions", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["DarkVishnya"]}, {"mitre_attack_id": "T1498", "mitre_attack_technique": "Network Denial of Service", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1557", "mitre_attack_technique": "Adversary-in-the-Middle", "mitre_attack_tactics": ["Collection", "Credential Access"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1557.002", "mitre_attack_technique": "ARP Cache Poisoning", "mitre_attack_tactics": ["Collection", "Credential Access"], "mitre_attack_groups": ["Cleaver", "LuminousMoth"]}]}, "type": "TTP", "search": "`cisco_networks` facility=\"SISF\" mnemonic IN (\"IP_THEFT\",\"MAC_THEFT\",\"MAC_AND_IP_THEFT\",\"PAK_DROP\") | eval src_interface=src_int_prefix_long+src_int_suffix | eval dest_interface=dest_int_prefix_long+dest_int_suffix | stats min(_time) AS firstTime max(_time) AS lastTime values(src_mac) AS src_mac values(src_vlan) AS src_vlan values(mnemonic) AS mnemonic values(vendor_explanation) AS vendor_explanation values(src_ip) AS src_ip values(dest_ip) AS dest_ip values(dest_interface) AS dest_interface values(action) AS action count BY host src_interface | table host src_interface dest_interface src_mac src_ip dest_ip src_vlan mnemonic vendor_explanation action count | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `detect_ipv6_network_infrastructure_threats_filter`", "how_to_implement": "This search uses a standard SPL query on logs from Cisco Network devices. The network devices must be configured with one or more First Hop Security measures such as RA Guard, DHCP Guard and/or device tracking. See References for more information. The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices.", "known_false_positives": "None currently known", "datamodel": [], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "cisco_networks", "definition": "eventtype=cisco_ios", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "detect_ipv6_network_infrastructure_threats_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Large Outbound ICMP Packets", "author": "Rico Valdez, Splunk", "date": "2018-06-01", "version": 2, "id": "e9c102de-4d43-42a7-b1c8-8062ea297419", "description": "This search looks for outbound ICMP packets with a packet size larger than 1,000 bytes. Various threat actors have been known to use ICMP as a command and control channel for their attack infrastructure. Large ICMP packets from an endpoint to a remote host may be indicative of this activity.", "references": [], "tags": {"analytic_story": ["Command And Control"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1095", "mitre_attack_technique": "Non-Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT3", "BITTER", "BackdoorDiplomacy", "FIN6", "HAFNIUM", "Metador", "PLATINUM", "ToddyCat"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count earliest(_time) as firstTime latest(_time) as lastTime values(All_Traffic.action) values(All_Traffic.bytes) from datamodel=Network_Traffic where All_Traffic.action !=blocked All_Traffic.dest_category !=internal (All_Traffic.protocol=icmp OR All_Traffic.transport=icmp) All_Traffic.bytes > 1000 by All_Traffic.src_ip All_Traffic.dest_ip | `drop_dm_object_name(\"All_Traffic\")` | search ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16) | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `detect_large_outbound_icmp_packets_filter`", "how_to_implement": "In order to run this search effectively, we highly recommend that you leverage the Assets and Identity framework. It is important that you have a good understanding of how your network segments are designed and that you are able to distinguish internal from external address space. Add a category named `internal` to the CIDRs that host the company's assets in the `assets_by_cidr.csv` lookup file, which is located in `$SPLUNK_HOME/etc/apps/SA-IdentityManagement/lookups/`. More information on updating this lookup can be found here: https://docs.splunk.com/Documentation/ES/5.0.0/Admin/Addassetandidentitydata. This search also requires you to be ingesting your network traffic and populating the Network_Traffic data model", "known_false_positives": "ICMP packets are used in a variety of ways to help troubleshoot networking issues and ensure the proper flow of traffic. As such, it is possible that a large ICMP packet could be perfectly legitimate. If large ICMP packets are associated with Command And Control traffic, there will typically be a large number of these packets observed over time. If the search is providing a large number of false positives, you can modify the macro `detect_large_outbound_icmp_packets_filter` to adjust the byte threshold or add specific IP addresses to an allow list.", "datamodel": ["Network_Traffic"], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_large_outbound_icmp_packets_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Outbound LDAP Traffic", "author": "Bhavin Patel, Johan Bjerke, Splunk", "date": "2024-05-21", "version": 2, "id": "5e06e262-d7cd-4216-b2f8-27b437e18458", "description": "Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space.", "references": ["https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/"], "tags": {"analytic_story": ["Log4Shell CVE-2021-44228"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Victim"]}, {"name": "dest_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "An outbound LDAP connection from $src_ip$ in your infrastructure connecting to dest ip $dest_ip$", "risk_score": 56, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "type": "Hunting", "search": "| tstats earliest(_time) as earliest_time latest(_time) as latest_time values(All_Traffic.dest_ip) as dest_ip from datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port = 389 OR All_Traffic.dest_port = 636 AND NOT (All_Traffic.dest_ip = 10.0.0.0/8 OR All_Traffic.dest_ip=192.168.0.0/16 OR All_Traffic.dest_ip = 172.16.0.0/12) by All_Traffic.src_ip All_Traffic.dest_ip |`drop_dm_object_name(\"All_Traffic\")` | where src_ip != dest_ip | `security_content_ctime(latest_time)` | `security_content_ctime(earliest_time)` |`detect_outbound_ldap_traffic_filter`", "how_to_implement": "In order to properly run this search, Splunk needs to ingest data from Next Generation Firewalls like Palo Alto Networks Firewalls or other network control devices that mediate the traffic allowed into an environment. The search requires the Network_Traffic data model to be populated.", "known_false_positives": "Unknown at this moment. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. Please check those servers to verify if the activity is legitimate.", "datamodel": ["Network_Traffic"], "source": "network", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "detect_outbound_ldap_traffic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Outbound SMB Traffic", "author": "Bhavin Patel, Stuart Hopkins, Patrick Bareiss", "date": "2024-02-27", "version": 4, "id": "1bed7774-304a-4e8f-9d72-d80e45ff492b", "description": "The following analytic detects outbound SMB (Server Message Block) connections from internal hosts to external servers, a method commonly exploited for Windows file-sharing activities. It identifies this behavior by monitoring network traffic for SMB requests directed towards the Internet, which are not typical for standard operations. This detection is crucial for a Security Operations Center (SOC) as it can indicate an attackers attempt to retrieve credential hashes through compromised servers, a key step in lateral movement and privilege escalation. The impact of such an attack includes unauthorized access to sensitive data and potential full system compromise.", "references": [], "tags": {"analytic_story": ["DHS Report TA18-074A", "Hidden Cobra Malware", "NOBELIUM Group"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control"], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Victim"]}, {"name": "dest_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "An outbound SMB connection from $src_ip$ in your infrastructure connecting to dest ip $dest_ip$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1071.002", "mitre_attack_technique": "File Transfer Protocols", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Dragonfly", "Kimsuky", "SilverTerrier"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Magic Hound", "Rocke", "TeamTNT"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` earliest(_time) as start_time latest(_time) as end_time values(All_Traffic.action) as action values(All_Traffic.app) as app values(All_Traffic.dest_ip) as dest_ip values(All_Traffic.dest_port) as dest_port values(sourcetype) as sourcetype count from datamodel=Network_Traffic where (All_Traffic.action=allowed All_Traffic.direction=outbound All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=\"smb\") by All_Traffic.src_ip | `drop_dm_object_name(\"All_Traffic\")` | eval match=case( cidrmatch(\"10.0.0.0/8\" ,dest_ip) ,\"1\", cidrmatch(\"172.16.0.0/12\" ,dest_ip) ,\"1\", cidrmatch(\"192.168.0.0/16\" ,dest_ip) ,\"1\", cidrmatch(\"100.64.0.0/10\" ,dest_ip) ,\"1\", 1=1,\"0\") | search match=0 | fields - match | `security_content_ctime(start_time)` | `security_content_ctime(end_time)` | `detect_outbound_smb_traffic_filter`", "how_to_implement": "This search also requires you to be ingesting your network traffic and populating the Network_Traffic data model", "known_false_positives": "It is likely that the outbound Server Message Block (SMB) traffic is legitimate, if the company's internal networks are not well-defined in the Assets and Identity Framework. Categorize the internal CIDR blocks as `internal` in the lookup file to avoid creating notable events for traffic destined to those CIDR blocks. Any other network connection that is going out to the Internet should be investigated and blocked. Best practices suggest preventing external communications of all SMB versions and related protocols at the network boundary.", "datamodel": ["Network_Traffic"], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_outbound_smb_traffic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Port Security Violation", "author": "Mikael Bjerkeland, Splunk", "date": "2020-10-28", "version": 1, "id": "2de3d5b8-a4fa-45c5-8540-6d071c194d24", "description": "By enabling Port Security on a Cisco switch you can restrict input to an interface by limiting and identifying MAC addresses of the workstations that are allowed to access the port. When you assign secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined addresses. If you limit the number of secure MAC addresses to one and assign a single secure MAC address, the workstation attached to that port is assured the full bandwidth of the port. If a port is configured as a secure port and the maximum number of secure MAC addresses is reached, when the MAC address of a workstation attempting to access the port is different from any of the identified secure MAC addresses, a security violation occurs.", "references": [], "tags": {"analytic_story": ["Router and Infrastructure Security"], "asset_type": "Infrastructure", "cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives", "Delivery", "Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1200", "mitre_attack_technique": "Hardware Additions", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["DarkVishnya"]}, {"mitre_attack_id": "T1498", "mitre_attack_technique": "Network Denial of Service", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1557", "mitre_attack_technique": "Adversary-in-the-Middle", "mitre_attack_tactics": ["Collection", "Credential Access"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1557.002", "mitre_attack_technique": "ARP Cache Poisoning", "mitre_attack_tactics": ["Collection", "Credential Access"], "mitre_attack_groups": ["Cleaver", "LuminousMoth"]}]}, "type": "TTP", "search": "`cisco_networks` (facility=\"PM\" mnemonic=\"ERR_DISABLE\" disable_cause=\"psecure-violation\") OR (facility=\"PORT_SECURITY\" mnemonic=\"PSECURE_VIOLATION\" OR mnemonic=\"PSECURE_VIOLATION_VLAN\") | eval src_interface=src_int_prefix_long+src_int_suffix | stats min(_time) AS firstTime max(_time) AS lastTime values(disable_cause) AS disable_cause values(src_mac) AS src_mac values(src_vlan) AS src_vlan values(action) AS action count by host src_interface | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_port_security_violation_filter`", "how_to_implement": "This search uses a standard SPL query on logs from Cisco Network devices. The network devices must be configured with Port Security and Error Disable for this to work (see https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/port_sec.html) and log with a severity level of minimum \"5 - notification\". The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices.", "known_false_positives": "This search might be prone to high false positives if you have malfunctioning devices connected to your ethernet ports or if end users periodically connect physical devices to the network.", "datamodel": [], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "cisco_networks", "definition": "eventtype=cisco_ios", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "detect_port_security_violation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Remote Access Software Usage DNS", "author": "Steven Dick", "date": "2024-02-22", "version": 1, "id": "a16b797d-e309-41bd-8ba0-5067dae2e4be", "description": "The following analytic detects when a known remote access software domains are contacted from within the environment. Adversaries use these utilities to retain remote access capabilities to the environment. Utilities in the lookup include AnyDesk, GoToMyPC, LogMeIn, TeamViewer and much more. Review the lookup for the entire list and add any others.", "references": ["https://attack.mitre.org/techniques/T1219/", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/"], "tags": {"analytic_story": ["Command And Control", "Insider Threat", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "Hostname", "role": ["Victim"]}, {"name": "query", "type": "Hostname", "role": ["Attacker"]}], "message": "A domain for a known remote access software $query$ was contacted by $src$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1219", "mitre_attack_technique": "Remote Access Software", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Akira", "Carbanak", "Cobalt Group", "DarkVishnya", "Evilnum", "FIN7", "GOLD SOUTHFIELD", "Kimsuky", "MuddyWater", "Mustang Panda", "RTM", "Sandworm Team", "Scattered Spider", "TeamTNT", "Thrip"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(DNS.answer) as answer from datamodel=Network_Resolution by DNS.src DNS.query | `drop_dm_object_name(\"DNS\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | lookup remote_access_software remote_domain AS query OUTPUT isutility, description as signature, comment_reference as desc, category | eval dest = query | search isutility = True | `detect_remote_access_software_usage_dns_filter`", "how_to_implement": "To implement this search, you must ingest logs that contain the DNS query and the source of the query. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the DNS logs. The logs must also be mapped to the `Network_Resolution` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "It is possible that legitimate remote access software is used within the environment. Ensure that the lookup is reviewed and updated with any additional remote access software that is used within the environment.", "datamodel": ["Network_Resolution"], "source": "network", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_remote_access_software_usage_dns_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "remote_access_software", "description": "A list of Remote Access Software", "filename": "remote_access_software.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(remote_utility),WILDCARD(remote_domain),WILDCARD(remote_utility_fileinfo)", "min_matches": 1, "fields_list": null}]}, {"name": "Detect Remote Access Software Usage Traffic", "author": "Steven Dick", "date": "2024-02-22", "version": 1, "id": "885ea672-07ee-475a-879e-60d28aa5dd42", "description": "The following analytic detects when a known remote access software application traffic is detected from within the environment. Adversaries use these utilities to retain remote access capabilities to the environment. Utilities in the lookup include AnyDesk, GoToMyPC, LogMeIn, TeamViewer and much more. Review the lookup for the entire list and add any others.", "references": ["https://attack.mitre.org/techniques/T1219/", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/", "https://applipedia.paloaltonetworks.com/"], "tags": {"analytic_story": ["Command And Control", "Insider Threat", "Ransomware"], "asset_type": "Network", "cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control"], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "Hostname", "role": ["Victim"]}], "message": "Application traffic for a known remote access software [$signature$] was detected from $src$.", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1219", "mitre_attack_technique": "Remote Access Software", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Akira", "Carbanak", "Cobalt Group", "DarkVishnya", "Evilnum", "FIN7", "GOLD SOUTHFIELD", "Kimsuky", "MuddyWater", "Mustang Panda", "RTM", "Sandworm Team", "Scattered Spider", "TeamTNT", "Thrip"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_Traffic.dest_port) as dest_port latest(user) as user from datamodel=Network_Traffic by All_Traffic.src All_Traffic.dest, All_Traffic.app | `drop_dm_object_name(\"All_Traffic\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | lookup remote_access_software remote_appid AS app OUTPUT isutility, description as signature, comment_reference as desc, category | search isutility = True | `detect_remote_access_software_usage_traffic_filter`", "how_to_implement": "The following analytic was developed with Palo Alto traffic logs. Ensure that the logs are being ingested into Splunk and mapped to the Network_Traffic data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "It is possible that legitimate remote access software is used within the environment. Ensure that the lookup is reviewed and updated with any additional remote access software that is used within the environment.", "datamodel": ["Network_Traffic"], "source": "network", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_remote_access_software_usage_traffic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "remote_access_software", "description": "A list of Remote Access Software", "filename": "remote_access_software.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(remote_utility),WILDCARD(remote_domain),WILDCARD(remote_utility_fileinfo)", "min_matches": 1, "fields_list": null}]}, {"name": "Detect Rogue DHCP Server", "author": "Mikael Bjerkeland, Splunk", "date": "2020-08-11", "version": 1, "id": "6e1ada88-7a0d-4ac1-92c6-03d354686079", "description": "By enabling DHCP Snooping as a Layer 2 Security measure on the organization's network devices, we will be able to detect unauthorized DHCP servers handing out DHCP leases to devices on the network (Man in the Middle attack).", "references": [], "tags": {"analytic_story": ["Router and Infrastructure Security"], "asset_type": "Infrastructure", "cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives", "Delivery", "Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1200", "mitre_attack_technique": "Hardware Additions", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["DarkVishnya"]}, {"mitre_attack_id": "T1498", "mitre_attack_technique": "Network Denial of Service", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1557", "mitre_attack_technique": "Adversary-in-the-Middle", "mitre_attack_tactics": ["Collection", "Credential Access"], "mitre_attack_groups": ["Kimsuky"]}]}, "type": "TTP", "search": "`cisco_networks` facility=\"DHCP_SNOOPING\" mnemonic=\"DHCP_SNOOPING_UNTRUSTED_PORT\" | stats min(_time) AS firstTime max(_time) AS lastTime count values(message_type) AS message_type values(src_mac) AS src_mac BY host | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`| `detect_rogue_dhcp_server_filter`", "how_to_implement": "This search uses a standard SPL query on logs from Cisco Network devices. The network devices must be configured with DHCP Snooping enabled (see https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_01101.html) and log with a severity level of minimum \"5 - notification\". The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices.", "known_false_positives": "This search might be prone to high false positives if DHCP Snooping has been incorrectly configured or in the unlikely event that the DHCP server has been moved to another network interface.", "datamodel": [], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "cisco_networks", "definition": "eventtype=cisco_ios", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "detect_rogue_dhcp_server_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect SNICat SNI Exfiltration", "author": "Shannon Davis, Splunk", "date": "2024-05-21", "version": 2, "id": "82d06410-134c-11eb-adc1-0242ac120002", "description": "The following analytic identifies the use of SNICat tool commands within the TLS SNI field, indicating potential data exfiltration attempts. It leverages Zeek SSL data to detect specific SNICat commands such as LIST, LS, SIZE, LD, CB, EX, ALIVE, EXIT, WHERE, and finito in the server_name field. This activity is significant as SNICat is a known tool for covert data exfiltration using TLS. If confirmed malicious, this could allow attackers to exfiltrate sensitive data undetected, posing a severe threat to data confidentiality and integrity.", "references": ["https://www.mnemonic.io/resources/blog/introducing-snicat/", "https://github.com/mnemonic-no/SNIcat", "https://attack.mitre.org/techniques/T1041/"], "tags": {"analytic_story": ["Data Exfiltration"], "asset_type": "Network", "cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1041", "mitre_attack_technique": "Exfiltration Over C2 Channel", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Chimera", "Confucius", "GALLIUM", "Gamaredon Group", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "LuminousMoth", "MuddyWater", "Sandworm Team", "Stealth Falcon", "Wizard Spider", "ZIRCONIUM"]}]}, "type": "TTP", "search": "`zeek_ssl` | rex field=server_name \"(?(LIST|LS|SIZE|LD|CB|CD|EX|ALIVE|EXIT|WHERE|finito)-[A-Za-z0-9]{16}\\.)\" | stats count by src_ip dest_ip server_name snicat | where count>0 | table src_ip dest_ip server_name snicat | `detect_snicat_sni_exfiltration_filter`", "how_to_implement": "You must be ingesting Zeek SSL data into Splunk. Zeek data should also be getting ingested in JSON format. We are detecting when any of the predefined SNICat commands are found within the server_name (SNI) field. These commands are LIST, LS, SIZE, LD, CB, EX, ALIVE, EXIT, WHERE, and finito. You can go further once this has been detected, and run other searches to decode the SNI data to prove or disprove if any data exfiltration has taken place.", "known_false_positives": "Unknown", "datamodel": [], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "zeek_ssl", "definition": "index=zeek sourcetype=\"zeek:ssl:json\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_snicat_sni_exfiltration_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Software Download To Network Device", "author": "Mikael Bjerkeland, Splunk", "date": "2020-10-28", "version": 1, "id": "cc590c66-f65f-48f2-986a-4797244762f8", "description": "Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images.", "references": [], "tags": {"analytic_story": ["Router and Infrastructure Security"], "asset_type": "Infrastructure", "cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1542.005", "mitre_attack_technique": "TFTP Boot", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1542", "mitre_attack_technique": "Pre-OS Boot", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where (All_Traffic.transport=udp AND All_Traffic.dest_port=69) OR (All_Traffic.transport=tcp AND All_Traffic.dest_port=21) OR (All_Traffic.transport=tcp AND All_Traffic.dest_port=22) AND All_Traffic.dest_category!=common_software_repo_destination AND All_Traffic.src_category=network OR All_Traffic.src_category=router OR All_Traffic.src_category=switch by All_Traffic.src All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(\"All_Traffic\")` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_software_download_to_network_device_filter`", "how_to_implement": "This search looks for Network Traffic events to TFTP, FTP or SSH/SCP ports from network devices. Make sure to tag any network devices as network, router or switch in order for this detection to work. If the TFTP traffic doesn't traverse a firewall nor packet inspection, these events will not be logged. This is typically an issue if the TFTP server is on the same subnet as the network device. There is also a chance of the network device loading software using a DHCP assigned IP address (netboot) which is not in the Asset inventory.", "known_false_positives": "This search will also report any legitimate attempts of software downloads to network devices as well as outbound SSH sessions from network devices.", "datamodel": ["Network_Traffic"], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_software_download_to_network_device_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect suspicious DNS TXT records using pretrained model in DSDL", "author": "Abhinav Mishra, Kumar Sharad and Namratha Sreekanta, Splunk", "date": "2023-01-15", "version": 1, "id": "92f65c3a-968c-11ed-a1eb-0242ac120002", "description": "The following analytic uses a pre trained deep learning model to detect suspicious DNS TXT records. The model is trained independently and is then made available for download. The DNS TXT records are categorized into commonly identified types like email, verification, http using regular expressions https://www.tide-project.nl/blog/wtmc2020/. The TXT records that do not match regular expressions for well known types are labeled as 1 for \"unknown/suspicious\" and otherwise 0 for \"not suspicious\". The deep learning model we have developed uses DNS TXT responses to analyze patterns of character sequences to predict if a DNS TXT is suspicious or not. The higher the pred_is_unknown_proba, the more likely the DNS TXT record is suspicious. The threshold for flagging a domain as suspicious is set at 0.5.", "references": ["https://attack.mitre.org/techniques/T1071/004/", "https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/", "https://en.wikipedia.org/wiki/TXT_record"], "tags": {"analytic_story": ["Command And Control", "DNS Hijacking", "Suspicious DNS Traffic"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control"], "nist": ["DE.AE"], "observable": [{"name": "answer", "type": "Other", "role": ["Attacker"]}, {"name": "src", "type": "Hostname", "role": ["Victim"]}], "message": "A suspicious DNS TXT response was detected on host $src$ , kindly review.", "risk_score": 45, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1568.002", "mitre_attack_technique": "Domain Generation Algorithms", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "TA551"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Resolution where DNS.message_type=response AND DNS.record_type=TXT by DNS.src DNS.dest DNS.answer DNS.record_type | `drop_dm_object_name(\"DNS\")` | rename answer as text | fields firstTime, lastTime, message_type,record_type,src,dest, text | apply detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl | rename predicted_is_unknown as is_suspicious_score | where is_suspicious_score > 0.5 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table src,dest,text,record_type, firstTime, lastTime,is_suspicious_score | `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl_filter`", "how_to_implement": "Steps to deploy detect suspicious DNS TXT records model into Splunk App DSDL. This detection depends on the Splunk app for Data Science and Deep Learning which can be found here - `https://splunkbase.splunk.com/app/4607/` and the Network Resolution datamodel which can be found here - `https://splunkbase.splunk.com/app/1621/`. The detection uses a pre-trained deep learning model that needs to be deployed in DSDL app. Follow the steps for deployment here - `https://github.com/splunk/security_content/wiki/How-to-deploy-pre-trained-Deep-Learning-models-for-ESCU`.\n* Download the `artifacts .tar.gz` file from the link - `https://seal.splunkresearch.com/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.tar.gz`.\n* Download the `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.ipynb` Jupyter notebook from `https://github.com/splunk/security_content/notebooks`.\n* Login to the Jupyter Lab assigned for `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl` container. This container should be listed on Containers page for DSDL app.\n* Below steps need to be followed inside Jupyter lab.\n* Upload the `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.tar.gz` file into `app/model/data` path using the upload option in the jupyter notebook.\n* Untar the artifact `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.tar.gz` using `tar -xf app/model/data/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.tar.gz -C app/model/data`.\n* Upload detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.ipynb` into Jupyter lab notebooks folder using the upload option in Jupyter lab.\n* Save the notebook using the save option in Jupyter notebook.\n* Upload `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.json` into `notebooks/data` folder.", "known_false_positives": "False positives may be present if DNS TXT record contents are similar to benign DNS TXT record contents.", "datamodel": ["Network_Resolution"], "source": "network", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Traffic Mirroring", "author": "Mikael Bjerkeland, Splunk", "date": "2020-10-28", "version": 1, "id": "42b3b753-5925-49c5-9742-36fa40a73990", "description": "Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised network infrastructure. Traffic mirroring is a native feature for some network devices and used for network analysis and may be configured to duplicate traffic and forward to one or more destinations for analysis by a network analyzer or other monitoring device.", "references": [], "tags": {"analytic_story": ["Router and Infrastructure Security"], "asset_type": "Infrastructure", "cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives", "Delivery"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1200", "mitre_attack_technique": "Hardware Additions", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["DarkVishnya"]}, {"mitre_attack_id": "T1020", "mitre_attack_technique": "Automated Exfiltration", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["Gamaredon Group", "Ke3chang", "Sidewinder", "Tropic Trooper"]}, {"mitre_attack_id": "T1498", "mitre_attack_technique": "Network Denial of Service", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1020.001", "mitre_attack_technique": "Traffic Duplication", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "`cisco_networks` (facility=\"MIRROR\" mnemonic=\"ETH_SPAN_SESSION_UP\") OR (facility=\"SPAN\" mnemonic=\"SESSION_UP\") OR (facility=\"SPAN\" mnemonic=\"PKTCAP_START\") OR (mnemonic=\"CFGLOG_LOGGEDCMD\" command=\"monitor session*\") | stats min(_time) AS firstTime max(_time) AS lastTime count BY host facility mnemonic | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `detect_traffic_mirroring_filter`", "how_to_implement": "This search uses a standard SPL query on logs from Cisco Network devices. The network devices must log with a severity level of minimum \"5 - notification\". The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices and that the devices have been configured according to the documentation of the Cisco Networks Add-on. Also note that an attacker may disable logging from the device prior to enabling traffic mirroring.", "known_false_positives": "This search will return false positives for any legitimate traffic captures by network administrators.", "datamodel": [], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "cisco_networks", "definition": "eventtype=cisco_ios", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "detect_traffic_mirroring_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Unauthorized Assets by MAC address", "author": "Bhavin Patel, Splunk", "date": "2017-09-13", "version": 2, "id": "dcfd6b40-42f9-469d-a433-2e53f7489ff4", "description": "By populating the organization's assets within the assets_by_str.csv, we will be able to detect unauthorized devices that are trying to connect with the organization's network by inspecting DHCP request packets, which are issued by devices when they attempt to obtain an IP address from the DHCP server. The MAC address associated with the source of the DHCP request is checked against the list of known devices, and reports on those that are not found.", "references": [], "tags": {"analytic_story": ["Asset Tracking"], "asset_type": "Infrastructure", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count from datamodel=Network_Sessions where nodename=All_Sessions.DHCP All_Sessions.tag=dhcp by All_Sessions.dest_ip All_Sessions.dest_mac | dedup All_Sessions.dest_mac| `drop_dm_object_name(\"Network_Sessions\")`|`drop_dm_object_name(\"All_Sessions\")` | search NOT [| inputlookup asset_lookup_by_str |rename mac as dest_mac | fields + dest_mac] | `detect_unauthorized_assets_by_mac_address_filter`", "how_to_implement": "This search uses the Network_Sessions data model shipped with Enterprise Security. It leverages the Assets and Identity framework to populate the assets_by_str.csv file located in SA-IdentityManagement, which will contain a list of known authorized organizational assets including their MAC addresses. Ensure that all inventoried systems have their MAC address populated.", "known_false_positives": "This search might be prone to high false positives. Please consider this when conducting analysis or investigations. Authorized devices may be detected as unauthorized. If this is the case, verify the MAC address of the system responsible for the false positive and add it to the Assets and Identity framework with the proper information.", "datamodel": ["Network_Sessions"], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_unauthorized_assets_by_mac_address_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Windows DNS SIGRed via Splunk Stream", "author": "Shannon Davis, Splunk", "date": "2020-07-28", "version": 1, "id": "babd8d10-d073-11ea-87d0-0242ac130003", "description": "Ensure that the following prerequisites are met: (i) Both Splunk Stream DNS and TCP data are ingested. (ii) The macros 'stream:dns' and 'stream:tcp' are replaced with the appropriate configurations that are specific to your Splunk environment. The following analytic detects SIGRed exploitation attempts. SIGRed is a critical wormable vulnerability found in Windows DNS servers, known as CVE-2020-1350, which allows remote code execution. The detection is made by using an experimental search that focuses on identifying specific indicators that might suggest the presence of the SIGRed exploit such as DNS SIG records, KEY records, and TCP payloads greater than 65KB. This detection is important because it detects and responds to potential SIGRed exploitation attempts and minimizes the risk of a successful attack and its impact on the organization's infrastructure and data. False positives might occur due to the experimental nature of this analytic. Next steps include reviewing and investigating each case thoroughly given the potential for unauthorized Windows DNS server access, data breaches, and service disruptions. Additionally, you must stay updated with Microsoft's guidance on the SIGRed vulnerability.", "references": [], "tags": {"analytic_story": ["Windows DNS SIGRed CVE-2020-1350"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1203", "mitre_attack_technique": "Exploitation for Client Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT12", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT41", "Andariel", "Aoqin Dragon", "Axiom", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "Higaisa", "Inception", "Lazarus Group", "Leviathan", "MuddyWater", "Mustang Panda", "Patchwork", "Sandworm Team", "Sidewinder", "TA459", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "admin@338"]}]}, "type": "TTP", "search": "`stream_dns` | spath \"query_type{}\" | search \"query_type{}\" IN (SIG,KEY) | spath protocol_stack | search protocol_stack=\"ip:tcp:dns\" | append [search `stream_tcp` bytes_out>65000] | `detect_windows_dns_sigred_via_splunk_stream_filter` | stats count by flow_id | where count>1 | fields - count", "how_to_implement": "You must be ingesting Splunk Stream DNS and Splunk Stream TCP. We are detecting SIG and KEY records via stream:dns and TCP payload over 65KB in size via stream:tcp. Replace the macro definitions ('stream:dns' and 'stream:tcp') with configurations for your Splunk environment.", "known_false_positives": "unknown", "datamodel": [], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "stream_dns", "definition": "sourcetype=stream:dns", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "stream_tcp", "definition": "sourcetype=stream:tcp", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_windows_dns_sigred_via_splunk_stream_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Windows DNS SIGRed via Zeek", "author": "Shannon Davis, Splunk", "date": "2020-07-28", "version": 1, "id": "c5c622e4-d073-11ea-87d0-0242ac130003", "description": "The following analytic detects the presence of SIGRed, a critical DNS vulnerability, using Zeek DNS and Zeek Conn data. SIGRed vulnerability allows attackers to run remote code on Windows DNS servers. By detecting SIGRed early, you can prevent further damage and protect the organization's network infrastructure. The detection is made by identifying specific DNS query types (SIG and KEY) in the Zeek DNS data and checks for high data transfer in the Zeek Conn data. If multiple instances of these indicators are found within a flow, it suggests the presence of SIGRed. The detection is important because it indicates a potential compromise of Windows DNS servers that suggests that an attacker might have gained unauthorized access to the DNS server and can run arbitrary code. The impact of this attack can be severe, leading to data exfiltration, unauthorized access, or disruption of critical services. Next steps include investigating the affected flow and taking immediate action to mitigate the vulnerability. This can involve patching the affected DNS server, isolating the server from the network, or conducting a forensic analysis to determine the extent of the compromise.", "references": [], "tags": {"analytic_story": ["Windows DNS SIGRed CVE-2020-1350"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1203", "mitre_attack_technique": "Exploitation for Client Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT12", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT41", "Andariel", "Aoqin Dragon", "Axiom", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "Higaisa", "Inception", "Lazarus Group", "Leviathan", "MuddyWater", "Mustang Panda", "Patchwork", "Sandworm Team", "Sidewinder", "TA459", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "admin@338"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count from datamodel=Network_Resolution where DNS.query_type IN (SIG,KEY) by DNS.flow_id | rename DNS.flow_id as flow_id | append [| tstats `security_content_summariesonly` count from datamodel=Network_Traffic where All_Traffic.bytes_in>65000 by All_Traffic.flow_id | rename All_Traffic.flow_id as flow_id] | `detect_windows_dns_sigred_via_zeek_filter` | stats count by flow_id | where count>1 | fields - count ", "how_to_implement": "You must be ingesting Zeek DNS and Zeek Conn data into Splunk. Zeek data should also be getting ingested in JSON format. We are detecting SIG and KEY records via bro:dns:json and TCP payload over 65KB in size via bro:conn:json. The Network Resolution and Network Traffic datamodels are in use for this search.", "known_false_positives": "unknown", "datamodel": ["Network_Traffic", "Network_Resolution"], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_windows_dns_sigred_via_zeek_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Zerologon via Zeek", "author": "Shannon Davis, Splunk", "date": "2020-09-15", "version": 1, "id": "bf7a06ec-f703-11ea-adc1-0242ac120002", "description": "The following analytic detects attempts to exploit the Zerologon CVE-2020-1472 vulnerability through Zeek RPC. By detecting attempts to exploit the Zerologon vulnerability through Zeek RPC, SOC analysts can identify potential threats earlier and take appropriate action to mitigate the risks. This detection is made by a Splunk query that looks for specific Zeek RPC operations, including NetrServerPasswordSet2, NetrServerReqChallenge, and NetrServerAuthenticate3, which are aggregated by source and destination IP address and time. This detection is important because it suggests that an attacker is attempting to exploit the Zerologon vulnerability to gain unauthorized access to the domain controller. Zerologon vulnerability is a critical vulnerability that allows attackers to take over domain controllers without authentication, leading to a complete takeover of an organization's IT infrastructure. The impact of such an attack can be severe, potentially leading to data theft, ransomware, or other devastating outcomes. False positives might occur since legitimate Zeek RPC activity can trigger the analytic. Next steps include reviewing the identified source and destination IP addresses and the specific RPC operations used. Capture and inspect any relevant on-disk artifacts, and review concurrent processes to identify the attack source upon triage .", "references": ["https://www.secura.com/blog/zero-logon", "https://github.com/SecuraBV/CVE-2020-1472", "https://msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-319a"], "tags": {"analytic_story": ["Detect Zerologon Attack", "Rhysida Ransomware"], "asset_type": "Network", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}]}, "type": "TTP", "search": "`zeek_rpc` operation IN (NetrServerPasswordSet2,NetrServerReqChallenge,NetrServerAuthenticate3) | bin span=5m _time | stats values(operation) dc(operation) as opscount count(eval(operation==\"NetrServerReqChallenge\")) as challenge count(eval(operation==\"NetrServerAuthenticate3\")) as authcount count(eval(operation==\"NetrServerPasswordSet2\")) as passcount count as totalcount by _time,src_ip,dest_ip | search opscount=3 authcount>4 passcount>0 | search `detect_zerologon_via_zeek_filter`", "how_to_implement": "You must be ingesting Zeek DCE-RPC data into Splunk. Zeek data should also be getting ingested in JSON format. We are detecting when all three RPC operations (NetrServerReqChallenge, NetrServerAuthenticate3, NetrServerPasswordSet2) are splunk_security_essentials_app via bro:rpc:json. These three operations are then correlated on the Zeek UID field.", "known_false_positives": "unknown", "datamodel": [], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "zeek_rpc", "definition": "index=zeek sourcetype=\"zeek:rpc:json\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_zerologon_via_zeek_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "DNS Query Length Outliers - MLTK", "author": "Rico Valdez, Splunk", "date": "2024-05-22", "version": 3, "id": "85fbcfe8-9718-4911-adf6-7000d077a3a9", "description": "The following analytic identifies DNS requests with unusually large query lengths for the record type being requested. It leverages the Network_Resolution data model and applies a machine learning model to detect outliers in DNS query lengths. This activity is significant because unusually large DNS queries can indicate data exfiltration or command-and-control communication attempts. If confirmed malicious, this activity could allow attackers to exfiltrate sensitive data or maintain persistent communication channels with compromised systems.", "references": [], "tags": {"analytic_story": ["Command And Control", "Hidden Cobra Malware", "Suspicious DNS Traffic"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1071.004", "mitre_attack_technique": "DNS", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT39", "APT41", "Chimera", "Cobalt Group", "FIN7", "Ke3chang", "LazyScripter", "OilRig", "Tropic Trooper"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Magic Hound", "Rocke", "TeamTNT"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as start_time max(_time) as end_time values(DNS.src) as src values(DNS.dest) as dest from datamodel=Network_Resolution by DNS.query DNS.record_type | search DNS.record_type=* | `drop_dm_object_name(DNS)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval query_length = len(query) | apply dns_query_pdfmodel threshold=0.01 | rename \"IsOutlier(query_length)\" as isOutlier | search isOutlier > 0 | sort -query_length | table start_time end_time query record_type count src dest query_length | `dns_query_length_outliers___mltk_filter` ", "how_to_implement": "To successfully implement this search, you will need to ensure that DNS data is populating the Network_Resolution data model. In addition, the Machine Learning Toolkit (MLTK) version 4.2 or greater must be installed on your search heads, along with any required dependencies. Finally, the support search \"Baseline of DNS Query Length - MLTK\" must be executed before this detection search, because it builds a machine-learning (ML) model over the historical data used by this search. It is important that this search is run in the same app context as the associated support search, so that the model created by the support search is available for use. You should periodically re-run the support search to rebuild the model with the latest data available in your environment.\nThis search produces fields (`query`,`query_length`,`count`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\n * **Label:** DNS Query, **Field:** query\n* **Label:** DNS Query Length, **Field:** query_length\n* **Label:** Number of events, **Field:** count\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`", "known_false_positives": "If you are seeing more results than desired, you may consider reducing the value for threshold in the search. You should also periodically re-run the support search to re-build the ML model on the latest data.", "datamodel": ["Network_Resolution"], "source": "network", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "dns_query_length_outliers___mltk_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "DNS Query Length With High Standard Deviation", "author": "Bhavin Patel, Splunk", "date": "2024-02-14", "version": 5, "id": "1a67f15a-f4ff-4170-84e9-08cf6f75d6f5", "description": "This search allows you to identify DNS requests and compute the standard deviation on the length of the names being resolved, then filter on two times the standard deviation to show you those queries that are unusually large for your environment.", "references": [], "tags": {"analytic_story": ["Command And Control", "Hidden Cobra Malware", "Suspicious DNS Traffic"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "A dns query $query$ with 2 time standard deviation of name len of the dns query in host $host$", "risk_score": 56, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count from datamodel=Network_Resolution where NOT DNS.record_type IN(\"Pointer\",\"PTR\") by DNS.query host| `drop_dm_object_name(\"DNS\")` | eval tlds=split(query,\".\") | eval tld=mvindex(tlds,-1) | eval tld_len=len(tld) | search tld_len<=24 | eval query_length = len(query) | table host query query_length record_type count | eventstats stdev(query_length) AS stdev avg(query_length) AS avg p50(query_length) AS p50| where query_length>(avg+stdev*2) | eval z_score=(query_length-avg)/stdev | `dns_query_length_with_high_standard_deviation_filter`", "how_to_implement": "To successfully implement this search, you will need to ensure that DNS data is populating the Network_Resolution data model.", "known_false_positives": "It's possible there can be long domain names that are legitimate.", "datamodel": ["Network_Resolution"], "source": "network", "nes_fields": null, "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "dns_query_length_with_high_standard_deviation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Excessive DNS Failures", "author": "bowesmana, Bhavin Patel, Splunk", "date": "2024-05-20", "version": 4, "id": "104658f4-afdc-499e-9719-17243f9826f1", "description": "The following analytic identifies excessive DNS query failures by counting DNS responses that do not indicate success, triggering when there are more than 50 occurrences. It leverages the Network_Resolution data model, focusing on DNS reply codes that signify errors. This activity is significant because a high number of DNS failures can indicate potential network misconfigurations, DNS poisoning attempts, or malware communication issues. If confirmed malicious, this activity could lead to disrupted network services, hindered communication, or data exfiltration attempts by attackers.", "references": [], "tags": {"analytic_story": ["Command And Control", "Suspicious DNS Traffic"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control"], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "Hostname", "role": ["Victim"]}], "message": "Excessive DNS failures detected on $src$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1071.004", "mitre_attack_technique": "DNS", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT39", "APT41", "Chimera", "Cobalt Group", "FIN7", "Ke3chang", "LazyScripter", "OilRig", "Tropic Trooper"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Magic Hound", "Rocke", "TeamTNT"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count from datamodel=Network_Resolution where nodename=DNS \"DNS.reply_code\"!=\"No Error\" \"DNS.reply_code\"!=\"NoError\" DNS.reply_code!=\"unknown\" NOT \"DNS.query\"=\"*.arpa\" \"DNS.query\"=\"*.*\" by \"DNS.src\" \"DNS.query\" \"DNS.reply_code\" | `drop_dm_object_name(\"DNS\")` | lookup cim_corporate_web_domain_lookup domain as query OUTPUT domain | where isnull(domain) | lookup update=true alexa_lookup_by_str domain as query OUTPUT rank | where isnull(rank) | eventstats max(count) as mc by src reply_code | eval mode_query=if(count=mc, query, null()) | stats sum(count) as count values(mode_query) as query values(mc) as max_query_count by src reply_code | where count>50 | `get_asset(src)` | `excessive_dns_failures_filter` ", "how_to_implement": "To successfully implement this search you must ensure that DNS data is populating the Network_Resolution data model.", "known_false_positives": "It is possible legitimate traffic can trigger this rule. Please investigate as appropriate. The threshold for generating an event can also be customized to better suit your environment.", "datamodel": ["Network_Resolution"], "source": "network", "nes_fields": null, "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "excessive_dns_failures_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "F5 BIG-IP iControl REST Vulnerability CVE-2022-1388", "author": "Michael Haag, Splunk", "date": "2022-05-10", "version": 1, "id": "bb1c2c30-107a-4e56-a4b9-1f7022867bfe", "description": "The following analytic identifies a recent unauthenticated remote code execution vulnerablity against the F5 BIG-IP iControl REST API. The analytic identifies the URI path found in the POCs and the HTTP Method of POST. In addition, the request header will have the commands that may be executed in fields utilcmdargs and the auth field of X-F5-Auth-Token, which may have a random base64 encoded value.", "references": ["https://github.com/dk4trin/templates-nuclei/blob/main/CVE-2022-1388.yaml", "https://www.randori.com/blog/vulnerability-analysis-cve-2022-1388/", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1388", "https://twitter.com/da_667/status/1523770267327250438?s=20&t=-JnB_aNWuJFsmcOmxGUWLQ", "https://github.com/horizon3ai/CVE-2022-1388/blob/main/CVE-2022-1388.py"], "tags": {"analytic_story": ["F5 BIG-IP Vulnerability CVE-2022-1388"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An attempt to exploit CVE-2022-1388 against an F5 appliance $dest$ has occurred.", "risk_score": 70, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats count from datamodel=Web where Web.url=\"*/mgmt/tm/util/bash*\" Web.http_method=\"POST\" by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. For additional filtering, allow list private IP space or restrict by known good.", "known_false_positives": "False positives may be present if the activity is blocked or was not successful. Filter known vulnerablity scanners. Filter as needed.", "datamodel": ["Web"], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "High Volume of Bytes Out to Url", "author": "Bhavin Patel, Splunk", "date": "2024-02-22", "version": 1, "id": "c8a6b56d-16dd-4e9c-b4bd-527742ead98d", "description": "The following analytic detects high volume of bytes out (greater than 1GB) to a URL within 2 mins of time window. This may be indicative of an attacker attempting to exfiltrate data. The search applies a fundamental threshold for detecting significant web uploads. This approach aims to identify potential data exfiltration activities by malware or malevolent insiders. View the alert for $dest$ to investigate further.", "references": ["https://attack.mitre.org/techniques/T1567/", "https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html", "https://www.bleepingcomputer.com/news/security/hacking-group-s-new-malware-abuses-google-and-facebook-services/"], "tags": {"analytic_story": ["Data Exfiltration"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Victim"]}, {"name": "dest", "type": "IP Address", "role": ["Attacker"]}], "message": "A high volume of bytes out to a URL $url$ was detected from src $src$ to dest $dest$.", "risk_score": 9, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1567", "mitre_attack_technique": "Exfiltration Over Web Service", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT28", "Magic Hound"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count sum(Web.bytes_out) as sum_bytes_out values(Web.user) as user values(Web.app) as app values(Web.dest) as dest from datamodel=Web by _time span=2m Web.url Web.src sourcetype | search sum_bytes_out > 1070000000 | `drop_dm_object_name(\"Web\")`| `high_volume_of_bytes_out_to_url_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel. Please adjust the threshold for the sum of bytes out as per your environment and user behavior.", "known_false_positives": "This search may trigger false positives if there is a legitimate reason for a high volume of bytes out to a URL. We recommend to investigate these findings. Consider updating the filter macro to exclude the applications that are relevant to your environment.", "datamodel": ["Web"], "source": "network", "nes_fields": null, "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "high_volume_of_bytes_out_to_url_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Hosts receiving high volume of network traffic from email server", "author": "Bhavin Patel, Splunk", "date": "2024-05-15", "version": 3, "id": "7f5fb3e1-4209-4914-90db-0ec21b556368", "description": "The following analytic identifies hosts receiving an unusually high volume of network traffic from an email server. It leverages the Network_Traffic data model to sum incoming bytes to clients from email servers, comparing current traffic against historical averages and standard deviations. This activity is significant as it may indicate data exfiltration by a malicious actor using the email server. If confirmed malicious, this could lead to unauthorized data access and potential data breaches, compromising sensitive information and impacting organizational security.", "references": [], "tags": {"analytic_story": ["Collection and Staging"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1114.002", "mitre_attack_technique": "Remote Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "Chimera", "Dragonfly", "FIN4", "HAFNIUM", "Ke3chang", "Kimsuky", "Leafminer", "Magic Hound"]}, {"mitre_attack_id": "T1114", "mitre_attack_technique": "Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Magic Hound", "Silent Librarian"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` sum(All_Traffic.bytes_in) as bytes_in from datamodel=Network_Traffic where All_Traffic.dest_category=email_server by All_Traffic.src_ip _time span=1d | `drop_dm_object_name(\"All_Traffic\")` | eventstats avg(bytes_in) as avg_bytes_in stdev(bytes_in) as stdev_bytes_in | eventstats count as num_data_samples avg(eval(if(_time < relative_time(now(), \"@d\"), bytes_in, null))) as per_source_avg_bytes_in stdev(eval(if(_time < relative_time(now(), \"@d\"), bytes_in, null))) as per_source_stdev_bytes_in by src_ip | eval minimum_data_samples = 4, deviation_threshold = 3 | where num_data_samples >= minimum_data_samples AND bytes_in > (avg_bytes_in + (deviation_threshold * stdev_bytes_in)) AND bytes_in > (per_source_avg_bytes_in + (deviation_threshold * per_source_stdev_bytes_in)) AND _time >= relative_time(now(), \"@d\") | eval num_standard_deviations_away_from_server_average = round(abs(bytes_in - avg_bytes_in) / stdev_bytes_in, 2), num_standard_deviations_away_from_client_average = round(abs(bytes_in - per_source_avg_bytes_in) / per_source_stdev_bytes_in, 2) | table src_ip, _time, bytes_in, avg_bytes_in, per_source_avg_bytes_in, num_standard_deviations_away_from_server_average, num_standard_deviations_away_from_client_average | `hosts_receiving_high_volume_of_network_traffic_from_email_server_filter`", "how_to_implement": "This search requires you to be ingesting your network traffic and populating the Network_Traffic data model. Your email servers must be categorized as \"email_server\" for the search to work, as well. You may need to adjust the deviation_threshold and minimum_data_samples values based on the network traffic in your environment. The \"deviation_threshold\" field is a multiplying factor to control how much variation you're willing to tolerate. The \"minimum_data_samples\" field is the minimum number of connections of data samples required for the statistic to be valid.", "known_false_positives": "The false-positive rate will vary based on how you set the deviation_threshold and data_samples values. Our recommendation is to adjust these values based on your network traffic to and from your email servers.", "datamodel": ["Network_Traffic"], "source": "network", "nes_fields": null, "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "hosts_receiving_high_volume_of_network_traffic_from_email_server_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Large Volume of DNS ANY Queries", "author": "Bhavin Patel, Splunk", "date": "2024-05-15", "version": 2, "id": "8fa891f7-a533-4b3c-af85-5aa2e7c1f1eb", "description": "The following analytic identifies a large volume of DNS ANY queries, which may indicate a DNS amplification attack. It leverages the Network_Resolution data model to count DNS queries of type \"ANY\" directed to specific destinations. This activity is significant because DNS amplification attacks can overwhelm network resources, leading to Denial of Service (DoS) conditions. If confirmed malicious, this activity could disrupt services, degrade network performance, and potentially be part of a larger Distributed Denial of Service (DDoS) attack, impacting the availability of critical infrastructure.", "references": [], "tags": {"analytic_story": ["DNS Amplification Attacks"], "asset_type": "DNS Servers", "cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1498", "mitre_attack_technique": "Network Denial of Service", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1498.002", "mitre_attack_technique": "Reflection Amplification", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count from datamodel=Network_Resolution where nodename=DNS \"DNS.message_type\"=\"QUERY\" \"DNS.record_type\"=\"ANY\" by \"DNS.dest\" | `drop_dm_object_name(\"DNS\")` | where count>200 | `large_volume_of_dns_any_queries_filter`", "how_to_implement": "To successfully implement this search you must ensure that DNS data is populating the Network_Resolution data model.", "known_false_positives": "Legitimate ANY requests may trigger this search, however it is unusual to see a large volume of them under typical circumstances. You may modify the threshold in the search to better suit your environment.", "datamodel": ["Network_Resolution"], "source": "network", "nes_fields": null, "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "large_volume_of_dns_any_queries_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Multiple Archive Files Http Post Traffic", "author": "Teoderick Contreras, Splunk", "date": "2023-11-07", "version": 2, "id": "4477f3ea-a28f-11eb-b762-acde48001122", "description": "This search is designed to detect high frequency of archive files data exfiltration through HTTP POST method protocol. This are one of the common techniques used by APT or trojan spy after doing the data collection like screenshot, recording, sensitive data to the infected machines. The attacker may execute archiving command to the collected data, save it a temp folder with a hidden attribute then send it to its C2 through HTTP POST. Sometimes adversaries will rename the archive files or encode/encrypt to cover their tracks. This detection can detect a renamed archive files transfer to HTTP POST since it checks the request body header. Unfortunately this detection cannot support archive that was encrypted or encoded before doing the exfiltration.", "references": ["https://attack.mitre.org/techniques/T1560/001/", "https://www.mandiant.com/resources/apt39-iranian-cyber-espionage-group-focused-on-personal-information", "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/"], "tags": {"analytic_story": ["Command And Control", "Data Exfiltration"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Victim"]}, {"name": "url", "type": "URL String", "role": ["Attacker"]}], "message": "A http post $http_method$ sending packet with possible archive bytes header in uri path $uri_path$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}]}, "type": "TTP", "search": "`stream_http` http_method=POST |eval archive_hdr1=substr(form_data,1,2) | eval archive_hdr2 = substr(form_data,1,4) |stats values(form_data) as http_request_body min(_time) as firstTime max(_time) as lastTime count by src_ip dest_ip http_method http_user_agent uri_path url bytes_in bytes_out archive_hdr1 archive_hdr2 |where count >20 AND (archive_hdr1 = \"7z\" OR archive_hdr1 = \"PK\" OR archive_hdr2=\"Rar!\") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `multiple_archive_files_http_post_traffic_filter` ", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the stream HTTP logs or network logs that catch network traffic. Make sure that the http-request-body, payload, or request field is enabled in stream http configuration.", "known_false_positives": "Normal archive transfer via HTTP protocol may trip this detection.", "datamodel": [], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "stream_http", "definition": "sourcetype=stream:http", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "multiple_archive_files_http_post_traffic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Ngrok Reverse Proxy on Network", "author": "Michael Haag, Splunk", "date": "2022-11-16", "version": 1, "id": "5790a766-53b8-40d3-a696-3547b978fcf0", "description": "The following analytic identifies the 4 most common Ngrok used domains based on DNS queries under the Network Resolution datamodel. It's possible these domains may be ran against the Web datamodel or ran with a direct query across network/proxy traffic. The sign of someone using Ngrok is not malicious, however, more recenctly it has become an adversary tool.", "references": ["https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf"], "tags": {"analytic_story": ["CISA AA22-320A", "Reverse Network Proxy"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control"], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "Hostname", "role": ["Victim"]}], "message": "An endpoint, $src$, is beaconing out to the reverse proxy service of Ngrok.", "risk_score": 50, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1572", "mitre_attack_technique": "Protocol Tunneling", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Chimera", "Cinnamon Tempest", "Cobalt Group", "FIN13", "FIN6", "Fox Kitten", "Leviathan", "Magic Hound", "OilRig"]}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "Cinnamon Tempest", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "MoustachedBouncer", "POLONIUM", "Sandworm Team", "Turla", "Volt Typhoon", "Windigo"]}, {"mitre_attack_id": "T1102", "mitre_attack_technique": "Web Service", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT32", "EXOTIC LILY", "Ember Bear", "FIN6", "FIN8", "Fox Kitten", "Gamaredon Group", "Inception", "LazyScripter", "Mustang Panda", "Rocke", "TeamTNT", "Turla"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Resolution where DNS.query IN (\"*.ngrok.com\",\"*.ngrok.io\", \"ngrok.*.tunnel.com\", \"korgn.*.lennut.com\") by DNS.src DNS.query DNS.answer | `drop_dm_object_name(\"DNS\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ngrok_reverse_proxy_on_network_filter`", "how_to_implement": "The Network Resolution Datamodel will need to have data mapped to it regarding DNS queries. Modify query as needed to use another source.", "known_false_positives": "False positives will be present based on organizations that allow the use of Ngrok. Filter or monitor as needed.", "datamodel": ["Network_Resolution"], "source": "network", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "ngrok_reverse_proxy_on_network_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Plain HTTP POST Exfiltrated Data", "author": "Teoderick Contreras, Splunk", "date": "2023-11-07", "version": 2, "id": "e2b36208-a364-11eb-8909-acde48001122", "description": "This search is to detect potential plain HTTP POST method data exfiltration. This network traffic is commonly used by trickbot, trojanspy, keylogger or APT adversary where arguments or commands are sent in plain text to the remote C2 server using HTTP POST method as part of data exfiltration.", "references": ["https://blog.talosintelligence.com/2020/03/trickbot-primer.html"], "tags": {"analytic_story": ["Command And Control", "Data Exfiltration"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Victim"]}], "message": "A http post $http_method$ sending packet with plain text of information in uri path $uri_path$", "risk_score": 63, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}]}, "type": "TTP", "search": "`stream_http` http_method=POST form_data IN (\"*wermgr.exe*\",\"*svchost.exe*\", \"*name=\\\"proclist\\\"*\",\"*ipconfig*\", \"*name=\\\"sysinfo\\\"*\", \"*net view*\") |stats values(form_data) as http_request_body min(_time) as firstTime max(_time) as lastTime count by src_ip dest_ip http_method http_user_agent uri_path url bytes_in bytes_out | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `plain_http_post_exfiltrated_data_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the stream HTTP logs or network logs that catch network traffic. Make sure that the http-request-body, payload, or request field is enabled.", "known_false_positives": "unknown", "datamodel": [], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "stream_http", "definition": "sourcetype=stream:http", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "plain_http_post_exfiltrated_data_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Prohibited Network Traffic Allowed", "author": "Rico Valdez, Splunk", "date": "2024-02-27", "version": 2, "id": "ce5a0962-849f-4720-a678-753fe6674479", "description": "The following analytic detects instances where network traffic, specifically identified by port and transport layer protocol as prohibited in the \"lookup_interesting_ports\" table, is allowed according to the Network_Traffic data model. It operates by cross-referencing traffic data against predefined security policies to identify discrepancies indicative of potential misconfigurations or policy violations. This detection is crucial for a Security Operations Center (SOC) as it highlights potential security breaches or misconfigured network devices that could allow unauthorized access or data exfiltration, directly impacting the organization's security posture.", "references": [], "tags": {"analytic_story": ["Command And Control", "Prohibited Traffic Allowed or Protocol Mismatch", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Victim"]}, {"name": "dest_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.action = allowed by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.action | lookup update=true interesting_ports_lookup dest_port as All_Traffic.dest_port OUTPUT app is_prohibited note transport | search is_prohibited=true | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\"All_Traffic\")` | `prohibited_network_traffic_allowed_filter`", "how_to_implement": "In order to properly run this search, Splunk needs to ingest data from firewalls or other network control devices that mediate the traffic allowed into an environment. This is necessary so that the search can identify an 'action' taken on the traffic of interest. The search requires the Network_Traffic data model be populated.", "known_false_positives": "None identified", "datamodel": ["Network_Traffic"], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "prohibited_network_traffic_allowed_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Protocol or Port Mismatch", "author": "Rico Valdez, Splunk", "date": "2020-07-21", "version": 2, "id": "54dc1265-2f74-4b6d-b30d-49eb506a31b3", "description": "This search looks for network traffic on common ports where a higher layer protocol does not match the port that is being used. For example, this search should identify cases where protocols other than HTTP are running on TCP port 80. This can be used by attackers to circumvent firewall restrictions, or as an attempt to hide malicious communications over ports and protocols that are typically allowed and not well inspected.", "references": [], "tags": {"analytic_story": ["Command And Control", "Prohibited Traffic Allowed or Protocol Mismatch"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where (All_Traffic.app=dns NOT All_Traffic.dest_port=53) OR ((All_Traffic.app=web-browsing OR All_Traffic.app=http) NOT (All_Traffic.dest_port=80 OR All_Traffic.dest_port=8080 OR All_Traffic.dest_port=8000)) OR (All_Traffic.app=ssl NOT (All_Traffic.dest_port=443 OR All_Traffic.dest_port=8443)) OR (All_Traffic.app=smtp NOT All_Traffic.dest_port=25) by All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.app, All_Traffic.dest_port |`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\"All_Traffic\")` | `protocol_or_port_mismatch_filter`", "how_to_implement": "Running this search properly requires a technology that can inspect network traffic and identify common protocols. Technologies such as Bro and Palo Alto Networks firewalls are two examples that will identify protocols via inspection, and not just assume a specific protocol based on the transport protocol and ports.", "known_false_positives": "None identified", "datamodel": ["Network_Traffic"], "source": "network", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "protocol_or_port_mismatch_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Protocols passing authentication in cleartext", "author": "Rico Valdez, Splunk", "date": "2021-08-19", "version": 3, "id": "6923cd64-17a0-453c-b945-81ac2d8c6db9", "description": "The following analytic identifies cleartext protocols at risk of leaking sensitive information. Currently, this consists of legacy protocols such as telnet (port 23), POP3 (port 110), IMAP (port 143), and non-anonymous FTP (port 21) sessions. While some of these protocols may be used over SSL, they typically are found on different assigned ports in those instances.", "references": ["https://www.rackaid.com/blog/secure-your-email-and-file-transfers/", "https://www.infosecmatter.com/capture-passwords-using-wireshark/"], "tags": {"analytic_story": ["Use of Cleartext Protocols"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.action!=blocked AND All_Traffic.transport=\"tcp\" AND (All_Traffic.dest_port=\"23\" OR All_Traffic.dest_port=\"143\" OR All_Traffic.dest_port=\"110\" OR (All_Traffic.dest_port=\"21\" AND All_Traffic.user != \"anonymous\")) by All_Traffic.user All_Traffic.src All_Traffic.dest All_Traffic.dest_port | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\"All_Traffic\")` | `protocols_passing_authentication_in_cleartext_filter`", "how_to_implement": "This search requires you to be ingesting your network traffic, and populating the Network_Traffic data model. For more accurate result it's better to limit destination to organization private and public IP range, like All_Traffic.dest IN(192.168.0.0/16,172.16.0.0/12,10.0.0.0/8, x.x.x.x/22)", "known_false_positives": "Some networks may use kerberized FTP or telnet servers, however, this is rare.", "datamodel": ["Network_Traffic"], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "protocols_passing_authentication_in_cleartext_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Remote Desktop Network Bruteforce", "author": "Jose Hernandez, Splunk", "date": "2024-05-17", "version": 3, "id": "a98727cc-286b-4ff2-b898-41df64695923", "description": "The following analytic identifies potential Remote Desktop Protocol (RDP) brute force attacks by monitoring network traffic for RDP application activity. It detects anomalies by filtering source and destination pairs that generate traffic exceeding twice the standard deviation of the average traffic. This method leverages the Network_Traffic data model to identify unusual patterns indicative of brute force attempts. This activity is significant as it may indicate an attacker attempting to gain unauthorized access to systems via RDP. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or further network compromise.", "references": [], "tags": {"analytic_story": ["Ryuk Ransomware", "SamSam Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "$dest$ may be the target of an RDP Bruteforce", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "APT5", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.app=rdp by All_Traffic.src All_Traffic.dest All_Traffic.dest_port | eventstats stdev(count) AS stdev avg(count) AS avg p50(count) AS p50 | where count>(avg + stdev*2) | rename All_Traffic.src AS src All_Traffic.dest AS dest | table firstTime lastTime src dest count avg p50 stdev | `remote_desktop_network_bruteforce_filter`", "how_to_implement": "You must ensure that your network traffic data is populating the Network_Traffic data model.", "known_false_positives": "RDP gateways may have unusually high amounts of traffic from all other hosts' RDP applications in the network.", "datamodel": ["Network_Traffic"], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "remote_desktop_network_bruteforce_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Remote Desktop Network Traffic", "author": "David Dorsey, Splunk", "date": "2024-02-27", "version": 4, "id": "272b8407-842d-4b3d-bead-a704584003d3", "description": "The following analytic detects unusual Remote Desktop Protocol (RDP) traffic on TCP/3389, the default RDP port. It identifies this activity by filtering out traffic from known RDP sources and destinations, focusing on atypical RDP connections within the network. This detection is crucial for a Security Operations Center (SOC) as unauthorized RDP access can indicate an attacker's attempt to gain control over networked systems, potentially leading to data theft, ransomware deployment, or further network compromise. The impact of such unauthorized access can be significant, ranging from data breaches to complete system and network control loss.", "references": [], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Hidden Cobra Malware", "Ryuk Ransomware", "SamSam Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Victim"]}, {"name": "dest", "type": "IP Address", "role": ["Attacker"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "APT5", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.dest_port=3389 AND All_Traffic.dest_category!=common_rdp_destination AND All_Traffic.src_category!=common_rdp_source AND All_Traffic.action=\"allowed\" by All_Traffic.src All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(\"All_Traffic\")` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `remote_desktop_network_traffic_filter` ", "how_to_implement": "To successfully implement this search you need to identify systems that commonly originate remote desktop traffic and that commonly receive remote desktop traffic. You can use the included support search \"Identify Systems Creating Remote Desktop Traffic\" to identify systems that originate the traffic and the search \"Identify Systems Receiving Remote Desktop Traffic\" to identify systems that receive a lot of remote desktop traffic. After identifying these systems, you will need to add the \"common_rdp_source\" or \"common_rdp_destination\" category to that system depending on the usage, using the Enterprise Security Assets and Identities framework. This can be done by adding an entry in the assets.csv file located in SA-IdentityManagement/lookups.", "known_false_positives": "Remote Desktop may be used legitimately by users on the network.", "datamodel": ["Network_Traffic"], "source": "network", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "remote_desktop_network_traffic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "SMB Traffic Spike", "author": "David Dorsey, Splunk", "date": "2020-07-22", "version": 3, "id": "7f5fb3e1-4209-4914-90db-0ec21b936378", "description": "The following analytic detects spikes in the number of Server Message Block (SMB) traffic connections. SMB is a network protocol used for sharing files, printers, and other resources between computers. This detection is made by a Splunk query that looks for SMB traffic connections on ports 139 and 445, as well as connections using the SMB application. The query calculates the average and standard deviation of the number of SMB connections over the past 70 minutes, and identifies any sources that exceed two standard deviations from the average. This helps to filter out false positives caused by normal fluctuations in SMB traffic. This detection is important because it identifies potential SMB-based attacks, such as ransomware or data theft, which often involve a large number of SMB connections. This suggests that an attacker is attempting to exfiltrate data or spread malware within the network. Next steps include investigating the source of the traffic and determining if it is malicious. This can involve reviewing network logs, capturing and analyzing any relevant network packets, and correlating with other security events to identify the attack source and mitigate the risk.", "references": [], "tags": {"analytic_story": ["DHS Report TA18-074A", "Emotet Malware DHS Report TA18-201A", "Hidden Cobra Malware", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count from datamodel=Network_Traffic where All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb by _time span=1h, All_Traffic.src | `drop_dm_object_name(\"All_Traffic\")` | eventstats max(_time) as maxtime | stats count as num_data_samples max(eval(if(_time >= relative_time(maxtime, \"-70m@m\"), count, null))) as count avg(eval(if(_time upperBound AND num_data_samples >=50, 1, 0) | where isOutlier=1 | table src count | `smb_traffic_spike_filter` ", "how_to_implement": "This search requires you to be ingesting your network traffic logs and populating the `Network_Traffic` data model.", "known_false_positives": "A file server may experience high-demand loads that could cause this analytic to trigger.", "datamodel": ["Network_Traffic"], "source": "network", "nes_fields": null, "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "smb_traffic_spike_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "SMB Traffic Spike - MLTK", "author": "Rico Valdez, Splunk", "date": "2024-05-21", "version": 4, "id": "d25773ba-9ad8-48d1-858e-07ad0bbeb828", "description": "The following analytic identifies spikes in the number of Server Message Block (SMB) connections using the Machine Learning Toolkit (MLTK). It leverages the Network_Traffic data model to monitor SMB traffic on ports 139 and 445, applying a machine learning model to detect anomalies. This activity is significant because sudden increases in SMB traffic can indicate lateral movement or data exfiltration attempts by attackers. If confirmed malicious, this behavior could lead to unauthorized access, data theft, or further compromise of the network.", "references": [], "tags": {"analytic_story": ["DHS Report TA18-074A", "Emotet Malware DHS Report TA18-201A", "Hidden Cobra Malware", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count values(All_Traffic.dest_ip) as dest values(All_Traffic.dest_port) as port from datamodel=Network_Traffic where All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb by _time span=1h, All_Traffic.src | eval HourOfDay=strftime(_time, \"%H\") | eval DayOfWeek=strftime(_time, \"%A\") | `drop_dm_object_name(All_Traffic)` | apply smb_pdfmodel threshold=0.001 | rename \"IsOutlier(count)\" as isOutlier | search isOutlier > 0 | sort -count | table _time src dest port count | `smb_traffic_spike___mltk_filter` ", "how_to_implement": "To successfully implement this search, you will need to ensure that DNS data is populating the Network_Traffic data model. In addition, the latest version of Machine Learning Toolkit (MLTK) must be installed on your search heads, along with any required dependencies. Finally, the support search \"Baseline of SMB Traffic - MLTK\" must be executed before this detection search, because it builds a machine-learning (ML) model over the historical data used by this search. It is important that this search is run in the same app context as the associated support search, so that the model created by the support search is available for use. You should periodically re-run the support search to rebuild the model with the latest data available in your environment.\nThis search produces a field (Number of events,count) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. This field contributes additional context to the notable. To see the additional metadata, add the following field, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\n* **Label:** Number of events, **Field:** count\nDetailed documentation on how to create a new field within Incident Review is found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`", "known_false_positives": "If you are seeing more results than desired, you may consider reducing the value of the threshold in the search. You should also periodically re-run the support search to re-build the ML model on the latest data. Please update the `smb_traffic_spike_mltk_filter` macro to filter out false positive results", "datamodel": ["Network_Traffic"], "source": "network", "nes_fields": null, "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "smb_traffic_spike___mltk_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Identified SSL TLS Certificates", "author": "Michael Haag, Splunk", "date": "2022-05-25", "version": 1, "id": "620fbb89-86fd-4e2e-925f-738374277586", "description": "The following analytic uses tags of SSL, TLS and certificate to identify the usage of the Splunk default certificates being utilized in the environment. Recommended guidance is to utilize valid TLS certificates which documentation may be found in Splunk Docs - https://docs.splunk.com/Documentation/Splunk/8.2.6/Security/AboutsecuringyourSplunkconfigurationwithSSL.", "references": ["https://docs.splunk.com/Documentation/Splunk/8.2.6/Security/AboutsecuringyourSplunkconfigurationwithSSL", "https://www.github.com/splunk/security_content/blob/develop/workbooks/splunk_psa_0622.json"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Proxy", "cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "The following $host$ is using the self signed Splunk certificate.", "risk_score": 42, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1040", "mitre_attack_technique": "Network Sniffing", "mitre_attack_tactics": ["Credential Access", "Discovery"], "mitre_attack_groups": ["APT28", "APT33", "DarkVishnya", "Kimsuky", "Sandworm Team"]}]}, "type": "Hunting", "search": "tag IN (ssl, tls, certificate) ssl_issuer_common_name=*splunk* | stats values(src) AS \"Host(s) with Default Cert\" count by ssl_issuer ssl_subject_common_name ssl_subject_organization ssl_subject host sourcetype | `splunk_identified_ssl_tls_certificates_filter`", "how_to_implement": "Ingestion of SSL/TLS data is needed and to be tagged properly as ssl, tls or certificate. This data may come from a proxy, zeek, or Splunk Streams. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as \"curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json\". A user should then create an empty container or case, attach the workbook, and begin working through the tasks.", "known_false_positives": "False positives will not be present as it is meant to assist with identifying default certificates being utilized.", "datamodel": [], "source": "network", "nes_fields": null, "macros": [{"name": "splunk_identified_ssl_tls_certificates_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "SSL Certificates with Punycode", "author": "Michael Haag, Splunk", "date": "2022-11-01", "version": 1, "id": "696694df-5706-495a-81f2-79501fa11b90", "description": "The following analytic utilizes the Certificates Datamodel to look for punycode domains, starting with xn--, found in the SSL issuer email domain. The presence of punycode here does not equate to evil, therefore we need to decode the punycode to determine what it translates to. Remove the CyberChef recipe as needed and decode manually. Note that this is not the exact location of the malicious punycode to trip CVE-2022-3602, but a method to at least identify fuzzing occurring on these email paths. What does evil look like? it will start with", "references": ["https://www.splunk.com/en_us/blog/security/nothing-puny-about-cve-2022-3602.html", "https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/", "https://community.emergingthreats.net/t/out-of-band-ruleset-update-summary-2022-11-01/117", "https://github.com/corelight/CVE-2022-3602/tree/master/scripts"], "tags": {"analytic_story": ["OpenSSL CVE-2022-3602"], "asset_type": "Network", "cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A x509 certificate has been identified to have punycode in the SSL issuer email domain on $dest$.", "risk_score": 15, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1573", "mitre_attack_technique": "Encrypted Channel", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT29", "BITTER", "Magic Hound", "Tropic Trooper"]}]}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Certificates.All_Certificates by All_Certificates.SSL.ssl_issuer_email_domain All_Certificates.SSL.ssl_issuer All_Certificates.SSL.ssl_subject_email All_Certificates.SSL.dest All_Certificates.SSL.src All_Certificates.SSL.sourcetype All_Certificates.SSL.ssl_subject_email_domain | `drop_dm_object_name(\"All_Certificates.SSL\")` | eval punycode=if(like(ssl_issuer_email_domain,\"%xn--%\"),1,0) | where punycode=1 | cyberchef infield=\"ssl_issuer_email_domain\" outfield=\"convertedPuny\" jsonrecipe=\"[{\"op\":\"From Punycode\",\"args\":[true]}]\" | table ssl_issuer_email_domain convertedPuny ssl_issuer ssl_subject_email dest src sourcetype ssl_subject_email_domain | `ssl_certificates_with_punycode_filter`", "how_to_implement": "Ensure data is properly being ingested into the Certificates datamodel. If decoding the of interest, the CyberChef app is needed https://splunkbase.splunk.com/app/5348. If decoding is not needed, remove the cyberchef lines.", "known_false_positives": "False positives may be present if the organization works with international businesses. Filter as needed.", "datamodel": [], "source": "network", "nes_fields": null, "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "ssl_certificates_with_punycode_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "TOR Traffic", "author": "David Dorsey, Bhavin Patel, Splunk", "date": "2023-09-20", "version": 3, "id": "ea688274-9c06-4473-b951-e4cb7a5d7a45", "description": "The following analytic looks for allowed network traffic to The Onion Router(TOR), a benign anonymity network which can be abused for a variety of nefarious purposes. Detecting Tor traffic is paramount for upholding network security and mitigating potential threats. Tor's capacity to provide users with anonymity has been exploited by cybercriminals for activities like hacking, data breaches, and illicit content dissemination. Additionally, organizations must monitor Tor usage within their networks to ensure compliance with policies and regulations, as it can bypass conventional monitoring and filtering measures. Lastly, the ability to identify Tor traffic empowers security teams to promptly investigate and address potential security incidents, fortifying the protection of sensitive data and preserving the integrity of the network environment.", "references": ["https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRtCAK", "https://unit42.paloaltonetworks.com/tor-traffic-enterprise-networks/#:~:text=For%20enterprises%20concerned%20about%20the,the%20most%20important%20security%20risks."], "tags": {"analytic_story": ["Command And Control", "NOBELIUM Group", "Prohibited Traffic Allowed or Protocol Mismatch", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control"], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Victim"]}], "message": "Suspicious network traffic allowed using TOR has been detected from $src_ip$ to $dest_ip$", "risk_score": 80, "security_domain": "network", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "Cinnamon Tempest", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "MoustachedBouncer", "POLONIUM", "Sandworm Team", "Turla", "Volt Typhoon", "Windigo"]}, {"mitre_attack_id": "T1090.003", "mitre_attack_technique": "Multi-hop Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT28", "APT29", "FIN4", "Inception", "Leviathan"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.app=tor AND All_Traffic.action=allowed by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.action | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\"All_Traffic\")` | `tor_traffic_filter`", "how_to_implement": "In order to properly run this search, Splunk needs to ingest data from Next Generation Firewalls like Palo Alto Networks Firewalls or other network control devices that mediate the traffic allowed into an environment. This is necessary so that the search can identify an 'action' taken on the traffic of interest. The search requires the Network_Traffic data model to be populated.", "known_false_positives": "None at this time", "datamodel": ["Network_Traffic"], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "tor_traffic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Unusually Long Content-Type Length", "author": "Bhavin Patel, Splunk", "date": "2024-05-13", "version": 2, "id": "57a0a2bf-353f-40c1-84dc-29293f3c35b7", "description": "The following analytic identifies unusually long strings in the Content-Type HTTP header sent by the client to the server. It uses data from the Stream:HTTP source, specifically evaluating the length of the `cs_content_type` field. This activity is significant because excessively long Content-Type headers can indicate attempts to exploit vulnerabilities or evade detection mechanisms. If confirmed malicious, this behavior could allow attackers to execute code, manipulate data, or bypass security controls, potentially leading to unauthorized access or data breaches.", "references": [], "tags": {"analytic_story": ["Apache Struts Vulnerability"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`stream_http` | eval cs_content_type_length = len(cs_content_type) | where cs_content_type_length > 100 | table endtime src_ip dest_ip cs_content_type_length cs_content_type url | `unusually_long_content_type_length_filter`", "how_to_implement": "This particular search leverages data extracted from Stream:HTTP. You must configure the http stream using the Splunk Stream App on your Splunk Stream deployment server to extract the cs_content_type field.", "known_false_positives": "Very few legitimate Content-Type fields will have a length greater than 100 characters.", "datamodel": [], "source": "network", "nes_fields": null, "macros": [{"name": "stream_http", "definition": "sourcetype=stream:http", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "unusually_long_content_type_length_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows AD Replication Service Traffic", "author": "Steven Dick", "date": "2022-11-26", "version": 1, "id": "c6e24183-a5f4-4b2a-ad01-2eb456d09b67", "description": "This search looks for evidence of Active Directory replication traffic [MS-DRSR] from unexpected sources. This traffic is often seen exclusively between Domain Controllers for AD database replication. Any detections from non-domain controller source to a domain controller may indicate the usage of DCSync or DCShadow credential dumping techniques.", "references": ["https://adsecurity.org/?p=1729", "https://attack.mitre.org/techniques/T1003/006/", "https://attack.mitre.org/techniques/T1207/"], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "IP Address", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Active Directory Replication Traffic from Unknown Source - $src$", "risk_score": 100, "security_domain": "network", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1003.006", "mitre_attack_technique": "DCSync", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Earth Lusca", "LAPSUS$"]}, {"mitre_attack_id": "T1207", "mitre_attack_technique": "Rogue Domain Controller", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(All_Traffic.transport) as transport values(All_Traffic.user) as user values(All_Traffic.src_category) as src_category values(All_Traffic.dest_category) as dest_category min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.app IN (\"ms-dc-replication\",\"*drsr*\",\"ad drs\") by All_Traffic.src All_Traffic.dest All_Traffic.app | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\"All_Traffic\")` | `windows_ad_replication_service_traffic_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting application aware firewall or proxy logs into the Network Datamodel. Categorize all known domain controller Assets servers with an appropriate category for filtering.", "known_false_positives": "New domain controllers or certian scripts run by administrators.", "datamodel": ["Network_Traffic"], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_ad_replication_service_traffic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows AD Rogue Domain Controller Network Activity", "author": "Dean Luxton", "date": "2022-09-08", "version": 1, "id": "c4aeeeef-da7f-4338-b3ba-553cbcbe2138", "description": "This detection is looking at zeek wiredata for specific replication RPC calls being performed from a device which is not a domain controller. If you would like to capture these RPC calls using Splunk Stream, please vote for my idea here https://ideas.splunk.com/ideas/APPSID-I-619 ;)", "references": ["https://adsecurity.org/?p=1729"], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "dest", "type": "IP Address", "role": ["Victim"]}], "message": "Rogue DC Activity Detected from $src_category$ device $src$ to $dest$ ($dest_category$)", "risk_score": 100, "security_domain": "network", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1207", "mitre_attack_technique": "Rogue Domain Controller", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "type": "TTP", "search": "`zeek_rpc` DrsReplicaAdd OR DRSGetNCChanges | where NOT (dest_category=\"Domain Controller\") OR NOT (src_category=\"Domain Controller\") | fillnull value=\"Unknown\" src_category, dest_category | table _time endpoint operation src src_category dest dest_category | `windows_ad_rogue_domain_controller_network_activity_filter`", "how_to_implement": "Run zeek on domain controllers to capture the DCE RPC calls, ensure the domain controller categories are defined in Assets and Identities.", "known_false_positives": "None.", "datamodel": ["Change"], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "zeek_rpc", "definition": "index=zeek sourcetype=\"zeek:rpc:json\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_ad_rogue_domain_controller_network_activity_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Zeek x509 Certificate with Punycode", "author": "Michael Haag, Splunk", "date": "2022-11-03", "version": 1, "id": "029d6fe4-a5fe-43af-827e-c78c50e81d81", "description": "The following analytic utilizes the Zeek x509 log. Modify the zeek_x509 macro with your index and sourcetype as needed. You will need to ensure the full x509 is logged as the potentially malicious punycode is nested under subject alternative names. In this particular analytic, it will identify punycode within the subject alternative name email and other fields. Note, that OtherFields is meant to be BOOL (true,false), therefore we may never see xn-- in that field. Upon identifying punycode, manually copy and paste, or add CyberChef recipe to query, and decode the punycode manually.", "references": ["https://community.emergingthreats.net/t/out-of-band-ruleset-update-summary-2022-11-01/117", "https://github.com/corelight/CVE-2022-3602/tree/master/scripts", "https://docs.zeek.org/en/master/logs/x509.html", "https://www.splunk.com/en_us/blog/security/nothing-puny-about-cve-2022-3602.html", "https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/", "https://docs.zeek.org/en/master/scripts/base/init-bare.zeek.html#type-X509::SubjectAlternativeName"], "tags": {"analytic_story": ["OpenSSL CVE-2022-3602"], "asset_type": "Network", "cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A x509 certificate has been identified to have punycode in the subject alternative name on $dest$.", "risk_score": 15, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1573", "mitre_attack_technique": "Encrypted Channel", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT29", "BITTER", "Magic Hound", "Tropic Trooper"]}]}, "type": "Hunting", "search": "`zeek_x509` | rex field=san.email{} \"\\@(?xn--.*)\" | rex field=san.other_fields{} \"\\@(?xn--.*)\" | stats values(domain_detected) by basic_constraints.ca source host | `zeek_x509_certificate_with_punycode_filter`", "how_to_implement": "The following analytic requires x509 certificate data to be logged entirely. In particular, for CVE-2022-3602, the punycode will be within the leaf certificate. The analytic may be modified to look for all xn--, or utilize a network IDS/monitoring tool like Zeek or Suricata to drill down into cert captured. Note for Suricata, the certificate is base64 encoded and will need to be decoded to capture the punycode (punycode will need to be decoded after).", "known_false_positives": "False positives may be present if the organization works with international businesses. Filter as needed.", "datamodel": [], "source": "network", "nes_fields": null, "macros": [{"name": "zeek_x509", "definition": "sourcetype=\"zeek:x509:json\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "zeek_x509_certificate_with_punycode_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint", "author": "Michael Haag, Splunk", "date": "2024-01-16", "version": 1, "id": "15838756-f425-43fa-9d88-a7f88063e81a", "description": "This analytic monitors access to the /api/v1/configuration/users/user-roles/user-role/rest-userrole1/web/web-bookmarks/bookmark endpoint, a key indicator for both CVE-2023-46805 and CVE-2024-21887 vulnerabilities. It detects potential vulnerabilities by looking for a 403 Forbidden response with an empty body on this endpoint. This detection method is used in both Nmap script and Project Discovery Nuclei, with the latter focusing on systems where XML mitigation for these vulnerabilities has not been applied.", "references": ["https://github.com/RootUp/PersonalStuff/blob/master/http-vuln-cve2023-46805_2024_21887.nse", "https://github.com/projectdiscovery/nuclei-templates/blob/c6b351e71b0fb0e40e222e97038f1fe09ac58194/http/misconfiguration/ivanti/CVE-2023-46085-CVE-2024-21887-mitigation-not-applied.yaml", "https://github.com/rapid7/metasploit-framework/pull/18708/files"], "tags": {"analytic_story": ["Ivanti Connect Secure VPN Vulnerabilities"], "asset_type": "VPN Appliance", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Possible exploitation of CVE-2023-46805 and CVE-2024-21887 against $dest$.", "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}]}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url=\"*/api/v1/configuration/users/user-roles/user-role/rest-userrole1/web/web-bookmarks/bookmark*\" Web.http_method=GET Web.status=403 by Web.src, Web.dest, Web.http_user_agent, Web.status, Web.url source | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `access_to_vulnerable_ivanti_connect_secure_bookmark_endpoint_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto.", "known_false_positives": "This analytic is limited to HTTP Status 403; adjust as necessary. False positives may occur if the URI path is IP-restricted or externally blocked. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "access_to_vulnerable_ivanti_connect_secure_bookmark_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Adobe ColdFusion Access Control Bypass", "author": "Michael Haag, Splunk", "date": "2023-08-23", "version": 1, "id": "d6821c0b-fcdc-4c95-a77f-e10752fae41a", "description": "The following analytic detects potential exploitation attempts against Adobe ColdFusion vulnerabilities CVE-2023-29298 and CVE-2023-26360. These vulnerabilities pertain to an access control bypass and an arbitrary file read due to deserialization, respectively. By monitoring for requests to specific ColdFusion Administrator endpoints, especially those with an unexpected additional forward slash, the analytic identifies attempts to bypass access controls. Such behavior is crucial for a Security Operations Center (SOC) to identify, as exploitation can grant unauthorized access to ColdFusion administration endpoints, potentially leading to information leakage, brute force attacks, or further exploitation of other vulnerabilities. If a true positive is detected, it indicates a serious security breach where an attacker might have gained privileged access to the ColdFusion environment, potentially leading to data theft or other malicious activities. SOCs must be vigilant in monitoring for these patterns, ensuring timely detection and response to such threats, thus safeguarding the integrity and security of their ColdFusion deployments.", "references": ["https://www.rapid7.com/blog/post/2023/07/11/cve-2023-29298-adobe-coldfusion-access-control-bypass/"], "tags": {"analytic_story": ["Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360"], "asset_type": "Network", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible exploitation of CVE-2023-29298 against $dest$.", "risk_score": 45, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}]}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"//restplay*\", \"//CFIDE/restplay*\", \"//CFIDE/administrator*\", \"//CFIDE/adminapi*\", \"//CFIDE/main*\", \"//CFIDE/componentutils*\", \"//CFIDE/wizards*\", \"//CFIDE/servermanager*\",\"/restplay*\", \"/CFIDE/restplay*\", \"/CFIDE/administrator*\", \"/CFIDE/adminapi*\", \"/CFIDE/main*\", \"/CFIDE/componentutils*\", \"/CFIDE/wizards*\", \"/CFIDE/servermanager*\") Web.status=200 by Web.http_user_agent, Web.status, Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `adobe_coldfusion_access_control_bypass_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto.", "known_false_positives": "This analytic is limited to HTTP Status 200; adjust as necessary. False positives may occur if the URI path is IP-restricted or externally blocked. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "adobe_coldfusion_access_control_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Adobe ColdFusion Unauthenticated Arbitrary File Read", "author": "Michael Haag, Splunk", "date": "2023-08-23", "version": 1, "id": "695aceae-21db-4e7f-93ac-a52e39d02b93", "description": "The following analytic detects potential exploitation of the critical Adobe ColdFusion vulnerability, CVE-2023-26360. This flaw, rooted in the deserialization of untrusted data, enables Unauthenticated Arbitrary File Read. Exploitation often targets specific ColdFusion paths, especially related to CKEditor's file manager.\nOur analytic pinpoints exploitation by monitoring web requests to the \"/cf_scripts/scripts/ajax/ckeditor/*\" path. This focus helps differentiate malicious activity from standard ColdFusion traffic. For SOCs, detecting such attempts is vital given the vulnerability's CVSS score of 9.8, signaling its severity. Successful exploitation can lead to unauthorized data access, further attacks, or severe operational disruptions.\nIf a true positive arises, it indicates an active breach attempt, potentially causing data theft, operational disruption, or reputational damage. In essence, this analytic provides a targeted approach to identify attempts exploiting a high-risk ColdFusion vulnerability. While false positives may occur from legitimate accesses, any alerts should be treated as high-priority, warranting immediate investigation to ensure security.", "references": ["https://www.rapid7.com/db/modules/auxiliary/gather/adobe_coldfusion_fileread_cve_2023_26360/", "https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-26360.yaml"], "tags": {"analytic_story": ["Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360"], "asset_type": "Network", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible exploitation of CVE-2023-26360 against $dest$.", "risk_score": 45, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}]}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"/cf_scripts/scripts/ajax/ckeditor/*\") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `adobe_coldfusion_unauthenticated_arbitrary_file_read_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto.", "known_false_positives": "In the wild, we have observed three different types of attempts that could potentially trigger false positives if the HTTP status code is not in the query. Please check this github gist for the specific URIs : https://gist.github.com/patel-bhavin/d10830f3f375a2397233f6a4fe38d5c9 . These could be legitimate requests depending on the context of your organization. Therefore, it is recommended to modify the analytic as needed to suit your specific environment.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "adobe_coldfusion_unauthenticated_arbitrary_file_read_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Cisco IOS XE Implant Access", "author": "Michael Haag, Splunk", "date": "2023-10-17", "version": 1, "id": "07c36cda-6567-43c3-bc1a-89dff61e2cd9", "description": "The following analytic identifies potential exploitation of a previously unknown vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software (CVE-2023-20198). Successful exploitation allows an attacker to create an account on the affected device with privilege level 15 access, granting them full control of the compromised device. The detection is based on the observation of suspicious account creation and subsequent actions, including the deployment of an implant consisting of a configuration file. The implant is saved under the file path //usr//binos//conf//nginx-conf//cisco_service.conf and is not persistent, meaning a device reboot will remove it, but the newly created local user accounts remain active even after system reboots. The new user accounts have level 15 privileges, meaning they have full administrator access to the device. This privileged access to the devices and subsequent creation of new users is tracked as CVE-2023-20198.", "references": ["https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/", "https://github.com/vulncheck-oss/cisco-ios-xe-implant-scanner"], "tags": {"analytic_story": ["Cisco IOS XE Software Web Management User Interface vulnerability"], "asset_type": "Network", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible exploitation of CVE-2023-20198 against $dest$ by $src$.", "risk_score": 81, "security_domain": "network", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}]}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"/webui/logoutconfirm.html?logon_hash=*\") Web.http_method=POST Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `cisco_ios_xe_implant_access_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto.", "known_false_positives": "False positives may be present, restrict to Cisco IOS XE devices or perimeter appliances. Modify the analytic as needed based on hunting for successful exploitation of CVE-2023-20198.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cisco_ios_xe_implant_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Citrix ADC and Gateway Unauthorized Data Disclosure", "author": "Michael Haag, Splunk", "date": "2023-10-24", "version": 1, "id": "b593cac5-dd20-4358-972a-d945fefdaf17", "description": "The following analytic detects attempts to exploit the Citrix Bleed vulnerability, which can lead to the leaking of session tokens. The vulnerability, identified as CVE-2023-4966, pertains to sensitive information disclosure in NetScaler ADC and NetScaler Gateway when set up as various server configurations. The analytic specifically searches for HTTP requests with a 200 status code targeting the /oauth/idp/.well-known/openid-configuration URL endpoint. By parsing web traffic and filtering based on the aforementioned criteria along with specific user agent details, HTTP method, source and destination IPs, and the sourcetype, the analytic aims to identify potentially malicious requests that fit the profile of this exploit.\nThis behavior is essential for a Security Operations Center (SOC) to identify because if successfully exploited, attackers can gain unauthorized access, leading to a potential breach or further malicious activities within the organization's network. As the Citrix Bleed vulnerability can disclose session tokens, a successful exploit can allow attackers to impersonate legitimate users, bypassing authentication mechanisms and accessing sensitive data or systems.\nIf a true positive is confirmed, it implies that an attacker is actively exploiting the vulnerability within the organization's environment. This could lead to severe consequences, including unauthorized data access, further propagation within the network, and potential disruptions or exfiltration of critical information.\nUpon flagging such activity, it's crucial for analysts to swiftly validate the alert, assess the nature and extent of the exposure, and implement necessary measures to mitigate the threat. Reviewing the details such as user agent, source, and destination IP can help in understanding the context and intent of the attack. While it's imperative to patch vulnerable systems to prevent this exploitation, early detection through this analytic provides a valuable layer of defense, enabling timely response to thwart potential breaches.", "references": ["https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966", "https://github.com/assetnote/exploits/tree/main/citrix/CVE-2023-4966"], "tags": {"analytic_story": ["Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "IP Address", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible exploitation of Citrix Bleed vulnerability against $dest$ fron $src$.", "risk_score": 90, "security_domain": "network", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}]}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*/oauth/idp/.well-known/openid-configuration*\") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `citrix_adc_and_gateway_unauthorized_data_disclosure_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. We recommend hunting in the environment first to understand the scope of the issue and then deploying this detection to monitor for future exploitation attempts. Limit or restrict to Citrix devices only if possible.", "known_false_positives": "False positives may be present based on organization use of Citrix ADC and Gateway. Filter, or restrict the analytic to Citrix devices only.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "citrix_adc_and_gateway_unauthorized_data_disclosure_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Citrix ADC Exploitation CVE-2023-3519", "author": "Michael Haag, Splunk", "date": "2023-07-21", "version": 2, "id": "76ac2dcb-333c-4a77-8ae9-2720cfae47a8", "description": "This analytic is designed to assist in hunting for potential exploitation attempts against Citrix ADC in relation to CVE-2023-3519. This vulnerability, identified within Citrix ADC and NetScaler Gateway, appears to be linked with SAML processing components, with an overflow issue allowing for possible memory corruption. Preliminary findings indicate that for the exploit to be viable, SAML has to be enabled. The analytic targets POST requests to certain web endpoints which have been associated with the exploitation process.\nGiven the specific nature of the vulnerability, upon deploying this analytic it is recommended to filter and narrow the focus towards your ADC assets to reduce potential noise and improve the signal of the analytic. Please note that the exploitation of this vulnerability has been reported in the wild, therefore monitoring for potential signs of exploitation should be considered high priority.\nThe search query provided examines web data for POST requests made to specific URLs associated with the exploitation of this vulnerability. It aggregates and presents data to highlight potential exploitation attempts, taking into account elements like user agent, HTTP method, URL length, source, and destination.\nPlease be aware that this analytic is based on current understanding of the vulnerability, and adjustments may be required as more information becomes available.", "references": ["https://blog.assetnote.io/2023/07/21/citrix-CVE-2023-3519-analysis/", "https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467", "https://securityintelligence.com/x-force/x-force-uncovers-global-netscaler-gateway-credential-harvesting-campaign/", "https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967"], "tags": {"analytic_story": ["Citrix Netscaler ADC CVE-2023-3519"], "asset_type": "Network", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Possible expliotation of CVE-2023-3519 against $dest$.", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}]}, "type": "Hunting", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*/saml/login\",\"/cgi/samlauth\",\"*/saml/activelogin\",\"/cgi/samlart?samlart=*\",\"*/cgi/logout\",\"/gwtest/formssso?event=start&target=*\",\"/netscaler/ns_gui/vpn/*\") Web.http_method=POST by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `citrix_adc_exploitation_cve_2023_3519_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto.", "known_false_positives": "False positives may be present based on organization use of SAML utilities. Filter, or restrict the analytic to Citrix devices only.", "datamodel": ["Web"], "source": "web", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "citrix_adc_exploitation_cve_2023_3519_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Citrix ShareFile Exploitation CVE-2023-24489", "author": "Michael Haag, Splunk", "date": "2023-07-26", "version": 1, "id": "172c59f2-5fae-45e5-8e51-94445143e93f", "description": "The following analytic detects a potentially malicious file upload attempt to Documentum, an enterprise content management platform, via specific suspicious URLs and the HTTP POST method. This detection occurs through pattern recognition within the datamodel=Web, focusing on URL patterns that follow \"/documentum/upload.aspx?parentid=\", \"/documentum/upload.aspx?filename=\", \"/documentum/upload.aspx?uploadId=*\", combined with the HTTP POST method, indicative of a file upload attempt.\nThis behavior is significant for a Security Operations Center (SOC) to identify, as it can signify a potential attack vector. Malicious actors might use this method to upload a harmful script or other exploitable content to Documentum, thereby establishing a foothold in the environment, spreading malware, or enabling further exploitation.\nThe impact of this behavior, if a true positive, can be quite significant. An attacker could compromise the Documentum application, manipulate or steal sensitive content, and potentially gain unauthorized access to other system resources. An intrusion of this nature could disrupt business operations, result in data breaches, and even damage the organization's reputation.\nHowever, it's important to note that false positives may occur. For example, legitimate but uncommon file uploads might match these URL patterns. It's crucial to verify any alerts generated by this analytic to ensure accurate threat detection. This analytic provides critical insights into potential attack attempts and assists in maintaining the integrity and security of enterprise content management systems like Documentum.", "references": ["https://blog.assetnote.io/2023/07/04/citrix-sharefile-rce/"], "tags": {"analytic_story": ["Citrix ShareFile RCE CVE-2023-24489"], "asset_type": "Network", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Possible expliotation of CVE-2023-24489 against $dest$.", "risk_score": 45, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}]}, "type": "Hunting", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url=\"/documentum/upload.aspx?*\" AND Web.url IN (\"*parentid=*\",\"*filename=*\",\"*uploadId=*\") AND Web.url IN (\"*unzip=*\", \"*raw=*\") Web.http_method=POST by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `citrix_sharefile_exploitation_cve_2023_24489_filter`", "how_to_implement": "Dependent upon the placement of the ShareFile application, ensure the latest Technology Add-On is eneabled. This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. The ShareFile application is IIS based, therefore ingesting IIS logs and reviewing for the same pattern would identify this activity, successful or not.", "known_false_positives": "False positives may be present, filtering may be needed. Also, restricting to known web servers running IIS or ShareFile will change this from Hunting to TTP.", "datamodel": ["Web"], "source": "web", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "citrix_sharefile_exploitation_cve_2023_24489_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Confluence CVE-2023-22515 Trigger Vulnerability", "author": "Michael Haag, Splunk", "date": "2023-10-23", "version": 2, "id": "630ea8b2-2800-4f5d-9cbc-d65c567349b0", "description": "The following analytic identifies potential exploitation attempts on a known vulnerability in Atlassian Confluence, targeting the /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false* and /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=0& URLs. By analyzing web logs within the Splunk 'Web' Data Model, it filters for successful accesses (HTTP status 200) to these vulnerable endpoints. Such behavior is crucial for a SOC to monitor, as it suggests attackers might be exploiting a privilege escalation flaw in Confluence. A true positive implies a possible unauthorized access or account creation with escalated privileges. Key details captured include user-agent, HTTP methods, URL length, and source and destination IPs. These insights aid SOCs in swiftly detecting and responding to threats, ensuring vulnerabilities are mitigated before substantial compromise.", "references": ["https://github.com/Chocapikk/CVE-2023-22515/blob/main/exploit.py", "https://x.com/Shadowserver/status/1712378833536741430?s=20", "https://github.com/j3seer/CVE-2023-22515-POC"], "tags": {"analytic_story": ["CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Potential exploitation attempts on a known vulnerability in Atlassian Confluence detected. The source IP is $src$ and the destination hostname is $dest$.", "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}]}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*/server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false*\",\"*/server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=0&*\") Web.http_method=GET Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `confluence_cve_2023_22515_trigger_vulnerability_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel. Tested with Suricata and nginx:plus:kv.", "known_false_positives": "False positives may be present with legitimate applications. Attempt to filter by dest IP or use Asset groups to restrict to Confluence servers.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "confluence_cve_2023_22515_trigger_vulnerability_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Confluence Data Center and Server Privilege Escalation", "author": "Michael Haag, Splunk", "date": "2023-10-18", "version": 3, "id": "115bebac-0976-4f7d-a3ec-d1fb45a39a11", "description": "The following analytic identifies potential exploitation attempts on a known vulnerability in Atlassian Confluence, targeting the /setup/*.action* URL pattern. By analyzing web logs within the Splunk 'Web' Data Model, it filters for successful accesses (HTTP status 200) to these vulnerable endpoints. Such behavior is crucial for a SOC to monitor, as it suggests attackers might be exploiting a privilege escalation flaw in Confluence. A true positive implies a possible unauthorized access or account creation with escalated privileges. Key details captured include user-agent, HTTP methods, URL length, and source and destination IPs. These insights aid SOCs in swiftly detecting and responding to threats, ensuring vulnerabilities are mitigated before substantial compromise.", "references": ["https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html", "https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html", "https://www.rapid7.com/blog/post/2023/10/04/etr-cve-2023-22515-zero-day-privilege-escalation-in-confluence-server-and-data-center/", "https://attackerkb.com/topics/Q5f0ItSzw5/cve-2023-22515/rapid7-analysis"], "tags": {"analytic_story": ["CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server", "Confluence Data Center and Confluence Server Vulnerabilities"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Potential exploitation attempts on a known vulnerability in Atlassian Confluence detected. The source IP is $src$ and the destination hostname is $dest$.", "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}]}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*/setup/setupadministrator.action*\", \"*/setup/finishsetup.action*\", \"*/json/setup-restore-local.action*\", \"*/json/setup-restore-progress.action*\", \"*/json/setup-restore.action*\", \"*/bootstrap/selectsetupstep.action*\") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `confluence_data_center_and_server_privilege_escalation_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel.", "known_false_positives": "False positives may be present with legitimate applications. Attempt to filter by dest IP or use Asset groups to restrict to confluence servers.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "confluence_data_center_and_server_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527", "author": "Michael Haag, Splunk", "date": "2024-01-22", "version": 1, "id": "f56936c0-ae6f-4eeb-91ff-ecc1448c6105", "description": "This analytic identifies a critical template injection vulnerability (CVE-2023-22527) in outdated versions of Confluence Data Center and Server, which allows an unauthenticated attacker to execute arbitrary code remotely. The vulnerability is exploited by injecting OGNL (Object-Graph Navigation Language) expressions into the application, as evidenced by POST requests to the \"/template/aui/text-inline.vm\" endpoint with specific content types and payloads. The search looks for POST requests with HTTP status codes 200 or 202, which may indicate successful exploitation attempts. Immediate patching to the latest version of Confluence is strongly recommended, as there are no known workarounds. This detection is crucial for identifying and responding to potential RCE attacks, ensuring that affected Confluence instances are secured against this critical threat.", "references": ["https://github.com/cleverg0d/CVE-2023-22527", "https://confluence.atlassian.com/security/cve-2023-22527-rce-remote-code-execution-vulnerability-in-confluence-data-center-and-confluence-server-1333990257.html"], "tags": {"analytic_story": ["Confluence Data Center and Confluence Server Vulnerabilities"], "asset_type": "Web Application", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Exploitation attempts on a known vulnerability in Atlassian Confluence detected. The source IP is $src$ and the destination hostname is $dest$.", "risk_score": 81, "security_domain": "network", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}]}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url=\"*/template/aui/text-inline.vm*\" Web.http_method=POST Web.status IN (200, 202) by Web.src, Web.dest, Web.http_user_agent, Web.url, Web.status | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `confluence_pre_auth_rce_via_ognl_injection_cve_2023_22527_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel.", "known_false_positives": "False positives may be present with legitimate applications. Attempt to filter by dest IP or use Asset groups to restrict to confluence servers.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "confluence_pre_auth_rce_via_ognl_injection_cve_2023_22527_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Confluence Unauthenticated Remote Code Execution CVE-2022-26134", "author": "Michael Haag, Splunk", "date": "2022-06-03", "version": 1, "id": "fcf4bd3f-a79f-4b7a-83bf-2692d60b859c", "description": "The following analytic assists with identifying CVE-2022-26134 based exploitation utilizing the Web datamodel to cover network and CIM compliant web logs. The parameters were captured from live scanning and the POC provided by Rapid7. This analytic is written against multiple proof of concept codes released and seen in the wild (scanning). During triage, review any endpoint based logs for further activity including writing a jsp file to disk and commands/processes spawning running as root from the Confluence process.", "references": ["https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html", "https://www.splunk.com/en_us/blog/security/atlassian-confluence-vulnerability-cve-2022-26134.html", "https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/", "https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/"], "tags": {"analytic_story": ["Atlassian Confluence Server and Data Center CVE-2022-26134", "Confluence Data Center and Confluence Server Vulnerabilities"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "IP Address", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "A URL was requested related to CVE-2022-26134, a unauthenticated remote code execution vulnerability, on $dest$ by $src$.", "risk_score": 100, "security_domain": "network", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*${*\", \"*%2F%7B*\") (Web.url=\"*org.apache.commons.io.IOUtils*\" Web.url=\"*java.lang.Runtime@getRuntime().exec*\") OR (Web.url=\"*java.lang.Runtime%40getRuntime%28%29.exec*\") OR (Web.url=\"*getEngineByName*\" AND Web.url=\"*nashorn*\" AND Web.url=\"*ProcessBuilder*\") by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `confluence_unauthenticated_remote_code_execution_cve_2022_26134_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache or Splunk for Nginx. In addition, network based logs or event data like PAN Threat.", "known_false_positives": "Tune based on assets if possible, or restrict to known Confluence servers. Remove the ${ for a more broad query. To identify more exec, remove everything up to the last parameter (Runtime().exec) for a broad query.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "confluence_unauthenticated_remote_code_execution_cve_2022_26134_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "ConnectWise ScreenConnect Authentication Bypass", "author": "Michael Haag, Splunk", "date": "2024-02-23", "version": 2, "id": "d3f7a803-e802-448b-8eb2-e796b223bfff", "description": "This analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1709 vulnerability, which allows an attacker to bypass authentication using an alternate path or channel. The vulnerability, identified as critical with a CVSS score of 10, enables unauthorized users to access the SetupWizard.aspx page on already-configured ScreenConnect instances, potentially leading to the creation of administrative users and remote code execution. The search query provided looks for web requests to the SetupWizard.aspx page that could indicate exploitation attempts. This detection is crucial for identifying and responding to active exploitation of this vulnerability in environments running affected versions of ScreenConnect (23.9.7 and prior). It is recommended to update to version 23.9.8 or above immediately to remediate the issue, as detailed in the ConnectWise security advisory and further analyzed by Huntress researchers.", "references": ["https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass", "https://www.huntress.com/blog/detection-guidance-for-connectwise-cwe-288-2", "https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8"], "tags": {"analytic_story": ["ConnectWise ScreenConnect Vulnerabilities"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An authentication bypass attempt against ScreenConnect has been detected on $dest$.", "risk_score": 100, "security_domain": "network", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}]}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*/SetupWizard.aspx/*\",\"*/SetupWizard/\") Web.status=200 Web.http_method=POST by Web.src, Web.dest, Web.http_user_agent, Web.url, Web.status, Web.http_method, sourcetype, source | rex field=Web.url \"/SetupWizard.aspx/(?.+)\" | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `connectwise_screenconnect_authentication_bypass_filter`", "how_to_implement": "To implement this analytic, ensure proper logging is occurring with IIS, Apache, or a Proxy server and that these logs are being ingested into Splunk. The analytic was written against Suricata. The proper TA will need to be enabled and should be mapped to CIM and the Web datamodel. Ingestion of the data source is required to utilize this detection. In addition, if it is not mapped to the datamodel, modify the query for your application logs to look for requests the same URI and investigate further.", "known_false_positives": "False positives are not expected, as the detection is based on the presence of web requests to the SetupWizard.aspx page, which is not a common page to be accessed by legitimate users. Note that the analytic is limited to HTTP POST and a status of 200 to reduce false positives. Modify the query as needed to reduce false positives or hunt for additional indicators of compromise.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "connectwise_screenconnect_authentication_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect attackers scanning for vulnerable JBoss servers", "author": "Bhavin Patel, Splunk", "date": "2024-05-19", "version": 2, "id": "104658f4-afdc-499e-9719-17243f982681", "description": "The following analytic identifies specific GET or HEAD requests to web servers that indicate reconnaissance attempts to find vulnerable JBoss servers. It leverages data from the Web data model, focusing on HTTP methods and URLs associated with JBoss management interfaces. This activity is significant because it often precedes exploitation attempts using tools like JexBoss, which can compromise the server. If confirmed malicious, attackers could gain unauthorized access, execute arbitrary code, or escalate privileges, leading to potential data breaches and system compromise.", "references": [], "tags": {"analytic_story": ["JBoss Vulnerability", "SamSam Ransomware"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1082", "mitre_attack_technique": "System Information Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT19", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "Blue Mockingbird", "Chimera", "Confucius", "Darkhotel", "FIN13", "FIN8", "Gamaredon Group", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Malteiro", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Sowbug", "Stealth Falcon", "TA2541", "TeamTNT", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Windigo", "Windshift", "Wizard Spider", "ZIRCONIUM", "admin@338"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where (Web.http_method=\"GET\" OR Web.http_method=\"HEAD\") AND (Web.url=\"*/web-console/ServerInfo.jsp*\" OR Web.url=\"*web-console*\" OR Web.url=\"*jmx-console*\" OR Web.url = \"*invoker*\") by Web.http_method, Web.url, Web.src, Web.dest | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_attackers_scanning_for_vulnerable_jboss_servers_filter`", "how_to_implement": "You must be ingesting data from the web server or network traffic that contains web specific information, and populating the Web data model.", "known_false_positives": "It's possible for legitimate HTTP requests to be made to URLs containing the suspicious paths.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_attackers_scanning_for_vulnerable_jboss_servers_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect F5 TMUI RCE CVE-2020-5902", "author": "Shannon Davis, Splunk", "date": "2024-05-22", "version": 2, "id": "810e4dbc-d46e-11ea-87d0-0242ac130003", "description": "The following analytic identifies remote code execution (RCE) attempts targeting F5 BIG-IP, BIG-IQ, and Traffix SDC devices, specifically exploiting CVE-2020-5902. It uses regex to detect patterns in syslog data that match known exploit strings such as \"hsqldb;\" and directory traversal sequences. This activity is significant because successful exploitation can allow attackers to execute arbitrary commands on the affected devices, leading to full system compromise. If confirmed malicious, this could result in unauthorized access, data exfiltration, or further lateral movement within the network.", "references": ["https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/", "https://support.f5.com/csp/article/K52145254"], "tags": {"analytic_story": ["F5 TMUI RCE CVE-2020-5902"], "asset_type": "Network", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}]}, "type": "TTP", "search": "`f5_bigip_rogue` | regex _raw=\"(hsqldb;|.*\\\\.\\\\.;.*)\" | search `detect_f5_tmui_rce_cve_2020_5902_filter`", "how_to_implement": "To consistently detect exploit attempts on F5 devices using the vulnerabilities contained within CVE-2020-5902 it is recommended to ingest logs via syslog. As many BIG-IP devices will have SSL enabled on their management interfaces, detections via wire data may not pick anything up unless you are decrypting SSL traffic in order to inspect it. I am using a regex string from a Cloudflare mitigation technique to try and always catch the offending string (..;), along with the other exploit of using (hsqldb;).", "known_false_positives": "unknown", "datamodel": [], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "f5_bigip_rogue", "definition": "index=netops sourcetype=\"f5:bigip:rogue\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_f5_tmui_rce_cve_2020_5902_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect malicious requests to exploit JBoss servers", "author": "Bhavin Patel, Splunk", "date": "2024-05-19", "version": 2, "id": "c8bff7a4-11ea-4416-a27d-c5bca472913d", "description": "The following analytic identifies malicious HTTP requests targeting the jmx-console in JBoss servers. It detects unusually long URLs, indicative of embedded payloads, by analyzing web server logs for GET or HEAD requests with specific URL patterns and lengths. This activity is significant as it may indicate an attempt to exploit JBoss vulnerabilities, potentially leading to unauthorized remote code execution. If confirmed malicious, attackers could gain control over the server, escalate privileges, and compromise sensitive data, posing a severe threat to the organization's security.", "references": [], "tags": {"analytic_story": ["JBoss Vulnerability", "SamSam Ransomware"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where (Web.http_method=\"GET\" OR Web.http_method=\"HEAD\") by Web.http_method, Web.url,Web.url_length Web.src, Web.dest | search Web.url=\"*jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin*import*\" AND Web.url_length > 200 | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table src, dest_ip, http_method, url, firstTime, lastTime | `detect_malicious_requests_to_exploit_jboss_servers_filter`", "how_to_implement": "You must ingest data from the web server or capture network data that contains web specific information with solutions such as Bro or Splunk Stream, and populating the Web data model", "known_false_positives": "No known false positives for this detection.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_malicious_requests_to_exploit_jboss_servers_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Remote Access Software Usage URL", "author": "Steven Dick", "date": "2024-02-22", "version": 1, "id": "9296f515-073c-43a5-88ec-eda5a4626654", "description": "The following analytic detects when a known remote access software is executed with the environment. Adversaries use these utilities to retain remote access capabilities to the environment. Utilities in the lookup include AnyDesk, GoToMyPC, LogMeIn, TeamViewer and much more. Review the lookup for the entire list and add any others.", "references": ["https://attack.mitre.org/techniques/T1219/", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/"], "tags": {"analytic_story": ["Command And Control", "Insider Threat", "Ransomware"], "asset_type": "Network", "cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control"], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "url_domain", "type": "Hostname", "role": ["Attacker"]}], "message": "A domain for a known remote access software $url_domain$ was contacted by $src$.", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1219", "mitre_attack_technique": "Remote Access Software", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Akira", "Carbanak", "Cobalt Group", "DarkVishnya", "Evilnum", "FIN7", "GOLD SOUTHFIELD", "Kimsuky", "MuddyWater", "Mustang Panda", "RTM", "Sandworm Team", "Scattered Spider", "TeamTNT", "Thrip"]}]}, "type": "Anomaly", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime latest(Web.http_method) as http_method latest(Web.http_user_agent) as http_user_agent latest(Web.url) as url latest(Web.user) as user latest(Web.dest) as dest from datamodel=Web by Web.action Web.src Web.category Web.url_domain | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\"Web\")` | lookup remote_access_software remote_domain AS url_domain OUTPUT isutility, description as signature, comment_reference as desc, category | search isutility = True | `detect_remote_access_software_usage_url_filter`", "how_to_implement": "The detection is based on data that originates from network logs. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the network logs. The logs must also be mapped to the `Web` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "It is possible that legitimate remote access software is used within the environment. Ensure that the lookup is reviewed and updated with any additional remote access software that is used within the environment.", "datamodel": ["Web"], "source": "web", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "detect_remote_access_software_usage_url_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "remote_access_software", "description": "A list of Remote Access Software", "filename": "remote_access_software.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(remote_utility),WILDCARD(remote_domain),WILDCARD(remote_utility_fileinfo)", "min_matches": 1, "fields_list": null}]}, {"name": "Exploit Public Facing Application via Apache Commons Text", "author": "Michael Haag, Splunk", "date": "2024-05-21", "version": 3, "id": "19a481e0-c97c-4d14-b1db-75a708eb592e", "description": "The following analytic identifies activity related to Text4Shell, or the critical vulnerability CVE-2022-42889 in Apache Commons Text Library. Apache Commons Text versions 1.5 through 1.9 are affected, but it has been patched in version 1.10. The analytic may need to be tuned for your environment before enabling as a TTP, or direct Notable. Apache Commons Text is a Java library described as a library focused on algorithms working on strings. We can see it as a general-purpose text manipulation toolkit. This vulnerability affects the StringSubstitutor interpolator class, which is included in the Commons Text library. A default interpolator allows for string lookups that can lead to Remote Code Execution. This is due to a logic flaw that makes the script, dns, and url lookup keys interpolated by default, as opposed to what it should be, according to the documentation of the StringLookupFactory class. Those keys allow an attacker to execute arbitrary code via lookups.", "references": ["https://sysdig.com/blog/cve-2022-42889-text4shell/", "https://nvd.nist.gov/vuln/detail/CVE-2022-42889", "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om", "https://www.rapid7.com/blog/post/2022/10/17/cve-2022-42889-keep-calm-and-stop-saying-4shell/", "https://github.com/kljunowsky/CVE-2022-42889-text4shell", "https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035"], "tags": {"analytic_story": ["Text4Shell CVE-2022-42889"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "IP Address", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "A URL was requested related to Text4Shell on $dest$ by $src$.", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "APT5", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.http_method IN (POST, GET) by Web.src Web.status Web.uri_path Web.dest Web.http_method Web.uri_query Web.http_user_agent | `drop_dm_object_name(\"Web\")` | eval utf=if(like(lower(uri_query),\"%:utf-8:http%\"),2,0) | eval lookup = if(like(lower(uri_query), \"%url%\") OR like(lower(uri_query), \"%dns%\") OR like(lower(uri_query), \"%script%\"),2,0) | eval other_lookups = if(like(lower(uri_query), \"%env%\") OR like(lower(uri_query), \"%file%\") OR like(lower(uri_query), \"%getRuntime%\") OR like(lower(uri_query), \"%java%\") OR like(lower(uri_query), \"%localhost%\") OR like(lower(uri_query), \"%properties%\") OR like(lower(uri_query), \"%resource%\") OR like(lower(uri_query), \"%sys%\") OR like(lower(uri_query), \"%xml%\") OR like(lower(uri_query), \"%base%\"),1,0) | addtotals fieldname=Score utf lookup other_lookups | fields Score, src, dest, status, uri_query, uri_path, http_method, http_user_agent firstTime lastTime | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where Score >= 3 | `exploit_public_facing_application_via_apache_commons_text_filter`", "how_to_implement": "To implement, one must be collecting network traffic that is normalized in CIM and able to be queried via the Web datamodel. Or, take the chunks out needed and tie to a specific network source type to hunt in. Tune as needed, or remove the other_lookups statement.", "known_false_positives": "False positives are present when the values are set to 1 for utf and lookup. It's possible to raise this to TTP (direct notable) if removal of other_lookups occur and Score is raised to 2 (down from 4).", "datamodel": ["Web"], "source": "web", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "exploit_public_facing_application_via_apache_commons_text_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952", "author": "Michael Haag, Splunk", "date": "2024-05-09", "version": 2, "id": "2038f5c6-5aba-4221-8ae2-ca76e2ca8b97", "description": "The following analytic detects attempts to exploit the Fortinet FortiNAC CVE-2022-39952 vulnerability. It identifies HTTP POST requests to the URI configWizard/keyUpload.jsp with a payload.zip file. The detection leverages the Web datamodel, analyzing fields such as URL, HTTP method, and user agent. This activity is significant as it indicates an attempt to exploit a known vulnerability, potentially leading to remote code execution. If confirmed malicious, attackers could gain control over the affected system, schedule malicious tasks, and establish persistent access via a remote command and control (C2) server.", "references": ["https://github.com/horizon3ai/CVE-2022-39952", "https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs/", "https://viz.greynoise.io/tag/fortinac-rce-attempt?days=30"], "tags": {"analytic_story": ["Fortinet FortiNAC CVE-2022-39952"], "asset_type": "Network", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Potential CVE-2022-39952 against a Fortinet NAC may be occurring against $dest$.", "risk_score": 64, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*configWizard/keyUpload.jsp*\") by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `exploit_public_facing_fortinet_fortinac_cve_2022_39952_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto.", "known_false_positives": "False positives may be present. Modify the query as needed to POST, or add additional filtering (based on log source).", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "exploit_public_facing_fortinet_fortinac_cve_2022_39952_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "F5 TMUI Authentication Bypass", "author": "Michael Haag, Splunk", "date": "2023-10-30", "version": 1, "id": "88bf127c-613e-4579-99e4-c4d4b02f3840", "description": "The following analytic is designed to detect attempts to exploit the CVE-2023-46747 vulnerability, a critical authentication bypass flaw in F5 BIG-IP that can lead to unauthenticated remote code execution (RCE). This vulnerability specifically affects the BIG-IP Configuration utility (TMUI) and has been assigned a high severity CVSSv3 score of 9.8. The analytic identifies this behavior by monitoring for a specific URI path - \"*/mgmt/tm/auth/user/*\", with the PATCH method and 200 status. Additional URI's will occur around the same time include \"*/mgmt/shared/authn/login*\" and \"*/tmui/login.jsp*\", which are associated with the exploitation of this vulnerability. This behavior is significant for a Security Operations Center (SOC) as it indicates an attempt to bypass authentication mechanisms, potentially leading to unauthorized access and control over the system. If a true positive is identified, it suggests that an attacker is attempting to exploit a known vulnerability to gain unauthorized access and execute arbitrary code, which could lead to data theft, system disruption, or further malicious activities within the network.", "references": ["https://www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/", "https://github.com/projectdiscovery/nuclei-templates/blob/3b0bb71bd627c6c3139e1d06c866f8402aa228ae/http/cves/2023/CVE-2023-46747.yaml"], "tags": {"analytic_story": ["F5 Authentication Bypass with TMUI"], "asset_type": "Network", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Potential CVE-2023-46747 F5 TMUI Authentication Bypass may be occurring against $dest$ from $src$.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*/mgmt/tm/auth/user/*\") Web.http_method=PATCH Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `f5_tmui_authentication_bypass_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on Web traffic that include fields relevant for traffic into the `Web` datamodel.", "known_false_positives": "False positives should be limited to as this is strict to active exploitation. Reduce noise by filtering to F5 devices with TMUI enabled or filter data as needed.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "f5_tmui_authentication_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Fortinet Appliance Auth bypass", "author": "Michael Haag, Splunk", "date": "2022-10-14", "version": 1, "id": "a83122f2-fa09-4868-a230-544dbc54bc1c", "description": "CVE-2022-40684 is a Fortinet appliance auth bypass that is actively being exploited and a POC is released publicy. The POC adds a SSH key to the appliance. Note that the exploit can be used with any HTTP method (GET, POST, PUT, DELETE, etc). The REST API request failing is not an indication that an attacker was unsuccessful. Horizon3 was able to modify the admin SSH keys though a REST API request that reportedly failed. The collection /api/v2/ endpoints can be used to configure the system and modify the administrator user. Any logs found that meet the above conditions and also have a URL containing /api/v2/ should be cause for concern. Further investigation of any matching log entries can reveal any damage an attack has done. Additionally, an attacker may perform the following actions to further compromise a system Modify the admin SSH key to enable the attacker to login to the compromised system.\nAdd new local users.\nUpdate networking configurations to reroute traffic.\nDownload the system configuration.\nInitiate packet captures to capture other sensitive system information. Reference Horizon3.ai", "references": ["https://www.wordfence.com/blog/2022/10/threat-advisory-cve-2022-40684-fortinet-appliance-auth-bypass/", "https://www.horizon3.ai/fortios-fortiproxy-and-fortiswitchmanager-authentication-bypass-technical-deep-dive-cve-2022-40684/", "https://github.com/horizon3ai/CVE-2022-40684", "https://www.horizon3.ai/fortinet-iocs-cve-2022-40684/", "https://attackerkb.com/topics/QWOxGIKkGx/cve-2022-40684/rapid7-analysis", "https://github.com/rapid7/metasploit-framework/pull/17143"], "tags": {"analytic_story": ["CVE-2022-40684 Fortinet Appliance Auth bypass"], "asset_type": "Network", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Potential CVE-2022-40684 against a Fortinet appliance may be occurring against $dest$.", "risk_score": 81, "security_domain": "network", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*/api/v2/cmdb/system/admin*\") Web.http_method IN (\"GET\", \"PUT\") by Web.http_user_agent, Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `fortinet_appliance_auth_bypass_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache. Splunk for Nginx, or Splunk for Palo Alto.", "known_false_positives": "GET requests will be noisy and need to be filtered out or removed from the query based on volume. Restrict analytic to known publically facing Fortigates, or run analytic as a Hunt until properly tuned. It is also possible the user agent may be filtered on Report Runner or Node.js only for the exploit, however, it is unknown at this if other user agents may be used.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "fortinet_appliance_auth_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Hunting for Log4Shell", "author": "Michael Haag, Splunk", "date": "2021-12-14", "version": 1, "id": "158b68fa-5d1a-11ec-aac8-acde48001122", "description": "The following hunting query assists with quickly assessing CVE-2021-44228, or Log4Shell, activity mapped to the Web Datamodel. This is a combination query attempting to identify, score and dashboard. Because the Log4Shell vulnerability requires the string to be in the logs, this will work to identify the activity anywhere in the HTTP headers using _raw. Modify the first line to use the same pattern matching against other log sources. Scoring is based on a simple rubric of 0-5. 5 being the best match, and less than 5 meant to identify additional patterns that will equate to a higher total score.\nThe first jndi match identifies the standard pattern of `{jndi:`\njndi_fastmatch is meant to identify any jndi in the logs. The score is set low and is meant to be the \"base\" score used later.\njndi_proto is a protocol match that identifies `jndi` and one of `ldap, ldaps, rmi, dns, nis, iiop, corba, nds, http, https.`\nall_match is a very well written regex by https://gist.github.com/Schvenn that identifies nearly all patterns of this attack behavior.\nenv works to identify environment variables in the header, meant to capture `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `env`.\nuri_detect is string match looking for the common uri paths currently being scanned/abused in the wild.\nkeywords matches on enumerated values that, like `$ctx:loginId`, that may be found in the header used by the adversary.\nlookup matching is meant to catch some basic obfuscation that has been identified using upper, lower and date.\nScoring will then occur based on any findings. The base score is meant to be 2 , created by jndi_fastmatch. Everything else is meant to increase that score.\nFinally, a simple table is created to show the scoring and the _raw field. Sort based on score or columns of interest.", "references": ["https://gist.github.com/olafhartong/916ebc673ba066537740164f7e7e1d72", "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b#gistcomment-3994449", "https://regex101.com/r/OSrm0q/1/", "https://github.com/Neo23x0/signature-base/blob/master/yara/expl_log4j_cve_2021_44228.yar", "https://news.sophos.com/en-us/2021/12/12/log4shell-hell-anatomy-of-an-exploit-outbreak/", "https://gist.github.com/MHaggis/1899b8554f38c8692a9fb0ceba60b44c", "https://twitter.com/sasi2103/status/1469764719850442760?s=20"], "tags": {"analytic_story": ["CISA AA22-320A", "Log4Shell CVE-2021-44228"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "http_method", "type": "Other", "role": ["Other"]}, {"name": "src", "type": "Other", "role": ["Other"]}], "message": "Hunting for Log4Shell exploitation has occurred.", "risk_score": 40, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "type": "Hunting", "search": "| from datamodel Web.Web | eval jndi=if(match(_raw, \"(\\{|%7B)[jJnNdDiI]{4}:\"),4,0) | eval jndi_fastmatch=if(match(_raw, \"[jJnNdDiI]{4}\"),2,0) | eval jndi_proto=if(match(_raw,\"(?i)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http|https):\"),5,0) | eval all_match = if(match(_raw, \"(?i)(%(25){0,}20|\\s)*(%(25){0,}24|\\$)(%(25){0,}20|\\s)*(%(25){0,}7B|{)(%(25){0,}20|\\s)*(%(25){0,}(6A|4A)|J)(%(25){0,}(6E|4E)|N)(%(25){0,}(64|44)|D)(%(25){0,}(69|49)|I)(%(25){0,}20|\\s)*(%(25){0,}3A|:)[\\w\\%]+(%(25){1,}3A|:)(%(25){1,}2F|\\/)[^\\n]+\"),5,0) | eval env_var = if(match(_raw, \"env:\") OR match(_raw, \"env:AWS_ACCESS_KEY_ID\") OR match(_raw, \"env:AWS_SECRET_ACCESS_KEY\"),5,0) | eval uridetect = if(match(_raw, \"(?i)Basic\\/Command\\/Base64|Basic\\/ReverseShell|Basic\\/TomcatMemshell|Basic\\/JBossMemshell|Basic\\/WebsphereMemshell|Basic\\/SpringMemshell|Basic\\/Command|Deserialization\\/CommonsCollectionsK|Deserialization\\/CommonsBeanutils|Deserialization\\/Jre8u20\\/TomcatMemshell|Deserialization\\/CVE_2020_2555\\/WeblogicMemshell|TomcatBypass|GroovyBypass|WebsphereBypass\"),4,0) | eval keywords = if(match(_raw,\"(?i)\\$\\{ctx\\:loginId\\}|\\$\\{map\\:type\\}|\\$\\{filename\\}|\\$\\{date\\:MM-dd-yyyy\\}|\\$\\{docker\\:containerId\\}|\\$\\{docker\\:containerName\\}|\\$\\{docker\\:imageName\\}|\\$\\{env\\:USER\\}|\\$\\{event\\:Marker\\}|\\$\\{mdc\\:UserId\\}|\\$\\{java\\:runtime\\}|\\$\\{java\\:vm\\}|\\$\\{java\\:os\\}|\\$\\{jndi\\:logging/context-name\\}|\\$\\{hostName\\}|\\$\\{docker\\:containerId\\}|\\$\\{k8s\\:accountName\\}|\\$\\{k8s\\:clusterName\\}|\\$\\{k8s\\:containerId\\}|\\$\\{k8s\\:containerName\\}|\\$\\{k8s\\:host\\}|\\$\\{k8s\\:labels.app\\}|\\$\\{k8s\\:labels.podTemplateHash\\}|\\$\\{k8s\\:masterUrl\\}|\\$\\{k8s\\:namespaceId\\}|\\$\\{k8s\\:namespaceName\\}|\\$\\{k8s\\:podId\\}|\\$\\{k8s\\:podIp\\}|\\$\\{k8s\\:podName\\}|\\$\\{k8s\\:imageId\\}|\\$\\{k8s\\:imageName\\}|\\$\\{log4j\\:configLocation\\}|\\$\\{log4j\\:configParentLocation\\}|\\$\\{spring\\:spring.application.name\\}|\\$\\{main\\:myString\\}|\\$\\{main\\:0\\}|\\$\\{main\\:1\\}|\\$\\{main\\:2\\}|\\$\\{main\\:3\\}|\\$\\{main\\:4\\}|\\$\\{main\\:bar\\}|\\$\\{name\\}|\\$\\{marker\\}|\\$\\{marker\\:name\\}|\\$\\{spring\\:profiles.active[0]|\\$\\{sys\\:logPath\\}|\\$\\{web\\:rootDir\\}|\\$\\{sys\\:user.name\\}\"),4,0) | eval obf = if(match(_raw, \"(\\$|%24)[^ /]*({|%7b)[^ /]*(j|%6a)[^ /]*(n|%6e)[^ /]*(d|%64)[^ /]*(i|%69)[^ /]*(:|%3a)[^ /]*(:|%3a)[^ /]*(/|%2f)\"),5,0) | eval lookups = if(match(_raw, \"(?i)({|%7b)(main|sys|k8s|spring|lower|upper|env|date|sd)\"),4,0) | addtotals fieldname=Score, jndi, jndi_proto, env_var, uridetect, all_match, jndi_fastmatch, keywords, obf, lookups | where Score > 2 | stats values(Score) by jndi, jndi_proto, env_var, uridetect, all_match, jndi_fastmatch, keywords, lookups, obf, dest, src, http_method, _raw | `hunting_for_log4shell_filter`", "how_to_implement": "Out of the box, the Web datamodel is required to be pre-filled. However, tested was performed against raw httpd access logs. Change the first line to any dataset to pass the regex's against.", "known_false_positives": "It is highly possible you will find false positives, however, the base score is set to 2 for _any_ jndi found in raw logs. tune and change as needed, include any filtering.", "datamodel": ["Web"], "source": "web", "nes_fields": null, "macros": [{"name": "hunting_for_log4shell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Ivanti Connect Secure Command Injection Attempts", "author": "Michael Haag, Splunk", "date": "2024-01-17", "version": 2, "id": "1f32a7e0-a060-4545-b7de-73fcf9ad536e", "description": "This analytic is designed to identify the exploit phase of the CVE-2023-46805 and CVE-2024-21887 vulnerabilities. During this phase, a POST request is made to the /api/v1/totp/user-backup-code/../../system/maintenance/archiving/cloud-server-test-connection URI. This request exploits the command injection vulnerability to execute arbitrary commands. A successful request, indicated by a 200 OK response, suggests that the system is vulnerable.", "references": ["https://github.com/RootUp/PersonalStuff/blob/master/http-vuln-cve2023-46805_2024_21887.nse", "https://github.com/projectdiscovery/nuclei-templates/blob/c6b351e71b0fb0e40e222e97038f1fe09ac58194/http/misconfiguration/ivanti/CVE-2023-46085-CVE-2024-21887-mitigation-not-applied.yaml", "https://github.com/rapid7/metasploit-framework/pull/18708/files", "https://attackerkb.com/topics/AdUh6by52K/cve-2023-46805/rapid7-analysis", "https://labs.watchtowr.com/welcome-to-2024-the-sslvpn-chaos-continues-ivanti-cve-2023-46805-cve-2024-21887/", "https://twitter.com/GreyNoiseIO/status/1747711939466453301"], "tags": {"analytic_story": ["Ivanti Connect Secure VPN Vulnerabilities"], "asset_type": "VPN Appliance", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Possible exploitation of CVE-2023-46805 and CVE-2024-21887 against $dest$.", "risk_score": 90, "security_domain": "network", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}]}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN(\"*/api/v1/totp/user-backup-code/../../system/maintenance/archiving/cloud-server-test-connection*\",\"*/api/v1/totp/user-backup-code/../../license/keys-status/*\") Web.http_method IN (\"POST\", \"GET\") Web.status=200 by Web.src, Web.dest, Web.http_user_agent, Web.url, Web.http_method, Web.status | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ivanti_connect_secure_command_injection_attempts_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto.", "known_false_positives": "This analytic is limited to HTTP Status 200; adjust as necessary. False positives may occur if the URI path is IP-restricted or externally blocked. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "ivanti_connect_secure_command_injection_attempts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Ivanti Connect Secure SSRF in SAML Component", "author": "Michael Haag, Splunk", "date": "2024-02-05", "version": 1, "id": "8e6ca490-7af3-4299-9a24-39fb69759925", "description": "The following analytic is designed to identify POST request activities targeting specific endpoints known to be vulnerable to the SSRF issue (CVE-2024-21893) in Ivanti's products. It aggregates data from the Web data model, focusing on endpoints /dana-ws/saml20.ws, /dana-ws/saml.ws, /dana-ws/samlecp.ws, and /dana-na/auth/saml-logout.cgi. The query filters for POST requests that received a HTTP 200 OK response, indicating successful request execution.", "references": ["https://attackerkb.com/topics/FGlK1TVnB2/cve-2024-21893/rapid7-analysis", "https://www.assetnote.io/resources/research/ivantis-pulse-connect-secure-auth-bypass-round-two"], "tags": {"analytic_story": ["Ivanti Connect Secure VPN Vulnerabilities"], "asset_type": "VPN Appliance", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible exploitation of CVE-2024-21893 against $dest$ from $src$.", "risk_score": 81, "security_domain": "network", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}]}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*/dana-ws/saml20.ws*\",\"*/dana-ws/saml.ws*\",\"*/dana-ws/samlecp.ws*\",\"*/dana-na/auth/saml-logout.cgi/*\") Web.http_method=POST Web.status=200 by Web.src, Web.dest, Web.http_user_agent, Web.url, Web.status, Web.http_method | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ivanti_connect_secure_ssrf_in_saml_component_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto.", "known_false_positives": "This analytic is limited to HTTP Status 200; adjust as necessary. False positives may occur if the HTTP Status is removed, as most failed attempts result in a 301. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "ivanti_connect_secure_ssrf_in_saml_component_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Ivanti Connect Secure System Information Access via Auth Bypass", "author": "Michael Haag, Splunk", "date": "2024-01-16", "version": 1, "id": "d51c13dd-a232-4c83-a2bb-72ab36233c5d", "description": "This analytic is designed to identify the \"check phase\" of the CVE-2023-46805 and CVE-2024-21887 vulnerabilities. During this phase, a GET request is made to the /api/v1/totp/user-backup-code/../../system/system-information URI. This request exploits the authentication bypass vulnerability to gain access to system information. A successful request, indicated by a 200 OK response, suggests that the system is vulnerable.", "references": ["https://github.com/RootUp/PersonalStuff/blob/master/http-vuln-cve2023-46805_2024_21887.nse", "https://github.com/projectdiscovery/nuclei-templates/blob/c6b351e71b0fb0e40e222e97038f1fe09ac58194/http/misconfiguration/ivanti/CVE-2023-46085-CVE-2024-21887-mitigation-not-applied.yaml", "https://github.com/rapid7/metasploit-framework/pull/18708/files"], "tags": {"analytic_story": ["Ivanti Connect Secure VPN Vulnerabilities"], "asset_type": "VPN Appliance", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Possible exploitation of CVE-2023-46805 and CVE-2024-21887 against $dest$.", "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}]}, "type": "Anomaly", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url=\"*/api/v1/totp/user-backup-code/../../system/system-information*\" Web.http_method=GET Web.status=200 by Web.src, Web.dest, Web.http_user_agent, Web.url | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ivanti_connect_secure_system_information_access_via_auth_bypass_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto.", "known_false_positives": "This analytic is limited to HTTP Status 200; adjust as necessary. False positives may occur if the URI path is IP-restricted or externally blocked. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment.", "datamodel": ["Web"], "source": "web", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "ivanti_connect_secure_system_information_access_via_auth_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078", "author": "Michael Haag, Splunk", "date": "2023-07-31", "version": 1, "id": "66b9c9ba-7fb2-4e80-a3a2-496e5e078167", "description": "The given analytic is designed to detect the exploitation of CVE-2023-35078, a vulnerability in Ivanti Endpoint Manager Mobile (EPMM) affecting versions up to 11.4. Specifically, the query searches web logs for HTTP requests to the potentially vulnerable endpoint \"/mifs/aad/api/v2/authorized/users?*\" with a successful status code of 200. This analytic is instrumental in detecting unauthorized remote access to restricted functionalities or resources within the application, a behavior worth identifying for a Security Operations Center (SOC). By monitoring specific patterns and successful access indicators, it reveals an active attempt to exploit the vulnerability, potentially leading to data theft, unauthorized modifications, or further system compromise. If successfully executed, the impact can be severe, necessitating immediate action.", "references": ["https://forums.ivanti.com/s/article/CVE-2023-35078-Remote-unauthenticated-API-access-vulnerability?language=en_US", "https://github.com/vchan-in/CVE-2023-35078-Exploit-POC/blob/main/cve_2023_35078_poc.py"], "tags": {"analytic_story": ["Ivanti EPMM Remote Unauthenticated Access"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Potential CVE-2023-35078 against an Ivanti EPMM appliance on $dest$.", "risk_score": 64, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"/mifs/aad/api/v2/authorized/users?*\") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35078_filter`", "how_to_implement": "To implement this analytic, a network product similar to Suricata or Palo Alto needs to be mapped to the Web datamodel. Modify accordingly to work with your products.", "known_false_positives": "The Proof of Concept exploit script indicates that status=200 is required for successful exploitation of the vulnerability. False positives may be present if status=200 is removed from the search. If it is removed,then the search also alert on status=301 and status=404 which indicates unsuccessful exploitation attempts. Analysts may find it useful to hunt for these status codes as well, but it is likely to produce a significant number of alerts as this is a widespread vulnerability.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35078_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082", "author": "Michael Haag, Splunk", "date": "2023-08-08", "version": 1, "id": "e03edeba-4942-470c-a664-27253f3ad351", "description": "The following analytic detects potential unauthorized access attempts exploiting CVE-2023-35082 within Ivantis software products. Initially assessed to affect only MobileIron Core versions up to 11.2, further insights revealed its influence extending to Ivanti Endpoint Manager Mobile (EPMM) versions 11.10, 11.9, 11.8, and MobileIron Core 11.7 and below. The vulnerability facilitates unauthorized API access via the specific URI path /mifs/asfV3/api/v2/. The analytic identifies this behavior by monitoring web access logs for this URI pattern coupled with a HTTP 200 response code, signifying successful unauthorized access. Such behavior is imperative for a Security Operations Center (SOC) to recognize, as it highlights potential security breaches which, if not addressed, could lead to unauthorized data access, system modifications, or further exploitation. In the event of a true positive, the implications are severe: an attacker might have gained unbridled access to sensitive organizational data or could modify systems maliciously. Be vigilant of potential false positives; benign activities might occasionally match the pattern. During triage, closely scrutinize the source of the access request and its subsequent actions. This analytic aids analysts in early threat detection, allowing for proactive risk mitigation.", "references": ["https://forums.ivanti.com/s/article/CVE-2023-35082-Remote-Unauthenticated-API-Access-Vulnerability-in-MobileIron-Core-11-2-and-older?language=en_US", "https://github.com/vchan-in/CVE-2023-35078-Exploit-POC/blob/main/cve_2023_35078_poc.py", "https://www.rapid7.com/blog/post/2023/08/02/cve-2023-35082-mobileiron-core-unauthenticated-api-access-vulnerability/"], "tags": {"analytic_story": ["Ivanti EPMM Remote Unauthenticated Access"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Potential CVE-2023-35082 against an Ivanti EPMM appliance on $dest$.", "risk_score": 64, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"/mifs/asfV3/api/v2/*\") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35082_filter`", "how_to_implement": "To implement this analytic, a network product similar to Suricata or Palo Alto needs to be mapped to the Web datamodel. Modify accordingly to work with your products.", "known_false_positives": "Similar to CVE-2023-35078, the path for exploitation indicates that status=200 is required for successful exploitation of the vulnerability. False positives may be present if status=200 is removed from the search. If it is removed,then the search also alert on status=301 and status=404 which indicates unsuccessful exploitation attempts. Analysts may find it useful to hunt for these status codes as well, but it is likely to produce a significant number of alerts as this is a widespread vulnerability.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35082_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Ivanti Sentry Authentication Bypass", "author": "Michael Haag, Splunk", "date": "2023-08-24", "version": 1, "id": "b8e0d1cf-e6a8-4d46-a5ae-aebe18ead8f8", "description": "This analytic is designed to detect unauthenticated access to the System Manager Portal in Ivanti Sentry, formerly known as MobileIron Sentry. The vulnerability, designated as CVE-2023-38035, affects all supported versions 9.18, 9.17, and 9.16, as well as older versions. The analytic works by monitoring for changes in the configuration of Sentry and the underlying operating system. Such changes could indicate an attacker attempting to execute OS commands as root. This behavior is of significant concern for a Security Operations Center (SOC) as it presents a substantial security risk, particularly if port 8443, the default port for the System Manager Portal, is exposed to the internet. If the analytic returns a true positive, it suggests that an attacker has gained unauthorized access to the Sentry system, potentially leading to a significant system compromise and data breach. It is important to note that while the issue has a high CVSS score, the risk of exploitation is low for customers who do not expose port 8443 to the internet. The search specifically looks for HTTP requests to certain endpoints (\"/mics/services/configservice/*\", \"/mics/services/*\",\"/mics/services/MICSLogService*\") and HTTP status code of 200. Unusual or unexpected patterns in these parameters could indicate an attack.", "references": ["https://github.com/horizon3ai/CVE-2023-38035/blob/main/CVE-2023-38035.py", "https://www.horizon3.ai/ivanti-sentry-authentication-bypass-cve-2023-38035-deep-dive/", "https://forums.ivanti.com/s/article/KB-API-Authentication-Bypass-on-Sentry-Administrator-Interface-CVE-2023-38035?language=en_US"], "tags": {"analytic_story": ["Ivanti Sentry Authentication Bypass CVE-2023-38035"], "asset_type": "Network", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible exploitation of CVE-2023-38035 against $dest$.", "risk_score": 45, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}]}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"/mics/services/configservice/*\", \"/mics/services/*\",\"/mics/services/MICSLogService*\") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ivanti_sentry_authentication_bypass_filter`", "how_to_implement": "To implement this analytic, a network product similar to Suricata or Palo Alto needs to be mapped to the Web datamodel. Modify accordingly to work with your products.", "known_false_positives": "It is important to note that false positives may occur if the search criteria are expanded beyond the HTTP status code 200. In other words, if the search includes other HTTP status codes, the likelihood of encountering false positives increases. This is due to the fact that HTTP status codes other than 200 may not necessarily indicate a successful exploitation attempt.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "ivanti_sentry_authentication_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Jenkins Arbitrary File Read CVE-2024-23897", "author": "Michael Haag, Splunk", "date": "2024-01-26", "version": 1, "id": "c641260d-2b48-4eb1-b1e8-2cc5b8b99ab1", "description": "The following analtyic identifies a Jenkins Arbitrary File Read CVE-2024-23897 exploitation. This attack allows an attacker to read arbitrary files on the Jenkins server. This can be used to obtain sensitive information such as credentials, private keys, and other sensitive information.", "references": ["https://github.com/projectdiscovery/nuclei-templates/pull/9025", "https://github.com/jenkinsci-cert/SECURITY-3314-3315", "https://github.com/binganao/CVE-2024-23897", "https://github.com/h4x0r-dz/CVE-2024-23897", "https://www.sonarsource.com/blog/excessive-expansion-uncovering-critical-security-vulnerabilities-in-jenkins/", "https://www.shodan.io/search?query=product%3A%22Jenkins%22", "https://thehackernews.com/2024/01/critical-jenkins-vulnerability-exposes.html"], "tags": {"analytic_story": ["Jenkins Server Vulnerabilities"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Jenkins Arbitrary File Read CVE-2024-23897 against $dest$ by $src$.", "risk_score": 81, "security_domain": "network", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}]}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url=\"*/cli?remoting=false*\" Web.status=200 Web.http_method=POST by Web.src, Web.dest, Web.http_user_agent, Web.url Web.status, Web.http_method | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `jenkins_arbitrary_file_read_cve_2024_23897_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. If unable to utilize the Web datamodel, modify query to your data source.", "known_false_positives": "False positives should be limited as this detection is based on a specific URL path and HTTP status code. Adjust the search as necessary to fit the environment.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "jenkins_arbitrary_file_read_cve_2024_23897_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "JetBrains TeamCity Authentication Bypass CVE-2024-27198", "author": "Michael Haag, Splunk", "date": "2024-03-04", "version": 1, "id": "fbcc04c7-8a79-453c-b3a9-c232c423bdd4", "description": "The CVE-2024-27198 vulnerability presents a critical security risk for JetBrains TeamCity on-premises servers, allowing attackers to bypass authentication mechanisms and gain unauthorized access. This vulnerability can be exploited in several ways, each leading to the attacker gaining full control over the TeamCity server, including all associated projects, builds, agents, and artifacts. One method of exploitation involves creating a new administrator user. An attacker, without needing to authenticate, can send a specially crafted POST request to the `/app/rest/users` REST API endpoint. This request includes the desired username, password, email, and roles for the new user, effectively granting them administrative privileges upon successful execution. Alternatively, an attacker can generate a new administrator access token by targeting the `/app/rest/users/id:1/tokens` endpoint with a POST request. This method also does not require prior authentication and results in the creation of a token that grants administrative access. Both exploitation methods underscore the severity of the CVE-2024-27198 vulnerability and highlight the importance of securing TeamCity servers against such authentication bypass threats. The manipulation of URI paths `/app/rest/users` and `/app/rest/users/id:1/tokens` through malicious requests enables attackers to gain unauthorized access and control, emphasizing the need for immediate remediation measures.", "references": ["https://github.com/projectdiscovery/nuclei-templates/pull/9279/files", "https://www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/", "https://blog.jetbrains.com/teamcity/2024/03/teamcity-2023-11-4-is-out/", "https://blog.jetbrains.com/teamcity/2024/03/additional-critical-security-issues-affecting-teamcity-on-premises-cve-2024-27198-and-cve-2024-27199-update-to-2023-11-4-now/", "https://github.com/yoryio/CVE-2024-27198/blob/main/CVE-2024-27198.py"], "tags": {"analytic_story": ["JetBrains TeamCity Vulnerabilities"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible JetBrains TeamCity Authentication Bypass CVE-2024-27198 Attempt against $dest$ from $src$.", "risk_score": 81, "security_domain": "network", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}]}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where ((Web.url=\"*?jsp=*\" AND Web.url=\"*;.jsp*\") Web.status=200 Web.http_method=POST) OR (Web.url IN (\"*jsp=/app/rest/users;.jsp\",\"*?jsp=/app/rest/users;.jsp\",\"*?jsp=.*/app/rest/users/id:*/tokens;*\") Web.status=200 Web.http_method=POST ) by Web.src, Web.dest, Web.http_user_agent, Web.url, Web.status, Web.http_method, sourcetype, source | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `jetbrains_teamcity_authentication_bypass_cve_2024_27198_filter`", "how_to_implement": "The detection relies on the Web datamodel and a CIM compliant log source, that may include Nginx, TeamCity logs, or other web server logs.", "known_false_positives": "False positives are not expected, as this detection is based on the presence of specific URI paths and HTTP methods that are indicative of the CVE-2024-27198 vulnerability exploitation. Monitor, filter and tune as needed based on organization log sources.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "jetbrains_teamcity_authentication_bypass_cve_2024_27198_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198", "author": "Michael Haag, Splunk", "date": "2024-03-04", "version": 1, "id": "fbcc04c7-8a79-453c-b3a9-c232c423bdd3", "description": "The CVE-2024-27198 vulnerability presents a critical security risk for JetBrains TeamCity on-premises servers, allowing attackers to bypass authentication mechanisms and gain unauthorized access. This vulnerability can be exploited in several ways, each leading to the attacker gaining full control over the TeamCity server, including all associated projects, builds, agents, and artifacts. One method of exploitation involves creating a new administrator user. An attacker, without needing to authenticate, can send a specially crafted POST request to the `/app/rest/users` REST API endpoint. This request includes the desired username, password, email, and roles for the new user, effectively granting them administrative privileges upon successful execution.Alternatively, an attacker can generate a new administrator access token by targeting the `/app/rest/users/id:1/tokens` endpoint with a POST request. This method also does not require prior authentication and results in the creation of a token that grants administrative access. Both exploitation methods underscore the severity of the CVE-2024-27198 vulnerability and highlight the importance of securing TeamCity servers against such authentication bypass threats. The manipulation of URI paths `/app/rest/users` and `/app/rest/users/id:1/tokens` through malicious requests enables attackers to gain unauthorized access and control, emphasizing the need for immediate remediation measures.", "references": ["https://github.com/projectdiscovery/nuclei-templates/pull/9279/files", "https://www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/", "https://blog.jetbrains.com/teamcity/2024/03/teamcity-2023-11-4-is-out/", "https://blog.jetbrains.com/teamcity/2024/03/additional-critical-security-issues-affecting-teamcity-on-premises-cve-2024-27198-and-cve-2024-27199-update-to-2023-11-4-now/"], "tags": {"analytic_story": ["JetBrains TeamCity Vulnerabilities"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible JetBrains TeamCity Authentication Bypass Attempt against $dest$ from $src$.", "risk_score": 81, "security_domain": "network", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}]}, "type": "TTP", "search": "`suricata` ((http.url=\"*?jsp=*\" AND http.url=\"*;.jsp*\") http.status=200 http_method=POST) OR (http.url IN (\"*jsp=/app/rest/users;.jsp\",\"*?jsp=/app/rest/users;.jsp\",\"*?jsp=.*/app/rest/users/id:*/tokens;*\") http.status=200 http_method=POST ) | stats count min(_time) as firstTime max(_time) as lastTime by src, dest, http.http_user_agent, http.url, http.status,http_method | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `jetbrains_teamcity_authentication_bypass_suricata_cve_2024_27198_filter`", "how_to_implement": "The following detection relies on the Suricata TA and ensuring it is properly configured to monitor HTTP traffic. Modify the query for your environment and log sources as needed.", "known_false_positives": "False positives are not expected, as this detection is based on the presence of specific URI paths and HTTP methods that are indicative of the CVE-2024-27198 vulnerability exploitation. Monitor, filter and tune as needed based on organization log sources.", "datamodel": [], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "suricata", "definition": "sourcetype=suricata", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "jetbrains_teamcity_authentication_bypass_suricata_cve_2024_27198_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199", "author": "Michael Haag, Splunk", "date": "2024-03-04", "version": 1, "id": "a1e68dcd-2e24-4434-bd0e-b3d4de139d58", "description": "CVE-2024-27199 reveals a critical vulnerability in JetBrains TeamCity web server, allowing unauthenticated attackers to bypass authentication for a limited set of endpoints. This vulnerability exploits path traversal issues, enabling attackers to access and potentially modify system settings or disclose sensitive server information without proper authentication. Identified vulnerable paths include /res/, /update/, and /.well-known/acme-challenge/, among others. Attackers can manipulate these paths to reach restricted JSP pages and servlet endpoints, such as /app/https/settings/uploadCertificate, which could allow for the uploading of malicious HTTPS certificates or modification of server settings. This detection aims to identify potential exploitation attempts by monitoring for unusual access patterns to these endpoints, which could indicate an authentication bypass attempt in progress.", "references": ["https://github.com/projectdiscovery/nuclei-templates/blob/f644ec82dfe018890c6aa308967424d26c0f1522/http/cves/2024/CVE-2024-27199.yaml", "https://www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/", "https://blog.jetbrains.com/teamcity/2024/03/teamcity-2023-11-4-is-out/", "https://blog.jetbrains.com/teamcity/2024/03/additional-critical-security-issues-affecting-teamcity-on-premises-cve-2024-27198-and-cve-2024-27199-update-to-2023-11-4-now/"], "tags": {"analytic_story": ["JetBrains TeamCity Vulnerabilities"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible JetBrains TeamCity Limited Authentication Bypass Attempt against $dest$ from $src$.", "risk_score": 63, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}]}, "type": "TTP", "search": "`suricata` http.url IN (\"*../admin/diagnostic.jsp*\", \"*../app/https/settings/*\", \"*../app/pipeline*\", \"*../app/oauth/space/createBuild.html*\", \"*../res/*\", \"*../update/*\", \"*../.well-known/acme-challenge/*\", \"*../app/availableRunners*\", \"*../app/https/settings/setPort*\", \"*../app/https/settings/certificateInfo*\", \"*../app/https/settings/defaultHttpsPort*\", \"*../app/https/settings/fetchFromAcme*\", \"*../app/https/settings/removeCertificate*\", \"*../app/https/settings/uploadCertificate*\", \"*../app/https/settings/termsOfService*\", \"*../app/https/settings/triggerAcmeChallenge*\", \"*../app/https/settings/cancelAcmeChallenge*\", \"*../app/https/settings/getAcmeOrder*\", \"*../app/https/settings/setRedirectStrategy*\") http.status=200 http_method=GET | stats count min(_time) as firstTime max(_time) as lastTime by src, dest, http_user_agent, http.url, http.status, http_method | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `jetbrains_teamcity_limited_auth_bypass_suricata_cve_2024_27199_filter`", "how_to_implement": "The following detection relies on the Suricata TA and ensuring it is properly configured to monitor HTTP traffic. Modify the query for your environment and log sources as needed.", "known_false_positives": "False positives are not expected, however, monitor, filter, and tune as needed based on organization log sources. The analytic is restricted to 200 and GET requests to specific URI paths, which should limit false positives.", "datamodel": [], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "suricata", "definition": "sourcetype=suricata", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "jetbrains_teamcity_limited_auth_bypass_suricata_cve_2024_27199_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "JetBrains TeamCity RCE Attempt", "author": "Michael Haag, Splunk", "date": "2023-10-01", "version": 1, "id": "89a58e5f-1365-4793-b45c-770abbb32b6c", "description": "The following analytic is designed to detect attempts to exploit the CVE-2023-42793 vulnerability in TeamCity On-Premises. It focuses on identifying suspicious POST requests to /app/rest/users/id:1/tokens/RPC2, which is the initial point of exploitation. This could indicate an unauthenticated attacker trying to gain administrative access through Remote Code Execution (RCE).", "references": ["https://blog.jetbrains.com/teamcity/2023/09/critical-security-issue-affecting-teamcity-on-premises-update-to-2023-05-4-now/", "https://www.sonarsource.com/blog/teamcity-vulnerability/", "https://github.com/rapid7/metasploit-framework/pull/18408", "https://attackerkb.com/topics/1XEEEkGHzt/cve-2023-42793/rapid7-analysis"], "tags": {"analytic_story": ["CISA AA23-347A", "JetBrains TeamCity Unauthenticated RCE", "JetBrains TeamCity Vulnerabilities"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "url", "type": "URL String", "role": ["Other"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Potential JetBrains TeamCity RCE Attempt detected against URL $url$ on $dest$.", "risk_score": 81, "security_domain": "network", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}]}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"/app/rest/users/id:1/tokens/RPC2*\") Web.status=200 Web.http_method=POST by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `jetbrains_teamcity_rce_attempt_filter`", "how_to_implement": "The following analytic requires the Web datamodel. Ensure data source is mapped correctly or modify and tune for your data source.", "known_false_positives": "If TeamCity is not in use, this analytic will not return results. Monitor and tune for your environment.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "jetbrains_teamcity_rce_attempt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Juniper Networks Remote Code Execution Exploit Detection", "author": "Michael Haag, Splunk", "date": "2023-08-29", "version": 1, "id": "6cc4cc3d-b10a-4fac-be1e-55d384fc690e", "description": "The following analytic detects the exploitation of a remote code execution vulnerability in Juniper Networks devices. The vulnerability involves multiple steps, including uploading a malicious PHP file and an INI file to the target server, and then executing the PHP code by manipulating the PHP configuration via the uploaded INI file. The analytic specifically looks for requests to /webauth_operation.php?PHPRC=*, which are used to upload the files and execute the code, respectively. This behavior is worth identifying for a SOC because it indicates that an attacker is attempting to exploit the vulnerability to gain unauthorized access to the device and execute arbitrary code. If a true positive is found, it suggests that an attacker has successfully exploited the vulnerability and may have gained control over the device, leading to data theft, network compromise, or other damaging outcomes. Upon triage, review the request parameters and the response to determine if the exploitation was successful. Capture and inspect any relevant network traffic and server logs to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks.", "references": ["https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution?language=en_US", "https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-36844.yaml", "https://thehackernews.com/2023/08/new-juniper-junos-os-flaws-expose.html", "https://github.com/watchtowrlabs/juniper-rce_cve-2023-36844", "https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/", "https://vulncheck.com/blog/juniper-cve-2023-36845"], "tags": {"analytic_story": ["Juniper JunOS Remote Code Execution"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control", "Delivery", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "url", "type": "URL String", "role": ["Attacker"]}], "message": "This analytic has identified a potential exploitation of a remote code execution vulnerability in Juniper Networks devices on $dest$ on the URL $url$ used for the exploit.", "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*/webauth_operation.php?PHPRC=*\") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `juniper_networks_remote_code_execution_exploit_detection_filter`", "how_to_implement": "To implement this search, ensure that the Web data model is populated. The search is activated when the Web data model is accelerated. Network products, such as Suricata or Palo Alto, need to be mapped to the Web data model. Adjust the mapping as necessary to suit your specific products.", "known_false_positives": "Be aware of potential false positives - legitimate uses of the /webauth_operation.php endpoint may cause benign activities to be flagged.The URL in the analytic is specific to a successful attempt to exploit the vulnerability. Review contents of the HTTP body to determine if the request is malicious. If the request is benign, add the URL to the whitelist or continue to monitor.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "juniper_networks_remote_code_execution_exploit_detection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Log4Shell JNDI Payload Injection Attempt", "author": "Jose Hernandez", "date": "2021-12-13", "version": 1, "id": "c184f12e-5c90-11ec-bf1f-497c9a704a72", "description": "CVE-2021-44228 Log4Shell payloads can be injected via various methods, but on of the most common vectors injection is via Web calls. Many of the vulnerable java web applications that are using log4j have a web component to them are specially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by a LDAP lookup function in the log4j package, its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, when executed against vulnerable web applications the invocation can be seen in various part of web logs. Specifically it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. In this detection we first limit the scope of our search to the Web Datamodel and use the `| from datamodel` function to benefit from schema accelerated searching capabilities, mainly because the second part of the detection is pretty heavy, it runs a regex across all _raw events that looks for `${jndi:ldap://` pattern across all potential web fields available to the raw data, like http headers for example. If you see results for this detection, it means that there was a attempt at a injection, which could be a reconnaissance activity or a valid expliotation attempt, but this does not exactly mean that the host was indeed successfully exploited.", "references": ["https://www.lunasec.io/docs/blog/log4j-zero-day/"], "tags": {"analytic_story": ["CISA AA22-257A", "CISA AA22-320A", "Log4Shell CVE-2021-44228"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "CVE-2021-44228 Log4Shell triggered for host $dest$", "risk_score": 15, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "type": "Anomaly", "search": "| from datamodel Web.Web | regex _raw=\"[jJnNdDiI]{4}(\\:|\\%3A|\\/|\\%2F)\\w+(\\:\\/\\/|\\%3A\\%2F\\%2F)(\\$\\{.*?\\}(\\.)?)?\" | fillnull | stats count by action, category, dest, dest_port, http_content_type, http_method, http_referrer, http_user_agent, site, src, url, url_domain, user | `log4shell_jndi_payload_injection_attempt_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache or Splunk for Nginx.", "known_false_positives": "If there is a vulnerablility scannner looking for log4shells this will trigger, otherwise likely to have low false positives.", "datamodel": ["Web"], "source": "web", "nes_fields": null, "macros": [{"name": "log4shell_jndi_payload_injection_attempt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Log4Shell JNDI Payload Injection with Outbound Connection", "author": "Jose Hernandez", "date": "2021-12-13", "version": 1, "id": "69afee44-5c91-11ec-bf1f-497c9a704a72", "description": "CVE-2021-44228 Log4Shell payloads can be injected via various methods, but on of the most common vectors injection is via Web calls. Many of the vulnerable java web applications that are using log4j have a web component to them are specially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by a LDAP lookup function in the log4j package, its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, when executed against vulnerable web applications the invocation can be seen in various part of web logs. Specifically it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. In this detection we match the invocation function with a network connection to a malicious ip address.", "references": ["https://www.lunasec.io/docs/blog/log4j-zero-day/"], "tags": {"analytic_story": ["CISA AA22-320A", "Log4Shell CVE-2021-44228"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "CVE-2021-44228 Log4Shell triggered for host $dest$", "risk_score": 15, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "type": "Anomaly", "search": "| from datamodel Web.Web | rex field=_raw max_match=0 \"[jJnNdDiI]{4}(\\:|\\%3A|\\/|\\%2F)(?\\w+)(\\:\\/\\/|\\%3A\\%2F\\%2F)(\\$\\{.*?\\}(\\.)?)?(?[a-zA-Z0-9\\.\\-\\_\\$]+)\" | join affected_host type=inner [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic.All_Traffic by All_Traffic.dest | `drop_dm_object_name(All_Traffic)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename dest AS affected_host] | fillnull | stats count by action, category, dest, dest_port, http_content_type, http_method, http_referrer, http_user_agent, site, src, url, url_domain, user | `log4shell_jndi_payload_injection_with_outbound_connection_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache or Splunk for Nginx.", "known_false_positives": "If there is a vulnerablility scannner looking for log4shells this will trigger, otherwise likely to have low false positives.", "datamodel": ["Network_Traffic", "Web"], "source": "web", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "log4shell_jndi_payload_injection_with_outbound_connection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Microsoft SharePoint Server Elevation of Privilege", "author": "Michael Haag, Gowthamaraj Rajendran, Splunk", "date": "2023-09-27", "version": 1, "id": "fcf4bd3f-a79f-4b7a-83bf-2692d60b859d", "description": "The following analytic detects potential exploitation attempts against Microsoft SharePoint Server vulnerability CVE-2023-29357. This vulnerability pertains to an elevation of privilege due to improper handling of authentication tokens. By monitoring for suspicious activities related to SharePoint Server, the analytic identifies attempts to exploit this vulnerability. If a true positive is detected, it indicates a serious security breach where an attacker might have gained privileged access to the SharePoint environment, potentially leading to data theft or other malicious activities.", "references": ["https://socradar.io/microsoft-sharepoint-server-elevation-of-privilege-vulnerability-exploit-cve-2023-29357/", "https://github.com/LuemmelSec/CVE-2023-29357/blob/main/CVE-2023-29357/Program.cs"], "tags": {"analytic_story": ["Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible exploitation of CVE-2023-29357 against $dest$ from $src$.", "risk_score": 45, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}]}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"/_api/web/siteusers*\",\"/_api/web/currentuser*\") Web.status=200 Web.http_method=GET by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `microsoft_sharepoint_server_elevation_of_privilege_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Microsoft SharePoint.", "known_false_positives": "False positives may occur if there are legitimate activities that mimic the exploitation pattern. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "microsoft_sharepoint_server_elevation_of_privilege_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Monitor Web Traffic For Brand Abuse", "author": "David Dorsey, Splunk", "date": "2024-05-20", "version": 2, "id": "134da869-e264-4a8f-8d7e-fcd0ec88f301", "description": "The following analytic identifies web requests to domains that closely resemble your monitored brand's domain, indicating potential brand abuse. It leverages data from web traffic sources, such as web proxies or network traffic analysis tools, and cross-references these with known domain permutations generated by the \"ESCU - DNSTwist Domain Names\" search. This activity is significant as it can indicate phishing attempts or other malicious activities targeting your brand. If confirmed malicious, attackers could deceive users, steal credentials, or distribute malware, leading to significant reputational and financial damage.", "references": [], "tags": {"analytic_story": ["Brand Monitoring"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Web.url) as urls min(_time) as firstTime from datamodel=Web by Web.src | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `brand_abuse_web` | `monitor_web_traffic_for_brand_abuse_filter`", "how_to_implement": "You need to ingest data from your web traffic. This can be accomplished by indexing data from a web proxy, or using a network traffic analysis tool, such as Bro or Splunk Stream. You also need to have run the search \"ESCU - DNSTwist Domain Names\", which creates the permutations of the domain that will be checked for.", "known_false_positives": "None at this time", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "brand_abuse_web", "definition": "lookup update=true brandMonitoring_lookup domain as urls OUTPUT domain_abuse | search domain_abuse=true", "description": "This macro limits the output to only domains that are in the brand monitoring lookup file"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "monitor_web_traffic_for_brand_abuse_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Nginx ConnectWise ScreenConnect Authentication Bypass", "author": "Michael Haag, Splunk", "date": "2024-02-23", "version": 1, "id": "b3f7a803-e802-448b-8eb2-e796b223bccc", "description": "This analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1709 vulnerability, which allows an attacker to bypass authentication using an alternate path or channel. The vulnerability, identified as critical with a CVSS score of 10, enables unauthorized users to access the SetupWizard.aspx page on already-configured ScreenConnect instances, potentially leading to the creation of administrative users and remote code execution. The search query provided looks for web requests to the SetupWizard.aspx page that could indicate exploitation attempts. This detection is crucial for identifying and responding to active exploitation of this vulnerability in environments running affected versions of ScreenConnect (23.9.7 and prior). It is recommended to update to version 23.9.8 or above immediately to remediate the issue, as detailed in the ConnectWise security advisory and further analyzed by Huntress researchers.", "references": ["https://docs.splunk.com/Documentation/AddOns/released/NGINX/Sourcetypes", "https://gist.github.com/MHaggis/26f59108b04da8f1d870c9cc3a3c8eec", "https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass", "https://www.huntress.com/blog/detection-guidance-for-connectwise-cwe-288-2", "https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8"], "tags": {"analytic_story": ["ConnectWise ScreenConnect Vulnerabilities"], "asset_type": "Web Proxy", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An authentication bypass attempt against ScreenConnect has been detected on $dest$.", "risk_score": 100, "security_domain": "network", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}]}, "type": "TTP", "search": "`nginx_access_logs` uri_path IN (\"*/SetupWizard.aspx/*\",\"*/SetupWizard/\") status=200 http_method=POST | stats count min(_time) as firstTime max(_time) as lastTime by src, dest, http_user_agent, url, uri_path, status, http_method, sourcetype, source | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `nginx_connectwise_screenconnect_authentication_bypass_filter`", "how_to_implement": "To implement this analytic, ensure proper logging is occurring with Nginx, access.log and error.log, and that these logs are being ingested into Splunk. STRT utilizes this nginx.conf https://gist.github.com/MHaggis/26f59108b04da8f1d870c9cc3a3c8eec to properly log as much data with Nginx.", "known_false_positives": "False positives are not expected, as the detection is based on the presence of web requests to the SetupWizard.aspx page, which is not a common page to be accessed by legitimate users. Note that the analytic is limited to HTTP POST and a status of 200 to reduce false positives. Modify the query as needed to reduce false positives or hunt for additional indicators of compromise.", "datamodel": [], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "nginx_access_logs", "definition": "(sourcetype=\"nginx:plus:kv\" OR sourcetype=\"nginx:plus:access\")", "description": "This is the base macro for Nginx sourcetypes"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "nginx_connectwise_screenconnect_authentication_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "PaperCut NG Remote Web Access Attempt", "author": "Michael Haag, Splunk", "date": "2023-05-15", "version": 1, "id": "9fcb214a-dc42-4ce7-a650-f1d2cab16a6a", "description": "The following analytic is designed to detect potential exploitation attempts on publicly accessible PaperCut NG servers. It identifies connections from public IP addresses to the server and specifically monitors for URI paths commonly found in proof-of-concept (POC) scripts for exploiting PaperCut NG vulnerabilities. These URI paths have been observed in both Metasploit modules and standalone scripts used for attacking PaperCut NG servers. When a public IP address is detected accessing one or more of these suspicious URI paths, an alert may be generated to notify the security team of the potential threat. The team can then investigate the source IP address, the targeted PaperCut NG server, and any other relevant information to determine the nature of the activity and take appropriate actions to mitigate the risk.", "references": ["https://www.cisa.gov/news-events/alerts/2023/05/11/cisa-and-fbi-release-joint-advisory-response-active-exploitation-papercut-vulnerability", "https://www.papercut.com/kb/Main/PO-1216-and-PO-1219", "https://www.horizon3.ai/papercut-cve-2023-27350-deep-dive-and-indicators-of-compromise/", "https://www.bleepingcomputer.com/news/security/hackers-actively-exploit-critical-rce-bug-in-papercut-servers/", "https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software"], "tags": {"analytic_story": ["PaperCut MF NG Vulnerability"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "URIs specific to PaperCut NG have been access by a public IP against $dest$.", "risk_score": 63, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats count from datamodel=Web where Web.url IN (\"/app?service=page/SetupCompleted\", \"/app\", \"/app?service=page/PrinterList\", \"/app?service=direct/1/PrinterList/selectPrinter&sp=*\", \"/app?service=direct/1/PrinterDetails/printerOptionsTab.tab\") NOT (src IN (\"10.*.*.*\",\"172.16.*.*\", \"192.168.*.*\", \"169.254.*.*\", \"127.*.*.*\", \"fc00::*\", \"fd00::*\", \"fe80::*\")) by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest Web.dest_port sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `papercut_ng_remote_web_access_attempt_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "papercut_ng_remote_web_access_attempt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "ProxyShell ProxyNotShell Behavior Detected", "author": "Michael Haag, Splunk", "date": "2023-07-10", "version": 1, "id": "c32fab32-6aaf-492d-bfaf-acbed8e50cdf", "description": "The following correlation will identify activity related to Windows Exchange being actively exploited by adversaries related to ProxyShell or ProxyNotShell. In addition, the analytic correlates post-exploitation Cobalt Strike analytic story. Common post-exploitation behavior has been seen in the wild includes adversaries running nltest, Cobalt Strike, Mimikatz and adding a new user. The correlation specifically looks for 5 distinct analyticstories to trigger. Modify or tune as needed for your organization. 5 analytics is an arbitrary number but was chosen to reduce the amount of noise but also require the 2 analytic stories or a ProxyShell and CobaltStrike to fire. Adversaries will exploit the vulnerable Exchange server, abuse SSRF, drop a web shell, utilize the PowerShell Exchange modules and begin post-exploitation.", "references": ["https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html", "https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/"], "tags": {"analytic_story": ["BlackByte Ransomware", "ProxyNotShell", "ProxyShell"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "Hostname", "role": ["Victim"]}], "message": "ProxyShell or ProxyNotShell activity has been identified on $risk_object$.", "risk_score": 81, "security_domain": "network", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "type": "Correlation", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.analyticstories) as analyticstories values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count dc(All_Risk.analyticstories) as dc_analyticstories from datamodel=Risk.All_Risk where All_Risk.analyticstories IN (\"ProxyNotShell\",\"ProxyShell\") OR (All_Risk.analyticstories IN (\"ProxyNotShell\",\"ProxyShell\") AND All_Risk.analyticstories=\"Cobalt Strike\") All_Risk.risk_object_type=\"system\" by _time span=1h All_Risk.risk_object All_Risk.risk_object_type | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| where source_count >=5 | `proxyshell_proxynotshell_behavior_detected_filter`", "how_to_implement": "To implement this correlation, you will need to enable ProxyShell, ProxyNotShell and Cobalt Strike analytic stories (the anaytics themselves) and ensure proper data is being collected for Web and Endpoint datamodels. Run the correlation rule seperately to validate it is not triggering too much or generating incorrectly. Validate by running ProxyShell POC code and Cobalt Strike behavior.", "known_false_positives": "False positives will be limited, however tune or modify the query as needed.", "datamodel": ["Risk"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "proxyshell_proxynotshell_behavior_detected_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Spring4Shell Payload URL Request", "author": "Michael Haag, Splunk", "date": "2022-07-12", "version": 1, "id": "9d44d649-7d67-4559-95c1-8022ff49420b", "description": "The following analytic is static indicators related to CVE-2022-22963, Spring4Shell. The 3 indicators provide an amount of fidelity that source IP is attemping to exploit a web shell on the destination. The filename and cmd are arbitrary in this exploitation. Java will write a JSP to disk and a process will spawn from Java based on the cmd passed. This is indicative of typical web shell activity.", "references": ["https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/", "https://github.com/TheGejr/SpringShell", "https://www.tenable.com/blog/spring4shell-faq-spring-framework-remote-code-execution-vulnerability"], "tags": {"analytic_story": ["Spring4Shell CVE-2022-22965"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "IP Address", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "A URL was requested related to Spring4Shell POC code on $dest$ by $src$.", "risk_score": 36, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "APT5", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats count from datamodel=Web where Web.http_method IN (\"GET\") Web.url IN (\"*tomcatwar.jsp*\",\"*poc.jsp*\",\"*shell.jsp*\") by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spring4shell_payload_url_request_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel.", "known_false_positives": "The jsp file names are static names used in current proof of concept code. =", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "spring4shell_payload_url_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "SQL Injection with Long URLs", "author": "Bhavin Patel, Splunk", "date": "2022-03-28", "version": 3, "id": "e0aad4cf-0790-423b-8328-7564d0d938f9", "description": "The following analytic detects long URLs that contain multiple SQL commands. A proactive approach helps to detect and respond to potential threats earlier, mitigating the risks associated with SQL injection attacks. This detection is made by a Splunk query that searches for web traffic data where the destination category is a web server and the URL length is greater than 1024 characters or the HTTP user agent length is greater than 200 characters. This detection is important because it suggests that an attacker is attempting to exploit a web application through SQL injection. SQL injection is a common technique used by attackers to exploit vulnerabilities in web applications and gain unauthorized access to databases. Attackers can insert malicious SQL commands into a URL to manipulate the application's database and retrieve sensitive information or modify data. The impact of a successful SQL injection attack can be severe, potentially leading to data breaches, unauthorized access, and even complete compromise of the affected system. False positives might occur since the legitimate use of web applications or specific URLs in your environment can trigger the detection. Therefore, you must review and validate any alerts generated by this analytic before taking any action. Next steps include reviewing the source and destination of the web traffic, as well as the specific URL and HTTP user agent. Additionally, capture and analyze any relevant on-disk artifacts and review concurrent processes to determine the source of the attack.", "references": [], "tags": {"analytic_story": ["SQL Injection"], "asset_type": "Database Server", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "SQL injection attempt with url $url$ detected on $dest$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count from datamodel=Web where Web.dest_category=web_server AND (Web.url_length > 1024 OR Web.http_user_agent_length > 200) by Web.src Web.dest Web.url Web.url_length Web.http_user_agent | `drop_dm_object_name(\"Web\")` | eval url=lower(url) | eval num_sql_cmds=mvcount(split(url, \"alter%20table\")) + mvcount(split(url, \"between\")) + mvcount(split(url, \"create%20table\")) + mvcount(split(url, \"create%20database\")) + mvcount(split(url, \"create%20index\")) + mvcount(split(url, \"create%20view\")) + mvcount(split(url, \"delete\")) + mvcount(split(url, \"drop%20database\")) + mvcount(split(url, \"drop%20index\")) + mvcount(split(url, \"drop%20table\")) + mvcount(split(url, \"exists\")) + mvcount(split(url, \"exec\")) + mvcount(split(url, \"group%20by\")) + mvcount(split(url, \"having\")) + mvcount(split(url, \"insert%20into\")) + mvcount(split(url, \"inner%20join\")) + mvcount(split(url, \"left%20join\")) + mvcount(split(url, \"right%20join\")) + mvcount(split(url, \"full%20join\")) + mvcount(split(url, \"select\")) + mvcount(split(url, \"distinct\")) + mvcount(split(url, \"select%20top\")) + mvcount(split(url, \"union\")) + mvcount(split(url, \"xp_cmdshell\")) - 24 | where num_sql_cmds > 3 | `sql_injection_with_long_urls_filter`", "how_to_implement": "To successfully implement this search, you need to be monitoring network communications to your web servers or ingesting your HTTP logs and populating the Web data model. You must also identify your web servers in the Enterprise Security assets table.", "known_false_positives": "It's possible that legitimate traffic will have long URLs or long user agent strings and that common SQL commands may be found within the URL. Please investigate as appropriate.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "sql_injection_with_long_urls_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Supernova Webshell", "author": "John Stoner, Splunk", "date": "2021-01-06", "version": 1, "id": "2ec08a09-9ff1-4dac-b59f-1efd57972ec1", "description": "The following analytic detects the presence of the Supernova webshell, which was used in the SUNBURST attack. This webshell can be used by attackers to gain unauthorized access to a compromised system and run arbitrary code. This detection is made by a Splunk query that searches for specific patterns in web URLs, including \"*logoimagehandler.ashx*codes*\", \"*logoimagehandler.ashx*clazz*\", \"*logoimagehandler.ashx*method*\", and \"*logoimagehandler.ashx*args*\". These patterns are commonly used by the Supernova webshell to communicate with its command and control server. This detection is important because it indicates a potential compromise and unauthorized access to the system to run arbitrary code, which can lead to data theft, ransomware, or other damaging outcomes. False positives might occur since the patterns used by the webshell can also be present in legitimate web traffic. In such cases, tune the search to the specific environment and monitor it closely for any suspicious activity. Next steps include reviewing the web URLs and inspecting any relevant on-disk artifacts. Additionally, review concurrent processes and network connections to identify the source of the attack.", "references": ["https://www.splunk.com/en_us/blog/security/detecting-supernova-malware-solarwinds-continued.html", "https://www.guidepointsecurity.com/blog/supernova-solarwinds-net-webshell-analysis/"], "tags": {"analytic_story": ["NOBELIUM Group"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "APT5", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count from datamodel=Web.Web where web.url=*logoimagehandler.ashx*codes* OR Web.url=*logoimagehandler.ashx*clazz* OR Web.url=*logoimagehandler.ashx*method* OR Web.url=*logoimagehandler.ashx*args* by Web.src Web.dest Web.url Web.vendor_product Web.user Web.http_user_agent _time span=1s | `supernova_webshell_filter`", "how_to_implement": "To successfully implement this search, you need to be monitoring web traffic to your Solarwinds Orion. The logs should be ingested into splunk and populating/mapped to the Web data model.", "known_false_positives": "There might be false positives associted with this detection since items like args as a web argument is pretty generic.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "supernova_webshell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "VMWare Aria Operations Exploit Attempt", "author": "Michael Haag, Splunk", "date": "2023-06-21", "version": 1, "id": "d5d865e4-03e6-43da-98f4-28a4f42d4df7", "description": "The following analytic is designed to detect potential exploitation attempts against VMWare vRealize Network Insight that align with the characteristics of CVE-2023-20887. This specific vulnerability is a critical security flaw that, if exploited, could allow an attacker to execute arbitrary code on the affected system.\nThe analytic operates by monitoring web traffic, specifically HTTP POST requests, directed towards a specific URL endpoint (\"/saas./resttosaasservlet\"). This endpoint is known to be vulnerable and is a common target for attackers exploiting this vulnerability.\nThe behavior this analytic detects is the sending of HTTP POST requests to the vulnerable endpoint. This is a significant indicator of an attempted exploit as it is the primary method used to trigger the vulnerability. The analytic detects this behavior by analyzing web traffic data and identifying HTTP POST requests directed at the vulnerable endpoint.\nIdentifying this behavior is crucial for a Security Operations Center (SOC) as it can indicate an active attempt to exploit a known vulnerability within the network. If the identified behavior is a true positive, it suggests an attacker is attempting to exploit the CVE-2023-20887 vulnerability in VMWare vRealize Network Insight. The impact of such an attack could be severe, potentially allowing the attacker to execute arbitrary code on the affected system, leading to unauthorized access, data theft, or further propagation within the network.", "references": ["https://nvd.nist.gov/vuln/detail/CVE-2023-20887", "https://viz.greynoise.io/tag/vmware-aria-operations-for-networks-rce-attempt?days=30", "https://github.com/sinsinology/CVE-2023-20887", "https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/"], "tags": {"analytic_story": ["VMware Aria Operations vRealize CVE-2023-20887"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "An exploitation attempt has occurred against $dest$ from $src$ related to CVE-2023-20887", "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1210", "mitre_attack_technique": "Exploitation of Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "Dragonfly", "Earth Lusca", "FIN7", "Fox Kitten", "MuddyWater", "Threat Group-3390", "Tonto Team", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}]}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*/saas./resttosaasservlet*\") Web.http_method=POST Web.status IN (\"unknown\", \"200\") by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `vmware_aria_operations_exploit_attempt_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. Restrict to specific dest assets to reduce false positives.", "known_false_positives": "False positives will be present based on gateways in use, modify the status field as needed.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "vmware_aria_operations_exploit_attempt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "VMware Server Side Template Injection Hunt", "author": "Michael Haag, Splunk", "date": "2024-05-12", "version": 2, "id": "5796b570-ad12-44df-b1b5-b7e6ae3aabb0", "description": "The following analytic identifies potential server-side template injection attempts related to CVE-2022-22954. It detects suspicious URL patterns containing \"deviceudid\" and keywords like \"java.lang.ProcessBuilder\" or \"freemarker.template.utility.ObjectConstructor\" using web or proxy logs within the Web Datamodel. This activity is significant as it may indicate an attempt to exploit a known vulnerability in VMware, potentially leading to remote code execution. If confirmed malicious, attackers could gain unauthorized access, execute arbitrary code, and compromise the affected system, posing a severe security risk.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa22-138b", "https://github.com/wvu/metasploit-framework/blob/master/modules/exploits/linux/http/vmware_workspace_one_access_cve_2022_22954.rb", "https://github.com/sherlocksecurity/VMware-CVE-2022-22954", "https://www.vmware.com/security/advisories/VMSA-2022-0011.html", "https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954/rapid7-analysis", "https://twitter.com/wvuuuuuuuuuuuuu/status/1519476924757778433"], "tags": {"analytic_story": ["VMware Server Side Injection and Privilege Escalation"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An attempt to exploit a VMware Server Side Injection CVE-2022-22954 on $dest$ has occurred.", "risk_score": 35, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "type": "Hunting", "search": "| tstats count from datamodel=Web where Web.http_method IN (\"GET\") Web.url=\"*deviceudid=*\" AND Web.url IN (\"*java.lang.ProcessBuilder*\",\"*freemarker.template.utility.ObjectConstructor*\") by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `vmware_server_side_template_injection_hunt_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. For additional filtering, allow list private IP space or restrict by known good.", "known_false_positives": "False positives may be present if the activity is blocked or was not successful. Filter known vulnerablity scanners. Filter as needed.", "datamodel": ["Web"], "source": "web", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "vmware_server_side_template_injection_hunt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "VMware Workspace ONE Freemarker Server-side Template Injection", "author": "Michael Haag, Splunk", "date": "2022-05-19", "version": 1, "id": "9e5726fe-8fde-460e-bd74-cddcf6c86113", "description": "The following analytic identifies the server side template injection related to CVE-2022-22954. Based on the scanning activity across the internet and proof of concept code available the template injection occurs at catalog-portal/ui/oauth/verify?error=&deviceudid=. Upon triage, review parallel processes and VMware logs. Following the deviceudid= may be a command to be executed. Capture any file creates and review modified files on disk.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa22-138b", "https://github.com/wvu/metasploit-framework/blob/master/modules/exploits/linux/http/vmware_workspace_one_access_cve_2022_22954.rb", "https://github.com/sherlocksecurity/VMware-CVE-2022-22954", "https://www.vmware.com/security/advisories/VMSA-2022-0011.html", "https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954/rapid7-analysis"], "tags": {"analytic_story": ["VMware Server Side Injection and Privilege Escalation"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An attempt to exploit a VMware Server Side Injection CVE-2022-22954 on $dest$ has occurred.", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "type": "Anomaly", "search": "| tstats count from datamodel=Web where Web.http_method IN (\"GET\") Web.url=\"*/catalog-portal/ui/oauth/verify?error=&deviceudid=*\" AND Web.url=\"*freemarker.template.utility.Execute*\" by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `vmware_workspace_one_freemarker_server_side_template_injection_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. For additional filtering, allow list private IP space or restrict by known good.", "known_false_positives": "False positives may be present if the activity is blocked or was not successful. Filter known vulnerablity scanners. Filter as needed.", "datamodel": ["Web"], "source": "web", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "vmware_workspace_one_freemarker_server_side_template_injection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Web JSP Request via URL", "author": "Michael Haag, Splunk", "date": "2022-04-05", "version": 1, "id": "2850c734-2d44-4431-8139-1a56f6f54c01", "description": "The following analytic identifies the common URL requests used by a recent CVE - CVE-2022-22965, or Spring4Shell, to access a webshell on the remote webserver. The filename and cmd are arbitrary in this exploitation. Java will write a JSP to disk and a process will spawn from Java based on the cmd passed. This is indicative of typical web shell activity.", "references": ["https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/", "https://github.com/TheGejr/SpringShell", "https://www.tenable.com/blog/spring4shell-faq-spring-framework-remote-code-execution-vulnerability"], "tags": {"analytic_story": ["Spring4Shell CVE-2022-22965"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "A suspicious URL has been requested against $dest$ by $src$, related to web shell activity.", "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "APT5", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats count from datamodel=Web where Web.http_method IN (\"GET\") Web.url IN (\"*.jsp?cmd=*\",\"*j&cmd=*\") by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `web_jsp_request_via_url_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel.", "known_false_positives": "False positives may be present with legitimate applications. Attempt to filter by dest IP or use Asset groups to restrict to servers.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "web_jsp_request_via_url_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Web Remote ShellServlet Access", "author": "Michael Haag, Splunk", "date": "2024-04-02", "version": 2, "id": "c2a332c3-24a2-4e24-9455-0e80332e6746", "description": "This analytic identifies attempts to access the Remote ShellServlet on a web server, which is utilized to execute commands. Such activity is commonly linked with web shells and other forms of malicious behavior. It was specifically detected on a Confluence server in relation to CVE-2023-22518 and CVE-2023-22515. Activities preceding access to the shell servlet include the addition of a plugin to Confluence. Additionally, it is advisable to monitor for ShellServlet?act=3, ShellServlet, or obfuscated variations such as Sh3llServlet1.", "references": ["http://www.servletsuite.com/servlets/shell.htm"], "tags": {"analytic_story": ["CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An attempt to access the Remote ShellServlet on a web server was detected. The source IP is $src$ and the destination hostname is $dest$.", "risk_score": 81, "security_domain": "network", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}]}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*plugins/servlet/com.jsos.shell/*\") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `web_remote_shellservlet_access_filter`", "how_to_implement": "This analytic necessitates the collection of web data, which can be achieved through Splunk Stream or by utilizing the Splunk Add-on for Apache Web Server. No additional configuration is required for this analytic.", "known_false_positives": "False positives may occur depending on the web server's configuration. If the web server is intentionally configured to utilize the Remote ShellServlet, then the detections by this analytic would not be considered true positives.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "web_remote_shellservlet_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Web Spring4Shell HTTP Request Class Module", "author": "Michael Haag, Splunk", "date": "2022-04-06", "version": 1, "id": "fcdfd69d-0ca3-4476-920e-9b633cb4593e", "description": "The following analytic identifies the payload related to Spring4Shell, CVE-2022-22965. This analytic uses Splunk Stream HTTP to view the http request body, form data. STRT reviewed all the current proof of concept code and determined the commonality with the payloads being passed used the same fields \"class.module.classLoader.resources.context.parent.pipeline.first\".", "references": ["https://github.com/DDuarte/springshell-rce-poc/blob/master/poc.py"], "tags": {"analytic_story": ["Spring4Shell CVE-2022-22965"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "A http body request related to Spring4Shell has been sent to $dest$ by $src$.", "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "type": "TTP", "search": "`stream_http` http_method IN (\"POST\") | stats values(form_data) as http_request_body min(_time) as firstTime max(_time) as lastTime count by src dest http_method http_user_agent uri_path url bytes_in bytes_out | search http_request_body IN (\"*class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=_*\", \"*class.module.classLoader.resources.context.parent.pipeline.first.pattern*\",\"*suffix=.jsp*\") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `web_spring4shell_http_request_class_module_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the stream HTTP logs or network logs that catch network traffic. Make sure that the http-request-body, payload, or request field is enabled.", "known_false_positives": "False positives may occur and filtering may be required. Restrict analytic to asset type.", "datamodel": [], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "stream_http", "definition": "sourcetype=stream:http", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "web_spring4shell_http_request_class_module_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Web Spring Cloud Function FunctionRouter", "author": "Michael Haag, Splunk", "date": "2022-04-05", "version": 1, "id": "89dddbad-369a-4f8a-ace2-2439218735bc", "description": "The following analytic identifies activity related to the web application Spring Cloud Function that was recently idenfied as vulnerable. This is CVE-2022-22963. Multiple proof of concept code was released. The URI that is hit includes `functionrouter`. The specifics of the exploit include a status of 500. In this query we did not include it, but for filtering you can add Web.status=500. The exploit data itself (based on all the POCs) is located in the form_data field. This field will include all class.modules being called.", "references": ["https://github.com/rapid7/metasploit-framework/pull/16395", "https://github.com/hktalent/spring-spel-0day-poc"], "tags": {"analytic_story": ["Spring4Shell CVE-2022-22965"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "A suspicious URL has been requested against $dest$ by $src$, related to a vulnerability in Spring Cloud.", "risk_score": 42, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats count from datamodel=Web where Web.http_method IN (\"POST\") Web.url=\"*/functionRouter*\" by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest Web.status sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `web_spring_cloud_function_functionrouter_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel.", "known_false_positives": "False positives may be present with legitimate applications. Attempt to filter by dest IP or use Asset groups to restrict to servers.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "web_spring_cloud_function_functionrouter_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Exchange Autodiscover SSRF Abuse", "author": "Michael Haag, Nathaniel Stearns, Splunk", "date": "2023-07-10", "version": 1, "id": "d436f9e7-0ee7-4a47-864b-6dea2c4e2752", "description": "The following analytic utilizes the Web datamodel and identifies the ProxyShell or ProxyNotShell abuse. This vulnerability is a Server Side Request Forgery (SSRF) vulnerability, which is a web vulnerability that allows an adversary to exploit vulnerable functionality to access server side or local network services by affectively traversing the external firewall using vulnerable web functionality. This analytic looks for the URI path and query of autodiscover, powershell and mapi along with a POST occurring. It will tally a simple score and show the output of the events that match. This analytic may be added to by simply creating a new eval statement and modifying the hardcode digit for Score.", "references": ["https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html", "https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/", "https://twitter.com/GossiTheDog/status/1575762721353916417?s=20&t=67gq9xCWuyPm1VEm8ydfyA", "https://twitter.com/cglyer/status/1575793769814728705?s=20&t=67gq9xCWuyPm1VEm8ydfyA", "https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html", "https://research.splunk.com/stories/proxyshell/", "https://docs.splunk.com/Documentation/AddOns/released/MSIIS", "https://highon.coffee/blog/ssrf-cheat-sheet/", "https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/"], "tags": {"analytic_story": ["BlackByte Ransomware", "ProxyNotShell", "ProxyShell"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Activity related to ProxyShell or ProxyNotShell has been identified on $dest$. Review events and take action accordingly.", "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where (Web.status=200 OR Web.status=302 OR Web.status=401) AND Web.http_method=POST by Web.src Web.status Web.uri_path Web.dest Web.http_method Web.uri_query | `drop_dm_object_name(\"Web\")` | eval is_autodiscover=if(like(lower(uri_path),\"%autodiscover%\"),1,0) | eval powershell = if(match(lower(uri_query),\"powershell\"), \"1\",0) | eval mapi=if(like(uri_query,\"%/mapi/%\"),1,0) | addtotals fieldname=Score is_autodiscover, powershell, mapi | fields Score, src,dest, status, uri_query,uri_path,http_method | where Score >= 2 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_exchange_autodiscover_ssrf_abuse_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on Web traffic, Exchange OR IIS logs, mapped to `Web` datamodel in the `Web` node. In addition, confirm the latest CIM App 4.20 or higher is installed.", "known_false_positives": "False positives are limited.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_exchange_autodiscover_ssrf_abuse_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "WordPress Bricks Builder plugin RCE", "author": "Michael Haag, Splunk", "date": "2024-02-22", "version": 1, "id": "56a8771a-3fda-4959-b81d-2f266e2f679f", "description": "The following analytic identifies potential exploitation of the WordPress Bricks Builder plugin RCE vulnerability. The search is focused on the URL path \"/wp-json/bricks/v1/render_element\" with a status code of 200 and a POST method. It has been addressed by the theme developers in version 1.9.6.1 released on February 13, 2024. The vulnerability is tracked as CVE-2024-25600. The POC exploit is simple enough and will spawn commands on the target server. The exploit is actively being used in the wild.", "references": ["https://attack.mitre.org/techniques/T1190", "https://github.com/Tornad0007/CVE-2024-25600-Bricks-Builder-plugin-for-WordPress/blob/main/exploit.py", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25600", "https://op-c.net/blog/cve-2024-25600-wordpresss-bricks-builder-rce-flaw-under-active-exploitation/", "https://thehackernews.com/2024/02/wordpress-bricks-theme-under-active.html"], "tags": {"analytic_story": ["WordPress Vulnerabilities"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Potential exploitation of the WordPress Bricks Builder plugin RCE vulnerability on $dest$ by $src$.", "risk_score": 100, "security_domain": "network", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}]}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*/wp-json/bricks/v1/render_element\") Web.status=200 Web.http_method=POST by Web.src, Web.dest, Web.http_user_agent, Web.url, Web.uri_path, Web.status, Web.http_method, sourcetype, source | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wordpress_bricks_builder_plugin_rce_filter`", "how_to_implement": "The search is based on data in the Web datamodel and was modeled from NGINX logs. Ensure that the Web datamodel is accelerated and that the data source for the Web datamodel is properly configured. If using other web sources, modify they query, or review the data, as needed.", "known_false_positives": "False positives may be possible, however we restricted it to HTTP Status 200 and POST requests, based on the POC. Upon investigation review the POST body for the actual payload - or command - being executed.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "wordpress_bricks_builder_plugin_rce_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "WS FTP Remote Code Execution", "author": "Michael Haag, Splunk", "date": "2023-10-01", "version": 1, "id": "b84e8f39-4e7b-4d4f-9e7c-fcd29a227845", "description": "The following analytic is designed to detect a Remote Code Execution (RCE) vulnerability (CVE-2023-40044) in WS_FTP, a managed file transfer software by Progress. The search specifically looks for HTTP requests to the \"/AHT/AhtApiService.asmx/AuthUser\" URL with a status of 200, which could indicate an exploitation attempt.", "references": ["https://github.com/projectdiscovery/nuclei-templates/pull/8296/files", "https://www.assetnote.io/resources/research/rce-in-progress-ws-ftp-ad-hoc-via-iis-http-modules-cve-2023-40044", "https://github.com/rapid7/metasploit-framework/pull/18414"], "tags": {"analytic_story": ["WS FTP Server Critical Vulnerabilities"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "nist": ["DE.CM"], "observable": [{"name": "url", "type": "URL String", "role": ["Other"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Potential WS FTP Remote Code Execution detected against URL $url$ on $dest$ from $src$", "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}]}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"/AHT/AhtApiService.asmx/AuthUser\") Web.status=200 Web.http_method=POST by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ws_ftp_remote_code_execution_filter`", "how_to_implement": "The following analytic requires the Web datamodel. Ensure data source is mapped correctly or modify and tune for your data source.", "known_false_positives": "If WS_FTP Server is not in use, this analytic will not return results. Monitor and tune for your environment. Note the MetaSploit module is focused on only hitting /AHT/ and not the full /AHT/AhtApiService.asmx/AuthUser URL.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "ws_ftp_remote_code_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Zscaler Adware Activities Threat Blocked", "author": "Gowthamaraj Rajendran, Splunk", "date": "2023-10-30", "version": 1, "id": "3407b250-345a-4d71-80db-c91e555a3ece", "description": "The following analytic is designed to detect potential adware activity which is blocked by Zscaler. Utilizing Splunk search functionality, it filters web proxy logs for blocked actions associated with adware threats. Key data points like the device owner, user, URL category, destination URL and IP, and action taken are analyzed to highlight possible adware intrusions.", "references": ["https://help.zscaler.com/zia/nss-feed-output-format-web-logs"], "tags": {"analytic_story": ["Zscaler Browser Proxy Threats"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "url", "type": "URL String", "role": ["Attacker"]}], "message": "Potential Adware Activity blocked from dest -[$dest$] on $src$ for user-[$user$].", "risk_score": 8, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}]}, "type": "Anomaly", "search": "`zscaler_proxy` action=blocked threatname=*adware* | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_adware_activities_threat_blocked_filter`", "how_to_implement": "You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the \"zscalernss-web\" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment.", "known_false_positives": "False positives are limited to Zscaler configuration.", "datamodel": [], "source": "web", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "zscaler_proxy", "definition": "source=zscaler sourcetype=zscalernss-web", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "zscaler_adware_activities_threat_blocked_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Zscaler Behavior Analysis Threat Blocked", "author": "Rod Soto, Gowthamaraj Rajendran, Splunk", "date": "2023-10-31", "version": 1, "id": "289ad59f-8939-4331-b805-f2bd51d36fb8", "description": "The analytic is built to identify threats blocked by the Zscaler proxy based on behavior analysis. It filters web proxy logs for entries where actions are blocked and threat names and classes are specified. The search further refines the results to include only those with reasons related to \"block\". It then aggregates the count, providing a clear view of the threat landscape as handled by the behavior analysis proxy.", "references": ["https://help.zscaler.com/zia/nss-feed-output-format-web-logs"], "tags": {"analytic_story": ["Zscaler Browser Proxy Threats"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "url", "type": "URL String", "role": ["Attacker"]}], "message": "Potential Adware Behavior Analysis Threat from dest -[$dest$] on $src$ for user-[$user$].", "risk_score": 8, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}]}, "type": "Anomaly", "search": "`zscaler_proxy` action=blocked threatname!=\"None\" threatclass=\"Behavior Analysis\" | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user threatname url src dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_behavior_analysis_threat_blocked_filter`", "how_to_implement": "You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the \"zscalernss-web\" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment.", "known_false_positives": "False positives are limited to Zscalar configuration.", "datamodel": [], "source": "web", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "zscaler_proxy", "definition": "source=zscaler sourcetype=zscalernss-web", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "zscaler_behavior_analysis_threat_blocked_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Zscaler CryptoMiner Downloaded Threat Blocked", "author": "Gowthamaraj Rajendran, Rod Soto, Splunk", "date": "2023-10-30", "version": 1, "id": "ed76ce37-bab9-4ec0-bf3e-9c6a6cf43365", "description": "The analytic is crafted to detect potential download of cryptomining software within a network that is blocked by Zscaler. Utilizing Splunk search functionality, it sifts through web proxy logs for blocked actions associated with cryptominer threats. Key data points like the device owner, user, URL category, destination URL and IP, and action taken are analyzed to highlight possible cryptominer downloads. This detection, categorized as an anomaly, aids in early identification and mitigation of cryptomining activities, ensuring network integrity and resource availability.", "references": ["https://help.zscaler.com/zia/nss-feed-output-format-web-logs"], "tags": {"analytic_story": ["Zscaler Browser Proxy Threats"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "url", "type": "URL String", "role": ["Attacker"]}], "message": "Potential CryptoMiner Downloaded Threat from dest -[$dest$] on $src$ for user-[$user$].", "risk_score": 32, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}]}, "type": "Anomaly", "search": "`zscaler_proxy` action=blocked threatname=*miner* | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_cryptominer_downloaded_threat_blocked_filter`", "how_to_implement": "You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the \"zscalernss-web\" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment.", "known_false_positives": "False positives are limited to Zscaler configuration.", "datamodel": [], "source": "web", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "zscaler_proxy", "definition": "source=zscaler sourcetype=zscalernss-web", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "zscaler_cryptominer_downloaded_threat_blocked_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Zscaler Employment Search Web Activity", "author": "Gowthamaraj Rajendran, Rod Soto, Splunk", "date": "2023-11-14", "version": 1, "id": "5456bdef-d765-4565-8e1f-61ca027bc50e", "description": "The analytic is designed to identify destinations within a network deemed as potential Empolyment Searches. Utilizing Splunk's search functionality, it processes web proxy logs, focusing on entries marked as 'Job/Employment Search'. Key data points such as device owner, user, URL category, destination URL and IP, and action taken are analyzed to enumerate the employment risk destinations. This anomaly-type detection aids in monitoring and managing risks, promoting a secure environment from insider threats.", "references": ["https://help.zscaler.com/zia/nss-feed-output-format-web-logs"], "tags": {"analytic_story": ["Zscaler Browser Proxy Threats"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "url", "type": "URL String", "role": ["Attacker"]}], "message": "Potential Employment Search Web Activity from dest -[$dest$] on $src$ for user-[$user$].", "risk_score": 4, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}]}, "type": "Anomaly", "search": "`zscaler_proxy` urlsupercategory=\"Job/Employment Search\" | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_employment_search_web_activity_filter`", "how_to_implement": "You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the \"zscalernss-web\" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment.", "known_false_positives": "False positives are limited to Zscaler configuration.", "datamodel": [], "source": "web", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "zscaler_proxy", "definition": "source=zscaler sourcetype=zscalernss-web", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "zscaler_employment_search_web_activity_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Zscaler Exploit Threat Blocked", "author": "Rod Soto, Gowthamaraj Rajendran, Splunk", "date": "2023-10-31", "version": 1, "id": "94665d8c-b841-4ff4-acb4-34d613e2cbfe", "description": "The analytic is aimed at detecting potential exploit attempts that involve command and script interpreters blocked by Zscaler. By querying web proxy logs, it isolates incidents where actions have been either blocked with references to exploits. The search compiles statistics by user, threat name, URL, hostname, file class, and filename, giving a detailed view of any exploit-related activity. Marked as a tactic, technique, and procedure (TTP), this analytic is essential for identifying and mitigating exploit attempts.", "references": ["https://help.zscaler.com/zia/nss-feed-output-format-web-logs"], "tags": {"analytic_story": ["Zscaler Browser Proxy Threats"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "url", "type": "URL String", "role": ["Attacker"]}], "message": "Potential Exploit Threat from dest -[$dest$] on $src$ for user-[$user$].", "risk_score": 40, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}]}, "type": "TTP", "search": "`zscaler_proxy` action=blocked threatname=*exploit* | stats count min(_time) as firstTime max(_time) as lastTime by user threatname src hostname fileclass filename url dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_exploit_threat_blocked_filter`", "how_to_implement": "You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the \"zscalernss-web\" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment.", "known_false_positives": "False positives are limited to Zscaler configuration.", "datamodel": [], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "zscaler_proxy", "definition": "source=zscaler sourcetype=zscalernss-web", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "zscaler_exploit_threat_blocked_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Zscaler Legal Liability Threat Blocked", "author": "Rod Soto, Gowthamaraj Rajendran, Splunk", "date": "2023-10-31", "version": 1, "id": "bbf55ebf-c416-4f62-94d9-4064f2a28014", "description": "The analytic is aimed at identifying the most significant legal liability threats blocked by zcaler web proxy. It leverages web proxy logs to list the destinations, device owners, users, URL categories, and actions that are associated with Legal Liability, by utilizing stats on unique fields, it ensures a precise focus on unique legal liability threats, thereby providing valuable insights for organizations to enforce legal compliance and risk management.", "references": ["https://help.zscaler.com/zia/nss-feed-output-format-web-logs"], "tags": {"analytic_story": ["Zscaler Browser Proxy Threats"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "url", "type": "URL String", "role": ["Attacker"]}], "message": "Potential Legal Liability Threat from dest -[$dest$] on $src$ for user-[$user$].", "risk_score": 16, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}]}, "type": "Anomaly", "search": "`zscaler_proxy` urlclass=\"Legal Liability\" | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | dedup urlcategory | `zscaler_legal_liability_threat_blocked_filter`", "how_to_implement": "You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the \"zscalernss-web\" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment.", "known_false_positives": "False positives are limited to Zscaler configuration.", "datamodel": [], "source": "web", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "zscaler_proxy", "definition": "source=zscaler sourcetype=zscalernss-web", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "zscaler_legal_liability_threat_blocked_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Zscaler Malware Activity Threat Blocked", "author": "Rod Soto, Gowthamaraj Rajendran, Splunk", "date": "2023-10-25", "version": 1, "id": "ae874ad8-e353-40a7-87d4-420cdfb27d1a", "description": "The analytic targets the detection of potential malware activities within a network that are blocked by Zscaler. By filtering web proxy logs for blocked actions associated with malware, where a threat category is specified, the analytic aggregates occurrences by user, URL, and threat category. This approach ensures a focused identification of malware activities, making it an effective tool for ongoing network security monitoring and anomaly detection.", "references": ["https://help.zscaler.com/zia/nss-feed-output-format-web-logs"], "tags": {"analytic_story": ["Zscaler Browser Proxy Threats"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "url", "type": "URL String", "role": ["Attacker"]}], "message": "Potential Malware Activity from dest -[$dest$] on $src$ for user-[$user$].", "risk_score": 40, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}]}, "type": "Anomaly", "search": "`zscaler_proxy` action=blocked threatname=*malware* threatcategory!=None | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_malware_activity_threat_blocked_filter`", "how_to_implement": "You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the \"zscalernss-web\" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment.", "known_false_positives": "False positives are limited to Zscalar configuration.", "datamodel": [], "source": "web", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "zscaler_proxy", "definition": "source=zscaler sourcetype=zscalernss-web", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "zscaler_malware_activity_threat_blocked_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Zscaler Phishing Activity Threat Blocked", "author": "Gowthamaraj Rajendran, Rod Soto, Splunk", "date": "2023-10-30", "version": 1, "id": "68d3e2c1-e97f-4310-b080-dea180b48aa9", "description": "The analytic is devised to detect likely phishing attempts within a network blocked by Zscaler. By leveraging Splunk search functionality, it evaluates web proxy logs for blocked actions correlated with phishing threats, specifically those tagged as HTML.Phish. Critical data points such as the user, threat name, URL, and hostname are analyzed to accentuate possible phishing activities. This anomaly-type detection serves as an early warning system, facilitating prompt investigation and mitigation of phishing threats, thereby bolstering network security.", "references": ["https://help.zscaler.com/zia/nss-feed-output-format-web-logs"], "tags": {"analytic_story": ["Zscaler Browser Proxy Threats"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "url", "type": "URL String", "role": ["Attacker"]}], "message": "Potential Phishing Activity from dest -[$dest$] on $src$ for user-[$user$].", "risk_score": 16, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}]}, "type": "Anomaly", "search": "`zscaler_proxy` action=blocked threatname=\"HTML.Phish*\" | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user threatname url src dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_phishing_activity_threat_blocked_filter`", "how_to_implement": "You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the \"zscalernss-web\" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment.", "known_false_positives": "False positives are limited to Zscalar configuration.", "datamodel": [], "source": "web", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "zscaler_proxy", "definition": "source=zscaler sourcetype=zscalernss-web", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "zscaler_phishing_activity_threat_blocked_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Zscaler Potentially Abused File Download", "author": "Gowthamaraj Rajendran, Rod Soto, Splunk", "date": "2023-11-21", "version": 1, "id": "b0c21379-f4ba-4bac-a958-897e260f964a", "description": "The analytic is engineered to detect potential rarely abused malicious filetypes downloaded within a network. They are usually used to spread malwares. Utilizing Splunk search functionality, it examines web proxy logs for blocked actions related to potential threats. Essential data points like the deviceowner, user, urlcategory, url, dest, and filename taken are analyzed to highlight possible malicious endeavors. This detection, marked as an anomaly, aids in early identification and mitigation of malicious download activities, ensuring a safer network environment.", "references": ["https://help.zscaler.com/zia/nss-feed-output-format-web-logs"], "tags": {"analytic_story": ["Zscaler Browser Proxy Threats"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "url", "type": "URL String", "role": ["Attacker"]}], "message": "Potential Abused File Download from dest -[$dest$] on $src$ for user-[$user$].", "risk_score": 8, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}]}, "type": "Anomaly", "search": "`zscaler_proxy` url IN (\"*.scr\", \"*.dll\", \"*.bat\", \"*.lnk\") | stats count min(_time) as firstTime max(_time) as lastTime by deviceowner user urlcategory url src filename dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_potentially_abused_file_download_filter`", "how_to_implement": "You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the \"zscalernss-web\" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment.", "known_false_positives": "False positives are limited to Zscaler configuration.", "datamodel": [], "source": "web", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "zscaler_proxy", "definition": "source=zscaler sourcetype=zscalernss-web", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "zscaler_potentially_abused_file_download_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Zscaler Privacy Risk Destinations Threat Blocked", "author": "Gowthamaraj Rajendran, Rod Soto, Splunk", "date": "2023-10-30", "version": 1, "id": "5456bdef-d765-4565-8e1f-61ca027bc50d", "description": "The analytic is designed to identify blocked destinations within a network deemed as privacy risks by Zscaler. Utilizing Splunk search functionality, it processes web proxy logs, focusing on entries marked as Privacy Risk. Key data points such as device owner, user, URL category, destination URL and IP, and action taken are analyzed to enumerate the privacy risk destinations. This anomaly-type detection aids in monitoring and managing privacy risks, promoting a secure network environment.", "references": ["https://help.zscaler.com/zia/nss-feed-output-format-web-logs"], "tags": {"analytic_story": ["Zscaler Browser Proxy Threats"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "url", "type": "URL String", "role": ["Attacker"]}], "message": "Potential Privacy Risk Destinations from dest -[$dest$] on $src$ for user-[$user$].", "risk_score": 8, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}]}, "type": "Anomaly", "search": "`zscaler_proxy` action=blocked urlclass=\"Privacy Risk\" | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest | dedup urlcategory | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_privacy_risk_destinations_threat_blocked_filter`", "how_to_implement": "You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the \"zscalernss-web\" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment.", "known_false_positives": "False positives are limited to Zscaler configuration.", "datamodel": ["Risk"], "source": "web", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "zscaler_proxy", "definition": "source=zscaler sourcetype=zscalernss-web", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "zscaler_privacy_risk_destinations_threat_blocked_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Zscaler Scam Destinations Threat Blocked", "author": "Gowthamaraj Rajendran, Rod Soto, Splunk", "date": "2023-10-30", "version": 1, "id": "a0c21379-f4ba-4bac-a958-897e260f964a", "description": "The analytic is engineered to detect potential scam activities within a network by Zscaler. Utilizing Splunk search functionality, it examines web proxy logs for blocked actions related to scam threats. Essential data points like the device owner, user, URL category, destination URL and IP, and action taken are analyzed to highlight possible scam endeavors. This detection, marked as an anomaly, aids in early identification and mitigation of scam activities, ensuring a safer network environment.", "references": ["https://help.zscaler.com/zia/nss-feed-output-format-web-logs"], "tags": {"analytic_story": ["Zscaler Browser Proxy Threats"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "url", "type": "URL String", "role": ["Attacker"]}], "message": "Potential Scam Threat from dest -[$dest$] on $src$ for user-[$user$].", "risk_score": 8, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}]}, "type": "Anomaly", "search": "`zscaler_proxy` action=blocked threatname=*scam* | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_scam_destinations_threat_blocked_filter`", "how_to_implement": "You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the \"zscalernss-web\" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment.", "known_false_positives": "False positives are limited to Zscaler configuration.", "datamodel": [], "source": "web", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "zscaler_proxy", "definition": "source=zscaler sourcetype=zscalernss-web", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "zscaler_scam_destinations_threat_blocked_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Zscaler Virus Download threat blocked", "author": "Gowthamaraj Rajendran, Rod Soto, Splunk", "date": "2023-10-30", "version": 1, "id": "aa19e627-d448-4a31-85cd-82068dec5691", "description": "The analytic is formulated to detect blocked virus download activities within a network by Zscaler. Employing Splunk's search functionality, it reviews web proxy logs for blocked actions indicative of virus threats downloads. Key data points like the device owner, user, URL category, destination URL and IP, and action taken are analyzed to pinpoint possible virus downloads. As an anomaly-type detection, this analytic facilitates early detection and remediation of virus download attempts, contributing to enhanced network security.", "references": ["https://help.zscaler.com/zia/nss-feed-output-format-web-logs"], "tags": {"analytic_story": ["Zscaler Browser Proxy Threats"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "url", "type": "URL String", "role": ["Attacker"]}], "message": "Potential Virus Download Threat from dest -[$dest$] on $src$ for user-[$user$].", "risk_score": 40, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}]}, "type": "Anomaly", "search": "`zscaler_proxy` action=blocked threatname!=\"None\" threatclass=Virus | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_virus_download_threat_blocked_filter`", "how_to_implement": "You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the \"zscalernss-web\" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment.", "known_false_positives": "False positives are limited to Zscaler configuration.", "datamodel": [], "source": "web", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "zscaler_proxy", "definition": "source=zscaler sourcetype=zscalernss-web", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "zscaler_virus_download_threat_blocked_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}]} \ No newline at end of file diff --git a/dist/api/lookups.json b/dist/api/lookups.json deleted file mode 100644 index 5335752b14..0000000000 --- a/dist/api/lookups.json +++ /dev/null @@ -1 +0,0 @@ -{"lookups": [{"filename": "3cx_ioc_domains.csv", "default_match": "false", "match_type": "WILDCARD(domain)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "3cx_ioc_domains", "description": "A list of domains from the 3CX supply chain attack."}, {"filename": "__mlspl_detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.mlmodel", "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "__mlspl_detect_dns_data_exfiltration_using_pretrained_model_in_dsdl", "description": "Detect DNS Data Exfiltration using pretrained Model in DSDL"}, {"filename": "__mlspl_detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.mlmodel", "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "__mlspl_detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl", "description": "Detect suspicious DNS txt records using Pretrained Model in DSDL"}, {"filename": "__mlspl_detect_suspicious_processnames_using_pretrained_model_in_dsdl.mlmodel", "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "__mlspl_detect_suspicious_processnames_using_pretrained_model_in_dsdl", "description": "Detect a suspicious processname using Pretrained Model in DSDL"}, {"filename": "__mlspl_pretrained_dga_model_dsdl.mlmodel", "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "__mlspl_pretrained_dga_model_dsdl", "description": "Detect DGA domains using Pretrained Model in DSDL"}, {"filename": "__mlspl_risky_spl_pre_trained_model.mlmodel", "default_match": "false", "match_type": null, "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "__mlspl_risky_spl_pre_trained_model", "description": "Detect Risky SPL using Pretrained ML Model"}, {"filename": "__mlspl_unusual_commandline_detection.mlmodel", "default_match": "false", "match_type": null, "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "__mlspl_unusual_commandline_detection", "description": "An MLTK model for detecting malicious commandlines"}, {"filename": "advanced_audit_policy_guids.csv", "default_match": "false", "match_type": "WILDCARD(GUID)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "advanced_audit_policy_guids", "description": "List of GUIDs associated with Windows advanced audit policies"}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "api_call_by_user_baseline", "fields_list": "arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls", "name": "api_call_by_user_baseline", "description": "A collection that will contain the baseline information for number of AWS API calls per user"}, {"filename": "applockereventcodes.csv", "default_match": "false", "match_type": "WILDCARD(AppLocker_Event_Code)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "applockereventcodes", "description": "A csv of the ID and rule name for AppLocker event codes."}, {"filename": "asr_rules.csv", "default_match": "false", "match_type": "WILDCARD(ASR_Rule)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "asr_rules", "description": "A csv of the ID and rule name for ASR, Microsoft Attack Surface Reduction rules."}, {"filename": "attacker_tools.csv", "default_match": "false", "match_type": "WILDCARD(attacker_tool_names)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "attacker_tools", "description": "A list of tools used by attackers"}, {"filename": "aws_service_accounts.csv", "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "aws_service_accounts", "description": "A lookup file that will contain AWS Service accounts"}, {"filename": "baseline_blocked_outbound_connections.csv", "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "baseline_blocked_outbound_connections", "description": "A lookup file that will contain the baseline information for number of blocked outbound connections"}, {"filename": "brand_monitoring.csv", "default_match": "false", "match_type": "WILDCARD(domain)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "brandMonitoring_lookup", "description": "A file that contains look-a-like domains for brands that you want to monitor"}, {"filename": "browser_app_list.csv", "default_match": "false", "match_type": "WILDCARD(browser_process_name), WILDCARD(browser_object_path)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "browser_app_list", "description": "A list of known browser application being targeted for credential extraction."}, {"filename": "char_conversion_matrix.csv", "default_match": "false", "match_type": "WILDCARD(data)", "min_matches": 1, "case_sensitive_match": "true", "collection": null, "fields_list": null, "name": "char_conversion_matrix", "description": "A simple conversion matrix for converting to and from UTF8/16 base64/hex/decimal encoding. Created mosty from https://community.splunk.com/t5/Splunk-Search/base64-decoding-in-search/m-p/27572#M177741, with small modifications for UTF16LE parsing for powershell encoding."}, {"filename": null, "default_match": "false", "match_type": "WILDCARD(filter)", "min_matches": null, "case_sensitive_match": "false", "collection": "cloud_instances_enough_data", "fields_list": "_key, filter, enough_data", "name": "cloud_instances_enough_data", "description": "A lookup to determine if you have a sufficient amount of time has passed to collect cloud instance data for behavioral searches"}, {"filename": "discovered_dns_records.csv", "default_match": "false", "match_type": null, "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "discovered_dns_records", "description": "A placeholder for a list of discovered DNS records generated by the baseline discover_dns_records"}, {"filename": "domain_admins.csv", "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "domain_admins", "description": "List of domain admins"}, {"filename": "domains.csv", "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "domains", "description": "A list of domains that can be ignored"}, {"filename": "dynamic_dns_providers_default.csv", "default_match": "false", "match_type": "WILDCARD(dynamic_dns_domains)", "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "dynamic_dns_providers_default", "description": "A list of dynammic dns providers that should not be modified"}, {"filename": "dynamic_dns_providers_local.csv", "default_match": "false", "match_type": "WILDCARD(dynamic_dns_domains)", "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "dynamic_dns_providers_local", "description": "A list of dynammic dns providers that can be modified"}, {"filename": "hijacklibs.csv", "default_match": "false", "match_type": "WILDCARD(library)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "hijacklibs", "description": "A list of potentially abused libraries in Windows"}, {"filename": "hijacklibs_loaded.csv", "default_match": "false", "match_type": "WILDCARD(library),WILDCARD(excludes)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "hijacklibs_loaded", "description": "A list of potentially abused libraries in Windows"}, {"filename": "images_to_repository.csv", "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "images_to_repository", "description": "Mapping images to repositories"}, {"filename": "is_net_windows_file20231221.csv", "default_match": "false", "match_type": null, "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "is_net_windows_file", "description": "A full baseline of executable files in \\Windows\\, including sub-directories from Server 2016 and Windows 11. Certain .net binaries may not have been captured due to different Windows SDK's or developer utilities not installed during baseline."}, {"filename": "is_nirsoft_software20231221.csv", "default_match": "false", "match_type": null, "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "is_nirsoft_software", "description": "A subset of utilities provided by NirSoft that may be used by adversaries."}, {"filename": "is_suspicious_file_extension_lookup.csv", "default_match": "false", "match_type": "WILDCARD(file_name)", "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "is_suspicious_file_extension_lookup", "description": "A list of suspicious extensions for email attachments"}, {"filename": "is_windows_system_file20231221.csv", "default_match": "false", "match_type": null, "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "is_windows_system_file", "description": "A full baseline of executable files in Windows\\System32 and Windows\\Syswow64, including sub-directories from Server 2016 and Windows 10."}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "k8s_container_network_io_baseline", "fields_list": "key, avg_outbound_network_io, avg_inbound_network_io, stdev_outbound_network_io, stdev_inbound_network_io, count, last_seen", "name": "k8s_container_network_io_baseline", "description": "A place holder for a list of used Kuberntes Container Network IO"}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "k8s_container_network_io_ratio_baseline", "fields_list": "key, avg_outbound_network_io, avg_inbound_network_io, stdev_outbound_network_io, stdev_inbound_network_io, count, last_seen", "name": "k8s_container_network_io_ratio_baseline", "description": "A place holder for a list of used Kuberntes Container Network IO Ratio"}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "k8s_process_resource_baseline", "fields_list": "host.name, k8s.cluster.name, k8s.node.name, process.executable.name, avg_process.cpu.time, avg_process.cpu.utilization, avg_process.disk.io, avg_process.disk.operations, avg_process.memory.usage, avg_process.memory.utilization, avg_process.memory.virtual, avg_process.threads, stdev_process.cpu.time, stdev_process.cpu.utilization, stdev_process.disk.io, stdev_process.disk.operations, stdev_process.memory.usage, stdev_process.memory.utilization, stdev_process.memory.virtual, stdev_process.threads, key", "name": "k8s_process_resource_baseline", "description": "A place holder for a list of used Kuberntes Process Resource"}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "k8s_process_resource_ratio_baseline", "fields_list": "key, avg_cpu:mem, stdev_cpu:mem, avg_cpu:disk, stdev_cpu:disk, avg_mem:disk, stdev_mem:disk, avg_cpu:threads, stdev_cpu:threads, avg_disk:threads, avg_disk:threads, count, last_seen", "name": "k8s_process_resource_ratio_baseline", "description": "A place holder for a list of used Kuberntes Process Ratios"}, {"filename": "legit_domains.csv", "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "legit_domains", "description": "A list of legit domains to be used as an ignore list for possible phishing sites"}, {"filename": "linux_tool_discovery_process.csv", "default_match": "false", "match_type": "WILDCARD(process)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "linux_tool_discovery_process", "description": "A list of suspicious bash commonly used by attackers via scripts"}, {"filename": "local_file_inclusion_paths.csv", "default_match": "false", "match_type": "WILDCARD(local_file_inclusion_paths)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "local_file_inclusion_paths", "description": "A list of interesting files in a local file inclusion attack"}, {"filename": "lolbas_file_path.csv", "default_match": "false", "match_type": "WILDCARD(lolbas_file_name)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "lolbas_file_path", "description": "A list of LOLBAS and their file path used in determining if a script or binary is valid on windows"}, {"filename": "loldrivers.csv", "default_match": "false", "match_type": "WILDCARD(driver_name)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "loldrivers", "description": "A list of known vulnerable drivers"}, {"filename": "rare_process_allow_list_default.csv", "default_match": "false", "match_type": "WILDCARD(process)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "lookup_rare_process_allow_list_default", "description": "A list of rare processes that are legitimate that is provided by Splunk"}, {"filename": "rare_process_allow_list_local.csv", "default_match": "false", "match_type": "WILDCARD(process)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "lookup_rare_process_allow_list_local", "description": "A list of rare processes that are legitimate provided by the end user"}, {"filename": "uncommon_processes_default.csv", "default_match": "false", "match_type": "WILDCARD(process)", "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "lookup_uncommon_processes_default", "description": "A list of processes that are not common"}, {"filename": "uncommon_processes_local.csv", "default_match": "false", "match_type": "WILDCARD(process)", "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "lookup_uncommon_processes_local", "description": "A list of processes that are not common"}, {"filename": "mandatory_job_for_workflow.csv", "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "mandatory_job_for_workflow", "description": "A lookup file that will be used to define the mandatory job for workflow"}, {"filename": "mandatory_step_for_job.csv", "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "mandatory_step_for_job", "description": "A lookup file that will be used to define the mandatory step for job"}, {"filename": "network_acl_activity_baseline.csv", "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "network_acl_activity_baseline", "description": "A lookup file that will contain the baseline information for number of AWS Network ACL Activity"}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "previously_seen_api_calls_from_user_roles", "fields_list": "_key,earliest,latest,userName,eventName", "name": "previously_seen_api_calls_from_user_roles", "description": "A placeholder for a list of IPs that have access S3"}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "previously_seen_aws_cross_account_activity", "fields_list": "_key,firstTime,lastTime,requestingAccountId,requestedAccountId", "name": "previously_seen_aws_cross_account_activity", "description": "A placeholder for a list of AWS accounts and assumed roles"}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "previously_seen_aws_regions", "fields_list": "_key,earliest,latest,awsRegion", "name": "previously_seen_aws_regions", "description": "A place holder for a list of used AWS regions"}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "previously_seen_cloud_api_calls_per_user_role", "fields_list": "_key, user, command, firstTimeSeen, lastTimeSeen, enough_data", "name": "previously_seen_cloud_api_calls_per_user_role", "description": "A table of users, commands, and the first and last time that they have been seen"}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "previously_seen_cloud_compute_creations_by_user", "fields_list": "_key, firstTimeSeen, lastTimeSeen, user, enough_data", "name": "previously_seen_cloud_compute_creations_by_user", "description": "A table of previously seen users creating cloud instances"}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "previously_seen_cloud_compute_images", "fields_list": "_key, firstTimeSeen, lastTimeSeen, image_id, enough_data", "name": "previously_seen_cloud_compute_images", "description": "A table of previously seen Cloud image IDs"}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "previously_seen_cloud_compute_instance_types", "fields_list": "_key, firstTimeSeen, lastTimeSeen, instance_type, enough_data", "name": "previously_seen_cloud_compute_instance_types", "description": "A place holder for a list of used cloud compute instance types"}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "previously_seen_cloud_instance_modifications_by_user", "fields_list": "_key, firstTimeSeen, lastTimeSeen, user, enough_data", "name": "previously_seen_cloud_instance_modifications_by_user", "description": "A table of users seen making instance modifications, and the first and last time that the activity was observed"}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "previously_seen_cloud_provisioning_activity_sources", "fields_list": "_key, src, City, Country, Region, firstTimeSeen, lastTimeSeen, enough_data", "name": "previously_seen_cloud_provisioning_activity_sources", "description": "A table of source IPs, geographic locations, and the first and last time that they have that done cloud provisioning activities"}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "previously_seen_cloud_regions", "fields_list": "_key, firstTimeSeen, lastTimeSeen, vendor_region, enough_data", "name": "previously_seen_cloud_regions", "description": "A table of vendor_region values and the first and last time that they have been observed in cloud provisioning activities"}, {"filename": "previously_seen_cmd_line_arguments.csv", "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "previously_seen_cmd_line_arguments", "description": "A placeholder for a list of cmd line arugments that been seen before"}, {"filename": "previously_seen_ec2_modifications_by_user.csv", "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "previously_seen_ec2_modifications_by_user", "description": "A place holder for a list of AWS EC2 modifications done by each user"}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "previously_seen_gcp_storage_access_from_remote_ip", "fields_list": "_key, firstTime, lastTime, bucket_name, remote_ip, operation, request_uri", "name": "previously_seen_gcp_storage_access_from_remote_ip", "description": "A place holder for a list of GCP storage access from remote IPs"}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "previously_seen_running_windows_services", "fields_list": "_key, service, firstTimeSeen, lastTimeSeen", "name": "previously_seen_running_windows_services", "description": "A placeholder for the list of Windows Services running"}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "previously_seen_S3_access_from_remote_ip", "fields_list": "_key, bucket_name,remote_ip,earliest,latest", "name": "previously_seen_S3_access_from_remote_ip", "description": "A placeholder for a list of IPs that have access S3"}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "previously_seen_users_console_logins", "fields_list": "_key, firstTime, lastTime, user, src, City, Region, Country", "name": "previously_seen_users_console_logins", "description": "A table of users seen doing console logins, and the first and last time that the activity was observed"}, {"filename": "privileged_azure_ad_roles.csv", "default_match": "false", "match_type": "WILDCARD(azureadrole)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "privileged_azure_ad_roles", "description": "A list of privileged Azure Active Directory roles."}, {"filename": "prohibited_apps_launching_cmd20231221.csv", "default_match": "false", "match_type": "WILDCARD(prohibited_applications)", "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "prohibited_apps_launching_cmd", "description": "A list of processes that should not be launching cmd.exe"}, {"filename": "prohibited_processes.csv", "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "prohibited_processes", "description": "A list of processes that have been marked as prohibited"}, {"filename": "ransomware_extensions_20231219.csv", "default_match": "false", "match_type": "WILDCARD(Extensions)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "ransomware_extensions_lookup", "description": "A list of file extensions that are associated with ransomware"}, {"filename": "ransomware_notes_20231219.csv", "default_match": "false", "match_type": "WILDCARD(ransomware_notes)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "ransomware_notes_lookup", "description": "A list of file names that are ransomware note files"}, {"filename": "remote_access_software.csv", "default_match": "false", "match_type": "WILDCARD(remote_utility),WILDCARD(remote_domain),WILDCARD(remote_utility_fileinfo)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "remote_access_software", "description": "A list of Remote Access Software"}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "s3_deletion_baseline", "fields_list": "_key, arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls", "name": "s3_deletion_baseline", "description": "A placeholder for the baseline information for AWS S3 deletions"}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "security_group_activity_baseline", "fields_list": "_key, arn,latestCount,numDataPoints,avgApiCalls,stdevApiCalls", "name": "security_group_activity_baseline", "description": "A placeholder for the baseline information for AWS security groups"}, {"filename": "security_services.csv", "default_match": "false", "match_type": "WILDCARD(service)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "security_services_lookup", "description": "A list of services that deal with security"}, {"filename": "splunk_risky_command_20240122.csv", "default_match": "false", "match_type": "WILDCARD(splunk_risky_command)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "splunk_risky_command", "description": "A list of Risky Splunk Command that are candidates for abuse"}, {"filename": "suspicious_files.csv", "default_match": "false", "match_type": "WILDCARD(file)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "suspicious_writes_lookup", "description": "A list of suspicious file names"}, {"filename": "windows_protocol_handlers.csv", "default_match": "false", "match_type": "WILDCARD(handler)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "windows_protocol_handlers", "description": "A list of Windows Protocol Handlers"}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "zoom_first_time_child_process", "fields_list": "_key, dest, process_name, firstTimeSeen, lastTimeSeen", "name": "zoom_first_time_child_process", "description": "A list of suspicious file names"}]} \ No newline at end of file diff --git a/dist/api/macros.json b/dist/api/macros.json deleted file mode 100644 index db6e6bb235..0000000000 --- a/dist/api/macros.json +++ /dev/null @@ -1 +0,0 @@ -{"macros": [{"definition": "source=ActiveDirectory", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "admon"}, {"definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "amazon_security_lake"}, {"definition": "(source=\"WinEventLog:Microsoft-Windows-AppLocker/*\" OR source=\"XmlWinEventLog:Microsoft-Windows-AppLocker/*\")", "description": "This macro is designed to simplify the search for AppLocker events by providing a predefined search query. AppLocker, a feature in Windows, helps administrators control which executables, scripts, and libraries can run on their systems. By using this macro, analysts can quickly query AppLocker logs to monitor application control policies and investigate potential unauthorized software executions or policy violations. To modify this macro for a customer environment, you may need to adjust the source field to match the specific log source or index where AppLocker events are stored. Additionally, if the organization uses custom naming conventions or has AppLocker logs aggregated with other data, further refinement of the search query might be necessary to accurately filter for relevant events.", "name": "applocker"}, {"definition": "index=_audit sourcetype=audittrail action=search", "description": "Macro to enable easy searching of audittrail logs for searches", "name": "audit_searches"}, {"definition": "index=_audit sourcetype=audittrail", "description": "Macro to enable easy searching of audittrail logs", "name": "audittrail"}, {"definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "aws_cloudwatchlogs_eks"}, {"definition": "sourcetype=aws:config", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "aws_config"}, {"definition": "sourcetype=\"aws:description\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "aws_description"}, {"definition": "userName IN (user)", "description": "specify the user allowed to push Images to AWS ECR.", "name": "aws_ecr_users"}, {"definition": "actor.user.name IN (admin)", "description": "specify the user allowed to push Images to AWS ECR.", "name": "aws_ecr_users_asl"}, {"definition": "sourcetype=aws:s3:accesslogs", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "aws_s3_accesslogs"}, {"definition": "sourcetype=\"aws:securityhub:finding\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "aws_securityhub_finding"}, {"definition": "sourcetype=\"aws:securityhub:firehose\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "aws_securityhub_firehose"}, {"definition": "sourcetype=mscs:azure:audit", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "azure_audit"}, {"definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "azure_monitor_aad"}, {"definition": "sourcetype=mscs:azure:eventhub", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "azuread"}, {"definition": "eval b64x_split=split($b64in$,\"\") | lookup char_conversion_matrix base64char as b64x_split OUTPUT base64bin as b64x_bin | eval b64x_join=mvjoin(b64x_bin,\"\") | rex field=b64x_join \"(?.{8})\" max_match=0 | lookup char_conversion_matrix bin as b64x_by8 output ascii as b64x_out | eval $b64in$_decode=mvjoin(b64x_out,\"\") | fields - b64x_* | eval $b64in$_decode = replace(replace($b64in$_decode,\":NUL:\",\"\"),\":SPACE:\",\" \") | rex field=$b64in$_decode mode=sed \"s/\\x00//g\"", "description": "Content based conversion of UTF8/UTF16 based base64 encoding. Not a full implementation, but good enough for context without additional app installation.", "name": "base64decode"}, {"definition": "sourcetype = PwSh:bootloader", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "bootloader_inventory"}, {"definition": "lookup update=true brandMonitoring_lookup domain as query OUTPUT domain_abuse | search domain_abuse=true", "description": "This macro limits the output to only domains that are in the brand monitoring lookup file", "name": "brand_abuse_dns"}, {"definition": "lookup update=true brandMonitoring_lookup domain as src_user OUTPUT domain_abuse | search domain_abuse=true", "description": "This macro limits the output to only domains that are in the brand monitoring lookup file", "name": "brand_abuse_email"}, {"definition": "lookup update=true brandMonitoring_lookup domain as urls OUTPUT domain_abuse | search domain_abuse=true", "description": "This macro limits the output to only domains that are in the brand monitoring lookup file", "name": "brand_abuse_web"}, {"definition": "(source=XmlWinEventLog:Microsoft-Windows-CAPI2/Operational)", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "capi2_operational"}, {"definition": "(source=XmlWinEventLog:Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational OR source=XmlWinEventLog:Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational)", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "certificateservices_lifecycle"}, {"definition": "sourcetype=circleci", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "circleci"}, {"definition": "eventtype=cisco_ios", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "cisco_networks"}, {"definition": "\"-70m@m\"", "description": "Use this macro to determine how far back you should be checking for new commands from user roles", "name": "cloud_api_calls_from_previously_unseen_user_roles_activity_window"}, {"definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "cloudtrail"}, {"definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for AWS cloudwatch eks logs. Replace the macro definition with configurations for your Splunk Environmnent.", "name": "cloudwatch_eks"}, {"definition": "sourcetype=aws:cloudwatchlogs:vpcflow", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for AWS cloudwatch vpc logs. Replace the macro definition with configurations for your Splunk Environmnent.", "name": "cloudwatch_vpc"}, {"definition": "sourcetype=aws:cloudwatchlogs:vpcflow", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "cloudwatchlogs_vpcflow"}, {"definition": "sourcetype=\"crushftp:sessionlogs\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "crushftp"}, {"definition": "sourcetype=PwSh:DriverInventory", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "driverinventory"}, {"definition": "lookup update=true dynamic_dns_providers_default dynamic_dns_domains as query OUTPUTNEW isDynDNS_default | lookup update=true dynamic_dns_providers_local dynamic_dns_domains as query OUTPUTNEW isDynDNS_local| eval isDynDNS = coalesce(isDynDNS_local,isDynDNS_default) |fields - isDynDNS_default, isDynDNS_local| search isDynDNS=True", "description": "This macro limits the output of the query field to dynamic dns domains. It looks up the domains in a file provided by Splunk and one intended to be updated by the end user.", "name": "dynamic_dns_providers"}, {"definition": "lookup update=true dynamic_dns_providers_default dynamic_dns_domains as url OUTPUTNEW isDynDNS_default | lookup update=true dynamic_dns_providers_local dynamic_dns_domains as url OUTPUTNEW isDynDNS_local| eval isDynDNS = coalesce(isDynDNS_default, isDynDNS_local)|fields - isDynDNS_default, isDynDNS_local| search isDynDNS=True", "description": "This is a description", "name": "dynamic_dns_web_traffic"}, {"definition": "(eventName=AssociateAddress OR eventName=AssociateIamInstanceProfile OR eventName=AttachClassicLinkVpc OR eventName=AttachNetworkInterface OR eventName=AttachVolume OR eventName=BundleInstance OR eventName=DetachClassicLinkVpc OR eventName=DetachVolume OR eventName=ModifyInstanceAttribute OR eventName=ModifyInstancePlacement OR eventName=MonitorInstances OR eventName=RebootInstances OR eventName=ResetInstanceAttribute OR eventName=StartInstances OR eventName=StopInstances OR eventName=TerminateInstances OR eventName=UnmonitorInstances)", "description": "This is a list of AWS event names that have to do with modifying Amazon EC2 instances", "name": "ec2_modification_api_calls"}, {"definition": "(query=login* AND query=www*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as Office 365", "name": "evilginx_phishlets_0365"}, {"definition": "(query=fls-na* AND query = www* AND query=images*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as Amazon", "name": "evilginx_phishlets_amazon"}, {"definition": "(query=www* AND query=aws* AND query=console.aws* AND query=signin.aws* AND api-northeast-1.console.aws* AND query=fls-na* AND query=images-na*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as an AWS console", "name": "evilginx_phishlets_aws"}, {"definition": "(query=www* AND query = m* AND query=static*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as FaceBook", "name": "evilginx_phishlets_facebook"}, {"definition": "(query=api* AND query = github*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as GitHub", "name": "evilginx_phishlets_github"}, {"definition": "(query=accounts* AND query=ssl* AND query=www*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as Google", "name": "evilginx_phishlets_google"}, {"definition": "(query=outlook* AND query=login* AND query=account*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as Outlook", "name": "evilginx_phishlets_outlook"}, {"definition": "sourcetype=\"MSWindows:IIS\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "exchange"}, {"definition": "index=netops sourcetype=\"f5:bigip:rogue\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "f5_bigip_rogue"}, {"definition": "lookup update=true lookup_rare_process_allow_list_default process as process OUTPUTNEW allow_list | where allow_list=\"false\" | lookup update=true lookup_rare_process_allow_list_local process as process OUTPUT allow_list | where allow_list=\"false\"", "description": "This macro is intended to allow_list processes that have been definied as rare", "name": "filter_rare_process_allow_list"}, {"definition": "sourcetype=aws:firehose:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "github"}, {"definition": "user IN (user_names_here)", "description": "specify the user allowed to create PRs in Github projects.", "name": "github_known_users"}, {"definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Google GCP. Replace the macro definition with configurations for your Splunk Environmnent.", "name": "google_gcp_pubnet_message"}, {"definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "google_gcp_pubsub_message"}, {"definition": "sourcetype=gsuite:calendar:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "gsuite_calendar"}, {"definition": "sourcetype=gsuite:drive:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "gsuite_drive"}, {"definition": "sourcetype=gsuite:gmail:bigquery", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "gsuite_gmail"}, {"definition": "event.parameters{}.multiValue{} IN (\"backup_code\", \"google_authenticator\", \"google_prompt\", \"idv_any_phone\", \"idv_preregistered_phone\", \"internal_two_factor\", \"knowledge_employee_id\", \"knowledge_preregistered_email\", \"login_location\", \"knowledge_preregistered_phone\", \"offline_otp\", \"security_key\", \"security_key_otp\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "gws_login_mfa_methods"}, {"definition": "sourcetype=gws:reports:admin", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "gws_reports_admin"}, {"definition": "sourcetype=gws:reports:login", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "gws_reports_login"}, {"definition": "sourcetype=\"Pwsh:InstalledIISModules\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "iis_get_webglobalmodule"}, {"definition": "sourcetype=\"IIS:Configuration:Operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "iis_operational_logs"}, {"definition": "lookup update=true is_net_windows_file filename as process_name OUTPUT netFile | lookup update=true is_net_windows_file originalFileName as original_file_name OUTPUT netFile | search netFile=true", "description": "This macro limits the output to process names that are .net binaries on Windows Server 2016 and Windows 11.", "name": "is_net_windows_file_macro"}, {"definition": "lookup update=true is_nirsoft_software filename as process_name OUTPUT nirsoftFile | search nirsoftFile=true", "description": "This macro is related to potentially identifiable software related to NirSoft. Remove or filter as needed based.", "name": "is_nirsoft_software_macro"}, {"definition": "lookup update=true is_windows_system_file filename as process_name OUTPUT systemFile | search systemFile=true", "description": "This macro limits the output to process names that are in the Windows System directory", "name": "is_windows_system_file_macro"}, {"definition": "objectRef.name IN (*splunk*, *falco*)", "description": "Define your images which are allowed to connect to your kubernetes cluster.", "name": "kube_allowed_images"}, {"definition": "Country=\"United States\"", "description": "Define your locations which are allowed to connect to your kubernetes cluster.", "name": "kube_allowed_locations"}, {"definition": "userAgent=Helm/3.13.2", "description": "Define your user agents which are allowed to connect to your kubernetes cluster.", "name": "kube_allowed_user_agents"}, {"definition": "user.groups{} IN (admin)", "description": "Define your user groups which are allowed to connect to your kubernetes cluster.", "name": "kube_allowed_user_groups"}, {"definition": "user.username=admin", "description": "Define your user names which are allowed to connect to your kubernetes cluster.", "name": "kube_allowed_user_names"}, {"definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent.", "name": "kube_audit"}, {"definition": "sourcetype=\"kube:container:falco\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent.", "name": "kube_container_falco"}, {"definition": "sourcetype=kube:objects:events", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "kube_objects_events"}, {"definition": "sourcetype=mscs:storage:blob:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent.", "name": "kubernetes_azure"}, {"definition": "sourcetype=kube:container:controller", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data. Replace the macro definition with configurations for your Splunk Environmnent.", "name": "kubernetes_container_controller"}, {"definition": "index=kubernetes_metrics", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "kubernetes_metrics"}, {"definition": "index=*", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "linux_hosts"}, {"definition": "(Processes.process_name IN (\"sh\", \"ksh\", \"zsh\", \"bash\", \"dash\", \"rbash\", \"fish\", \"csh\", \"tcsh\", \"ion\", \"eshell\"))", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "linux_shells"}, {"definition": "source=\"WinEventLog:Microsoft-Windows-Windows Defender/Operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "ms_defender"}, {"definition": "sourcetype=MSExchange:management", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "msexchange_management"}, {"definition": "sourcetype=\"netbackup_logs\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "netbackup"}, {"definition": "(eventName = CreateNetworkAcl OR eventName = CreateNetworkAclEntry OR eventName = DeleteNetworkAcl OR eventName = DeleteNetworkAclEntry OR eventName = ReplaceNetworkAclEntry OR eventName = ReplaceNetworkAclAssociation)", "description": "This is a list of AWS event names that are associated with Network ACLs", "name": "network_acl_events"}, {"definition": "(sourcetype=\"nginx:plus:kv\" OR sourcetype=\"nginx:plus:access\")", "description": "This is the base macro for Nginx sourcetypes", "name": "nginx_access_logs"}, {"definition": "sourcetype=o365:graph:api", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "o365_graph"}, {"definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "o365_management_activity"}, {"definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "okta"}, {"definition": "sourcetype=osquery:results", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "osquery"}, {"definition": "eventtype=\"osquery-process\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "osquery_process"}, {"definition": "sourcetype=\"papercutng\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "papercutng"}, {"definition": "index=_internal sourcetype=splunkd_ui_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "path_traversal_spl_injection"}, {"definition": "source=PINGID", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "pingid"}, {"definition": "search *", "description": "Add customer specific known false positives to the map command used in detection - Potential password in username", "name": "potential_password_in_username_false_positive_reduction"}, {"definition": "eval orig_process=process, process=replace(lower(process), \"`\", \"\") | makemv tokenizer=\"([\\w\\d\\-]+)\" process | eval unusual_cmdline_feature_for=if(match(process, \"^for$\"), mvcount(mvfilter(match(process, \"^for$\"))), 0), unusual_cmdline_feature_netsh=if(match(process, \"^netsh$\"), mvcount(mvfilter(match(process, \"^netsh$\"))), 0), unusual_cmdline_feature_readbytes=if(match(process, \"^readbytes$\"), mvcount(mvfilter(match(process, \"^readbytes$\"))), 0), unusual_cmdline_feature_set=if(match(process, \"^set$\"), mvcount(mvfilter(match(process, \"^set$\"))), 0), unusual_cmdline_feature_unrestricted=if(match(process, \"^unrestricted$\"), mvcount(mvfilter(match(process, \"^unrestricted$\"))), 0), unusual_cmdline_feature_winstations=if(match(process, \"^winstations$\"), mvcount(mvfilter(match(process, \"^winstations$\"))), 0), unusual_cmdline_feature_-value=if(match(process, \"^-value$\"), mvcount(mvfilter(match(process, \"^-value$\"))), 0), unusual_cmdline_feature_compression=if(match(process, \"^compression$\"), mvcount(mvfilter(match(process, \"^compression$\"))), 0), unusual_cmdline_feature_server=if(match(process, \"^server$\"), mvcount(mvfilter(match(process, \"^server$\"))), 0), unusual_cmdline_feature_set-mppreference=if(match(process, \"^set-mppreference$\"), mvcount(mvfilter(match(process, \"^set-mppreference$\"))), 0), unusual_cmdline_feature_terminal=if(match(process, \"^terminal$\"), mvcount(mvfilter(match(process, \"^terminal$\"))), 0), unusual_cmdline_feature_-name=if(match(process, \"^-name$\"), mvcount(mvfilter(match(process, \"^-name$\"))), 0), unusual_cmdline_feature_catch=if(match(process, \"^catch$\"), mvcount(mvfilter(match(process, \"^catch$\"))), 0), unusual_cmdline_feature_get-wmiobject=if(match(process, \"^get-wmiobject$\"), mvcount(mvfilter(match(process, \"^get-wmiobject$\"))), 0), unusual_cmdline_feature_hklm=if(match(process, \"^hklm$\"), mvcount(mvfilter(match(process, \"^hklm$\"))), 0), unusual_cmdline_feature_streamreader=if(match(process, \"^streamreader$\"), mvcount(mvfilter(match(process, \"^streamreader$\"))), 0), unusual_cmdline_feature_system32=if(match(process, \"^system32$\"), mvcount(mvfilter(match(process, \"^system32$\"))), 0), unusual_cmdline_feature_username=if(match(process, \"^username$\"), mvcount(mvfilter(match(process, \"^username$\"))), 0), unusual_cmdline_feature_webrequest=if(match(process, \"^webrequest$\"), mvcount(mvfilter(match(process, \"^webrequest$\"))), 0), unusual_cmdline_feature_count=if(match(process, \"^count$\"), mvcount(mvfilter(match(process, \"^count$\"))), 0), unusual_cmdline_feature_webclient=if(match(process, \"^webclient$\"), mvcount(mvfilter(match(process, \"^webclient$\"))), 0), unusual_cmdline_feature_writeallbytes=if(match(process, \"^writeallbytes$\"), mvcount(mvfilter(match(process, \"^writeallbytes$\"))), 0), unusual_cmdline_feature_convert=if(match(process, \"^convert$\"), mvcount(mvfilter(match(process, \"^convert$\"))), 0), unusual_cmdline_feature_create=if(match(process, \"^create$\"), mvcount(mvfilter(match(process, \"^create$\"))), 0), unusual_cmdline_feature_function=if(match(process, \"^function$\"), mvcount(mvfilter(match(process, \"^function$\"))), 0), unusual_cmdline_feature_net=if(match(process, \"^net$\"), mvcount(mvfilter(match(process, \"^net$\"))), 0), unusual_cmdline_feature_com=if(match(process, \"^com$\"), mvcount(mvfilter(match(process, \"^com$\"))), 0), unusual_cmdline_feature_http=if(match(process, \"^http$\"), mvcount(mvfilter(match(process, \"^http$\"))), 0), unusual_cmdline_feature_io=if(match(process, \"^io$\"), mvcount(mvfilter(match(process, \"^io$\"))), 0), unusual_cmdline_feature_system=if(match(process, \"^system$\"), mvcount(mvfilter(match(process, \"^system$\"))), 0), unusual_cmdline_feature_new-object=if(match(process, \"^new-object$\"), mvcount(mvfilter(match(process, \"^new-object$\"))), 0), unusual_cmdline_feature_if=if(match(process, \"^if$\"), mvcount(mvfilter(match(process, \"^if$\"))), 0), unusual_cmdline_feature_threading=if(match(process, \"^threading$\"), mvcount(mvfilter(match(process, \"^threading$\"))), 0), unusual_cmdline_feature_mutex=if(match(process, \"^mutex$\"), mvcount(mvfilter(match(process, \"^mutex$\"))), 0), unusual_cmdline_feature_cryptography=if(match(process, \"^cryptography$\"), mvcount(mvfilter(match(process, \"^cryptography$\"))), 0), unusual_cmdline_feature_computehash=if(match(process, \"^computehash$\"), mvcount(mvfilter(match(process, \"^computehash$\"))), 0)", "description": "Performs the tokenization and application of the malicious commandline classifier", "name": "potentially_malicious_code_on_cmdline_tokenize_score"}, {"definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "powershell"}, {"definition": "\"-90d@d\"", "description": "Use this macro to determine how long to keep track of cloud api calls per user role", "name": "previously_seen_cloud_api_calls_per_user_role_forget_window"}, {"definition": "\"-70m@m\"", "description": "Use this macro to determine how far into the past the window should be to determine if the user is new or not", "name": "previously_seen_cloud_compute_creations_by_user_search_window_begin_offset"}, {"definition": "\"-70m@m\"", "description": "Use this macro to determine how far into the past the window should be to determine if the image is new or not", "name": "previously_seen_cloud_compute_image_search_window_begin_offset"}, {"definition": "\"-90d@d\"", "description": "Use this macro to determine how long to keep track of cloud instance images", "name": "previously_seen_cloud_compute_images_forget_window"}, {"definition": "\"-90d@d\"", "description": "Use this macro to determine how long to keep track of cloud instance types", "name": "previously_seen_cloud_compute_instance_type_forget_window"}, {"definition": "\"-70m@m\"", "description": "Use this macro to determine how far into the past the window should be to determine if the instance type is new or not", "name": "previously_seen_cloud_compute_instance_types_search_window_begin_offset"}, {"definition": "\"-70m@m\"", "description": "Use this macro to determine how far into the past the window should be to determine if the user is new or not", "name": "previously_seen_cloud_instance_modifications_by_user_search_window_begin_offset"}, {"definition": "\"-90d@d\"", "description": "Use this macro to determine how long to keep track of cloud provisioning locations", "name": "previously_seen_cloud_provisioning_activity_forget_window"}, {"definition": "\"-90d@d\"", "description": "Use this macro to determine how long to keep track of cloud regions", "name": "previously_seen_cloud_region_forget_window"}, {"definition": "\"-70m@m\"", "description": "Use this macro to determine how far into the past the window should be to determine if the region is new or not", "name": "previously_seen_cloud_regions_search_window_begin_offset"}, {"definition": "\"-90d@d\"", "description": "Use this macro to determine how long to keep track of Windows services", "name": "previously_seen_windows_services_forget_window"}, {"definition": "\"-70m@m\"", "description": "Use this macro to determine how far back you should be checking for new Windows services", "name": "previously_seen_windows_services_window"}, {"definition": "\"-90d@d\"", "description": "Use this macro to determine how long to keep track of zoom child processes", "name": "previously_seen_zoom_child_processes_forget_window"}, {"definition": "\"-70m@m\"", "description": "Use this macro to determine how far back you should be checking for new zoom child processes", "name": "previously_seen_zoom_child_processes_window"}, {"definition": "\"-70m@m\"", "description": "Use this macro to determine how far back you should be checking for new provisioning activities", "name": "previously_unseen_cloud_provisioning_activity_window"}, {"definition": "source=\"wineventlog:microsoft-windows-printservice/operational\" OR source=\"WinEventLog:Microsoft-Windows-PrintService/Admin\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "printservice"}, {"definition": "(Processes.process_name=bitsadmin.exe OR Processes.original_file_name=bitsadmin.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_bitsadmin"}, {"definition": "(Processes.process_name=certutil.exe OR Processes.original_file_name=CertUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_certutil"}, {"definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_cmd"}, {"definition": "(Processes.process_name=copy.exe OR Processes.original_file_name=copy.exe OR Processes.process_name=xcopy.exe OR Processes.original_file_name=xcopy.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_copy"}, {"definition": "(Processes.process_name=csc.exe OR Processes.original_file_name=csc.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_csc"}, {"definition": "(Processes.process_name=curl.exe OR Processes.original_file_name=Curl.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_curl"}, {"definition": "(Processes.process_name=diskshadow.exe OR Processes.original_file_name=diskshadow.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_diskshadow"}, {"definition": "(Processes.process_name=dllhost.exe OR Processes.original_file_name=dllhost.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_dllhost"}, {"definition": "(Processes.process_name=dsquery.exe OR Processes.original_file_name=dsquery.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_dsquery"}, {"definition": "(Processes.process_name=dxdiag.exe OR Processes.original_file_name=dxdiag.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_dxdiag"}, {"definition": "(Processes.process_name=esentutl.exe OR Processes.original_file_name=esentutl.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_esentutl"}, {"definition": "(Processes.process_name=fodhelper.exe OR Processes.original_file_name=FodHelper.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_fodhelper"}, {"definition": "(Processes.process_name=gpupdate.exe OR Processes.original_file_name=GPUpdate.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_gpupdate"}, {"definition": "(Processes.process_name=hh.exe OR Processes.original_file_name=HH.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_hh"}, {"definition": "(Processes.process_name=installutil.exe OR Processes.original_file_name=InstallUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_installutil"}, {"definition": "(Processes.process_name=microsoft.workflow.compiler.exe OR Processes.original_file_name=Microsoft.Workflow.Compiler.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_microsoftworkflowcompiler"}, {"definition": "(Processes.process_name=msbuild.exe OR Processes.original_file_name=MSBuild.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_msbuild"}, {"definition": "(Processes.process_name=mshta.exe OR Processes.original_file_name=MSHTA.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_mshta"}, {"definition": "(Processes.process_name=msiexec.exe OR Processes.original_file_name=msiexec.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_msiexec"}, {"definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_net"}, {"definition": "(Processes.process_name=netsh.exe OR Processes.original_file_name=netsh.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_netsh"}, {"definition": "(Processes.process_name=nltest.exe OR Processes.original_file_name=nltestrk.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_nltest"}, {"definition": "(Processes.process_name=ntdsutil.exe OR Processes.original_file_name=ntdsutil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_ntdsutil"}, {"definition": "(Processes.process_name=ping.exe OR Processes.original_file_name=ping.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_ping"}, {"definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_powershell"}, {"definition": "(Processes.process_name=procdump.exe OR Processes.process_name=procdump64.exe OR Processes.original_file_name=procdump)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_procdump"}, {"definition": "(Processes.process_name=psexec.exe OR Processes.process_name=psexec64.exe OR Processes.original_file_name=psexec.c)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_psexec"}, {"definition": "(Processes.original_file_name=rclone.exe OR Processes.process_name=rclone.exe)", "description": "Matches the process with its original file name.", "name": "process_rclone"}, {"definition": "(Processes.process_name=reg.exe OR Processes.original_file_name=reg.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_reg"}, {"definition": "(Processes.process_name=regasm.exe OR Processes.original_file_name=RegAsm.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_regasm"}, {"definition": "(Processes.process_name=regsvcs.exe OR Processes.original_file_name=RegSvcs.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_regsvcs"}, {"definition": "(Processes.process_name=regsvr32.exe OR Processes.original_file_name=REGSVR32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_regsvr32"}, {"definition": "(Processes.process_name=route.exe OR Processes.original_file_name=route.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_route"}, {"definition": "(Processes.process_name=runas.exe OR Processes.original_file_name=runas.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_runas"}, {"definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_rundll32"}, {"definition": "(Processes.process_name=schtasks.exe OR Processes.original_file_name=schtasks.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_schtasks"}, {"definition": "(Processes.process_name=sdelete.exe OR Processes.original_file_name=sdelete.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_sdelete"}, {"definition": "(Processes.process_name=setspn.exe OR Processes.original_file_name=setspn.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_setspn"}, {"definition": "(Processes.process_name=verclsid.exe OR Processes.original_file_name=verclsid.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_verclsid"}, {"definition": "(Processes.process_name=vssadmin.exe OR Processes.original_file_name=VSSADMIN.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_vssadmin"}, {"definition": "(Processes.process_name=wbadmin.exe OR Processes.original_file_name=WBADMIN.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_wbadmin"}, {"definition": "(Processes.process_name=wermgr.exe OR Processes.original_file_name=wermgr.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_wermgr"}, {"definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_wmic"}, {"definition": "| inputlookup prohibited_apps_launching_cmd | rename prohibited_applications as parent_process_name | eval parent_process_name=\"*\" . parent_process_name | table parent_process_name", "description": "This macro outputs a list of process that should not be the parent process of cmd.exe", "name": "prohibited_apps_launching_cmd_macro"}, {"definition": "lookup prohibited_softwares app as process_name OUTPUT is_prohibited | search is_prohibited=True", "description": "This macro limits the output to process_names that have been marked as prohibited", "name": "prohibited_softwares"}, {"definition": "lookup update=true ransomware_extensions_lookup Extensions AS file_extension OUTPUT Name | search Name !=False", "description": "This macro limits the output to files that have extensions associated with ransomware", "name": "ransomware_extensions"}, {"definition": "lookup ransomware_notes_lookup ransomware_notes as file_name OUTPUT status as \"Known Ransomware Notes\" | search \"Known Ransomware Notes\"=True", "description": "This macro limits the output to files that have been identified as a ransomware note", "name": "ransomware_notes"}, {"definition": "source=\"WinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "remoteconnectionmanager"}, {"definition": "eval domain=trim(domain,\"*\") | search NOT[| inputlookup domains] NOT[ |inputlookup cim_corporate_email_domain_lookup] NOT[inputlookup cim_corporate_web_domain_lookup] | eval domain=\"*\"+domain+\"*\"", "description": "This macro removes valid domains from the output", "name": "remove_valid_domains"}, {"definition": "index=risk", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "risk_index"}, {"definition": "sourcetype=aws:s3:accesslogs", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for AWS cloudwatch vpc logs. Replace the macro definition with configurations for your Splunk Environmnent.", "name": "s3_accesslogs"}, {"definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "name": "security_content_ctime"}, {"definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only", "name": "security_content_summariesonly"}, {"definition": "(eventName=AuthorizeSecurityGroupIngress OR eventName=CreateSecurityGroup OR eventName=DeleteSecurityGroup OR eventName=DescribeClusterSecurityGroups OR eventName=DescribeDBSecurityGroups OR eventName=DescribeSecurityGroupReferences OR eventName=DescribeSecurityGroups OR eventName=DescribeStaleSecurityGroups OR eventName=RevokeSecurityGroupIngress OR eventName=UpdateSecurityGroupRuleDescriptionsIngress)", "description": "This macro is a list of AWS event names associated with security groups", "name": "security_group_api_calls"}, {"definition": "(index=_internal AND sourcetype=splunkd_crash_log)", "description": "Searches through the Splunk Crash Log for low-level errors and crashes", "name": "splunk_crash_log"}, {"definition": "index=_internal sourcetype=splunk_python", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "splunk_python"}, {"definition": "index=_internal sourcetype=splunkd", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "splunkd"}, {"definition": "index=_audit \"action=login attempt\" \"info=failed\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "splunkd_failed_auths"}, {"definition": "index=_internal sourcetype=investigation_rest_handler", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "splunkd_investigation_rest_handler"}, {"definition": "index=_internal sourcetype=splunkd_ui_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "splunkd_ui"}, {"definition": "index=_internal sourcetype=splunk_web_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "splunkd_web"}, {"definition": "index=_internal sourcetype=splunk_web_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "splunkd_webx"}, {"definition": "index=_internal sourcetype=splunkd_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "splunkda"}, {"definition": "sourcetype=stream:dns", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "stream_dns"}, {"definition": "sourcetype=stream:http", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "stream_http"}, {"definition": "sourcetype=stream:tcp", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "stream_tcp"}, {"definition": "sourcetype=\"PwSh:SubjectInterfacePackage\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "subjectinterfacepackage"}, {"definition": "sourcetype=suricata", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "suricata"}, {"definition": "lookup update=true is_suspicious_file_extension_lookup file_name OUTPUT suspicious | search suspicious=true", "description": "This macro limits the output to email attachments that have suspicious extensions", "name": "suspicious_email_attachments"}, {"definition": "lookup suspicious_writes_lookup file as file_name OUTPUT note as \"Reference\" | search \"Reference\" != False", "description": "This macro limites the output to file names that have been marked as suspicious", "name": "suspicious_writes"}, {"definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "sysmon"}, {"definition": "(process_name= \"arp.exe\" OR process_name= \"at.exe\" OR process_name= \"attrib.exe\" OR process_name= \"cscript.exe\" OR process_name= \"dsquery.exe\" OR process_name= \"hostname.exe\" OR process_name= \"ipconfig.exe\" OR process_name= \"mimikatz.exe\" OR process_name= \"nbstat.exe\" OR process_name= \"net.exe\" OR process_name= \"netsh.exe\" OR process_name= \"nslookup.exe\" OR process_name= \"ping.exe\" OR process_name= \"quser.exe\" OR process_name= \"qwinsta.exe\" OR process_name= \"reg.exe\" OR process_name= \"runas.exe\" OR process_name= \"sc.exe\" OR process_name= \"schtasks.exe\" OR process_name= \"ssh.exe\" OR process_name= \"systeminfo.exe\" OR process_name= \"taskkill.exe\" OR process_name= \"telnet.exe\" OR process_name= \"tracert.exe\" OR process_name=\"wscript.exe\" OR process_name= \"xcopy.exe\")", "description": "This macro is a list of process that can be used to discover the network configuration", "name": "system_network_configuration_discovery_tools"}, {"definition": "BitlockerWizardElev.exe,cliconfg.exe,clipup.exe,cmstp.exe,CompMgmtLauncher.exe,consent.exe,control.exe,credwiz.exe,dccw.exe,dismhost.exe,EventVwr.exe,fodhelper.exe,GWXUXWorker.exe,inetmgr.exe,iscsicli.exe,mcx2prov.exe,migwiz.exe,mmc.exe,msconfig.exe,oobe.exe,osk.exe,pkgmgr.exe,recdisc.exe,rstrui.exe,sdclt.exe,setupsqm.exe,slui.exe,sysprep.exe,SystemPropertiesAdvanced.exe,taskhost.exe,TpmInit.exe,tzsync.exe,w32tm.exe,WerFault.exe,WSReset.exe,wusa.exe", "description": "A listing of processes known to be abused for User Account Control bypass exploitation.", "name": "uacbypass_process_name"}, {"definition": "lookup update=true lookup_uncommon_processes_default process_name as process_name outputnew uncommon_default,category_default,analytic_story_default,kill_chain_phase_default,mitre_attack_default | lookup update=true lookup_uncommon_processes_local process_name as process_name outputnew uncommon_local,category_local,analytic_story_local,kill_chain_phase_local,mitre_attack_local | eval uncommon = coalesce(uncommon_default, uncommon_local), analytic_story = coalesce(analytic_story_default, analytic_story_local), category=coalesce(category_default, category_local), kill_chain_phase=coalesce(kill_chain_phase_default, kill_chain_phase_local), mitre_attack=coalesce(mitre_attack_default, mitre_attack_local) | fields - analytic_story_default, analytic_story_local, category_default, category_local, kill_chain_phase_default, kill_chain_phase_local, mitre_attack_default, mitre_attack_local, uncommon_default, uncommon_local | search uncommon=true", "description": "This macro limits the output to processes that have been marked as uncommon", "name": "uncommon_processes"}, {"definition": "(Processes.process_name=cmd.exe OR Processes.process_name=powershell.exe OR Processes.process_name=pwsh.exe OR Processes.process_name=sh.exe OR Processes.process_name=bash.exe OR Processes.process_name=wscript.exe OR Processes.process_name=cscript.exe)", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "windows_shells"}, {"definition": "eventtype=wineventlog_application OR source=\"XmlWinEventLog:Application\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "wineventlog_application"}, {"definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "wineventlog_security"}, {"definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "wineventlog_system"}, {"definition": "source=\"XmlWinEventLog:Security\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "wineventlog_task_scheduler"}, {"definition": "sourcetype=\"wineventlog:microsoft-windows-wmi-activity/operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "wmi"}, {"definition": "index=zeek sourcetype=\"zeek:rpc:json\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "zeek_rpc"}, {"definition": "index=zeek sourcetype=\"zeek:ssl:json\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "zeek_ssl"}, {"definition": "sourcetype=\"zeek:x509:json\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "zeek_x509"}, {"definition": "source=zscaler sourcetype=zscalernss-web", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "zscaler_proxy"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "crushftp_server_side_template_injection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_new_login_attempts_to_routers_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_risky_spl_using_pretrained_ml_model_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "email_attachments_with_lots_of_spaces_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "email_files_written_outside_of_the_outlook_directory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "email_servers_sending_high_volume_traffic_to_hosts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "monitor_email_for_brand_abuse_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "no_windows_updates_in_a_time_frame_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_authentication_failed_during_mfa_challenge_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_idp_lifecycle_modifications_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_mfa_exhaustion_hunt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_mismatch_between_source_and_response_for_verify_push_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_multi_factor_authentication_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_multiple_accounts_locked_out_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_multiple_failed_mfa_requests_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_multiple_failed_requests_to_access_applications_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_multiple_users_failing_to_authenticate_from_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_new_api_token_created_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_new_device_enrolled_on_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_phishing_detection_with_fastpass_origin_check_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_risk_threshold_exceeded_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_successful_single_factor_authentication_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_suspicious_activity_reported_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_suspicious_use_of_a_session_cookie_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_threatinsight_threat_detected_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_unauthorized_access_to_application_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_user_logins_from_multiple_cities_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "path_traversal_spl_injection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "persistent_xss_in_rapiddiag_through_user_interface_views_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "pingid_mismatch_auth_source_and_verification_response_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "pingid_multiple_failed_mfa_requests_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "pingid_new_mfa_method_after_credential_reset_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "pingid_new_mfa_method_registered_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_absolute_path_traversal_using_runshellscript_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_account_discovery_drilldown_dashboard_disclosure_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_app_for_lookup_file_editing_rce_via_user_xslt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_authentication_token_exposure_in_debug_log_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_code_injection_via_custom_dashboard_leading_to_rce_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_command_and_scripting_interpreter_delete_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_command_and_scripting_interpreter_risky_commands_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_command_and_scripting_interpreter_risky_spl_mltk_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_csrf_in_the_ssg_kvstore_client_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_data_exfiltration_from_analytics_workspace_using_sid_query_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_digital_certificates_infrastructure_version_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_digital_certificates_lack_of_encryption_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_dos_using_malformed_saml_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_dos_via_dump_spl_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_dos_via_malformed_s2s_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_dos_via_printf_search_function_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_edit_user_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_endpoint_denial_of_service_dos_zip_bomb_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_enterprise_kv_store_incorrect_authorization_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_enterprise_windows_deserialization_file_partition_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_es_dos_investigations_manager_via_investigation_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_es_dos_through_investigation_attachments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_http_response_splitting_via_rest_spl_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_improperly_formatted_parameter_crashes_splunkd_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_information_disclosure_in_splunk_add_on_builder_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_list_all_nonstandard_admin_accounts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_low_privilege_user_can_view_hashed_splunk_password_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_path_traversal_in_splunk_app_for_lookup_file_edit_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_persistent_xss_via_url_validation_bypass_w_dashboard_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_process_injection_forwarder_bundle_downloads_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_protocol_impersonation_weak_encryption_configuration_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_protocol_impersonation_weak_encryption_selfsigned_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_protocol_impersonation_weak_encryption_simplerequest_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_rbac_bypass_on_indexing_preview_rest_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_rce_via_serialized_session_payload_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_rce_via_splunk_secure_gateway__splunk_mobile_alerts_feature_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_rce_via_user_xslt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_reflected_xss_in_the_templates_lists_radio_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_reflected_xss_on_app_search_table_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_risky_command_abuse_disclosed_february_2023_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_stored_xss_via_data_model_objectname_field_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_unauthenticated_log_injection_web_service_log_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_unnecessary_file_extensions_allowed_by_lookup_table_uploads_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_user_enumeration_attempt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_xss_in_highlighted_json_events_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_xss_in_monitoring_console_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_xss_in_save_table_dialog_header_in_search_page_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_xss_via_view_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_email_attachment_extensions_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_java_classes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "web_servers_executing_suspicious_processes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "abnormally_high_number_of_cloud_infrastructure_api_calls_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "abnormally_high_number_of_cloud_instances_destroyed_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "abnormally_high_number_of_cloud_instances_launched_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "abnormally_high_number_of_cloud_security_group_api_calls_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "amazon_eks_kubernetes_cluster_scan_detection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "amazon_eks_kubernetes_pod_scan_detection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_concurrent_sessions_from_different_ips_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_defense_evasion_delete_cloudtrail_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_defense_evasion_delete_cloudwatch_log_group_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_defense_evasion_impair_security_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_defense_evasion_stop_logging_cloudtrail_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_defense_evasion_update_cloudtrail_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_ecr_container_upload_outside_business_hours_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_ecr_container_upload_unknown_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_iam_delete_policy_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_iam_failure_group_deletion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_iam_successful_group_deletion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_multi_factor_authentication_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_new_mfa_method_registered_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_ami_attribute_modification_for_exfiltration_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_concurrent_sessions_from_different_ips_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_console_login_failed_during_mfa_challenge_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_create_policy_version_to_allow_all_resources_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_createaccesskey_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_createloginprofile_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_credential_access_failed_login_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_credential_access_getpassworddata_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_credential_access_rds_password_reset_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_cross_account_activity_from_previously_unseen_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_defense_evasion_delete_cloudtrail_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_defense_evasion_delete_cloudwatch_log_group_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_defense_evasion_impair_security_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_defense_evasion_putbucketlifecycle_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_defense_evasion_stop_logging_cloudtrail_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_defense_evasion_update_cloudtrail_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_detect_attach_to_role_policy_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_detect_permanent_key_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_detect_role_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_detect_sts_assume_role_abuse_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_detect_sts_get_session_token_abuse_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_detect_users_creating_keys_with_encrypt_policy_without_mfa_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_detect_users_with_kms_keys_performing_encryption_s3_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_disable_bucket_versioning_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_ec2_snapshot_shared_externally_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_ecr_container_scanning_findings_high_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_ecr_container_scanning_findings_low_informational_unknown_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_ecr_container_scanning_findings_medium_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_ecr_container_upload_outside_business_hours_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_ecr_container_upload_unknown_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_excessive_security_scanning_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_exfiltration_via_anomalous_getobject_api_activity_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_exfiltration_via_batch_service_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_exfiltration_via_bucket_replication_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_exfiltration_via_datasync_task_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_exfiltration_via_ec2_snapshot_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_high_number_of_failed_authentications_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_high_number_of_failed_authentications_from_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_iam_accessdenied_discovery_events_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_iam_assume_role_policy_brute_force_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_iam_delete_policy_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_iam_failure_group_deletion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_iam_successful_group_deletion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_lambda_updatefunctioncode_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_multi_factor_authentication_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_multiple_failed_mfa_requests_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_multiple_users_failing_to_authenticate_from_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_network_access_control_list_created_with_all_open_ports_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_network_access_control_list_deleted_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_new_mfa_method_registered_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_password_policy_changes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_s3_exfiltration_behavior_identified_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_saml_access_by_provider_user_and_principal_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_saml_update_identity_provider_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_setdefaultpolicyversion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_successful_console_authentication_from_multiple_ips_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_successful_single_factor_authentication_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_unusual_number_of_failed_authentications_from_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_updateloginprofile_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_active_directory_high_risk_sign_in_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_admin_consent_bypassed_by_service_principal_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_application_administrator_role_assigned_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_authentication_failed_during_mfa_challenge_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_block_user_consent_for_risky_apps_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_concurrent_sessions_from_different_ips_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_device_code_authentication_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_external_guest_user_invited_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_fullaccessasapp_permission_assigned_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_global_administrator_role_assigned_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_high_number_of_failed_authentications_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_high_number_of_failed_authentications_from_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_multi_factor_authentication_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_multi_source_failed_authentications_spike_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_multiple_appids_and_useragents_authentication_spike_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_multiple_denied_mfa_requests_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_multiple_failed_mfa_requests_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_multiple_service_principals_created_by_sp_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_multiple_service_principals_created_by_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_multiple_users_failing_to_authenticate_from_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_new_custom_domain_added_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_new_federated_domain_added_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_new_mfa_method_registered_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_new_mfa_method_registered_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_oauth_application_consent_granted_by_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_pim_role_assigned_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_pim_role_assignment_activated_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_privileged_authentication_administrator_role_assigned_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_privileged_graph_api_permission_assigned_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_privileged_role_assigned_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_privileged_role_assigned_to_service_principal_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_service_principal_authentication_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_service_principal_created_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_service_principal_new_client_credentials_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_service_principal_owner_added_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_successful_authentication_from_different_ips_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_successful_powershell_authentication_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_successful_single_factor_authentication_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_tenant_wide_admin_consent_granted_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_unusual_number_of_failed_authentications_from_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_user_consent_blocked_for_risky_application_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_user_consent_denied_for_oauth_application_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_user_enabled_and_password_reset_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_user_immutableid_attribute_updated_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_automation_account_created_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_automation_runbook_created_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_runbook_webhook_created_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "circle_ci_disable_security_job_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "circle_ci_disable_security_step_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_api_calls_from_previously_unseen_user_roles_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_compute_instance_created_by_previously_unseen_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_compute_instance_created_in_previously_unused_region_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_compute_instance_created_with_previously_unseen_image_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_compute_instance_created_with_previously_unseen_instance_type_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_instance_modified_by_previously_unseen_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_provisioning_activity_from_previously_unseen_city_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_provisioning_activity_from_previously_unseen_country_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_provisioning_activity_from_previously_unseen_ip_address_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_provisioning_activity_from_previously_unseen_region_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_security_groups_modifications_by_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_aws_console_login_by_new_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_aws_console_login_by_user_from_new_city_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_aws_console_login_by_user_from_new_country_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_aws_console_login_by_user_from_new_region_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_gcp_storage_access_from_a_new_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_new_open_gcp_storage_buckets_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_new_open_s3_buckets_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_new_open_s3_buckets_over_aws_cli_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_s3_access_from_a_new_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_spike_in_aws_security_hub_alerts_for_ec2_instance_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_spike_in_aws_security_hub_alerts_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_spike_in_blocked_outbound_traffic_from_your_aws_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_spike_in_s3_bucket_deletion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_authentication_failed_during_mfa_challenge_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_detect_gcploit_framework_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_kubernetes_cluster_pod_scan_detection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_multi_factor_authentication_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_multiple_failed_mfa_requests_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_multiple_users_failing_to_authenticate_from_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_successful_single_factor_authentication_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_unusual_number_of_failed_authentications_from_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gdrive_suspicious_file_sharing_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "github_actions_disable_security_workflow_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "github_commit_changes_in_master_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "github_commit_in_develop_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "github_dependabot_alert_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "github_pull_request_from_unknown_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gsuite_drive_share_in_external_email_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gsuite_email_suspicious_attachment_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gsuite_email_suspicious_subject_with_attachment_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gsuite_email_with_known_abuse_web_service_link_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gsuite_outbound_email_with_attachment_to_external_domain_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gsuite_suspicious_calendar_invite_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gsuite_suspicious_shared_file_name_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "high_number_of_login_failures_from_a_single_source_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_abuse_of_secret_by_unusual_location_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_abuse_of_secret_by_unusual_user_agent_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_abuse_of_secret_by_unusual_user_group_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_abuse_of_secret_by_unusual_user_name_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_access_scanning_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_anomalous_inbound_network_activity_from_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_anomalous_inbound_outbound_network_io_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_anomalous_inbound_to_outbound_network_io_ratio_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_anomalous_outbound_network_activity_from_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_anomalous_traffic_on_network_edge_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_aws_detect_suspicious_kubectl_calls_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_create_or_update_privileged_pod_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_cron_job_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_daemonset_deployed_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_falco_shell_spawned_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_newly_seen_tcp_edge_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_newly_seen_udp_edge_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_nginx_ingress_lfi_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_nginx_ingress_rfi_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_node_port_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_pod_created_in_default_namespace_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_pod_with_host_network_attachment_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_previously_unseen_container_image_name_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_previously_unseen_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_process_running_from_new_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_process_with_anomalous_resource_utilisation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_process_with_resource_ratio_anomalies_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_scanner_image_pulling_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_scanning_by_unauthenticated_ip_address_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_shell_running_on_worker_node_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_shell_running_on_worker_node_with_cpu_activity_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_suspicious_image_pulling_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_unauthorized_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_add_app_role_assignment_grant_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_added_service_principal_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_admin_consent_bypassed_by_service_principal_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_advanced_audit_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_application_registration_owner_added_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_applicationimpersonation_role_assigned_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_block_user_consent_for_risky_apps_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_bypass_mfa_via_trusted_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_compliance_content_search_exported_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_compliance_content_search_started_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_concurrent_sessions_from_different_ips_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_disable_mfa_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_elevated_mailbox_permission_assigned_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_excessive_authentication_failures_alert_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_excessive_sso_logon_errors_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_file_permissioned_application_consent_granted_by_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_fullaccessasapp_permission_assigned_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_high_number_of_failed_authentications_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_high_privilege_role_granted_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_mail_permissioned_application_consent_granted_by_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_mailbox_email_forwarding_enabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_mailbox_folder_read_permission_assigned_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_mailbox_folder_read_permission_granted_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_mailbox_inbox_folder_shared_with_all_users_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_mailbox_read_access_granted_to_application_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_multi_source_failed_authentications_spike_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_multiple_appids_and_useragents_authentication_spike_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_multiple_failed_mfa_requests_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_multiple_mailboxes_accessed_via_api_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_multiple_service_principals_created_by_sp_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_multiple_service_principals_created_by_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_multiple_users_failing_to_authenticate_from_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_new_email_forwarding_rule_created_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_new_email_forwarding_rule_enabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_new_federated_domain_added_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_new_forwarding_mailflow_rule_created_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_new_mfa_method_registered_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_oauth_app_mailbox_access_via_ews_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_oauth_app_mailbox_access_via_graph_api_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_privileged_graph_api_permission_assigned_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_pst_export_alert_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_security_and_compliance_alert_triggered_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_service_principal_new_client_credentials_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_tenant_wide_admin_consent_granted_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_user_consent_blocked_for_risky_application_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_user_consent_denied_for_oauth_application_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "risk_rule_for_dev_sec_ops_by_repository_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "abnormally_high_aws_instances_launched_by_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "abnormally_high_aws_instances_launched_by_user___mltk_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "abnormally_high_aws_instances_terminated_by_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "abnormally_high_aws_instances_terminated_by_user___mltk_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_createaccesskey_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_excessive_security_scanning_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_password_policy_changes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_cloud_provisioning_from_previously_unseen_city_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_cloud_provisioning_from_previously_unseen_country_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_cloud_provisioning_from_previously_unseen_ip_address_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_cloud_provisioning_from_previously_unseen_region_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_eks_kubernetes_cluster_sensitive_object_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "clients_connecting_to_multiple_dns_servers_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_network_access_control_list_deleted_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "correlation_by_repository_and_risk_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "correlation_by_user_and_risk_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_activity_related_to_pass_the_hash_attacks_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_api_activity_from_users_without_mfa_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_aws_api_activities_from_unapproved_accounts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_dns_requests_to_phishing_sites_leveraging_evilginx2_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_long_dns_txt_record_response_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_mimikatz_using_loaded_images_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_mimikatz_via_powershell_and_eventcode_4703_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_new_api_calls_from_user_roles_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_new_user_aws_console_login_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_spike_in_aws_api_activity_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_spike_in_network_acl_activity_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_spike_in_security_group_activity_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_usb_device_insertion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_web_traffic_to_dynamic_domain_providers_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detection_of_dns_tunnels_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "dns_query_requests_resolved_by_unauthorized_dns_servers_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "dns_record_changed_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "dump_lsass_via_procdump_rename_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ec2_instance_modified_with_previously_unseen_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ec2_instance_started_in_previously_unseen_region_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ec2_instance_started_with_previously_unseen_ami_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ec2_instance_started_with_previously_unseen_instance_type_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ec2_instance_started_with_previously_unseen_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "execution_of_file_with_spaces_before_extension_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "extended_period_without_successful_netbackup_backups_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "first_time_seen_command_line_argument_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_detect_accounts_with_high_risk_roles_by_project_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_detect_high_risk_permissions_by_resource_and_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_detect_oauth_token_abuse_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_kubernetes_cluster_scan_detection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "identify_new_user_accounts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_aws_detect_most_active_service_accounts_by_pod_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_aws_detect_rbac_authorization_by_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_aws_detect_sensitive_role_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_aws_detect_service_accounts_forbidden_failure_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_azure_active_service_accounts_by_pod_namespace_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_azure_detect_rbac_authorization_by_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_azure_detect_sensitive_object_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_azure_detect_sensitive_role_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_azure_detect_service_accounts_forbidden_failure_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_azure_detect_suspicious_kubectl_calls_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_azure_pod_scan_fingerprint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_azure_scan_fingerprint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_gcp_detect_most_active_service_accounts_by_pod_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_gcp_detect_rbac_authorizations_by_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_gcp_detect_sensitive_object_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_gcp_detect_sensitive_role_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_gcp_detect_service_accounts_forbidden_failure_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_gcp_detect_suspicious_kubectl_calls_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "monitor_dns_for_brand_abuse_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "multiple_okta_users_with_invalid_credentials_from_the_same_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_suspicious_admin_email_forwarding_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_suspicious_rights_delegation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_suspicious_user_email_forwarding_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_account_locked_out_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_account_lockout_events_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_failed_sso_attempts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_threatinsight_login_failure_with_high_unknown_users_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_threatinsight_suspected_passwordspray_attack_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_two_or_more_rejected_okta_pushes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "open_redirect_in_splunk_web_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "osquery_pack___coldroot_detection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "processes_created_by_netsh_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "prohibited_software_on_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "reg_exe_used_to_hide_files_directories_via_registry_keys_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_registry_key_modifications_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "scheduled_tasks_used_in_badrabbit_ransomware_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "spectre_and_meltdown_vulnerable_systems_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_enterprise_information_disclosure_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_changes_to_file_associations_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_email___uba_anomaly_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_file_write_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_powershell_command_line_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_rundll32_rename_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_writes_to_system_volume_information_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "uncommon_processes_on_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unsigned_image_loaded_by_lsass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unsuccessful_netbackup_backups_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "web_fraud___account_harvesting_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "web_fraud___anomalous_user_clickspeed_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "web_fraud___password_sharing_across_accounts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_connhost_exe_started_forcefully_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_dll_search_order_hijacking_hunt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_hosts_file_modification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "3cx_supply_chain_attack_network_indicators_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "7zip_commandline_to_smb_share_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "access_lsass_memory_for_dump_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "account_discovery_with_net_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "active_directory_lateral_movement_identified_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "active_directory_privilege_escalation_identified_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "active_setup_registry_autostart_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "add_defaultuser_and_password_in_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "add_or_set_windows_defender_exclusion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "adsisearcher_account_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "allow_file_and_printing_sharing_in_firewall_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "allow_inbound_traffic_by_firewall_rule_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "allow_inbound_traffic_in_firewall_rule_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "allow_network_discovery_in_firewall_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "allow_operation_with_consent_admin_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "anomalous_usage_of_7zip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "any_powershell_downloadfile_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "any_powershell_downloadstring_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "attacker_tools_on_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "attempt_to_add_certificate_to_untrusted_store_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "attempt_to_stop_security_service_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "attempted_credential_dump_from_registry_via_reg_exe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "auto_admin_logon_registry_entry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "batch_file_write_to_system32_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "bcdedit_command_back_to_normal_mode_boot_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "bcdedit_failure_recovery_modification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "bits_job_persistence_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "bitsadmin_download_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "certutil_download_with_urlcache_and_split_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "certutil_download_with_verifyctl_and_split_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "certutil_exe_certificate_extraction_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "certutil_with_decode_argument_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "change_default_file_association_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "change_to_safe_mode_with_network_config_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "chcp_command_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "check_elevated_cmd_using_whoami_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "child_processes_of_spoolsv_exe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "clear_unallocated_sector_using_cipher_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "clop_common_exec_parameter_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "clop_ransomware_known_service_name_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cmd_carry_out_string_command_parameter_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cmd_echo_pipe___escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cmdline_tool_not_executed_in_cmd_shell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cmlua_or_cmstplua_uac_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cobalt_strike_named_pipes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "common_ransomware_extensions_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "common_ransomware_notes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "connectwise_screenconnect_path_traversal_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "connectwise_screenconnect_path_traversal_windows_sacl_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "conti_common_exec_parameter_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "control_loading_from_world_writable_directory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "create_local_admin_accounts_using_net_exe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "create_or_delete_windows_shares_using_net_exe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "create_remote_thread_in_shell_application_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "create_remote_thread_into_lsass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "creation_of_lsass_dump_with_taskmgr_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "creation_of_shadow_copy_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "creation_of_shadow_copy_with_wmic_and_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "credential_dumping_via_copy_command_from_shadow_copy_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "credential_dumping_via_symlink_to_shadow_copy_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "csc_net_on_the_fly_compilation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "curl_download_and_bash_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "delete_shadowcopy_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "deleting_of_net_users_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "deleting_shadow_copies_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_azurehound_command_line_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_azurehound_file_modifications_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_baron_samedit_cve_2021_3156_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_baron_samedit_cve_2021_3156_segfault_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_baron_samedit_cve_2021_3156_via_osquery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_certify_command_line_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_certify_with_powershell_script_block_logging_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_certipy_file_modifications_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_computer_changed_with_anonymous_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_copy_of_shadowcopy_with_script_block_logging_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_credential_dumping_through_lsass_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_empire_with_powershell_script_block_logging_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_excessive_account_lockouts_from_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_excessive_user_account_lockouts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_exchange_web_shell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_html_help_renamed_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_html_help_spawn_child_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_html_help_url_in_command_line_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_html_help_using_infotech_storage_handlers_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_mimikatz_with_powershell_script_block_logging_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_mshta_inline_hta_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_mshta_renamed_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_mshta_url_in_command_line_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_new_local_admin_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_outlook_exe_writing_a_zip_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_path_interception_by_creation_of_program_exe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_processes_used_for_system_network_configuration_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_prohibited_applications_spawning_cmd_exe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_psexec_with_accepteula_flag_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_rare_executables_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_rclone_command_line_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_regasm_spawning_a_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_regasm_with_network_connection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_regasm_with_no_command_line_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_regsvcs_spawning_a_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_regsvcs_with_network_connection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_regsvcs_with_no_command_line_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_regsvr32_application_control_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_remote_access_software_usage_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_remote_access_software_usage_fileinfo_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_remote_access_software_usage_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_renamed_7_zip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_renamed_psexec_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_renamed_rclone_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_renamed_winrar_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_rtlo_in_file_name_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_rtlo_in_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_rundll32_application_control_bypass___advpack_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_rundll32_application_control_bypass___setupapi_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_rundll32_application_control_bypass___syssetup_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_rundll32_inline_hta_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_sharphound_command_line_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_sharphound_file_modifications_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_sharphound_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_suspicious_processnames_using_pretrained_model_in_dsdl_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_use_of_cmd_exe_to_launch_script_interpreters_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_webshell_exploit_behavior_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_wmi_event_subscription_persistence_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detection_of_tools_built_by_nirsoft_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_amsi_through_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_defender_antivirus_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_defender_blockatfirstseen_feature_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_defender_enhanced_notification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_defender_mpengine_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_defender_spynet_reporting_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_defender_submit_samples_consent_feature_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_etw_through_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_logs_using_wevtutil_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_registry_tool_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_schedule_task_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_security_logs_using_minint_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_show_hidden_files_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_uac_remote_restriction_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_windows_app_hotkeys_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_windows_behavior_monitoring_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_windows_smartscreen_protection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabled_kerberos_pre_authentication_discovery_with_get_aduser_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabled_kerberos_pre_authentication_discovery_with_powerview_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_cmd_application_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_controlpanel_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_defender_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_firewall_with_netsh_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_folderoptions_windows_feature_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_net_user_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_norun_windows_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_remote_user_account_control_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_systemrestore_in_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_task_manager_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_windows_local_security_authority_defences_via_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "dllhost_with_no_command_line_arguments_with_network_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "dns_exfiltration_using_nslookup_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "domain_account_discovery_with_dsquery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "domain_account_discovery_with_net_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "domain_account_discovery_with_wmic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "domain_controller_discovery_with_nltest_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "domain_controller_discovery_with_wmic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "domain_group_discovery_with_adsisearcher_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "domain_group_discovery_with_dsquery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "domain_group_discovery_with_net_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "domain_group_discovery_with_wmic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "download_files_using_telegram_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "drop_icedid_license_dat_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "dsquery_domain_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "dump_lsass_via_comsvcs_dll_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "dump_lsass_via_procdump_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "elevated_group_discovery_with_net_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "elevated_group_discovery_with_powerview_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "elevated_group_discovery_with_wmic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "enable_rdp_in_other_port_number_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "enable_wdigest_uselogoncredential_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "enumerate_users_local_group_using_telegram_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "esentutl_sam_copy_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "etw_registry_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "eventvwr_uac_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excel_spawning_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excel_spawning_windows_script_host_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_attempt_to_disable_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_distinct_processes_from_windows_temp_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_file_deletion_in_windefender_folder_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_number_of_service_control_start_as_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_number_of_taskhost_processes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_service_stop_attempt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_usage_of_cacls_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_usage_of_net_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_usage_of_nslookup_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_usage_of_sc_service_utility_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_usage_of_taskkill_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "exchange_powershell_abuse_via_ssrf_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "exchange_powershell_module_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "executable_file_written_in_administrative_smb_share_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "executables_or_script_creation_in_suspicious_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "execute_javascript_with_jscript_com_clsid_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "execution_of_file_with_multiple_extensions_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "extraction_of_registry_hives_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "file_with_samsam_extension_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "firewall_allowed_program_enable_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "first_time_seen_child_process_of_zoom_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "first_time_seen_running_windows_service_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "fodhelper_uac_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "fsutil_zeroing_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_addefaultdomainpasswordpolicy_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_addefaultdomainpasswordpolicy_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_aduser_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_aduser_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_aduserresultantpasswordpolicy_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_aduserresultantpasswordpolicy_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_domainpolicy_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_domainpolicy_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_domaintrust_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_domaintrust_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_domainuser_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_domainuser_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_foresttrust_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_foresttrust_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_wmiobject_group_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_wmiobject_group_discovery_with_script_block_logging_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getadcomputer_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getadcomputer_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getadgroup_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getadgroup_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getcurrent_user_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getcurrent_user_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getdomaincomputer_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getdomaincomputer_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getdomaincontroller_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getdomaincontroller_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getdomaingroup_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getdomaingroup_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getlocaluser_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getlocaluser_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getnettcpconnection_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getnettcpconnection_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getwmiobject_ds_computer_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getwmiobject_ds_computer_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getwmiobject_ds_group_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getwmiobject_ds_group_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getwmiobject_ds_user_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getwmiobject_ds_user_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getwmiobject_user_account_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getwmiobject_user_account_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gpupdate_with_no_command_line_arguments_with_network_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "headless_browser_mockbin_or_mocky_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "headless_browser_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "hide_user_account_from_sign_in_screen_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "hiding_files_and_directories_with_attrib_exe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "high_frequency_copy_of_files_in_network_share_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "high_process_termination_frequency_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "hunting_3cxdesktopapp_software_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "icacls_deny_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "icacls_grant_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "icedid_exfiltrated_archived_file_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "impacket_lateral_movement_commandline_parameters_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "impacket_lateral_movement_smbexec_commandline_parameters_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "impacket_lateral_movement_wmiexec_commandline_parameters_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "interactive_session_on_remote_endpoint_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "java_class_file_download_by_java_user_agent_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "java_writing_jsp_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "jscript_execution_using_cscript_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kerberoasting_spn_request_with_rc4_encryption_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kerberos_pre_authentication_flag_disabled_in_useraccountcontrol_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kerberos_pre_authentication_flag_disabled_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kerberos_service_ticket_request_using_rc4_encryption_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kerberos_tgt_request_using_rc4_encryption_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kerberos_user_enumeration_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "known_services_killed_by_ransomware_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_account_manipulation_of_ssh_config_and_keys_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_add_files_in_known_crontab_directories_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_add_user_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_adding_crontab_using_list_parameter_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_apt_get_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_apt_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_at_allow_config_file_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_at_application_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_awk_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_busybox_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_c89_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_c99_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_change_file_owner_to_root_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_clipboard_data_copy_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_common_process_for_elevation_control_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_composer_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_cpulimit_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_csvtool_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_curl_upload_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_data_destruction_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_dd_file_overwrite_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_decode_base64_to_shell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_deleting_critical_directory_using_rm_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_deletion_of_cron_jobs_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_deletion_of_init_daemon_script_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_deletion_of_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_deletion_of_ssl_certificate_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_disable_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_doas_conf_file_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_doas_tool_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_docker_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_edit_cron_table_parameter_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_emacs_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_file_created_in_kernel_driver_directory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_file_creation_in_init_boot_directory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_file_creation_in_profile_directory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_find_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_gdb_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_gem_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_gnu_awk_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_hardware_addition_swapoff_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_high_frequency_of_file_deletion_in_boot_folder_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_high_frequency_of_file_deletion_in_etc_folder_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_impair_defenses_process_kill_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_indicator_removal_clear_cache_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_indicator_removal_service_file_deletion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_ingress_tool_transfer_hunting_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_ingress_tool_transfer_with_curl_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_insert_kernel_module_using_insmod_utility_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_install_kernel_module_using_modprobe_utility_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_iptables_firewall_modification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_java_spawning_shell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_kernel_module_enumeration_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_kworker_process_in_writable_process_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_make_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_mysql_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_ngrok_reverse_proxy_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_node_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_nopasswd_entry_in_sudoers_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_obfuscated_files_or_information_base64_decode_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_octave_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_openvpn_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_persistence_and_privilege_escalation_risk_behavior_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_php_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_pkexec_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_possible_access_or_modification_of_sshd_config_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_possible_access_to_credential_files_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_possible_access_to_sudoers_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_possible_append_command_to_at_allow_config_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_possible_append_command_to_profile_config_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_possible_append_cronjob_entry_on_existing_cronjob_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_possible_cronjob_modification_with_editor_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_possible_ssh_key_file_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_preload_hijack_library_calls_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_proxy_socks_curl_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_puppet_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_rpm_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_ruby_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_service_file_created_in_systemd_directory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_service_restarted_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_service_started_or_enabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_setuid_using_chmod_utility_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_setuid_using_setcap_utility_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_shred_overwrite_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_sqlite3_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_ssh_authorized_keys_modification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_ssh_remote_services_script_execute_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_stdout_redirection_to_dev_null_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_stop_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_sudo_or_su_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_sudoers_tmp_file_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_system_network_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_system_reboot_via_system_request_key_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_unix_shell_enable_all_sysrq_functions_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_visudo_utility_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "living_off_the_land_detection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "loading_of_dynwrapx_module_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "local_account_discovery_with_net_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "local_account_discovery_with_wmic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "log4shell_cve_2021_44228_exploitation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "logon_script_event_trigger_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "lolbas_with_network_traffic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "macos___re_opened_applications_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "macos_lolbin_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "macos_plutil_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "mailsniper_invoke_functions_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "malicious_inprocserver32_modification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "malicious_powershell_executed_as_a_service_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "malicious_powershell_process___encoded_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "malicious_powershell_process___execution_policy_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "malicious_powershell_process_with_obfuscation_techniques_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "mimikatz_passtheticket_commandline_parameters_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "mmc_lolbas_execution_process_spawn_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "modification_of_wallpaper_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "modify_acl_permission_to_files_or_folder_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "monitor_registry_keys_for_print_monitors_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ms_exchange_mailbox_replication_service_writing_active_server_pages_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ms_scripting_process_loading_ldap_module_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ms_scripting_process_loading_wmi_module_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "msbuild_suspicious_spawned_by_script_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "mshta_spawning_rundll32_or_regsvr32_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "mshtml_module_load_in_office_product_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "msi_module_loaded_by_non_system_binary_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "msmpeng_application_dll_side_loading_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "net_localgroup_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "net_profiler_uac_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "network_connection_discovery_with_arp_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "network_connection_discovery_with_net_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "network_connection_discovery_with_netstat_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "network_discovery_using_route_windows_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "network_share_discovery_via_dir_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "network_traffic_to_active_directory_web_services_protocol_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "nishang_powershelltcponeline_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "nltest_domain_trust_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "non_chrome_process_accessing_chrome_default_dir_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "non_firefox_process_access_firefox_profile_dir_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "notepad_with_no_command_line_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ntdsutil_export_ntds_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_application_drop_executable_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_application_spawn_regsvr32_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_application_spawn_rundll32_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_document_creating_schedule_task_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_document_executing_macro_code_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_document_spawned_child_process_to_download_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_product_spawn_cmd_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_product_spawning_bitsadmin_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_product_spawning_certutil_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_product_spawning_mshta_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_product_spawning_rundll32_with_no_dll_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_product_spawning_windows_script_host_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_product_spawning_wmic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_product_writing_cab_or_inf_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_spawning_control_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "outbound_network_connection_from_java_using_default_ports_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "overwriting_accessibility_binaries_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "papercut_ng_suspicious_behavior_debug_log_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "password_policy_discovery_with_net_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "permission_modification_using_takeown_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "petitpotam_network_share_access_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "petitpotam_suspicious_kerberos_tgt_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ping_sleep_batch_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "possible_browser_pass_view_parameter_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "possible_lateral_movement_powershell_spawn_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "potential_password_in_username_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "potentially_malicious_code_on_commandline_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_4104_hunting_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell___connect_to_internet_with_hidden_window_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_com_hijacking_inprocserver32_modification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_creating_thread_mutex_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_disable_security_monitoring_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_domain_enumeration_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_enable_powershell_remoting_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_enable_smb1protocol_feature_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_execute_com_object_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_fileless_process_injection_via_getprocaddress_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_fileless_script_contains_base64_encoded_content_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_get_localgroup_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_get_localgroup_discovery_with_script_block_logging_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_invoke_cimmethod_cimsession_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_invoke_wmiexec_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_load_module_in_meterpreter_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_loading_dotnet_into_memory_via_reflection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_processing_stream_of_data_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_remote_services_add_trustedhost_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_remote_thread_to_known_windows_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_remove_windows_defender_directory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_script_block_with_url_chain_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_start_bitstransfer_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_start_or_stop_service_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_using_memory_as_backing_store_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_webrequest_using_memory_stream_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_windows_defender_exclusion_commands_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "prevent_automatic_repair_mode_using_bcdedit_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "print_processor_registry_autostart_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "print_spooler_adding_a_printer_driver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "print_spooler_failed_to_load_a_plug_in_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "process_creating_lnk_file_in_suspicious_location_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "process_deleting_its_process_file_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "process_execution_via_wmi_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "process_kill_base_on_file_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "process_writing_dynamicwrapperx_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "processes_launching_netsh_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "processes_tapping_keyboard_events_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "randomly_generated_scheduled_task_name_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "randomly_generated_windows_service_name_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ransomware_notes_bulk_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "recon_avproduct_through_pwh_or_wmi_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "recon_using_wmi_class_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "recursive_delete_of_directory_in_batch_cmd_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "reg_exe_manipulating_windows_services_registry_keys_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "registry_keys_for_creating_shim_databases_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "registry_keys_used_for_persistence_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "registry_keys_used_for_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "regsvr32_silent_and_install_param_dll_loading_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "regsvr32_with_known_silent_switch_cmdline_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remcos_client_registry_install_entry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remcos_rat_file_creation_in_remcos_folder_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_desktop_process_running_on_system_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_process_instantiation_via_dcom_and_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_process_instantiation_via_dcom_and_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_process_instantiation_via_winrm_and_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_process_instantiation_via_winrm_and_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_process_instantiation_via_winrm_and_winrs_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_process_instantiation_via_wmi_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_process_instantiation_via_wmi_and_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_process_instantiation_via_wmi_and_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_system_discovery_with_adsisearcher_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_system_discovery_with_dsquery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_system_discovery_with_net_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_system_discovery_with_wmic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_wmi_command_attempt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "resize_shadowstorage_volume_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "revil_common_exec_parameter_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "revil_registry_entry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rubeus_command_line_parameters_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rubeus_kerberos_ticket_exports_through_winlogon_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "runas_execution_in_commandline_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rundll32_control_rundll_hunt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rundll32_control_rundll_world_writable_directory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rundll32_create_remote_thread_to_a_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rundll32_createremotethread_in_browser_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rundll32_dnsquery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rundll32_lockworkstation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rundll32_process_creating_exe_dll_files_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rundll32_shimcache_flush_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rundll32_with_no_command_line_arguments_with_network_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rundll_loading_dll_by_ordinal_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ryuk_test_files_detected_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ryuk_wake_on_lan_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "sam_database_file_access_attempt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "samsam_test_file_write_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "sc_exe_manipulating_windows_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "schcache_change_by_app_connect_and_create_adsi_object_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "schedule_task_with_http_command_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "schedule_task_with_rundll32_command_trigger_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "scheduled_task_creation_on_remote_endpoint_using_at_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "scheduled_task_deleted_or_created_via_cmd_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "scheduled_task_initiation_on_remote_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "schtasks_run_task_on_demand_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "schtasks_scheduling_job_on_remote_system_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "schtasks_used_for_forcing_a_reboot_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "screensaver_event_trigger_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "script_execution_via_wmi_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "sdclt_uac_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "sdelete_application_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "searchprotocolhost_with_no_command_line_with_network_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "secretdumps_offline_ntds_dumping_tool_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "serviceprincipalnames_discovery_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "serviceprincipalnames_discovery_with_setspn_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "services_escalate_exe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "services_lolbas_execution_process_spawn_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "set_default_powershell_execution_policy_to_unrestricted_or_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "shim_database_file_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "shim_database_installation_with_suspicious_parameters_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "short_lived_scheduled_task_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "short_lived_windows_accounts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "silentcleanup_uac_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "single_letter_process_on_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "slui_runas_elevated_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "slui_spawning_a_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "spike_in_file_writes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "spoolsv_spawning_rundll32_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "spoolsv_suspicious_loaded_modules_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "spoolsv_suspicious_process_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "spoolsv_writing_a_dll_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "spoolsv_writing_a_dll___sysmon_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "sqlite_module_in_temp_folder_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "steal_or_forge_authentication_certificates_behavior_identified_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "sunburst_correlation_dll_and_network_event_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_computer_account_name_change_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_copy_on_system32_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_curl_network_connection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_dllhost_no_command_line_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_driver_loaded_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_event_log_service_behavior_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_gpupdate_no_command_line_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_icedid_rundll32_cmdline_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_image_creation_in_appdata_folder_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_kerberos_service_ticket_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_linux_discovery_commands_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_microsoft_workflow_compiler_rename_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_microsoft_workflow_compiler_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_msbuild_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_msbuild_rename_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_msbuild_spawn_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_mshta_child_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_mshta_spawn_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_plistbuddy_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_plistbuddy_usage_via_osquery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_process_dns_query_known_abuse_web_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_process_executed_from_container_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_process_file_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_process_with_discord_dns_query_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_reg_exe_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_regsvr32_register_suspicious_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_rundll32_dllregisterserver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_rundll32_no_command_line_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_rundll32_plugininit_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_rundll32_startw_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_scheduled_task_from_public_directory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_searchprotocolhost_no_command_line_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_sqlite3_lsquarantine_behavior_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_ticket_granting_ticket_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_wav_file_in_appdata_folder_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_wevtutil_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_writes_to_windows_recycle_bin_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "svchost_lolbas_execution_process_spawn_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "system_info_gathering_using_dxdiag_application_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "system_information_discovery_detection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "system_processes_run_from_unexpected_locations_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "system_user_discovery_with_query_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "system_user_discovery_with_whoami_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "time_provider_persistence_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "trickbot_named_pipe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "uac_bypass_mmc_load_unsigned_dll_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "uac_bypass_with_colorui_com_object_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "uninstall_app_using_msiexec_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unknown_process_using_the_kerberos_protocol_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unload_sysmon_filter_driver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unloading_amsi_via_reflection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unusual_number_of_computer_service_tickets_requested_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unusual_number_of_kerberos_service_tickets_requested_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unusual_number_of_remote_endpoint_authentication_events_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unusually_long_command_line_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unusually_long_command_line___mltk_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "user_discovery_with_env_vars_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "user_discovery_with_env_vars_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "usn_journal_deletion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "vbscript_execution_using_wscript_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "verclsid_clsid_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "w3wp_spawning_shell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wbadmin_delete_system_backups_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wbemprox_com_object_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wermgr_process_connecting_to_ip_check_web_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wermgr_process_create_executable_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wermgr_process_spawned_cmd_or_powershell_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wget_download_and_bash_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_abused_web_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_access_token_manipulation_sedebugprivilege_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_access_token_manipulation_winlogon_duplicate_token_handle_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_access_token_winlogon_duplicate_handle_in_uncommon_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_account_discovery_for_none_disable_user_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_account_discovery_for_sam_account_name_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_account_discovery_with_netuser_preauthnotrequire_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_abnormal_object_access_activity_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_adminsdholder_acl_modified_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_cross_domain_sid_history_addition_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_domain_controller_audit_policy_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_domain_controller_promotion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_domain_replication_acl_addition_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_dsrm_account_changes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_dsrm_password_reset_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_privileged_account_sid_history_addition_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_privileged_object_access_activity_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_replication_request_initiated_by_user_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_replication_request_initiated_from_unsanctioned_location_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_same_domain_sid_history_addition_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_serviceprincipalname_added_to_domain_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_short_lived_domain_account_serviceprincipalname_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_short_lived_domain_controller_spn_attribute_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_short_lived_server_object_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_sid_history_attribute_modified_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_adfind_exe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_admin_permission_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_administrative_shares_accessed_on_multiple_hosts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_admon_default_group_policy_object_modified_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_admon_group_policy_object_created_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_alternate_datastream___base64_content_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_alternate_datastream___executable_content_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_alternate_datastream___process_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_apache_benchmark_binary_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_app_layer_protocol_qakbot_namedpipe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_app_layer_protocol_wermgr_connect_to_namedpipe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_application_layer_protocol_rms_radmin_tool_namedpipe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_applocker_block_events_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_applocker_execution_from_uncommon_locations_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_applocker_privilege_escalation_via_unauthorized_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_applocker_rare_application_launch_detection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_archive_collected_data_via_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_archive_collected_data_via_rar_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_autoit3_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_autostart_execution_lsass_driver_registry_modification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_binary_proxy_execution_mavinject_dll_injection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_boot_or_logon_autostart_execution_in_startup_folder_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_bootloader_inventory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_bypass_uac_via_pkgmgr_tool_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_cab_file_on_disk_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_cached_domain_credentials_reg_query_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_change_default_file_association_for_no_file_ext_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_clipboard_data_via_get_clipboard_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_com_hijacking_inprocserver32_modification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_command_and_scripting_interpreter_hunting_path_traversal_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_command_and_scripting_interpreter_path_traversal_exec_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_command_shell_dcrat_forkbomb_payload_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_command_shell_fetch_env_variables_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_common_abused_cmd_shell_risk_behavior_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_computer_account_created_by_computer_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_computer_account_requesting_kerberos_ticket_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_computer_account_with_spn_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_conhost_with_headless_argument_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_create_local_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_credential_access_from_browser_password_store_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_credential_dumping_lsass_memory_createdump_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_credentials_from_password_stores_chrome_extension_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_credentials_from_password_stores_chrome_localstate_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_credentials_from_password_stores_chrome_login_data_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_credentials_from_password_stores_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_credentials_from_password_stores_deletion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_credentials_from_password_stores_query_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_credentials_in_registry_reg_query_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_curl_download_to_suspicious_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_curl_upload_to_remote_destination_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_data_destruction_recursive_exec_files_deletion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_defacement_modify_transcodedwallpaper_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_default_group_policy_object_modified_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_default_group_policy_object_modified_with_gpme_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_defender_asr_audit_events_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_defender_asr_block_events_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_defender_asr_registry_modification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_defender_asr_rule_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_defender_asr_rules_stacking_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_defender_exclusion_registry_entry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_delete_or_modify_system_firewall_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_deleted_registry_by_a_non_critical_process_file_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_disable_change_password_through_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_disable_lock_workstation_feature_through_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_disable_logoff_button_through_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_disable_memory_crash_dump_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_disable_notification_center_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_disable_or_modify_tools_via_taskkill_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_disable_shutdown_button_through_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_disable_windows_event_logging_disable_http_logging_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_disable_windows_group_policy_features_through_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_disableantispyware_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_diskcryptor_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_diskshadow_proxy_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_dism_remove_defender_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_dll_search_order_hijacking_hunt_with_sysmon_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_dll_search_order_hijacking_with_iscsicpl_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_dll_side_loading_in_calc_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_dll_side_loading_process_child_of_calc_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_dns_gather_network_info_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_dnsadmins_new_member_added_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_domain_account_discovery_via_get_netcomputer_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_domain_admin_impersonation_indicator_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_dotnet_binary_in_non_standard_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_driver_inventory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_driver_load_non_standard_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_drivers_loaded_by_signature_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_enable_win32_scheduledjob_via_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_event_for_service_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_event_log_cleared_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_event_triggered_image_file_execution_options_injection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_excessive_disabled_services_event_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_executable_in_loaded_modules_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_execute_arbitrary_commands_with_msdt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_exfiltration_over_c2_via_invoke_restmethod_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_exfiltration_over_c2_via_powershell_uploadstring_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_export_certificate_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_file_share_discovery_with_powerview_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_file_transfer_protocol_in_non_common_process_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_file_without_extension_in_critical_folder_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_files_and_dirs_access_rights_modification_via_icacls_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_find_domain_organizational_units_with_getdomainou_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_find_interesting_acl_with_findinterestingdomainacl_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_findstr_gpp_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_forest_discovery_with_getforestdomain_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_gather_victim_host_information_camera_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_gather_victim_identity_sam_info_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_gather_victim_network_info_through_ip_check_web_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_get_adcomputer_unconstrained_delegation_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_get_local_admin_with_findlocaladminaccess_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_group_policy_object_created_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_hidden_schedule_task_settings_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_hide_notification_features_through_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_high_file_deletion_frequency_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_hijack_execution_flow_version_dll_side_load_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_hunting_system_account_targeting_lsass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_identify_protocol_handlers_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_iis_components_add_new_module_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_iis_components_get_webglobalmodule_module_query_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_iis_components_module_failed_to_load_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_iis_components_new_module_added_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_add_xml_applocker_rules_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_change_win_defender_health_check_intervals_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_change_win_defender_quick_scan_interval_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_change_win_defender_throttle_rate_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_change_win_defender_tracing_level_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_configure_app_install_control_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_define_win_defender_threat_action_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_delete_win_defender_context_menu_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_delete_win_defender_profile_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_deny_security_software_with_applocker_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_disable_controlled_folder_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_disable_defender_firewall_and_network_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_disable_defender_protocol_recognition_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_disable_pua_protection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_disable_realtime_signature_delivery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_disable_web_evaluation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_disable_win_defender_app_guard_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_disable_win_defender_compute_file_hashes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_disable_win_defender_gen_reports_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_disable_win_defender_network_protection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_disable_win_defender_report_infection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_disable_win_defender_scan_on_update_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_disable_win_defender_signature_retirement_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_overide_win_defender_phishing_filter_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_override_smartscreen_prompt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_set_win_defender_smart_screen_level_to_warn_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defenses_disable_hvci_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defenses_disable_win_defender_auto_logging_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_indicator_removal_via_rmdir_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_indirect_command_execution_via_forfiles_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_indirect_command_execution_via_pcalua_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_indirect_command_execution_via_series_of_forfiles_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_information_discovery_fsutil_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ingress_tool_transfer_using_explorer_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_inprocserver32_new_outlook_form_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_input_capture_using_credential_ui_dll_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_installutil_credential_theft_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_installutil_in_non_standard_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_installutil_remote_network_connection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_installutil_uninstall_option_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_installutil_uninstall_option_with_network_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_installutil_url_in_command_line_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_iso_lnk_file_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_java_spawning_shells_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_kerberos_local_successful_logon_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_known_abused_dll_created_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_known_graphicalproton_loaded_modules_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_krbrelayup_service_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_large_number_of_computer_service_tickets_requested_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_lateral_tool_transfer_remcom_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ldifde_directory_object_behavior_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_linked_policies_in_adsi_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_local_administrator_credential_stuffing_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_lsa_secrets_nolmhash_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_mail_protocol_in_non_common_process_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_mark_of_the_web_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_masquerading_explorer_as_child_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_masquerading_msdtc_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_mimikatz_binary_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_mimikatz_crypto_export_file_extensions_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_authenticationleveloverride_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_auto_minor_updates_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_auto_update_notif_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_default_icon_setting_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_disable_restricted_admin_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_disable_toast_notifications_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_disable_win_defender_raw_write_notif_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_disable_windefender_notifications_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_disable_windows_security_center_notif_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_disableremotedesktopantialias_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_disablesecuritysettings_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_disabling_wer_settings_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_disallow_windows_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_do_not_connect_to_win_update_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_dontshowui_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_enablelinkedconnections_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_longpathsenabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_maxconnectionperserver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_no_auto_reboot_with_logon_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_no_auto_update_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_nochangingwallpaper_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_proxyenable_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_proxyserver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_qakbot_binary_data_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_reg_restore_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_regedit_silent_reg_import_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_risk_behavior_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_suppress_win_defender_notif_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_tamper_protection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_updateserviceurlalternate_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_usewuserver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_with_md5_reg_key_name_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_wuserver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_wustatusserver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_show_compress_color_and_info_tip_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_system_firewall_with_notable_process_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_mof_event_triggered_execution_via_wmi_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_moveit_transfer_writing_aspx_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_msexchange_management_mailbox_cmdlet_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_mshta_execution_in_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_mshta_writing_to_world_writable_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_msiexec_dllregisterserver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_msiexec_hidewindow_rundll32_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_msiexec_remote_download_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_msiexec_spawn_discovery_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_msiexec_spawn_windbg_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_msiexec_unregister_dllregisterserver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_msiexec_with_network_connections_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_multi_hop_proxy_tor_website_query_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_multiple_account_passwords_changed_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_multiple_accounts_deleted_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_multiple_accounts_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_multiple_disabled_users_failed_to_authenticate_wth_kerberos_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_multiple_invalid_users_fail_to_authenticate_using_kerberos_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_multiple_invalid_users_failed_to_authenticate_using_ntlm_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_multiple_users_fail_to_authenticate_wth_explicitcredentials_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_multiple_users_failed_to_authenticate_from_host_using_ntlm_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_multiple_users_failed_to_authenticate_from_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_multiple_users_failed_to_authenticate_using_kerberos_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_multiple_users_remotely_failed_to_authenticate_from_host_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_new_inprocserver32_added_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ngrok_reverse_proxy_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_nirsoft_advancedrun_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_nirsoft_utilities_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_njrat_fileless_storage_via_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_non_discord_app_access_discord_leveldb_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_non_system_account_targeting_lsass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_odbcconf_hunting_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_odbcconf_load_dll_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_odbcconf_load_response_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_office_product_spawning_msdt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_papercut_ng_spawn_shell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_parent_pid_spoofing_with_explorer_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_password_managers_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_phishing_outlook_drop_dll_in_form_dir_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_phishing_pdf_file_executes_url_link_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_phishing_recent_iso_exec_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_possible_credential_dumping_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_post_exploitation_risk_behavior_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powershell_add_module_to_global_assembly_cache_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powershell_cryptography_namespace_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powershell_disable_http_logging_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powershell_export_certificate_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powershell_export_pfxcertificate_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powershell_get_ciminstance_remote_computer_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powershell_iis_components_webglobalmodule_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powershell_import_applocker_policy_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powershell_remotesigned_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powershell_scheduletask_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powershell_wmi_win32_scheduledjob_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powersploit_gpp_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powerview_ad_access_control_list_enumeration_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powerview_constrained_delegation_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powerview_kerberos_service_ticket_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powerview_spn_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powerview_unconstrained_delegation_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_private_keys_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_privilege_escalation_suspicious_process_elevation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_privilege_escalation_system_process_without_system_parent_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_privilege_escalation_user_process_spawn_system_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_process_commandline_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_process_injection_in_non_service_searchindexer_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_process_injection_into_notepad_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_process_injection_of_wermgr_to_known_browser_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_process_injection_remote_thread_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_process_injection_wermgr_child_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_process_injection_with_public_source_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_process_with_namedpipe_commandline_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_process_writing_file_to_world_writable_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_processes_killed_by_industroyer2_malware_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_protocol_tunneling_with_plink_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_proxy_via_netsh_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_proxy_via_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_query_registry_browser_list_application_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_query_registry_reg_save_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_query_registry_uninstall_program_list_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_raccine_scheduled_task_deletion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_rapid_authentication_on_multiple_hosts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_rasautou_dll_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_raw_access_to_disk_volume_partition_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_raw_access_to_master_boot_record_drive_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_rdp_connection_successful_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_registry_bootexecute_modification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_registry_certificate_added_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_registry_delete_task_sd_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_registry_modification_for_safe_mode_persistence_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_registry_payload_injection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_registry_sip_provider_modification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_regsvr32_renamed_binary_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_remote_access_software_brc4_loaded_dll_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_remote_access_software_hunt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_remote_access_software_rms_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_remote_assistance_spawning_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_remote_create_service_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_remote_service_rdpwinst_tool_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_remote_services_allow_rdp_in_firewall_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_remote_services_allow_remote_assistance_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_remote_services_rdp_enable_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_replication_through_removable_media_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_root_domain_linked_policies_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_rundll32_apply_user_settings_changes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_rundll32_webdav_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_rundll32_webdav_with_network_connection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_scheduled_task_created_via_xml_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_scheduled_task_service_spawned_shell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_scheduled_task_with_highest_privileges_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_schtasks_create_run_as_system_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_screen_capture_via_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_security_account_manager_stopped_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_security_support_provider_reg_query_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_server_software_component_gacutil_install_to_gac_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_create_kernel_mode_driver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_create_remcomsvc_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_create_sliverc2_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_create_with_tscon_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_created_with_suspicious_service_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_created_within_public_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_creation_on_remote_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_creation_using_registry_entry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_deletion_in_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_initiation_on_remote_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_stop_by_deletion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_stop_via_net__and_sc_application_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_stop_win_updates_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_sip_provider_inventory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_sip_winverifytrust_failed_trust_validation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_snake_malware_file_modification_crmlog_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_snake_malware_kernel_driver_comadmin_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_snake_malware_registry_modification_wav_openwithprogids_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_snake_malware_service_create_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_soaphound_binary_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_spearphishing_attachment_connect_to_none_ms_office_domain_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_spearphishing_attachment_onenote_spawn_mshta_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_special_privileged_logon_on_multiple_hosts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_sql_spawning_certutil_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_sqlwriter_sqldumper_dll_sideload_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_steal_authentication_certificates___esc1_abuse_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_steal_authentication_certificates___esc1_authentication_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_steal_authentication_certificates_certificate_issued_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_steal_authentication_certificates_certificate_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_steal_authentication_certificates_certutil_backup_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_steal_authentication_certificates_cryptoapi_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_steal_authentication_certificates_cs_backup_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_steal_authentication_certificates_export_certificate_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_steal_authentication_certificates_export_pfxcertificate_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_steal_or_forge_kerberos_tickets_klist_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_suspect_process_with_authentication_traffic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_binary_proxy_execution_compiled_html_file_decompile_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_discovery_using_ldap_nslookup_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_discovery_using_qwinsta_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_file_on_disk_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_logoff_commandline_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_network_config_discovery_display_dns_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_network_connections_discovery_netsh_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_reboot_commandline_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_script_proxy_execution_syncappvpublishingserver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_shutdown_commandline_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_time_discovery_w32tm_delay_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_user_discovery_via_quser_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_user_privilege_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_terminating_lsass_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_time_based_evasion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_time_based_evasion_via_choice_exec_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_uac_bypass_suspicious_child_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_uac_bypass_suspicious_escalation_behavior_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_unsecured_outlook_credentials_access_in_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_unsigned_dll_side_loading_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_unsigned_ms_dll_side_loading_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_unusual_count_of_disabled_users_failed_auth_using_kerberos_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_unusual_count_of_invalid_users_fail_to_auth_using_kerberos_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_unusual_count_of_users_failed_to_auth_using_kerberos_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_unusual_count_of_users_failed_to_authenticate_from_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_unusual_count_of_users_failed_to_authenticate_using_ntlm_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_unusual_count_of_users_remotely_failed_to_auth_from_host_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_user_execution_malicious_url_shortcut_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_valid_account_with_never_expires_password_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_vulnerable_3cx_software_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_vulnerable_driver_loaded_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_windbg_spawning_autoit3_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_winlogon_with_public_network_connection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_wmi_impersonate_token_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_wmi_process_and_service_list_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_wmi_process_call_create_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "winevent_scheduled_task_created_to_spawn_shell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "winevent_scheduled_task_created_within_public_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "winevent_windows_task_scheduler_event_action_started_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "winhlp32_spawning_a_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "winrar_spawning_shell_application_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "winrm_spawning_a_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "winword_spawning_cmd_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "winword_spawning_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "winword_spawning_windows_script_host_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wmi_permanent_event_subscription_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wmi_permanent_event_subscription___sysmon_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wmi_recon_running_process_or_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wmi_temporary_event_subscription_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wmic_group_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wmic_noninteractive_app_uninstallation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wmic_xsl_execution_via_url_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wmiprsve_lolbas_execution_process_spawn_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wscript_or_cscript_suspicious_child_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wsmprovhost_lolbas_execution_process_spawn_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wsreset_uac_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "xmrig_driver_loaded_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "xsl_script_execution_with_wmic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_arp_poisoning_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_dga_domains_using_pretrained_model_in_dsdl_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_dns_data_exfiltration_using_pretrained_model_in_dsdl_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_hosts_connecting_to_dynamic_domain_providers_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_ipv6_network_infrastructure_threats_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_large_outbound_icmp_packets_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_outbound_ldap_traffic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_outbound_smb_traffic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_port_security_violation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_remote_access_software_usage_dns_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_remote_access_software_usage_traffic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_rogue_dhcp_server_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_snicat_sni_exfiltration_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_software_download_to_network_device_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_traffic_mirroring_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_unauthorized_assets_by_mac_address_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_windows_dns_sigred_via_splunk_stream_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_windows_dns_sigred_via_zeek_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_zerologon_via_zeek_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "dns_query_length_outliers___mltk_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "dns_query_length_with_high_standard_deviation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_dns_failures_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "high_volume_of_bytes_out_to_url_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "hosts_receiving_high_volume_of_network_traffic_from_email_server_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "large_volume_of_dns_any_queries_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "multiple_archive_files_http_post_traffic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ngrok_reverse_proxy_on_network_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "plain_http_post_exfiltrated_data_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "prohibited_network_traffic_allowed_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "protocol_or_port_mismatch_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "protocols_passing_authentication_in_cleartext_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_desktop_network_bruteforce_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_desktop_network_traffic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "smb_traffic_spike_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "smb_traffic_spike___mltk_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_identified_ssl_tls_certificates_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ssl_certificates_with_punycode_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "tor_traffic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unusually_long_content_type_length_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_replication_service_traffic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_rogue_domain_controller_network_activity_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "zeek_x509_certificate_with_punycode_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "access_to_vulnerable_ivanti_connect_secure_bookmark_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "adobe_coldfusion_access_control_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "adobe_coldfusion_unauthenticated_arbitrary_file_read_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cisco_ios_xe_implant_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "citrix_adc_and_gateway_unauthorized_data_disclosure_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "citrix_adc_exploitation_cve_2023_3519_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "citrix_sharefile_exploitation_cve_2023_24489_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "confluence_cve_2023_22515_trigger_vulnerability_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "confluence_data_center_and_server_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "confluence_pre_auth_rce_via_ognl_injection_cve_2023_22527_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "confluence_unauthenticated_remote_code_execution_cve_2022_26134_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "connectwise_screenconnect_authentication_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_attackers_scanning_for_vulnerable_jboss_servers_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_f5_tmui_rce_cve_2020_5902_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_malicious_requests_to_exploit_jboss_servers_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_remote_access_software_usage_url_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "exploit_public_facing_application_via_apache_commons_text_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "exploit_public_facing_fortinet_fortinac_cve_2022_39952_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "f5_tmui_authentication_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "fortinet_appliance_auth_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "hunting_for_log4shell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ivanti_connect_secure_command_injection_attempts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ivanti_connect_secure_ssrf_in_saml_component_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ivanti_connect_secure_system_information_access_via_auth_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35078_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35082_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ivanti_sentry_authentication_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "jenkins_arbitrary_file_read_cve_2024_23897_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "jetbrains_teamcity_authentication_bypass_cve_2024_27198_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "jetbrains_teamcity_authentication_bypass_suricata_cve_2024_27198_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "jetbrains_teamcity_limited_auth_bypass_suricata_cve_2024_27199_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "jetbrains_teamcity_rce_attempt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "juniper_networks_remote_code_execution_exploit_detection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "log4shell_jndi_payload_injection_attempt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "log4shell_jndi_payload_injection_with_outbound_connection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "microsoft_sharepoint_server_elevation_of_privilege_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "monitor_web_traffic_for_brand_abuse_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "nginx_connectwise_screenconnect_authentication_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "papercut_ng_remote_web_access_attempt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "proxyshell_proxynotshell_behavior_detected_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "spring4shell_payload_url_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "sql_injection_with_long_urls_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "supernova_webshell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "vmware_aria_operations_exploit_attempt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "vmware_server_side_template_injection_hunt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "vmware_workspace_one_freemarker_server_side_template_injection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "web_jsp_request_via_url_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "web_remote_shellservlet_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "web_spring4shell_http_request_class_module_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "web_spring_cloud_function_functionrouter_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_exchange_autodiscover_ssrf_abuse_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wordpress_bricks_builder_plugin_rce_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ws_ftp_remote_code_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "zscaler_adware_activities_threat_blocked_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "zscaler_behavior_analysis_threat_blocked_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "zscaler_cryptominer_downloaded_threat_blocked_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "zscaler_employment_search_web_activity_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "zscaler_exploit_threat_blocked_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "zscaler_legal_liability_threat_blocked_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "zscaler_malware_activity_threat_blocked_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "zscaler_phishing_activity_threat_blocked_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "zscaler_potentially_abused_file_download_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "zscaler_privacy_risk_destinations_threat_blocked_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "zscaler_scam_destinations_threat_blocked_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "zscaler_virus_download_threat_blocked_filter"}]} \ No newline at end of file diff --git a/dist/api/response_tasks.json b/dist/api/response_tasks.json deleted file mode 100644 index c95b595c3b..0000000000 --- a/dist/api/response_tasks.json +++ /dev/null @@ -1 +0,0 @@ -{"response_tasks": [{"name": "All backup logs for host", "author": "Rico Valdez, Splunk", "date": "2017-09-12", "version": 1, "id": "bc91a8cf-aaaa-4bb2-8140-e756cc06fd72", "description": "Retrieve the backup logs for the last 2 weeks for a specific host in order to investigate why backups are not completing successfully.", "references": [], "type": "Investigation", "datamodel": [], "search": "| search `netbackup` dest=$dest$", "how_to_implement": "The successfully implement this search you must first send your backup logs to Splunk.", "known_false_positives": "none", "inputs": ["dest"], "tags": {"analytic_story": ["Monitor Backup Solution"], "product": ["Splunk Phantom"], "required_fields": ["_time", "dest"], "security_domain": "endpoint"}, "lowercase_name": "all_backup_logs_for_host"}, {"name": "Amazon EKS Kubernetes activity by src ip", "author": "Rod Soto, Splunk", "date": "2020-04-13", "version": 1, "id": "a636cca4-7434-4a15-a278-c70734938e39", "description": "This search provides investigation data about requests via user agent, authentication request URI, verb and cluster name data against Kubernetes cluster from a specific IP address", "references": [], "type": "Investigation", "datamodel": [], "search": "`aws_cloudwatchlogs_eks` |rename sourceIPs{} as src_ip |search src_ip=$src_ip$ | stats count min(_time) as firstTime max(_time) as lastTime values(user.username) values(requestURI) values(verb) values(userAgent) by source annotations.authorization.k8s.io/decision src_ip", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your Cloud Watch EKS inputs.", "known_false_positives": "", "inputs": ["src_ip"], "tags": {"analytic_story": ["Kubernetes Scanning Activity"], "product": ["Splunk Phantom"], "required_fields": ["_time", "sourceIPs{}", "user.username", "requestURI", "verb", "userAgent", "annotations.authorization.k8s.io/decision"], "security_domain": "network"}, "lowercase_name": "amazon_eks_kubernetes_activity_by_src_ip"}, {"name": "AWS Investigate Security Hub alerts by dest", "author": "Bhavin Patel, Splunk", "date": "2020-06-08", "version": 1, "id": "b0d2e6a8-75fa-4b1b-9486-3d32acadf822", "description": "This search retrieves the all the alerts created by AWS Security Hub for a specific dest(instance_id).", "references": [], "type": "Investigation", "datamodel": [], "search": "`aws_securityhub_firehose` \"findings{}.Resources{}.Type\"=AWSEC2Instance | rex field=findings{}.Resources{}.Id .*instance/(?<instance>.*)| rename instance as dest| search dest = $dest$ |rename findings{}.* as * | rename Remediation.Recommendation.Text as Remediation | table dest Title ProductArn Description FirstObservedAt RecordState Remediation", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs.", "known_false_positives": "", "inputs": ["dest"], "tags": {"analytic_story": ["AWS Suspicious Provisioning Activities", "Cloud Cryptomining", "Suspicious AWS EC2 Activities"], "product": ["Splunk Phantom"], "required_fields": ["_time", "findings{}.Resources{}.Type", "findings{}.Resources{}.Id", "instance", "Remediation.Recommendation.Text", "Title", "ProductArn", "Description", "FirstObservedAt", "RecordState"], "security_domain": "network"}, "lowercase_name": "aws_investigate_security_hub_alerts_by_dest"}, {"name": "AWS Investigate User Activities By AccessKeyId", "author": "David Dorsey, Splunk", "date": "2018-06-08", "version": 1, "id": "703b65a4-a0ae-4171-965d-45507506c64f", "description": "This search retrieves the times, ARN, source IPs, AWS regions, event names, and the result of the event for specific credentials.", "references": [], "type": "Investigation", "datamodel": [], "search": "`cloudtrail` | rename userIdentity.accessKeyId as accessKeyId| search accessKeyId=$accessKeyId$ | spath output=user path=userIdentity.arn | rename sourceIPAddress as src_ip | table _time, user, src_ip, awsRegion, eventName, errorCode, errorMessage", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs.", "known_false_positives": "", "inputs": ["accessKeyId"], "tags": {"analytic_story": ["AWS Cross Account Activity"], "product": ["Splunk Phantom", "Splunk Security Analytics for AWS"], "required_fields": ["_time", "userIdentity.accessKeyId", "userIdentity.arn", "sourceIPAddress", "awsRegion", "eventName", "errorCode", "errorMessage"], "security_domain": "network"}, "lowercase_name": "aws_investigate_user_activities_by_accesskeyid"}, {"name": "AWS Investigate User Activities By ARN", "author": "Bhavin Patel, Splunk", "date": "2019-04-30", "version": 2, "id": "bc91a8cd-35e7-4bb2-6140-e756cc46fd72", "description": "This search lists all the logged CloudTrail activities by a specific user ARN and will create a table containing the source of the user, the region of the activity, the name and type of the event, the action taken, and all the user's identity information.", "references": [], "type": "Investigation", "datamodel": [], "search": "`cloudtrail` | search user=$user$| table _time userIdentity.type userIdentity.userName userIdentity.arn aws_account_id src awsRegion eventName eventType", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs.", "known_false_positives": "", "inputs": ["user"], "tags": {"analytic_story": ["AWS Cryptomining", "AWS Network ACL Activity", "AWS Security Hub Alerts", "AWS Suspicious Provisioning Activities", "Cloud Cryptomining", "Command And Control", "Suspicious AWS EC2 Activities", "Suspicious AWS Login Activities", "Suspicious AWS S3 Activities", "Suspicious AWS Traffic", "Suspicious Cloud Instance Activities", "Suspicious Cloud User Activities", "Unusual AWS EC2 Modifications"], "product": ["Splunk Phantom"], "required_fields": ["_time", "user", "userIdentity.type", "userIdentity.userName", "userIdentity.arn", "aws_account_id", "src", "awsRegion", "eventName", "eventType"], "security_domain": "network"}, "lowercase_name": "aws_investigate_user_activities_by_arn"}, {"name": "AWS Network ACL Details from ID", "author": "Bhavin Patel, Splunk", "date": "2017-01-22", "version": 1, "id": "2e11293f-c795-41bd-b470-fc87adc4e196", "description": "This search queries AWS description logs and returns all the information about a specific network ACL via network ACL ID", "references": [], "type": "Investigation", "datamodel": [], "search": "`aws_description` | rename id as networkAclId | search networkAclId=$networkAclId$ | table id account_id vpc_id network_acl_entries{}.*", "how_to_implement": "In order to implement this search, you must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS(version 4.4.0 or later) and configure your AWS description inputs.", "known_false_positives": "", "inputs": ["networkAclId"], "tags": {"analytic_story": ["AWS Network ACL Activity", "Command And Control", "Suspicious AWS Traffic"], "product": ["Splunk Phantom"], "required_fields": ["_time", "id", "account_id", "vpc_id", "network_acl_entries{}.*"], "security_domain": "network"}, "lowercase_name": "aws_network_acl_details_from_id"}, {"name": "AWS Network Interface details via resourceId", "author": "Bhavin Patel, Splunk", "date": "2018-05-07", "version": 1, "id": "c55b0a17-8fca-4315-81e3-65ceaa176441", "description": "This search queries AWS configuration logs and returns the information about a specific network interface via network interface ID. The information will include the ARN of the network interface, its relationships with other AWS resources, the public and the private IP associated with the network interface.", "references": [], "type": "Investigation", "datamodel": [], "search": "`aws_config` resourceId=$resourceId$ | table _time ARN relationships{}.resourceType relationships{}.name relationships{}.resourceId configuration.privateIpAddresses{}.privateIpAddress configuration.privateIpAddresses{}.association.publicIp", "how_to_implement": "In order to implement this search, you must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS(version 4.4.0 or later) and configure your AWS configuration inputs", "known_false_positives": "", "inputs": ["resourceId"], "tags": {"analytic_story": ["AWS Network ACL Activity", "Command And Control", "Suspicious AWS Traffic"], "product": ["Splunk Phantom"], "required_fields": ["_time", "resourceId", "ARN", "relationships{}.resourceType", "relationships{}.name", "relationships{}.resourceId", "configuration.privateIpAddresses{}.privateIpAddress", "configuration.privateIpAddresses{}.association.publicIp"], "security_domain": "network"}, "lowercase_name": "aws_network_interface_details_via_resourceid"}, {"name": "AWS S3 Bucket details via bucketName", "author": "Bhavin Patel, Splunk", "date": "2018-06-26", "version": 1, "id": "2762d4ed-9266-465e-b966-1c10dc8d91f3", "description": "This search queries AWS configuration logs and returns the information about a specific S3 bucket. The information returned includes the time the S3 bucket was created, the resource ID, the region it belongs to, the value of action performed, AWS account ID, and configuration values of the access-control lists associated with the bucket.", "references": [], "type": "Investigation", "datamodel": [], "search": "`aws_config` | rename resourceId as bucketName |search bucketName=$bucketName$ | table resourceCreationTime bucketName vendor_region action aws_account_id supplementaryConfiguration.AccessControlList", "how_to_implement": "To implement this search, you must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later) and configure your AWS inputs.", "known_false_positives": "", "inputs": ["bucketName"], "tags": {"analytic_story": ["Suspicious AWS S3 Activities"], "product": ["Splunk Phantom"], "required_fields": ["_time", "resourceId", "bucketName", "resourceCreationTime", "vendor_region", "action", "aws_account_id", "supplementaryConfiguration.AccessControlList"], "security_domain": "network"}, "lowercase_name": "aws_s3_bucket_details_via_bucketname"}, {"name": "GCP Kubernetes activity by src ip", "author": "Rod Soto, Splunk", "date": "2020-04-13", "version": 1, "id": "c00e7626-92cc-4e06-9a51-b6db0a50bd1f", "description": "This search provides investigation data about requests via user agent, authentication request URI, resource path and cluster name data against Kubernetes cluster from a specific IP address", "references": [], "type": "Investigation", "datamodel": [], "search": "`google_gcp_pubsub_message` | rename data.protoPayload.requestMetadata.callerIp as src_ip | search src_ip =$src_ip$ | stats count min(_time) as firstTime max(_time) as lastTime values(data.protoPayload.methodName) as method_names values(data.protoPayload.resourceName) as resource_name values(data.protoPayload.requestMetadata.callerSuppliedUserAgent) as http_user_agent values(data.protoPayload.authenticationInfo.principalEmail) as user values(data.protoPayload.status.message) by src_ip data.resource.labels.cluster_name data.resource.type", "how_to_implement": "You must install the GCP App for Splunk (version 2.0.0 or later), then configure stackdriver and set a Pub/Sub subscription to be imported to Splunk. You must also install Cloud Infrastructure data model.Customize the macro kubernetes_gcp_scan_fingerprint_attack_detection to filter out FPs.", "known_false_positives": "", "inputs": ["src_ip"], "tags": {"analytic_story": ["Kubernetes Scanning Activity"], "product": ["Splunk Phantom"], "required_fields": ["_time", "data.protoPayload.requestMetadata.callerIp", "data.protoPayload.methodName", "data.protoPayload.resourceName", "data.protoPayload.requestMetadata.callerSuppliedUserAgent", "data.protoPayload.authenticationInfo.principalEmail", "data.protoPayload.status.message", "data.resource.labels.cluster_name", "data.resource.type"], "security_domain": "network"}, "lowercase_name": "gcp_kubernetes_activity_by_src_ip"}, {"name": "Get All AWS Activity From City", "author": "David Dorsey, Splunk", "date": "2018-03-19", "version": 1, "id": "0abeeb40-1255-4b68-91d1-7a7eb410c4b8", "description": "This search retrieves all the activity from a specific city and will create a table containing the time, city, ARN, username, the type of user, the source IP address, the AWS region the activity was in, the API called, and whether or not the API call was successful.", "references": [], "type": "Investigation", "datamodel": [], "search": "`cloudtrail` | iplocation sourceIPAddress | search City=$City$ | spath output=user path=userIdentity.arn | spath output=awsUserName path=userIdentity.userName | spath output=userType path=userIdentity.type | rename sourceIPAddress as src_ip | table _time, City, user, userName, userType, src_ip, awsRegion, eventName, errorCode", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs.", "known_false_positives": "", "inputs": ["City"], "tags": {"analytic_story": ["AWS Suspicious Provisioning Activities"], "product": ["Splunk Phantom"], "required_fields": ["_time", "sourceIPAddress", "userIdentity.arn", "userIdentity.userName", "userIdentity.type", "awsRegion", "eventName", "errorCode"], "security_domain": "network"}, "lowercase_name": "get_all_aws_activity_from_city"}, {"name": "Get All AWS Activity From Country", "author": "David Dorsey, Splunk", "date": "2018-03-19", "version": 1, "id": "e763cdb9-00da-41e0-9bda-444debc9501a", "description": "This search retrieves all the activity from a specific country and will create a table containing the time, country, ARN, username, the type of user, the source IP address, the AWS region the activity was in, the API called, and whether or not the API call was successful.", "references": [], "type": "Investigation", "datamodel": [], "search": "`cloudtrail` | iplocation sourceIPAddress | search Country=$Country$ | spath output=user path=userIdentity.arn | spath output=awsUserName path=userIdentity.userName | spath output=userType path=userIdentity.type | rename sourceIPAddress as src_ip | table _time, Country, user, userName, userType, src_ip, awsRegion, eventName, errorCode", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs.", "known_false_positives": "", "inputs": ["Country"], "tags": {"analytic_story": ["AWS Suspicious Provisioning Activities"], "product": ["Splunk Phantom"], "required_fields": ["_time", "sourceIPAddress", "userIdentity.arn", "userIdentity.userName", "userIdentity.type", "awsRegion", "eventName", "errorCode"], "security_domain": "network"}, "lowercase_name": "get_all_aws_activity_from_country"}, {"name": "Get All AWS Activity From IP Address", "author": "David Dorsey, Splunk", "date": "2018-03-19", "version": 1, "id": "446ec87a-85c6-40d4-b060-bea4498281d6", "description": "This search retrieves all the activity from a specific IP address and will create a table containing the time, ARN, username, the type of user, the IP address, the AWS region the activity was in, the API called, and whether or not the API call was successful.", "references": [], "type": "Investigation", "datamodel": [], "search": "`cloudtrail` | iplocation sourceIPAddress | search src_ip=$src_ip$ | spath output=user path=userIdentity.arn | spath output=awsUserName path=userIdentity.userName | spath output=userType path=userIdentity.type | rename sourceIPAddress as src_ip | table _time, user, userName, userType, src_ip, awsRegion, eventName, errorCode", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs.", "known_false_positives": "", "inputs": ["src_ip"], "tags": {"analytic_story": ["AWS Network ACL Activity", "AWS Suspicious Provisioning Activities", "Command And Control", "Suspicious AWS S3 Activities", "Suspicious AWS Traffic", "Suspicious Cloud Instance Activities"], "product": ["Splunk Phantom"], "required_fields": ["_time", "sourceIPAddress", "userIdentity.arn", "userIdentity.userName", "userIdentity.type", "awsRegion", "eventName", "errorCode"], "security_domain": "network"}, "lowercase_name": "get_all_aws_activity_from_ip_address"}, {"name": "Get All AWS Activity From Region", "author": "David Dorsey, Splunk", "date": "2018-03-19", "version": 1, "id": "5b794bef-1743-4f6f-804a-43915a2702ff", "description": "This search retrieves all the activity from a specific geographic region and will create a table containing the time, geographic region, ARN, username, the type of user, the source IP address, the AWS region the activity was in, the API called, and whether or not the API call was successful.", "references": [], "type": "Investigation", "datamodel": [], "search": "`cloudtrail` | iplocation sourceIPAddress | search Region=$Region$ | spath output=user path=userIdentity.arn | spath output=awsUserName path=userIdentity.userName | spath output=userType path=userIdentity.type | rename sourceIPAddress as src_ip | table _time, Region, user, userName, userType, src_ip, awsRegion, eventName, errorCode", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs.", "known_false_positives": "", "inputs": ["Region"], "tags": {"analytic_story": ["AWS Suspicious Provisioning Activities"], "product": ["Splunk Phantom"], "required_fields": ["_time", "sourceIPAddress", "userIdentity.arn", "userIdentity.userName", "userIdentity.type", "awsRegion", "eventName", "errorCode"], "security_domain": "network"}, "lowercase_name": "get_all_aws_activity_from_region"}, {"name": "Get Backup Logs For Endpoint", "author": "David Dorsey, Splunk", "date": "2017-09-14", "version": 1, "id": "fdcfb369-1725-4c24-824a-22972d7f0d44", "description": "This search will tell you the backup status from your netbackup_logs of a specific endpoint for the last week.", "references": [], "type": "Investigation", "datamodel": [], "search": "`netbackup` COMPUTERNAME=$dest$ | rename COMPUTERNAME as dest, MESSAGE as signature | table _time, dest, signature", "how_to_implement": "You must be ingesting your backup logs.", "known_false_positives": "", "inputs": ["dest"], "tags": {"analytic_story": ["Ransomware", "SamSam Ransomware"], "product": ["Splunk Phantom"], "required_fields": ["_time", "COMPUTERNAME", "MESSAGE"], "security_domain": "endpoint"}, "lowercase_name": "get_backup_logs_for_endpoint"}, {"name": "Get Certificate logs for a domain", "author": "Bhavin Patel, Splunk", "date": "2019-04-29", "version": 2, "id": "bc91a8cf-35e7-4bb2-2240-e756cc06fd73", "description": "This search queries the Certificates datamodel and give you all the information for a specific domain. Please note that the certificates issued by \"Let's Encrypt\" are widely used by attackers.", "references": [], "type": "Investigation", "datamodel": [], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Certificates.All_Certificates where All_Certificates.SSL.ssl_subject_common_name=*$domain$ by All_Certificates.dest All_Certificates.src All_Certificates.SSL.ssl_issuer_common_name All_Certificates.SSL.ssl_subject_common_name All_Certificates.SSL.ssl_hash | `drop_dm_object_name(All_Certificates)` | `drop_dm_object_name(SSL)` | rename ssl_subject_common_name as domain | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`", "how_to_implement": "You must be ingesting your certificates or SSL logs from your network traffic into your Certificates datamodel. Please note the wildcard(*) before domain in the search syntax, we use to match for all domain and subdomain combinations", "known_false_positives": "", "inputs": ["domain"], "tags": {"analytic_story": ["Common Phishing Frameworks"], "product": ["Splunk Phantom"], "required_fields": ["_time", "All_Certificates.SSL.ssl_subject_common_name", "All_Certificates.dest", "All_Certificates.src", "All_Certificates.SSL.ssl_issuer_common_name", "All_Certificates.SSL.ssl_hash"], "security_domain": "network"}, "lowercase_name": "get_certificate_logs_for_a_domain"}, {"name": "Get DNS Server History for a host", "author": "Bhavin Patel, Splunk", "date": "2017-11-09", "version": 1, "id": "bc91a8cf-35e7-4bb2-8140-e756cc06fd72", "description": "While investigating any detections it is important to understand which and how many DNS servers a host has connected to in the past. This search uses data that is tagged as DNS and gives you a count and list of DNS servers that a particular host has connected to the previous 24 hours.", "references": [], "type": "Investigation", "datamodel": [], "search": "| search tag=dns src_ip=$src_ip$ dest_port=53 | streamstats time_window=1d count values(dest_ip) as dcip by src_ip | table date_mday src_ip dcip count | sort -count", "how_to_implement": "To successfully implement this search, you must be ingesting your DNS traffic", "known_false_positives": "", "inputs": ["src_ip"], "tags": {"analytic_story": ["AWS Network ACL Activity", "Command And Control", "DNS Hijacking", "Data Protection", "Dynamic DNS", "Hidden Cobra Malware", "Host Redirection", "Prohibited Traffic Allowed or Protocol Mismatch", "Suspicious AWS Traffic", "Suspicious DNS Traffic"], "product": ["Splunk Phantom"], "required_fields": ["_time", "src_ip", "dest_port", "dest_ip"], "security_domain": "network"}, "lowercase_name": "get_dns_server_history_for_a_host"}, {"name": "Get DNS traffic ratio", "author": "Bhavin Patel, Splunk", "date": "2017-11-09", "version": 1, "id": "bc91a8cf-35e7-4bb2-8140-e756cc06fd73", "description": "This search calculates the ratio of DNS traffic originating and coming from a host to a list of DNS servers over the last 24 hours. A high value of this ratio could be very useful to quickly understand if a src_ip (host) is sending a high volume of data out via port 53, could be an indicator of data exfiltration via DNS. ", "references": [], "type": "Investigation", "datamodel": ["Network_Traffic"], "search": "| tstats allow_old_summaries=true sum(All_Traffic.bytes_out) as \"bytes_out\" sum(All_Traffic.bytes_in) as \"bytes_in\" from datamodel=Network_Traffic where nodename=All_Traffic All_Traffic.dest_port=53 by All_Traffic.src All_Traffic.dest| `drop_dm_object_name(All_Traffic)` | rename src as src_ip | rename dest as dest_ip | search src_ip=$src_ip$ | search dest_ip = $dest_ip | eval ratio = (bytes_out/bytes_in) | table ratio", "how_to_implement": "You must be ingesting your network traffic", "known_false_positives": "", "inputs": ["src_ip"], "tags": {"analytic_story": ["AWS Network ACL Activity", "Command And Control", "Data Protection", "Dynamic DNS", "Hidden Cobra Malware", "Suspicious AWS Traffic", "Suspicious DNS Traffic"], "product": ["Splunk Phantom"], "required_fields": ["_time", "All_Traffic.bytes_out", "All_Traffic.bytes_in", "All_Traffic.dest_port", "All_Traffic.src", "All_Traffic.dest"], "security_domain": "network"}, "lowercase_name": "get_dns_traffic_ratio"}, {"name": "Get EC2 Instance Details by instanceId", "author": "Bhavin Patel, Splunk", "date": "2018-02-12", "version": 1, "id": "de4aed1d-f13a-4d2f-a97a-73c60e2e6b56", "description": "This search queries AWS description logs and returns all the information about a specific instance via the instanceId field", "references": [], "type": "Investigation", "datamodel": [], "search": "`aws_description` | dedup id sortby -_time |rename id as instanceId| search instanceId=$instanceId$ | spath output=tags path=tags | eval tags=mvzip(key,value,\" = \"), ip_address=if((ip_address == \"null\"),private_ip_address,ip_address) | table id, tags.Name, aws_account_id, placement, instance_type, key_name, ip_address, launch_time, state, vpc_id, subnet_id, tags | rename aws_account_id as \"Account ID\", id as ID, instance_type as Type, ip_address as \"IP Address\", key_name as \"Key Pair\", launch_time as \"Launch Time\", placement as \"Availability Zone\", state as State, subnet_id as Subnet, \"tags.Name\" as Name, vpc_id as VPC", "how_to_implement": "In order to implement this search, you must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS(version 4.4.0 or later) and configure your AWS description inputs.", "known_false_positives": "", "inputs": ["instanceId"], "tags": {"analytic_story": ["AWS Cryptomining", "AWS Security Hub Alerts", "Cloud Cryptomining", "Suspicious AWS EC2 Activities", "Unusual AWS EC2 Modifications"], "product": ["Splunk Phantom"], "required_fields": ["_time", "id", "ip_address", "tags", "aws_account_id", "placement", "instance_type", "key_name", "launch_time", "state", "vpc_id", "subnet_id"], "security_domain": "network"}, "lowercase_name": "get_ec2_instance_details_by_instanceid"}, {"name": "Get EC2 Launch Details", "author": "Bhavin Patel, Splunk", "date": "2018-03-12", "version": 1, "id": "0e40fe83-3edb-4d86-8206-8fed36529ca6", "description": "This search returns some of the launch details for a EC2 instance.", "references": [], "type": "Investigation", "datamodel": [], "search": "`cloudtrail` dest=$dest$ |rename userIdentity.arn as arn, responseElements.instancesSet.items{}.instanceId as dest, responseElements.instancesSet.items{}.privateIpAddress as privateIpAddress, responseElements.instancesSet.items{}.imageId as amiID, responseElements.instancesSet.items{}.architecture as architecture, responseElements.instancesSet.items{}.keyName as keyName | table arn, awsRegion, dest, architecture, privateIpAddress, amiID, keyName", "how_to_implement": "In order to implement this search, you must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS(version 4.4.0 or later) and configure your AWS description inputs.", "known_false_positives": "", "inputs": ["dest"], "tags": {"analytic_story": ["AWS Cryptomining", "AWS Security Hub Alerts", "Cloud Cryptomining", "Suspicious AWS EC2 Activities"], "product": ["Splunk Phantom"], "required_fields": ["_time", "dest", "userIdentity.arn", "responseElements.instancesSet.items{}.instanceId", "responseElements.instancesSet.items{}.privateIpAddress", "responseElements.instancesSet.items{}.imageId", "responseElements.instancesSet.items{}.architecture", "responseElements.instancesSet.items{}.keyName"], "security_domain": "network"}, "lowercase_name": "get_ec2_launch_details"}, {"name": "Get Email Info", "author": "Bhavin Patel, Splunk", "date": "2017-11-09", "version": 1, "id": "bc91a8cf-35e7-4bb2-8140-e756cc06fd75", "description": "This search returns all the information Splunk might have collected a specific email message over the last 2 hours.", "references": [], "type": "Investigation", "datamodel": [], "search": "| from datamodel Email.All_Email | search message_id=$message_id$", "how_to_implement": "To successfully implement this search you must be ingesting your email logs or capturing unencrypted network traffic which contains email communications.", "known_false_positives": "", "inputs": ["message_id"], "tags": {"analytic_story": ["Brand Monitoring", "Suspicious Emails"], "product": ["Splunk Phantom"], "required_fields": ["_time", "message"], "security_domain": "network"}, "lowercase_name": "get_email_info"}, {"name": "Get Emails From Specific Sender", "author": "David Dorsey, Splunk", "date": "2017-11-09", "version": 1, "id": "5df39b3f-447d-4869-b673-8f45ad4616fe", "description": "This search returns all the emails from a specific sender over the last 24 and next hours.", "references": [], "type": "Investigation", "datamodel": [], "search": "| from datamodel Email.All_Email | search src_user=$src_user$", "how_to_implement": "To successfully implement this search you must ingest your email logs or capture unencrypted email communications within network traffic, and populate the Email data model.", "known_false_positives": "", "inputs": ["src_user"], "tags": {"analytic_story": ["Brand Monitoring", "Suspicious Emails", "Web Fraud Detection"], "product": ["Splunk Phantom"], "required_fields": ["_time", "src_user"], "security_domain": "network"}, "lowercase_name": "get_emails_from_specific_sender"}, {"name": "Get First Occurrence and Last Occurrence of a MAC Address", "author": "Bhavin Patel, Splunk", "date": "2017-09-13", "version": 1, "id": "bc91a8cf-35e7-4bb2-8140-e756cc06fd33", "description": "This search allows you to gather more context around a notable which has detected a new device connecting to your network. Use this search to determine the first and last occurrences of the suspicious device attempting to connect with your network.", "references": [], "type": "Investigation", "datamodel": ["Network_Sessions"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Sessions where nodename=All_Sessions.DHCP All_Sessions.signature=DHCPREQUEST All_Sessions.src_mac= $src_mac$ by All_Sessions.src_ip All_Sessions.user | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)`", "how_to_implement": "To successfully implement this search, you must be ingesting the logs from your DHCP server.", "known_false_positives": "", "inputs": ["src_mac"], "tags": {"analytic_story": ["Asset Tracking"], "product": ["Splunk Phantom"], "required_fields": ["_time", "All_Sessions.DHCP", "All_Sessions.signature", "All_Sessions.src_mac", "All_Sessions.src_ip", "All_Sessions.user"], "security_domain": "network"}, "lowercase_name": "get_first_occurrence_and_last_occurrence_of_a_mac_address"}, {"name": "Get History Of Email Sources", "author": "Rico Valdez, Splunk", "date": "2019-02-21", "version": 1, "id": "ddc7af28-c34d-4392-af93-7f29a4e8806c", "description": "This search returns a list of all email sources seen in the 48 hours prior to the notable event to 24 hours after, and the number of emails from each source.", "references": [], "type": "Investigation", "datamodel": ["Email"], "search": "|tstats `security_content_summariesonly` values(All_Email.dest) as dest values(All_Email.recipient) as recepient min(_time) as firstTime max(_time) as lastTime count from datamodel=Email.All_Email by All_Email.src |`drop_dm_object_name(All_Email)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search src=$src$", "how_to_implement": "To successfully implement this search you must ingest your email logs or capture unencrypted email communications within network traffic, and populate the Email data model.", "known_false_positives": "", "inputs": ["src"], "tags": {"analytic_story": ["Emotet Malware DHS Report TA18-201A", "Hidden Cobra Malware", "Lateral Movement", "Malicious PowerShell", "Orangeworm Attack Group", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Ransomware", "SamSam Ransomware"], "product": ["Splunk Phantom"], "required_fields": ["_time", "All_Email.dest", "All_Email.recipient", "All_Email.src"], "security_domain": "network"}, "lowercase_name": "get_history_of_email_sources"}, {"name": "Get Logon Rights Modifications For Endpoint", "author": "David Dorsey, Splunk", "date": "2017-09-12", "version": 2, "id": "03bffe94-ec7a-4cbe-b677-6af40d1c4505", "description": "This search allows you to retrieve any modifications to logon rights associated with a specific host.", "references": [], "type": "Investigation", "datamodel": [], "search": "`wineventlog_security` (signature_id=4718 OR signature_id=4717) dest=$dest$ | rename user as \"Account Modified\" | table _time, dest, \"Account Modified\", Access_Right, signature", "how_to_implement": "To successfully implement this search you must be ingesting your Windows event logs", "known_false_positives": "", "inputs": ["dest"], "tags": {"analytic_story": ["AWS Cryptomining"], "product": ["Splunk Phantom"], "required_fields": ["_time", "signature_id", "dest", "user"], "security_domain": "endpoint"}, "lowercase_name": "get_logon_rights_modifications_for_endpoint"}, {"name": "Get Logon Rights Modifications For User", "author": "David Dorsey, Splunk", "date": "2019-02-27", "version": 2, "id": "552bc86c-f72c-4d44-b3f2-06ede13af7bb", "description": "This search allows you to retrieve any modifications to logon rights for a specific user account.", "references": [], "type": "Investigation", "datamodel": [], "search": "`wineventlog_security` (signature_id=4718 OR signature_id=4717) user=$user$ | rename user as \"Account Modified\" | table _time, dest, \"Account Modified\", Access_Right, signature", "how_to_implement": "To successfully implement this search you must be ingesting your Windows event logs", "known_false_positives": "", "inputs": ["user"], "tags": {"analytic_story": ["AWS Cryptomining"], "product": ["Splunk Phantom"], "required_fields": ["_time", "signature_id", "dest", "user"], "security_domain": "endpoint"}, "lowercase_name": "get_logon_rights_modifications_for_user"}, {"name": "Get Notable History", "author": "Bhavin Patel, Splunk", "date": "2017-09-20", "version": 2, "id": "3d6c3213-5fff-4a1e-b57d-b24c262171e7", "description": "This search queries the notable index and returns all the Notable Events for the particular destination host, giving the analyst an overview of the incidents that may have occurred with the host under investigation.", "references": [], "type": "Investigation", "datamodel": [], "search": "| search `notable` | search dest=$dest$ | table _time, dest, rule_name, owner, priority, severity, status_description", "how_to_implement": "If you are using Enterprise Security you are likely already creating notable events with your correlation rules. No additional configuration is necessary.", "known_false_positives": "", "inputs": ["dest"], "tags": {"analytic_story": ["AWS Cross Account Activity", "AWS Cryptomining", "AWS Network ACL Activity", "AWS User Monitoring", "Apache Struts Vulnerability", "Asset Tracking", "Brand Monitoring", "Cloud Cryptomining", "ColdRoot MacOS RAT", "Collection and Staging", "Command And Control", "DHS Report TA18-074A", "DNS Amplification Attacks", "Data Exfiltration", "Data Protection", "Detect Zerologon Attack", "Disabling Security Tools", "Dynamic DNS", "Emotet Malware DHS Report TA18-201A", "F5 TMUI RCE CVE-2020-5902", "GCP Cross Account Activity", "Hidden Cobra Malware", "Host Redirection", "JBoss Vulnerability", "Kubernetes Scanning Activity", "Kubernetes Sensitive Object Access Activity", "Kubernetes Sensitive Role Activity", "Lateral Movement", "Malicious PowerShell", "Monitor Backup Solution", "Monitor for Unauthorized Software", "Monitor for Updates", "Netsh Abuse", "Orangeworm Attack Group", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Prohibited Traffic Allowed or Protocol Mismatch", "Ransomware", "Ransomware Cloud", "Router and Infrastructure Security", "Ryuk Ransomware", "SQL Injection", "SamSam Ransomware", "Spectre And Meltdown Vulnerabilities", "Suspicious AWS EC2 Activities", "Suspicious AWS S3 Activities", "Suspicious AWS Traffic", "Suspicious Cloud Authentication Activities", "Suspicious Cloud Provisioning Activities", "Suspicious Command-Line Executions", "Suspicious DNS Traffic", "Suspicious Emails", "Suspicious GCP Storage Activities", "Suspicious MSHTA Activity", "Suspicious WMI Use", "Suspicious Windows Registry Activities", "Unusual AWS EC2 Modifications", "Unusual Processes", "Use of Cleartext Protocols", "Web Fraud Detection", "Windows DNS SIGRed CVE-2020-1350", "Windows Defense Evasion Tactics", "Windows File Extension and Association Abuse", "Windows Log Manipulation", "Windows Persistence Techniques", "Windows Privilege Escalation", "Windows Service Abuse"], "product": ["Splunk Phantom"], "required_fields": ["_time"], "security_domain": "endpoint"}, "lowercase_name": "get_notable_history"}, {"name": "Get Outbound Emails to Hidden Cobra Threat Actors", "author": "Bhavin Patel, Splunk", "date": "2018-06-14", "version": 1, "id": "80bac352-e089-46b9-a6a4-8a8467d4d8cf", "description": "This search returns the information of the users that sent emails to the accounts controlled by the Hidden Cobra Threat Actors: specifically to `misswang8107@gmail.com`, and from `redhat@gmail.com`.", "references": [], "type": "Investigation", "datamodel": ["Email"], "search": "| from datamodel Email.All_Email | search recipient=misswang8107@gmail.com OR src_user=redhat@gmail.com | stats count earliest(_time) as firstTime, latest(_time) as lastTime values(dest) values(src) by src_user recipient | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`", "how_to_implement": "To successfully implement this search you must ingest your email logs or capture unencrypted email communications within network traffic, and populate the Email data model.", "known_false_positives": "", "inputs": [], "tags": {"analytic_story": ["Hidden Cobra Malware"], "product": ["Splunk Phantom"], "required_fields": ["_time", "recipient", "src_user", "dest", "sec"], "security_domain": "network"}, "lowercase_name": "get_outbound_emails_to_hidden_cobra_threat_actors"}, {"name": "Get Parent Process Info", "author": "Bhavin Patel, Splunk", "date": "2019-02-28", "version": 2, "id": "fecf2918-670d-4f1c-872b-3d7317a41bf9", "description": "This search queries the Endpoint data model to give you details about the parent process of a process running on a host which is under investigation. Enter the values of the process name in question and the dest", "references": [], "type": "Investigation", "datamodel": ["Endpoint"], "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes by Processes.user Processes.parent_process_name Processes.process_name Processes.dest | `drop_dm_object_name(\"Processes\")` | search parent_process_name= $parent_process_name$ |search dest = $dest$ | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`", "how_to_implement": "You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the \"process\" field in the Endpoint data model.", "known_false_positives": "", "inputs": ["parent_process_name", "dest"], "tags": {"analytic_story": ["Collection and Staging", "Command And Control", "DHS Report TA18-074A", "Disabling Security Tools", "Emotet Malware DHS Report TA18-201A", "Hidden Cobra Malware", "Lateral Movement", "Malicious PowerShell", "Monitor for Unauthorized Software", "Netsh Abuse", "Orangeworm Attack Group", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Prohibited Traffic Allowed or Protocol Mismatch", "Ransomware", "SamSam Ransomware", "Suspicious Command-Line Executions", "Suspicious DNS Traffic", "Suspicious MSHTA Activity", "Suspicious WMI Use", "Suspicious Windows Registry Activities", "Unusual Processes", "Windows Defense Evasion Tactics", "Windows File Extension and Association Abuse", "Windows Log Manipulation", "Windows Persistence Techniques", "Windows Privilege Escalation", "Windows Service Abuse"], "product": ["Splunk Phantom"], "required_fields": ["_time", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.dest"], "security_domain": "endpoint"}, "lowercase_name": "get_parent_process_info"}, {"name": "Get Process File Activity", "author": "David Dorsey, Splunk", "date": "2019-11-06", "version": 2, "id": "6a9ad4d9-6ef2-4b85-953f-a37ab256acd5", "description": "This search returns the file activity for a specific process on a specific endpoint", "references": [], "type": "Investigation", "datamodel": ["Endpoint"], "search": "| tstats `security_content_summariesonly` values(Filesystem.file_name) as file_name values(Filesystem.dest) as dest, values(Filesystem.process_name) as process_name from datamodel=Endpoint.Filesystem by Filesystem.dest Filesystem.process_name Filesystem.file_path, Filesystem.action, _time | `drop_dm_object_name(Filesystem)` | search dest=$dest$ | search process_name=$process_name$ | table _time, process_name, dest, action, file_name, file_path", "how_to_implement": "To successfully implement this search you must be ingesting endpoint data and populating the Endpoint data model.", "known_false_positives": "", "inputs": ["dest", "process_name"], "tags": {"analytic_story": ["DHS Report TA18-074A", "Suspicious Zoom Child Processes"], "product": ["Splunk Phantom"], "required_fields": ["_time", "Filesystem.file_name", "Filesystem.dest", "Filesystem.process_name", "Filesystem.file_path", "Filesystem.action"], "security_domain": "endpoint"}, "lowercase_name": "get_process_file_activity"}, {"name": "Get Process Info", "author": "Bhavin Patel, Splunk", "date": "2019-04-01", "version": 2, "id": "bc91a8cf-35e7-4bb2-8140-e756cc06fd71", "description": "This search queries the Endpoint data model to give you details about the process running on a host which is under investigation. To gather the process info, enter the values for the process name in question and the destination IP address.", "references": [], "type": "Investigation", "datamodel": ["Endpoint"], "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes by Processes.user Processes.parent_process_name Processes.process_name Processes.dest | `drop_dm_object_name(\"Processes\")` | search process_name= $process_name$ | search dest = $dest$ | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`", "how_to_implement": "To successfully implement this search you must be ingesting endpoint data and populating the Endpoint data model.", "known_false_positives": "", "inputs": ["process_name", "dest"], "tags": {"analytic_story": ["AWS Network ACL Activity", "Collection and Staging", "Command And Control", "DHS Report TA18-074A", "Data Protection", "Disabling Security Tools", "Emotet Malware DHS Report TA18-201A", "Hidden Cobra Malware", "Lateral Movement", "Malicious PowerShell", "Monitor for Unauthorized Software", "Netsh Abuse", "Orangeworm Attack Group", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Prohibited Traffic Allowed or Protocol Mismatch", "Ransomware", "SamSam Ransomware", "Suspicious AWS Traffic", "Suspicious Command-Line Executions", "Suspicious DNS Traffic", "Suspicious MSHTA Activity", "Suspicious WMI Use", "Suspicious Windows Registry Activities", "Unusual Processes", "Windows Defense Evasion Tactics", "Windows File Extension and Association Abuse", "Windows Log Manipulation", "Windows Persistence Techniques", "Windows Privilege Escalation", "Windows Service Abuse"], "product": ["Splunk Phantom"], "required_fields": ["_time", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.dest"], "security_domain": "endpoint"}, "lowercase_name": "get_process_info"}, {"name": "Get Process Information For Port Activity", "author": "Bhavin Patel, Splunk", "date": "2019-04-01", "version": 2, "id": "9925d08f-561e-4faa-8912-e3888a842341", "description": "This search will return information about the process associated with observed network traffic to a specific destination port from a specific host.", "references": [], "type": "Investigation", "datamodel": ["Endpoint"], "search": "| tstats `security_content_summariesonly` count min(_time) max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.process_name Processes.user Processes.dest Processes.process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search dest=$dest$ | join dest type=inner [| tstats `security_content_summariesonly` count from datamodel=Endpoint.Ports by Ports.process_id Ports.src Ports.dest_port | `drop_dm_object_name(Ports)` | search dest_port=$dest_port$ | rename src as dest]", "how_to_implement": "To successfully implement this search you must be ingesting endpoint data that associates processes with network events and populate the Endpoint Datamodel", "known_false_positives": "", "inputs": ["dest", "dest_port"], "tags": {"analytic_story": ["AWS Network ACL Activity", "Command And Control", "DHS Report TA18-074A", "Emotet Malware DHS Report TA18-201A", "Hidden Cobra Malware", "Lateral Movement", "Prohibited Traffic Allowed or Protocol Mismatch", "Ransomware", "SamSam Ransomware", "Suspicious AWS Traffic", "Use of Cleartext Protocols"], "product": ["Splunk Phantom"], "required_fields": ["_time", "Processes.user", "Processes.process_id", "Processes.process_name", "Processes.dest", "Ports.process_id", "Ports.src", "Ports.dest_port"], "security_domain": "endpoint"}, "lowercase_name": "get_process_information_for_port_activity"}, {"name": "Get Process Responsible For The DNS Traffic", "author": "Bhavin Patel, Splunk", "date": "2019-04-01", "version": 2, "id": "910e6512-edc9-4f93-ba24-5b786f47a672", "description": "While investigating, an analyst will want to know what process and parent_process is responsible for generating suspicious DNS traffic. Use the following search and enter the value of `dest` in the search to get specific details on the process responsible for creating the DNS traffic.", "references": [], "type": "Investigation", "datamodel": ["Endpoint"], "search": "| tstats `security_content_summariesonly` count min(_time) max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.parent_process Processes.process_name Processes.user Processes.dest Processes.process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search dest = $dest$ | join dest type=inner [| tstats `security_content_summariesonly` count from datamodel=Endpoint.Ports where Ports.dest_port=53 by Ports.process_id Ports.src | `drop_dm_object_name(Ports)` | rename src as dest]", "how_to_implement": "You must be ingesting endpoint data that associates processes with network events into the Endpoint datamodel. This can come from endpoint protection products such as carbon black, or endpoint data sources such as Sysmon.", "known_false_positives": "", "inputs": ["dest"], "tags": {"analytic_story": ["AWS Network ACL Activity", "Brand Monitoring", "Command And Control", "Data Protection", "Dynamic DNS", "Hidden Cobra Malware", "Suspicious AWS Traffic", "Suspicious DNS Traffic"], "product": ["Splunk Phantom"], "required_fields": ["_time", "Processes.user", "Processes.process_id", "Processes.process_name", "Processes.dest", "Processes.parent_process", "Ports.process_id", "Ports.src", "Ports.dest_port"], "security_domain": "endpoint"}, "lowercase_name": "get_process_responsible_for_the_dns_traffic"}, {"name": "Get Sysmon WMI Activity for Host", "author": "Rico Valdez, Splunk", "date": "2018-10-23", "version": 1, "id": "155e0571-7db6-42f2-aa62-9a3a4cf35c94", "description": "This search queries Sysmon WMI events for the host of interest.", "references": [], "type": "Investigation", "datamodel": [], "search": "`sysmon` EventCode>18 EventCode<22 | rename host as dest | search dest=$dest$| table _time, dest, user, Name, Operation, EventType, Type, Query, Consumer, Filter", "how_to_implement": "To successfully implement this search, you must be collecting Sysmon data using Sysmon version 6.1 or greater and have Sysmon configured to generate events for WMI activity. In addition, you must have at least version 6.0.4 of the Sysmon TA installed to properly parse the fields.", "known_false_positives": "", "inputs": ["dest"], "tags": {"analytic_story": ["Ransomware", "Suspicious WMI Use"], "product": ["Splunk Phantom"], "required_fields": ["_time", "EventCode", "user", "Name", "Operation", "EventType", "Type", "Query", "Consumer", "Filter"], "security_domain": "endpoint"}, "lowercase_name": "get_sysmon_wmi_activity_for_host"}, {"name": "Get Web Session Information via session id", "author": "Bhavin Patel, Splunk", "date": "2018-10-08", "version": 1, "id": "bc91a8cf-35e7-4bb2-1120-e756cc06fd89", "description": "This search helps an analyst investigate a notable event to find out more about a specific web session. The search looks for a specific web session ID in the HTTP web traffic and outputs the URL and user agents, grouped by source IP address and HTTP status code.", "references": [], "type": "Investigation", "datamodel": [], "search": "`stream_http` session_id = $session_id$ | stats values(url) values(http_user_agent) by src_ip status", "how_to_implement": "This search leverages data extracted from Stream:HTTP. You must configure the HTTP stream using the Splunk Stream App on your Splunk Stream deployment server.", "known_false_positives": "", "inputs": ["session_id"], "tags": {"analytic_story": ["Web Fraud Detection"], "product": ["Splunk Phantom"], "required_fields": ["_time", "session_id", "http_user_agent", "src_ip", "status"], "security_domain": "network"}, "lowercase_name": "get_web_session_information_via_session_id"}, {"name": "Investigate AWS activities via region name", "author": "Bhavin Patel, Splunk", "date": "2018-02-09", "version": 1, "id": "bc91a8cd-35e7-4bb2-6140-e756cc46fd11", "description": "This search lists all the user activities logged by CloudTrail for a specific region in question and will create a table of the values of parameters requested, the type of the event and the response from the AWS API by each user", "references": [], "type": "Investigation", "datamodel": [], "search": "`cloudtrail` vendor_region=$vendor_region$| rename requestParameters.instancesSet.items{}.instanceId as instanceId | stats values(eventName) by user instanceId vendor_region", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs.", "known_false_positives": "", "inputs": ["vendor_region"], "tags": {"analytic_story": ["AWS Cryptomining", "Cloud Cryptomining", "Suspicious AWS EC2 Activities", "Suspicious AWS S3 Activities"], "product": ["Splunk Phantom"], "required_fields": ["_time", "vendor_region", "requestParameters.instancesSet.items{}.instanceId", "eventName", "user"], "security_domain": "network"}, "lowercase_name": "investigate_aws_activities_via_region_name"}, {"name": "Investigate AWS User Activities by user field", "author": "Bhavin Patel, Splunk", "date": "2018-03-12", "version": 1, "id": "bc91a8cd-35e7-4bb2-6140-e756cc46fd76", "description": "This search lists all the logged CloudTrail activities by a specific user and will create a table containing the source of the user, the region of the activity, the name and type of the event, the action taken, and the user's identity information.", "references": [], "type": "Investigation", "datamodel": [], "search": "`cloudtrail` user=$user$ | table _time userIdentity.type userIdentity.userName userIdentity.arn aws_account_id src awsRegion eventName eventType ", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs.", "known_false_positives": "", "inputs": ["user"], "tags": {"analytic_story": ["AWS User Monitoring", "Suspicious Cloud Authentication Activities"], "product": ["Splunk Phantom"], "required_fields": ["_time", "user", "userIdentity.type", "userIdentity.userName", "userIdentity.arn", "aws_account_id", "src", "awsRegion", "eventName", "eventType"], "security_domain": "network"}, "lowercase_name": "investigate_aws_user_activities_by_user_field"}, {"name": "Investigate Failed Logins for Multiple Destinations", "author": "Patrick Bareiss, Splunk", "date": "2019-12-10", "version": 1, "id": "097e8030-8662-4254-a735-bf0bdda696e3", "description": "This search returns failed logins to multiple destinations by user.", "references": [], "type": "Investigation", "datamodel": ["Authentication"], "search": "| tstats count `security_content_summariesonly` earliest(_time) as first_login latest(_time) as last_login dc(Authentication.dest) AS distinct_count_dest values(Authentication.dest) AS Authentication.dest values(Authentication.app) AS Authentication.app from datamodel=Authentication where Authentication.action=failure by Authentication.user | where distinct_count_dest > 1 | `security_content_ctime(first_login)` | `security_content_ctime(last_login)` | `drop_dm_object_name(\"Authentication\")` | search user=$user$", "how_to_implement": "To successfully implement this search you need to be ingesting authentication logs from your various systems and populating the Authentication data model.", "known_false_positives": "", "inputs": ["user"], "tags": {"analytic_story": ["Credential Dumping"], "product": ["Splunk Phantom"], "required_fields": ["_time", "Authentication.dest", "Authentication.app", "Authentication.action", "Authentication.user"], "security_domain": "endpoint"}, "lowercase_name": "investigate_failed_logins_for_multiple_destinations"}, {"name": "Investigate Network Traffic From src ip", "author": "David Dorsey, Splunk", "date": "2018-06-15", "version": 1, "id": "9df9ca9c-a02b-4f48-9eba-0bac55179050", "description": "This search allows you to find all the network traffic from a specific IP address.", "references": [], "type": "Investigation", "datamodel": ["Network_Traffic"], "search": "| from datamodel Network_Traffic.All_Traffic | search src_ip=$src_ip$", "how_to_implement": "To successfully implement this search, you must be ingesting your web-traffic logs and populating the web data model.", "known_false_positives": "", "inputs": ["src_ip"], "tags": {"analytic_story": ["ColdRoot MacOS RAT"], "product": ["Splunk Phantom"], "required_fields": ["_time", "src_ip"], "security_domain": "network"}, "lowercase_name": "investigate_network_traffic_from_src_ip"}, {"name": "Investigate Okta Activity by app", "author": "Rico Valdez, Splunk", "date": "2020-04-02", "version": 1, "id": "420eb1b8-2992-45d1-80cf-0b1b2759524d", "description": "This search returns all okta events associated with a specific app", "references": [], "type": "Investigation", "datamodel": [], "search": "`okta` app=$app$ | rename client.geographicalContext.country as country, client.geographicalContext.state as state, client.geographicalContext.city as city | table _time, user, displayMessage, app, src_ip, state, city, result, outcome.reason", "how_to_implement": "You must be ingesting Okta logs", "known_false_positives": "", "inputs": ["app"], "tags": {"analytic_story": ["Suspicious Okta Activity"], "product": ["Splunk Phantom"], "required_fields": ["_time", "app", "client.geographicalContext.country", "client.geographicalContext.state", "client.geographicalContext.city", "user", "displayMessage", "src_ip", "result", "outcome.reason"], "security_domain": "network"}, "lowercase_name": "investigate_okta_activity_by_app"}, {"name": "Investigate Okta Activity by IP Address", "author": "Rico Valdez, Splunk", "date": "2020-04-02", "version": 1, "id": "56aae066-d619-477c-93e3-3fb83b2d23c3", "description": "This search returns all okta events from a specific IP address.", "references": [], "type": "Investigation", "datamodel": [], "search": "`okta` src_ip={src_ip} | rename client.geographicalContext.country as country, client.geographicalContext.state as state, client.geographicalContext.city as city | table _time, user, displayMessage, app, src_ip, state, city, result, outcome.reason", "how_to_implement": "You must be ingesting Okta logs", "known_false_positives": "", "inputs": [], "tags": {"analytic_story": ["Suspicious Okta Activity"], "product": ["Splunk Phantom"], "required_fields": ["_time", "app", "client.geographicalContext.country", "client.geographicalContext.state", "client.geographicalContext.city", "user", "displayMessage", "src_ip", "result", "outcome.reason"], "security_domain": "network"}, "lowercase_name": "investigate_okta_activity_by_ip_address"}, {"name": "Investigate Pass the Hash Attempts", "author": "Patrick Bareiss, Splunk", "date": "2019-12-10", "version": 1, "id": "ed3fff45-cba6-4990-983f-6fac72bee659", "description": "This search hunts for dumped NTLM hashes used for pass the hash.", "references": [], "type": "Investigation", "datamodel": [], "search": "`wineventlog_security` EventCode=4624 Logon_Type=9 AuthenticationPackageName=Negotiate | stats count earliest(_time) as first_login latest(_time) as last_login by src_user dest | `security_content_ctime(first_login)` | `security_content_ctime(last_login)` | search dest=$dest$", "how_to_implement": "To successfully implement this search you need be ingesting windows security logs. This search uses an input macro named `wineventlog_security`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Security logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.", "known_false_positives": "", "inputs": ["dest"], "tags": {"analytic_story": ["Credential Dumping"], "product": ["Splunk Phantom"], "required_fields": ["_time", "EventCode", "Logon_Type", "AuthenticationPackageName", "src_user", "dest"], "security_domain": "endpoint"}, "lowercase_name": "investigate_pass_the_hash_attempts"}, {"name": "Investigate Pass the Ticket Attempts", "author": "Patrick Bareiss, Splunk", "date": "2019-12-10", "version": 1, "id": "990007ad-d798-4b29-ab2f-f0034144c937", "description": "This search hunts for dumped kerberos ticket from LSASS memory.", "references": [], "type": "Investigation", "datamodel": [], "search": "`wineventlog_security` EventCode=4768 OR EventCode=4769 | rex field=user \"(?<new_user>[^\\@]+)\" | stats count BY new_user, dest, EventCode | stats max(count) AS max_count sum(count) AS sum_count BY new_user, dest| search dest=$dest$ | where sum_count/max_count!=2 | rename new_user AS user ", "how_to_implement": "To successfully implement this search you need to be ingesting windows security logs. This search uses an input macro named `wineventlog_security`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Security logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.", "known_false_positives": "", "inputs": ["dest"], "tags": {"analytic_story": ["Credential Dumping"], "product": ["Splunk Phantom"], "required_fields": ["_time", "EventCode", "user", "dest"], "security_domain": "endpoint"}, "lowercase_name": "investigate_pass_the_ticket_attempts"}, {"name": "Investigate Previous Unseen User", "author": "Patrick Bareiss, Splunk", "date": "2019-12-10", "version": 1, "id": "ad114d5c-8079-4a84-a646-2fd00dfc07cc", "description": "This search returns previous unseen user, which didn't log in for 30 days.", "references": [], "type": "Investigation", "datamodel": ["Authentication"], "search": "| tstats count `security_content_summariesonly` earliest(_time) as first_login latest(_time) as last_login values(Authentication.dest) AS Authentication.dest values(Authentication.app) AS Authentication.app values(Authentication.action) AS Authentication.action from datamodel=Authentication where Authentication.action=success by _time, Authentication.user | bucket _time span=30d | stats count min(first_login) as first_login max(last_login) as last_login values(Authentication.dest) AS Authentication.dest by Authentication.user | where count=1 | where first_login >= relative_time(now(), \"-30d\") | `security_content_ctime(first_login)` | `security_content_ctime(last_login)` | `drop_dm_object_name(\"Authentication\")` | search dest=$dest$", "how_to_implement": "To successfully implement this search you need to be ingesting authentication logs from your various systems and populating the Authentication data model.", "known_false_positives": "", "inputs": ["dest"], "tags": {"analytic_story": ["Credential Dumping"], "product": ["Splunk Phantom"], "required_fields": ["_time", "Authentication.dest", "Authentication.app", "Authentication.action", "Authentication.user"], "security_domain": "endpoint"}, "lowercase_name": "investigate_previous_unseen_user"}, {"name": "Investigate Successful Remote Desktop Authentications", "author": "Jose Hernandez, Splunk", "date": "2018-12-14", "version": 1, "id": "b6618e8e-be04-40a0-a0b9-f0bd4b6c81bc", "description": "This search returns the source, destination, and user for all successful remote-desktop authentications. A successful authentication after a brute-force attack on a destination machine is suspicious behavior. ", "references": [], "type": "Investigation", "datamodel": ["Authentication"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Authentication where Authentication.signature_id=4624 Authentication.app=win:remote by Authentication.src Authentication.dest Authentication.app Authentication.user Authentication.signature Authentication.src_nt_domain | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(\"Authentication\")` | search dest=$dest$ | table firstTime lastTime src src_nt_domain dest user app count | sort count", "how_to_implement": "You must be populating the Authentication data model with security events from your Windows event logs.", "known_false_positives": "", "inputs": ["dest"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Hidden Cobra Malware", "SamSam Ransomware"], "product": ["Splunk Phantom"], "required_fields": ["_time", "Authentication.signature_id", "Authentication.app", "Authentication.src", "Authentication.dest", "Authentication.user", "Authentication.signature", "Authentication.src_nt_domain"], "security_domain": "endpoint"}, "lowercase_name": "investigate_successful_remote_desktop_authentications"}, {"name": "Investigate Suspicious Strings in HTTP Header", "author": "Bhavin Patel, Splunk", "date": "2017-10-20", "version": 1, "id": "bc91a8cf-35e7-4bb2-8140-e756cc06fd89", "description": "This search helps an analyst investigate a notable event related to a potential Apache Struts exploitation. To investigate, we will want to isolate and analyze the \"payload\" or the commands that were passed to the vulnerable hosts by creating a few regular expressions to carve out the commands focusing on common keywords from the payload, such as cmd.exe, /bin/bash and whois. The search returns these suspicious strings found in the HTTP logs of the system of interest.", "references": [], "type": "Investigation", "datamodel": [], "search": "`stream_http` | search src_ip=$src_ip$ | search dest_ip=$dest_ip$ | eval cs_content_type_length = len(cs_content_type) | search cs_content_type_length > 100 | rex field=\"cs_content_type\" (?<suspicious_strings>cmd.exe) | eval suspicious_strings_found=if(match(cs_content_type, \"application\"), \"True\", \"False\") | rename suspicious_strings_found AS \"Suspicious Content-Type Found\" | fields \"Suspicious Content-Type Found\", dest_ip, src_ip, suspicious_strings, cs_content_type, cs_content_type_length, url", "how_to_implement": "This particular search leverages data extracted from Stream:HTTP. You must configure the http stream using the Splunk Stream App on your Splunk Stream deployment server to extract the cs_content_type field.", "known_false_positives": "", "inputs": ["src_ip", "dest_ip"], "tags": {"analytic_story": ["Apache Struts Vulnerability"], "product": ["Splunk Phantom"], "required_fields": ["_time", "src_ip", "dest_ip", "cs_content_type", "url"], "security_domain": "network"}, "lowercase_name": "investigate_suspicious_strings_in_http_header"}, {"name": "Investigate User Activities In Okta", "author": "Rico Valdez, Splunk", "date": "2020-04-02", "version": 1, "id": "24ff145d-4d16-420a-b047-480f2a51c403", "description": "This search returns all okta events by a specific user", "references": [], "type": "Investigation", "datamodel": [], "search": "`okta` user=$user$ | rename client.geographicalContext.country as country, client.geographicalContext.state as state, client.geographicalContext.city as city | table _time, user, displayMessage, app, src_ip, state, city, result, outcome.reason", "how_to_implement": "You must be ingesting Okta logs", "known_false_positives": "", "inputs": ["user"], "tags": {"analytic_story": ["Suspicious Okta Activity"], "product": ["Splunk Phantom"], "required_fields": ["_time", "client.geographicalContext.country", "client.geographicalContext.state", "client.geographicalContext.city", "user", "displayMessage", "src_ip", "result", "outcome.reason"], "security_domain": "network"}, "lowercase_name": "investigate_user_activities_in_okta"}, {"name": "Investigate Web POSTs From src", "author": "Jose Hernandez, Splunk", "date": "2018-12-06", "version": 1, "id": "f5c39fac-205c-4e07-9004-8fd61ea3431a", "description": "This investigative search retrieves POST requests from a specified source IP or hostname. Identifying the POST requests, as well as their associated destination URLs and user agent(s), may help you scope and characterize the suspicious traffic. ", "references": [], "type": "Investigation", "datamodel": ["Web"], "search": "| tstats `security_content_summariesonly` values(Web.url) as url from datamodel=Web by Web.src,Web.http_user_agent,Web.http_method | `drop_dm_object_name(\"Web\")`| search http_method, \"POST\" | search src=$src$", "how_to_implement": "To successfully implement this search, you must be ingesting your web-traffic logs and populating the web data model.", "known_false_positives": "", "inputs": ["src"], "tags": {"analytic_story": ["Apache Struts Vulnerability"], "product": ["Splunk Phantom"], "required_fields": ["_time", "Web.url", "Web.src", "Web.http_user_agent", "Web.http_method"], "security_domain": "network"}, "lowercase_name": "investigate_web_posts_from_src"}]} \ No newline at end of file diff --git a/dist/api/stories.json b/dist/api/stories.json deleted file mode 100644 index 9f55070b84..0000000000 --- a/dist/api/stories.json +++ /dev/null @@ -1 +0,0 @@ -{"stories": [{"name": "3CX Supply Chain Attack", "author": "Michael Haag, Splunk", "date": "2023-03-30", "version": 1, "id": "c4d7618c-73a7-4f7c-8071-060c36850785", "description": "On March 29, 2023, CrowdStrike Falcon OverWatch observed unexpected malicious activity emanating from a legitimate, signed binary, 3CXDesktopApp, a softphone application from 3CX. The malicious activity includes beaconing to actor controlled infrastructure, deployment of second stage payloads, and, in a small number of cases, hands on keyboard activity. (CrowdStrike)", "references": ["https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/", "https://www.cisa.gov/news-events/alerts/2023/03/30/supply-chain-attack-against-3cxdesktopapp", "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/", "https://www.3cx.com/community/threads/crowdstrike-endpoint-security-detection-re-3cx-desktop-app.119934/page-2#post-558898", "https://www.3cx.com/community/threads/3cx-desktopapp-security-alert.119951/", "https://www.elastic.co/security-labs/elastic-users-protected-from-suddenicon-supply-chain-attack", "https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/"], "narrative": "On March 22, 2023, cybersecurity firm SentinelOne observed a surge in behavioral detections of trojanized 3CXDesktopApp installers, a popular PABX voice and video conferencing software. The multi-stage attack chain, which automatically quarantines trojanized installers, involves downloading ICO files with base64 data from GitHub and eventually leads to a 3rd stage infostealer DLL that is still under analysis. While the Mac installer remains unconfirmed as trojanized, ongoing investigations are also examining other potentially compromised applications, such as Chrome extensions. The threat actor behind the supply chain compromise, which started in February 2022, has used a code signing certificate to sign the trojanized binaries, but connections to existing threat clusters remain unclear. SentinelOne updated their IOCs on March 30th, 2023, with contributions from the research community and continues to monitor the situation for further developments. 3CX identified the vulnerability in the recent versions 18.12.407 and 18.12.416 for the desktop app. A new certificate for the app will also be produced.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1195.002", "mitre_attack_technique": "Compromise Software Supply Chain", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT41", "Cobalt Group", "Dragonfly", "FIN7", "GOLD SOUTHFIELD", "Sandworm Team", "Threat Group-3390"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "Malteiro", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "APT41", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Malteiro", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Initial Access", "Credential Access"], "datamodels": ["Endpoint", "Network_Resolution"], "kill_chain_phases": ["Delivery", "Exploitation"]}, "detection_names": ["ESCU - 3CX Supply Chain Attack Network Indicators - Rule", "ESCU - Hunting 3CXDesktopApp Software - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Windows Vulnerable 3CX Software - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "3CX Supply Chain Attack Network Indicators", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Software Supply Chain"}]}, {"name": "Hunting 3CXDesktopApp Software", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Compromise Software Supply Chain"}]}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "Windows Vulnerable 3CX Software", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Software Supply Chain"}]}]}, {"name": "Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring", "author": "Matthew Moore, Patrick Bareiss, Splunk", "date": "2024-01-08", "version": 1, "id": "7589023b-3d98-42b3-ab1c-bb498e68fc2d", "description": "Kubernetes, a complex container orchestration system, is susceptible to a variety of security threats. This story delves into the different strategies and methods adversaries employ to exploit Kubernetes environments. These include attacks on the control plane, exploitation of misconfigurations, and breaches of containerized applications. Observability data, such as metrics, play a crucial role in identifying abnormal and potentially malicious behavior within these environments.", "references": ["https://kubernetes.io/docs/concepts/security/", "https://splunkbase.splunk.com/app/5247"], "narrative": "Kubernetes, a complex container orchestration system, is a prime target for adversaries due to its widespread use and inherent complexity. This story focuses on the abnormal behavior within Kubernetes environments that can be indicative of security threats. Key areas of concern include the control plane, worker nodes, and network communication, all of which can be exploited by attackers. Observability data, such as metrics, play a crucial role in identifying these abnormal behaviors. These behaviors could be a result of attacks on the control plane, exploitation of misconfigurations, or breaches of containerized applications. For instance, attackers may attempt to exploit vulnerabilities in the Kubernetes API, misconfigured containers, or insecure network policies. The control plane, which manages cluster operations, is a prime target and its compromise can give attackers control over the entire cluster. Worker nodes, which run the containerized applications, can also be targeted to disrupt services or to gain access to sensitive data.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}], "mitre_attack_tactics": ["Execution"], "datamodels": [], "kill_chain_phases": ["Installation"]}, "detection_names": ["ESCU - Kubernetes Anomalous Inbound Network Activity from Process - Rule", "ESCU - Kubernetes Anomalous Inbound Outbound Network IO - Rule", "ESCU - Kubernetes Anomalous Inbound to Outbound Network IO Ratio - Rule", "ESCU - Kubernetes Anomalous Outbound Network Activity from Process - Rule", "ESCU - Kubernetes Anomalous Traffic on Network Edge - Rule", "ESCU - Kubernetes newly seen TCP edge - Rule", "ESCU - Kubernetes newly seen UDP edge - Rule", "ESCU - Kubernetes Previously Unseen Container Image Name - Rule", "ESCU - Kubernetes Previously Unseen Process - Rule", "ESCU - Kubernetes Process Running From New Path - Rule", "ESCU - Kubernetes Process with Anomalous Resource Utilisation - Rule", "ESCU - Kubernetes Process with Resource Ratio Anomalies - Rule", "ESCU - Kubernetes Shell Running on Worker Node - Rule", "ESCU - Kubernetes Shell Running on Worker Node with CPU Activity - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Patrick Bareiss, Splunk", "author_name": "Matthew Moore", "detections": [{"name": "Kubernetes Anomalous Inbound Network Activity from Process", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Kubernetes Anomalous Inbound Outbound Network IO", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Kubernetes Anomalous Inbound to Outbound Network IO Ratio", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Kubernetes Anomalous Outbound Network Activity from Process", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Kubernetes Anomalous Traffic on Network Edge", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Kubernetes newly seen TCP edge", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Kubernetes newly seen UDP edge", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Kubernetes Previously Unseen Container Image Name", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Kubernetes Previously Unseen Process", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Kubernetes Process Running From New Path", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Kubernetes Process with Anomalous Resource Utilisation", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Kubernetes Process with Resource Ratio Anomalies", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Kubernetes Shell Running on Worker Node", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Kubernetes Shell Running on Worker Node with CPU Activity", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}]}, {"name": "AcidRain", "author": "Teoderick Contreras, Splunk", "date": "2022-04-12", "version": 1, "id": "c68717c6-4938-434b-987c-e1ce9d516124", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the acidrain malware including deleting of files and etc. AcidRain is an ELF MIPS malware specifically designed to wipe modems and routers. The complete list of targeted devices is unknown at this time, but WatchGuard FireBox has specifically been listed as a target. This malware is capable of wiping and deleting non-standard linux files and overwriting storage device files that might related to router, ssd card and many more.", "references": ["https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/"], "narrative": "Adversaries may use this technique to maximize the impact on the target organization in operations where network wide availability interruption is the goal.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}], "mitre_attack_tactics": ["Impact", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Linux Account Manipulation Of SSH Config and Keys - Rule", "ESCU - Linux Deletion Of Cron Jobs - Rule", "ESCU - Linux Deletion Of Init Daemon Script - Rule", "ESCU - Linux Deletion Of Services - Rule", "ESCU - Linux Deletion of SSL Certificate - Rule", "ESCU - Linux High Frequency Of File Deletion In Etc Folder - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Linux Account Manipulation Of SSH Config and Keys", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Linux Deletion Of Cron Jobs", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Linux Deletion Of Init Daemon Script", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Linux Deletion Of Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Linux Deletion of SSL Certificate", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Linux High Frequency Of File Deletion In Etc Folder", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}]}, {"name": "Active Directory Discovery", "author": "Mauricio Velazco, Splunk", "date": "2021-08-20", "version": 1, "id": "8460679c-2b21-463e-b381-b813417c32f2", "description": "Monitor for activities and techniques associated with Discovery and Reconnaissance within with Active Directory environments.", "references": ["https://attack.mitre.org/tactics/TA0007/", "https://adsecurity.org/?p=2535", "https://attack.mitre.org/techniques/T1087/001/", "https://attack.mitre.org/techniques/T1087/002/", "https://attack.mitre.org/techniques/T1087/003/", "https://attack.mitre.org/techniques/T1482/", "https://attack.mitre.org/techniques/T1201/", "https://attack.mitre.org/techniques/T1069/001/", "https://attack.mitre.org/techniques/T1069/002/", "https://attack.mitre.org/techniques/T1018/", "https://attack.mitre.org/techniques/T1049/", "https://attack.mitre.org/techniques/T1033/"], "narrative": "Discovery consists of techniques an adversay uses to gain knowledge about an internal environment or network. These techniques provide adversaries with situational awareness and allows them to have the necessary information before deciding how to act or who/what to target next.\nOnce an attacker obtains an initial foothold in an Active Directory environment, she is forced to engage in Discovery techniques in the initial phases of a breach to better understand and navigate the target network. Some examples include but are not limited to enumerating domain users, domain admins, computers, domain controllers, network shares, group policy objects, domain trusts, etc.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}, {"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Akira", "Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "APT5", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1016.001", "mitre_attack_technique": "Internet Connection Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT29", "FIN13", "FIN8", "Gamaredon Group", "HAFNIUM", "HEXANE", "Magic Hound", "TA2541", "Turla"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "FIN7", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "ToddyCat", "Turla", "Volt Typhoon"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT41", "BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Scattered Spider", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1201", "mitre_attack_technique": "Password Policy Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "OilRig", "Turla"]}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT41", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1135", "mitre_attack_technique": "Network Share Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT32", "APT38", "APT39", "APT41", "Chimera", "DarkVishnya", "Dragonfly", "FIN13", "Sowbug", "Tonto Team", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1570", "mitre_attack_technique": "Lateral Tool Transfer", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT32", "APT41", "Aoqin Dragon", "Chimera", "FIN10", "GALLIUM", "Magic Hound", "Sandworm Team", "Turla", "Volt Typhoon", "Wizard Spider"]}, {"mitre_attack_id": "T1078.002", "mitre_attack_technique": "Domain Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT5", "Chimera", "Cinnamon Tempest", "Indrik Spider", "Magic Hound", "Naikon", "Sandworm Team", "TA505", "Threat Group-1314", "ToddyCat", "Volt Typhoon", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Akira", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Scattered Spider", "Silence", "Threat Group-3390", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}], "mitre_attack_tactics": ["Initial Access", "Discovery", "Privilege Escalation", "Credential Access", "Persistence", "Execution", "Defense Evasion", "Lateral Movement"], "datamodels": ["Network_Traffic", "Endpoint"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation"]}, "detection_names": ["ESCU - AdsiSearcher Account Discovery - Rule", "ESCU - Domain Account Discovery with Dsquery - Rule", "ESCU - Domain Account Discovery With Net App - Rule", "ESCU - Domain Account Discovery with Wmic - Rule", "ESCU - Domain Controller Discovery with Nltest - Rule", "ESCU - Domain Controller Discovery with Wmic - Rule", "ESCU - Domain Group Discovery with Adsisearcher - Rule", "ESCU - Domain Group Discovery With Dsquery - Rule", "ESCU - Domain Group Discovery With Net - Rule", "ESCU - Domain Group Discovery With Wmic - Rule", "ESCU - DSQuery Domain Discovery - Rule", "ESCU - Elevated Group Discovery With Net - Rule", "ESCU - Elevated Group Discovery with PowerView - Rule", "ESCU - Elevated Group Discovery With Wmic - Rule", "ESCU - Get ADDefaultDomainPasswordPolicy with Powershell - Rule", "ESCU - Get ADDefaultDomainPasswordPolicy with Powershell Script Block - Rule", "ESCU - Get ADUser with PowerShell - Rule", "ESCU - Get ADUser with PowerShell Script Block - Rule", "ESCU - Get ADUserResultantPasswordPolicy with Powershell - Rule", "ESCU - Get ADUserResultantPasswordPolicy with Powershell Script Block - Rule", "ESCU - Get DomainPolicy with Powershell - Rule", "ESCU - Get DomainPolicy with Powershell Script Block - Rule", "ESCU - Get-DomainTrust with PowerShell - Rule", "ESCU - Get-DomainTrust with PowerShell Script Block - Rule", "ESCU - Get DomainUser with PowerShell - Rule", "ESCU - Get DomainUser with PowerShell Script Block - Rule", "ESCU - Get-ForestTrust with PowerShell - Rule", "ESCU - Get-ForestTrust with PowerShell Script Block - Rule", "ESCU - Get WMIObject Group Discovery - Rule", "ESCU - Get WMIObject Group Discovery with Script Block Logging - Rule", "ESCU - GetAdComputer with PowerShell - Rule", "ESCU - GetAdComputer with PowerShell Script Block - Rule", "ESCU - GetAdGroup with PowerShell - Rule", "ESCU - GetAdGroup with PowerShell Script Block - Rule", "ESCU - GetCurrent User with PowerShell - Rule", "ESCU - GetCurrent User with PowerShell Script Block - Rule", "ESCU - GetDomainComputer with PowerShell - Rule", "ESCU - GetDomainComputer with PowerShell Script Block - Rule", "ESCU - GetDomainController with PowerShell - Rule", "ESCU - GetDomainController with PowerShell Script Block - Rule", "ESCU - GetDomainGroup with PowerShell - Rule", "ESCU - GetDomainGroup with PowerShell Script Block - Rule", "ESCU - GetLocalUser with PowerShell - Rule", "ESCU - GetLocalUser with PowerShell Script Block - Rule", "ESCU - GetNetTcpconnection with PowerShell - Rule", "ESCU - GetNetTcpconnection with PowerShell Script Block - Rule", "ESCU - GetWmiObject Ds Computer with PowerShell - Rule", "ESCU - GetWmiObject Ds Computer with PowerShell Script Block - Rule", "ESCU - GetWmiObject Ds Group with PowerShell - Rule", "ESCU - GetWmiObject Ds Group with PowerShell Script Block - Rule", "ESCU - GetWmiObject DS User with PowerShell - Rule", "ESCU - GetWmiObject DS User with PowerShell Script Block - Rule", "ESCU - GetWmiObject User Account with PowerShell - Rule", "ESCU - GetWmiObject User Account with PowerShell Script Block - Rule", "ESCU - Local Account Discovery with Net - Rule", "ESCU - Local Account Discovery With Wmic - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Connection Discovery With Net - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Network Discovery Using Route Windows App - Rule", "ESCU - NLTest Domain Trust Discovery - Rule", "ESCU - Password Policy Discovery with Net - Rule", "ESCU - PowerShell Get LocalGroup Discovery - Rule", "ESCU - Powershell Get LocalGroup Discovery with Script Block Logging - Rule", "ESCU - Remote System Discovery with Adsisearcher - Rule", "ESCU - Remote System Discovery with Dsquery - Rule", "ESCU - Remote System Discovery with Net - Rule", "ESCU - Remote System Discovery with Wmic - Rule", "ESCU - ServicePrincipalNames Discovery with PowerShell - Rule", "ESCU - ServicePrincipalNames Discovery with SetSPN - Rule", "ESCU - System User Discovery With Query - Rule", "ESCU - System User Discovery With Whoami - Rule", "ESCU - User Discovery With Env Vars PowerShell - Rule", "ESCU - User Discovery With Env Vars PowerShell Script Block - Rule", "ESCU - Windows AD Abnormal Object Access Activity - Rule", "ESCU - Windows AD Privileged Object Access Activity - Rule", "ESCU - Windows File Share Discovery With Powerview - Rule", "ESCU - Windows Find Domain Organizational Units with GetDomainOU - Rule", "ESCU - Windows Find Interesting ACL with FindInterestingDomainAcl - Rule", "ESCU - Windows Forest Discovery with GetForestDomain - Rule", "ESCU - Windows Get Local Admin with FindLocalAdminAccess - Rule", "ESCU - Windows Hidden Schedule Task Settings - Rule", "ESCU - Windows Lateral Tool Transfer RemCom - Rule", "ESCU - Windows Linked Policies In ADSI Discovery - Rule", "ESCU - Windows PowerView AD Access Control List Enumeration - Rule", "ESCU - Windows Root Domain linked policies Discovery - Rule", "ESCU - Windows Service Create RemComSvc - Rule", "ESCU - Windows Suspect Process With Authentication Traffic - Rule", "ESCU - Wmic Group Discovery - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "AdsiSearcher Account Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Domain Account Discovery with Dsquery", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Domain Account Discovery With Net App", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Domain Account Discovery with Wmic", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Domain Controller Discovery with Nltest", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "Domain Controller Discovery with Wmic", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "Domain Group Discovery with Adsisearcher", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}, {"name": "Domain Group Discovery With Dsquery", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}, {"name": "Domain Group Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}, {"name": "Domain Group Discovery With Wmic", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}, {"name": "DSQuery Domain Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Trust Discovery"}]}, {"name": "Elevated Group Discovery With Net", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}, {"name": "Elevated Group Discovery with PowerView", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}, {"name": "Elevated Group Discovery With Wmic", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}, {"name": "Get ADDefaultDomainPasswordPolicy with Powershell", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Password Policy Discovery"}]}, {"name": "Get ADDefaultDomainPasswordPolicy with Powershell Script Block", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Password Policy Discovery"}]}, {"name": "Get ADUser with PowerShell", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Get ADUser with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Get ADUserResultantPasswordPolicy with Powershell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Policy Discovery"}]}, {"name": "Get ADUserResultantPasswordPolicy with Powershell Script Block", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Policy Discovery"}]}, {"name": "Get DomainPolicy with Powershell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Policy Discovery"}]}, {"name": "Get DomainPolicy with Powershell Script Block", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Policy Discovery"}]}, {"name": "Get-DomainTrust with PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Trust Discovery"}]}, {"name": "Get-DomainTrust with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Trust Discovery"}]}, {"name": "Get DomainUser with PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Get DomainUser with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Get-ForestTrust with PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Trust Discovery"}]}, {"name": "Get-ForestTrust with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Trust Discovery"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Get WMIObject Group Discovery", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}, {"name": "Get WMIObject Group Discovery with Script Block Logging", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}, {"name": "GetAdComputer with PowerShell", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "GetAdComputer with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "GetAdGroup with PowerShell", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}, {"name": "GetAdGroup with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}, {"name": "GetCurrent User with PowerShell", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Owner/User Discovery"}]}, {"name": "GetCurrent User with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Owner/User Discovery"}]}, {"name": "GetDomainComputer with PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "GetDomainComputer with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "GetDomainController with PowerShell", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "GetDomainController with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "GetDomainGroup with PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}, {"name": "GetDomainGroup with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}, {"name": "GetLocalUser with PowerShell", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}]}, {"name": "GetLocalUser with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "GetNetTcpconnection with PowerShell", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "GetNetTcpconnection with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "GetWmiObject Ds Computer with PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "GetWmiObject Ds Computer with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "GetWmiObject Ds Group with PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}, {"name": "GetWmiObject Ds Group with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}, {"name": "GetWmiObject DS User with PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "GetWmiObject DS User with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "GetWmiObject User Account with PowerShell", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}]}, {"name": "GetWmiObject User Account with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Local Account Discovery with Net", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}]}, {"name": "Local Account Discovery With Wmic", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}]}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}, {"name": "Network Connection Discovery With Arp", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "Network Connection Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "Network Discovery Using Route Windows App", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Internet Connection Discovery"}]}, {"name": "NLTest Domain Trust Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Trust Discovery"}]}, {"name": "Password Policy Discovery with Net", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Password Policy Discovery"}]}, {"name": "PowerShell Get LocalGroup Discovery", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}, {"name": "Powershell Get LocalGroup Discovery with Script Block Logging", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}, {"name": "Remote System Discovery with Adsisearcher", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "Remote System Discovery with Dsquery", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "Remote System Discovery with Net", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "Remote System Discovery with Wmic", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "ServicePrincipalNames Discovery with PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Kerberoasting"}]}, {"name": "ServicePrincipalNames Discovery with SetSPN", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Kerberoasting"}]}, {"name": "System User Discovery With Query", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Owner/User Discovery"}]}, {"name": "System User Discovery With Whoami", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Owner/User Discovery"}]}, {"name": "User Discovery With Env Vars PowerShell", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Owner/User Discovery"}]}, {"name": "User Discovery With Env Vars PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Owner/User Discovery"}]}, {"name": "Windows AD Abnormal Object Access Activity", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Account"}]}, {"name": "Windows AD Privileged Object Access Activity", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Account"}]}, {"name": "Windows File Share Discovery With Powerview", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Network Share Discovery"}]}, {"name": "Windows Find Domain Organizational Units with GetDomainOU", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Account"}]}, {"name": "Windows Find Interesting ACL with FindInterestingDomainAcl", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Account"}]}, {"name": "Windows Forest Discovery with GetForestDomain", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Account"}]}, {"name": "Windows Get Local Admin with FindLocalAdminAccess", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Account"}]}, {"name": "Windows Hidden Schedule Task Settings", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Windows Lateral Tool Transfer RemCom", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Lateral Tool Transfer"}]}, {"name": "Windows Linked Policies In ADSI Discovery", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Windows PowerView AD Access Control List Enumeration", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Accounts"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}, {"name": "Windows Root Domain linked policies Discovery", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Windows Service Create RemComSvc", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Windows Suspect Process With Authentication Traffic", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "User Execution"}, {"mitre_attack_technique": "Malicious File"}]}, {"name": "Wmic Group Discovery", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}]}, {"name": "Active Directory Kerberos Attacks", "author": "Mauricio Velazco, Splunk", "date": "2022-02-02", "version": 1, "id": "38b8cf16-8461-11ec-ade1-acde48001122", "description": "Monitor for activities and techniques associated with Kerberos based attacks within with Active Directory environments.", "references": ["https://en.wikipedia.org/wiki/Kerberos_(protocol)", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/2a32282e-dd48-4ad9-a542-609804b02cc9", "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", "https://stealthbits.com/blog/cracking-active-directory-passwords-with-as-rep-roasting/", "https://attack.mitre.org/techniques/T1558/003/", "https://attack.mitre.org/techniques/T1550/003/", "https://attack.mitre.org/techniques/T1558/004/"], "narrative": "Kerberos, initially named after Cerberus, the three-headed dog in Greek mythology, is a network authentication protocol that allows computers and users to prove their identity through a trusted third-party. This trusted third-party issues Kerberos tickets using symmetric encryption to allow users access to services and network resources based on their privilege level. Kerberos is the default authentication protocol used on Windows Active Directory networks since the introduction of Windows Server 2003. With Kerberos being the backbone of Windows authentication, it is commonly abused by adversaries across the different phases of a breach including initial access, privilege escalation, defense evasion, credential access, lateral movement, etc.\nThis Analytic Story groups detection use cases in which the Kerberos protocol is abused. Defenders can leverage these analytics to detect and hunt for adversaries engaging in Kerberos based attacks.", "tags": {"category": ["Adversary Tactics", "Account Compromise", "Lateral Movement", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1589", "mitre_attack_technique": "Gather Victim Identity Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["APT32", "FIN13", "HEXANE", "LAPSUS$", "Magic Hound"]}, {"mitre_attack_id": "T1589.002", "mitre_attack_technique": "Email Addresses", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["APT32", "EXOTIC LILY", "HAFNIUM", "HEXANE", "Kimsuky", "LAPSUS$", "Lazarus Group", "Magic Hound", "Sandworm Team", "Silent Librarian", "TA551"]}, {"mitre_attack_id": "T1550.003", "mitre_attack_technique": "Pass the Ticket", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["APT29", "APT32", "BRONZE BUTLER"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.002", "mitre_attack_technique": "Domain Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT5", "Chimera", "Cinnamon Tempest", "Indrik Spider", "Magic Hound", "Naikon", "Sandworm Team", "TA505", "Threat Group-1314", "ToddyCat", "Volt Typhoon", "Wizard Spider"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1558.001", "mitre_attack_technique": "Golden Ticket", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Ke3chang"]}, {"mitre_attack_id": "T1558.004", "mitre_attack_technique": "AS-REP Roasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}, {"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Akira", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Scattered Spider", "Silence", "Threat Group-3390", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}], "mitre_attack_tactics": ["Reconnaissance", "Initial Access", "Discovery", "Credential Access", "Privilege Escalation", "Persistence", "Defense Evasion", "Lateral Movement"], "datamodels": ["Network_Traffic", "Endpoint", "Authentication", "Change"], "kill_chain_phases": ["Delivery", "Reconnaissance", "Installation", "Exploitation"]}, "detection_names": ["ESCU - Disabled Kerberos Pre-Authentication Discovery With Get-ADUser - Rule", "ESCU - Disabled Kerberos Pre-Authentication Discovery With PowerView - Rule", "ESCU - Kerberoasting spn request with RC4 encryption - Rule", "ESCU - Kerberos Pre-Authentication Flag Disabled in UserAccountControl - Rule", "ESCU - Kerberos Pre-Authentication Flag Disabled with PowerShell - Rule", "ESCU - Kerberos Service Ticket Request Using RC4 Encryption - Rule", "ESCU - Kerberos TGT Request Using RC4 Encryption - Rule", "ESCU - Kerberos User Enumeration - Rule", "ESCU - Mimikatz PassTheTicket CommandLine Parameters - Rule", "ESCU - PetitPotam Suspicious Kerberos TGT Request - Rule", "ESCU - Rubeus Command Line Parameters - Rule", "ESCU - Rubeus Kerberos Ticket Exports Through Winlogon Access - Rule", "ESCU - ServicePrincipalNames Discovery with PowerShell - Rule", "ESCU - ServicePrincipalNames Discovery with SetSPN - Rule", "ESCU - Suspicious Kerberos Service Ticket Request - Rule", "ESCU - Suspicious Ticket Granting Ticket Request - Rule", "ESCU - Unknown Process Using The Kerberos Protocol - Rule", "ESCU - Unusual Number of Computer Service Tickets Requested - Rule", "ESCU - Unusual Number of Kerberos Service Tickets Requested - Rule", "ESCU - Windows Computer Account Created by Computer Account - Rule", "ESCU - Windows Computer Account Requesting Kerberos Ticket - Rule", "ESCU - Windows Computer Account With SPN - Rule", "ESCU - Windows Domain Admin Impersonation Indicator - Rule", "ESCU - Windows Get-AdComputer Unconstrained Delegation Discovery - Rule", "ESCU - Windows Kerberos Local Successful Logon - Rule", "ESCU - Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos - Rule", "ESCU - Windows Multiple Invalid Users Fail To Authenticate Using Kerberos - Rule", "ESCU - Windows Multiple Users Failed To Authenticate Using Kerberos - Rule", "ESCU - Windows PowerView Constrained Delegation Discovery - Rule", "ESCU - Windows PowerView Kerberos Service Ticket Request - Rule", "ESCU - Windows PowerView SPN Discovery - Rule", "ESCU - Windows PowerView Unconstrained Delegation Discovery - Rule", "ESCU - Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Users Failed To Auth Using Kerberos - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Disabled Kerberos Pre-Authentication Discovery With Get-ADUser", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "AS-REP Roasting"}]}, {"name": "Disabled Kerberos Pre-Authentication Discovery With PowerView", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "AS-REP Roasting"}]}, {"name": "Kerberoasting spn request with RC4 encryption", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}]}, {"name": "Kerberos Pre-Authentication Flag Disabled in UserAccountControl", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "AS-REP Roasting"}]}, {"name": "Kerberos Pre-Authentication Flag Disabled with PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "AS-REP Roasting"}]}, {"name": "Kerberos Service Ticket Request Using RC4 Encryption", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Golden Ticket"}]}, {"name": "Kerberos TGT Request Using RC4 Encryption", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Use Alternate Authentication Material"}]}, {"name": "Kerberos User Enumeration", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Gather Victim Identity Information"}, {"mitre_attack_technique": "Email Addresses"}]}, {"name": "Mimikatz PassTheTicket CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Use Alternate Authentication Material"}, {"mitre_attack_technique": "Pass the Ticket"}]}, {"name": "PetitPotam Suspicious Kerberos TGT Request", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Rubeus Command Line Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Use Alternate Authentication Material"}, {"mitre_attack_technique": "Pass the Ticket"}, {"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}, {"mitre_attack_technique": "AS-REP Roasting"}]}, {"name": "Rubeus Kerberos Ticket Exports Through Winlogon Access", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Use Alternate Authentication Material"}, {"mitre_attack_technique": "Pass the Ticket"}]}, {"name": "ServicePrincipalNames Discovery with PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Kerberoasting"}]}, {"name": "ServicePrincipalNames Discovery with SetSPN", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Kerberoasting"}]}, {"name": "Suspicious Kerberos Service Ticket Request", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Domain Accounts"}]}, {"name": "Suspicious Ticket Granting Ticket Request", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Domain Accounts"}]}, {"name": "Unknown Process Using The Kerberos Protocol", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Use Alternate Authentication Material"}]}, {"name": "Unusual Number of Computer Service Tickets Requested", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "Unusual Number of Kerberos Service Tickets Requested", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}]}, {"name": "Windows Computer Account Created by Computer Account", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}, {"name": "Windows Computer Account Requesting Kerberos Ticket", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}, {"name": "Windows Computer Account With SPN", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}, {"name": "Windows Domain Admin Impersonation Indicator", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}, {"name": "Windows Get-AdComputer Unconstrained Delegation Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "Windows Kerberos Local Successful Logon", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}, {"name": "Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Multiple Invalid Users Fail To Authenticate Using Kerberos", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Multiple Users Failed To Authenticate Using Kerberos", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows PowerView Constrained Delegation Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "Windows PowerView Kerberos Service Ticket Request", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}]}, {"name": "Windows PowerView SPN Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}]}, {"name": "Windows PowerView Unconstrained Delegation Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Unusual Count Of Users Failed To Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}]}, {"name": "Active Directory Lateral Movement", "author": "David Dorsey, Mauricio Velazco Splunk", "date": "2021-12-09", "version": 3, "id": "399d65dc-1f08-499b-a259-aad9051f38ad", "description": "Detect and investigate tactics, techniques, and procedures around how attackers move laterally within an Active Directory environment. Since lateral movement is often a necessary step in a breach, it is important for cyber defenders to deploy detection coverage.", "references": ["https://www.fireeye.com/blog/executive-perspective/2015/08/malware_lateral_move.html", "http://www.irongeek.com/i.php?page=videos/derbycon7/t405-hunting-lateral-movement-for-fun-and-profit-mauricio-velazco"], "narrative": "Once attackers gain a foothold within an enterprise, they will seek to expand their accesses and leverage techniques that facilitate lateral movement. Attackers will often spend quite a bit of time and effort moving laterally. Because lateral movement renders an attacker the most vulnerable to detection, it's an excellent focus for detection and investigation.\nIndications of lateral movement in an Active Directory network can include the abuse of system utilities (such as `psexec.exe`), unauthorized use of remote desktop services, `file/admin$` shares, WMI, PowerShell, Service Control Manager, the DCOM protocol, WinRM or the abuse of scheduled tasks. Organizations must be extra vigilant in detecting lateral movement techniques and look for suspicious activity in and around high-value strategic network assets, such as Active Directory, which are often considered the primary target or \"crown jewels\" to a persistent threat actor.\nAn adversary can use lateral movement for multiple purposes, including remote execution of tools, pivoting to additional systems, obtaining access to specific information or files, access to additional credentials, exfiltrating data, or delivering a secondary effect. Adversaries may use legitimate credentials alongside inherent network and operating-system functionality to remotely connect to other systems and remain under the radar of network defenders.\nIf there is evidence of lateral movement, it is imperative for analysts to collect evidence of the associated offending hosts. For example, an attacker might leverage host A to gain access to host B. From there, the attacker may try to move laterally to host C. In this example, the analyst should gather as much information as possible from all three hosts.\nIt is also important to collect authentication logs for each host, to ensure that the offending accounts are well-documented. Analysts should account for all processes to ensure that the attackers did not install unauthorized software.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}, {"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "APT5", "Dragonfly", "FIN13", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT", "Wizard Spider"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider", "Scattered Spider"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1210", "mitre_attack_technique": "Exploitation of Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "Dragonfly", "Earth Lusca", "FIN7", "Fox Kitten", "MuddyWater", "Threat Group-3390", "Tonto Team", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1563", "mitre_attack_technique": "Remote Service Session Hijacking", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218.014", "mitre_attack_technique": "MMC", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053.002", "mitre_attack_technique": "At", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "BRONZE BUTLER", "Threat Group-3390"]}, {"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "APT5", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1563.002", "mitre_attack_technique": "RDP Hijacking", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Axiom"]}, {"mitre_attack_id": "T1550.002", "mitre_attack_technique": "Pass the Hash", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["APT1", "APT28", "APT32", "APT41", "Chimera", "FIN13", "GALLIUM", "Kimsuky", "Wizard Spider"]}, {"mitre_attack_id": "T1021.006", "mitre_attack_technique": "Windows Remote Management", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Chimera", "FIN13", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1574.011", "mitre_attack_technique": "Services Registry Permissions Weakness", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1135", "mitre_attack_technique": "Network Share Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT32", "APT38", "APT39", "APT41", "Chimera", "DarkVishnya", "Dragonfly", "FIN13", "Sowbug", "Tonto Team", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}], "mitre_attack_tactics": ["Initial Access", "Discovery", "Credential Access", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Lateral Movement"], "datamodels": ["Risk", "Endpoint", "Change"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation"]}, "detection_names": ["ESCU - Detect Activity Related to Pass the Hash Attacks - Rule", "ESCU - Active Directory Lateral Movement Identified - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Interactive Session on Remote Endpoint with PowerShell - Rule", "ESCU - Mmc LOLBAS Execution Process Spawn - Rule", "ESCU - Possible Lateral Movement PowerShell Spawn - Rule", "ESCU - PowerShell Invoke CIMMethod CIMSession - Rule", "ESCU - PowerShell Start or Stop Service - Rule", "ESCU - Randomly Generated Scheduled Task Name - Rule", "ESCU - Randomly Generated Windows Service Name - Rule", "ESCU - Remote Desktop Process Running On System - Rule", "ESCU - Remote Process Instantiation via DCOM and PowerShell - Rule", "ESCU - Remote Process Instantiation via DCOM and PowerShell Script Block - Rule", "ESCU - Remote Process Instantiation via WinRM and PowerShell - Rule", "ESCU - Remote Process Instantiation via WinRM and PowerShell Script Block - Rule", "ESCU - Remote Process Instantiation via WinRM and Winrs - Rule", "ESCU - Remote Process Instantiation via WMI - Rule", "ESCU - Remote Process Instantiation via WMI and PowerShell - Rule", "ESCU - Remote Process Instantiation via WMI and PowerShell Script Block - Rule", "ESCU - Scheduled Task Creation on Remote Endpoint using At - Rule", "ESCU - Scheduled Task Initiation on Remote Endpoint - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Services LOLBAS Execution Process Spawn - Rule", "ESCU - Short Lived Scheduled Task - Rule", "ESCU - Short Lived Windows Accounts - Rule", "ESCU - Svchost LOLBAS Execution Process Spawn - Rule", "ESCU - Unusual Number of Computer Service Tickets Requested - Rule", "ESCU - Unusual Number of Remote Endpoint Authentication Events - Rule", "ESCU - Windows Administrative Shares Accessed On Multiple Hosts - Rule", "ESCU - Windows Enable Win32 ScheduledJob via Registry - Rule", "ESCU - Windows Large Number of Computer Service Tickets Requested - Rule", "ESCU - Windows Local Administrator Credential Stuffing - Rule", "ESCU - Windows PowerShell Get CIMInstance Remote Computer - Rule", "ESCU - Windows PowerShell WMI Win32 ScheduledJob - Rule", "ESCU - Windows Rapid Authentication On Multiple Hosts - Rule", "ESCU - Windows RDP Connection Successful - Rule", "ESCU - Windows Remote Create Service - Rule", "ESCU - Windows Service Create with Tscon - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows Service Created Within Public Path - Rule", "ESCU - Windows Service Creation on Remote Endpoint - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule", "ESCU - Windows Service Initiation on Remote Endpoint - Rule", "ESCU - Windows Special Privileged Logon On Multiple Hosts - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - Wmiprsve LOLBAS Execution Process Spawn - Rule", "ESCU - Wsmprovhost LOLBAS Execution Process Spawn - Rule", "ESCU - Remote Desktop Network Traffic - Rule"], "investigation_names": ["Investigate Successful Remote Desktop Authentications"], "baseline_names": [], "author_company": "Mauricio Velazco Splunk", "author_name": "David Dorsey", "detections": [{"name": "Detect Activity Related to Pass the Hash Attacks", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "Use Alternate Authentication Material"}, {"mitre_attack_technique": "Pass the Hash"}]}, {"name": "Active Directory Lateral Movement Identified", "source": "endpoint", "type": "Correlation", "tags": [{"mitre_attack_technique": "Exploitation of Remote Services"}]}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Interactive Session on Remote Endpoint with PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Windows Remote Management"}]}, {"name": "Mmc LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "MMC"}]}, {"name": "Possible Lateral Movement PowerShell Spawn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Remote Management"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "MMC"}]}, {"name": "PowerShell Invoke CIMMethod CIMSession", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "PowerShell Start or Stop Service", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "PowerShell"}]}, {"name": "Randomly Generated Scheduled Task Name", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}, {"name": "Randomly Generated Windows Service Name", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Remote Desktop Process Running On System", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "Remote Process Instantiation via DCOM and PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Distributed Component Object Model"}]}, {"name": "Remote Process Instantiation via DCOM and PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Distributed Component Object Model"}]}, {"name": "Remote Process Instantiation via WinRM and PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Windows Remote Management"}]}, {"name": "Remote Process Instantiation via WinRM and PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Windows Remote Management"}]}, {"name": "Remote Process Instantiation via WinRM and Winrs", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Windows Remote Management"}]}, {"name": "Remote Process Instantiation via WMI", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "Remote Process Instantiation via WMI and PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "Remote Process Instantiation via WMI and PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "Scheduled Task Creation on Remote Endpoint using At", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "At"}]}, {"name": "Scheduled Task Initiation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}, {"name": "Schtasks scheduling job on remote system", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Services LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Short Lived Scheduled Task", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}]}, {"name": "Short Lived Windows Accounts", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}, {"name": "Svchost LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}, {"name": "Unusual Number of Computer Service Tickets Requested", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "Unusual Number of Remote Endpoint Authentication Events", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "Windows Administrative Shares Accessed On Multiple Hosts", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Network Share Discovery"}]}, {"name": "Windows Enable Win32 ScheduledJob via Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Scheduled Task"}]}, {"name": "Windows Large Number of Computer Service Tickets Requested", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Network Share Discovery"}, {"mitre_attack_technique": "Valid Accounts"}]}, {"name": "Windows Local Administrator Credential Stuffing", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Credential Stuffing"}]}, {"name": "Windows PowerShell Get CIMInstance Remote Computer", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "PowerShell"}]}, {"name": "Windows PowerShell WMI Win32 ScheduledJob", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows Rapid Authentication On Multiple Hosts", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Security Account Manager"}]}, {"name": "Windows RDP Connection Successful", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "RDP Hijacking"}]}, {"name": "Windows Remote Create Service", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Windows Service Create with Tscon", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "RDP Hijacking"}, {"mitre_attack_technique": "Remote Service Session Hijacking"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Windows Service Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Windows Service Creation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Services Registry Permissions Weakness"}]}, {"name": "Windows Service Initiation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Windows Special Privileged Logon On Multiple Hosts", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Network Share Discovery"}]}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Wmiprsve LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "Wsmprovhost LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Windows Remote Management"}]}, {"name": "Remote Desktop Network Traffic", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}]}, {"name": "Active Directory Password Spraying", "author": "Mauricio Velazco, Splunk", "date": "2021-04-07", "version": 2, "id": "3de109da-97d2-11eb-8b6a-acde48001122", "description": "Monitor for activities and techniques associated with Password Spraying attacks within Active Directory environments.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://www.microsoft.com/security/blog/2020/04/23/protecting-organization-password-spray-attacks/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn452415(v=ws.11)"], "narrative": "In a password spraying attack, adversaries leverage one or a small list of commonly used / popular passwords against a large volume of usernames to acquire valid account credentials. Unlike a Brute Force attack that targets a specific user or small group of users with a large number of passwords, password spraying follows the opposite aproach and increases the chances of obtaining valid credentials while avoiding account lockouts. This allows adversaries to remain undetected if the target organization does not have the proper monitoring and detection controls in place.\nPassword Spraying can be leveraged by adversaries across different stages in an attack. It can be used to obtain an iniial access to an environment but can also be used to escalate privileges when access has been already achieved. In some scenarios, this technique capitalizes on a security policy most organizations implement, password rotation. As enterprise users change their passwords, it is possible some pick predictable, seasonal passwords such as `$CompanyNameWinter`, `Summer2021`, etc.\nSpecifically, this Analytic Story is focused on detecting possible Password Spraying attacks against Active Directory environments leveraging Windows Event Logs in the `Account Logon` and `Logon/Logoff` Advanced Audit Policy categories. It presents 16 detection analytics which can aid defenders in identifying instances where one source user, source host or source process attempts to authenticate against a target or targets using a high or statiscally unsual, number of unique users. A user, host or process attempting to authenticate with multiple users is not common behavior for legitimate systems and should be monitored by security teams. Possible false positive scenarios include but are not limited to vulnerability scanners, remote administration tools, multi-user systems and missconfigured systems. These should be easily spotted when first implementing the detection and addded to an allow list or lookup table. The presented detections can also be used in Threat Hunting exercises.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.002", "mitre_attack_technique": "Domain Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT5", "Chimera", "Cinnamon Tempest", "Indrik Spider", "Magic Hound", "Naikon", "Sandworm Team", "TA505", "Threat Group-1314", "ToddyCat", "Volt Typhoon", "Wizard Spider"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1078.003", "mitre_attack_technique": "Local Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT32", "FIN10", "FIN7", "HAFNIUM", "Kimsuky", "PROMETHIUM", "Tropic Trooper", "Turla"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider", "Scattered Spider"]}, {"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "APT5", "Dragonfly", "FIN13", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT", "Wizard Spider"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}], "mitre_attack_tactics": ["Initial Access", "Privilege Escalation", "Credential Access", "Persistence", "Defense Evasion"], "datamodels": ["Change"], "kill_chain_phases": ["Installation", "Delivery", "Exploitation"]}, "detection_names": ["ESCU - Detect Excessive Account Lockouts From Endpoint - Rule", "ESCU - Detect Excessive User Account Lockouts - Rule", "ESCU - Windows Create Local Account - Rule", "ESCU - Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos - Rule", "ESCU - Windows Multiple Invalid Users Fail To Authenticate Using Kerberos - Rule", "ESCU - Windows Multiple Invalid Users Failed To Authenticate Using NTLM - Rule", "ESCU - Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials - Rule", "ESCU - Windows Multiple Users Failed To Authenticate From Host Using NTLM - Rule", "ESCU - Windows Multiple Users Failed To Authenticate From Process - Rule", "ESCU - Windows Multiple Users Failed To Authenticate Using Kerberos - Rule", "ESCU - Windows Multiple Users Remotely Failed To Authenticate From Host - Rule", "ESCU - Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM - Rule", "ESCU - Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials - Rule", "ESCU - Windows Unusual Count Of Users Failed To Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Users Failed To Authenticate From Process - Rule", "ESCU - Windows Unusual Count Of Users Failed To Authenticate Using NTLM - Rule", "ESCU - Windows Unusual Count Of Users Remotely Failed To Auth From Host - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Detect Excessive Account Lockouts From Endpoint", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Domain Accounts"}]}, {"name": "Detect Excessive User Account Lockouts", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Local Accounts"}]}, {"name": "Windows Create Local Account", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}, {"name": "Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Multiple Invalid Users Fail To Authenticate Using Kerberos", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Multiple Invalid Users Failed To Authenticate Using NTLM", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Multiple Users Failed To Authenticate From Host Using NTLM", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Multiple Users Failed To Authenticate From Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Multiple Users Failed To Authenticate Using Kerberos", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Multiple Users Remotely Failed To Authenticate From Host", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Unusual Count Of Users Failed To Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Unusual Count Of Users Failed To Authenticate From Process", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Unusual Count Of Users Failed To Authenticate Using NTLM", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Unusual Count Of Users Remotely Failed To Auth From Host", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}]}, {"name": "Active Directory Privilege Escalation", "author": "Mauricio Velazco, Splunk", "date": "2023-03-20", "version": 1, "id": "fa34a5d8-df0a-404c-8237-11f99cba1d5f", "description": "Monitor for activities and techniques associated with Privilege Escalation attacks within Active Directory environments.", "references": ["https://attack.mitre.org/tactics/TA0004/", "https://adsecurity.org/?p=3658", "https://adsecurity.org/?p=2362"], "narrative": "Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities.\nActive Directory is a central component of most enterprise networks, providing authentication and authorization services for users, computers, and other resources. It stores sensitive information such as passwords, user accounts, and security policies, and is therefore a high-value target for attackers. Privilege escalation attacks in Active Directory typically involve exploiting vulnerabilities or misconfigurations across the network to gain elevated privileges, such as Domain Administrator access. Once an attacker has escalated their privileges and taken full control of a domain, they can easily move laterally throughout the network, access sensitive data, and carry out further attacks. Security teams should monitor for privilege escalation attacks in Active Directory to identify a breach before attackers achieve operational success.\nThe following analytic story groups detection opportunities that seek to identify an adversary attempting to escalate privileges in an Active Directory network.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1484", "mitre_attack_technique": "Domain or Tenant Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1550.003", "mitre_attack_technique": "Pass the Ticket", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["APT29", "APT32", "BRONZE BUTLER"]}, {"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.002", "mitre_attack_technique": "Domain Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT5", "Chimera", "Cinnamon Tempest", "Indrik Spider", "Magic Hound", "Naikon", "Sandworm Team", "TA505", "Threat Group-1314", "ToddyCat", "Volt Typhoon", "Wizard Spider"]}, {"mitre_attack_id": "T1135", "mitre_attack_technique": "Network Share Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT32", "APT38", "APT39", "APT41", "Chimera", "DarkVishnya", "Dragonfly", "FIN13", "Sowbug", "Tonto Team", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1484.001", "mitre_attack_technique": "Group Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Cinnamon Tempest", "Indrik Spider"]}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}, {"mitre_attack_id": "T1558.001", "mitre_attack_technique": "Golden Ticket", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Ke3chang"]}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}, {"mitre_attack_id": "T1558.004", "mitre_attack_technique": "AS-REP Roasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1552.006", "mitre_attack_technique": "Group Policy Preferences", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "Wizard Spider"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Initial Access", "Discovery", "Privilege Escalation", "Credential Access", "Persistence", "Defense Evasion", "Lateral Movement"], "datamodels": ["Risk", "Endpoint"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation"]}, "detection_names": ["ESCU - Active Directory Privilege Escalation Identified - Rule", "ESCU - Kerberos Service Ticket Request Using RC4 Encryption - Rule", "ESCU - Rubeus Command Line Parameters - Rule", "ESCU - ServicePrincipalNames Discovery with PowerShell - Rule", "ESCU - ServicePrincipalNames Discovery with SetSPN - Rule", "ESCU - Suspicious Computer Account Name Change - Rule", "ESCU - Suspicious Kerberos Service Ticket Request - Rule", "ESCU - Suspicious Ticket Granting Ticket Request - Rule", "ESCU - Unusual Number of Computer Service Tickets Requested - Rule", "ESCU - Unusual Number of Remote Endpoint Authentication Events - Rule", "ESCU - Windows Administrative Shares Accessed On Multiple Hosts - Rule", "ESCU - Windows Admon Default Group Policy Object Modified - Rule", "ESCU - Windows Admon Group Policy Object Created - Rule", "ESCU - Windows Default Group Policy Object Modified - Rule", "ESCU - Windows Default Group Policy Object Modified with GPME - Rule", "ESCU - Windows DnsAdmins New Member Added - Rule", "ESCU - Windows Domain Admin Impersonation Indicator - Rule", "ESCU - Windows File Share Discovery With Powerview - Rule", "ESCU - Windows Findstr GPP Discovery - Rule", "ESCU - Windows Group Policy Object Created - Rule", "ESCU - Windows Large Number of Computer Service Tickets Requested - Rule", "ESCU - Windows Local Administrator Credential Stuffing - Rule", "ESCU - Windows PowerSploit GPP Discovery - Rule", "ESCU - Windows PowerView AD Access Control List Enumeration - Rule", "ESCU - Windows Rapid Authentication On Multiple Hosts - Rule", "ESCU - Windows Special Privileged Logon On Multiple Hosts - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Active Directory Privilege Escalation Identified", "source": "endpoint", "type": "Correlation", "tags": [{"mitre_attack_technique": "Domain or Tenant Policy Modification"}]}, {"name": "Kerberos Service Ticket Request Using RC4 Encryption", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Golden Ticket"}]}, {"name": "Rubeus Command Line Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Use Alternate Authentication Material"}, {"mitre_attack_technique": "Pass the Ticket"}, {"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}, {"mitre_attack_technique": "AS-REP Roasting"}]}, {"name": "ServicePrincipalNames Discovery with PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Kerberoasting"}]}, {"name": "ServicePrincipalNames Discovery with SetSPN", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Kerberoasting"}]}, {"name": "Suspicious Computer Account Name Change", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Domain Accounts"}]}, {"name": "Suspicious Kerberos Service Ticket Request", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Domain Accounts"}]}, {"name": "Suspicious Ticket Granting Ticket Request", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Domain Accounts"}]}, {"name": "Unusual Number of Computer Service Tickets Requested", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "Unusual Number of Remote Endpoint Authentication Events", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "Windows Administrative Shares Accessed On Multiple Hosts", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Network Share Discovery"}]}, {"name": "Windows Admon Default Group Policy Object Modified", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain or Tenant Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}]}, {"name": "Windows Admon Group Policy Object Created", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain or Tenant Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}]}, {"name": "Windows Default Group Policy Object Modified", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain or Tenant Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}]}, {"name": "Windows Default Group Policy Object Modified with GPME", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain or Tenant Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}]}, {"name": "Windows DnsAdmins New Member Added", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}]}, {"name": "Windows Domain Admin Impersonation Indicator", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}, {"name": "Windows File Share Discovery With Powerview", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Network Share Discovery"}]}, {"name": "Windows Findstr GPP Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Unsecured Credentials"}, {"mitre_attack_technique": "Group Policy Preferences"}]}, {"name": "Windows Group Policy Object Created", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain or Tenant Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}, {"mitre_attack_technique": "Domain Accounts"}]}, {"name": "Windows Large Number of Computer Service Tickets Requested", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Network Share Discovery"}, {"mitre_attack_technique": "Valid Accounts"}]}, {"name": "Windows Local Administrator Credential Stuffing", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Credential Stuffing"}]}, {"name": "Windows PowerSploit GPP Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Unsecured Credentials"}, {"mitre_attack_technique": "Group Policy Preferences"}]}, {"name": "Windows PowerView AD Access Control List Enumeration", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Accounts"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}, {"name": "Windows Rapid Authentication On Multiple Hosts", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Security Account Manager"}]}, {"name": "Windows Special Privileged Logon On Multiple Hosts", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Network Share Discovery"}]}]}, {"name": "Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360", "author": "Michael Haag, Splunk", "date": "2023-08-23", "version": 1, "id": "e33e2e38-f9c2-432d-8be6-bc67b92aa82e", "description": "In July 2023, a significant vulnerability, CVE-2023-29298, affecting Adobe ColdFusion was uncovered by Rapid7, shedding light on an access control bypass mechanism. This vulnerability allows attackers to access sensitive ColdFusion Administrator endpoints by exploiting a flaw in the URL path validation. Disturbingly, this flaw can be chained with another critical vulnerability, CVE-2023-26360, which has been actively exploited. The latter enables unauthorized arbitrary code execution and file reading. Adobe has promptly addressed these vulnerabilities, but the intricacies and potential ramifications of their combination underscore the importance of immediate action by organizations. With active exploitation in the wild and the ability to bypass established security measures, the situation is alarming. Organizations are urged to apply the updates provided by Adobe immediately, considering the active threat landscape and the severe implications of these chained vulnerabilities.", "references": ["https://helpx.adobe.com/security/products/coldfusion/apsb23-25.html", "https://twitter.com/stephenfewer/status/1678881017526886400?s=20", "https://www.rapid7.com/blog/post/2023/07/11/cve-2023-29298-adobe-coldfusion-access-control-bypass", "https://www.bleepingcomputer.com/news/security/cisa-warns-of-adobe-coldfusion-bug-exploited-as-a-zero-day/"], "narrative": "Adobe ColdFusion, a prominent application server, has been thrust into the cybersecurity spotlight due to two intertwined vulnerabilities. The first, CVE-2023-29298, identified by Rapid7 in July 2023, pertains to an access control bypass in ColdFusion's security mechanisms. This flaw allows attackers to access protected ColdFusion Administrator endpoints simply by manipulating the URL path, specifically by inserting an additional forward slash. Compounding the threat is the revelation that CVE-2023-29298 can be chained with CVE-2023-26360, another severe ColdFusion vulnerability. This latter vulnerability, which has seen active exploitation, permits unauthorized attackers to execute arbitrary code or read arbitrary files on the affected system. In practice, an attacker could exploit the access control bypass to access sensitive ColdFusion endpoints and subsequently exploit the arbitrary code execution vulnerability, broadening their control and access over the targeted system. The consequences of these vulnerabilities are manifold. Attackers can potentially login to the ColdFusion Administrator with known credentials, bruteforce their way in, leak sensitive information, or exploit other vulnerabilities in the exposed CFM and CFC files. This combination of vulnerabilities significantly heightens the risk profile for organizations using the affected versions of Adobe ColdFusion. Addressing the urgency, Adobe released fixes for these vulnerabilities in July 2023, urging organizations to update to ColdFusion 2023 GA build, ColdFusion 2021 Update 7, and ColdFusion 2018 Update 17. However, Rapid7's disclosure highlights a potential incomplete fix, suggesting that organizations should remain vigilant and proactive in their security measures.\nIn conclusion, the discovery of these vulnerabilities and their potential to be exploited in tandem presents a significant security challenge. Organizations using Adobe ColdFusion must prioritize the application of security updates, monitor their systems closely for signs of intrusion, and remain updated on any further developments related to these vulnerabilities.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Web"], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - Adobe ColdFusion Access Control Bypass - Rule", "ESCU - Adobe ColdFusion Unauthenticated Arbitrary File Read - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Adobe ColdFusion Access Control Bypass", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}, {"name": "Adobe ColdFusion Unauthenticated Arbitrary File Read", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}]}, {"name": "AgentTesla", "author": "Teoderick Contreras, Splunk", "date": "2022-04-12", "version": 1, "id": "9bb6077a-843e-418b-b134-c57ef997103c", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the AgentTesla malware including .chm application child process, ftp/smtp connection, persistence and many more. AgentTesla is one of the advanced remote access trojans (RAT) that are capable of stealing sensitive information from the infected or targeted host machine. It can collect various types of data, including browser profile information, keystrokes, capture screenshots and vpn credentials. AgentTesla has been active malware since 2014 and often delivered as a malicious attachment in phishing emails.It is also the top malware in 2021 based on the CISA report.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla", "https://cert.gov.ua/article/861292", "https://www.cisa.gov/uscert/ncas/alerts/aa22-216a", "https://www.joesandbox.com/analysis/702680/0/html"], "narrative": "Adversaries or threat actor may use this malware to maximize the impact of infection on the target organization in operations where network wide availability interruption is the goal.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1218.001", "mitre_attack_technique": "Compiled HTML File", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "APT41", "Dark Caracal", "OilRig", "Silence"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1071.003", "mitre_attack_technique": "Mail Protocols", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT28", "APT32", "Kimsuky", "SilverTerrier", "Turla"]}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "APT41", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Malteiro", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1014", "mitre_attack_technique": "Rootkit", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT41", "Rocke", "TeamTNT", "Winnti Group"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Magic Hound", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "Malteiro", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1204.001", "mitre_attack_technique": "Malicious Link", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Command And Control", "Initial Access", "Privilege Escalation", "Credential Access", "Persistence", "Execution", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation", "Command and Control"]}, "detection_names": ["ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - Detect HTML Help Spawn Child Process - Rule", "ESCU - Disabling Remote User Account Control - Rule", "ESCU - Excessive Usage Of Taskkill - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Office Application Drop Executable - Rule", "ESCU - Office Application Spawn rundll32 process - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Office Product Spawning CertUtil - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Driver Loaded Path - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Driver Load Non-Standard Path - Rule", "ESCU - Windows Drivers Loaded by Signature - Rule", "ESCU - Windows File Transfer Protocol In Non-Common Process Path - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Mail Protocol In Non-Common Process Path - Rule", "ESCU - Windows Multi hop Proxy TOR Website Query - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Add or Set Windows Defender Exclusion", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Detect HTML Help Spawn Child Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Compiled HTML File"}]}, {"name": "Disabling Remote User Account Control", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Excessive Usage Of Taskkill", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "Office Application Drop Executable", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Application Spawn rundll32 process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawning CertUtil", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "PowerShell Loading DotNET into Memory via Reflection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Suspicious Driver Loaded Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Windows Driver Load Non-Standard Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Rootkit"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}, {"name": "Windows Drivers Loaded by Signature", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Rootkit"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}, {"name": "Windows File Transfer Protocol In Non-Common Process Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Mail Protocols"}, {"mitre_attack_technique": "Application Layer Protocol"}]}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Malicious Link"}, {"mitre_attack_technique": "User Execution"}]}, {"name": "Windows Mail Protocol In Non-Common Process Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Mail Protocols"}, {"mitre_attack_technique": "Application Layer Protocol"}]}, {"name": "Windows Multi hop Proxy TOR Website Query", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Mail Protocols"}, {"mitre_attack_technique": "Application Layer Protocol"}]}, {"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}]}, {"name": "Amadey", "author": "Teoderick Contreras, Splunk", "date": "2023-06-16", "version": 1, "id": "a919a01b-3ea5-4ed4-9cbe-11cd8b64c36c", "description": "This analytic story contains searches that aims to detect activities related to Amadey, a type of malware that primarily operates as a banking Trojan. It is designed to steal sensitive information such as login credentials, credit card details, and other financial data from infected systems. The malware typically targets Windows-based computers.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey", "https://darktrace.com/blog/amadey-info-stealer-exploiting-n-day-vulnerabilities"], "narrative": "Amadey is one of the active trojans that are capable of stealing sensitive information via its from the infected or targeted host machine. It can collect various types of data, including browser profile information, clipboard data, capture screenshots and system information. Adversaries or threat actors may use this malware to maximize the impact of infection on the target organization in operations where data collection and exfiltration is the goal. The primary function is to steal information and further distribute malware. It aims to extract a variety of information from infected devices and attempts to evade the detection of security measures by reducing the volume of data exfiltration compared to that seen in other malicious instances.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1036.008", "mitre_attack_technique": "Masquerade File Type", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Volt Typhoon"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "APT41", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "Volt Typhoon", "ZIRCONIUM"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1566.002", "mitre_attack_technique": "Spearphishing Link", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1222.001", "mitre_attack_technique": "Windows File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1204.001", "mitre_attack_technique": "Malicious Link", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}], "mitre_attack_tactics": ["Initial Access", "Discovery", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Delivery", "Exploitation"]}, "detection_names": ["ESCU - Detect Outlook exe writing a zip file - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Process Creating LNK file in Suspicious Location - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Process Executed From Container File - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Credentials from Password Stores Chrome Extension Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule", "ESCU - Windows Files and Dirs Access Rights Modification Via Icacls - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Powershell RemoteSigned File - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Detect Outlook exe writing a zip file", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Process Creating LNK file in Suspicious Location", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Link"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Suspicious Process Executed From Container File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Malicious File"}, {"mitre_attack_technique": "Masquerade File Type"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Windows Credentials from Password Stores Chrome Extension Access", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Credentials from Password Stores Chrome LocalState Access", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Credentials from Password Stores Chrome Login Data Access", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Files and Dirs Access Rights Modification Via Icacls", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows File and Directory Permissions Modification"}, {"mitre_attack_technique": "File and Directory Permissions Modification"}]}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Malicious Link"}, {"mitre_attack_technique": "User Execution"}]}, {"name": "Windows Powershell RemoteSigned File", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Scheduled Task"}]}]}, {"name": "Apache Struts Vulnerability", "author": "Rico Valdez, Splunk", "date": "2018-12-06", "version": 1, "id": "2dcfd6a2-e7d2-4873-b6ba-adaf819d2a1e", "description": "Detect and investigate activities--such as unusually long `Content-Type` length, suspicious java classes and web servers executing suspicious processes--consistent with attempts to exploit Apache Struts vulnerabilities.", "references": ["https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.2/dev/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf"], "narrative": "In March of 2017, a remote code-execution vulnerability in the Jakarta Multipart parser in Apache Struts, a widely used open-source framework for creating Java web applications, was disclosed and assigned to CVE-2017-5638. About two months later, hackers exploited the flaw to carry out the world's 5th largest data breach. The target, credit giant Equifax, told investigators that it had become aware of the vulnerability two months before the attack.\nThe exploit involved manipulating the `Content-Type HTTP` header to execute commands embedded in the header.\nThis Analytic Story contains two different searches that help to identify activity that may be related to this issue. The first search looks for characteristics of the `Content-Type` header consistent with attempts to exploit the vulnerability. This should be a relatively pertinent indicator, as the `Content-Type` header is generally consistent and does not have a large degree of variation.\nThe second search looks for the execution of various commands typically entered on the command shell when an attacker first lands on a system. These commands are not generally executed on web servers during the course of day-to-day operation, but they may be used when the system is undergoing maintenance or troubleshooting.\nFirst, it is helpful is to understand how often the notable event is generated, as well as the commonalities in some of these events. This may help determine whether this is a common occurrence that is of a lesser concern or a rare event that may require more extensive investigation. It can also help to understand whether the issue is restricted to a single user or system or is broader in scope.\nWhen looking at the target of the behavior illustrated by the event, you should note the sensitivity of the user and or/system to help determine the potential impact. It is also helpful to see what other events involving the target have occurred in the recent past. This can help tie different events together and give further situational awareness regarding the target.\nVarious types of information for external systems should be reviewed and (potentially) collected if the incident is, indeed, judged to be malicious. Information like this can be useful in generating your own threat intelligence to create alerts in the future.\nLooking at the country, responsible party, and fully qualified domain names associated with the external IP address--as well as the registration information associated with those domain names, if they are frequently visited by others--can help you answer the question of \"who,\" in regard to the external system. Answering that can help qualify the event and may serve useful for tracking. In addition, there are various sources that can provide some reputation information on the IP address or domain name, which can assist in determining if the event is malicious in nature. Finally, determining whether or not there are other events associated with the IP address may help connect some dots or show other events that should be brought into scope.\nGathering various data elements on the system of interest can sometimes help quickly determine that something suspicious may be happening. Some of these items include determining who else may have recently logged into the system, whether any unusual scheduled tasks exist, whether the system is communicating on suspicious ports, whether there are modifications to sensitive registry keys, and whether there are any known vulnerabilities on the system. This information can often highlight other activity commonly seen in attack scenarios or give more information about how the system may have been targeted.\nhen a specific service or application is targeted, it is often helpful to know the associated version to help determine whether or not it is vulnerable to a specific exploit.\nhen it is suspected there is an attack targeting a web server, it is helpful to look at some of the behavior of the web service to see if there is evidence that the service has been compromised. Some indications of this might be network connections to external resources, the web service spawning child processes that are not associated with typical behavior, and whether the service wrote any files that might be malicious in nature.\nIn the event that a suspicious file is found, we can review more information about it to help determine if it is, in fact, malicious. Identifying the file type, any processes that have the file open, what processes created and/or modified the file, and the number of systems that may have this file can help to determine if the file is malicious. Also, determining the file hash and checking it against reputation sources, such as VirusTotal, can sometimes quickly help determine whether it is malicious in nature.\nOften, a simple inspection of a suspect process name and path can tell you if the system has been compromised. For example, if `svchost.exe` is found running from a location other than `C:\\Windows\\System32`, it is likely something malicious designed to hide in plain sight when simply reviewing process names. Similarly, if the process itself seems legitimate, but the parent process is running from the temporary browser cache, there may be activity initiated via a compromised website the user visited.\nIt can also be very helpful to examine various behaviors of the process of interest or the parent of the process that is of interest. For example, if it turns out that the process of interest is malicious, it would be good to see if the parent to that process spawned other processes that might also be worth further scrutiny. If a process is suspect, reviewing the network connections made around the time of the event and/or if the process spawned any child processes could be helpful in determining whether it is malicious or executing a malicious script.", "tags": {"category": ["Vulnerability"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1082", "mitre_attack_technique": "System Information Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT19", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "Blue Mockingbird", "Chimera", "Confucius", "Darkhotel", "FIN13", "FIN8", "Gamaredon Group", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Malteiro", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Sowbug", "Stealth Falcon", "TA2541", "TeamTNT", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Windigo", "Windshift", "Wizard Spider", "ZIRCONIUM", "admin@338"]}], "mitre_attack_tactics": ["Discovery"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Suspicious Java Classes - Rule", "ESCU - Web Servers Executing Suspicious Processes - Rule", "ESCU - Unusually Long Content-Type Length - Rule"], "investigation_names": ["Get Notable History", "Investigate Suspicious Strings in HTTP Header", "Investigate Web POSTs From src"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Suspicious Java Classes", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Web Servers Executing Suspicious Processes", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "System Information Discovery"}]}, {"name": "Unusually Long Content-Type Length", "source": "network", "type": "Anomaly", "tags": []}]}, {"name": "APT29 Diplomatic Deceptions with WINELOADER", "author": "Michael Haag, splunk", "date": "2024-03-26", "version": 1, "id": "7cb5fdb5-4c36-4721-8b0a-4cc5e78afadd", "description": "APT29, a sophisticated threat actor linked to the Russian SVR, has expanded its cyber espionage activities to target European diplomats and German political parties. Utilizing a novel backdoor variant, WINELOADER, these campaigns leverage diplomatic-themed lures to initiate infection chains, demonstrating APT29's evolving tactics and interest in geopolitical intelligence. The operations, marked by their low volume and high precision, underscore the broad threat APT29 poses to Western political and diplomatic entities.", "references": ["https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties", "https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader"], "narrative": "APT29, also known as Cozy Bear, has historically focused on espionage activities aligned with Russian intelligence interests. In recent campaigns, APT29 has notably shifted its operational focus, targeting not only its traditional diplomatic missions but also expanding into the political domain, specifically German political parties. These campaigns have been characterized by the deployment of WINELOADER, a sophisticated backdoor that facilitates the exfiltration of sensitive information. The use of themed lures, such as invitations from the Ambassador of India and CDU-themed documents, highlights APT29's strategic use of social engineering to compromise targets. The operations against European diplomats and German political entities reveal APT29's adaptive tactics and its persistent effort to gather intelligence that could influence Russia's geopolitical strategy. The precision of these attacks, coupled with the use of compromised websites for command and control, underscores the evolving threat landscape and the need for heightened cybersecurity vigilance among potential targets.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1140", "mitre_attack_technique": "Deobfuscate/Decode Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT39", "BRONZE BUTLER", "Cinnamon Tempest", "Darkhotel", "Earth Lusca", "FIN13", "Gamaredon Group", "Gorgon Group", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Malteiro", "Molerats", "MuddyWater", "OilRig", "Rocke", "Sandworm Team", "TA505", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "WIRTE", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Cinnamon Tempest", "Earth Lusca", "FIN13", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA2541", "TA551"]}], "mitre_attack_tactics": ["Persistence", "Privilege Escalation", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - CertUtil With Decode Argument - Rule", "ESCU - Windows MSHTA Writing to World Writable Path - Rule", "ESCU - Windows Process Writing File to World Writable Path - Rule", "ESCU - Windows SqlWriter SQLDumper DLL Sideload - Rule", "ESCU - Windows Unsigned MS DLL Side-Loading - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "splunk", "author_name": "Michael Haag", "detections": [{"name": "CertUtil With Decode Argument", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Deobfuscate/Decode Files or Information"}]}, {"name": "Windows MSHTA Writing to World Writable Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Mshta"}]}, {"name": "Windows Process Writing File to World Writable Path", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Mshta"}]}, {"name": "Windows SqlWriter SQLDumper DLL Sideload", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "DLL Side-Loading"}]}, {"name": "Windows Unsigned MS DLL Side-Loading", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}]}, {"name": "Asset Tracking", "author": "Bhavin Patel, Splunk", "date": "2017-09-13", "version": 1, "id": "91c676cf-0b23-438d-abee-f6335e1fce77", "description": "Keep a careful inventory of every asset on your network to make it easier to detect rogue devices. Unauthorized/unmanaged devices could be an indication of malicious behavior that should be investigated further.", "references": ["https://www.cisecurity.org/controls/inventory-of-authorized-and-unauthorized-devices/"], "narrative": "This Analytic Story is designed to help you develop a better understanding of what authorized and unauthorized devices are part of your enterprise. This story can help you better categorize and classify assets, providing critical business context and awareness of their assets during an incident. Information derived from this Analytic Story can be used to better inform and support other analytic stories. For successful detection, you will need to leverage the Assets and Identity Framework from Enterprise Security to populate your known assets.", "tags": {"category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Unauthorized Assets by MAC address - Rule"], "investigation_names": ["Get First Occurrence and Last Occurrence of a MAC Address", "Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect Unauthorized Assets by MAC address", "source": "network", "type": "TTP", "tags": []}]}, {"name": "AsyncRAT", "author": "Teoderick Contreras, Splunk", "date": "2023-01-24", "version": 1, "id": "d7053072-7dd2-4874-8314-bfcbc99978a4", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the AsyncRAT malware including mshta application child process, bat loader execution, persistence and many more. AsyncRAT is an open source remote administration tool released last 2019. It's designed to remotely control computers via an encrypted connection, with view screen, keylogger, chat communication, persistence, defense evasion (e.g. Windows defender), DOS attack and many more.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat", "https://www.netskope.com/blog/asyncrat-using-fully-undetected-downloader"], "narrative": "although this project contains legal disclaimer, Adversaries or threat actors are popularly used in some attacks. This malware recently came across a Fully undetected batch script loader that downloads and loads the AsyncRAT from its C2 server. The batch script is obfuscated and will load a powershell loader that will decode and decrypt (AES256) the actual AsyncRAT malware.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.005", "mitre_attack_technique": "Visual Basic", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT33", "APT37", "APT38", "APT39", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Earth Lusca", "FIN13", "FIN4", "FIN7", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "Transparent Tribe", "Turla", "WIRTE", "Windshift"]}, {"mitre_attack_id": "T1055.001", "mitre_attack_technique": "Dynamic-link Library Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["BackdoorDiplomacy", "Lazarus Group", "Leviathan", "Malteiro", "Putter Panda", "TA505", "Tropic Trooper", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1134.002", "mitre_attack_technique": "Create Process with Token", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Lazarus Group", "Turla"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Reconnaissance", "Initial Access", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Reconnaissance", "Installation", "Exploitation"]}, "detection_names": ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Execution of File with Multiple Extensions - Rule", "ESCU - Loading Of Dynwrapx Module - Rule", "ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Powershell Processing Stream Of Data - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Vbscript Execution Using Wscript App - Rule", "ESCU - Windows Access Token Manipulation SeDebugPrivilege - Rule", "ESCU - Windows Powershell Cryptography Namespace - Rule", "ESCU - Windows Scheduled Task with Highest Privileges - Rule", "ESCU - Windows Spearphishing Attachment Connect To None MS Office Domain - Rule", "ESCU - Windows Spearphishing Attachment Onenote Spawn Mshta - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Execution of File with Multiple Extensions", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}, {"name": "Loading Of Dynwrapx Module", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Dynamic-link Library Injection"}]}, {"name": "Malicious PowerShell Process - Execution Policy Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "PowerShell Loading DotNET into Memory via Reflection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Powershell Processing Stream Of Data", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Gather Victim Host Information"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Regsvr32 Silent and Install Param Dll Loading", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Suspicious Copy on System32", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "Masquerading"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Vbscript Execution Using Wscript App", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Visual Basic"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows Access Token Manipulation SeDebugPrivilege", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Create Process with Token"}, {"mitre_attack_technique": "Access Token Manipulation"}]}, {"name": "Windows Powershell Cryptography Namespace", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows Scheduled Task with Highest Privileges", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}, {"name": "Windows Spearphishing Attachment Connect To None MS Office Domain", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}, {"name": "Windows Spearphishing Attachment Onenote Spawn Mshta", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Scheduled Task"}]}]}, {"name": "Atlassian Confluence Server and Data Center CVE-2022-26134", "author": "Michael Haag, Splunk", "date": "2022-06-03", "version": 1, "id": "91623a50-41fa-4c4e-8637-c239b80ff439", "description": "On June 2, security researchers at Volexity published a blog outlining the discovery of an unauthenticated remote code execution zero day vulnerability (CVE-2022-26134) being actively exploited in Atlassian Confluence Server and Data Center instances in the wild. Atlassian released a fix within 24 hours of the blog''s release.", "references": ["https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html", "https://www.splunk.com/en_us/blog/security/atlassian-confluence-vulnerability-cve-2022-26134.html", "https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/", "https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/"], "narrative": "Atlassian describes the vulnerability as an Object-Graph Navigation Language (OGNL) injection allowing an unauthenticated user to execute arbitrary code on a Confluence Server or Data Server instance. Volexity did not release proof-of-concept (POC) exploit code, but researchers there have observed coordinated, widespread exploitation. Volexity first discovered the vulnerability over the weekend on two Internet-facing web servers running Confluence Server software. The investigation was due to suspicious activity on the hosts, including JSP webshells that were written to disk.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Application Security", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}], "mitre_attack_tactics": ["Persistence", "Initial Access"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Delivery"]}, "detection_names": ["ESCU - Java Writing JSP File - Rule", "ESCU - Confluence Unauthenticated Remote Code Execution CVE-2022-26134 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Java Writing JSP File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Confluence Unauthenticated Remote Code Execution CVE-2022-26134", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}]}, {"name": "AwfulShred", "author": "Teoderick Contreras, Splunk", "date": "2023-01-24", "version": 1, "id": "e36935ce-f48c-4fb2-8109-7e80c1cdc9e2", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the AwfulShred malware including wiping files, process kill, system reboot via system request, shred, and service stops.", "references": ["https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/", "https://cert.gov.ua/article/3718487"], "narrative": "AwfulShred is a malicious linux shell script designed to corrupt or wipe the linux targeted system. It uses shred command to overwrite files and to increase data damage. This obfuscated malicious script can also disable and corrupts apache, HTTP and SSH services, deactivate swap files, clear bash history and finally reboot the system.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1200", "mitre_attack_technique": "Hardware Additions", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["DarkVishnya"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1053.006", "mitre_attack_technique": "Systemd Timers", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}], "mitre_attack_tactics": ["Initial Access", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Impact"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Linux Data Destruction Command - Rule", "ESCU - Linux Deleting Critical Directory Using RM Command - Rule", "ESCU - Linux Deletion Of Services - Rule", "ESCU - Linux Disable Services - Rule", "ESCU - Linux Hardware Addition SwapOff - Rule", "ESCU - Linux Impair Defenses Process Kill - Rule", "ESCU - Linux Indicator Removal Clear Cache - Rule", "ESCU - Linux Indicator Removal Service File Deletion - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Shred Overwrite Command - Rule", "ESCU - Linux Stop Services - Rule", "ESCU - Linux System Reboot Via System Request Key - Rule", "ESCU - Linux Unix Shell Enable All SysRq Functions - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Linux Data Destruction Command", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Linux Deleting Critical Directory Using RM Command", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Linux Deletion Of Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Linux Disable Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Service Stop"}]}, {"name": "Linux Hardware Addition SwapOff", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Hardware Additions"}]}, {"name": "Linux Impair Defenses Process Kill", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Linux Indicator Removal Clear Cache", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Linux Indicator Removal Service File Deletion", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Linux Service Restarted", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Shred Overwrite Command", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Linux Stop Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Service Stop"}]}, {"name": "Linux System Reboot Via System Request Key", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Shutdown/Reboot"}]}, {"name": "Linux Unix Shell Enable All SysRq Functions", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Unix Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}]}, {"name": "AWS Cross Account Activity", "author": "David Dorsey, Splunk", "date": "2018-06-04", "version": 1, "id": "2f2f610a-d64d-48c2-b57c-967a2b49ab5a", "description": "Track when a user assumes an IAM role in another AWS account to obtain cross-account access to services and resources in that account. Accessing new roles could be an indication of malicious activity.", "references": ["https://aws.amazon.com/blogs/security/aws-cloudtrail-now-tracks-cross-account-activity-to-its-origin/"], "narrative": "Amazon Web Services (AWS) admins manage access to AWS resources and services across the enterprise using AWS's Identity and Access Management (IAM) functionality. IAM provides the ability to create and manage AWS users, groups, and roles-each with their own unique set of privileges and defined access to specific resources (such as EC2 instances, the AWS Management Console, API, or the command-line interface). Unlike conventional (human) users, IAM roles are assumable by anyone in the organization. They provide users with dynamically created temporary security credentials that expire within a set time period.\nHerein lies the rub. In between the time between when the temporary credentials are issued and when they expire is a period of opportunity, where a user could leverage the temporary credentials to wreak havoc-spin up or remove instances, create new users, elevate privileges, and other malicious activities-throughout the environment.\nThis Analytic Story includes searches that will help you monitor your AWS CloudTrail logs for evidence of suspicious cross-account activity. For example, while accessing multiple AWS accounts and roles may be perfectly valid behavior, it may be suspicious when an account requests privileges of an account it has not accessed in the past. After identifying suspicious activities, you can use the provided investigative searches to help you probe more deeply.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Persistence", "Privilege Escalation", "Initial Access", "Defense Evasion"], "datamodels": [], "kill_chain_phases": ["Installation", "Delivery", "Exploitation"]}, "detection_names": ["ESCU - aws detect attach to role policy - Rule", "ESCU - aws detect permanent key creation - Rule", "ESCU - aws detect role creation - Rule", "ESCU - aws detect sts assume role abuse - Rule", "ESCU - aws detect sts get session token abuse - Rule"], "investigation_names": ["AWS Investigate User Activities By AccessKeyId", "Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "aws detect attach to role policy", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "aws detect permanent key creation", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "aws detect role creation", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "aws detect sts assume role abuse", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "aws detect sts get session token abuse", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Use Alternate Authentication Material"}]}]}, {"name": "AWS Defense Evasion", "author": "Gowthamaraj Rajendran, Splunk", "date": "2022-07-15", "version": 1, "id": "4e00b690-293f-434d-a9d8-bcfb2ea5fff9", "description": "Identify activity and techniques associated with the Evasion of Defenses within AWS, such as Disabling CloudTrail, Deleting CloudTrail and many others.", "references": ["https://attack.mitre.org/tactics/TA0005/"], "narrative": "Adversaries employ a variety of techniques in order to avoid detection and operate without barriers. This often involves modifying the configuration of security monitoring tools to get around them or explicitly disabling them to prevent them from running. This Analytic Story includes analytics that identify activity consistent with adversaries attempting to disable various security mechanisms on AWS. Such activity may involve deleting the CloudTrail logs , as this is where all the AWS logs get stored or explicitly changing the retention policy of S3 buckets. Other times, adversaries attempt deletion of a specified AWS CloudWatch log group.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.008", "mitre_attack_technique": "Disable or Modify Cloud Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Web"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - ASL AWS Defense Evasion Delete Cloudtrail - Rule", "ESCU - ASL AWS Defense Evasion Delete CloudWatch Log Group - Rule", "ESCU - ASL AWS Defense Evasion Impair Security Services - Rule", "ESCU - ASL AWS Defense Evasion Stop Logging Cloudtrail - Rule", "ESCU - ASL AWS Defense Evasion Update Cloudtrail - Rule", "ESCU - AWS Defense Evasion Delete Cloudtrail - Rule", "ESCU - AWS Defense Evasion Delete CloudWatch Log Group - Rule", "ESCU - AWS Defense Evasion Impair Security Services - Rule", "ESCU - AWS Defense Evasion PutBucketLifecycle - Rule", "ESCU - AWS Defense Evasion Stop Logging Cloudtrail - Rule", "ESCU - AWS Defense Evasion Update Cloudtrail - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Gowthamaraj Rajendran", "detections": [{"name": "ASL AWS Defense Evasion Delete Cloudtrail", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Cloud Logs"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "ASL AWS Defense Evasion Delete CloudWatch Log Group", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Disable or Modify Cloud Logs"}]}, {"name": "ASL AWS Defense Evasion Impair Security Services", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Disable or Modify Cloud Logs"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "ASL AWS Defense Evasion Stop Logging Cloudtrail", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Cloud Logs"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "ASL AWS Defense Evasion Update Cloudtrail", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Disable or Modify Cloud Logs"}]}, {"name": "AWS Defense Evasion Delete Cloudtrail", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Cloud Logs"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "AWS Defense Evasion Delete CloudWatch Log Group", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Disable or Modify Cloud Logs"}]}, {"name": "AWS Defense Evasion Impair Security Services", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Disable or Modify Cloud Logs"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "AWS Defense Evasion PutBucketLifecycle", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Disable or Modify Cloud Logs"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "AWS Defense Evasion Stop Logging Cloudtrail", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Cloud Logs"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "AWS Defense Evasion Update Cloudtrail", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Disable or Modify Cloud Logs"}]}]}, {"name": "AWS IAM Privilege Escalation", "author": "Bhavin Patel, Splunk", "date": "2021-03-08", "version": 1, "id": "ced74200-8465-4bc3-bd2c-22782eec6750", "description": "This analytic story contains detections that query your AWS Cloudtrail for activities related to privilege escalation.", "references": ["https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/", "https://www.cyberark.com/resources/threat-research-blog/the-cloud-shadow-admin-threat-10-permissions-to-protect", "https://labs.bishopfox.com/tech-blog/privilege-escalation-in-aws"], "narrative": "Amazon Web Services provides a neat feature called Identity and Access Management (IAM) that enables organizations to manage various AWS services and resources in a secure way. All IAM users have roles, groups and policies associated with them which governs and sets permissions to allow a user to access specific restrictions.\nHowever, if these IAM policies are misconfigured and have specific combinations of weak permissions; it can allow attackers to escalate their privileges and further compromise the organization. Rhino Security Labs have published comprehensive blogs detailing various AWS Escalation methods. By using this as an inspiration, Splunks research team wants to highlight how these attack vectors look in AWS Cloudtrail logs and provide you with detection queries to uncover these potentially malicious events via this Analytic Story. ", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1201", "mitre_attack_technique": "Password Policy Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "OilRig", "Turla"]}, {"mitre_attack_id": "T1069.003", "mitre_attack_technique": "Cloud Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider", "Scattered Spider"]}, {"mitre_attack_id": "T1580", "mitre_attack_technique": "Cloud Infrastructure Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Scattered Spider"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}], "mitre_attack_tactics": ["Initial Access", "Discovery", "Privilege Escalation", "Credential Access", "Persistence", "Defense Evasion"], "datamodels": [], "kill_chain_phases": ["Delivery", "Installation", "Exploitation"]}, "detection_names": ["ESCU - ASL AWS IAM Delete Policy - Rule", "ESCU - ASL AWS IAM Failure Group Deletion - Rule", "ESCU - ASL AWS IAM Successful Group Deletion - Rule", "ESCU - AWS Create Policy Version to allow all resources - Rule", "ESCU - AWS CreateAccessKey - Rule", "ESCU - AWS CreateLoginProfile - Rule", "ESCU - AWS IAM Assume Role Policy Brute Force - Rule", "ESCU - AWS IAM Delete Policy - Rule", "ESCU - AWS IAM Failure Group Deletion - Rule", "ESCU - AWS IAM Successful Group Deletion - Rule", "ESCU - AWS Password Policy Changes - Rule", "ESCU - AWS SetDefaultPolicyVersion - Rule", "ESCU - AWS UpdateLoginProfile - Rule", "ESCU - ASL AWS CreateAccessKey - Rule", "ESCU - ASL AWS Password Policy Changes - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "ASL AWS IAM Delete Policy", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Account Manipulation"}]}, {"name": "ASL AWS IAM Failure Group Deletion", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Account Manipulation"}]}, {"name": "ASL AWS IAM Successful Group Deletion", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cloud Groups"}, {"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}, {"name": "AWS Create Policy Version to allow all resources", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}, {"name": "AWS CreateAccessKey", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}, {"name": "AWS CreateLoginProfile", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}, {"name": "AWS IAM Assume Role Policy Brute Force", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Cloud Infrastructure Discovery"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "AWS IAM Delete Policy", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Account Manipulation"}]}, {"name": "AWS IAM Failure Group Deletion", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Account Manipulation"}]}, {"name": "AWS IAM Successful Group Deletion", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cloud Groups"}, {"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}, {"name": "AWS Password Policy Changes", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Password Policy Discovery"}]}, {"name": "AWS SetDefaultPolicyVersion", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}, {"name": "AWS UpdateLoginProfile", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}, {"name": "ASL AWS CreateAccessKey", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "ASL AWS Password Policy Changes", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "Password Policy Discovery"}]}]}, {"name": "AWS Identity and Access Management Account Takeover", "author": "Gowthamaraj Rajendran, Bhavin Patel, Splunk", "date": "2022-08-19", "version": 2, "id": "4210b690-293f-411d-a9d8-bcfb2ea5fff9", "description": "Identify activity and techniques associated with accessing credential files from AWS resources, monitor unusual authentication related activities to the AWS Console and other services such as RDS.", "references": ["https://attack.mitre.org/tactics/TA0006/"], "narrative": "Amazon Web Services provides a web service known as Identity and Access Management(IAM) for controlling and securly managing various AWS resources. This is basically the foundation of how users in AWS interact with various resources/services in cloud and vice versa. Account Takeover (ATO) is an attack whereby cybercriminals gain unauthorized access to online accounts by using different techniques like brute force, social engineering, phishing & spear phishing, credential stuffing, etc. Adversaries employ a variety of techniques to steal AWS Cloud credentials like account names, passwords and keys and takeover legitmate user accounts. Usage of legitimate keys will assist the attackers to gain access to other sensitive system and they can also mimic legitimate behaviour making them harder to be detected. Such activity may involve multiple failed login to the console, new console logins and password reset activities.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1556.006", "mitre_attack_technique": "Multi-Factor Authentication", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["Scattered Spider"]}, {"mitre_attack_id": "T1201", "mitre_attack_technique": "Password Policy Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1185", "mitre_attack_technique": "Browser Session Hijacking", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.001", "mitre_attack_technique": "Password Guessing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Initial Access", "Collection", "Resource Development", "Discovery", "Credential Access", "Privilege Escalation", "Persistence", "Defense Evasion"], "datamodels": ["Authentication"], "kill_chain_phases": ["Delivery", "Installation", "Weaponization", "Exploitation"]}, "detection_names": ["ESCU - ASL AWS Concurrent Sessions From Different Ips - Rule", "ESCU - ASL AWS Multi-Factor Authentication Disabled - Rule", "ESCU - ASL AWS New MFA Method Registered For User - Rule", "ESCU - AWS Concurrent Sessions From Different Ips - Rule", "ESCU - AWS Console Login Failed During MFA Challenge - Rule", "ESCU - AWS Credential Access Failed Login - Rule", "ESCU - AWS Credential Access GetPasswordData - Rule", "ESCU - AWS Credential Access RDS Password reset - Rule", "ESCU - AWS High Number Of Failed Authentications For User - Rule", "ESCU - AWS High Number Of Failed Authentications From Ip - Rule", "ESCU - AWS Multi-Factor Authentication Disabled - Rule", "ESCU - AWS Multiple Failed MFA Requests For User - Rule", "ESCU - AWS Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - AWS New MFA Method Registered For User - Rule", "ESCU - AWS Successful Single-Factor Authentication - Rule", "ESCU - AWS Unusual Number of Failed Authentications From Ip - Rule", "ESCU - Detect AWS Console Login by New User - Rule", "ESCU - Detect AWS Console Login by User from New City - Rule", "ESCU - Detect AWS Console Login by User from New Country - Rule", "ESCU - Detect AWS Console Login by User from New Region - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Bhavin Patel, Splunk", "author_name": "Gowthamaraj Rajendran", "detections": [{"name": "ASL AWS Concurrent Sessions From Different Ips", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Browser Session Hijacking"}]}, {"name": "ASL AWS Multi-Factor Authentication Disabled", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}, {"mitre_attack_technique": "Modify Authentication Process"}, {"mitre_attack_technique": "Multi-Factor Authentication"}]}, {"name": "ASL AWS New MFA Method Registered For User", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Authentication Process"}, {"mitre_attack_technique": "Multi-Factor Authentication"}]}, {"name": "AWS Concurrent Sessions From Different Ips", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Browser Session Hijacking"}]}, {"name": "AWS Console Login Failed During MFA Challenge", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}, {"name": "AWS Credential Access Failed Login", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Guessing"}]}, {"name": "AWS Credential Access GetPasswordData", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Guessing"}]}, {"name": "AWS Credential Access RDS Password reset", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "AWS High Number Of Failed Authentications For User", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Policy Discovery"}]}, {"name": "AWS High Number Of Failed Authentications From Ip", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}, {"name": "AWS Multi-Factor Authentication Disabled", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}, {"mitre_attack_technique": "Modify Authentication Process"}, {"mitre_attack_technique": "Multi-Factor Authentication"}]}, {"name": "AWS Multiple Failed MFA Requests For User", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}, {"name": "AWS Multiple Users Failing To Authenticate From Ip", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}, {"name": "AWS New MFA Method Registered For User", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Authentication Process"}, {"mitre_attack_technique": "Multi-Factor Authentication"}]}, {"name": "AWS Successful Single-Factor Authentication", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}]}, {"name": "AWS Unusual Number of Failed Authentications From Ip", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}, {"name": "Detect AWS Console Login by New User", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unsecured Credentials"}]}, {"name": "Detect AWS Console Login by User from New City", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}, {"name": "Detect AWS Console Login by User from New Country", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}, {"name": "Detect AWS Console Login by User from New Region", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}]}, {"name": "AWS Network ACL Activity", "author": "Bhavin Patel, Splunk", "date": "2018-05-21", "version": 2, "id": "2e8948a5-5239-406b-b56b-6c50ff268af4", "description": "Monitor your AWS network infrastructure for bad configurations and malicious activity. Investigative searches help you probe deeper, when the facts warrant it.", "references": ["https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Appendix_NACLs.html", "https://aws.amazon.com/blogs/security/how-to-help-prepare-for-ddos-attacks-by-reducing-your-attack-surface/"], "narrative": "AWS CloudTrail is an AWS service that helps you enable governance, compliance, and operational/risk auditing of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. It is crucial for a company to monitor events and actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs to ensure that your servers are not vulnerable to attacks. This analytic story contains detection searches that leverage CloudTrail logs from AWS to check for bad configurations and malicious activity in your AWS network access controls.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.007", "mitre_attack_technique": "Disable or Modify Cloud Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": [], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - AWS Network Access Control List Created with All Open Ports - Rule", "ESCU - AWS Network Access Control List Deleted - Rule", "ESCU - Detect Spike in blocked Outbound Traffic from your AWS - Rule", "ESCU - Cloud Network Access Control List Deleted - Rule", "ESCU - Detect Spike in Network ACL Activity - Rule"], "investigation_names": ["AWS Investigate User Activities By ARN", "AWS Network ACL Details from ID", "AWS Network Interface details via resourceId", "Get All AWS Activity From IP Address", "Get DNS Server History for a host", "Get DNS traffic ratio", "Get Notable History", "Get Process Info", "Get Process Information For Port Activity", "Get Process Responsible For The DNS Traffic"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "AWS Network Access Control List Created with All Open Ports", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Cloud Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "AWS Network Access Control List Deleted", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify Cloud Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Detect Spike in blocked Outbound Traffic from your AWS", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Cloud Network Access Control List Deleted", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "Detect Spike in Network ACL Activity", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify Cloud Firewall"}]}]}, {"name": "AWS Security Hub Alerts", "author": "Bhavin Patel, Splunk", "date": "2020-08-04", "version": 1, "id": "2f2f610a-d64d-48c2-b57c-96722b49ab5a", "description": "This story is focused around detecting Security Hub alerts generated from AWS", "references": ["https://aws.amazon.com/security-hub/features/"], "narrative": "AWS Security Hub collects and consolidates findings from AWS security services enabled in your environment, such as intrusion detection findings from Amazon GuardDuty, vulnerability scans from Amazon Inspector, S3 bucket policy findings from Amazon Macie, publicly accessible and cross-account resources from IAM Access Analyzer, and resources lacking WAF coverage from AWS Firewall Manager.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Spike in AWS Security Hub Alerts for EC2 Instance - Rule", "ESCU - Detect Spike in AWS Security Hub Alerts for User - Rule"], "investigation_names": ["AWS Investigate User Activities By ARN", "Get EC2 Instance Details by instanceId", "Get EC2 Launch Details"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect Spike in AWS Security Hub Alerts for EC2 Instance", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Detect Spike in AWS Security Hub Alerts for User", "source": "cloud", "type": "Anomaly", "tags": []}]}, {"name": "AWS User Monitoring", "author": "Bhavin Patel, Splunk", "date": "2018-03-12", "version": 1, "id": "2e8948a5-5239-406b-b56b-6c50f1269af3", "description": "Detect and investigate dormant user accounts for your AWS environment that have become active again. Because inactive and ad-hoc accounts are common attack targets, it's critical to enable governance within your environment.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf", "https://redlock.io/blog/cryptojacking-tesla"], "narrative": "It seems obvious that it is critical to monitor and control the users who have access to your cloud infrastructure. Nevertheless, it's all too common for enterprises to lose track of ad-hoc accounts, leaving their servers vulnerable to attack. In fact, this was the very oversight that led to Tesla's cryptojacking attack in February, 2018.\nIn addition to compromising the security of your data, when bad actors leverage your compute resources, it can incur monumental costs, since you will be billed for any new EC2 instances and increased bandwidth usage.\nFortunately, you can leverage Amazon Web Services (AWS) CloudTrail--a tool that helps you enable governance, compliance, and risk auditing of your AWS account--to give you increased visibility into your user and resource activity by recording AWS Management Console actions and API calls. You can identify which users and accounts called AWS, the source IP address from which the calls were made, and when the calls occurred.\nThe detection searches in this Analytic Story are designed to help you uncover AWS API activities from users not listed in the identity table, as well as similar activities from disabled accounts.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1526", "mitre_attack_technique": "Cloud Service Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}], "mitre_attack_tactics": ["Initial Access", "Discovery", "Privilege Escalation", "Persistence", "Defense Evasion"], "datamodels": [], "kill_chain_phases": ["Delivery", "Installation", "Exploitation"]}, "detection_names": ["ESCU - AWS Excessive Security Scanning - Rule", "ESCU - ASL AWS Excessive Security Scanning - Rule", "ESCU - Detect API activity from users without MFA - Rule", "ESCU - Detect AWS API Activities From Unapproved Accounts - Rule", "ESCU - Detect new API calls from user roles - Rule", "ESCU - Detect Spike in AWS API Activity - Rule", "ESCU - Detect Spike in Security Group Activity - Rule"], "investigation_names": ["Get Notable History", "Investigate AWS User Activities by user field"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "AWS Excessive Security Scanning", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Cloud Service Discovery"}]}, {"name": "ASL AWS Excessive Security Scanning", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Service Discovery"}]}, {"name": "Detect API activity from users without MFA", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Detect AWS API Activities From Unapproved Accounts", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cloud Accounts"}]}, {"name": "Detect new API calls from user roles", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Accounts"}]}, {"name": "Detect Spike in AWS API Activity", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Accounts"}]}, {"name": "Detect Spike in Security Group Activity", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Accounts"}]}]}, {"name": "Azorult", "author": "Teoderick Contreras, Splunk", "date": "2022-06-09", "version": 1, "id": "efed5343-4ac2-42b1-a16d-da2428d0ce94", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Azorult malware including firewall modification, icacl execution, spawning more process, botnet c2 communication, defense evasion and etc. The AZORULT malware was first discovered in 2016 to be an information stealer that steals browsing history, cookies, ID/passwords, cryptocurrency information and more. It can also be a downloader of other malware. A variant of this malware was able to create a new, hidden administrator account on the machine to set a registry key to establish a Remote Desktop Protocol (RDP) connection. Exploit kits such as Fallout Exploit Kit (EK) and phishing mails with social engineering technique are one of the major infection vectors of the AZORult malware. The current malspam and phishing emails use fake product order requests, invoice documents and payment information requests. This Trojan-Spyware connects to Command And Control (C&C) servers of attacker to send and receive information.", "references": ["https://success.trendmicro.com/dcx/s/solution/000146108-azorult-malware-information?language=en_US&sfdcIFrameOrigin=null", "https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "narrative": "Adversaries may use this technique to maximize the impact on the target organization in operations where network wide availability interruption is the goal.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1219", "mitre_attack_technique": "Remote Access Software", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Akira", "Carbanak", "Cobalt Group", "DarkVishnya", "Evilnum", "FIN7", "GOLD SOUTHFIELD", "Kimsuky", "MuddyWater", "Mustang Panda", "RTM", "Sandworm Team", "Scattered Spider", "TeamTNT", "Thrip"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "APT5", "Dragonfly", "FIN13", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT", "Wizard Spider"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider", "Scattered Spider"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "APT5", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1590", "mitre_attack_technique": "Gather Victim Network Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["HAFNIUM"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1222.001", "mitre_attack_technique": "Windows File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1590.005", "mitre_attack_technique": "IP Addresses", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["Andariel", "HAFNIUM", "Magic Hound"]}, {"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "APT5", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1531", "mitre_attack_technique": "Account Access Removal", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Akira", "LAPSUS$"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1564.001", "mitre_attack_technique": "Hidden Files and Directories", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "FIN13", "HAFNIUM", "Lazarus Group", "LuminousMoth", "Mustang Panda", "Rocke", "Transparent Tribe", "Tropic Trooper"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "APT41", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Malteiro", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Magic Hound", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "Malteiro", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1564", "mitre_attack_technique": "Hide Artifacts", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT", "ToddyCat"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1204.001", "mitre_attack_technique": "Malicious Link", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Reconnaissance", "Command And Control", "Initial Access", "Discovery", "Privilege Escalation", "Credential Access", "Persistence", "Execution", "Defense Evasion", "Impact", "Lateral Movement"], "datamodels": ["Risk", "Endpoint"], "kill_chain_phases": ["Reconnaissance", "Delivery", "Exploitation", "Actions on Objectives", "Installation", "Command and Control"]}, "detection_names": ["ESCU - Allow Inbound Traffic By Firewall Rule Registry - Rule", "ESCU - Allow Operation with Consent Admin - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - CHCP Command Execution - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Create local admin accounts using net exe - Rule", "ESCU - Detect Use of cmd exe to Launch Script Interpreters - Rule", "ESCU - Disable Defender BlockAtFirstSeen Feature - Rule", "ESCU - Disable Defender Enhanced Notification - Rule", "ESCU - Disable Defender Spynet Reporting - Rule", "ESCU - Disable Defender Submit Samples Consent Feature - Rule", "ESCU - Disable Show Hidden Files - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Disabling Remote User Account Control - Rule", "ESCU - Excessive Attempt To Disable Services - Rule", "ESCU - Excessive Usage Of Cacls App - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Excessive Usage Of SC Service Utility - Rule", "ESCU - Excessive Usage Of Taskkill - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Firewall Allowed Program Enable - Rule", "ESCU - Hide User Account From Sign-In Screen - Rule", "ESCU - Hiding Files And Directories With Attrib exe - Rule", "ESCU - Icacls Deny Command - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Net - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Office Product Spawning MSHTA - Rule", "ESCU - Processes launching netsh - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Windows Application Layer Protocol RMS Radmin Tool Namedpipe - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows Defender Exclusion Registry Entry - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows Gather Victim Network Info Through Ip Check Web Services - Rule", "ESCU - Windows Impair Defense Add Xml Applocker Rules - Rule", "ESCU - Windows Impair Defense Deny Security Software With Applocker - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Modify Registry Disable Toast Notifications - Rule", "ESCU - Windows Modify Registry Disable Win Defender Raw Write Notif - Rule", "ESCU - Windows Modify Registry Disable Windows Security Center Notif - Rule", "ESCU - Windows Modify Registry Disabling WER Settings - Rule", "ESCU - Windows Modify Registry DisAllow Windows App - Rule", "ESCU - Windows Modify Registry Regedit Silent Reg Import - Rule", "ESCU - Windows Modify Registry Suppress Win Defender Notif - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule", "ESCU - Windows Powershell Import Applocker Policy - Rule", "ESCU - Windows Remote Access Software RMS Registry - Rule", "ESCU - Windows Remote Service Rdpwinst Tool Execution - Rule", "ESCU - Windows Remote Services Allow Rdp In Firewall - Rule", "ESCU - Windows Remote Services Allow Remote Assistance - Rule", "ESCU - Windows Remote Services Rdp Enable - Rule", "ESCU - Windows Service Stop By Deletion - Rule", "ESCU - Windows Valid Account With Never Expires Password - Rule", "ESCU - Wmic NonInteractive App Uninstallation - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Allow Inbound Traffic By Firewall Rule Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "Allow Operation with Consent Admin", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Attempt To Stop Security Service", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "CHCP Command Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Create local admin accounts using net exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}, {"name": "Detect Use of cmd exe to Launch Script Interpreters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}]}, {"name": "Disable Defender BlockAtFirstSeen Feature", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Defender Enhanced Notification", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Defender Spynet Reporting", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Defender Submit Samples Consent Feature", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Show Hidden Files", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Hidden Files and Directories"}, {"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Hide Artifacts"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disabling Remote User Account Control", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Excessive Attempt To Disable Services", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Service Stop"}]}, {"name": "Excessive Usage Of Cacls App", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Account Access Removal"}]}, {"name": "Excessive Usage Of SC Service Utility", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Excessive Usage Of Taskkill", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Firewall Allowed Program Enable", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Hide User Account From Sign-In Screen", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Hiding Files And Directories With Attrib exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "Windows File and Directory Permissions Modification"}]}, {"name": "Icacls Deny Command", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}, {"name": "Network Connection Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawning MSHTA", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Processes launching netsh", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Windows Application Layer Protocol RMS Radmin Tool Namedpipe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Application Layer Protocol"}]}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "System Network Connections Discovery"}, {"mitre_attack_technique": "System Owner/User Discovery"}, {"mitre_attack_technique": "System Shutdown/Reboot"}, {"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows Defender Exclusion Registry Entry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Gather Victim Network Info Through Ip Check Web Services", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "IP Addresses"}, {"mitre_attack_technique": "Gather Victim Network Information"}]}, {"name": "Windows Impair Defense Add Xml Applocker Rules", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Deny Security Software With Applocker", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Malicious Link"}, {"mitre_attack_technique": "User Execution"}]}, {"name": "Windows Modify Registry Disable Toast Notifications", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry Disable Win Defender Raw Write Notif", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry Disable Windows Security Center Notif", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry Disabling WER Settings", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry DisAllow Windows App", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry Regedit Silent Reg Import", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry Suppress Win Defender Notif", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}, {"name": "Windows Powershell Import Applocker Policy", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Remote Access Software RMS Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}, {"name": "Windows Remote Service Rdpwinst Tool Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "Windows Remote Services Allow Rdp In Firewall", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "Windows Remote Services Allow Remote Assistance", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "Windows Remote Services Rdp Enable", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "Windows Service Stop By Deletion", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Service Stop"}]}, {"name": "Windows Valid Account With Never Expires Password", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Service Stop"}]}, {"name": "Wmic NonInteractive App Uninstallation", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}]}, {"name": "Azure Active Directory Account Takeover", "author": "Mauricio Velazco, Splunk", "date": "2022-07-14", "version": 2, "id": "41514c46-7118-4eab-a9bb-f3bfa4e3bea9", "description": "Monitor for activities and techniques associated with Account Takeover attacks against Azure Active Directory tenants.", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis", "https://azure.microsoft.com/en-us/services/active-directory/#overview", "https://attack.mitre.org/techniques/T1586/", "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-compare-azure-ad-to-ad", "https://www.imperva.com/learn/application-security/account-takeover-ato/", "https://www.varonis.com/blog/azure-active-directory", "https://www.barracuda.com/glossary/account-takeover"], "narrative": "Azure Active Directory (Azure AD) is Microsofts enterprise cloud-based identity and access management (IAM) service. Azure AD is the backbone of most of Azure services like Office 365. It can sync with on-premise Active Directory environments and provide authentication to other cloud-based systems via the OAuth protocol. According to Microsoft, Azure AD manages more than 1.2 billion identities and processes over 8 billion authentications per day. Account Takeover (ATO) is an attack whereby cybercriminals gain unauthorized access to online accounts by using different techniques like brute force, social engineering, phishing & spear phishing, credential stuffing, etc. By posing as the real user, cyber-criminals can change account details, send out phishing emails, steal financial information or sensitive data, or use any stolen information to access further accounts within the organization. This analytic storic groups detections that can help security operations teams identify the potential compromise of Azure Active Directory accounts.", "tags": {"category": ["Adversary Tactics", "Account Compromise", "Cloud Security", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1556.006", "mitre_attack_technique": "Multi-Factor Authentication", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["Scattered Spider"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1185", "mitre_attack_technique": "Browser Session Hijacking", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1528", "mitre_attack_technique": "Steal Application Access Token", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29"]}, {"mitre_attack_id": "T1566.002", "mitre_attack_technique": "Spearphishing Link", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1110.001", "mitre_attack_technique": "Password Guessing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29"]}], "mitre_attack_tactics": ["Initial Access", "Collection", "Resource Development", "Credential Access", "Privilege Escalation", "Persistence", "Defense Evasion"], "datamodels": ["Authentication", "Risk"], "kill_chain_phases": ["Delivery", "Installation", "Weaponization", "Exploitation"]}, "detection_names": ["ESCU - Azure Active Directory High Risk Sign-in - Rule", "ESCU - Azure AD Authentication Failed During MFA Challenge - Rule", "ESCU - Azure AD Block User Consent For Risky Apps Disabled - Rule", "ESCU - Azure AD Concurrent Sessions From Different Ips - Rule", "ESCU - Azure AD Device Code Authentication - Rule", "ESCU - Azure AD High Number Of Failed Authentications For User - Rule", "ESCU - Azure AD High Number Of Failed Authentications From Ip - Rule", "ESCU - Azure AD Multi-Factor Authentication Disabled - Rule", "ESCU - Azure AD Multi-Source Failed Authentications Spike - Rule", "ESCU - Azure AD Multiple AppIDs and UserAgents Authentication Spike - Rule", "ESCU - Azure AD Multiple Denied MFA Requests For User - Rule", "ESCU - Azure AD Multiple Failed MFA Requests For User - Rule", "ESCU - Azure AD Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - Azure AD New MFA Method Registered For User - Rule", "ESCU - Azure AD OAuth Application Consent Granted By User - Rule", "ESCU - Azure AD Service Principal Authentication - Rule", "ESCU - Azure AD Successful Authentication From Different Ips - Rule", "ESCU - Azure AD Successful PowerShell Authentication - Rule", "ESCU - Azure AD Successful Single-Factor Authentication - Rule", "ESCU - Azure AD Unusual Number of Failed Authentications From Ip - Rule", "ESCU - Azure AD User Consent Blocked for Risky Application - Rule", "ESCU - Azure AD User Consent Denied for OAuth Application - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Azure Active Directory High Risk Sign-in", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}]}, {"name": "Azure AD Authentication Failed During MFA Challenge", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}, {"name": "Azure AD Block User Consent For Risky Apps Disabled", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Azure AD Concurrent Sessions From Different Ips", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Browser Session Hijacking"}]}, {"name": "Azure AD Device Code Authentication", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal Application Access Token"}, {"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Link"}]}, {"name": "Azure AD High Number Of Failed Authentications For User", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Guessing"}]}, {"name": "Azure AD High Number Of Failed Authentications From Ip", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Guessing"}, {"mitre_attack_technique": "Password Spraying"}]}, {"name": "Azure AD Multi-Factor Authentication Disabled", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Modify Authentication Process"}, {"mitre_attack_technique": "Multi-Factor Authentication"}]}, {"name": "Azure AD Multi-Source Failed Authentications Spike", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}, {"name": "Azure AD Multiple AppIDs and UserAgents Authentication Spike", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "Azure AD Multiple Denied MFA Requests For User", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}, {"name": "Azure AD Multiple Failed MFA Requests For User", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}]}, {"name": "Azure AD Multiple Users Failing To Authenticate From Ip", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}, {"name": "Azure AD New MFA Method Registered For User", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Authentication Process"}, {"mitre_attack_technique": "Multi-Factor Authentication"}]}, {"name": "Azure AD OAuth Application Consent Granted By User", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal Application Access Token"}]}, {"name": "Azure AD Service Principal Authentication", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Cloud Accounts"}]}, {"name": "Azure AD Successful Authentication From Different Ips", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Guessing"}, {"mitre_attack_technique": "Password Spraying"}]}, {"name": "Azure AD Successful PowerShell Authentication", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}]}, {"name": "Azure AD Successful Single-Factor Authentication", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}]}, {"name": "Azure AD Unusual Number of Failed Authentications From Ip", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}, {"name": "Azure AD User Consent Blocked for Risky Application", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal Application Access Token"}]}, {"name": "Azure AD User Consent Denied for OAuth Application", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal Application Access Token"}]}]}, {"name": "Azure Active Directory Persistence", "author": "Mauricio Velazco, Splunk", "date": "2022-08-17", "version": 1, "id": "dca983db-6334-4a0d-be32-80611ca1396c", "description": "Monitor for activities and techniques associated with the execution of Persistence techniques against Azure Active Directory tenants.", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis", "https://azure.microsoft.com/en-us/services/active-directory/#overview", "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-compare-azure-ad-to-ad", "https://attack.mitre.org/tactics/TA0003/", "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/Persistence/"], "narrative": "Azure Active Directory (Azure AD) is Microsofts enterprise cloud-based identity and access management (IAM) service. Azure AD is the backbone of most of Azure services like Office 365. It can sync with on-premise Active Directory environments and provide authentication to other cloud-based systems via the OAuth protocol. According to Microsoft, Azure AD manages more than 1.2 billion identities and processes over 8 billion authentications per day. Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. This analytic storic groups detections that can help security operations teams identify the potential execution of Persistence techniques targeting Azure Active Directory tenants. ", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098.002", "mitre_attack_technique": "Additional Email Delegate Permissions", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "Magic Hound"]}, {"mitre_attack_id": "T1484.002", "mitre_attack_technique": "Trust Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Scattered Spider"]}, {"mitre_attack_id": "T1484", "mitre_attack_technique": "Domain or Tenant Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1098.003", "mitre_attack_technique": "Additional Cloud Roles", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1098.005", "mitre_attack_technique": "Device Registration", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1098.001", "mitre_attack_technique": "Additional Cloud Credentials", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider", "Scattered Spider"]}], "mitre_attack_tactics": ["Initial Access", "Credential Access", "Privilege Escalation", "Persistence", "Defense Evasion"], "datamodels": ["Authentication"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation"]}, "detection_names": ["ESCU - Azure AD External Guest User Invited - Rule", "ESCU - Azure AD FullAccessAsApp Permission Assigned - Rule", "ESCU - Azure AD Global Administrator Role Assigned - Rule", "ESCU - Azure AD Multiple Service Principals Created by SP - Rule", "ESCU - Azure AD Multiple Service Principals Created by User - Rule", "ESCU - Azure AD New Custom Domain Added - Rule", "ESCU - Azure AD New Federated Domain Added - Rule", "ESCU - Azure AD New MFA Method Registered - Rule", "ESCU - Azure AD PIM Role Assigned - Rule", "ESCU - Azure AD PIM Role Assignment Activated - Rule", "ESCU - Azure AD Privileged Graph API Permission Assigned - Rule", "ESCU - Azure AD Privileged Role Assigned - Rule", "ESCU - Azure AD Service Principal Created - Rule", "ESCU - Azure AD Service Principal New Client Credentials - Rule", "ESCU - Azure AD Service Principal Owner Added - Rule", "ESCU - Azure AD Tenant Wide Admin Consent Granted - Rule", "ESCU - Azure AD User Enabled And Password Reset - Rule", "ESCU - Azure AD User ImmutableId Attribute Updated - Rule", "ESCU - Azure Automation Account Created - Rule", "ESCU - Azure Automation Runbook Created - Rule", "ESCU - Azure Runbook Webhook Created - Rule", "ESCU - Windows Multiple Account Passwords Changed - Rule", "ESCU - Windows Multiple Accounts Deleted - Rule", "ESCU - Windows Multiple Accounts Disabled - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Azure AD External Guest User Invited", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Cloud Account"}]}, {"name": "Azure AD FullAccessAsApp Permission Assigned", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Additional Email Delegate Permissions"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "Azure AD Global Administrator Role Assigned", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "Azure AD Multiple Service Principals Created by SP", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Account"}]}, {"name": "Azure AD Multiple Service Principals Created by User", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Account"}]}, {"name": "Azure AD New Custom Domain Added", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain or Tenant Policy Modification"}, {"mitre_attack_technique": "Trust Modification"}]}, {"name": "Azure AD New Federated Domain Added", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain or Tenant Policy Modification"}, {"mitre_attack_technique": "Trust Modification"}]}, {"name": "Azure AD New MFA Method Registered", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Device Registration"}]}, {"name": "Azure AD PIM Role Assigned", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "Azure AD PIM Role Assignment Activated", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "Azure AD Privileged Graph API Permission Assigned", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Security Account Manager"}]}, {"name": "Azure AD Privileged Role Assigned", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "Azure AD Service Principal Created", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Cloud Account"}]}, {"name": "Azure AD Service Principal New Client Credentials", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Credentials"}]}, {"name": "Azure AD Service Principal Owner Added", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}]}, {"name": "Azure AD Tenant Wide Admin Consent Granted", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "Azure AD User Enabled And Password Reset", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}]}, {"name": "Azure AD User ImmutableId Attribute Updated", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}]}, {"name": "Azure Automation Account Created", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Create Account"}, {"mitre_attack_technique": "Cloud Account"}]}, {"name": "Azure Automation Runbook Created", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Create Account"}, {"mitre_attack_technique": "Cloud Account"}]}, {"name": "Azure Runbook Webhook Created", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}]}, {"name": "Windows Multiple Account Passwords Changed", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Valid Accounts"}]}, {"name": "Windows Multiple Accounts Deleted", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Valid Accounts"}]}, {"name": "Windows Multiple Accounts Disabled", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Valid Accounts"}]}]}, {"name": "Azure Active Directory Privilege Escalation", "author": "Mauricio Velazco, Splunk", "date": "2023-04-24", "version": 1, "id": "ec78e872-b79c-417d-b256-8fde902522fb", "description": "Monitor for activities and techniques associated with Privilege Escalation attacks within Azure Active Directory tenants.", "references": ["https://attack.mitre.org/tactics/TA0003/", "https://cloudbrothers.info/en/azure-attack-paths/", "https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/PrivEsc/", "https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5"], "narrative": "Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations or vulnerabilities.\nAzure Active Directory (Azure AD) is Microsofts enterprise cloud-based identity and access management (IAM) service. Azure AD is the backbone of most of Azure services like Office 365 and Microsoft Teams. It can sync with on-premise Active Directory environments and provide authentication to other cloud-based systems via the OAuth protocol. According to Microsoft, Azure AD manages more than 1.2 billion identities and processes over 8 billion authentications per day.\nPrivilege escalation attacks in Azure AD typically involve abusing misconfigurations to gain elevated privileges, such as Global Administrator access. Once an attacker has escalated their privileges and taken full control of a tenant, they may abuse every service that leverages Azure AD including moving laterally to Azure virtual machines to access sensitive data and carry out further attacks. Security teams should monitor for privilege escalation attacks in Azure Active Directory to identify breaches before attackers achieve operational success.\nThe following analytic story groups detection opportunities that seek to identify an adversary attempting to escalate privileges in Azure AD tenants.", "tags": {"category": ["Adversary Tactics", "Account Compromise", "Cloud Security", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098.003", "mitre_attack_technique": "Additional Cloud Roles", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1098.001", "mitre_attack_technique": "Additional Cloud Credentials", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}], "mitre_attack_tactics": ["Persistence", "Credential Access", "Privilege Escalation"], "datamodels": ["Authentication"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - Azure AD Admin Consent Bypassed by Service Principal - Rule", "ESCU - Azure AD Application Administrator Role Assigned - Rule", "ESCU - Azure AD Global Administrator Role Assigned - Rule", "ESCU - Azure AD PIM Role Assigned - Rule", "ESCU - Azure AD PIM Role Assignment Activated - Rule", "ESCU - Azure AD Privileged Authentication Administrator Role Assigned - Rule", "ESCU - Azure AD Privileged Role Assigned to Service Principal - Rule", "ESCU - Azure AD Service Principal New Client Credentials - Rule", "ESCU - Azure AD Service Principal Owner Added - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Azure AD Admin Consent Bypassed by Service Principal", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "Azure AD Application Administrator Role Assigned", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "Azure AD Global Administrator Role Assigned", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "Azure AD PIM Role Assigned", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "Azure AD PIM Role Assignment Activated", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "Azure AD Privileged Authentication Administrator Role Assigned", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Security Account Manager"}]}, {"name": "Azure AD Privileged Role Assigned to Service Principal", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "Azure AD Service Principal New Client Credentials", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Credentials"}]}, {"name": "Azure AD Service Principal Owner Added", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}]}]}, {"name": "Baron Samedit CVE-2021-3156", "author": "Shannon Davis, Splunk", "date": "2021-01-27", "version": 1, "id": "817b0dfc-23ba-4bcc-96cc-2cb77e428fbe", "description": "Uncover activity consistent with CVE-2021-3156. Discovered by the Qualys Research Team, this vulnerability has been found to affect sudo across multiple Linux distributions (Ubuntu 20.04 and prior, Debian 10 and prior, Fedora 33 and prior). As this vulnerability was committed to code in July 2011, there will be many distributions affected. Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host.", "references": ["https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit"], "narrative": "A non-privledged user is able to execute the sudoedit command to trigger a buffer overflow. After the successful buffer overflow, they are then able to gain root privileges on the affected host. The conditions needed to be run are a trailing \"\\\" along with shell and edit flags. Monitoring the /var/log directory on Linux hosts using the Splunk Universal Forwarder will allow you to pick up this behavior when using the provided detection.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Privilege Escalation"], "datamodels": [], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Detect Baron Samedit CVE-2021-3156 - Rule", "ESCU - Detect Baron Samedit CVE-2021-3156 Segfault - Rule", "ESCU - Detect Baron Samedit CVE-2021-3156 via OSQuery - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Shannon Davis", "detections": [{"name": "Detect Baron Samedit CVE-2021-3156", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}, {"name": "Detect Baron Samedit CVE-2021-3156 Segfault", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}, {"name": "Detect Baron Samedit CVE-2021-3156 via OSQuery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}]}, {"name": "BishopFox Sliver Adversary Emulation Framework", "author": "Michael Haag, Splunk", "date": "2023-01-24", "version": 1, "id": "8c2e2cba-3fd8-424f-a890-5080bdaf3f31", "description": "The following analytic story providers visibility into the latest adversary TTPs in regard to the use of Sliver. Sliver has gained more traction with adversaries as it is often seen as an alternative to Cobalt Strike. It is designed to be scalable and can be used by organizations of all sizes to perform security testing. Sliver is highly modular and contains an Extension package manager (armory) allowing easy install (automatic compilation) of various 3rd party tools such as BOFs and .NET tooling like Ghostpack (Rubeus, Seatbelt, SharpUp, Certify, and so forth) (CyberReason,2023).", "references": ["https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors", "https://www.ncsc.gov.uk/files/Advisory%20Further%20TTPs%20associated%20with%20SVR%20cyber%20actors.pdf", "https://www.proofpoint.com/uk/blog/security-briefs/ta551-uses-sliver-red-team-tool-new-activity", "https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control", "https://github.com/sliverarmory/armory", "https://github.com/BishopFox/sliver"], "narrative": "Sliver is an open source cross-platform adversary emulation/red team framework produced by BishopFox.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1055.002", "mitre_attack_technique": "Portable Executable Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Gorgon Group", "Rocke"]}], "mitre_attack_tactics": ["Privilege Escalation", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Notepad with no Command Line Arguments - Rule", "ESCU - Windows Process Injection into Notepad - Rule", "ESCU - Windows Service Create SliverC2 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Notepad with no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Windows Process Injection into Notepad", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Portable Executable Injection"}]}, {"name": "Windows Service Create SliverC2", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}]}, {"name": "BITS Jobs", "author": "Michael Haag, Splunk", "date": "2021-03-26", "version": 1, "id": "dbc7edce-8e4c-11eb-9f31-acde48001122", "description": "Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.", "references": ["https://attack.mitre.org/techniques/T1197/", "https://docs.microsoft.com/en-us/windows/win32/bits/bitsadmin-tool"], "narrative": "Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM). BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations. The interface to create and manage BITS jobs is accessible through PowerShell and the BITSAdmin tool. Adversaries may abuse BITS to download, execute, and even clean up after running malicious code. BITS tasks are self-contained in the BITS job database, without new files or registry modifications, and often permitted by host firewalls. BITS enabled execution may also enable persistence by creating long-standing jobs (the default maximum lifetime is 90 days and extendable) or invoking an arbitrary program when a job completes or errors (including after system reboots).", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1197", "mitre_attack_technique": "BITS Jobs", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": ["APT39", "APT41", "Leviathan", "Patchwork", "Wizard Spider"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}], "mitre_attack_tactics": ["Persistence", "Command And Control", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation", "Command and Control"]}, "detection_names": ["ESCU - BITS Job Persistence - Rule", "ESCU - BITSAdmin Download File - Rule", "ESCU - PowerShell Start-BitsTransfer - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "BITS Job Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "BITS Jobs"}]}, {"name": "BITSAdmin Download File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "BITS Jobs"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "PowerShell Start-BitsTransfer", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "BITS Jobs"}]}]}, {"name": "BlackByte Ransomware", "author": "Teoderick Contreras, Splunk", "date": "2023-07-10", "version": 1, "id": "b18259ac-0746-45d7-bd1f-81d65274a80b", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the BlackByte ransomware, including looking for file writes associated with BlackByte, persistence, initial access, account registry modification and more.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/"], "narrative": "BlackByte ransomware campaigns targeting business operations, involve the use of ransomware payloads, infection chain to collect and exfiltrate data and drop payload on the targeted system. BlackByte Ransomware operates by infiltrating a system through various methods, such as malicious email attachments, exploit kits, or compromised websites. Once inside a system, it begins encrypting files using strong encryption algorithms, rendering them unusable. After completing the encryption process, BlackByte Ransomware typically leaves a ransom note that explains the situation to the victim and provides instructions on how to pay the ransom to obtain the decryption key.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.007", "mitre_attack_technique": "Disable or Modify Cloud Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "APT5", "Akira", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN13", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "APT5", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1561.002", "mitre_attack_technique": "Disk Structure Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1497.003", "mitre_attack_technique": "Time Based Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1127.001", "mitre_attack_technique": "MSBuild", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1561", "mitre_attack_technique": "Disk Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1563.002", "mitre_attack_technique": "RDP Hijacking", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Axiom"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1014", "mitre_attack_technique": "Rootkit", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT41", "Rocke", "TeamTNT", "Winnti Group"]}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1497", "mitre_attack_technique": "Virtualization/Sandbox Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": ["Darkhotel"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT", "ToddyCat"]}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "Akira", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "Scattered Spider", "TA505"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Collection", "Initial Access", "Discovery", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Impact", "Lateral Movement"], "datamodels": ["Network_Traffic", "Risk", "Endpoint"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Allow File And Printing Sharing In Firewall - Rule", "ESCU - Allow Network Discovery In Firewall - Rule", "ESCU - Anomalous usage of 7zip - Rule", "ESCU - CMD Echo Pipe - Escalation - Rule", "ESCU - Cobalt Strike Named Pipes - Rule", "ESCU - Detect Exchange Web Shell - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Regsvr32 Application Control Bypass - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Disabling Firewall with Netsh - Rule", "ESCU - DLLHost with no Command Line Arguments with Network - Rule", "ESCU - Excessive File Deletion In WinDefender Folder - Rule", "ESCU - Excessive Service Stop Attempt - Rule", "ESCU - Exchange PowerShell Abuse via SSRF - Rule", "ESCU - Exchange PowerShell Module Usage - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Firewall Allowed Program Enable - Rule", "ESCU - GPUpdate with no Command Line Arguments with Network - Rule", "ESCU - High Process Termination Frequency - Rule", "ESCU - MS Exchange Mailbox Replication service writing Active Server Pages - Rule", "ESCU - Ping Sleep Batch Command - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Resize ShadowStorage volume - Rule", "ESCU - Rundll32 with no Command Line Arguments with Network - Rule", "ESCU - SearchProtocolHost with no Command Line with Network - Rule", "ESCU - Services Escalate Exe - Rule", "ESCU - Suspicious DLLHost no Command Line Arguments - Rule", "ESCU - Suspicious Driver Loaded Path - Rule", "ESCU - Suspicious GPUpdate no Command Line Arguments - Rule", "ESCU - Suspicious microsoft workflow compiler rename - Rule", "ESCU - Suspicious msbuild path - Rule", "ESCU - Suspicious MSBuild Rename - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", "ESCU - Suspicious Rundll32 StartW - Rule", "ESCU - Suspicious SearchProtocolHost no Command Line Arguments - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows Driver Load Non-Standard Path - Rule", "ESCU - Windows Drivers Loaded by Signature - Rule", "ESCU - Windows Modify Registry EnableLinkedConnections - Rule", "ESCU - Windows Modify Registry LongPathsEnabled - Rule", "ESCU - Windows MSExchange Management Mailbox Cmdlet Usage - Rule", "ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - Windows RDP Connection Successful - Rule", "ESCU - Windows Vulnerable Driver Loaded - Rule", "ESCU - ProxyShell ProxyNotShell Behavior Detected - Rule", "ESCU - Windows Exchange Autodiscover SSRF Abuse - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Allow File And Printing Sharing In Firewall", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Cloud Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Allow Network Discovery In Firewall", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Cloud Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Anomalous usage of 7zip", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}, {"name": "CMD Echo Pipe - Escalation", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Cobalt Strike Named Pipes", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Detect Exchange Web Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}, {"name": "Detect Regsvr32 Application Control Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}, {"name": "Disabling Firewall with Netsh", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "DLLHost with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Excessive File Deletion In WinDefender Folder", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Excessive Service Stop Attempt", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Service Stop"}]}, {"name": "Exchange PowerShell Abuse via SSRF", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Exchange PowerShell Module Usage", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Firewall Allowed Program Enable", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "GPUpdate with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "High Process Termination Frequency", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}, {"name": "MS Exchange Mailbox Replication service writing Active Server Pages", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Ping Sleep Batch Command", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Virtualization/Sandbox Evasion"}, {"mitre_attack_technique": "Time Based Evasion"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Resize ShadowStorage volume", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Rundll32 with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "SearchProtocolHost with no Command Line with Network", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Services Escalate Exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Suspicious DLLHost no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Suspicious Driver Loaded Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Suspicious GPUpdate no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Suspicious microsoft workflow compiler rename", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}]}, {"name": "Suspicious msbuild path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}, {"name": "Suspicious MSBuild Rename", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Suspicious Rundll32 no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Suspicious Rundll32 StartW", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Suspicious SearchProtocolHost no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}, {"name": "Windows Driver Load Non-Standard Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Rootkit"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}, {"name": "Windows Drivers Loaded by Signature", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Rootkit"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}, {"name": "Windows Modify Registry EnableLinkedConnections", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry LongPathsEnabled", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows MSExchange Management Mailbox Cmdlet Usage", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}, {"name": "Windows RDP Connection Successful", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "RDP Hijacking"}]}, {"name": "Windows Vulnerable Driver Loaded", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Service"}]}, {"name": "ProxyShell ProxyNotShell Behavior Detected", "source": "web", "type": "Correlation", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Windows Exchange Autodiscover SSRF Abuse", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}]}, {"name": "BlackLotus Campaign", "author": "Michael Haag, Splunk", "date": "2023-04-14", "version": 1, "id": "8eb0e418-a2b6-4327-a387-85c976662c8f", "description": "The first in-the-wild UEFI bootkit bypassing UEFI Secure Boot on fully updated UEFI systems is now a reality", "references": ["https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/", "https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/"], "narrative": "The number of UEFI vulnerabilities discovered in recent years and the failures in patching them or revoking vulnerable binaries within a reasonable time window hasn't gone unnoticed by threat actors. As a result, the first publicly known UEFI bootkit bypassing the essential platform security feature UEFI Secure Boot is now a reality. present the first public analysis of this UEFI bootkit, which is capable of running on even fully-up-to-date Windows 11 systems with UEFI Secure Boot enabled. Functionality of the bootkit and its individual features leads us to believe that we are dealing with a bootkit known as BlackLotus, the UEFI bootkit being sold on hacking forums for $5,000 since at least October 2022. (ESET, 2023) The following content aims to aid defenders in detecting suspicious bootloaders and understanding the diverse techniques employed in this campaign.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1542.001", "mitre_attack_technique": "System Firmware", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1542", "mitre_attack_technique": "Pre-OS Boot", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Persistence", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - Windows BootLoader Inventory - Rule", "ESCU - Windows Impair Defenses Disable HVCI - Rule", "ESCU - Windows WinLogon with Public Network Connection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows BootLoader Inventory", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Firmware"}, {"mitre_attack_technique": "Pre-OS Boot"}]}, {"name": "Windows Impair Defenses Disable HVCI", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows WinLogon with Public Network Connection", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Bootkit"}]}]}, {"name": "BlackMatter Ransomware", "author": "Teoderick Contreras, Splunk", "date": "2021-09-06", "version": 1, "id": "0da348a3-78a0-412e-ab27-2de9dd7f9fee", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the BlackMatter ransomware, including looking for file writes associated with BlackMatter, force safe mode boot, autadminlogon account registry modification and more.", "references": ["https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/", "https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-gang-rises-from-the-ashes-of-darkside-revil/", "https://blog.malwarebytes.com/ransomware/2021/07/blackmatter-a-new-ransomware-group-claims-link-to-darkside-revil/"], "narrative": "BlackMatter ransomware campaigns targeting healthcare and other vertical sectors, involve the use of ransomware payloads along with exfiltration of data per HHS bulletin. Malicious actors demand payment for ransome of data and threaten deletion and exposure of exfiltrated data.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1552.002", "mitre_attack_technique": "Credentials in Registry", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT32"]}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "Akira", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "Scattered Spider", "TA505"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1491", "mitre_attack_technique": "Defacement", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Impact", "Credential Access"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Add DefaultUser And Password In Registry - Rule", "ESCU - Auto Admin Logon Registry Entry - Rule", "ESCU - Bcdedit Command Back To Normal Mode Boot - Rule", "ESCU - Change To Safe Mode With Network Config - Rule", "ESCU - Known Services Killed by Ransomware - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - Ransomware Notes bulk creation - Rule", "ESCU - SchCache Change By App Connect And Create ADSI Object - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Add DefaultUser And Password In Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials in Registry"}, {"mitre_attack_technique": "Unsecured Credentials"}]}, {"name": "Auto Admin Logon Registry Entry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Credentials in Registry"}, {"mitre_attack_technique": "Unsecured Credentials"}]}, {"name": "Bcdedit Command Back To Normal Mode Boot", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Change To Safe Mode With Network Config", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Known Services Killed by Ransomware", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Defacement"}]}, {"name": "Ransomware Notes bulk creation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}, {"name": "SchCache Change By App Connect And Create ADSI Object", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}]}, {"name": "Brand Monitoring", "author": "David Dorsey, Splunk", "date": "2017-12-19", "version": 1, "id": "91c676cf-0b23-438d-abee-f6335e1fce78", "description": "Detect and investigate activity that may indicate that an adversary is using faux domains to mislead users into interacting with malicious infrastructure. Monitor DNS, email, and web traffic for permutations of your brand name.", "references": ["https://www.zerofox.com/blog/what-is-digital-risk-monitoring/", "https://securingtomorrow.mcafee.com/consumer/family-safety/what-is-typosquatting/", "https://blog.malwarebytes.com/cybercrime/2016/06/explained-typosquatting/"], "narrative": "While you can educate your users and customers about the risks and threats posed by typosquatting, phishing, and corporate espionage, human error is a persistent fact of life. Of course, your adversaries are all too aware of this reality and will happily leverage it for nefarious purposes whenever possible3phishing with lookalike addresses, embedding faux command-and-control domains in malware, and hosting malicious content on domains that closely mimic your corporate servers. This is where brand monitoring comes in.\nYou can use our adaptation of `DNSTwist`, together with the support searches in this Analytic Story, to generate permutations of specified brands and external domains. Splunk can monitor email, DNS requests, and web traffic for these permutations and provide you with early warnings and situational awareness--powerful elements of an effective defense.\nNotable events will include IP addresses, URLs, and user data. Drilling down can provide you with even more actionable intelligence, including likely geographic information, contextual searches to help you scope the problem, and investigative searches.", "tags": {"category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Email", "Network_Resolution"], "kill_chain_phases": []}, "detection_names": ["ESCU - Monitor Email For Brand Abuse - Rule", "ESCU - Monitor DNS For Brand Abuse - Rule", "ESCU - Monitor Web Traffic For Brand Abuse - Rule"], "investigation_names": ["Get Email Info", "Get Emails From Specific Sender", "Get Notable History", "Get Process Responsible For The DNS Traffic"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Monitor Email For Brand Abuse", "source": "application", "type": "TTP", "tags": []}, {"name": "Monitor DNS For Brand Abuse", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Monitor Web Traffic For Brand Abuse", "source": "web", "type": "TTP", "tags": []}]}, {"name": "Brute Ratel C4", "author": "Teoderick Contreras, Splunk", "date": "2022-08-23", "version": 1, "id": "0ec9dbfe-f64e-46bb-8eb8-04e92326f513", "description": "Leverage searches that allow you to detect and investigate unusual activities that may be related to Brute Ratel Red Teaming tool. This includes creation, modification and deletion of services, collection or data, ping IP, DNS cache, process injection, debug privileges adjustment, winlogon process duplicate token, lock workstation, get clipboard or screenshot and much more.", "references": ["https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/", "https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/"], "narrative": "Brute RATEL BRC4 is the latest red-teaming tool that simulate several TTP's. It uses several techniques like syscall, patching ETW/AMSI and written in native C to minimize noise in process command-line. This tool was seen in the wild being abused by some ransomware (blackcat) and adversaries in their campaigns to install the BRC4 agent that can serve as remote admin tool to compromise the target host or network.", "tags": {"category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1219", "mitre_attack_technique": "Remote Access Software", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Akira", "Carbanak", "Cobalt Group", "DarkVishnya", "Evilnum", "FIN7", "GOLD SOUTHFIELD", "Kimsuky", "MuddyWater", "Mustang Panda", "RTM", "Sandworm Team", "Scattered Spider", "TeamTNT", "Thrip"]}, {"mitre_attack_id": "T1056", "mitre_attack_technique": "Input Capture", "mitre_attack_tactics": ["Collection", "Credential Access"], "mitre_attack_groups": ["APT39"]}, {"mitre_attack_id": "T1589", "mitre_attack_technique": "Gather Victim Identity Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["APT32", "FIN13", "HEXANE", "LAPSUS$", "Magic Hound"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1055.002", "mitre_attack_technique": "Portable Executable Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Gorgon Group", "Rocke"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1134.001", "mitre_attack_technique": "Token Impersonation/Theft", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "FIN8"]}, {"mitre_attack_id": "T1589.001", "mitre_attack_technique": "Credentials", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["APT28", "APT41", "Chimera", "LAPSUS$", "Leviathan", "Magic Hound"]}, {"mitre_attack_id": "T1134.002", "mitre_attack_technique": "Create Process with Token", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Lazarus Group", "Turla"]}, {"mitre_attack_id": "T1491", "mitre_attack_technique": "Defacement", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1574.011", "mitre_attack_technique": "Services Registry Permissions Weakness", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1056.002", "mitre_attack_technique": "GUI Input Capture", "mitre_attack_tactics": ["Collection", "Credential Access"], "mitre_attack_groups": ["FIN4"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1574.001", "mitre_attack_technique": "DLL Search Order Hijacking", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT41", "Aquatic Panda", "BackdoorDiplomacy", "Cinnamon Tempest", "Evilnum", "RTM", "Threat Group-3390", "Tonto Team", "Whitefly", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1204.001", "mitre_attack_technique": "Malicious Link", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}], "mitre_attack_tactics": ["Reconnaissance", "Command And Control", "Collection", "Initial Access", "Credential Access", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Impact"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Reconnaissance", "Delivery", "Exploitation", "Actions on Objectives", "Installation", "Command and Control"]}, "detection_names": ["ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Access Token Manipulation SeDebugPrivilege - Rule", "ESCU - Windows Access Token Manipulation Winlogon Duplicate Token Handle - Rule", "ESCU - Windows Access Token Winlogon Duplicate Handle In Uncommon Path - Rule", "ESCU - Windows Defacement Modify Transcodedwallpaper File - Rule", "ESCU - Windows Gather Victim Identity SAM Info - Rule", "ESCU - Windows Hijack Execution Flow Version Dll Side Load - Rule", "ESCU - Windows Input Capture Using Credential UI Dll - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule", "ESCU - Windows Process Injection With Public Source Path - Rule", "ESCU - Windows Remote Access Software BRC4 Loaded Dll - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule", "ESCU - Windows Service Deletion In Registry - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Defacement"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Windows Access Token Manipulation SeDebugPrivilege", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Create Process with Token"}, {"mitre_attack_technique": "Access Token Manipulation"}]}, {"name": "Windows Access Token Manipulation Winlogon Duplicate Token Handle", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Token Impersonation/Theft"}, {"mitre_attack_technique": "Access Token Manipulation"}]}, {"name": "Windows Access Token Winlogon Duplicate Handle In Uncommon Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Token Impersonation/Theft"}, {"mitre_attack_technique": "Access Token Manipulation"}]}, {"name": "Windows Defacement Modify Transcodedwallpaper File", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Defacement"}]}, {"name": "Windows Gather Victim Identity SAM Info", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Credentials"}, {"mitre_attack_technique": "Gather Victim Identity Information"}]}, {"name": "Windows Hijack Execution Flow Version Dll Side Load", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "DLL Search Order Hijacking"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "Windows Input Capture Using Credential UI Dll", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "GUI Input Capture"}, {"mitre_attack_technique": "Input Capture"}]}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Malicious Link"}, {"mitre_attack_technique": "User Execution"}]}, {"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}, {"name": "Windows Process Injection With Public Source Path", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Portable Executable Injection"}]}, {"name": "Windows Remote Access Software BRC4 Loaded Dll", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Access Software"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Services Registry Permissions Weakness"}]}, {"name": "Windows Service Deletion In Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Service Stop"}]}]}, {"name": "Caddy Wiper", "author": "Teoderick Contreras, Rod Soto, Splunk", "date": "2022-03-25", "version": 1, "id": "435a156a-8ef1-4184-bd52-22328fb65d3a", "description": "Caddy Wiper is a destructive payload that detects if its running on a Domain Controller and executes killswitch if detected. If not in a DC it destroys Users and subsequent mapped drives. This wiper also destroys drive partitions inculding boot partitions.", "references": ["https://twitter.com/ESETresearch/status/1503436420886712321", "https://www.welivesecurity.com/2022/03/15/caddywiper-new-wiper-malware-discovered-ukraine/"], "narrative": "Caddy Wiper is destructive malware operation found by ESET multiple organizations in Ukraine. This malicious payload destroys user files, avoids executing on Dnomain Controllers and destroys boot and drive partitions.", "tags": {"category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1561.002", "mitre_attack_technique": "Disk Structure Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1561", "mitre_attack_technique": "Disk Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Impact"], "datamodels": [], "kill_chain_phases": ["Actions on Objectives"]}, "detection_names": ["ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Rod Soto, Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}]}, {"name": "Chaos Ransomware", "author": "Teoderick Contreras, Splunk", "date": "2023-01-11", "version": 1, "id": "153d7b8f-27f2-4e4d-bae8-dfafd93a22a8", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Chaos ransomware, including looking for file writes (file encryption and ransomware notes), deleting shadow volume storage, registry key modification, dropping of files in startup folder, and more.", "references": ["https://blog.qualys.com/vulnerabilities-threat-research/2022/01/17/the-chaos-ransomware-can-be-ravaging", "https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-in-fake-minecraft-alt-list-brings-destruction", "https://marcoramilli.com/2021/06/14/the-allegedly-ryuk-ransomware-builder-ryukjoke/", "https://www.trendmicro.com/en_us/research/21/h/chaos-ransomware-a-dangerous-proof-of-concept.html"], "narrative": "CHAOS ransomware has been seen and monitored since 2021. This ransomware is purportedly a .NET version of Ryuk ransomware but upon closer look to its code and behavior, this malware sample reveals that it doesn't share much relation to the notorious RYUK ransomware. This ransomware is one of the known ransomware that was used in the ongoing geo-political war. This ransomware is capable to check that only one copy of itself is running on the targeted host, delay of execution as part of its defense evasion technique, persistence through registry and startup folder, drop a copy of itself in each root drive of the targeted host and also in %appdata% folder and many more. As of writing this ransomware is still active and keeps on infecting Windows Operating machines and Windows networks.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "Akira", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "Scattered Spider", "TA505"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1091", "mitre_attack_technique": "Replication Through Removable Media", "mitre_attack_tactics": ["Initial Access", "Lateral Movement"], "mitre_attack_groups": ["APT28", "Aoqin Dragon", "Darkhotel", "FIN7", "LuminousMoth", "Mustang Panda", "Tropic Trooper"]}], "mitre_attack_tactics": ["Initial Access", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Impact", "Lateral Movement"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Prevent Automatic Repair Mode using Bcdedit - Rule", "ESCU - Ransomware Notes bulk creation - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - WBAdmin Delete System Backups - Rule", "ESCU - Windows Boot or Logon Autostart Execution In Startup Folder - Rule", "ESCU - Windows Replication Through Removable Media - Rule", "ESCU - Windows User Execution Malicious URL Shortcut File - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Prevent Automatic Repair Mode using Bcdedit", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Ransomware Notes bulk creation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "WBAdmin Delete System Backups", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Windows Boot or Logon Autostart Execution In Startup Folder", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Windows Replication Through Removable Media", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Replication Through Removable Media"}]}, {"name": "Windows User Execution Malicious URL Shortcut File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Malicious File"}, {"mitre_attack_technique": "User Execution"}]}]}, {"name": "CISA AA22-257A", "author": "Michael Haag, Splunk", "date": "2022-09-15", "version": 1, "id": "e1aec96e-bc7d-4edf-8ff7-3da9b7b29147", "description": "The Iranian government-sponsored APT actors are actively targeting a broad range of victims across multiple U.S. critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian organizations.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa21-321a", "https://www.cisa.gov/uscert/ncas/alerts/aa22-257a", "https://www.ic3.gov/Media/News/2021/210527.pdf", "https://www.us-cert.gov/sites/default/files/AA22-257A.stix.xml", "https://www.us-cert.cisa.gov/iran"], "narrative": "This advisory updates joint CSA Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities, which provides information on these Iranian government-sponsored APT actors exploiting known Fortinet and Microsoft Exchange vulnerabilities to gain initial access to a broad range of targeted entities in furtherance of malicious activities, including ransom operations. The authoring agencies now judge these actors are an APT group affiliated with the IRGC. Since the initial reporting of this activity in the FBI Liaison Alert System (FLASH) report APT Actors Exploiting Fortinet Vulnerabilities to Gain Access for Malicious Activity from May 2021, the authoring agencies have continued to observe these IRGC-affiliated actors exploiting known vulnerabilities for initial access. In addition to exploiting Fortinet and Microsoft Exchange vulnerabilities, the authoring agencies have observed these APT actors exploiting VMware Horizon Log4j vulnerabilities for initial access. The IRGC-affiliated actors have used this access for follow-on activity, including disk encryption and data extortion, to support ransom operations. The IRGC-affiliated actors are actively targeting a broad range of entities, including entities across multiple U.S. critical infrastructure sectors as well as Australian, Canadian, and United Kingdom organizations. These actors often operate under the auspices of Najee Technology Hooshmand Fater LLC, based in Karaj, Iran, and Afkar System Yazd Company, based in Yazd, Iran. The authoring agencies assess the actors are exploiting known vulnerabilities on unprotected networks rather than targeting specific targeted entities or sectors. This advisory provides observed tactics, techniques, and indicators of compromise (IOCs) that the authoring agencies assess are likely associated with this IRGC-affiliated APT. The authoring agencies urge organizations, especially critical infrastructure organizations, to apply the recommendations listed in the Mitigations section of this advisory to mitigate risk of compromise from these IRGC-affiliated cyber actors.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1572", "mitre_attack_technique": "Protocol Tunneling", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Chimera", "Cinnamon Tempest", "Cobalt Group", "FIN13", "FIN6", "Fox Kitten", "Leviathan", "Magic Hound", "OilRig"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider", "Scattered Spider"]}, {"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "APT5", "Dragonfly", "FIN13", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT", "Wizard Spider"]}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "APT5", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021.004", "mitre_attack_technique": "SSH", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT39", "APT5", "BlackTech", "FIN13", "FIN7", "Fox Kitten", "GCMAN", "Lazarus Group", "Leviathan", "OilRig", "Rocke", "TeamTNT", "menuPass"]}], "mitre_attack_tactics": ["Command And Control", "Initial Access", "Credential Access", "Privilege Escalation", "Persistence", "Execution", "Lateral Movement"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation", "Command and Control"]}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Dump LSASS via procdump Rename - Rule", "ESCU - Create local admin accounts using net exe - Rule", "ESCU - Creation of lsass Dump with Taskmgr - Rule", "ESCU - Detect Exchange Web Shell - Rule", "ESCU - Detect New Local Admin account - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Dump LSASS via procdump - Rule", "ESCU - Extraction of Registry Hives - Rule", "ESCU - Randomly Generated Scheduled Task Name - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Short Lived Scheduled Task - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows Hidden Schedule Task Settings - Rule", "ESCU - Windows Possible Credential Dumping - Rule", "ESCU - Windows Protocol Tunneling with Plink - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule", "ESCU - Log4Shell JNDI Payload Injection Attempt - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Dump LSASS via procdump Rename", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "LSASS Memory"}]}, {"name": "Create local admin accounts using net exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}, {"name": "Creation of lsass Dump with Taskmgr", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Detect Exchange Web Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Detect New Local Admin account", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Dump LSASS via procdump", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Extraction of Registry Hives", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Randomly Generated Scheduled Task Name", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Schtasks Run Task On Demand", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Short Lived Scheduled Task", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}]}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}, {"name": "Windows Hidden Schedule Task Settings", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Windows Possible Credential Dumping", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Windows Protocol Tunneling with Plink", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Protocol Tunneling"}, {"mitre_attack_technique": "SSH"}]}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Scheduled Task"}]}, {"name": "Log4Shell JNDI Payload Injection Attempt", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}]}, {"name": "CISA AA22-264A", "author": "Michael Haag, Splunk", "date": "2022-09-22", "version": 1, "id": "bc7056a5-c3b0-4b83-93ce-5f31739305c8", "description": "Iranian State Actors Conduct Cyber Operations Against the Government of Albania.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa22-264a", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-264a-iranian-cyber-actors-conduct-cyber-operations-against-the-government-of-albania.pdf", "https://www.mandiant.com/resources/blog/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against", "https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/"], "narrative": "The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory to provide information on recent cyber operations against the Government of Albania in July and September. This advisory provides a timeline of activity observed, from initial access to execution of encryption and wiper attacks. Additional information concerning files used by the actors during their exploitation of and cyber attack against the victim organization is provided in Appendices A and B. In September 2022, Iranian cyber actors launched another wave of cyber attacks against the Government of Albania, using similar TTPs and malware as the cyber attacks in July. These were likely done in retaliation for public attribution of the cyber attacks in July and severed diplomatic ties between Albania and Iran.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1561.002", "mitre_attack_technique": "Disk Structure Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1561", "mitre_attack_technique": "Disk Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1036.005", "mitre_attack_technique": "Match Legitimate Name or Location", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT32", "APT39", "APT41", "APT5", "Aoqin Dragon", "BRONZE BUTLER", "BackdoorDiplomacy", "Blue Mockingbird", "Carbanak", "Chimera", "Darkhotel", "Earth Lusca", "FIN13", "FIN7", "Ferocious Kitten", "Fox Kitten", "Gamaredon Group", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Naikon", "PROMETHIUM", "Patchwork", "Poseidon Group", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "Sowbug", "TA2541", "TeamTNT", "ToddyCat", "Transparent Tribe", "Tropic Trooper", "Volt Typhoon", "WIRTE", "Whitefly", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1595", "mitre_attack_technique": "Active Scanning", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "APT5", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}, {"mitre_attack_id": "T1070.001", "mitre_attack_technique": "Clear Windows Event Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "APT38", "APT41", "Chimera", "Dragonfly", "FIN5", "FIN8", "Indrik Spider"]}], "mitre_attack_tactics": ["Reconnaissance", "Credential Access", "Persistence", "Execution", "Defense Evasion", "Impact"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Reconnaissance", "Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Attacker Tools On Endpoint - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Excessive Usage Of Taskkill - Rule", "ESCU - Exchange PowerShell Module Usage - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows Event Log Cleared - Rule", "ESCU - Windows Possible Credential Dumping - Rule", "ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - Windows System File on Disk - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Attacker Tools On Endpoint", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Match Legitimate Name or Location"}, {"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "Active Scanning"}]}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Excessive Usage Of Taskkill", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Exchange PowerShell Module Usage", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Event Log Cleared", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear Windows Event Logs"}]}, {"name": "Windows Possible Credential Dumping", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}, {"name": "Windows System File on Disk", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}]}, {"name": "CISA AA22-277A", "author": "Michael Haag, Splunk", "date": "2022-10-05", "version": 1, "id": "db408f93-e915-4215-9962-5fada348bdd7", "description": "From November 2021 through January 2022, the Cybersecurity and Infrastructure Security Agency (CISA) responded to advanced persistent threat (APT) activity on a Defense Industrial Base (DIB) Sector organization's enterprise network. During incident response activities, multiple utilities were utilized.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa22-277a", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-277a-impacket-and-exfiltration-tool-used-to-steal-sensitive-information-from-defense-industrial-base-organization.pdf"], "narrative": "CISA uncovered that likely multiple APT groups compromised the organization's network, and some APT actors had long-term access to the environment. APT actors used an open-source toolkit called Impacket to gain their foothold within the environment and further compromise the network, and also used a custom data exfiltration tool, CovalentStealer, to steal the victim's sensitive data.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.007", "mitre_attack_technique": "JavaScript", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "Cobalt Group", "Earth Lusca", "Ember Bear", "Evilnum", "FIN6", "FIN7", "Higaisa", "Indrik Spider", "Kimsuky", "LazyScripter", "Leafminer", "Molerats", "MoustachedBouncer", "MuddyWater", "Sidewinder", "Silence", "TA505", "Turla"]}, {"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "APT5", "Akira", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN13", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "APT5", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1070.005", "mitre_attack_technique": "Network Share Connection Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Threat Group-3390"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}], "mitre_attack_tactics": ["Command And Control", "Collection", "Discovery", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Lateral Movement"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation", "Command and Control"]}, "detection_names": ["ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Create or delete windows shares using net exe - Rule", "ESCU - Detect Renamed WinRAR - Rule", "ESCU - Excessive Usage Of Taskkill - Rule", "ESCU - Exchange PowerShell Module Usage - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Network Discovery Using Route Windows App - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}, {"name": "Create or delete windows shares using net exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Network Share Connection Removal"}]}, {"name": "Detect Renamed WinRAR", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}, {"name": "Excessive Usage Of Taskkill", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Exchange PowerShell Module Usage", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "Network Discovery Using Route Windows App", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Internet Connection Discovery"}]}]}, {"name": "CISA AA22-320A", "author": "Michael Haag, Splunk", "date": "2022-11-16", "version": 1, "id": "c1fca73d-3a8d-49a6-b9c0-1d5d155f7dd4", "description": "CISA and the FBI have identified an APT activity where the adversary gained initial access via Log4Shell via a unpatched VMware Horizon server. From there the adversary moved laterally and continued to its objective.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa22-320a", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf"], "narrative": "From mid-June through mid-July 2022, CISA conducted an incident response engagement at a Federal Civilian Executive Branch (FCEB) organization where CISA observed suspected advanced persistent threat (APT) activity. In the course of incident response activities, CISA determined that cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto mining software, moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence. CISA and the Federal Bureau of Investigation (FBI) assess that the FCEB network was compromised by Iranian government-sponsored APT actors.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "Cinnamon Tempest", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "MoustachedBouncer", "POLONIUM", "Sandworm Team", "Turla", "Volt Typhoon", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1572", "mitre_attack_technique": "Protocol Tunneling", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Chimera", "Cinnamon Tempest", "Cobalt Group", "FIN13", "FIN6", "Fox Kitten", "Leviathan", "Magic Hound", "OilRig"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1014", "mitre_attack_technique": "Rootkit", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT41", "Rocke", "TeamTNT", "Winnti Group"]}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1102", "mitre_attack_technique": "Web Service", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT32", "EXOTIC LILY", "Ember Bear", "FIN6", "FIN8", "Fox Kitten", "Gamaredon Group", "Inception", "LazyScripter", "Mustang Panda", "Rocke", "TeamTNT", "Turla"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1550.003", "mitre_attack_technique": "Pass the Ticket", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["APT29", "APT32", "BRONZE BUTLER"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Akira", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Scattered Spider", "Silence", "Threat Group-3390", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}], "mitre_attack_tactics": ["Command And Control", "Initial Access", "Discovery", "Credential Access", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Lateral Movement"], "datamodels": ["Web", "Risk", "Endpoint", "Network_Resolution"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation", "Command and Control"]}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Suspicious Powershell Command-Line Arguments - Rule", "ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Enable WDigest UseLogonCredential Registry - Rule", "ESCU - GetAdComputer with PowerShell Script Block - Rule", "ESCU - Log4Shell CVE-2021-44228 Exploitation - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Mimikatz PassTheTicket CommandLine Parameters - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Suspicious Driver Loaded Path - Rule", "ESCU - Windows Driver Load Non-Standard Path - Rule", "ESCU - Windows Drivers Loaded by Signature - Rule", "ESCU - Windows Mimikatz Binary Execution - Rule", "ESCU - Windows Ngrok Reverse Proxy Usage - Rule", "ESCU - Windows Service Create Kernel Mode Driver - Rule", "ESCU - XMRIG Driver Loaded - Rule", "ESCU - Ngrok Reverse Proxy on Network - Rule", "ESCU - Hunting for Log4Shell - Rule", "ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", "ESCU - Log4Shell JNDI Payload Injection with Outbound Connection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Suspicious Powershell Command-Line Arguments", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "PowerShell"}]}, {"name": "Add or Set Windows Defender Exclusion", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Enable WDigest UseLogonCredential Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "GetAdComputer with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "Log4Shell CVE-2021-44228 Exploitation", "source": "endpoint", "type": "Correlation", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}, {"name": "Mimikatz PassTheTicket CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Use Alternate Authentication Material"}, {"mitre_attack_technique": "Pass the Ticket"}]}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Suspicious Driver Loaded Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Windows Driver Load Non-Standard Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Rootkit"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}, {"name": "Windows Drivers Loaded by Signature", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Rootkit"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}, {"name": "Windows Mimikatz Binary Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Windows Ngrok Reverse Proxy Usage", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Protocol Tunneling"}, {"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Web Service"}]}, {"name": "Windows Service Create Kernel Mode Driver", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}, {"name": "XMRIG Driver Loaded", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Ngrok Reverse Proxy on Network", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Protocol Tunneling"}, {"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Web Service"}]}, {"name": "Hunting for Log4Shell", "source": "web", "type": "Hunting", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Log4Shell JNDI Payload Injection Attempt", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Log4Shell JNDI Payload Injection with Outbound Connection", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}]}, {"name": "CISA AA23-347A", "author": "Teoderick Contreras, Rod Soto, Splunk", "date": "2023-12-14", "version": 1, "id": "bb4367ed-a816-4eb8-8da4-7c7086d06c40", "description": "Leverage searches that allow you to detect and investigate unusual activities that might be related to the SVR cyber activity tactics and techniques. While SVR followed a similar playbook in each compromise, they also adjusted to each operating environment and not all presented steps or actions below were executed on every host.", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a"], "narrative": "SVR cyber operations pose a persistent threat to public and private organizations' networks globally. Since 2013, cybersecurity companies and governments have reported on SVR operations targeting victim networks to steal confidential and proprietary information. A decade later, the authoring agencies can infer a long-term targeting pattern aimed at collecting, and enabling the collection of, foreign intelligence, a broad concept that for Russia encompasses information on the politics, economics, and military of foreign states; science and technology; and foreign counterintelligence. The SVR also conducts cyber operations targeting technology companies that enable future cyber operations. The SVR's recent operation has targeted networks hosting TeamCity servers, further underscoring its persistent focus on technology companies. By leveraging CVE-2023-42793, a vulnerability within a software development program, the SVR seeks to gain access to victims, potentially compromising numerous software developers' networks. JetBrains responded to this threat by issuing a patch in mid-September 2023, limting the SVR's ability to exploit Internet-accessible TeamCity servers lacking the necessary updates. Despite this mitigation, the SVR has yet to utilize its acquired access to software developers' networks for breaching customer systems. It appears that the SVR is still in the preparatory stages of its operation.", "tags": {"category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Cinnamon Tempest", "Earth Lusca", "FIN13", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1057", "mitre_attack_technique": "Process Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT37", "APT38", "APT5", "Andariel", "Chimera", "Darkhotel", "Deep Panda", "Earth Lusca", "Gamaredon Group", "HAFNIUM", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Rocke", "Sidewinder", "Stealth Falcon", "TeamTNT", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Windshift", "Winnti Group"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}, {"mitre_attack_id": "T1003.004", "mitre_attack_technique": "LSA Secrets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT33", "Dragonfly", "Ke3chang", "Leafminer", "MuddyWater", "OilRig", "Threat Group-3390", "menuPass"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1562.006", "mitre_attack_technique": "Indicator Blocking", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT41", "APT5"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "APT5", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1505.004", "mitre_attack_technique": "IIS Components", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1562.002", "mitre_attack_technique": "Disable Windows Event Logging", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound", "Threat Group-3390"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1059.007", "mitre_attack_technique": "JavaScript", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "Cobalt Group", "Earth Lusca", "Ember Bear", "Evilnum", "FIN6", "FIN7", "Higaisa", "Indrik Spider", "Kimsuky", "LazyScripter", "Leafminer", "Molerats", "MoustachedBouncer", "MuddyWater", "Sidewinder", "Silence", "TA505", "Turla"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "APT41", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "Volt Typhoon", "ZIRCONIUM"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "APT41", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Malteiro", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1134.002", "mitre_attack_technique": "Create Process with Token", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Lazarus Group", "Turla"]}, {"mitre_attack_id": "T1574.011", "mitre_attack_technique": "Services Registry Permissions Weakness", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT41", "BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Scattered Spider", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1201", "mitre_attack_technique": "Password Policy Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "OilRig", "Turla"]}, {"mitre_attack_id": "T1550.003", "mitre_attack_technique": "Pass the Ticket", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["APT29", "APT32", "BRONZE BUTLER"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "Malteiro", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT41", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Akira", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Scattered Spider", "Silence", "Threat Group-3390", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070.001", "mitre_attack_technique": "Clear Windows Event Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "APT38", "APT41", "Chimera", "Dragonfly", "FIN5", "FIN8", "Indrik Spider"]}, {"mitre_attack_id": "T1558.004", "mitre_attack_technique": "AS-REP Roasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Initial Access", "Collection", "Discovery", "Credential Access", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Impact", "Lateral Movement"], "datamodels": ["Risk", "Endpoint"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Access LSASS Memory for Dump Creation - Rule", "ESCU - AdsiSearcher Account Discovery - Rule", "ESCU - Attempted Credential Dump From Registry via Reg exe - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Detect Credential Dumping through LSASS access - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - Disable AMSI Through Registry - Rule", "ESCU - Disable Defender BlockAtFirstSeen Feature - Rule", "ESCU - Disable Defender Enhanced Notification - Rule", "ESCU - Disable Defender Spynet Reporting - Rule", "ESCU - Disable Defender Submit Samples Consent Feature - Rule", "ESCU - Disable ETW Through Registry - Rule", "ESCU - Disable Logs Using WevtUtil - Rule", "ESCU - Disable Security Logs Using MiniNt Registry - Rule", "ESCU - Disable UAC Remote Restriction - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Disable Windows SmartScreen Protection - Rule", "ESCU - Disabled Kerberos Pre-Authentication Discovery With Get-ADUser - Rule", "ESCU - Disabling FolderOptions Windows Feature - Rule", "ESCU - Domain Controller Discovery with Nltest - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Extraction of Registry Hives - Rule", "ESCU - Get ADUser with PowerShell - Rule", "ESCU - Get ADUser with PowerShell Script Block - Rule", "ESCU - Get ADUserResultantPasswordPolicy with Powershell - Rule", "ESCU - Get ADUserResultantPasswordPolicy with Powershell Script Block - Rule", "ESCU - Get DomainUser with PowerShell - Rule", "ESCU - Get DomainUser with PowerShell Script Block - Rule", "ESCU - Mimikatz PassTheTicket CommandLine Parameters - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - PowerShell Domain Enumeration - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Remote Process Instantiation via WMI - Rule", "ESCU - Remote WMI Command Attempt - Rule", "ESCU - Rubeus Command Line Parameters - Rule", "ESCU - Rubeus Kerberos Ticket Exports Through Winlogon Access - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Services Escalate Exe - Rule", "ESCU - Services LOLBAS Execution Process Spawn - Rule", "ESCU - Short Lived Scheduled Task - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Suspicious wevtutil Usage - Rule", "ESCU - System User Discovery With Whoami - Rule", "ESCU - Unload Sysmon Filter Driver - Rule", "ESCU - Windows Access Token Manipulation SeDebugPrivilege - Rule", "ESCU - Windows Account Discovery for None Disable User Account - Rule", "ESCU - Windows Account Discovery for Sam Account Name - Rule", "ESCU - Windows Account Discovery With NetUser PreauthNotRequire - Rule", "ESCU - Windows Archive Collected Data via Powershell - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows Credentials from Password Stores Chrome Extension Access - Rule", "ESCU - Windows Disable Notification Center - Rule", "ESCU - Windows Disable Windows Event Logging Disable HTTP Logging - Rule", "ESCU - Windows Disable Windows Group Policy Features Through Registry - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows DISM Remove Defender - Rule", "ESCU - Windows Domain Account Discovery Via Get-NetComputer - Rule", "ESCU - Windows Excessive Disabled Services Event - Rule", "ESCU - Windows Hunting System Account Targeting Lsass - Rule", "ESCU - Windows Impair Defenses Disable Win Defender Auto Logging - Rule", "ESCU - Windows Known GraphicalProton Loaded Modules - Rule", "ESCU - Windows LSA Secrets NoLMhash Registry - Rule", "ESCU - Windows Mimikatz Binary Execution - Rule", "ESCU - Windows Mimikatz Crypto Export File Extensions - Rule", "ESCU - Windows Modify Registry Disable Restricted Admin - Rule", "ESCU - Windows Modify Registry Disable Win Defender Raw Write Notif - Rule", "ESCU - Windows Modify Registry Disable WinDefender Notifications - Rule", "ESCU - Windows Modify Registry Disable Windows Security Center Notif - Rule", "ESCU - Windows Modify Registry DisableSecuritySettings - Rule", "ESCU - Windows Modify Registry Disabling WER Settings - Rule", "ESCU - Windows Modify Registry No Auto Update - Rule", "ESCU - Windows Modify Registry Suppress Win Defender Notif - Rule", "ESCU - Windows Non-System Account Targeting Lsass - Rule", "ESCU - Windows Possible Credential Dumping - Rule", "ESCU - Windows PowerView Constrained Delegation Discovery - Rule", "ESCU - Windows PowerView SPN Discovery - Rule", "ESCU - Windows PowerView Unconstrained Delegation Discovery - Rule", "ESCU - Windows Process Commandline Discovery - Rule", "ESCU - Windows Query Registry Reg Save - Rule", "ESCU - Windows Remote Create Service - Rule", "ESCU - Windows Scheduled Task Created Via XML - Rule", "ESCU - Windows Scheduled Task with Highest Privileges - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows Service Creation on Remote Endpoint - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule", "ESCU - Windows Service Initiation on Remote Endpoint - Rule", "ESCU - Windows Service Stop Win Updates - Rule", "ESCU - Windows System User Privilege Discovery - Rule", "ESCU - Windows WMI Process Call Create - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinRM Spawning a Process - Rule", "ESCU - JetBrains TeamCity RCE Attempt - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Rod Soto, Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Access LSASS Memory for Dump Creation", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "AdsiSearcher Account Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Attempted Credential Dump From Registry via Reg exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}, {"name": "Detect Credential Dumping through LSASS access", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Disable AMSI Through Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Defender BlockAtFirstSeen Feature", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Defender Enhanced Notification", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Defender Spynet Reporting", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Defender Submit Samples Consent Feature", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable ETW Through Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Logs Using WevtUtil", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear Windows Event Logs"}]}, {"name": "Disable Security Logs Using MiniNt Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Disable UAC Remote Restriction", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Windows SmartScreen Protection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disabled Kerberos Pre-Authentication Discovery With Get-ADUser", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "AS-REP Roasting"}]}, {"name": "Disabling FolderOptions Windows Feature", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Domain Controller Discovery with Nltest", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "ETW Registry Disabled", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Blocking"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Extraction of Registry Hives", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Get ADUser with PowerShell", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Get ADUser with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Get ADUserResultantPasswordPolicy with Powershell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Policy Discovery"}]}, {"name": "Get ADUserResultantPasswordPolicy with Powershell Script Block", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Policy Discovery"}]}, {"name": "Get DomainUser with PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Get DomainUser with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Mimikatz PassTheTicket CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Use Alternate Authentication Material"}, {"mitre_attack_technique": "Pass the Ticket"}]}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "PowerShell 4104 Hunting", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "PowerShell Domain Enumeration", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Remote Process Instantiation via WMI", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "Remote WMI Command Attempt", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "Rubeus Command Line Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Use Alternate Authentication Material"}, {"mitre_attack_technique": "Pass the Ticket"}, {"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}, {"mitre_attack_technique": "AS-REP Roasting"}]}, {"name": "Rubeus Kerberos Ticket Exports Through Winlogon Access", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Use Alternate Authentication Material"}, {"mitre_attack_technique": "Pass the Ticket"}]}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Services Escalate Exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Services LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Short Lived Scheduled Task", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Suspicious wevtutil Usage", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Clear Windows Event Logs"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "System User Discovery With Whoami", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Owner/User Discovery"}]}, {"name": "Unload Sysmon Filter Driver", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Access Token Manipulation SeDebugPrivilege", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Create Process with Token"}, {"mitre_attack_technique": "Access Token Manipulation"}]}, {"name": "Windows Account Discovery for None Disable User Account", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}]}, {"name": "Windows Account Discovery for Sam Account Name", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Account Discovery"}]}, {"name": "Windows Account Discovery With NetUser PreauthNotRequire", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Account Discovery"}]}, {"name": "Windows Archive Collected Data via Powershell", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Archive Collected Data"}]}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "System Network Connections Discovery"}, {"mitre_attack_technique": "System Owner/User Discovery"}, {"mitre_attack_technique": "System Shutdown/Reboot"}, {"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows Credentials from Password Stores Chrome Extension Access", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Disable Notification Center", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Disable Windows Event Logging Disable HTTP Logging", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable Windows Event Logging"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}, {"name": "Windows Disable Windows Group Policy Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows DISM Remove Defender", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Domain Account Discovery Via Get-NetComputer", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Account"}]}, {"name": "Windows Excessive Disabled Services Event", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Hunting System Account Targeting Lsass", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Windows Impair Defenses Disable Win Defender Auto Logging", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Known GraphicalProton Loaded Modules", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "Windows LSA Secrets NoLMhash Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSA Secrets"}]}, {"name": "Windows Mimikatz Binary Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Windows Mimikatz Crypto Export File Extensions", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}, {"name": "Windows Modify Registry Disable Restricted Admin", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry Disable Win Defender Raw Write Notif", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry Disable WinDefender Notifications", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry Disable Windows Security Center Notif", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry DisableSecuritySettings", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry Disabling WER Settings", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry No Auto Update", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry Suppress Win Defender Notif", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Non-System Account Targeting Lsass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Windows Possible Credential Dumping", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Windows PowerView Constrained Delegation Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "Windows PowerView SPN Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}]}, {"name": "Windows PowerView Unconstrained Delegation Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "Windows Process Commandline Discovery", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Process Discovery"}]}, {"name": "Windows Query Registry Reg Save", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Remote Create Service", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Windows Scheduled Task Created Via XML", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Windows Scheduled Task with Highest Privileges", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}, {"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Windows Service Creation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Services Registry Permissions Weakness"}]}, {"name": "Windows Service Initiation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Windows Service Stop Win Updates", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Service Stop"}]}, {"name": "Windows System User Privilege Discovery", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Owner/User Discovery"}]}, {"name": "Windows WMI Process Call Create", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "WinRM Spawning a Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}, {"name": "JetBrains TeamCity RCE Attempt", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}]}, {"name": "Cisco IOS XE Software Web Management User Interface vulnerability", "author": "Michael Haag, Splunk", "date": "2023-10-17", "version": 1, "id": "b5394b6a-b774-4bb6-a2bc-98f98cf7be88", "description": "Cisco has identified active exploitation of a previously unknown vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software (CVE-2023-20198) when exposed to the internet or untrusted networks. Successful exploitation of this vulnerability allows an attacker to create an account on the affected device with privilege level 15 access, effectively granting them full control of the compromised device and allowing possible subsequent unauthorized activity.", "references": ["https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/"], "narrative": "Cisco discovered early evidence of potentially malicious activity on September 28, 2023, when a case was opened with Cisco's Technical Assistance Center (TAC) that identified unusual behavior on a customer device. Upon further investigation, they observed what they have determined to be related activity as early as September 18. The activity included an authorized user creating a local user account under the username cisco_tac_admin from a suspicious IP address. On October 12, Cisco Talos Incident Response (Talos IR) and TAC detected what they later determined to be an additional cluster of related activity that began on that same day. In this cluster, an unauthorized user was observed creating a local user account under the name cisco_support from a second suspicious IP address. Unlike the September case, this October activity included several subsequent actions, including the deployment of an implant consisting of a configuration file (cisco_service.conf). The configuration file defines the new web server endpoint (URI path) used to interact with the implant. That endpoint receives certain parameters, described in more detail below, that allows the actor to execute arbitrary commands at the system level or IOS level. For the implant to become active, the web server must be restarted; in at least one observed case the server was not restarted so the implant never became active despite being installed.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Cisco IOS XE Implant Access - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Cisco IOS XE Implant Access", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}]}, {"name": "Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966", "author": "Michael Haag, Splunk", "date": "2023-10-24", "version": 1, "id": "b194d644-4095-431a-bee0-a8e6ec067414", "description": "A critical security update, CVE-2023-4966, has been released for NetScaler ADC and NetScaler Gateway. This vulnerability, discovered by our internal team, can result in unauthorized data disclosure if exploited. Reports of incidents consistent with session hijacking have been received. The Cybersecurity and Infrastructure Security Agency (CISA) has added an entry for CVE-2023-4966 to its Known Exploited and Vulnerabilities Catalog. No workarounds are available for this vulnerability, and immediate installation of the recommended builds is strongly advised.", "references": ["https://www.netscaler.com/blog/news/cve-2023-4966-critical-security-update-now-available-for-netscaler-adc-and-netscaler-gateway/", "https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967", "https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966", "https://github.com/assetnote/exploits/tree/main/citrix/CVE-2023-4966", "https://github.com/projectdiscovery/nuclei-templates/blob/b815d23b908de52996060163091395d1c89fbeea/http/cves/2023/CVE-2023-4966.yaml"], "narrative": "On October 10, 2023, Cloud Software Group released builds to fix CVE-2023-4966, a vulnerability affecting NetScaler ADC and NetScaler Gateway. This vulnerability, if exploited, can lead to unauthorized data disclosure and possibly session hijacking. Although there were no known exploits at the time of disclosure, we have since received credible reports of targeted attacks exploiting this vulnerability. The Cybersecurity and Infrastructure Security Agency (CISA) has added an entry for CVE-2023-4966 to its Known Exploited and Vulnerabilities Catalog, which contains detection and mitigation guidance for observed exploitations of CVE-2023-4966 by threat actors against NetScaler ADC and NetScaler Gateway. We strongly recommend that users of affected builds immediately install the recommended builds, as this vulnerability has been identified as critical. No workarounds are available for this vulnerability.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Citrix ADC and Gateway Unauthorized Data Disclosure - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Citrix ADC and Gateway Unauthorized Data Disclosure", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}]}, {"name": "Citrix Netscaler ADC CVE-2023-3519", "author": "Michael Haag, Splunk", "date": "2023-07-20", "version": 1, "id": "094df1fe-4345-4c01-8a0f-c65cf7b758bd", "description": "The CVE-2023-3519 vulnerability in NetScaler (formerly Citrix) Application Delivery Controller (ADC) and NetScaler Gateway has been exploited by threat actors, as detailed in a recent advisory. The unauthenticated remote code execution vulnerability was utilized as a zero-day to establish a webshell on a non-production environment NetScaler ADC appliance within a critical infrastructure organization. This facilitated the execution of discovery on the victim's active directory and the collection and exfiltration of data. The advisory offers a comprehensive examination of the threat actors' tactics, techniques, and procedures (TTPs), alongside recommended detection methods and incident response guidelines. Immediate patch application from Citrix and the use of the detection guidance in the advisory is strongly recommended for critical infrastructure organizations to mitigate system compromises.", "references": ["https://attackerkb.com/topics/si09VNJhHh/cve-2023-3519", "https://www.cisa.gov/sites/default/files/2023-07/aa23-201a_csa_threat_actors_exploiting_citrix-cve-2023-3519_to_implant_webshells.pdf", "https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467"], "narrative": "Recent advisories have highlighted the exploitation of CVE-2023-3519, a critical vulnerability in Citrix's NetScaler Application Delivery Controller (ADC) and NetScaler Gateway. In June 2023, threat actors utilized this vulnerability to implant a webshell on a NetScaler ADC appliance within a critical infrastructure organization's non-production environment. This action granted them the ability to perform active directory discovery, data collection, and exfiltration. Notably, attempts for lateral movement to a domain controller were obstructed by network-segmentation controls.\nThe compromised organization reported the breach, leading Citrix to issue a patch on July 18, 2023. Multiple advisories have since outlined the threat actors' tactics, techniques, and procedures (TTPs), including their initial access, persistence, privilege escalation, defense evasion, credential access, discovery, collection, command and control, and impact. These advisories also provide detection methods and recommend incident response measures.\nThe threat actors executed several activities during their attack, such as uploading a TGZ file with a generic webshell, discovery script, and setuid binary on the ADC appliance; conducting SMB scanning on the subnet; using the webshell for active directory enumeration and data exfiltration; and accessing NetScaler configuration files and decryption keys. They also decrypted an active directory credential, queried the active directory for various information, encrypted collected data, exfiltrated it as an image file, and attempted to erase their artifacts. Despite these actions, further discovery and lateral movement were impeded due to the organization's network-segmentation controls. \\\nAdvisories suggest conducting specific checks on the ADC shell interface to detect signs of compromise. If a compromise is detected, organizations should isolate potentially affected hosts, reimage compromised hosts, provide new account credentials, collect and review artifacts, and report the compromise. To mitigate the threat, organizations are advised to promptly install the relevant updates for NetScaler ADC and NetScaler Gateway, adhere to cybersecurity best practices, and apply robust network-segmentation controls on NetScaler appliances and other internet-facing devices.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Citrix ADC Exploitation CVE-2023-3519 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Citrix ADC Exploitation CVE-2023-3519", "source": "web", "type": "Hunting", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}]}, {"name": "Citrix ShareFile RCE CVE-2023-24489", "author": "Michael Haag, Splunk", "date": "2023-07-26", "version": 1, "id": "10c7e01a-5743-4995-99df-a66f6b5db653", "description": "A critical vulnerability has been discovered in ShareFile's Storage Zones Controller software (CVE-2023-24489), used by numerous organizations for file sharing and storage. The vulnerability allows unauthenticated arbitrary file upload and remote code execution due to a cryptographic bug in the software's encryption but lack of authentication system. The risk comes from a failing encryption check, allowing potential cybercriminals to upload malicious files to the server. The bug was found in the Documentum Connector's .aspx files. The security risk has a potentially large impact due to the software's wide use and the sensitivity of the stored data. Citrix has released a security update to address this issue.", "references": ["https://www.greynoise.io/blog/introducing-cve-2023-24489-a-critical-citrix-sharefile-rce-vulnerability", "https://blog.assetnote.io/2023/07/04/citrix-sharefile-rce/"], "narrative": "The ShareFile Storage Zones Controller is a .NET web application running under IIS, which manages the storage of files in ShareFile's system. It was discovered that this software has a critical vulnerability (CVE-2023-24489) in the file upload functionality provided by the Documentum Connector's .aspx files. Specifically, the security flaw lies in the encryption check in the file upload process which could be bypassed, allowing for unauthenticated arbitrary file uploads and remote code execution.\nThe application sets the current principal from a session cookie, but if this is missing, the application continues without authentication. The application uses AES encryption, with CBC mode and PKCS#7 padding. A decryption check is in place which returns an error if the decryption fails, but this can be bypassed by supplying a ciphertext that results in valid padding after decryption, thereby not causing an exception.\nThe Documentum Connector's upload.aspx file, when uploading a file, calls the ProcessRawPostedFile function, which allows a path traversal due to improper sanitization of the 'uploadId' parameter. It allows the 'filename' and 'uploadId' parameters to be concatenated, and while the 'filename' parameter is sanitized, the 'uploadId' is not. The 'parentid' parameter is passed in but is also not used.\nThe vulnerability enables an attacker to upload a webshell or any other malicious file, by providing a properly padded encrypted string for the 'parentid' parameter, and specifying the path for the 'uploadId' and the name for the 'filename'. An attacker can achieve remote code execution by requesting the uploaded file. The issue was addressed by Citrix in a recent security update.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "APT5", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}], "mitre_attack_tactics": ["Persistence"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation"]}, "detection_names": ["ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Citrix ShareFile Exploitation CVE-2023-24489 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}, {"name": "Citrix ShareFile Exploitation CVE-2023-24489", "source": "web", "type": "Hunting", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}]}, {"name": "Clop Ransomware", "author": "Rod Soto, Teoderick Contreras, Splunk", "date": "2021-03-17", "version": 1, "id": "5a6f6849-1a26-4fae-aa05-fa730556eeb6", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Clop ransomware, including looking for file writes associated with Clope, encrypting network shares, deleting and resizing shadow volume storage, registry key modification, deleting of security logs, and more.", "references": ["https://www.hhs.gov/sites/default/files/analyst-note-cl0p-tlp-white.pdf", "https://securityaffairs.co/wordpress/115250/data-breach/qualys-clop-ransomware.html", "https://www.darkreading.com/attacks-breaches/qualys-is-the-latest-victim-of-accellion-data-breach/d/d-id/1340323"], "narrative": "Clop ransomware campaigns targeting healthcare and other vertical sectors, involve the use of ransomware payloads along with exfiltration of data per HHS bulletin. Malicious actors demand payment for ransome of data and threaten deletion and exposure of exfiltrated data.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "Akira", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "Scattered Spider", "TA505"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}, {"mitre_attack_id": "T1070.001", "mitre_attack_technique": "Clear Windows Event Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "APT38", "APT41", "Chimera", "Dragonfly", "FIN5", "FIN8", "Indrik Spider"]}], "mitre_attack_tactics": ["Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Impact"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Clop Common Exec Parameter - Rule", "ESCU - Clop Ransomware Known Service Name - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - High Process Termination Frequency - Rule", "ESCU - Process Deleting Its Process File Path - Rule", "ESCU - Ransomware Notes bulk creation - Rule", "ESCU - Resize ShadowStorage volume - Rule", "ESCU - Suspicious Event Log Service Behavior - Rule", "ESCU - Suspicious wevtutil Usage - Rule", "ESCU - Windows Event Log Cleared - Rule", "ESCU - Windows High File Deletion Frequency - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Teoderick Contreras, Splunk", "author_name": "Rod Soto", "detections": [{"name": "Clop Common Exec Parameter", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Clop Ransomware Known Service Name", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "High Process Termination Frequency", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}, {"name": "Process Deleting Its Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Ransomware Notes bulk creation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}, {"name": "Resize ShadowStorage volume", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Suspicious Event Log Service Behavior", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear Windows Event Logs"}]}, {"name": "Suspicious wevtutil Usage", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Clear Windows Event Logs"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Windows Event Log Cleared", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear Windows Event Logs"}]}, {"name": "Windows High File Deletion Frequency", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}]}, {"name": "Cloud Cryptomining", "author": "David Dorsey, Splunk", "date": "2019-10-02", "version": 1, "id": "3b96d13c-fdc7-45dd-b3ad-c132b31cdd2a", "description": "Monitor your cloud compute instances for activities related to cryptojacking/cryptomining. New instances that originate from previously unseen regions, users who launch abnormally high numbers of instances, or compute instances started by previously unseen users are just a few examples of potentially malicious behavior.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "narrative": "Cryptomining is an intentionally difficult, resource-intensive business. Its complexity was designed into the process to ensure that the number of blocks mined each day would remain steady. So, it's par for the course that ambitious, but unscrupulous, miners make amassing the computing power of large enterprises--a practice known as cryptojacking--a top priority.\nCryptojacking has attracted an increasing amount of media attention since its explosion in popularity in the fall of 2017. The attacks have moved from in-browser exploits and mobile phones to enterprise cloud services, such as Amazon Web Services (AWS), Google Cloud Platform (GCP), and Azure. It's difficult to determine exactly how widespread the practice has become, since bad actors continually evolve their ability to escape detection, including employing unlisted endpoints, moderating their CPU usage, and hiding the mining pool's IP address behind a free CDN.\nWhen malicious miners appropriate a cloud instance, often spinning up hundreds of new instances, the costs can become astronomical for the account holder. So it is critically important to monitor your systems for suspicious activities that could indicate that your network has been infiltrated.\nThis Analytic Story is focused on detecting suspicious new instances in your cloud environment to help prevent cryptominers from gaining a foothold. It contains detection searches that will detect when a previously unused instance type or AMI is used. It also contains support searches to build lookup files to ensure proper execution of the detection searches.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Persistence", "Privilege Escalation", "Initial Access", "Defense Evasion"], "datamodels": ["Change"], "kill_chain_phases": ["Installation", "Delivery", "Exploitation"]}, "detection_names": ["ESCU - Abnormally High Number Of Cloud Instances Launched - Rule", "ESCU - Cloud Compute Instance Created By Previously Unseen User - Rule", "ESCU - Cloud Compute Instance Created In Previously Unused Region - Rule", "ESCU - Cloud Compute Instance Created With Previously Unseen Image - Rule", "ESCU - Cloud Compute Instance Created With Previously Unseen Instance Type - Rule"], "investigation_names": ["AWS Investigate Security Hub alerts by dest", "AWS Investigate User Activities By ARN", "Get EC2 Instance Details by instanceId", "Get EC2 Launch Details", "Get Notable History", "Investigate AWS activities via region name"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Abnormally High Number Of Cloud Instances Launched", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}, {"name": "Cloud Compute Instance Created By Previously Unseen User", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}, {"name": "Cloud Compute Instance Created In Previously Unused Region", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}, {"name": "Cloud Compute Instance Created With Previously Unseen Image", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Cloud Compute Instance Created With Previously Unseen Instance Type", "source": "cloud", "type": "Anomaly", "tags": []}]}, {"name": "Cloud Federated Credential Abuse", "author": "Rod Soto, Splunk", "date": "2021-01-26", "version": 1, "id": "cecdc1e7-0af2-4a55-8967-b9ea62c0317d", "description": "This analytical story addresses events that indicate abuse of cloud federated credentials. These credentials are usually extracted from endpoint desktop or servers specially those servers that provide federation services such as Windows Active Directory Federation Services. Identity Federation relies on objects such as Oauth2 tokens, cookies or SAML assertions in order to provide seamless access between cloud and perimeter environments. If these objects are either hijacked or forged then attackers will be able to pivot into victim's cloud environements.", "references": ["https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps", "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", "https://us-cert.cisa.gov/ncas/alerts/aa21-008a"], "narrative": "This story is composed of detection searches based on endpoint that addresses the use of Mimikatz, Escalation of Privileges and Abnormal processes that may indicate the extraction of Federated directory objects such as passwords, Oauth2 tokens, certificates and keys. Cloud environment (AWS, Azure) related events are also addressed in specific cloud environment detection searches.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider", "Scattered Spider"]}, {"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}], "mitre_attack_tactics": ["Initial Access", "Privilege Escalation", "Credential Access", "Persistence", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Delivery", "Exploitation"]}, "detection_names": ["ESCU - AWS SAML Access by Provider User and Principal - Rule", "ESCU - AWS SAML Update identity provider - Rule", "ESCU - O365 Add App Role Assignment Grant User - Rule", "ESCU - O365 Added Service Principal - Rule", "ESCU - O365 Excessive SSO logon errors - Rule", "ESCU - O365 New Federated Domain Added - Rule", "ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Detect Mimikatz Via PowerShell And EventCode 4703 - Rule", "ESCU - Certutil exe certificate extraction - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Rod Soto", "detections": [{"name": "AWS SAML Access by Provider User and Principal", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "AWS SAML Update identity provider", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "O365 Add App Role Assignment Grant User", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}, {"name": "O365 Added Service Principal", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}, {"name": "O365 Excessive SSO logon errors", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Authentication Process"}]}, {"name": "O365 New Federated Domain Added", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}, {"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Detect Mimikatz Via PowerShell And EventCode 4703", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}]}, {"name": "Certutil exe certificate extraction", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Registry Keys Used For Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Image File Execution Options Injection"}, {"mitre_attack_technique": "Event Triggered Execution"}]}]}, {"name": "Cobalt Strike", "author": "Michael Haag, Splunk", "date": "2021-02-16", "version": 1, "id": "bcfd17e8-5461-400a-80a2-3b7d1459220c", "description": "Cobalt Strike is threat emulation software. Red teams and penetration testers use Cobalt Strike to demonstrate the risk of a breach and evaluate mature security programs. Most recently, Cobalt Strike has become the choice tool by threat groups due to its ease of use and extensibility.", "references": ["https://www.cobaltstrike.com/", "https://www.infocyte.com/blog/2020/09/02/cobalt-strike-the-new-favorite-among-thieves/", "https://bluescreenofjeff.com/2017-01-24-how-to-write-malleable-c2-profiles-for-cobalt-strike/", "https://blog.talosintelligence.com/2020/09/coverage-strikes-back-cobalt-strike-paper.html", "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html", "https://github.com/MichaelKoczwara/Awesome-CobaltStrike-Defence", "https://github.com/zer0yu/Awesome-CobaltStrike"], "narrative": "This Analytic Story supports you to detect Tactics, Techniques and Procedures (TTPs) from Cobalt Strike. Cobalt Strike has many ways to be enhanced by using aggressor scripts, malleable C2 profiles, default attack packages, and much more. For endpoint behavior, Cobalt Strike is most commonly identified via named pipes, spawn to processes, and DLL function names. Many additional variables are provided for in memory operation of the beacon implant. On the network, depending on the malleable C2 profile used, it is near infinite in the amount of ways to conceal the C2 traffic with Cobalt Strike. Not every query may be specific to Cobalt Strike the tool, but the methodologies and techniques used by it.\nSplunk Threat Research reviewed all publicly available instances of Malleabe C2 Profiles and generated a list of the most commonly used spawnto and pipenames.\n`Spawnto_x86` and `spawnto_x64` is the process that Cobalt Strike will spawn and injects shellcode into.\nPipename sets the named pipe name used in Cobalt Strikes Beacon SMB C2 traffic.\nWith that, new detections were generated focused on these spawnto processes spawning without command line arguments. Similar, the named pipes most commonly used by Cobalt Strike added as a detection. In generating content for Cobalt Strike, the following is considered:\n- Is it normal for spawnto_ value to have no command line arguments? No command line arguments and a network connection?\n- What is the default, or normal, process lineage for spawnto_ value?\n- Does the spawnto_ value make network connections?\n- Is it normal for spawnto_ value to load jscript, vbscript, Amsi.dll, and clr.dll?\nWhile investigating a detection related to this Analytic Story, keep in mind the parent process, process path, and any file modifications that may occur. Tuning may need to occur to remove any false positives.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "APT5", "Akira", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN13", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1127.001", "mitre_attack_technique": "MSBuild", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}], "mitre_attack_tactics": ["Collection", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion"], "datamodels": ["Network_Traffic", "Endpoint"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - Anomalous usage of 7zip - Rule", "ESCU - CMD Echo Pipe - Escalation - Rule", "ESCU - Cobalt Strike Named Pipes - Rule", "ESCU - Detect Regsvr32 Application Control Bypass - Rule", "ESCU - DLLHost with no Command Line Arguments with Network - Rule", "ESCU - GPUpdate with no Command Line Arguments with Network - Rule", "ESCU - Rundll32 with no Command Line Arguments with Network - Rule", "ESCU - SearchProtocolHost with no Command Line with Network - Rule", "ESCU - Services Escalate Exe - Rule", "ESCU - Suspicious DLLHost no Command Line Arguments - Rule", "ESCU - Suspicious GPUpdate no Command Line Arguments - Rule", "ESCU - Suspicious microsoft workflow compiler rename - Rule", "ESCU - Suspicious msbuild path - Rule", "ESCU - Suspicious MSBuild Rename - Rule", "ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", "ESCU - Suspicious Rundll32 StartW - Rule", "ESCU - Suspicious SearchProtocolHost no Command Line Arguments - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Anomalous usage of 7zip", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}, {"name": "CMD Echo Pipe - Escalation", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Cobalt Strike Named Pipes", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Detect Regsvr32 Application Control Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}, {"name": "DLLHost with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "GPUpdate with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Rundll32 with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "SearchProtocolHost with no Command Line with Network", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Services Escalate Exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Suspicious DLLHost no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Suspicious GPUpdate no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Suspicious microsoft workflow compiler rename", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}]}, {"name": "Suspicious msbuild path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}, {"name": "Suspicious MSBuild Rename", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}, {"name": "Suspicious Rundll32 no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Suspicious Rundll32 StartW", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Suspicious SearchProtocolHost no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}]}, {"name": "ColdRoot MacOS RAT", "author": "Jose Hernandez, Splunk", "date": "2019-01-09", "version": 1, "id": "bd91a2bc-d20b-4f44-a982-1bea98e86390", "description": "Leverage searches that allow you to detect and investigate unusual activities that relate to the ColdRoot Remote Access Trojan that affects MacOS. An example of some of these activities are changing sensative binaries in the MacOS sub-system, detecting process names and executables associated with the RAT, detecting when a keyboard tab is installed on a MacOS machine and more.", "references": ["https://www.intego.com/mac-security-blog/osxcoldroot-and-the-rat-invasion/", "https://objective-see.com/blog/blog_0x2A.html", "https://www.bleepingcomputer.com/news/security/coldroot-rat-still-undetectable-despite-being-uploaded-on-github-two-years-ago/"], "narrative": "Conventional wisdom holds that Apple's MacOS operating system is significantly less vulnerable to attack than Windows machines. While that point is debatable, it is true that attacks against MacOS systems are much less common. However, this fact does not mean that Macs are impervious to breaches. To the contrary, research has shown that that Mac malware is increasing at an alarming rate. According to AV-test, in 2018, there were 86,865 new MacOS malware variants, up from 27,338 the year before—a 31% increase. In contrast, the independent research firm found that new Windows malware had increased from 65.17M to 76.86M during that same period, less than half the rate of growth. The bottom line is that while the numbers look a lot smaller than Windows, it's definitely time to take Mac security more seriously.\nThis Analytic Story addresses the ColdRoot remote access trojan (RAT), which was uploaded to Github in 2016, but was still escaping detection by the first quarter of 2018, when a new, more feature-rich variant was discovered masquerading as an Apple audio driver. Among other capabilities, the Pascal-based ColdRoot can heist passwords from users' keychains and remotely control infected machines without detection. In the initial report of his findings, Patrick Wardle, Chief Research Officer for Digita Security, explained that the new ColdRoot RAT could start and kill processes on the breached system, spawn new remote-desktop sessions, take screen captures and assemble them into a live stream of the victim's desktop, and more.\nSearches in this Analytic Story leverage the capabilities of OSquery to address ColdRoot detection from several different angles, such as looking for the existence of associated files and processes, and monitoring for signs of an installed keylogger.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Osquery pack - ColdRoot detection - Rule", "ESCU - MacOS - Re-opened Applications - Rule", "ESCU - Processes Tapping Keyboard Events - Rule"], "investigation_names": ["Get Notable History", "Investigate Network Traffic From src ip"], "baseline_names": [], "author_company": "Splunk", "author_name": "Jose Hernandez", "detections": [{"name": "Osquery pack - ColdRoot detection", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "MacOS - Re-opened Applications", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Processes Tapping Keyboard Events", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Collection and Staging", "author": "Rico Valdez, Splunk", "date": "2020-02-03", "version": 1, "id": "8e03c61e-13c4-4dcd-bfbe-5ce5a8dc031a", "description": "Monitor for and investigate activities--such as suspicious writes to the Windows Recycling Bin or email servers sending high amounts of traffic to specific hosts, for example--that may indicate that an adversary is harvesting and exfiltrating sensitive data. ", "references": ["https://attack.mitre.org/wiki/Collection", "https://attack.mitre.org/wiki/Technique/T1074"], "narrative": "A common adversary goal is to identify and exfiltrate data of value from a target organization. This data may include email conversations and addresses, confidential company information, links to network design/infrastructure, important dates, and so on.\nAttacks are composed of three activities: identification, collection, and staging data for exfiltration. Identification typically involves scanning systems and observing user activity. Collection can involve the transfer of large amounts of data from various repositories. Staging/preparation includes moving data to a central location and compressing (and optionally encoding and/or encrypting) it. All of these activities provide opportunities for defenders to identify their presence.\nUse the searches to detect and monitor suspicious behavior related to these activities.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1114", "mitre_attack_technique": "Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Magic Hound", "Silent Librarian"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "APT5", "Akira", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN13", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1114.002", "mitre_attack_technique": "Remote Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "Chimera", "Dragonfly", "FIN4", "HAFNIUM", "Ke3chang", "Kimsuky", "Leafminer", "Magic Hound"]}, {"mitre_attack_id": "T1114.001", "mitre_attack_technique": "Local Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "Chimera", "Magic Hound"]}], "mitre_attack_tactics": ["Collection", "Defense Evasion"], "datamodels": ["Network_Traffic", "Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Email files written outside of the Outlook directory - Rule", "ESCU - Email servers sending high volume traffic to hosts - Rule", "ESCU - Suspicious writes to System Volume Information - Rule", "ESCU - Detect Renamed 7-Zip - Rule", "ESCU - Detect Renamed WinRAR - Rule", "ESCU - Suspicious writes to windows Recycle Bin - Rule", "ESCU - Hosts receiving high volume of network traffic from email server - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Email files written outside of the Outlook directory", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Email Collection"}, {"mitre_attack_technique": "Local Email Collection"}]}, {"name": "Email servers sending high volume traffic to hosts", "source": "application", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Email Collection"}, {"mitre_attack_technique": "Remote Email Collection"}]}, {"name": "Suspicious writes to System Volume Information", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Detect Renamed 7-Zip", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}, {"name": "Detect Renamed WinRAR", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}, {"name": "Suspicious writes to windows Recycle Bin", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Hosts receiving high volume of network traffic from email server", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Email Collection"}, {"mitre_attack_technique": "Email Collection"}]}]}, {"name": "Command And Control", "author": "Rico Valdez, Splunk", "date": "2018-06-01", "version": 1, "id": "943773c6-c4de-4f38-89a8-0b92f98804d8", "description": "Detect and investigate tactics, techniques, and procedures leveraged by attackers to establish and operate Command And Control channels. Implants installed by attackers on compromised endpoints use these channels to receive instructions and send data back to the malicious operators.", "references": ["https://attack.mitre.org/wiki/Command_and_Control", "https://searchsecurity.techtarget.com/feature/Command-and-control-servers-The-puppet-masters-that-govern-malware"], "narrative": "Threat actors typically architect and implement an infrastructure to use in various ways during the course of their attack campaigns. In some cases, they leverage this infrastructure for scanning and performing reconnaissance activities. In others, they may use this infrastructure to launch actual attacks. One of the most important functions of this infrastructure is to establish servers that will communicate with implants on compromised endpoints. These servers establish a command and control channel that is used to proxy data between the compromised endpoint and the attacker. These channels relay commands from the attacker to the compromised endpoint and the output of those commands back to the attacker.\nBecause this communication is so critical for an adversary, they often use techniques designed to hide the true nature of the communications. There are many different techniques used to establish and communicate over these channels. This Analytic Story provides searches that look for a variety of the techniques used for these channels, as well as indications that these channels are active, by examining logs associated with border control devices and network-access control lists.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1219", "mitre_attack_technique": "Remote Access Software", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Akira", "Carbanak", "Cobalt Group", "DarkVishnya", "Evilnum", "FIN7", "GOLD SOUTHFIELD", "Kimsuky", "MuddyWater", "Mustang Panda", "RTM", "Sandworm Team", "Scattered Spider", "TeamTNT", "Thrip"]}, {"mitre_attack_id": "T1071.004", "mitre_attack_technique": "DNS", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT39", "APT41", "Chimera", "Cobalt Group", "FIN7", "Ke3chang", "LazyScripter", "OilRig", "Tropic Trooper"]}, {"mitre_attack_id": "T1090.003", "mitre_attack_technique": "Multi-hop Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT28", "APT29", "FIN4", "Inception", "Leviathan"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1568.002", "mitre_attack_technique": "Domain Generation Algorithms", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "TA551"]}, {"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "Mustard Tempest", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}, {"mitre_attack_id": "T1095", "mitre_attack_technique": "Non-Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT3", "BITTER", "BackdoorDiplomacy", "FIN6", "HAFNIUM", "Metador", "PLATINUM", "ToddyCat"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Magic Hound", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "Cinnamon Tempest", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "MoustachedBouncer", "POLONIUM", "Sandworm Team", "Turla", "Volt Typhoon", "Windigo"]}], "mitre_attack_tactics": ["Initial Access", "Command And Control", "Exfiltration"], "datamodels": ["Network_Traffic", "Endpoint", "Network_Resolution"], "kill_chain_phases": ["Delivery", "Actions on Objectives", "Command and Control"]}, "detection_names": ["ESCU - Detect Spike in blocked Outbound Traffic from your AWS - Rule", "ESCU - Clients Connecting to Multiple DNS Servers - Rule", "ESCU - Detect Long DNS TXT Record Response - Rule", "ESCU - Detection of DNS Tunnels - Rule", "ESCU - DNS Query Requests Resolved by Unauthorized DNS Servers - Rule", "ESCU - Detect Remote Access Software Usage File - Rule", "ESCU - Detect Remote Access Software Usage FileInfo - Rule", "ESCU - Detect Remote Access Software Usage Process - Rule", "ESCU - DNS Exfiltration Using Nslookup App - Rule", "ESCU - Excessive Usage of NSLOOKUP App - Rule", "ESCU - Windows Remote Access Software Hunt - Rule", "ESCU - Detect DGA domains using pretrained model in DSDL - Rule", "ESCU - Detect DNS Data Exfiltration using pretrained model in DSDL - Rule", "ESCU - Detect hosts connecting to dynamic domain providers - Rule", "ESCU - Detect Large Outbound ICMP Packets - Rule", "ESCU - Detect Remote Access Software Usage DNS - Rule", "ESCU - Detect Remote Access Software Usage Traffic - Rule", "ESCU - Detect suspicious DNS TXT records using pretrained model in DSDL - Rule", "ESCU - DNS Query Length Outliers - MLTK - Rule", "ESCU - DNS Query Length With High Standard Deviation - Rule", "ESCU - Excessive DNS Failures - Rule", "ESCU - Multiple Archive Files Http Post Traffic - Rule", "ESCU - Plain HTTP POST Exfiltrated Data - Rule", "ESCU - Prohibited Network Traffic Allowed - Rule", "ESCU - Protocol or Port Mismatch - Rule", "ESCU - TOR Traffic - Rule", "ESCU - Detect Remote Access Software Usage URL - Rule"], "investigation_names": ["AWS Investigate User Activities By ARN", "AWS Network ACL Details from ID", "AWS Network Interface details via resourceId", "Get All AWS Activity From IP Address", "Get DNS Server History for a host", "Get DNS traffic ratio", "Get Notable History", "Get Parent Process Info", "Get Process Info", "Get Process Information For Port Activity", "Get Process Responsible For The DNS Traffic"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Detect Spike in blocked Outbound Traffic from your AWS", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Clients Connecting to Multiple DNS Servers", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}, {"name": "Detect Long DNS TXT Record Response", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}, {"name": "Detection of DNS Tunnels", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}, {"name": "DNS Query Requests Resolved by Unauthorized DNS Servers", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "DNS"}]}, {"name": "Detect Remote Access Software Usage File", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}, {"name": "Detect Remote Access Software Usage FileInfo", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}, {"name": "Detect Remote Access Software Usage Process", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}, {"name": "DNS Exfiltration Using Nslookup App", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}, {"name": "Excessive Usage of NSLOOKUP App", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}, {"name": "Windows Remote Access Software Hunt", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}, {"name": "Detect DGA domains using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Domain Generation Algorithms"}]}, {"name": "Detect DNS Data Exfiltration using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}, {"name": "Detect hosts connecting to dynamic domain providers", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Drive-by Compromise"}]}, {"name": "Detect Large Outbound ICMP Packets", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Non-Application Layer Protocol"}]}, {"name": "Detect Remote Access Software Usage DNS", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}, {"name": "Detect Remote Access Software Usage Traffic", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}, {"name": "Detect suspicious DNS TXT records using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Domain Generation Algorithms"}]}, {"name": "DNS Query Length Outliers - MLTK", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "DNS"}, {"mitre_attack_technique": "Application Layer Protocol"}]}, {"name": "DNS Query Length With High Standard Deviation", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}, {"name": "Excessive DNS Failures", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "DNS"}, {"mitre_attack_technique": "Application Layer Protocol"}]}, {"name": "Multiple Archive Files Http Post Traffic", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}, {"name": "Plain HTTP POST Exfiltrated Data", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}, {"name": "Prohibited Network Traffic Allowed", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}, {"name": "Protocol or Port Mismatch", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}, {"name": "TOR Traffic", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Multi-hop Proxy"}]}, {"name": "Detect Remote Access Software Usage URL", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}]}, {"name": "Compromised User Account", "author": "Mauricio Velazco, Bhavin Patel, Splunk", "date": "2023-01-19", "version": 1, "id": "19669154-e9d1-4a01-b144-e6592a078092", "description": "Monitor for activities and techniques associated with Compromised User Account attacks.", "references": ["https://www.proofpoint.com/us/threat-reference/compromised-account"], "narrative": "Compromised User Account occurs when cybercriminals gain unauthorized access to accounts by using different techniques like brute force, social engineering, phishing & spear phishing, credential stuffing, etc. By posing as the real user, cyber-criminals can change account details, send out phishing emails, steal financial information or sensitive data, or use any stolen information to access further accounts within the organization. This analytic story groups detections that can help security operations teams identify the potential signs of Compromised User Accounts.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1098.005", "mitre_attack_technique": "Device Registration", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1556.006", "mitre_attack_technique": "Multi-Factor Authentication", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["Scattered Spider"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1201", "mitre_attack_technique": "Password Policy Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}, {"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1185", "mitre_attack_technique": "Browser Session Hijacking", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1110.001", "mitre_attack_technique": "Password Guessing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29"]}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["FIN13"]}], "mitre_attack_tactics": ["Initial Access", "Collection", "Resource Development", "Discovery", "Privilege Escalation", "Credential Access", "Persistence", "Defense Evasion"], "datamodels": ["Authentication", "Change"], "kill_chain_phases": ["Delivery", "Installation", "Weaponization", "Exploitation"]}, "detection_names": ["ESCU - PingID Mismatch Auth Source and Verification Response - Rule", "ESCU - PingID Multiple Failed MFA Requests For User - Rule", "ESCU - PingID New MFA Method After Credential Reset - Rule", "ESCU - PingID New MFA Method Registered For User - Rule", "ESCU - Abnormally High Number Of Cloud Infrastructure API Calls - Rule", "ESCU - ASL AWS Concurrent Sessions From Different Ips - Rule", "ESCU - AWS Concurrent Sessions From Different Ips - Rule", "ESCU - AWS Console Login Failed During MFA Challenge - Rule", "ESCU - AWS High Number Of Failed Authentications For User - Rule", "ESCU - AWS High Number Of Failed Authentications From Ip - Rule", "ESCU - AWS Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - AWS Password Policy Changes - Rule", "ESCU - AWS Successful Console Authentication From Multiple IPs - Rule", "ESCU - Azure AD Concurrent Sessions From Different Ips - Rule", "ESCU - Azure AD High Number Of Failed Authentications For User - Rule", "ESCU - Azure AD High Number Of Failed Authentications From Ip - Rule", "ESCU - Azure AD New MFA Method Registered For User - Rule", "ESCU - Azure AD Successful Authentication From Different Ips - Rule", "ESCU - Detect AWS Console Login by User from New City - Rule", "ESCU - Detect AWS Console Login by User from New Country - Rule", "ESCU - Detect AWS Console Login by User from New Region - Rule", "ESCU - ASL AWS Password Policy Changes - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Bhavin Patel, Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "PingID Mismatch Auth Source and Verification Response", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}, {"mitre_attack_technique": "Multi-Factor Authentication"}, {"mitre_attack_technique": "Device Registration"}]}, {"name": "PingID Multiple Failed MFA Requests For User", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "PingID New MFA Method After Credential Reset", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}, {"mitre_attack_technique": "Multi-Factor Authentication"}, {"mitre_attack_technique": "Device Registration"}]}, {"name": "PingID New MFA Method Registered For User", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}, {"mitre_attack_technique": "Multi-Factor Authentication"}, {"mitre_attack_technique": "Device Registration"}]}, {"name": "Abnormally High Number Of Cloud Infrastructure API Calls", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}, {"name": "ASL AWS Concurrent Sessions From Different Ips", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Browser Session Hijacking"}]}, {"name": "AWS Concurrent Sessions From Different Ips", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Browser Session Hijacking"}]}, {"name": "AWS Console Login Failed During MFA Challenge", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}, {"name": "AWS High Number Of Failed Authentications For User", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Policy Discovery"}]}, {"name": "AWS High Number Of Failed Authentications From Ip", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}, {"name": "AWS Multiple Users Failing To Authenticate From Ip", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}, {"name": "AWS Password Policy Changes", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Password Policy Discovery"}]}, {"name": "AWS Successful Console Authentication From Multiple IPs", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}, {"name": "Azure AD Concurrent Sessions From Different Ips", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Browser Session Hijacking"}]}, {"name": "Azure AD High Number Of Failed Authentications For User", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Guessing"}]}, {"name": "Azure AD High Number Of Failed Authentications From Ip", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Guessing"}, {"mitre_attack_technique": "Password Spraying"}]}, {"name": "Azure AD New MFA Method Registered For User", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Authentication Process"}, {"mitre_attack_technique": "Multi-Factor Authentication"}]}, {"name": "Azure AD Successful Authentication From Different Ips", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Guessing"}, {"mitre_attack_technique": "Password Spraying"}]}, {"name": "Detect AWS Console Login by User from New City", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}, {"name": "Detect AWS Console Login by User from New Country", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}, {"name": "Detect AWS Console Login by User from New Region", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}, {"name": "ASL AWS Password Policy Changes", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "Password Policy Discovery"}]}]}, {"name": "Confluence Data Center and Confluence Server Vulnerabilities", "author": "Michael Haag, Splunk", "date": "2024-01-22", "version": 1, "id": "509387a5-ab53-4656-8bb5-4bc8c2c074d9", "description": "The following analytic story covers use cases for detecting and investigating potential attacks against Confluence Data Center and Confluence Server.", "references": ["https://confluence.atlassian.com/security/cve-2023-22527-rce-remote-code-execution-vulnerability-in-confluence-data-center-and-confluence-server-1333990257.html"], "narrative": "The analytic story of Confluence Data Center and Confluence Server encompasses a comprehensive approach to safeguarding these platforms from a variety of threats. By leveraging the analytics created in the project, security teams are equipped to detect, investigate, and respond to potential attacks that target Confluence environments.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Web"], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - Confluence Data Center and Server Privilege Escalation - Rule", "ESCU - Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527 - Rule", "ESCU - Confluence Unauthenticated Remote Code Execution CVE-2022-26134 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Confluence Data Center and Server Privilege Escalation", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}, {"name": "Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}, {"name": "Confluence Unauthenticated Remote Code Execution CVE-2022-26134", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}]}, {"name": "ConnectWise ScreenConnect Vulnerabilities", "author": "Michael Haag, Splunk", "date": "2024-02-21", "version": 1, "id": "fbee3185-748c-40d8-a60c-c2e2c9eb738b", "description": "This analytic story provides a comprehensive overview of the ConnectWise ScreenConnect vulnerabilities.", "references": ["https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass", "https://www.huntress.com/blog/detection-guidance-for-connectwise-cwe-288-2", "https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8"], "narrative": "The following analytic story includes content for recently disclosed CWE-288 Authentication Bypass and CWE-22 Path Traversal. The vulnerabilities, identified as critical with CVSS scores of 10 and 9.8, respectively, enable unauthorized users to bypass authentication and perform path traversal attacks on affected ScreenConnect instances. The analytic story includes detection analytics for both vulnerabilities, which are crucial for identifying and responding to active exploitation in environments running affected versions of ScreenConnect (23.9.7 and prior). It is recommended to update to version 23.9.8 or above immediately to remediate the issues, as detailed in the ConnectWise security advisory and further analyzed by Huntress researchers. The analytic story also includes guidance on how to implement the detection analytics, known false positives, and references to additional resources for further analysis and remediation.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Web", "Endpoint"], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - ConnectWise ScreenConnect Path Traversal - Rule", "ESCU - ConnectWise ScreenConnect Path Traversal Windows SACL - Rule", "ESCU - ConnectWise ScreenConnect Authentication Bypass - Rule", "ESCU - Nginx ConnectWise ScreenConnect Authentication Bypass - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "ConnectWise ScreenConnect Path Traversal", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}, {"name": "ConnectWise ScreenConnect Path Traversal Windows SACL", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}, {"name": "ConnectWise ScreenConnect Authentication Bypass", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}, {"name": "Nginx ConnectWise ScreenConnect Authentication Bypass", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}]}, {"name": "Credential Dumping", "author": "Rico Valdez, Splunk", "date": "2020-02-04", "version": 3, "id": "854d78bf-d0e2-4f4e-b05c-640905f86d7a", "description": "Uncover activity consistent with credential dumping, a technique wherein attackers compromise systems and attempt to obtain and exfiltrate passwords. The threat actors use these pilfered credentials to further escalate privileges and spread throughout a target environment. The included searches in this Analytic Story are designed to identify attempts to credential dumping.", "references": ["https://attack.mitre.org/wiki/Technique/T1003", "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html"], "narrative": "Credential dumping—gathering credentials from a target system, often hashed or encrypted—is a common attack technique. Even though the credentials may not be in plain text, an attacker can still exfiltrate the data and set to cracking it offline, on their own systems. The threat actors target a variety of sources to extract them, including the Security Accounts Manager (SAM), Local Security Authority (LSA), NTDS from Domain Controllers, or the Group Policy Preference (GPP) files.\nOnce attackers obtain valid credentials, they use them to move throughout a target network with ease, discovering new systems and identifying assets of interest. Credentials obtained in this manner typically include those of privileged users, which may provide access to more sensitive information and system operations.\nThe detection searches in this Analytic Story monitor access to the Local Security Authority Subsystem Service (LSASS) process, the usage of shadowcopies for credential dumping and some other techniques for credential dumping.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003.006", "mitre_attack_technique": "DCSync", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Earth Lusca", "LAPSUS$"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003.003", "mitre_attack_technique": "NTDS", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "HAFNIUM", "Ke3chang", "LAPSUS$", "Mustang Panda", "Sandworm Team", "Scattered Spider", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.003", "mitre_attack_technique": "Local Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT32", "FIN10", "FIN7", "HAFNIUM", "Kimsuky", "PROMETHIUM", "Tropic Trooper", "Turla"]}, {"mitre_attack_id": "T1552.001", "mitre_attack_technique": "Credentials In Files", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "FIN13", "Fox Kitten", "Kimsuky", "Leafminer", "MuddyWater", "OilRig", "Scattered Spider", "TA505", "TeamTNT"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}], "mitre_attack_tactics": ["Initial Access", "Credential Access", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion"], "datamodels": ["Authentication", "Endpoint", "Change"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation"]}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Dump LSASS via procdump Rename - Rule", "ESCU - Unsigned Image Loaded by LSASS - Rule", "ESCU - Access LSASS Memory for Dump Creation - Rule", "ESCU - Attempted Credential Dump From Registry via Reg exe - Rule", "ESCU - Create Remote Thread into LSASS - Rule", "ESCU - Creation of lsass Dump with Taskmgr - Rule", "ESCU - Creation of Shadow Copy - Rule", "ESCU - Creation of Shadow Copy with wmic and powershell - Rule", "ESCU - Credential Dumping via Copy Command from Shadow Copy - Rule", "ESCU - Credential Dumping via Symlink to Shadow Copy - Rule", "ESCU - Detect Copy of ShadowCopy with Script Block Logging - Rule", "ESCU - Detect Credential Dumping through LSASS access - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Dump LSASS via procdump - Rule", "ESCU - Enable WDigest UseLogonCredential Registry - Rule", "ESCU - Esentutl SAM Copy - Rule", "ESCU - Extraction of Registry Hives - Rule", "ESCU - Ntdsutil Export NTDS - Rule", "ESCU - Potential password in username - Rule", "ESCU - SAM Database File Access Attempt - Rule", "ESCU - SecretDumps Offline NTDS Dumping Tool - Rule", "ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule", "ESCU - Windows AD Replication Request Initiated by User Account - Rule", "ESCU - Windows AD Replication Request Initiated from Unsanctioned Location - Rule", "ESCU - Windows Credential Dumping LSASS Memory Createdump - Rule", "ESCU - Windows Hunting System Account Targeting Lsass - Rule", "ESCU - Windows Mimikatz Binary Execution - Rule", "ESCU - Windows Non-System Account Targeting Lsass - Rule", "ESCU - Windows Possible Credential Dumping - Rule"], "investigation_names": ["Investigate Failed Logins for Multiple Destinations", "Investigate Pass the Hash Attempts", "Investigate Pass the Ticket Attempts", "Investigate Previous Unseen User"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Dump LSASS via procdump Rename", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "LSASS Memory"}]}, {"name": "Unsigned Image Loaded by LSASS", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}]}, {"name": "Access LSASS Memory for Dump Creation", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Attempted Credential Dump From Registry via Reg exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Create Remote Thread into LSASS", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Creation of lsass Dump with Taskmgr", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Creation of Shadow Copy", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Creation of Shadow Copy with wmic and powershell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Credential Dumping via Copy Command from Shadow Copy", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Credential Dumping via Symlink to Shadow Copy", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Detect Copy of ShadowCopy with Script Block Logging", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Detect Credential Dumping through LSASS access", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Dump LSASS via procdump", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Enable WDigest UseLogonCredential Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Esentutl SAM Copy", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Extraction of Registry Hives", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Ntdsutil Export NTDS", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Potential password in username", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Local Accounts"}, {"mitre_attack_technique": "Credentials In Files"}]}, {"name": "SAM Database File Access Attempt", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "SecretDumps Offline NTDS Dumping Tool", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Windows AD Replication Request Initiated by User Account", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "DCSync"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Windows AD Replication Request Initiated from Unsanctioned Location", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "DCSync"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Windows Credential Dumping LSASS Memory Createdump", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}]}, {"name": "Windows Hunting System Account Targeting Lsass", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Windows Mimikatz Binary Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Windows Non-System Account Targeting Lsass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Windows Possible Credential Dumping", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}]}, {"name": "CrushFTP Vulnerabilities", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 1, "id": "933df821-3b75-4669-a58a-e85d2cd7b9b0", "description": "CVE-2024-4040 identifies a critical server-side template injection vulnerability in all versions of CrushFTP prior to 10.7.1 and 11.1.0, allowing unauthenticated remote attackers to execute arbitrary code, bypass authentication, and access files outside of the VFS Sandbox.", "references": ["https://github.com/airbus-cert/CVE-2024-4040", "https://www.bleepingcomputer.com/news/security/crushftp-warns-users-to-patch-exploited-zero-day-immediately/"], "narrative": "CVE-2024-4040 exposes a severe server-side template injection vulnerability in all versions of CrushFTP prior to 10.7.1 and 11.1.0. This critical flaw allows unauthenticated remote attackers to execute arbitrary code, bypass authentication mechanisms, and access files outside of the VFS Sandbox. The vulnerability was urgently addressed by CrushFTP with a patch after it was actively exploited in the wild, highlighting the necessity for immediate updates to secure server environments. Users operating behind a DMZ are reported to have an additional layer of protection against this exploit. The discovery and subsequent reporting of this vulnerability by Simon Garrelou of Airbus CERT prompted a swift response from CrushFTP, underscoring the critical nature of the flaw and the potential risks associated with delayed patching. This incident serves as a stark reminder of the importance of maintaining up-to-date software to defend against evolving cybersecurity threats.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - CrushFTP Server Side Template Injection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "CrushFTP Server Side Template Injection", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}]}, {"name": "CVE-2022-40684 Fortinet Appliance Auth bypass", "author": "Michael Haag, Splunk", "date": "2022-10-14", "version": 1, "id": "55721831-577e-41be-beef-bdc03c81486a", "description": "Fortinet recently patched a critical authentication bypass vulnerability in their FortiOS, FortiProxy, and FortiSwitchManager projects CVE-2022-40684.", "references": ["https://www.wordfence.com/blog/2022/10/threat-advisory-cve-2022-40684-fortinet-appliance-auth-bypass/", "https://www.horizon3.ai/fortios-fortiproxy-and-fortiswitchmanager-authentication-bypass-technical-deep-dive-cve-2022-40684/", "https://github.com/horizon3ai/CVE-2022-40684", "https://attackerkb.com/topics/QWOxGIKkGx/cve-2022-40684/rapid7-analysis", "https://www.greynoise.io/blog/fortios-authentication-bypass"], "narrative": "FortiOS exposes a management web portal that allows a user configure the system. Additionally, a user can SSH into the system which exposes a locked down CLI interface. Any HTTP requests to the management interface of the system that match the conditions above should be cause for concern. An attacker can use this vulnerability to do just about anything they want to the vulnerable system. This includes changing network configurations, adding new users, and initiating packet captures. Note that this is not the only way to exploit this vulnerability and there may be other sets of conditions that work. For instance, a modified version of this exploit uses the User-Agent Node.js. This exploit seems to follow a trend among recently discovered enterprise software vulnerabilities where HTTP headers are improperly validated or overly trusted. (ref Horizon3.ai)", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Fortinet Appliance Auth bypass - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Fortinet Appliance Auth bypass", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}]}, {"name": "CVE-2023-21716 Word RTF Heap Corruption", "author": "Michael Haag, Splunk", "date": "2023-03-10", "version": 1, "id": "b1aeaf2c-8496-42e7-b2f7-15c328bc75d9", "description": "A proof-of-concept for CVE-2023-21716, a critical vulnerability in Microsoft Word that allows remote code execution utilizing a heap corruption in rich text files.", "references": ["https://www.bleepingcomputer.com/news/security/proof-of-concept-released-for-critical-microsoft-word-rce-bug/"], "narrative": "This analytic story covers content that will assist organizations in identifying potential RTF RCE abuse on endpoints. The vulnerability was assigned a 9.8 out of 10 severity score, with Microsoft addressing it in the February Patch Tuesday security updates along with a couple of workarounds. Security researcher Joshua Drake last year discovered the vulnerability in Microsoft Office''s \"wwlib.dll\" and sent Microsoft a technical advisory containing proof-of-concept (PoC) code showing the issue is exploitable. A remote attacker could potentially take advantage of the issue to execute code with the same privileges as the victim that opens a malicious .RTF document. Delivering the malicious file to a victim can be as easy as an attachment to an email, although plenty of other methods exist. Microsoft warns that users don''t have to open a malicious RTF document and simply loading the file in the Preview Pane is enough for the compromise to start. (BleepingComputer, 2023)", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - Office Application Drop Executable - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Winword Spawning Cmd - Rule", "ESCU - Winword Spawning PowerShell - Rule", "ESCU - Winword Spawning Windows Script Host - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Office Application Drop Executable", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Winword Spawning Cmd", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Winword Spawning PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Winword Spawning Windows Script Host", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}]}, {"name": "CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server", "author": "Michael Haag, Splunk", "date": "2023-10-04", "version": 1, "id": "ead8eb10-9e7c-4a07-a44c-c6e73997a1a3", "description": "On October 4, 2023, Atlassian disclosed a critical privilege escalation vulnerability, CVE-2023-22515, affecting on-premises instances of Confluence Server and Confluence Data Center. This flaw might allow external attackers to exploit accessible Confluence instances, creating unauthorized Confluence administrator accounts. Indicators suggest the vulnerability is remotely exploitable. The affected versions range from 8.0.0 to 8.5.1, but versions prior to 8.0.0 and Atlassian Cloud sites are unaffected. Atlassian advises customers to update to a fixed version or implement mitigation strategies. Indicators of compromise (IoCs) and mitigation steps, such as blocking access to /setup/* endpoints, are provided.", "references": ["https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html", "https://www.rapid7.com/blog/post/2023/10/04/etr-cve-2023-22515-zero-day-privilege-escalation-in-confluence-server-and-data-center/"], "narrative": "Upon Atlassian's disclosure of CVE-2023-22515, there's an immediate need to assess the threat landscape of on-premises Confluence installations. As the vulnerability affects privilege escalation and may be exploited remotely, SIEM solutions should be poised to detect potential threats.\nBy monitoring for specific indicators of compromise, security teams can get ahead of any potential breaches. Key indicators include unexpected members in the 'confluence-administrator' group, newly created user accounts, and specific HTTP requests to /setup/*.action endpoints. Any unusual spikes or patterns associated with these indicators might signify an ongoing or attempted exploitation.\nFurthermore, an audit trail of past logs is essential. Analyzing older logs might uncover any unnoticed exploitation, allowing for a post-incident analysis and ensuring affected systems are patched or isolated. An alert mechanism should be established for any access or changes related to /setup/* endpoints.\nIn parallel, updating the affected Confluence Server and Data Center versions to the fixed releases is paramount. If immediate updates aren't feasible, interim mitigation measures, such as blocking external network access to /setup/*, should be implemented, and logs around this activity should be monitored.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Web"], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - Confluence CVE-2023-22515 Trigger Vulnerability - Rule", "ESCU - Confluence Data Center and Server Privilege Escalation - Rule", "ESCU - Web Remote ShellServlet Access - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Confluence CVE-2023-22515 Trigger Vulnerability", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}, {"name": "Confluence Data Center and Server Privilege Escalation", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}, {"name": "Web Remote ShellServlet Access", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}]}, {"name": "CVE-2023-23397 Outlook Elevation of Privilege", "author": "Michael Haag, Splunk", "date": "2023-03-15", "version": 1, "id": "b459911b-551f-480f-a402-18cf89ca1e9c", "description": "Microsoft has released CVE-2023-23397 to address the critical elevation of privilege (EoP) vulnerability affecting Microsoft Outlook for Windows.", "references": ["https://twitter.com/ACEResponder/status/1636116096506818562?s=20", "https://twitter.com/domchell/status/1635999068282408962?s=20", "https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/", "https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/"], "narrative": "Microsoft Threat Intelligence discovered limited, targeted abuse of a vulnerability in Microsoft Outlook for Windows that allows for new technology LAN manager (NTLM) credential theft. Microsoft has released CVE-2023-23397 to address the critical elevation of privilege (EoP) vulnerability affecting Microsoft Outlook for Windows. We strongly recommend all customers update Microsoft Outlook for Windows to remain secure. CVE-2023-23397 is a critical EoP vulnerability in Microsoft Outlook that is triggered when an attacker sends a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server. No user interaction is required. The connection to the remote SMB server sends the user''s NTLM negotiation message, which the attacker can then relay for authentication against other systems that support NTLM authentication. Online services such as Microsoft 365 do not support NTLM authentication and are not vulnerable to being attacked by these messages. (2023, Microsoft)", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}], "mitre_attack_tactics": ["Exfiltration"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives"]}, "detection_names": ["ESCU - Windows Rundll32 WebDAV Request - Rule", "ESCU - Windows Rundll32 WebDav With Network Connection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Rundll32 WebDAV Request", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}, {"name": "Windows Rundll32 WebDav With Network Connection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}]}, {"name": "CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "author": "Michael Haag, Splunk", "date": "2023-07-11", "version": 1, "id": "dd7fb691-63d6-47ad-9a7f-1b9005cefad2", "description": "CVE-2023-36884 is an unpatched zero-day vulnerability affecting Windows and Microsoft Office products. The vulnerability allows for remote code execution through specially crafted Microsoft Office documents, enabling an attacker to operate in the context of the victim. As of now, there are no security updates available. However, users of Microsoft Defender for Office and the \"Block all Office applications from creating child processes\" Attack Surface Reduction Rule are safeguarded against this exploit. For other users, temporary mitigation can be achieved by adding specific application names to a designated registry key.", "references": ["https://gist.github.com/MHaggis/22ad19081300493e70ce0b873e98b2d0", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884", "https://www.bleepingcomputer.com/news/microsoft/microsoft-july-2023-patch-tuesday-warns-of-6-zero-days-132-flaws/", "https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/"], "narrative": "CVE-2023-36884 is a serious security vulnerability that affects a range of Microsoft Office products and Windows systems. It is a zero-day flaw, meaning it was already being exploited before Microsoft became aware of it or had a chance to develop a patch.\nAn attacker exploiting this vulnerability would create a Microsoft Office document containing malicious code. This document, when opened by the victim, allows for remote code execution, giving the attacker the ability to run their own code on the victim's machine. This poses a significant risk as the attacker could perform actions like data theft, system damage, or creating backdoors for future access.\nCurrently, there is no security patch available from Microsoft, which makes the issue more critical. Microsoft is working on investigating these vulnerabilities and will likely provide a security update either through their monthly release cycle or an out-of-cycle update, based on the urgency.\nIn the meantime, users of Microsoft Defender for Office and those utilizing the \"Block all Office applications from creating child processes\" Attack Surface Reduction Rule are protected from attempts to exploit this vulnerability. This is because these protections add an extra layer of security, blocking the malicious code from executing.\nFor users who are not using these protections, Microsoft recommends a workaround by adding specific application names to a particular Windows registry key (HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION) with data set as \"1\". This action aims to mitigate the risk until a permanent fix is available.\nThe disclosure of this flaw involved multiple entities including Microsoft Threat Intelligence, Vlad Stolyarov, Clement Lecigne and Bahare Sabouri from Google's Threat Analysis Group (TAG), Paul Rascagneres and Tom Lancaster from Volexity, and the Microsoft Office Product Group Security Team. This collective effort indicates the severity and importance of addressing this issue.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - MSHTML Module Load in Office Product - Rule", "ESCU - Office Document Spawned Child Process To Download - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Office Product Spawning BITSAdmin - Rule", "ESCU - Office Product Spawning CertUtil - Rule", "ESCU - Office Product Spawning MSHTA - Rule", "ESCU - Office Product Spawning Rundll32 with no DLL - Rule", "ESCU - Office Product Spawning Windows Script Host - Rule", "ESCU - Office Product Spawning Wmic - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "MSHTML Module Load in Office Product", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Document Spawned Child Process To Download", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawning BITSAdmin", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawning CertUtil", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawning MSHTA", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawning Rundll32 with no DLL", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawning Windows Script Host", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawning Wmic", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}]}, {"name": "Cyclops Blink", "author": "Teoderick Contreras, Splunk", "date": "2024-03-14", "version": 2, "id": "7c75b1c8-dfff-46f1-8250-e58df91b6fd9", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the cyclopsblink malware including firewall modification, spawning more process, botnet c2 communication, defense evasion and etc. Cyclops Blink is a Linux ELF executable compiled for 32-bit x86 and PowerPC architecture that has targeted several network devices. The complete list of targeted devices is unknown at this time, but WatchGuard FireBox has specifically been listed as a target. The modular malware consists of core components and modules that are deployed as child processes using the Linux API fork. At this point, four modules have been identified that download and upload files, gather system information and contain updating mechanisms for the malware itself. Additional modules can be downloaded and executed from the Command And Control (C2) server.", "references": ["https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf", "https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html"], "narrative": "Adversaries may use this technique to maximize the impact on the target organization in operations where network wide availability interruption is the goal.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT", "ToddyCat"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1036.004", "mitre_attack_technique": "Masquerade Task or Service", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT41", "BITTER", "BackdoorDiplomacy", "Carbanak", "FIN13", "FIN6", "FIN7", "Fox Kitten", "Higaisa", "Kimsuky", "Lazarus Group", "Magic Hound", "Naikon", "PROMETHIUM", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Linux Iptables Firewall Modification - Rule", "ESCU - Linux Kworker Process In Writable Process Path - Rule", "ESCU - Linux Stdout Redirection To Dev Null File - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Linux Iptables Firewall Modification", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Linux Kworker Process In Writable Process Path", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Masquerade Task or Service"}, {"mitre_attack_technique": "Masquerading"}]}, {"name": "Linux Stdout Redirection To Dev Null File", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}]}, {"name": "DarkCrystal RAT", "author": "Teoderick Contreras, Splunk", "date": "2022-07-26", "version": 1, "id": "639e6006-0885-4847-9394-ddc2902629bf", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the DcRat malware including ddos, spawning more process, botnet c2 communication, defense evasion and etc. The DcRat malware is known commercial backdoor that was first released in 2018. This tool was sold in underground forum and known to be one of the cheapest commercial RATs. DcRat is modular and bespoke plugin framework make it a very flexible option, helpful for a range of nefearious uses.", "references": ["https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor", "https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat"], "narrative": "Adversaries may use this technique to maximize the impact on the target organization in operations where network wide availability interruption is the goal.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1124", "mitre_attack_technique": "System Time Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Darkhotel", "Higaisa", "Lazarus Group", "Sidewinder", "The White Company", "Turla", "ZIRCONIUM"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "APT5", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1592.001", "mitre_attack_technique": "Hardware", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1590", "mitre_attack_technique": "Gather Victim Network Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["HAFNIUM"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1590.005", "mitre_attack_technique": "IP Addresses", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["Andariel", "HAFNIUM", "Magic Hound"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Reconnaissance", "Command And Control", "Initial Access", "Discovery", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Impact"], "datamodels": ["Risk", "Endpoint"], "kill_chain_phases": ["Reconnaissance", "Delivery", "Exploitation", "Actions on Objectives", "Installation", "Command and Control"]}, "detection_names": ["ESCU - Any Powershell DownloadFile - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Windows Command Shell DCRat ForkBomb Payload - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows Gather Victim Host Information Camera - Rule", "ESCU - Windows Gather Victim Network Info Through Ip Check Web Services - Rule", "ESCU - Windows High File Deletion Frequency - Rule", "ESCU - Windows Ingress Tool Transfer Using Explorer - Rule", "ESCU - Windows System LogOff Commandline - Rule", "ESCU - Windows System Reboot CommandLine - Rule", "ESCU - Windows System Shutdown CommandLine - Rule", "ESCU - Windows System Time Discovery W32tm Delay - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule", "ESCU - Winword Spawning Cmd - Rule", "ESCU - Winword Spawning PowerShell - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}, {"name": "Malicious PowerShell Process - Execution Policy Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Windows Command Shell DCRat ForkBomb Payload", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "System Network Connections Discovery"}, {"mitre_attack_technique": "System Owner/User Discovery"}, {"mitre_attack_technique": "System Shutdown/Reboot"}, {"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows Gather Victim Host Information Camera", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Hardware"}, {"mitre_attack_technique": "Gather Victim Host Information"}]}, {"name": "Windows Gather Victim Network Info Through Ip Check Web Services", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "IP Addresses"}, {"mitre_attack_technique": "Gather Victim Network Information"}]}, {"name": "Windows High File Deletion Frequency", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Windows Ingress Tool Transfer Using Explorer", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Windows System LogOff Commandline", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Shutdown/Reboot"}]}, {"name": "Windows System Reboot CommandLine", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Shutdown/Reboot"}]}, {"name": "Windows System Shutdown CommandLine", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Shutdown/Reboot"}]}, {"name": "Windows System Time Discovery W32tm Delay", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Time Discovery"}]}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Scheduled Task"}]}, {"name": "Winword Spawning Cmd", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Winword Spawning PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}]}, {"name": "DarkGate Malware", "author": "Michael Haag, Splunk", "date": "2023-10-31", "version": 1, "id": "a4727b27-9e68-48f0-94a2-253cfb30c15d", "description": "Telekom Security CTI has uncovered a new phishing-driven malware campaign distributing DarkGate malware. This campaign utilizes stolen email threads to trick users into downloading malicious payloads via hyperlinks. An initial false link to Emotet stirred the security community, but deeper analysis confirmed its true identity as DarkGate, with characteristics like AutoIt scripts and a known command-and-control protocol. This report by Fabian Marquardt details the intricate infection mechanisms, including MSI and VBS file deliveries, sophisticated evasion techniques, and a robust configuration extraction method surpassing current standards. The single developer behind DarkGate, active on cybercrime forums, has shifted the malware's use from private to a rent-out model, implying an expected rise in its deployment. Researchers have also developed a decryption technique for the DarkGate malware, which aids in static analysis and detection, though it requires careful validation to avoid false positives.", "references": ["https://github.security.telekom.com/2023/08/darkgate-loader.html", "https://redcanary.com/blog/intelligence-insights-october-2023"], "narrative": "Telekom Security CTi has recently put a spotlight on the proliferation of DarkGate malware via a sophisticated malspam campaign, initially mistaken for the notorious Emotet malware. The campaign smartly manipulates stolen email conversations, embedding hyperlinks that, once clicked, activate a malware download. Fabian Marquardt's analysis traces the infection's footprint, revealing a dual delivery mechanism through MSI and VBS files. These files, cloaked in legitimate wrappers or obscured with junk code, ultimately download the malware via embedded scripts.\nMarquardt delves into the AutoIt script-based infection, uncovering the calculated use of compiled scripts and base64-encoded data to disguise the execution of malicious shellcode. The subsequent stages of infection exhibit the malware's capability to evade detection, leveraging memory allocation techniques to bypass security measures. Marquardt also explores the loader's function, which decrypts further malicious payloads by interacting with the script's encoded components.\nThe analytical narrative captures a cross-section of the cybersecurity landscape, reflecting the shift in DarkGate's operational strategy from exclusive use by the developer to a broader dissemination through a Malware-as-a-Service (MaaS) model. This transition suggests an anticipated escalation in DarkGate-related attacks.\nSignificantly, the report contributes to cybersecurity defenses by outlining a more effective method for extracting malware configurations, providing the community with the means to anticipate and mitigate the evolving threats posed by this pernicious malware. With the insights gained, researchers and security professionals are better equipped to adapt their strategies, constructing more robust defenses against the sophisticated tactics employed by DarkGate and similar malware strains.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "APT5", "Akira", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN13", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1218.007", "mitre_attack_technique": "Msiexec", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Machete", "Molerats", "Rancor", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "APT5", "Dragonfly", "FIN13", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT", "Wizard Spider"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider", "Scattered Spider"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1070.005", "mitre_attack_technique": "Network Share Connection Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Threat Group-3390"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}, {"mitre_attack_id": "T1059.007", "mitre_attack_technique": "JavaScript", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "Cobalt Group", "Earth Lusca", "Ember Bear", "Evilnum", "FIN6", "FIN7", "Higaisa", "Indrik Spider", "Kimsuky", "LazyScripter", "Leafminer", "Molerats", "MoustachedBouncer", "MuddyWater", "Sidewinder", "Silence", "TA505", "Turla"]}, {"mitre_attack_id": "T1531", "mitre_attack_technique": "Account Access Removal", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Akira", "LAPSUS$"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "APT41", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "Volt Typhoon", "ZIRCONIUM"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1218.009", "mitre_attack_technique": "Regsvcs/Regasm", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "APT41", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Malteiro", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1021.006", "mitre_attack_technique": "Windows Remote Management", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Chimera", "FIN13", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1134.002", "mitre_attack_technique": "Create Process with Token", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Lazarus Group", "Turla"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "Malteiro", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Initial Access", "Collection", "Discovery", "Privilege Escalation", "Credential Access", "Persistence", "Execution", "Defense Evasion", "Impact", "Lateral Movement"], "datamodels": ["Authentication", "Endpoint"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Create local admin accounts using net exe - Rule", "ESCU - Create or delete windows shares using net exe - Rule", "ESCU - Delete ShadowCopy With PowerShell - Rule", "ESCU - Deleting Of Net Users - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Regasm Spawning a Process - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Execution of File with Multiple Extensions - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - Powershell Remote Services Add TrustedHost - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - Windows Access Token Manipulation SeDebugPrivilege - Rule", "ESCU - Windows Archive Collected Data via Rar - Rule", "ESCU - Windows AutoIt3 Execution - Rule", "ESCU - Windows CAB File on Disk - Rule", "ESCU - Windows Credentials from Password Stores Chrome Extension Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule", "ESCU - Windows Credentials from Password Stores Creation - Rule", "ESCU - Windows Credentials from Password Stores Deletion - Rule", "ESCU - Windows Credentials from Password Stores Query - Rule", "ESCU - Windows Indicator Removal Via Rmdir - Rule", "ESCU - Windows Modify Registry AuthenticationLevelOverride - Rule", "ESCU - Windows Modify Registry DisableRemoteDesktopAntiAlias - Rule", "ESCU - Windows Modify Registry DisableSecuritySettings - Rule", "ESCU - Windows Modify Registry DontShowUI - Rule", "ESCU - Windows Modify Registry ProxyEnable - Rule", "ESCU - Windows Modify Registry ProxyServer - Rule", "ESCU - Windows MSIExec Spawn WinDBG - Rule", "ESCU - Windows System Reboot CommandLine - Rule", "ESCU - Windows System Shutdown CommandLine - Rule", "ESCU - Windows WinDBG Spawning AutoIt3 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}, {"name": "Create local admin accounts using net exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}, {"name": "Create or delete windows shares using net exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Network Share Connection Removal"}]}, {"name": "Delete ShadowCopy With PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Deleting Of Net Users", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Access Removal"}]}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}, {"name": "Detect Regasm Spawning a Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Execution of File with Multiple Extensions", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "PowerShell 4104 Hunting", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Powershell Remote Services Add TrustedHost", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Remote Management"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "System Processes Run From Unexpected Locations", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}, {"name": "Windows Access Token Manipulation SeDebugPrivilege", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Create Process with Token"}, {"mitre_attack_technique": "Access Token Manipulation"}]}, {"name": "Windows Archive Collected Data via Rar", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}, {"name": "Windows AutoIt3 Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows CAB File on Disk", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Windows Credentials from Password Stores Chrome Extension Access", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Credentials from Password Stores Chrome LocalState Access", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Credentials from Password Stores Chrome Login Data Access", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Credentials from Password Stores Creation", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}]}, {"name": "Windows Credentials from Password Stores Deletion", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}]}, {"name": "Windows Credentials from Password Stores Query", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}]}, {"name": "Windows Indicator Removal Via Rmdir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Windows Modify Registry AuthenticationLevelOverride", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry DisableRemoteDesktopAntiAlias", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry DisableSecuritySettings", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry DontShowUI", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry ProxyEnable", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry ProxyServer", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows MSIExec Spawn WinDBG", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Msiexec"}]}, {"name": "Windows System Reboot CommandLine", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Shutdown/Reboot"}]}, {"name": "Windows System Shutdown CommandLine", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Shutdown/Reboot"}]}, {"name": "Windows WinDBG Spawning AutoIt3", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}]}, {"name": "DarkSide Ransomware", "author": "Bhavin Patel, Splunk", "date": "2021-05-12", "version": 1, "id": "507edc74-13d5-4339-878e-b9114ded1f35", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the DarkSide Ransomware", "references": ["https://www.splunk.com/en_us/blog/security/the-darkside-of-the-ransomware-pipeline.htmlbig-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/", "https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations"], "narrative": "This story addresses Darkside ransomware. This ransomware payload has many similarities to common ransomware however there are certain items particular to it. The creation of a .TXT log that shows every item being encrypted as well as the creation of ransomware notes and files adding a machine ID created based on CRC32 checksum algorithm. This ransomware payload leaves machines in minimal operation level,enough to browse the attackers websites. A customized URI with leaked information is presented to each victim.This is the ransomware payload that shut down the Colonial pipeline. The story is composed of several detection searches covering similar items to other ransomware payloads and those particular to Darkside payload.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1020", "mitre_attack_technique": "Automated Exfiltration", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["Gamaredon Group", "Ke3chang", "Sidewinder", "Tropic Trooper"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1197", "mitre_attack_technique": "BITS Jobs", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": ["APT39", "APT41", "Leviathan", "Patchwork", "Wizard Spider"]}, {"mitre_attack_id": "T1218.003", "mitre_attack_technique": "CMSTP", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group", "MuddyWater"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "Akira", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "Scattered Spider", "TA505"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Command And Control", "Exfiltration", "Credential Access", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Impact", "Lateral Movement"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation", "Actions on Objectives", "Command and Control"]}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Attempted Credential Dump From Registry via Reg exe - Rule", "ESCU - BITSAdmin Download File - Rule", "ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - CertUtil Download With VerifyCtl and Split Arguments - Rule", "ESCU - CMLUA Or CMSTPLUA UAC Bypass - Rule", "ESCU - Cobalt Strike Named Pipes - Rule", "ESCU - Delete ShadowCopy With PowerShell - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect RClone Command-Line Usage - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Detect Renamed RClone - Rule", "ESCU - Extraction of Registry Hives - Rule", "ESCU - Ransomware Notes bulk creation - Rule", "ESCU - SLUI RunAs Elevated - Rule", "ESCU - SLUI Spawning a Process - Rule", "ESCU - Windows Possible Credential Dumping - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Attempted Credential Dump From Registry via Reg exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "BITSAdmin Download File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "BITS Jobs"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "CertUtil Download With VerifyCtl and Split Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "CMLUA Or CMSTPLUA UAC Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "CMSTP"}]}, {"name": "Cobalt Strike Named Pipes", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Delete ShadowCopy With PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}, {"name": "Detect RClone Command-Line Usage", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Automated Exfiltration"}]}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Detect Renamed RClone", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Automated Exfiltration"}]}, {"name": "Extraction of Registry Hives", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Ransomware Notes bulk creation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}, {"name": "SLUI RunAs Elevated", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "SLUI Spawning a Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Windows Possible Credential Dumping", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}]}, {"name": "Data Destruction", "author": "Teoderick Contreras, Splunk", "date": "2023-04-06", "version": 1, "id": "4ae5c0d1-cebd-47d1-bfce-71bf096e38aa", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the data destruction, including deleting files, overwriting files, wiping disk and unrecoverable file encryption. This analytic story may cover several known activities related to malware implants used in geo-political war to wipe disks or files to interrupt the network-wide operation of a targeted organization. Analytics can detect the behavior of \"DoubleZero Destructor\", \"CaddyWiper\", \"AcidRain\", \"AwfulShred\", \"Hermetic Wiper\", \"Swift Slicer\", \"Whisper Gate\" and many more.", "references": ["https://attack.mitre.org/techniques/T1485/", "https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/", "https://www.picussecurity.com/blog/a-brief-history-and-further-technical-analysis-of-sodinokibi-ransomware", "https://www.splunk.com/en_us/blog/security/threat-advisory-strt-ta02-destructive-software.html", "https://www.splunk.com/en_us/blog/security/detecting-hermeticwiper.html", "https://www.splunk.com/en_us/blog/security/threat-update-doublezero-destructor.html", "https://www.splunk.com/en_us/blog/security/threat-update-caddywiper.html", "https://www.splunk.com/en_us/blog/security/strt-ta03-cpe-destructive-software.html", "https://www.splunk.com/en_us/blog/security/threat-update-cyclopsblink.html", "https://www.splunk.com/en_us/blog/security/threat-update-acidrain-wiper.html", "https://www.splunk.com/en_us/blog/security/threat-update-industroyer2.html", "https://www.splunk.com/en_us/blog/security/threat-advisory-swiftslicer-wiper-strt-ta03.html"], "narrative": "Adversaries may partially or completely overwrite the contents of a storage device rendering the data irrecoverable through the storage interface or using 3rd party drivers to directly access disk content like Master Boot Record to wipe it. Some of these attacks were seen in geo-political war to impair the operation of targeted organizations or to interrupt network-wide services.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1059.004", "mitre_attack_technique": "Unix Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT41", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Cinnamon Tempest", "Earth Lusca", "FIN13", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}, {"mitre_attack_id": "T1200", "mitre_attack_technique": "Hardware Additions", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["DarkVishnya"]}, {"mitre_attack_id": "T1059.005", "mitre_attack_technique": "Visual Basic", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT33", "APT37", "APT38", "APT39", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Earth Lusca", "FIN13", "FIN4", "FIN7", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "Transparent Tribe", "Turla", "WIRTE", "Windshift"]}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "APT5", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1588.002", "mitre_attack_technique": "Tool", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT19", "APT28", "APT29", "APT32", "APT33", "APT38", "APT39", "APT41", "Aoqin Dragon", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Carbanak", "Chimera", "Cinnamon Tempest", "Cleaver", "Cobalt Group", "CopyKittens", "DarkHydrus", "DarkVishnya", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN5", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "GALLIUM", "Gorgon Group", "HEXANE", "Inception", "IndigoZebra", "Ke3chang", "Kimsuky", "LAPSUS$", "Lazarus Group", "Leafminer", "LuminousMoth", "Magic Hound", "Metador", "Moses Staff", "MuddyWater", "POLONIUM", "Patchwork", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "TA2541", "TA505", "Threat Group-3390", "Thrip", "Turla", "Volt Typhoon", "WIRTE", "Whitefly", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1547.014", "mitre_attack_technique": "Active Setup", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1562.006", "mitre_attack_technique": "Indicator Blocking", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT41", "APT5"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1027.005", "mitre_attack_technique": "Indicator Removal from Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT3", "Deep Panda", "GALLIUM", "OilRig", "Patchwork", "Turla"]}, {"mitre_attack_id": "T1547.003", "mitre_attack_technique": "Time Providers", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1561.002", "mitre_attack_technique": "Disk Structure Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1561", "mitre_attack_technique": "Disk Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}, {"mitre_attack_id": "T1218.014", "mitre_attack_technique": "MMC", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.012", "mitre_attack_technique": "Print Processors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}, {"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1037.001", "mitre_attack_technique": "Logon Script (Windows)", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "Cobalt Group"]}, {"mitre_attack_id": "T1546.008", "mitre_attack_technique": "Accessibility Features", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT3", "APT41", "Axiom", "Deep Panda", "Fox Kitten"]}, {"mitre_attack_id": "T1497.003", "mitre_attack_technique": "Time Based Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546.012", "mitre_attack_technique": "Image File Execution Options Injection", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1134.001", "mitre_attack_technique": "Token Impersonation/Theft", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "FIN8"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1053.006", "mitre_attack_technique": "Systemd Timers", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.006", "mitre_attack_technique": "Windows Remote Management", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Chimera", "FIN13", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546.002", "mitre_attack_technique": "Screensaver", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT41", "BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Scattered Spider", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1053.003", "mitre_attack_technique": "Cron", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT38", "APT5", "Rocke"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1037", "mitre_attack_technique": "Boot or Logon Initialization Scripts", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "Rocke"]}, {"mitre_attack_id": "T1497", "mitre_attack_technique": "Virtualization/Sandbox Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": ["Darkhotel"]}, {"mitre_attack_id": "T1546.015", "mitre_attack_technique": "Component Object Model Hijacking", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT", "ToddyCat"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}], "mitre_attack_tactics": ["Reconnaissance", "Command And Control", "Initial Access", "Resource Development", "Discovery", "Credential Access", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Impact", "Lateral Movement"], "datamodels": ["Email", "Endpoint"], "kill_chain_phases": ["Reconnaissance", "Delivery", "Actions on Objectives", "Exploitation", "Installation", "Weaponization", "Command and Control"]}, "detection_names": ["ESCU - Email Attachments With Lots Of Spaces - Rule", "ESCU - Suspicious Email Attachment Extensions - Rule", "ESCU - Active Setup Registry Autostart - Rule", "ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - AdsiSearcher Account Discovery - Rule", "ESCU - Any Powershell DownloadFile - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - Attempted Credential Dump From Registry via Reg exe - Rule", "ESCU - Change Default File Association - Rule", "ESCU - Child Processes of Spoolsv exe - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Detect Empire with PowerShell Script Block Logging - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Excessive File Deletion In WinDefender Folder - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Kerberoasting spn request with RC4 encryption - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux Data Destruction Command - Rule", "ESCU - Linux DD File Overwrite - Rule", "ESCU - Linux Deleting Critical Directory Using RM Command - Rule", "ESCU - Linux Deletion Of Cron Jobs - Rule", "ESCU - Linux Deletion Of Init Daemon Script - Rule", "ESCU - Linux Deletion Of Services - Rule", "ESCU - Linux Disable Services - Rule", "ESCU - Linux Hardware Addition SwapOff - Rule", "ESCU - Linux High Frequency Of File Deletion In Boot Folder - Rule", "ESCU - Linux High Frequency Of File Deletion In Etc Folder - Rule", "ESCU - Linux Impair Defenses Process Kill - Rule", "ESCU - Linux Indicator Removal Clear Cache - Rule", "ESCU - Linux Indicator Removal Service File Deletion - Rule", "ESCU - Linux Java Spawning Shell - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Shred Overwrite Command - Rule", "ESCU - Linux Stdout Redirection To Dev Null File - Rule", "ESCU - Linux Stop Services - Rule", "ESCU - Linux System Network Discovery - Rule", "ESCU - Linux System Reboot Via System Request Key - Rule", "ESCU - Linux Unix Shell Enable All SysRq Functions - Rule", "ESCU - Logon Script Event Trigger Execution - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Malicious PowerShell Process With Obfuscation Techniques - Rule", "ESCU - MSI Module Loaded by Non-System Binary - Rule", "ESCU - Overwriting Accessibility Binaries - Rule", "ESCU - Ping Sleep Batch Command - Rule", "ESCU - Possible Lateral Movement PowerShell Spawn - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - PowerShell Domain Enumeration - Rule", "ESCU - Powershell Enable SMB1Protocol Feature - Rule", "ESCU - Powershell Execute COM Object - Rule", "ESCU - Powershell Fileless Process Injection via GetProcAddress - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Powershell Processing Stream Of Data - Rule", "ESCU - Powershell Remove Windows Defender Directory - Rule", "ESCU - Powershell Using memory As Backing Store - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Print Processor Registry Autostart - Rule", "ESCU - Process Deleting Its Process File Path - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Runas Execution in CommandLine - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Screensaver Event Trigger Execution - Rule", "ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule", "ESCU - Suspicious Process DNS Query Known Abuse Web Services - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Process With Discord DNS Query - Rule", "ESCU - Time Provider Persistence Registry - Rule", "ESCU - Unloading AMSI via Reflection - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows Data Destruction Recursive Exec Files Deletion - Rule", "ESCU - Windows Deleted Registry By A Non Critical Process File Path - Rule", "ESCU - Windows Disable Memory Crash Dump - Rule", "ESCU - Windows DotNet Binary in Non Standard Path - Rule", "ESCU - Windows File Without Extension In Critical Folder - Rule", "ESCU - Windows Hidden Schedule Task Settings - Rule", "ESCU - Windows High File Deletion Frequency - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows Linked Policies In ADSI Discovery - Rule", "ESCU - Windows Modify Show Compress Color And Info Tip Registry - Rule", "ESCU - Windows NirSoft AdvancedRun - Rule", "ESCU - Windows NirSoft Utilities - Rule", "ESCU - Windows Processes Killed By Industroyer2 Malware - Rule", "ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - Windows Root Domain linked policies Discovery - Rule", "ESCU - Windows Terminating Lsass Process - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule", "ESCU - WMI Recon Running Process Or Services - Rule", "ESCU - Wscript Or Cscript Suspicious Child Process - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Email Attachments With Lots Of Spaces", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Suspicious Email Attachment Extensions", "source": "application", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}, {"name": "Active Setup Registry Autostart", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Active Setup"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Add or Set Windows Defender Exclusion", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "AdsiSearcher Account Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Attempt To Stop Security Service", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Attempted Credential Dump From Registry via Reg exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Change Default File Association", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Change Default File Association"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Child Processes of Spoolsv exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Detect Empire with PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "ETW Registry Disabled", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Blocking"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Excessive File Deletion In WinDefender Folder", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Kerberoasting spn request with RC4 encryption", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}]}, {"name": "Linux Adding Crontab Using List Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Data Destruction Command", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Linux DD File Overwrite", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Linux Deleting Critical Directory Using RM Command", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Linux Deletion Of Cron Jobs", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Linux Deletion Of Init Daemon Script", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Linux Deletion Of Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Linux Disable Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Service Stop"}]}, {"name": "Linux Hardware Addition SwapOff", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Hardware Additions"}]}, {"name": "Linux High Frequency Of File Deletion In Boot Folder", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Linux High Frequency Of File Deletion In Etc Folder", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Linux Impair Defenses Process Kill", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Linux Indicator Removal Clear Cache", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Linux Indicator Removal Service File Deletion", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Linux Java Spawning Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Linux Service Restarted", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Shred Overwrite Command", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Linux Stdout Redirection To Dev Null File", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Linux Stop Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Service Stop"}]}, {"name": "Linux System Network Discovery", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Network Configuration Discovery"}]}, {"name": "Linux System Reboot Via System Request Key", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Shutdown/Reboot"}]}, {"name": "Linux Unix Shell Enable All SysRq Functions", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Unix Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Logon Script Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Boot or Logon Initialization Scripts"}, {"mitre_attack_technique": "Logon Script (Windows)"}]}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}, {"name": "Malicious PowerShell Process With Obfuscation Techniques", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "MSI Module Loaded by Non-System Binary", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "Overwriting Accessibility Binaries", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "Accessibility Features"}]}, {"name": "Ping Sleep Batch Command", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Virtualization/Sandbox Evasion"}, {"mitre_attack_technique": "Time Based Evasion"}]}, {"name": "Possible Lateral Movement PowerShell Spawn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Remote Management"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "MMC"}]}, {"name": "PowerShell 4104 Hunting", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "PowerShell Domain Enumeration", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Powershell Enable SMB1Protocol Feature", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "Indicator Removal from Tools"}]}, {"name": "Powershell Execute COM Object", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Component Object Model Hijacking"}, {"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Powershell Fileless Process Injection via GetProcAddress", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "PowerShell Loading DotNET into Memory via Reflection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Powershell Processing Stream Of Data", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Powershell Remove Windows Defender Directory", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Powershell Using memory As Backing Store", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Print Processor Registry Autostart", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Process Deleting Its Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Gather Victim Host Information"}]}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Gather Victim Host Information"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Registry Keys Used For Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Image File Execution Options Injection"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Regsvr32 Silent and Install Param Dll Loading", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}, {"name": "Runas Execution in CommandLine", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Access Token Manipulation"}, {"mitre_attack_technique": "Token Impersonation/Theft"}]}, {"name": "Schtasks Run Task On Demand", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Screensaver Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "Screensaver"}]}, {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Suspicious Process DNS Query Known Abuse Web Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Visual Basic"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Suspicious Process With Discord DNS Query", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Visual Basic"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Time Provider Persistence Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Time Providers"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Unloading AMSI via Reflection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}, {"name": "Windows Data Destruction Recursive Exec Files Deletion", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Windows Deleted Registry By A Non Critical Process File Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Disable Memory Crash Dump", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Windows DotNet Binary in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}, {"name": "Windows File Without Extension In Critical Folder", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Windows Hidden Schedule Task Settings", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Windows High File Deletion Frequency", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}, {"name": "Windows Linked Policies In ADSI Discovery", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Windows Modify Show Compress Color And Info Tip Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows NirSoft AdvancedRun", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Tool"}]}, {"name": "Windows NirSoft Utilities", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Tool"}]}, {"name": "Windows Processes Killed By Industroyer2 Malware", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Service Stop"}]}, {"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}, {"name": "Windows Root Domain linked policies Discovery", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Windows Terminating Lsass Process", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Scheduled Task"}]}, {"name": "WMI Recon Running Process Or Services", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Gather Victim Host Information"}]}, {"name": "Wscript Or Cscript Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Parent PID Spoofing"}, {"mitre_attack_technique": "Access Token Manipulation"}]}]}, {"name": "Data Exfiltration", "author": "Bhavin Patel, Shannon Davis, Splunk", "date": "2023-05-17", "version": 2, "id": "66b0fe0c-1351-11eb-adc1-0242ac120002", "description": "Data exfiltration refers to the unauthorized transfer or extraction of sensitive or valuable data from a compromised system or network during a cyber attack. It is a critical phase in many targeted attacks, where adversaries aim to steal confidential information, such as intellectual property, financial records, personal data, or trade secrets.", "references": ["https://attack.mitre.org/tactics/TA0010/", "https://bleemb.medium.com/data-exfiltration-with-native-aws-s3-features-c94ae4d13436", "https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-277a"], "narrative": "This Analytic Story supports you to detect Tactics, Techniques and Procedures (TTPs) leveraged by adversaries to exfiltrate data from your environments. Exfiltration comes in many flavors and its done differently on every environment. Adversaries can collect data over encrypted or non-encrypted channels. They can utilise Command And Control channels that are already in place to exfiltrate data. They can use both standard data transfer protocols such as FTP, SCP, etc to exfiltrate data. Or they can use non-standard protocols such as DNS, ICMP, etc with specially crafted fields to try and circumvent security technologies in place.\nTechniques for getting data out of a target network typically include transferring it over their command and control channel or an alternate channel and may also include putting size limits on the transmission. In context of the cloud, this refers to the unauthorized transfer or extraction of sensitive data from cloud-based systems or services. It involves the compromise of cloud infrastructure or accounts to gain access to valuable information stored in the cloud environment. Attackers may employ various techniques, such as exploiting vulnerabilities, stealing login credentials, or using malicious code to exfiltrate data from cloud repositories or services without detection.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1537", "mitre_attack_technique": "Transfer Data to Cloud Account", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1119", "mitre_attack_technique": "Automated Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "Chimera", "Confucius", "FIN5", "FIN6", "Gamaredon Group", "Ke3chang", "Mustang Panda", "OilRig", "Patchwork", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1114", "mitre_attack_technique": "Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Magic Hound", "Silent Librarian"]}, {"mitre_attack_id": "T1114.003", "mitre_attack_technique": "Email Forwarding Rule", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Kimsuky", "LAPSUS$", "Silent Librarian"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1041", "mitre_attack_technique": "Exfiltration Over C2 Channel", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Chimera", "Confucius", "GALLIUM", "Gamaredon Group", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "LuminousMoth", "MuddyWater", "Sandworm Team", "Stealth Falcon", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1114.001", "mitre_attack_technique": "Local Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "Chimera", "Magic Hound"]}, {"mitre_attack_id": "T1568.002", "mitre_attack_technique": "Domain Generation Algorithms", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "TA551"]}, {"mitre_attack_id": "T1567", "mitre_attack_technique": "Exfiltration Over Web Service", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT28", "Magic Hound"]}], "mitre_attack_tactics": ["Command And Control", "Initial Access", "Collection", "Exfiltration", "Credential Access", "Impact"], "datamodels": ["Web", "Risk", "Endpoint", "Network_Resolution"], "kill_chain_phases": ["Delivery", "Exploitation", "Actions on Objectives", "Command and Control"]}, "detection_names": ["ESCU - AWS AMI Attribute Modification for Exfiltration - Rule", "ESCU - AWS Disable Bucket Versioning - Rule", "ESCU - AWS EC2 Snapshot Shared Externally - Rule", "ESCU - AWS Exfiltration via Anomalous GetObject API Activity - Rule", "ESCU - AWS Exfiltration via Batch Service - Rule", "ESCU - AWS Exfiltration via Bucket Replication - Rule", "ESCU - AWS Exfiltration via DataSync Task - Rule", "ESCU - AWS Exfiltration via EC2 Snapshot - Rule", "ESCU - AWS S3 Exfiltration Behavior Identified - Rule", "ESCU - Gdrive suspicious file sharing - Rule", "ESCU - O365 PST export alert - Rule", "ESCU - O365 Suspicious Admin Email Forwarding - Rule", "ESCU - O365 Suspicious User Email Forwarding - Rule", "ESCU - Detect Certipy File Modifications - Rule", "ESCU - DNS Exfiltration Using Nslookup App - Rule", "ESCU - Excessive Usage of NSLOOKUP App - Rule", "ESCU - Linux Curl Upload File - Rule", "ESCU - Mailsniper Invoke functions - Rule", "ESCU - Detect DGA domains using pretrained model in DSDL - Rule", "ESCU - Detect SNICat SNI Exfiltration - Rule", "ESCU - High Volume of Bytes Out to Url - Rule", "ESCU - Multiple Archive Files Http Post Traffic - Rule", "ESCU - Plain HTTP POST Exfiltrated Data - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Shannon Davis, Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "AWS AMI Attribute Modification for Exfiltration", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}, {"name": "AWS Disable Bucket Versioning", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "AWS EC2 Snapshot Shared Externally", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}, {"name": "AWS Exfiltration via Anomalous GetObject API Activity", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Automated Collection"}]}, {"name": "AWS Exfiltration via Batch Service", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Automated Collection"}]}, {"name": "AWS Exfiltration via Bucket Replication", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}, {"name": "AWS Exfiltration via DataSync Task", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Automated Collection"}]}, {"name": "AWS Exfiltration via EC2 Snapshot", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}, {"name": "AWS S3 Exfiltration Behavior Identified", "source": "cloud", "type": "Correlation", "tags": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}, {"name": "Gdrive suspicious file sharing", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Phishing"}]}, {"name": "O365 PST export alert", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Email Collection"}]}, {"name": "O365 Suspicious Admin Email Forwarding", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Email Forwarding Rule"}, {"mitre_attack_technique": "Email Collection"}]}, {"name": "O365 Suspicious User Email Forwarding", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Email Forwarding Rule"}, {"mitre_attack_technique": "Email Collection"}]}, {"name": "Detect Certipy File Modifications", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}, {"mitre_attack_technique": "Archive Collected Data"}]}, {"name": "DNS Exfiltration Using Nslookup App", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}, {"name": "Excessive Usage of NSLOOKUP App", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}, {"name": "Linux Curl Upload File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Mailsniper Invoke functions", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Email Collection"}, {"mitre_attack_technique": "Local Email Collection"}]}, {"name": "Detect DGA domains using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Domain Generation Algorithms"}]}, {"name": "Detect SNICat SNI Exfiltration", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over C2 Channel"}]}, {"name": "High Volume of Bytes Out to Url", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exfiltration Over Web Service"}]}, {"name": "Multiple Archive Files Http Post Traffic", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}, {"name": "Plain HTTP POST Exfiltrated Data", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}]}, {"name": "Data Protection", "author": "Bhavin Patel, Splunk", "date": "2017-09-14", "version": 1, "id": "91c676cf-0b23-438d-abee-f6335e1fce33", "description": "Fortify your data-protection arsenal--while continuing to ensure data confidentiality and integrity--with searches that monitor for and help you investigate possible signs of data exfiltration.", "references": ["https://www.cisecurity.org/controls/data-protection/", "https://www.sans.org/reading-room/whitepapers/dns/splunk-detect-dns-tunneling-37022", "https://umbrella.cisco.com/blog/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/"], "narrative": "Attackers can leverage a variety of resources to compromise or exfiltrate enterprise data. Common exfiltration techniques include remote-access channels via low-risk, high-payoff active-collections operations and close-access operations using insiders and removable media. While this Analytic Story is not a comprehensive listing of all the methods by which attackers can exfiltrate data, it provides a useful starting point.", "tags": {"category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}], "mitre_attack_tactics": ["Exfiltration"], "datamodels": ["Change_Analysis", "Change", "Network_Resolution"], "kill_chain_phases": ["Actions on Objectives"]}, "detection_names": ["ESCU - Detect USB device insertion - Rule", "ESCU - Detection of DNS Tunnels - Rule", "ESCU - Detect hosts connecting to dynamic domain providers - Rule"], "investigation_names": ["Get DNS Server History for a host", "Get DNS traffic ratio", "Get Notable History", "Get Process Info", "Get Process Responsible For The DNS Traffic"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect USB device insertion", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Detection of DNS Tunnels", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}, {"name": "Detect hosts connecting to dynamic domain providers", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Drive-by Compromise"}]}]}, {"name": "Deobfuscate-Decode Files or Information", "author": "Michael Haag, Splunk", "date": "2021-03-24", "version": 1, "id": "0bd01a54-8cbe-11eb-abcd-acde48001122", "description": "Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis.", "references": ["https://attack.mitre.org/techniques/T1140/"], "narrative": "An example of obfuscated files is `Certutil.exe` usage to encode a portable executable to a certificate file, which is base64 encoded, to hide the originating file. There are many utilities cross-platform to encode using XOR, using compressed .cab files to hide contents and scripting languages that may perform similar native Windows tasks. Triaging an event related will require the capability to review related process events and file modifications. Using a tool such as CyberChef will assist with identifying the encoding that was used, and potentially assist with decoding the contents.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - CertUtil With Decode Argument - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "CertUtil With Decode Argument", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Deobfuscate/Decode Files or Information"}]}]}, {"name": "AWS Cryptomining", "author": "David Dorsey, Splunk", "date": "2018-03-08", "version": 1, "id": "ced74200-8465-4bc3-bd2c-9a782eec6750", "description": "Monitor your AWS EC2 instances for activities related to cryptojacking/cryptomining. New instances that originate from previously unseen regions, users who launch abnormally high numbers of instances, or EC2 instances started by previously unseen users are just a few examples of potentially malicious behavior.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "narrative": "Cryptomining is an intentionally difficult, resource-intensive business. Its complexity was designed into the process to ensure that the number of blocks mined each day would remain steady. So, it's par for the course that ambitious, but unscrupulous, miners make amassing the computing power of large enterprises--a practice known as cryptojacking--a top priority.\nCryptojacking has attracted an increasing amount of media attention since its explosion in popularity in the fall of 2017. The attacks have moved from in-browser exploits and mobile phones to enterprise cloud services, such as Amazon Web Services (AWS). It's difficult to determine exactly how widespread the practice has become, since bad actors continually evolve their ability to escape detection, including employing unlisted endpoints, moderating their CPU usage, and hiding the mining pool's IP address behind a free CDN.\nWhen malicious miners appropriate a cloud instance, often spinning up hundreds of new instances, the costs can become astronomical for the account holder. So, it is critically important to monitor your systems for suspicious activities that could indicate that your network has been infiltrated.\nThis Analytic Story is focused on detecting suspicious new instances in your EC2 environment to help prevent such a disaster. It contains detection searches that will detect when a previously unused instance type or AMI is used. It also contains support searches to build lookup files to ensure proper execution of the detection searches.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Persistence", "Privilege Escalation", "Initial Access", "Defense Evasion"], "datamodels": [], "kill_chain_phases": ["Installation", "Delivery", "Exploitation"]}, "detection_names": ["ESCU - Abnormally High AWS Instances Launched by User - Rule", "ESCU - Abnormally High AWS Instances Launched by User - MLTK - Rule", "ESCU - EC2 Instance Started In Previously Unseen Region - Rule", "ESCU - EC2 Instance Started With Previously Unseen AMI - Rule", "ESCU - EC2 Instance Started With Previously Unseen Instance Type - Rule", "ESCU - EC2 Instance Started With Previously Unseen User - Rule"], "investigation_names": ["AWS Investigate User Activities By ARN", "Get EC2 Instance Details by instanceId", "Get EC2 Launch Details", "Get Logon Rights Modifications For Endpoint", "Get Logon Rights Modifications For User", "Get Notable History", "Investigate AWS activities via region name"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Abnormally High AWS Instances Launched by User", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Accounts"}]}, {"name": "Abnormally High AWS Instances Launched by User - MLTK", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Accounts"}]}, {"name": "EC2 Instance Started In Previously Unseen Region", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}, {"name": "EC2 Instance Started With Previously Unseen AMI", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "EC2 Instance Started With Previously Unseen Instance Type", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "EC2 Instance Started With Previously Unseen User", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Accounts"}]}]}, {"name": "AWS Suspicious Provisioning Activities", "author": "David Dorsey, Splunk", "date": "2018-03-16", "version": 1, "id": "3338b567-3804-4261-9889-cf0ca4753c7f", "description": "Monitor your AWS provisioning activities for behaviors originating from unfamiliar or unusual locations. These behaviors may indicate that malicious activities are occurring somewhere within your network.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "narrative": "Because most enterprise AWS activities originate from familiar geographic locations, monitoring for activity from unknown or unusual regions is an important security measure. This indicator can be especially useful in environments where it is impossible to add specific IPs to an allow list because they vary.\nThis Analytic Story was designed to provide you with flexibility in the precision you employ in specifying legitimate geographic regions. It can be as specific as an IP address or a city, or as broad as a region (think state) or an entire country. By determining how precise you want your geographical locations to be and monitoring for new locations that haven't previously accessed your environment, you can detect adversaries as they begin to probe your environment. Since there are legitimate reasons for activities from unfamiliar locations, this is not a standalone indicator. Nevertheless, location can be a relevant piece of information that you may wish to investigate further.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": [], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - AWS Cloud Provisioning From Previously Unseen City - Rule", "ESCU - AWS Cloud Provisioning From Previously Unseen Country - Rule", "ESCU - AWS Cloud Provisioning From Previously Unseen IP Address - Rule", "ESCU - AWS Cloud Provisioning From Previously Unseen Region - Rule"], "investigation_names": ["AWS Investigate Security Hub alerts by dest", "AWS Investigate User Activities By ARN", "Get All AWS Activity From City", "Get All AWS Activity From Country", "Get All AWS Activity From IP Address", "Get All AWS Activity From Region"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "AWS Cloud Provisioning From Previously Unseen City", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}, {"name": "AWS Cloud Provisioning From Previously Unseen Country", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}, {"name": "AWS Cloud Provisioning From Previously Unseen IP Address", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "AWS Cloud Provisioning From Previously Unseen Region", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}]}, {"name": "Common Phishing Frameworks", "author": "Splunk Research Team, Splunk", "date": "2019-04-29", "version": 1, "id": "9a64ab44-9214-4639-8163-7eaa2621bd61", "description": "Detect DNS and web requests to fake websites generated by the EvilGinx2 toolkit. These websites are designed to fool unwitting users who have clicked on a malicious link in a phishing email. ", "references": ["https://github.com/kgretzky/evilginx2", "https://attack.mitre.org/techniques/T1192/", "https://breakdev.org/evilginx-advanced-phishing-with-two-factor-authentication-bypass/"], "narrative": "As most people know, these emails use fraudulent domains, [email scraping](https://www.cyberscoop.com/emotet-trojan-phishing-scraping-templates-cofense-geodo/), familiar contact names inserted as senders, and other tactics to lure targets into clicking a malicious link, opening an attachment with a [nefarious payload](https://www.cyberscoop.com/emotet-trojan-phishing-scraping-templates-cofense-geodo/), or entering sensitive personal information that perpetrators may intercept. This attack technique requires a relatively low level of skill and allows adversaries to easily cast a wide net. Because phishing is a technique that relies on human psychology, you will never be able to eliminate this vulnerability 100%. But you can use automated detection to significantly reduce the risks.\nThis Analytic Story focuses on detecting signs of MiTM attacks enabled by [EvilGinx2](https://github.com/kgretzky/evilginx2), a toolkit that sets up a transparent proxy between the targeted site and the user. In this way, the attacker is able to intercept credentials and two-factor identification tokens. It employs a proxy template to allow a registered domain to impersonate targeted sites, such as Linkedin, Amazon, Okta, Github, Twitter, Instagram, Reddit, Office 365, and others. It can even register SSL certificates and camouflage them via a URL shortener, making them difficult to detect. Searches in this story look for signs of MiTM attacks enabled by EvilGinx2.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect DNS requests to Phishing Sites leveraging EvilGinx2 - Rule"], "investigation_names": ["Get Certificate logs for a domain"], "baseline_names": [], "author_company": "Splunk", "author_name": "Splunk Research Team", "detections": [{"name": "Detect DNS requests to Phishing Sites leveraging EvilGinx2", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Spearphishing via Service"}]}]}, {"name": "Container Implantation Monitoring and Investigation", "author": "Rod Soto, Rico Valdez, Splunk", "date": "2020-02-20", "version": 1, "id": "aa0e28b1-0521-4b6f-9d2a-7b87e34af246", "description": "Use the searches in this story to monitor your Kubernetes registry repositories for upload, and deployment of potentially vulnerable, backdoor, or implanted containers. These searches provide information on source users, destination path, container names and repository names. The searches provide context to address Mitre T1525 which refers to container implantation upload to a company's repository either in Amazon Elastic Container Registry, Google Container Registry and Azure Container Registry.", "references": ["https://github.com/splunk/cloud-datamodel-security-research"], "narrative": "Container Registrys provide a way for organizations to keep customized images of their development and infrastructure environment in private. However if these repositories are misconfigured or priviledge users credentials are compromise, attackers can potentially upload implanted containers which can be deployed across the organization. These searches allow operator to monitor who, when and what was uploaded to container registry.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": [], "investigation_names": [], "baseline_names": [], "author_company": "Rico Valdez, Splunk", "author_name": "Rod Soto", "detections": []}, {"name": "Host Redirection", "author": "Rico Valdez, Splunk", "date": "2017-09-14", "version": 1, "id": "2e8948a5-5239-406b-b56b-6c50fe268af4", "description": "Detect evidence of tactics used to redirect traffic from a host to a destination other than the one intended--potentially one that is part of an adversary's attack infrastructure. An example is redirecting communications regarding patches and updates or misleading users into visiting a malicious website.", "references": ["https://blog.malwarebytes.com/cybercrime/2016/09/hosts-file-hijacks/"], "narrative": "Attackers will often attempt to manipulate client communications for nefarious purposes. In some cases, an attacker may endeavor to modify a local host file to redirect communications with resources (such as antivirus or system-update services) to prevent clients from receiving patches or updates. In other cases, an attacker might use this tactic to have the client connect to a site that looks like the intended site, but instead installs malware or collects information from the victim. Additionally, an attacker may redirect a victim in order to execute a MITM attack and observe communications.", "tags": {"category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1071.004", "mitre_attack_technique": "DNS", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT39", "APT41", "Chimera", "Cobalt Group", "FIN7", "Ke3chang", "LazyScripter", "OilRig", "Tropic Trooper"]}], "mitre_attack_tactics": ["Command And Control", "Exfiltration"], "datamodels": ["Network_Resolution"], "kill_chain_phases": ["Actions on Objectives", "Command and Control"]}, "detection_names": ["ESCU - Clients Connecting to Multiple DNS Servers - Rule", "ESCU - DNS Query Requests Resolved by Unauthorized DNS Servers - Rule", "ESCU - Windows hosts file modification - Rule"], "investigation_names": ["Get DNS Server History for a host", "Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Clients Connecting to Multiple DNS Servers", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}, {"name": "DNS Query Requests Resolved by Unauthorized DNS Servers", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "DNS"}]}, {"name": "Windows hosts file modification", "source": "deprecated", "type": "TTP", "tags": []}]}, {"name": "Kubernetes Sensitive Role Activity", "author": "Rod Soto, Splunk", "date": "2020-05-20", "version": 1, "id": "8b3984d2-17b6-47e9-ba43-a3376e70fdcc", "description": "This story addresses detection and response around Sensitive Role usage within a Kubernetes clusters against cluster resources and namespaces.", "references": ["https://www.splunk.com/en_us/blog/security/approaching-kubernetes-security-detecting-kubernetes-scan-with-splunk.html"], "narrative": "Kubernetes is the most used container orchestration platform, this orchestration platform contains sensitive roles within its architecture, specifically configmaps and secrets, if accessed by an attacker can lead to further compromise. These searches allow operator to detect suspicious requests against Kubernetes role activities", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Kubernetes AWS detect most active service accounts by pod - Rule", "ESCU - Kubernetes AWS detect RBAC authorization by account - Rule", "ESCU - Kubernetes AWS detect sensitive role access - Rule", "ESCU - Kubernetes Azure active service accounts by pod namespace - Rule", "ESCU - Kubernetes Azure detect RBAC authorization by account - Rule", "ESCU - Kubernetes Azure detect sensitive role access - Rule", "ESCU - Kubernetes GCP detect most active service accounts by pod - Rule", "ESCU - Kubernetes GCP detect RBAC authorizations by account - Rule", "ESCU - Kubernetes GCP detect sensitive role access - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rod Soto", "detections": [{"name": "Kubernetes AWS detect most active service accounts by pod", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes AWS detect RBAC authorization by account", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes AWS detect sensitive role access", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes Azure active service accounts by pod namespace", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes Azure detect RBAC authorization by account", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes Azure detect sensitive role access", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes GCP detect most active service accounts by pod", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes GCP detect RBAC authorizations by account", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes GCP detect sensitive role access", "source": "deprecated", "type": "Hunting", "tags": []}]}, {"name": "Lateral Movement", "author": "David Dorsey, Splunk", "date": "2020-02-04", "version": 2, "id": "399d65dc-1f08-499b-a259-abd9051f38ad", "description": " DEPRECATED IN FAVOR OF ACTIVE DIRECTORY LATERAL MOVEMENT. Detect and investigate tactics, techniques, and procedures around how attackers move laterally within the enterprise. Because lateral movement can expose the adversary to detection, it should be an important focus for security analysts.", "references": ["https://www.fireeye.com/blog/executive-perspective/2015/08/malware_lateral_move.html"], "narrative": "Once attackers gain a foothold within an enterprise, they will seek to expand their accesses and leverage techniques that facilitate lateral movement. Attackers will often spend quite a bit of time and effort moving laterally. Because lateral movement renders an attacker the most vulnerable to detection, it's an excellent focus for detection and investigation. Indications of lateral movement can include the abuse of system utilities (such as `psexec.exe`), unauthorized use of remote desktop services, `file/admin$` shares, WMI, PowerShell, pass-the-hash, or the abuse of scheduled tasks. Organizations must be extra vigilant in detecting lateral movement techniques and look for suspicious activity in and around high-value strategic network assets, such as Active Directory, which are often considered the primary target or \"crown jewels\" to a persistent threat actor. An adversary can use lateral movement for multiple purposes, including remote execution of tools, pivoting to additional systems, obtaining access to specific information or files, access to additional credentials, exfiltrating data, or delivering a secondary effect. Adversaries may use legitimate credentials alongside inherent network and operating-system functionality to remotely connect to other systems and remain under the radar of network defenders. If there is evidence of lateral movement, it is imperative for analysts to collect evidence of the associated offending hosts. For example, an attacker might leverage host A to gain access to host B. From there, the attacker may try to move laterally to host C. In this example, the analyst should gather as much information as possible from all three hosts. It is also important to collect authentication logs for each host, to ensure that the offending accounts are well-documented. Analysts should account for all processes to ensure that the attackers did not install unauthorized software.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": [], "investigation_names": ["Get History Of Email Sources", "Get Notable History", "Get Parent Process Info", "Get Process Info", "Get Process Information For Port Activity"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": []}, {"name": "Monitor Backup Solution", "author": "David Dorsey, Splunk", "date": "2017-09-12", "version": 1, "id": "abe807c7-1eb6-4304-ac32-6e7aacdb891d", "description": "Address common concerns when monitoring your backup processes. These searches can help you reduce risks from ransomware, device theft, or denial of physical access to a host by backing up data on endpoints.", "references": ["https://www.carbonblack.com/2016/03/04/tracking-locky-ransomware-using-carbon-black/"], "narrative": "Having backups is a standard best practice that helps ensure continuity of business operations. Having mature backup processes can also help you reduce the risks of many security-related incidents and streamline your response processes. The detection searches in this Analytic Story will help you identify systems that have backup failures, as well as systems that have not been backed up for an extended period of time. The story will also return the notable event history and all of the backup logs for an endpoint.", "tags": {"category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Compliance", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Extended Period Without Successful Netbackup Backups - Rule", "ESCU - Unsuccessful Netbackup backups - Rule"], "investigation_names": ["All backup logs for host", "Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Extended Period Without Successful Netbackup Backups", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Unsuccessful Netbackup backups", "source": "deprecated", "type": "Hunting", "tags": []}]}, {"name": "Monitor for Unauthorized Software", "author": "David Dorsey, Splunk", "date": "2017-09-15", "version": 1, "id": "8892a655-6205-43f7-abba-06460e38c8ae", "description": "Identify and investigate prohibited/unauthorized software or processes that may be concealing malicious behavior within your environment. ", "references": ["https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"], "narrative": "It is critical to identify unauthorized software and processes running on enterprise endpoints and determine whether they are likely to be malicious. This Analytic Story requires the user to populate the Interesting Processes table within Enterprise Security with prohibited processes. An included support search will augment this data, adding information on processes thought to be malicious. This search requires data from endpoint detection-and-response solutions, endpoint data sources (such as Sysmon), or Windows Event Logs--assuming that the Active Directory administrator has enabled process tracking within the System Event Audit Logs.\nIt is important to investigate any software identified as suspicious, in order to understand how it was installed or executed. Analyzing authentication logs or any historic notable events might elicit additional investigative leads of interest. For best results, schedule the search to run every two weeks. ", "tags": {"category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Compliance", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Prohibited Software On Endpoint - Rule", "ESCU - Attacker Tools On Endpoint - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Prohibited Software On Endpoint", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Attacker Tools On Endpoint", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Match Legitimate Name or Location"}, {"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "Active Scanning"}]}]}, {"name": "Office 365 Detections", "author": "Patrick Bareiss, Mauricio Velazco, Splunk", "date": "2020-12-16", "version": 2, "id": "1a51dd71-effc-48b2-abc4-3e9cdb61e5b9", "description": "Monitor for activities and anomalies indicative of potential threats within Office 365 environments.", "references": ["https://i.blackhat.com/USA-20/Thursday/us-20-Bienstock-My-Cloud-Is-APTs-Cloud-Investigating-And-Defending-Office-365.pdf", "https://attack.mitre.org/matrices/enterprise/cloud/office365/", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-120a"], "narrative": "Office 365 (O365) is Microsoft's cloud-based suite of productivity tools, encompassing email, collaboration platforms, and office applications, all integrated with Azure Active Directory for identity and access management. Given the centralized storage of sensitive organizational data within O365 and its widespread adoption, it has become a focal point for cybersecurity efforts. The platform's complexity, combined with its ubiquity, makes it both a valuable asset and a prime target for potential threats. As O365's importance grows, it increasingly becomes a target for attackers seeking to exploit organizational data and systems. Security teams should prioritize monitoring O365 not just because of the sensitive data it often holds, but also due to the myriad ways the platform can be exploited. Understanding and monitoring O365's security landscape is crucial for organizations to detect, respond to, and mitigate potential threats in a timely manner.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": [], "investigation_names": [], "baseline_names": [], "author_company": "Mauricio Velazco, Splunk", "author_name": "Patrick Bareiss", "detections": []}, {"name": "Spectre And Meltdown Vulnerabilities", "author": "David Dorsey, Splunk", "date": "2018-01-08", "version": 1, "id": "6d3306f6-bb2b-4219-8609-8efad64032f2", "description": "Assess and mitigate your systems' vulnerability to Spectre and Meltdown exploitation with the searches in this Analytic Story.", "references": ["https://meltdownattack.com/"], "narrative": "Meltdown and Spectre exploit critical vulnerabilities in modern CPUs that allow unintended access to data in memory. This Analytic Story will help you identify the systems can be patched for these vulnerabilities, as well as those that still need to be patched.", "tags": {"category": ["Vulnerability"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Spectre and Meltdown Vulnerable Systems - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Spectre and Meltdown Vulnerable Systems", "source": "deprecated", "type": "TTP", "tags": []}]}, {"name": "Suspicious AWS EC2 Activities", "author": "Bhavin Patel, Splunk", "date": "2018-02-09", "version": 1, "id": "2e8948a5-5239-406b-b56b-6c50f1268af3", "description": "Use the searches in this Analytic Story to monitor your AWS EC2 instances for evidence of anomalous activity and suspicious behaviors, such as EC2 instances that originate from unusual locations or those launched by previously unseen users (among others). Included investigative searches will help you probe more deeply, when the information warrants it.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "narrative": "AWS CloudTrail is an AWS service that helps you enable governance, compliance, and risk auditing within your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. It is crucial for a company to monitor events and actions taken in the AWS Console, AWS command-line interface, and AWS SDKs and APIs to ensure that your EC2 instances are not vulnerable to attacks. This Analytic Story identifies suspicious activities in your AWS EC2 instances and helps you respond and investigate those activities.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Persistence", "Privilege Escalation", "Initial Access", "Defense Evasion"], "datamodels": [], "kill_chain_phases": ["Installation", "Delivery", "Exploitation"]}, "detection_names": ["ESCU - Abnormally High AWS Instances Launched by User - Rule", "ESCU - Abnormally High AWS Instances Launched by User - MLTK - Rule", "ESCU - Abnormally High AWS Instances Terminated by User - Rule", "ESCU - Abnormally High AWS Instances Terminated by User - MLTK - Rule", "ESCU - EC2 Instance Started In Previously Unseen Region - Rule", "ESCU - EC2 Instance Started With Previously Unseen User - Rule"], "investigation_names": ["AWS Investigate Security Hub alerts by dest", "AWS Investigate User Activities By ARN", "Get EC2 Instance Details by instanceId", "Get EC2 Launch Details", "Get Notable History", "Investigate AWS activities via region name"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Abnormally High AWS Instances Launched by User", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Accounts"}]}, {"name": "Abnormally High AWS Instances Launched by User - MLTK", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Accounts"}]}, {"name": "Abnormally High AWS Instances Terminated by User", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Accounts"}]}, {"name": "Abnormally High AWS Instances Terminated by User - MLTK", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Accounts"}]}, {"name": "EC2 Instance Started In Previously Unseen Region", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}, {"name": "EC2 Instance Started With Previously Unseen User", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Accounts"}]}]}, {"name": "Unusual AWS EC2 Modifications", "author": "David Dorsey, Splunk", "date": "2018-04-09", "version": 1, "id": "73de57ef-0dfc-411f-b1e7-fa24428aeae0", "description": "Identify unusual changes to your AWS EC2 instances that may indicate malicious activity. Modifications to your EC2 instances by previously unseen users is an example of an activity that may warrant further investigation.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "narrative": "A common attack technique is to infiltrate a cloud instance and make modifications. The adversary can then secure access to your infrastructure or hide their activities. So it's important to stay alert to changes that may indicate that your environment has been compromised.\nSearches within this Analytic Story can help you detect the presence of a threat by monitoring for EC2 instances that have been created or changed--either by users that have never previously performed these activities or by known users who modify or create instances in a way that have not been done before. This story also provides investigative searches that help you go deeper once you detect suspicious behavior.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - EC2 Instance Modified With Previously Unseen User - Rule"], "investigation_names": ["AWS Investigate User Activities By ARN", "Get EC2 Instance Details by instanceId", "Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "EC2 Instance Modified With Previously Unseen User", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Accounts"}]}]}, {"name": "Web Fraud Detection", "author": "Jim Apger, Splunk", "date": "2018-10-08", "version": 1, "id": "18bb45b9-7684-45c6-9e97-1fdd0d98c0a7", "description": "Monitor your environment for activity consistent with common attack techniques bad actors use when attempting to compromise web servers or other web-related assets.", "references": ["https://www.fbi.gov/scams-and-safety/common-fraud-schemes/internet-fraud", "https://www.fbi.gov/news/stories/2017-internet-crime-report-released-050718"], "narrative": "The Federal Bureau of Investigations (FBI) defines Internet fraud as the use of Internet services or software with Internet access to defraud victims or to otherwise take advantage of them. According to the Bureau, Internet crime schemes are used to steal millions of dollars each year from victims and continue to plague the Internet through various methods. The agency includes phishing scams, data breaches, Denial of Service (DOS) attacks, email account compromise, malware, spoofing, and ransomware in this category.\nThese crimes are not the fraud itself, but rather the attack techniques commonly employed by fraudsters in their pursuit of data that enables them to commit malicious actssuch as obtaining and using stolen credit cards. They represent a serious problem that is steadily increasing and not likely to go away anytime soon.\nWhen developing a strategy for preventing fraud in your environment, its important to look across all of your web services for evidence that attackers are abusing enterprise resources to enumerate systems, harvest data for secondary fraudulent activity, or abuse terms of service.This Analytic Story looks for evidence of common Internet attack techniques that could be indicative of web fraud in your environmentincluding account harvesting, anomalous user clickspeed, and password sharing across accounts, to name just a few.\nThe account-harvesting search focuses on web pages used for user-account registration. It detects the creation of a large number of user accounts using the same email domain name, a type of activity frequently seen in advance of a fraud campaign.\nThe anomalous clickspeed search looks for users who are moving through your website at a faster-than-normal speed or with a perfect click cadence (high periodicity or low standard deviation), which could indicate that the user is a script, not an actual human.\nAnother search detects incidents wherein a single password is used across multiple accounts, which may indicate that a fraudster has infiltrated your environment and embedded a common password within a script.", "tags": {"category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Fraud Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider", "Scattered Spider"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Persistence", "Privilege Escalation", "Initial Access", "Defense Evasion"], "datamodels": [], "kill_chain_phases": ["Installation", "Delivery", "Exploitation"]}, "detection_names": ["ESCU - Web Fraud - Account Harvesting - Rule", "ESCU - Web Fraud - Anomalous User Clickspeed - Rule", "ESCU - Web Fraud - Password Sharing Across Accounts - Rule"], "investigation_names": ["Get Emails From Specific Sender", "Get Notable History", "Get Web Session Information via session id"], "baseline_names": [], "author_company": "Splunk", "author_name": "Jim Apger", "detections": [{"name": "Web Fraud - Account Harvesting", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Create Account"}]}, {"name": "Web Fraud - Anomalous User Clickspeed", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "Web Fraud - Password Sharing Across Accounts", "source": "deprecated", "type": "Anomaly", "tags": []}]}, {"name": "Detect Zerologon Attack", "author": "Rod Soto, Jose Hernandez, Stan Miskowicz, David Dorsey, Shannon Davis Splunk", "date": "2020-09-18", "version": 1, "id": "5d14a962-569e-4578-939f-f386feb63ce4", "description": "Uncover activity related to the execution of Zerologon CVE-2020-11472, a technique wherein attackers target a Microsoft Windows Domain Controller to reset its computer account password. The result from this attack is attackers can now provide themselves high privileges and take over Domain Controller. The included searches in this Analytic Story are designed to identify attempts to reset Domain Controller Computer Account via exploit code remotely or via the use of tool Mimikatz as payload carrier.", "references": ["https://attack.mitre.org/wiki/Technique/T1003", "https://github.com/SecuraBV/CVE-2020-1472", "https://www.secura.com/blog/zero-logon", "https://nvd.nist.gov/vuln/detail/CVE-2020-1472"], "narrative": "This attack is a privilege escalation technique, where attacker targets a Netlogon secure channel connection to a domain controller, using Netlogon Remote Protocol (MS-NRPC). This vulnerability exposes vulnerable Windows Domain Controllers to be targeted via unaunthenticated RPC calls which eventually reset Domain Contoller computer account ($) providing the attacker the opportunity to exfil domain controller credential secrets and assign themselve high privileges that can lead to domain controller and potentially complete network takeover. The detection searches in this Analytic Story use Windows Event viewer events and Sysmon events to detect attack execution, these searches monitor access to the Local Security Authority Subsystem Service (LSASS) process which is an indicator of the use of Mimikatz tool which has bee updated to carry this attack payload.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1210", "mitre_attack_technique": "Exploitation of Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "Dragonfly", "Earth Lusca", "FIN7", "Fox Kitten", "MuddyWater", "Threat Group-3390", "Tonto Team", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Lateral Movement", "Credential Access"], "datamodels": [], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Detect Computer Changed with Anonymous Account - Rule", "ESCU - Detect Credential Dumping through LSASS access - Rule", "ESCU - Windows Possible Credential Dumping - Rule", "ESCU - Detect Zerologon via Zeek - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Jose Hernandez, Stan Miskowicz, David Dorsey, Shannon Davis Splunk", "author_name": "Rod Soto", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Detect Computer Changed with Anonymous Account", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Exploitation of Remote Services"}]}, {"name": "Detect Credential Dumping through LSASS access", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Windows Possible Credential Dumping", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Detect Zerologon via Zeek", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}]}, {"name": "Dev Sec Ops", "author": "Patrick Bareiss, Splunk", "date": "2021-08-18", "version": 1, "id": "0ca8c38e-631e-4b81-940c-f9c5450ce41e", "description": "This story is focused around detecting attacks on a DevSecOps lifeccycle which consists of the phases plan, code, build, test, release, deploy, operate and monitor.", "references": ["https://www.redhat.com/en/topics/devops/what-is-devsecops"], "narrative": "DevSecOps is a collaborative framework, which thinks about application and infrastructure security from the start. This means that security tools are part of the continuous integration and continuous deployment pipeline. In this analytics story, we focused on detections around the tools used in this framework such as GitHub as a version control system, GDrive for the documentation, CircleCI as the CI/CD pipeline, Kubernetes as the container execution engine and multiple security tools such as Semgrep and Kube-Hunter.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204.003", "mitre_attack_technique": "Malicious Image", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1554", "mitre_attack_technique": "Compromise Host Software Binary", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT5"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1195.002", "mitre_attack_technique": "Compromise Software Supply Chain", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT41", "Cobalt Group", "Dragonfly", "FIN7", "GOLD SOUTHFIELD", "Sandworm Team", "Threat Group-3390"]}, {"mitre_attack_id": "T1567.002", "mitre_attack_technique": "Exfiltration to Cloud Storage", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["Akira", "Chimera", "Cinnamon Tempest", "Confucius", "Earth Lusca", "FIN7", "HAFNIUM", "HEXANE", "Kimsuky", "Leviathan", "LuminousMoth", "POLONIUM", "Scattered Spider", "Threat Group-3390", "ToddyCat", "Turla", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1526", "mitre_attack_technique": "Cloud Service Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1195", "mitre_attack_technique": "Supply Chain Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1199", "mitre_attack_technique": "Trusted Relationship", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "GOLD SOUTHFIELD", "LAPSUS$", "POLONIUM", "Sandworm Team", "Threat Group-3390", "menuPass"]}, {"mitre_attack_id": "T1195.001", "mitre_attack_technique": "Compromise Software Dependencies and Development Tools", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1567", "mitre_attack_technique": "Exfiltration Over Web Service", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT28", "Magic Hound"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1212", "mitre_attack_technique": "Exploitation for Credential Access", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Exfiltration", "Initial Access", "Discovery", "Credential Access", "Persistence", "Execution"], "datamodels": ["Risk"], "kill_chain_phases": ["Installation", "Delivery", "Actions on Objectives", "Exploitation"]}, "detection_names": ["ESCU - ASL AWS ECR Container Upload Outside Business Hours - Rule", "ESCU - ASL AWS ECR Container Upload Unknown User - Rule", "ESCU - AWS ECR Container Scanning Findings High - Rule", "ESCU - AWS ECR Container Scanning Findings Low Informational Unknown - Rule", "ESCU - AWS ECR Container Scanning Findings Medium - Rule", "ESCU - AWS ECR Container Upload Outside Business Hours - Rule", "ESCU - AWS ECR Container Upload Unknown User - Rule", "ESCU - Circle CI Disable Security Job - Rule", "ESCU - Circle CI Disable Security Step - Rule", "ESCU - GitHub Actions Disable Security Workflow - Rule", "ESCU - Github Commit Changes In Master - Rule", "ESCU - Github Commit In Develop - Rule", "ESCU - GitHub Dependabot Alert - Rule", "ESCU - GitHub Pull Request from Unknown User - Rule", "ESCU - Gsuite Drive Share In External Email - Rule", "ESCU - GSuite Email Suspicious Attachment - Rule", "ESCU - Gsuite Email Suspicious Subject With Attachment - Rule", "ESCU - Gsuite Email With Known Abuse Web Service Link - Rule", "ESCU - Gsuite Outbound Email With Attachment To External Domain - Rule", "ESCU - Gsuite Suspicious Shared File Name - Rule", "ESCU - Kubernetes Nginx Ingress LFI - Rule", "ESCU - Kubernetes Nginx Ingress RFI - Rule", "ESCU - Kubernetes Scanner Image Pulling - Rule", "ESCU - Risk Rule for Dev Sec Ops by Repository - Rule", "ESCU - Correlation by Repository and Risk - Rule", "ESCU - Correlation by User and Risk - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Patrick Bareiss", "detections": [{"name": "ASL AWS ECR Container Upload Outside Business Hours", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Malicious Image"}, {"mitre_attack_technique": "User Execution"}]}, {"name": "ASL AWS ECR Container Upload Unknown User", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Malicious Image"}, {"mitre_attack_technique": "User Execution"}]}, {"name": "AWS ECR Container Scanning Findings High", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Malicious Image"}, {"mitre_attack_technique": "User Execution"}]}, {"name": "AWS ECR Container Scanning Findings Low Informational Unknown", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Malicious Image"}, {"mitre_attack_technique": "User Execution"}]}, {"name": "AWS ECR Container Scanning Findings Medium", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Malicious Image"}, {"mitre_attack_technique": "User Execution"}]}, {"name": "AWS ECR Container Upload Outside Business Hours", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Malicious Image"}, {"mitre_attack_technique": "User Execution"}]}, {"name": "AWS ECR Container Upload Unknown User", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Malicious Image"}, {"mitre_attack_technique": "User Execution"}]}, {"name": "Circle CI Disable Security Job", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Compromise Host Software Binary"}]}, {"name": "Circle CI Disable Security Step", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Compromise Host Software Binary"}]}, {"name": "GitHub Actions Disable Security Workflow", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Compromise Software Supply Chain"}, {"mitre_attack_technique": "Supply Chain Compromise"}]}, {"name": "Github Commit Changes In Master", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Trusted Relationship"}]}, {"name": "Github Commit In Develop", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Trusted Relationship"}]}, {"name": "GitHub Dependabot Alert", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Compromise Software Dependencies and Development Tools"}, {"mitre_attack_technique": "Supply Chain Compromise"}]}, {"name": "GitHub Pull Request from Unknown User", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Compromise Software Dependencies and Development Tools"}, {"mitre_attack_technique": "Supply Chain Compromise"}]}, {"name": "Gsuite Drive Share In External Email", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exfiltration to Cloud Storage"}, {"mitre_attack_technique": "Exfiltration Over Web Service"}]}, {"name": "GSuite Email Suspicious Attachment", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}, {"name": "Gsuite Email Suspicious Subject With Attachment", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}, {"name": "Gsuite Email With Known Abuse Web Service Link", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}, {"name": "Gsuite Outbound Email With Attachment To External Domain", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}, {"name": "Gsuite Suspicious Shared File Name", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}, {"name": "Kubernetes Nginx Ingress LFI", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploitation for Credential Access"}]}, {"name": "Kubernetes Nginx Ingress RFI", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploitation for Credential Access"}]}, {"name": "Kubernetes Scanner Image Pulling", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Cloud Service Discovery"}]}, {"name": "Risk Rule for Dev Sec Ops by Repository", "source": "cloud", "type": "Correlation", "tags": [{"mitre_attack_technique": "Malicious Image"}, {"mitre_attack_technique": "User Execution"}]}, {"name": "Correlation by Repository and Risk", "source": "deprecated", "type": "Correlation", "tags": [{"mitre_attack_technique": "Malicious Image"}, {"mitre_attack_technique": "User Execution"}]}, {"name": "Correlation by User and Risk", "source": "deprecated", "type": "Correlation", "tags": [{"mitre_attack_technique": "Malicious Image"}, {"mitre_attack_technique": "User Execution"}]}]}, {"name": "DHS Report TA18-074A", "author": "Rico Valdez, Splunk", "date": "2020-01-22", "version": 2, "id": "0c016e5c-88be-4e2c-8c6c-c2b55b4fb4ef", "description": "Monitor for suspicious activities associated with DHS Technical Alert US-CERT TA18-074A. Some of the activities that adversaries used in these compromises included spearfishing attacks, malware, watering-hole domains, many and more.", "references": ["https://www.us-cert.gov/ncas/alerts/TA18-074A"], "narrative": "The frequency of nation-state cyber attacks has increased significantly over the last decade. Employing numerous tactics and techniques, these attacks continue to escalate in complexity.\nThere is a wide range of motivations for these state-sponsored hacks, including stealing valuable corporate, military, or diplomatic dataѿall of which could confer advantages in various arenas. They may also target critical infrastructure.\nOne joint Technical Alert (TA) issued by the Department of Homeland and the FBI in mid-March of 2018 attributed some cyber activity targeting utility infrastructure to operatives sponsored by the Russian government. The hackers executed spearfishing attacks, installed malware, employed watering-hole domains, and more. While they caused no physical damage, the attacks provoked fears that a nation-state could turn off water, redirect power, or compromise a nuclear power plant.\nSuspicious activities--spikes in SMB traffic, processes that launch netsh (to modify the network configuration), suspicious registry modifications, and many more--may all be events you may wish to investigate further. While the use of these technique may be an indication that a nation-state actor is attempting to compromise your environment, it is important to note that these techniques are often employed by other groups, as well.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1071.002", "mitre_attack_technique": "File Transfer Protocols", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Dragonfly", "Kimsuky", "SilverTerrier"]}, {"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "APT5", "Dragonfly", "FIN13", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT", "Wizard Spider"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider", "Scattered Spider"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Magic Hound", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT", "ToddyCat"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Command And Control", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Lateral Movement"], "datamodels": ["Network_Traffic", "Endpoint"], "kill_chain_phases": ["Installation", "Exploitation", "Command and Control"]}, "detection_names": ["ESCU - First time seen command line argument - Rule", "ESCU - Create local admin accounts using net exe - Rule", "ESCU - Detect New Local Admin account - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule", "ESCU - Processes launching netsh - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Single Letter Process On Endpoint - Rule", "ESCU - Suspicious Reg exe Process - Rule", "ESCU - Detect Outbound SMB Traffic - Rule", "ESCU - SMB Traffic Spike - Rule", "ESCU - SMB Traffic Spike - MLTK - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process File Activity", "Get Process Info", "Get Process Information For Port Activity"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "First time seen command line argument", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Windows Command Shell"}]}, {"name": "Create local admin accounts using net exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}, {"name": "Detect New Local Admin account", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Malicious PowerShell Process - Execution Policy Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Processes launching netsh", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Single Letter Process On Endpoint", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "User Execution"}, {"mitre_attack_technique": "Malicious File"}]}, {"name": "Suspicious Reg exe Process", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Detect Outbound SMB Traffic", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "File Transfer Protocols"}, {"mitre_attack_technique": "Application Layer Protocol"}]}, {"name": "SMB Traffic Spike", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "SMB Traffic Spike - MLTK", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Remote Services"}]}]}, {"name": "Disabling Security Tools", "author": "Rico Valdez, Splunk", "date": "2020-02-04", "version": 2, "id": "fcc27099-46a0-46b0-a271-5c7dab56b6f1", "description": "Looks for activities and techniques associated with the disabling of security tools on a Windows system, such as suspicious `reg.exe` processes, processes launching netsh, and many others.", "references": ["https://attack.mitre.org/wiki/Technique/T1089", "https://blog.malwarebytes.com/cybercrime/2015/11/vonteera-adware-uses-certificates-to-disable-anti-malware/", "https://web.archive.org/web/20220425194457/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Tools-Report.pdf"], "narrative": "Attackers employ a variety of tactics in order to avoid detection and operate without barriers. This often involves modifying the configuration of security tools to get around them or explicitly disabling them to prevent them from running. This Analytic Story includes searches that look for activity consistent with attackers attempting to disable various security mechanisms. Such activity may involve monitoring for suspicious registry activity, as this is where much of the configuration for Windows and various other programs reside, or explicitly attempting to shut down security-related services. Other times, attackers attempt various tricks to prevent specific programs from running, such as adding the certificates with which the security tools are signed to a block list (which would prevent them from running).", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1553.004", "mitre_attack_technique": "Install Root Certificate", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT", "ToddyCat"]}, {"mitre_attack_id": "T1553", "mitre_attack_technique": "Subvert Trust Controls", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Axiom"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}], "mitre_attack_tactics": ["Persistence", "Defense Evasion", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - Attempt To Add Certificate To Untrusted Store - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - Processes launching netsh - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Suspicious Reg exe Process - Rule", "ESCU - Unload Sysmon Filter Driver - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Attempt To Add Certificate To Untrusted Store", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Install Root Certificate"}, {"mitre_attack_technique": "Subvert Trust Controls"}]}, {"name": "Attempt To Stop Security Service", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Processes launching netsh", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Suspicious Reg exe Process", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Unload Sysmon Filter Driver", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "System Network Connections Discovery"}, {"mitre_attack_technique": "System Owner/User Discovery"}, {"mitre_attack_technique": "System Shutdown/Reboot"}, {"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}]}, {"name": "DNS Amplification Attacks", "author": "Bhavin Patel, Splunk", "date": "2016-09-13", "version": 1, "id": "a563972b-d2e2-4978-b6ca-6e83e24af4d3", "description": "DNS poses a serious threat as a Denial of Service (DOS) amplifier, if it responds to `ANY` queries. This Analytic Story can help you detect attackers who may be abusing your company's DNS infrastructure to launch amplification attacks, causing Denial of Service to other victims.", "references": ["https://www.us-cert.gov/ncas/alerts/TA13-088A", "https://www.imperva.com/learn/application-security/dns-amplification/"], "narrative": "The Domain Name System (DNS) is the protocol used to map domain names to IP addresses. It has been proven to work very well for its intended function. However if DNS is misconfigured, servers can be abused by attackers to levy amplification or redirection attacks against victims. Because DNS responses to `ANY` queries are so much larger than the queries themselves--and can be made with a UDP packet, which does not require a handshake--attackers can spoof the source address of the packet and cause much more data to be sent to the victim than if they sent the traffic themselves. The `ANY` requests are will be larger than normal DNS server requests, due to the fact that the server provides significant details, such as MX records and associated IP addresses. A large volume of this traffic can result in a DOS on the victim's machine. This misconfiguration leads to two possible victims, the first being the DNS servers participating in an attack and the other being the hosts that are the targets of the DOS attack.\nThe search in this story can help you to detect if attackers are abusing your company's DNS infrastructure to launch DNS amplification attacks causing Denial of Service to other victims.", "tags": {"category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Large Volume of DNS ANY Queries - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Large Volume of DNS ANY Queries", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Network Denial of Service"}, {"mitre_attack_technique": "Reflection Amplification"}]}]}, {"name": "DNS Hijacking", "author": "Bhavin Patel, Splunk", "date": "2020-02-04", "version": 1, "id": "8169f17b-ef68-4b59-aa28-586907301221", "description": "Secure your environment against DNS hijacks with searches that help you detect and investigate unauthorized changes to DNS records.", "references": ["https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", "https://umbrella.cisco.com/blog/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/", "http://www.noip.com/blog/2014/07/11/dynamic-dns-can-use-2/", "https://www.splunk.com/blog/2015/08/04/detecting-dynamic-dns-domains-in-splunk.html"], "narrative": "Dubbed the Achilles heel of the Internet (see https://www.f5.com/labs/articles/threat-intelligence/dns-is-still-the-achilles-heel-of-the-internet-25613), DNS plays a critical role in routing web traffic but is notoriously vulnerable to attack. One reason is its distributed nature. It relies on unstructured connections between millions of clients and servers over inherently insecure protocols.\nThe gravity and extent of the importance of securing DNS from attacks is undeniable. The fallout of compromised DNS can be disastrous. Not only can hackers bring down an entire business, they can intercept confidential information, emails, and login credentials, as well.\nOn January 22, 2019, the US Department of Homeland Security 2019's Cybersecurity and Infrastructure Security Agency (CISA) raised awareness of some high-profile DNS hijacking attacks against infrastructure, both in the United States and abroad. It issued Emergency Directive 19-01 (see https://cyber.dhs.gov/ed/19-01/), which summarized the activity and required government agencies to take the following four actions, all within 10 days:\n1. For all .gov or other agency-managed domains, audit public DNS records on all authoritative and secondary DNS servers, verify that they resolve to the intended location or report them to CISA.\n1. Update the passwords for all accounts on systems that can make changes to each agency 2019's DNS records.\n1. Implement multi-factor authentication (MFA) for all accounts on systems that can make changes to each agency's 2019 DNS records or, if impossible, provide CISA with the names of systems, the reasons why MFA cannot be enabled within the required timeline, and an ETA for when it can be enabled.\n1. CISA will begin regular delivery of newly added certificates to Certificate Transparency (CT) logs for agency domains via the Cyber Hygiene service. Upon receipt, agencies must immediately begin monitoring CT log data for certificates issued that they did not request. If an agency confirms that a certificate was unauthorized, it must report the certificate to the issuing certificate authority and to CISA. Of course, it makes sense to put equivalent actions in place within your environment, as well.\nIn DNS hijacking, the attacker assumes control over an account or makes use of a DNS service exploit to make changes to DNS records. Once they gain access, attackers can substitute their own MX records, name-server records, and addresses, redirecting emails and traffic through their infrastructure, where they can read, copy, or modify information seen. They can also generate valid encryption certificates to help them avoid browser-certificate checks. In one notable attack on the Internet service provider, GoDaddy, the hackers altered Sender Policy Framework (SPF) records a relatively minor change that did not inflict excessive damage but allowed for more effective spam campaigns.\nThe searches in this Analytic Story help you detect and investigate activities that may indicate that DNS hijacking has taken place within your environment.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "Mustard Tempest", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}, {"mitre_attack_id": "T1568.002", "mitre_attack_technique": "Domain Generation Algorithms", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "TA551"]}, {"mitre_attack_id": "T1071.004", "mitre_attack_technique": "DNS", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT39", "APT41", "Chimera", "Cobalt Group", "FIN7", "Ke3chang", "LazyScripter", "OilRig", "Tropic Trooper"]}], "mitre_attack_tactics": ["Initial Access", "Command And Control", "Exfiltration"], "datamodels": ["Network_Resolution"], "kill_chain_phases": ["Delivery", "Actions on Objectives", "Command and Control"]}, "detection_names": ["ESCU - Clients Connecting to Multiple DNS Servers - Rule", "ESCU - DNS Query Requests Resolved by Unauthorized DNS Servers - Rule", "ESCU - DNS record changed - Rule", "ESCU - Detect DGA domains using pretrained model in DSDL - Rule", "ESCU - Detect DNS Data Exfiltration using pretrained model in DSDL - Rule", "ESCU - Detect hosts connecting to dynamic domain providers - Rule", "ESCU - Detect suspicious DNS TXT records using pretrained model in DSDL - Rule"], "investigation_names": ["Get DNS Server History for a host"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Clients Connecting to Multiple DNS Servers", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}, {"name": "DNS Query Requests Resolved by Unauthorized DNS Servers", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "DNS"}]}, {"name": "DNS record changed", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "DNS"}]}, {"name": "Detect DGA domains using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Domain Generation Algorithms"}]}, {"name": "Detect DNS Data Exfiltration using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}, {"name": "Detect hosts connecting to dynamic domain providers", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Drive-by Compromise"}]}, {"name": "Detect suspicious DNS TXT records using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Domain Generation Algorithms"}]}]}, {"name": "Domain Trust Discovery", "author": "Michael Haag, Splunk", "date": "2021-03-25", "version": 1, "id": "e6f30f14-8daf-11eb-a017-acde48001122", "description": "Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments.", "references": ["https://attack.mitre.org/techniques/T1482/"], "narrative": "Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain. Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct SID-History Injection, Pass the Ticket, and Kerberoasting. Domain trusts can be enumerated using the DSEnumerateDomainTrusts() Win32 API call, .NET methods, and LDAP. The Windows utility Nltest is known to be used by adversaries to enumerate domain trusts.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Akira", "Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}], "mitre_attack_tactics": ["Discovery"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - DSQuery Domain Discovery - Rule", "ESCU - NLTest Domain Trust Discovery - Rule", "ESCU - Windows AdFind Exe - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "DSQuery Domain Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Trust Discovery"}]}, {"name": "NLTest Domain Trust Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Trust Discovery"}]}, {"name": "Windows AdFind Exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}]}, {"name": "Double Zero Destructor", "author": "Teoderick Contreras, Rod Soto, Splunk", "date": "2022-03-25", "version": 1, "id": "f56e8c00-3224-4955-9a6e-924ec7da1df7", "description": "Double Zero Destructor is a destructive payload that enumerates Domain Controllers and executes killswitch if detected. Overwrites files with Zero blocks or using MS Windows API calls such as NtFileOpen, NtFSControlFile. This payload also deletes registry hives HKCU,HKLM, HKU, HKLM BCD.", "references": ["https://cert.gov.ua/article/38088", "https://blog.talosintelligence.com/2022/03/threat-advisory-doublezero.html"], "narrative": "Double zero destructor enumerates domain controllers, delete registry hives and overwrites files using zero blocks and API calls.", "tags": {"category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Persistence", "Privilege Escalation", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Deleted Registry By A Non Critical Process File Path - Rule", "ESCU - Windows Terminating Lsass Process - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Rod Soto, Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Windows Deleted Registry By A Non Critical Process File Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Terminating Lsass Process", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}]}, {"name": "Dynamic DNS", "author": "Bhavin Patel, Splunk", "date": "2018-09-06", "version": 2, "id": "8169f17b-ef68-4b59-aae8-586907301221", "description": "Detect and investigate hosts in your environment that may be communicating with dynamic domain providers. Attackers may leverage these services to help them avoid firewall blocks and deny lists.", "references": ["https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", "https://umbrella.cisco.com/blog/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/", "http://www.noip.com/blog/2014/07/11/dynamic-dns-can-use-2/", "https://www.splunk.com/blog/2015/08/04/detecting-dynamic-dns-domains-in-splunk.html"], "narrative": "Dynamic DNS services (DDNS) are legitimate low-cost or free services that allow users to rapidly update domain resolutions to IP infrastructure. While their usage can be benign, malicious actors can abuse DDNS to host harmful payloads or interactive-command-and-control infrastructure. These attackers will manually update or automate domain resolution changes by routing dynamic domains to IP addresses that circumvent firewall blocks and deny lists and frustrate a network defender's analytic and investigative processes. These searches will look for DNS queries made from within your infrastructure to suspicious dynamic domains and then investigate more deeply, when appropriate. While this list of top-level dynamic domains is not exhaustive, it can be dynamically updated as new suspicious dynamic domains are identified.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1071.001", "mitre_attack_technique": "Web Protocols", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Confucius", "Dark Caracal", "FIN13", "FIN4", "FIN8", "Gamaredon Group", "HAFNIUM", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LuminousMoth", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "OilRig", "Orangeworm", "Rancor", "Rocke", "Sandworm Team", "Sidewinder", "SilverTerrier", "Stealth Falcon", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "WIRTE", "Windshift", "Wizard Spider"]}, {"mitre_attack_id": "T1568.002", "mitre_attack_technique": "Domain Generation Algorithms", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "TA551"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}], "mitre_attack_tactics": ["Command And Control", "Exfiltration"], "datamodels": ["Web", "Endpoint", "Network_Resolution"], "kill_chain_phases": ["Actions on Objectives", "Command and Control"]}, "detection_names": ["ESCU - Detect web traffic to dynamic domain providers - Rule", "ESCU - DNS Exfiltration Using Nslookup App - Rule", "ESCU - Excessive Usage of NSLOOKUP App - Rule", "ESCU - Detect DGA domains using pretrained model in DSDL - Rule", "ESCU - Detect hosts connecting to dynamic domain providers - Rule"], "investigation_names": ["Get DNS Server History for a host", "Get DNS traffic ratio", "Get Notable History", "Get Process Responsible For The DNS Traffic"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect web traffic to dynamic domain providers", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Web Protocols"}]}, {"name": "DNS Exfiltration Using Nslookup App", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}, {"name": "Excessive Usage of NSLOOKUP App", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}, {"name": "Detect DGA domains using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Domain Generation Algorithms"}]}, {"name": "Detect hosts connecting to dynamic domain providers", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Drive-by Compromise"}]}]}, {"name": "Emotet Malware DHS Report TA18-201A", "author": "Bhavin Patel, Splunk", "date": "2020-01-27", "version": 1, "id": "bb9f5ed2-916e-4364-bb6d-91c310efcf52", "description": "Detect rarely used executables, specific registry paths that may confer malware survivability and persistence, instances where cmd.exe is used to launch script interpreters, and other indicators that the Emotet financial malware has compromised your environment.", "references": ["https://www.us-cert.gov/ncas/alerts/TA18-201A", "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf", "https://www.vkremez.com/2017/05/emotet-banking-trojan-malware-analysis.html"], "narrative": "The trojan downloader known as Emotet first surfaced in 2014, when it was discovered targeting the banking industry to steal credentials. However, according to a joint technical alert (TA) issued by three government agencies (https://www.us-cert.gov/ncas/alerts/TA18-201A), Emotet has evolved far beyond those beginnings to become what a ThreatPost article called a threat-delivery service(see https://threatpost.com/emotet-malware-evolves-beyond-banking-to-threat-delivery-service/134342/). For example, in early 2018, Emotet was found to be using its loader function to spread the Quakbot and Ransomware variants.\nAccording to the TA, the the malware continues to be among the most costly and destructive malware affecting the private and public sectors. Researchers have linked it to the threat group Mealybug, which has also been on the security communitys radar since 2014.\nThe searches in this Analytic Story will help you find executables that are rarely used in your environment, specific registry paths that malware often uses to ensure survivability and persistence, instances where cmd.exe is used to launch script interpreters, and other indicators that Emotet or other malware has compromised your environment. ", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1072", "mitre_attack_technique": "Software Deployment Tools", "mitre_attack_tactics": ["Execution", "Lateral Movement"], "mitre_attack_groups": ["APT32", "Sandworm Team", "Silence", "Threat Group-1314"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Initial Access", "Privilege Escalation", "Persistence", "Execution", "Lateral Movement"], "datamodels": ["Email", "Network_Traffic", "Endpoint"], "kill_chain_phases": ["Installation", "Delivery", "Exploitation"]}, "detection_names": ["ESCU - Email Attachments With Lots Of Spaces - Rule", "ESCU - Suspicious Email Attachment Extensions - Rule", "ESCU - Prohibited Software On Endpoint - Rule", "ESCU - Detect Use of cmd exe to Launch Script Interpreters - Rule", "ESCU - Detection of tools built by NirSoft - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - SMB Traffic Spike - Rule", "ESCU - SMB Traffic Spike - MLTK - Rule"], "investigation_names": ["Get History Of Email Sources", "Get Notable History", "Get Parent Process Info", "Get Process Info", "Get Process Information For Port Activity"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Email Attachments With Lots Of Spaces", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Suspicious Email Attachment Extensions", "source": "application", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}, {"name": "Prohibited Software On Endpoint", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Detect Use of cmd exe to Launch Script Interpreters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}]}, {"name": "Detection of tools built by NirSoft", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Software Deployment Tools"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "SMB Traffic Spike", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "SMB Traffic Spike - MLTK", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Remote Services"}]}]}, {"name": "F5 Authentication Bypass with TMUI", "author": "Michael Haag, Splunk", "date": "2023-10-30", "version": 1, "id": "e4acbea6-75bb-4873-8c22-bc2da9525e89", "description": "Research into leading software revealed vulnerabilities in both Apache Tomcat and the F5 BIG-IP suite. Apache's AJP protocol vulnerability, designated CVE-2022-26377, relates to AJP request smuggling. Successful exploitation enables unauthorized system activities. F5 BIG-IP Virtual Edition exhibited a distinct vulnerability, an authentication bypass in the Traffic Management User Interface (TMUI), resulting in system compromise. Assigned CVE-2023-46747, this vulnerability also arose from request smuggling, bearing similarity to CVE-2022-26377. Given the wide adoption of both Apache Tomcat and F5 products, these vulnerabilities present grave risks to organizations. Remediation and vulnerability detection mechanisms are essential to address these threats effectively.", "references": ["https://www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/", "https://github.com/projectdiscovery/nuclei-templates/blob/3b0bb71bd627c6c3139e1d06c866f8402aa228ae/http/cves/2023/CVE-2023-46747.yaml"], "narrative": "Both Apache Tomcat's AJP protocol and F5's BIG-IP Virtual Edition have been exposed to critical vulnerabilities. Apache's CVE-2022-26377 pertains to request smuggling by manipulating the \"Transfer-Encoding\" header. If successfully exploited, this allows attackers to bypass security controls and undertake unauthorized actions.\nSimilarly, F5 BIG-IP unveiled an authentication bypass vulnerability, CVE-2023-46747. Originating from the TMUI, this vulnerability leads to full system compromise. While distinct, it shares characteristics with Apache's vulnerability, primarily rooted in request smuggling. This vulnerability drew from past F5 CVEs, particularly CVE-2020-5902 and CVE-2022-1388, both previously exploited in real-world scenarios. These highlighted vulnerabilities in Apache HTTP and Apache Tomcat services, as well as authentication flaws in the F5 BIG-IP API.\nNuclei detection templates offer a proactive solution for identifying and mitigating these vulnerabilities. Integrated into vulnerability management frameworks, these templates notify organizations of potential risks, forming a base for further detection strategies. For detection engineers, understanding these vulnerabilities is crucial. Recognizing the mechanisms and effects of request smuggling, especially in Apache's and F5's context, provides a roadmap to effective detection and response. Prompt detection is a linchpin, potentially stymieing further, more destructive attacks.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - F5 TMUI Authentication Bypass - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "F5 TMUI Authentication Bypass", "source": "web", "type": "TTP", "tags": []}]}, {"name": "F5 BIG-IP Vulnerability CVE-2022-1388", "author": "Michael Haag, Splunk", "date": "2022-05-10", "version": 1, "id": "0367b177-f8d6-4c4b-a62d-86f52a590bff", "description": "CVE-2022-1388 is a unauthenticated remote code execution vulnerablity against BIG-IP iControl REST API.", "references": ["https://github.com/dk4trin/templates-nuclei/blob/main/CVE-2022-1388.yaml", "https://www.randori.com/blog/vulnerability-analysis-cve-2022-1388/", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1388", "https://twitter.com/da_667/status/1523770267327250438?s=20&t=-JnB_aNWuJFsmcOmxGUWLQ", "https://github.com/horizon3ai/CVE-2022-1388/blob/main/CVE-2022-1388.py"], "narrative": "CVE-2022-1388 is a critical vulnerability (CVSS 9.8) in the management interface of F5 Networks'' BIG-IP solution that enables an unauthenticated attacker to gain remote code execution on the system through bypassing F5''s iControl REST authentication. The vulnerability was first discovered by F5''s internal product security team and disclosed publicly on May 4, 2022, per Randori. This vulnerability,CVE-2022-1388, may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. There is no data plane exposure; this is a control plane issue only per F5 article K23605346. Is CVE-2022-1388 Exploitable? Yes. There are now multiple POC scripts available and reports of threat actors scanning and potentially exploiting the vulnerablity. Per Randori the specific interface needed to exploit this vulnerability is rarely publicly exposed, and the risk to most organizations of exploitation by an unauthenticated external actor is low.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - F5 BIG-IP iControl REST Vulnerability CVE-2022-1388 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "F5 BIG-IP iControl REST Vulnerability CVE-2022-1388", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}]}, {"name": "F5 TMUI RCE CVE-2020-5902", "author": "Shannon Davis, Splunk", "date": "2020-08-02", "version": 1, "id": "7678c968-d46e-11ea-87d0-0242ac130003", "description": "Uncover activity consistent with CVE-2020-5902. Discovered by Positive Technologies researchers, this vulnerability affects F5 BIG-IP, BIG-IQ. and Traffix SDC devices (vulnerable versions in F5 support link below). This vulnerability allows unauthenticated users, along with authenticated users, who have access to the configuration utility to execute system commands, create/delete files, disable services, and/or execute Java code. This vulnerability can result in full system compromise.", "references": ["https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/", "https://support.f5.com/csp/article/K52145254", "https://blog.cloudflare.com/cve-2020-5902-helping-to-protect-against-the-f5-tmui-rce-vulnerability/"], "narrative": "A client is able to perform a remote code execution on an exposed and vulnerable system. The detection search in this Analytic Story uses syslog to detect the malicious behavior. Syslog is going to be the best detection method, as any systems using SSL to protect their management console will make detection via wire data difficult. The searches included used Splunk Connect For Syslog (https://splunkbase.splunk.com/app/4740/), and used a custom destination port to help define the data as F5 data (covered in https://splunk-connect-for-syslog.readthedocs.io/en/master/sources/F5/)", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect F5 TMUI RCE CVE-2020-5902 - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Shannon Davis", "detections": [{"name": "Detect F5 TMUI RCE CVE-2020-5902", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}]}, {"name": "FIN7", "author": "Teoderick Contreras, Splunk", "date": "2021-09-14", "version": 1, "id": "df2b00d3-06ba-49f1-b253-b19cef19b569", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the FIN7 JS Implant and JSSLoader, including looking for Image Loading of ldap and wmi modules, associated with its payload, data collection and script execution.", "references": ["https://en.wikipedia.org/wiki/FIN7", "https://threatpost.com/fin7-windows-11-release/169206/", "https://www.proofpoint.com/us/blog/threat-insight/jssloader-recoded-and-reloaded"], "narrative": "FIN7 is a Russian criminal advanced persistent threat group that has primarily targeted the U.S. retail, restaurant, and hospitality sectors since mid-2015. A portion of FIN7 is run out of the front company Combi Security. It has been called one of the most successful criminal hacking groups in the world. this passed few day FIN7 tools and implant are seen in the wild where its code is updated. the FIN& is known to use the spear phishing attack as a entry to targetted network or host that will drop its staging payload like the JS and JSSloader. Now this artifacts and implants seen downloading other malware like cobaltstrike and event ransomware to encrypt host.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "Malteiro", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1059.007", "mitre_attack_technique": "JavaScript", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "Cobalt Group", "Earth Lusca", "Ember Bear", "Evilnum", "FIN6", "FIN7", "Higaisa", "Indrik Spider", "Kimsuky", "LazyScripter", "Leafminer", "Molerats", "MoustachedBouncer", "MuddyWater", "Sidewinder", "Silence", "TA505", "Turla"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "APT5", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "APT41", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Malteiro", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.005", "mitre_attack_technique": "Visual Basic", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT33", "APT37", "APT38", "APT39", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Earth Lusca", "FIN13", "FIN4", "FIN7", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "Transparent Tribe", "Turla", "WIRTE", "Windshift"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1134.004", "mitre_attack_technique": "Parent PID Spoofing", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Initial Access", "Discovery", "Credential Access", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Impact"], "datamodels": ["Risk", "Endpoint"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Check Elevated CMD using whoami - Rule", "ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Jscript Execution Using Cscript App - Rule", "ESCU - MS Scripting Process Loading Ldap Module - Rule", "ESCU - MS Scripting Process Loading WMI Module - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Office Application Drop Executable - Rule", "ESCU - Office Product Spawning Wmic - Rule", "ESCU - Vbscript Execution Using Wscript App - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Wscript Or Cscript Suspicious Child Process - Rule", "ESCU - XSL Script Execution With WMIC - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Check Elevated CMD using whoami", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Owner/User Discovery"}]}, {"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}, {"name": "Jscript Execution Using Cscript App", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}, {"name": "MS Scripting Process Loading Ldap Module", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}, {"name": "MS Scripting Process Loading WMI Module", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "Office Application Drop Executable", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawning Wmic", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Vbscript Execution Using Wscript App", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Visual Basic"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "System Network Connections Discovery"}, {"mitre_attack_technique": "System Owner/User Discovery"}, {"mitre_attack_technique": "System Shutdown/Reboot"}, {"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Wscript Or Cscript Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Parent PID Spoofing"}, {"mitre_attack_technique": "Access Token Manipulation"}]}, {"name": "XSL Script Execution With WMIC", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "XSL Script Processing"}]}]}, {"name": "Flax Typhoon", "author": "Michael Haag, Splunk", "date": "2023-08-25", "version": 1, "id": "78fadce9-a07f-4508-8d14-9b20052a62cc", "description": "Microsoft has identified a nation-state activity group, Flax Typhoon, based in China, targeting Taiwanese organizations for espionage. The group maintains long-term access to networks with minimal use of malware, relying on built-in OS tools and benign software. The group's activities are primarily focused on Taiwan, but the techniques used could be easily reused in other operations outside the region. Microsoft has not observed Flax Typhoon using this access to conduct additional actions.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/"], "narrative": "Flax Typhoon has been active since mid-2021, targeting government agencies, education, critical manufacturing, and IT organizations in Taiwan. The group uses the China Chopper web shell, Metasploit, Juicy Potato privilege escalation tool, Mimikatz, and SoftEther VPN client. However, they primarily rely on living-off-the-land techniques and hands-on-keyboard activity. Initial access is achieved by exploiting known vulnerabilities in public-facing servers and deploying web shells. Following initial access, Flax Typhoon uses command-line tools to establish persistent access over the remote desktop protocol, deploy a VPN connection to actor-controlled network infrastructure, and collect credentials from compromised systems. The group also uses this VPN access to scan for vulnerabilities on targeted systems and organizations from the compromised systems.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1546.008", "mitre_attack_technique": "Accessibility Features", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT3", "APT41", "Axiom", "Deep Panda", "Fox Kitten"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1197", "mitre_attack_technique": "BITS Jobs", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": ["APT39", "APT41", "Leviathan", "Patchwork", "Wizard Spider"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "APT5", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}], "mitre_attack_tactics": ["Command And Control", "Privilege Escalation", "Credential Access", "Persistence", "Execution", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation", "Command and Control"]}, "detection_names": ["ESCU - BITSAdmin Download File - Rule", "ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Overwriting Accessibility Binaries - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows Mimikatz Binary Execution - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows SQL Spawning CertUtil - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "BITSAdmin Download File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "BITS Jobs"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Overwriting Accessibility Binaries", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "Accessibility Features"}]}, {"name": "PowerShell 4104 Hunting", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}, {"name": "Windows Mimikatz Binary Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Windows SQL Spawning CertUtil", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}]}, {"name": "Forest Blizzard", "author": "Michael Haag, Splunk", "date": "2023-09-11", "version": 1, "id": "2c1aceda-f0a5-4c83-8543-e23ec1466958", "description": "CERT-UA has unveiled a cyberattack on Ukraine's energy infrastructure, orchestrated via deceptive emails. These emails, once accessed, lead to a multi-stage cyber operation downloading and executing malicious payloads. Concurrently, Zscaler's \"Steal-It\" campaign detection revealed striking similarities, hinting at a shared origin - APT28 or Fancy Bear. This notorious group, linked to Russia's GRU, utilizes legitimate platforms like Mockbin, making detection challenging. Their operations underline the evolving cyber threat landscape and stress the importance of advanced defenses.", "references": ["https://cert.gov.ua/article/5702579", "https://www.zscaler.com/blogs/security-research/steal-it-campaign", "https://attack.mitre.org/groups/G0007/"], "narrative": "APT28, also known as Fancy Bear, blends stealth and expertise in its cyber operations. Affiliated with Russia's GRU, their signature move involves spear-phishing emails, leading to multi-tiered cyberattacks. In Ukraine's recent breach, a ZIP archive's execution triggered a series of actions, culminating in information flow redirection via the TOR network. Simultaneously, Zscaler's \"Steal-It\" campaign pinpointed similar tactics, specifically targeting NTLMv2 hashes. This campaign used ZIP archives containing LNK files to exfiltrate data via Mockbin. APT28's hallmark is their \"Living Off The Land\" strategy, manipulating legitimate tools and services to blend in, evading detection. Their innovative tactics, coupled with a geofencing focus on specific regions, make them a formidable cyber threat, highlighting the urgent need for advanced defense strategies.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1564.003", "mitre_attack_technique": "Hidden Window", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "CopyKittens", "DarkHydrus", "Deep Panda", "Gamaredon Group", "Gorgon Group", "Higaisa", "Kimsuky", "Magic Hound", "Nomadic Octopus", "ToddyCat"]}, {"mitre_attack_id": "T1140", "mitre_attack_technique": "Deobfuscate/Decode Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT39", "BRONZE BUTLER", "Cinnamon Tempest", "Darkhotel", "Earth Lusca", "FIN13", "Gamaredon Group", "Gorgon Group", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Malteiro", "Molerats", "MuddyWater", "OilRig", "Rocke", "Sandworm Team", "TA505", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "WIRTE", "ZIRCONIUM", "menuPass"]}], "mitre_attack_tactics": ["Execution", "Command And Control", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation", "Command and Control"]}, "detection_names": ["ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - CertUtil With Decode Argument - Rule", "ESCU - CHCP Command Execution - Rule", "ESCU - Headless Browser Mockbin or Mocky Request - Rule", "ESCU - Headless Browser Usage - Rule", "ESCU - Windows Curl Download to Suspicious Path - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "CertUtil With Decode Argument", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Deobfuscate/Decode Files or Information"}]}, {"name": "CHCP Command Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Headless Browser Mockbin or Mocky Request", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Hidden Window"}]}, {"name": "Headless Browser Usage", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Hidden Window"}]}, {"name": "Windows Curl Download to Suspicious Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}]}, {"name": "Fortinet FortiNAC CVE-2022-39952", "author": "Michael Haag, Splunk", "date": "2023-02-21", "version": 1, "id": "2833a527-3b7f-41af-a950-39f7bbaff819", "description": "On Thursday, 16 February 2023, Fortinet released a PSIRT that details CVE-2022-39952, a critical vulnerability affecting its FortiNAC product (Horizon3.ai).", "references": ["https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs/", "https://viz.greynoise.io/tag/fortinac-rce-attempt?days=30", "https://www.bleepingcomputer.com/news/security/fortinet-fixes-critical-rce-flaws-in-fortinac-and-fortiweb/"], "narrative": "This vulnerability, discovered by Gwendal Guegniaud of Fortinet, allows an unauthenticated attacker to write arbitrary files on the system and as a result obtain remote code execution in the context of the root user (Horizon3.ai). Impacting FortiNAC, is tracked as CVE-2022-39952 and has a CVSS v3 score of 9.8 (critical). FortiNAC is a network access control solution that helps organizations gain real time network visibility, enforce security policies, and detect and mitigate threats. An external control of file name or path vulnerability CWE-73 in FortiNAC webserver may allow an unauthenticated attacker to perform arbitrary write on the system, reads the security advisory.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}]}, {"name": "GCP Account Takeover", "author": "Mauricio Velazco, Bhavin Patel, Splunk", "date": "2022-10-12", "version": 1, "id": "8601caff-414f-4c6d-9a04-75b66778869d", "description": "Monitor for activities and techniques associated with Account Takeover attacks against Google Cloud Platform tenants.", "references": ["https://cloud.google.com/gcp", "https://cloud.google.com/architecture/identity/overview-google-authentication", "https://attack.mitre.org/techniques/T1586/", "https://www.imperva.com/learn/application-security/account-takeover-ato/", "https://www.barracuda.com/glossary/account-takeover"], "narrative": "Account Takeover (ATO) is an attack whereby cybercriminals gain unauthorized access to online accounts by using different techniques like brute force, social engineering, phishing & spear phishing, credential stuffing, etc. By posing as the real user, cyber-criminals can change account details, send out phishing emails, steal financial information or sensitive data, or use any stolen information to access further accounts within the organization. This analytic story groups detections that can help security operations teams identify the potential compromise of Google cloud accounts.", "tags": {"category": ["Account Compromise"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1556.006", "mitre_attack_technique": "Multi-Factor Authentication", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["Scattered Spider"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}], "mitre_attack_tactics": ["Initial Access", "Resource Development", "Privilege Escalation", "Credential Access", "Persistence", "Defense Evasion"], "datamodels": [], "kill_chain_phases": ["Installation", "Weaponization", "Delivery", "Exploitation"]}, "detection_names": ["ESCU - GCP Authentication Failed During MFA Challenge - Rule", "ESCU - GCP Multi-Factor Authentication Disabled - Rule", "ESCU - GCP Multiple Failed MFA Requests For User - Rule", "ESCU - GCP Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - GCP Successful Single-Factor Authentication - Rule", "ESCU - GCP Unusual Number of Failed Authentications From Ip - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Bhavin Patel, Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "GCP Authentication Failed During MFA Challenge", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}, {"name": "GCP Multi-Factor Authentication Disabled", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Modify Authentication Process"}, {"mitre_attack_technique": "Multi-Factor Authentication"}]}, {"name": "GCP Multiple Failed MFA Requests For User", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}]}, {"name": "GCP Multiple Users Failing To Authenticate From Ip", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}, {"name": "GCP Successful Single-Factor Authentication", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}]}, {"name": "GCP Unusual Number of Failed Authentications From Ip", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}]}, {"name": "GCP Cross Account Activity", "author": "Rod Soto, Splunk", "date": "2020-09-01", "version": 1, "id": "0432039c-ef41-4b03-b157-450c25dad1e6", "description": "Track when a user assumes an IAM role in another GCP account to obtain cross-account access to services and resources in that account. Accessing new roles could be an indication of malicious activity.", "references": ["https://cloud.google.com/iam/docs/understanding-service-accounts"], "narrative": "Google Cloud Platform (GCP) admins manage access to GCP resources and services across the enterprise using GCP Identity and Access Management (IAM) functionality. IAM provides the ability to create and manage GCP users, groups, and roles-each with their own unique set of privileges and defined access to specific resources (such as Compute instances, the GCP Management Console, API, or the command-line interface). Unlike conventional (human) users, IAM roles are potentially assumable by anyone in the organization. They provide users with dynamically created temporary security credentials that expire within a set time period.\nIn between the time between when the temporary credentials are issued and when they expire is a period of opportunity, where a user could leverage the temporary credentials to wreak havoc-spin up or remove instances, create new users, elevate privileges, and other malicious activities-throughout the environment.\nThis Analytic Story includes searches that will help you monitor your GCP Audit logs logs for evidence of suspicious cross-account activity. For example, while accessing multiple GCP accounts and roles may be perfectly valid behavior, it may be suspicious when an account requests privileges of an account it has not accessed in the past. After identifying suspicious activities, you can use the provided investigative searches to help you probe more deeply.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Persistence", "Privilege Escalation", "Initial Access", "Defense Evasion"], "datamodels": ["Email"], "kill_chain_phases": ["Installation", "Delivery", "Exploitation"]}, "detection_names": ["ESCU - GCP Detect gcploit framework - Rule", "ESCU - GCP Detect accounts with high risk roles by project - Rule", "ESCU - GCP Detect high risk permissions by resource and account - Rule", "ESCU - gcp detect oauth token abuse - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rod Soto", "detections": [{"name": "GCP Detect gcploit framework", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "GCP Detect accounts with high risk roles by project", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "GCP Detect high risk permissions by resource and account", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "gcp detect oauth token abuse", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}]}, {"name": "Graceful Wipe Out Attack", "author": "Teoderick Contreras, Splunk", "date": "2023-06-15", "version": 1, "id": "83b15b3c-6bda-45aa-a3b6-b05c52443f44", "description": "This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the destructive attack or campaign found by \"THE DFIR Report\" that uses Truebot, FlawedGrace and MBR killer malware. This analytic story looks for suspicious dropped files, cobalt strike execution, im-packet execution, registry modification, scripts, persistence, lateral movement, impact, exfiltration and recon.", "references": ["https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/"], "narrative": "Graceful Wipe Out Attack is a destructive malware campaign found by \"The DFIR Report\" targeting multiple organizations to collect, exfiltrate and wipe the data of targeted networks. This malicious payload corrupts or wipes Master Boot Records by using an NSIS script after the exfiltration of sensitive information from the targeted host or system.", "tags": {"category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "APT5", "Akira", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN13", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1003.003", "mitre_attack_technique": "NTDS", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "HAFNIUM", "Ke3chang", "LAPSUS$", "Mustang Panda", "Sandworm Team", "Scattered Spider", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1561.002", "mitre_attack_technique": "Disk Structure Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1055.002", "mitre_attack_technique": "Portable Executable Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Gorgon Group", "Rocke"]}, {"mitre_attack_id": "T1531", "mitre_attack_technique": "Account Access Removal", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Akira", "LAPSUS$"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1127.001", "mitre_attack_technique": "MSBuild", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1561", "mitre_attack_technique": "Disk Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "FIN7", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "ToddyCat", "Turla", "Volt Typhoon"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT41", "BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Scattered Spider", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Akira", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Scattered Spider", "Silence", "Threat Group-3390", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Collection", "Discovery", "Credential Access", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Impact", "Lateral Movement"], "datamodels": ["Network_Traffic", "Endpoint"], "kill_chain_phases": ["Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Anomalous usage of 7zip - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - CMD Echo Pipe - Escalation - Rule", "ESCU - Cobalt Strike Named Pipes - Rule", "ESCU - Deleting Of Net Users - Rule", "ESCU - Detect Regsvr32 Application Control Bypass - Rule", "ESCU - DLLHost with no Command Line Arguments with Network - Rule", "ESCU - Domain Account Discovery With Net App - Rule", "ESCU - Domain Group Discovery With Net - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - GPUpdate with no Command Line Arguments with Network - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Remote WMI Command Attempt - Rule", "ESCU - Rundll32 with no Command Line Arguments with Network - Rule", "ESCU - SAM Database File Access Attempt - Rule", "ESCU - SearchProtocolHost with no Command Line with Network - Rule", "ESCU - SecretDumps Offline NTDS Dumping Tool - Rule", "ESCU - Services Escalate Exe - Rule", "ESCU - Suspicious DLLHost no Command Line Arguments - Rule", "ESCU - Suspicious GPUpdate no Command Line Arguments - Rule", "ESCU - Suspicious microsoft workflow compiler rename - Rule", "ESCU - Suspicious msbuild path - Rule", "ESCU - Suspicious MSBuild Rename - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", "ESCU - Suspicious Rundll32 StartW - Rule", "ESCU - Suspicious SearchProtocolHost no Command Line Arguments - Rule", "ESCU - Windows AdFind Exe - Rule", "ESCU - Windows Process Injection Remote Thread - Rule", "ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - Windows Service Stop By Deletion - Rule", "ESCU - Windows Service Stop Via Net and SC Application - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Anomalous usage of 7zip", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}, {"name": "Attempt To Stop Security Service", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "CMD Echo Pipe - Escalation", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Cobalt Strike Named Pipes", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Deleting Of Net Users", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Access Removal"}]}, {"name": "Detect Regsvr32 Application Control Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}, {"name": "DLLHost with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Domain Account Discovery With Net App", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Domain Group Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Account Access Removal"}]}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "GPUpdate with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}, {"name": "Remote WMI Command Attempt", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "Rundll32 with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "SAM Database File Access Attempt", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "SearchProtocolHost with no Command Line with Network", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "SecretDumps Offline NTDS Dumping Tool", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Services Escalate Exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Suspicious DLLHost no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Suspicious GPUpdate no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Suspicious microsoft workflow compiler rename", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}]}, {"name": "Suspicious msbuild path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}, {"name": "Suspicious MSBuild Rename", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Suspicious Rundll32 no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Suspicious Rundll32 StartW", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Suspicious SearchProtocolHost no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Windows AdFind Exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "Windows Process Injection Remote Thread", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Portable Executable Injection"}]}, {"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}, {"name": "Windows Service Stop By Deletion", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Service Stop"}]}, {"name": "Windows Service Stop Via Net and SC Application", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Service Stop"}]}]}, {"name": "HAFNIUM Group", "author": "Michael Haag, Splunk", "date": "2021-03-03", "version": 1, "id": "beae2ab0-7c3f-11eb-8b63-acde48001122", "description": "HAFNIUM group was identified by Microsoft as exploiting 4 Microsoft Exchange CVEs in the wild - CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.", "references": ["https://www.splunk.com/en_us/blog/security/detecting-hafnium-exchange-server-zero-day-activity-in-splunk.html", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day/"], "narrative": "On Tuesday, March 2, 2021, Microsoft released a set of security patches for its mail server, Microsoft Exchange. These patches respond to a group of vulnerabilities known to impact Exchange 2013, 2016, and 2019. It is important to note that an Exchange 2010 security update has also been issued, though the CVEs do not reference that version as being vulnerable.\nWhile the CVEs do not shed much light on the specifics of the vulnerabilities or exploits, the first vulnerability (CVE-2021-26855) has a remote network attack vector that allows the attacker, a group Microsoft named HAFNIUM, to authenticate as the Exchange server. Three additional vulnerabilities (CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) were also identified as part of this activity. When chained together along with CVE-2021-26855 for initial access, the attacker would have complete control over the Exchange server. This includes the ability to run code as SYSTEM and write to any path on the server.\nThe following Splunk detections assist with identifying the HAFNIUM groups tradecraft and methodology.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1114", "mitre_attack_technique": "Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Magic Hound", "Silent Librarian"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1114.002", "mitre_attack_technique": "Remote Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "Chimera", "Dragonfly", "FIN4", "HAFNIUM", "Ke3chang", "Kimsuky", "Leafminer", "Magic Hound"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "APT5", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "APT5", "Dragonfly", "FIN13", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT", "Wizard Spider"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider", "Scattered Spider"]}, {"mitre_attack_id": "T1003.003", "mitre_attack_technique": "NTDS", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "HAFNIUM", "Ke3chang", "LAPSUS$", "Mustang Panda", "Sandworm Team", "Scattered Spider", "Volt Typhoon", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Command And Control", "Initial Access", "Collection", "Credential Access", "Persistence", "Execution", "Lateral Movement"], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation", "Command and Control"]}, "detection_names": ["ESCU - Email servers sending high volume traffic to hosts - Rule", "ESCU - Dump LSASS via procdump Rename - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - Detect Exchange Web Shell - Rule", "ESCU - Detect New Local Admin account - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Dump LSASS via procdump - Rule", "ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule", "ESCU - Nishang PowershellTCPOneLine - Rule", "ESCU - Ntdsutil Export NTDS - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule", "ESCU - W3WP Spawning Shell - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Email servers sending high volume traffic to hosts", "source": "application", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Email Collection"}, {"mitre_attack_technique": "Remote Email Collection"}]}, {"name": "Dump LSASS via procdump Rename", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "LSASS Memory"}]}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Detect Exchange Web Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Detect New Local Admin account", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Dump LSASS via procdump", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Malicious PowerShell Process - Execution Policy Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Nishang PowershellTCPOneLine", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Ntdsutil Export NTDS", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}]}, {"name": "Hermetic Wiper", "author": "Teoderick Contreras, Rod Soto, Michael Haag, Splunk", "date": "2022-03-02", "version": 1, "id": "b7511c2e-9a10-11ec-99e3-acde48001122", "description": "This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the destructive malware targeting Ukrainian organizations also known as \"Hermetic Wiper\". This analytic story looks for abuse of Regsvr32, executables written in administrative SMB Share, suspicious processes, disabling of memory crash dump and more.", "references": ["https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/", "https://www.cisa.gov/uscert/ncas/alerts/aa22-057a"], "narrative": "Hermetic Wiper is destructive malware operation found by Sentinel One targeting multiple organizations in Ukraine. This malicious payload corrupts Master Boot Records, uses signed drivers and manipulates NTFS attributes for file destruction.", "tags": {"category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Cinnamon Tempest", "Earth Lusca", "FIN13", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "APT5", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1547.014", "mitre_attack_technique": "Active Setup", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1562.006", "mitre_attack_technique": "Indicator Blocking", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT41", "APT5"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1027.005", "mitre_attack_technique": "Indicator Removal from Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT3", "Deep Panda", "GALLIUM", "OilRig", "Patchwork", "Turla"]}, {"mitre_attack_id": "T1561.002", "mitre_attack_technique": "Disk Structure Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1218.014", "mitre_attack_technique": "MMC", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.012", "mitre_attack_technique": "Print Processors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1037.001", "mitre_attack_technique": "Logon Script (Windows)", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "Cobalt Group"]}, {"mitre_attack_id": "T1546.008", "mitre_attack_technique": "Accessibility Features", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT3", "APT41", "Axiom", "Deep Panda", "Fox Kitten"]}, {"mitre_attack_id": "T1546.012", "mitre_attack_technique": "Image File Execution Options Injection", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1134.001", "mitre_attack_technique": "Token Impersonation/Theft", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "FIN8"]}, {"mitre_attack_id": "T1561", "mitre_attack_technique": "Disk Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1021.006", "mitre_attack_technique": "Windows Remote Management", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Chimera", "FIN13", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1037", "mitre_attack_technique": "Boot or Logon Initialization Scripts", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "Rocke"]}, {"mitre_attack_id": "T1546.015", "mitre_attack_technique": "Component Object Model Hijacking", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1546.002", "mitre_attack_technique": "Screensaver", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.003", "mitre_attack_technique": "Time Providers", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}], "mitre_attack_tactics": ["Reconnaissance", "Command And Control", "Initial Access", "Credential Access", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Impact", "Lateral Movement"], "datamodels": ["Email", "Endpoint"], "kill_chain_phases": ["Reconnaissance", "Delivery", "Exploitation", "Actions on Objectives", "Installation", "Command and Control"]}, "detection_names": ["ESCU - Email Attachments With Lots Of Spaces - Rule", "ESCU - Suspicious Email Attachment Extensions - Rule", "ESCU - Suspicious Powershell Command-Line Arguments - Rule", "ESCU - Uncommon Processes On Endpoint - Rule", "ESCU - Active Setup Registry Autostart - Rule", "ESCU - Any Powershell DownloadFile - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - Change Default File Association - Rule", "ESCU - Child Processes of Spoolsv exe - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Detect Empire with PowerShell Script Block Logging - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Kerberoasting spn request with RC4 encryption - Rule", "ESCU - Linux Java Spawning Shell - Rule", "ESCU - Logon Script Event Trigger Execution - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Malicious PowerShell Process With Obfuscation Techniques - Rule", "ESCU - MSI Module Loaded by Non-System Binary - Rule", "ESCU - Overwriting Accessibility Binaries - Rule", "ESCU - Possible Lateral Movement PowerShell Spawn - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - PowerShell Domain Enumeration - Rule", "ESCU - Powershell Enable SMB1Protocol Feature - Rule", "ESCU - Powershell Execute COM Object - Rule", "ESCU - Powershell Fileless Process Injection via GetProcAddress - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Powershell Processing Stream Of Data - Rule", "ESCU - Powershell Using memory As Backing Store - Rule", "ESCU - Print Processor Registry Autostart - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Runas Execution in CommandLine - Rule", "ESCU - Screensaver Event Trigger Execution - Rule", "ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Time Provider Persistence Registry - Rule", "ESCU - Unloading AMSI via Reflection - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows Disable Memory Crash Dump - Rule", "ESCU - Windows File Without Extension In Critical Folder - Rule", "ESCU - Windows Modify Show Compress Color And Info Tip Registry - Rule", "ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - WMI Recon Running Process Or Services - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Rod Soto, Michael Haag, Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Email Attachments With Lots Of Spaces", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Suspicious Email Attachment Extensions", "source": "application", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}, {"name": "Suspicious Powershell Command-Line Arguments", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "PowerShell"}]}, {"name": "Uncommon Processes On Endpoint", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "Malicious File"}]}, {"name": "Active Setup Registry Autostart", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Active Setup"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Change Default File Association", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Change Default File Association"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Child Processes of Spoolsv exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Detect Empire with PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "ETW Registry Disabled", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Blocking"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Kerberoasting spn request with RC4 encryption", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}]}, {"name": "Linux Java Spawning Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Logon Script Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Boot or Logon Initialization Scripts"}, {"mitre_attack_technique": "Logon Script (Windows)"}]}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}, {"name": "Malicious PowerShell Process With Obfuscation Techniques", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "MSI Module Loaded by Non-System Binary", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "Overwriting Accessibility Binaries", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "Accessibility Features"}]}, {"name": "Possible Lateral Movement PowerShell Spawn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Remote Management"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "MMC"}]}, {"name": "PowerShell 4104 Hunting", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "PowerShell Domain Enumeration", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Powershell Enable SMB1Protocol Feature", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "Indicator Removal from Tools"}]}, {"name": "Powershell Execute COM Object", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Component Object Model Hijacking"}, {"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Powershell Fileless Process Injection via GetProcAddress", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "PowerShell Loading DotNET into Memory via Reflection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Powershell Processing Stream Of Data", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Powershell Using memory As Backing Store", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Print Processor Registry Autostart", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Gather Victim Host Information"}]}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Gather Victim Host Information"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Registry Keys Used For Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Image File Execution Options Injection"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Regsvr32 Silent and Install Param Dll Loading", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}, {"name": "Runas Execution in CommandLine", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Access Token Manipulation"}, {"mitre_attack_technique": "Token Impersonation/Theft"}]}, {"name": "Screensaver Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "Screensaver"}]}, {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Time Provider Persistence Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Time Providers"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Unloading AMSI via Reflection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}, {"name": "Windows Disable Memory Crash Dump", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Windows File Without Extension In Critical Folder", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Windows Modify Show Compress Color And Info Tip Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}, {"name": "WMI Recon Running Process Or Services", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Gather Victim Host Information"}]}]}, {"name": "Hidden Cobra Malware", "author": "Rico Valdez, Splunk", "date": "2020-01-22", "version": 2, "id": "baf7580b-d4b4-4774-8173-7d198e9da335", "description": "Monitor for and investigate activities, including the creation or deletion of hidden shares and file writes, that may be evidence of infiltration by North Korean government-sponsored cybercriminals. Details of this activity were reported in DHS Report TA-18-149A.", "references": ["https://web.archive.org/web/20191220004307/https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity", "https://web.archive.org/web/20220421112536/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf"], "narrative": "North Korea's government-sponsored \"cyber army\" has been slowly building momentum and gaining sophistication over the last 15 years or so. As a result, the group's activity, which the US government refers to as \"Hidden Cobra,\" has surreptitiously crept onto the collective radar as a preeminent global threat.\nThese state-sponsored actors are thought to be responsible for everything from a hack on a South Korean nuclear plant to an attack on Sony in anticipation of its release of the movie \"The Interview\" at the end of 2014. They're also notorious for cyberespionage. In recent years, the group seems to be focused on financial crimes, such as cryptojacking.\nIn June of 2018, The Department of Homeland Security, together with the FBI and other U.S. government partners, issued Technical Alert (TA-18-149A) to advise the public about two variants of North Korean malware. One variant, dubbed \"Joanap,\" is a multi-stage peer-to-peer botnet that allows North Korean state actors to exfiltrate data, download and execute secondary payloads, and initialize proxy communications. The other variant, \"Brambul,\" is a Windows32 SMB worm that is dropped into a victim network. When executed, the malware attempts to spread laterally within a victim's local subnet, connecting via the SMB protocol and initiating brute-force password attacks. It reports details to the Hidden Cobra actors via email, so they can use the information for secondary remote operations.\nAmong other searches in this Analytic Story is a detection search that looks for the creation or deletion of hidden shares, such as, \"adnim$,\" which the Hidden Cobra malware creates on the target system. Another looks for the creation of three malicious files associated with the malware. You can also use a search in this story to investigate activity that indicates that malware is sending email back to the attackers.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "APT5", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1071.002", "mitre_attack_technique": "File Transfer Protocols", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Dragonfly", "Kimsuky", "SilverTerrier"]}, {"mitre_attack_id": "T1071.004", "mitre_attack_technique": "DNS", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT39", "APT41", "Chimera", "Cobalt Group", "FIN7", "Ke3chang", "LazyScripter", "OilRig", "Tropic Trooper"]}, {"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1070.005", "mitre_attack_technique": "Network Share Connection Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Threat Group-3390"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Magic Hound", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}], "mitre_attack_tactics": ["Command And Control", "Exfiltration", "Execution", "Defense Evasion", "Lateral Movement"], "datamodels": ["Network_Traffic", "Endpoint", "Network_Resolution"], "kill_chain_phases": ["Installation", "Exploitation", "Actions on Objectives", "Command and Control"]}, "detection_names": ["ESCU - First time seen command line argument - Rule", "ESCU - Suspicious File Write - Rule", "ESCU - Create or delete windows shares using net exe - Rule", "ESCU - Remote Desktop Process Running On System - Rule", "ESCU - Detect Outbound SMB Traffic - Rule", "ESCU - DNS Query Length Outliers - MLTK - Rule", "ESCU - DNS Query Length With High Standard Deviation - Rule", "ESCU - Remote Desktop Network Traffic - Rule", "ESCU - SMB Traffic Spike - Rule", "ESCU - SMB Traffic Spike - MLTK - Rule"], "investigation_names": ["Get DNS Server History for a host", "Get DNS traffic ratio", "Get History Of Email Sources", "Get Notable History", "Get Outbound Emails to Hidden Cobra Threat Actors", "Get Parent Process Info", "Get Process Info", "Get Process Information For Port Activity", "Get Process Responsible For The DNS Traffic", "Investigate Successful Remote Desktop Authentications"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "First time seen command line argument", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Windows Command Shell"}]}, {"name": "Suspicious File Write", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Create or delete windows shares using net exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Network Share Connection Removal"}]}, {"name": "Remote Desktop Process Running On System", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "Detect Outbound SMB Traffic", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "File Transfer Protocols"}, {"mitre_attack_technique": "Application Layer Protocol"}]}, {"name": "DNS Query Length Outliers - MLTK", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "DNS"}, {"mitre_attack_technique": "Application Layer Protocol"}]}, {"name": "DNS Query Length With High Standard Deviation", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}, {"name": "Remote Desktop Network Traffic", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "SMB Traffic Spike", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "SMB Traffic Spike - MLTK", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Remote Services"}]}]}, {"name": "IcedID", "author": "Teoderick Contreras, Splunk", "date": "2021-07-29", "version": 1, "id": "1d2cc747-63d7-49a9-abb8-93aa36305603", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the IcedID banking trojan, including looking for file writes associated with its payload, process injection, shellcode execution and data collection.", "references": ["https://threatpost.com/icedid-banking-trojan-surges-emotet/165314/", "https://app.any.run/tasks/48414a33-3d66-4a46-afe5-c2003bb55ccf/"], "narrative": "IcedId banking trojan campaigns targeting banks and other vertical sectors.This malware is known in Microsoft Windows OS targetting browser such as firefox and chrom to steal banking information. It is also known to its unique payload downloaded in C2 where it can be a .png file that hides the core shellcode bot using steganography technique or gzip dat file that contains \"license.dat\" which is the actual core icedid bot.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "APT5", "Akira", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN13", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "APT5", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Akira", "Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA2541", "TA551"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566.002", "mitre_attack_technique": "Spearphishing Link", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT41", "BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Scattered Spider", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1135", "mitre_attack_technique": "Network Share Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT32", "APT38", "APT39", "APT41", "Chimera", "DarkVishnya", "Dragonfly", "FIN13", "Sowbug", "Tonto Team", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Akira", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Scattered Spider", "Silence", "Threat Group-3390", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1005", "mitre_attack_technique": "Data from Local System", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT3", "APT37", "APT38", "APT39", "APT41", "Andariel", "Axiom", "BRONZE BUTLER", "CURIUM", "Dark Caracal", "Dragonfly", "FIN13", "FIN6", "FIN7", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HAFNIUM", "Inception", "Ke3chang", "Kimsuky", "LAPSUS$", "Lazarus Group", "LuminousMoth", "Magic Hound", "Patchwork", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "ToddyCat", "Turla", "Volt Typhoon", "Windigo", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1204.001", "mitre_attack_technique": "Malicious Link", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Command And Control", "Initial Access", "Collection", "Discovery", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Lateral Movement"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation", "Command and Control"]}, "detection_names": ["ESCU - Account Discovery With Net App - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - CHCP Command Execution - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Create Remote Thread In Shell Application - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Disable Defender AntiVirus Registry - Rule", "ESCU - Disable Defender BlockAtFirstSeen Feature - Rule", "ESCU - Disable Defender Enhanced Notification - Rule", "ESCU - Disable Defender MpEngine Registry - Rule", "ESCU - Disable Defender Spynet Reporting - Rule", "ESCU - Disable Defender Submit Samples Consent Feature - Rule", "ESCU - Disable Schedule Task - Rule", "ESCU - Disabling Defender Services - Rule", "ESCU - Drop IcedID License dat - Rule", "ESCU - Eventvwr UAC Bypass - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - FodHelper UAC Bypass - Rule", "ESCU - IcedID Exfiltrated Archived File Creation - Rule", "ESCU - Mshta spawning Rundll32 OR Regsvr32 Process - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Share Discovery Via Dir Command - Rule", "ESCU - NLTest Domain Trust Discovery - Rule", "ESCU - Office Application Spawn Regsvr32 process - Rule", "ESCU - Office Application Spawn rundll32 process - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawning MSHTA - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - Powershell Processing Stream Of Data - Rule", "ESCU - Powershell Using memory As Backing Store - Rule", "ESCU - Process Creating LNK file in Suspicious Location - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Remote System Discovery with Net - Rule", "ESCU - Remote WMI Command Attempt - Rule", "ESCU - Rundll32 Create Remote Thread To A Process - Rule", "ESCU - Rundll32 CreateRemoteThread In Browser - Rule", "ESCU - Rundll32 DNSQuery - Rule", "ESCU - Rundll32 Process Creating Exe Dll Files - Rule", "ESCU - RunDLL Loading DLL By Ordinal - Rule", "ESCU - Schedule Task with Rundll32 Command Trigger - Rule", "ESCU - Sqlite Module In Temp Folder - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Suspicious IcedID Rundll32 Cmdline - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Regsvr32 Register Suspicious Path - Rule", "ESCU - Suspicious Rundll32 dllregisterserver - Rule", "ESCU - Suspicious Rundll32 PluginInit - Rule", "ESCU - Windows AdFind Exe - Rule", "ESCU - Windows Curl Download to Suspicious Path - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule", "ESCU - Windows WMI Process Call Create - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule", "ESCU - Wmic NonInteractive App Uninstallation - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Account Discovery With Net App", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "CHCP Command Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Create Remote Thread In Shell Application", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}, {"name": "Disable Defender AntiVirus Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Defender BlockAtFirstSeen Feature", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Defender Enhanced Notification", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Defender MpEngine Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Defender Spynet Reporting", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Defender Submit Samples Consent Feature", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Schedule Task", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disabling Defender Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Drop IcedID License dat", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "User Execution"}, {"mitre_attack_technique": "Malicious File"}]}, {"name": "Eventvwr UAC Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "FodHelper UAC Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}, {"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "IcedID Exfiltrated Archived File Creation", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}, {"name": "Mshta spawning Rundll32 OR Regsvr32 Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}, {"name": "Network Connection Discovery With Arp", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "Network Share Discovery Via Dir Command", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Network Share Discovery"}]}, {"name": "NLTest Domain Trust Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Trust Discovery"}]}, {"name": "Office Application Spawn Regsvr32 process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Application Spawn rundll32 process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawning MSHTA", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Powershell Processing Stream Of Data", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Powershell Using memory As Backing Store", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Process Creating LNK file in Suspicious Location", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Link"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}, {"name": "Remote System Discovery with Net", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "Remote WMI Command Attempt", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "Rundll32 Create Remote Thread To A Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Rundll32 CreateRemoteThread In Browser", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Rundll32 DNSQuery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Rundll32 Process Creating Exe Dll Files", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "RunDLL Loading DLL By Ordinal", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Schedule Task with Rundll32 Command Trigger", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Sqlite Module In Temp Folder", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data from Local System"}]}, {"name": "Suspicious Copy on System32", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "Masquerading"}]}, {"name": "Suspicious IcedID Rundll32 Cmdline", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Suspicious Regsvr32 Register Suspicious Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}, {"name": "Suspicious Rundll32 dllregisterserver", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Suspicious Rundll32 PluginInit", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Windows AdFind Exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "Windows Curl Download to Suspicious Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Malicious Link"}, {"mitre_attack_technique": "User Execution"}]}, {"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}, {"name": "Windows WMI Process Call Create", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Scheduled Task"}]}, {"name": "Wmic NonInteractive App Uninstallation", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}]}, {"name": "IIS Components", "author": "Michael Haag, Splunk", "date": "2022-12-19", "version": 1, "id": "0fbde550-8252-43ab-a26a-03976f55b58b", "description": "Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence.", "references": ["https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", "https://attack.mitre.org/techniques/T1505/004/", "https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework-1.pdf", "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", "https://www.secureworks.com/research/bronze-union", "https://strontic.github.io/xcyclopedia/library/appcmd.exe-055B2B09409F980BF9B5A3969D01E5B2.html"], "narrative": "IIS provides several mechanisms to extend the functionality of the web servers. For example, Internet Server Application Programming Interface (ISAPI) extensions and filters can be installed to examine and/or modify incoming and outgoing IIS web requests. Extensions and filters are deployed as DLL files that export three functions - Get{Extension/Filter}Version, Http{Extension/Filter}Proc, and (optionally) Terminate{Extension/Filter}. IIS modules may also be installed to extend IIS web servers.\nAdversaries may install malicious ISAPI extensions and filters to observe and/or modify traffic, execute commands on compromised machines, or proxy command and control traffic. ISAPI extensions and filters may have access to all IIS web requests and responses. For example, an adversary may abuse these mechanisms to modify HTTP responses in order to distribute malicious commands/content to previously comprised hosts.\nAdversaries may also install malicious IIS modules to observe and/or modify traffic. IIS 7.0 introduced modules that provide the same unrestricted access to HTTP requests and responses as ISAPI extensions and filters. IIS modules can be written as a DLL that exports RegisterModule, or as a .NET application that interfaces with ASP.NET APIs to access IIS HTTP requests. (reference MITRE)", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.002", "mitre_attack_technique": "Disable Windows Event Logging", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound", "Threat Group-3390"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1505.004", "mitre_attack_technique": "IIS Components", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Persistence", "Defense Evasion"], "datamodels": ["Web", "Endpoint"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - Windows Disable Windows Event Logging Disable HTTP Logging - Rule", "ESCU - Windows IIS Components Add New Module - Rule", "ESCU - Windows IIS Components Get-WebGlobalModule Module Query - Rule", "ESCU - Windows IIS Components Module Failed to Load - Rule", "ESCU - Windows IIS Components New Module Added - Rule", "ESCU - Windows PowerShell Add Module to Global Assembly Cache - Rule", "ESCU - Windows PowerShell Disable HTTP Logging - Rule", "ESCU - Windows PowerShell IIS Components WebGlobalModule Usage - Rule", "ESCU - Windows Server Software Component GACUtil Install to GAC - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Disable Windows Event Logging Disable HTTP Logging", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable Windows Event Logging"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}, {"name": "Windows IIS Components Add New Module", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}, {"name": "Windows IIS Components Get-WebGlobalModule Module Query", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "IIS Components"}, {"mitre_attack_technique": "Server Software Component"}]}, {"name": "Windows IIS Components Module Failed to Load", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}, {"name": "Windows IIS Components New Module Added", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}, {"name": "Windows PowerShell Add Module to Global Assembly Cache", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}, {"name": "Windows PowerShell Disable HTTP Logging", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Disable Windows Event Logging"}, {"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}, {"name": "Windows PowerShell IIS Components WebGlobalModule Usage", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}, {"name": "Windows Server Software Component GACUtil Install to GAC", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}]}, {"name": "Industroyer2", "author": "Teoderick Contreras, Splunk", "date": "2022-04-21", "version": 1, "id": "7ff7db2b-b001-498e-8fe8-caf2dbc3428a", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Industroyer2 attack, including file writes associated with its payload, lateral movement, persistence, privilege escalation and data destruction.", "references": ["https://cert.gov.ua/article/39518", "https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/"], "narrative": "Industroyer2 is part of continuous attack to ukraine targeting energy facilities. This malware is a windows binary that implement IEC-104 protocol to communicate with industrial equipments. This attack consist of several destructive linux script component to wipe or delete several linux critical files, powershell for domain enumeration and caddywiper to wipe boot sector of the targeted host.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT41", "BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Scattered Spider", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1053.003", "mitre_attack_technique": "Cron", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT38", "APT5", "Rocke"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT", "ToddyCat"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Reconnaissance", "Discovery", "Credential Access", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Impact", "Lateral Movement"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Reconnaissance", "Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - AdsiSearcher Account Discovery - Rule", "ESCU - Attempted Credential Dump From Registry via Reg exe - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux DD File Overwrite - Rule", "ESCU - Linux Deleting Critical Directory Using RM Command - Rule", "ESCU - Linux Disable Services - Rule", "ESCU - Linux High Frequency Of File Deletion In Boot Folder - Rule", "ESCU - Linux Shred Overwrite Command - Rule", "ESCU - Linux Stdout Redirection To Dev Null File - Rule", "ESCU - Linux Stop Services - Rule", "ESCU - Linux System Network Discovery - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Hidden Schedule Task Settings - Rule", "ESCU - Windows Linked Policies In ADSI Discovery - Rule", "ESCU - Windows Processes Killed By Industroyer2 Malware - Rule", "ESCU - Windows Root Domain linked policies Discovery - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "AdsiSearcher Account Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Attempted Credential Dump From Registry via Reg exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Linux Adding Crontab Using List Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux DD File Overwrite", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Linux Deleting Critical Directory Using RM Command", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Linux Disable Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Service Stop"}]}, {"name": "Linux High Frequency Of File Deletion In Boot Folder", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Linux Shred Overwrite Command", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Linux Stdout Redirection To Dev Null File", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Linux Stop Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Service Stop"}]}, {"name": "Linux System Network Discovery", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Network Configuration Discovery"}]}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Gather Victim Host Information"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Schtasks Run Task On Demand", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Windows Hidden Schedule Task Settings", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Windows Linked Policies In ADSI Discovery", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Windows Processes Killed By Industroyer2 Malware", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Service Stop"}]}, {"name": "Windows Root Domain linked policies Discovery", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Scheduled Task"}]}]}, {"name": "Information Sabotage", "author": "Teoderick Contreras, Splunk", "date": "2021-11-17", "version": 1, "id": "b71ba595-ef80-4e39-8b66-887578a7a71b", "description": "Leverage searches that allow you to detect and investigate unusual activities that might correlate to insider threat specially in terms of information sabotage.", "references": ["https://insights.sei.cmu.edu/blog/insider-threat-deep-dive-it-sabotage/"], "narrative": "Information sabotage is the type of crime many people associate with insider threat. Where the current or former employees, contractors, or business partners intentionally exceeded or misused an authorized level of access to networks, systems, or data with the intention of harming a specific individual, the organization, or the organization's data, systems, and/or daily business operations.", "tags": {"category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud", "Splunk Behavioral Analytics"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - High Frequency Copy Of Files In Network Share - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "High Frequency Copy Of Files In Network Share", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}]}, {"name": "Ingress Tool Transfer", "author": "Michael Haag, Splunk", "date": "2021-03-24", "version": 1, "id": "b3782036-8cbd-11eb-9d8e-acde48001122", "description": "Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the Command And Control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP.", "references": ["https://attack.mitre.org/techniques/T1105/"], "narrative": "Ingress tool transfer is a Technique under tactic Command And Control. Behaviors will include the use of living off the land binaries to download implants or binaries over alternate communication ports. It is imperative to baseline applications on endpoints to understand what generates network activity, to where, and what is its native behavior. These utilities, when abused, will write files to disk in world writeable paths.\\ During triage, review the reputation of the remote public destination IP or domain. Capture any files written to disk and perform analysis. Review other parrallel processes for additional behaviors.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1197", "mitre_attack_technique": "BITS Jobs", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": ["APT39", "APT41", "Leviathan", "Patchwork", "Wizard Spider"]}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "Cinnamon Tempest", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "MoustachedBouncer", "POLONIUM", "Sandworm Team", "Turla", "Volt Typhoon", "Windigo"]}, {"mitre_attack_id": "T1095", "mitre_attack_technique": "Non-Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT3", "BITTER", "BackdoorDiplomacy", "FIN6", "HAFNIUM", "Metador", "PLATINUM", "ToddyCat"]}], "mitre_attack_tactics": ["Command And Control", "Collection", "Credential Access", "Persistence", "Execution", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation", "Command and Control"]}, "detection_names": ["ESCU - Any Powershell DownloadFile - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - BITSAdmin Download File - Rule", "ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - CertUtil Download With VerifyCtl and Split Arguments - Rule", "ESCU - Curl Download and Bash Execution - Rule", "ESCU - Detect Certify Command Line Arguments - Rule", "ESCU - Detect Certipy File Modifications - Rule", "ESCU - Linux Curl Upload File - Rule", "ESCU - Linux Ingress Tool Transfer Hunting - Rule", "ESCU - Linux Ingress Tool Transfer with Curl - Rule", "ESCU - Linux Proxy Socks Curl - Rule", "ESCU - Suspicious Curl Network Connection - Rule", "ESCU - Wget Download and Bash Execution - Rule", "ESCU - Windows Curl Download to Suspicious Path - Rule", "ESCU - Windows Curl Upload to Remote Destination - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "BITSAdmin Download File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "BITS Jobs"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "CertUtil Download With VerifyCtl and Split Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Curl Download and Bash Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Detect Certify Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Detect Certipy File Modifications", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}, {"mitre_attack_technique": "Archive Collected Data"}]}, {"name": "Linux Curl Upload File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Linux Ingress Tool Transfer Hunting", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Linux Ingress Tool Transfer with Curl", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Linux Proxy Socks Curl", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Non-Application Layer Protocol"}]}, {"name": "Suspicious Curl Network Connection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Wget Download and Bash Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Windows Curl Download to Suspicious Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Windows Curl Upload to Remote Destination", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}]}, {"name": "Insider Threat", "author": "Jose Hernandez, Splunk", "date": "2022-05-19", "version": 1, "id": "c633df29-a950-4c4c-a0f8-02be6730797c", "description": "Monitor for activities and techniques associated with insider threats and specifically focusing on malicious insiders operating with in a corporate environment.", "references": ["https://www.imperva.com/learn/application-security/insider-threats/", "https://www.cisa.gov/defining-insider-threats", "https://www.code42.com/glossary/types-of-insider-threats/", "https://github.com/Insider-Threat/Insider-Threat", "https://ctid.mitre-engenuity.org/our-work/insider-ttp-kb/"], "narrative": "Insider Threats are best defined by CISA: \"Insider threat incidents are possible in any sector or organization. An insider threat is typically a current or former employee, third-party contractor, or business partner. In their present or former role, the person has or had access to an organization's network systems, data, or premises, and uses their access (sometimes unwittingly). To combat the insider threat, organizations can implement a proactive, prevention-focused mitigation program to detect and identify threats, assess risk, and manage that risk - before an incident occurs.\" An insider is any person who has or had authorized access to or knowledge of an organization's resources, including personnel, facilities, information, equipment, networks, and systems. These are the common insiders that create insider threats: Departing Employees, Security Evaders, Malicious Insiders, and Negligent Employees. This story aims at detecting the malicious insider.", "tags": {"category": ["Adversary Tactics", "Account Compromise", "Lateral Movement", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud", "Splunk Behavioral Analytics"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1567.002", "mitre_attack_technique": "Exfiltration to Cloud Storage", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["Akira", "Chimera", "Cinnamon Tempest", "Confucius", "Earth Lusca", "FIN7", "HAFNIUM", "HEXANE", "Kimsuky", "Leviathan", "LuminousMoth", "POLONIUM", "Scattered Spider", "Threat Group-3390", "ToddyCat", "Turla", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1219", "mitre_attack_technique": "Remote Access Software", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Akira", "Carbanak", "Cobalt Group", "DarkVishnya", "Evilnum", "FIN7", "GOLD SOUTHFIELD", "Kimsuky", "MuddyWater", "Mustang Panda", "RTM", "Sandworm Team", "Scattered Spider", "TeamTNT", "Thrip"]}, {"mitre_attack_id": "T1537", "mitre_attack_technique": "Transfer Data to Cloud Account", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1567", "mitre_attack_technique": "Exfiltration Over Web Service", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT28", "Magic Hound"]}, {"mitre_attack_id": "T1078.003", "mitre_attack_technique": "Local Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT32", "FIN10", "FIN7", "HAFNIUM", "Kimsuky", "PROMETHIUM", "Tropic Trooper", "Turla"]}, {"mitre_attack_id": "T1552.001", "mitre_attack_technique": "Credentials In Files", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "FIN13", "Fox Kitten", "Kimsuky", "Leafminer", "MuddyWater", "OilRig", "Scattered Spider", "TA505", "TeamTNT"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}], "mitre_attack_tactics": ["Command And Control", "Initial Access", "Exfiltration", "Credential Access", "Privilege Escalation", "Persistence", "Defense Evasion"], "datamodels": ["Network_Traffic", "Authentication", "Endpoint", "Network_Resolution"], "kill_chain_phases": ["Exploitation", "Delivery", "Actions on Objectives", "Installation", "Command and Control"]}, "detection_names": ["ESCU - Gsuite Drive Share In External Email - Rule", "ESCU - Gsuite Outbound Email With Attachment To External Domain - Rule", "ESCU - Detect Remote Access Software Usage File - Rule", "ESCU - Detect Remote Access Software Usage FileInfo - Rule", "ESCU - Detect Remote Access Software Usage Process - Rule", "ESCU - High Frequency Copy Of Files In Network Share - Rule", "ESCU - Potential password in username - Rule", "ESCU - Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials - Rule", "ESCU - Windows Multiple Users Failed To Authenticate From Process - Rule", "ESCU - Windows Remote Access Software Hunt - Rule", "ESCU - Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials - Rule", "ESCU - Windows Unusual Count Of Users Failed To Authenticate From Process - Rule", "ESCU - Detect Remote Access Software Usage DNS - Rule", "ESCU - Detect Remote Access Software Usage Traffic - Rule", "ESCU - Detect Remote Access Software Usage URL - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Jose Hernandez", "detections": [{"name": "Gsuite Drive Share In External Email", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exfiltration to Cloud Storage"}, {"mitre_attack_technique": "Exfiltration Over Web Service"}]}, {"name": "Gsuite Outbound Email With Attachment To External Domain", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}, {"name": "Detect Remote Access Software Usage File", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}, {"name": "Detect Remote Access Software Usage FileInfo", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}, {"name": "Detect Remote Access Software Usage Process", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}, {"name": "High Frequency Copy Of Files In Network Share", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}, {"name": "Potential password in username", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Local Accounts"}, {"mitre_attack_technique": "Credentials In Files"}]}, {"name": "Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Multiple Users Failed To Authenticate From Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Remote Access Software Hunt", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}, {"name": "Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Unusual Count Of Users Failed To Authenticate From Process", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Detect Remote Access Software Usage DNS", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}, {"name": "Detect Remote Access Software Usage Traffic", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}, {"name": "Detect Remote Access Software Usage URL", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}]}, {"name": "Ivanti Connect Secure VPN Vulnerabilities", "author": "Michael Haag, Splunk", "date": "2024-01-16", "version": 1, "id": "e3b5c3b8-082b-4b4e-b2c9-47ed79e2a5ab", "description": "The following analytic story addresses critical vulnerabilities CVE-2023-46805 and CVE-2024-21887 in Ivanti Connect Secure and Ivanti Policy Secure Gateways. CVE-2023-46805 is an authentication bypass vulnerability, while CVE-2024-21887 is a command injection flaw, both presenting significant risks in versions 9.x and 22.x. Combined, these vulnerabilities enable unauthenticated threat actors to execute arbitrary commands, compromising system integrity. Immediate mitigation is imperative, with patches scheduled for staggered release. Ivanti has provided interim mitigation steps, and it's crucial for customers to apply these measures to protect their systems against potential exploits.", "references": ["https://github.com/RootUp/PersonalStuff/blob/master/http-vuln-cve2023-46805_2024_21887.nse", "https://github.com/projectdiscovery/nuclei-templates/blob/c6b351e71b0fb0e40e222e97038f1fe09ac58194/http/misconfiguration/ivanti/CVE-2023-46085-CVE-2024-21887-mitigation-not-applied.yaml", "https://github.com/rapid7/metasploit-framework/pull/18708/files", "https://attackerkb.com/topics/AdUh6by52K/cve-2023-46805/rapid7-analysis", "https://labs.watchtowr.com/welcome-to-2024-the-sslvpn-chaos-continues-ivanti-cve-2023-46805-cve-2024-21887/", "https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/", "https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day", "https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US"], "narrative": "Ivanti Connect Secure and Ivanti Policy Secure gateways face a severe security challenge with the discovery of CVE-2023-46805 and CVE-2024-21887. CVE-2023-46805 allows attackers to bypass authentication in critical web components of versions 9.x and 22.x. More alarmingly, when paired with CVE-2024-21887, a command injection vulnerability, it enables remote attackers to execute arbitrary commands without authentication. This combination poses a heightened threat, undermining the security of enterprise networks. Ivanti has mobilized resources to address these vulnerabilities, offering immediate mitigation advice and scheduling patch releases. Customers are urged to apply these mitigations without delay to safeguard their networks.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Web"], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint - Rule", "ESCU - Ivanti Connect Secure Command Injection Attempts - Rule", "ESCU - Ivanti Connect Secure SSRF in SAML Component - Rule", "ESCU - Ivanti Connect Secure System Information Access via Auth Bypass - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}, {"name": "Ivanti Connect Secure Command Injection Attempts", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}, {"name": "Ivanti Connect Secure SSRF in SAML Component", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}, {"name": "Ivanti Connect Secure System Information Access via Auth Bypass", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}]}, {"name": "Ivanti EPMM Remote Unauthenticated Access", "author": "Michael Haag, Splunk", "date": "2023-08-08", "version": 2, "id": "7e36ca54-c096-4a39-b724-6fc935164f0c", "description": "Ivanti, a leading technology company, has disclosed two critical zero-day vulnerabilities in its Endpoint Manager Mobile (EPMM) product, CVE-2023-35078 and CVE-2023-35081. A recent update concerning CVE-2023-35082, closely related to CVE-2023-35078, reveals its impact on more versions of Ivanti's software than initially believed. The former allows unauthenticated attackers to obtain sensitive data, modify servers, and access the API, potentially leading to data breaches or malicious system modifications. Meanwhile, CVE-2023-35081 lets authenticated administrators remotely write arbitrary files to the server. Both vulnerabilities have been exploited in targeted attacks against government ministries and could be used in conjunction. With the presence of PoC code for CVE-2023-35078, the risk of broader exploitation has increased. While initially leveraged in limited attacks, the exploitation is expected to rise, possibly involving state-sponsored actors. Organizations are urged to apply immediate patches and conduct regular system assessments to ensure security.", "references": ["https://www.securityweek.com/second-ivanti-epmm-zero-day-vulnerability-exploited-in-targeted-attacks/", "https://www.cisa.gov/news-events/alerts/2023/07/28/ivanti-releases-security-updates-epmm-address-cve-2023-35081", "https://nvd.nist.gov/vuln/detail/CVE-2023-35078", "https://forums.ivanti.com/s/article/CVE-2023-35078-Remote-unauthenticated-API-access-vulnerability?language=en_US"], "narrative": "Ivantis Endpoint Manager Mobile (EPMM) product, formerly known as MobileIron Core and extensively utilized by IT teams to manage mobile devices, applications, and content, has been found to harbor several critical vulnerabilities. Specifically, CVE-2023-35078 allows remote unauthenticated attackers to access sensitive data and make changes to servers. This flaw has been leveraged in targeted attacks against Norwegian government ministries. In addition, CVE-2023-35081 permits an authenticated attacker with administrative privileges to remotely write arbitrary files to the server.\nRecently, attention has shifted to CVE-2023-35082, which was initially believed to affect only MobileIron Core 11.2 and below. Subsequent investigations revealed its wider influence, affecting EPMM versions 11.10, 11.9, 11.8, and MobileIron Core 11.7 and earlier. This vulnerability facilitates unauthorized access to the API via the URI path /mifs/asfV3/api/v2/.\nWhen combined, these vulnerabilities can be exploited to bypass administrative authentication and access control list (ACL) restrictions, leading to malicious file writing and potential OS command execution. Both have been actively exploited, possibly by state-sponsored actors, prompting urgent advisories from Ivanti and Rapid7, alongside CISA. Given the thousands of potentially vulnerable internet-exposed systems and the presence of PoC code for CVE-2023-35078, the risk of extensive exploitation escalates. The situation is further muddled by Ivanti's 2020 acquisition of MobileIron, which had its known issues. Collectively, these vulnerabilities present a significant risk to organizations utilizing Ivanti's EPMM, emphasizing the need for swift patching, vigilant monitoring, and timely application of fixes to counteract potential threats.", "tags": {"category": ["Vulnerability", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}], "mitre_attack_tactics": ["Persistence", "Initial Access"], "datamodels": ["Web"], "kill_chain_phases": ["Installation", "Delivery"]}, "detection_names": ["ESCU - Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078 - Rule", "ESCU - Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}]}, {"name": "Ivanti Sentry Authentication Bypass CVE-2023-38035", "author": "Michael Haag, Splunk", "date": "2023-08-24", "version": 1, "id": "da229be2-4637-47a5-b551-1d4b64f411c6", "description": "A critical vulnerability, designated as CVE-2023-38035, has been identified in Ivanti Sentry (formerly MobileIron Sentry). It affects all supported versions, including 9.18, 9.17, and 9.16, as well as older versions. The vulnerability allows an unauthenticated attacker to access the System Manager Portal (typically hosted on port 8443) and make configuration changes, potentially executing OS commands as root. However, the risk is low for users who haven't exposed port 8443 online. This flaw is distinct from other Ivanti products. It's imperative for organizations to check for unrecognized HTTP requests to /services/* as a potential indicator of compromise.", "references": ["https://github.com/horizon3ai/CVE-2023-38035/blob/main/CVE-2023-38035.py", "https://www.horizon3.ai/ivanti-sentry-authentication-bypass-cve-2023-38035-deep-dive/", "https://forums.ivanti.com/s/article/KB-API-Authentication-Bypass-on-Sentry-Administrator-Interface-CVE-2023-38035?language=en_US"], "narrative": "CVE-2023-38035 presents a significant security risk in the Ivanti Sentry administration interface. The vulnerability was identified shortly after another notable vulnerability in Ivanti EPMM (CVE-2023-35078) was discovered being exploited in the wild. The current vulnerability allows a malicious actor, without requiring authentication, to access the System Manager Portal, typically hosted on port 8443. Upon successful exploitation, the attacker can make configuration alterations to both the Sentry system and its underlying OS. The potential damage is significant, enabling the attacker to execute commands on the system with root privileges.\nWhile this vulnerability scored high on the CVSS scale, its risk is relatively mitigated for clients who have not exposed port 8443 to the internet. The primary exploitation vector is the System Manager Portal, an administrative interface for Sentry.\nAs of now, definitive indicators of compromise (IoCs) are elusive. However, any unexpected HTTP requests to the endpoint /services/* could be a red flag. It's worth noting that the exploited endpoint might not be the sole vulnerable point, suggesting other potential gateways for attackers. Ivanti Sentry's system doesn't provide a typical Unix shell, but in the event of a known system breach, the /var/log/tomcat2/ directory contains access logs that may reveal accessed endpoints. Additionally, web interface logs may provide insights into suspicious activities and should be monitored closely.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Ivanti Sentry Authentication Bypass - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Ivanti Sentry Authentication Bypass", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}]}, {"name": "JBoss Vulnerability", "author": "Bhavin Patel, Splunk", "date": "2017-09-14", "version": 1, "id": "1f5294cb-b85f-4c2d-9c58-ffcf248f52bd", "description": "In March of 2016, adversaries were seen using JexBoss--an open-source utility used for testing and exploiting JBoss application servers. These searches help detect evidence of these attacks, such as network connections to external resources or web services spawning atypical child processes, among others.", "references": ["http://www.deependresearch.org/2016/04/jboss-exploits-view-from-victim.html"], "narrative": "This Analytic Story looks for probing and exploitation attempts targeting JBoss application servers. While the vulnerabilities associated with this story are rather dated, they were leveraged in a spring 2016 campaign in connection with the Samsam ransomware variant. Incidents involving this ransomware are unique, in that they begin with attacks against vulnerable services, rather than the phishing or drive-by attacks more common with ransomware. In this case, vulnerable JBoss applications appear to be the target of choice.\nIt is helpful to understand how often a notable event generated by this story occurs, as well as the commonalities between some of these events, both of which may provide clues about whether this is a common occurrence of minimal concern or a rare event that may require more extensive investigation. It may also help to understand whether the issue is restricted to a single user/system or whether it is broader in scope.\nWhen looking at the target of the behavior uncovered by the event, you should note the sensitivity of the user and or/system to help determine the potential impact. It is also helpful to identify other recent events involving the target. This can help tie different events together and give further situational awareness regarding the target host.\nVarious types of information for external systems should be reviewed and, potentially, collected if the incident is, indeed, judged to be malicious. This data may be useful for generating your own threat intelligence, so you can create future alerts.\nThe following factors may assist you in determining whether the event is malicious:\n1. Country of origin\n1. Responsible party\n1. Fully qualified domain names associated with the external IP address\n1. Registration of fully qualified domain names associated with external IP address Determining whether it is a dynamic domain frequently visited by others and/or how third parties categorize it can also help you qualify and understand the event and possible motivation for the attack. In addition, there are various sources that may provide reputation information on the IP address or domain name, which can assist you in determining whether the event is malicious in nature. Finally, determining whether there are other events associated with the IP address may help connect data points or expose other historic events that might be brought back into scope.\nGathering various data on the system of interest can sometimes help quickly determine whether something suspicious is happening. Some of these items include determining who else may have logged into the system recently, whether any unusual scheduled tasks exist, whether the system is communicating on suspicious ports, whether there are modifications to sensitive registry keys, and/or whether there are any known vulnerabilities on the system. This information can often highlight other activity commonly seen in attack scenarios or give more information about how the system may have been targeted.\nhen a specific service or application is targeted, it is often helpful to know the associated version, to help determine whether it is vulnerable to a specific exploit.\nIf you suspect an attack targeting a web server, it is helpful to look at some of the behavior of the web service to see if there is evidence that the service has been compromised. Some indications of this might be network connections to external resources, the web service spawning child processes that are not associated with typical behavior, and whether the service wrote any files that might be malicious in nature.\nIf a suspicious file is found, we can review more information about it to help determine if it is, in fact, malicious. Identifying the file type, any processes that opened the file, the processes that may have created and/or modified the file, and how many other systems potentially have this file can you determine whether the file is malicious. Also, determining the file hash and checking it against reputation sources, such as VirusTotal, can sometimes help you quickly determine if it is malicious in nature.\nOften, a simple inspection of a suspect process name and path can tell you if the system has been compromised. For example, if svchost.exe is found running from a location other than `C:\\Windows\\System32`, it is likely something malicious designed to hide in plain sight when simply reviewing process names.\nIt can also be helpful to examine various behaviors of and the parent of the process of interest. For example, if it turns out the process of interest is malicious, it would be good to see whether the parent process spawned other processes that might also warrant further scrutiny. If a process is suspect, a review of the network connections made around the time of the event and noting whether the process has spawned any child processes could be helpful in determining whether it is malicious or executing a malicious script.", "tags": {"category": ["Vulnerability"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1082", "mitre_attack_technique": "System Information Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT19", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "Blue Mockingbird", "Chimera", "Confucius", "Darkhotel", "FIN13", "FIN8", "Gamaredon Group", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Malteiro", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Sowbug", "Stealth Falcon", "TA2541", "TeamTNT", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Windigo", "Windshift", "Wizard Spider", "ZIRCONIUM", "admin@338"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}], "mitre_attack_tactics": ["Persistence", "Discovery", "Initial Access"], "datamodels": ["Web"], "kill_chain_phases": ["Installation", "Delivery", "Exploitation"]}, "detection_names": ["ESCU - Detect attackers scanning for vulnerable JBoss servers - Rule", "ESCU - Detect malicious requests to exploit JBoss servers - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect attackers scanning for vulnerable JBoss servers", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "System Information Discovery"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Detect malicious requests to exploit JBoss servers", "source": "web", "type": "TTP", "tags": []}]}, {"name": "Jenkins Server Vulnerabilities", "author": "Michael Haag, Splunk", "date": "2024-01-29", "version": 1, "id": "789e76e6-4b5e-4af3-ab8c-46578d84ccff", "description": "This analytic story provides a comprehensive view of Jenkins server vulnerabilities and associated detection analytics.", "references": ["https://www.jenkins.io/security/advisory/2024-01-24/"], "narrative": "The following analytic story provides a comprehensive view of Jenkins server vulnerabilities and associated detection analytics. Jenkins is a popular open-source automation server that is used to automate tasks associated with building, testing, and deploying software. Jenkins is often used in DevOps environments and is a critical component of the software development lifecycle. As a result, Jenkins servers are often targeted by adversaries to gain access to sensitive information, credentials, and other critical assets. This analytic story provides a comprehensive view of Jenkins server vulnerabilities and associated detection analytics.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Jenkins Arbitrary File Read CVE-2024-23897 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Jenkins Arbitrary File Read CVE-2024-23897", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}]}, {"name": "JetBrains TeamCity Unauthenticated RCE", "author": "Michael Haag, Splunk", "date": "2023-10-01", "version": 1, "id": "7ef2d230-9dbb-4d13-9263-a7d8c3aad9bf", "description": "A critical security vulnerability, CVE-2023-42793, has been discovered affecting all versions of TeamCity On-Premises up to 2023.05.3. This vulnerability allows unauthenticated attackers to execute remote code and gain administrative control of the TeamCity server, posing a significant risk for supply chain attacks. Although the issue has been fixed in version 2023.05.4, servers running older versions remain at risk. A security patch plugin has been released for immediate mitigation, applicable to TeamCity versions 8.0 and above. Organizations are strongly advised to update to the fixed version or apply the security patch, especially if their TeamCity server is publicly accessible. No impact has been reported on TeamCity Cloud as it has been upgraded to the secure version.", "references": ["https://blog.jetbrains.com/teamcity/2023/09/critical-security-issue-affecting-teamcity-on-premises-update-to-2023-05-4-now/", "https://www.sonarsource.com/blog/teamcity-vulnerability/", "https://github.com/rapid7/metasploit-framework/pull/18408", "https://attackerkb.com/topics/1XEEEkGHzt/cve-2023-42793/rapid7-analysis"], "narrative": "The CVE-2023-42793 vulnerability in TeamCity On-Premises allows an unauthenticated attacker to bypass authentication and gain administrative access through Remote Code Execution (RCE). Specifically, the attacker can send a malicious POST request to /app/rest/users/id:1/tokens/RPC2 to create an administrative token. Once the token is obtained, the attacker has the ability to perform various unauthorized activities, including creating new admin users and executing arbitrary shell commands on the server. For Splunk Security Content, the focus should be on identifying suspicious POST requests to /app/rest/users/id:1/tokens/RPC2 and other affected API endpoints, as this is the initial point of exploitation. Monitoring logs for changes to the internal.properties file or the creation of new admin users could also provide crucial indicators of compromise. Furthermore, Splunk can be configured to alert on multiple failed login attempts followed by a successful login from the same IP, which could indicate exploitation attempts.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - JetBrains TeamCity RCE Attempt - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "JetBrains TeamCity RCE Attempt", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}]}, {"name": "JetBrains TeamCity Vulnerabilities", "author": "Michael Haag, Splunk", "date": "2024-03-04", "version": 1, "id": "3cd841e8-2f64-45e8-b148-7767255db111", "description": "This story provides a high-level overview of JetBrains TeamCity vulnerabilities and how to detect and respond to them using Splunk.", "references": ["https://www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/", "https://blog.jetbrains.com/teamcity/2024/03/teamcity-2023-11-4-is-out/", "https://blog.jetbrains.com/teamcity/2024/03/additional-critical-security-issues-affecting-teamcity-on-premises-cve-2024-27198-and-cve-2024-27199-update-to-2023-11-4-now/"], "narrative": "JetBrains TeamCity is a continuous integration and deployment server that allows developers to automate the process of building, testing, and deploying code. It is a popular tool used by many organizations to streamline their development and deployment processes. However, like any software, JetBrains TeamCity is not immune to vulnerabilities.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Web"], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - JetBrains TeamCity Authentication Bypass CVE-2024-27198 - Rule", "ESCU - JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198 - Rule", "ESCU - JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199 - Rule", "ESCU - JetBrains TeamCity RCE Attempt - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "JetBrains TeamCity Authentication Bypass CVE-2024-27198", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}, {"name": "JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}, {"name": "JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}, {"name": "JetBrains TeamCity RCE Attempt", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}]}, {"name": "Juniper JunOS Remote Code Execution", "author": "Michael Haag, Splunk", "date": "2023-08-29", "version": 1, "id": "3fcef843-c97e-4cf3-a72f-749be480cee3", "description": "Juniper Networks has resolved multiple critical vulnerabilities in the J-Web component of Junos OS on SRX and EX Series devices. These vulnerabilities, when chained together, could allow an unauthenticated, network-based attacker to remotely execute code on the devices. The vulnerabilities affect all versions of Junos OS on SRX and EX Series, but specific fixes have been released to address each vulnerability. Juniper Networks recommends applying the necessary fixes to mitigate potential remote code execution threats. As a workaround, users can disable J-Web or limit access to only trusted hosts. Proof-of-concept (PoC) exploit code has been released, demonstrating the severity of these flaws and the urgency to apply the fixes.", "references": ["https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution?language=en_US", "https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-36844.yaml", "https://thehackernews.com/2023/08/new-juniper-junos-os-flaws-expose.html", "https://github.com/watchtowrlabs/juniper-rce_cve-2023-36844", "https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/"], "narrative": "Juniper Networks, a networking hardware company, has released an \"out-of-cycle\" security update to address multiple flaws in the J-Web component of Junos OS that could be combined to achieve remote code execution on susceptible installations. The flaws have a cumulative CVSS rating of 9.8, making them critical in severity. They affect all versions of Junos OS on SRX and EX Series. The J-Web interface allows users to configure, manage, and monitor Junos OS devices. The vulnerabilities include two PHP external variable modification vulnerabilities (CVE-2023-36844 and CVE-2023-36845) and two missing authentications for critical function vulnerabilities (CVE-2023-36846 and CVE-2023-36847). These vulnerabilities could allow an unauthenticated, network-based attacker to control certain important environment variables, cause limited impact to the file system integrity, or upload arbitrary files via J-Web without any authentication.\nThe vulnerabilities have been addressed in specific Junos OS versions for EX Series and SRX Series devices. Users are recommended to apply the necessary fixes to mitigate potential remote code execution threats. As a workaround, Juniper Networks suggests disabling J-Web or limiting access to only trusted hosts.\nAdditionally, a PoC exploit has been released by watchTowr, combining CVE-2023-36846 and CVE-2023-36845 to upload a PHP file containing malicious shellcode and achieve code execution by injecting the PHPRC environment variable to point to a configuration file to load the booby-trapped PHP script. WatchTowr noted that this is an interesting bug chain, utilizing two bugs that would be near-useless in isolation and combining them for a \"world-ending\" unauthenticated remote code execution.\nIn conclusion, these vulnerabilities pose a significant threat to Juniper SRX and EX Series devices, and it is imperative for users to apply the necessary fixes or implement the recommended workaround to mitigate the potential impact.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Juniper Networks Remote Code Execution Exploit Detection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Juniper Networks Remote Code Execution Exploit Detection", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "Ingress Tool Transfer"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}]}, {"name": "Kubernetes Scanning Activity", "author": "Rod Soto, Splunk", "date": "2020-04-15", "version": 1, "id": "a9ef59cf-e981-4e66-9eef-bb049f695c09", "description": "This story addresses detection against Kubernetes cluster fingerprint scan and attack by providing information on items such as source ip, user agent, cluster names.", "references": ["https://github.com/splunk/cloud-datamodel-security-research"], "narrative": "Kubernetes is the most used container orchestration platform, this orchestration platform contains sensitve information and management priviledges of production workloads, microservices and applications. These searches allow operator to detect suspicious unauthenticated requests from the internet to kubernetes cluster.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1526", "mitre_attack_technique": "Cloud Service Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Discovery"], "datamodels": ["Email"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Amazon EKS Kubernetes cluster scan detection - Rule", "ESCU - Amazon EKS Kubernetes Pod scan detection - Rule", "ESCU - GCP Kubernetes cluster pod scan detection - Rule", "ESCU - GCP Kubernetes cluster scan detection - Rule", "ESCU - Kubernetes Azure pod scan fingerprint - Rule", "ESCU - Kubernetes Azure scan fingerprint - Rule"], "investigation_names": ["Amazon EKS Kubernetes activity by src ip", "GCP Kubernetes activity by src ip", "Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rod Soto", "detections": [{"name": "Amazon EKS Kubernetes cluster scan detection", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cloud Service Discovery"}]}, {"name": "Amazon EKS Kubernetes Pod scan detection", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cloud Service Discovery"}]}, {"name": "GCP Kubernetes cluster pod scan detection", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cloud Service Discovery"}]}, {"name": "GCP Kubernetes cluster scan detection", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Cloud Service Discovery"}]}, {"name": "Kubernetes Azure pod scan fingerprint", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes Azure scan fingerprint", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cloud Service Discovery"}]}]}, {"name": "Kubernetes Security", "author": "Patrick Bareiss", "date": "2023-12-06", "version": 1, "id": "77006b3a-306c-4e32-afd5-30b6e40c1c41", "description": "Kubernetes, as a container orchestration platform, faces unique security challenges. This story explores various tactics and techniques adversaries use to exploit Kubernetes environments, including attacking the control plane, exploiting misconfigurations, and compromising containerized applications.", "references": ["https://kubernetes.io/docs/concepts/security/"], "narrative": "Kubernetes, a widely used container orchestration system, presents a complex environment that can be targeted by adversaries. Key areas of concern include the control plane, worker nodes, and network communication. Attackers may attempt to exploit vulnerabilities in the Kubernetes API, misconfigured containers, or insecure network policies. The control plane, responsible for managing cluster operations, is a prime target. Compromising this can give attackers control over the entire cluster. Worker nodes, running the containerized applications, can be targeted to disrupt services or to gain access to sensitive data. Common attack vectors include exploiting vulnerabilities in container images, misconfigured role-based access controls (RBAC), exposed Kubernetes dashboards, and insecure network configurations. Attackers can also target the supply chain, injecting malicious code into container images or Helm charts. To mitigate these threats, it is essential to enforce robust security practices such as regular vulnerability scanning, implementing least privilege access, securing the control plane, network segmentation, and continuous monitoring for suspicious activities. Tools like Kubernetes Network Policies, Pod Security Policies, and third-party security solutions can provide additional layers of defense.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1526", "mitre_attack_technique": "Cloud Service Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1552.007", "mitre_attack_technique": "Container API", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1046", "mitre_attack_technique": "Network Service Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "APT41", "BackdoorDiplomacy", "BlackTech", "Chimera", "Cobalt Group", "DarkVishnya", "FIN13", "FIN6", "Fox Kitten", "Lazarus Group", "Leafminer", "Magic Hound", "Naikon", "OilRig", "Rocke", "Suckfly", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1053.007", "mitre_attack_technique": "Container Orchestration Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Discovery", "Privilege Escalation", "Credential Access", "Persistence", "Execution"], "datamodels": [], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - Kubernetes Abuse of Secret by Unusual Location - Rule", "ESCU - Kubernetes Abuse of Secret by Unusual User Agent - Rule", "ESCU - Kubernetes Abuse of Secret by Unusual User Group - Rule", "ESCU - Kubernetes Abuse of Secret by Unusual User Name - Rule", "ESCU - Kubernetes Access Scanning - Rule", "ESCU - Kubernetes AWS detect suspicious kubectl calls - Rule", "ESCU - Kubernetes Create or Update Privileged Pod - Rule", "ESCU - Kubernetes Cron Job Creation - Rule", "ESCU - Kubernetes DaemonSet Deployed - Rule", "ESCU - Kubernetes Falco Shell Spawned - Rule", "ESCU - Kubernetes Node Port Creation - Rule", "ESCU - Kubernetes Pod Created in Default Namespace - Rule", "ESCU - Kubernetes Pod With Host Network Attachment - Rule", "ESCU - Kubernetes Scanning by Unauthenticated IP Address - Rule", "ESCU - Kubernetes Suspicious Image Pulling - Rule", "ESCU - Kubernetes Unauthorized Access - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "no", "author_name": "Patrick Bareiss", "detections": [{"name": "Kubernetes Abuse of Secret by Unusual Location", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Container API"}]}, {"name": "Kubernetes Abuse of Secret by Unusual User Agent", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Container API"}]}, {"name": "Kubernetes Abuse of Secret by Unusual User Group", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Container API"}]}, {"name": "Kubernetes Abuse of Secret by Unusual User Name", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Container API"}]}, {"name": "Kubernetes Access Scanning", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Network Service Discovery"}]}, {"name": "Kubernetes AWS detect suspicious kubectl calls", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Create or Update Privileged Pod", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Kubernetes Cron Job Creation", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Container Orchestration Job"}]}, {"name": "Kubernetes DaemonSet Deployed", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Kubernetes Falco Shell Spawned", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Kubernetes Node Port Creation", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Kubernetes Pod Created in Default Namespace", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Kubernetes Pod With Host Network Attachment", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Kubernetes Scanning by Unauthenticated IP Address", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Network Service Discovery"}]}, {"name": "Kubernetes Suspicious Image Pulling", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Service Discovery"}]}, {"name": "Kubernetes Unauthorized Access", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}]}, {"name": "Kubernetes Sensitive Object Access Activity", "author": "Rod Soto, Splunk", "date": "2020-05-20", "version": 1, "id": "c7d4dbf0-a171-4eaf-8444-4f40392e4f92", "description": "This story addresses detection and response of accounts acccesing Kubernetes cluster sensitive objects such as configmaps or secrets providing information on items such as user user, group. object, namespace and authorization reason.", "references": ["https://www.splunk.com/en_us/blog/security/approaching-kubernetes-security-detecting-kubernetes-scan-with-splunk.html"], "narrative": "Kubernetes is the most used container orchestration platform, this orchestration platform contains sensitive objects within its architecture, specifically configmaps and secrets, if accessed by an attacker can lead to further compromise. These searches allow operator to detect suspicious requests against Kubernetes sensitive objects.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - AWS EKS Kubernetes cluster sensitive object access - Rule", "ESCU - Kubernetes AWS detect service accounts forbidden failure access - Rule", "ESCU - Kubernetes Azure detect sensitive object access - Rule", "ESCU - Kubernetes Azure detect service accounts forbidden failure access - Rule", "ESCU - Kubernetes Azure detect suspicious kubectl calls - Rule", "ESCU - Kubernetes GCP detect sensitive object access - Rule", "ESCU - Kubernetes GCP detect service accounts forbidden failure access - Rule", "ESCU - Kubernetes GCP detect suspicious kubectl calls - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rod Soto", "detections": [{"name": "AWS EKS Kubernetes cluster sensitive object access", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes AWS detect service accounts forbidden failure access", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes Azure detect sensitive object access", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes Azure detect service accounts forbidden failure access", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes Azure detect suspicious kubectl calls", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes GCP detect sensitive object access", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes GCP detect service accounts forbidden failure access", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes GCP detect suspicious kubectl calls", "source": "deprecated", "type": "Hunting", "tags": []}]}, {"name": "Linux Living Off The Land", "author": "Michael Haag, Splunk", "date": "2022-07-27", "version": 1, "id": "e405a2d7-dc8e-4227-8e9d-f60267b8c0cd", "description": "Linux Living Off The Land consists of binaries that may be used to bypass local security restrictions within misconfigured systems.", "references": ["https://gtfobins.github.io/"], "narrative": "Similar to Windows LOLBAS project, the GTFOBins project focuses solely on Unix binaries that may be abused in multiple categories including Reverse Shell, File Upload, File Download and much more. These binaries are native to the operating system and the functionality is typically native. The behaviors are typically not malicious by default or vulnerable, but these are built in functionality of the applications. When reviewing any notables or hunting through mountains of events of interest, it's important to identify the binary, review command-line arguments, path of file, and capture any network and file modifications. Linux analysis may be a bit cumbersome due to volume and how process behavior is seen in EDR products. Piecing it together will require some effort.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1059.004", "mitre_attack_technique": "Unix Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT41", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1115", "mitre_attack_technique": "Clipboard Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT38", "APT39"]}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "Cinnamon Tempest", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "MoustachedBouncer", "POLONIUM", "Sandworm Team", "Turla", "Volt Typhoon", "Windigo"]}, {"mitre_attack_id": "T1548.001", "mitre_attack_technique": "Setuid and Setgid", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1098.004", "mitre_attack_technique": "SSH Authorized Keys", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca", "TeamTNT"]}, {"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.004", "mitre_attack_technique": "SSH", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT39", "APT5", "BlackTech", "FIN13", "FIN7", "Fox Kitten", "GCMAN", "Lazarus Group", "Leviathan", "OilRig", "Rocke", "TeamTNT", "menuPass"]}, {"mitre_attack_id": "T1053.002", "mitre_attack_technique": "At", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "BRONZE BUTLER", "Threat Group-3390"]}, {"mitre_attack_id": "T1222.002", "mitre_attack_technique": "Linux and Mac File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1053.006", "mitre_attack_technique": "Systemd Timers", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053.003", "mitre_attack_technique": "Cron", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT38", "APT5", "Rocke"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1095", "mitre_attack_technique": "Non-Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT3", "BITTER", "BackdoorDiplomacy", "FIN6", "HAFNIUM", "Metador", "PLATINUM", "ToddyCat"]}], "mitre_attack_tactics": ["Command And Control", "Collection", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Lateral Movement"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation", "Command and Control"]}, "detection_names": ["ESCU - Curl Download and Bash Execution - Rule", "ESCU - Linux Add Files In Known Crontab Directories - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux apt-get Privilege Escalation - Rule", "ESCU - Linux APT Privilege Escalation - Rule", "ESCU - Linux At Allow Config File Creation - Rule", "ESCU - Linux At Application Execution - Rule", "ESCU - Linux AWK Privilege Escalation - Rule", "ESCU - Linux Busybox Privilege Escalation - Rule", "ESCU - Linux c89 Privilege Escalation - Rule", "ESCU - Linux c99 Privilege Escalation - Rule", "ESCU - Linux Change File Owner To Root - Rule", "ESCU - Linux Clipboard Data Copy - Rule", "ESCU - Linux Common Process For Elevation Control - Rule", "ESCU - Linux Composer Privilege Escalation - Rule", "ESCU - Linux Cpulimit Privilege Escalation - Rule", "ESCU - Linux Csvtool Privilege Escalation - Rule", "ESCU - Linux Curl Upload File - Rule", "ESCU - Linux Decode Base64 to Shell - Rule", "ESCU - Linux Docker Privilege Escalation - Rule", "ESCU - Linux Edit Cron Table Parameter - Rule", "ESCU - Linux Emacs Privilege Escalation - Rule", "ESCU - Linux Find Privilege Escalation - Rule", "ESCU - Linux GDB Privilege Escalation - Rule", "ESCU - Linux Gem Privilege Escalation - Rule", "ESCU - Linux GNU Awk Privilege Escalation - Rule", "ESCU - Linux Ingress Tool Transfer Hunting - Rule", "ESCU - Linux Ingress Tool Transfer with Curl - Rule", "ESCU - Linux Make Privilege Escalation - Rule", "ESCU - Linux MySQL Privilege Escalation - Rule", "ESCU - Linux Node Privilege Escalation - Rule", "ESCU - Linux Obfuscated Files or Information Base64 Decode - Rule", "ESCU - Linux Octave Privilege Escalation - Rule", "ESCU - Linux OpenVPN Privilege Escalation - Rule", "ESCU - Linux PHP Privilege Escalation - Rule", "ESCU - Linux pkexec Privilege Escalation - Rule", "ESCU - Linux Possible Access Or Modification Of sshd Config File - Rule", "ESCU - Linux Possible Append Cronjob Entry on Existing Cronjob File - Rule", "ESCU - Linux Possible Cronjob Modification With Editor - Rule", "ESCU - Linux Possible Ssh Key File Creation - Rule", "ESCU - Linux Proxy Socks Curl - Rule", "ESCU - Linux Puppet Privilege Escalation - Rule", "ESCU - Linux RPM Privilege Escalation - Rule", "ESCU - Linux Ruby Privilege Escalation - Rule", "ESCU - Linux Service File Created In Systemd Directory - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Service Started Or Enabled - Rule", "ESCU - Linux Setuid Using Chmod Utility - Rule", "ESCU - Linux Sqlite3 Privilege Escalation - Rule", "ESCU - Linux SSH Authorized Keys Modification - Rule", "ESCU - Linux SSH Remote Services Script Execute - Rule", "ESCU - Suspicious Curl Network Connection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Curl Download and Bash Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Linux Add Files In Known Crontab Directories", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Adding Crontab Using List Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux apt-get Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux APT Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux At Allow Config File Creation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux At Application Execution", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "At"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux AWK Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Busybox Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux c89 Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux c99 Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Change File Owner To Root", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Linux and Mac File and Directory Permissions Modification"}, {"mitre_attack_technique": "File and Directory Permissions Modification"}]}, {"name": "Linux Clipboard Data Copy", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Clipboard Data"}]}, {"name": "Linux Common Process For Elevation Control", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Setuid and Setgid"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Composer Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Cpulimit Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Csvtool Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Curl Upload File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Linux Decode Base64 to Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "Unix Shell"}]}, {"name": "Linux Docker Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Edit Cron Table Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Emacs Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Find Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux GDB Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Gem Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux GNU Awk Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Ingress Tool Transfer Hunting", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Linux Ingress Tool Transfer with Curl", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Linux Make Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux MySQL Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Node Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Obfuscated Files or Information Base64 Decode", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}, {"name": "Linux Octave Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux OpenVPN Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux PHP Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux pkexec Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}, {"name": "Linux Possible Access Or Modification Of sshd Config File", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "SSH Authorized Keys"}, {"mitre_attack_technique": "Account Manipulation"}]}, {"name": "Linux Possible Append Cronjob Entry on Existing Cronjob File", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Possible Cronjob Modification With Editor", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Possible Ssh Key File Creation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "SSH Authorized Keys"}, {"mitre_attack_technique": "Account Manipulation"}]}, {"name": "Linux Proxy Socks Curl", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Non-Application Layer Protocol"}]}, {"name": "Linux Puppet Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux RPM Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Ruby Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Service File Created In Systemd Directory", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Service Restarted", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Service Started Or Enabled", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Setuid Using Chmod Utility", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Setuid and Setgid"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Sqlite3 Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux SSH Authorized Keys Modification", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "SSH Authorized Keys"}]}, {"name": "Linux SSH Remote Services Script Execute", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "SSH"}]}, {"name": "Suspicious Curl Network Connection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}]}, {"name": "Linux Persistence Techniques", "author": "Teoderick Contreras, Splunk", "date": "2021-12-17", "version": 1, "id": "e40d13e5-d38b-457e-af2a-e8e6a2f2b516", "description": "Monitor for activities and techniques associated with maintaining persistence on a Linux system--a sign that an adversary may have compromised your environment.", "references": ["https://attack.mitre.org/techniques/T1053/", "https://kifarunix.com/scheduling-tasks-using-at-command-in-linux/", "https://gtfobins.github.io/gtfobins/at/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf"], "narrative": "Maintaining persistence is one of the first steps taken by attackers after the initial compromise. Attackers leverage various custom and built-in tools to ensure survivability and persistent access within a compromised enterprise. This Analytic Story provides searches to help you identify various behaviors used by attackers to maintain persistent access to a Linux environment.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1574.006", "mitre_attack_technique": "Dynamic Linker Hijacking", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT41", "Rocke"]}, {"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "APT5", "Dragonfly", "FIN13", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT", "Wizard Spider"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider", "Scattered Spider"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1548.001", "mitre_attack_technique": "Setuid and Setgid", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1098.004", "mitre_attack_technique": "SSH Authorized Keys", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca", "TeamTNT"]}, {"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1003.008", "mitre_attack_technique": "/etc/passwd and /etc/shadow", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053.002", "mitre_attack_technique": "At", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "BRONZE BUTLER", "Threat Group-3390"]}, {"mitre_attack_id": "T1222.002", "mitre_attack_technique": "Linux and Mac File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1546.004", "mitre_attack_technique": "Unix Shell Configuration Modification", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053.006", "mitre_attack_technique": "Systemd Timers", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053.003", "mitre_attack_technique": "Cron", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT38", "APT5", "Rocke"]}, {"mitre_attack_id": "T1037.004", "mitre_attack_technique": "RC Scripts", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1037", "mitre_attack_technique": "Boot or Logon Initialization Scripts", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "Rocke"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.006", "mitre_attack_technique": "Kernel Modules and Extensions", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Privilege Escalation", "Credential Access", "Persistence", "Execution", "Defense Evasion", "Impact"], "datamodels": ["Risk", "Endpoint"], "kill_chain_phases": ["Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Linux Add Files In Known Crontab Directories - Rule", "ESCU - Linux Add User Account - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux At Allow Config File Creation - Rule", "ESCU - Linux At Application Execution - Rule", "ESCU - Linux Change File Owner To Root - Rule", "ESCU - Linux Common Process For Elevation Control - Rule", "ESCU - Linux Doas Conf File Creation - Rule", "ESCU - Linux Doas Tool Execution - Rule", "ESCU - Linux Edit Cron Table Parameter - Rule", "ESCU - Linux File Created In Kernel Driver Directory - Rule", "ESCU - Linux File Creation In Init Boot Directory - Rule", "ESCU - Linux File Creation In Profile Directory - Rule", "ESCU - Linux Insert Kernel Module Using Insmod Utility - Rule", "ESCU - Linux Install Kernel Module Using Modprobe Utility - Rule", "ESCU - Linux NOPASSWD Entry In Sudoers File - Rule", "ESCU - Linux Persistence and Privilege Escalation Risk Behavior - Rule", "ESCU - Linux Possible Access Or Modification Of sshd Config File - Rule", "ESCU - Linux Possible Access To Credential Files - Rule", "ESCU - Linux Possible Access To Sudoers File - Rule", "ESCU - Linux Possible Append Command To At Allow Config File - Rule", "ESCU - Linux Possible Append Command To Profile Config File - Rule", "ESCU - Linux Possible Append Cronjob Entry on Existing Cronjob File - Rule", "ESCU - Linux Possible Cronjob Modification With Editor - Rule", "ESCU - Linux Possible Ssh Key File Creation - Rule", "ESCU - Linux Preload Hijack Library Calls - Rule", "ESCU - Linux Service File Created In Systemd Directory - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Service Started Or Enabled - Rule", "ESCU - Linux Setuid Using Chmod Utility - Rule", "ESCU - Linux Setuid Using Setcap Utility - Rule", "ESCU - Linux Shred Overwrite Command - Rule", "ESCU - Linux Sudo OR Su Execution - Rule", "ESCU - Linux Sudoers Tmp File Creation - Rule", "ESCU - Linux Visudo Utility Execution - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Linux Add Files In Known Crontab Directories", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Add User Account", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}, {"name": "Linux Adding Crontab Using List Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux At Allow Config File Creation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux At Application Execution", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "At"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Change File Owner To Root", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Linux and Mac File and Directory Permissions Modification"}, {"mitre_attack_technique": "File and Directory Permissions Modification"}]}, {"name": "Linux Common Process For Elevation Control", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Setuid and Setgid"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Doas Conf File Creation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Doas Tool Execution", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Edit Cron Table Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux File Created In Kernel Driver Directory", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Linux File Creation In Init Boot Directory", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "RC Scripts"}, {"mitre_attack_technique": "Boot or Logon Initialization Scripts"}]}, {"name": "Linux File Creation In Profile Directory", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Unix Shell Configuration Modification"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Linux Insert Kernel Module Using Insmod Utility", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Linux Install Kernel Module Using Modprobe Utility", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Linux NOPASSWD Entry In Sudoers File", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Persistence and Privilege Escalation Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Possible Access Or Modification Of sshd Config File", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "SSH Authorized Keys"}, {"mitre_attack_technique": "Account Manipulation"}]}, {"name": "Linux Possible Access To Credential Files", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "/etc/passwd and /etc/shadow"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Linux Possible Access To Sudoers File", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Possible Append Command To At Allow Config File", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "At"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Possible Append Command To Profile Config File", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Unix Shell Configuration Modification"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Linux Possible Append Cronjob Entry on Existing Cronjob File", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Possible Cronjob Modification With Editor", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Possible Ssh Key File Creation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "SSH Authorized Keys"}, {"mitre_attack_technique": "Account Manipulation"}]}, {"name": "Linux Preload Hijack Library Calls", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Dynamic Linker Hijacking"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "Linux Service File Created In Systemd Directory", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Service Restarted", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Service Started Or Enabled", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Setuid Using Chmod Utility", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Setuid and Setgid"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Setuid Using Setcap Utility", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Setuid and Setgid"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Shred Overwrite Command", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Linux Sudo OR Su Execution", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Sudoers Tmp File Creation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Visudo Utility Execution", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}]}, {"name": "Linux Post-Exploitation", "author": "Rod Soto", "date": "2021-12-03", "version": 1, "id": "d310ccfe-5477-11ec-ad05-acde48001122", "description": "This analytic story identifies popular Linux post exploitation tools such as autoSUID, LinEnum, LinPEAS, Linux Exploit Suggesters, MimiPenguin.", "references": ["https://attack.mitre.org/matrices/enterprise/linux/"], "narrative": "These tools allow operators find possible exploits or paths for privilege escalation based on SUID binaries, user permissions, kernel version and distro version.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Suspicious Linux Discovery Commands - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "no", "author_name": "Rod Soto", "detections": [{"name": "Suspicious Linux Discovery Commands", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Unix Shell"}]}]}, {"name": "Linux Privilege Escalation", "author": "Teoderick Contreras, Splunk", "date": "2021-12-17", "version": 1, "id": "b9879c24-670a-44c0-895e-98cdb7d0e848", "description": "Monitor for and investigate activities that may be associated with a Linux privilege-escalation attack, including unusual processes running on endpoints, schedule task, services, setuid, root execution and more.", "references": ["https://attack.mitre.org/tactics/TA0004/"], "narrative": "Privilege escalation is a \"land-and-expand\" technique, wherein an adversary gains an initial foothold on a host and then exploits its weaknesses to increase his privileges. The motivation is simple: certain actions on a Linux machine--such as installing software--may require higher-level privileges than those the attacker initially acquired. By increasing his privilege level, the attacker can gain the control required to carry out his malicious ends. This Analytic Story provides searches to detect and investigate behaviors that attackers may use to elevate their privileges in your environment.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1574.006", "mitre_attack_technique": "Dynamic Linker Hijacking", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT41", "Rocke"]}, {"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "APT5", "Dragonfly", "FIN13", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT", "Wizard Spider"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider", "Scattered Spider"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1548.001", "mitre_attack_technique": "Setuid and Setgid", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1098.004", "mitre_attack_technique": "SSH Authorized Keys", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca", "TeamTNT"]}, {"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1003.008", "mitre_attack_technique": "/etc/passwd and /etc/shadow", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053.002", "mitre_attack_technique": "At", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "BRONZE BUTLER", "Threat Group-3390"]}, {"mitre_attack_id": "T1222.002", "mitre_attack_technique": "Linux and Mac File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1546.004", "mitre_attack_technique": "Unix Shell Configuration Modification", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1053.006", "mitre_attack_technique": "Systemd Timers", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053.003", "mitre_attack_technique": "Cron", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT38", "APT5", "Rocke"]}, {"mitre_attack_id": "T1037.004", "mitre_attack_technique": "RC Scripts", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1037", "mitre_attack_technique": "Boot or Logon Initialization Scripts", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "Rocke"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.006", "mitre_attack_technique": "Kernel Modules and Extensions", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Privilege Escalation", "Credential Access", "Persistence", "Execution", "Defense Evasion", "Impact"], "datamodels": ["Risk", "Endpoint"], "kill_chain_phases": ["Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Linux Add Files In Known Crontab Directories - Rule", "ESCU - Linux Add User Account - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux apt-get Privilege Escalation - Rule", "ESCU - Linux APT Privilege Escalation - Rule", "ESCU - Linux At Allow Config File Creation - Rule", "ESCU - Linux At Application Execution - Rule", "ESCU - Linux AWK Privilege Escalation - Rule", "ESCU - Linux Busybox Privilege Escalation - Rule", "ESCU - Linux c89 Privilege Escalation - Rule", "ESCU - Linux c99 Privilege Escalation - Rule", "ESCU - Linux Change File Owner To Root - Rule", "ESCU - Linux Common Process For Elevation Control - Rule", "ESCU - Linux Composer Privilege Escalation - Rule", "ESCU - Linux Cpulimit Privilege Escalation - Rule", "ESCU - Linux Csvtool Privilege Escalation - Rule", "ESCU - Linux Doas Conf File Creation - Rule", "ESCU - Linux Doas Tool Execution - Rule", "ESCU - Linux Docker Privilege Escalation - Rule", "ESCU - Linux Edit Cron Table Parameter - Rule", "ESCU - Linux Emacs Privilege Escalation - Rule", "ESCU - Linux File Created In Kernel Driver Directory - Rule", "ESCU - Linux File Creation In Init Boot Directory - Rule", "ESCU - Linux File Creation In Profile Directory - Rule", "ESCU - Linux Find Privilege Escalation - Rule", "ESCU - Linux GDB Privilege Escalation - Rule", "ESCU - Linux Gem Privilege Escalation - Rule", "ESCU - Linux GNU Awk Privilege Escalation - Rule", "ESCU - Linux Insert Kernel Module Using Insmod Utility - Rule", "ESCU - Linux Install Kernel Module Using Modprobe Utility - Rule", "ESCU - Linux Make Privilege Escalation - Rule", "ESCU - Linux MySQL Privilege Escalation - Rule", "ESCU - Linux Node Privilege Escalation - Rule", "ESCU - Linux NOPASSWD Entry In Sudoers File - Rule", "ESCU - Linux Octave Privilege Escalation - Rule", "ESCU - Linux OpenVPN Privilege Escalation - Rule", "ESCU - Linux Persistence and Privilege Escalation Risk Behavior - Rule", "ESCU - Linux PHP Privilege Escalation - Rule", "ESCU - Linux pkexec Privilege Escalation - Rule", "ESCU - Linux Possible Access Or Modification Of sshd Config File - Rule", "ESCU - Linux Possible Access To Credential Files - Rule", "ESCU - Linux Possible Access To Sudoers File - Rule", "ESCU - Linux Possible Append Command To At Allow Config File - Rule", "ESCU - Linux Possible Append Command To Profile Config File - Rule", "ESCU - Linux Possible Append Cronjob Entry on Existing Cronjob File - Rule", "ESCU - Linux Possible Cronjob Modification With Editor - Rule", "ESCU - Linux Possible Ssh Key File Creation - Rule", "ESCU - Linux Preload Hijack Library Calls - Rule", "ESCU - Linux Puppet Privilege Escalation - Rule", "ESCU - Linux RPM Privilege Escalation - Rule", "ESCU - Linux Ruby Privilege Escalation - Rule", "ESCU - Linux Service File Created In Systemd Directory - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Service Started Or Enabled - Rule", "ESCU - Linux Setuid Using Chmod Utility - Rule", "ESCU - Linux Setuid Using Setcap Utility - Rule", "ESCU - Linux Shred Overwrite Command - Rule", "ESCU - Linux Sqlite3 Privilege Escalation - Rule", "ESCU - Linux Sudo OR Su Execution - Rule", "ESCU - Linux Sudoers Tmp File Creation - Rule", "ESCU - Linux Visudo Utility Execution - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Linux Add Files In Known Crontab Directories", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Add User Account", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}, {"name": "Linux Adding Crontab Using List Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux apt-get Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux APT Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux At Allow Config File Creation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux At Application Execution", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "At"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux AWK Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Busybox Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux c89 Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux c99 Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Change File Owner To Root", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Linux and Mac File and Directory Permissions Modification"}, {"mitre_attack_technique": "File and Directory Permissions Modification"}]}, {"name": "Linux Common Process For Elevation Control", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Setuid and Setgid"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Composer Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Cpulimit Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Csvtool Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Doas Conf File Creation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Doas Tool Execution", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Docker Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Edit Cron Table Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Emacs Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux File Created In Kernel Driver Directory", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Linux File Creation In Init Boot Directory", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "RC Scripts"}, {"mitre_attack_technique": "Boot or Logon Initialization Scripts"}]}, {"name": "Linux File Creation In Profile Directory", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Unix Shell Configuration Modification"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Linux Find Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux GDB Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Gem Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux GNU Awk Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Insert Kernel Module Using Insmod Utility", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Linux Install Kernel Module Using Modprobe Utility", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Linux Make Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux MySQL Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Node Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux NOPASSWD Entry In Sudoers File", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Octave Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux OpenVPN Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Persistence and Privilege Escalation Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux PHP Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux pkexec Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}, {"name": "Linux Possible Access Or Modification Of sshd Config File", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "SSH Authorized Keys"}, {"mitre_attack_technique": "Account Manipulation"}]}, {"name": "Linux Possible Access To Credential Files", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "/etc/passwd and /etc/shadow"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Linux Possible Access To Sudoers File", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Possible Append Command To At Allow Config File", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "At"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Possible Append Command To Profile Config File", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Unix Shell Configuration Modification"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Linux Possible Append Cronjob Entry on Existing Cronjob File", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Possible Cronjob Modification With Editor", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Possible Ssh Key File Creation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "SSH Authorized Keys"}, {"mitre_attack_technique": "Account Manipulation"}]}, {"name": "Linux Preload Hijack Library Calls", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Dynamic Linker Hijacking"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "Linux Puppet Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux RPM Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Ruby Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Service File Created In Systemd Directory", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Service Restarted", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Service Started Or Enabled", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Setuid Using Chmod Utility", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Setuid and Setgid"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Setuid Using Setcap Utility", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Setuid and Setgid"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Shred Overwrite Command", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Linux Sqlite3 Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Sudo OR Su Execution", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Sudoers Tmp File Creation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Linux Visudo Utility Execution", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}]}, {"name": "Linux Rootkit", "author": "Michael Haag, Splunk", "date": "2022-07-27", "version": 1, "id": "e30f4054-ac08-4999-b8bc-5cc46886c18d", "description": "Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.", "references": ["https://attack.mitre.org/techniques/T1014/", "https://content.fireeye.com/apt-41/rpt-apt41", "https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a"], "narrative": "Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor, Master Boot Record, or System Firmware. Rootkits have been seen for Windows, Linux, and Mac OS X systems. Linux rootkits may not standout as much as a Windows rootkit, therefore understanding what kernel modules are installed today and monitoring for new is important. As with any rootkit, it may blend in using a common kernel name or variation of legitimate names.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.006", "mitre_attack_technique": "Kernel Modules and Extensions", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - Linux File Created In Kernel Driver Directory - Rule", "ESCU - Linux Insert Kernel Module Using Insmod Utility - Rule", "ESCU - Linux Install Kernel Module Using Modprobe Utility - Rule", "ESCU - Linux Kernel Module Enumeration - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Linux File Created In Kernel Driver Directory", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Linux Insert Kernel Module Using Insmod Utility", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Linux Install Kernel Module Using Modprobe Utility", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Linux Kernel Module Enumeration", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Information Discovery"}, {"mitre_attack_technique": "Rootkit"}]}]}, {"name": "Living Off The Land", "author": "Lou Stella, Splunk", "date": "2022-03-16", "version": 2, "id": "6f7982e2-900b-11ec-a54a-acde48001122", "description": "Leverage analytics that allow you to identify the presence of an adversary leveraging native applications within your environment.", "references": ["https://lolbas-project.github.io/"], "narrative": "Living Off The Land refers to an adversary methodology of using native applications already installed on the target operating system to achieve their objective. Native utilities provide the adversary with reduced chances of detection by antivirus software or EDR tools. This allows the adversary to blend in with native process behavior.", "tags": {"category": ["Adversary Tactics", "Unauthorized Software", "Lateral Movement", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.002", "mitre_attack_technique": "Control Panel", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Ember Bear"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}, {"mitre_attack_id": "T1059.004", "mitre_attack_technique": "Unix Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT41", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Cinnamon Tempest", "Earth Lusca", "FIN13", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1003.003", "mitre_attack_technique": "NTDS", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "HAFNIUM", "Ke3chang", "LAPSUS$", "Mustang Panda", "Sandworm Team", "Scattered Spider", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1546.003", "mitre_attack_technique": "Windows Management Instrumentation Event Subscription", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT33", "Blue Mockingbird", "FIN8", "HEXANE", "Leviathan", "Metador", "Mustang Panda", "Rancor", "Turla"]}, {"mitre_attack_id": "T1218.001", "mitre_attack_technique": "Compiled HTML File", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "APT41", "Dark Caracal", "OilRig", "Silence"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218.013", "mitre_attack_technique": "Mavinject", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1197", "mitre_attack_technique": "BITS Jobs", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": ["APT39", "APT41", "Leviathan", "Patchwork", "Wizard Spider"]}, {"mitre_attack_id": "T1567", "mitre_attack_technique": "Exfiltration Over Web Service", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT28", "Magic Hound"]}, {"mitre_attack_id": "T1218.014", "mitre_attack_technique": "MMC", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}, {"mitre_attack_id": "T1218.008", "mitre_attack_technique": "Odbcconf", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group"]}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA2541", "TA551"]}, {"mitre_attack_id": "T1053.002", "mitre_attack_technique": "At", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "BRONZE BUTLER", "Threat Group-3390"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1127.001", "mitre_attack_technique": "MSBuild", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1202", "mitre_attack_technique": "Indirect Command Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1140", "mitre_attack_technique": "Deobfuscate/Decode Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT39", "BRONZE BUTLER", "Cinnamon Tempest", "Darkhotel", "Earth Lusca", "FIN13", "Gamaredon Group", "Gorgon Group", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Malteiro", "Molerats", "MuddyWater", "OilRig", "Rocke", "Sandworm Team", "TA505", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "WIRTE", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1218.009", "mitre_attack_technique": "Regsvcs/Regasm", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1574.011", "mitre_attack_technique": "Services Registry Permissions Weakness", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546.015", "mitre_attack_technique": "Component Object Model Hijacking", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1216", "mitre_attack_technique": "System Script Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1574.001", "mitre_attack_technique": "DLL Search Order Hijacking", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT41", "Aquatic Panda", "BackdoorDiplomacy", "Cinnamon Tempest", "Evilnum", "RTM", "Threat Group-3390", "Tonto Team", "Whitefly", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1647", "mitre_attack_technique": "Plist File Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}], "mitre_attack_tactics": ["Command And Control", "Initial Access", "Exfiltration", "Privilege Escalation", "Credential Access", "Persistence", "Execution", "Defense Evasion", "Lateral Movement"], "datamodels": ["Network_Traffic", "Risk", "Endpoint"], "kill_chain_phases": ["Delivery", "Exploitation", "Actions on Objectives", "Installation", "Command and Control"]}, "detection_names": ["ESCU - Windows DLL Search Order Hijacking Hunt - Rule", "ESCU - BITS Job Persistence - Rule", "ESCU - BITSAdmin Download File - Rule", "ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - CertUtil Download With VerifyCtl and Split Arguments - Rule", "ESCU - Certutil exe certificate extraction - Rule", "ESCU - CertUtil With Decode Argument - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Control Loading from World Writable Directory - Rule", "ESCU - Creation of Shadow Copy with wmic and powershell - Rule", "ESCU - Detect HTML Help Renamed - Rule", "ESCU - Detect HTML Help Spawn Child Process - Rule", "ESCU - Detect HTML Help URL in Command Line - Rule", "ESCU - Detect HTML Help Using InfoTech Storage Handlers - Rule", "ESCU - Detect mshta inline hta execution - Rule", "ESCU - Detect mshta renamed - Rule", "ESCU - Detect MSHTA Url in Command Line - Rule", "ESCU - Detect Regasm Spawning a Process - Rule", "ESCU - Detect Regasm with Network Connection - Rule", "ESCU - Detect Regasm with no Command Line Arguments - Rule", "ESCU - Detect Regsvcs Spawning a Process - Rule", "ESCU - Detect Regsvcs with Network Connection - Rule", "ESCU - Detect Regsvcs with No Command Line Arguments - Rule", "ESCU - Detect Regsvr32 Application Control Bypass - Rule", "ESCU - Detect Rundll32 Application Control Bypass - advpack - Rule", "ESCU - Detect Rundll32 Application Control Bypass - setupapi - Rule", "ESCU - Detect Rundll32 Application Control Bypass - syssetup - Rule", "ESCU - Detect Rundll32 Inline HTA Execution - Rule", "ESCU - Disable Schedule Task - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Esentutl SAM Copy - Rule", "ESCU - Eventvwr UAC Bypass - Rule", "ESCU - Living Off The Land Detection - Rule", "ESCU - LOLBAS With Network Traffic - Rule", "ESCU - MacOS LOLbin - Rule", "ESCU - MacOS plutil - Rule", "ESCU - Mmc LOLBAS Execution Process Spawn - Rule", "ESCU - Mshta spawning Rundll32 OR Regsvr32 Process - Rule", "ESCU - Ntdsutil Export NTDS - Rule", "ESCU - Reg exe Manipulating Windows Services Registry Keys - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Remote WMI Command Attempt - Rule", "ESCU - Rundll32 Control RunDLL Hunt - Rule", "ESCU - Rundll32 Control RunDLL World Writable Directory - Rule", "ESCU - Rundll32 Create Remote Thread To A Process - Rule", "ESCU - Rundll32 CreateRemoteThread In Browser - Rule", "ESCU - Rundll32 DNSQuery - Rule", "ESCU - Rundll32 Process Creating Exe Dll Files - Rule", "ESCU - Rundll32 Shimcache Flush - Rule", "ESCU - RunDLL Loading DLL By Ordinal - Rule", "ESCU - Schedule Task with HTTP Command Arguments - Rule", "ESCU - Schedule Task with Rundll32 Command Trigger - Rule", "ESCU - Scheduled Task Creation on Remote Endpoint using At - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Scheduled Task Initiation on Remote Endpoint - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Services LOLBAS Execution Process Spawn - Rule", "ESCU - Suspicious IcedID Rundll32 Cmdline - Rule", "ESCU - Suspicious microsoft workflow compiler rename - Rule", "ESCU - Suspicious microsoft workflow compiler usage - Rule", "ESCU - Suspicious msbuild path - Rule", "ESCU - Suspicious MSBuild Rename - Rule", "ESCU - Suspicious MSBuild Spawn - Rule", "ESCU - Suspicious mshta child process - Rule", "ESCU - Suspicious mshta spawn - Rule", "ESCU - Suspicious Regsvr32 Register Suspicious Path - Rule", "ESCU - Suspicious Rundll32 dllregisterserver - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Svchost LOLBAS Execution Process Spawn - Rule", "ESCU - Windows Binary Proxy Execution Mavinject DLL Injection - Rule", "ESCU - Windows COM Hijacking InprocServer32 Modification - Rule", "ESCU - Windows Diskshadow Proxy Execution - Rule", "ESCU - Windows DLL Search Order Hijacking Hunt with Sysmon - Rule", "ESCU - Windows DLL Search Order Hijacking with iscsicpl - Rule", "ESCU - Windows Identify Protocol Handlers - Rule", "ESCU - Windows Indirect Command Execution Via forfiles - Rule", "ESCU - Windows Indirect Command Execution Via pcalua - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows InstallUtil Remote Network Connection - Rule", "ESCU - Windows InstallUtil Uninstall Option - Rule", "ESCU - Windows InstallUtil Uninstall Option with Network - Rule", "ESCU - Windows InstallUtil URL in Command Line - Rule", "ESCU - Windows Known Abused DLL Created - Rule", "ESCU - Windows MOF Event Triggered Execution via WMI - Rule", "ESCU - Windows Odbcconf Hunting - Rule", "ESCU - Windows Odbcconf Load DLL - Rule", "ESCU - Windows Odbcconf Load Response File - Rule", "ESCU - Windows System Binary Proxy Execution Compiled HTML File Decompile - Rule", "ESCU - Windows System Script Proxy Execution Syncappvpublishingserver - Rule", "ESCU - Windows UAC Bypass Suspicious Child Process - Rule", "ESCU - Windows UAC Bypass Suspicious Escalation Behavior - Rule", "ESCU - WSReset UAC Bypass - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Lou Stella", "detections": [{"name": "Windows DLL Search Order Hijacking Hunt", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "DLL Search Order Hijacking"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "BITS Job Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "BITS Jobs"}]}, {"name": "BITSAdmin Download File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "BITS Jobs"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "CertUtil Download With VerifyCtl and Split Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Certutil exe certificate extraction", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CertUtil With Decode Argument", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Deobfuscate/Decode Files or Information"}]}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Control Loading from World Writable Directory", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Control Panel"}]}, {"name": "Creation of Shadow Copy with wmic and powershell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Detect HTML Help Renamed", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Compiled HTML File"}]}, {"name": "Detect HTML Help Spawn Child Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Compiled HTML File"}]}, {"name": "Detect HTML Help URL in Command Line", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Compiled HTML File"}]}, {"name": "Detect HTML Help Using InfoTech Storage Handlers", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Compiled HTML File"}]}, {"name": "Detect mshta inline hta execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}, {"name": "Detect mshta renamed", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}, {"name": "Detect MSHTA Url in Command Line", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}, {"name": "Detect Regasm Spawning a Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}, {"name": "Detect Regasm with Network Connection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}, {"name": "Detect Regasm with no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}, {"name": "Detect Regsvcs Spawning a Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}, {"name": "Detect Regsvcs with Network Connection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}, {"name": "Detect Regsvcs with No Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}, {"name": "Detect Regsvr32 Application Control Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}, {"name": "Detect Rundll32 Application Control Bypass - advpack", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Detect Rundll32 Application Control Bypass - setupapi", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Detect Rundll32 Application Control Bypass - syssetup", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Detect Rundll32 Inline HTA Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}, {"name": "Disable Schedule Task", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Esentutl SAM Copy", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Eventvwr UAC Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Living Off The Land Detection", "source": "endpoint", "type": "Correlation", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "LOLBAS With Network Traffic", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}, {"mitre_attack_technique": "Exfiltration Over Web Service"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}, {"name": "MacOS LOLbin", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Unix Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "MacOS plutil", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Plist File Modification"}]}, {"name": "Mmc LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "MMC"}]}, {"name": "Mshta spawning Rundll32 OR Regsvr32 Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}, {"name": "Ntdsutil Export NTDS", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Reg exe Manipulating Windows Services Registry Keys", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Services Registry Permissions Weakness"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "Regsvr32 Silent and Install Param Dll Loading", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}, {"name": "Remote WMI Command Attempt", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "Rundll32 Control RunDLL Hunt", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Rundll32 Control RunDLL World Writable Directory", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Rundll32 Create Remote Thread To A Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Rundll32 CreateRemoteThread In Browser", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Rundll32 DNSQuery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Rundll32 Process Creating Exe Dll Files", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Rundll32 Shimcache Flush", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "RunDLL Loading DLL By Ordinal", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Schedule Task with HTTP Command Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Schedule Task with Rundll32 Command Trigger", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Scheduled Task Creation on Remote Endpoint using At", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "At"}]}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Scheduled Task Initiation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}, {"name": "Schtasks scheduling job on remote system", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Services LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Suspicious IcedID Rundll32 Cmdline", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Suspicious microsoft workflow compiler rename", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}]}, {"name": "Suspicious microsoft workflow compiler usage", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}]}, {"name": "Suspicious msbuild path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}, {"name": "Suspicious MSBuild Rename", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}, {"name": "Suspicious MSBuild Spawn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "MSBuild"}]}, {"name": "Suspicious mshta child process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}, {"name": "Suspicious mshta spawn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}, {"name": "Suspicious Regsvr32 Register Suspicious Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}, {"name": "Suspicious Rundll32 dllregisterserver", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Svchost LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}, {"name": "Windows Binary Proxy Execution Mavinject DLL Injection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Mavinject"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}, {"name": "Windows COM Hijacking InprocServer32 Modification", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Component Object Model Hijacking"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Windows Diskshadow Proxy Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}]}, {"name": "Windows DLL Search Order Hijacking Hunt with Sysmon", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "DLL Search Order Hijacking"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "Windows DLL Search Order Hijacking with iscsicpl", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "DLL Search Order Hijacking"}]}, {"name": "Windows Identify Protocol Handlers", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows Indirect Command Execution Via forfiles", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indirect Command Execution"}]}, {"name": "Windows Indirect Command Execution Via pcalua", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indirect Command Execution"}]}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}, {"name": "Windows InstallUtil Remote Network Connection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "InstallUtil"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}, {"name": "Windows InstallUtil Uninstall Option", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "InstallUtil"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}, {"name": "Windows InstallUtil Uninstall Option with Network", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "InstallUtil"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}, {"name": "Windows InstallUtil URL in Command Line", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "InstallUtil"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}, {"name": "Windows Known Abused DLL Created", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "DLL Search Order Hijacking"}, {"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "Windows MOF Event Triggered Execution via WMI", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation Event Subscription"}]}, {"name": "Windows Odbcconf Hunting", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Odbcconf"}]}, {"name": "Windows Odbcconf Load DLL", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Odbcconf"}]}, {"name": "Windows Odbcconf Load Response File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Odbcconf"}]}, {"name": "Windows System Binary Proxy Execution Compiled HTML File Decompile", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Compiled HTML File"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}, {"name": "Windows System Script Proxy Execution Syncappvpublishingserver", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Script Proxy Execution"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}, {"name": "Windows UAC Bypass Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}, {"mitre_attack_technique": "Bypass User Account Control"}]}, {"name": "Windows UAC Bypass Suspicious Escalation Behavior", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}, {"mitre_attack_technique": "Bypass User Account Control"}]}, {"name": "WSReset UAC Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}]}, {"name": "Local Privilege Escalation With KrbRelayUp", "author": "Michael Haag, Mauricio Velazco, Splunk", "date": "2022-04-28", "version": 1, "id": "765790f0-2f8f-4048-8321-fd1928ec2546", "description": "KrbRelayUp is a tool that allows local privilege escalation from low-priviliged domain user to local system on domain-joined computers.", "references": ["https://github.com/Dec0ne/KrbRelayUp", "https://gist.github.com/tothi/bf6c59d6de5d0c9710f23dae5750c4b9", "https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html", "https://dirkjanm.io/relaying-kerberos-over-dns-with-krbrelayx-and-mitm6/", "https://github.com/cube0x0/KrbRelay"], "narrative": "In October 2021, James Forshaw from Googles Project Zero released a research blog post titled `Using Kerberos for Authentication Relay Attacks`. This research introduced, for the first time, ways to make Windows authenticate to a different Service Principal Name (SPN) than what would normally be derived from the hostname the client is connecting to. This effectively proved that relaying Kerberos authentication is possible\\\\. In April 2022, security researcher Mor Davidovich released a tool named KrbRelayUp which implements Kerberos relaying as well as other known Kerberos techniques with the goal of escalating privileges from a low-privileged domain user on a domain-joined device and obtain a SYSTEM shell.", "tags": {"category": ["Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Credential Access"], "datamodels": ["Authentication"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Windows Computer Account Created by Computer Account - Rule", "ESCU - Windows Computer Account Requesting Kerberos Ticket - Rule", "ESCU - Windows Computer Account With SPN - Rule", "ESCU - Windows Kerberos Local Successful Logon - Rule", "ESCU - Windows KrbRelayUp Service Creation - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Mauricio Velazco, Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Computer Account Created by Computer Account", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}, {"name": "Windows Computer Account Requesting Kerberos Ticket", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}, {"name": "Windows Computer Account With SPN", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}, {"name": "Windows Kerberos Local Successful Logon", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}, {"name": "Windows KrbRelayUp Service Creation", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Service"}]}]}, {"name": "LockBit Ransomware", "author": "Teoderick Contreras, Splunk", "date": "2023-01-16", "version": 1, "id": "67e5b98d-16d6-46a6-8d00-070a3d1a5cfc", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the LockBit ransomware, including looking for file writes (file encryption and ransomware notes), deleting services, terminating processes, registry key modification and more.", "references": ["https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html", "https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/", "https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom", "https://www.trendmicro.com/en_us/research/22/g/lockbit-ransomware-group-augments-its-latest-variant--lockbit-3-.html"], "narrative": "LockBit ransomware was first seen in 2019. This ransomware was used by cybercriminal in targeting multiple sectors and organizations. Lockbit is one of the ransomware being offered as a Ransomware-as-a-Service(RaaS) and also known to affiliates to implement the 'double extortion' techniques by uploading the stolen and sensitive victim information to their dark website and then threatening to sell/release it in public if their demands are not met. LockBit Ransomware advertised opportunities for threat actors that could provide credential access via RDP and VPN. Aside from this it is also uses threat emulation like Cobalt Strike and Metasploit to gain foot hold to the targeted host and persist if needed.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1218.003", "mitre_attack_technique": "CMSTP", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group", "MuddyWater"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "Akira", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "Scattered Spider", "TA505"]}, {"mitre_attack_id": "T1491", "mitre_attack_technique": "Defacement", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Reconnaissance", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Impact"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Reconnaissance", "Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - CMLUA Or CMSTPLUA UAC Bypass - Rule", "ESCU - Cobalt Strike Named Pipes - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Fsutil Zeroing File - Rule", "ESCU - High Process Termination Frequency - Rule", "ESCU - Known Services Killed by Ransomware - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - Ransomware Notes bulk creation - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - UAC Bypass With Colorui COM Object - Rule", "ESCU - Wbemprox COM Object Execution - Rule", "ESCU - Windows Modify Registry Default Icon Setting - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "CMLUA Or CMSTPLUA UAC Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "CMSTP"}]}, {"name": "Cobalt Strike Named Pipes", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Fsutil Zeroing File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}]}, {"name": "High Process Termination Frequency", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}, {"name": "Known Services Killed by Ransomware", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Defacement"}]}, {"name": "Ransomware Notes bulk creation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Gather Victim Host Information"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "UAC Bypass With Colorui COM Object", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "CMSTP"}]}, {"name": "Wbemprox COM Object Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "CMSTP"}]}, {"name": "Windows Modify Registry Default Icon Setting", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}]}, {"name": "Log4Shell CVE-2021-44228", "author": "Jose Hernandez", "date": "2021-12-11", "version": 1, "id": "b4453928-5a98-11ec-afcd-8de10b48fc52", "description": "Log4Shell or CVE-2021-44228 is a Remote Code Execution (RCE) vulnerability in the Apache Log4j library, a widely used and ubiquitous logging framework for Java. The vulnerability allows an attacker who can control log messages to execute arbitrary code loaded from attacker-controlled servers and we anticipate that most apps using the Log4j library will meet this condition.", "references": ["https://mbechler.github.io/2021/12/10/PSA_Log4Shell_JNDI_Injection/", "https://www.fastly.com/blog/digging-deeper-into-log4shell-0day-rce-exploit-found-in-log4j", "https://www.crowdstrike.com/blog/log4j2-vulnerability-analysis-and-mitigation-recommendations/", "https://www.lunasec.io/docs/blog/log4j-zero-day/", "https://www.splunk.com/en_us/blog/security/log-jammin-log4j-2-rce.html"], "narrative": "In late November 2021, Chen Zhaojun of Alibaba identified a remote code execution vulnerability. Previous work was seen in a 2016 Blackhat talk by Alvaro Munoz and Oleksandr Mirosh called [\"A Journey from JNDI/LDAP Manipulation to Remote Code Execution Dream Land\"](https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf). Reported under the CVE ID : CVE-2021-44228, released to the public on December 10, 2021. The vulnerability is exploited through improper deserialization of user input passed into the framework. It permits remote code execution and it can allow an attacker to leak sensitive data, such as environment variables, or execute malicious software on the target system.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Application Security", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}], "mitre_attack_tactics": ["Persistence", "Execution", "Command And Control", "Initial Access"], "datamodels": ["Network_Traffic", "Web", "Risk", "Endpoint"], "kill_chain_phases": ["Installation", "Delivery", "Command and Control"]}, "detection_names": ["ESCU - Any Powershell DownloadFile - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Curl Download and Bash Execution - Rule", "ESCU - Java Class File download by Java User Agent - Rule", "ESCU - Linux Java Spawning Shell - Rule", "ESCU - Log4Shell CVE-2021-44228 Exploitation - Rule", "ESCU - Outbound Network Connection from Java Using Default Ports - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - Wget Download and Bash Execution - Rule", "ESCU - Windows Java Spawning Shells - Rule", "ESCU - Detect Outbound LDAP Traffic - Rule", "ESCU - Hunting for Log4Shell - Rule", "ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", "ESCU - Log4Shell JNDI Payload Injection with Outbound Connection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "no", "author_name": "Jose Hernandez", "detections": [{"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Curl Download and Bash Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Java Class File download by Java User Agent", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}, {"name": "Linux Java Spawning Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Log4Shell CVE-2021-44228 Exploitation", "source": "endpoint", "type": "Correlation", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Outbound Network Connection from Java Using Default Ports", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Wget Download and Bash Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Windows Java Spawning Shells", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Detect Outbound LDAP Traffic", "source": "network", "type": "Hunting", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Hunting for Log4Shell", "source": "web", "type": "Hunting", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Log4Shell JNDI Payload Injection Attempt", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Log4Shell JNDI Payload Injection with Outbound Connection", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}]}, {"name": "Malicious PowerShell", "author": "David Dorsey, Splunk", "date": "2017-08-23", "version": 5, "id": "2c8ff66e-0b57-42af-8ad7-912438a403fc", "description": "Attackers are finding stealthy ways \"live off the land,\" leveraging utilities and tools that come standard on the endpoint--such as PowerShell--to achieve their goals without downloading binary files. These searches can help you detect and investigate PowerShell command-line options that may be indicative of malicious intent.", "references": ["https://blogs.mcafee.com/mcafee-labs/malware-employs-powershell-to-infect-systems/", "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"], "narrative": "The searches in this Analytic Story monitor for parameters often used for malicious purposes. It is helpful to understand how often the notable events generated by this story occur, as well as the commonalities between some of these events. These factors may provide clues about whether this is a common occurrence of minimal concern or a rare event that may require more extensive investigation. Likewise, it is important to determine whether the issue is restricted to a single user/system or is broader in scope.\nThe following factors may assist you in determining whether the event is malicious:\n1. Country of origin\n1. Responsible party\n1. Fully qualified domain names associated with the external IP address\n1. Registration of fully qualified domain names associated with external IP address\nDetermining whether it is a dynamic domain frequently visited by others and/or how third parties categorize it can also help you answer some questions surrounding the attacker and details related to the external system. In addition, there are various sources--such as VirusTotal— that can provide some reputation information on the IP address or domain name, which can assist in determining whether the event is malicious. Finally, determining whether there are other events associated with the IP address may help connect data points or show other events that should be brought into scope.\nGathering data on the system of interest can sometimes help you quickly determine whether something suspicious is happening. Some of these items include finding out who else may have recently logged into the system, whether any unusual scheduled tasks exist, whether the system is communicating on suspicious ports, whether there are modifications to sensitive registry keys, and whether there are any known vulnerabilities on the system. This information can often highlight other activity commonly seen in attack scenarios or give more information about how the system may have been targeted.\nOften, a simple inspection of the process name and path can tell you if the system has been compromised. For example, if `svchost.exe` is found running from a location other than `C:\\Windows\\System32`, it is likely something malicious designed to hide in plain sight when cursorily reviewing process names. Similarly, if the process itself seems legitimate, but the parent process is running from the temporary browser cache, that could be indicative of activity initiated via a compromised website a user visited.\nIt can also be very helpful to examine various behaviors of the process of interest or the parent of the process of interest. For example, if it turns out the process of interest is malicious, it would be good to see if the parent to that process spawned other processes that might be worth further scrutiny. If a process is suspect, a review of the network connections made in and around the time of the event and/or whether the process spawned any child processes could be helpful, as well.\nIn the event a system is suspected of having been compromised via a malicious website, we suggest reviewing the browsing activity from that system around the time of the event. If categories are given for the URLs visited, that can help you zero in on possible malicious sites.\nMost recently we have added new content related to PowerShell Script Block logging, Windows EventCode 4104. Script block logging presents the deobfuscated and raw script executed on an endpoint. The analytics produced were tested against commonly used attack frameworks - PowerShell-Empire, Cobalt Strike and Covenant. In addition, we sampled publicly available samples that utilize PowerShell and validated coverage. The analytics are here to identify suspicious usage, cmdlets, or script values. 4104 events are enabled via the Windows registry and may generate a large volume of data if enabled globally. Enabling on critical systems or a limited set may be best. During triage of 4104 events, review parallel processes for other processes and command executed. Identify any file modifications and network communication and review accordingly. Fortunately, we get the full script to determine the level of threat identified.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1027.005", "mitre_attack_technique": "Indicator Removal from Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT3", "Deep Panda", "GALLIUM", "OilRig", "Patchwork", "Turla"]}, {"mitre_attack_id": "T1027.011", "mitre_attack_technique": "Fileless Storage", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "Turla"]}, {"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1218.014", "mitre_attack_technique": "MMC", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1021.006", "mitre_attack_technique": "Windows Remote Management", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Chimera", "FIN13", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT41", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1546.015", "mitre_attack_technique": "Component Object Model Hijacking", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}], "mitre_attack_tactics": ["Reconnaissance", "Command And Control", "Discovery", "Credential Access", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Lateral Movement"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Reconnaissance", "Installation", "Exploitation", "Command and Control"]}, "detection_names": ["ESCU - Suspicious Powershell Command-Line Arguments - Rule", "ESCU - Any Powershell DownloadFile - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - Detect Certify With PowerShell Script Block Logging - Rule", "ESCU - Detect Empire with PowerShell Script Block Logging - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - GetLocalUser with PowerShell Script Block - Rule", "ESCU - GetWmiObject User Account with PowerShell Script Block - Rule", "ESCU - Malicious Powershell Executed As A Service - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Malicious PowerShell Process With Obfuscation Techniques - Rule", "ESCU - Possible Lateral Movement PowerShell Spawn - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - Powershell COM Hijacking InprocServer32 Modification - Rule", "ESCU - Powershell Creating Thread Mutex - Rule", "ESCU - PowerShell Domain Enumeration - Rule", "ESCU - PowerShell Enable PowerShell Remoting - Rule", "ESCU - Powershell Enable SMB1Protocol Feature - Rule", "ESCU - Powershell Execute COM Object - Rule", "ESCU - Powershell Fileless Process Injection via GetProcAddress - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - PowerShell Invoke CIMMethod CIMSession - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Powershell Processing Stream Of Data - Rule", "ESCU - PowerShell Script Block With URL Chain - Rule", "ESCU - Powershell Using memory As Backing Store - Rule", "ESCU - PowerShell WebRequest Using Memory Stream - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - ServicePrincipalNames Discovery with PowerShell - Rule", "ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule", "ESCU - Unloading AMSI via Reflection - Rule", "ESCU - WMI Recon Running Process Or Services - Rule"], "investigation_names": ["Get History Of Email Sources", "Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Suspicious Powershell Command-Line Arguments", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "PowerShell"}]}, {"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Detect Certify With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Detect Empire with PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "GetLocalUser with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "GetWmiObject User Account with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Malicious Powershell Executed As A Service", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}, {"name": "Malicious PowerShell Process With Obfuscation Techniques", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Possible Lateral Movement PowerShell Spawn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Remote Management"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "MMC"}]}, {"name": "PowerShell 4104 Hunting", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Powershell COM Hijacking InprocServer32 Modification", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Component Object Model Hijacking"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Powershell Creating Thread Mutex", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "Indicator Removal from Tools"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "PowerShell Domain Enumeration", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "PowerShell Enable PowerShell Remoting", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Powershell Enable SMB1Protocol Feature", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "Indicator Removal from Tools"}]}, {"name": "Powershell Execute COM Object", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Component Object Model Hijacking"}, {"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Powershell Fileless Process Injection via GetProcAddress", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "PowerShell Invoke CIMMethod CIMSession", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "PowerShell Loading DotNET into Memory via Reflection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Powershell Processing Stream Of Data", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "PowerShell Script Block With URL Chain", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Powershell Using memory As Backing Store", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "PowerShell WebRequest Using Memory Stream", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}, {"mitre_attack_technique": "Fileless Storage"}]}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Gather Victim Host Information"}]}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Gather Victim Host Information"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "ServicePrincipalNames Discovery with PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Kerberoasting"}]}, {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Unloading AMSI via Reflection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "WMI Recon Running Process Or Services", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Gather Victim Host Information"}]}]}, {"name": "Masquerading - Rename System Utilities", "author": "Michael Haag, Splunk", "date": "2021-04-26", "version": 1, "id": "f0258af4-a6ae-11eb-b3c2-acde48001122", "description": "Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities.", "references": ["https://attack.mitre.org/techniques/T1036/003/"], "narrative": "Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing. It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename rundll32.exe). An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on system utilities executing from non-standard paths.\nThe following content is here to assist with binaries within `system32` or `syswow64` being moved to a new location or an adversary bringing a the binary in to execute.\nThere will be false positives as some native Windows processes are moved or ran by third party applications from different paths. If file names are mismatched between the file name on disk and that of the binarys PE metadata, this is a likely indicator that a binary was renamed after it was compiled. Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity. Do not focus on the possible names a file could have, but instead on the command-line arguments that are known to be used and are distinct because it will have a better rate of detection.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1127.001", "mitre_attack_technique": "MSBuild", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}, {"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}], "mitre_attack_tactics": ["Impact", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Execution of File With Spaces Before Extension - Rule", "ESCU - Suspicious Rundll32 Rename - Rule", "ESCU - Execution of File with Multiple Extensions - Rule", "ESCU - Sdelete Application Execution - Rule", "ESCU - Suspicious microsoft workflow compiler rename - Rule", "ESCU - Suspicious msbuild path - Rule", "ESCU - Suspicious MSBuild Rename - Rule", "ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - Windows DotNet Binary in Non Standard Path - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Execution of File With Spaces Before Extension", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Rename System Utilities"}]}, {"name": "Suspicious Rundll32 Rename", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rundll32"}, {"mitre_attack_technique": "Rename System Utilities"}]}, {"name": "Execution of File with Multiple Extensions", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}, {"name": "Sdelete Application Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Suspicious microsoft workflow compiler rename", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}]}, {"name": "Suspicious msbuild path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}, {"name": "Suspicious MSBuild Rename", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}, {"name": "System Processes Run From Unexpected Locations", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}, {"name": "Windows DotNet Binary in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}]}, {"name": "MetaSploit", "author": "Michael Haag, Splunk", "date": "2022-11-21", "version": 1, "id": "c149b694-bd08-4535-88d3-1f288a66313f", "description": "The following analytic story highlights content related directly to MetaSploit, which may be default configurations attributed to MetaSploit or behaviors of known knowns that are related.", "references": ["https://github.com/rapid7/metasploit-framework", "https://www.varonis.com/blog/what-is-metasploit"], "narrative": "The Metasploit framework is a very powerful tool which can be used by cybercriminals as well as ethical hackers to probe systematic vulnerabilities on networks and servers. Because it is an open-source framework, it can be easily customized and used with most operating systems.\nThe Metasploit Project was undertaken in 2003 by H.D. Moore for use as a Perl-based portable network tool, with assistance from core developer Matt Miller. It was fully converted to Ruby by 2007, and the license was acquired by Rapid7 in 2009, where it remains as part of the Boston-based company repertoire of IDS signature development and targeted remote exploit, fuzzing, anti-forensic, and evasion tools.\\\nPortions of these other tools reside within the Metasploit framework, which is built into the Kali Linux OS. Rapid7 has also developed two proprietary OpenCore tools, Metasploit Pro, Metasploit Express.\\\nThis framework has become the go-to exploit development and mitigation tool. Prior to Metasploit, pen testers had to perform all probes manually by using a variety of tools that may or may not have supported the platform they were testing, writing their own code by hand, and introducing it onto networks manually. Remote testing was virtually unheard of, and that limited a security specialist reach to the local area and companies spending a fortune on in-house IT or security consultants. (ref. Varonis)", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Execution"], "datamodels": [], "kill_chain_phases": ["Installation"]}, "detection_names": ["ESCU - Powershell Load Module in Meterpreter - Rule", "ESCU - Windows Apache Benchmark Binary - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Powershell Load Module in Meterpreter", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Windows Apache Benchmark Binary", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}]}, {"name": "Meterpreter", "author": "Michael Hart", "date": "2021-06-08", "version": 1, "id": "d5f8e298-c85a-11eb-9fea-acde48001122", "description": "Meterpreter provides red teams, pen testers and threat actors interactive access to a compromised host to run commands, upload payloads, download files, and other actions.", "references": ["https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/", "https://doubleoctopus.com/security-wiki/threats-and-tools/meterpreter/", "https://www.rapid7.com/products/metasploit/"], "narrative": "This Analytic Story supports you to detect Tactics, Techniques and Procedures (TTPs) from Meterpreter. Meterpreter is a Metasploit payload for remote execution that leverages DLL injection to make it extremely difficult to detect. Since the software runs in memory, no new processes are created upon injection. It also leverages encrypted communication channels.\nMeterpreter enables the operator to remotely run commands on the target machine, upload payloads, download files, dump password hashes, and much more. It is difficult to determine from the forensic evidence what actions the operator performed. Splunk Research, however, has observed anomalous behaviors on the compromised hosts that seem to only appear when Meterpreter is executing various commands. With that, we have written new detections targeted to these detections.\nWhile investigating a detection related to this analytic story, please bear in mind that the detections look for anomalies in system behavior. It will be imperative to look for other signs in the endpoint and network logs for lateral movement, discovery and other actions to confirm that the host was compromised and a remote actor used it to progress on their objectives.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}], "mitre_attack_tactics": ["Execution"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation"]}, "detection_names": ["ESCU - Excessive distinct processes from Windows Temp - Rule", "ESCU - Excessive number of taskhost processes - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "no", "author_name": "Michael Hart", "detections": [{"name": "Excessive distinct processes from Windows Temp", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Excessive number of taskhost processes", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}]}, {"name": "Microsoft MSHTML Remote Code Execution CVE-2021-40444", "author": "Michael Haag, Splunk", "date": "2021-09-08", "version": 1, "id": "4ad4253e-10ca-11ec-8235-acde48001122", "description": "CVE-2021-40444 is a remote code execution vulnerability in MSHTML, recently used to delivery targeted spearphishing documents.", "references": ["https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/windows-mshtml-zero-day-actively-exploited-mitigations-required/", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444", "https://www.echotrail.io/insights/search/control.exe"], "narrative": "Microsoft is aware of targeted attacks that attempt to exploit this vulnerability, CVE-2021-40444 by using specially-crafted Microsoft Office documents. MSHTML is a software component used to render web pages on Windows. Although it is 2019s most commonly associated with Internet Explorer, it is also used in other software. CVE-2021-40444 received a CVSS score of 8.8 out of 10. MSHTML is the beating heart of Internet Explorer, the vulnerability also exists in that browser. Although given its limited use, there is little risk of infection by that vector. Microsoft Office applications use the MSHTML component to display web content in Office documents. The attack depends on MSHTML loading a specially crafted ActiveX control when the target opens a malicious Office document. The loaded ActiveX control can then run arbitrary code to infect the system with more malware. At the moment all supported Windows versions are vulnerable. Since there is no patch available yet, Microsoft proposes a few methods to block these attacks.\n1. Disable the installation of all ActiveX controls in Internet Explorer via the registry. Previously-installed ActiveX controls will still run, but no new ones will be added, including malicious ones. Open documents from the Internet in Protected View or Application Guard for Office, both of which prevent the current attack. This is a default setting but it may have been changed.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.002", "mitre_attack_technique": "Control Panel", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Ember Bear"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}], "mitre_attack_tactics": ["Initial Access", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Exploitation"]}, "detection_names": ["ESCU - Control Loading from World Writable Directory - Rule", "ESCU - MSHTML Module Load in Office Product - Rule", "ESCU - Office Product Writing cab or inf - Rule", "ESCU - Office Spawning Control - Rule", "ESCU - Rundll32 Control RunDLL Hunt - Rule", "ESCU - Rundll32 Control RunDLL World Writable Directory - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Control Loading from World Writable Directory", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Control Panel"}]}, {"name": "MSHTML Module Load in Office Product", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Writing cab or inf", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Spawning Control", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Rundll32 Control RunDLL Hunt", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Rundll32 Control RunDLL World Writable Directory", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}]}, {"name": "Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357", "author": "Michael Haag, Gowthamaraj Rajendran, Splunk", "date": "2023-09-27", "version": 1, "id": "95ae800d-485e-47f7-866e-8be281aa497d", "description": "This analytic story focuses on the Microsoft SharePoint Server vulnerability CVE-2023-29357, which allows for an elevation of privilege due to improper handling of authentication tokens. Exploitation of this vulnerability could lead to a serious security breach where an attacker might gain privileged access to the SharePoint environment, potentially leading to data theft or other malicious activities. This story is associated with the detection `Microsoft SharePoint Server Elevation of Privilege` which identifies attempts to exploit this vulnerability.", "references": ["https://socradar.io/microsoft-sharepoint-server-elevation-of-privilege-vulnerability-exploit-cve-2023-29357/", "https://github.com/Chocapikk/CVE-2023-29357"], "narrative": "Microsoft SharePoint Server is a widely used web-based collaborative platform. The vulnerability CVE-2023-29357 exposes a flaw in the handling of authentication tokens, allowing an attacker to escalate privileges and gain unauthorized access to the SharePoint environment. This could potentially lead to data theft, unauthorized system modifications, or other malicious activities. Organizations are urged to apply immediate patches and conduct regular system assessments to ensure security.", "tags": {"category": ["Vulnerability", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Microsoft SharePoint Server Elevation of Privilege - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Gowthamaraj Rajendran, Splunk", "author_name": "Michael Haag", "detections": [{"name": "Microsoft SharePoint Server Elevation of Privilege", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}]}, {"name": "Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190", "author": "Michael Haag, Teoderick Contreras, Splunk", "date": "2022-05-31", "version": 1, "id": "2a60a99e-c93a-4036-af70-768fac838019", "description": "On Monday May 30, 2022, Microsoft issued CVE-2022-30190 regarding the Microsoft Support Diagnostic Tool (MSDT) in Windows vulnerability.", "references": ["https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/", "https://isc.sans.edu/diary/rss/28694", "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e", "https://twitter.com/nao_sec/status/1530196847679401984?s=20&t=ZiXYI4dQuA-0_dzQzSUb3A", "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", "https://www.virustotal.com/gui/file/4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784/detection", "https://strontic.github.io/xcyclopedia/library/msdt.exe-152D4C9F63EFB332CCB134C6953C0104.html"], "narrative": "A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user''s rights.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}], "mitre_attack_tactics": ["Execution", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - Windows Command and Scripting Interpreter Hunting Path Traversal - Rule", "ESCU - Windows Command and Scripting Interpreter Path Traversal Exec - Rule", "ESCU - Windows Execute Arbitrary Commands with MSDT - Rule", "ESCU - Windows Office Product Spawning MSDT - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Teoderick Contreras, Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Command and Scripting Interpreter Hunting Path Traversal", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows Command and Scripting Interpreter Path Traversal Exec", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows Execute Arbitrary Commands with MSDT", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}]}, {"name": "Windows Office Product Spawning MSDT", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}]}, {"name": "Monitor for Updates", "author": "Rico Valdez, Splunk", "date": "2017-09-15", "version": 1, "id": "9ef8d677-7b52-4213-a038-99cfc7acc2d8", "description": "Monitor your enterprise to ensure that your endpoints are being patched and updated. Adversaries notoriously exploit known vulnerabilities that could be mitigated by applying routine security patches.", "references": ["https://learn.cisecurity.org/20-controls-download"], "narrative": "It is a common best practice to ensure that endpoints are being patched and updated in a timely manner, in order to reduce the risk of compromise via a publicly disclosed vulnerability. Timely application of updates/patches is important to eliminate known vulnerabilities that may be exploited by various threat actors.\nSearches in this analytic story are designed to help analysts monitor endpoints for system patches and/or updates. This helps analysts identify any systems that are not successfully updated in a timely matter.\nMicrosoft releases updates for Windows systems on a monthly cadence. They should be installed as soon as possible after following internal testing and validation procedures. Patches and updates for other systems or applications are typically released as needed.", "tags": {"category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Compliance", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - No Windows Updates in a time frame - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "No Windows Updates in a time frame", "source": "application", "type": "Hunting", "tags": []}]}, {"name": "MOVEit Transfer Critical Vulnerability", "author": "Michael Haag, Splunk", "date": "2023-06-01", "version": 1, "id": "e8c05f9b-6ad4-45ac-8f5d-ff044da417c9", "description": "A critical zero-day vulnerability has been discovered in the MOVEit Transfer file transfer software, widely used by businesses and developers worldwide. The vulnerability has been exploited by unknown threat actors to perform mass data theft from organizations. Progress Software Corporation, the developer of MOVEit, has issued a security advisory urging customers to take immediate action to protect their environments. They recommend blocking external traffic to ports 80 and 445 on the MOVEit server, and to check the c:\\MOVEitTransfer\\wwwroot\\ folder for unusual files. A patch is currently released.", "references": ["https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023", "https://www.reddit.com/r/sysadmin/comments/13wxuej/critical_vulnerability_moveit_file_transfer/", "https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/", "https://www.reddit.com/r/sysadmin/comments/13wxuej/critical_vulnerability_moveit_file_transfer/", "https://gist.github.com/MHaggis/faa672b1929a23fc48fc0ee47585cc48"], "narrative": "Hackers have been actively exploiting a zero-day vulnerability found in the MOVEit Transfer software. This software, developed by Progress Software Corporation, a US-based company and its subsidiary Ipswitch, is a managed file transfer solution. It is used by thousands of organizations worldwide, including Chase, Disney, GEICO, and MLB, and by 3.5 million developers. The software allows for secure file transfers between business partners and customers using SFTP, SCP, and HTTP-based uploads.\nThe zero-day vulnerability has been exploited to steal data on a large scale from various organizations. The identity of the threat actors and the exact timeline of the exploitation remains unclear. However, it has been confirmed that multiple organizations have experienced breaches and data theft.\nIn response to this critical situation, Progress released a security advisory warning customers of the vulnerability and providing mitigation strategies while a patch has been released. They urged customers to take immediate action to protect their MOVEit environments. They suggested blocking external traffic to ports 80 and 445 on the MOVEit server and checking the c:\\MOVEitTransfer\\wwwroot\\ folder for unexpected files, including backups or large file downloads.\nBlocking these ports will prevent external access to the web UI, prevent some MOVEit Automation tasks from working, block APIs, and prevent the Outlook MOVEit plugin from working. However, SFTP and FTP/s protocols can continue to be used for file transfers.\nThere is currently no detailed information about the zero-day vulnerability. But based on the ports blocked and the specific location to check for unusual files, the flaw is likely a web-facing vulnerability.\nWhile Progress has officially confirmed that the vulnerability is being actively exploited, it is clear from several reports that multiple organizations have already had data stolen using this zero-day vulnerability. The exploitation appears very similar to the mass exploitation of a GoAnywhere MFT zero-day in January 2023 and the December 2020 zero-day exploitation of Accellion FTA servers. These were both managed file transfer platforms heavily exploited by the Clop ransomware gang to steal data and extort organizations.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Windows MOVEit Transfer Writing ASPX - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows MOVEit Transfer Writing ASPX", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}]}, {"name": "Netsh Abuse", "author": "Bhavin Patel, Splunk", "date": "2017-01-05", "version": 1, "id": "2b1800dd-92f9-47ec-a981-fdf1351e5f65", "description": "Detect activities and various techniques associated with the abuse of `netsh.exe`, which can disable local firewall settings or set up a remote connection to a host from an infected system.", "references": ["https://docs.microsoft.com/en-us/previous-versions/tn-archive/bb490939(v=technet.10)", "https://htmlpreview.github.io/?https://github.com/MatthewDemaske/blogbackup/blob/master/netshell.html", "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html"], "narrative": "It is a common practice for attackers of all types to leverage native Windows tools and functionality to execute commands for malicious reasons. One such tool on Windows OS is `netsh.exe`,a command-line scripting utility that allows you to--either locally or remotely--display or modify the network configuration of a computer that is currently running. `Netsh.exe` can be used to discover and disable local firewall settings. It can also be used to set up a remote connection to a host from an infected system.\nTo get started, run the detection search to identify parent processes of `netsh.exe`.", "tags": {"category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT", "ToddyCat"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Processes created by netsh - Rule", "ESCU - Processes launching netsh - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Processes created by netsh", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify System Firewall"}]}, {"name": "Processes launching netsh", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "System Network Connections Discovery"}, {"mitre_attack_technique": "System Owner/User Discovery"}, {"mitre_attack_technique": "System Shutdown/Reboot"}, {"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}]}, {"name": "Network Discovery", "author": "Teoderick Contreras, Splunk", "date": "2022-02-14", "version": 1, "id": "af228995-f182-49d7-90b3-2a732944f00f", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the network discovery, including looking for network configuration, settings such as IP, MAC address, firewall settings and many more.", "references": ["https://attack.mitre.org/techniques/T1016/", "https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf", "https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/"], "narrative": "Adversaries may use the information from System Network Configuration Discovery during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Linux System Network Discovery - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Linux System Network Discovery", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Network Configuration Discovery"}]}]}, {"name": "NjRAT", "author": "Teoderick Contreras, Splunk", "date": "2023-09-07", "version": 2, "id": "f6d52454-6cf3-4759-9627-5868a3e2b2b1", "description": "NjRat is a notorious remote access trojan (RAT) predominantly wielded by malicious operators to infiltrate and wield remote control over compromised systems. This analytical story harnesses targeted search methodologies to uncover and investigate activities that could be indicative of NjRAT's presence. These activities include tracking file write operations for dropped files, scrutinizing registry modifications aimed at establishing persistence mechanisms, monitoring suspicious processes, self-deletion behaviors, browser credential parsing, firewall configuration alterations, spread itself via removable drive and an array of other potentially malicious actions.", "references": ["https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-malware/what-is-njrat-malware/#:~:text=NJRat%20%E2%80%94%20also%20known%20as%20Bladabindi,malware%20variant%20in%20March%202023.", "https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat"], "narrative": "NjRat is also known as Bladabindi malware that was first discovered in the wild in 2012. Since then this malware remain active and uses different campaign to spred its malware. While its primary infection vectors are phishing attacks and drive-by downloads, it also has \"worm\" capability to spread itself via infected removable drives. This RAT has various of capabilities including keylogging, webcam access, browser credential parsing, file upload and downloads, file and process list, service list, shell command execution, registry modification, screen capture, view the desktop of the infected computer and many more. NjRat does not target any industry in particular, but attacking a wide variety of individuals and organizations to gather sensitive information.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.007", "mitre_attack_technique": "Disable or Modify Cloud Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Cinnamon Tempest", "Earth Lusca", "FIN13", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1129", "mitre_attack_technique": "Shared Modules", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1027.011", "mitre_attack_technique": "Fileless Storage", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "Turla"]}, {"mitre_attack_id": "T1561.002", "mitre_attack_technique": "Disk Structure Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1091", "mitre_attack_technique": "Replication Through Removable Media", "mitre_attack_tactics": ["Initial Access", "Lateral Movement"], "mitre_attack_groups": ["APT28", "Aoqin Dragon", "Darkhotel", "FIN7", "LuminousMoth", "Mustang Panda", "Tropic Trooper"]}, {"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "APT5", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "APT41", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "Volt Typhoon", "ZIRCONIUM"]}, {"mitre_attack_id": "T1561", "mitre_attack_technique": "Disk Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1497.003", "mitre_attack_technique": "Time Based Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "APT41", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Malteiro", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1102", "mitre_attack_technique": "Web Service", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT32", "EXOTIC LILY", "Ember Bear", "FIN6", "FIN8", "Fox Kitten", "Gamaredon Group", "Inception", "LazyScripter", "Mustang Panda", "Rocke", "TeamTNT", "Turla"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "Malteiro", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1497", "mitre_attack_technique": "Virtualization/Sandbox Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": ["Darkhotel"]}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT", "ToddyCat"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Command And Control", "Initial Access", "Discovery", "Privilege Escalation", "Credential Access", "Persistence", "Execution", "Defense Evasion", "Impact", "Lateral Movement"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Exploitation", "Actions on Objectives", "Installation", "Command and Control"]}, "detection_names": ["ESCU - Allow Inbound Traffic By Firewall Rule Registry - Rule", "ESCU - Allow Network Discovery In Firewall - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Disable Registry Tool - Rule", "ESCU - Disabling CMD Application - Rule", "ESCU - Disabling SystemRestore In Registry - Rule", "ESCU - Disabling Task Manager - Rule", "ESCU - Excessive Usage Of Taskkill - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Firewall Allowed Program Enable - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Office Application Spawn rundll32 process - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Document Spawned Child Process To Download - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Office Product Spawning MSHTA - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Windows Abused Web Services - Rule", "ESCU - Windows Admin Permission Discovery - Rule", "ESCU - Windows Boot or Logon Autostart Execution In Startup Folder - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule", "ESCU - Windows Delete or Modify System Firewall - Rule", "ESCU - Windows Disable or Modify Tools Via Taskkill - Rule", "ESCU - Windows Executable in Loaded Modules - Rule", "ESCU - Windows Modify Registry With MD5 Reg Key Name - Rule", "ESCU - Windows Modify System Firewall with Notable Process Path - Rule", "ESCU - Windows Njrat Fileless Storage via Registry - Rule", "ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - Windows Replication Through Removable Media - Rule", "ESCU - Windows System LogOff Commandline - Rule", "ESCU - Windows System Reboot CommandLine - Rule", "ESCU - Windows System Shutdown CommandLine - Rule", "ESCU - Windows Time Based Evasion - Rule", "ESCU - Windows Unsigned DLL Side-Loading - Rule", "ESCU - Windows User Execution Malicious URL Shortcut File - Rule", "ESCU - Wscript Or Cscript Suspicious Child Process - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Allow Inbound Traffic By Firewall Rule Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "Allow Network Discovery In Firewall", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Cloud Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Disable Registry Tool", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}, {"name": "Disabling CMD Application", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}, {"name": "Disabling SystemRestore In Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Disabling Task Manager", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Excessive Usage Of Taskkill", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Firewall Allowed Program Enable", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "Office Application Spawn rundll32 process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Document Spawned Child Process To Download", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawning MSHTA", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Windows Abused Web Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Web Service"}]}, {"name": "Windows Admin Permission Discovery", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Local Groups"}]}, {"name": "Windows Boot or Logon Autostart Execution In Startup Folder", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Windows Credentials from Password Stores Chrome LocalState Access", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Credentials from Password Stores Chrome Login Data Access", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Delete or Modify System Firewall", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Disable or Modify System Firewall"}]}, {"name": "Windows Disable or Modify Tools Via Taskkill", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Disable or Modify Tools"}]}, {"name": "Windows Executable in Loaded Modules", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Shared Modules"}]}, {"name": "Windows Modify Registry With MD5 Reg Key Name", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify System Firewall with Notable Process Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Njrat Fileless Storage via Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Fileless Storage"}, {"mitre_attack_technique": "Obfuscated Files or Information"}]}, {"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}, {"name": "Windows Replication Through Removable Media", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Replication Through Removable Media"}]}, {"name": "Windows System LogOff Commandline", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Shutdown/Reboot"}]}, {"name": "Windows System Reboot CommandLine", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Shutdown/Reboot"}]}, {"name": "Windows System Shutdown CommandLine", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Shutdown/Reboot"}]}, {"name": "Windows Time Based Evasion", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Virtualization/Sandbox Evasion"}, {"mitre_attack_technique": "Time Based Evasion"}]}, {"name": "Windows Unsigned DLL Side-Loading", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "DLL Side-Loading"}]}, {"name": "Windows User Execution Malicious URL Shortcut File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Malicious File"}, {"mitre_attack_technique": "User Execution"}]}, {"name": "Wscript Or Cscript Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Parent PID Spoofing"}, {"mitre_attack_technique": "Access Token Manipulation"}]}]}, {"name": "NOBELIUM Group", "author": "Patrick Bareiss, Michael Haag, Mauricio Velazco, Splunk", "date": "2020-12-14", "version": 3, "id": "758196b5-2e21-424f-a50c-6e421ce926c2", "description": "NOBELIUM, also known as APT29, The Dukes, Cozy Bear, CozyDuke, Blue Kitsune, and Midnight Blizzard, is a sophisticated nation-state threat actor, reportedly associated with Russian intelligence. Active since at least 2008, this group primarily targets government networks in Europe and NATO member countries, along with research institutes and think tanks. Their operations typically involve advanced persistent threats (APT), leveraging techniques like spear-phishing, malware deployment, and long-term network compromise to achieve information theft and espionage. Notably, APT29 has been implicated in significant cyber espionage incidents, including the 2015 breach of the Pentagon's Joint Staff email system and attacks on the Democratic National Committee in 2016. Their advanced tactics and persistent approach underscore the serious nature of threats posed by this group to global cybersecurity.", "references": ["https://attack.mitre.org/groups/G0016/", "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/", "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/", "https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/"], "narrative": "This Analytic Story groups detections designed to trigger on a comprehensive range of Tactics, Techniques, and Procedures (TTPs) leveraged by the NOBELIUM Group, with a focus on their methods as observed in well-known public breaches.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}, {"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "APT5", "Akira", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN13", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1071.002", "mitre_attack_technique": "File Transfer Protocols", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Dragonfly", "Kimsuky", "SilverTerrier"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider", "Scattered Spider"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "Cinnamon Tempest", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "MoustachedBouncer", "POLONIUM", "Sandworm Team", "Turla", "Volt Typhoon", "Windigo"]}, {"mitre_attack_id": "T1098.003", "mitre_attack_technique": "Additional Cloud Roles", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1203", "mitre_attack_technique": "Exploitation for Client Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT12", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT41", "Andariel", "Aoqin Dragon", "Axiom", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "Higaisa", "Inception", "Lazarus Group", "Leviathan", "MuddyWater", "Mustang Panda", "Patchwork", "Sandworm Team", "Sidewinder", "TA459", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "admin@338"]}, {"mitre_attack_id": "T1114.002", "mitre_attack_technique": "Remote Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "Chimera", "Dragonfly", "FIN4", "HAFNIUM", "Ke3chang", "Kimsuky", "Leafminer", "Magic Hound"]}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1098.001", "mitre_attack_technique": "Additional Cloud Credentials", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA2541", "TA551"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Magic Hound", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1098.002", "mitre_attack_technique": "Additional Email Delegate Permissions", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "Magic Hound"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1090.003", "mitre_attack_technique": "Multi-hop Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT28", "APT29", "FIN4", "Inception", "Leviathan"]}, {"mitre_attack_id": "T1110.001", "mitre_attack_technique": "Password Guessing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Akira", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Scattered Spider", "Silence", "Threat Group-3390", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Command And Control", "Collection", "Initial Access", "Resource Development", "Discovery", "Credential Access", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion"], "datamodels": ["Network_Traffic", "Web", "Endpoint"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Weaponization", "Command and Control"]}, "detection_names": ["ESCU - Azure AD Admin Consent Bypassed by Service Principal - Rule", "ESCU - Azure AD FullAccessAsApp Permission Assigned - Rule", "ESCU - Azure AD High Number Of Failed Authentications From Ip - Rule", "ESCU - Azure AD Multi-Source Failed Authentications Spike - Rule", "ESCU - Azure AD Multiple Service Principals Created by SP - Rule", "ESCU - Azure AD Multiple Service Principals Created by User - Rule", "ESCU - Azure AD Privileged Graph API Permission Assigned - Rule", "ESCU - Azure AD Privileged Role Assigned - Rule", "ESCU - Azure AD Privileged Role Assigned to Service Principal - Rule", "ESCU - Azure AD Service Principal Authentication - Rule", "ESCU - Azure AD Service Principal Created - Rule", "ESCU - Azure AD Service Principal New Client Credentials - Rule", "ESCU - Azure AD Service Principal Owner Added - Rule", "ESCU - Azure AD Tenant Wide Admin Consent Granted - Rule", "ESCU - O365 Added Service Principal - Rule", "ESCU - O365 Application Registration Owner Added - Rule", "ESCU - O365 ApplicationImpersonation Role Assigned - Rule", "ESCU - O365 FullAccessAsApp Permission Assigned - Rule", "ESCU - O365 Multi-Source Failed Authentications Spike - Rule", "ESCU - O365 Multiple Mailboxes Accessed via API - Rule", "ESCU - O365 Multiple Service Principals Created by SP - Rule", "ESCU - O365 Multiple Service Principals Created by User - Rule", "ESCU - O365 Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - O365 OAuth App Mailbox Access via EWS - Rule", "ESCU - O365 OAuth App Mailbox Access via Graph API - Rule", "ESCU - O365 Privileged Graph API Permission Assigned - Rule", "ESCU - O365 Service Principal New Client Credentials - Rule", "ESCU - O365 Tenant Wide Admin Consent Granted - Rule", "ESCU - Anomalous usage of 7zip - Rule", "ESCU - Detect Prohibited Applications Spawning cmd exe - Rule", "ESCU - Detect Rundll32 Inline HTA Execution - Rule", "ESCU - First Time Seen Running Windows Service - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Sunburst Correlation DLL and Network Event - Rule", "ESCU - Windows AdFind Exe - Rule", "ESCU - Detect Outbound SMB Traffic - Rule", "ESCU - TOR Traffic - Rule", "ESCU - Supernova Webshell - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Michael Haag, Mauricio Velazco, Splunk", "author_name": "Patrick Bareiss", "detections": [{"name": "Azure AD Admin Consent Bypassed by Service Principal", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "Azure AD FullAccessAsApp Permission Assigned", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Additional Email Delegate Permissions"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "Azure AD High Number Of Failed Authentications From Ip", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Guessing"}, {"mitre_attack_technique": "Password Spraying"}]}, {"name": "Azure AD Multi-Source Failed Authentications Spike", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}, {"name": "Azure AD Multiple Service Principals Created by SP", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Account"}]}, {"name": "Azure AD Multiple Service Principals Created by User", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Account"}]}, {"name": "Azure AD Privileged Graph API Permission Assigned", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Security Account Manager"}]}, {"name": "Azure AD Privileged Role Assigned", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "Azure AD Privileged Role Assigned to Service Principal", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "Azure AD Service Principal Authentication", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Cloud Accounts"}]}, {"name": "Azure AD Service Principal Created", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Cloud Account"}]}, {"name": "Azure AD Service Principal New Client Credentials", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Credentials"}]}, {"name": "Azure AD Service Principal Owner Added", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}]}, {"name": "Azure AD Tenant Wide Admin Consent Granted", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "O365 Added Service Principal", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}, {"name": "O365 Application Registration Owner Added", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}]}, {"name": "O365 ApplicationImpersonation Role Assigned", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Email Delegate Permissions"}]}, {"name": "O365 FullAccessAsApp Permission Assigned", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Additional Email Delegate Permissions"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "O365 Multi-Source Failed Authentications Spike", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}, {"name": "O365 Multiple Mailboxes Accessed via API", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Email Collection"}]}, {"name": "O365 Multiple Service Principals Created by SP", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Account"}]}, {"name": "O365 Multiple Service Principals Created by User", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Account"}]}, {"name": "O365 Multiple Users Failing To Authenticate From Ip", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}, {"name": "O365 OAuth App Mailbox Access via EWS", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Email Collection"}]}, {"name": "O365 OAuth App Mailbox Access via Graph API", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Email Collection"}]}, {"name": "O365 Privileged Graph API Permission Assigned", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Security Account Manager"}]}, {"name": "O365 Service Principal New Client Credentials", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Credentials"}]}, {"name": "O365 Tenant Wide Admin Consent Granted", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "Anomalous usage of 7zip", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}, {"name": "Detect Prohibited Applications Spawning cmd exe", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}]}, {"name": "Detect Rundll32 Inline HTA Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}, {"name": "First Time Seen Running Windows Service", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Schtasks scheduling job on remote system", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Sunburst Correlation DLL and Network Event", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploitation for Client Execution"}]}, {"name": "Windows AdFind Exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "Detect Outbound SMB Traffic", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "File Transfer Protocols"}, {"mitre_attack_technique": "Application Layer Protocol"}]}, {"name": "TOR Traffic", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Multi-hop Proxy"}]}, {"name": "Supernova Webshell", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "External Remote Services"}]}]}, {"name": "Office 365 Account Takeover", "author": "Mauricio Velazco, Patrick Bareiss, Splunk", "date": "2023-10-17", "version": 1, "id": "7dcea963-af44-4db7-a5b9-fd2b543d9bc9", "description": "Monitor for activities and anomalies indicative of initial access techniques within Office 365 environments.", "references": ["https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes", "https://attack.mitre.org/tactics/TA0001/", "https://stealthbits.com/blog/bypassing-mfa-with-pass-the-cookie/", "https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth", "https://www.alteredsecurity.com/post/introduction-to-365-stealer", "https://github.com/AlteredSecurity/365-Stealer"], "narrative": "Office 365 (O365) is Microsoft's cloud-based suite of productivity tools, encompassing email, collaboration platforms, and office applications, all integrated with Azure Active Directory for identity and access management. O365's centralized storage of sensitive data and widespread adoption make it a key asset, yet also a prime target for security threats. The \"Office 365 Account Takeover\" analytic story focuses on the initial techniques attackers employ to breach or compromise these identities. Initial access, in this context, consists of techniques that use various entry vectors to gain their initial foothold . Identifying these early indicators is crucial for establishing the first line of defense against unauthorized access and potential security incidents within O365 environments.", "tags": {"category": ["Adversary Tactics", "Account Compromise", "Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1110.001", "mitre_attack_technique": "Password Guessing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1185", "mitre_attack_technique": "Browser Session Hijacking", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1528", "mitre_attack_technique": "Steal Application Access Token", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$", "Scattered Spider"]}], "mitre_attack_tactics": ["Initial Access", "Collection", "Resource Development", "Credential Access", "Privilege Escalation", "Persistence", "Defense Evasion"], "datamodels": ["Authentication", "Risk"], "kill_chain_phases": ["Delivery", "Installation", "Weaponization", "Exploitation"]}, "detection_names": ["ESCU - High Number of Login Failures from a single source - Rule", "ESCU - O365 Block User Consent For Risky Apps Disabled - Rule", "ESCU - O365 Concurrent Sessions From Different Ips - Rule", "ESCU - O365 Excessive Authentication Failures Alert - Rule", "ESCU - O365 Excessive SSO logon errors - Rule", "ESCU - O365 File Permissioned Application Consent Granted by User - Rule", "ESCU - O365 High Number Of Failed Authentications for User - Rule", "ESCU - O365 Mail Permissioned Application Consent Granted by User - Rule", "ESCU - O365 Multi-Source Failed Authentications Spike - Rule", "ESCU - O365 Multiple AppIDs and UserAgents Authentication Spike - Rule", "ESCU - O365 Multiple Failed MFA Requests For User - Rule", "ESCU - O365 Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - O365 Security And Compliance Alert Triggered - Rule", "ESCU - O365 User Consent Blocked for Risky Application - Rule", "ESCU - O365 User Consent Denied for OAuth Application - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Patrick Bareiss, Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "High Number of Login Failures from a single source", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Guessing"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "O365 Block User Consent For Risky Apps Disabled", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Impair Defenses"}]}, {"name": "O365 Concurrent Sessions From Different Ips", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Browser Session Hijacking"}]}, {"name": "O365 Excessive Authentication Failures Alert", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Brute Force"}]}, {"name": "O365 Excessive SSO logon errors", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Authentication Process"}]}, {"name": "O365 File Permissioned Application Consent Granted by User", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal Application Access Token"}]}, {"name": "O365 High Number Of Failed Authentications for User", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Guessing"}]}, {"name": "O365 Mail Permissioned Application Consent Granted by User", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal Application Access Token"}]}, {"name": "O365 Multi-Source Failed Authentications Spike", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}, {"name": "O365 Multiple AppIDs and UserAgents Authentication Spike", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "O365 Multiple Failed MFA Requests For User", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}, {"name": "O365 Multiple Users Failing To Authenticate From Ip", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}, {"name": "O365 Security And Compliance Alert Triggered", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}]}, {"name": "O365 User Consent Blocked for Risky Application", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal Application Access Token"}]}, {"name": "O365 User Consent Denied for OAuth Application", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal Application Access Token"}]}]}, {"name": "Office 365 Collection Techniques", "author": "Mauricio Velazco, Splunk", "date": "2024-02-12", "version": 1, "id": "d90f2b80-f675-4717-90af-12fc8c438ae8", "description": "Monitor for activities and anomalies indicative of potential collection techniques within Office 365 environments.", "references": [], "narrative": "Office 365 (O365) is Microsoft's cloud-based suite of productivity tools, encompassing email, collaboration platforms, and office applications, all integrated with Azure Active Directory for identity and access management. O365's centralized storage of sensitive data and widespread adoption make it a key asset, yet also a prime target for security threats. The 'Office 365 Collection Techniques' analytic story focuses on the strategies and methodologies that attackers might use to gather critical information within the O365 ecosystem. 'Collection' in this context refers to the various techniques adversaries deploy to accumulate data that are essential for advancing their malicious objectives. This could include tactics such as intercepting communications, accessing sensitive documents, or extracting data from collaboration tools and email platforms. By identifying and monitoring these collection activities, organizations can more effectively spot and counteract attempts to illicitly gather information", "tags": {"category": ["Adversary Tactics", "Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1098.002", "mitre_attack_technique": "Additional Email Delegate Permissions", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "Magic Hound"]}, {"mitre_attack_id": "T1114.003", "mitre_attack_technique": "Email Forwarding Rule", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Kimsuky", "LAPSUS$", "Silent Librarian"]}, {"mitre_attack_id": "T1114", "mitre_attack_technique": "Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Magic Hound", "Silent Librarian"]}, {"mitre_attack_id": "T1114.002", "mitre_attack_technique": "Remote Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "Chimera", "Dragonfly", "FIN4", "HAFNIUM", "Ke3chang", "Kimsuky", "Leafminer", "Magic Hound"]}], "mitre_attack_tactics": ["Persistence", "Collection", "Privilege Escalation"], "datamodels": ["Web", "Change"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - O365 ApplicationImpersonation Role Assigned - Rule", "ESCU - O365 Compliance Content Search Exported - Rule", "ESCU - O365 Compliance Content Search Started - Rule", "ESCU - O365 Elevated Mailbox Permission Assigned - Rule", "ESCU - O365 Mailbox Email Forwarding Enabled - Rule", "ESCU - O365 Mailbox Folder Read Permission Assigned - Rule", "ESCU - O365 Mailbox Folder Read Permission Granted - Rule", "ESCU - O365 Multiple Mailboxes Accessed via API - Rule", "ESCU - O365 New Email Forwarding Rule Created - Rule", "ESCU - O365 New Email Forwarding Rule Enabled - Rule", "ESCU - O365 New Forwarding Mailflow Rule Created - Rule", "ESCU - O365 OAuth App Mailbox Access via EWS - Rule", "ESCU - O365 OAuth App Mailbox Access via Graph API - Rule", "ESCU - O365 PST export alert - Rule", "ESCU - O365 Suspicious Admin Email Forwarding - Rule", "ESCU - O365 Suspicious Rights Delegation - Rule", "ESCU - O365 Suspicious User Email Forwarding - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "O365 ApplicationImpersonation Role Assigned", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Email Delegate Permissions"}]}, {"name": "O365 Compliance Content Search Exported", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Email Collection"}, {"mitre_attack_technique": "Remote Email Collection"}]}, {"name": "O365 Compliance Content Search Started", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Email Collection"}, {"mitre_attack_technique": "Remote Email Collection"}]}, {"name": "O365 Elevated Mailbox Permission Assigned", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Email Delegate Permissions"}]}, {"name": "O365 Mailbox Email Forwarding Enabled", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Email Collection"}, {"mitre_attack_technique": "Email Forwarding Rule"}]}, {"name": "O365 Mailbox Folder Read Permission Assigned", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Email Delegate Permissions"}]}, {"name": "O365 Mailbox Folder Read Permission Granted", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Email Delegate Permissions"}]}, {"name": "O365 Multiple Mailboxes Accessed via API", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Email Collection"}]}, {"name": "O365 New Email Forwarding Rule Created", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Email Collection"}, {"mitre_attack_technique": "Email Forwarding Rule"}]}, {"name": "O365 New Email Forwarding Rule Enabled", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Email Collection"}, {"mitre_attack_technique": "Email Forwarding Rule"}]}, {"name": "O365 New Forwarding Mailflow Rule Created", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Email Collection"}]}, {"name": "O365 OAuth App Mailbox Access via EWS", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Email Collection"}]}, {"name": "O365 OAuth App Mailbox Access via Graph API", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Email Collection"}]}, {"name": "O365 PST export alert", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Email Collection"}]}, {"name": "O365 Suspicious Admin Email Forwarding", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Email Forwarding Rule"}, {"mitre_attack_technique": "Email Collection"}]}, {"name": "O365 Suspicious Rights Delegation", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Email Collection"}, {"mitre_attack_technique": "Email Collection"}, {"mitre_attack_technique": "Additional Email Delegate Permissions"}, {"mitre_attack_technique": "Account Manipulation"}]}, {"name": "O365 Suspicious User Email Forwarding", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Email Forwarding Rule"}, {"mitre_attack_technique": "Email Collection"}]}]}, {"name": "Office 365 Persistence Mechanisms", "author": "Mauricio Velazco, Patrick Bareiss, Splunk", "date": "2023-10-17", "version": 1, "id": "d230a106-0475-4605-a8d8-abaf4c31ced7", "description": "Monitor for activities and anomalies indicative of potential persistence techniques within Office 365 environments.", "references": ["https://attack.mitre.org/tactics/TA0003/", "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", "https://blog.sygnia.co/detection-and-hunting-of-golden-saml-attack?hsLang=en", "https://www.mandiant.com/sites/default/files/2022-08/remediation-hardening-strategies-for-m365-defend-against-apt29-white-paper.pdf", "https://www.csoonline.com/article/570381/microsoft-365-advanced-audit-what-you-need-to-know.html", "https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/overview-assign-app-owners", "https://i.blackhat.com/USA-20/Thursday/us-20-Bienstock-My-Cloud-Is-APTs-Cloud-Investigating-And-Defending-Office-365.pdf"], "narrative": "Office 365 (O365) is Microsoft's cloud-based suite of productivity tools, encompassing email, collaboration platforms, and office applications, all integrated with Azure Active Directory for identity and access management. O365's centralized storage of sensitive data and widespread adoption make it a key asset, yet also a prime target for security threats. The \"Office 365 Persistence Mechanisms\" analytic story delves into the tactics and techniques attackers employ to maintain prolonged unauthorized access within the O365 environment. Persistence in this context refers to methods used by adversaries to keep their foothold after an initial compromise. This can involve actions like modifying mailbox rules, establishing covert forwarding rules, manipulating application permissions. By monitoring signs of persistence, organizations can effectively detect and respond to stealthy threats, thereby protecting their O365 assets and data.", "tags": {"category": ["Adversary Tactics", "Account Compromise", "Cloud Security", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098.003", "mitre_attack_technique": "Additional Cloud Roles", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1098.002", "mitre_attack_technique": "Additional Email Delegate Permissions", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "Magic Hound"]}, {"mitre_attack_id": "T1562.007", "mitre_attack_technique": "Disable or Modify Cloud Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1114", "mitre_attack_technique": "Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Magic Hound", "Silent Librarian"]}, {"mitre_attack_id": "T1098.005", "mitre_attack_technique": "Device Registration", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1098.001", "mitre_attack_technique": "Additional Cloud Credentials", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider", "Scattered Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1562.008", "mitre_attack_technique": "Disable or Modify Cloud Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1114.002", "mitre_attack_technique": "Remote Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "Chimera", "Dragonfly", "FIN4", "HAFNIUM", "Ke3chang", "Kimsuky", "Leafminer", "Magic Hound"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Collection", "Credential Access", "Privilege Escalation", "Persistence", "Defense Evasion"], "datamodels": ["Authentication", "Change"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - O365 Add App Role Assignment Grant User - Rule", "ESCU - O365 Added Service Principal - Rule", "ESCU - O365 Admin Consent Bypassed by Service Principal - Rule", "ESCU - O365 Advanced Audit Disabled - Rule", "ESCU - O365 Application Registration Owner Added - Rule", "ESCU - O365 ApplicationImpersonation Role Assigned - Rule", "ESCU - O365 Bypass MFA via Trusted IP - Rule", "ESCU - O365 Disable MFA - Rule", "ESCU - O365 FullAccessAsApp Permission Assigned - Rule", "ESCU - O365 High Privilege Role Granted - Rule", "ESCU - O365 Mailbox Inbox Folder Shared with All Users - Rule", "ESCU - O365 Mailbox Read Access Granted to Application - Rule", "ESCU - O365 Multiple Service Principals Created by SP - Rule", "ESCU - O365 Multiple Service Principals Created by User - Rule", "ESCU - O365 New Federated Domain Added - Rule", "ESCU - O365 New MFA Method Registered - Rule", "ESCU - O365 Privileged Graph API Permission Assigned - Rule", "ESCU - O365 Service Principal New Client Credentials - Rule", "ESCU - O365 Tenant Wide Admin Consent Granted - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Patrick Bareiss, Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "O365 Add App Role Assignment Grant User", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}, {"name": "O365 Added Service Principal", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}, {"name": "O365 Admin Consent Bypassed by Service Principal", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "O365 Advanced Audit Disabled", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Disable or Modify Cloud Logs"}]}, {"name": "O365 Application Registration Owner Added", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}]}, {"name": "O365 ApplicationImpersonation Role Assigned", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Email Delegate Permissions"}]}, {"name": "O365 Bypass MFA via Trusted IP", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Cloud Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "O365 Disable MFA", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Authentication Process"}]}, {"name": "O365 FullAccessAsApp Permission Assigned", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Additional Email Delegate Permissions"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "O365 High Privilege Role Granted", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "O365 Mailbox Inbox Folder Shared with All Users", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Email Collection"}, {"mitre_attack_technique": "Remote Email Collection"}]}, {"name": "O365 Mailbox Read Access Granted to Application", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Email Collection"}, {"mitre_attack_technique": "Email Collection"}, {"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}, {"name": "O365 Multiple Service Principals Created by SP", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Account"}]}, {"name": "O365 Multiple Service Principals Created by User", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Account"}]}, {"name": "O365 New Federated Domain Added", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}, {"name": "O365 New MFA Method Registered", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Device Registration"}]}, {"name": "O365 Privileged Graph API Permission Assigned", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Security Account Manager"}]}, {"name": "O365 Service Principal New Client Credentials", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Credentials"}]}, {"name": "O365 Tenant Wide Admin Consent Granted", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}]}, {"name": "Okta Account Takeover", "author": "Michael Haag, Mauricio Velazco, Bhavin Patel, Splunk", "date": "2024-03-06", "version": 1, "id": "83a48657-8153-4580-adba-eb0b3a83244e", "description": "The Okta Account Takeover analytic story encompasses a comprehensive suite of detections aimed at identifying unauthorized access and potential takeover attempts of Okta accounts. This collection leverages diverse data points and behavioral analytics to safeguard user identities and access within cloud environments. Monitor for activities and techniques associated with Account Takeover attacks against Okta tenants.", "references": ["https://attack.mitre.org/techniques/T1586/", "https://www.imperva.com/learn/application-security/account-takeover-ato/", "https://www.barracuda.com/glossary/account-takeover", "https://www.okta.com/customer-identity/"], "narrative": "Okta is a cloud-based identity management service that provides organizations with a secure way to manage user access to various applications and services. It enables single sign-on (SSO), multi-factor authentication (MFA), lifecycle management, and more, helping organizations streamline the user authentication process. Account Takeover (ATO) is an attack whereby cybercriminals gain unauthorized access to online accounts by using different techniques like brute force, social engineering, phishing & spear phishing, credential stuffing, etc. By posing as the real user, cyber-criminals can change account details, send out phishing emails, access sensitive applications, or use any stolen information to access further accounts within the organization. This analytic story groups detections that can help security operations teams identify the potential compromise of Okta accounts.", "tags": {"category": ["Adversary Tactics", "Account Compromise", "Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1556.006", "mitre_attack_technique": "Multi-Factor Authentication", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["Scattered Spider"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1078.001", "mitre_attack_technique": "Default Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["FIN13", "Magic Hound"]}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1098.005", "mitre_attack_technique": "Device Registration", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1550.004", "mitre_attack_technique": "Web Session Cookie", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1538", "mitre_attack_technique": "Cloud Service Dashboard", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Scattered Spider"]}, {"mitre_attack_id": "T1539", "mitre_attack_technique": "Steal Web Session Cookie", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Evilnum", "LuminousMoth", "Sandworm Team", "Scattered Spider"]}, {"mitre_attack_id": "T1087.004", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT29"]}], "mitre_attack_tactics": ["Initial Access", "Resource Development", "Discovery", "Privilege Escalation", "Credential Access", "Persistence", "Defense Evasion", "Lateral Movement"], "datamodels": ["Authentication", "Change", "Risk"], "kill_chain_phases": ["Installation", "Weaponization", "Delivery", "Exploitation"]}, "detection_names": ["ESCU - Okta Authentication Failed During MFA Challenge - Rule", "ESCU - Okta MFA Exhaustion Hunt - Rule", "ESCU - Okta Mismatch Between Source and Response for Verify Push Request - Rule", "ESCU - Okta Multi-Factor Authentication Disabled - Rule", "ESCU - Okta Multiple Accounts Locked Out - Rule", "ESCU - Okta Multiple Failed MFA Requests For User - Rule", "ESCU - Okta Multiple Failed Requests to Access Applications - Rule", "ESCU - Okta Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - Okta New API Token Created - Rule", "ESCU - Okta New Device Enrolled on Account - Rule", "ESCU - Okta Phishing Detection with FastPass Origin Check - Rule", "ESCU - Okta Risk Threshold Exceeded - Rule", "ESCU - Okta Successful Single Factor Authentication - Rule", "ESCU - Okta Suspicious Activity Reported - Rule", "ESCU - Okta Suspicious Use of a Session Cookie - Rule", "ESCU - Okta ThreatInsight Threat Detected - Rule", "ESCU - Okta Unauthorized Access to Application - Rule", "ESCU - Okta User Logins from Multiple Cities - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Mauricio Velazco, Bhavin Patel, Splunk", "author_name": "Michael Haag", "detections": [{"name": "Okta Authentication Failed During MFA Challenge", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}, {"name": "Okta MFA Exhaustion Hunt", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Brute Force"}]}, {"name": "Okta Mismatch Between Source and Response for Verify Push Request", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}, {"name": "Okta Multi-Factor Authentication Disabled", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Authentication Process"}, {"mitre_attack_technique": "Multi-Factor Authentication"}]}, {"name": "Okta Multiple Accounts Locked Out", "source": "application", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Brute Force"}]}, {"name": "Okta Multiple Failed MFA Requests For User", "source": "application", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}, {"name": "Okta Multiple Failed Requests to Access Applications", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Web Session Cookie"}, {"mitre_attack_technique": "Cloud Service Dashboard"}]}, {"name": "Okta Multiple Users Failing To Authenticate From Ip", "source": "application", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}]}, {"name": "Okta New API Token Created", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}]}, {"name": "Okta New Device Enrolled on Account", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Device Registration"}]}, {"name": "Okta Phishing Detection with FastPass Origin Check", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}, {"mitre_attack_technique": "Modify Authentication Process"}]}, {"name": "Okta Risk Threshold Exceeded", "source": "application", "type": "Correlation", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Okta Successful Single Factor Authentication", "source": "application", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}, {"name": "Okta Suspicious Activity Reported", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}]}, {"name": "Okta Suspicious Use of a Session Cookie", "source": "application", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Steal Web Session Cookie"}]}, {"name": "Okta ThreatInsight Threat Detected", "source": "application", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}]}, {"name": "Okta Unauthorized Access to Application", "source": "application", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Account"}]}, {"name": "Okta User Logins from Multiple Cities", "source": "application", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Accounts"}]}]}, {"name": "Okta MFA Exhaustion", "author": "Michael Haag, Splunk", "date": "2022-09-27", "version": 1, "id": "7c6e508d-4b4d-42c8-82de-5ff4ea3b0cb3", "description": "A social engineering technique called 'MFA Fatigue', aka 'MFA push spam' or 'MFA Exhaustion', is growing more popular with threat actors as it does not require malware or phishing infrastructure and has proven to be successful in attacks.", "references": ["https://www.bleepingcomputer.com/news/security/mfa-fatigue-hackers-new-favorite-tactic-in-high-profile-breaches/", "https://www.csoonline.com/article/3674156/multi-factor-authentication-fatigue-attacks-are-on-the-rise-how-to-defend-against-them.html"], "narrative": "An MFA Fatigue attack is when a threat actor runs a script that attempts to log in with stolen credentials over and over, causing what feels like an endless stream of MFA push requests to be sent to the account's owner's mobile device. The goal is to keep this up, day and night, to break down the target's cybersecurity posture and inflict a sense of \"fatigue\" regarding these MFA prompts.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Initial Access", "Privilege Escalation", "Credential Access", "Persistence", "Defense Evasion"], "datamodels": ["Authentication", "Risk"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation"]}, "detection_names": ["ESCU - Okta MFA Exhaustion Hunt - Rule", "ESCU - Okta Mismatch Between Source and Response for Verify Push Request - Rule", "ESCU - Okta Risk Threshold Exceeded - Rule", "ESCU - Okta Account Locked Out - Rule", "ESCU - Okta Two or More Rejected Okta Pushes - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Okta MFA Exhaustion Hunt", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Brute Force"}]}, {"name": "Okta Mismatch Between Source and Response for Verify Push Request", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}, {"name": "Okta Risk Threshold Exceeded", "source": "application", "type": "Correlation", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Okta Account Locked Out", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Brute Force"}]}, {"name": "Okta Two or More Rejected Okta Pushes", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Brute Force"}]}]}, {"name": "OpenSSL CVE-2022-3602", "author": "Michael Haag, splunk", "date": "2022-11-02", "version": 1, "id": "491e00c9-998b-4c64-91bb-d8f9c79c1f4c", "description": "OpenSSL recently disclosed two vulnerabilities CVE-2022-3602 and CVE-2022-3786. CVE-2022-3602 is a X.509 Email Address 4-byte Buffer Overflow where puny code is utilized. This only affects OpenSSL 3.0.0 - 3.0.6.", "references": ["https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/", "https://github.com/advisories/GHSA-h8jm-2x53-xhp5", "https://community.emergingthreats.net/t/out-of-band-ruleset-update-summary-2022-11-01/117", "https://github.com/corelight/CVE-2022-3602/tree/master/scripts"], "narrative": "A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the . character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service). In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. Users of OpenSSL 3.0.0 - 3.0.6 are encouraged to upgrade to 3.0.7 as soon as possible. If you obtain your copy of OpenSSL from your Operating System vendor or other third party then you should seek to obtain an updated version from them as soon as possible. SSL Certificates with Punycode will identify SSL certificates with Punycode. Note that it does not mean it will capture malicious payloads. If using Zeek, modify the Zeek x509 certificate with punycode to match your environment. We found during this exercise that the FULL x509 with SAN must be captured and stored, decoded, in order to query against it.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1573", "mitre_attack_technique": "Encrypted Channel", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT29", "BITTER", "Magic Hound", "Tropic Trooper"]}], "mitre_attack_tactics": ["Command And Control"], "datamodels": [], "kill_chain_phases": ["Command and Control"]}, "detection_names": ["ESCU - SSL Certificates with Punycode - Rule", "ESCU - Zeek x509 Certificate with Punycode - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "splunk", "author_name": "Michael Haag", "detections": [{"name": "SSL Certificates with Punycode", "source": "network", "type": "Hunting", "tags": [{"mitre_attack_technique": "Encrypted Channel"}]}, {"name": "Zeek x509 Certificate with Punycode", "source": "network", "type": "Hunting", "tags": [{"mitre_attack_technique": "Encrypted Channel"}]}]}, {"name": "Orangeworm Attack Group", "author": "David Dorsey, Splunk", "date": "2020-01-22", "version": 2, "id": "bb9f5ed2-916e-4364-bb6d-97c370efcf52", "description": "Detect activities and various techniques associated with the Orangeworm Attack Group, a group that frequently targets the healthcare industry.", "references": ["https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia", "https://www.infosecurity-magazine.com/news/healthcare-targeted-by-hacker/"], "narrative": "In May of 2018, the attack group Orangeworm was implicated for installing a custom backdoor called Trojan.Kwampirs within large international healthcare corporations in the United States, Europe, and Asia. This malware provides the attackers with remote access to the target system, decrypting and extracting a copy of its main DLL payload from its resource section. Before writing the payload to disk, it inserts a randomly generated string into the middle of the decrypted payload in an attempt to evade hash-based detections.\nAwareness of the Orangeworm group first surfaced in January, 2015. It has conducted targeted attacks against related industries, as well, such as pharmaceuticals and healthcare IT solution providers.\nHealthcare may be a promising target, because it is notoriously behind in technology, often using older operating systems and neglecting to patch computers. Even so, the group was able to evade detection for a full three years. Sources say that the malware spread quickly within the target networks, infecting computers used to control medical devices, such as MRI and X-ray machines.\nThis Analytic Story is designed to help you detect and investigate suspicious activities that may be indicative of an Orangeworm attack. One detection search looks for command-line arguments. Another monitors for uses of sc.exe, a non-essential Windows file that can manipulate Windows services. One of the investigative searches helps you get more information on web hosts that you suspect have been compromised.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}], "mitre_attack_tactics": ["Execution"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation"]}, "detection_names": ["ESCU - First time seen command line argument - Rule", "ESCU - First Time Seen Running Windows Service - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule"], "investigation_names": ["Get History Of Email Sources", "Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "First time seen command line argument", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Windows Command Shell"}]}, {"name": "First Time Seen Running Windows Service", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}]}, {"name": "Outlook RCE CVE-2024-21378", "author": "Michael Haag, Teoderick Contreras, Splunk", "date": "2024-03-20", "version": 1, "id": "d889fcf2-0265-4b44-b29f-4ec063c21880", "description": "CVE-2024-21378 exposes a critical vulnerability in Microsoft Outlook, allowing for authenticated remote code execution (RCE) through the manipulation of synced form objects. Discovered by NetSPI in 2023, this vulnerability capitalizes on the unchanged syncing capability of form objects, despite previous patches aimed at securing script code in custom forms. This technical blog delves into the discovery and weaponization of CVE-2024-21378, enhancing the Outlook penetration testing tool, Ruler, to exploit this flaw. A forthcoming pull request will provide a proof-of-concept code, aiding organizations in mitigating this security risk.", "references": ["https://www.netspi.com/blog/technical/red-team-operations/microsoft-outlook-remote-code-execution-cve-2024-21378/"], "narrative": "CVE-2024-21378 is a weakness in Microsoft Outlook that lets hackers execute code remotely if they can authenticate themselves. Researchers at NetSPI found this issue in 2023. The problem started with a technique from 2017 by Etienne Stalmans at SensePost, who found a way to run code using VBScript in Outlook forms. Microsoft tried to fix it by only allowing approved script code in custom forms, but they didn't fix the main issue, which is how these forms sync. To exploit this vulnerability, you need to know how Outlook forms sync, using something called MAPI, and how they use certain properties and attachments when they're set up for the first time. Hackers can mess with these properties and attachments to run their own code. They do this by tricking the form's setup process, changing registry keys and files to get past Outlook's security. To show how this could be done, researchers modified Ruler, a tool for testing Outlook's security. They changed it so it could sync a harmful form with the right properties to run a specific type of file, a COM compliant native DLL. This not only showed that CVE-2024-21378 could be exploited but also that it could affect a lot of companies since so many use Microsoft Outlook. The discovery and the way it was exploited remind us that we always need to be on the lookout for security risks and work hard to protect against them. The cybersecurity world is always watching for the next big threat that could put our digital world at risk. As companies rush to fix this issue, it's a reminder of how important it is to stay ahead of these threats.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}], "mitre_attack_tactics": ["Initial Access", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Exploitation"]}, "detection_names": ["ESCU - Windows InProcServer32 New Outlook Form - Rule", "ESCU - Windows New InProcServer32 Added - Rule", "ESCU - Windows Phishing Outlook Drop Dll In FORM Dir - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Teoderick Contreras, Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows InProcServer32 New Outlook Form", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows New InProcServer32 Added", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Phishing Outlook Drop Dll In FORM Dir", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}]}]}, {"name": "PaperCut MF NG Vulnerability", "author": "Michael Haag, Splunk", "date": "2023-05-15", "version": 1, "id": "2493d270-5665-4fb4-99c7-8f886f260676", "description": "The FBI has issued a joint advisory concerning the exploitation of a PaperCut MF/NG vulnerability (CVE-2023-27350) by malicious actors, which began in mid-April 2023 and has been ongoing. In early May 2023, a group identifying themselves as the Bl00dy Ransomware Gang targeted vulnerable PaperCut servers within the Education Facilities Subsector. The advisory provides information on detecting exploitation attempts and shares known indicators of compromise (IOCs) associated with the group's activities.", "references": ["https://www.cisa.gov/news-events/alerts/2023/05/11/cisa-and-fbi-release-joint-advisory-response-active-exploitation-papercut-vulnerability", "https://www.papercut.com/kb/Main/PO-1216-and-PO-1219", "https://www.horizon3.ai/papercut-cve-2023-27350-deep-dive-and-indicators-of-compromise/", "https://www.bleepingcomputer.com/news/security/hackers-actively-exploit-critical-rce-bug-in-papercut-servers/", "https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software"], "narrative": "PaperCut MF/NG versions 19 and older have reached their end-of-life, as documented on the End of Life Policy page. Customers using these older versions are advised to purchase an updated license online for PaperCut NG or through their PaperCut Partner for PaperCut MF. For users with a currently supported version (version 20 or later), they can upgrade to any maintenance release version they are licensed for. If upgrading to a security patch is not possible, there are alternative options to enhance security. Users can lock down network access to their server(s) by blocking all inbound traffic from external IPs to the web management port (port 9191 and 9192 by default) and blocking all inbound traffic to the web management portal on the firewall to the server. Additionally, users can apply \"Allow list\" restrictions under Options > Advanced > Security > Allowed site server IP addresses, setting this to only allow the IP addresses of verified Site Servers on their network.\nThe vulnerabilities CVE-2023-27350 and CVE-2023-27351 have CVSS scores of 9.8 (Critical) and 8.2 (High), respectively. PaperCut and its partner network have activated response teams to assist PaperCut MF and NG customers, with service desks available 24/7 via their support page. The security response team at PaperCut has been working with external security advisors to compile a list of unpatched PaperCut MF/NG servers that have ports open on the public internet. They have been proactively reaching out to potentially exposed customers since Wednesday afternoon (AEST) and are working around the clock through the weekend.\nThe exploit was first detected in the wild on April 18th, 2023, at 03:30 AEST / April 17th, 2023, at 17:30 UTC. The earliest signature of suspicious activity on a customer server potentially linked to this vulnerability dates back to April 14th, 2023, at 01:29 AEST / April 13th, 2023, at 15:29 UTC.\nApplying the security fixes should not have any negative impact. Users can follow their usual upgrade procedure to obtain the upgrade. Additional links on the -Check for updates- page (accessed through the Admin interface > About > Version info > Check for updates) allow customers to download fixes for previous major versions that are still supported (e.g., 20.1.7 and 21.2.11) as well as the current version available. PaperCut MF users are advised to follow their regular upgrade process and consult their PaperCut partner or reseller for assistance.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}], "mitre_attack_tactics": ["Persistence", "Execution", "Initial Access"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Delivery"]}, "detection_names": ["ESCU - PaperCut NG Suspicious Behavior Debug Log - Rule", "ESCU - Windows PaperCut NG Spawn Shell - Rule", "ESCU - PaperCut NG Remote Web Access Attempt - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "PaperCut NG Suspicious Behavior Debug Log", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Windows PaperCut NG Spawn Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "PaperCut NG Remote Web Access Attempt", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}]}, {"name": "PetitPotam NTLM Relay on Active Directory Certificate Services", "author": "Michael Haag, Mauricio Velazco, Splunk", "date": "2021-08-31", "version": 1, "id": "97aecafc-0a68-11ec-962f-acde48001122", "description": "PetitPotam (CVE-2021-36942,) is a vulnerablity identified in Microsofts EFSRPC Protocol that can allow an unauthenticated account to escalate privileges to domain administrator given the right circumstances.", "references": ["https://us-cert.cisa.gov/ncas/current-activity/2021/07/27/microsoft-releases-guidance-mitigating-petitpotam-ntlm-relay", "https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429", "https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf", "https://github.com/topotam/PetitPotam/", "https://github.com/gentilkiwi/mimikatz/releases/tag/2.2.0-20210723", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942", "https://attack.mitre.org/techniques/T1187/"], "narrative": "In June 2021, security researchers at SpecterOps released a blog post and white paper detailing several potential attack vectors against Active Directory Certificated Services (ADCS). ADCS is a Microsoft product that implements Public Key Infrastrucutre (PKI) functionality and can be used by organizations to provide and manage digital certiticates within Active Directory.\\ In July 2021, a security researcher released PetitPotam, a tool that allows attackers to coerce Windows systems into authenticating to arbitrary endpoints.\\ Combining PetitPotam with the identified ADCS attack vectors allows attackers to escalate privileges from an unauthenticated anonymous user to full domain admin privileges.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1187", "mitre_attack_technique": "Forced Authentication", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["DarkHydrus", "Dragonfly"]}], "mitre_attack_tactics": ["Credential Access"], "datamodels": [], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - PetitPotam Network Share Access Request - Rule", "ESCU - PetitPotam Suspicious Kerberos TGT Request - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Mauricio Velazco, Splunk", "author_name": "Michael Haag", "detections": [{"name": "PetitPotam Network Share Access Request", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Forced Authentication"}]}, {"name": "PetitPotam Suspicious Kerberos TGT Request", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "OS Credential Dumping"}]}]}, {"name": "Phemedrone Stealer", "author": "Teoderick Contreras, Splunk", "date": "2024-01-24", "version": 2, "id": "386f64dd-657b-4dcf-8eb3-5e297d30924c", "description": "Phemedrone Stealer is a potent data-stealing malware designed to infiltrate systems discreetly, primarily targeting sensitive user information. Operating with a stealthy modus operandi, it covertly collects and exfiltrates critical data such as login credentials, personal details, and financial information. Notably evasive, Phemedrone employs sophisticated techniques to bypass security measures and remain undetected. Its capabilities extend to exploiting vulnerabilities, leveraging command and control infrastructure, and facilitating remote access. As a formidable threat, Phemedrone Stealer poses a significant risk to user privacy and system integrity, demanding vigilant cybersecurity measures to counteract its malicious activities.", "references": ["https://www.trendmicro.com/en_vn/research/23/b/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows.html"], "narrative": "Phemedrone Stealer, spotlighted in a recent Trend Micro blog, unveils a concerning chapter in cyber threats. Leveraging the CVE-2023-36025 vulnerability for defense evasion, this malware exhibits a relentless pursuit of sensitive data. Originating from the shadows of the dark web, it capitalizes on forums where cybercriminals refine its evasive maneuvers. The blog sheds light on Phemedrone's exploitation of intricate tactics, illustrating its agility in sidestepping security protocols. As cybersecurity experts delve into the intricacies of CVE-2023-36025, the narrative surrounding Phemedrone Stealer underscores the urgency for heightened vigilance and proactive defense measures against this persistent and evolving digital adversary.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "Malteiro", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "APT41", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "Volt Typhoon", "ZIRCONIUM"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "APT41", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Malteiro", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1059.005", "mitre_attack_technique": "Visual Basic", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT33", "APT37", "APT38", "APT39", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Earth Lusca", "FIN13", "FIN4", "FIN7", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "Transparent Tribe", "Turla", "WIRTE", "Windshift"]}], "mitre_attack_tactics": ["Command And Control", "Discovery", "Privilege Escalation", "Credential Access", "Persistence", "Execution"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation", "Command and Control"]}, "detection_names": ["ESCU - Any Powershell DownloadFile - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - Download Files Using Telegram - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Suspicious Process DNS Query Known Abuse Web Services - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Credentials from Password Stores Chrome Extension Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule", "ESCU - Windows Gather Victim Network Info Through Ip Check Web Services - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Download Files Using Telegram", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Schtasks scheduling job on remote system", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Suspicious Process DNS Query Known Abuse Web Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Visual Basic"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Windows Credentials from Password Stores Chrome Extension Access", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Credentials from Password Stores Chrome LocalState Access", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Credentials from Password Stores Chrome Login Data Access", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Gather Victim Network Info Through Ip Check Web Services", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "IP Addresses"}, {"mitre_attack_technique": "Gather Victim Network Information"}]}]}, {"name": "PlugX", "author": "Teoderick Contreras, Splunk", "date": "2023-10-12", "version": 2, "id": "a2c94c99-b93b-4bc7-a749-e2198743d0d6", "description": "PlugX, also referred to as \"PlugX RAT\" or \"Kaba,\" is a highly sophisticated remote access Trojan (RAT) discovered in 2012. This malware is notorious for its involvement in targeted cyberattacks, primarily driven by cyber espionage objectives. PlugX provides attackers with comprehensive remote control capabilities over compromised systems, granting them the ability to execute commands, collect sensitive data, and manipulate the infected host.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.plugx", "https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/carderbee-software-supply-chain-certificate-abuse", "https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf", "https://www.mandiant.com/resources/blog/infected-usb-steal-secrets", "https://attack.mitre.org/software/S0013/"], "narrative": "PlugX, known as the \"silent infiltrator of the digital realm, is a shadowy figure in the world of cyber threats. This remote access Trojan (RAT), first unveiled in 2012, is not your run-of-the-mill malware. It's the go-to tool for sophisticated hackers with one goal in mind, espionage. PlugX's repertoire of capabilities reads like a spy thriller. It doesn't just breach your defenses; it goes a step further, slipping quietly into your systems, much like a ghost. Once inside, it opens the door to a world of possibilities for cybercriminals. With a few keystrokes, they can access your data, capture your screen, and silently watch your every move. In the hands of skilled hackers, it's a versatile instrument for cyber espionage. This malware thrives on persistence. It's not a one-time hit; it's in it for the long haul. Even if you reboot your system, PlugX remains, ensuring that its grip on your infrastructure doesn't waver.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "APT5", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "APT5", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT", "ToddyCat"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1134.002", "mitre_attack_technique": "Create Process with Token", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Lazarus Group", "Turla"]}, {"mitre_attack_id": "T1091", "mitre_attack_technique": "Replication Through Removable Media", "mitre_attack_tactics": ["Initial Access", "Lateral Movement"], "mitre_attack_groups": ["APT28", "Aoqin Dragon", "Darkhotel", "FIN7", "LuminousMoth", "Mustang Panda", "Tropic Trooper"]}, {"mitre_attack_id": "T1574.011", "mitre_attack_technique": "Services Registry Permissions Weakness", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Initial Access", "Discovery", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Lateral Movement"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation"]}, "detection_names": ["ESCU - Allow Inbound Traffic By Firewall Rule Registry - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Firewall Allowed Program Enable - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Office Application Drop Executable - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Document Spawned Child Process To Download - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious writes to windows Recycle Bin - Rule", "ESCU - Windows Access Token Manipulation SeDebugPrivilege - Rule", "ESCU - Windows Masquerading Msdtc Process - Rule", "ESCU - Windows Replication Through Removable Media - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule", "ESCU - Windows Service Deletion In Registry - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Allow Inbound Traffic By Firewall Rule Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Firewall Allowed Program Enable", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "Office Application Drop Executable", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Document Spawned Child Process To Download", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Suspicious writes to windows Recycle Bin", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Windows Access Token Manipulation SeDebugPrivilege", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Create Process with Token"}, {"mitre_attack_technique": "Access Token Manipulation"}]}, {"name": "Windows Masquerading Msdtc Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Windows Replication Through Removable Media", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Replication Through Removable Media"}]}, {"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Services Registry Permissions Weakness"}]}, {"name": "Windows Service Deletion In Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Service Stop"}]}]}, {"name": "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "author": "iDefense Cyber Espionage Team, iDefense", "date": "2020-01-22", "version": 1, "id": "988c59c5-0a1c-45b6-a555-0c62276e327e", "description": "Monitor your environment for suspicious behaviors that resemble the techniques employed by the MUDCARP threat group.", "references": ["https://www.infosecurity-magazine.com/news/scope-of-mudcarp-attacks-highlight-1/", "http://blog.amossys.fr/badflick-is-not-so-bad.html"], "narrative": "This story was created as a joint effort between iDefense and Splunk.\niDefense analysts have recently discovered a Windows executable file that, upon execution, spoofs a decryption tool and then drops a file that appears to be the custom-built javascript backdoor, \"Orz,\" which is associated with the threat actors known as MUDCARP (as well as \"temp.Periscope\" and \"Leviathan\"). The file is executed using Wscript.\nThe MUDCARP techniques include the use of the compressed-folders module from Microsoft, zipfldr.dll, with RouteTheCall export to run the malicious process or command. After a successful reboot, the malware is made persistent by a manipulating `[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]'help'='c:\\\\windows\\\\system32\\\\rundll32.exe c:\\\\windows\\\\system32\\\\zipfldr.dll,RouteTheCall c:\\\\programdata\\\\winapp.exe'`. Though this technique is not exclusive to MUDCARP, it has been spotted in the group's arsenal of advanced techniques seen in the wild.\nThis Analytic Story searches for evidence of tactics, techniques, and procedures (TTPs) that allow for the use of a endpoint detection-and-response (EDR) bypass technique to mask the true parent of a malicious process. It can also be set as a registry key for further sandbox evasion and to allow the malware to launch only after reboot.\nIf behavioral searches included in this story yield positive hits, iDefense recommends conducting IOC searches for the following:\n1. www.chemscalere[.]com\n1. chemscalere[.]com\n1. about.chemscalere[.]com\n1. autoconfig.chemscalere[.]com\n1. autodiscover.chemscalere[.]com\n1. catalog.chemscalere[.]com\n1. cpanel.chemscalere[.]com\n1. db.chemscalere[.]com\n1. ftp.chemscalere[.]com\n1. mail.chemscalere[.]com\n1. news.chemscalere[.]com\n1. update.chemscalere[.]com\n1. webmail.chemscalere[.]com\n1. www.candlelightparty[.]org\n1. candlelightparty[.]org\n1. newapp.freshasianews[.]com\nIn addition, iDefense also recommends that organizations review their environments for activity related to the following hashes:\n1. cd195ee448a3657b5c2c2d13e9c7a2e2\n1. b43ad826fe6928245d3c02b648296b43\n1. 889a9b52566448231f112a5ce9b5dfaf\n1. b8ec65dab97cdef3cd256cc4753f0c54\n1. 04d83cd3813698de28cfbba326d7647c", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}], "mitre_attack_tactics": ["Persistence", "Execution", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - First time seen command line argument - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Unusually Long Command Line - Rule", "ESCU - Unusually Long Command Line - MLTK - Rule"], "investigation_names": ["Get History Of Email Sources", "Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "iDefense", "author_name": "iDefense Cyber Espionage Team", "detections": [{"name": "First time seen command line argument", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Windows Command Shell"}]}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Unusually Long Command Line", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Unusually Long Command Line - MLTK", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Prestige Ransomware", "author": "Teoderick Contreras, Splunk", "date": "2022-11-30", "version": 1, "id": "8b8d8506-b931-450c-b794-f24184ca1deb", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Prestige Ransomware", "references": ["https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "narrative": "This story addresses Prestige ransomware. This ransomware payload seen by Microsoft Threat Intelligence Center(MSTIC) as a ransomware campaign targeting organization in the transportation and logistic industries in some countries. This ransomware campaign highlight the destructive attack to its target organization that directly supplies or transporting military and humanitarian services or assistance. MSTIC observed this ransomware has similarities in terms of its deployment techniques with CaddyWiper and HermeticWiper which is also known malware campaign impacted multiple targeted critical infrastructure organizations. This analytic story will provide techniques and analytics that may help SOC or security researchers to monitor this threat.", "tags": {"category": ["Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}, {"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1070.005", "mitre_attack_technique": "Network Share Connection Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Threat Group-3390"]}, {"mitre_attack_id": "T1003.003", "mitre_attack_technique": "NTDS", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "HAFNIUM", "Ke3chang", "LAPSUS$", "Mustang Panda", "Sandworm Team", "Scattered Spider", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1115", "mitre_attack_technique": "Clipboard Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT38", "APT39"]}, {"mitre_attack_id": "T1552.002", "mitre_attack_technique": "Credentials in Registry", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT32"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "APT5", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}, {"mitre_attack_id": "T1016.001", "mitre_attack_technique": "Internet Connection Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT29", "FIN13", "FIN8", "Gamaredon Group", "HAFNIUM", "HEXANE", "Magic Hound", "TA2541", "Turla"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1531", "mitre_attack_technique": "Account Access Removal", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Akira", "LAPSUS$"]}, {"mitre_attack_id": "T1202", "mitre_attack_technique": "Indirect Command Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "APT41", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "Volt Typhoon", "ZIRCONIUM"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "FIN7", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "ToddyCat", "Turla", "Volt Typhoon"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1082", "mitre_attack_technique": "System Information Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT19", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "Blue Mockingbird", "Chimera", "Confucius", "Darkhotel", "FIN13", "FIN8", "Gamaredon Group", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Malteiro", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Sowbug", "Stealth Falcon", "TA2541", "TeamTNT", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Windigo", "Windshift", "Wizard Spider", "ZIRCONIUM", "admin@338"]}, {"mitre_attack_id": "T1547.005", "mitre_attack_technique": "Security Support Provider", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "Malteiro", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1552.004", "mitre_attack_technique": "Private Keys", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Rocke", "Scattered Spider", "TeamTNT"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003.005", "mitre_attack_technique": "Cached Domain Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "Leafminer", "MuddyWater", "OilRig"]}, {"mitre_attack_id": "T1555.005", "mitre_attack_technique": "Password Managers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Fox Kitten", "LAPSUS$", "Threat Group-3390"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Reconnaissance", "Collection", "Discovery", "Credential Access", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Impact", "Lateral Movement"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Reconnaissance", "Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Change Default File Association - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Create or delete windows shares using net exe - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Domain Group Discovery With Net - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Excessive Usage Of Cacls App - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Connection Discovery With Net - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Network Discovery Using Route Windows App - Rule", "ESCU - Ntdsutil Export NTDS - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - WBAdmin Delete System Backups - Rule", "ESCU - Windows Cached Domain Credentials Reg Query - Rule", "ESCU - Windows Change Default File Association For No File Ext - Rule", "ESCU - Windows ClipBoard Data via Get-ClipBoard - Rule", "ESCU - Windows Credentials from Password Stores Query - Rule", "ESCU - Windows Credentials in Registry Reg Query - Rule", "ESCU - Windows Indirect Command Execution Via Series Of Forfiles - Rule", "ESCU - Windows Information Discovery Fsutil - Rule", "ESCU - Windows Modify Registry Reg Restore - Rule", "ESCU - Windows Password Managers Discovery - Rule", "ESCU - Windows Private Keys Discovery - Rule", "ESCU - Windows Query Registry Reg Save - Rule", "ESCU - Windows Security Support Provider Reg Query - Rule", "ESCU - Windows Service Stop Via Net and SC Application - Rule", "ESCU - Windows Steal or Forge Kerberos Tickets Klist - Rule", "ESCU - Windows System Network Config Discovery Display DNS - Rule", "ESCU - Windows System Network Connections Discovery Netsh - Rule", "ESCU - Windows System User Discovery Via Quser - Rule", "ESCU - Windows WMI Process And Service List - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Change Default File Association", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Change Default File Association"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Create or delete windows shares using net exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Network Share Connection Removal"}]}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Domain Group Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Excessive Usage Of Cacls App", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Account Access Removal"}]}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}, {"name": "Network Connection Discovery With Arp", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "Network Connection Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "Network Discovery Using Route Windows App", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Internet Connection Discovery"}]}, {"name": "Ntdsutil Export NTDS", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Gather Victim Host Information"}]}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Schtasks scheduling job on remote system", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "WBAdmin Delete System Backups", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Windows Cached Domain Credentials Reg Query", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cached Domain Credentials"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Windows Change Default File Association For No File Ext", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Change Default File Association"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Windows ClipBoard Data via Get-ClipBoard", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Clipboard Data"}]}, {"name": "Windows Credentials from Password Stores Query", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}]}, {"name": "Windows Credentials in Registry Reg Query", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials in Registry"}, {"mitre_attack_technique": "Unsecured Credentials"}]}, {"name": "Windows Indirect Command Execution Via Series Of Forfiles", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Indirect Command Execution"}]}, {"name": "Windows Information Discovery Fsutil", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Information Discovery"}]}, {"name": "Windows Modify Registry Reg Restore", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Password Managers Discovery", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Managers"}]}, {"name": "Windows Private Keys Discovery", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Private Keys"}, {"mitre_attack_technique": "Unsecured Credentials"}]}, {"name": "Windows Query Registry Reg Save", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Security Support Provider Reg Query", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Security Support Provider"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Windows Service Stop Via Net and SC Application", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Service Stop"}]}, {"name": "Windows Steal or Forge Kerberos Tickets Klist", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}, {"name": "Windows System Network Config Discovery Display DNS", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Network Configuration Discovery"}]}, {"name": "Windows System Network Connections Discovery Netsh", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "Windows System User Discovery Via Quser", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Owner/User Discovery"}]}, {"name": "Windows WMI Process And Service List", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Scheduled Task"}]}]}, {"name": "PrintNightmare CVE-2021-34527", "author": "Splunk Threat Research Team", "date": "2021-07-01", "version": 1, "id": "fd79470a-da88-11eb-b803-acde48001122", "description": "The following analytic story identifies behaviors related PrintNightmare, or CVE-2021-34527 previously known as (CVE-2021-1675), to gain privilege escalation on the vulnerable machine.", "references": ["https://github.com/cube0x0/CVE-2021-1675/", "https://blog.truesec.com/2021/06/30/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available/", "https://blog.truesec.com/2021/06/30/exploitable-critical-rce-vulnerability-allows-regular-users-to-fully-compromise-active-directory-printnightmare-cve-2021-1675/", "https://www.reddit.com/r/msp/comments/ob6y02/critical_vulnerability_printnightmare_exposes"], "narrative": "This vulnerability affects the Print Spooler service, enabled by default on Windows systems, and allows adversaries to trick this service into installing a remotely hosted print driver using a low privileged user account. Successful exploitation effectively allows adversaries to execute code in the target system (Remote Code Execution) in the context of the Print Spooler service which runs with the highest privileges (Privilege Escalation).\nThe prerequisites for successful exploitation consist of:\n1. Print Spooler service enabled on the target system\n1. Network connectivity to the target system (initial access has been obtained)\n1. Hash or password for a low privileged user ( or computer ) account.\nIn the most impactful scenario, an attacker would be able to leverage this vulnerability to obtain a SYSTEM shell on a domain controller and so escalate their privileges from a low privileged domain account to full domain access in the target environment as shown below.", "tags": {"category": ["Vulnerability"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1547.012", "mitre_attack_technique": "Print Processors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Persistence", "Privilege Escalation", "Defense Evasion"], "datamodels": ["Network_Traffic", "Endpoint"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - Print Spooler Adding A Printer Driver - Rule", "ESCU - Print Spooler Failed to Load a Plug-in - Rule", "ESCU - Rundll32 with no Command Line Arguments with Network - Rule", "ESCU - Spoolsv Spawning Rundll32 - Rule", "ESCU - Spoolsv Suspicious Loaded Modules - Rule", "ESCU - Spoolsv Suspicious Process Access - Rule", "ESCU - Spoolsv Writing a DLL - Rule", "ESCU - Spoolsv Writing a DLL - Sysmon - Rule", "ESCU - Suspicious Rundll32 no Command Line Arguments - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "no", "author_name": "Splunk Threat Research Team", "detections": [{"name": "Print Spooler Adding A Printer Driver", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Print Spooler Failed to Load a Plug-in", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Rundll32 with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Spoolsv Spawning Rundll32", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Spoolsv Suspicious Loaded Modules", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Spoolsv Suspicious Process Access", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}, {"name": "Spoolsv Writing a DLL", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Spoolsv Writing a DLL - Sysmon", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Suspicious Rundll32 no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}]}, {"name": "Prohibited Traffic Allowed or Protocol Mismatch", "author": "Rico Valdez, Splunk", "date": "2017-09-11", "version": 1, "id": "6d13121c-90f3-446d-8ac3-27efbbc65218", "description": "Detect instances of prohibited network traffic allowed in the environment, as well as protocols running on non-standard ports. Both of these types of behaviors typically violate policy and can be leveraged by attackers.", "references": ["http://www.novetta.com/2015/02/advanced-methods-to-detect-advanced-cyber-attacks-protocol-abuse/"], "narrative": "A traditional security best practice is to control the ports, protocols, and services allowed within your environment. By limiting the services and protocols to those explicitly approved by policy, administrators can minimize the attack surface. The combined effect allows both network defenders and security controls to focus and not be mired in superfluous traffic or data types. Looking for deviations to policy can identify attacker activity that abuses services and protocols to run on alternate or non-standard ports in the attempt to avoid detection or frustrate forensic analysts.", "tags": {"category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "APT5", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "Mustard Tempest", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}], "mitre_attack_tactics": ["Initial Access", "Exfiltration", "Lateral Movement"], "datamodels": ["Network_Traffic", "Endpoint", "Network_Resolution"], "kill_chain_phases": ["Delivery", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Allow Inbound Traffic By Firewall Rule Registry - Rule", "ESCU - Allow Inbound Traffic In Firewall Rule - Rule", "ESCU - Enable RDP In Other Port Number - Rule", "ESCU - Detect hosts connecting to dynamic domain providers - Rule", "ESCU - Prohibited Network Traffic Allowed - Rule", "ESCU - Protocol or Port Mismatch - Rule", "ESCU - TOR Traffic - Rule"], "investigation_names": ["Get DNS Server History for a host", "Get Notable History", "Get Parent Process Info", "Get Process Info", "Get Process Information For Port Activity"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Allow Inbound Traffic By Firewall Rule Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "Allow Inbound Traffic In Firewall Rule", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "Enable RDP In Other Port Number", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}]}, {"name": "Detect hosts connecting to dynamic domain providers", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Drive-by Compromise"}]}, {"name": "Prohibited Network Traffic Allowed", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}, {"name": "Protocol or Port Mismatch", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}, {"name": "TOR Traffic", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Multi-hop Proxy"}]}]}, {"name": "ProxyNotShell", "author": "Michael Haag, Splunk", "date": "2022-09-30", "version": 1, "id": "4e3f17e7-9ed7-425d-a05e-b65464945836", "description": "Two new zero day Microsoft Exchange vulnerabilities have been identified actively exploited in the wild - CVE-2022-41040 and CVE-2022-41082.", "references": ["https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/", "https://twitter.com/GossiTheDog/status/1575762721353916417?s=20&t=67gq9xCWuyPm1VEm8ydfyA", "https://twitter.com/cglyer/status/1575793769814728705?s=20&t=67gq9xCWuyPm1VEm8ydfyA", "https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html", "https://research.splunk.com/stories/proxyshell/", "https://www.inversecos.com/2022/07/hunting-for-apt-abuse-of-exchange.html"], "narrative": "Microsoft is investigating two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, 2016, and 2019. The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker. Originally identified by GTSC monitoring Exchange, some adversary post-exploitation activity was identified and is tagged to this story.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "APT5", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}], "mitre_attack_tactics": ["Persistence", "Execution", "Command And Control", "Initial Access"], "datamodels": ["Risk", "Endpoint"], "kill_chain_phases": ["Installation", "Delivery", "Command and Control"]}, "detection_names": ["ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Detect Exchange Web Shell - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Exchange PowerShell Abuse via SSRF - Rule", "ESCU - Exchange PowerShell Module Usage - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows MSExchange Management Mailbox Cmdlet Usage - Rule", "ESCU - ProxyShell ProxyNotShell Behavior Detected - Rule", "ESCU - Windows Exchange Autodiscover SSRF Abuse - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Detect Exchange Web Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}, {"name": "Exchange PowerShell Abuse via SSRF", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Exchange PowerShell Module Usage", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}, {"name": "Windows MSExchange Management Mailbox Cmdlet Usage", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "ProxyShell ProxyNotShell Behavior Detected", "source": "web", "type": "Correlation", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Windows Exchange Autodiscover SSRF Abuse", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}]}, {"name": "ProxyShell", "author": "Michael Haag, Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2021-08-24", "version": 1, "id": "413bb68e-04e2-11ec-a835-acde48001122", "description": "ProxyShell is a chain of exploits targeting on-premise Microsoft Exchange Server - CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.", "references": ["https://y4y.space/2021/08/12/my-steps-of-reproducing-proxyshell/", "https://www.zerodayinitiative.com/blog/2021/8/17/from-pwn2own-2021-a-new-attack-surface-on-microsoft-exchange-proxyshell", "https://www.youtube.com/watch?v=FC6iHw258RI", "https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit#what-should-you-do", "https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-ProxyLogon-Is-Just-The-Tip-Of-The-Iceberg-A-New-Attack-Surface-On-Microsoft-Exchange-Server.pdf", "https://www.inversecos.com/2022/07/hunting-for-apt-abuse-of-exchange.html"], "narrative": "During Pwn2Own April 2021, a security researcher demonstrated an attack chain targeting on-premise Microsoft Exchange Server. August 5th, the same researcher publicly released further details and demonstrated the attack chain. CVE-2021-34473 Pre-auth path confusion leads to ACL Bypass (Patched in April by KB5001779) CVE-2021-34523 - Elevation of privilege on Exchange PowerShell backend (Patched in April by KB5001779) . CVE-2021-31207 - Post-auth Arbitrary-File-Write leads to RCE (Patched in May by KB5003435) Upon successful exploitation, the remote attacker will have SYSTEM privileges on the Exchange Server. In addition to remote access/execution, the adversary may be able to run Exchange PowerShell Cmdlets to perform further actions.", "tags": {"category": ["Adversary Tactics", "Ransomware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "APT5", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}], "mitre_attack_tactics": ["Persistence", "Execution", "Initial Access"], "datamodels": ["Risk", "Endpoint"], "kill_chain_phases": ["Installation", "Delivery"]}, "detection_names": ["ESCU - Detect Exchange Web Shell - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Exchange PowerShell Abuse via SSRF - Rule", "ESCU - Exchange PowerShell Module Usage - Rule", "ESCU - MS Exchange Mailbox Replication service writing Active Server Pages - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows MSExchange Management Mailbox Cmdlet Usage - Rule", "ESCU - ProxyShell ProxyNotShell Behavior Detected - Rule", "ESCU - Windows Exchange Autodiscover SSRF Abuse - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Teoderick Contreras, Mauricio Velazco, Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Exchange Web Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}, {"name": "Exchange PowerShell Abuse via SSRF", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Exchange PowerShell Module Usage", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "MS Exchange Mailbox Replication service writing Active Server Pages", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}, {"name": "Windows MSExchange Management Mailbox Cmdlet Usage", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "ProxyShell ProxyNotShell Behavior Detected", "source": "web", "type": "Correlation", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Windows Exchange Autodiscover SSRF Abuse", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}]}, {"name": "Qakbot", "author": "Teoderick Contreras, Splunk", "date": "2022-11-14", "version": 2, "id": "0c6169b1-f126-4d86-8e4f-f7891007ebc6", "description": "QakBot is a modular banking trojan that has been used primarily by financially-motivated actors since at least 2007. QakBot is continuously maintained and developed and has evolved from an information stealer into a delivery agent for ransomware (ref. MITRE ATT&CK).", "references": ["https://www.cisa.gov/sites/default/files/publications/202010221030_QakBot%20TLPWHITE.pdf", "https://malpedia.caad.fkie.fraunhofer.de/details/win.QakBot", "https://securelist.com/QakBot-technical-analysis/103931/", "https://www.fortinet.com/blog/threat-research/new-variant-of-QakBot-spread-by-phishing-emails", "https://attack.mitre.org/software/S0650/", "https://cybersecurity.att.com/blogs/labs-research/the-rise-of-qakbot"], "narrative": "QakBot notably has made its way on the CISA top malware list for 2021. QakBot for years has been under continious improvement when it comes to initial access, injection and post-exploitation. Multiple adversaries use QakBot to gain initial access and persist, most notably TA551. The actor(s) behind QakBot possess a modular framework consisting of maldoc builders, signed loaders, and DLLs that produce initially low detection rates at the beginning of the attack, which creates opportunities to deliver additional malware such as Egregor and Cobalt Strike. (ref. Cybersecurity ATT) The more recent campaigns utilize HTML smuggling to deliver a ISO container that has a LNK and QakBot payload. QakBot will either load via regsvr32.exe directly, it will attempt to perform DLL sideloading.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Cinnamon Tempest", "Earth Lusca", "FIN13", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1218.007", "mitre_attack_technique": "Msiexec", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Machete", "Molerats", "Rancor", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "APT5", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Akira", "Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1055.001", "mitre_attack_technique": "Dynamic-link Library Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["BackdoorDiplomacy", "Lazarus Group", "Leviathan", "Malteiro", "Putter Panda", "TA505", "Tropic Trooper", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1016.001", "mitre_attack_technique": "Internet Connection Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT29", "FIN13", "FIN8", "Gamaredon Group", "HAFNIUM", "HEXANE", "Magic Hound", "TA2541", "Turla"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1055.002", "mitre_attack_technique": "Portable Executable Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Gorgon Group", "Rocke"]}, {"mitre_attack_id": "T1059.007", "mitre_attack_technique": "JavaScript", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "Cobalt Group", "Earth Lusca", "Ember Bear", "Evilnum", "FIN6", "FIN7", "Higaisa", "Indrik Spider", "Kimsuky", "LazyScripter", "Leafminer", "Molerats", "MoustachedBouncer", "MuddyWater", "Sidewinder", "Silence", "TA505", "Turla"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566.002", "mitre_attack_technique": "Spearphishing Link", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Magic Hound", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1574.001", "mitre_attack_technique": "DLL Search Order Hijacking", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT41", "Aquatic Panda", "BackdoorDiplomacy", "Cinnamon Tempest", "Evilnum", "RTM", "Threat Group-3390", "Tonto Team", "Whitefly", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1204.001", "mitre_attack_technique": "Malicious Link", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Reconnaissance", "Command And Control", "Initial Access", "Discovery", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Impact"], "datamodels": ["Risk", "Endpoint"], "kill_chain_phases": ["Reconnaissance", "Delivery", "Exploitation", "Actions on Objectives", "Installation", "Command and Control"]}, "detection_names": ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Create Remote Thread In Shell Application - Rule", "ESCU - Disable Defender Spynet Reporting - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Network Discovery Using Route Windows App - Rule", "ESCU - NLTest Domain Trust Discovery - Rule", "ESCU - Office Application Spawn Regsvr32 process - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Process Creating LNK file in Suspicious Location - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Services LOLBAS Execution Process Spawn - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Regsvr32 Register Suspicious Path - Rule", "ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - System User Discovery With Whoami - Rule", "ESCU - Wermgr Process Spawned CMD Or Powershell Process - Rule", "ESCU - Windows App Layer Protocol Qakbot NamedPipe - Rule", "ESCU - Windows App Layer Protocol Wermgr Connect To NamedPipe - Rule", "ESCU - Windows Command Shell Fetch Env Variables - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows Defender Exclusion Registry Entry - Rule", "ESCU - Windows DLL Search Order Hijacking Hunt with Sysmon - Rule", "ESCU - Windows DLL Side-Loading In Calc - Rule", "ESCU - Windows DLL Side-Loading Process Child Of Calc - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Masquerading Explorer As Child Process - Rule", "ESCU - Windows Modify Registry Qakbot Binary Data Registry - Rule", "ESCU - Windows MsiExec HideWindow Rundll32 Execution - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule", "ESCU - Windows Process Injection In Non-Service SearchIndexer - Rule", "ESCU - Windows Process Injection Of Wermgr to Known Browser - Rule", "ESCU - Windows Process Injection Remote Thread - Rule", "ESCU - Windows Process Injection Wermgr Child Process - Rule", "ESCU - Windows Regsvr32 Renamed Binary - Rule", "ESCU - Windows Schtasks Create Run As System - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows System Discovery Using ldap Nslookup - Rule", "ESCU - Windows System Discovery Using Qwinsta - Rule", "ESCU - Windows WMI Impersonate Token - Rule", "ESCU - Windows WMI Process Call Create - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}, {"name": "Create Remote Thread In Shell Application", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Disable Defender Spynet Reporting", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}, {"name": "Network Connection Discovery With Arp", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "Network Discovery Using Route Windows App", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Internet Connection Discovery"}]}, {"name": "NLTest Domain Trust Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Trust Discovery"}]}, {"name": "Office Application Spawn Regsvr32 process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Process Creating LNK file in Suspicious Location", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Link"}]}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Gather Victim Host Information"}]}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Gather Victim Host Information"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Schtasks Run Task On Demand", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Services LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Suspicious Copy on System32", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "Masquerading"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Suspicious Regsvr32 Register Suspicious Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}, {"name": "System Processes Run From Unexpected Locations", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}, {"name": "System User Discovery With Whoami", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Owner/User Discovery"}]}, {"name": "Wermgr Process Spawned CMD Or Powershell Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows App Layer Protocol Qakbot NamedPipe", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Application Layer Protocol"}]}, {"name": "Windows App Layer Protocol Wermgr Connect To NamedPipe", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Application Layer Protocol"}]}, {"name": "Windows Command Shell Fetch Env Variables", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "System Network Connections Discovery"}, {"mitre_attack_technique": "System Owner/User Discovery"}, {"mitre_attack_technique": "System Shutdown/Reboot"}, {"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows Defender Exclusion Registry Entry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows DLL Search Order Hijacking Hunt with Sysmon", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "DLL Search Order Hijacking"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "Windows DLL Side-Loading In Calc", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "Windows DLL Side-Loading Process Child Of Calc", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Malicious Link"}, {"mitre_attack_technique": "User Execution"}]}, {"name": "Windows Masquerading Explorer As Child Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "Windows Modify Registry Qakbot Binary Data Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows MsiExec HideWindow Rundll32 Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Msiexec"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}, {"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}, {"name": "Windows Process Injection In Non-Service SearchIndexer", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Windows Process Injection Of Wermgr to Known Browser", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Dynamic-link Library Injection"}, {"mitre_attack_technique": "Process Injection"}]}, {"name": "Windows Process Injection Remote Thread", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Portable Executable Injection"}]}, {"name": "Windows Process Injection Wermgr Child Process", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Windows Regsvr32 Renamed Binary", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Regsvr32"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}, {"name": "Windows Schtasks Create Run As System", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Windows System Discovery Using ldap Nslookup", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Owner/User Discovery"}]}, {"name": "Windows System Discovery Using Qwinsta", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Owner/User Discovery"}]}, {"name": "Windows WMI Impersonate Token", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "Windows WMI Process Call Create", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Scheduled Task"}]}]}, {"name": "Ransomware", "author": "David Dorsey, Splunk", "date": "2020-02-04", "version": 1, "id": "cf309d0d-d4aa-4fbb-963d-1e79febd3756", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to ransomware--spikes in SMB traffic, suspicious wevtutil usage, the presence of common ransomware extensions, and system processes run from unexpected locations, and many others.", "references": ["https://web.archive.org/web/20190826231258/https://www.carbonblack.com/2017/06/28/carbon-black-threat-research-technical-analysis-petya-notpetya-ransomware/", "https://www.splunk.com/blog/2017/06/27/closing-the-detection-to-mitigation-gap-or-to-petya-or-notpetya-whocares-.html"], "narrative": "Ransomware is an ever-present risk to the enterprise, wherein an infected host encrypts business-critical data, holding it hostage until the victim pays the attacker a ransom. There are many types and varieties of ransomware that can affect an enterprise. Attackers can deploy ransomware to enterprises through spearphishing campaigns and driveby downloads, as well as through traditional remote service-based exploitation. In the case of the WannaCry campaign, there was self-propagating wormable functionality that was used to maximize infection. Fortunately, organizations can apply several techniques--such as those in this Analytic Story--to detect and or mitigate the effects of ransomware.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.007", "mitre_attack_technique": "Disable or Modify Cloud Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "APT5", "Akira", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN13", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1020", "mitre_attack_technique": "Automated Exfiltration", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["Gamaredon Group", "Ke3chang", "Sidewinder", "Tropic Trooper"]}, {"mitre_attack_id": "T1219", "mitre_attack_technique": "Remote Access Software", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Akira", "Carbanak", "Cobalt Group", "DarkVishnya", "Evilnum", "FIN7", "GOLD SOUTHFIELD", "Kimsuky", "MuddyWater", "Mustang Panda", "RTM", "Sandworm Team", "Scattered Spider", "TeamTNT", "Thrip"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}, {"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Cinnamon Tempest", "Earth Lusca", "FIN13", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1218.003", "mitre_attack_technique": "CMSTP", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group", "MuddyWater"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.005", "mitre_attack_technique": "Visual Basic", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT33", "APT37", "APT38", "APT39", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Earth Lusca", "FIN13", "FIN4", "FIN7", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "Transparent Tribe", "Turla", "WIRTE", "Windshift"]}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "APT5", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1588.002", "mitre_attack_technique": "Tool", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT19", "APT28", "APT29", "APT32", "APT33", "APT38", "APT39", "APT41", "Aoqin Dragon", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Carbanak", "Chimera", "Cinnamon Tempest", "Cleaver", "Cobalt Group", "CopyKittens", "DarkHydrus", "DarkVishnya", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN5", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "GALLIUM", "Gorgon Group", "HEXANE", "Inception", "IndigoZebra", "Ke3chang", "Kimsuky", "LAPSUS$", "Lazarus Group", "Leafminer", "LuminousMoth", "Magic Hound", "Metador", "Moses Staff", "MuddyWater", "POLONIUM", "Patchwork", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "TA2541", "TA505", "Threat Group-3390", "Thrip", "Turla", "Volt Typhoon", "WIRTE", "Whitefly", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "Cinnamon Tempest", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "MoustachedBouncer", "POLONIUM", "Sandworm Team", "Turla", "Volt Typhoon", "Windigo"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Akira", "Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1027.005", "mitre_attack_technique": "Indicator Removal from Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT3", "Deep Panda", "GALLIUM", "OilRig", "Patchwork", "Turla"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1531", "mitre_attack_technique": "Account Access Removal", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Akira", "LAPSUS$"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "FIN7", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "ToddyCat", "Turla", "Volt Typhoon"]}, {"mitre_attack_id": "T1491", "mitre_attack_technique": "Defacement", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT41", "BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Scattered Spider", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT41", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1546.015", "mitre_attack_technique": "Component Object Model Hijacking", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1090.003", "mitre_attack_technique": "Multi-hop Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT28", "APT29", "FIN4", "Inception", "Leviathan"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1070.001", "mitre_attack_technique": "Clear Windows Event Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "APT38", "APT41", "Chimera", "Dragonfly", "FIN5", "FIN8", "Indrik Spider"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218.007", "mitre_attack_technique": "Msiexec", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Machete", "Molerats", "Rancor", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "Akira", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "Scattered Spider", "TA505"]}], "mitre_attack_tactics": ["Reconnaissance", "Command And Control", "Exfiltration", "Collection", "Initial Access", "Discovery", "Resource Development", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Impact", "Lateral Movement"], "datamodels": ["Network_Traffic", "Network_Resolution", "Endpoint", "Change"], "kill_chain_phases": ["Reconnaissance", "Delivery", "Exploitation", "Actions on Objectives", "Installation", "Weaponization", "Command and Control"]}, "detection_names": ["ESCU - Scheduled tasks used in BadRabbit ransomware - Rule", "ESCU - 7zip CommandLine To SMB Share Path - Rule", "ESCU - Allow File And Printing Sharing In Firewall - Rule", "ESCU - Allow Network Discovery In Firewall - Rule", "ESCU - Allow Operation with Consent Admin - Rule", "ESCU - BCDEdit Failure Recovery Modification - Rule", "ESCU - Clear Unallocated Sector Using Cipher App - Rule", "ESCU - CMLUA Or CMSTPLUA UAC Bypass - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Conti Common Exec parameter - Rule", "ESCU - Delete ShadowCopy With PowerShell - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Detect RClone Command-Line Usage - Rule", "ESCU - Detect Remote Access Software Usage File - Rule", "ESCU - Detect Remote Access Software Usage FileInfo - Rule", "ESCU - Detect Remote Access Software Usage Process - Rule", "ESCU - Detect Renamed RClone - Rule", "ESCU - Detect SharpHound Command-Line Arguments - Rule", "ESCU - Detect SharpHound File Modifications - Rule", "ESCU - Detect SharpHound Usage - Rule", "ESCU - Disable AMSI Through Registry - Rule", "ESCU - Disable ETW Through Registry - Rule", "ESCU - Disable Logs Using WevtUtil - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Excessive Service Stop Attempt - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Excessive Usage Of SC Service Utility - Rule", "ESCU - Execute Javascript With Jscript COM CLSID - Rule", "ESCU - Fsutil Zeroing File - Rule", "ESCU - ICACLS Grant Command - Rule", "ESCU - Known Services Killed by Ransomware - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - MS Exchange Mailbox Replication service writing Active Server Pages - Rule", "ESCU - Msmpeng Application DLL Side Loading - Rule", "ESCU - Permission Modification using Takeown App - Rule", "ESCU - Powershell Disable Security Monitoring - Rule", "ESCU - Powershell Enable SMB1Protocol Feature - Rule", "ESCU - Powershell Execute COM Object - Rule", "ESCU - Prevent Automatic Repair Mode using Bcdedit - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Recursive Delete of Directory In Batch CMD - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Remote Process Instantiation via WMI - Rule", "ESCU - Revil Common Exec Parameter - Rule", "ESCU - Revil Registry Entry - Rule", "ESCU - Rundll32 LockWorkStation - Rule", "ESCU - Schtasks used for forcing a reboot - Rule", "ESCU - Spike in File Writes - Rule", "ESCU - Suspicious Event Log Service Behavior - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Suspicious wevtutil Usage - Rule", "ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - UAC Bypass With Colorui COM Object - Rule", "ESCU - Uninstall App Using MsiExec - Rule", "ESCU - Unusually Long Command Line - Rule", "ESCU - Unusually Long Command Line - MLTK - Rule", "ESCU - USN Journal Deletion - Rule", "ESCU - WBAdmin Delete System Backups - Rule", "ESCU - Wbemprox COM Object Execution - Rule", "ESCU - Windows Disable Change Password Through Registry - Rule", "ESCU - Windows Disable Lock Workstation Feature Through Registry - Rule", "ESCU - Windows Disable LogOff Button Through Registry - Rule", "ESCU - Windows Disable Memory Crash Dump - Rule", "ESCU - Windows Disable Shutdown Button Through Registry - Rule", "ESCU - Windows Disable Windows Group Policy Features Through Registry - Rule", "ESCU - Windows DiskCryptor Usage - Rule", "ESCU - Windows DotNet Binary in Non Standard Path - Rule", "ESCU - Windows Event Log Cleared - Rule", "ESCU - Windows Hide Notification Features Through Registry - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows NirSoft AdvancedRun - Rule", "ESCU - Windows Raccine Scheduled Task Deletion - Rule", "ESCU - Windows Registry Modification for Safe Mode Persistence - Rule", "ESCU - Windows Remote Access Software Hunt - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - Detect Remote Access Software Usage DNS - Rule", "ESCU - Detect Remote Access Software Usage Traffic - Rule", "ESCU - Prohibited Network Traffic Allowed - Rule", "ESCU - SMB Traffic Spike - Rule", "ESCU - SMB Traffic Spike - MLTK - Rule", "ESCU - TOR Traffic - Rule", "ESCU - Detect Remote Access Software Usage URL - Rule"], "investigation_names": ["Get Backup Logs For Endpoint", "Get History Of Email Sources", "Get Notable History", "Get Parent Process Info", "Get Process Info", "Get Process Information For Port Activity", "Get Sysmon WMI Activity for Host"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Scheduled tasks used in BadRabbit ransomware", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}]}, {"name": "7zip CommandLine To SMB Share Path", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}, {"name": "Allow File And Printing Sharing In Firewall", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Cloud Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Allow Network Discovery In Firewall", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Cloud Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Allow Operation with Consent Admin", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "BCDEdit Failure Recovery Modification", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Clear Unallocated Sector Using Cipher App", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "CMLUA Or CMSTPLUA UAC Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "CMSTP"}]}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Conti Common Exec parameter", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Delete ShadowCopy With PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Detect RClone Command-Line Usage", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Automated Exfiltration"}]}, {"name": "Detect Remote Access Software Usage File", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}, {"name": "Detect Remote Access Software Usage FileInfo", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}, {"name": "Detect Remote Access Software Usage Process", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}, {"name": "Detect Renamed RClone", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Automated Exfiltration"}]}, {"name": "Detect SharpHound Command-Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Local Groups"}, {"mitre_attack_technique": "Domain Trust Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Groups"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}, {"name": "Detect SharpHound File Modifications", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Local Groups"}, {"mitre_attack_technique": "Domain Trust Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Groups"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}, {"name": "Detect SharpHound Usage", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Local Groups"}, {"mitre_attack_technique": "Domain Trust Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Groups"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}, {"name": "Disable AMSI Through Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable ETW Through Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Logs Using WevtUtil", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear Windows Event Logs"}]}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Excessive Service Stop Attempt", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Service Stop"}]}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Account Access Removal"}]}, {"name": "Excessive Usage Of SC Service Utility", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Execute Javascript With Jscript COM CLSID", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Visual Basic"}]}, {"name": "Fsutil Zeroing File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}]}, {"name": "ICACLS Grant Command", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}, {"name": "Known Services Killed by Ransomware", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Defacement"}]}, {"name": "MS Exchange Mailbox Replication service writing Active Server Pages", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Msmpeng Application DLL Side Loading", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "Permission Modification using Takeown App", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}, {"name": "Powershell Disable Security Monitoring", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Powershell Enable SMB1Protocol Feature", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "Indicator Removal from Tools"}]}, {"name": "Powershell Execute COM Object", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Component Object Model Hijacking"}, {"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Prevent Automatic Repair Mode using Bcdedit", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Gather Victim Host Information"}]}, {"name": "Recursive Delete of Directory In Batch CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Remote Process Instantiation via WMI", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "Revil Common Exec Parameter", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Revil Registry Entry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Rundll32 LockWorkStation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Schtasks used for forcing a reboot", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Spike in File Writes", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Suspicious Event Log Service Behavior", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear Windows Event Logs"}]}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Suspicious wevtutil Usage", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Clear Windows Event Logs"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "System Processes Run From Unexpected Locations", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}, {"name": "UAC Bypass With Colorui COM Object", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "CMSTP"}]}, {"name": "Uninstall App Using MsiExec", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Msiexec"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}, {"name": "Unusually Long Command Line", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Unusually Long Command Line - MLTK", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "USN Journal Deletion", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}]}, {"name": "WBAdmin Delete System Backups", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Wbemprox COM Object Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "CMSTP"}]}, {"name": "Windows Disable Change Password Through Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Disable Lock Workstation Feature Through Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Disable LogOff Button Through Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Disable Memory Crash Dump", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Windows Disable Shutdown Button Through Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Disable Windows Group Policy Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows DiskCryptor Usage", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}, {"name": "Windows DotNet Binary in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}, {"name": "Windows Event Log Cleared", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear Windows Event Logs"}]}, {"name": "Windows Hide Notification Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}, {"name": "Windows NirSoft AdvancedRun", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Tool"}]}, {"name": "Windows Raccine Scheduled Task Deletion", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}]}, {"name": "Windows Registry Modification for Safe Mode Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Windows Remote Access Software Hunt", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Detect Remote Access Software Usage DNS", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}, {"name": "Detect Remote Access Software Usage Traffic", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}, {"name": "Prohibited Network Traffic Allowed", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}, {"name": "SMB Traffic Spike", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "SMB Traffic Spike - MLTK", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "TOR Traffic", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Multi-hop Proxy"}]}, {"name": "Detect Remote Access Software Usage URL", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Access Software"}]}]}, {"name": "Ransomware Cloud", "author": "Rod Soto, David Dorsey, Splunk", "date": "2020-10-27", "version": 1, "id": "f52f6c43-05f8-4b19-a9d3-5b8c56da91c2", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to ransomware. These searches include cloud related objects that may be targeted by malicious actors via cloud providers own encryption features.", "references": ["https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/", "https://github.com/d1vious/git-wild-hunt", "https://www.youtube.com/watch?v=PgzNib37g0M"], "narrative": "Ransomware is an ever-present risk to the enterprise, wherein an infected host encrypts business-critical data, holding it hostage until the victim pays the attacker a ransom. There are many types and varieties of ransomware that can affect an enterprise.Cloud ransomware can be deployed by obtaining high privilege credentials from targeted users or resources.", "tags": {"category": ["Malware"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "Akira", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "Scattered Spider", "TA505"]}], "mitre_attack_tactics": ["Impact"], "datamodels": [], "kill_chain_phases": ["Actions on Objectives"]}, "detection_names": ["ESCU - AWS Detect Users creating keys with encrypt policy without MFA - Rule", "ESCU - AWS Detect Users with KMS keys performing encryption S3 - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "David Dorsey, Splunk", "author_name": "Rod Soto", "detections": [{"name": "AWS Detect Users creating keys with encrypt policy without MFA", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}, {"name": "AWS Detect Users with KMS keys performing encryption S3", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}]}, {"name": "RedLine Stealer", "author": "Teoderick Contreras, Splunk", "date": "2023-04-24", "version": 1, "id": "12e31e8b-671b-4d6e-b362-a682812a71eb", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Redline Stealer trojan, including looking for file writes associated with its payload, screencapture, registry modification, persistence and data collection..", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer", "https://blogs.blackberry.com/en/2021/10/threat-thursday-redline-infostealer-update"], "narrative": "RedLine Stealer is a malware available on underground forum and subscription basis that are compiled or written in C#. This malware is capable of harvesting sensitive information from browsers such as saved credentials, auto file data, browser cookies and credit card information. It also gathers system information of the targeted or compromised host like username, location IP, RAM size available, hardware configuration and software installed. The current version of this malware contains features to steal wallet and crypto currency information.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "Malteiro", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "APT41", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "Volt Typhoon", "ZIRCONIUM"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "APT41", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Malteiro", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}], "mitre_attack_tactics": ["Discovery", "Privilege Escalation", "Credential Access", "Persistence", "Execution", "Defense Evasion"], "datamodels": ["Updates", "Endpoint"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Disabling Defender Services - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Boot or Logon Autostart Execution In Startup Folder - Rule", "ESCU - Windows Credentials from Password Stores Chrome Extension Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows Event For Service Disabled - Rule", "ESCU - Windows Modify Registry Auto Minor Updates - Rule", "ESCU - Windows Modify Registry Auto Update Notif - Rule", "ESCU - Windows Modify Registry Disable WinDefender Notifications - Rule", "ESCU - Windows Modify Registry Do Not Connect To Win Update - Rule", "ESCU - Windows Modify Registry No Auto Reboot With Logon User - Rule", "ESCU - Windows Modify Registry No Auto Update - Rule", "ESCU - Windows Modify Registry Tamper Protection - Rule", "ESCU - Windows Modify Registry UpdateServiceUrlAlternate - Rule", "ESCU - Windows Modify Registry USeWuServer - Rule", "ESCU - Windows Modify Registry WuServer - Rule", "ESCU - Windows Modify Registry wuStatusServer - Rule", "ESCU - Windows Query Registry Browser List Application - Rule", "ESCU - Windows Query Registry UnInstall Program List - Rule", "ESCU - Windows Scheduled Task with Highest Privileges - Rule", "ESCU - Windows Service Stop Win Updates - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disabling Defender Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Schtasks scheduling job on remote system", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Windows Boot or Logon Autostart Execution In Startup Folder", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Windows Credentials from Password Stores Chrome Extension Access", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Credentials from Password Stores Chrome LocalState Access", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Credentials from Password Stores Chrome Login Data Access", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Event For Service Disabled", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Modify Registry Auto Minor Updates", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry Auto Update Notif", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry Disable WinDefender Notifications", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry Do Not Connect To Win Update", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry No Auto Reboot With Logon User", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry No Auto Update", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry Tamper Protection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry UpdateServiceUrlAlternate", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry USeWuServer", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry WuServer", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Registry wuStatusServer", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Query Registry Browser List Application", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Query Registry UnInstall Program List", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Scheduled Task with Highest Privileges", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}, {"name": "Windows Service Stop Win Updates", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Service Stop"}]}]}, {"name": "Remcos", "author": "Teoderick Contreras, Splunk", "date": "2021-09-23", "version": 1, "id": "2bd4aa08-b9a5-40cf-bfe5-7d43f13d496c", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Remcos RAT trojan, including looking for file writes associated with its payload, screencapture, registry modification, UAC bypassed, persistence and data collection..", "references": ["https://success.trendmicro.com/solution/1123281-remcos-malware-information", "https://attack.mitre.org/software/S0332/", "https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos#:~:text=Remcos%20(acronym%20of%20Remote%20Control,used%20to%20remotely%20control%20computers.&text=Remcos%20can%20be%20used%20for,been%20used%20in%20hacking%20campaigns."], "narrative": "Remcos or Remote Control and Surveillance, marketed as a legitimate software for remotely managing Windows systems is now widely used in multiple malicious campaigns both APT and commodity malware by threat actors.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.005", "mitre_attack_technique": "Visual Basic", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT33", "APT37", "APT38", "APT39", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Earth Lusca", "FIN13", "FIN4", "FIN7", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "Transparent Tribe", "Turla", "WIRTE", "Windshift"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1055.001", "mitre_attack_technique": "Dynamic-link Library Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["BackdoorDiplomacy", "Lazarus Group", "Leviathan", "Malteiro", "Putter Panda", "TA505", "Tropic Trooper", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1036.008", "mitre_attack_technique": "Masquerade File Type", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Volt Typhoon"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059.007", "mitre_attack_technique": "JavaScript", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "Cobalt Group", "Earth Lusca", "Ember Bear", "Evilnum", "FIN6", "FIN7", "Higaisa", "Indrik Spider", "Kimsuky", "LazyScripter", "Leafminer", "Molerats", "MoustachedBouncer", "MuddyWater", "Sidewinder", "Silence", "TA505", "Turla"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "APT41", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Malteiro", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1113", "mitre_attack_technique": "Screen Capture", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT39", "BRONZE BUTLER", "Dark Caracal", "Dragonfly", "FIN7", "GOLD SOUTHFIELD", "Gamaredon Group", "Group5", "Magic Hound", "MoustachedBouncer", "MuddyWater", "OilRig", "Silence"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "Malteiro", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1559.001", "mitre_attack_technique": "Component Object Model", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["Gamaredon Group", "MuddyWater"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1204.001", "mitre_attack_technique": "Malicious Link", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Reconnaissance", "Initial Access", "Collection", "Privilege Escalation", "Credential Access", "Persistence", "Execution", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Installation", "Reconnaissance", "Exploitation"]}, "detection_names": ["ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - Detect Outlook exe writing a zip file - Rule", "ESCU - Disabling Remote User Account Control - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Jscript Execution Using Cscript App - Rule", "ESCU - Loading Of Dynwrapx Module - Rule", "ESCU - Malicious InProcServer32 Modification - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Office Product Spawning Windows Script Host - Rule", "ESCU - Possible Browser Pass View Parameter - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Process Deleting Its Process File Path - Rule", "ESCU - Process Writing DynamicWrapperX - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Remcos client registry install entry - Rule", "ESCU - Remcos RAT File Creation in Remcos Folder - Rule", "ESCU - Suspicious Image Creation In Appdata Folder - Rule", "ESCU - Suspicious Process DNS Query Known Abuse Web Services - Rule", "ESCU - Suspicious Process Executed From Container File - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious WAV file in Appdata Folder - Rule", "ESCU - System Info Gathering Using Dxdiag Application - Rule", "ESCU - Vbscript Execution Using Wscript App - Rule", "ESCU - Windows Defender Exclusion Registry Entry - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule", "ESCU - Winhlp32 Spawning a Process - Rule", "ESCU - Wscript Or Cscript Suspicious Child Process - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Add or Set Windows Defender Exclusion", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Detect Outlook exe writing a zip file", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Disabling Remote User Account Control", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Jscript Execution Using Cscript App", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}, {"name": "Loading Of Dynwrapx Module", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Dynamic-link Library Injection"}]}, {"name": "Malicious InProcServer32 Modification", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Regsvr32"}, {"mitre_attack_technique": "Modify Registry"}]}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawning Windows Script Host", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Possible Browser Pass View Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Credentials from Web Browsers"}, {"mitre_attack_technique": "Credentials from Password Stores"}]}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Process Deleting Its Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Process Writing DynamicWrapperX", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Component Object Model"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Regsvr32 Silent and Install Param Dll Loading", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}, {"name": "Remcos client registry install entry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Remcos RAT File Creation in Remcos Folder", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Screen Capture"}]}, {"name": "Suspicious Image Creation In Appdata Folder", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Screen Capture"}]}, {"name": "Suspicious Process DNS Query Known Abuse Web Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Visual Basic"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Suspicious Process Executed From Container File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Malicious File"}, {"mitre_attack_technique": "Masquerade File Type"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Suspicious WAV file in Appdata Folder", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Screen Capture"}]}, {"name": "System Info Gathering Using Dxdiag Application", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Gather Victim Host Information"}]}, {"name": "Vbscript Execution Using Wscript App", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Visual Basic"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows Defender Exclusion Registry Entry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Malicious Link"}, {"mitre_attack_technique": "User Execution"}]}, {"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}, {"name": "Winhlp32 Spawning a Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Wscript Or Cscript Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Parent PID Spoofing"}, {"mitre_attack_technique": "Access Token Manipulation"}]}]}, {"name": "Reverse Network Proxy", "author": "Michael Haag, Splunk", "date": "2022-11-16", "version": 1, "id": "265e4127-21fd-43e4-adac-ec5d12274111", "description": "The following analytic story describes applications that may be abused to reverse proxy back into an organization, either for persistence or remote access.", "references": ["https://attack.mitre.org/software/S0508/", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf"], "narrative": "This analytic story covers tools like Ngrok which is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. Ngrok in particular has been leveraged by threat actors in several campaigns including use for lateral movement and data exfiltration. There are many open source and closed/paid that fall into this reverse proxy category. The analytic story and complemented analytics will be released as more are identified.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1572", "mitre_attack_technique": "Protocol Tunneling", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Chimera", "Cinnamon Tempest", "Cobalt Group", "FIN13", "FIN6", "Fox Kitten", "Leviathan", "Magic Hound", "OilRig"]}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "Cinnamon Tempest", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "MoustachedBouncer", "POLONIUM", "Sandworm Team", "Turla", "Volt Typhoon", "Windigo"]}, {"mitre_attack_id": "T1102", "mitre_attack_technique": "Web Service", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT32", "EXOTIC LILY", "Ember Bear", "FIN6", "FIN8", "Fox Kitten", "Gamaredon Group", "Inception", "LazyScripter", "Mustang Panda", "Rocke", "TeamTNT", "Turla"]}], "mitre_attack_tactics": ["Command And Control"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Command and Control"]}, "detection_names": ["ESCU - Linux Ngrok Reverse Proxy Usage - Rule", "ESCU - Windows Ngrok Reverse Proxy Usage - Rule", "ESCU - Ngrok Reverse Proxy on Network - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Linux Ngrok Reverse Proxy Usage", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Protocol Tunneling"}, {"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Web Service"}]}, {"name": "Windows Ngrok Reverse Proxy Usage", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Protocol Tunneling"}, {"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Web Service"}]}, {"name": "Ngrok Reverse Proxy on Network", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Protocol Tunneling"}, {"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Web Service"}]}]}, {"name": "Revil Ransomware", "author": "Teoderick Contreras, Splunk", "date": "2021-06-04", "version": 1, "id": "817cae42-f54b-457a-8a36-fbf45521e29e", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Revil ransomware, including looking for file writes associated with Revil, encrypting network shares, deleting shadow volume storage, registry key modification, deleting of security logs, and more.", "references": ["https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/"], "narrative": "Revil ransomware is a RaaS,that a single group may operates and manges the development of this ransomware. It involve the use of ransomware payloads along with exfiltration of data. Malicious actors demand payment for ransome of data and threaten deletion and exposure of exfiltrated data.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.007", "mitre_attack_technique": "Disable or Modify Cloud Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Cinnamon Tempest", "Earth Lusca", "FIN13", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1491", "mitre_attack_technique": "Defacement", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Impact"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Allow Network Discovery In Firewall - Rule", "ESCU - Delete ShadowCopy With PowerShell - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - Msmpeng Application DLL Side Loading - Rule", "ESCU - Powershell Disable Security Monitoring - Rule", "ESCU - Revil Common Exec Parameter - Rule", "ESCU - Revil Registry Entry - Rule", "ESCU - Wbemprox COM Object Execution - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Allow Network Discovery In Firewall", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Cloud Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Delete ShadowCopy With PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Defacement"}]}, {"name": "Msmpeng Application DLL Side Loading", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "Powershell Disable Security Monitoring", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Revil Common Exec Parameter", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Revil Registry Entry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Wbemprox COM Object Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "CMSTP"}]}]}, {"name": "Rhysida Ransomware", "author": "Teoderick Contreras, Splunk", "date": "2023-12-12", "version": 1, "id": "0925ee49-1185-4484-94ac-7867764a9183", "description": "Utilize analytics designed to identify and delve into atypical behaviors, potentially associated with the Rhysida Ransomware. Employing these searches enables the detection of irregular patterns or actions within systems or networks, serving as proactive measures to spot potential indicators of compromise or ongoing threats. By implementing these search strategies, security analysts can effectively pinpoint anomalous activities, such as unusual file modifications, deviations in system behavior, that could potentially signify the presence or attempt of Rhysida Ransomware infiltration. These searches serve as pivotal tools in the arsenal against such threats, aiding in swift detection, investigation, and mitigation efforts to counter the impact of the Rhysida Ransomware or similar malicious entities.", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-319a"], "narrative": "This story addresses Rhysida ransomware. Rhysida Ransomware emerges as a silent predator, infiltrating systems stealthily and unleashing havoc upon its victims. Employing sophisticated encryption tactics, it swiftly locks critical files and databases, holding them hostage behind an impenetrable digital veil. The haunting demand for ransom sends shockwaves through affected organizations, rendering operations inert and plunging them into a tumultuous struggle between compliance and resilience. Threat actors leveraging Rhysida ransomware are known to impact \"targets of opportunity,\" including victims in the education, healthcare, manufacturing, information technology, and government sectors. Open source reporting details similarities between Vice Society activity and the actors observed deploying Rhysida ransomware. Additionally, open source reporting has confirmed observed instances of Rhysida actors operating in a ransomware-as-a-service (RaaS) capacity, where ransomware tools and infrastructure are leased out in a profit-sharing model. Any ransoms paid are then split between the group and the affiliates.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1003.003", "mitre_attack_technique": "NTDS", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "HAFNIUM", "Ke3chang", "LAPSUS$", "Mustang Panda", "Sandworm Team", "Scattered Spider", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}, {"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Akira", "Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1059.007", "mitre_attack_technique": "JavaScript", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "Cobalt Group", "Earth Lusca", "Ember Bear", "Evilnum", "FIN6", "FIN7", "Higaisa", "Indrik Spider", "Kimsuky", "LazyScripter", "Leafminer", "Molerats", "MoustachedBouncer", "MuddyWater", "Sidewinder", "Silence", "TA505", "Turla"]}, {"mitre_attack_id": "T1531", "mitre_attack_technique": "Account Access Removal", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Akira", "LAPSUS$"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "FIN7", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "ToddyCat", "Turla", "Volt Typhoon"]}, {"mitre_attack_id": "T1491", "mitre_attack_technique": "Defacement", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT41", "BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Scattered Spider", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1078.002", "mitre_attack_technique": "Domain Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT5", "Chimera", "Cinnamon Tempest", "Indrik Spider", "Magic Hound", "Naikon", "Sandworm Team", "TA505", "Threat Group-1314", "ToddyCat", "Volt Typhoon", "Wizard Spider"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1070.001", "mitre_attack_technique": "Clear Windows Event Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "APT38", "APT41", "Chimera", "Dragonfly", "FIN5", "FIN8", "Indrik Spider"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Akira", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Scattered Spider", "Silence", "Threat Group-3390", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "Akira", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "Scattered Spider", "TA505"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Initial Access", "Discovery", "Credential Access", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Impact", "Lateral Movement"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Rare Executables - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Disable Logs Using WevtUtil - Rule", "ESCU - Domain Account Discovery With Net App - Rule", "ESCU - Domain Controller Discovery with Nltest - Rule", "ESCU - Domain Group Discovery With Net - Rule", "ESCU - Elevated Group Discovery With Net - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - High Process Termination Frequency - Rule", "ESCU - Malicious Powershell Executed As A Service - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - NLTest Domain Trust Discovery - Rule", "ESCU - Ntdsutil Export NTDS - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - Ransomware Notes bulk creation - Rule", "ESCU - SAM Database File Access Attempt - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - SecretDumps Offline NTDS Dumping Tool - Rule", "ESCU - Spike in File Writes - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious wevtutil Usage - Rule", "ESCU - System User Discovery With Whoami - Rule", "ESCU - Windows Modify Registry NoChangingWallPaper - Rule", "ESCU - Windows PowerView AD Access Control List Enumeration - Rule", "ESCU - Windows PowerView Constrained Delegation Discovery - Rule", "ESCU - Windows PowerView Kerberos Service Ticket Request - Rule", "ESCU - Windows PowerView SPN Discovery - Rule", "ESCU - Windows PowerView Unconstrained Delegation Discovery - Rule", "ESCU - Windows Rundll32 Apply User Settings Changes - Rule", "ESCU - WinRM Spawning a Process - Rule", "ESCU - Detect Zerologon via Zeek - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}, {"name": "Detect Rare Executables", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Disable Logs Using WevtUtil", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear Windows Event Logs"}]}, {"name": "Domain Account Discovery With Net App", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Domain Controller Discovery with Nltest", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "Domain Group Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}, {"name": "Elevated Group Discovery With Net", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Account Access Removal"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "High Process Termination Frequency", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}, {"name": "Malicious Powershell Executed As A Service", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Defacement"}]}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}, {"name": "NLTest Domain Trust Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Trust Discovery"}]}, {"name": "Ntdsutil Export NTDS", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "PowerShell 4104 Hunting", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Ransomware Notes bulk creation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}, {"name": "SAM Database File Access Attempt", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "SecretDumps Offline NTDS Dumping Tool", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Spike in File Writes", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Suspicious wevtutil Usage", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Clear Windows Event Logs"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "System User Discovery With Whoami", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Owner/User Discovery"}]}, {"name": "Windows Modify Registry NoChangingWallPaper", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows PowerView AD Access Control List Enumeration", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Accounts"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}, {"name": "Windows PowerView Constrained Delegation Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "Windows PowerView Kerberos Service Ticket Request", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}]}, {"name": "Windows PowerView SPN Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}]}, {"name": "Windows PowerView Unconstrained Delegation Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote System Discovery"}]}, {"name": "Windows Rundll32 Apply User Settings Changes", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "WinRM Spawning a Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}, {"name": "Detect Zerologon via Zeek", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}]}, {"name": "Router and Infrastructure Security", "author": "Bhavin Patel, Splunk", "date": "2017-09-12", "version": 1, "id": "91c676cf-0b23-438d-abee-f6335e177e77", "description": "Validate the security configuration of network infrastructure and verify that only authorized users and systems are accessing critical assets. Core routing and switching infrastructure are common strategic targets for attackers.", "references": ["https://web.archive.org/web/20210420020040/https://www.fireeye.com/blog/executive-perspective/2015/09/the_new_route_toper.html", "https://www.cisco.com/c/en/us/about/security-center/event-response/synful-knock.html"], "narrative": "Networking devices, such as routers and switches, are often overlooked as resources that attackers will leverage to subvert an enterprise. Advanced threats actors have shown a proclivity to target these critical assets as a means to siphon and redirect network traffic, flash backdoored operating systems, and implement cryptographic weakened algorithms to more easily decrypt network traffic.\nThis Analytic Story helps you gain a better understanding of how your network devices are interacting with your hosts. By compromising your network devices, attackers can obtain direct access to the company's internal infrastructure— effectively increasing the attack surface and accessing private services/data.", "tags": {"category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1542.005", "mitre_attack_technique": "TFTP Boot", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1498", "mitre_attack_technique": "Network Denial of Service", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1200", "mitre_attack_technique": "Hardware Additions", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["DarkVishnya"]}, {"mitre_attack_id": "T1557.002", "mitre_attack_technique": "ARP Cache Poisoning", "mitre_attack_tactics": ["Collection", "Credential Access"], "mitre_attack_groups": ["Cleaver", "LuminousMoth"]}, {"mitre_attack_id": "T1557", "mitre_attack_technique": "Adversary-in-the-Middle", "mitre_attack_tactics": ["Collection", "Credential Access"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1542", "mitre_attack_technique": "Pre-OS Boot", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Collection", "Initial Access", "Credential Access", "Persistence", "Defense Evasion", "Impact"], "datamodels": ["Authentication", "Network_Traffic"], "kill_chain_phases": ["Installation", "Delivery", "Actions on Objectives", "Exploitation"]}, "detection_names": ["ESCU - Detect New Login Attempts to Routers - Rule", "ESCU - Detect ARP Poisoning - Rule", "ESCU - Detect IPv6 Network Infrastructure Threats - Rule", "ESCU - Detect Port Security Violation - Rule", "ESCU - Detect Rogue DHCP Server - Rule", "ESCU - Detect Software Download To Network Device - Rule", "ESCU - Detect Traffic Mirroring - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect New Login Attempts to Routers", "source": "application", "type": "TTP", "tags": []}, {"name": "Detect ARP Poisoning", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Hardware Additions"}, {"mitre_attack_technique": "Network Denial of Service"}, {"mitre_attack_technique": "Adversary-in-the-Middle"}, {"mitre_attack_technique": "ARP Cache Poisoning"}]}, {"name": "Detect IPv6 Network Infrastructure Threats", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Hardware Additions"}, {"mitre_attack_technique": "Network Denial of Service"}, {"mitre_attack_technique": "Adversary-in-the-Middle"}, {"mitre_attack_technique": "ARP Cache Poisoning"}]}, {"name": "Detect Port Security Violation", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Hardware Additions"}, {"mitre_attack_technique": "Network Denial of Service"}, {"mitre_attack_technique": "Adversary-in-the-Middle"}, {"mitre_attack_technique": "ARP Cache Poisoning"}]}, {"name": "Detect Rogue DHCP Server", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Hardware Additions"}, {"mitre_attack_technique": "Network Denial of Service"}, {"mitre_attack_technique": "Adversary-in-the-Middle"}]}, {"name": "Detect Software Download To Network Device", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "TFTP Boot"}, {"mitre_attack_technique": "Pre-OS Boot"}]}, {"name": "Detect Traffic Mirroring", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Hardware Additions"}, {"mitre_attack_technique": "Automated Exfiltration"}, {"mitre_attack_technique": "Network Denial of Service"}, {"mitre_attack_technique": "Traffic Duplication"}]}]}, {"name": "Ryuk Ransomware", "author": "Jose Hernandez, Splunk", "date": "2020-11-06", "version": 1, "id": "507edc74-13d5-4339-878e-b9744ded1f35", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Ryuk ransomware, including looking for file writes associated with Ryuk, Stopping Security Access Manager, DisableAntiSpyware registry key modification, suspicious psexec use, and more.", "references": ["https://www.splunk.com/en_us/blog/security/detecting-ryuk-using-splunk-attack-range.html", "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/", "https://us-cert.cisa.gov/ncas/alerts/aa20-302a"], "narrative": "Cybersecurity Infrastructure Security Agency (CISA) released Alert (AA20-302A) on October 28th called Ransomware Activity Targeting the Healthcare and Public Health Sector. This alert details TTPs associated with ongoing and possible imminent attacks against the Healthcare sector, and is a joint advisory in coordination with other U.S. Government agencies. The objective of these malicious campaigns is to infiltrate targets in named sectors and to drop ransomware payloads, which will likely cause disruption of service and increase risk of actual harm to the health and safety of patients at hospitals, even with the aggravant of an ongoing COVID-19 pandemic. This document specifically refers to several crimeware exploitation frameworks, emphasizing the use of Ryuk ransomware as payload. The Ryuk ransomware payload is not new. It has been well documented and identified in multiple variants. Payloads need a carrier, and for Ryuk it has often been exploitation frameworks such as Cobalt Strike, or popular crimeware frameworks such as Emotet or Trickbot.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Akira", "Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "APT5", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "Akira", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "Scattered Spider", "TA505"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}], "mitre_attack_tactics": ["Discovery", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Impact", "Lateral Movement"], "datamodels": ["Network_Traffic", "Endpoint"], "kill_chain_phases": ["Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Windows connhost exe started forcefully - Rule", "ESCU - BCDEdit Failure Recovery Modification - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - NLTest Domain Trust Discovery - Rule", "ESCU - Ryuk Test Files Detected - Rule", "ESCU - Ryuk Wake on LAN Command - Rule", "ESCU - Spike in File Writes - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - WBAdmin Delete System Backups - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows Security Account Manager Stopped - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - Remote Desktop Network Bruteforce - Rule", "ESCU - Remote Desktop Network Traffic - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Jose Hernandez", "detections": [{"name": "Windows connhost exe started forcefully", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Command Shell"}]}, {"name": "BCDEdit Failure Recovery Modification", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "NLTest Domain Trust Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Trust Discovery"}]}, {"name": "Ryuk Test Files Detected", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}, {"name": "Ryuk Wake on LAN Command", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}]}, {"name": "Spike in File Writes", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "WBAdmin Delete System Backups", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Security Account Manager Stopped", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Service Stop"}]}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Remote Desktop Network Bruteforce", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "Remote Desktop Network Traffic", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}]}, {"name": "sAMAccountName Spoofing and Domain Controller Impersonation", "author": "Mauricio Velazco, Splunk", "date": "2021-12-20", "version": 1, "id": "0244fdee-61be-11ec-900e-acde48001122", "description": "Monitor for activities and techniques associated with the exploitation of the sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287) vulnerabilities.", "references": ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42278", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42287", "https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html"], "narrative": "On November 9, 2021, Microsoft released patches to address two vulnerabilities that affect Windows Active Directory networks, sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287). On December 10, 2021, security researchers Charlie Clark and Andrew Schwartz released a blog post where they shared how to weaponise these vulnerabilities in a target network an the initial detection opportunities. When successfully exploited, CVE-2021-42278 and CVE-2021-42287 allow an adversary, who has stolen the credentials of a low priviled domain user, to obtain a Kerberos Service ticket for a Domain Controller computer account. The only requirement is to have network connectivity to a domain controller. This attack vector effectivelly allows attackers to escalate their privileges in an Active Directory from a regular domain user account and take control of a domain controller. While patches have been released to address these vulnerabilities, deploying detection controls for this attack may help help defenders identify attackers attempting exploitation.", "tags": {"category": ["Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.002", "mitre_attack_technique": "Domain Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT5", "Chimera", "Cinnamon Tempest", "Indrik Spider", "Magic Hound", "Naikon", "Sandworm Team", "TA505", "Threat Group-1314", "ToddyCat", "Volt Typhoon", "Wizard Spider"]}], "mitre_attack_tactics": ["Persistence", "Privilege Escalation", "Initial Access", "Defense Evasion"], "datamodels": [], "kill_chain_phases": ["Installation", "Delivery", "Exploitation"]}, "detection_names": ["ESCU - Suspicious Computer Account Name Change - Rule", "ESCU - Suspicious Kerberos Service Ticket Request - Rule", "ESCU - Suspicious Ticket Granting Ticket Request - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Suspicious Computer Account Name Change", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Domain Accounts"}]}, {"name": "Suspicious Kerberos Service Ticket Request", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Domain Accounts"}]}, {"name": "Suspicious Ticket Granting Ticket Request", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Domain Accounts"}]}]}, {"name": "SamSam Ransomware", "author": "Rico Valdez, Splunk", "date": "2018-12-13", "version": 1, "id": "c4b89506-fbcf-4cb7-bfd6-527e54789604", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the SamSam ransomware, including looking for file writes associated with SamSam, RDP brute force attacks, the presence of files with SamSam ransomware extensions, suspicious psexec use, and more.", "references": ["https://www.crowdstrike.com/blog/an-in-depth-analysis-of-samsam-ransomware-and-boss-spider/", "https://nakedsecurity.sophos.com/2018/07/31/samsam-the-almost-6-million-ransomware/", "https://thehackernews.com/2018/07/samsam-ransomware-attacks.html"], "narrative": "The first version of the SamSam ransomware (a.k.a. Samas or SamsamCrypt) was launched in 2015 by a group of Iranian threat actors. The malicious software has affected and continues to affect thousands of victims and has raised almost $6M in ransom.\nAlthough categorized under the heading of ransomware, SamSam campaigns have some importance distinguishing characteristics. Most notable is the fact that conventional ransomware is a numbers game. Perpetrators use a \"spray-and-pray\" approach with phishing campaigns or other mechanisms, charging a small ransom (typically under $1,000). The goal is to find a large number of victims willing to pay these mini-ransoms, adding up to a lucrative payday. They use relatively simple methods for infecting systems.\nSamSam attacks are different beasts. They have become progressively more targeted and skillful than typical ransomware attacks. First, malicious actors break into a victim's network, surveil it, then run the malware manually. The attacks are tailored to cause maximum damage and the threat actors usually demand amounts in the tens of thousands of dollars.\nIn a typical attack on one large healthcare organization in 2018, the company ended up paying a ransom of four Bitcoins, then worth $56,707. Reports showed that access to the company's files was restored within two hours of paying the sum.\nAccording to Sophos, SamSam previously leveraged RDP to gain access to targeted networks via brute force. SamSam is not spread automatically, like other malware. It requires skill because it forces the attacker to adapt their tactics to the individual environment. Next, the actors escalate their privileges to admin level. They scan the networks for worthy targets, using conventional tools, such as PsExec or PaExec, to deploy/execute, quickly encrypting files.\nThis Analytic Story includes searches designed to help detect and investigate signs of the SamSam ransomware, such as the creation of fileswrites to system32, writes with tell-tale extensions, batch files written to system32, and evidence of brute-force attacks via RDP.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "APT5", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1036.005", "mitre_attack_technique": "Match Legitimate Name or Location", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT32", "APT39", "APT41", "APT5", "Aoqin Dragon", "BRONZE BUTLER", "BackdoorDiplomacy", "Blue Mockingbird", "Carbanak", "Chimera", "Darkhotel", "Earth Lusca", "FIN13", "FIN7", "Ferocious Kitten", "Fox Kitten", "Gamaredon Group", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Naikon", "PROMETHIUM", "Patchwork", "Poseidon Group", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "Sowbug", "TA2541", "TeamTNT", "ToddyCat", "Transparent Tribe", "Tropic Trooper", "Volt Typhoon", "WIRTE", "Whitefly", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1595", "mitre_attack_technique": "Active Scanning", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "Akira", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "Scattered Spider", "TA505"]}, {"mitre_attack_id": "T1082", "mitre_attack_technique": "System Information Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT19", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "Blue Mockingbird", "Chimera", "Confucius", "Darkhotel", "FIN13", "FIN8", "Gamaredon Group", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Malteiro", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Sowbug", "Stealth Falcon", "TA2541", "TeamTNT", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Windigo", "Windshift", "Wizard Spider", "ZIRCONIUM", "admin@338"]}], "mitre_attack_tactics": ["Reconnaissance", "Initial Access", "Discovery", "Credential Access", "Persistence", "Execution", "Defense Evasion", "Impact", "Lateral Movement"], "datamodels": ["Network_Traffic", "Web", "Endpoint"], "kill_chain_phases": ["Reconnaissance", "Delivery", "Exploitation", "Actions on Objectives", "Installation"]}, "detection_names": ["ESCU - Prohibited Software On Endpoint - Rule", "ESCU - Attacker Tools On Endpoint - Rule", "ESCU - Batch File Write to System32 - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - File with Samsam Extension - Rule", "ESCU - Samsam Test File Write - Rule", "ESCU - Spike in File Writes - Rule", "ESCU - Remote Desktop Network Bruteforce - Rule", "ESCU - Remote Desktop Network Traffic - Rule", "ESCU - Detect attackers scanning for vulnerable JBoss servers - Rule", "ESCU - Detect malicious requests to exploit JBoss servers - Rule"], "investigation_names": ["Get Backup Logs For Endpoint", "Get History Of Email Sources", "Get Notable History", "Get Parent Process Info", "Get Process Info", "Get Process Information For Port Activity", "Investigate Successful Remote Desktop Authentications"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Prohibited Software On Endpoint", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Attacker Tools On Endpoint", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Match Legitimate Name or Location"}, {"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "Active Scanning"}]}, {"name": "Batch File Write to System32", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "User Execution"}, {"mitre_attack_technique": "Malicious File"}]}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "File with Samsam Extension", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Samsam Test File Write", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}, {"name": "Spike in File Writes", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Remote Desktop Network Bruteforce", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "Remote Desktop Network Traffic", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "Detect attackers scanning for vulnerable JBoss servers", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "System Information Discovery"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Detect malicious requests to exploit JBoss servers", "source": "web", "type": "TTP", "tags": []}]}, {"name": "Sandworm Tools", "author": "Teoderick Contreras, Splunk", "date": "2022-04-05", "version": 1, "id": "54146850-9d26-4877-a611-2db33231e63e", "description": "This analytic story features detections that enable security analysts to identify and investigate unusual activities potentially related to the destructive malware and tools employed by the \"Sandworm\" group. This analytic story focuses on monitoring suspicious process executions, command-line activities, Master Boot Record (MBR) wiping, data destruction, and other related indicators.", "references": ["https://cert.gov.ua/article/3718487", "https://attack.mitre.org/groups/G0034/"], "narrative": "The Sandworm group's tools are part of destructive malware operations designed to disrupt or attack Ukraine's National Information Agencies. This operation campaign consists of several malware components, including scripts, native Windows executables (LOLBINs), data wiper malware that overwrites or destroys the Master Boot Record (MBR), and file wiping using sdelete.exe on targeted hosts.", "tags": {"category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "APT5", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1590.002", "mitre_attack_technique": "DNS", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT41", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}, {"mitre_attack_id": "T1550.003", "mitre_attack_technique": "Pass the Ticket", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["APT29", "APT32", "BRONZE BUTLER"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT", "ToddyCat"]}, {"mitre_attack_id": "T1036.004", "mitre_attack_technique": "Masquerade Task or Service", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT41", "BITTER", "BackdoorDiplomacy", "Carbanak", "FIN13", "FIN6", "FIN7", "Fox Kitten", "Higaisa", "Kimsuky", "Lazarus Group", "Magic Hound", "Naikon", "PROMETHIUM", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Reconnaissance", "Discovery", "Credential Access", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Impact", "Lateral Movement"], "datamodels": ["Risk", "Endpoint"], "kill_chain_phases": ["Reconnaissance", "Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Icacls Deny Command - Rule", "ESCU - Linux Iptables Firewall Modification - Rule", "ESCU - Linux Kworker Process In Writable Process Path - Rule", "ESCU - Local Account Discovery with Net - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Mimikatz PassTheTicket CommandLine Parameters - Rule", "ESCU - Permission Modification using Takeown App - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows DNS Gather Network Info - Rule", "ESCU - Windows High File Deletion Frequency - Rule", "ESCU - Windows Mimikatz Binary Execution - Rule", "ESCU - Windows Mimikatz Crypto Export File Extensions - Rule", "ESCU - Windows System Shutdown CommandLine - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Icacls Deny Command", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}, {"name": "Linux Iptables Firewall Modification", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Linux Kworker Process In Writable Process Path", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Masquerade Task or Service"}, {"mitre_attack_technique": "Masquerading"}]}, {"name": "Local Account Discovery with Net", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}]}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}, {"name": "Mimikatz PassTheTicket CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Use Alternate Authentication Material"}, {"mitre_attack_technique": "Pass the Ticket"}]}, {"name": "Permission Modification using Takeown App", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Suspicious Copy on System32", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "Masquerading"}]}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "System Network Connections Discovery"}, {"mitre_attack_technique": "System Owner/User Discovery"}, {"mitre_attack_technique": "System Shutdown/Reboot"}, {"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows DNS Gather Network Info", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "DNS"}]}, {"name": "Windows High File Deletion Frequency", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Windows Mimikatz Binary Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Windows Mimikatz Crypto Export File Extensions", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}, {"name": "Windows System Shutdown CommandLine", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Shutdown/Reboot"}]}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Scheduled Task"}]}]}, {"name": "Scheduled Tasks", "author": "Michael Haag, Splunk", "date": "2023-06-12", "version": 1, "id": "94cff925-d05c-40cf-b925-d6c5702a2399", "description": "The MITRE ATT&CK technique T1053 refers to Scheduled Task/Job. Adversaries might use task scheduling utilities to execute programs or scripts at a predefined date and time. This method is often used for persistence but can also be used for privilege escalation or to execute tasks under certain conditions. Scheduling tasks can be beneficial for an attacker as it can allow them to execute actions at times when the system is less likely to be monitored actively. Different operating systems have different utilities for task scheduling, for example, Unix-like systems have Cron, while Windows has Scheduled Tasks and At Jobs.", "references": ["https://attack.mitre.org/techniques/T1053/"], "narrative": "MITRE ATT&CK technique T1053, labeled \"Scheduled Task/Job\", is a categorization of methods that adversaries use to execute malicious code by scheduling tasks or jobs on a system. This technique is widely utilized for persistence, privilege escalation, and the remote execution of tasks. The technique is applicable across various environments and platforms, including Windows, Linux, and macOS.\nThe technique consists of multiple sub-techniques, each highlighting a distinct mechanism for scheduling tasks or jobs. These sub-techniques include T1053.001 (Scheduled Task), T1053.002 (At for Windows), T1053.003 (Cron), T1053.004 (Launchd), T1053.005 (At for Linux), and T1053.006 (Systemd Timers).\nScheduled Task (T1053.001) focuses on adversaries' methods for scheduling tasks on a Windows system to maintain persistence or escalate privileges. These tasks can be set to execute at specified times, in response to particular events, or after a defined time interval.\nThe At command for Windows (T1053.002) enables administrators to schedule tasks on a Windows system. Adversaries may exploit this command to execute programs at system startup or at a predetermined schedule for persistence.\nCron (T1053.003) is a built-in job scheduler found in Unix-like operating systems. Adversaries can use cron jobs to execute programs at system startup or on a scheduled basis for persistence.\nLaunchd (T1053.004) is a service management framework present in macOS. Adversaries may utilize launchd to maintain persistence on macOS systems by setting up daemons or agents to execute at specific times or in response to defined events.\nThe At command for Linux (T1053.005) enables administrators to schedule tasks on a Linux system. Adversaries can use this command to execute programs at system startup or on a scheduled basis for persistence.\nSystemd Timers (T1053.006) offer a means of scheduling tasks on Linux systems using systemd. Adversaries can use systemd timers to execute programs at system startup or on a scheduled basis for persistence.\nDetection and mitigation strategies vary for each sub-technique. For instance, monitoring the creation of scheduled tasks or looking for uncorrelated changes to tasks that do not align with known software or patch cycles can be effective for detecting malicious activity related to this technique. Mitigation strategies may involve restricting permissions and applying application control solutions to prevent adversaries from scheduling tasks.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.003", "mitre_attack_technique": "Cron", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT38", "APT5", "Rocke"]}, {"mitre_attack_id": "T1053.002", "mitre_attack_technique": "At", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "BRONZE BUTLER", "Threat Group-3390"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053.006", "mitre_attack_technique": "Systemd Timers", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1021.006", "mitre_attack_technique": "Windows Remote Management", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Chimera", "FIN13", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1218.014", "mitre_attack_technique": "MMC", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}], "mitre_attack_tactics": ["Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Lateral Movement"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - Linux Add Files In Known Crontab Directories - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux At Allow Config File Creation - Rule", "ESCU - Linux At Application Execution - Rule", "ESCU - Linux Edit Cron Table Parameter - Rule", "ESCU - Linux Possible Append Command To At Allow Config File - Rule", "ESCU - Linux Possible Append Cronjob Entry on Existing Cronjob File - Rule", "ESCU - Linux Possible Cronjob Modification With Editor - Rule", "ESCU - Linux Service File Created In Systemd Directory - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Service Started Or Enabled - Rule", "ESCU - Possible Lateral Movement PowerShell Spawn - Rule", "ESCU - Randomly Generated Scheduled Task Name - Rule", "ESCU - Schedule Task with HTTP Command Arguments - Rule", "ESCU - Schedule Task with Rundll32 Command Trigger - Rule", "ESCU - Scheduled Task Creation on Remote Endpoint using At - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Scheduled Task Initiation on Remote Endpoint - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Schtasks used for forcing a reboot - Rule", "ESCU - Short Lived Scheduled Task - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Svchost LOLBAS Execution Process Spawn - Rule", "ESCU - Windows Enable Win32 ScheduledJob via Registry - Rule", "ESCU - Windows Hidden Schedule Task Settings - Rule", "ESCU - Windows PowerShell ScheduleTask - Rule", "ESCU - Windows Registry Delete Task SD - Rule", "ESCU - Windows Scheduled Task Created Via XML - Rule", "ESCU - Windows Scheduled Task with Highest Privileges - Rule", "ESCU - Windows Schtasks Create Run As System - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Linux Add Files In Known Crontab Directories", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Adding Crontab Using List Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux At Allow Config File Creation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux At Application Execution", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "At"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Edit Cron Table Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Possible Append Command To At Allow Config File", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "At"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Possible Append Cronjob Entry on Existing Cronjob File", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Possible Cronjob Modification With Editor", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Service File Created In Systemd Directory", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Service Restarted", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Linux Service Started Or Enabled", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Possible Lateral Movement PowerShell Spawn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Remote Management"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "MMC"}]}, {"name": "Randomly Generated Scheduled Task Name", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}, {"name": "Schedule Task with HTTP Command Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Schedule Task with Rundll32 Command Trigger", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Scheduled Task Creation on Remote Endpoint using At", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "At"}]}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Scheduled Task Initiation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}, {"name": "Schtasks Run Task On Demand", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Schtasks scheduling job on remote system", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Schtasks used for forcing a reboot", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Short Lived Scheduled Task", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}]}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Svchost LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}, {"name": "Windows Enable Win32 ScheduledJob via Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Scheduled Task"}]}, {"name": "Windows Hidden Schedule Task Settings", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Windows PowerShell ScheduleTask", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows Registry Delete Task SD", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Scheduled Task Created Via XML", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Windows Scheduled Task with Highest Privileges", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}, {"name": "Windows Schtasks Create Run As System", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Scheduled Task"}]}]}, {"name": "Signed Binary Proxy Execution InstallUtil", "author": "Michael Haag, Splunk", "date": "2021-11-12", "version": 1, "id": "9482a314-43dc-11ec-a3c9-acde48001122", "description": "Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility.", "references": ["https://attack.mitre.org/techniques/T1218/004/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"], "narrative": "InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. InstallUtil is digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\\Windows\\Microsoft.NET\\Framework\\v\\InstallUtil.exe and C:\\Windows\\Microsoft.NET\\Framework64\\v\\InstallUtil.exe.\nThere are multiple ways to instantiate InstallUtil and they are all outlined within Atomic Red Team - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md. Two specific ways may be used and that includes invoking via installer assembly class constructor through .NET and via InstallUtil.exe.\nTypically, adversaries will utilize the most commonly found way to invoke via InstallUtil Uninstall method.\nNote that parallel processes, and parent process, play a role in how InstallUtil is being used. In particular, a developer using InstallUtil will spawn from VisualStudio. Adversaries, will spawn from non-standard processes like Explorer.exe, cmd.exe or PowerShell.exe. It's important to review the command-line to identify the DLL being loaded.\nParallel processes may also include csc.exe being used to compile a local `.cs` file. This file will be the input to the output. Developers usually do not build direct on the command shell, therefore this should raise suspicion.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Network_Traffic", "Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Windows DotNet Binary in Non Standard Path - Rule", "ESCU - Windows InstallUtil Credential Theft - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows InstallUtil Remote Network Connection - Rule", "ESCU - Windows InstallUtil Uninstall Option - Rule", "ESCU - Windows InstallUtil Uninstall Option with Network - Rule", "ESCU - Windows InstallUtil URL in Command Line - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows DotNet Binary in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}, {"name": "Windows InstallUtil Credential Theft", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "InstallUtil"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}, {"name": "Windows InstallUtil Remote Network Connection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "InstallUtil"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}, {"name": "Windows InstallUtil Uninstall Option", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "InstallUtil"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}, {"name": "Windows InstallUtil Uninstall Option with Network", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "InstallUtil"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}, {"name": "Windows InstallUtil URL in Command Line", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "InstallUtil"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}]}, {"name": "Silver Sparrow", "author": "Michael Haag, Splunk", "date": "2021-02-24", "version": 1, "id": "cb4f48fe-7699-11eb-af77-acde48001122", "description": "Silver Sparrow, identified by Red Canary Intelligence, is a new forward looking MacOS (Intel and M1) malicious software downloader utilizing JavaScript for execution and a launchAgent to establish persistence.", "references": ["https://redcanary.com/blog/clipping-silver-sparrows-wings/", "https://www.sentinelone.com/blog/5-things-you-need-to-know-about-silver-sparrow/"], "narrative": "Silver Sparrow works is a dropper and uses typical persistence mechanisms on a Mac. It is cross platform, covering both Intel and Apple M1 architecture. To this date, no implant has been downloaded for malicious purposes. During installation of the update.pkg or updater.pkg file, the malicious software utilizes JavaScript to generate files and scripts on disk for persistence.These files later download a implant from an S3 bucket every hour. This analytic assists with identifying different types of macOS malware families establishing LaunchAgent persistence. Per SentinelOne source, it is predicted that Silver Sparrow is likely selling itself as a mechanism to 3rd party affiliates or pay-per-install (PPI) partners, typically seen as commodity adware/malware. Additional indicators and behaviors may be found within the references.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543.001", "mitre_attack_technique": "Launch Agent", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Persistence", "Command And Control", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation", "Command and Control"]}, "detection_names": ["ESCU - Suspicious Curl Network Connection - Rule", "ESCU - Suspicious PlistBuddy Usage - Rule", "ESCU - Suspicious PlistBuddy Usage via OSquery - Rule", "ESCU - Suspicious SQLite3 LSQuarantine Behavior - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Suspicious Curl Network Connection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Suspicious PlistBuddy Usage", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Launch Agent"}, {"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Suspicious PlistBuddy Usage via OSquery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Launch Agent"}, {"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Suspicious SQLite3 LSQuarantine Behavior", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Staged"}]}]}, {"name": "Snake Keylogger", "author": "Teoderick Contreras, Splunk", "date": "2024-02-12", "version": 1, "id": "0374f962-c66a-4a67-9a30-24b0708ef802", "description": "SnakeKeylogger is a stealthy malware designed to secretly record keystrokes on infected devices. It operates covertly in the background, capturing sensitive information such as passwords and credit card details. This keylogging threat poses a significant risk to user privacy and security.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger", "https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-malware/snake-keylogger-malware/"], "narrative": "SnakeKeylogger, a notorious malware, first emerged in the early 2010s, gaining infamy for its clandestine ability to capture keystrokes on compromised systems. As a stealthy threat, it infiltrates computers silently, recording every keystroke entered by users, including sensitive information like passwords and financial details. Over time, it has evolved to evade detection mechanisms, posing a persistent threat to cybersecurity. Its widespread use in various cybercrime activities underscores its significance as a tool for espionage and data theft. Despite efforts to combat it, SnakeKeylogger continues to lurk in the shadows, perpetuating its malicious activities with devastating consequences.", "tags": {"category": ["Adversary Tactics", "Account Compromise", "Lateral Movement", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1059.005", "mitre_attack_technique": "Visual Basic", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT33", "APT37", "APT38", "APT39", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Earth Lusca", "FIN13", "FIN4", "FIN7", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "Transparent Tribe", "Turla", "WIRTE", "Windshift"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1036.008", "mitre_attack_technique": "Masquerade File Type", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Volt Typhoon"]}, {"mitre_attack_id": "T1590", "mitre_attack_technique": "Gather Victim Network Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["HAFNIUM"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "APT5", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1590.005", "mitre_attack_technique": "IP Addresses", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["Andariel", "HAFNIUM", "Magic Hound"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "APT41", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "Volt Typhoon", "ZIRCONIUM"]}, {"mitre_attack_id": "T1071.003", "mitre_attack_technique": "Mail Protocols", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT28", "APT32", "Kimsuky", "SilverTerrier", "Turla"]}, {"mitre_attack_id": "T1497.003", "mitre_attack_technique": "Time Based Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1218.009", "mitre_attack_technique": "Regsvcs/Regasm", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "APT41", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Malteiro", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Magic Hound", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "Malteiro", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1497", "mitre_attack_technique": "Virtualization/Sandbox Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": ["Darkhotel"]}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "Akira", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "Scattered Spider", "TA505"]}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT", "ToddyCat"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}], "mitre_attack_tactics": ["Reconnaissance", "Command And Control", "Initial Access", "Discovery", "Credential Access", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Impact"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Reconnaissance", "Exploitation", "Actions on Objectives", "Delivery", "Installation", "Command and Control"]}, "detection_names": ["ESCU - Detect Regasm Spawning a Process - Rule", "ESCU - Download Files Using Telegram - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - High Process Termination Frequency - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Processes launching netsh - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Suspicious Driver Loaded Path - Rule", "ESCU - Suspicious Process DNS Query Known Abuse Web Services - Rule", "ESCU - Suspicious Process Executed From Container File - Rule", "ESCU - Windows Credential Access From Browser Password Store - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule", "ESCU - Windows File Transfer Protocol In Non-Common Process Path - Rule", "ESCU - Windows Gather Victim Network Info Through Ip Check Web Services - Rule", "ESCU - Windows Non Discord App Access Discord LevelDB - Rule", "ESCU - Windows Phishing PDF File Executes URL Link - Rule", "ESCU - Windows System Network Connections Discovery Netsh - Rule", "ESCU - Windows Time Based Evasion via Choice Exec - Rule", "ESCU - Windows Unsecured Outlook Credentials Access In Registry - Rule", "ESCU - Windows User Execution Malicious URL Shortcut File - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Detect Regasm Spawning a Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}, {"name": "Download Files Using Telegram", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "High Process Termination Frequency", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "Processes launching netsh", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Suspicious Driver Loaded Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Suspicious Process DNS Query Known Abuse Web Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Visual Basic"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Suspicious Process Executed From Container File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Malicious File"}, {"mitre_attack_technique": "Masquerade File Type"}]}, {"name": "Windows Credential Access From Browser Password Store", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Credentials from Password Stores Chrome LocalState Access", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Credentials from Password Stores Chrome Login Data Access", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows File Transfer Protocol In Non-Common Process Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Mail Protocols"}, {"mitre_attack_technique": "Application Layer Protocol"}]}, {"name": "Windows Gather Victim Network Info Through Ip Check Web Services", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "IP Addresses"}, {"mitre_attack_technique": "Gather Victim Network Information"}]}, {"name": "Windows Non Discord App Access Discord LevelDB", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Phishing PDF File Executes URL Link", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}, {"name": "Windows System Network Connections Discovery Netsh", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "Windows Time Based Evasion via Choice Exec", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Time Based Evasion"}, {"mitre_attack_technique": "Virtualization/Sandbox Evasion"}]}, {"name": "Windows Unsecured Outlook Credentials Access In Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Unsecured Credentials"}]}, {"name": "Windows User Execution Malicious URL Shortcut File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Malicious File"}, {"mitre_attack_technique": "User Execution"}]}]}, {"name": "Snake Malware", "author": "Michael Haag, Splunk", "date": "2023-05-10", "version": 1, "id": "032bacbb-f90d-43aa-bbcc-d87f169a29c8", "description": "The Snake implant is considered the most sophisticated cyber espionage tool designed and used by Center 16 of Russia's Federal Security Service (FSB) for long-term intelligence collection on sensitive targets.", "references": ["https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF"], "narrative": "The Snake implant is considered the most sophisticated cyber espionage tool designed and used by Center 16 of Russia's Federal Security Service (FSB) for long-term intelligence collection on sensitive targets. To conduct operations using this tool, the FSB created a covert peer-to-peer (P2P) network of numerous Snake-infected computers worldwide. Many systems in this P2P network serve as relay nodes which route disguised operational traffic to and from Snake implants on the FSB's ultimate targets. Snake's custom communications protocols employ encryption and fragmentation for confidentiality and are designed to hamper detection and collection efforts. We consider Snake to be the most sophisticated cyber espionage tool in the FSB's arsenal. The sophistication of Snake stems from three principal areas. First, Snake employs means to achieve a rare level of stealth in its host components and network communications. Second, Snake's internal technical architecture allows for easy incorporation of new or replacement components. This design also facilitates the development and interoperability of Snake instances running on different host operating systems. We have observed interoperable Snake implants for Windows, MacOS, and Linux operating systems. Lastly, Snake demonstrates careful software engineering design and implementation, with the implant containing surprisingly few bugs given its complexity. (CISA, 2023)", "tags": {"category": ["Adversary Tactics", "Account Compromise", "Lateral Movement", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1547.006", "mitre_attack_technique": "Kernel Modules and Extensions", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Persistence", "Execution", "Privilege Escalation", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows Service Created Within Public Path - Rule", "ESCU - Windows Snake Malware File Modification Crmlog - Rule", "ESCU - Windows Snake Malware Kernel Driver Comadmin - Rule", "ESCU - Windows Snake Malware Registry Modification wav OpenWithProgIds - Rule", "ESCU - Windows Snake Malware Service Create - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Windows Service Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Windows Snake Malware File Modification Crmlog", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}, {"name": "Windows Snake Malware Kernel Driver Comadmin", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Kernel Modules and Extensions"}]}, {"name": "Windows Snake Malware Registry Modification wav OpenWithProgIds", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Snake Malware Service Create", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Service Execution"}]}]}, {"name": "Sneaky Active Directory Persistence Tricks", "author": "Dean Luxton, Mauricio Velazco, Splunk", "date": "2024-03-14", "version": 2, "id": "f676c4c1-c769-4ecb-9611-5fd85b497c56", "description": "Monitor for activities and techniques associated with Windows Active Directory persistence techniques.", "references": ["https://adsecurity.org/?p=1929", "https://www.youtube.com/watch?v=Lz6haohGAMc&feature=youtu.be", "https://adsecurity.org/wp-content/uploads/2015/09/DEFCON23-2015-Metcalf-RedvsBlue-ADAttackAndDefense-Final.pdf", "https://attack.mitre.org/tactics/TA0003/", "https://www.dcshadow.com/", "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", "https://www.linkedin.com/pulse/mimikatz-dcsync-event-log-detections-john-dwyer"], "narrative": "Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Active Directory is a centralized and hierarchical database that stores information about users, computers, and other resources on a network. It provides secure and efficient management of these resources and enables administrators to enforce security policies and delegate administrative tasks.\nIn 2015 Active Directory security researcher Sean Metcalf published a blog post titled `Sneaky Active Directory Persistence Tricks`. In this blog post, Sean described several methods through which an attacker could persist administrative access on an Active Directory network after having Domain Admin level rights for a short period of time. At the time of writing, 8 years after the initial blog post, most of these techniques are still possible since they abuse legitimate administrative functionality and not software vulnerabilities. Security engineers defending Active Directory networks should be aware of these technique available to adversaries post exploitation and deploy both preventive and detective security controls for them.\nThis analytic story groups detection opportunities for most of the techniques described on Seans blog post as well as other high impact attacks against Active Directory networks and Domain Controllers like DCSync and DCShadow. For some of these detection opportunities, it is necessary to enable the necessary GPOs and SACLs required, otherwise the event codes will not trigger. Each detection includes a list of requirements for enabling logging.", "tags": {"category": ["Adversary Tactics", "Account Compromise", "Lateral Movement", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1134.005", "mitre_attack_technique": "SID-History Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1207", "mitre_attack_technique": "Rogue Domain Controller", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1484", "mitre_attack_technique": "Domain or Tenant Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1003.006", "mitre_attack_technique": "DCSync", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Earth Lusca", "LAPSUS$"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1484.001", "mitre_attack_technique": "Group Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Cinnamon Tempest", "Indrik Spider"]}, {"mitre_attack_id": "T1078.002", "mitre_attack_technique": "Domain Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT5", "Chimera", "Cinnamon Tempest", "Indrik Spider", "Magic Hound", "Naikon", "Sandworm Team", "TA505", "Threat Group-1314", "ToddyCat", "Volt Typhoon", "Wizard Spider"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1547.005", "mitre_attack_technique": "Security Support Provider", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Initial Access", "Credential Access", "Privilege Escalation", "Persistence", "Defense Evasion"], "datamodels": ["Network_Traffic", "Authentication", "Endpoint", "Change"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation"]}, "detection_names": ["ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Windows AD AdminSDHolder ACL Modified - Rule", "ESCU - Windows AD Cross Domain SID History Addition - Rule", "ESCU - Windows AD Domain Controller Audit Policy Disabled - Rule", "ESCU - Windows AD Domain Controller Promotion - Rule", "ESCU - Windows AD Domain Replication ACL Addition - Rule", "ESCU - Windows AD DSRM Account Changes - Rule", "ESCU - Windows AD DSRM Password Reset - Rule", "ESCU - Windows AD Privileged Account SID History Addition - Rule", "ESCU - Windows AD Replication Request Initiated by User Account - Rule", "ESCU - Windows AD Replication Request Initiated from Unsanctioned Location - Rule", "ESCU - Windows AD Same Domain SID History Addition - Rule", "ESCU - Windows AD ServicePrincipalName Added To Domain Account - Rule", "ESCU - Windows AD Short Lived Domain Account ServicePrincipalName - Rule", "ESCU - Windows AD Short Lived Domain Controller SPN Attribute - Rule", "ESCU - Windows AD Short Lived Server Object - Rule", "ESCU - Windows AD SID History Attribute Modified - Rule", "ESCU - Windows Admon Default Group Policy Object Modified - Rule", "ESCU - Windows Admon Group Policy Object Created - Rule", "ESCU - Windows Default Group Policy Object Modified - Rule", "ESCU - Windows Default Group Policy Object Modified with GPME - Rule", "ESCU - Windows Group Policy Object Created - Rule", "ESCU - Windows Security Support Provider Reg Query - Rule", "ESCU - Windows AD Replication Service Traffic - Rule", "ESCU - Windows AD Rogue Domain Controller Network Activity - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Mauricio Velazco, Splunk", "author_name": "Dean Luxton", "detections": [{"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Windows AD AdminSDHolder ACL Modified", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Windows AD Cross Domain SID History Addition", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "SID-History Injection"}, {"mitre_attack_technique": "Access Token Manipulation"}]}, {"name": "Windows AD Domain Controller Audit Policy Disabled", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}]}, {"name": "Windows AD Domain Controller Promotion", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Rogue Domain Controller"}]}, {"name": "Windows AD Domain Replication ACL Addition", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain or Tenant Policy Modification"}]}, {"name": "Windows AD DSRM Account Changes", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}]}, {"name": "Windows AD DSRM Password Reset", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}]}, {"name": "Windows AD Privileged Account SID History Addition", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "SID-History Injection"}, {"mitre_attack_technique": "Access Token Manipulation"}]}, {"name": "Windows AD Replication Request Initiated by User Account", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "DCSync"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Windows AD Replication Request Initiated from Unsanctioned Location", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "DCSync"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Windows AD Same Domain SID History Addition", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "SID-History Injection"}, {"mitre_attack_technique": "Access Token Manipulation"}]}, {"name": "Windows AD ServicePrincipalName Added To Domain Account", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}]}, {"name": "Windows AD Short Lived Domain Account ServicePrincipalName", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}]}, {"name": "Windows AD Short Lived Domain Controller SPN Attribute", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Rogue Domain Controller"}]}, {"name": "Windows AD Short Lived Server Object", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Rogue Domain Controller"}]}, {"name": "Windows AD SID History Attribute Modified", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Access Token Manipulation"}, {"mitre_attack_technique": "SID-History Injection"}]}, {"name": "Windows Admon Default Group Policy Object Modified", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain or Tenant Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}]}, {"name": "Windows Admon Group Policy Object Created", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain or Tenant Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}]}, {"name": "Windows Default Group Policy Object Modified", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain or Tenant Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}]}, {"name": "Windows Default Group Policy Object Modified with GPME", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain or Tenant Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}]}, {"name": "Windows Group Policy Object Created", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain or Tenant Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}, {"mitre_attack_technique": "Domain Accounts"}]}, {"name": "Windows Security Support Provider Reg Query", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Security Support Provider"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Windows AD Replication Service Traffic", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "DCSync"}, {"mitre_attack_technique": "Rogue Domain Controller"}]}, {"name": "Windows AD Rogue Domain Controller Network Activity", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Rogue Domain Controller"}]}]}, {"name": "Spearphishing Attachments", "author": "Splunk Research Team, Splunk", "date": "2019-04-29", "version": 1, "id": "57226b40-94f3-4ce5-b101-a75f67759c27", "description": "Detect signs of malicious payloads that may indicate that your environment has been breached via a phishing attack.", "references": ["https://www.fireeye.com/blog/threat-research/2019/04/spear-phishing-campaign-targets-ukraine-government.html"], "narrative": "Despite its simplicity, phishing remains the most pervasive and dangerous cyberthreat. In fact, research shows that as many as [91% of all successful attacks](https://digitalguardian.com/blog/91-percent-cyber-attacks-start-phishing-email-heres-how-protect-against-phishing) are initiated via a phishing email.\nAs most people know, these emails use fraudulent domains, [email scraping](https://www.cyberscoop.com/emotet-trojan-phishing-scraping-templates-cofense-geodo/), familiar contact names inserted as senders, and other tactics to lure targets into clicking a malicious link, opening an attachment with a [nefarious payload](https://www.cyberscoop.com/emotet-trojan-phishing-scraping-templates-cofense-geodo/), or entering sensitive personal information that perpetrators may intercept. This attack technique requires a relatively low level of skill and allows adversaries to easily cast a wide net. Worse, because its success relies on the gullibility of humans, it's impossible to completely \"automate\" it out of your environment. However, you can use ES and ESCU to detect and investigate potentially malicious payloads injected into your environment subsequent to a phishing attack.\nWhile any kind of file may contain a malicious payload, some are more likely to be perceived as benign (and thus more often escape notice) by the average victim—especially when the attacker sends an email that seems to be from one of their contacts. An example is Microsoft Office files. Most corporate users are familiar with documents with the following suffixes: .doc/.docx (MS Word), .xls/.xlsx (MS Excel), and .ppt/.pptx (MS PowerPoint), so they may click without a second thought, slashing a hole in their organizations' security.\nFollowing is a typical series of events, according to an [article by Trend Micro](https://blog.trendmicro.com/trendlabs-security-intelligence/rising-trend-attackers-using-lnk-files-download-malware/):\n1. Attacker sends a phishing email. Recipient downloads the attached file, which is typically a .docx or .zip file with an embedded .lnk file\n1. The .lnk file executes a PowerShell script\n1. Powershell executes a reverse shell, rendering the exploit successful As a side note, adversaries are likely to use a tool like Empire to craft and obfuscate payloads and their post-injection activities, such as [exfiltration, lateral movement, and persistence](https://github.com/EmpireProject/Empire).\nThis Analytic Story focuses on detecting signs that a malicious payload has been injected into your environment. For example, one search detects outlook.exe writing a .zip file. Another looks for suspicious .lnk files launching processes.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1036.002", "mitre_attack_technique": "Right-to-Left Override", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["BRONZE BUTLER", "BlackTech", "Ferocious Kitten", "Ke3chang", "Scarlet Mimic"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1564.006", "mitre_attack_technique": "Run Virtual Instance", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1566.002", "mitre_attack_technique": "Spearphishing Link", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1564.003", "mitre_attack_technique": "Hidden Window", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "CopyKittens", "DarkHydrus", "Deep Panda", "Gamaredon Group", "Gorgon Group", "Higaisa", "Kimsuky", "Magic Hound", "Nomadic Octopus", "ToddyCat"]}, {"mitre_attack_id": "T1204.001", "mitre_attack_technique": "Malicious Link", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Execution", "Credential Access", "Initial Access", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Delivery", "Exploitation"]}, "detection_names": ["ESCU - Gdrive suspicious file sharing - Rule", "ESCU - Gsuite suspicious calendar invite - Rule", "ESCU - Detect Outlook exe writing a zip file - Rule", "ESCU - Detect RTLO In File Name - Rule", "ESCU - Detect RTLO In Process - Rule", "ESCU - Excel Spawning PowerShell - Rule", "ESCU - Excel Spawning Windows Script Host - Rule", "ESCU - MSHTML Module Load in Office Product - Rule", "ESCU - Office Application Spawn rundll32 process - Rule", "ESCU - Office Document Creating Schedule Task - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Document Spawned Child Process To Download - Rule", "ESCU - Office Product Spawning BITSAdmin - Rule", "ESCU - Office Product Spawning CertUtil - Rule", "ESCU - Office Product Spawning MSHTA - Rule", "ESCU - Office Product Spawning Rundll32 with no DLL - Rule", "ESCU - Office Product Spawning Windows Script Host - Rule", "ESCU - Office Product Spawning Wmic - Rule", "ESCU - Office Product Writing cab or inf - Rule", "ESCU - Office Spawning Control - Rule", "ESCU - Process Creating LNK file in Suspicious Location - Rule", "ESCU - Windows ConHost with Headless Argument - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Office Product Spawning MSDT - Rule", "ESCU - Windows Phishing PDF File Executes URL Link - Rule", "ESCU - Windows Spearphishing Attachment Connect To None MS Office Domain - Rule", "ESCU - Windows Spearphishing Attachment Onenote Spawn Mshta - Rule", "ESCU - Winword Spawning Cmd - Rule", "ESCU - Winword Spawning PowerShell - Rule", "ESCU - Winword Spawning Windows Script Host - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Splunk Research Team", "detections": [{"name": "Gdrive suspicious file sharing", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Phishing"}]}, {"name": "Gsuite suspicious calendar invite", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Phishing"}]}, {"name": "Detect Outlook exe writing a zip file", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Detect RTLO In File Name", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Right-to-Left Override"}, {"mitre_attack_technique": "Masquerading"}]}, {"name": "Detect RTLO In Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Right-to-Left Override"}, {"mitre_attack_technique": "Masquerading"}]}, {"name": "Excel Spawning PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Excel Spawning Windows Script Host", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "MSHTML Module Load in Office Product", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Application Spawn rundll32 process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Document Creating Schedule Task", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Document Spawned Child Process To Download", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawning BITSAdmin", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawning CertUtil", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawning MSHTA", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawning Rundll32 with no DLL", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawning Windows Script Host", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawning Wmic", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Writing cab or inf", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Spawning Control", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Process Creating LNK file in Suspicious Location", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Link"}]}, {"name": "Windows ConHost with Headless Argument", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Hidden Window"}, {"mitre_attack_technique": "Run Virtual Instance"}]}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Malicious Link"}, {"mitre_attack_technique": "User Execution"}]}, {"name": "Windows Office Product Spawning MSDT", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Windows Phishing PDF File Executes URL Link", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}, {"name": "Windows Spearphishing Attachment Connect To None MS Office Domain", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}, {"name": "Windows Spearphishing Attachment Onenote Spawn Mshta", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}, {"name": "Winword Spawning Cmd", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Winword Spawning PowerShell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Winword Spawning Windows Script Host", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}]}, {"name": "Splunk Vulnerabilities", "author": "Lou Stella,Rod Soto, Eric McGinnis, Splunk", "date": "2024-01-22", "version": 1, "id": "5354df00-dce2-48ac-9a64-8adb48006828", "description": "Keeping your Splunk Enterprise deployment up to date is critical and will help you reduce the risk associated with vulnerabilities in the product.", "references": ["https://www.splunk.com/en_us/product-security/announcements.html"], "narrative": "This analytic story includes detections that focus on attacker behavior targeted at your Splunk environment directly.", "tags": {"category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Application Security", "mitre_attack_enrichments": [{"mitre_attack_id": "T1499", "mitre_attack_technique": "Endpoint Denial of Service", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Sandworm Team"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1212", "mitre_attack_technique": "Exploitation for Credential Access", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1210", "mitre_attack_technique": "Exploitation of Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "Dragonfly", "Earth Lusca", "FIN7", "Fox Kitten", "MuddyWater", "Threat Group-3390", "Tonto Team", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1499.004", "mitre_attack_technique": "Application or System Exploitation", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "Mustard Tempest", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}, {"mitre_attack_id": "T1567", "mitre_attack_technique": "Exfiltration Over Web Service", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT28", "Magic Hound"]}, {"mitre_attack_id": "T1587.003", "mitre_attack_technique": "Digital Certificates", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29", "PROMETHIUM"]}, {"mitre_attack_id": "T1498", "mitre_attack_technique": "Network Denial of Service", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1202", "mitre_attack_technique": "Indirect Command Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1082", "mitre_attack_technique": "System Information Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT19", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "Blue Mockingbird", "Chimera", "Confucius", "Darkhotel", "FIN13", "FIN8", "Gamaredon Group", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Malteiro", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Sowbug", "Stealth Falcon", "TA2541", "TeamTNT", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Windigo", "Windshift", "Wizard Spider", "ZIRCONIUM", "admin@338"]}, {"mitre_attack_id": "T1083", "mitre_attack_technique": "File and Directory Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT28", "APT3", "APT32", "APT38", "APT39", "APT41", "APT5", "Aoqin Dragon", "BRONZE BUTLER", "Chimera", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN13", "Fox Kitten", "Gamaredon Group", "HAFNIUM", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leafminer", "LuminousMoth", "Magic Hound", "MuddyWater", "Mustang Panda", "Patchwork", "Sandworm Team", "Scattered Spider", "Sidewinder", "Sowbug", "TeamTNT", "ToddyCat", "Tropic Trooper", "Turla", "Windigo", "Winnti Group", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1654", "mitre_attack_technique": "Log Enumeration", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT5", "Volt Typhoon"]}, {"mitre_attack_id": "T1027.006", "mitre_attack_technique": "HTML Smuggling", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1588.004", "mitre_attack_technique": "Digital Certificates", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["BlackTech", "Lazarus Group", "LuminousMoth", "Silent Librarian"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1001.003", "mitre_attack_technique": "Protocol Impersonation", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Higaisa", "Lazarus Group"]}], "mitre_attack_tactics": ["Command And Control", "Initial Access", "Exfiltration", "Resource Development", "Discovery", "Credential Access", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Impact", "Lateral Movement"], "datamodels": ["Splunk_Audit", "Web"], "kill_chain_phases": ["Delivery", "Exploitation", "Actions on Objectives", "Installation", "Weaponization", "Command and Control"]}, "detection_names": ["ESCU - Detect Risky SPL using Pretrained ML Model - Rule", "ESCU - Path traversal SPL injection - Rule", "ESCU - Persistent XSS in RapidDiag through User Interface Views - Rule", "ESCU - Splunk Absolute Path Traversal Using runshellscript - Rule", "ESCU - Splunk Account Discovery Drilldown Dashboard Disclosure - Rule", "ESCU - Splunk App for Lookup File Editing RCE via User XSLT - Rule", "ESCU - Splunk Authentication Token Exposure in Debug Log - Rule", "ESCU - Splunk Code Injection via custom dashboard leading to RCE - Rule", "ESCU - Splunk Command and Scripting Interpreter Delete Usage - Rule", "ESCU - Splunk Command and Scripting Interpreter Risky Commands - Rule", "ESCU - Splunk Command and Scripting Interpreter Risky SPL MLTK - Rule", "ESCU - Splunk csrf in the ssg kvstore client endpoint - Rule", "ESCU - Splunk Data exfiltration from Analytics Workspace using sid query - Rule", "ESCU - Splunk Digital Certificates Infrastructure Version - Rule", "ESCU - Splunk Digital Certificates Lack of Encryption - Rule", "ESCU - Splunk DoS Using Malformed SAML Request - Rule", "ESCU - Splunk DOS Via Dump SPL Command - Rule", "ESCU - Splunk DoS via Malformed S2S Request - Rule", "ESCU - Splunk DOS via printf search function - Rule", "ESCU - Splunk Edit User Privilege Escalation - Rule", "ESCU - Splunk Endpoint Denial of Service DoS Zip Bomb - Rule", "ESCU - Splunk Enterprise KV Store Incorrect Authorization - Rule", "ESCU - Splunk Enterprise Windows Deserialization File Partition - Rule", "ESCU - Splunk ES DoS Investigations Manager via Investigation Creation - Rule", "ESCU - Splunk ES DoS Through Investigation Attachments - Rule", "ESCU - Splunk HTTP Response Splitting Via Rest SPL Command - Rule", "ESCU - Splunk Improperly Formatted Parameter Crashes splunkd - Rule", "ESCU - Splunk Information Disclosure in Splunk Add-on Builder - Rule", "ESCU - Splunk list all nonstandard admin accounts - Rule", "ESCU - Splunk Low Privilege User Can View Hashed Splunk Password - Rule", "ESCU - Splunk Path Traversal In Splunk App For Lookup File Edit - Rule", "ESCU - Splunk Persistent XSS Via URL Validation Bypass W Dashboard - Rule", "ESCU - Splunk Process Injection Forwarder Bundle Downloads - Rule", "ESCU - Splunk Protocol Impersonation Weak Encryption Configuration - Rule", "ESCU - Splunk protocol impersonation weak encryption selfsigned - Rule", "ESCU - Splunk protocol impersonation weak encryption simplerequest - Rule", "ESCU - Splunk RBAC Bypass On Indexing Preview REST Endpoint - Rule", "ESCU - Splunk RCE via Serialized Session Payload - Rule", "ESCU - Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature - Rule", "ESCU - Splunk RCE via User XSLT - Rule", "ESCU - Splunk Reflected XSS in the templates lists radio - Rule", "ESCU - Splunk Reflected XSS on App Search Table Endpoint - Rule", "ESCU - Splunk risky Command Abuse disclosed february 2023 - Rule", "ESCU - Splunk Stored XSS via Data Model objectName field - Rule", "ESCU - Splunk Unauthenticated Log Injection Web Service Log - Rule", "ESCU - Splunk unnecessary file extensions allowed by lookup table uploads - Rule", "ESCU - Splunk User Enumeration Attempt - Rule", "ESCU - Splunk XSS in Highlighted JSON Events - Rule", "ESCU - Splunk XSS in Monitoring Console - Rule", "ESCU - Splunk XSS in Save table dialog header in search page - Rule", "ESCU - Splunk XSS via View - Rule", "ESCU - Open Redirect in Splunk Web - Rule", "ESCU - Splunk Enterprise Information Disclosure - Rule", "ESCU - Splunk Identified SSL TLS Certificates - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Rod Soto, Eric McGinnis, Splunk", "author_name": "Lou Stella", "detections": [{"name": "Detect Risky SPL using Pretrained ML Model", "source": "application", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Path traversal SPL injection", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "File and Directory Discovery"}]}, {"name": "Persistent XSS in RapidDiag through User Interface Views", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Drive-by Compromise"}]}, {"name": "Splunk Absolute Path Traversal Using runshellscript", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "File and Directory Discovery"}]}, {"name": "Splunk Account Discovery Drilldown Dashboard Disclosure", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Discovery"}]}, {"name": "Splunk App for Lookup File Editing RCE via User XSLT", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Exploitation of Remote Services"}]}, {"name": "Splunk Authentication Token Exposure in Debug Log", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Log Enumeration"}]}, {"name": "Splunk Code Injection via custom dashboard leading to RCE", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Exploitation of Remote Services"}]}, {"name": "Splunk Command and Scripting Interpreter Delete Usage", "source": "application", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Splunk Command and Scripting Interpreter Risky Commands", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Splunk Command and Scripting Interpreter Risky SPL MLTK", "source": "application", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Splunk csrf in the ssg kvstore client endpoint", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Drive-by Compromise"}]}, {"name": "Splunk Data exfiltration from Analytics Workspace using sid query", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Exfiltration Over Web Service"}]}, {"name": "Splunk Digital Certificates Infrastructure Version", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Digital Certificates"}]}, {"name": "Splunk Digital Certificates Lack of Encryption", "source": "application", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Digital Certificates"}]}, {"name": "Splunk DoS Using Malformed SAML Request", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Network Denial of Service"}]}, {"name": "Splunk DOS Via Dump SPL Command", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Application or System Exploitation"}]}, {"name": "Splunk DoS via Malformed S2S Request", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Network Denial of Service"}]}, {"name": "Splunk DOS via printf search function", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Application or System Exploitation"}]}, {"name": "Splunk Edit User Privilege Escalation", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Splunk Endpoint Denial of Service DoS Zip Bomb", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Endpoint Denial of Service"}]}, {"name": "Splunk Enterprise KV Store Incorrect Authorization", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Splunk Enterprise Windows Deserialization File Partition", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}, {"name": "Splunk ES DoS Investigations Manager via Investigation Creation", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Endpoint Denial of Service"}]}, {"name": "Splunk ES DoS Through Investigation Attachments", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Endpoint Denial of Service"}]}, {"name": "Splunk HTTP Response Splitting Via Rest SPL Command", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "HTML Smuggling"}]}, {"name": "Splunk Improperly Formatted Parameter Crashes splunkd", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Endpoint Denial of Service"}]}, {"name": "Splunk Information Disclosure in Splunk Add-on Builder", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Information Discovery"}]}, {"name": "Splunk list all nonstandard admin accounts", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Drive-by Compromise"}]}, {"name": "Splunk Low Privilege User Can View Hashed Splunk Password", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Exploitation for Credential Access"}]}, {"name": "Splunk Path Traversal In Splunk App For Lookup File Edit", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "File and Directory Discovery"}]}, {"name": "Splunk Persistent XSS Via URL Validation Bypass W Dashboard", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Drive-by Compromise"}]}, {"name": "Splunk Process Injection Forwarder Bundle Downloads", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Splunk Protocol Impersonation Weak Encryption Configuration", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Protocol Impersonation"}]}, {"name": "Splunk protocol impersonation weak encryption selfsigned", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Digital Certificates"}]}, {"name": "Splunk protocol impersonation weak encryption simplerequest", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Digital Certificates"}]}, {"name": "Splunk RBAC Bypass On Indexing Preview REST Endpoint", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Access Token Manipulation"}]}, {"name": "Splunk RCE via Serialized Session Payload", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}, {"name": "Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Exploitation of Remote Services"}]}, {"name": "Splunk RCE via User XSLT", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Exploitation of Remote Services"}]}, {"name": "Splunk Reflected XSS in the templates lists radio", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Drive-by Compromise"}]}, {"name": "Splunk Reflected XSS on App Search Table Endpoint", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Drive-by Compromise"}]}, {"name": "Splunk risky Command Abuse disclosed february 2023", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}, {"mitre_attack_technique": "Indirect Command Execution"}]}, {"name": "Splunk Stored XSS via Data Model objectName field", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Drive-by Compromise"}]}, {"name": "Splunk Unauthenticated Log Injection Web Service Log", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}, {"name": "Splunk unnecessary file extensions allowed by lookup table uploads", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Drive-by Compromise"}]}, {"name": "Splunk User Enumeration Attempt", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "Splunk XSS in Highlighted JSON Events", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Drive-by Compromise"}]}, {"name": "Splunk XSS in Monitoring Console", "source": "application", "type": "TTP", "tags": [{"mitre_attack_technique": "Drive-by Compromise"}]}, {"name": "Splunk XSS in Save table dialog header in search page", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Drive-by Compromise"}]}, {"name": "Splunk XSS via View", "source": "application", "type": "Hunting", "tags": [{"mitre_attack_technique": "Drive-by Compromise"}]}, {"name": "Open Redirect in Splunk Web", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Splunk Enterprise Information Disclosure", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Splunk Identified SSL TLS Certificates", "source": "network", "type": "Hunting", "tags": [{"mitre_attack_technique": "Network Sniffing"}]}]}, {"name": "Spring4Shell CVE-2022-22965", "author": "Michael Haag, Splunk", "date": "2022-04-05", "version": 1, "id": "dcc19913-6918-4ed2-bbba-a6b484c10ef4", "description": "Spring4Shell is the nickname given to a zero-day vulnerability in the Spring Core Framework, a programming and configuration model for Java-based enterprise applications.", "references": ["https://www.tenable.com/blog/spring4shell-faq-spring-framework-remote-code-execution-vulnerability"], "narrative": "An attacker could exploit Spring4Shell by sending a specially crafted request to a vulnerable server. However, exploitation of Spring4Shell requires certain prerequisites, whereas the original Log4Shell vulnerability affected all versions of Log4j 2 using the default configuration.\nAccording to Spring, the following requirements were included in the vulnerability report, however the post cautions that there may be other ways in which this can be exploited so this may not be a complete list of requirements at this time:\n- Java Development Kit (JDK) 9 or greater\n- Apache Tomcat as the Servlet container\n- Packaged as a WAR\n- spring-webmvc or spring-webflux dependency\n", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Application Security", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "APT5", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Persistence", "Initial Access"], "datamodels": ["Web", "Endpoint"], "kill_chain_phases": ["Installation", "Delivery"]}, "detection_names": ["ESCU - Java Writing JSP File - Rule", "ESCU - Linux Java Spawning Shell - Rule", "ESCU - Spring4Shell Payload URL Request - Rule", "ESCU - Web JSP Request via URL - Rule", "ESCU - Web Spring4Shell HTTP Request Class Module - Rule", "ESCU - Web Spring Cloud Function FunctionRouter - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Java Writing JSP File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Linux Java Spawning Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Spring4Shell Payload URL Request", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Web JSP Request via URL", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Web Spring4Shell HTTP Request Class Module", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Web Spring Cloud Function FunctionRouter", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}]}, {"name": "SQL Injection", "author": "Bhavin Patel, Splunk", "date": "2017-09-19", "version": 1, "id": "4f6632f5-449c-4686-80df-57625f59bab3", "description": "Use the searches in this Analytic Story to help you detect structured query language (SQL) injection attempts characterized by long URLs that contain malicious parameters.", "references": ["https://capec.mitre.org/data/definitions/66.html", "https://www.incapsula.com/web-application-security/sql-injection.html"], "narrative": "It is very common for attackers to inject SQL parameters into vulnerable web applications, which then interpret the malicious SQL statements.\nThis Analytic Story contains a search designed to identify attempts by attackers to leverage this technique to compromise a host and gain a foothold in the target environment.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - SQL Injection with Long URLs - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "SQL Injection with Long URLs", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}]}, {"name": "Subvert Trust Controls SIP and Trust Provider Hijacking", "author": "Michael Haag, Splunk", "date": "2023-10-10", "version": 1, "id": "7faf91b6-532a-4f18-807c-b2761e90b6dc", "description": "Adversaries may tamper with SIP and trust provider components to mislead the operating system and application control tools when conducting signature validation checks. This technique involves modifying the Dll and FuncName Registry values that point to the dynamic link library (DLL) providing a SIP's function, which retrieves an encoded digital certificate from a signed file. By pointing to a maliciously-crafted DLL with an exported function that always returns a known good signature value, an adversary can apply an acceptable signature value to all files using that SIP. This can also enable persistent code execution, since these malicious components may be invoked by any application that performs code signing or signature validation.", "references": ["https://attack.mitre.org/techniques/T1553/003/", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_sip_persistence.yml", "https://specterops.io/wp-content/uploads/sites/3/2022/06/SpecterOps_Subverting_Trust_in_Windows.pdf", "https://github.com/gtworek/PSBits/tree/master/SIP", "https://github.com/mattifestation/PoCSubjectInterfacePackage", "https://pentestlab.blog/2017/11/06/hijacking-digital-signatures/"], "narrative": "In user mode, Windows Authenticode digital signatures are used to verify a file's origin and integrity, variables that may be used to establish trust in signed code. The signature validation process is handled via the WinVerifyTrust application programming interface (API) function, which accepts an inquiry and coordinates with the appropriate trust provider, which is responsible for validating parameters of a signature. Because of the varying executable file types and corresponding signature formats, Microsoft created software components called Subject Interface Packages (SIPs) to provide a layer of abstraction between API functions and files. SIPs are responsible for enabling API functions to create, retrieve, calculate, and verify signatures. Unique SIPs exist for most file formats and are identified by globally unique identifiers (GUIDs). Adversaries may hijack SIP and trust provider components to mislead operating system and application control tools to classify malicious (or any) code as signed.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1553.003", "mitre_attack_technique": "SIP and Trust Provider Hijacking", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Windows Registry SIP Provider Modification - Rule", "ESCU - Windows SIP Provider Inventory - Rule", "ESCU - Windows SIP WinVerifyTrust Failed Trust Validation - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Registry SIP Provider Modification", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "SIP and Trust Provider Hijacking"}]}, {"name": "Windows SIP Provider Inventory", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "SIP and Trust Provider Hijacking"}]}, {"name": "Windows SIP WinVerifyTrust Failed Trust Validation", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "SIP and Trust Provider Hijacking"}]}]}, {"name": "Suspicious AWS Login Activities", "author": "Bhavin Patel, Splunk", "date": "2019-05-01", "version": 1, "id": "2e8948a5-5239-406b-b56b-6c59f1268af3", "description": "Monitor your AWS authentication events using your CloudTrail logs. Searches within this Analytic Story will help you stay aware of and investigate suspicious logins. ", "references": ["https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html"], "narrative": "It is important to monitor and control who has access to your AWS infrastructure. Detecting suspicious logins to your AWS infrastructure will provide good starting points for investigations. Abusive behaviors caused by compromised credentials can lead to direct monetary costs, as you will be billed for any EC2 instances created by the attacker.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Resource Development", "Defense Evasion"], "datamodels": ["Authentication"], "kill_chain_phases": ["Weaponization", "Exploitation"]}, "detection_names": ["ESCU - AWS Successful Console Authentication From Multiple IPs - Rule", "ESCU - Detect AWS Console Login by User from New City - Rule", "ESCU - Detect AWS Console Login by User from New Country - Rule", "ESCU - Detect AWS Console Login by User from New Region - Rule", "ESCU - Detect new user AWS Console Login - Rule"], "investigation_names": ["AWS Investigate User Activities By ARN"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "AWS Successful Console Authentication From Multiple IPs", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}, {"name": "Detect AWS Console Login by User from New City", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}, {"name": "Detect AWS Console Login by User from New Country", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}, {"name": "Detect AWS Console Login by User from New Region", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}, {"name": "Detect new user AWS Console Login", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "Cloud Accounts"}]}]}, {"name": "Suspicious AWS S3 Activities", "author": "Bhavin Patel, Splunk", "date": "2023-04-24", "version": 3, "id": "66732346-8fb0-407b-9633-da16756567d6", "description": "Use the searches in this Analytic Story using Cloudtrail logs to to monitor your AWS S3 buckets for evidence of anomalous activity and suspicious behaviors, such as detecting open S3 buckets and buckets being accessed from a new IP, permission and policy updates to the bucket, potential misuse of other services leading to data being leaked.", "references": ["https://github.com/nagwww/s3-leaks", "https://www.tripwire.com/state-of-security/security-data-protection/cloud/public-aws-s3-buckets-writable/"], "narrative": "One of the most common ways that attackers attempt to steal data from S3 is by gaining unauthorized access to S3 buckets and copying or exfiltrating data to external locations.\nHowever, suspicious S3 activities can refer to any unusual behavior detected within an Amazon Web Services (AWS) Simple Storage Service (S3) bucket, including unauthorized access, unusual data transfer patterns, and access attempts from unknown IP addresses.\nIt is important for organizations to regularly monitor S3 activities for suspicious behavior and implement security best practices, such as using access controls, encryption, and strong authentication mechanisms, to protect sensitive data stored within S3 buckets. By staying vigilant and taking proactive measures, organizations can help prevent potential security breaches and minimize the impact of attacks if they do occur.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1530", "mitre_attack_technique": "Data from Cloud Storage", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Fox Kitten", "Scattered Spider"]}, {"mitre_attack_id": "T1119", "mitre_attack_technique": "Automated Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "Chimera", "Confucius", "FIN5", "FIN6", "Gamaredon Group", "Ke3chang", "Mustang Panda", "OilRig", "Patchwork", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1537", "mitre_attack_technique": "Transfer Data to Cloud Account", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Impact", "Exfiltration", "Collection"], "datamodels": [], "kill_chain_phases": ["Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - AWS Disable Bucket Versioning - Rule", "ESCU - AWS Exfiltration via Bucket Replication - Rule", "ESCU - AWS Exfiltration via DataSync Task - Rule", "ESCU - Detect New Open S3 buckets - Rule", "ESCU - Detect New Open S3 Buckets over AWS CLI - Rule", "ESCU - Detect S3 access from a new IP - Rule", "ESCU - Detect Spike in S3 Bucket deletion - Rule"], "investigation_names": ["AWS Investigate User Activities By ARN", "AWS S3 Bucket details via bucketName", "Get All AWS Activity From IP Address", "Get Notable History", "Investigate AWS activities via region name"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "AWS Disable Bucket Versioning", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "AWS Exfiltration via Bucket Replication", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}, {"name": "AWS Exfiltration via DataSync Task", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Automated Collection"}]}, {"name": "Detect New Open S3 buckets", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Data from Cloud Storage"}]}, {"name": "Detect New Open S3 Buckets over AWS CLI", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Data from Cloud Storage"}]}, {"name": "Detect S3 access from a new IP", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data from Cloud Storage"}]}, {"name": "Detect Spike in S3 Bucket deletion", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data from Cloud Storage"}]}]}, {"name": "Suspicious AWS Traffic", "author": "Bhavin Patel, Splunk", "date": "2018-05-07", "version": 1, "id": "2e8948a5-5239-406b-b56b-6c50f2168af3", "description": "Leverage these searches to monitor your AWS network traffic for evidence of anomalous activity and suspicious behaviors, such as a spike in blocked outbound traffic in your virtual private cloud (VPC).", "references": ["https://rhinosecuritylabs.com/aws/hiding-cloudcobalt-strike-beacon-c2-using-amazon-apis/"], "narrative": "A virtual private cloud (VPC) is an on-demand managed cloud-computing service that isolates computing resources for each client. Inside the VPC container, the environment resembles a physical network.\nAmazon's VPC service enables you to launch EC2 instances and leverage other Amazon resources. The traffic that flows in and out of this VPC can be controlled via network access-control rules and security groups. Amazon also has a feature called VPC Flow Logs that enables you to log IP traffic going to and from the network interfaces in your VPC. This data is stored using Amazon CloudWatch Logs.\nAttackers may abuse the AWS infrastructure with insecure VPCs so they can co-opt AWS resources for command-and-control nodes, data exfiltration, and more. Once an EC2 instance is compromised, an attacker may initiate outbound network connections for malicious reasons. Monitoring these network traffic behaviors is crucial for understanding the type of traffic flowing in and out of your network and to alert you to suspicious activities.\nThe searches in this Analytic Story will monitor your AWS network traffic for evidence of anomalous activity and suspicious behaviors.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Spike in blocked Outbound Traffic from your AWS - Rule"], "investigation_names": ["AWS Investigate User Activities By ARN", "AWS Network ACL Details from ID", "AWS Network Interface details via resourceId", "Get All AWS Activity From IP Address", "Get DNS Server History for a host", "Get DNS traffic ratio", "Get Notable History", "Get Process Info", "Get Process Information For Port Activity", "Get Process Responsible For The DNS Traffic"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect Spike in blocked Outbound Traffic from your AWS", "source": "cloud", "type": "Anomaly", "tags": []}]}, {"name": "Suspicious Cloud Authentication Activities", "author": "Rico Valdez, Splunk", "date": "2020-06-04", "version": 1, "id": "6380ebbb-55c5-4fce-b754-01fd565fb73c", "description": "Monitor your cloud authentication events. Searches within this Analytic Story leverage the recent cloud updates to the Authentication data model to help you stay aware of and investigate suspicious login activity. ", "references": ["https://aws.amazon.com/blogs/security/aws-cloudtrail-now-tracks-cross-account-activity-to-its-origin/", "https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html"], "narrative": "It is important to monitor and control who has access to your cloud infrastructure. Detecting suspicious logins will provide good starting points for investigations. Abusive behaviors caused by compromised credentials can lead to direct monetary costs, as you will be billed for any compute activity whether legitimate or otherwise.\nThis Analytic Story has data model versions of cloud searches leveraging Authentication data, including those looking for suspicious login activity, and cross-account activity for AWS.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Resource Development", "Credential Access", "Defense Evasion"], "datamodels": ["Authentication"], "kill_chain_phases": ["Weaponization", "Exploitation"]}, "detection_names": ["ESCU - AWS Cross Account Activity From Previously Unseen Account - Rule", "ESCU - Detect AWS Console Login by New User - Rule", "ESCU - Detect AWS Console Login by User from New City - Rule", "ESCU - Detect AWS Console Login by User from New Country - Rule", "ESCU - Detect AWS Console Login by User from New Region - Rule"], "investigation_names": ["Get Notable History", "Investigate AWS User Activities by user field"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "AWS Cross Account Activity From Previously Unseen Account", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Detect AWS Console Login by New User", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unsecured Credentials"}]}, {"name": "Detect AWS Console Login by User from New City", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}, {"name": "Detect AWS Console Login by User from New Country", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}, {"name": "Detect AWS Console Login by User from New Region", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}]}, {"name": "Suspicious Cloud Instance Activities", "author": "David Dorsey, Splunk", "date": "2020-08-25", "version": 1, "id": "8168ca88-392e-42f4-85a2-767579c660ce", "description": "Monitor your cloud infrastructure provisioning activities for behaviors originating from unfamiliar or unusual locations. These behaviors may indicate that malicious activities are occurring somewhere within your cloud environment.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "narrative": "Monitoring your cloud infrastructure logs allows you enable governance, compliance, and risk auditing. It is crucial for a company to monitor events and actions taken in the their cloud environments to ensure that your instances are not vulnerable to attacks. This Analytic Story identifies suspicious activities in your cloud compute instances and helps you respond and investigate those activities.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1537", "mitre_attack_technique": "Transfer Data to Cloud Account", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Exfiltration", "Initial Access", "Privilege Escalation", "Persistence", "Defense Evasion"], "datamodels": ["Risk", "Change"], "kill_chain_phases": ["Installation", "Delivery", "Actions on Objectives", "Exploitation"]}, "detection_names": ["ESCU - Abnormally High Number Of Cloud Instances Destroyed - Rule", "ESCU - Abnormally High Number Of Cloud Instances Launched - Rule", "ESCU - AWS AMI Attribute Modification for Exfiltration - Rule", "ESCU - AWS EC2 Snapshot Shared Externally - Rule", "ESCU - AWS Exfiltration via EC2 Snapshot - Rule", "ESCU - AWS S3 Exfiltration Behavior Identified - Rule", "ESCU - Cloud Instance Modified By Previously Unseen User - Rule"], "investigation_names": ["AWS Investigate User Activities By ARN", "Get All AWS Activity From IP Address"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Abnormally High Number Of Cloud Instances Destroyed", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}, {"name": "Abnormally High Number Of Cloud Instances Launched", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}, {"name": "AWS AMI Attribute Modification for Exfiltration", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}, {"name": "AWS EC2 Snapshot Shared Externally", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}, {"name": "AWS Exfiltration via EC2 Snapshot", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}, {"name": "AWS S3 Exfiltration Behavior Identified", "source": "cloud", "type": "Correlation", "tags": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}, {"name": "Cloud Instance Modified By Previously Unseen User", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}]}, {"name": "Suspicious Cloud Provisioning Activities", "author": "David Dorsey, Splunk", "date": "2018-08-20", "version": 1, "id": "51045ded-1575-4ba6-aef7-af6c73cffd86", "description": "Monitor your cloud infrastructure provisioning activities for behaviors originating from unfamiliar or unusual locations. These behaviors may indicate that malicious activities are occurring somewhere within your cloud environment.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "narrative": "Because most enterprise cloud infrastructure activities originate from familiar geographic locations, monitoring for activity from unknown or unusual regions is an important security measure. This indicator can be especially useful in environments where it is impossible to add specific IPs to an allow list because they vary.\nThis Analytic Story was designed to provide you with flexibility in the precision you employ in specifying legitimate geographic regions. It can be as specific as an IP address or a city, or as broad as a region (think state) or an entire country. By determining how precise you want your geographical locations to be and monitoring for new locations that haven't previously accessed your environment, you can detect adversaries as they begin to probe your environment. Since there are legitimate reasons for activities from unfamiliar locations, this is not a standalone indicator. Nevertheless, location can be a relevant piece of information that you may wish to investigate further.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Persistence", "Privilege Escalation", "Initial Access", "Defense Evasion"], "datamodels": ["Change"], "kill_chain_phases": ["Installation", "Delivery", "Exploitation"]}, "detection_names": ["ESCU - Cloud Provisioning Activity From Previously Unseen City - Rule", "ESCU - Cloud Provisioning Activity From Previously Unseen Country - Rule", "ESCU - Cloud Provisioning Activity From Previously Unseen IP Address - Rule", "ESCU - Cloud Provisioning Activity From Previously Unseen Region - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Cloud Provisioning Activity From Previously Unseen City", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "Cloud Provisioning Activity From Previously Unseen Country", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "Cloud Provisioning Activity From Previously Unseen IP Address", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "Cloud Provisioning Activity From Previously Unseen Region", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}]}, {"name": "Suspicious Cloud User Activities", "author": "David Dorsey, Splunk", "date": "2020-09-04", "version": 1, "id": "1ed5ce7d-5469-4232-92af-89d1a3595b39", "description": "Detect and investigate suspicious activities by users and roles in your cloud environments.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf", "https://redlock.io/blog/cryptojacking-tesla"], "narrative": "It seems obvious that it is critical to monitor and control the users who have access to your cloud infrastructure. Nevertheless, it's all too common for enterprises to lose track of ad-hoc accounts, leaving their servers vulnerable to attack. In fact, this was the very oversight that led to Tesla's cryptojacking attack in February, 2018.\nIn addition to compromising the security of your data, when bad actors leverage your compute resources, it can incur monumental costs, since you will be billed for any new instances and increased bandwidth usage.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "APT5", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1580", "mitre_attack_technique": "Cloud Infrastructure Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Scattered Spider"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Initial Access", "Discovery", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion"], "datamodels": ["Change"], "kill_chain_phases": ["Installation", "Delivery", "Exploitation"]}, "detection_names": ["ESCU - Abnormally High Number Of Cloud Infrastructure API Calls - Rule", "ESCU - Abnormally High Number Of Cloud Security Group API Calls - Rule", "ESCU - AWS IAM AccessDenied Discovery Events - Rule", "ESCU - AWS Lambda UpdateFunctionCode - Rule", "ESCU - Cloud API Calls From Previously Unseen User Roles - Rule", "ESCU - Cloud Security Groups Modifications by User - Rule"], "investigation_names": ["AWS Investigate User Activities By ARN"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Abnormally High Number Of Cloud Infrastructure API Calls", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}, {"name": "Abnormally High Number Of Cloud Security Group API Calls", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}, {"name": "AWS IAM AccessDenied Discovery Events", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Infrastructure Discovery"}]}, {"name": "AWS Lambda UpdateFunctionCode", "source": "cloud", "type": "Hunting", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Cloud API Calls From Previously Unseen User Roles", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Valid Accounts"}]}, {"name": "Cloud Security Groups Modifications by User", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Cloud Compute Configurations"}]}]}, {"name": "Suspicious Command-Line Executions", "author": "Bhavin Patel, Splunk", "date": "2020-02-03", "version": 2, "id": "f4368ddf-d59f-4192-84f6-778ac5a3ffc7", "description": "Leveraging the Windows command-line interface (CLI) is one of the most common attack techniques--one that is also detailed in the MITRE ATT&CK framework. Use this Analytic Story to help you identify unusual or suspicious use of the CLI on Windows systems.", "references": ["https://attack.mitre.org/wiki/Technique/T1059", "https://www.microsoft.com/en-us/wdsi/threats/macro-malware", "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"], "narrative": "The ability to execute arbitrary commands via the Windows CLI is a primary goal for the adversary. With access to the shell, an attacker can easily run scripts and interact with the target system. Often, attackers may only have limited access to the shell or may obtain access in unusual ways. In addition, malware may execute and interact with the CLI in ways that would be considered unusual and inconsistent with typical user activity. This provides defenders with opportunities to identify suspicious use and investigate, as appropriate. This Analytic Story contains various searches to help identify this suspicious activity, as well as others to aid you in deeper investigation.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}], "mitre_attack_tactics": ["Execution", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - First time seen command line argument - Rule", "ESCU - Detect Prohibited Applications Spawning cmd exe - Rule", "ESCU - Detect suspicious processnames using pretrained model in DSDL - Rule", "ESCU - Detect Use of cmd exe to Launch Script Interpreters - Rule", "ESCU - Potentially malicious code on commandline - Rule", "ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - Unusually Long Command Line - Rule", "ESCU - Unusually Long Command Line - MLTK - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "First time seen command line argument", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Windows Command Shell"}]}, {"name": "Detect Prohibited Applications Spawning cmd exe", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}]}, {"name": "Detect suspicious processnames using pretrained model in DSDL", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Detect Use of cmd exe to Launch Script Interpreters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}]}, {"name": "Potentially malicious code on commandline", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Windows Command Shell"}]}, {"name": "System Processes Run From Unexpected Locations", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}, {"name": "Unusually Long Command Line", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Unusually Long Command Line - MLTK", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Suspicious Compiled HTML Activity", "author": "Michael Haag, Splunk", "date": "2021-02-11", "version": 1, "id": "a09db4d1-3827-4833-87b8-3a397e532119", "description": "Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code.", "references": ["https://redcanary.com/blog/introducing-atomictestharnesses/", "https://attack.mitre.org/techniques/T1218/001/", "https://docs.microsoft.com/en-us/windows/win32/api/htmlhelp/nf-htmlhelp-htmlhelpa"], "narrative": "Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such VBA, JScript, Java, and ActiveX. CHM content is displayed using underlying components of the Internet Explorer browser loaded by the HTML Help executable program (hh.exe).\nHH.exe relies upon hhctrl.ocx to load CHM topics.This will load upon execution of a chm file.\nDuring investigation, review all parallel processes and child processes. It is possible for file modification events to occur and it is best to capture the CHM file and decompile it for further analysis.\nUpon usage of InfoTech Storage Handlers, ms-its, its, mk, itss.dll will load.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.001", "mitre_attack_technique": "Compiled HTML File", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "APT41", "Dark Caracal", "OilRig", "Silence"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Detect HTML Help Renamed - Rule", "ESCU - Detect HTML Help Spawn Child Process - Rule", "ESCU - Detect HTML Help URL in Command Line - Rule", "ESCU - Detect HTML Help Using InfoTech Storage Handlers - Rule", "ESCU - Windows System Binary Proxy Execution Compiled HTML File Decompile - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect HTML Help Renamed", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Compiled HTML File"}]}, {"name": "Detect HTML Help Spawn Child Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Compiled HTML File"}]}, {"name": "Detect HTML Help URL in Command Line", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Compiled HTML File"}]}, {"name": "Detect HTML Help Using InfoTech Storage Handlers", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Compiled HTML File"}]}, {"name": "Windows System Binary Proxy Execution Compiled HTML File Decompile", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Compiled HTML File"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}]}, {"name": "Suspicious DNS Traffic", "author": "Rico Valdez, Splunk", "date": "2017-09-18", "version": 1, "id": "3c3835c0-255d-4f9e-ab84-e29ec9ec9b56", "description": "Attackers often attempt to hide within or otherwise abuse the domain name system (DNS). You can thwart attempts to manipulate this omnipresent protocol by monitoring for these types of abuses.", "references": ["http://blogs.splunk.com/2015/10/01/random-words-on-entropy-and-dns/", "http://www.darkreading.com/analytics/security-monitoring/got-malware-three-signs-revealed-in-dns-traffic/d/d-id/1139680", "https://live.paloaltonetworks.com/t5/Threat-Vulnerability-Articles/What-are-suspicious-DNS-queries/ta-p/71454"], "narrative": "Although DNS is one of the fundamental underlying protocols that make the Internet work, it is often ignored (perhaps because of its complexity and effectiveness). However, attackers have discovered ways to abuse the protocol to meet their objectives. One potential abuse involves manipulating DNS to hijack traffic and redirect it to an IP address under the attacker's control. This could inadvertently send users intending to visit google.com, for example, to an unrelated malicious website. Another technique involves using the DNS protocol for command-and-control activities with the attacker's malicious code or to covertly exfiltrate data. The searches within this Analytic Story look for these types of abuses.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1071.004", "mitre_attack_technique": "DNS", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT39", "APT41", "Chimera", "Cobalt Group", "FIN7", "Ke3chang", "LazyScripter", "OilRig", "Tropic Trooper"]}, {"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "Mustard Tempest", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}, {"mitre_attack_id": "T1568.002", "mitre_attack_technique": "Domain Generation Algorithms", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "TA551"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Magic Hound", "Rocke", "TeamTNT"]}], "mitre_attack_tactics": ["Initial Access", "Command And Control", "Exfiltration"], "datamodels": ["Endpoint", "Network_Resolution"], "kill_chain_phases": ["Delivery", "Actions on Objectives", "Command and Control"]}, "detection_names": ["ESCU - Clients Connecting to Multiple DNS Servers - Rule", "ESCU - Detect Long DNS TXT Record Response - Rule", "ESCU - Detection of DNS Tunnels - Rule", "ESCU - DNS Query Requests Resolved by Unauthorized DNS Servers - Rule", "ESCU - DNS Exfiltration Using Nslookup App - Rule", "ESCU - Excessive Usage of NSLOOKUP App - Rule", "ESCU - Detect DGA domains using pretrained model in DSDL - Rule", "ESCU - Detect DNS Data Exfiltration using pretrained model in DSDL - Rule", "ESCU - Detect hosts connecting to dynamic domain providers - Rule", "ESCU - Detect suspicious DNS TXT records using pretrained model in DSDL - Rule", "ESCU - DNS Query Length Outliers - MLTK - Rule", "ESCU - DNS Query Length With High Standard Deviation - Rule", "ESCU - Excessive DNS Failures - Rule"], "investigation_names": ["Get DNS Server History for a host", "Get DNS traffic ratio", "Get Notable History", "Get Parent Process Info", "Get Process Info", "Get Process Responsible For The DNS Traffic"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Clients Connecting to Multiple DNS Servers", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}, {"name": "Detect Long DNS TXT Record Response", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}, {"name": "Detection of DNS Tunnels", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}, {"name": "DNS Query Requests Resolved by Unauthorized DNS Servers", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "DNS"}]}, {"name": "DNS Exfiltration Using Nslookup App", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}, {"name": "Excessive Usage of NSLOOKUP App", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}, {"name": "Detect DGA domains using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Domain Generation Algorithms"}]}, {"name": "Detect DNS Data Exfiltration using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}, {"name": "Detect hosts connecting to dynamic domain providers", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Drive-by Compromise"}]}, {"name": "Detect suspicious DNS TXT records using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Domain Generation Algorithms"}]}, {"name": "DNS Query Length Outliers - MLTK", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "DNS"}, {"mitre_attack_technique": "Application Layer Protocol"}]}, {"name": "DNS Query Length With High Standard Deviation", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}, {"name": "Excessive DNS Failures", "source": "network", "type": "Anomaly", "tags": [{"mitre_attack_technique": "DNS"}, {"mitre_attack_technique": "Application Layer Protocol"}]}]}, {"name": "Suspicious Emails", "author": "Bhavin Patel, Splunk", "date": "2020-01-27", "version": 1, "id": "2b1800dd-92f9-47ec-a981-fdf1351e5d55", "description": "Email remains one of the primary means for attackers to gain an initial foothold within the modern enterprise. Detect and investigate suspicious emails in your environment with the help of the searches in this Analytic Story.", "references": ["https://www.splunk.com/blog/2015/06/26/phishing-hits-a-new-level-of-quality/"], "narrative": "It is a common practice for attackers of all types to leverage targeted spearphishing campaigns and mass mailers to deliver weaponized email messages and attachments. Fortunately, there are a number of ways to monitor email data in Splunk to detect suspicious content.\nOnce a phishing message has been detected, the next steps are to answer the following questions:\n1. Which users have received this or a similar message in the past?\n1. When did the targeted campaign begin?\n1. Have any users interacted with the content of the messages (by downloading an attachment or clicking on a malicious URL)?This Analytic Story provides detection searches to identify suspicious emails, as well as contextual and investigative searches to help answer some of these questions.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Email"], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - Email Attachments With Lots Of Spaces - Rule", "ESCU - Monitor Email For Brand Abuse - Rule", "ESCU - Suspicious Email Attachment Extensions - Rule", "ESCU - Suspicious Email - UBA Anomaly - Rule"], "investigation_names": ["Get Email Info", "Get Emails From Specific Sender", "Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Email Attachments With Lots Of Spaces", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Monitor Email For Brand Abuse", "source": "application", "type": "TTP", "tags": []}, {"name": "Suspicious Email Attachment Extensions", "source": "application", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}, {"name": "Suspicious Email - UBA Anomaly", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Phishing"}]}]}, {"name": "Suspicious GCP Storage Activities", "author": "Shannon Davis, Splunk", "date": "2020-08-05", "version": 1, "id": "4d656b2e-d6be-11ea-87d0-0242ac130003", "description": "Use the searches in this Analytic Story to monitor your GCP Storage buckets for evidence of anomalous activity and suspicious behaviors, such as detecting open storage buckets and buckets being accessed from a new IP. The contextual and investigative searches will give you more information, when required.", "references": ["https://cloud.google.com/blog/products/gcp/4-steps-for-hardening-your-cloud-storage-buckets-taking-charge-of-your-security", "https://rhinosecuritylabs.com/gcp/google-cloud-platform-gcp-bucket-enumeration/"], "narrative": "Similar to other cloud providers, GCP operates on a shared responsibility model. This means the end user, you, are responsible for setting appropriate access control lists and permissions on your GCP resources.\\ This Analytics Story concentrates on detecting things like open storage buckets (both read and write) along with storage bucket access from unfamiliar users and IP addresses.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1530", "mitre_attack_technique": "Data from Cloud Storage", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Fox Kitten", "Scattered Spider"]}], "mitre_attack_tactics": ["Collection"], "datamodels": [], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Detect GCP Storage access from a new IP - Rule", "ESCU - Detect New Open GCP Storage Buckets - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Shannon Davis", "detections": [{"name": "Detect GCP Storage access from a new IP", "source": "cloud", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data from Cloud Storage"}]}, {"name": "Detect New Open GCP Storage Buckets", "source": "cloud", "type": "TTP", "tags": [{"mitre_attack_technique": "Data from Cloud Storage"}]}]}, {"name": "Suspicious MSHTA Activity", "author": "Bhavin Patel, Michael Haag, Splunk", "date": "2021-01-20", "version": 2, "id": "1e5a5a53-540b-462a-8fb7-f44a4292f5dc", "description": "Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code.", "references": ["https://redcanary.com/blog/introducing-atomictestharnesses/", "https://redcanary.com/blog/windows-registry-attacks-threat-detection/", "https://attack.mitre.org/techniques/T1218/005/", "https://medium.com/@mbromileyDFIR/malware-monday-aebb456356c5"], "narrative": "One common adversary tactic is to bypass application control solutions via the mshta.exe process, which loads Microsoft HTML applications (mshtml.dll) with the .hta suffix. In these cases, attackers use the trusted Windows utility to proxy execution of malicious files, whether an .hta application, javascript, or VBScript.\nThe searches in this story help you detect and investigate suspicious activity that may indicate that an attacker is leveraging mshta.exe to execute malicious code.\nTriage\nValidate execution\n1. Determine if MSHTA.exe executed. Validate the OriginalFileName of MSHTA.exe and further PE metadata. If executed outside of c:\\windows\\system32 or c:\\windows\\syswow64, it should be highly suspect.\n1. Determine if script code was executed with MSHTA.\nSituational Awareness\nThe objective of this step is meant to identify suspicious behavioral indicators related to executed of Script code by MSHTA.exe.\n1. Parent process. Is the parent process a known LOLBin? Is the parent process an Office Application?\n1. Module loads. Are the known MSHTA.exe modules being loaded by a non-standard application? Is MSHTA loading any suspicious .DLLs?\n1. Network connections. Any network connections? Review the reputation of the remote IP or domain.\nRetrieval of script code\nThe objective of this step is to confirm the executed script code is benign or malicious.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA2541", "TA551"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Persistence", "Execution", "Privilege Escalation", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - Detect mshta inline hta execution - Rule", "ESCU - Detect mshta renamed - Rule", "ESCU - Detect MSHTA Url in Command Line - Rule", "ESCU - Detect Prohibited Applications Spawning cmd exe - Rule", "ESCU - Detect Rundll32 Inline HTA Execution - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Suspicious mshta child process - Rule", "ESCU - Suspicious mshta spawn - Rule", "ESCU - Windows MSHTA Writing to World Writable Path - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Michael Haag, Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect mshta inline hta execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}, {"name": "Detect mshta renamed", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}, {"name": "Detect MSHTA Url in Command Line", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}, {"name": "Detect Prohibited Applications Spawning cmd exe", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}]}, {"name": "Detect Rundll32 Inline HTA Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Suspicious mshta child process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}, {"name": "Suspicious mshta spawn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}, {"name": "Windows MSHTA Writing to World Writable Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Mshta"}]}]}, {"name": "Suspicious Okta Activity", "author": "Rico Valdez, Splunk", "date": "2020-04-02", "version": 1, "id": "9cbd34af-8f39-4476-a423-bacd126c750b", "description": "Monitor your Okta environment for suspicious activities. Due to the Covid outbreak, many users are migrating over to leverage cloud services more and more. Okta is a popular tool to manage multiple users and the web-based applications they need to stay productive. The searches in this story will help monitor your Okta environment for suspicious activities and associated user behaviors.", "references": ["https://attack.mitre.org/wiki/Technique/T1078", "https://owasp.org/www-community/attacks/Credential_stuffing", "https://searchsecurity.techtarget.com/answer/What-is-a-password-spraying-attack-and-how-does-it-work"], "narrative": "Okta is the leading single sign on (SSO) provider, allowing users to authenticate once to Okta, and from there access a variety of web-based applications. These applications are assigned to users and allow administrators to centrally manage which users are allowed to access which applications. It also provides centralized logging to help understand how the applications are used and by whom.\nWhile SSO is a major convenience for users, it also provides attackers with an opportunity. If the attacker can gain access to Okta, they can access a variety of applications. As such monitoring the environment is important.\nWith people moving quickly to adopt web-based applications and ways to manage them, many are still struggling to understand how best to monitor these environments. This analytic story provides searches to help monitor this environment, and identify events and activity that warrant further investigation such as credential stuffing or password spraying attacks, and users logging in from multiple locations when travel is disallowed.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.004", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1539", "mitre_attack_technique": "Steal Web Session Cookie", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Evilnum", "LuminousMoth", "Sandworm Team", "Scattered Spider"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Akira", "Axiom", "Carbanak", "Chimera", "Cinnamon Tempest", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.001", "mitre_attack_technique": "Default Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["FIN13", "Magic Hound"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}], "mitre_attack_tactics": ["Initial Access", "Discovery", "Credential Access", "Privilege Escalation", "Persistence", "Defense Evasion"], "datamodels": ["Risk"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation"]}, "detection_names": ["ESCU - Okta IDP Lifecycle Modifications - Rule", "ESCU - Okta Risk Threshold Exceeded - Rule", "ESCU - Okta Suspicious Use of a Session Cookie - Rule", "ESCU - Multiple Okta Users With Invalid Credentials From The Same IP - Rule", "ESCU - Okta Account Locked Out - Rule", "ESCU - Okta Account Lockout Events - Rule", "ESCU - Okta Failed SSO Attempts - Rule", "ESCU - Okta ThreatInsight Login Failure with High Unknown users - Rule", "ESCU - Okta ThreatInsight Suspected PasswordSpray Attack - Rule", "ESCU - Okta Two or More Rejected Okta Pushes - Rule"], "investigation_names": ["Investigate Okta Activity by app", "Investigate Okta Activity by IP Address", "Investigate User Activities In Okta"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Okta IDP Lifecycle Modifications", "source": "application", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cloud Account"}]}, {"name": "Okta Risk Threshold Exceeded", "source": "application", "type": "Correlation", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Okta Suspicious Use of a Session Cookie", "source": "application", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Steal Web Session Cookie"}]}, {"name": "Multiple Okta Users With Invalid Credentials From The Same IP", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}]}, {"name": "Okta Account Locked Out", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Brute Force"}]}, {"name": "Okta Account Lockout Events", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}]}, {"name": "Okta Failed SSO Attempts", "source": "deprecated", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}]}, {"name": "Okta ThreatInsight Login Failure with High Unknown users", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}, {"mitre_attack_technique": "Credential Stuffing"}]}, {"name": "Okta ThreatInsight Suspected PasswordSpray Attack", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}, {"mitre_attack_technique": "Password Spraying"}]}, {"name": "Okta Two or More Rejected Okta Pushes", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Brute Force"}]}]}, {"name": "Suspicious Regsvcs Regasm Activity", "author": "Michael Haag, Splunk", "date": "2021-02-11", "version": 1, "id": "2cdf33a0-4805-4b61-b025-59c20f418fbe", "description": "Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code.", "references": ["https://attack.mitre.org/techniques/T1218/009/", "https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/evasion/windows/applocker_evasion_regasm_regsvcs.md", "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/"], "narrative": " Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies. Both are digitally signed by Microsoft. The following queries assist with detecting suspicious and malicious usage of Regasm.exe and Regsvcs.exe. Upon reviewing usage of Regasm.exe Regsvcs.exe, review file modification events for possible script code written. Review parallel process events for csc.exe being utilized to compile script code.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.009", "mitre_attack_technique": "Regsvcs/Regasm", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Detect Regasm Spawning a Process - Rule", "ESCU - Detect Regasm with Network Connection - Rule", "ESCU - Detect Regasm with no Command Line Arguments - Rule", "ESCU - Detect Regsvcs Spawning a Process - Rule", "ESCU - Detect Regsvcs with Network Connection - Rule", "ESCU - Detect Regsvcs with No Command Line Arguments - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Regasm Spawning a Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}, {"name": "Detect Regasm with Network Connection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}, {"name": "Detect Regasm with no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}, {"name": "Detect Regsvcs Spawning a Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}, {"name": "Detect Regsvcs with Network Connection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}, {"name": "Detect Regsvcs with No Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}]}, {"name": "Suspicious Regsvr32 Activity", "author": "Michael Haag, Splunk", "date": "2021-01-29", "version": 1, "id": "b8bee41e-624f-11eb-ae93-0242ac130002", "description": "Monitor and detect techniques used by attackers who leverage the regsvr32.exe process to execute malicious code.", "references": ["https://attack.mitre.org/techniques/T1218/010/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md", "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/"], "narrative": "One common adversary tactic is to bypass application control solutions via the regsvr32.exe process. This particular bypass was popularized with \"SquiblyDoo\" using the \"scrobj.dll\" dll to load .sct scriptlets. This technique is still widely used by adversaries to bypass detection and prevention controls. The file extension of the DLL is irrelevant (it may load a .txt file extension for example). The searches in this story help you detect and investigate suspicious activity that may indicate that an adversary is leveraging regsvr32.exe to execute malicious code. Validate execution Determine if regsvr32.exe executed. Validate the OriginalFileName of regsvr32.exe and further PE metadata. If executed outside of c:\\windows\\system32 or c:\\windows\\syswow64, it should be highly suspect. Determine if script code was executed with regsvr32. Situational Awareness - The objective of this step is meant to identify suspicious behavioral indicators related to executed of Script code by regsvr32.exe. Parent process. Is the parent process a known LOLBin? Is the parent process an Office Application? Module loads. Is regsvr32 loading any suspicious .DLLs? Unsigned or signed from non-standard paths. Network connections. Any network connections? Review the reputation of the remote IP or domain. Retrieval of Script Code - confirm the executed script code is benign or malicious.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Detect Regsvr32 Application Control Bypass - Rule", "ESCU - Malicious InProcServer32 Modification - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Suspicious Regsvr32 Register Suspicious Path - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Regsvr32 Application Control Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}, {"name": "Malicious InProcServer32 Modification", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Regsvr32"}, {"mitre_attack_technique": "Modify Registry"}]}, {"name": "Regsvr32 Silent and Install Param Dll Loading", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}, {"name": "Suspicious Regsvr32 Register Suspicious Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}]}, {"name": "Suspicious Rundll32 Activity", "author": "Michael Haag, Splunk", "date": "2021-02-03", "version": 1, "id": "80a65487-854b-42f1-80a1-935e4c170694", "description": "Monitor and detect techniques used by attackers who leverage rundll32.exe to execute arbitrary malicious code.", "references": ["https://attack.mitre.org/techniques/T1218/011/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md", "https://lolbas-project.github.io/lolbas/Binaries/Rundll32"], "narrative": "One common adversary tactic is to bypass application control solutions via the rundll32.exe process. Natively, rundll32.exe will load DLLs and is a great example of a Living off the Land Binary. Rundll32.exe may load malicious DLLs by ordinals, function names or directly. The queries in this story focus on loading default DLLs, syssetup.dll, ieadvpack.dll, advpack.dll and setupapi.dll from disk that may be abused by adversaries. Additionally, two analytics developed to assist with identifying DLLRegisterServer, Start and StartW functions being called. The searches in this story help you detect and investigate suspicious activity that may indicate that an adversary is leveraging rundll32.exe to execute malicious code.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion"], "datamodels": ["Network_Traffic", "Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Suspicious Rundll32 Rename - Rule", "ESCU - Detect Rundll32 Application Control Bypass - advpack - Rule", "ESCU - Detect Rundll32 Application Control Bypass - setupapi - Rule", "ESCU - Detect Rundll32 Application Control Bypass - syssetup - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Rundll32 Control RunDLL Hunt - Rule", "ESCU - Rundll32 Control RunDLL World Writable Directory - Rule", "ESCU - Rundll32 with no Command Line Arguments with Network - Rule", "ESCU - RunDLL Loading DLL By Ordinal - Rule", "ESCU - Suspicious Rundll32 dllregisterserver - Rule", "ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", "ESCU - Suspicious Rundll32 StartW - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Suspicious Rundll32 Rename", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rundll32"}, {"mitre_attack_technique": "Rename System Utilities"}]}, {"name": "Detect Rundll32 Application Control Bypass - advpack", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Detect Rundll32 Application Control Bypass - setupapi", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Detect Rundll32 Application Control Bypass - syssetup", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Rundll32 Control RunDLL Hunt", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Rundll32 Control RunDLL World Writable Directory", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Rundll32 with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "RunDLL Loading DLL By Ordinal", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Suspicious Rundll32 dllregisterserver", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Suspicious Rundll32 no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Suspicious Rundll32 StartW", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}]}, {"name": "Suspicious Windows Registry Activities", "author": "Bhavin Patel, Splunk", "date": "2018-05-31", "version": 1, "id": "2b1800dd-92f9-47dd-a981-fdf1351e5d55", "description": "Monitor and detect registry changes initiated from remote locations, which can be a sign that an attacker has infiltrated your system.", "references": ["https://redcanary.com/blog/windows-registry-attacks-threat-detection/", "https://attack.mitre.org/wiki/Technique/T1112"], "narrative": "Attackers are developing increasingly sophisticated techniques for hijacking target servers, while evading detection. One such technique that has become progressively more common is registry modification.\nThe registry is a key component of the Windows operating system. It has a hierarchical database called \"registry\" that contains settings, options, and values for executables. Once the threat actor gains access to a machine, they can use reg.exe to modify their account to obtain administrator-level privileges, maintain persistence, and move laterally within the environment.\nThe searches in this story are designed to help you detect behaviors associated with manipulation of the Windows registry.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1547.010", "mitre_attack_technique": "Port Monitors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546.011", "mitre_attack_technique": "Application Shimming", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["FIN7"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1546.012", "mitre_attack_technique": "Image File Execution Options Injection", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA2541", "TA551"]}, {"mitre_attack_id": "T1564.001", "mitre_attack_technique": "Hidden Files and Directories", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "FIN13", "HAFNIUM", "Lazarus Group", "LuminousMoth", "Mustang Panda", "Rocke", "Transparent Tribe", "Tropic Trooper"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Persistence", "Defense Evasion", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - Reg exe used to hide files directories via registry keys - Rule", "ESCU - Remote Registry Key modifications - Rule", "ESCU - Suspicious Changes to File Associations - Rule", "ESCU - Disable UAC Remote Restriction - Rule", "ESCU - Disabling Remote User Account Control - Rule", "ESCU - Monitor Registry Keys for Print Monitors - Rule", "ESCU - Registry Keys for Creating SHIM Databases - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule", "ESCU - Windows Mshta Execution In Registry - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Reg exe used to hide files directories via registry keys", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Hidden Files and Directories"}]}, {"name": "Remote Registry Key modifications", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Suspicious Changes to File Associations", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Change Default File Association"}]}, {"name": "Disable UAC Remote Restriction", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Disabling Remote User Account Control", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Monitor Registry Keys for Print Monitors", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Port Monitors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Registry Keys for Creating SHIM Databases", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Application Shimming"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Registry Keys Used For Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Image File Execution Options Injection"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Windows Mshta Execution In Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Mshta"}]}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Services Registry Permissions Weakness"}]}]}, {"name": "Suspicious WMI Use", "author": "Rico Valdez, Splunk", "date": "2018-10-23", "version": 2, "id": "c8ddc5be-69bc-4202-b3ab-4010b27d7ad5", "description": "Attackers are increasingly abusing Windows Management Instrumentation (WMI), a framework and associated utilities available on all modern Windows operating systems. Because WMI can be leveraged to manage both local and remote systems, it is important to identify the processes executed and the user context within which the activity occurred.", "references": ["https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf", "https://web.archive.org/web/20210921091529/https://www.fireeye.com/blog/threat-research/2017/03/wmimplant_a_wmi_ba.html"], "narrative": "WMI is a Microsoft infrastructure for management data and operations on Windows operating systems. It includes of a set of utilities that can be leveraged to manage both local and remote Windows systems. Attackers are increasingly turning to WMI abuse in their efforts to conduct nefarious tasks, such as reconnaissance, detection of antivirus and virtual machines, code execution, lateral movement, persistence, and data exfiltration. The detection searches included in this Analytic Story are used to look for suspicious use of WMI commands that attackers may leverage to interact with remote systems. The searches specifically look for the use of WMI to run processes on remote systems. In the event that unauthorized WMI execution occurs, it will be important for analysts and investigators to determine the context of the event. These details may provide insights related to how WMI was used and to what end.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.003", "mitre_attack_technique": "Windows Management Instrumentation Event Subscription", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT33", "Blue Mockingbird", "FIN8", "HEXANE", "Leviathan", "Metador", "Mustang Panda", "Rancor", "Turla"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1220", "mitre_attack_technique": "XSL Script Processing", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group", "Higaisa"]}], "mitre_attack_tactics": ["Persistence", "Execution", "Defense Evasion", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - Detect WMI Event Subscription Persistence - Rule", "ESCU - PowerShell Invoke WmiExec Usage - Rule", "ESCU - Process Execution via WMI - Rule", "ESCU - Remote Process Instantiation via WMI - Rule", "ESCU - Remote WMI Command Attempt - Rule", "ESCU - Script Execution via WMI - Rule", "ESCU - Windows WMI Process Call Create - Rule", "ESCU - WMI Permanent Event Subscription - Rule", "ESCU - WMI Permanent Event Subscription - Sysmon - Rule", "ESCU - WMI Temporary Event Subscription - Rule", "ESCU - WMIC XSL Execution via URL - Rule", "ESCU - XSL Script Execution With WMIC - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info", "Get Sysmon WMI Activity for Host"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Detect WMI Event Subscription Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation Event Subscription"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "PowerShell Invoke WmiExec Usage", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "Process Execution via WMI", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "Remote Process Instantiation via WMI", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "Remote WMI Command Attempt", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "Script Execution via WMI", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "Windows WMI Process Call Create", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "WMI Permanent Event Subscription", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "WMI Permanent Event Subscription - Sysmon", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation Event Subscription"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "WMI Temporary Event Subscription", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "WMIC XSL Execution via URL", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "XSL Script Processing"}]}, {"name": "XSL Script Execution With WMIC", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "XSL Script Processing"}]}]}, {"name": "Suspicious Zoom Child Processes", "author": "David Dorsey, Splunk", "date": "2020-04-13", "version": 1, "id": "aa3749a6-49c7-491e-a03f-4eaee5fe0258", "description": "Attackers are using Zoom as an vector to increase privileges on a sytems. This story detects new child processes of zoom and provides investigative actions for this detection.", "references": ["https://blog.rapid7.com/2020/04/02/dispelling-zoom-bugbears-what-you-need-to-know-about-the-latest-zoom-vulnerabilities/", "https://threatpost.com/two-zoom-zero-day-flaws-uncovered/154337/"], "narrative": "Zoom is a leader in modern enterprise video communications and its usage has increased dramatically with a large amount of the population under stay-at-home orders due to the COVID-19 pandemic. With increased usage has come increased scrutiny and several security flaws have been found with this application on both Windows and macOS systems.\nCurrent detections focus on finding new child processes of this application on a per host basis. Investigative searches are included to gather information needed during an investigation.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}], "mitre_attack_tactics": ["Execution"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation"]}, "detection_names": ["ESCU - Detect Prohibited Applications Spawning cmd exe - Rule", "ESCU - First Time Seen Child Process of Zoom - Rule"], "investigation_names": ["Get Process File Activity"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Detect Prohibited Applications Spawning cmd exe", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}]}, {"name": "First Time Seen Child Process of Zoom", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}]}, {"name": "Swift Slicer", "author": "Teoderick Contreras, Rod Soto, Splunk", "date": "2023-02-01", "version": 1, "id": "234c9dd7-52fb-4d6f-aec9-075ef88a2cea", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the swift slicer malware including overwriting of files and etc.", "references": ["https://twitter.com/ESETresearch/status/1618960022150729728", "https://www.welivesecurity.com/2023/01/27/swiftslicer-new-destructive-wiper-malware-ukraine/"], "narrative": "Swift Slicer is one of Windows destructive malware found by ESET that was used in a targeted organizarion to wipe critical files like windows drivers and other files to destroy and left the machine inoperable. This malware like Caddy Wiper was deliver through GPO which suggests that the attacker had taken control of the victims active directory environment.", "tags": {"category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Persistence", "Impact", "Privilege Escalation", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Data Destruction Recursive Exec Files Deletion - Rule", "ESCU - Windows High File Deletion Frequency - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Rod Soto, Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Windows Data Destruction Recursive Exec Files Deletion", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Windows High File Deletion Frequency", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Destruction"}]}]}, {"name": "SysAid On-Prem Software CVE-2023-47246 Vulnerability", "author": "Michael Haag, Splunk", "date": "2023-11-09", "version": 1, "id": "228f22cb-3436-4c31-8af4-370d40af7b49", "description": "A zero-day vulnerability was discovered in SysAid's on-premise software, exploited by the group DEV-0950 (Lace Tempest). The attackers uploaded a WebShell and other payloads, gaining unauthorized access and control. SysAid has released a patch (version 23.3.36) to remediate the vulnerability and urges customers to conduct a comprehensive compromise assessment.", "references": ["https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification"], "narrative": "The analytics tagged to this analytic story will aid in capturing initial access and some post-exploitation activities. In addition to the application spawning a shell, consider reviewing STRT's Cobalt Strike and PowerShell script block logging analytic stories. On November 2nd, SysAid's security team identified a potential vulnerability in their on-premise software. The investigation revealed a zero-day vulnerability exploited by the group known as DEV-0950 (Lace Tempest). The attackers uploaded a WebShell and other payloads into the webroot of the SysAid Tomcat web service, thereby gaining unauthorized access and control over the affected system. SysAid promptly initiated their incident response protocol and began proactive communication with their on-premise customers to implement a mitigation solution. SysAid has released a patch (version 23.3.36) to remediate the vulnerability and strongly recommends all customers to conduct a comprehensive compromise assessment of their network.", "tags": {"category": ["Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "APT5", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}], "mitre_attack_tactics": ["Persistence", "Execution", "Command And Control", "Initial Access"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Delivery", "Command and Control"]}, "detection_names": ["ESCU - Any Powershell DownloadString - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Java Writing JSP File - Rule", "ESCU - Windows Java Spawning Shells - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}, {"name": "Java Writing JSP File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "Windows Java Spawning Shells", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}]}, {"name": "Text4Shell CVE-2022-42889", "author": "Michael Haag, Splunk", "date": "2022-10-26", "version": 1, "id": "95ae800d-485e-47f7-866e-8be281aa497b", "description": "A new critical vulnerability CVE-2022-42889 a.k.a. Text4shell, similar to the old Spring4Shell and Log4Shell, was originally reported by Alvaro Munoz on the very popular Apache Commons Text library.", "references": ["https://sysdig.com/blog/cve-2022-42889-text4shell/"], "narrative": "Apache Commons Text is a Java library described as \"a library focused on algorithms working on strings.\" We can see it as a general-purpose text manipulation toolkit. This vulnerability affects the StringSubstitutor interpolator class, which is included in the Commons Text library. A default interpolator allows for string lookups that can lead to Remote Code Execution. This is due to a logic flaw that makes the \"script,\" \"dns,\" and \"url\" lookup keys interpolated by default, as opposed to what it should be, according to the documentation of the StringLookupFactory class. Those keys allow an attacker to execute arbitrary code via lookups. In order to exploit the vulnerabilities, the following requirements must be met - Run a version of Apache Commons Text from version 1.5 to 1.9 and use the StringSubstitutor interpolator. It is important to specify that the StringSubstitutor interpolator is not as widely used as the string substitution in Log4j, which led to Log4Shell. According to the CVSSv3 system, it scores 9.8 as CRITICAL severity. The severity is Critical due to the easy exploitability and huge potential impact in terms of confidentiality, integrity, and availability. As we showed in the previous section, you can take full control over the vulnerable system with a crafted request. However, it is not likely the vulnerabilities will have the same impacts as the previous Log4Shell and Spring4Shell.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Application Security", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Exploit Public Facing Application via Apache Commons Text - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Exploit Public Facing Application via Apache Commons Text", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}]}, {"name": "Trickbot", "author": "Rod Soto, Teoderick Contreras, Splunk", "date": "2021-04-20", "version": 1, "id": "16f93769-8342-44c0-9b1d-f131937cce8e", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the trickbot banking trojan, including looking for file writes associated with its payload, process injection, shellcode execution and data collection even in LDAP environment.", "references": ["https://en.wikipedia.org/wiki/Trickbot", "https://blog.checkpoint.com/2021/03/11/february-2021s-most-wanted-malware-trickbot-takes-over-following-emotet-shutdown/"], "narrative": "trickbot banking trojan campaigns targeting banks and other vertical sectors.This malware is known in Microsoft Windows OS where target security Microsoft Defender to prevent its detection and removal. steal Verizon credentials and targeting banks using its multi component modules that collect and exfiltrate data.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1590", "mitre_attack_technique": "Gather Victim Network Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["HAFNIUM"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1590.005", "mitre_attack_technique": "IP Addresses", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["Andariel", "HAFNIUM", "Magic Hound"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA2541", "TA551"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT41", "BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Scattered Spider", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Reconnaissance", "Initial Access", "Discovery", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Lateral Movement"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Installation", "Reconnaissance", "Exploitation"]}, "detection_names": ["ESCU - Account Discovery With Net App - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - Cobalt Strike Named Pipes - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Mshta spawning Rundll32 OR Regsvr32 Process - Rule", "ESCU - Office Application Spawn rundll32 process - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Office Product Spawning CertUtil - Rule", "ESCU - Powershell Remote Thread To Known Windows Process - Rule", "ESCU - Schedule Task with Rundll32 Command Trigger - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Rundll32 StartW - Rule", "ESCU - Trickbot Named Pipe - Rule", "ESCU - Wermgr Process Connecting To IP Check Web Services - Rule", "ESCU - Wermgr Process Create Executable File - Rule", "ESCU - Wermgr Process Spawned CMD Or Powershell Process - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Teoderick Contreras, Splunk", "author_name": "Rod Soto", "detections": [{"name": "Account Discovery With Net App", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}, {"name": "Attempt To Stop Security Service", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Cobalt Strike Named Pipes", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Mshta spawning Rundll32 OR Regsvr32 Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}, {"name": "Office Application Spawn rundll32 process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawning CertUtil", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Powershell Remote Thread To Known Windows Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Schedule Task with Rundll32 Command Trigger", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Suspicious Rundll32 StartW", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Trickbot Named Pipe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Wermgr Process Connecting To IP Check Web Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Gather Victim Network Information"}, {"mitre_attack_technique": "IP Addresses"}]}, {"name": "Wermgr Process Create Executable File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}, {"name": "Wermgr Process Spawned CMD Or Powershell Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}]}, {"name": "Trusted Developer Utilities Proxy Execution", "author": "Michael Haag, Splunk", "date": "2021-01-12", "version": 1, "id": "270a67a6-55d8-11eb-ae93-0242ac130002", "description": "Monitor and detect behaviors used by attackers who leverage trusted developer utilities to execute malicious code.", "references": ["https://attack.mitre.org/techniques/T1127/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md", "https://lolbas-project.github.io/lolbas/Binaries/Microsoft.Workflow.Compiler/"], "narrative": "Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering. These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions.\nThe searches in this story help you detect and investigate suspicious activity that may indicate that an adversary is leveraging microsoft.workflow.compiler.exe to execute malicious code.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Suspicious microsoft workflow compiler rename - Rule", "ESCU - Suspicious microsoft workflow compiler usage - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Suspicious microsoft workflow compiler rename", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}]}, {"name": "Suspicious microsoft workflow compiler usage", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}]}]}, {"name": "Trusted Developer Utilities Proxy Execution MSBuild", "author": "Michael Haag, Splunk", "date": "2021-01-21", "version": 1, "id": "be3418e2-551b-11eb-ae93-0242ac130002", "description": "Monitor and detect techniques used by attackers who leverage the msbuild.exe process to execute malicious code.", "references": ["https://attack.mitre.org/techniques/T1127/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md", "https://github.com/infosecn1nja/MaliciousMacroMSBuild", "https://github.com/xorrior/RandomPS-Scripts/blob/master/Invoke-ExecuteMSBuild.ps1", "https://lolbas-project.github.io/lolbas/Binaries/Msbuild/", "https://github.com/MHaggis/CBR-Queries/blob/master/msbuild.md"], "narrative": "Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio and is native to Windows. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.\nThe inline task capability of MSBuild that was introduced in .NET version 4 allows for C# code to be inserted into an XML project file. MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application control defenses that are configured to allow MSBuild.exe execution.\nThe searches in this story help you detect and investigate suspicious activity that may indicate that an adversary is leveraging msbuild.exe to execute malicious code.\nTriage\nValidate execution\n1. Determine if MSBuild.exe executed. Validate the OriginalFileName of MSBuild.exe and further PE metadata.\n1. Determine if script code was executed with MSBuild.\nSituational Awareness\nThe objective of this step is meant to identify suspicious behavioral indicators related to executed of Script code by MSBuild.exe.\n1. Parent process. Is the parent process a known LOLBin? Is the parent process an Office Application?\n1. Module loads. Are the known MSBuild.exe modules being loaded by a non-standard application? Is MSbuild loading any suspicious .DLLs?\n1. Network connections. Any network connections? Review the reputation of the remote IP or domain.\nRetrieval of script code\nThe objective of this step is to confirm the executed script code is benign or malicious.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1127.001", "mitre_attack_technique": "MSBuild", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - MSBuild Suspicious Spawned By Script Process - Rule", "ESCU - Suspicious msbuild path - Rule", "ESCU - Suspicious MSBuild Rename - Rule", "ESCU - Suspicious MSBuild Spawn - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "MSBuild Suspicious Spawned By Script Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "MSBuild"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}]}, {"name": "Suspicious msbuild path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}, {"name": "Suspicious MSBuild Rename", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}, {"name": "Suspicious MSBuild Spawn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "MSBuild"}]}]}, {"name": "Unusual Processes", "author": "Bhavin Patel, Splunk", "date": "2020-02-04", "version": 2, "id": "f4368e3f-d59f-4192-84f6-748ac5a3ddb6", "description": "Quickly identify systems running new or unusual processes in your environment that could be indicators of suspicious activity. Processes run from unusual locations, those with conspicuously long command lines, and rare executables are all examples of activities that may warrant deeper investigation.", "references": ["https://web.archive.org/web/20210921093439/https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-two.html", "https://www.splunk.com/pdfs/technical-briefs/advanced-threat-detection-and-response-tech-brief.pdf", "https://www.sans.org/reading-room/whitepapers/logging/detecting-security-incidents-windows-workstation-event-logs-34262"], "narrative": "Being able to profile a host's processes within your environment can help you more quickly identify processes that seem out of place when compared to the rest of the population of hosts or asset types.\nThis Analytic Story lets you identify processes that are either a) not typically seen running or b) have some sort of suspicious command-line arguments associated with them. This Analytic Story will also help you identify the user running these processes and the associated process activity on the host.\nIn the event an unusual process is identified, it is imperative to better understand how that process was able to execute on the host, when it first executed, and whether other hosts are affected. This extra information may provide clues that can help the analyst further investigate any suspicious activity.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1588.002", "mitre_attack_technique": "Tool", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT19", "APT28", "APT29", "APT32", "APT33", "APT38", "APT39", "APT41", "Aoqin Dragon", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Carbanak", "Chimera", "Cinnamon Tempest", "Cleaver", "Cobalt Group", "CopyKittens", "DarkHydrus", "DarkVishnya", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN5", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "GALLIUM", "Gorgon Group", "HEXANE", "Inception", "IndigoZebra", "Ke3chang", "Kimsuky", "LAPSUS$", "Lazarus Group", "Leafminer", "LuminousMoth", "Magic Hound", "Metador", "Moses Staff", "MuddyWater", "POLONIUM", "Patchwork", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "TA2541", "TA505", "Threat Group-3390", "Thrip", "Turla", "Volt Typhoon", "WIRTE", "Whitefly", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1036.008", "mitre_attack_technique": "Masquerade File Type", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Volt Typhoon"]}, {"mitre_attack_id": "T1027.011", "mitre_attack_technique": "Fileless Storage", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "Turla"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1036.005", "mitre_attack_technique": "Match Legitimate Name or Location", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT32", "APT39", "APT41", "APT5", "Aoqin Dragon", "BRONZE BUTLER", "BackdoorDiplomacy", "Blue Mockingbird", "Carbanak", "Chimera", "Darkhotel", "Earth Lusca", "FIN13", "FIN7", "Ferocious Kitten", "Fox Kitten", "Gamaredon Group", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Naikon", "PROMETHIUM", "Patchwork", "Poseidon Group", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "Sowbug", "TA2541", "TeamTNT", "ToddyCat", "Transparent Tribe", "Tropic Trooper", "Volt Typhoon", "WIRTE", "Whitefly", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1595", "mitre_attack_technique": "Active Scanning", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1218.012", "mitre_attack_technique": "Verclsid", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}], "mitre_attack_tactics": ["Reconnaissance", "Initial Access", "Resource Development", "Discovery", "Credential Access", "Privilege Escalation", "Execution", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Reconnaissance", "Delivery", "Exploitation", "Installation", "Weaponization"]}, "detection_names": ["ESCU - Uncommon Processes On Endpoint - Rule", "ESCU - Attacker Tools On Endpoint - Rule", "ESCU - Detect processes used for System Network Configuration Discovery - Rule", "ESCU - Detect Rare Executables - Rule", "ESCU - Rundll32 Shimcache Flush - Rule", "ESCU - RunDLL Loading DLL By Ordinal - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Suspicious Process Executed From Container File - Rule", "ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - Unusually Long Command Line - Rule", "ESCU - Unusually Long Command Line - MLTK - Rule", "ESCU - Verclsid CLSID Execution - Rule", "ESCU - Windows DotNet Binary in Non Standard Path - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows NirSoft AdvancedRun - Rule", "ESCU - Windows Registry Payload Injection - Rule", "ESCU - Windows Remote Assistance Spawning Process - Rule", "ESCU - WinRM Spawning a Process - Rule", "ESCU - Wscript Or Cscript Suspicious Child Process - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Uncommon Processes On Endpoint", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "Malicious File"}]}, {"name": "Attacker Tools On Endpoint", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Match Legitimate Name or Location"}, {"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "Active Scanning"}]}, {"name": "Detect processes used for System Network Configuration Discovery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Network Configuration Discovery"}]}, {"name": "Detect Rare Executables", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "User Execution"}]}, {"name": "Rundll32 Shimcache Flush", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "RunDLL Loading DLL By Ordinal", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}, {"name": "Suspicious Copy on System32", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "Masquerading"}]}, {"name": "Suspicious Process Executed From Container File", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Malicious File"}, {"mitre_attack_technique": "Masquerade File Type"}]}, {"name": "System Processes Run From Unexpected Locations", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}, {"name": "Unusually Long Command Line", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Unusually Long Command Line - MLTK", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Verclsid CLSID Execution", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Verclsid"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}, {"name": "Windows DotNet Binary in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}, {"name": "Windows NirSoft AdvancedRun", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Tool"}]}, {"name": "Windows Registry Payload Injection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "Fileless Storage"}]}, {"name": "Windows Remote Assistance Spawning Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "WinRM Spawning a Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}, {"name": "Wscript Or Cscript Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Parent PID Spoofing"}, {"mitre_attack_technique": "Access Token Manipulation"}]}]}, {"name": "Use of Cleartext Protocols", "author": "Bhavin Patel, Splunk", "date": "2017-09-15", "version": 1, "id": "826e6431-aeef-41b4-9fc0-6d0985d65a21", "description": "Leverage searches that detect cleartext network protocols that may leak credentials or should otherwise be encrypted.", "references": ["https://www.monkey.org/~dugsong/dsniff/"], "narrative": "Various legacy protocols operate by default in the clear, without the protections of encryption. This potentially leaks sensitive information that can be exploited by passively sniffing network traffic. Depending on the protocol, this information could be highly sensitive, or could allow for session hijacking. In addition, these protocols send authentication information, which would allow for the harvesting of usernames and passwords that could potentially be used to authenticate and compromise secondary systems.", "tags": {"category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Protocols passing authentication in cleartext - Rule"], "investigation_names": ["Get Notable History", "Get Process Information For Port Activity"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Protocols passing authentication in cleartext", "source": "network", "type": "TTP", "tags": []}]}, {"name": "VMware Aria Operations vRealize CVE-2023-20887", "author": "Michael Haag, Splunk", "date": "2023-06-21", "version": 1, "id": "99171cdd-57a1-4b8a-873c-f8bee12e2025", "description": "CVE-2023-20887 is a critical vulnerability affecting VMware's vRealize Network Insight (also known as VMware Aria Operations for Networks). It allows a remote, unauthenticated attacker to execute arbitrary commands with root privileges via the Apache Thrift RPC interface. The exploit, which has a severity score of 9.8, targets an endpoint (\"/saas./resttosaasservlet\") in the application and delivers a malicious payload designed to create a reverse shell, granting the attacker control over the system. VMware has released an advisory recommending users to update to the latest version to mitigate this threat.", "references": ["https://nvd.nist.gov/vuln/detail/CVE-2023-20887", "https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/", "https://viz.greynoise.io/tag/VMware-aria-operations-for-networks-rce-attempt?days=30", "https://github.com/sinsinology/CVE-2023-20887"], "narrative": "CVE-2023-20887 is a highly critical vulnerability found in VMware's vRealize Network Insight. This software is widely used for intelligent operations management across physical, virtual, and cloud environments, so a vulnerability in it poses a significant risk to many organizations.\nThis particular vulnerability lies in the application's Apache Thrift RPC interface. The exploit allows an attacker to inject commands that are executed with root privileges, leading to a potential total compromise of the system. The attacker does not need to be authenticated, which further increases the risk posed by this vulnerability.\nThe exploit operates by sending a specially crafted payload to the \"/saas./resttosaasservlet\" endpoint. This payload contains a reverse shell command, which, when executed, allows the attacker to remotely control the victim's system. This control is obtained at the root level, providing the attacker with the ability to perform any action on the system.\nWhat makes this vulnerability particularly dangerous is its high severity score of 9.8, indicating it is a critical threat. It's also noteworthy that the exploitation of this vulnerability leaves specific indicators such as abnormal traffic to the \"/saas./resttosaasservlet\" endpoint and suspicious ncat commands in network traffic, which can help in its detection.\nVMware has acknowledged the vulnerability and has published a security advisory recommending that users update to the latest version of the software. This update effectively patches the vulnerability and protects systems from this exploit. It's crucial that all users of the affected versions of VMware's vRealize Network Insight promptly apply the update to mitigate the risk posed by CVE-2023-20887.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - VMWare Aria Operations Exploit Attempt - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "VMWare Aria Operations Exploit Attempt", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "External Remote Services"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "Exploitation of Remote Services"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}]}, {"name": "VMware Server Side Injection and Privilege Escalation", "author": "Michael Haag, Splunk", "date": "2022-05-19", "version": 1, "id": "d6d51cc2-a092-43b7-9f61-1159943afe39", "description": "Recently disclosed CVE-2022-22954 and CVE-2022-22960 have been identified in the wild abusing VMware products to compromise internet faced devices and escalate privileges.", "references": ["https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954/rapid7-analysis", "https://www.cisa.gov/uscert/ncas/alerts/aa22-138b"], "narrative": "On April 6, 2022, VMware published VMSA-2022-0011, which discloses multiple vulnerabilities discovered by Steven Seeley (mr_me) of Qihoo 360 Vulnerability Research Institute. The most critical of the CVEs published in VMSA-2022-0011 is CVE-2022-22954, which is a server-side template injection issue with a CVSSv3 base score of 9.8. The vulnerability allows an unauthenticated user with network access to the web interface to execute an arbitrary shell command as the VMware user. To further exacerbate this issue, VMware also disclosed a local privilege escalation issue, CVE-2022-22960, which permits the attacker to gain root after exploiting CVE-2022-22954. Products affected include - VMware Workspace ONE Access (Access) 20.10.0.0 - 20.10.0.1, 21.08.0.0 - 21.08.0.1 and VMware Identity Manager (vIDM) 3.3.3 - 3.3.6.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "APT5", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Cinnamon Tempest", "Dragonfly", "Earth Lusca", "FIN13", "FIN7", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Sandworm Team", "Threat Group-3390", "ToddyCat", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Akira", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}], "mitre_attack_tactics": ["Persistence", "Initial Access"], "datamodels": ["Web"], "kill_chain_phases": ["Installation", "Delivery"]}, "detection_names": ["ESCU - VMware Server Side Template Injection Hunt - Rule", "ESCU - VMware Workspace ONE Freemarker Server-side Template Injection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "VMware Server Side Template Injection Hunt", "source": "web", "type": "Hunting", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}, {"name": "VMware Workspace ONE Freemarker Server-side Template Injection", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}]}, {"name": "Volt Typhoon", "author": "Teoderick Contreras, Splunk", "date": "2023-05-25", "version": 1, "id": "f73010e4-49eb-44ef-9f3f-2c25a1ae5415", "description": "This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the \"Volt Typhoon\" group targeting critical infrastructure organizations in United States and Guam. The affected organizations include the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors. This Analytic story looks for suspicious process execution, lolbin execution, command-line activity, lsass dump and many more.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "narrative": "Volt Typhoon is a state sponsored group typically focuses on espionage and information gathering. Based on Microsoft Threat Intelligence, This threat actor group puts strong emphasis on stealth in this campaign by relying almost exclusively on living-off-the-land techniques and hands-on-keyboard activity.\nThey issue commands via the command line to: 1. collect data, including credentials from local and network systems,\n2. put the data into an archive file to stage it for exfiltration, and then\n3. use the stolen valid credentials to maintain persistence.\nIn addition, Volt Typhoon tries to blend into normal network activity by routing traffic through compromised small office and home office (SOHO) network equipment, including routers, firewalls, and VPN hardware. They have also been observed using custom versions of open-source tools to establish a command and control (C2) channel over proxy to further stay under the radar.", "tags": {"category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1003.003", "mitre_attack_technique": "NTDS", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "HAFNIUM", "Ke3chang", "LAPSUS$", "Mustang Panda", "Sandworm Team", "Scattered Spider", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "Cinnamon Tempest", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "MoustachedBouncer", "POLONIUM", "Sandworm Team", "Turla", "Volt Typhoon", "Windigo"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "APT5", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1590.002", "mitre_attack_technique": "DNS", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1059.007", "mitre_attack_technique": "JavaScript", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "Cobalt Group", "Earth Lusca", "Ember Bear", "Evilnum", "FIN6", "FIN7", "Higaisa", "Indrik Spider", "Kimsuky", "LazyScripter", "Leafminer", "Molerats", "MoustachedBouncer", "MuddyWater", "Sidewinder", "Silence", "TA505", "Turla"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1090.001", "mitre_attack_technique": "Internal Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT39", "FIN13", "Higaisa", "Lazarus Group", "Strider", "Turla", "Volt Typhoon"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "FIN7", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "ToddyCat", "Turla", "Volt Typhoon"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT", "ToddyCat"]}], "mitre_attack_tactics": ["Reconnaissance", "Command And Control", "Discovery", "Credential Access", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Impact", "Lateral Movement"], "datamodels": ["Risk", "Endpoint"], "kill_chain_phases": ["Reconnaissance", "Exploitation", "Actions on Objectives", "Installation", "Command and Control"]}, "detection_names": ["ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Creation of Shadow Copy - Rule", "ESCU - Creation of Shadow Copy with wmic and powershell - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Elevated Group Discovery With Net - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Extraction of Registry Hives - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Ntdsutil Export NTDS - Rule", "ESCU - Processes launching netsh - Rule", "ESCU - Remote WMI Command Attempt - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows DNS Gather Network Info - Rule", "ESCU - Windows Ldifde Directory Object Behavior - Rule", "ESCU - Windows Mimikatz Binary Execution - Rule", "ESCU - Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos - Rule", "ESCU - Windows Multiple Invalid Users Fail To Authenticate Using Kerberos - Rule", "ESCU - Windows Multiple Invalid Users Failed To Authenticate Using NTLM - Rule", "ESCU - Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials - Rule", "ESCU - Windows Multiple Users Failed To Authenticate From Host Using NTLM - Rule", "ESCU - Windows Multiple Users Failed To Authenticate From Process - Rule", "ESCU - Windows Multiple Users Failed To Authenticate Using Kerberos - Rule", "ESCU - Windows Multiple Users Remotely Failed To Authenticate From Host - Rule", "ESCU - Windows Proxy Via Netsh - Rule", "ESCU - Windows Proxy Via Registry - Rule", "ESCU - Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM - Rule", "ESCU - Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials - Rule", "ESCU - Windows Unusual Count Of Users Failed To Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Users Failed To Authenticate From Process - Rule", "ESCU - Windows Unusual Count Of Users Failed To Authenticate Using NTLM - Rule", "ESCU - Windows Unusual Count Of Users Remotely Failed To Auth From Host - Rule", "ESCU - Windows WMI Process Call Create - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}, {"name": "Creation of Shadow Copy", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Creation of Shadow Copy with wmic and powershell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Elevated Group Discovery With Net", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Extraction of Registry Hives", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}, {"name": "Malicious PowerShell Process - Execution Policy Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}, {"name": "Network Connection Discovery With Arp", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "Ntdsutil Export NTDS", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Processes launching netsh", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Remote WMI Command Attempt", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}, {"name": "Suspicious Copy on System32", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "Masquerading"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "System Network Connections Discovery"}, {"mitre_attack_technique": "System Owner/User Discovery"}, {"mitre_attack_technique": "System Shutdown/Reboot"}, {"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows DNS Gather Network Info", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "DNS"}]}, {"name": "Windows Ldifde Directory Object Behavior", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}, {"mitre_attack_technique": "Domain Groups"}]}, {"name": "Windows Mimikatz Binary Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Multiple Invalid Users Fail To Authenticate Using Kerberos", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Multiple Invalid Users Failed To Authenticate Using NTLM", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Multiple Users Failed To Authenticate From Host Using NTLM", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Multiple Users Failed To Authenticate From Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Multiple Users Failed To Authenticate Using Kerberos", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Multiple Users Remotely Failed To Authenticate From Host", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Proxy Via Netsh", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Internal Proxy"}, {"mitre_attack_technique": "Proxy"}]}, {"name": "Windows Proxy Via Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Internal Proxy"}, {"mitre_attack_technique": "Proxy"}]}, {"name": "Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Unusual Count Of Users Failed To Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Unusual Count Of Users Failed To Authenticate From Process", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Unusual Count Of Users Failed To Authenticate Using NTLM", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows Unusual Count Of Users Remotely Failed To Auth From Host", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}, {"name": "Windows WMI Process Call Create", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}]}, {"name": "Warzone RAT", "author": "Teoderick Contreras, Splunk", "date": "2023-07-26", "version": 1, "id": "8dc84752-f4da-4285-931c-bddd5c4d440b", "description": "This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might related to warzone (Ave maria) RAT. This analytic story looks for suspicious process execution, command-line activity, downloads, persistence, defense evasion and more.", "references": ["https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/warzone#:~:text=Warzone%20RAT%20(AKA%20Ave%20Maria)%20is%20a%20remote%20access%20trojan,is%20as%20an%20information%20stealer.", "https://tccontre.blogspot.com/2020/02/2-birds-in-one-stone-ave-maria-wshrat.html"], "narrative": "Warzone RAT, also known as Ave Maria, is a sophisticated remote access trojan (RAT) that surfaced in January 2019. Originally offered as malware-as-a-service (MaaS), it rapidly gained notoriety and became one of the most prominent malware strains by 2020. Its exceptional capabilities in stealth and anti-analysis techniques make it a formidable threat in various campaigns, including those targeting sensitive geopolitical entities. The malware's impact is particularly concerning as it has been associated with attacks aimed at compromising government employees and military personnel, notably within India's National Informatics Centre (NIC). Its deployment by several advanced persistent threat (APT) groups further underlines its potency and adaptability in the hands of skilled threat actors. Warzone RAT's capabilities enable attackers to gain unauthorized access to targeted systems, facilitating data theft, surveillance, and the potential to wreak havoc on critical infrastructures. As the threat landscape continues to evolve, vigilance and robust cybersecurity measures are crucial in defending against such malicious tools.\" This version provides more context and elaborates on the malware's capabilities and potential impact. Additionally, it emphasizes the importance of cybersecurity measures to combat such threats effectively.", "tags": {"category": ["Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1055.002", "mitre_attack_technique": "Portable Executable Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Gorgon Group", "Rocke"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1497.003", "mitre_attack_technique": "Time Based Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "APT41", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "Volt Typhoon", "ZIRCONIUM"]}, {"mitre_attack_id": "T1553.005", "mitre_attack_technique": "Mark-of-the-Web Bypass", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "TA505"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "APT41", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Malteiro", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "Malteiro", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1497", "mitre_attack_technique": "Virtualization/Sandbox Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": ["Darkhotel"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1204.001", "mitre_attack_technique": "Malicious Link", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Initial Access", "Discovery", "Privilege Escalation", "Credential Access", "Persistence", "Execution", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation"]}, "detection_names": ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Create Remote Thread In Shell Application - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Hide User Account From Sign-In Screen - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Office Application Drop Executable - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Ping Sleep Batch Command - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Bypass UAC via Pkgmgr Tool - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule", "ESCU - Windows Defender Exclusion Registry Entry - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Mark Of The Web Bypass - Rule", "ESCU - Windows Modify Registry MaxConnectionPerServer - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule", "ESCU - Windows Process Injection Remote Thread - Rule", "ESCU - Windows Unsigned DLL Side-Loading - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Create Remote Thread In Shell Application", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Hide User Account From Sign-In Screen", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}, {"name": "Office Application Drop Executable", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}, {"name": "Ping Sleep Batch Command", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Virtualization/Sandbox Evasion"}, {"mitre_attack_technique": "Time Based Evasion"}]}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Windows Bypass UAC via Pkgmgr Tool", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}]}, {"name": "Windows Credentials from Password Stores Chrome LocalState Access", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Credentials from Password Stores Chrome Login Data Access", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Defender Exclusion Registry Entry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Malicious Link"}, {"mitre_attack_technique": "User Execution"}]}, {"name": "Windows Mark Of The Web Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Mark-of-the-Web Bypass"}]}, {"name": "Windows Modify Registry MaxConnectionPerServer", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}, {"name": "Windows Process Injection Remote Thread", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Portable Executable Injection"}]}, {"name": "Windows Unsigned DLL Side-Loading", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "DLL Side-Loading"}]}]}, {"name": "WhisperGate", "author": "Teoderick Contreras, Splunk", "date": "2022-01-19", "version": 1, "id": "0150e6e5-3171-442e-83f8-1ccd8599569b", "description": "This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the destructive malware targeting Ukrainian organizations also known as \"WhisperGate\". This analytic story looks for suspicious process execution, command-line activity, downloads, DNS queries and more.", "references": ["https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3"], "narrative": "WhisperGate/DEV-0586 is destructive malware operation found by MSTIC (Microsoft Threat Inteligence Center) targeting multiple organizations in Ukraine. This operation campaign consist of several malware component like the downloader that abuses discord platform, overwrite or destroy master boot record (MBR) of the targeted host, wiper and also windows defender evasion techniques.", "tags": {"category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "ToddyCat", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "ToddyCat", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.005", "mitre_attack_technique": "Visual Basic", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT33", "APT37", "APT38", "APT39", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Earth Lusca", "FIN13", "FIN4", "FIN7", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "Transparent Tribe", "Turla", "WIRTE", "Windshift"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1588.002", "mitre_attack_technique": "Tool", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT19", "APT28", "APT29", "APT32", "APT33", "APT38", "APT39", "APT41", "Aoqin Dragon", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Carbanak", "Chimera", "Cinnamon Tempest", "Cleaver", "Cobalt Group", "CopyKittens", "DarkHydrus", "DarkVishnya", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN5", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "GALLIUM", "Gorgon Group", "HEXANE", "Inception", "IndigoZebra", "Ke3chang", "Kimsuky", "LAPSUS$", "Lazarus Group", "Leafminer", "LuminousMoth", "Magic Hound", "Metador", "Moses Staff", "MuddyWater", "POLONIUM", "Patchwork", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "TA2541", "TA505", "Threat Group-3390", "Thrip", "Turla", "Volt Typhoon", "WIRTE", "Whitefly", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1561.002", "mitre_attack_technique": "Disk Structure Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}, {"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1497.003", "mitre_attack_technique": "Time Based Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1561", "mitre_attack_technique": "Disk Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1497", "mitre_attack_technique": "Virtualization/Sandbox Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": ["Darkhotel"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}], "mitre_attack_tactics": ["Resource Development", "Discovery", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Impact", "Lateral Movement"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Weaponization", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Excessive File Deletion In WinDefender Folder - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Ping Sleep Batch Command - Rule", "ESCU - Powershell Remove Windows Defender Directory - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Process Deleting Its Process File Path - Rule", "ESCU - Suspicious Process DNS Query Known Abuse Web Services - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Process With Discord DNS Query - Rule", "ESCU - Windows DotNet Binary in Non Standard Path - Rule", "ESCU - Windows High File Deletion Frequency - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows NirSoft AdvancedRun - Rule", "ESCU - Windows NirSoft Utilities - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - Wscript Or Cscript Suspicious Child Process - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Add or Set Windows Defender Exclusion", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Attempt To Stop Security Service", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Excessive File Deletion In WinDefender Folder", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}, {"name": "Ping Sleep Batch Command", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Virtualization/Sandbox Evasion"}, {"mitre_attack_technique": "Time Based Evasion"}]}, {"name": "Powershell Remove Windows Defender Directory", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Process Deleting Its Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Suspicious Process DNS Query Known Abuse Web Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Visual Basic"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Suspicious Process With Discord DNS Query", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Visual Basic"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows DotNet Binary in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}, {"name": "Windows High File Deletion Frequency", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}, {"name": "Windows NirSoft AdvancedRun", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Tool"}]}, {"name": "Windows NirSoft Utilities", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Tool"}]}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}, {"name": "Wscript Or Cscript Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Parent PID Spoofing"}, {"mitre_attack_technique": "Access Token Manipulation"}]}]}, {"name": "Windows AppLocker", "author": "Michael Haag, Splunk", "date": "2024-03-21", "version": 1, "id": "7911b245-e74d-48db-b1cf-69f3eb02ca55", "description": "Windows AppLocker is a feature that enhances security by allowing administrators to specify which users or groups can run particular applications in their organization based on unique identities of files. This story covers various aspects of monitoring and managing AppLocker policies, including detecting unauthorized software installations, enforcing best practices for software usage, and identifying potential security breaches through advanced threat detection techniques. Through the use of Splunk Enterprise, Splunk Enterprise Security, and Splunk Cloud, organizations can gain insights into AppLocker events, ensuring compliance with corporate security policies and mitigating risks associated with unauthorized applications.", "references": [], "narrative": "AppLocker, a built-in Windows security feature, provides organizations with the ability to control application usage across their networks. It enables administrators to define rules based on file names, publishers, and file hashes to allow or deny the execution of applications. This level of control helps in preventing malware and unlicensed software from running, thereby enhancing the security posture of an organization. \\\nOrganizations should leverage AppLocker for several reasons. Firstly, it aids in the enforcement of software compliance policies by ensuring that only licensed and approved applications are run on the network. Secondly, by restricting the execution of unauthorized applications, AppLocker significantly reduces the attack surface, making it harder for attackers to exploit vulnerabilities in unapproved software. Thirdly, AppLocker's ability to log attempts to run unauthorized applications provides valuable insights for security monitoring and incident response activities. This logging capability enables organizations to detect and respond to potential security threats in real time. \\\nIn summary, AppLocker is a critical security tool that helps organizations manage application usage, enforce compliance policies, and mitigate security risks. By implementing AppLocker policies, organizations can achieve a robust security posture, protecting their assets from unauthorized software and potential cyber threats.", "tags": {"category": ["Unauthorized Software", "Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": [], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Windows AppLocker Block Events - Rule", "ESCU - Windows AppLocker Execution from Uncommon Locations - Rule", "ESCU - Windows AppLocker Privilege Escalation via Unauthorized Bypass - Rule", "ESCU - Windows AppLocker Rare Application Launch Detection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows AppLocker Block Events", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}]}, {"name": "Windows AppLocker Execution from Uncommon Locations", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}]}, {"name": "Windows AppLocker Privilege Escalation via Unauthorized Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}]}, {"name": "Windows AppLocker Rare Application Launch Detection", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Binary Proxy Execution"}]}]}, {"name": "Windows Attack Surface Reduction", "author": "Michael Haag, Splunk", "date": "2023-11-27", "version": 1, "id": "1d61c474-3cd6-4c23-8c68-f128ac4b209b", "description": "This story contains detections for Windows Attack Surface Reduction (ASR) events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This story contains detections for ASR events that are generated when a process or application attempts to perform an action that is blocked by an ASR rule.", "references": ["https://asrgen.streamlit.app/", "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction?view=o365-worldwide"], "narrative": "This story contains detections for Windows Attack Surface Reduction (ASR) events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This story contains detections for ASR events that are generated when a process or application attempts to perform an action that is blocked by an ASR rule. It includes detections for both block and audit event IDs. Block event IDs are generated when an action is blocked by an ASR rule, while audit event IDs are generated when an action that would be blocked by an ASR rule is allowed to proceed for auditing purposes.", "tags": {"category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1566.002", "mitre_attack_technique": "Spearphishing Link", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Execution", "Initial Access", "Defense Evasion"], "datamodels": [], "kill_chain_phases": ["Installation", "Delivery", "Exploitation"]}, "detection_names": ["ESCU - Windows Defender ASR Audit Events - Rule", "ESCU - Windows Defender ASR Block Events - Rule", "ESCU - Windows Defender ASR Registry Modification - Rule", "ESCU - Windows Defender ASR Rule Disabled - Rule", "ESCU - Windows Defender ASR Rules Stacking - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Defender ASR Audit Events", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Spearphishing Link"}]}, {"name": "Windows Defender ASR Block Events", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Spearphishing Link"}]}, {"name": "Windows Defender ASR Registry Modification", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Defender ASR Rule Disabled", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Defender ASR Rules Stacking", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Spearphishing Link"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}]}, {"name": "Windows BootKits", "author": "Michael Haag, Splunk", "date": "2023-05-03", "version": 1, "id": "1bef004d-23b2-4c49-8ceb-b59af0745317", "description": "Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/", "https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/"], "narrative": "A bootkit is a sophisticated type of malware that targets the boot sectors of a hard drive, specifically the Master Boot Record (MBR) and Volume Boot Record (VBR). The MBR is the initial section of the disk that is loaded following the hardware initialization process executed by the Basic Input/Output System (BIOS). It houses the boot loader, which is responsible for loading the operating system. In contrast, the VBR is located at the beginning of each partition and contains the boot code for that specific partition. When an adversary gains raw access to the boot drive, they can overwrite the MBR or VBR, effectively diverting the execution during startup from the standard boot loader to the malicious code injected by the attacker. This tampering allows the malware to load before the operating system, enabling it to execute malicious activities stealthily and maintain persistence on the compromised system. Bootkits are particularly dangerous because they can bypass security measures implemented by the operating system and antivirus software. Since they load before the operating system, they can easily evade detection and manipulate the system's behavior from the earliest stages of the boot process. This capability makes bootkits a potent tool in an attacker's arsenal for gaining unauthorized access, stealing sensitive information, or launching further attacks on other systems. To defend against bootkit attacks, organizations should implement multiple layers of security, including strong endpoint protection, regular software updates, user awareness training, and monitoring for unusual system behavior. Additionally, hardware-based security features, such as Unified Extensible Firmware Interface (UEFI) Secure Boot and Trusted Platform Module (TPM), can help protect the integrity of the boot process and reduce the risk of bootkit infections.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1542.001", "mitre_attack_technique": "System Firmware", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1542", "mitre_attack_technique": "Pre-OS Boot", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Persistence", "Defense Evasion"], "datamodels": [], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - Windows BootLoader Inventory - Rule", "ESCU - Windows Registry BootExecute Modification - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows BootLoader Inventory", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Firmware"}, {"mitre_attack_technique": "Pre-OS Boot"}]}, {"name": "Windows Registry BootExecute Modification", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Pre-OS Boot"}, {"mitre_attack_technique": "Registry Run Keys / Startup Folder"}]}]}, {"name": "Windows Certificate Services", "author": "Michael Haag, Splunk", "date": "2023-02-01", "version": 1, "id": "b92b4ac7-0026-4408-a6b5-c1d20658e124", "description": "Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material.", "references": ["https://attack.mitre.org/techniques/T1649/"], "narrative": "The following analytic story focuses on remote and local endpoint certificate theft and abuse. Authentication certificates can be both stolen and forged. For example, AD CS certificates can be stolen from encrypted storage (in the Registry or files), misplaced certificate files (i.e. Unsecured Credentials), or directly from the Windows certificate store via various crypto APIs.With appropriate enrollment rights, users and/or machines within a domain can also request and/or manually renew certificates from enterprise certificate authorities (CA). This enrollment process defines various settings and permissions associated with the certificate. Abusing certificates for authentication credentials may enable other behaviors such as Lateral Movement. Certificate-related misconfigurations may also enable opportunities for Privilege Escalation, by way of allowing users to impersonate or assume privileged accounts or permissions via the identities (SANs) associated with a certificate. These abuses may also enable Persistence via stealing or forging certificates that can be used as Valid Accounts for the duration of the certificate's validity, despite user password resets. Authentication certificates can also be stolen and forged for machine accounts. (MITRE ATT&CK)", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1552.004", "mitre_attack_technique": "Private Keys", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Rocke", "Scattered Spider", "TeamTNT"]}, {"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Command And Control", "Collection", "Credential Access", "Execution", "Defense Evasion", "Lateral Movement"], "datamodels": ["Risk", "Endpoint"], "kill_chain_phases": ["Installation", "Exploitation", "Command and Control"]}, "detection_names": ["ESCU - Certutil exe certificate extraction - Rule", "ESCU - Detect Certify Command Line Arguments - Rule", "ESCU - Detect Certify With PowerShell Script Block Logging - Rule", "ESCU - Detect Certipy File Modifications - Rule", "ESCU - Steal or Forge Authentication Certificates Behavior Identified - Rule", "ESCU - Windows Export Certificate - Rule", "ESCU - Windows Mimikatz Crypto Export File Extensions - Rule", "ESCU - Windows PowerShell Export Certificate - Rule", "ESCU - Windows PowerShell Export PfxCertificate - Rule", "ESCU - Windows Steal Authentication Certificates - ESC1 Abuse - Rule", "ESCU - Windows Steal Authentication Certificates - ESC1 Authentication - Rule", "ESCU - Windows Steal Authentication Certificates Certificate Issued - Rule", "ESCU - Windows Steal Authentication Certificates Certificate Request - Rule", "ESCU - Windows Steal Authentication Certificates CertUtil Backup - Rule", "ESCU - Windows Steal Authentication Certificates CryptoAPI - Rule", "ESCU - Windows Steal Authentication Certificates CS Backup - Rule", "ESCU - Windows Steal Authentication Certificates Export Certificate - Rule", "ESCU - Windows Steal Authentication Certificates Export PfxCertificate - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Certutil exe certificate extraction", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Certify Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Detect Certify With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Detect Certipy File Modifications", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}, {"mitre_attack_technique": "Archive Collected Data"}]}, {"name": "Steal or Forge Authentication Certificates Behavior Identified", "source": "endpoint", "type": "Correlation", "tags": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}, {"name": "Windows Export Certificate", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Private Keys"}, {"mitre_attack_technique": "Unsecured Credentials"}, {"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}, {"name": "Windows Mimikatz Crypto Export File Extensions", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}, {"name": "Windows PowerShell Export Certificate", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Private Keys"}, {"mitre_attack_technique": "Unsecured Credentials"}, {"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}, {"name": "Windows PowerShell Export PfxCertificate", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Private Keys"}, {"mitre_attack_technique": "Unsecured Credentials"}, {"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}, {"name": "Windows Steal Authentication Certificates - ESC1 Abuse", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}, {"name": "Windows Steal Authentication Certificates - ESC1 Authentication", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}, {"mitre_attack_technique": "Use Alternate Authentication Material"}]}, {"name": "Windows Steal Authentication Certificates Certificate Issued", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}, {"name": "Windows Steal Authentication Certificates Certificate Request", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}, {"name": "Windows Steal Authentication Certificates CertUtil Backup", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}, {"name": "Windows Steal Authentication Certificates CryptoAPI", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}, {"name": "Windows Steal Authentication Certificates CS Backup", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}, {"name": "Windows Steal Authentication Certificates Export Certificate", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}, {"name": "Windows Steal Authentication Certificates Export PfxCertificate", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}]}, {"name": "Windows Defense Evasion Tactics", "author": "David Dorsey, Splunk", "date": "2018-05-31", "version": 1, "id": "56e24a28-5003-4047-b2db-e8f3c4618064", "description": "Detect tactics used by malware to evade defenses on Windows endpoints. A few of these include suspicious `reg.exe` processes, files hidden with `attrib.exe` and disabling user-account control, among many others ", "references": ["https://attack.mitre.org/wiki/Defense_Evasion"], "narrative": "Defense evasion is a tactic--identified in the MITRE ATT&CK framework--that adversaries employ in a variety of ways to bypass or defeat defensive security measures. There are many techniques enumerated by the MITRE ATT&CK framework that are applicable in this context. This Analytic Story includes searches designed to identify the use of such techniques on Windows platforms.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Cinnamon Tempest", "Earth Lusca", "FIN13", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1134.004", "mitre_attack_technique": "Parent PID Spoofing", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1564.004", "mitre_attack_technique": "NTFS File Attributes", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "APT5", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1505.004", "mitre_attack_technique": "IIS Components", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1055.001", "mitre_attack_technique": "Dynamic-link Library Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["BackdoorDiplomacy", "Lazarus Group", "Leviathan", "Malteiro", "Putter Panda", "TA505", "Tropic Trooper", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1222.001", "mitre_attack_technique": "Windows File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1218.014", "mitre_attack_technique": "MMC", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1562.002", "mitre_attack_technique": "Disable Windows Event Logging", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound", "Threat Group-3390"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1027.004", "mitre_attack_technique": "Compile After Delivery", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Gamaredon Group", "MuddyWater", "Rocke"]}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1564.001", "mitre_attack_technique": "Hidden Files and Directories", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "FIN13", "HAFNIUM", "Lazarus Group", "LuminousMoth", "Mustang Panda", "Rocke", "Transparent Tribe", "Tropic Trooper"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1574.001", "mitre_attack_technique": "DLL Search Order Hijacking", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT41", "Aquatic Panda", "BackdoorDiplomacy", "Cinnamon Tempest", "Evilnum", "RTM", "Threat Group-3390", "Tonto Team", "Whitefly", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1564", "mitre_attack_technique": "Hide Artifacts", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT", "ToddyCat"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}], "mitre_attack_tactics": ["Discovery", "Privilege Escalation", "Credential Access", "Persistence", "Execution", "Defense Evasion", "Impact"], "datamodels": ["Endpoint", "Updates", "Web", "Risk", "Change"], "kill_chain_phases": ["Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Reg exe used to hide files directories via registry keys - Rule", "ESCU - Remote Registry Key modifications - Rule", "ESCU - Windows DLL Search Order Hijacking Hunt - Rule", "ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - CSC Net On The Fly Compilation - Rule", "ESCU - Disable Registry Tool - Rule", "ESCU - Disable Security Logs Using MiniNt Registry - Rule", "ESCU - Disable Show Hidden Files - Rule", "ESCU - Disable UAC Remote Restriction - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Disable Windows SmartScreen Protection - Rule", "ESCU - Disabling CMD Application - Rule", "ESCU - Disabling ControlPanel - Rule", "ESCU - Disabling Firewall with Netsh - Rule", "ESCU - Disabling FolderOptions Windows Feature - Rule", "ESCU - Disabling NoRun Windows App - Rule", "ESCU - Disabling Remote User Account Control - Rule", "ESCU - Disabling SystemRestore In Registry - Rule", "ESCU - Disabling Task Manager - Rule", "ESCU - Disabling Windows Local Security Authority Defences via Registry - Rule", "ESCU - Eventvwr UAC Bypass - Rule", "ESCU - Excessive number of service control start as disabled - Rule", "ESCU - Firewall Allowed Program Enable - Rule", "ESCU - FodHelper UAC Bypass - Rule", "ESCU - Hiding Files And Directories With Attrib exe - Rule", "ESCU - NET Profiler UAC bypass - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Sdclt UAC Bypass - Rule", "ESCU - SilentCleanup UAC Bypass - Rule", "ESCU - SLUI RunAs Elevated - Rule", "ESCU - SLUI Spawning a Process - Rule", "ESCU - Suspicious Reg exe Process - Rule", "ESCU - UAC Bypass MMC Load Unsigned Dll - Rule", "ESCU - Windows Alternate DataStream - Base64 Content - Rule", "ESCU - Windows Alternate DataStream - Executable Content - Rule", "ESCU - Windows Alternate DataStream - Process Execution - Rule", "ESCU - Windows Command and Scripting Interpreter Hunting Path Traversal - Rule", "ESCU - Windows Command and Scripting Interpreter Path Traversal Exec - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows Defender Exclusion Registry Entry - Rule", "ESCU - Windows Disable Change Password Through Registry - Rule", "ESCU - Windows Disable Lock Workstation Feature Through Registry - Rule", "ESCU - Windows Disable Notification Center - Rule", "ESCU - Windows Disable Windows Event Logging Disable HTTP Logging - Rule", "ESCU - Windows Disable Windows Group Policy Features Through Registry - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows DISM Remove Defender - Rule", "ESCU - Windows DLL Search Order Hijacking Hunt with Sysmon - Rule", "ESCU - Windows DLL Search Order Hijacking with iscsicpl - Rule", "ESCU - Windows Event For Service Disabled - Rule", "ESCU - Windows Excessive Disabled Services Event - Rule", "ESCU - Windows Hide Notification Features Through Registry - Rule", "ESCU - Windows Impair Defense Change Win Defender Health Check Intervals - Rule", "ESCU - Windows Impair Defense Change Win Defender Quick Scan Interval - Rule", "ESCU - Windows Impair Defense Change Win Defender Throttle Rate - Rule", "ESCU - Windows Impair Defense Change Win Defender Tracing Level - Rule", "ESCU - Windows Impair Defense Configure App Install Control - Rule", "ESCU - Windows Impair Defense Define Win Defender Threat Action - Rule", "ESCU - Windows Impair Defense Delete Win Defender Context Menu - Rule", "ESCU - Windows Impair Defense Delete Win Defender Profile Registry - Rule", "ESCU - Windows Impair Defense Disable Controlled Folder Access - Rule", "ESCU - Windows Impair Defense Disable Defender Firewall And Network - Rule", "ESCU - Windows Impair Defense Disable Defender Protocol Recognition - Rule", "ESCU - Windows Impair Defense Disable PUA Protection - Rule", "ESCU - Windows Impair Defense Disable Realtime Signature Delivery - Rule", "ESCU - Windows Impair Defense Disable Web Evaluation - Rule", "ESCU - Windows Impair Defense Disable Win Defender App Guard - Rule", "ESCU - Windows Impair Defense Disable Win Defender Compute File Hashes - Rule", "ESCU - Windows Impair Defense Disable Win Defender Gen reports - Rule", "ESCU - Windows Impair Defense Disable Win Defender Network Protection - Rule", "ESCU - Windows Impair Defense Disable Win Defender Report Infection - Rule", "ESCU - Windows Impair Defense Disable Win Defender Scan On Update - Rule", "ESCU - Windows Impair Defense Disable Win Defender Signature Retirement - Rule", "ESCU - Windows Impair Defense Overide Win Defender Phishing Filter - Rule", "ESCU - Windows Impair Defense Override SmartScreen Prompt - Rule", "ESCU - Windows Impair Defense Set Win Defender Smart Screen Level To Warn - Rule", "ESCU - Windows Impair Defenses Disable HVCI - Rule", "ESCU - Windows Impair Defenses Disable Win Defender Auto Logging - Rule", "ESCU - Windows Known Abused DLL Created - Rule", "ESCU - Windows Modify Show Compress Color And Info Tip Registry - Rule", "ESCU - Windows Parent PID Spoofing with Explorer - Rule", "ESCU - Windows PowerShell Disable HTTP Logging - Rule", "ESCU - Windows Process With NamedPipe CommandLine - Rule", "ESCU - Windows Rasautou DLL Execution - Rule", "ESCU - Windows UAC Bypass Suspicious Child Process - Rule", "ESCU - Windows UAC Bypass Suspicious Escalation Behavior - Rule", "ESCU - WSReset UAC Bypass - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Reg exe used to hide files directories via registry keys", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Hidden Files and Directories"}]}, {"name": "Remote Registry Key modifications", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Windows DLL Search Order Hijacking Hunt", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "DLL Search Order Hijacking"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "Add or Set Windows Defender Exclusion", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "CSC Net On The Fly Compilation", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Compile After Delivery"}, {"mitre_attack_technique": "Obfuscated Files or Information"}]}, {"name": "Disable Registry Tool", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}, {"name": "Disable Security Logs Using MiniNt Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Disable Show Hidden Files", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Hidden Files and Directories"}, {"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Hide Artifacts"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}, {"name": "Disable UAC Remote Restriction", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Windows SmartScreen Protection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disabling CMD Application", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}, {"name": "Disabling ControlPanel", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}, {"name": "Disabling Firewall with Netsh", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disabling FolderOptions Windows Feature", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disabling NoRun Windows App", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}, {"name": "Disabling Remote User Account Control", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Disabling SystemRestore In Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Disabling Task Manager", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disabling Windows Local Security Authority Defences via Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Authentication Process"}]}, {"name": "Eventvwr UAC Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Excessive number of service control start as disabled", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Firewall Allowed Program Enable", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "FodHelper UAC Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}, {"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Hiding Files And Directories With Attrib exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "Windows File and Directory Permissions Modification"}]}, {"name": "NET Profiler UAC bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Sdclt UAC Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "SilentCleanup UAC Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "SLUI RunAs Elevated", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "SLUI Spawning a Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Suspicious Reg exe Process", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "UAC Bypass MMC Load Unsigned Dll", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}, {"mitre_attack_technique": "MMC"}]}, {"name": "Windows Alternate DataStream - Base64 Content", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Hide Artifacts"}, {"mitre_attack_technique": "NTFS File Attributes"}]}, {"name": "Windows Alternate DataStream - Executable Content", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Hide Artifacts"}, {"mitre_attack_technique": "NTFS File Attributes"}]}, {"name": "Windows Alternate DataStream - Process Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Hide Artifacts"}, {"mitre_attack_technique": "NTFS File Attributes"}]}, {"name": "Windows Command and Scripting Interpreter Hunting Path Traversal", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows Command and Scripting Interpreter Path Traversal Exec", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "System Network Connections Discovery"}, {"mitre_attack_technique": "System Owner/User Discovery"}, {"mitre_attack_technique": "System Shutdown/Reboot"}, {"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows Defender Exclusion Registry Entry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Disable Change Password Through Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Disable Lock Workstation Feature Through Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Disable Notification Center", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Disable Windows Event Logging Disable HTTP Logging", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable Windows Event Logging"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}, {"name": "Windows Disable Windows Group Policy Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows DISM Remove Defender", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows DLL Search Order Hijacking Hunt with Sysmon", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "DLL Search Order Hijacking"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "Windows DLL Search Order Hijacking with iscsicpl", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "DLL Search Order Hijacking"}]}, {"name": "Windows Event For Service Disabled", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Excessive Disabled Services Event", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Hide Notification Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Impair Defense Change Win Defender Health Check Intervals", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Change Win Defender Quick Scan Interval", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Change Win Defender Throttle Rate", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Change Win Defender Tracing Level", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Configure App Install Control", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Define Win Defender Threat Action", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Delete Win Defender Context Menu", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Delete Win Defender Profile Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Controlled Folder Access", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Defender Firewall And Network", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Defender Protocol Recognition", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable PUA Protection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Realtime Signature Delivery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Web Evaluation", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Win Defender App Guard", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Win Defender Compute File Hashes", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Win Defender Gen reports", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Win Defender Network Protection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Win Defender Report Infection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Win Defender Scan On Update", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Win Defender Signature Retirement", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Overide Win Defender Phishing Filter", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Override SmartScreen Prompt", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Set Win Defender Smart Screen Level To Warn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defenses Disable HVCI", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defenses Disable Win Defender Auto Logging", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Known Abused DLL Created", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "DLL Search Order Hijacking"}, {"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "Windows Modify Show Compress Color And Info Tip Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Parent PID Spoofing with Explorer", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Parent PID Spoofing"}, {"mitre_attack_technique": "Access Token Manipulation"}]}, {"name": "Windows PowerShell Disable HTTP Logging", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Disable Windows Event Logging"}, {"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}, {"name": "Windows Process With NamedPipe CommandLine", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "Windows Rasautou DLL Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Dynamic-link Library Injection"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Process Injection"}]}, {"name": "Windows UAC Bypass Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}, {"mitre_attack_technique": "Bypass User Account Control"}]}, {"name": "Windows UAC Bypass Suspicious Escalation Behavior", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}, {"mitre_attack_technique": "Bypass User Account Control"}]}, {"name": "WSReset UAC Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}]}, {"name": "Windows Discovery Techniques", "author": "Michael Hart, Splunk", "date": "2021-03-04", "version": 1, "id": "f7aba570-7d59-11eb-825e-acde48001122", "description": "Monitors for behaviors associated with adversaries discovering objects in the environment that can be leveraged in the progression of the attack.", "references": ["https://attack.mitre.org/tactics/TA0007/", "https://cyberd.us/penetration-testing", "https://attack.mitre.org/software/S0521/"], "narrative": "Attackers may not have much if any insight into their target's environment before the initial compromise. Once a foothold has been established, attackers will start enumerating objects in the environment (accounts, services, network shares, etc.) that can be used to achieve their objectives. This Analytic Story provides searches to help identify activities consistent with adversaries gaining knowledge of compromised Windows environments.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Behavioral Analytics", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT41", "BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Scattered Spider", "ToddyCat", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Akira", "Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT41", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "FIN7", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "ToddyCat", "Turla", "Volt Typhoon"]}, {"mitre_attack_id": "T1082", "mitre_attack_technique": "System Information Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT19", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "Blue Mockingbird", "Chimera", "Confucius", "Darkhotel", "FIN13", "FIN8", "Gamaredon Group", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Malteiro", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Sowbug", "Stealth Falcon", "TA2541", "TeamTNT", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Windigo", "Windshift", "Wizard Spider", "ZIRCONIUM", "admin@338"]}], "mitre_attack_tactics": ["Discovery"], "datamodels": ["Network_Traffic", "Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Detect AzureHound Command-Line Arguments - Rule", "ESCU - Detect AzureHound File Modifications - Rule", "ESCU - Detect SharpHound Command-Line Arguments - Rule", "ESCU - Detect SharpHound File Modifications - Rule", "ESCU - Detect SharpHound Usage - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Traffic to Active Directory Web Services Protocol - Rule", "ESCU - System Information Discovery Detection - Rule", "ESCU - Windows SOAPHound Binary Execution - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Hart", "detections": [{"name": "Detect AzureHound Command-Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Local Groups"}, {"mitre_attack_technique": "Domain Trust Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Groups"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}, {"name": "Detect AzureHound File Modifications", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Local Groups"}, {"mitre_attack_technique": "Domain Trust Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Groups"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}, {"name": "Detect SharpHound Command-Line Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Local Groups"}, {"mitre_attack_technique": "Domain Trust Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Groups"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}, {"name": "Detect SharpHound File Modifications", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Local Groups"}, {"mitre_attack_technique": "Domain Trust Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Groups"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}, {"name": "Detect SharpHound Usage", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Local Groups"}, {"mitre_attack_technique": "Domain Trust Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Groups"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}, {"name": "Network Traffic to Active Directory Web Services Protocol", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Local Groups"}, {"mitre_attack_technique": "Domain Trust Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Groups"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}, {"name": "System Information Discovery Detection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "System Information Discovery"}]}, {"name": "Windows SOAPHound Binary Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Local Groups"}, {"mitre_attack_technique": "Domain Trust Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Groups"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}]}, {"name": "Windows DNS SIGRed CVE-2020-1350", "author": "Shannon Davis, Splunk", "date": "2020-07-28", "version": 1, "id": "36dbb206-d073-11ea-87d0-0242ac130003", "description": "Uncover activity consistent with CVE-2020-1350, or SIGRed. Discovered by Checkpoint researchers, this vulnerability affects Windows 2003 to 2019, and is triggered by a malicious DNS response (only affects DNS over TCP). An attacker can use the malicious payload to cause a buffer overflow on the vulnerable system, leading to compromise. The included searches in this Analytic Story are designed to identify the large response payload for SIG and KEY DNS records which can be used for the exploit.", "references": ["https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", "https://support.microsoft.com/en-au/help/4569509/windows-dns-server-remote-code-execution-vulnerability"], "narrative": "When a client requests a DNS record for a particular domain, that request gets routed first through the client's locally configured DNS server, then to any DNS server(s) configured as forwarders, and then onto the target domain's own DNS server(s). If a attacker wanted to, they could host a malicious DNS server that responds to the initial request with a specially crafted large response (~65KB). This response would flow through to the client's local DNS server, which if not patched for CVE-2020-1350, would cause the buffer overflow. The detection searches in this Analytic Story use wire data to detect the malicious behavior. Searches for Splunk Stream and Zeek are included. The Splunk Stream search correlates across stream:dns and stream:tcp, while the Zeek search correlates across bro:dns:json and bro:conn:json. These correlations are required to pick up both the DNS record types (SIG and KEY) along with the payload size (>65KB).", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1203", "mitre_attack_technique": "Exploitation for Client Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT12", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT41", "Andariel", "Aoqin Dragon", "Axiom", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "Higaisa", "Inception", "Lazarus Group", "Leviathan", "MuddyWater", "Mustang Panda", "Patchwork", "Sandworm Team", "Sidewinder", "TA459", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "admin@338"]}], "mitre_attack_tactics": ["Execution"], "datamodels": [], "kill_chain_phases": ["Installation"]}, "detection_names": ["ESCU - Detect Windows DNS SIGRed via Splunk Stream - Rule", "ESCU - Detect Windows DNS SIGRed via Zeek - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Shannon Davis", "detections": [{"name": "Detect Windows DNS SIGRed via Splunk Stream", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploitation for Client Execution"}]}, {"name": "Detect Windows DNS SIGRed via Zeek", "source": "network", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploitation for Client Execution"}]}]}, {"name": "Windows Drivers", "author": "Michael Haag, Splunk", "date": "2022-03-30", "version": 1, "id": "d0a9323f-9411-4da6-86b2-18c184d750c0", "description": "Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components.", "references": ["https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/", "https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf", "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/"], "narrative": "A rootkit on Windows may sometimes be in the form of a Windows Driver. A driver typically has a file extension of .sys, however the internals of a sys file is similar to a Windows DLL. For Microsoft Windows to load a driver, a few requirements are needed. First, it must have a valid signature. Second, typically it should load from the windows\\system32\\drivers path. There are a few methods to investigate drivers in the environment. Drivers are noisy. An inventory of all drivers is important to understand prevalence. A driver location (Path) is also important when attempting to baseline. Looking at a driver name and path is not enough, we must also explore the signing information. Product, description, company name, signer and signing result are all items to take into account when reviewing drivers. What makes a driver malicious? Depending if a driver was dropped during a campaign or you are baselining drivers after, triaging a driver to determine maliciousness may be tough. We break this into two categories - 1. vulnerable drivers 2. driver rootkits. Attempt to identify prevelance of the driver. Is it on one or many? Review the signing information if it is present. Is it common? A lot of driver hunting will lead down rabbit holes, but we hope to help lead the way.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1014", "mitre_attack_technique": "Rootkit", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT41", "Rocke", "TeamTNT", "Winnti Group"]}, {"mitre_attack_id": "T1553.004", "mitre_attack_technique": "Install Root Certificate", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1553", "mitre_attack_technique": "Subvert Trust Controls", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Axiom"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Persistence", "Defense Evasion", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Windows Driver Inventory - Rule", "ESCU - Windows Driver Load Non-Standard Path - Rule", "ESCU - Windows Drivers Loaded by Signature - Rule", "ESCU - Windows Registry Certificate Added - Rule", "ESCU - Windows Registry Modification for Safe Mode Persistence - Rule", "ESCU - Windows Service Create Kernel Mode Driver - Rule", "ESCU - Windows System File on Disk - Rule", "ESCU - Windows Vulnerable Driver Loaded - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Windows Driver Inventory", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}, {"name": "Windows Driver Load Non-Standard Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Rootkit"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}, {"name": "Windows Drivers Loaded by Signature", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Rootkit"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}, {"name": "Windows Registry Certificate Added", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Install Root Certificate"}, {"mitre_attack_technique": "Subvert Trust Controls"}]}, {"name": "Windows Registry Modification for Safe Mode Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Windows Service Create Kernel Mode Driver", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}, {"name": "Windows System File on Disk", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}, {"name": "Windows Vulnerable Driver Loaded", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Service"}]}]}, {"name": "Windows Error Reporting Service Elevation of Privilege Vulnerability", "author": "Michael Haag, Splunk", "date": "2023-08-24", "version": 1, "id": "64dea1e5-2c60-461f-b886-05580ed89b5c", "description": "In July 2023, CrowdStrike's Falcon Complete managed detection and response (MDR) team uncovered an exploit kit using an unknown vulnerability in the Windows Error Reporting (WER) component. The vulnerability, now identified as CVE-2023-36874, was also independently discovered by Google's Threat Analysis Group. The exploit came to light when suspicious binaries were observed on a European technology system. CrowdStrike's Counter Adversary Operations' analysis revealed a zero-day exploit targeting the WER service, allowing attackers to execute unauthorized code with elevated privileges. The exploit kit seen aimed to spawn a privileged interpreter, displaying the versatility and adaptability of the threat. CrowdStrike has listed some potential indicators of compromise, but these are of low fidelity due to their mutable nature.", "references": ["https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/"], "narrative": "In June 2023, CrowdStrike's Falcon Complete team observed suspicious activities on a European technology entity's system. Multiple binaries were dropped onto the system via Remote Desktop Protocol (RDP), some of which were flagged as potential exploits for a known vulnerability. However, a string containing the Russian term for \"0day\" suggested an unknown vulnerability was at play. Subsequent investigations identified this as a zero-day vulnerability affecting the Windows Error Reporting (WER) component, now known as CVE-2023-36874.\nThe WER service's function is to report software issues on Windows hosts. The exploit centered around manipulating the WER service by redirecting file systems to execute attacker-controlled code with elevated privileges. This was achieved by creating a symbolic link redirection from the C:\\ drive to an attacker-controlled directory, and then triggering certain WER functions. Consequently, an unauthorized executable was run instead of the legitimate one, giving the attacker high-level access.\nThe observed exploit kit's primary objective was to initiate a privileged interpreter, such as cmd.exe or powershell_ise.exe. If this couldn't be achieved, a privileged scheduled task was created as an alternative. The exploit kit showcased a range of binaries, some packed and others not, some in C++ and others in pure C. This diversity suggests the knowledge of the vulnerability was likely shared among different developers.\nCrowdStrike's Counter Adversary Operations, as of now, hasn't linked this activity to any specific threat actor. They've provided potential indicators of compromise, but caution that these are easily changed, indicating the advanced capabilities of the adversaries.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "APT5", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}], "mitre_attack_tactics": ["Privilege Escalation", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - Windows Process Injection Wermgr Child Process - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "System Processes Run From Unexpected Locations", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}, {"name": "Windows Process Injection Wermgr Child Process", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Process Injection"}]}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}]}, {"name": "Windows File Extension and Association Abuse", "author": "Rico Valdez, Splunk", "date": "2018-01-26", "version": 1, "id": "30552a76-ac78-48e4-b3c0-de4e34e9563d", "description": "Detect and investigate suspected abuse of file extensions and Windows file associations. Some of the malicious behaviors involved may include inserting spaces before file extensions or prepending the file extension with a different one, among other techniques.", "references": ["https://blog.malwarebytes.com/cybercrime/2013/12/file-extensions-2/", "https://attack.mitre.org/wiki/Technique/T1042"], "narrative": "Attackers use a variety of techniques to entice users to run malicious code or to persist on an endpoint. One way to accomplish these goals is to leverage file extensions and the mechanism Windows uses to associate files with specific applications.\nSince its earliest days, Windows has used extensions to identify file types. Users have become familiar with these extensions and their application associations. For example, if users see that a file ends in `.doc` or `.docx`, they will assume that it is a Microsoft Word document and expect that double-clicking will open it using `winword.exe`. The user will typically also presume that the `.docx` file is safe.\nAttackers take advantage of this expectation by obfuscating the true file extension. They can accomplish this in a couple of ways. One technique involves inserting multiple spaces in the file name before the extension to hide the extension from the GUI, obscuring the true nature of the file. Another approach involves prepending the real extension with a different one. This is especially effective when Windows is configured to \"hide extensions for known file types.\" In this case, the real extension is not displayed, but the prepended one is, leading end users to believe the file is a different type than it actually is.\nChanging the association between a file extension and an application can allow an attacker to execute arbitrary code. The technique typically involves changing the association for an often-launched file type to associate instead with a malicious program the attacker has dropped on the endpoint. When the end user launches a file that has been manipulated in this way, it will execute the attacker's malware. It will also execute the application the end user expected to run, cleverly obscuring the fact that something suspicious has occurred.\nRun the searches in this story to detect and investigate suspicious behavior that may indicate abuse or manipulation of Windows file extensions and/or associations.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}], "mitre_attack_tactics": ["Persistence", "Privilege Escalation", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - Execution of File With Spaces Before Extension - Rule", "ESCU - Suspicious Changes to File Associations - Rule", "ESCU - Execution of File with Multiple Extensions - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Execution of File With Spaces Before Extension", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Rename System Utilities"}]}, {"name": "Suspicious Changes to File Associations", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Change Default File Association"}]}, {"name": "Execution of File with Multiple Extensions", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}]}, {"name": "Windows Log Manipulation", "author": "Rico Valdez, Splunk", "date": "2017-09-12", "version": 2, "id": "b6db2c60-a281-48b4-95f1-2cd99ed56835", "description": "Adversaries often try to cover their tracks by manipulating Windows logs. Use these searches to help you monitor for suspicious activity surrounding log files--an essential component of an effective defense.", "references": ["https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", "https://zeltser.com/security-incident-log-review-checklist/", "http://journeyintoir.blogspot.com/2013/01/re-introducing-usnjrnl.html"], "narrative": "Because attackers often modify system logs to cover their tracks and/or to thwart the investigative process, log monitoring is an industry-recognized best practice. While there are legitimate reasons to manipulate system logs, it is still worthwhile to keep track of who manipulated the logs, when they manipulated them, and in what way they manipulated them (determining which accesses, tools, or utilities were employed). Even if no malicious activity is detected, the knowledge of an attempt to manipulate system logs may be indicative of a broader security risk that should be thoroughly investigated.\nThe Analytic Story gives users two different ways to detect manipulation of Windows Event Logs and one way to detect deletion of the Update Sequence Number (USN) Change Journal. The story helps determine the history of the host and the users who have accessed it. Finally, the story aides in investigation by retrieving all the information on the process that caused these events (if the process has been identified).", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1070.001", "mitre_attack_technique": "Clear Windows Event Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "APT38", "APT41", "Chimera", "Dragonfly", "FIN5", "FIN8", "Indrik Spider"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}], "mitre_attack_tactics": ["Impact", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Deleting Shadow Copies - Rule", "ESCU - Suspicious Event Log Service Behavior - Rule", "ESCU - Suspicious wevtutil Usage - Rule", "ESCU - USN Journal Deletion - Rule", "ESCU - Windows Event Log Cleared - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Suspicious Event Log Service Behavior", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear Windows Event Logs"}]}, {"name": "Suspicious wevtutil Usage", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Clear Windows Event Logs"}, {"mitre_attack_technique": "Indicator Removal"}]}, {"name": "USN Journal Deletion", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}]}, {"name": "Windows Event Log Cleared", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear Windows Event Logs"}]}]}, {"name": "Windows Persistence Techniques", "author": "Bhavin Patel, Splunk", "date": "2018-05-31", "version": 2, "id": "30874d4f-20a1-488f-85ec-5d52ef74e3f9", "description": "Monitor for activities and techniques associated with maintaining persistence on a Windows system--a sign that an adversary may have compromised your environment.", "references": ["http://www.fuzzysecurity.com/tutorials/19.html", "https://www.fireeye.com/blog/threat-research/2010/07/malware-persistence-windows-registry.html", "http://resources.infosecinstitute.com/common-malware-persistence-mechanisms/", "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html", "https://www.youtube.com/watch?v=dq2Hv7J9fvk"], "narrative": "Maintaining persistence is one of the first steps taken by attackers after the initial compromise. Attackers leverage various custom and built-in tools to ensure survivability and persistent access within a compromised enterprise. This Analytic Story provides searches to help you identify various behaviors used by attackers to maintain persistent access to a Windows environment.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.010", "mitre_attack_technique": "Port Monitors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546.011", "mitre_attack_technique": "Application Shimming", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["FIN7"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1547.014", "mitre_attack_technique": "Active Setup", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562.006", "mitre_attack_technique": "Indicator Blocking", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT41", "APT5"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1222.001", "mitre_attack_technique": "Windows File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1547.012", "mitre_attack_technique": "Print Processors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1037.001", "mitre_attack_technique": "Logon Script (Windows)", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "Cobalt Group"]}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1134.005", "mitre_attack_technique": "SID-History Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1546.012", "mitre_attack_technique": "Image File Execution Options Injection", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA2541", "TA551"]}, {"mitre_attack_id": "T1564.001", "mitre_attack_technique": "Hidden Files and Directories", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "FIN13", "HAFNIUM", "Lazarus Group", "LuminousMoth", "Mustang Panda", "Rocke", "Transparent Tribe", "Tropic Trooper"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1574.011", "mitre_attack_technique": "Services Registry Permissions Weakness", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1037", "mitre_attack_technique": "Boot or Logon Initialization Scripts", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "Rocke"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546.002", "mitre_attack_technique": "Screensaver", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.003", "mitre_attack_technique": "Time Providers", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1574.009", "mitre_attack_technique": "Path Interception by Unquoted Path", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Persistence", "Execution", "Defense Evasion", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - Reg exe used to hide files directories via registry keys - Rule", "ESCU - Remote Registry Key modifications - Rule", "ESCU - Active Setup Registry Autostart - Rule", "ESCU - Certutil exe certificate extraction - Rule", "ESCU - Change Default File Association - Rule", "ESCU - Detect Path Interception By Creation Of program exe - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Hiding Files And Directories With Attrib exe - Rule", "ESCU - Logon Script Event Trigger Execution - Rule", "ESCU - Monitor Registry Keys for Print Monitors - Rule", "ESCU - Print Processor Registry Autostart - Rule", "ESCU - Reg exe Manipulating Windows Services Registry Keys - Rule", "ESCU - Registry Keys for Creating SHIM Databases - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Schedule Task with HTTP Command Arguments - Rule", "ESCU - Schedule Task with Rundll32 Command Trigger - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks used for forcing a reboot - Rule", "ESCU - Screensaver Event Trigger Execution - Rule", "ESCU - Shim Database File Creation - Rule", "ESCU - Shim Database Installation With Suspicious Parameters - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Time Provider Persistence Registry - Rule", "ESCU - Windows AD DSRM Account Changes - Rule", "ESCU - Windows AD Same Domain SID History Addition - Rule", "ESCU - Windows Event Triggered Image File Execution Options Injection - Rule", "ESCU - Windows Mshta Execution In Registry - Rule", "ESCU - Windows Registry Delete Task SD - Rule", "ESCU - Windows Scheduled Task Service Spawned Shell - Rule", "ESCU - Windows Schtasks Create Run As System - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Reg exe used to hide files directories via registry keys", "source": "deprecated", "type": "TTP", "tags": [{"mitre_attack_technique": "Hidden Files and Directories"}]}, {"name": "Remote Registry Key modifications", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Active Setup Registry Autostart", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Active Setup"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Certutil exe certificate extraction", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Change Default File Association", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Change Default File Association"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Detect Path Interception By Creation Of program exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Path Interception by Unquoted Path"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "ETW Registry Disabled", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Blocking"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Hiding Files And Directories With Attrib exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "Windows File and Directory Permissions Modification"}]}, {"name": "Logon Script Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Boot or Logon Initialization Scripts"}, {"mitre_attack_technique": "Logon Script (Windows)"}]}, {"name": "Monitor Registry Keys for Print Monitors", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Port Monitors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Print Processor Registry Autostart", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Reg exe Manipulating Windows Services Registry Keys", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Services Registry Permissions Weakness"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "Registry Keys for Creating SHIM Databases", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Application Shimming"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Schedule Task with HTTP Command Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Schedule Task with Rundll32 Command Trigger", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Schtasks used for forcing a reboot", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Screensaver Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "Screensaver"}]}, {"name": "Shim Database File Creation", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Application Shimming"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Shim Database Installation With Suspicious Parameters", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Application Shimming"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Time Provider Persistence Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Time Providers"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Windows AD DSRM Account Changes", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}]}, {"name": "Windows AD Same Domain SID History Addition", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "SID-History Injection"}, {"mitre_attack_technique": "Access Token Manipulation"}]}, {"name": "Windows Event Triggered Image File Execution Options Injection", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Image File Execution Options Injection"}]}, {"name": "Windows Mshta Execution In Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Mshta"}]}, {"name": "Windows Registry Delete Task SD", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Scheduled Task Service Spawned Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows Schtasks Create Run As System", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Services Registry Permissions Weakness"}]}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Scheduled Task"}]}]}, {"name": "Windows Post-Exploitation", "author": "Teoderick Contreras, Splunk", "date": "2022-11-30", "version": 1, "id": "992899b7-a5cf-4bcd-bb0d-cf81762188ba", "description": "This analytic story identifies popular Windows post exploitation tools for example winpeas.bat, winpeas.exe, WinPrivCheck.bat and many more.", "references": ["https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "narrative": "These tools allow operators to find possible exploits or paths for privilege escalation and persistence on a targeted host. Ransomware operator like the \"Prestige ransomware\" also used or abuses these post exploitation tools such as winPEAS to scan for possible avenue to gain privileges and persistence to a targeted Windows Operating System.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1070.005", "mitre_attack_technique": "Network Share Connection Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Threat Group-3390"]}, {"mitre_attack_id": "T1115", "mitre_attack_technique": "Clipboard Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT38", "APT39"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1552.002", "mitre_attack_technique": "Credentials in Registry", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT32"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT41", "FIN13", "TA505"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "APT5", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT5", "Lazarus Group"]}, {"mitre_attack_id": "T1016.001", "mitre_attack_technique": "Internet Connection Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT29", "FIN13", "FIN8", "Gamaredon Group", "HAFNIUM", "HEXANE", "Magic Hound", "TA2541", "Turla"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1531", "mitre_attack_technique": "Account Access Removal", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Akira", "LAPSUS$"]}, {"mitre_attack_id": "T1202", "mitre_attack_technique": "Indirect Command Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "APT41", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "Volt Typhoon", "ZIRCONIUM"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "FIN7", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "ToddyCat", "Turla", "Volt Typhoon"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1082", "mitre_attack_technique": "System Information Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT19", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "Blue Mockingbird", "Chimera", "Confucius", "Darkhotel", "FIN13", "FIN8", "Gamaredon Group", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Malteiro", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Sowbug", "Stealth Falcon", "TA2541", "TeamTNT", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Windigo", "Windshift", "Wizard Spider", "ZIRCONIUM", "admin@338"]}, {"mitre_attack_id": "T1547.005", "mitre_attack_technique": "Security Support Provider", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "Malteiro", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1552.004", "mitre_attack_technique": "Private Keys", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Rocke", "Scattered Spider", "TeamTNT"]}, {"mitre_attack_id": "T1003.005", "mitre_attack_technique": "Cached Domain Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "Leafminer", "MuddyWater", "OilRig"]}, {"mitre_attack_id": "T1555.005", "mitre_attack_technique": "Password Managers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Fox Kitten", "LAPSUS$", "Threat Group-3390"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Reconnaissance", "Collection", "Discovery", "Credential Access", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion", "Impact"], "datamodels": ["Risk", "Endpoint"], "kill_chain_phases": ["Reconnaissance", "Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Create or delete windows shares using net exe - Rule", "ESCU - Domain Group Discovery With Net - Rule", "ESCU - Excessive Usage Of Cacls App - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Connection Discovery With Net - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Network Discovery Using Route Windows App - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Windows Cached Domain Credentials Reg Query - Rule", "ESCU - Windows ClipBoard Data via Get-ClipBoard - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows Credentials from Password Stores Query - Rule", "ESCU - Windows Credentials in Registry Reg Query - Rule", "ESCU - Windows Indirect Command Execution Via forfiles - Rule", "ESCU - Windows Indirect Command Execution Via Series Of Forfiles - Rule", "ESCU - Windows Information Discovery Fsutil - Rule", "ESCU - Windows Modify Registry Reg Restore - Rule", "ESCU - Windows Password Managers Discovery - Rule", "ESCU - Windows Post Exploitation Risk Behavior - Rule", "ESCU - Windows Private Keys Discovery - Rule", "ESCU - Windows Query Registry Reg Save - Rule", "ESCU - Windows Security Support Provider Reg Query - Rule", "ESCU - Windows Steal or Forge Kerberos Tickets Klist - Rule", "ESCU - Windows System Network Config Discovery Display DNS - Rule", "ESCU - Windows System Network Connections Discovery Netsh - Rule", "ESCU - Windows System User Discovery Via Quser - Rule", "ESCU - Windows WMI Process And Service List - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Create or delete windows shares using net exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Network Share Connection Removal"}]}, {"name": "Domain Group Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}, {"name": "Excessive Usage Of Cacls App", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Account Access Removal"}]}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}, {"name": "Network Connection Discovery With Arp", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "Network Connection Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "Network Discovery Using Route Windows App", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Internet Connection Discovery"}]}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Gather Victim Host Information"}]}, {"name": "Windows Cached Domain Credentials Reg Query", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Cached Domain Credentials"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Windows ClipBoard Data via Get-ClipBoard", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Clipboard Data"}]}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "System Network Connections Discovery"}, {"mitre_attack_technique": "System Owner/User Discovery"}, {"mitre_attack_technique": "System Shutdown/Reboot"}, {"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "Windows Credentials from Password Stores Query", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials from Password Stores"}]}, {"name": "Windows Credentials in Registry Reg Query", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Credentials in Registry"}, {"mitre_attack_technique": "Unsecured Credentials"}]}, {"name": "Windows Indirect Command Execution Via forfiles", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indirect Command Execution"}]}, {"name": "Windows Indirect Command Execution Via Series Of Forfiles", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Indirect Command Execution"}]}, {"name": "Windows Information Discovery Fsutil", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Information Discovery"}]}, {"name": "Windows Modify Registry Reg Restore", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Password Managers Discovery", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Password Managers"}]}, {"name": "Windows Post Exploitation Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": [{"mitre_attack_technique": "Query Registry"}, {"mitre_attack_technique": "System Network Connections Discovery"}, {"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "System Information Discovery"}, {"mitre_attack_technique": "Clipboard Data"}, {"mitre_attack_technique": "Unsecured Credentials"}]}, {"name": "Windows Private Keys Discovery", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Private Keys"}, {"mitre_attack_technique": "Unsecured Credentials"}]}, {"name": "Windows Query Registry Reg Save", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Query Registry"}]}, {"name": "Windows Security Support Provider Reg Query", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Security Support Provider"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Windows Steal or Forge Kerberos Tickets Klist", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}, {"name": "Windows System Network Config Discovery Display DNS", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Network Configuration Discovery"}]}, {"name": "Windows System Network Connections Discovery Netsh", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Network Connections Discovery"}]}, {"name": "Windows System User Discovery Via Quser", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Owner/User Discovery"}]}, {"name": "Windows WMI Process And Service List", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}]}, {"name": "Windows Privilege Escalation", "author": "David Dorsey, Splunk", "date": "2020-02-04", "version": 2, "id": "644e22d3-598a-429c-a007-16fdb802cae5", "description": "Monitor for and investigate activities that may be associated with a Windows privilege-escalation attack, including unusual processes running on endpoints, modified registry keys, and more.", "references": ["https://attack.mitre.org/tactics/TA0004/"], "narrative": "Privilege escalation is a \"land-and-expand\" technique, wherein an adversary gains an initial foothold on a host and then exploits its weaknesses to increase his privileges. The motivation is simple: certain actions on a Windows machine--such as installing software--may require higher-level privileges than those the attacker initially acquired. By increasing his privilege level, the attacker can gain the control required to carry out his malicious ends. This Analytic Story provides searches to detect and investigate behaviors that attackers may use to elevate their privileges in your environment.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Cinnamon Tempest", "Earth Lusca", "FIN13", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Malteiro", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}, {"mitre_attack_id": "T1547.014", "mitre_attack_technique": "Active Setup", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562.006", "mitre_attack_technique": "Indicator Blocking", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT41", "APT5"]}, {"mitre_attack_id": "T1547.012", "mitre_attack_technique": "Print Processors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1037.001", "mitre_attack_technique": "Logon Script (Windows)", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "Cobalt Group"]}, {"mitre_attack_id": "T1546.008", "mitre_attack_technique": "Accessibility Features", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT3", "APT41", "Axiom", "Deep Panda", "Fox Kitten"]}, {"mitre_attack_id": "T1546.012", "mitre_attack_technique": "Image File Execution Options Injection", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1134.001", "mitre_attack_technique": "Token Impersonation/Theft", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "FIN8"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1037", "mitre_attack_technique": "Boot or Logon Initialization Scripts", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "Rocke"]}, {"mitre_attack_id": "T1546.002", "mitre_attack_technique": "Screensaver", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.003", "mitre_attack_technique": "Time Providers", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Privilege Escalation", "Credential Access", "Persistence", "Execution", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - Uncommon Processes On Endpoint - Rule", "ESCU - Active Setup Registry Autostart - Rule", "ESCU - Change Default File Association - Rule", "ESCU - Child Processes of Spoolsv exe - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Kerberoasting spn request with RC4 encryption - Rule", "ESCU - Logon Script Event Trigger Execution - Rule", "ESCU - MSI Module Loaded by Non-System Binary - Rule", "ESCU - Overwriting Accessibility Binaries - Rule", "ESCU - Print Processor Registry Autostart - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule", "ESCU - Runas Execution in CommandLine - Rule", "ESCU - Screensaver Event Trigger Execution - Rule", "ESCU - Time Provider Persistence Registry - Rule", "ESCU - Windows Privilege Escalation Suspicious Process Elevation - Rule", "ESCU - Windows Privilege Escalation System Process Without System Parent - Rule", "ESCU - Windows Privilege Escalation User Process Spawn System Process - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Uncommon Processes On Endpoint", "source": "deprecated", "type": "Hunting", "tags": [{"mitre_attack_technique": "Malicious File"}]}, {"name": "Active Setup Registry Autostart", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Active Setup"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Change Default File Association", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Change Default File Association"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Child Processes of Spoolsv exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}, {"name": "ETW Registry Disabled", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Blocking"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Kerberoasting spn request with RC4 encryption", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}]}, {"name": "Logon Script Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Boot or Logon Initialization Scripts"}, {"mitre_attack_technique": "Logon Script (Windows)"}]}, {"name": "MSI Module Loaded by Non-System Binary", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "Overwriting Accessibility Binaries", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "Accessibility Features"}]}, {"name": "Print Processor Registry Autostart", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Registry Keys Used For Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Image File Execution Options Injection"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Runas Execution in CommandLine", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Access Token Manipulation"}, {"mitre_attack_technique": "Token Impersonation/Theft"}]}, {"name": "Screensaver Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "Screensaver"}]}, {"name": "Time Provider Persistence Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Time Providers"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Windows Privilege Escalation Suspicious Process Elevation", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}, {"mitre_attack_technique": "Access Token Manipulation"}]}, {"name": "Windows Privilege Escalation System Process Without System Parent", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}, {"mitre_attack_technique": "Access Token Manipulation"}]}, {"name": "Windows Privilege Escalation User Process Spawn System Process", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}, {"mitre_attack_technique": "Access Token Manipulation"}]}]}, {"name": "Windows Registry Abuse", "author": "Teoderick Contreras, Splunk", "date": "2022-03-17", "version": 1, "id": "78df1df1-25f1-4387-90f9-c4ea31ce6b75", "description": "Windows services are often used by attackers for persistence, privilege escalation, lateral movement, defense evasion, collection of data, a tool for recon, credential dumping and payload impact. This Analytic Story helps you monitor your environment for indications that Windows registry are being modified or created in a suspicious manner.", "references": ["https://attack.mitre.org/techniques/T1112/", "https://redcanary.com/blog/windows-registry-attacks-threat-detection/"], "narrative": "Windows Registry is one of the powerful and yet still mysterious Windows features that can tweak or manipulate Windows policies and low-level configuration settings. Because of this capability, most malware, adversaries or threat actors abuse this hierarchical database to do their malicious intent on a targeted host or network environment. In these cases, attackers often use tools to create or modify registry in ways that are not typical for most environments, providing opportunities for detection.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1547.010", "mitre_attack_technique": "Port Monitors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546.011", "mitre_attack_technique": "Application Shimming", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["FIN7"]}, {"mitre_attack_id": "T1552.002", "mitre_attack_technique": "Credentials in Registry", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT32"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1547.008", "mitre_attack_technique": "LSASS Driver", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1562.006", "mitre_attack_technique": "Indicator Blocking", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT41", "APT5"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "APT5", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546.012", "mitre_attack_technique": "Image File Execution Options Injection", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "APT5", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1564.001", "mitre_attack_technique": "Hidden Files and Directories", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "FIN13", "HAFNIUM", "Lazarus Group", "LuminousMoth", "Mustang Panda", "Rocke", "Transparent Tribe", "Tropic Trooper"]}, {"mitre_attack_id": "T1491", "mitre_attack_technique": "Defacement", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1553.004", "mitre_attack_technique": "Install Root Certificate", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1553", "mitre_attack_technique": "Subvert Trust Controls", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Axiom"]}, {"mitre_attack_id": "T1574.011", "mitre_attack_technique": "Services Registry Permissions Weakness", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1546.002", "mitre_attack_technique": "Screensaver", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.003", "mitre_attack_technique": "Time Providers", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT41", "APT5", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1564", "mitre_attack_technique": "Hide Artifacts", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Privilege Escalation", "Credential Access", "Persistence", "Execution", "Defense Evasion", "Impact", "Lateral Movement"], "datamodels": ["Web", "Updates", "Endpoint", "Risk"], "kill_chain_phases": ["Installation", "Exploitation", "Actions on Objectives"]}, "detection_names": ["ESCU - Allow Inbound Traffic By Firewall Rule Registry - Rule", "ESCU - Allow Operation with Consent Admin - Rule", "ESCU - Attempted Credential Dump From Registry via Reg exe - Rule", "ESCU - Auto Admin Logon Registry Entry - Rule", "ESCU - Change Default File Association - Rule", "ESCU - Disable AMSI Through Registry - Rule", "ESCU - Disable Defender AntiVirus Registry - Rule", "ESCU - Disable Defender BlockAtFirstSeen Feature - Rule", "ESCU - Disable Defender Enhanced Notification - Rule", "ESCU - Disable Defender MpEngine Registry - Rule", "ESCU - Disable Defender Spynet Reporting - Rule", "ESCU - Disable Defender Submit Samples Consent Feature - Rule", "ESCU - Disable ETW Through Registry - Rule", "ESCU - Disable Registry Tool - Rule", "ESCU - Disable Security Logs Using MiniNt Registry - Rule", "ESCU - Disable Show Hidden Files - Rule", "ESCU - Disable UAC Remote Restriction - Rule", "ESCU - Disable Windows App Hotkeys - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Disable Windows SmartScreen Protection - Rule", "ESCU - Disabling CMD Application - Rule", "ESCU - Disabling ControlPanel - Rule", "ESCU - Disabling Defender Services - Rule", "ESCU - Disabling FolderOptions Windows Feature - Rule", "ESCU - Disabling NoRun Windows App - Rule", "ESCU - Disabling Remote User Account Control - Rule", "ESCU - Disabling SystemRestore In Registry - Rule", "ESCU - Disabling Task Manager - Rule", "ESCU - Disabling Windows Local Security Authority Defences via Registry - Rule", "ESCU - Enable RDP In Other Port Number - Rule", "ESCU - Enable WDigest UseLogonCredential Registry - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Eventvwr UAC Bypass - Rule", "ESCU - Hide User Account From Sign-In Screen - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - Monitor Registry Keys for Print Monitors - Rule", "ESCU - Registry Keys for Creating SHIM Databases - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule", "ESCU - Remcos client registry install entry - Rule", "ESCU - Revil Registry Entry - Rule", "ESCU - Screensaver Event Trigger Execution - Rule", "ESCU - Sdclt UAC Bypass - Rule", "ESCU - SilentCleanup UAC Bypass - Rule", "ESCU - Time Provider Persistence Registry - Rule", "ESCU - Windows AD DSRM Account Changes - Rule", "ESCU - Windows Autostart Execution LSASS Driver Registry Modification - Rule", "ESCU - Windows Disable Lock Workstation Feature Through Registry - Rule", "ESCU - Windows Disable LogOff Button Through Registry - Rule", "ESCU - Windows Disable Memory Crash Dump - Rule", "ESCU - Windows Disable Notification Center - Rule", "ESCU - Windows Disable Shutdown Button Through Registry - Rule", "ESCU - Windows Disable Windows Group Policy Features Through Registry - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows Hide Notification Features Through Registry - Rule", "ESCU - Windows Impair Defense Change Win Defender Health Check Intervals - Rule", "ESCU - Windows Impair Defense Change Win Defender Quick Scan Interval - Rule", "ESCU - Windows Impair Defense Change Win Defender Throttle Rate - Rule", "ESCU - Windows Impair Defense Change Win Defender Tracing Level - Rule", "ESCU - Windows Impair Defense Configure App Install Control - Rule", "ESCU - Windows Impair Defense Define Win Defender Threat Action - Rule", "ESCU - Windows Impair Defense Delete Win Defender Context Menu - Rule", "ESCU - Windows Impair Defense Delete Win Defender Profile Registry - Rule", "ESCU - Windows Impair Defense Disable Controlled Folder Access - Rule", "ESCU - Windows Impair Defense Disable Defender Firewall And Network - Rule", "ESCU - Windows Impair Defense Disable Defender Protocol Recognition - Rule", "ESCU - Windows Impair Defense Disable PUA Protection - Rule", "ESCU - Windows Impair Defense Disable Realtime Signature Delivery - Rule", "ESCU - Windows Impair Defense Disable Web Evaluation - Rule", "ESCU - Windows Impair Defense Disable Win Defender App Guard - Rule", "ESCU - Windows Impair Defense Disable Win Defender Compute File Hashes - Rule", "ESCU - Windows Impair Defense Disable Win Defender Gen reports - Rule", "ESCU - Windows Impair Defense Disable Win Defender Network Protection - Rule", "ESCU - Windows Impair Defense Disable Win Defender Report Infection - Rule", "ESCU - Windows Impair Defense Disable Win Defender Scan On Update - Rule", "ESCU - Windows Impair Defense Disable Win Defender Signature Retirement - Rule", "ESCU - Windows Impair Defense Overide Win Defender Phishing Filter - Rule", "ESCU - Windows Impair Defense Override SmartScreen Prompt - Rule", "ESCU - Windows Impair Defense Set Win Defender Smart Screen Level To Warn - Rule", "ESCU - Windows Impair Defenses Disable HVCI - Rule", "ESCU - Windows Impair Defenses Disable Win Defender Auto Logging - Rule", "ESCU - Windows Modify Registry Risk Behavior - Rule", "ESCU - Windows Modify Show Compress Color And Info Tip Registry - Rule", "ESCU - Windows Registry Certificate Added - Rule", "ESCU - Windows Registry Delete Task SD - Rule", "ESCU - Windows Registry Modification for Safe Mode Persistence - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule", "ESCU - WSReset UAC Bypass - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Allow Inbound Traffic By Firewall Rule Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}, {"name": "Allow Operation with Consent Admin", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Attempted Credential Dump From Registry via Reg exe", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "Auto Admin Logon Registry Entry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Credentials in Registry"}, {"mitre_attack_technique": "Unsecured Credentials"}]}, {"name": "Change Default File Association", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Change Default File Association"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Disable AMSI Through Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Defender AntiVirus Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Defender BlockAtFirstSeen Feature", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Defender Enhanced Notification", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Defender MpEngine Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Defender Spynet Reporting", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Defender Submit Samples Consent Feature", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable ETW Through Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Registry Tool", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}, {"name": "Disable Security Logs Using MiniNt Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Disable Show Hidden Files", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Hidden Files and Directories"}, {"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Hide Artifacts"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}, {"name": "Disable UAC Remote Restriction", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Disable Windows App Hotkeys", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disable Windows SmartScreen Protection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disabling CMD Application", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}, {"name": "Disabling ControlPanel", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}, {"name": "Disabling Defender Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disabling FolderOptions Windows Feature", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disabling NoRun Windows App", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}, {"name": "Disabling Remote User Account Control", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Disabling SystemRestore In Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Inhibit System Recovery"}]}, {"name": "Disabling Task Manager", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Disabling Windows Local Security Authority Defences via Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Authentication Process"}]}, {"name": "Enable RDP In Other Port Number", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Remote Services"}]}, {"name": "Enable WDigest UseLogonCredential Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}, {"mitre_attack_technique": "OS Credential Dumping"}]}, {"name": "ETW Registry Disabled", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Indicator Blocking"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Eventvwr UAC Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Hide User Account From Sign-In Screen", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Defacement"}]}, {"name": "Monitor Registry Keys for Print Monitors", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Port Monitors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Registry Keys for Creating SHIM Databases", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Application Shimming"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Registry Keys Used For Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Image File Execution Options Injection"}, {"mitre_attack_technique": "Event Triggered Execution"}]}, {"name": "Remcos client registry install entry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Revil Registry Entry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Screensaver Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "Screensaver"}]}, {"name": "Sdclt UAC Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "SilentCleanup UAC Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}, {"name": "Time Provider Persistence Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Time Providers"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Windows AD DSRM Account Changes", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Manipulation"}]}, {"name": "Windows Autostart Execution LSASS Driver Registry Modification", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "LSASS Driver"}]}, {"name": "Windows Disable Lock Workstation Feature Through Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Disable LogOff Button Through Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Disable Memory Crash Dump", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Data Destruction"}]}, {"name": "Windows Disable Notification Center", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Disable Shutdown Button Through Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Disable Windows Group Policy Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Hide Notification Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Impair Defense Change Win Defender Health Check Intervals", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Change Win Defender Quick Scan Interval", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Change Win Defender Throttle Rate", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Change Win Defender Tracing Level", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Configure App Install Control", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Define Win Defender Threat Action", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Delete Win Defender Context Menu", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Delete Win Defender Profile Registry", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Controlled Folder Access", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Defender Firewall And Network", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Defender Protocol Recognition", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable PUA Protection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Realtime Signature Delivery", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Web Evaluation", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Win Defender App Guard", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Win Defender Compute File Hashes", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Win Defender Gen reports", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Win Defender Network Protection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Win Defender Report Infection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Win Defender Scan On Update", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Disable Win Defender Signature Retirement", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Overide Win Defender Phishing Filter", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Override SmartScreen Prompt", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defense Set Win Defender Smart Screen Level To Warn", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defenses Disable HVCI", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Impair Defenses Disable Win Defender Auto Logging", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Modify Registry Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Modify Show Compress Color And Info Tip Registry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Modify Registry"}]}, {"name": "Windows Registry Certificate Added", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Install Root Certificate"}, {"mitre_attack_technique": "Subvert Trust Controls"}]}, {"name": "Windows Registry Delete Task SD", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Windows Registry Modification for Safe Mode Persistence", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Services Registry Permissions Weakness"}]}, {"name": "WSReset UAC Bypass", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}]}, {"name": "Windows Service Abuse", "author": "Rico Valdez, Splunk", "date": "2017-11-02", "version": 3, "id": "6dbd810e-f66d-414b-8dfc-e46de55cbfe2", "description": "Windows services are often used by attackers for persistence and the ability to load drivers or otherwise interact with the Windows kernel. This Analytic Story helps you monitor your environment for indications that Windows services are being modified or created in a suspicious manner.", "references": ["https://attack.mitre.org/wiki/Technique/T1050", "https://attack.mitre.org/wiki/Technique/T1031"], "narrative": "The Windows operating system uses a services architecture to allow for running code in the background, similar to a UNIX daemon. Attackers will often leverage Windows services for persistence, hiding in plain sight, seeking the ability to run privileged code that can interact with the kernel. In many cases, attackers will create a new service to host their malicious code. Attackers have also been observed modifying unnecessary or unused services to point to their own code, as opposed to what was intended. In these cases, attackers often use tools to create or modify services in ways that are not typical for most environments, providing opportunities for detection.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1574.011", "mitre_attack_technique": "Services Registry Permissions Weakness", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}], "mitre_attack_tactics": ["Persistence", "Execution", "Privilege Escalation", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation"]}, "detection_names": ["ESCU - First Time Seen Running Windows Service - Rule", "ESCU - Reg exe Manipulating Windows Services Registry Keys - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "First Time Seen Running Windows Service", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}, {"name": "Reg exe Manipulating Windows Services Registry Keys", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Services Registry Permissions Weakness"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}]}, {"name": "Windows System Binary Proxy Execution MSIExec", "author": "Michael Haag, Splunk", "date": "2022-06-16", "version": 1, "id": "bea2e16b-4599-46ad-a95b-116078726c68", "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).", "references": ["https://attack.mitre.org/techniques/T1218/007/"], "narrative": "Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs. Since it may be signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. Msiexec.exe execution may also be elevated to SYSTEM privileges if the AlwaysInstallElevated policy is enabled.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.007", "mitre_attack_technique": "Msiexec", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Machete", "Molerats", "Rancor", "TA505", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Windows MSIExec DLLRegisterServer - Rule", "ESCU - Windows MSIExec Remote Download - Rule", "ESCU - Windows MSIExec Spawn Discovery Command - Rule", "ESCU - Windows MSIExec Unregister DLLRegisterServer - Rule", "ESCU - Windows MSIExec With Network Connections - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows MSIExec DLLRegisterServer", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Msiexec"}]}, {"name": "Windows MSIExec Remote Download", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Msiexec"}]}, {"name": "Windows MSIExec Spawn Discovery Command", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Msiexec"}]}, {"name": "Windows MSIExec Unregister DLLRegisterServer", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Msiexec"}]}, {"name": "Windows MSIExec With Network Connections", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Msiexec"}]}]}, {"name": "WinRAR Spoofing Attack CVE-2023-38831", "author": "Michael Haag, Splunk", "date": "2023-08-29", "version": 1, "id": "9ba776f3-b8c5-4390-a312-6dab6c5561b9", "description": "Group-IB Threat Intelligence unit discovered a zero-day vulnerability, CVE-2023-38831, in WinRAR, a popular compression tool. Cybercriminals exploited this vulnerability to deliver various malware families, including DarkMe and GuLoader, by crafting ZIP archives with spoofed extensions, which were then distributed on trading forums. Once the malware was executed, it allowed cybercriminals to withdraw funds from brokers' accounts. RARLAB was immediately notified about the vulnerability and released a patch. Group-IB recommends users update WinRAR to the latest version, stay informed about cyber threats, be cautious with unknown attachments, enable 2FA, backup data, and follow the principle of least privilege.", "references": ["https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/", "https://nvd.nist.gov/vuln/detail/CVE-2023-38831"], "narrative": "Group-IB Threat Intelligence unit identified a critical zero-day vulnerability, CVE-2023-38831, in WinRAR, a widely used compression tool. This vulnerability was exploited by cybercriminals to craft ZIP archives containing malicious and non-malicious files, distributed on specialized trading forums. The exploit allowed them to spoof file extensions, hiding the launch of malicious scripts within an archive masquerading as a '.jpg', '.txt', or any other file format. When victims opened the specially crafted archive, it executed the malware, leading to unauthorized access to their broker accounts and enabling the cybercriminals to perform illicit financial transactions and withdraw funds.\nThe vulnerability was discovered while researching the spread of DarkMe malware, a VisualBasic spy Trojan attributed to the financially motivated group, Evilnum. The malware was distributed alongside other malware families, such as GuLoader and Remcos RAT, via malicious ZIP archives posted on popular trading forums or distributed via file-sharing services. Despite efforts by forum administrators to warn users and disable threat actors' accounts, the cybercriminals continued to spread the malicious files, compromising devices, and leading to financial losses.\nGroup-IB immediately notified RARLAB about the vulnerability, and they promptly responded by issuing a patch. The beta version of the patch was released on July 20, 2023, and the final updated version, WinRAR 6.23, was released on August 2, 2023. Group-IB recommends all users install the latest version of WinRAR to mitigate the risk of exploitation.\nIn conclusion, the exploitation of the CVE-2023-38831 vulnerability highlights the constant risks associated with software vulnerabilities and the importance of remaining vigilant, keeping systems updated, and following security guidelines to avoid falling victim to such attacks. Collaboration between security researchers and software developers is essential to quickly identify and fix vulnerabilities, making it harder for cybercriminals to exploit them.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - WinRAR Spawning Shell Application - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "WinRAR Spawning Shell Application", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}]}, {"name": "Winter Vivern", "author": "Teoderick Contreras, Splunk", "date": "2023-02-16", "version": 1, "id": "5ce5f311-b311-4568-90ca-0c36781d07a4", "description": "Utilize searches that enable you to detect and investigate unusual activities potentially related to the Winter Vivern malicious software. This includes examining multiple timeout executions, scheduled task creations, screenshots, and downloading files through PowerShell, among other indicators.", "references": ["https://cert.gov.ua/article/3761023"], "narrative": "The Winter Vivern malware, identified by CERT UA, is designed to download and run multiple PowerShell scripts on targeted hosts. These scripts aim to gather a variety of files with specific extensions, including (.edb, .ems, .eme, .emz, .key, .pem, .ovpn, .bat, .cer, .p12, .cfg, .log, .txt, .pdf, .doc, .docx, .xls, .xlsx, and .rdg), primarily from desktop directories. In addition to this, the malware captures desktop screenshots and performs data exfiltration using HTTP. To maintain its presence on the targeted host, Winter Vivern also establishes a persistence mechanism, such as creating a scheduled task.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TeamTNT", "Threat Group-3390", "Thrip", "ToddyCat", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT41", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT3", "APT37", "APT41", "BackdoorDiplomacy", "BlackOasis", "Earth Lusca", "Ember Bear", "GALLIUM", "Gallmaker", "Gamaredon Group", "Ke3chang", "Kimsuky", "Mustang Panda", "Rocke", "Sandworm Team", "Windshift"]}, {"mitre_attack_id": "T1041", "mitre_attack_technique": "Exfiltration Over C2 Channel", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Chimera", "Confucius", "GALLIUM", "Gamaredon Group", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "LuminousMoth", "MuddyWater", "Sandworm Team", "Stealth Falcon", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "APT5", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "ToddyCat", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "ToddyCat", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1113", "mitre_attack_technique": "Screen Capture", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT39", "BRONZE BUTLER", "Dark Caracal", "Dragonfly", "FIN7", "GOLD SOUTHFIELD", "Gamaredon Group", "Group5", "Magic Hound", "MoustachedBouncer", "MuddyWater", "OilRig", "Silence"]}], "mitre_attack_tactics": ["Command And Control", "Exfiltration", "Collection", "Discovery", "Privilege Escalation", "Persistence", "Execution", "Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation", "Exploitation", "Actions on Objectives", "Command and Control"]}, "detection_names": ["ESCU - Any Powershell DownloadString - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - GetWmiObject User Account with PowerShell - Rule", "ESCU - GetWmiObject User Account with PowerShell Script Block - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Schedule Task with HTTP Command Arguments - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - System User Discovery With Whoami - Rule", "ESCU - Windows Exfiltration Over C2 Via Invoke RestMethod - Rule", "ESCU - Windows Exfiltration Over C2 Via Powershell UploadString - Rule", "ESCU - Windows Scheduled Task Created Via XML - Rule", "ESCU - Windows Screen Capture Via Powershell - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}, {"name": "GetWmiObject User Account with PowerShell", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}]}, {"name": "GetWmiObject User Account with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "PowerShell Loading DotNET into Memory via Reflection", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}, {"name": "Schedule Task with HTTP Command Arguments", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "System User Discovery With Whoami", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "System Owner/User Discovery"}]}, {"name": "Windows Exfiltration Over C2 Via Invoke RestMethod", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over C2 Channel"}]}, {"name": "Windows Exfiltration Over C2 Via Powershell UploadString", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Exfiltration Over C2 Channel"}]}, {"name": "Windows Scheduled Task Created Via XML", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Windows Screen Capture Via Powershell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Screen Capture"}]}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Scheduled Task"}]}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "Scheduled Task"}]}]}, {"name": "WordPress Vulnerabilities", "author": "Michael Haag, Splunk", "date": "2024-02-22", "version": 1, "id": "baeaee14-e439-4c95-91e8-aaedd8265c1c", "description": "This analytic story provides a collection of analytics that detect potential exploitation of WordPress vulnerabilities. The analytics are focused on the detection of known vulnerabilities in WordPress plugins and themes.", "references": ["https://attack.mitre.org/techniques/T1190", "https://github.com/Tornad0007/CVE-2024-25600-Bricks-Builder-plugin-for-WordPress/blob/main/exploit.py", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25600", "https://op-c.net/blog/cve-2024-25600-wordpresss-bricks-builder-rce-flaw-under-active-exploitation/", "https://thehackernews.com/2024/02/wordpress-bricks-theme-under-active.html"], "narrative": "The following collection of analytics are focused on the detection of known vulnerabilities in WordPress plugins and themes. The analytics are focused on the detection of known vulnerabilities in WordPress plugins and themes.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - WordPress Bricks Builder plugin RCE - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "WordPress Bricks Builder plugin RCE", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}]}, {"name": "WS FTP Server Critical Vulnerabilities", "author": "Michael Haag, Splunk", "date": "2023-10-01", "version": 1, "id": "60466291-3ab4-452b-9c11-456aa2dc7293", "description": "A critical security advisory was released by Progress Software on September 27, 2023, concerning multiple vulnerabilities in WS_FTP Server, a widely-used secure file transfer solution. The two critical vulnerabilities are CVE-2023-40044, a .NET deserialization flaw, and CVE-2023-42657, a directory traversal vulnerability. Rapid7 has observed active exploitation of these vulnerabilities. Affected versions are prior to 8.7.4 and 8.8.2. Immediate action is advised - upgrade to WS_FTP Server version 8.8.2. For those unable to update, disabling the Ad Hoc Transfer module is suggested as a temporary measure. This comes in the wake of increased scrutiny following the Cl0p ransomware attack on MOVEit Transfer in May 2023.", "references": ["https://www.assetnote.io/resources/research/rce-in-progress-ws-ftp-ad-hoc-via-iis-http-modules-cve-2023-40044", "https://community.progress.com/s/article/WS-FTP-Server-Critical-Vulnerability-September-2023", "https://www.cve.org/CVERecord?id=CVE-2023-40044", "https://www.rapid7.com/blog/post/2023/09/29/etr-critical-vulnerabilities-in-ws_ftp-server/", "https://www.splunk.com/en_us/blog/security/fantastic-iis-modules-and-how-to-find-them.html"], "narrative": "Two critical vulnerabilities have been identified in WS_FTP Server, a widely-used secure file transfer solution. The first, CVE-2023-40044, is a .NET deserialization flaw that targets the Ad Hoc Transfer module of WS_FTP Server versions earlier than 8.7.4 and 8.8.2. This flaw allows an attacker to execute arbitrary commands on the server's operating system without needing authentication. The second vulnerability, CVE-2023-42657, is a directory traversal flaw that allows attackers to perform unauthorized file operations outside of their authorized WS_FTP folder. In severe cases, the attacker could escape the WS_FTP Server file structure and perform operations on the underlying operating system. Both vulnerabilities have been observed being exploited in the wild and immediate action for mitigation is strongly advised. Updating to WS_FTP Server version 8.8.2 is recommended. For those unable to update, disabling the Ad Hoc Transfer module is suggested as a temporary measure.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "APT5", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1505.004", "mitre_attack_technique": "IIS Components", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Persistence"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation"]}, "detection_names": ["ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows IIS Components Get-WebGlobalModule Module Query - Rule", "ESCU - WS FTP Remote Code Execution - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}, {"name": "Windows IIS Components Get-WebGlobalModule Module Query", "source": "endpoint", "type": "Hunting", "tags": [{"mitre_attack_technique": "IIS Components"}, {"mitre_attack_technique": "Server Software Component"}]}, {"name": "WS FTP Remote Code Execution", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}]}, {"name": "XMRig", "author": "Teoderick Contreras, Rod Soto Splunk", "date": "2021-05-07", "version": 1, "id": "06723e6a-6bd8-4817-ace2-5fb8a7b06628", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the xmrig monero, including looking for file writes associated with its payload, process command-line, defense evasion (killing services, deleting users, modifying files or folder permission, killing other malware or other coin miner) and hacking tools including Telegram as mean of Command And Control (C2) to download other files. Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems which may impact system and/or hosted service availability. One common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive. (1) Servers and cloud-based (2) systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.", "references": ["https://github.com/xmrig/xmrig", "https://www.getmonero.org/resources/user-guides/mine-to-pool.html", "https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/", "https://blog.checkpoint.com/2021/03/11/february-2021s-most-wanted-malware-trickbot-takes-over-following-emotet-shutdown/"], "narrative": "XMRig is a high performance, open source, cross platform RandomX, KawPow, CryptoNight and AstroBWT unified CPU/GPU miner. This monero is seen in the wild on May 2017.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1531", "mitre_attack_technique": "Account Access Removal", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Akira", "LAPSUS$"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "Sandworm Team", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1036.005", "mitre_attack_technique": "Match Legitimate Name or Location", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT32", "APT39", "APT41", "APT5", "Aoqin Dragon", "BRONZE BUTLER", "BackdoorDiplomacy", "Blue Mockingbird", "Carbanak", "Chimera", "Darkhotel", "Earth Lusca", "FIN13", "FIN7", "Ferocious Kitten", "Fox Kitten", "Gamaredon Group", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Naikon", "PROMETHIUM", "Patchwork", "Poseidon Group", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "Sowbug", "TA2541", "TeamTNT", "ToddyCat", "Transparent Tribe", "Tropic Trooper", "Volt Typhoon", "WIRTE", "Whitefly", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1595", "mitre_attack_technique": "Active Scanning", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cinnamon Tempest", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Mustard Tempest", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cinnamon Tempest", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}], "mitre_attack_tactics": ["Reconnaissance", "Command And Control", "Discovery", "Privilege Escalation", "Credential Access", "Persistence", "Execution", "Defense Evasion", "Impact"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Reconnaissance", "Exploitation", "Actions on Objectives", "Installation", "Command and Control"]}, "detection_names": ["ESCU - Attacker Tools On Endpoint - Rule", "ESCU - Deleting Of Net Users - Rule", "ESCU - Disable Windows App Hotkeys - Rule", "ESCU - Disabling Net User Account - Rule", "ESCU - Download Files Using Telegram - Rule", "ESCU - Enumerate Users Local Group Using Telegram - Rule", "ESCU - Excessive Attempt To Disable Services - Rule", "ESCU - Excessive Service Stop Attempt - Rule", "ESCU - Excessive Usage Of Cacls App - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Excessive Usage Of Taskkill - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Hide User Account From Sign-In Screen - Rule", "ESCU - Icacls Deny Command - Rule", "ESCU - ICACLS Grant Command - Rule", "ESCU - Modify ACL permission To Files Or Folder - Rule", "ESCU - Process Kill Base On File Path - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Suspicious Driver Loaded Path - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - XMRIG Driver Loaded - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Rod Soto Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Attacker Tools On Endpoint", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Match Legitimate Name or Location"}, {"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "Active Scanning"}]}, {"name": "Deleting Of Net Users", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Access Removal"}]}, {"name": "Disable Windows App Hotkeys", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}, {"name": "Disabling Net User Account", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Access Removal"}]}, {"name": "Download Files Using Telegram", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}, {"name": "Enumerate Users Local Group Using Telegram", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Account Discovery"}]}, {"name": "Excessive Attempt To Disable Services", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Service Stop"}]}, {"name": "Excessive Service Stop Attempt", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Service Stop"}]}, {"name": "Excessive Usage Of Cacls App", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Account Access Removal"}]}, {"name": "Excessive Usage Of Taskkill", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Masquerading"}]}, {"name": "Hide User Account From Sign-In Screen", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Icacls Deny Command", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}, {"name": "ICACLS Grant Command", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}, {"name": "Modify ACL permission To Files Or Folder", "source": "endpoint", "type": "Anomaly", "tags": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}, {"name": "Process Kill Base On File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}, {"name": "Schtasks Run Task On Demand", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Scheduled Task/Job"}]}, {"name": "Suspicious Driver Loaded Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Create or Modify System Process"}]}, {"name": "XMRIG Driver Loaded", "source": "endpoint", "type": "TTP", "tags": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}]}, {"name": "Zscaler Browser Proxy Threats", "author": "Rod Soto, Gowthamaraj Rajendran", "date": "2023-10-25", "version": 1, "id": "5d4ba315-39df-4309-982f-a7052efccffd", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to malicious activity from Zscaler. This also encompasses monitoring for events such as users downloading harmful files or accessing websites that pose a risk to system and network security. Additionally, the narrative extends to the detection of insider threats, ensuring comprehensive protection from both external and internal vulnerabilities. By leveraging Zscaler with Splunk, organizations can fortify their defenses, safeguarding against a wide spectrum of cyber threats and maintaining a secure operational environment.", "references": ["https://threatlibrary.zscaler.com/", "https://help.zscaler.com/zia/about-threat-categories"], "narrative": "Zscaler Client Connector is an application installed on your device to ensure that your internet traffic and access to your organization's internal apps are secure and in compliance with your organization's policies, even when you're off your corporate network.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Risk"], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - Zscaler Adware Activities Threat Blocked - Rule", "ESCU - Zscaler Behavior Analysis Threat Blocked - Rule", "ESCU - Zscaler CryptoMiner Downloaded Threat Blocked - Rule", "ESCU - Zscaler Employment Search Web Activity - Rule", "ESCU - Zscaler Exploit Threat Blocked - Rule", "ESCU - Zscaler Legal Liability Threat Blocked - Rule", "ESCU - Zscaler Malware Activity Threat Blocked - Rule", "ESCU - Zscaler Phishing Activity Threat Blocked - Rule", "ESCU - Zscaler Potentially Abused File Download - Rule", "ESCU - Zscaler Privacy Risk Destinations Threat Blocked - Rule", "ESCU - Zscaler Scam Destinations Threat Blocked - Rule", "ESCU - Zscaler Virus Download threat blocked - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Gowthamaraj Rajendran", "author_name": "Rod Soto", "detections": [{"name": "Zscaler Adware Activities Threat Blocked", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Phishing"}]}, {"name": "Zscaler Behavior Analysis Threat Blocked", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Phishing"}]}, {"name": "Zscaler CryptoMiner Downloaded Threat Blocked", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Phishing"}]}, {"name": "Zscaler Employment Search Web Activity", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Phishing"}]}, {"name": "Zscaler Exploit Threat Blocked", "source": "web", "type": "TTP", "tags": [{"mitre_attack_technique": "Phishing"}]}, {"name": "Zscaler Legal Liability Threat Blocked", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Phishing"}]}, {"name": "Zscaler Malware Activity Threat Blocked", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Phishing"}]}, {"name": "Zscaler Phishing Activity Threat Blocked", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Phishing"}]}, {"name": "Zscaler Potentially Abused File Download", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Phishing"}]}, {"name": "Zscaler Privacy Risk Destinations Threat Blocked", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Phishing"}]}, {"name": "Zscaler Scam Destinations Threat Blocked", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Phishing"}]}, {"name": "Zscaler Virus Download threat blocked", "source": "web", "type": "Anomaly", "tags": [{"mitre_attack_technique": "Phishing"}]}]}]} \ No newline at end of file diff --git a/dist/api/version.json b/dist/api/version.json deleted file mode 100644 index 6ec3e5a834..0000000000 --- a/dist/api/version.json +++ /dev/null @@ -1 +0,0 @@ -{"version": {"name": "v4.33.0", "published_at": "2024-06-06T17:49:55Z"}} \ No newline at end of file diff --git a/dist/ssa/srs/ssa___anomalous_usage_of_archive_tools.yml b/dist/ssa/srs/ssa___anomalous_usage_of_archive_tools.yml deleted file mode 100644 index f97433f8cc..0000000000 --- a/dist/ssa/srs/ssa___anomalous_usage_of_archive_tools.yml +++ /dev/null @@ -1,112 +0,0 @@ -name: Anomalous usage of Archive Tools -id: 63614a58-10e2-4c6c-ae81-ea1113681439 -version: 4 -status: production -detection_type: STREAMING -description: The following detection identifies the usage of archive tools from the - command line. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where (process_file_name="winrar.exe" - OR process_file_name LIKE "7z%" OR process_file_name LIKE "winzip%") AND (actor_process_file_name - LIKE "%powershell.exe" OR actor_process_file_name LIKE "%cmd.exe") - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Anomalous usage of Archive Tools has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Cobalt Strike", "NOBELIUM Group", "Insider Threat"], - class_name = "Detection Report", - confidence = 60, - confidence_id = 2, - duration = 0, - impact = 70, - impact_id = 4, - kill_chain = [{"phase": "Exploitation", "phase_id": 4}], - nist = ["DE.AE"], - risk_level = "Medium", - category_uid = 2, - class_uid = 102001, - risk_level_id = 2, - risk_score = 42, - severity_id = 0, - rule = {"name": "Anomalous usage of Archive Tools", "uid": "63614a58-10e2-4c6c-ae81-ea1113681439", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. -known_false_positives: False positives can be ligitmate usage of archive tools from - the command line. -references: -- https://attack.mitre.org/techniques/T1560/001/ -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 42 - security_domain: endpoint - risk_severity: low - research_site_url: https://research.splunk.com/endpoint/63614a58-10e2-4c6c-ae81-ea1113681439/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Cobalt Strike - - NOBELIUM Group - - Insider Threat - cis20: - - CIS 10 - kill_chain_phases: - - Exploitation - mitre_attack_id: - - T1560.001 - - T1560 - nist: - - DE.AE -test: - name: Anomalous usage of Archive Tools Unit Test - tests: - - name: Anomalous usage of Archive Tools - attack_data: - - file_name: windows-security.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1560.001/archive_tools/windows-security.log - source: WinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___attacker_tools_on_endpoint.yml b/dist/ssa/srs/ssa___attacker_tools_on_endpoint.yml deleted file mode 100644 index 718ccceb2e..0000000000 --- a/dist/ssa/srs/ssa___attacker_tools_on_endpoint.yml +++ /dev/null @@ -1,148 +0,0 @@ -name: Attacker Tools On Endpoint -id: 241b1159-cf78-4201-8fad-1c21c3c96213 -version: 1 -status: validation -detection_type: STREAMING -description: The following analytic detects the use of tools that are commonly exploited - by cybercriminals since these tools are usually associated with malicious activities - such as unauthorized access, network scanning, or data exfiltration and pose a significant - threat to an organization's security infrastructure. It also provides enhanced visibility - into potential security threats and helps to proactively detect and respond to mitigate - the risks associated with cybercriminal activities. This detection is made by examining - the process activity on the host, specifically focusing on processes that are known - to be associated with attacker tool names. This detection is important because it - acts as an early warning system for potential security incidents that allows you - to respond to security incidents promptly. False positives might occur due to legitimate - administrative activities that can resemble malicious actions. You must develop - a comprehensive understanding of typical endpoint activities and behaviors within - the organization to accurately interpret and respond to the alerts generated by - this analytic. This ensures a proper balance between precision and minimizing false - positives. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where process_cmd_line LIKE "%adrecon%" - OR process_cmd_line LIKE "%adcollector%" OR process_cmd_line LIKE "%nmap%" OR process_cmd_line - LIKE "%pingcastle%" OR process_cmd_line LIKE "%sharphound%" OR process_cmd_line - LIKE "%aclight%" OR process_cmd_line LIKE "%adaclscan%" OR process_cmd_line LIKE - "%liza%" OR process_cmd_line LIKE "%lapstoolkit%" OR process_cmd_line LIKE "%rubeus%" - OR process_cmd_line LIKE "%passthecert%" OR process_cmd_line LIKE "%responder%" - OR process_cmd_line LIKE "%inveigh%" OR process_cmd_line LIKE "%hydra%" OR process_cmd_line - LIKE "%mimikatz%" OR process_cmd_line LIKE "%sharpkatz%" OR process_cmd_line LIKE - "%nanodump%" OR process_cmd_line LIKE "%powersploit%" OR process_cmd_line LIKE "%powersharppack%" - OR process_cmd_line LIKE "%privesccheck%" OR process_cmd_line LIKE "%seatbelt%" - OR process_cmd_line LIKE "%krbrelayup%" OR process_cmd_line LIKE "%sharpimpersonation%" - OR process_cmd_line LIKE "%tokenvator%" OR process_cmd_line LIKE "%bloodyad%" OR - process_cmd_line LIKE "%nimcrypt%" OR process_cmd_line LIKE "%protectmytooling%" - OR process_cmd_line LIKE "%invoke-obfuscation%" OR process_cmd_line LIKE "%chameleon%" - OR process_cmd_line LIKE "%covenant%" - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Attacker Tools On Endpoint has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Monitor for Unauthorized Software", "XMRig", "SamSam Ransomware", "Unusual Processes", "CISA AA22-264A"], - class_name = "Detection Report", - confidence = 80, - confidence_id = 3, - duration = 0, - impact = 80, - impact_id = 5, - kill_chain = [{"phase": "Exploitation", "phase_id": 4}, {"phase": "Reconnaissance", "phase_id": 1}], - nist = ["DE.AE"], - risk_level = "High", - category_uid = 2, - class_uid = 102001, - risk_level_id = 3, - risk_score = 64, - severity_id = 0, - rule = {"name": "Attacker Tools On Endpoint", "uid": "241b1159-cf78-4201-8fad-1c21c3c96213", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: Some administrator activity can be potentially triggered, please - add those users to the filter macro. -references: -- https://github.com/Jean-Francois-C/Windows-Penetration-Testing -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 64 - security_domain: endpoint - risk_severity: medium - research_site_url: https://research.splunk.com/endpoint/241b1159-cf78-4201-8fad-1c21c3c96213/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Monitor for Unauthorized Software - - XMRig - - SamSam Ransomware - - Unusual Processes - - CISA AA22-264A - cis20: - - CIS 10 - kill_chain_phases: - - Exploitation - - Reconnaissance - mitre_attack_id: - - T1036.005 - - T1036 - - T1003 - - T1595 - nist: - - DE.CM -test: - name: Attacker Tools On Endpoint Unit Test - tests: - - name: Attacker Tools On Endpoint - attack_data: - - file_name: windows-security.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1595/attacker_scan_tools/windows-security.log - source: XmlWinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___attempt_to_delete_services.yml b/dist/ssa/srs/ssa___attempt_to_delete_services.yml deleted file mode 100644 index 86ef0f6327..0000000000 --- a/dist/ssa/srs/ssa___attempt_to_delete_services.yml +++ /dev/null @@ -1,118 +0,0 @@ -name: Attempt To Delete Services -id: a0c8c292-d01a-11eb-aa18-acde48001122 -version: 6 -status: production -detection_type: STREAMING -description: The following analytic identifies Windows Service Control, `sc.exe`, - attempting to delete a service. This is typically identified in parallel with other - instances of service enumeration of attempts to stop a service and then delete it. - Adversaries utilize this technique to terminate security services or other related - services to continue there objective and evade detections. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where process_file_name="sc.exe" AND - process_cmd_line LIKE "%delete%" - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Attempt To Delete Services has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["XMRig", "Ransomware"], - class_name = "Detection Report", - confidence = 60, - confidence_id = 2, - duration = 0, - impact = 60, - impact_id = 4, - kill_chain = [{"phase": "Actions on Objectives", "phase_id": 7}, {"phase": "Installation", "phase_id": 5}, {"phase": "Exploitation", "phase_id": 4}], - nist = ["DE.AE"], - risk_level = "Low", - category_uid = 2, - class_uid = 102001, - risk_level_id = 1, - risk_score = 36, - severity_id = 0, - rule = {"name": "Attempt To Delete Services", "uid": "a0c8c292-d01a-11eb-aa18-acde48001122", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. -known_false_positives: It is possible administrative scripts may start/stop/delete - services. Filter as needed. -references: -- https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 36 - security_domain: endpoint - risk_severity: low - research_site_url: https://research.splunk.com/endpoint/a0c8c292-d01a-11eb-aa18-acde48001122/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - XMRig - - Ransomware - cis20: - - CIS 10 - kill_chain_phases: - - Actions on Objectives - - Installation - - Exploitation - mitre_attack_id: - - T1489 - - T1543 - - T1543.003 - nist: - - DE.CM -test: - name: Attempt To Delete Services Unit Test - tests: - - name: Attempt To Delete Services - attack_data: - - file_name: sc_del.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/ssa_data1/sc_del.log - source: WinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___attempt_to_disable_services.yml b/dist/ssa/srs/ssa___attempt_to_disable_services.yml deleted file mode 100644 index e35e7f8532..0000000000 --- a/dist/ssa/srs/ssa___attempt_to_disable_services.yml +++ /dev/null @@ -1,115 +0,0 @@ -name: Attempt To Disable Services -id: afb31de4-d023-11eb-98d5-acde48001122 -version: 6 -status: production -detection_type: STREAMING -description: The following analytic identifies Windows Service Control, `sc.exe`, - attempting to disable a service. This is typically identified in parallel with other - instances of service enumeration of attempts to stop a service and then disable - it. Adversaries utilize this technique to terminate security services or other related - services to continue there objective and evade detections. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where process_cmd_line LIKE "%config%" - AND process_cmd_line LIKE "%disabled%" AND process_file_name="sc.exe" - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Attempt To Disable Services has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["XMRig", "Ransomware"], - class_name = "Detection Report", - confidence = 60, - confidence_id = 2, - duration = 0, - impact = 60, - impact_id = 4, - kill_chain = [{"phase": "Actions on Objectives", "phase_id": 7}], - nist = ["DE.AE"], - risk_level = "Low", - category_uid = 2, - class_uid = 102001, - risk_level_id = 1, - risk_score = 36, - severity_id = 0, - rule = {"name": "Attempt To Disable Services", "uid": "afb31de4-d023-11eb-98d5-acde48001122", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. -known_false_positives: It is possible administrative scripts may start/stop/delete - services. Filter as needed. -references: -- https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ -- https://app.any.run/tasks/c0f98850-af65-4352-9746-fbebadee4f05/ -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md#atomic-test-14---disable-arbitrary-security-windows-service -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 36 - security_domain: endpoint - risk_severity: low - research_site_url: https://research.splunk.com/endpoint/afb31de4-d023-11eb-98d5-acde48001122/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - XMRig - - Ransomware - cis20: - - CIS 10 - kill_chain_phases: - - Actions on Objectives - mitre_attack_id: - - T1489 - nist: - - DE.CM -test: - name: Attempt To Disable Services Unit Test - tests: - - name: Attempt To Disable Services - attack_data: - - file_name: sc_disable.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/ssa_data1/sc_disable.log - source: WinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___attempted_credential_dump_from_registry_via_reg_exe.yml b/dist/ssa/srs/ssa___attempted_credential_dump_from_registry_via_reg_exe.yml deleted file mode 100644 index e37873ca5e..0000000000 --- a/dist/ssa/srs/ssa___attempted_credential_dump_from_registry_via_reg_exe.yml +++ /dev/null @@ -1,115 +0,0 @@ -name: Attempted Credential Dump From Registry via Reg exe -id: 14038953-e5f2-4daf-acff-5452062baf03 -version: 7 -status: production -detection_type: STREAMING -description: The following analytic identifies the use of `reg.exe` attempting to - export Windows registry keys that contain hashed credentials. Adversaries will utilize - this technique to capture and perform offline password cracking. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where (process_file_name IN ("reg.exe", - "cmd.exe")) AND (match(process_cmd_line, /(?i)HKEY_LOCAL_MACHINE\\System/)=true - OR match(process_cmd_line, /(?i)HKEY_LOCAL_MACHINE\\SAM/)=true OR match(process_cmd_line, - /(?i)HKEY_LOCAL_MACHINE\\Security/)=true OR match(process_cmd_line, /(?i)HKLM\\System/)=true - OR match(process_cmd_line, /(?i)HKLM\\SAM/)=true OR match(process_cmd_line, /(?i)HKLM\\Security/)=true) - AND match(process_cmd_line, /(?i)save/)=true - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Attempted Credential Dump From Registry via Reg exe has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Credential Dumping"], - class_name = "Detection Report", - confidence = 90, - confidence_id = 3, - duration = 0, - impact = 70, - impact_id = 4, - kill_chain = [{"phase": "Exploitation", "phase_id": 4}], - nist = ["DE.AE"], - risk_level = "High", - category_uid = 2, - class_uid = 102001, - risk_level_id = 3, - risk_score = 63, - severity_id = 0, - rule = {"name": "Attempted Credential Dump From Registry via Reg exe", "uid": "14038953-e5f2-4daf-acff-5452062baf03", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. -known_false_positives: None identified. -references: -- https://github.com/splunk/security_content/blob/55a17c65f9f56c2220000b62701765422b46125d/detections/attempted_credential_dump_from_registry_via_reg_exe.yml -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 63 - security_domain: endpoint - risk_severity: medium - research_site_url: https://research.splunk.com/endpoint/14038953-e5f2-4daf-acff-5452062baf03/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Credential Dumping - cis20: - - CIS 10 - kill_chain_phases: - - Exploitation - mitre_attack_id: - - T1003 - - T1003.002 - nist: - - DE.CM -test: - name: Attempted Credential Dump From Registry via Reg exe Unit Test - tests: - - name: Attempted Credential Dump From Registry via Reg exe - attack_data: - - file_name: windows-security.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/atomic_red_team/windows-security.log - source: WinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___bcdedit_failure_recovery_modification.yml b/dist/ssa/srs/ssa___bcdedit_failure_recovery_modification.yml deleted file mode 100644 index 0ee5ec2e54..0000000000 --- a/dist/ssa/srs/ssa___bcdedit_failure_recovery_modification.yml +++ /dev/null @@ -1,111 +0,0 @@ -name: BCDEdit Failure Recovery Modification -id: 76d79d6e-25bb-40f6-b3b2-e0a6b7e5ea13 -version: 4 -status: production -detection_type: STREAMING -description: This search looks for flags passed to bcdedit.exe modifications to the - built-in Windows error recovery boot configurations. This is typically used by ransomware - to prevent recovery. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where process_file_name="bcdedit.exe" - AND (process_cmd_line LIKE "%no%" AND process_cmd_line LIKE "%recoveryenabled%") - - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "BCDEdit Failure Recovery Modification has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Ryuk Ransomware", "Ransomware", "Information Sabotage"], - class_name = "Detection Report", - confidence = 80, - confidence_id = 3, - duration = 0, - impact = 100, - impact_id = 5, - kill_chain = [{"phase": "Actions on Objectives", "phase_id": 7}], - nist = ["DE.AE"], - risk_level = "Critical", - category_uid = 2, - class_uid = 102001, - risk_level_id = 4, - risk_score = 80, - severity_id = 0, - rule = {"name": "BCDEdit Failure Recovery Modification", "uid": "76d79d6e-25bb-40f6-b3b2-e0a6b7e5ea13", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint_Processess` datamodel. -known_false_positives: Administrators may modify the boot configuration. -references: -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-4---windows---disable-windows-recovery-console-repair -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 80 - security_domain: endpoint - risk_severity: high - research_site_url: https://research.splunk.com/endpoint/76d79d6e-25bb-40f6-b3b2-e0a6b7e5ea13/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Ryuk Ransomware - - Ransomware - - Information Sabotage - cis20: - - CIS 10 - kill_chain_phases: - - Actions on Objectives - mitre_attack_id: - - T1490 - nist: - - DE.CM -test: - name: BCDEdit Failure Recovery Modification Unit Test - tests: - - name: BCDEdit Failure Recovery Modification - attack_data: - - file_name: windows-security_bcdedit_wbadmin.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/atomic_red_team/windows-security_bcdedit_wbadmin.log - source: WinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___clear_unallocated_sector_using_cipher_app.yml b/dist/ssa/srs/ssa___clear_unallocated_sector_using_cipher_app.yml deleted file mode 100644 index 925f1cedbf..0000000000 --- a/dist/ssa/srs/ssa___clear_unallocated_sector_using_cipher_app.yml +++ /dev/null @@ -1,111 +0,0 @@ -name: Clear Unallocated Sector Using Cipher App -id: 8f907d90-6173-11ec-9c23-acde48001122 -version: 4 -status: production -detection_type: STREAMING -description: this search is to detect execution of `cipher.exe` to clear the unallocated - sectors of a specific disk. This technique was seen in some ransomware to make it - impossible to forensically recover deleted files. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where process_file_name="cipher.exe" - AND process_cmd_line LIKE "%/w:%" - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Clear Unallocated Sector Using Cipher App has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Ransomware", "Information Sabotage"], - class_name = "Detection Report", - confidence = 100, - confidence_id = 3, - duration = 0, - impact = 90, - impact_id = 5, - kill_chain = [{"phase": "Exploitation", "phase_id": 4}], - nist = ["DE.AE"], - risk_level = "Critical", - category_uid = 2, - class_uid = 102001, - risk_level_id = 4, - risk_score = 90, - severity_id = 0, - rule = {"name": "Clear Unallocated Sector Using Cipher App", "uid": "8f907d90-6173-11ec-9c23-acde48001122", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. -known_false_positives: administrator may execute this app to manage disk -references: -- https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3/ -- https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-ransomware-behavior-report.pdf -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 90 - security_domain: endpoint - risk_severity: high - research_site_url: https://research.splunk.com/endpoint/8f907d90-6173-11ec-9c23-acde48001122/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Ransomware - - Information Sabotage - cis20: - - CIS 10 - kill_chain_phases: - - Exploitation - mitre_attack_id: - - T1070.004 - - T1070 - nist: - - DE.CM -test: - name: Clear Unallocated Sector Using Cipher App Unit Test - tests: - - name: Clear Unallocated Sector Using Cipher App - attack_data: - - file_name: security.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.004/cipher/security.log - source: WinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___create_local_admin_accounts_using_net_exe.yml b/dist/ssa/srs/ssa___create_local_admin_accounts_using_net_exe.yml deleted file mode 100644 index ab48a4bf3b..0000000000 --- a/dist/ssa/srs/ssa___create_local_admin_accounts_using_net_exe.yml +++ /dev/null @@ -1,130 +0,0 @@ -name: Create Local Admin Accounts Using Net Exe -id: 2dbdfc95-9c0f-433e-95f1-a376f1ae8bf7 -version: 3 -status: validation -detection_type: STREAMING -description: The following analytic detects the creation of local administrator accounts - using the net.exe command to mitigate the risks associated with unauthorized access - and prevent further damage to the environment by responding to potential threats - earlier and taking appropriate actions to protect the organization's systems and - data. This detection is made by a Splunk query to search for processes with the - name net.exe or net1.exe that include the "/add" parameter and have specific keywords - related to administrator accounts in their process name. This detection is important - because the creation of unauthorized local administrator accounts might indicate - that an attacker has successfully created a new administrator account and is trying - to gain persistent access to a system or escalate their privileges for data theft, - or other malicious activities. False positives might occur since there might be - legitimate uses of the net.exe command and the creation of administrator accounts - in certain circumstances. You must consider the context of the activity and other - indicators of compromise before taking any action. For next steps, review the details - of the identified process, including the user, parent process, and parent process - name. Examine any relevant on-disk artifacts and look for concurrent processes to - determine the source of the attack. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where process_cmd_line LIKE "%localgroup%" - AND process_cmd_line LIKE "%/add%" AND (process_cmd_line LIKE "%administrators%" - OR process_cmd_line LIKE "%administratoren%" OR process_cmd_line LIKE "%administrateurs%" - OR process_cmd_line LIKE "%administrador%" OR process_cmd_line LIKE "%amministratori%" - OR process_cmd_line LIKE "%administratorer%") AND (process_file_name IN ("net.exe", - "net1.exe")) - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Create Local Admin Accounts Using Net Exe has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["XMRig", "Ransomware"], - class_name = "Detection Report", - confidence = 60, - confidence_id = 2, - duration = 0, - impact = 50, - impact_id = 3, - kill_chain = [{"phase": "Installation", "phase_id": 5}], - nist = ["DE.AE"], - risk_level = "Low", - category_uid = 2, - class_uid = 102001, - risk_level_id = 1, - risk_score = 30, - severity_id = 0, - rule = {"name": "Create Local Admin Accounts Using Net Exe", "uid": "2dbdfc95-9c0f-433e-95f1-a376f1ae8bf7", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. Tune and filter known instances where renamed net.exe may be used. -known_false_positives: System administrators or scripts may add user accounts via - this technique. Filter as needed. -references: -- https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 30 - security_domain: endpoint - risk_severity: low - research_site_url: https://research.splunk.com/endpoint/2dbdfc95-9c0f-433e-95f1-a376f1ae8bf7/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - XMRig - - Ransomware - cis20: - - CIS 10 - kill_chain_phases: - - Installation - mitre_attack_id: - - T1136.001 - - T1136 - nist: - - DE.AE -test: - name: Create Local Admin Accounts Using Net Exe Unit Test - tests: - - name: Create Local Admin Accounts Using Net Exe - attack_data: - - file_name: net_user_security.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/net_create_user/net_user_security.log - source: XmlWinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___create_local_user_accounts_using_net_exe.yml b/dist/ssa/srs/ssa___create_local_user_accounts_using_net_exe.yml deleted file mode 100644 index 948020b721..0000000000 --- a/dist/ssa/srs/ssa___create_local_user_accounts_using_net_exe.yml +++ /dev/null @@ -1,126 +0,0 @@ -name: Create Local User Accounts Using Net Exe -id: 1ee0fff0-9642-421b-8e13-9aa6fba4ace3 -version: 6 -status: validation -detection_type: STREAMING -description: The following analytic detects the creation of local administrator accounts - using the net.exe command to mitigate the risks associated with unauthorized access - and prevent further damage to the environment by responding to potential threats - earlier and taking appropriate actions to protect the organization's systems and - data. This detection is made by a Splunk query to search for processes with the - name net.exe or net1.exe that include the "/add" parameter in their process name. - This detection is important because the creation of unauthorized local user accounts - might indicate that an attacker has successfully created a new user account and - is trying to gain persistent access to a system or escalate their privileges for - data theft, or other malicious activities. False positives might occur since there - might be legitimate uses of the net.exe command and the creation of user accounts - in certain circumstances. You must consider the context of the activity and other - indicators of compromise before taking any action. For next steps, review the details - of the identified process, including the user, parent process, and parent process - name. Examine any relevant on-disk artifacts and look for concurrent processes to - determine the source of the attack. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where process_cmd_line LIKE "%user%" - AND process_cmd_line LIKE "%/add%" AND (process_file_name IN ("net.exe", "net1.exe")) - - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Create Local User Accounts Using Net Exe has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["XMRig", "Ransomware"], - class_name = "Detection Report", - confidence = 30, - confidence_id = 1, - duration = 0, - impact = 30, - impact_id = 2, - kill_chain = [{"phase": "Installation", "phase_id": 5}], - nist = ["DE.AE"], - risk_level = "Info", - category_uid = 2, - class_uid = 102001, - risk_level_id = 0, - risk_score = 9, - severity_id = 0, - rule = {"name": "Create Local User Accounts Using Net Exe", "uid": "1ee0fff0-9642-421b-8e13-9aa6fba4ace3", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. Tune and filter known instances where renamed net.exe may be used. -known_false_positives: System administrators or scripts may add user accounts via - this technique. Filter as needed. -references: -- https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 9 - security_domain: endpoint - risk_severity: low - research_site_url: https://research.splunk.com/endpoint/1ee0fff0-9642-421b-8e13-9aa6fba4ace3/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - XMRig - - Ransomware - cis20: - - CIS 10 - kill_chain_phases: - - Installation - mitre_attack_id: - - T1136.001 - - T1136 - nist: - - DE.AE -test: - name: Create Local User Accounts Using Net Exe Unit Test - tests: - - name: Create Local User Accounts Using Net Exe - attack_data: - - file_name: net_user_security.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/net_create_user/net_user_security.log - source: XmlWinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___delete_a_net_user.yml b/dist/ssa/srs/ssa___delete_a_net_user.yml deleted file mode 100644 index f139be6934..0000000000 --- a/dist/ssa/srs/ssa___delete_a_net_user.yml +++ /dev/null @@ -1,118 +0,0 @@ -name: Delete A Net User -id: 8776d79c-d26e-11eb-9a56-acde48001122 -version: 8 -status: production -detection_type: STREAMING -description: This analytic will detect a suspicious net.exe/net1.exe command-line - to delete a user on a system. This technique may be use by an administrator for - legitimate purposes, however this behavior has been used in the wild to impair some - user or deleting adversaries tracks created during its lateral movement additional - systems. During triage, review parallel processes for additional behavior. Identify - any other user accounts created before or after. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where process_cmd_line LIKE "%user%" - AND process_cmd_line LIKE "%/delete%" AND (process_file_name IN ("net.exe", "net1.exe")) - - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Delete A Net User has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["XMRig", "Ransomware"], - class_name = "Detection Report", - confidence = 70, - confidence_id = 3, - duration = 0, - impact = 70, - impact_id = 4, - kill_chain = [{"phase": "Actions on Objectives", "phase_id": 7}], - nist = ["DE.AE"], - risk_level = "Medium", - category_uid = 2, - class_uid = 102001, - risk_level_id = 2, - risk_score = 49, - severity_id = 0, - rule = {"name": "Delete A Net User", "uid": "8776d79c-d26e-11eb-9a56-acde48001122", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. Tune and filter known instances where renamed net.exe may be used. -known_false_positives: System administrators or scripts may delete user accounts via - this technique. Filter as needed. -references: -- https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 49 - security_domain: endpoint - risk_severity: low - research_site_url: https://research.splunk.com/endpoint/8776d79c-d26e-11eb-9a56-acde48001122/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - XMRig - - Ransomware - cis20: - - CIS 10 - kill_chain_phases: - - Actions on Objectives - mitre_attack_id: - - T1531 - nist: - - DE.AE -test: - name: Delete A Net User Unit Test - tests: - - name: Delete A Net User - attack_data: - - file_name: net_user_del.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/ssa_data1/net_user_del.log - source: WinEventLog:Security - - file_name: security.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1531/atomic_red_team/security.log - source: WinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___deleting_shadow_copies.yml b/dist/ssa/srs/ssa___deleting_shadow_copies.yml deleted file mode 100644 index 2d805a76e2..0000000000 --- a/dist/ssa/srs/ssa___deleting_shadow_copies.yml +++ /dev/null @@ -1,116 +0,0 @@ -name: Deleting Shadow Copies -id: fd40c537-53d0-4c28-9b7e-77cfd28a49c8 -version: 5 -status: validation -detection_type: STREAMING -description: The vssadmin.exe utility is used to interact with the Volume Shadow Copy - Service. Wmic is an interface to the Windows Management Instrumentation. This search - looks for either of these tools being used to delete shadow copies. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where (process_file_name IN ("vssadmin.exe", - "wmic.exe")) AND process_cmd_line LIKE "%delete%" AND process_cmd_line LIKE "%shadow%" - - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Deleting Shadow Copies has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Clop Ransomware", "Ransomware"], - class_name = "Detection Report", - confidence = 80, - confidence_id = 3, - duration = 0, - impact = 80, - impact_id = 5, - kill_chain = [{"phase": "Actions on Objectives", "phase_id": 7}], - nist = ["DE.AE"], - risk_level = "High", - category_uid = 2, - class_uid = 102001, - risk_level_id = 3, - risk_score = 64, - severity_id = 0, - rule = {"name": "Deleting Shadow Copies", "uid": "fd40c537-53d0-4c28-9b7e-77cfd28a49c8", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. -known_false_positives: System administrators may resize the shadowstorage for valid - purposes. Filter as needed. -references: -- https://atomicredteam.io/impact/T1490/ -- https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 64 - security_domain: endpoint - risk_severity: medium - research_site_url: https://research.splunk.com/endpoint/fd40c537-53d0-4c28-9b7e-77cfd28a49c8/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Clop Ransomware - - Ransomware - cis20: - - CIS 10 - kill_chain_phases: - - Actions on Objectives - mitre_attack_id: - - T1490 - nist: - - DE.CM -test: - name: Deleting Shadow Copies Unit Test - tests: - - name: Deleting Shadow Copies - attack_data: - - file_name: 4688_xml_windows_security_delete_shadow.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/atomic_red_team/4688_xml_windows_security_delete_shadow.log - source: XmlWinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___deny_permission_using_cacls_utility.yml b/dist/ssa/srs/ssa___deny_permission_using_cacls_utility.yml deleted file mode 100644 index b58a8dd12b..0000000000 --- a/dist/ssa/srs/ssa___deny_permission_using_cacls_utility.yml +++ /dev/null @@ -1,112 +0,0 @@ -name: Deny Permission using Cacls Utility -id: b76eae28-cd25-11eb-9c92-acde48001122 -version: 7 -status: production -detection_type: STREAMING -description: The following analytic identifies the use of `cacls.exe`, `icacls.exe` - or `xcacls.exe` placing the deny permission on a file or directory. Adversaries - perform this behavior to prevent responders from reviewing or gaining access to - adversary files on disk. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where (process_file_name IN ("icacls.exe", - "xcacls.exe", "cacls.exe")) AND match(process_cmd_line, /(?i)deny/)=true - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Deny Permission using Cacls Utility has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["XMRig", "Information Sabotage"], - class_name = "Detection Report", - confidence = 70, - confidence_id = 3, - duration = 0, - impact = 50, - impact_id = 3, - kill_chain = [{"phase": "Exploitation", "phase_id": 4}], - nist = ["DE.AE"], - risk_level = "Low", - category_uid = 2, - class_uid = 102001, - risk_level_id = 1, - risk_score = 35, - severity_id = 0, - rule = {"name": "Deny Permission using Cacls Utility", "uid": "b76eae28-cd25-11eb-9c92-acde48001122", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. Tune and filter known instances where renamed icacls.exe may be used. -known_false_positives: System administrators may use cacls utilities but this is not - a common practice. Filter as needed. -references: -- https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 35 - security_domain: endpoint - risk_severity: low - research_site_url: https://research.splunk.com/endpoint/b76eae28-cd25-11eb-9c92-acde48001122/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - XMRig - - Information Sabotage - cis20: - - CIS 10 - kill_chain_phases: - - Exploitation - mitre_attack_id: - - T1222 - nist: - - DE.CM -test: - name: Deny Permission using Cacls Utility Unit Test - tests: - - name: Deny Permission using Cacls Utility - attack_data: - - file_name: all_icalc.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/ssa_cacls/all_icalc.log - source: WinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___detect_powershell_applications_spawning_cmd_exe.yml b/dist/ssa/srs/ssa___detect_powershell_applications_spawning_cmd_exe.yml deleted file mode 100644 index b65153e5bd..0000000000 --- a/dist/ssa/srs/ssa___detect_powershell_applications_spawning_cmd_exe.yml +++ /dev/null @@ -1,110 +0,0 @@ -name: Detect PowerShell Applications Spawning cmd exe -id: d20a18cb-fd70-4ffa-a844-25126e0b0d94 -version: 3 -status: production -detection_type: STREAMING -description: The following analytic identifies parent processes that are powershell, - spawning cmd.exe. By its very nature, many applications spawn cmd.exe natively or - built into macros. Much of this will need to be tuned to further enhance the risk. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = lower(actor_process_file.name) - | eval device_hostname = device.hostname | where (actor_process_file_name IN ("powershell.exe", - "pwsh.exe")) AND process_file_name="cmd.exe" - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Detect PowerShell Applications Spawning cmd exe has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Suspicious Command-Line Executions", "Insider Threat"], - class_name = "Detection Report", - confidence = 50, - confidence_id = 2, - duration = 0, - impact = 70, - impact_id = 4, - kill_chain = [{"phase": "Installation", "phase_id": 5}], - nist = ["DE.AE"], - risk_level = "Low", - category_uid = 2, - class_uid = 102001, - risk_level_id = 1, - risk_score = 35, - severity_id = 0, - rule = {"name": "Detect PowerShell Applications Spawning cmd exe", "uid": "d20a18cb-fd70-4ffa-a844-25126e0b0d94", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: In order to successfully implement this analytic, you will need - endpoint process data from a EDR product or Sysmon. This search has been modified - to process raw sysmon data from attack_range's nxlogs on DSP. -known_false_positives: There are circumstances where an application may legitimately - execute and interact with the Windows command-line interface. -references: -- https://attack.mitre.org/techniques/T1059/ -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 35 - security_domain: endpoint - risk_severity: low - research_site_url: https://research.splunk.com/endpoint/d20a18cb-fd70-4ffa-a844-25126e0b0d94/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Suspicious Command-Line Executions - - Insider Threat - cis20: - - CIS 10 - kill_chain_phases: - - Installation - mitre_attack_id: - - T1059 - nist: - - DE.AE -test: - name: Detect PowerShell Applications Spawning cmd exe Unit Test - tests: - - name: Detect PowerShell Applications Spawning cmd exe - attack_data: - - file_name: windows-security.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.003/powershell_spawn_cmd/windows-security.log - source: WinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___detect_prohibited_browsers_spawning_cmd_exe.yml b/dist/ssa/srs/ssa___detect_prohibited_browsers_spawning_cmd_exe.yml deleted file mode 100644 index 731e9c1db7..0000000000 --- a/dist/ssa/srs/ssa___detect_prohibited_browsers_spawning_cmd_exe.yml +++ /dev/null @@ -1,111 +0,0 @@ -name: Detect Prohibited Browsers Spawning cmd exe -id: c10a18cb-fa70-4dfa-a944-25026e1b0c94 -version: 8 -status: production -detection_type: STREAMING -description: The following analytic identifies parent processes that are browsers, - spawning cmd.exe. By its very nature, many applications spawn cmd.exe natively or - built into macros. Much of this will need to be tuned to further enhance the risk. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = lower(process.cmd_line) | eval actor_user = actor.user | eval actor_user_name - = actor_user.name | eval actor_process = actor.process | eval actor_process_pid - = actor_process.pid | eval actor_process_file = actor_process.file | eval actor_process_file_path - = actor_process_file.path | eval actor_process_file_name = lower(actor_process_file.name) - | eval device_hostname = device.hostname | where ((actor_process_file_name IN ("iexplore.exe", - "opera.exe", "firefox.exe")) OR (actor_process_file_name="chrome.exe" AND (NOT process_cmd_line="chrome-extension"))) - AND process_file_name="cmd.exe" - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Detect Prohibited Browsers Spawning cmd exe has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Suspicious Command-Line Executions", "Insider Threat"], - class_name = "Detection Report", - confidence = 50, - confidence_id = 2, - duration = 0, - impact = 70, - impact_id = 4, - kill_chain = [{"phase": "Installation", "phase_id": 5}], - nist = ["DE.AE"], - risk_level = "Low", - category_uid = 2, - class_uid = 102001, - risk_level_id = 1, - risk_score = 35, - severity_id = 0, - rule = {"name": "Detect Prohibited Browsers Spawning cmd exe", "uid": "c10a18cb-fa70-4dfa-a944-25026e1b0c94", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: In order to successfully implement this analytic, you will need - endpoint process data from a EDR product or Sysmon. This search has been modified - to process raw sysmon data from attack_range's nxlogs on DSP. -known_false_positives: There are circumstances where an application may legitimately - execute and interact with the Windows command-line interface. -references: -- https://attack.mitre.org/techniques/T1059/ -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 35 - security_domain: endpoint - risk_severity: low - research_site_url: https://research.splunk.com/endpoint/c10a18cb-fa70-4dfa-a944-25026e1b0c94/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Suspicious Command-Line Executions - - Insider Threat - cis20: - - CIS 10 - kill_chain_phases: - - Installation - mitre_attack_id: - - T1059 - nist: - - DE.AE -test: - name: Detect Prohibited Browsers Spawning cmd exe Unit Test - tests: - - name: Detect Prohibited Browsers Spawning cmd exe - attack_data: - - file_name: windows-security.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.003/ssa_validation/browsers/windows-security.log - source: WinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___detect_prohibited_office_applications_spawning_cmd_exe.yml b/dist/ssa/srs/ssa___detect_prohibited_office_applications_spawning_cmd_exe.yml deleted file mode 100644 index 75849bd654..0000000000 --- a/dist/ssa/srs/ssa___detect_prohibited_office_applications_spawning_cmd_exe.yml +++ /dev/null @@ -1,112 +0,0 @@ -name: Detect Prohibited Office Applications Spawning cmd exe -id: c10a18cb-fd70-44fb-a8f4-25026a0b0c94 -version: 3 -status: production -detection_type: STREAMING -description: The following analytic identifies parent processes that are office/productivity - applications, spawning cmd.exe. By its very nature, many applications spawn cmd.exe - natively or built into macros. Much of this will need to be tuned to further enhance - the risk. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = lower(actor_process_file.name) - | eval device_hostname = device.hostname | where (actor_process_file_name IN ("winword.exe", - "excel.exe", "outlook.exe", "powerpnt.exe", "acrobat.exe", "acrord32.exe")) AND - process_file_name="cmd.exe" - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Detect Prohibited Office Applications Spawning cmd exe has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Suspicious Command-Line Executions", "Insider Threat"], - class_name = "Detection Report", - confidence = 50, - confidence_id = 2, - duration = 0, - impact = 70, - impact_id = 4, - kill_chain = [{"phase": "Installation", "phase_id": 5}], - nist = ["DE.AE"], - risk_level = "Low", - category_uid = 2, - class_uid = 102001, - risk_level_id = 1, - risk_score = 35, - severity_id = 0, - rule = {"name": "Detect Prohibited Office Applications Spawning cmd exe", "uid": "c10a18cb-fd70-44fb-a8f4-25026a0b0c94", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: In order to successfully implement this analytic, you will need - endpoint process data from a EDR product or Sysmon. This search has been modified - to process raw sysmon data from attack_range's nxlogs on DSP. -known_false_positives: There are circumstances where an application may legitimately - execute and interact with the Windows command-line interface. -references: -- https://attack.mitre.org/techniques/T1059/ -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 35 - security_domain: endpoint - risk_severity: low - research_site_url: https://research.splunk.com/endpoint/c10a18cb-fd70-44fb-a8f4-25026a0b0c94/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Suspicious Command-Line Executions - - Insider Threat - cis20: - - CIS 10 - kill_chain_phases: - - Installation - mitre_attack_id: - - T1059 - nist: - - DE.AE -test: - name: Detect Prohibited Office Applications Spawning cmd exe Unit Test - tests: - - name: Detect Prohibited Office Applications Spawning cmd exe - attack_data: - - file_name: windows-security.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.003/ssa_validation/office/windows-security.log - source: WinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___detect_rclone_command_line_usage.yml b/dist/ssa/srs/ssa___detect_rclone_command_line_usage.yml deleted file mode 100644 index c98ae8de60..0000000000 --- a/dist/ssa/srs/ssa___detect_rclone_command_line_usage.yml +++ /dev/null @@ -1,123 +0,0 @@ -name: Detect RClone Command-Line Usage -id: e8b74268-5454-11ec-a799-acde48001122 -version: 4 -status: production -detection_type: STREAMING -description: This analytic identifies commonly used command-line arguments used by - `rclone.exe` to initiate a file transfer. Some arguments were negated as they are - specific to the configuration used by adversaries. In particular, an adversary may - list the files or directories of the remote file share using `ls` or `lsd`, which - is not indicative of malicious behavior. During triage, at this stage of a ransomware - event, exfiltration is about to occur or has already. Isolate the endpoint and continue - investigating by review file modifications and parallel processes. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where (process_cmd_line LIKE "%--multi-thread-streams%" - OR process_cmd_line LIKE "%--transfers%" OR process_cmd_line LIKE "%--auto-confirm%" - OR process_cmd_line LIKE "%--ignore-existing%" OR process_cmd_line LIKE "%--no-check-certificate%" - OR process_cmd_line LIKE "%--progress%" OR process_cmd_line LIKE "%--config%" OR - process_cmd_line LIKE "%ftp%" OR process_cmd_line LIKE "%pcloud%" OR process_cmd_line - LIKE "%mega%" OR process_cmd_line LIKE "%copy%") AND process_file_name="rclone.exe" - - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Detect RClone Command-Line Usage has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["DarkSide Ransomware", "Ransomware", "Insider Threat"], - class_name = "Detection Report", - confidence = 70, - confidence_id = 3, - duration = 0, - impact = 50, - impact_id = 3, - kill_chain = [{"phase": "Actions on Objectives", "phase_id": 7}], - nist = ["DE.AE"], - risk_level = "Low", - category_uid = 2, - class_uid = 102001, - risk_level_id = 1, - risk_score = 35, - severity_id = 0, - rule = {"name": "Detect RClone Command-Line Usage", "uid": "e8b74268-5454-11ec-a799-acde48001122", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint_Processess` datamodel. -known_false_positives: False positives should be limited as this is restricted to - the Rclone process name. Filter or tune the analytic as needed. -references: -- https://redcanary.com/blog/rclone-mega-extortion/ -- https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations -- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ -- https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/ -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 35 - security_domain: endpoint - risk_severity: low - research_site_url: https://research.splunk.com/endpoint/e8b74268-5454-11ec-a799-acde48001122/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - DarkSide Ransomware - - Ransomware - - Insider Threat - cis20: - - CIS 10 - kill_chain_phases: - - Actions on Objectives - mitre_attack_id: - - T1020 - nist: - - DE.CM -test: - name: Detect RClone Command-Line Usage Unit Test - tests: - - name: Detect RClone Command-Line Usage - attack_data: - - file_name: windows-security.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1020/windows-security.log - source: WinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___disable_net_user_account.yml b/dist/ssa/srs/ssa___disable_net_user_account.yml deleted file mode 100644 index 80845bf1de..0000000000 --- a/dist/ssa/srs/ssa___disable_net_user_account.yml +++ /dev/null @@ -1,118 +0,0 @@ -name: Disable Net User Account -id: ba858b08-d26c-11eb-af9b-acde48001122 -version: 7 -status: production -detection_type: STREAMING -description: This analytic will identify a suspicious command-line that disables a - user account using the native `net.exe` or `net1.exe` utility to Windows. This technique - may used by the adversaries to interrupt availability of accounts and continue the - impact against the organization. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where process_cmd_line LIKE "%user%" - AND process_cmd_line LIKE "%/active:no%" AND (process_file_name IN ("net.exe", "net1.exe")) - - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Disable Net User Account has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["XMRig", "Ransomware"], - class_name = "Detection Report", - confidence = 70, - confidence_id = 3, - duration = 0, - impact = 70, - impact_id = 4, - kill_chain = [{"phase": "Actions on Objectives", "phase_id": 7}, {"phase": "Exploitation", "phase_id": 4}, {"phase": "Delivery", "phase_id": 3}, {"phase": "Installation", "phase_id": 5}], - nist = ["DE.AE"], - risk_level = "Medium", - category_uid = 2, - class_uid = 102001, - risk_level_id = 2, - risk_score = 49, - severity_id = 0, - rule = {"name": "Disable Net User Account", "uid": "ba858b08-d26c-11eb-af9b-acde48001122", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. Tune and filter known instances where renamed net.exe/net1.exe may be - used. -known_false_positives: System administrators or automated scripts may disable an account - but not a common practice. Filter as needed. -references: -- https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 49 - security_domain: endpoint - risk_severity: low - research_site_url: https://research.splunk.com/endpoint/ba858b08-d26c-11eb-af9b-acde48001122/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - XMRig - - Ransomware - cis20: - - CIS 10 - kill_chain_phases: - - Actions on Objectives - - Exploitation - - Delivery - - Installation - mitre_attack_id: - - T1489 - - T1078 - nist: - - DE.CM -test: - name: Disable Net User Account Unit Test - tests: - - name: Disable Net User Account - attack_data: - - file_name: net_user_dis.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/ssa_data1/net_user_dis.log - source: WinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___dns_exfiltration_using_nslookup_app.yml b/dist/ssa/srs/ssa___dns_exfiltration_using_nslookup_app.yml deleted file mode 100644 index 305e1a1510..0000000000 --- a/dist/ssa/srs/ssa___dns_exfiltration_using_nslookup_app.yml +++ /dev/null @@ -1,119 +0,0 @@ -name: DNS Exfiltration Using Nslookup App -id: 2452e632-9e0d-11eb-34ba-acde48001122 -version: 4 -status: production -detection_type: STREAMING -description: This search is to detect potential DNS exfiltration using nslookup application. - This technique are seen in couple of malware and APT group to exfiltrated collected - data in a infected machine or infected network. This detection is looking for unique - use of nslookup where it tries to use specific record type, TXT, A, AAAA, that are - commonly used by attacker and also the retry parameter which is designed to query - C2 DNS multiple tries. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where (process_cmd_line LIKE "%-retry=%" - OR process_cmd_line LIKE "%-type=%" OR process_cmd_line LIKE "%-q=%" OR process_cmd_line - LIKE "%-qt=%" OR process_cmd_line LIKE "%-querytype=%") AND process_file_name="nslookup.exe" - - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "DNS Exfiltration Using Nslookup App has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Suspicious DNS Traffic", "Dynamic DNS", "Data Exfiltration", "Command And Control"], - class_name = "Detection Report", - confidence = 80, - confidence_id = 3, - duration = 0, - impact = 90, - impact_id = 5, - kill_chain = [{"phase": "Actions on Objectives", "phase_id": 7}], - nist = ["DE.AE"], - risk_level = "High", - category_uid = 2, - class_uid = 102001, - risk_level_id = 3, - risk_score = 72, - severity_id = 0, - rule = {"name": "DNS Exfiltration Using Nslookup App", "uid": "2452e632-9e0d-11eb-34ba-acde48001122", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint_Processess` datamodel. -known_false_positives: It is possible for some legitimate administrative utilities - to use similar process parameters. Filter as needed. -references: -- https://www.mandiant.com/resources/fin7-spear-phishing-campaign-targets-personnel-involved-sec-filings -- https://www.varonis.com/blog/dns-tunneling -- https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/ -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 72 - security_domain: endpoint - risk_severity: medium - research_site_url: https://research.splunk.com/endpoint/2452e632-9e0d-11eb-34ba-acde48001122/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Suspicious DNS Traffic - - Dynamic DNS - - Data Exfiltration - - Command And Control - cis20: - - CIS 10 - kill_chain_phases: - - Actions on Objectives - mitre_attack_id: - - T1048 - nist: - - DE.CM -test: - name: DNS Exfiltration Using Nslookup App Unit Test - tests: - - name: DNS Exfiltration Using Nslookup App - attack_data: - - file_name: windows-security.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048.003/nslookup_exfil/windows-security.log - source: WinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___fsutil_zeroing_file.yml b/dist/ssa/srs/ssa___fsutil_zeroing_file.yml deleted file mode 100644 index ce092e8de0..0000000000 --- a/dist/ssa/srs/ssa___fsutil_zeroing_file.yml +++ /dev/null @@ -1,113 +0,0 @@ -name: Fsutil Zeroing File -id: f792cdc9-43ee-4429-a3c0-ffce4fed1a85 -version: 4 -status: production -detection_type: STREAMING -description: This search is to detect a suspicious fsutil process to zeroing a target - file. This technique was seen in lockbit ransomware where it tries to zero out its - malware path as part of its defense evasion after encrypting the compromised host. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where process_cmd_line LIKE "%setzerodata%" - AND process_file_name="fsutil.exe" - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Fsutil Zeroing File has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Ransomware", "Insider Threat", "Information Sabotage"], - class_name = "Detection Report", - confidence = 90, - confidence_id = 3, - duration = 0, - impact = 60, - impact_id = 4, - kill_chain = [{"phase": "Exploitation", "phase_id": 4}], - nist = ["DE.AE"], - risk_level = "Medium", - category_uid = 2, - class_uid = 102001, - risk_level_id = 2, - risk_score = 54, - severity_id = 0, - rule = {"name": "Fsutil Zeroing File", "uid": "f792cdc9-43ee-4429-a3c0-ffce4fed1a85", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. Tune and filter known instances where renamed net.exe may be used. -known_false_positives: System administrators or scripts may delete user accounts via - this technique. Filter as needed. -references: -- https://app.any.run/tasks/e0ac072d-58c9-4f53-8a3b-3e491c7ac5db/ -- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-file -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 54 - security_domain: endpoint - risk_severity: medium - research_site_url: https://research.splunk.com/endpoint/f792cdc9-43ee-4429-a3c0-ffce4fed1a85/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Ransomware - - Insider Threat - - Information Sabotage - cis20: - - CIS 10 - kill_chain_phases: - - Exploitation - mitre_attack_id: - - T1070 - nist: - - DE.CM -test: - name: Fsutil Zeroing File Unit Test - tests: - - name: Fsutil Zeroing File - attack_data: - - file_name: windows-security.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070/fsutil_file_zero/windows-security.log - source: WinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___grant_permission_using_cacls_utility.yml b/dist/ssa/srs/ssa___grant_permission_using_cacls_utility.yml deleted file mode 100644 index 5cfdfba232..0000000000 --- a/dist/ssa/srs/ssa___grant_permission_using_cacls_utility.yml +++ /dev/null @@ -1,112 +0,0 @@ -name: Grant Permission Using Cacls Utility -id: c6da561a-cd29-11eb-ae65-acde48001122 -version: 7 -status: production -detection_type: STREAMING -description: The following analytic identifies the use of `cacls.exe`, `icacls.exe` - or `xcacls.exe` placing the grant permission on a file or directory. Adversaries - perform this behavior to allow components of their files to run, however it allows - responders to review or gaining access to adversary files on disk. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where (process_file_name IN ("icacls.exe", - "xcacls.exe", "cacls.exe")) AND match(process_cmd_line, /(?i)grant/)=true - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Grant Permission Using Cacls Utility has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["XMRig", "Insider Threat"], - class_name = "Detection Report", - confidence = 70, - confidence_id = 3, - duration = 0, - impact = 50, - impact_id = 3, - kill_chain = [{"phase": "Exploitation", "phase_id": 4}], - nist = ["DE.AE"], - risk_level = "Low", - category_uid = 2, - class_uid = 102001, - risk_level_id = 1, - risk_score = 35, - severity_id = 0, - rule = {"name": "Grant Permission Using Cacls Utility", "uid": "c6da561a-cd29-11eb-ae65-acde48001122", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. Tune and filter known instances where renamed icacls.exe may be used. -known_false_positives: System administrators may use cacls utilities but this is not - a common practice. Filter as needed. -references: -- https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 35 - security_domain: endpoint - risk_severity: low - research_site_url: https://research.splunk.com/endpoint/c6da561a-cd29-11eb-ae65-acde48001122/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - XMRig - - Insider Threat - cis20: - - CIS 10 - kill_chain_phases: - - Exploitation - mitre_attack_id: - - T1222 - nist: - - DE.CM -test: - name: Grant Permission Using Cacls Utility Unit Test - tests: - - name: Grant Permission Using Cacls Utility - attack_data: - - file_name: all_icalc.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/ssa_cacls/all_icalc.log - source: WinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___hiding_files_and_directories_with_attrib_exe.yml b/dist/ssa/srs/ssa___hiding_files_and_directories_with_attrib_exe.yml deleted file mode 100644 index e99f2f9679..0000000000 --- a/dist/ssa/srs/ssa___hiding_files_and_directories_with_attrib_exe.yml +++ /dev/null @@ -1,116 +0,0 @@ -name: Hiding Files And Directories With Attrib exe -id: 028e4406-6176-11ec-aec2-acde48001122 -version: 4 -status: production -detection_type: STREAMING -description: Attackers leverage an existing Windows binary, attrib.exe, to mark specific - as hidden by using specific flags so that the victim does not see the file. The - search looks for specific command-line arguments to detect the use of attrib.exe - to hide files. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where process_file_name="attrib.exe" - AND match(process_cmd_line, /(?i)/)=true - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Hiding Files And Directories With Attrib exe has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Windows Defense Evasion Tactics", "Windows Persistence Techniques", "Information Sabotage", "Insider Threat"], - class_name = "Detection Report", - confidence = 90, - confidence_id = 3, - duration = 0, - impact = 80, - impact_id = 5, - kill_chain = [{"phase": "Exploitation", "phase_id": 4}], - nist = ["DE.AE"], - risk_level = "High", - category_uid = 2, - class_uid = 102001, - risk_level_id = 3, - risk_score = 72, - severity_id = 0, - rule = {"name": "Hiding Files And Directories With Attrib exe", "uid": "028e4406-6176-11ec-aec2-acde48001122", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: You must be ingesting data that records process activity from your - hosts to populate the Endpoint data model in the Processes node. You must also be - ingesting logs with both the process name and command line from your endpoints. - The command-line arguments are mapped to the "process" field in the Endpoint data - model. -known_false_positives: 'Some applications and users may legitimately use attrib.exe - to interact with the files. ' -references: -- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/attrib -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 72 - security_domain: endpoint - risk_severity: medium - research_site_url: https://research.splunk.com/endpoint/028e4406-6176-11ec-aec2-acde48001122/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Windows Defense Evasion Tactics - - Windows Persistence Techniques - - Information Sabotage - - Insider Threat - cis20: - - CIS 10 - kill_chain_phases: - - Exploitation - mitre_attack_id: - - T1222.001 - - T1222 - nist: - - DE.CM -test: - name: Hiding Files And Directories With Attrib exe Unit Test - tests: - - name: Hiding Files And Directories With Attrib exe - attack_data: - - file_name: security.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/attrib_hidden/security.log - source: WinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___impacket_lateral_movement_smbexec_commandline_parameters.yml b/dist/ssa/srs/ssa___impacket_lateral_movement_smbexec_commandline_parameters.yml deleted file mode 100644 index 5f1ea63305..0000000000 --- a/dist/ssa/srs/ssa___impacket_lateral_movement_smbexec_commandline_parameters.yml +++ /dev/null @@ -1,145 +0,0 @@ -name: Impacket Lateral Movement smbexec CommandLine Parameters -id: c1238942-2715-41ee-b371-0475da48029c -version: 1 -status: production -detection_type: STREAMING -description: This analytic focuses on identifying suspicious command-line parameters - commonly associated with the use of Impacket wmiexec.py. Impacket is a set of Python - classes designed for working with Microsoft network protocols, and it includes several - scripts like wmiexec.py, smbexec.py, dcomexec.py, and atexec.py that enable command - execution on remote endpoints. These scripts typically utilize administrative shares - and hardcoded parameters, which can serve as signatures to detect their usage. Both - Red Teams and adversaries may employ Impacket tools for lateral movement and remote - code execution purposes. By monitoring for these specific command-line indicators, - the analytic aims to detect potentially malicious activities related to Impacket - tool usage. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where (process_file_name="cmd.exe" AND - process_cmd_line LIKE "%cmd.exe /q /c%") AND process_cmd_line LIKE "%echo cd%" AND - (process_cmd_line LIKE "%__output%" AND match(process_cmd_line, /(?i)C:\\Windows\\[a-zA-Z]{1,8}\.bat/)=true) - - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Impacket Lateral Movement smbexec CommandLine Parameters has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Active Directory Lateral Movement", "CISA AA22-277A", "WhisperGate", "Prestige Ransomware", "Volt Typhoon", "Graceful Wipe Out Attack", "Industroyer2", "Data Destruction"], - class_name = "Detection Report", - confidence = 70, - confidence_id = 3, - duration = 0, - impact = 90, - impact_id = 5, - kill_chain = [{"phase": "Exploitation", "phase_id": 4}, {"phase": "Installation", "phase_id": 5}], - nist = ["DE.AE"], - risk_level = "High", - category_uid = 2, - class_uid = 102001, - risk_level_id = 3, - risk_score = 63, - severity_id = 0, - rule = {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "uid": "c1238942-2715-41ee-b371-0475da48029c", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: Although uncommon, Administrators may leverage Impackets tools - to start a process on remote systems for system administration or automation use - cases. -references: -- https://attack.mitre.org/techniques/T1021/002/ -- https://attack.mitre.org/techniques/T1021/003/ -- https://attack.mitre.org/techniques/T1047/ -- https://attack.mitre.org/techniques/T1053/ -- https://attack.mitre.org/techniques/T1053/005/ -- https://github.com/SecureAuthCorp/impacket -- https://vk9-sec.com/impacket-remote-code-execution-rce-on-windows-from-linux/ -- https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ -- https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/ -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 63 - security_domain: endpoint - risk_severity: medium - research_site_url: https://research.splunk.com/endpoint/c1238942-2715-41ee-b371-0475da48029c/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Active Directory Lateral Movement - - CISA AA22-277A - - WhisperGate - - Prestige Ransomware - - Volt Typhoon - - Graceful Wipe Out Attack - - Industroyer2 - - Data Destruction - cis20: - - CIS 10 - kill_chain_phases: - - Exploitation - - Installation - mitre_attack_id: - - T1021 - - T1021.002 - - T1021.003 - - T1047 - - T1543.003 - nist: - - DE.CM -test: - name: Impacket Lateral Movement smbexec CommandLine Parameters Unit Test - tests: - - name: Impacket Lateral Movement smbexec CommandLine Parameters - attack_data: - - file_name: windows_security_xml.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.002/impacket_smbexec/windows_security_xml.log - source: XmlWinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___impacket_lateral_movement_wmiexec_commandline_parameters.yml b/dist/ssa/srs/ssa___impacket_lateral_movement_wmiexec_commandline_parameters.yml deleted file mode 100644 index 744d747f68..0000000000 --- a/dist/ssa/srs/ssa___impacket_lateral_movement_wmiexec_commandline_parameters.yml +++ /dev/null @@ -1,142 +0,0 @@ -name: Impacket Lateral Movement WMIExec Commandline Parameters -id: 9d07ff50-e968-456e-a3d9-c65c38ed0ab0 -version: 1 -status: production -detection_type: STREAMING -description: This analytic looks for the presence of suspicious commandline parameters - typically present when using Impacket tools. Impacket is a collection of python - classes meant to be used with Microsoft network protocols. There are multiple scripts - that leverage impacket libraries like `wmiexec.py`, `smbexec.py`, `dcomexec.py` - and `atexec.py` used to execute commands on remote endpoints. By default, these - scripts leverage administrative shares and hardcoded parameters that can be used - as a signature to detect its use. Red Teams and adversaries alike may leverage Impackets - tools for lateral movement and remote code execution. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = lower(actor_process_file.name) - | eval device_hostname = device.hostname | where actor_process_file_name="wmiprvse.exe" - AND process_cmd_line LIKE "%\\127.0.0.1%" AND match(process_cmd_line, /(?i)__\d{1,10}\.\d{1,10}/)=true - - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Impacket Lateral Movement WMIExec Commandline Parameters has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Active Directory Lateral Movement", "CISA AA22-277A", "WhisperGate", "Prestige Ransomware", "Volt Typhoon", "Graceful Wipe Out Attack", "Industroyer2", "Data Destruction"], - class_name = "Detection Report", - confidence = 70, - confidence_id = 3, - duration = 0, - impact = 90, - impact_id = 5, - kill_chain = [{"phase": "Exploitation", "phase_id": 4}, {"phase": "Installation", "phase_id": 5}], - nist = ["DE.AE"], - risk_level = "High", - category_uid = 2, - class_uid = 102001, - risk_level_id = 3, - risk_score = 63, - severity_id = 0, - rule = {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "uid": "9d07ff50-e968-456e-a3d9-c65c38ed0ab0", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: Although uncommon, Administrators may leverage Impackets tools - to start a process on remote systems for system administration or automation use - cases. -references: -- https://attack.mitre.org/techniques/T1021/002/ -- https://attack.mitre.org/techniques/T1021/003/ -- https://attack.mitre.org/techniques/T1047/ -- https://attack.mitre.org/techniques/T1053/ -- https://attack.mitre.org/techniques/T1053/005/ -- https://github.com/SecureAuthCorp/impacket -- https://vk9-sec.com/impacket-remote-code-execution-rce-on-windows-from-linux/ -- https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ -- https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/ -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 63 - security_domain: endpoint - risk_severity: medium - research_site_url: https://research.splunk.com/endpoint/9d07ff50-e968-456e-a3d9-c65c38ed0ab0/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Active Directory Lateral Movement - - CISA AA22-277A - - WhisperGate - - Prestige Ransomware - - Volt Typhoon - - Graceful Wipe Out Attack - - Industroyer2 - - Data Destruction - cis20: - - CIS 10 - kill_chain_phases: - - Exploitation - - Installation - mitre_attack_id: - - T1021 - - T1021.002 - - T1021.003 - - T1047 - - T1543.003 - nist: - - DE.CM -test: - name: Impacket Lateral Movement WMIExec Commandline Parameters Unit Test - tests: - - name: Impacket Lateral Movement WMIExec Commandline Parameters - attack_data: - - file_name: windows_security_xml.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.002/impacket_wmiexec/windows_security_xml.log - source: XmlWinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___modify_acls_permission_of_files_or_folders.yml b/dist/ssa/srs/ssa___modify_acls_permission_of_files_or_folders.yml deleted file mode 100644 index 3c27ab9b12..0000000000 --- a/dist/ssa/srs/ssa___modify_acls_permission_of_files_or_folders.yml +++ /dev/null @@ -1,114 +0,0 @@ -name: Modify ACLs Permission Of Files Or Folders -id: 9ae9a48a-cdbe-11eb-875a-acde48001122 -version: 7 -status: production -detection_type: STREAMING -description: This analytic identifies suspicious modification of ACL permission to - a files or folder to make it available to everyone or to a specific user. This technique - may be used by the adversary to evade ACLs or protected files access. This changes - is commonly configured by the file or directory owner with appropriate permission. - This behavior raises suspicion if this command is seen on an endpoint utilized by - an account with no permission to do so. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where (match(process_cmd_line, /(?i)S-1-1-0:/)=true - OR match(process_cmd_line, /(?i)SYSTEM:/)=true OR match(process_cmd_line, /(?i)everyone:/)=true) - AND (process_file_name IN ("icacls.exe", "xcacls.exe", "cacls.exe")) - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Modify ACLs Permission Of Files Or Folders has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["XMRig"], - class_name = "Detection Report", - confidence = 70, - confidence_id = 3, - duration = 0, - impact = 50, - impact_id = 3, - kill_chain = [{"phase": "Exploitation", "phase_id": 4}], - nist = ["DE.AE"], - risk_level = "Low", - category_uid = 2, - class_uid = 102001, - risk_level_id = 1, - risk_score = 35, - severity_id = 0, - rule = {"name": "Modify ACLs Permission Of Files Or Folders", "uid": "9ae9a48a-cdbe-11eb-875a-acde48001122", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. Tune and filter known instances where renamed cacls.exe may be used. -known_false_positives: System administrators may use this windows utility. filter - is needed. -references: -- https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 35 - security_domain: endpoint - risk_severity: low - research_site_url: https://research.splunk.com/endpoint/9ae9a48a-cdbe-11eb-875a-acde48001122/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - XMRig - cis20: - - CIS 10 - kill_chain_phases: - - Exploitation - mitre_attack_id: - - T1222 - nist: - - DE.AE -test: - name: Modify ACLs Permission Of Files Or Folders Unit Test - tests: - - name: Modify ACLs Permission Of Files Or Folders - attack_data: - - file_name: all_icalc.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/ssa_cacls/all_icalc.log - source: WinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___office_product_spawning_windows_script_host.yml b/dist/ssa/srs/ssa___office_product_spawning_windows_script_host.yml deleted file mode 100644 index 3fa4bb76a5..0000000000 --- a/dist/ssa/srs/ssa___office_product_spawning_windows_script_host.yml +++ /dev/null @@ -1,114 +0,0 @@ -name: Office Product Spawning Windows Script Host -id: 3ea3851a-8736-41a0-bc09-7e4485b48fa6 -version: 5 -status: production -detection_type: STREAMING -description: The following analytic will identify a Windows Office Product spawning - WScript.exe or CScript.exe. Tuning may be required based on legitimate application - usage that may spawn scripts from an Office product. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where (process_file_name IN ("cscript.exe", - "wscript.exe")) AND (match(actor_process_file_name, /(?i)visio.exe/)=true OR match(actor_process_file_name, - /(?i)mspub.exe/)=true OR match(actor_process_file_name, /(?i)powerpnt.exe/)=true - OR match(actor_process_file_name, /(?i)excel.exe/)=true OR match(actor_process_file_name, - /(?i)winword.exe/)=true) - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Office Product Spawning Windows Script Host has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Spearphishing Attachments"], - class_name = "Detection Report", - confidence = 90, - confidence_id = 3, - duration = 0, - impact = 70, - impact_id = 4, - kill_chain = [{"phase": "Delivery", "phase_id": 3}], - nist = ["DE.AE"], - risk_level = "High", - category_uid = 2, - class_uid = 102001, - risk_level_id = 3, - risk_score = 63, - severity_id = 0, - rule = {"name": "Office Product Spawning Windows Script Host", "uid": "3ea3851a-8736-41a0-bc09-7e4485b48fa6", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. -known_false_positives: False positives may be present based on macro based approved - documents in the organization. Filtering may be needed. -references: -- https://blog.cluster25.duskrise.com/2022/09/23/in-the-footsteps-of-the-fancy-bear-powerpoint-graphite/ -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 63 - security_domain: endpoint - risk_severity: medium - research_site_url: https://research.splunk.com/endpoint/3ea3851a-8736-41a0-bc09-7e4485b48fa6/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Spearphishing Attachments - cis20: - - CIS 10 - kill_chain_phases: - - Delivery - mitre_attack_id: - - T1566 - - T1566.001 - nist: - - DE.CM -test: - name: Office Product Spawning Windows Script Host Unit Test - tests: - - name: Office Product Spawning Windows Script Host - attack_data: - - file_name: windows-security.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.002/atomic_red_team/windows-security.log - source: XmlWinEventLog -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___possible_lateral_movement_powershell_spawn.yml b/dist/ssa/srs/ssa___possible_lateral_movement_powershell_spawn.yml deleted file mode 100644 index d9eaf4b57f..0000000000 --- a/dist/ssa/srs/ssa___possible_lateral_movement_powershell_spawn.yml +++ /dev/null @@ -1,140 +0,0 @@ -name: Possible Lateral Movement PowerShell Spawn -id: 22282a2d-dc19-4b88-ac61-6c86ff92904f -version: 1 -status: production -detection_type: STREAMING -description: 'The following analytic is designed to identify possible lateral movement - attacks that involve the spawning of a PowerShell process as a child or grandchild - process of commonly abused processes. These processes include services.exe, wmiprsve.exe, - svchost.exe, wsmprovhost.exe, and mmc.exe.\ - - Such behavior is indicative of legitimate Windows features such as the Service Control - Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management, - and the DCOM protocol being abused to start a process on a remote endpoint. This - behavior is often seen during lateral movement techniques where adversaries or red - teams abuse these services for lateral movement and remote code execution.' -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = lower(actor_process_file.name) - | eval device_hostname = device.hostname | where (actor_process_file_name IN ("wmiprvse.exe", - "services.exe", "svchost.exe", "wsmprovhost.exe", "mmc.exe")) AND ((process_file_name - IN ("powershell.exe", "pwsh.exe")) OR (process_file_name="cmd.exe" AND (process_cmd_line - LIKE "%powershell.exe%" OR process_cmd_line LIKE "%pwsh.exe%"))) - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Possible Lateral Movement PowerShell Spawn has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Active Directory Lateral Movement", "Malicious PowerShell", "Hermetic Wiper", "Data Destruction", "Scheduled Tasks"], - class_name = "Detection Report", - confidence = 50, - confidence_id = 2, - duration = 0, - impact = 90, - impact_id = 5, - kill_chain = [{"phase": "Exploitation", "phase_id": 4}, {"phase": "Installation", "phase_id": 5}], - nist = ["DE.AE"], - risk_level = "Medium", - category_uid = 2, - class_uid = 102001, - risk_level_id = 2, - risk_score = 45, - severity_id = 0, - rule = {"name": "Possible Lateral Movement PowerShell Spawn", "uid": "22282a2d-dc19-4b88-ac61-6c86ff92904f", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: Legitimate applications may spawn PowerShell as a child process - of the the identified processes. Filter as needed. -references: -- https://attack.mitre.org/techniques/T1021/003/ -- https://attack.mitre.org/techniques/T1021/006/ -- https://attack.mitre.org/techniques/T1047/ -- https://attack.mitre.org/techniques/T1053/005/ -- https://attack.mitre.org/techniques/T1543/003/ -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 45 - security_domain: endpoint - risk_severity: low - research_site_url: https://research.splunk.com/endpoint/22282a2d-dc19-4b88-ac61-6c86ff92904f/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Active Directory Lateral Movement - - Malicious PowerShell - - Hermetic Wiper - - Data Destruction - - Scheduled Tasks - cis20: - - CIS 10 - kill_chain_phases: - - Exploitation - - Installation - mitre_attack_id: - - T1021 - - T1021.003 - - T1021.006 - - T1047 - - T1053.005 - - T1543.003 - - T1059.001 - - T1218.014 - nist: - - DE.CM -test: - name: Possible Lateral Movement PowerShell Spawn Unit Test - tests: - - name: Possible Lateral Movement PowerShell Spawn - attack_data: - - file_name: windows_security_xml.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.003/lateral_movement/windows_security_xml.log - source: XmlWinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___resize_shadowstorage_volume.yml b/dist/ssa/srs/ssa___resize_shadowstorage_volume.yml deleted file mode 100644 index a97dcbcb64..0000000000 --- a/dist/ssa/srs/ssa___resize_shadowstorage_volume.yml +++ /dev/null @@ -1,114 +0,0 @@ -name: Resize Shadowstorage Volume -id: dbc30554-d27e-11eb-9e5e-acde48001122 -version: 6 -status: production -detection_type: STREAMING -description: The following analytic identifies the resizing of shadowstorage using - vssadmin.exe to avoid the shadow volumes being made again. This technique is typically - found used by adversaries during a ransomware event and a precursor to deleting - the shadowstorage. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where process_cmd_line LIKE "%shadowstorage%" - AND process_cmd_line LIKE "%resize%" AND process_cmd_line LIKE "%maxsize%" AND process_file_name="vssadmin.exe" - - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Resize Shadowstorage Volume has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Clop Ransomware", "Ransomware"], - class_name = "Detection Report", - confidence = 80, - confidence_id = 3, - duration = 0, - impact = 80, - impact_id = 5, - kill_chain = [{"phase": "Actions on Objectives", "phase_id": 7}], - nist = ["DE.AE"], - risk_level = "High", - category_uid = 2, - class_uid = 102001, - risk_level_id = 3, - risk_score = 64, - severity_id = 0, - rule = {"name": "Resize Shadowstorage Volume", "uid": "dbc30554-d27e-11eb-9e5e-acde48001122", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. -known_false_positives: System administrators may resize the shadowstorage for valid - purposes. Filter as needed. -references: -- https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft -- https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 64 - security_domain: endpoint - risk_severity: medium - research_site_url: https://research.splunk.com/endpoint/dbc30554-d27e-11eb-9e5e-acde48001122/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Clop Ransomware - - Ransomware - cis20: - - CIS 10 - kill_chain_phases: - - Actions on Objectives - mitre_attack_id: - - T1489 - nist: - - DE.CM -test: - name: Resize Shadowstorage Volume Unit Test - tests: - - name: Resize Shadowstorage Volume - attack_data: - - file_name: windows-security.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/ssa_data1/windows-security.log - source: WinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___sdelete_application_execution.yml b/dist/ssa/srs/ssa___sdelete_application_execution.yml deleted file mode 100644 index bbbe0ed0a7..0000000000 --- a/dist/ssa/srs/ssa___sdelete_application_execution.yml +++ /dev/null @@ -1,128 +0,0 @@ -name: Sdelete Application Execution -id: fcc52b9a-4616-11ec-8454-acde48001122 -version: 4 -status: production -detection_type: STREAMING -description: This analytic will detect the execution of sdelete.exe attempting to - delete potentially important files that may related to adversary or insider threats - to destroy evidence or information sabotage. Sdelete is a SysInternals utility meant - to securely delete files on disk. This tool is commonly used to clear tracks and - artifact on the targeted host. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where (process_cmd_line LIKE "%.xls%" - OR process_cmd_line LIKE "%.gz%" OR process_cmd_line LIKE "%.tar%" OR process_cmd_line - LIKE "%.rar%" OR process_cmd_line LIKE "%.zip%" OR process_cmd_line LIKE "%.7z%" - OR process_cmd_line LIKE "%.bmp%" OR process_cmd_line LIKE "%.gif%" OR process_cmd_line - LIKE "%.png%" OR process_cmd_line LIKE "%.jpg%" OR process_cmd_line LIKE "%.txt%" - OR process_cmd_line LIKE "%.log%" OR process_cmd_line LIKE "%.key%" OR process_cmd_line - LIKE "%.pdf%" OR process_cmd_line LIKE "%.rtf%" OR process_cmd_line LIKE "%.ppt%" - OR process_cmd_line LIKE "%.xls%" OR process_cmd_line LIKE "%.doc%" OR process_cmd_line - LIKE "%-nobanner%" OR process_cmd_line LIKE "%/accepteula%" OR process_cmd_line - LIKE "%-z %" OR process_cmd_line LIKE "%-s %" OR process_cmd_line LIKE "%-q %" OR - process_cmd_line LIKE "%-r %" OR process_cmd_line LIKE "%-p %" OR process_cmd_line - LIKE "%-f %" OR process_cmd_line LIKE "%-c %") AND process_file_name LIKE "%sdelete%" - - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Sdelete Application Execution has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Information Sabotage", "Insider Threat"], - class_name = "Detection Report", - confidence = 70, - confidence_id = 3, - duration = 0, - impact = 60, - impact_id = 4, - kill_chain = [{"phase": "Actions on Objectives", "phase_id": 7}, {"phase": "Exploitation", "phase_id": 4}], - nist = ["DE.AE"], - risk_level = "Medium", - category_uid = 2, - class_uid = 102001, - risk_level_id = 2, - risk_score = 42, - severity_id = 0, - rule = {"name": "Sdelete Application Execution", "uid": "fcc52b9a-4616-11ec-8454-acde48001122", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. -known_false_positives: False positives should be limited, filter as needed. -references: -- https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 42 - security_domain: endpoint - risk_severity: low - research_site_url: https://research.splunk.com/endpoint/fcc52b9a-4616-11ec-8454-acde48001122/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Information Sabotage - - Insider Threat - cis20: - - CIS 10 - kill_chain_phases: - - Actions on Objectives - - Exploitation - mitre_attack_id: - - T1485 - - T1070.004 - - T1070 - nist: - - DE.AE -test: - name: Sdelete Application Execution Unit Test - tests: - - name: Sdelete Application Execution - attack_data: - - file_name: security.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/sdelete/security.log - source: WinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___serviceprincipalnames_discovery_with_powershell.yml b/dist/ssa/srs/ssa___serviceprincipalnames_discovery_with_powershell.yml deleted file mode 100644 index de101a903a..0000000000 --- a/dist/ssa/srs/ssa___serviceprincipalnames_discovery_with_powershell.yml +++ /dev/null @@ -1,122 +0,0 @@ -name: ServicePrincipalNames Discovery with PowerShell -id: 043f07a0-7fd8-40e2-b526-80406fb59abb -version: 2 -status: production -detection_type: STREAMING -description: 'The following analytic identifies `powershell.exe` usage, using Script - Block Logging EventCode 4104, related to querying the domain for Service Principle - Names. typically, this is a precursor activity related to kerberoasting or the silver - ticket attack. \ - - What is a ServicePrincipleName? \ - - A service principal name (SPN) is a unique identifier of a service instance. SPNs - are used by Kerberos authentication to associate a service instance with a service - logon account. This allows a client application to request that the service authenticate - an account even if the client does not have the account name.\ - - The following analytic identifies the use of KerberosRequestorSecurityToken class - within the script block. Using .NET System.IdentityModel.Tokens.KerberosRequestorSecurityToken - class in PowerShell is the equivelant of using setspn.exe. \ - - During triage, review parallel processes for further suspicious activity.' -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval device_hostname = device.hostname | eval process_file = process.file | eval - process_file_path = process_file.path | eval process_uid = process.uid | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_uid = actor_user.uid - | where match(process_cmd_line, /(?i)KerberosRequestorSecurityToken/)=true - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"device.hostname": device_hostname, "process.file.path": process_file_path, "process.uid": process_uid, "process.cmd_line": process_cmd_line, "actor.user.uid": actor_user_uid, "sourceType": metadata.source_type, "source": metadata.source}, - message = "ServicePrincipalNames Discovery with PowerShell has been triggered on " + device_hostname + " by " + "Unknown" + ".", - users = [{"name": "Unknown", "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Active Directory Discovery", "Active Directory Kerberos Attacks", "Malicious PowerShell", "Active Directory Privilege Escalation"], - class_name = "Detection Report", - confidence = 100, - confidence_id = 3, - duration = 0, - impact = 80, - impact_id = 5, - kill_chain = [{"phase": "Exploitation", "phase_id": 4}], - nist = ["DE.AE"], - risk_level = "Critical", - category_uid = 2, - class_uid = 102001, - risk_level_id = 4, - risk_score = 80, - severity_id = 0, - rule = {"name": "ServicePrincipalNames Discovery with PowerShell", "uid": "043f07a0-7fd8-40e2-b526-80406fb59abb", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this analytic, you will need to enable - PowerShell Script Block Logging on some or all endpoints. Additional setup here - https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -known_false_positives: False positives should be limited, however filter as needed. -references: -- https://docs.microsoft.com/en-us/windows/win32/ad/service-principal-names -- https://docs.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.kerberosrequestorsecuritytoken?view=netframework-4.8 -- https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting -- https://strontic.github.io/xcyclopedia/library/setspn.exe-5C184D581524245DAD7A0A02B51FD2C2.html -- https://attack.mitre.org/techniques/T1558/003/ -- https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spn-setspn-syntax.aspx -- https://web.archive.org/web/20220212163642/https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/ -- https://blog.zsec.uk/paving-2-da-wholeset/ -- https://msitpros.com/?p=3113 -- https://adsecurity.org/?p=3466 -- https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -- https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63 -- https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf -- https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/ -tags: - required_fields: - - device.hostname - - process.file.path - - process.uid - - process.cmd_line - - actor.user.uid - risk_score: 80 - security_domain: endpoint - risk_severity: high - research_site_url: https://research.splunk.com/endpoint/043f07a0-7fd8-40e2-b526-80406fb59abb/ - event_schema: ocsf - mappings: - - ocsf: device.hostname - cim: dest - - ocsf: process.file.path - cim: process_path - - ocsf: process.uid - cim: process_id - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.uid - cim: user_id - annotations: - analytic_story: - - Active Directory Discovery - - Active Directory Kerberos Attacks - - Malicious PowerShell - - Active Directory Privilege Escalation - cis20: - - CIS 10 - kill_chain_phases: - - Exploitation - mitre_attack_id: - - T1558.003 - nist: - - DE.CM -test: - name: ServicePrincipalNames Discovery with PowerShell Unit Test - tests: - - name: ServicePrincipalNames Discovery with PowerShell - attack_data: - - file_name: sbl_xml.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log - source: XmlWinEventLog -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___services_lolbas_execution_process_spawn.yml b/dist/ssa/srs/ssa___services_lolbas_execution_process_spawn.yml deleted file mode 100644 index 59714ac41d..0000000000 --- a/dist/ssa/srs/ssa___services_lolbas_execution_process_spawn.yml +++ /dev/null @@ -1,133 +0,0 @@ -name: Services lolbas Execution Process Spawn -id: 0d85fde3-0de9-4eec-b386-6a8ba70f3935 -version: 5 -status: validation -detection_type: STREAMING -description: The following analytic identifies services.exe spawning a LOLBAS execution - process. When adversaries execute code on remote endpoints abusing the Service Control - Manager and creating a remote malicious service, the executed command is spawned - as a child process of services.exe. The LOLBAS project documents Windows native - binaries that can be abused by threat actors to perform tasks like executing malicious - code. Looking for child processes of services.exe that are part of the LOLBAS project - can help defenders identify lateral movement activity. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = lower(actor_process_file.name) - | eval device_hostname = device.hostname | where actor_process_file_name="services.exe" - AND (process_file_name IN ("at.exe", "atbroker.exe", "bash.exe", "bitsadmin.exe", - "certoc.exe", "cmd.exe", "cmstp.exe", "dllhost.exe", "dnscmd.exe", "extexport.exe", - "explorer.exe", "forfiles.exe", "ftp.exe", "gpscript.exe", "hh.exe", "ie4uinit.exe", - "ieexec.exe", "infdefaultinstall.exe", "installutil.exe", "lucallbackproxy.exe", - "mavinject.exe", "microsoft.workflow.compiler.exe", "mmc.exe", "msbuild.exe", "msconfig.exe", - "msdt.exe", "mshta.exe", "msiexec.exe", "netsh.exe", "odbcconf.exe", "offlinescannershell.exe", - "pcwrun.exe", "pcalua.exe", "pnputil.exe", "presentationhost.exe", "rasautou.exe", - "regasm.exe", "regsvcs.exe", "regsvr32.exe", "register-cimprovider.exe", "rundll32.exe", - "runonce.exe", "runscripthelper.exe", "schtasks.exe", "scriptrunner.exe", "settingsynchost.exe", - "stordiag.exe", "syncappvpublishingserver.exe", "ttdinject.exe", "tttracer.exe", - "verclsid.exe", "wab.exe", "wmic.exe", "wuauclt.exe", "xwizard.exe")) - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Services lolbas Execution Process Spawn has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Suspicious Command-Line Executions", "Insider Threat"], - class_name = "Detection Report", - confidence = 50, - confidence_id = 2, - duration = 0, - impact = 70, - impact_id = 4, - kill_chain = [{"phase": "Installation", "phase_id": 5}, {"phase": "Exploitation", "phase_id": 4}], - nist = ["DE.AE"], - risk_level = "Low", - category_uid = 2, - class_uid = 102001, - risk_level_id = 1, - risk_score = 35, - severity_id = 0, - rule = {"name": "Services lolbas Execution Process Spawn", "uid": "0d85fde3-0de9-4eec-b386-6a8ba70f3935", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the Processes node of the Endpoint - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: There are circumstances where the services application may - legitimately execute and spawn a windows native binary to do an activity that is - benign. -references: -- https://attack.mitre.org/techniques/T1543/003/ -- https://pentestlab.blog/2020/07/21/lateral-movement-services -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 35 - security_domain: endpoint - risk_severity: low - research_site_url: https://research.splunk.com/endpoint/0d85fde3-0de9-4eec-b386-6a8ba70f3935/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Suspicious Command-Line Executions - - Insider Threat - cis20: - - CIS 10 - kill_chain_phases: - - Installation - - Exploitation - mitre_attack_id: - - T1543.003 - nist: - - DE.AE -test: - name: Services lolbas Execution Process Spawn Unit Test - tests: - - name: Services lolbas Execution Process Spawn - attack_data: - - file_name: 4688_xml_windows_security.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/services_lolbas_execution/4688_xml_windows_security.log - source: XmlWinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___system_process_running_from_unexpected_location.yml b/dist/ssa/srs/ssa___system_process_running_from_unexpected_location.yml deleted file mode 100644 index 41578c20f0..0000000000 --- a/dist/ssa/srs/ssa___system_process_running_from_unexpected_location.yml +++ /dev/null @@ -1,219 +0,0 @@ -name: System Process Running from Unexpected Location -id: 28179107-099a-464a-94d3-08301e6c055f -version: 8 -status: production -detection_type: STREAMING -description: An attacker tries might try to use different version of a system command - without overriding original, or they might try to avoid some detection running the - process from a different folder. This detection checks that a list of system processes - run inside C:\\Windows\System32 or C:\\Windows\SysWOW64 The list of system processes - has been extracted from https://github.com/splunk/security_content/blob/develop/lookups/is_windows_system_file.csv - and the original detection https://github.com/splunk/security_content/blob/develop/detections/system_processes_run_from_unexpected_locations.yml -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where (process_file_name IN ("xwizard.exe", - "xpsrchvw.exe", "xcopy.exe", "wusa.exe", "wuauclt.exe", "wuapp.exe", "wuapihost.exe", - "wsqmcons.exe", "wsmprovhost.exe", "wscript.exe", "write.exe", "wpr.exe", "wpnpinst.exe", - "wowreg32.exe", "wlrmdr.exe", "wlanext.exe", "wksprt.exe", "wkspbroker.exe", "wisptis.exe", - "winver.exe", "winrshost.exe", "winrs.exe", "winresume.exe", "winlogon.exe", "winload.exe", - "wininit.exe", "wimserv.exe", "wifitask.exe", "wiawow64.exe", "wiaacmgr.exe", "whoami.exe", - "where.exe", "wextract.exe", "wevtutil.exe", "wermgr.exe", "wecutil.exe", "wbengine.exe", - "wbadmin.exe", "waitfor.exe", "w32tm.exe", "vssadmin.exe", "vmicsvc.exe", "verifiergui.exe", - "verifier.exe", "verclsid.exe", "vdsldr.exe", "vds.exe", "userinit.exe", "upnpcont.exe", - "unregmp2.exe", "unlodctr.exe", "ucsvc.exe", "tzutil.exe", "tzsync.exe", "typeperf.exe", - "tskill.exe", "tsdiscon.exe", "tscon.exe", "tracerpt.exe", "tpmvscmgrsvr.exe", "tpmvscmgr.exe", - "timeout.exe", "tcmsetup.exe", "taskmgr.exe", "tasklist.exe", "taskkill.exe", "taskhostw.exe", - "taskhost.exe", "taskeng.exe", "takeown.exe", "tabcal.exe", "systray.exe", "systemreset.exe", - "systeminfo.exe", "syskey.exe", "sxstrace.exe", "svchost.exe", "subst.exe", "srdelayed.exe", - "spreview.exe", "sppsvc.exe", "spoolsv.exe", "spinstall.exe", "sort.exe", "snmptrap.exe", - "smss.exe", "slui.exe", "sihost.exe", "sigverif.exe", "shutdown.exe", "shrpubw.exe", - "shadow.exe", "setx.exe", "setupugc.exe", "setupcl.exe", "setspn.exe", "sethc.exe", - "sessionmsg.exe", "services.exe", "secinit.exe", "sdiagnhost.exe", "sdclt.exe", - "sdchange.exe", "sdbinst.exe", "schtasks.exe", "sc.exe", "sbunattend.exe", "rwinsta.exe", - "runonce.exe", "rundll32.exe", "runas.exe", "rstrui.exe", "rrinstaller.exe", "rmttpmvscmgrsvr.exe", - "resmon.exe", "reset.exe", "replace.exe", "repair-bde.exe", "relog.exe", "rekeywiz.exe", - "regsvr32.exe", "regini.exe", "regedt32.exe", "reg.exe", "recover.exe", "recdisc.exe", - "rdrleakdiag.exe", "rdpinput.exe", "rdpclip.exe", "rasphone.exe", "raserver.exe", - "rasdial.exe", "rasautou.exe", "qwinsta.exe", "quser.exe", "query.exe", "qprocess.exe", - "qappsrv.exe", "pwlauncher.exe", "psr.exe", "provtool.exe", "proquota.exe", "printui.exe", - "printfilterpipelinesvc.exe", "print.exe", "prevhost.exe", "powercfg.exe", "poqexec.exe", - "plasrv.exe", "phoneactivate.exe", "perfmon.exe", "pcwrun.exe", "pcawrk.exe", "pcaui.exe", - "pcalua.exe", "p2phost.exe", "osk.exe", "openfiles.exe", "omadmprc.exe", "omadmclient.exe", - "odbcconf.exe", "odbcad32.exe", "ocsetup.exe", "ntprint.exe", "ntoskrnl.exe", "nslookup.exe", - "notepad.exe", "nltest.exe", "newdev.exe", "netsh.exe", "netiougc.exe", "netcfg.exe", - "netbtugc.exe", "net1.exe", "net.exe", "ndadmin.exe", "nbtstat.exe", "mtstocom.exe", - "mstsc.exe", "msra.exe", "mspaint.exe", "msinfo32.exe", "msiexec.exe", "mshta.exe", - "msg.exe", "msfeedssync.exe", "msdtc.exe", "msdt.exe", "msconfig.exe", "mpnotify.exe", - "mountvol.exe", "mobsync.exe", "mmc.exe", "mfpmp.exe", "mctadmin.exe", "mcbuilder.exe", - "mblctr.exe", "manage-bde.exe", "makecab.exe", "lsm.exe", "lsass.exe", "lpremove.exe", - "lpksetup.exe", "lpkinstall.exe", "logoff.exe", "logman.exe", "logagent.exe", "lodctr.exe", - "licensingdiag.exe", "label.exe", "ktmutil.exe", "ksetup.exe", "klist.exe", "isoburn.exe", - "iscsicpl.exe", "iscsicli.exe", "irftp.exe", "ipconfig.exe", "immersivetpmvscmgrsvr.exe", - "iexpress.exe", "ieetwcollector.exe", "ieunatt.exe", "ie4uinit.exe", "icsunattend.exe", - "icardagt.exe", "icacls.exe", "hwrreg.exe", "hwrcomp.exe", "help.exe", "hdwwiz.exe", - "grpconv.exe", "gpupdate.exe", "gpscript.exe", "gpresult.exe", "getmac.exe", "fveprompt.exe", - "fvenotify.exe", "ftp.exe", "fsutil.exe", "fsquirt.exe", "fsavailux.exe", "forfiles.exe", - "fontview.exe", "fontdrvhost.exe", "fodhelper.exe", "fltmc.exe", "fixmapi.exe", - "finger.exe", "findstr.exe", "find.exe", "fhmanagew.exe", "fc.exe", "extrac32.exe", - "expand.exe", "eventvwr.exe", "eventcreate.exe", "eudcedit.exe", "esentutl.exe", - "embeddedapplauncher.exe", "efsui.exe", "easinvoker.exe", "dxdiag.exe", "dwm.exe", - "dvdupgrd.exe", "dvdplay.exe", "dstokenclean.exe", "dsregcmd.exe", "drvinst.exe", - "drvcfg.exe", "driverquery.exe", "dpnsvr.exe", "dpapimig.exe", "doskey.exe", "dnscacheugc.exe", - "dmclient.exe", "dmcfghost.exe", "dmcertinst.exe", "dllhst3g.exe", "dllhost.exe", - "djoin.exe", "dispdiag.exe", "diskraid.exe", "diskperf.exe", "diskpart.exe", "dinotify.exe", - "diantz.exe", "dialer.exe", "dfrgui.exe", "ddodiag.exe", "dcomcnfg.exe", "dccw.exe", - "dashost.exe", "cttunesvr.exe", "cttune.exe", "ctfmon.exe", "csrss.exe", "cscript.exe", - "credwiz.exe", "convert.exe", "control.exe", "consent.exe", "conhost.exe", "compact.exe", - "comp.exe", "colorcpl.exe", "cofire.exe", "cmstp.exe", "cmmon32.exe", "cmdl32.exe", - "cmdkey.exe", "cmd.exe", "clip.exe", "cliconfg.exe", "cleanmgr.exe", "cipher.exe", - "choice.exe", "chkntfs.exe", "chkdsk.exe", "chgusr.exe", "chgport.exe", "chglogon.exe", - "charmap.exe", "changepk.exe", "change.exe", "certutil.exe", "certreq.exe", "cdpreference.exe", - "calc.exe", "cacls.exe", "bthudtask.exe", "browser_broker.exe", "bridgeunattend.exe", - "bootsect.exe", "bootim.exe", "bootcfg.exe", "bitsadmin.exe", "bdeunlock.exe", "bdechangepin.exe", - "bcdedit.exe", "bcdboot.exe", "bcastdvr.exe", "backgroundtaskhost.exe", "baaupdate.exe", - "autofmt.exe", "autoconv.exe", "autochk.exe", "auditpol.exe", "audiodg.exe", "attrib.exe", - "at.exe", "appidpolicyconverter.exe", "appidcertstorecheck.exe", "alg.exe", "aitstatic.exe", - "aitagent.exe", "acu.exe", "wpcmon.exe", "workfolders.exe", "windowsupdateelevatedinstaller.exe", - "windowsanytimeupgradeui.exe", "windowsanytimeupgraderesults.exe", "windowsanytimeupgrade.exe", - "windowsactiondialog.exe", "windows.media.backgroundplayback.exe", "winsat.exe", - "werfaultsecure.exe", "werfault.exe", "webcache.exe", "wallpaperhost.exe", "wwahost.exe", - "wudfhost.exe", "wsreset.exe", "wsmanhttpconfig.exe", "wscollect.exe", "wpdshextautoplay.exe", - "wmpdmc.exe", "wfs.exe", "vaultsysui.exe", "vaultcmd.exe", "vssvc.exe", "utilman.exe", - "usoclient.exe", "useraccountcontrolsettings.exe", "useraccountbroker.exe", "upgraderesultsui.exe", - "ui0detect.exe", "tswpfwrp.exe", "tpminit.exe", "tokenbrokercookies.exe", "thumbnailextractionhost.exe", - "taskmgr.exe", "tapiunattend.exe", "tswbprxy.exe", "tstheme.exe", "tracert.exe", - "tcpsvcs.exe", "systemsettingsremovedevice.exe", "systemsettingsbroker.exe", "systemsettingsadminflows.exe", - "systempropertiesremote.exe", "systempropertiesprotection.exe", "systempropertiesperformance.exe", - "systempropertieshardware.exe", "systempropertiesdataexecutionprevention.exe", "systempropertiescomputername.exe", - "systempropertiesadvanced.exe", "sysreseterr.exe", "synchost.exe", "stikynot.exe", - "srtasks.exe", "sppextcomobj.exe", "spaceagent.exe", "soundrecorder.exe", "snippingtool.exe", - "sndvol.exe", "smartscreensettings.exe", "slidetoshutdown.exe", "settingsynchost.exe", - "setieinstalleddate.exe", "sensordataservice.exe", "secedit.exe", "searchprotocolhost.exe", - "searchindexer.exe", "searchfilterhost.exe", "sihclient.exe", "runtimebroker.exe", - "runlegacycplelevated.exe", "rpcping.exe", "rmclient.exe", "remoteposworker.exe", - "relpost.exe", "registeriepkeys.exe", "register-cimprovider.exe", "recoverydrive.exe", - "reagentc.exe", "rdpsauachelper.exe", "rdpsaproxy.exe", "rdpsa.exe", "route.exe", - "rmactivate_ssp_isv.exe", "rmactivate_ssp.exe", "rmactivate_isv.exe", "rmactivate.exe", - "rdspnf.exe", "proximityuxhost.exe", "printisolationhost.exe", "printdialoghost3d.exe", - "printdialoghost.exe", "printbrmui.exe", "presentationsettings.exe", "presentationhost.exe", - "pnputil.exe", "pnpunattend.exe", "pkgmgr.exe", "pickerhost.exe", "passwordonwakesettingflyout.exe", - "ping.exe", "pathping.exe", "optionalfeatures.exe", "openwith.exe", "networkuxbroker.exe", - "netplwiz.exe", "netproj.exe", "netevtfwdr.exe", "netcfgnotifyobjecthost.exe", "narrator.exe", - "netstat.exe", "napstat.exe", "musnotificationux.exe", "musnotification.exe", "multidigimon.exe", - "muiunattend.exe", "msspellcheckinghost.exe", "mpsigstub.exe", "migautoplay.exe", - "mdsched.exe", "mdres.exe", "mbaeparsertask.exe", "magnify.exe", "mschedexe.exe", - "mrt.exe", "mrinfo.exe", "mdmappinstaller.exe", "mdmagent.exe", "mdeserver.exe", - "lsaiso.exe", "logonui.exe", "lockscreencontentserver.exe", "lockapphost.exe", "locator.exe", - "locationnotifications.exe", "locationnotificationwindows.exe", "licensingui.exe", - "licensemanagershellext.exe", "legacynetuxhost.exe", "launchwinapp.exe", "launchtm.exe", - "languagecomponentsinstallercomhandler.exe", "installagent.exe", "infdefaultinstall.exe", - "icsentitlementhost.exe", "hostname.exe", "gettingstarted.exe", "genvalobj.exe", - "gamepanel.exe", "fondue.exe", "filehistory.exe", "fxsunatd.exe", "fxssvc.exe", - "fxscover.exe", "ehstorauthn.exe", "easeofaccessdialog.exe", "easpoliciesbrokerhost.exe", - "eap3host.exe", "eosnotify.exe", "edpcleanup.exe", "dxpserver.exe", "dsmusertask.exe", - "dpiscaling.exe", "dmomacpmo.exe", "dmnotificationbroker.exe", "displayswitch.exe", - "dism.exe", "disksnapshot.exe", "deviceproperties.exe", "devicepairingwizard.exe", - "deviceenroller.exe", "deviceeject.exe", "devicedisplayobjectprovider.exe", "defrag.exe", - "dataexchangehost.exe", "dwwin.exe", "dfdwiz.exe", "credentialuibroker.exe", "computerdefaults.exe", - "compattelrunner.exe", "compmgmtlauncher.exe", "cloudstoragewizard.exe", "cloudnotifications.exe", - "cloudexperiencehostbroker.exe", "clipup.exe", "checknetisolation.exe", "certenrollctrl.exe", - "castsrv.exe", "camerasettingsuihost.exe", "bytecodegenerator.exe", "bitlockerwizardelev.exe", - "bitlockerwizard.exe", "bitlockerdeviceencryption.exe", "bdeunlockwizard.exe", "bdeuisrv.exe", - "bdehdcfg.exe", "backgroundtransferhost.exe", "axinstui.exe", "autoworkplace.exe", - "authhost.exe", "atbroker.exe", "applicationframehost.exe", "adaptertroubleshooter.exe", - "arp.exe")) AND (NOT match(process_file_path, /(?i)\\windows\\syswow64/)=true) AND - (NOT match(process_file_path, /(?i)\\windows\\system32/)=true) - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "System Process Running from Unexpected Location has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Windows Defense Evasion Tactics", "Masquerading - Rename System Utilities"], - class_name = "Detection Report", - confidence = 80, - confidence_id = 3, - duration = 0, - impact = 70, - impact_id = 4, - kill_chain = [{"phase": "Exploitation", "phase_id": 4}], - nist = ["DE.AE"], - risk_level = "Medium", - category_uid = 2, - class_uid = 102001, - risk_level_id = 2, - risk_score = 56, - severity_id = 0, - rule = {"name": "System Process Running from Unexpected Location", "uid": "28179107-099a-464a-94d3-08301e6c055f", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: Collect endpoint data such as sysmon or 4688 events. -known_false_positives: None -references: [] -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 56 - security_domain: endpoint - risk_severity: medium - research_site_url: https://research.splunk.com/endpoint/28179107-099a-464a-94d3-08301e6c055f/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Windows Defense Evasion Tactics - - Masquerading - Rename System Utilities - cis20: - - CIS 10 - kill_chain_phases: - - Exploitation - mitre_attack_id: - - T1036 - nist: - - DE.AE -test: - name: System Process Running from Unexpected Location Unit Test - tests: - - name: System Process Running from Unexpected Location - attack_data: - - file_name: windows-security.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/system_process_running_unexpected_location/windows-security.log - source: WinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___wbadmin_delete_system_backups.yml b/dist/ssa/srs/ssa___wbadmin_delete_system_backups.yml deleted file mode 100644 index 39f7c83ccd..0000000000 --- a/dist/ssa/srs/ssa___wbadmin_delete_system_backups.yml +++ /dev/null @@ -1,113 +0,0 @@ -name: WBAdmin Delete System Backups -id: 71efbf52-4dbb-4c00-a520-306aa546cbb7 -version: 4 -status: production -detection_type: STREAMING -description: This search looks for flags passed to wbadmin.exe (Windows Backup Administrator - Tool) that delete backup files. This is typically used by ransomware to prevent - recovery. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where process_file_name="wbadmin.exe" - AND (process_cmd_line LIKE "%systemstatebackup%" OR process_cmd_line LIKE "%catalog%" - OR process_cmd_line LIKE "%delete%") - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "WBAdmin Delete System Backups has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Ryuk Ransomware", "Ransomware"], - class_name = "Detection Report", - confidence = 50, - confidence_id = 2, - duration = 0, - impact = 30, - impact_id = 2, - kill_chain = [{"phase": "Actions on Objectives", "phase_id": 7}], - nist = ["DE.AE"], - risk_level = "Info", - category_uid = 2, - class_uid = 102001, - risk_level_id = 0, - risk_score = 15, - severity_id = 0, - rule = {"name": "WBAdmin Delete System Backups", "uid": "71efbf52-4dbb-4c00-a520-306aa546cbb7", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint_Processess` datamodel. -known_false_positives: Administrators may modify the boot configuration. -references: -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md -- https://thedfirreport.com/2020/10/08/ryuks-return/ -- https://attack.mitre.org/techniques/T1490/ -- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 15 - security_domain: endpoint - risk_severity: low - research_site_url: https://research.splunk.com/endpoint/71efbf52-4dbb-4c00-a520-306aa546cbb7/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Ryuk Ransomware - - Ransomware - cis20: - - CIS 10 - kill_chain_phases: - - Actions on Objectives - mitre_attack_id: - - T1490 - nist: - - DE.CM -test: - name: WBAdmin Delete System Backups Unit Test - tests: - - name: WBAdmin Delete System Backups - attack_data: - - file_name: windows-security_bcdedit_wbadmin.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/atomic_red_team/windows-security_bcdedit_wbadmin.log - source: WinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___wevtutil_usage_to_clear_logs.yml b/dist/ssa/srs/ssa___wevtutil_usage_to_clear_logs.yml deleted file mode 100644 index 7bb981dabc..0000000000 --- a/dist/ssa/srs/ssa___wevtutil_usage_to_clear_logs.yml +++ /dev/null @@ -1,119 +0,0 @@ -name: WevtUtil Usage To Clear Logs -id: 5438113c-cdd9-11eb-93b8-acde48001122 -version: 5 -status: production -detection_type: STREAMING -description: The wevtutil.exe application is the windows event log utility. This searches - for wevtutil.exe with parameters for clearing the application, security, setup, - powershell, sysmon, or system event logs. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where (match(process_cmd_line, /(?i)powershell/)=true - OR match(process_cmd_line, /(?i)setup/)=true OR match(process_cmd_line, /(?i)application/)=true - OR match(process_cmd_line, /(?i)sysmon/)=true OR match(process_cmd_line, /(?i)system/)=true - OR match(process_cmd_line, /(?i)security/)=true) AND process_cmd_line LIKE "% cl - %" AND process_file_name="wevtutil.exe" - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "WevtUtil Usage To Clear Logs has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Windows Log Manipulation", "Ransomware", "Clop Ransomware", "Insider Threat", "CISA AA22-264A"], - class_name = "Detection Report", - confidence = 90, - confidence_id = 3, - duration = 0, - impact = 70, - impact_id = 4, - kill_chain = [{"phase": "Exploitation", "phase_id": 4}], - nist = ["DE.AE"], - risk_level = "High", - category_uid = 2, - class_uid = 102001, - risk_level_id = 3, - risk_score = 63, - severity_id = 0, - rule = {"name": "WevtUtil Usage To Clear Logs", "uid": "5438113c-cdd9-11eb-93b8-acde48001122", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: You must be ingesting data that records process activity from your - hosts to populate the Endpoint data model in the Processes node. You must also be - ingesting logs with both the process name and command line from your endpoints. - The command-line arguments are mapped to the "process" field in the Endpoint data - model. -known_false_positives: The wevtutil.exe application is a legitimate Windows event - log utility. Administrators may use it to manage Windows event logs. -references: -- https://www.splunk.com/en_us/blog/security/detecting-clop-ransomware.html -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 63 - security_domain: endpoint - risk_severity: medium - research_site_url: https://research.splunk.com/endpoint/5438113c-cdd9-11eb-93b8-acde48001122/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Windows Log Manipulation - - Ransomware - - Clop Ransomware - - Insider Threat - - CISA AA22-264A - cis20: - - CIS 10 - kill_chain_phases: - - Exploitation - mitre_attack_id: - - T1070 - - T1070.001 - nist: - - DE.CM -test: - name: WevtUtil Usage To Clear Logs Unit Test - tests: - - name: WevtUtil Usage To Clear Logs - attack_data: - - file_name: clear_evt.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.001/ssa_wevtutil/clear_evt.log - source: WinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___wevtutil_usage_to_disable_logs.yml b/dist/ssa/srs/ssa___wevtutil_usage_to_disable_logs.yml deleted file mode 100644 index 5a92b27542..0000000000 --- a/dist/ssa/srs/ssa___wevtutil_usage_to_disable_logs.yml +++ /dev/null @@ -1,115 +0,0 @@ -name: Wevtutil Usage To Disable Logs -id: a4bdc944-cdd9-11eb-ac97-acde48001122 -version: 5 -status: production -detection_type: STREAMING -description: This search is to detect execution of wevtutil.exe to disable logs. This - technique was seen in several ransomware to disable the event logs to evade alerts - and detections in compromised host. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where process_cmd_line LIKE "%/e:false%" - AND process_cmd_line LIKE "% sl %" AND process_file_name="wevtutil.exe" - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Wevtutil Usage To Disable Logs has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Windows Log Manipulation", "Ransomware", "Insider Threat", "Information Sabotage"], - class_name = "Detection Report", - confidence = 90, - confidence_id = 3, - duration = 0, - impact = 70, - impact_id = 4, - kill_chain = [{"phase": "Exploitation", "phase_id": 4}], - nist = ["DE.AE"], - risk_level = "High", - category_uid = 2, - class_uid = 102001, - risk_level_id = 3, - risk_score = 63, - severity_id = 0, - rule = {"name": "Wevtutil Usage To Disable Logs", "uid": "a4bdc944-cdd9-11eb-ac97-acde48001122", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: You must be ingesting data that records process activity from your - hosts to populate the Endpoint data model in the Processes node. You must also be - ingesting logs with both the process name and command line from your endpoints. - The command-line arguments are mapped to the "process" field in the Endpoint data - model. -known_false_positives: network operator may disable audit event logs for debugging - purposes. -references: -- https://www.bleepingcomputer.com/news/security/new-ransom-x-ransomware-used-in-texas-txdot-cyberattack/ -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 63 - security_domain: endpoint - risk_severity: medium - research_site_url: https://research.splunk.com/endpoint/a4bdc944-cdd9-11eb-ac97-acde48001122/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Windows Log Manipulation - - Ransomware - - Insider Threat - - Information Sabotage - cis20: - - CIS 10 - kill_chain_phases: - - Exploitation - mitre_attack_id: - - T1070 - - T1070.001 - nist: - - DE.CM -test: - name: Wevtutil Usage To Disable Logs Unit Test - tests: - - name: Wevtutil Usage To Disable Logs - attack_data: - - file_name: disable_evt.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.001/ssa_wevtutil/disable_evt.log - source: WinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_bits_job_persistence.yml b/dist/ssa/srs/ssa___windows_bits_job_persistence.yml deleted file mode 100644 index 346a1457c5..0000000000 --- a/dist/ssa/srs/ssa___windows_bits_job_persistence.yml +++ /dev/null @@ -1,124 +0,0 @@ -name: Windows Bits Job Persistence -id: 1e25e97a-8ea4-11ec-9767-acde48001122 -version: 4 -status: production -detection_type: STREAMING -description: The following query identifies Microsoft Background Intelligent Transfer - Service utility `bitsadmin.exe` scheduling a BITS job to persist on an endpoint. - The query identifies the parameters used to create, resume or add a file to a BITS - job. Typically seen combined in a oneliner or ran in sequence. If identified, review - the BITS job created and capture any files written to disk. It is possible for BITS - to be used to upload files and this may require further network data analysis to - identify. You can use `bitsadmin /list /verbose` to list out the jobs during investigation. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where (process_cmd_line LIKE "%resume%" - OR process_cmd_line LIKE "%setcustomheaders%" OR process_cmd_line LIKE "%setminretrydelay%" - OR process_cmd_line LIKE "%setnotifycmdline%" OR process_cmd_line LIKE "%setnotifyflags%" - OR process_cmd_line LIKE "%addfile%" OR process_cmd_line LIKE "%create%") AND process_file_name="bitsadmin.exe" - - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Windows Bits Job Persistence has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["BITS Jobs", "Living Off The Land"], - class_name = "Detection Report", - confidence = 80, - confidence_id = 3, - duration = 0, - impact = 70, - impact_id = 4, - kill_chain = [{"phase": "Exploitation", "phase_id": 4}, {"phase": "Installation", "phase_id": 5}], - nist = ["DE.AE"], - risk_level = "Medium", - category_uid = 2, - class_uid = 102001, - risk_level_id = 2, - risk_score = 56, - severity_id = 0, - rule = {"name": "Windows Bits Job Persistence", "uid": "1e25e97a-8ea4-11ec-9767-acde48001122", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. -known_false_positives: Limited false positives will be present. Typically, applications - will use `BitsAdmin.exe`. Any filtering should be done based on command-line arguments - (legitimate applications) or parent process. -references: -- https://attack.mitre.org/techniques/T1197/ -- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md#atomic-test-3---persist-download--execute -- https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/ -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 56 - security_domain: endpoint - risk_severity: medium - research_site_url: https://research.splunk.com/endpoint/1e25e97a-8ea4-11ec-9767-acde48001122/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - BITS Jobs - - Living Off The Land - cis20: - - CIS 10 - kill_chain_phases: - - Exploitation - - Installation - mitre_attack_id: - - T1197 - nist: - - DE.CM -test: - name: Windows Bits Job Persistence Unit Test - tests: - - name: Windows Bits Job Persistence - attack_data: - - file_name: bits-windows-security.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/bits-windows-security.log - source: WinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_bitsadmin_download_file.yml b/dist/ssa/srs/ssa___windows_bitsadmin_download_file.yml deleted file mode 100644 index 73260ec1b2..0000000000 --- a/dist/ssa/srs/ssa___windows_bitsadmin_download_file.yml +++ /dev/null @@ -1,129 +0,0 @@ -name: Windows Bitsadmin Download File -id: d76e8188-8f5a-11ec-ace4-acde48001122 -version: 4 -status: production -detection_type: STREAMING -description: The following query identifies Microsoft Background Intelligent Transfer - Service utility `bitsadmin.exe` using the `transfer` parameter to download a remote - object. In addition, look for `download` or `upload` on the command-line, the switches - are not required to perform a transfer. Capture any files downloaded. Review the - reputation of the IP or domain used. Typically once executed, a follow on command - will be used to execute the dropped file. Note that the network connection or file - modification events related will not spawn or create from `bitsadmin.exe`, but the - artifacts will appear in a parallel process of `svchost.exe` with a command-line - similar to `svchost.exe -k netsvcs -s BITS`. It's important to review all parallel - and child processes to capture any behaviors and artifacts. In some suspicious and - malicious instances, BITS jobs will be created. You can use `bitsadmin /list /verbose` - to list out the jobs during investigation. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where process_cmd_line LIKE "%transfer%" - AND process_file_name="bitsadmin.exe" - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Windows Bitsadmin Download File has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Ingress Tool Transfer", "BITS Jobs", "DarkSide Ransomware", "Living Off The Land"], - class_name = "Detection Report", - confidence = 70, - confidence_id = 3, - duration = 0, - impact = 70, - impact_id = 4, - kill_chain = [{"phase": "Exploitation", "phase_id": 4}, {"phase": "Installation", "phase_id": 5}, {"phase": "Command and Control", "phase_id": 6}], - nist = ["DE.AE"], - risk_level = "Medium", - category_uid = 2, - class_uid = 102001, - risk_level_id = 2, - risk_score = 49, - severity_id = 0, - rule = {"name": "Windows Bitsadmin Download File", "uid": "d76e8188-8f5a-11ec-ace4-acde48001122", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. -known_false_positives: Limited false positives, however it may be required to filter - based on parent process name or network connection. -references: -- https://github.com/redcanaryco/atomic-red-team/blob/8eb52117b748d378325f7719554a896e37bccec7/atomics/T1105/T1105.md#atomic-test-9---windows---bitsadmin-bits-download -- https://github.com/redcanaryco/atomic-red-team/blob/bc705cb7aaa5f26f2d96585fac8e4c7052df0ff9/atomics/T1197/T1197.md -- https://docs.microsoft.com/en-us/windows/win32/bits/bitsadmin-tool -- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 49 - security_domain: endpoint - risk_severity: low - research_site_url: https://research.splunk.com/endpoint/d76e8188-8f5a-11ec-ace4-acde48001122/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Ingress Tool Transfer - - BITS Jobs - - DarkSide Ransomware - - Living Off The Land - cis20: - - CIS 10 - kill_chain_phases: - - Exploitation - - Installation - - Command and Control - mitre_attack_id: - - T1197 - - T1105 - nist: - - DE.CM -test: - name: Windows Bitsadmin Download File Unit Test - tests: - - name: Windows Bitsadmin Download File - attack_data: - - file_name: bits-windows-security.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/bits-windows-security.log - source: WinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_certutil_decode_file.yml b/dist/ssa/srs/ssa___windows_certutil_decode_file.yml deleted file mode 100644 index f4724926c5..0000000000 --- a/dist/ssa/srs/ssa___windows_certutil_decode_file.yml +++ /dev/null @@ -1,122 +0,0 @@ -name: Windows CertUtil Decode File -id: b06983f4-8f72-11ec-ab50-acde48001122 -version: 4 -status: production -detection_type: STREAMING -description: CertUtil.exe may be used to `encode` and `decode` a file, including PE - and script code. Encoding will convert a file to base64 with `-----BEGIN CERTIFICATE-----` - and `-----END CERTIFICATE-----` tags. Malicious usage will include decoding a encoded - file that was downloaded. Once decoded, it will be loaded by a parallel process. - Note that there are two additional command switches that may be used - `encodehex` - and `decodehex`. Similarly, the file will be encoded in HEX and later decoded for - further execution. During triage, identify the source of the file being decoded. - Review its contents or execution behavior for further analysis. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where process_cmd_line LIKE "%decode%" - AND process_file_name="certutil.exe" - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Windows CertUtil Decode File has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Deobfuscate-Decode Files or Information", "Living Off The Land", "Forest Blizzard"], - class_name = "Detection Report", - confidence = 80, - confidence_id = 3, - duration = 0, - impact = 50, - impact_id = 3, - kill_chain = [{"phase": "Exploitation", "phase_id": 4}], - nist = ["DE.AE"], - risk_level = "Medium", - category_uid = 2, - class_uid = 102001, - risk_level_id = 2, - risk_score = 40, - severity_id = 0, - rule = {"name": "Windows CertUtil Decode File", "uid": "b06983f4-8f72-11ec-ab50-acde48001122", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. -known_false_positives: Typically seen used to `encode` files, but it is possible to - see legitimate use of `decode`. Filter based on parent-child relationship, file - paths, endpoint or user. -references: -- https://attack.mitre.org/techniques/T1140/ -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md -- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil -- https://www.bleepingcomputer.com/news/security/certutilexe-could-allow-attackers-to-download-malware-while-bypassing-av/ -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 40 - security_domain: endpoint - risk_severity: low - research_site_url: https://research.splunk.com/endpoint/b06983f4-8f72-11ec-ab50-acde48001122/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Deobfuscate-Decode Files or Information - - Living Off The Land - - Forest Blizzard - cis20: - - CIS 10 - kill_chain_phases: - - Exploitation - mitre_attack_id: - - T1140 - nist: - - DE.CM -test: - name: Windows CertUtil Decode File Unit Test - tests: - - name: Windows CertUtil Decode File - attack_data: - - file_name: encode-windows-security.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1140/atomic_red_team/encode-windows-security.log - source: WinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_certutil_urlcache_download.yml b/dist/ssa/srs/ssa___windows_certutil_urlcache_download.yml deleted file mode 100644 index 2499d03af1..0000000000 --- a/dist/ssa/srs/ssa___windows_certutil_urlcache_download.yml +++ /dev/null @@ -1,120 +0,0 @@ -name: Windows CertUtil URLCache Download -id: 8cb1ad38-8f6d-11ec-87a3-acde48001122 -version: 4 -status: production -detection_type: STREAMING -description: 'Certutil.exe may download a file from a remote destination using `-urlcache`. - This behavior does require a URL to be passed on the command-line. In addition, - `-f` (force) and `-split` (Split embedded ASN.1 elements, and save to files) will - be used. It is not entirely common for `certutil.exe` to contact public IP space. - However, it is uncommon for `certutil.exe` to write files to world writeable paths. - - During triage, capture any files on disk and review. Review the reputation of the - remote IP or domain in question.' -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where (process_file_name="certutil.exe" - AND process_cmd_line LIKE "%split%" AND process_cmd_line LIKE "%urlcache%") OR process_cmd_line - LIKE "%urlcache%" - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Windows CertUtil URLCache Download has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Ingress Tool Transfer", "DarkSide Ransomware", "Living Off The Land", "Forest Blizzard"], - class_name = "Detection Report", - confidence = 100, - confidence_id = 3, - duration = 0, - impact = 90, - impact_id = 5, - kill_chain = [{"phase": "Command and Control", "phase_id": 6}], - nist = ["DE.AE"], - risk_level = "Critical", - category_uid = 2, - class_uid = 102001, - risk_level_id = 4, - risk_score = 90, - severity_id = 0, - rule = {"name": "Windows CertUtil URLCache Download", "uid": "8cb1ad38-8f6d-11ec-87a3-acde48001122", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. -known_false_positives: Limited false positives in most environments, however tune - as needed based on parent-child relationship or network connection. -references: -- https://attack.mitre.org/techniques/T1105/ -- https://www.avira.com/en/blog/certutil-abused-by-attackers-to-spread-threats -- https://web.archive.org/web/20210921110637/https://www.fireeye.com/blog/threat-research/2019/10/certutil-qualms-they-came-to-drop-fombs.html -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 90 - security_domain: endpoint - risk_severity: high - research_site_url: https://research.splunk.com/endpoint/8cb1ad38-8f6d-11ec-87a3-acde48001122/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Ingress Tool Transfer - - DarkSide Ransomware - - Living Off The Land - - Forest Blizzard - cis20: - - CIS 10 - kill_chain_phases: - - Command and Control - mitre_attack_id: - - T1105 - nist: - - DE.CM -test: - name: Windows CertUtil URLCache Download Unit Test - tests: - - name: Windows CertUtil URLCache Download - attack_data: - - file_name: T1105-windows-security.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/T1105-windows-security.log - source: WinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_certutil_verifyctl_download.yml b/dist/ssa/srs/ssa___windows_certutil_verifyctl_download.yml deleted file mode 100644 index 879515f892..0000000000 --- a/dist/ssa/srs/ssa___windows_certutil_verifyctl_download.yml +++ /dev/null @@ -1,119 +0,0 @@ -name: Windows CertUtil VerifyCtl Download -id: 9ac29c40-8f6b-11ec-b19a-acde48001122 -version: 4 -status: production -detection_type: STREAMING -description: 'Certutil.exe may download a file from a remote destination using `-VerifyCtl`. - This behavior does require a URL to be passed on the command-line. In addition, - `-f` (force) and `-split` (Split embedded ASN.1 elements, and save to files) will - be used. It is not entirely common for `certutil.exe` to contact public IP space. - \ During triage, capture any files on disk and review. Review the reputation of - the remote IP or domain in question. Using `-VerifyCtl`, the file will either be - written to the current working directory or `%APPDATA%\..\LocalLow\Microsoft\CryptnetUrlCache\Content\`. ' -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where (process_file_name="certutil.exe" - AND process_cmd_line LIKE "%split%" AND process_cmd_line LIKE "%verifyctl%") OR - process_cmd_line LIKE "%verifyctl%" - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Windows CertUtil VerifyCtl Download has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Ingress Tool Transfer", "DarkSide Ransomware", "Living Off The Land"], - class_name = "Detection Report", - confidence = 100, - confidence_id = 3, - duration = 0, - impact = 90, - impact_id = 5, - kill_chain = [{"phase": "Command and Control", "phase_id": 6}], - nist = ["DE.AE"], - risk_level = "Critical", - category_uid = 2, - class_uid = 102001, - risk_level_id = 4, - risk_score = 90, - severity_id = 0, - rule = {"name": "Windows CertUtil VerifyCtl Download", "uid": "9ac29c40-8f6b-11ec-b19a-acde48001122", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. -known_false_positives: Limited false positives in most environments, however tune - as needed based on parent-child relationship or network connection. -references: -- https://attack.mitre.org/techniques/T1105/ -- https://www.hexacorn.com/blog/2020/08/23/certutil-one-more-gui-lolbin/ -- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)#-verifyctl -- https://www.avira.com/en/blog/certutil-abused-by-attackers-to-spread-threats -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 90 - security_domain: endpoint - risk_severity: high - research_site_url: https://research.splunk.com/endpoint/9ac29c40-8f6b-11ec-b19a-acde48001122/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Ingress Tool Transfer - - DarkSide Ransomware - - Living Off The Land - cis20: - - CIS 10 - kill_chain_phases: - - Command and Control - mitre_attack_id: - - T1105 - nist: - - DE.CM -test: - name: Windows CertUtil VerifyCtl Download Unit Test - tests: - - name: Windows CertUtil VerifyCtl Download - attack_data: - - file_name: T1105-windows-security.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/T1105-windows-security.log - source: WinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_com_hijacking_inprocserver32_modification.yml b/dist/ssa/srs/ssa___windows_com_hijacking_inprocserver32_modification.yml deleted file mode 100644 index ed63997d0e..0000000000 --- a/dist/ssa/srs/ssa___windows_com_hijacking_inprocserver32_modification.yml +++ /dev/null @@ -1,118 +0,0 @@ -name: Windows COM Hijacking InprocServer32 Modification -id: 0ae05a0f-bc84-456b-822a-a5b9c081c7ca -version: 4 -status: production -detection_type: STREAMING -description: The following analytic identifies the use of reg.exe performing an add - to the InProcServer32, which may be related to COM hijacking. Adversaries can use - the COM system to insert malicious code that can be executed in place of legitimate - software through hijacking the COM references and relationships as a means for persistence. - Hijacking a COM object requires a change in the Registry to replace a reference - to a legitimate system component which may cause that component to not work when - executed. When that system component is executed through normal system operation - the adversary's code will be executed instead. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where match(process_cmd_line, /(?i)inprocserver32/)=true - AND process_file_name="reg.exe" - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Windows COM Hijacking InprocServer32 Modification has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Living Off The Land"], - class_name = "Detection Report", - confidence = 80, - confidence_id = 3, - duration = 0, - impact = 80, - impact_id = 5, - kill_chain = [{"phase": "Installation", "phase_id": 5}, {"phase": "Exploitation", "phase_id": 4}], - nist = ["DE.AE"], - risk_level = "High", - category_uid = 2, - class_uid = 102001, - risk_level_id = 3, - risk_score = 64, - severity_id = 0, - rule = {"name": "Windows COM Hijacking InprocServer32 Modification", "uid": "0ae05a0f-bc84-456b-822a-a5b9c081c7ca", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. -known_false_positives: False positives may be present and some filtering may be required. -references: -- https://attack.mitre.org/techniques/T1546/015/ -- https://blog.cluster25.duskrise.com/2022/09/23/in-the-footsteps-of-the-fancy-bear-powerpoint-graphite/ -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 64 - security_domain: endpoint - risk_severity: medium - research_site_url: https://research.splunk.com/endpoint/0ae05a0f-bc84-456b-822a-a5b9c081c7ca/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Living Off The Land - cis20: - - CIS 10 - kill_chain_phases: - - Installation - - Exploitation - mitre_attack_id: - - T1546.015 - - T1546 - nist: - - DE.CM -test: - name: Windows COM Hijacking InprocServer32 Modification Unit Test - tests: - - name: Windows COM Hijacking InprocServer32 Modification - attack_data: - - file_name: windows-security.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.015/atomic_red_team/windows-security.log - source: XmlWinEventLog -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_curl_upload_to_remote_destination.yml b/dist/ssa/srs/ssa___windows_curl_upload_to_remote_destination.yml deleted file mode 100644 index 29895cd600..0000000000 --- a/dist/ssa/srs/ssa___windows_curl_upload_to_remote_destination.yml +++ /dev/null @@ -1,126 +0,0 @@ -name: Windows Curl Upload to Remote Destination -id: cc8d046a-543b-11ec-b864-acde48001122 -version: 4 -status: production -detection_type: STREAMING -description: 'The following analytic identifies the use of Windows Curl.exe uploading - a file to a remote destination. - - `-T` or `--upload-file` is used when a file is to be uploaded to a remotge destination. - - `-d` or `--data` POST is the HTTP method that was invented to send data to a receiving - web application, and it is, for example, how most common HTML forms on the web work. - - HTTP multipart formposts are done with `-F`, but this appears to not be compatible - with the Windows version of Curl. Will update if identified adversary tradecraft. - - Adversaries may use one of the three methods based on the remote destination and - what they are attempting to upload (zip vs txt). During triage, review parallel - processes for further behavior. In addition, identify if the upload was successful - in network logs. If a file was uploaded, isolate the endpoint and review.' -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where (process_cmd_line LIKE "%-f %" - OR process_cmd_line LIKE "%--data %" OR process_cmd_line LIKE "%-d %" OR process_cmd_line - LIKE "%--upload-file %" OR process_cmd_line LIKE "%-t %") AND match(process_file_name, - /(?i)curl.exe/)=true - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Windows Curl Upload to Remote Destination has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Ingress Tool Transfer", "Insider Threat"], - class_name = "Detection Report", - confidence = 100, - confidence_id = 3, - duration = 0, - impact = 80, - impact_id = 5, - kill_chain = [{"phase": "Command and Control", "phase_id": 6}], - nist = ["DE.AE"], - risk_level = "Critical", - category_uid = 2, - class_uid = 102001, - risk_level_id = 4, - risk_score = 80, - severity_id = 0, - rule = {"name": "Windows Curl Upload to Remote Destination", "uid": "cc8d046a-543b-11ec-b864-acde48001122", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint_Processess` datamodel. -known_false_positives: False positives may be limited to source control applications - and may be required to be filtered out. -references: -- https://everything.curl.dev/usingcurl/uploads -- https://techcommunity.microsoft.com/t5/containers/tar-and-curl-come-to-windows/ba-p/382409 -- https://twitter.com/d1r4c/status/1279042657508081664?s=20 -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 80 - security_domain: endpoint - risk_severity: high - research_site_url: https://research.splunk.com/endpoint/cc8d046a-543b-11ec-b864-acde48001122/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Ingress Tool Transfer - - Insider Threat - cis20: - - CIS 10 - kill_chain_phases: - - Command and Control - mitre_attack_id: - - T1105 - nist: - - DE.CM -test: - name: Windows Curl Upload to Remote Destination Unit Test - tests: - - name: Windows Curl Upload to Remote Destination - attack_data: - - file_name: windows-security.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/windows-security.log - source: WinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_default_group_policy_object_modified_with_gpme.yml b/dist/ssa/srs/ssa___windows_default_group_policy_object_modified_with_gpme.yml deleted file mode 100644 index 8b8ceb8924..0000000000 --- a/dist/ssa/srs/ssa___windows_default_group_policy_object_modified_with_gpme.yml +++ /dev/null @@ -1,123 +0,0 @@ -name: Windows Default Group Policy Object Modified with GPME -id: bcb55c13-067b-4648-98f3-627010f72520 -version: 5 -status: production -detection_type: STREAMING -description: The following analytic identifies the potential edition of a default - Group Policy Object. A fresh installation of an Active Directory network will typically - contain two default group policy objects `Default Domain Controllers Policy` and - `Default Domain Policy`. The default domain controllers policy is used to enforce - and set policies to all the domain controllers within the domain environment. The - default domain policy is linked to all users and computers by default. An adversary - who has obtained privileged access to an Active Directory network may modify the - default group policy objects to obtain further access, deploy persistence or execute - malware across a large number of hosts. Security teams should monitor the edition - of the default GPOs. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where (process_file_name="mmc.exe" AND - process_cmd_line LIKE "%gpme.msc%") OR process_cmd_line LIKE "%31b2f340-016d-11d2-945f-00c04fb984f9%" - OR process_cmd_line LIKE "%6ac1786c-016f-11d2-945f-00c04fb984f9%" - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Windows Default Group Policy Object Modified with GPME has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Active Directory Privilege Escalation"], - class_name = "Detection Report", - confidence = 50, - confidence_id = 2, - duration = 0, - impact = 100, - impact_id = 5, - kill_chain = [{"phase": "Exploitation", "phase_id": 4}], - nist = ["DE.AE"], - risk_level = "Medium", - category_uid = 2, - class_uid = 102001, - risk_level_id = 2, - risk_score = 50, - severity_id = 0, - rule = {"name": "Windows Default Group Policy Object Modified with GPME", "uid": "bcb55c13-067b-4648-98f3-627010f72520", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. -known_false_positives: The default Group Policy Objects within an AD network may be - legitimately updated for administrative operations, filter as needed. -references: -- https://attack.mitre.org/techniques/T1484/ -- https://attack.mitre.org/techniques/T1484/001 -- https://www.trustedsec.com/blog/weaponizing-group-policy-objects-access/ -- https://adsecurity.org/?p=2716 -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn265969(v=ws.11) -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 50 - security_domain: endpoint - risk_severity: medium - research_site_url: https://research.splunk.com/endpoint/bcb55c13-067b-4648-98f3-627010f72520/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Active Directory Privilege Escalation - cis20: - - CIS 10 - kill_chain_phases: - - Exploitation - mitre_attack_id: - - T1484 - - T1484.001 - nist: - - DE.CM -test: - name: Windows Default Group Policy Object Modified with GPME Unit Test - tests: - - name: Windows Default Group Policy Object Modified with GPME - attack_data: - - file_name: security-4688.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/default_domain_policy_modified/security-4688.log - source: XmlWinEventLog -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_defender_tools_in_non_standard_path.yml b/dist/ssa/srs/ssa___windows_defender_tools_in_non_standard_path.yml deleted file mode 100644 index f85d29968b..0000000000 --- a/dist/ssa/srs/ssa___windows_defender_tools_in_non_standard_path.yml +++ /dev/null @@ -1,108 +0,0 @@ -name: Windows Defender Tools in Non Standard Path -id: c205bd2e-cd5b-4224-8510-578a2a1f83d7 -version: 4 -status: production -detection_type: STREAMING -description: The following analytic identifies usage of the MPCmdRun utility that - can be abused by adversaries by moving it to a new directory. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where match(process_file_name, /(?i)mpcmdrun.exe/)=true - AND (NOT match(process_file_path, /(?i)\\windows defender/)=true) AND (NOT match(process_file_path, - /(?i)\\microsoft\\windows defender\\platform/)=true) - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Windows Defender Tools in Non Standard Path has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Living Off The Land"], - class_name = "Detection Report", - confidence = 80, - confidence_id = 3, - duration = 0, - impact = 70, - impact_id = 4, - kill_chain = [{"phase": "Exploitation", "phase_id": 4}], - nist = ["DE.AE"], - risk_level = "Medium", - category_uid = 2, - class_uid = 102001, - risk_level_id = 2, - risk_score = 56, - severity_id = 0, - rule = {"name": "Windows Defender Tools in Non Standard Path", "uid": "c205bd2e-cd5b-4224-8510-578a2a1f83d7", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: Collect endpoint data such as sysmon or 4688 events. -known_false_positives: False positives may be present and filtering may be required. -references: -- https://attack.mitre.org/techniques/T1036/003/ -- https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/ -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 56 - security_domain: endpoint - risk_severity: medium - research_site_url: https://research.splunk.com/endpoint/c205bd2e-cd5b-4224-8510-578a2a1f83d7/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Living Off The Land - cis20: - - CIS 10 - kill_chain_phases: - - Exploitation - mitre_attack_id: - - T1036 - - T1036.003 - nist: - - DE.AE -test: - name: Windows Defender Tools in Non Standard Path Unit Test - tests: - - name: Windows Defender Tools in Non Standard Path - attack_data: - - file_name: windows-security.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.003/mpcmdrun/windows-security.log - source: XmlWinEventLog -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_diskshadow_proxy_execution.yml b/dist/ssa/srs/ssa___windows_diskshadow_proxy_execution.yml deleted file mode 100644 index 7cb9509ab0..0000000000 --- a/dist/ssa/srs/ssa___windows_diskshadow_proxy_execution.yml +++ /dev/null @@ -1,112 +0,0 @@ -name: Windows Diskshadow Proxy Execution -id: aa502688-9037-11ec-842d-acde48001122 -version: 4 -status: production -detection_type: STREAMING -description: DiskShadow.exe is a Microsoft Signed binary present on Windows Server. - It has a scripting mode intended for complex scripted backup operations. This feature - also allows for execution of arbitrary unsigned code. This analytic looks for the - usage of the scripting mode flags in executions of DiskShadow. During triage, compare - to known backup behavior in your environment and then review the scripts called - by diskshadow. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where (process_cmd_line LIKE "%/s%" OR - process_cmd_line LIKE "%-s%") AND process_file_name="diskshadow.exe" - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Windows Diskshadow Proxy Execution has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Living Off The Land"], - class_name = "Detection Report", - confidence = 70, - confidence_id = 3, - duration = 0, - impact = 70, - impact_id = 4, - kill_chain = [{"phase": "Exploitation", "phase_id": 4}], - nist = ["DE.AE"], - risk_level = "Medium", - category_uid = 2, - class_uid = 102001, - risk_level_id = 2, - risk_score = 49, - severity_id = 0, - rule = {"name": "Windows Diskshadow Proxy Execution", "uid": "aa502688-9037-11ec-842d-acde48001122", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this search you need to be ingesting information - on processes that include the name of the process responsible for the changes from - your endpoints into the `Endpoint_Processess` datamodel. -known_false_positives: Administrators using the DiskShadow tool in their infrastructure - as a main backup tool with scripts will cause false positives -references: -- https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/ -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 49 - security_domain: endpoint - risk_severity: low - research_site_url: https://research.splunk.com/endpoint/aa502688-9037-11ec-842d-acde48001122/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Living Off The Land - cis20: - - CIS 10 - kill_chain_phases: - - Exploitation - mitre_attack_id: - - T1218 - nist: - - DE.AE -test: - name: Windows Diskshadow Proxy Execution Unit Test - tests: - - name: Windows Diskshadow Proxy Execution - attack_data: - - file_name: windows-security.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218/diskshadow/windows-security.log - source: WinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_dotnet_binary_in_non_standard_path.yml b/dist/ssa/srs/ssa___windows_dotnet_binary_in_non_standard_path.yml deleted file mode 100644 index 717d8bd1ee..0000000000 --- a/dist/ssa/srs/ssa___windows_dotnet_binary_in_non_standard_path.yml +++ /dev/null @@ -1,151 +0,0 @@ -name: Windows DotNet Binary in Non Standard Path -id: 21179107-099a-324a-94d3-08301e6c065f -version: 4 -status: production -detection_type: STREAMING -description: The following analytic identifies native .net binaries within the Windows - operating system that may be abused by adversaries by moving it to a new directory. - The analytic identifies the .net binary by using a list. If one or the other matches - an alert will be generated. Adversaries abuse these binaries as they are native - to Windows and native DotNet. Note that not all SDK (post install of Windows) are - captured in the list. Lookup - https://github.com/splunk/security_content/blob/develop/lookups/is_net_windows_file.csv. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where (match(process_file_name, /(?i)MSBuild.exe/)=true - OR match(process_file_name, /(?i)comsvcconfig.exe/)=true OR match(process_file_name, - /(?i)dfsradmin.exe/)=true OR match(process_file_name, /(?i)dfsvc.exe/)=true OR match(process_file_name, - /(?i)microsoft.workflow.compiler.exe/)=true OR match(process_file_name, /(?i)smsvchost.exe/)=true - OR match(process_file_name, /(?i)wsatconfig.exe/)=true OR match(process_file_name, - /(?i)addinprocess.exe/)=true OR match(process_file_name, /(?i)addinprocess32.exe/)=true - OR match(process_file_name, /(?i)addinutil.exe/)=true OR match(process_file_name, - /(?i)aspnet_compiler.exe/)=true OR match(process_file_name, /(?i)aspnet_regbrowsers.exe/)=true - OR match(process_file_name, /(?i)aspnet_regsql.exe/)=true OR match(process_file_name, - /(?i)caspol.exe/)=true OR match(process_file_name, /(?i)datasvcutil.exe/)=true OR - match(process_file_name, /(?i)edmgen.exe/)=true OR match(process_file_name, /(?i)installutil.exe/)=true - OR match(process_file_name, /(?i)jsc.exe/)=true OR match(process_file_name, /(?i)ngentask.exe/)=true - OR match(process_file_name, /(?i)regasm.exe/)=true OR match(process_file_name, /(?i)regsvcs.exe/)=true - OR match(process_file_name, /(?i)sdnbr.exe/)=true OR match(process_file_name, /(?i)acu.exe/)=true - OR match(process_file_name, /(?i)appvstreamingux.exe/)=true OR match(process_file_name, - /(?i)dsac.exe/)=true OR match(process_file_name, /(?i)lbfoadmin.exe/)=true OR match(process_file_name, - /(?i)microsoft.uev.synccontroller.exe/)=true OR match(process_file_name, /(?i)mtedit.exe/)=true - OR match(process_file_name, /(?i)scriptrunner.exe/)=true OR match(process_file_name, - /(?i)servermanager.exe/)=true OR match(process_file_name, /(?i)stordiag.exe/)=true - OR match(process_file_name, /(?i)tzsync.exe/)=true OR match(process_file_name, /(?i)uevagentpolicygenerator.exe/)=true - OR match(process_file_name, /(?i)uevappmonitor.exe/)=true OR match(process_file_name, - /(?i)uevtemplatebaselinegenerator.exe/)=true OR match(process_file_name, /(?i)uevtemplateconfigitemgenerator.exe/)=true - OR match(process_file_name, /(?i)powershell_ise.exe/)=true OR match(process_file_name, - /(?i)iediagcmd.exe/)=true OR match(process_file_name, /(?i)xbox.tcui.exe/)=true - OR match(process_file_name, /(?i)microsoft.activedirectory.webservices.exe/)=true - OR match(process_file_name, /(?i)iisual.exe/)=true OR match(process_file_name, /(?i)filehistory.exe/)=true - OR match(process_file_name, /(?i)secureassessmentbrowser.exe/)=true) AND (NOT (match(process_file_path, - /(?i)\\windows\\system32/)=true OR match(process_file_path, /(?i)\\windows\\syswow64/)=true - OR match(process_file_path, /(?i)\\windows\\adws/)=true OR match(process_file_path, - /(?i)\\windows\\networkcontroller/)=true OR match(process_file_path, /(?i)\\windows\\systemapps/)=true - OR match(process_file_path, /(?i)\\winsxs/)=true OR match(process_file_path, /(?i)\\microsoft.net/)=true)) - - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Windows DotNet Binary in Non Standard Path has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Masquerading - Rename System Utilities", "Unusual Processes", "Ransomware", "Signed Binary Proxy Execution InstallUtil", "WhisperGate"], - class_name = "Detection Report", - confidence = 70, - confidence_id = 3, - duration = 0, - impact = 70, - impact_id = 4, - kill_chain = [{"phase": "Exploitation", "phase_id": 4}], - nist = ["DE.AE"], - risk_level = "Medium", - category_uid = 2, - class_uid = 102001, - risk_level_id = 2, - risk_score = 49, - severity_id = 0, - rule = {"name": "Windows DotNet Binary in Non Standard Path", "uid": "21179107-099a-324a-94d3-08301e6c065f", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: Collect endpoint data such as sysmon or 4688 events. -known_false_positives: False positives may be present and filtering may be required. - Certain utilities will run from non-standard paths based on the third-party application - in use. -references: -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.yaml -- https://attack.mitre.org/techniques/T1036/003/ -- https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 49 - security_domain: endpoint - risk_severity: low - research_site_url: https://research.splunk.com/endpoint/21179107-099a-324a-94d3-08301e6c065f/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Masquerading - Rename System Utilities - - Unusual Processes - - Ransomware - - Signed Binary Proxy Execution InstallUtil - - WhisperGate - cis20: - - CIS 10 - kill_chain_phases: - - Exploitation - mitre_attack_id: - - T1036 - - T1036.003 - - T1218 - - T1218.004 - nist: - - DE.AE -test: - name: Windows DotNet Binary in Non Standard Path Unit Test - tests: - - name: Windows DotNet Binary in Non Standard Path - attack_data: - - file_name: dotnet_lolbin-windows-security.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/system_process_running_unexpected_location/dotnet_lolbin-windows-security.log - source: WinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_exchange_powershell_module_usage.yml b/dist/ssa/srs/ssa___windows_exchange_powershell_module_usage.yml deleted file mode 100644 index e9e2f456ca..0000000000 --- a/dist/ssa/srs/ssa___windows_exchange_powershell_module_usage.yml +++ /dev/null @@ -1,124 +0,0 @@ -name: Windows Exchange PowerShell Module Usage -id: 1118bc65-b0c7-4589-bc2f-ad6802fd0909 -version: 4 -status: production -detection_type: STREAMING -description: 'The following analytic identifies the usage of Exchange PowerShell modules - that were recently used for a proof of concept related to ProxyShell. Currently, - there is no active data shared or data we could re-produce relate to this part of - the ProxyShell chain of exploits. - - Inherently, the usage of the modules is not malicious, but reviewing parallel processes, - and user, of the session will assist with determining the intent. - - Module - New-MailboxExportRequest will begin the process of exporting contents of - a primary mailbox or archive to a .pst file. - - Module - New-managementroleassignment can assign a management role to a management - role group, management role assignment policy, user, or universal security group - (USG). - - Module - New-MailboxSearch cmdlet to create a mailbox search and either get an estimate - of search results, place search results on In-Place Hold or copy them to a Discovery - mailbox. You can also place all contents in a mailbox on hold by not specifying - a search query, which accomplishes similar results as Litigation Hold. \ Module - - Get-Recipient cmdlet to view existing recipient objects in your organization. - This cmdlet returns all mail-enabled objects (for example, mailboxes, mail users, - mail contacts, and distribution groups).' -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval device_hostname = device.hostname | eval process_file = process.file | eval - process_file_path = process_file.path | eval process_uid = process.uid | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_uid = actor_user.uid - | where match(process_cmd_line, /(?i)get-recipient/)=true OR match(process_cmd_line, - /(?i)new-mailboxsearch/)=true OR match(process_cmd_line, /(?i)new-managementroleassignment/)=true - OR match(process_cmd_line, /(?i)new-mailboxexportrequest/)=true - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"device.hostname": device_hostname, "process.file.path": process_file_path, "process.uid": process_uid, "process.cmd_line": process_cmd_line, "actor.user.uid": actor_user_uid, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Windows Exchange PowerShell Module Usage has been triggered on " + device_hostname + " by " + "Unknown" + ".", - users = [{"name": "Unknown", "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["ProxyShell", "CISA AA22-264A"], - class_name = "Detection Report", - confidence = 80, - confidence_id = 3, - duration = 0, - impact = 40, - impact_id = 3, - kill_chain = [{"phase": "Installation", "phase_id": 5}], - nist = ["DE.AE"], - risk_level = "Low", - category_uid = 2, - class_uid = 102001, - risk_level_id = 1, - risk_score = 32, - severity_id = 0, - rule = {"name": "Windows Exchange PowerShell Module Usage", "uid": "1118bc65-b0c7-4589-bc2f-ad6802fd0909", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this analytic, you will need to enable - PowerShell Script Block Logging on some or all endpoints. Additional setup here - https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. - This will only work with Multiline event logs, not XML. -known_false_positives: Administrators or power users may use this PowerShell commandlet -references: -- https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps -- https://docs.microsoft.com/en-us/powershell/module/exchange/new-managementroleassignment?view=exchange-ps -- https://blog.orange.tw/2021/08/proxyshell-a-new-attack-surface-on-ms-exchange-part-3.html -- https://www.zerodayinitiative.com/blog/2021/8/17/from-pwn2own-2021-a-new-attack-surface-on-microsoft-exchange-proxyshell -- https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/ -- https://www.cisa.gov/uscert/ncas/alerts/aa22-264a -- https://learn.microsoft.com/en-us/powershell/module/exchange/new-mailboxsearch?view=exchange-ps -- https://learn.microsoft.com/en-us/powershell/module/exchange/get-recipient?view=exchange-ps -- https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/ -tags: - required_fields: - - device.hostname - - process.file.path - - process.uid - - process.cmd_line - - actor.user.uid - risk_score: 32 - security_domain: endpoint - risk_severity: low - research_site_url: https://research.splunk.com/endpoint/1118bc65-b0c7-4589-bc2f-ad6802fd0909/ - event_schema: ocsf - mappings: - - ocsf: device.hostname - cim: dest - - ocsf: process.file.path - cim: process_path - - ocsf: process.uid - cim: process_id - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.uid - cim: user_id - annotations: - analytic_story: - - ProxyShell - - CISA AA22-264A - cis20: - - CIS 10 - kill_chain_phases: - - Installation - mitre_attack_id: - - T1059 - - T1059.001 - nist: - - DE.CM -test: - name: Windows Exchange PowerShell Module Usage Unit Test - tests: - - name: Windows Exchange PowerShell Module Usage - attack_data: - - file_name: windows-powershell.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/exchange/windows-powershell.log - source: XmlWinEventLog -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_execute_arbitrary_commands_with_msdt.yml b/dist/ssa/srs/ssa___windows_execute_arbitrary_commands_with_msdt.yml deleted file mode 100644 index fcacc88bda..0000000000 --- a/dist/ssa/srs/ssa___windows_execute_arbitrary_commands_with_msdt.yml +++ /dev/null @@ -1,121 +0,0 @@ -name: Windows Execute Arbitrary Commands with MSDT -id: f253f9c2-10f0-4cc8-b469-f505ba8c2038 -version: 4 -status: production -detection_type: STREAMING -description: The following analytic identifies a recently disclosed arbitraty command - execution using Windows msdt.exe - a Diagnostics Troubleshooting Wizard. The sample - identified will use the ms-msdt:/ protocol handler to load msdt.exe to retrieve - a remote payload. During triage, review file modifications for html. Identify parallel - process execution that may be related, including an Office Product. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where ((process_cmd_line LIKE "%ms-msdt:/id%" - OR process_cmd_line LIKE "%ms-msdt:-id%" OR process_cmd_line LIKE "%ms-msdt:/id%" - OR process_cmd_line LIKE "%ms-msdt:%" OR process_cmd_line LIKE "%msdt%") AND process_file_name="msdt.exe") - AND (match(process_cmd_line, /(?i).xml/)=true OR match(process_cmd_line, /(?i)it_rebrowseforfile=/)=true - OR match(process_cmd_line, /(?i)it_browseforfile=/)=true) AND match(process_cmd_line, - /(?i)pcwdiagnostic/)=true - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Windows Execute Arbitrary Commands with MSDT has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190"], - class_name = "Detection Report", - confidence = 100, - confidence_id = 3, - duration = 0, - impact = 100, - impact_id = 5, - kill_chain = [{"phase": "Exploitation", "phase_id": 4}], - nist = ["DE.AE"], - risk_level = "Critical", - category_uid = 2, - class_uid = 102001, - risk_level_id = 4, - risk_score = 100, - severity_id = 0, - rule = {"name": "Windows Execute Arbitrary Commands with MSDT", "uid": "f253f9c2-10f0-4cc8-b469-f505ba8c2038", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. -known_false_positives: False positives may be present, filter as needed. Added .xml - to potentially capture any answer file usage. Remove as needed. -references: -- https://isc.sans.edu/diary/rss/28694 -- https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e -- https://twitter.com/nao_sec/status/1530196847679401984?s=20&t=ZiXYI4dQuA-0_dzQzSUb3A -- https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/ -- https://www.virustotal.com/gui/file/4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784/detection -- https://strontic.github.io/xcyclopedia/library/msdt.exe-152D4C9F63EFB332CCB134C6953C0104.html -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 100 - security_domain: endpoint - risk_severity: high - research_site_url: https://research.splunk.com/endpoint/f253f9c2-10f0-4cc8-b469-f505ba8c2038/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190 - cis20: - - CIS 10 - kill_chain_phases: - - Exploitation - mitre_attack_id: - - T1218 - nist: - - DE.CM -test: - name: Windows Execute Arbitrary Commands with MSDT Unit Test - tests: - - name: Windows Execute Arbitrary Commands with MSDT - attack_data: - - file_name: msdt-windows-security.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/msdt-windows-security.log - source: XmlWinEventLog -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_file_share_discovery_with_powerview.yml b/dist/ssa/srs/ssa___windows_file_share_discovery_with_powerview.yml deleted file mode 100644 index 13dabe2413..0000000000 --- a/dist/ssa/srs/ssa___windows_file_share_discovery_with_powerview.yml +++ /dev/null @@ -1,99 +0,0 @@ -name: Windows File Share Discovery With Powerview -id: ec4f671e-c736-4f78-a4c0-8fe809e952e5 -version: 4 -status: production -detection_type: STREAMING -description: The following analytic identifies the use of the Invoke-ShareFinder PowerShell - commandlet part of PowerView. This module obtains the list of all active domain - computers and lists the active shares on each computer. Network file shares in Active - Directory environments may contain sensitive information like backups, scripts, - credentials, etc. Adversaries who have obtained a foothold in an AD network may - leverage PowerView to identify secrets and leverage them for Privilege Escalation - or Lateral Movement. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval device_hostname = device.hostname | eval process_file = process.file | eval - process_file_path = process_file.path | eval process_uid = process.uid | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_uid = actor_user.uid - | where match(process_cmd_line, /(?i)invoke-sharefinder/)=true - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"device.hostname": device_hostname, "process.file.path": process_file_path, "process.uid": process_uid, "process.cmd_line": process_cmd_line, "actor.user.uid": actor_user_uid, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Windows File Share Discovery With Powerview has been triggered on " + device_hostname + " by " + "Unknown" + ".", - users = [{"name": "Unknown", "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Active Directory Privilege Escalation"], - class_name = "Detection Report", - confidence = 80, - confidence_id = 3, - duration = 0, - impact = 60, - impact_id = 4, - kill_chain = [{"phase": "Exploitation", "phase_id": 4}], - nist = ["DE.AE"], - risk_level = "Medium", - category_uid = 2, - class_uid = 102001, - risk_level_id = 2, - risk_score = 48, - severity_id = 0, - rule = {"name": "Windows File Share Discovery With Powerview", "uid": "ec4f671e-c736-4f78-a4c0-8fe809e952e5", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this analytic, you will need to enable - PowerShell Script Block Logging on some or all endpoints. Additional setup here - https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -known_false_positives: Unknown -references: -- https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerView/powerview.ps1 -- https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/ -- https://attack.mitre.org/techniques/T1135/ -tags: - required_fields: - - device.hostname - - process.file.path - - process.uid - - process.cmd_line - - actor.user.uid - risk_score: 48 - security_domain: endpoint - risk_severity: low - research_site_url: https://research.splunk.com/endpoint/ec4f671e-c736-4f78-a4c0-8fe809e952e5/ - event_schema: ocsf - mappings: - - ocsf: device.hostname - cim: dest - - ocsf: process.file.path - cim: process_path - - ocsf: process.uid - cim: process_id - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.uid - cim: user_id - annotations: - analytic_story: - - Active Directory Privilege Escalation - cis20: - - CIS 10 - kill_chain_phases: - - Exploitation - mitre_attack_id: - - T1552 - - T1552.006 - nist: - - DE.CM -test: - name: Windows File Share Discovery With Powerview Unit Test - tests: - - name: Windows File Share Discovery With Powerview - attack_data: - - file_name: windows-powershell.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/powerview_sharefinder/windows-powershell.log - source: XmlWinEventLog -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_findstr_gpp_discovery.yml b/dist/ssa/srs/ssa___windows_findstr_gpp_discovery.yml deleted file mode 100644 index b1198a97f3..0000000000 --- a/dist/ssa/srs/ssa___windows_findstr_gpp_discovery.yml +++ /dev/null @@ -1,120 +0,0 @@ -name: Windows Findstr GPP Discovery -id: 73ed0f19-080e-4917-b7c6-56e1760a50d4 -version: 4 -status: production -detection_type: STREAMING -description: The following analytic identifies the use of the findstr command employed - to search for unsecured credentials Group Policy Preferences (GPP). GPP are tools - that allow administrators to create domain policies with embedded credentials. These - policies allow administrators to set local accounts. These group policies are stored - in SYSVOL on a domain controller. This means that any domain user can view the SYSVOL - share and decrypt the password (using the AES key that has been made public). While - Microsoft released a patch that impedes Administrators to create unsecure credentials, - existing Group Policy Preferences files with passwords are not removed from SYSVOL. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where process_file_name="findstr.exe" - AND process_cmd_line LIKE "%cpassword%" - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Windows Findstr GPP Discovery has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Active Directory Privilege Escalation"], - class_name = "Detection Report", - confidence = 80, - confidence_id = 3, - duration = 0, - impact = 70, - impact_id = 4, - kill_chain = [{"phase": "Exploitation", "phase_id": 4}], - nist = ["DE.AE"], - risk_level = "Medium", - category_uid = 2, - class_uid = 102001, - risk_level_id = 2, - risk_score = 56, - severity_id = 0, - rule = {"name": "Windows Findstr GPP Discovery", "uid": "73ed0f19-080e-4917-b7c6-56e1760a50d4", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. -known_false_positives: Administrators may leverage findstr to find passwords in GPO - to validate exposure. Filter as needed. -references: -- https://attack.mitre.org/techniques/T1552/006/ -- https://pentestlab.blog/2017/03/20/group-policy-preferences/ -- https://adsecurity.org/?p=2288 -- https://www.hackingarticles.in/credential-dumping-group-policy-preferences-gpp/ -- https://support.microsoft.com/en-us/topic/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevation-of-privilege-may-13-2014-60734e15-af79-26ca-ea53-8cd617073c30 -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 56 - security_domain: endpoint - risk_severity: medium - research_site_url: https://research.splunk.com/endpoint/73ed0f19-080e-4917-b7c6-56e1760a50d4/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Active Directory Privilege Escalation - cis20: - - CIS 10 - kill_chain_phases: - - Exploitation - mitre_attack_id: - - T1552 - - T1552.006 - nist: - - DE.CM -test: - name: Windows Findstr GPP Discovery Unit Test - tests: - - name: Windows Findstr GPP Discovery - attack_data: - - file_name: windows-4688.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.006/findstr_gpp_discovery/windows-4688.log - source: XmlWinEventLog -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_ingress_tool_transfer_using_explorer.yml b/dist/ssa/srs/ssa___windows_ingress_tool_transfer_using_explorer.yml deleted file mode 100644 index 0bb052f3f8..0000000000 --- a/dist/ssa/srs/ssa___windows_ingress_tool_transfer_using_explorer.yml +++ /dev/null @@ -1,114 +0,0 @@ -name: Windows Ingress Tool Transfer Using Explorer -id: 695bfad6-9662-4f9e-a576-bf02a951aa60 -version: 4 -status: production -detection_type: STREAMING -description: The following analytic identifies the Windows Explorer process with a - URL within the command-line. Explorer.exe is known Windows process that handles - start menu, taskbar, desktop and file manager. Many adversaries abuse this process, - like DCRat malware, where it attempts to open the URL with the default browser application - on the target host by putting the URL as a parameter on explorer.exe process. This - anomaly detection might be a good pivot to check which user and how this process - was executed, what is the parent process and what is the URL link. This technique - is not commonly used to open an URL. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where (process_cmd_line LIKE "%https://%" - OR process_cmd_line LIKE "%http://%") AND process_file_name="explorer.exe" - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Windows Ingress Tool Transfer Using Explorer has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["DarkCrystal RAT"], - class_name = "Detection Report", - confidence = 50, - confidence_id = 2, - duration = 0, - impact = 50, - impact_id = 3, - kill_chain = [{"phase": "Command and Control", "phase_id": 6}], - nist = ["DE.AE"], - risk_level = "Low", - category_uid = 2, - class_uid = 102001, - risk_level_id = 1, - risk_score = 25, - severity_id = 0, - rule = {"name": "Windows Ingress Tool Transfer Using Explorer", "uid": "695bfad6-9662-4f9e-a576-bf02a951aa60", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints. -known_false_positives: False positives may be present based on legitimate applications - or third party utilities. Filter out any additional parent process names. -references: -- https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 25 - security_domain: endpoint - risk_severity: low - research_site_url: https://research.splunk.com/endpoint/695bfad6-9662-4f9e-a576-bf02a951aa60/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - DarkCrystal RAT - cis20: - - CIS 10 - kill_chain_phases: - - Command and Control - mitre_attack_id: - - T1105 - nist: - - DE.CM -test: - name: Windows Ingress Tool Transfer Using Explorer Unit Test - tests: - - name: Windows Ingress Tool Transfer Using Explorer - attack_data: - - file_name: T1105_explorer-windows-security.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/T1105_explorer-windows-security.log - source: XmlWinEventLog -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_lolbin_binary_in_non_standard_path.yml b/dist/ssa/srs/ssa___windows_lolbin_binary_in_non_standard_path.yml deleted file mode 100644 index 3322a647b5..0000000000 --- a/dist/ssa/srs/ssa___windows_lolbin_binary_in_non_standard_path.yml +++ /dev/null @@ -1,136 +0,0 @@ -name: Windows LOLBin Binary in Non Standard Path -id: 25689101-012a-324a-94d3-08301e6c065a -version: 8 -status: production -detection_type: STREAMING -description: The following analytic identifies native living off the land binaries - within the Windows operating system that may be abused by adversaries by moving - it to a new directory. The list of binaries was derived from the https://lolbas-project.github.io - site, and excluded common process names (cmd.exe, explorer.exe, csc.exe, hh.exe, - regedit.exe) and DotNet binaries. It also does not include the category of OtherMSBinaries. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where (process_file_name IN ("bitsadmin.exe", - "certoc.exe", "certreq.exe", "certutil.exe", "cmdkey.exe", "cmdl32.exe", "cmstp.exe", - "configsecuritypolicy.exe", "control.exe", "cscript.exe", "datasvcutil.exe", "desktopimgdownldr.exe", - "dfsvc.exe", "diantz.exe", "diskshadow.exe", "dllhost.exe", "dnscmd.exe", "esentutl.exe", - "eventvwr.exe", "expand.exe", "extexport.exe", "extrac32.exe", "findstr.exe", "finger.exe", - "fltmc.exe", "forfiles.exe", "ftp.exe", "gfxdownloadwrapper.exe", "gpscript.exe", - "imewdbld.exe", "ie4uinit.exe", "ieexec.exe", "ilasm.exe", "infdefaultinstall.exe", - "makecab.exe", "mavinject.exe", "microsoft.workflow.compiler.exe", "mmc.exe", "msconfig.exe", - "msdt.exe", "mshta.exe", "msiexec.exe", "netsh.exe", "odbcconf.exe", "offlinescannershell.exe", - "pcalua.exe", "pcwrun.exe", "pktmon.exe", "pnputil.exe", "presentationhost.exe", - "print.exe", "printbrm.exe", "psr.exe", "rasautou.exe", "reg.exe", "regini.exe", - "register-cimprovider.exe", "regsvr32.exe", "replace.exe", "rpcping.exe", "rundll32.exe", - "runonce.exe", "runscripthelper.exe", "sc.exe", "schtasks.exe", "scriptrunner.exe", - "settingsynchost.exe", "syncappvpublishingserver.exe", "ttdinject.exe", "tttracer.exe", - "vbc.exe", "verclsid.exe", "wab.exe", "wlrmdr.exe", "wmic.exe", "workfolders.exe", - "wscript.exe", "wsreset.exe", "wuauclt.exe", "xwizard.exe")) AND (NOT (match(process_file_path, - /(?i)(?i)\\windows\\system32/)=true OR match(process_file_path, /(?i)(?i)\\windows\\syswow64/)=true - OR match(process_file_path, /(?i)(?i)\\windows\\networkcontrolle/)=true OR match(process_file_path, - /(?i)(?i)\\windows\\systemapps/)=true OR match(process_file_path, /(?i)(?i)\\winsxs/)=true - OR match(process_file_path, /(?i)(?i)\\microsoft.net/)=true)) - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Windows LOLBin Binary in Non Standard Path has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Unusual Processes", "Ransomware", "WhisperGate"], - class_name = "Detection Report", - confidence = 70, - confidence_id = 3, - duration = 0, - impact = 70, - impact_id = 4, - kill_chain = [{"phase": "Exploitation", "phase_id": 4}], - nist = ["DE.AE"], - risk_level = "Medium", - category_uid = 2, - class_uid = 102001, - risk_level_id = 2, - risk_score = 49, - severity_id = 0, - rule = {"name": "Windows LOLBin Binary in Non Standard Path", "uid": "25689101-012a-324a-94d3-08301e6c065a", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: Collect endpoint data such as sysmon or 4688 events. -known_false_positives: False positives may be present and filtering may be required. - Certain utilities will run from non-standard paths based on the third-party application - in use. -references: -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.yaml -- https://attack.mitre.org/techniques/T1036/003/ -- https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 49 - security_domain: endpoint - risk_severity: low - research_site_url: https://research.splunk.com/endpoint/25689101-012a-324a-94d3-08301e6c065a/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Unusual Processes - - Ransomware - - WhisperGate - cis20: - - CIS 10 - kill_chain_phases: - - Exploitation - mitre_attack_id: - - T1036 - - T1036.003 - - T1218 - - T1218.004 - nist: - - DE.AE -test: - name: Windows LOLBin Binary in Non Standard Path Unit Test - tests: - - name: Windows LOLBin Binary in Non Standard Path - attack_data: - - file_name: dotnet_lolbin-windows-security.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/system_process_running_unexpected_location/dotnet_lolbin-windows-security.log - source: WinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_mshta_child_process.yml b/dist/ssa/srs/ssa___windows_mshta_child_process.yml deleted file mode 100644 index 77299100df..0000000000 --- a/dist/ssa/srs/ssa___windows_mshta_child_process.yml +++ /dev/null @@ -1,116 +0,0 @@ -name: Windows MSHTA Child Process -id: f63f7e9c-9526-11ec-9fc7-acde48001122 -version: 6 -status: production -detection_type: STREAMING -description: The following analytic identifies child processes spawning from "mshta.exe". - The search will return the first time and last time these command-line arguments - were used for these executions, as well as the target system, the user, parent process - "mshta.exe" and its child process. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where (process_file_name IN ("wscript.exe", - "cscript.exe", "searchprotocolhost.exe", "microsoft.workflow.compiler.exe", "msbuild.exe", - "colorcpl.exe", "scrcons.exe", "cmd.exe", "powershell.exe")) AND actor_process_file_name - LIKE "%mshta.exe" - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Windows MSHTA Child Process has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Suspicious MSHTA Activity", "Living Off The Land"], - class_name = "Detection Report", - confidence = 100, - confidence_id = 3, - duration = 0, - impact = 80, - impact_id = 5, - kill_chain = [{"phase": "Exploitation", "phase_id": 4}], - nist = ["DE.AE"], - risk_level = "Critical", - category_uid = 2, - class_uid = 102001, - risk_level_id = 4, - risk_score = 80, - severity_id = 0, - rule = {"name": "Windows MSHTA Child Process", "uid": "f63f7e9c-9526-11ec-9fc7-acde48001122", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. -known_false_positives: Although unlikely, some legitimate applications may exhibit - this behavior, triggering a false positive. -references: -- https://github.com/redcanaryco/AtomicTestHarnesses -- https://redcanary.com/blog/introducing-atomictestharnesses/ -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 80 - security_domain: endpoint - risk_severity: high - research_site_url: https://research.splunk.com/endpoint/f63f7e9c-9526-11ec-9fc7-acde48001122/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Suspicious MSHTA Activity - - Living Off The Land - cis20: - - CIS 10 - kill_chain_phases: - - Exploitation - mitre_attack_id: - - T1218.005 - - T1218 - nist: - - DE.CM -test: - name: Windows MSHTA Child Process Unit Test - tests: - - name: Windows MSHTA Child Process - attack_data: - - file_name: windows-security.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/windows-security.log - source: WinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_mshta_command_line_url.yml b/dist/ssa/srs/ssa___windows_mshta_command_line_url.yml deleted file mode 100644 index 7cb2a71cd7..0000000000 --- a/dist/ssa/srs/ssa___windows_mshta_command_line_url.yml +++ /dev/null @@ -1,119 +0,0 @@ -name: Windows MSHTA Command-Line URL -id: 9b35c538-94ef-11ec-9439-acde48001122 -version: 4 -status: production -detection_type: STREAMING -description: This analytic identifies when Microsoft HTML Application Host (mshta.exe) - utility is used to make remote http connections. Adversaries may use mshta.exe to - proxy the download and execution of remote .hta files. The analytic identifies command - line arguments of http and https being used. This technique is commonly used by - malicious software to bypass preventative controls. The search will return the first - time and last time these command-line arguments were used for these executions, - as well as the target system, the user, process "rundll32.exe" and its parent process. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where (process_cmd_line LIKE "%https://%" - OR process_cmd_line LIKE "%http://%") AND process_file_name="mshta.exe" - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Windows MSHTA Command-Line URL has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Suspicious MSHTA Activity", "Living Off The Land"], - class_name = "Detection Report", - confidence = 100, - confidence_id = 3, - duration = 0, - impact = 80, - impact_id = 5, - kill_chain = [{"phase": "Exploitation", "phase_id": 4}], - nist = ["DE.AE"], - risk_level = "Critical", - category_uid = 2, - class_uid = 102001, - risk_level_id = 4, - risk_score = 80, - severity_id = 0, - rule = {"name": "Windows MSHTA Command-Line URL", "uid": "9b35c538-94ef-11ec-9439-acde48001122", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. -known_false_positives: It is possible legitimate applications may perform this behavior - and will need to be filtered. -references: -- https://github.com/redcanaryco/AtomicTestHarnesses -- https://redcanary.com/blog/introducing-atomictestharnesses/ -- https://docs.microsoft.com/en-us/windows/win32/search/-search-3x-wds-extidx-prot-implementing -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 80 - security_domain: endpoint - risk_severity: high - research_site_url: https://research.splunk.com/endpoint/9b35c538-94ef-11ec-9439-acde48001122/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Suspicious MSHTA Activity - - Living Off The Land - cis20: - - CIS 10 - kill_chain_phases: - - Exploitation - mitre_attack_id: - - T1218.005 - - T1218 - nist: - - DE.CM -test: - name: Windows MSHTA Command-Line URL Unit Test - tests: - - name: Windows MSHTA Command-Line URL - attack_data: - - file_name: windows-security.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/windows-security.log - source: WinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_mshta_inline_hta_execution.yml b/dist/ssa/srs/ssa___windows_mshta_inline_hta_execution.yml deleted file mode 100644 index a06312798c..0000000000 --- a/dist/ssa/srs/ssa___windows_mshta_inline_hta_execution.yml +++ /dev/null @@ -1,118 +0,0 @@ -name: Windows MSHTA Inline HTA Execution -id: 24962154-9524-11ec-9333-acde48001122 -version: 4 -status: production -detection_type: STREAMING -description: The following analytic identifies "mshta.exe" execution with inline protocol - handlers. "JavaScript", "VBScript", and "About" are the only supported options when - invoking HTA content directly on the command-line. The search will return the first - time and last time these command-line arguments were used for these executions, - as well as the target system, the user, process "mshta.exe" and its parent process. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where (process_cmd_line LIKE "%about%" - OR process_cmd_line LIKE "%javascript%" OR process_cmd_line LIKE "%vbscript%") AND - process_file_name="mshta.exe" - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Windows MSHTA Inline HTA Execution has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Suspicious MSHTA Activity", "Living Off The Land"], - class_name = "Detection Report", - confidence = 100, - confidence_id = 3, - duration = 0, - impact = 80, - impact_id = 5, - kill_chain = [{"phase": "Exploitation", "phase_id": 4}], - nist = ["DE.AE"], - risk_level = "Critical", - category_uid = 2, - class_uid = 102001, - risk_level_id = 4, - risk_score = 80, - severity_id = 0, - rule = {"name": "Windows MSHTA Inline HTA Execution", "uid": "24962154-9524-11ec-9333-acde48001122", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. -known_false_positives: Although unlikely, some legitimate applications may exhibit - this behavior, triggering a false positive. -references: -- https://github.com/redcanaryco/AtomicTestHarnesses -- https://redcanary.com/blog/introducing-atomictestharnesses/ -- https://docs.microsoft.com/en-us/windows/win32/search/-search-3x-wds-extidx-prot-implementing -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 80 - security_domain: endpoint - risk_severity: high - research_site_url: https://research.splunk.com/endpoint/24962154-9524-11ec-9333-acde48001122/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Suspicious MSHTA Activity - - Living Off The Land - cis20: - - CIS 10 - kill_chain_phases: - - Exploitation - mitre_attack_id: - - T1218.005 - - T1218 - nist: - - DE.CM -test: - name: Windows MSHTA Inline HTA Execution Unit Test - tests: - - name: Windows MSHTA Inline HTA Execution - attack_data: - - file_name: windows-security.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/windows-security.log - source: WinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_odbcconf_load_response_file.yml b/dist/ssa/srs/ssa___windows_odbcconf_load_response_file.yml deleted file mode 100644 index 17ab725a4d..0000000000 --- a/dist/ssa/srs/ssa___windows_odbcconf_load_response_file.yml +++ /dev/null @@ -1,115 +0,0 @@ -name: Windows Odbcconf Load Response File -id: 7b6c3fac-0c37-4efc-a85e-de88f42b6763 -version: 4 -status: production -detection_type: STREAMING -description: The following analytic identifies the odbcconf.exe, Windows Open Database - Connectivity utility, loading up a resource file. The file extension is arbitrary - and may be named anything. The resource file itself may have different commands - supported by Odbcconf to load up a DLL (REGSVR) on disk or additional commands. - During triage, review file modifications and parallel processes. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where ((process_cmd_line LIKE "%/f %" - OR process_cmd_line LIKE "%-f %") AND process_file_name="odbcconf.exe") AND process_cmd_line - LIKE "%.rsp%" - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Windows Odbcconf Load Response File has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Living Off The Land"], - class_name = "Detection Report", - confidence = 70, - confidence_id = 3, - duration = 0, - impact = 60, - impact_id = 4, - kill_chain = [{"phase": "Exploitation", "phase_id": 4}], - nist = ["DE.AE"], - risk_level = "Medium", - category_uid = 2, - class_uid = 102001, - risk_level_id = 2, - risk_score = 42, - severity_id = 0, - rule = {"name": "Windows Odbcconf Load Response File", "uid": "7b6c3fac-0c37-4efc-a85e-de88f42b6763", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. -known_false_positives: False positives may be present and filtering may need to occur - based on legitimate application usage. Filter as needed. -references: -- https://strontic.github.io/xcyclopedia/library/odbcconf.exe-07FBA12552331355C103999806627314.html -- https://twitter.com/redcanary/status/1541838407894171650?s=20&t=kp3WBPtfnyA3xW7D7wx0uw -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 42 - security_domain: endpoint - risk_severity: low - research_site_url: https://research.splunk.com/endpoint/7b6c3fac-0c37-4efc-a85e-de88f42b6763/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Living Off The Land - cis20: - - CIS 10 - kill_chain_phases: - - Exploitation - mitre_attack_id: - - T1218.008 - - T1218 - nist: - - DE.CM -test: - name: Windows Odbcconf Load Response File Unit Test - tests: - - name: Windows Odbcconf Load Response File - attack_data: - - file_name: odbcconf-windows-security.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.008/atomic_red_team/odbcconf-windows-security.log - source: XmlWinEventLog -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_os_credential_dumping_with_ntdsutil_export_ntds.yml b/dist/ssa/srs/ssa___windows_os_credential_dumping_with_ntdsutil_export_ntds.yml deleted file mode 100644 index 0e4c63bd8b..0000000000 --- a/dist/ssa/srs/ssa___windows_os_credential_dumping_with_ntdsutil_export_ntds.yml +++ /dev/null @@ -1,126 +0,0 @@ -name: Windows OS Credential Dumping with Ntdsutil Export NTDS -id: dad9ddec-a72a-47be-87b6-a0f7ba98ed6e -version: 4 -status: production -detection_type: STREAMING -description: 'Monitor for signs that Ntdsutil is being used to Extract Active Directory - database - NTDS.dit, typically used for offline password cracking. It may be used - in normal circumstances with no command line arguments or shorthand variations of - more common arguments. Ntdsutil.exe is typically seen run on a Windows Server. Typical - command used to dump ntds.dit - - ntdsutil "ac i ntds" "ifm" "create full C:\Temp" q q - - This technique uses "Install from Media" (IFM), which will extract a copy of the - Active Directory database. A successful export of the Active Directory database - will yield a file modification named ntds.dit to the destination.' -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where process_file_name="ntdsutil.exe" - AND (process_cmd_line LIKE "%create%" AND process_cmd_line LIKE "%ntds%") - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Windows OS Credential Dumping with Ntdsutil Export NTDS has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Credential Dumping", "HAFNIUM Group", "Living Off The Land", "Volt Typhoon"], - class_name = "Detection Report", - confidence = 50, - confidence_id = 2, - duration = 0, - impact = 100, - impact_id = 5, - kill_chain = [{"phase": "Exploitation", "phase_id": 4}], - nist = ["DE.AE"], - risk_level = "Medium", - category_uid = 2, - class_uid = 102001, - risk_level_id = 2, - risk_score = 50, - severity_id = 0, - rule = {"name": "Windows OS Credential Dumping with Ntdsutil Export NTDS", "uid": "dad9ddec-a72a-47be-87b6-a0f7ba98ed6e", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. -known_false_positives: Highly possible Server Administrators will troubleshoot with - ntdsutil.exe, generating false positives. -references: -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md#atomic-test-3---dump-active-directory-database-with-ntdsutil -- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc753343(v=ws.11) -- https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf -- https://strontic.github.io/xcyclopedia/library/vss_ps.dll-97B15BDAE9777F454C9A6BA25E938DB3.html -- https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/ -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 50 - security_domain: endpoint - risk_severity: medium - research_site_url: https://research.splunk.com/endpoint/dad9ddec-a72a-47be-87b6-a0f7ba98ed6e/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Credential Dumping - - HAFNIUM Group - - Living Off The Land - - Volt Typhoon - cis20: - - CIS 10 - kill_chain_phases: - - Exploitation - mitre_attack_id: - - T1003.003 - - T1003 - nist: - - DE.CM -test: - name: Windows OS Credential Dumping with Ntdsutil Export NTDS Unit Test - tests: - - name: Windows OS Credential Dumping with Ntdsutil Export NTDS - attack_data: - - file_name: 4688_windows-security.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.003/atomic_red_team/4688_windows-security.log - source: XmlWinEventLog -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_os_credential_dumping_with_procdump.yml b/dist/ssa/srs/ssa___windows_os_credential_dumping_with_procdump.yml deleted file mode 100644 index 8507142e70..0000000000 --- a/dist/ssa/srs/ssa___windows_os_credential_dumping_with_procdump.yml +++ /dev/null @@ -1,122 +0,0 @@ -name: Windows OS Credential Dumping with Procdump -id: e102e297-dbe6-4a19-b319-5c08f4c19a06 -version: 5 -status: production -detection_type: STREAMING -description: 'Detect procdump.exe dumping the lsass process. This query looks for - both -mm and -ma usage. -mm will produce a mini dump file and -ma will write a dump - file with all process memory. Both are highly suspect and should be reviewed. This - query does not monitor for the internal name (original_file_name=procdump) of the - PE or look for procdump64.exe. Modify the query as needed. - - During triage, confirm this is procdump.exe executing. If it is the first time a - Sysinternals utility has been ran, it is possible there will be a -accepteula on - the command line. Review other endpoint data sources for cross process (injection) - into lsass.exe.' -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where ((process_cmd_line LIKE "%-ma %" - OR process_cmd_line LIKE "%-mm %") AND (process_file_name IN ("procdump64.exe", - "procdump.exe"))) AND process_cmd_line LIKE "%lsass%" - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Windows OS Credential Dumping with Procdump has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Credential Dumping", "HAFNIUM Group"], - class_name = "Detection Report", - confidence = 100, - confidence_id = 3, - duration = 0, - impact = 80, - impact_id = 5, - kill_chain = [{"phase": "Exploitation", "phase_id": 4}], - nist = ["DE.AE"], - risk_level = "Critical", - category_uid = 2, - class_uid = 102001, - risk_level_id = 4, - risk_score = 80, - severity_id = 0, - rule = {"name": "Windows OS Credential Dumping with Procdump", "uid": "e102e297-dbe6-4a19-b319-5c08f4c19a06", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. -known_false_positives: None identified. -references: -- https://attack.mitre.org/techniques/T1003/001/ -- https://docs.microsoft.com/en-us/sysinternals/downloads/procdump -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md#atomic-test-2---dump-lsassexe-memory-using-procdump -- https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/ -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 80 - security_domain: endpoint - risk_severity: high - research_site_url: https://research.splunk.com/endpoint/e102e297-dbe6-4a19-b319-5c08f4c19a06/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Credential Dumping - - HAFNIUM Group - cis20: - - CIS 10 - kill_chain_phases: - - Exploitation - mitre_attack_id: - - T1003.001 - - T1003 - nist: - - DE.CM -test: - name: Windows OS Credential Dumping with Procdump Unit Test - tests: - - name: Windows OS Credential Dumping with Procdump - attack_data: - - file_name: procdump_windows-security.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/procdump_windows-security.log - source: XmlWinEventLog -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_powershell_connect_to_internet_with_hidden_window.yml b/dist/ssa/srs/ssa___windows_powershell_connect_to_internet_with_hidden_window.yml deleted file mode 100644 index c891297a54..0000000000 --- a/dist/ssa/srs/ssa___windows_powershell_connect_to_internet_with_hidden_window.yml +++ /dev/null @@ -1,125 +0,0 @@ -name: Windows Powershell Connect to Internet With Hidden Window -id: 477e068e-8b6d-11ec-b6c1-81af21670352 -version: 6 -status: production -detection_type: STREAMING -description: The following hunting analytic identifies PowerShell commands utilizing - the WindowStyle parameter to hide the window on the compromised endpoint. This combination - of command-line options is suspicious because it is overriding the default PowerShell - execution policy, attempts to hide its activity from the user, and connects to the - Internet. Removed in this version of the query is New-Object. The analytic identifies - all variations of WindowStyle, as PowerShell allows the ability to shorten the parameter. - For example w, win, windowsty and so forth. In addition, through our research it - was identified that PowerShell will interpret different command switch types beyond - the hyphen. We have added endash, emdash, horizontal bar, and forward slash. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where (process_file_name IN ("powershell_ise.exe", - "powershell.exe", "sqltoolsps.exe", "sqlps.exe", "pwsh.exe")) AND match(process_cmd_line, - /(?i)[\-|\/]w(in*d*o*w*s*t*y*l*e*)*\s+h(i*d*d*e*n*)\s+/)=true - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Windows Powershell Connect to Internet With Hidden Window has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Malicious PowerShell", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "HAFNIUM Group", "Log4Shell CVE-2021-44228"], - class_name = "Detection Report", - confidence = 70, - confidence_id = 3, - duration = 0, - impact = 50, - impact_id = 3, - kill_chain = [{"phase": "Actions on Objectives", "phase_id": 7}], - nist = ["DE.AE"], - risk_level = "Low", - category_uid = 2, - class_uid = 102001, - risk_level_id = 1, - risk_score = 35, - severity_id = 0, - rule = {"name": "Windows Powershell Connect to Internet With Hidden Window", "uid": "477e068e-8b6d-11ec-b6c1-81af21670352", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: You must be ingesting data that records process activity from your - hosts to populate the Endpoint data model in the Processes node. You must also be - ingesting logs with both the process name and command line from your endpoints. - The command-line arguments are mapped to the "process" field in the Endpoint data - model. -known_false_positives: Legitimate process can have this combination of command-line - options, but it's not common. -references: -- https://regexr.com/663rr -- https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/Windows/TestHarnesses/T1059.001_PowerShell/OutPowerShellCommandLineParameter.ps1 -- https://ss64.com/ps/powershell.html -- https://twitter.com/M_haggis/status/1440758396534214658?s=20 -- https://blog.netlab.360.com/ten-families-of-malicious-samples-are-spreading-using-the-log4j2-vulnerability-now/ -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 35 - security_domain: endpoint - risk_severity: low - research_site_url: https://research.splunk.com/endpoint/477e068e-8b6d-11ec-b6c1-81af21670352/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Malicious PowerShell - - Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns - - HAFNIUM Group - - Log4Shell CVE-2021-44228 - cis20: - - CIS 10 - kill_chain_phases: - - Actions on Objectives - mitre_attack_id: - - T1020 - nist: - - DE.AE -test: - name: Windows Powershell Connect to Internet With Hidden Window Unit Test - tests: - - name: Windows Powershell Connect to Internet With Hidden Window - attack_data: - - file_name: hidden_windows-security.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/hidden_powershell/hidden_windows-security.log - source: WinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_powershell_disabled_kerberos_pre_authentication_discovery_get_aduser.yml b/dist/ssa/srs/ssa___windows_powershell_disabled_kerberos_pre_authentication_discovery_get_aduser.yml deleted file mode 100644 index a69997fca3..0000000000 --- a/dist/ssa/srs/ssa___windows_powershell_disabled_kerberos_pre_authentication_discovery_get_aduser.yml +++ /dev/null @@ -1,103 +0,0 @@ -name: Windows PowerShell Disabled Kerberos Pre-Authentication Discovery Get-ADUser -id: d57b4d91-fc91-4482-a325-47693cced1eb -version: 4 -status: production -detection_type: STREAMING -description: The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) - to identify the execution of the `Get-ADUser` commandlet with specific parameters. - `Get-ADUser` is part of the Active Directory PowerShell module used to manage Windows - Active Directory networks. As the name suggests, `Get-ADUser` is used to query for - domain users. With the appropiate parameters, Get-ADUser allows adversaries to discover - domain accounts with Kerberos Pre Authentication disabled.\ Red Teams and adversaries - alike use may abuse Get-ADUSer to enumerate these accounts and attempt to crack - their passwords offline. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval device_hostname = device.hostname | eval process_file = process.file | eval - process_file_path = process_file.path | eval process_uid = process.uid | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_uid = actor_user.uid - | where process_cmd_line LIKE "%4194304%" AND match(process_cmd_line, /(?i)get-aduser/)=true - - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"device.hostname": device_hostname, "process.file.path": process_file_path, "process.uid": process_uid, "process.cmd_line": process_cmd_line, "actor.user.uid": actor_user_uid, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Windows PowerShell Disabled Kerberos Pre-Authentication Discovery Get-ADUser has been triggered on " + device_hostname + " by " + "Unknown" + ".", - users = [{"name": "Unknown", "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Active Directory Kerberos Attacks"], - class_name = "Detection Report", - confidence = 90, - confidence_id = 3, - duration = 0, - impact = 60, - impact_id = 4, - kill_chain = [{"phase": "Exploitation", "phase_id": 4}], - nist = ["DE.AE"], - risk_level = "Medium", - category_uid = 2, - class_uid = 102001, - risk_level_id = 2, - risk_score = 54, - severity_id = 0, - rule = {"name": "Windows PowerShell Disabled Kerberos Pre-Authentication Discovery Get-ADUser", "uid": "d57b4d91-fc91-4482-a325-47693cced1eb", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this analytic, you will need to enable - PowerShell Script Block Logging on some or all endpoints. Additional setup here - https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -known_false_positives: Administrators or power users may use search for accounts with - Kerberos Pre Authentication disabled for legitimate purposes. -references: -- https://attack.mitre.org/techniques/T1558/004/ -- https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html -- https://stealthbits.com/blog/cracking-active-directory-passwords-with-as-rep-roasting/ -tags: - required_fields: - - device.hostname - - process.file.path - - process.uid - - process.cmd_line - - actor.user.uid - risk_score: 54 - security_domain: endpoint - risk_severity: medium - research_site_url: https://research.splunk.com/endpoint/d57b4d91-fc91-4482-a325-47693cced1eb/ - event_schema: ocsf - mappings: - - ocsf: device.hostname - cim: dest - - ocsf: process.file.path - cim: process_path - - ocsf: process.uid - cim: process_id - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.uid - cim: user_id - annotations: - analytic_story: - - Active Directory Kerberos Attacks - cis20: - - CIS 10 - kill_chain_phases: - - Exploitation - mitre_attack_id: - - T1558 - - T1558.004 - nist: - - DE.CM -test: - name: Windows PowerShell Disabled Kerberos Pre-Authentication Discovery Get-ADUser - Unit Test - tests: - - name: Windows PowerShell Disabled Kerberos Pre-Authentication Discovery Get-ADUser - attack_data: - - file_name: windows-powershell.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.004/getaduser/windows-powershell.log - source: WinEventLog -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_powershell_disabled_kerberos_pre_authentication_discovery_with_powerview.yml b/dist/ssa/srs/ssa___windows_powershell_disabled_kerberos_pre_authentication_discovery_with_powerview.yml deleted file mode 100644 index a726e46d95..0000000000 --- a/dist/ssa/srs/ssa___windows_powershell_disabled_kerberos_pre_authentication_discovery_with_powerview.yml +++ /dev/null @@ -1,103 +0,0 @@ -name: Windows PowerShell Disabled Kerberos Pre-Authentication Discovery With PowerView -id: dc3f2af7-ca69-47ce-a122-9f9787e19417 -version: 4 -status: production -detection_type: STREAMING -description: 'The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) - to identify the execution of the `Get-DomainUser` commandlet with specific parameters. - `Get-DomainUser` is part of PowerView, a PowerShell tool used to perform enumeration - on Windows Active Directory networks. As the name suggests, `Get-DomainUser` is - used to identify domain users and combining it with `-PreauthNotRequired` allows - adversaries to discover domain accounts with Kerberos Pre Authentication disabled. - - Red Teams and adversaries alike use may leverage PowerView to enumerate these accounts - and attempt to crack their passwords offline.' -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval device_hostname = device.hostname | eval process_file = process.file | eval - process_file_path = process_file.path | eval process_uid = process.uid | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_uid = actor_user.uid - | where match(process_cmd_line, /(?i)preauthnotrequired/)=true AND match(process_cmd_line, - /(?i)get-domainuser/)=true - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"device.hostname": device_hostname, "process.file.path": process_file_path, "process.uid": process_uid, "process.cmd_line": process_cmd_line, "actor.user.uid": actor_user_uid, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Windows PowerShell Disabled Kerberos Pre-Authentication Discovery With PowerView has been triggered on " + device_hostname + " by " + "Unknown" + ".", - users = [{"name": "Unknown", "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Active Directory Kerberos Attacks"], - class_name = "Detection Report", - confidence = 90, - confidence_id = 3, - duration = 0, - impact = 60, - impact_id = 4, - kill_chain = [{"phase": "Exploitation", "phase_id": 4}], - nist = ["DE.AE"], - risk_level = "Medium", - category_uid = 2, - class_uid = 102001, - risk_level_id = 2, - risk_score = 54, - severity_id = 0, - rule = {"name": "Windows PowerShell Disabled Kerberos Pre-Authentication Discovery With PowerView", "uid": "dc3f2af7-ca69-47ce-a122-9f9787e19417", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this analytic, you will need to enable - PowerShell Script Block Logging on some or all endpoints. Additional setup here - https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -known_false_positives: Administrators or power users may use PowerView for troubleshooting -references: -- https://attack.mitre.org/techniques/T1558/004/ -- https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html -- https://stealthbits.com/blog/cracking-active-directory-passwords-with-as-rep-roasting/ -tags: - required_fields: - - device.hostname - - process.file.path - - process.uid - - process.cmd_line - - actor.user.uid - risk_score: 54 - security_domain: endpoint - risk_severity: medium - research_site_url: https://research.splunk.com/endpoint/dc3f2af7-ca69-47ce-a122-9f9787e19417/ - event_schema: ocsf - mappings: - - ocsf: device.hostname - cim: dest - - ocsf: process.file.path - cim: process_path - - ocsf: process.uid - cim: process_id - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.uid - cim: user_id - annotations: - analytic_story: - - Active Directory Kerberos Attacks - cis20: - - CIS 10 - kill_chain_phases: - - Exploitation - mitre_attack_id: - - T1558 - - T1558.004 - nist: - - DE.CM -test: - name: Windows PowerShell Disabled Kerberos Pre-Authentication Discovery With PowerView - Unit Test - tests: - - name: Windows PowerShell Disabled Kerberos Pre-Authentication Discovery With PowerView - attack_data: - - file_name: getdomainuser.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/getdomainuser.log - source: XmlWinEventLog -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_powershell_downloadfile.yml b/dist/ssa/srs/ssa___windows_powershell_downloadfile.yml deleted file mode 100644 index 23a0fc0bf3..0000000000 --- a/dist/ssa/srs/ssa___windows_powershell_downloadfile.yml +++ /dev/null @@ -1,119 +0,0 @@ -name: Windows Powershell DownloadFile -id: 46440222-81d5-44b1-a376-19dcd70d1b08 -version: 5 -status: production -detection_type: STREAMING -description: The following analytic identifies the use of PowerShell downloading a - file using `DownloadFile` method. This particular method is utilized in many different - PowerShell frameworks to download files and output to disk. Identify the source - (IP/domain) and destination file and triage appropriately. If AMSI logging or PowerShell - transaction logs are available, review for further details of the implant. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where (process_file_name IN ("powershell_ise.exe", - "powershell.exe", "sqltoolsps.exe", "sqlps.exe", "pwsh.exe", "pwsh.exe")) AND match(process_cmd_line, - /(?i)downloadfile/)=true - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Windows Powershell DownloadFile has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Malicious PowerShell", "Ingress Tool Transfer", "Log4Shell CVE-2021-44228"], - class_name = "Detection Report", - confidence = 70, - confidence_id = 3, - duration = 0, - impact = 50, - impact_id = 3, - kill_chain = [{"phase": "Actions on Objectives", "phase_id": 7}], - nist = ["DE.AE"], - risk_level = "Low", - category_uid = 2, - class_uid = 102001, - risk_level_id = 1, - risk_score = 35, - severity_id = 0, - rule = {"name": "Windows Powershell DownloadFile", "uid": "46440222-81d5-44b1-a376-19dcd70d1b08", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. -known_false_positives: False positives may be present and filtering will need to occur - by parent process or command line argument. It may be required to modify this query - to an EDR product for more granular coverage. -references: -- https://docs.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-5.0 -- https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/ -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 35 - security_domain: endpoint - risk_severity: low - research_site_url: https://research.splunk.com/endpoint/46440222-81d5-44b1-a376-19dcd70d1b08/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Malicious PowerShell - - Ingress Tool Transfer - - Log4Shell CVE-2021-44228 - cis20: - - CIS 10 - kill_chain_phases: - - Actions on Objectives - mitre_attack_id: - - T1020 - nist: - - DE.AE -test: - name: Windows Powershell DownloadFile Unit Test - tests: - - name: Windows Powershell DownloadFile - attack_data: - - file_name: downloadfile_windows-security.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/downloadfile_windows-security.log - source: WinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_powershell_downloadstring.yml b/dist/ssa/srs/ssa___windows_powershell_downloadstring.yml deleted file mode 100644 index ed95668081..0000000000 --- a/dist/ssa/srs/ssa___windows_powershell_downloadstring.yml +++ /dev/null @@ -1,132 +0,0 @@ -name: Windows Powershell DownloadString -id: e4a2cc58-59d4-480a-8992-9dfb95a4bacd -version: 1 -status: production -detection_type: STREAMING -description: The following analytic identifies the use of PowerShell downloading a - file using `DownloadString` method. This particular method is utilized in many different - PowerShell frameworks to download files and output to disk. Identify the source - (IP/domain) and destination file and triage appropriately. If AMSI logging or PowerShell - transaction logs are available, review for further details of the implant. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where (process_file_name IN ("powershell_ise.exe", - "powershell.exe", "sqltoolsps.exe", "sqlps.exe", "pwsh.exe", "pwsh.exe")) AND match(process_cmd_line, - /(?i)DownloadString/)=true - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Windows Powershell DownloadString has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Winter Vivern", "Ingress Tool Transfer", "Hermetic Wiper", "Malicious PowerShell", "HAFNIUM Group", "Data Destruction", "IcedID", "SysAid On-Prem Software CVE-2023-47246 Vulnerability"], - class_name = "Detection Report", - confidence = 70, - confidence_id = 3, - duration = 0, - impact = 80, - impact_id = 5, - kill_chain = [{"phase": "Installation", "phase_id": 5}, {"phase": "Command and Control", "phase_id": 6}], - nist = ["DE.AE"], - risk_level = "Medium", - category_uid = 2, - class_uid = 102001, - risk_level_id = 2, - risk_score = 56, - severity_id = 0, - rule = {"name": "Windows Powershell DownloadString", "uid": "e4a2cc58-59d4-480a-8992-9dfb95a4bacd", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: False positives may be present and filtering will need to occur - by parent process or command line argument. It may be required to modify this query - to an EDR product for more granular coverage. -references: -- https://docs.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-5.0 -- https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/ -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md -- https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/ -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 56 - security_domain: endpoint - risk_severity: medium - research_site_url: https://research.splunk.com/endpoint/e4a2cc58-59d4-480a-8992-9dfb95a4bacd/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Winter Vivern - - Ingress Tool Transfer - - Hermetic Wiper - - Malicious PowerShell - - HAFNIUM Group - - Data Destruction - - IcedID - - SysAid On-Prem Software CVE-2023-47246 Vulnerability - cis20: - - CIS 10 - kill_chain_phases: - - Installation - - Command and Control - mitre_attack_id: - - T1059 - - T1059.001 - - T1105 - nist: - - DE.CM -test: - name: Windows Powershell DownloadString Unit Test - tests: - - name: Windows Powershell DownloadString - attack_data: - - file_name: windows-security-2.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/windows-security-2.log - source: XmlWinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_powershell_execution_policy_bypass.yml b/dist/ssa/srs/ssa___windows_powershell_execution_policy_bypass.yml deleted file mode 100644 index 2e54edcabf..0000000000 --- a/dist/ssa/srs/ssa___windows_powershell_execution_policy_bypass.yml +++ /dev/null @@ -1,128 +0,0 @@ -name: Windows Powershell Execution Policy Bypass -id: 1d20daaa-f99e-4770-a25c-e84e8cd32825 -version: 1 -status: validation -detection_type: STREAMING -description: The following analytic detects the initiation of PowerShell processes - with parameters specifically designed to bypass the local script execution policy. - It identifies this behavior by searching for commandline arguments that are commonly - used in malicious activities to circumvent the built-in security mechanisms of PowerShell. - This detection is crucial for a Security Operations Center (SOC) as bypassing the - execution policy can allow attackers to execute arbitrary scripts, leading to unauthorized - actions, data exfiltration, or further system compromise. The impact of such an - attack can be significant, potentially resulting in the loss of sensitive information - or control over critical systems. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where (process_file_name IN ("powershell_ise.exe", - "powershell.exe", "sqltoolsps.exe", "sqlps.exe", "pwsh.exe", "pwsh.exe")) AND match(process_cmd_line, - /(?i)Bypass/)=true - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Windows Powershell Execution Policy Bypass has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["DHS Report TA18-074A", "HAFNIUM Group", "DarkCrystal RAT", "AsyncRAT", "Volt Typhoon"], - class_name = "Detection Report", - confidence = 60, - confidence_id = 2, - duration = 0, - impact = 70, - impact_id = 4, - kill_chain = [{"phase": "Installation", "phase_id": 5}], - nist = ["DE.AE"], - risk_level = "Medium", - category_uid = 2, - class_uid = 102001, - risk_level_id = 2, - risk_score = 42, - severity_id = 0, - rule = {"name": "Windows Powershell Execution Policy Bypass", "uid": "1d20daaa-f99e-4770-a25c-e84e8cd32825", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: There may be legitimate reasons to bypass the PowerShell execution - policy. The PowerShell script being run with this parameter should be validated - to ensure that it is legitimate. -references: -- https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/ -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 42 - security_domain: endpoint - risk_severity: low - research_site_url: https://research.splunk.com/endpoint/1d20daaa-f99e-4770-a25c-e84e8cd32825/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - DHS Report TA18-074A - - HAFNIUM Group - - DarkCrystal RAT - - AsyncRAT - - Volt Typhoon - cis20: - - CIS 10 - kill_chain_phases: - - Installation - mitre_attack_id: - - T1059 - - T1059.001 - nist: - - DE.CM -test: - name: Windows Powershell Execution Policy Bypass Unit Test - tests: - - name: Windows Powershell Execution Policy Bypass - attack_data: - - file_name: windows-security.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/encoded_powershell/windows-security.log - source: XmlWinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_powershell_start_bitstransfer.yml b/dist/ssa/srs/ssa___windows_powershell_start_bitstransfer.yml deleted file mode 100644 index 8a61a275da..0000000000 --- a/dist/ssa/srs/ssa___windows_powershell_start_bitstransfer.yml +++ /dev/null @@ -1,120 +0,0 @@ -name: Windows PowerShell Start-BitsTransfer -id: 0bafd086-8f61-11ec-996e-acde48001122 -version: 5 -status: production -detection_type: STREAMING -description: Start-BitsTransfer is the PowerShell "version" of BitsAdmin.exe. Similar - functionality is present. This technique variation is not as commonly used by adversaries, - but has been abused in the past. Lesser known uses include the ability to set the - `-TransferType` to `Upload` for exfiltration of files. In an instance where `Upload` - is used, it is highly possible files will be archived. During triage, review parallel - processes and process lineage. Capture any files on disk and review. For the remote - domain or IP, what is the reputation? -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where (process_file_name IN ("powershell_ise.exe", - "powershell.exe", "sqltoolsps.exe", "sqlps.exe", "pwsh.exe", "pwsh.exe")) AND match(process_cmd_line, - /(?i)start-bitstransfer/)=true - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Windows PowerShell Start-BitsTransfer has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["BITS Jobs", "Living Off The Land"], - class_name = "Detection Report", - confidence = 70, - confidence_id = 3, - duration = 0, - impact = 70, - impact_id = 4, - kill_chain = [{"phase": "Exploitation", "phase_id": 4}, {"phase": "Installation", "phase_id": 5}, {"phase": "Command and Control", "phase_id": 6}], - nist = ["DE.AE"], - risk_level = "Medium", - category_uid = 2, - class_uid = 102001, - risk_level_id = 2, - risk_score = 49, - severity_id = 0, - rule = {"name": "Windows PowerShell Start-BitsTransfer", "uid": "0bafd086-8f61-11ec-996e-acde48001122", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint_Processess` datamodel. -known_false_positives: Limited false positives. It is possible administrators will - utilize Start-BitsTransfer for administrative tasks, otherwise filter based parent - process or command-line arguments. -references: -- https://isc.sans.edu/diary/Investigating+Microsoft+BITS+Activity/23281 -- https://docs.microsoft.com/en-us/windows/win32/bits/using-windows-powershell-to-create-bits-transfer-jobs -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 49 - security_domain: endpoint - risk_severity: low - research_site_url: https://research.splunk.com/endpoint/0bafd086-8f61-11ec-996e-acde48001122/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - BITS Jobs - - Living Off The Land - cis20: - - CIS 10 - kill_chain_phases: - - Exploitation - - Installation - - Command and Control - mitre_attack_id: - - T1197 - - T1105 - nist: - - DE.CM -test: - name: Windows PowerShell Start-BitsTransfer Unit Test - tests: - - name: Windows PowerShell Start-BitsTransfer - attack_data: - - file_name: T1197_windows-security.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/T1197_windows-security.log - source: WinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_powersploit_gpp_discovery.yml b/dist/ssa/srs/ssa___windows_powersploit_gpp_discovery.yml deleted file mode 100644 index c7ba98a26a..0000000000 --- a/dist/ssa/srs/ssa___windows_powersploit_gpp_discovery.yml +++ /dev/null @@ -1,104 +0,0 @@ -name: Windows PowerSploit GPP Discovery -id: fdef746e-71fb-41ce-8ab2-b4a5a6b50ca2 -version: 4 -status: production -detection_type: STREAMING -description: The following analytic identifies the use of the Get-GPPPassword PowerShell - commandlet employed to search for unsecured credentials Group Policy Preferences - (GPP). GPP are tools that allow administrators to create domain policies with embedded - credentials. These policies allow administrators to set local accounts. These group - policies are stored in SYSVOL on a domain controller. This means that any domain - user can view the SYSVOL share and decrypt the password (using the AES key that - has been made public). While Microsoft released a patch that impedes Administrators - to create unsecure credentials, existing Group Policy Preferences files with passwords - are not removed from SYSVOL. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval device_hostname = device.hostname | eval process_file = process.file | eval - process_file_path = process_file.path | eval process_uid = process.uid | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_uid = actor_user.uid - | where match(process_cmd_line, /(?i)get-gpppassword/)=true - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"device.hostname": device_hostname, "process.file.path": process_file_path, "process.uid": process_uid, "process.cmd_line": process_cmd_line, "actor.user.uid": actor_user_uid, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Windows PowerSploit GPP Discovery has been triggered on " + device_hostname + " by " + "Unknown" + ".", - users = [{"name": "Unknown", "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Active Directory Privilege Escalation"], - class_name = "Detection Report", - confidence = 80, - confidence_id = 3, - duration = 0, - impact = 70, - impact_id = 4, - kill_chain = [{"phase": "Exploitation", "phase_id": 4}], - nist = ["DE.AE"], - risk_level = "Medium", - category_uid = 2, - class_uid = 102001, - risk_level_id = 2, - risk_score = 56, - severity_id = 0, - rule = {"name": "Windows PowerSploit GPP Discovery", "uid": "fdef746e-71fb-41ce-8ab2-b4a5a6b50ca2", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this analytic, you will need to enable - PowerShell Script Block Logging on some or all endpoints. Additional setup here - https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -known_false_positives: Unknown -references: -- https://attack.mitre.org/techniques/T1552/006/ -- https://pentestlab.blog/2017/03/20/group-policy-preferences/ -- https://adsecurity.org/?p=2288 -- https://www.hackingarticles.in/credential-dumping-group-policy-preferences-gpp/ -- https://adsecurity.org/?p=2288 -- https://support.microsoft.com/en-us/topic/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevation-of-privilege-may-13-2014-60734e15-af79-26ca-ea53-8cd617073c30 -tags: - required_fields: - - device.hostname - - process.file.path - - process.uid - - process.cmd_line - - actor.user.uid - risk_score: 56 - security_domain: endpoint - risk_severity: medium - research_site_url: https://research.splunk.com/endpoint/fdef746e-71fb-41ce-8ab2-b4a5a6b50ca2/ - event_schema: ocsf - mappings: - - ocsf: device.hostname - cim: dest - - ocsf: process.file.path - cim: process_path - - ocsf: process.uid - cim: process_id - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.uid - cim: user_id - annotations: - analytic_story: - - Active Directory Privilege Escalation - cis20: - - CIS 10 - kill_chain_phases: - - Exploitation - mitre_attack_id: - - T1552 - - T1552.006 - nist: - - DE.CM -test: - name: Windows PowerSploit GPP Discovery Unit Test - tests: - - name: Windows PowerSploit GPP Discovery - attack_data: - - file_name: win-powershell.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.006/powershell_gpp_discovery/win-powershell.log - source: XmlWinEventLog -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_rasautou_dll_execution.yml b/dist/ssa/srs/ssa___windows_rasautou_dll_execution.yml deleted file mode 100644 index 0f2b001f18..0000000000 --- a/dist/ssa/srs/ssa___windows_rasautou_dll_execution.yml +++ /dev/null @@ -1,119 +0,0 @@ -name: Windows Rasautou DLL Execution -id: 6f42b8ce-1e15-11ec-ad5a-acde48001122 -version: 4 -status: production -detection_type: STREAMING -description: The following analytic identifies the Windows Windows Remote Auto Dialer, - rasautou.exe executing an arbitrary DLL. This technique is used to execute arbitrary - shellcode or DLLs via the rasautou.exe LOLBin capability. During triage, review - parent and child process behavior including file and image loads. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where process_file_name="rasautou.exe" - AND match(process_cmd_line, /(?i)-p /)=true AND match(process_cmd_line, /(?i)-d - /)=true - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Windows Rasautou DLL Execution has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Windows Defense Evasion Tactics", "Living Off The Land"], - class_name = "Detection Report", - confidence = 100, - confidence_id = 3, - duration = 0, - impact = 80, - impact_id = 5, - kill_chain = [{"phase": "Exploitation", "phase_id": 4}], - nist = ["DE.AE"], - risk_level = "Critical", - category_uid = 2, - class_uid = 102001, - risk_level_id = 4, - risk_score = 80, - severity_id = 0, - rule = {"name": "Windows Rasautou DLL Execution", "uid": "6f42b8ce-1e15-11ec-ad5a-acde48001122", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. -known_false_positives: False positives will be limited to applications that require - Rasautou.exe to load a DLL from disk. Filter as needed. -references: -- https://github.com/mandiant/DueDLLigence -- https://github.com/MHaggis/notes/blob/master/utilities/Invoke-SPLDLLigence.ps1 -- https://gist.github.com/NickTyrer/c6043e4b302d5424f701f15baf136513 -- https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 80 - security_domain: endpoint - risk_severity: high - research_site_url: https://research.splunk.com/endpoint/6f42b8ce-1e15-11ec-ad5a-acde48001122/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Windows Defense Evasion Tactics - - Living Off The Land - cis20: - - CIS 10 - kill_chain_phases: - - Exploitation - mitre_attack_id: - - T1055.001 - - T1218 - - T1055 - nist: - - DE.CM -test: - name: Windows Rasautou DLL Execution Unit Test - tests: - - name: Windows Rasautou DLL Execution - attack_data: - - file_name: windows-security.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055.001/rasautou/windows-security.log - source: WinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_rename_system_utilities_acccheckconsole_exe_lolbas_in_non_standard_path.yml b/dist/ssa/srs/ssa___windows_rename_system_utilities_acccheckconsole_exe_lolbas_in_non_standard_path.yml deleted file mode 100644 index ece69922a1..0000000000 --- a/dist/ssa/srs/ssa___windows_rename_system_utilities_acccheckconsole_exe_lolbas_in_non_standard_path.yml +++ /dev/null @@ -1,119 +0,0 @@ -name: Windows Rename System Utilities Acccheckconsole exe LOLBAS in Non Standard Path -id: c842931e-661f-42bc-a4df-0460d93cfb69 -version: 5 -status: production -detection_type: STREAMING -description: The following analytic identifies AccCheckConsole.exe which is a native - living off the land binary or script (LOLBAS) within the Windows operating system - that may be abused by adversaries by moving it to a new directory. The list of binaries - was derived from the https://lolbas-project.github.io site. The specific default - filepath for AccCheckConsole.exe is within "C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\". -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where process_file_name="acccheckconsole.exe" - AND (NOT match(process_file_path, /(?i)\\program files \(x86\)\\windows kits\\10\\bin\\10.0.22000.0\\(x86|x64|arm|arm64)\\accchecker\\/)=true) - - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Windows Rename System Utilities Acccheckconsole exe LOLBAS in Non Standard Path has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Unusual Processes", "Living Off The Land"], - class_name = "Detection Report", - confidence = 70, - confidence_id = 3, - duration = 0, - impact = 20, - impact_id = 2, - kill_chain = [{"phase": "Exploitation", "phase_id": 4}], - nist = ["DE.AE"], - risk_level = "Info", - category_uid = 2, - class_uid = 102001, - risk_level_id = 0, - risk_score = 14, - severity_id = 0, - rule = {"name": "Windows Rename System Utilities Acccheckconsole exe LOLBAS in Non Standard Path", "uid": "c842931e-661f-42bc-a4df-0460d93cfb69", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this search, you must be ingesting logs - with the process name, command-line arguments, and parent processes from your endpoints. - Collect endpoint data such as Sysmon or Windows Events 4688. -known_false_positives: False positives may be present and filtering may be required. - Certain utilities will run from non-standard paths based on the third-party application - in use. -references: -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.yaml -- https://attack.mitre.org/techniques/T1036/003/ -- https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/ -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 14 - security_domain: endpoint - risk_severity: low - research_site_url: https://research.splunk.com/endpoint/c842931e-661f-42bc-a4df-0460d93cfb69/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Unusual Processes - - Living Off The Land - cis20: - - CIS 10 - kill_chain_phases: - - Exploitation - mitre_attack_id: - - T1036 - - T1036.003 - nist: - - DE.AE -test: - name: Windows Rename System Utilities Acccheckconsole exe LOLBAS in Non Standard - Path Unit Test - tests: - - name: Windows Rename System Utilities Acccheckconsole exe LOLBAS in Non Standard - Path - attack_data: - - file_name: lolbas_dataset.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/system_process_running_unexpected_location/lolbas_dataset.log - source: WinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_rename_system_utilities_adplus_exe_lolbas_in_non_standard_path.yml b/dist/ssa/srs/ssa___windows_rename_system_utilities_adplus_exe_lolbas_in_non_standard_path.yml deleted file mode 100644 index bedef58bf2..0000000000 --- a/dist/ssa/srs/ssa___windows_rename_system_utilities_adplus_exe_lolbas_in_non_standard_path.yml +++ /dev/null @@ -1,118 +0,0 @@ -name: Windows Rename System Utilities Adplus exe LOLBAS in Non Standard Path -id: ecaaf956-c516-4980-b08e-8c01c19614ca -version: 5 -status: production -detection_type: STREAMING -description: The following analytic identifies adplus.exe which is a native living - off the land binary or script (LOLBAS) within the Windows operating system that - may be abused by adversaries by moving it to a new directory. The list of binaries - was derived from the https://lolbas-project.github.io site. The specific default - filepath for adplus.exe is within "C:\Program Files (x86)\Windows Kits\10\Debuggers". -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where process_file_name="adplus.exe" - AND (NOT match(process_file_path, /(?i)\\program files \(x86\)\\windows kits\\10\\debuggers\\(x86|x64|arm|arm64)\\/)=true) - - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Windows Rename System Utilities Adplus exe LOLBAS in Non Standard Path has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Unusual Processes", "Living Off The Land"], - class_name = "Detection Report", - confidence = 70, - confidence_id = 3, - duration = 0, - impact = 20, - impact_id = 2, - kill_chain = [{"phase": "Exploitation", "phase_id": 4}], - nist = ["DE.AE"], - risk_level = "Info", - category_uid = 2, - class_uid = 102001, - risk_level_id = 0, - risk_score = 14, - severity_id = 0, - rule = {"name": "Windows Rename System Utilities Adplus exe LOLBAS in Non Standard Path", "uid": "ecaaf956-c516-4980-b08e-8c01c19614ca", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this search, you must be ingesting logs - with the process name, command-line arguments, and parent processes from your endpoints. - Collect endpoint data such as Sysmon or Windows Events 4688. -known_false_positives: False positives may be present and filtering may be required. - Certain utilities will run from non-standard paths based on the third-party application - in use. -references: -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.yaml -- https://attack.mitre.org/techniques/T1036/003/ -- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/ -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 14 - security_domain: endpoint - risk_severity: low - research_site_url: https://research.splunk.com/endpoint/ecaaf956-c516-4980-b08e-8c01c19614ca/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Unusual Processes - - Living Off The Land - cis20: - - CIS 10 - kill_chain_phases: - - Exploitation - mitre_attack_id: - - T1036 - - T1036.003 - nist: - - DE.AE -test: - name: Windows Rename System Utilities Adplus exe LOLBAS in Non Standard Path Unit - Test - tests: - - name: Windows Rename System Utilities Adplus exe LOLBAS in Non Standard Path - attack_data: - - file_name: lolbas_dataset.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/system_process_running_unexpected_location/lolbas_dataset.log - source: WinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_rename_system_utilities_advpack_dll_lolbas_in_non_standard_path.yml b/dist/ssa/srs/ssa___windows_rename_system_utilities_advpack_dll_lolbas_in_non_standard_path.yml deleted file mode 100644 index 3a1d7c8e71..0000000000 --- a/dist/ssa/srs/ssa___windows_rename_system_utilities_advpack_dll_lolbas_in_non_standard_path.yml +++ /dev/null @@ -1,118 +0,0 @@ -name: Windows Rename System Utilities Advpack dll LOLBAS in Non Standard Path -id: 3284e4f4-67f7-49b6-ad5e-a8fcead2eef8 -version: 5 -status: production -detection_type: STREAMING -description: The following analytic identifies Advpack.dll which is a native living - off the land binary or script (LOLBAS) within the Windows operating system that - may be abused by adversaries by moving it to a new directory. The list of binaries - was derived from the https://lolbas-project.github.io site. The specific default - filepath for advpack.dll is within either "C:\Windows\System32" or "C:\Windows\SysWOW64". -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where process_file_name="advpack.dll" - AND (NOT match(process_file_path, /(?i)\\windows\\(syswow64|system32)\\/)=true) - - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Windows Rename System Utilities Advpack dll LOLBAS in Non Standard Path has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Unusual Processes", "Living Off The Land"], - class_name = "Detection Report", - confidence = 70, - confidence_id = 3, - duration = 0, - impact = 20, - impact_id = 2, - kill_chain = [{"phase": "Exploitation", "phase_id": 4}], - nist = ["DE.AE"], - risk_level = "Info", - category_uid = 2, - class_uid = 102001, - risk_level_id = 0, - risk_score = 14, - severity_id = 0, - rule = {"name": "Windows Rename System Utilities Advpack dll LOLBAS in Non Standard Path", "uid": "3284e4f4-67f7-49b6-ad5e-a8fcead2eef8", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this search, you must be ingesting logs - with the process name, command-line arguments, and parent processes from your endpoints. - Collect endpoint data such as Sysmon or Windows Events 4688. -known_false_positives: False positives may be present and filtering may be required. - Certain utilities will run from non-standard paths based on the third-party application - in use. -references: -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.yaml -- https://attack.mitre.org/techniques/T1036/003/ -- https://lolbas-project.github.io/lolbas/Libraries/Advpack/ -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 14 - security_domain: endpoint - risk_severity: low - research_site_url: https://research.splunk.com/endpoint/3284e4f4-67f7-49b6-ad5e-a8fcead2eef8/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Unusual Processes - - Living Off The Land - cis20: - - CIS 10 - kill_chain_phases: - - Exploitation - mitre_attack_id: - - T1036 - - T1036.003 - nist: - - DE.AE -test: - name: Windows Rename System Utilities Advpack dll LOLBAS in Non Standard Path Unit - Test - tests: - - name: Windows Rename System Utilities Advpack dll LOLBAS in Non Standard Path - attack_data: - - file_name: lolbas_dataset.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/system_process_running_unexpected_location/lolbas_dataset.log - source: WinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_rename_system_utilities_agentexecutor_exe_lolbas_in_non_standard_path.yml b/dist/ssa/srs/ssa___windows_rename_system_utilities_agentexecutor_exe_lolbas_in_non_standard_path.yml deleted file mode 100644 index aac3ccafd5..0000000000 --- a/dist/ssa/srs/ssa___windows_rename_system_utilities_agentexecutor_exe_lolbas_in_non_standard_path.yml +++ /dev/null @@ -1,120 +0,0 @@ -name: Windows Rename System Utilities Agentexecutor exe LOLBAS in Non Standard Path -id: e124f71f-11bc-47e4-9931-6046d256005d -version: 5 -status: production -detection_type: STREAMING -description: The following analytic identifies AgentExecutor.exe which is a native - living off the land binary or script (LOLBAS) within the Windows operating system - that may be abused by adversaries by moving it to a new directory. The list of binaries - was derived from the https://lolbas-project.github.io site. The specific default - filepath for AgentExecutor.exe should be "C:\Program Files (x86)\Microsoft Intune - Management Extension". -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where process_file_name="agentexecutor.exe" - AND (NOT match(process_file_path, /(?i)\\program files (x86)\\microsoft intune management - extension\\/)=true) - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Windows Rename System Utilities Agentexecutor exe LOLBAS in Non Standard Path has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Unusual Processes", "Living Off The Land"], - class_name = "Detection Report", - confidence = 70, - confidence_id = 3, - duration = 0, - impact = 20, - impact_id = 2, - kill_chain = [{"phase": "Exploitation", "phase_id": 4}], - nist = ["DE.AE"], - risk_level = "Info", - category_uid = 2, - class_uid = 102001, - risk_level_id = 0, - risk_score = 14, - severity_id = 0, - rule = {"name": "Windows Rename System Utilities Agentexecutor exe LOLBAS in Non Standard Path", "uid": "e124f71f-11bc-47e4-9931-6046d256005d", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this search, you must be ingesting logs - with the process name, command-line arguments, and parent processes from your endpoints. - Collect endpoint data such as Sysmon or Windows Events 4688. -known_false_positives: False positives may be present and filtering may be required. - Certain utilities will run from non-standard paths based on the third-party application - in use. -references: -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.yaml -- https://attack.mitre.org/techniques/T1036/003/ -- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/ -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 14 - security_domain: endpoint - risk_severity: low - research_site_url: https://research.splunk.com/endpoint/e124f71f-11bc-47e4-9931-6046d256005d/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Unusual Processes - - Living Off The Land - cis20: - - CIS 10 - kill_chain_phases: - - Exploitation - mitre_attack_id: - - T1036 - - T1036.003 - nist: - - DE.AE -test: - name: Windows Rename System Utilities Agentexecutor exe LOLBAS in Non Standard Path - Unit Test - tests: - - name: Windows Rename System Utilities Agentexecutor exe LOLBAS in Non Standard - Path - attack_data: - - file_name: lolbas_dataset.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/system_process_running_unexpected_location/lolbas_dataset.log - source: WinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_rename_system_utilities_appinstaller_exe_lolbas_in_non_standard_path.yml b/dist/ssa/srs/ssa___windows_rename_system_utilities_appinstaller_exe_lolbas_in_non_standard_path.yml deleted file mode 100644 index 754ae0b055..0000000000 --- a/dist/ssa/srs/ssa___windows_rename_system_utilities_appinstaller_exe_lolbas_in_non_standard_path.yml +++ /dev/null @@ -1,119 +0,0 @@ -name: Windows Rename System Utilities Appinstaller exe LOLBAS in Non Standard Path -id: 057c06c7-ef31-4749-b5c9-199152e53a06 -version: 5 -status: production -detection_type: STREAMING -description: The following analytic identifies AppInstaller.exe which is a native - living off the land binary or script (LOLBAS) within the Windows operating system - that may be abused by adversaries by moving it to a new directory. The list of binaries - was derived from the https://lolbas-project.github.io site. The specific default - filepath for AppInstaller.exe should be in "C:\Program Files\WindowsApps\". -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where process_file_name="appinstaller.exe" - AND (NOT match(process_file_path, /(?i)\\program files\\windowsapps\\microsoft.desktopappinstaller_/)=true) - - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Windows Rename System Utilities Appinstaller exe LOLBAS in Non Standard Path has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Unusual Processes", "Living Off The Land"], - class_name = "Detection Report", - confidence = 70, - confidence_id = 3, - duration = 0, - impact = 20, - impact_id = 2, - kill_chain = [{"phase": "Exploitation", "phase_id": 4}], - nist = ["DE.AE"], - risk_level = "Info", - category_uid = 2, - class_uid = 102001, - risk_level_id = 0, - risk_score = 14, - severity_id = 0, - rule = {"name": "Windows Rename System Utilities Appinstaller exe LOLBAS in Non Standard Path", "uid": "057c06c7-ef31-4749-b5c9-199152e53a06", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this search, you must be ingesting logs - with the process name, command-line arguments, and parent processes from your endpoints. - Collect endpoint data such as Sysmon or Windows Events 4688. -known_false_positives: False positives may be present and filtering may be required. - Certain utilities will run from non-standard paths based on the third-party application - in use. -references: -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.yaml -- https://attack.mitre.org/techniques/T1036/003/ -- https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/ -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 14 - security_domain: endpoint - risk_severity: low - research_site_url: https://research.splunk.com/endpoint/057c06c7-ef31-4749-b5c9-199152e53a06/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Unusual Processes - - Living Off The Land - cis20: - - CIS 10 - kill_chain_phases: - - Exploitation - mitre_attack_id: - - T1036 - - T1036.003 - nist: - - DE.AE -test: - name: Windows Rename System Utilities Appinstaller exe LOLBAS in Non Standard Path - Unit Test - tests: - - name: Windows Rename System Utilities Appinstaller exe LOLBAS in Non Standard - Path - attack_data: - - file_name: lolbas_dataset.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/system_process_running_unexpected_location/lolbas_dataset.log - source: WinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_rename_system_utilities_appvlp_exe_lolbas_in_non_standard_path.yml b/dist/ssa/srs/ssa___windows_rename_system_utilities_appvlp_exe_lolbas_in_non_standard_path.yml deleted file mode 100644 index 8ff0b715a0..0000000000 --- a/dist/ssa/srs/ssa___windows_rename_system_utilities_appvlp_exe_lolbas_in_non_standard_path.yml +++ /dev/null @@ -1,118 +0,0 @@ -name: Windows Rename System Utilities Appvlp exe LOLBAS in Non Standard Path -id: 93862a89-abe0-4094-909a-08ec390aa5e3 -version: 5 -status: production -detection_type: STREAMING -description: The following analytic identifies Appvlp.exe which is a native living - off the land binary or script (LOLBAS) within the Windows operating system that - may be abused by adversaries by moving it to a new directory. The list of binaries - was derived from the https://lolbas-project.github.io site. The specific default - filepath for Appvlp.exe should be "C:\Program Files\Microsoft Office\root\client". -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where process_file_name="appvlp.exe" - AND (NOT match(process_file_path, /(?i)\\program files(| \(x86\))\\microsoft office\\root\\client/)=true) - - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Windows Rename System Utilities Appvlp exe LOLBAS in Non Standard Path has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Unusual Processes", "Living Off The Land"], - class_name = "Detection Report", - confidence = 70, - confidence_id = 3, - duration = 0, - impact = 20, - impact_id = 2, - kill_chain = [{"phase": "Exploitation", "phase_id": 4}], - nist = ["DE.AE"], - risk_level = "Info", - category_uid = 2, - class_uid = 102001, - risk_level_id = 0, - risk_score = 14, - severity_id = 0, - rule = {"name": "Windows Rename System Utilities Appvlp exe LOLBAS in Non Standard Path", "uid": "93862a89-abe0-4094-909a-08ec390aa5e3", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this search, you must be ingesting logs - with the process name, command-line arguments, and parent processes from your endpoints. - Collect endpoint data such as Sysmon or Windows Events 4688. -known_false_positives: False positives may be present and filtering may be required. - Certain utilities will run from non-standard paths based on the third-party application - in use. -references: -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.yaml -- https://attack.mitre.org/techniques/T1036/003/ -- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Appvlp/ -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 14 - security_domain: endpoint - risk_severity: low - research_site_url: https://research.splunk.com/endpoint/93862a89-abe0-4094-909a-08ec390aa5e3/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Unusual Processes - - Living Off The Land - cis20: - - CIS 10 - kill_chain_phases: - - Exploitation - mitre_attack_id: - - T1036 - - T1036.003 - nist: - - DE.AE -test: - name: Windows Rename System Utilities Appvlp exe LOLBAS in Non Standard Path Unit - Test - tests: - - name: Windows Rename System Utilities Appvlp exe LOLBAS in Non Standard Path - attack_data: - - file_name: lolbas_dataset.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/system_process_running_unexpected_location/lolbas_dataset.log - source: WinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_rename_system_utilities_aspnet_compiler_exe_lolbas_in_non_standard_path.yml b/dist/ssa/srs/ssa___windows_rename_system_utilities_aspnet_compiler_exe_lolbas_in_non_standard_path.yml deleted file mode 100644 index 12b03847a3..0000000000 --- a/dist/ssa/srs/ssa___windows_rename_system_utilities_aspnet_compiler_exe_lolbas_in_non_standard_path.yml +++ /dev/null @@ -1,119 +0,0 @@ -name: Windows Rename System Utilities Aspnet compiler exe LOLBAS in Non Standard Path -id: d75cc561-3828-4d0a-92c4-0eb93bfe0929 -version: 5 -status: production -detection_type: STREAMING -description: The following analytic identifies Aspnet_Compiler.exe which is a native - living off the land binary or script (LOLBAS) within the Windows operating system - that may be abused by adversaries by moving it to a new directory. The list of binaries - was derived from the https://lolbas-project.github.io site. The specific default - filepath for the Aspnet_compiler.exe should be in "C:\Windows\Microsoft.NET\Framework\". -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where process_file_name="aspnet_compiler.exe" - AND (NOT match(process_file_path, /(?i)\\windows\\microsoft.net\\(framework|framework64)\\v[0-9]+\.[0-9]+\.[0-9]+\\/)=true) - - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Windows Rename System Utilities Aspnet compiler exe LOLBAS in Non Standard Path has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Unusual Processes", "Living Off The Land"], - class_name = "Detection Report", - confidence = 70, - confidence_id = 3, - duration = 0, - impact = 20, - impact_id = 2, - kill_chain = [{"phase": "Exploitation", "phase_id": 4}], - nist = ["DE.AE"], - risk_level = "Info", - category_uid = 2, - class_uid = 102001, - risk_level_id = 0, - risk_score = 14, - severity_id = 0, - rule = {"name": "Windows Rename System Utilities Aspnet compiler exe LOLBAS in Non Standard Path", "uid": "d75cc561-3828-4d0a-92c4-0eb93bfe0929", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this search, you must be ingesting logs - with the process name, command-line arguments, and parent processes from your endpoints. - Collect endpoint data such as Sysmon or Windows Events 4688. -known_false_positives: False positives may be present and filtering may be required. - Certain utilities will run from non-standard paths based on the third-party application - in use. -references: -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.yaml -- https://attack.mitre.org/techniques/T1036/003/ -- https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/ -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 14 - security_domain: endpoint - risk_severity: low - research_site_url: https://research.splunk.com/endpoint/d75cc561-3828-4d0a-92c4-0eb93bfe0929/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Unusual Processes - - Living Off The Land - cis20: - - CIS 10 - kill_chain_phases: - - Exploitation - mitre_attack_id: - - T1036 - - T1036.003 - nist: - - DE.AE -test: - name: Windows Rename System Utilities Aspnet compiler exe LOLBAS in Non Standard - Path Unit Test - tests: - - name: Windows Rename System Utilities Aspnet compiler exe LOLBAS in Non Standard - Path - attack_data: - - file_name: lolbas_dataset.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/system_process_running_unexpected_location/lolbas_dataset.log - source: WinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_rename_system_utilities_at_exe_lolbas_in_non_standard_path.yml b/dist/ssa/srs/ssa___windows_rename_system_utilities_at_exe_lolbas_in_non_standard_path.yml deleted file mode 100644 index d13c37fe3e..0000000000 --- a/dist/ssa/srs/ssa___windows_rename_system_utilities_at_exe_lolbas_in_non_standard_path.yml +++ /dev/null @@ -1,116 +0,0 @@ -name: Windows Rename System Utilities At exe LOLBAS in Non Standard Path -id: 6401d583-0052-4dc5-a713-68b510826d2b -version: 5 -status: production -detection_type: STREAMING -description: The following analytic identifies At.exe which is a native living off - the land binary or script (LOLBAS) within the Windows operating system that may - be abused by adversaries by moving it to a new directory. The list of binaries was - derived from the https://lolbas-project.github.io site. The specific default filepath - should be either "C:\Windows\System32\" or "C:\Windows\SysWOW64\". -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where process_file_name="at.exe" AND - (NOT match(process_file_path, /(?i)\\windows\\(syswow64|system32)\\/)=true) - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Windows Rename System Utilities At exe LOLBAS in Non Standard Path has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Unusual Processes", "Living Off The Land"], - class_name = "Detection Report", - confidence = 70, - confidence_id = 3, - duration = 0, - impact = 20, - impact_id = 2, - kill_chain = [{"phase": "Exploitation", "phase_id": 4}], - nist = ["DE.AE"], - risk_level = "Info", - category_uid = 2, - class_uid = 102001, - risk_level_id = 0, - risk_score = 14, - severity_id = 0, - rule = {"name": "Windows Rename System Utilities At exe LOLBAS in Non Standard Path", "uid": "6401d583-0052-4dc5-a713-68b510826d2b", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this search, you must be ingesting logs - with the process name, command-line arguments, and parent processes from your endpoints. - Collect endpoint data such as Sysmon or Windows Events 4688. -known_false_positives: False positives may be present and filtering may be required. - Certain utilities will run from non-standard paths based on the third-party application - in use. -references: -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.yaml -- https://attack.mitre.org/techniques/T1036/003/ -- https://lolbas-project.github.io/lolbas/Binaries/At/ -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 14 - security_domain: endpoint - risk_severity: low - research_site_url: https://research.splunk.com/endpoint/6401d583-0052-4dc5-a713-68b510826d2b/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Unusual Processes - - Living Off The Land - cis20: - - CIS 10 - kill_chain_phases: - - Exploitation - mitre_attack_id: - - T1036 - - T1036.003 - nist: - - DE.AE -test: - name: Windows Rename System Utilities At exe LOLBAS in Non Standard Path Unit Test - tests: - - name: Windows Rename System Utilities At exe LOLBAS in Non Standard Path - attack_data: - - file_name: lolbas_dataset.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/system_process_running_unexpected_location/lolbas_dataset.log - source: WinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_rename_system_utilities_atbroker_exe_lolbas_in_non_standard_path.yml b/dist/ssa/srs/ssa___windows_rename_system_utilities_atbroker_exe_lolbas_in_non_standard_path.yml deleted file mode 100644 index 4689ba9f4b..0000000000 --- a/dist/ssa/srs/ssa___windows_rename_system_utilities_atbroker_exe_lolbas_in_non_standard_path.yml +++ /dev/null @@ -1,118 +0,0 @@ -name: Windows Rename System Utilities Atbroker exe LOLBAS in Non Standard Path -id: b8da7ea5-8c16-4eff-9787-54ec271159e0 -version: 5 -status: production -detection_type: STREAMING -description: The following analytic identifies Atbroker.exe which is a native living - off the land binary or script (LOLBAS) within the Windows operating system that - may be abused by adversaries by moving it to a new directory. The list of binaries - was derived from the https://lolbas-project.github.io site. The specific default - filepath should be either "C:\Windows\System32\" or "C:\Windows\SysWOW64\". -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where process_file_name="atbroker.exe" - AND (NOT match(process_file_path, /(?i)\\windows\\(syswow64|system32)\\/)=true) - - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Windows Rename System Utilities Atbroker exe LOLBAS in Non Standard Path has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Unusual Processes", "Living Off The Land"], - class_name = "Detection Report", - confidence = 70, - confidence_id = 3, - duration = 0, - impact = 20, - impact_id = 2, - kill_chain = [{"phase": "Exploitation", "phase_id": 4}], - nist = ["DE.AE"], - risk_level = "Info", - category_uid = 2, - class_uid = 102001, - risk_level_id = 0, - risk_score = 14, - severity_id = 0, - rule = {"name": "Windows Rename System Utilities Atbroker exe LOLBAS in Non Standard Path", "uid": "b8da7ea5-8c16-4eff-9787-54ec271159e0", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this search, you must be ingesting logs - with the process name, command-line arguments, and parent processes from your endpoints. - Collect endpoint data such as Sysmon or Windows Events 4688. -known_false_positives: False positives may be present and filtering may be required. - Certain utilities will run from non-standard paths based on the third-party application - in use. -references: -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.yaml -- https://attack.mitre.org/techniques/T1036/003/ -- https://lolbas-project.github.io/lolbas/Binaries/Atbroker/ -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 14 - security_domain: endpoint - risk_severity: low - research_site_url: https://research.splunk.com/endpoint/b8da7ea5-8c16-4eff-9787-54ec271159e0/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Unusual Processes - - Living Off The Land - cis20: - - CIS 10 - kill_chain_phases: - - Exploitation - mitre_attack_id: - - T1036 - - T1036.003 - nist: - - DE.AE -test: - name: Windows Rename System Utilities Atbroker exe LOLBAS in Non Standard Path Unit - Test - tests: - - name: Windows Rename System Utilities Atbroker exe LOLBAS in Non Standard Path - attack_data: - - file_name: lolbas_dataset.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/system_process_running_unexpected_location/lolbas_dataset.log - source: WinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_rundll32_comsvcs_memory_dump.yml b/dist/ssa/srs/ssa___windows_rundll32_comsvcs_memory_dump.yml deleted file mode 100644 index 63c0b591a4..0000000000 --- a/dist/ssa/srs/ssa___windows_rundll32_comsvcs_memory_dump.yml +++ /dev/null @@ -1,113 +0,0 @@ -name: Windows Rundll32 Comsvcs Memory Dump -id: 76bb9e35-f314-4c3d-a385-83c72a13ce4e -version: 8 -status: production -detection_type: STREAMING -description: The following analytic identifies memory dumping using comsvcs.dll with - the minidump function with `rundll32.exe`. This technique is common with adversaries - who would like to dump the memory of lsass.exe. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where (match(process_cmd_line, /(?i)minidump/)=true - AND process_file_name="rundll32.exe") AND match(process_cmd_line, /(?i)comsvcs.dll/)=true - - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Windows Rundll32 Comsvcs Memory Dump has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Credential Dumping", "Suspicious Rundll32 Activity"], - class_name = "Detection Report", - confidence = 100, - confidence_id = 3, - duration = 0, - impact = 40, - impact_id = 3, - kill_chain = [{"phase": "Exploitation", "phase_id": 4}], - nist = ["DE.AE"], - risk_level = "Medium", - category_uid = 2, - class_uid = 102001, - risk_level_id = 2, - risk_score = 40, - severity_id = 0, - rule = {"name": "Windows Rundll32 Comsvcs Memory Dump", "uid": "76bb9e35-f314-4c3d-a385-83c72a13ce4e", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: You must be ingesting endpoint data that tracks process activity, - including Windows command line logging. You can see how we test this with [Event - Code 4688](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4688a) - on the [attack_range](https://github.com/splunk/attack_range/blob/develop/ansible/roles/windows_common/tasks/windows-enable-4688-cmd-line-audit.yml). -known_false_positives: False positives should be limited, filter as needed. -references: -- https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md#atomic-test-3---dump-lsassexe-memory-using-comsvcsdll -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 40 - security_domain: endpoint - risk_severity: low - research_site_url: https://research.splunk.com/endpoint/76bb9e35-f314-4c3d-a385-83c72a13ce4e/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Credential Dumping - - Suspicious Rundll32 Activity - cis20: - - CIS 10 - kill_chain_phases: - - Exploitation - mitre_attack_id: - - T1003.003 - - T1003 - nist: - - DE.CM -test: - name: Windows Rundll32 Comsvcs Memory Dump Unit Test - tests: - - name: Windows Rundll32 Comsvcs Memory Dump - attack_data: - - file_name: windows-security.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-security.log - source: WinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_rundll32_inline_hta_execution.yml b/dist/ssa/srs/ssa___windows_rundll32_inline_hta_execution.yml deleted file mode 100644 index 47ee96d72f..0000000000 --- a/dist/ssa/srs/ssa___windows_rundll32_inline_hta_execution.yml +++ /dev/null @@ -1,121 +0,0 @@ -name: Windows Rundll32 Inline HTA Execution -id: 0caa1dd6-94f5-11ec-9786-acde48001122 -version: 4 -status: production -detection_type: STREAMING -description: The following analytic identifies "rundll32.exe" execution with inline - protocol handlers. "JavaScript", "VBScript", and "About" are the only supported - options when invoking HTA content directly on the command-line. This type of behavior - is commonly observed with fileless malware or application whitelisting bypass techniques. - The search will return the first time and last time these command-line arguments - were used for these executions, as well as the target system, the user, process - "rundll32.exe" and its parent process. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where (process_cmd_line LIKE "%about%" - OR process_cmd_line LIKE "%javascript%" OR process_cmd_line LIKE "%vbscript%") AND - process_file_name="rundll32.exe" - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Windows Rundll32 Inline HTA Execution has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Suspicious MSHTA Activity", "NOBELIUM Group", "Living Off The Land"], - class_name = "Detection Report", - confidence = 80, - confidence_id = 3, - duration = 0, - impact = 70, - impact_id = 4, - kill_chain = [{"phase": "Exploitation", "phase_id": 4}], - nist = ["DE.AE"], - risk_level = "Medium", - category_uid = 2, - class_uid = 102001, - risk_level_id = 2, - risk_score = 56, - severity_id = 0, - rule = {"name": "Windows Rundll32 Inline HTA Execution", "uid": "0caa1dd6-94f5-11ec-9786-acde48001122", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. -known_false_positives: Although unlikely, some legitimate applications may exhibit - this behavior, triggering a false positive. -references: -- https://github.com/redcanaryco/AtomicTestHarnesses -- https://redcanary.com/blog/introducing-atomictestharnesses/ -- https://docs.microsoft.com/en-us/windows/win32/search/-search-3x-wds-extidx-prot-implementing -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 56 - security_domain: endpoint - risk_severity: medium - research_site_url: https://research.splunk.com/endpoint/0caa1dd6-94f5-11ec-9786-acde48001122/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Suspicious MSHTA Activity - - NOBELIUM Group - - Living Off The Land - cis20: - - CIS 10 - kill_chain_phases: - - Exploitation - mitre_attack_id: - - T1218 - - T1218.005 - nist: - - DE.CM -test: - name: Windows Rundll32 Inline HTA Execution Unit Test - tests: - - name: Windows Rundll32 Inline HTA Execution - attack_data: - - file_name: windows-security.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/windows-security.log - source: WinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_screen_capture_via_powershell.yml b/dist/ssa/srs/ssa___windows_screen_capture_via_powershell.yml deleted file mode 100644 index e1b9d47694..0000000000 --- a/dist/ssa/srs/ssa___windows_screen_capture_via_powershell.yml +++ /dev/null @@ -1,97 +0,0 @@ -name: Windows Screen Capture Via Powershell -id: 678ae7c6-0e63-44db-9881-03202c312f66 -version: 1 -status: production -detection_type: STREAMING -description: The following analytic identifies a potential PowerShell script that - captures screen images on compromised or targeted hosts. This technique was observed - in the Winter-Vivern malware, which attempts to capture desktop screens using a - PowerShell script and send the images to its C2 server as part of its exfiltration - strategy. This TTP serves as a useful indicator that a PowerShell process may be - gathering desktop screenshots from a host system, potentially signaling malicious - activity. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval device_hostname = device.hostname | eval process_file = process.file | eval - process_file_path = process_file.path | eval process_uid = process.uid | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_uid = actor_user.uid - | where match(process_cmd_line, /(?i).CopyFromScreen/)=true - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"device.hostname": device_hostname, "process.file.path": process_file_path, "process.uid": process_uid, "process.cmd_line": process_cmd_line, "actor.user.uid": actor_user_uid, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Windows Screen Capture Via Powershell has been triggered on " + device_hostname + " by " + "Unknown" + ".", - users = [{"name": "Unknown", "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Winter Vivern"], - class_name = "Detection Report", - confidence = 70, - confidence_id = 3, - duration = 0, - impact = 70, - impact_id = 4, - kill_chain = [{"phase": "Exploitation", "phase_id": 4}], - nist = ["DE.AE"], - risk_level = "Medium", - category_uid = 2, - class_uid = 102001, - risk_level_id = 2, - risk_score = 49, - severity_id = 0, - rule = {"name": "Windows Screen Capture Via Powershell", "uid": "678ae7c6-0e63-44db-9881-03202c312f66", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this analytic, you will need to enable - PowerShell Script Block Logging on some or all endpoints. Additional setup here - https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -known_false_positives: unknown -references: -- https://twitter.com/_CERT_UA/status/1620781684257091584 -- https://cert.gov.ua/article/3761104 -tags: - required_fields: - - device.hostname - - process.file.path - - process.uid - - process.cmd_line - - actor.user.uid - risk_score: 49 - security_domain: endpoint - risk_severity: low - research_site_url: https://research.splunk.com/endpoint/678ae7c6-0e63-44db-9881-03202c312f66/ - event_schema: ocsf - mappings: - - ocsf: device.hostname - cim: dest - - ocsf: process.file.path - cim: process_path - - ocsf: process.uid - cim: process_id - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.uid - cim: user_id - annotations: - analytic_story: - - Winter Vivern - cis20: - - CIS 10 - kill_chain_phases: - - Exploitation - mitre_attack_id: - - T1113 - nist: - - DE.CM -test: - name: Windows Screen Capture Via Powershell Unit Test - tests: - - name: Windows Screen Capture Via Powershell - attack_data: - - file_name: windows-powershell-xml.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winter-vivern/pwh_exfiltration/windows-powershell-xml.log - source: XmlWinEventLog -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_script_host_spawn_msbuild.yml b/dist/ssa/srs/ssa___windows_script_host_spawn_msbuild.yml deleted file mode 100644 index ebee275174..0000000000 --- a/dist/ssa/srs/ssa___windows_script_host_spawn_msbuild.yml +++ /dev/null @@ -1,118 +0,0 @@ -name: Windows Script Host Spawn MSBuild -id: 92886f1c-9b11-11ec-848a-acde48001122 -version: 4 -status: production -detection_type: STREAMING -description: This analytic is to detect a suspicious child process of MSBuild spawned - by Windows Script Host - cscript or wscript. This behavior or event are commonly - seen and used by malware or adversaries to execute malicious msbuild process using - malicious script in the compromised host. During triage, review parallel processes - and identify any file modifications. MSBuild may load a script from the same path - without having command-line arguments. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where process_file_name="msbuild.exe" - AND (match(actor_process_file_name, /(?i)cscript.exe/)=true OR match(actor_process_file_name, - /(?i)wscript.exe/)=true) - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Windows Script Host Spawn MSBuild has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Trusted Developer Utilities Proxy Execution MSBuild", "Living Off The Land"], - class_name = "Detection Report", - confidence = 100, - confidence_id = 3, - duration = 0, - impact = 80, - impact_id = 5, - kill_chain = [{"phase": "Exploitation", "phase_id": 4}], - nist = ["DE.AE"], - risk_level = "Critical", - category_uid = 2, - class_uid = 102001, - risk_level_id = 4, - risk_score = 80, - severity_id = 0, - rule = {"name": "Windows Script Host Spawn MSBuild", "uid": "92886f1c-9b11-11ec-848a-acde48001122", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. -known_false_positives: False positives should be limited as developers do not spawn - MSBuild via a WSH. -references: -- https://app.any.run/tasks/dc93ee63-050c-4ff8-b07e-8277af9ab939/# -- https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/Windows/TestHarnesses/T1127.001_MSBuild/InvokeMSBuild.ps1 -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 80 - security_domain: endpoint - risk_severity: high - research_site_url: https://research.splunk.com/endpoint/92886f1c-9b11-11ec-848a-acde48001122/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Trusted Developer Utilities Proxy Execution MSBuild - - Living Off The Land - cis20: - - CIS 10 - kill_chain_phases: - - Exploitation - mitre_attack_id: - - T1127.001 - - T1127 - nist: - - DE.CM -test: - name: Windows Script Host Spawn MSBuild Unit Test - tests: - - name: Windows Script Host Spawn MSBuild - attack_data: - - file_name: msbuild-windows-security.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127.001/msbuild-windows-security.log - source: WinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_compiled_html_file_decompile.yml b/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_compiled_html_file_decompile.yml deleted file mode 100644 index a0be9438b1..0000000000 --- a/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_compiled_html_file_decompile.yml +++ /dev/null @@ -1,117 +0,0 @@ -name: Windows System Binary Proxy Execution Compiled HTML File Decompile -id: 11c32b19-05a6-48a8-ab28-18dbd9ec5d50 -version: 4 -status: production -detection_type: STREAMING -description: The following analytic identifies the decompile parameter with the HTML - Help application, HH.exe. This is a uncommon command to see ran and behavior. Most - recently this was seen in a APT41 campaign where a CHM file was delivered and a - script inside used a technique for running an arbitrary command in a CHM file via - an ActiveX object. This unpacks an HTML help file to a specified path for launching - the next stage. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where process_cmd_line LIKE "%-decompile%" - AND process_file_name="hh.exe" - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Windows System Binary Proxy Execution Compiled HTML File Decompile has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Suspicious Compiled HTML Activity", "Living Off The Land"], - class_name = "Detection Report", - confidence = 90, - confidence_id = 3, - duration = 0, - impact = 100, - impact_id = 5, - kill_chain = [{"phase": "Exploitation", "phase_id": 4}], - nist = ["DE.AE"], - risk_level = "Critical", - category_uid = 2, - class_uid = 102001, - risk_level_id = 4, - risk_score = 90, - severity_id = 0, - rule = {"name": "Windows System Binary Proxy Execution Compiled HTML File Decompile", "uid": "11c32b19-05a6-48a8-ab28-18dbd9ec5d50", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. -known_false_positives: False positives should be limited, filter as needed. -references: -- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/ -- https://redcanary.com/blog/introducing-atomictestharnesses/ -- https://attack.mitre.org/techniques/T1218/001/ -- https://docs.microsoft.com/en-us/windows/win32/api/htmlhelp/nf-htmlhelp-htmlhelpa -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 90 - security_domain: endpoint - risk_severity: high - research_site_url: https://research.splunk.com/endpoint/11c32b19-05a6-48a8-ab28-18dbd9ec5d50/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Suspicious Compiled HTML Activity - - Living Off The Land - cis20: - - CIS 10 - kill_chain_phases: - - Exploitation - mitre_attack_id: - - T1218.001 - - T1218 - nist: - - DE.CM -test: - name: Windows System Binary Proxy Execution Compiled HTML File Decompile Unit Test - tests: - - name: Windows System Binary Proxy Execution Compiled HTML File Decompile - attack_data: - - file_name: 4688_windows-security.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.001/atomic_red_team/4688_windows-security.log - source: XmlWinEventLog -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_compiled_html_file_url_in_command_line.yml b/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_compiled_html_file_url_in_command_line.yml deleted file mode 100644 index 57411a5d77..0000000000 --- a/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_compiled_html_file_url_in_command_line.yml +++ /dev/null @@ -1,127 +0,0 @@ -name: Windows System Binary Proxy Execution Compiled HTML File URL In Command Line -id: 0fec631a-7c9b-4e4c-b28b-93260953e25f -version: 4 -status: production -detection_type: STREAMING -description: The following analytic identifies hh.exe (HTML Help) execution of a Compiled - HTML Help (CHM) file from a remote url. This particular technique will load Windows - script code from a compiled help file. CHM files may contain nearly any file type - embedded, but only execute html/htm. Upon a successful execution, the following - script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, - JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe - upon execution. The "htm" and "html" file extensions were the only extensions observed - to be supported for the execution of Shortcut commands or WSH script code. During - investigation, identify script content origination. Review reputation of remote - IP and domain. Some instances, it is worth decompiling the .chm file to review its - original contents. hh.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where (process_cmd_line LIKE "%https://%" - OR process_cmd_line LIKE "%http://%") AND process_file_name="hh.exe" - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Windows System Binary Proxy Execution Compiled HTML File URL In Command Line has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Suspicious Compiled HTML Activity", "Living Off The Land"], - class_name = "Detection Report", - confidence = 100, - confidence_id = 3, - duration = 0, - impact = 90, - impact_id = 5, - kill_chain = [{"phase": "Exploitation", "phase_id": 4}], - nist = ["DE.AE"], - risk_level = "Critical", - category_uid = 2, - class_uid = 102001, - risk_level_id = 4, - risk_score = 90, - severity_id = 0, - rule = {"name": "Windows System Binary Proxy Execution Compiled HTML File URL In Command Line", "uid": "0fec631a-7c9b-4e4c-b28b-93260953e25f", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. -known_false_positives: Although unlikely, some legitimate applications may retrieve - a CHM remotely, filter as needed. -references: -- https://attack.mitre.org/techniques/T1218/001/ -- https://www.kb.cert.org/vuls/id/851869 -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md -- https://lolbas-project.github.io/lolbas/Binaries/Hh/ -- https://gist.github.com/mgeeky/cce31c8602a144d8f2172a73d510e0e7 -- https://web.archive.org/web/20220119133748/https://cyberforensicator.com/2019/01/20/silence-dissecting-malicious-chm-files-and-performing-forensic-analysis/ -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 90 - security_domain: endpoint - risk_severity: high - research_site_url: https://research.splunk.com/endpoint/0fec631a-7c9b-4e4c-b28b-93260953e25f/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Suspicious Compiled HTML Activity - - Living Off The Land - cis20: - - CIS 10 - kill_chain_phases: - - Exploitation - mitre_attack_id: - - T1218.001 - - T1218 - nist: - - DE.CM -test: - name: Windows System Binary Proxy Execution Compiled HTML File URL In Command Line - Unit Test - tests: - - name: Windows System Binary Proxy Execution Compiled HTML File URL In Command - Line - attack_data: - - file_name: chm-wineventlog-security.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.001/atomic_red_team/chm-wineventlog-security.log - source: WinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_compiled_html_file_using_infotech_storage_handlers.yml b/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_compiled_html_file_using_infotech_storage_handlers.yml deleted file mode 100644 index e57f15a2d7..0000000000 --- a/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_compiled_html_file_using_infotech_storage_handlers.yml +++ /dev/null @@ -1,130 +0,0 @@ -name: Windows System Binary Proxy Execution Compiled HTML File Using InfoTech Storage - Handlers -id: ba0c2450-caea-4086-ac3a-a71e2659754b -version: 4 -status: production -detection_type: STREAMING -description: The following analytic identifies hh.exe (HTML Help) execution of a Compiled - HTML Help (CHM) file using InfoTech Storage Handlers. This particular technique - will load Windows script code from a compiled help file, using InfoTech Storage - Handlers. itss.dll will load upon execution. Three InfoTech Storage handlers are - supported - ms-its, its, mk:@MSITStore. ITSS may be used to launch a specific html/htm - file from within a CHM file. CHM files may contain nearly any file type embedded. - Upon a successful execution, the following script engines may be used for execution - - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may - identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The "htm" - and "html" file extensions were the only extensions observed to be supported for - the execution of Shortcut commands or WSH script code. During investigation, identify - script content origination. hh.exe is natively found in C:\Windows\system32 and - C:\Windows\syswow64. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where (process_cmd_line LIKE "%mk:@msitstore:%" - OR process_cmd_line LIKE "%its:%") AND process_file_name="hh.exe" - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Windows System Binary Proxy Execution Compiled HTML File Using InfoTech Storage Handlers has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Suspicious Compiled HTML Activity", "Living Off The Land"], - class_name = "Detection Report", - confidence = 90, - confidence_id = 3, - duration = 0, - impact = 80, - impact_id = 5, - kill_chain = [{"phase": "Exploitation", "phase_id": 4}], - nist = ["DE.AE"], - risk_level = "High", - category_uid = 2, - class_uid = 102001, - risk_level_id = 3, - risk_score = 72, - severity_id = 0, - rule = {"name": "Windows System Binary Proxy Execution Compiled HTML File Using InfoTech Storage Handlers", "uid": "ba0c2450-caea-4086-ac3a-a71e2659754b", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. -known_false_positives: It is rare to see instances of InfoTech Storage Handlers being - used, but it does happen in some legitimate instances. Filter as needed. -references: -- https://attack.mitre.org/techniques/T1218/001/ -- https://www.kb.cert.org/vuls/id/851869 -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md -- https://lolbas-project.github.io/lolbas/Binaries/Hh/ -- https://gist.github.com/mgeeky/cce31c8602a144d8f2172a73d510e0e7 -- https://web.archive.org/web/20220119133748/https://cyberforensicator.com/2019/01/20/silence-dissecting-malicious-chm-files-and-performing-forensic-analysis/ -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 72 - security_domain: endpoint - risk_severity: medium - research_site_url: https://research.splunk.com/endpoint/ba0c2450-caea-4086-ac3a-a71e2659754b/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Suspicious Compiled HTML Activity - - Living Off The Land - cis20: - - CIS 10 - kill_chain_phases: - - Exploitation - mitre_attack_id: - - T1218.001 - - T1218 - nist: - - DE.CM -test: - name: Windows System Binary Proxy Execution Compiled HTML File Using InfoTech Storage - Handlers Unit Test - tests: - - name: Windows System Binary Proxy Execution Compiled HTML File Using InfoTech - Storage Handlers - attack_data: - - file_name: chm-wineventlog-security.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.001/atomic_red_team/chm-wineventlog-security.log - source: WinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_msiexec_dllregisterserver.yml b/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_msiexec_dllregisterserver.yml deleted file mode 100644 index 3f9aaca898..0000000000 --- a/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_msiexec_dllregisterserver.yml +++ /dev/null @@ -1,111 +0,0 @@ -name: Windows System Binary Proxy Execution MSIExec DLLRegisterServer -id: 8d1d5570-722c-49a3-996c-2e2cceef5163 -version: 4 -status: production -detection_type: STREAMING -description: The following analytic identifies the usage of msiexec.exe using the - /y switch parameter, which grants the ability for msiexec to load DLLRegisterServer. - Upon triage, review parent process and capture any artifacts for further review. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where (process_cmd_line LIKE "%-y %" - OR process_cmd_line LIKE "%/y %") AND process_file_name="msiexec.exe" - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Windows System Binary Proxy Execution MSIExec DLLRegisterServer has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Windows System Binary Proxy Execution MSIExec"], - class_name = "Detection Report", - confidence = 50, - confidence_id = 2, - duration = 0, - impact = 70, - impact_id = 4, - kill_chain = [{"phase": "Exploitation", "phase_id": 4}], - nist = ["DE.AE"], - risk_level = "Low", - category_uid = 2, - class_uid = 102001, - risk_level_id = 1, - risk_score = 35, - severity_id = 0, - rule = {"name": "Windows System Binary Proxy Execution MSIExec DLLRegisterServer", "uid": "8d1d5570-722c-49a3-996c-2e2cceef5163", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. -known_false_positives: This analytic will need to be tuned for your environment based - on legitimate usage of msiexec.exe. Filter as needed. -references: -- https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/ -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 35 - security_domain: endpoint - risk_severity: low - research_site_url: https://research.splunk.com/endpoint/8d1d5570-722c-49a3-996c-2e2cceef5163/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Windows System Binary Proxy Execution MSIExec - cis20: - - CIS 10 - kill_chain_phases: - - Exploitation - mitre_attack_id: - - T1218.007 - nist: - - DE.CM -test: - name: Windows System Binary Proxy Execution MSIExec DLLRegisterServer Unit Test - tests: - - name: Windows System Binary Proxy Execution MSIExec DLLRegisterServer - attack_data: - - file_name: 4688_msiexec-windows-security.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.007/atomic_red_team/4688_msiexec-windows-security.log - source: XmlWinEventLog -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_msiexec_remote_download.yml b/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_msiexec_remote_download.yml deleted file mode 100644 index 9d719a33f6..0000000000 --- a/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_msiexec_remote_download.yml +++ /dev/null @@ -1,111 +0,0 @@ -name: Windows System Binary Proxy Execution MSIExec Remote Download -id: 92cbbf0f-9a6b-4e9d-8c35-cc9244a4e3d5 -version: 4 -status: production -detection_type: STREAMING -description: The following analytic identifies msiexec.exe with http in the command-line. - This procedure will utilize msiexec.exe to download a remote file and load it. During - triage, review parallel processes and capture any artifacts on disk for review. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where (process_cmd_line LIKE "%https://%" - OR process_cmd_line LIKE "%http://%") AND process_file_name="msiexec.exe" - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Windows System Binary Proxy Execution MSIExec Remote Download has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Windows System Binary Proxy Execution MSIExec"], - class_name = "Detection Report", - confidence = 50, - confidence_id = 2, - duration = 0, - impact = 70, - impact_id = 4, - kill_chain = [{"phase": "Exploitation", "phase_id": 4}], - nist = ["DE.AE"], - risk_level = "Low", - category_uid = 2, - class_uid = 102001, - risk_level_id = 1, - risk_score = 35, - severity_id = 0, - rule = {"name": "Windows System Binary Proxy Execution MSIExec Remote Download", "uid": "92cbbf0f-9a6b-4e9d-8c35-cc9244a4e3d5", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. -known_false_positives: False positives may be present, filter by destination or parent - process as needed. -references: -- https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/ -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 35 - security_domain: endpoint - risk_severity: low - research_site_url: https://research.splunk.com/endpoint/92cbbf0f-9a6b-4e9d-8c35-cc9244a4e3d5/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Windows System Binary Proxy Execution MSIExec - cis20: - - CIS 10 - kill_chain_phases: - - Exploitation - mitre_attack_id: - - T1218.007 - nist: - - DE.CM -test: - name: Windows System Binary Proxy Execution MSIExec Remote Download Unit Test - tests: - - name: Windows System Binary Proxy Execution MSIExec Remote Download - attack_data: - - file_name: 4688_msiexec-windows-security.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.007/atomic_red_team/4688_msiexec-windows-security.log - source: XmlWinEventLog -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_msiexec_unregister_dll.yml b/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_msiexec_unregister_dll.yml deleted file mode 100644 index d8efd67b76..0000000000 --- a/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_msiexec_unregister_dll.yml +++ /dev/null @@ -1,111 +0,0 @@ -name: Windows System Binary Proxy Execution MSIExec Unregister DLL -id: df76a8d1-92e1-4ec9-b8f7-695b5838703e -version: 4 -status: production -detection_type: STREAMING -description: The following analytic identifies the usage of msiexec.exe using the - /z switch parameter, which grants the ability for msiexec to unload DLLRegisterServer. - Upon triage, review parent process and capture any artifacts for further review. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where (process_cmd_line LIKE "%-z %" - OR process_cmd_line LIKE "%/z %") AND process_file_name="msiexec.exe" - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Windows System Binary Proxy Execution MSIExec Unregister DLL has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Windows System Binary Proxy Execution MSIExec"], - class_name = "Detection Report", - confidence = 50, - confidence_id = 2, - duration = 0, - impact = 70, - impact_id = 4, - kill_chain = [{"phase": "Exploitation", "phase_id": 4}], - nist = ["DE.AE"], - risk_level = "Low", - category_uid = 2, - class_uid = 102001, - risk_level_id = 1, - risk_score = 35, - severity_id = 0, - rule = {"name": "Windows System Binary Proxy Execution MSIExec Unregister DLL", "uid": "df76a8d1-92e1-4ec9-b8f7-695b5838703e", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. -known_false_positives: False positives may be present, filter by destination or parent - process as needed. -references: -- https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/ -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 35 - security_domain: endpoint - risk_severity: low - research_site_url: https://research.splunk.com/endpoint/df76a8d1-92e1-4ec9-b8f7-695b5838703e/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Windows System Binary Proxy Execution MSIExec - cis20: - - CIS 10 - kill_chain_phases: - - Exploitation - mitre_attack_id: - - T1218.007 - nist: - - DE.CM -test: - name: Windows System Binary Proxy Execution MSIExec Unregister DLL Unit Test - tests: - - name: Windows System Binary Proxy Execution MSIExec Unregister DLL - attack_data: - - file_name: 4688_msiexec-windows-security.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.007/atomic_red_team/4688_msiexec-windows-security.log - source: XmlWinEventLog -runtime: SPL2 -internalVersion: 2 diff --git a/dist/ssa/srs/ssa___windows_wmiprvse_spawn_msbuild.yml b/dist/ssa/srs/ssa___windows_wmiprvse_spawn_msbuild.yml deleted file mode 100644 index a18ec138d0..0000000000 --- a/dist/ssa/srs/ssa___windows_wmiprvse_spawn_msbuild.yml +++ /dev/null @@ -1,118 +0,0 @@ -name: Windows WMIPrvse Spawn MSBuild -id: 76b3b290-9b31-11ec-a934-acde48001122 -version: 4 -status: production -detection_type: STREAMING -description: The following analytic identifies wmiprvse.exe spawning msbuild.exe. - This behavior is indicative of a COM object being utilized to spawn msbuild from - wmiprvse.exe. It is common for MSBuild.exe to be spawned from devenv.exe while using - Visual Studio. In this instance, there will be command line arguments and file paths. - In a malicious instance, MSBuild.exe will spawn from non-standard processes and - have no command line arguments. For example, MSBuild.exe spawning from explorer.exe, - powershell.exe is far less common and should be investigated. -search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | - eval process_pid = process.pid | eval process_file = process.file | eval process_file_path - = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line - = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name - | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid - | eval actor_process_file = actor_process.file | eval actor_process_file_path = - actor_process_file.path | eval actor_process_file_name = actor_process_file.name - | eval device_hostname = device.hostname | where process_file_name="msbuild.exe" - AND match(actor_process_file_name, /(?i)wmiprvse.exe/)=true - | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], - time = timestamp, - evidence = {"process.pid": process_pid, "process.file.path": process_file_path, "process.file.name": process_file_name, "process.cmd_line": process_cmd_line, "actor.user.name": actor_user_name, "actor.process.pid": actor_process_pid, "actor.process.file.path": actor_process_file_path, "actor.process.file.name": actor_process_file_name, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, - message = "Windows WMIPrvse Spawn MSBuild has been triggered on " + device_hostname + " by " + actor_user_name + ".", - users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], - activity_id = 1, - cis_csc = [{"control": "CIS 10", "version": 8}], - analytic_stories = ["Trusted Developer Utilities Proxy Execution MSBuild", "Living Off The Land"], - class_name = "Detection Report", - confidence = 100, - confidence_id = 3, - duration = 0, - impact = 80, - impact_id = 5, - kill_chain = [{"phase": "Exploitation", "phase_id": 4}], - nist = ["DE.AE"], - risk_level = "Critical", - category_uid = 2, - class_uid = 102001, - risk_level_id = 4, - risk_score = 80, - severity_id = 0, - rule = {"name": "Windows WMIPrvse Spawn MSBuild", "uid": "76b3b290-9b31-11ec-a934-acde48001122", "type": "Streaming"}, - metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, - type_uid = 10200101, - start_time = timestamp, - end_time = timestamp - | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time - | into sink; ' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, - confirm the latest CIM App 4.20 or higher is installed and the latest TA for the - endpoint product. -known_false_positives: Although unlikely, some legitimate applications may exhibit - this behavior, triggering a false positive. -references: -- https://lolbas-project.github.io/lolbas/Binaries/Msbuild/ -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md -tags: - required_fields: - - process.pid - - process.file.path - - process.file.name - - process.cmd_line - - actor.user.name - - actor.process.pid - - actor.process.file.path - - actor.process.file.name - - device.hostname - risk_score: 80 - security_domain: endpoint - risk_severity: high - research_site_url: https://research.splunk.com/endpoint/76b3b290-9b31-11ec-a934-acde48001122/ - event_schema: ocsf - mappings: - - ocsf: process.pid - cim: process_id - - ocsf: process.file.path - cim: process_path - - ocsf: process.file.name - cim: process_name - - ocsf: process.cmd_line - cim: process - - ocsf: actor.user.name - cim: user - - ocsf: actor.process.pid - cim: parent_process_id - - ocsf: actor.process.file.path - cim: parent_process_path - - ocsf: actor.process.file.name - cim: parent_process_name - - ocsf: device.hostname - cim: dest - annotations: - analytic_story: - - Trusted Developer Utilities Proxy Execution MSBuild - - Living Off The Land - cis20: - - CIS 10 - kill_chain_phases: - - Exploitation - mitre_attack_id: - - T1127 - - T1127.001 - nist: - - DE.CM -test: - name: Windows WMIPrvse Spawn MSBuild Unit Test - tests: - - name: Windows WMIPrvse Spawn MSBuild - attack_data: - - file_name: msbuild-windows-security.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127.001/msbuild-windows-security.log - source: WinEventLog:Security -runtime: SPL2 -internalVersion: 2 diff --git a/macros/fillnull_config.yml b/macros/fillnull_config.yml new file mode 100644 index 0000000000..41ccf82201 --- /dev/null +++ b/macros/fillnull_config.yml @@ -0,0 +1,3 @@ +definition: "null" +description: Used inside security_content_summariesonly to adjust the fillnull configuration +name: fillnull_config diff --git a/macros/oldsummaries_config.yml b/macros/oldsummaries_config.yml new file mode 100644 index 0000000000..a985852e7e --- /dev/null +++ b/macros/oldsummaries_config.yml @@ -0,0 +1,3 @@ +definition: "true" +description: Used inside security_content_summariesonly to adjust the allow_old_summaries configuration +name: oldsummaries_config diff --git a/macros/prohibited_softwares.yml b/macros/prohibited_softwares.yml index dbcb244ec4..54abcdee2a 100644 --- a/macros/prohibited_softwares.yml +++ b/macros/prohibited_softwares.yml @@ -1,5 +1,3 @@ -definition: lookup prohibited_softwares app as process_name OUTPUT is_prohibited - | search is_prohibited=True -description: This macro limits the output to process_names that have been marked as - prohibited +definition: search * +description: This macro is deprecated. Update this macro to look for prohibited softwares in your environment name: prohibited_softwares diff --git a/macros/security_content_summariesonly.yml b/macros/security_content_summariesonly.yml index 98b274c7fe..4c9294df6a 100644 --- a/macros/security_content_summariesonly.yml +++ b/macros/security_content_summariesonly.yml @@ -1,3 +1,3 @@ -definition: summariesonly=false allow_old_summaries=true fillnull_value=null +definition: summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config` description: search data model's summaries only name: security_content_summariesonly diff --git a/macros/summariesonly_config.yml b/macros/summariesonly_config.yml new file mode 100644 index 0000000000..6c0bc830b4 --- /dev/null +++ b/macros/summariesonly_config.yml @@ -0,0 +1,3 @@ +definition: "false" +description: Used inside security_content_summariesonly to adjust the summariesonly configuration +name: summariesonly_config diff --git a/pipeline/.build.yml b/pipeline/.build.yml index 4b940c5cf2..6357e4b9de 100644 --- a/pipeline/.build.yml +++ b/pipeline/.build.yml @@ -14,14 +14,8 @@ build: script: - echo "Validating and Building all files in the dist/ directory" - pip list - - > - if [[ "$CI_COMMIT_TAG" =~ ^v?[1-9]\.[0-9]+\.[0-9]+$ ]]; then - echo "Tagged build - Enabling Enrichment" - contentctl build --enrichments - else - echo "Disabled Enrichment" - contentctl build - fi + - echo "ContentCTL build starting..." + - contentctl build --enrichments - echo "ContentCTL build finished" after_script: diff --git a/pipeline/.ephemeral-credentials.yml b/pipeline/.ephemeral-credentials.yml index 47ada47c91..72a1467377 100644 --- a/pipeline/.ephemeral-credentials.yml +++ b/pipeline/.ephemeral-credentials.yml @@ -2,6 +2,9 @@ .creds-init: before_script: | eval $(creds-helper init) + id_tokens: + CI_JOB_JWT: + aud: $CICD_VAULT_ADDR # acquire reader role .generic-read: diff --git a/pipeline/.install-contentctl.yml b/pipeline/.install-contentctl.yml index ea4682ecba..0d1582800f 100644 --- a/pipeline/.install-contentctl.yml +++ b/pipeline/.install-contentctl.yml @@ -3,5 +3,5 @@ before_script: | python3.11 -m venv .venv source .venv/bin/activate - pip install contentctl==4.0.3 - git clone --depth=1 --single-branch --branch=master https://github.com/redcanaryco/atomic-red-team.git \ No newline at end of file + pip install contentctl==4.0.5 + git clone --depth=1 --single-branch --branch=master https://github.com/redcanaryco/atomic-red-team.git diff --git a/pipeline/.post.yml b/pipeline/.post.yml index 6f823d94fc..3d1ca7998a 100644 --- a/pipeline/.post.yml +++ b/pipeline/.post.yml @@ -40,6 +40,8 @@ send_pipeline_results: - extracto_config.json dependencies: [] when: always + id_tokens: + !reference [.creds-init, id_tokens] before_script: - !reference [.creds-init, before_script] - !reference [.generic-read, before_script] diff --git a/pipeline/.release.yml b/pipeline/.release.yml index d8bb1558ea..042005cb79 100644 --- a/pipeline/.release.yml +++ b/pipeline/.release.yml @@ -61,6 +61,9 @@ push_sse_json_to_artifactory: - curl -u $ARTIFACTORY_AUTHORIZATION -X PUT $ARTIFACTORY_BASE_URL/generic/threat-research-security-content/$CI_COMMIT_TAG/$CI_PIPELINE_ID/sse.tar.gz -T sse.tar.gz rules: - if: '$CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]$/' + id_tokens: + CI_JOB_JWT: + aud: $CICD_VAULT_ADDR trigger_downstream_sse_json_release: stage: release diff --git a/ssa_detections/endpoint/ssa___executable_file_written_in_administrative_smb_share.yml b/ssa_detections/endpoint/ssa___executable_file_written_in_administrative_smb_share.yml new file mode 100644 index 0000000000..7541d60412 --- /dev/null +++ b/ssa_detections/endpoint/ssa___executable_file_written_in_administrative_smb_share.yml @@ -0,0 +1,112 @@ +name: Executable File Written in Administrative SMB Share +id: d3bba9cb-c066-4e49-a81e-29eeb8e8506b +version: 1 +date: "2024-05-28" +author: Teoderick Contreras, Mauricio Velazco, Splunk +type: TTP +status: validation +description: + The following analytic identifies executable files (.exe or .dll) being + written to Windows administrative SMB shares (Admin$, IPC$, C$). This represents + suspicious behavior as its commonly used by tools like PsExec/PaExec and others + to stage service binaries before creating and starting a Windows service on remote + endpoints. Red Teams and adversaries alike may abuse administrative shares for lateral + movement and remote code execution. The Trickbot malware family also implements + this behavior to try to infect other machines in the infected network. +data_source: + - Windows Event Log Security 5145 +search: + ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid | + eval file_type = lower(file.type) | eval actor_user = actor.user | eval actor_user_domain + = actor_user.domain | eval src_endpoint_ip = src_endpoint.ip | eval file_path = + file.path | eval src_endpoint_port = src_endpoint.port | eval actor_user_name = + actor_user.name | eval actor_session = actor.session | eval actor_session_uid = + actor_session.uid | eval actor_user_uid = actor_user.uid | eval device_hostname + = device.hostname | where (file_path LIKE "%.exe" OR file_path LIKE "%.dll") AND + file_type="file" AND (share LIKE "\\%\\c$" OR share LIKE "\\%\\ipc$" OR share LIKE + "\\%\\admin$") AND access_mask=2 --finding_report--' +how_to_implement: + To successfully implement this search, you need to be ingesting + Windows Security Event Logs with 5145 EventCode enabled. The Windows TA is also + required. Also enable the object Audit access success/failure in your group policy. +known_false_positives: + System Administrators may use looks like PsExec for troubleshooting + or administrations tasks. However, this will typically come only from certain users + and certain systems that can be added to an allow list. +references: + - https://attack.mitre.org/techniques/T1021/002/ + - https://www.rapid7.com/blog/post/2013/03/09/psexec-demystified/ + - https://labs.vipre.com/trickbot-and-its-modules/ + - https://whitehat.eu/incident-response-case-study-featuring-ryuk-and-trickbot-part-2/ + - https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/ +tags: + analytic_story: + - Active Directory Lateral Movement + - Prestige Ransomware + - Graceful Wipe Out Attack + - Industroyer2 + - IcedID + - Data Destruction + - Hermetic Wiper + - Trickbot + asset_type: Endpoint + confidence: 100 + impact: 70 + message: + $src_user$ dropped or created an executable file in known sensitive SMB + share. Share name=$ShareName$, Target name=$RelativeTargetName$, and Access mask=$AccessMask$ + mitre_attack_id: + - T1021 + - T1021.002 + observable: [] + product: + - Splunk Behavioral Analytics + required_fields: + - share + - file.type + - access_mask + - actor.user.domain + - src_endpoint.ip + - access_result + - file.path + - src_endpoint.port + - actor.user.name + - actor.session.uid + - actor.user.uid + - access_list + - device.hostname + risk_score: 70 + security_domain: endpoint + mappings: + - ocsf: access_list + cim: access_list + - ocsf: access_mask + cim: access_mask + - ocsf: access_result + cim: access_result + - ocsf: file.path + cim: relative_target_name + - ocsf: src_endpoint.ip + cim: src_ip + - ocsf: src_endpoint.port + cim: src_port + - ocsf: actor.user.name + cim: user + - ocsf: share + cim: share + - ocsf: file.type + cim: object_type + - ocsf: actor.user.domain + cim: user_domain + - ocsf: actor.session.uid + cim: user_logon_id + - ocsf: actor.user.uid + cim: user_sid + - ocsf: device.hostname + cim: dest +tests: + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/exe_smbshare/windows-xml.log + source: XmlWinEventLog:Security + sourcetype: XmlWinEventLog diff --git a/stories/gomir.yml b/stories/gomir.yml new file mode 100644 index 0000000000..515bb091e7 --- /dev/null +++ b/stories/gomir.yml @@ -0,0 +1,26 @@ +name: Gomir +id: 02dbfda2-45fe-4731-a659-91fa871019ba +version: 1 +date: '2024-05-29' +author: Teoderick Contreras, Splunk +description: This analytic story includes detections that help security analysts identify and investigate unusual + activities associated with the Gomir backdoor malware. Gomir is a sophisticated cyber threat that gains unauthorized + access to systems. It communicates with a remote command-and-control (C2) server to execute malicious commands, steal + sensitive data, and facilitate further attacks, often evading traditional security measures. +narrative: The Gomir backdoor malware is a piece of cyber threat designed to infiltrate and compromise systems covertly. + Once it gains unauthorized access, Gomir establishes a persistent presence by communicating with a remote command-and-control (C2) server. + This connection allows the attacker to execute a wide range of malicious commands on the infected system. Gomir is capable of stealing + sensitive data, which can be exfiltrated back to the attacker. Additionally, Gomir can download and install further malicious payloads, + facilitating broader cyber-espionage or destructive activities. +references: +- https://www.bleepingcomputer.com/news/security/kimsuky-hackers-deploy-new-linux-backdoor-via-trojanized-installers/ +- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/springtail-kimsuky-backdoor-espionage +tags: + category: + - Malware + - Adversary Tactics + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + usecase: Advanced Threat Detection \ No newline at end of file From 68ad1ba031a1620a634bc62d235ea88061cc024f Mon Sep 17 00:00:00 2001 From: Lou Stella Date: Wed, 26 Jun 2024 20:03:33 +0000 Subject: [PATCH 3/3] Release v4.34.1 --- contentctl.yml | 4 ++-- .../linux_deleting_critical_directory_using_rm_command.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/contentctl.yml b/contentctl.yml index a93d091d78..1aad063900 100644 --- a/contentctl.yml +++ b/contentctl.yml @@ -3,7 +3,7 @@ app: uid: 3449 title: ES Content Updates appid: DA-ESS-ContentUpdate - version: 4.33.0 + version: 4.34.0 description: Explore the Analytic Stories included with ES Content Updates. prefix: ESCU label: ESCU @@ -182,4 +182,4 @@ apps: version: 1.9.2 description: description of app hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/url-toolbox_192.tgz -githash: d6fac80e6d50ae06b40f91519a98489d4ce3a3fd \ No newline at end of file +githash: d6fac80e6d50ae06b40f91519a98489d4ce3a3fd diff --git a/detections/endpoint/linux_deleting_critical_directory_using_rm_command.yml b/detections/endpoint/linux_deleting_critical_directory_using_rm_command.yml index 42de888c5c..5ed033e710 100644 --- a/detections/endpoint/linux_deleting_critical_directory_using_rm_command.yml +++ b/detections/endpoint/linux_deleting_critical_directory_using_rm_command.yml @@ -6,7 +6,7 @@ author: Teoderick Contreras, Splunk status: production type: TTP description: The following analytic detects the deletion of critical directories on - a Linux machine using the 'rm -rf' command. It leverages data from Endpoint Detection + a Linux machine using the `rm` command with argument rf. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions targeting directories like /boot, /var/log, /etc, and /dev. This activity is significant because deleting these directories can severely disrupt system operations and is often associated